pax_global_header00006660000000000000000000000064130363720360014515gustar00rootroot0000000000000052 comment=83665cbd4b1ad45e9e66ca4c603a845c002f3052 fwbuilder-5.3.7/000077500000000000000000000000001303637203600135145ustar00rootroot00000000000000fwbuilder-5.3.7/.gitignore000066400000000000000000000015501303637203600155050ustar00rootroot00000000000000core *.a *.o *.so* *.log *.status *.guess *.sub *.cache *.m4 *.fw *.conf *.app !src/gui/FwbuilderInfo.plist *.dylib *.spec *.control *.nsi build_num test/ipt/secuwall-1 Makefile !test/*/Makefile install* !src/res/configlets/*/install* ltmain.sh configure libtool qmake.inc config.h .obj .moc .ui qtdbus_test fwbedit qrc_MainRes.cpp fwb_iosacl fwb_nxosacl fwb_ipf fwb_ipfw fwb_ipt fwb_pf fwb_pix fwb_procurve_acl fwb_junosacl transfer_secuwall .configure_marker .build_marker src/unit_tests/*/*Test src/unit_tests/*/*Tests src/unit_tests/*/*.output src/unit_tests/generatedScriptTests*/generatedScriptTests* src/unit_tests/generatedScriptTestsSecuwall/ref.* src/unit_tests/generatedScriptTestsSecuwall/secuwall-1/ src/unit_tests/generatedScriptTestsSecuwall/secuwall-2/ *.pro.user src/libfwbuilder/etc/fwbuilder.dtd src/res/objects_init.xml src/res/templates.xml VERSION.h fwbuilder-5.3.7/.travis.yml000066400000000000000000000013671303637203600156340ustar00rootroot00000000000000sudo: required dist: trusty language: c++ addons: apt: packages: - build-essential - autoconf - libxml2-dev - libxslt1-dev - qt5-default - libsnmp-dev env: global: - MAKEJOBS=-j3 - CXXFLAGS="-Wall -Werror -Qunused-arguments" matrix: include: - os: linux compiler: clang env: QMAKESPEC=linux-clang - os: linux compiler: gcc - os: osx compiler: clang install: - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then brew install qt5 && brew link --force qt5 ; fi before_script: - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then ./autogen.sh ; fi script: - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then make $MAKEJOBS; fi - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then sh build_mac.sh ; fi 
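fwbuilder-5.3.7/README.md000066400000000000000000000006051303637203600147740ustar00rootroot00000000000000[![Build Status](https://travis-ci.org/fwbuilder/fwbuilder.svg?branch=master)](https://travis-ci.org/fwbuilder/fwbuilder) fwbuilder ========= Firewall Builder is a GUI firewall management application for iptables, PF, Cisco ASA/PIX/FWSM, Cisco router ACL and more. Firewall configuration data is stored in a central file that can scale to hundreds of firewalls managed from a single UI.
fwbuilder-5.3.7/VERSION000066400000000000000000000014751303637203600145710ustar00rootroot00000000000000
#-*- mode: shell-script; tab-width: 4; -*-
# Version definitions for the build.
#
# This file is sourced by configure (". ./VERSION"), so it must stay POSIX sh,
# must not call "exit" or change shell options, and should only assign
# variables.
#
# Inputs (environment):
#   NO_GIT_VER   - when set and non-empty, do not consult "git describe"
#   NO_GIT_DIRTY - when set and non-empty, omit the "-dirty" suffix
# Outputs:
#   FWBUILDER_XML_VERSION, FWB_MAJOR_VERSION, FWB_MINOR_VERSION,
#   FWB_MICRO_VERSION, FWB_QUALIFIER_VERSION, VERSION, GENERATION

# Data format version
FWBUILDER_XML_VERSION=24

# Static version number
FWB_MAJOR_VERSION=5
FWB_MINOR_VERSION=3
FWB_MICRO_VERSION=7
FWB_QUALIFIER_VERSION=

VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION"
if [ -n "${FWB_QUALIFIER_VERSION}" ]; then
    VERSION="$VERSION-$FWB_QUALIFIER_VERSION"
fi
# GENERATION is the major.minor pair, used for install paths and compatibility
GENERATION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION"

# Git may generate version info for us
# May be overridden by setting NO_GIT_VER environment variable
if [ -z "${NO_GIT_VER}" ]; then
    GIT_DIRTY_FLAG="--dirty"
    if [ -n "${NO_GIT_DIRTY}" ]; then
        GIT_DIRTY_FLAG=""
    fi
    # GIT_DIRTY_FLAG is deliberately unquoted so an empty value passes no
    # argument. stderr is discarded so that a tarball build (no .git
    # directory, or no git installed) does not print "fatal: not a git
    # repository" from configure; in that case GIT_VERSION is empty and the
    # static version above stands.
    GIT_VERSION=$(git describe --tags ${GIT_DIRTY_FLAG} --always 2>/dev/null)
    if [ -n "${GIT_VERSION}" ]; then
        # drop the leading "v" of tag names such as v5.3.7
        VERSION=${GIT_VERSION#v}
        # NOTE(review): with --always and no tag reachable from HEAD, git
        # describe prints a bare commit hash, so VERSION and GENERATION both
        # become that hash rather than a dotted version - confirm intended.
        GENERATION=${VERSION%.*}
    fi
fi
fwbuilder-5.3.7/acinclude.m4000066400000000000000000000310461303637203600157110ustar00rootroot00000000000000# generated automatically by aclocal 1.10.2 -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, # 2005, 2006, 2007, 2008 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved.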
# This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. dnl ______ /usr/share/aclocal/Installed_Packages/acx_pthread.m4 ______ dnl @synopsis ACX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) dnl dnl This macro figures out how to build C programs using POSIX dnl threads. It sets the PTHREAD_LIBS output variable to the threads dnl library and linker flags, and the PTHREAD_CFLAGS output variable dnl to any special C compiler flags that are needed. (The user can also dnl force certain compiler flags/libs to be tested by setting these dnl environment variables.) dnl dnl Also sets PTHREAD_CC to any special C compiler that is needed for dnl multi-threaded programs (defaults to the value of CC otherwise). dnl (This is necessary on AIX to use the special cc_r compiler alias.) dnl dnl If you are only building threads programs, you may wish to dnl use these variables in your default LIBS, CFLAGS, and CC: dnl dnl LIBS="$PTHREAD_LIBS $LIBS" dnl CFLAGS="$CFLAGS $PTHREAD_CFLAGS" dnl CC="$PTHREAD_CC" dnl dnl In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute dnl constant has a nonstandard name, defines PTHREAD_CREATE_JOINABLE dnl to that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX). dnl dnl ACTION-IF-FOUND is a list of shell commands to run if a threads dnl library is found, and ACTION-IF-NOT-FOUND is a list of commands dnl to run it if it is not found. If ACTION-IF-FOUND is not specified, dnl the default action will define HAVE_PTHREAD. dnl dnl Please let the authors know if this macro fails on any platform, dnl or if you have any other suggestions or comments. This macro was dnl based on work by SGJ on autoconf scripts for FFTW (www.fftw.org) dnl (with help from M. Frigo), as well as ac_pthread and hb_pthread dnl macros posted by AFC to the autoconf macro repository. 
We are also dnl grateful for the helpful feedback of numerous users. dnl dnl @version %Id: acx_pthread.m4,v 1.3 2002/12/12 23:15:12 guidod Exp % dnl @author Steven G. Johnson and Alejandro Forero Cuervo AC_DEFUN([ACX_PTHREAD], [ AC_REQUIRE([AC_CANONICAL_HOST]) AC_LANG_SAVE AC_LANG_C acx_pthread_ok=no # We used to check for pthread.h first, but this fails if pthread.h # requires special compiler flags (e.g. on True64 or Sequent). # It gets checked for in the link test anyway. # First of all, check if the user has set any of the PTHREAD_LIBS, # etcetera environment variables, and if threads linking works using # them: if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then save_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $PTHREAD_CFLAGS" save_LIBS="$LIBS" LIBS="$PTHREAD_LIBS $LIBS" AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS]) AC_TRY_LINK_FUNC(pthread_join, acx_pthread_ok=yes) AC_MSG_RESULT($acx_pthread_ok) if test x"$acx_pthread_ok" = xno; then PTHREAD_LIBS="" PTHREAD_CFLAGS="" fi LIBS="$save_LIBS" CFLAGS="$save_CFLAGS" fi # We must check for the threads library under a number of different # names; the ordering is very important because some systems # (e.g. DEC) have both -lpthread and -lpthreads, where one of the # libraries is broken (non-POSIX). # Create a list of thread flags to try. Items starting with a "-" are # C compiler flags, and other items are library names, except for "none" # which indicates that we try without any flags at all. acx_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt" # The ordering *is* (sometimes) important. 
Some notes on the # individual items follow: # pthreads: AIX (must check this before -lpthread) # none: in case threads are in libc; should be tried before -Kthread and # other compiler flags to prevent continual compiler warnings # -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) # -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) # -pthreads: Solaris/gcc # -mthreads: Mingw32/gcc, Lynx/gcc # -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it # doesn't hurt to check since this sometimes defines pthreads too; # also defines -D_REENTRANT) # pthread: Linux, etcetera # --thread-safe: KAI C++ case "${host_cpu}-${host_os}" in *solaris*) # On Solaris (at least, for some versions), libc contains stubbed # (non-functional) versions of the pthreads routines, so link-based # tests will erroneously succeed. (We need to link with -pthread or # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather # a function called by this macro, so we could check for that, but # who knows whether they'll stub that too in a future libc.) So, # we'll just look for -pthreads and -lpthread first: acx_pthread_flags="-pthread -pthreads pthread -mt $acx_pthread_flags" ;; esac if test x"$acx_pthread_ok" = xno; then for flag in $acx_pthread_flags; do case $flag in none) AC_MSG_CHECKING([whether pthreads work without any flags]) ;; -*) AC_MSG_CHECKING([whether pthreads work with $flag]) PTHREAD_CFLAGS="$flag" ;; *) AC_MSG_CHECKING([for the pthreads library -l$flag]) PTHREAD_LIBS="-l$flag" ;; esac save_LIBS="$LIBS" save_CFLAGS="$CFLAGS" LIBS="$PTHREAD_LIBS $LIBS" CFLAGS="$CFLAGS $PTHREAD_CFLAGS" # Check for various functions. We must include pthread.h, # since some functions may be macros. (On the Sequent, we # need a special flag -Kthread to make this header compile.) 
# We check for pthread_join because it is in -lpthread on IRIX # while pthread_create is in libc. We check for pthread_attr_init # due to DEC craziness with -lpthreads. We check for # pthread_cleanup_push because it is one of the few pthread # functions on Solaris that doesn't have a non-functional libc stub. # We try pthread_create on general principles. AC_TRY_LINK([#include ], [pthread_t th; pthread_join(th, 0); pthread_attr_init(0); pthread_cleanup_push(0, 0); pthread_create(0,0,0,0); pthread_cleanup_pop(0); ], [acx_pthread_ok=yes]) LIBS="$save_LIBS" CFLAGS="$save_CFLAGS" AC_MSG_RESULT($acx_pthread_ok) if test "x$acx_pthread_ok" = xyes; then break; fi PTHREAD_LIBS="" PTHREAD_CFLAGS="" done fi # Various other checks: if test "x$acx_pthread_ok" = xyes; then save_LIBS="$LIBS" LIBS="$PTHREAD_LIBS $LIBS" save_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $PTHREAD_CFLAGS" # Detect AIX lossage: threads are created detached by default # and the JOINABLE attribute has a nonstandard name (UNDETACHED). AC_MSG_CHECKING([for joinable pthread attribute]) AC_TRY_LINK([#include ], [int attr=PTHREAD_CREATE_JOINABLE;], ok=PTHREAD_CREATE_JOINABLE, ok=unknown) if test x"$ok" = xunknown; then AC_TRY_LINK([#include ], [int attr=PTHREAD_CREATE_UNDETACHED;], ok=PTHREAD_CREATE_UNDETACHED, ok=unknown) fi if test x"$ok" != xPTHREAD_CREATE_JOINABLE; then AC_DEFINE(PTHREAD_CREATE_JOINABLE, $ok, [Define to the necessary symbol if this constant uses a non-standard name on your system.]) fi AC_MSG_RESULT(${ok}) if test x"$ok" = xunknown; then AC_MSG_WARN([we do not know how to create joinable pthreads]) fi AC_MSG_CHECKING([if more special flags are required for pthreads]) flag=no case "${host_cpu}-${host_os}" in *-aix* | *-freebsd*) flag="-D_THREAD_SAFE";; *solaris* | *-osf* | *-hpux*) flag="-D_REENTRANT";; esac AC_MSG_RESULT(${flag}) if test "x$flag" != xno; then PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" fi LIBS="$save_LIBS" CFLAGS="$save_CFLAGS" # More AIX lossage: must compile with cc_r 
AC_CHECK_PROG(PTHREAD_CC, cc_r, cc_r, ${CC}) else PTHREAD_CC="$CC" fi AC_SUBST(PTHREAD_LIBS) AC_SUBST(PTHREAD_CFLAGS) AC_SUBST(PTHREAD_CC) # Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: if test x"$acx_pthread_ok" = xyes; then ifelse([$1],,AC_DEFINE(HAVE_PTHREAD,1,[Define if you have POSIX threads libraries and header files.]),[$1]) : else acx_pthread_ok=no $2 fi AC_LANG_RESTORE ])dnl ACX_PTHREAD dnl dnl AM_PATH_CPPUNIT(MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND]]) dnl AC_DEFUN([AM_PATH_CPPUNIT], [ AC_ARG_WITH(cppunit-prefix,[ --with-cppunit-prefix=PFX Prefix where CppUnit is installed (optional)], cppunit_config_prefix="$withval", cppunit_config_prefix="") AC_ARG_WITH(cppunit-exec-prefix,[ --with-cppunit-exec-prefix=PFX Exec prefix where CppUnit is installed (optional)], cppunit_config_exec_prefix="$withval", cppunit_config_exec_prefix="") if test x$cppunit_config_exec_prefix != x ; then cppunit_config_args="$cppunit_config_args --exec-prefix=$cppunit_config_exec_prefix" if test x${CPPUNIT_CONFIG+set} != xset ; then CPPUNIT_CONFIG=$cppunit_config_exec_prefix/bin/cppunit-config fi fi if test x$cppunit_config_prefix != x ; then cppunit_config_args="$cppunit_config_args --prefix=$cppunit_config_prefix" if test x${CPPUNIT_CONFIG+set} != xset ; then CPPUNIT_CONFIG=$cppunit_config_prefix/bin/cppunit-config fi fi AC_PATH_PROG(CPPUNIT_CONFIG, cppunit-config, no) cppunit_version_min=$1 AC_MSG_CHECKING(for Cppunit - version >= $cppunit_version_min) no_cppunit="" if test "$CPPUNIT_CONFIG" = "no" ; then AC_MSG_RESULT(no) no_cppunit=yes else CPPUNIT_CFLAGS=`$CPPUNIT_CONFIG --cflags` CPPUNIT_LIBS=`$CPPUNIT_CONFIG --libs` cppunit_version=`$CPPUNIT_CONFIG --version` cppunit_major_version=`echo $cppunit_version | \ sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\1/'` cppunit_minor_version=`echo $cppunit_version | \ sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\2/'` cppunit_micro_version=`echo $cppunit_version | \ sed 
's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\3/'` cppunit_major_min=`echo $cppunit_version_min | \ sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\1/'` if test "x${cppunit_major_min}" = "x" ; then cppunit_major_min=0 fi cppunit_minor_min=`echo $cppunit_version_min | \ sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\2/'` if test "x${cppunit_minor_min}" = "x" ; then cppunit_minor_min=0 fi cppunit_micro_min=`echo $cppunit_version_min | \ sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\3/'` if test "x${cppunit_micro_min}" = "x" ; then cppunit_micro_min=0 fi cppunit_version_proper=`expr \ $cppunit_major_version \> $cppunit_major_min \| \ $cppunit_major_version \= $cppunit_major_min \& \ $cppunit_minor_version \> $cppunit_minor_min \| \ $cppunit_major_version \= $cppunit_major_min \& \ $cppunit_minor_version \= $cppunit_minor_min \& \ $cppunit_micro_version \>= $cppunit_micro_min ` if test "$cppunit_version_proper" = "1" ; then AC_MSG_RESULT([$cppunit_major_version.$cppunit_minor_version.$cppunit_micro_version]) else AC_MSG_RESULT(no) no_cppunit=yes fi fi if test "x$no_cppunit" = x ; then ifelse([$2], , :, [$2]) else CPPUNIT_CFLAGS="" CPPUNIT_LIBS="" ifelse([$3], , :, [$3]) fi AC_SUBST(CPPUNIT_CFLAGS) AC_SUBST(CPPUNIT_LIBS) ]) fwbuilder-5.3.7/acsite.m4000066400000000000000000000143571303637203600152400ustar00rootroot00000000000000dnl dnl $Id: acsite.m4 808 2004-09-08 05:34:53Z vkurland $ dnl dnl Test files define( [AC_TEST_FILES], [ ac_file_found=yes for f in $1; do if test ! 
-f $2/$f; then ac_file_found=no break; fi done if test "$ac_file_found" = "yes" ; then ifelse([$3], , :,[$3]) else ifelse([$4], , :,[$4]) fi ]) dnl Search for headers, add path to CPPFLAGS if found define( [AC_SEARCH_HEADERS], [ AC_MSG_CHECKING("for $1") ac_hdr_found=no for p in $2; do AC_TEST_FILES($1, $p, [ ac_hdr_found=yes break ] ) done if test "$ac_hdr_found" = "yes" ; then CPPFLAGS="$CPPFLAGS -I$p" AC_MSG_RESULT( [($p) yes] ) ifelse([$3], , :,[$3]) else AC_MSG_RESULT("no") ifelse([$4], , :,[$4]) fi ]) dnl checks for ucd-snmp or netsnmp library and sets dnl vars LIBSNMP_LIBS and HAVE_LIBSNMP dnl dnl call like this: dnl AC_CHECK_LIBSNMP ( snmp ) dnl AC_CHECK_LIBSNMP ( netsnmp ) dnl define( [AC_CHECK_LIBSNMP], [ ac_snmplib_name="$1" ac_snmplib_name=`echo ${ac_snmplib_name} | tr -d " "` AC_CHECK_LIB($ac_snmplib_name, init_snmp, [ LIBSNMP_LIBS="-l$ac_snmplib_name" HAVE_LIBSNMP="1" AC_DEFINE(HAVE_LIBSNMP) ],[ if test "${ac_cv_lib_snmp_init_snmp+set}" = "set"; then unset ac_cv_lib_snmp_init_snmp fi save_LIBS="$LIBS" LIBS="$LIBS -lcrypto" AC_CHECK_LIB($ac_snmplib_name, init_snmp, [ LIBS="$save_LIBS" LIBSNMP_LIBS="-lcrypto -l$ac_snmplib_name" HAVE_LIBSNMP="1" AC_DEFINE(HAVE_LIBSNMP) ],[ echo dnl if test "${ac_cv_lib_snmp_init_snmp+set}" = "set"; then dnl unset ac_cv_lib_snmp_init_snmp dnl fi dnl dnl save_LIBS="$LIBS" dnl LIBS="$LIBS -ldes" dnl AC_CHECK_LIB($ac_snmplib_name, init_snmp, dnl [ dnl LIBS="$save_LIBS" dnl LIBSNMP_LIBS="-ldes -l$ac_snmplib_name" dnl HAVE_LIBSNMP="1" dnl AC_DEFINE(HAVE_LIBSNMP) dnl ]) ]) ]) dnl if test "Z$HAVE_LIBSNMP" != "Z"; then dnl AC_CHECK_LIB($ac_snmplib_name, snprint_objid, [ dnl AC_DEFINE(HAVE_SNPRINT_OBJID) dnl ]) dnl fi ]) define( [AC_CHECK_GETHOSTBYNAME_R], [ ac_define_this="$1" if test -z "$ac_define_this"; then ac_define_this="__FWB_DUMMY__"; fi AC_MSG_CHECKING(if gethostbyname_r takes 3 arguments) AC_TRY_COMPILE([ #define $ac_define_this #include ],[ char *name; struct hostent *he; struct hostent_data data; (void) 
gethostbyname_r(name, he, &data); ], AC_MSG_RESULT(yes) AC_DEFINE(HAVE_FUNC_GETHOSTBYNAME_R_3) ac_cv_func_which_gethostname_r="3", [ dnl ac_cv_func_which_gethostname_r=no AC_MSG_RESULT(no) AC_MSG_CHECKING(if gethostbyname_r takes 6 arguments) AC_TRY_COMPILE([ #define $ac_define_this #include ],[ char *name; struct hostent *he, *res; char buffer[2048]; int buflen = 2048; int h_errnop; (void) gethostbyname_r(name, he, buffer, buflen, &res, &h_errnop) ], AC_MSG_RESULT(yes) AC_DEFINE(HAVE_FUNC_GETHOSTBYNAME_R_6) ac_cv_func_which_gethostname_r="6", [ dnl ac_cv_func_which_gethostname_r=no AC_MSG_RESULT(no) AC_MSG_CHECKING(if gethostbyname_r takes 5 arguments) AC_TRY_COMPILE([ #define $ac_define_this #include ],[ char *name; struct hostent *he; char buffer[2048]; int buflen = 2048; int h_errnop; (void) gethostbyname_r(name, he, buffer, buflen, &h_errnop) ], AC_MSG_RESULT(yes) AC_DEFINE(HAVE_FUNC_GETHOSTBYNAME_R_5) ac_cv_func_which_gethostname_r="5", [ AC_MSG_RESULT(no) ac_cv_func_which_gethostname_r=no]) ]) ] ,ac_cv_func_which_gethostname_r=no) ]) dnl check for number of arguments to gethostbyaddr_r. it might take dnl 5, 7, or 8 arguments. 
define( [AC_CHECK_GETHOSTBYADDR_R], [ ac_define_this="$1" if test -z "$ac_define_this"; then ac_define_this="__FWB_DUMMY__"; fi AC_MSG_CHECKING(if gethostbyaddr_r takes 5 arguments) AC_TRY_COMPILE([ #define $ac_define_this #include #include ],[ char * address; int length; int type; struct hostent h; struct hostent_data hdata; int rc; rc = gethostbyaddr_r(address, length, type, &h, &hdata); ],[ AC_MSG_RESULT(yes) AC_DEFINE(HAVE_GETHOSTBYADDR_R_5) ac_cv_gethostbyaddr_args=5 ],[ AC_MSG_RESULT(no) AC_MSG_CHECKING(if gethostbyaddr_r takes 7 arguments) AC_TRY_COMPILE([ #define $ac_define_this #include #include ],[ char * address; int length; int type; struct hostent h; char buffer[8192]; int h_errnop; struct hostent * hp; hp = gethostbyaddr_r(address, length, type, &h, buffer, 8192, &h_errnop); ],[ AC_MSG_RESULT(yes) AC_DEFINE(HAVE_GETHOSTBYADDR_R_7) ac_cv_gethostbyaddr_args=7 ],[ AC_MSG_RESULT(no) AC_MSG_CHECKING(if gethostbyaddr_r takes 8 arguments and first arg is (in_addr*)) AC_TRY_COMPILE([ #define $ac_define_this #include #include ],[ struct in_addr *address; int length; int type; struct hostent h; char buffer[8192]; int h_errnop; struct hostent * hp; int rc; rc = gethostbyaddr_r(address, length, type, &h, buffer, 8192, &hp, &h_errnop); ],[ AC_MSG_RESULT(yes) AC_DEFINE(HAVE_GETHOSTBYADDR_R_8) AC_DEFINE(GETHOSTBYADDR_FIRST_ARG_VOIDPTR) ac_cv_gethostbyaddr_first_arg="voidptr" ac_cv_gethostbyaddr_args=8 ],[ AC_MSG_RESULT(no) AC_MSG_CHECKING(if gethostbyaddr_r takes 8 arguments and first arg is (char*)) AC_TRY_COMPILE([ #define $ac_define_this #include #include ],[ char * address; int length; int type; struct hostent h; char buffer[8192]; int h_errnop; struct hostent * hp; int rc; rc = gethostbyaddr_r(address, length, type, &h, buffer, 8192, &hp, &h_errnop); ],[ AC_MSG_RESULT(yes) AC_DEFINE(HAVE_GETHOSTBYADDR_R_8) AC_DEFINE(GETHOSTBYADDR_FIRST_ARG_CHARPTR) ac_cv_gethostbyaddr_first_arg="charptr" ac_cv_gethostbyaddr_args=8 ],[ AC_MSG_RESULT(no) 
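have_missing_r_funcs="$have_missing_r_funcs gethostbyaddr_r" ac_cv_gethostbyaddr_args=no ]) ]) ]) ]) ]) ])
fwbuilder-5.3.7/autogen.sh000077500000000000000000000022271303637203600155200ustar00rootroot00000000000000
#!/bin/sh
# Bootstrap the autotools build: find GNU make, libtoolize, aclocal and
# autoconf, regenerate "configure", then run it.
#
# Usage:       ./autogen.sh [configure options...]
# Environment: CFGARGS - extra options placed before the command-line
#              options when ./configure is run (may hold several words)
# Exits non-zero when a required tool is missing or a generator fails.
#
# Kept POSIX sh (no bashisms): this script is run with /bin/sh on macOS.

# Locate GNU make under the names used on the supported platforms.
MAKE=$(command -v gnumake 2>/dev/null)
if test ! -x "$MAKE"; then MAKE=$(command -v gmake 2>/dev/null); fi
if test ! -x "$MAKE"; then MAKE=$(command -v make 2>/dev/null); fi

if test -z "$MAKE" || test ! -x "$MAKE"; then
    echo "Could not find GNU make on this system, can not proceed with build."
    exit 1
fi
# Only GNU make identifies itself this way; BSD make is not sufficient.
HAVE_GNU_MAKE=$("$MAKE" --version | grep -c "Free Software Foundation")
if test "$HAVE_GNU_MAKE" != "1"; then
    echo "Could not find GNU make on this system, can not proceed with build."
    exit 1
else
    echo "Found GNU Make at $MAKE ... good."
fi

if test ! -x "$(command -v aclocal 2>/dev/null)"; then
    echo "You need aclocal and autoconf to generate configure and Makefile."
    echo "Please install autoconf package."
    exit 1
fi

# Homebrew installs GNU libtool with a "g" prefix to avoid clashing with
# Apple's libtool.
if test -x "$(command -v libtoolize 2>/dev/null)"; then
    LIBTOOLIZE="libtoolize"
elif test -x "$(command -v glibtoolize 2>/dev/null)"; then
    LIBTOOLIZE="glibtoolize"
else
    echo "You need libtoolize to generate autoconf and libtool scripts."
    echo "Please install libtool package."
    exit 1
fi

# Newer libtoolize accepts --install; older releases reject it, so probe
# with a dry run before deciding which argument set to use.
if "$LIBTOOLIZE" --dry-run --install > /dev/null 2>&1; then
    LIBTOOLIZE_ARGS="--force --copy --install"
else
    LIBTOOLIZE_ARGS="--force --copy"
fi

echo "This script runs configure ..."

# LIBTOOLIZE_ARGS is intentionally unquoted: it carries several options.
"$LIBTOOLIZE" $LIBTOOLIZE_ARGS || exit 1
command -v acinclude >/dev/null 2>&1 && acinclude
command -v aclocal >/dev/null 2>&1 && aclocal
# A failed autoconf would otherwise leave a stale "configure" to be run.
autoconf || exit 1

# "$@" keeps each configure option intact even when it contains spaces;
# CFGARGS stays unquoted on purpose so it can carry several options.
./configure ${CFGARGS} "$@"
fwbuilder-5.3.7/build_mac.sh000077500000000000000000000042541303637203600157770ustar00rootroot00000000000000
#!/bin/bash
# Build Firewall Builder on macOS and assemble a self-contained .app bundle:
# configure and compile, copy the GUI bundle to the source root, add the
# resources and the per-platform policy compilers, strip the binaries and
# let macdeployqt pull the Qt frameworks into the bundle.
#
# Requires qmake and macdeployqt on PATH. Run from the source root.
# Exits non-zero on the first failing step.
set -euo pipefail

export QMAKE_MAC_SDK="macosx"
export QMAKESPEC="macx-clang"
export QMAKE_MACOSX_DEPLOYMENT_TARGET=10.9

./autogen.sh

echo "==> Compiling"
# one make job per CPU plus one
JOBS=$(sysctl -n hw.ncpu | awk '{ print $1 + 1 }')
export JOBS
make -j"${JOBS}"

FWBUILDER_ROOT_DIR=$(pwd)

# Exactly one GUI bundle is expected under src/gui. A glob (rather than
# parsing "ls -d") keeps a path containing spaces as a single word.
shopt -s nullglob
bundle_dirs=("${FWBUILDER_ROOT_DIR}"/src/gui/*.app)
shopt -u nullglob
if (( ${#bundle_dirs[@]} == 0 )); then
  echo "Cannot find GUI bundle. My best guess was in ${FWBUILDER_ROOT_DIR}/src/gui/" >&2
  exit 1
elif (( ${#bundle_dirs[@]} > 1 )); then
  echo "Expected exactly one .app bundle in ${FWBUILDER_ROOT_DIR}/src/gui/, found: ${bundle_dirs[*]}" >&2
  exit 1
fi
TMP_BUNDLE_DIR=${bundle_dirs[0]}
TMP_BUNDLE=$(basename "${TMP_BUNDLE_DIR}")

# ":?" makes the shell abort instead of running rm -rf on an empty name.
rm -rf -- "${TMP_BUNDLE:?}"

echo "==> Copying base bundle"
cp -R "${FWBUILDER_ROOT_DIR}/src/gui/${TMP_BUNDLE}" .

echo "==> Copying resources and libraries into bundle"
RES="${TMP_BUNDLE}/Contents/Resources"
mkdir -p "${RES}"/{os,platform,help,configlets,migration}
cp -R "${FWBUILDER_ROOT_DIR}"/src/res/{*.xml,os,platform,help,configlets} "${RES}/"
cp "${FWBUILDER_ROOT_DIR}/src/libfwbuilder/etc/fwbuilder.dtd" "${RES}/"
cp "${FWBUILDER_ROOT_DIR}"/src/libfwbuilder/migration/*.xslt "${RES}/migration/"

echo "==> Copying binaries into bundle"
BIN="${TMP_BUNDLE}/Contents/MacOS"
cp "${FWBUILDER_ROOT_DIR}/src/fwbedit/fwbedit.app/Contents/MacOS/fwbedit" "${BIN}/"
# one policy compiler per supported firewall platform
for compiler in ipt pf ipf ipfw iosacl nxosacl pix procurve_acl junosacl; do
  cp "${FWBUILDER_ROOT_DIR}/src/${compiler}/fwb_${compiler}.app/Contents/MacOS/fwb_${compiler}" "${BIN}/"
done
chmod +x "${BIN}"/fwb*

echo "==> Stripping binaries"
strip "${BIN}"/*

echo "==> Running macdeployqt"
# Every extra executable must be listed so macdeployqt also rewrites its
# library search paths to the frameworks inside the bundle.
deploy_args=()
for exe in fwbedit fwb_ipt fwb_pf fwb_ipf fwb_ipfw fwb_iosacl fwb_nxosacl fwb_pix fwb_procurve_acl fwb_junosacl; do
  deploy_args+=("-executable=${BIN}/${exe}")
done
macdeployqt "${TMP_BUNDLE}" "${deploy_args[@]}"

echo "==> Done"
echo "# open ${TMP_BUNDLE}/"
fwbuilder-5.3.7/build_mxe-w32.sh000077500000000000000000000007171303637203600164370ustar00rootroot00000000000000#!/bin/bash JOBS=$(nproc --all) export PATH=/usr/lib/mxe/usr/bin:$PATH export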
TOOLCHAIN_PREFIX=/usr/lib/mxe/usr/i686-w64-mingw32.shared ./autogen.sh \ --with-xml2-config=/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/xml2-config \ --with-xslt-config=/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/xslt-config \ --with-qtdir=/usr/lib/mxe/usr/i686-w64-mingw32.shared/qt5 \ --host=i686-w64-mingw32.shared make -j${JOBS} makensis -nocd packaging/fwbuilder.nsi fwbuilder-5.3.7/config.h.in000066400000000000000000000042411303637203600155400ustar00rootroot00000000000000 #include "VERSION.h" #undef BUILD_NUM /* Define if you have the header file. */ #undef HAVE_X11_SM_SMLIB_H /* Name of package */ #undef PACKAGE /* OS */ #undef OS /* OS */ #undef OS_CYGWIN #undef OS_MINGW #undef OS_MACOSX #undef OS_SOLARIS #undef OS_FREEBSD #undef OS_OPENBSD #undef OS_LINUX #undef OS_UNKNOWN #if defined(OS_SOLARIS) || defined(OS_FREEBSD) || defined(OS_OPENBSD) || defined(OS_LINUX) || defined(OS_MACOSX) #define OS_UNIX 1 #endif #if defined(_WIN32) #define OS_WIN32 1 #endif /* distribution (for Linux) */ #undef DISTRO /* prefix dir */ #undef PREFIX #define MANIFEST_MARKER "# files: " #undef RCS_DIR #undef RCS_FILE_NAME #undef RCSDIFF_FILE_NAME #undef RLOG_FILE_NAME #undef CI_FILE_NAME #undef CO_FILE_NAME #undef HAVE_LOCALE_H #undef HAVE_GETOPT_H #undef HAVE_SETLOCALE #undef HAVE_SETENV #undef HAVE_PUTENV #undef HAVE_SIGNAL #undef HAVE_SIGNAL_H #undef HAVE_PTY_H #undef HAVE_LIBUTIL_H #undef HAVE_UTIL_H #undef HAVE_UNISTD_H #ifdef HAVE_GETOPT_H # define HAVE_DECL_GETOPT HAVE_GETOPT_H #endif #undef HAVE_STRUCT_TM_TM_ZONE #undef TM_IN_SYS_TIME #undef HAVE_FORKPTY #undef HAVE_CFMAKERAW /* * This is needed for Solaris */ #undef __PRAGMA_REDEFINE_EXTNAME #undef HAVE_CATGETS #undef HAVE_GETTEXT #undef HAVE_LC_MESSAGES #undef HAVE_STPCPY #undef HAVE_LIBSM #undef HAVE_MEMPCPY #undef HAVE_STRCHR #undef HAVE_ANTLR_RUNTIME #undef HAVE_QTDBUS #undef HAVE_CPPUNIT /* * on some platforms (OpenBSD) the second parameter to dlopen is different */ #undef DLOPEN_MODE #if 0 #ifdef __cplusplus using 
namespace std; /* #ifndef __STD #define __STD std #endif */ #endif #endif #ifdef _WIN32 #define SNPRINTF _snprintf #define VSNPRINTF _vsnprintf #define WINVER 0x0502 #define PACKAGE_LOCALE_DIR "" #define PACKAGE_DATA_DIR "" #define PACKAGE_SOURCE_DIR "" /* * Normally this macro defines directory where system-wide QT * translations are installed. We do not use it on win32 since * we can't assume user has QT installed on their machine. */ #define QTTRANSLATIONSDIR "." #else #undef PACKAGE_LOCALE_DIR #undef PACKAGE_DATA_DIR #undef PACKAGE_SOURCE_DIR #define SNPRINTF snprintf #define VSNPRINTF vsnprintf #endif fwbuilder-5.3.7/config_tests/000077500000000000000000000000001303637203600162035ustar00rootroot00000000000000fwbuilder-5.3.7/config_tests/qtdbus_test.cpp000066400000000000000000000002611303637203600212470ustar00rootroot00000000000000 #include #include #include main() { QApplication app(); QDBusConnection conn = QDBusConnection::systemBus(); } fwbuilder-5.3.7/config_tests/qtdbus_test.pro000066400000000000000000000002561303637203600212710ustar00rootroot00000000000000# -*- mode: makefile; tab-width: 4; -*- TEMPLATE = app unix { !macx: QT += network dbus macx: LIBS += -framework QtDBus } SOURCES = qtdbus_test.cpp TARGET = qtdbus_test fwbuilder-5.3.7/configure.in000066400000000000000000000437731303637203600160430ustar00rootroot00000000000000dnl $Id: configure.in,v 1.70 2007/06/07 02:33:53 vkurland Exp $ AC_INIT AC_CONFIG_SRCDIR([src/gui/main.cpp]) AC_CANONICAL_TARGET AC_CONFIG_HEADER(config.h) AC_CONFIG_HEADER(src/libfwbuilder/src/fwbuilder/libfwbuilder-config.h) PACKAGE=fwbuilder AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [package]) AC_SUBST(PACKAGE) LT_INIT AC_CONFIG_MACRO_DIR([m4]) dnl dnl all version numbers are defined in the file VERSION dnl . 
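./VERSION
dnl (the "." that sources ./VERSION is the last token of the preceding line;
dnl VERSION is a shell fragment, so sourcing it executes whatever it contains)
dnl
dnl Everything below uses the variables set by the sourced VERSION file.
RELEASE_NUM=$BUILD_NUM
GENERATION_SHORT=$(echo $GENERATION | sed 's/\.//')
AC_DEFINE_UNQUOTED(BUILD_NUM, "$BUILD_NUM")
AC_SUBST(BUILD_NUM)
AC_SUBST(RELEASE_NUM)
AC_SUBST(FWB_MAJOR_VERSION)
AC_SUBST(FWB_MINOR_VERSION)
AC_SUBST(FWB_MICRO_VERSION)
AC_SUBST(FWB_VERSION)
AC_SUBST(GENERATION)
AC_SUBST(GENERATION_SHORT)

# libfwbuilder versions
dnl AC_SUBST(LIBFWBUILDER_VERSION)
AC_SUBST(FWBUILDER_XML_VERSION)
AC_DEFINE_UNQUOTED(FWBUILDER_XML_VERSION, "$FWBUILDER_XML_VERSION")

dnl VERSION.h is written directly rather than through AC_CONFIG_FILES.
dnl The "<<EOF" heredoc operator had been lost in extraction (leaving
dnl "cat < VERSION.h"); it is restored here, the terminating EOF line
dnl being still present.
echo "Creating VERSION.h file..."
cat <<EOF > VERSION.h
#define VERSION "$VERSION"
#define GENERATION "$GENERATION"
EOF

dnl try to find QT
dnl
AC_ARG_WITH(qtdir,[  --with-qtdir=DIR        Specify directory path for QT ])
if test -n "$with_qtdir"; then
    AC_MSG_CHECKING(Using QT in )
    QTDIR="$with_qtdir"; export QTDIR
    AC_MSG_RESULT($QTDIR)
fi

# TODO: do we need to add $QTDIR/bin to PATH to find qmake?
dnl Add $QTDIR/bin only when QTDIR is set; the unconditional form produced
dnl a spurious "/bin/" search-path entry when QTDIR was empty.
EXTENDED_PATH="/usr/local/bin:${QTDIR:+$QTDIR/bin/:}$PATH"

AC_ARG_WITH(qmake, [  --with-qmake=qmake      Specify the qmake to be used (debian qmake-qt4) ])
if test -n "$with_qmake"; then
    AC_PATH_PROG(QMAKE, $with_qmake, ,[$EXTENDED_PATH])
    if test -z "$QMAKE"; then
        AC_MSG_ERROR("Could not find qmake")
    fi
else
    AC_PATH_PROG(QMAKE, qmake, ,[$EXTENDED_PATH])
    if test -z "$QMAKE"; then
        AC_PATH_PROG(QMAKE, qmake-qt4, ,[$EXTENDED_PATH])
        if test -z "$QMAKE"; then
            AC_MSG_ERROR("Could not find qmake")
        fi
    fi
fi

dnl The awk pattern expects "qmake -v" to print a line containing
dnl "Using Qt version" with the version number as the fourth field.
AC_MSG_CHECKING(checking version of QT this qmake is part of)
qmake_version=`$QMAKE -v 2>&1 | awk '/Using Qt version/ { print $4;}'`
case $qmake_version in
    4.*)
        AC_MSG_RESULT( $qmake_version )
        ;;
    5.*)
        AC_MSG_RESULT( $qmake_version )
        ;;
    *)
        AC_MSG_ERROR( "$qmake_version -- v4.x or v5.x is required")
        ;;
esac

AC_ARG_WITH(templatedir, [  --with-templatedir=DIR  Specify directory path for fwbuilder template files ])
AC_ARG_WITH(docdir, [  --with-docdir=DIR       Specify directory path for fwbuilder documentation files ])
AC_ARG_WITH(datadir, [  --with-datadir=DIR      Specify directory path for fwbuilder data files ])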
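AC_C_BIGENDIAN(AC_DEFINE(WORDS_BIGENDIAN), AC_DEFINE(WORDS_LITTLEENDIAN), AC_MSG_ERROR(Failed to determine endianness!!))

LIBFWBUILDER_LIBDIR='-L${libdir}'

dnl
dnl Determine init dir and add definition to config.h. Program
dnl determines prefix name of the directory it was started from
dnl and prepends it to the RES_DIR
dnl
PREFIX=$ac_default_prefix
if test "x$prefix" != "xNONE"; then
    PREFIX=$prefix
fi
AC_DEFINE_UNQUOTED(PREFIX, "${PREFIX}", [prefix])
AC_SUBST(PREFIX)

AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [version])
AC_SUBST(VERSION)

AC_PROG_INSTALL
AC_ISC_POSIX
AC_PROG_CC
dnl AM_PROG_CC_STDC
AC_HEADER_STDC
AC_PROG_CPP
AC_PROG_CXX
AC_PROG_CXXCPP

dnl need this for intl to compile on FreeBSD and may be other platforms
AC_CHECK_FUNCS(strchr memcpy)

dnl AM_INIT_AUTOMAKE($PACKAGE, $VERSION)
dnl AC_CANONICAL_HOST
AC_PROG_MAKE_SET

dnl Check for GNU make
dnl
AC_MSG_CHECKING(whether make is GNU Make)
if ${MAKE-make} -q --version 2>/dev/null | grep '^GNU Make ' >/dev/null ; then
    AC_MSG_RESULT(yes)
else
    AC_MSG_RESULT(no)
    if test "$host_vendor" = "sun" ; then
        AC_MSG_ERROR("SUN make does not work for building Firewall Builder. Please install GNU make")
    fi
fi

dnl some platform-dependent flags
dnl
dnl e.g. we need to set -I/sw/include before check for GETTEXT
dnl
GUILINKFLAGS=
case "$build_os" in
    *solaris*)
        GUILINKFLAGS="-export-dynamic"
        ;;
esac
AC_SUBST(GUILINKFLAGS)

dnl
dnl forkpty is in libutil on Linux and BSD, while on Mac it is in libc
dnl
dnl NOTE(review): the header named in the prerequisite "#include" below was
dnl lost in extraction and has deliberately not been guessed at.
AC_CHECK_HEADERS( [pty.h libutil.h util.h],[],[],[#include ])
AC_CHECK_LIB(c,forkpty,[
    AC_DEFINE_UNQUOTED(HAVE_FORKPTY, 1, [forkpty])
],[
    AC_CHECK_LIB(util,forkpty,[
        AC_DEFINE_UNQUOTED(HAVE_FORKPTY, 1, [forkpty])
        LIBS="-lutil $LIBS"
    ],[
        AC_MSG_RESULT(["forkpty not found, will use emulation"])
    ],[])
],[])
AC_CHECK_LIB(c,cfmakeraw,[
    AC_DEFINE_UNQUOTED(HAVE_CFMAKERAW, 1, [cfmakeraw])
])

dnl standard LIBTOOL fragment
dnl
dnl commented out 12/20 - we now use qmake and do not need libtool
dnl
dnl AC_LIBTOOL_DLOPEN
dnl AC_PROG_LIBTOOL
dnl AC_SUBST(LIBTOOL_DEPS)
dnl AM_PROG_LIBTOOL
dnl AC_PROG_RANLIB

AC_CHECK_HEADERS([getopt.h])
AC_CHECK_HEADERS([signal.h])
AC_CHECK_HEADERS([endian.h])
AC_CHECK_FUNCS(strtok_r)
AC_CHECK_FUNCS(stat _stat signal)
AC_STRUCT_TM
AC_STRUCT_TIMEZONE
AC_SUBST(LIBS)

AC_LANG([C++])

AM_PATH_CPPUNIT(1.12.0, [HAVE_CPPUNIT="1"])
AC_DEFINE_UNQUOTED(HAVE_CPPUNIT, $HAVE_CPPUNIT)
AC_SUBST(HAVE_CPPUNIT)
AC_SUBST(CPPUNIT_CFLAGS)
AC_SUBST(CPPUNIT_LIBS)

dnl A check for antlr-runtime library used to be here but has been
dnl removed. We should always use antlr runtime code included with
dnl fwbuilder code tree because of the fixes I've done in
dnl CurcularQueue.hpp module for 64 bit systems. This problem seems to
dnl have been fixed in antlr v3 but until we convert all grammars to
dnl the new antlr, we have to use provided antlr 2.7.7 with these
dnl fixes. This means we can't use antlr runtime that comes with the
dnl OS even if it is installed.
ANTLR_INCLUDEPATH="`pwd`/src/"
ANTLR_LIBS="`pwd`/src/antlr/libantlr.a"
AC_SUBST(ANTLR_LIBS)
AC_SUBST(ANTLR_INCLUDEPATH)

dnl check for pthreads
dnl
dnl Somehow, standard macro tries -lpthreads, while pthread library really
dnl is "libpthread" on Linux. Thus only test using -pthread succeeds, but
dnl PTHREAD_LIBS macro ends up empty.
ACX_PTHREAD([
    test -z "$PTHREAD_LIBS" && test "$PTHREAD_CFLAGS" = "-pthread" && PTHREAD_LIBS="-pthread"
    echo "Found pthread library:"
    echo "PTHREAD_CFLAGS="$PTHREAD_CFLAGS
    echo "PTHREAD_LIBS="$PTHREAD_LIBS
] , [
    AC_MSG_ERROR([POSIX threads library not present or not configured])
])

dnl check for XML library
dnl
dnl Whatever --with-xml2-config names is executed.  A value that cannot be
dnl run used to yield empty flags silently and fail much later in the
dnl build; it is rejected here instead.
AC_ARG_WITH(xml2-config, [  --with-xml2-config=xml2-config  Specify the xml2-config to be used],
    [ XML2_CONFIG=$with_xml2_config ],
    [ AC_PATH_PROG(XML2_CONFIG, xml2-config, ,[$EXTENDED_PATH]) ])
if test x$XML2_CONFIG = x ; then
    AC_MSG_ERROR([libxml2 not present or not configured])
else
    case $XML2_CONFIG in
        yes|no) AC_MSG_ERROR([--with-xml2-config requires the path to xml2-config]) ;;
    esac
    $XML2_CONFIG --cflags >/dev/null 2>&1 || AC_MSG_ERROR([cannot run $XML2_CONFIG])
    XML_CFLAGS="`$XML2_CONFIG --cflags`"
    XML_LIBS="`$XML2_CONFIG --libs`"
fi
dnl -I/usr/include is dropped from the flags (presumably because listing the
dnl default include directory explicitly changes the header search order).
dnl The second expression also removes it at the end of the string, which
dnl the original space-terminated pattern missed.
XML_CFLAGS=`echo $XML_CFLAGS | sed -e 's/-I\/usr\/include //' -e 's/ *-I\/usr\/include$//'`
AC_SUBST(XML_CFLAGS)
AC_SUBST(XML_LIBS)

SAVE_LIBS=${LIBS}
LIBS="$XML_LIBS $LIBS"
AC_CHECK_FUNCS(xmlSaveFormatFileEnc)
LIBS=${SAVE_LIBS}

dnl check for XSLT library (same treatment as xml2-config above)
AC_ARG_WITH(xslt-config, [  --with-xslt-config=xslt-config  Specify the xslt-config to be used],
    [ XSLT_CONFIG=$with_xslt_config ],
    [ AC_PATH_PROG(XSLT_CONFIG, xslt-config, ,[$EXTENDED_PATH]) ])
if test x$XSLT_CONFIG = x ; then
    AC_MSG_ERROR([libxslt not present or not configured])
else
    case $XSLT_CONFIG in
        yes|no) AC_MSG_ERROR([--with-xslt-config requires the path to xslt-config]) ;;
    esac
    $XSLT_CONFIG --cflags >/dev/null 2>&1 || AC_MSG_ERROR([cannot run $XSLT_CONFIG])
    XSLT_CFLAGS="`$XSLT_CONFIG --cflags`"
    XSLT_LIBS="`$XSLT_CONFIG --libs`"
fi
XSLT_CFLAGS=`echo $XSLT_CFLAGS | sed -e 's/-I\/usr\/include //' -e 's/ *-I\/usr\/include$//'`

dnl
dnl purely aesthetic: xslt-config often reports the same flags as
dnl xml2-config
dnl
ac_xslt_var=""
for w in ${XSLT_CFLAGS}; do
    case " ${XML_CFLAGS} " in
        *\ $w\ *) ;;
        *) ac_xslt_var="$ac_xslt_var $w" ;;
    esac
done
XSLT_CFLAGS=$ac_xslt_var

ac_xslt_var=""
for w in ${XSLT_LIBS}; do
    case " ${XML_LIBS} " in
        *\ $w\ *) ;;
        *) ac_xslt_var="$ac_xslt_var $w" ;;
    esac
done
XSLT_LIBS=$ac_xslt_var

AC_SUBST(XSLT_CFLAGS)
AC_SUBST(XSLT_LIBS)

dnl libXslt header libxslt/xsltconfig.h only present in newer version of libxslt
dnl for instance it is not part of 1.0.1 but present in 1.0.7.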
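AC_CHECK_HEADERS(libxslt/xsltconfig.h)

dnl Check for bind specific headers and libraries
dnl if they are present, use them, rather than ones
dnl coming with libc.
dnl
dnl NOTE(review): the header names in the prerequisite "#include" lines
dnl below were lost in extraction and have deliberately not been guessed at.
AC_CHECK_HEADER(bind/resolv.h, [
    CPPFLAGS="$CPPFLAGS -I/usr/include/bind"
    HAVE_RESOLV_H=yes
] , [
    AC_CHECK_HEADER(/usr/local/bind/include/resolv.h, [
        CPPFLAGS="$CPPFLAGS -I/usr/local/bind/include/"
        HAVE_RESOLV_H=yes
    ], [
        AC_CHECK_HEADERS([resolv.h], [ HAVE_RESOLV_H=yes ], [], [
#include
#include
        ] )
    ] )
], [
#include
] )

LIB_RESOLV=""
HAVE_RES_NQUERY=""
AC_SUBST(LIB_RESOLV)

dnl
dnl prepare equivalents of *_CFLAGS variables for qmake
dnl qmake requires these to be without "-I"
dnl
dnl Strip "-I" only where it begins a word.  The previous 's/-I//g' removed
dnl those two characters anywhere in the string, so a path such as
dnl /opt/Qt-Install would have been corrupted.  The unquoted "echo $var"
dnl squeezes runs of whitespace to single spaces, so " -I" covers every
dnl non-initial word.
XML_CFLAGS_Q=`echo ${XML_CFLAGS} | sed -e 's/^-I//' -e 's/ -I/ /g'`
XSLT_CFLAGS_Q=`echo ${XSLT_CFLAGS} | sed -e 's/^-I//' -e 's/ -I/ /g'`
PTHREAD_CFLAGS_Q=`echo ${PTHREAD_CFLAGS} | sed -e 's/^-I//' -e 's/ -I/ /g'`
LIBS_Q=`echo ${LIBS} | sed -e 's/^-I//' -e 's/ -I/ /g'`
AC_SUBST(XML_CFLAGS_Q)
AC_SUBST(XSLT_CFLAGS_Q)
AC_SUBST(PTHREAD_CFLAGS_Q)
AC_SUBST(LIBS_Q)

dnl
dnl We also support "--with-ucdsnmp=no" and "--without-ucdsnmp"
dnl By default we assume user wants snmp support, provided script
dnl can find the library
dnl
dnl Just in case we support both --with-ucdsnmp and --with-ucd-snmp
dnl --vk
dnl
dnl Both spellings are declared so configure does not report them as
dnl unrecognized options; the with_* variables are consulted below as before.
AC_ARG_WITH(ucdsnmp,[  --without-ucdsnmp       Do not look for the net-snmp/ucd-snmp library])
AC_ARG_WITH(ucd-snmp,[  --without-ucd-snmp      Same as --without-ucdsnmp])
check_for_ucdsnmp=yes
if test x$with_ucdsnmp = xno ; then
    check_for_ucdsnmp=no
fi
if test x$with_ucd_snmp = xno ; then
    check_for_ucdsnmp=no
fi

if test $check_for_ucdsnmp = yes ; then
    dnl
    dnl net-snmp library includes script net-snmp-config which I use to determine cflags
    dnl and libs. Unfortunately even if this script is there and is used flags,
    dnl the program may still not link with the library. Currently having this problem on
    dnl FreeBSD 4.7 - after upgrade of openssl, code using net-snmp stopped linking. That
    dnl is why I still try to do linking test even if script is present.
    dnl
    dnl Testing for presence of includes and doing linking test assures that -devel
    dnl package is indeed installed (primitive test program could link with libsnmp.so
    dnl even if -devel package is not installed and headers are not there).
    dnl
    AC_PATH_PROG(NET_SNMP_CONFIG, net-snmp-config, ,[$EXTENDED_PATH])
    if test x$NET_SNMP_CONFIG != x ; then
        ac_LIBSNMP_LIBS="`$NET_SNMP_CONFIG --libs`"
        ac_LIBSNMP_CFLAGS="`$NET_SNMP_CONFIG --cflags`"
        AC_CHECK_LIB(netsnmp, init_snmp, [
            HAVE_LIBSNMP="1"
            AC_DEFINE(HAVE_LIBSNMP)
            NET_SNMP="1"
            AC_DEFINE(NET_SNMP)
            LIBSNMP_LIBS=$ac_LIBSNMP_LIBS
            LIBSNMP_CFLAGS=$ac_LIBSNMP_CFLAGS
            AC_CHECK_LIB(netsnmp, snprint_objid, [
                AC_DEFINE(HAVE_SNPRINT_OBJID)
            ], ,$ac_LIBSNMP_LIBS)
        ], ,$ac_LIBSNMP_LIBS)
    else
        dnl Fallback for the older ucd-snmp layout (AC_CHECK_LIBSNMP is a
        dnl project macro, not part of autoconf).
        AC_CHECK_HEADERS([ucd-snmp/asn1.h], [
            AC_CHECK_HEADER(ucd-snmp/snmp.h, [
                AC_CHECK_LIBSNMP( snmp )
                if test "Z$HAVE_LIBSNMP" != "Z"; then
                    UCD_SNMP="1"
                    AC_DEFINE(UCD_SNMP)
                    save_LIBS=$LIBS
                    LIBS="$LIBSNMP_LIBS $LIBS"
                    AC_CHECK_LIB(snmp, snprint_objid, [
                        AC_DEFINE(HAVE_SNPRINT_OBJID)
                    ])
                    LIBS=$save_LIBS
                fi
            ], ,[
#include
#include
            ])
        ])
    fi
    LIBS="${LIBSNMP_LIBS} ${LIBS}"
fi
AC_SUBST(LIBSNMP_LIBS)

AC_CHECK_LIB(c, inet_net_ntop, [
    AC_DEFINE_UNQUOTED(HAVE_INET_NET_NTOP, 1, [inet_net_ntop])
],[
    AC_CHECK_LIB(bind, inet_net_ntop, [
        AC_DEFINE_UNQUOTED(HAVE_INET_NET_NTOP, 1, [inet_net_ntop])
        LIBS="-lbind $LIBS"
    ])
],[])

AC_CHECK_LIB(z, gzopen, [ LIBS="-lz ${LIBS}"], [ AC_MSG_ERROR([libz library not found]) ])

dnl
dnl Determine init dir and add definition to config.h
dnl (this repeats the PREFIX computation done earlier in the file)
dnl
PREFIX=$ac_default_prefix
if test "x$prefix" != "xNONE"; then
    PREFIX=$prefix
fi

dnl ********************************************************************
if test "x$with_docdir" != "x"; then
    DOCDIR="${with_docdir}"
else
    DOCDIR="${PREFIX}/share/doc/fwbuilder-${VERSION}"
fi
DOCDIRPATH=`dirname ${DOCDIR}`

if test "x$with_datadir" != "x"; then
    DATADIR="${with_datadir}"
else
    DATADIR="${PREFIX}/share/"
fi
ICONSDIR=""

dnl do not insert spaces in these macros, even outside of []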
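AC_PATH_PROG(RCS_FILE_NAME,[rcs],[rcs],[$EXTENDED_PATH])
AC_PATH_PROG(RCSDIFF_FILE_NAME,[rcsdiff],[rcsdiff],[$EXTENDED_PATH])
AC_PATH_PROG(RLOG_FILE_NAME,[rlog],[rlog],[$EXTENDED_PATH])
AC_PATH_PROG(CI_FILE_NAME,[ci],[ci],[$EXTENDED_PATH])
AC_PATH_PROG(CO_FILE_NAME,[co],[co],[$EXTENDED_PATH])

AC_MSG_CHECKING(what OS this is)
case ${host} in
    *-*-cygwin*)
        OS=cygwin
        OS_CYGWIN=1
        AC_MSG_RESULT(Win32 cygwin)
        DEFAULT_RES_DIR="resources"
        ;;
    *-*-mingw32*)
        OS=mingw32
        OS_MINGW=1
        AC_MSG_RESULT(Win32 mingw)
        DEFAULT_RES_DIR="resources"
        dnl Windows targets always get bare tool names (presumably because a
        dnl path found on the build host is meaningless for the target).
        RCS_FILE_NAME="rcs.exe"
        RCSDIFF_FILE_NAME="rcsdiff.exe"
        RLOG_FILE_NAME="rlog.exe"
        CI_FILE_NAME="ci.exe"
        CO_FILE_NAME="co.exe"
        ;;
    *-*-darwin*)
        OS=MacOSX
        OS_MACOSX=1
        MANDIR="${PREFIX}/share/man/"
        AC_MSG_RESULT(MacOSX)
        DEFAULT_RES_DIR="../Resources"
        ;;
    *-*-solaris*)
        OS=Solaris
        OS_SOLARIS=1
        MANDIR="${PREFIX}/share/man/"
        AC_MSG_RESULT(Solaris)
        DEFAULT_RES_DIR="${PREFIX}/share/fwbuilder-${VERSION}"
        ;;
    *-*-freebsd*)
        OS=FreeBSD
        OS_FREEBSD=1
        MANDIR="${PREFIX}/man/"
        AC_MSG_RESULT(FreeBSD)
        DEFAULT_RES_DIR="${PREFIX}/share/fwbuilder-${VERSION}"
        ;;
    *-*-openbsd*)
        OS=OpenBSD
        OS_OPENBSD=1
        MANDIR="${PREFIX}/man/"
        AC_MSG_RESULT(OpenBSD)
        DEFAULT_RES_DIR="${PREFIX}/share/fwbuilder-${VERSION}"
        ;;
    *-*-kfreebsd*)
        OS=FreeBSD
        OS_FREEBSD=1
        if test -f /etc/debian_version ; then
            DISTRO=Debian
        else
            DISTRO="Unknown"
        fi
        MANDIR="${PREFIX}/share/man/"
        AC_MSG_RESULT($DISTRO GNU/kFreeBSD)
        DEFAULT_RES_DIR="${PREFIX}/share/fwbuilder-${VERSION}"
        ;;
    *-*-linux*)
        DEFAULT_RES_DIR="${PREFIX}/share/fwbuilder-${VERSION}"
        OS=Linux
        OS_LINUX=1
        if test -f /etc/debian_version ; then
            DISTRO=Debian
        elif test -f /etc/mandrake-release ; then
            DISTRO=Mandrake
        elif test -f /etc/slackware-version ; then
            DISTRO=Slackware
        elif test -f /etc/SuSE-release ; then
            DISTRO=SuSE
        elif test -f /etc/redhat-release ; then
            #
            # Mandrake has symlink /etc/redhat-release -> /etc/mandrake-release ,
            # so this check must be the last
            #
            DISTRO=RedHat
        else
            DISTRO="Unknown"
        fi
        MANDIR="${PREFIX}/share/man/"
        ICONSDIR="${DATADIR}/icons/hicolor/"
        AC_MSG_RESULT($DISTRO Linux)
        ;;
    *)
        OS=Unknown
        OS_UNKNOWN=1
        DISTRO=Unknown
        MANDIR="${PREFIX}/share/man/"
        AC_MSG_RESULT(Unknown)
        DEFAULT_RES_DIR="${PREFIX}/share/fwbuilder-${VERSION}"
        ;;
esac

if test "x$with_templatedir" != "x"; then
    RES_DIR="${with_templatedir}"
else
    RES_DIR="$DEFAULT_RES_DIR"
fi
AC_DEFINE_UNQUOTED(RES_DIR, "$RES_DIR", [res_dir])
AC_SUBST(RES_DIR)

dnl The RCS tool names are compiled into config.h (the defines below).
dnl AC_PATH_PROG falls back to the bare program name when the tool is not
dnl found, so a build host without RCS silently bakes "rcs", "ci", ... into
dnl the binaries, which then presumably have to resolve them through PATH
dnl at run time.  Make that fallback visible; Windows targets use bare
dnl names intentionally and are skipped.
if test "x$OS_MINGW" = "x"; then
    for ac_rcs_tool in "$RCS_FILE_NAME" "$RCSDIFF_FILE_NAME" "$RLOG_FILE_NAME" "$CI_FILE_NAME" "$CO_FILE_NAME"; do
        case $ac_rcs_tool in
            */*) ;;
            *) AC_MSG_WARN([$ac_rcs_tool not found: the bare name will be compiled in and looked up at run time]) ;;
        esac
    done
fi
AC_DEFINE_UNQUOTED(RCS_FILE_NAME, ["$RCS_FILE_NAME"], [rcs_file_name])
AC_DEFINE_UNQUOTED(RCSDIFF_FILE_NAME, ["$RCSDIFF_FILE_NAME"], [rcsdiff_file_name])
AC_DEFINE_UNQUOTED(RLOG_FILE_NAME, ["$RLOG_FILE_NAME"], [rlog_file_name])
AC_DEFINE_UNQUOTED(CI_FILE_NAME, ["$CI_FILE_NAME"], [ci_file_name])
AC_DEFINE_UNQUOTED(CO_FILE_NAME, ["$CO_FILE_NAME"], [co_file_name])

dnl prefix has bogus value while building RPM. Since program
dnl should incorporate full path to the templates directory into
dnl the code via config.h file, we need to keep track of
dnl this directory twice: TEMPLATE_DIR is what goes to config.h, while
dnl "install" Makefile targets will use $(prefix) to build install
dnl path
TEMPLATE_DIR=$RES_DIR
AC_DEFINE_UNQUOTED(LIBFWBUILDER_TEMPLATE_DIR, "${TEMPLATE_DIR}")
AC_SUBST(TEMPLATE_DIR)

AC_SUBST(OS)
AC_DEFINE_UNQUOTED(OS, "${OS}", [os])

dnl Each OS_* macro is defined only when the case above set the shell
dnl variable; the value is the string "1", which config.h.in's
dnl #if defined() tests do not inspect.  OS_SECUWALL is not set by the
dnl case above, so that define never fires here.
test -n "$OS_CYGWIN" && AC_DEFINE_UNQUOTED(OS_CYGWIN, "${OS_CYGWIN}", [cygwin])
test -n "$OS_MINGW" && AC_DEFINE_UNQUOTED(OS_MINGW, "${OS_MINGW}", [mingw])
test -n "$OS_MACOSX" && AC_DEFINE_UNQUOTED(OS_MACOSX, "${OS_MACOSX}", [macosx])
test -n "$OS_SOLARIS" && AC_DEFINE_UNQUOTED(OS_SOLARIS,"${OS_SOLARIS}",[solaris])
test -n "$OS_FREEBSD" && AC_DEFINE_UNQUOTED(OS_FREEBSD,"${OS_FREEBSD}",[freebsd])
test -n "$OS_OPENBSD" && AC_DEFINE_UNQUOTED(OS_OPENBSD,"${OS_OPENBSD}",[openbsd])
test -n "$OS_LINUX" && AC_DEFINE_UNQUOTED(OS_LINUX, "${OS_LINUX}", [linux])
test -n "$OS_SECUWALL" && AC_DEFINE_UNQUOTED(OS_SECUWALL, "${OS_SECUWALL}", [secuwall])
test -n "$OS_UNKNOWN" && AC_DEFINE_UNQUOTED(OS_UNKNOWN,"${OS_UNKNOWN}",[unknown])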
AC_SUBST(DISTRO)
AC_DEFINE_UNQUOTED(DISTRO, "${DISTRO}", [distro])
AC_SUBST(DOCDIRPATH)
AC_DEFINE_UNQUOTED(DOCDIRPATH, "${DOCDIRPATH}", [docdirpath])
AC_SUBST(DOCDIR)
AC_DEFINE_UNQUOTED(DOCDIR, "${DOCDIR}", [docdir])
AC_SUBST(DATADIR)
AC_SUBST(MANDIR)
AC_SUBST(ICONSDIR)

dnl ccache is picked up whenever it is installed unless --with-ccache=no
dnl (or --without-ccache) is given.  When it is used, "ccache -s" prints
dnl the cache statistics into the configure output.
AC_ARG_WITH(ccache,[  --with-ccache=yes       Use ccache to speed up repeated compilation])
if test "x$with_ccache" = "xno"; then
    CCACHE=""
else
    AC_PATH_PROG(CCACHE, ccache, , )
    if test -n "$CCACHE"; then
        ccache -s
    fi
fi
AC_SUBST(CCACHE)

dnl distcc: --with-distcc=N uses distcc with N parallel jobs.  With no
dnl option at all, distcc is still used when installed and its own
dnl "distcc -j" estimate becomes the job count (if that prints nothing,
dnl DISTCC stays unset).  --with-distcc=no leaves DISTCC unset.
AC_ARG_WITH(distcc,[  --with-distcc=N         Use distcc with N parallel make count])
case "x$with_distcc" in
    xno)
        ;;
    x)
        AC_PATH_PROG(HAVE_DISTCC, distcc, , )
        if test -n "$HAVE_DISTCC"; then
            M_J=$(distcc -j 2>/dev/null)
            if test -n "$M_J"; then
                DISTCC=$HAVE_DISTCC
                PARALLEL_MAKE_COUNT=$M_J
            fi
        fi
        ;;
    *)
        AC_PATH_PROG(HAVE_DISTCC, distcc, , )
        if test -n "$HAVE_DISTCC"; then
            DISTCC=$HAVE_DISTCC
            PARALLEL_MAKE_COUNT=$with_distcc
        fi
        ;;
esac
AC_SUBST(DISTCC)
AC_SUBST(PARALLEL_MAKE_COUNT)

AC_CONFIG_FILES([
    qmake.inc
    src/res/objects_init.xml
    src/res/templates.xml
    src/libfwbuilder/qmake.inc
    src/libfwbuilder/etc/fwbuilder.dtd
    packaging/fwbuilder.control
    packaging/fwbuilder.spec
    packaging/fwbuilder-static-qt.spec
    packaging/fwbuilder.nsi])
AC_OUTPUT

dnl qmake is driven by a helper script once the autoconf outputs exist.
# QMAKE=$QMAKE CCACHE=$CCACHE QTDIR=$QTDIR ./runqmake.sh
QMAKE=$QMAKE QTDIR=$QTDIR ./runqmake.sh
fwbuilder-5.3.7/debian/000077500000000000000000000000001303637203600147365ustar00rootroot00000000000000
fwbuilder-5.3.7/debian/changelog000066400000000000000000000546121303637203600166170ustar00rootroot00000000000000
fwbuilder (5.3.6-1) unstable; urgency=low
  * JunOS fix for /128 netmask on IPv6 issue.
  * JunOS fix ssh password prompt.
-- Sirius Bakke Tue, 10 Mar 2015 16:40:00 +0200 fwbuilder (5.3.3-0.rc1) unstable; urgency=low * 5.3.3-rc1 from upstream. * Bugfixes. -- Morten Knutsen Tue, 20 Jan 2015 14:18:00 +0200 fwbuilder (5.3.2-1) unstable; urgency=low * JunOS fix for icmpv6 issue. -- Morten Knutsen Fri, 24 Oct 2014 09:18:00 +0200 fwbuilder (5.3.1-1) unstable; urgency=low * Various JunOS fixes. -- Morten Knutsen Tue, 30 Sep 2014 12:38:33 +0200 fwbuilder (5.3.0-2) unstable; urgency=low * Add missing binaries. -- Morten Knutsen Wed, 24 Sep 2014 15:38:33 +0200 fwbuilder (5.3.0-1) unstable; urgency=low * Bump to newest version. -- Morten Knutsen Wed, 24 Sep 2014 13:38:33 +0200 fwbuilder (5.1.0-3) unstable; urgency=low * generation of firewall was missing due to the removal of fwblookup Merci beaucoup à Roland Mas (Closes: #678006) -- Sylvestre Ledru Tue, 19 Jun 2012 11:38:33 +0200 fwbuilder (5.1.0-2) unstable; urgency=low * ACK NMU (thanks) * Fix the FTBFS under HURD -- Sylvestre Ledru Sun, 17 Jun 2012 22:37:12 +0200 fwbuilder (5.1.0-1.1) unstable; urgency=low * Non maintainer upload * Fix build failure with GCC 4.7 (Ilya Barygin). Closes: #674349. 
-- Matthias Klose Tue, 29 May 2012 09:23:33 +0000 fwbuilder (5.1.0-1) unstable; urgency=low * New upstream release * Standards-Version updated to version 3.9.3 -- Sylvestre Ledru Fri, 13 Apr 2012 14:32:30 +0200 fwbuilder (5.0.1-1) unstable; urgency=low * New upstream release -- Sylvestre Ledru Mon, 26 Dec 2011 19:42:33 +0100 fwbuilder (5.0.0-1) unstable; urgency=low * New upstream release -- Sylvestre Ledru Sat, 17 Sep 2011 13:00:26 +0200 fwbuilder (4.2.2-1) unstable; urgency=low * New upstream release (important regression) -- Sylvestre Ledru Thu, 12 May 2011 08:50:42 +0200 fwbuilder (4.2.1-1) unstable; urgency=low * New upstream release * netfilter-extensions-source added as suggests of fwbuilder (Closes: #605613) * Migration files were not installed (Closes: #626276) -- Sylvestre Ledru Tue, 10 May 2011 23:57:04 +0200 fwbuilder (4.2.0-1) unstable; urgency=low * New upstream release (no longer need the separate package libfwbuilder) * Standards-Version updated to version 3.9.2 * Update of the watch file * Switch to dpkg-source 3.0 (quilt) format -- Sylvestre Ledru Sun, 08 May 2011 19:41:21 +0200 fwbuilder (4.1.3-2) unstable; urgency=low * Upload in unstable -- Sylvestre Ledru Mon, 07 Feb 2011 17:19:10 +0100 fwbuilder (4.1.3-1) experimental; urgency=low * New upstream release * Missing files added (Closes: #601877) -- Sylvestre Ledru Sat, 11 Dec 2010 11:43:37 +0100 fwbuilder (4.1.2-1) unstable; urgency=low * New upstream release -- Sylvestre Ledru Tue, 12 Oct 2010 21:48:53 +0200 fwbuilder (4.1.1-1) unstable; urgency=low * New upstream release (Closes: #594428) -- Sylvestre Ledru Thu, 26 Aug 2010 00:24:43 +0200 fwbuilder (4.1.0-1) unstable; urgency=low * New upstream release -- Sylvestre Ledru Mon, 16 Aug 2010 20:08:21 +0200 fwbuilder (4.0.2-2) unstable; urgency=low * Install some missing files (Closes: #591769) -- Sylvestre Ledru Sat, 07 Aug 2010 00:18:05 +0200 fwbuilder (4.0.2-1) unstable; urgency=low * New upstream release (Closes: #580760) * Standards-Version 
updated to version 3.9.1 -- Sylvestre Ledru Thu, 29 Jul 2010 13:10:13 +0200 fwbuilder (3.0.7-1) unstable; urgency=high * New upstream version * This new version fixes a security issue described in the bug report. This problem is likely to be in the package libfwbuilder but since both packages are tightly connected, need to upload also fwbuilder (Closes: #547390) * fwbuilder-dbg moved to Section: debug -- Sylvestre Ledru Sat, 19 Sep 2009 02:12:41 +0200 fwbuilder (3.0.6-1) unstable; urgency=low * New upstream version * Change of my email address since I am now DD * Removal of Torsten on his request * Standards-Version updated to 3.8.3 * DM-Upload-Allowed removed -- Sylvestre Ledru Sat, 29 Aug 2009 17:58:32 +0200 fwbuilder (3.0.5-2) unstable; urgency=low * One more time, I forgot to update the version of the libfwbuilder-dev dep -- Sylvestre Ledru Thu, 18 Jun 2009 00:57:05 +0200 fwbuilder (3.0.5-1) unstable; urgency=low * Artificial separation of fwbuilder-{linux,bsd,cisco} removed on the advice of upstream * New upstream version -- Sylvestre Ledru Tue, 09 Jun 2009 17:33:45 +0200 fwbuilder (3.0.4-2) unstable; urgency=low * Increase of the dep on libfwbuilder (3.0.3 => 3.0.4) (Closes: #522038) -- Sylvestre Ledru Tue, 31 Mar 2009 13:33:08 +0200 fwbuilder (3.0.4-1) unstable; urgency=low * New upstream version (damn it, I should have waited a few hours) -- Sylvestre Ledru Mon, 30 Mar 2009 10:03:18 +0200 fwbuilder (3.0.3-2) unstable; urgency=low * Misc depends added * Missing files in the doc (LP: #350673) * Standards-Version updated to 3.8.1 * fwbuilder-doc added to Recommands of fwbuilder -- Sylvestre Ledru Sun, 29 Mar 2009 22:51:38 +0200 fwbuilder (3.0.3-1) unstable; urgency=low * New upstream release -- Torsten Werner Sat, 27 Dec 2008 00:56:18 +0100 fwbuilder (3.0.2-1) unstable; urgency=low * New upstream release * Remove patch gcc-4.4.diff that has been applied upstream. * Update patch debug.diff. 
-- Torsten Werner Sun, 07 Dec 2008 13:11:31 +0100 fwbuilder (3.0.1-2) unstable; urgency=low * Add --with-qmake=qmake-qt4 to the configure argument list. (Closes: #505651) * Clean up debian/rules. * Update Build-Depends: libfwbuilder-dev (>= 3.0.1). * Add patch gcc-4.4.diff provided by Martin Michlmayr. (Closes: #505654) -- Torsten Werner Fri, 14 Nov 2008 10:57:25 +0100 fwbuilder (3.0.1-1) unstable; urgency=low * New upstream version (Closes: #501419) * Patch tmpdirsecurity.diff removed (script removed upstream) -- Sylvestre Ledru Tue, 07 Oct 2008 15:11:17 +0200 fwbuilder (3.0.0-1) unstable; urgency=low * New upstream version (Closes: #498640, #255071) * Missing (= ${binary:Version}) for fwbuilder-dbg (Closes: #497752) -- Sylvestre Ledru Tue, 09 Sep 2008 01:21:48 +0200 fwbuilder (2.1.19-6) unstable; urgency=low * debian/* cleanup -- Sylvestre Ledru Wed, 03 Sep 2008 11:22:02 +0200 fwbuilder (2.1.19-5) unstable; urgency=low * Fix a security issue. Thanks to Thijs Kinkhorst. (Closes: #496406) -- Sylvestre Ledru Mon, 25 Aug 2008 21:57:00 +0200 fwbuilder (2.1.19-4) unstable; urgency=low * Add binary package fwbuilder-dbg that ships debugging symbols. * Add patch debug.diff to avoid stripping the binaries during installation. * Bump up Standards-Version: 3.8.0 (no changes needed). -- Torsten Werner Sun, 24 Aug 2008 18:03:21 +0200 fwbuilder (2.1.19-3) unstable; urgency=low * Still issues with gcc 4.3 -- Sylvestre Ledru Fri, 30 May 2008 00:06:59 +0200 fwbuilder (2.1.19-2) unstable; urgency=low * Remove the dependency to libantlr-dev since the recoginition languages tools are included by fwbuilder and builds now with gcc-4.3. (Closes: #483236) -- Sylvestre Ledru Thu, 29 May 2008 00:35:06 +0200 fwbuilder (2.1.19-1) unstable; urgency=low * new upstream release * Remove our patch that has been applied upstream. -- Torsten Werner Wed, 21 May 2008 22:52:10 +0200 fwbuilder (2.1.18-2) unstable; urgency=low * Add DM-Upload-Allowed: yes to enable uploads by Sylvestre. 
* Install tools fwb_compile_all, fwb_install and its man pages. (Closes: #477074) * Add new package fwbuilder-cisco. -- Torsten Werner Wed, 07 May 2008 06:53:31 +0200 fwbuilder (2.1.18-1) unstable; urgency=low [ Sylvestre Ledru ] * New upstream version (Closes: #438084) [ Torsten Werner ] * Switch to cdbs. * Clean up Build-Depends. * Fix manpage fwbedit(1). -- Sylvestre Ledru Wed, 16 Apr 2008 19:55:56 +0200 fwbuilder (2.1.17-3) unstable; urgency=low * Add Build-Depends: libantlr-dev. (Closes: #474673) -- Torsten Werner Mon, 07 Apr 2008 20:14:08 +0200 fwbuilder (2.1.17-2) unstable; urgency=low * Clean up (Build-)Depends, Conflicts, and Replaces. * Remove all extra arguments when calling dpkg-gencontrol via dh_gencontrol. * Replace some dbs files by plain debhelper. * Update and reformat the README files. (Closes: #347370) * Add a desktop file thanks to Stephan Windmüller. (Closes: #465472) * Disable stripping of binaries in install.sh. (Closes: #436910) -- Torsten Werner Sat, 29 Mar 2008 13:13:53 +0100 fwbuilder (2.1.17-1) unstable; urgency=low [ Sylvestre Ledru ] * New upstream version (Closes: #417685, #376527, #419753, #409262, #470402, #255071) * Update of the watch file (Closes: #449727) * Cleanup lintian warnings * Fields Homepage, Vcs-Svn and Vcs-Browser added * Standards-Version updated to 3.7.3 * Torsten and Sylvestre added as (co-)maintainers [ Torsten Werner ] * Switch to debhelper 5. -- Torsten Werner Tue, 18 Mar 2008 21:17:54 +0100 fwbuilder (2.1.8-1) unstable; urgency=low * New upstream version (Closes: #3276527, #382596, #275450) * Fix libfwbuilder dependency (Closes: #341803) * Accepting NMUs (Closes: #385831, #376622) -- Jeremy T. Bouse Wed, 31 Jan 2007 18:28:40 -0500 fwbuilder (2.0.9-1.2) unstable; urgency=low * NMU. * Drop build dependency on g++-3.4. Closes: #385831. -- Matthias Klose Sun, 3 Sep 2006 18:04:21 +0200 fwbuilder (2.0.9-1.1) unstable; urgency=low * Non-maintainer upload. * Remove the unneccesary Build-Depends on automake. 
(Closes: #376622) -- Eric Dorland Sat, 2 Sep 2006 19:35:13 -0400 fwbuilder (2.0.9-1) unstable; urgency=low * New upstream version released (Closes: #327826). * Clean-up build environment to clear lintian issues * Surprise having fwbuilder-2.0.9 to build with libfwbuilder-2.0.9 solves the impatient bug reporting of FTBFS (Closes: #338113). * Rebuilding after libfwbuilder 2.0.9-2 corrects the shlibs to keep incompatible libfwbuilder libs from being installed so fwbuilder doesn't segfault on XSLT transformations it doesn't have available (Closes: #338293). * Uploading this package early with no real testing to please Steve Langasek and Roland Stigge. I'll fix any issues after my wedding! -- Jeremy T. Bouse Wed, 9 Nov 2005 09:26:10 -0800 fwbuilder (2.0.7-2) unstable; urgency=high * Corrects build issues from C++ ABI transition and Qt/KDE (Closes: #327963, #327365, #324874, #327017). -- Jeremy T. Bouse Fri, 30 Sep 2005 15:06:42 -0700 fwbuilder (2.0.7-1.1) unstable; urgency=low * Non-maintainer upload. * Rebuild for Qt/KDE and gcc 4.0 transition (Closes: #327963, #327017, #324874, #327365) -- Luk Claes Tue, 27 Sep 2005 17:48:12 +0200 fwbuilder (2.0.7-1) unstable; urgency=low * New upstream release (Closes: #293405) * src/gui/SSHPIX.cpp includes errno.h (Closes: #274817) * Issue of empty example/ directory as mentioned in #257706 has been addressed and is correctly included with fwbuilder-common. As the full wishlist has not been completed I'm leaving it open. If Someone wants to create a userland script that can take the fwbuiler default file and init.d script from examples/ along with the generated fwbuilder script and generate a .DEB for install as Goswin has proposed I will evaluate and include in next upload. -- Jeremy T. Bouse Sun, 12 Jun 2005 00:34:45 -0700 fwbuilder (2.0.3-2) unstable; urgency=low * Correct libfwbuilder-dev Build-Depend (Closes: #276533) -- Jeremy T. 
Bouse Thu, 14 Oct 2004 13:41:31 -0700 fwbuilder (2.0.3-1) unstable; urgency=medium * New upstream bug fix release -- Jeremy T. Bouse Fri, 1 Oct 2004 17:06:03 -0700 fwbuilder (2.0.2-2) unstable; urgency=high * Rebuild against modified libfwbuilder6 shlibs (Closes: 270293) -- Jeremy T. Bouse Tue, 7 Sep 2004 02:28:59 -0700 fwbuilder (2.0.2-1) unstable; urgency=high * New upstream bug fix release (Closes: 268898) * Removed doc++ Build-Dep (Closes: 270002) * Removed Debian patches -- Jeremy T. Bouse Fri, 3 Sep 2004 22:33:13 -0700 fwbuilder (2.0.1-2) unstable; urgency=high * Added fwbuilder version depend on -common (Closes: 268897) * Urgency set to high to fix RC bug for testing -- Jeremy T. Bouse Tue, 31 Aug 2004 00:13:57 -0700 fwbuilder (2.0.1-1) unstable; urgency=high * New upstream release (Closes: 261978) * Example files return (Closes: 254908) * Release fixes seg fault crashes (Closes: 266615, 256085) * Updated watch file -- Jeremy T. Bouse Sun, 22 Aug 2004 16:33:54 -0700 fwbuilder (1.1.2-3) unstable; urgency=low * This it the Make-James-Troup-Happy upload. You will find that all the policy compiler packaging has changed into 2 packages either fwbuilder-linux or fwbuilder-bsd. These replace all the separate packages for the different policy compilers based on firewall platform which James considered "bloat" in rejecting the 1.1.2-2 upload. * This also corrects the conflict issue in fwbuilder-common when upgrading from an older version (Closes: #248583) -- Jeremy T. 
Bouse Sun, 6 Jun 2004 12:02:49 -0700 fwbuilder (1.1.2-2) unstable; urgency=low * Added Conflicts in fwbuilder-common against older versions of fwbuilder that contained the arch-indep files (Closes: #248583) * Created fwbuilder-ipfw package for missing policy compiler from build * Created fwbuilder-doc package to include provided documentation from upstream * Renamed fwbuilder-ipf to fwbuilder-ipfilter to remove possible confusion with fwbuilder-ipfw * Removed old fwbuilder-iptables transition package from build * GUI diaglogs for Mac OS X and FreeBSD ipfw not installed properly with fwbuilder causing errors when selecting those options for a given firewall -- Jeremy T. Bouse Thu, 13 May 2004 23:16:28 -0700 fwbuilder (1.1.2-1) unstable; urgency=low * New upstream version (Closes: #229084) * Moved arch-dep modules from /usr/share to /usr/lib via patch 01fhs_modules_path.diff (Closes: #234249) * Unable to reproduce the seg fault problem reported and the BTS does not contain enough information after 3 months to track any source down so closing. If more conclusive details can be given I will re-investigate. It may have been fixed along with the NMU that corrected 203776. (Closes: #229774) * Added entry to README.Debian regarding upgrading the data file from earlier versions. (Closes: #228803) -- Jeremy T. Bouse Sun, 2 May 2004 00:35:37 -0700 fwbuilder (1.1.1-1) unstable; urgency=low * Accept NMU done by Brian Bassett (Closes: #223651) * Created fwbuilder-common and moved common arch-indep files to install there rather than arch-dep fwbuilder. This does handle half of 233349 but not the portion covered by 234249 so I'm considering this one done and leaving the other open until I can patch the code to move the modules (Closes: #233349) * Suggests for iproute on fwbuilder-ipt (Closes: #219441) * Hope rebuild my fix seg faults reported but not willing to close the bug yet. -- Jeremy T. Bouse Fri, 30 Apr 2004 19:49:10 -0700 fwbuilder (1.1.1-0.1) unstable; urgency=low * NMU. 
* New upstream version. (Closes: #222025) + Fixes libxml2 2.6.2 breakage. (Closes: #203776, #220830, #222478) * Clean up Build-Depends line; no longer requires any GNOME components. -- Brian Bassett Wed, 10 Dec 2003 13:07:32 -0800 fwbuilder (1.0.10-2) unstable; urgency=low * Patch to fwbuilder-ipt OSConfigurator_linux24.cc to fix bashism in generated script (Closes: #200258, #200259) -- Jeremy T. Bouse Tue, 8 Jul 2003 23:06:31 -0700 fwbuilder (1.0.10-1) unstable; urgency=low * New upstream version * Libtool library linking issues resolved (Closes: #186032) * fwbuilder-doc package removed (Closes: #186245, #157352) * Corrected problem with fwblookup (Closes: #183914) * Patched contributed fwbuilder init.d with provided patch by Robert Lindgren see README.Debian for more details * Cleaned up lintian errors -- Jeremy T. Bouse Tue, 27 May 2003 11:09:30 -0700 fwbuilder (1.0.9-1) unstable; urgency=low * New upstream version * Rebuilt with new libsigc++ (Closes: #176801) * Rebuilt with new libgtkmm (Closes: #180037, #179743) -- Jeremy T. Bouse Fri, 7 Feb 2003 12:23:47 -0800 fwbuilder (1.0.8-1) unstable; urgency=low * New upstream version * Rebuilt with new libxml2 (Closes: #170908, #170918) -- Jeremy T. Bouse Sun, 15 Dec 2002 18:33:10 -0800 fwbuilder (1.0.7-1) unstable; urgency=low * New upstream version (Closes: #167319) -- Jeremy T. Bouse Sat, 2 Nov 2002 16:00:35 -0800 fwbuilder (1.0.5-1) unstable; urgency=low * New upstream version * Fixes build issues on HPPA (Closes: #148701, #133683) -- Jeremy T. Bouse Wed, 11 Sep 2002 09:22:35 -0700 fwbuilder (1.0.4-1) unstable; urgency=low * New upstream version (Closes: #155551, #155553) * New build environment * Fixes problem in fwbuilder-ipt (Closes: #151876) * Fixes dependency issue with fwbuilder-ipt (Closes: #154734) -- Jeremy T. Bouse Mon, 5 Aug 2002 12:52:35 -0700 fwbuilder (1.0.3-1) unstable; urgency=low * New upstream version -- Jeremy T. 
Bouse Wed, 19 Jun 2002 21:47:08 -0700 fwbuilder (1.0.2-3) unstable; urgency=low * Reworked conflicts with libfwbuilder-dev for fwbuilder-dev -- Jeremy T. Bouse Tue, 4 Jun 2002 11:55:27 -0700 fwbuilder (1.0.2-2) unstable; urgency=low * Corrected Conflicts with libfwbuilder-dev (Closes: #148730) -- Jeremy T. Bouse Sat, 1 Jun 2002 09:23:41 -0700 fwbuilder (1.0.2-1) unstable; urgency=low * New upstream release -- Jeremy T. Bouse Wed, 15 May 2002 11:44:19 -0700 fwbuilder (1.0.0-1) unstable; urgency=low * New upstream release * Removed fwbuilder-ipfilter from build as requested by upstream as it is not properly maintained at this time -- Jeremy T. Bouse Mon, 31 Dec 2001 11:09:36 -0800 fwbuilder (0.9.9-2) unstable; urgency=low * Typo/spelling correction in debian/control (Closes: #124655) -- Jeremy T. Bouse Mon, 17 Dec 2001 23:53:09 -0800 fwbuilder (0.9.9-1) unstable; urgency=low * New upstream bug fix release -- Jeremy T. Bouse Wed, 12 Dec 2001 15:05:41 -0800 fwbuilder (0.9.8-1) unstable; urgency=low * New upstream bug fix release -- Jeremy T. Bouse Mon, 10 Dec 2001 08:24:03 -0800 fwbuilder (0.9.7-3) unstable; urgency=low * Corrections in dependencies on libfwbuilder and backends -- Jeremy T. Bouse Thu, 6 Dec 2001 17:37:41 -0800 fwbuilder (0.9.7-2) unstable; urgency=low * Corrections to debian/control for Build-Depends -- Jeremy T. Bouse Sun, 2 Dec 2001 23:43:55 -0800 fwbuilder (0.9.7-1) unstable; urgency=low * New upstream version -- Jeremy T. Bouse Thu, 29 Nov 2001 08:18:58 -0800 fwbuilder (0.9.6-2) unstable; urgency=low * Fixed bug with fwbuilder-doc package not containing any of the documents as the upstream Makefile install installed using versioned doc directory -- Jeremy T. Bouse Sat, 27 Oct 2001 18:47:03 -0700 fwbuilder (0.9.6-1) unstable; urgency=low * New upstream release October 16, 2001 (closes: #116605) -- Jeremy T. 
Bouse Mon, 22 Oct 2001 10:06:08 -0700 fwbuilder (0.9.5-2) unstable; urgency=low * Included upstream patch to correct conflict with BIND9 namespace conflict with resolv.h -- Jeremy T. Bouse Tue, 28 Aug 2001 09:11:07 -0700 fwbuilder (0.9.5-1) unstable; urgency=low * New upstream release August 6, 2001 (closes: #107716) -- Jeremy T. Bouse Sun, 19 Aug 2001 23:10:46 -0700 fwbuilder (0.9.2-3) unstable; urgency=low * Bug fix for dependency (Closes: #109122) -- Jeremy T. Bouse Sun, 19 Aug 2001 22:59:10 -0700 fwbuilder (0.9.2-2) unstable; urgency=low * Bug fix for ports (Closes: #105317) -- Jeremy T. Bouse Sun, 15 Jul 2001 11:45:11 -0700 fwbuilder (0.9.2-1) unstable; urgency=low * New upstream release June 30, 2001 (closes: #103640) -- Jeremy T. Bouse Mon, 9 Jul 2001 10:41:07 -0700 fwbuilder (0.9.1-3) unstable; urgency=low * Corrected build to include bug-buddy support -- Jeremy T. Bouse Tue, 12 Jun 2001 09:29:24 -0700 fwbuilder (0.9.1-2) unstable; urgency=low * Minor change to conflict with obsolete fwbuilder-ipchains package * Added lintian overrides * Added simple manpage for fwbuilder -- Jeremy T. Bouse Mon, 11 Jun 2001 10:52:44 -0700 fwbuilder (0.9.1-1) unstable; urgency=low * New upstream release May 11, 2001 (closes: #97205) * Removal of fwbuilder-ipchains as upstream is no longer supporting -- Jeremy T. Bouse Sun, 13 May 2001 19:35:43 -0700 fwbuilder (0.8.7-1) unstable; urgency=low * Initial release. -- Jeremy T. Bouse Mon, 7 May 2001 20:38:14 -0700 fwbuilder-5.3.7/debian/compat000066400000000000000000000000021303637203600161340ustar00rootroot000000000000005 fwbuilder-5.3.7/debian/contrib/000077500000000000000000000000001303637203600163765ustar00rootroot00000000000000fwbuilder-5.3.7/debian/contrib/fwbuilder.default000066400000000000000000000003541303637203600217310ustar00rootroot00000000000000# Defaults for fwbuilder initscript # Master system-wide fwbuilder switch. The initscript # will not run if it is not set to yes. 
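START_FWBUILDER=yes
# Directory to look for the fwbuilder generated script
FWBSCRIPT_DIR=/etc/fwbuilder
fwbuilder-5.3.7/debian/contrib/fwbuilder.init.d000066400000000000000000000025201303637203600214700ustar00rootroot00000000000000#! /bin/sh
#
# fwbuilder init script: executes the Firewall Builder generated
# iptables script for this host, or flushes the tables on "stop".
#
# Reads /etc/default/fwbuilder for START_FWBUILDER and FWBSCRIPT_DIR and
# runs $FWBSCRIPT_DIR/<hostname -s>.fw.  Exits 0 silently when the
# service is disabled or the script is not present, like other
# Debian init scripts.
#
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=fwbuilder
DESC="Firewall Builder"
DEFAULT=/etc/default/fwbuilder
IPTABLES=/sbin/iptables

test -f "$DEFAULT" || exit 0
# Anchor the match so that a commented-out "#START_FWBUILDER=yes" line
# in the defaults file does not enable the script.
grep -s -q '^[[:space:]]*START_FWBUILDER=yes' "$DEFAULT" || exit 0

SCRIPT_DIR=$(grep -s "^[[:space:]]*FWBSCRIPT_DIR" "$DEFAULT" | cut -d "=" -f 2)
# Without this check an unset FWBSCRIPT_DIR would make the script path
# "/<hostname>.fw", i.e. an executable in the root directory would be run.
test -n "$SCRIPT_DIR" || exit 0
SCRIPT="$SCRIPT_DIR/$(hostname -s).fw"

#######################################
# Remove all filtering: ACCEPT policies on the filter chains, then
# flush and delete every chain in the filter, nat and mangle tables.
# NOTE: this leaves the host with no packet filtering at all
# ("fail open"); that is what "stop" does, by design.
# Globals:   IPTABLES (read)
# Returns:   status of the last iptables call
#######################################
stopfw() {
  # Set accept for default tables
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  # Flush tables
  "$IPTABLES" -F
  "$IPTABLES" -F -t nat
  "$IPTABLES" -F -t mangle
  "$IPTABLES" -X
  "$IPTABLES" -X -t nat
  "$IPTABLES" -X -t mangle
}

#######################################
# Execute the generated firewall script; shared by start and restart.
# The script's stderr is no longer discarded, so a rule that fails to
# load is visible on the console/boot log instead of being hidden.
# Globals:   SCRIPT, NAME (read)
# Returns:   0 on success; exits 1 if the script fails
#######################################
runfw() {
  if ! "$SCRIPT"; then
    echo "$NAME: $SCRIPT failed" >&2
    exit 1
  fi
}

test -x "$SCRIPT" || exit 0
test -x "$IPTABLES" || exit 0

set -e

case "$1" in
  start)
    echo -n "Starting $DESC: "
    runfw
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    stopfw
    echo "$NAME."
    ;;
  restart|force-reload|reload)
    #
    # Firewall Builder generated script flushes tables prior
    # to setting up new tables so safe to just re-execute
    #
    echo -n "Restarting $DESC: "
    runfw
    echo "$NAME."
    ;;
  listfilter)
    "$IPTABLES" -L -n -v
    ;;
  listnat)
    "$IPTABLES" -t nat -L -n -v
    ;;
  listmangle)
    "$IPTABLES" -t mangle -L -n -v
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|reload|force-reload|listfilter|listnat|listmangle}" >&2
    exit 1
    ;;
esac

exit 0
fwbuilder-5.3.7/debian/control000066400000000000000000000062251303637203600163460ustar00rootroot00000000000000Source: fwbuilder Section: net Priority: optional Maintainer: Morten Knutsen Build-Depends: debhelper (>= 5), cdbs, autotools-dev, zlib1g-dev, libqt4-dev, libxml2-dev, libxslt1-dev, libssl-dev, libsnmp-dev, qt4-dev-tools, autoconf, automake, libtool Standards-Version: 3.9.3 Homepage: http://www.fwbuilder.org/ Vcs-Svn: https://bollin.googlecode.com/svn/fwbuilder/trunk Vcs-Browser: http://bollin.googlecode.com/svn/fwbuilder/trunk Package: fwbuilder Architecture: any Provides: fwbuilder-frontend Depends: ${shlibs:Depends}, ${misc:Depends}, fwbuilder-common (= ${source:Version}) Replaces: fwbuilder-linux, fwbuilder-cisco, fwbuilder-bsd, fwbuilder-backend, libfwbuilder9 Recommends: fwbuilder-doc Description: Firewall administration tool GUI Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various firewall platforms.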
In Firewall Builder, firewall policy is a set of rules, each rule consists of abstract objects which represent real network objects and services (hosts, routers, firewalls, networks, protocols). Firewall Builder helps the user maintain a database of objects and allows policy editing using simple drag-and-drop operations. . This is the arch independent common parts of fwbuilder Package: fwbuilder-doc Depends: ${misc:Depends} Section: doc Architecture: all Description: Firewall administration tool GUI documentation Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various firewall platforms. In Firewall Builder, firewall policy is a set of rules, each rule consists of abstract objects which represent real network objects and services (hosts, routers, firewalls, networks, protocols). Firewall Builder helps the user maintain a database of objects and allows policy editing using simple drag-and-drop operations. . This is the documentation of fwbuilder Package: fwbuilder-dbg Section: debug Priority: extra Architecture: any Depends: fwbuilder (= ${binary:Version}), ${misc:Depends} Description: Firewall administration tool GUI (debugging symbols) Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various firewall platforms. In Firewall Builder, firewall policy is a set of rules, each rule consists of abstract objects which represent real network objects and services (hosts, routers, firewalls, networks, protocols). Firewall Builder helps the user maintain a database of objects and allows policy editing using simple drag-and-drop operations. . This package ships the debugging symbols of fwbuilder. fwbuilder-5.3.7/debian/copyright000066400000000000000000000005661303637203600167000ustar00rootroot00000000000000This package was debianized by Jeremy T. Bouse on Fri, 26 Jan 2001 14:26:21 -0500. 
It was downloaded from ftp://fwbuilder.sourceforge.net/pub/fwbuilder/ Copyright: Copyright (C) 2001-2008 NetCitadel, LLC It may be redistributed under the terms of the GNU GPL, Version 2 or later, found on Debian systems in the file /usr/share/common-licenses/GPL-2. fwbuilder-5.3.7/debian/fwbuilder-common.examples000066400000000000000000000001011303637203600217370ustar00rootroot00000000000000debian/contrib/fwbuilder.default debian/contrib/fwbuilder.init.d fwbuilder-5.3.7/debian/fwbuilder-common.install000066400000000000000000000005541303637203600216030ustar00rootroot00000000000000debian/tmp/usr/share/fwbuilder-*/platform/* debian/tmp/usr/share/fwbuilder-*/os/* debian/tmp/usr/share/fwbuilder-*/resources.xml debian/tmp/usr/share/fwbuilder-*/objects_init.xml debian/tmp/usr/share/fwbuilder-*/templates.xml debian/tmp/usr/share/fwbuilder-*/fwbuilder.dtd debian/tmp/usr/share/fwbuilder-*/configlets/* debian/tmp/usr/share/fwbuilder-*/migration/* fwbuilder-5.3.7/debian/fwbuilder-doc.docs000066400000000000000000000004601303637203600203360ustar00rootroot00000000000000debian/tmp/usr/share/doc/fwbuilder*/ReleaseNotes*.html debian/tmp/usr/share/doc/fwbuilder*/ReleaseNotes*.txt debian/tmp/usr/share/doc/fwbuilder*/README.* debian/tmp/usr/share/doc/fwbuilder*/AUTHORS debian/tmp/usr/share/doc/fwbuilder*/Credits debian/tmp/usr/share/doc/fwbuilder*/PatchAcceptancePolicy.txt fwbuilder-5.3.7/debian/fwbuilder-doc.install000066400000000000000000000000461303637203600210540ustar00rootroot00000000000000debian/tmp/usr/share/fwbuilder-*/help/fwbuilder-5.3.7/debian/fwbuilder.README.Debian000066400000000000000000000022221303637203600207570ustar00rootroot00000000000000This version of fwbuilder includes a template init.d script to start your firewall script that is generated and the default file. In order to use these you will need to install them on your firewall machine. These do not need to be installed on your build machine unless it also doubles as your firewall. 
They are included as part of the fwbuilder-common package and are located in /usr/share/doc/fwbuilder-common/examples/. The default file (examples/fwbuilder.default) should be installed as /etc/default/fwbuilder and the init.d script (examples/fwbuilder.init.d) as /etc/init.d/fwbuilder. Then copy your .fw script to /etc/fwbuilder as `hostname -s`.fw. You can use update-rc.d fwbuilder start 41 S . stop 89 0 6 . to install the init.d script to start on boot-up or modify to suit your system's boot-up sequence. This is a maintainer built script, and therefore not supported by the upstream authors of fwbuilder. Please report any problems to the package maintainer via the Debian BTS. The fwbuilder.init.d script was patched with a submission provided to me by Robert Lindgren to provide a means of flushing rules as well as listing active rules. fwbuilder-5.3.7/debian/fwbuilder.desktop000066400000000000000000000004621303637203600203160ustar00rootroot00000000000000[Desktop Entry] # This is the spec version, *not* the application version Version=1.0 Type=Application Name=Firewall Builder GenericName=Firewall administration tool Comment=Firewall administration tool GUI Icon=/usr/share/pixmaps/fwbuilder/firewall_64.xpm Exec=fwbuilder Terminal=false Categories=Network fwbuilder-5.3.7/debian/fwbuilder.install000066400000000000000000000007361303637203600203170ustar00rootroot00000000000000debian/tmp/usr/bin/fwbuilder debian/tmp/usr/bin/fwbedit debian/tmp/usr/bin/fwb_ipf debian/tmp/usr/bin/fwb_ipfw debian/tmp/usr/bin/fwb_pf debian/tmp/usr/bin/fwb_ipt debian/tmp/usr/bin/fwb_iosacl debian/tmp/usr/bin/fwb_nxosacl debian/tmp/usr/bin/fwb_pix debian/tmp/usr/bin/fwb_procurve_acl debian/tmp/usr/bin/fwb_junosacl src/libgui/Icons/firewall_64.xpm /usr/share/pixmaps/fwbuilder/ debian/fwbuilder.desktop /usr/share/applications/ src/tools/fwb_compile_all /usr/bin/ 
fwbuilder-5.3.7/debian/fwbuilder.manpages000066400000000000000000000005331303637203600204370ustar00rootroot00000000000000debian/tmp/usr/share/man/man1/fwbuilder.1 debian/tmp/usr/share/man/man1/fwbedit.1 doc/fwb_compile_all.1 debian/tmp/usr/share/man/man1/fwb_ipf.1 debian/tmp/usr/share/man/man1/fwb_ipfw.1 debian/tmp/usr/share/man/man1/fwb_pf.1 debian/tmp/usr/share/man/man1/fwb_iosacl.1 debian/tmp/usr/share/man/man1/fwb_pix.1 debian/tmp/usr/share/man/man1/fwb_ipt.1 fwbuilder-5.3.7/debian/fwbuilder.menu000066400000000000000000000002021303637203600176010ustar00rootroot00000000000000?package(fwbuilder):needs="X11" section="Applications/System/Security/" \ title="Firewall Builder" command="/usr/bin/fwbuilder" fwbuilder-5.3.7/debian/rules000077500000000000000000000004711303637203600160200ustar00rootroot00000000000000#!/usr/bin/make -f include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/class/autotools.mk DEB_CONFIGURE_SCRIPT := ./autogen.sh DEB_CONFIGURE_USER_FLAGS := --with-qmake=qmake-qt4 DEB_MAKE_INSTALL_TARGET := install INSTALL_ROOT=`pwd`/debian/tmp DEB_INSTALL_CHANGELOGS_ALL := doc/ChangeLog fwbuilder-5.3.7/definitions.h000066400000000000000000000022521303637203600162010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Define global macros and constants in this file if they are used in the GUI, compilers and tools */ #ifndef __DEFINITIONS_ #define __DEFINITIONS_ // Various #defines that are needed both in the GUI and compilers // definitions for ipfw classify methods #define DIVERTSOCKET 0 #define DUMMYNETPIPE 1 #define DUMMYNETQUEUE 2 #endif fwbuilder-5.3.7/doc/000077500000000000000000000000001303637203600142615ustar00rootroot00000000000000fwbuilder-5.3.7/doc/AUTHORS000066400000000000000000000011531303637203600153310ustar00rootroot00000000000000 Vadim Kurland Main author: GUI, iptables compiler Vadim Zaliva libfwbuilder API design; XML DTD design; XML data storage implementation; implementation of printing UNINETT AS, Sirius Bakke Search for objects by port number or ip address Graphical diff viewer Diff on generated output, autocompiling firewall when loading file Support for Cisco NXOS Access lists Support for dummy objects in rules Port to Qt5 New buildscript and instructions for OSX Added build instructions for Windows < fwbuilder-5.3.7/doc/COPYING000066400000000000000000000432541303637203600153240ustar00rootroot00000000000000 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. 
(Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. 
The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. 
You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. 
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. 
However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. 
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. 
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. 
fwbuilder-5.3.7/doc/ChangeLog000066400000000000000000026544661303637203600160620ustar00rootroot000000000000002015-03-10 Sirius Bakke * Version 5.3.6 * Several bugfixes for Junos, including rollback on syntax error, correct netmask for host objects and ssh password prompt lock-up 2014-09-24 Sirius Bakke * Version 5.3.0 * Support for Junos Access lists * Show release notes for previous releases 2013-08-10 Sirius Bakke * Version 5.2.0 * Search for objects by port number or ip address * View graphical diff and autocompile firewall when loading file * Support for Cisco NXOS Access lists * Added support for dummy objects in rules * Port to Qt5 * New buildscript for OSX * Added build instructions for Windows 2012-03-21 Vadim Kurland * running autoconf, configure as part of windows build. Merged qmake .pro and .inc files for Windows, Mac and Linux builds. Moved files needed for Windows and Mac packaging to the "packaging" directory. 2012-03-19 Vadim Kurland * version 5.1.0 * switching to GPL for Mac OS X and Windows. 2012-03-18 Vadim Kurland * CompilerDriver.cpp (CompilerDriver::populateClusterElements): fixes #2686 "automatic rules for heartbeat are not generated for vlan subinterfaces" * clusterMembersDialog.cpp (clusterMembersDialog::clusterMembersDialog): fixes #2685 "Clicking "Manage Members" in a vlan subinterface of a cluster causes crash". 2012-02-20 Vadim Kurland * configlets/linux24/routing_functions (OLD_ROUTES): fixes SF bug 3489096 "dd-wrt-jffs: all routes are deleted if there is an error". The problem affects all supported Linux-like systems. Shell code that restores old static routing table entries in case of an error with commands adding new routing entries was broken and left the machine with no routes at all. * configlets/linux24/routing_functions: using mktemp to create the temporary directory. If mktemp is not available, fall back onto a less secure (the name is predictable) but guaranteed-to-work method where the name of the temporary directory is generated from the process ID.
* OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands): fixes #2684 "fix address deletion in configlet update_addresses". This only applies to Linux firewalls and configurations where an interface has two or more ip addresses. If user deleted one of the addresses that happens to be the "primary" address of the interface in the GUI, generated script deleted both addresses on the firewall machine instead of just one and left interface with no addresses at all. The fix is to use /proc variable /proc/sys/net/ipv4/conf/all/promote_secondaries that makes the kernel "promote" secondary address to a "primary" status when primary address is deleted. Default behavior in Linux kernel is to delete all addresses when primary address is deleted. 2012-02-13 Vadim Kurland * qmake.inc.in (QMAKE_CXXFLAGS_DEBUG): fix for SF bug #3468802. Need to define macro __STDC_FORMAT_MACROS. This still needs to be tested on all build machines. build 3594 2012-01-02 Vadim Kurland * PolicyCompiler_ipt.cpp (specialCaseAddressRangeInRE::processNext): fixed SF bug #3468358 "change in rule-compilation between 5.0.0 and 5.0.1". Rule with cluster interface in "Destination" should compile into matching ip addresses assigned to the cluster interface object and corresponding member firewall's interface object, but in v5.0.1 it only matched member interface address. This bug triggered when iptables version was set to 1.2.11 or greater. 
This was a regression from v5.0.0 * VERSION (FWB_MICRO_VERSION): v 5.0.2 2011-12-23 Vadim Kurland * v5.0.1 released 2011-12-07 Vadim Kurland * pix.g (nat_command_last_parameters): fixes #2678 Policy importer for PIX/ASA could not parse nat command with parameter "outside" * PIXImporterNat.cpp (PIXImporter::buildNoNATRule): fixes #2679 Policy importer for PIX/ASA could not import "nat exemption" rule (for example: "nat (inside) 0 access-list EXEMPT") * pix.g (nat_addr_match): fixes #2677 Policy importer for PIX/ASA could not parse command "nat (inside) 1 0 0" * iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog): fixed strings that should be translated; these strings caused problems when translation was loaded at the run time. 2011-11-30 Vadim Kurland * NATCompiler_pf.cpp (NATCompiler_pf::compile): fixes #2674 NAT compiler for PF crashed when AttachedNetworks object was used in Translated Source of a NAT rule. 2011-11-28 Vadim Kurland * NATCompiler_PrintRule.cpp (_printIpSetMatch): fixed SF bug #3443609 Return of ID: 3059893": iptables "--set" option deprecated". Need to use --match-set instead of --set if iptables version is >= 1.4.4. The fix done for #3059893 was only in the policy compiler but needs to be done in both policy and nat compilers. * PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface): more fixes for SF bug #3439613. Adding "-i" / "-o" clause to match parent bridge interface. This allows us to correctly match which bridge the packet comes through in configurations using wildcard bridge port interfaces. For example, when br0 and br1 have "vnet+" bridge port interface, iptables can still correctly match which bridge the packet went through using "-o br0" or "-o br1" clause. This can be useful in installations with many bridged interfaces that get created and destroyed dynamically, e.g. with virtual machines. 
Note that the "-i br0" / "-o br0" clause is only added when there is more than one bridge interface and bridge port name ends with a wild card symbol "+" 2011-11-21 Vadim Kurland * TableFactory.cpp (TableFactory::createTablesForRE): see #2671 Duplicate objects appear in PF table when option "preserve group and addresses table object names" is in effect. This happened if the same user-defined group was used in multiple rules or different rule element of the same rule. In this case generated PF table would have several copies of the same addresses. * TableFactory.cpp (TableFactory::createTablesForRE): see #2672 PF option "preserve group and addresses table object names" does not work right when the same object is used in several different groups. If the same object was a member of multiple groups and these groups were used in the same or different rules of the same PF firewall, compiler used all groups in all rules. This could create match for objects that were not intended to be part of some rules. This problem has been fixed. Note that configuration with a combination of ipv4 and ipv6 objects as members of the same user-defined group when group is used in mixed ipv4+ipv6 rule set still does not work right. In this case compiler generates table that exactly reflects configuration user created in the GUI (i.e. includes both ipv4 and ipv6 addresses) and then uses this table in both "inet" and "inet6" rules. * PolicyCompiler_pf.cpp (createTables): With this fix, when option "preserve group and addresses table object names" is in effect, compiler for PF will create named tables for the user-defined object group even if it contains just one object. * PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface): SF bug #3439613. physdev module does not allow --physdev-out for non-bridged traffic anymore. We should add --physdev-is-bridged to make sure this matches only bridged packets. 
2011-11-16 Vadim Kurland * InetAddrMask.cpp (InetAddrMask::setNetworkAndBroadcastAddress): fixed bug (no number) introduced when I was working on #2670. Setting broadcast address in the network object with netmask /31 to 255.255.255.255 broke rule shadowing algorithm. 2011-11-15 Vadim Kurland * CustomServiceDialog.cpp (loadFWObject): fixes #2669 "Cant inspect custom Service object in Standard objects library". 2011-11-10 Vadim Kurland * configlets/linux24/check_utilities: fixes #2664 Update error message when "which" command fails. Generated iptables script uses "which" to check if all utilities it uses exist on the machine. We should also check if "which" itself exists and issue meaningful error message if not. * IC_PlatformWarningPage.cpp (initializePage): fixes #2668 Remove "static routes" from the explanation text in ASA/PIX import dialog. We can not import PIX/ASA routing configuration at this time. 2011-11-08 Vadim Kurland * InetAddrMask.cpp (setNetworkAndBroadcastAddress): see #2670. Per RFC3021 network with netmask /31 has no network and direct broadcast addresses. * PolicyCompiler_ipt.cpp (specialCaseAddressRangeInRE): fixed bug in the rule processor that replaces AddressRange object that represents single address with an IPv4 object. Also eliminated code redundancy. * PolicyCompiler_ipt.cpp (splitIfDstMatchingAddressRange): fixes #2663 "Rule with "old-broadcast" object results in invalid iptables INPUT chain". Compiler was choosing chain INPUT with direction "outbound" for rules that had old broadcast address in "Source", this lead to invalid iptables configuration with chain INPUT and "-o eth0" interface match clause. * ObjectMatcher.cpp (checkComplexMatchForSingleAddress): see #2663 Special handling of the "old broadcast" address. This address (0.0.0.0) should be treated just like 255.255.255.255 when we check if an address "matches" the firewall. 
* RuleSetViewDelegate.cpp (sizeHint): fixes #2665 "Adding text to comment causes rule to go from 2 rows to 1 row" * ACL.cpp (ciscoACL::trimLine): fixed SF bug 3435004: "Empty lines in comment result in "Incomplete Command" in IOS". * CompilerDriver_pf_run.cpp (CompilerDriver_pf::run): fixed SF bug #3429377 "PF: IPv6 rules are not added in IPv4/IPv6 ruleset (anchor)". Compiler for PF did not include rules generated for IPv6 in generated PF anchor configuration files. * CompilerDriver_pf_run.cpp (CompilerDriver_pf::run): fixed SF bug 3428992: "PF: rules order problem with IPv4 and IPv6". Compiler for PF should group ipv4 and ipv6 NAT rules together, before it generates ipv4 and ipv6 policy rules. * BaseObjectDialog.cpp (connectSignalsOfAllWidgetsToSlotChange): fixed SF bug #3433587 "Manual edit of new service Destination Port END value fails". This bug made it impossible to edit the value of the end of the port range because as soon as the value became less than the value of the beginning of the range, the GUI would reset it to be equal to the value of the beginning of the range. This affected both TCP and UDP service object dialogs. * PolicyCompiler_ipfw_writers.cpp (PrintRule::_printAddr): fixed SF bug #3426843 "ipfw doesn't work for self-reference, in 5.0.0.3568 version". 2011-10-19 Vadim Kurland * PolicyCompiler_pix.cpp (AddressRangesIfTcpServiceToFW::processNext): see #2662 "Crash when compiling ASA rule with IP range". Need to split address range if it is used in "source" of a rule that controls telnet, ssh or http to the firewall itself and firewall's version is >= 8.3. Commands "ssh", "telnet" and "http" (those that control access on the corresponding protocols to the firewall itself) accept only ip address of a host or a network as their argument. They do not accept address range, named object or object group. This is so at least as of ASA 8.3.
Since we expand address ranges only for versions < 8.3 and use named object for 8.3 and later, we need to make this additional check and still expand address ranges in rules that will later convert to "ssh", "telnet" or "http" command. Compiler also generates redundant object-group statement with CIDR blocks generated from the address range but does not use this group in the rule. This does not break generated configuration but the object-group is redundant since it is never used. This will be rectified in future versions. * CompilerDriver_files.cpp (CompilerDriver::getOutputFileNameInternal): fixed a bug (no number): if the file name user entered in "Output file name" field in the "advanced settings" dialog of a firewall object ended with a white space, policy installer failed with an error "No such file or directory" * build 5.0.1.3583 2011-10-02 Vadim Kurland * shell_functions: see SF bug #3416900 "Replace `command` with `which`". Generated script (Linux/iptables) used to use "command -v" to check if command line tools it needs are present on the system. This was used to find iptables, lsmod, modprobe, ifconfig, vconfig, logger and others. Some embedded Linux distributions, notably TomatoUSB, come without support for "command". Switching to "which", which is more ubiquitous and should be available pretty much everywhere. 2011-09-29 Vadim Kurland * SSHSession.cpp (startSession): enable fwbuilder to take advantage of GSSAPIAuthentication with openssh using suggestion by Matthias Witte witte@netzquadrat.de * PolicyCompiler_ipt.cpp (compile): fixes SF bug #3414382 "Segfault in fwb_ipt dealing with empty groups". Compiler for iptables used to crash when an empty group was used in the "Interface" column of a policy rule.
2011-09-24 Vadim Kurland * NamedObjectsAndGroupsSupport.cpp (CreateObjectGroups::processNext): fixes #2660 "compiler for IOSACL crashed when address range appears in a rule AND object-group option is turned ON" 2011-09-19 Vadim Kurland * PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc): see #2656 "Generated Cisco ASA access-list has duplicate entry". * snmp.cpp (SNMPCrawler::run_impl): fixes #2658 "snmp network discovery creates duplicate address and network objects" * ND_ProgressPage.h (class ND_ProgressPage): see #2657 snmp network discovery crashed if option "Confine scan to network" was used. * iosInterfaces.cpp (iosInterfaces::basicValidateInterfaceName): see #2655 Interface names are not allowed to have dash "-" even with interface verification off. We should allow "-" in the interface name for Cisco IOS 2011-09-04 Vadim Kurland * IPTImporter.cpp (IPTImporter::isSupportedTable): see #2653 Importer for iptables checks that netfilter table used in the original iptables config is one of the tables we support. Currently only "filter", "mangle" and "nat" are supported. Also see #2651, #2652 * FWObjectDatabase_tree_ops.cpp (_recursively_copy_subtree): see #2654 fixes GUI crash that occurred if user copied a rule from file A to file B, then closed file B, opened file C and tried to copy the same rule from A to C 2011-08-30 Vadim Kurland * fixes SF bug 3247094 "Nomenclature of IP address edit dialog". Network ipv6 dialog says "Prefix length". * linux24advanceddialog_q.ui: fixes SF bug 3302121 "cosmetic mis-format in fwb Linux paths dialog" * DNSNameDialog.cpp (applyChanges): fixes SF bug 3388055 Adding a "DNS Name" with a trailing space causes failure. 2011-08-25 Vadim Kurland * see #2646 and SF bug 3395658: Added few ipv4 and ipv6 network objects to the Standard objects library: TEST-NET-2, TEST-NET-3 (RFC 5735, RFC 5737), translated-ipv4, mapped-ipv4, Teredo, unique-local and few others.
* ObjectManipulator.cpp (openLibForObject): fixes #2648 "right mouse click on firewall object in "Deleted objects" library causes GUI crash" * PolicyCompiler_ipt.cpp (processNext): fixes #2650 "rules with address range that includes firewall address in Src are placed in OUTPUT chain even though addresses that do not match the firewall should go in FORWARD" 2011-08-14 Vadim Kurland * InetAddr.cpp (InetAddr::isValidV4Netmask): function InetAddr::isValidV4Netmask() checks that netmask represented by the object consists of a sequence of "1" bits, followed by the sequence of "0" bits and therefore does not have zeroes in the middle. * NetworkDialog.cpp (NetworkDialog::validate): added check to make sure user does not enter netmask with zeroes in the middle for the IPv4 network object. Netmasks like that are not supported by fwbuilder. * RuleSetView.cpp (RuleSetView::addColumnRelatedMenu): fixes #2643 "GUI crashes when user cuts a rule, then right-mouse click in any rule element of another" 2011-08-11 Vadim Kurland * freebsd/carp_interface: see #2638 "When CARP password is empty the advskew value is not read". Should skip "pass " parameter of the ifconfig command that creates carp interface if user did not set up any password. * OSConfigurator_linux24_interfaces.cpp (validateInterfaces): see #2639 "support for vlan subinterfaces of bridge interfaces (e.g. br0.5)". Currently fwbuilder can not generate script to configure vlan subinterfaces of bridge interfaces, however if user did not request this configuration script to be generated, compiler should not abort when it encounters this combination. * InterfaceEditorWidget.cpp (validateAddress): fixes #2641 "newFirewall dialog does not accept ipv6 addresses with long prefixes". The dialog did not allow ipv6 addresses of interfaces with netmask > 64 bit. * newFirewallDialog.cpp (cleanup): fixes #2642 "GUI crashes if user cancels newFirewall dialog".
* RuleOptionsDialog.cpp (fillInterfaces): the drop-down list of interfaces for the "route-through" rule option for PF and iptables should include not only cluster interfaces, but also interfaces of all members. This way, we can make compiler generate configuration "pass in quick on em0 route-to { ( em0 10.1.1.2 ) } ... " for a rule of a PF cluster. Here "em0" is an interface of a member, not the cluster. 2011-08-08 Vadim Kurland * configlets/freebsd/rc_conf_carp_interface: see #2636 "carp : Incorrect output in rc.conf.local format". Should use create_args_carp0 instead of ifconfig_carp0 to set up CARP interface vhid, pass and advskew parameters. 2011-08-05 Vadim Kurland * RuleElement.cpp (RuleElementItf::validateChild): see #2635 Object type AttachedNetworks is not allowed in the "interface" rule element. 2011-08-03 Vadim Kurland * newFirewallDialog_from_template.cpp (replaceReferencesToObject): see #2628 fixed crash that happened if user created a new firewall object from a template and changed one of the ip addresses, while another firewall object created from the same template already existed in the tree. 2011-08-02 Vadim Kurland * instDialog_ui_ops.cpp (instDialog::getInstOptions): moved "batch install" button from the main installer wizard to the dialog where user enters their password. Now user can start in a non-batch install mode but continue in batch install mode at any time if all their firewalls authenticate with the same user name and password. 2011-08-01 Vadim Kurland * pix.g (static_command_common_last_parameters): changed token name from "ESP" to "ESP_WORD" to avoid conflict with macro "ESP" that happened during build on OpenSolaris * unit_tests/ObjectMatcherTest/ObjectMatcherTest.cpp (matchTest): fixed unit test (ObjectMatcher matches ipv6 only when internal flag is set accordingly) * VERSION: set version to 5.0.1 2011-07-28 vadim * version 5.0.0. release 2011-07-22 vadim * ObjectManipulator.h (QWidget): see #2622 "Remove Back and Forward buttons".
We have decided behavior of the GUI was too complicated since user can both act on objects directly and navigate backwards and forwards to the objects found in their browsing history. Navigation using browsing history was broken when quick filter was in use, too. All in all, it feels the value of "back" and "forward" buttons was relatively low. 2011-07-21 vadim * XMLTools.cpp (convert): see #2577 Updated error message that appears when user tries to open .fwb file created by the future version of fwbuilder. * TextFileEditor.cpp (save): fixes #2567 "If file doesn't exist when clicking 'edit file', then you have to hit save button twice". The bug affected "edit file" function in the Address Table object dialog. * NATCompiler_pf_writers.cpp (_printAddr): fixes #2590 "PF: NAT compiler fails when run-time address table object is used in a rule" * RoutingCompiler.cpp (processNext): fixes #2565 "Run-time dns name or address table in routing policy -> crash". Compiler for PF crashed if user placed run-time DNSName object in "destination" of a routing rule. * RuleSetModel.cpp (initRule): see #2515 Expanded set of options the user can change to pre-set parameters in the new policy rules they create. Now user can set default values for action ("Deny" or "Accept"), direction, the "stateless" flag and logging. * FindObjectWidget.cpp (matchAttr): see #2516 "Enhance Find to include searching for IP addresses in ranges". Function "find" now finds ip addresses inside address ranges. 2011-07-20 vadim * FWBTree.cpp (init_statics): see #2619 "Attempting to copy-and-paste a tag service results in an error". Pasting of a TagService object to the "Tag Services" group did not work. * RuleSetView.cpp (itemDoubleClicked): fixes #2566, #2618 Fix for the regression introduced when I worked on #2566 "Double-clicking on rule when program first starts results in empty editor pane". 
Double click on the rule number should not do anything, but double click on rule options, comment and other fields should open the editor. Change done for #2566 broke this. 2011-07-20 Vadim Kurland * ObjectMatcher.cpp (dispatch): removed optimization in dispatch(IPv4*,void*) and dispatch(IPv6*, void*) that assumed address matches a host or a firewall if it is located somewhere in the subtree rooted at the firewall object. This assumption fails if the address is a child of a Variable that belongs to the Variables folder of this firewall. Instead, always calling checkComplexMatchForSingleAddress() which uses Interface::findAllInterfaces() and therefore only matches against addresses that belong to the interfaces. See #2598 * PolicyCompiler_ipt.cpp (processSingleObjectNegationInRE): consolidated rule processors that deal with single object negation into one class. Also, taking into account Variables. * Interface.cpp (findAllInterfaces): added more efficient way to get a list of all interfaces of a firewall. This function assumes interfaces are direct children of the firewall and each interface may have a subinterface (one level deep). This function is faster because it does not scan whole tree rooted at the firewall object which might be large if firewall has lots of rules. 2011-07-19 vadim * NATCompiler_ipt.cpp (processNext): fixed SF bug 3371301 "Error compiling with VLAN and masquerade". Iptables NAT rules with vlan interface configured as "dynamic" and no ip address in Translated Source caused compiler crash. 2011-07-18 theron * Fixed #2511: make sure auto-scroll of items in ObjectTreeView works, otherwise it's impossible to move an item into a user-defined folder if there are lots of intervening items. 2011-07-13 theron * Fixed #2505: make sure that objects that we show are members of a dynamic group are actually objects. Previously we were showing stuff like FirewallOptions objects. 
To make sure that dynamic group expansion is done the same way in the UI and for the compiler, also fixed #2502 (consolidate logic for DynamicGroup). * Modified checks (added for #2514) for empty path in an Address Table object. It's valid to have an empty path for the situation where a user wants to use an ipset in place of the table. However, if there is a path and it comes out blank in getSourceNameAsPath() then that means %DATADIR% expansion failed. * Fixed #2440. Now when a firewall is matched in the quick filter, all child elements (e.g. policies, interfaces) will be displayed as well. * Fixed #2523: save the expanded/collapsed state of the tree when the user starts typing something into the quick filter. When the quick filter is cleared, re-expand any items that started off expanded (so we get the union of expanded items displayed by quick filter plus what the user started with expanded). * Tried to fix #2507: set a size for the "type" column in the dynamic group dialog (on some platforms it comes out so narrow you can't see it, despite it having ResizeToContents). 2011-07-11 theron * Implemented #2514, support for address table alternate paths. There's a "data directory" setting under user preferences. If the user selects an address table file using "choose file" and that file is "inside" the data directory, then the appropriate part of the path is replaced with %DATADIR% as a variable. If the address table is marked "run-time" then the path is taken from the firewall data directory option. 2011-07-11 Vadim Kurland * TableFactory.cpp (createTablesForRE): see #2513 "Group and Address Table name persistence in generated config". Compiler for PF can now preserve names of object groups, dynamic groups, compile-time AddressTable and compile-time DNSName objects in the generated pf.conf file. This is optional and is controlled by a checkbox in the firewall settings dialog. 
2011-07-09 vadim * pf.g (rule_extended): see #2551 Importer should parse PF rules that use "route-to", "reply-to" and "dup-to" options in both pre-4.7 and 4.7 formats. In PF 4.7 these parameters moved to the end of the rule and are now part of the "filteropts" block of parameters. * PFImporter.cpp (pushPolicyRule): see #2551 Importer should correctly import "pool type" parameter that follows source routing rule options "route-to", "reply-to" and "dup-to". Also, since currently fwbuilder does not support source routing rules with multiple different interface-gateway pairs (only one interface in combination with one or multiple gateway addresses are supported), importer displays warning and marks rules as "broken" when it encounters this configuration. * ObjectManipulator_slots.cpp (makeSubinterface): see #2561 operation of making an interface a subinterface should be performed using undo/redo command. Also, this should take care of inconvenient scrolling of the object tree after this operation. * ObjectManipulator.cpp (addSubinterfaceSubmenu): see #2562 "Crash when making an interface that has subinterfaces a subinterface of another interfrace". If an interface has subinterfaces, it should not be allowed to become subinterface of another interface. 2011-07-08 vadim * ObjectManipulator_slots.cpp (makeSubinterface): see #2561 "Add context menu to move an interface to be a child of another interface". New context menu (submenu) allows user to move an interface in the tree to make it a subinterface of another interface. * parsers/pf.g: see #2556 "PF import: impor of rules referring to undefined macros". Importer now records all parser errors in the comments of rules where they occurred and marks these rules "broken" by coloring them red. 
Behavior on import of pf.conf file with undefined macros is inconsistent at this time: undefined macro that appears in a rule where parser expects ip addresses is converted to a run-time DNSName object with name "$macro", a warning is displayed and rule is marked as "broken". Undefined macro in the position of interface name, port name or other parameters triggers generic parser error that looks like "Parser error: line 26:19: unexpected token: $ext". The rule is marked as "broken" and the error is recorded in the comment. * PFImporterRun.cpp (substituteMacros): see #2556 "PF import: import of rules referring to undefined macros". Importer displays warnings for all undefined macros found in the file, even if there are several. * objectSignature.cpp: fixes #2559 "Crash on import when at least one DynamicGroup object already exists in the object tree." 2011-07-07 Vadim Kurland * RoutingCompiler.cpp (processNext): see #2191 "Crash when compiling a route with table object". Compiler for PF crashed when run-time AddressTable object was used in RDst of a routing rule. * PFImporter.cpp (makeAddressObj): see #2546 "PF import - negation inside of inline tables is ignored". Since we can not import address lists or tables that contain a mix of negated and non-negated items, importer should display an error when it encounters one of these and mark all rules that use it as "broken" (rule is colored red and error message is added to the comment). * PFImporter.cpp (makeAddressObj): see #2556 "PF import: import of rules referring to undefined macros". If pf.conf file uses an undefined macro (there is $macro somewhere but the macro has never been defined), importer issues a warning, creates run-time DNSName object with the name "$macro" and marks all rules where it is used as broken, that is, rules are colored red and the error message is added to the comment field.
Using run-time DNSName object makes compiler use "$macro" in the generated pf rule which means fwbuilder generates exactly the same pf rule as the one it tried to import. * PFImporterRun.cpp (run): see #2554 "PF import: create groups of address objects for macros where possible". Importer for PF recognizes macros that define lists of ip addresses, interfaces or host names and creates object groups with the same name from them. Only macros that contain at least one ip address in the list are recognized. * PF import: check if a macro used somewhere in the file to be imported is actually defined and abort if not * PF import: see #2551 making sure rules that have route-to option get the call to setRoute() in the importer 2011-07-06 Vadim Kurland * applied two patches by Vadim Zhukov persgray@gmail.com to replace calls to sprintf with safer calls to snprintf and fix some compiler warnings. * Importer.cpp (addStandardImportComment): see #2552 "PF import: add ability to suppress comments referring to line numbers in the original file". * PFImporter.cpp (pushPolicyRule): see #2551 "PF Import - source routing rules are not imported with rule options set". Importer should import "route-to" rule parameters. * PFImporter.cpp (newAddressTableObject): see #2546 "PF import - negation inside of inline tables is ignored". We can not import PF table definition that has some addresses negated. * PFImporterRun.cpp (run): see #2550 "PF import - recursive macros are not supported". Importer for PF should interpret macro definitions that use other macros. See #2545 "PF import error when using macro names with same base name and incrementing digit suffix". Importer should correctly interpret a macro that has name of another macro as a substring of its own name. 2011-07-05 vadim * PolicyCompiler_pf_writers.cpp (processNext): see #2549 "Update generated route-to configuration for PF versions 4.7 and later", SF bug 3348931. 
The "route-to" parameter moved to the end of pass rules in PF 4.7 * pf.g: fixed bug in PF import: address lists such as "{ addr1, addr2, ... }" defined as macros or inside the rule could not be imported correctly. * pf.g: we should be able to import both "block quick log" and "block log quick". 2011-06-29 theron * Fixed #2547, made keyword add/remove buttons same size. 2011-06-29 theron * Fixed #2540. On mac we can get a drop event even if dragMoveEvent() says the drop is invalid. So in ObjectTreeView we validate the drop the same way we validate in dragMove to make sure the drop is valid. * Fixed #2542. Catch exception inside preprocessor loop so that loop continues after error (for unit tests). Also make sure to set ".loaded" variable before calling loadFromSource so that if an exception happens we won't try to load it again later. * Fixed #2539. Make sure user folders are added properly. Also deal with case of an object that has a folder attribute that doesn't exist in the parent's subfolders list (shouldn't ever happen, but in case it does it no longer crashes). Also make sure that subfolders don't have commas in them. * Partially fixed #2544. Adding new icons for dynamic group. 2011-06-27 theron * Fixed #2530, where adding a subfolder opens the parent folder in the object editor. * Fixed #2529, where dragging and dropping items between subfolders could cause a crash. * Fixed #2528, display icon next to "new subfolder" menu item. * Added feature #2517: directory location caching. Use FWBSettings::{get|set}OpenFileDir() any time we use QFileDialog so that the directory you navigated to last time shows up in the next file dialog. This behavior is overridden by setting a working directory. If the directory no longer exists, gracefully fall back to something sensible. 2011-06-23 theron * Added support for creating user-defined subfolders.
The subfolders exist purely in the display and are not reflected in the FWObject tree, in order to keep changes in the back-end to a minimum. New attribute "subfolders" on a system folder tells the gui what additional child elements to display in the tree, and attribute "folder" on any FWObject tells gui which child tree element to put it in. 2011-06-22 Vadim Kurland * ObjectManipulator_ops.cpp (autorename): fixed #2520 "Attached Network objects are not renamed if a firewall is renamed" * AttachedNetworksDialog.cpp (addAddressToList): see #2519 Avoid creating duplicate network objects for the AttachedNetwork object if the parent interface has multiple ip addresses that belong to the same subnet. * CompilerDriver.cpp (CompilerDriver): fixed #2521 "Compile fails if firewall has locked interface that is set to dynamic". * NATCompiler_pf_writers.cpp (_printProtocol): see #2524 'avoid " {tcp udp icmp} " in place of protocol'. NAT compiler for PF does not need to generate protocol match "proto {tcp udp icmp}" when service object used in the NAT rule is "any". The reason this was done this way is lost in the mist of time; it's been like this since very early versions of fwbuilder. 2011-06-21 vadim * NATCompiler_pf.cpp (compile): fixed #2428 "PF compiler crashes when ipv4+ipv6 NAT rule uses only ipv4 address". This has been reported as SF bug 3305234. 2011-06-20 Vadim Kurland * ObjectManipulator_slots.cpp (forward): see #2493 implemented "forward" function in addition to the "back" function, added a button to the toolbar, using new icons for Back and Forward buttons. * src.pro (SUBDIRS): see #2477 removed transfer agent code. * gui.pro: see #2506 Removed obsolete localization files (Russian and Japanese). These were incomplete and have never been updated for v4. 2011-06-10 Theron Tock * implementation of keywords associated with objects in the GUI; ability to filter by keywords, dialog layout changes to add GUI controls for keywords. 
* implementation of the DynamicGroup object type. Dynamic group automatically expands to a set of objects using matching rules that at this time can match object types and keywords. 2011-06-09 Vadim Kurland * fixed several GUI crashes that happened when user performed various operations on the object tree that contained locked objects. see #2487 2011-06-04 vadim * FWWindow_editor.cpp (openEditor): this change is a part of the GUI usability improvements: when user double clicks on a firewall object to open it in the editor, rule set view panel switches to the rule set of that firewall. To decide which rule set to show, the program scans history of the objects the user opened before in the same GUI session and shows that firewall's rule set they opened last. If user never opened any rule sets of this firewall, then the first Policy object is shown. See #2465. * RuleSetView.cpp (itemDoubleClicked): as part of the GUI usability improvements, its behavior when user double clicks on "any" in a rule has changed. Now the program opens object "any" in the editor and shows prompt text that explains its behavior. The editor stays read-only and should appear grayed-out if palette is set up for that. This reverses the change made for #1731. See #2454. 2011-06-03 vadim * applied patch to provide configure command line option to specify path to ccache. Thanks to user "a. k. huettel " on SourceForge. * NATCompiler_pf.cpp (_expand_addr): see #2455 NAT Compiler for PF should use "(interface)" syntax to the right of "->" in NAT rules. This now works for all interfaces, including those that have ip addresses in fwbuilder configuration, when interface object appears in "Translated Source" in a nat rule. When firewall object appears in "Translated Source", it gets replaced with a set of its interfaces which also get translated into "-> (interface)". 
* NATCompiler_ipt.cpp (compile): see #2456 Added support for single object negation in "Inbound Interface" and "Outbound Interface" columns in compiler for iptables. * NATCompiler_pf.cpp (compile): see #2456 Added support for single object negation in "Interface" rule element of PF NAT rules. Now compiler can produce PF commands such as "nat on ! em0 ... " (for PF <4.7) or "match on ! em0 ..." (for PF >= 4.7) * Compiler.cpp (singleObjectNegation::processNext): moved rule processor that processes single object negation in any rule element to the base class Compiler. 2011-06-02 Vadim Kurland * pf.g (set_rule): see #2464 implemented import of PF "set timeout", "set limit" and other "set" commands. Known limitations: - commands "set ruleset-optimization", "set loginterface", "set block-policy", "set state-defaults", "set require-order", "set fingerprints", "set reassemble", "set hostid" are not supported. 2011-05-30 vadim * pf.g (nat_rule): see #2449 Implemented import of PF "nat" rules. Known limitations: - as of v4.2 we can not generate optional parameters for the "source-hash" pooltype. "sticky-address" is not supported either. - Interface group names are not recognized 2011-05-27 vadim * PFImporter.cpp: see #2394 pf.conf import. This version implements import of pf.conf configuration with the following limitations: - anchors are not imported. Anchor rules are imported but rules inside anchors are not. - only pf.conf configurations designed with the use of keyword "quick" can be imported. - Macros are expanded during import and are not recreated as objects. Tables are imported as run-time AddressTable objects configured with the file name, or object groups. - User has to specify host OS and PF version number during import process because interpretation of rules with default settings of some parameters is version-dependent. - Import of IPv6 addresses and ICMPv6 matches in pf.conf is not supported at this time. 
- Import of TCP flag matches for flags 'E' and 'W' is not supported. - Import of "include" clause is not supported - Import of "user" and "group" matches is not supported 2011-05-26 Vadim Kurland * PolicyCompiler_pf.cpp (compile): see #2434 "PF compiler should use 'self' keyword where appropriate". Compiler for PF now uses keyword 'self' in rules where firewall object is used in Source or Destination. * fwcompiler/Compiler.cpp (processNext): added rule processor to replace firewall object with special run-time object "self" in Source and Destination rule elements. This rule processor can be used in policy compilers for any platform. 2011-05-17 vadim * FWObjectDatabase_tree_ops.cpp (merge): see #2420 "Crash when selecting New Firewall and existing firewall has interface that is locked". Fixed GUI crash that happened on some operations if an object in the tree was locked. For example, if the user locked an interface of one of the firewall objects that then proceeded to create new firewall object, the GUI would crash. The problem was not limited to locking specifically interface objects. 2011-05-15 vadim * IPTImporter.cpp (pushPolicyRule): see #2411 Implemented import of iptables rules with target CLASSIFY. 2011-05-14 vadim * CompilerDriver_ipt.cpp (findBranchesInMangleTable): see #2405 "Tag and classify actions dont work properly with branches". When branching rule points to a rule set that has rules with Tag and Classify options, branching should occur in mangle table even when checkbox "create branch in mangle table" is not checked. The fix in this change is tentative as it creates branch in chains PREROUTING, POSTROUTING and OUTPUT. Since target CLASSIFY is only allowed in POSTROUTING, this may create conflict. Need to test more. * AttachedNetworks.cpp (AttachedNetworks): see #1580 New object type: network object that automatically matches subnets an interface is attached to. The object can be a child of an interface. 
The object is optional and is not created automatically for all interfaces; user can add it using context menu associated with an interface. Dialog for this object allows editing of the name and comment. List of network addresses represented by this object is always generated automatically. Compiler for PF translates this object to "en0:network" construct that is supported by PF. Compiler for iptables expands it to the list of ipv4 and ipv6 networks defined by the addresses of the parent interface if interface has static addresses. If interface is configured as "dynamic" and has no address in fwbuilder, then compiler treats AttachedNetworks object as run-time and uses shell function to determine network addresses during activation of the firewall script. Compilers for other firewall platforms always treat this object as compile-time and abort if it is used with dynamic interface. 2011-05-13 vadim * PolicyCompiler_ipt.cpp (processNext): see #2402 "Tag action should be done in PREROUTING so it can be acted on later". If a rule has both tagging and classification options, the rule should be split so that iptables command doing tagging goes in PREROUTING and rule doing classification goes into POSTROUTING chain. * PolicyCompiler_ipt.cpp (processNext): see #2401 "Deprecating Route option for iptables". This target is not included in any of the popular Linux distributions (checked in Ubuntu, Fedora and CentOS). The GUI dialog and all support in the compiler will be removed in future version of fwbuilder. Beginning with 4.3.0, compiler aborts with an error when it encounters a rule using this option. In older versions of fwbuilder (4.2.x and before) this option was presented as an action "Route". * CompilerDriver_ipt_run.cpp (run): see #2400 'Mixing Actions "Accept" and "Classify" results in incorrect rules', see #2399 'Mixing Actions "Accept" and "Tag" results in incorrect ruleset'. 
After we made Tag, Classify and Route rule options instead of actions, rules that mix these options with actions "Accept" and others, except for "Continue", should be treated differently. The actions are now implemented using iptables rules in the table "filter" and additional rules in table "mangle" are used to implement only tagging, classification or routing. Generated script does not change default action in table "mangle" and assumes it is "ACCEPT" so adding rules with target ACCEPT in mangle table should not be necessary. Another change because of this affects branching rules that use option "create branch in mangle table in addition to the filter table". These rules used to duplicate the same action and logging rules in mangle. Now they don't do this and only create rules in mangle if branch rule set performs tagging, classification or routing. 2011-05-11 vadim * v4.2.2 released * newFirewallDialog.cpp (finishClicked): fixes #2395 "Crash when setting installer directory location" and fixes #2396 "Crash when changing firewall name". These two bug reports were the manifestation of the same problem that was introduced by the fix for #2380. When user hits OK in the newFirewallDialog and it merges temporary object tree into the main object tree, it should call fixTree() to fix all pointers to the root of the tree. 2011-05-10 vadim * v4.2.1 released 2011-05-10 Vadim Kurland * fwbuilder 4.2.1.3540 released; started v4.3.0 * merged from branch multiple_actions to add changes that implement conversion of actions Tag, Classify and Route to options. Now one policy rule can have any combination of these options. See #2367. 2011-05-09 Vadim Kurland * FWCmdAddObject.cpp (redo): fixes #2391 "selecting 'new library' when editor panel not on 'editor' tab causes crash" 2011-05-06 vadim * PolicyCompiler_pf_writers.cpp (_printQueue): see #2390 Classify does not generate "queue" string for rules created in V4.2.1.3538 This completes the fix for the bug #2385. 
2011-05-05 Vadim Kurland * FWObjectDatabase_19.xslt: see #2385 "PF action Classify uses wrong parameter". This change fixes a bug introduced in 4.2.0 that affects rules with action Classify in PF firewalls. The bug causes the following problems: For users who built their rules before v4.2.0: - rules compile normally, both in the single rule compile and when the whole firewall is compiled - if they opened the action of one of such rules in the action editor, the classification string would look empty - if they entered new classification string in the editor, compiler kept using the old one (which they can not see or change in the editor) For users who tried to build rules with action Classify with v4.2.0: - no matter what classification string they enter in the action dialog, generated code does not use it 2011-05-04 Vadim Kurland * FWObjectDatabase_18.xslt: XSLT transformation to upgrade data files from DTD v18 to DTD v19. This transformation finds "PolicyRule" elements with missing "Itf" child elements and fixes them by adding such element with a reference pointing to "any". Fixes #2383 * fwbuilder.dtd.in: Element "Itf" (an interface) of "PolicyRule" should be required. DTD version increment. 2011-05-03 vadim * PolicyCompiler_ipt.cpp (processNext): see #2367 "Multiple actions per policy rule". Options "Tag", "Classify" and "Route" work with iptables in a combination with any action. This implementation has one restriction: option Route can not be used in combination with options Tag or Classify and any action that is not Continue. This is because option Route can yield rules in PREROUTING or POSTROUTING chains that are also used by options Tag and Classify. For this combination we create two user-defined chains that perform routing and tagging (or classification). In case of a terminating action both chains end with it. This means if one matches the packet, the other is never going to see it. Non-terminating action "Continue" does not create this problem. 
This limitation may be removed in future versions of fwbuilder. 2011-05-03 vadim * newFirewallDialog.cpp (finishClicked): see #2380 "Firewall object is created in the middle of the "new firewall" wizard and clicking Back creates two firewall objects". If user chose to create new firewall object from a template and clicked Back after choosing the template, the program actually created two firewall objects but only one was visible in the tree. 2011-04-30 vadim * RuleSetModel.cpp (objectChanged): see #2373 "GUI becomes unresponsive for a long time when an object that is used in a large number of rules is modified". The program spent too much time resizing rule set view columns. 2011-04-29 vadim * UsageResolver.cpp (findFirewallsForObject): see #2373 "GUI becomes unresponsive for a long time when an object that is used in a large number of rules is modified". This bug only affected configurations with very large rule sets (1500 rules) where lots of rules used the same object. The change in UsageResolver eliminates unnecessary scanning of all rule sets to check if the affected rule set might be used as a branch. The program used to scan the same objects many times. * iosaclAdvancedDialog.cpp (accept): fixes #2368 and SF bug 3294457 "External install script". External install script name and arguments weren't saved for IOS firewall objects. * snmpNetworkDiscoveryWizard/ND_ProgressPage.h: fixes #2370, #2371 "broken signals in network discovery wizard". Network discovery wizard was not correctly initialized and did not work. 2011-04-25 Vadim Kurland * instDialog_ui_ops.cpp (readInstallerOptionsFromDialog): tentative fix for SF bug 3169045 "Batch installer lists IPv4 address as management address". Built-in installer wanted to use management interface address in batch mode even when alternative address or putty session name was provided. This happens only in batch mode install. 
* VERSION (GENERATION): version 4.2.0 released; started 4.2.1 2011-04-20 vadim * configlets/pix_os/script_skeleton: fixed bug (no #): "clear" commands were not added when option "generate only access-list, access-group, nat, static..." was in effect; also making sure "clear" commands for object-groups and ssh are not added when option "do not add clear commands" is on. This affects PIX/ASA/FWSM. 2011-04-19 Vadim Kurland * RoutingCompiler_ipt.cpp (compile): see #2359 "Crash when compiling single rule with IPv6 destination and IPv4 gateway or interface". Routing compiler for iptables does not support ipv6 at this time and will issue a warning when user tries to place ipv6 address or network in a routing rule. The warning does not appear when ipv6 address is a member of a group used in the rule. Also see #1575. 2011-04-17 vadim * fwbedit.cpp (main): added command line switch "-d" to function "import" in fwbedit. This switch activates object deduplication on import. 2011-04-15 vadim * fwbedit.cpp (main): see #2328 "Add ability to run firewall import from the command line". This has been implemented as a new function "import" in fwbedit. See man page fwbedit(1) and "fwbedit -h" for more details. * iptables.g (multiport_tcp_udp_port_spec): see #2245 fixed bug in parser for iptables that prevented correct import of iptables rules using module "multiport" with port range matches. 2011-04-14 vadim * CompilerDriver_pix_run.cpp (pixSecurityLevelChecks): see #2351 Security levels of ASA and FWSM interfaces do not have to be unique. Removed check that enforced this. * IPTImporterRun.cpp (run): see #2275 Importer for iptables now correctly handles both "intrapositioned" ("-s ! address") and "extrapositioned" ("! -s address") negation. * platform/fwsm.xml: see #2295 Added FWSM version "3.2". According to Cisco documentation, FWSM version 3.2 matches PIX 7. * platform/pix.xml: see #2348: "Accounting action is not valid for FWSM platform". 
Actions "Accounting" and "Reject" should not appear in the drop-down list of actions in the GUI if platform is pix or fwsm. * PolicyCompiler_pix.cpp (printPreambleCommands): see #2347 "FWSM move up the "access-list mode auto-commit" command". Command that configures access list commit mode should be issued before any commands that clear and configure access lists. Also in this change moving commands that set up temporary access list to the top of the script. * PolicyCompiler_pix.cpp (printClearCommands): see #2322 If this is FWSM and if manual commit mode is used, need to commit after clearing ACLs before we clear object groups. 2011-04-13 Vadim Kurland * IPTImporter.cpp (pushPolicyRule): see #2338 "Empty Mangle Policy object created on import". Iptables rules in the table 'mangle' will be imported in the dedicated Policy rule set with name "Mangle". Rules that use chains FORWARD and POSTROUTING in table 'mangle' can not be reproduced and will be marked as "bad" (color red and corresponding comment). * configlets/fwsm_os/ntp: see #2344 fwbuilder should not generate any "ntp" commands for FWSM because NTP can not be configured on FWSM. * OSConfigurator_pix_os.cpp (_printSysopt): see #2345 More fixes for FWSM 4.x: "service resetoutbound", "timeout xlate", "timeout sunrpc" * OSConfigurator_pix_os.cpp (_printInterfaceConfiguration): see #2343 "Interface nameif error when installing generated config for FWSM". Use correct "nameif" command syntax in FWSM 2.x and 4.x. * OSConfigurator_pix_os.cpp (_printSSHConfiguration): see #2344 "FWSM install errors for clear commands". Using correct syntax for "clear" commands for FWSM v4.x 2011-04-11 vadim * PolicyCompiler_PrintRule.cpp (_printTarget): see #2235 "Modified rule action for Continue". Rules with action "Continue" should translate into iptables commands without "-j TARGET" parameter. If such rule also has logging enabled, it should use target "-j LOG" instead of generating additional chain. 
* IPTImporter.cpp (pushPolicyRule): see #2206 Iptables commands with no "-j TARGET" parameter should be imported using action "Continue". * iptables.g (comment): see #2336 Importer for iptables recognizes version stored in the top comment by iptables-save and sets version in the firewall object it creates. 2011-04-10 vadim * utils.cpp (expand_interface_with_phys_address): see #2324 "NAT + MAC-matching rules not generated properly". Iptables NAT rules matching a group of host objects with both IP and MAC addresses each in "Original Source" were not generated properly. * PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): SF bug 3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are added automatically to ipv6 Linux firewall to permit neighbor discovery packets should be also added to the FORWARD chain if the firewall is a bridge. * ObjectManipulator_create_new.cpp (actuallyCreateObject): see #2229 "Multiple new objects with the same name". The GUI should automatically choose unique object names for new objects. * platforms.cpp (setInterfaceTypes): see #2224 "FreeBSD - Bridge interfaces with the name vlan don't show as Bridge Port Interfaces". This actually applies to all OS where we support vlan and bridge interfaces. Fwbuilder GUI should allow the user to set subinterface type to both "ethernet" and "vlan" when its parent interface has type "bridge". Setting subinterface type to "ethernet" makes it bridge port, while setting the type to "vlan" signals policy compiler that it should generate code to configure real vlan interface. If the name of the subinterface does not include the name of the parent, such as "vlan101", or when the name does not match vlan ID, such as "vlan8101", global preferences option "Verify interface names and autoconfigure their parameters..." should be turned off. The option is located in the Preferences dialog, tab "Objects". 
2011-04-08 vadim * FWBSettings.cpp (init): fixed bug (no #): "Show text description in rule columns" does not persist across sessions * clusterMembersDialog.cpp (createMember): see SF bug 3211769 "Member interfaces not sorted". Sorting interfaces by name in the dialog where user adds them to the cluster member group. * os/ios.xml: see #2330 "Crash when creating a cluster of IOS router firewalls". Added support for basic IOS router clusters. No failover protocol support at this time, but the cluster can be configured with protocol "None" and fwbuilder will do address substitutions at compile time. * PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules with service set to "http" and destination set to asa firewall object should generate different command syntax". Policy rules that have firewall object in Destination and http object in Service now generate "http" commands. This is similar to how fwbuilder generates "ssh", "telnet" and "icmp" commands to permit corresponding services to the firewall itself. * pix.g (static_starts_with_tcp_udp): more fixes for import of PIX/ASA "static" command in different variations. See #2334 * ObjectEditor.cpp (changed): see #2335 "GUI switches between data files upon closing editor panel". If user opened two data files in the GUI and was in the process of editing objects in one of them, the GUI would flip to the other file under certain circumstances. 2011-04-07 vadim * PIXImporterNat.cpp (buildDNATRule): resolved several problems with import of "static" commands that use access list that matches source or destination tcp/udp ports. See #2326, #2327 * pix.g (network_top_level_command): see #2295 fixes in the grammar to support import of FWSM configs * PIXImporter.cpp (fixServiceObjectUsedForBothSrcAndDstPorts): see #2265 "ASA 8.3 acl import: access-list commands using two named objects or object-groups", see #2290 "Access lists that include mix of service objects and inline service definitions are not properly imported". 
To import access-list command that matches both source and destination tcp/udp ports and uses object-group in either match I should create a new service group with a collection of TCP or UDP service objects matching all combinations of source and destination port ranges defined by the rule. This should work when one or both matches use object-group in combination with inline port match. * PIXImporter.cpp (pushPolicyRule): see #2297 Added warning when importer encounters access-list command that matches tcp or udp ports with "neq" port operators in both source and destination. This configuration is not supported by import at this time. * PIXImporterNat.cpp (buildSNATRule): see #2319 "Imported nat rules with multi-line access-lists have only the first entry" * PIXImporterRun.cpp (run): see #2167 Implemented import of "names" and "name" commands in PIX/ASA configs. * CompilerDriver_pix_run.cpp (pixNetworkZoneChecks): see SF bug 3213019 "FWSM Network zone and IPv6". Currently we do not support ipv6 with PIX/ASA and FWSM. If user creates a group to be used as network zone object and places ipv6 address in it, this address should be ignored while compiling the policy but this should not be an error. * FirewallInstaller.cpp (executeExternalInstallScript): see SF bug 3212988 "external script makes getopt difficult". User-defined parameters for the external script moved to the end of the command line. * res/os/fwsm_os.xml: updated filesystem path on FWSM where fwbuilder built-in installer should place generated configuration when it is installed using scp. Currently using path "disk:". 2011-04-05 vadim * pix.g (static_command_common_last_parameters): see #2314 "Import of static NAT statements drops netmask value and uses host instead". "Netmask" parameter of a "static" command applies to the real address. * PIXImporterNat.cpp (buildDNATRule): see #2313 "NAT with access-list destination address and original service not set". 
"Nat" and "static" commands that use access-list should import all components of the access-list command (source, destination and service/protocol). * PIXImporterNat.cpp (buildSNATRule): see #2310 "Imported global / nat rule has wrong interface defined". Importer mixed up inbound and outbound interfaces in NAT commands created from combination of "global" and "nat" PIX/ASA commands. * pix.g (nat_new_top_level_command): since import of ASA8.3 "new" nat commands is not implemented yet, importer should issue a warning when such command is encountered. See #2315 2011-04-01 vadim * FWObject.cpp (insert_before): see #2171 "Undoing delete of rule ends up with rules being created with duplicate rule numbers". Also see #2172 "Crash when deleting rule - related to #2171". When user deleted the last rule in a rule set, then used Undo to restore it, the program lost track of rules in the rule set and became unstable. * FWObject.cpp (shallowDuplicate): see #2286 "Crash when closing file". The GUI crashed if user imported iptables or pix configuration, then deleted a rule and tried to close project window. * PIXImporter.cpp (mirrorServiceObjectRecursively): see #2291 The same service object-group that matches some tcp or udp ports can be used to match both source and destination ports in an access-list command. Importer should recognize when such group is used to match source ports and create mirrored group with potentially mirrored service objects. This should work when group includes other groups. * FWWindow_editor.cpp (openOptEditor): fixes #2307 "GUI switches to another file after editor panel is closed" 2011-03-31 vadim * parsers/pix.g (http_command): see #2164 fixed import of "ssh" commands and added import of "http" commands * objectMaker.h (ObjectMakerErrorTracker): see #2302 Importer should log and continue when it encounters an error. This matches its behavior in older versions and makes it more resilient to changes in target platform firewall languages. 
Rule that had an error or unrecognized syntax in it should be marked by changing its color to red and an explanation should be added to its comment. * PIXImporterNat.cpp (buildSNATRule): import of PIX/ASA "global" and "nat" commands works. 2011-03-30 vadim * PIXImporterNat.cpp (buildDNATRule): import of PIX/ASA "static" commands works for the most part. Needs more testing. 2011-03-28 vadim * ObjectManipulator.cpp (getDeleteMenuState): see #2226 fixed GUI crash that happened when user tried to delete or cut an object from locked library. * RuleOptionsDialog.cpp (loadFWObject): see #2230 the GUI should allow limit-burst values of up to 10000 2011-03-27 vadim * import/PIXImporter.cpp (addLogging): see #2279 Support for import of ASA access-list lines with log levels and intervals * parsers/pix.g (tcp_udp_port_spec): see #2284 fixed import of tcp/udp port ranges using mix of port numbers and port names * getServByName.cpp (getPortByName): see #2268 Making sure all tcp and udp port names are recognized on import; also since PIX/ASA converts udp port numbers in "show run" output to the same names as if they were tcp, using the same name mapping table. 2011-03-25 vadim * Importer.cpp (pushRule): fixes #2280 Rules created from PIX config import showed an icon that indicated non-default combination of rule options, yet all rule options looked normal when opened in the editor. * parsers/pix.g (icmp_top_level_command): see #2164 Implemented import of "ssh", "telnet" and "icmp" PIX/ASA commands. These commands are imported as regular rules in the main Policy ruleset. * PIXImporter.cpp (finalize): see #2277 "Create policy objects for ASA access-lists that are not applied in an access-group". Policy rule set will be created and populated with rules found in the corresponding access-list even if this access-list is not applied to an interface with access-group command. 
* parsers/pix.g (tcp_udp_rule_extended): see #2273 Improvements in the parser for PIX/ASA configs to make it recognize object-group and named object names used to define source port, destination address or destination port in "access-list ... tcp|udp" rules, including ambiguous situation when an object-group appears after source address specification because this group can define either source port or destination address. 2011-03-24 vadim * ASA8ObjectGroup.cpp: see #2263 looks like "object-group service" that includes named objects defined as "service-object" can not be used in access-list commands and therefore is useless. Unless I misunderstood and there is a way to use it, I should not generate ASA configuration like this: object-group service id5102X14531.srv.tcp.0 tcp service-object object http.0 service-object object https.0 Object-group with "tcp" or "udp" type-suffix in the end does not allow "service-object" statements at all, so this configuration is incorrect anyway. However even without "tcp" in the end to make "service-object" references acceptable, the group can be built but can not be used in access-list statements. Instead, the group should use port-object statements: object-group service id5102X14531.srv.tcp.0 tcp port-object eq 80 port-object eq 443 * IOSImporter.cpp (createTCPUDPServicePair): see #2267 added support for import of object-group and service-object statements of type "tcp-udp" (these get imported as service group object with two tcp and udp service objects). * getServByName.cpp (getPortByName): see #2268 updated list of named tcp and udp ports recognized by the importer for Cisco ASA. It is still unclear what port does the name "cifs" correspond to. 2011-03-23 vadim * addressObjectMaker.cpp (createObject): see #1548 Improved algorithm used to deduplicate Network objects on import. * FWWindow.cpp (prepareToolsMenu): fixed SF bug 3238026: build failure on systems without net-snmp development libraries. 
2011-03-22 vadim * parsers/pix.g (acl_xoperator_src): first attempt at PIX/ASA access-list import. Not done yet. * parsers/pix.g (port_object): see #2234 added support for import of "object-group service name tcp|udp" constructs in ASA 8.3 with subsequent "port-object" statements. 2011-03-21 vadim * PortRangeConverter.h (PortRangeConverter): see #2252 TCP and UDP service objects that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and pix access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary. 2011-03-20 vadim * ImportFirewallConfigurationWizard.cpp (accept): see #2253 "importer should not creates objects while still in the middle of the wizard". Importer wizard creates new objects in the object tree only when user clicks Finish and abandons results if they click Cancel. 2011-03-19 vadim * IOSImporter.cpp (createTCPUDPNeqObject): see #2248 implemented import of Cisco IOS and PIX/ASA service configurations using port operation "neq". Since object model in fwbuilder does not provide direct support for "port not equal to" expression, this configuration is converted into two tcp or udp service objects with port range extending below and above specified port and these two service objects are then placed in a group. 
* objectMaker.cpp (findMatchingObject): see #2240 better deduplication algorithm on import: we consider objects created from in-line address/netmask and port specifications found inside object-group, access-list, filter or nat commands "anonymous" objects. These objects get automatically generated names and are deduplicated using only their relevant attributes but not names. Objects created from pix named object ("object network foo", "object service bar") statements are considered "named" objects. They get the name matching the name in corresponding pix config line and are deduplicated using both relevant attributes and the name. 2011-03-17 vadim * PIXImporter.cpp (newObjectGroupNetwork): see #2234 Added support for import of PIX/ASA "object-group" statements. * FirewallInstaller.cpp (getActivationCmd): see #2239 Added variable "firewall_name" to configlets that define commands installer runs on the firewall to activate new policy (all platforms). 2011-03-16 vadim * Importer.cpp (prepareForDeduplication): fixed #1548 "Object de-duplication during import process". Also SourceForge 3030072 "remove duplicates during any import". Now the program can optionally re-use existing objects from both Standard Objects and user-defined libraries when it imports existing firewall configuration. This works for any firewall platform for which we support policy import. Objects are matched by attributes such as address, netmask, port etc. Object name and comment are not taken into account. Importing the same configuration file twice creates two firewall objects with the same interfaces and rules but re-uses address and service objects created on the first import. 
2011-03-14 vadim * pix.g (named_object_network): see #2223 Implemented import of named objects for Cisco PIX and ASA ("object network name" and "object service name") 2011-03-12 vadim * Compiler.cpp (expandGroupsInRuleElement): sorting objects in the rule element by name after group is expanded, this helps ensure stable ordering of objects in generated configuration. * Compiler.cpp (replaceClusterInterfaceInItfRE::processNext): sorting objects in rule element after cluster interfaces have been replaced, this helps ensure stable ordering of objects in generated configuration. * FWObject.h (FWObjectNameCmpPredicate): moved this class from gui-specific module to libfwbuilder as it is universally useful. It can compare FWObject objects by name and can optionally follow references; it can be used with std::sort() to sort lists of FWObject pointers or directly sort rule elements. * Compiler.cpp (_init): see #2212 "Performance improvement in compilers". This change brings significant improvement in compile time on large object trees. The speed-up is especially noticeable in single rule compile where the time before generated firewall configuration appears in the GUI shrank by up to a factor of 10. 2011-03-11 vadim * FWObject.cpp (add): fixes #2209 "do not allow the same object to be child of different objects in the tree". Method FWObject::add() enforces this. Subsequent clean-up and fixes in many places to follow this logic. This makes code much cleaner, better organized and more reliable. 2011-03-10 vadim * libfwbuilder/src/fwcompiler/Compiler.cpp (Compiler): see #2207 fixed memory leak in policy compilers. The impact of this leak was especially severe on Windows with very large object databases. 2011-03-08 vadim * CustomServiceDialog.cpp (loadFWObject): fixes #2201 "Some fields of locked object are editable". Some input fields of the Custom Service object dialog were editable even when object was locked read-only. 
* GroupObjectDialog.cpp (loadFWObject): fixes #2203 "Crash when attempting to add an object to a locked group". * PolicyCompiler.cpp (checkForShadowing): see #2204 "Shadowing detected for rule with action Continue". Policy rules with action "Continue" should not shadow other rules and can not be shadowed. * Importer.cpp (addStandardRuleComment): see #2189 Program adds the file name and the line number to comments of policy and nat rules it creates during import. * IPTImporter.cpp (pushPolicyRule): see #2202 importer for iptables creates Custom Service object to match combination of states it does not recognize. This includes "NEW,ESTABLISHED". 2011-03-07 vadim * IPTImporter.cpp (pushNATRule): see #2197 "iptables nat rules in chain OUTPUT not imported correctly" * iptables.g (nat_addr_range): see #2194 "iptables import problem with SNAT rule translating to an address range". NAT rules translating into address range with "-j SNAT --to-source 192.168.1.1-192.168.1.10" did not import correctly * IPTImporter.cpp (pushNATRule): fixes #2195 "incorrect iptables import of nat rule with NETMAP target" * IPTImporter.cpp (pushNATRule): see #2196 "iptables nat rules with target REDIRECT not imported". Iptables NAT rules with target REDIRECT where not imported correctly. * IPTImporter.cpp (pushNATRule): see #2190 "support for import of branches in NAT rules for iptables". Implemented import of NAT rules in user-defined chains for iptables, these translate into branching NAT rules in fwbuilder. 2011-03-06 vadim * Importer.cpp (ignoreCurrentInterface): see #2152 "ASA Import - shutdown interfaces". Importer recognizes and skips ASA interfaces in "shutdown" mode. * IPTImporter.cpp (pushNATRule): see #2181 "Update iptables importer to detect inbound & outbound interfaces in NAT rules". Importer can now import nat rules with "-i" or "-o" interface spec. * NATCompiler_ipt.cpp (processNext): see #2170 "Compiler should generate error for invalid iptables NAT configs". 
Now that we allow the user to specify inbound and outbound interfaces in iptables NAT rules, compiler should verify that combination of requested "-i" and "-o" interfaces is in fact valid. For example iptables does not allow "-o" interface spec with rules that go into PREROUTING chain (DNAT rules) or "-i" interface spec with rules in POSTROUTING chain (SNAT rules). * IPTImporter.cpp (pushPolicyRule): see #2189 Policy importer warnings and errors now include line numbers to help find relevant lines in the original configuration file. 2011-03-05 vadim * importFirewallConfigurationWizard/IC_ProgressPage.cpp (logLine): see #2183 "count errors and warnings generated by the importer and show the numbers in the progress page of the wizard". Configuration import wizard now shows counters of warnings and errors generated by the importer. * FWBMainWindow_q.ui: see #2162 menu item "File / Import Policy" renamed to "File / Import Firewall". This menu item launches wizard that imports existing iptables, Cisco router IOS or Cisco PIX/ASA config. 2011-03-04 vadim * IC_NetworkZonesPage.cpp (setNetworkZones): see #2161 policy import wizard shows the page where user can set up network zones of interfaces if firewall platform was determined to be PIX. * IC_PlatformWarningPage.cpp (initializePage): see #2161 "import workflow and automatic detection of firewall platform from the config file". When user imports existing firewall configuration, the GUI automatically detects firewall platform from the format of the config file and shows platform-specific warning to explain what parts of the config can and can not be imported. It also detects firewall host name where possible (currently Cisco IOS and ASA/PIX). Importer wizard has been reimplemented using QWizard and QWizardPage classes and its workflow significantly improved. 
2011-03-01 vadim * importAddressListWizard/ImportAddressListWizard.cpp (ImportAddressListWizard): see #2163 code that imports addresses from a file in /etc/hosts format moved to its own wizard; using QWizard and QWizardPage classes with correct implementation of page sequencing and validation; old discovery druid has been disabled. SNMP discovery and ios/pix/iptables configuration import will move to their own wizards later. 2011-02-27 vadim * DiscoveryDruid.cpp (finishClicked): fixes #2156 "After import the firewall should be opened in object tree". * instDialog_ui_ops.cpp (readInstallerOptionsFromFirewallObject): fixes #2160 "Installer reports error "Generated script file .fw not found."". The problem was introduced earlier while fixing #2047 2011-02-26 vadim * DiscoveryDruid.cpp (finishClicked): see #2153 "Add Network Zone explanation and selection dialog to ASA/PIX import". Wizard shows additional page when user imports PIX/ASA config. This page explains concept of network zones and offers UI to let them choose network objects or groups as a network zone of each interface. * PIXImporter.cpp (rearrangeVlanInterfaces): see #2145 "ASA Import of VLAN interfaces - Advanced Interface Settings not available". Vlan interfaces discovered in the process of PIX configuration import should be created as subinterfaces of the corresponding parent with correct interface type and vlan id. * parsers/pix.g (intf_address): fixes #2146 Issue a warning when parser encounters "standby" parameter in an interface configuration. We do not support import of PIX failover configuration at this time. * platforms.cpp (findBestVersionMatch): fixes #2147 "ASA Import - some versions are not detected correctly". when user imports PIX/ASA configuration, firewall object will automatically be configured with the version setting that best fits version indicated in the imported configuration. 
Note that fwbuilder does not provide the list of version numbers that match PIX/ASA versions exactly, for example we do not have settings "7.1" and "7.2". Devices running these versions of PIX/ASA software should be configured with version "7.0" in fwbuilder. 2011-02-25 vadim * parsers/pix.g (intf_address): see #87 "Import of PIX configuration". Basic grammar that can parse host name, version, interfaces, their names, labels, addresses, security levels and few other things for PIX 6, 7 and ASA 8. PIX standby configuration is not parsed (so we can't import cluster configuration at this time). More work needs to be done to import named objects, object groups, as well as policy and nat rules. 2011-02-24 Vadim Kurland * FirewallInstaller.cpp (getGeneratedFileName): see #2047 "Inspect generated files button shows different path information". Do not pass full path to the output file as an argument of the "-o" option when the GUI launches policy compiler. Since the "-d" option passes directory path where files should be saved, actual file names do not need to be absolute path, except if the user entered absolute path for the output file name in the firewall settings dialog. * configlets/freebsd/installer_commands_root: see #2143 "installer should run /etc/rc.d/pf script to reload PF rules on FreeBSD when generated script is in rc.conf format" * AddressTableDialog.cpp (browse): see #2140 "Attempting to create new Address Table file results in read-only error". Implemented support for the workflow when user wants to create the file used to feed addresses to the AddressTable object. * AddressTableEditor.cpp (load): fixes #2139 "Provide "Cancel" button if Address Table file is read-only". IF the file configured with Address Table object is read-only, the GUI shows warning when user clicks "Edit" button and offers a choice: open it for viewing read-only or cancel. 2011-02-23 vadim * AddressTableEditor.cpp (save): fixes #2135 "Editing table objects". 
Dialog of the AddressTable object now offers button "Edit" that lets the user edit address table file. This only works if the file is located on the same machine where the GUI is running, so it is probably most useful for compile time objects. 2011-02-22 Vadim Kurland * configlets/linux24/shell_functions: see #2130 "unnecessary output when iptables script runs on the firewall". Ever since I switched to using "command" to verify that various system utilities generated script needs are present and can be used, the script produced extra lines in the log printing full path and names to /usr/bin/logger, /sbin/ip etc. These lines are unnecessary and should not be there. This problem was introduced some time during the work on 4.2.0 * instOptionsDialog.cpp (instOptionsDialog): fixes #2129 'deprecate "test install" function'. We have decided to deprecate test install because it is rather heavy-handed on Linux and PIX where it reboots the firewall and plain does not work on *BSD. 2011-02-21 vadim * PolicyCompiler_ipt.cpp (processNext): fixes #2008 "option "--physdev-out" is not allowed in OUTPUT chain". After this change, compiler avoids INPUT/OUTPUT chain if interface in the rule column "Interface" is a bridge port and firewall is bridging firewall (which means we are going to use --physdev-in or --physdev-out option for this rule). * newFirewallDialog.cpp (monitor): see #2126 Using snmp sysDescr OID to guess version of the new firewall when it is created using snmp polling. * platform/pix.xml: see #1990 "Change default value for Cisco ASA/PIX 7+ to generate outbound ACLs". Newly created PIX/ASA firewall objects will now have "generate outbound acl" option turned on by default. * newFirewallDialog.cpp (showPage): fixes #1678 "When creating a firewall from template it appears that a default template is selected". When user arrives at the page where they choose template to create new firewall object from, the first template should be automatically selected. 
* AddressRangeDialog.cpp (applyChanges): fixes #1971 "Address range can be created with end address lower than start address". Address Range object dialog should not let the user enter range end address which is lower than range start address. Dialog behavior is now similar to the behavior of the tcp and udp service dialog where user can not enter port range end number lower than port range start number. * InterfaceData.cpp (guessLabel): fixes #2113 "ASA/PIX SNMP discovery - assign default labels based on interface description". Added pattern to match Cisco ASA interface description which is different from Cisco PIX interface descriptions as returned via snmp. 2011-02-20 vadim * BaseCompiler.cpp (getErrorsForRule): fixes #2124 "some error messages get multiplied when compiler splits rules". Under certain circumstances error messages could appear multiple times in the generated script. * Compiler.cpp (_expand_interface): fixes #1920 "Setting host interface to unnumbered after it has been assigned IP address doesn't have desired effect". Compiler still used ip addresses that belonged to the interface even if it switched to "unnumbered". These children address objects should be ignored. 2011-02-19 vadim * NATCompiler_pix.cpp (processNext): see #2098 Added support for user-configurable inbound and outbound interfaces in Cisco PIX/ASA NAT rules. Two new columns appear in the rule set view: "Inbound Interface" and "Outbound Interface". If user leaves one or both columns blank, the GUI shows "Auto" in there and policy compiler picks corresponding interface automatically. Leaving both columns blank ("Auto") triggers backwards-compatible automatic behavior where both interfaces are picked automatically. Multiple interface objects and groups of interfaces are allowed in these columns. * ClusterInterfaceWidget.cpp (getInterfaceData): fixes #2117 "CARP interfaces in cluster that use VLAN interaces have no interface set to MASTER". 
When PF cluster configuration was built using vlan interfaces of member firewalls, CARP interfaces were not properly configured with master/slave choice user makes on the first page of the new cluster wizard. * configlets/bsd/update_addresses: fixes #2116 "When CARP interface IP address can't be assigned error or warning should appear". The problem actually affects any type of interface. Generated script should abort with an error termination code when ifconfig fails to assign ip address to an interface. 2011-02-17 vadim * NATCompiler_ipt.cpp (processNext): see #2097 #133 "support for inbound and outbound interface columns in iptables NAT rules". This also addresses SF feature requests 1954286 "DNAT with interface as condition not possible" and 621023 "manipulating interface in NAT rule". * platforms.cpp (setDefaultFailoverGroupAttributes): fixes #2101 "CARP interfaces are set with same advskew". When new PF cluster is created, master advskew parameter will be set to 10 and backup to 20 to make it deterministic. * NATCompiler_ipf.cpp (processNext): see #133, fixes #2108 making nat compiler for ipfilter work with interface column, however the column is not exposed to the user. Compiler behavior should be backwards compatible with older versions of fwbuilder. * NATCompiler_pf.cpp (processNext): see #133. Merged code from the branch, running tests. Making sure rules that have firewall object in ODst and interface column blank end up with rdr command without "on interface" clause as before. * stopped making builds on Ubuntu Hardy. Old Qt (4.4.1) means more and more parts of the code do not compile and require workarounds, sometimes with loss of functionality in the GUI. v4.1.3 will be the last officially released version of fwbuilder to work on Hardy. 2011-02-16 vadim * NATCompiler_pf.cpp (compile): fixes #2095 added support for groups and multiple objects in column "Interface" for PF NAT rules. These translate into { em0 em1 em2 } groups in generated pf.conf lines. 
* NATCompiler_pf.cpp (compile): fixes #2096 added support for negation in Interface column for PF NAT rules. Sets of interfaces are converted to complementary sets using complete list of interfaces of the firewall. * carpOptionsDialog.cpp (validate): fixes #2100 carp password should be optional parameter * OSConfigurator_bsd_interfaces.cpp (configureInterfaces): make sure we print "ifconfig" commands for mtu and other parameters for all interfaces, including those with no ip addresses and bridge ports (unnumbered interfaces used to be skipped before) * ObjectTreeView.cpp (startDrag): fixes #2099 "Object list scrolls up to the last edited object". Object tree used to scroll spontaneously when user started dragging an object from it to a rule. * configlets/bsd/update_vlans: see #2105: generated script now supports vlan interfaces with names that do not match vlan IDs (OpenBSD, FreeBSD, shell script format). * OSConfigurator_bsd_interfaces.cpp (sort_interface_names): see #1807, #2104: arrange interface configuration commands in the generated script in such order that bridge and carp interfaces are configured after all other interfaces are done. * compiler_lib/CompilerDriver.cpp (commonChecks2): see #2103 removed interface name validation check in compilers, this check will only be done in the GUI. Compiler still verifies bridge interface configuration and makes sure vlan interfaces that should also be bridge ports are created as copies. * InterfaceDialog.cpp (applyChanges): see #2103 "complex vlan/bridge configurations are not supported by the interface validation code". Added checkbox to let the user turn off interface name validation functions in the GUI. Checkbox is located in the global Preferences dialog, tab Objects, subtab Interface. For backwards compatibility, the checkbox is turned on by default. 
When it is off, the GUI does not validate the name of interfaces and subinterfaces and turns off checks that enforced interface name patterns for VLAN, bridge and bonding interfaces. It also turns off check for the validity of vlan ID derived from vlan interface name and turns off automatic configuration of interface type and vlan ID. These checks sometimes were in the way of building complex configurations that involved multiple vlan interfaces with names not matching their IDs. This also fixes SF bug #3066714 "please dont stop me from creating a new interface" where user wanted to create interface "veth201.0" on Linux but the GUI blocked this operation because the name seemed to match vlan interface pattern. 2011-02-15 vadim * ActionsDialog.cpp (setRule): see #1871 "PF Actions Tag and Classify can be terminating or non-terminating". Added checkbox to the action properties dialog for actions Tag and Classify for PF that lets the user choose if these actions should be terminating or not. Old behavior (Tag was non-terminating and Classify was terminating) is reflected in default settings of the checkboxes. Terminating rules generate "pass quick" commands, while non-terminating rules generate "pass" commands (no "quick" option). * libfwbuilder/migration/FWObjectDatabase_17.xslt: see #133 Working on adding interfaces to the NAT rule model. There will be two interfaces per NAT rule: "inbound interface" and "outbound interface". DTD version changes to "18", old data files need to be upgraded. 2011-02-14 vadim * OSConfigurator_bsd_interfaces.cpp (configureInterfaces): fixes #2091 "ethernet intrface options a used twice if the interface is a bridge port". When an interface appeared twice in the firewall configuration, such as when it is used as a bridge port and vlan parent interface, options configured for it in its settings dialog were added twice to the generated configuration. 
* OSConfigurator_freebsd.cpp (interfaceConfigLineBridge): fixes #2092 "option "stp" should be optional in the ifconfig command that builds bridge interface for FreeBSD". The dialog provides checkbox "Enable STP", parameter "stp" will be added to the ifconfig command only when the checkbox is turned on. * pfAdvancedDialog.cpp (pfAdvancedDialog): fixes #1866 "support for pf option set state-policy", #1868 "support for pf option set block-policy", #1869 "support for pf option set debug". 2011-02-13 vadim * configlets/freebsd/carp_interface: see #2074 On FreeBSD ifconfig does not understand parameter carpdev * PolicyCompiler_pf.cpp (checkForShadowingPlatformSpecific): see #1867 "PF: rule with non-terminating action Tag shadows other rules below it". Since action Tag is non-terminating, rules with this action should not shadow other rules. * instConf.cpp (clear): see #2088 "Installer caches putty session". Need to initialize putty_session properly and clear it in clear(). * snmp.cpp (run_impl): See #2084 "snmp discovery takes forever on devices with large routing tables". This takes very long time on devices with large routing tables. This code was implemented long time ago and apparently routing data was intended to be used to discover "external" interfaces, but it is unclear if this is still done. The concept of external/internal currently exists only for platforms that support security levels (PIX) and there we guess levels by matching addresses against RFC1918 and let the user adjust levels manually anyway. 2011-02-12 vadim * ObjectManipulator_tree_ops.cpp (expandOrCollapseCurrentTreeNode): fixes #1895 "Add context menu option to expand all child nodes in object tree". Added menu item "Expand" to the context menu associated with all objects in the object tree. This item recursively expands all tree nodes under the given object and automatically changes to "Collapse" if the item is expanded. 
Also changed behavior of the double click on the object in tree: before, double click opened object in the editor and expanded or collapsed subtree. Now it only opens object in the editor but does not expand/collapse subtree. * fixes #2083 Added new services to the Standard Objects Library: rtmp, xmpp-client, xmpp-server, nrpe 2011-02-11 vadim * instDialog_ui_ops.cpp (verifyManagementAddress): see #2073 "Add additional information or workflow when no management inferface configured". The error message shown to the user when no interfaces has been marked as "management" is now more verbose and provides instructions how to do this. Also, if user provided alternative address to be used to communicate with the firewall, the check for the management interface is not performed since it is not needed. * configlets/bsd/update_carp: see #2078 added verbose error message in a situation when "ifconfig carp0 create" command fails to create CARP interface. * OSConfigurator_bsd_interfaces.cpp (interfaceIfconfigLine): fixes #2058 "Ability to configure mtu and metric of regular inetrfaces". "Advanced settings" dialog of the interface object provides controls to configure MTU and possibly add any additional ifconfig parameters. This is available for OpenBSD and FreeBSD. 2011-02-10 vadim * NamedObjectsManagerPIX.cpp (getClearCommands): fixes #2060 "Existing configuration objects are not cleared in PIX 6.3". Commands used to clear object groups and objects have different syntax in PIX 6.3 and PIX 7 and later. * linux24/check_utilities: fixes #1999 "log() does not work" Using built-in utility "command" to verify that all the tools generated script needs to function properly are available and can be accessed either via direct full path or are in the PATH variable. This includes the check for the logger tool that is used to make log record when firewall is activated. 
* OSConfigurator_freebsd.cpp (interfaceConfigLineVlan): fixes #2071 "vlandev missing in the vlan definition (when using rc.conf.local )" * NATCompiler_ipt.cpp (getAddressTableVarName): fixed SF bug #3102044 "Colon in (runtime) Address Table name". Variable used to process addresses in the run-time address table should not use character ":" even if it appears in the Address Table object name. * instDialog_ui_ops.cpp (summary): fixed SF bug 3169045: "Batch installer lists IPv4 address as management address". The "summary" display in the installer progress log output will now show putty session name if it is used instead of the management address. * NATCompiler_pf.cpp (processNext): fixes #2069 "PF: allow multiple objects in ODst of redirecting nat rule". This fixes SF bug 3162862 "NAT - more than one object in original destination" * newFirewallDialog_from_template.cpp (replaceReferencesToNetworks): fixes #1979 "New firewall created with Cisco c36xx template results in network object in interface column in Policy" * ObjectManipulator_tree_ops.cpp (getTreeLabel): fixes #2067 "Add way to show interface label in object tree". The tree now shows interface name and label if the label is not empty. * configlets/bsd/update_vlans: fixes #2066 "Existing VLAN interfaces are not properly removed from FreeBSD and install script fails" 2011-02-09 Vadim Kurland * RuleSetView.cpp (showToolTip): fixes #1915 "tooltip shown when mouse is over rule number should be added to the list of suppressed tooltips when 'Advanced user mode' is in effect" * platforms.cpp (setDefaultFailoverGroupAttributes): fixes #2064 "CARP interfaces are not properly installed on FreeBSD cluster". I need to populate failover group objects with some reasonable defaults when they are created. * configlets/freebsd/installer_commands_root: fixes #2065 "activation commands on FreeBSD and OpenBSD lose script exit status". 
Sequence of commands run by the built-in installer on *BSD firewalls were losing exit status of the script which meant installer always declared installation a "success" even when there were errors. 2011-02-08 vadim * SSHUnx.cpp (SSHUnx): fixes #2061 "Installer shows success for failed installed on FreeBSD due to corrupt script file". Added bunch of common shell error messages to make sure installer recognizes them and mark install as a failure even if ssh fails to pass termination code. * instDialog.cpp (showPage): fixes #2037 "If there is an error when compiling firewall then installer should be aborted". Compile/install wizard should disable "Next" button after compile phase is done if all firewalls failed to compile with no errors. * configlets/bsd/update_bridge: fixes #2042 "add configlet and shell functions to manage bridge interfaces via shell script on OpenBSD and FreeBSD". Bridge interfaces are managed incrementally, that is, the script creates and destroys them as needed, then adds or removes bridge ports, to bring bridge configuration in sync with what is defined in fwbuilder GUI. * CompilerDriver_pf_run.cpp (run): fixes #2054 "Add support for load anchor PF command". Instead of loading anchors using "pfctl -a anchor -f file" command in the .fw initialization script, now generated PF configuration uses "load anchor" commands in the pf.conf file. This way, we can load anchors correctly when PF configuration is activated from the generated rc.conf.local file where only one pf.conf file can be referenced. 2011-02-07 Vadim Kurland * CompilerDriver_pix_run.cpp (run): fixes #2055 "Compiler shows success, but there was a fatal error in the config". The bug has been introduced recently (in 4.2.0) and really affected all compilers. 
* AddressTableDialog.cpp (browse): fixes #1914 "Address table object file name is not created properly if user clicks outside Editor panel" 2011-02-06 vadim * SSHUnx.cpp (SSHUnx): fixes #2049 "Installer reports success even if there was an error while creating static routes". Added our own error message generated when command used to add static route fails to the list of error messages recognized by the installer. * OSConfigurator_freebsd.cpp (updateBridgeOfInterface): see #1889, #2043 Added support for bridge interface configuration in BSD. 2011-02-05 vadim * SSHUnx.cpp (SSHUnx): see #2039 "Installer reports success even if pfctl can't load config file". Added more pfctl error messages to the list to make code more robust. * CompilerDriver_pf.cpp (printStaticOptions): fixes #2038 "pfctl error when firewall settings include scrub option for reassembly". Command "scrub all reassemble tcp" does not allow direction. Tested and verified on OpenBSD 4.2 and FreeBSD 8.1 2011-02-04 vadim * freebsdInterfaces.cpp (manageIpAddresses): fixes #2032 "support for DHCP interfaces in rc.conf mode". Include dynamic interfaces in the list of interfaces generated script manages when the script is in rc.conf format. This adds lines similar to 'ifconfig_em0="DHCP"'. 2011-02-03 vadim * RoutingCompiler_freebsd_writers.cpp (RoutingRuleToString): fixes #2026 Compiler can now generate static routing configuration in rc.conf format for FreeBSD. * pfAdvancedDialog.cpp (pfAdvancedDialog): fixes #2021 "since rc.conf format is only supported for FreeBSD, the option in the dialog should not be available for other OS" 2011-02-02 vadim * OSConfigurator_freebsd.cpp: see #1888 "Add option to generate rc.conf.local file for BSD systems". Added ability to generate initialization script in rc.conf format for FreeBSD. Only FreeBSD is currently supported (not OpenBSD). 
Generated script includes variables to configure interfaces and their ipv4 and ipv6 addresses, vlans, CARP and pfsync interfaces, as well as variables that initialize PF. 2011-02-01 vadim * CompilerDriver_files.cpp (determineOutputFileNames): See #2015 "Add support for setting names of generated .fw and .conf files separately for PF". Added second input field in the "advanced settings" dialog, tab "Compiler" for the firewall platform "PF". Now user can set the name for both the generated .fw initialization script and .conf PF configuration file, as well as names for both files on the firewall. Support for this is generic and the same functions work for other platforms if corresponding input field in the dialog exists. The name of the initialization script is set as follows: 1) if user provided -o command line switch to the compiler, its argument is used. 2) if -o switch was not present but the name was configured in the firewall settings dialog, it is used. 3) if none of them were present, the name is constructed from the name of the firewall object with suffix .fw. The name of the .conf PF configuration file is taken from the settings dialog, but if it is blank, then it is constructed from the name of the initialization script but with suffix .conf. 2011-01-31 Vadim Kurland * RoutingCompiler_bsd_writers.cpp (_printAddr): see #1890 "Add support for configuring static routes on BSD". Implemented support for simple static routing rules. ECMP and routing via interface (routing to directly reachable subnets) are not supported. Generated script preserves static routing entries that existed before and attempts to recover in case of error. Needs testing. 2011-01-30 vadim * FWWindow_editor.cpp (clearEditorAndSearchPanels): see #2006 "Crash when closing editor panel with find-and-replace". The GUI crashed if user tried to close editor panel at the bottom after closing objects+rules panel and while some object was still displayed in the editor. 
2011-01-28 vadim * newFirewallDialog.cpp (fillInterfaceNZList): fixes #2000 "New dialog window in New Firewall wizard for ASA / PIX - Network Zone explanation". Added page to the new firewall wizard to let the user configure network zones of interfaces when chosen firewall platform supports network zones (only PIX/ASA right now). * newFirewallDialog.cpp (fillInterfaceSLList): fixes #1983 "ASA multiple interfaces have the same security level". Using table widget with spin-boxes to let the user edit security levels of interfaces conveniently. 2011-01-27 vadim * ProjectPanel.cpp (closeEvent): fixes #1998 "Crash after running find-and-replace then closing file". Specific sequence of actions and only on Mac OSX caused GUI to crash. To fix, I clear editor panel when user closes project window using MDI window title menu item "Close" or "Close" button. * ProjectPanel.cpp (registerModifiedObject): see #1996 "Crash when finding and replacing a large number of objects". When "find and replace" function was used to replace large number of objects in a rule set, it generated stream of calls to updateLastModifiedTimestampForAllFirewalls() which caused corresponding stream of events to update various parts of the GUI, both in the tree and rule set views. This caused weird corruption and crash on Windows. Trying to resolve the issue by optimizing the part that updated "last modified" timestamp on the firewall since all parts of the rule set updated in one call to "find and replace" function belong to the same firewall. * IOSImporterRun.cpp (run): see #1931 "Update failed import behavior". Added meaningful error messages for when policy importer fails to create firewall object or does not create interface objects or any rules. * Rule.cpp (removeRef): fixes #1997 "add removeRef and addRef methods to class NATRule". Now undo and redo correctly remove and restore references to NAT rule sets in NAT rules with action Branch. 
* Rule.cpp (addRef): fixes #1991 "Undo does not restore object as a parameter of policy rule action Branch or Tag after it was deleted". Now Undo restores references to rule sets and tag services as arguments of corresponding policy rules, as well as references to objects configured as interface network zones. * Interface.cpp (removeRef): fixes #1987 "Deleting object that is used as Network Zone for ASA/PIX interface results in inconsistent behavior". When an object that is used as a network zone of an interface is deleted, it should be removed from the interface configuration as well. * Cluster.cpp (init): fixes #1995 "Crash when compiling a cluster with identical firewalls". Method Cluster::init() must call base class method Firewall::init() to get child Policy, NAT and Routing objects created. * CompilerDriver_pix_run.cpp (run): fixes #1994 "Crash when compiling a firewall in an imported Library". Compilers should reset any read-only flags in the copy of object tree they work with before they make any modifications. 2011-01-26 vadim * ProjectPanel_events.cpp (event): see #1994 "Crash when compiling a firewall in an imported Library". To prevent crash, added check to make sure firewall object is not read-only before an attempt to update its "last compiled" or "last installed" timestamp. * ProjectPanel_file_ops.cpp (fileExport): fixes #1993 "V4.2 on Windows - export Library shows the file type as Firewall Builder 2" * FWBSettings.h (SETTINGS_PATH_PREFIX): fixes #1992 " V4.2 on Windows - installer error can't find Secure Shell utility" * init.cpp (init): fixed #1989 "variables respath and librespath are redundant and copy Constants::getTemplateDirectory()". Got rid of global variables sysfname, tempfname, librespath, respath and localepath; will now use class Constants to keep this information. 2011-01-25 vadim * src/fwbuilder/libfwbuilder-config.h.in: fixes #1937 "RES_DIR macro is defined twice". Got rid of duplicate definition of this macro.
* FWObject.cpp (updateNonStandardObjectReferences): see #1985 added virtual function updateNonStandardObjectReferences() that is supposed to update any references to objects stored as attributes. * ACL.cpp (trimLine): fixes #1986 "Cisco ASA remarks should be truncated to 100 characters or less". Trimming all lines used for access list remarks to <100 characters. Remarks can only be less than 101 characters on PIX/ASA and less than 100 characters on IOS. 2011-01-24 Vadim Kurland * PolicyCompiler.cpp (addMgmtRule): fixes #1966 "IOSACL: object-group can get name that consists of only suffix". Compiler generated object-group statements with names such as ".src.net.0" in some cases. * ObjectIconView.cpp (dragEnterEvent): see #1980 "Objects from Deleted Objects should not be allowed to be used in rules". Added checks to not allow drag&drop of an object from Deleted Objects library into rules and groups. * NamedObject.cpp (createServiceObjectCommand): See #1958 "consistently use "exit" to get out of nested context in pix config". Using "exit" to exit from nested context while adding network or service object in generated PIX/ASA configuration. * PolicyCompiler_pix.cpp (compile): see #1970 "ASA Policy - single IPv6 icmp object allowed in rules". Since we do not support ipv6 for PIX/ASA at this time, policy compiler should drop the rule if ipv6 address or icmpv6 service is used and issue a warning. * PolicyCompiler_pix_v6_acls.cpp (processNext): see #1981 "ASA / FWSM Policy - Generate warning message if rule will not generate config data" 2011-01-22 vadim * ObjectManipulator.cpp (contextMenuRequested): context menu item that opens object in the editor should be named "Inspect" when the object is read-only because the editor would not allow the user to change it. * ObjectManipulator.cpp (contextMenuRequested): fixed #1926 "Crash when moving object in Standard library". Context menu item "Move" should be disabled when the object is located in the read-only library.
* GroupObjectDialog.cpp (setupPopupMenu): see #1976 "Crash when deleting firewall object from rule after export / import library" Crash occurred as the result of the following sequence of actions in the GUI: 1) use context menu item "Cut" to delete an object in the tree, 2) open object group or rule and use context menu item "Paste" to add it, 3) export library to an external file, 4) import this library into different data file, 5) save the data file. Saved data file is invalid XML since it has unsatisfied reference and some operations on it cause crash. The problem is that since it is a reference to the object that is being added in case of both groups and rules, we end up with a group or rule with a reference to an object that is located in Deleted Objects library. Deleted Objects library is not included when a library file is merged into data file and this leads to a dangling reference. The fix is to not allow Paste if object in the clipboard has been deleted. * NamedObjectsAndGroupsSupport.cpp (saveObjectGroups): see #1968, #1972 Class NamedObjectsManager maintains its own copy of object tree that holds object group objects it creates during compiler passes. This allows me to maintain one common set of object groups for both policy and nat compilers and avoid creating duplicate and redundant object-group statements. * NamedObjectsManagerPIX.cpp (getClearCommands): see #1968, #1972 class NamedObjectsManager (and derived classes for IOS and PIX) generate "clear" commands. This way, I can generate correct set of "clear" commands that take into account any named objects and object-groups that could be created during both policy and nat compiler passes. 2011-01-21 vadim * FWObject.cpp (init): see #1972 Separated object creation and initialization. Some complex objects need to create a set of standard child objects. Previously this was done in a special type of constructor which required pointer to the object tree root (FWObjectDatabase*).
This created problems with implementation of the method to register functions that create objects of new types outside of the API. Now all objects have just a basic set of constructors, plus method init() that can initialize them. * FWObjectDatabase_create_object.cpp (registerObjectType): see #1972 implemented mechanism that allows me to register new object types created and used outside of libfwbuilder API. This means FWObjectDatabase can then copy and manipulate object trees that use these new object types. 2011-01-20 vadim * NamedObjectsAndGroupsSupport.cpp (getNamedObjectsDefinitions): see #1963 "move printing of object-group definitions to NamedObjectManager::getNamedObjectsDefinitions()". Consolidated code that works with named objects and object groups in the class NamedObjectManager. This class manages all the objects and in the end generates commands. * PolicyCompiler_cisco (printClearCommands): Refactored parts that generate "clear" commands to make sure they are printed in the right order at the top of the generated configuration. Previously compiler placed "clear global", "clear static" and "clear nat" commands above the NAT section but below policy section. Since ASA8.3 nat commands can use named objects and object groups, and since I have added support for object groups in ASA 8.3 policy rules, I now need to clear objects and object groups at the very beginning of the generated config. However in order to be able to clear objects and object-groups, I need to clear access-lists and nat commands that might be using them first. So, all clear commands are now grouped at the beginning of the generated configuration. This affects pix/asa, iosacl and procurve_acl platforms. * NamedObjectsAndGroupsSupport.cpp (printObjectsForRE): See #1959 "ASA Policy - ranges are broken into composite network instead of using range command". I have to create named objects for address ranges and put them into an object-group, which I can then use in access-list commands. 
* PolicyCompiler_pix.cpp (compile): See #1965 "ASA Policy - PIX 6.1 configurations use object groups". Policy compiler for PIX is now aware that object-group statement was introduced in PIX v6.2 and avoids using object-groups when firewall object version is set to 6.1 * NamedObjectsAndGroupsSupport.cpp (processNext): made names automatically assigned to object-groups in generated PIX configuration shorter by removing interface label prefix. 2011-01-19 vadim * PolicyCompiler_pix.cpp (compile): See #1959 "ASA Policy - ranges are broken into composite network instead of using range command." Added support for address ranges using named network object with parameter "range" for ASA 8.3 and later. NOTE: if a network or ip address object is used in a nat rule for ASA 8.3, a named object has to be created for it since ASA 8.3 does not accept ip addresses or subnets in "nat" commands. In the situation like this, if the same address or network object is used in any Policy rule, the same named object will be used in the generated access-lists command. * NamedObjectsAndGroupsSupport.cpp (getNamedObjectsDefinitions): see #1959 Moved generation of the code that defines named objects to class NamedObjectManager. This allows me to put all named object commands on top of the generated policy, nat and routing configurations and make sure each object is defined only once. Still need to do #1963 - move code that generates commands to define object-groups to class NamedObjectManager. * NATCompiler_asa8.cpp (processNext): see #1954 "ASA NAT - generate warning if nat rule is split and one of the resulting nat rules have the same real interface and mapped interface". Compiler issues warning when objects used in OSrc and TSrc of a NAT rule make it use the same interface as both real and mapped interface in the generated nat command. This check is only done for ASA 8.3 NAT rules. 
2011-01-19 Vadim Kurland * NamedObject.cpp (sanitizeObjectName): see #1953 "ASA NAT - two host objects in the same rule result in incorrect config". We now register and keep track of all named objects to make sure their names are unique. * newHostDialog.cpp (finishClicked): see #1953 "ASA NAT - two host objects in the same rule result in incorrect config". Objects that represent addresses of interfaces of a host object created using template will be automatically renamed to follow standard naming convention "host_name:interface_name:ip" to avoid creating duplicate names. * PolicyCompiler_pix_writers.cpp: see #1960 add support for CustomService for PIX policy rules. Note that CustomService objects are only supported in Policy rules since nat commands in ASA 8.3 require use of named objects and it is difficult to implement correct named objects and object-groups with protocol parameter and custom services. 2011-01-18 Vadim Kurland * PIXObjectGroup.cpp: ASA 8.3 see #1942, #1943 fixed generation of the "object-group" statements by adding protocol keyword at the end so that the group can be used in access-list commands. It looks like mixed service groups that have no protocol keyword at the end of the line that defines them cause error "specified object group has wrong type; expecting service type". I am going to avoid using mixed service groups because of this. 2011-01-17 vadim * ASA8TwiceNatLogic.cpp (getAutomaticType): fixes #1916 "nat rule must be "static" when subnet is present in TSrc" * ServiceRuleProcessors.cpp (condition): see #1942 improved support for CustomService objects for ASA 8.3. Generate separate named object and object-group for these objects, then split policy and nat rules so that only one custom service object is left in each rule and then use object-group to match it. Note: this has been rolled back. There is no support for CustomService objects in NAT rules. 
* PolicyCompiler_pix.cpp (processNext): fixes #1948 "incorrect configuration created when a CustomService object is used in a policy rule for PIX/ASA v<8.3". Since we do not support custom service objects in policy and nat rules for versions older than 8.3, added check to generate fatal error when such object is used. * NamedObjectsAndGroupsSupport.cpp (init): fixes #1945 "object-group names include ever-growing suffix". Object-groups created by the compiler for PIX/ASA had numerical suffix that was constantly increasing when user used single-rule compile function in the GUI. * PolicyCompiler_pix.cpp (compile): fixed #1944 "ASA Policy - duplicate network object groups created for mixed service group with TCP dst and TCP src port range objects". Need to convert address range objects to subnets early, before the rule is split for any reason, to make sure object groups created later match and are reused. * NamedObjectsAndGroupsSupport.cpp (processNext): See #1943 "ASA Policy - mixed service group with TCP destination port range and standard TCP object generates invalid config". Protocol word "tcp" was missing after "deny" in the generated rule. * NATCompiler_asa8.h (fwcompiler): see #1949 "ASA NAT - split objects if OSrc contains objects that are in more than one network zone". 2011-01-16 vadim * NamedObjectsAndGroupsSupport.cpp (processNext): Added support for CustomService objects in policy and nat rules for asa 8.3 using named objects and object-groups. -- see #1942 "ASA NAT - if custom service is included in service group incorrect config generated" -- see #1929 "move map named_objects inside class NamedObjectManager" -- see #1946 "restrict generation of the named objects by PolicyCompiler_pix to ASA 8" -- see #1885 "named network and service objects in pix8" Note: this has been rolled back. There is no support for CustomService objects in NAT rules. * NATCompiler_pix.cpp (processNext): see #1941 "ASA NAT - compiler complains about range in original destination". 
NAT rules translating destination allow Address Range objects in ODst or TDst for ASA 8.3 * NamedObject.cpp (NamedObject): see #1940 "ASA NAT - fwbuilder host objects interface ip is reserved keyword". Added list of reserved words used in IOS and ASA software to make sure generated named objects do not conflict. Will maintain single super-set of reserved words instead of separate set for each version of IOS and ASA. * PolicyCompiler_pix.cpp (compile): fixed #1938 "icmp" commands were not generated for ASA 8.x policy rules. * NATCompiler_asa8.cpp (processNext): See #1927. Added check for NAT rules that request translation of destination address but have ODst "any". This only applies to ASA 8.3; these rules are prohibited. 2011-01-14 vadim * NATCompiler_asa8_writers.cpp (printSDNAT): fixes #1932 "Add description field to generated NAT rules for ASA". NAT rules generated for ASA 8.3 and later will have "description" keyword added, with rule label as an argument. Rule label includes word "NAT" and rule number. * libfwbuilder/src/fwbuilder/InetAddrMask.cpp (getOverlap): fixes #1934 "libfwbuilder::getOverlap() incorrectly calculates overlap between ipv4 networks". This should also fix SF bug 3156376 "Can not find interface with network zone that includes address range". 2011-01-13 vadim * NATCompiler_asa8.cpp (compile): refs #1928 "Support for object-group in OSrc". Implemented support for object-group and named objects for Osrc and ODst in ASA 8.3 NAT rules. * PolicyCompiler_cisco.cpp (removeRedundantAddresses): fixed #1917 "Duplicate objects are not detected". Compiler should detect duplicate objects that may be created in a rule element when user combines Address Table object with other address or network objects there. * ASA8ObjectGroup.cpp (toString): refs #1885 Compiler uses named objects and objects groups to build configurations that use address ranges in TSrc in NAT rules. 
(only ASA 8.3 and later) 2011-01-12 Vadim Kurland * NATCompiler_asa8_writers.cpp (printSDNAT): refs #1907 "ASA NAT - fwbuilder doesn't support multiple translated sources in a single NAT rule". Compiler uses object-group to translate NAT rules that have multiple objects in Translated Source. * PolicyCompiler_pix_writers.cpp (_printLog): fixed #1913 "ASA/PIX rules with logging enabled don't have log set unless user modifies Firewall Settings". Added default log level setting to the resource xml file for platform "pix", set to "informational". ACL lines now get "log " keyword followed by the log level taken from the rule options, or if that was not configured, from the firewall object settings, or if that is not configured, the default. 2011-01-11 vadim * NATCompiler_asa8_writers.cpp (printSDNAT): refs #1908 "ASA NAT - cannot configure static NAT translations with (inside,outside)". Added NAT rule option to make source nat rules "static". The option is presented to the user as three radio buttons in the NAT rule options dialog which is only enabled when platform is "pix" and version >= 8.3. Policy compiler generates "twice nat" rules with keyword "static" in the following cases: when TSrc is "original", so the rule translates destination and not source or when numbers of ip addresses represented by OSrc and TSrc are equal. If TSrc is not "original" and represents different number of ip addresses than OSrc, compiler looks at the new rule option. User can use or override automatic algorithm using radio buttons in the NAT rule options dialog. * NATCompiler_asa8_writers.cpp (printSDNAT): refs #1902 "Add NAT rule option "translate dns" for PIX". The option is only available for ASA 8.3 or later. * NATCompiler_asa8_writers.cpp (printSDNAT): fixed #1909 "ASA NAT - static nat port translation where service is the same for original service and translated service not generated correctly" 2011-01-10 vadim * PolicyCompiler_pix.cpp (compile): fixed #1862 "fwb_pix crash". 
Compiler fwb_pix crashed when DNSName run-time object was used in a rule, but worked fine and issued an error when used in single-rule compile mode. * Helper.cpp (findInterfaceByNetzone): fixed #1906 "ASA NAT - Address objects are not properly identified by network zone and have the wrong real interface". The problem should have affected both "old" (PIX 6 and 7) and "new" (ASA 8.3) configuration. When an Address object was used in Original Source of a NAT rule, compiler used wrong interface in the (interfac1,interface2) pair in "nat" command. * CompilerDriver_pix_run.cpp (run): fixed #1905 "fwbuilder crash when compiling a rule with hosts folder as destination". Compiler issues a warning when an empty group object is used in a rule, but GUI crashed when user tried to compile this rule using single-rule compile function. The change actually affects all policy compilers and makes sure the GUI catches exception and does not crash, and prints any errors generated by the compiler in the compiler output panel when single-rule compile function is used. * CompilerDriver_ipt.cpp (findBranchesInMangleTable): fixed #1879 "gui crash". Both GUI and fwb_ipt crashed trying to compile a rule with action Branch that was not configured to point to any rule set. 2011-01-07 vadim * NATCompiler_pix.cpp (NATCompiler_pix): fixes #1901 "add destructor to NATCompiler_pix and NATCompiler_asa8". This eliminates memory leak. * ASA8Object.cpp (ASA8Object): refs #1885 "named network and service objects in pix8". So far, these objects are only used for nat configuration. * NATCompiler_asa8_writers.cpp (processNext): fixes #1903 "correct order of clear commands for ASA 8.3" * NATCompiler_asa8_writers.cpp (printSDNAT): refs #1886 "new nat configuration in pix 8.3". Initial support for new style nat configuration. 2011-01-04 vadim * platform/fwsm.xml: FWSM v4.x does not have "fixup" command, instead, we should use policy-map and class commands.
* OSConfigurator_pix_os_inspectors_pix8.cpp (_printPolicyMapTypeInspect): refs #1893 fixes #1883 "inspect ip options in pix8". Added support for "policy-map type inspect ip-options" command in PIX v8.2 and later. At this time, of all possible types of "policy-map type inspect" command only "ip-options" is implemented. * PIX8ObjectGroup.cpp (toString): refs #1882 "Mixed service groups in PIX8". Added pix versions 8.0 and 8.3; added support for mixed service groups in pix 8.0 and later. * PolicyCompiler_srvre_functions.cpp (processNext): fixed #1892 "move rule processor class separateServiceObject to PolicyCompiler". This rule processor used to be implemented only in the compiler for PF, but since it has very general meaning, the same function was duplicated in other compilers as well. Moved the class to libfwbuilder and reimplemented several other rule processors to inherit from this class to avoid further duplication of code. * PolicyCompiler_pix.cpp (compile): fixed #1891 "problems with TCP and UDP services with source ports". Policy compiler for PIX did not generate correct PIX ACL lines when one Policy rule tried to match several TCP and/or UDP objects matching source ports. 2010-12-29 vadim * VERSION (VERSION): started 4.2.0 This version is the first one to merge libfwbuilder and fwbuilder packages. Libfwbuilder is now in the src/libfwbuilder subtree inside fwbuilder code tree. RPM .spec files and DEB .control files are now located in the packaging directory inside fwbuilder code tree. Changes in the versioning format: I am going to use build number as a "nano" version number, composing complete version as "4.2.0.3425". The "-N" suffix in rpm and deb package names will be used for package release number and most of the time will be "-1". This suffix should reflect minor differences in the package that do not affect code at all.
2010-12-16 Vadim Kurland * ActionsDialog.cpp (fillInterfaces): fixed #1872: "vlan interface does not appear in the list of interfaces for route-to action for PF". 2010-12-12 Vadim Kurland * VERSION (FWB_MICRO_VERSION): started 4.1.4 2010-12-05 Mike Horn * minor updates to main help dialog text to fix broken/outdated links 2010-12-02 Vadim Kurland * OSConfigurator_linux24.cpp (OSConfigurator_linux24::getInterfaceVarName): fixed #1856 "Permit '-' in Linux interface names". OpenWRT uses name "ppp-dsl" for PPPoE interfaces. In addition to that, Linux bridge interfaces may have names with a "-" such as "br-lan". We will now permit a "-" in Linux interface names. * FWWIndow.cpp: Fixes #1858 'Remove "Summary of features" page from the package' and #1857 'Remove "Getting Started" guide from the package'. We have decided to keep documentation and other content like this on the web site. Button "Watch Getting Started Tutorial" in the Tip of the Day dialog opens tutorial hosted on the web site in a web browser. 2010-11-16 Vadim Kurland * check_utilities: fixed #1851 "no need to check for modprobe when host OS is "dd-wrt" and possibly other embedded Linux systems". Generated script does not use modprobe utility when host OS is set to "DD-WRT" or "OpenWRT" and should not try to find this utility on the system. This is also related to the SourceForge bug 3032293 2010-11-16 Vadim Kurland * newclusterdialog_q.ui: fixed #1848 Text formatting clean up - New cluster wizard dialog 2010-11-15 Vadim Kurland * InetAddr.cpp (InetAddr::opGT): (change in libfwbuilder) added module uint128 (128-bit arithmetics by Evan Teran). Implemented basic operations with ipv6 addresses using this module. See #1834. Now all policy compilers can correctly compare ipv6 addresses used in rules with ipv6 addresses of interfaces.
This helps perform various optimizations and fixes issues with the algorithm used to pick the right interface for the Cisco IOS ACL compiled from a policy rule with an empty "interface" rule element and direction "both". 2010-11-11 Vadim Kurland * newClusterDialog_create.cpp (copyRuleSets): Fixed SF bug #3106168 "Branch destinations lost when adding to cluster". Since the order in which I copy rule sets is undefined and because they may have references to each other via branching rules, I need to fix references after I create all of them. * configlets/linux24/load_modules: fixed #1844 "generated script fails if module nf_conntrack_ipv6 does not exist". Generated script tries to load module nf_conntrack_ipv6 if user defined any ipv6 rules, however the script should not fail if the module is not installed. * src/gui/gui.pro (LIBS): fixed #1840: fixed build on Mandriva 2010, all static libraries should go first on the linker command line. 2010-11-10 Vadim Kurland * NATCompiler_ipt.cpp (processNext): fixed SF bug 3103582 "Cant create redirect rule in cluster firewall object". Iptables nat rule with target REDIRECT could not be built in a cluster configuration. It should be possible to do this by putting cluster object in Translated Destination. * OSConfigurator_linux24_interfaces.cpp (printDynamicAddressesConfigurationCommands): fixed #1838 "function configure_interfaces() does not manage ip addresses of vlan interfaces". This function used to take into account only interfaces that were direct children objects of the firewall. Since vlan interfaces are children of the corresponding physical interface, they were not included. * FirewallInstaller.cpp (getGeneratedFileFullPath): fixed #1837 "generated script gets .fw suffix even when user set output file name". Suffix .fw should not be appended to the name entered by the user in the "output file name" input field in the firewall settings dialog. 
* PolicyCompiler_ipfw_writers.cpp (processNext): fixed #1836 "installer hangs and fails after activation of ipfw policy". As soon as .fw script swapped ipfw sets using command "ipfw swap" and deleted temporary set 1, ssh session would hang and eventually break. We optionally add ipfw rules to permit ssh session used to manage the firewall, as well as a rule to permit reply packets but the latter rule was not built correctly. It should match source and destination reversed, as well as match keyword "established" and recreate state with "keep-state". This rule automatically recreates state for the established ssh session over which firewall policy is being managed. Also added a comment to the firewall settings dialog for ipfw to remind the user that address or subnet they use with this automatic rule should be as narrow as possible. * instOptionsDialog.cpp (instOptionsDialog): see #1832 if user wants to use putty session, show session name instead of the ip address in the "Address that will be used to communicate with the firewall" input field in the installer options dialog. 2010-11-09 Vadim Kurland * Helper.cpp (Helper::findInterfaceByAddress): see #1834 Fixed matching algorithm that determines which interface a rule should be associated with for Cisco IOS ACLs. Previously compiler did not compare subnets properly and because of that it interpreted some configurations incorrectly. For example in the case with a network object 10.0.0.0/8 in "source" and an interface with address 10.0.0.1/24 (network should not be considered matching) compiler considered this interface matching and assigned the rule to the interface only with direction "inbound". * FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): see #1832 pscp.exe supports putty session in place of the target name but not if argument "-load session_name" is also present. Plink.exe does the same. We can not use fwb_session_with_keepalive if user wants to use putty session.
2010-11-08 Vadim Kurland * FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): See #1832, SF bug 3097419 "installer uses bare IP address instead of putty session name". It appears pscp.exe on Windows can use putty session name in place of the host name. This change restores old behavior where session name was used like that but does it for both plink.exe and pscp.exe. This only affects users who run fwbuilder GUI on Windows 2010-11-05 Roman Bovsunivskiy * see #1809 "Add Firewall Setting in Logging settings for default log setting on new rules". Added a tab "Policy Rule" to the "Objects" page of the global preferences dialog; checkbox in this tab allows the user to choose whether new policy rules should be created with logging turned on or off. 2010-11-04 Roman Bovsunivskiy * see #1826 "Please place all unit tests in one directory". All GUI and other unit tests moved to the directory src/unit_tests 2010-11-03 Roman Bovsunivskiy * code refactoring: see #1822 "refactor all GUI classes into libgui library and link executable with it" * see #1787 "new fw name input field should have focus when new firewall wizard opens" * see #1823 "Add Preference option for Advanced / Power users". Added checkbox to the Preferences dialog, this checkbox turns off some tooltips that can be annoying for users who are sufficiently familiar with the GUI 2010-11-02 Vadim Kurland * OSConfigurator_linux24_interfaces.cpp (printVerifyInterfacesCommands): fixed #1824 "should not try to verify wildcard interfaces". 2010-11-01 Vadim Kurland * CompilerDriver.cpp (CompilerDriver::getAbsOutputFileName): fixed SF bug 3090249 "fwb_ipt ignores -d option ". Documented behavior is for the compiler to create files in the directory specified by the argument of the "-d" command line flag. If flag "-d" is not provided, files should be created in the current directory. 
2010-10-29 Vadim Kurland * PolicyCompiler_ipt.cpp (checkForStatefulICMP6Rules::processNext): fixed SF bug 3094273 "no state needed for ipv6-icmp in ip6tables". Rules that match ICMPv6 objects should be stateless. Compiler will check for this and reset "stateful" flag of a rule and issue warning if the rule was built stateful in the GUI. This could be version-dependent, we may need to revisit this in the future when netfilter fixes the underlying issue. Some resources: https://bugzilla.redhat.com/show_bug.cgi?id=243739 https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/479105 * src/res/objects_init.xml.in: added ICMPv6 object "parameter problem" (type 4, any code) per SF feature request 3094743. Also added service group object "ipv6 unreachable messages" that includes ICMPv6 messages "destination unreachable", "packet too big", "parameter problem" and "time exceeded" per SF feature request 3094758 * configlets/linux24/automatic_rules: implemented SF feature request 3094738 "Set the HL to 255 for IPv6 Neighbor Discovery". Neighbor discovery packets must have hop limit of 255 per RFC 2461. Automatically generated rules that match neighbor discovery packets will match hop limit 255. * configlets/linux24/update_addresses: fixed SF bug 3091069: "Routing configuration failed". Iptables script generated by fwbuilder did not configure broadcast when it added ip addresses to interfaces. Using "ip addr add ADDR/NM broadcast + dev INTF" syntax to do this. * OSConfigurator_bsd.cpp (compare_names): fixed #1807 "wrong order of address assignment in the generated OpenBSD/PF/CARP cluster configuration". Need to assign ip addresses to regular interfaces before trying to assign them to carp interfaces. * configlets/linux24/load_modules: fixed #1820 "skip module "nf_conntrack_ipv6" if generated script has no ipv6 rules" Shell function load_modules should not try to load module nf_conntrack_ipv6 if generated script does not load any ipv6 rules.
Loading this module fails if ipv6 has been disabled in the kernel. 2010-10-29 Vadim Kurland * run_time_wrappers: fix for the SF bug #3095615 "reopen no PREROUTING rule with *-Interface - ID: 3077132". Configlet used wrong shell variable to access ip address of a wildcard interface. * VERSION (FWB_MICRO_VERSION): started 4.1.3 2010-10-07 Vadim Kurland * configlets/pix_os/installer_commands_reg_user: using command "terminal width 256" to turn off ANSI commands in the PIX command echo. * FindObjectWidget.cpp (showObject): rolled back change done in r3320 (refs #1790) "When an object is found using Find and the object is in the object tree, the keyboard focus shifts to the Object Panel". That change broke highlighting of the found object in rules. * refs #336 "Need template for PIX firewall"; added template for PIX 50X (501 and 506) 2010-10-06 Vadim Kurland * FWWindow.cpp (FWWindow::showIntroDialog): fixed compile problem with old Qt (v < 4.5.0). * FWWindow.cpp (FWWindow::showIntroDialog): See #1765, #1779 Will show a dialog inviting the user to watch Quick Start Guide on the web site when they run the GUI for the first few times. The dialog is shown instead of the Tip of the day dialog. Switching to the tip of the day after 5 starts. * RoutingCompiler_pix.cpp (emptyRDstOrRItf::processNext): fixed #1783 "PIX routing entries require interface, but PIX config will compile without interface in Routing rule". Policy compiler for PIX now checks that both "interface" and "gateway" rule elements are not empty. 2010-10-05 Vadim Kurland * OSConfigurator_linux24.cpp (printRunTimeWrappers): fixed SF bug 3077132 "no PREROUTING rule with *-Interface". Rules matching addresses of a wildcard interface (e.g. "ppp*") were not properly generated. * RuleSetView.cpp (updateSelectionSensitiveActions): fixed SF bug 3039681 "context-menu items inconsistent for Single/Multiple rules". When several rules are selected in rule set, some context menu items should turn to plural. 
* FWWindow.cpp (prepareRulesMenu): fixed #1778 "main menu Rules should have the same items that context RuleSetView menu when no rules are selected" 2010-10-04 Vadim Kurland * ObjectManipulator.cpp (showObjectInTree): fixed #1777 "scroll new fw object to the top of the tree view panel once its created" This has side effect in that some other operations that open an object in the tree will also scroll the tree to position this object at the top. * FWBSettings.cpp (setCustomTemplatesEnabled): fixed #1791 "Add preference flag to enable / disable the Custom templates button on the New Firewall Wizard". Use of the custom template library to create new firewall object is now optional, controlled by a checkbox in the "Object" tab of the global preferences dialog. New users will have this option turned off by default, however existing users will see it enabled for backwards compatibility. * FindObjectWidget.cpp (showObject): fixed #1790 "When an object is found using Find and the object is in the object tree, the keyboard focus shifts to the Object Panel". The "find" panel now retains keyboard focus after it shows found object in the tree, this allows the user to just hit Enter on the keyboard to find the next object. * FindObjectWidget.cpp (objectDeleted): fixed #1785 "Deleting graphic icon of object from Find tab should also remove the text name or label" * newFirewallDialog.cpp (changed): fixed #1770 Eliminated pause that happened when user switched from page 0 to page 1 of the new firewall wizard. Pause was caused by the DNS queries the program ran trying to determine ip address of the firewall using the name provided on the first page of the wizard. Now DNS query is launched only if user wants to create interfaces using snmp scan. * InterfaceEditorWidget.cpp (InterfaceEditorWidget): fixed #1772 improved design of the widget used to edit ip addresses and other attributes of an interface in the new firewall, new host and new cluster wizards. 
Removed "MAC Address" input field and rearranged other input fields according to the result of usability tests. * SSHCisco.cpp (SSHCisco): fixed #1784 added Cisco ASA (PIX) error message "cannot add route entry" to the list of errors that built-in installer recognizes and marks install process as "Failure". * newFirewallDialog.cpp (showPage): fixed #1767 improved UI in the new firewall and new host dialogs where user chooses file for the custom template library or uses standard template library. 2010-10-03 Vadim Kurland * ObjectManipulator_create_new.cpp (ObjectManipulator::createNewObject): fixed #1776 once new firewall is created, automatically open its Policy * FWWindow.cpp (FWWindow::showIntroDialog): fixed #1765, #1779 Move quick start guide to the web site. The "Quick Start Guide" is now part of the web site and the GUI only shows a dialog-invitation to watch it. 2010-10-01 Vadim Kurland * FWBSettings.cpp (getABTestingGroup): fixed #1763 Implemented basic facility for A/B testing within the GUI 2010-09-30 Vadim Kurland * FindObjectWidget.cpp (keyPressEvent): fixed #1755 "hitting enter after editing search attribute in the Find panel should trigger search" * FindObjectWidget.cpp (matchAttr): fixed #1760 'Search by attribute "name" should search by name or label'. * FindObjectWidget.cpp (objectInserted): fixed #1757 Allow searching by attributes even after an object is dropped into the drop area in search panel. * newFirewallDialog.cpp (browseTemplate): fixed #1759 "Use default template library" button seems to do nothing. This button should only be enabled if user switched to their own library of template objects. The button should be disabled if they switched back to the standard template library or never switched to their own one. 
* newHostDialog.cpp (finishClicked): fixed #1761 "blank interface name is possible in new host wizard" * FWObjectPropertiesFactory.cpp (getInterfaceNameExamplesForHostOS): fixed #1753 "Set interface name hint based on firewall platform and host OS". The placeholder text in the interface name and label input fields in the new firewall wizard will depend on the host OS chosen in the first page of the wizard. * utils.cpp (validateName): fixed #1751 "Don't allow interface names to be blank". The GUI should not allow the name of any object to be blank. 2010-09-29 Vadim Kurland * ProjectPanel.cpp (ProjectPanel::inspect): fixed #1718 "Inspect generated files" dialog says "Multiple firewalls" even when there is only one * InterfaceEditorWidget.cpp (InterfaceEditorWidget::InterfaceEditorWidget): added "placeholder" text to the interface name and label input fields. This text is displayed in greyed-out small font inside the input field but is cleared as soon as user starts their input. The text gives user a prompt as of what is expected in each input field. The "placeholder" text support is available only in Qt 4.7 and later so the code is conditional on the version of Qt. * WorkflowIcons.cpp (WorkflowIcons::openTutorial): fixed #1733 "Add button for video tutorial link". Shortcut button "Watch Getting Started Tutorial" opens page with video tutorials in the standard browser. * InterfaceEditorWidget.cpp (InterfaceEditorWidget::isValid): fixed #1746 "Force user to change interface name in New Firewall wizard". When user creates interfaces for the new firewall or host using manual method and clicks on the "+" button to add a tab for the new interface in the wizard page, the interface tab is created with blank name. Wizard later checks the name when user clicks Finish to create new firewall or host object and does not let them do this while interface name is still blank. Error dialog reminds that the name of the interface must match the name of the interface on the machine. 
* ProjectPanel.cpp (ProjectPanel::updateFirewallName): fixed #1745 "Remove path data from text above rules window that shows firewall name". 2010-09-28 Vadim Kurland * ObjectManipulator_create_new.cpp (reminderAboutStandardLib): refs #1748 "Add dialog about Standard Library when user creates first Service object". First time users will see an informational dialog reminding them about the Standard objects library when they create their first service object. 2010-09-27 Vadim Kurland * src/gui/Tutorial/introduction/html/page0.html: refs #1737 Added "Quick Start Guide" tutorial that demonstrates basic features and key concepts of Firewall Builder. The tutorial is accessible via Help / Tutorials menu and is shown to the first-time user on the GUI startup instead of the "tip of the day" dialog. * FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed): system folders in the tree now have tooltips that explain what kind of objects belong there. * RuleSetView.cpp (showToolTip): Added text to the tooltips shown for the "Direction" and "Action" rule elements to remind user that to change these rule parameters they need to click right mouse button to open list of possible settings * RuleSetView.cpp (showToolTip): fixed #1744 "Add tooltip to the rule number". The column in the RuleSetView where rule number is shown now has a tooltip to remind the user that they can click right mouse button to open the context menu and use keyboard shortcut "x" to compile the rule * FWBSettings.cpp (init): fixed #1743 "change default for the option 'Show text descriptions for direction and action'". The option should be on by default. * RuleSetView.cpp (showToolTip): fixed #1730 "Add background help text and images to empty policy window". Showing tooltip in the empty space in the rule set view, this tooltip provides hints on how to edit rules which should be useful for the beginners. 
2010-09-26 Vadim Kurland * ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested): fixed #1741 "there is no way to undelete a library object". * FWCmdMoveObject.cpp (FWCmdMoveObject::notify): fixed #1740 "Deleted library remains in the drop-down list". If option "Show deleted objects" was turned off in the Preferences dialog and user deleted a library, it remained in the drop-down list of libraries and its object tree was still displayed in the object tree panel. * listOfLibrariesModel.cpp (ListOfLibrariesModel::addStaticItems): fixed #1728 "Update Library drop down menu". Library drop down list shows an item "Object libraries:" at the top that can not be selected and that always stays on top as libraries are added, removed and renamed. The list always stays sorted in ascending order. Library names are indented by 2 spaces to make them visually distinguishable from the prompt item at the top. Implementation uses class ListOfLibrariesModel that inherits QStringListModel. * PrefsDialog.cpp (PrefsDialog::PrefsDialog): fixed #1739 "remove "tooltip delay" input from preferences dialog". Qt4 does not allow for changing tooltip delay. 2010-09-24 Vadim Kurland * RuleSetView.cpp (itemDoubleClicked): refs #1731 Change double-clicking on "Any" object behavior. Double click on "any" in a rule does not try to open object "any" in the tree and editor panel. * FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed): refs #1731 Change double-clicking on "Any" object behavior. Tooltip shown for the object "any" in rules says "to modify the rule drag and drop an object from the tree here" instead of attributes of the object "any". * FWBSettings.cpp (init): fixed #1738 "Enable tooltips by default" * ObjectManipulator.cpp (editSelectedObject): fixed #1729 "double clicking a folder in the tree should expand it rather than open it in the editor". * ObjectTreeView.cpp (edit): fixed #1732 "Double clicking on object with child objects should auto expand them". 
Double clicking on objects and folders in the tree expands and collapses them, as well as opens object in the editor. * ObjectManipulator.cpp (expandObjectInTree): fixed #1715 "automatically expand new firewall and new host objects in the tree once they are created" * configlets/linux24/check_utilities: fixed #1714 "make checking for MODPROBE conditional". There is no need to check if modprobe utility exists on the firewall machine if it is not used by the script. 2010-09-22 Vadim Kurland * instDialog_ui_ops.cpp (instDialog::readInstallerOptionsFromFirewallObject): fixed #1724 . There was a problem with pscp.exe and putty sessions. Plink.exe accepts session name in place of the host name on the command line, but pscp.exe does not. We ask user to enter session name in the "alternative name or address to use to communicate with the firewall" input field in the "Installer" tab of the firewall settings dialog and then use it in place of the host name in the command line for pscp.exe and plink.exe. This works with plink.exe but breaks pscp.exe which interprets it as a host name and fails with an error ""ssh_init: Host does not exist". The fix checks if what user entered in the "alternative host or address field" is a session name and uses different command line with pscp.exe 2010-09-20 Vadim Kurland * NATCompiler_ipt.cpp (compile): fixed SF bug #3071667 "Compilation segfault with DNS address in NAT rule". Added rule processors to replace Run-time DNSName and Address Table objects in TSrc and TDst. 2010-09-16 Vadim Kurland * SSHSession.cpp: Refs #1699 installation session status was reset from "failure" to "success" in a configuration where fwbuilder gui was running on Windows and talked to Cisco router using pscp.exe and plink.exe and ssh session failed because of authentication failure. This happened because plink.exe terminated with return status "success" even in case of authentication failure. 
* generatedScriptTestsIpfilter.cpp (GeneratedScriptTest::runCompiler): unit tests to test manifest and activation commands in the generated .fw script for ipfilter. Refs #1702 * FirewallInstaller.cpp (FirewallInstaller::getGeneratedFileFullPath): fixed how we append suffix ".fw" to the name of generated script when it is preconfigured in the firewall settings dialog and already includes ".fw" suffix (it was added twice). * CompilerDriver_ipf_run.cpp (CompilerDriver_ipf::run): fixed #1702 "Wrong path in the activation script for ipfilter". Activation command embedded in the generated .fw script used local path to the generated .conf file on the machine where fwbuilder compiler was running. 2010-09-14 Vadim Kurland * FirewallInstaller.cpp (getGeneratedFileFullPath): fixed SF bug 3049665 "Firewall Settings -> Output file name misses .fw extension" * CompilerDriver_ipt_policy.cpp (processPolicyRuleSet): fixed #1707 "call function "prolog_commands" from the main iptables script part instead of function "script_body" when prolog should be executed after iptables reset" * configlets/linux24/script_skeleton (cmd): fixed SF bug 3060325 "Address table object and prolog script conflict". Generated script should run prolog before checking and loading run-time address tables. * NATCompiler_PrintRule.cpp (processNext): fixed SF bug 3057503 "DNAT rule with dynamic IP has a white space, causing error". * PolicyCompiler_PrintRule.cpp (_printIpSetMatch): fixed #1705 "iptables (v>=1.4.4) "--set option deprecated ..." (SF bug 3059893) Option "--set" has been deprecated and renamed "--match-set" in iptables 1.4.4 * CompilerDriver_pf.cpp (printPathForAllTools): fixed SF bug 3061034 "ifconfig definition missing". Script generated for the ipfw firewall on Mac OS X missed definition of variable IFCONFIG. 2010-09-13 Vadim Kurland * IPTImporter.cpp (addPktTypeMatch), iptables.g: fixed #1703 "importing iptables line with module pkttype causes parser error". 
We do not have any object with the behavior closely resembling that of iptables module "pkttype" so the importer creates CustomService object with the code taken from the original iptables rule. SF bug 3065435 * VERSION (FWB_MICRO_VERSION): started 4.1.2 2010-08-20 Vadim Kurland * v4.1.1 released 2010-08-19 Vadim Kurland * NATCompiler_ipt.cpp (splitNATBranchRule::processNext): fixed #1686 "can not generate basic NAT branching rule". NAT branching rules were not generated in single rule compile mode because compiler needs information about targets used in the branch rule set rules to decide which chain the branching rule should be placed in. Now it will use PREROUTING and POSTROUTING in single compile mode but issue a warning. * NATCompiler_ipt.cpp (VerifyRules2::processNext): fixed #1685 "iptables redirecting NAT rules in the OUTPUT chain". NAT rules should be allowed to translate from CustomService to TCP or UDP service, provided CustomService object is configured with matching protocol. See also change in libfwbuilder NATCompiler::classifyNATRule::processNext. * NATCompiler_ipt.cpp (localNATRule::processNext): see #1685 "iptables redirecting NAT rules in the OUTPUT chain". This fix makes it possible to create iptables NAT rule with target REDIRECT in the OUTPUT chain. The rule should have firewall object in OSrc and TDst rule elements. * NATCompiler_PrintRule.cpp (PrintRule::processNext): fixed #1693 SF bug 3048516 "NAT rule with 'Use SNAT instead MASQ' doesn't work". NAT rule using combination of the option "Use SNAT instead of MASQ", dynamic address of an interface and source port translation produced iptables command with incorrect syntax. 2010-08-18 Vadim Kurland * Helper.cpp (list): fixed #1691 , this is a better fix for the problem reported in the earlier bug (see #1690). Function Helper::findInterfaceByNetzone() throws FWException, this changed in v4.1.0 with a fix for #1653. 
2010-08-17 Vadim Kurland * procurveInterfaces.cpp (procurveInterfaces::parseVlan): fixed #1683 class procurveInterfaces interprets interface "DEFAULT_VLAN" as vlan interface with vlan id 1. * newFirewallDialog.cpp (newFirewallDialog::finishClicked): fixed #1683 When user creates new firewall using snmp scan, fwbuilder will now guess and assign the type to interfaces that look like vlans for the given platform and host OS. * safety_net_acl: fixed #1687 "temporary access list commands syntax is incorrect". Temporary ACL generated for the Procurve platform was incorrect. * PolicyCompiler_cisco.cpp (PolicyCompiler_cisco::setAllNetworkZonesToAny): fixed #1690 "IOS ACL and Procurve ACL compilers fail because interfaces are not assumed to have network zone "any" anymore". Compilers for Cisco IOS ACL and Procurve ACL always assumed all interfaces have network zone "any". Recent changes made in 4.1.0 changed that and compilers stopped working for some rule configurations. * (PolicyCompiler_cisco::createACLObject): fixed #1688 "Procurve ACL remarks should be in quotes if they include space" 2010-08-14 Vadim Kurland * FirewallInstallerProcurve.cpp (FirewallInstallerProcurve::packInstallJobsList): Policy installer for HP Procurve. Currently only works in line-by-line mode (no support for scp). Tested with Procurve firmware K14.31 on ProCurve J9470A Switch 3500-24. Caveat: manager access should not be configured with user name (that is, no "password manager user-name foo") * set version to 4.1.1 2010-08-10 Vadim Kurland * v4.1.0 released 2010-08-08 Vadim Kurland * ObjectManipulator_ops.cpp (ObjectManipulator::actuallyDeleteObject): fixed #1674 "Crash while using Undo Stack". Operation "Cut" should be represented by an undo macro object and should appear as one operation on the undo stack. 
* ObjectManipulator.cpp (ObjectManipulator::getMenuState): fixed #1676 "Crash when deleting an interface that has multiple IP addresses and not all addresses are selected for deletion" 2010-08-06 vadim * ObjectManipulator_tree_ops.cpp (ObjectManipulator::clearObjects): fixed crash that happened on Mac if the GUI was started with a file name as command line argument. The issue was introduced recently when GUI state update was reimplemented as an event. 2010-08-05 Vadim Kurland * ProjectPanel_events.cpp (event): fixed #1660 "Crash when cut-and-pasting firewall between libraries". GUI crashed if user performed the following sequence: cut an object, switch to a different object library, try to paste using keyboard shortcut Ctrl-V while library object was selected in the tree. 2010-08-04 Vadim Kurland * IPTImporter.cpp (IPTImporter::finalize): fixed #1664 "Policy import creates firewall object w/o version". This also fixes crash reported in SF bug #3036934 * pixAdvancedDialog.cpp (pixAdvancedDialog::displayCommands): fixed SF bug #3038945 "ASA inspect configurations not saved". Under some circumstances the GUI did not save changes made in the "Inspectors" tab of the PIX advanced settings dialog into the object. * ObjectManipulator_tree_ops.cpp (ObjectManipulator::removeObjectFromHistory): fixed #1661 "Crash after deleting firewall" a sequence where user deleted an object and then hit "Back" button caused crash. 2010-08-03 Vadim Kurland * pixAdvancedDialog.cpp (pixAdvancedDialog): fixed SF bug #3038948 "ASA logging severity levels are incremented". Log levels in the "Logging" tab of the PIX firewall advanced settings were incremented every time user opened the dialog and then clicked OK. * PolicyCompiler_PrintRule.cpp (_printIP): fixed SF bug #3038636 @v4.1b, "iptables v1.4.8: unknown option `--ra'". Ipv4options module has changed in iptables 1.4.3 and now accepts different set of parameters. 
Policy compiler generates new parameters if user set version in the firewall object dialog to "1.4.3 or later". 2010-08-02 Vadim Kurland * InterfaceDialog.cpp (loadFWObject): fixed #1657 "When no network zone is defined on the interface, the Interface object editor says it is "Any" which is a lie" * configlets/linux24/run_time_address_tables: fixed #1652 "support for adding single address to address table in the generated script". Generated iptables script now provides functions "add_to_address_table", "remove_from_address_table" and "test_address_table" that let administrator add or remove single ip address to a given address_table. * OSConfigurator_linux24.cpp (printRunTimeAddressTablesCode): fixed #1654 "Support for run-time Address Tables with empty file in iptables". This is an implementation of the same feature we already have for PF. If the file name in the configuration of the run-time Address Table object is blank, policy compiler generates firewall configuration that uses ipset with the name the same as the name of the object but does not generate code to load addresses from a file into it. All control of the ipset is left for the user. * Helper.cpp (findInterfaceByNetzone): fixed #1653 "Crash when compiling a rule for Cisco PIX with incorrect network zone". 2010-07-29 Vadim Kurland * instDialog_installer.cpp (instDialog::installerSuccess): fixed #1639 "Add success message to the bottom of the process log for the installer". Added a message to the installer log to display installation status. * stop_action: "stop" action should reset ipv4 iptables configuration only if firewall object configuration defines any ipv4 rules. This is how generated script works for ipv6; behavior for ipv4 and ipv6 should be similar. 
Fixes SF bug #3036541 "IPV6 only firewall resets ipv4 stack" * script_skeleton (cmd): added action "block" to the "usage" string of the generated iptables script 2010-07-28 Vadim Kurland * PolicyCompiler_ipt.cpp (checkActionInMangleTable::processNext): fixed SF bug 3034628 "iptables does not allow target REJECT in mangle table". Iptables does not support target REJECT in mangle table. Added check to the policy compiler to make it detect this situation and issue an error. * FWWindow.cpp (FWWindow::compile): fixed SF bug 3035426 "canceled save writes .fwb ". The program created file with name ".fwb" if user started with an empty project page, created some objects, then hit "Compile" but then clicked "Cancel" when offered a chance to save objects into a new data file. * CompilerDriver.cpp (CompilerDriver::_findImportedRuleSetsRecursively): fixed #1631 "Process branch rule sets recursively". Policy compilers used to look only one level deep while processing branching rules. They should allow for arbitrary nesting and correctly avoid infinite loops if user creates looped branches. Compiler issues a warning when it detects looped branching. This fixes SF bug 3033462 "nested shared branch rules between servers not working". * UsageResolver.cpp (UsageResolver::findWhereUsedRecursively): fixed #1632 "dependencies created by branching rule sets should be processed recursively". In the case of multi-level branches the GUI should trace all references to find all firewalls affected by a change of an object used in the rule. 2010-07-27 Vadim Kurland * configlets/linux24/block_action: fixed #1640 "default policy when the script is stopped should be optional". The "stop" command used to be interpreted by the iptables script generated by fwbuilder in a way that it blocked all connections going to, from and through the firewall. 
Luc Paulin pointed out that this behavior is incompatible with other firewall management scripts, such as /etc/rc.d/init.d/iptables on Fedora Linux or ufw on Ubuntu, where "stop" means disabling the firewall. In v4.1 the "stop" command flushed all chains in all tables and sets default policy to ACCEPT. New command "block" does what "stop" used to do before, that is, flushes all chains in all tables and sets default policy to "DROP". The option to add a rule to permit ssh access from the management workstation when firewall is stopped now adds this rule when firewall script is run with "block" command instead. 2010-07-26 Vadim Kurland * configlets/linux24/run_time_address_tables: implemented support for mixed address lists for run-time address table objects using ipset module. Normally, one ipset set can either contain individual ip addresses or subnets. We create a "setlist" type set that includes two sub-sets, one for ip addresses and the other for subnets. Function reload_address_table in the configlet run_time_address_tables takes care of managing these three sets automatically. Address list file has the same format as for all other supported types of Address Table object: one address per line, subnets are defined using '/bitlength' or '/netmask' syntax, comments start with '#' or ';' character. 2010-07-24 Vadim Kurland * code cleanup. Removed bunch of warnings and cleaned up some test cases using small patches from Mike Slifcak slif@bellsouth.net 2010-07-23 Vadim Kurland * Fixes #1635: included code generated by the configlet run_time_address_tables into script for all linux-based host OS (dd-wrt, openwrt, ipcop) even though most of they do not support ipset at this time. 
If ipset is not supported because iptables version is too old or the module is simply not available for the platform, user can just uncheck the checkbox in the firewall settings dialog and code generated by the configlet will support method of loading addresses from the file at run time based on script variables and a "while" loop. * script_skeleton: added command line argument "reload_address_table" that calls function reload_address_table and takes two additional arguments: set name and file name. * script_skeleton (cmd): calling functions to check if data files used by run time address table objects are available before making any changes to iptables policy. If files are not available, the script aborts and leaves iptables in the original state. This fixes #1628 "generated script checks presence of the address table files after it sets default iptables policy to DROP". fixes #1628 * run_time_address_tables: new configlet that adds shell code to check if all run time address table data files are present on the firewall machine and that ipset utility works and can communicate with the kernel driver. This configlet also defines a function to reload one ipset with given name and data file name and function to reload all ipsets used in the generated script. Fixes #1625, #1627 * PolicyCompiler_PrintRule.cpp (PrintRule::normalizeSetName): fixed #1626 "convert space and other special characters found in the run time address table object into underscores". The name of the run-time Address Table object is used for the name of the ipset module set. Making sure the name is sanitized of the characters considered "special" by shell before it is used. * check_utilities: fixed #1625, see #137: added ipset to the list of command line utilities generated iptables script can use. Script will check if the utility is present on the firewall if user requested use of iptables module "set" for run-time Address Table objects. 
Also added an input field for ipset in the advanced settings host OS dialog for Linux to let the user specify path to ipset if it is not standard. 2010-07-22 Vadim Kurland * PolicyCompiler_PrintRule.cpp: added support for iptables module "set" used to generate iptables command for rules with run-time AddressTable objects. This module is only available in iptables 1.4.1.1 and later, however some embedded platforms do not have it even though they ship later versions of iptables (e.g. OpenWRT). Use of this module is controlled by a checkbox in the iptables "advanced" settings dialog which is off by default. This checkbox becomes disabled when iptables version is set to < 1.4.1.1. * newClusterDialog_create.cpp (newClusterDialog::createNewCluster): fixed #1622 "Crash when configuring cluster". The GUI used to crash if user created a cluster copying rules of one of the cluster members while that rule set was opened in the rule set view. 2010-07-21 Vadim Kurland * iptadvanceddialog_q.ui: rearranged elements in the tab "Compiler" of the dialog to make it shorter and wider. Still needs some work to make it render better. * InterfaceEditorWidget.ui: set minimum height for the name, label and few other input fields because they came out squished on Mac. Fixes #1613. * FWWindow.cpp (fileNew): fixed #1611 "File/New should create new project panel". Like #1612, open new data file in a new project panel if current project panel has no data file associated with it but has unsaved changes. * FWWindow.cpp (loadFile): fixed #1612 "File/Open should create new project panel". If user has some unsaved changes in the default project panel (the one with no associated file) and then uses File/Open menu to open another data file, the file should open in a new project panel. 2010-07-20 Vadim Kurland * FWWindow.cpp (FWWindow::showEvent): default main window geometry should be 1000x600, wider than it used to be before. This is to make object dialogs fit in the main window without squishing. 
* routing_functions: added a copy of the routing_functions configlet to the dd-wrt-nvram and dd-wrt-jjfs because newest versions of DD-WRT lack mktemp. The original routing_functions configlet does not use mktemp either, but Gentoo (and possibly other distros) ship patched version that needs mktemp which breaks fwbuilder generated script on these versions of DD-WRT. Hopefully they won't patch the copy of routing_functions configlet. * StartTipDialog.cpp (StartTipDialog::StartTipDialog): fixed #1603 "Welcome dialog should show full version of the program". * set version to 4.1.0 and version of the data file format to "17". Data files need to be upgraded. Upgrade script changes the version and makes sure Standard objects library is read-only. Some users may have this library configured read-write in their data files because of a bug in the early versions of fwbuilder 4. * We have decided to release this version as 4.1.0 rather than 4.0.2. "4.0.2" will remain our internal testing version designation. 2010-07-19 Roman Bovsunivskiy * DiscoveryDruid_q.ui, newclusterdialog_q.ui, newfirewalldialog_q.ui: Set up default buttons in dialogs * DiscoveryDruid_q.ui, DiscoveryDruid.cpp, Importer.cpp: Added firewall name input field. * InterfaceEditorWidget.cpp: Button "Add address" now changes text to "Add another address" when there is at least one address in current interface. 2010-07-19 Vadim Kurland * objects_init.xml.in: fixed bug #3031721 "Qt has caught an exception thrown from an event handler." 
The "Standard" objects library was made read-write in one of the earlier builds 2010-07-17 Vadim Kurland * DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): fixed #1597 import method "import configuration of a firewall" is disabled on the first page of the discovery druid 2010-07-15 Vadim Kurland * newFirewallDialog_from_template.cpp (newFirewallDialog::replaceReferencesToNetworks): fixed #1582 'tree is not refreshed after address substitutions in "new firewall" wizard' 2010-07-14 Vadim Kurland * FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): fixed #1571 "Installer does not work if firewall object name contains spaces". Installer should use escaping to make sure file name with a space is correctly interpreted by the script it runs on the firewall. * DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromImporter): fixed #1544 "fwbuilder crashes during import of file with rtf formatting data". The fix should prevent crashes in other cases when import was unsuccessful. 2010-07-13 Roman Bovsunivskiy * instdialogoptions_q.ui: Added "Cancell All" button to stop all firewalls installations, renamed OK button to "Install" * instDialog_ui_opts.cpp (instDialog::getInstOptions): added support for "Cancel All" dialog result code. 2010-07-12 Roman Bovsunivskiy * instDialog_ui_opts.cpp (intDialog::fillCompileSelectList): fixed wrong display of non-ascii symbols in cluster member compilation warning. * newFirewallDialog.cpp (newFirewallDialog::showPage): firewall names are now resolved to IP address. Added new input element for firewall IP address to use for SNMP interface discovery. 2010-07-11 Vadim Kurland * FirewallInstaller.cpp (FirewallInstaller::packSSHArgs): fixed bug 3027284: "redux settings for scp/ssh to respond to line failure". The solution for bug 3020381 used to force ssh and scp commands to use the parameters ServerAliveInterval and ConnectTimeout to activate and configure ssh keepalive protocol. 
These command line parameters were enforced and added to the input fields where user enters the path to ssh and scp utilities on the machine where fwbuilder GUI is running. This was confusing and poor GUI design as the program was changing fields that were supposed to be user-editable. This fix adds an input field for the timeout value in seconds to the "Installer" tab of the global preferences dialog. The program does not change strings entered by the user for ssh and scp path anymore. The same timeout value is used to set up ServerAliveInterval parameter for ssh, ConnectTimeout parameter for scp and registry entries required by plink and pscp on Windows. 2010-07-10 Vadim Kurland * Importer.cpp (Importer::getFirewallObject): fixed bug #3027272: "default values taken from unexpected sources". When new firewall object was created using "Import Policy" function, parts of its configuration were taken from default settings of an unexpected host OS. 2010-07-09 Roman Bovsunivskiy * newFirewallDialog.cpp (newFirewallDialog::finishClicked): fixed crash when clicking finish after getting error about wrong IP address or netmask * FirewallCodeViewer.cpp (FirewallCodeViewer::fileSelected): now when viewing again a file that was viewed before, the scroll position is the same as the user left it. * instDialog_q.ui: renamed "All" button to "Select all" and "None" to "Select none" * instDialog.cpp (instDialog::show): hide "Select all" and "Select none" buttons when there is only one firewall in list * instDialog.cpp (instDialog::showPage): next button on inspect page is now not enabled if dialog called for compile only 2010-07-05 Roman Bovsunivskiy * instDialog.cpp (instDialog::findFirewalls): sorting of firewall and cluster items in compile/install dialog is now case insensitive. * ProjectPanel.cpp (ProjectPanel::inspectAll) * ObjectManipulator.cpp (ObjectManipulator::inspet): inspect is now working with cluster objects.
2010-07-03 Vadim Kurland * RuleSetView.cpp (RuleSetView::restoreCollapsedGroups): fixed SourceForge bug 3020761 "printing from command line causes Segmentation fault". Fixes #1533 2010-06-28 Vadim Kurland * utils.cpp (parseCommandLine): See #1542 since now user can enter different command line parameters together with the path to ssh and scp clients in the global Preferences dialog, we need to parse these properly. This is especially important if file paths or arguments contain white space characters. Unit tests are in src/gui/unit_tests/parseCommandLineTest 2010-06-26 Vadim Kurland * installer_commands_reg_user: all installation commands should be on a single line in the configlet so they are sent to the firewall as one line. When these commands were on separate lines, linefeed characters between them appeared on the standard input of command "sudo -S" and broke installation process. This only happened in my tests when I ran GUI installer on windows and looked like some sort of a race. When all commands are on the one line the problem disappeared. Changed only configlets that used sudo as part of installation script. * CompilerDriver_pix_run.cpp (CompilerDriver_pix::pixNetworkZoneChecks): do not verify network zones of unprotected interfaces. Compiler does not allow the same object to be used as network zone of two different interfaces, which caused problems when a vlan parent interface has zone "Any". Vlan parent interface can not have ACLs attached to it and does not need any meaningful network zone, so "Any" is reasonable fill-in choice. However it coincides with network zone of the "outside" interface which triggered this check. * SSHUnx.cpp (SSHUnx::stateMachine): SF bug 3020381: "Line failure should abort remote firewall install". If network connection is lost during firewall policy activation, policy installer should detect this, disconnect and declare installation session a failure.
Prior to v4.0.2, installer detected network failures during policy copy (done with scp) or when it could not connect to the firewall at all, but hung if the connection was lost in the middle of the ssh session used to activate firewall policy. Now using ssh parameter "ServerAliveInterval" to make it detect connection failure. This does not work with plink.exe on Windows which does not support these command line options. Still looking for a solution. * FWBSettings.cpp (FWBSettings::init): automatically adding ssh parameters "-o ServerAliveInterval=2 -o ServerAliveCountMax=15" and scp parameter "-o ConnectTimeout=30" to the path to ssh and scp in the global preferences dialog, tab "Installer" to activate ssh keepalive. This way, user can change values if they need to. Default values define 30 sec timeout which should be rather conservative. On windows automatically configuring plink.exe and pscp.exe to load parameters of putty session "fwb_session_with_keepalive" that turns keepalives on. 2010-06-25 Roman Bovsunivskiy * FirewallCodeViewer.cpp (FirewallCodeViewer::FirewallCodeViewer): See #1346. Mostly completed implementation of the viewer panel that can be used to inspect generated firewall configuration files from within the GUI. The panel can be opened using a button in the mini-toolbar above firewall rules or as a page in the compile and install wizard. 2010-06-24 Vadim Kurland * OSConfigurator_linux24::printVirtualAddressesForNatCommands: fixed bug 3001228 "v4.0.0 iptables: NAT not creating interface addresses". Iptables script generated by fwbuilder used to include commands to configure virtual ip addresses for NAT only if option "configure interfaces" was turned on. Expected behavior is to generate these commands when option "Add virtual addresses for NAT" is turned on regardless of the setting of the option "configure interfaces".
2010-06-22 Roman Bovsunivskiy * fixed #1526 "Make sure GUI unit tests work in the environment where user turned off tip of the day dialog". Unit tests now use alternative settings file with all default values and do not depend on user's preferences. 2010-06-18 Roman Bovsunivskiy * fixed #1520 ("Comment field display clips comment text" 2010-06-17 Vadim Kurland * PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext): fixed #1523 "outbound ipv6 rule matching multicast ipv6 destination is not generated". The rule with network object fe80::/10 in source and ipv6 multicast ff00::/8 in destination did not produce corresponding ip6tables command. The change affects other cases with rules using broadcast or multicast objects that should be considered matching the firewall object. 2010-06-17 Roman Bovsunivskiy * RuleSetView.cpp: fixed SF bug 3016680 "Vertical scrollbar issue" rules with a lot of objects did not scroll properly vertically. * fixed #1493 "workflow icons in the big empty space". The GUI shows big buttons in the empty space in the right hand side of the main window when no firewall policy is opened yet. These buttons provide simple shortcuts to the workflow functions useful for the novice users. Currently this includes "Create new firewall", "Import configuration of existing firewall" and "Watch Getting Started Tutorial". * fixed #1521 "GUI crashes upon exit on CentOS 5". This fixes SourceForge bug reports 3016482 "segfault with RHEL5 pre-built packages on CentOS 5.5" and 3015979 "fwbuilder not exiting in centos 5.5" 2010-06-16 Vadim Kurland * IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed SF bug 3017084 "compiler adds extra quote characters to log-prefix string".
2010-06-15 Vadim Kurland * IPTImporterRun.cpp (IPTImporter::run): policy importer for iptables replaces --sport and --dport parameters of module multiport with --source-ports and --destination-ports to remove grammar ambiguity that arises from the use of the same parameters --sport and --dport by different iptables modules with different argument syntax. * iptables.g (match_iprange_src): Fixed SF bug 3016779: Policy importer for iptables should understand module iprange * FWWindow.cpp (FWWindow::prepareFileMenu): fixed bug 3016720 "import policy disabled after file close". Menu items "File/Import Library" and "File/Import policy" became disabled after user closed data file using "File/Close" and never became enabled again. 2010-06-14 Roman Bovsunivskiy * FWBSettings.cpp (FWBSettings::init): fixed #1504 Added (optional) text to the toolbar buttons. Text is turned on by default but can be turned off in the global Preferences dialog. * Preferences.cpp: fixed #1505 move "Clip comments in rules" checkbox to "Appearance" tab. 2010-06-14 Vadim Kurland * release_notes_4.0.2.html: Added release notes for v4.0.2 to the package. fixes #1515 * IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed SF bug 3015641 "imported REJECT rule changed during compile". Importer of iptables rules did not handle properly parameters of the REJECT target. 2010-06-12 Vadim Kurland * IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed #1516 policy importer for iptables should not use automatic ESTABLISHED rule. (See also SF bug 3012953). Policy importer for iptables always creates explicit rule to match ESTABLISHED,RELATED to make sure it goes into the same chain as the original rule. Also in the same fix, importer creates branch for iptables rules that match both regular service and state ESTABLISHED,RELATED. The service is matched in the main policy rule set, while ESTABLISHED,RELATED state is matched in the branch. 
* GroupObjectDialog.h (class GroupObjectDialog): fixed #1499 "GroupObjectDialogTest.cpp does not compile with gcc 3.4.6" and SF bug 3015307. There is no reason to make method insertObject() protected which caused problems (and hacky workaround) in the unit test. * IPTImporter.cpp (IPTImporter::finalize): fixed SF bug #3015305 "compile error XML validity ". The problem was introduced with a change that made policy importer capable of reproducing default policies of main chains. 2010-06-11 Vadim Kurland * fixed SF bug #3013743 "UI build warnings" * longtextdialog_q.ui, objconflictresolutiondialog_q.ui: fixed SF bug #3013735 "invalid pixmap properties during make". Fixed uic warnings. * IPServiceDialogTest.cpp (IPServiceDialogTest::testIpOptions): fixed SF bug #3013855 "various fixes for run_tests". Applied patch suggested by Michael J. Slifcak (with changes). * DiscoveryDruid.cpp (DiscoveryDruid::browseForImport): fixed SF bug #3013532 "file chooser dialog for import policy does not show all files". * IPTImporter.cpp (IPTImporter::finalize): fixed #1513 iptables importer should check default policy in standard chains. Importer creates rules at the bottom of the policy rule set to reproduce default policies in the built-in chains INPUT,OUTPUT,FORWARD. These rules are added only when default policy in these chains is set to ACCEPT because generated iptables script always sets default policies to DROP. Support for this in the mangle table is limited so far, only default policies in PREROUTING, OUTPUT and POSTROUTING can be implemented. Rules created for the commands that set default policy in chains FORWARD and INPUT will generate commands in PREROUTING chain instead. We will try to address this in the future if there is sufficient demand. 2010-06-08 Vadim Kurland * applied patch from slif@bellsouth.net to fix compiler warnings. Patch applied partially since not all fixes were appropriate.
fixes #1510 * IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed #1512 SF bug 3012953: iptables importer sometimes does not recognize rule with " ESTABLISHED,RELATED ". Parser properly processed iptables rules with state "RELATED,ESTABLISHED" but not when states were in the opposite order. * IPTImporter.cpp (IPTImporter::pushPolicyRule): policy importer for iptables can now parse numerical log levels. * Importer.cpp (Importer::getUDPService): fixed sourceforge bug 3012953 name of UDP and TCP objects created during import should follow the same pattern and not include "0-0" for the source ports if they are equal to zero. * IPTImporter.cpp (IPTImporter::IPTImporter): fixed #1511, SF bug 3012953: iptables import parse error icmp_type any 2010-06-07 Vadim Kurland * CompilerDriver_pix_run.cpp (CompilerDriver_pix::pixNetworkZoneChecks): fixed #1491 fwb_pix crashes trying to compile simple rule. Compiler should check validity of the object used as network zone of an interface. * FWBSettings.cpp (FWBSettings::init): fixed #1501 call qsrand(seed) to seed random generator before generating new UUID * TransferDevice.h (fwtransfer): fixed #1490 compile problem with Qt 4.7 * FWWindow.cpp (FWWindow::prepareRulesMenu): fixed #1489 removed unnecessary debugging messages. * interfaceProperties.cpp (interfaceProperties::manageIpAddresses): fixed #1506 SF bug #3011516: generated iptables script tries to update ip addresses of unnumbered interface. * v4.0.2 started 2010-06-06 vadim * FWBSettings.cpp (FWBSettings::FWBSettings): using separate settings object and file in the .ini format to store instance uuid to ensure uuid persistence on windows across upgrades done with complete deinstall. Fixes #1497 * UserWorkflow.cpp (UserWorkflow::flagsToQueryString): added user workflow progress flags for an attempted install and first successful install. Both flags are boolean true/false indicating that the even occurred. 
We do not track and do not report any information about the firewall, platform, rules etc. These flags will be used to determine how many users abandon the program before even trying to run install for real because it is too complicated or the UI is not good enough. Fixes #1495 * UserWorkflow.cpp (UserWorkflow::flagsToQueryString): added user workflow flag indicating that ssh/scp have been configured in the Prefereces dialog. The flag is boolean and registers only the fact that something was entered in ssh and scp fields. Actual path and programs used are not registered and reported. Fixes #1496 2010-06-03 vadim * v4.0.1 released 2010-06-02 vadim * Preprocessor.cpp (Preprocessor::findMultiAddressObjectsUsedInRules): change in libfwbuilder: fixed #1485 "dns name object is recognized as an empty group when it appears in shared rule set" 2010-06-02 yalovoy * fixes #1484 "paste below" function pastes rules out of order 1) copy 2 complete rules 2) go to a(nother) policy 3) right click on rule 0, say "paste rules below" => BUG: the two rules from the buffer become rules 0+2, the original rule 0 becomes rule 1 The original should stay rule 0, the two from buffer become 1+2 Affected files: FWCmdRule.cpp, FWCmdRule.h, RuleSetView.cpp 2010-06-01 vadim * Help.cpp (Help::downloadComplete): fixed #1482 Class Help should open window only after successful download * ObjConflictResolutionDialog.cpp (ObjConflictResolutionDialog::run): refs #1483 If program detects change in CustomService object and the change just adds code string for a platform that was not in the object in the user's data file, the change is accepted without showing the dialog. * ../src/res/objects_init.xml.in: fixed #1483 "missing code in the custom service object ESTABLISHED for ProCurve" 2010-05-31 vadim * FWWindow.cpp (FWWindow::checkForUpgrade): added mechanism for one-time announcements that can be pulled from the web site when version check server says there is one. Announcement is shown only once. 
To do this, I store time stamp when it was shown in settings using hash of the announcement url. * Help.cpp (Help::setSource): made class Help capable of downloading contents via HTTP. * FirewallDialog.cpp (FirewallDialog::fillVersion): fixed #1481 when user changes platform in the firewall object, its version should change too. 2010-05-28 vadim * ObjectManipulator.cpp (ObjectManipulator::editSelectedObject): see #1447 Reverting change done for ticket #1447 in r2892 and r2896 because of the user complaints. It appears to be more convenient if Policy, NAT and Routing objects open in the rule set view on double click but not in the editor. Second double clik opens these objects in the editor. 2010-05-25 vadim * configure.in (CPPUNIT_LIBS): fixed #1478 always use included antlr run-time library. Because of the fixes I've made in CircularQueue?.hpp in 2008 for 64 bit systems, we should always link with antlr run-time that is included with fwbuilder code tree rather than attempt to use the one that might be installed with the OS. 2010-05-24 vadim * UserWorkflow.cpp (UserWorkflow::report): see #1466 Implemented instrumentation that should help us improve user experience. Will track few things that new users do (or don't do) and report as a combination of boolean flags at the end of the GUI session. Reporting things such as if user ever looked at the "Getting Started" tutorial, if they created their first firewall object, modified any rules, tried to compile, install or import existing rule set. Information passed in the report is strictly a set of boolean flags, it is not identifiable and does not reveal what firewall platform they are using or anything about their objects and rules. List of flags is listed in the module UserWorkflow.h 2010-05-23 vadim * FWCmdAddObject.cpp (FWCmdAddObject::redo): fixed #1468 Open new object in the editor after it has been created. * applied patch by Vadim Jukov , maintainer of OpenBSD port. 
Patch fixes compile issues on OpenBSD 2010-05-22 yalovoy * fixes #1463 Always show branch rule set name with action "Branch" affected files: RuleSetView.cpp, RuleSetViewDelegate.cpp, RuleSetViewDelegate.h * fixes #1469 some actions should always display argument, even when text labels for actions and directions is off affected files: RuleSetViewDelegate.cpp 2010-05-21 vadim * RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): fixes #1467: "rule options dialog shows iptables parameters for procurve_acl" * FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getPolicyRuleOptions): fixes #1457 "tooltips for rule options seem to be broken". Tooltip always includes the line telling of the rule is "stateful" or "stateless", the function almost never returns empty string now. Added missing hashlimit parameters to the rule options tooltip. Some of the more rarely used hashlimit parameters are still not included in the tooltip. Improved tooltip formatting using html table. 2010-05-20 vadim * ProjectPanel.cpp (ProjectPanel::addRule): fixed #1461 Need obvious button to add new rule to the empty rule set * instDialog.cpp (instDialog::show): fixed #1462 "if you do a bulk install, and then want to do a single install, bulk mode is selected" * ActionsDialog.cpp (ActionsDialog::setRule): fixed #1464 SourceForge bug 3004274: "Branch rule set object displays improperly". Branch rule set attribute was not loaded properly into Branch action dialog for rules of PF firewalls. 2010-05-17 vadim * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printRule): restored function of the "comment the code" in the "Script options" of the firewall settings dialog for Cisco IOS ACL and ProCurve ACL. When this checkbox is off, comments are not added to generated script. * RuleSetViewDelegate.cpp (RuleSetViewDelegate::paintOptions): fixed #1460 "when "show icons in rules" is turned off, there is no way to tell when logging is turned on and non-default options are present in a rule". 
* fixed #1339 "Logging" icon appears looking the same as "Rule options" icon on Mac 2010-05-15 Vadim Kurland * linux24Interfaces.cpp (linux24Interfaces::basicValidateInterfaceName): fixed #1458 Should permit interface name "br-lan" for bridge interface on Linux. Bridge interfaces on Linux can have any name, including those with "-". OpenWRT creates bridge interface with the name "br-lan" by default. 2010-05-14 Vadim Kurland * update_addresses: fixed #1455 Function update_addresses() (host OS linux24 and derivatives) uses both ip and ifconfig. Should stick with /sbin/ip so the script works on systems where ifconfig is not installed. 2010-05-13 Vadim Kurland * FWObjectDropArea.cpp (FWObjectDropArea::editObject): fixed #1452 double click on a rule set in the branch action dialog should open it in rule set view * iptables.g (MATCH_RECENT_SET): see #1451 "policy importer should support some popular iptables modules". Added support for module "recent" and rules that match standard ip/icmp/udp/tcp protocols and at the same time module "mark", "length", "limit" or "recent". Rules like these are translated into a combination of a branching rule and additional rule in a branch rule set that implements module match. * iptables.g (multiport_tcp_udp_port_spec): fixes #1453 "iptables importer should parse multiport module parameter --ports". Module multiport with parameter "--ports" matches either source or destination port numbers. Importer creates two tcp (or udp) service objects to implement this match. * IPTImporter.cpp (IPTImporter::addSrv): See #1450, SourceForge ticket 3000809: iptables parser can now import "mark" module matches with hexadecimal parameters and "length" module matches. Also added check in the importer for broken iptables-save files where rules for any table are not terminated with "COMMIT".
2010-05-12 vadim * configlets/procurve/installer_commands_pre_config: commands for the installer for ProCurve * instDialog.cpp (instDialog::isCiscoFamily): Using the same built-in installer for Cisco and for ProCurve. * procurveaclAdvancedDialog.cpp (procurveaclAdvancedDialog::procurveaclAdvancedDialog): fixed #1449 options for ACL remarks and comments for ProCurve * PolicyCompiler_procurve_acl_writers.cpp (PolicyCompiler_procurve_acl::printAccessGroupCmd): generated commands that attach acl to a regular interface needed newline after "exit". * configlets/procurve/safety_net_acl: generating different commands in "Safety net" install mode depending on whether management interface is vlan or not. 2010-05-11 Vadim Kurland * ObjectManipulatorTest.cpp (ObjectManipulatorTest::editSelectedObject): see #1447 fixed unit test for this change * ../src/res/configlets/dd-wrt-jffs/installer_commands_root: fixes #1448 "need to commit nvram changes on DD-WRT". * ObjectManipulator.cpp (ObjectManipulator::editSelectedObject): fixes #1447: context menu item "Edit" associated with rule set object in the tree opens it in the rule set view and the editor panel. Menu item "Open" only opens it in the rule set view. This eliminates strange behavior where it would open in the rule set view on first click on "Edit" and then in the editor in the second click on "Edit". Double click used to work the same, the first double click opened in rule set view, the second in the editor. Now double click always opens in rule set view and the editor which is more consistent with the behavior for other object types. * PolicyCompiler_procurve_acl_writers.cpp (PolicyCompiler_procurve_acl::printAccessGroupCmd): ProCurve uses different syntax for vlan ACLs and ACLs bound to switch ports. Enabled "advanced interface settings" dialog for ProCurve interfaces. * InterfaceDialog.cpp (InterfaceDialog::loadFWObject): button "Advanced interface settings" is controlled by element in the host OS xml resource file.
Before, it was controlled by the element . I need this button and associated dialog for vlan interfaces on ProCurves, where vlan interfaces are not subinterfaces. 2010-05-10 vadim * CompilerDriver_procurve_acl_run.cpp (CompilerDriver_procurve_acl::run): See #1442 Support for HP ProCurve. Added experimental support for HP ProCurve "intelligent" switches (L3). Code is based on the policy compiler for Cisco IOS extended access lists. Differences include ';' character for comments, different naming convention for Vlan interfaces ("VLAN 2", with a space), requirement to unbind an ACL from interface before it can be cleared. * CompilerDriver_iosacl.cpp (CompilerDriver_iosacl::safetyNetInstall): using configlet "safety_net" to add temporary ACL for the "safety net" install method. 2010-05-05 Vadim Kurland * ProjectPanel_events.cpp (ProjectPanel::event): fixed #1443 GUI crashes compiling file opened read-only. If a file that was added to RCS was opened read-only and then any firewall object in it compiled, the GUI crashed trying to update "last_compiled" timestamp. * ssh_wrappers.cpp: fixed #1444 compile error on FreeBSD-Current Compiler issues error "/usr/include/utmp.h:2:2: error: #error &lt;utmp.h&gt; has been replaced by &lt;utmpx.h&gt;" * started work on v4.0.1. VERSION set to 4.0.1 in libfwbuilder and fwbuilder 2010-05-04 Vadim Kurland * v 4.0.0 released 2010-05-02 Vadim Kurland * Helper.cpp (Helper::findInterfaceByNetzone): fixed #1439 "ssh access rule uses wrong interface in the generated PIX config" * instDialog_ui_ops.cpp (instDialog::opError): fixed #1438 "installer crashes when user interrupts install to PIX". This only affected installs to PIX cluster and only if user decided to interrupt the process. 2010-05-01 vadim * new_object.cpp (_modObject): fixed #1437: fwbedit should support object type Cluster.
* fwbedit.cpp (usage): fixed #1435: typo in fwbedit "usage" text * new_object.cpp (_modObject): fixed #1434 "fwbedit modify comment operation expects an attribute" * instDialog.cpp (instDialog::show): fixes #1433 "batch install" checkbox should be enabled even when when there is only one cluster in the list of objects to compile and install. * CompilerDriver_ipt_policy.cpp (CompilerDriver_ipt::processPolicyRuleSet): fixes #1432 "automatic rule with --restore-mark is missing if rules using action Tag are not in the default Policy rule set". 2010-05-01 yalovoy * RuleSetView.cpp: fixes #1431 GUI crash adding rules to rule group 2010-05-01 vadim * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule): fixed #1411 outbound rule that permits VRRP should be added outside the loop to avoid duplicate rules for clusters with 3 or more members. 2010-04-29 Vadim Kurland * SSHSession.cpp (SSHSession::terminate): see #1426, #1428 QProcess sends signal "finished()" during event processing on windows, added checks for that. * instDialog.cpp (instDialog::mainLoopInstall): disabling and enabling "stop" button in the compile/install dialog appropriately 2010-04-28 Vadim Kurland * instDialog.cpp (instDialog::show): fixes #1429 "Finish" button is activated during compile. Also added unit test for this. 2010-04-27 vadim * CompilerDriver_ipt.cpp (CompilerDriver_ipt::dumpScript): fixes #1425 "iptables script generated for the empty rule set is broken". Compiler generated empty shell function for empty Policy rule set. It should always include at least automatic rules. * SSHSession.cpp (SSHSession::terminate): see #1426, #1428 use QProcess::waitForFinished() instead of just sleep() after we send TERM signal to the background process. Also let Qt process events to update the GUI while waiting. 
* instDialog_installer.cpp (instDialog::stopInstall): fixed #1428 button "Stop" in the installer dialog does not stop installer process * SSHSession.cpp (terminate): fixes #1426 "segfault when cancel while installing" (SF bug 2990333). No need to process events in terminate(); instead, using QProcess::waitForFinished() to give QProcess object opportunity to call this signal if user hit Cancel at just right time when background process has finished but QProcess has not noticed this yet. This situation caused crash reported in the SF bug. This problem appears to be specific to some versions of Qt. It does not happen with Qt 4.5.0 or Qt 4.6.2 but happens with 4.5.3. * instDialog_ui_ops.cpp (addToLog): working on #1426 "segfault when cancel while installing". SF bug 2990333. Processing of large chunks of compile or installer output took long time, especially scanning for errors and warnings which involves RegEx match. Splitting the buffer onto individual QString lines and matching each line against all error and warning pattern regexes made it much faster. Also do not call qApp->processEvents() from addtoLog() to avoid recursive call. * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::checkForShadowingPlatformSpecific): see #1417 (SF bug 2992177) rule with greater limit module rate value shadows rule with lower rate value. Comments in the code explain why. 2010-04-26 vadim * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::checkForShadowingPlatformSpecific): additional fix for #1417 (SF bug 2992177): compiler should compare limit rate value and other parameters set for modules limit, connlimit and hashlimit while deciding if rules shadow each other. 2010-04-24 Vadim Kurland * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::checkForShadowingPlatformSpecific): fixes #1417 rule shadowing detection should recognize different rule options. Policy compiler for iptables takes into account rule options for modules limit, connlimit and hashlimit when it considers rules for rule shadowing. 
* instDialog.cpp (instDialog::show): fixed #1419: clear progress log display when instDialog is opened 2010-04-23 vadim * MangleTableCompiler_ipt.cpp (keepMangleTableRules::processNext): fixed #1415 "action branch that creates branch in mangle table should branch in FORWARD chain". Rule with "any" in src and dst and action Branch with option "branch in mangle table" will go into FORWARD chain in addition to the PREROUTING and POSTROUTING chains as before. Note that choice of PREROUTING or POSTROUTING chains depends on direction. 2010-04-23 Vadim Kurland * instDialog.cpp (instDialog::show): fixed #1418 "install checkboxes disappear from the compile/install dialog". This was a regression introduced when we fixed #547 ("User can open multiple compile/install dialogs") * instDialog_ui_ops.cpp (instDialog::checkIfNeedToCompile): see #1418 Simplified algorithm that decides whether compile and install checkboxes should be turned on in the install/compile dialog. Now always using Firewall::needsCompile() and Firewall::needsInstall(), which check "last_modified", "last_compiled" and "last_installed" timestamps. Before this change, the dialog also tried to take into account how the dialog was started, using main toolbar or menu or context menu or local toolbar. This was confusing and hard to test. * PolicyCompiler_PrintRule.cpp (PrintRule::_printTarget): fixes #1416 leading blank space in front of the custom action is missing. SF bug 2991397. 2010-04-22 vadim * NATCompiler_pf.cpp (VerifyRules::processNext): see #1401. Because of the change in the nat and rdr rules syntax in 4.7, I can no longer implement no-nat rules correctly for this version. They dropped the "no" keyword and their examples suggest using "pass" to implement exclusions for the nat rules. I need no-nat rule to just not translate but not make a decision whether the packet should be passed or dropped. 
In the new PF model, translation rules are just options on the matching policy rules and they do not offer any keyword or option to not translate. * NATCompiler_pf_writers.cpp (PrintRule::processNext): fixes #1401 nat rules syntax has changed in OpenBSD 4.7. Nat and rdr rules in 4.7 should be implemented using action "match" and keywords "nat-to" and "rdr-to" * PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): fixes #1414: use "match" action for tagging. Policy rules with action Tag should use pf action "match" instead of "pass" if version is 4.6 or later. 2010-04-20 vadim * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule): fixes #1411 "automatic rules for the HA protocol should match source IP". Rules added for heartbeat in unicast mode already matched source IP, this change makes rules added for VRRP, OpenAIS and heartbeat in multicast mode also match source address. * configlets/ipf/script_skeleton: fixed #1409, SF bug 2985886. Depending on the combination of the activated options, shell functions in the generated launcher script could have no body, which is a syntax error in bash. 2010-04-09 vadim * RoutingCompiler_ipt.cpp (RoutingCompiler_ipt::epilog): fixed #1404 call to function restore_script_output in the generated iptables script is sometimes added without function definition * NATCompiler_pf.cpp (ReplaceFirewallObjectsODst::processNext): fixes #1397 PF compiler fix: destination nat rule with fw object in ODst should skip "on intf" * NATCompiler_ipt.cpp (AssignInterface::processNext): fixes #1403 refs #1150 "Using ip address of wrong interface" is broken in v4.0. This effectively rolls back change r2437. With no "Interface" column in the NAT rules, it is difficult to build rules with arbitrary "-o" clause using address for SNAT that does not match interface of the firewall, or especially rules with address for SNAT that does match some interface but with another interface in "-o".
Keeping old documented behavior where object in TSrc dictated this. If the object was a child of the firewall (an interface or address), then the rule was attached to the interface using "-o". If the object is not a child of the firewall, then the rule is attached to all interfaces using "-o eth+" but skips unnumbered interfaces. Column "interface" should be added to the NAT rules in the future to avoid these complications. * ProjectPanel_state_ops.cpp (ProjectPanel::saveState): fixed #1402 GUI crashes on exit when no rules are opened in the ruleset panel view * ObjectTreeViewItem.cpp (ObjectTreeViewItem::data): fixed #1398 bold font and "*" in the tree indicate firewalls that require installation but should indicate those that require recompile 2010-04-08 Vadim Kurland * interfacePropertiesObjectFactory.cpp: fixed #1396, SF bug 2984193 Vlan error when OpenWrt is selected as host 2010-04-08 vadim * CompilerDriver.cpp (CompilerDriver::copyFailoverInterface): see #1394 there is no need to add a copy of member interface objects to the cluster anymore. * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::_expand_interface): fixes #1394 Using existing virtual functions that expand multiple addresses to expand cluster interfaces. Added parameter bool expand_cluster_interfaces_fully to _expand_addr, _expand_addr_recursive and _expand_interface. Now expanding cluster interface in the Compiler::_expand_interface instead of PolicyCompiler_ipt::_expand_interface. Now it is possible to use interface of another cluster in rules (interface of a cluster object different from the one being compiled). * ProjectPanel_file_ops.cpp (ProjectPanel::exportLibraryTest): fixed #1395 "routing rules are not reported properly while exporting library" * configlets/linux24/update_addresses: fixed #1391 "function getaddr_internal does not work with point-to-point interfaces". In fact, fwbuilder v3 and v4 can not manage ip addresses of point-to-point interfaces. 
This fix makes generated script skip such interfaces and do not try to add, remove or change their ip addresses. Proper support for address management of point-to-point interfaces will be added in the future versions of the program. 2010-04-07 vadim * IPTImporter.cpp (IPTImporter::pushPolicyRule): see #1390 'update iptables importer to recognize rules with "-i intf -o intf"' 2010-04-01 vadim * src/res/os/dd-wrt-nvram.xml: Added direct support for DD-WRT in two modes: nvram and jffs 2010-04-01 Vadim Kurland * AddressRangeDialogTest.cpp (AddressRangeDialogTest::initTestCase): fixed #1366 - fixed unit test for AddressRangeDialog class 2010-03-29 vadim * RoutingCompiler_iosacl_writers.cpp (PrintRule::_printRItf): fixed #1379 "Should be able to build routing rules with interface as gateway for IOS". Routing rules for IOS now have column "Interface". Rules can be built either with explicit address of the gateway or interface. * PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): fixed #1375 Interface group is not expanded in "Interface" rule element by compiler for PF * FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getObjectProperties): fixed #1371 "interface properties look ugly when interface is a member of a group". 2010-03-28 Vadim Kurland * generatedScriptTestsLinux.cpp (GeneratedScriptTest::CheckUtilitiesTest): See #1370. This is a place for the future compiler unit tests. In the future we are going to migrate tests from test/ipt/ to this directory, using cppunit framework and functions added to the class Configlet per #1369 * Configlet.h (class Configlet): fixes #1369 "Framework for unit testing of code generation via configlets" 2010-03-28 vadim * configlets/openbsd/installer_commands_reg_user: see #1368 A fix for the problem that causes built-in installer to hang after updating configuration of PF firewalls. 2010-03-27 vadim * fixed #1360 "negation of cluster interfaces is broken". 
Rule with one or several cluster interfaces in the "Interface" rule element with negation should compile into a rule using all other interfaces of the member firewall, or using single object negation "!" if appropriate. This is also fixed in compiler for PF. Files: src/iptlib/PolicyCompiler_ipt.cpp src/pflib/PolicyCompiler_pf.cpp See also changes r591 , r592 in libfwbuilder * platforms.cpp (isDefaultPolicyRuleOptions): fixed #1365 "missing some flags for the "non-default" rule options for PF" * FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getPolicyRuleOptions): fixed #1364 "add synproxy and other missing pf rule options to the rule options tooltip" 2010-03-26 vadim * RuleSetModel.cpp (RuleSetModel::getDecoration): fixed #1363 "GUI crash in newClusterDialog". GUI crashed after a new cluster object has been created from two PF firewalls. * configlets/linux24/check_utilities: fixed #1359 "generated script hangs testing for iptables-restore" 2010-03-25 vadim * FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getObjectPropertiesBrief): fixed #1356 "Show number of rules in the rule set object in the second column of the tree" * PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed #1351 "synproxy rule option is broken" 2010-03-24 Roman Bovsunivskiy * unit tests for IPv4Dialog, IPv6dialog, NetworkDialog, NetworkIPv6dialog fixed #1329, #1327 2010-03-23 Vadim Kurland * using CppUnit::TestFixture in unit tests based on cppunit: ImporterTest.h UsageResolverTest.h RCSTest.h FWBTreeTest.h interfacePropertiesTest.h * configlets/linux24/check_utilities: fixes #1348 "check_tools should check IPTABLES and IPTABLES_RESTORE as well" 2010-03-20 vadim * FWWindow.cpp (FWWindow::updateGlobalToolbar): additional check for condition that happens in unit test 2010-03-19 vadim * FWWindow.cpp (FWWindow::updateGlobalToolbar): fixed SF bug 2973137 "'warning text goes here'". 
Main toolbar buttons "Compile" and "Install", as well as menu items Rules/Compile and Rules/Install should be disabled if currently opened data file has no firewalls to compile. * CompilerDriverFactory.cpp (CompilerDriverFactory::createCompilerDriver): fixed SF bug 2973221 "single rule compile (x) results in sigsegv". * SSHCisco.cpp (SSHCisco::stateMachine): fixed SF bug 2973136, fwbuilder bug #1347: ssh 'cancel' rule install sigsegv. Installer caused GUI crash if user hit "Cancel" at just the right moment. Apparently this also depends on the firewall platform (was discovered and reported for Cisco FWSM) and perhaps on how fast it responds to the installer commands. * platform/fwsm.xml: fixed SourceForge bug 2973121: Added support for FWSM v4.x * pixAdvancedDialog.cpp: fixed SourceForge bug 2973079 "pix typo" (typo in a tooltip) 2010-03-18 vadim * fixed SourceForge bug #2972699 "fwsm/pix syslog name". The dialog only accepts ip address for the syslog server. * configlets/ipfw/script_skeleton: fixed #1335 "Empty functions in ipfw script". Under some circumstances shell functions in the generated ipfw script could have no body; /bin/sh does not like that. * newFirewallDialog::createFirewallFromTemplate: fixes #1340 firewall object created from template does not inherit fw and host os settings. See the ticket and comment in the code for caveats. * templates.xml.in: set "stateless rule " option in template rules where it makes sense; turned ip forwarding and "assume fw is part of any" in the "web server" template object. 2010-03-16 * RCS.cpp, FWWindow.cpp: Fixed #1334 Program failed to open data file on Windows if it was stored on mounted network volume. "File/Open" operation terminated with no error but did not load the file. "File/Open Recent" ended with an error message that quoted file path as something like this: "Volume{3c50bdba-21b0-4ea5-b52f-aa5d9755f918}/test1.fwb" which was obviously incorrect and the file could not be loaded.
2010-03-15 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules): fixes #1333 "Add variable management_interface for the automatic_rules configlet". Variable "management_address" renamed "ssh_management_address" to avoid ambiguity. * ObjectManipulator.cpp (ObjectManipulator::editSelectedObject): change in the behavior of double click in the tree. Open rule set object in the editor if it is already opened in RuleSetView. If we just opened it in RuleSetView, check if the editor is visible and if yes, open the object in the editor right away. Fixes #1331 2010-03-13 vadim * using file name for the floating tree panel title. See #1317 * fixes #1326 MDI subwindow title is left "Untitled" when GUI starts with a file on the command line 2010-03-13 Roman Bovsunivskiy * Object tree panel should have title when detached. Fixes #1317 2010-03-08 yalovoy * RuleSetView.cpp: fixes #1315 menu item "Remove from group" is available for rules inside the group. "Create new group" action is fixed too. * fixes #1202: Main menu "Rules" does not match rule context menu Items in the main menu Rules should get disabled and enabled just like items in the context menu do. Affected files: RuleSetView.cpp, RuleSetView.h * src/gui/FWWindow.cpp: fixes #1322 main menu items "Rules" are broken 2010-03-07 vadim * FWWindow.cpp (FWWindow::startupLoad): final (hopefully) design of the welcome/startup window. Always showing startup tip dialog; added buttons to show "Getting started" and "summary of features" to the same dialog window. Fixes #1224 * renamed menu item Help/Welcome to Help/Summary of features. fixes #1311 2010-03-07 yalovoy * refs #1202: Main menu "Rules" does not match rule context menu Items in the main menu Rules should get disabled and enabled just like items in the context menu do. 
Added action: copyRuleAction; cutRuleAction; pasteRuleAboveAction; pasteRuleBelowAction; disableRuleAction; enableRuleAction; setColorEmptyAction; setColorRedAction; setColorBlueAction; setColorOrangeAction; setColorPurpleAction; setColorGrayAction; setColorYellowAction; setColorGreenAction; Affected files: FWWindow.cpp FWBMainWindow_q.ui RuleSetView.cpp RuleSetView.h 2010-03-07 Roman Bovsunivskiy * ticket #1307 "cluster names in cyrillic appear garbled in instDialog list" * ticket #1289 "turn off mouse wheel scrolling of tabs in the main window MDI area" * Ticket #1310 "New slots in startup dialog". Buttons in the startup tip dialog connected to slots that open "Getting started" tutorial and "Summary of features" 2010-03-06 vadim * FWWindow.cpp (FWWindow::checkForUpgrade): code that checks if upgrade is available shows warning dialog no more than once a day. Also framework for unit testing of this function. See #1309 2010-03-05 vadim * instDialog_ui_ops.cpp (instDialog::fillCompileSelectList): fixed #1305 "Compilation of cluster firewall". when user tries to compile a firewall object that is also a cluster member, but did not request compilation of the cluster, a warning should be presented. * fixed #1303 "Improve design of the global Preferences, tab Objects" 2010-03-04 vadim * pfAdvancedDialog.cpp (pfAdvancedDialog::doScrubToggled): fixed #1297 "change in scrub rules in PF 4.6". PF 4.6 stopped support for several reassemble options except for "reassemble tcp" and changed format for the "scrub" rules. * PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext): recognize multicast when matching Network and NetworkIPv6 objects. Fixes #1298 * ObjectManipulator.cpp (ObjectManipulator::getDeleteMenuState): fixed #1301 "can not delete Policy object when it is in Deleted Objects lib". SF bug 2962628 2010-03-03 glitch.vk.crocodile.org * CompilerDriver_pix_run.cpp (CompilerDriver_pix::run): fixed #1296 "crash in fwb_pix". 
Compiler used to create copy of each network zone object, expanded it recursively and added network and address objects to the newly created group directly (rather than via references). This created objects that were referenced by two parents in the tree which caused crash in FWObject::destroyChildren() because an attempt to free the same block of memory twice. 2010-03-03 vadim * compiler_lib/CompilerDriver.cpp (CompilerDriver::commonChecks2): fixed #1292 Added check for interfaces with valid address and netmask 0.0.0.0 2010-03-03 glitch.vk.crocodile.org * iptables.g (port_def_with_incomplete_range): fixed #1294 'importer for iptables does not parse "--dport NNNN:"'. Policy importer for iptables should recognize the following variant of the --dport and --sport port ranges: "port1", "port1:port2", ":port1" and "port2:" 2010-03-03 vadim * IPTImporter.cpp (IPTImporter::finalize): fixed #1288 "all rules created by policy import have rule number 0" * FWWindowPrint.cpp (FWWindow::filePrint): fixed #1295 "File/Print does not work for clusters" * Importer.cpp (Importer::createAddress): fixed #1287 "policy importer (iptables) crashes when host name is used in iptables rule in place of an address". Importer now creates DNSName object. * fixed #1291 "deleted objects 'policy' problem". SF bug 2962628 If user ended up placing a 'policy' object in the 'Deleted Objects' library, it could not be deleted or opened. RuleSetView.cpp RuleSetModel.cpp ActionsDialog.cpp RuleSetDialog.cpp platforms.cpp * Helper.cpp: fixes #1293 When compiler searches for an interface that should match given address, it should skip unprotected interfaces. 2010-03-02 glitch.vk.crocodile.org * RCS.cpp (RCS::init): checking if RCS tools are installed on the system once in the beginning. This helps avoid unnecessary QProcess starts that make working with valgrind more difficult because of subprocess starts/stops. 
2010-03-01 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval): fixed time format for the iptables parameters --datestart, --datestop which is supposed to be ISO 8601 "T" notation but apparently with no support for time zone designators. Timezone designators are an error in iptables 1.4.1.1 and 1.4.5, did not test newer versions. Fixes #1286 SourceForge bug #2961532 2010-02-28 vadim * (many files) fixed warning " format not a string literal and no format arguments". Fixes #1285 2010-02-28 yalovoy * refs #1202: Main menu "Rules" does not match rule context menu Items in the main menu Rules should get disabled and enabled just like items in the context menu do. Added action: insertRuleAction, addRuleAfterCurrentAction, addToGroupAboveAction, addToGroupBelowAction Affected files: FWWindow.cpp RuleSetView.cpp RuleSetView.h 2010-02-27 vadim * ../src/gui/Tutorial/getting_started/html/page0.html: "Getting Started" tutorial is complete, it can be activated using main menu item "Help/Tutorials/Getting Started". 2010-02-27 glitch.vk.crocodile.org * unit_tests.sh (commands): Using Xvfb for GUI unit tests so they can run as an automated task. This was broken by r2602 2010-02-26 vadim * ../src/gui/TutorialDialog.cpp (TutorialDialog::showPage): TutorialDialog supports multiple tutorials. Each tutorial is presented in HTML with accompanying CSS stylesheet. fixes #1274 * ../src/res/configlets/bsd/update_vlans: fixes #1275 "script always deletes, then adds vlans back on OpenBSD" 2010-02-25 Roman Bovsunivskiy a2k0001@gmail.com * TutorialDialog.cpp (TutorialDialog::TutorialDialog): in-program tutorial "Getting Started". Activated using menu Help/Tutorial. Refs #1217 2010-02-19 vadim * ProjectPanel_state_ops.cpp (ProjectPanel::loadState): refs #1236 Crash on Mac.
The GUI could be crashed by repetitive scrolling of the tree and other parts of the main window with mouse scroll wheel on Mac * FindObjectWidget.cpp (FindObjectWidget::_findAll): fixed #1256 search in the policy of firewalls does not work. This problem was introduced with a fix for #1250 2010-02-15 yalovoy * ProjectPanel.cpp: fixes #1244 GUI crash on exit Looks like it is sufficient to just open some data file, open rule set (I tried with Policy) and insert a rule in the middle. Then exit the program and it crashes. 2010-02-18 glitch.vk.crocodile.org * PolicyCompiler_iosacl.cpp (splitTCPServiceWithFlags::processNext): fixed #1247 incorrect use of tcp service with flags in object-group. "object-group service" does not seem to support tcp flags and "established" * ObjectTreeViewItem.cpp (ObjectTreeViewItem::data): fixed #1248 Filtering in the object-tree crashes the GUI, SourceForge bug #2954501 * ObjectManipulator_tree_ops.cpp (ObjectManipulator::updateObjectInTree): fixed #1249 GUI freezes when filters are applied. The GUI would freeze for a few seconds every time user modified anything in rules if a filter was applied to the tree at the same time. SourceForge bug #2954501 * ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested): fixed #1255 context menu items "Lock" and "Unlock" are not updated after object is locked. * ProjectPanel_events.cpp (ProjectPanel::event): fixed #1253 Locking an object in the tree causes GUI crash. 2010-02-18 vadim * FWWindow.cpp (FWWindow::FWWindow): fixed #1252 The "New Object"-Dialog is always opened up twice when pressing + * FindObjectWidget.cpp (FindObjectWidget::_findAll): fixed #1250 The Find-Dialog searches 'Deleted Objects'-library although it's not enabled in the preferences. Sourceforge bug #2954501 * IPv4Dialog.cpp (IPv4Dialog::DNSlookup): fixed #1251 DNS-Lookups in Address-Objects don't work.
Sourceforge bug #2954501 2010-02-17 vadim * PolicyCompiler_iosacl.cpp (mirrorRule::processNext): fixes #1241 "add mirror rule" checkbox for IOSACL. New feature: policy rule option "Add mirrored rule" (checkbox in the rule options dialog) makes policy compiler for IOS ACL automatically create a rule with mirrored source and destination addresses and service fields. This can be used to match "reply" packets using address and service parameters matched by this rule. The action of the mirrored rule is the same as that of this one. Firewall Builder recognizes the following services and creates "mirrored" versions as follows: - UDP service: mirrored service has source and destination port ranges reversed - TCP service: mirrored service has source and destination port ranges reversed and "established" flag inverted. If TCP service used in this rule does not have "established" flag, the mirrored service gets it, and the other way around. This is designed to simplify creating ACL rules to permit "reply" TCP packets - ICMP service: ICMP echo request is recognized, mirrored service becomes ICMP echo reply. Other ICMP types are simply copied to the mirrored service - ICMPv6 service: like with ICMP, ICMP echo request is recognized and other ICMPv6 types are just copied - IP service: mirrored service is a copy * ssh_wrappers.cpp (ssh_wrapper): fixed #1246 policy installer fails on Linux. Policy installer failed with error "bash: -c: line 6: syntax error: unexpected end of file" while trying to activate iptables script on Linux. This error was introduced in one of the recent builds. 2010-02-16 vadim * fixed #1243 "new cluster" operation creates failover groups that recursively refer to the interfaces of the same cluster. This happened when new cluster was created with a copy of rules from one of the firewalls. newClusterDialog_create.cpp * fixed #1235 "cluster with dynamic interface can not be used in rules". 
Fixes this and several other problems with policy and nat rules that use cluster interfaces with dynamic addresses. PolicyCompiler_ipt.cpp NATCompiler_ipt.cpp * fixed #1240 nat rule should get "on interface" when cluster interface is used in TSrc. NATCompiler_pf.cpp * Configlet.cpp (Configlet::expand): added basic protection against infinite loops in configlet expansion. 2010-02-15 vadim * Added template for the OpenWRT firewall. Fixes #1237 2010-02-15 glitch.vk.crocodile.org * working on memory leaks with the help of valgrind. Refs #1229 Help.cpp Help.h RCS.cpp StartTipDialog.cpp StartTipDialog.h ssh_wrappers.cpp 2010-02-15 yalovoy * refs #1202: Main menu "Rules" does not match rule context menu Items in the main menu Rules should get disabled and enabled just like items in the context menu do. Affected files: FWWindow.cpp RuleSetView.cpp RuleSetView.h 2010-02-14 glitch.vk.crocodile.org * ProjectPanel.cpp (ProjectPanel): refs #1229 memory leak problems. 2010-02-14 yalovoy * fixes #1228: removing consecutive rules from a group in a ruleset its currently only possible to remove either the single top rule or single last rule from a group it would be useful to be able to select say the first several rules or last several rules and remove them all at once or if you select all rules in the group it would then just remove the group. Affected files: FWWindow.cpp FWWindow.h: #1228 RuleSetView.cpp: #1228 RuleSetView.h: #1228 2010-02-14 vadim * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::_expand_interface): fixes #1234 When failover group object is used in the rule, rule gets placed in FORWARD chain. Working implementation follows these rules: 1) if cluster interface object is used in the rule, it is expanded to the set of addresses including cluster virtual IP address and all addresses of the corresponding member firewall interface; 2) Failover Group is treated as any regular object group.
Expanding Failover group to the address of its parent (cluster interface) would work but seems counter-intuitive * PolicyCompiler_ipt.cpp (decideOnChainIfDstFW::processNext): fixes #1231 rules are placed FORWARD chain if firewall object is "bridging firewall". This bugfix concerns specific rule configuration used with bridging firewall where firewall object or one of its interfaces is used in "destination" and an interface which is not a bridge port is in the "interface" rule column. Rule like this should go into INPUT chain but compiler used to split it and put generated iptables rules in both INPUT and FORWARD chains. Rule should be placed in the FORWARD chain only if interface in "interface" column is bridge port. The same algorithm also applies to rules with firewall or one of its interfaces in the "Source" column. 2010-02-13 vadim * OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces): New feature: incremental management of pfsync0 interface on OpenBSD. The script checks if interface exists and if not, it runs "ifconfig pfsync0 create" command to create it. If interface exists, the script only runs ifconfig to configure its parameters but does not try to create it again. If State Synchronization group object is deleted in fwbuilder GUI, interface pfsync0 will be deleted on the firewall by the script. * OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces): generated script compares vlan and carp interfaces of the firewall with objects created in fwbuilder GUI and deletes any such interfaces it finds if they are not defined in fwbuilder. This is done even when there are no vlan or carp interfaces in fwbuilder configuration. This code is added only when checkboxes "Configure VLAN interfaces" and "Configure CARP interfaces" are checked. * OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces): New feature: generated script adds and removes CARP interfaces incrementally.
This means it is not going to run ifconfig command to create carp interface if it is already there and will run "ifconfig carp1 destroy" command if interface carp1 has been removed in fwbuilder GUI to delete it on the firewall. * OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces): New feature: incremental VLAN interface management for OpenBSD and FreeBSD. When user adds or removes VLAN subinterface in fwbuilder GUI, generated script executes appropriate ifconfig commands to add or remove corresponding vlan pseudo-interface on the firewall machine. 2010-02-12 vadim * OSConfigurator_bsd.cpp (OSConfigurator_bsd::updateAddressesOfInterfaceCall): New feature: incremental IP address management for OpenBSD and FreeBSD. Generated script adds and removes ipv4 and ipv6 addresses of interfaces as needed. When user adds an address in the fwbuilder object, the script adds it. Second run of the same script does nothing. If user removes an address in fwbuilder, generated script removes it from the interfaces to bring actual configuration of the machine in sync with fwbuilder objects. 2010-02-10 yalovoy * src/gui/RuleSetModel.cpp: fixes #1223: GUI crash while adding a host to a group To reproduce: - open test-fw1 / Policy by double clicking Policy object - expand Objects/Groups and Objects/Hosts tree branches - open group LDA-Servers by double clicking it - drag host ldap-server1 to the group dialog 2010-02-10 vadim * UsageResolver.cpp (list): fixes #1222 modification of host or fw settings of a member firewall does not trigger cluster recompile * InterfaceDialog.cpp (InterfaceDialog::validate): fixes #1221 warning dialogs for the incorrect interface name would not go away. If user entered incorrect name of the subinterface (e.g. name that is not a valid VLAN subinterface name) the GUI would pop up warning dialog infinitely.
* ../src/gui/ProjectPanel_events.cpp (ProjectPanel::event): this change attempts to fix a bug that causes main menu item Edit / Paste (keyboard shortcut Ctrl-V) to stop working. The bug is hard to reproduce and we were not able to find reliable scenario to trigger it. * PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext): fixes #1220 "bridging fw rule using all multicast object in destination does not produce any iptables rules". 2010-02-07 vadim * src/gui/ClusterGroupDialog.cpp (ClusterGroupDialog::applyChanges): fixes #1215 "Edit protocol parameters" button gets disabled for no reason. This button would get disabled after certain manipulations in the cluster group object dialog even when no changes were made. * FWCmdChange.cpp (FWCmdChangeOptionsObject::notify): fixes #1212 Cluster object was not marked for recompile when user edited conntrack group parameters 2010-02-06 vadim * src/pflib/PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixes #1210 "syntax error in PF rule - "modulate state" is required". Per bug reported in the mailing list (and according to the pf.conf manual), pf.conf requires "keep state", "modulate state" or "synproxy" if any of the stateful tracking options are used in the rule. These include "max", "no-sync", "pflow", "sloppy", "source-track" and others. * src/pflib/PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixes #1209 "incorrect syntax in PF rules when only "Activate source tracking" option is on". Compiler sometimes generated empty "( )" in the end of the pf.conf line when there were no state tracking options * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertConntrackRule): fixes #1175 "There is no option for unicast on conntrac sync-group (like heartbeat)". User can now choose between multicast and unicast for conntrackd communication. * FWWindow.cpp (FWWindow::showWelcome): fixes #1213 Welcome screen.
When user starts the program for the very first time, it shows a "Welcome" screen that lists summary of features of fwbuilder and provides a link to the Getting Started Guide on the web site. Link to the local copy of Release Notes is also provided. * InterfaceEditorWidget.cpp (InterfaceEditorWidget::isValid): "new cluster" wizard should permit the user to create cluster interfaces without IP addresses for any failover protocol. Disable widgets used to add virtual ip addresses only for protocol "None". All other protocols permit adding addresses regardless of the OS resource file attribute "no_ip_ok". * linux24.xml, openwrt.xml: fixed #1172 It is ok for a cluster interface with failover protocol heartbeat to have no ip address. There are legitimate configurations where admin might want to run heartbeat over an interface which itself has no virtual ip address, for example to confine heartbeat packets to a dedicated link. 2010-02-02 vadim * FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getObjectPropertiesDetailed): fixes #1201 "add parent to the object properties tooltip". Include parent name in the tooltip that is shown for interface objects. This helps identify interfaces in rules, especially subinterfaces and interfaces with common names in complex configurations with many firewall objects. * NATCompiler_ipt.cpp (ReplaceFirewallObjectsTSrc::processNext): fixes #1200 "SNAT with cluster object in TSrc uses all interfaces". When a network or host address used in OSrc of a NAT rule matches one of the interfaces of the firewall or a cluster, there is no need to use this interface for the "-o" clause in SNAT rule. 2010-02-02 glitch.vk.crocodile.org * FWWindow.cpp (FWWindow::closeEvent): fixes #1207 'status "maximized" of internal subwindows is not saved correctly' 2010-02-01 vadim * FWWindow.cpp (FWWindow::fileExit): fixes #1197 "clicking Cancel in RCS log dialog cancels log but the program still exits".
* CompilerDriver.cpp (CompilerDriver::populateClusterElements): see #1198. The check of subnets defined by the member and cluster interfaces has been removed. The check originally implemented by Secuwall developers looked only at the first address of the interface and ignored others. It also did not allow for the cluster interface netmask /32, which is the case with vrrpd. All in all, the value here does not seem to be worth the effort of implementing checks for all combinations. * ../src/res/configlets/linux24/update_addresses: fixes #1196 "shell function update_addresses_of_interface() does not ignore virtual addresses of cluster interfaces". When generated iptables script updates ip addresses of interfaces, it should ignore addresses managed by vrrpd, heartbeat or other failover daemons. The script did not ignore them and instead removed them from interfaces. * objects_init.xml: fixes #1194 "Add standard address objects for various multicast groups". Added address objects for standard multicast groups OSPF, RIP, EIGRP, DHCP server / relay agent, PIM, RSVP-ENCAPSULATION, VRRP, IGMP, OSPFIGP-TE, HSRP, mDNS, Link-local Multicast Name Resolution, Teredo. * ObjectManipulator.cpp (ObjectManipulator::updateCreateObjectMenu): fixes #1195 the GUI should enable "new object" button and menu item when objects_init.xml library is opened * platforms.cpp (isDefaultPolicyRuleOptions): fixes #1193 default setting for "Assume fw is part of any" per-rule option is "follow global" * ../src/res/os/linux24.xml: fixes #1192 "iptables script should skip virtual addresses configured on cluster interfaces while updating addresses of interfaces". The problem only affected cluster interfaces with VRRP failover protocol. * InterfaceEditorWidget.cpp (InterfaceEditorWidget::deleteAddress): fixes #1191 "broken behavior in InterfaceEditorWidget".
When user added and then deleted bunch of ip addresses to an interface in the new firewall or new cluster wizard, addresses below the deleted row were ignored. * InterfaceEditorWidget.cpp (InterfaceEditorWidget::deleteAddress): fixes #1189 "GUI crash in newFirewall dialog upon completion". GUI crashed in the new firewall wizard if user deleted an address of an interface that had 3 or more addresses. 2010-01-31 vadim * NATCompiler_ipt.cpp (ReplaceFirewallObjectsTSrc::processNext): fixes #1185 "do not include member ip addresses for cluster NAT policies". For NAT rules in a cluster, make it use only cluster ip and ignore member ips. * PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext): fixes #1187: "regression in compiler for PIX". Rules that have cluster or firewall object in src or dst that expands to a bunch of addresses that match network zones of different interfaces should still be assigned to the interface dictated by the combination of both src and dst. There is no need to add them to the ACL of interface 1 in direction "outbound" if destination belongs to the network zone of interface 2. Rule like that should only be assigned to interface 2, direction outbound. However this does not apply to anti-spoofing rules. * NATCompiler_ipt.cpp (AssignInterface::processNext): fixes #1184 "compiler/GUI crash compiling cluster NAT rule when cluster and members have dynamic interface". It should be possible to have cluster interface that is mapped to dynamic interfaces of the member firewalls and then use this interface or whole cluster object in rules. Compiler should expand cluster object and replace it with its interfaces and corresponding interfaces of the member firewall and then correctly handle dynamic ones.
2010-01-31 yalovoy * RuleSetModel.cpp: fixes #1182 rule number column is invisible when very first rule is created in a rule set * fixes #1164 focus moves in RuleSetView after paste If i am in a rule and place the selection to service field of say rule 1 and ctrl c and then arrow down the selection to service element in rule 2 and ctrl v the focus then moves back to the rule number element of rule 2 after the paste instead of staying on the service element. likewise if i am on an element and do ctrl x it brings the focus back to the rule number element. my first expectation was that the focus would remain on the service element of the rule and not brought back to the rule number element. i guess this has something to do with refresh of the gui and you are not keeping track of which element the selection was on for the last operation. Affected files: FWCmdRule.cpp FWCmdRule.h RuleSetView.cpp RuleSetView.h 2010-01-30 vadim * change in libfwbuilder. fixes #1173 "rule ID labels do not match rule numbers when disabled rules exist in rule set". Do not remove disabled rules in PolicyCompiler::prolog() because some compilers might use RuleSet::insertRuleAtTop() and other similar methods from prolog() or addPredefinedPolicyRules() and these methods renumber rules. As the result, labels stop matching rule positions when this is done because labels are configured in prolog() method of the base class. See fwbuilder ticket 1173. Instead of dropping disabled rules in prolog(), will keep them and drop them in rule processor Begin which is always the first in all compilers. * PolicyCompiler_ipt.cpp (checkInterfaceAgainstAddressFamily::processNext): fixes #1172 "fwb_ipt does not generate rule for cluster interface with no ip address". * OSConfigurator_linux24.cpp (OSConfigurator_linux24::processFirewallOptions): fixes #1177 "problems with commands for conntrack_max, hashsize and other advanced conntrack parameters". 
Needed to add a line break between shell commands that set up kernel variables and those that set up conntrack kernel variables. * FWWindow.cpp (FWWindow::showSub): fixes #1181 "save state of subwindow on maximize/restore". The GUI would revert to the non-maximized subwindows display if user de-maximized subwindow, then maximized it again and tried to open new data file. * ProjectPanel_file_ops.cpp (ProjectPanel::fileNew): fixes #1178 window title stays "[Untitled]" after File/new 2010-01-30 yalovoy * fixes #1159 GUI crash on redo() : FWCmdChange.cpp FWCmdChange.h * fixes #1121 changing "rules font" in global preferences has no effect PrefsDialog.cpp RuleSetModel.cpp RuleSetViewDelegate.cpp 2010-01-30 vadim * ../src/res/os/linux24.xml: fixes #1180 "heartbeat failover protocol uses virtual ip address". New cluster wizard did not allow the user to add ip address to cluster interface configured with heartbeat failover protocol. * ../src/gui/instDialog_ui_ops.cpp (instDialog::setFlags): fixes #1176 GUI crash while compiling cluster object with no StateSyncGroup. * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule): fixes #1174 "OUTPUT rule is not generated for heartbeat". Automatically generated rules for cluster members using heartbeat should be placed in both INPUT and OUTPUT chains. * ../src/gui/FirewallDialog.cpp (FirewallDialog::applyChanges): fixes #1171: the warning dialog asking if ip address objects should be renamed automatically appears twice. when user renames cluster, firewall, host or interface object, the GUI asks if they want to rename ip address objects as well to make them adhere to some naming convention. The warning dialog appeared twice on Mac and Windows with Qt 4.6 2010-01-29 vadim * ../src/res/configlets/linux24/installer_commands_reg_user: try to cancel reboot only if one is pending. This avoids a warning saying "cant find pid of running shutdown" every time user installs updated iptables script on Linux firewall. 
Fixes #1169 Fwbuilder can schedule reboot in a few minutes if user installs updated policy in "test mode" and requests reboot as a brute-force rollback to safeguard against locking themselves out of the firewall in case of error in the policy. * ../src/gui/ObjectManipulator_ops.cpp (ObjectManipulator::autorename): cluster failover group objects are now included in the algorithm that automatically renames addresses of interfaces when user renames firewall or cluster object. Fixes #1170 * ../src/gui/ObjectManipulator_slots.cpp (ObjectManipulator::copyObj): show a note on the status bar whenever user copies an object to clipboard. fixes #1167 2010-01-28 vadim * ../src/gui/ProjectPanel.cpp (ProjectPanel::isManipulatorSelected): fixes #1130 "Ctrl-C , Ctrl-V shortcuts do not work for selected objects in rule elements". Global keyboard shortcuts Ctrl-C, Ctrl-V, Ctrl-X should work on objects in rule elements when keyboard focus belongs to the rule set view or on objects in the tree when focus is on the tree. This also fixes #1138 "ctrl+x and edit->cut problems in both Policy and NAT". These keyboard shortcuts operate only on objects in the tree and rule elements but not on rules. Visual difference between the state when whole rule is selected and the state when an object is selected in one of the rule elements is insufficient so making Ctrl-X cut whole rule may appear unexpected for the user. 2010-01-26 vadim * RuleSetView.cpp (RuleSetView::showContextMenu): fixes #1155 context menu is not updated on rule enable/disable * NATCompiler_PrintRule.cpp (PrintRule::processNext): fixes #1147 --persistent option for DNAT and SNAT. This adds support for the "--persistent" option in NAT rules. Version should be set to 1.4.3 or later in the firewall object. * NATCompiler_PrintRule.cpp (PrintRule::processNext): fixes #1146 support for NAT MASQUERADE source port randomization. This adds support for the "--random" option for SNAT, DNAT and MASQUERADE targets in iptables NAT rules.
User needs to turn on the checkbox that adds this option in NAT rules again 2010-01-26 yalovoy * RuleSetView.cpp: fixes #1145 show keyboard shortcuts for "move rule up/down" in the rule context menu * RuleSetView.cpp: fixes #1158 ctrl page up/down breaks arrowing in the ruleset 2010-01-26 vadim * FWCmdChange.cpp (FWCmdChange::notify): fixes #1139 GUI crash on click in undo panel view. Sequence that caused crash: 1) new firewall next next finish 2) rename firewall couple of times 3) click to top of undo stack and it crashes * DiscoveryDruid.cpp (DiscoveryDruid::createRealObjects): fixes #1144 after snmp discovery object attributes are not shown properly in the tree 2010-01-25 vadim * ProjectPanel_file_ops.cpp (ProjectPanel::chooseNewFileName): fixes #1157 Qt dialog does not detect conflict of filenames properly for linux. When user tried to create new file using File/New or save existing one using File/SaveAs and entered a name without extension when prompted to enter the file name, the program would overwrite existing file with the same name and suffix ".fwb" without warning. This happened on Linux but did not happen on Mac OS X where dialog automatically added the suffix to the file name. * PolicyCompiler_pf.cpp (PolicyCompiler_pf::insertCarpRule): fixes #1152 CARP and pfsync rules should match "in" and "out". Automatically added rules for CARP and pfsync for the PF firewall should match in both directions, rather than just "out". * NATCompiler_ipt.cpp (AssignInterface::processNext): fixes #1150 "fwb_ipt should check AddressRange in TSrc against addresses of interfaces". Compiler for iptables finds interface that matches AddressRange object used in Translated Source of a NAT rule and uses it for the "-o intf" clause. Addresses of interface can match the range exactly or partially. Exact match is when range boundaries match the beginning and the end of the subnet defined by the interface address and netmask.
Partial match is when one of the range boundaries belongs to the subnet but another one does not. In this case compiler uses the interface but issues a warning. If interface has multiple ip addresses, all of them are taken into consideration and interface is used if at least one matches. If address range in TSrc is wide and matches subnets of several interfaces, compiler splits the rule and uses all of them but does not replace the range with narrower one and still issues a warning. * ProjectPanel.cpp (ProjectPanel::getDestDir): fixes #1149: ProjectPanel::getDestDir should use userDataDir dir on all OS 2010-01-24 yalovoy * #1127 GUI crash when clicking in undo panel 1) new firewall (set name, Next, Next, Finish) 2) add interface 3) open Policy rule set view 4) insert rule 5) drag interface to the "Interface" rule element of the rule 6) click on in the undo panel 6) click on the last entry in the undo panel Affected files: RuleSetModel.cpp * #1132 Keyboard shortcuts for moving rules with "move up", "move down" Affected files: src/gui/RuleSetView.cpp, src/gui/RuleSetView.h * #1131 after rule moves with "move up" or "move down", it loses selection Affected files: src/gui/RuleSetView.cpp, src/gui/RuleSetView.h, src/gui/FWCmdRule.cpp * #1142 GUI crash on moving rule into a group with russian name Affected files: src/gui/RuleSetModel.cpp 2010-01-23 vadim * ../src/gui/FWWindow.cpp (FWWindow::startupLoad): fixes #147: show Release Notes only once when user starts the program for the first time. When user upgrades to a new version, Release Notes for it will be shown once again. Show tip of the day on all subsequent runs, unless user disables it. * instDialog_ui_ops.cpp (instDialog::setFlags): fixes #1136: "install" checkbox appears next to the cluster object in instDialog and "compile" checkboxes appear next to cluster member firewalls. 2010-01-23 yalovoy * FWCmdRule.cpp (FWCmdRuleInsert::redoOnModel): refs #1127: GUI crash when clicking in undo panel.
* FWCmdRule.h * RuleSetModel.cpp * RuleSetModel.h 2010-01-22 vadim * PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::compile): fixes #1134: object-group clause can only be used with ipv4 access lists in IOS per http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html#wp1058359 * IOSObjectGroup.cpp (IOSObjectGroup::toString): fixes #1107: support for "object-group" clause in IOS access lists. Fixed syntax for the subnet clause inside "object-group network". 2010-01-21 vadim * RuleOptionsDialog.cpp (RuleOptionsDialog::limitLabelChange): Added support for negation in the "-m limit --limit rate" clause for iptables. 2010-01-20 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): fixes #1123, #1124: Text label next to the option that translates into --connlimit-above clause for the iptables "connlimit" module now matches description in the iptables manual. Added checkbox that allows the user to add negation to the generated code (make it ! --connlimit-above NN) * IOSObjectGroup.cpp (IOSObjectGroup::toString): Refs #1107: first draft of the object-groups support for Cisco IOS. Controlled by a checkbox in the "Advanced" settings dialog of the firewall object; this feature requires IOS v12.4(20)T or later and is off by default. * CompilerDriver.cpp (CompilerDriver::validateClusterGroups): fixes #1119 "add test for the integrity of failover cluster groups". Compilers require all failover group objects to be configured with interfaces of member firewalls. * PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext): fixes #1120 "redundant commands generated for ssh access". Compiler for PIX generated two "ssh address netmask inside" commands for the same rule that permits ssh to the firewall. * CompilerDriver_pix_run.cpp (CompilerDriver_pix::assembleFwScript): fixes #1106 "fwb_pix does not include prolog". 
Prolog script was not included in generated configuration if firewall object was converted from some other platform because FirewallOptions? object inherited old "prolog_place" variable * Helper.cpp (Helper::findInterfaceByNetzone): fixes #1118 "fwb_pix uses wrong interface compiling the second cluster member". NAT compiler for PIX failed to find interface with correct network zone if interface was a child of another interface, e.g. vlan subinterface. * clusterMembersDialog.cpp (clusterMembersDialog::getSelectedMembers): fixes #1117 "failover group member editor loses interfaces". If failover group included vlan interfaces of the member firewalls, the dialog that appears when user clicks on "manage members" button would not show members at all. * NATCompiler_pix.cpp (NATCompiler_pix::_expand_interface): fixes #1115: "fwb_pix crash compiling cluster NAT rule set with interface in TSrc". A cluster interface was used in the TSrc rule element of a NAT rule. Cluster interfaces of PIX cluster have no ip addresses of their own (PIX HA pair uses ip addresses of the master unit), this caused rule element to become empty after interface object was supposed to be replaced with its ip address. 2010-01-19 vadim * ../src/cisco_lib/NATCompiler_pix.cpp (NATCompiler_pix::compile): fixes #1108: fwb_pix: incorrect access list is generated for "static". When a firewall or host object with an interface that was configured with netmask that was not 255.255.255.255 (i.e. configured correctly) was used in TDst of a NAT rule for PIX firewall, compiler generated configuration that used subnet instead of just the address of the interface. * (NATCompiler_pix::_expand_interface): reimplemented virtual method Compiler::_expand_interface() to process cluster interfaces. Using member interface instead of the cluster interface while compiling the rule. * (createNATCmd::processNext): fixes #1114: "fwb_pix crash when fw with dynamic interface is used in TDst".
* ../src/iptlib/NATCompiler_ipt.cpp (VerifyRules2::processNext): fixes #1109: "rules that do not pass verifyRules() checks may cause compiler crash in test mode or gui crash in single rule compile mode" * CompilerDriver.cpp (CompilerDriver::formSingleRuleCompileOutput): fixes #1110: "when compiler detects fatal error and drops the rule that caused it, the error does not appear in the single rule compile output". * ../src/pflib/TableFactory.cpp (TableFactory::createTablesForRE): fixes #1111: "NAT compiler for PF does not recognize dynamic interface of the firewall in rule element". Compiler issued an error that it can not generate code using dynamic interface that does not belong to the firewall because its address is unknown. * ../src/cisco_lib/NATCompiler_pix.cpp (VerifyRules::processNext): fixes #1104: policy compiler for PIX crashed when it encountered NAT rule trying to translate both source and destination addresses. * ../src/cisco_lib/Helper.cpp (triplet::hash): fixes #1105: compiler for PIX crashed when interface with dynamic address was used in ODst of a NAT rule. 2010-01-17 vadim * instDialog_ui_ops.cpp (instDialog::checkIfNeedToInstall): Regression: fixed #1092 "missing "install" checkboxes in the list of firewalls on the first page of the installer wizard". Checkboxes "install" disappeared randomly from the first page of the installer wizard. 2010-01-16 vadim * FWCmdAddObject.cpp (FWCmdAddObject::redo): fixes #1088 "duplicate objects on redo". Click on the last line in undo stack view created duplicate objects in the tree if some undo/redo commands created new objects.
* ObjectManipulator_create_new.cpp (ObjectManipulator::newInterfaceAddress): fixes #1090: extra undo command added to the stack on "New address" * FWWindow.cpp (FWWindow::event): If user opens two data files with the same names but located in different directories, titles of the subwindows, the list in the main Windows menu and entries in the recently opened files list will display full path. See #936 * FWWindow.cpp (FWWindow::fileOpen, FWWindow::alreadyOpened): The GUI should not let the user open the same data file twice. If user tries to do this, even using different (e.g. relative) path, the program will instead activate project window that already holds this file. Still can not open the same data file in two subwindows. See #396 2010-01-15 vadim * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): Using rule processor Compiler::checkForObjectsWithErrors to find objects with errors and generate proper calls to abort(). This exposes errors that happened when Preprocessor failed to resolve compile-time AddressTable and DNSName objects. If compiler runs in test mode, preprocessor did not abort but used dummy substitution addresses and continued. Call to checkForObjectsWithErrors generates proper error messages tied to rules. Using this rule processor in all compilers. Fixes #1087 * PolicyCompiler_ipt.cpp (processMultiAddressObjectsInRE::processNext): fixes #1086: incorrect processing of run time address tables. SourceForge bug 2932680. Rules with two run-time AddressTable objects in the same rule element (source or destination) were converted to the shell script that read addresses from the address table files, plus wrong iptables command that matched any to any. This change removes this extra command. * OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions): fixes #1084 "if all user turns off all interface management and configuration checkboxes, the check_tools shell function is not added to the script but still called". 
Shell function "check_tools" verifies that system tools iptables script needs to operate properly are installed on the firewall. These are: ip, modprobe and optionally vconfig, brctl, ifenslave. The bug made compiler for iptables to add the call to the function but function definition was missing if user unchecked all "configure interfaces" checkboxes in the Script tab of firewall object settings dialog. * CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Refs #869 making sure non-english comments appear correctly in the single rule compile output and generated configuration files and scripts. 2010-01-14 vadim * FirewallInstaller.cpp: fixed #1083: "installer uses incorrect path when GUI runs on windows" (Sourceforge bug #2932446). Built-in installer used incorrect path on the firewall to store copy of the .fwb data file. This happened only when the GUI ran on Windows. * PolicyCompiler_pf_writers.cpp (PrintRule::processNext): Added support for pf state tracking options "no-sync" and "pflow". Set version to "4.5" or "4.6" in the firewall object to be able to use these new options. 2010-01-13 vadim * CompilerDriver.cpp (CompilerDriver::commonChecks2): fixes #1080: "Add warning when "top" rule set is missing". All compilers issue a warning when the firewall has no top level NAT or Policy rule set. This could be an important error because rule set is used to generate iptables rules for the built-in chains INPUT/OUTPUT/FORWARD or the main PF rules. However there are legitimate cases when administrator may want to use fwbuilder to only generate iptables commands for a custom chain or configuration for a custom PF anchor, in which case this is not an error. Compilers generate warning for this condition to bring it to the attention of administrator but continue processing the rules. * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::flushAndSetDefaultPolicy): fixes #178: "remove chain initialization commands in the single rule compile output". 
Lines that create chains do not need to be printed when user compiles just one rule, they take up display space and do not provide any useful information. * PolicyCompiler_PrintRuleIptRst.cpp (PrintRuleIptRst::_printRuleLabel): really fixed #869 '"compile rule" should also print the comment'. Printing rule comment in the compiler output in the single rule compile mode when firewall object is configured to use iptables-restore. Code that prints rule label and comment has been unified for compilers for all firewall platforms. 2010-01-12 vadim * TCPServiceDialog.cpp (TCPServiceDialog::applyChanges): fixed bug #1076: "when the start of a port range is greater than the end, the GUI goes into a loop showing error dialogs". This problem affected TCP and UDP service objects 2010-01-10 vadim * TableFactory.cpp (TableFactory::PrintTables): suppress comment "Tables: (0)" in the compiler for PF output when there are no tables. * CompilerDriver.cpp (CompilerDriver::findImportedRuleSets): fixed bug #1072: "member ruleset override produces empty config files for PF". In this case, cluster nat rule branched to a separate nat rule set. There was nat rule set with the same name in the member firewall but compiler seemed to ignore it and produced empty .conf file for this rule set. The warning about member having rule set with the same name was not issued * NATCompiler_pf.cpp (checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces): fixed bug #1071 "can't use dynamic cluster interface in NAT rules for PF". In this case, cluster has interface rl1 which is mapped to dynamic interfaces rl1 of two member firewalls. Cluster interface object is used in the TSrc of a NAT rule. Compiler refused to compile this rule with error "cluster:NAT:2: error: Can not build rule using dynamic interface 'rl1' of the object 'member1' because its address in unknown." 2010-01-09 Vadim Kurland * src/res/configlets/openwrt/installer_commands_root: Added support for OpenWRT.
Generated iptables script has standard format of the OpenWRT system scripts and should be installed in /etc/init.d/. The script loads firewall policy when it is started with command line argument "start" and stops it when it runs with argument "stop". Other standard arguments recognized by OpenWRT startup scripts are also supported. To make the system run fwbuilder script during boot, run it with argument "enable". See Release Notes for more details. * OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces): Added support for configuring ipv6 addresses of interfaces for *BSD, including CARP cluster interfaces 2010-01-08 Vadim Kurland * NATCompiler_ipt.cpp (AssignInterface::processNext): fixed bug #1064: "Dedicated IPv6 interfaces show up in IPv4-NAT rules". Use interface only if it has addresses that match address family we compile for. * PolicyCompiler.cpp (PolicyCompiler::checkInterfacesForShadowing): (change in libfwbuilder) include interface rule element in the shadowing detection algorithm. See ticket #1068 2010-01-07 Vadim Kurland * FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getObjectPropertiesBrief): fixes #1059: "set attribute field in gui tree for policy and nat based on its settings". Show "top ruleset" and "ipv4" or "ipv6" in the second column of the object tree for rule set objects. * ProjectPanel_file_ops.cpp (ProjectPanel::loadLibrary): fixed bug #1053 "duplicate objects created on "Import library" operation". When user used "File/Import Library" function, the library is checked for objects with duplicate IDs. Library name is also checked for duplicates and changed by adding suffix "-1" if it matches existing library name. This means the same library can now be imported several times, which creates several copies (all with their unique IDs to make XML file valid) 2010-01-06 vadim * bug fixes in installer for PF: fixed commands it runs on the firewall when it authenticates as regular user. 
* ObjectManipulator_create_new.cpp (ObjectManipulator::newInterface): fixed bug #1051: GUI crash when user tried to add an interface to an interface. * CompilerDriver_pf.cpp (CompilerDriver_pf::getRemoteConfFileName): fixed bug #1049 (SourceForge bug #2927165) '(windows only) installer uses incorrect path on the OpenBSD firewall' 2010-01-01 vadim * instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog): fixed bug #1043: added explanation of the risk associated with password caching to the Preferences dialog and Release Notes; checkbox "remember passwords" will be disabled if user name is not configured * ObjectManipulator_tree_ops.cpp (ObjectManipulator::updateLibName): fixed bug #1042: editing name of a library updates it in the tree but does not update it in the drop-down list 2009-12-29 vadim * RuleSetView.cpp (RuleSetView::restoreCurrentRowColumn): fixed bug that caused rule set view to scroll all the way to the top every time user modified any object used in the rules. Fixes #968 2009-12-28 vadim Ticket #1040 (Another GUI crash in newClusterDialog) closed by a2k fixed Ticket #1038 (GUI crash in newClusterDialog on Ubuntu 8.04) closed by a2k fixed: (In [2296]) Fixed #1038 Ticket #1014 (fix tab order of elements in iptadvanceddialog_q.ui) closed by a2k fixed: (In [2292]) Fixed #1013, #1014, #1015, #1016, #1017 Ticket #1015 (fix tab order in pixadvanceddialog_q.ui) closed by a2k fixed: (In [2292]) Fixed #1013, #1014, #1015, #1016, #1017 Ticket #1016 (fix tab order in pfadvanceddialog_q.ui) closed by a2k fixed: (In [2292]) Fixed #1013, #1014, #1015, #1016, #1017 Ticket #1017 (fix tab order in openbsdadvanceddialog_q.ui) closed by a2k fixed: (In [2292]) Fixed #1013, #1014, #1015, #1016, #1017 Ticket #1013 (fix tab order of elements in iosacladvanceddialog_q.ui) closed by a2k fixed: (In [2292]) Fixed #1013, #1014, #1015, #1016, #1017 Ticket #1030 (firewall name should be prepended with library name in the list on the ...) 
closed by a2k fixed: (In [2290]) Fixed #1030 Ticket #1025 (newCLuster dialog loses all interface addresses if user hits Back on the ...) closed by a2k fixed: (In [2289]) Fixed #1025, #1019 Ticket #1019 (unit test failure) closed by a2k fixed: (In [2289]) Fixed #1025, #1019 * instDialog_ui_ops.cpp (instDialog::setFlags): For the PIX cluster, built-in installer installs generated configuration only on the master member firewall. It determines which one is the master by looking in the StateSyncGroup object (state synchronization cluster group). Fixes #998 * fixed a bug in the rule options dialog: if user tried to edit iptables log prefix for the rule and deleted a character in the middle of the string, cursor jumped to the end of the line. Also, undo command was created for each keystroke in this input field. fixes #1037 2009-12-27 vadim * PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::addDefaultPolicyRule): compiler for IOS ACL added only inbound automatic rule to permit ssh access from the management workstation but did not add a rule to permit reply packets. This fixes #993 * CompilerDriver_iosacl_run.cpp (CompilerDriver_iosacl::run): fixed bug (no #): compiler for iosacl failed to open output file because of the wrong path. * pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): fixed SF bug #2919941 "Wrong optimization flag for PF". If "For high latency" is selected the compiler outputs the following value for OpenBSD PF: "set optimization For high latency". Which is wrong syntax, should be high-latency. 
Fixes #1005 * bug fixes and changes 2009-12-27: Ticket #1032 ("creating cluster from selected firewalls" does not work) closed by vadim fixed: (In [2279]) Ticket #1031 ("New Cluster" function creates two undo commands and two cluster objects) closed by vadim fixed: (In [2278]) Ticket #969 ("Create and add to group" creates several undo commands) closed by yalovoy fixed: (In [2277]) 2009-12-26 vadim * ObjectManipulator_ops.cpp (ObjectManipulator::actuallyPasteTo): when an object was duplicated to another library, suffix "-1" was appended to its name even if there were no other objects with the same name. Also when an object was pasted into a group, its name was preserved. If the group had an object with the same name and user opened new one in the editor and tried to change anything, the program complained about duplicate name. fixes #1028 * newClusterDialog.cpp: program crashed when user tried to create new cluster dialog and turned the option to copy rules from one of the members to the cluster. Fixes #1026 2009-12-25 vadim * ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested): fixed bug #1022: context menu item "New Interface" is disabled. if user selected an interface object in the tree and opens context menu, the "New Interface" menu item was always disabled. 2009-12-23 vadim * instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog): Added support for the "dry run" installer option for Cisco routers. When this option is on, installer logs into the router and switches to the enable mode, but does not execute any actual commands. If scp is used to copy configuration to the router, installer will copy the file but will not activate it. This tests ssh session in general, login password, enable password and scp but does not make any changes to the router configuration. * OSConfigurator_pix_os.cpp (OSConfigurator_pix_os::_printSSHConfiguration): Implemented pushing of the PIX configuration using scp. 
This requires PIX v7, ssh v2 and scp should be enabled on the firewall. This method is much faster than running configuration line by line. Controlled by a checkbox in the pix advanced settings dialog. fixes #995 2009-12-22 vadim * src/res/configlets/ios/installer_commands_reg_user: Built-in installer can use command scp to copy IOS configuration to the router using ssh and then command "copy file running-config" to activate it. This method is much faster than running configuration line by line. The router should be configured with ssh v2 and scp server. This method can be combined with rollback (by reload or EEM). * src/res/configlets/ios/installer_commands_pre_config: Built-in policy installer uses EEM (Embedded Event Manager) on IOS 12.4 or later to schedule automatic configuration rollback instead of reloading the router. EEM appears in IOS 12.4 and supports background operations that can be triggered by some events on the router or by timers. In this new feature, fwbuilder creates EEM applet with a countdown timer that executes command "config replace nvram:startup-config force" when timer expires. User has the following options: - install updated ACL configuration and schedule automatic rollback in a few minutes. This can be used to test new policy and revert to the original one after some short period of time. This also helps to avoid a situation when updated policy blocks access to the router because of an error; rolling back to the ACL configuration that was running before the update will restore access automatically. - install updated ACL, schedule rollback in a few minutes but cancel rollback if installation of the new configuration was successful. This is mostly intended to prevent blocking access to the router in case of an error in the new ACL configuration. 
If fwbuilder was able to enter all lines of the new configuration all the way to the end, then new configuration does not block access and installer executes command "no event manager applet fwbuilder-rollback" to cancel scheduled rollback. 2009-12-21 vadim * bug fixes and changes for 2009-12-21: Ticket #982 (raise floating tree window when user switches between different project windows) closed by vadim fixed: (In [2233]) Ticket #981 (Error entering new service. User could not change port range start before changing port range end for TCP and UDP services) closed by vadim fixed: (In [2234]) Ticket #983 (crash on IOS configuration import) closed by vadim fixed: (In [2235]) Ticket #875 (unit tests for the policy importers) closed by a2k fixed: (In [2237]) Ticket #897 (Add paragraph to the release notes explaining new "conntrack" tab in host OS dialog for Linux) closed by vadim fixed: (In [2239]) Ticket #901 (mention support for openWRT in release notes) closed by vadim fixed: (In [2239]) Ticket #900 (mention support for ipcop in release notes) closed by vadim fixed: (In [2239]) Ticket #899 (paragraph about script structure and command line args in release notes) closed by vadim fixed: (In [2239]) Ticket #788 (review ChangeLog and update release notes for v4.0) closed by vadim fixed: (In [2240]) 2009-12-20 vadim * interfaceProperties.cpp (interfaceProperties::validateInterface): permit unnumbered cluster interfaces. If member firewalls have unnumbered interfaces that user wants to use in rules, then cluster needs corresponding cluster interface as well. Previously the GUI did not allow copy/paste of an unnumbered interface from a firewall to a cluster and compiler complained about such interface not having ip address. Now both operations are permitted. 
* minor bug fixes: Ticket #971 (cluster interface should inherit properties of the member interfaces) closed by vadim fixed: (In [2225]) refs #487 fixes #966, #971 Ticket #947 (Add new options to the "help" dialog) closed by vadim Ticket #975 (if fw object has empty platform, it can not be changed) closed by vadim fixed: (In [2228]) Ticket #977 (context menu items Delete and Cut are disabled if library is Template ...) closed by vadim fixed: (In [2229]) Ticket #974 (fw template 3 is broken) closed by vadim Ticket #979 (recognize extension .fwl for the template file) closed by vadim 2009-12-19 vadim * src/res/configlets/linux24/status_action: Fixes #954 : generated iptables script now recognizes "status" command line parameter. When the script runs with this parameter, its exit status code indicates the state of the firewall: 0 means iptables modules are loaded and some rules are configured; 3 means either modules are not loaded or there are no tables. The script can not verify that the rules are those configured in fwbuilder, it only verifies that modules are loaded and there are some rules. A configuration with no rules but with default policies returns exit code 0, even if those policies are ACCEPT in all chains; monitoring that relies on this status check therefore should not treat exit code 0 as proof that the intended, restrictive policy is in place. This is consistent with behavior of /etc/rc.d/init.d/iptables script on Fedora Core Linux. * RuleSetView.cpp (RuleSetView::changeAction): fixed #957: when user changes action of a policy rule, it should be opened in the editor only if the new action has some parameters that can be edited. Such actions as "accept" and "deny" have no parameters and it does not make sense to open blank editor panel. * Ticket #959 (context menu items appear rearranged) closed by a2k fixed: (In [2212]) Fixed #959 * Ticket #958 (when user compiles single firewall, skip the first page of the wizard) closed by a2k fixed: (In [2210]) Fixed #958 * Ticket #952 (tooltips in RuleSetView should be controlled by ...) 
closed by yalovoy fixed: (In [2209]) fixes #952 tooltips in RuleSetView should be controlled by … * Ticket #941 (Add Rule Below adds the new rule above) closed by yalovoy fixed: (In [2208]) fixes #941 Add Rule Below adds the new rule above * Ticket #951 (double click on an object in the group member list should open it in the ...) closed by a2k fixed: (In [2206]) Fixed #951 * Ticket #931 (context menu item "New cluster from selected firewalls" should be enabled ...) closed by a2k fixed: (In [2205]) Fixed #931 2009-12-18 vadim * CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): generated script can now install a backup ssh access rule when it shuts down the firewall, so that management access is preserved after the policy has been removed. This is optional and is controlled by a checkbox in the "advanced settings" dialog for iptables firewall. To shut down the firewall user should run the script with command line option "stop". Note that this rule stays in effect while the firewall is stopped, i.e. while the host otherwise has no policy loaded; review what the backup rule permits before enabling the option. fixes #939 2009-12-17 vadim * fixed bug in the GUI: when user duplicated an object, it was created with the same name as the original, then the program complained about duplicate name on every attempt to modify it. * creating IPv4 or IPv6 address object using main "New object" menu ended up creating two identical objects instead of one * built-in policy installer failed if the GUI was running on Windows, the firewall was running CentOS5 system and regular user account was used to authenticate * fixed bug in the GUI: it was not possible to add interface object to the "Interface" rule element of Policy and Routing rules. * fixed bug in the GUI: if the user hit Tab to move from one input field in the object editor to another after making some changes, keyboard focus jumped to the object tree. * improvement in the built-in policy installer: now installer dialog terminates background ssh or scp process if user clicks "Cancel" or closes dialog window in the middle of the process. * documentation: Added comment to all configlet files explaining how user can modify them. 
2009-12-16 vadim * src/res/configlets/linux24/installer_commands_root: Added command "chmod +x" to make firewall script executable on the firewall. Before, this was only done when the program used regular user account rather than root. Fixes #909 * src/res/configlets/linux24/installer_commands_root: Built-in policy installer gets commands that it needs to execute on the firewall from configlets (small scripts using simple macro language) that are installed in the /usr/share/fwbuilder-3.1.0/configlets on Linux. User can modify them by making a copy in $HOME/fwbuilder/configlets without having to touch the code. Because the commands in these configlets are executed on the firewall by the installer, the user-level copies in $HOME/fwbuilder/configlets should be writable only by the user running fwbuilder. Fixes #268. 2009-12-15 vadim * FirewallInstaller.cpp (FirewallInstaller::readManifest): fixed bug in installer: when the GUI ran on Windows, the path of the file on the firewall was generated with mixed separators '/' and '\'. As the result, pscp.exe failed to copy the file to the firewall. * OSConfigurator_linux24::printInterfaceConfigurationCommands: call shell function clear_addresses_except_known_interfaces() with a list of all interfaces configured in fwbuilder. This will clear ip addresses of interfaces that are not configured in fwbuilder and bring them down. Before, the call to this function did not include dynamic interfaces and as the result, the script deleted their addresses and brought them down. * ../src/res/os/linux24.xml: the GUI and compiler should not assume that when failover protocol is VRRP, then there should be interface vrrpN. This seems to be the case and the default only for Secunet Secuwall firewall. Vrrpd daemon on Linux does not create vrrp interfaces and just manipulates alias IP and MAC addresses. Fixes #895 * objects_init.xml: Standard objects library now comes with new IPv6 Network objects. These objects represent IPv6 networks that should not be routed on the Internet. Included: RFC3849 "Documentation Network" 2001:db8::/32; RFC4291 "Link local" fe80::/10; RFC4773 "Experimental Network" 2001:0000::/29 to 2001:01F8::/29. 
Also added a group "ipv6 private" that includes all these networks. Fixes #888 * instDialog.cpp (instDialog::instDialog): Moved "batch install" checkbox to the page that shows compiler progress so the user can decide to do batch install right before they perform installations instead of doing this before they start compile. 2009-12-14 vadim * src/res/configlets/linux24/automatic_rules: Generation of the automatic rules (matching ESTABLISHED and INVALID states, backup ssh access and others) now uses configlet. Fixes #883 * src/res/configlets/linux24/automatic_rules: generated script can now include automatic rules to match IPv6 neighbor discovery ICMP6 packets. This is controlled by a checkbox in the iptables "advanced" settings dialog and is off by default. Fixes #878 * PrefsDialog.cpp (PrefsDialog::accept): Added a place in the global Preferences dialog for options specific for different object types. First parameters include options for DNSName and AddressTable to let the user decide if the newly created objects of these types should be automatically configured with "Compile Time" or "Run Time" mode. Also, added an option that makes DNSName object editor copy the name of the object into the DNS record input field when new object is created or whenever the name changes. This is useful when the user does not want to keep object name and dns record different because they need to enter the name only once. * DNSNameDialog.cpp (DNSNameDialog::applyChanges): If global Preferences option "Use DNS Name object name for the DNS record" is turned on, copy the name into the record on every name change. Fixes #866 2009-12-11 vadim * GroupObjectDialog.cpp (GroupObjectDialog::newObject): Implemented feature request #2245537 "Add service object to service groups directly from groups". Group object dialog now has a button that shows a menu when clicked, this menu allows the user to create new object and add it to the group in one operation. 
This fixes #119 * ObjectManipulator::addNewObjectMenuItem: fixes #850 Redesigned methods used to create "new object" menu and call functions that create new objects to be able to build menus with limited sets of new object types. * ../src/gui/FWBTree.h (class FWBTree): added methods getTranslatableObjectTypeName and getTranslatableNewObjectMenuText that return translatable strings for the given object type name. 2009-12-09 vadim * FindWhereUsedWidget.cpp (FindWhereUsedWidget::_find): "Find where used" function can now find all uses of the given object, as well as all uses of its children. For example, if the object is firewall, then this function can find all groups and rules that refer to it directly, or to it and all its interfaces and their addresses. This extension is optional, it is controlled by a checkbox in the "Find" dialog. 2009-12-08 vadim * ../src/fwbedit/merge.cpp: fixed bug #2794851 (fwbuilder bug #202): "Ability to import Library using fwbedit". User can now merge objects from two files together using fwbedit just like the "Import library" function in the GUI. 2009-12-07 vadim * instDialog_ui_ops.cpp (instDialog::getInstOptions): fixed bug #2908220 (fwbuilder bug #803): "Running fwbuilder as root hardcodes batch install user". Built-in installer ignored user name entered in the installer options dialog and communicated with the firewall using the name of the user running the program. 2009-12-04 vadim * ../src/res/platform/pf.xml, iptables.xml: unified terminology for policy rule actions that create branching in the rule set or tag packets. Now we call these actions "Branch" and "Tag" for all platforms. Before, the name was different and matched original action on each platform, that is for PF it was "Anchor" and "Tag" and for iptables "Chain" and "Mark" respectively. 2009-12-01 vadim * src/res/configlets/linux24/run_time_wrappers: fixed #651: "support for dynamic ipv6 addresses is broken". 
When an interface with dynamic address was used in a rule in IPv6 rule set, generated shell script was supposed to read its IPV6 address and use it in the rule. This code was broken and never worked properly. Implemented idea for getaddr6 code suggested by , it now reads all IPv6 addresses of the interface and uses them in the rule via shell "for" loop. Implemented the same change for IPv4 as well. This changes behavior of the generated iptables script compared to fwbuilder v2 and v3 where it only used the first IPv4 address of the dynamic interface. In v3.1 and v4 it will use all addresses of such interface. 2009-11-29 vadim * newClusterDialog.cpp (newClusterDialog::finishClicked): New feature: the wizard that creates new cluster object starts with the list of firewall objects where the user can choose which firewalls should become members of the cluster. Next, the program finds interfaces of the member firewalls that have the same name and can be part of the cluster and creates cluster interfaces with the same name. Not all interfaces are eligible, for example bridge ports, bonding interface slaves or parents of vlan interfaces can not be used for the cluster. Cluster interfaces define failover groups. The user can add, remove or rename cluster interfaces, as well as change which interfaces of the member firewalls are used with each one. On the next page of the wizard user changes failover protocols and can add or remove or change ip addresses of cluster interfaces. Not all failover protocols require ip addresses, for example VRRP or CARP do but heartbeat or OpenAIS don't. Finally, the user can choose to use policy and NAT rules of one of the member firewalls to populate Policy and NAT rule sets of the new cluster. If this is done, all references to the original member firewall and its interfaces in rules are replaced with references to the cluster and its interfaces. 
The program also creates backup copies of the member firewall objects with the name with suffix "-bak" and clears Policy and NAT rule sets of the member firewall objects used with the cluster before new cluster is created. 2009-11-21 vadim * ObjectEditor.cpp (ObjectEditor::apply): New feature: behavior of all object dialogs has changed. According to the results of the user community opinion poll and discussion, object dialogs are losing button "Apply". All changes made in dialog entry fields are saved into the object immediately. This does not change the data in the .fwb file, only objects in memory. Combined with Undo, this allows for faster object editing and roll back of changes. * New feature: Undo/Redo facility. Undo supports changes to object parameters in editors, creation of new objects, deletion of objects, adding and removing objects to groups. Undo stack can be displayed in a special docked window. 2009-11-14 vadim * newFirewallDialog_from_template.cpp (newFirewallDialog::replaceReferencesToNetworks): New feature: when user creates new firewall from a template, the wizard dialog now offers a new page where they can change ip addresses of the interfaces of the template. User can change name, label, address, netmask, MAC address and type (regular/dynamic) of the interface, as well as add and delete interfaces. The program then creates interface objects with new parameters and updates policy and NAT rules of the template. It creates new Network and NetworkIPv6 objects using new addresses and replaces references to network objects that match old addresses with references to these new objects in rules and groups. This eliminates the need to do manual search and replace to update firewall object created from a template to make it match actual user network configuration. Fixes #613 2009-11-10 vadim * configlets/pix_os/failover_commands: New feature: Added ability to generate failover commands for PIX. 
Summary: - only "lan" type failover configuration is supported - one interface in each member firewall should be marked as "dedicated failover" interface. These interfaces must have the same name. - cluster should have interface with the same name as failover interface of the member firewalls; this cluster interface should have failover cluster group child object. The failover group is configured with failover interfaces of both members. One interface must be marked as "master". Compiler checks for this. - Protocol in this failover group should be configured as "PIX failover protocol" - cluster must have state synchronization cluster group object, configured with interfaces of member firewalls. Use the same interface as for the failover or another dedicated inetrface. In the latter case interface objects of the member firewalls used for state sync must be marked as "dedicated failover" as well. - Failover and state sync groups should have the same member firewall configured as "master". Compiler checks for this. - Regular interfaces: cluster should have interface object with the name matching corresponding interface of member firewalls. Each of these cluster interfaces should have failover cluster group child object configured with member firewall interfaces. Protocol in this failover group can be set to "None" (or blank). It is also not necessary to mark member interface as master. * OSConfigurator_pix_os.cpp (OSConfigurator_pix_os::_printInterfaceConfiguration): Using configlet to generate interface configuration commands for PIX. Now user can change generated script if necessary without making changes in the fwbuilder code. * ObjectManipulator.cpp (ObjectManipulator::libChanged): Experimental change in the GUI, new feature: Now the program does not switch object in the editor on a single click in the tree. User should double click object in the tree or use context menu item "Edit" to open object in the editor. 
User can select different object in the tree or switch to another library while editor has unsaved changes. This helps, for example, when they need to populate large object group and need to switch between libraries to find objects. Switching to another library or accidentally clicking on a wrong object in the tree does not cause editor to switch. 2009-11-09 vadim * CompilerDriver_pix_run.cpp (CompilerDriver_pix::run): Added support for failover configurations for PIX. - Interfaces of member firewalls used for failover configuration should be marked as "Dedicated failover" interfaces. They should have normal IP addresses. These interfaces will be used to generate "failover" commands in the PIX configuration. - Cluster should have interface with the same name as failover interfaces of the members, with protocol set to "PIX failover" and members configured as usual. This interface has no ip address. - Other interfaces of the cluster have the same name as corresponding interfaces of the member firewalls, protocol "None" and failover groups that define members as usual. These cluster interfaces also have no ip address. - Cluster state synchronization group uses protocol "PIX state synchrnization" and its members should be configured as usual. Use failover interfaces of the members as members of the state sync group. * Interface.cpp: Added attribute "dedicated_failover" to the Interface object. Interfaces with this attribute are treated like other "unprotected" interfaces, that is they are not used to attach ACLs to and not used in rules. Dedicated failover interfaces have special meaning in PIX configurations and are used to describe interfaces used for LAN failover. 2009-11-07 vadim * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTCPFlags): Implemented TCP flag matching per #2865044: "Add TCP options support for IOS ACL". Uses extended ACL option "match-all" that supports list of TCP flags that should be set and cleared. 
This requires IOS v12.4 or later even though Cisco documentation seems to indicate this option was introduced in 12.3(4)T. Fixes #455 2009-11-06 vadim * PolicyCompiler_pix_writers.cpp (PrintRule::_printDstService): PIX does not support IP options matching, compiler issues warning. Fixes #567 * res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2, 12.3, 12.4 * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions): Added support for IP options matching, requires IOS v12.4 or later. Fixes #566, #568 * configlets/sveasoft/script_skeleton: Fixes #571 /bin/sh on Sveasoft (busybox) does not like empty shell functions and fails with an error "36: Syntax error: "}" unexpected". Will call /bin/true as a placeholder so that if some other commands are added to the function body during template expansion, they are executed after /bin/true and their return code is preserved. If no commands are added, then the function body won't be empty and will return success. * NATCompiler_pf.cpp (NATCompiler_pf::compile): fixed bug #2889579: "fwb_pf crash when unnumbered interface is used in nat rule". Compiler for PF crashed when unnumbered interface was used in TSrc element of a NAT rule. * PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr): Fixed bug #2892100: "'Old boradcast' object produces 0/0 in iptables script". The bug triggered when iptables version was set to 1.3.x or later. "Old broadcast" object is defined as AddressRange with 0.0.0.0 as a start and end addresses of the range. Generated script should have "0.0.0.0" but the compiler uses "0/0" instead. 2009-11-04 Vadim Kurland * PolicyCompiler_ipfw_writers.cpp (PrintRule::_printDstService): Added support for IP options matching in ipfw using "ipoptions" keyword. Matching IPService object with "any options" attribute is not supported though. * IPServiceDialog.cpp (IPServiceDialog::loadFWObject): IPService object now has attribute "any options". 
If this attribute is turned on, compilers will generate configuration to match IP packets with any options present. Fixes #561 2009-11-03 Vadim Kurland * NATCompiler_ipt.cpp (dynamicInterfaceInTSrc::processNext): Implemented feature request #2829661: "SNAT instead of MASQUERADE on dynamic interfaces". NAT rule options dialog now has a checkbox that makes compiler use SNAT target instead of MASQUERADING when checked when TSrc has dynamic interface. Apparently MASQ target has problems when iptables NAT is used in combination with policy routing. Using SNAT with a variable that gets interface address solves the problem. By default this option is off, that is compiler uses MASQUERADE target when TSrc has dynamic interface. Fixes #560 * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::prolog): Fixed bug #2792847 (SourceForge) "cant turn off "part of any" for a rule if default is on". There was no way to turn option "Assume firewall is part of any" for just one rule when it was ON globally. Now this attribute is presented as a tri-state control in the rule options dialog, with options "Follow global setting", "On" and "Off". Now this option can be turned on and off in individual rules regardless of the global setting. Default is "follow global". Old "Off" maps to the new "follow global", old "On" maps to the new "On". Fixes #559. 2009-11-02 Vadim Kurland * PolicyCompiler_pf_writers.cpp (PrintRule::_printInterface): New feature: optimization in compiler for PF. Rules that have several interface objects (or a group) in the "Interface" column are compiled using "{ }" grouping to produce only one configuration line instead of several for such rule. Fixes #76 * PolicyCompiler_pf.cpp (SpecialServices::processNext): Compiler for PF generates "allow-opts" keyword when IPService object used in the rule has IP options. This includes new option "router-alert". 
Fixes #503 * IPServiceDialog.cpp (IPServiceDialog::applyChanges): Added GUI elements to support IP option "router-alert" which is now available as an attribute of IPService object. Fixes #502 2009-11-01 Vadim Kurland * CompilerDriver_pf.cpp (CompilerDriver_pf::printStaticOptions): Added support for PF configuration parameter "set state-policy" which can have values "if-bound" or "floating". The GUI input element provides these options in addition to the default empty option. If empty list item is selected, command "set state-policy" is not added to the generated .conf file at all. Fixes #423 2009-10-31 Vadim Kurland * instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog): New feature: password caching. Built-in installer can remember firewall password (and enable password for Ciscos) for the duration of the session. Passwords are never stored permanently in any form, encrypted or plain text; a cached password exists only in the memory of the running program and is discarded when the program exits. The user needs to enter password once when they activate generated policy. If they keep the program open and need to modify and activate policy again, the password fields in the installer dialog can be filled automatically. The feature is optional and is off by default. Cached passwords are associated with the firewall object and account name used to activate policy. Implemented by a2k@codeminders.com 2009-10-22 vadim * RuleSetView.cpp (RuleSetView::itemDoubleClicked): Fixes #545. Change in the GUI behavior: both left and right mouse click on an object in rules should not select it in the tree. If user wants to open it in the tree, they can use context menu item "Reveal in the tree" or double click the object. This solves the following inconvenient behavior (quoting from email): 1) anytime I copy something and then right click to paste into a policy or nat it immediately changes the tree to the location of the object under the cursor which is usually to the standard library on any and then i have change it back to the user library. 
2) if I want to compile a rule, unless I am careful and right click on the rule number instead of any field in the rule to select compile it move the tree to whatever is under the cursor. 2009-10-20 vadim * NATCompiler_pf_writers.cpp (PrintRule::processNext): Added support for branching NAT rules for PF. Compiler generates keyword "anchor" if PF version is 4.3 or later and "nat-anchor" and "rdr-anchor" for earlier versions. * platforms.cpp (getActionNameForPlatform): Human-readable names for Policy and NAT rule actions come from the platform .xml resource file (attribute "description"). This implements Feature Requests #1948874 and #1796803 * Support for branch rules in NAT rule sets. Currently only supported for iptables and PF. NAT rules get column "Action" for these platforms, with possible acctions "Translate" and "Branch". Action parameters dialog for the Branch action provides drop well where another NAT ruleset object can be dropped (just like with Branch action in the Policy rules). Action "Translate" performs translation as defined in the rule. Objects in the "Translated source/destination/service" are ignored in NAT rules with action "Branch" and a warning is issued at compile time. * NATCompiler_ipt.cpp (splitNATBranchRule::processNext): Support for branching NAT rules for iptables. Rules in the branch rule set are processed first and their targets and corresponding chains are recorded. These rules are placed in the user-defined chains with the name composed of the rule set name and the chain ("POSTROUTING" or "PREROUTING") that corresponds to the chosen target. Then top NAT rule set is processed. Branching rules found in it pass control to the chains used for the rules from the branching rule set. IF branching rule set uses a mix of SNAT and DNAT rules, the branching rule in the top rule set is split and placed in both PREROUTING and POSTROUTING chains as appropriate. 
2009-10-14 vadim * src/res/configlets/linux24/conntrack: Implemented support for conntrack performance tuning parameters and tcp window tracking option. Parameters CONNTRACK_MAX and HASHSIZE are described at http://www.wallfire.org/misc/netfilter_conntrack_perf.txt. The conntrack_tcp_be_liberal option is described at http://conntrack-tools.netfilter.org/manual.html . Parameters can be set in the host OS dialog for Linux (added new tab "conntrack"). Commands that will be added to the generated script come from the new configlet "conntrack". Commands are different for iptables versions <1.4.0 and >=1.4.0. User can customize the commands by substituting the configlet if necessary. Fixes #198, #511. 2009-10-13 vadim * PolicyCompiler_ipf.cpp (SplitDirectionIpfilter::processNext): fixed bug #2874571: "ipfilter version 3.4.29 issues after introduction of 282860". Optimizations added for PF broke rule generation for ipfilter which does not allow rule without explicit direction specification. * FWBSettings.cpp (FWBSettings::getCollapsedRuleGroups): fixed bug #2872365: "problem with group names containing comma". State of the rule group with a comma in the name could not be saved in program settings and the group could not be expanded once it was collapsed. * CustomServiceDialog.cpp (CustomServiceDialog::loadFWObject): fixed bug #2870562: "custom service - protocol name options". Added protocol "ipv6-icmp" to the list of predefined protocols in the CustomService object and fixed the dialog to make it properly save protocol name entered by the user (the widget where user choses protocol name also supports editing so the user can enter any protocol name not offered in the list of standard protocols). * FWWindow.cpp (FWWindow::toolsDiscoveryDruid): fixed bug #2867550: "Discovery Druid dieswhen there is no active'project window". 
* debugDialog.cpp (debugDialog::debugDialog), DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid) Reversing the change made in 3.0.7 in the debug and discovery druid windows, the change was intended to make the window title bar show "close" button on Mac OS X. Unfortunately this caused the title bar to disappear altogether on Linux under some window managers. Modal QT dialogs do not have title bar buttons on Mac OS X, but since they always have "OK", "Finish", "Close" or "Cancel" buttons as part of the dialog contents, absence of the "close" button in the title bar is not critical. * VERSION (VERSION): started v3.0.8 2009-10-07 vadim * FindWhereUsedWidget.cpp (FindWhereUsedWidget::itemClicked): "find where used" panel selects object in the tree or in rules on single click in the list of the results. To open the object in the editor user needs to switch to the editor tab in the bottom docked panel. 2009-10-03 vadim * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule): Added support for heartbeat over unicast. Protocol options dialog for heartbeat offers checkbox "Use unicast" (off by default, when checked, address input field for the multicast heartbeat address becomes disabled). When checkbox is checked, compiler automatically adds rules to permit unicast heartbeat health checks between addresses of interfaces which are members of the failover group. 2009-10-02 Vadim Kurland * ProjectPanel.cpp (topLevelChangedForTreePanel): Main window layout redesign: Panels that show object tree and object editor now use docked widget and are detachable. User can "float" these panels to be able to rearrange information on the screen. When panel showing objects tree is detached, it can be expanded to show multiple columns of information comfortably. Also, when the tree is detached, panel showing rules expands to occupy whole window which helps to see rules using objects with long names. This provides easy way to see attributes of many objects at once. 
Panel that shows object editor dialogs also shows "find" and "find where used" dialogs in a Tab widget. This panel is part of the main window (it used to be part of the internal MDI subwindow) and also can be detached. Editor panel now occupies whole bottom part of the main window. Since editor dialogs show all relevant information about the object, the "Info" panel has been deprecated. Since the editor and search dialogs are now placed inside docked widget that has its own "close" button, "Close" buttons in these dialogs have been removed. 2009-09-30 vadim * ObjectManipulator.cpp (ObjectManipulator::setAttributesColumnEnabled): New feature: the GUI can show brief summary of object attributes in the second column in the object tree. This is controlled by a checkbox in the global preferences dialog, tab "Objects". This is off by default. The first column always shows object icon and its name, the second (optional) column shows its attributes. Interface label is shown in the second column. The width of both columns in the tree is set automatically to accommodate all the text, then can be adjusted by the user using mouse. Column width is saved in settings and will be restored upon program restart. Column width is saved per-file, per-library. 2009-09-23 vadim * ../src/res/configlets/linux24/update_bonding: Generated iptables script incrementally updates bonding interfaces: - It creates new bonding interfaces with parameters configured in the GUI if module 'bonding' is not loaded. This is what happens if fwbuilder script runs after reboot. - if there are no bonding interfaces in fwbuilder configuration, the script removes bonding module to kill any bonding interfaces that might exist on the machine - if you add new bonding interface in fwbuilder, the script checks if it exists on the machine. It will not create it because to do so, it would have to remove the module which kills other bonding interfaces. 
If this second bonding interface exists, it will be configured with slaves and addresses. If it does not exist, script aborts. In this case you need to either 1) reload module manually or 2) add max_bonds=2 to /etc/modules.conf and reboot or 3) unload module and run fwbuilder script again (if module is not loaded, the script loads it with correct max_bonds parameter) - if a bonding interface exists on the machine but not in fwbuilder configuration, the script removes all slaves from it and brings it down. It can not delete it because to do so it would need to remove the module, which kills other bonding interfaces. Limitation: currently all bonding interfaces will use the same protocol parameters. This is because module loading with parameter "-obond1" that is supposed to be the way to obtain more than one bonding interface and also the way to specify different parameters for different interfaces causes kernel panic in my tests. Tested with bonding module v3.5.0 and kernel 2.6.29.4-167.fc11.i686.PAE on Fedora Core 11. The only working way to get two bonding interfaces I could find is to load the module with parameter max_bonds=2, but this means all bonding interfaces work with the same protocol parameters. If bond interfaces are configured with different parameters in fwbuilder, compiler uses the first and issues warning for others. 2009-09-18 vadim * PolicyCompiler.cpp (ItfNegation::processNext): (change in libfwbuilder) fix for bug #2710034 "PF Compiler in 3.0.3 Unprotected Interface Bug". When we expand "interface" rule element which uses negation, skip unprotected interfaces. 2009-09-16 vadim * RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): Fixed a security issue with unsafe temporary file handling in the static routing section of the generated iptables script. The problem only affects Linux systems where Firewall Builder is used to generate static routing configuration. Since the fix is in the compiler, scripts that were already generated by an affected version are not corrected by upgrading alone; recompile and reinstall them with the fixed version. 
The problem exists in Firewall Builder versions 3.0.4, 3.0.5, 3.0.6 2009-09-14 vadim * standardized compiler error and warning messages using format fw_name:ruleset_name:rule_number: warning: message fw_name:ruleset_name:rule_number: error: message * dialogs that show compiler output recognize error and warning messages and highlight them using different color and bold font. 2009-09-07 vadim * single rule compile feature implemented for all platforms (iptables, ipfilter, pf, ipfw, iosacl, pix) and integrated with the GUI. Currently using keyboard shortcut "x". Fixes #23. 2009-09-06 vadim * RuleSetView_single_rule_compile.cpp (RuleSetView::compileForCurrentRow): Single rule compile implementation. Currently this is triggered by hitting keyboard key 'x', the event is processed by RuleSetView class which calls RuleSetView::compileForCurrentRow(). This creates compiler driver object and calls it to compile currently selected rule. The result is shown in the editor panel. User can select parts or the whole of the generated script in the editor panel but it is read-only. Works only with iptables yet. Refs #23. * src/iptlib/iptlib.pro (SOURCES): Moved all modules for fwb_ipt except main module ipt.cpp to a separate library so that they can be linked with either command line compiler fwb_ipt or the GUI. Refs #23 2009-09-05 vadim * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printDstService): fixed bug (no #): policy compiler for Cisco IOS ACL did not add icmp type to the generated ipv6 access-list statements for rules that matched ICMPv6 services. 2009-09-03 vadim * src/res/configlets/linux24/update_bridge: configlet that updates bridge interfaces will now completely synchronize interfaces with configuration created in fwbuilder even if no bridge interfaces are used in fwbuilder. Bridge interfaces that exist on the firewall but not in fwbuilder will be deleted and those that exist in fwbuilder but are missing on the machine will be added. 
Bridge ports are deleted and added after bridge interfaces have been synchronized. * src/res/configlets/linux24/update_vlans: fixed command line in the command that removed vlan interface 2009-08-30 vadim * instDialog_ui_ops.cpp (instDialog::addToLog): fixed bug #2847263 "Batch compiling incrementally slow". The time it took to add a log line to the progress window in the "Compile" dialog slowed down a lot as amount of text in QTextEditor increased. 2009-08-28 vadim * ProjectPanel.cpp (ProjectPanel::event): instead of several methods in FWWindow that scan all project panel windows and execute some operation, using user defined events. Currently have two events: dataModifiedEvent and updateObjectInTreeEvent. The first one signals that some object has changed so that ProjectPanel::event() can update timestamps and do other things. It then posts the second event, which it will catch and process on the next event processing run. The second event does UI updates. Both events carry file name and object ID. Only those ProjectPanel objects that have the same file process the event. Events are dispatched to project panels in FWWindow::event(). Concentrating all UI update logic in one place helps avoid unnecessary redraws. This replaces FWWIndow::updateLastModifiedTimestampForOneFirewall, FWWindow::updateLastModifiedTimestampForAllFirewalls, FWWindow::reloadAllWindowsWithFile. * interfaceProperties.cpp (interfaceProperties::manageIpAddresses): this is a generic method that implements a policy to decide whether generated script should manage ip addresses of a given interface. It checks if it belongs to a cluster or a firewall and failover protocol (if it belongs to a cluster). It fills two lists: one is the list of addresses that the interface should have and another is a list of interfaces the script must not remove even if they are assigned to the interface. The method uses data from host_os XML resource file. 
2009-08-27 vadim * CompilerDriver.cpp (CompilerDriver::mergeRuleSets): See #372: this change reverses the logic of the program when it merges rule sets from the cluster into its member firewalls. In the original Secunet implementation rule sets of members were ignored and only one top level rule set from the cluster was ever used. Now we check if member firewall has rule set of the same name as cluster and use it if it is not empty and issue a warning. If rule set of the member firewall with the same name is empty, rules from the cluster are used. All rule sets of the cluster that do not match anything in member firewalls are merged into firewalls and used for compilation. This way, we can have multiple rule sets in the cluster and can have slightly different rules in member firewalls if necessary. See ticket #372 for more details and info for the documentation. * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::addPredefinedPolicyRules): fixes #388: "automatic rules are added to second rule set in cluster member". IF a cluster member firewall had several policy rule set objects, automatic rules for conntrackd, vrrp, heartbeat were added multiple times. * OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands): fixes #387: add calls to update_addresses shell function in generated script even for interfaces with no ip addresses. This way, if such interface has an address on the machine, it will be removed. This helps synchronize configuration with fwbuilder when user removes all addresses from an interface and converts it to "unnumbered". Note that update_addresses never removes scope link and scope host addresses of the interface even if they are not configured in fwbuilder GUI. * PolicyCompiler_pf.cpp (SplitDirection::processNext): applied patch per #2844561: "PF Compiler Direction Both Duplicate for Route Action". Need to split the rule if direction is Both and action is Route. 
* newFirewallDialog.cpp (newFirewallDialog::templateSelected): fixed bug #2844596: "Crash during newFirewallDialog". GUI crashed if user clicked "next" in the new firewall dialog to open page with templates, then clicked "Back" and then "Next" again. * ObjectManipulator.cpp (ObjectManipulator::select): fixed bug #2845667 "Crash after find object". When host object was found using "Find object" function while searching by ip address, clicking on the selected host in the tree caused crash. * VERSION (LIBFWBUILDER_SOMAJOR): started 3.0.7 2009-08-26 vadim * ObjectManipulator.cpp (ObjectManipulator::validateForPaste): User should be able to add vlan interface to a bridge (vlan interface becomes bridge port). Fixes #384 * CompilerDriver.cpp (CompilerDriver::populateClusterElements): moved this method from class Compiler. fixes #367 * CompilerDriver_compile.cpp (compileSingleRule): entry point for single rule compile. Takes one argument - rule ID and returns a QMap where key is firewall name and value is generated script for this rule. Currently using this entry point in the command line compilers via cli argument -s rule_id. Fully implemented in fwb_ipt. Fixes #358, #206 * CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): using std::auto_ptr to protect OSConfigurator, PolicyCompiler and NATCompiler objects and to properly delete them to avoid memory leaks in fwb_ipt. fixes #371 2009-08-24 vadim * CompilerDriver.cpp (CompilerDriver::commonChecks2): refactored bunch of common sense checks from compilers for ipt and pf into common module. This also fixes #337 by checking if it is ok for the cluster interface to have no ip address using xml resource file for the fw host OS. Protocols such as heartbeat and openais can operate when failover interface has no shared cluster address because these protocols can use multicast address. However, a configuration where the cluster interface using one of these protocols has a shared IP is also legitimate.
The check here only suppresses error message when interface has no ip. * platforms.cpp (setInterfaceTypes): Fixes #335 : if interface name matches naming convention for vlan interfaces and vlan type is in the list that came from the resource file, then leave only vlan in the list we return. Note that if resource file says this subint can not be vlan, we don't return vlan type on the list even if its name looks like it could be one. * ProjectPanel.cpp (ProjectPanel::updateTreeViewItemOrder): Removed ProjectPanel::updateTreeViewItemOrder() and removed call to it from ObjectEditor::notifyChangesApplied(). We take care of QT bug workaround for improper sorting in other places. This change fixes #329. 2009-08-21 vadim * ObjectManipulator.cpp (ObjectManipulator::newInterface): If newly created interface object is a top-level interface, always set its type to "ethernet". If it is subinterface, call guessInterfaceType() to guess. * ObjectManipulator.cpp (guessInterfaceType): fixes #334. The GUI guesses correct subinterface type when it is created and when user hits "Apply" in the interface object dialog after some changes have been made. If interface name matches one of the patterns of the vlan interface for the given OS, its type is set to "vlan" and vlan ID is assigned. If its name does not match naming pattern of a vlan interface but parent interface type is "bridge" or "bonding", subinterface type is set to "ethernet". This covers most of the use cases and makes subinterface type assignment automatic. * ObjectManipulator.cpp (ObjectManipulator::newInterfaceAddress): fixes #330: the name of the ip address of an interface should follow the schema "firewall:interface:subinterface:ip". The same schema should be followed when address object is automatically renamed when the user renames firewall or interface object.
* ObjectManipulator.cpp (ObjectManipulator::copyObj): call Interface::getOptionsObject() at the beginning of copy and dragStart operations to make sure interface has options object later in paste and drop operations when we need it to do some validation checks. 2009-08-20 vadim * ObjectManipulator.cpp (ObjectManipulator::validateForPaste): perform checks for the valid vlan subinterface configuration for copy/paste and d&d drop operations; this uses the same algorithms as the check done when user renames an interface. This means user can not copy/paste or d&d interface "eth1.100" to make it a subinterface of "eth0" or top-level interface. * InterfaceDialog.cpp (InterfaceDialog::validate): Additional checks for validity of interface name: the name can not contain white space, if the name looks like vlan interface, checking if it is valid (base name must match name of the parent interface and vlan ID must be in the allowed range) * InterfaceDialog.cpp (InterfaceDialog::applyChanges): Fixes #328: "automatically assign vlan id to interface based on interface name". The GUI automatically sets interface type to "vlan" and configures vlan ID if user changes name of the interface to something that matches regex for vlan interfaces on given OS. This is done when user hits "Apply" button in the Interface object dialog. * src/compiler_lib/interfaceProperties.h (class interfaceProperties): refactored class linux24Interfaces into class hierarchy with base class interfaceProperties and factory class interfacePropertiesObjectFactory. These classes are now part of the compiler extensions library in src/compiler_lib and can be used by both the GUI and compilers. * Configlet.cpp (Configlet::Configlet): New constructor for the class Configlet accepts os name prefix and default os name prefix. If configlet file is not found in the directory defined by the first prefix, the program tries to find it in the default place defined by the second prefix.
* src/res/configlets/sveasoft/script_skeleton: Using separate configlets for Linksys/Sveasoft host os. 2009-08-19 vadim * ObjectManipulator.cpp (ObjectManipulator::newInterfaceAddress): fixes #318: New ip address of interface was always created with the same name even if there was an address object with the same name under the same interface. * OSConfigurator_linux24_interfaces.cpp (validateInterfaces): Tests for unsupported interface configurations, see #315, 324. The first test scans all subinterfaces of each interface and tries to find top level interfaces with the same name, then checks their type. For the combination some_interface/br1, we look for the top level interface "br1" and if it exists and its type is "bridge", then this is unsupported configuration. This test does not allow subinterface to have the same name as a bridge interface regardless of the type of the parent interface. So, bridge/bridge or bonding/bridge combinations are not allowed. The test has to search top level interfaces because bridge port subinterfaces can be copies (e.g. when a vlan interface is at the same time a bridge port). The second test looks for the following combinations: 1) vlan interfaces under bridge interface (e.g. br0 = [eth1, eth2], vlan interface br0.100 is not supported) and 2) vlan interfaces as slaves of bonding interfaces (e.g. eth0.100, eth1.100, bond0 = [eth0.100, eth1.100], note the difference between this and vlan of bonding interface such as bond0.201). Only regular interfaces can be slaves of bonding interface. If subinterface type is "ethernet" but its name matches one of the vlan interface regexes, assume this is vlan. Slave subinterfaces do not have to be copies, one can have "eth4" only once, as a slave, so we can't search for a top level interface with the same name and must rely on the subinterface type.
2009-08-18 vadim * ObjectManipulator.cpp (ObjectManipulator::makeNameUnique): The program should never change the name of vlan interface when such interface is being copied/pasted or dropped to become a subinterface. The name of the vlan interface carries vlan ID and changing name is not allowed. One of the typical usage patterns is to create vlan interface "eth0.101" and then immediately try to copy/paste it to under br0 to make it bridge port. In this case interface eth0.101 wont have type "8021q" just yet because the user did not open interface "advanced" settings dialog to set its type and VLAN ID. Users assume that if its name is "eth0.101", then it must be vlan interface. We should follow this assumption too. Also, check for names "vlanNNN" as well. * ObjectManipulator.cpp (ObjectManipulator::actuallyPasteTo): during "paste" operation, call makeNameUnique() to make the name of the copy unique before actually adding the object to its parent. Otherwise makeNameUnique() finds it and changes the name. * src/res/configlets/ipcop/script_skeleton: Using configlet to define script structure for generated IPCOP script. IPCOP script is executed as /etc/rc.d/rc.firewall.local and does not manage ip addresses of interfaces or vlan/bond/bridge interfaces so it does not need corresponding shell functions. Script can check if interfaces configured in fwbuilder GUI match actual appliance, so the shell code to do that is included. Since we should be able to use interfaces with addresses assigned dynamically in rules, the code that gets their addresses at run time is included. Code to check if data files used by run time address table objects exist is also included. Using configlets helps better manage what is included for the given os family ("linux24" or "ipcop" or some other in the future). Also, user can override our configlets by placing file with the same name in "fwbuilder/configlets" directory in their $HOME. 
2009-08-17 vadim * src/res/configlets/linux24/shell_functions: cleaned up coding style in shell functions in configlets: using uniform 4 spaces indentation. * src/res/configlets/linux24/script_skeleton: This configlet defines structure of generated iptables script. Script recognizes the following command line options: start|stop|interfaces * CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Building whole iptables script from configlet. * OSConfigurator_linux24.cpp (OSConfigurator_linux24::configureInterfaces): See #314. Need to update vlans and bond interfaces first and only then deal with bridges because bridge may use bonding interface or vlan created in the first step. Unsupported configurations: vlan interfaces under bridge interface (e.g. br0 = [eth1, eth2], vlan interface br0.100 is not supported), bridge interface as part of bonding interface (e.g. bond0 = [br0, br1]), vlan interface as a slave of bonding interface (e.g. eth0.100, eth1.100, bond0 = [eth0.100, eth1.100]). Only regular interfaces can be slaves of bonding interface; vlans can be created under bonding interface (e.g. bond0.100), both regular interfaces and vlans can be bridge ports. Script first updates bonding interfaces, then updates all vlans, including possibly those under bonding interfaces, and finally updates bridge configurations using interfaces created in first two steps. 2009-08-12 vadim * NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug #2836321: "SNAT rule that changes Trans Src and Trans Port does not work". Dual translation rule that changes source address and destination port was not supported. 2009-08-10 vadim * PolicyCompiler_pf_writers.cpp (PrintRule::processNext): For bug #2835193: "Modulate state doesnt work for PF". Check variable "modulate state" in rule options and global firewall options. If checkbox is turned on in the firewall options, then we always use "modulate state".
This option can also be turned on for an individual rule using rule options dialog. * pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): Fixed bug #2835193: "Modulate state doesnt work for PF". The name of the XML attribute used to hold the value of "modulate state" option was entered incorrectly in the dialog. 2009-08-09 vadim * ipfw.cpp (main): compiler for ipfw uses new manifest format and supports remote file name for the generated .fw script. Fixes #308 * ipf.cpp (main): compiler for ipfilter uses new manifest format and supports remote file names for generated .fw and .conf files. Fixes #307 * CompilerDriver_pf.cpp (CompilerDriver_pf::getRemoteConfFileName): compiler for PF uses new manifest format and supports remote file names for generated .fw and .conf files. Fixes #306 * CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): compiler for iptables uses new manifest format to implement support for alternative name of the script on the firewall. Fixes #305 2009-08-08 vadim * instDialog.cpp: Installation process is controlled by several variables that the user can change in the "advanced" dialog for the firewall platform: Tab "Compiler": - output file name - script name on the firewall - for PF and ipfilter additionally .conf file name on the firewall Tab "Installer": - directory on the firewall where script should be installed - command that installer should execute on the firewall These variables have default values if input fields are left blank in the dialog as follows: output file name: the name of the firewall object, plus extension ".fw". For PF two files are generated: .fw and .conf; for ipfilter files .fw, -ipf.conf and -nat.conf are generated. script name on the firewall: the same as the output file name directory on the firewall: "/etc" command that installer executes to activate policy: installer runs script .fw If user enters alternative name in the "script name on the firewall", it is used when generated script is copied to the firewall.
There are two input fields in the dialogs for PF and ipf where user can enter alternative name for the .fw script and .conf file. The name can be relative or absolute path. If it is a relative path or just a file name, it is treated as a file name in the directory specified by the "directory on the firewall" input field in the "Installer" tab. If the name is an absolute path, the directory entered in "directory on the firewall..." input field is ignored. If user entered alternative name for the script on the firewall, the command that installer should execute to activate it must be entered as well. If the alternative name was entered as an absolute path, activation command should take this into account and use the same absolute path. The command can start with "sudo " if user account used to copy and activate policy is not root. * iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog): Added input fields to the "advanced" dialogs for iptables, pf, ipfilter and ipfw to make it possible to specify the name of the generated script on the firewall. With this change, fwbuilder can generate the script using unique name but use standard common name such as "rc.firewall" when the script is copied to the firewall machine. This is important when two firewalls that are part of a cluster are compiled at the same time. In this case we can not use name such as "rc.firewall" for the output script because file generated for the second firewall in the pair overwrites the one generated earlier for the first. Now we can use unique names for scripts generated for each member of the pair but copy them to the firewall machines using the same common name. Fixes #304 The implementation is not complete yet, I still need to make changes in the installer and policy compilers. 2009-08-07 vadim * src/res/configlets/linux24/process_bridge: Configlets that updated ip addresses, vlan, bridge and bonding interfaces bring interfaces up using $IFCONFIG command. 
Fixes #301 2009-08-06 vadim * ObjectManipulator.cpp (ObjectManipulator::actuallyPasteTo): When a subinterface is copied to make a subinterface of another interface, the type of the copy is reset to "ethernet". If the type was retained, it was easy to create subinterface with invalid type without obvious signs in the GUI that this has happened. For example, if vlan subinterface was copied to make subinterface of a bridge interface, it retained type "8021q" but ended up as a child of interface with the name that did not match. The intention was to use vlan subinterface as a bridge port, but compiler issued an error because of a subinterface having illegal name (name is only checked for vlan subinterfaces). Fixes #299 * PrefsDialog.cpp: Added a page to the global Preferences dialog where user can enable/disable target firewall platforms and host OS. Disabled platforms and OS do not appear in the drop-down lists in a "new firewall" and "new cluster" dialogs, as well as object editor panel. This helps reduce clutter if user only works with a couple of platforms and OS. Default setting of the status for each platform and os comes from the corresponding XML resource file. This way we can ship the program with some host OS or platforms disabled by default, but the user can still enable them. Settings in users preferences override default status setting in the resource file. Fixes #262 * ObjectManipulator.cpp (ObjectManipulator::newAddressRange): newly created objects get default name that is the same as the type name with no "New ..." prefix. * ObjectTreeView.cpp (ObjectTreeView::dropEvent): if user drags an object in the tree and drops it beyond the last tree item, the program should ignore this drop operation and do nothing (it used to crash). Added checks for this condition. 
Fixes #294 * ObjectManipulator.cpp (ObjectManipulator::makeNameUnique): while guessing the name of the new interface or trying to avoid duplicate names during copy/paste, we should not change names of the vlan interfaces. Fixes #296 2009-08-05 vadim * FWWindow.cpp (FWWindow::prepareToolsMenu): disable Tools/Discover menu if all internal windows were closed and there is no active object tree where discovered objects could be created. Fixes #291 * ObjectManipulator.cpp (ObjectManipulator::relocateTo): Added check for when user tries to drag&drop an object onto itself in the tree. Fixes #292 2009-08-04 vadim * ObjectManipulator.cpp (ObjectManipulator::newInterface): when user creates interfaces of a firewall or a cluster using context menu "Add Interface" in the object tree, the program finds interface that was created most recently and uses its name as a prototype, automatically incrementing its number. For example, if the user needs to create several "eth" interfaces, the program will automatically create "eth0", "eth1", "eth2" etc. without the need for the user to rename them. Fixes #277 * configure.in: Removed all .xml.in resource files in src/res/ src/res/os and src/res/platform. The only configurable attribute in these was "version", which is not required and was not used anywhere. Fixes #269 * PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules): automatically added rule that matches packets in state INVALID should use log prefix that says it is for state INVALID. The rule now ignores user-defined global logging prefix and always uses "INVALID state -- DENY ". Fixes #283 2009-08-04 Vadim Kurland * heartbeatOptionsDialog.cpp (heartbeatOptionsDialog::heartbeatOptionsDialog): Added GUI elements to allow the user to change multicast address for heartbeat. Default address is 224.0.10.100.
Fixes #213 * clusterMembersDialog.cpp (clusterMembersDialog::firewallAdd): enabled multiple object selection in the left panel of the cluster member management dialog. User can select several interfaces using Ctrl-click (or Command-Click on Mac OS X) and then move them all to the right panel at once. Fixes #254 * ObjectEditor.cpp (ObjectEditor::notifyChangesApplied): Dialogs that have buttons to open "advanced" settings dialogs now save changes and disable "Apply" button when such additional dialog is opened. This includes Firewall, Interface, cluster group and few other objects. Previously changes were saved as well but the "Apply" button was not disabled, giving the impression that changes were not saved into the object. Fixes #286 2009-08-03 Vadim Kurland * ObjectManipulator.cpp (ObjectManipulator::autorename): See #273: "child objects not getting renamed". Autorename function should rename ip and mac addresses of interfaces and subinterfaces when the host or parent interface name changes. * newClusterDialog.cpp (newClusterDialog::finishClicked): See #211: "interface type mismatch between member interfaces and cluster interface". When cluster object was created manually and failover type was set to "heartbeat" or "openais" for its interfaces, the type was not properly set in created objects. 2009-08-02 vadim * ObjectTreeView.cpp (ObjectTreeView::dropEvent): Dragging several subinterfaces from one parent interface to another created bizarre tree-like structure where each of these subinterfaces became subinterface of another. See #280. Fixed in r1254 * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertConntrackRule): Added test to make sure ip address entered by the user in the StateSync group dialog for conntrack is valid.
Fixes #220 * CompilerDriver_ipt_cluster.cpp (CompilerDriver_ipt::processStateSyncGroups): The program did not find StateSync group member interfaces when they were subinterfaces and as a result compiler did not generate automatic policy rules for conntrack. Fixed in r1253 * ObjectManipulator.cpp (ObjectManipulator::prepareForInsertion): DTD does not allow nested subinterfaces; only one level of subinterfaces is supported. Interface::validateChild() now checks for this condition and the GUI shows detailed error message dialog when user tries to move interface that has subinterfaces under another interface using copy/paste or d&d. Fixes #275 * ObjectManipulator.cpp (ObjectManipulator::relocateTo): When user dragged an interface that has child objects (ip address, MAC address) and dropped it in a different place in the object tree, the program would show only the interface object in the new place but not its children. Should be using insertSubtree() to fix this. Fixes #276 2009-08-01 vadim * ProjectPanel_file_ops.cpp (ProjectPanel::chooseNewFileName): If user forgot to add .fwb suffix to the file name they entered in the "Save As" function, the program automatically adds it. See #234 * CompilerDriver.cpp (CompilerDriver::commonChecks): compiler should check that cluster member firewalls are configured to use different output file names. See #237 * OSConfigurator_linux24::printVerifyInterfacesCommands: function verify_interfaces uses configlet "verify_interfaces" and checks if all interfaces of the firewall defined in the GUI really exist, including bonding, vlan and bridge interfaces. * OSConfigurator_linux24::printInterfaceConfigurationCommands: Using configlet process_addresses to implement shell commands that incrementally add and remove addresses on interfaces. Added support for IPv6 addresses.
Addresses found on the actual interfaces of the firewall are compared with those defined in fwbuilder objects and missing ones are added and those not defined in fwbuilder are deleted. If a firewall is a cluster member using heartbeat for failover, ip addresses associated with heartbeat failover groups are skipped. The script won't delete these on the firewall that is active at the moment when script runs and won't add them to the passive firewall because that would interfere with operation of heartbeat. The same is done for OpenAIS protocol. Fixes #270 , See #261 2009-07-31 vadim * OSConfigurator_linux24_interfaces.cpp (OSConfigurator_linux24::printVlanInterfaceConfigurationCommands): Using configlets to generate shell script that incrementally updates (adds and removes) VLAN, bridge and bonding interfaces. See #261 * OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions): Using configlets to generate iptables script. * Configlet.cpp (Configlet::Configlet): generic class to read fragment of generated script from an external file, possibly do macro substitution and then insert the contents into generated script. Configlets are stored in files in the resources directory that is part of the installed package (/usr/share/fwbuilder/configlets on Linux, fwbuilder31.app/Contents/Resources/configlets on Mac OS X, c:\FWBuilder31\resources\configlets on Windows) or in the subdirectory "fwbuilder/configlets" in the user's home directory on all OS. If configlet file is found in the home directory, it overrides the one installed with the package. This provides a simple way for users to override parts of the generated configuration scripts. Currently configlets are only implemented for Linux-based OS. Fixes #263 2009-07-30 vadim * OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions): fixes #259 Generated script should check if brctl, vconfig and ifenslave tools are available before using them.
* Host.cpp (Host::getManagementAddress): the program failed to retrieve ip address that should be used to talk to the fw when management interface was subinterface. Fixes #260 * linux24advanceddialog_q.ui: Fixes #258 fixed tab order in the dialog. 2009-07-29 vadim * linux24AdvancedDialog.cpp (linux24AdvancedDialog::linux24AdvancedDialog): Added input fields for vconfig, brctl and ifenslave to the host settings dialogs for linux24, linksys, ipcop, openwrt. See #256 * DiscoveryDruid.cpp (DiscoveryDruid::addInterface): Removed obsolete checkbox "Add virtual addresses", we always discover virtual addresses. Instead added checkbox "Add interfaces with no ip addresses". If this option is turned on, discovery druid creates interfaces with no ip addresses as "unnumbered". Even when this option is off, interfaces with no addresses are created if they are discovered to have vlan, bridge or bonding subinterfaces. Fixes #246 and 229 * NetworkDialog.cpp (NetworkDialog::validate): Fixes #251: do not allow 0 bit netmask for Network and NetworkIPv6 objects. * linux24Interfaces.cpp (linux24Interfaces::rearrangeInterfaces): Special treatment of the vlan subinterfaces that are members of bridge group: snmp discovery now creates subinterfaces for these vlan interfaces twice, first time as a child of the bridge interface and then also as a vlan subinterface of the parent physical interface. For example, in the configuration such as the following bridge name bridge id STP enabled interfaces br0 8000.000c29f6bebe no eth4.102 eth5 We create interface br0 with subinterfaces eth4.102, eth5, and also we create interface eth4 with subinterface eth4.102 * ObjectManipulator.cpp (ObjectManipulator::makeNameUnique): duplicate names are automatically fixed only if objects with the same name belong to the same parent. Identical names on different levels are allowed.
For example, interface "eth0" can be a direct child of a Firewall object (so it can have vlan subinterfaces) and a member of the bridge group where it is a child of another interface. 2009-07-28 vadim * NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): remove extra white space after tcp port spec if source port match was not used in the rule. * PolicyCompiler_pf.cpp (fillDirection::processNext): Applied patch per bug report #2828633: "Patch: Warning when changing rule direction in compiler". This adds warning when rule direction is changed by the compiler because object in source or destination was firewall itself. * PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): Implemented change per bug #2828602: "PF Compiler Direction Both no Duplication Patch". PF rules with direction "both" used to be split to make two rules, one with direction "inbound" and another with direction "outbound". This was an artefact of old rule generation model where user could choose to permit everything outbound and only generate inbound rules, or generate both inbound and outbound rules. Since we now always generate both in and out rules and PF matches both directions when neither "in" nor "out" is specified, this splitting has become redundant. * Compiler_cluster.cpp (Compiler::populateClusterElements): while scanning interfaces-members of a failover group, use only those that are children of the firewall that we are compiling. fixes #242 "fwb_ipt generates duplicate automatic rules for heartbeat and other protocols" * FWWindow.cpp (FWWindow::disableActions): Always enable toolbar buttons "Compile" and "Install". Fixes #249 * FirewallDialog.cpp (FirewallDialog::validate): fixes #248 "setting firewall type as empty space crashes". Note that the combobox with firewall platforms will have separators instead of spaces if QT version is 4.5 or above. Separators are not selectable so this problem can not happen with later versions of QT.
Old versions of QT do not support separators in QComboBox widget, which is why spaces are inserted in the list. This change makes the program validate platform and host os settings and not allow empty strings. * RoutingRuleOptionsDialog.cpp (RoutingRuleOptionsDialog::loadFWObject): fixes #247 - "lusters->fw->routing->insert rule->options causes segfault". Needed to check for Firewall and Cluster types here and in a few other places. * instDialog_ui_ops.cpp (instDialog::completeInstallerOptions): fixes #244: "installer does not check subinterfaces when it is looking for management interface" * OSConfigurator_linux24_interfaces.cpp (OSConfigurator_linux24::printVlanInterfaceConfigurationCommands): fixes #243 - need to set naming schema for vlan interfaces in a separate command before creating vlan interface. Doing so in one vconfig command causes error. * DiscoveryDruid.cpp (DiscoveryDruid::createRealObjects): discovery druid guesses which interfaces from the list found by SNMP crawler are vlan subinterfaces and creates them as children of the corresponding top level interface. It also sets interface type and vlan ID. Fixes #239 Bonding and bridge subinterfaces are also recognized. * DiscoveryDruid.cpp (DiscoveryDruid::createRealObjects): discovery druid sets firewall platform and host OS using information from sysDescr OID. fixes #241 * linux24Interfaces.cpp (linux24Interfaces::rearrangeInterfaces): this new class implements various algorithms used to guess which interfaces discovered by SNMP crawler might be vlan subinterfaces. It will also find bonding and bridge interfaces. Fixes #240 2009-07-27 vadim * clusterMembersDialog.cpp (clusterMembersDialog::createMember): support for subinterfaces as cluster group members. 
Fixes #235 2009-07-26 vadim * PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext): Better way to do optimization for "-i +", "-o +" for bug #2822098: check for interfaceStr equal to "*" instead of re->isAny() * CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): check all interfaces, including subinterfaces to make sure all the ones marked as "regular" have IP addresses. * DialogFactory.cpp (DialogFactory::createClusterGroupOptionsDialog): fixed bug introduced in r1208 - clicking button "Edit protocol settings" in the failover group with type "heartbeat" failed to open the dialog. * PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext): Better way to do optimization for "-i +", "-o +" for bug #2822098: check for interfaceStr equal to "*" instead of re->isAny() 2009-07-25 vadim * OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands): the program did not create commands to add ip addresses to VLAN subinterfaces. Fixes #226 * openaisOptionsDialog.cpp (openaisOptionsDialog::openaisOptionsDialog): Added support for OpenAIS failover protocol in the GUI and policy compiler for iptables. Fixes #214 * newFirewallDialog.cpp (newFirewallDialog::finishClicked): the program left platform and os settings undefined of the new firewall object created from template. Fixes #210 * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule): Policy compiler for iptables adds automatic rules for heartbeat protocol if it is used for failover. Rules permit all udp port 694 in and out on the given interface. Refs #213 * Cluster.cpp (Cluster::getMembersList): need to scan not only StateSyncClusterGroup child objects but also all FailoverClusterGroup objects in order to find all member firewalls. The program used to look only at StateSyncClusterGroup objects, which meant it did not recognize any members if state sync group was empty. This fixes issue #4 in the bug #2826765: "problems and suggestions for 3.1.0-b1187". 
2009-07-24 vadim * PolicyCompiler_ipt.cpp (decideOnChainIfDstFW::processNext): There was no rule in INPUT chain generated when cluster object was in "destination". Fixes #215 * CompilerDriver_ipt.cpp (CompilerDriver_ipt::processPolicyRuleSet): fixed problem #2 "duplicate rules" reported in the bug #2826765: "problems and suggestions for 3.1.0-b1187". Compiler did not add a call to the shell function reset_iptables_v4 to reset all chains. * Rule.cpp (PolicyRule::getBranch): fixed problem #4 "GUI crash when setting action to be a chain." reported in the bug #2826765: "problems and suggestions for 3.1.0-b1187". The GUI crashed when policy rule in the cluster policy was set to action "Chain". 2009-07-23 vadim * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertConntrackRule): automatically added rules that permit conntrackd messages use address and port configured in the protocol options for the state sync group for the cluster, or if these are empty, default values from the host OS xml resource file. Generated rules are configured to go into INPUT and OUTPUT chains. Refs #212 * conntrackOptionsDialog.cpp (conntrackOptionsDialog::conntrackOptionsDialog): make conntrackd multicast address and udp port configurable in the protocol options dialog for conntrackd state sync protocol. Default address and port are stored in the host OS xml resource file. Refs #212 2009-07-19 vadim * PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext): fixed bug #2823951: "unnecessary rules in FORWARD chain". Policy rules that have interface object in "Interface" column and direction "Both" generate unnecessary iptables commands in the FORWARD chain when destination matches one of the addresses that belong to the firewall. 2009-07-18 vadim * RuleSetView.cpp (RuleSetView::moveRule): fixed bug #2823668: "MDI window glitch". If the GUI had two or more MDI windows and user moved rules in one of them, the GUI switched to another after the operation was complete. 
* resources.xml.in: Removed unused XML elements from the resource file. A lot of the stuff was obsolete in there. * ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): New icons for v4. Cleanup in the code to make sure we use proper icons everywhere. 2009-07-17 vadim * linux24.xml.in: Moved tables of allowed failover and state sync types as well as interface and subinterface types from the code in platforms.cpp to the OS resource files in src/res/os/*.xml.in Fixes #58 * fwbuilder.dtd.in (Library): fixed bug #2823424: "Deleting UserService object breaks data file format". When user deleted UserService object, it was moved to the "Deleted Objects" library which broke XML file because DTD did not allow UserService element as a child of Library 2009-07-16 vadim * newClusterDialog.cpp (newClusterDialog::shrinkListOfPlatforms): clean-up in the newClusterDialog class. List of platforms shown on the first page should include only platforms that support clustering. Fixes #197 * FWBTree.cpp (systemObjects): system group "Clusters" moves to the top level of the tree. Fixes #167 2009-07-15 vadim * PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext): fixed bug #2822098: "IPT: adds useless "-i +" iin some cases". Added optimization to remove redundant "-i +" and "-o +" if chain is INPUT or OUTPUT. 2009-07-14 vadim * PolicyCompiler_ipt.cpp (singleItfNegation::processNext): fixed bug #2819901: "sub-optimal expansion of negated interface". Policy rules with single interface object in "interface" rule element with negation should generate iptables commands using "-i ! itf" or "-o ! itf" rather than multiply the rule using all other interfaces of the firewall. Note that for iptables v1.4.3 and later, extrapositioned syntax is used, such as "! -i itf". * PolicyCompiler_PrintRule.cpp, NATCompiler_PrintRule.cpp: fixed bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives warnings". 
Starting with v1.4.3.1 iptables started giving warnings when negation ("!") is used after --option. This fix adds version "1.4.3" to the list of recognized iptables versions in fwbuilder and makes compiler generate extrapositioned version of the option such as "! --option arg". 2009-07-13 vadim * iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog): fixed bug #2820840: "IPT: prolog script+iptables-restore silent incompatibility". With this fix the GUI does not allow for the prolog script to be placed after policy reset if iptables-restore is used to activate iptables rules. Also policy compiler for iptables checks for this condition and aborts with an error message if prolog place is set to "after reset" but iptables-restore is used to activate policy. Configuration may end up with this combination of options if user set prolog place to "after reset" first and switched activation method to iptables-restore later. * ACL.cpp (ciscoACL::addRemark): fixed bug #1778536 "IOSACL - remark command". Remarks now include rule comments; if comment consists of several lines, each line is added using separate remark statement. This works for both IOS ACL and PIX platforms. 2009-07-12 vadim * printerStream.cpp (printerStream::printQTable): fix bug #2807724: "Print out FWB still not ok". Taking into account hidden table rows associated with rule groups while printing rule sets. Before this fix some rules disappeared between pages in the printout. 2009-07-11 vadim * PrintingController.cpp (PrintingController::printRuleSet): bug #2807724: "Print out FWB still not ok". Rule groups were always printed expanded, even if they were collapsed by the user in the GUI. * OSConfigurator_openbsd.cpp (processFirewallOptions): fixed bug #2820162 "Bad sysctl name for OpenBSD pf" - the sysctl argument for IPv6 forwarding was incorrect. * AddressRange.h (libfwbuilder): fixed bug #2820152: "Address ranges and other such need IPv4/v6 typing".
AddressRange object should be recognized and removed from the rule if it is used in ipv6 rule set. To do this, add virtual method hasInetAddress() (should return true) to indicate that this object has an address. This works since virtual method getAddressPtr() has been implemented anyway. * VERSION (VERSION): started v3.0.6 2009-07-11 vadim * FindObjectWidget.cpp (FindObjectWidget::inSelectedFirewall): Search and replace did not work in scope "policy of opened firewall" for cluster policies. Fixes #185 * InterfaceDialog.cpp (InterfaceDialog::loadFWObject): since current implementation can not generate configuration commands for interfaces of the member firewalls using attributes of the cluster interface, disable GUI controls in the interface object dialog if it is an interface of a cluster. fixes #187 * Summary of changes in the "interface advanced options" dialogs for cluster interfaces. The "Advanced settings" button is now disabled in the dialog for the main cluster interface. The code has been changed to always check the type of the failover group instead of the interface type where it needs to determine failover protocol (vrrp, heartbeat or carp). All parameters of the failover protocol should be configured using failover group object. The "advanced options" dialog is still available for interfaces of the real firewalls and their subinterfaces. Fixes #109, refs #180, #183, #181, #187, #179, #163 2009-07-09 Vadim Kurland * OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands): user can now add loopback interface to the cluster object and use it in rules. This interface does not have failover group and has the usual 127.0.0.1/8 ip address. fixes #163 * OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces): ref #181: using failover group type instead of cluster interface type. * newClusterDialog.cpp (newClusterDialog::finishClicked): ref #183: set type of the cluster intrfaces to "cluster_intrface". 
Before, new cluster wizard unconditionally set it to "vrrp". Still need to add dialog elements to let user choose failover protocol. * linux24IfaceOptsDialog.cpp (linux24IfaceOptsDialog::linux24IfaceOptsDialog): fixes #180: hide "interface type" gui element from the "advanced" interface options dialog for the main interfaces of cluster objects. These interfaces have no parameters and their type always matches the type of failover cluster group object. All parameters of the failover protocol are set in the dialog of the failover group. * InterfaceDialog.cpp (InterfaceDialog::loadFWObject): ref #180 : disable "Advanced settings" button in the interface object dialog if it is the main interface of a cluster object. 2009-06-29 Vadim Kurland * CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Compiler checks types of state sync and failover groups and aborts if it finds unsupported type. Fixes #164 * ClusterDialog.cpp (ClusterDialog::resetClusterGroupTypes): fix types of state sync and failover groups when user changes host OS and/or platform. Fixes #164 2009-06-28 Vadim Kurland * OSConfigurator_linux24_interfaces.cpp (printBondingInterfaceConfigurationCommands): Support for interface bonding for generic Linux firewall. "Advanced" interface settings dialog provides three interface types: "vlan", "bridge", "bonding". For bonding interfaces, GUI controls are provided for the following parameters: mode, xmit_hash_policy and a free-style single line input field for other driver options. Fixes #172 * platforms.cpp (getInterfaceTypes): Support for "heartbeat" failover protocol in clusters: "heartbeat" interface type, "heartbeat" failover group type. Compiler adds rules to permit vrrp only when failover type is set to "vrrp". For "heartbeat" failover no rules are added at the moment.
Fixes #169 * Compiler_cluster.cpp (Compiler::processFailoverGroup): (change in libfwbuilder) fixes #166: cluster should be allowed to have interfaces with the same name as interfaces of the member firewall (i.e. "eth0"). This is necessary to support failover protocols that do not create virtual interfaces, but rather operate over normal interfaces, such as heartbeat. 2009-06-23 vadim * pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): force the tab widget to open tab 0 on creation of the dialog. Often after the dialog was modified in Designer, it is left in the state when it opens on some random page. This fixes #155 "pf advanced settings dialog opens on tab "Script" by default" * OSConfigurator_bsd.h: common class for all supported BSD-like host OS (freebsd, openbsd, macosx). Using common base class to avoid code duplication. This fixes #162 "ifconfig commands to create carp and pfsync interfaces are not generated for FreeBSD". * ClusterGroupDialog.cpp (ClusterGroupDialog::addIcon): fixes #161: pfsync protocol does not require "master" setting in cluster group. * clusterMembersDialog.cpp (clusterMembersDialog::availableClicked): Let user click in any column of the list except the very first to select interface to be added to the list of cluster group members. * clusterMembersDialog.cpp (clusterMembersDialog::updateAvailableTree): fixes #111 "Member dialog should keep the tree on the left hand side expanded all the time". The left hand side panel used to collapse all available firewalls, thus hiding their interfaces from view every time user added an interface to the right hand side panel. * CompilerDriver.cpp (CompilerDriver::configure): Using separator "," between fw object id and file name instead of ':' which was a poor choice because it is part of the file path on Windows. Fixes #157 * CompilerDriver_pf.cpp (CompilerDriver_pf::getConfFileName): Using QT classes QFileInfo and QDir to manipulate output file names and paths portably. 
* freebsd.xml.in: Support CARP/pfsync clusters on FreeBSD. 2009-06-19 vadim * release_notes_3.1.0_en_US.html: fixes #146: A warning telling the user that the way bridging interfaces should be configured has changed. Uses a one-time dialog created per #145. Refs #145 #147. * FWWindow.cpp (FWWindow::startupLoad): Fixes #145: universal facility for a one-time dialog shown to the user on program start. These dialogs will have important information about the release. Dialog is shown once for each version. 2009-06-18 vadim * newFirewallDialog.cpp (newFirewallDialog::newFirewallDialog): Fixes #90: Interface attribute "bridgeport" has been deprecated, removing GUI controls in the new firewall dialog and interface dialog. * InterfaceDialog.cpp (InterfaceDialog::loadFWObject): Fixes #143: If interface is a bridge port, then GUI elements "regular", "dynamic", "unnumbered" should be disabled because it can not have an ip address. Instead, showing text label "Bridge Port Interface". * ObjectManipulator.cpp (ObjectManipulator::relocateTo): Implemented drag&drop function to move objects from one place in the tree to another. Dragging with Ctrl button pressed creates a copy. Fixes #141. 2009-06-17 vadim * v3.0.5 released in the main production branch 2009-06-14 vadim * InterfaceDialog.cpp (InterfaceDialog::loadFWObject): Ticket #55: (libfwbuilder) deprecated isExt() and setExt() methods. Platforms that care about interface being external should use security levels. Currently this is only PIX and it uses sec. levels already. Also removed dialog element in InterfaceDialog class and references to these methods elsewhere. Compilers did not use the flag "ext" already. 2009-06-11 vadim * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printRule): implemented feature request #1778536: "IOSACL - remark command". This adds support for the "remark" command in generated IOS ACL configuration. Controlled by the checkbox "Add ACL remarks" in the "Script" tab of the firewall object settings dialog.
2009-06-09 vadim * NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): fixed bug #2803702 "NAT rule with source port range in TSrv is broken for PF". NAT rules matching source port ranges and translating source port ranges should be possible. * NATCompiler.cpp (classifyNATRule::processNext): (change in libfwbuilder) fixed bug #2803689 "NAT rule matching dport but chaning sport is broken". NAT rules that match destination port but translate source port should be possible (and the opposite too). 2009-06-08 vadim * NATCompiler_ipt.cpp (splitSDNATRule::processNext): Improved support for NAT rules that translate both source and destination: now a rule like this can translate both source and destination addresses and at the same time source and destination port ranges. Compiler generates two iptables commands, one with SNAT and another with DNAT translation for a rule like this. * PolicyCompiler_ipt.cpp (checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces): Using Compiler::abort() instead of throwing exception on all error conditions in the compiler. * NATCompiler_PrintRule.cpp (PrintRule::processNext): Added support for SNAT rules that translate only source port of udp or tcp packets. This rule generate "-j SNAT --to-source :" with no address part. 2009-06-06 vadim * PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): fixed bug (no #): compiler for PF did not remove rules using IPv4 objects while compiling policy set to be "combined IPv4 and IPv6" for IPv6 and vice versa. As the result, it used to double some rules because the would appear both in IPv4 and IPv6 sections of generated .conf file. 2009-06-05 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): fixed bug #2801548 "fwb_ipt should issue error for ipsrv with options for ipv6". Since IP options lsrr, ssrr, rr do not exist in ipv6, compiler should refuse to compile rules that request matching these options. 
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions): fixed bug #2801547 "fwb_iosacl should issue an error for ipservice with options". IOS access lists can not match source routing options set in IPService object, compiler should issue an error and abort processing when an object like this is encountered in a rule. * IPServiceDialog.cpp (IPServiceDialog::loadFWObject): fixed bug #2801545 "IP Service object: lsrr, ssrr, rr options not saved". * PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService): fixed bug #2801544 "missing space after tos option in pf config" 2009-06-04 vadim * IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed bug #2801362 "Iptables policy import does not handle rules with ESTABLISED". Policy importer for iptables should properly handle rules that use combination of a "-p protocol" and match state "RELATED,ESTABLISHED". Example: -A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT This rule should translate into fwbuilder rule using CustomService object with code "-m state --state RELATED,ESTABLISHED" and protocol spec "tcp". 2009-06-03 vadim * ObjectManipulator.cpp (ObjectManipulator::findWhereUsedRecursively): fixed bug #2800625 "recursive groups cause infinite loop and crash in compiler". When a group included itself, compiler used to go into infinite loop and crash. The fix in this function also takes care of the situation when group A referenced group B, which in turn referenced group A again. * OSConfigurator_linux24_interfaces.cpp (OSConfigurator_linux24::printBridgeInterfaceConfigurationCommands): implemented support for bridge configuration on Linux using brctl tool. Of bridge options only "stp on" is supported, it turns on STP protocol support on the bridge. 2009-06-02 vadim * OSConfigurator_linux24.cpp (OSConfigurator_linux24::configureInterfaces): implemented support for VLAN interfaces for Linux24 host os. Generated script uses "vconfig" to create and configure vlan interfaces. 
GUI provides elements for VLAN ID and VLAN interface name type (VLAN_PLUS_VID (vlan0005), VLAN_PLUS_VID_NO_PAD (vlan5), DEV_PLUS_VID (eth0.0005), DEV_PLUS_VID_NO_PAD (eth0.5). Compiler verifies that the name of the vlan interface object matches requested name type. 2009-06-01 vadim * OSConfigurator_openbsd.cpp (OSConfigurator_openbsd::configureInterfaces): implemented support for pfsync interface configuration for OpenBSD. Unicast communication method can be configured using checkbox in the pfsync protocol options dialog. Compiler generates ifconfig commands to configure pfsync virtual interfaces if checkbox "Configure pfsync interfaces" is turned on in the pf "advanced" settings dialog. Only one pfsync interface per firewall is supported (pfsync0), only with IPv4 addresses. * OSConfigurator_openbsd.cpp (OSConfigurator_openbsd::configureInterfaces): implemented support for CARP interface configuration for OpenBSD. Generated script uses ifconfig to create and configure carpN interfaces. The script is added only if option "Configure CARP interfaces" is turned on in the "advanced" settings dialog for PF. Currently only IPv4 addresses are supported and only one address per CARP interface is configured. CARP password and VHID are defined in the failover protocol settings dialog that user can open by clicking "Protocol parameters" button in the Failover group object dialog. * newHostDialog.cpp (newHostDialog::selectedInterface): fixed the same error reported in bug #2799163: "crash on correcting an error". The GUI crashed if user tried to add, then delete interfaces in the new firewall wizard. The crash occurred when the last interface was deleted on the page where interfaces can be configured manually. This needed to be fixed in both "new firewall" and "new host" dialogs. 2009-05-31 vadim * FindObjectWidget.cpp (FindObjectWidget::findNext): fixed bug #2799315 "Find object" cant find object in rules of opened firewall. 
If scope was set to "policy of the opened firewall", "Find object" function could not find anything. It worked when scope was set to "policy of all firewalls". * RuleSetView.cpp (RuleSetView::contextMenu): fixed bug #2799254 "Erratic behavior when rule is removed from the group". If user tried to remove a rule from the middle of a group of rules, the GUI behaved erratically. It showed two groups with the same name, each of these two groups claimed to have more rules than it really did. Also only one of these two groups could be collapsed at the time. Other weird things also happened. The fix is to not allow removing a rule from the rule group if the rule is in the middle. * newFirewallDialog.cpp (newFirewallDialog::selectedInterface): fixed bug #2799163: "crash on correcting an error". The GUI crashed if user tried to add, then delete interfaces in the new firewall wizard. The crash occurred when the last interface was deleted on the page where interfaces can be configured manually. * ObjectTreeView.cpp (ObjectTreeView::dragMoveEvent): fixed bug #2799174: "Multiple instance crashes a bug". The GUI crashed if user tried to drag and drop an object between two different running copies. Copy/Paste and Drag&Drop between separate copies are not supported at this time. 2009-05-30 vadim * CompilerDriver_pf_run.cpp (CompilerDriver_pf::run): ref #22: compiler for PF uses CompilerDriver class. 2009-05-29 vadim * newFirewallDialog.cpp (newFirewallDialog::finishClicked): better fix for the bug #2796760 "Display error when adding new FW with multiple interfaces". 2009-05-28 vadim * ObjectManipulator.cpp (ObjectManipulator::actuallyCreateObject): fixed bug #2797791: "Display error when duplicating an object". * InterfaceData.cpp (InterfaceData::guessSecurityLevel): (change in libfwbuilder) set security level to 0 (insecure) by default. 
This makes all interfaces of the newly created firewall be "external" or "insecure" unless they were assigned labels or addresses from the private address space in which case guessSecurityLevel() assigns level 100. This addresses bug #2796760 "Display error when adding new FW with multiple interfaces". 2009-05-27 vadim * RCSFilePreview.cpp (RCSViewItem::operator<): implemented feature req. #2796238 "3.0.4 - FEAT REQ: Sort order for RCSFilePreview". RCS file preview dialog (the one that shows RCS revisions and RCS log records) can display revisions in the tree or list view style, controlled by radio-buttons. Style setting is saved in user preferences and persists from session to session. In both cases the view can be sorted by revision number or data. Sort column choice is also saved in preferences. By default program sorts by date and selects the latest revision. * ObjectManipulator.cpp (ObjectManipulator::actuallyPasteTo): fixed bug (no #): the GUI did not allow to copy/paste an address from one interface to another. This should be possible. * PolicyCompiler_pf_writers.cpp (PrintRule::_printAddr): fixed bug (no #): policy compiler for pf crashed when dynamic interface was used in source or destination of a policy rule. * ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested): fixed bug #2793144 "Context menu item for the new User Service object is missing". 2009-05-21 vadim * ProjectPanel_file_ops.cpp (ProjectPanel::fileOpen): (finally) fixed the algorithm used to determine directory offered to the user when they use main menu File/Open to open a file: 1) if "work directory" is configured in preferences, always use it first; 2) if it is blank, use the same directory where currently opened file is located; 3) if this is the first file to be opened, use the same directory user used last time they ran the program (saved in user settings). * RuleSetView.cpp (RuleSetView::pasteObject): fixed bug #2794827 "crash when pasting from a Library in a another file". 
The GUI crashed if user tried to copy/paste an object from one data file into a rule in another. 2009-05-20 vadim * ObjectEditor.cpp (ObjectEditor::help): Added support for the built-in help page for all objects dialogs, including rule actions and options dialog. Implemented help pages for actions "Route", "Branch", "Tag", "Classify" and rule options dialogs for iptables and pf. Button "Help" is greyed out if corresponding help page is unavailable. * RuleSetView.cpp (RuleSetView::switchObjectInEditor): fixed bug #2794484 "Crash after click in the "Options" col of rule group title". 2009-05-16 vadim * PolicyCompiler_ipt.cpp (checkInterfaceAgainstAddressFamily::processNext): fixed bug #2792888: "interface with only v4 address is used in v6 rules". Compiler should drop rule if it is associate with an interface that does not have address that belongs to the address family declared for the rule set. If interface has only ipv4 address, it will never see ipv6 packets and therefore rules that have this interface in the "interface" rule element should not be included in the output generated for the ipv6 or combined ipv4+ipv6 rule sets. 2009-05-14 vadim * PolicyCompiler_pf.cpp (fillDirection::processNext): fixed bug #2791950 "no way to generate "pass out" rule with no interface". Compiler created two rules "pass out" and "pass in" for rules with no interface and direction "in" or "out". It should create one rule with direction defined by the rule in the GUI. 2009-05-12 vadim * PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed bug #2790927: "Add support for "sloppy" state tracking for PF". * FWWindowPrint.cpp (FWWindow::tableResolutionSettingChanged): Using slider widget to set table scaling factor; now user can choose any scaling factor between 1 and 200%. 
This fixes bug #2789903: "Table scaling when printing in 3.0.4" 2009-05-09 vadim * OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions): Moved configuration for the location of kernel modules to host os resource file (attribute Target/options/default/modules_dir). The value of this attribute is different for OpenWRT. This fixes ticket #2. * DialogFactory.cpp (DialogFactory::createFWDialog): Now that we use common platform "iptables" for linux-based appliances and differentiate them by host_OS, dialog for IPCOP, Endian and OneShield is determined using combination of platform and host family attribute from the os resource file. * OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions): Fixes #2: added host OS "OpenWRT"; the only difference at this time is the path to the directory where kernel modules are found. * ipt.cpp (main): Now that we use the same platform name for iptables on linux, ipcop, endian, oneshield and secuwall, there is no need for policy/nat/routing compiler classes for ipcop. * platform/iptables.xml.in: Unified support for different iptables appliances: configuration will require platform "iptables" and host os that corresponds to the chosen appliance. This matches support for Secuwall and is easier to maintain than separate platform-os pairs for each appliance. 2009-05-08 vadim * clusterMembersDialog.h (class clusterMembersDialog): Renamed class and module secuwallClusterConfDialog to clusterMembersDialog. This dialog is generic and is not specific to secunet wall in any way. This fixes #13. * PolicyCompiler_ipt.cpp (removeFW::processNext): fixes #15: using Compiler::isFirewallOrCluster to match object in rules to either a firewall or its parent cluster. This helps compiler identify cluster in rules and choose correct chains (INPUT/OUTPUT) as if firewall object was there.
* CompilerDriver.cpp (CompilerDriver::determineOutputFileName): this method implements logic that extracts enforced output file names from command line parameters of the compiler or determines these names automatically. * instDialog_compile.cpp (instDialog::prepareArgForCompiler): While compiling firewall cluster, passing output file name to the compiler using "-O" command line option. The old option "-o" is preserved for backwards compatibility and is used while compiling stand-alone firewall objects. 2009-05-07 vadim * instDialog_ui_ops.cpp (instDialog::createTreeItem): dialog that lists firewalls and clusters for compilation and installation puts checkbox for compile next to a cluster and checkbox for install next to a real firewall. Checkboxes are pre-checked if corresponding objects require compilation and installation. Mutual dependencies between cluster and its members are tracked. this fixes #19 * ipt.cpp (main): Policy compiler for iptables accepts either Firewall or Cluster object as an argument. If Cluster is specified, compiler runs itself several times, generating script for each member firewall. Object can be defined by its name or ID as before. This fixes #18. * CompilerDriver.h (class CompilerDriver): Introduced class CompilerDriver that controls invocation of Policy, Mangle, NAT and Routing compilers for one firewall. The firewall may be part of a cluster, in which case we create several objects of this class and process each member firewall separately. * PolicyCompiler_secuwall.cpp (PolicyCompiler_secuwall::addMgmtRule): fixes #16: using RuleSet::insertRuleAtTop with arg hidden_rule to make automatic rules added for secunet wall "hidden". This way, these rules are ignored during shadowing detection and their position numbers are forced negative so that position numbers of regular rules do not change. 
2009-05-06 vadim * FirewallInstallerCisco.cpp (FirewallInstallerCisco::activatePolicy): fixed bug #2787932 "External install script is not supported for PIX". 2009-05-04 vadim * instDialog_ui_ops.cpp (instDialog::fillCompileSelectList): dialog that shows list of firewalls for compilation and installation now uses QTreeWidget and displays firewall clusters and corresponding member firewalls as branches in the tree. The rest of the functionality remains the same as before. If user selected a cluster object in the object tree and clicked "Compile" in its context menu, only member firewalls of this clusters are going to be checked for compilation. Clicking "Compile" toolbar button or main menu selects all firewalls for compilation as before. Cluster objects can not be selected (do not have checkboxes in the widget) because compiler and installer works with actual firewall objects rather than cluster objects. This fixes ticket #7. 2009-05-02 vadim * DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): fixed bug #2785671 "Menu 'Import Policy' opens wizard with wrong option checked". The "discovery druid' dialog would open on the first page (where user makes a choice which discovery method to use) even when called via main menu "File/Import Policy" and radio button for the SNMP discovery was activated. 2009-04-30 Vadim Kurland * ObjectManipulator.cpp (ObjectManipulator::addTreePage): fixed bug #2783780: using QTreeWidget::sortItems() instead of sortByColumn to sort objects in the tree. 2009-04-29 Vadim Kurland * RoutingCompiler_pix.cpp (RoutingCompiler_pix::prolog): fixes bug #2782645: "Can't compile for FWSM platform". Routing compiler for PIX should accept firewall object with platform "fwsm" as well as "pix". * ObjectManipulator.cpp (ObjectManipulator::actuallyCreateObject): fixes bug #2783780: "Tree objects not sorted in 3.0.4". 
Automatically re-sort object branch when new host or firewall object is created so that the new object is positioned in the alphabetic sorting order. 2009-04-27 vadim * ObjectManipulator.cpp (ObjectManipulator::getMenuState): for bug #2782289: "Crashes when deleting unused host object". Added safeguards to make it impossible to delete objects in the Standard library, as well as for a few other cases. Waiting for a clarification on the bug anyway. * ObjectListView.cpp (ObjectListView::dragObject): fixed bug #2781952: "fwbuilder (3.0.4-b794) crashes when creating a new group". The GUI crashed if user clicked and dragged mouse inside empty list of group members in the dialog of the new group object. 2009-04-17 vadim * ClusterDialog.cpp (ClusterDialog::ClusterDialog): Support for clusters of firewalls * Merging patches from Secunet Security Networks AG to add support for Secuwall firewall. * VERSION: start v3.1.0 branch v3_1_secunet 2009-04-15 vadim * ipcopAdvancedDialog.cpp (ipcopAdvancedDialog::ipcopAdvancedDialog): Integration with IPCOP, Endian and OneShield firewall appliances (all based on linux/iptables). This sets generate file name to "rc.firewall.local", destination directory on the firewall to "/etc/rc.d/" and activation command to "/etc/rc.d/rc.firewall restart". Provided resource files for ipcop, endian and oneshield platforms and os define default parameters, including path to iptables and other command line tools. Generated script performs minimal environment setting, because everything is supposed to be set up by the appliance itself. Iptables commands are put in the standard chains INPUT/OUTPUT/FORWARD, with user-defined chains created as required. At this time policy and NAT rules work. Rules added by fwbuilder are activated by the standard appliance firewall script rc.firewall after all IPCOP rules are added and before all hooks. This means rules created by fwbuilder do not replace rules added by the appliance, but work together with those. 
Prolog and epilog user-defined sections work as well. Prolog is always added on top of the rules generated by fwbuilder. Prolog and epilog sections can include any kind of shell commands, not only iptables rules. Two new firewall templates are provided: one for IPCOP/Endian firewall with two interfaces (br0 is GREEN and eth1 is RED) and another for the appliance with three interfaces (additionally eth2, as ORANGE). * ipt.cpp (main): implemented feature request #2454447 "Standard options for startup-script". Script generated by fwbuilder now accepts standard arguments "start" and "stop". Running the script with no argument is equivalent to "start" for backwards compatibility. Running script with argument "stop" resets iptables tables and chains and sets all to default policy DROP (beware!). 2009-04-11 vadim * platforms.cpp (setPlatform): Firewall platforms are grouped in the drop-down list that appears in the firewall object dialog and new firewall creation dialog. Platforms are grouped using XML element in the platform xml resource file. * newFirewallDialog.cpp (newFirewallDialog::finishClicked): remember firewall platform used to create new firewall object between sessions. Also limit set of host OS shown in the second combo box to only those supported by chosen firewall platform. * VERSION: start v3.1.0 * platforms.cpp (setHostOS): fill "host OS" drop-down list with OS names supported for the chosen firewall platform. 2009-04-10 vadim * ipt.cpp (dumpScript): fixed bug #2356131: "Iptables-restore option broken for multiple policy sets". Compiler inserted redundant line "echo COMMIT" to the iptables script if iptables-restore was used and there were no rules in the mangle table. * ObjectManipulator.cpp (ObjectManipulator::findWhereUsedRecursively): fixed bug #2744798 "dependency checking failed". 
In case when an object was used in a group and group used in a rule of a firewall, the program failed to properly update "last modified" attribute of the firewall when the object was changed. 2009-04-09 vadim * VERSION: start v3.0.5 2009-04-08 Vadim Kurland * v3.0.4 released, merged to the trunk, this comment is r796 2009-03-29 vadim * v3.0.4 release 2009-03-25 vadim * NATCompiler_pf_writers.cpp (PrintRule::_printPort): fixed bug #2712514: "Bug in PF NAT Writer - 'tagged' keyword". Keyword 'tagged' is only allowed on the left hand side of '->' in nat and rdr rules. * RuleElement.cpp (RuleElementTSrv::validateChild): (change in libfwbuilder) fixed bug #2712575: "NAT RuleSetView allows TagService to be in Translated Svc". TagService object should not be allowed in "Translated Service" in NAT rules. 2009-03-24 vadim * DialogData.cpp (DialogData::loadToWidget): fixed bug #2710309: "Bug in gui/DialogData.cpp when not using mapping.". There was a bug in DialogData.cpp that when setting the value of a combobox and not using a mapping array the requested value would not be selected. Applied patch provided by Tom Judge ( tomjudge ) * platforms.cpp (init_platforms): fixed bug #2710300 "Bug in gui/platforms.cpp". there was a discrepancy between the list of route-to options for PF and UI elements. * pf.cpp (main): more changes to add support for externally-controlled policy rulesets for PF: if policy ruleset name ends with "/*", the program assumes it is controlled by external means and does not compile rules in it and does not create .conf file from it. * PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): Added support for anchor names with "/*" suffix for PF. Now the user can create policy ruleset with name e.g. "ftp-proxy/*" and then set up branching rule pointing to this ruleset. This ruleset is treated by the program in a special way. First, it allows characters "/" and "*" in the name of the ruleset (but only for PF firewalls). 
Second, compiler does not create a .conf file with rules from this ruleset, assuming that it will be controlled by external program such as ftp-proxy. See man page ftp-proxy(8) for examples. 2009-03-23 vadim * pf.cpp (main): fixed bug (no #): compiler for pf added code provided in the "prolog" section while option was set to "add after table definitions" in the incorrect place. 2009-03-22 vadim * RuleSetView.cpp (RuleSetView::updateGroups): fixed bug #2701593 "gui problem". Adding a rule to a policy with rule groups caused weird rule display - a rule immediately above rule group header would appear empty, with only "Source" showing. 2009-03-19 vadim * iosacl.cpp (safetyNetInstall): fixed bug #2694146: "IPv6 temporary ACL blocks ICMPv6". Temporary ipv6 access list created for the "safety net install" should permit icmp. 2009-03-18 vadim * iosacl.cpp (safetyNetInstall): fixed bug #2694440 "Multiple policies cause multiple temporary ACLs": when "safety net install" option is used, temporary access list must be generated only once even when firewall object has multiple rulesets. * PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed bug #2694432 "IOS ACL syntax error with IPv6 host addresses & "safety net"": temporary access list created for IOS when option "safety net install" is used and ipv6 address is provided should use keyword "host" if provided address does not specify netmask. * fwbedit: properly saving data file after "checktree" operation 2009-03-17 vadim * PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed bug #2689978: "IOS ACL 'safety net' doesn't support IPv6?". Compiler did not process properly ipv6 address entered in the "safety net" install script option parameter. * iosaclAdvancedDialog.cpp, pixAdvancedDialog.cpp: fixed bug #2689987: "Typo in "script options" tab in 'Firewall settings'". * IPv6Dialog.cpp (IPv6Dialog::changed): fixed bug #2689958 "Error changing properties of a IPv6 address". 
Button "Apply" would stay greyed out when user changed network prefix length in IPv6 address dialog. 2009-03-12 vadim * PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed few bugs (no #) in policy compiler for Cisco IPv6 ACLs: - The "extended" keyword is not supported by IOS for IPv6 ACLs - keyword "established" is only valid in combination with protocol tcp. If standard CustomService objects "ESTABLISHED" and "ESTABLISHED ipv6" are used in a rule, enforce protocol to "tcp". - command to clear ipv6 access lists should be "no ipv6 access-list ipv6_management_in" - command to assign ipv6 acl to interface should be "ipv6 traffic-filter ipv6_acl in" * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printAddr): fixed bug (no #): compiler for IOS ACL used not to ignore netmasks of IPv4 and IPv6 objects and added them to the generated access list with netmask wildcard bits 255.255.255.255 which was equivalent to 'any'. 2009-03-11 vadim * RuleSetView.cpp (RuleSetView::createGroup): fixed bug (no #): if user selected some rules that belonged to a group and few other rules that did not belong to any group at the same time and used context menu to place all these rules in a new group, the GUI used to crash. 2009-03-06 vadim * ProjectPanel.h (class ProjectPanel): code clean-up: removed obsolete method getAddOnLibs() 2009-03-05 vadim * RoutingCompiler_ipt.cpp (addressRangesInDst::processNext): fixed bug #2666971 "fwb_ipt crashes when Address Range object in routing rule". Policy compiler for iptables crashed if Address Range object was used in "Destination" of a routing rule. * RuleSetView.cpp (RuleSetView::insertRule), ProjectPanel.cpp (ProjectPanel::closeEvent): fixed bug #2656815 "Copy/paste does not work properly". Fixed Copy/Paste problem with policy rules and crash reported in this bug report. 2009-03-04 vadim * iosacl.cpp (main), FirewallDialog::platformChanged(): fixed bug #2662290: "fwb_iosacl crash after firewall converted from iptables". 
If user changed platform setting of the firewall object, the program preserved its old version which was invalid for the new platform. 2009-03-02 vadim * RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): finish fixes for bugs #2540389: "Routing Broken from 2.1 to 3.0.3" and #2356151 "Routing broken when default route has a 0 metric". Redirect script output to a file for the time when we remove static routing entries and add new ones to prevent ssh session from stalling. Restore output back to the terminal when script finishes or when an error is detected. Using idea suggested by Heiko Helmle 2009-02-27 vadim * RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed bugs #2540389: "Routing Broken from 2.1 to 3.0.3" and #2356151 "Routing broken when default route has a 0 metric". Generated script preserved default route when it deleted route entries before installing new ones. This was different in v2.1 where default was deleted together with other routing entries. The reason for this change (made some time in summer of 2008) was that if user did not define default route in their routing ruleset, the script would delete existing default without installing new one, leaving firewall with no default route at all. Now the script deletes default if there is new one to install and preserves it otherwise. * RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed bug (no #): if generated firewall script detects an error from one of the commands that install routing rules and runs function that restores previous routing entries, it should also run epilog commands. 2009-02-21 vadim * FirewallInstaller.cpp (FirewallInstaller::getDestinationDir): bugfix (bug was introduced in build 768). If user entered alternative activation command in the "installer" tab of the firewall object settings dialog, the program confused it with destination directory and tried to execute incorrect command to copy files to the firewall. This build (770) fixes this problem. 
* SSHUnx.cpp (SSHUnx::SSHUnx): New feature: built-in installer can now enter sudo password. There is no need to configure firewall management account for password-less sudo access anymore. 2009-02-19 vadim * FirewallInstaller.cpp (FirewallInstaller::getDestinationDir): fixed bug #2618772 ""test install" option does not work". If "test install" checkbox was checked in the installer options dialog, the program copied file to directory /etc/fw on the firewall but tried to find it in /etc/fw/tmp to run. * FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): fix bug #2618686 "built-in installer can not handle ipv6 management address". Built-in installer did not properly form the scp and ssh command lines when it had to use an IPv6 address to communicate with the firewall. 2009-02-17 vadim * Management.cpp (Management::fromXML): (change in libfwbuilder): fixed bug #2609796 "internal object Management does not accept ipv6 address". Class Management should accept ipv6 address. The problem was that if an interface of the firewall had only ipv6 address and was marked as "management" interface, saving such configuration to .fwb file created broken data file that could not be loaded back. The error was: The program encountered error trying to load data file. The file has not been loaded. Error: Exception: Invalid IP address: 'aaaa:bbbb:cccc::1' XML element : Management where aaaa:bbbb:cccc: is ipv6 address. 2009-02-13 vadim * PolicyCompiler_ipt.cpp (finalizeChain::processNext): fixed bug #2597959 "rules disappear in ipv6 policy unless ipv4 forwarding is on". Example: IPv6 policy, rule where fw object and internal network are in source, destination is "any". If option "assume firewall is part of any" was turned off and ipv6 forwarding was on but ipv4 forwarding was off, this rule did not yield any iptables commands in generated script. * iosaclAdvancedDialog.cpp (iosaclAdvancedDialog::accept): fixed bug #2597949 "GUI crash in IOS ACL "advanced" settings dialog". 
GUI crashed upon click OK in the firewall settings dialog for the IOS ACL firewall. 2009-02-06 vadim * src/gui/Icons/accept_25.png: fixed bug #2565164 "Colorblind friendly Accept & Deny Icons". Accept and Deny icons were indistinguishable for red-green colorblind people. New icons incorporate standard symbolics for the "Accept" and "deny" functions to make them sufficiently different besides the color. 2009-02-05 vadim * src/res/os/linux24.xml.in: fixed bug #2568819 "generated script created on windows is not executable". If the GUI runs on Windows, produced .fw script lacks executable permission bit ('x') when it is copied over to the firewall with pscp.exe. Because of this, activation command "sudo -S /etc/fw/script.fw" can not run it and installation fails. Need to run "chmod" as part of the activation sequence. (We used to run chmod as part of the copy sequence when copying was done with ssh/plink.exe. Now that the copy is done with scp/pscp.exe, there is no way to change permissions bits on the firewall side during copy). * OSConfigurator_linux24.cpp: add empty line after user's code in prolog and epilog shell functions to make sure shell syntax is not violated if user does not end prolog or epilog code with linefeed. 2009-01-31 Vadim Kurland * ipt.cpp (processPolicyRuleSet): fixed bug #2550074: "Automatic rules for filter table included twice in iptables". If user had two policy ruleset objects marked as "top" rule set, then automatic rules were added twice. 2009-01-27 Vadim Kurland * ipt.cpp (main): bug #535146: "firewall script: exit code for ip6tables overwrites iptables". If generated iptables script used iptables-restore to activate the policy and contained both ipv4 and ipv6 iptables policies, return code from iptables-restore was overwritten with return code from ip6tables-restore and only the latter was returned as the return code of the script. 
To fix this, prolog and epilog commands were moved to shell functions prolog_commands and epilog_commands which are called from various places in the script. Script checks return code of iptables-restore and ip6tables-restore and if an error is detected from either, it runs epilog_commands and terminates, returning error code obtained from iptables-restore (or ip6tables-restore). In case of error, we always run epilog but do not turn ip forwarding on in the kernel. Also, if prolog place is set to "After iptables reset" in the GUI and script uses iptables-restore, prolog commands are executed just before iptables rules are sent to iptables-restore. This means if iptables-restore is used, position "after iptables reset" is equivalent to position "on top of the script". If iptables-restore is not used and prolog position is "after iptables reset", then prolog commands are executed right after the script flushes all chains in all tables and sets default policy for all chains. Other positions of prolog commands in the script (on top and after interface configuration) are unaffected and work as before. 2009-01-24 vadim * objects_init.xml.in: Added CustomService object "ESTABLISHED ipv6" which defines code for iptables, ipfw and IOS extended access lists for IPv6. * PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol): fixed behavior of policy compiler for ipfw which was broken in rev714 - it should print protocol "tcp" when custom service object that adds option "established" is used. This compiler worked like that before attribute "protocol" was added to the CustomService object. * platforms.cpp (getReadableRuleElementName): code refactoring: made it possible to translate ruleset table column names ("Source", "Destination" etc.). Currently only Russian translation is provided. 2009-01-23 vadim * FindWhereUsedWidget.cpp (FindWhereUsedWidget::createQTWidgetItem): fixed bug #2412334: "feature request: where used -> directly". 
There has been a change in the "Where used" function in v3.0 compared to the implementation in v2.1. New version showed not only rule elements and groups that referred to the given object, but also found all groups that referred to other groups that referred to the given object. Such recursive action was not always obvious to the user and was inconvenient when the function was used to find all places where given object was used with the goal to replace it with some other object. This fix reverts to the old behavior where only direct usages are reported by the "Where used" function. Elements of UI in this function have also been cleaned up and further unified with confirmation dialog shown when user tries to delete an object that is used in some groups and rules. * PolicyCompiler_PrintRule.cpp (PrintRule::_printChain): fixed bug #2507239: "length of iptables rule chain names not checked". Iptables does not allow chain names longer than 30 characters; policy compiler fwb_ipt should check for this. * PolicyCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug #2526173: "fwb_ipt crashes due to old-broadcast". This bug was introduced when support for module iprange was added. Need special check for AddressRange objects where start and end of range addresses are equal. * NetworkDialog.cpp (NetworkDialog::addressEntered): fixed bug (no #): the GUI used to check ip address entered for the network object whenever user switched focus from the address input widget in the network object dialog to another widget or even a different application to look up the address. This caused the program to show error dialog if this happened when the address was incomplete. This change makes the program verify the address only when user clicks "Apply". 2009-01-19 Vadim Kurland * FWWindow.cpp (FWWindow::prepareFileOpenRecentMenu): Added menu Files/Open Recent. This implements feature req. #2499615 "open last used file". 
* FWWindow.cpp (FWWindow::startupLoad): open StartTipDialog from FWWindow rather than main() to make sure this dialog always remains on top of the main window. * ProjectPanel_file_ops.cpp (ProjectPanel::autoSave): fixed bug #2499569: "fwbuilder crashes after some hours". The auto-save function now saves data file only if it has been modified. Frequent saves exacerbate small memory leaks that appear in some old versions of libxml2. 2009-01-17 Vadim Kurland * FWWindowPrint.cpp (FWWindow::filePrint): fixed bug (no #): the GUI crashed if user tried to use File/Print function when no ruleset was opened in the right hand panel. * printerStream.cpp (printerStream::printQTable): Applied patch by Paul@Auroragrp.Com that fixes problems with printing long rule sets. If rule set printout exceeded the length of the page, some rules at the bottom were cut off and lost. The patch corrects the problem by taking into account printer dpi while calculating position for page breaks. 2009-01-11 vadim * unknown.xml.in: fixed bug #2486558 "firewall platform "unknown" should support basic actions". 2009-01-10 vadim * DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromCrawler): bug #2023261 "IPv6 - SNMP discovery of interfaces not working for IPv6". SNMP discovery can now read IPv6 addresses of interfaces using IP-MIB RFC4293. Not all snmp agents support this MIB, for example only recent versions of net-snmp support it. * starting with v3.0.4 build 739 snmp discovery is supported on Windows. 2009-01-06 vadim * RoutingCompiler_iosacl_writers.cpp (PrintRule::PrintRule): fixes to make code compile on Windows. 2009-01-05 vadim * RoutingCompiler_cisco.cpp (RoutingCompiler_cisco::compile): fixed bug (no #): routing compiler for pix refused to add more than one routing rule with an error saying that other rules were duplicates. Error was introduced in build 732. 
2009-01-02 vadim * RoutingCompiler_iosacl.cpp (RoutingCompiler_iosacl::compile): Added support for generation of "ip route" commands for Cisco IOS. Variant of Cisco IOS "ip route" command where gateway is the name of one of the interfaces of the router is also supported. To get this, put interface object in the "gateway" column of the routing rule. * pix.xml.in, RuleSetView.cpp: Routing ruleset view shows column "interface" only for platforms that require it. Currently IOS does not require it, while other platforms for which routing commands generation is supported require it (iptables and PIX). 2009-01-01 vadim * RoutingCompiler_cisco.cpp: refactored PIX routing compiler by steven@openbsd.org to use it as a foundation of the routing compiler for both PIX and Cisco IOS (r731). * RoutingCompiler_pix.cpp: applied patch by Steven Mestdagh that adds support for static routing configuration for PIX. Patch tested and applied in r726. 2008-12-31 vadim * RuleSetView.cpp (RuleSetView::copyRule): fixed bug #2478528: "Crash when copying multiple policy rules". GUI crashed if user tried to copy/paste several rules, some of which belonged to rule group and some did not. 2008-12-30 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_clampTcpToMssRule): bug #2477775: "Clamp MTU doesn't work in ip6tables". iptables target TCPMSS is available in ip6tables only in 1.3.8 and later. * unfortunately the package is not going to work on Tiger because of the mismatch in versions of libnetsnmp library. If this library is packaged with the bundle, the program crashes because the code in libnetsnmp v15.1.0 (that comes with Leopard) depends on functions missing in libSystem on Tiger. If libnetsnmp is not packaged with the bundle, then stubs linked with the GUI on Leopard do not match libnetsnmp that comes with Tiger (older version). So, even though we now have universal Mac OS X binary, it will only work on Leopard. 
2008-12-29 vadim * FirewallInstallerUnx.cpp (FirewallInstallerUnx::executeInstallScript) bug #2474949: "External install script: trailing spaces". Trimming leading and trailing white spaces in the external installation script and its arguments before running it. * runqmake.sh: starting with v3.0.4 build 717, building universal binary for Mac OS X (both x86 and ppc architectures) * bug #2474194 "Please Provide MacOS X PowerPC Builds": debugging universal binary package for Mac OS X, trying to make it work on Tiger as well 2008-12-28 vadim * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printDstService): support for the CustomService in compiler for IOS ACL, including support for address family, protocol and code string parameters. * PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol): support for the new "protocol" parameter of the CustomService object in compilers for ipfilter and ipfw. * NATCompiler_pf_writers.cpp (PrintRule::_printProtocol): 'checking for "proto ..." in the custom service code string before printing protocol part in policy and nat compilers for pf. 2008-12-27 vadim * feature req. #1111267 "CustomService should specify protocol and parameters for it". Support for protocol string in Custom Service in compilers for iptables and PF. * CustomServiceDialog.cpp (CustomServiceDialog::loadFWObject): feature requests #1111267 "CustomService should specify protocol and parameters for it" and #2463048 "custom services should have IPv4/v6 setting". Added corresponding input elements to the CustomService object dialog. * CustomService.h (libfwbuilder): feature requests #1111267 "CustomService should specify protocol and parameters for it" and #2463048 "custom services should have IPv4/v6 setting". Added attributes "protocol" and "address_family" to the CustomService object. Corresponding XML attributes are "#IMPLIED", this helps avoid having to provide XSLT auto-upgrade script for this version. 
Class CustomService returns "any" for the protocol and "ipv4" for address family if these attributes are missing. 2008-12-25 vadim * All policy compilers: using FWObjectDatabase::createClass methods to create rules and other objects in compilers wherever the type is known at the (code) compile time. This makes code cleaner and speeds it up a little because of eliminated cast() and string comparison. * changes in libfwbuilder: eliminated excessive use of dynamic_cast and long chains of "if" comparing object type names in FWObjectDatabase in methods that create new objects of given type. 2008-12-23 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr): implemented feature req. #2353737 "use -m iprange". Using module iprange for AddressRange objects if iptables version is set to >=1.2.11. 2008-12-21 vadim * SSHSession.cpp (SSHSession::heartBeat): built-in installer periodically "pings" the other end to keep ssh session alive. This helps recreate state in the firewall state table if it is cleared when rules are reloaded, which in turn prevents installer from hanging. * PolicyCompiler_pf.cpp (PolicyCompiler_pf::addDefaultPolicyRule): Deprecated options "generate commands for both in and out" and "pass all outgoing" in compiler for PF. Before, user could choose whether compiler was to generate only commands to match inbound packets or both inbound and outbound. The distinction between these two modes became very minimal in the recent versions of fwbuilder because algorithm was mostly controlled by the setting of "direction" in the policy rules. Now these two options have been removed completely, the behavior of the compiler is as if option "generate both in and out" was used. * pf.cpp (main): Compiler can add command "pfctl -F states" after command "pfctl -f file.conf" to flush states that existed in memory from sessions opened prior to the policy reload. 
The reason is that some of these sessions might be denied by the new policy, but if state is not flushed, they will still work after policy reload. This is optional and is controlled by a checkbox in the "Script" tab of the "advanced" settings dialog for the PF firewall. 2008-12-20 vadim * PrintingController.cpp (PrintingController::addObjectsToTable): fixed bug #2388067: "Print out FWB 3.0.3 not ok". File/Print function failed to print objects used by rules of the firewall. 2008-12-19 vadim * ProjectPanel_file_ops.cpp (ProjectPanel::loadFile): Implemented feature request #2412323: "feature request: command line flag to skip RCSFilePreview". New command line switch "-r" makes the GUI automatically open RCS head revision of the file given on command line if the file is in RCS. If the file is not in RCS, the new switch does nothing and the file is opened as usual. 2008-12-18 vadim * RuleSetView.cpp (RuleSetView::renameGroup): fixed bug #2412310: "Umlauts in group names". The GUI should properly handle non-ascii characters in the rule group names 2008-12-15 vadim * ipt.cpp, ipfw.cpp, pf.cpp, iosacl.cpp: changes for FR #2431602: support for rulesets configured as "dual address family", that is, rulesets that should be compiled for both ipv4 and ipv6. Compiler processes rulesets like this twice, first for ipv4 and then for ipv6. On each pass it will only use address and service objects that match address family it uses for the ruleset. This also applies to "compile-time" DNSName objects, that is, it will use getaddrinfo() to get AF_INET address on ipv4 pass and AF_INET6 on ipv6 pass. Rules with "any" in rule elements in the "dual address family" ruleset yield iptables commands for both families. This was the reason I made setting exclusive in the first place. This means that users who do not want fwbuilder to generate ipv6 policy for them and want all ipv6 accepted, should not use "dual address family" setting. 
If they do, the bottom catch-all rule will install an ip6tables command to block all ipv6 automatically even if all rules have absolutely no ipv6 objects at all. * RuleSetDialog.cpp (RuleSetDialog::applyChanges): implemented feature request #2431602: "Feature request: Unified policies (IPv4/v6)". RuleSet object now has two variables that define which address family it should be compiled for - ipv4 or ipv6. It is possible to have both set, in which case the same ruleset will be compiled for both address families. 2008-12-13 Vadim Kurland * VERSION (VERSION): started v3.0.4 * v3.0.3 released, merged to trunk. This comment is -r689 2008-12-08 Vadim Kurland * RuleSetView.cpp (RuleSetView::contextMenu): fixed bug #2407141 "label markers". Color label text set in Preferences was not used in the context menus where user can actually apply those colors to rules. * RCS.cpp: fixed bug #2405909: "Umlauts in RCS log". RCS log is stored in RCS file in Utf8, need to convert it back from Utf8 on read. Technical note: rcs tools on windows do not seem to process properly rcs comments converted with toLocal8Bit, comment text comes out as '????' when inspected with rlog.exe from the command line. Comment text stored in Utf8, on the other hand, appears intact even though it can not be read in the output of rlog.exe. 2008-12-07 Vadim Kurland * FWObjectDatabase_tree_ops.cpp (_recursivelyCopySubtree): (change in libfwbuilder) additional fixes in algorithm that recursively copies object subtree between different data files. Making sure we do not create duplicates of groups referred to by other groups. * ObjectManipulator.cpp (ObjectManipulator::pasteObj): changes to speed up GUI when user copies many objects between different data files (do not reload and redraw object tree widget until last object is copied). Refactoring of the pasteObj to keep the same object ID mapping table for the duration of the bulk paste operation, this helps deduplicate objects. 
Also using the same ".copy_of_NNNN" object attribute to deduplicate objects. 2008-12-06 Vadim Kurland * iptables.g: Changes in grammar for iptables: removed ambiguities in parser; added lexer rules for elements of ipv6 address. Rules for IPV6 address parsing do not work yet, commented out as work in progress. No new functionality in the parser for iptables, only clean-up and preparations for ipv6. 2008-12-05 Vadim Kurland * InetAddr.cpp (InetAddr::toString): (change in libfwbuilder): Should use bits==128 because inet_net_ntop_ipv6 on FreeBSD applies mask constructed from the bits argument to the result, so with bits==0 it always returned "::/0" 2008-12-04 Vadim Kurland * ProjectPanel.cpp (ProjectPanel::closeEvent): (fixed bug (no #): need to check if object in the object editor panel has been modified and needs to be saved when user closes internal window using "close" button in its title bar. * FWWindow.cpp (FWWindow::closeEvent): fixed bug (no #): GUI crashed if user closed internal window so no object files were left open, then closed application using "close" button in the main window title bar. 2008-12-03 Vadim Kurland * iosacl.g (certificate): fixed bug #2334007: "Problem parsing Cisco config". Parser now recognizes IOS configuration lines "certificate", "ip community-list", "controller ... description". These lines are recognized and ignored, they should not stop parser from processing the rest of the configuration. * ipt.cpp (main): fixed bug #2378672: "fwb 3.0.2 build 676 iptables script is not executable". Generated .fw file should have executable permissions. 2008-12-02 Vadim Kurland * FWObjectDatabase_tree_ops.cpp (recursivelyCopySubtree): (change in libfwbuilder) fixed bug #2375327: "Crash copying multiple groups between different data files". Using better algorithm to copy objects between different data files. 
* ObjectManipulator.cpp (ObjectManipulator::duplicateWithDependencies): using FWObjectDatabase::recursivelyCopySubtree() to copy objects if they are located in different data files. * FWObjectDatabase_tree_ops.cpp (_recursivelyCopySubtree): (change in libfwbuilder) Implemented additional check for object duplicates while copying objects. The problem happened when several objects were copied in a batch operation (e.g. when user selected several objects in the GUI and then used copy/paste to copy them all). If some of these objects were groups that referred to other objects from the same batch, the program would copy the object and then create another copy of it when it copied the group using it. To avoid such multiplication it now creates special hidden attribute in the object when it makes a copy to keep track of the original object. When the same original object needs to be copied again, the program can find its copy in the target data tree using this attribute. This creates another problem because the attribute used to track original object is persistent for the duration of the program run. The scenario that leads to this is as follows: user copies object A, modifies it and then copies group B using the original of A. The end result is that the program does not recognize that the copy of A has changed and makes copy of group B use it anyway. This means the new group points at modified object A. This can not be easily fixed because we do not have "last_modified" attribute in each object. 2008-12-01 vadim * Started v3.0.3 * v3.0.2 released, merged -r565:676 to trunk. This changelog record is in rev 678 2008-11-28 vadim * FWWindow.cpp (FWWindow::prepareFileMenu): fixed bug #2353052 "fwbuilder crashes on import without open object file". Fixed in rev 676. * ipt.cpp (dumpScript): fixed bug 2356131 "Iptables-restore option broken for multiple policy sets". 
If firewall was configured to use iptables-restore to activate policy and if it had two or more policy rule sets, compiler used to put "echo COMMIT" line at the bottom of each ruleset. This was incorrect, iptables-restore expects only one COMMIT line at the end of each table. Fixed in rev 675. 2008-11-28 User Vadim * InetAddr.cpp (InetAddr::toString): (change in libfwbuilder) Our included copy of inet_net_ntop does not add "/netmask" to IPv6 addresses if argument #3 is -1 (bits). However, the same function included in libc on FreeBSD returns EINVAL for bits=-1. It appears the function in libc in FreeBSD is based on the same code as our copy, but has been updated and instead of doing check "if ((bits < -1) || (bits > 128))" probably checks for (bits < 0). Because of this, fwbuilder GUI crashed when user tried to create IPv6 network object on FreeBSD. To fix, will use bits=0 in call to inet_net_ntop in InetAddr::toString and then strip /0 that inet_net_ntop adds to the generated string. Both our copy of inet_net_ntop and the one shipped with FreeBSD add "/0" consistently, so this works on all platforms. 2008-11-26 Vadim Kurland * IPTImporter.cpp (IPTImporter::pushRule): fixed crash in the importer for iptables * iptables.g (m_comment): rudimentary support for iptables module "comment" 2008-11-24 Vadim Kurland * tcpservicedialog_q.ui: fixed bug #2333759: "A really small camp". Fixes in dialog layouts for KDE4 theme Oxygen * Build fixes for FreeBSD. * Added GUI elements for krcmd and ekshell options for ipfilter Thanks to Cy.Schubert@komquats.com for the patch! * Using QT4 stylesheet to improve layout of TCP Service, UDP Service and group object dialogs when program is used with KDE theme Oxygen. 2008-11-23 Vadim Kurland * Help.cpp, StartTipDialog.cpp: the GUI will use English help files for online help (where available) and "start tip" dialog if it is started in a non-English locale and the help file for this locale is not available. 
This is better than to show an empty dialog. 2008-11-22 vadim * StartTipDialog.cpp (StartTipDialog::StartTipDialog): Added "start tip" dialog that shows brief information on the online resources available to the user (web site URL, links to the Firewall Builder FAQ, HOWTOs, Cook Book). Linked pages open in the standard browser. * FWWindow.cpp: added menu item Help/Firewall Builder Help that opens a page with information about online resources for Firewall Builder (the same page that is shown in the "start tip" dialog). * ipf.cpp (main): fixed bug #2328330: "basic_string::erase error in fwb_ipf". Compiler for ipfilter aborted processing with error "basic_string::erase" when compilation was launched from the GUI. 2008-11-21 vadim * Improved Mac OS X bundle: included qt.conf file to make it look only inside the bundle for QT libraries and plugins, this eliminated warnings about QT libraries being loaded from two places if the system where fwbuilder GUI was running had QT installed on it. Now packaging QT accessibility plugin library, this should make the GUI run with accessibility features if accessibility aids are turned on system-wide. 2008-11-20 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed bug #2318639: "bug in logging (rule number)". Added logging prefix macro %R that gets expanded to the ruleset name. This can be useful in logging prefixes for rules in branch rulesets. 2008-11-19 vadim * printerStream.cpp (printerStream::begin): fixed printing with QT 4.4. QT 4.4 correctly sets physical resolution of the printer and sets its logical resolution to 1200dpi. This caused rulesets to be printed incorrectly on Windows and Mac where we use QT 4.4.1. This fix restores printing on these platforms. * Printing from command line: user can print firewall object and all its rulesets from command line without running the program in interactive GUI mode using command line "fwbuilder -f file -P fw_object -o print_output_file.pdf". 
Making sure this works on Mac OS X as well where the program should be launched as "fwbuilder3.app/Contents/MacOS/fwbuilder" * RuleSetView.cpp (RuleSetView::updateGroups): fixed printing from command line which was broken some time ago (perhaps in 3.0.1). When user prints firewall policy from command line using "fwbuilder -f file -P fw_object" all rule groups are always printed expanded. 2008-11-18 vadim * prefsdialog_q.ui: better layout of the first page of Preferences dialog to make sure long path to the working directory fits in the input widget. * SSHPIX.cpp (SSHPIX::stateMachine): bugfix: installer for Cisco routers and PIX could not find generated file because variable conffile is now always a full absolute path. This bug was introduced earlier during installer rewrite for v3.0.2. Tested installer for router and PIX using default generated file name, as well as custom generated file name, defined both as absolute and as relative path. Tested batch install of combination of a router and a pix in one batch (the same user account, then same enable password on both) 2008-11-17 Vadim Kurland * ObjectManipulator.cpp (ObjectManipulator::duplicateObject): fix bug #2303486: "Operation of duplicating firewall should switch policy". When firewall object is duplicated, the GUI should automatically open policy of the new object rather than keep policy of the original open. At the same time, reset lastModified, lastCompiled, lastInstalled of the new firewall instead of keeping copies from the original. * instDialog.cpp (instDialog::testFirewall): Check to make sure paths to ssh and scp utilities are properly configured in Preferences before running install. Show appropriate error dialog to the user if path to ssh or scp is not configured. 
2008-11-15 Vadim Kurland * antlr/CharScanner.hpp: applied patch for gcc 4.4 from bug# 2282828 "patch for gcc-4.4" * AddressTable.cpp (AddressTable::AddressTable): (change in libfwbuilder) fixed bug# 2293052 "Saving file with empy AddressTable produces corrupt XML". When new AddressTable object is created, its "filename" attribute is empty. If data file was saved right after such new AddressTable object was created, resultant file could not be loaded back into the program because it violated XML DTD. 2008-11-13 Vadim Kurland * IPTImporter.cpp (IPTImporter::pushPolicyRule): policy importer for iptables properly creates TagService objects and places them into the action of the rule when it finds an iptables rule with target "-j MARK" * IPTImporter.cpp (IPTImporter::pushPolicyRule): policy importer for iptables correctly imports user-defined chain, configures rule with action "Chain" and establishes association between it and ruleset created for the user-defined chain. Multiple rules with this action can point at the same ruleset. 2008-11-12 Vadim Kurland * IPTImporter.cpp (IPTImporter::finalize): fixed bug (no #): policy importer used to create separate Policy objects for chains INPUT, FORWARD, OUTPUT. * CircularQueue.hpp (OFFSET_MAX_RESIZE): a temporary fix for the problem in ANTLR that causes crash on import of very large config files. This affected import of both iptables and Cisco IOS configurations and depended just on their size. 2008-11-10 vadim * instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog): for bug #2135827: "'Store a copy of fwb file...' very slow" - need to enable option "store copy of data file on the firewall" for the batch install. * RuleSetDialog.cpp (RuleSetDialog::applyChanges): fixed bug #2255591 Adding new ipv6 policy is always type "mangle". 
When user added new Policy object to the iptables firewall and made and saved any changes in the object editor (switched to "top rule set" or toggled setting "filter+mangle"="mangle only"), the setting of the ruleset would switch to "mangle only" and stick there. There was no way to switch it back to "filter+mangle". This is fixed in build 641. 2008-11-09 * Added updated Japanese translation by Tadashi Jokagi ( elf2000 ) from bug #2214440 * FirewallInstallerUnx.cpp(FirewallInstallerUnx::packInstallJobsList): fixed a bug introduced some time earlier and reported in the bug report #2135827: policy installer would only copy .fwb file to the firewall when "Store data file on the firewall" was activated and skipped actual generated policy file(s) (.fw). This only happened on Windows. 2008-11-01 vadim * fwbuilder/Rule.cpp (PolicyRule::PolicyRule): a bugfix in the PolicyRule class, fixes errors in some operations in policy compilers that were caused by switch to a more efficient way to find rule element objects in rules. 2008-10-30 vadim * Added Japanese translation by Tadashi Jokagi ( elf2000 ) Translation converted from the .po file generated for fwbuilder 2.1.19. Since translation was done for the old version of the product, it is incomplete, however at least menus seem to be translated. * ObjectIconView.cpp (ObjectIconView::event): fixed bug #2209210 "crash in fwbuilder: ObjectIconView.cpp:90:". The GUI crashed if user moved mouse cursor over object icons in a group object editor when tooltips were activated. 2008-10-26 Vadim Kurland * RuleSetView.cpp (RuleSetView::setRuleColor): making sure no rule operations are allowed when rule set or parent firewall object are read-only. This fixes GUI crash that happened when user tried to remove rule from a group in the read-only firewall. 
2008-10-25 vadim * ProjectPanel_file_ops.cpp (ProjectPanel::loadFromRCS): more fixes for bug #2194829: use toLocal8Bit() instead of toLatin1() in all calls to libfwbuilder functions that deal with files (FWObjectDatabase::load() etc.), as well as system functions such as unlink(), rename(), access(). Now I can open, save, check out and check in file if it is in directory with non-ascii name and also can use non-ascii characters in RCS checkin log records. * instDialog_compile.cpp (instDialog::prepareArgForCompiler): fixed bug #2194829: "the gui can not locate data file in non-ascii directory". This seems to have happened only on Windows and Mac; if data file was located in the directory with the name with non-ascii characters, the gui generated incorrect command line for the compiler when user tried to compile the data file more than once. 2008-10-23 vadim * PolicyCompiler_ipt.cpp (isChainDescendantOfOutput): more for the bug #2186568 "Again User service - group/negate". Support for groups of user service with negation. Now have a framework to keep track of chain "descendants", so that compiler can tell if some chain can be traced back to INPUT or OUTPUT through the sequence of chains calling each other. 2008-10-22 vadim * various dialogs: fixed bug #2187094: "fwbuilder does not use system colors for text boxes". Some dialogs would not properly pick up KDE theme. This was especially visible if theme used dark background colors and white font, in which case many input fields in dialogs would use white text on white background. * PolicyCompiler_ipt.cpp (separateUserServices::processNext): fixed bug #2186568 "Again User service - group/negate". Compiler for iptables did not support groups and negation of the UserService objects. 2008-10-21 vadim * PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): (change in libfwbuilder) Optimisations in the code that detects rule shadowing. 
Combined with improvements in classes Rule and RuleElement, this yields speed-up in shadowing detection by a factor of about 5. 2008-10-20 vadim * PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): (change in libfwbuilder) Using internal caching to speed-up shadowing detection. This cuts time of shadowing detection almost in half for large policies with many rules. * dns.cpp (list): (change in libfwbuilder) getHostByName() used to insert duplicate IP addresses into the list of the results. Now making sure ip addresses in the result are unique. * Compiler.cpp (Compiler::_expand_addr_recursive): (change in libfwbuilder) change in the algorithm used to decide which interfaces of the host or firewall object to use in a rule when this host or firewall object is found in source or destination. Previously, compiler would skip loopback interface unless user associated the rule with loopback by putting it in the "Interface" rule element. This made it impossible to create rules with address 127.0.0.1 in destination but attached to interface other than loopback (such rule is used for transparent proxy configuration). Now if user explicitly put loopback interface object into rule element, we always keep it. However when compiler expands interfaces from a host or firewall object, it will skip loopback as before, unless the rule is attached to loopback interface. 2008-10-19 vadim * fixed object type icon in the RuleSet and Interface object dialogs. * ProjectPanel.cpp (ProjectPanel::openEditor): fixed bug: object editor panel resized itself erratically when user switched between objects while editor was open. This happened on Windows and Mac OS X. * PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval): fixed bug #2180556: "broken support for the "old" time module for iptables". 
Compiler generated incorrect parameters for the "time" module for versions <1.4.0 2008-10-18 vadim * PolicyCompiler_ipt.cpp (singleDstNegation::processNext): while processing single object negation, consider hosts and firewalls with one normal interface and loopback interface eligible (i.e. ignore loopback address even though formally such object has at least two ip addresses). * PolicyCompiler_ipt.cpp (singleDstNegation::processNext): fixed bug (no #): policy compiler for iptables did not handle correctly rules where a host that has multiple addresses was a single object in a rule element and had negation. * NATCompiler_ipt.cpp (singleObjectNegation::processNext): added support for single object negation in OSrc and ODst in NAT rules. This provides for more compact iptables script in the often used case where single object is used with negation in these elements of a NAT rule. Other improvements in handling NAT rules with negation. 2008-10-15 vadim * ipt.cpp (dumpScript): Explicitly use "\n" instead of endl to avoid implicit conversion to "\r\n" on Windows (generated script is for iptables which can only run on Linux, so it is safe to use "\n" instead of endl). 2008-10-13 Vadim Kurland * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): fixed bug (no #): policy compiler for iptables would crash with assertion when AddressTable or DNSName object was used in a rule in pure mangle table ruleset. This could be related to crash reported in bug #2157121. 2008-10-11 Vadim Kurland * PolicyCompiler_ipt.cpp (finalizeChain::processNext): Always placing rules with action "Accept" in table mangle in chain PREROUTING * RuleSetDialog.cpp (RuleSetDialog::loadFWObject): Added attribute to the Policy object for iptables to indicate that this policy ruleset should be compiled into filter and mangle tables or only for the mangle table. This makes sense (and is only shown) for iptables firewalls. 
By default the attribute is set to "filter+mangle" which means compiler will try to figure out which table each rule should go to. However some combinations of service objects and actions are ambiguous and can be used in both filter and mangle tables. In cases like these, user can help by creating separate Policy ruleset that will be translated only into iptables rules in the mangle table. * PolicyCompiler_ipt.cpp (singleSrvNegation::processNext): fixed bug #2148378: "Negation does not work on Tag Service". Policy compiler for iptables should be able to use "!" single-object negation for TagService objects * ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): fixed bug #2149503: ever since attribute "read-only" of FWObject has been converted from a dictionary entry to a member variable, the GUI could not properly check if an object is read-only and could not update context menu and icon in the object tree. This lead to unstable behavior when an object was set read-only because the GUI could not show corresponding icon to indicate its status change, did not switch context menu items and permitted operations that should not have been permitted. * ProjectPanel.cpp (ProjectPanel::getDeleteMenuState): fixed bug #2149585 "Deleting Routing object breaks file". The GUI should not allow the user to delete "Routing" ruleset object, as well as any other top-level ruleset object. This applies to both deleting them via context menu item or Delete key stroke. * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::newIptables): fixed bug #2151898: "use of "--icmp-type any" iptables 1.2.6a". Iptables v1.2.6a and older do not have option "-m icmp --icmp-type any". * PrefsDialog.cpp (PrefsDialog::PrefsDialog): Added tab "Data File" to the Preferences dialog; added checkbox "Enable data file compression" to this tab. If this checkbox is turned on, the GUI will compress data file when it is saved to disk. 
* FWBSettings.cpp (FWBSettings::getCompression): saving data file compression flag in user settings. * ProjectPanel_file_ops.cpp (ProjectPanel::exportLibraryTo): added support for data file compression. This fixes bug# 2130128: "Option to compress the FWB file". * pix.pro, iosacl.pro: should be ../../install.sh rather than ../../install 2008-10-10 User Vadim * FirewallInstallerUnx.cpp: fixed bug #2158561: "Solaris fwb 3.0.2-b599 build prob" Fixed build problems on FreeBSD and Solaris * pix.pro, iosacl.pro: fixed bug #2158407: "iosacl and pix install probs" 2008-10-10 Vadim Kurland * iosacl.cpp (main): fixed bug #2154906 "Post script is missing / Cisco ACL handling". Prolog/epilog sections were not added to the generated script for Cisco IOS ACLs. 2008-10-09 vadim * ipt.cpp (main): Compiler for iptables uses QT functions to properly process non-ascii file names and firewall object names. Compiler correctly creates generated script when its file name contains non-ascii characters on all supported OS. The GUI can find the file and built-in installer can copy it to the firewall and activate it there. QT helps manage encodings and locales in OS-independent manner. Caveats: - Dependency on QT libraries means compilers can not be deployed on the firewall separately from the GUI. - pscp.exe on Windows does not seem to be able to pick up file with non-ascii characters in name when program runs on Windows with standard English locale. Could not test on Windows running with national locale. As a workaround, user can specify alternative name for the generated script in the firewall settings dialog (tab "Compiler"). - Support for non-ascii firewall object and generated script names is currently only available in compiler for iptables * instDialog_compile.cpp (instDialog::prepareArgForCompiler): always provide "-o" command line option to compilers when calling them from the GUI. 
The output file name defined this way can be encoded properly for the OS encoding and locale (compilers do not use QT so it is hard to do there). 2008-10-08 vadim * merged branch "new-installer" -r569:HEAD * PrefsDialog.cpp (PrefsDialog::accept): Added GUI control for the path to scp utility used by built-in policy installer * All compilers: firewall object can be specified by its ID in addition to by name. Command line option "-i" tells compiler that the last parameter of the command line is object ID. This works reliably when firewall object name contains non-ascii characters and the program runs under locale using 8 bit characters. Built-in installer now uses this method while calling all policy compilers. 2008-10-07 vadim * pf.cpp, ipf.cpp: Policy compilers for pf and ipf use file name and path specified with "-o" command line option for the name and path for all .fw and .conf files they generate. * instDialog.cpp: built-in installer finds all generated files when user specifies alternative name (possibly full path) for the generated script. * FirewallInstaller.cpp (FirewallInstaller::getGeneratedFileFullPath): built-in installer works properly when firewall name contains non-english characters. In this case generated firewall script also has name that contains non-english characters. * FWWindowPrint.cpp, RuleSetView.cpp, FWBSettings.h, ProjectPanel_state_ops.cpp: got rid of references to InterfacePolicy class; build fixes for FreeBSD 7 (should fix compile problems on other systems too, such as Solaris) 2008-10-06 vadim * SSHPIX.cpp (SSHPIX::stateMachine): fixed crash in built-in installer that happened when existing PIX configuration was saved before loading new one. * pixAdvancedDialog.cpp (pixAdvancedDialog::accept): fixed crash that happened when user opened PIX firewall "advanced" settings dialog and then tried to save changes by clicking OK. 
* FirewallInstaller.h (class FirewallInstaller): all installer logic moved to separate classes FirewallInstaller, FirewallInstallerCisco and FirewallInstallerUnx. These classes launch background process (via SSHSession or QProcess) and control all steps of policy installation and activation, but do not deal with the UI. This provides for good separation of functions between UI and core logic classes. The code is much cleaner and easier to maintain now. 2008-10-05 vadim * instDialog_unx.cpp (instDialog::copyFileOnUnx): Using scp (pscp.exe on windows) to copy files to the firewall. This helps improve performance of the installer. This fixes bug #2135827: "Store a copy of fwb file..." very slow * instDialog.cpp (instDialog::instDialog): refactored installer classes to make code more manageable. * VERSION: started 3.0.2 2008-10-04 Vadim Kurland * v3.0.1 released Oct 4, 2008. Merged branch "v3" r513:565 to trunk * global.h (SETTINGS_PATH_PREFIX): making sure all modules store settings under the same path prefix "3.0/" (applies to all OS). 2008-10-03 Vadim Kurland * GroupObjectDialog.cpp (GroupObjectDialog::iconContextMenu): fixed bug #2144122 "Segfault when trying to add an address to a group" * ProjectPanel_file_ops.cpp (ProjectPanel::chooseNewFileName): fixed bug #2144358 "Double check with 'save as'". The GUI used to ask twice if user wants to overwrite the file in Save As operation if file with given name already existed. * FWWindow.cpp (FWWindow::projectWindowClosed): fixed bug #2144114 "fwbuilder * exits if the last object file is closed". The GUI will not terminate after the last window is closed but instead will just show empty main window. * fwbedit.cpp (main): fixed bug #2143894: "fwbedit list does not show objects". Command "fwbedit list -f file" did not print anything unless option "-F" was supplied. This change adds default value for this option so that when it is missing, the command prints object path. 
* fwbedit.1: fixed bug #2143961: a typo in the man page fwbedit.1 2008-10-02 Vadim Kurland * instDialog.cpp (instDialog::finishInstall): fixed bug #2125604: "Cancel button does not kill the installer". Cancel button of the installer wizard in fact kills background process. Second issue raised in this bug report is that "Finish" button was always enabled. This is now fixed. * PolicyCompiler_PrintRule.cpp (PrintRule::_printTarget): fixed bug #2141911: "no ULOG for ip6tables". ULOG target has not been implemented for ip6tables yet, so the compiler should fall back to LOG target while compiling ipv6 policy. * RuleSetView.cpp (RuleSetView::updateGeometries): fixed crash that happened on Ubuntu with QT 4.3.x because of recursive call to updateGeometries() * fixed icon for rule action "Mark" 2008-09-30 Vadim Kurland * RuleSetView.cpp (PolicyView::PolicyView): constructors of rule set view classes (PolicyView, NATView, RoutingView) used to set "dirty" flag in the object database which caused the GUI to ask the user if they wanted to save modifications before exiting the program even when there were no modifications made. This change fixes this annoying problem. 2008-09-29 Vadim Kurland * RuleSetView.cpp (RuleSetView::updateGroups): using setSpan to make row holding rule group head span across all columns. Without this, clicking on table cell in column >1 caused visual artifacts (cell color would turn white, possibly erasing part of the group name). * FindWhereUsedWidget.cpp (FindWhereUsedWidget::showObject): fixed bug #2129726: "Where Used" not working on collapsed groups. * RuleSetView.cpp (RuleSetView::paintEvent): fixed bug related to #2123152 "Fwbuilder 3.0.0 Gui very slow and doesn't refresh properly". There seems to be a bug in QT 4.4.1 (not sure of 4.4.0, definitely not in 4.3.x) which causes the last row of the rule set view table to come out blank when the table is redrawn. 
This happens when rows have very different height and looks like the last row comes out blank when user scrolls the table up. The last row is finally redrawn when most of it is already visible. 2008-09-26 Vadim Kurland * PolicyCompiler_pf_writers.cpp (PrintRule::_printAF): fixed bug (no #): policy compiler for PF used to insert both "inet" and "inet6" into generated pf.conf lines for the IPv6 policy. * RuleSetView.cpp (RuleSetView::getFullRuleGroupTitle): Added tooltip in the rule set view for the column showing rule group handle, the tooltip shows group name and number of rules. 2008-09-25 Vadim Kurland * FirewallDialog.cpp (FirewallDialog::openFWDialog): fixed bug #2105977: "Viewing firewall settings change state to edited". Opening firewall "advanced" settings dialog triggered internal flag that signalled that something in the object tree has changed. * FWObject.cpp (FWObject::setInt): (change in libfwbuilder) fixed bug #2128261: "fwbuilder thinks the file has changed when opened read-only". Operation "find where used" triggered "dirty" flag on the object tree even though it does not change anything. * NetworkDialog.cpp (NetworkDialog::addressEntered): Network and NetworkIPv6 object dialogs accept CIDR notation in the "address" input field. Netmask input field is filled automatically using "/NN" entered as part of the address when user hits Return or Tab or switches to another input element using mouse click. * ProjectPanel_file_ops.cpp (ProjectPanel::saveIfModified): fixed GUI crash that happened when user made modifications in the default object tree but did not save the changes and then tried to exit the program. * FWBTree.cpp (FWBTree::createNewLibrary): fixed bug #2126524: "User Service created in the Service Group section". * objects_init.xml.in: bug #2126524: "User Service created in the Service Group section" - added missing group UserServices to the standard objects file. 
2008-09-24 Vadim Kurland * Network.cpp (Network::Network): (change in libfwbuilder) set netmask to /32 when new Network object is created. This used to be the default in fwbuilder v2.1. New default of 0.0.0.0 appears to be confusing and error-prone, by user's requests changing default back to /32. This fixes bug #2125542: New Address objects added with netmask of "0.0.0.0" * FWObjectPropertiesFactory.cpp (getObjectProperties): do not print netmask of the IPv4 and IPv6 objects in tooltips and "info" panel unless such object is child of an Interface. This fixes bug #2125542: New Address objects added with netmask of "0.0.0.0" * RuleSetView.cpp (RuleSetView::updateGeometries): fixed bug #2124804: "Policy list "jump" when using groups". Combination of rule groups and very tall rows in the rule set view caused problems with vertical scrolling. 2008-09-23 Vadim Kurland * RuleSetView.cpp (RuleSetView::insertRule): fixed bug #2123150: "add new rule below inserts at end of rulebase". The program used to append rule at the bottom of the policy when user tried to insert it in the middle when there were rule groups. * RuleSetView.cpp (RuleSetView::saveCollapsedGroups): fixed bug # 2106266: "Save collapse/expand state of groups in policy". The GUI will remember state of the rule groups (expanded/collapsed) between sessions. The state is saved in preferences. Groups are referenced by combination of file name (full path), firewall object name, ruleset name, group name. Since state is saved in preferences rather than in the data file, state of the rule groups is separate for each user. 2008-09-21 Vadim Kurland * NATCompiler_pix.cpp (mergeNATCmd::processNext): fixed crash in compiler for PIX that happened when compiler tried to merge "global" commands and some of the interfaces of the firewall had dynamic address. * FWObject.cpp (FWObject::fromXML): (change in libfwbuilder) converted attribute "ro" (read-only) from a dictionary variable to the member variable of class FWObject. 
We check read-only status of objects very often and dictionary lookups were slowing compiler down considerably. * FWObjectDatabase.cpp (FWObjectDatabase::getStringId): (change in libfwbuilder) generate unique string object id on demand instead of in the call to generateUniqeueId. This helps speed up compiler operations by a factor of about 3 because we generate unique int ID every time object is created or copied, yet string ID is only needed when object is stored in external XML file. Also using sprintf to assemble string ID, it works faster than ostringstream. * RoutingCompiler.cpp (reachableAddressInRGtw::processNext): (change in libfwbuilder) fixed crashes in RoutingCompiler that happened because Routing ruleset object being processed is disconnected from the firewall parent at the time compiler works with it. * RoutingCompiler.cpp (rItfChildOfFw::processNext): (change in libfwbuilder) fixed compiler error "Error (iptables): The object "eth0" used as interface in the routing rule 0 (main) is not a child of the firewall the rule belongs to!" that also happened because Routing ruleset object being processed is disconnected from the firewall parent at the time compiler works with it. 2008-09-19 Vadim Kurland * ipfw.cpp (main): Basic support for IPv6 for ipfw. IPv6 rules should be kept in a separate policy, just like for all other platforms. Branching rules are not supported so there is no support for multiple policies (although there is no check for that at this time either). Both ipv4 and ipv6 rules are loaded into the same ipfw set "1" with globally unique increasing rule numbers. The order in which ipv4 and ipv6 policies are processed is controlled by an option in firewall settings dialog. * FWWindow.cpp (startupLoad): Using list of strings openDocFiles to pass names of the files that should be opened at start up time both when these names come from the command line and from odoc signal handler on Mac. 
This finally makes the GUI properly open a file given on the command line or via odoc signal (double clicking in Finder on Mac) in a single sub window, replacing default objects tree. 2008-09-16 Vadim Kurland * FWWindow.cpp (FWWindow::fileOpen): when the program is started without data file, it shows panel with just default objects, with a title "Untitled". If user opens data file, it is loaded into the same panel and its title changes accordingly. If user makes changes and then saves using "Save As", its title also changes accordingly (and there is still one panel). If user uses "File/New data file" and enters the name of the new data file, it is loaded into the same panel and its title changes accordingly. Still, after this there is only one panel. However if the panel shows contents of some data file, operations "File/Open" and "File/New" load second data file into a new panel. 2008-09-16 vadim * IPv4.cpp (IPv4::fromXML): (change in libfwbuilder) filter addresses and strip leading and trailing whitespaces and other non-digit characters before converting to InetAddr. This will help with annoying problem where v2.1 allowed such characters in address attributes of Address objects but v3.0 applies strict checks during file load and rejects such data files. 2008-09-15 vadim * ProjectPanel_file_ops.cpp (ProjectPanel::fileOpen): workaround for a problem that only appears on Mac: if user uses File/Open but cancels operation, the main window used to switch from the subwindow that was active to another one (usually the empty default window with only standard objects tree). * FWWindow.cpp (FWWindow::FWWindow): Experiment: since MDI looks very foreign on Mac and can not be fixed, trying tabbed presentation of internal subwindows. Only on Mac OS X. 2008-09-14 vadim * DiscoveryDruid.cpp, debugDialog.cpp, filePropDialog.cpp: enable "close" button in the dialog window title (it was not shown on Mac). 
2008-09-14 Vadim Kurland * ProjectPanel_state_ops.cpp (ProjectPanel::loadLastOpenedLib): change in the logic applied when the program decided which library to open at start time. If a file is opened and there is settings record pointing to the library that was opened in this file last time the program was used, this library is opened. If there is no such settings record, the program tries to find the first not system library in the file but prefers the one named "User". If the program starts without data file, it shows library "User" from the standard objects file. * instDialog.cpp (instDialog::addToLog): better regex to recognize compiler errors. * TimeDialog.cpp (TimeDialog::loadFWObject): Changed format of the start and stop date fields in the Time Interval object to show year as four digits. Also enabled calendar in these widgets. * bug #2099700 "Association of the .fwb and .fwl file types with app". Implemented support for the association of the application and data file type on Windows. Double-clicking on .fwb and .fwl files in Explorer will now open application and load files automatically. 2008-09-13 Vadim Kurland * GroupObjectDialog.cpp (GroupObjectDialog::listContextMenu): fixed bug #2109833: "Crash on right mouse click in the object group". * FWWindow.cpp (FWWindow::prepareWindowsMenu): fixed bug #2109675: "file Title bar contains redundant info". Internal page title should be coordinated with items in the Windows main menu. There is also no need to add "Firewall Builder" to the title of internal windows. * instDialog.cpp (instDialog::interpretLogLine): fixed bug #2109660: "Compiler Progress: bar is incomplete". Compiler progress bar failed to show full length bar when operation was complete for some firewall platforms. * ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested): fixed bug #2109431: "context menu item "Where used" is missing for rulesets". 
* RuleSetView.cpp (RuleSetView::selectRE): fixed bug # 2109432: "double click on results in "Where used" list opens wrong rule." * objects_init.xml.in: fix for bug #2099631: there used to be object "icmpv6 unreachables" in the Deleted Objects library in the file of standard objects that comes with the package. * FindWhereUsedWidget.cpp (FindWhereUsedWidget::showObject): fixed bug #2090332: "Where used search function does not always work.". WhereUsed function could not find firewall if it was used in its own rules. * PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval): fixed bug (no #): compiler for iptables used date entered for the beginning of the interval in "Time" object both for the beginning and for the end. 2008-09-12 Vadim Kurland * GroupObjectDialog.cpp (GroupObjectDialog::applyChanges): fixed bug #2107004: "Fwbuilder crashes while deleting objects in groups". I could only reproduce the crash when there were two identical objects in the group and I was trying to delete both. v3.0 does not allow the user to add the same object twice to the group so this condition should not be possible. 2008-09-11 Vadim Kurland * instDialog.cpp (instDialog::addToLog): working on bug #2105111: "use color for compiler status and errors". Compilation and installation status is color coded in the left panel of compile/install dialog (Error is red, Success is green). Also coloring compiler error messages red in the compiler progress panel. * RuleSetView.cpp (RuleSetView::updateGroups): fixed bug #2106124: "Crash after deletion of (last rule in + whole) rule group". * RuleSetView.cpp (RuleSetView::paintCell): working on bug #2106280: "option to change color of rule group head". Made rule group head colored in "medium dark", actual color depends on chosen QT theme. * RuleSetView.cpp (RuleTableModel::headerData): fixed bug #2106229 "Disable-Icon bad position in rule group". Icon that indicates that a rule is disabled used to be drawn in the wrong row of the ruleset table. 
* ProjectPanel_state_ops.cpp (ProjectPanel::loadLastOpenedLib): more for bug #2091225: "Can objects in the left pane remember last state.". If there is no record of the last library used by the user in the settings, the GUI opens library "User" or the first non-system library if there is none named "User". Minor bug-fix to prevent desynchronization of the tree view and pull-down list of libraries. 2008-09-10 Vadim Kurland * RuleSetView.cpp (RuleSetView::pasteRuleAbove): More checks for operations with rules and ruleset on the deleted Policy or NAT object. User should not be able to change anything in rule set object that has been deleted because it does not have parent firewall object. * FWWindow.cpp (FWWindow::prepareEditMenu): more fixes for bug #2100415: "cannot re-create or clone Routing object". Properly synchronizing main menu Edit to make sure user can not delete Ruleset objects. * instDialog.cpp (instDialog::initiateCopy): fixed bug (no #): if the name of the plink.exe program was specified in upper case in Preferences dialog, built-in installer failed to provide correct command line options to it. * ObjectManipulator.cpp (ObjectManipulator::getMenuState): fixed bug #2100415: "cannot re-create or clone Routing object". The GUI does not let the user delete Routing object. Policy and NAT objects can be deleted as long as there is at least one more left. Also "top" rule set objects can not be deleted at all. * ObjectManipulator.cpp (ObjectManipulator::pasteTo): fixed bug (no #): added ability to copy/paste rule set objects. 2008-09-09 Vadim Kurland * FWBSettings.cpp (FWBSettings::setExpandedObjectIds): bug #2091225: "Can objects in the left pane remember last state.". The program saves state of the object tree branches (expanded or collapsed) between sessions. * FWBSettings.cpp (FWBSettings::getVisibleRuleSetId): bug #2099631 "GUI should rememver firewall object that was opened last". The program remembers opened ruleset between sessions. 
2008-09-08 Vadim Kurland * fwbedit.cpp (usage): fixed "usage" in fwbedit, command line option that specifies object attributes for the command "new" is "-a", not "-o". Also fixed this in the man page. 2008-09-08 vadim * main.cpp (odocHandler): bug #2099700 "Association of the .fwb and .fwl file types with app on Mac". Implemented support for the association of the application and data file type on Mac OS X. Double-clicking on .fwb and .fwl files in Finder will now open application and load files automatically. User can open several files by selecting them in Finder and double-clicking. * main.cpp (main): remove "safe mode" command line flag -s because on Mac OS X the program is started with flag -psn when it is launched via finder. This caused undesired effects. 2008-09-06 Vadim Kurland * FWWindow.cpp (FWWindow::projectWindowClosed): fixed bug #2091520: "Crash FWB". The GUI crashed if user closed mdi window showing just standard objects and then tried to close the main window. * FWWindow.cpp (FWWindow::fileNew): fixed bug #2091507: "Create New Firewall problem.". If user created new data file using File/New main menu item, items in the main menu File used to stay disabled and file could only be saved using "File/Save As" (which did not make sense because the name has already been assigned to the file during File/New operation). * ProjectPanel_file_ops.cpp (ProjectPanel::fileSaveAs): bugfix: if user called "Save As" and then hit Cancel in the dialog where they choose file name, internal RCS object used to be deleted anyway. * v3.0.1 started * v3.0.0 released Sep 1, 2008. Merged branch "v3" r512 to trunk 2008-09-01 Vadim Kurland * res.pro: Do not try to install icons if variable ICONSDIR was not defined by configure. This is the case on FreeBSD, I do not know where application icons should be installed there. 
* ActionsDialog.cpp: more fixes for compile problems on FreeBSD 2008-08-31 Vadim Kurland * ObjectTreeViewItem.cpp: more fixes for compile problems on FreeBSD 2008-08-30 Vadim Kurland * PrefsDialog.cpp: more fixes for compile problems on FreeBSD * instDialog.cpp (instDialog::fillCompileSelectList): fixed a bug: firewall table in the compile/install dialog did not show "last compiled", "last modified", "last installed" time stamps on windows and mac. * RuleSetDialog.cpp: fixing compile problems on FreeBSD 7.0 * instDialog.cpp (instDialog::fillCompileSelectList): resize rows in the table that lists all firewalls for compile/install to make rows minimal required height. * FWWindow.cpp (FWWindow::FWWindow): fixed GUI crash that happened when user clicked toolbar button "Install" right after gui start before any data file was opened. * instDialog.cpp (instDialog::fillCompileSelectList): disabled font manipulations in install/compile dialog, it did not work right on windows * InterfaceDialog: layout adjustment for bug #2078671: "fwbuilder 3.0.0 build 487 - add/edit interface". Layout did not work quite right with QT4 themes Plastique and Oxygen with default font size 14. 2008-08-29 Vadim Kurland * ObjectEditor.cpp: more missing #include for FreeBSD * ObjectManipulator.cpp: Added missing #include for FreeBSD 7.0 port * making sure dialogs do not enforce font type and size if not necessary. Main window and install dialog used to override system font which led to problems with dialog layouts on some systems. 2008-08-27 Vadim Kurland * configure.in: Applied patch per bug #2079941: "Patch for configure.in --with-qmake". Patch adds option --with-qmake to configure in libfwbuilder and fwbuilder. * iosaclAdvancedDialog.cpp (toggleGenerateLogging): fixed bug #2078107: "IOS ACL compiler issue". Logging commands for IOS ACL were not generated properly (settings made in the GUI were ignored). 
Also added checkbox to completely enable or suppress generation of logging commands, this checkbox is off by default. This provides for better backwards compatibility for existing routers. * various object type dialogs: layout changes for bug #2078671: "fwbuilder 3.0.0 build 487 - add/edit interface". Dialogs did not look right under QT theme with large fonts. 2008-08-26 Vadim Kurland * instDialog.cpp (instDialog::addToLog): fixed bug (no #): compile and install progress window was stuck showing the topmost part of the output of the compiler or installer. Need to make the window automatically scroll and follow the output so that the latest output lines are always visible. 2008-08-24 Vadim Kurland * HttpGet.cpp (HttpGet::httpDone): reset last_error when new http operation begins to make sure we do not accumulate error messages on top of those from previous http ops. 2008-08-23 Vadim Kurland * PrefsDialog.cpp (PrefsDialog::checkSwUpdates): Added setting for http proxy used with automatic checks for the new version of the program. Proxy can be defined by "host:port" pair; if port is not specified, port 80 is assumed. * FWObject.cpp (FWObject::toXML): (change in libfwbuilder) moved saving of XML attributes name and comment from FWObject::toXML() to implementations of this virtual method in all classes that are supposed to have name and comment. When user created an object with empty name, the old code used to save such object into XML file w/o attribute "name" which violated DTD. This is fixed now. 2008-08-22 Vadim Kurland * RuleSetView.cpp (RuleSetView::keyPressEvent): fixed bug (no #): while navigating between rule elements using keyboard, it was not possible to reach the very last rule if ruleset contained rule groups * RuleSetView.cpp (RuleSetView::paintCell): do not draw green frame around rule group; draw black bracket line in the column #0 longer, almost to the bottom of the last rule row. Draw rule group head row grey to make it visually stand out. 
* ipt.cpp (main): additional fix for the bug #2051629 "group with dns names are handled as empty": Compiler should check if any rules of given address family exists before running preprocessor. This is to prevent it from trying to resolve DNSName objects for IPv6 when there are no ipv6 rules. 2008-08-21 Vadim Kurland * ProjectPanel_file_ops.cpp (ProjectPanel::load): truncating very long error messages that happen when GUI tries to load broken .fwb file. These error messages contain complete output of the XML parser which can be very long and does not fit in the normal error dialog. Message will be cut off at 1000 characters, which is enough to see the topmost part of the parser output. 2008-08-20 vadim * ObjectTreeView.cpp (ObjectTreeView::ObjectTreeView): Fixed GUI crash on Ubuntu Hardy that happened b/c of a bug in QT 4.3.4. Crash happened when user added second object to any branch of the tree. When second object was added to the tree, the program terminated with assertion "ASSERT: "left.level > right.level" in file itemviews/qtreeview.cpp". This did not happen with QT 4.4.1 and 4.3.2 (could not test with 4.3.5). The fix was to disable sorting in the QTreeView widget used to represent object tree. 2008-08-19 Vadim Kurland * NATCompiler_PrintRule.cpp (PrintRule::_printSrcService): fixed bug (no #): policy compielr for iptables used multiport module option "--destination-port" instead of "--dports" when version was set to 1.4.0. Option "--destination-port" is only for very old versions of iptables (<1.2.6). This change makes compiler properly compare version numbers rather than compare them as strings. * RuleSetView.cpp (RuleSetView::pasteRuleAbove): Permit copy/paste of individual rules between two data files. When a rule is copied this way, all objects used in this rule are copied as well. 
* FWWindow.cpp (FWWindow::recreateWindowsMenu): fixed typo in the main menu item name 2008-08-18 Vadim Kurland * Compiler.cpp (Compiler::complexMatch): (change in libfwbuilder) fixed bug (no #): policy compiler for iptables used chain OUTPUT instead of FORWARD if NetworkIPv6 was used in "source". 2008-08-17 Vadim Kurland * ipt.cpp (main): fixed bug #2054755: "Duplicate Chain". Compiler for iptables used to generate duplicate "iptables -N chain" commands for the same chain in some cases. * Preprocessor_pf.cpp (Preprocessor_pf::convertObject): fixed bug #2056510 "Compile time" address tables objects dont work. Preprocessor in compiler for PF for some reason used to convert all compile time AddressTable objects to run-time. There was no mention of this in changelog and no comment in the module. * RuleSetView.cpp (RuleSetView::copySelectedObject): fixed bug #2055984: "Negate Objects not work". the problem really was not related to negated objects, instead, user could not copy an object from rule element into clipboard more than once. Copying whole rule into clipboard worked fine, but individual object inside the rule could be placed in clipboard only one time. 2008-08-15 Vadim Kurland * Preprocessor.cpp (Preprocessor::isUsedByThisFirewall): fixed bug #2051629: "group with dns names are handled as empty". This bug triggered when object group that consisted of DNSName objects set to resolve at compile time was used in policy rule and at the same none of these DNSName objects were used in rules. If an object from the group was itself used in a rule, compiler properly converted it to address. But object was never used in rules by itself, it was not converted. 2008-08-14 Vadim Kurland * SSHUnx.cpp (SSHUnx::SSHUnx): fixed bug #2051005: "install to localhost fails with pam_thinkfinger". Built-in installer recognizes password prompt produced by pam_thinkfinger module that accepts both password or asks user to swipe finger against fingerprint reader device. 
Note that installer is likely to not work with fingerprint authentication because it will not wait once it gets to the point where pam_thinkfinger module asks for the password or fingerprint and will try to enter password. However with this change password prompt from pam_thinkfinger is recognized and password authentication becomes possible. 2008-08-13 Vadim Kurland * NATCompiler_ipt.cpp (NATCompiler_ipt::getInterfaceVarName): fixed bug 2047082: "Beta 3.0 Build 456: IPv4 & IPv6 mixed firewall". Compiler used ipv4 address of a dynamic interface in the ipv6 policy rules if interface address was determined dynamically at run time. This change makes compiler properly determine ipv4 address for ipv4 rules and ipv6 address for ipv6 rules. 2008-08-12 Vadim Kurland * ObjectListViewItem.cpp (ObjectListViewItem::operator<): (and several other places): code fixes to address warnings issued by gcc 4.3 * Helper.cpp (Helper::findInterfaceByNetzone): fixed bug in policy compiler for pix - it could not properly identify interface with network zone "any" * ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested): fixed bug #2047992: "segfault cloning policies in version 3". "Duplicate" and "Move" context menu items should not be presented if an object for which context menu is called is policy or interface. * Rule.cpp (PolicyRule::removeRef): (change in libfwbuilder) fixed bug #2047991 "Drag & Drop in CHAIN actions, version 3". The bug report consists of 3 parts, part 3 is "When I change the Action from CHAIN to ACCEPT and switch it back to CHAIN it still shows the last policy target I used. EVEN WHEN I DELETED this object meanwhile. I manually have to remove the policy object from the properties of the CHAIN action.". PolicyRule::removeRef removes references to RuleSets and TagService objects from rule options when corresponding RuleSet or TagService object is deleted. 
2008-08-11 Vadim Kurland * ObjectTreeView.cpp (ObjectTreeView::edit): double-clicking on an object in the tree opens it in the editor panel. Normally, QTreeWidget also expands or collapses tree branch on double click if the object has children. This was confusing. This change makes tree not expand and collapse branches on double click. * RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): Applied a one-line patch from to fix problem in the generated iptables script where it would delete default route if routing rules were used. 2008-08-10 Vadim Kurland * FWWindow.cpp (FWWindow::checkForUpgrade): the GUI checks if updated version is available on startup by making simple HTTP GET request to the web site at http://www.fwbuilder.org. This can be turned off in the Preferences dialog. Preferences dialog also provides a button to perform this query at any time. If function is enabled in Preferences, it is performed at every time the GUI is launched. The query does not transmit any data to the server, but the URL of the query includes the version of the Firewall Builder. 2008-08-06 Vadim Kurland * new_object.cpp (newObject): fixed bug # 1997469: "Create a new User library via fwbedit". Fwbedit creates new library and populates it with correct set of standard folders. 2008-08-05 Vadim Kurland * pfAdvancedDialog_en_US.html: Help page for the advanced settings dialog for PF firewall 2008-08-04 Vadim Kurland * PolicyCompiler_PrintRule.cpp (PrintRule::_printActionOnReject): fixed bug #2037806: "Beta 3.0 Build 437: IPTABLES IPv6 policy ICMP reject action". Ip6tables target REJECT accepts different arguments for the --reject-with. * OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #2037809: "Beta 3.0 Build 437: IP6TABLES_RESTORE missing". Added missing variable declaration for IP6TABLES_RESTORE to the generated iptables script 2008-08-03 Vadim Kurland * ProjectPanel_file_ops.cpp: bug #2037314: "b449 does not build". 
More missing #include for gcc 4.3 * newhostdialog_q.ui: fixed bug # 2036963 "Add new Host Object on MacOSX". The "new host" dialog was too big and did not fit on low resolution screen * res.pro: Now installing fwbuilder.desktop file on Linux and application icons under $DATADIR/icons/hicolor/ (sizes 128x128 16x16 24x24 256x256 32x32 48x48 512x512 72x72) * bug #2036912 "fwbuilder b442 does not build". Added missing forward declarations and #include for gcc 4.3 * Applied patch for gcc 4.3 per bug #2036881 "gcc 4.3 patch for b442", Mandriva Cooker patch http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/fwbuilder/current/SOURCES/fwbuilder-3.0.0-gcc4.3.patch 2008-08-02 Vadim Kurland * iptAdvancedDialog_en_US.html: Added help file for the firewall settings dialog for iptables firewalls * Help.cpp (Help::Help): generic built-in help framework. Help files are created in .html format in src/res/help directory. Help files can be localized, locale name is part of the file name; we need to create separate file for each supported language. First dialog to get associated help panel that can be activated by clicking "Help" button is Linux 2.4/2.6 firewall host settings dialog. 2008-08-01 Vadim Kurland * ipt.pro: Eliminated dependency on QT in all policy compilers. Compiler binaries can be deployed on machines without QT and X11. * ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested): fixed bug #2023243: "IPv6 - Some objects missing from context menus". Added items "New Address IPv6" and "New Network IPv6" to context menus associated with folders "Addresses" and "Networks" in the tree. 2008-08-01 Vadim Kurland * Fixed build on Mac, starting with rev 433 code is built with QT 4.4.1 and works on both Leopard and Tiger. * list_object.cpp (getAttributeValue): added command "list" to fwbedit. This command can print contents of one object, an object and all objects below it in the tree or contents of a group. 
Object's attributes can be arranged in the output according to the provided format string where attributes are represented by macros of the format "%attr_name%" where attr_name is the name of the attribute. * fwbedit.1: Man page fwbedit.1 has been updated with the list of commands, options, supported attributes and examples. * with addition of the "list" command to fwbedit, utility fwblookup has been deprecated and removed from the package and source code tree. 2008-07-31 Vadim Kurland * fwbedit.cpp (usage): Redesigned command line interface for fwbedit. The first command line argument is a command (one of "new", "delete", "modify", "list", "add", "remove", "upgrade" or "checktree") followed by options. Now fwbedit can be used not only to add or remove objects, but also to modify object attributes. The CLI is lot more consistent and can be extended with new commands in the future. 2008-07-30 Vadim Kurland * fwbedit.cpp: fixes for the bug #2030331: fwbedit/fwblookup issues: added option "-c" for fwbedit, with this option user can specify comment for the object being created; fixed both fwblookup and fwbedit to properly handle objects with duplicate names when operations are performed on objects specified by their path in the tree. Now, if several objects have the same name, operation will be performed on all such objects. Note that this includes deletion, that is, command "fwbedit -f file.fwb -l /User/Objects/Addresses/TestAddress" deletes all objects with name "TestAddress" if there are several. Added ability to create IPv6 and NetworkIPv6 objects in fwbedit. New command line option "-c text" can be used to set comment for the object created via "-t type -n name". 2008-07-30 vadim * fwbedit.cpp (main): fixed bug #1997475: "Adding Interface via fwbedit breaks .fwb file" 2008-07-28 * ObjectManipulator.cpp (ObjectManipulator::removeLib): fixed crash that happened upon exit on some platforms. 
Need to break away from the loop after lists were modified because iterators become undefined. 2008-07-28 Vadim Kurland * New application icon 2008-07-27 Vadim Kurland * ObjectManipulator.h (class ObjectManipulator): removed strange methods copyObjWithDeep and copyObj2Tree. Fixed drag&drop between different data files. Copy/Paste and D&D between different data files properly copy all dependencies and fix references in rules and groups. Tested with recursive groups (group references itself) and firewalls with rules referencing other firewalls with groups and other objects. * ObjectManipulator.cpp (ObjectManipulator::duplicateWithDependencies): duplicate object that references other objects and create copies of these other objects. Examples: firewall (rules reference other object) and groups. This method is used in "Paste" operation. Will use it for d&d as well. 2008-07-26 Vadim Kurland * ObjectManipulator.cpp (ObjectManipulator::moveObj): code refactoring and cleaning up. Moving all loops over mdi child windows from ObjectManipulator class to the FWWindow class that owns all children windows. Along the way fixed few bugs, such as restored functions "Duplicate to .. " and "Move to ..." that are available via context menu associated with an object in the tree. * ProjectPanel_file_ops.cpp (ProjectPanel::saveIfModified): refactored class ProjectPanel to keep code more organized in several modules. 2008-07-25 Vadim Kurland * FWWindow.cpp (FWWindow::closeEvent): properly checking for unsaved modifications when user hits File/Exit or tries to close main window. * ProjectPanel.cpp (ProjectPanel::fileCommit): fixed bug (no #): crash while doing File/Commit. * PolicyCompiler_ipt.cpp (checkForMatchingBroadcastAndMulticast): fixed bug (no #): crash in fwb_ipt when interface object is used in destination and chain is INPUT. 
* init.cpp: removed #include , trying to fix bug #2027918: "Cannot compile fwbuilder-3.0.0-b413 on x86_64" 2008-07-24 Vadim Kurland * RCS.cpp (RCS::RCS): If data file has been added to RCS, show its revision history properly sorted by the revision number in ascending order and automatically select the latest revision in the dialog 2008-07-24 vadim * init.cpp (guessExecPath): properly managing path to the bundle on Mac. 2008-07-22 Vadim Kurland * FWWindow.cpp: Applied patch to make code compile with gcc 4.3 per http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/fwbuilder/current/SOURCES/fwbuilder-3.0.0-gcc43.patch 2008-07-21 Vadim Kurland * ProjectPanel.h (libfwbuilder): Added missing declarations for gcc 4.3 per bug #2023292: "fwbuilder 3.0.0 does not build" * (libfwbuilder) Applied patch for gcc 4.3 per bug #2023676: "libfwbuilder does not build against gcc 4.3". * (libfwbuilder) fwbuilder.pro: removed unnecessary override in target.path to make it install in a proper place on 64 bit machines' 2008-07-20 * RuleSetView.cpp (RuleTableModel::insertRow): fixed bug (no #) which caused crash on windows when new rule group was created. This happened only on win32. 2008-07-20 Vadim Kurland * RuleSetView.cpp (RuleSetView::moveRule): fixed bug (no #): if rule set had several rule groups, moving rules within rule set did not work and caused weird effects. * NetworkIPv6.cpp (NetworkIPv6::NetworkIPv6): per bug #2023140: "Default prefix for IPv6 addresses" setting default netmask to /64 for NetworkIPv6 object. * InterfaceDialog.cpp (InterfaceDialog::loadFWObject): fixed bug #2023141: "Can't set interface options". The GUI kept all controls in the interface object editor enabled when interface was child of a Host object, even though some controls do not apply to interfaces of a host. These controls were not saved into interface objects and the whole behavior of the GUI was rather confusing. Now only proper controls are enabled when interface is a child of a host object. 
* RuleSetView.cpp (RuleSetView::removeRule): Fixed bug (no #): "remove rule" function used to remove wrong rule in the rule set if rule groups were used. 2008-07-18 * instDialog.cpp (instDialog::installerSuccess): bugfixes in the built-in installer on Windows in case of successful and unsuccessful termination of the process. Tests for when plink.exe asks whether user wants to accept new ssh host key from the firewall. 2008-07-18 Vadim Kurland * NATCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bugs in compiler for iptables where it sometimes would not print netmasks in ipv6 network objects in policy and nat rules. * Added control for IPv6 forwarding setting in "host settings" dialogs for Linux, OpenBSD and FreeBSD. This is in addition to the old ip forwarding control. Corresponding policy compilers add proper commands to generated scripts to turn ipv6 forwarding on or off in the kernel. * ipt.cpp (main): compiler for iptables puts build number in addition to the version number into "Generated with ..." comment in the produced script * instDialog.cpp (instDialog::installerError): fixed crash in the installer that happened when policy activation ended with an error * ipt.cpp (main): fixed bug (no #): if generated script used iptables-restore and if there were automatically generated rules in the mangle table, for example for the "clamp MSS to MTU" rule, but no other rules in the mangle table, compiler would not add COMMIT. 2008-07-17 Vadim Kurland * PolicyCompiler_ipt.cpp (prepareForMultiport::processNext): fixed bug (no #) where compiler for iptables ignored ICMP6 Service objects used in the same rule in combination with tcp or udp service objects. 
* objects_init.xml.in: Added few more ICMPv6 objects to the Standard objects library: type name comment 133 routersol Router solicitation 134 routeradv Router advertisement 135 neighbrsol Neighbor solicitation 136 neighbradv Neighbor advertisement 137 redir Shorter route exists * ObjectManipulator.cpp (ObjectManipulator::delObj): fixed bug (no #): GUI crashed when user deleted one of the rule set objects of a firewall. * many dialogs: adjusted shape and size of many dialogs that used to be too big. * utils.cpp (getAddrByName): getAddrByName() works on all platforms and gets ipv4 and ipv6 addresses as requested. It looks like for it to work on Windows Vista machine needs to be configured with routable ipv6 addresses. When machine only had Link-local address on fe80:: net, even when ipv6 was enabled, getaddrinfo sent proper dns request for AAAA record, got reply but did not pass it back to the application. Once machine was configured with routable ipv6 address, getaddrinfo started working as expected. This problem was not observed on Linux and Mac OS X. * IPv6Dialog.cpp (IPv6Dialog::DNSlookup): Added "DNS Lookup" button to the IPv6 object dialog. * dns.cpp (list): (libfwbuilder) Using getaddrinfo on all OS to perform dns lookup for different address families (AF_INET or AF_INET6). * utils.cpp (getAddrByName): using DNS::getHostByName instead of QT functions to perform host name lookup. This should allow us to do it for both AF_INET and AF_INET6 address families. Needs more testing. 2008-07-16 Vadim Kurland * ipt.cpp (dumpScript): Fixed bug (no #) that triggered when iptables script was generated with option that uses iptables-restore for activation. If ipv6 policy was empty, compiler added "( ) | ip6tables-restore" anyway which caused syntax errors. * RuleSetView.cpp (RuleSetView::addToGroupAbove): Additional check for a bug where adding very long list of rules to a rule group caused crash once. Bug is hard to reproduce. 
2008-07-15 vadim * testing and bug fixes with QT 4.4. * Testing on Mac OS X and Windows Vista. 2008-07-08 vadim * fwcompiler.pro (LIBS): fixed build errors on Ubuntu Hardy. Background info: need to include -lfwbuilder while linking fwcompiler library on all Unix platforms because of the linker option -Wl,-Bsymbolic-functions . Discovered this on Ubuntu Hardy where libsnmp adds this option via net-snmp-config --libs 2008-07-07 Vadim Kurland * listOfLibraries.cpp (listOfLibraries::listOfLibraries): Removed support for add-on libraries in the GUI. User can now open their working file and external library file simultaneously and copy objects from one to another. This removes the need for the cumbersome add-on libraries feature. Will keep module listOfLibraries and corresponding code fragments in ProjectPanel and FWWindow until removal of this feature is validated by users. * PolicyCompiler_pf_writers.cpp: Support for "synproxy state" option for PF per FR #1098098: "Per-rule Synproxy" * templates.xml.in: Updated template firewall objects to include "top_rule_set" attribute. * RuleSetDialog.cpp (RuleSetDialog::loadFWObject): Added attribute "top_rule_set" to Policy, NAT and Routing objects. This attribute is controlled by a checkbox "Top rule set" in the corresponding object dialog. The attribute has platform-specific meaning. On iptables, "top" rule set goes into the built-in chains INPUT, OUTPUT, FORWARD; if this flag is unchecked, rules go into user-defined chain with the name the same as the name of the rule set. On PF, If this flag is unchecked, rules go into anchor with the name the same as the name of the rule set. On Cisco IOS ACL If this flag is unchecked, generated access list will not be assigned to interfaces with "ip access-group" command and also the name of the ACL will be prefixed with the name of the rule set to make it unique. One policy, nat and routing rule set must be marked as "top". 
Other rule sets are secondary and will be placed in their own unique chains, anchors or access lists (depending on the platform). Control may or may not be passed to these chains and anchors. One way to pass control is by using rule action "Branch" in the top rule set. However if control is not passed that way, compiler will still generate corresponding commands which can be used by means external to the firewall builder. Auto-upgrade migration script will assign attribute "top_rule_set" to Policy objects with name "Policy", NAT objects with name "NAT" and Routing objects with name "Routing". This provides for consistent backwards-compatible behaviour after upgrade from v2.1 2008-07-06 Vadim Kurland * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printAddr): Support for IPv6 in Cisco IOS ACL compiler fwb_iosacl. * iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog): Removed option "Enable IPv6 support" in the "advanced" dialog for all platforms. Now user needs to explicitly declare rule sets as ipv6. Since by default all rule sets are ipv4, there is no need in yet another parameter to enable ipv6 support. * RuleSetDialog.cpp (RuleSetDialog::applyChanges): Objects Policy, NAT and Routing now have attribute that tells compiler that corresponding rule set is ipv4 or ipv6. The attribute is controlled by radio-buttons in corresponding object dialog. Every policy or nat rule set is treated as exclusively either ipv4 or ipv6 by compilers, however the user can put objects of both address families in rules. This allows for creation of object groups that include objects of both address families. Such groups can be used in both ipv4 and ipv6 rule sets. Compilers pick objects that match address family declared for the rule set and drop others. One of the reasons why this attribute was added is to avoid generation of unwanted iptables or acl lines for rules that can not be unambiguously attributed to particular address family. 
Example of such rule is rule with "any" in both source and destination (e.g. "catch all and deny" rule typically found at the bottom of the policy). Without this attribute compilers tried to process every rule set for both ipv4 and ipv6. This way rule "any any any deny" found in ipv4 policy yielded corresponding line in the ipv6 policy, which was wrong. * instDialog.cpp (instDialog::installSelected): minor fixes in the installer dialog (fixed progress bar and buffering of the compiler output) 2008-07-05 Vadim Kurland * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTOS): Support for TOS and DSCP matching in IOS access lists. * PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService): Support for tos matching in compiler for pf. PF does not support DSCP matching. * PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): Support for TOS and DSCP matching in compiler for iptables. * IPServiceDialog.cpp (IPServiceDialog::loadFWObject): Added support for attributes "tos" and "dscp" in IPService object. FR #1948944: "support for TOS matching". * PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): Implemented support for combinations of srcip, dstip, srcport, dstport options of the hashlimit module for iptables per bug #1812388: "add srcip,dstip to choices for hashlimit mode" 2008-07-03 Vadim Kurland * fwbuilder.1: updated man page for fwbuilder GUI. * ipt.cpp (main): document iptables version settings from the firewall object in generated script (for support and debugging). * MangleTableCompiler_ipt.cpp (flushAndSetDefaultPolicy): iptables rule with target TCPMSS generated for option "Clamp MSS to MTU" is valid only in mangle table in iptables 1.3.x and later. Still generate this command in the filter table for earlier versions of iptables * PrefsDialog.cpp (PrefsDialog::getFontDescription): Tab "Fonts" of the Preferences dialog shows currently selected fonts for both the tree and rules. 
2008-07-02 Vadim Kurland * instDialog.cpp (instDialog::addToLog): fixes in built-in installer; pretty printing of the external process output; properly enable "next" and "finish" buttons. 2008-07-01 Vadim Kurland * PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol): compiler for iptables distinguishes ICMPService and ICMP6Service * objects_init.xml.in: Added few standard ICMP6 objects * ObjectManipulator.cpp (ObjectManipulator::newICMP6): Added support for ICMP6Service object type in the GUI * ICMP6Service.cpp (ICMP6Service::ICMP6Service): Added class ICMP6Service * fwbuilder.dtd.in: Added XML element ICMP6Service 2008-06-30 Vadim Kurland * PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol): do not generate "-m icmp6 --icmp6-type any" for ipv6 for object "any icmp". 2008-06-28 Vadim Kurland * DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromDNS): object "discovery" by DNS zone transfer is not supported anymore. 2008-06-27 Vadim Kurland * PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol): should use "-p ipv6-icmp" for ipv6 rules. * PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol): skip "-p all" for ipv6 to avoid warning "Warning: never matched protocol: all. use exension match instead" 2008-06-26 Vadim Kurland * PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): using "-m frag --fragmore" for IPService objects that should match ip fragments. * PolicyCompiler_PrintRule.cpp (PrintRule::_printDstService): compiler uses "--icmpv6-type" and "-m icmp6" options while generating ipv6 script. 2008-06-20 * FWWindowPrint.cpp: fixed bug # 1896771: "printing user defined chains". * main.cpp: implemented printing of the firewall object contents from CLI per bug #1996739: "Feature: CLI printing or policy export". Use command line flag "-P " to print and exit. 
2008-06-16 * newHostDiaog.cpp: fixed bug #1899488: "Unable to set MAC address while adding a host" 2008-06-13 * GroupObjectDialog.cpp: implemented sorting by name and parameter in group dialogs per bug #646804: "No sort in Group". 2008-06-10 Vadim Kurland * PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval): support for the "new" time module for iptables 2008-06-08 Vadim Kurland * merged branch "id-experiment" r233:HEAD 2008-06-07 Vadim Kurland * main.cpp (main): support for integer object ids 2008-06-06 Vadim Kurland * PolicyCompiler_pf_writers.cpp (PrintRule::_printUser): Support for UserService in compiler for PF. FR #1948872: "User based rules" * FWBSettings.cpp (FWBSettings::restoreGeometry): the program will remember window size and restore it on subsequent runs, but will not remember window position on the screen. This caused problems on Mac OS X (because window title bar and tool bar weren't taken into account, so window would slide up on every next run) 2008-06-05 Vadim Kurland * PolicyCompiler_ipt.cpp (checkUserServiceInWrongChains::processNext): Support for UserService in compiler for iptables. FR #1948872: "User based rules" * IPv6 suport implemented in the GUI and compilers for iptables and pf: FR #1517015, 1705261, 1706246, 1826325 * Rules with action Tag reference TagService objects. User drags and drops TagService object into a drop area in the rule action dialog. FR #1696841: "Mark action and TagService" 2008-06-05 * IPv4Dialog, NetworkDialog, newHostDialog, newFirewallDialog: netmask can be entered as bit length, in addition to the bit mask format supported before. Both formats are recognized. FR #995452, 1617297, 1666016 2008-06-05 Vadim Kurland * ipt.cpp, pf.cpp: Compilers for iptables and pf recognize branch rule sets that belong to different firewall objects. 
FR #737132: "Linkable Rules", #1224898 "Rule Link" * PolicyCompiler_ipt.cpp (dropTerminatingTargets::processNext): bugfix in the shadowing detection for non-terminating rules in the mangle table. * All compilers: all compilers include error and warning messages produced during compilation in the generated script. Messages are grouped by corresponding section (Policy, NAT, all branches etc.). Normally only warnings will be included because compilers stop when they encounter an error condition, however if compiler is being run with "-xt" command line option, it does not stop and includes error messages in the output as well. This helps catch changes that generate warnings but do not translate into differences in generated configuration. 2008-06-02 Vadim Kurland * PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval): Support for --weekdays parameter in iptables 1.4.0 module "time". Per bugs #1914371: "iptables 1.4.0", #1806045: "latest 1.3.8 time match changed", #853364: "Time Restriction feature request". * platforms.cpp (list): Added iptables version 1.4.0 to the list. Will use it for the "new" time module support. Bugs #1914371: "iptables 1.4.0" and #1806045: "latest 1.3.8 time match changed" 2008-05-30 Vadim Kurland * pf.cpp (main): Like compiler for iptables, compiler for PF now supports multiple rule sets for policy and nat. Each rule set is translated into corresponding anchor .conf file. If some rule in another rule set references it via action Branch, corresponding "anchor" configuration line is generated, but if it is not referenced from any rule, the anchor .conf file is still created. Rule sets "Policy" and "NAT" are configured "main" or "root" and placed in the main .conf file with the name of the firewall object. 2008-05-29 Vadim Kurland * ipt.cpp (main): Compiler for iptables processes all Policy and NAT rulesets that firewall object has, regardless of whether they are referenced from any rules with action Branch or not. 
This is a change compared to the behavior of 2.1 which processed only those branch rule sets that were used in Branch rules. Each rule set that has name other than "Policy" is placed in a chain with the name the same as the name of the rule set. This way the user can create multiple rule sets and place them in different chains, control to these chains can be passed in the iptables commands supplied in prolog or epilog scripts. Another reason for this is to allow the user to place rules for ipv4 and ipv6 in separate rule sets. An attribute "address_family" will be added to objects Policy and NAT later on to be able to mark rule sets as belonging to either ipv4 or ipv6 address family. This separation helps avoid ambiguity that is possible in mixed rule sets (when both ipv4 and ipv6 rules are mixed in the same rule set). Suppose we allow the user to put both ipv4 and ipv6 rules in the same rule set and the user creates a rule with ipv4 object in Dst with negation. "Not host A", where "host A" translates into one ipv4 address should probably include "all ipv6" as well, which means that this simple rule can inadvertenly block all ipv6 without user even noticing it. This can be very confusing and difficult to troubleshoot. Placing rules acting on different address families into different rule sets helps avoid this problem. * ipt.cpp: Compiler for iptables can determine if a rule set is referenced by a rule with action Branch and option "branch in mangle table in addition to the filter table" and correctly places referenced rule set in both filter and mangle tables. 2008-05-29 * ObjectManipulator.cpp: new feature v3: Policy rules can now be arranged in multiple rule sets with names. These rule sets are shown in the tree under the firewall object (next to its interfaces). Each rule set is independent from others, user can add as many as they want. 
Rules with action "Branch" refer to existing rule sets, user associates them by dragging rule set object into action parameters dialog of the branching rule. This also fixes bug #1753297: "duplicate chain tab". 2008-05-23 Vadim Kurland * PolicyCompiler_ipt.cpp (countChainUsage::processNext): New feature: compiler for iptables keeps track of chain usage and removes unused chains from the generated iptables script. This helps optimize generated script and makes it smaller, especially in mixed IPv4/IPv6 configurations. 2008-05-22 Vadim Kurland * ipt.cpp (main): Policy compiler for iptables supports IPv6. Added command line switches "-4" and "-6" which force compiler to generate script for only one specified address family (by default it does both). Compiler can generate simple ipv6 iptables script. Generated script still can be improved but seems to be formally correct at this time. 2008-05-18 Vadim Kurland * OSConfigurator_linux24.cpp: compiler for iptables converted to use exclusively methods getAddressPtr and getNetmaskPtr. Checking for when Address object has no IP address where appropriate (getAddressPtr() returns NULL in this case). 2008-05-10 vadim * pf.cpp: (from 2.1) fixed bug #1961202: "Pf Timeouts overriden by Optimization". Compiler should generate "set optimization" command before "set timeout" commands. 2008-05-08 vadim * FWWindowPrint.cpp (printFirewall): (from 2.1): fixed bug #1562726: "policy print rule cut-off". Long rulesets would not print correctly on Windows, the bottom of the ruleset table was just printed solid grey with no rules visible. * PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): (from 2.1): partial fix for bugs #1789059 "shadow issue when using action chain" and #1945149: "Shadowing test for rules with action "chain". The mechanism for rule shadowing detection we have at this time can only detect shadowing of one rule by another. 
In case of branching it is a combination of the branching rule and rules inside the branch that may shadow other rules. I plan to redesign this part of the code in the future, but it won't happen in upcoming v3. Meanwhile, I am fixing it in 2.1 by making compiler ignore rules with action Branch. 2008-05-05 vadim * PolicyCompiler_pf_writers.cpp (PrintRule::processNext), RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): (from 2.1) fixed bug #1821573: "Rule options limits allow for multiple overload tables". PF allows only for one "overload" option per rule. * IPTImporter.cpp (IPTImporter::pushPolicyRule), (from 2.1) iptables.g (target_options): fixed bug #1949438: "parser expects decimal - hex is not accepted". Importer for iptables should be able to process "--set-mark" with hex argument. * fwbedit.1: (from 2.1) fixed bug #1949103: "manpage slightly broken". Minor fixes in fwbedit.1 man page. * PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules): (from 2.1) fixed bug# 1940504: "Clamp MSS to MTU". Iptables command that invokes "-j TCPMSS --clamp-mss-to-pmtu" in FORWARD chain should go before the one that matches "--state ESTABLISHED,RELATED" in order to work for the packets in these states. * RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): (from 2.1) fixed bug #1938985: Rate in hashlimit in local language 2008-04-28 * v3 feature: rules can be grouped in Policy, NAT and Routing. Group of rules can have a name and color and can be collapsed or expanded. Collapsed rule groups take room equivalent to one rule in the ruleset panel. This implements Feature Requests #1961702, 1938992, 1751141, 1602294, 1372620, 1083981, 1017566, 848553, 811542, 2008-04-13 Vadim Kurland * NATCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug (no #): compiler fwb_ipt used to treat host objects as networks in TDst and generate iptables output with /netmask of the interface. 
* (various places in src/ipt): PREPARATION FOR IPV6: Changing IPv4::cast to dynamic_cast everywhere. In loops that walk child objects of interfaces, cast child objects to InetAddrMask* or to FWObject* instead of IPv4*. This is to facilitate support for ipv6 in the future. In all these places we need to use two aspects of the child objects: either their position in the tree, in which case FWObject* is sufficient, or their address/netmask, in which case we should use InetAddrMask. * (various places in src/pflib): PREPARATION FOR IPV6: Changing IPv4::cast to dynamic_cast everywhere. 2008-03-09 vadim * (from 2.1) pf.cpp: fixed bug #1899914: "Script to apply the new rules." It is enough to execute "pfctl -f file.conf" to load PF policy. There is no need to purge filter and nat rules first, then reload it. * (from 2.1) RCS.cpp (RCSEnvFix::RCSEnvFix): fixed bug #1908351: "rcs does not save log message and file remains locked" * (from 2.1) Compiler.cpp (emptyGroupsInRE::countChildren): (libfwbuilder) fixed bug #1905718: "Group of DNS Name objects considered empty" 2008-03-06 * v3 feature: Firewall Builder v3 GUI redesigned as MDI interfaces. Several data files can be opened simultaneously and objects dragged and dropped from one file to another. FR # 984979 "split window view of tabs". * v3 feature: the GUI allows the user to change font used for the UI, object tree and rules (separately). FR #1621799: "main window font_size & column resizing" (although column width is not saved). * v3 feature: The user can switch between icons 25x25 and 16x16 in rules. FR #1844437 "25x25 Icons to 16x16" 2008-03-05 vadim * VERSION: started v2.1.18 * src/cisco_lib, src/iosacl, src/pix: Code for policy compilers for Cisco IOS ACL and PIX has been released under GPL and merged into the main fwbuilder tree. 2008-02-18 vadim * CircularQueue.hpp (antlr): fixed crash of the policy importer on 64-bit systems. This fixes bug #1886575: "Seg Fault on reading vanilla Fedora iptables file". 
See comment in module CircularQueue.hpp for details. 2008-02-10 vadim * pt_BR.po: updated Brazilian Portuguese translation by Rubens Ferreira Neto and Jose Carlos Medeiros * PrefsDialog.cpp (PrefsDialog::PrefsDialog): fixed bug #1886570: Diagnostic related to Edit->Preferences. Removed harmless but annoying error message that appeared on stderr when user opened Preferences dialog. * IPTImporter.cpp (IPTImporter::pushPolicyRule): Fixed bug 1883536: "fwbuilder segfaults when importing iptables conf". Added support for TCPMSS target with option --clamp-mss-to-pmtu in iptables importer; also made importer upderstand option --tcp-option but skip it since it is not supported in fwbuilder. 2008-02-06 * RCS.cpp (RCSEnvFix::RCSEnvFix): fixed bug #1849392: "RCS using windows 2003 without administrator rights". Pass TMP and TEMP environment variables to RCS tools * pix_os.xml.in: more for the bug #1816798: "Installing policy on PIX 501 fails". The fix that was made for v2.1.16 did not cover test-mode install, which is now fixed too. Command "terminal pager " is valid only for PIX 7.x and caused error while installing policy on PIX 6.3. Removed this command from the install sequence, it was not essential. 2007-12-29 * SSHUnx.cpp (SSHUnx::stateMachine): using signal proper for qt4 (bytesWritten(quint64) instead of wroteToStdin) 2007-12-19 vadim * v2.1.16 release 2007-12-15 vadim * OSConfigurator_linux24.cpp (OSConfigurator_linux24::printRunTimeWrappers): fixed bug #1851166: "Installscript does not test for destination ip address". The problem affected specific case of a firewall with two (or more) interfaces that get their address dynamically and a policy rule that has one such interface in source and another in destination. Generated iptables script retrieves actual addresses of both interfaces and assigns them to variables, then uses these variables in actual iptables rules. 
Special check is provided in case some interface did not obtain any ip address at a time of execution of the script. Previously such test was only done for one dynamic interface per rule. This change makes the script check for both. * ipt.cpp: bug #1850352: "Install script wrongly completes successful". Storing exit status of iptables-restore so that generated firewall script can return the same status after it executes commands that set kernel parameters and runs user-defined epilog code. * PolicyCompiler_pf_writers.cpp (PrintRule::_printRouteOptions): applied patch #1850357: "Add support fo load balancing with pf to PolicyRule::Route" by Tom Judge (tomjudge@users.sourceforge.net) that adds support for load balancing rules in PF. Extended the patch adding support for address/netmask format of the next hop. Added checks for illegal IP addresses and netmasks in the next hop. Test cases for the PF load balancing rules are in test/pf/objects-for-regression-tests.fwb, firewall object firewall40-1. 2007-12-13 vadim * linux24.xml.in: working on bug #1850352: "Install script wrongly completes successful". Added more checks to the installer scriptlet to make it properly terminate with non-zero error code if iptables-restore returned error. Previously "echo" in the end of the generated masked error code returned by iptables-restore and made the GUI report successfull install even when it terminated with an error. Also added test for the presence of pkill on the system so that the script does not try to run it if it is not available. * platforms.cpp (list): applied patch #1850368: 'PF 3.7 has support for "set skip on"'. Patch by tomjudge@users.sourceforge.net extends support for "set skip on" option to pf 3.7. * platforms.cpp (isDefaultPolicyRuleOptions): fixed bug #1850346: "GUI has 2 views on which actions should be stateless". 
Even though GUI made rules with action Route stateful by default, code that determined if combination of options of a given policy rules was default thought these rules should be stateless. * ipt.cpp: Applied patch 1835308: "Patch for adding "-q" option to fwb_ipt". Option "-q" suppresses timestamp that is normally included in the generated script. This way, if no objects or rules changed in the firewall builder, generated script will be exactly the same. Timestamps made generated script different even if nothing really changed in the objects, which made external version control systems detect changes when there were none. * PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules): fixed bug 1848204: "ULOG-Setting ignored for invalid packets", applied patch #1848609 provided by reporter. Code that matched and logged packets in state INVALID always used target LOG, which was a problem for iptables installations that only come with target ULOG. * tcpservicedialog_q.ui: patch #1849500: "tooltip patch for tcpservicedialog_q.ui". Additional tooltips in the TCP Service dialog to explain function of tcp flags masks and settings. 2007-12-12 vadim * ipt.cpp: fixed bug #1849328: "iptables restore unusable in 2.1.15". This bug was introduced by the change for the bug 1812295. If option "use iptables-restore to activate policy" is on, we always generate script that prints iptables commands using echo and sends them to the input of iptables-restore via pipe. * VERSION (FWB_MICRO_VERSION): begin v2.1.16 2007-12-08 vadim * PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed bug #1821576: "Rule option tracking gives inavlid config with default value". Compiler should skip max-src-nodes when it is set to default '0' in the GUI. 
* Added Brazilian Portuguese translation by Jose Carlos Medeiros 2007-11-25 vadim * Starting with build 320 Windows packages install on Vista 2007-11-15 vadim * FWObjectDropArea.cpp (FWObjectDropArea::paintEvent): more fixes for bug #1826558: need to fill background rectangle in "object drop" widget for search. * RuleSetView.cpp (RuleSetView::paintCell): more fixes for bug #1826558: need to fill background rectangle in action, options and comment columns. 2007-11-14 vadim * RuleSetView.cpp (RuleSetView::paintCell): fixed bug #1826558: "OSX 10.5 font problem". This problem appeared only in Mac OS X Leopard (10.5) build, other platforms were unaffected. 2007-11-02 vadim * instDialog.cpp (instDialog::installSelected): previous fix for the bug #1811781: "Batch Install" was insufficient. Needed to clear altAddress input field in the install options dialog in case of the batch install. 2007-10-28 vadim * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::createPrintRuleProcessor): fixed bug #1812295: "Can't use runtime address tables AND iptabels-restore". Script generated by fwb_ipt used "here document" if the option "use iptables-restore to activate policy" was turned on. This did not work in case policy used any run-time address table objects. Now generated script always uses "echo" to generate iptables commands that it sends to the standard input of iptables-restore. * instDialog.cpp (instDialog::doInstallPage): fixed bug #1811781: "Batch Install". Built-in installer used address of the first firewall of the batch to communicate with all firewalls in the "batch install" mode. * PolicyCompiler_pf.cpp (PolicyCompiler_pf::addDefaultPolicyRule): fixed bug #1800875 "'keep state' missing from pass out going traffic rule". Compilers for pf, ipf and ipfw were affected. * pix_os.xml.in: fixed bug #1816798: "Installing policy on PIX 501 fails". Command "terminal pager " is valid only for PIX 7.x and caused error while installing policy on PIX 6.3. 
Removed this command from the install sequence, it was not essential. 2007-10-06 vadim * ipfAdvancedDialog.cpp (ipfAdvancedDialog::ipfAdvancedDialog): applied patch by to add support for Kerberos rcmd and Kerberos ekshell proxies in ipfilter NAT rules. * VERSION (FWB_MICRO_VERSION): begin v2.1.15 2007-09-10 vadim * 2.1.14 release 2007-09-08 vadim * configure.in: patch by Carlos Silva to add third parameter to AC_DEFINE_UNQUOTED 2007-08-25 vadim * RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): fixed bug #1764971: "allowed value range for burst limit". Iptables "--limit-burst" option should not be limited in the GUI. * instDialog.cpp (instDialog::continueRun): fixed bug #1772722: "installer should recognize when it uses plink 0.60". We detect when installer uses plink on Windows by checking the name of the configured ssh client. The check should be case-insensitive. 2007-08-06 vadim * configure.in: applied patch by Carlos Silva to make configure.in use ANTLR C++ run-time installed on the system if it can find one; otherwise it uses copy in src/antlr 2007-08-05 vadim * IPTImporter.cpp: fixed bug (no num): importer for iptables should properly assign rule options when it finds "-m limit" and "--limit" options in the input file. * IPTImporter.cpp: added a workaround for a situation when several iptables commands pass control to the same user-defined chain in the iptables-save file. As of fwbuilder v2.1, branch ruleset is a child object of PolicyRule. This means two different rules can not point at the same branch ruleset. This is unfortunate but it is hard to fix in the current version because it requires changes to the XML DTD and API. Will do this in 3.0. Meanwhile, checking if branch ruleset with requested name already exists and change the name by adding suffix '1', '2' etc to make it different. Imported rule is marked as 'bad' (red background) and gets a comment explaining this. 
* iptables.g (tcp_flags_list): fixed bug #1764988: "iptables import -> GUI crash": syntax for TCP flag matching in iptables-save should allow for more than 2 flags in 'comp' part * iptables.g (target_options): added missing support for "--log-tcp-sequence", "--log-tcp-options" and "--log-ip-options" options for target LOG to iptables policy importer * iptables.g (protocol_word): fixed bug (no num): iptables policy importer should properly parse numeric protocol specification (e.g. "-p 47"). * Importer.cpp (Importer::getTCPService): fixed bug #1764988: "iptables import -> GUI crash": iptables policy importer recognizes and parses TCP flag parameters ALL and NONE * IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed bug #1764988: "iptables import -> GUI crash": iptables policy importer recognizes and parses target RETURN 2007-08-01 Vadim * FirewallDialog.cpp: fixed bug reported in Debian Bug report #417685 - added missing #include to make code compile with gcc 4.3 * fixed bug #1761373: "libfwbuilder doesn't build on Mandriva cooker". Applied fixes to make the code compile with gcc 4.2 * VERSION: started 2.1.14 2007-07-18 vadim * PolicyCompiler_ipt.cpp (InterfaceAndDirection::processNext): compiler permits setting direction in the rule while interface field is "All". This generates iptables command in chain INPUT or OUTPUT with "-i +" or "-o +" interface specification to match all interfaces. 2007-07-14 vadim * platforms.cpp (isDefaultPolicyRuleOptions): platform "iosacl" does not have any rule options at this time; making sure we never show an icon indicating non-default options. * templates.xml: added simple template for Cisco router 36xx * pf.cpp (main): Added support for "set skip on " command for PF. If an interface is marked as "unprotected" in the GUI, compiler generates this command for it. This is useful for loopback or other virtual interfaces. * PolicyCompiler_pf_writers.cpp (PrintRule::processNext): better compliance with PF 4.x. Feature Req. 
#1679793: "add 'no state' and 'flags any'". If version is set to 4.x, compiler skips "flags S/SA keep state" for rules mathcing tcp services. However, according to the section "1.2. Operational changes" in PF FAQ at http://www.openbsd.org/faq/upgrade41.html , there should be a way to add "keep state" explicitly for rules on interface enc0. Added this option to the rule options dialog. * pf.cpp (main): implemented support for PF limit options "src-nodes", "tables" and "table-entries". Feature Req. #1674919: "Support "set limit table-entries"" 2007-07-12 vadim * SSHSession.cpp: More key caching request and other messages for wider variety of ssh clients. * SSHPIX.cpp (SSHPIX::stateMachine): fixed bug #1753188: "policy activation fails on PIX and IOS". Installer failed if account used to authenticate to the router or PIX went straight to 'enable' mode after login. 2007-07-07 vadim * PolicyCompiler_pf_writers.cpp (PrintRule::_printLogging): fixed bug #1747828: "anchors generation - "log" not supported". "Log" keyword is not allowed in "anchor" rules; compiler should not generate it even if user turned logging on in a rule with action 'Branch' * PolicyCompiler_ipt.cpp (checkForRestoreMarkInOutput::processNext): fixed bug #1747332: "missing CONNMARK/ restore mark in Output Chain" * PolicyCompiler_PrintRule.cpp (PrintRule::_flushAndSetDefaultPolicy): fixed bug #1746257: "fwbuilder breaks IPv6". Added an option to the firewall settings dialog for iptables that controls whether compiler should skip generation of the code to set default policy of all ipv6 chains to DROP. This option is off by default, that is compiler puts the code in. This helps maintain backwards compatibility with old data files that do not have this option, which is equivalent to this option being "off". 2007-07-06 vadim * ObjectManipulator.cpp (ObjectManipulator::unlockObject): fixed bug #1743117: "crash while editing any". 
Added check, user should not be able to unlock Standard objects library * FWObject.cpp (FWObject::shallowDuplicate): fixed bug #1740766: "lock not saved". This method now copies the value of "ro" attribute (read-only). Clear it in the caller if neccessary. Method duplicate() clears it after calling shallowDuplicate in order to be able to modify the object, then restores this attribute to its original value. 2007-06-23 vadim * v2.1.12 release * iptables.g (target_options): parser for iptables is aware of "--set-tos" target option. Even though fwbuilder does not support target TOS, importer should be able to import policy that uses it without crashing. 2007-06-20 vadim * FWWindowPrint.cpp (printFirewall): fixed bug #1739373: "FWB2111, register Routing not printed". Tab "Routing" was not included in the printed copy of firewall policies. * NATCompiler_pf.h: fixed bug #1740545: "AddressTable in NAT section". Policy compiler for PF crashed if AddressTable object was used in TDst element of a NAT rule. 2007-06-17 vadim * instDialog.cpp (instDialog::initiateCopy): fixed bug (no number) where installer failed to properly copy .fwb file over to the firewall if file name contained whitespace 2007-06-16 vadim * instDialog.cpp (instDialog::prepareInstallerOptions): discovered and fixed bug in the installer: if management interface of the firewall is dynamic (i.e. had no IP address) and address of the firewall was given in the "Installer" tab of the firewall object dialog, installer failed to copy it to the instOptionsDialog and filled corresponding entry field with 0.0.0.0 * OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions): fixed bug 1737733: "install script doesn't detect BROADCAST if eth is NO-CARRIER". If firewall script runs before network interface comes up (i.e. is still in NO-CARRIER state), script failed to add virtual addresses for NAT. 
2007-06-13 vadim * ActionsDialog.cpp (registerOption): after changes made in the compiler to simplify algorithm used to decide which chain a rule with action Tag should go to, rule action option "Mark connections in PREROUTING chain" ( "ipt_mark_prerouting" ) has been deprecated. 2007-06-12 vadim * FWWindow.cpp (FWWindow::reopenFirewall): Added platform capability element "supports_nat" - if True, platform supports NAT rules so the main window should show tab "NAT" in the policy view. If this parameter is False, the tab disappears. * DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): added main menu item "File -> Import Policy" that activates Discovery Druid and opens it on the page where user can choose configuration file for import. 2007-06-09 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_flushAndSetDefaultPolicy): fixed bug #1711595: "ip6tables DROPs". Compiler adds rules to permit any-to-any on loopback interface for ipv6 in addition to rules that set default policy to DROP for all chains in ipv6 2007-06-06 vadim * antlr.pro: Added ANTLR C++ runtime to the project under src/antlr 2007-06-05 vadim * PolicyCompiler_ipt.cpp (setChainPreroutingForTag::processNext): streamlined algorithm that assigns chain to a rule with action Tag. The goal is to always use chain PREROUTING for rules with direction Inbound or Both and a combination of OUTPUT and POSTROUTING for rules with direction Outbound and Both. 2007-06-02 vadim * DiscoveryDruid.cpp (DiscoveryDruid::importPlatformChanged): finalized rule importer GUI. 2007-06-01 vadim * IPTImporter.cpp (IPTImporter::pushNATRule): NAT import now works 2007-05-30 vadim * pf.cpp (main): fixed bug #1727715: "Policy Installer failed but indicates succes". Activation script for PF exits with non-zero return code if script activation fails. 
* IPTImporter.cpp (IPTImporter::addSrv): import of target MARK and TagService for iptables * IPTImporter.cpp (IPTImporter::pushRule): support for module "limit" in importer for iptables 2007-05-29 vadim * IPTImporter.cpp (IPTImporter::pushRule): meaningful import of iptables-restore files with all actions for filter table. Action "Continue" helps import iptables commands with targets LOG and ULOG. * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): Added support for action "Continue" (an empty action) in the GUI and compiler for iptables. This action creates a rule that does nothing, however it generates iptables command with target "-j LOG" if logging is turned on. This can be useful if one wants only to log packets that match certain pattern but not make any policy decision in the same rule. 2007-05-28 vadim * IPTImporter.cpp (IPTImporter::pushRule): basic iptables-restore import works (only policy rules, only minimal set of modules) 2007-05-27 vadim * IPTImporter.cpp: initial work on iptables importer * OSConfigurator_linux24.cpp (OSConfigurator_linux24::generateCodeForProtocolHandlers): Fixed bug in the shell code that finds netfilter modules (missing closing '"'). This bug broke generated iptables script. Bug was introduced in 2.1.12 some time before build 270 2007-05-25 vadim * iosacl.g (vlan): ignore "vlan" commands while importing IOS config * IOSImporter.cpp (IOSImporter::finalize): IOS accesslists importer properly handles situation when the same list is applied to multiple interfaces with different directions. 2007-05-22 vadim * run-tests.sh: simple framework for automated unit tests * importer_test.cpp: unit test for Cisco IOS access lists importer * IOSImporter.cpp (IOSImporter::finalize): IOS access lists importer works with a large complex test file. Test can be imported and then compiled with no manual changes. 
* PolicyCompiler_ipt.cpp (InterfacePolicyRulesWithOptimization): allow for object group in "Interface" rule element 2007-05-21 vadim * DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromImporter): finished configuration importer GUI 2007-05-16 vadim * RoutingCompiler_ipt_writers.cpp: fixed bug #1718791: "Bug with more than one router". This bug affected routing rules. * OSConfigurator_linux24.cpp (OSConfigurator_linux24::generateCodeForProtocolHandlers): fixed bug #1720022: "Fail to load modules .ko.gz". * MangleTableCompiler_ipt.cpp (keepMangleTableRules::processNext): fixed bug #1720480: '"-A POSTROUTING -i interface" in branching rules'. Compiler should not generate iptables commands in POSTROUTING chain with "-i interface" clause. 2007-05-15 vadim * DiscoveryDruid.cpp (DiscoveryDruid::importConfig): basic GUI support for the configuration importer * IOSImporter.h (class IOSImporter): derived class - importer for Cisco IOS ACLs * Importer.h: generalized policy importer framework. Requires grammar for each platform. * iosacl.g: ANTLR grammar for IOS ACLs. Only "access-list ", "ip access-list extended" and certain "interface" commands can be parsed 2007-05-11 vadim * SSHSession.cpp (SSHSession::readFromStdout): note about built-in installer on windows. Installer seems to have broken with upgrade of QT to 3.3.8. Specifically, in SSHSession::readFromStdout(), proc->readStdout() returns a byte array that contains actual output from the device, with some garbage appended to it. The garbage is included in the size() count of QByteArray returned by readStdout so it gets included into the QString which we append to stdoutBuffer. This happens only on win32; reverting to QT 3.3.7 fixes the problem. 2007-05-10 vadim * SSHPIX.cpp (SSHPIX::stateMachine): implemented support for scheduled reload for PIX firewalls (for roll-back).
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog): PIX and Cisco routers (IOS) : built-in installer can schedule reboot of the firewall before activating new policy, then cancel it if the policy has been activated successfully. * instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog): fixed long-standing problem with size of the built-in installer options dialog. The dialog was too big and did not properly resize itself when some options were hidden. * SSHIOS.cpp (SSHIOS::stateMachine): installer for Cisco routers 2007-05-09 vadim * InterfaceDialog.cpp (InterfaceDialog::loadFWObject): added support for the new attribute "unprotected" for the Interface object in the GUI. Compilers skip this interface while assigning ACLs or policy rules to interfaces. This is supported only in the compiler for Cisco IOS ACLs at this time. 2007-05-08 vadim * iosAdvancedDialog.cpp (iosAdvancedDialog::iosAdvancedDialog): Added dialogs and resource files for Cisco IOS ACLs 2007-05-07 vadim * RuleSetView.cpp (RuleSetView::changeAction): setting option "stateless" appropriately when new rule is created. * objects_init.xml: added object "All TCP established" - a tcp object with open port range and flag "established" * PolicyCompiler_ipf.cpp (PolicyCompiler_ipf::compile): using rule processor CheckForTCPEstablished in compilers for iptables, ipf and pf to check for TCP service objects with flag "established". This is considered an error because these platforms do not provide support for "established". * PolicyCompiler_ipfw_writers.cpp (PrintRule::processNext): using new TCPService object flag "established" in compiler for ipfw. * PolicyCompiler_ipf.cpp (doSrcNegation::processNext) and PolicyCompiler_ipfw.cpp: rules created for negation with action 'Continue' should be stateless. 
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug (no number): compiler used to not set unique internal id for rules in branches, which lead to chain names like 'C.0' in generated script. * PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed bug (no number): when a rule number is inserted into a log record in place of macro %N, it should be formatted as "N/M" for rules in a branch. * PolicyCompiler_ipt.cpp (decideOnChainForClassify::processNext): fixed bug (no number): setting chain for Classify action only if it has not been set before. Setting chain to POSTROUTING always broke things if a rule with action 'Classify' was used in a branch (so the chain has been set to that of the branch) * RuleSetView.cpp (RuleSetView::changeAction): working on bugs #1676635: "no way to match on state if the action is drop" and #1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW stanza". Rule option 'stateless' is automatically set when user changes rule action so it becomes anything except 'Accept', 'Tag' or 'Route'. This option is also automatically cleared when action is switched to any of these three actions. The user can override these default settings by checking or unchecking the option in the rule options dialog. * PolicyCompiler_PrintRule.cpp: working on bugs #1676635: "no way to match on state if the action is drop" and #1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW stanza". Rely only on rule option 'stateless' to decide whether the rule should have "-m state --state NEW". 2007-05-06 vadim * v2.1.12 started 2007-04-28 vadim * v2.1.11 release 2007-04-24 vadim * SSHUnx.cpp (SSHUnx::SSHUnx): fixed bug #1702830: "fwbuilder does not detect errors during policy install". Built-in installer detects error messages printed by iptables and iptables-restore and aborts installation process. Summary page shown in the end reflects this as failed install. 
* instOptionsDialog.cpp (instOptionsDialog::updateRollback): fixed bug #1701971: "Enabeling test mode doent activate the reboot interval". Checking "Test mode" checkbox in the installer options dialog should enable widgets that configure automatic reboot timeout. 2007-04-23 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): bug #1699483: "hashlimit-htable-expire not set". Compiler automatically generates name for the --hashlimit-name option if it is not set in the GUI. * PolicyCompiler_ipt.cpp (TagIfSrcFw::processNext): fixed bug #1703954: "Mark target in postrouting chain". Packets that originate on the firewall should be marked in the OUTPUT chain. According to the netfilter packet flow diagram at http://www.shorewall.net/NetfilterOverview.html , rerouting happens after OUTPUT hook but before POSTROUTING hook. * FWBTree.cpp (FWBTree::isSystem): fixed bug #1703595: "build 230 crashes when seaching for a deleted object" 2007-04-13 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): fixed bug 1699483: "hashlimit-htable-expire not set". Added GUI controls and compiler support for hashlimit module options "--hashlimit-name", "--hashlimit-htable-size", "--hashlimit-htable-max", "--hashlimit-htable-expire" and "--hashlimit-htable-gcinterval" * OSConfigurator_linux24.cpp (linux24::generateCodeForProtocolHandlers): fixed bug #1697832: "fc5 kernel 2.6.20 moved *conntrack* modules". Starting with kernel 2.6.20, netfilter installs *conntrack* modules in "/lib/modules/`uname -r`/kernel/net/netfilter/" rather than "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/". Modified shell code that finds and loads all "*conntrack*" and "*nat*" modules, it should now work with both old and new kernels. I do not know if this directory change was introduced only by Fedora or it is general for the netfilter. * TCPServiceDialog.cpp (TCPServiceDialog::validate): fixed bug #1695481: "compliation error with lower end port". 
Before, user could enter start port range number greater than the end port range number. Neither the GUI nor compiler noticed this, which resulted in the incorrect firewall configuration. This fix adds check in the GUI to not let the user enter port ranges like that. 2007-04-03 vadim * PolicyCompiler_ipf_writers.cpp (PrintRule::_printWith): fixed bug #1676845: "lsrr option not compiling" * PolicyCompiler_ipf_writers.cpp (PrintRule::_printWith): fixed bug #1678410: "Ipfilter compiler uses wrong keyword for "fragment"" * utils.cpp (getUserName): fixed bug #1684334: "RCS should use $LOGNAME when commit" * ActionsDialog.cpp (ActionsDialog::loadFWObject): fixed bug #1692411: "can't set accouting rule name (fwbuilder 2.1.11)" 2007-03-24 vadim * RuleSetView.cpp (RuleSetView::paintCell): fixed bug #1685741: "GUI crash: click on an empty part of obj tree, then desktop" 2007-03-21 vadim * ObjectTreeView.cpp (ObjectTreeView::focusOutEvent): working on the bug #1685741: "GUI crash: click on an empty part of obj tree, then desktop" 2007-03-18 vadim * InterfaceDialog.cpp (InterfaceDialog::loadFWObject): minor redesign of the interface object dialog to make network zone more prominent and easier to set when network and group objects have long names. 2007-03-13 vadim * PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed bug #1674940: "if max-src-conn == 0: syntax error". 
Options max-src-conn and max-src-states can not have value '0' * TimeDialog.cpp (TimeDialog::loadFWObject): redesigned TimeService object dialog * PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval): fixed bug #1672191: "Time limit generates unexpected iptables command" * PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval): Added support for --datestart and --datestop options for module 'time' in compiler for iptables * started v2.1.11 2007-02-17 vadim * RuleSetView.cpp (RuleSetView::findWhereUsedSlot): added an item "Where used" to the context menu associated with objects in rules * FWWindow.cpp (FWWindow::setPolicyBranchTabName): a workaround for the bug 1629461: "Policy tabs do not scroll @ window extent on OSX". The tab widget used to show policy, nat, routing and policy branch rulesets does not switch to a "folded" mode on Mac OS X when it needs to show more tabs that fit in the window. Since I can't figure out a way to force it to do that, I am dropping "Policy/" from the tab titles for branches to make them shorter. This will help users with policies with many branches, however it does not solve the problem because as they keep adding branches, at some point they won't fit in the window again. 2007-02-15 vadim * FWWindow.cpp (FWWindow::fileCompare): fixed bug #1659832: "No compile with QT without STL support" * instDialog.cpp (instDialog::initiateCopy): fixed bug #1661140: "built-in installer broken in 2.1.9 for PF". Installer incorrectly set name for files it copied to the firewall if compiler generated more than one file. Normally two files are generated for PF and ipfilter. * v2.1.10 started 2007-02-10 vadim * v2.1.9 release * main.cpp (tty_raw): bug #1650369: "[patch] please add support for GNU/kFreeBSD". Applied patch to make code compile on kFreeBSD. 2007-02-03 vadim * listOfLibraries.cpp (list): fixed bug #1620284: "conflict when adding library to Preferences/Libraries". 
When the user tried to add a library to the list in Preferences/Libraries when a data file with the same object library was loaded, the GUI detected the conflict and showed an error dialog. * FWWindow.cpp (FWWindow::fileCompare): New feature: new operation "Tools/Find Conflicting Objects in Two Data Files". This operation inspects two data files (either .fwb or .fwl) and finds conflicting objects. Conflicting objects have the same internal ID but different attributes. Two data files can not be merged, or one imported into another, if they contain such objects. This operation also helps identify changes made to objects in two copies of the same data file. This operation does not find objects present in one file but not in the other; such objects present no problem for merge or import operations. This operation works with two external files, neither of which needs to be opened in the program. Currently opened data file is not affected by this operation and objects in the tree do not change. In the process of this operation the user is presented with a series of dialogs showing conflicting objects side by side. In the end the program can generate a report and write it to a text file. 2007-01-30 vadim * instDialog.cpp (instDialog::initiateCopy): more for the bug #1617501:"Install fails after compile". Making sure we always strip directory path from the file name if user specified full path for the policy file in the "Output file name" input field in the "Compiler" tab of firewall object dialog. Need to strip path when macro "%FWSCRIPT%" is substituted in installation scriptlets and in some other places. 2007-01-15 vadim * OSConfigurator_linux24.cpp (linux24::printRunTimeWrappers): fixed bug (no num.): data files used for run-time AddressTable objects can have empty lines, the script should skip them. 2007-01-14 vadim * iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog): more for bug #1618381: "CLASSIFY/MARK are non-terminating".
Emulation of the terminating behavior for Classify and Tag actions is now controlled by a global option in the "Compiler" tab of the firewall properties dialog. This means emulation can be turned on and off for all rules that might require it at once. It is impossible to mix such rules with terminating and non-terminating behavior. The reason for this is that shadowing detection algorithm can only work with either terminating or non-terminating rules, not with the mix. Hopefully this is the last change made for this bug. * PolicyCompiler_ipt.cpp (ipt::getAddressTableVarName): fixed bug #1632054: "Runtime AddressObjects FAIL to load if "Name:" contains "."". Compiler checks whether the name of the run-time AddressTable object contains characters that have special meaning in the shell and replaces them with '_' when it generates the name of the temporary shell variable, so that an object name cannot produce an invalid or unintended variable name in the generated script. * PolicyCompiler_ipt.cpp (splitNonTerminatingTargets): update for bug #1618381: "CLASSIFY/MARK are non-terminating". Adding iptables rule with target ACCEPT to make Tag and Classify rules terminating. This is controlled by checkbox in the action dialog for actions Classify and Tag. Default setting is off. 2007-01-09 vadim * FWWindow.cpp (FWWindow::scheduleRuleSetRedraw): fixed bug (no num.): GUI used to show phantom 'Policy', 'NAT' and 'Routing' tabs when user deleted objects from the Deleted Objects library, provided some of these objects were previously deleted firewalls. 2007-01-07 vadim * GroupObjectDialog.cpp (GroupObjectDialog::dropped): fixed bug #1624577: "group window doesn't stay open on multiple-adds". Using special flag to tell ObjectTreeView that it should ignore MouseReleaseEvent it gets after d&d operation, so it won't switch object in the editor panel. Note the bug triggered only on Mac OS X.
* FWWindow.cpp (FWWindow::FWWindow): "Apply" and "Close" buttons in the objct editor panel should be of fixed size horizontally 2007-01-06 vadim * instDialog.cpp (instDialog::testFirewall): fixed bug #1617501:"Install fails after compile". The GUI got confused when user enter full path to the policy file in the "Output file name" input field in the "Compiler" tab of firewall object dialog. * SimpleTextEditor.cpp (SimpleTextEditor::loadFromFile): fixed bug 1619930: "Prolog tab's ScriptEditor's import fails to overwrite" * OSConfigurator_linux24.cpp (linux24::printRunTimeWrappers): fixed bug #1628989: "run-time-loaded rules don't accept ";" as line comment" * RuleOptionsDialog.cpp (RuleOptionsDialog::changed): fixed bug #1620206: "RuleOptions' "Apply" button greyed-out until menu selection" * SimpleTextEditor.cpp (SimpleTextEditor::SimpleTextEditor): fixed bug #1619842: "prolog "script editor" opens behind other windows" * RuleSetView.cpp (RuleSetView::removeRule): fixed bug #1629521: "can't delete empty chain/policy tab" * instOptionsDialog.cpp (instOptionsDialog::hidePIXOptions): installOptionsDialog was too large and did not fit on some laptop screens. Doing tricks to make sure the dialog properly resized after unused GUI elements are hidden. 2007-01-04 vadim * PolicyCompiler.cpp (DetectShadowingForNonTerminatingRules::processNext): (API change) fixed bug #1618381: "CLASSIFY/MARK are non-terminating". Non-terminating rules shadow each other "backwards", that is more general rule shadows other rules _above_ it. Added flag 'reverse' to the method find_more_general_rule and added new rule processor DetectShadowingForNonTerminatingRules that finds such cases of 'reverse' shadowing. Using it for rules in the mangle table for iptables. * PolicyCompiler_ipt.cpp (finalizeChain::processNext): working on bug #1618381 * For action Branch with option to add branching rule to the mangle table: we now generate rules in PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD chains. 
This is because some targets can only work in PREROUTING or POSTROUTING chains but we do not know what rules will user put in the branch. So we need to branch in all chains * For rules in mangle table with direction set to Inbound or Outbound force chain to PREROUTING or POSTROUTING respectively early. This eliminates duplicates such as the same rule in PREROUTING and INPUT chains. Also since most (all?) targets that require mangle table go into either PREROUTING or POSTROUTING chains, it should be enough to use these two chains. 2007-01-01 vadim * ActionsDialog.cpp (ActionsDialog::setRule), PolicyCompiler_ipt.cpp (splitNonTerminatingTargets::processNext): working on bug #1618381: "CLASSIFY/MARK are non-terminating". Converting non-terminating targets MARK and CLASSIFY into equivalent of terminating targets using intermediate chain and "-g" option to pass control to it. Added a checkbox to the rule options dialog for action Classify for this, by default this feature is off. 2006-12-27 vadim * Compiler.cpp (Compiler::expandGroupsInRuleElement): fixed bug #1620925: "compile-time AddressTable object with empty file". Compile-time AddressTable object that uses file with no addresses should be treated as an empty group according to the "Ignore empty groups" option. Changes are made as follows: - Compiler::expandGroupsInRuleElement does not call s->setAnyElement(); to set rule element to 'any' before adding addresses from the group. This means that if group is empty, rule element remains empty (not even 'any', just with no children, i.e. with size()==0). Note that AddressTable::loadFromSource() leaves AddressTable object empty if the file does not have any addresses. - Compiler::emptyGroupsInRE specifically checks for run-time MultiAddress objects and skips them so they wont be treated as empty groups (since they are indeed empty). 
Compile-time MultiAddress objects are treated as groups and algorithm that depends on option 'ignore empty groups' is executed for both empty regular groups and empty compile-time MultiAddress objects. * PolicyCompiler_ipt_optimizer.cpp (optimize1::optimizeForRuleElement): fixed bug #1623113: 'connlimit fails in compiled "address table" rules' Module connlimit can only be used in iptables rules matching TCP services. Such iptables commands have "-p tcp" and/or "-m tcp" options. If a rule in fwbuilder uses TCP Service and connlimit option and has multiple objects in src and dst, optimizer used to split it to minimize matches. It however preserved connlimit option in all subrules, even though some of them did not have TCP service after the split. This led to generation of incorrect iptables commands. * PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug #1623338: "Can not disable rules in a branch". Compiler for iptables ignored flag 'disabled' on rules in a branch, so rules the user had disabled were still compiled into the generated script. 2006-12-26 vadim * VERSION (FWB_MICRO_VERSION): set version to 2.1.9 2006-12-03 vadim * v2.1.8 released 2006-11-30 vadim * FirewallDialog.cpp (FirewallDialog::applyChanges): fixed bug #1589743: "compiler setting should be erased when fw platform changes". If user configured firewall object to use third-party compiler, this setting should be erased when firewall platform of this object changes. 1) compilers are always platform-specific and old compiler most likely won't work with different platform; 2) 'advanced' firewall settings dialog may not have an entry field for the compiler (e.g. dialog for PIX does not have it) 2006-11-26 vadim * gui.pro (TARGET): All binaries are renamed to drop suffix '21'. Opinion poll among the mailing list subscribers showed that the majority of users do not care for the ability to install and run both old and new versions of fwbuilder on the same machine.
This feature creates substantial problems because of the symlinks to libfwbuilder libraries that have the same name regardless of the library version ('libfwbuilder.so' and 'libfwcompiler.so'). These symlinks are required on Linux and *BSD and can not be avoided easily. The only simple alternative was to rename libraries to libfwbuilder21 and libfwcompiler21. I was impartial and thought of doing this but FreeBSD port maintainer did not like this solution. Given that most users said in the poll they do not want this feature anyway, I am reverting binary and man page names back to the old standard scheme without suffix '21'. 2006-11-16 vadim * FindObjectWidget.cpp (FindObjectWidget::matchAttr): added back search by regexp - object name or port, protocol or ICMP type numbers can be defined as regular expressions. 2006-11-09 vadim * PolicyCompiler_PrintRule.cpp (PrintRule::_printDirectionAndInterface): fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV: no physdev opti..." Sometimes rules were generated with "-m physdev" but without "--physdev-in" or "--physdev-out" options. * PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug #1592130: "Policy Chaining Issues". Policy compiler should expand rule subsets recursively * FWWindow.cpp (FWWindow::addPolicyBranchTab): working on bug #1592130: "Policy Chaining Issues". The GUI should properly display nested branch rulesets. * set version to 2.1.8 2006-10-30 vadim * v2.1.7 released 2006-10-28 vadim * RuleSetView.cpp (RuleSetView::paintCell): fixes for QT w/o STL support 2006-10-24 vadim * manually removed from findobjectwidget_q.ui and findwhereusedwidget_q.ui * build 155 2006-10-23 vadim * platforms.cpp (getRouteOptions_pf_ipf): fixed bug (no num): the program used to incorrectly save "route option" parameter that is used for pf and ipf firewalls when user edited action "Routing" for iptables firewall. This would corrupt saved XML file if the program was used under non-English locale.
2006-10-22 vadim * ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): eliminated useless creation of interim QPixmap objects. It appears this was responsible for creation of tons of extra pixmaps that triggered bug 1582130 on windows. Bug #1582130: "GUI crashes on windows when very large data file is opened" is now fixed. 2006-10-21 vadim * ObjectManipulator.cpp (ObjectManipulator::addTreePage): working on bug #1582130: "GUI crashes on windows when very large data file is opened". Using QPixmapCache everywhere. * PixmapFactory.cpp (PixmapFactory::getPixmap): bug #1582130 "GUI crashes on windows when very large data file is opened". Ran into a known limitation on number of simultaneously created pixmaps on Windows. If the data file contains over 3000 objects or so, the GUI crashes on Windows. This is caused by the fact that GDI has global limit on the number of pixmaps. See here: http://lists.trolltech.com/qt-interest/2005-01/thread00679-0.html Using QPixmapCache class to cache and reuse pixmaps, using it via simple wrapper PixmapFactory that automatically creates pixmaps not found in the cache. 2006-10-20 vadim * listOfLibraries.cpp (listOfLibraries::listOfLibraries): fixes for QT w/o STL support on win32 2006-10-19 vadim * DialogData.cpp (DialogData::loadToWidget): properly using remapping tables while loading strings into QComboBox when program runs under international locale. Strings for comboboxes are defined in platforms.cpp and need to be translated accordingly. 2006-10-16 vadim * RCSFileDialog.cpp (RCSFileDialog::getSelectedRev): fixed bug #1578502: "crashing opening file". The GUI crashed if the user switched "open file" dialog to detailed list mode and then tried to open a file. 2006-10-15 vadim * PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): All compilers print an error message when they encounter an unknown action in a rule * Preprocessor.cpp (Preprocessor::convertObject): fixed bug #1575355: "Compiler tries to resove deleted AddressTable objects".
Using findWhereUsed to find if MultiAddress object is used in firewall being compiled so we don't try to resolve objects that are not used anywhere. * FWObjectDatabase.cpp (FWObjectDatabase::findObjectsInGroup): code refactoring: moved methods findObjectsInGroup and findWhereUsed from the GUI to API. 2006-10-08 vadim * v2.1.6 build 134: major improvements in support for outbound ACLs in PIX 7.0 in compiler for PIX. Added file 'v21_migration_notes.txt' to fwbuilder-pix package 2006-10-07 vadim * NATCompiler_PrintRule.cpp (PrintRule::_printDstService): fixed bug#1572735: "Wrong syntax with TagService in NAT table". Added mssing "-m mark" 2006-10-06 vadim * PolicyCompiler_ipfw.cpp (SpecialRuleActionsForShadowing::processNext): rule with action 'Pipe' or 'Custom' should not shadow other rules * PolicyCompiler_ipfw_writers.cpp (PrintRule::processNext): compiler for ipfw generates rule with action check-state depending on the setting of he option "Add rule to accept packets matching dynamic rules created for known sessions". This option is controlled by a checkbox in the firewall settings dialog. * TableFactory.cpp (TableFactory::PrintTables): if AddressTable object is configured to resolve at run time but file name is left blank, compiler for PF generates PF configuration as follows: "table persist". That is, it omits 'file "filename"' clause all together. This is useful if table is updated automatically using "max-src-conn, overload " option and does not need to be pre-populated with addresses from a file. 2006-10-05 vadim * pixAdvancedDialog.cpp (pixAdvancedDialog::pixAdvancedDialog): added option "Generate outbound ACLs" for PIX 7.0 2006-10-02 vadim * Checking in updated German translation by Hans Peter Dittler 2006-09-29 vadim * PolicyCompiler_ipt.cpp (ipt::compile): fixed bug #1567873: "CLASSIFY/Logging". eed to run rule processor decideOnChainForClassify before rule is split for negation or logging to properly pick up chain for action Classify. 
Previously rules with this action and either negation or logging would match packets in chains INPUT/OUTPUT/FORWARD but use chain POSTROUTING when applying action. 2006-09-28 vadim * pf.cpp (main): 'Prolog' section of the generated script can now be added in different places: - to the activation shell script, as before - at the very top of generated .conf file - after 'set' commands in the generated .conf file - after 'scrub' commands in the generated .conf file - after table definitions in the generated .conf file but before all policy commands 2006-09-26 vadim * checking in updated Russian localization by 2006-09-21 vadim * ObjectManipulator.cpp (ObjectManipulator::deleteObj): fixed bug #1562965: "no confirmation when deleting an object". In a scenario when user starts with an emty object tree, then adds a firewall with an interfaces, then tries to delete the interface, the GUI would just delete it without presenting the user with "Are you sure ?" confirmation dialog. 2006-09-20 vadim * PolicyCompiler_ipt.cpp (convertAnyToNotFWForShadowing::processNext): fixed bug #1562348: "a case of undetected rule shadowing". Compiler did not detect shadowing in the pair of rules where first rule was 'any any service' (flag 'firewall is part of any' is ON) and the second was 'fw any service' when global flag 'firewall is part of any' is OFF * confirmdeleteobjectdialog_q.ui: fixed bug #1561165: "Delete dialog box sizing incorrect" * FWObject.cpp (FWObject::shallowDuplicate): API change: fixed bug 1562290: "GUI crashes in discovery druid". FWObject::shallowDuplicate should add to database index only if dbroot is defined. If dbroot==NULL, trying to copy it from parameter x of shallowDuplicate (the object we are duplicating), but need to check if dbroot is != NULL after that as well, because object we are dulicating may not belong to any object tree. 
This is the case with interface objects created in SNMPQuery::fetchInterfaces 2006-09-17 vadim * PolicyCompiler_pf_writers.cpp (PrintRule::processNext): feature request #1531599: "max-src-conn and max-src-conn-rate". Added support for max-src-conn and max-src-conn-rate options n compiler for PF. * RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): feature request #1531599: "max-src-conn and max-src-conn-rate". Added GUI elements to support these PF options. 2006-09-16 vadim * SSHPIX.cpp (SSHPIX::stateMachine): fixed a bug in the code that deals with previously unseen ssh host key. Properly terminating session if user hits 'No'; stopping heartbeat timer while waiting for user input. * FWWindow.cpp (FWWindow::install): compile/install wizard is now a top level non-modal window, it can be used in parallel with the main window so one can inspect and fix rules while still looking at the output produced by the compiler, or work with objects and rules while pushing policy update to the firewall. 2006-09-15 vadim * instDialog.cpp (instDialog::installerError): fixed bug #1559697: "built-in installer crashes on incorrect password" 2006-09-14 vadim * FWObjectClipboard.h: clipboard holds list of object IDs instead of object copies. Clearing clipboard when an object is deleted from the "Deleted objects" library in ObjectManipulator::delObj. * FWWindow.cpp (FWWindow::load): calling FWObjectDatabase::reIndex to fix object reference counters and rebuild the index after object tree is loaded from .fwb file. Doing the same in all policy compilers. * NATCompiler_pf.cpp (splitForTSrc::processNext): fixed bug #1556984" "Nat statements in PF are missing (source-natting)" Compiler was too restrictive checking firewall's interfaces while generating 'nat' rules. It generated such rule only when it was able to find an interface with address/netmask combination that defined subnet to which TSrc address belonged. 
2.0.X used to be more liberal: it created the nat rule even if no such interface was found, and in that case generated a nat rule bound to all interfaces of the firewall.
This should help avoid build failures on systems where both QT 3.x and 4.x are installed and where /usr/bin/qmake is really QT 4.x qmake which we can not use. 2006-08-31 vadim * PolicyCompiler_ipfw.cpp (processMultiAddressObjectsInRE): checking for (currently unsupported) run-time AddressTable objects * All compilers: fixed bug #1544488: 'Error with DNS_name object when "resolve during run time"'. Needed to swap run-time DNSName and AddressTable objects with MultiAddressRunTime during rule shadowing run 2006-08-29 vadim * instDialog.cpp (readFromStdout): properly processing text coming from the background process if it comes buffered in chunks that include several lines of text and possibly incomplete last line. Previously, text would come out werdly formatted in the log window. * instDialog.cpp (processExited): detectig situation when background process (compiler) crashes or is killed * RuleSetView.cpp (fixRulePosition): this method fixes rule position if it is incorrect (this happens sometimes because of errors in auto-upgrade transformations). fixRulePosition checks if object the rule belongs to is read-only or belongs to a read-only subtree in the database and temporarily breaks the lock in order to be able to fix rule position. This method is recursive so it supports cases when several objects between the rule and database root are read-only. 2006-08-27 vadim * instDialog.cpp (prepareInstallerOptions): Added checkbox 'save copy of fwb file on the firewall' to the installer options dialog. If this checkbox is on, installer copies .fwb file to the firewall before it copies generated configuration and activates it. This can be used as last resort backup but should be avoided if firewall is managed from remote workstation and especially if many firewalls are managed from dedicated management workstation (because storing fwb file on each firewall means security policy of all firewalls resides on all every one of them). This option is off by default. 
2006-08-26 vadim * ConfirmDeleteObjectDialog.cpp (findForObject): redesign of the dialog: now showing objects to be deleted and their parent objects in the same list with selection disabled. This removes confusion caused by the text in the dialog saying that 'seletect objects' were bout to be deleted and ability to select objects in the confirmation dialog. 2006-08-20 vadim * PolicyCompiler_pf.cpp (fillDirection::processNext): fixed bug #1543684: "fwb 2.1.5 IPFilter fallback rule issues". Fallback rule should be 'pass out' if option 'Pass all outgoing' is used. 2006-08-19 vadim * MangleTableCompiler_ipt.cpp (processNext): (new feature): added checkbox to the action 'Branch' for iptables "In addition to 'filter', create branching rule in 'mangle' table as well". When this parameter is activated, compiler creates branching rules in both filter and mangle tables; in mangle table it always uses chains PREROUTING, INPUT, OUTPUT and FORWARD. * PolicyCompiler_ipt.cpp (processNext): fixed bug #1534423 "2.1.5, mark action rules in branches". Added checkbox "Mark packets in PREROUTING chain" to the action "Tag" for iptables. Compiler places rule into PREROUTING chain when this parameter is activated. 2006-08-18 vadim * PolicyCompiler_ipt.cpp (compile): working on bug #1534423 "2.1.5, mark action rules in branches". Branch rules with action Tag go into mangle table. 2006-08-17 vadim * gui.cw: this file is used by QT to save descriptions of custom widgets * ObjectManipulator.h: added bunch of missing virtual destructors to various classes 2006-08-10 Vadim * ConfirmDeleteObjectDialog.cpp (ConfirmDeleteObjectDialog): completed implementation of feature request #1116454: "Where Used Option". When the user tries to delete an object from the tree, the GUI presents a list of groups and firewall rules where this object is used. 
2006-08-09 Vadim * instDialog.cpp (findFirewalls): main menu item 'Compile' and corresponding toolbar button activate compilation/installation for all firewalls in all libraries. This fixes bug #1531007: "no firewall in comp/inst dialog if standard library selected" * utils.h (findByObjectType): added parameter bool skip_system_libs. This method will skip libraries DELETED_LIB and TEMPLATE_LIB if this parameter is true (which is its default value). 2006-08-08 Vadim * ObjectEditor.cpp (validateAndClose): fixed bug (no num.): "Apply" button in the editor panel would not activate when user reopened an object after it was edited and then editor panel closed. 2006-08-08 Vadim * ObjectEditor.cpp (apply): fixed bug #1531020: "gui behaviour on object renaming". Changing name of the selected object in the editor updated it in the tree but not in the rule set view. * ActionsDialog.cpp (applyChanges): fixed bug #1531008: "gui behaviour improvements". Gui used to reset rule selection after user selected different object in the tree. 2006-08-05 Vadim * newFirewallDialog.cpp (newFirewallDialog): fixed bug #1525808: "fwbuilder21: Windows are too large ". One of the pages of the firewall creation druid was too large vertically, as the result whole druid would not fit on screens 1024x768 with standard font bigger than 18pt * FindWhereUsedWidget.h (class FindWhereUsedWidget): Feature request #1116454: "Where Used Option". Ilya implemented "Find Where Used" function which quickly finds and shows rules of all firewalls that utilize a given object. 2006-07-23 vadim * RuleSetView.cpp (copyRule): still debugging problems caused by QT w/o STL support. Also got rid of methods RuleSetView::isSrc, isDst, isSrv etc, makes code cleaner cause these methods violated data access boundaries in the class hierarchy. 
2006-07-22 vadim * FWObjectPropertiesFactory.cpp (getPolicyRuleOptions): fixes in bunch of places where code assumed QT is built with STL support 2006-07-20 vadim * PolicyCompiler_ipt_optimizer.cpp (processNext): checking if objects in srv are of the type TCPService or UDPService; if they are, treat srv as if it has one object even if there are several in it. This eliminates uncessesary rule splitting that optimizer used to do. * PolicyCompiler_ipt.cpp (compile): moved InterfacePolicyRulesWithOptimization further down the chain of rule processors to let other processors properly decide on chain for rules that are associated with multiple interfaces. Such rule is now treated as if it has one interface, and most of the chain and target decisions are made before the rule is split. When the rule is split in InterfacePolicyRulesWithOptimization, each part gets one interface from the original list. * PolicyCompiler_ipt.cpp (SrcNegation): all rule processors that work with negation reset "Interface" rule element in subrules they create except for the very first. * main.cpp (main): removed plays with styles on Mac, they proved unnecessary 2006-07-18 vadim * unit_tests.cpp (main): unit test for RCS module, currently only checks if rlog reading routing works right * RCS.cpp (RCS): trying to fix mysterious bug that causes RCS module to misinterpret RCS log in some cases and read modification date/time instead of the name of the user who apparently opened and locked the file. However in cases like that the file in fact is checked in and unlocked. Instead of reading rlog output line by line and using regex to parse each line separately, we now read the output in chunks using '------' as a separator. Each chunk corresponds to one revision and all regexps are written to work on the whole chunk instead of one line. 
2006-07-17 vadim * RuleSetView.cpp (paintCell): When user selects an object in the rule set, all references to the same object in other rules are highlighted by drawing thin red frame around them. Similarly, when an object is selected in the tree, all references to it in the currently visible ruleset are similarly highlighted. This helps enforce the notion that all instances of the object in rules are really references to the same object, as well as helps locate these references visually. 2006-07-12 vadim * FWWindow.cpp (exportLibraryTo): user choses libraries for export using spearate modal dialog instead of built-in panel in the file choosing dialog in the "File/Export Library" function 2006-07-11 vadim * FWWindow.cpp (FWWindow): FindObjectWidget is not a custom widget anymore - this is a workaround for QT bug #85440 : http://www.trolltech.com/developer/task-tracker/index_html?id=85440&method=entry 2006-07-09 vadim * ObjectTreeView.cpp (contentsMouseReleaseEvent): bugfix: the GUI used to switch object in the editor if user tried to open a different library and expand/collapse subtree in it. It should not do this, expading/collapsing subtrees should not cause object switch in the editor. 2006-06-30 vadim * RuleSetView.cpp (paintCell): highlighting whole table cell for rule options/actions/directions/etc when corresponding rule element is selected. * Added title bar with icon and object type name to dialog panels for all object types 2006-06-25 vadim * PrefsDialog.cpp (PrefsDialog): removed "Data format" tab from the Preferences dialog. Option that turns off saving standard objects in every users data file was on by default for a long time, now it is time to remove the GUI control all together. * FWBSettings.h: using macro SETTINGS_PATH_PREFIX to define path prefix for settings. 
This makes it easier to change the prefix when new version is introduced 2006-06-23 vadim * DiscoveryDruid.cpp (): using QDns to get host names for discovered ip addresses instead of our own DNS methods 2006-06-21 vadim * NATCompiler_pf_writers.cpp (_printPort): fixed bug #1509411: "FWB does not build correct PF RDR port ranges". RDR rules should support port ranges in the RHS of "->" * qmake.inc.in: Passing CXXFLAGS from environment to the build process. Fedora engineers had to add a hack to their .spec file to do this, this change makes their hack unnecessary 2006-06-17 vadim * PolicyCompiler_pf_writers.cpp (_printRouteOptions): implemented spport for action Route for PF 2006-06-15 vadim * ObjectTreeView.cpp (contentsMouseReleaseEvent): fixed selection of multiple objects in the tree and interaction with editor. 2006-06-14 vadim * PolicyCompiler_ipt.cpp (processNext): implemented support for action Route for iptables 2006-06-13 vadim * RuleSetView.cpp (openObjectInTree): selecting object in a rule automatically opens it in the tree (both when editor opened and when it is closed) 2006-06-11 vadim * FWWindow.cpp (requestEditorOwnership): moved all the logic controlling switching between objects whith editor open to this method of FWWindow, this significantly simplifies other classes. Now we can properly process situations when user opens an object in a rule, edits it and then tries to open an object in the tree for editing. This also works in other situations when object with unsaved changes is opened in the editor and user tries to switch to another one, possibly in a different panel or widget. Still need to explore ways to maintain synchronized object highlighting in the tree and in rules. 
2006-06-06 vadim * RuleSetView.cpp (maybeTip): directions are represented only by icons with no text; added tooltip for directions * ObjectEditor.cpp (validateAndSave): cleanup in ObjectEditor class - reusing method validateAndSave in methods close, validateAndClose * FirewallDialog.cpp (loadFWObject): "snmp" tab of the firewall object dialog has been deprecated 2006-06-04 vadim * RuleSetView.cpp (revealObjectInTree): change in the GUI behavior: - selection in the tree and ruleset are mutually exclusive, that is selecting an object in ruleset turn selection off in the tree and vice versa. Added menu item "Reveal in tree" to the context menu that appears when user clicks right mouse button on an object in ruleset. * PolicyCompiler_ipt.cpp (processNext): Added support for CONNMARK as an option for rules with action Tag. If a checkbox "Mark connections created by packets that match this rule" in rule options of a rule with action Tag is checked, compiler adds iptables command to save mark set by the Tag action into connmark module, and then adds another command at the beginning of the policy to restore it. 2006-06-03 vadim * ActionsDialog.cpp (setRule): New rule action: "Route", to be mapped to ROUTE target for iptables and 'route' option for pf and ipf 2006-05-31 vadim * RuleSetView.cpp (paintCell): When a group is opened in the editor, an object can be highlighted there which is different from the object highlighted in rules. Using alternatie color to highlight object in rules when user switches keyboard focus to the editor panel. This helps avoid confusion caused by identical look of objects highlighted in rules and group view. Currently using QColorGroup::midlight() to get color for when ruleset widget has no focus. This is probably incorrect because color should change when widget's colorGroup() changes from active to normal. Using midlight color may lead to incorrect results if QT theme does not define this color properly. 
2006-05-25 vadim * ObjectManipulator.cpp (edit): GUI opens objects in the editor panel on single mouse click on an object in the tree if editor panel is opened. If it is closed, click just changes selection in the tree. Drag and drop works because object is opened in the editor on mouse release. Similarly, if user navigates in the tree using keyboard, object is opened in the editor on keyReleased event. Multiple selection works both by mouse and by keyboard. 2006-05-20 vadim * PolicyCompiler_pf.cpp (swapAddressTableObjectsInRE): AddressTable objects are converted to PF tables with the name of the object in both run-time and compile-time mode. This is so only for PF because other compilers simply expand compile-time AddressTable objects as a group of addresses (and lose its name in the process). Administrator can use compile-time AddressTable object to create tables with names known beforehand. In the future these tables can be used with 'overflow' rule option that updates tables automatically. * TableFactory.cpp (init): implemented persistent tables in compiler for PF: compiler maintains list of tables it creates between passes for NAT and policy rules. This reduces duplication if the same tables need to be created for both policy and NAT rules. Tables for branched rule sets (anchors) are generated separately and may duplicate those in the main rule set (although their name is different). 2006-05-16 vadim * PolicyCompiler_pf.cpp (processMultiAddressObjectsInRE): DNSName object now inherits MultiAddress, this allows for DNSName to be expanded into multiple addresses at compile time. Run time support hasn't changed because most fw platforms automatically expand domain name into all IP addresses defined as DNS A records for this name. 2006-05-14 vadim * FWWindow.cpp (unselectRules): rule set should lose focus when object editor is opened in a panel. Object shown in the editor is highlighted in the tree anyway. 
This works better during search when "find next" finds object in the tree * NATCompiler_PrintRule.cpp (processNext): fixed bug #1476797: "ipt NETMAP, POSTROUTING** chain --to problem with multiple network targets". * PolicyCompiler_PrintRule.cpp (_printModules): Added support for hashlimit module for iptables (with an option for older systems where the same module is called dstlimit) 2006-05-13 vadim * PolicyCompiler_PrintRule.cpp (_printModules): added support for connlimit module for iptables 2006-05-12 vadim * RuleOptionsDialog.cpp (loadFWObject): added input fieds for iptables module "connlimit" * Many dialogs: converting all object, rule options and actions editors from pop-up dialogs to built-in panels. 2006-05-07 vadim * PrefsDialog.cpp (accept): removed entry field for scp, it is not used by the installer. Cleaned up in all places where we check if path to ssh is configured to make sure installer can use it. * TableFactory.cpp (createTablesForRE): names for tables that go into an anchor have anchor name prepended to them as a prefix to ensure global uniqueness. One side effect of this is that AddressTable objects can only be used either in global rules or in an anchor, but not in both at the same time because the name of the table created for such object follows the name of the object and hence appears the same in the main rule set and in the anchor. 2006-05-06 vadim * pf.cpp (main): Added support for branching rules for PF, imlpemented via anchors. Rules defined in branches are stored in separate .conf files and loaded by the .fw file using pfctl -a -f Anchor rule files are also added to manifest in the .fw file to make sure the built-in installer will copy them to the firewall. * PolicyCompiler_ipt.cpp (processNext): support for branching rules for iptables (via user-ddefined chain, chain name is specified as action parameter for action 'Chain') * FWWindow.cpp (reopenFirewall): added support for policy branches. 
Setting rule action to "Chain" or "Anchor" (depending on platform) creates additional tab with a policy rule set. These rules represent a branch in the policy, implemented by means of a user-defined chain for iptables and anchor for pf. Chain or anchor name is set as action parameter through standard action options dialog. * FWWindow.cpp (fileSaveAs): fixed bug #1424880: "Save As" works incorrectly. "Save As" works as follows: * a new file is created with the name provided by user, this file captures the state of the object database as of the moment when user executed 'Save As' operation. * if the old file was not in RCS, then any changes made to it since it was saved to disk last time are lost. In other words, next time user opens the old file, its content will be as it was when it was saved to disk last time before using 'Save As' operation * if the old file was in RCS, then it is reverted to the head revision in RCS * fixed bug #1434321: firewall name heading incorrect after duplicate. After a firewall object is duplicated, the name of the new object as shown in the tree and in pull-down list of firewalls was incorrect. * ActionsDialog.cpp (setRule): Added GUI support for action 'Branch' (represented as 'Chain' for iptables and 'Anchor' for pf) 2006-04-30 vadim * platforms.cpp (getActionNameForPlatform): remapping names of some new actions depending on the target firewall platform. For example, action "Tag" appears as "Tag" for PF and as "Mark" for iptables. Also remapping name for actions Pipe and Accounting. This should help adoption of the new actions by people who are familiar with corresponding features of the target firewall platforms. Name mapping is done only for presentation; all internal references to actions use their abstract internal names both in the GUI and in all compilers. 2006-04-30 * PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed bug #1464806: "Global custom log prefix not applied to built in options". 
Autogenerated rule that blocks packets matching INVALID state will use globally set custom logging prefix. "-1" is used for the rule number; macro "%C" is replaced with the chain name "drop_invalid" * NATCompiler_pf_writers.cpp (processNext): fixed bug #1407328: "NAT / RDR Exception PF problem". "no nat" rule in PF can translate either into 'no nat' or 'no rdr', depending on what the user really needs to achieve. There is no way fwbuilder can guess right by just analysing this single rule, so it will generate both variants. 2006-04-23 vadim * SSHSession.h: fix for bug #1455772 did not work on windows where QProcess added '\0' to each line of the stream passed to the ssh client. On Unix we run fwbuilder as a wrapper for ssh client and can intercept and filter these characters but on windows we do not use wrapper and can't fix the problem that way. Better fix is to avoid QString (and therefore conversions UTF8 <-> Unicode) all together. Changed last parameter for constructor of SSHSession and derived classes from QStringList to list. Now instDialog reads script as sequence of bytes and does not convert it to Unicode, then passes to the ssh client via SSHSession as-is. In principle, this alleviates the need in the hack in main.cpp but I leave it there just in case. (Forward ported from 2.0.12) 2006-04-23 vadim * pixAdvancedDialog.cpp (displayCommands): changed title of the tab where user controls protocol inspectors from "Fixup" to "Inspect". Added a button to show commands that will be generated by the compiler for a current combination of inspector configuration, this button calls policy compiler fwb_pix and feeds XML to it via standard input. Doing this automatically every time user touches something in the inspector control widgets may be slow on underpowered machines or when the data tree is very large because the GUI needs to start external process, which reads and parses the whole XML file. 
2006-04-22 vadim * pixAdvancedDialog.cpp (pixAdvancedDialog): calling fwb_pix to generate protocol inspection commands. Need to implement saving into a buffer in FWObjectDatabase to make this work. 2006-04-19 ilya * FWWindow.cpp (singleInstall): batch compile and intsall operations are possible when user selects several firewalls in the tree and uses context menu items "Compile" and "install". Selected firewalls are automatically checked in the batch install dialog. * FirewallDialog.cpp (loadFWObject): support for attribute "inactive" in Firewall. Inactive firewalls are not picked for batch compile and install operations. 2006-04-10 vadim * NATCompiler_ipf.cpp (processNext), ipfAdvancedDialog.cpp (ipfAdvancedDialog): Added support for PPTP and IRC proxies for ipfilter 2006-04-07 ilya * instDialog.cpp (selected): implemented batch compile and batch install modes. Requires some work to polish the UI but basic functionality works 2006-03-26 vadim * OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers): fixed bug#1364060: "conntrack modules not found". The name of the 'conntrack' module in Linux 2.6 is 'ip_conntrack.ko' and 'ipt_conntack.ko'. Changed shell pattern to match new modules as well as old ones. * linux24.xml.in: made "chmod +x" part of the sequence that copieswall script to make the script is executable. This fixed bug #1455748: "make firewall script executable" * main.cpp (main): it appears some older versions of Qt have a bug referred to in the following article: http://lists.trolltech.com/qt-interest/2004-10/thread00024-0.html This bug causes '\0' to be appended to strings passed to/from QProcess if they are converted to/from utf-8. Added workaround in the ssh wrapper code to skip zeros. 
In combination with converting config file strings from/to utf-8 this fixes bug #1455772: "Problem with UTF8 Descriptions in FW Objects" * instDialog.cpp (initiateCopy): need to convert strings of the config file from utf-8 in order to be able to use methods of QString to process them. Strings are converted back to utf-8 right before they are sent to the background ssh process to be copied to the firewall in SSHSession::sendLine() 2006-03-22 vadim * PolicyCompiler_ipt.cpp (prolog): switched from Compiler::objcache to object index in FWObjectDatabase. Replaced calls to Compiler::getCachedObject with calls to FWReference::getPointer() everywhere 2006-03-20 vadim * ipf.cpp, ipt.cpp, pf.cpp, ipfw.cpp (main): added call to Preprocessor::compile() to convert DNSName and AddressTable objects before rule processing starts 2006-03-18 vadim * OSConfigurator_solaris.cpp (printPathForAllTools): fixed bug #1393004: "Solaris does not have "egrep -q". Since egrep shipped with Solaris does not have option '-q', using '-s' * ipf.cpp (main): fixed bug #1386226: "generated -nat.conf is not removed when nat rules removed.". Old fw-nat.conf was left in place when user deleted all NAT rules (the new one was not created either). Now compiler deletes *-ipf.conf and *-nat.conf files before creating new ones, also installer gets correct list of files to read. * PolicyCompiler_PrintRule.cpp (PolicyRuleToString): fixed bug #1375432: "fwb_ipt with twice -m state". Compiler used to generate options "-m state --state XYZ" twice in a situation when administrator uses custom service that already includes this code and rule is not stateless. 2006-03-15 ilya * ObjectManipulator.cpp (findFirewallsForObject): Using method findWhereUSed to find firewalls that require compile/install after an object is modified. 2006-03-15 vadim * ObjectManipulator.cpp (_findWhereUsed): generic recursive method that finds all groups and rules that use an object. 
2006-03-10 ilya * ObjectManipulator.cpp (contextMenu): added temporary pop-up menu item 'simulate Install' for testing. * ObjectManipulator.cpp (__Is_Object_Ref_In_Firewall): added support for detection of firewall objects that require compile and install after any object in the tree is modified. The code keeps track of changes made to firewall's policy rules, as well as changes in all objects in the tree. After the user applies changes in an object editor, the program inspects every firewall trying to determine if the object is used in one of its rules. When one or more firewalls using this object are found, corresponding items in the tree are highlighted. Indirect usage, such as if the object is a member of a group that is used in a rule, is also detected. Multi-level group membership is detected too. 2006-03-07 vadim * All compilers: compiler prints only one 'success' message at the and of processing instead of after each section (policy, NAT etc). This makes it easier to keep track of its progress and is less confusing if it runs in a silent mode and takes a long time to process one section. Before, when it printed "Rules compiled successfully" after each section, the user could interpret this message as if compiler was done, while in fact it was still working on the next section 2006-03-06 vadim * PolicyCompiler_ipt.cpp (removeFW): restored rule processor that removes firewall object from src or dst to simplify rule if it uses OUTPUT or INPUT chain. Doing this only if original rule did not have negation and we do not add any virtual addresses for NAT. After removal the rule collapses to a simple command like this: iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT this works fine except if we have added virtual addresses for NAT. It is assumed that firewall object in rules represents combination of addresses configured in its interfaces in the GUI. 
Virtual addresses added for NAT are considered to be a side effect and connections should not be implicitly permitted to them by a rule with fw object in destination. The same applies to fw object in source. See bug #685947 for discussion. To avoid inadvertently opening holes in the firewall by a rule like that, we remove fw object only when it is safe to do so. 2006-03-05 vadim * PolicyCompiler_ipt.cpp (decideOnChainForClassify): setting chain to POSTROUTING for rules with action Classify. Also added checks for this action in all rule processors that split rules in order to assign them to INPUT/OUTPUT/FORWARD chains later because this is not needed for this action (since only one chain is allowed anyway) * PolicyCompiler_PrintRule.cpp (_printDstService): added checks for iptables version "1.3.0" * PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface): added support for physdev module for bridging firewalls. This module is used if interface a rule is associated with is marked as bridge port and iptables version is set to 1.3.0 or later in the firewall settings. Feature Request #1000757: "bridging: using physdev" * All compilers: by default treating bridge port interfaces the same as unnumbered interfaces, unless target firewall platform provides special support for bridge ports, such as module 'physdev' in iptables * InterfaceDialog.cpp (loadFWObject): added support for bridge port interface 2006-03-04 vadim * fwbedit.cpp (main), fwblookup.cpp (main): using global variable instead of singleton FWObjectDatabase::db. FWObjectDatabase::db is not used in fwbuilder2 anywhere and can be eliminated. * FWObjectClipboard.cpp (add): must create new objects using current instance of FWObjectDatabase because it maintains internal object index. 
Replacing FWObjectDatabase::db with mw->db() to accomplish that * getting rid of singleton FWObjectDatabase::db in the GUI - replacing it everywhere with mw->db() 2006-02-28 Vadim * FWObjectPropertiesFactory.cpp (getObjectProperties): printing firewall's lastModified, lastCompiled and lastInstalled timestamps in the info window and in tooltips 2006-02-26 ilya * ObjectManipulator.cpp (updateLastModifiedTimestamp): added methods to keep timestamps for the moments when a Firewall has been modified, compiled and installed. Using these timestamps to provide visual indication for when a firewall needs to be installed using bold font for its name in the tree view. Will use the same mechanism to automatically suggest which firewalls to install when user hits "Install" menu item or toolbar button. Still need to implement object modification tracking to properly detect which firewall needs to be marked when an object is modified (an object can be used in a firewall rule directly or indirectly if it is a member of a group) 2006-02-19 vadim * FWWindow.cpp (reopenFirewall): the GUI shows "Routing" tab only if the corresponding policy compiler for a give host OS supports it. Using element in the res/os/OS.xml resource file. * FirewallDialog.cpp (fillVersion): fixed a bug where firewall versions would appear in a mixed order in the 'version' pull-down in firewall object dialog 2006-02-18 vadim * Added support for load balancing rules in PF * Added support for address ranges and network objects in TSrc in NAT rules for PF * Added support for pool types in NAT rules for PF ('bitmask', 'random', 'source-hash', 'round-robin') as well as 'static-port' option * PolicyCompiler_ipf_writers.cpp (_printAction): basic support for Custom action for ipfilter. Lack of examples for actions 'auth' and 'call' in ipfilter documentation or anywhere on the web makes it hard to implement right. 
* PolicyCompiler_ipfw_writers.cpp (_printAction): Added support for policy rule action Custom for ipfw * PolicyCompiler_ipfw_writers.cpp (_printAction): Fwbuilder policy rule action 'Classify' is mapped to ipfw actions 'pipe' or 'queue'. Fwbuilder policy rule action 'Pipe' is mapped to ipfw action 'divert' 2006-02-17 ilya * execDialog.cpp (saveLog): Added a button and function to save compile or install progress log to a file with extension .txt * killed startup wizard; the GUI starts accordingly to the setting on the first page of the Preferences dialog - it can either start up showing just standard objects library or automatically open file the user was editing last time the GUI was used. * object created using "Duplicate" menu item is automatically activated and opened in the editor 2006-02-15 vadim * PolicyCompiler_pf_writers.cpp (_printQueue): implemented support for action 'Classify' in compiler for PF, mapped to a filtering rule option 'queue _queue_name_' * PolicyCompiler_PrintRule.cpp (PrintRule): implemented support for actions 'Classify' and 'Custom' in compiler for iptables. Action 'Classify' is mapped to '-j CLASSIFY --set-class M:N'; action 'Custom' is used verbatim 2006-02-15 ilya * :version 2.1.5 * :Added new Actions 'Classify' and 'Custom'. * :Added new dialog NATRuleOptionsDialog. * RuleSetView: In NATView inserted new column "Options" for viewing of Nat Rule Options. 
2006-02-11 ilya * DiscoveryDruid.cpp (checkSNMPCommunity): unified method to check validity of the host name/ip address for dns name server used for zone transfer and seed host used for snmp crawler 2006-02-09 vadim * PolicyCompiler_pf_writers.cpp (_printDstService): added support for the TagService object (using 'tagged') * PolicyCompiler_PrintRule.cpp (_printDstService): added support for the TagService service object (using --mark) 2006-02-09 ilya * DiscoveryDruid.cpp (DiscoveryDruid): improvements in the implementation of the address and name validity for snmp crawler seed host and dns server for dns zone import. Implemented support for IP aliases in snmp crawler 2006-02-05 ilya * DiscoveryDruid.cpp (save): saving/restoring parameters of the DiscoveryDruid between sessions 2006-01-27 ilya * DiscoveryDruid.cpp (changedSelected): proper implementation of long/short name generation for dns zone import; proper checks for correctness of the seed host address for snmp crawler; showing number of interfaces in discovered hosts on the results page 2006-01-21 vadim * gui.pro (IMAGES): grand icons clean-up and update. Removed old unused icons and images, added new icon theme by Irina Filvarova 2006-01-20 ilya * DiscoveryDruid.cpp (changedSelected): working version of discovey druid. Got rid of all calls to setModal, hence workarounds defined in qt_workarounds.h are not needed anymore 2006-01-16 vadim * DiscoveryDruid.cpp (stripObjects): minor formatting cleanup in DiscoveryDruid; fixed typos in DiscoveryDruid ('wasCanceled' -> 'wasCancelled'); refactored #includes to improve compilation speed in DiscoveryDruid * DiscoveryDruid.cpp: had to move '#include "DiscoveryDruid.h"' below all qt #include's to make code compile on windows. 
When this #include was above qt includes, compiler would stop with an error: ------------------------------------------------------------ C:\Qt\3.3.1\include\qlistbox.h(139) : warning C4003: not enough actual parameter s for macro 'index' C:\Qt\3.3.1\include\qlistbox.h(139) : error C2059: syntax error : ')' C:\Qt\3.3.1\include\qlistbox.h(139) : error C2143: syntax error : missing ')' be fore ';' ------------------------------------------------------------ I haven't figured out where the 'index' macro comes from * discoverydruid_q.ui.h: added workarounds for missing QDialog::setModal in QT 3.1 * FWWindow.cpp (doCompile): since we now package platform and os resource files with externally packaged compilers, we do not need to use "-r" flag while calling compilers anymore 2006-01-10 ilya * DiscoveryDruid.cpp (startHostsScan): implemented object import from a file in "/etc/hosts" format. This includes a druid page where the user selects objects from the list, a page where they can assign object type for each record and a page where they choose a library new objects should be part of 2006-01-07 vadim * PolicyCompiler_ipfw_writers.cpp (_printAction): support for action Pipe in ipfw. This action can be implemented using "divert", "pipe" or "queue" rule actions in ipfw; the method is chosen using rule action parameters dialog in the GUI. * ActionsDialog.cpp (setRule): support for action Pipe for ipfw in the GUI. * PolicyCompiler_pf_writers.cpp (_printAction): added support for Tag action for PF 2006-01-03 vadim * ipt.cpp (main): implemented checks for the situation when compiler produces an empty script. In such cases we avoid printing any header or commit commands (such as '*mangle' and 'COMMIT' if iptables-restore format is used) * PolicyCompiler_ipt.cpp (processNext): implemented support for QUEUE target in compiler for iptables. 
Commands with this target are generated for fwbuilder rules with action "Pipe" * MangleTableCompiler_ipt.h: Implemented support for MARK target for iptables. Iptables commands with target MARK are generated for fwbuilder rules using action "Tag". Rules are placed in INPUT,OUTPUT and FORWARD chain of the "mangle" table, this ensures that DNAT happens before rules placed in the mangle table see the packet. PREROUTING chain in mangle table is executed before PREROUTING chain in the nat table, so placing tagging rules in the PREROUTING chain would make them fire before DNAT. POSTROUTING chain of the mangle table, as well as its FORWARD and OUTPUT chains, work before corresponding chains of the nat table. In all cases the goal is to make sure DNAT rules process the packet before, and SNAT rules process it after filtering and tagging rules. * AddressTableDialog.cpp (preview): AddressTable dialog "preview" function looks for the table file in the same directory as currently opened data file if file name is entered as relative path 2005-12-16 ilya * FWObjectPropertiesFactory.cpp : For objects of type 'interface' a path to library is included in "detailed properties". * FWWindow.cpp : Added new menu "/tools/Discovery Druid" * DiscoveryDruid.cpp : Created basic gui for Discovery druid 2005-12-16 ilya * SimpleTextView.cpp: new custom text viewer. * AddressTableDialog.cpp: file preview uses SimpleTextView. * newfirewalldialog_q.ui: Dialog size fixed (now all internal widgets are visible) * fwbedit.cpp : fixed run with unknown options. Added a new option: -u - interactive file upgrade 2005-12-14 ilya * Added detailed tooltips for rule options for all fw platforms * Redrawing policy view if user changes firewall version; this ensures that icon that indicates non-default rule options is correctly updated in case different versions of the same fw platform support different combinations of rule options. * Redesigned page of the new host dialog where user adds interfaces manually. 
Before, buttons "add","Update","remove" were hidden because the dialog was too small. 2005-12-13 vadim * po.pro: Added Swedish translation made by Daniel Nylander 2005-12-13 ilya * RuleSetView.cpp (maybeTip): added tooltips for rule elements Action and Options 2005-12-02 vadim * NATCompiler_ipf.cpp (processNext): Run-time AddressTable objects are not supported in ipfilter; added a placeholder for corresponding rule processors, aborting compilation when such object is detected in a rule * OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #1361564: "Prolog script env settings unavailable". Need to define env variables IPTABLES, LSMOD etc before prolog. (OSConfigurator_linux24::printChecksForRunTimeAddressTables): compiler for iptables inserts shell code to ensure that data files used in run-time AddressTable objects are present before firewall policy is activated. * PolicyCompiler_PrintRule.cpp (processNext): implemented run-time mode for AddressTable object in compiler for iptables. Current implementation *does not* emulate dynamic table reloads as can be done for PF using "pfctl -t table -Treplace" command. The whole policy script must be run again if the data file the AddressTable object refers to changes. Current implementation does not allow comments in the data file 2005-12-01 ilya * version 2.1.4 * new object type TagService Actions 'Mark' and 'Queue' renamed as 'Tag' and 'Pipe' respectively. * fwbedit.cpp: added repair of a missing 'TagServices' group. * ActionsDialog.cpp: new actions control dialog * RuleSetView.cpp: changed actions context menu to use new parameters dialog (support of actions with parameters). 2005-11-24 vadim * PolicyCompiler_pf.cpp (processNext): added support for run-time AddressTable objects for PF. 
* PolicyCompiler_pf (PrintRule::_printAddr) * TableFactory.cpp (TableFactory::PrintTables): support for DNSName run-time mode in compiler for pf, ipfw and ipf * PolicyCompiler_PrintRule.cpp (_printAddr): support for DNSName run-time mode in compiler for iptables 2005-11-23 Vadim * AddressTable object dialog 2005-11-22 vadim * TableFactory.cpp (createTablesForRE): class TableFactory reuses existing tables separately for NAT and policy rules. Reuse of tables created for NAT in the policy rules is difficult because tables themselves are created in the temporary copy of the tree in the NAT compiler (the same applies to the objects - members of the tables) 2005-11-21 vadim * NATCompiler_pf_writers.cpp (_printAddr): Improvement in the compiler for PF: using '!' syntax for one-object negations * NATCompiler_pf.cpp (CeateTables): Improvement in the compiler for PF: Using tables for NAT rules * TableFactory.cpp (createTablesForRE): using the same class to generate tables for both policy and NAT rules for pf. Table names are composed using rule positions so that table names do not change between compiler runs (they used to change because they were created using rule IDs, which changed because compiler generated lots of copies of rules) 2005-11-14 Vadim * version 2.1.3 new object type DNSName using this method in Compiler::prolog to resolve DNSName objects that are supposed to be resolved at compile-time Redesigned RuleOptionsDialog to make room for new options Added actions MARK and QUEUE with basic support in API and GUI Added new object type AddressTable 2005-11-05 vadim * iptAdvancedDialog.cpp (iptAdvancedDialog): fixed bug #1349326 "ulogd option does not work". There was a typo in the class iptAdvancedDialog ( useULOG instead of use_ULOG ) *** Ported from 2.0.10 *** 2005-11-01 vadim * NATCompiler_ipt.cpp (processNext): fixed bug #1342495: "SNAT with address range". 
Compiler used to print warning "Adding virtual addresses for NAT is not supported for address range" even if adding virtual addresses for NAT was turned off. *** Ported from 2.0.10 *** 2005-10-26 vadim * PolicyCompiler_ipt.cpp (processNext): fixed bug #1313420: "OUTPUT chain is built wrong under certain conditions." Rules that have firewall in SRC and DST, while DST has negation, should be split so that the second generated rule goes into OUTPUT chain rather than FORWARD *** Ported from 2.0.10 *** 2005-10-24 vadim * FirewallDialog.cpp (openFWDialog): fixed bug #1315892: "fwbuilder crashes on missing OS template" The GUI crashed if user added new hostOS or firewall platform template under resources/os or resources/platforms, then reinstalled the package (and therefore lost their custom template files), then tried to open firewall or host OS settings dialog for the object using new template. *** Ported from 2.0.10 *** * RuleOptionsDialog.cpp (loadFWObject): fixed bug #1305933: "fwbuilder/Solaris: compilation errors". Another case of implicit type conversion QString->string which does not compile on systems with QT built w/o STL support. *** Ported from 2.0.10 *** * main.cpp: fixed bug #1304878: fwbuilder: signal.h required (Solaris). Using 'AC_CHECK_HEADERS([signal.h])' in configure.in to check for the appropriate #include. *** Ported from 2.0.10 *** * configure.in: fixed bug #1304764: "configure script: Sun make check fails". Need to use ${MAKE-make} instead of $ac_make when checking for GNU make. *** Ported from 2.0.10 *** * fixed bug #1304785: "fwbuilder - Solaris has no libutil". Using better way to check whether we need to link with libutil. *** Ported from 2.0.10 *** 2005-10-22 vadim * VERSION: set version to 2.0.10 in branch fwb2-2.0-maint 2005-09-29 Vadim * PolicyCompiler_ipt.cpp (InterfacePolicyRulesWithOptimization): new rule processor: checks if the rule is associated with an interface and uses setInterfaceId to record its id. 
If the rule is associated with multiple interfaces, splits the rule accordingly. Unlike basic processor PolicyCompiler::InterfacePolicyrules, this processor tries to optimize rules applied to multiple interfaces using user-defined chain ***** Policy compilers support multiple interfaces and negation in "Interface" rule element 2005-09-28 Vadim * RuleSetView.cpp (paintCell): merged interface policies with global policy. Keeping most of the code that implements interface policy tabs just in case. * set version to 2.1.2 2005-09-26 Vadim * RoutingRuleOptionsDialog.cpp (loadFWObject): Added support for routing rules. Using "fwbuilder-routing" patch provided by Tidei Maurizio * set version to 2.1.1 * ObjectManipulator.cpp (createObject),(newDNSName), newHostDialog.cpp (accept): added checks for broken object tree 2005-09-20 * DNSNameDialog.cpp (loadFWObject): new object type: DNSName (Illiya) 2005-09-17 * 2.0.9 release in branch fwb2-2.0-maint 2005-09-12 * fwsm.xml.in: Added support for Cisco FWSM (platform and host OS) * pixAdvancedDialog.cpp (pixAdvancedDialog): Added support for manual ACL commit in FWSM 2005-09-11 * SSHPIX.cpp (SSHPIX): enable_prompt should include string "Access Rules Download Complete" which is _sometimes_ printed by FWSM when in auto-commit mode. 2005-09-07 * ObjectManipulator.cpp (lockObject): Added ability to lock/unlock individual objects in the tree (Illiya) * GroupObjectDialog.cpp (listViewSelectionChanged): Illiya implemented Feature Req #1151208: "Allow multiple objects select to make an action (Group)" 2005-09-07 * SSHSession.cpp (cmpPrompt): overloaded method SSHSession::cmpPrompt to be able to specify prompt as a regular expression. This variant is very convenient for PIX prompts. 2005-09-05 * fixed bug #1254775: "RCS checkin fails on Windows when data file is too big". RCS tools failed to check the file in if it consisted of one huge line of text. 
This fix makes the GUI save the data file (.fwb) in formatted form on Windows, just like on Linux. This means each XML element is saved on a separate line instead of all of them being on the same line. 2005-09-04 * NATCompiler_pf.cpp (processNext): fixed bug #1276083: "Destination NAT rules". Old restriction on "rdr" rules that required service in OSrv is not valid anymore, pf supports rdr rules with no protocol specification. (ported from 2.0.9) 2005-09-04 Vadim Kurland * FWWindow.cpp (fileCommit): properly handling situation when user hits Cancel in check-in log dialog (should abort File/Commit operation entirely) * main.cpp (main): added a workaround to make the GUI work in Spanish locale (QT 3.3.4 ships with broken qt_es.qm file at least on Fedora-C4 and Mac OS X) 2005-08-31 * SSHUnx.cpp (stateMachine): fixed bug #1277129: "script is truncated when installed by the GUI running on Mac". Large script was getting truncated while copied to the firewall if GUI was running on Mac OS X (bugfix ported from 2.0.9) 2005-08-17 * fwbedit.cpp (usage): Finished implementation of RFE #1211612 "fwbedit - add object?". Using "-p","-L","n" and "-o" command line switches to specify parent, library, name and attributes of an object 2005-08-04 * fwbedit.cpp (main): Illiya is working on RFE #1211612: "fwbedit - add object?" and #1114501: "Data file repair". Fwbedit can now add objects as well as repair tree structure. Still needs some more work. 2005-07-31 * LINGUAS: Added Spanish translation, thanks to Carlos Lozano 2005-07-30 * Started v2.1.0 2005-07-30 * FWWindow.cpp (fileCommit): Illya implemented Feature Request #1187461 "Add "commit" menu item". This menu item commits opened data file to RCS but keeps it opened so the user can continue editing. 
2005-07-29 * FWWindowPrint.cpp (addObjectsToTable): Illiya implemented Feature Request #1225393 "FeatureRequest Print comments on objects" 2005-07-23 * RuleSetView.cpp (dragMoveEvent): Illiya fixed bug #1226069: "Segfault: Drag&Drop between two instances" 2005-07-21 * platforms.cpp (getLogFacilities): Illiya moved definitions of log levels, log facilities and actions on reject to module platforms.cpp. Methods getLogLevel, getLogFacilities and getActionsOnReject return string lists suitable for using with DialogData to provide mapping between localized and English strings so that the user sees translated ones but English ones are written into FWOptions object and used by compilers. This fixes bugs #1240205: "Iilegal --log-level Information" and #1233165: "Illegal Logging-Limit string.". 2005-07-08 v2.0.8 released 2005-07-05 * SSHSession.cpp (allDataSent): calling allDataSent from heartBeat slot method because on windows signal 'wroteToStdin' is emitted before I had a chance to connect it to a slot in SSHUnx::stateMachine in state PUSHING_CONFIG after entire file has been transmitted. I used to send an extra '\n' to force signal 'wroteToStdin', but that made the file slightly different on the receiving end and I do not like that. * RuleSetView.cpp (dragMoveEvent): not really a change: bug 1226069 "Segfault: Drag&Drop between two instances" requires redesign of the drag&drop mechanism so that live pointer to FWObject is not passed between sender and receiver. 2005-07-04 * SSHSession.cpp (startSession): fixed bug #1232478: "FWB shuts down on incorrect password". Bug was introduced in build 624 while working on installer stalls and undescriptive ssh termination error when OpenSSH 4.0 was used. 2005-07-02 Vadim Kurland * main.cpp (main): ignore SIGHUP in the child process in ssh wrapper. Closing stdin at the end of the file copy sends SIGHUP to the child. 
For some reason, this caused ssh to terminate with error message "killed by signal 1" and return code 255 on Fedora C4 which uses OpenSSH v4.0p1 2005-07-02 * main.cpp (tty_raw): switched from TCSAFLUSH to TCSANOW in call to tcsetattr when we switch tty to raw mode in ssh wrapper code. This should fix mysterious stalls in the installer that were introduced when I worked on the wrapper code to fix bug #1213361 (problems with file copies on FreeBSD 5.4) * instDialog.cpp (initiateCopy): added missing "-v" option to ssh call used to copy policy script to the firewall if "verbose" checkbox is checked. This should help troubleshoot problems with installer when ssh fails and terminates with an error. 2005-06-25 * configure.in: need to call macro AC_PROG_MAKE_SET before using $ac_make to check for GNU make * configure.in: added check for cfmakeraw (which is absent on Solaris) * configure.in: make script continue if forkpty is not found, the program will use emulation. 2005-06-13 * FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed): sorting list of objects for tooltips. Sorting is done by object name, alphabetically. TODO: use locale-aware sort and ignore case of the letters. 2005-06-12 * main.cpp (main): need to switch the pipe and stdin in the child process to raw mode in order to ensure proper communication when fwbuilder works in ssh wrapper mode. This (really) fixes bug #1213361 * configure.in: Added path to QT where it is installed on 64-bit systems to the list configure tries while searching for QT 2005-06-11 * PolicyCompiler_ipt.cpp (processNext): fixed bug #1215279: "rate limiting rule logs everything". Rule utilizing "limit" module to rate limit packets with logging logged every packet and dropped those that exceeded the limit. The fix makes it apply the limit first and then log only packets that were dropped. * main.cpp (forkpty): fixed bug #1072842: "fwbuilder: Solaris and forkpty". 
We need forkpty for the built-in installer but this function is not available on Solaris. I am adding a re-implementation, but it hasn't been tested since I do not have a Solaris machine. * FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed): fixed bug #1212179: "tool tips for TCP services cuts off some services". The gui would show very long tooltip for large groups; if the group was too large, the tooltip did not fit on the screen. * main.cpp (main): fixed bug #1213361: "PF on FreeBSD-5.4R". Bug description is misleading, the problem was caused by built-in installer rather than by compiler for PF. Installer would not copy generated script over ssh if the script was longer than some threshold and the gui was running on FreeBSD. 2005-06-05 * linux24.xml.in: fixed bug #1212121: "sudo shutdown doesn't work". Installer needs to schedule reboot when the user activates policy in a test mode. There was a bug in the installer script that improperly used sudo to run shutdown when installation was performed using regular user account. * linux24.xml.in: fixed bug #1212123: "executing file below /tmp as root". Avoiding world-writable directory /tmp/ while activating policy in the test mode. This change makes installer use subdirectory "tmp" under directory specified in the "Installer" tab of firewall settings dialog. That directory is expected to have proper permissions; subdirectory "tmp" can be created manually, otherwise installer creates it. Either way, it is not world-writable, so unauthorized users cannot create scripts in it. * freebsd.xml.in: Using pkill to find running shutdown process and kill it to cancel pending reboot. Pkill simplifies the scriptlet so we don't need to deal with output redirection etc. Pkill is available on FreeBSD, Linux, OpenBSD and Solaris. * linux24.xml.in: another fix for a bug #1201406: "shutdown messages should be suppressed". 
Scriptlet has been modified to make sure it works in both sh and csh (user who installs the policy may have tcsh as their login shell, root may use tcsh too) 2005-05-30 * src/res/os/*.xml.in: fixed bug #1201406: "shutdown messages should be suppressed". Installation scriptlet tries to kill shutdown process, if there is one, to cancel pending shutdown that might have been left over from test install. If there is none, the script prints an error message "shutdown process not found" or similar, which confuses user. Needed to suppress these error messages. * fixed bug #1155351: "Remote install of FW rulset fails due to race condition". Generated ipfw firewall script could not be run reliably over ssh session because "ipfw -f" flushes all rules and all state, which breaks ssh session. As soon as the script needed to print anything, it got I/O error from the system because TCP session for ssh was blocked; this stopped the script and did not let it activate new firewall policy. * PolicyCompiler_ipfw_writers.cpp (processNext): improvement in the compiler for ipfw: added "established" rule on top of the regular backup ssh access rule; this allows maintaining the management ssh session after the policy is reloaded. Both "ipfw -f" and swapping sets flush all state, so the ssh session used to upload and activate new policy breaks. A rule with "established" keyword maintains this session. * PolicyCompiler_ipfw_writers.cpp (processNext): improvement in the compiler for ipfw: using rule sets to atomically swap old and new rules. New rules are loaded in the set 1 and then swapped into set 0. If there is an error in a new rule set, it is caught while loading rules into inactive set 1, at which point script stops without changing old firewall rules. * PolicyCompiler_pf.cpp (addDefaultPolicyRule): implemented support for subnets for backup ssh access for pf,ipf,ipfw. 
Subnet can be defined using either full netmask or bitlength: both "192.168.1.0/255.255.255.0" and "192.168.1.0/24" are acceptable. Single host address works too, both as "192.168.1.10" and as "192.168.1.10/255.255.255.255" or "192.168.1.10/32". Incorrect address or netmask cause compiler to abort processing. 2005-05-28 * GroupDialog: fixed bug #1207983: "incorrect size of "I" and "L" buttons in the group view dialog". Tested with large font and cleaned up layout in many dialogs. * HostDialog.cpp (loadFWObject): removed 'snmp community' option from the Host object dialog - it was not used anywhere * ipt.cpp (main): fixed bug #1205665: "Error with summer time when compiling script". Sometimes timezone name has "'" in it which confuses shell and causes an error when generated script prints "Activating firewall policy..." log message * RCS.cpp (RCSEnvFix): fixed bug #1204067: "incorrect timezone handling in RCS". Windows version of RCS incorrectly converts check-in time when time zone is east of GMT. Had to use "-z" option on all RCS commands to explicitly set offset; "-zLT" produces wrong results in rlog. * fwb_compile_all (LIB): fixed bug #1200902: "fwb_compile_all does not work in 2.0". Script fwb_compile_all broke because of changes in data file format * PolicyCompiler_PrintRule.cpp (_printTimeInterval): fixed bug #191423: "Weekend Time restriction not created correctly". Rules with time restriction spanning from Saturday to Sunday were generated with incorrect "--day" option * objects_init.xml.in: fixed bug #210518: 'Incorrect ending day in the standard object "weekends"'. This object defined time interval ending at 23:59 on Monday instead of Sunday * implemented Feature Request #1145666: "Print RCS Log". File/Properties dialog can now print RCS log. Thanks to "Ilya V. Yalovoy" for the patch. 
2005-05-23 * added updated German translation by Hans Peter Dittler 2005-05-20 * set version to 2.0.8 2005-05-08 * v2.0.7 released 2005-05-04 * OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #1195201: "getaddr function return error ip address". Yet another change in the way we use grep to find IP addresses of an interface on Linux. We can't use regex (bug #1123748) and need to filter out secondary addresses from the "ip addr show" output. It looks like "grep -v :" neatly solves the problem without using regex. 2005-05-02 * snmp.cpp: API change: Compiled all OIDs. The program may run on a system where MIBs are not installed, so we can not always use symbolic OID names Also using snmp_out_toggle_options to turn numeric output in all responses (equivalent to -On in snmp tools) 2005-05-01 * snmp.cpp (walk): API changes: verbose error message, printing response->errstat code as well as corresponding error string; this should help debug snmp -related problems better * snmp.cpp (walk): API changes: using snmp_error to print last snmp error string 2005-04-27 * implemented support for SNMP operations in Windows packages * qmake.inc files overhaul 2005-04-26 * newFirewallDialog.cpp (getInterfacesViaSNMP): switched to using QT class DNS to get host/firewall name in new HostDialog and newFirewallDialog classes. This seems to work better on Windows. Also added more locks to prevent reentering getInterfacesViaSNMP if user clicks the button multiple times in quick succession 2005-04-23 * newFirewallDialog.cpp (accept): fixed bug #1187248: using "find" for an address "192.168.10*" several times after a firewall objects has been created using templates caused GUI to crash 2005-04-17 * findDialog.cpp (matchAttr): implemented feature request #1151206: "Search for IP Addresses". "Find" dialog searches for objects by a combination of name and one of the following attributes: address, tcp/udp port, ip protocol number or icmp message type. 
Regular expressions can be used for both name and attribute. * ObjectTreeView.cpp (getSimplifiedSelection): fixed bug #1151212: "Collapsed sub-objects shouldn't be added if they are hidden". When user selects multiple objects in the tree some of which have child objects, those child objects used to be also selected and added to groups in addition to their parent objects via drag-and-drop operation. * GroupObjectDialog.cpp (pasteObj): fixed bug #1184791: "can not copy/paste multiple objects into a group" * FWWindow.cpp (doCompile): implemented feature req. #1151220: "Close" button should change is caption/title to "Install". When user clicks "Install" toolbar button or main menu item, the "Close" button in the pop-up window that displays compiler progress changes its text caption to "Install" 2005-04-13 * PolicyCompiler_ipt.cpp (addPredefinedPolicyRules): fixed bug #1181359: "Missing traling space in "INVALID state" syslog message" 2005-04-10 * instDialog.cpp (continueRun): Improvement in built-in installer: user can specify additional command line parameters for ssh that built-in installer runs to access firewall. This allows for alternative ssh port or alternative ssh identity to be used when accessing firewall. Parameters can be added in the "Installer" tab of firewall settings dialog for all platforms. 2005-04-09 * ipt.cpp (main): fixed bug #1179103: 'compiled rules can not be install'. Generated iptables script could not be used on systems with non-English locale where timezone name used local characters because these characters were printed as hex ( "台" ) and '&' caused problems with shell. Now using single quotes to make shell ignore any characters in the string. Will deal with proper printing of localazed timezone later. 2005-04-07 * OSConfigurator_freebsd.cpp (printPathForAllTools): function getaddr() falls back to 0.0.0.0/32 if dynamic interface has not been assigned an address yet or is down. 
Ipfilter policy using run-time substitution of dynamic interface addresses will be functional even if these interfaces are down or do not have IP address. 2005-04-05 * PolicyCompiler_PrintRule.cpp (_flushAndSetDefaultPolicy): fixed bug #1176890: "block IPv6". Generated iptables script sets default policies to DROP in all ipv6 filter chains. More detailed control can be implemented using prolog or epilog scripts. 2005-04-03 * PolicyCompiler_pf.cpp (separateSrcPort): fixed bug #1176051: "incorrect rule generated for TCP service ftp-data". If a rule used several TCP or UDP service objects and one of them has source port range configured, generated PF filter rule incorrectly matched on a combination of that source port range _and_ destination port ranges from all other service objects. This bug affected compilers for OpenBSD PF and ipfilter 2005-03-31 * FWWindowPrint.cpp (filePrint): fixed bug #1155163: "print does not print group contents". The program printed only number of objects contained in object or service groups. Now it prints lists of member objects for all groups used in rules. If groups contain other groups, they are printed recursively. 2005-03-30 * objects_init.xml.in: fixed bug #1172620: "Add tcp service object for icslap". Added this object to the objects library "Standard". * FWWindow.cpp (info): fixed bug #1151243: "Maintain format of description text". The GUI ignored text formatting in object comment when displaying it in the info panel (lower left corner of the main windows) * FWOptions.cpp (toXML): API change: fixed bug #1173801: '"&" character in prolog/epilog'. Needed to call xmlEncodeSpecialChars to encode special characters in firewall options, so that characters such as '&' in prolog/epilog text are written as well-formed XML 2005-03-29 * ipf.cpp (printActivationCommandWithSubstitution): fixed bug #1173064: "support for dynamic interfaces in ipfilter". Actual address of dynamic interface is now determined at run-time in the policy activation script .fw generated by fwbuilder. 
If dynamic interface is used somewhere in the policy or nat rules, it will be replaced with its actual address by activation script before configuration is sent to ipf or ipnat for activation. This run-time substitution is done only if a checkbox is checked in the "Script options" tab of firewall settings dialog. Default behavior is to use "any". This is because ipfilter configuration files -ipf.conf and -nat.conf that rely on run-time substitution of dynamic interface address can not be loaded using standard activation scripts that come with FreeBSD. This also fixes another problem in fwb_ipf where it generated rdr and nat commands with address 0.0.0.0/32 if dynamic interface was used in a NAT rule. 2005-03-28 vadim * PolicyCompiler_PrintRule.cpp (_printMultiport): fixed bug #1160186: 'IPTables Compiler - Multiport Issue'. When 16 or 31 ports were used in a single rule, compiler generated command with conflicting options "-m multiport --dport" * NATCompiler_ipf.cpp (processNext): fixed bug #1173067: "support for port ranges in NAT rules (ipfilter)" - policy compiler for ipfilter should split DNAT rules (rdr) that use TCP or UDP objects with port ranges. A warning is issued if more than 20 rules are created. 2005-03-20 * utils.cpp (getFileDir): fixed bug #1157976: "patches to make fwbuilder compile under NetBSD 1.6". Applied patches. * newHostDialog.cpp (newHostDialog): fixed bug #1151219: "New Host creation window is not well dimensioned". Fixed wrong dialog page layout in the new host wizard. * OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #1123748: "busybox grep -E". Busybox in floppyfw is compiled without support for egrep (or grep -E). Switched to using "plain" grep. * InterfaceDialog.cpp (loadFWObject): fixed bug #1151052: "Not external interfaces marked as external". 
Dialog for an interface object that belongs to a host should not show checkbox "external (insecure) interface" * Tools.cpp: API change: fixed bug #1158870: "mutexes are not properly created on FreeBSD". Mutexes gethostbyname_mutex and gethostbyaddr_mutex were never created but used on OS where thread-safe resolver is not available. 2005-02-17 * v2.0.6 released 2005-02-17 * ipt.cpp (main): fixed bug #1123933 "iptables add_addr() expr binary not found". As it turns out, /usr/bin/ is not in PATH during boot time on Slackware. I added /usr/bin/ to PATH variable in generated iptables script. 2005-02-16 * OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #1123748 "busybox grep -E". Busybox does not support option "-E" with grep, however it has "egrep". 2005-02-12 * instDialog.cpp (instDialog): proper localization in the installer where it displays progress of the installation operation 2005-02-11 * main.cpp (main): Troubleshooting weird case of data file corruption during install * RCS.cpp (RCS): fixed bug #1120904: "GUI hangs when accessing RCS file". Improved parsing of rlog output. 2005-02-09 * utils.cpp (getUserName): working on bug #1118717: "fwbuilder 206 on Windows XP SP2: error checking out". Env variable USERNAME was not set in user's profile, which triggered this bug. Now using getuid to get user name on Unix and GetUserName on Windows. This should make the program more resilient for situations when environment variable LOGNAME or USERNAME is not set 2005-02-08 * ipt.cpp (main): Using getuid to read real user's ID on Unix 2005-02-07 * instDialog.cpp (continueRun): Fix for support request #1118039: "Error when Windows client calls plink -ssh". The problem is that putty ignores protocol and port specified in the session file if command line option -ssh is given. On the other hand, the sign of session usage is an empty user name, so we can check for that. 
If user name is empty, then putty will use current Windows account name to log in to the firewall and this is unlikely to work anyway. This seems to be a decent workaround. * printerStream.cpp (printQTable): further bugfixes in printing, in particular fixed a problem with partially greyed-out horizontal and vertical headers when ruleset was small enough to fit on the first page. 2005-02-05 * RuleSetView.cpp (selectionChanged): fixed bug #1030538: "incorrect highlighting when selecting multiple rules". This bug seems to be specific to Mac OS X * printerStream.cpp (printQTable): improvements in printing: - if a rule set does not fit on a single page, the program repeats table header on each page ("Source","Destination","Service" etc) - the program does not draw the whole rule set in memory anymore. Instead, it "scrolls" the table and only draws section that fits on a single page. This means we can now print really huge policies that can not be drawn as a whole because they exceed maximum coordinate value. Tested with a rule set that consists of 1200 rules which has size of 677x34884 pixels on my machine. 2005-02-03 * instDialog.cpp (selected): working on bug #1115412: "Problem installer FWbuilder 2.0.5 for Windows". Switched to command line option "-l" to specify user name for external ssh in installer. This was necessary because Van Dyke SecureCRT on Windows does not support user@host syntax. * instDialog.cpp: Installer verbose and quiet modes work as follows: - if quiet is off, verbose is off: prints everything that firewall script prints on stdout and stderr; does not add "-v" to calls to external ssh utilities - if quiet is off, verbose is on: adds "-v" to ssh command line - if quiet is on - supresses script output but still prints short messages to indicate when it copies files to the firewall and when it executes them 2005-02-01 * ObjectManipulator.cpp (delObj): slightly changed logic with user warnings in the object removal code. 
The program asks the user for confirmation if they remove an ordinary object from a regular library. Confirmation is not asked if object is removed from "Deleted objects" library or when a library is being deleted (in this case we ask a different question later anyway). This helps avoid double warning when a library is deleted. 2005-01-31 * POmakefile.in (POTFILES): Added module FWWindowPrint.cpp to the list of files processed for localization * FWWindowPrint.cpp (filePrint): Added small margin inside table cells in Legend and Object tables in the printout. 2005-01-30 * PolicyCompiler_ipt.cpp (processNext): fixed bug #1112470: "Problem with FW part of ANY in Bridged mode". If fw is considered part of any, we should place rule in INPUT/OUTPUT chains even if it is a bridging fw since fw itself may send or receive packets. * PolicyCompiler_ipt.cpp (accounting): implemented feature req. #1112980: "Need unique names for accounting rules". User can now specify a unique name for rules with action 'Accounting'; this name will be converted to a chain name. This simplifies accounting since chain name for such rule won't change if the user adds or removes rules above or below. * PolicyCompiler_ipt.cpp (accounting): fixed bug #1112976: "Accounting rule with logging produces looped iptables command" * FWWindowPrint.cpp (beginPage): implemented Feature Req. #1112778: "include date and time on printouts". Added date and time to the header on each printed page. * RuleSetView.cpp (paintCell): fixed bug #1112776: "some items touching seperator lines on printouts". Rule elements "Action", "Direction", "Options" and "Comment" were placed right at the top of the table cell which led to their clipping when rule set was printed on Mac OS X. Need more testing. * FWWindowPrint.cpp (filePrint): fixed bug #1112764: "some Objects are partially obscured in printout". Parts of the "Objects" table were clipped. Need to test some more. 
2005-01-29 * FWBSettings.cpp (init): fixed bug #1112264: "Load last edited file" setting doesn't work. This was broken only on Mac OS X. * FWObjectDatabase.cpp (merge): API change: fixed bug #1105167: "Crash when importing a library that has been deleted". 2005-01-27 * NATCompiler_pf_writers.cpp (_printPort): not quite fixed bug #1105755 "Custom Service objects not working for PF compiler". User tried to generate a nat rule like this using CustomService object: nat on eth1 proto {tcp udp icmp gre} from 192.168.1.0/24 to any -> 22.22.22.22 Taken from the bug report: it turned out, I can not fix this. You are trying to use Custom Service object to insert protocol list into a "nat" rule. Normally, a service object such as TCP or UDP service generates two components for any rule where it is used: a protocol specification and port specification (type/ code spec for ICMP). PF is sensitive to the order of parameters in the rule, in particular, protocol must be defined after interface but before src/dst addresses in the rule, while port numbers go after addresses. Compiler easily retrieves this information from IP, TCP, UDP and ICMP services and places it in a proper slots in the rule it generates. CustomService does not have a notion of protocol and parameters for it, so compiler puts a string that is configured in the CustomService in the place reserved for port numbers. This means you can not use CustomService to specify protocols. There still was a bug in fwb_pf where it would print "custom_service" in place of protocol. This is fixed in 2.0.6 build 542. Protocols can not be inserted with Custom Service though. Feature request #1111267 "CustomService should specify protocol and parameters for it" has been opened * PolicyCompiler_ipt.cpp (processNext): fixed bug #1102629: "lost chain in accounting rules". 
Rules with multiple objects in one of the rule elements and action 'Accounting' generated code that ignored objects in that rule element * ObjectManipulator.cpp (newPhysicalAddress): fixed bug #1111244 "GUI allows to add more than one MAC address to an interface". There can only be one MAC address for each interface. * FWWindowPrint.cpp (printQTable): While printing rule sets, the program makes sure rule set tables are broken on the rule boundaries while switching to a new page. * Added "Page setup" dialog to set parameters such as printing header, printing of a legend and object lists etc. * fixed bug #1109174: "Cannot print rule base" - implemented printing 2005-01-25 * instDialog.cpp (selected): fixed bug #1109631: "can not copy firewall script to /etc on Linksys". Added an option to all OS resource files that determines whether user is allowed to change installation directory on the firewall. Currently it is allowed on all supported OS except Linksys/Sveasoft because there /etc/ resides on read-only filesystem 2005-01-24 * PolicyCompiler_ipt.cpp (processNext): fixed bug #1101910: "Samba problem with Bridged Firewall". Need to split rule to take care of broadcasts forwarded by the bridge and broadcasts that are accepted by the firewall itself. Need to do this only if the rule is not associated with any bridging interface. * PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed bug #1106701: 'backup ssh access' and statefulness interaction. Need to add rules matching states ESTABLISHED and RELATED for the backup ssh access to make sure it works even if global rule matching these states is disabled. * configure.in: fixed bug #1107838: "bug in configure script in fwbuilder 2.0.6". Need to specify path "./" when calling runqmake.sh * FWWindowPrint.cpp (filePrint): printing legend and a list of objects at the bottom of a printed document. 
* Compiler_ops.cpp (operator==): API change: fixed bug #1108861: "two rules using MAC address matching shadow each other". Need to check for MAC addresses while processing rules for shadowing. 2005-01-21 * FWWindowPrint.cpp (filePrint): Implemented printing of firewall rule sets. Using standard QT class QPrinter; can print to a system printers or to a file (PostScript), both in black and white or a color where available. Prints policies of the currently opened firewall. The program can calculate total number of pages and offer the user a choice in the Print dialog only if QT v3.2 and later is used. Each printed page has a header with the file name, RCS revision and a page number. Currently, the header can not be turned off (will implement in the future). 2005-01-07 * v2.0.5 released 2005-01-06 * RCS.cpp (isDiff): writing RCS log in UTF-8, this simplified localization 2005-01-02 * RCS.cpp (RCS): working on localization of RCS log entries. Build 516 converts log strings into 8bit string into locale-specific format on Unix before sending it to ci. Strings returned by rlog are converted from locale-specific format. No conversion is done on Windows and Mac OS X. * objects_init.xml.in: fixed bug (no num) that caused GUI crash when user created new firewall object using template with three interfaces. 2004-12-30 * PolicyCompiler_ipfw_writers.cpp (processNext): fixed bug #1093620: "path (to ipfw) with spaces fails". Generated script failed if path to ipfw contained space. I only worked around this problem for ipfw; paths to sysctl and logger must be standard and never contain spaces. * PolicyCompiler_ipfw.cpp (processNext): fixed bug #1093472: "ipfw port range(s) errors". There can only be one port range in a single ipfw rule. * PolicyCompiler_ipfw_writers.cpp (_printProtocol): fixed bug #1093461: "problem with 'established' in ipfw". Ipfw requires protocol to be set to 'tcp' if option 'established' is used in a rule. 
2004-12-29 * RCS.cpp (RCS): fixed bug #1092810: "Multiline RCS comments are shown as a single line on windows". As it turned out, this bug affected all platforms. * RCS.cpp (ci): an attempt to fix a bug that does not allow to enter RCS comment using non-english locale. 2004-12-28 * PolicyCompiler_ipt.cpp (getInterfaceVarName): fixed bug #1059393: "function getaddr failed for eth1.0020". Generated script can now work with interfaces that have a dot in their name (such as "eth1.0020" - vlan interface) * PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed bug #1092141: "irritating FORWARD rule for established connections". Need rule in FORWARD chain only if ip forwarding is on or set to "no change" 2004-12-22 * Compiler.cpp (createRuleLabel): API change: fixed bug #1068119: "additional whitespace for Rule comments in .fw file". Added extra space between rule number and interface spec in rule comments. * PolicyCompiler_ipfw.cpp (processNext): fixed bug #1089866: "multiple services in one rule confuses ipfw compiler". If several UDP or TCP objects were used in the same policy rule and these service objects had source port ranges defined, the compiler would produce incorrect code by combining source port range specifications together in the same ipfw command. * main.cpp (main): Pull-down menu "On startup" in the "General" tab of the preferences dialog now has three items: "Load standard objects", "Load last edited file" and "Ask user what to do". The last item is default. * PolicyCompiler_PrintRule.cpp (_printProtocol): fixed bug #1089586: "default --icmp-type value is 0 in iptables < 1.2.9". The problem concerns policy rules using service object "any ICMP". A rule like this is supposed to match any ICMP packet. Few versions ago I had to add option "-m icmp" (and "-m udp", "-m tcp") because I've discovered that iptables-restore on some systems (linksys sveasoft firmware, iptables v1.2.11) refused to load rules without it. 
Now it turns out that iptables v < 1.2.9 (tested on 1.2.6a and 1.2.7a) implicitly adds equivalent of "--icmp-type 0" to rules with "-p icmp -m icmp" and without "--icmp-type" option. Since type 0 is actually icmp echo reply, a rule like this does not match "any ICMP" as it was supposed to do. Iptables 1.2.9 implicitly adds "--icmp-type 255" which matches any icmp type. Using "--icmp-type 255" on iptables 1.2.6 and 1.2.7 does not work (a rule does not match icmp packets with type different from 255). The fix generates "-p icmp -m icmp --icmp-type any" for iptables 1.2.9 and later, as well as when iptables version is not specified in the firewall object settings. It generates just "-p icmp" for versions < 1.2.9. 2004-12-19 * ObjectManipulator.cpp (newInterfaceAddress): GUI change: main menu item "Object/New Object/Address" and corresponding toolbar button always creates an Address object under Objects/Addresses folder in the tree. Address of an interface can be created using pop-up menu item "Add IP Address" 2004-12-16 * Bunch of cosmetic bugfixes in the GUI * PrefsDialog.cpp (setButtonColor): implemented feature request: colors that are used to color rules can be changed in Preferences dialog. 2004-12-13 * FWWindow.cpp (fileOpen): when user clicks menu item "File/Open" to open a new file, the GUI should save and close currently opened file only after the user chooses new file. If user clicks Cancel in the File/Open dialog, operation should be cancelled so the user can continue working with currently opened file. The same applies to operation File/New. 2004-12-12 * po.pro: fixed bug (no num): localization was broken on win32 and mac os x because translation files were not installed properly. * ObjectManipulator.cpp (pasteTo): improved behavior of the main menu "Edit" as well as pop-up menu that appears when user right mouse clicks on an object in the tree. 
Menu item "Paste" should only be enabled if the clipboard is not empty and objects that are stored in it can be pasted into selected object in the tree. 2004-12-10 * RCSFilePreview.cpp (selectedRevision): fixed bug (localization): RCS log entries made using non-ascii characters used to appear as '???' in Open File and File/Properties dialogs. * ObjectEditor.cpp (validateAndClose): more bugfixes for the behavior of the object editor dialogs. Dialog should ask if user wants to save data and then validate it when user clicks on [x] to close editor dialog. It used to validate the data first, then ask if they want to close dialog. 2004-12-09 * FWWindow.cpp (load): when user opens data file in the old format (fwbuilder v1.1.x, extension .xml) and after autoupgrade the program discovers that the same file with extension .fwb already exists, it offers the user a chance to choose different name. If user clicks "Cancel" at this point, the program cancel operation and reverts upgraded data file back to its original name and version. * listOfLibraries.cpp (add): fixed bug (internal #34) the program should issue a warning when user tries to add a library file (.fwl) that contains object library that already exists in the opened data file. * ObjectEditor.cpp (validate): Streamlined logic in the object editor dialog. This improves handling of the situation when user closes dialog by clicking on [x] while 1) there are unsaved data and/or 2) some of the object's parameters have illegal values. The dialog behavior also depends on the setting of the global flag "Autosave" that causes dialog to automatically save data when user switches between objects. 
2004-12-08 * listOfLibraries.cpp (add): numerous fixes for localization 2004-12-05 * ObjectManipulator.h: numerous bugfixes: - properly synchronizing state of the items main menu with state of corresponding items in the pop-up menu that appears when user right-mouse-clicks on an object in the tree - fixes for non-localized text strings in dialogs (mostly "Continue", "Yes"/"No" etc. in many places) - proper localization of the human-readable version number text for iptables; also made info window print readable text instead of "lt_1.2.6" - cosmetic changes in some dialogs layout to make them look better when localized text makes strings much longer - firewall object dialog tab "Templates" has been hidden. It is unlikely that this feature will be implemented in 2.0.X series. 2004-12-04 * listOfLibraries.cpp (add): fixed bug (no num): the GUI crashed when user tried to add a library file for auto-load in Preferences/Libraries and the first library object in that file had a name using non-ascii characters * Bunch of other fixes to avoid '????' in various places for localized strings 2004-12-04 version 2.0.4 released 2004-12-02 * utils.cpp (fillLibraries): fixed bug (no num): if a library was assigned a name with non-ascii characters, it would appear distorted in the pull-down list in object dialogs. * fixed bug #1077496: "Error compiling libfwbuilder in FreeBSD". The problem was caused by changed major version number of libnetsnmp library in the latest net-snmp port (v5.2) 2004-12-01 * FWWindow.cpp (openFirewall): fixed bug #1077072: "CrossPlatform Firewall Builder Crash" - pressing arrow down key on the keyboard right after the GUI started with no firewall objects defined caused crash. 2004-11-30 * po/ru.qm: Updated Russian translation 2004-11-25 * PolicyCompiler_ipt.cpp (splitIfSrcNegAndFw::processNext): fixed bug #1073491: incorrect code for rules using two interfaces with negation. 
If a rule had two (or more) interfaces of the firewall in the destination, with negation, the code generated by compiler would check one interface's address in INPUT chain and another in FORWARD chain. It should check addresses of all interfaces from the corresponding rule element in the INPUT chain and also check addresses and possibly services from other rule elements in the FORWARD chain. This bug affected rules with two or more interfaces both in source and destination. * po/LINGUAS: translators maintain Russian localization using QT linguist rather than gettext, removed ru locale from gettext Makefiles but left it in po.pro for installation * fwblookup.cpp: a fix to make it compile on FreeBSD w/o gnugetopt port * utils.cpp (addPopupMenuItem): minor fix to help localization ('add object' and operation on rules pull-down menus did not translate properly) 2004-11-23 * instDialog.cpp (continueRun): built-in installer checks exit status of the script it runs on the firewall and aborts installation sequence if it detects an error. OS resource files have been updated accordingly so they return exit status '1' in case of error and '0' when they succeed. * Compiler_ops.cpp (checkForShadowing): API change: still working on the IPService object shadowing changes. ip fragments object was shadowing GRE object, which was incorrect. Hopefully this change finally fixes it. 2004-11-21 * OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug (no number): policy compiler for iptables used "tail -1" in the shell script that read actual IP addresses of interfaces of the firewall. This shell code failed to determine correct address of an interface that was configured with a secondary address. Reverted to using grep (I switched to tail when ran into limitations of one of the beta builds of Sveasoft Linksys firmware that did not have grep) 2004-11-18 * NATCompiler_ipt.cpp (processNext): fixed bug #1068936: "unnumbered interace not using MASQUERADE". 
Compiler for iptables will use target "MASQUERADE" if unnumbered interface is used in Translated Source in a NAT rule. * utils.cpp (fillLibraries): fixed bug (no num): group object dialog showed incorrect library name for groups located in the "Standard" library 2004-11-17 * listOfLibraries.cpp (add): fixed bug (no number): GUI could not find names of the object libraries in external library files that user added for automatic load in the Preferences dialog on Windows. It would find the name of the library in the first file, but failed to find library names in subsequent files and used the name from the first file. Since this library was only present in the first file, object tree was getting corrupted when the program attempted to load this library from every file configured for automatic pre-load. This only happened on Windows. * dns.cpp (init): API change: fixed bug (no number): program crashed on FreeBSD 5.3 when using SNMP to obtain parameters for hosts and interfaces. Crash occurred because of use of uninitialized mutex variables in module dns.cpp 2004-11-16 * main.cpp (main): improved error handling: if the GUI is started with a file on the command line or is configured to open a file automatically on startup and RCS can not check the file out, the GUI will come up empty (with only standard objects loaded). * po/ja.po: Added Japanese translation by Tadashi Jokagi * DialogFactory.cpp (createFWDialog): added XML element FWBuilderResources/Target/dialog to platform and host OS resource files. This element describes GUI dialog that should be opened for the firewall object for a given firewall platform or host OS. This is to be used with customized resource files, e.g. when user wants to add their own host OS resource file to change commands used to load and activate policy on the firewall. 
Such a customized resource file will have unique "description" element (the value of this element appears in the pull-down menu in firewall object dialog) and the same values for "family" and "dialog" elements to indicate which firewall family it belongs to and which dialog should be used. Policy compilers consult "family" element to check if the firewall platform is supported by the compiler. * GroupObjectDialog.cpp (addIcon): fixed bug (no number): group object dialog corrupted object names if they contained non-ascii characters. 2004-11-13 * pixAdvancedDialog.cpp (pixAdvancedDialog): Removed "always new" mode for access lists and object groups for PIX configurations. This mode works well when user installs new configuration but causes problems if they want to reinstall the same configuration. Also converted old option "pix_add_clear_statements" to one of the configuration script modes. So, final list of script modes for PIX is as follows: - basic or old format when access lists are cleared and added from scratch. This is the simplest mode which can be used if management station connects to the firewall from inside. Remote management over IPSEC tunnel may be difficult since tunnel traffic is blocked as soon as "clear access-list" command is executed. - access-list and object-group commands are generated but "clear access-list" and "clear object-groups" commands are not added. User's installation scripts should take care of that. This option replaces old option pix_add_clear_statements (with opposite semantics) - temporary access list is created and added to outside interface, then main lists and object groups are added with permanent names and assigned to interfaces. Temporary list permits all traffic from a single subnet configured in the GUI via option pix_acl_temp_addr. Temporary list is small and is not cleared in the end. 
Temporary list helps maintain IPSEC tunnel for the time when access-lists are cleared and firewall is running with default acl that does implicit deny for all traffic. Because the temporary list is not cleared at the end, its permit-everything entry for the pix_acl_temp_addr subnet remains in the running configuration after installation; that subnet should therefore be kept as narrow as practical (ideally just the management station). 2004-11-12 * pf.cpp (main): fixed bug (no number): pfctl expects "-F Sources" and "-F Tables" command line options with "Sources" and "Tables" capitalized. * FWObjectDatabase.cpp (merge): API change: changes in the object database merge algorithm: when an object database we are trying to merge has non-empty "Deleted objects" library, deleted objects from this library should be ignored (they used to be deleted from the current tree). Likewise, when current tree has non-empty "Deleted objects" library and objects in it match objects being merged in, objects should be removed from "Deleted objects" library to avoid creating duplicate IDs with objects being merged in. 2004-11-10 * Compiler_ops.cpp (checkForShadowing): API change: fixed bug (no number): rule shadowing algorithm now assumes that IPService object with protocol number '0' shadows any other service just like 'any' does. * PolicyCompiler_ipt_optimizer.cpp (optimizeForRuleElement): fixed bug #1063953: "Wrong accept/multiport rule generated". Compiler generated wrong code for rules using multiple service objects of different types (TCP and UDP, or TCP and ICMP etc), multiple addresses in src or dst with option that requires using TCP RST for action REJECT. 2004-11-07 * SSHPIX.cpp (getACLs): New feature: added support for new configuration script formats for PIX in installer: - basic or old format when access lists are cleared and added from scratch - access lists have unique names each time policy is recompiled, lists are added without clearing. - access lists are added with temporary names and assigned to interfaces, then the same lists are added with permanent names, lists are swapped and temporary lists cleared Last two methods provide for instantaneous access list swap so that the firewall never runs with empty lists. 
This helps maintain access to the firewall if configuration is installed remotely. * SSHPIX.cpp: New feature: Installer always clears unused access lists after confgiuration is loaded. 2004-11-06 * fwcompiler/Compiler.cpp (complexMatch): fixed bug #1055937: "Any->all_multicasts not in INPUT Chain". Need to check if network objects are multicasts; assume that multicast always matches firewall object (e.g fwb_ipt will put rule with such network object in destination in INPUT chain) * instDialog.cpp (instDialog): Added an option to push PIX configuration to a standby firewall at the end of install. 2004-11-01 * NATCompiler_PrintRule.cpp (_printDstService): fixed bug (no number) where compiler for iptables used option "--destination-port" with module "multiport" for versions of iptables that do not understand it (1.2.6 and later, as well as default version setting 'any'). The option should be "--destination-ports" or "--dports". 2004-10-31 * FWBSettings.cpp (init): fixed bug (no number): Policy installer failed if the following conditions were met: - it was running on Linux, FreeBSD or Mac OS X - working directory configured in the "General" tab of the Preferences dialog did not exist and could not be created or its permissions did not allow user that runs the GUI to access it * NATCompiler_ipt.cpp (processNext): fixed bug (no number) in fwb_ipt that caused no-nat rules with firewall in OSrc to be placed only in OUTPUT chain. Packets originating on the firewall go into OUTPUT and POSTROUTING chains, so no-nat rules must be placed in both. Other minor improvements for NAT of the locally originated connections have been done as well. 2004-10-30 * NATCompiler_PrintRuleIptRst.cpp (_endRuleLine): fixed bug (no number): compiler placed extra quote '"' at the end of each NAT command in the script using iptables-restore; this happened only if all interfaces of the firewall had static addresses. 
* PolicyCompiler_PrintRule.cpp (_printProtocol): testing policy installation via iptables-restore with old versions of iptables (1.2.6a). Need to include "-m tcp", "-m udp" or "-m icmp", otherwise iptables-restore does not understand options "--dport", "--tcp-flags" and some others. Also had to use "--tcp-flags SYN,RST,ACK SYN" instead of "--syn" for better backwards compatibility. 2004-10-26 * ipt.cpp (main): iptables: Added ability to insert shell commands defined in the prolog script in three places: - on the top of generated script - after interface configuration but before resetting existing iptables policy - after existing policy rules are flushed and optional global implied rules added but before all policy and NAT rules 2004-10-24 * PolicyCompiler_PrintRuleIptRst.cpp (_createChain): implemented Feature Request #1021201: "output iptables-restore compatible config from fwb_ipt". Policy compiler for iptables can use iptables-restore to activate firewall policy. Iptables-restore provides for atomic policy load and allows to load large policy much faster. Atomic load means the whole filter or nat table is activated at once, and if there is an error, nothing is changed. Compiler generates script in three possible formats: - the usual shell script that adds rules one at a time by executing iptables command with an "-A" flag to add a rule; - commands are fed to iptables-restore, this format is used when all interfaces of the firewall have static IP addresses and script does not need to determine addresses at run time; - script determines IP addresses of interfaces and discovers dynamic interfaces that were defined as a "wildcard" interface in fwbuilder (e.g. 'ppp*'); code that is sent to iptables-restore is generated dynamically by the script at run time. Using iptables-restore is optional and is controlled by the checkbutton in the "Script options" tab of firewall settings dialog.
Path to iptables-restore utility can be set in the "Paths" tab of the host settings dialog. * A change in the script generated by fwb_ipt: if iptables-restore is not used to load policy, generated shell script purges existing firewall policy (all tables and chains) and sets default chain policies after it configures interfaces of the firewall. Previously, it would flush tables and set default policy before it configured interfaces. 2004-10-23 * RuleSetView.cpp (pasteRuleAbove): fixed bug #1028866: "incorrect order when several rules copied using copy/paste". Pasting multiple rules into an empty policy caused rules to be inserted in the wrong order. * freebsdAdvancedDialog.cpp (freebsdAdvancedDialog): fixed bug #1046345: "ipfw - no option to specify ipfw executable". Added GUI control to let user specify alternative path to "ipfw" on FreeBSD. Control like that was previously available only for Mac OS X * PolicyCompiler_ipt.cpp (checkForMatchingBroadcastAndMulticast), Compiler.cpp (_complexMatchWithInterface): fixed bug #1040773: need to match network address as well as broadcast. Packets sent to the network address (192.168.1.0 for net 192.168.1.0/24) go in the broadcast frame and behave just like IP broadcast packets (sent to 192.168.1.1255 for the same net) * PolicyCompiler_ipt.cpp (finalizeChain::processNext): fixed bug #1040599: "unnecessary FORWARD rules". If ip forwarding is turned off in the host settings dialog of the linux-based firewall, compiler should not generate rules in FORWARD chain. 2004-10-20 * linux24.xml.in: Added element "Target/family" to all OS resource XML files. Compilers use "family" resource element to determine if host OS is supported. User may want to copy host OS resource file to modify installer scriptlets; as long as the family element is kept the same, compiler will accept new resource file. 
* linksys.xml.in: Added elements "Target/options/suppress_comments" and "Target/options/suppress_modules" to the OS resource files linksys.xml and linux24.xml. These options suppress printing comments in the generated script and remove commands that load kernel modules. These options are used for Linksys/Sveasoft appliance but can also be used for other firewalls based on Linux. 2004-10-19 * pf.cpp (main): Activation script for PF flushes only information about rules, nat, source and tables (it used to flush "all"). This preserves queue entries and states. * ipt.cpp (main): moved rule permitting backup ssh access from the management station to the firewall to the top of the script. This helps maintain ssh session, otherwise it may stall or break because stdout buffer is filled with diagnostic or progress output from the script that is printed after all chains are flushed but before rule permitting ssh to the firewall is added. If stdout buffer is full, ssh stops and tries to send the text to the management station but times out because firewall blocks it. * ipt.cpp: removed code that added iptables command to the "drop" table to drop and log all dropped packets. This rule used obsoleted patch-o-matic patch "drop" which is not available anymore. 2004-10-17 * ipt.cpp (main): fixed bug (no number): all policy compilers properly detect an error when the output file can not be created or overwritten and print error message to warn the user. * New feature: added support for prolog and epilog scripts for all firewall platforms. This was available for PIX for some time, now it has been added for all platforms. "Prolog/Epilog" tab of the firewall settings dialog allows for editing of two blocks of commands that will be added to the generated firewall script verbatim. Prolog block is added on top, while epilog block is added at the bottom. Both prolog and epilog are expected to be shell scripts and are added to the generated shell script that activates firewall. 
For iptables and ipfw all compiler generates is this shell script and prolog and epilog commands are inserted into it. These commands may execute some actions, as well as add any policy or nat commands. For ipf and pf prolog and epilog commands are added to the activation shell script ( .fw file); prolog is added immediately after the command that flushes all rules. This way user may either execute shell commands or add policy and/or nat rules by loading them from external file. 2004-10-10 * FWWindow.cpp (addFirewallToList): fixed bug (no number) introduced in 2.0.3 when GUI crashed if user tried to choose pull-down menu item in the firewall list after the very first firewall object has been created. * SSHPIX.cpp: Added #include to make code compile with gcc 3.4.2 and glibc 2.3.3 * ipt.cpp (main): fixed bug #1040788: fwb_ipt and user name. Compiler used to read environment variable "USER" to find out user's name. Sometimes this variable is not set, which caused compiler to abort. Using env variable LOGNAME in addition to USER. 2004-09-30 * v2.0.3 released 2004-09-28 * instDialog.cpp (instDialog): since config diff is broken for pix v6.3(3) (because it does not permit adding duplicate ACL entries), "save diff to file" option is temporary disabled. "Incremental" install renamed to "install only ACL,icmp,telnet,ssh,nat,global and static commands" 2004-09-27 * OSConfigurator_linux24.cpp (printPathForAllTools): script generated by compiler for iptables checks if /usr/sbin/ip exists on the firewall before it tries to use it to verify interfaces and configure IP addresses. This check is only performed if user activated options that use this tool. An error message "Interface eth0 does not exist" was generated if package iproute2 was not installed on the firewall, which was confusing. * FWWindow.cpp (doCompile): Added option "output file name" to firewall settings dialogs for all platforms. 
User can specify the name for the output file; this name is then used by built in installer in place of a macro %FWSCRIPT%. * ipt.cpp (main): Added command line option "-o" for all compilers * FWWindow.cpp (save): fixed bug #1035800: "Autosave failure opens error window repeatedly". This bug was in fact fixed earlier. 2004-09-26 * FWWindow.cpp (fileSaveAs): fixed bug #1035130: 'Persistent "Save" dialog box'. Certain combination of actions on user's part used to lead to an indefinite loop of "do you want to save the data" dialogs. The problem was triggered if user skipped choosing a name for the new file in startup dialog. * linux24.xml.in: fixed bug #1035132: "compile errors with default Linksys firewall object". This bug has been introduced in build 435. When user created a new firewall object using one of the template objects, the GUI would add bunch of garbage to the firewall options. This garbage violated XML DTD, so compilers and the GUI would not accept the data file anymore. 2004-09-25 * ipt.cpp (main): using "set -x" to turn debugging on in generated iptables script. This will work even if the script is activated with "sh script.fw" command. * OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers): changed command line for sed to more portable version. We used to use 'stmt; stmt' syntax, which is not always portable. Switched to a supposedly more portable syntax using multiple "-e" command line options. 2004-09-23 * instDialog.cpp (getActivationCmd): fixed bug (no number): as of build #430, installer ignored activation command configured in the "install" tab of firewall settings dialog. Restored this functionality. * OSConfigurator_linux24.cpp (printPathForAllTools): just like with "tail -1", some busybox based systems require "head -1" to be changed to "head -n1" 2004-09-22 * instDialog.cpp (testRunRequested): fixed bugs in installer that prevented it from working on OpenBSD. Enabled scheduled reboot for all OS except PIX.
2004-09-21 * instDialog.cpp (testRunRequested): "schedule reboot" option is only enabled for linksys since it does not work on other platforms (yet) * FWWindow.cpp (openFirewall): implemented Feature Request #1032126: "Firewall label for clarity". Printing the name of the firewall object that is opened in the policy panel in a large font right above interface/policy tabs. This was easy to implement but I consider it an experiment. Will request feedback from users. * SSHSession.cpp (startSession): refactored code in built-in installer. Moved interaction with ssh to classes SSHSession, SSHUnx and SSHPIX. Moved "scriptlets" that are executed on firewall to activate policy in different modes to resource files. Using ssh rather than scp to copy policy script to unix-based firewalls (pscp.exe on Windows works only if the server supports sftp, but dropbear on Linksys does not support it so installer breaks if we use scp/pscp.exe to copy the policy). Still having problems with scheduled reboot option on Linux/BSD firewalls (it works on Linksys though). * OSConfigurator_linux24.cpp (printPathForAllTools): bugfix: some editions of busybox do not support "tail -1" syntax and require "tail -n1" 2004-09-19 * instDialog.cpp (getActivationCmd): Improvement in the built-in installer: added an option to schedule automatic firewall reboot in specified time (in minutes) after policy activation. This option is available for all firewall platforms but PIX. This option only works if user requested policy activation in a test mode, in which case policy is copied and activated on the firewall but not stored in the permanent location. After reboot the firewall reverts to the previous version of the policy. To cancel scheduled reboot, run installer again with "test run" option turned off. Installer stores the policy in the permanent location, activates it and cancels scheduled reboot. * src/res/os/linux24.xml.in and other: moved all commands used by built-in installer to resource files. 
2004-09-18 * NATCompiler_pf.cpp (processNext): NAT rule of type DNAT (rdr rule) is assigned to an interface of the firewall if interface object or its address object is used in ODst. To get rdr rule without interface assignment, use an Address or a Host object that has the same IP address as that of firewall's interface but that is not a child of an interface. This is the same approach that is used in iptables. * PolicyCompiler_pf.cpp (compile): Compiler for pf always uses tables; this breaks compatibility with older OpenBSD systems (3.2 and 3.3) * PolicyCompiler_pf.cpp (findDynamicInterfaces): Compiler for pf puts interface name in a table even if interface is dynamic for rules that use multiple objects in src or dst and one of these objects is dynamic interface of the firewall that is being processed. Using dynamic interface of another object in a rule is still considered an error. Compiler puts the name of dynamic interface in a table verbatim, without brackets '(' ')' since pf does not replace dynamic interface with its address dynamically if it is used in a table (pfctl issues an error if interface is put in brackets) 2004-09-17 * OSConfigurator_linux24.cpp (configureInterfaces): flushing only secondary ip addresses on interfaces. This should fix a bug that caused linksys/sveasoft unit to lose default route upon reboot if external interface has static IP address. 2004-09-15 * PolicyCompiler_pf.cpp (addDefaultPolicyRule): fixed bug #1028980: "need an option to turn logging on on fallback rule" * PolicyCompiler_pf_writers.cpp (processNext): fixed bug #1028973: fwb_pf: missing "flags S/SA" in front of "modulate state" * pfAdvancedDialog.cpp (pfAdvancedDialog): added an option to permit tcp sessions opened prior to firewall restart. This is needed now since compiler generates "flags S/SA" for the "keep state" and "modulate state" rules which means firewall won't permit TCP sessions unless it saw opening SYN packet. 
* instDialog.cpp (getActivationCmd): improvements in policy installer: added an option for test run. When this option is activated, policy script is pushed to the firewall and is executed but is not stored there permanently. Firewall reverts to the last working configuration after reboot. * NATCompiler_ipt_writers.cpp (processNext): using abbreviated versions of "--dport", "--sport", "--dports", "--sports" options to make generated iptables script smaller. Also changed the name of the variables used to hold IP address of dynamic interface from "interface_" to "i_". All this should help to fit larger policies into small FLASH on linksys. These changes shrunk my test script from 7964 bytes to 7430 bytes 2004-09-14 * platforms.cpp (isDefaultOptions): fixed bug #1028078: "options.png is not displayed for "Assume firewall is part..." * pfAdvancedDialog.cpp (pfAdvancedDialog): fixed bug (no num): "firewall settings" dialog for OpenBSD pf did not save option "Use tables". * instDialog.cpp (getActivationCmd): implemented compression of the firewall script for Linksys/Sveasoft combo. Using gzip and uuencode/uudecode to compress the script and store it in flash variable 'fwb'. Installer prints flash memory stats after committing changes. Installer uses scp to copy firewall script to the firewall and autogenerated prompt to detect when it logged in; it does not depend on Linksys shell prompt anymore. 2004-09-12 * PolicyCompiler_ipt.cpp (addPredefinedPolicyRules): implemented feature request #1023430: "add checkbox for INVALID support in fw settings". Added two checkboxes to the firewall settings dialog: one adds a rule to drop INVALID packets and another adds logging to the rule.
* FWWindow.cpp (fileSaveAs): fixed bug #1026945: '"Save As" does not work if current file is in RCS' * FWWindow.cpp (removeFirewallFromList): fixed a bug (no number): after deleting a library firewall objects that belong to it were not removed from the pull-down list * PolicyCompiler_ipt_optimizer.cpp (optimizeForRuleElement): fixed bug #1026794: multiple SRC ntwks --> "iptables: invalid argument". Recent changes in optimizer introduced this bug. Rules with multiple objects in src or dst, TCP service, action Reject and option "reject with TCP RST" would generate iptables command that used option "--reject-with tcp-reset" without "-p tcp" * PolicyCompiler_pf_writers.cpp (_printDstAddr): fixed bug #1006906: "Negated network causes pass on network". Compiler for pf uses native negation syntax that is now available in pf 2004-09-11 * PolicyCompiler_ipt.cpp (TimeNegation): fixed bug #1022216: "negated time produces incorrect iptables rule". Implemented negation for the "Time" rule element for iptables * PolicyCompiler_ipt.cpp (processNext): fixed bug #1026509: "incorrect rules generated for dual negation with time". Compiler generated incorrect iptables commands for rules that had negation in two or more rule elements, one of which was Time. 2004-09-09 * OSConfigurator_linux24.cpp (prolog): rules that permit packets associated with ESTABLISHED,RELATED states moved to the beginning of the script before NAT rules. * PolicyCompiler_ipt_writers.cpp: added a checkbox and support in policy compiler for iptables to generate rules that drop packets that are associated with no known connection (state "INVALID") 2004-09-08 * Firewall.cpp (duplicate): API change: fixed bug (no number): all references to the interfaces, as well as their IP and MAC addresses, in policy and NAT rules should be replaced when Firewall object is duplicated. Until now only references to the firewall object itself and to its interfaces were replaced with references to the newly created copies of object.
References to IP and MAC addresses still pointed at the old objects. * FWObjectDatabase.cpp (IDcounter): fixed bug #1022788: "GUI corrupts XML file after creating a second firewall". Global object ID counter was getting reset every time new FWObjectDatabase object was created. This lead to the ID collision if user quickly created and deleted complex objects (such as Firewall) and used database merge. This should also fix bug #1022785: "GUI corrupts XML file after creating a host entry" * PolicyCompiler_ipt_optimizer.cpp (processNext): fixed bug #1024861: "optimizer is broken in fwb_ipt". Used idea and a patch by Mark Vevers . The fixed compiler fwb_ipt generates more efficient iptables script for rules with multiple objects in all rule elements. The script is smaller and eliminates unnecessary comparisons for packet attributes. Every attribute (i.e. source address, destination address, protocol and port numbers) is checked by the script only once. This should help reduce load on firewalls with lots of complex rules. * VERSION: set version to 2.0.3 2004-08-31 * v2.0.2 released 2004-08-31 * ipt.cpp (main): fixed bug #1019943: "Missing ip addresses in the rule using interfaces" * linksysAdvancedDialog.cpp (linksysAdvancedDialog): fixed bug #1019691: "040829 nightly build doesn't add paths for linksys" 2004-08-30 * VERSION (VERSION): version 2.0.2, revision 1 * aboutdialog_q.ui.h (init): "About" dialog shows registration status (used only in non-GPL versions) 2004-08-28 * fixed FreeBSD port, now compiles on 5.3BETA 2004-08-25 * RuleOptionsDialog.cpp (loadFWObject): Added support for options "max", "max-src-nodes" and "max-src-states" in pf. These allow to limit number of concurrent state table entries ("max"), number of source addresses that can simultaneously have state table entries ("max-src-nodes") and number of simultaneous state entries per source address ("max-src-states") per rule.
* LibExportDialog.cpp (accept): fixed bug #1015884: "Export more than one library fails with 0 references". Export library operation failed if user exported two libraries with groups or rules in one library referencing objects in the other. 2004-08-24 * pfAdvancedDialog.cpp (pfAdvancedDialog): Implemented support for all timeout settings in pf: tcp.first,tcp.opening,tcp.established, tcp.closing,tcp.finwait,tcp.closed,udp.first,udp.single,udp.multiple, icmp.first,icmp.error,other.first,other.single,other.multiple, including adaptive timeout scaling options adaptive.start and adaptive.end 2004-08-23 * FWBTree.cpp (getStandardSlotForObject): fixed bug #1014725: "adding new ICMP types". If user created service group with the name "ICMP", the GUI would place new ICMP objects under this group instead of the standard folder "ICMP". There was the same problem with other object types, too. * ObjectManipulator.cpp (simplifySelection): debugging in operations "delete object", "move object", "undelete". Making sure we can delete and undelete libraries, delete and move several objects at once, group several objects. There were problems if user selected several host or firewall objects using Shift-Click (although interface and address objects were not visible to the user, they were selected and acted upon in delete or move functions; this lead to unexpected results or crashes). 2004-08-22 * templates.xml.in: added template firewall objects for Linksys firewall and a web server. * templates.xml.in: fixed bug #1013957: "incorrect NAT rule in firewall created from template #3". The problem was caused by incorrect ip address of interface "dmz" in the template object #3. * pixAdvancedDialog.cpp (pixAdvancedDialog): implemented a backup ssh access rule. The user specifies management station IP in the firewall settings dialog for PIX and compiler adds a rule on top of all other rules to permit ssh from this address to the firewall.
2004-08-21 * OSConfigurator_linux24.cpp (prolog): avoiding grep in the generated iptables script - Sveasoft Alchemy pre-5.2.3 does not have grep * API change: fixed bug #1012733: "configure --libdir=DIR will be ignored at installation". Needed to use macro _libdir to specify target directory for libraries. Used it in configure, qmake.in, libfwbuilder-config-2 and a .spec file * objects_init.xml.in: added new service objects to the Standard objects library: "xmas scan" (old object renamed "xmas scan - full"), rsync, distcc, cvspserver, cvsup, afp, whois, bgp, radius and radius acct, SSDP and UPnP. This fixes bug #1011248: "need two xmas scan service objects" * FWWindow.cpp (fileImport): function File/Import offers a choice of .fwl, .fwb and "all files" in the open file dialog. This fixes bug #1013485: "File/Import should allow to import .fwb file" * FWWindow.cpp (load): fixed bug #1008956: "Existing .fwb file gets overwritten if has wrong extension". If the GUI needs to rename a data file with old extension .xml to .fwb, it checks if a file with new extension exists and offers user a chance to choose a different name. It also treats symlinks in a special way: if user creates a symlink with extension .xml pointing at a file with extension .fwb, the GUI simply follows the link and works with .fwb file. This should work with Windows shortcuts, too. * instDialog.cpp (instDialog): built-in installer uses shell prompt string patterns configured in the host OS settings dialog for linksys. This fixes bug #1013022: "can not install policy script on linksts Alchemy pre-5.2" * linksysAdvancedDialog.cpp (linksysAdvancedDialog): Added host OS settings dialog for linksys/Sveasoft. Dialog provides entry fields for paths to iptables, lsmod, modprobe, logger tools and two shell prompt string patterns, this should help to work around changes in the shell prompt on Linksys. 
This fixes bug #1013018: "host OS settings" dialog is missing for linksys 2004-08-20 * ObjectManipulator.cpp (contextMenu): fixed bug #1009345: "Can only move one host object at a time between libraries" * ObjectManipulator.cpp (deleteObj): fixed bug #1013177: "deleting multiple hosts causes crash" * DTD change: fixed bug #1011617: "deleting physcal address object leads to the DTD violation" 2004-08-08 * PolicyCompiler_ipt_writers.cpp (_printDstService): fixed bug #1005148: "MAC matching - space missing". Space was missing between MAC address and custom service code. 2004-08-06 * listOfLibraries.cpp (add): fixed compile problem on systems where QT is built without STL support * PolicyCompiler_ipt_writers.cpp (_printLimit): fixed bug #1004153 "limit-burst = 0 is not valid". Iptables does not accept the rule using "limit-burst" option if it is set to zero. 2004-08-04 * ObjectManipulator.cpp (pasteTo): fixed bug #1003068: "object copy/paste not always working". IP address object could not be placed under interface using copy/paste operation. Now ip address object can be pasted to interface as well as to Objects/Addresses folder. * FWWindow.cpp (fileDiscard): Operation File/Discard closes the file, discards all the changes that have been made to it and replaces it with a fresh copy of the head revision from RCS. This works if user wants to abort file upgrade when they switch to the new version of fwbuilder. 2004-08-02 * FWObject.cpp (deleteChildren): fixed bug #1001833: "memory leak" - children objects were not deleted when FWObjectDatabase object was destroyed. * iptAdvancedDialog.cpp (accept): fixed bug #1002388: "Clamp MSS to MTU" option is missing in 2.0 2004-08-01 * objects_init.xml.in: there were two TCP Service objects "linuxconf" in the Standard objects library. Object with ID id3AED0D6D has been removed. 
It seems this object has been duplicated long time ago (at least it was like this in 1.1.2) * FWObject.cpp (getPath): fixed bug #1001725: "object with empty name can not be deleted". the problem was caused by the algorithm used in FWObject::getPath. If object had had a blank name, the path returned by this method would end with the name of its parent without slash. * FWWindow.cpp (showFirewalls): fixed bug #1000485: "Firewalls in the drop-down box not ordered". List of firewalls in the pull-down that controls policy views is now alphabetically sorted on program startup. * utils.cpp (fillLibraries): fixed bug #1000862: "Creating groups in Deleted Objects". Library "Deleted objects" should not be offered as a choice for "group objects" operation. * ObjectManipulator.cpp (contextMenu): fixed bug #1001275: "object duplication fails w/ no action". GUI used to not allow user to duplicate IP address object. Now any object can be duplicated so that the copy is placed under the same parent, including IP address. * ICMPServiceDialog.cpp (applyChanges): fixed bug #1001521: "Cant create ICMP service". ICMP Service dialog did not save icmp code and type numbers in the object. 2004-07-29 * 2.0 released, CVS tag set 2004-07-27 * FWWindow.cpp (install): the GUI calls external installer script if it is configured in firewall settings dialog when user clicks 'Install', otherwise it should use built-in installer. 
2004-07-24 * RuleSetView.cpp (insertRule): correctly copying rule direction when interface rule is copied/pasted * instDialog.cpp (selected): proper error messages for management interface misconfigurations 2004-07-20 * ICMPServiceDialog.cpp (loadFWObject): ICMP service dialog allows for setting type and code to 'any' (-1) 2004-07-19 * OSConfigurator_linux24.cpp (processFirewallOptions): fixed bug #992969: "argument to log should be quoted" 2004-07-14 * PolicyCompiler_ipt.cpp (processNext): working on bug #990037: "Wrong rule generated: fw interface included in negated group". Rules with negation should not generate code in INPUT/OUTPUT chains if option "assume firewall is part of any" is off. * ObjectManipulator.cpp (delObj): fixed bug #990675: "Application crashes when deleting objects" 2004-07-11 * PolicyCompiler_ipt.cpp (splitIfSrcNegAndFw): optimized processing of policy rules where firewall object is used in src or dst with negation (possibly in combination with other objects). Before, generated script would match firewall's addresses in INPUT/OUTPUT and FORWARD chains which added redundant checks in the FORWARD chain. * NATCompiler_ipt.cpp (processNext): fixed bugs #935794: "dual translation and negation in fwb_ipt" and #986376: "Wrong result for negated source in NAT rules". Dual translation rule with negation in OSrc did not process negation in the second half (POSTROUTING rule, the one that translates the source). * NATCompiler_ipt.cpp (processNext): fixed bug #965558: "False ruleset generated for iptables (negate w/ nat)". There were problems with double negations in NAT rules (OSrc and ODst, or ODst and OSrv, etc). * OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #988860: "Logging missing when firewall start is aborted". When iptables script generated by fwb_ipt finds missing interfaces, it prints error message both on stdout and sends it to the log. 
2004-07-10 * FWObject.cpp (_moveToDeletedObjects): now move deleted objects to the special library with id 'sysid99' rather than delete them completely. This serves two purposes: 1. can easily provide for undelete function which is very useful 2. can catch a situation when an object has been deleted from the external library but is still used in the data file * FWObjectDatabase.cpp: while merging object trees, checking for deleted objects. If an object is present in the current tree but has been deleted in the file being merged in, special form of conflict resolution dialog is shown. User has only one option - to delete the object from the file. Typical situation when this happens is when an object from external library is used in a rule or group in a data file, then this object is deleted in the external library. If this external library is preloaded and then the data file using this object is opened, conflict occurs because this object is present in the file but is in the "Deleted objects" in the library. The problem is that the library is read-only, so if we kept the object (actually, its copy coming from the data file), the user would not be able to delete it. So, not only object magically reappeared after it has been deleted from the library, it appeared in read-only library and can not be deleted anymore. To avoid this situation we must delete it in the file if it has been deleted in the library. * ObjectManipulator.cpp (delObj): "delete object" function moves it to "Deleted objects" library. * PrefsDialog.cpp (accept): Added checkbox "Show deleted objects" to the preferences dialog. If this option is on, user has access to deleted objects via library "Deleted objects". * ObjectManipulator.cpp (contextMenu): pull-down menu item "Move" turns into "Undelete" if an object is in "Deleted objects" library. This provides for a simple undelete function. 2004-07-09 * PolicyCompiler_ipt.cpp (processNext): fixed bug #925199: "compiles wrongly a double negation".
Policy compiler for iptables generated incorrect code for rules where two rule elements used negation (i.e. both src and dst, or dst and srv, etc.) * PolicyCompiler_ipt.cpp (prolog): fixed bug #978854: "false rule generated for fw object in interface rule". Policy compiler for iptables generated incorrect code for rules using negated firewall object in source or destination when global option "assume firewall is part of any" was turned off. * fwb_ipt: implemented Feature Request #913273: make "assume fw is part of any" a per-rule option 2004-07-08 * FWWindow.cpp (setupAutoSave): Added an option for autosave - if this option is turned on, the gui periodically saves data to the file. The autosave interval can be set between 1 minute and 2 hours. * ipt.cpp (main): fixed bug #917422: "compiler misinterprets interface with addr 0.0.0.0". If an interface has IP address "0.0.0.0", it is considered an error. * added option "strip comments in the script" to the installer for Linksys and PIX * do "nvram uset rc_firewall" before loading fw script on Linksys * added the following to the list of errors for Linksys /dev/nvram: Cannot allocate memory * skip table "mangle" when flushing iptables rules 2004-07-07 * NATCompiler_ipt_writers.cpp (processNext): fwb_ipt does not include comments in the script if it is intended for linksys firewall. Linksys has small nvram and script should be kept small, otherwise it may not fit in nvram. * NATCompiler_pf.cpp (processNext): fixed bug #986518: "PF redirection always point to loopback address" 2004-07-06 * instDialog4.cpp (stateMachineLinksys): Activating policy on Linksys/Sveasoft without reboot (using command "nvram get rc_firewall | /bin/sh" instead) * OSConfigurator_linux24.cpp (prolog): added an option to firewall platforms iptables, ipfilter, pf and ipfw that sets up a policy rule to permit ssh access from one specified IP address to the firewall regardless of other rules.
This is for a backup ssh access from the management workstation in case of an error in the policy that locks user out of the firewall. The option (a checkbox and entry field for the management station address) is located in the "Compiler" tab of the firewall settings dialog. A command that permits ssh to the firewall from the given address is added on top of all other rules. Because this rule precedes everything else in the policy, no other rule can restrict it: the address entered here should be a single trusted management host, and the option should be turned off when it is not needed. 2004-07-05 * RuleSetView.cpp (dropEvent): fixed bug #985187: "Usability bug: Copy objects from one rule to another". Dragging an object from one rule to another with Ctrl down makes a copy. If Ctrl is up, then the object is moved. * instDialog4.cpp (stateMachineLinksys): Added support for Linksys devices running Sveasoft firmware. Firewall object should be configured as platform "iptables", host OS "linksys". Policy installer works both using password and public key authentication. * NATCompiler_pf_writers.cpp (processNext): fixed bug #985527: pf NAT rules miss destination port specification. NAT rules that translate to "map" missed destination port specification. * main.cpp: the gui can now use external wrapper scripts for ssh and scp all the way (removed all direct references to commands "ssh" and "scp", use whatever is configured in preferences everywhere) 2004-07-04 * RuleSetView.cpp (contextMenu): fixed bugs in the rule selection. The user can select one rule with a simple left-click on the rule number, or multiple consecutive rules using shift-left-click. Selecting non-adjacent rules with ctrl-click is not supported; ctrl-click acts as normal click. Right-click calls context menu and uses existing selection if click is on one of the selected rules, or resets it if click is outside of the selection. 2004-06-29 * ObjectTreeView.cpp (dragObject): implemented drag and drop of multiple objects. User can select and then drag several objects from the tree to a group or a rule. * LibExportDialog.cpp (accept): a change in the export library algorithm. 
We now permit exporting several libraries to one file, but check that all these libraries have only references to each other and to objects in the Standard lib and have no references to objects in libraries that are not going to be exported to the same file. This ensures integrity of this file and helps avoid pulling objects from other libraries into it. User can edit objects in the exported libraries by opening this file as usual; the GUI does not preload libraries configured in Preferences/Libraries when .fwl file is opened and unlocks all libraries in this file so objects can be edited. This way user can edit objects and move them between libraries in the .fwl file. 2004-06-28 * RCS.cpp (RCSEnvFix): fixed a bug (no #) that appeared only on Windows: the GUI failed to check a file in to RCS if it was launched by windows explorer via file extension association. * platform.cpp: pull-down "versions" is now translatable and says "1.2.9 or later" for iptables v > 1.2.9 2004-06-26 * LibExportDialog.cpp: when a library is exported to a file, the program checks whether any groups or rules in this library use objects in the other libraries. Only self-contained libraries can be exported. 2004-06-24 * PolicyCompiler_ipt.cpp (processNext): fixed bug #979484: "improper command for rule with service any and action reject." For rules like that, and if rule options dialog does not specify particular way to handle this combination, the compiler splits the rule; the first iptables command rejects any tcp packet with TCP RST, while the second rejects everything else with ICMP message. * minor bugfixes in the gui * incorporated changes suggested by a user to make code compile with gcc 3.4 2004-06-23 * LINGUAS: added Vietnamese translation .po file * FWBSettings.cpp (init): Option "do not save standard libraries in the user's data file" is now ON by default. User can still turn it off though. 
* FWWindow.cpp (save): Usability fixes in methods that work with libraries: - library files have extension .fwl - preloaded libraries are always read-only (flag RO is set when library file is loaded, regardless of the value this attribute has in the file) - user can open library file using normal File/Open operation. Read-only flag is cleared when library file is opened, so it can be edited. File can be added to RCS and saved using normal File/Save or File/SaveAs operations. - When user opens library file for editing, other libraries that are configured in Preferences/Libraries are not preloaded. 2004-06-22 * LibExportDialog.cpp (init): when object library is exported to a file, the file gets extension .fwl to distinguish it from the regular data file. The GUI allows to export only one library to a file. * FWWindow.cpp (fileDiscard): added main menu function "File/discard" which discards all changes that have been made to the data and saved to the file and checks out a clean copy of its head revision from RCS. This provides for a quick way to roll back to the latest revision; changes that were never checked in to RCS are lost. Older revisions can be checked out from RCS using list of versions in the right hand panel in open file dialog (this creates a branch in RCS). 2004-06-20 * IPv4Dialog.cpp (DNSlookup): "DNS Lookup" button in the IP address dialog runs dns query for the name of the address object and if that fails, repeats query for the name of the host or firewall object this address belongs to. If address object is in the folder "Addresses", it does only one DNS lookup on its name. 2004-06-18 * ObjectManipulator.cpp (ObjectManipulator): disabled ability to drop objects into groups in the tree. It was confusing and not really useful. Objects can still be dropped into a group opened in the editor dialog. * ObjectTreeView.cpp (dragObject): enabled dragging of all objects in the tree. 
It turns out, QListView will highlight multiple items in the tree in Extended selection mode when user drags mouse across items _and_ the first item they started cursor move on is not drag-enabled. So, to avoid this unexpected highlighting behavior, need to enable drag of all objects. We then make sure that system folder can not be dropped anywhere. 2004-06-16 * Compiler_ops.cpp (checkForShadowing): fixed bug #906709: "A dynamic interface". Dynamic interface used to "shadow" old broadcast object (0.0.0.0) * OSConfigurator_linux24.cpp (configureInterfaces): fixed bug #912849: "Reorder activation of network interfaces in IPT" - script generated by the compiler for iptables sets default policy to DROP, flushes all rules and then reconfigures interfaces of the firewall (it used to reconfigure interfaces and then flush the rules). The new order closes the window during which interfaces were already reconfigured but the old rules had not yet been flushed and the DROP default policy not yet set. * IPv4Dialog.cpp (DNSlookup): Button "DNS lookup" in the IP address editor dialog does DNS lookup on the address object name if the object is located in the "Addresses" folder, or on the parent host object name if it belongs to an interface of a host or a firewall. * ObjectManipulator.cpp (moveObject): refactored "move object" functions and added debug printing. Trying to debug crash reported by one of the users. 2004-06-15 * ObjectEditor.cpp (hide): checking if screen position for the dialog is 0,0 and not storing this value. This should help to work around a weird bug where screen position of dialogs sometimes is returned as 0,0 when GUI runs in Gnome. * Object names and comments are stored in the object file in UTF-8 format. This allows for names and comments to be entered and displayed in local languages. Although object names can be localized, it is recommended to keep firewall names in plain ASCII because compilers do not support UTF-8 yet. This fixes very old bug #657156: "Special characters problem". 
2004-06-13 * init.cpp (init): the program uses reasonable default for the directory where user might want to save their data files on each OS. ( $HOME on Unix, $HOME/Documents on Mac, $USERPROFILE/Documents in windows) * ObjectManipulator.cpp (updateObjName): whenever user changes the name of a firewall, host or an interface object, the GUI asks whether they want to also rename all IP and MAC addresses that belong to that firewall or host. If user agrees to rename them, the program generates names automatically using scheme 'host_name:interface_name:ip' and 'host_name:interface_name:mac' 2004-06-12 * newHostDialog.cpp (selected): implemented "new host" wizard. User can choose to add interfaces manually or can use a library of predefined host object templates. 2004-06-10 * PolicyCompiler_pf_writers.cpp (_printDstService): fixed a bug (no number) where fwb_pf would not include code defined by custom service object in the .conf file 2004-06-08 * ObjectManipulator.cpp (copyObj): implemented multi-object and multi-rule copy/cut/paste operations * ObjectManipulator.cpp (moveObject): implemented "move object" operation - moves object to another library; operation is accessed via pull-down menu in the object tree. 2004-06-06 * ObjectManipulator.cpp (groupObjects): added ability to select multiple objects in the tree. Currently the following operations are performed on multiple objects: delete, duplicate, group. * ObjectManipulator.cpp (groupObjects): operation of grouping of selected obejcts. User selects several objects in the tree and choses menu item "group" in the pull-down menu; the GUI brings up a dialog asking for the new group name and a library it should be put in. New group is created and all selected objects are automatically added to it when user hits "Create group" button. 
2004-06-05 * pixAdvancedDialog.cpp (accept): added "Installer" tab to the PIX firewall settings dialog * FWBSettings.cpp (getScreenPosition): checking if the window fits in the screen before restoring its geometry. * ObjectListView.cpp (dragObject): setting hot spot in the center of the object icon for drag and drop. * FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed): showing group members in tooltips and conflict resolution dialog * ObjectEditor.cpp (ObjectEditor): redesigned ObjectEditor class. All individual object editor classes are now inherited from QDialog and are top-level windows. Class ObjectEditor is just a manager that opens and hides appropriate dialog and manages its size and position on the screen. Geometry is remembered separately for each dialog for each object type, so we can have group object editor open wider than, say, IP service object editor. Each object editor has its optimal size. * pfAdvancedDialog.cpp (pfAdvancedDialog): yet another redesign of PF firewall settings dialog. Using individual checkboxes to enable/disable each "limit" and "timeout" option * ipt.cpp (main): all compilers do not create any files if there was an error during rule processing (not even empty ones) 2004-06-04 * RuleSetView.cpp : Info window shows properties of an object selected in rules * RuleSetView.cpp (paintCell): added tooltips for objects in the policy view, using the same detailed properties text that is used for Info panel. * iptAdvancedDialog.cpp (accept): the actual command that installer should run on the firewall to activate the policy can now be specified in the "installer" tab of firewall settings dialog for all platforms. If this input field is left blank, installer will run firewall script, using sudo if user name used to authenticate to the firewall is not 'root'. On Windows, installer also does chmod +x on the file. 
* FWBSettings.cpp (setSSHPath): directory path and a file name for the secure file transfer and secure shell utilities can be configured in the Preferences (tab "SSH"). This allows for using different SSH packages on Windows, as well as using SSH installed in a non-standard directory on Unix. 2004-06-03 * ObjectTreeView.cpp (dragObject): standard folders in the tree can not be dragged into groups or rules and open/close on double click. Regular objects open editor on doubleclick. * ipt.cpp (main): compiler for iptables sets up PATH environment variable at the beginning of the generated script. This is particularly useful if policy is compiled on windows or mac for Linux firewall that runs unknown version of Linux, so we can't be sure where standard tools such as iptables, lsmod etc are located. Most systems place them in /sbin, but for example SuSe places iptables in /usr/sbin. If policy is compiled on one of the Linux systems, we assume generated script will run on the same system (which may not be true, btw), but if we compile on Windows, there is no way to know where these tools are located beforehand. In this case we need PATH. Since the generated script runs as root, this PATH must list only absolute, root-owned system directories (such as /sbin and /usr/sbin), never the current directory or a user-writable location. User can always override this behavior and specify full path to all tools explicitly. 2004-06-02 * linux24.xml.in: changed "Linux 2.4" to "Linux 2.4/2.6" in all menu * iptAdvancedDialog.cpp (iptAdvancedDialog): removed "log all dropped packets" option from the firewall settings dialog for iptables. This option required p-o-m patch that has become obsoleted and is not included in p-o-m anymore. * FWWindow.cpp (install): when user hits "Install", the GUI checks if objects in the database were modified since policy of a firewall has been compiled last time. If existing policy file is older than the database, program offers the user to compile it before it is installed. There are options to recompile, install old copy or cancel the operation. 
2004-05-31 * RuleSetView.cpp: Added support for operations that act on multiple rules: setting rule color, moving to a different position in rule set, disabling/enabling, deleting. User can select multiple rules by dragging mouse across several rows in the column that shows rule numbers. Copy/Cut/Paste operations of multiple rules are not supported yet. 2004-05-29 * RuleSetView.cpp (dragObject): implemented drag-and-drop of objects in the rules * utils.cpp (setDisabledPalette): all entry fields in the object editor are disabled if an object is read-only or is located in read-only library. Object editor is still opened for read-only objects, but since all fields are disabled, changes are not allowed. Opening object editor for read-only and standard objects allows for inspection of their properties. * FWWindow.cpp (load): file objects_init.xml does not include empty "User" library anymore. Instead, this library is created dynamically using method FWBTree::createNewLibrary when user creates new data file. This simplified things since 1) "User" library now has unique random ID in every data file so it can be safely exported and then imported back without any conflicts; 2) since its ID is unique, it can be renamed without creating any conflicts. The library is only created in FWWindow::load() (i.e. when new data file is created). It is not created when existing data file is loaded because it is supposed to be there. Old data files that still have this library with semi-standard ID will load it as before, but the ID loses its standard meaning. 2004-05-23 * filePropDialog.cpp (filePropDialog): added "File properties" main menu item and dialog * debugDialog.cpp (debugDialog): added "debug" menu item under "Help" 2004-05-20 * instDialog.cpp : built-in installer works with all supported firewall platforms: iptables, ipf, pf, ipfw and pix. 
* instDialog.cpp (instDialog): built-in installer reads list of files that policy compiler generated for a given firewall object ("manifest") from the .fw file and installs them on the firewall. One file in the manifest needs to be marked as executable, installer runs it after all files are copied. * all policy compilers: all compilers include a list of files generated for a given firewall object ("manifest") in .fw file. 2004-05-18 * RuleSetView.cpp (contextMenu): split long context menu that used to be shown when user clicked right mouse button on an object in a rule. Now this menu has only actions related to the object, while actions for the whole rule belong in the context menu shown when user clicks right mouse button on the rule number. * fr.po, ru.po: checked in updated French translation by Jean-Michel Poure and added some rudimentary Russian translation. Both translations are done in UTF-8. 2004-05-15 * init.cpp (init): define global var localepath that is initialized with a path to the directory where translation files (*.qm) are installed. This path is defined as $respath/locale on all systems (on Unix this typically is /usr/share/fwbuilder/locale, while on Windows and Mac it will be a subdirectory "locale" in the directory where the binary is installed) 2004-05-14 * ColorLabelMenuItem.cpp (ColorLabelMenuItem): implemented RFE #725461: "Colors". Added ability to color-code rules in the policy. User can pick one of the 7 predefined colors (plus none) in the pop-down menu that appears when they right-mouse-click on the policy or NAT rule. Custom text can be associated with each color using a panel in the Preferences dialog, this text appears as a tool tip when user flies mouse cursor over color buttons in the pop-down menu. 2004-05-12 * src/gui/ui: QT's ui translator uic creates code in this directory. This allows me to add generated files to the internationalization infrastructure (include in the .pot file). 
also added *.cpp files in src/gui/ui to cvs so translators can look at them to better understand context without having full QT development environment. 2004-05-09 * PolicyCompiler_ipt.cpp (processNext): fixed bug #934949: "duplicate rules". fwb_ipt created duplicate rules for a bridging firewall if fw object or its interfaces or their addresses were not in the source or destination 2004-05-04 * newFirewallDialog.cpp (accept): "new firewall" wizard can create a new firewall object using predefined templates from the file templates.xml (the file is a part of the package and is installed in /usr/share/fwbuilder on Linux and in c:\FWBuilder\resources on Windows). User picks a template and the program creates a duplicate of the template object in the "User" object library. The wizard page where user picks template shows a diagram of the firewall configuration that illustrates its interfaces, their configuration and addresses. Comment text associated with template object explains its specific properties and is shown on the page as well. 2004-05-02 * templates.xml.in : a library of firewall object templates. This library is a part of the distribution and is installed in ${prefix}/share/fwbuilder on Linux and BSD and in C:FWBuilder/resources on windows (the same dir where standard objects are installed). This library is not loaded by default though. * listOfLibraries.cpp (listOfLibraries): Added a page to the preferences dialog to manage add-on libraries. The GUI maintains a list of available add-on libraries and allows user to define which ones will be automatically loaded when the GUI is started. The program always adds "standard" and "templates" libraries to the list, then scans directory $HOME/.fwbuilder/lib/ ( C:\FWBuilder\lib on windows) and adds all .fwb files found there to the list. It stores list of libraries in the user's preferences together with a boolean flag that is set if a library should be loaded on a start-up. 
Library added using main menu "Import Library" is also added to the list so the user can make the program load it automatically. 2004-04-29 * Makefile.in: Added support for internationalization. Using gettext 0.14.1. This is the first version where support for QT language files is available, but it is not available in RedHat or other Linux distributions yet. Therefore had to copy some m4 macro collections from example to directory 'm4', as well as copied a Makefile.in and script remove-potcdate.sin to directory 'po'. New version of xgettext recognizes standard QT localization method tr() and can generate usual .pot files from strings used with it. The new msgfmt can generate .qm files from translated .po files. 2004-04-25 * instDialog.cpp (cmd): this method can be used whenever we need to execute several commands on the firewall sequentially. * (instDialog): install dialog hides incremental install options if 'diff' program can not be found (perhaps compiler that comes with it is not installed) * instDialog2.cpp (PIXincrementalInstall): integrated with fwb_pix_diff * instDialog2.cpp (PIXbackup): implemented function that stores backup copy of firewall configuration in a file. Such a backup typically contains sensitive data (password hashes, keys), so the file should be kept with restricted permissions. 2004-04-18 * findDialog.cpp (find): 'find object' function is implemented by means of an external modeless dialog that allows for searching in the tree and or policy rules and supports matching with regular expressions. * newFirewallDialog.cpp (getInterfacesViaSNMP): 'new firewall' wizard can discover interfaces using SNMP. Finished work on the page where user can arrange interfaces according to their security levels. 2004-04-15 * newFirewallDialog.cpp (accept): added 'new firewall' wizard. Still need to work on the page where user sets security levels of interfaces. 2004-04-14 * VERSION (BETA): added a variable in the VERSION file that designates code revision as beta and stores beta testing period expiration time (+30 days). 
Currently only About dialog shows this time, but in the future I may make the program disable itself if it is used past this time. The released version won't have this limitation. This can be used to prompt people to upgrade, so I do not have to support old versions. 2004-04-11 * FWBSettings.cpp (restoreGeometry): added ability for dialogs to automatically remember and restore their geometry (size and relative position on the screen). Currently only main window, conflict resolution dialog and object editor dialogs do this. Geometry is stored in preferences. Main window comes up with a default geometry 100,100,750,600 (x,y,w,h) when no geometry is found in settings. 2004-04-10 * FWWindow.cpp (ConflictResolutionPredicate): implemented conflict detection and resolution for the "merge" operation. The same mechanism works for "open file" since it is also based on merge. When there is a conflict during merge, the program opens a dialog and asks the user which copy of the object they want to keep. 2004-04-09 * instDialog3.cpp (stateMachineSSHSUDO): builtin installer works with Linux/BSD systems using combination of ssh on the client side and sudo on the firewall. User provides a password for authentication and the program logs in into the firewall as that user, copies firewall script to "/etc/fw" (directory path is hardcoded), then executes it using sudo. Sudo should be configured for this user or a group she belongs to to be able to execute this script as root with no password. Note that a user who can both write the script and run it as root via sudo without a password effectively has root privileges on the firewall, so this account (and its password or key) must be protected accordingly. 2004-04-08 * instDialog.cpp (instDialog): added universal (hopefully) policy installer program. The program uses ssh in a background on both Unix and Windows (on Windows it requires putty/plink) to communicate with the firewall. Currently only supports PIX but I will add Linux/BSD later. Installer GUI asks user for a password. 
2004-04-07 * RuleOptionsDialog.cpp (loadFWObject): added rule options dialog for ipt 2004-04-06 * FWWindow.cpp (search): implemented advanced search method that finds and highlights objects both in the tree and in any rule of any firewall. This resolves problem outlined in Feature Request #837448: '"Where used" only shows fw objects' 2004-04-04 * FWWindow.cpp (save): implemented saving data file without making copies of objects in the 'Standard' library (Feature Request #810504). This feature is considered experimental and is off by default. An option in Preferences dialog activates it. * FWWindow.cpp (load): All load is done via merging of the loaded file with a standard object tree. Now we can load files saved without copies of unused standard objects. * FWWindow.cpp (fileImport): implemented data import. Using method FWObjectDatabase::merge to merge imported data with current object tree. Only object IDs are compared, so modified standard object in the imported file will be ignored and its changes will be lost. 2004-04-03 * export.cpp (exportLibrary): Implemented library export * StartWizard.cpp (StartWizard): added simple startup wizard that asks user if they want to open existing file or create a new one. It also sets some useful preferences such as adds new file to RCS and makes the program automatically open it when it is started next time. * OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers): Fixed bug #956544: "Error into load modules script generation", where generated script would not load kernel modules with names "module.ko.gz". Regular expression should match on ".ko.*$" to find these modules properly. Thanks to Andrey Kaminsky who pointed this out. * RuleSetView.cpp (doubleClicked): double-clicking on an object in the policy rule opens that object in the editor 2004-04-02 * ObjectManipulator.cpp (ObjectManipulator): using combobox widget instead of a tab widget for libraries. 
This way we can fit more libraries without making interface cluttered. 2004-03-31 * ipt.cpp (main): the GUI saves path to the DTD and resources in user's settings using QT QSettings class. Policy compilers and other tools can read this setting to quickly determine location of DTD and resources. 2004-03-29 * getting rid of STL classes in the GUI. The idea is to make GUI use QT classes in most of the code and use STL classes such as 'string', 'map', 'list' where it has to pass data to and from API which is STL-based. This should simplify using QT compiled without STL support (much less conversions between string and QString). 2004-03-28 * main.cpp (main): the data file can be specified on a command line both as an argument for option '-f' and after all options. Option '-f' is preserved for compatibility with old versions. Preferred method is to specify the file name as a parameter without any option: "fwbuilder file.fwb" 2004-03-27 * platforms.cpp (getVersionsForPlatform): usability improvement: "combo boxes" that do not allow typing in them should not have empty choices. Fixed this for a drop-down menu of version numbers in firewall dialog. 2004-03-26 * RuleSetView.cpp (insertRule): counting rules from zero in the GUI * (RuleSetView): this is not a change, I just wanted to document that I tested the GUI with a policy that has 1000 rules. I haven't noticed any delay in loading this policy compared with when it had <100 rules. 2004-03-25 * FWWindow.cpp (fileSaveAs): gui automatically chooses working dir if none is set and user calls 'file save as' menu item : * on Unix will use current dir. * on Windows will use user's document dir. * NATCompiler_ipt.cpp (processNext): added a workaround for a bug (no number): if address range object was used in SNAT or DNAT rule and option 'manage virtual addresses' was on, compilerwould not add virtual address properly. It still won't do it, but at least there is a check for this situation and it prints appropriate warning message. 
The problem with this is that if the range is large, we end up with potentially lots of virtual addresses. Let the user deal with this themselves. * ipt.cpp: compiler(s) understand new command line option '-R', which should specify a full path to the resources. This is useful on Windows and Mac where resources are installed in a non-fixed place by the GUI package, but need to be used by the compilers. 2004-03-24 * ObjectManipulator.cpp (contextMenu): each system group object in the tree has an item in its pop-down menu that allows user to quickly add an object to that group. * IPv4Dialog.cpp (DNSlookup): added ability to determine IP address of an Address object using DNS lookup (using QDns class) * FWBSettings.cpp (FWBSettings): explicitly setting scope for QSettings as "User" 2004-03-22 * ObjectManipulator.cpp (addTreePage): added attribute 'ro' to all elements in DTD (see API). This provides for a way of locking down parts of the tree. Note that this is a lock enforced by the GUI, not an access control on the data file: anyone who can edit the file can change the attribute. * ObjectManipulator.cpp (addTreePage): read-only subtrees are marked with an icon of a lock and text 'read-only' * objects_init.xml : standard objects tree is now read-only. User objects can not be moved into 'standard' tree and standard objects can not be edited but can be duplicated (a copy is automatically created in the first user-defined library, most often it is a library 'User') * FWWindow.cpp (install): GUI supplies a path to the firewall object as a parameter to installation script rather than just its name (as before). This is because the path has changed when library element has been added. Changes made in the GUI (send path instead of name) and in fwb_install script (to make it interpret path). 2004-03-21 * pixosAdvancedDialog.cpp (pixosAdvancedDialog): 'advanced host settings' dialog for PIX * RuleSetView.cpp (contentsMousePressEvent): selectedObject is chosen in mouse press and key press event handlers; got rid of currentChanged slot all together. 
This eliminated flicker that was caused by extra repaint of the cell when selected object was chosen in currentChanged slot. 2004-03-20 * DialogData.cpp (DialogOption): universal class to load and save data in dialogs * pixAdvancedDialog.cpp (pixAdvancedDialog): 'advanced' firewall options dialog for PIX. Implemented tabls 'Compiler options', 'Prolog/Epilog', 'Timeouts' and partially 'Fixups'. Fixup pages are disabled using resource string that defines which fixups are available in certain PIX version. * FirewallDialog.cpp (openFWDialog): firewall dialog saves version from the widget to the object before opening 'advanced' firewall options dialog. This is a departure from the dialog logic where all data is stored when user clicks 'Apply changes' button. 2004-03-19 * FWBSettings.cpp: added support for an "object autosave" option (automatic saving of changes in dialogs while switching between objects) * RuleSetView.cpp (insertRule): added main menu items "insert rule" and "add rule after current" * RuleSetView.cpp (contextMenu): added pop-up menu items for adding, removing and moving rules up and down, as well as standard copy/cut/paste operations on moves. Similar menu items added to the main menu. * RuleSetView.cpp (paintCell): implemented double-buffering in paintCell to improve performance and remove flickering 2004-03-17 * FWBSettings.cpp: saving the size of the info window in settings * RCSFileDialog.cpp (RCSFileDialog): 'open file' dialog automatically looks for files in the working directory configured in a global preferences dialog. * main.cpp (main): added a global setting "startup action" in Preferences. Currently two actions are available: "load standard objects" and "load last edited file". * FWBSettings.cpp (FWBSettings): a specialized wrapper for QSettings. I will be adding methods to this class to simplify access to whatever global program preferences and options I need. Currently it supports 'working dir' and 'info window style' settings. 
Settings are stored in a platform-dependent way as QSettings does it. 2004-03-16 * NATCompiler_ipt_writers.cpp (_printOPorts): minor bugfix - fixed typo ( '==' -> '=' ) * ObjectEditor.cpp (closeEvent): object editor checks for modifications before closing if user closes it using window manager buttons. * FWWindow.cpp (unselectRules): the main window maintains single selection across objects in the tree and in the policy view. Selecting an object in the tree automatically unselects object in the policy and vice versa. Now I can implement copy/cut/paste functions driven by the main menu; these operations will work on the currently selected object either in the tree or in the policy. * FWWindow.cpp (editCut): copy/cut/paste operations work between the tree and policy views using both context menus and main menu. * ipt.cpp: output stream is created with a mode ios::binary on Windows * RCS.cpp (isDiff): having problems with rcsdiff.exe in windows, for now will assume that the file always changes and needs checkin comment. 2004-03-15 * RCS.cpp (co): using windows-specific functions to create a temporary file for the file checkout * global.h: added redefinition of macro assert to be able to use it on windows where we compile without debugging info. (the reason I do not build Debug version on win32 is because I use precompiled libraries libxml2 etc that are built using Release CRT, and I can't mix different runtimes). * RCS.cpp (co): GUI makes sure that if the file has been opened and locked by a user, another user can only open it read-only. This is a cooperative lock honored by the GUI, not file-system access control. The same user has a choice of opening it read-only or read-write. The latter case is useful in case of a program crash that leaves opened files in the locked state. * RCS.cpp (co): added ability to open older revision of the file read-only. Requested revision is checked out into temporary file, which is then loaded and immediately deleted. The object tree is locked read-only and 'save' and 'save as' operations are disabled. 
2004-03-14 * RCS.cpp (add): using "rcs -i -kb" to add a file to RCS, this should help avoid extra CR in the file while working on windows because it makes RCS use binary mode while working with the file. 2004-03-13 * ObjectManipulator.cpp: GUI redesign: switched to a single window design. Object manipulation happens inside three classes: ObjectManipulator (the tree widgets and algorithms), ObjectEditor (a stack of editor widgets and a glue logic), object info browser (class QTextBrowser). Object editor appears as a non-modal dialog when user double-clicks an object in the tree. Single click updates data in the info window but does not open the editor. Objects can be selected in the tree in any supported way - keyboard arrows, keyboard shortcuts, hitting the first letter of the object's name, mouse click. In any case, appropriate object is selected and info window is updated with its attributes. Info window has three modes: collapsed (there is no info window), showing only comment attribute and showing brief summary of object's parameters and a comment. User can switch between modes using a button located on the main window panel directly under the info widget. 2004-03-12 * build environment is based on qmake: file qmake.inc is included from qmake project files in all subdirectories. File qmake.inc defines all variables for all platforms, so project files in subdirs only add lists of files and take care of exceptions. File qmake.inc is generated by configure, but all substitutions are only needed for Unix and Mac. This file is checked in to cvs so it could be used on Windows without a need to run configure. All qmake project files in subdirectories need no substitutions by configure, so they all are checked in to cvs and can be used on windows right away. Qmake project files fwbuilder2.pro and src/src.pro use template 'subdirs' and make qmake descend into subdirectories and rebuild projects there. 
Now using qmake to generate Makefile and MSVC project files in src/fwblookup, src/fwbedit, src/ipt. Makes it easier to generate consistent MSVC projects without having to edit them manually. resource files (src/res/*.xml and src/res/*/*.xml) are generated by configure, however, since substitutions made in them are only relevant on Unix and Mac, generated files are checked in to cvs so they can be used on windows without running configure. No need to run configure (or autogen.sh) on Windows anymore. To build on Unix and Mac: $ autogen.sh $ make $ make install To build on windows: run qmake, then make in the root dir. of the project Open fwbuilder2.dsw in MSVC and rebuild all * NATCompiler_ipt.cpp, PolicyCompiler_ipt.cpp and others in src/ipt: code cleanup. Removed all unused variables and added handling for 'default' case in switch operators. 2004-03-10 * FWWindow.cpp (compile): implemented main menu items "Rules/compile" and "Rules/install". Still need to add toolbar buttons though. * execDialog.cpp (execDialog): a dialog for a background execution of external commands. This class is used to call external policy compilers and installer scripts. Uses QT class QProcess. * ipt.cpp: transfered compiler for iptables over to fwb2. Only minor changes: new file name schema (*.h, *.cpp); proper choice of the directory where resource files are located; eliminated last dependencies on glib 2004-03-09 * iptAdvancedDialog.cpp (accept): firewall settings dialog saves all data in the object. 2004-03-07 * iptAdvancedDialog.cpp (iptAdvancedDialog): firewall settings dialog for iptables. Saving of the data back in the firewall object is not implemented yet. * DialogFactory.cpp (createDialog): DialogFactory: class that creates dialogs for all object types. * FWBTree.cpp (FWBTree): refactored code: all methods that enforce our standard tree structure now belong to the class FWBTree * TimeDialog.cpp (applyChanges): added dialog for the Time interval object. 
2004-03-06 * GroupObjectDialog.cpp (setupPopupMenu): added pop-up menu in the group view (both icon and list modes) with oprations copy,cut,paste and delete. * all dialogs: object is moved from library to library when user clicks 'apply changes' (before it would move immediately when the library was changed in the pop-down menu). * CustomServiceDialog.cpp (loadFWObject): added dialog for the Custom Service object 2004-03-05 * PropertyEditor.cpp (copyObj): added pop-up menu to object tree view; implemented functions 'duplicate', 'copy', 'cut', 'paste' 2004-03-04 * ObjectTreeView.cpp (contentsMouseReleaseEvent): objects in the tree are selected with double-click. 2004-03-03 * RuleSetView.cpp (getRE): added platform capabilities check for columns 'Time' and 'log/options' in policy views * RuleSetView.cpp (dragMoveEvent): support for d&d of Time objects 2004-03-02 * InterfaceDialog.cpp (loadFWObject): added dialog elements for interface security level, 'external' checkbox, network zone. * RCS.cpp (isDiff): added a wrapper for rcsdiff in RCS class 2004-02-29 * PropertyEditor.cpp (createObject): properly creating interfaces and addresses for the firewall object * further testing and improvements in RCS integration 2004-02-28 * FWWindow.cpp (load): file can be opened with or without RCS, a head revision or any specific revision, read-write or read-only. File name, revision number and read-only status is displayed on the main window's title bar. * FWWindow.cpp (load): added ability to open data files read-only * RCS.cpp (RCS): refactored the code, made class RCS a wrapper for the command-line rcs tools. It should be possible to use the same or similar interface for other version control system if needed. 2004-02-26 * RCSFilePreview.cpp (showFileRLog): Open File dialog shows RCS revisions of the chosen file in a preview panel. Added button "add to RCS" that allows user to add selected file to RCS right from the "open file" dialog. 
Added elements for opening file read-only and with or without locking (but these functions have not been implemented yet). 2004-02-23 * RCS.cpp (rlog): class RCS provides simple integration with RCS. Uses portable functions provided by QT to call external RCS programs. * configure.in: added checks for external RCS programs ci, co, rlog. 2004-02-22 * FWWindow.cpp: added basic integration with RCS. Every time a data file is opened, it is checked out from RCS and locked. If the file has not been added to RCS, an initial checkin is performed with a generic comment. Every time an opened file is saved (using "save" or "save as" menu), it is checked in and kept in a locked state. A new menu item "File/Close" has been added; this menu item checks the file in and removes lock (does 'ci -u') so other users can work on it, then it reopens a standard objects database in the GUI. Opening a file while another file is already opened in the GUI causes the latter to be closed (checked in and lock removed) and a new one opened as described above. still TODO: add a dialog to ask the user for a checkin comment text. Add a global option "Use RCS" so that using version control is optional. Test the whole thing on Windows. 2004-02-16 * PropertyEditor.cpp (PropertyEditor): added dialogs for interface, MAC address, network, address range and other objects. * FWObjectDrag.h: implemented custom drag class FWObjectDrag; all widgets dynamically check if the object being dragged can be dropped in them. User can drag objects from the tree into groups and rules, as well as from a group into the tree. 2004-02-08 * IPServiceDialog.cpp (libChanged): implemented gui elements and support for moving objects between libraries. 2004-01-20 * added dialog for object IPv4. This object can now be created in a standard place in the tree in a group Objects/Addresses as well as as a child object of interface (as before in fwbuilder 1). 
This allows for using object IPv4 as an abstract for an IP address which is simpler than using a Host object. 2004-01-04 * GroupObjectDialog.cpp: Experiment: user and standard object tree views have different background colors. This provides simple visual clue of what library the object shown in the editor panel belongs to. This is especially useful if a standard object is referenced from the user defined group and user opens it; in this case the tree switches from user-defined objects to the standard onces but this switch may not be evident from the first glance, thus user loses context and may be confused why his objects apparently have gone away. 2004-01-03 * PropertyEditor.cpp (PropertyEditor): property editor has window type "dialog" and always stays on top of the main window. Implemented simple history feature for the object navigation and added a button "Back" to the toolbar. * GroupObjectDialog.cpp (loadFWObject): group object dialog can now show group contents as a set of icons or as a list; switching between two modes is done using toggle buttons a-la file list modes in the "open file" dialog. * PropertyEditor.cpp (loadObjects): merged object tree and object property editor in one dialog. 2003-12-20 * main.cpp (main): resources and preferences files can now be found dynamically, using a full path to the directory the binary has been launched from. The RES_DIR macro defined in config.h now specifies relative path to the resource files starting from the application root dir. If program is installed in /usr/local/bin, then the application root is "/usr/local" and resources should be located in /usr/local/$RES_DIR directory. 
fwbuilder-5.3.7/doc/Credits000066400000000000000000000130331303637203600156010ustar00rootroot00000000000000$Id: Credits 899 2005-12-14 06:58:43Z vkurland $ We would like to thank the following people who helped us in various ways to make this project happen: Special thanks to Friedhelm Dsterhft for help with XML development and initial XSLT filters implementation. For icons for Firewall Builder v2.x : Hector Rivera Falu For icons and a first web site: Tanya Soussokolova For debugging on SuSE, building packages for SuSE and for help with answering support requests: Marc Pfefferkorn For German translation for Firewall Builder v1.x: Marc Pfefferkorn Jens Hektor Axel Stenkamp For localization patch (gettext support) and French translation for Firewall Builder v1.x: Florent MANENS For French translation for Firewall Builder v2.x Jean-Michel Pour̩ For Japanese translation for Firewall Builder v2.x Tadashi Jokagi For Swedish translation for Firewall Builder v2.x: Daniel Nylander For ideas, suggestions, patches and contributions: ------------------------------------------------------------- Friedhelm Dsterhft" - many suggestions and prototype for DTD. Jeremy T. Bouse - package maintainer for Debian - libxml2 support. - X.509 certificate generation druid assistance - iptables/iproute2 patches Carlo Wood - many valuable patches and bug reports - suggestions regarding rpm building process and changes to spec file Jochen Friedrich - ideas for future development Vadim Fedukovich - help with OpenSSL and answering related questions. 
David Gullasch and stephan_r@users.sourceforge.net - firewall policy installation script Igor Morozov - first attempt at Win32 porting and a prototype Mark Vevers - for an idea and a patch that fixes optimizer in fwb_ipt Patch information: Author: Mark Vevers Copyright (c) 2004 Research Machines Plc Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
Compal GmbH, Germany, Tidei Maurizio, fwbuilder-routing@compal.de - For contribution of the code that adds support for static routing for Linux Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Steven Mestdagh - for the code for the static routing configutation for PIX Copyright (c) 2008 Steven Mestdagh Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Heiko Helmle - for valuable ideas and suggestions that lead to improvement of support for Linux static routing configuration fwbuilder-5.3.7/doc/FWBuilder-Routing-LICENSE.txt000066400000000000000000000023161303637203600213540ustar00rootroot00000000000000 Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. fwbuilder-5.3.7/doc/PatchAcceptancePolicy.txt000066400000000000000000000031531303637203600212120ustar00rootroot00000000000000$Id: PatchAcceptancePolicy.txt 152 2004-03-27 17:11:54Z vkurland $ Firewall Buider Project welcomes user contributions. 
Because we would like not to be limited in future licensing options of the code, authors of all submitted patches must agree that their contribution is donated to our project under terms of following license (this is MIT license): ------------------------------------------------------------------------- Copyright (c) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------------------------------------------------------------------------- When submitting the patch please state that you agree with this license. 
fwbuilder-5.3.7/doc/README.cluster000066400000000000000000000133531303637203600166260ustar00rootroot00000000000000 Firewall Builder Clustering Add-On ================================== Copyright (c) 2009 secunet Security Networks AG, Germany Copyright (c) 2009 Adrian-Ken Rueegsegger Copyright (c) 2009 Reto Buerki Index ----- 1 - Introduction 2 - Definition 3 - Usage 4 - Example 5 - Things to consider 6 - References Introduction ------------ The Firewall Builder Clustering Add-On provides the possibility to manage multiple firewall objects together as one Cluster object. Cluster objects are used to configure HA (High Availability) features like conntrack [1] and VRRP [2] (Virtual Router Redundancy Protocol). Definition ---------- In the context of this Add-On a 'cluster' object is regarded as a meta-object grouping multiple firewall objects. This allows for a much simpler and convenient configuration of a HA scenario. The configuration is done once for the meta-object 'Cluster' and automatically compiled and distributed for each cluster member firewall. [cluster] (meta-object) | | +-----------------+-----------------+ | | | [fw1] (object) [fw2] (object) [fwX] (object) Usage ----- To use the clustering feature, you need to create firewalls which will be part of a HA cluster and create the cluster itself. The following two sections describe the necessary steps. Firewall configuration ~~~~~~~~~~~~~~~~~~~~~~ Make sure that all firewalls of a cluster use the same host OS and platform. The host OS and platform of all cluster member firewalls must match the one specified for the cluster itself. 
The following diagram defines two firewalls configured appropriately as cluster members: [fw1] [OS: secunet wall, Platform: iptables] | +---o eth0: outside (ext) | +---o IP: 172.24.0.2/255.255.0.0 | +---o eth1: inside +---o IP: 192.168.1.2/255.255.255.0 [fw2] [OS: secunet wall, Platform: iptables] | +---o eth0: outside (ext) | +---o IP: 172.24.0.3/255.255.0.0 | +---o eth1: inside +---o IP: 192.168.1.3/255.255.255.0 Both firewalls have an outside and an inside interface. In a cluster scenario, these interfaces will be combined to a redundant VRRP cluster interface. VRRP requires all interfaces joined to a VRRP group to be in the same subnet, with unique IP addresses. Cluster configuration ~~~~~~~~~~~~~~~~~~~~~ Now it's time to create a Cluster object which will act as meta-object for fw1 and fw2: [cluster1] [OS: secunet wall, Platform: iptables] | +---o eth0: outside (ext) | +---o IP: 172.24.0.1/255.255.0.0 | +---o Failover group0 (vrrp) | +---o eth1: inside (mgmt) | +---o IP: 192.168.1.1/255.255.255.0 | +---o Failover group1 (vrrp) | +---o State synchronization group (conntrack) Use the 'Manage Members' button to add firewall interfaces to the failover and state synchronization groups of the cluster. Additionally you need to specify which firewall interface is to act as master of the group. The firewall interfaces added to the state synchronization group will be used to keep the state information of the cluster members in sync. Typically the internal management interfaces are chosen as members of the conntrack group. For all cluster groups the IP addresses of it's firewall member interfaces have to be in the same subnet and the subnet mask must be identical to the one of the cluster interface. 
The following table shows the mapping of interfaces to cluster groups for our example configuration: +-----------------+--------------------+ | group | mapped interfaces | +-----------------+--------------------+ | State sync | fw1:eth1, fw2:eth1 | | Failover group0 | fw1:eth0, fw2:eth0 | | Failover group1 | fw1:eth1, fw2:eth1 | +-----------------+--------------------+ NAT/Policy/Routing Rules ~~~~~~~~~~~~~~~~~~~~~~~~ NAT, policy and routing rules are configured on the cluster meta-object. Rules are specified in the usual manner. Use the cluster object or its interfaces as rule elements as you would for a regular firewall. Compilation/Installation/Export ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It's possible to compile and install firewalls which are part of a cluster by selecting the cluster meta-object and the corresponding action (Compile/Install). If you perform such an action on the cluster meta-object, all member firewalls will be selected automatically. Thus the cluster object provides a convenient way to perform actions on all cluster member firewalls. NOTE: If you compile/install a firewall which is part of a cluster by using the compile/install action of the firewall directly, the cluster parts will be omitted from the generated script. Cluster template ~~~~~~~~~~~~~~~~ This Add-On includes Cluster templates which can be used as a starting point for complex cluster configurations. Enable the 'Use preconfigured template cluster object' checkbox when creating a new cluster object to use these templates. Example ------- The scenario described in this README can be found as an example Firewall Builder file here [3]. For more examples on how to configure different cluster scenarios see the Firewall Builder Cookbook. Things to consider ------------------ * Host OS and platform of firewall members must match OS and platform of the cluster. * Cluster member firewalls must have at least one physical interface attached. 
* All IP addresses of interfaces added to a cluster group must be in the same subnet. * All addresses of a cluster group must be unique. * Cluster interface names must be unique per cluster. References ---------- [1] - http://conntrack-tools.netfilter.org/ [2] - RFC3768 - Virtual Router Redundancy Protocol (VRRP) [3] - doc/cluster_examples.fwb fwbuilder-5.3.7/doc/README.floppyfw000066400000000000000000000042461303637203600170140ustar00rootroot00000000000000 How to generate firewall script for floppyfw (http://www.zelow.no/floppyfw/index.html) 1. in Firewall dialog, tab "Firewall", set the following parameters: - "Load modules" - OFF - "Create virtual addresses for NAT rules" - ON - "Use numeric log levels" - ON 2. download and install rpm "fwbuilder-floppyfw-0.9.7" 3. in "Compile/Install" tab configure full path and name of the install script "/usr/bin/floppyfw_install.sh". Now you can compile policy in a usual way using menu Rules->Compile and then install it to floppyfw floppy using menu Rules->Install. Install script makes certain checks to verify that floppy you use indeed contains floppyfw code. Install script depends on mtools package. 4. some useful configuration parameters for floppyfw: - activate serial console for kernel boot-time messages and shell: in file "config" : SERIAL_CONSOLE=ttyS0 in file "syslinux.cfg" add "console=ttyS0,9600" kernel parameters: ------- file config ---------------------- # Choose the serial port for the console "n" for none. SERIAL_CONSOLE=ttyS0 ------------------------------------------ ------- file syslinux.cfg ---------------- default floppyfw display floppyfw.msg label floppyfw kernel vmlinuz append initrd=initrd.gz root=/dev/fd0 console=ttyS0,9600 ether=0,0,0,eth0 ether=0,0,0,eth1 ------------------------------------------ - logging via syslog: in file "config" set USE_SYSLOG=y and add "-R" to log to remote loghost ------- file config ---------------------- # Turning on syslogd and klogd. 
# This is a nice thing but will eat CPU which is why it is turned # off by default. # USE_SYSLOG=y # This SYSLOG does not use syslogd.conf so we have to set things here. # Flags: # Log to /dev/tty3 instead of /var/log/messages which aren't exactly a # good idea on a ramdisk. # -O /dev/tty3 # Log to network. host:port # -R 10.42.42.42:514 # Log to both network and file: # -L # --MARK-- 0 is no mark. # -m 0 # SYSLOG_FLAGS="-m 360 -O /dev/tty3" SYSLOG_FLAGS="-m 360 -R 10.42.42.4:514" ------------------------------------------ - do not forget to add a rule to the firewall policy to permit sending syslog packets from the firewall to your loghost fwbuilder-5.3.7/doc/README.iosacl000066400000000000000000000070401303637203600164130ustar00rootroot00000000000000 Policy compiler for Cisco IOS Access lists has been implemented as part of the Firewall Builder GUI as of version 2.1.12. The first functional build where the importer worked on all supported OSes was build 270 (May 22, 2007) Support for Cisco IOS access lists in Firewall Builder v2.1.12, build 270: ---------------------------------------------------------------- Features implemented in this version: - The compiler generates extended ACLs using "ip access-list extended" command. ACL names are automatically generated using abbreviated interface names and direction symbols to make it easy to figure out which ACL is which. Compiler uses rather minimal set of options of the "ip access-list" command and should generate code that will work for IOS 12.x. I did not test with 11.x but I am pretty sure it will work, at least with the latest versions of 11.x. - Compiler can also add commands to configure logging. - The GUI includes built-in installer for routers which works just like installer for PIX. Both installers were updated however to improve support for the automatic roll-back feature in case you lose the connection with the firewall or the router because of an error in the policy. 
Now you can make the installer schedule a reboot in a few minutes, then upload the new policy or ACLs and then cancel the reboot if the upload was successful. While before the auto-rollback option was only available if you installed in the test mode, now you can always use it. Test mode means that the installer does not save configuration in the permanent memory, as before. - All three installation methods that were available for PIX are now available for routers: you can make it clear all access lists and then load new ones or just update access lists without clearing. The last method (the "safety net" method) creates a temporary acl to permit communication with the management station, assigns it to the interface marked as management interface, then clears all access lists and loads new ones and in the end swaps in the proper list on the management interface. This helps prevent locking yourself out of the router in the middle of the installation process in case of an error in the ACL and at the same time does not leave the router without acls for the time it takes to install the new policy. In combination with automatic roll-back, the installation process is pretty reliable. - New option has been added to the interface object, called "unprotected". This allows you to mark some interfaces to be skipped by the compiler when it picks interfaces for ACL rules. This should be useful when you have routers with many interfaces and only want to add ACLs to some of them. Also, you can explicitly put interface objects into policy rules and specify direction if you want to do this manually. - Since router ACLs are stateless, all rules should be created in the policy pretty much like you do it on the router, including rules that permit reply packets. New option has been added to the TCP Service object, called "established". This makes the compiler use option "established" in rules it generates if it is supported by the firewall platform. 
Compilers for iptables, ipfilter, pf and PIX can not use objects with this option and treat it as an error because corresponding platforms do not support it. IPFW, on the other hand, supports it so compiler fwb_ipfw can use it. Shortcomings of this version: - "tos", "precedence" and "time-range" options are not supported - "igmp" access lists cannot be generated fwbuilder-5.3.7/doc/README.ipf000066400000000000000000000104121303637203600157140ustar00rootroot00000000000000fwb_ipf(1) Firewall Builder fwb_ipf(1) NAME fwb_ipf - Policy compiler for ipfilter SYNOPSIS fwb_ipf [-vVx] [-d wdir] -f data_file.xml object_name DESCRIPTION fwb_ipf is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). This compiler generates code for ipfilter. Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates ipfilter configuration files and firewall activation script. All generated files have names that start with the name of the firewall object. Firewall activation script has extension ".fw" and is simple shell script that flushes current policy, loads new filter and nat rules and then activates ipfilter. IPFilter configuration file name starts with the name of the firewall object, plus "-ipf.conf". NAT configuration file name also starts with the name of the firewall object, plus "-nat.conf". For example, if firewall object has name "myfirewall", then compiler will create three files: "myfirewall.fw", "myfirewall-pf.conf", "myfirewall-nat.conf". The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. OPTIONS -f FILE Specify the name of the data file to be processed. -d wdir Specify working directory. Compiler creates firewall activation script and ipfilter configuration files in this directory. 
If this parameter is missing, then all files will be placed in the current working directory. -v Be verbose: compiler prints diagnostic messages when it works. -V Print version number and quit. -x Generate debugging information while working. This option is intended for debugging only and may produce lots of cryptic messages. NOTES Support for ipf returned in version 1.0.1 of Firewall Builder Supported features: o both ipf.conf and nat.conf files are generated o negation in policy rules o stateful inspection in individual rule can be turned off in rule options dialog. By default compiler adds "keep state" or "modulate state" to each rule with action 'pass' o rule options dialog provides a choice of icmp or tcp rst replies for rules with action "Reject" o compiler adds flag "allow-opts" if match on ip options is needed o compiler can generate rules matching on TCP flags o compiler can generate script adding ip aliases for NAT rules using addresses that do not belong to any interface of the firewall o compiler always adds rule "block quick all" at the very bottom of the script to ensure "block all by default" policy even if the policy is empty. 
o Address ranges in both policy and NAT Features that are not supported (yet) o negation in NAT o custom services Features that won't be supported (at least not anytime soon) o policy routing URL Firewall Builder home page is located at the following URL: http://www.fwbuilder.org/ BUGS Please report bugs using bug tracking system on Source Forge: http://sourceforge.net/tracker/?group_id=5314&atid=105314 SEE ALSO fwbuilder(1), fwb_ipt(1), fwb_pf(1) FWB fwb_ipf(1) fwbuilder-5.3.7/doc/README.ipfw000066400000000000000000000050661303637203600161100ustar00rootroot00000000000000fwb_ipfw(1) Firewall Builder fwb_ipfw(1) NAME fwb_ipfw - Policy compiler for ipfw SYNOPSIS fwb_ipfw [-vVx] [-d wdir] -f data_file.xml object_name DESCRIPTION fwb_ipfw is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). This compiler generates code for ipfw - a firewall and traffic shaper in FreeBSD (see ipfw(8)). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates firewall configuration and activation script. The generated file has a name that starts with the name of the firewall object, with an extension ".fw". It is a shell script that flushes current policy, then loads new filter and nat rules. The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. OPTIONS -f FILE Specify the name of the data file to be processed. -d wdir Specify working directory. Compiler creates firewall activation script in this directory. If this parameter is missing, then all files will be placed in the current working directory. -v Be verbose: compiler prints diagnostic messages when it works. -V Print version number and quit. 
-x Generate debugging information while working. This option is intended for debugging only and may produce lots of cryptic messages. NOTES Support for ipfw was added in version 1.0.10 of Firewall Builder URL Firewall Builder home page is located at the following URL: http://www.fwbuilder.org/ BUGS Please report bugs using bug tracking system on Source Forge: http://sourceforge.net/tracker/?group_id=5314&atid=105314 SEE ALSO fwbuilder(1), fwb_ipt(1), fwb_pf(1) fwb_ipf(1) FWB fwb_ipfw(1) fwbuilder-5.3.7/doc/README.ipt000066400000000000000000000041111303637203600157310ustar00rootroot00000000000000fwb_ipt(1) Firewall Builder fwb_ipt(1) NAME fwb_ipt - Policy compiler for iptables SYNOPSIS fwb_ipt [-wvV] [-d wdir] -f data_file.xml object_name DESCRIPTION fwb_ipt is the firewall policy compiler component of Firewall Builder (see fwbuilder(1)). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates resultant iptables script. The script is written to the file with the name the same as the name of the firewall object, plus extension ".fw". The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. OPTIONS -f FILE Specify the name of the data file to be processed. -d wdir Specify working directory. Compiler creates file with iptables script in this directory. If this parameter is missing, then iptables script will be placed in the current working directory. -w Suppress compiler's warnings -v Be verbose: compiler prints diagnostic messages when it works. -V Print version number and quit. 
URL Firewall Builder home page is located at the following URL: http://www.fwbuilder.org/ BUGS Please report bugs using bug tracking system on Source Forge: http://sourceforge.net/tracker/?group_id=5314&atid=105314 SEE ALSO fwbuilder(1), fwb_ipf(1), fwb_pf(1) FWB fwb_ipt(1) fwbuilder-5.3.7/doc/README.junos000066400000000000000000000007071303637203600163020ustar00rootroot00000000000000Policy compiler for Junos Access lists has been implemented as part of the Firewall Builder GUI as of version 5.3.0. Support for Junos Access lists in Firewall Builder v5.3.0: ---------------------------------------------------------------- Features implemented in this version: - The implementation is based on code from Cisco IOS Access lists and shares codebase where applicable. More extended testing is needed to find bugs and differences. fwbuilder-5.3.7/doc/README.nxosacl000066400000000000000000000010611303637203600166050ustar00rootroot00000000000000Policy compiler for Cisco NXOS Access lists has been implemented as part of the Firewall Builder GUI as of version 5.2.0. Support for Cisco NXOS access lists in Firewall Builder v5.2.0, build 3600: ---------------------------------------------------------------- Features implemented in this version: - The implementation is based on Cisco IOS Access lists with small modifications. Support for Session Manager is added, and the rest should probably work as NXOS is quite similar to IOS. More extended testing is needed to find bugs and differences. 
fwbuilder-5.3.7/doc/README.osx000066400000000000000000000007511303637203600157540ustar00rootroot00000000000000Requirements: * XCode + Command Line Tools * Qt5 * - Qt4 is deprecated * autoconf, automake, libtool, net-snmp Easy install with Homebrew: $ brew install autoconf automake libtool net-snmp qt5 * Beware of buggy macdeployqt in Qt5 > 5.5 Fix permissions $ sudo chmod -R u+w /usr/local/Cellar/net-snmp Add qt to PATH, e.g. $ export PATH=/usr/local/Cellar/qt55/5.5.1/bin:$PATH Clone repository and $ cd fwbuilder && chmod +x build_mac.sh && ./build_mac.sh $ open fwbuilder.app/ fwbuilder-5.3.7/doc/README.pf000066400000000000000000000111521303637203600155450ustar00rootroot00000000000000fwb_pf(1) Firewall Builder fwb_pf(1) NNAAMMEE fwb_pf - Policy compiler for OpenBSD packet filter "pf" SSYYNNOOPPSSIISS ffwwbb__ppff [[--vvVVxx]] [[--dd wwddiirr]] --ff ddaattaa__ffiillee..xxmmll object_name DDEESSCCRRIIPPTTIIOONN ffwwbb__ppff is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). This compiler generates code for OpenBSD Packet Filter (pf). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates pf configuration files and firewall activation script. All generated files have names that start with the name of the firewall object. Firewall activation script has exten sion ".fw" and is simple shell script that flushes current policy, loads new filter and nat rules and then activates pf. PF configuration file name starts with the name of the firewall object, plus "-pf.conf". NAT configuration file name also starts with the name of the firewall object, plus "-nat.conf". For example, if firewall object has name "myfirewall", then compiler will create three files: "myfirewall.fw", "myfirewall-pf.conf", "myfirewall- nat.conf". The data file and the name of the firewall objects must be specified on the command line. Other command line parame ters are optional. 
OPTIONS -f FILE Specify the name of the data file to be processed. -d wdir Specify working directory. Compiler creates firewall activation script and PF configuration files in this directory. If this parameter is missing, then all files will be placed in the current working directory. -v Be verbose: compiler prints diagnostic messages when it works. -V Print version number and quit. -x Generate debugging information while working. This option is intended for debugging only and may produce lots of cryptic messages. NOTES Support for PF has been introduced in version 1.0.1 of Firewall Builder Supported features: o both pf.conf and nat.conf files are generated o negation in policy and NAT rules o grouping in "from", "to" and ports using '{' '}' syntax o if checkbox "Scrub" is checked in the rule options dialog, and rule's action is Accept, the compiler generates two (almost) identical rules: first with action 'scrub' and the second with action 'pass quick' o stateful inspection in individual rule can be turned off in rule options dialog. By default compiler adds "keep state" or "modulate state" to each rule with action 'pass' o rule options dialog provides a choice of icmp or tcp rst replies for rules with action "Reject" o compiler adds flag "allow-opts" if match on ip options is needed o compiler can generate rules matching on TCP flags o compiler can generate script adding ip aliases for NAT rules using addresses that do not belong to any interface of the firewall o compiler always adds rule "block quick all" at the very bottom of the script to ensure "block all by default" policy even if the policy is empty. 
o Address ranges in both policy and NAT Features that are not supported (yet) o custom services What will not be supported (at least not anytime soon) o policy routing UURRLL Firewall Builder home page is located at the following URL: hhttttpp::////wwwwww..ffwwbbuuiillddeerr..oorrgg// BBUUGGSS Please report bugs using bug tracking system on Source Forge: hhttttpp::////ssoouurrcceeffoorrggee..nneett//ttrraacckkeerr//??ggrroouupp__iidd==55331144&&aattiidd==110055331144 SSEEEE AALLSSOO ffwwbbuuiillddeerr((11)),, ffwwbb__iipptt((11)),, ffwwbb__iippff((11)) FWB fwb_pf(1) fwbuilder-5.3.7/doc/README.pix000066400000000000000000000417651303637203600157550ustar00rootroot00000000000000 Firewall Builder for PIX Version 3.0.0 Summary of Features Usage: Like all Firewall Builder policy compilers, policy compiler for PIX has the following command line options: fwb_pix [-vV] [-d wdir] -f data_file.xml object_name +------------------------------------------------------------------------+ | -f FILE | Specify the name of the data file to be processed. | |---------+--------------------------------------------------------------| | -d wdir | Specify working directory. Compiler creates file with PIX | | | configuration in this directory. If this parameter is | | | missing, then PIX configuration will be placed in the | | | current working directory. | |---------+--------------------------------------------------------------| | -v | Be verbose: compiler prints diagnostic messages while it | | | works. | |---------+--------------------------------------------------------------| | -V | Print version number and quit. | +------------------------------------------------------------------------+ Compiler reads objects definitions and firewall description from the data file specified with '-f' option and generates resultant Cisco PIX configuration file. The configuration is written to the file with the name the same as the name of the firewall object, plus extension '.fw'. 
Normally you won't have to call policy compiler on the command line because Firewall Builder GUI does it automatically when you use main menu item 'Rules/Compile'. The GUI calls compiler with options -f and -d (if working directory is specified in the GUI Options dialog). Option '-v' can be added in the 'Compile/Install' tab of the firewall object dialog. Network Zones In order to be able to assign generated access lists to interfaces of the firewall, policy compiler needs information about network topology. This information is relayed to it through the special parameter on firewall's interface called Network Zone. Network Zone is a network object or a group of objects that reflect all networks that are located 'behind' given interface. In other words, it is assumed that only packets with source addresses belonging to the Network Zone can enter this interface. Because access lists are assigned to interfaces on the strength of this assumption, a Network Zone that does not match the real topology results in rules being attached to the wrong interface. See Users Guide for more detailed explanation of this concept. Policy: When rule includes services 'telnet' or 'ssh' and destination is firewall itself or one of its interfaces, compiler generates commands 'telnet' or 'ssh'. When rule includes any ICMP service and destination is firewall or one of its interfaces, compiler generates command 'icmp'. In all other cases compiler generates 'access-list' and attaches it to one or several interfaces. Compiler can emulate outbound ACL. We do not use commands 'outbound/apply' since they are deprecated and Cisco recommends using access lists. Compiler supports address range objects; it expands them to the set of individual addresses. Since PIX does not support checking for IP options, rules that use IP Service objects with any options will cause compiler to stop processing of the policy and print error message. The same goes for checking TCP options and flags. There is one exception though: for IP object with options 'all fragments' or "'short' fragments" compiler generates command 'sysopt security fragguard'. Where possible, compiler creates and uses object-groups. 
In this version different object-groups may contain the same objects, this will be fixed in the future releases. Policy compiler can perform check for shadowing rules, this is controlled by an option in the GUI. NAT Compiler supports global pools; for rules that use network or address range objects in Translated Source, compiler creates global pools with appropriate addresses. Dynamic translation rules where Translated Source is a firewall or one of its interfaces generate global pool with option 'interface' Dynamic translation rules that create translation going from lower security level interface to the one with higher security level generate command 'nat ... outside' Compiler generates 'nat 0 ' commands for rules that require no translation NAT compiler can perform the following checks for rule consistency and correctness: * check for duplicate 'nat' rules * check for overlapping global pools * check for overlapping 'static' rules * check for 'static' rules overlapping with global pools 'timeout' commands User can configure 'timeout' commands using 'Advanced' dialog in the Firewall tab of the firewall object dialog. Firewall Builder has information about default values of all parameters for 'timeout' commands for PIX v6.1 and 6.2. All configured timeout commands can be reset to their default values with a button 'Set all to defaults'. 'fixup' commands User can configure 'fixup' commands using 'Advanced' dialog in the Firewall tab of the firewall object dialog. Firewall Builder has information about default values for all parameters for 'fixup' commands for PIX v 6.1 and 6.2. All configured fixup commands can be reset to their default values with a button 'Set all to defaults'. 'logging' commands Policy compiler can generate 'logging' commands for syslog, internal buffer and console logging. For syslog user can specify server name or address, syslog message queue size, facility and level. For internal buffer and console logging the level can be specified. 
User can also enable logging timestamps for syslog logging. All logging parameters are located in the 'Advanced' dialog in the Firewall tab of the firewall object dialog. 'ntp' commands Policy compiler can generate commands to configure NTP protocol. Up to three NTP servers can be specified, one of which can be marked as preferred. 'snmp' commands Policy compiler can generate commands to configure SNMP agent. SNMP communities can be specified in the GUI (they are written into the generated configuration file, so that file should be protected accordingly). SNMP 'sysinfo' data, such as location and contact can also be defined in the GUI. Two SNMP servers can be configured, each of them can be configured for polling, traps or both. Compiler can also generate command 'snmp-server enable traps' to send log messages as SNMP trap notifications. 'sysopt' and 'floodguard' commands Policy compiler can use the following 'sysopt' commands which are controlled by the GUI elements in the 'Advanced' dialog in the Firewall tab of the firewall object dialog: * sysopt connection tcpmss * sysopt connection timewait * sysopt security fragguard * sysopt nodnsalias inbound * sysopt nodnsalias outbound * sysopt route dnat Compiler can also generate command 'floodguard enable/disable'. Options found in the "Firewall" tab of the firewall dialog and their meaning: +------------------------------------------------------------------------+ | Version: | PIX OS version, choices are 6.1 and 6.2 | |----------------+-------------------------------------------------------| | Prolog Script: | this is a list of any PIX configuration commands that | | | will be included on top of generated configuration | | | file. No syntax or other checks are done on commands | | | in this list. | |----------------+-------------------------------------------------------| | Epilog Script: | this is a list of any PIX configuration commands that | | | will be appended at the end of generated | | | configuration file. No syntax or other checks are | | | done on commands in this list. 
| +------------------------------------------------------------------------+ Policy Compiler Options: +------------------------------------------------------------------------+ | Assume firewall | For all rules where source or destination is 'any', | | is part of Any | compiler generates PIX commands as if there was one | | | more rule with firewall objects in the same rule | | | element. In the case of PIX there is a difference | | | only if service in the rule uses objects | | | representing ssh, telnet and any icmp protocols, in | | | which case it generates commands "ssh", "telnet" or | | | "icmp" in addition to the regular access list | | | command. | |------------------+-----------------------------------------------------| | Replace NAT'ed | PIX inspects packet with access lists before it | | objects with | performs address translation. Many other firewall | | their | platforms do it the other way around. This option | | translations in | turns on emulation of the firewall that does NAT | | policy rules | first. | |------------------+-----------------------------------------------------| | Emulate outbound | Normally PIX does not support outbound access | | ACLs | lists. This option turns on emulation of outbound | | | ACLs. | |------------------+-----------------------------------------------------| | Generate 'clear' | If this option is ON, compiler generates 'clear' | | commands | commands to reset any pre-existing access lists, | | | object-group, nat, global, static, telnet, ssh and | | | other commands. | |------------------+-----------------------------------------------------| | Optimize | simplifies nat rules if object in Original Source | | 'default nat' | is the same as the Network zone of one of the | | rules | interfaces. Network zone of the interfaces defines | | | all networks that are located "behind" this | | | interface. 
This means that packets entering the | | | interface may have source address only belonging to | | | the Network zone of this interface. Since policy | | | compiler can correctly assign nat rule to the | | | interface using information about its Network Zone, | | | explicit specification of the source address can be | | | omitted. | |------------------+-----------------------------------------------------| | Ignore empty | Policy compiler can find and eliminate empty groups | | groups in rules | if they are used in the policy rules. If this | | | option is OFF, compiler treats empty groups as an | | | error and aborts compilation. If it is ON, then it | | | removes empty groups from rule elements. If rule | | | element becomes empty (that is, becomes 'any') | | | after the last empty group has been removed, then | | | the whole rule is ignored. This may be useful if | | | you need to control access to or from flexible | | | group of hosts and do not want to make changes to | | | the firewall policy rules. In this case you can | | | create a group of hosts or networks and use it in | | | the rule. Any changes to the set of hosts that need | | | control can now be made in the group, with the rule | | | staying intact. If for some reason the group | | | becomes empty because all hosts have been removed, | | | compiler will ignore the rule instead of treating | | | empty group as 'any'. | +------------------------------------------------------------------------+ Script formatting: +------------------------------------------------------------------------+ | Comment the code | If this option is activated, compiler adds comments | | | to the configuration file | |------------------+-----------------------------------------------------| | Group similar | If this option is activated, compiler groups | | commands | similar commands next to each other, just like PIX | | together | device does it in the output of "show config" | | | command. 
Otherwise commands are grouped logically: | | | first go all object-group commands, then all | | | access-lists, then all nat, global and static | | | commands. Commands access-list, nat, global and | | | static are grouped by the rules they were generated | | | for, as they appear in the GUI. If one rule | | | requires several access-list commands assigned to | | | different interfaces, these commands are grouped | | | together. Command "show conf" groups access-list | | | commands by their interface. | +------------------------------------------------------------------------+ Verification of Policy Rules: +------------------------------------------------------------------------+ | Detect rule | Shadowing happens because a rule is a superset of a | | shadowing in the | subsequent rule and any packets potentially matched | | policy | by a subsequent rule have already been matched by a | | | prior rule. If this option is activated, compiler | | | detects this situation and abort compilation with | | | an error message. | +------------------------------------------------------------------------+ Verification of NAT rules: +------------------------------------------------------------------------+ | Check for | If this option is activated, compiler checks | | duplicate nat | generated configuration for duplicate 'nat' | | rules | commands | |------------------+-----------------------------------------------------| | Check for | If this option is activated, compiler checks | | overlapping | generated configuration for overlapping 'global' | | global pools | address pools | |------------------+-----------------------------------------------------| | Check for | If this option is activated, compiler checks | | overlapping | generated configuration for 'static' commands that | | statics | use overlapping address ranges. 
| |------------------+-----------------------------------------------------| | Check for | If this option is activated, compiler checks | | overlapping | generated configuration for 'global' and 'static' | | global pools and | commands using overlapping address ranges. | | statics | | +------------------------------------------------------------------------+ Caveats: PIX does not support filtering by MAC address. Although GUI provides entry field for the MAC address, it is ignored by PIX policy compiler. static translation (DNAT) rules in fact create a bidirectional translation (not only translation from outside to inside, but also in the opposite direction using the same addresses). This is caused by the behavior of PIX command 'static' and can't be easily fixed. GUI option Logging is ignored because PIX can not turn logging on and off, it always logs blocked packets. There are no rule options available as of yet. Unlike in Linux/iptables and other firewall platforms, PIX inspects packet before it does NAT. Therefore policy rules that control access to NAT'ed hosts should use objects representing translated addresses instead of objects representing real hosts. Firewall Builder provides an emulation for the mode where NAT happens before the policy (ACL) inspection. Use checkbox "Replace NAT'ed objects with their translations in policy rules" to turn on this emulation. You can use objects representing real servers in the policy rules if this option is on. Version 3.0 does not support IPSEC configuration. fwbuilder-5.3.7/doc/README.pix_routing000066400000000000000000000015761303637203600175140ustar00rootroot00000000000000 Code for the static routing configuration for PIX has been contributed to the project by Steven Mestdagh under the terms of MIT license. From: Steven Mestdagh To: Vadim Kurland ??? Subject: Re: fwbuilder: routing for pix compiler It supports compiling rules to add static routes, i.e. 
if the routing table contains entries as: destination, gateway, interface, metric then these are written as: route The default metric on PIX is 1, so the GUI default value of 0 becomes 1 in the compiled rules. Below is an example of a typically generated rule: route outside 10.0.1.0 255.255.255.0 172.17.0.1 1 It does not support compiling any rules for routing protocols like OSPF, BGP, etc. Configuration of routing protocols should just be added to the prolog or epilog. fwbuilder-5.3.7/doc/README.policy_import000066400000000000000000000144701303637203600200370ustar00rootroot00000000000000 Policy importer has been implemented as part of the Firewall Builder GUI as of version 2.1.12. The first functional build were importer worked on all supported OS was build 270 (May 22, 2007) Policy importer uses ANTLR lexer and parser ( http://www.antlr.org/ ) Version 2.7.7 is used in Firewall Builder v2.1.12 ( http://www.antlr2.org/ ) Firewall Builder needs ANTLR C++ runtime header files and library and include these in the source tree under src/antlr. Unless you want to change the grammar (*.g files) you don't need to install ANTLR separately. All relevant ANTLR files are included in the package. For more information on ANTRL see: http://www.antlr2.org Policy import iptables configurations (v2.1.12, build 281 and later) ---------------------------------------------------------------- Features implemented in this version : - Importer can parse iptables config saved using iptables-save utility. Because of the huge variety of iptables modules, Importer can only interpret basic iptables configuration and a subset of modules. Currently the following modules are supported: * state * multiport * limit * mark - Importer creates firewall object with all interfaces. It can not assign object name for the firewall object nor add IP and MAC addresses to interfaces because this information is not present in iptables-save file. 
- option "Assume firewall is part of 'any'" is off in the created firewall object. Import is done this way in order to preserve logic of chains INPUT, OUTPUT and FORWARD in the recreated fwbuilder rules. Rules that had chain INPUT in the imported script will have firewall object in "destination" in the corresponding fwbuilder rules. Firewall object is placed in "Source" for rules with chain OUTPUT. For rules with chain FORWARD rule elements "Source" and "Destination" are populated with objects created using options "-s" and "-d" of the original rules or left empty ("any"). - all recognized iptables rules are imported and interface and direction are set in all rules appropriately. Interface objects are created as parser finds them in the script. - targets ACCEPT, DROP, REJECT, MARK and others are converted to the corresponding fwbuilder policy rule actions. Unrecognized targets and converted to branching rules, where the name of the target becomes the name of the branch. - SNAT, DNAT, MASQUERADING, REDIRECT and NETMAP targets and their parameters are recognized in the NAT rules. - Address and service objects are created in the process for all addresses and ports used in all rules. - iptables rules can refer to tcp/udp ports both by name or by number. Importer can properly interpret both formats using system function getservbyname() to convert service name to the port number. Since the result of this function depends on the OS, some port names may not convert on some systems. For example, Windows can convert more limited set of service names compared to Linux or BSD. - targets LOG and ULOG are converted to the "logging" option in fwbuilder rules with action "Continue". This is an empty action that does not affect packet flow through the firewall but can be used in combination with "logging" option to log the packet. If such empty (logging-only) rule is undesired, it must be manually merged with some other rule in the policy. 
- "--log-prefix", and "--log-level" options of the LOG target are recognized - "--ulog-prefix" option of the ULOG target is recognized. Other options of the ULOG target are not. - Address and service objects are reused in the process of import. - in case when importer fails to parse some part of the iptables-save file, corresponding policy rule is colored red and appropriate diagnostic message added to its comment. The problem must be corrected manually. - comments ("#") found inside access lists are ignored. Shortcomings of this version: - user-defined chains in table "nat" are not supported - no import of time intervals - no MAC address matching import Policy import of Cisco IOS access lists (v2.1.12, build 270) ---------------------------------------------------------------- Features implemented in this version : - Importer can parse router config saved using "show run" command. Although importer can only interpret a subset of IOS configuration commands, other commands that it does not understand will be ignored and should not affect operation. No manual editing of the config is required prior to import. - Importer creates firewall object with all interfaces - firewall object name is assigned if "hostname" command is found in the configuration. If this command is not present, the name remains generic "New Firewall" - interface addresses are assigned if command "ip address" is found (multiple addresses per interface are supported). Interfaces without "ip address" in the configuration are marked as "unnumbered" in the firewall builder object tree. - all access lists are imported and interface and direction are set in all rules appropriately - Address and service objects are created in the process for all addresses and ports used in access lists - IOS access lists can define ip protocol, icmp code and type, and tcp/udp ports both by name or by number. Importer can properly interpret both formats. 
- "log", "log-input", "fragments", "established" keywords are supported and translated into rule or object options as appropriate. - Address and service objects are reused in the process of import. - in case when importer fails to parse some part of the access-list command, corresponding policy rule is colored in red and appropriate diagnostic message added to its comment. The problem must be corrected manually. - "remark" commands found inside access lists are translated into rule comments - comments ("!") found inside access lists are ignored. Shortcomings of this version: - importer does not use address and service objects that existed in the tree before the operation has started, it creates new ones. Deduplication only works for objects created in the process of import. - the following keywords available in extended access lists are not supported at this time: tos, precedence, time-range. - igmp access lists are not parsed. fwbuilder-5.3.7/doc/README.routing000066400000000000000000000215221303637203600166310ustar00rootroot00000000000000 //=========================================================================\\ || Firewall Builder Routing Add-On || || || || Copyright (c) 2004 Compal GmbH, Germany || || Tidei Maurizio, fwbuilder-routing at compal.de || || || \\=========================================================================// Index 1 - Requirements 2 - Features 3 - Problems 4 - Future (1) Requirements ================ The routing rules composed in the gui can be compiled using the ip tables compiler, which now generates "ip route" commands, too. The "ip" command is available since Linux 2.2. The other compilers (ipf, ipfw, pf and cisco pix) simply ignore the routing rules. If you want to use ECMP routing rules (Equal Cost Multi Path), make sure your kernel is compiled with the CONFIG_IP_ROUTE_MULTIPATH option. 
(2) Features ============ The GUI's routing add-on offers object based definition of the routing rules, exactly the same way as you define policy rules. This enables you to use the same objects you already defined to build the firewall policy in your routing rules. You won't have to update them separately when you change something in your network. In the GUI a routing rule is composed of a Destination, a Gateway, an Interface, a Metric and the Comment. The following table shows what can be inserted for these elements: | | | | | |Destination |Gateway |Interface |Metric |Comment ------------------------|-------------------------------|---------------|---------------|-------|-------- What can be inserted? |all Objects under the |- ip-address |- interface |int |text |library's "Objects" section: |- interface | | | |- address ranges |- host | | | |- addresses | | | | |- groups | | | | |- hosts | | | | |- networks | | | | ------------------------|-------------------------------|---------------|---------------|-------|-------- Restrictions |none |Only one |The interface |0-255 |none | |interface or |has to be a | | | |host with ONE |child of the | | | |ip address can |current fire- | | | |be inserted |wall | | ------------------------|-------------------------------|---------------|---------------|-------|-------- Default value |"Default" (0.0.0.0/0) |none |none |0 |"" | | | | | To build a valid routing rule you have to insert at least one of the two elements gateway and interface. More than one path can be specified for one destination. "This approach is called 'Equal-Cost Multi-Path Routing' and is used for load balancing (Note that this does not provide failover). With ECMP, a router potentially has several available next hops towards any given destination. A new gateway is chosen for each new source/destination IP pair. This means that, for example, one FTP connection will use only one link, but new connection to a different server will use another link. 
This also means that routes to often-used sites will always be over the same provider. But on big backbones this should distribute traffic fine. Also this has another good feature - single connection packets do not get reordered and therefore do not kill TCP performance." (The last Paragraph is a quotation from "http://www.mikrotik.com/Documentation/manual_2.7/IP/Route.html") To create an ECMP rule simply specify several rules with different paths, i.e. different combinations of Gateway and Interface, for the same Destination and with the same metric. Example: Destination Gateway Interface Metric Comment hostA hostB eth1 0 first possible route hostA hostC 0 second possible route hostA eth3 0 third possible route If you try to insert a non-valid object in a field, it will be ignored and a message box informs you of the mistake. The "Default" route can be specified by inserting a new rule or deleting all the destination of an existing rule. Before compiling the rules, they traverse several checks, to make sure that only complete, non-ambiguous and non-concurring rules are translated into ip commands. Follow the instructions of the compiler to correct the errors. If no error was found, the rules are automatically classified in ECMP rules and non-ECMP. The ECMP rules are written out in a separated section of the firewall script after the "normal" routing rules. (3) Problems ============ 1. Please note that when executing a firewall script all existing routing rules previously set by user space processes will be deleted. To see which rules will be deleted, you can use the command "ip route show". All lines not including "proto kernel" will be deleted upon reload of the firewall script. 2. *** NOTE FOR REDHAT 8.0 *** Redhat seems to reset routing rules explicitly upon system startup. Therefore its hard to distinguish interface rules from rules setup by the user. On Redhat systems you need to include the interface basic routing rules into your fwbuilder routing setup. 
IF YOU DO NOT FOLLOW THIS HINT, YOUR MACHINE WILL FREEZE ANY NETWORK TRAFFIC UPON START OF THE FIREWALL SCRIPT. This means e.g. if eth0 has network 192.168.3.0/24 attached to it, you need to add a route with Destination=Network(192.168.3.0/24), Gateway empty and Interface=eth0. We encountered this problem on redhat 8.0. Other versions and distros might be affected too. Debian sarge and SuSE Linux work fine without interface routing rules being included in fwbuilders routing rules. 3. If the firewall script states that the ECMP routes could not be installed on your system, make sure your Kernel was compiled with the CONFIG_IP_ROUTE_MULTIPATH option or renounce to ECMP rules. 4. If you have interfaces with a dynamic address or a point-to-point address and you try to insert a routing rule for the default gateway, compilation might fail, stateing "gateway not reachable". Typically this is the case for DSL dialup links. Solution: leave the gateway field empty. Just specify the interface. Example: The firewall connects itself to the internet by a DSL link via interface ppp0. During dialup pppd configures the default route: default via 62.14.190.33 dev ppp After specifying a routing rule in fwbuilder Destination=default, Gateway empty, Interface=ppp0 and running the script on the firewall, the route looks like: default dev ppp0 scope link Besides this, the kernel generates another route automaticelly upon default gw setup: 62.14.190.33 dev ppp0 proto kernel scope link src 191.54.12.143 We tested this on Debian/sarge with kernel 2.4.27. Technical explanation: On compilation, fwbuilder checks if gateways are reachable through any local network of the firewall. Otherwise setting up routing rules will fail on the firewall upon install. In case of point-to-point interfaces fwbuilder doesn't know the point-to-point address of the interface. Therefore this check fails since for fwbuilder it looks like the gateway is not from any local network. 
The only workaround available so far is to leave the gateway empty and to specify the interface only. Pakets will find their way to the internet anyway, since they are traveling over a point-to-point interface. (4) Future ========== Ideas, that could be implemented in the future, are: - Multiple customizable routing tables The idea is to add an option to the policy rules enabling the user to mark matching packets with a color. For every used color a new routing table would have to be built, that will be used only for packets marked with the associated color. - Load balancing Another idea is to integrate more sophisticated load balancing options in fwbuilder's GUI. fwbuilder-5.3.7/doc/README.windows000066400000000000000000000105541303637203600166370ustar00rootroot00000000000000* The current tested way of building Firewall Builder for Windows is by using MXE (M cross environment) in combination with Docker and docker-compose The docker image is provided in docker/Dockerfile, and the container is mounting the current git directory In most cases, the following command will * Build the Docker image * Start the container * Compile and build installer $ docker-machine up Note, you'll need some binary utilities for the packaging stage: * GNU RCS * PSCP and Plink You may obtain the utilites from the following repo: https://github.com/fwbuilder/w32-bin *** The guide below is deprecated and is neither maintained nor tested *** * Set up development directory: c:\dev * Install MinGW-get in c:\dev\mingw + Select C compiler, C++ Compiler, MSYS Basic System and MinGW Developer ToolKit * Compile Qt OpenSource 4.8.5 + Download and unpack into c:\dev\qt\4.8.5 + Run cmd.exe + SET PATH=c:\dev\MinGW\bin;%PATH% + cd dev\qt\4.8.5 + configure -opensource -confirm-license -platform win32-g++ -release -no-qt3support -no-phonon -no-phonon-backend -no-multimedia -no-audio-backend -no-webkit -no-script -no-scripttools -no-declarative -nomake demos -nomake examples + mingw32-make * Open MinGW 
shell + mingw-get install msys-wget + mingw-get install msys-unzip + mingw-get install libtool * Compile libiconv + cd /c/dev/libs + wget "http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.14.tar.gz" + tar xzf libiconv-1.14.tar.gz + cd libiconv-1.14 + ./configure + make + make install-strip * Compile zlib + cd /c/dev/libs + wget "zlib.net/zlib128.zip" + unzip zlib128.zip + cd zlib-1.2.8 + make -f win32/Makefile.gcc + cp zlib1.dll /usr/local/bin + cp zconf.h zlib.h /usr/local/include + cp libz.a libz.dll.a /usr/local/lib + wget www.gaia-gis.it/spatialite-2.5.0/libz.la + cp libz.la /usr/local/lib * Compile libxml2 + cd /c/dev/libs + wget "ftp://xmlsoft.org/libxml2/libxml2-2.9.1.tar.gz" + tar xzf libxml2-2.9.1.tar.gz + cd libxml2-2.9.1 + export "CFLAGS=-I/usr/local/include" + export "LDFLAGS=-L/usr/local/lib" + ./configure --without-python + make + make install-strip * Compile libxslt + cd /c/dev/libs + wget "ftp://xmlsoft.org/libxml2/libxslt-1.1.28.tar.gz" + tar xzf libxslt-1.1.28.tar.gz + cd libxslt-1.1.28 + export "CFLAGS=-I/usr/local/include" + export "LDFLAGS=-L/usr/local/lib" + sed 's/\sdoc\s//' Makefile.am > Makefile.am.new + mv Makefile.am.new Makefile.am + sed 's/\sdoc\s//' Makefile.in > Makefile.in.new + mv Makefile.in.new Makefile.in + ./configure --without-python + make + make install-strip * Compile net-snmp + cd /c/dev/libs + wget "http://sourceforge.net/projects/net-snmp/files/net-snmp/5.7.2/net-snmp-5.7.2.tar.gz/download" + tar xzf net-snmp-5.7.2.tar.gz + cd net-snmp-5.7.2 + ./configure --prefix="/usr/local" \ --disable-embedded-perl \ --without-perl-modules \ --disable-agent \ --disable-applications \ --disable-manuals \ --disable-scripts \ --disable-mibs \ --disable-mib-loading \ --disable-des \ --disable-privacy \ --disable-md5 \ --disable-set-support \ --disable-snmptrapd-subagent + make + make install * Compile fwbuilder + cd /c/dev/fwbuilder + export PATH=".:/c/dev/qt/4.8.5/bin:/c/dev/qt/mingw/bin:$PATH" + export QMAKESPEC="win32-g++" + export 
"CFLAGS=-I/usr/local/include" + export "CPPFLAGS=-I/usr/local/include" + export "LDFLAGS=-L/usr/local/lib" + ./autogen.sh + make * Download and install NSIS from http://nsis.sourceforge.net/Download * Download and i * Make install package + cd /c/dev/fwbuilder + mkdir windows + cd windows + wget "www.cs.purdue.edu/homes/trinkle/RCS/rcs57pc1.zip + unzip rcs57pc1.zip + cp /local/bin/* bin/ + cp /c/dev/MinGW/bin/pthreadGC2.dll bin/ + cp /c/dev/MinGW/bin/libgcc_s_dw2-1.dll bin/ + cp /c/dev/MinGW/bin/libstd++-6.dll bin/ + cp /c/dev/qt/4.8.5/lib/QtCore4.dll bin/ + cp /c/dev/qt/4.8.5/lib/QtGui4.dll bin/ + cp /c/dev/qt/4.8.5/lib/QtNetwork4.dll bin/ + cd bin + wget "http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe" + wget "http://the.earth.li/~sgtatham/putty/latest/x86/pcsp.exe" + cd ../.. + $PATH/TO/NSIS/makesis.exe -nocd packaging/fwbuilder.nsi + explorer . fwbuilder-5.3.7/doc/README_animated_tutorial000066400000000000000000000174141303637203600207350ustar00rootroot00000000000000Анимация диалога состоит из таких классов: TutorialDialog TutorialAnimator TutorialHelper MouseBlocker Каждый из них представлен .cpp и .h файлом, а к TutorialDialog есть еще .ui файл с интерфейсом. Что и как делает каждый класс: TutorialDialog Это сам интерфейс, в котором демонстрируется html файл с инструкциями. Он также содержит слайдер для регулировки скорости демонстрации и кнопку Demonstrate, нажатие на которую запускает анимацию. Содержимое инструкций заружается из файла :/Tutorial/html/pageN.html ресурсов программы. Кнопки next и previous активны в зависимости от наличия файла для следующей/прошлой страницы. Скорость регулируется от 20 до 70. Это базовое и минимальное значение скорости в милисекундах, быстрее которого не будет происходить ниодно действите анимации. Например, симуляция ввода с клавиатуры будет происходить с паузой в это значение между нажатиями на кнопки. 
По нажатию кнопки Demonstrate считывается файл :/Tutorial/commands/pageN.txt из ресурсов программы, в котором должны находиться инструкции по анимации действий описаных в html файле, который отображается в данный момент. Для анимации создается инстанс класс TutorialAnimator с аргументами: ссылкой на TutorialDialog и текстом файла комманд. Далее запускает его, после чего управление передается этому классу. TutorialAnimator Является наследником QThread, чтобы не блокироваться при открытии модальных диалогов и меню. При инициализации первым делом прячет TutorialDialog и разбивает полученый текст файла команд на строки, каждая из которых является отдельной командой. Создает инстанс класса TutorialHelper в GUI потоке, через который будет позже манипулировать интерфейсом. При запуске блокирует ввод и движения мышки при помощи методов blockInput и blockMouse из класса TutorialHelper. После чего начинает последовательно выполнять комманды полученые при инициализации. В данный момент поддерживаются следующие комманды: moveMouse X Y moveMouse objectName1 [objectName2 [... objectNameN]] clickWidget objectName1 [objectName2 [... objectNameN]] typeWidget objectName1 [objectName2 [... objectNameN]] text hoverMenuItem menuName itemName|itemIndex clickMenuItem menuName itemName|itemIndex selectComboItem objectName1 [objectName2 [... objectNameN]] itemIndex selectListItem objectName1 [objectName2 [... objectNameN]] itemIndex selectTab objectName1 [objectName2 [... objectNameN]] itemIndex wait SECONDS moveMouse - переместить указатель мыши в указаную точку или в центр виджета. clickWidget - переместить указатель мыши в центр виджета и кликнуть. typeWidget - напечатать текст на клавиатуре когда указаный обьект в фокусе. hoveMenuItem - переместить указатель мыши на пункт меню. clickMenuItem - кликнуть пункт меню мышью. selectComboItem - открыть combo box и выбрать в нем элемент. selectListItem - выбрать элемент в списке при помощи мыши. 
selectTab - выбрать вкладку QTabWidget при помощи мыши wait - ожидать указаное кол-во секунд. Для каждой из них есть отдельный метод, который ее обрабатывает. Все манипуляции с интерфейсом происходят через класс TutorialHelper, который был создан раньше и выполняется в GUI потоке. Но так как из треда, в котором TutorialAnimator, вызов метода TutorialHelper приведет к его выполнению не в GUI-потоке, для вызова этих методов используется QMetaObject::invokeMethod с аргументом Qt::BlockedQueuedConnection. Это позволяет выполнить метод когда выполнение программы вернется в основной поток и блокировать выполнение потока TutorialAnimator пока вызваный метод не выполнится. Этот класс также содержит такие полезные методы как findChild, findWidget и getWidget, который наверняка пригодятся также для написания unit-тестов. Они позволяют рекурсивно искать обьекты по дереву обьектов программы. Для этого используется поиск в ширину. В отличии от стандартной функции findChild, эти методы умеют искать не просто первый обьект с указаным именем, а последний обьект в цепочке наследования. Например, комманда clickWidget MainWindow SomeWidget TargetButton означает: найти виджет MainWindow, в нем SomeWidget, в нем TargetButton и кликнуть ее. Также поддерживается поиск по имени класса: w#className. Например6 moveMouse w#FWWindow objectTreeView - найти обьект класса FWWindow, в котором найти objectTreeView и переместить курсор мыши в его центр. TutorialHelper Этот класс содержит все методы по манипулированию интерфейсом. Его методы вызываются из TutorialAnimator, но должны выполняться в GUI потоке. Он также содержит методы blockInput для блокировки ввода и blockMouse для блокировки движения мыши, которые могут выполняться с любого потока. MouseBlocker Наследник QThread, который когда запущен каждые 10 милисекунд перемещает указатель мыши в его текущее положение. Это полностью блокирует перемещение мыши пользователем. 
Используется через TutorialHelper::blockMouse.fwbuilder-5.3.7/doc/ReleaseNotes_template.html000066400000000000000000000031631303637203600214360ustar00rootroot00000000000000

Firewall Builder Release Notes


Version 2.0.1


Released MM/DD/YY
GUI and compilers v2.0.1 require API library libfwbuilder version 2.0.1

Summary

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

What's new

  • Improvements in the GUI:


  • Improvements in policy compiler for iptables:



  • Improvements in policy compiler for ipfilter:

  • Improvements in policy compilers for all platforms:

  • New components:





Bugs fixed in libfwbuilder API:



Bugs fixed in GUI:



Bugs fixed in iptables policy compiler fwb_ipt:



Bugs fixed in ipfilter policy compiler fwb_ipf:



Bugs fixed in PF policy compiler fwb_pf:

fwbuilder-5.3.7/doc/cisco_doc_15244_example.fwb000066400000000000000000002545361303637203600211770ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/doc/cluster_examples.fwb000066400000000000000000002567771303637203600203700ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established -m state --state ESTABLISHED,RELATED -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/doc/doc.pro000066400000000000000000000027171303637203600155570ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../qmake.inc) TEMPLATE = aux win32 { CONFIG -= embed_manifest_exe } win32 { QMAKE_RUN_CC = echo QMAKE_RUN_CXX = echo QMAKE_LINK = echo } !win32 { QMAKE_RUN_CC = @echo > /dev/null QMAKE_RUN_CXX = @echo > /dev/null QMAKE_LINK = @echo > /dev/null } TARGET = doc doc.files = AUTHORS \ ChangeLog \ COPYING \ Credits \ README.floppyfw \ README.ipf \ README.ipfw \ README.ipt \ README.pf \ README.pix \ README.pix_routing \ README.routing \ README.iosacl \ README.policy_import \ FWBuilder-Routing-LICENSE.txt \ PatchAcceptancePolicy.txt doc.path = $$DOCDIR man.files = fwbedit.1 \ fwbuilder.1 \ fwb_iosacl.1 \ fwb_ipf.1 \ fwb_ipfw.1 \ fwb_ipt.1 \ fwb_pf.1 \ fwb_pix.1 \ export_secuwall.1 \ # fwb_install.1 \ # fwb_compile_all.1 \ man.path = $$MANDIR/man1 INSTALLS -= target INSTALLS += doc INSTALLS += man fwbuilder-5.3.7/doc/examples.fwb000066400000000000000000000540761303637203600166130ustar00rootroot00000000000000 fwbuilder-5.3.7/doc/fwb_compile_all.1000066400000000000000000000026641303637203600174710ustar00rootroot00000000000000.TH fwb_compile_all 1 "" FWB "Firewall Builder" .SH 
NAME fwb_compile_all \- Wrapper script that compiles policies for multiple firewall objects .SH SYNOPSIS .B fwb_compile_all .RB -f file.xml .RB [-d wdir] .RB [-av] [obj[ obj ...]] .SH "DESCRIPTION" .B fwb_compile_all is a wrapper script that compiles policies for several firewall objects in one batch job. This script takes a list of firewall object names on the command line (or '-a' command line option, see below) and calls policy compiler for each one. The script correctly determines which policy compiler is needed depending on the firewall platform of each object. .SH OPTIONS .IP "-a" The script processes all firewall objects in the "/Firewalls" subtree. .IP "-d wdir" Specify working directory. Compiler creates file with iptables script in this directory. If this parameter is missing, then iptables script will be placed in the current working directory. .IP "-f FILE" Specify the name of the data file to be processed. .IP "-v" Script passes this option to the compiler, this makes it print diagnostic messages indicating its progress. .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipt(1) .BR fwb_ipf(1) .BR fwb_pf(1) .BR fwbedit(1), .BR fwblookup(1) .P fwbuilder-5.3.7/doc/fwb_install.1000066400000000000000000000070751303637203600166600ustar00rootroot00000000000000.\"-*- mode: nroff; tab-width: 4; -*- .\" .de Sp .if n .sp .if t .sp 0.4 .. .TH fwb_install 1 "" FWB "Firewall Builder" .SH NAME fwb_install \- Firewall policy installation and activation script .SH SYNOPSIS .B fwb_install .B [-d wdir] .B -f data_file.xml object_name .SH "DESCRIPTION" .B fwb_install is firewall policy installation and activation script for Firewall Builder (see fwbuilder(1)). This script transfers compiled rulesets via ssh to a firewall and activates them. 
Optionally it transfers a backup of the .xml source file, too. .PP The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .PP The firewall rules should allow ssh traffic to the firewall, or you will lock yourself out. .PP .SH INSTALLATION You should have a ssh and sshd installed and configured properly. .PP Make a public/private keypair using ssh-keygen tool, the public key goes into ~$REMOTEUSER/.ssh/ on the firewall, $SSHIDENTITY locally points to the private key. Protect your key with a good passphrase! .PP Tell fwbuilder to use the script: enter /home/vadim/Projects/fwb/fwbuilder/../usr//bin/fwb_install (a full path and name for this script) in the "install script" entry field in the firewall object dialog. .PP To customize the script you can adjust the following variables inside of it : .PP .PD 0 .TP .B REMOTEDIR Specifies where the firewall script or configuration file will be placed on the firewall (default: "/etc/firewall") .TP .B REMOTEUSER Specifies the user on the firewall allowed to set up the firewall rulesets (default: "root") .TP .B DOXMLBACKUP Specifies whether we want to store a backup copy of the .xml on the firewall (default: "YES") .TP .B SSHIDENTITY location of private ssh key (default: "${HOME}/.ssh/id_dsa") .SH OPTIONS .IP "-f FILE" Specify the name of the data file to be processed. .IP "-d wdir" Specify working directory. Policy compilers create firewall configurations and/or scripts in this directory. If this parameter is missing, then script looks in the current working directory. .SH CAVEATS The firewall rules should allow ssh traffic to the firewall, or you will lock yourself out. .PP The script uses address of firewall's interface which is marked as "management". The script aborts if there is no management interface. 
.PP There still is a depenency on the current DTD structure in that the script assumes that all firewalls are always located in the tree branch "Firewalls". This may change in the future; the script will need to be updated then. .PP This script has been developed and tested for iptables firewall on Linux systems. To the best of my knowledge, nobody used this script for any other firewall type or OS, however it should work for any firewall running on a Unix box where firewall configuration is represented in a form of a shell script. On example is ipfw used on FreeBSD or Mac OS X. .PP .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH AUTHOR David Gullasch , Changes and corrections by Vadim Kurland .SH DISCLAIMER (K) 2001 by David Gullasch , All rights reversed. Copy what you like, but give credit and include this note. Don't blame me when this script does not do what you want it to - there is no bug-free software. .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipt(1), .BR fwb_ipf(1), .BR fwb_pf(1) .P fwbuilder-5.3.7/doc/fwb_iosacl.1000066400000000000000000000050201303637203600164500ustar00rootroot00000000000000.de Sp .if n .sp .if t .sp 0.4 .. .TH fwb_pix 1 "" FWB "Firewall Builder" .SH NAME fwb_ipt \- Policy compiler for Cisco IOS ACL .SH SYNOPSIS .B fwb_iosacl .B [-vV] .B [-d wdir] .B [-4] .B [-6] .B [-i] .B -f data_file.xml object_name .SH "DESCRIPTION" .B fwb_iosacl is firewall policy compiler component of Firewall Builder (see fwbuilder(1)). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates resultant Cisco IOS ACL configuration file. The configuration is written to the file with the name the same as the name of the firewall object, plus extension ".fw". 
Compiler generates extended access lists for Cisco routers running IOS v12.x using "ip access-list " syntax. Compiler also generates "ip access-group" commands to assign access lists to interfaces. Generated ACL configuration can be uploaded to the router manually or using built-in installer in the fwbuilder(1) GUI. The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .SH OPTIONS .IP "-4" Generate iptables script for IPv4 part of the policy. If any rules of the firewall refer to IPv6 addresses, compiler will skip these rules. Options "-4" and "-6" are exclusive. If neither option is used, compiler tries to generate both parts of the script, although generation of the IPv6 part is controlled by the option "Enable IPv6 support" in the "IPv6" tab of the firewall object advanced settings dialog. This option is off by default. .IP "-6" Generate iptables script for IPv6 part of the policy. If any rules of the firewall refer to IPv6 addresses, compiler will skip these rules. .IP "-f FILE" Specify the name of the data file to be processed. .IP "-d wdir" Specify working directory. Compiler creates file with ACL configuration in this directory. If this parameter is missing, then generated ACL will be placed in the current working directory. .IP "-v" Be verbose: compiler prints diagnostic messages when it works. .IP "-V" Print version number and quit. 
.IP "-i" When this option is present, the last argument on the command line is supposed to be firewall object ID rather than its name .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_pix(1), .BR fwb_ipfw(1), .BR fwb_ipf(1), .BR fwb_ipt(1) .BR fwb_pf(1) .P fwbuilder-5.3.7/doc/fwb_ipf.1000066400000000000000000000066131303637203600157650ustar00rootroot00000000000000.de Sp .if n .sp .if t .sp 0.4 .. .TH fwb_ipf 1 "" FWB "Firewall Builder" .SH NAME fwb_ipf \- Policy compiler for ipfilter .SH SYNOPSIS .B fwb_ipf .B [-vVx] .B [-d wdir] .B [-o output.fw] .B [-i] .B -f data_file.xml object_name .SH "DESCRIPTION" .B fwb_ipf is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). This compiler generates code for ipfilter. Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates ipfilter configuration files and firewall activation script. All generated files have names that start with the name of the firewall object. Firewall activation script has extension ".fw" and is simple shell script that flushes current policy, loads new filter and nat rules and then activates ipfilter. IPFilter configuration file name starts with the name of the firewall object, plus "-ipf.conf". NAT configuration file name also starts with the name of the firewall object, plus "-nat.conf". For example, if firewall object has name "myfirewall", then compiler will create three files: "myfirewall.fw", "myfirewall-pf.conf", "myfirewall-nat.conf". The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .SH OPTIONS .IP "-f FILE" Specify the name of the data file to be processed. 
.IP "-o output.fw" Specify output file name .IP "-d wdir" Specify working directory. Compiler creates firewall activation script and ipfilter configuration files in this directory. If this parameter is missing, then all files will be placed in the current working directory. .IP "-v" Be verbose: compiler prints diagnostic messages when it works. .IP "-V" Print version number and quit. .IP "-i" When this option is present, the last argument on the command line is supposed to be firewall object ID rather than its name .IP "-x" Generate debugging information while working. This option is intended for debugging only and may produce lots of cryptic messages. .SH NOTES Support for ipf returned in version 1.0.1 of Firewall Builder Supported features: .IP o both ipf.conf and nat.conf files are generated .IP o negation in policy rules .IP o stateful inspection in individual rule can be turned off in rule options dialog. By default compiler adds "keep state" or "modulate state" to each rule with action 'pass' .IP o rule options dialog provides a choice of icmp or tcp rst replies for rules with action "Reject" .IP o compiler adds flag "allow-opts" if match on ip options is needed .IP o compiler can generate rules matching on TCP flags .IP o compiler can generate script adding ip aliases for NAT rules using addresses that do not belong to any interface of the firewall .IP o compiler always adds rule "block quick all" at the very bottom of the script to ensure "block all by default" policy even if the policy is empty. 
.IP o Address ranges in both policy and NAT .PP Features that are not supported (yet) .IP o negation in NAT .IP o custom services .PP Features that won't be supported (at least not anytime soon) .IP o policy routing .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipt(1), .BR fwb_pf(1) .P fwbuilder-5.3.7/doc/fwb_ipf21.1000066400000000000000000000063741303637203600161340ustar00rootroot00000000000000.de Sp .if n .sp .if t .sp 0.4 .. .TH fwb_ipf 1 "" FWB "Firewall Builder" .SH NAME fwb_ipf \- Policy compiler for ipfilter .SH SYNOPSIS .B fwb_ipf .B [-vVx] .B [-d wdir] .B [-o output.fw] .B -f data_file.xml object_name .SH "DESCRIPTION" .B fwb_ipf is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). This compiler generates code for ipfilter. Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates ipfilter configuration files and firewall activation script. All generated files have names that start with the name of the firewall object. Firewall activation script has extension ".fw" and is simple shell script that flushes current policy, loads new filter and nat rules and then activates ipfilter. IPFilter configuration file name starts with the name of the firewall object, plus "-ipf.conf". NAT configuration file name also starts with the name of the firewall object, plus "-nat.conf". For example, if firewall object has name "myfirewall", then compiler will create three files: "myfirewall.fw", "myfirewall-pf.conf", "myfirewall-nat.conf". The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .SH OPTIONS .IP "-f FILE" Specify the name of the data file to be processed. 
.IP "-o output.fw" Specify output file name .IP "-d wdir" Specify working directory. Compiler creates firewall activation script and ipfilter configuration files in this directory. If this parameter is missing, then all files will be placed in the current working directory. .IP "-v" Be verbose: compiler prints diagnostic messages when it works. .IP "-V" Print version number and quit. .IP "-x" Generate debugging information while working. This option is intended for debugging only and may produce lots of cryptic messages. .SH NOTES Support for ipf returned in version 1.0.1 of Firewall Builder Supported features: .IP o both ipf.conf and nat.conf files are generated .IP o negation in policy rules .IP o stateful inspection in individual rule can be turned off in rule options dialog. By default compiler adds "keep state" or "modulate state" to each rule with action 'pass' .IP o rule options dialog provides a choice of icmp or tcp rst replies for rules with action "Reject" .IP o compiler adds flag "allow-opts" if match on ip options is needed .IP o compiler can generate rules matching on TCP flags .IP o compiler can generate script adding ip aliases for NAT rules using addresses that do not belong to any interface of the firewall .IP o compiler always adds rule "block quick all" at the very bottom of the script to ensure "block all by default" policy even if the policy is empty. 
.IP o Address ranges in both policy and NAT .PP Features that are not supported (yet) .IP o negation in NAT .IP o custom services .PP Features that won't be supported (at least not anytime soon) .IP o policy routing .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipt(1), .BR fwb_pf(1) .P fwbuilder-5.3.7/doc/fwb_ipfw.1000066400000000000000000000037721303637203600161570ustar00rootroot00000000000000.de Sp .if n .sp .if t .sp 0.4 .. .TH fwb_ipfw 1 "" FWB "Firewall Builder" .SH NAME fwb_ipfw \- Policy compiler for ipfw .SH SYNOPSIS .B fwb_ipfw .B [-vVx] .B [-d wdir] .B [-o output.fw] .B [-i] .B -f data_file.xml object_name .SH "DESCRIPTION" .B fwb_ipfw is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). This compiler generates code for ipfw - a firewall and traffic shaper in FreeBSD (see ipfw(8)). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates firewall configuration and activation script. The generated file has a name that starts with the name of the firewall object, with an extension ".fw". It is a shell script that flushes current policy, then loads new filter and nat rules. The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .SH OPTIONS .IP "-f FILE" Specify the name of the data file to be processed. .IP "-o output.fw" Specify output file name .IP "-d wdir" Specify working directory. Compiler creates firewall activation script in this directory. If this parameter is missing, then all files will be placed in the current working directory. .IP "-v" Be verbose: compiler prints diagnostic messages when it works. .IP "-V" Print version number and quit. 
.IP "-i" When this option is present, the last argument on the command line is supposed to be firewall object ID rather than its name .IP "-x" Generate debugging information while working. This option is intended for debugging only and may produce lots of cryptic messages. .SH NOTES Support for ipfw was added in version 1.0.10 of Firewall Builder .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipt(1), .BR fwb_pf(1) .BR fwb_ipf(1) .P fwbuilder-5.3.7/doc/fwb_ipfw21.1000066400000000000000000000035531303637203600163170ustar00rootroot00000000000000.de Sp .if n .sp .if t .sp 0.4 .. .TH fwb_ipfw 1 "" FWB "Firewall Builder" .SH NAME fwb_ipfw \- Policy compiler for ipfw .SH SYNOPSIS .B fwb_ipfw .B [-vVx] .B [-d wdir] .B [-o output.fw] .B -f data_file.xml object_name .SH "DESCRIPTION" .B fwb_ipfw is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). This compiler generates code for ipfw - a firewall and traffic shaper in FreeBSD (see ipfw(8)). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates firewall configuration and activation script. The generated file has a name that starts with the name of the firewall object, with an extension ".fw". It is a shell script that flushes current policy, then loads new filter and nat rules. The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .SH OPTIONS .IP "-f FILE" Specify the name of the data file to be processed. .IP "-o output.fw" Specify output file name .IP "-d wdir" Specify working directory. Compiler creates firewall activation script in this directory. 
If this parameter is missing, then all files will be placed in the current working directory. .IP "-v" Be verbose: compiler prints diagnostic messages when it works. .IP "-V" Print version number and quit. .IP "-x" Generate debugging information while working. This option is intended for debugging only and may produce lots of cryptic messages. .SH NOTES Support for ipfw was added in version 1.0.10 of Firewall Builder .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipt(1), .BR fwb_pf(1) .BR fwb_ipf(1) .P fwbuilder-5.3.7/doc/fwb_ipt.1000066400000000000000000000065351303637203600160060ustar00rootroot00000000000000.TH fwb_ipt 1 "" FWB "Firewall Builder" .SH NAME fwb_ipt \- Policy compiler for iptables .SH SYNOPSIS .B fwb_ipt .RB -f data_file.xml .RB [-4] .RB [-6] .RB [-V] .RB [-d wdir] .RB [-i] .RB [-o output.fw] .RB [-O fw1_id,fw1_output.fw[,fw2_id,fw2_output.fw]] .RB [-v] .RB [-xc] .RB [-xn N] .RB [-xp N] .RB [-xt] object_name .SH "DESCRIPTION" .B fwb_ipt is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates resultant iptables script. The script is written to the file with the name the same as the name of the firewall object, plus extension ".fw". The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .SH OPTIONS .IP "-4" Generate iptables script for IPv4 part of the policy. If any rules of the firewall refer to IPv6 addresses, compiler will skip these rules. Options "-4" and "-6" are exclusive. 
If neither option is used, compiler tries to generate both parts of the script, although generation of the IPv6 part is controlled by the option "Enable IPv6 support" in the "IPv6" tab of the firewall object advanced settings dialog. This option is off by default. .IP "-6" Generate iptables script for IPv6 part of the policy. If any rules of the firewall refer to IPv6 addresses, compiler will skip these rules. .IP "-f FILE" Specify the name of the data file to be processed. .IP "-o output.fw" Specify output file name .IP "-O fw1_id,fw1_output.fw[,fw2_id,fw2_output.fw]" The argument is a comma separated list of firewall object IDs and corresponding output file names. This option is used by fwbuilder GUI while compiling firewall clusters. .IP "-d wdir" Specify working directory. Compiler creates file with iptables script in this directory. If this parameter is missing, then iptables script will be placed in the current working directory. .IP "-v" Be verbose: compiler prints diagnostic messages when it works. .IP "-V" Print version number and quit. .IP "-i" When this option is present, the last argument on the command line is supposed to be firewall object ID rather than its name .IP "-xc" When output file name is determined automatically (i.e. flags -o or -O are not present), the file name is composed of the cluster name and member firewall name rather than just member firewall name. This is used mostly for testing when the same member firewall object can be a part of different clusters with different configurations. .IP "-xt" This flag makes compiler treat all fatal errors as warnings and continue processing rules. Generated configuration script most likely will be incorrect but will include error message as a comment; this flag is used for testing and debugging. .IP "-xp N" Debugging flag: this causes compiler to print detailed description of the policy rule number "N" as it processes it, step by step.
.IP "-xn N" Debugging flag: this causes compiler to print detailed description of the NAT rule number "N" as it processes it, step by step. .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipf(1), .BR fwb_pf(1) .P fwbuilder-5.3.7/doc/fwb_ipt21.1000066400000000000000000000026431303637203600161450ustar00rootroot00000000000000.TH fwb_ipt 1 "" FWB "Firewall Builder" .SH NAME fwb_ipt \- Policy compiler for iptables .SH SYNOPSIS .B fwb_ipt .RB [-wvV] .RB [-d wdir] .RB [-o output.fw] .RB -f data_file.xml object_name .SH "DESCRIPTION" .B fwb_ipt is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates resultant iptables script. The script is written to the file with the name the same as the name of the firewall object, plus extension ".fw". The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .SH OPTIONS .IP "-f FILE" Specify the name of the data file to be processed. .IP "-o output.fw" Specify output file name .IP "-d wdir" Specify working directory. Compiler creates file with iptables script in this directory. If this parameter is missing, then iptables script will be placed in the current working directory. .IP "-v" Be verbose: compiler prints diagnostic messages when it works. .IP "-V" Print version number and quit.
.SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipf(1), .BR fwb_pf(1) .P fwbuilder-5.3.7/doc/fwb_pf.1000066400000000000000000000072201303637203600156070ustar00rootroot00000000000000.de Sp .if n .sp .if t .sp 0.4 .. .TH fwb_pf 1 "" FWB "Firewall Builder" .SH NAME fwb_pf \- Policy compiler for OpenBSD packet filter "pf" .SH SYNOPSIS .B fwb_pf .B [-vVx] .B [-d wdir] .B [-o output.fw] .B [-i] .B -f data_file.xml object_name .SH "DESCRIPTION" .B fwb_pf is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). This compiler generates code for OpenBSD Packet Filter (pf). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates pf configuration files and firewall activation script. All generated files have names that start with the name of the firewall object. Firewall activation script has extension ".fw" and is simple shell script that flushes current policy, loads new filter and nat rules and then activates pf. PF configuration file name starts with the name of the firewall object, plus "-pf.conf". NAT configuration file name also starts with the name of the firewall object, plus "-nat.conf". For example, if firewall object has name "myfirewall", then compiler will create three files: "myfirewall.fw", "myfirewall-pf.conf", "myfirewall-nat.conf". The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .SH OPTIONS .IP "-f FILE" Specify the name of the data file to be processed. .IP "-o output.fw" Specify output file name .IP "-d wdir" Specify working directory. Compiler creates firewall activation script and PF configuration files in this directory. 
If this parameter is missing, then all files will be placed in the current working directory. .IP "-v" Be verbose: compiler prints diagnostic messages when it works. .IP "-V" Print version number and quit. .IP "-i" When this option is present, the last argument on the command line is supposed to be firewall object ID rather than its name .IP "-x" Generate debugging information while working. This option is intended for debugging only and may produce lots of cryptic messages. .SH NOTES Support for PF has been introduced in version 1.0.1 of Firewall Builder Supported features: .IP o both pf.conf and nat.conf files are generated .IP o negation in policy and NAT rules .IP o grouping in "from", "to" and ports using '{' '}' syntax .IP o if checkbox "Scrub" is checked in the rule options dialog, and rule's action is Accept, the compiler generates two (almost) identical rules: first with action 'scrub' and the second with action 'pass quick' .IP o stateful inspection in individual rule can be turned off in rule options dialog. By default compiler adds "keep state" or "modulate state" to each rule with action 'pass' .IP o rule options dialog provides a choice of icmp or tcp rst replies for rules with action "Reject" .IP o compiler adds flag "allow-opts" if match on ip options is needed .IP o compiler can generate rules matching on TCP flags .IP o compiler can generate script adding ip aliases for NAT rules using addresses that do not belong to any interface of the firewall .IP o compiler always adds rule "block quick all" at the very bottom of the script to ensure "block all by default" policy even if the policy is empty. 
.IP o Address ranges in both policy and NAT .PP Features that are not supported (yet) .IP o custom services .PP What will not be supported (at least not anytime soon) .IP o policy routing .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipt(1), .BR fwb_ipf(1) .P fwbuilder-5.3.7/doc/fwb_pf21.1000066400000000000000000000070011303637203600157470ustar00rootroot00000000000000.de Sp .if n .sp .if t .sp 0.4 .. .TH fwb_pf 1 "" FWB "Firewall Builder" .SH NAME fwb_pf \- Policy compiler for OpenBSD packet filter "pf" .SH SYNOPSIS .B fwb_pf .B [-vVx] .B [-d wdir] .B [-o output.fw] .B -f data_file.xml object_name .SH "DESCRIPTION" .B fwb_pf is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)). This compiler generates code for OpenBSD Packet Filter (pf). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates pf configuration files and firewall activation script. All generated files have names that start with the name of the firewall object. Firewall activation script has extension ".fw" and is simple shell script that flushes current policy, loads new filter and nat rules and then activates pf. PF configuration file name starts with the name of the firewall object, plus "-pf.conf". NAT configuration file name also starts with the name of the firewall object, plus "-nat.conf". For example, if firewall object has name "myfirewall", then compiler will create three files: "myfirewall.fw", "myfirewall-pf.conf", "myfirewall-nat.conf". The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .SH OPTIONS .IP "-f FILE" Specify the name of the data file to be processed. 
.IP "-o output.fw" Specify output file name .IP "-d wdir" Specify working directory. Compiler creates firewall activation script and PF configuration files in this directory. If this parameter is missing, then all files will be placed in the current working directory. .IP "-v" Be verbose: compiler prints diagnostic messages when it works. .IP "-V" Print version number and quit. .IP "-x" Generate debugging information while working. This option is intended for debugging only and may produce lots of cryptic messages. .SH NOTES Support for PF has been introduced in version 1.0.1 of Firewall Builder Supported features: .IP o both pf.conf and nat.conf files are generated .IP o negation in policy and NAT rules .IP o grouping in "from", "to" and ports using '{' '}' syntax .IP o if checkbox "Scrub" is checked in the rule options dialog, and rule's action is Accept, the compiler generates two (almost) identical rules: first with action 'scrub' and the second with action 'pass quick' .IP o stateful inspection in individual rule can be turned off in rule options dialog. By default compiler adds "keep state" or "modulate state" to each rule with action 'pass' .IP o rule options dialog provides a choice of icmp or tcp rst replies for rules with action "Reject" .IP o compiler adds flag "allow-opts" if match on ip options is needed .IP o compiler can generate rules matching on TCP flags .IP o compiler can generate script adding ip aliases for NAT rules using addresses that do not belong to any interface of the firewall .IP o compiler always adds rule "block quick all" at the very bottom of the script to ensure "block all by default" policy even if the policy is empty. 
.IP o Address ranges in both policy and NAT .PP Features that are not supported (yet) .IP o custom services .PP What will not be supported (at least not anytime soon) .IP o policy routing .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipt(1), .BR fwb_ipf(1) .P fwbuilder-5.3.7/doc/fwb_pix.1000066400000000000000000000042551303637203600160070ustar00rootroot00000000000000.de Sp .if n .sp .if t .sp 0.4 .. .TH fwb_pix 1 "" FWB "Firewall Builder" .SH NAME fwb_ipt \- Policy compiler for Cisco PIX .SH SYNOPSIS .B fwb_pix .RB -f data_file.xml .RB [-V] .RB [-d wdir] .RB [-i] .RB [-v] .RB [-xc] .RB [-xt] object_name .SH "DESCRIPTION" .B fwb_pix is firewall policy compiler component of Firewall Builder (see fwbuilder(1)). Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates resultant Cisco PIX configuration file. The configuration is written to the file with the name the same as the name of the firewall object, plus extension ".fw". The data file and the name of the firewall objects must be specified on the command line. Other command line parameters are optional. .SH OPTIONS .IP "-f FILE" Specify the name of the data file to be processed. .IP "-d wdir" Specify working directory. Compiler creates file with PIX configuration in this directory. If this parameter is missing, then PIX configuration will be placed in the current working directory. .IP "-v" Be verbose: compiler prints diagnostic messages when it works. .IP "-V" Print version number and quit. .IP "-i" When this option is present, the last argument on the command line is supposed to be firewall object ID rather than its name .IP "-xc" When output file name is determined automatically (i.e. 
flags -o or -O are not present), the file name is composed of the cluster name and member firewall name rather than just member firewall name. This is used mostly for testing when the same member firewall object can be a part of different clusters with different configurations. .IP "-xt" This flag makes compiler treat all fatal errors as warnings and continue processing rules. Generated configuration script most likely will be incorrect but will include error message as a comment; this flag is used for testing and debugging. .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwb_ipf(1), .BR fwb_ipt(1) .BR fwb_pf(1) .P fwbuilder-5.3.7/doc/fwbedit.1000066400000000000000000000253671303637203600160040ustar00rootroot00000000000000.TH fwbedit 1 "" FWB "Firewall Builder" .SH NAME fwbedit \- General purpose object tree editing tool .SH SYNOPSIS .B fwbedit .RB command .RB [options] .SH "DESCRIPTION" .B fwbedit is a general purpose object tree editing tool for Firewall Builder (see fwbuilder(1)). This tool can be used in the shell scripts written for batch-processing of the Firewall Builder data files. Fwbedit can perform the following operations on the objects and the tree: create new object, delete existing object, modify attributes of an object, add a reference to the given object to a group, remove reference to an object from a group, upgrade data file and check object tree in the file and repair it if necessary. Both object and a group can be defined by their ID or by their name and a full path in the tree (see section .B EXAMPLES below). .SH COMMANDS AND OPTIONS: .B new -f file.fwb -t objtype -n name -p parent [-c comment] [-a attrs] Creates new object. 
-f file.fwb data file -t objtype create new object of this type -p parent create new object as a child of this object. This parameter is mandatory. If you are adding an address to an interface, corresponding interface object must be specified as the parent. Similarly if you need to add an interface to a host or a firewall, corresponding host or firewall object is the parent. If you are adding an object to one of the standard folders, the parent is the library you want to add the object to or correct full path to the folder in the tree. -n name the name of the new object -c txt specify comment for the new object -a attribute1[,attribute2...] : specify attributes that define parameters of the new object (see below) .B delete -f file.fwb -o object Deletes object specified by its full path in the tree or object ID. -f file.fwb data file -o object object to be deleted, full path or ID .B modify -f file.fwb -o object -c comment [-a attrs] Modifies object specified by its full path in the tree or object ID. Object can not be renamed using this operation. -f file.fwb data file -o object object to be modified, full path or ID -c txt specify comment for the object -a attribute1[,attribute2...] : specify attributes that define parameters of the object (see below) .B list -f file.fwb -o object [-r|-c] [-d|-Fformat] Prints name and ID of an object. -f file.fwb data file -o object object to print, full path or ID -r print specified object and all objects under it in the tree -c print only children objects of the given object but do not print the object itself. -d print full dump of all object's attributes including internal debugging information if available, this can be very verbose. -Fformat_string Program recognizes macros in the format string and replaces them with values of corresponding object's attributes. Macro is the name of the attribute surrounded with '%', such as '%name%' or '%address%'.
Here is the list of some attribute names: "id", "name", "path", "comment", "type", "address", "netmask", "dnsname". TCP and UDP service objects provide attributes "src_range_start", "src_range_end", "dst_range_start", "dst_range_end" for the source and destination port ranges. ICMP and ICMP6 service objects have attributes "icmp_type" and "icmp_code". .B add -f file.fwb -g group -o object Adds object specified by path or ID to a group, also specified by its path or ID. -f file.fwb data file -g group group the object should be added to, full path or ID -o object object to be deleted, full path or ID .B remove -f file.fwb -g group -o object Removes object from a group. -f file.fwb data file -g group group the object should be removed from, full path or ID -o object object to be deleted, full path or ID .B upgrade -f file.fwb Upgrades data file to the latest data format version. -f file.fwb data file .B checktree -f file.fwb Checks consistency and correctness of the object tree in the given data file and repairs it if necessary. -f file.fwb data file .B merge -f file1.fwb -i file2.fwb Objects from the file2.fwb are merged with objects in file1 and combined object tree saved in file1.fwb -f file.fwb data file #1 -i file.fwb data file #2 .B import -f file1.fwb -i firewall_config.txt -o path_to_firewall_object [-d] Firewall configuration from file firewall_config.txt is parsed and imported into data file file1.fwb. The program creates new firewall object located in the library and with the name defined by its path path_to_firewall_object. -f file.fwb data file #1 -i config.txt firewall configuration file -o object_path full path to the firewall object that will be created. 
This has to be full path, beginning with the library name, such as "/User/Firewalls/my_new_firewall" -d avoid creating duplicate objects on import Currently (as of v4.2.0) fwbuilder supports import of iptables configuration saved with iptables-save command, as well as import of Cisco router IOS configuration, Cisco PIX, ASA and FWSM firewalls saved with "show run" command. .SH ATTRIBUTES FOR THE NEW OBJECTS, BY TYPE .PP .PP -t Firewall -a platform, host OS .PP -t IPv4 -a IP address [,netmask] .PP -t IPv6 -a IPv6 address [,masklen] .PP -t DNSName -a DNS record,run time .PP -t AddressRange -a start address, end address .PP -t ObjectGroup .PP -t Network -a address,netmask .PP -t NetworkIPv6 -a ipv6_address,netmask_length .PP -t Interval -a start time,start date,start day,end time, end date, end day .PP -t Interface -a security level,address type (dynamic or unnumbered),management .PP -t Host .PP -t TCPService -a source port range start,end,destination port range start,end,UAPRSF,UAPRSF .PP -t UDPService -a source port range start,end,Destination port range start,end .PP -t ICMPService -a ICMP type,ICMP code .PP -t IPService -a protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm .SH EXAMPLES .PP Print contents of the object /User/Firewalls/firewall/eth0 according to the provided format. Note that object of the type "Interface" does not have attribute that would define its address, IP address is defined by its child object of the type IPv4 or IPv6. .PP fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name% id=%id% %comment%" .PP Print contents of the object /User/Firewalls/firewall/eth0 and all its child objects. This is the way to see addresses and netmasks. Interface object does not have attribute "address" so the program ignores macro "%address%" when it prints interface.
.PP fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name% id=%id% %comment% %address%" -r .PP Print group object /User/Objects/Addresses .PP fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" .PP Print group object /User/Objects/Addresses and all address objects inside of it: .PP fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" -r .PP Print address objects inside group /User/Objects/Addresses but do not print the group object itself: .PP fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" -c .PP Print addresses and netmasks of all interfaces of all firewalls in the form of their full object tree path, followed by the type, id, address and netmask: .PP fwbedit list -f x.fwb -o /User/Firewalls -F "%path% %type% %id% %address% %netmask%" -r | grep IP .PP Print names, platform and version information for all firewall objects defined in the data file: .PP fwbedit list -f x.fwb -o /User/Firewalls -F "%name% platform: %platform% version: %version%" -c .PP Print name, source and destination port ranges for all TCP services in the folder TCP of the user-defined group User: .PP fwbedit list -f x.fwb -o /User/Services/TCP -c -F "name='%name%' est=%established% \t %src_range_start%-%src_range_end% : %dst_range_start%-%dst_range_end%" .PP Print icmp type and code for all ICMP services in the folder ICMP of the user-defined group User: .PP fwbedit list -f x.fwb -o /User/Services/ICMP -c -F "name='%name%' icmp_type=%icmp_type% icmp_code=%icmp_code%" .PP Add IPv6 address to one of the interfaces of firewall object "firewall": .PP fwbedit new -f x.fwb -p /User/Firewalls/firewall/eth3 -t IPv6 -n eth3-v6-addr -a 2001:470:1f05:590::2,64 .PP Add reference to the Host object 'A' to the group 'B': .PP fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A .PP Add reference to the object with ID id3D71A1BA to 
the group with ID id3D151943. If objects with given IDs do not exist, fwbedit prints an error message and does not make any changes in the data file. .PP fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943 .PP Add reference to the object with ID id3D71A1BA to the group 'testgroup': .PP fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup .PP .PP The following script uses fwbedit "list" command to print IDs of all Address objects in the folder /User/Objects/Addresses , then cycles through the obtained list and uses fwbedit to add them to the group "group1". .LP fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c | \\ while read id; do \\ fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \\ done .PP Here is slightly more complex example. The following script uses fwbedit "list" command to print types and IDs of all Address objects in the folder /User/Objects/Addresses , then filters them using grep to get only IPv6 objects and finally cycles through the obtained list and uses fwbedit to add them to the group "group1". .LP fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%type% %id%" -c | \\ grep IPv6 | \\ while read type id; do \\ fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \\ done .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .P fwbuilder-5.3.7/doc/fwbedit21.1000066400000000000000000000050031303637203600161300ustar00rootroot00000000000000.TH fwbedit 1 "" FWB "Firewall Builder" .LO 1 .SH NAME fwbedit \- General purpose object tree editing tool .SH SYNOPSIS .B fwbedit .RB [-a obj,grp] .RB [-r obj,grp] .RB [-d obj] .RB -f data_file.xml .SH "DESCRIPTION" .B fwbedit is a general purpose object tree editing tool for Firewall Builder (see fwbuilder(1)). 
This tool can be used in the shell scripts written for batch-processing of the Firewall Builder data files. Fwbedit can perform the following operations on the objects and the tree: add a reference to the given object to a group, remove reference to an object from a group and delete an object and all references to it from the tree. Both object and a group can be specified by their ID or by their name and a full path in the tree (see section .B EXAMPLES below). .SH OPTIONS .IP "-f FILE" Specify the name of the data file to be processed. .IP "-a obj,grp" Adds reference to object 'obj' to the group 'grp'. .IP "-r obj,grp" Removes reference to object 'obj' from the group 'grp'. .IP "-d obj" Deletes object 'obj' and references to it from all groups and rules. .IP "-V" Prints version number and quit. .SH EXAMPLES .PP fwbedit -f x.xml -a /Objects/Hosts/A,/Objects/Groups/B .PP Adds reference to the Host object 'A' to the group 'B'. .PP .PP fwbedit -f x.xml -a id3D71A1BA,id3D151943 .PP Adds reference to the object with ID id3D71A1BA to the group with ID id3D151943. If objects with given IDs do not exist, fwbedit prints an error message and does not make any changes in the data file. .PP .PP fwbedit -f x.xml -a id3D71A1BA,/Objects/Groups/testgroup .PP Adds reference to the object with ID id3D71A1BA to the group 'testgroup'. .PP .PP fwbedit can be used in combination with fwblookup to execute operations on many objects: .LP fwblookup -f x.xml -lP /Objects/Hosts | \\ grep domain.com | \\ while read h; do \\ fwbedit -f x.xml -a $h,/Objects/Groups/domainGRP; \\ done .PP first, this script uses fwblookup to print full path of all Host objects (option -l in combination with option -P prints full path for all children objects of /Objects/Hosts), then uses grep to filter only those hosts that have 'domain.com' in their name, then cycles through the obtained list and uses fwbedit to add them to the group 'domainGRP'. 
.SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwbuilder(1), .BR fwblookup(1), .P fwbuilder-5.3.7/doc/fwbuilder.1000066400000000000000000000052531303637203600163330ustar00rootroot00000000000000.de Sp .if n .sp .if t .sp 0.4 .. .TH fwbuilder 1 "" FWB "Firewall Builder" .SH NAME fwbuilder \- Multiplatform firewall configuration tool .SH SYNOPSIS .B /usr/bin/fwbuilder .RB [-f file.fwb] .RB [-d] .RB [-h] .RB [-o file] .RB [-P object_name] .RB [-r] .RB [-v] .SH "DESCRIPTION" .B fwbuilder is the Graphic User Interface (GUI) component of Firewall Builder. Firewall Builder consists of a GUI and set of policy compilers for various firewall platforms. It helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations. GUI generates firewall description in the form of XML file, which compilers then interpret and generate platform-specific code. Several algorithms are provided for automated network objects discovery and bulk import of data. The GUI and policy compilers are completely independent, this provides for a consistent abstract model and the same GUI for different firewall platforms. Firewall Builder supports firewalls based on iptables (Linux kernel 2.4.x and 2.6.x, see fwb_ipt(1)), ipfilter (variety of platforms including *BSD, Solaris and others, see fwb_ipf(1)), pf (OpenBSD and FreeBSD, see fwb_pf(1)), ipfw (FreeBSD and others), Cisco PIX (v6.x and 7.x) and Cisco IOS extended access lists. .SH OPTIONS .IP "-f FILE" Specify the name of the file to be loaded when program starts. .IP "-r" When this command line option is given in combination with -f file, the program automatically opens RCS head revision of the file if file is in RCS. If file is not in RCS, this option does nothing and the file is opened as usual. 
.IP "-d" Turns on debug mode. Note that in this mode the program generates lots of output on standard error. This is used for debugging. .IP "-h" Prints brief help message .IP "-o file" Specify the name of the file for the print output, see option "-P". .IP "-P object_name" Print rules and objects for the firewall object "object_name" and immediately exit. The program does not go into interactive mode. Print output will be placed in the file specified with "-o" option. If file name is not given with option "-o", print output is stored in the file "print.pdf" in the current directory. .SH FILES .IP $HOME/.qt/firewallbuilder2rc Fwbuilder v2.1 stores user preferences in this file. .IP $HOME/.config/netcitadel.com/Firewall\ Builder.conf Fwbuilder v3.0 stores user preferences in this file. .SH URL Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwblookup(1), .BR fwb_ipt(1), .BR fwb_ipf(1), .BR fwb_pf(1) .P fwbuilder-5.3.7/doc/fwbuilder21.1000066400000000000000000000032111303637203600164660ustar00rootroot00000000000000.de Sp .if n .sp .if t .sp 0.4 .. .TH fwbuilder 1 "" FWB "Firewall Builder" .SH NAME fwbuilder \- Multiplatform firewall configuration tool .SH SYNOPSIS .B /usr/bin/fwbuilder [ .B -f file.xml ] .SH "DESCRIPTION" .B fwbuilder is the Graphic User Interface (GUI) component of Firewall Builder. Firewall Builder consists of a GUI and set of policy compilers for various firewall platforms. It helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations. GUI generates firewall description in the form of XML file, which compilers then interpret and generate platform-specific code. Several algorithms are provided for automated network objects discovery and bulk import of data. 
The GUI and policy compilers are completely independent; this provides for a consistent abstract model and the same GUI for different firewall platforms. At the moment of this writing Firewall Builder supports firewalls based on iptables (available on Linux, kernel 2.4.x, see fwb_ipt(1)), ipfilter (available on a variety of platforms including *BSD, Solaris and others, see fwb_ipf(1)) and pf (available on OpenBSD 3.0, see fwb_pf(1)). .SH OPTIONS .IP "-f FILE" Specify the name of the file to be loaded when the program starts. .SH FILES .IP $HOME/.qt/firewallbuilder2rc fwbuilder stores user preferences in this file. .SH URL The Firewall Builder home page is located at the following URL: .B http://www.fwbuilder.org/ .SH BUGS Please report bugs using the bug tracking system on SourceForge: .BR http://sourceforge.net/tracker/?group_id=5314&atid=105314 .SH SEE ALSO .BR fwblookup(1), .BR fwb_ipt(1), .BR fwb_ipf(1), .BR fwb_pf(1) .P fwbuilder-5.3.7/doc/open_source_licenses.txt000066400000000000000000001352051303637203600212360ustar00rootroot00000000000000open_source_licenses.txt Firewall Builder The following copyright statements and licenses apply to various open source software components that are distributed with Firewall Builder and other NetCitadel LLC software products. The NetCitadel, LLC product that includes this file does not necessarily use all the open source software components referred to below. ======================================================================= The XML Parser for Gnome license Except where otherwise noted in the source code (trio files, hash.c and list.c) covered by a similar licence but with different Copyright notices: Copyright (C) 1998-2002 Daniel Veillard. All Rights Reserved. 
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is fur- nished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FIT- NESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE DANIEL VEILLARD BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CON- NECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of Daniel Veillard shall not be used in advertising or otherwise to promote the sale, use or other deal- ings in this Software without prior written authorization from him. -------------------------------------------------------------------------- CMU/UCD copyright notice and license Various copyrights apply to this package, listed in 3 separate parts below. Please make sure that you all the parts. Up until 2001, the project was based at UC Davis, and the first part covers all code written during this time. From 2001 onwards, the project has been based at SourceForge, and Networks Associates Technology, Inc hold the copyright on behalf of the wider Net-SNMP community, covering all derivative work done since then. An additional copyright section has been added as Part 3 below also under a BSD license for the work contributed by Cambridge Broadband Ltd. to the project since 2001. 
Code has been contributed to this project by many people over the years it has been in development, and a full list of contributors can be found in the README file under the THANKS section. ---- Part 1: CMU/UCD copyright notice: (BSD like) ----- Copyright 1989, 1991, 1992 by Carnegie Mellon University Derivative Work - 1996, 1998-2000 Copyright 1996, 1998-2000 The Regents of the University of California All Rights Reserved Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission. CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ---- Part 2: Networks Associates Technology, Inc copyright notice (BSD) ----- Copyright (c) 2001-2002, Networks Associates Technology, Inc All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) ----- Portions of this code are copyright (c) 2001-2002, Cambridge Broadband Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written permission. 
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------- OpenSSL License LICENSE ISSUES ============== The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. OpenSSL License --------------- /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. 
All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). 
* */ Original SSLeay License ----------------------- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. 
If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ -------------------------------------------------------------------------- GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.] Preamble The licenses for most software are designed to take away your freedom to share and change it. 
By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. 
To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. 
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. 
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. 
You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. 
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. 
A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. 
As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. 
c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. 
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. 
The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. 
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice That's all there is to it! -------------------------------------------------------------------------- The following is applicable to zlib.h. /* zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th, 2002 Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly jloup@gzip.org Mark Adler madler@alumni.caltech.edu */ -------------------------------------------------------------------------- The following is applicable to Libresolv. 
/* * Copyright (c) 1983, 1987, 1989 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANYWAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * Portions Copyright (c) 1996-1999 by Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. 
* * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. */ -------------------------------------------------------------------------- Starting with version 4.0.2, Firewall Builder for Windows package includes putty utilities by Simon Tatham. http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY license page: http://www.chiark.greenend.org.uk/~sgtatham/putty/licence.html The PuTTY executables and source code are distributed under the MIT licence, which is similar in effect to the BSD licence. (This licence is Open Source certified and complies with the Debian Free Software Guidelines.) The precise licence text, as given in the About box and in the file LICENCE in the source distribution, is as follows: PuTTY is copyright 1997-2010 Simon Tatham. Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watson, and CORE SDI S.A. 
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL SIMON TATHAM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. In particular, anybody (even companies) can use PuTTY without restriction (even for commercial purposes) and owe nothing to me or anybody else. Also, apart from having to maintain the copyright notice and the licence text in derivative products, anybody (even companies) can adapt the PuTTY source code into their own programs and products (even commercial products) and owe nothing to me or anybody else. And, of course, there is no warranty and if PuTTY causes you damage you're on your own, so don't use it if you're unhappy with that. In particular, note that the MIT licence is compatible with the GNU GPL. So if you want to incorporate PuTTY or pieces of PuTTY into a GPL program, there's no problem with that. 
-------------------------------------------------------------------------- starting with version 4.1.3, Firewall Builder includes uint128 class by Evan Teran http://www.codef00.com/coding.php * Copyright (c) 2008 * Evan Teran * * Permission to use, copy, modify, and distribute this software and its * documentation for any purpose and without fee is hereby granted, provided * that the above copyright notice appears in all copies and that both the * copyright notice and this permission notice appear in supporting * documentation, and that the same name not be used in advertising or * publicity pertaining to distribution of the software without specific, * written prior permission. We make no representations about the * suitability this software for any purpose. It is provided "as is" * without express or implied warranty. fwbuilder-5.3.7/doc/transfer_secuwall.1000066400000000000000000000042771303637203600201000ustar00rootroot00000000000000.\" Title: transfer_secuwall .\" Author: .\" Generator: DocBook XSL Stylesheets v1.73.2 .\" Date: 02/12/2010 .\" Manual: .\" Source: .\" .TH "TRANSFER_SECUWALL" "1" "02/12/2010" "" "" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" transfer_secuwall \- secunet wall configuration export utility .SH "SYNOPSIS" \fBtransfer_secuwall\fR [\-l] [\-h] [\-n] \-v \fIvolumeid\fR [\-f \fIfilename\&.xml\fR] [\-d \fIworkdir\fR] [\-a \fItemplatedir\fR] \fIfirewall_object_name\fR .sp The switches \-a, \-f and \-d are optional\&. If they are not specified, the appropriate defaults are used\&. .sp .SH "DESCRIPTION" transfer_secuwall(1) is a helper utility to compress and export secunet wall host OS specific firewall configuration to a portable device\&. .sp It is also capable of searching and displaying all transfer devices of a system which are suitable for config transfer\&. .sp .SH "OPTIONS" .PP \fB\-l\fR .RS 4 List all portable devices of the system\&. 
.RE .PP \fB\-h\fR .RS 4 Display help text\&. .RE .PP \fB\-n\fR .RS 4 Append firewall object name to transfer tarball\&. The default is \fBfalse\fR\&. .RE .PP \fB\-v\fR .RS 4 Transfer partition\&. Specifies the destination partition for firewall configuration export (e\&.g\&. /dev/sdc1)\&. .RE .PP \fB\-f\fR .RS 4 Firewall Builder XML file with object definition of firewall to export config\&. If not specified, the filename will be constructed from the \fIworkdir\fR and \fIfirewall_object_name\fR values: \fIworkdir\fR + \fIfwobjectname\fR + \&.fwb .RE .PP \fB\-d\fR .RS 4 Defines the working directory\&. If not specified, the current directory will be used\&. .RE .PP \fB\-a\fR .RS 4 Append files from given template directory to transfer tarball\&. .RE .PP \fIfirewall_object_name\fR .RS 4 Firewall object name\&. .RE .SH "EXAMPLES" $ transfer_secuwall \-f /tmp/cluster\&.fwb \-d /tmp \-v /dev/sdc1 fw3 .sp This will export the configuration of secunet wall firewall \fBfw3\fR to the partition \fB/dev/sdc1\fR, using the Firewall Builder XML file \fBcluster\&.fwb\fR in the working directory \fB/tmp\fR\&. .sp .SH "AUTHOR" Written by Reto Buerki \&. .sp fwbuilder-5.3.7/doc/transfer_secuwall.1.txt000066400000000000000000000033271303637203600207110ustar00rootroot00000000000000TRANSFER_SECUWALL(1) ==================== NAME ---- transfer_secuwall - secunet wall configuration export utility SYNOPSIS -------- *transfer_secuwall* [-l] [-h] [-n] -v 'volumeid' [-f 'filename.xml'] [-d 'workdir'] [-a 'templatedir'] 'firewall_object_name' The switches -a, -f and -d are optional. If they are not specified, the appropriate defaults are used. DESCRIPTION ----------- transfer_secuwall(1) is a helper utility to compress and export secunet wall host OS specific firewall configuration to a portable device. It is also capable of searching and displaying all transfer devices of a system which are suitable for config transfer. OPTIONS ------- *-l*:: List all portable devices of the system. 
*-h*:: Display help text. *-n*:: Append firewall object name to transfer tarball. The default is *false*. *-v*:: Transfer partition. Specifies the destination partition for firewall configuration export (e.g. /dev/sdc1). *-f*:: Firewall Builder XML file with object definition of firewall to export config. If not specified, the filename will be constructed from the 'workdir' and 'firewall_object_name' values: 'workdir' \+ 'fwobjectname' \+ .fwb *-d*:: Defines the working directory. If not specified, the current directory will be used. *-a*:: Append files from given template directory to transfer tarball. 'firewall_object_name':: Firewall object name. EXAMPLES -------- $ transfer_secuwall -f /tmp/cluster.fwb -d /tmp -v /dev/sdc1 fw3 This will export the configuration of secunet wall firewall *fw3* to the partition */dev/sdc1*, using the Firewall Builder XML file *cluster.fwb* in the working directory */tmp*. AUTHOR ------ Written by Reto Buerki . fwbuilder-5.3.7/docker-compose.yml000066400000000000000000000002551303637203600171530ustar00rootroot00000000000000version: '2' services: mxe-w32: build: docker/. 
command: ./build_mxe-w32.sh volumes: - .:/fwbuilder working_dir: /fwbuilder fwbuilder-5.3.7/docker/000077500000000000000000000000001303637203600147635ustar00rootroot00000000000000fwbuilder-5.3.7/docker/Dockerfile000066400000000000000000000017541303637203600167640ustar00rootroot00000000000000FROM ubuntu:16.10 # We need this to use apt-key RUN apt-get update && apt-get install -y \ dirmngr # Add mxe repos RUN echo "deb http://pkg.mxe.cc/repos/apt/debian wheezy main" > \ /etc/apt/sources.list.d/mxeapt.list && \ apt-key adv --keyserver keyserver.ubuntu.com --recv-keys D43A795B73B16ABE9643FE1AFD8FFF16DB45C6AB RUN apt-get update && apt-get install -y \ autoconf \ automake \ autopoint \ bash \ bison \ bzip2 \ flex \ gettext \ git \ g++ \ g++-multilib \ gperf \ intltool \ libc6-dev-i386 \ libffi-dev \ libgdk-pixbuf2.0-dev \ libtool \ libltdl-dev \ libssl-dev \ libxml-parser-perl \ make \ openssl \ p7zip-full \ patch \ perl \ pkg-config \ python \ ruby \ scons \ sed \ unzip \ wget \ xz-utils \ nsis \ mxe-i686-w64-mingw32.shared-qtbase \ mxe-i686-w64-mingw32.shared-libxml2 \ mxe-i686-w64-mingw32.shared-libxslt WORKDIR /root fwbuilder-5.3.7/fwbuilder3.pro000066400000000000000000000006231303637203600163050ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # TEMPLATE = subdirs SUBDIRS = src doc DOLLAR = $ build_tests.commands = ./unit_tests.sh make build_tests build_tests.depends = all run_tests.commands = ./unit_tests.sh make run_tests run_tests.depends = all tests.depends = run_tests clean_tests.commands = ./unit_tests.sh make clean_tests QMAKE_EXTRA_TARGETS += build_tests run_tests clean_tests tests fwbuilder-5.3.7/install.sh000077500000000000000000000127211303637203600155240ustar00rootroot00000000000000#! /bin/sh # # install - install a program, script, or datafile # This comes from X11R5 (mit/util/scripts/install.sh). 
# # Copyright 1991 by the Massachusetts Institute of Technology # # Permission to use, copy, modify, distribute, and sell this software and its # documentation for any purpose is hereby granted without fee, provided that # the above copyright notice appear in all copies and that both that # copyright notice and this permission notice appear in supporting # documentation, and that the name of M.I.T. not be used in advertising or # publicity pertaining to distribution of the software without specific, # written prior permission. M.I.T. makes no representations about the # suitability of this software for any purpose. It is provided "as is" # without express or implied warranty. # # Calling this script install-sh is preferred over install.sh, to prevent # `make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written # from scratch. It can only install one file at a time, a restriction # shared with many OS's install programs. # set DOITPROG to echo to test this script # Don't use :- since 4.3BSD and earlier shells don't like it. doit="${DOITPROG-}" # put in absolute paths if you don't have them in your path; or use env. vars. 
mvprog="${MVPROG-mv}" cpprog="${CPPROG-cp}" chmodprog="${CHMODPROG-chmod}" chownprog="${CHOWNPROG-chown}" chgrpprog="${CHGRPPROG-chgrp}" stripprog="${STRIPPROG-strip}" rmprog="${RMPROG-rm}" mkdirprog="${MKDIRPROG-mkdir}" transformbasename="" transform_arg="" instcmd="$mvprog" chmodcmd="$chmodprog 0755" chowncmd="" chgrpcmd="" stripcmd="" rmcmd="$rmprog -f" mvcmd="$mvprog" src="" dst="" dir_arg="" while [ x"$1" != x ]; do case $1 in -c) instcmd="$cpprog" shift continue;; -d) dir_arg=true shift continue;; -m) chmodcmd="$chmodprog $2" shift shift continue;; -o) chowncmd="$chownprog $2" shift shift continue;; -g) chgrpcmd="$chgrpprog $2" shift shift continue;; -s) stripcmd="$stripprog" shift continue;; -t=*) transformarg=`echo $1 | sed 's/-t=//'` shift continue;; -b=*) transformbasename=`echo $1 | sed 's/-b=//'` shift continue;; *) if [ x"$src" = x ] then src=$1 else # this colon is to work around a 386BSD /bin/sh bug : dst=$1 fi shift continue;; esac done if [ x"$src" = x ] then echo "install: no input file specified" exit 1 else true fi if [ x"$dir_arg" != x ]; then dst=$src src="" if [ -d $dst ]; then instcmd=: else instcmd=mkdir fi else # Waiting for this to be detected by the "$instcmd $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if [ -f $src -o -d $src ] then true else echo "install: $src does not exist" exit 1 fi if [ x"$dst" = x ] then echo "install: no destination specified" exit 1 else true fi # If destination is a directory, append the input filename; if your system # does not like double slashes in filenames, you may need to add some logic if [ -d $dst ] then dst="$dst"/`basename $src` else true fi fi ## this sed command emulates the dirname command dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` # Make sure that the destination directory exists. # this part is taken from Noah Friedman's mkinstalldirs script # Skip lots of stat calls in the usual case. if [ ! 
-d "$dstdir" ]; then defaultIFS=' ' IFS="${IFS-${defaultIFS}}" oIFS="${IFS}" # Some sh's can't handle IFS=/ for some reason. IFS='%' set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` IFS="${oIFS}" pathcomp='' while [ $# -ne 0 ] ; do pathcomp="${pathcomp}${1}" shift if [ ! -d "${pathcomp}" ] ; then $mkdirprog "${pathcomp}" else true fi pathcomp="${pathcomp}/" done fi if [ x"$dir_arg" != x ] then $doit $instcmd $dst && if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi else # If we're going to rename the final executable, determine the name now. if [ x"$transformarg" = x ] then dstfile=`basename $dst` else dstfile=`basename $dst $transformbasename | sed $transformarg`$transformbasename fi # don't allow the sed command to completely eliminate the filename if [ x"$dstfile" = x ] then dstfile=`basename $dst` else true fi # Make a temp file name in the proper directory. dsttmp=$dstdir/#inst.$$# # Move or copy the file name to the temp name $doit $instcmd $src $dsttmp && trap "rm -f ${dsttmp}" 0 && # and set any options; do chmod last to preserve setuid bits # If any of these fail, we abort the whole thing. If we want to # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $instcmd $src $dsttmp" command. if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && # Now rename the file to the real destination. 
$doit $rmcmd -f $dstdir/$dstfile && $doit $mvcmd $dsttmp $dstdir/$dstfile fi && exit 0 fwbuilder-5.3.7/m4/000077500000000000000000000000001303637203600140345ustar00rootroot00000000000000fwbuilder-5.3.7/m4/nls.m4000066400000000000000000000035051303637203600150750ustar00rootroot00000000000000# nls.m4 serial 1 (gettext-0.12) dnl Copyright (C) 1995-2003 Free Software Foundation, Inc. dnl This file is free software, distributed under the terms of the GNU dnl General Public License. As a special exception to the GNU General dnl Public License, this file may be distributed as part of a program dnl that contains a configuration script generated by Autoconf, under dnl the same distribution terms as the rest of that program. dnl dnl This file can can be used in projects which are not available under dnl the GNU General Public License or the GNU Library General Public dnl License but which still want to provide support for the GNU gettext dnl functionality. dnl Please note that the actual code of the GNU gettext library is covered dnl by the GNU Library General Public License, and the rest of the GNU dnl gettext package package is covered by the GNU General Public License. dnl They are *not* in the public domain. dnl Authors: dnl Ulrich Drepper , 1995-2000. dnl Bruno Haible , 2000-2003. AC_DEFUN([AM_NLS], [ AC_MSG_CHECKING([whether NLS is requested]) dnl Default is enabled NLS AC_ARG_ENABLE(nls, [ --disable-nls do not use Native Language Support], USE_NLS=$enableval, USE_NLS=yes) AC_MSG_RESULT($USE_NLS) AC_SUBST(USE_NLS) ]) AC_DEFUN([AM_MKINSTALLDIRS], [ dnl If the AC_CONFIG_AUX_DIR macro for autoconf is used we possibly dnl find the mkinstalldirs script in another subdir but $(top_srcdir). dnl Try to locate it. 
MKINSTALLDIRS= if test -n "$ac_aux_dir"; then case "$ac_aux_dir" in /*) MKINSTALLDIRS="$ac_aux_dir/mkinstalldirs" ;; *) MKINSTALLDIRS="\$(top_builddir)/$ac_aux_dir/mkinstalldirs" ;; esac fi if test -z "$MKINSTALLDIRS"; then MKINSTALLDIRS="\$(top_srcdir)/mkinstalldirs" fi AC_SUBST(MKINSTALLDIRS) ]) fwbuilder-5.3.7/m4/po.m4000066400000000000000000000426521303637203600147250ustar00rootroot00000000000000# po.m4 serial 3 (gettext-0.14) dnl Copyright (C) 1995-2003 Free Software Foundation, Inc. dnl This file is free software, distributed under the terms of the GNU dnl General Public License. As a special exception to the GNU General dnl Public License, this file may be distributed as part of a program dnl that contains a configuration script generated by Autoconf, under dnl the same distribution terms as the rest of that program. dnl dnl This file can can be used in projects which are not available under dnl the GNU General Public License or the GNU Library General Public dnl License but which still want to provide support for the GNU gettext dnl functionality. dnl Please note that the actual code of the GNU gettext library is covered dnl by the GNU Library General Public License, and the rest of the GNU dnl gettext package package is covered by the GNU General Public License. dnl They are *not* in the public domain. dnl Authors: dnl Ulrich Drepper , 1995-2000. dnl Bruno Haible , 2000-2003. dnl Checks for all prerequisites of the po subdirectory. AC_DEFUN([AM_PO_SUBDIRS], [ AC_REQUIRE([AC_PROG_MAKE_SET])dnl AC_REQUIRE([AC_PROG_INSTALL])dnl AC_REQUIRE([AM_MKINSTALLDIRS])dnl AC_REQUIRE([AM_NLS])dnl dnl Perform the following tests also if --disable-nls has been given, dnl because they are needed for "make dist" to work. dnl Search for GNU msgfmt in the PATH. dnl The first test excludes Solaris msgfmt and early GNU msgfmt versions. dnl The second test excludes FreeBSD msgfmt. 
AM_PATH_PROG_WITH_TEST(MSGFMT, msgfmt, [$ac_dir/$ac_word --statistics /dev/null >/dev/null 2>&1 && (if $ac_dir/$ac_word --statistics /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi)], :) AC_PATH_PROG(GMSGFMT, gmsgfmt, $MSGFMT) dnl Search for GNU xgettext 0.12 or newer in the PATH. dnl The first test excludes Solaris xgettext and early GNU xgettext versions. dnl The second test excludes FreeBSD xgettext. AM_PATH_PROG_WITH_TEST(XGETTEXT, xgettext, [$ac_dir/$ac_word --omit-header --copyright-holder= --msgid-bugs-address= /dev/null >/dev/null 2>&1 && (if $ac_dir/$ac_word --omit-header --copyright-holder= --msgid-bugs-address= /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi)], :) dnl Remove leftover from FreeBSD xgettext call. rm -f messages.po dnl Search for GNU msgmerge 0.11 or newer in the PATH. AM_PATH_PROG_WITH_TEST(MSGMERGE, msgmerge, [$ac_dir/$ac_word --update -q /dev/null /dev/null >/dev/null 2>&1], :) dnl This could go away some day; the PATH_PROG_WITH_TEST already does it. dnl Test whether we really found GNU msgfmt. if test "$GMSGFMT" != ":"; then dnl If it is no GNU msgfmt we define it as : so that the dnl Makefiles still can work. if $GMSGFMT --statistics /dev/null >/dev/null 2>&1 && (if $GMSGFMT --statistics /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi); then : ; else GMSGFMT=`echo "$GMSGFMT" | sed -e 's,^.*/,,'` AC_MSG_RESULT( [found $GMSGFMT program is not GNU msgfmt; ignore it]) GMSGFMT=":" fi fi dnl This could go away some day; the PATH_PROG_WITH_TEST already does it. dnl Test whether we really found GNU xgettext. if test "$XGETTEXT" != ":"; then dnl If it is no GNU xgettext we define it as : so that the dnl Makefiles still can work. 
if $XGETTEXT --omit-header --copyright-holder= --msgid-bugs-address= /dev/null >/dev/null 2>&1 && (if $XGETTEXT --omit-header --copyright-holder= --msgid-bugs-address= /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi); then : ; else AC_MSG_RESULT( [found xgettext program is not GNU xgettext; ignore it]) XGETTEXT=":" fi dnl Remove leftover from FreeBSD xgettext call. rm -f messages.po fi AC_OUTPUT_COMMANDS([ for ac_file in $CONFIG_FILES; do # Support "outfile[:infile[:infile...]]" case "$ac_file" in *:*) ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; esac # PO directories have a Makefile.in generated from Makefile.in.in. case "$ac_file" in */Makefile.in) # Adjust a relative srcdir. ac_dir=`echo "$ac_file"|sed 's%/[^/][^/]*$%%'` ac_dir_suffix="/`echo "$ac_dir"|sed 's%^\./%%'`" ac_dots=`echo "$ac_dir_suffix"|sed 's%/[^/]*%../%g'` # In autoconf-2.13 it is called $ac_given_srcdir. # In autoconf-2.50 it is called $srcdir. test -n "$ac_given_srcdir" || ac_given_srcdir="$srcdir" case "$ac_given_srcdir" in .) top_srcdir=`echo $ac_dots|sed 's%/$%%'` ;; /*) top_srcdir="$ac_given_srcdir" ;; *) top_srcdir="$ac_dots$ac_given_srcdir" ;; esac if test -f "$ac_given_srcdir/$ac_dir/POTFILES.in"; then rm -f "$ac_dir/POTFILES" test -n "$as_me" && echo "$as_me: creating $ac_dir/POTFILES" || echo "creating $ac_dir/POTFILES" cat "$ac_given_srcdir/$ac_dir/POTFILES.in" | sed -e "/^#/d" -e "/^[ ]*\$/d" -e "s,.*, $top_srcdir/& \\\\," | sed -e "\$s/\(.*\) \\\\/\1/" > "$ac_dir/POTFILES" POMAKEFILEDEPS="POTFILES.in" # ALL_LINGUAS, POFILES, UPDATEPOFILES, DUMMYPOFILES, GMOFILES depend # on $ac_dir but don't depend on user-specified configuration # parameters. if test -f "$ac_given_srcdir/$ac_dir/LINGUAS"; then # The LINGUAS file contains the set of available languages. 
if test -n "$OBSOLETE_ALL_LINGUAS"; then test -n "$as_me" && echo "$as_me: setting ALL_LINGUAS in configure.in is obsolete" || echo "setting ALL_LINGUAS in configure.in is obsolete" fi ALL_LINGUAS_=`sed -e "/^#/d" "$ac_given_srcdir/$ac_dir/LINGUAS"` # Hide the ALL_LINGUAS assigment from automake. eval 'ALL_LINGUAS''=$ALL_LINGUAS_' POMAKEFILEDEPS="$POMAKEFILEDEPS LINGUAS" else # The set of available languages was given in configure.in. eval 'ALL_LINGUAS''=$OBSOLETE_ALL_LINGUAS' fi # Compute POFILES # as $(foreach lang, $(ALL_LINGUAS), $(srcdir)/$(lang).po) # Compute UPDATEPOFILES # as $(foreach lang, $(ALL_LINGUAS), $(lang).po-update) # Compute DUMMYPOFILES # as $(foreach lang, $(ALL_LINGUAS), $(lang).nop) # Compute GMOFILES # as $(foreach lang, $(ALL_LINGUAS), $(srcdir)/$(lang).gmo) case "$ac_given_srcdir" in .) srcdirpre= ;; *) srcdirpre='$(srcdir)/' ;; esac POFILES= UPDATEPOFILES= DUMMYPOFILES= GMOFILES= for lang in $ALL_LINGUAS; do POFILES="$POFILES $srcdirpre$lang.po" UPDATEPOFILES="$UPDATEPOFILES $lang.po-update" DUMMYPOFILES="$DUMMYPOFILES $lang.nop" GMOFILES="$GMOFILES $srcdirpre$lang.gmo" done # CATALOGS depends on both $ac_dir and the user's LINGUAS # environment variable. INST_LINGUAS= if test -n "$ALL_LINGUAS"; then for presentlang in $ALL_LINGUAS; do useit=no if test "%UNSET%" != "$LINGUAS"; then desiredlanguages="$LINGUAS" else desiredlanguages="$ALL_LINGUAS" fi for desiredlang in $desiredlanguages; do # Use the presentlang catalog if desiredlang is # a. equal to presentlang, or # b. a variant of presentlang (because in this case, # presentlang can be used as a fallback for messages # which are not translated in the desiredlang catalog). 
case "$desiredlang" in "$presentlang"*) useit=yes;; esac done if test $useit = yes; then INST_LINGUAS="$INST_LINGUAS $presentlang" fi done fi CATALOGS= if test -n "$INST_LINGUAS"; then for lang in $INST_LINGUAS; do CATALOGS="$CATALOGS $lang.gmo" done fi test -n "$as_me" && echo "$as_me: creating $ac_dir/Makefile" || echo "creating $ac_dir/Makefile" sed -e "/^POTFILES =/r $ac_dir/POTFILES" -e "/^# Makevars/r $ac_given_srcdir/$ac_dir/Makevars" -e "s|@POFILES@|$POFILES|g" -e "s|@UPDATEPOFILES@|$UPDATEPOFILES|g" -e "s|@DUMMYPOFILES@|$DUMMYPOFILES|g" -e "s|@GMOFILES@|$GMOFILES|g" -e "s|@CATALOGS@|$CATALOGS|g" -e "s|@POMAKEFILEDEPS@|$POMAKEFILEDEPS|g" "$ac_dir/Makefile.in" > "$ac_dir/Makefile" for f in "$ac_given_srcdir/$ac_dir"/Rules-*; do if test -f "$f"; then case "$f" in *.orig | *.bak | *~) ;; *) cat "$f" >> "$ac_dir/Makefile" ;; esac fi done fi ;; esac done], [# Capture the value of obsolete ALL_LINGUAS because we need it to compute # POFILES, UPDATEPOFILES, DUMMYPOFILES, GMOFILES, CATALOGS. But hide it # from automake. eval 'OBSOLETE_ALL_LINGUAS''="$ALL_LINGUAS"' # Capture the value of LINGUAS because we need it to compute CATALOGS. LINGUAS="${LINGUAS-%UNSET%}" ]) ]) dnl Postprocesses a Makefile in a directory containing PO files. AC_DEFUN([AM_POSTPROCESS_PO_MAKEFILE], [ # When this code is run, in config.status, two variables have already been # set: # - OBSOLETE_ALL_LINGUAS is the value of LINGUAS set in configure.in, # - LINGUAS is the value of the environment variable LINGUAS at configure # time. changequote(,)dnl # Adjust a relative srcdir. ac_dir=`echo "$ac_file"|sed 's%/[^/][^/]*$%%'` ac_dir_suffix="/`echo "$ac_dir"|sed 's%^\./%%'`" ac_dots=`echo "$ac_dir_suffix"|sed 's%/[^/]*%../%g'` # In autoconf-2.13 it is called $ac_given_srcdir. # In autoconf-2.50 it is called $srcdir. test -n "$ac_given_srcdir" || ac_given_srcdir="$srcdir" case "$ac_given_srcdir" in .) 
top_srcdir=`echo $ac_dots|sed 's%/$%%'` ;; /*) top_srcdir="$ac_given_srcdir" ;; *) top_srcdir="$ac_dots$ac_given_srcdir" ;; esac # Find a way to echo strings without interpreting backslash. if test "X`(echo '\t') 2>/dev/null`" = 'X\t'; then gt_echo='echo' else if test "X`(printf '%s\n' '\t') 2>/dev/null`" = 'X\t'; then gt_echo='printf %s\n' else echo_func () { cat < "$ac_file.tmp" if grep -l '@TCLCATALOGS@' "$ac_file" > /dev/null; then # Add dependencies that cannot be formulated as a simple suffix rule. for lang in $ALL_LINGUAS; do frobbedlang=`echo $lang | sed -e 's/\..*$//' -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'` cat >> "$ac_file.tmp" < /dev/null; then # Add dependencies that cannot be formulated as a simple suffix rule. for lang in $ALL_LINGUAS; do frobbedlang=`echo $lang | sed -e 's/_/-/g'` cat >> "$ac_file.tmp" <> "$ac_file.tmp" <" exit 1 } # assuming the top of fwbuilder module source code is cwd when this # script is executed BUILD_ROOT_DIR="../../" . VERSION BASE_DMG_FILE_NAME=$(basename $BUNDLE | sed 's/\.app/.dmg/') BASE_RO_DMG_FILE_NAME=$(basename $BUNDLE | sed 's/\.app/-ro.dmg/') SLA_FILE="packaging/SLA.r" DMG_FILE="${BUILD_ROOT_DIR}/$BASE_DMG_FILE_NAME" DMG_RO_FILE="${BUILD_ROOT_DIR}/${BASE_RO_DMG_FILE_NAME}" /usr/bin/hdiutil create -srcfolder $BUNDLE \ -ov -fs HFS+ -volname "Firewall Builder $VERSION" $DMG_FILE # chmod 0664 $DMG_FILE # ################################################################ # How to add license agreement to the dms image # # http://developer.apple.com/documentation/DeveloperTools/Conceptual/SoftwareDistribution/Containers/chapter_3_section_4.html # # Need "Software License Agreements for UDIFs (DMG)" # http://developer.apple.com/sdk/index.html # Instructions are in this package. The SLA prototype in this SDK was in # a format that requires resource editor which I could not find. However # SLA prototype file provided in the buildDMG package found at # http://www.objectpark.org/buildDMG.html was usable. 
The prototype comes # in file SLA.r which can be edited with XCode (just do "open SLA.r"). # I added NetCitadel license text to the file SLA.r and checked it in # as modules/fwbuilder/files/packaging/SLA.r hdiutil convert -format UDCO $DMG_FILE -o $DMG_RO_FILE hdiutil unflatten $DMG_RO_FILE Rez /Developer/Headers/FlatCarbon/*.r $SLA_FILE -a -o $DMG_RO_FILE hdiutil flatten $DMG_RO_FILE mv $DMG_RO_FILE $DMG_FILE fwbuilder-5.3.7/packaging/fwbuilder-static-qt.spec.in000066400000000000000000000057161303637203600226240ustar00rootroot00000000000000 # .spec file for statically linked fwbuilder rpm for CentOS 5.2 %define name fwbuilder %define version @VERSION@ %define release 1 %if "%_vendor" == "MandrakeSoft" %define guigroup System/Configuration/Networking %define compgroup System/Configuration/Networking %else %define guigroup Applications/System %define compgroup Applications/System %endif Summary: Firewall Builder Name: %{name} Version: %{version} Release: %{release}%{?dist} License: GPL2 Vendor: NetCitadel LLC., http://sourceforge.net/project/showfiles.php?group_id=5314 Group: %{guigroup} Url: http://www.fwbuilder.org/ Source: http://prdownloads.sourceforge.net/fwbuilder/%{name}-%{version}.tar.gz Packager: Vadim Kurland Buildroot: %{_tmppath}/%{name}-%{version}-root BuildRequires: libxml2-devel, libxslt-devel, openssl-devel Obsoletes: fwbuilder-ipt, fwbuilder-pf, fwbuilder-ipf, fwbuilder-ipfw, fwbuilder-pix, fwbuilder-iosacl, fwbuilder-cisco, libfwbuilder, libfwbuilder-devel Docdir: /usr/share/doc %description Firewall Builder consists of a GUI and set of policy compilers for various firewall platforms. It helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations. GUI generates firewall description in the form of XML file, which compilers then interpret and generate platform-specific code. Several algorithms are provided for automated network objects discovery and bulk import of data. 
The GUI and policy compilers are completely independent, this provides for a consistent abstract model and the same GUI for different firewall platforms. %prep %setup ./autogen.sh %build %configure --with-qtdir=/opt/qt44 make -j5 all %install [ -n "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != / ] && rm -rf $RPM_BUILD_ROOT make INSTALL_ROOT="${RPM_BUILD_ROOT}/" install rm -fr $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version} %clean [ -n "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != / ] && rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %dir /usr/share/fwbuilder-%version /usr/share/fwbuilder-%version /usr/bin/fwbuilder /usr/bin/fwbedit /usr/bin/fwb_iosacl /usr/bin/fwb_ipf /usr/bin/fwb_ipfw /usr/bin/fwb_ipt /usr/bin/fwb_pf /usr/bin/fwb_pix /usr/bin/fwb_procurve_acl %doc doc/AUTHORS %doc doc/COPYING %doc doc/Credits %doc doc/ChangeLog %doc doc/PatchAcceptancePolicy.txt %doc doc/README.floppyfw %doc doc/README.iosacl %doc doc/README.ipf %doc doc/README.ipfw %doc doc/README.ipt %doc doc/README.pf %doc doc/README.pix %doc doc/README.pix_routing %doc doc/README.routing %doc doc/README.policy_import %doc doc/README.iosacl %doc doc/FWBuilder-Routing-LICENSE.txt %{_mandir}/man1/fwbuilder.1* %{_mandir}/man1/fwbedit.1* %{_mandir}/man1/fwb_iosacl.1* %{_mandir}/man1/fwb_ipf.1* %{_mandir}/man1/fwb_ipfw.1* %{_mandir}/man1/fwb_ipt.1* %{_mandir}/man1/fwb_pf.1* %{_mandir}/man1/fwb_pix.1* %{_datadir}/applications/*.desktop %{_datadir}/icons/hicolor/*/apps/%name.png fwbuilder-5.3.7/packaging/fwbuilder.control.in000066400000000000000000000007501303637203600214340ustar00rootroot00000000000000Package: fwbuilder Conflicts: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linux, fwbuilder-doc, libfwbuilder Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linux, fwbuilder-doc, libfwbuilder Priority: extra Section: checkinstall Maintainer: vadim@fwbuilder.org Version: @VERSION@-1 Depends: libqt4-gui (>= 4.4.0), libqt4-network (>= 4.4.0), libxml2, 
libxslt1.1, libsnmp | libsnmp15 Description: Firewall Builder GUI and policy compilers fwbuilder-5.3.7/packaging/fwbuilder.nsi.in000077500000000000000000000324631303637203600205560ustar00rootroot00000000000000; fwbuilder.nsi ; ; !verbose 1 ;-------------------------------- ;Variables Var MUI_TEMP Var STARTMENU_FOLDER ; GENERATION is used to build the path in the registry, it should be coordinated ; with the path defined in FWBSettings class ; !define GENERATION "@GENERATION@" !define GENERATION_SHORT "@GENERATION_SHORT@" !define VERSION "@VERSION@" !define APPNAME "FirewallBuilder-${GENERATION}" ;------------------------------------------------------------------------------ ; GetWindowsVersion ; ; Based on Yazno's function, http://yazno.tripod.com/powerpimpit/ ; Returns on top of stack ; ; Windows Version (95, 98, ME, NT x.x, 2000) ; or ; '' (Unknown Windows Version) ; ; Usage: ; Call GetWindowsVersion ; Pop $0 ; ; at this point $0 is "NT 4.0" or whatnot Function GetWindowsVersion Push $0 Push $9 ReadRegStr $0 HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion" CurrentVersion StrCmp $0 "" 0 lbl_winnt ; we are not NT. 
ReadRegStr $0 HKLM SOFTWARE\Microsoft\Windows\CurrentVersion VersionNumber StrCpy $9 $0 1 StrCmp $9 '4' 0 lbl_error StrCpy $9 $0 3 StrCmp $9 '4.0' lbl_win32_95 StrCmp $9 '4.9' lbl_win32_ME lbl_win32_98 lbl_win32_95: StrCpy $0 '95' Goto lbl_done lbl_win32_98: StrCpy $0 '98' Goto lbl_done lbl_win32_ME: StrCpy $0 'ME' Goto lbl_done lbl_winnt: StrCpy $9 $0 1 StrCmp $9 '3' lbl_winnt_x StrCmp $9 '4' lbl_winnt_x StrCmp $9 '5' lbl_winnt_5 StrCmp $9 '6' lbl_winnt_6 lbl_error lbl_winnt_x: StrCpy $0 "NT $0" 6 Goto lbl_done lbl_winnt_5: Strcpy $0 '2000' Goto lbl_done lbl_winnt_6: Strcpy $0 'Vista' Goto lbl_done lbl_error: Strcpy $0 '' lbl_done: Pop $9 Exch $0 FunctionEnd Function .onInit Call GetWindowsVersion Pop $0 StrCmp $0 "NT 4.0" lbl_done check_2000 check_2000: StrCmp $0 "2000" lbl_done check_vista check_vista: StrCmp $0 "Vista" lbl_done lbl_error lbl_error: MessageBox MB_OK "Firewall Builder supports only Windows 2000, Windows XP and Vista platform." Abort lbl_done: FunctionEnd Function un.UninstallSurveyPageText IfFileExists $PROFILE\fwb4*license* +4 0 IfFileExists $PROFILE\Documents\fwb4*license* +3 0 MessageBox MB_YESNO "Help us improve Firewall Builder! If you are \ uninstalling because you don't plan to use the software please fill out \ a short survey to tell us why you are leaving and what we can do better.\ $\n\ $\n\ Click Yes to open the survey in your web browser, click No to exit the \ uninstaller." 
IDNO +2 ExecShell open "http://www.fwbuilder.org/uninstall_survey.html" ; MessageBox MB_ICONSTOP "Continuing uninstaller" FunctionEnd ;**************************************************************************** ;Include Modern UI !include "MUI2.nsh" ;**************************************************************************** setCompressor lzma Name "Firewall Builder ${GENERATION}" Caption "Firewall Builder installation" OutFile "fwbuilder-${VERSION}.exe" ; Default installation folder InstallDir "$PROGRAMFILES\FWBuilder-${GENERATION}" ;**************************************************************************** ; We need to keep installation data and program settings in ; registry folders with different names. QSettings always looks into ; Current User registry first, so if the folders have the same names, ; then we store evaluation key in Current User, while it is better ; to put it in the Local Machine branch. ; ; So, installation data goes to HKLM Software\NetCitadel\FirewallBuilder\2.1 ; and settings to HKCU Software\NetCitadel\FirewallBuilder2_1 ; ; fwbuilder-lm determines folder path for the license file by ; reading key Install_Dir under HKLM Software\NetCitadel\FirewallBuilder\2.1 ; ;**************************************************************************** ; ; Get installation folder from registry if available InstallDirRegKey HKLM Software\NetCitadel\${APPNAME} "Install_Dir" ;**************************************************************************** ;Interface Settings !define MUI_ABORTWARNING ;Start Menu Folder Page Configuration !define MUI_STARTMENUPAGE_REGISTRY_ROOT "HKLM" !define MUI_STARTMENUPAGE_REGISTRY_KEY "Software\NetCitadel\${APPNAME}" !define MUI_STARTMENUPAGE_REGISTRY_VALUENAME "Start Menu Folder" LicenseText "GNU GENERAL PUBLIC LICENSE" LicenseData "doc\COPYING" !define MUI_HEADERIMAGE !define MUI_HEADERIMAGE_BITMAP packaging\fwbuilder-160x60.bmp !define MUI_WELCOMEFINISHPAGE_BITMAP packaging\fwbuilder-164x314.bmp 
;**************************************************************************** ; The following macros add PageEx statements !insertmacro MUI_PAGE_LICENSE "doc\COPYING" ; !insertmacro MUI_PAGE_COMPONENTS !insertmacro MUI_PAGE_DIRECTORY !insertmacro MUI_PAGE_STARTMENU Application $STARTMENU_FOLDER !insertmacro MUI_PAGE_INSTFILES ; Uninstaller starts with a custom page that asks the user to fill survey !insertmacro MUI_UNPAGE_CONFIRM !insertmacro MUI_UNPAGE_INSTFILES ; UninstPage custom un.UninstallSurveyPageText ; Set language !insertmacro MUI_LANGUAGE "English" ;**************************************************************************** ; Request elevated priviliges RequestExecutionLevel admin ;**************************************************************************** ; The stuff to install Section "FWBuilder (required)" ; Set output path to the installation directory. ; SetOutPath $INSTDIR SetOutPath $INSTDIR\resources File src\res\resources.xml File src\res\templates.xml File src\res\objects_init.xml File src\libfwbuilder\etc\fwbuilder.dtd File /r src\res\configlets File /r src\res\help File /r src\res\os File /r src\res\platform File /r src\libfwbuilder\migration SetOutPath $INSTDIR\resources\locale ; we have no working translations for v4 and v5 ; File src\libgui\*.qm SetOutPath $INSTDIR File /oname=COPYING.doc doc\COPYING File "doc\FWBuilder-Routing-LICENSE.txt" File "doc\README.iosacl" File "doc\README.ipt" File "doc\README.ipf" File "doc\README.ipfw" File "doc\README.pf" File "doc\README.pix" File "doc\README.pix_routing" File "doc\README.routing" File "doc\README.nxosacl" File "doc\README.junos" File /oname=fwbuilder.ico "src\gui\fwbuilder-windows.ico" File /a "src\gui\release\fwbuilder.exe" File /a "src\fwbedit\release\fwbedit.exe" File /a "src\iosacl\release\fwb_iosacl.exe" File /a "src\ipt\release\fwb_ipt.exe" File /a "src\ipf\release\fwb_ipf.exe" File /a "src\ipfw\release\fwb_ipfw.exe" File /a "src\pf\release\fwb_pf.exe" File /a 
"src\pix\release\fwb_pix.exe" File /a "src\procurve_acl\release\fwb_procurve_acl.exe" File /a "src\nxosacl\release\fwb_nxosacl.exe" File /a "src\junosacl\release\fwb_junosacl.exe" ; Install Qt and its dependencies File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/qt5/bin/Qt5Core.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/qt5/bin/Qt5Gui.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/qt5/bin/Qt5Network.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/qt5/bin/Qt5PrintSupport.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/qt5/bin/Qt5Widgets.dll" File /r "/usr/lib/mxe/usr/i686-w64-mingw32.shared/qt5/plugins/platforms" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libbz2.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libgcc_s_sjlj-1.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libglib-2.0-0.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libharfbuzz-0.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libiconv-2.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libintl-8.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libpcre-1.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libpcre16-0.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libpng16-16.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libstdc++-6.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libwinpthread-1.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libxml2-2.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libxslt-1.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/ssleay32.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/zlib1.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libeay32.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/libfreetype-6.dll" File "/usr/lib/mxe/usr/i686-w64-mingw32.shared/bin/liblzma-5.dll" ; Install RCS for these files ; File "w32-bin\ci.exe" File "w32-bin\co.exe" File "w32-bin\rcs.exe" File "w32-bin\rcsdiff.exe" File "w32-bin\rlog.exe" 
File "w32-bin\diff.exe" File "w32-bin\rcslib.dll" ;; Starting with 4.0.2, we now package putty tools with fwbuilder File "w32-bin\plink.exe" File "w32-bin\pscp.exe" ; Write the installation path into the registry WriteRegStr HKLM Software\NetCitadel\${APPNAME} "Install_Dir" "$INSTDIR" ; Write the uninstall keys for Windows WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\FWBuilder ${GENERATION}" "DisplayName" "Firewall Builder ${GENERATION}" WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\FWBuilder ${GENERATION}" "UninstallString" '"$INSTDIR\uninstall.exe"' WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\FWBuilder ${GENERATION}" "Publisher" "https://github.com/fwbuilder" WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\FWBuilder ${GENERATION}" "DisplayVersion" "${VERSION}" ; Write file associations and icons WriteRegStr HKLM "Software\Classes\.fwb" "" "fwbfile" WriteRegStr HKLM "Software\Classes\fwbfile\shell\open\command" "" "$INSTDIR\fwbuilder.exe -noexec %1" WriteRegStr HKLM "Software\Classes\fwbfile\DefaultIcon" "" "$INSTDIR\fwbuilder.exe,0" WriteRegStr HKLM "Software\Classes\.fwl" "" "fwlfile" WriteRegStr HKLM "Software\Classes\fwlfile\shell\open\command" "" "$INSTDIR\fwbuilder.exe -noexec %1" WriteRegStr HKLM "Software\Classes\fwlfile\DefaultIcon" "" "$INSTDIR\fwbuilder.exe,0" ; Create registry entry for putty session with ssh keepalive WriteRegDWORD HKCU "Software\SimonTatham\PuTTY\Sessions\fwb_session_with_keepalive" "PingInterval" "0" WriteRegDWORD HKCU "Software\SimonTatham\PuTTY\Sessions\fwb_session_with_keepalive" "PingIntervalSecs" "10" ; ======================================================================== ; Configure installer to use our prepackaged plink.exe and pscp.exe but only if it was not configured before ; ; ******** THESE KEYS MUST MATCH THOSE USED BY the class FWBSettings ; ReadRegStr $0 HKCU "Software\netcitadel.com\${APPNAME}\${GENERATION}\SSH" 
"SSHPath" StrCmp $0 "" 0 +3 WriteRegStr HKCU "Software\netcitadel.com\${APPNAME}\${GENERATION}\SSH" "SSHPath" "$INSTDIR\plink.exe" WriteRegStr HKCU "Software\netcitadel.com\${APPNAME}\${GENERATION}\SSH" "SCPPath" "$INSTDIR\pscp.exe" ; ======================================================================== !insertmacro MUI_STARTMENU_WRITE_BEGIN Application ; Setting var context to "all" makes Start menu shortcuts appear for all ; users ; SetShellVarContext all CreateDirectory "$SMPROGRAMS\$STARTMENU_FOLDER" CreateShortCut "$SMPROGRAMS\$STARTMENU_FOLDER\FWBuilder.lnk" "$INSTDIR\fwbuilder.exe" "" "$INSTDIR\fwbuilder.ico" CreateShortCut "$SMPROGRAMS\$STARTMENU_FOLDER\Uninstall.lnk" "$INSTDIR\uninstall.exe" "" "$INSTDIR\uninstall.exe" 0 !insertmacro MUI_STARTMENU_WRITE_END WriteUninstaller "uninstall.exe" SectionEnd ;============================================================================= ; uninstall stuff UninstallText "This will uninstall FWBuilder. Hit next to continue." ;============================================================================= Section "Uninstall" ; remove registry keys DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\FWBuilder ${GENERATION}" DeleteRegKey HKLM "Software\NetCitadel\${APPNAME}" ; delete obsolete registry folder, not used in v3.x but could be left over from older versions DeleteRegKey HKCU "Software\NetCitadel LLC\Firewall Builder" DeleteRegKey HKCU "Software\netcitadel.com\${APPNAME}" DeleteRegKey /ifempty HKCU "Software\netcitadel.com\${APPNAME}" DeleteRegKey /ifempty HKCU "Software\netcitadel.com" DeleteRegKey HKCR ".fwb" DeleteRegKey HKCR ".fwl" DeleteRegKey HKCR "fwbfile" DeleteRegKey HKCR "fwlfile" DeleteRegKey HKCR "FirewallBuilder.AssocFile.FWB" DeleteRegKey HKCR "FirewallBuilder.AssocFile.FWL" ; remove files ; MUST REMOVE UNINSTALLER, too Delete $INSTDIR\uninstall.exe Delete "$INSTDIR\*.*" Delete "$INSTDIR\migration\*.*" Delete "$INSTDIR\resources\os\*.*" Delete "$INSTDIR\resources\platform\*.*" 
Delete "$INSTDIR\resources\help\*.*" Delete "$INSTDIR\resources\configlets\*.*" Delete $INSTDIR\COPYING.doc RMDir /r "$INSTDIR" ; !insertmacro MUI_STARTMENU_GETFOLDER Application $MUI_TEMP ; Delete "$SMPROGRAMS\$MUI_TEMP\*.*" ; StrCpy $MUI_TEMP "$SMPROGRAMS\$MUI_TEMP" ; Remove Start menu shortcuts !insertmacro MUI_STARTMENU_GETFOLDER Application $STARTMENU_FOLDER ; SetShellVarContext all Delete "$SMPROGRAMS\$STARTMENU_FOLDER\FWBuilder.lnk" Delete "$SMPROGRAMS\$STARTMENU_FOLDER\Uninstall.lnk" RMDir "$SMPROGRAMS\$STARTMENU_FOLDER" ; delete only if empty because there could be registry folders ; for our other products DeleteRegKey /ifempty HKLM "Software\NetCitadel" SectionEnd ; eof fwbuilder-5.3.7/packaging/fwbuilder.spec.in000066400000000000000000000057151303637203600207140ustar00rootroot00000000000000 %define name fwbuilder %define version @VERSION@ %define release 1 %if "%_vendor" == "MandrakeSoft" %define guigroup System/Configuration/Networking %define compgroup System/Configuration/Networking %else %define guigroup Applications/System %define compgroup Applications/System %endif Summary: Firewall Builder Name: %{name} Version: %{version} Release: %{release}%{?dist} License: GPL2 Vendor: NetCitadel LLC., http://sourceforge.net/project/showfiles.php?group_id=5314 Group: %{guigroup} Url: http://www.fwbuilder.org/ Source: http://prdownloads.sourceforge.net/fwbuilder/%{name}-%{version}.tar.gz Packager: Vadim Kurland Buildroot: %{_tmppath}/%{name}-%{version}-root BuildRequires: libxml2-devel, libxslt-devel, openssl-devel %if "%_vendor" == "suse" BuildRequires: qt-devel %else BuildRequires: qt4-devel %endif Obsoletes: fwbuilder-ipt, fwbuilder-pf, fwbuilder-ipf, fwbuilder-ipfw, fwbuilder-pix, fwbuilder-iosacl, fwbuilder-cisco, libfwbuilder, libfwbuilder-devel Docdir: /usr/share/doc %description Firewall Builder consists of a GUI and set of policy compilers for various firewall platforms. 
It helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations. GUI generates firewall description in the form of XML file, which compilers then interpret and generate platform-specific code. Several algorithms are provided for automated network objects discovery and bulk import of data. The GUI and policy compilers are completely independent, this provides for a consistent abstract model and the same GUI for different firewall platforms. %prep %setup ./autogen.sh %build %configure make -j5 all %install [ -n "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != / ] && rm -rf $RPM_BUILD_ROOT make INSTALL_ROOT="${RPM_BUILD_ROOT}/" install rm -fr $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version} %clean [ -n "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != / ] && rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %dir /usr/share/fwbuilder-%version /usr/share/fwbuilder-%version /usr/bin/fwbuilder /usr/bin/fwbedit /usr/bin/fwb_iosacl /usr/bin/fwb_ipf /usr/bin/fwb_ipfw /usr/bin/fwb_ipt /usr/bin/fwb_pf /usr/bin/fwb_pix /usr/bin/fwb_procurve_acl %doc doc/AUTHORS %doc doc/COPYING %doc doc/Credits %doc doc/ChangeLog %doc doc/PatchAcceptancePolicy.txt %doc doc/README.floppyfw %doc doc/README.iosacl %doc doc/README.ipf %doc doc/README.ipfw %doc doc/README.ipt %doc doc/README.pf %doc doc/README.pix %doc doc/README.pix_routing %doc doc/README.routing %doc doc/README.policy_import %doc doc/README.iosacl %doc doc/FWBuilder-Routing-LICENSE.txt %{_mandir}/man1/fwbuilder.1* %{_mandir}/man1/fwbedit.1* %{_mandir}/man1/fwb_iosacl.1* %{_mandir}/man1/fwb_ipf.1* %{_mandir}/man1/fwb_ipfw.1* %{_mandir}/man1/fwb_ipt.1* %{_mandir}/man1/fwb_pf.1* %{_mandir}/man1/fwb_pix.1* %{_datadir}/applications/*.desktop %{_datadir}/icons/hicolor/*/apps/%name.png fwbuilder-5.3.7/qmake.inc.in000066400000000000000000000137001303637203600157130ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # ########## fwbuilder/qmake.inc.in # QTDIR = $$(QTDIR) TEMPLATE = app 
DEFINES += $$(DEFINES) LANGUAGE = C++ UI_DIR = ui MANDIR = @MANDIR@ DOCDIR = @DOCDIR@ HAVE_QTDBUS = @HAVE_QTDBUS@ HAVE_CPPUNIT = @HAVE_CPPUNIT@ CPPUNIT_CFLAGS = @CPPUNIT_CFLAGS@ CPPUNIT_LIBS = @CPPUNIT_LIBS@ # CONFIG -= nostrip # CONFIG += release CONFIG += debug unix { PREFIX = @PREFIX@ ANTLR_INCLUDEPATH = @ANTLR_INCLUDEPATH@ ANTLR_LIBS = @ANTLR_LIBS@ QMAKE_CXX = @CCACHE@ @DISTCC@ $$QMAKE_CXX INCLUDEPATH += .. ../.. INCLUDEPATH += @XML_CFLAGS_Q@ @XSLT_CFLAGS_Q@ LIBS += @PTHREAD_LIBS@ @XML_LIBS@ @XSLT_LIBS@ @LIBSNMP_LIBS@ @LIB_RESOLV@ @LIBS@ UI_DIR = .ui MOC_DIR = .moc OBJECTS_DIR = .obj QMAKE_CFLAGS_DEBUG += -Wno-unused-parameter QMAKE_CFLAGS_RELEASE += -Wno-unused-parameter QMAKE_CXXFLAGS_DEBUG += -Wno-unused-parameter QMAKE_CXXFLAGS_RELEASE += -Wno-unused-parameter !macx { exec_prefix = @EXEC_PREFIX@ DESTDIR = ICONSDIR = @ICONSDIR@ target.path = $$PREFIX/bin dtd.path = @RES_DIR@/ migration.path = @RES_DIR@/migration doc.path = @DOCDIR@ datadir.path = @DATADIR@ res.path = @RES_DIR@ res_os.path = $$res.path/os/ res_platform.path = $$res.path/platform/ res_help_C.path = $$res.path/help/C res_help_en_US.path = $$res.path/help/en_US res_desktop.path = @DATADIR@/applications/ res_configlets.path = $$res.path/configlets # INSTALLS += icns # LIBS += @LIBS@ PKGLOCALEDIR = $$res.path/locale CONFIG += warn_on # DEFINES += __STDC_FORMAT_MACROS } } win32 { # Keep this as a absolute full path. For some reason, when # I leave it is up to qmake to define this variable, and it # makes it "xcopy /i /y /s /q", I get an error "Invalid number of parameters" # even though command line looks correct. Chances are, there is another # xcopy somewhere on the system that gets used, but I could not find it. # Setting this variable using full path works. 
QMAKE_COPY_DIR = C:\\Windows\\System32\\xcopy /I /Y /S /Q PREFIX = "c:/tmp/build_root" DOCDIR = "$$PREFIX/doc/fwbuilder" exec_prefix = "$$PREFIX" MANDIR = "$$PREFIX/man/" DESTDIR = "" doc.path = $$DOCDIR target.path = $$PREFIX/ res.path = $$PREFIX/resources res_os.path = $$res.path/os res_platform.path = $$res.path/platform res_help_C.path = $$res.path/help/C res_help_en_US.path = $$res.path/help/en_US res_configlets.path = $$res.path/configlets PKGLOCALEDIR = $$res.path/locale CONFIG += qt thread rtti stl warn_on release CONFIG -= debug BINARY_SUBDIR = release DEFINES += LIBXML_STATIC LIBXSLT_STATIC DEFINES += LIBEXSLT_STATIC XMLSEC_STATIC DEFINES += WIN32_LEAN_AND_MEAN INCLUDEPATH += "../.." INCLUDEPATH += $$(TOOLCHAIN_PREFIX)/include $$(TOOLCHAIN_PREFIX)/include/libxml2 $$(TOOLCHAIN_PREFIX)/include/net-snmp /include LIBS += -L$$(TOOLCHAIN_PREFIX)/lib -L$$(TOOLCHAIN_PREFIX)/bin # LIBS += -l xslt -l xml2 -l iconv -l pthread -l ws2_32 #LIBS += -l xslt -l xml2 -l iconv -l pthread -l netsnmp -l ws2_32 LIBS += -lxslt -lxml2 -liconv -lpthread -lz -lws2_32 # workaround for QT += dbus not working atm # Standard QT binary Windows distribution does not include QtDBus library # Checked with 4.4.1 and 4.4.3 06/12/2009 # LIBS += -lQtDBus target.path = $$PREFIX/bin # on windows we use antlr DLL HAVE_ANTLR_RUNTIME = 1 HAVE_EXTERNAL_ANTLR = 0 antlr.path = $$PREFIX/lib # Qt on windows does not have DBus framework support, turn parts of .pro files off # HAVE_QTDBUS = ANTLR_INCLUDEPATH = .. 
ANTLR_LIBS = ../antlr/release/libantlr.a # our parsers are linked as a library (code is in src/parsers) FWBPARSER_LIB = ../parsers/release/libfwbparser.a # fwtransfer library for secuwall (and possibly other os/platform) # override the name for windows # FWTRANSFER_LIB = ../fwtransfer/release/libfwtransfer.a } macx { # PREFIX = "$$DESTDIR" DOCDIR = "$$PREFIX/doc/" MANDIR = "$$PREFIX/share/man" # These do not really matter because we never run make install on Mac OS X target.path = $$PREFIX/ res.path = $$PREFIX/resources/ res_os.path = $$res.path/os res_platform.path = $$res.path/platform res_help_C.path = $$res.path/help/C res_help_en_US.path = $$res.path/help/en_US res_configlets.path = $$res.path/configlets icns.files = fwbuilder.icns icns.path = $$PREFIX/ PKGLOCALEDIR = $$res.path/locale # If I build on 10.6 without these, generated binary depends on # /usr/lib/libxml2.2.dynlib that has compatibility version 10.0.0 # which does not work on 10.5 where its compatibility version is # 9.0.0. Chances are, the same thing may be happening with other # dependency libraries. Building on 10.6 with deployment target 10.5 # should solve the problem QMAKE_MACOSX_DEPLOYMENT_TARGET = $$(QMAKE_MACOSX_DEPLOYMENT_TARGET) QMAKE_CXXFLAGS += -mmacosx-version-min=$$(QMAKE_MACOSX_DEPLOYMENT_TARGET) QMAKE_MAC_SDK = $$(QMAKE_MAC_SDK) CONFIG += qt thread rtti stl warn_on debug # release # not compiling for PPC because of problems on Snow Leopard CONFIG -= x86 CONFIG += x86_64 # See http://trolltech.com/developer/task-tracker/index_html?method=entry&id=211852 # for why ppc architecture is commented out. # If Trolltech does not fix it by the time of release v3.0, will have # to figure out workaround (turn off precompiled headers ?) 
# CONFIG += ppc INCLUDEPATH += $(INSTALL_ROOT)/$$PREFIX/include/ INCLUDEPATH += /usr/include/libxml2 /usr/include QMAKE_LIBS_QT = QMAKE_LIBS_QT_THREAD = # LIBS += $$LIBS_FWBUILDER LIBS += -lxml2 -lz LIBS += -lpthread } FWB_SIG = $$(FWB_SIG) if (isEmpty(FWB_SIG)) { FWB_SIG=26932 } DEFINES += FWB_SIG=$$FWB_SIG QMAKE_CXXFLAGS_DEBUG += -D__STDC_FORMAT_MACROS QMAKE_CXXFLAGS_RELEASE += -D__STDC_FORMAT_MACROS exists(qmake2.inc) { include(qmake2.inc) } INSTALLS += target fwbuilder-5.3.7/runqmake.sh000077500000000000000000000004311303637203600156740ustar00rootroot00000000000000#!/bin/sh test -z "${QMAKE}" && QMAKE="qmake" C="-recursive" test -n "$QMAKESPEC" && C="$C -spec $QMAKESPEC " echo "QTDIR=\"$QTDIR\"" echo "Running qmake: $QMAKE $C" oIFS=$IFS IFS=" " test -z "$EXTRA_CXXFLAGS" || FLAGS="QMAKE_CXXFLAGS += $EXTRA_CXXFLAGS" $QMAKE "$FLAGS" $C fwbuilder-5.3.7/src/000077500000000000000000000000001303637203600143035ustar00rootroot00000000000000fwbuilder-5.3.7/src/antlr/000077500000000000000000000000001303637203600154235ustar00rootroot00000000000000fwbuilder-5.3.7/src/antlr/ANTLRException.hpp000066400000000000000000000025261303637203600207000ustar00rootroot00000000000000#ifndef INC_ANTLRException_hpp__ #define INC_ANTLRException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API ANTLRException { public: /// Create ANTLR base exception without error message ANTLRException() : text("") { } /// Create ANTLR base exception with error message ANTLRException(const ANTLR_USE_NAMESPACE(std)string& s) : text(s) { } virtual ~ANTLRException() throw() { } /** Return complete error message with line/column number info (if present) * @note for your own exceptions override this one. Call getMessage from * here to get the 'clean' error message stored in the text attribute. 
*/ virtual ANTLR_USE_NAMESPACE(std)string toString() const { return text; } /** Return error message without additional info (if present) * @note when making your own exceptions classes override toString * and call in toString getMessage which relays the text attribute * from here. */ virtual ANTLR_USE_NAMESPACE(std)string getMessage() const { return text; } private: ANTLR_USE_NAMESPACE(std)string text; }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_ANTLRException_hpp__ fwbuilder-5.3.7/src/antlr/ANTLRUtil.cpp000066400000000000000000000070731303637203600176540ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** Eat whitespace from the input stream * @param is the stream to read from */ ANTLR_USE_NAMESPACE(std)istream& eatwhite( ANTLR_USE_NAMESPACE(std)istream& is ) { char c; while( is.get(c) ) { #ifdef ANTLR_CCTYPE_NEEDS_STD if( !ANTLR_USE_NAMESPACE(std)isspace(c) ) #else if( !isspace(c) ) #endif { is.putback(c); break; } } return is; } /** Read a string enclosed by '"' from a stream. Also handles escaping of \". * Skips leading whitespace. * @param in the istream to read from. * @returns the string read from file exclusive the '"' * @throws IOException if string is badly formatted */ ANTLR_USE_NAMESPACE(std)string read_string( ANTLR_USE_NAMESPACE(std)istream& in ) { char ch; ANTLR_USE_NAMESPACE(std)string ret(""); // States for a simple state machine... 
enum { START, READING, ESCAPE, FINISHED }; int state = START; eatwhite(in); while( state != FINISHED && in.get(ch) ) { switch( state ) { case START: // start state: check wether starting with " then switch to READING if( ch != '"' ) throw IOException("string must start with '\"'"); state = READING; continue; case READING: // reading state: look out for escape sequences and closing " if( ch == '\\' ) // got escape sequence { state = ESCAPE; continue; } if( ch == '"' ) // close quote -> stop { state = FINISHED; continue; } ret += ch; // else append... continue; case ESCAPE: switch(ch) { case '\\': ret += ch; state = READING; continue; case '"': ret += ch; state = READING; continue; case '0': ret += '\0'; state = READING; continue; default: // unrecognized escape is not mapped ret += '\\'; ret += ch; state = READING; continue; } } } if( state != FINISHED ) throw IOException("badly formatted string: "+ret); return ret; } /* Read a ([A-Z][0-9][a-z]_)* kindoff thing. Skips leading whitespace. * @param in the istream to read from. */ ANTLR_USE_NAMESPACE(std)string read_identifier( ANTLR_USE_NAMESPACE(std)istream& in ) { char ch; ANTLR_USE_NAMESPACE(std)string ret(""); eatwhite(in); while( in.get(ch) ) { #ifdef ANTLR_CCTYPE_NEEDS_STD if( ANTLR_USE_NAMESPACE(std)isupper(ch) || ANTLR_USE_NAMESPACE(std)islower(ch) || ANTLR_USE_NAMESPACE(std)isdigit(ch) || ch == '_' ) #else if( isupper(ch) || islower(ch) || isdigit(ch) || ch == '_' ) #endif ret += ch; else { in.putback(ch); break; } } return ret; } /** Read a attribute="value" thing. Leading whitespace is skipped. * Between attribute and '=' no whitespace is allowed. After the '=' it is * permitted. * @param in the istream to read from. * @param attribute string the attribute name is put in * @param value string the value of the attribute is put in * @throws IOException if something is fishy. E.g. 
malformed quoting * or missing '=' */ void read_AttributeNValue( ANTLR_USE_NAMESPACE(std)istream& in, ANTLR_USE_NAMESPACE(std)string& attribute, ANTLR_USE_NAMESPACE(std)string& value ) { attribute = read_identifier(in); char ch; if( in.get(ch) && ch == '=' ) value = read_string(in); else throw IOException("invalid attribute=value thing "+attribute); } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/ANTLRUtil.hpp000066400000000000000000000032061303637203600176530ustar00rootroot00000000000000#ifndef INC_ANTLRUtil_hpp__ #define INC_ANTLRUtil_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** Eat whitespace from the input stream * @param is the stream to read from */ ANTLR_USE_NAMESPACE(std)istream& eatwhite( ANTLR_USE_NAMESPACE(std)istream& is ); /** Read a string enclosed by '"' from a stream. Also handles escaping of \". * Skips leading whitespace. * @param in the istream to read from. * @returns the string read from file exclusive the '"' * @throws ios_base::failure if string is badly formatted */ ANTLR_USE_NAMESPACE(std)string read_string( ANTLR_USE_NAMESPACE(std)istream& in ); /* Read a ([A-Z][0-9][a-z]_)* kindoff thing. Skips leading whitespace. * @param in the istream to read from. */ ANTLR_USE_NAMESPACE(std)string read_identifier( ANTLR_USE_NAMESPACE(std)istream& in ); /** Read a attribute="value" thing. Leading whitespace is skipped. * Between attribute and '=' no whitespace is allowed. After the '=' it is * permitted. * @param in the istream to read from. * @param attribute string the attribute name is put in * @param value string the value of the attribute is put in * @throws ios_base::failure if something is fishy. E.g. 
malformed quoting * or missing '=' */ void read_AttributeNValue( ANTLR_USE_NAMESPACE(std)istream& in, ANTLR_USE_NAMESPACE(std)string& attribute, ANTLR_USE_NAMESPACE(std)string& value ); #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif fwbuilder-5.3.7/src/antlr/AST.hpp000066400000000000000000000121751303637203600165710ustar00rootroot00000000000000#ifndef INC_AST_hpp__ #define INC_AST_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif struct ASTRef; class ANTLR_API AST { public: AST() : ref(0) {} AST(const AST&) : ref(0) {} virtual ~AST() {} /// Return the type name for this AST node. (for XML output) virtual const char* typeName( void ) const = 0; /// Clone this AST node. virtual RefAST clone( void ) const = 0; /// Is node t equal to this in terms of token type and text? virtual bool equals(RefAST t) const = 0; /** Is t an exact structural and equals() match of this tree. The * 'this' reference is considered the start of a sibling list. */ virtual bool equalsList(RefAST t) const = 0; /** Is 't' a subtree of this list? The siblings of the root are NOT ignored. */ virtual bool equalsListPartial(RefAST t) const = 0; /** Is tree rooted at 'this' equal to 't'? The siblings of 'this' are * ignored. */ virtual bool equalsTree(RefAST t) const = 0; /** Is 't' a subtree of the tree rooted at 'this'? The siblings of * 'this' are ignored. */ virtual bool equalsTreePartial(RefAST t) const = 0; /** Walk the tree looking for all exact subtree matches. Return * a vector of RefAST that lets the caller walk the list * of subtree roots found herein. */ virtual ANTLR_USE_NAMESPACE(std)vector findAll(RefAST t) = 0; /** Walk the tree looking for all subtrees. Return * a vector of RefAST that lets the caller walk the list * of subtree roots found herein. 
*/ virtual ANTLR_USE_NAMESPACE(std)vector findAllPartial(RefAST t) = 0; /// Add a node to the end of the child list for this node virtual void addChild(RefAST c) = 0; /// Get the number of children. Returns 0 if the node is a leaf virtual size_t getNumberOfChildren() const = 0; /// Get the first child of this node; null if no children virtual RefAST getFirstChild() const = 0; /// Get the next sibling in line after this one virtual RefAST getNextSibling() const = 0; /// Get the token text for this node virtual ANTLR_USE_NAMESPACE(std)string getText() const = 0; /// Get the token type for this node virtual int getType() const = 0; /** Various initialization routines. Used by several factories to initialize * an AST element. */ virtual void initialize(int t, const ANTLR_USE_NAMESPACE(std)string& txt) = 0; virtual void initialize(RefAST t) = 0; virtual void initialize(RefToken t) = 0; #ifdef ANTLR_SUPPORT_XML /** initialize this node from the contents of a stream. * @param in the stream to read the AST attributes from. */ virtual void initialize( ANTLR_USE_NAMESPACE(std)istream& in ) = 0; #endif /// Set the first child of a node. virtual void setFirstChild(RefAST c) = 0; /// Set the next sibling after this one. virtual void setNextSibling(RefAST n) = 0; /// Set the token text for this node virtual void setText(const ANTLR_USE_NAMESPACE(std)string& txt) = 0; /// Set the token type for this node virtual void setType(int type) = 0; /// Return this AST node as a string virtual ANTLR_USE_NAMESPACE(std)string toString() const = 0; /// Print out a child-sibling tree in LISP notation virtual ANTLR_USE_NAMESPACE(std)string toStringList() const = 0; virtual ANTLR_USE_NAMESPACE(std)string toStringTree() const = 0; #ifdef ANTLR_SUPPORT_XML /** get attributes of this node to 'out'. Override to customize XML * output. * @param out the stream to write the AST attributes to. 
* @returns if a explicit closetag should be written */ virtual bool attributesToStream( ANTLR_USE_NAMESPACE(std)ostream& out ) const = 0; /** Print a symbol over ostream. Overload this one to customize the XML * output for AST derived AST-types * @param output stream */ virtual void toStream( ANTLR_USE_NAMESPACE(std)ostream &out ) const = 0; /** Dump AST contents in XML format to output stream. * Works in conjunction with to_stream method. Overload that one is * derived classes to customize behaviour. * @param output stream to write to string to put the stuff in. * @param ast RefAST object to write. */ friend ANTLR_USE_NAMESPACE(std)ostream& operator<<( ANTLR_USE_NAMESPACE(std)ostream& output, const RefAST& ast ); #endif private: friend struct ASTRef; ASTRef* ref; AST(RefAST other); AST& operator=(const AST& other); AST& operator=(RefAST other); }; #ifdef ANTLR_SUPPORT_XML inline ANTLR_USE_NAMESPACE(std)ostream& operator<<( ANTLR_USE_NAMESPACE(std)ostream& output, const RefAST& ast ) { ast->toStream(output); return output; } #endif extern ANTLR_API RefAST nullAST; extern ANTLR_API AST* const nullASTptr; #ifdef NEEDS_OPERATOR_LESS_THAN // RK: apparently needed by MSVC and a SUN CC, up to and including // 2.7.2 this was undefined ? inline bool operator<( RefAST l, RefAST r ) { return nullAST == l ? ( nullAST == r ? 
false : true ) : l->getType() < r->getType(); } #endif #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_AST_hpp__ fwbuilder-5.3.7/src/antlr/ASTArray.hpp000066400000000000000000000014721303637203600175660ustar00rootroot00000000000000#ifndef INC_ASTArray_hpp__ #define INC_ASTArray_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** ASTArray is a class that allows ANTLR to * generate code that can create and initialize an array * in one expression, like: * (new ASTArray(3))->add(x)->add(y)->add(z) */ class ANTLR_API ASTArray { public: int size; // = 0; ANTLR_USE_NAMESPACE(std)vector array; ASTArray(int capacity) : size(0) , array(capacity) { } ASTArray* add(RefAST node) { array[size++] = node; return this; } }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_ASTArray_hpp__ fwbuilder-5.3.7/src/antlr/ASTFactory.cpp000066400000000000000000000277731303637203600201260ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/CommonAST.hpp" #include "antlr/ANTLRException.hpp" #include "antlr/IOException.hpp" #include "antlr/ASTFactory.hpp" #include "antlr/ANTLRUtil.hpp" #include #include using namespace std; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** AST Support code shared by TreeParser and Parser. * We use delegation to share code (and have only one * bit of code to maintain) rather than subclassing * or superclassing (forces AST support code to be * loaded even when you don't want to do AST stuff). * * This class collects all factories of AST types used inside the code. * New AST node types are registered with the registerFactory method. 
* On creation of an ASTFactory object a default AST node factory may be * specified. * * When registering types gaps between different types are filled with entries * for the default factory. */ /// Initialize factory ASTFactory::ASTFactory() : default_factory_descriptor(ANTLR_USE_NAMESPACE(std)make_pair(CommonAST::TYPE_NAME,&CommonAST::factory)) { nodeFactories.resize( Token::MIN_USER_TYPE, &default_factory_descriptor ); } /** Initialize factory with a non default node type. * factory_node_name should be the name of the AST node type the factory * generates. (should exist during the existance of this ASTFactory instance) */ ASTFactory::ASTFactory( const char* factory_node_name, factory_type fact ) : default_factory_descriptor(ANTLR_USE_NAMESPACE(std)make_pair(factory_node_name, fact)) { nodeFactories.resize( Token::MIN_USER_TYPE, &default_factory_descriptor ); } /// Delete ASTFactory ASTFactory::~ASTFactory() { factory_descriptor_list::iterator i = nodeFactories.begin(); while( i != nodeFactories.end() ) { if( *i != &default_factory_descriptor ) delete *i; i++; } } /// Register a factory for a given AST type void ASTFactory::registerFactory( int type, const char* ast_name, factory_type factory ) { // check validity of arguments... if( type < Token::MIN_USER_TYPE ) throw ANTLRException("Internal parser error invalid type passed to RegisterFactory"); if( factory == 0 ) throw ANTLRException("Internal parser error 0 factory passed to RegisterFactory"); // resize up to and including 'type' and initalize any gaps to default // factory. if( nodeFactories.size() < (static_cast(type)+1) ) nodeFactories.resize( type+1, &default_factory_descriptor ); // And add new thing.. 
nodeFactories[type] = new ANTLR_USE_NAMESPACE(std)pair( ast_name, factory ); } void ASTFactory::setMaxNodeType( int type ) { if( nodeFactories.size() < (static_cast(type)+1) ) nodeFactories.resize( type+1, &default_factory_descriptor ); } /** Create a new empty AST node; if the user did not specify * an AST node type, then create a default one: CommonAST. */ RefAST ASTFactory::create() { RefAST node = nodeFactories[0]->second(); node->setType(Token::INVALID_TYPE); return node; } RefAST ASTFactory::create(int type) { RefAST t = nodeFactories[type]->second(); t->initialize(type,""); return t; } RefAST ASTFactory::create(int type, const ANTLR_USE_NAMESPACE(std)string& txt) { RefAST t = nodeFactories[type]->second(); t->initialize(type,txt); return t; } #ifdef ANTLR_SUPPORT_XML RefAST ASTFactory::create(const ANTLR_USE_NAMESPACE(std)string& type_name, ANTLR_USE_NAMESPACE(std)istream& infile ) { factory_descriptor_list::iterator fact = nodeFactories.begin(); while( fact != nodeFactories.end() ) { if( type_name == (*fact)->first ) { RefAST t = (*fact)->second(); t->initialize(infile); return t; } fact++; } string error = "ASTFactory::create: Unknown AST type '" + type_name + "'"; throw ANTLRException(error); } #endif /** Create a new empty AST node; if the user did not specify * an AST node type, then create a default one: CommonAST. 
*/ RefAST ASTFactory::create(RefAST tr) { if (!tr) return nullAST; // cout << "create(tr)" << endl; RefAST t = nodeFactories[tr->getType()]->second(); t->initialize(tr); return t; } RefAST ASTFactory::create(RefToken tok) { // cout << "create( tok="<< tok->getType() << ", " << tok->getText() << ")" << nodeFactories.size() << endl; RefAST t = nodeFactories[tok->getType()]->second(); t->initialize(tok); return t; } /** Add a child to the current AST */ void ASTFactory::addASTChild(ASTPair& currentAST, RefAST child) { if (child) { if (!currentAST.root) { // Make new child the current root currentAST.root = child; } else { if (!currentAST.child) { // Add new child to current root currentAST.root->setFirstChild(child); } else { currentAST.child->setNextSibling(child); } } // Make new child the current child currentAST.child = child; currentAST.advanceChildToEnd(); } } /** Deep copy a single node. This function the new clone() methods in the AST * interface. Returns nullAST if t is null. */ RefAST ASTFactory::dup(RefAST t) { if( t ) return t->clone(); else return RefAST(nullASTptr); } /** Duplicate tree including siblings of root. */ RefAST ASTFactory::dupList(RefAST t) { RefAST result = dupTree(t); // if t == null, then result==null RefAST nt = result; while( t ) { // for each sibling of the root t = t->getNextSibling(); nt->setNextSibling(dupTree(t)); // dup each subtree, building new tree nt = nt->getNextSibling(); } return result; } /** Duplicate a tree, assuming this is a root node of a tree * duplicate that node and what's below; ignore siblings of root node. */ RefAST ASTFactory::dupTree(RefAST t) { RefAST result = dup(t); // make copy of root // copy all children of root. if( t ) result->setFirstChild( dupList(t->getFirstChild()) ); return result; } /** Make a tree from a list of nodes. The first element in the * array is the root. If the root is null, then the tree is * a simple list not a tree. Handles null children nodes correctly. 
* For example, make(a, b, null, c) yields tree (a b c). make(null,a,b) * yields tree (nil a b). */ RefAST ASTFactory::make(ANTLR_USE_NAMESPACE(std)vector& nodes) { if ( nodes.size() == 0 ) return RefAST(nullASTptr); RefAST root = nodes[0]; RefAST tail = RefAST(nullASTptr); if( root ) root->setFirstChild(RefAST(nullASTptr)); // don't leave any old pointers set // link in children; for( unsigned int i = 1; i < nodes.size(); i++ ) { if ( nodes[i] == 0 ) // ignore null nodes continue; if ( root == 0 ) // Set the root and set it up for a flat list root = tail = nodes[i]; else if ( tail == 0 ) { root->setFirstChild(nodes[i]); tail = root->getFirstChild(); } else { tail->setNextSibling(nodes[i]); tail = tail->getNextSibling(); } if( tail ) // RK: I cannot fathom why this missing check didn't bite anyone else... { // Chase tail to last sibling while (tail->getNextSibling()) tail = tail->getNextSibling(); } } return root; } /** Make a tree from a list of nodes, where the nodes are contained * in an ASTArray object */ RefAST ASTFactory::make(ASTArray* nodes) { RefAST ret = make(nodes->array); delete nodes; return ret; } /// Make an AST the root of current AST void ASTFactory::makeASTRoot( ASTPair& currentAST, RefAST root ) { if (root) { // Add the current root as a child of new root root->addChild(currentAST.root); // The new current child is the last sibling of the old root currentAST.child = currentAST.root; currentAST.advanceChildToEnd(); // Set the new root currentAST.root = root; } } void ASTFactory::setASTNodeFactory( const char* factory_node_name, factory_type factory ) { default_factory_descriptor.first = factory_node_name; default_factory_descriptor.second = factory; } #ifdef ANTLR_SUPPORT_XML bool ASTFactory::checkCloseTag( ANTLR_USE_NAMESPACE(std)istream& in ) { char ch; if( in.get(ch) ) { if( ch == '<' ) { char ch2; if( in.get(ch2) ) { if( ch2 == '/' ) { in.putback(ch2); in.putback(ch); return true; } in.putback(ch2); in.putback(ch); return false; } } 
in.putback(ch); return false; } return false; } void ASTFactory::loadChildren( ANTLR_USE_NAMESPACE(std)istream& infile, RefAST current ) { char ch; for(;;) // for all children of this node.... { eatwhite(infile); infile.get(ch); // '<' if( ch != '<' ) { string error = "Invalid XML file... no '<' found ("; error += ch + ")"; throw IOException(error); } infile.get(ch); // / or text.... if( ch == '/' ) // check for close tag... { string temp; // read until '>' and see if it matches the open tag... if not trouble temp = read_identifier( infile ); if( strcmp(temp.c_str(), current->typeName() ) != 0 ) { string error = "Invalid XML file... close tag does not match start tag: "; error += current->typeName(); error += " closed by " + temp; throw IOException(error); } infile.get(ch); // must be a '>' if( ch != '>' ) { string error = "Invalid XML file... no '>' found ("; error += ch + ")"; throw IOException(error); } // close tag => exit loop break; } // put our 'look ahead' back where it came from infile.putback(ch); infile.putback('<'); // and recurse into the tree... RefAST child = LoadAST(infile); current->addChild( child ); } } void ASTFactory::loadSiblings(ANTLR_USE_NAMESPACE(std)istream& infile, RefAST current ) { for(;;) { eatwhite(infile); if( infile.eof() ) break; if( checkCloseTag(infile) ) break; RefAST sibling = LoadAST(infile); current->setNextSibling(sibling); } } RefAST ASTFactory::LoadAST( ANTLR_USE_NAMESPACE(std)istream& infile ) { RefAST current = nullAST; char ch; eatwhite(infile); if( !infile.get(ch) ) return nullAST; if( ch != '<' ) { string error = "Invalid XML file... no '<' found ("; error += ch + ")"; throw IOException(error); } string ast_type = read_identifier(infile); // create the ast of type 'ast_type' current = create( ast_type, infile ); if( current == nullAST ) { string error = "Unsuported AST type: " + ast_type; throw IOException(error); } eatwhite(infile); infile.get(ch); // now if we have a '/' here it's a single node. 
If it's a '>' we get // a tree with children if( ch == '/' ) { infile.get(ch); // get the closing '>' if( ch != '>' ) { string error = "Invalid XML file... no '>' found after '/' ("; error += ch + ")"; throw IOException(error); } // get the rest on this level loadSiblings( infile, current ); return current; } // and finaly see if we got the close tag... if( ch != '>' ) { string error = "Invalid XML file... no '>' found ("; error += ch + ")"; throw IOException(error); } // handle the ones below this level.. loadChildren( infile, current ); // load the rest on this level... loadSiblings( infile, current ); return current; } #endif // ANTLR_SUPPORT_XML #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif /* Heterogeneous AST/XML-I/O ramblings... * * So there is some heterogeneous AST support.... * basically in the code generators a new custom ast is generated without * going throug the factory. It also expects the RefXAST to be defined. * * Is it maybe better to register all AST types with the ASTFactory class * together with the respective factory methods. * * More and more I get the impression that hetero ast was a kindoff hack * on top of ANTLR's normal AST system. * * The heteroast stuff will generate trouble for all astFactory.create( ... ) * invocations. Most of this is handled via getASTCreateString methods in the * codegenerator. At the moment getASTCreateString(GrammarAtom, String) has * slightly to little info to do it's job (ok the hack that is in now * works, but it's an ugly hack) * * An extra caveat is the 'nice' action.g thing. Which also judiciously calls * getASTCreateString methods because it handles the #( ... ) syntax. * And converts that to ASTFactory calls. 
* * */ fwbuilder-5.3.7/src/antlr/ASTFactory.hpp000066400000000000000000000130601303637203600201130ustar00rootroot00000000000000#ifndef INC_ASTFactory_hpp__ #define INC_ASTFactory_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif // Using these extra types to appease MSVC typedef RefAST (*factory_type_)(); typedef ANTLR_USE_NAMESPACE(std)pair< const char*, factory_type_ > factory_descriptor_; typedef ANTLR_USE_NAMESPACE(std)vector< factory_descriptor_* > factory_descriptor_list_; /** AST Super Factory shared by TreeParser and Parser. * This super factory maintains a map of all AST node types to their respective * AST factories. One instance should be shared among a parser/treeparser * chain. * * @todo check all this code for possible use of references in * stead of RefAST's. */ class ANTLR_API ASTFactory { public: typedef factory_type_ factory_type; typedef factory_descriptor_ factory_descriptor; typedef factory_descriptor_list_ factory_descriptor_list; protected: /* The mapping of AST node type to factory.. */ factory_descriptor default_factory_descriptor; factory_descriptor_list nodeFactories; public: /// Make new factory. Per default (Ref)CommonAST instances are generated. ASTFactory(); /** Initialize factory with a non default node type. * factory_node_name should be the name of the AST node type the factory * generates. 
(should exist during the existance of this ASTFactory * instance) */ ASTFactory( const char* factory_node_name, factory_type factory ); /// Destroy factory virtual ~ASTFactory(); /// Register a node factory for the node type type with name ast_name void registerFactory( int type, const char* ast_name, factory_type factory ); /// Set the maximum node (AST) type this factory may encounter void setMaxNodeType( int type ); /// Add a child to the current AST void addASTChild(ASTPair& currentAST, RefAST child); /// Create new empty AST node. The right default type shou virtual RefAST create(); /// Create AST node of the right type for 'type' RefAST create(int type); /// Create AST node of the right type for 'type' and initialize with txt RefAST create(int type, const ANTLR_USE_NAMESPACE(std)string& txt); /// Create duplicate of tr RefAST create(RefAST tr); /// Create new AST node and initialize contents from a token. RefAST create(RefToken tok); /// Create new AST node and initialize contents from a stream. RefAST create(const ANTLR_USE_NAMESPACE(std)string& txt, ANTLR_USE_NAMESPACE(std)istream& infile ); /** Deep copy a single node. This function the new clone() methods in the * AST interface. Returns a new RefAST(nullASTptr) if t is null. */ RefAST dup(RefAST t); /// Duplicate tree including siblings of root. RefAST dupList(RefAST t); /** Duplicate a tree, assuming this is a root node of a tree-- * duplicate that node and what's below; ignore siblings of root node. */ RefAST dupTree(RefAST t); /** Make a tree from a list of nodes. The first element in the * array is the root. If the root is null, then the tree is * a simple list not a tree. Handles null children nodes correctly. * For example, make(a, b, null, c) yields tree (a b c). make(null,a,b) * yields tree (nil a b). */ RefAST make(ANTLR_USE_NAMESPACE(std)vector& nodes); /** Make a tree from a list of nodes, where the nodes are contained * in an ASTArray object. The ASTArray is deleted after use. * @todo FIXME! 
I have a feeling we can get rid of this ugly ASTArray thing */ RefAST make(ASTArray* nodes); /// Make an AST the root of current AST void makeASTRoot(ASTPair& currentAST, RefAST root); /** Set a new default AST type. * factory_node_name should be the name of the AST node type the factory * generates. (should exist during the existance of this ASTFactory * instance). * Only change factory between parser runs. You might get unexpected results * otherwise. */ void setASTNodeFactory( const char* factory_node_name, factory_type factory ); #ifdef ANTLR_SUPPORT_XML /** Load a XML AST from stream. Make sure you have all the factories * registered before use. * @note this 'XML' stuff is quite rough still. YMMV. */ RefAST LoadAST( ANTLR_USE_NAMESPACE(std)istream& infile ); #endif protected: void loadChildren( ANTLR_USE_NAMESPACE(std)istream& infile, RefAST current ); void loadSiblings( ANTLR_USE_NAMESPACE(std)istream& infile, RefAST current ); bool checkCloseTag( ANTLR_USE_NAMESPACE(std)istream& infile ); #ifdef ANTLR_VECTOR_HAS_AT /// construct a node of 'type' inline RefAST getNodeOfType( unsigned int type ) { return RefAST(nodeFactories.at(type)->second()); } /// get the name of the node 'type' const char* getASTNodeType( unsigned int type ) { return nodeFactories.at(type)->first; } /// get the factory used for node 'type' factory_type getASTNodeFactory( unsigned int type ) { return nodeFactories.at(type)->second; } #else inline RefAST getNodeOfType( unsigned int type ) { return RefAST(nodeFactories[type]->second()); } /// get the name of the node 'type' const char* getASTNodeType( unsigned int type ) { return nodeFactories[type]->first; } factory_type getASTNodeFactory( unsigned int type ) { return nodeFactories[type]->second; } #endif private: // no copying and such.. 
ASTFactory( const ASTFactory& ); ASTFactory& operator=( const ASTFactory& ); }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_ASTFactory_hpp__ fwbuilder-5.3.7/src/antlr/ASTNULLType.cpp000066400000000000000000000042151303637203600201150ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/config.hpp" #include "antlr/AST.hpp" #include "antlr/ASTNULLType.hpp" #include ANTLR_USING_NAMESPACE(std) #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif RefAST ASTNULLType::clone( void ) const { return RefAST(this); } void ASTNULLType::addChild( RefAST ) { } size_t ASTNULLType::getNumberOfChildren() const { return 0; } bool ASTNULLType::equals( RefAST ) const { return false; } bool ASTNULLType::equalsList( RefAST ) const { return false; } bool ASTNULLType::equalsListPartial( RefAST ) const { return false; } bool ASTNULLType::equalsTree( RefAST ) const { return false; } bool ASTNULLType::equalsTreePartial( RefAST ) const { return false; } vector ASTNULLType::findAll( RefAST ) { return vector(); } vector ASTNULLType::findAllPartial( RefAST ) { return vector(); } RefAST ASTNULLType::getFirstChild() const { return this; } RefAST ASTNULLType::getNextSibling() const { return this; } string ASTNULLType::getText() const { return ""; } int ASTNULLType::getType() const { return Token::NULL_TREE_LOOKAHEAD; } void ASTNULLType::initialize( int, const string& ) { } void ASTNULLType::initialize( RefAST ) { } void ASTNULLType::initialize( RefToken ) { } #ifdef ANTLR_SUPPORT_XML void ASTNULLType::initialize( istream& ) { } #endif void ASTNULLType::setFirstChild( RefAST ) { } void ASTNULLType::setNextSibling( RefAST ) { } void ASTNULLType::setText( const string& ) { } void ASTNULLType::setType( int ) { } string ASTNULLType::toString() const { return getText(); } string ASTNULLType::toStringList() const { return getText(); } string 
ASTNULLType::toStringTree() const { return getText(); } #ifdef ANTLR_SUPPORT_XML bool ASTNULLType::attributesToStream( ostream& ) const { return false; } void ASTNULLType::toStream( ostream& out ) const { out << "" << endl; } #endif const char* ASTNULLType::typeName( void ) const { return "ASTNULLType"; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/ASTNULLType.hpp000066400000000000000000000033171303637203600201240ustar00rootroot00000000000000#ifndef INC_ASTNULLType_hpp__ #define INC_ASTNULLType_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** There is only one instance of this class **/ class ANTLR_API ASTNULLType : public AST { public: const char* typeName( void ) const; RefAST clone( void ) const; void addChild(RefAST c); size_t getNumberOfChildren() const; void setFirstChild(RefAST c); void setNextSibling(RefAST n); bool equals(RefAST t) const; bool equalsList(RefAST t) const; bool equalsListPartial(RefAST t) const; bool equalsTree(RefAST t) const; bool equalsTreePartial(RefAST t) const; ANTLR_USE_NAMESPACE(std)vector findAll(RefAST tree); ANTLR_USE_NAMESPACE(std)vector findAllPartial(RefAST subtree); RefAST getFirstChild() const; RefAST getNextSibling() const; ANTLR_USE_NAMESPACE(std)string getText() const; int getType() const; void initialize(int t, const ANTLR_USE_NAMESPACE(std)string& txt); void initialize(RefAST t); void initialize(RefToken t); void initialize(ANTLR_USE_NAMESPACE(std)istream& infile); void setText(const ANTLR_USE_NAMESPACE(std)string& text); void setType(int ttype); ANTLR_USE_NAMESPACE(std)string toString() const; ANTLR_USE_NAMESPACE(std)string toStringList() const; ANTLR_USE_NAMESPACE(std)string toStringTree() const; bool attributesToStream( ANTLR_USE_NAMESPACE(std)ostream &out ) const; void toStream( 
ANTLR_USE_NAMESPACE(std)ostream &out ) const; }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_ASTNULLType_hpp__ fwbuilder-5.3.7/src/antlr/ASTPair.hpp000066400000000000000000000027641303637203600174100ustar00rootroot00000000000000#ifndef INC_ASTPair_hpp__ #define INC_ASTPair_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** ASTPair: utility class used for manipulating a pair of ASTs * representing the current AST root and current AST sibling. * This exists to compensate for the lack of pointers or 'var' * arguments in Java. * * OK, so we can do those things in C++, but it seems easier * to stick with the Java way for now. */ class ANTLR_API ASTPair { public: RefAST root; // current root of tree RefAST child; // current child to which siblings are added /** Make sure that child is the last sibling */ void advanceChildToEnd() { if (child) { while (child->getNextSibling()) { child = child->getNextSibling(); } } } // /** Copy an ASTPair. Don't call it clone() because we want type-safety */ // ASTPair copy() { // ASTPair tmp = new ASTPair(); // tmp.root = root; // tmp.child = child; // return tmp; // } ANTLR_USE_NAMESPACE(std)string toString() const { ANTLR_USE_NAMESPACE(std)string r = !root ? ANTLR_USE_NAMESPACE(std)string("null") : root->getText(); ANTLR_USE_NAMESPACE(std)string c = !child ? 
ANTLR_USE_NAMESPACE(std)string("null") : child->getText(); return "["+r+","+c+"]"; } }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_ASTPair_hpp__ fwbuilder-5.3.7/src/antlr/ASTRefCount.cpp000066400000000000000000000011611303637203600202230ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/ASTRefCount.hpp" #include "antlr/AST.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif ASTRef::ASTRef(AST* p) : ptr(p), count(1) { if (p && !p->ref) p->ref = this; } ASTRef::~ASTRef() { delete ptr; } ASTRef* ASTRef::getRef(const AST* p) { if (p) { AST* pp = const_cast(p); if (pp->ref) return pp->ref->increment(); else return new ASTRef(pp); } else return 0; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/ASTRefCount.hpp000066400000000000000000000031771303637203600202410ustar00rootroot00000000000000#ifndef INC_ASTRefCount_hpp__ # define INC_ASTRefCount_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ # include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class AST; struct ANTLR_API ASTRef { AST* const ptr; unsigned int count; ASTRef(AST* p); ~ASTRef(); ASTRef* increment() { ++count; return this; } bool decrement() { return (--count==0); } static ASTRef* getRef(const AST* p); private: ASTRef( const ASTRef& ); ASTRef& operator=( const ASTRef& ); }; template class ANTLR_API ASTRefCount { private: ASTRef* ref; public: ASTRefCount(const AST* p=0) : ref(p ? ASTRef::getRef(p) : 0) { } ASTRefCount(const ASTRefCount& other) : ref(other.ref ? 
other.ref->increment() : 0) { } ~ASTRefCount() { if (ref && ref->decrement()) delete ref; } ASTRefCount& operator=(AST* other) { ASTRef* tmp = ASTRef::getRef(other); if (ref && ref->decrement()) delete ref; ref=tmp; return *this; } ASTRefCount& operator=(const ASTRefCount& other) { if( other.ref != ref ) { ASTRef* tmp = other.ref ? other.ref->increment() : 0; if (ref && ref->decrement()) delete ref; ref=tmp; } return *this; } operator T* () const { return ref ? static_cast(ref->ptr) : 0; } T* operator->() const { return ref ? static_cast(ref->ptr) : 0; } T* get() const { return ref ? static_cast(ref->ptr) : 0; } }; typedef ASTRefCount RefAST; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_ASTRefCount_hpp__ fwbuilder-5.3.7/src/antlr/BaseAST.cpp000066400000000000000000000150001303637203600173450ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/config.hpp" #include #include "antlr/AST.hpp" #include "antlr/BaseAST.hpp" ANTLR_USING_NAMESPACE(std) #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif size_t BaseAST::getNumberOfChildren() const { RefBaseAST t = this->down; size_t n = 0; if( t ) { n = 1; while( t->right ) { t = t->right; n++; } return n; } return n; } void BaseAST::doWorkForFindAll( ANTLR_USE_NAMESPACE(std)vector& v, RefAST target,bool partialMatch) { // Start walking sibling lists, looking for matches. for (RefAST sibling=this; sibling; sibling=sibling->getNextSibling()) { if ( (partialMatch && sibling->equalsTreePartial(target)) || (!partialMatch && sibling->equalsTree(target)) ) { v.push_back(sibling); } // regardless of match or not, check any children for matches if ( sibling->getFirstChild() ) { RefBaseAST(sibling->getFirstChild())->doWorkForFindAll(v, target, partialMatch); } } } /** Is t an exact structural and equals() match of this tree. 
The * 'this' reference is considered the start of a sibling list. */ bool BaseAST::equalsList(RefAST t) const { // the empty tree is not a match of any non-null tree. if (!t) return false; // Otherwise, start walking sibling lists. First mismatch, return false. RefAST sibling=this; for (;sibling && t; sibling=sibling->getNextSibling(), t=t->getNextSibling()) { // as a quick optimization, check roots first. if (!sibling->equals(t)) return false; // if roots match, do full list match test on children. if (sibling->getFirstChild()) { if (!sibling->getFirstChild()->equalsList(t->getFirstChild())) return false; } // sibling has no kids, make sure t doesn't either else if (t->getFirstChild()) return false; } if (!sibling && !t) return true; // one sibling list has more than the other return false; } /** Is 'sub' a subtree of this list? * The siblings of the root are NOT ignored. */ bool BaseAST::equalsListPartial(RefAST sub) const { // the empty tree is always a subset of any tree. if (!sub) return true; // Otherwise, start walking sibling lists. First mismatch, return false. RefAST sibling=this; for (;sibling && sub; sibling=sibling->getNextSibling(), sub=sub->getNextSibling()) { // as a quick optimization, check roots first. if (!sibling->equals(sub)) return false; // if roots match, do partial list match test on children. if (sibling->getFirstChild()) if (!sibling->getFirstChild()->equalsListPartial(sub->getFirstChild())) return false; } if (!sibling && sub) // nothing left to match in this tree, but subtree has more return false; // either both are null or sibling has more, but subtree doesn't return true; } /** Is tree rooted at 'this' equal to 't'? The siblings * of 'this' are ignored. */ bool BaseAST::equalsTree(RefAST t) const { // check roots first if (!equals(t)) return false; // if roots match, do full list match test on children. 
if (getFirstChild()) { if (!getFirstChild()->equalsList(t->getFirstChild())) return false; } // sibling has no kids, make sure t doesn't either else if (t->getFirstChild()) return false; return true; } /** Is 'sub' a subtree of the tree rooted at 'this'? The siblings * of 'this' are ignored. */ bool BaseAST::equalsTreePartial(RefAST sub) const { // the empty tree is always a subset of any tree. if (!sub) return true; // check roots first if (!equals(sub)) return false; // if roots match, do full list partial match test on children. if (getFirstChild()) if (!getFirstChild()->equalsListPartial(sub->getFirstChild())) return false; return true; } /** Walk the tree looking for all exact subtree matches. Return * an ASTEnumerator that lets the caller walk the list * of subtree roots found herein. */ ANTLR_USE_NAMESPACE(std)vector BaseAST::findAll(RefAST target) { ANTLR_USE_NAMESPACE(std)vector roots; // the empty tree cannot result in an enumeration if (target) { doWorkForFindAll(roots,target,false); // find all matches recursively } return roots; } /** Walk the tree looking for all subtrees. Return * an ASTEnumerator that lets the caller walk the list * of subtree roots found herein. 
*/ ANTLR_USE_NAMESPACE(std)vector BaseAST::findAllPartial(RefAST target) { ANTLR_USE_NAMESPACE(std)vector roots; // the empty tree cannot result in an enumeration if (target) doWorkForFindAll(roots,target,true); // find all matches recursively return roots; } ANTLR_USE_NAMESPACE(std)string BaseAST::toStringList() const { ANTLR_USE_NAMESPACE(std)string ts=""; if (getFirstChild()) { ts+=" ( "; ts+=toString(); ts+=getFirstChild()->toStringList(); ts+=" )"; } else { ts+=" "; ts+=toString(); } if (getNextSibling()) ts+=getNextSibling()->toStringList(); return ts; } ANTLR_USE_NAMESPACE(std)string BaseAST::toStringTree() const { ANTLR_USE_NAMESPACE(std)string ts = ""; if (getFirstChild()) { ts+=" ( "; ts+=toString(); ts+=getFirstChild()->toStringList(); ts+=" )"; } else { ts+=" "; ts+=toString(); } return ts; } #ifdef ANTLR_SUPPORT_XML /* This whole XML output stuff needs a little bit more thought * I'd like to store extra XML data in the node. e.g. for custom ast's * with for instance symboltable references. This * should be more pluggable.. * @returns boolean value indicating wether a closetag should be produced. */ bool BaseAST::attributesToStream( ANTLR_USE_NAMESPACE(std)ostream& out ) const { out << "text=\"" << this->getText() << "\" type=\"" << this->getType() << "\""; return false; } void BaseAST::toStream( ANTLR_USE_NAMESPACE(std)ostream& out ) const { for( RefAST node = this; node != 0; node = node->getNextSibling() ) { out << "<" << this->typeName() << " "; // Write out attributes and if there is extra data... bool need_close_tag = node->attributesToStream( out ); if( need_close_tag ) { // got children so write them... if( node->getFirstChild() != 0 ) node->getFirstChild()->toStream( out ); // and a closing tag.. 
out << "typeName() << ">" << endl; } } } #endif // this is nasty, but it makes the code generation easier ANTLR_API RefAST nullAST; #if defined(_MSC_VER) && !defined(__ICL) // Microsoft Visual C++ extern ANTLR_API AST* const nullASTptr = 0; #else ANTLR_API AST* const nullASTptr = 0; #endif #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/BaseAST.hpp000066400000000000000000000107361303637203600173650ustar00rootroot00000000000000#ifndef INC_BaseAST_hpp__ #define INC_BaseAST_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API BaseAST; typedef ASTRefCount RefBaseAST; class ANTLR_API BaseAST : public AST { public: BaseAST() : AST() { } BaseAST(const BaseAST& other) : AST(other) { } virtual ~BaseAST() { } /// Return the class name virtual const char* typeName( void ) const = 0; /// Clone this AST node. virtual RefAST clone( void ) const = 0; /// Is node t equal to this in terms of token type and text? virtual bool equals(RefAST t) const; /** Is t an exact structural and equals() match of this tree. The * 'this' reference is considered the start of a sibling list. */ virtual bool equalsList(RefAST t) const; /** Is 't' a subtree of this list? The siblings of the root are NOT ignored. */ virtual bool equalsListPartial(RefAST t) const; /** Is tree rooted at 'this' equal to 't'? The siblings of 'this' are * ignored. */ virtual bool equalsTree(RefAST t) const; /** Is 't' a subtree of the tree rooted at 'this'? The siblings of * 'this' are ignored. */ virtual bool equalsTreePartial(RefAST t) const; /** Walk the tree looking for all exact subtree matches. Return * an ASTEnumerator that lets the caller walk the list * of subtree roots found herein. */ virtual ANTLR_USE_NAMESPACE(std)vector findAll(RefAST t); /** Walk the tree looking for all subtrees. 
Return * an ASTEnumerator that lets the caller walk the list * of subtree roots found herein. */ virtual ANTLR_USE_NAMESPACE(std)vector findAllPartial(RefAST t); /// Add a node to the end of the child list for this node virtual void addChild(RefAST c) { if( !c ) return; RefBaseAST tmp = down; if (tmp) { while (tmp->right) tmp = tmp->right; tmp->right = c; } else down = c; } /** Get the number of child nodes of this node (shallow e.g. not of the * whole tree it spans). */ virtual size_t getNumberOfChildren() const; /// Get the first child of this node; null if no children virtual RefAST getFirstChild() const { return RefAST(down); } /// Get the next sibling in line after this one virtual RefAST getNextSibling() const { return RefAST(right); } /// Get the token text for this node virtual ANTLR_USE_NAMESPACE(std)string getText() const { return ""; } /// Get the token type for this node virtual int getType() const { return 0; } /// Remove all children virtual void removeChildren() { down = static_cast(static_cast(nullAST)); } /// Set the first child of a node. virtual void setFirstChild(RefAST c) { down = static_cast(static_cast(c)); } /// Set the next sibling after this one. virtual void setNextSibling(RefAST n) { right = static_cast(static_cast(n)); } /// Set the token text for this node virtual void setText(const ANTLR_USE_NAMESPACE(std)string& /*UNUSED txt */) { } /// Set the token type for this node virtual void setType(int /*UNUSED type */) { } #ifdef ANTLR_SUPPORT_XML /** print attributes of this node to 'out'. Override to customize XML * output. * @param out the stream to write the AST attributes to. */ virtual bool attributesToStream( ANTLR_USE_NAMESPACE(std)ostream& out ) const; /** Write this subtree to a stream. 
Overload this one to customize the XML * output for AST derived AST-types * @param output stream */ virtual void toStream( ANTLR_USE_NAMESPACE(std)ostream &out ) const; #endif /// Return string representation for the AST virtual ANTLR_USE_NAMESPACE(std)string toString() const { return getText(); } /// Print out a child sibling tree in LISP notation virtual ANTLR_USE_NAMESPACE(std)string toStringList() const; virtual ANTLR_USE_NAMESPACE(std)string toStringTree() const; protected: RefBaseAST down; RefBaseAST right; private: void doWorkForFindAll(ANTLR_USE_NAMESPACE(std)vector& v, RefAST target, bool partialMatch); }; /** Is node t equal to this in terms of token type and text? */ inline bool BaseAST::equals(RefAST t) const { if (!t) return false; return ((getType() == t->getType()) && (getText() == t->getText())); } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_BaseAST_hpp__ fwbuilder-5.3.7/src/antlr/BitSet.cpp000066400000000000000000000021621303637203600173220ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/BitSet.hpp" #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif BitSet::BitSet(unsigned int nbits) : storage(nbits) { for (unsigned int i = 0; i < nbits ; i++ ) storage[i] = false; } BitSet::BitSet( const unsigned long* bits_, unsigned int nlongs ) : storage(nlongs*32) { for ( unsigned int i = 0 ; i < (nlongs * 32); i++) storage[i] = (bits_[i>>5] & (1UL << (i&31))) ? 
true : false; } BitSet::~BitSet() { } void BitSet::add(unsigned int el) { if( el >= storage.size() ) storage.resize( el+1, false ); storage[el] = true; } bool BitSet::member(unsigned int el) const { if ( el >= storage.size()) return false; return storage[el]; } ANTLR_USE_NAMESPACE(std)vector BitSet::toArray() const { ANTLR_USE_NAMESPACE(std)vector elems; for (unsigned int i = 0; i < storage.size(); i++) { if (storage[i]) elems.push_back(i); } return elems; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/BitSet.hpp000066400000000000000000000033661303637203600173360ustar00rootroot00000000000000#ifndef INC_BitSet_hpp__ #define INC_BitSet_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** A BitSet to replace java.util.BitSet. * Primary differences are that most set operators return new sets * as opposed to oring and anding "in place". Further, a number of * operations were added. I cannot contain a BitSet because there * is no way to access the internal bits (which I need for speed) * and, because it is final, I cannot subclass to add functionality. * Consider defining set degree. Without access to the bits, I must * call a method n times to test the ith bit...ack! * * Also seems like or() from util is wrong when size of incoming set is bigger * than this.length. * * This is a C++ version of the Java class described above, with only * a handful of the methods implemented, because we don't need the * others at runtime. It's really just a wrapper around vector, * which should probably be changed to a wrapper around bitset, once * bitset is more widely available. * * @author Terence Parr, MageLang Institute * @author
Pete Wells */ class ANTLR_API BitSet { private: ANTLR_USE_NAMESPACE(std)vector storage; public: BitSet( unsigned int nbits=64 ); BitSet( const unsigned long* bits_, unsigned int nlongs); ~BitSet(); void add( unsigned int el ); bool member( unsigned int el ) const; ANTLR_USE_NAMESPACE(std)vector toArray() const; }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_BitSet_hpp__ fwbuilder-5.3.7/src/antlr/CharBuffer.cpp000066400000000000000000000025001303637203600201330ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/CharBuffer.hpp" #include //#include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /* RK: Per default istream does not throw exceptions. This can be * enabled with: * stream.exceptions(ios_base::badbit|ios_base::failbit|ios_base::eofbit); * * We could try catching the bad/fail stuff. But handling eof via this is * not a good idea. EOF is best handled as a 'normal' character. * * So this does not work yet with gcc... Comment it until I get to a platform * that does.. */ /** Create a character buffer. Enable fail and bad exceptions, if supported * by platform. */ CharBuffer::CharBuffer(ANTLR_USE_NAMESPACE(std)istream& input_) : input(input_) { // input.exceptions(ANTLR_USE_NAMESPACE(std)ios_base::badbit| // ANTLR_USE_NAMESPACE(std)ios_base::failbit); } /** Get the next character from the stream. May throw CharStreamIOException * when something bad happens (not EOF) (if supported by platform). 
*/ int CharBuffer::getChar() { // try { return input.get(); // } // catch (ANTLR_USE_NAMESPACE(std)ios_base::failure& e) { // throw CharStreamIOException(e); // } } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/CharBuffer.hpp000066400000000000000000000025561303637203600201530ustar00rootroot00000000000000#ifndef INC_CharBuffer_hpp__ #define INC_CharBuffer_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /**A Stream of characters fed to the lexer from a InputStream that can * be rewound via mark()/rewind() methods. *

* A dynamic array is used to buffer up all the input characters. Normally, * "k" characters are stored in the buffer. More characters may be stored * during guess mode (testing syntactic predicate), or when LT(i>k) is * referenced. * Consumption of characters is deferred. In other words, reading the next * character is not done by consume(), but deferred until needed by LA or LT. *

* * @see antlr.CharQueue */ class ANTLR_API CharBuffer : public InputBuffer { public: /// Create a character buffer CharBuffer( ANTLR_USE_NAMESPACE(std)istream& input ); /// Get the next character from the stream int getChar(); protected: // character source ANTLR_USE_NAMESPACE(std)istream& input; private: // NOTE: Unimplemented CharBuffer(const CharBuffer& other); CharBuffer& operator=(const CharBuffer& other); }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_CharBuffer_hpp__ fwbuilder-5.3.7/src/antlr/CharInputBuffer.hpp000066400000000000000000000033431303637203600211660ustar00rootroot00000000000000#ifndef INC_CharInputBuffer_hpp__ # define INC_CharInputBuffer_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ # include # include # ifdef HAS_NOT_CCTYPE_H # include # else # include # endif #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** CharInputBuffer.hpp provides an InputBuffer for plain character arrays (buffers). */ class CharInputBuffer : public InputBuffer { public: /** Construct a CharInputBuffer.hpp object with a char* buffer of 'size' * if 'owner' is true, then the buffer will be delete[]-ed on destruction. * @note it is assumed the buffer was allocated with new[]! */ CharInputBuffer( unsigned char* buf, size_t size, bool owner = false ) : buffer(buf) , ptr(buf) , end(buf + size) , delete_buffer(owner) { } /** Destructor * @note If you're using malloced data, then you probably need to change * this destructor. Or better use this class as template for your own. */ ~CharInputBuffer( void ) { if( delete_buffer && buffer ) delete [] buffer; } /** Reset the CharInputBuffer to initial state * Called from LexerInputState::reset. * @see LexerInputState */ virtual inline void reset( void ) { InputBuffer::reset(); ptr = buffer; } virtual int getChar( void ) { return (ptr < end) ? 
*ptr++ : EOF; } protected: unsigned char* buffer; ///< the buffer with data unsigned char* ptr; ///< position ptr into the buffer unsigned char* end; ///< end sentry for buffer bool delete_buffer; ///< flag signifying if we have to delete the buffer }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif fwbuilder-5.3.7/src/antlr/CharScanner.cpp000066400000000000000000000056451303637203600203300ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include "antlr/CharScanner.hpp" #include "antlr/CommonToken.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif ANTLR_C_USING(exit) CharScanner::CharScanner(InputBuffer& cb, bool case_sensitive ) : saveConsumedInput(true) //, caseSensitiveLiterals(true) , caseSensitive(case_sensitive) , literals(CharScannerLiteralsLess(this)) , inputState(new LexerInputState(cb)) , commitToPath(false) , tabsize(8) , traceDepth(0) { setTokenObjectFactory(&CommonToken::factory); } CharScanner::CharScanner(InputBuffer* cb, bool case_sensitive ) : saveConsumedInput(true) //, caseSensitiveLiterals(true) , caseSensitive(case_sensitive) , literals(CharScannerLiteralsLess(this)) , inputState(new LexerInputState(cb)) , commitToPath(false) , tabsize(8) , traceDepth(0) { setTokenObjectFactory(&CommonToken::factory); } CharScanner::CharScanner( const LexerSharedInputState& state, bool case_sensitive ) : saveConsumedInput(true) //, caseSensitiveLiterals(true) , caseSensitive(case_sensitive) , literals(CharScannerLiteralsLess(this)) , inputState(state) , commitToPath(false) , tabsize(8) , traceDepth(0) { setTokenObjectFactory(&CommonToken::factory); } /** Report exception errors caught in nextToken() */ void CharScanner::reportError(const RecognitionException& ex) { ANTLR_USE_NAMESPACE(std)cerr << ex.toString().c_str() << ANTLR_USE_NAMESPACE(std)endl; } /** Parser error-reporting function can be overridden 
in subclass */ void CharScanner::reportError(const ANTLR_USE_NAMESPACE(std)string& s) { if (getFilename() == "") ANTLR_USE_NAMESPACE(std)cerr << "error: " << s.c_str() << ANTLR_USE_NAMESPACE(std)endl; else ANTLR_USE_NAMESPACE(std)cerr << getFilename().c_str() << ": error: " << s.c_str() << ANTLR_USE_NAMESPACE(std)endl; } /** Parser warning-reporting function can be overridden in subclass */ void CharScanner::reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { if (getFilename() == "") ANTLR_USE_NAMESPACE(std)cerr << "warning: " << s.c_str() << ANTLR_USE_NAMESPACE(std)endl; else ANTLR_USE_NAMESPACE(std)cerr << getFilename().c_str() << ": warning: " << s.c_str() << ANTLR_USE_NAMESPACE(std)endl; } void CharScanner::traceIndent() { for( int i = 0; i < traceDepth; i++ ) ANTLR_USE_NAMESPACE(std)cout << " "; } void CharScanner::traceIn(const char* rname) { traceDepth++; traceIndent(); ANTLR_USE_NAMESPACE(std)cout << "> lexer " << rname << "; c==" << LA(1) << ANTLR_USE_NAMESPACE(std)endl; } void CharScanner::traceOut(const char* rname) { traceIndent(); ANTLR_USE_NAMESPACE(std)cout << "< lexer " << rname << "; c==" << LA(1) << ANTLR_USE_NAMESPACE(std)endl; traceDepth--; } #ifndef NO_STATIC_CONSTS const int CharScanner::NO_CHAR; const int CharScanner::EOF_CHAR; #endif #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/CharScanner.hpp000066400000000000000000000326351303637203600203340ustar00rootroot00000000000000#ifndef INC_CharScanner_hpp__ #define INC_CharScanner_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #ifdef HAS_NOT_CCTYPE_H #include #else #include #endif #if ( _MSC_VER == 1200 ) // VC6 seems to need this // note that this is not a standard C++ include file. 
# include #endif #include #include #include #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API CharScanner; ANTLR_C_USING(tolower) #ifdef ANTLR_REALLY_NO_STRCASECMP // Apparently, neither strcasecmp nor stricmp is standard, and Codewarrior // on the mac has neither... inline int strcasecmp(const char *s1, const char *s2) { while (true) { char c1 = tolower(*s1++), c2 = tolower(*s2++); if (c1 < c2) return -1; if (c1 > c2) return 1; if (c1 == 0) return 0; } } #else #ifdef NO_STRCASECMP ANTLR_C_USING(stricmp) #else ANTLR_C_USING(strcasecmp) #endif #endif /** Functor for the literals map */ class ANTLR_API CharScannerLiteralsLess : public ANTLR_USE_NAMESPACE(std)binary_function { private: const CharScanner* scanner; public: #ifdef NO_TEMPLATE_PARTS CharScannerLiteralsLess() {} // not really used, definition to appease MSVC #endif CharScannerLiteralsLess(const CharScanner* theScanner) : scanner(theScanner) { } bool operator() (const ANTLR_USE_NAMESPACE(std)string& x,const ANTLR_USE_NAMESPACE(std)string& y) const; // defaults are good enough.. 
// CharScannerLiteralsLess(const CharScannerLiteralsLess&); // CharScannerLiteralsLess& operator=(const CharScannerLiteralsLess&); }; /** Superclass of generated lexers */ class ANTLR_API CharScanner : public TokenStream { protected: typedef RefToken (*factory_type)(); public: CharScanner(InputBuffer& cb, bool case_sensitive ); CharScanner(InputBuffer* cb, bool case_sensitive ); CharScanner(const LexerSharedInputState& state, bool case_sensitive ); virtual ~CharScanner() { } virtual int LA(unsigned int i); virtual void append(char c) { if (saveConsumedInput) { size_t l = text.length(); if ((l%256) == 0) text.reserve(l+256); text.replace(l,0,&c,1); } } virtual void append(const ANTLR_USE_NAMESPACE(std)string& s) { if( saveConsumedInput ) text += s; } virtual void commit() { inputState->getInput().commit(); } /** called by the generated lexer to do error recovery, override to * customize the behaviour. */ virtual void recover(const RecognitionException& , const BitSet& tokenSet) { consume(); consumeUntil(tokenSet); } virtual void consume() { if (inputState->guessing == 0) { int c = LA(1); if (caseSensitive) { append(c); } else { // use input.LA(), not LA(), to get original case // CharScanner.LA() would toLower it. append(inputState->getInput().LA(1)); } // RK: in a sense I don't like this automatic handling. 
if (c == '\t') tab(); else inputState->column++; } inputState->getInput().consume(); } /** Consume chars until one matches the given char */ virtual void consumeUntil(int c) { for(;;) { int la_1 = LA(1); if( la_1 == EOF_CHAR || la_1 == c ) break; consume(); } } /** Consume chars until one matches the given set */ virtual void consumeUntil(const BitSet& set) { for(;;) { int la_1 = LA(1); if( la_1 == EOF_CHAR || set.member(la_1) ) break; consume(); } } /// Mark the current position and return a id for it virtual unsigned int mark() { return inputState->getInput().mark(); } /// Rewind the scanner to a previously marked position virtual void rewind(unsigned int pos) { inputState->getInput().rewind(pos); } /// See if input contains character 'c' throw MismatchedCharException if not virtual void match(int c) { int la_1 = LA(1); if ( la_1 != c ) throw MismatchedCharException(la_1, c, false, this); consume(); } /** See if input contains element from bitset b * throw MismatchedCharException if not */ virtual void match(const BitSet& b) { int la_1 = LA(1); if ( !b.member(la_1) ) throw MismatchedCharException( la_1, b, false, this ); consume(); } /** See if input contains string 's' throw MismatchedCharException if not * @note the string cannot match EOF */ virtual void match( const char* s ) { while( *s != '\0' ) { // the & 0xFF is here to prevent sign extension lateron int la_1 = LA(1), c = (*s++ & 0xFF); if ( la_1 != c ) throw MismatchedCharException(la_1, c, false, this); consume(); } } /** See if input contains string 's' throw MismatchedCharException if not * @note the string cannot match EOF */ virtual void match(const ANTLR_USE_NAMESPACE(std)string& s) { size_t len = s.length(); for (size_t i = 0; i < len; i++) { // the & 0xFF is here to prevent sign extension lateron int la_1 = LA(1), c = (s[i] & 0xFF); if ( la_1 != c ) throw MismatchedCharException(la_1, c, false, this); consume(); } } /** See if input does not contain character 'c' * throw MismatchedCharException 
if not */ virtual void matchNot(int c) { int la_1 = LA(1); if ( la_1 == c ) throw MismatchedCharException(la_1, c, true, this); consume(); } /** See if input contains character in range c1-c2 * throw MismatchedCharException if not */ virtual void matchRange(int c1, int c2) { int la_1 = LA(1); if ( la_1 < c1 || la_1 > c2 ) throw MismatchedCharException(la_1, c1, c2, false, this); consume(); } virtual bool getCaseSensitive() const { return caseSensitive; } virtual void setCaseSensitive(bool t) { caseSensitive = t; } virtual bool getCaseSensitiveLiterals() const=0; /// Get the line the scanner currently is in (starts at 1) virtual int getLine() const { return inputState->line; } /// set the line number virtual void setLine(int l) { inputState->line = l; } /// Get the column the scanner currently is in (starts at 1) virtual int getColumn() const { return inputState->column; } /// set the column number virtual void setColumn(int c) { inputState->column = c; } /// get the filename for the file currently used virtual const ANTLR_USE_NAMESPACE(std)string& getFilename() const { return inputState->filename; } /// Set the filename the scanner is using (used in error messages) virtual void setFilename(const ANTLR_USE_NAMESPACE(std)string& f) { inputState->filename = f; } virtual bool getCommitToPath() const { return commitToPath; } virtual void setCommitToPath(bool commit) { commitToPath = commit; } /** return a copy of the current text buffer */ virtual const ANTLR_USE_NAMESPACE(std)string& getText() const { return text; } virtual void setText(const ANTLR_USE_NAMESPACE(std)string& s) { text = s; } virtual void resetText() { text = ""; inputState->tokenStartColumn = inputState->column; inputState->tokenStartLine = inputState->line; } virtual RefToken getTokenObject() const { return _returnToken; } /** Used to keep track of line breaks, needs to be called from * within generated lexers when a \n \r is encountered. 
*/ virtual void newline() { ++inputState->line; inputState->column = 1; } /** Advance the current column number by an appropriate amount according * to the tabsize. This method needs to be explicitly called from the * lexer rules encountering tabs. */ virtual void tab() { int c = getColumn(); int nc = ( ((c-1)/tabsize) + 1) * tabsize + 1; // calculate tab stop setColumn( nc ); } /// set the tabsize. Returns the old tabsize int setTabsize( int size ) { int oldsize = tabsize; tabsize = size; return oldsize; } /// Return the tabsize used by the scanner int getTabSize() const { return tabsize; } /** Report exception errors caught in nextToken() */ virtual void reportError(const RecognitionException& e); /** Parser error-reporting function can be overridden in subclass */ virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s); /** Parser warning-reporting function can be overridden in subclass */ virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s); virtual InputBuffer& getInputBuffer() { return inputState->getInput(); } virtual LexerSharedInputState getInputState() { return inputState; } /** set the input state for the lexer. 
* @note state is a reference counted object, hence no reference */ virtual void setInputState(LexerSharedInputState state) { inputState = state; } /// Set the factory for created tokens virtual void setTokenObjectFactory(factory_type factory) { tokenFactory = factory; } /** Test the token text against the literals table * Override this method to perform a different literals test */ virtual int testLiteralsTable(int ttype) const { ANTLR_USE_NAMESPACE(std)map::const_iterator i = literals.find(text); if (i != literals.end()) ttype = (*i).second; return ttype; } /** Test the text passed in against the literals table * Override this method to perform a different literals test * This is used primarily when you want to test a portion of * a token */ virtual int testLiteralsTable(const ANTLR_USE_NAMESPACE(std)string& txt,int ttype) const { ANTLR_USE_NAMESPACE(std)map::const_iterator i = literals.find(txt); if (i != literals.end()) ttype = (*i).second; return ttype; } /// Override this method to get more specific case handling virtual int toLower(int c) const { // test on EOF_CHAR for buggy (?) STLPort tolower (or HPUX tolower?) // also VC++ 6.0 does this. (see fix 422 (is reverted by this fix) // this one is more structural. Maybe make this configurable. return (c == EOF_CHAR ? EOF_CHAR : tolower(c)); } /** This method is called by YourLexer::nextToken() when the lexer has * hit EOF condition. EOF is NOT a character. * This method is not called if EOF is reached during * syntactic predicate evaluation or during evaluation * of normal lexical rules, which presumably would be * an IOException. This traps the "normal" EOF condition. * * uponEOF() is called after the complete evaluation of * the previous token and only if your parser asks * for another token beyond that last non-EOF token. * * You might want to throw token or char stream exceptions * like: "Heh, premature eof" or a retry stream exception * ("I found the end of this file, go back to referencing file"). 
*/ virtual void uponEOF() { } /// Methods used to change tracing behavior virtual void traceIndent(); virtual void traceIn(const char* rname); virtual void traceOut(const char* rname); #ifndef NO_STATIC_CONSTS static const int EOF_CHAR = EOF; #else enum { EOF_CHAR = EOF }; #endif protected: ANTLR_USE_NAMESPACE(std)string text; ///< Text of current token /// flag indicating wether consume saves characters bool saveConsumedInput; factory_type tokenFactory; ///< Factory for tokens bool caseSensitive; ///< Is this lexer case sensitive ANTLR_USE_NAMESPACE(std)map literals; // set by subclass RefToken _returnToken; ///< used to return tokens w/o using return val /// Input state, gives access to input stream, shared among different lexers LexerSharedInputState inputState; /** Used during filter mode to indicate that path is desired. * A subsequent scan error will report an error as usual * if acceptPath=true; */ bool commitToPath; int tabsize; ///< tab size the scanner uses. /// Create a new RefToken of type t virtual RefToken makeToken(int t) { RefToken tok = tokenFactory(); tok->setType(t); tok->setColumn(inputState->tokenStartColumn); tok->setLine(inputState->tokenStartLine); return tok; } /** Tracer class, used when -traceLexer is passed to antlr */ class Tracer { private: CharScanner* parser; const char* text; Tracer(const Tracer& other); // undefined Tracer& operator=(const Tracer& other); // undefined public: Tracer( CharScanner* p,const char* t ) : parser(p), text(t) { parser->traceIn(text); } ~Tracer() { parser->traceOut(text); } }; int traceDepth; private: CharScanner( const CharScanner& other ); // undefined CharScanner& operator=( const CharScanner& other ); // undefined #ifndef NO_STATIC_CONSTS static const int NO_CHAR = 0; #else enum { NO_CHAR = 0 }; #endif }; inline int CharScanner::LA(unsigned int i) { int c = inputState->getInput().LA(i); if ( caseSensitive ) return c; else return toLower(c); // VC 6 tolower bug caught in toLower. 
} inline bool CharScannerLiteralsLess::operator() (const ANTLR_USE_NAMESPACE(std)string& x,const ANTLR_USE_NAMESPACE(std)string& y) const { if (scanner->getCaseSensitiveLiterals()) return ANTLR_USE_NAMESPACE(std)less()(x,y); else { #ifdef NO_STRCASECMP return (stricmp(x.c_str(),y.c_str())<0); #else return (strcasecmp(x.c_str(),y.c_str())<0); #endif } } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_CharScanner_hpp__ fwbuilder-5.3.7/src/antlr/CharStreamException.hpp000066400000000000000000000012001303637203600220350ustar00rootroot00000000000000#ifndef INC_CharStreamException_hpp__ #define INC_CharStreamException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API CharStreamException : public ANTLRException { public: CharStreamException(const ANTLR_USE_NAMESPACE(std)string& s) : ANTLRException(s) {} ~CharStreamException() throw() {} }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_CharStreamException_hpp__ fwbuilder-5.3.7/src/antlr/CharStreamIOException.hpp000066400000000000000000000013161303637203600222750ustar00rootroot00000000000000#ifndef INC_CharStreamIOException_hpp__ #define INC_CharStreamIOException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API CharStreamIOException : public CharStreamException { public: ANTLR_USE_NAMESPACE(std)exception io; CharStreamIOException(ANTLR_USE_NAMESPACE(std)exception& e) : CharStreamException(e.what()), io(e) {} ~CharStreamIOException() throw() {} }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_CharStreamIOException_hpp__ 
fwbuilder-5.3.7/src/antlr/CircularQueue.hpp000066400000000000000000000063101303637203600207050ustar00rootroot00000000000000#ifndef INC_CircularQueue_hpp__ #define INC_CircularQueue_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #include // out_of_range exception #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif // Resize every 5000 items // -------------------- vk -------------------------------------------- // 11/12/2008: extend the size to make sure large policy files are // parsed without resizing. Resizing causes crash because of call to // elementAt with idx+m_offset = -1 (call comes from TokenBuffer::LT). // I could not figure out why this happens so simpler fix is just to avoid // resizing. // -------------------- vk -------------------------------------------- #define OFFSET_MAX_RESIZE 1000000 template class ANTLR_API CircularQueue { public: CircularQueue() : storage() , m_offset(0) { } ~CircularQueue() { } /// Clear the queue inline void clear( void ) { m_offset = 0; storage.clear(); } /// @todo this should use at or should have a check // // -------------------- vk -------------------------------------------- // Fix for 64-bt systems. Originally argument was defined as // size_t idx; size_t is defined as unsigned integral type. This leads // to a crash when parser requests LT(0) at the very beginning of // the circular buffer because TokenBuffer::LT calls elementAt // with argument markerOffset+i-1, which is at that point equal // to -1. If idx is defined as size_t, it ends up equal to // 4294967295, which means we are looking past the end of the buffer. 
// -------------------- vk -------------------------------------------- inline T elementAt( int idx ) const { return storage[idx+m_offset]; } void removeFirst() { if (m_offset >= OFFSET_MAX_RESIZE) { storage.erase( storage.begin(), storage.begin() + m_offset + 1 ); m_offset = 0; } else ++m_offset; } inline void removeItems( size_t nb ) { // it would be nice if we would not get called with nb > entries // (or to be precise when entries() == 0) // This case is possible when lexer/parser::recover() calls // consume+consumeUntil when the queue is empty. // In recover the consume says to prepare to read another // character/token. Then in the subsequent consumeUntil the // LA() call will trigger // syncConsume which calls this method *before* the same queue // has been sufficiently filled. if( nb > entries() ) nb = entries(); if (m_offset >= OFFSET_MAX_RESIZE) { storage.erase( storage.begin(), storage.begin() + m_offset + nb ); m_offset = 0; } else m_offset += nb; } inline void append(const T& t) { storage.push_back(t); } inline size_t entries() const { return storage.size() - m_offset; } private: ANTLR_USE_NAMESPACE(std)vector storage; size_t m_offset; CircularQueue(const CircularQueue&); const CircularQueue& operator=(const CircularQueue&); }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_CircularQueue_hpp__ fwbuilder-5.3.7/src/antlr/CommonAST.cpp000066400000000000000000000016531303637203600177340ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/config.hpp" #include #include #include "antlr/CommonAST.hpp" #include "antlr/ANTLRUtil.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif const char* const CommonAST::TYPE_NAME = "CommonAST"; #ifdef ANTLR_SUPPORT_XML void CommonAST::initialize( ANTLR_USE_NAMESPACE(std)istream& in ) { ANTLR_USE_NAMESPACE(std)string t1, t2, text; // text read_AttributeNValue( 
in, t1, text ); read_AttributeNValue( in, t1, t2 ); #ifdef ANTLR_ATOI_IN_STD int type = ANTLR_USE_NAMESPACE(std)atoi(t2.c_str()); #else int type = atoi(t2.c_str()); #endif // initialize first part of AST. this->initialize( type, text ); } #endif RefAST CommonAST::factory() { return RefAST(new CommonAST); } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/CommonAST.hpp000066400000000000000000000034431303637203600177400ustar00rootroot00000000000000#ifndef INC_CommonAST_hpp__ #define INC_CommonAST_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API CommonAST : public BaseAST { public: CommonAST() : BaseAST() , ttype( Token::INVALID_TYPE ) , text() { } CommonAST( RefToken t ) : BaseAST() , ttype( t->getType() ) , text( t->getText() ) { } CommonAST( const CommonAST& other ) : BaseAST(other) , ttype(other.ttype) , text(other.text) { } virtual ~CommonAST() { } virtual const char* typeName( void ) const { return CommonAST::TYPE_NAME; } /// Clone this AST node. 
virtual RefAST clone( void ) const { CommonAST *ast = new CommonAST( *this ); return RefAST(ast); } virtual ANTLR_USE_NAMESPACE(std)string getText() const { return text; } virtual int getType() const { return ttype; } virtual void initialize( int t, const ANTLR_USE_NAMESPACE(std)string& txt ) { setType(t); setText(txt); } virtual void initialize( RefAST t ) { setType(t->getType()); setText(t->getText()); } virtual void initialize( RefToken t ) { setType(t->getType()); setText(t->getText()); } #ifdef ANTLR_SUPPORT_XML virtual void initialize( ANTLR_USE_NAMESPACE(std)istream& in ); #endif virtual void setText( const ANTLR_USE_NAMESPACE(std)string& txt ) { text = txt; } virtual void setType( int type ) { ttype = type; } static RefAST factory(); static const char* const TYPE_NAME; protected: int ttype; ANTLR_USE_NAMESPACE(std)string text; }; typedef ASTRefCount RefCommonAST; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_CommonAST_hpp__ fwbuilder-5.3.7/src/antlr/CommonASTWithHiddenTokens.cpp000066400000000000000000000033351303637203600230670ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/config.hpp" #include "antlr/AST.hpp" #include "antlr/BaseAST.hpp" #include "antlr/CommonAST.hpp" #include "antlr/CommonASTWithHiddenTokens.hpp" #include "antlr/CommonHiddenStreamToken.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif const char* const CommonASTWithHiddenTokens::TYPE_NAME = "CommonASTWithHiddenTokens"; // RK: Do not put constructor and destructor into the header file here.. // this triggers something very obscure in gcc 2.95.3 (and 3.0) // missing vtables and stuff. // Although this may be a problem with with binutils. 
CommonASTWithHiddenTokens::CommonASTWithHiddenTokens() : CommonAST() { } CommonASTWithHiddenTokens::~CommonASTWithHiddenTokens() { } void CommonASTWithHiddenTokens::initialize(int t,const ANTLR_USE_NAMESPACE(std)string& txt) { CommonAST::initialize(t,txt); } void CommonASTWithHiddenTokens::initialize(RefAST t) { CommonAST::initialize(t); hiddenBefore = RefCommonASTWithHiddenTokens(t)->getHiddenBefore(); hiddenAfter = RefCommonASTWithHiddenTokens(t)->getHiddenAfter(); } void CommonASTWithHiddenTokens::initialize(RefToken t) { CommonAST::initialize(t); hiddenBefore = static_cast(t.get())->getHiddenBefore(); hiddenAfter = static_cast(t.get())->getHiddenAfter(); } RefAST CommonASTWithHiddenTokens::factory() { return RefAST(new CommonASTWithHiddenTokens); } RefAST CommonASTWithHiddenTokens::clone( void ) const { CommonASTWithHiddenTokens *ast = new CommonASTWithHiddenTokens( *this ); return RefAST(ast); } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/CommonASTWithHiddenTokens.hpp000066400000000000000000000026621303637203600230760ustar00rootroot00000000000000#ifndef INC_CommonASTWithHiddenTokens_hpp__ #define INC_CommonASTWithHiddenTokens_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** A CommonAST whose initialization copies hidden token * information from the Token used to create a node. */ class ANTLR_API CommonASTWithHiddenTokens : public CommonAST { public: CommonASTWithHiddenTokens(); virtual ~CommonASTWithHiddenTokens(); virtual const char* typeName( void ) const { return CommonASTWithHiddenTokens::TYPE_NAME; } /// Clone this AST node. virtual RefAST clone( void ) const; // Borland C++ builder seems to need the decl's of the first two... 
virtual void initialize(int t,const ANTLR_USE_NAMESPACE(std)string& txt); virtual void initialize(RefAST t); virtual void initialize(RefToken t); virtual RefToken getHiddenAfter() const { return hiddenAfter; } virtual RefToken getHiddenBefore() const { return hiddenBefore; } static RefAST factory(); static const char* const TYPE_NAME; protected: RefToken hiddenBefore,hiddenAfter; // references to hidden tokens }; typedef ASTRefCount RefCommonASTWithHiddenTokens; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_CommonASTWithHiddenTokens_hpp__ fwbuilder-5.3.7/src/antlr/CommonHiddenStreamToken.cpp000066400000000000000000000020071303637203600226470ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/CommonHiddenStreamToken.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif CommonHiddenStreamToken::CommonHiddenStreamToken() : CommonToken() { } CommonHiddenStreamToken::CommonHiddenStreamToken(int t, const ANTLR_USE_NAMESPACE(std)string& txt) : CommonToken(t,txt) { } CommonHiddenStreamToken::CommonHiddenStreamToken(const ANTLR_USE_NAMESPACE(std)string& s) : CommonToken(s) { } RefToken CommonHiddenStreamToken::getHiddenAfter() { return hiddenAfter; } RefToken CommonHiddenStreamToken::getHiddenBefore() { return hiddenBefore; } RefToken CommonHiddenStreamToken::factory() { return RefToken(new CommonHiddenStreamToken); } void CommonHiddenStreamToken::setHiddenAfter(RefToken t) { hiddenAfter = t; } void CommonHiddenStreamToken::setHiddenBefore(RefToken t) { hiddenBefore = t; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/CommonHiddenStreamToken.hpp000066400000000000000000000016251303637203600226610ustar00rootroot00000000000000#ifndef INC_CommonHiddenStreamToken_hpp__ #define INC_CommonHiddenStreamToken_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at 
http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API CommonHiddenStreamToken : public CommonToken { protected: RefToken hiddenBefore; RefToken hiddenAfter; public: CommonHiddenStreamToken(); CommonHiddenStreamToken(int t, const ANTLR_USE_NAMESPACE(std)string& txt); CommonHiddenStreamToken(const ANTLR_USE_NAMESPACE(std)string& s); RefToken getHiddenAfter(); RefToken getHiddenBefore(); static RefToken factory(); void setHiddenAfter(RefToken t); void setHiddenBefore(RefToken t); }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_CommonHiddenStreamToken_hpp__ fwbuilder-5.3.7/src/antlr/CommonToken.cpp000066400000000000000000000015221303637203600203600ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/CommonToken.hpp" #include "antlr/String.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif CommonToken::CommonToken() : Token(), line(1), col(1), text("") {} CommonToken::CommonToken(int t, const ANTLR_USE_NAMESPACE(std)string& txt) : Token(t) , line(1) , col(1) , text(txt) {} CommonToken::CommonToken(const ANTLR_USE_NAMESPACE(std)string& s) : Token() , line(1) , col(1) , text(s) {} ANTLR_USE_NAMESPACE(std)string CommonToken::toString() const { return "[\""+getText()+"\",<"+getType()+">,line="+getLine()+",column="+getColumn()+"]"; } RefToken CommonToken::factory() { return RefToken(new CommonToken); } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/CommonToken.hpp000066400000000000000000000031261303637203600203670ustar00rootroot00000000000000#ifndef INC_CommonToken_hpp__ #define INC_CommonToken_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include 
#include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API CommonToken : public Token { public: CommonToken(); CommonToken(int t, const ANTLR_USE_NAMESPACE(std)string& txt); CommonToken(const ANTLR_USE_NAMESPACE(std)string& s); /// return contents of token virtual ANTLR_USE_NAMESPACE(std)string getText() const { return text; } /// set contents of token virtual void setText(const ANTLR_USE_NAMESPACE(std)string& s) { text = s; } /** get the line the token is at (starting at 1) * @see CharScanner::newline() * @see CharScanner::tab() */ virtual int getLine() const { return line; } /** gt the column the token is at (starting at 1) * @see CharScanner::newline() * @see CharScanner::tab() */ virtual int getColumn() const { return col; } /// set line for token virtual void setLine(int l) { line = l; } /// set column for token virtual void setColumn(int c) { col = c; } virtual ANTLR_USE_NAMESPACE(std)string toString() const; static RefToken factory(); protected: // most tokens will want line and text information int line; int col; ANTLR_USE_NAMESPACE(std)string text; private: CommonToken(const CommonToken&); const CommonToken& operator=(const CommonToken&); }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_CommonToken_hpp__ fwbuilder-5.3.7/src/antlr/IOException.hpp000066400000000000000000000016611303637203600203260ustar00rootroot00000000000000#ifndef INC_IOException_hpp__ #define INC_IOException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** Generic IOException used inside support code. (thrown by XML I/O routs) * basically this is something I'm using since a lot of compilers don't * support ios_base::failure. 
*/ class ANTLR_API IOException : public ANTLRException { public: ANTLR_USE_NAMESPACE(std)exception io; IOException( ANTLR_USE_NAMESPACE(std)exception& e ) : ANTLRException(e.what()) { } IOException( const ANTLR_USE_NAMESPACE(std)string& mesg ) : ANTLRException(mesg) { } virtual ~IOException() throw() { } }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_IOException_hpp__ fwbuilder-5.3.7/src/antlr/InputBuffer.cpp000066400000000000000000000033541303637203600203650ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/config.hpp" #include "antlr/InputBuffer.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** Ensure that the character buffer is sufficiently full */ void InputBuffer::fill(unsigned int amount) { syncConsume(); // Fill the buffer sufficiently to hold needed characters while (queue.entries() < amount + markerOffset) { // Append the next character queue.append(getChar()); } } /** get the current lookahead characters as a string * @warning it may treat 0 and EOF values wrong */ ANTLR_USE_NAMESPACE(std)string InputBuffer::getLAChars( void ) const { ANTLR_USE_NAMESPACE(std)string ret; for(unsigned int i = markerOffset; i < queue.entries(); i++) ret += queue.elementAt(i); return ret; } /** get the current marked characters as a string * @warning it may treat 0 and EOF values wrong */ ANTLR_USE_NAMESPACE(std)string InputBuffer::getMarkedChars( void ) const { ANTLR_USE_NAMESPACE(std)string ret; for(unsigned int i = 0; i < markerOffset; i++) ret += queue.elementAt(i); return ret; } /** Return an integer marker that can be used to rewind the buffer to * its current state. */ unsigned int InputBuffer::mark() { syncConsume(); nMarkers++; return markerOffset; } /** Rewind the character buffer to a marker. 
* @param mark Marker returned previously from mark() */ void InputBuffer::rewind(unsigned int mark) { syncConsume(); markerOffset = mark; nMarkers--; } unsigned int InputBuffer::entries() const { //assert(queue.entries() >= markerOffset); return queue.entries() - markerOffset; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/InputBuffer.hpp000066400000000000000000000065501303637203600203730ustar00rootroot00000000000000#ifndef INC_InputBuffer_hpp__ #define INC_InputBuffer_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** A Stream of characters fed to the lexer from a InputStream that can * be rewound via mark()/rewind() methods. *

* A dynamic array is used to buffer up all the input characters. Normally, * "k" characters are stored in the buffer. More characters may be stored during * guess mode (testing syntactic predicate), or when LT(i>k) is referenced. * Consumption of characters is deferred. In other words, reading the next * character is not done by conume(), but deferred until needed by LA or LT. *

* * @see antlr.CharQueue */ class ANTLR_API InputBuffer { public: /** Create a character buffer */ InputBuffer() : nMarkers(0) , markerOffset(0) , numToConsume(0) { } virtual ~InputBuffer() { } /// Reset the input buffer to empty state virtual inline void reset( void ) { nMarkers = 0; markerOffset = 0; numToConsume = 0; queue.clear(); } /** This method updates the state of the input buffer so that * the text matched since the most recent mark() is no longer * held by the buffer. So, you either do a mark/rewind for * failed predicate or mark/commit to keep on parsing without * rewinding the input. */ inline void commit( void ) { nMarkers--; } /** Mark another character for deferred consumption */ virtual inline void consume() { numToConsume++; } /** Ensure that the character buffer is sufficiently full */ virtual void fill(unsigned int amount); /** Override this in subclasses to get the next character */ virtual int getChar()=0; /** Get a lookahead character */ virtual inline int LA(unsigned int i) { fill(i); return queue.elementAt(markerOffset + i - 1); } /** Return an integer marker that can be used to rewind the buffer to * its current state. */ virtual unsigned int mark(); /// Are there any marks active in the InputBuffer virtual inline bool isMarked() const { return (nMarkers != 0); } /** Rewind the character buffer to a marker. 
* @param mark Marker returned previously from mark() */ virtual void rewind(unsigned int mark); /** Get the number of non-consumed characters */ virtual unsigned int entries() const; ANTLR_USE_NAMESPACE(std)string getLAChars() const; ANTLR_USE_NAMESPACE(std)string getMarkedChars() const; protected: // char source // leave to subclasses // Number of active markers unsigned int nMarkers; // = 0; // Additional offset used when markers are active unsigned int markerOffset; // = 0; // Number of calls to consume() since last LA() or LT() call unsigned int numToConsume; // = 0; // Circular queue CircularQueue queue; /** Sync up deferred consumption */ void syncConsume(); private: InputBuffer(const InputBuffer& other); InputBuffer& operator=(const InputBuffer& other); }; /** Sync up deferred consumption */ inline void InputBuffer::syncConsume() { if (numToConsume > 0) { if (nMarkers > 0) markerOffset += numToConsume; else queue.removeItems( numToConsume ); numToConsume = 0; } } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_InputBuffer_hpp__ fwbuilder-5.3.7/src/antlr/LLkParser.cpp000066400000000000000000000032641303637203600177730ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/LLkParser.hpp" #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif ANTLR_USING_NAMESPACE(std) /**An LL(k) parser. 
* * @see antlr.Token * @see antlr.TokenBuffer * @see antlr.LL1Parser */ // LLkParser(int k_); LLkParser::LLkParser(const ParserSharedInputState& state, int k_) : Parser(state), k(k_) { } LLkParser::LLkParser(TokenBuffer& tokenBuf, int k_) : Parser(tokenBuf), k(k_) { } LLkParser::LLkParser(TokenStream& lexer, int k_) : Parser(new TokenBuffer(lexer)), k(k_) { } void LLkParser::trace(const char* ee, const char* rname) { traceIndent(); cout << ee << rname << ((inputState->guessing>0)?"; [guessing]":"; "); for (int i = 1; i <= k; i++) { if (i != 1) { cout << ", "; } cout << "LA(" << i << ")=="; string temp; try { temp = LT(i)->getText().c_str(); } catch( ANTLRException& ae ) { temp = "[error: "; temp += ae.toString(); temp += ']'; } cout << temp; } cout << endl; } void LLkParser::traceIn(const char* rname) { traceDepth++; trace("> ",rname); } void LLkParser::traceOut(const char* rname) { trace("< ",rname); traceDepth--; } RefToken LLkParser::LT(unsigned int i) { //assert(this!=NULL); //clang error: 'this' pointer cannot be null in well-defined C++ code; assert(inputState!=NULL); TokenBuffer &tb = inputState->getInput(); //assert(&tb!=NULL); //clang error: reference cannot be bound to dereferenced null pointer in well-defined C++ code; return tb.LT(i); } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/LLkParser.hpp000066400000000000000000000027011303637203600177730ustar00rootroot00000000000000#ifndef INC_LLkParser_hpp__ #define INC_LLkParser_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /**An LL(k) parser. 
* * @see antlr.Token * @see antlr.TokenBuffer * @see antlr.LL1Parser */ class ANTLR_API LLkParser : public Parser { public: LLkParser(const ParserSharedInputState& lexer, int k_); LLkParser(TokenBuffer& tokenBuf, int k_); LLkParser(TokenStream& lexer, int k_); /** Consume another token from the input stream. Can only write sequentially! * If you need 3 tokens ahead, you must consume() 3 times. *

* Note that it is possible to overwrite tokens that have not been matched. * For example, calling consume() 3 times when k=2, means that the first token * consumed will be overwritten with the 3rd. */ virtual inline void consume() { inputState->getInput().consume(); } virtual inline int LA(unsigned int i) { return inputState->getInput().LA(i); } virtual RefToken LT(unsigned int i); protected: /// the lookahead this LL(k) parser is using. int k; private: void trace(const char* ee, const char* rname); public: virtual void traceIn(const char* rname); virtual void traceOut(const char* rname); }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_LLkParser_hpp__ fwbuilder-5.3.7/src/antlr/LexerSharedInputState.hpp000066400000000000000000000065001303637203600223640ustar00rootroot00000000000000#ifndef INC_LexerSharedInputState_hpp__ #define INC_LexerSharedInputState_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** This object contains the data associated with an * input stream of characters. Multiple lexers * share a single LexerSharedInputState to lex * the same input stream. */ class ANTLR_API LexerInputState { public: /** Construct a new LexerInputState * @param inbuf the InputBuffer to read from. The object is deleted together * with the LexerInputState object. */ LexerInputState(InputBuffer* inbuf) : column(1) , line(1) , tokenStartColumn(1) , tokenStartLine(1) , guessing(0) , filename("") , input(inbuf) , inputResponsible(true) { } /** Construct a new LexerInputState * @param inbuf the InputBuffer to read from. 
*/ LexerInputState(InputBuffer& inbuf) : column(1) , line(1) , tokenStartColumn(1) , tokenStartLine(1) , guessing(0) , filename("") , input(&inbuf) , inputResponsible(false) { } /** Construct a new LexerInputState * @param in an istream to read from. * @see antlr.CharBuffer */ LexerInputState(ANTLR_USE_NAMESPACE(std)istream& in) : column(1) , line(1) , tokenStartColumn(1) , tokenStartLine(1) , guessing(0) , filename("") , input(new CharBuffer(in)) , inputResponsible(true) { } /** Reset the LexerInputState with a specified stream and filename. * This method is a hack, dunno what I was thinking when I added it. * This should actually be done in a subclass. * @deprecated */ virtual void initialize( ANTLR_USE_NAMESPACE(std)istream& in, const char* file = "" ) { column = 1; line = 1; tokenStartColumn = 1; tokenStartLine = 1; guessing = 0; filename = file; if( input && inputResponsible ) delete input; input = new CharBuffer(in); inputResponsible = true; } /** Reset the LexerInputState to initial state. * The underlying InputBuffer is also reset. */ virtual void reset( void ) { column = 1; line = 1; tokenStartColumn = 1; tokenStartLine = 1; guessing = 0; input->reset(); } /** Set the file position of the SharedLexerInputState. * @param line_ line number to be set * @param column_ column number to be set */ void setPosition( int line_, int column_ ) { line = line_; column = column_; } virtual ~LexerInputState() { if (inputResponsible) delete input; } int column; int line; int tokenStartColumn; int tokenStartLine; int guessing; /** What file (if known) caused the problem? */ ANTLR_USE_NAMESPACE(std)string filename; InputBuffer& getInput(); private: /// Input buffer we use InputBuffer* input; /// Who is responsible for cleaning up the InputBuffer? 
bool inputResponsible; // we don't want these: LexerInputState(const LexerInputState&); LexerInputState& operator=(const LexerInputState&); }; inline InputBuffer& LexerInputState::getInput() { return *input; } /// A reference counted LexerInputState object typedef RefCount LexerSharedInputState; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_LexerSharedInputState_hpp__ fwbuilder-5.3.7/src/antlr/MismatchedCharException.cpp000066400000000000000000000060661303637203600226720ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/CharScanner.hpp" #include "antlr/MismatchedCharException.hpp" #include "antlr/String.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif MismatchedCharException::MismatchedCharException() : RecognitionException("Mismatched char") {} // Expected range / not range MismatchedCharException::MismatchedCharException( int c, int lower, int upper_, bool matchNot, CharScanner* scanner_ ) : RecognitionException("Mismatched char", scanner_->getFilename(), scanner_->getLine(), scanner_->getColumn()) , mismatchType(matchNot ? NOT_RANGE : RANGE) , foundChar(c) , expecting(lower) , upper(upper_) , scanner(scanner_) { } // Expected token / not token MismatchedCharException::MismatchedCharException( int c, int expecting_, bool matchNot, CharScanner* scanner_ ) : RecognitionException("Mismatched char", scanner_->getFilename(), scanner_->getLine(), scanner_->getColumn()) , mismatchType(matchNot ? NOT_CHAR : CHAR) , foundChar(c) , expecting(expecting_) , scanner(scanner_) { } // Expected BitSet / not BitSet MismatchedCharException::MismatchedCharException( int c, BitSet set_, bool matchNot, CharScanner* scanner_ ) : RecognitionException("Mismatched char", scanner_->getFilename(), scanner_->getLine(), scanner_->getColumn()) , mismatchType(matchNot ? 
NOT_SET : SET) , foundChar(c) , set(set_) , scanner(scanner_) { } ANTLR_USE_NAMESPACE(std)string MismatchedCharException::getMessage() const { ANTLR_USE_NAMESPACE(std)string s; switch (mismatchType) { case CHAR : s += "expecting '" + charName(expecting) + "', found '" + charName(foundChar) + "'"; break; case NOT_CHAR : s += "expecting anything but '" + charName(expecting) + "'; got it anyway"; break; case RANGE : s += "expecting token in range: '" + charName(expecting) + "'..'" + charName(upper) + "', found '" + charName(foundChar) + "'"; break; case NOT_RANGE : s += "expecting token NOT in range: " + charName(expecting) + "'..'" + charName(upper) + "', found '" + charName(foundChar) + "'"; break; case SET : case NOT_SET : { s += ANTLR_USE_NAMESPACE(std)string("expecting ") + (mismatchType == NOT_SET ? "NOT " : "") + "one of ("; ANTLR_USE_NAMESPACE(std)vector elems = set.toArray(); for ( unsigned int i = 0; i < elems.size(); i++ ) { s += " '"; s += charName(elems[i]); s += "'"; } s += "), found '" + charName(foundChar) + "'"; } break; default : s += RecognitionException::getMessage(); break; } return s; } #ifndef NO_STATIC_CONSTS const int MismatchedCharException::CHAR; const int MismatchedCharException::NOT_CHAR; const int MismatchedCharException::RANGE; const int MismatchedCharException::NOT_RANGE; const int MismatchedCharException::SET; const int MismatchedCharException::NOT_SET; #endif #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/MismatchedCharException.hpp000066400000000000000000000035471303637203600227000ustar00rootroot00000000000000#ifndef INC_MismatchedCharException_hpp__ #define INC_MismatchedCharException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class CharScanner; class ANTLR_API MismatchedCharException : public 
RecognitionException { public: // Types of chars #ifndef NO_STATIC_CONSTS static const int CHAR = 1; static const int NOT_CHAR = 2; static const int RANGE = 3; static const int NOT_RANGE = 4; static const int SET = 5; static const int NOT_SET = 6; #else enum { CHAR = 1, NOT_CHAR = 2, RANGE = 3, NOT_RANGE = 4, SET = 5, NOT_SET = 6 }; #endif public: // One of the above int mismatchType; // what was found on the input stream int foundChar; // For CHAR/NOT_CHAR and RANGE/NOT_RANGE int expecting; // For RANGE/NOT_RANGE (expecting is lower bound of range) int upper; // For SET/NOT_SET BitSet set; protected: // who knows...they may want to ask scanner questions CharScanner* scanner; public: MismatchedCharException(); // Expected range / not range MismatchedCharException( int c, int lower, int upper_, bool matchNot, CharScanner* scanner_ ); // Expected token / not token MismatchedCharException( int c, int expecting_, bool matchNot, CharScanner* scanner_ ); // Expected BitSet / not BitSet MismatchedCharException( int c, BitSet set_, bool matchNot, CharScanner* scanner_ ); ~MismatchedCharException() throw() {} /** * Returns a clean error message (no line number/column information) */ ANTLR_USE_NAMESPACE(std)string getMessage() const; }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_MismatchedCharException_hpp__ fwbuilder-5.3.7/src/antlr/MismatchedTokenException.cpp000066400000000000000000000123351303637203600230710ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/MismatchedTokenException.hpp" #include "antlr/String.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif MismatchedTokenException::MismatchedTokenException() : RecognitionException("Mismatched Token: expecting any AST node","",-1,-1) , token(0) , node(nullASTptr) , tokenNames(0) , numTokens(0) { } // Expected range / not range 
MismatchedTokenException::MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefAST node_, int lower, int upper_, bool matchNot ) : RecognitionException("Mismatched Token","",-1,-1) , token(0) , node(node_) , tokenText( (node_ ? node_->toString(): ANTLR_USE_NAMESPACE(std)string("")) ) , mismatchType(matchNot ? NOT_RANGE : RANGE) , expecting(lower) , upper(upper_) , tokenNames(tokenNames_) , numTokens(numTokens_) { } // Expected token / not token MismatchedTokenException::MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefAST node_, int expecting_, bool matchNot ) : RecognitionException("Mismatched Token","",-1,-1) , token(0) , node(node_) , tokenText( (node_ ? node_->toString(): ANTLR_USE_NAMESPACE(std)string("")) ) , mismatchType(matchNot ? NOT_TOKEN : TOKEN) , expecting(expecting_) , tokenNames(tokenNames_) , numTokens(numTokens_) { } // Expected BitSet / not BitSet MismatchedTokenException::MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefAST node_, BitSet set_, bool matchNot ) : RecognitionException("Mismatched Token","",-1,-1) , token(0) , node(node_) , tokenText( (node_ ? node_->toString(): ANTLR_USE_NAMESPACE(std)string("")) ) , mismatchType(matchNot ? NOT_SET : SET) , set(set_) , tokenNames(tokenNames_) , numTokens(numTokens_) { } // Expected range / not range MismatchedTokenException::MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefToken token_, int lower, int upper_, bool matchNot, const ANTLR_USE_NAMESPACE(std)string& fileName_ ) : RecognitionException("Mismatched Token",fileName_,token_->getLine(),token_->getColumn()) , token(token_) , node(nullASTptr) , tokenText(token_->getText()) , mismatchType(matchNot ? 
NOT_RANGE : RANGE) , expecting(lower) , upper(upper_) , tokenNames(tokenNames_) , numTokens(numTokens_) { } // Expected token / not token MismatchedTokenException::MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefToken token_, int expecting_, bool matchNot, const ANTLR_USE_NAMESPACE(std)string& fileName_ ) : RecognitionException("Mismatched Token",fileName_,token_->getLine(),token_->getColumn()) , token(token_) , node(nullASTptr) , tokenText(token_->getText()) , mismatchType(matchNot ? NOT_TOKEN : TOKEN) , expecting(expecting_) , tokenNames(tokenNames_) , numTokens(numTokens_) { } // Expected BitSet / not BitSet MismatchedTokenException::MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefToken token_, BitSet set_, bool matchNot, const ANTLR_USE_NAMESPACE(std)string& fileName_ ) : RecognitionException("Mismatched Token",fileName_,token_->getLine(),token_->getColumn()) , token(token_) , node(nullASTptr) , tokenText(token_->getText()) , mismatchType(matchNot ? NOT_SET : SET) , set(set_) , tokenNames(tokenNames_) , numTokens(numTokens_) { } ANTLR_USE_NAMESPACE(std)string MismatchedTokenException::getMessage() const { ANTLR_USE_NAMESPACE(std)string s; switch (mismatchType) { case TOKEN: s += "expecting " + tokenName(expecting) + ", found '" + tokenText + "'"; break; case NOT_TOKEN: s += "expecting anything but " + tokenName(expecting) + "; got it anyway"; break; case RANGE: s += "expecting token in range: " + tokenName(expecting) + ".." + tokenName(upper) + ", found '" + tokenText + "'"; break; case NOT_RANGE: s += "expecting token NOT in range: " + tokenName(expecting) + ".." + tokenName(upper) + ", found '" + tokenText + "'"; break; case SET: case NOT_SET: { s += ANTLR_USE_NAMESPACE(std)string("expecting ") + (mismatchType == NOT_SET ? 
"NOT " : "") + "one of ("; ANTLR_USE_NAMESPACE(std)vector elems = set.toArray(); for ( unsigned int i = 0; i < elems.size(); i++ ) { s += " "; s += tokenName(elems[i]); } s += "), found '" + tokenText + "'"; } break; default: s = RecognitionException::getMessage(); break; } return s; } ANTLR_USE_NAMESPACE(std)string MismatchedTokenException::tokenName(int tokenType) const { if (tokenType == Token::INVALID_TYPE) return ""; else if (tokenType < 0 || tokenType >= numTokens) return ANTLR_USE_NAMESPACE(std)string("<") + tokenType + ">"; else return tokenNames[tokenType]; } #ifndef NO_STATIC_CONSTS const int MismatchedTokenException::TOKEN; const int MismatchedTokenException::NOT_TOKEN; const int MismatchedTokenException::RANGE; const int MismatchedTokenException::NOT_RANGE; const int MismatchedTokenException::SET; const int MismatchedTokenException::NOT_SET; #endif #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/MismatchedTokenException.hpp000066400000000000000000000057761303637203600231110ustar00rootroot00000000000000#ifndef INC_MismatchedTokenException_hpp__ #define INC_MismatchedTokenException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API MismatchedTokenException : public RecognitionException { public: MismatchedTokenException(); /// Expected range / not range MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefAST node_, int lower, int upper_, bool matchNot ); // Expected token / not token MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefAST node_, int expecting_, bool matchNot ); // Expected BitSet / not BitSet MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefAST node_, BitSet set_, bool matchNot ); // 
Expected range / not range MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefToken token_, int lower, int upper_, bool matchNot, const ANTLR_USE_NAMESPACE(std)string& fileName_ ); // Expected token / not token MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefToken token_, int expecting_, bool matchNot, const ANTLR_USE_NAMESPACE(std)string& fileName_ ); // Expected BitSet / not BitSet MismatchedTokenException( const char* const* tokenNames_, const int numTokens_, RefToken token_, BitSet set_, bool matchNot, const ANTLR_USE_NAMESPACE(std)string& fileName_ ); ~MismatchedTokenException() throw() {} /** * Returns a clean error message (no line number/column information) */ ANTLR_USE_NAMESPACE(std)string getMessage() const; public: /// The token that was encountered const RefToken token; /// The offending AST node if tree walking const RefAST node; /// taken from node or token object ANTLR_USE_NAMESPACE(std)string tokenText; /// Types of tokens #ifndef NO_STATIC_CONSTS static const int TOKEN = 1; static const int NOT_TOKEN = 2; static const int RANGE = 3; static const int NOT_RANGE = 4; static const int SET = 5; static const int NOT_SET = 6; #else enum { TOKEN = 1, NOT_TOKEN = 2, RANGE = 3, NOT_RANGE = 4, SET = 5, NOT_SET = 6 }; #endif public: /// One of the above int mismatchType; /// For TOKEN/NOT_TOKEN and RANGE/NOT_RANGE int expecting; /// For RANGE/NOT_RANGE (expecting is lower bound of range) int upper; /// For SET/NOT_SET BitSet set; private: /// Token names array for formatting const char* const* tokenNames; /// Max number of tokens in tokenNames const int numTokens; /// Return token name for tokenType ANTLR_USE_NAMESPACE(std)string tokenName(int tokenType) const; }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_MismatchedTokenException_hpp__ fwbuilder-5.3.7/src/antlr/NoViableAltException.cpp000066400000000000000000000023061303637203600221470ustar00rootroot00000000000000/* ANTLR 
Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/NoViableAltException.hpp" #include "antlr/String.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif ANTLR_USING_NAMESPACE(std) NoViableAltException::NoViableAltException(RefAST t) : RecognitionException("NoViableAlt","",-1,-1), token(0), node(t) { } NoViableAltException::NoViableAltException( RefToken t, const ANTLR_USE_NAMESPACE(std)string& fileName_ ) : RecognitionException("NoViableAlt",fileName_,t->getLine(),t->getColumn()), token(t), node(nullASTptr) { } ANTLR_USE_NAMESPACE(std)string NoViableAltException::getMessage() const { if (token) { if( token->getType() == Token::EOF_TYPE ) return string("unexpected end of file"); else if( token->getType() == Token::NULL_TREE_LOOKAHEAD ) return string("unexpected end of tree"); else return string("unexpected token: ")+token->getText(); } // must a tree parser error if token==null if (!node) return "unexpected end of subtree"; return string("unexpected AST node: ")+node->toString(); } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/NoViableAltException.hpp000066400000000000000000000016671303637203600221650ustar00rootroot00000000000000#ifndef INC_NoViableAltException_hpp__ #define INC_NoViableAltException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API NoViableAltException : public RecognitionException { public: const RefToken token; const RefAST node; // handles parsing and treeparsing NoViableAltException(RefAST t); NoViableAltException(RefToken t,const ANTLR_USE_NAMESPACE(std)string& fileName_); ~NoViableAltException() throw() {} /** * Returns a clean error message (no line number/column information) */ 
ANTLR_USE_NAMESPACE(std)string getMessage() const; }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_NoViableAltException_hpp__ fwbuilder-5.3.7/src/antlr/NoViableAltForCharException.cpp000066400000000000000000000017531303637203600234210ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/NoViableAltForCharException.hpp" #include "antlr/String.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif NoViableAltForCharException::NoViableAltForCharException(int c, CharScanner* scanner) : RecognitionException("NoViableAlt", scanner->getFilename(), scanner->getLine(),scanner->getColumn()), foundChar(c) { } NoViableAltForCharException::NoViableAltForCharException( int c, const ANTLR_USE_NAMESPACE(std)string& fileName_, int line_, int column_) : RecognitionException("NoViableAlt",fileName_,line_,column_), foundChar(c) { } ANTLR_USE_NAMESPACE(std)string NoViableAltForCharException::getMessage() const { return ANTLR_USE_NAMESPACE(std)string("unexpected char: ")+charName(foundChar); } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/NoViableAltForCharException.hpp000066400000000000000000000017351303637203600234260ustar00rootroot00000000000000#ifndef INC_NoViableAltForCharException_hpp__ # define INC_NoViableAltForCharException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ # include # include # include # ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { # endif class ANTLR_API NoViableAltForCharException : public RecognitionException { public: NoViableAltForCharException(int c, CharScanner* scanner); NoViableAltForCharException(int c, const ANTLR_USE_NAMESPACE(std)string& fileName_, int line_, int column_); virtual ~NoViableAltForCharException() throw() { } /// Returns a clean error 
message (no line number/column information) ANTLR_USE_NAMESPACE(std)string getMessage() const; protected: int foundChar; }; # ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } # endif #endif //INC_NoViableAltForCharException_hpp__ fwbuilder-5.3.7/src/antlr/Parser.cpp000066400000000000000000000064141303637203600173700ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/Parser.hpp" #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** A generic ANTLR parser (LL(k) for k>=1) containing a bunch of * utility routines useful at any lookahead depth. We distinguish between * the LL(1) and LL(k) parsers because of efficiency. This may not be * necessary in the near future. * * Each parser object contains the state of the parse including a lookahead * cache (the form of which is determined by the subclass), whether or * not the parser is in guess mode, where tokens come from, etc... * *

* During guess mode, the current lookahead token(s) and token type(s) * cache must be saved because the token stream may not have been informed * to save the token (via mark) before the try block. * Guessing is started by: *

    *
  1. saving the lookahead cache. *
  2. marking the current position in the TokenBuffer. *
  3. increasing the guessing level. *
* * After guessing, the parser state is restored by: *
    *
  1. restoring the lookahead cache. *
  2. rewinding the TokenBuffer. *
  3. decreasing the guessing level. *
* * @see antlr.Token * @see antlr.TokenBuffer * @see antlr.TokenStream * @see antlr.LL1Parser * @see antlr.LLkParser */ bool DEBUG_PARSER = false; /** Parser error-reporting function can be overridden in subclass */ void Parser::reportError(const RecognitionException& ex) { ANTLR_USE_NAMESPACE(std)cerr << ex.toString().c_str() << ANTLR_USE_NAMESPACE(std)endl; } /** Parser error-reporting function can be overridden in subclass */ void Parser::reportError(const ANTLR_USE_NAMESPACE(std)string& s) { if ( getFilename()=="" ) ANTLR_USE_NAMESPACE(std)cerr << "error: " << s.c_str() << ANTLR_USE_NAMESPACE(std)endl; else ANTLR_USE_NAMESPACE(std)cerr << getFilename().c_str() << ": error: " << s.c_str() << ANTLR_USE_NAMESPACE(std)endl; } /** Parser warning-reporting function can be overridden in subclass */ void Parser::reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { if ( getFilename()=="" ) ANTLR_USE_NAMESPACE(std)cerr << "warning: " << s.c_str() << ANTLR_USE_NAMESPACE(std)endl; else ANTLR_USE_NAMESPACE(std)cerr << getFilename().c_str() << ": warning: " << s.c_str() << ANTLR_USE_NAMESPACE(std)endl; } /** Set or change the input token buffer */ // void setTokenBuffer(TokenBuffer* t); void Parser::traceIndent() { for( int i = 0; i < traceDepth; i++ ) ANTLR_USE_NAMESPACE(std)cout << " "; } void Parser::traceIn(const char* rname) { traceDepth++; for( int i = 0; i < traceDepth; i++ ) ANTLR_USE_NAMESPACE(std)cout << " "; ANTLR_USE_NAMESPACE(std)cout << "> " << rname << "; LA(1)==" << LT(1)->getText().c_str() << ((inputState->guessing>0)?" [guessing]":"") << ANTLR_USE_NAMESPACE(std)endl; } void Parser::traceOut(const char* rname) { for( int i = 0; i < traceDepth; i++ ) ANTLR_USE_NAMESPACE(std)cout << " "; ANTLR_USE_NAMESPACE(std)cout << "< " << rname << "; LA(1)==" << LT(1)->getText().c_str() << ((inputState->guessing>0)?" 
[guessing]":"") << ANTLR_USE_NAMESPACE(std)endl; traceDepth--; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/Parser.hpp000066400000000000000000000211751303637203600173760ustar00rootroot00000000000000#ifndef INC_Parser_hpp__ #define INC_Parser_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #include #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif extern bool DEBUG_PARSER; /** A generic ANTLR parser (LL(k) for k>=1) containing a bunch of * utility routines useful at any lookahead depth. We distinguish between * the LL(1) and LL(k) parsers because of efficiency. This may not be * necessary in the near future. * * Each parser object contains the state of the parse including a lookahead * cache (the form of which is determined by the subclass), whether or * not the parser is in guess mode, where tokens come from, etc... * *

* During guess mode, the current lookahead token(s) and token type(s) * cache must be saved because the token stream may not have been informed * to save the token (via mark) before the try block. * Guessing is started by: *

    *
  1. saving the lookahead cache. *
  2. marking the current position in the TokenBuffer. *
  3. increasing the guessing level. *
* * After guessing, the parser state is restored by: *
    *
  1. restoring the lookahead cache. *
  2. rewinding the TokenBuffer. *
  3. decreasing the guessing level. *
* * @see antlr.Token * @see antlr.TokenBuffer * @see antlr.TokenStream * @see antlr.LL1Parser * @see antlr.LLkParser * * @todo add constructors with ASTFactory. */ class ANTLR_API Parser { protected: Parser(TokenBuffer& input) : inputState(new ParserInputState(input)), astFactory(0), traceDepth(0) { } Parser(TokenBuffer* input) : inputState(new ParserInputState(input)), astFactory(0), traceDepth(0) { } Parser(const ParserSharedInputState& state) : inputState(state), astFactory(0), traceDepth(0) { } public: virtual ~Parser() { } /** Return the token type of the ith token of lookahead where i=1 * is the current token being examined by the parser (i.e., it * has not been matched yet). */ virtual int LA(unsigned int i)=0; /// Return the i-th token of lookahead virtual RefToken LT(unsigned int i)=0; /** DEPRECATED! Specify the factory to be used during tree building. (Compulsory) * Setting the factory is nowadays compulsory. * @see setASTFactory */ virtual void setASTNodeFactory( ASTFactory *factory ) { astFactory = factory; } /** Specify the factory to be used during tree building. (Compulsory) * Setting the factory is nowadays compulsory. */ virtual void setASTFactory( ASTFactory *factory ) { astFactory = factory; } /** Return a pointer to the ASTFactory used. * So you might use it in subsequent treewalkers or to reload AST's * from disk. */ virtual ASTFactory* getASTFactory() { return astFactory; } /** Get the root AST node of the generated AST. When using a custom AST type * or heterogenous AST's, you'll have to convert it to the right type * yourself. */ virtual RefAST getAST() = 0; /// Return the filename of the input file. virtual inline ANTLR_USE_NAMESPACE(std)string getFilename() const { return inputState->filename; } /// Set the filename of the input file (used for error reporting). 
virtual void setFilename(const ANTLR_USE_NAMESPACE(std)string& f) { inputState->filename = f; } virtual void setInputState(ParserSharedInputState state) { inputState = state; } virtual inline ParserSharedInputState getInputState() const { return inputState; } /// Get another token object from the token stream virtual void consume()=0; /// Consume tokens until one matches the given token virtual void consumeUntil(int tokenType) { while (LA(1) != Token::EOF_TYPE && LA(1) != tokenType) consume(); } /// Consume tokens until one matches the given token set virtual void consumeUntil(const BitSet& set) { while (LA(1) != Token::EOF_TYPE && !set.member(LA(1))) consume(); } /** Make sure current lookahead symbol matches token type t. * Throw an exception upon mismatch, which is catch by either the * error handler or by the syntactic predicate. */ virtual void match(int t) { if ( DEBUG_PARSER ) { traceIndent(); ANTLR_USE_NAMESPACE(std)cout << "enter match(" << t << ") with LA(1)=" << LA(1) << ANTLR_USE_NAMESPACE(std)endl; } if ( LA(1) != t ) { if ( DEBUG_PARSER ) { traceIndent(); ANTLR_USE_NAMESPACE(std)cout << "token mismatch: " << LA(1) << "!=" << t << ANTLR_USE_NAMESPACE(std)endl; } throw MismatchedTokenException(getTokenNames(), getNumTokens(), LT(1), t, false, getFilename()); } else { // mark token as consumed -- fetch next token deferred until LA/LT consume(); } } virtual void matchNot(int t) { if ( LA(1)==t ) { // Throws inverted-sense exception throw MismatchedTokenException(getTokenNames(), getNumTokens(), LT(1), t, true, getFilename()); } else { // mark token as consumed -- fetch next token deferred until LA/LT consume(); } } /** Make sure current lookahead symbol matches the given set * Throw an exception upon mismatch, which is catch by either the * error handler or by the syntactic predicate. 
*/ virtual void match(const BitSet& b) { if ( DEBUG_PARSER ) { traceIndent(); ANTLR_USE_NAMESPACE(std)cout << "enter match(" << "bitset" /*b.toString()*/ << ") with LA(1)=" << LA(1) << ANTLR_USE_NAMESPACE(std)endl; } if ( !b.member(LA(1)) ) { if ( DEBUG_PARSER ) { traceIndent(); ANTLR_USE_NAMESPACE(std)cout << "token mismatch: " << LA(1) << " not member of " << "bitset" /*b.toString()*/ << ANTLR_USE_NAMESPACE(std)endl; } throw MismatchedTokenException(getTokenNames(), getNumTokens(), LT(1), b, false, getFilename()); } else { // mark token as consumed -- fetch next token deferred until LA/LT consume(); } } /** Mark a spot in the input and return the position. * Forwarded to TokenBuffer. */ virtual inline unsigned int mark() { return inputState->getInput().mark(); } /// rewind to a previously marked position virtual inline void rewind(unsigned int pos) { inputState->getInput().rewind(pos); } /** called by the generated parser to do error recovery, override to * customize the behaviour. */ virtual void recover(const RecognitionException& , const BitSet& tokenSet) { consume(); consumeUntil(tokenSet); } /// Parser error-reporting function can be overridden in subclass virtual void reportError(const RecognitionException& ex); /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s); /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s); /// get the token name for the token number 'num' virtual const char* getTokenName(int num) const = 0; /// get a vector with all token names virtual const char* const* getTokenNames() const = 0; /** Get the number of tokens defined. * This one should be overridden in subclasses. 
*/ virtual int getNumTokens(void) const = 0; /** Set or change the input token buffer */ // void setTokenBuffer(TokenBuffer* t); virtual void traceIndent(); virtual void traceIn(const char* rname); virtual void traceOut(const char* rname); protected: // void setTokenNames(const char** tokenNames_); ParserSharedInputState inputState; // /// AST return value for a rule is squirreled away here // RefAST returnAST; /// AST support code; parser and treeparser delegate to this object ASTFactory *astFactory; // used to keep track of the indentation for the trace int traceDepth; /** Utility class which allows tracing to work even when exceptions are * thrown. */ class Tracer { /*{{{*/ private: Parser* parser; const char* text; public: Tracer(Parser* p,const char * t) : parser(p), text(t) { parser->traceIn(text); } ~Tracer() { #ifdef ANTLR_CXX_SUPPORTS_UNCAUGHT_EXCEPTION // Only give trace if there's no uncaught exception.. if(!ANTLR_USE_NAMESPACE(std)uncaught_exception()) #endif parser->traceOut(text); } private: Tracer(const Tracer&); // undefined const Tracer& operator=(const Tracer&); // undefined /*}}}*/ }; private: Parser(const Parser&); // undefined const Parser& operator=(const Parser&); // undefined }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_Parser_hpp__ fwbuilder-5.3.7/src/antlr/ParserSharedInputState.hpp000066400000000000000000000037401303637203600225440ustar00rootroot00000000000000#ifndef INC_ParserSharedInputState_hpp__ #define INC_ParserSharedInputState_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** This object contains the data associated with an * input stream of tokens. Multiple parsers * share a single ParserSharedInputState to parse * the same stream of tokens. 
*/ class ANTLR_API ParserInputState { public: /** Construct a new ParserInputState * @param in the TokenBuffer to read from. The object is deleted together * with the ParserInputState object. */ ParserInputState( TokenBuffer* in ) : guessing(0) , filename() , input(in) , inputResponsible(true) { } /** Construct a new ParserInputState * @param in the TokenBuffer to read from. */ ParserInputState( TokenBuffer& in ) : guessing(0) , filename("") , input(&in) , inputResponsible(false) { } virtual ~ParserInputState() { if (inputResponsible) delete input; } TokenBuffer& getInput( void ) { return *input; } /// Reset the ParserInputState and the underlying TokenBuffer void reset( void ) { input->reset(); guessing = 0; } public: /** Are we guessing (guessing>0)? */ int guessing; /** What file (if known) caused the problem? * @todo wrap this one.. */ ANTLR_USE_NAMESPACE(std)string filename; private: /** Where to get token objects */ TokenBuffer* input; /// Do we need to free the TokenBuffer or is it owned by another.. 
bool inputResponsible; // we don't want these: ParserInputState(const ParserInputState&); ParserInputState& operator=(const ParserInputState&); }; /// A reference counted ParserInputState typedef RefCount ParserSharedInputState; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_ParserSharedInputState_hpp__ fwbuilder-5.3.7/src/antlr/RecognitionException.cpp000066400000000000000000000031351303637203600222700ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/RecognitionException.hpp" #include "antlr/String.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif RecognitionException::RecognitionException() : ANTLRException("parsing error") , line(-1) , column(-1) { } RecognitionException::RecognitionException(const ANTLR_USE_NAMESPACE(std)string& s) : ANTLRException(s) , line(-1) , column(-1) { } RecognitionException::RecognitionException(const ANTLR_USE_NAMESPACE(std)string& s, const ANTLR_USE_NAMESPACE(std)string& fileName_, int line_,int column_) : ANTLRException(s) , fileName(fileName_) , line(line_) , column(column_) { } ANTLR_USE_NAMESPACE(std)string RecognitionException::getFileLineColumnString() const { ANTLR_USE_NAMESPACE(std)string fileLineColumnString; if ( fileName.length() > 0 ) fileLineColumnString = fileName + ":"; if ( line != -1 ) { if ( fileName.length() == 0 ) fileLineColumnString = fileLineColumnString + "line "; fileLineColumnString = fileLineColumnString + line; if ( column != -1 ) fileLineColumnString = fileLineColumnString + ":" + column; fileLineColumnString = fileLineColumnString + ":"; } fileLineColumnString = fileLineColumnString + " "; return fileLineColumnString; } ANTLR_USE_NAMESPACE(std)string RecognitionException::toString() const { return getFileLineColumnString()+getMessage(); } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif 
fwbuilder-5.3.7/src/antlr/RecognitionException.hpp000066400000000000000000000032421303637203600222740ustar00rootroot00000000000000#ifndef INC_RecognitionException_hpp__ # define INC_RecognitionException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ # include # include # ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { # endif class ANTLR_API RecognitionException : public ANTLRException { public: RecognitionException(); RecognitionException(const ANTLR_USE_NAMESPACE(std)string& s); RecognitionException(const ANTLR_USE_NAMESPACE(std)string& s, const ANTLR_USE_NAMESPACE(std)string& fileName, int line, int column ); virtual ~RecognitionException() throw() { } /// Return file where mishap occurred. virtual ANTLR_USE_NAMESPACE(std)string getFilename() const throw() { return fileName; } /** * @return the line number that this exception happened on. */ virtual int getLine() const throw() { return line; } /** * @return the column number that this exception happened on. 
*/ virtual int getColumn() const throw() { return column; } /// Return complete error message with line/column number info (if present) virtual ANTLR_USE_NAMESPACE(std)string toString() const; /// See what file/line/column info is present and return it as a string virtual ANTLR_USE_NAMESPACE(std)string getFileLineColumnString() const; protected: ANTLR_USE_NAMESPACE(std)string fileName; // not used by treeparsers int line; // not used by treeparsers int column; // not used by treeparsers }; # ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } # endif #endif //INC_RecognitionException_hpp__ fwbuilder-5.3.7/src/antlr/RefCount.hpp000066400000000000000000000025261303637203600176660ustar00rootroot00000000000000#ifndef INC_RefCount_hpp__ #define INC_RefCount_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif template class ANTLR_API RefCount { private: struct Ref { T* const ptr; unsigned int count; Ref(T* p) : ptr(p), count(1) {} ~Ref() {delete ptr;} Ref* increment() {++count;return this;} bool decrement() {return (--count==0);} private: Ref(const Ref&); Ref& operator=(const Ref&); }* ref; public: explicit RefCount(T* p = 0) : ref(p ? new Ref(p) : 0) { } RefCount(const RefCount& other) : ref(other.ref ? other.ref->increment() : 0) { } ~RefCount() { if (ref && ref->decrement()) delete ref; } RefCount& operator=(const RefCount& other) { Ref* tmp = other.ref ? other.ref->increment() : 0; if (ref && ref->decrement()) delete ref; ref = tmp; return *this; } operator T* () const { return ref ? ref->ptr : 0; } T* operator->() const { return ref ? ref->ptr : 0; } T* get() const { return ref ? 
ref->ptr : 0; } template operator RefCount() { return RefCount(ref); } }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_RefCount_hpp__ fwbuilder-5.3.7/src/antlr/SemanticException.hpp000066400000000000000000000015271303637203600215630ustar00rootroot00000000000000#ifndef INC_SemanticException_hpp__ #define INC_SemanticException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API SemanticException : public RecognitionException { public: SemanticException(const ANTLR_USE_NAMESPACE(std)string& s) : RecognitionException(s) { } SemanticException(const ANTLR_USE_NAMESPACE(std)string& s, const ANTLR_USE_NAMESPACE(std)string& fileName_, int line_,int column_) : RecognitionException(s,fileName_,line_,column_) { } ~SemanticException() throw() { } }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_SemanticException_hpp__ fwbuilder-5.3.7/src/antlr/String.cpp000066400000000000000000000031201303637203600173710ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/String.hpp" #include #ifdef HAS_NOT_CSTDIO_H #include #else #include #endif #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif // wh: hack for Borland C++ 5.6 #if __BORLANDC__ using std::snprintf; #endif // RK: should be using snprintf actually... 
(or stringstream) ANTLR_C_USING(snprintf) ANTLR_USE_NAMESPACE(std)string operator+( const ANTLR_USE_NAMESPACE(std)string& lhs, const int rhs ) { char tmp[100]; snprintf(tmp, sizeof(tmp), "%d", rhs); return lhs+tmp; } ANTLR_USE_NAMESPACE(std)string operator+( const ANTLR_USE_NAMESPACE(std)string& lhs, size_t rhs ) { char tmp[100]; snprintf(tmp, sizeof(tmp), "%zu", rhs); // sprintf(tmp,"%u",rhs); return lhs+tmp; } /** Convert character to readable string */ ANTLR_USE_NAMESPACE(std)string charName(int ch) { if (ch == EOF) return "EOF"; else { ANTLR_USE_NAMESPACE(std)string s; // when you think you've seen it all.. an isprint that crashes... ch = ch & 0xFF; #ifdef ANTLR_CCTYPE_NEEDS_STD if( ANTLR_USE_NAMESPACE(std)isprint( ch ) ) #else if( isprint( ch ) ) #endif { s.append("'"); s += ch; s.append("'"); // s += "'"+ch+"'"; } else { s += "0x"; unsigned int t = ch >> 4; if( t < 10 ) s += t | 0x30; else s += t + 0x37; t = ch & 0xF; if( t < 10 ) s += t | 0x30; else s += t + 0x37; } return s; } } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/String.hpp000066400000000000000000000012371303637203600174050ustar00rootroot00000000000000#ifndef INC_String_hpp__ #define INC_String_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif ANTLR_API ANTLR_USE_NAMESPACE(std)string operator+( const ANTLR_USE_NAMESPACE(std)string& lhs, const int rhs ); ANTLR_API ANTLR_USE_NAMESPACE(std)string operator+( const ANTLR_USE_NAMESPACE(std)string& lhs, size_t rhs ); ANTLR_API ANTLR_USE_NAMESPACE(std)string charName( int ch ); #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_String_hpp__ fwbuilder-5.3.7/src/antlr/Token.cpp000066400000000000000000000023121303637203600172050ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * 
Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/Token.hpp" #include "antlr/String.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif int Token::getColumn() const { return 0; } int Token::getLine() const { return 0; } ANTLR_USE_NAMESPACE(std)string Token::getText() const { return ""; } int Token::getType() const { return type; } void Token::setColumn(int) { } void Token::setLine(int) { } void Token::setText(const ANTLR_USE_NAMESPACE(std)string&) { } void Token::setType(int t) { type = t; } void Token::setFilename(const ANTLR_USE_NAMESPACE(std)string&) { } ANTLR_USE_NAMESPACE(std)string emptyString(""); const ANTLR_USE_NAMESPACE(std)string& Token::getFilename() const { return emptyString; } ANTLR_USE_NAMESPACE(std)string Token::toString() const { return "[\""+getText()+"\",<"+type+">]"; } ANTLR_API RefToken nullToken; #ifndef NO_STATIC_CONSTS const int Token::MIN_USER_TYPE; const int Token::NULL_TREE_LOOKAHEAD; const int Token::INVALID_TYPE; const int Token::EOF_TYPE; const int Token::SKIP; #endif #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/Token.hpp000066400000000000000000000042011303637203600172110ustar00rootroot00000000000000#ifndef INC_Token_hpp__ #define INC_Token_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif struct TokenRef; /** A token is minimally a token type. Subclasses can add the text matched * for the token and line info. 
*/ class ANTLR_API Token { public: // constants #ifndef NO_STATIC_CONSTS static const int MIN_USER_TYPE = 4; static const int NULL_TREE_LOOKAHEAD = 3; static const int INVALID_TYPE = 0; static const int EOF_TYPE = 1; static const int SKIP = -1; #else enum { MIN_USER_TYPE = 4, NULL_TREE_LOOKAHEAD = 3, INVALID_TYPE = 0, EOF_TYPE = 1, SKIP = -1 }; #endif Token() : ref(0) , type(INVALID_TYPE) { } Token(int t) : ref(0) , type(t) { } Token(int t, const ANTLR_USE_NAMESPACE(std)string& txt) : ref(0) , type(t) { setText(txt); } virtual ~Token() { } virtual int getColumn() const; virtual int getLine() const; virtual ANTLR_USE_NAMESPACE(std)string getText() const; virtual const ANTLR_USE_NAMESPACE(std)string& getFilename() const; virtual int getType() const; virtual void setColumn(int c); virtual void setLine(int l); virtual void setText(const ANTLR_USE_NAMESPACE(std)string& t); virtual void setType(int t); virtual void setFilename( const std::string& file ); virtual ANTLR_USE_NAMESPACE(std)string toString() const; private: friend struct TokenRef; TokenRef* ref; int type; ///< the type of the token Token(RefToken other); Token& operator=(const Token& other); Token& operator=(RefToken other); Token(const Token&); }; extern ANTLR_API RefToken nullToken; #ifdef NEEDS_OPERATOR_LESS_THAN // RK: Added after 2.7.2 previously it was undefined. // AL: what to return if l and/or r point to nullToken??? inline bool operator<( RefToken l, RefToken r ) { return nullToken == l ? ( nullToken == r ? 
false : true ) : l->getType() < r->getType(); } #endif #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_Token_hpp__ fwbuilder-5.3.7/src/antlr/TokenBuffer.cpp000066400000000000000000000041171303637203600203440ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/TokenBuffer.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /**A Stream of Token objects fed to the parser from a TokenStream that can * be rewound via mark()/rewind() methods. *

* A dynamic array is used to buffer up all the input tokens. Normally, * "k" tokens are stored in the buffer. More tokens may be stored during * guess mode (testing syntactic predicate), or when LT(i>k) is referenced. * Consumption of tokens is deferred. In other words, reading the next * token is not done by consume(), but deferred until needed by LA or LT. *

* * @see antlr.Token * @see antlr.TokenStream * @see antlr.TokenQueue */ /** Create a token buffer */ TokenBuffer::TokenBuffer( TokenStream& inp ) : input(inp) , nMarkers(0) , markerOffset(0) , numToConsume(0) { } TokenBuffer::~TokenBuffer( void ) { } /** Ensure that the token buffer is sufficiently full */ void TokenBuffer::fill(unsigned int amount) { syncConsume(); // Fill the buffer sufficiently to hold needed tokens while (queue.entries() < (amount + markerOffset)) { // Append the next token queue.append(input.nextToken()); } } /** Get a lookahead token value */ int TokenBuffer::LA(unsigned int i) { fill(i); return queue.elementAt(markerOffset+i-1)->getType(); } /** Get a lookahead token */ RefToken TokenBuffer::LT(unsigned int i) { fill(i); return queue.elementAt(markerOffset+i-1); } /** Return an integer marker that can be used to rewind the buffer to * its current state. */ unsigned int TokenBuffer::mark() { syncConsume(); nMarkers++; return markerOffset; } /**Rewind the token buffer to a marker. * @param mark Marker returned previously from mark() */ void TokenBuffer::rewind(unsigned int mark) { syncConsume(); markerOffset=mark; nMarkers--; } /// Get number of non-consumed tokens unsigned int TokenBuffer::entries() const { return queue.entries() - markerOffset; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/TokenBuffer.hpp000066400000000000000000000054021303637203600203470ustar00rootroot00000000000000#ifndef INC_TokenBuffer_hpp__ #define INC_TokenBuffer_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /**A Stream of Token objects fed to the parser from a TokenStream that can * be rewound via mark()/rewind() methods. *

* A dynamic array is used to buffer up all the input tokens. Normally, * "k" tokens are stored in the buffer. More tokens may be stored during * guess mode (testing syntactic predicate), or when LT(i>k) is referenced. * Consumption of tokens is deferred. In other words, reading the next * token is not done by consume(), but deferred until needed by LA or LT. *

* * @todo: see if we can integrate this one with InputBuffer into one template * or so. * * @see antlr.Token * @see antlr.TokenStream * @see antlr.TokenQueue */ class ANTLR_API TokenBuffer { public: /** Create a token buffer */ TokenBuffer(TokenStream& input_); virtual ~TokenBuffer(); /// Reset the input buffer to empty state inline void reset( void ) { nMarkers = 0; markerOffset = 0; numToConsume = 0; queue.clear(); } /** Get a lookahead token value */ int LA( unsigned int i ); /** Get a lookahead token */ RefToken LT( unsigned int i ); /** Return an integer marker that can be used to rewind the buffer to * its current state. */ unsigned int mark(); /**Rewind the token buffer to a marker. * @param mark Marker returned previously from mark() */ void rewind(unsigned int mark); /** Mark another token for deferred consumption */ inline void consume() { numToConsume++; } /// Return the number of entries in the TokenBuffer virtual unsigned int entries() const; private: /** Ensure that the token buffer is sufficiently full */ void fill(unsigned int amount); /** Sync up deferred consumption */ void syncConsume(); protected: /// Token source TokenStream& input; /// Number of active markers unsigned int nMarkers; /// Additional offset used when markers are active unsigned int markerOffset; /// Number of calls to consume() since last LA() or LT() call unsigned int numToConsume; /// Circular queue with Tokens CircularQueue queue; private: TokenBuffer(const TokenBuffer& other); const TokenBuffer& operator=(const TokenBuffer& other); }; /** Sync up deferred consumption */ inline void TokenBuffer::syncConsume() { if (numToConsume > 0) { if (nMarkers > 0) markerOffset += numToConsume; else queue.removeItems( numToConsume ); numToConsume = 0; } } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TokenBuffer_hpp__ fwbuilder-5.3.7/src/antlr/TokenRefCount.cpp000066400000000000000000000012131303637203600206520ustar00rootroot00000000000000/* ANTLR Translator Generator * Project 
led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/TokenRefCount.hpp" #include "antlr/Token.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif TokenRef::TokenRef(Token* p) : ptr(p), count(1) { if (p && !p->ref) p->ref = this; } TokenRef::~TokenRef() { delete ptr; } TokenRef* TokenRef::getRef(const Token* p) { if (p) { Token* pp = const_cast(p); if (pp->ref) return pp->ref->increment(); else return new TokenRef(pp); } else return 0; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/TokenRefCount.hpp000066400000000000000000000033021303637203600206600ustar00rootroot00000000000000#ifndef INC_TokenRefCount_hpp__ # define INC_TokenRefCount_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ # include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class Token; struct ANTLR_API TokenRef { Token* const ptr; unsigned int count; TokenRef(Token* p); ~TokenRef(); TokenRef* increment() { ++count; return this; } bool decrement() { return (--count==0); } static TokenRef* getRef(const Token* p); private: TokenRef( const TokenRef& ); TokenRef& operator=( const TokenRef& ); }; template class ANTLR_API TokenRefCount { private: TokenRef* ref; public: TokenRefCount(const Token* p=0) : ref(p ? TokenRef::getRef(p) : 0) { } TokenRefCount(const TokenRefCount& other) : ref(other.ref ? other.ref->increment() : 0) { } ~TokenRefCount() { if (ref && ref->decrement()) delete ref; } TokenRefCount& operator=(Token* other) { TokenRef* tmp = TokenRef::getRef(other); if (ref && ref->decrement()) delete ref; ref=tmp; return *this; } TokenRefCount& operator=(const TokenRefCount& other) { if( other.ref != ref ) { TokenRef* tmp = other.ref ? other.ref->increment() : 0; if (ref && ref->decrement()) delete ref; ref=tmp; } return *this; } operator T* () const { return ref ? 
static_cast(ref->ptr) : 0; } T* operator->() const { return ref ? static_cast(ref->ptr) : 0; } T* get() const { return ref ? static_cast(ref->ptr) : 0; } }; typedef TokenRefCount RefToken; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TokenRefCount_hpp__ fwbuilder-5.3.7/src/antlr/TokenStream.hpp000066400000000000000000000012011303637203600203620ustar00rootroot00000000000000#ifndef INC_TokenStream_hpp__ #define INC_TokenStream_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** This interface allows any object to pretend it is a stream * of tokens. * @author Terence Parr, MageLang Institute */ class ANTLR_API TokenStream { public: virtual RefToken nextToken()=0; virtual ~TokenStream() { } }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TokenStream_hpp__ fwbuilder-5.3.7/src/antlr/TokenStreamBasicFilter.cpp000066400000000000000000000016061303637203600224760ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/TokenStreamBasicFilter.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** This object is a TokenStream that passes through all * tokens except for those that you tell it to discard. * There is no buffering of the tokens. 
*/ TokenStreamBasicFilter::TokenStreamBasicFilter(TokenStream& input_) : input(&input_) { } void TokenStreamBasicFilter::discard(int ttype) { discardMask.add(ttype); } void TokenStreamBasicFilter::discard(const BitSet& mask) { discardMask = mask; } RefToken TokenStreamBasicFilter::nextToken() { RefToken tok = input->nextToken(); while ( tok && discardMask.member(tok->getType()) ) { tok = input->nextToken(); } return tok; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/TokenStreamBasicFilter.hpp000066400000000000000000000017211303637203600225010ustar00rootroot00000000000000#ifndef INC_TokenStreamBasicFilter_hpp__ #define INC_TokenStreamBasicFilter_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** This object is a TokenStream that passes through all * tokens except for those that you tell it to discard. * There is no buffering of the tokens. 
*/ class ANTLR_API TokenStreamBasicFilter : public TokenStream { /** The set of token types to discard */ protected: BitSet discardMask; /** The input stream */ protected: TokenStream* input; public: TokenStreamBasicFilter(TokenStream& input_); void discard(int ttype); void discard(const BitSet& mask); RefToken nextToken(); }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TokenStreamBasicFilter_hpp__ fwbuilder-5.3.7/src/antlr/TokenStreamException.hpp000066400000000000000000000014711303637203600222520ustar00rootroot00000000000000#ifndef INC_TokenStreamException_hpp__ #define INC_TokenStreamException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** Baseclass for exceptions thrown by classes implementing the TokenStream * interface. * @see TokenStream */ class ANTLR_API TokenStreamException : public ANTLRException { public: TokenStreamException() : ANTLRException() { } TokenStreamException(const ANTLR_USE_NAMESPACE(std)string& s) : ANTLRException(s) { } virtual ~TokenStreamException() throw() { } }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TokenStreamException_hpp__ fwbuilder-5.3.7/src/antlr/TokenStreamHiddenTokenFilter.cpp000066400000000000000000000101471303637203600236510ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/TokenStreamHiddenTokenFilter.hpp" #include "antlr/CommonHiddenStreamToken.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /**This object filters a token stream coming from a lexer * or another TokenStream so that only certain token channels * get transmitted to the parser. 
* * Any of the channels can be filtered off as "hidden" channels whose * tokens can be accessed from the parser. */ TokenStreamHiddenTokenFilter::TokenStreamHiddenTokenFilter(TokenStream& input) : TokenStreamBasicFilter(input) { } void TokenStreamHiddenTokenFilter::consume() { nextMonitoredToken = input->nextToken(); } void TokenStreamHiddenTokenFilter::consumeFirst() { consume(); // Handle situation where hidden or discarded tokens // appear first in input stream RefToken p; // while hidden or discarded scarf tokens while ( hideMask.member(LA(1)->getType()) || discardMask.member(LA(1)->getType()) ) { if ( hideMask.member(LA(1)->getType()) ) { if ( !p ) { p = LA(1); } else { static_cast(p.get())->setHiddenAfter(LA(1)); static_cast(LA(1).get())->setHiddenBefore(p); // double-link p = LA(1); } lastHiddenToken = p; if (!firstHidden) firstHidden = p; // record hidden token if first } consume(); } } BitSet TokenStreamHiddenTokenFilter::getDiscardMask() const { return discardMask; } /** Return a ptr to the hidden token appearing immediately after * token t in the input stream. */ RefToken TokenStreamHiddenTokenFilter::getHiddenAfter(RefToken t) { return static_cast(t.get())->getHiddenAfter(); } /** Return a ptr to the hidden token appearing immediately before * token t in the input stream. */ RefToken TokenStreamHiddenTokenFilter::getHiddenBefore(RefToken t) { return static_cast(t.get())->getHiddenBefore(); } BitSet TokenStreamHiddenTokenFilter::getHideMask() const { return hideMask; } /** Return the first hidden token if one appears * before any monitored token. */ RefToken TokenStreamHiddenTokenFilter::getInitialHiddenToken() { return firstHidden; } void TokenStreamHiddenTokenFilter::hide(int m) { hideMask.add(m); } void TokenStreamHiddenTokenFilter::hide(const BitSet& mask) { hideMask = mask; } RefToken TokenStreamHiddenTokenFilter::LA(int) { return nextMonitoredToken; } /** Return the next monitored token. * Test the token following the monitored token. 
* If following is another monitored token, save it * for the next invocation of nextToken (like a single * lookahead token) and return it then. * If following is unmonitored, nondiscarded (hidden) * channel token, add it to the monitored token. * * Note: EOF must be a monitored Token. */ RefToken TokenStreamHiddenTokenFilter::nextToken() { // handle an initial condition; don't want to get lookahead // token of this splitter until first call to nextToken if ( !LA(1) ) { consumeFirst(); } // we always consume hidden tokens after monitored, thus, // upon entry LA(1) is a monitored token. RefToken monitored = LA(1); // point to hidden tokens found during last invocation static_cast(monitored.get())->setHiddenBefore(lastHiddenToken); lastHiddenToken = nullToken; // Look for hidden tokens, hook them into list emanating // from the monitored tokens. consume(); RefToken p = monitored; // while hidden or discarded scarf tokens while ( hideMask.member(LA(1)->getType()) || discardMask.member(LA(1)->getType()) ) { if ( hideMask.member(LA(1)->getType()) ) { // attach the hidden token to the monitored in a chain // link forwards static_cast(p.get())->setHiddenAfter(LA(1)); // link backwards if (p != monitored) { //hidden cannot point to monitored tokens static_cast(LA(1).get())->setHiddenBefore(p); } p = lastHiddenToken = LA(1); } consume(); } return monitored; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/TokenStreamHiddenTokenFilter.hpp000066400000000000000000000042401303637203600236530ustar00rootroot00000000000000#ifndef INC_TokenStreamHiddenTokenFilter_hpp__ #define INC_TokenStreamHiddenTokenFilter_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /**This object filters a token stream coming from a lexer * or another TokenStream so that only certain token channels * 
get transmitted to the parser. * * Any of the channels can be filtered off as "hidden" channels whose * tokens can be accessed from the parser. */ class ANTLR_API TokenStreamHiddenTokenFilter : public TokenStreamBasicFilter { // protected BitSet discardMask; protected: BitSet hideMask; private: RefToken nextMonitoredToken; protected: /** track tail of hidden list emanating from previous * monitored token */ RefToken lastHiddenToken; RefToken firstHidden; // = null; public: TokenStreamHiddenTokenFilter(TokenStream& input); protected: void consume(); private: void consumeFirst(); public: BitSet getDiscardMask() const; /** Return a ptr to the hidden token appearing immediately after * token t in the input stream. */ RefToken getHiddenAfter(RefToken t); /** Return a ptr to the hidden token appearing immediately before * token t in the input stream. */ RefToken getHiddenBefore(RefToken t); BitSet getHideMask() const; /** Return the first hidden token if one appears * before any monitored token. */ RefToken getInitialHiddenToken(); void hide(int m); void hide(const BitSet& mask); protected: RefToken LA(int i); public: /** Return the next monitored token. * Test the token following the monitored token. * If following is another monitored token, save it * for the next invocation of nextToken (like a single * lookahead token) and return it then. * If following is unmonitored, nondiscarded (hidden) * channel token, add it to the monitored token. * * Note: EOF must be a monitored Token. 
*/ RefToken nextToken(); }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TokenStreamHiddenTokenFilter_hpp__ fwbuilder-5.3.7/src/antlr/TokenStreamIOException.hpp000066400000000000000000000014351303637203600225020ustar00rootroot00000000000000#ifndef INC_TokenStreamIOException_hpp__ #define INC_TokenStreamIOException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class TokenStreamIOException : public TokenStreamException { public: TokenStreamIOException() : TokenStreamException() { } TokenStreamIOException(const ANTLR_USE_NAMESPACE(std)exception& e) : TokenStreamException(e.what()) , io(e) { } ~TokenStreamIOException() throw() { } private: ANTLR_USE_NAMESPACE(std)exception io; }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TokenStreamIOException_hpp__ fwbuilder-5.3.7/src/antlr/TokenStreamRecognitionException.hpp000066400000000000000000000023631303637203600244540ustar00rootroot00000000000000#ifndef INC_TokenStreamRecognitionException_hpp__ #define INC_TokenStreamRecognitionException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** Exception thrown from generated lexers when there's no default error * handler specified. 
* @see TokenStream */ class TokenStreamRecognitionException : public TokenStreamException { public: TokenStreamRecognitionException(RecognitionException& re) : TokenStreamException(re.getMessage()) , recog(re) { } virtual ~TokenStreamRecognitionException() throw() { } virtual ANTLR_USE_NAMESPACE(std)string toString() const { return recog.getFileLineColumnString()+getMessage(); } virtual ANTLR_USE_NAMESPACE(std)string getFilename() const throw() { return recog.getFilename(); } virtual int getLine() const throw() { return recog.getLine(); } virtual int getColumn() const throw() { return recog.getColumn(); } private: RecognitionException recog; }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TokenStreamRecognitionException_hpp__ fwbuilder-5.3.7/src/antlr/TokenStreamRetryException.hpp000066400000000000000000000011511303637203600232730ustar00rootroot00000000000000#ifndef INC_TokenStreamRetryException_hpp__ #define INC_TokenStreamRetryException_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class TokenStreamRetryException : public TokenStreamException { public: TokenStreamRetryException() {} ~TokenStreamRetryException() throw() {} }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TokenStreamRetryException_hpp__ fwbuilder-5.3.7/src/antlr/TokenStreamRewriteEngine.cpp000066400000000000000000000131071303637203600230550ustar00rootroot00000000000000#include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif #ifndef NO_STATIC_CONSTS const size_t TokenStreamRewriteEngine::MIN_TOKEN_INDEX = 0; const int TokenStreamRewriteEngine::PROGRAM_INIT_SIZE = 100; #endif const char* TokenStreamRewriteEngine::DEFAULT_PROGRAM_NAME = "default"; namespace { 
struct compareOperationIndex { typedef TokenStreamRewriteEngine::RewriteOperation RewriteOperation; bool operator() ( const RewriteOperation* a, const RewriteOperation* b ) const { return a->getIndex() < b->getIndex(); } }; struct dumpTokenWithIndex { dumpTokenWithIndex( ANTLR_USE_NAMESPACE(std)ostream& o ) : out(o) {} void operator() ( const RefTokenWithIndex& t ) { out << "[txt='" << t->getText() << "' tp=" << t->getType() << " idx=" << t->getIndex() << "]\n"; } ANTLR_USE_NAMESPACE(std)ostream& out; }; } TokenStreamRewriteEngine::TokenStreamRewriteEngine(TokenStream& upstream) : stream(upstream) , index(MIN_TOKEN_INDEX) , tokens() , programs() , discardMask() { } TokenStreamRewriteEngine::TokenStreamRewriteEngine(TokenStream& upstream, size_t initialSize ) : stream(upstream) , index(MIN_TOKEN_INDEX) , tokens(initialSize) , programs() , discardMask() { } RefToken TokenStreamRewriteEngine::nextToken( void ) { RefTokenWithIndex t; // suck tokens until end of stream or we find a non-discarded token do { t = RefTokenWithIndex(stream.nextToken()); if ( t ) { t->setIndex(index); // what is t's index in list? 
if ( t->getType() != Token::EOF_TYPE ) { tokens.push_back(t); // track all tokens except EOF } index++; // move to next position } } while ( t && discardMask.member(t->getType()) ); return RefToken(t); } void TokenStreamRewriteEngine::rollback( const std::string& programName, size_t instructionIndex ) { program_map::iterator rewrite = programs.find(programName); if( rewrite != programs.end() ) { operation_list& prog = rewrite->second; operation_list::iterator j = prog.begin(), end = prog.end(); std::advance(j,instructionIndex); if( j != end ) prog.erase(j, end); } } void TokenStreamRewriteEngine::originalToStream( std::ostream& out, size_t start, size_t end ) const { token_list::const_iterator s = tokens.begin(); std::advance( s, start ); token_list::const_iterator e = s; std::advance( e, end-start ); std::for_each( s, e, tokenToStream(out) ); } void TokenStreamRewriteEngine::toStream( std::ostream& out, const std::string& programName, size_t firstToken, size_t lastToken ) const { if( tokens.size() == 0 ) return; program_map::const_iterator rewriter = programs.find(programName); if ( rewriter == programs.end() ) return; // get the prog and some iterators in it... const operation_list& prog = rewriter->second; operation_list::const_iterator rewriteOpIndex = prog.begin(), rewriteOpEnd = prog.end(); size_t tokenCursor = firstToken; // make sure we don't run out of the tokens we have... 
if( lastToken > (tokens.size() - 1) ) lastToken = tokens.size() - 1; while ( tokenCursor <= lastToken ) { // std::cout << "tokenCursor = " << tokenCursor << " first prog index = " << (*rewriteOpIndex)->getIndex() << std::endl; if( rewriteOpIndex != rewriteOpEnd ) { size_t up_to_here = std::min(lastToken,(*rewriteOpIndex)->getIndex()); while( tokenCursor < up_to_here ) out << tokens[tokenCursor++]->getText(); } while ( rewriteOpIndex != rewriteOpEnd && tokenCursor == (*rewriteOpIndex)->getIndex() && tokenCursor <= lastToken ) { tokenCursor = (*rewriteOpIndex)->execute(out); ++rewriteOpIndex; } if( tokenCursor <= lastToken ) out << tokens[tokenCursor++]->getText(); } // std::cout << "Handling tail operations # left = " << std::distance(rewriteOpIndex,rewriteOpEnd) << std::endl; // now see if there are operations (append) beyond last token index std::for_each( rewriteOpIndex, rewriteOpEnd, executeOperation(out) ); rewriteOpIndex = rewriteOpEnd; } void TokenStreamRewriteEngine::toDebugStream( std::ostream& out, size_t start, size_t end ) const { token_list::const_iterator s = tokens.begin(); std::advance( s, start ); token_list::const_iterator e = s; std::advance( e, end-start ); std::for_each( s, e, dumpTokenWithIndex(out) ); } void TokenStreamRewriteEngine::addToSortedRewriteList( const std::string& programName, RewriteOperation* op ) { program_map::iterator rewrites = programs.find(programName); // check if we got the program already.. if ( rewrites == programs.end() ) { // no prog make a new one... 
operation_list ops; ops.push_back(op); programs.insert(std::make_pair(programName,ops)); return; } operation_list& prog = rewrites->second; if( prog.empty() ) { prog.push_back(op); return; } operation_list::iterator i, end = prog.end(); i = end; --i; // if at or beyond last op's index, just append if ( op->getIndex() >= (*i)->getIndex() ) { prog.push_back(op); // append to list of operations return; } i = prog.begin(); if( i != end ) { operation_list::iterator pos = std::upper_bound( i, end, op, compareOperationIndex() ); prog.insert(pos,op); } else prog.push_back(op); } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/TokenStreamRewriteEngine.hpp000066400000000000000000000304541303637203600230660ustar00rootroot00000000000000#ifndef INC_TokenStreamRewriteEngine_hpp__ #define INC_TokenStreamRewriteEngine_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html */ #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** This token stream tracks the *entire* token stream coming from * a lexer, but does not pass on the whitespace (or whatever else * you want to discard) to the parser. * * This class can then be asked for the ith token in the input stream. * Useful for dumping out the input stream exactly after doing some * augmentation or other manipulations. Tokens are index from 0..n-1 * * You can insert stuff, replace, and delete chunks. Note that the * operations are done lazily--only if you convert the buffer to a * String. This is very efficient because you are not moving data around * all the time. As the buffer of tokens is converted to strings, the * toString() method(s) check to see if there is an operation at the * current index. If so, the operation is done and then normal String * rendering continues on the buffer. 
This is like having multiple Turing * machine instruction streams (programs) operating on a single input tape. :) * * Since the operations are done lazily at toString-time, operations do not * screw up the token index values. That is, an insert operation at token * index i does not change the index values for tokens i+1..n-1. * * Because operations never actually alter the buffer, you may always get * the original token stream back without undoing anything. Since * the instructions are queued up, you can easily simulate transactions and * roll back any changes if there is an error just by removing instructions. * For example, * * TokenStreamRewriteEngine rewriteEngine = * new TokenStreamRewriteEngine(lexer); * JavaRecognizer parser = new JavaRecognizer(rewriteEngine); * ... * rewriteEngine.insertAfter("pass1", t, "foobar");} * rewriteEngine.insertAfter("pass2", u, "start");} * System.out.println(rewriteEngine.toString("pass1")); * System.out.println(rewriteEngine.toString("pass2")); * * You can also have multiple "instruction streams" and get multiple * rewrites from a single pass over the input. Just name the instruction * streams and use that name again when printing the buffer. This could be * useful for generating a C file and also its header file--all from the * same buffer. * * If you don't use named rewrite streams, a "default" stream is used. 
* * Terence Parr, parrt@cs.usfca.edu * University of San Francisco * February 2004 */ class TokenStreamRewriteEngine : public TokenStream { public: typedef ANTLR_USE_NAMESPACE(std)vector token_list; static const char* DEFAULT_PROGRAM_NAME; #ifndef NO_STATIC_CONSTS static const size_t MIN_TOKEN_INDEX; static const int PROGRAM_INIT_SIZE; #else enum { MIN_TOKEN_INDEX = 0, PROGRAM_INIT_SIZE = 100 }; #endif struct tokenToStream { tokenToStream( ANTLR_USE_NAMESPACE(std)ostream& o ) : out(o) {} template void operator() ( const T& t ) { out << t->getText(); } ANTLR_USE_NAMESPACE(std)ostream& out; }; class RewriteOperation { protected: RewriteOperation( size_t idx, const ANTLR_USE_NAMESPACE(std)string& txt ) : index(idx), text(txt) { } public: virtual ~RewriteOperation() { } /** Execute the rewrite operation by possibly adding to the buffer. * Return the index of the next token to operate on. */ virtual size_t execute( ANTLR_USE_NAMESPACE(std)ostream& /* out */ ) { return index; } virtual size_t getIndex() const { return index; } virtual const char* type() const { return "RewriteOperation"; } protected: size_t index; ANTLR_USE_NAMESPACE(std)string text; }; struct executeOperation { ANTLR_USE_NAMESPACE(std)ostream& out; executeOperation( ANTLR_USE_NAMESPACE(std)ostream& s ) : out(s) {} void operator () ( RewriteOperation* t ) { t->execute(out); } }; /// list of rewrite operations typedef ANTLR_USE_NAMESPACE(std)list operation_list; /// map program name to tuple typedef ANTLR_USE_NAMESPACE(std)map program_map; class InsertBeforeOp : public RewriteOperation { public: InsertBeforeOp( size_t index, const ANTLR_USE_NAMESPACE(std)string& text ) : RewriteOperation(index, text) { } virtual ~InsertBeforeOp() {} virtual size_t execute( ANTLR_USE_NAMESPACE(std)ostream& out ) { out << text; return index; } virtual const char* type() const { return "InsertBeforeOp"; } }; class ReplaceOp : public RewriteOperation { public: ReplaceOp(size_t from, size_t to, ANTLR_USE_NAMESPACE(std)string 
text) : RewriteOperation(from,text) , lastIndex(to) { } virtual ~ReplaceOp() {} virtual size_t execute( ANTLR_USE_NAMESPACE(std)ostream& out ) { out << text; return lastIndex+1; } virtual const char* type() const { return "ReplaceOp"; } protected: size_t lastIndex; }; class DeleteOp : public ReplaceOp { public: DeleteOp(size_t from, size_t to) : ReplaceOp(from,to,"") { } virtual const char* type() const { return "DeleteOp"; } }; TokenStreamRewriteEngine(TokenStream& upstream); TokenStreamRewriteEngine(TokenStream& upstream, size_t initialSize); RefToken nextToken( void ); void rollback(size_t instructionIndex) { rollback(DEFAULT_PROGRAM_NAME, instructionIndex); } /** Rollback the instruction stream for a program so that * the indicated instruction (via instructionIndex) is no * longer in the stream. UNTESTED! */ void rollback(const ANTLR_USE_NAMESPACE(std)string& programName, size_t instructionIndex ); void deleteProgram() { deleteProgram(DEFAULT_PROGRAM_NAME); } /** Reset the program so that no instructions exist */ void deleteProgram(const ANTLR_USE_NAMESPACE(std)string& programName) { rollback(programName, MIN_TOKEN_INDEX); } void insertAfter( RefTokenWithIndex t, const ANTLR_USE_NAMESPACE(std)string& text ) { insertAfter(DEFAULT_PROGRAM_NAME, t, text); } void insertAfter(size_t index, const ANTLR_USE_NAMESPACE(std)string& text) { insertAfter(DEFAULT_PROGRAM_NAME, index, text); } void insertAfter( const ANTLR_USE_NAMESPACE(std)string& programName, RefTokenWithIndex t, const ANTLR_USE_NAMESPACE(std)string& text ) { insertAfter(programName, t->getIndex(), text); } void insertAfter( const ANTLR_USE_NAMESPACE(std)string& programName, size_t index, const ANTLR_USE_NAMESPACE(std)string& text ) { // to insert after, just insert before next index (even if past end) insertBefore(programName,index+1, text); } void insertBefore( RefTokenWithIndex t, const ANTLR_USE_NAMESPACE(std)string& text ) { // std::cout << "insertBefore index " << t->getIndex() << " " << text << 
std::endl; insertBefore(DEFAULT_PROGRAM_NAME, t, text); } void insertBefore(size_t index, const ANTLR_USE_NAMESPACE(std)string& text) { insertBefore(DEFAULT_PROGRAM_NAME, index, text); } void insertBefore( const ANTLR_USE_NAMESPACE(std)string& programName, RefTokenWithIndex t, const ANTLR_USE_NAMESPACE(std)string& text ) { insertBefore(programName, t->getIndex(), text); } void insertBefore( const ANTLR_USE_NAMESPACE(std)string& programName, size_t index, const ANTLR_USE_NAMESPACE(std)string& text ) { addToSortedRewriteList(programName, new InsertBeforeOp(index,text)); } void replace(size_t index, const ANTLR_USE_NAMESPACE(std)string& text) { replace(DEFAULT_PROGRAM_NAME, index, index, text); } void replace( size_t from, size_t to, const ANTLR_USE_NAMESPACE(std)string& text) { replace(DEFAULT_PROGRAM_NAME, from, to, text); } void replace( RefTokenWithIndex indexT, const ANTLR_USE_NAMESPACE(std)string& text ) { replace(DEFAULT_PROGRAM_NAME, indexT->getIndex(), indexT->getIndex(), text); } void replace( RefTokenWithIndex from, RefTokenWithIndex to, const ANTLR_USE_NAMESPACE(std)string& text ) { replace(DEFAULT_PROGRAM_NAME, from, to, text); } void replace(const ANTLR_USE_NAMESPACE(std)string& programName, size_t from, size_t to, const ANTLR_USE_NAMESPACE(std)string& text ) { addToSortedRewriteList(programName,new ReplaceOp(from, to, text)); } void replace( const ANTLR_USE_NAMESPACE(std)string& programName, RefTokenWithIndex from, RefTokenWithIndex to, const ANTLR_USE_NAMESPACE(std)string& text ) { replace(programName, from->getIndex(), to->getIndex(), text); } void remove(size_t index) { remove(DEFAULT_PROGRAM_NAME, index, index); } void remove(size_t from, size_t to) { remove(DEFAULT_PROGRAM_NAME, from, to); } void remove(RefTokenWithIndex indexT) { remove(DEFAULT_PROGRAM_NAME, indexT, indexT); } void remove(RefTokenWithIndex from, RefTokenWithIndex to) { remove(DEFAULT_PROGRAM_NAME, from, to); } void remove( const ANTLR_USE_NAMESPACE(std)string& programName, size_t 
from, size_t to) { replace(programName,from,to,""); } void remove( const ANTLR_USE_NAMESPACE(std)string& programName, RefTokenWithIndex from, RefTokenWithIndex to ) { replace(programName,from,to,""); } void discard(int ttype) { discardMask.add(ttype); } RefToken getToken( size_t i ) { return RefToken(tokens.at(i)); } size_t getTokenStreamSize() const { return tokens.size(); } void originalToStream( ANTLR_USE_NAMESPACE(std)ostream& out ) const { ANTLR_USE_NAMESPACE(std)for_each( tokens.begin(), tokens.end(), tokenToStream(out) ); } void originalToStream( ANTLR_USE_NAMESPACE(std)ostream& out, size_t start, size_t end ) const; void toStream( ANTLR_USE_NAMESPACE(std)ostream& out ) const { toStream( out, MIN_TOKEN_INDEX, getTokenStreamSize()); } void toStream( ANTLR_USE_NAMESPACE(std)ostream& out, const ANTLR_USE_NAMESPACE(std)string& programName ) const { toStream( out, programName, MIN_TOKEN_INDEX, getTokenStreamSize()); } void toStream( ANTLR_USE_NAMESPACE(std)ostream& out, size_t start, size_t end ) const { toStream(out, DEFAULT_PROGRAM_NAME, start, end); } void toStream( ANTLR_USE_NAMESPACE(std)ostream& out, const ANTLR_USE_NAMESPACE(std)string& programName, size_t firstToken, size_t lastToken ) const; void toDebugStream( ANTLR_USE_NAMESPACE(std)ostream& out ) const { toDebugStream( out, MIN_TOKEN_INDEX, getTokenStreamSize()); } void toDebugStream( ANTLR_USE_NAMESPACE(std)ostream& out, size_t start, size_t end ) const; size_t getLastRewriteTokenIndex() const { return getLastRewriteTokenIndex(DEFAULT_PROGRAM_NAME); } /** Return the last index for the program named programName * return 0 if the program does not exist or the program is empty. 
* (Note this is different from the java implementation that returns -1) */ size_t getLastRewriteTokenIndex(const ANTLR_USE_NAMESPACE(std)string& programName) const { program_map::const_iterator rewrites = programs.find(programName); if( rewrites == programs.end() ) return 0; const operation_list& prog = rewrites->second; if( !prog.empty() ) { operation_list::const_iterator last = prog.end(); --last; return (*last)->getIndex(); } return 0; } protected: /** If op.index > lastRewriteTokenIndexes, just add to the end. * Otherwise, do linear */ void addToSortedRewriteList(RewriteOperation* op) { addToSortedRewriteList(DEFAULT_PROGRAM_NAME, op); } void addToSortedRewriteList( const ANTLR_USE_NAMESPACE(std)string& programName, RewriteOperation* op ); protected: /** Who do we suck tokens from? */ TokenStream& stream; /** track index of tokens */ size_t index; /** Track the incoming list of tokens */ token_list tokens; /** You may have multiple, named streams of rewrite operations. * I'm calling these things "programs." * Maps String (name) -> rewrite (List) */ program_map programs; /** Which (whitespace) token(s) to throw out */ BitSet discardMask; }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif fwbuilder-5.3.7/src/antlr/TokenStreamSelector.cpp000066400000000000000000000046561303637203600220770ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/TokenStreamSelector.hpp" #include "antlr/TokenStreamRetryException.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** A token stream MUX (multiplexor) knows about n token streams * and can multiplex them onto the same channel for use by token * stream consumer like a parser. This is a way to have multiple * lexers break up the same input stream for a single parser. 
* Or, you can have multiple instances of the same lexer handle * multiple input streams; this works great for includes. */ TokenStreamSelector::TokenStreamSelector() : input(0) { } TokenStreamSelector::~TokenStreamSelector() { } void TokenStreamSelector::addInputStream(TokenStream* stream, const ANTLR_USE_NAMESPACE(std)string& key) { inputStreamNames[key] = stream; } TokenStream* TokenStreamSelector::getCurrentStream() const { return input; } TokenStream* TokenStreamSelector::getStream(const ANTLR_USE_NAMESPACE(std)string& sname) const { inputStreamNames_coll::const_iterator i = inputStreamNames.find(sname); if (i == inputStreamNames.end()) { throw ANTLR_USE_NAMESPACE(std)string("TokenStream ")+sname+" not found"; } return (*i).second; } RefToken TokenStreamSelector::nextToken() { // keep looking for a token until you don't // get a retry exception for (;;) { try { return input->nextToken(); } catch (TokenStreamRetryException&) { // just retry "forever" } } } TokenStream* TokenStreamSelector::pop() { TokenStream* stream = streamStack.top(); streamStack.pop(); select(stream); return stream; } void TokenStreamSelector::push(TokenStream* stream) { streamStack.push(input); select(stream); } void TokenStreamSelector::push(const ANTLR_USE_NAMESPACE(std)string& sname) { streamStack.push(input); select(sname); } void TokenStreamSelector::retry() { throw TokenStreamRetryException(); } /** Set the stream without pushing old stream */ void TokenStreamSelector::select(TokenStream* stream) { input = stream; } void TokenStreamSelector::select(const ANTLR_USE_NAMESPACE(std)string& sname) { inputStreamNames_coll::const_iterator i = inputStreamNames.find(sname); if (i == inputStreamNames.end()) { throw ANTLR_USE_NAMESPACE(std)string("TokenStream ")+sname+" not found"; } input = (*i).second; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/TokenStreamSelector.hpp000066400000000000000000000051721303637203600220760ustar00rootroot00000000000000#ifndef 
INC_TokenStreamSelector_hpp__ #define INC_TokenStreamSelector_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** A token stream MUX (multiplexor) knows about n token streams * and can multiplex them onto the same channel for use by token * stream consumer like a parser. This is a way to have multiple * lexers break up the same input stream for a single parser. * Or, you can have multiple instances of the same lexer handle * multiple input streams; this works great for includes. */ class ANTLR_API TokenStreamSelector : public TokenStream { protected: /** The set of inputs to the MUX */ #ifdef OS_NO_ALLOCATOR typedef ANTLR_USE_NAMESPACE(std)less lessp; typedef ANTLR_USE_NAMESPACE(std)map inputStreamNames_coll; #else typedef ANTLR_USE_NAMESPACE(std)map inputStreamNames_coll; #endif inputStreamNames_coll inputStreamNames; /** The currently-selected token stream input */ TokenStream* input; /** Used to track stack of input streams */ #ifdef OS_NO_ALLOCATOR typedef ANTLR_USE_NAMESPACE(std)stack > streamStack_coll; #else typedef ANTLR_USE_NAMESPACE(std)stack streamStack_coll; #endif streamStack_coll streamStack; public: TokenStreamSelector(); ~TokenStreamSelector(); void addInputStream(TokenStream* stream, const ANTLR_USE_NAMESPACE(std)string& key); /// Return the stream from which tokens are being pulled at the moment. TokenStream* getCurrentStream() const; TokenStream* getStream(const ANTLR_USE_NAMESPACE(std)string& sname) const; RefToken nextToken(); TokenStream* pop(); void push(TokenStream* stream); void push(const ANTLR_USE_NAMESPACE(std)string& sname); /** Abort recognition of current Token and try again. * A stream can push a new stream (for include files * for example, and then retry(), which will cause * the current stream to abort back to this.nextToken(). 
* this.nextToken() then asks for a token from the * current stream, which is the new "substream." */ void retry(); /** Set the stream without pushing old stream */ void select(TokenStream* stream); void select(const ANTLR_USE_NAMESPACE(std)string& sname); }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TokenStreamSelector_hpp__ fwbuilder-5.3.7/src/antlr/TokenWithIndex.hpp000066400000000000000000000031441303637203600210420ustar00rootroot00000000000000#ifndef INC_TokenWithIndex_hpp__ #define INC_TokenWithIndex_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API TokenWithIndex : public ANTLR_USE_NAMESPACE(antlr)CommonToken { public: // static size_t count; TokenWithIndex() : CommonToken(), index(0) { // std::cout << __PRETTY_FUNCTION__ << std::endl; // count++; } TokenWithIndex(int t, const ANTLR_USE_NAMESPACE(std)string& txt) : CommonToken(t,txt) , index(0) { // std::cout << __PRETTY_FUNCTION__ << std::endl; // count++; } TokenWithIndex(const ANTLR_USE_NAMESPACE(std)string& s) : CommonToken(s) , index(0) { // std::cout << __PRETTY_FUNCTION__ << std::endl; // count++; } ~TokenWithIndex() { // count--; } void setIndex( size_t idx ) { index = idx; } size_t getIndex( void ) const { return index; } ANTLR_USE_NAMESPACE(std)string toString() const { return ANTLR_USE_NAMESPACE(std)string("[")+ index+ ":\""+ getText()+"\",<"+ getType()+">,line="+ getLine()+",column="+ getColumn()+"]"; } static RefToken factory() { return RefToken(new TokenWithIndex()); } protected: size_t index; private: TokenWithIndex(const TokenWithIndex&); const TokenWithIndex& operator=(const TokenWithIndex&); }; typedef TokenRefCount RefTokenWithIndex; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_CommonToken_hpp__ 
fwbuilder-5.3.7/src/antlr/TreeParser.cpp000066400000000000000000000037361303637203600202140ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include "antlr/TreeParser.hpp" #include "antlr/ASTNULLType.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** The AST Null object; the parsing cursor is set to this when * it is found to be null. This way, we can test the * token type of a node without having to have tests for null * everywhere. */ RefAST TreeParser::ASTNULL(new ASTNULLType); /** Parser error-reporting function can be overridden in subclass */ void TreeParser::reportError(const RecognitionException& ex) { ANTLR_USE_NAMESPACE(std)cerr << ex.toString().c_str() << ANTLR_USE_NAMESPACE(std)endl; } /** Parser error-reporting function can be overridden in subclass */ void TreeParser::reportError(const ANTLR_USE_NAMESPACE(std)string& s) { ANTLR_USE_NAMESPACE(std)cerr << "error: " << s.c_str() << ANTLR_USE_NAMESPACE(std)endl; } /** Parser warning-reporting function can be overridden in subclass */ void TreeParser::reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { ANTLR_USE_NAMESPACE(std)cerr << "warning: " << s.c_str() << ANTLR_USE_NAMESPACE(std)endl; } /** Procedure to write out an indent for traceIn and traceOut */ void TreeParser::traceIndent() { for( int i = 0; i < traceDepth; i++ ) ANTLR_USE_NAMESPACE(std)cout << " "; } void TreeParser::traceIn(const char* rname, RefAST t) { traceDepth++; traceIndent(); ANTLR_USE_NAMESPACE(std)cout << "> " << rname << "(" << (t ? t->toString().c_str() : "null") << ")" << ((inputState->guessing>0)?" [guessing]":"") << ANTLR_USE_NAMESPACE(std)endl; } void TreeParser::traceOut(const char* rname, RefAST t) { traceIndent(); ANTLR_USE_NAMESPACE(std)cout << "< " << rname << "(" << (t ? t->toString().c_str() : "null") << ")" << ((inputState->guessing>0)?" 
[guessing]":"") << ANTLR_USE_NAMESPACE(std)endl; traceDepth--; } #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif fwbuilder-5.3.7/src/antlr/TreeParser.hpp000066400000000000000000000102351303637203600202110ustar00rootroot00000000000000#ifndef INC_TreeParser_hpp__ #define INC_TreeParser_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #include #include #include #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif class ANTLR_API TreeParser { public: TreeParser() : astFactory(0) , inputState(new TreeParserInputState()) , traceDepth(0) { } TreeParser(const TreeParserSharedInputState& state) : astFactory(0) , inputState(state) , traceDepth(0) { } virtual ~TreeParser() { } /// Get the AST return value squirreled away in the parser virtual RefAST getAST() = 0; /** Make sure current lookahead symbol matches the given set * Throw an exception upon mismatch, which is caught by either the * error handler or by a syntactic predicate. */ virtual void match(RefAST t, const BitSet& b) { if ( !t || t==ASTNULL || !b.member(t->getType()) ) throw MismatchedTokenException( getTokenNames(), getNumTokens(), t, b, false ); } /** Specify the AST factory to be used during tree building. (Compulsory) * Setting the factory is compulsory (if you intend to modify * the tree in the treeparser). The AST Factory is shared between * parser (who builds the initial AST) and treeparser. 
* @see Parser::getASTFactory() */ virtual void setASTFactory(ASTFactory* factory) { astFactory = factory; } /// Return pointer to ASTFactory virtual ASTFactory* getASTFactory() const { return astFactory; } /// Get the name for token 'num' virtual const char* getTokenName(int num) const = 0; /// Return the number of tokens defined virtual int getNumTokens() const = 0; /// Return an array of getNumTokens() token names virtual const char* const* getTokenNames() const = 0; /// Parser error-reporting function can be overridden in subclass virtual void reportError(const RecognitionException& ex); /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s); /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s); /// These are used during when traceTreeParser commandline option is passed. virtual void traceIndent(); virtual void traceIn(const char* rname, RefAST t); virtual void traceOut(const char* rname, RefAST t); /** The AST Null object; the parsing cursor is set to this when * it is found to be null. This way, we can test the * token type of a node without having to have tests for 0 * everywhere. */ static RefAST ASTNULL; protected: virtual void match(RefAST t, int ttype) { if (!t || t == ASTNULL || t->getType() != ttype ) throw MismatchedTokenException( getTokenNames(), getNumTokens(), t, ttype, false ); } virtual void matchNot(RefAST t, int ttype) { if ( !t || t == ASTNULL || t->getType() == ttype ) throw MismatchedTokenException( getTokenNames(), getNumTokens(), t, ttype, true ); } /** AST support code; parser and treeparser delegate to this object */ ASTFactory* astFactory; /// The input state of this tree parser. TreeParserSharedInputState inputState; /** Used to keep track of indent depth with -traceTreeParser */ int traceDepth; /** Utility class which allows tracing to work even when exceptions are * thrown. 
*/ class Tracer { private: TreeParser* parser; const char* text; RefAST tree; public: Tracer(TreeParser* p, const char* t, RefAST a) : parser(p), text(t), tree(a) { parser->traceIn(text,tree); } ~Tracer() { parser->traceOut(text,tree); } private: Tracer(const Tracer&); // undefined const Tracer& operator=(const Tracer&); // undefined }; private: // no copying of treeparser instantiations... TreeParser(const TreeParser& other); TreeParser& operator=(const TreeParser& other); }; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TreeParser_hpp__ fwbuilder-5.3.7/src/antlr/TreeParserSharedInputState.hpp000066400000000000000000000020741303637203600233630ustar00rootroot00000000000000#ifndef INC_TreeParserSharedInputState_hpp__ #define INC_TreeParserSharedInputState_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ #include #include #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif /** This object contains the data associated with an * input AST. Multiple parsers * share a single TreeParserSharedInputState to parse * the same tree or to have the parser walk multiple * trees. */ class ANTLR_API TreeParserInputState { public: TreeParserInputState() : guessing(0) {} virtual ~TreeParserInputState() {} public: /** Are we guessing (guessing>0)? 
*/ int guessing; //= 0; private: // we don't want these: TreeParserInputState(const TreeParserInputState&); TreeParserInputState& operator=(const TreeParserInputState&); }; typedef RefCount TreeParserSharedInputState; #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif #endif //INC_TreeParserSharedInputState_hpp__ fwbuilder-5.3.7/src/antlr/antlr.pro000066400000000000000000000043021303637203600172640ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) # TEMPLATE = lib # SOURCES = ANTLRUtil.cpp \ ASTFactory.cpp \ ASTNULLType.cpp \ ASTRefCount.cpp \ BaseAST.cpp \ BitSet.cpp \ CharBuffer.cpp \ CharScanner.cpp \ CommonAST.cpp \ CommonASTWithHiddenTokens.cpp \ CommonHiddenStreamToken.cpp \ CommonToken.cpp \ InputBuffer.cpp \ LLkParser.cpp \ MismatchedCharException.cpp \ MismatchedTokenException.cpp \ NoViableAltException.cpp \ NoViableAltForCharException.cpp \ Parser.cpp \ RecognitionException.cpp \ String.cpp \ TokenBuffer.cpp \ Token.cpp \ TokenRefCount.cpp \ TokenStreamBasicFilter.cpp \ TokenStreamHiddenTokenFilter.cpp \ TokenStreamRewriteEngine.cpp \ TokenStreamSelector.cpp \ TreeParser.cpp # dll.cpp \ HEADERS = ANTLRException.hpp \ ANTLRUtil.hpp \ ASTArray.hpp \ ASTFactory.hpp \ AST.hpp \ ASTNULLType.hpp \ ASTPair.hpp \ ASTRefCount.hpp \ BaseAST.hpp \ BitSet.hpp \ CharBuffer.hpp \ CharInputBuffer.hpp \ CharScanner.hpp \ CharStreamException.hpp \ CharStreamIOException.hpp \ CircularQueue.hpp \ CommonAST.hpp \ CommonASTWithHiddenTokens.hpp \ CommonHiddenStreamToken.hpp \ CommonToken.hpp \ config.hpp \ InputBuffer.hpp \ IOException.hpp \ LexerSharedInputState.hpp \ LLkParser.hpp \ MismatchedCharException.hpp \ MismatchedTokenException.hpp \ NoViableAltException.hpp \ NoViableAltForCharException.hpp \ Parser.hpp \ ParserSharedInputState.hpp \ RecognitionException.hpp \ RefCount.hpp \ SemanticException.hpp \ String.hpp \ TokenBuffer.hpp \ Token.hpp \ TokenRefCount.hpp \ TokenStreamBasicFilter.hpp \ TokenStreamException.hpp \ 
TokenStreamHiddenTokenFilter.hpp \ TokenStream.hpp \ TokenStreamIOException.hpp \ TokenStreamRecognitionException.hpp \ TokenStreamRetryException.hpp \ TokenStreamRewriteEngine.hpp \ TokenStreamSelector.hpp \ TokenWithIndex.hpp \ TreeParser.hpp \ TreeParserSharedInputState.hpp CONFIG += staticlib INCLUDEPATH += $$ANTLR_INCLUDEPATH DEPENDPATH += $$ANTLR_INCLUDEPATH DEFINES += $$ANTLR_DEFINES TARGET = antlr INSTALLS -= target fwbuilder-5.3.7/src/antlr/config.hpp000066400000000000000000000205411303637203600174030ustar00rootroot00000000000000#ifndef INC_config_hpp__ #define INC_config_hpp__ /* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ /* * Just a simple configuration file to differentiate between the * various compilers used and reconfigure stuff for any oddities of the * compiler in question. * * These are the defaults. Per compiler these are amended. */ #define ANTLR_USE_NAMESPACE(_x_) _x_:: #define ANTLR_USING_NAMESPACE(_x_) using namespace _x_; #define ANTLR_CXX_SUPPORTS_NAMESPACE 1 #define ANTLR_C_USING(_x_) #define ANTLR_API #ifndef CUSTOM_API # define CUSTOM_API #endif #define ANTLR_IOS_BASE ios_base /** define if cctype functions/macros need a std:: prefix. A lot of compilers * define these as macros, in which case something barfs. */ #define ANTLR_CCTYPE_NEEDS_STD /// Define if C++ compiler supports std::uncaught_exception #define ANTLR_CXX_SUPPORTS_UNCAUGHT_EXCEPTION #define ANTLR_ATOI_IN_STD /******************************************************************************/ /*{{{ Microsoft Visual C++ */ // NOTE: If you provide patches for a specific MSVC version guard them for // the specific version!!!! 
// _MSC_VER == 1100 for Microsoft Visual C++ 5.0 // _MSC_VER == 1200 for Microsoft Visual C++ 6.0 // _MSC_VER == 1300 for Microsoft Visual C++ 7.0 #if defined(_MSC_VER) # if _MSC_VER < 1300 # define NOMINMAX # pragma warning(disable : 4786) # define min _cpp_min # endif // This warning really gets on my nerves. // It's the one about symbol longer than 256 chars, and it happens // all the time with STL. # pragma warning( disable : 4786 4231 ) // this shuts up some DLL interface warnings for STL # pragma warning( disable : 4251 ) # ifdef ANTLR_CXX_USE_STLPORT # undef ANTLR_CXX_SUPPORTS_UNCAUGHT_EXCEPTION # endif # if ( _MSC_VER < 1300 ) && ( defined(ANTLR_EXPORTS) || defined(ANTLR_IMPORTS) ) # error "DLL Build not supported on these MSVC versions." // see comment in lib/cpp/src/dll.cpp # endif // For the DLL support originally contributed by Stephen Naughton // If you are building statically leave ANTLR_EXPORTS/ANTLR_IMPORTS undefined // If you are building the DLL define ANTLR_EXPORTS // If you are compiling code to be used with the DLL define ANTLR_IMPORTS # ifdef ANTLR_EXPORTS # undef ANTLR_API # define ANTLR_API __declspec(dllexport) # endif # ifdef ANTLR_IMPORTS # undef ANTLR_API # define ANTLR_API __declspec(dllimport) # endif # if ( _MSC_VER < 1200 ) // supposedly only for MSVC5 and before... // Using vector requires operator<(X,X) to be defined # define NEEDS_OPERATOR_LESS_THAN # endif // VC6 # if ( _MSC_VER == 1200 ) # undef ANTLR_ATOI_IN_STD # endif # if ( _MSC_VER < 1310 ) // Supposedly only for MSVC7 and before... // Not allowed to put 'static const int XXX=20;' in a class definition # define NO_STATIC_CONSTS # define NO_TEMPLATE_PARTS # endif // No strcasecmp in the C library (so use stricmp instead) // - Anyone know which is in which standard? 
# define NO_STRCASECMP # undef ANTLR_CCTYPE_NEEDS_STD # define NO_STATIC_CONSTS #endif // End of Microsoft Visual C++ /*}}}*/ /******************************************************************************/ /*{{{ SunPro Compiler (Using OBJECTSPACE STL) *****************************************************************************/ #ifdef __SUNPRO_CC # if (__SUNPRO_CC >= 0x500) # define NEEDS_OPERATOR_LESS_THAN # define NO_TEMPLATE_PARTS # else # undef namespace # define namespace # if (__SUNPRO_CC == 0x420) /* This code is specif to SunWspro Compiler 4.2, and will compile with the objectspace 2.1 toolkit for Solaris2.6 */ # define HAS_NOT_CASSERT_H # define HAS_NOT_CSTRING_H # define HAS_NOT_CCTYPE_H # define HAS_NOT_CSTDIO_H # define HAS_OSTREAM_H /* #define OS_SOLARIS_2_6 #define OS_NO_WSTRING #define OS_NO_ALLOCATORS #define OS_MULTI_THREADED #define OS_SOLARIS_NATIVE #define OS_REALTIME #define __OSVERSION__=5 #define SVR4 */ // ObjectSpace + some specific templates constructions with stl. /* #define OS_NO_ALLOCATOR */ // This great compiler does not have the namespace feature. 
# undef ANTLR_USE_NAMESPACE # define ANTLR_USE_NAMESPACE(_x_) # undef ANTLR_USING_NAMESPACE # define ANTLR_USING_NAMESPACE(_x_) # undef ANTLR_CXX_SUPPORTS_NAMESPACE # endif // End __SUNPRO_CC == 0x420 # undef explicit # define explicit # define exception os_exception # define bad_exception os_bad_exception // Not allowed to put 'static const int XXX=20;' in a class definition # define NO_STATIC_CONSTS // Using vector requires operator<(X,X) to be defined # define NEEDS_OPERATOR_LESS_THAN # endif # undef ANTLR_CCTYPE_NEEDS_STD #endif // end __SUNPRO_CC /*}}}*/ /*****************************************************************************/ /*{{{ Inprise C++ Builder 3.0 *****************************************************************************/ #ifdef __BCPLUSPLUS__ # define NO_TEMPLATE_PARTS # define NO_STRCASECMP # undef ANTLR_CCTYPE_NEEDS_STD #endif // End of C++ Builder 3.0 /*}}}*/ /*****************************************************************************/ /*{{{ IBM VisualAge C++ ( which includes the Dinkumware C++ Library ) *****************************************************************************/ #ifdef __IBMCPP__ // No strcasecmp in the C library (so use stricmp instead) // - Anyone know which is in which standard? #if (defined(_AIX) && (__IBMCPP__ >= 600)) # define NO_STATIC_CONSTS #else # define NO_STRCASECMP # undef ANTLR_CCTYPE_NEEDS_STD #endif #endif // end IBM VisualAge C++ /*}}}*/ /*****************************************************************************/ /*{{{ Metrowerks Codewarrior *****************************************************************************/ #ifdef __MWERKS__ # if (__MWERKS__ <= 0x2201) # define NO_TEMPLATE_PARTS # endif // CW 6.0 and 7.0 still do not have it. 
# define ANTLR_REALLY_NO_STRCASECMP # undef ANTLR_C_USING # define ANTLR_C_USING(_x_) using std:: ## _x_; # define ANTLR_CCTYPE_NEEDS_STD # undef ANTLR_CXX_SUPPORTS_UNCAUGHT_EXCEPTION #endif // End of Metrowerks Codewarrior /*}}}*/ /*****************************************************************************/ /*{{{ SGI Irix 6.5.10 MIPSPro compiler *****************************************************************************/ // (contributed by Anna Winkler) // Note: you can't compile ANTLR with the MIPSPro compiler on // anything < 6.5.10 because SGI just fixed a big bug dealing with // namespaces in that release. #ifdef __sgi # define HAS_NOT_CCTYPE_H # define HAS_NOT_CSTRING_H # define HAS_NOT_CSTDIO_H # undef ANTLR_CCTYPE_NEEDS_STD #endif // End IRIX MIPSPro /*}}}*/ /*****************************************************************************/ /*{{{ G++ in various incarnations *****************************************************************************/ // With the gcc-2.95 and 3.0 being in the near future we should start handling // incompatabilities between the various libstdc++'s. #if defined(__GNUC__) || defined(__GNUG__) // gcc 2 branch.. # if (__GNUC__ == 2 ) # if (__GNUC_MINOR__ <= 8 ) # undef ANTLR_USE_NAMESPACE # define ANTLR_USE_NAMESPACE(_x_) # undef ANTLR_USING_NAMESPACE # define ANTLR_USING_NAMESPACE(_x_) # undef ANTLR_CXX_SUPPORTS_NAMESPACE # endif # if (__GNUC_MINOR__ > 8 && __GNUC_MINOR__ <= 95 ) # undef ANTLR_IOS_BASE # define ANTLR_IOS_BASE ios # undef ANTLR_CCTYPE_NEEDS_STD // compiling with -ansi ? # ifdef __STRICT_ANSI__ # undef ANTLR_REALLY_NO_STRCASECMP # define ANTLR_REALLY_NO_STRCASECMP # endif # else // experimental .96 .97 branches.. # undef ANTLR_CCTYPE_NEEDS_STD # endif # endif #endif // ! 
__GNUC__ /*}}}*/ /*****************************************************************************/ /*{{{ Digital CXX (Tru64) *****************************************************************************/ #ifdef __DECCXX #define __USE_STD_IOSTREAM #endif /*}}}*/ /*****************************************************************************/ #ifdef __BORLANDC__ # if __BORLANDC__ >= 560 # include # include # define ANTLR_CCTYPE_NEEDS_STD # else # error "sorry, compiler is too old - consider an update." # endif #endif // Redefine these for backwards compatability.. #undef ANTLR_BEGIN_NAMESPACE #undef ANTLR_END_NAMESPACE #if ANTLR_CXX_SUPPORTS_NAMESPACE == 1 # define ANTLR_BEGIN_NAMESPACE(_x_) namespace _x_ { # define ANTLR_END_NAMESPACE } #else # define ANTLR_BEGIN_NAMESPACE(_x_) # define ANTLR_END_NAMESPACE #endif #endif //INC_config_hpp__ fwbuilder-5.3.7/src/antlr/dll.cpp000066400000000000000000000237041303637203600167100ustar00rootroot00000000000000/* ANTLR Translator Generator * Project led by Terence Parr at http://www.jGuru.com * Software rights: http://www.antlr.org/license.html * * $Id$ */ /* * DLL stub for MSVC++. Based upon versions of Stephen Naughton and Michael * T. Richter */ // RK: Uncommented by instruction of Alexander Lenski //#if _MSC_VER > 1000 //# pragma once //#endif // _MSC_VER > 1000 // Exclude rarely-used stuff from Windows headers #define WIN32_LEAN_AND_MEAN #include #if defined( _MSC_VER ) && ( _MSC_VER < 1300 ) # error "DLL Build not supported on old MSVC's" // Ok it seems to be possible with STLPort in stead of the vanilla MSVC STL // implementation. This needs some work though. 
(and don't try it if you're // not that familiar with compilers/building C++ DLL's in windows) #endif #include #include "antlr/config.hpp" #include "antlr/Token.hpp" #include "antlr/CircularQueue.hpp" #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE namespace antlr { #endif // Take care of necessary implicit instantiations of templates from STL // This should take care of MSVC 7.0 #if defined( _MSC_VER ) && ( _MSC_VER == 1300 ) // these come from AST.hpp template class ANTLR_API ASTRefCount< AST >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< RefAST >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)vector< RefAST >; //template ANTLR_API int operator<( ASTRefCount< AST >, ASTRefCount< AST > ); // ASTFactory.hpp template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< factory_descriptor_* >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const char*, factory_type_ > >; template struct ANTLR_API ANTLR_USE_NAMESPACE(std)pair< const char*, factory_type_ >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Vector_val< factory_descriptor_*, ANTLR_USE_NAMESPACE(std)allocator< factory_descriptor_* > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)vector< factory_descriptor_* >; // BitSet.hpp template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< bool >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Vector_val< bool, ANTLR_USE_NAMESPACE(std)allocator< bool > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)vector< bool >; // CharScanner.hpp template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< ANTLR_USE_NAMESPACE(std)string, int > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, int > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)_Tree_nod< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, int, CharScannerLiteralsLess, 
ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, int > >, false > >::_Node >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)_Tree_ptr< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, int, CharScannerLiteralsLess, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, int > >, false > >::_Nodeptr >; template struct ANTLR_API ANTLR_USE_NAMESPACE(std)pair< ANTLR_USE_NAMESPACE(std)string, int >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, int, CharScannerLiteralsLess, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, int > >,false >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Tree_nod< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, int, CharScannerLiteralsLess, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, int > >,false > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Tree_ptr< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, int, CharScannerLiteralsLess, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, int > >,false > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Tree_val< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, int, CharScannerLiteralsLess, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, int > >,false > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Tree< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, int, CharScannerLiteralsLess, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, int > >,false > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)map< 
ANTLR_USE_NAMESPACE(std)string, int, CharScannerLiteralsLess >; // CircularQueue.hpp // RK: it might well be that a load of these ints need to be unsigned ints // (made some more stuff unsigned) template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< int >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Vector_val< int, ANTLR_USE_NAMESPACE(std)allocator< int > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)vector< int >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)vector< int, ANTLR_USE_NAMESPACE(std)allocator< int > >; // template ANTLR_API inline int CircularQueue< int >::entries() const; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< RefToken >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Vector_val< RefToken, ANTLR_USE_NAMESPACE(std)allocator< RefToken > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)vector< RefToken >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)vector< RefToken, ANTLR_USE_NAMESPACE(std)allocator< RefToken > >; // template ANTLR_API inline int CircularQueue< RefToken >::entries() const; // CommonAST.hpp template class ANTLR_API ASTRefCount< CommonAST >; // CommonASTWithHiddenTokenTypes.hpp template class ANTLR_API ASTRefCount< CommonASTWithHiddenTokens >; // LexerSharedInputState.hpp template class ANTLR_API RefCount< LexerInputState >; // ParserSharedInputState.hpp template class ANTLR_API RefCount< ParserInputState >; // TokenStreamSelector.hpp template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< ANTLR_USE_NAMESPACE(std)string, TokenStream* > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, TokenStream* > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)_Tree_nod< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, TokenStream*, ANTLR_USE_NAMESPACE(std)less< ANTLR_USE_NAMESPACE(std)string >, 
ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, TokenStream* > >, false > >::_Node >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)_Tree_ptr< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, TokenStream*, ANTLR_USE_NAMESPACE(std)less< ANTLR_USE_NAMESPACE(std)string >, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, TokenStream* > >, false > >::_Nodeptr >; template struct ANTLR_API ANTLR_USE_NAMESPACE(std)pair< ANTLR_USE_NAMESPACE(std)string, TokenStream* >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, TokenStream*, ANTLR_USE_NAMESPACE(std)less< ANTLR_USE_NAMESPACE(std)string >, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, TokenStream* > >,false >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Tree_nod< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, TokenStream*, ANTLR_USE_NAMESPACE(std)less< ANTLR_USE_NAMESPACE(std)string >, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, TokenStream* > >,false > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Tree_ptr< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, TokenStream*, ANTLR_USE_NAMESPACE(std)less< ANTLR_USE_NAMESPACE(std)string >, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, TokenStream* > >,false > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Tree_val< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, TokenStream*, ANTLR_USE_NAMESPACE(std)less< ANTLR_USE_NAMESPACE(std)string >, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, TokenStream* > >,false > >; template class ANTLR_API 
ANTLR_USE_NAMESPACE(std)_Tree< ANTLR_USE_NAMESPACE(std)_Tmap_traits< ANTLR_USE_NAMESPACE(std)string, TokenStream*, ANTLR_USE_NAMESPACE(std)less< ANTLR_USE_NAMESPACE(std)string >, ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)pair< const ANTLR_USE_NAMESPACE(std)string, TokenStream* > >,false > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)map< ANTLR_USE_NAMESPACE(std)string, TokenStream* >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< TokenStream* >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)allocator< ANTLR_USE_NAMESPACE(std)_Deque_map< TokenStream* , ANTLR_USE_NAMESPACE(std)allocator< TokenStream* > >::_Tptr >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Deque_map< TokenStream*, ANTLR_USE_NAMESPACE(std)allocator< TokenStream* > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)_Deque_val< TokenStream*, ANTLR_USE_NAMESPACE(std)allocator< TokenStream* > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)deque< TokenStream*, ANTLR_USE_NAMESPACE(std)allocator< TokenStream* > >; template class ANTLR_API ANTLR_USE_NAMESPACE(std)stack< TokenStream*, ANTLR_USE_NAMESPACE(std)deque >; #elif defined( _MSC_VER ) && ( _MSC_VER == 1310 ) // Instantiations for MSVC 7.1 template class ANTLR_API CircularQueue< int >; template class ANTLR_API CircularQueue< RefToken >; // #else future msvc's #endif #ifdef ANTLR_CXX_SUPPORTS_NAMESPACE } #endif BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { return TRUE; } fwbuilder-5.3.7/src/cisco_lib/000077500000000000000000000000001303637203600162315ustar00rootroot00000000000000fwbuilder-5.3.7/src/cisco_lib/ACL.cpp000066400000000000000000000076101303637203600173400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ACL.h" #include using namespace fwcompiler; using namespace std; string ciscoACL::addLine(const std::string &s) { acl.push_back(s); nlines++; return printLastLine(); } /* * "remark" lines should be less than 101 on PIX/ASA and less than 100 on IOS */ string ciscoACL::trimLine(const string &s) { string trimmed_comment_line; if (s.length() < 100) trimmed_comment_line = s; else trimmed_comment_line = s.substr(0, 100); // remove white space at the beginning and the end string whitespaces(" \t\f\v\n\r"); string::size_type n1,n2; n1 = trimmed_comment_line.find_first_not_of(whitespaces); if (n1 != string::npos) trimmed_comment_line.erase(0, n1); else trimmed_comment_line.clear(); // all whitespace n2 = trimmed_comment_line.find_last_not_of(whitespaces); if (n2 != string::npos) trimmed_comment_line.erase(n2+1); else trimmed_comment_line.clear(); return trimmed_comment_line; } string ciscoACL::quoteLine(const string &s) { if (quote_remarks && s.find(' ') != string::npos) return "\"" + s + "\""; else return s; } /* * Adds remark to access list. Checks and adds each remark only * once. 
We use rule labels for remarks */ string ciscoACL::addRemark(const std::string &rl, const std::string &comment) { string output; if (_last_rule_label != rl) { acl.push_back(" remark " + quoteLine(trimLine(rl))); output += printLastLine(); nlines++; if (!comment.empty()) { string::size_type n, c1; c1 = 0; string trimmed_comment_line; while ( (n = comment.find("\n", c1)) != string::npos ) { trimmed_comment_line = trimLine(comment.substr(c1, n-c1)); if (!trimmed_comment_line.empty()) { acl.push_back(" remark " + quoteLine(trimmed_comment_line)); output += printLastLine(); nlines++; } c1 = n + 1; } trimmed_comment_line = trimLine(comment.substr(c1, n-c1)); if (!trimmed_comment_line.empty()) { acl.push_back(" remark " + quoteLine(trimmed_comment_line)); output += printLastLine(); nlines++; } } _last_rule_label = rl; return output; } return ""; } string ciscoACL::print() { ostringstream str; for (list::iterator s=acl.begin(); s!=acl.end(); s++) str << printLine(*s); return str.str(); } string ciscoACL::printLastLine() { return printLine(acl.back()); } string ciscoACL::printLine(const string &s) { ostringstream str; // _ip_acl means Cisco IOS "ip access-list extended " style ACL // actual lines of the access list just start with "permit" or "deny" if ( s.find('!')!=0 ) { if (_ip_acl) str << " "; else str << "access-list " << _workName << " "; } str << s << endl; return str.str(); } fwbuilder-5.3.7/src/cisco_lib/ACL.h000066400000000000000000000062341303637203600170060ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ACL_H #define __ACL_H #include #include #include "fwbuilder/Interface.h" namespace fwcompiler { class ciscoACL { bool _ip_acl; std::string _name; std::string _workName; libfwbuilder::Interface *_interface; std::string _dir; std::string _last_rule_label; int nlines; std::list acl; bool quote_remarks; std::string printLine(const std::string &s); std::string quoteLine(const std::string &s); std::string trimLine(const std::string &s); public: ciscoACL() { _ip_acl = false; _name = ""; _workName = ""; _interface = NULL; _dir = "in"; nlines = 0; _last_rule_label = ""; quote_remarks = false; } ciscoACL(const std::string &n, libfwbuilder::Interface *intf, const std::string &d="in", bool _ip_list=false) { _ip_acl = _ip_list; _name = n; _workName = ""; _interface = intf; _dir = d; nlines = 0; _last_rule_label = ""; quote_remarks = false; } std::string addLine(const std::string &s); /* * Adds remark to access list. Checks and adds each remark only * once. 
We use rule labels and comments for remarks */ std::string addRemark(const std::string &rl, const std::string &comment); void setName(const std::string &s) { _name=s; } std::string name() { return _name; } void setWorkName(const std::string &s) { _workName=s; } std::string workName() { return _workName; } void setInterface(libfwbuilder::Interface *intf) { _interface=intf; } libfwbuilder::Interface* getInterface() { return _interface; } void setDirection(const std::string &d) { _dir=d; } std::string direction() { return _dir; } void setQuoteRemarks(bool f) { quote_remarks = f; } std::string print(); std::string printLastLine(); int size() { return nlines; } }; } #endif fwbuilder-5.3.7/src/cisco_lib/ASA8ObjectGroup.cpp000066400000000000000000000047601303637203600216040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "ASA8ObjectGroup.h" #include "NamedObjectsAndGroupsSupport.h" #include "NamedObjectsManager.h" #include "fwbuilder/Address.h" #include "fwbuilder/Network.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include #include using namespace libfwbuilder; using namespace std; using namespace fwcompiler; const char *ASA8ObjectGroup::TYPENAME={"ASA8ObjectGroup"}; /* * see #2263. It looks like "object-group service" that includes named * objects defined as "service-object" can not be used in access-list * commands and therefore is useless. Unless I misunderstood and * there is a way to use it, I should not generate ASA configuration * like this: * * object-group service id5102X14531.srv.tcp.0 tcp * service-object object http.0 * service-object object https.0 * exit * * */ QString ASA8ObjectGroup::groupMemberToString( FWObject *obj, NamedObjectsManager *named_objects_manager) throw(libfwbuilder::FWException) { if (this->getObjectGroupType() == NETWORK) { NamedObject *named_object = named_objects_manager->named_objects[obj->getId()]; if (named_object) { return named_object->getCommandWhenObjectGroupMember(); } } return PIXObjectGroup::groupMemberToString(obj, named_objects_manager); } string ASA8ObjectGroup::getObjectGroupClass() { switch (this->getObjectGroupType()) { case MIXED_SERVICE: return "service";; default: return PIXObjectGroup::getObjectGroupClass(); } } fwbuilder-5.3.7/src/cisco_lib/ASA8ObjectGroup.h000066400000000000000000000026111303637203600212420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _ASA8_OBJECT_GROUP_HH #define _ASA8_OBJECT_GROUP_HH #include "PIXObjectGroup.h" namespace fwcompiler { class ASA8ObjectGroup : public PIXObjectGroup { public: ASA8ObjectGroup() : PIXObjectGroup() { } virtual ~ASA8ObjectGroup() {}; DECLARE_FWOBJECT_SUBTYPE(ASA8ObjectGroup); virtual std::string getObjectGroupClass(); virtual QString groupMemberToString( libfwbuilder::FWObject *obj, NamedObjectsManager *named_obj_manager) throw(libfwbuilder::FWException); }; } #endif fwbuilder-5.3.7/src/cisco_lib/ASA8TwiceNatLogic.cpp000066400000000000000000000061641303637203600220550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ASA8TwiceNatLogic.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Network.h" #include using namespace libfwbuilder; using namespace std; ASA8TwiceNatStaticLogic::ASA8TwiceNatStaticLogic(NATRule *_rule) { rule = _rule; } int ASA8TwiceNatStaticLogic::countAddresses(FWObject *re) { int res = 0; for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *o = FWReference::getObject(*i1); if (Group::cast(o) != NULL) res += countAddresses(o); else { Address *addr = Address::cast(o); assert(addr); res += addr->dimension(); } } return res; } ASA8TwiceNatStaticLogic::TwiceNatRuleType ASA8TwiceNatStaticLogic::getAutomaticType() { RuleElementOSrc *osrc_re = rule->getOSrc(); assert(osrc_re!=NULL); //Address *osrc = Address::cast(FWReference::getObject(osrc_re->front())); RuleElementTSrc *tsrc_re = rule->getTSrc(); assert(tsrc_re!=NULL); //Address *tsrc = Address::cast(FWReference::getObject(tsrc_re->front())); if (tsrc_re->isAny()) return STATIC; else { /* * Default behavior: if the number of ip addresses in OSrc is * equal to that in TSrc, then use "static". Otherwise use * "dynamic". Note that TSrc may be a group, in which case we * assume it has different number of addresses and we fall * back to dynamic */ if (tsrc_re->size() > 1) return DYNAMIC; //if (tsrc == NULL) return DYNAMIC; Address *tsrc = Address::cast(FWReference::getObject(tsrc_re->front())); // ASA sez: "ERROR: Subnet can not be used as mapped source in // dynamic NAT policy." 
if (Network::isA(tsrc)) return STATIC; // If we tranlate one-to-one, then use static as well if (countAddresses(osrc_re) == countAddresses(tsrc_re)) return STATIC; else return DYNAMIC; } return DYNAMIC; } ASA8TwiceNatStaticLogic::TwiceNatRuleType ASA8TwiceNatStaticLogic::getType() { TwiceNatRuleType res = getAutomaticType(); FWOptions *ropt = rule->getOptionsObject(); if (ropt->getBool("asa8_nat_dynamic")) res = DYNAMIC; if (ropt->getBool("asa8_nat_static")) res = STATIC; return res; } fwbuilder-5.3.7/src/cisco_lib/ASA8TwiceNatLogic.h000066400000000000000000000023641303637203600215200ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _ASA8_TWICE_NAT_LOGIC_HH #define _ASA8_TWICE_NAT_LOGIC_HH #include "fwbuilder/Rule.h" class ASA8TwiceNatStaticLogic { libfwbuilder::NATRule *rule; int countAddresses(libfwbuilder::FWObject *re); public: enum TwiceNatRuleType {STATIC, DYNAMIC}; ASA8TwiceNatStaticLogic(libfwbuilder::NATRule *rule); TwiceNatRuleType getAutomaticType(); TwiceNatRuleType getType(); }; #endif fwbuilder-5.3.7/src/cisco_lib/AutomaticRules_cisco.cpp000066400000000000000000000046771303637203600230740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "AutomaticRules_cisco.h" #include "fwbuilder/Address.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include using namespace fwcompiler; using namespace libfwbuilder; using namespace std; /* Adds the "backup ssh access rule": when firewall option "mgmt_ssh" is on and "mgmt_addr" is non-empty, an Inbound Accept rule from the "mgmt_addr" host/network to the firewall itself for TCP destination port 22. Every object created here is registered in persistent_objects. Does nothing when ruleset is NULL. NOTE(review): ssh_rev (TCP source port 22) is created and registered but is not referenced by the rule added in this function; the stateless IOS/NXOS subclasses create their own reply-direction objects. */ void AutomaticRules_cisco::addSshAccessRule() { if (ruleset == NULL) return; FWOptions *fwopt = fw->getOptionsObject(); if (fwopt->getBool("mgmt_ssh") && ! fwopt->getStr("mgmt_addr").empty()) { TCPService *ssh = ruleset->getRoot()->createTCPService(); ssh->setDstRangeStart(22); ssh->setDstRangeEnd(22); persistent_objects->add(ssh, false); TCPService *ssh_rev = ruleset->getRoot()->createTCPService(); ssh_rev->setSrcRangeStart(22); ssh_rev->setSrcRangeEnd(22); persistent_objects->add(ssh_rev, false); Network *mgmt_workstation = ruleset->getRoot()->createNetwork(); mgmt_workstation->setAddressNetmask(fwopt->getStr("mgmt_addr")); /* "mgmt_addr" is taken from firewall options as-is; setAddressNetmask() is the only parse step visible here — presumably it rejects malformed input, confirm. */ persistent_objects->add(mgmt_workstation, false); /* argument order (source, destination, service, ..., direction, action, label) is inferred from this call — verify against addMgmtRule's declaration */ addMgmtRule( mgmt_workstation, fw, ssh, NULL, PolicyRule::Inbound, PolicyRule::Accept, "backup ssh access rule"); } } fwbuilder-5.3.7/src/cisco_lib/AutomaticRules_cisco.h000066400000000000000000000025741303637203600225300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __AUTOMATICRULES_CISCO_HH__ #define __AUTOMATICRULES_CISCO_HH__ #include "AutomaticRules.h" namespace libfwbuilder { class Address; class Firewall; class Interface; class Service; }; namespace fwcompiler { class AutomaticRules_cisco : public AutomaticRules { public: AutomaticRules_cisco(libfwbuilder::Firewall *fw, libfwbuilder::Library *presistent_objects) : AutomaticRules(fw, presistent_objects) {} void addSshAccessRule(); }; }; #endif fwbuilder-5.3.7/src/cisco_lib/AutomaticRules_iosacl.cpp000066400000000000000000000051061303637203600232320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "AutomaticRules_iosacl.h" #include "fwbuilder/Address.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include using namespace fwcompiler; using namespace libfwbuilder; using namespace std; /* IOS ACL variant of the backup ssh access rule. Under the same conditions as the base class ("mgmt_ssh" on, "mgmt_addr" non-empty) it first adds the inbound rule via AutomaticRules_cisco::addSshAccessRule(), then adds the Outbound Accept rule for the reply direction: from the firewall to the "mgmt_addr" host/network, TCP source port 22, labelled "backup ssh access rule (out)". Does nothing when ruleset is NULL. */ void AutomaticRules_iosacl::addSshAccessRule() { if (ruleset == NULL) return; FWOptions *fwopt = fw->getOptionsObject(); if (fwopt->getBool("mgmt_ssh") && ! fwopt->getStr("mgmt_addr").empty()) { AutomaticRules_cisco::addSshAccessRule(); /* * AutomaticRules_cisco::addSshAccessRule() (called above) adds a rule to * permit backup ssh access to the firewall. Since IOS ACL are * stateless, we need to add another rule to permit reply * packets: outbound, from the firewall to the management address, with * TCP source port 22 (the reply direction of the inbound ssh session). 
*/ TCPService *ssh_rev = ruleset->getRoot()->createTCPService(); ssh_rev->setSrcRangeStart(22); ssh_rev->setSrcRangeEnd(22); persistent_objects->add(ssh_rev, false); Network *mgmt_workstation = ruleset->getRoot()->createNetwork(); mgmt_workstation->setAddressNetmask(fwopt->getStr("mgmt_addr")); persistent_objects->add(mgmt_workstation, false); /* argument order (source, destination, service, ..., direction, action, label) is inferred from this call — verify against addMgmtRule's declaration */ addMgmtRule( fw, mgmt_workstation, ssh_rev, NULL, PolicyRule::Outbound, PolicyRule::Accept, "backup ssh access rule (out)"); } } fwbuilder-5.3.7/src/cisco_lib/AutomaticRules_iosacl.h000066400000000000000000000026221303637203600226770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __AUTOMATICRULES_IOSACL_HH__ #define __AUTOMATICRULES_IOSACL_HH__ #include "AutomaticRules_cisco.h" namespace libfwbuilder { class Address; class Firewall; class Interface; class Service; }; namespace fwcompiler { class AutomaticRules_iosacl : public AutomaticRules_cisco { public: AutomaticRules_iosacl(libfwbuilder::Firewall *fw, libfwbuilder::Library *presistent_objects) : AutomaticRules_cisco(fw, presistent_objects) {} void addSshAccessRule(); }; }; #endif fwbuilder-5.3.7/src/cisco_lib/AutomaticRules_nxosacl.cpp000066400000000000000000000051111303637203600234230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "AutomaticRules_nxosacl.h" #include "fwbuilder/Address.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include using namespace fwcompiler; using namespace libfwbuilder; using namespace std; /* NX-OS ACL variant of the backup ssh access rule. Under the same conditions as the base class ("mgmt_ssh" on, "mgmt_addr" non-empty) it first adds the inbound rule via AutomaticRules_cisco::addSshAccessRule(), then adds the Outbound Accept rule for the reply direction: from the firewall to the "mgmt_addr" host/network, TCP source port 22, labelled "backup ssh access rule (out)". Does nothing when ruleset is NULL. NOTE(review): this body is identical to AutomaticRules_iosacl::addSshAccessRule() apart from the platform named in the comment. */ void AutomaticRules_nxosacl::addSshAccessRule() { if (ruleset == NULL) return; FWOptions *fwopt = fw->getOptionsObject(); if (fwopt->getBool("mgmt_ssh") && ! fwopt->getStr("mgmt_addr").empty()) { AutomaticRules_cisco::addSshAccessRule(); /* * AutomaticRules_cisco::addSshAccessRule() (called above) adds a rule to * permit backup ssh access to the firewall. Since NXOS ACL are * stateless, we need to add another rule to permit reply * packets: outbound, from the firewall to the management address, with * TCP source port 22 (the reply direction of the inbound ssh session). 
*/ TCPService *ssh_rev = ruleset->getRoot()->createTCPService(); ssh_rev->setSrcRangeStart(22); ssh_rev->setSrcRangeEnd(22); persistent_objects->add(ssh_rev, false); Network *mgmt_workstation = ruleset->getRoot()->createNetwork(); mgmt_workstation->setAddressNetmask(fwopt->getStr("mgmt_addr")); persistent_objects->add(mgmt_workstation, false); /* argument order (source, destination, service, ..., direction, action, label) is inferred from this call — verify against addMgmtRule's declaration */ addMgmtRule( fw, mgmt_workstation, ssh_rev, NULL, PolicyRule::Outbound, PolicyRule::Accept, "backup ssh access rule (out)"); } } fwbuilder-5.3.7/src/cisco_lib/AutomaticRules_nxosacl.h000066400000000000000000000026261303637203600231000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __AUTOMATICRULES_NXOSACL_HH__ #define __AUTOMATICRULES_NXOSACL_HH__ #include "AutomaticRules_cisco.h" namespace libfwbuilder { class Address; class Firewall; class Interface; class Service; }; namespace fwcompiler { class AutomaticRules_nxosacl : public AutomaticRules_cisco { public: AutomaticRules_nxosacl(libfwbuilder::Firewall *fw, libfwbuilder::Library *presistent_objects) : AutomaticRules_cisco(fw, presistent_objects) {} void addSshAccessRule(); }; }; #endif fwbuilder-5.3.7/src/cisco_lib/BaseObjectGroup.cpp000066400000000000000000000162041303637203600217560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "BaseObjectGroup.h" #include "NamedObjectsAndGroupsSupport.h" #include "NamedObjectsManager.h" #include "fwbuilder/Address.h" #include "fwbuilder/Network.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/FWException.h" #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; map BaseObjectGroup::name_disambiguation; const char *BaseObjectGroup::TYPENAME={"BaseObjectGroup"}; FWObject& BaseObjectGroup::shallowDuplicate(const FWObject *other, bool preserve_id) throw(FWException) { gt = BaseObjectGroup::constcast(other)->gt; return FWObject::shallowDuplicate(other, preserve_id); } QString BaseObjectGroup::registerGroupName(const QString &prefix, object_group_type gt) { QString type_suffix; switch (gt) { case UNKNOWN: type_suffix = "unknown"; break; case NETWORK: type_suffix = "net"; break; case PROTO: type_suffix = "proto"; break; case ICMP_TYPE: type_suffix = "icmp"; break; case TCP_SERVICE: type_suffix = "tcp"; break; case UDP_SERVICE: type_suffix = "udp"; break; case TCP_UDP_SERVICE: type_suffix = "tcpudp"; break; case MIXED_SERVICE: type_suffix = "mixed"; break; default: type_suffix = "unknown"; break; } int n = 0; while (true) { QString full_name = QString("%1.%2.%3").arg(prefix).arg(type_suffix).arg(n); if (name_disambiguation.count(full_name) == 0) { name_disambiguation[full_name] = 0; return full_name; } n++; } return ""; } BaseObjectGroup::object_group_type BaseObjectGroup::getObjectGroupTypeFromFWObject( const FWObject *obj) { if (Address::constcast(obj)!=NULL) return NETWORK; if (IPService::constcast(obj)!=NULL) return PROTO; if (ICMPService::constcast(obj)!=NULL) return ICMP_TYPE; if 
(TCPService::constcast(obj)!=NULL) return TCP_SERVICE; if (UDPService::constcast(obj)!=NULL) return UDP_SERVICE; return UNKNOWN; } void BaseObjectGroup::setObjectGroupTypeFromFWObject(const FWObject *obj) { setObjectGroupType(getObjectGroupTypeFromFWObject(obj)); } void BaseObjectGroup::setObjectGroupTypeFromMembers( NamedObjectsManager *named_objects_manager) { object_group_type my_type = UNKNOWN; std::map type_counters; for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1) { const FWObject *obj = FWReference::getObject(*i1); NamedObject *named_object = named_objects_manager->named_objects[obj->getId()]; if (named_object) obj = named_object->getObject(); object_group_type t = getObjectGroupTypeFromFWObject(obj); if (type_counters.count(t) == 0) type_counters[t] = 1; else type_counters[t]++; } if (type_counters[NETWORK]!=0 && (type_counters[PROTO]!=0 || type_counters[ICMP_TYPE]!=0 || type_counters[TCP_SERVICE]!=0 || type_counters[UDP_SERVICE]!=0 || type_counters[MIXED_SERVICE]!=0)) throw FWException("Object group should not contain both " "network and service objects"); if (type_counters[NETWORK]!=0) my_type = NETWORK; if (type_counters[PROTO]==0 && type_counters[ICMP_TYPE]==0 && (type_counters[TCP_SERVICE]!=0 || type_counters[UDP_SERVICE]!=0) && type_counters[MIXED_SERVICE]==0) { if (type_counters[TCP_SERVICE]!=0 && type_counters[UDP_SERVICE]!=0) my_type = TCP_UDP_SERVICE; if (type_counters[TCP_SERVICE]!=0 && type_counters[UDP_SERVICE]==0) my_type = TCP_SERVICE; if (type_counters[TCP_SERVICE]==0 && type_counters[UDP_SERVICE]!=0) my_type = UDP_SERVICE; } if (type_counters[PROTO]!=0 && type_counters[ICMP_TYPE]==0 && type_counters[MIXED_SERVICE]==0) my_type = PROTO; if (type_counters[PROTO]==0 && type_counters[ICMP_TYPE]!=0 && type_counters[MIXED_SERVICE]==0) my_type = ICMP_TYPE; if (my_type==UNKNOWN) my_type = MIXED_SERVICE; setObjectGroupType(my_type); } bool BaseObjectGroup::isServiceGroup() { switch (getObjectGroupType()) { case PROTO: return true; 
case ICMP_TYPE: return true; case TCP_SERVICE: return true; case UDP_SERVICE: return true; case TCP_UDP_SERVICE: return true; case MIXED_SERVICE: return true; default: return false; } return false; } bool BaseObjectGroup::isObjectGroup() { switch (getObjectGroupType()) { case UNKNOWN: return true; case NETWORK: return true; default: return false; } return false; } string BaseObjectGroup::getSrvTypeName() { switch (getObjectGroupType()) { case ICMP_TYPE: return "icmp"; case TCP_SERVICE: return "tcp"; case UDP_SERVICE: return "udp"; case TCP_UDP_SERVICE: return "tcp-udp"; default: break; } return ""; } string BaseObjectGroup::getObjectGroupClass() { switch (getObjectGroupType()) { case PROTO: case ICMP_TYPE: case TCP_SERVICE: case UDP_SERVICE: case TCP_UDP_SERVICE: case MIXED_SERVICE: return "service"; default: return "network"; } return ""; } QString BaseObjectGroup::groupMemberToString(FWObject*, NamedObjectsManager*) throw(libfwbuilder::FWException) { return ""; } QString BaseObjectGroup::toString(NamedObjectsManager *nm) throw(FWException) { QStringList res; if (this->size()==0) return ""; res << getObjectGroupHeader().c_str(); for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1) { res << QString(" %1").arg( groupMemberToString(FWReference::getObject(*i1), nm)); } res << getObjectGroupFooter().c_str(); res << ""; return res.join("\n"); } string BaseObjectGroup::getObjectGroupHeader() { return ""; } string BaseObjectGroup::getObjectGroupFooter() { return ""; } fwbuilder-5.3.7/src/cisco_lib/BaseObjectGroup.h000066400000000000000000000061721303637203600214260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __BASEOBJECTGROUP_HH #define __BASEOBJECTGROUP_HH #include "NamedObject.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/FWException.h" #include namespace fwcompiler { class NamedObjectsManager; class BaseObjectGroup : public libfwbuilder::Group { public: typedef enum { UNKNOWN, NETWORK, PROTO, ICMP_TYPE, TCP_SERVICE, UDP_SERVICE, TCP_UDP_SERVICE, MIXED_SERVICE } object_group_type; private: object_group_type gt; public: static std::map name_disambiguation; static QString registerGroupName(const QString &prefix, object_group_type gt); BaseObjectGroup() : libfwbuilder::Group() { gt = UNKNOWN; } virtual ~BaseObjectGroup() {}; DECLARE_FWOBJECT_SUBTYPE(BaseObjectGroup); virtual bool validateChild(FWObject*) { return true; } virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(libfwbuilder::FWException); void setObjectGroupType(object_group_type _gt) { gt=_gt; } object_group_type getObjectGroupType() { return gt; } void setObjectGroupTypeFromMembers(NamedObjectsManager *named_obj_manager); object_group_type getObjectGroupTypeFromFWObject( const libfwbuilder::FWObject *o); void setObjectGroupTypeFromFWObject(const libfwbuilder::FWObject *obj); bool isServiceGroup(); bool isObjectGroup(); virtual std::string getSrvTypeName(); virtual std::string getObjectGroupClass(); virtual 
std::string getObjectGroupHeader(); virtual std::string getObjectGroupFooter(); virtual QString groupMemberToString( libfwbuilder::FWObject *obj, NamedObjectsManager *named_obj_manager) throw(libfwbuilder::FWException); virtual QString toString(NamedObjectsManager *named_obj_manager) throw(libfwbuilder::FWException); }; } #endif fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_iosacl.cpp000066400000000000000000000176651303637203600232340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #include #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "Configlet.h" #include "CompilerDriver_iosacl.h" #include "PolicyCompiler_iosacl.h" #include "ACL.h" #include "BaseObjectGroup.h" #include "NamedObjectsAndGroupsSupport.h" #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; #ifdef _WIN32 static string fs_separator = "\\"; #else static string fs_separator = "/"; #endif /* Names of the two firewall options consulted by safetyNetInstall(): the boolean that enables the temporary ACL and the string holding the management host/subnet address. */ CompilerDriver_iosacl::CompilerDriver_iosacl(FWObjectDatabase *db) : CompilerDriver(db) { safety_net_install_option_name = "iosacl_acl_substitution"; safety_net_install_acl_addr_option_name = "iosacl_acl_temp_addr"; } // create a copy of itself, including objdb CompilerDriver* CompilerDriver_iosacl::clone() { CompilerDriver_iosacl* new_cd = new CompilerDriver_iosacl(objdb); if (inEmbeddedMode()) new_cd->setEmbeddedMode(); return new_cd; } /* Writes prolog_code to file between "# Prolog script" and "# End of prolog script" marker lines. */ void CompilerDriver_iosacl::printProlog(QTextStream &file, const string &prolog_code) { file << endl; file << "#" << endl; file << "# Prolog script" << endl; file << "#" << endl; file << prolog_code << endl; file << "#" << endl; file << "# End of prolog script" << endl; file << "#" << endl; } /* Builds the "safety net" configuration text for fw. When the boolean option named by safety_net_install_option_name is set, the "cisco"/"safety_net_acl" configlet is expanded with the management address read from the option named by safety_net_install_acl_addr_option_name (IPv4 host, IPv4 "addr/netmask" or "addr/prefixlen", or IPv6) and the name/VLAN data of the first interface with isManagement(). A missing or unparsable address aborts compilation via abort(). Returns the expanded configlet text, or an empty string when the option is off. */ string CompilerDriver_iosacl::safetyNetInstall(Firewall *fw) { ostringstream output; if ( fw->getOptionsObject()->getBool(safety_net_install_option_name) ) { /* Generate short temporary ACL and assign it to all * interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500) as well as ssh from given subnet to any. 
*/ string temp_acl_addr = fw->getOptionsObject()->getStr( safety_net_install_acl_addr_option_name); if (temp_acl_addr.empty()) { QString err = QObject::tr("Missing address for management host or subnet " "for the temporary ACL.\nPlease enter it in the " "tab 'Script options' in 'Firewall Settings' dialog"); abort(fw, NULL, NULL, err.toStdString()); } // if templ_acl_addr is ipv4 address, then we can not create this // temporary ACL while compiling ipv6 policy. And vice versa. bool create_temp_acl = false; //bool tmp_acl_ipv6 = false; //UNUSED if (temp_acl_addr.find(":")!=string::npos) { //looks like ipv6 create_temp_acl = true; //tmp_acl_ipv6 = true; } else { // not ipv6, assume ipv4 create_temp_acl = true; //tmp_acl_ipv6 = false; } /* NOTE(review): both branches above set create_temp_acl = true, so the address-family restriction described in the preceding comment is not actually enforced; the family only influences the configlet variables via tmp_acl_v6 below. */ if (create_temp_acl) { string::size_type slash_idx = temp_acl_addr.find('/'); string addr = temp_acl_addr; string netmask = "255.255.255.255"; bool tmp_acl_v6 = false; // check if addr is v6 try { InetAddr addrv6(AF_INET6, temp_acl_addr); tmp_acl_v6 = true; } catch(FWException &ex) { // Assume cnf->maddr is ipv4 if (slash_idx!=string::npos) { addr = temp_acl_addr.substr(0,slash_idx); netmask = temp_acl_addr.substr(slash_idx+1); try { if (netmask.find(".")!=string::npos) { InetAddr nm(netmask); nm.getLength(); // to avoid warning abt unused var } else { int nm_length; istringstream str(netmask); str >> nm_length; /* NOTE(review): a non-numeric prefix length makes this extraction fail and leaves nm_length unset (or 0, depending on the C++ standard in use); whether InetAddr(int) then throws is not visible here — TODO confirm, since the result ends up in the generated ACL. */ InetAddr nm(nm_length); netmask = nm.toString(); } } catch(FWException &ex) { QString err = QObject::tr("Invalid netmask for management subnet: " "'%1'").arg(netmask.c_str()); abort(fw, NULL, NULL, err.toStdString()); } } try { InetAddr a(addr); a.isAny(); } catch(FWException &ex) { QString err = QObject::tr("Invalid address for management subnet: " "'%1'").arg(addr.c_str()); abort(fw, NULL, NULL, err.toStdString()); } } Configlet configlet(fw, "cisco", "safety_net_acl"); configlet.collapseEmptyStrings(true); if (tmp_acl_v6) { /* IPv6: the option string is passed through unchanged (addr still includes any "/prefix"), and the configlet is told whether slash notation was used. */ configlet.setVariable("ipv4", false); configlet.setVariable("ipv6", true); 
configlet.setVariable("slash_notation", slash_idx!=string::npos); configlet.setVariable("host_addr", slash_idx==string::npos); configlet.setVariable("management_addr", addr.c_str()); configlet.setVariable("management_netm", ""); } else { /* inverted netmask — wildcard-mask form, presumably what the safety_net_acl configlet expects for IPv4 ACL entries */ InetAddr nnm( ~(InetAddr(netmask)) ); configlet.setVariable("ipv4", true); configlet.setVariable("ipv6", false); configlet.setVariable("management_addr", addr.c_str()); configlet.setVariable("management_netm", nnm.toString().c_str()); } // find management interface list ll = fw->getByType(Interface::TYPENAME); for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { Interface *intf = Interface::cast( *i ); if (intf->isManagement()) { configlet.setVariable("management_interface", intf->getName().c_str()); FWOptions *ifopt = intf->getOptionsObject(); string itype = ifopt->getStr("type"); configlet.setVariable("management_interface_is_vlan", (itype == "8021q")); configlet.setVariable("management_interface_is_not_vlan", (itype != "8021q")); if (itype == "8021q") configlet.setVariable("management_interface_vlan_id", ifopt->getInt("vlan_id")); else configlet.setVariable("management_interface_vlan_id", ""); break; } } /* NOTE(review): if no interface has isManagement() set, "management_interface" and the related variables are never assigned; how the configlet renders in that case is not visible here. */ output << configlet.expand().toStdString(); output << endl; } } return output.str(); } fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_iosacl.h000066400000000000000000000052041303637203600226630ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COMPILER_DRIVER_IOSACL_HH__ #define __COMPILER_DRIVER_IOSACL_HH__ #include "CompilerDriver.h" #include #include #include namespace libfwbuilder { class FWObjectDatabase; class Cluster; class ClusterGroup; class Firewall; class RuleSet; class Interface; }; namespace fwcompiler { class ciscoACL; class NamedObjectsManager; class CompilerDriver_iosacl : public CompilerDriver { protected: std::string system_configuration_script; std::string nat_script; std::string policy_script; std::string routing_script; std::string safety_net_install_option_name; std::string safety_net_install_acl_addr_option_name; std::string safetyNetInstall(libfwbuilder::Firewall *fw); void printProlog(QTextStream &file, const std::string &prolog_code); virtual QString assembleManifest(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member); virtual QString printActivationCommands(libfwbuilder::Firewall *fw); virtual QString assembleFwScript(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member, OSConfigurator *ocsnf); public: CompilerDriver_iosacl(libfwbuilder::FWObjectDatabase *db); // create a copy of itself, including objdb virtual CompilerDriver* clone(); virtual QString run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id); }; }; #endif fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_iosacl_run.cpp000066400000000000000000000356661303637203600241210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #include #include #include #include "CompilerDriver_iosacl.h" #include "AutomaticRules_iosacl.h" #include "PolicyCompiler_iosacl.h" #include "RoutingCompiler_iosacl.h" #include "OSConfigurator_ios.h" #include "NamedObjectsAndGroupsSupport.h" #include "NamedObjectsManagerIOS.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/ClusterGroup.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Routing.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/XMLTools.h" #include "fwcompiler/Preprocessor.h" #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; QString CompilerDriver_iosacl::assembleManifest(Cluster *, Firewall* , bool ) { QString script_buffer; QTextStream script(&script_buffer, QIODevice::WriteOnly); script << "!" 
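<< MANIFEST_MARKER << "* " << this->escapeFileName(file_names[FW_FILE]) << endl;
    return script_buffer;
}

// No activation step exists for this platform: the script skeleton
// receives an empty string for its activation commands.
QString CompilerDriver_iosacl::printActivationCommands(Firewall*)
{
    return "";
}

/*
 * Fill the "cisco" script_skeleton configlet with the four script
 * fragments accumulated by run() and let the shared
 * assembleFwScriptInternal() produce the final text with "!" as the
 * comment marker.
 *
 * The prolog/epilog options are copied from their iosacl_* variants so
 * the shared code finds them under the generic names, and prolog_place
 * is cleared because this platform offers no choice of prolog position.
 * NB: both writes go into the firewall's option object, i.e. this has
 * a side effect on fw.
 */
QString CompilerDriver_iosacl::assembleFwScript(Cluster *cluster,
                                                Firewall *fw,
                                                bool cluster_member,
                                                OSConfigurator *oscnf)
{
    Configlet script_skeleton(fw, "cisco", "script_skeleton");
    Configlet top_comment(fw, "cisco", "top_comment");

    script_skeleton.setVariable("system_configuration_script",
                                QString::fromUtf8(system_configuration_script.c_str()));
    script_skeleton.setVariable("policy_script",
                                QString::fromUtf8(policy_script.c_str()));
    script_skeleton.setVariable("nat_script",
                                QString::fromUtf8(nat_script.c_str()));
    script_skeleton.setVariable("routing_script",
                                QString::fromUtf8(routing_script.c_str()));

    FWOptions* options = fw->getOptionsObject();
    options->setStr("prolog_script", options->getStr("iosacl_prolog_script"));
    options->setStr("epilog_script", options->getStr("iosacl_epilog_script"));

    // we do not offer user a choice of the place where to put prolog
    // lines, therefore we can reset this attribute to make sure it
    // does not interfere
    options->setStr("prolog_place", "");

    assembleFwScriptInternal(cluster, fw, cluster_member, oscnf,
                             &script_skeleton, &top_comment, "!", true);
    return script_skeleton.expand();
}

/*
 * Compile one IOS ACL firewall (or one member of a cluster) and write
 * the resulting configuration script to the output file chosen by
 * determineOutputFileNames().
 *
 * cluster_id      id of the cluster object; empty for a standalone firewall
 * firewall_id     id of the firewall object to compile
 * single_rule_id  when non-empty only this rule is compiled and its text
 *                 is returned instead of being written to a file
 *
 * Returns "" after the script has been written (status carries
 * FWCOMPILER_WARNING when any compiler reported errors or warnings),
 * the single-rule output in single-rule mode, or the exception text if
 * an FWException escaped (status is then FWCOMPILER_ERROR).
 */
QString CompilerDriver_iosacl::run(const std::string &cluster_id,
                                   const std::string &firewall_id,
                                   const std::string &single_rule_id)
{
    Cluster *cluster = NULL;
    Firewall *fw = NULL;

    getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);

    try
    {
        clearReadOnly(fw);

        // Copy rules from the cluster object
        populateClusterElements(cluster, fw);

        commonChecks2(cluster, fw);

        // Note that fwobjectname may be different from the name of the
        // firewall fw This happens when we compile a member of a cluster
        current_firewall_name = fw->getName().c_str();

        determineOutputFileNames(cluster, fw, !cluster_id.empty(),
                                 QStringList(""), QStringList("fw"),
                                 QStringList(""));

        /* Now that all checks are done, we can drop copies of cluster
         * interfaces that were added to the firewall by
         * CompilerDriver::populateClusterElements()
         */
        list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
        list<FWObject*> copies_of_cluster_interfaces;
        for (std::list<FWObject*>::iterator i=all_interfaces.begin();
             i!=all_interfaces.end(); ++i)
        {
            Interface *iface = Interface::cast(*i);
            assert(iface);
            if (iface->getOptionsObject()->getBool("cluster_interface"))
                copies_of_cluster_interfaces.push_back(iface);
        }
        // Removal happens in a second pass so the list walked above is
        // never modified while it is being iterated.
        while (copies_of_cluster_interfaces.size())
        {
            fw->remove(copies_of_cluster_interfaces.front());
            copies_of_cluster_interfaces.pop_front();
        }

        FWOptions* options = fw->getOptionsObject();

        // An unset or generic "12.x" version is mapped to 12.1. Note the
        // resource lookup below still uses the value read before this
        // adjustment, so a missing clear-ACL command for that value
        // also forces 12.1.
        string fwvers = fw->getStr("version");
        if (fwvers == "") fw->setStr("version", "12.1");
        if (fwvers == "12.x") fw->setStr("version", "12.1");

        string platform = fw->getStr("platform");
        string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
            string("/FWBuilderResources/Target/options/") +
            "version_" + fwvers + "/iosacl_commands/clear_ip_acl");

        if (clearACLCmd.empty())
        {
            // incorrect version. This could have happened if user converted
            // firewall platform. See bug #2662290
            fw->setStr("version", "12.1");
        }

        // Default the ACL installation mode when none of the three
        // mutually exclusive choices is set.
        bool ios_acl_basic = options->getBool("ios_acl_basic");
        bool ios_acl_no_clear = options->getBool("ios_acl_no_clear");
        bool ios_acl_substitution = options->getBool("ios_acl_substitution");
        bool ios_add_clear_statements = options->getBool("ios_add_clear_statements");

        if ( !ios_acl_basic && !ios_acl_no_clear && !ios_acl_substitution )
        {
            if ( ios_add_clear_statements )
                options->setBool("ios_acl_basic",true);
            else
                options->setBool("ios_acl_no_clear",true);
        }
        // NOTE(review): the defaults above are stored under "ios_acl_basic"
        // / "ios_acl_no_clear", but the decision near the end of this
        // function reads "iosacl_acl_basic" / "iosacl_acl_substitution".
        // Confirm which spelling the options dialog writes; if it is the
        // latter, the defaulting here is never observed by that check.

        // std::auto_ptr is deprecated in newer C++ standards; kept because
        // the rest of this file relies on it.
        std::auto_ptr<OSConfigurator> oscnf(new OSConfigurator_ios(objdb, fw, false));

        oscnf->prolog();
        oscnf->processFirewallOptions();

        list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);

        // Add the automatic rule that keeps ssh access open; a failure
        // here is turned into a compiler abort.
        try
        {
            AutomaticRules_iosacl auto_rules(fw, persistent_objects);
            auto_rules.addSshAccessRule();
        } catch (FWException &ex)
        {
            abort(ex.toString());
        }

        // assign unique rule ids that later will be used to generate
        // chain names. This should be done after calls to
        // findImportedRuleSets()
        // NB: these ids are not used by this compiler
        assignUniqueRuleIds(all_policies);

        vector<int> ipv4_6_runs;

        if (!single_rule_compile_on)
            system_configuration_script = safetyNetInstall(fw);

        NamedObjectsManagerIOS named_objects_manager(persistent_objects, fw);

        // command line options -4 and -6 control address family for which
        // script will be generated. If "-4" is used, only ipv4 part will
        // be generated. If "-6" is used, only ipv6 part will be generated.
        // If neither is used, both parts will be done.
        if (options->getStr("ipv4_6_order").empty() ||
            options->getStr("ipv4_6_order") == "ipv4_first")
        {
            if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
            if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
        }

        if (options->getStr("ipv4_6_order") == "ipv6_first")
        {
            if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
            if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
        }

        string clear_commands;
        string object_groups_definitions;

        for (vector<int>::iterator i=ipv4_6_runs.begin();
             i!=ipv4_6_runs.end(); ++i)
        {
            int policy_af = *i;
            bool ipv6_policy = (policy_af == AF_INET6);

            // Count the policy rule sets that match this address family;
            // the preprocessor only runs when there is at least one.
            int policy_count = 0;
            for (list<FWObject*>::iterator p=all_policies.begin();
                 p!=all_policies.end(); ++p)
            {
                Policy *policy = Policy::cast(*p);
                if (policy->matchingAddressFamily(policy_af)) policy_count++;
            }

            if (policy_count)
            {
                std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb, fw, false));
                if (inTestMode()) prep->setTestMode();
                if (inEmbeddedMode()) prep->setEmbeddedMode();
                prep->compile();
            }

            for (list<FWObject*>::iterator p=all_policies.begin();
                 p!=all_policies.end(); ++p )
            {
                Policy *policy = Policy::cast(*p);
                if (!policy->matchingAddressFamily(policy_af)) continue;

                PolicyCompiler_iosacl c(objdb, fw, ipv6_policy, oscnf.get());

                c.setNamedObjectsManager(&named_objects_manager);
                c.setSourceRuleSet( policy );
                c.setRuleSetName(policy->getName());
                c.setPersistentObjects(persistent_objects);
                c.setSingleRuleCompileMode(single_rule_id);
                if (inTestMode()) c.setTestMode();
                if (inEmbeddedMode()) c.setEmbeddedMode();
                c.setDebugLevel( dl );
                if (rule_debug_on) c.setDebugRule( drp );
                c.setVerbose( verbose );

                if ( c.prolog() > 0 )
                {
                    c.compile();
                    c.epilog();

                    // Section banners only make sense in the full script.
                    if (!single_rule_compile_on)
                    {
                        if (ipv6_policy)
                        {
                            policy_script += "\n\n";
                            policy_script += "! ================ IPv6\n";
                            policy_script += "\n\n";
                        } else
                        {
                            policy_script += "\n\n";
                            policy_script += "! ================ IPv4\n";
                            policy_script += "\n\n";
                        }
                    }

                    if (c.haveErrorsAndWarnings())
                    {
                        all_errors.push_back(c.getErrors("").c_str());
                    }
                    policy_script += c.getCompiledScript();
                    clear_commands += c.printClearCommands();
                    //named_objects_manager.saveObjectGroups();
                } else
                    info(" Nothing to compile in Policy");
            }

            if (!ipv6_policy)
            {
                // currently routing is supported only for ipv4
                list<FWObject*> all_routing = fw->getByType(Routing::TYPENAME);
                // front() of an empty list is undefined behaviour; a
                // firewall object without a Routing rule set simply has
                // nothing to compile here.
                if (all_routing.empty())
                {
                    info(" Nothing to compile in Routing");
                } else
                {
                    RuleSet *routing = RuleSet::cast(all_routing.front());

                    RoutingCompiler_iosacl r(objdb, fw, false, oscnf.get());

                    r.setNamedObjectsManager(&named_objects_manager);
                    r.setSourceRuleSet(routing);
                    r.setRuleSetName(routing->getName());
                    r.setPersistentObjects(persistent_objects);
                    r.setSingleRuleCompileMode(single_rule_id);
                    if (inTestMode()) r.setTestMode();
                    if (inEmbeddedMode()) r.setEmbeddedMode();
                    r.setDebugLevel( dl );
                    if (rule_debug_on) r.setDebugRule( drp );
                    r.setVerbose( verbose );

                    if ( r.prolog() > 0 )
                    {
                        r.compile();
                        r.epilog();
                        if (r.haveErrorsAndWarnings())
                        {
                            all_errors.push_back(r.getErrors("").c_str());
                        }
                        routing_script += r.getCompiledScript();
                    } else
                        info(" Nothing to compile in Routing");
                }
            }
        }

        /*
         * compilers detach persistent objects when they finish, this
         * means at this point library persistent_objects is not part
         * of any object tree.
         */
        objdb->reparent(persistent_objects);

        if (haveErrorsAndWarnings())
        {
            all_errors.push_front(getErrors("").c_str());
        }

        object_groups_definitions +=
            named_objects_manager.getNamedObjectsDefinitions();

        if (single_rule_compile_on)
        {
            return formSingleRuleCompileOutput(
                QString::fromUtf8(
                    (object_groups_definitions + policy_script + routing_script).c_str()));
        }

        if ( fw->getOptionsObject()->getBool("iosacl_acl_basic") ||
             fw->getOptionsObject()->getBool("iosacl_acl_substitution"))
        {
            clear_commands += named_objects_manager.getClearCommands() + "\n";
        }

        system_configuration_script += clear_commands;
        system_configuration_script += object_groups_definitions;

        QString script_buffer = assembleFwScript(
            cluster, fw, !cluster_id.empty(), oscnf.get());

        QString ofname = getAbsOutputFileName(file_names[FW_FILE]);

        info("Output file name: " + ofname.toStdString());
        QFile fw_file(ofname);
        if (fw_file.open(QIODevice::WriteOnly))
        {
            QTextStream fw_str(&fw_file);
            fw_str << script_buffer;
            fw_file.close();
            // NOTE(review): the script ends up mode 0755, readable by every
            // user on the host, and it is created under the default umask
            // before this chmod runs. It embeds the prolog/epilog scripts
            // and the whole policy, so anything confidential in those is
            // exposed through the output directory. Left unchanged because
            // callers may depend on the executable bits.
            fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner |
                                   QFile::ReadGroup | QFile::ReadOther |
                                   QFile::ExeOwner  | QFile::ExeGroup |
                                   QFile::ExeOther );
            info(" Compiled successfully");
        } else
        {
            QString err(" Failed to open file %1 for writing: %2; Current dir: %3");
            abort(err.arg(fw_file.fileName())
                  .arg(fw_file.error()).arg(QDir::current().path()).toStdString());
        }

        if (!all_errors.isEmpty())
            status = BaseCompiler::FWCOMPILER_WARNING;

    }
    catch (FWException &ex)
    {
        status = BaseCompiler::FWCOMPILER_ERROR;
        return QString::fromUtf8(ex.toString().c_str());
    }

    return "";
}
fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_nxosacl.cpp000066400000000000000000000177001303637203600234170ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.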
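You may redistribute and/or modify this program under the terms of that
license as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

To get a copy of the GNU General Public License,
write to the Free Software Foundation, Inc.,
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "../../config.h"

// NOTE(review): the nine system headers that follow lost their <name>
// arguments in this rendering of the file; the names cannot be
// recovered from the text shown here.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"

#include "Configlet.h"
#include "CompilerDriver_nxosacl.h"
#include "PolicyCompiler_nxosacl.h"
#include "ACL.h"
#include "BaseObjectGroup.h"
#include "NamedObjectsAndGroupsSupport.h"

// NOTE(review): three more system headers with lost <name> arguments.
#include
#include
#include

using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;

#ifdef _WIN32
static string fs_separator = "\\";
#else
static string fs_separator = "/";
#endif

// The two option names are consulted by safetyNetInstall(): the switch
// that enables the temporary ACL and the management address/subnet it
// permits.
CompilerDriver_nxosacl::CompilerDriver_nxosacl(FWObjectDatabase *db) :
    CompilerDriver(db)
{
    safety_net_install_option_name = "nxosacl_acl_substitution";
    safety_net_install_acl_addr_option_name = "nxosacl_acl_temp_addr";
}

// create a copy of itself, including objdb
CompilerDriver* CompilerDriver_nxosacl::clone()
{
    CompilerDriver_nxosacl* new_cd = new CompilerDriver_nxosacl(objdb);
    if (inEmbeddedMode()) new_cd->setEmbeddedMode();
    return new_cd;
}

// Write prolog_code to file, framed by "#" lines.
// NOTE(review): assembleFwScript() for this platform passes "!" as the
// comment marker; confirm that "#" is acceptable where this output
// lands, or that this override is not the one used.
void CompilerDriver_nxosacl::printProlog(QTextStream &file,
                                         const string &prolog_code)
{
    file << endl;
    file << "#" << endl;
    file << "# Prolog script" << endl;
    file << "#" << endl;
    file << prolog_code << endl;
    file << "#" << endl;
    file << "# End of prolog script" << endl;
    file << "#" << endl;
}

/*
 * Expand the "safety_net_acl" configlet: a short temporary ACL that
 * permits IPsec and ssh from the management host or subnet (see the
 * comment inside). Returns the expanded text, or an empty string when
 * the firewall option named by safety_net_install_option_name is off.
 *
 * The source is read from the option named by
 * safety_net_install_acl_addr_option_name and may be "addr",
 * "addr/len" or "addr/dotted-mask" for IPv4, or an IPv6 address. A
 * missing or unparsable value aborts compilation with a user-facing
 * message. Because this ACL opens management access from that source,
 * a mask that is accepted but wrong widens what can reach the device,
 * so the prefix-length parser rejects anything that is not a complete,
 * in-range integer rather than falling back to a default.
 */
string CompilerDriver_nxosacl::safetyNetInstall(Firewall *fw)
{
    ostringstream output;

    if ( fw->getOptionsObject()->getBool(safety_net_install_option_name) )
    {
        /* Generate short temporary ACL and assign it to all
         * interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500)
         * as well as ssh from given subnet to any.
         */
        string temp_acl_addr = fw->getOptionsObject()->getStr(
            safety_net_install_acl_addr_option_name);

        if (temp_acl_addr.empty())
        {
            QString err = QObject::tr("Missing address for management host or subnet "
                                      "for the temporary ACL.\nPlease enter it in the "
                                      "tab 'Script options' in 'Firewall Settings' dialog");
            abort(fw, NULL, NULL, err.toStdString());
        }

        // if templ_acl_addr is ipv4 address, then we can not create this
        // temporary ACL while compiling ipv6 policy. And vice versa.
        // Both branches below set the flag, so the ACL is always built;
        // the real v4/v6 decision is made with InetAddr further down.
        bool create_temp_acl = false;
        //bool tmp_acl_ipv6 = false; //UNUSED

        if (temp_acl_addr.find(":")!=string::npos)
        {
            //looks like ipv6
            create_temp_acl = true;
            //tmp_acl_ipv6 = true;
        } else
        {
            // not ipv6, assume ipv4
            create_temp_acl = true;
            //tmp_acl_ipv6 = false;
        }

        if (create_temp_acl)
        {
            string::size_type slash_idx = temp_acl_addr.find('/');
            string addr = temp_acl_addr;
            string netmask = "255.255.255.255";
            bool tmp_acl_v6 = false;

            // check if addr is v6
            try
            {
                InetAddr addrv6(AF_INET6, temp_acl_addr);
                tmp_acl_v6 = true;
            } catch(FWException &ex)
            {
                // Assume cnf->maddr is ipv4
                if (slash_idx!=string::npos)
                {
                    addr = temp_acl_addr.substr(0,slash_idx);
                    netmask = temp_acl_addr.substr(slash_idx+1);
                    try
                    {
                        if (netmask.find(".")!=string::npos)
                        {
                            // Dotted mask: InetAddr validates it.
                            InetAddr nm(netmask);
                            nm.getLength(); // to avoid warning abt unused var
                        } else
                        {
                            // Prefix length ("/24"). Insist on a complete
                            // integer in 0..32: a partially parsed or
                            // defaulted value would silently yield a
                            // wider mask than the user typed.
                            int nm_length = -1;
                            istringstream str(netmask);
                            if (!(str >> nm_length) || nm_length < 0 || nm_length > 32 ||
                                !(str >> std::ws).eof())
                                throw FWException("invalid prefix length");
                            InetAddr nm(nm_length);
                            netmask = nm.toString();
                        }
                    } catch(FWException &ex)
                    {
                        QString err = QObject::tr("Invalid netmask for management subnet: "
                                                  "'%1'").arg(netmask.c_str());
                        abort(fw, NULL, NULL, err.toStdString());
                    }
                }

                try
                {
                    InetAddr a(addr);
                    a.isAny();
                } catch(FWException &ex)
                {
                    QString err = QObject::tr("Invalid address for management subnet: "
                                              "'%1'").arg(addr.c_str());
                    abort(fw, NULL, NULL, err.toStdString());
                }
            }

            Configlet configlet(fw, "cisco", "safety_net_acl");
            configlet.collapseEmptyStrings(true);

            if (tmp_acl_v6)
            {
                configlet.setVariable("ipv4", false);
                configlet.setVariable("ipv6", true);
                configlet.setVariable("slash_notation", slash_idx!=string::npos);
                configlet.setVariable("host_addr", slash_idx==string::npos);
                configlet.setVariable("management_addr", addr.c_str());
                configlet.setVariable("management_netm", "");
            } else
            {
                // The configlet expects the wildcard (inverted) mask.
                InetAddr nnm( ~(InetAddr(netmask)) );
                configlet.setVariable("ipv4", true);
                configlet.setVariable("ipv6", false);
                configlet.setVariable("management_addr", addr.c_str());
                configlet.setVariable("management_netm", nnm.toString().c_str());
            }

            // find management interface
            list<FWObject*> ll = fw->getByType(Interface::TYPENAME);
            for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++)
            {
                Interface *intf = Interface::cast( *i );
                if (intf->isManagement())
                {
                    configlet.setVariable("management_interface",
                                          intf->getName().c_str());
                    FWOptions *ifopt = intf->getOptionsObject();
                    string itype = ifopt->getStr("type");
                    configlet.setVariable("management_interface_is_vlan",
                                          (itype == "8021q"));
                    configlet.setVariable("management_interface_is_not_vlan",
                                          (itype != "8021q"));
                    if (itype == "8021q")
                        configlet.setVariable("management_interface_vlan_id",
                                              ifopt->getInt("vlan_id"));
                    else
                        configlet.setVariable("management_interface_vlan_id", "");
                    break;
                }
            }

            output << configlet.expand().toStdString();
            output << endl;
        }
    }

    return output.str();
}
fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_nxosacl.h000066400000000000000000000052101303637203600230570ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.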
You may redistribute and/or modify this program under the terms of that
license as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

To get a copy of the GNU General Public License,
write to the Free Software Foundation, Inc.,
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#ifndef __COMPILER_DRIVER_NXOSACL_HH__
#define __COMPILER_DRIVER_NXOSACL_HH__

#include "CompilerDriver.h"

// NOTE(review): three system headers whose <name> arguments are lost in
// this rendering of the file.
#include
#include
#include

namespace libfwbuilder {
    class FWObjectDatabase;
    class Cluster;
    class ClusterGroup;
    class Firewall;
    class RuleSet;
    class Interface;
};

namespace fwcompiler {

    class ciscoACL;
    class NamedObjectsManager;

    // Compiler driver for Cisco NX-OS access lists. run() fills the
    // four *_script buffers below and assembleFwScript() merges them
    // into the final text.
    class CompilerDriver_nxosacl : public CompilerDriver {

protected:

        // Script fragments accumulated during run(); nat_script is
        // declared but not filled by the code visible in this driver.
        std::string system_configuration_script;
        std::string nat_script;
        std::string policy_script;
        std::string routing_script;

        // Firewall option names read by safetyNetInstall(); set in the
        // constructor.
        std::string safety_net_install_option_name;
        std::string safety_net_install_acl_addr_option_name;

        // Expand the temporary "safety net" ACL configlet, or return ""
        // when the corresponding option is off.
        std::string safetyNetInstall(libfwbuilder::Firewall *fw);

        // Write prolog_code to file framed by "#" comment lines.
        void printProlog(QTextStream &file, const std::string &prolog_code);

        virtual QString assembleManifest(libfwbuilder::Cluster *cluster,
                                         libfwbuilder::Firewall* fw,
                                         bool cluster_member);
        virtual QString printActivationCommands(libfwbuilder::Firewall *fw);
        // NB: the last parameter is spelled "ocsnf" here and "oscnf" in
        // the implementation; harmless, but easy to misread.
        virtual QString assembleFwScript(libfwbuilder::Cluster *cluster,
                                         libfwbuilder::Firewall* fw,
                                         bool cluster_member,
                                         OSConfigurator *ocsnf);

public:

        CompilerDriver_nxosacl(libfwbuilder::FWObjectDatabase *db);

        // create a copy of itself, including objdb
        virtual CompilerDriver* clone();

        // Compile the firewall (or cluster member) identified by the ids;
        // a non-empty single_rule_id compiles only that rule and returns
        // its text instead of writing a file.
        virtual QString run(const std::string &cluster_id,
                            const std::string &firewall_id,
                            const std::string &single_rule_id);
    };
};

#endif
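fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_nxosacl_run.cpp000066400000000000000000000357271303637203600243120ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.

  You may redistribute and/or modify this program under the terms of that
  license as published by the Free Software Foundation; either version 2
  of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License,
  write to the Free Software Foundation, Inc.,
  59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "../../config.h"

// NOTE(review): the nine system headers that follow lost their <name>
// arguments in this rendering of the file; the names cannot be
// recovered from the text shown here.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "CompilerDriver_nxosacl.h"
#include "AutomaticRules_nxosacl.h"
#include "PolicyCompiler_nxosacl.h"
#include "RoutingCompiler_nxosacl.h"
#include "OSConfigurator_nxos.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "NamedObjectsManagerNXOS.h"

#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/XMLTools.h"

#include "fwcompiler/Preprocessor.h"

// NOTE(review): four more system headers with lost <name> arguments.
#include
#include
#include
#include

using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;

// The manifest is a single "!" comment line naming the generated
// script so the installer can locate it.
QString CompilerDriver_nxosacl::assembleManifest(Cluster *, Firewall* , bool )
{
    QString script_buffer;
    QTextStream script(&script_buffer, QIODevice::WriteOnly);
    script << "!" << MANIFEST_MARKER << "* "
           << this->escapeFileName(file_names[FW_FILE]) << endl;
    return script_buffer;
}

// No activation step exists for this platform: the script skeleton
// receives an empty string for its activation commands.
QString CompilerDriver_nxosacl::printActivationCommands(Firewall*)
{
    return "";
}

/*
 * Fill the "cisco" script_skeleton configlet with the four script
 * fragments accumulated by run() and let the shared
 * assembleFwScriptInternal() produce the final text with "!" as the
 * comment marker.
 *
 * The prolog/epilog options are copied from their nxosacl_* variants so
 * the shared code finds them under the generic names, and prolog_place
 * is cleared because this platform offers no choice of prolog position.
 * NB: both writes go into the firewall's option object, i.e. this has
 * a side effect on fw.
 */
QString CompilerDriver_nxosacl::assembleFwScript(Cluster *cluster,
                                                 Firewall *fw,
                                                 bool cluster_member,
                                                 OSConfigurator *oscnf)
{
    Configlet script_skeleton(fw, "cisco", "script_skeleton");
    Configlet top_comment(fw, "cisco", "top_comment");

    script_skeleton.setVariable("system_configuration_script",
                                QString::fromUtf8(system_configuration_script.c_str()));
    script_skeleton.setVariable("policy_script",
                                QString::fromUtf8(policy_script.c_str()));
    script_skeleton.setVariable("nat_script",
                                QString::fromUtf8(nat_script.c_str()));
    script_skeleton.setVariable("routing_script",
                                QString::fromUtf8(routing_script.c_str()));

    FWOptions* options = fw->getOptionsObject();
    options->setStr("prolog_script", options->getStr("nxosacl_prolog_script"));
    options->setStr("epilog_script", options->getStr("nxosacl_epilog_script"));

    // we do not offer user a choice of the place where to put prolog
    // lines, therefore we can reset this attribute to make sure it
    // does not interfere
    options->setStr("prolog_place", "");

    assembleFwScriptInternal(cluster, fw, cluster_member, oscnf,
                             &script_skeleton, &top_comment, "!", true);
    return script_skeleton.expand();
}

/*
 * Compile one NX-OS ACL firewall (or one member of a cluster) and write
 * the resulting configuration script to the output file chosen by
 * determineOutputFileNames().
 *
 * cluster_id      id of the cluster object; empty for a standalone firewall
 * firewall_id     id of the firewall object to compile
 * single_rule_id  when non-empty only this rule is compiled and its text
 *                 is returned instead of being written to a file
 *
 * Returns "" after the script has been written (status carries
 * FWCOMPILER_WARNING when any compiler reported errors or warnings),
 * the single-rule output in single-rule mode, or the exception text if
 * an FWException escaped (status is then FWCOMPILER_ERROR).
 */
QString CompilerDriver_nxosacl::run(const std::string &cluster_id,
                                    const std::string &firewall_id,
                                    const std::string &single_rule_id)
{
    Cluster *cluster = NULL;
    Firewall *fw = NULL;

    getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);

    try
    {
        clearReadOnly(fw);

        // Copy rules from the cluster object
        populateClusterElements(cluster, fw);

        commonChecks2(cluster, fw);

        // Note that fwobjectname may be different from the name of the
        // firewall fw This happens when we compile a member of a cluster
        current_firewall_name = fw->getName().c_str();

        determineOutputFileNames(cluster, fw, !cluster_id.empty(),
                                 QStringList(""), QStringList("fw"),
                                 QStringList(""));

        /* Now that all checks are done, we can drop copies of cluster
         * interfaces that were added to the firewall by
         * CompilerDriver::populateClusterElements()
         */
        list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
        list<FWObject*> copies_of_cluster_interfaces;
        for (std::list<FWObject*>::iterator i=all_interfaces.begin();
             i!=all_interfaces.end(); ++i)
        {
            Interface *iface = Interface::cast(*i);
            assert(iface);
            if (iface->getOptionsObject()->getBool("cluster_interface"))
                copies_of_cluster_interfaces.push_back(iface);
        }
        // Removal happens in a second pass so the list walked above is
        // never modified while it is being iterated.
        while (copies_of_cluster_interfaces.size())
        {
            fw->remove(copies_of_cluster_interfaces.front());
            copies_of_cluster_interfaces.pop_front();
        }

        FWOptions* options = fw->getOptionsObject();

        // An unset or generic "12.x" version is mapped to 12.1. Note the
        // resource lookup below still uses the value read before this
        // adjustment, so a missing clear-ACL command for that value
        // also forces 12.1.
        // NOTE(review): "12.1" and "12.x" look like IOS version strings
        // carried over from the IOS driver; confirm the NX-OS platform
        // resources actually define a "version_12.1" entry.
        string fwvers = fw->getStr("version");
        if (fwvers == "") fw->setStr("version", "12.1");
        if (fwvers == "12.x") fw->setStr("version", "12.1");

        string platform = fw->getStr("platform");
        string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
            string("/FWBuilderResources/Target/options/") +
            "version_" + fwvers + "/nxosacl_commands/clear_ip_acl");

        if (clearACLCmd.empty())
        {
            // incorrect version. This could have happened if user converted
            // firewall platform. See bug #2662290
            fw->setStr("version", "12.1");
        }

        // Default the ACL installation mode when none of the three
        // mutually exclusive choices is set.
        bool nxos_acl_basic = options->getBool("nxos_acl_basic");
        bool nxos_acl_no_clear = options->getBool("nxos_acl_no_clear");
        bool nxos_acl_substitution = options->getBool("nxos_acl_substitution");
        bool nxos_add_clear_statements = options->getBool("nxos_add_clear_statements");

        if ( !nxos_acl_basic && !nxos_acl_no_clear && !nxos_acl_substitution )
        {
            if ( nxos_add_clear_statements )
                options->setBool("nxos_acl_basic",true);
            else
                options->setBool("nxos_acl_no_clear",true);
        }
        // NOTE(review): the defaults above are stored under "nxos_acl_*",
        // but the decision near the end of this function reads
        // "nxosacl_acl_basic" / "nxosacl_acl_substitution", and the
        // constructor's safety-net option is "nxosacl_acl_substitution".
        // Confirm which spelling the options dialog writes; with the
        // latter, the defaulting here is never observed by those checks.

        // std::auto_ptr is deprecated in newer C++ standards; kept because
        // the rest of this file relies on it.
        std::auto_ptr<OSConfigurator> oscnf(new OSConfigurator_nxos(objdb, fw, false));

        oscnf->prolog();
        oscnf->processFirewallOptions();

        list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);

        // Add the automatic rule that keeps ssh access open; a failure
        // here is turned into a compiler abort.
        try
        {
            AutomaticRules_nxosacl auto_rules(fw, persistent_objects);
            auto_rules.addSshAccessRule();
        } catch (FWException &ex)
        {
            abort(ex.toString());
        }

        // assign unique rule ids that later will be used to generate
        // chain names. This should be done after calls to
        // findImportedRuleSets()
        // NB: these ids are not used by this compiler
        assignUniqueRuleIds(all_policies);

        vector<int> ipv4_6_runs;

        if (!single_rule_compile_on)
            system_configuration_script = safetyNetInstall(fw);

        NamedObjectsManagerNXOS named_objects_manager(persistent_objects, fw);

        // command line options -4 and -6 control address family for which
        // script will be generated. If "-4" is used, only ipv4 part will
        // be generated. If "-6" is used, only ipv6 part will be generated.
        // If neither is used, both parts will be done.
        if (options->getStr("ipv4_6_order").empty() ||
            options->getStr("ipv4_6_order") == "ipv4_first")
        {
            if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
            if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
        }

        if (options->getStr("ipv4_6_order") == "ipv6_first")
        {
            if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
            if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
        }

        string clear_commands;
        string object_groups_definitions;

        for (vector<int>::iterator i=ipv4_6_runs.begin();
             i!=ipv4_6_runs.end(); ++i)
        {
            int policy_af = *i;
            bool ipv6_policy = (policy_af == AF_INET6);

            // Count the policy rule sets that match this address family;
            // the preprocessor only runs when there is at least one.
            int policy_count = 0;
            for (list<FWObject*>::iterator p=all_policies.begin();
                 p!=all_policies.end(); ++p)
            {
                Policy *policy = Policy::cast(*p);
                if (policy->matchingAddressFamily(policy_af)) policy_count++;
            }

            if (policy_count)
            {
                std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb, fw, false));
                if (inTestMode()) prep->setTestMode();
                if (inEmbeddedMode()) prep->setEmbeddedMode();
                prep->compile();
            }

            for (list<FWObject*>::iterator p=all_policies.begin();
                 p!=all_policies.end(); ++p )
            {
                Policy *policy = Policy::cast(*p);
                if (!policy->matchingAddressFamily(policy_af)) continue;

                PolicyCompiler_nxosacl c(objdb, fw, ipv6_policy, oscnf.get());

                c.setNamedObjectsManager(&named_objects_manager);
                c.setSourceRuleSet( policy );
                c.setRuleSetName(policy->getName());
                c.setPersistentObjects(persistent_objects);
                c.setSingleRuleCompileMode(single_rule_id);
                if (inTestMode()) c.setTestMode();
                if (inEmbeddedMode()) c.setEmbeddedMode();
                c.setDebugLevel( dl );
                if (rule_debug_on) c.setDebugRule( drp );
                c.setVerbose( verbose );

                if ( c.prolog() > 0 )
                {
                    c.compile();
                    c.epilog();

                    // Section banners only make sense in the full script.
                    if (!single_rule_compile_on)
                    {
                        if (ipv6_policy)
                        {
                            policy_script += "\n\n";
                            policy_script += "! ================ IPv6\n";
                            policy_script += "\n\n";
                        } else
                        {
                            policy_script += "\n\n";
                            policy_script += "! ================ IPv4\n";
                            policy_script += "\n\n";
                        }
                    }

                    if (c.haveErrorsAndWarnings())
                    {
                        all_errors.push_back(c.getErrors("").c_str());
                    }
                    policy_script += c.getCompiledScript();
                    clear_commands += c.printClearCommands();
                    //named_objects_manager.saveObjectGroups();
                } else
                    info(" Nothing to compile in Policy");
            }

            if (!ipv6_policy)
            {
                // currently routing is supported only for ipv4
                list<FWObject*> all_routing = fw->getByType(Routing::TYPENAME);
                // front() of an empty list is undefined behaviour; a
                // firewall object without a Routing rule set simply has
                // nothing to compile here.
                if (all_routing.empty())
                {
                    info(" Nothing to compile in Routing");
                } else
                {
                    RuleSet *routing = RuleSet::cast(all_routing.front());

                    RoutingCompiler_nxosacl r(objdb, fw, false, oscnf.get());

                    r.setNamedObjectsManager(&named_objects_manager);
                    r.setSourceRuleSet(routing);
                    r.setRuleSetName(routing->getName());
                    r.setPersistentObjects(persistent_objects);
                    r.setSingleRuleCompileMode(single_rule_id);
                    if (inTestMode()) r.setTestMode();
                    if (inEmbeddedMode()) r.setEmbeddedMode();
                    r.setDebugLevel( dl );
                    if (rule_debug_on) r.setDebugRule( drp );
                    r.setVerbose( verbose );

                    if ( r.prolog() > 0 )
                    {
                        r.compile();
                        r.epilog();
                        if (r.haveErrorsAndWarnings())
                        {
                            all_errors.push_back(r.getErrors("").c_str());
                        }
                        routing_script += r.getCompiledScript();
                    } else
                        info(" Nothing to compile in Routing");
                }
            }
        }

        /*
         * compilers detach persistent objects when they finish, this
         * means at this point library persistent_objects is not part
         * of any object tree.
         */
        objdb->reparent(persistent_objects);

        if (haveErrorsAndWarnings())
        {
            all_errors.push_front(getErrors("").c_str());
        }

        object_groups_definitions +=
            named_objects_manager.getNamedObjectsDefinitions();

        if (single_rule_compile_on)
        {
            return formSingleRuleCompileOutput(
                QString::fromUtf8(
                    (object_groups_definitions + policy_script + routing_script).c_str()));
        }

        if ( fw->getOptionsObject()->getBool("nxosacl_acl_basic") ||
             fw->getOptionsObject()->getBool("nxosacl_acl_substitution"))
        {
            clear_commands += named_objects_manager.getClearCommands() + "\n";
        }

        system_configuration_script += clear_commands;
        system_configuration_script += object_groups_definitions;

        QString script_buffer = assembleFwScript(
            cluster, fw, !cluster_id.empty(), oscnf.get());

        QString ofname = getAbsOutputFileName(file_names[FW_FILE]);

        info("Output file name: " + ofname.toStdString());
        QFile fw_file(ofname);
        if (fw_file.open(QIODevice::WriteOnly))
        {
            QTextStream fw_str(&fw_file);
            fw_str << script_buffer;
            fw_file.close();
            // NOTE(review): the script ends up mode 0755, readable by every
            // user on the host, and it is created under the default umask
            // before this chmod runs. It embeds the prolog/epilog scripts
            // and the whole policy, so anything confidential in those is
            // exposed through the output directory. Left unchanged because
            // callers may depend on the executable bits.
            fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner |
                                   QFile::ReadGroup | QFile::ReadOther |
                                   QFile::ExeOwner  | QFile::ExeGroup |
                                   QFile::ExeOther );
            info(" Compiled successfully");
        } else
        {
            QString err(" Failed to open file %1 for writing: %2; Current dir: %3");
            abort(err.arg(fw_file.fileName())
                  .arg(fw_file.error()).arg(QDir::current().path()).toStdString());
        }

        if (!all_errors.isEmpty())
            status = BaseCompiler::FWCOMPILER_WARNING;

    }
    catch (FWException &ex)
    {
        status = BaseCompiler::FWCOMPILER_ERROR;
        return QString::fromUtf8(ex.toString().c_str());
    }

    return "";
}
fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_pix.cpp000066400000000000000000000043201303637203600225420ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.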
You may redistribute and/or modify this program under the terms of that
license as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

To get a copy of the GNU General Public License,
write to the Free Software Foundation, Inc.,
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "../../config.h"

// NOTE(review): the nine system headers that follow lost their <name>
// arguments in this rendering of the file; the names cannot be
// recovered from the text shown here.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"

#include "CompilerDriver_pix.h"
#include "PolicyCompiler_pix.h"
#include "OSConfigurator_pix_os.h"

// NOTE(review): two more system headers with lost <name> arguments.
#include
#include

using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;

// Nothing beyond the base-class setup is needed for PIX.
CompilerDriver_pix::CompilerDriver_pix(FWObjectDatabase *db) : CompilerDriver(db)
{
}

// create a copy of itself, including objdb
CompilerDriver* CompilerDriver_pix::clone()
{
    CompilerDriver_pix* new_cd = new CompilerDriver_pix(objdb);
    if (inEmbeddedMode()) new_cd->setEmbeddedMode();
    return new_cd;
}

// Run the PIX OS configurator prolog for the object returned by
// locateObject() and return its protocol inspection commands.
// NB: the configurator is a throwaway local; nothing is stored.
string CompilerDriver_pix::protocolInspectorCommands()
{
    OSConfigurator_pix_os oscnf(objdb , locateObject(), false);
    oscnf.prolog();
    return oscnf.getProtocolInspectionCommands();
}

// Write prolog_code to file, framed by "#" lines.
// NOTE(review): the PIX script assembly elsewhere in this driver passes
// "!" as the comment marker; confirm that "#" is acceptable where this
// output lands, or that this override is not the one used.
void CompilerDriver_pix::printProlog(QTextStream &file, const string &prolog_code)
{
    file << endl;
    file << "#" << endl;
    file << "# Prolog script" << endl;
    file << "#" << endl;
    file << prolog_code << endl;
    file << "#" << endl;
    file << "# End of prolog script" << endl;
    file << "#" << endl;
}
fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_pix.h000066400000000000000000000062121303637203600222110ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland
vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.

  You may redistribute and/or modify this program under the terms of that
  license as published by the Free Software Foundation; either version 2
  of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License,
  write to the Free Software Foundation, Inc.,
  59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#ifndef __COMPILER_DRIVER_PIX_HH__
#define __COMPILER_DRIVER_PIX_HH__

#include "CompilerDriver.h"

// NOTE(review): three system headers whose <name> arguments are lost in
// this rendering of the file.
#include
#include
#include

namespace libfwbuilder {
    class FWObjectDatabase;
    class Cluster;
    class ClusterGroup;
    class Firewall;
    class RuleSet;
    class Interface;
};

namespace fwcompiler {

    // Compiler driver for Cisco PIX/ASA. The string members are script
    // fragments that run() accumulates and assembleFwScript() hands to
    // the "pix_os" script_skeleton configlet under matching variable
    // names.
    class CompilerDriver_pix : public CompilerDriver {

protected:

        std::string clear_commands;
        std::string preamble_commands;
        std::string system_configuration_script;
        std::string named_objects_and_groups;
        std::string nat_script;
        std::string policy_script;
        std::string routing_script;

        // Platform-specific sanity checks run before compilation.
        // NOTE(review): the std::list parameters lost their element type
        // in this rendering; judging by the name, a list of interface
        // objects -- confirm against the implementation.
        void pixSecurityLevelChecks(libfwbuilder::Firewall *fw,
                                    std::list &all_interfaces);
        void pixNetworkZoneChecks(libfwbuilder::Firewall *fw,
                                  std::list &all_interfaces);
        void pixClusterGroupChecks(libfwbuilder::ClusterGroup *clgrp);
        void pixClusterConfigurationChecks(libfwbuilder::Cluster *cluster,
                                           libfwbuilder::Firewall *fw);

        std::string safetyNetInstall(libfwbuilder::Firewall *fw);

        // Write prolog_code to file framed by "#" comment lines.
        void printProlog(QTextStream &file, const std::string &prolog_code);

        virtual QString assembleManifest(libfwbuilder::Cluster *cluster,
                                         libfwbuilder::Firewall* fw,
                                         bool cluster_member);
        virtual QString printActivationCommands(libfwbuilder::Firewall *fw);
        // NB: the last parameter is spelled "ocsnf" here and "oscnf" in
        // the implementation; harmless, but easy to misread.
        virtual QString assembleFwScript(libfwbuilder::Cluster *cluster,
                                         libfwbuilder::Firewall* fw,
                                         bool cluster_member,
                                         OSConfigurator *ocsnf);

public:

        CompilerDriver_pix(libfwbuilder::FWObjectDatabase *db);

        // create a copy of itself, including objdb
        virtual CompilerDriver* clone();

        // Compile the firewall (or cluster member) identified by the ids;
        // a non-empty single_rule_id compiles only that rule.
        virtual QString run(const std::string &cluster_id,
                            const std::string &firewall_id,
                            const std::string &single_rule_id);

        // Protocol inspection commands produced by OSConfigurator_pix_os.
        std::string protocolInspectorCommands();
    };
};

#endif
fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_pix_run.cpp000066400000000000000000001130761303637203600234370ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.

  You may redistribute and/or modify this program under the terms of that
  license as published by the Free Software Foundation; either version 2
  of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #include #include #include #include "CompilerDriver_pix.h" #include "PolicyCompiler_pix.h" #include "NATCompiler_pix.h" #include "NATCompiler_asa8.h" #include "RoutingCompiler_pix.h" #include "OSConfigurator_pix_os.h" #include "NamedObjectsAndGroupsSupport.h" #include "NamedObjectsManagerPIX.h" #include "NamedObjectsManagerASA8.h" #include "AutomaticRules_cisco.h" #include "Helper.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/ClusterGroup.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Routing.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/XMLTools.h" #include "fwcompiler/Preprocessor.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; class sort_by_net_zone { string any_address_id; public: explicit sort_by_net_zone() { any_address_id = FWObjectDatabase::getStringId( FWObjectDatabase::ANY_ADDRESS_ID); } bool operator()(const FWObject *a, const FWObject *b) { if (Interface::constcast(a) && Interface::constcast(b)) { string netzone_a=a->getStr("network_zone"); string netzone_b=b->getStr("network_zone"); if ( netzone_a==any_address_id) return false; if ( netzone_b==any_address_id) return true; } return false; } }; QString CompilerDriver_pix::assembleManifest(Cluster*, Firewall*, bool) { QString script_buffer; QTextStream script(&script_buffer, QIODevice::WriteOnly); script << "!" 
<< MANIFEST_MARKER << "* " << this->escapeFileName(file_names[FW_FILE]) << endl; return script_buffer; } QString CompilerDriver_pix::printActivationCommands(Firewall*) { return ""; } QString CompilerDriver_pix::assembleFwScript(Cluster *cluster, Firewall* fw, bool cluster_member, OSConfigurator *oscnf) { Configlet script_skeleton(fw, "pix_os", "script_skeleton"); Configlet top_comment(fw, "pix_os", "top_comment"); FWOptions* options = fw->getOptionsObject(); options->setStr("prolog_script", options->getStr("pix_prolog_script")); options->setStr("epilog_script", options->getStr("pix_epilog_script")); options->setStr("prolog_place", ""); string vers = fw->getStr("version"); string platform = fw->getStr("platform"); bool outbound_acl_supported = Resources::platform_res[platform]->getResourceBool( string("/FWBuilderResources/Target/options/")+ "version_"+vers+ "/pix_outbound_acl_supported"); bool afpa = options->getBool("pix_assume_fw_part_of_any"); bool emulate_outb_acls = options->getBool("pix_emulate_out_acl"); bool generate_outb_acls = options->getBool("pix_generate_out_acl"); top_comment.setVariable( "outbound_acl_supported", QString((outbound_acl_supported) ? "supported" : "not supported")); top_comment.setVariable("emulate_outb_acls", QString((emulate_outb_acls)?"yes":"no")); top_comment.setVariable("generate_outb_acls", QString((generate_outb_acls)?"yes":"no")); top_comment.setVariable("afpa", QString((afpa)?"yes":"no")); script_skeleton.setVariable("short_script", options->getBool("short_script")); script_skeleton.setVariable("not_short_script", ! 
options->getBool("short_script")); script_skeleton.setVariable("preamble_commands", QString::fromUtf8( preamble_commands.c_str())); script_skeleton.setVariable("clear_commands", QString::fromUtf8( clear_commands.c_str())); script_skeleton.setVariable("system_configuration_script", QString::fromUtf8( system_configuration_script.c_str())); script_skeleton.setVariable("named_objects_and_object_groups", QString::fromUtf8( named_objects_and_groups.c_str())); script_skeleton.setVariable("policy_script", QString::fromUtf8(policy_script.c_str())); script_skeleton.setVariable("nat_script", QString::fromUtf8(nat_script.c_str())); script_skeleton.setVariable("routing_script", QString::fromUtf8(routing_script.c_str())); assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "!", true); return script_skeleton.expand(); } QString CompilerDriver_pix::run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id) { Cluster *cluster = NULL; Firewall *fw = NULL; getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw); // Copy rules from the cluster object populateClusterElements(cluster, fw); if (cluster) { // PIX failover is dfferent from VRRP and other failover protocols // in that it does not create new virtual address. Instead, each // unit is configured with two ip addresses, one for the active // unit and another for standby one. When active unit fails, the // other one assumes its address. // // This matters because when we use cluster object or one of its // interfaces in rules, compiler should expand it to the set of // addresses that includes addresses of the corresponding // interface of both member firewalls. Method // CompilerDriver::copyFailoverInterface adds a copy of firewall // interface to the cluster object. This works for all firewalls, // but for PIX we need to add copies of interfaces from both // members. 
// FWObjectTypedChildIterator cl_iface = cluster->findByType(Interface::TYPENAME); for (; cl_iface != cl_iface.end(); ++cl_iface) { FailoverClusterGroup *failover_group = FailoverClusterGroup::cast( (*cl_iface)->getFirstByType(FailoverClusterGroup::TYPENAME)); if (failover_group) { //FWObject *this_member_interface = NULL; //UNUSED list other_member_interfaces; for (FWObjectTypedChildIterator it = failover_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { FWObject *intf = FWObjectReference::getObject(*it); assert(intf); //if (intf->isChildOf(fw)) this_member_interface = intf; //UNUSED //else other_member_interfaces.push_back(intf); if (!intf->isChildOf(fw)) other_member_interfaces.push_back(intf); } if (!other_member_interfaces.empty()) { for (list::iterator it=other_member_interfaces.begin(); it!=other_member_interfaces.end(); ++it) { cluster->addCopyOf(*it, true); } } } } } #if 0 FWObjectTypedChildIterator iface = fw->findByType(Interface::TYPENAME); for (; iface != iface.end(); ++iface) { (*iface)->dump(true, true); } #endif determineOutputFileNames(cluster, fw, !cluster_id.empty(), QStringList(""), QStringList("fw"), QStringList("")); FWOptions* options = fw->getOptionsObject(); QString script_buffer; std::auto_ptr n; std::auto_ptr c; std::auto_ptr r; try { clearReadOnly(fw); commonChecks2(cluster, fw); pixClusterConfigurationChecks(cluster, fw); // Note that fwobjectname may be different from the name of the // firewall fw This happens when we compile a member of a cluster current_firewall_name = fw->getName().c_str(); bool pix_acl_basic = options->getBool("pix_acl_basic"); bool pix_acl_no_clear = options->getBool("pix_acl_no_clear"); bool pix_acl_substitution = options->getBool("pix_acl_substitution"); bool pix_add_clear_statements = options->getBool("pix_add_clear_statements"); if (!pix_acl_basic && !pix_acl_no_clear && !pix_acl_substitution) { if ( pix_add_clear_statements ) options->setBool("pix_acl_basic",true); else 
options->setBool("pix_acl_no_clear",true); } list all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); pixSecurityLevelChecks(fw, all_interfaces); pixNetworkZoneChecks(fw, all_interfaces); /* Now that all checks are done, we can drop copies of cluster * interfaces that were added to the firewall by * CompilerDriver::populateClusterElements() */ list copies_of_cluster_interfaces; for (std::list::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i) { Interface *iface = Interface::cast(*i); assert(iface); if (iface->getOptionsObject()->getBool("cluster_interface")) copies_of_cluster_interfaces.push_back(iface); } while (copies_of_cluster_interfaces.size()) { fw->remove(copies_of_cluster_interfaces.front()); copies_of_cluster_interfaces.pop_front(); } NamedObjectsManagerPIX named_objects_manager(persistent_objects, fw); all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); for (std::list::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i) { Interface *iface = Interface::cast(*i); assert(iface); /* * missing labels on interfaces * */ if (iface->getLabel()=="") { string lbl; if (iface->isDedicatedFailover()) { // dedicated failover interface misses label. This // interface can be used in failover cluster group // or state sync group. Assign label depending on // the function. 
FWObjectTypedChildIterator it = cluster->findByType(StateSyncClusterGroup::TYPENAME); StateSyncClusterGroup *state_sync_group = StateSyncClusterGroup::cast(*it); if (state_sync_group && state_sync_group->hasMember(iface)) lbl = "state"; if (!iface->getOptionsObject()->getStr("failover_group_id").empty()) lbl = "failover"; } if (lbl.empty()) { if (iface->getSecurityLevel()==0) lbl="outside"; else { if (iface->getSecurityLevel()==100) lbl="inside"; else { QString l("dmz%1"); lbl = l.arg(iface->getSecurityLevel()).toStdString(); } } } iface->setLabel(lbl); } } /* * now sort interfaces by their network zone "width" (that * is, more narrow network zone should go first, interface * with network zone "any" should be the last) * std::sort(fw->begin(), fw->end(), sort_by_net_zone() ); */ try { AutomaticRules_cisco auto_rules(fw, persistent_objects); auto_rules.addSshAccessRule(); } catch (FWException &ex) { abort(ex.toString()); } std::auto_ptr prep( new Preprocessor(objdb , fw, false)); if (inTestMode()) prep->setTestMode(); if (inEmbeddedMode()) prep->setEmbeddedMode(); prep->compile(); std::auto_ptr oscnf( new OSConfigurator_pix_os(objdb , fw, false)); if (inTestMode()) oscnf->setTestMode(); if (inEmbeddedMode()) oscnf->setEmbeddedMode(); oscnf->prolog(); oscnf->processFirewallOptions(); bool have_named_objects = false; bool have_object_groups = false; /* create compilers and run the whole thing */ string version = fw->getStr("version"); if (XMLTools::version_compare(version, "8.3")>=0) n = std::auto_ptr( new NATCompiler_asa8(objdb, fw, false, oscnf.get())); else n = std::auto_ptr( new NATCompiler_pix(objdb, fw, false, oscnf.get())); RuleSet *nat = RuleSet::cast(fw->getFirstByType(NAT::TYPENAME)); if (nat) { nat->assignUniqueRuleIds(); n->setNamedObjectsManager(&named_objects_manager); n->setSourceRuleSet(nat); n->setRuleSetName(nat->getName()); n->setPersistentObjects(persistent_objects); if (inTestMode()) n->setTestMode(); if (inEmbeddedMode()) n->setEmbeddedMode(); 
n->setSingleRuleCompileMode(single_rule_id); n->setDebugLevel( dl ); if (rule_debug_on) n->setDebugRule( drn ); n->setVerbose( verbose ); if ( n->prolog() > 0 ) { n->compile(); n->epilog(); preamble_commands += n->printPreambleCommands(); clear_commands += n->printClearCommands(); have_named_objects = (have_named_objects || named_objects_manager.haveNamedObjects()); have_object_groups = (have_object_groups || named_objects_manager.haveObjectGroups()); //named_objects_manager.saveObjectGroups(); } else info(" Nothing to compile in NAT"); } c = std::auto_ptr( new PolicyCompiler_pix(objdb, fw, false, oscnf.get() , n.get())); RuleSet *policy = RuleSet::cast(fw->getFirstByType(Policy::TYPENAME)); if (policy) { policy->assignUniqueRuleIds(); c->setNamedObjectsManager(&named_objects_manager); c->setSourceRuleSet(policy); c->setRuleSetName(policy->getName()); c->setPersistentObjects(persistent_objects); if (inTestMode()) c->setTestMode(); if (inEmbeddedMode()) c->setEmbeddedMode(); c->setSingleRuleCompileMode(single_rule_id); c->setDebugLevel( dl ); if (rule_debug_on) c->setDebugRule( drp ); c->setVerbose( verbose ); if ( c->prolog() > 0 ) { c->compile(); c->epilog(); preamble_commands += c->printPreambleCommands(); clear_commands += c->printClearCommands(); have_named_objects = (have_named_objects || named_objects_manager.haveNamedObjects()); have_object_groups = (have_object_groups || named_objects_manager.haveObjectGroups()); //named_objects_manager.saveObjectGroups(); } else info(" Nothing to compile in Policy"); } r = std::auto_ptr( new RoutingCompiler_pix(objdb, fw, false, oscnf.get())); RuleSet *routing = RuleSet::cast(fw->getFirstByType(Routing::TYPENAME)); if (routing) { routing->assignUniqueRuleIds(); r->setNamedObjectsManager(&named_objects_manager); r->setSourceRuleSet(routing); r->setRuleSetName(routing->getName()); r->setPersistentObjects(persistent_objects); if (inTestMode()) r->setTestMode(); if (inEmbeddedMode()) r->setEmbeddedMode(); 
r->setSingleRuleCompileMode(single_rule_id); r->setDebugLevel( dl ); if (rule_debug_on) r->setDebugRule( drp ); r->setVerbose( verbose ); if ( r->prolog() > 0 ) { r->compile(); r->epilog(); } else info(" Nothing to compile in Routing"); } /* * compilers detach persistent objects when they finish, this * means at this point library persistent_objects is not part * of any object tree. */ objdb->reparent(persistent_objects); if (haveErrorsAndWarnings()) { all_errors.push_front(getErrors("").c_str()); } policy_script = c->getCompiledScript(); nat_script = n->getCompiledScript(); routing_script = r->getCompiledScript(); named_objects_and_groups = named_objects_manager.getNamedObjectsDefinitions(); if (c->haveErrorsAndWarnings()) all_errors.push_back(c->getErrors("C ").c_str()); if (n->haveErrorsAndWarnings()) all_errors.push_back(n->getErrors("N ").c_str()); if (r->haveErrorsAndWarnings()) all_errors.push_back(r->getErrors("R ").c_str()); if (single_rule_compile_on) { return formSingleRuleCompileOutput( QString::fromUtf8( (named_objects_and_groups + policy_script + nat_script + routing_script).c_str())); } system_configuration_script = oscnf->getCompiledScript(); system_configuration_script += "\n"; clear_commands += named_objects_manager.getClearCommands() + "\n"; // system_configuration_script += preamble_commands; // system_configuration_script += clear_commands; script_buffer = assembleFwScript( cluster, fw, !cluster_id.empty(), oscnf.get()); QString ofname = getAbsOutputFileName(file_names[FW_FILE]); info("Output file name: " + ofname.toStdString()); QFile fw_file(ofname); if (fw_file.open(QIODevice::WriteOnly)) { QTextStream fw_str(&fw_file); fw_str << script_buffer; fw_file.close(); fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup | QFile::ReadOther | QFile::ExeOwner | QFile::ExeGroup | QFile::ExeOther ); info(" Compiled successfully"); } else { QString err(" Failed to open file %1 for writing: %2; Current dir: %3"); 
abort(err.arg(fw_file.fileName())
                  .arg(fw_file.error()).arg(QDir::current().path()).toStdString());
        }

        // Any accumulated compiler/driver diagnostics downgrade the
        // overall status to a warning; errors thrown below override it.
        if (!all_errors.isEmpty())
            status = BaseCompiler::FWCOMPILER_WARNING;
    }
    catch (FWException &ex)
    {
        status = BaseCompiler::FWCOMPILER_ERROR;
        return QString::fromUtf8(ex.toString().c_str());
    }

    return "";
}

/*
 * Per-interface sanity checks run from run() before the PIX policy
 * is compiled.
 *
 * - An ethernet (or untyped) interface that has vlan subinterfaces is
 *   a trunk: it is marked "unprotected" with a warning so it is not
 *   used for ACLs.
 * - Among the remaining numbered, protected, non-cluster interfaces
 *   no two may share the same label; a duplicate label aborts the
 *   compile. Uniqueness of the security level is deliberately not
 *   enforced any more (see #2351 below).
 *
 * Arguments: fw             - firewall whose interfaces are checked
 *            all_interfaces - list of the firewall's Interface objects
 *                             (element type lost in this listing;
 *                             dynamic_cast to Interface* below)
 * Side effects: may call iface->setUnprotected(true) on trunk interfaces.
 */
void CompilerDriver_pix::pixSecurityLevelChecks(Firewall *fw, list &all_interfaces)
{
    for (std::list::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
    {
        Interface *iface = dynamic_cast(*i);
        assert(iface);

        // Copies of cluster interfaces are skipped; they are removed
        // from the firewall later in run().
        if (iface->getOptionsObject()->getBool("cluster_interface")) continue;

        if ((iface->getOptionsObject()->getStr("type") == "" || iface->getOptionsObject()->getStr("type") == "ethernet") && iface->getByType(Interface::TYPENAME).size() > 0)
        {
            // Parent vlan interface (i.e. trunk)
            if (!iface->isUnprotected())
            {
                QString err( "Interface %1 has vlan subinterfaces, it can not " "be used for ACL. Marking this interface \"unprotected\" " "to exclude it." );
                warning(fw, NULL, NULL, err.arg(iface->getName().c_str()) .toStdString());
                iface->setUnprotected(true);
            }
        }

        // Tests for label, security level and network zone make sense
        // only for interfaces that can be used in ACLs or to bind
        // ACLs to. Unnumbered interfaces can't, so we do not need to
        // run these checks. One example of unnumbered interface is
        // parent interface for vlan subinterfaces.
        if (iface->isUnnumbered()) continue;
        if (iface->isUnprotected()) continue;

        /*
         * there shouldn't be two interfaces with the same security level and
         * same label
         *
         * Pairwise comparison against every other interface in the list
         * (the pair is visited twice, once from each side).
         */
        for (std::list::iterator j=all_interfaces.begin(); j!=all_interfaces.end(); ++j)
        {
            Interface *iface2 = dynamic_cast(*j);
            assert(iface2);
            if (iface2->isUnnumbered()) continue;
            if (iface2->isUnprotected()) continue;
            if (iface->getId()==iface2->getId()) continue;
            if (iface->getOptionsObject()->getBool("cluster_interface") || iface2->getOptionsObject()->getBool("cluster_interface")) continue;

            // see #2351. Security levels do not have to be unique
            // if (iface->getSecurityLevel()==iface2->getSecurityLevel())
            // {
            //     QString err(
            //         "Security level of each interface should be unique, "
            //         "however interfaces %1 (%2) and %3 (%4)"
            //         " have the same security level."
            //     );
            //     abort(fw, NULL, NULL,
            //           err.arg(iface->getName().c_str())
            //           .arg(iface->getLabel().c_str())
            //           .arg(iface2->getName().c_str())
            //           .arg(iface2->getLabel().c_str()).toStdString());
            //     throw FatalErrorInSingleRuleCompileMode();
            // }

            // abort() records the error; the throw that follows stops
            // compilation in single-rule mode.
            if (iface->getLabel()==iface2->getLabel())
            {
                QString err( "Label of each interface should be unique, " "however interfaces %1 (%2) and %3 (%4)" " have the same." );
                abort(fw, NULL, NULL, err.arg(iface->getName().c_str()) .arg(iface->getLabel().c_str()) .arg(iface2->getName().c_str()) .arg(iface2->getLabel().c_str()).toStdString());
                throw FatalErrorInSingleRuleCompileMode();
            }
        }

        // We only do limited checks for dedicated failover
        // interfaces because they are not used in ACLs or
        // anywhere else in configuration, except in "failover"
        // commands.
        // NOTE(review): this is the last statement of the loop body, so
        // the 'continue' has no effect; it looks like a leftover from a
        // version where further checks followed it.
        if (iface->isDedicatedFailover()) continue;
    }
}

/*
 * Network zone checks for PIX. Every protected, non-failover,
 * non-cluster interface must have a "network_zone" option that points
 * at an existing object. The zone is then expanded (recursively, groups
 * flattened) into a fresh object group that is added to objdb; the
 * interface's "network_zone" is repointed at that group and the original
 * id is kept in "orig_netzone_id". Finally no address object may appear
 * in the zones of two different interfaces, or twice in one zone.
 *
 * Every zone member must be an Address with an address pointer; anything
 * else aborts the compile. IPv6 members are accepted here and ignored
 * later (see the commented-out check below, SF bug 3213019).
 *
 * Arguments: fw             - firewall whose interfaces are checked
 *            all_interfaces - list of the firewall's Interface objects
 * Side effects: creates and adds a group object per interface to objdb,
 *               rewrites the "network_zone"/"orig_netzone_id" options.
 */
void CompilerDriver_pix::pixNetworkZoneChecks(Firewall *fw, list &all_interfaces)
{
    // label of the interface -> object belonging to its network zone
    // (a multimap, so one label may carry many objects)
    multimap netzone_objects;
    Helper helper(NULL);

    for (std::list::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
    {
        Interface *iface = dynamic_cast(*i);
        assert(iface);
        if (iface->getOptionsObject()->getBool("cluster_interface")) continue;
        if (iface->isDedicatedFailover()) continue;
        if (iface->isUnprotected()) continue;

        /*
         * in PIX, we need network zones to be defined for all
         * interfaces
         */
        string netzone_id = iface->getStr("network_zone");
        if (netzone_id=="")
        {
            QString err("Network zone definition is missing for interface '%1' (%2)");
            abort(fw, NULL, NULL, err.arg(iface->getName().c_str()) .arg(iface->getLabel().c_str()).toStdString());
            throw FatalErrorInSingleRuleCompileMode();
        }

        FWObject *netzone = objdb->findInIndex( FWObjectDatabase::getIntId(netzone_id));
        if (netzone==NULL)
        {
            QString err("Network zone points at nonexisting object for " "interface '%1' (%2)");
            abort(fw, NULL, NULL, err.arg(iface->getName().c_str()) .arg(iface->getLabel().c_str()).toStdString());
            throw FatalErrorInSingleRuleCompileMode();
        }

        /*
         * netzone may be a group, in which case we need to expand it
         * (recursively).
         *
         * 1. We create new temporary object (type Group).
         *
         * 2. put it in the database somewhere
         *
         * 3. add all objects that belong to the network zone to this
         * group. We add objects directly, not as a reference.
         *
         * 4. finally replace reference to the old network zone object in the
         * interface with reference to this new group.
         *
         * 5. we store ID of the original network zone object
         * using iface->setStr("orig_netzone_id")
         *
         * This ensures netzones do not contain other groups and do not
         * require any recursive expanding anymore. Since objects were added
         * to netzones directly, we do not need to bother with dereferencing,
         * too.
         */
        list ol;
        helper.expand_group_recursive(netzone, ol);

        FWObject *nz = objdb->createObjectGroup();
        assert(nz!=NULL);
        nz->setName("netzone_" + iface->getLabel());
        objdb->add(nz);

        for (list::iterator j=ol.begin(); j!=ol.end(); ++j)
        {
            Address *addr = Address::cast(*j);
            if (addr == NULL || addr->getAddressPtr() == NULL)
            {
                QString err("Network zone of interface '%1' uses object '%2' " "that is not an address");
                abort(fw, NULL, NULL, err.arg(iface->getLabel().c_str()) .arg((*j)->getName().c_str()).toStdString());
                throw FatalErrorInSingleRuleCompileMode();
            }

            /* Commented out for SF bug 3213019

               currently we do not support ipv6 with PIX/ASA and FWSM. If
               user creates a group to be used as network zone object and
               places ipv6 address in it, this address should be ignored
               while compiling the policy but this should not be an
               error. Compiler uses network zone group to do various
               address matching operations when it tries to determine an
               interface for a rule where user did not specify one. Since
               we never (should) have ipv6 in policy and nat rules,
               compiler is not going to have anything to compare to ipv6
               address in the network zone even if there is one and this
               ipv6 address is going to be ignored.

            if (addr->getAddressPtr()->isV6())
            {
                QString err("Network zone of interface '%1' uses object '%2' "
                            "that is IPv6 address");
                abort(fw, NULL, NULL,
                      err.arg(iface->getLabel().c_str())
                      .arg((*j)->getName().c_str()).toStdString());
                throw FatalErrorInSingleRuleCompileMode();
            }
            */

            netzone_objects.insert( pair(iface->getLabel(),*j));
            nz->addRef(*j);
        }

        iface->setStr("orig_netzone_id", netzone_id );
        iface->setStr("network_zone", FWObjectDatabase::getStringId(nz->getId()) );
    }

    /*
     * the same object (network or host) can not belong to network zones
     * of two different interfaces. Map netzone_objects holds pairs
     * interface_id/object. We just make sure the same object does not
     * appear in two pairs with different interfaces.
     *
     * Each pair of entries is compared once (l starts just past k).
     */
    multimap::iterator k;
    for (k=netzone_objects.begin(); k!=netzone_objects.end(); ++k)
    {
        multimap::iterator l;
        l=k;
        ++l;
        for ( ; l!=netzone_objects.end(); ++l)
        {
            if ( l->second->getId() == k->second->getId() )
            {
                if (k->first==l->first)
                {
                    QString err("Object %1 is used more than once in network " "zone of interface '%2'");
                    abort(fw, NULL, NULL, err.arg(l->second->getName().c_str()) .arg(k->first.c_str()).toStdString());
                    throw FatalErrorInSingleRuleCompileMode();
                } else
                {
                    QString err("Object %1 is used in network zones of " "interfaces '%2' and '%3'");
                    abort(fw, NULL, NULL, err.arg(l->second->getName().c_str()) .arg(k->first.c_str()) .arg(l->first.c_str()).toStdString());
                    throw FatalErrorInSingleRuleCompileMode();
                }
            }
        }
    }
}

/*
 * Sanity checks for the cluster configuration. Per ticket #606:
 *
 * - state sync group must have master
 *
 * - one interface must be marked as "dedicated failover" for failover
 * group.
 *
 * - this interface must have failover group with members, one of
 * which must be master
 *
 * - failover interfaces in member firewalls must have ip addresses
 * which should be different but in the same subnet.
 *
 * - possibly another interface can be defined as "dedicated failover"
 * and used in state sync group.
 *
 * - if second interface is used for state sync, it must have ip
 * address in member firewalls (different)
 *
 * - addresses of the dedicated failover interfaces must belong to the
 * same subnet in each pair of failover interfaces (failover and state sync)
 *
 * - failover interfaces of both members used in the failover cluster
 * group of the cluster object must have the same name.
 *
 * - The same check should be performed in the state sync group.
 *
 * Only the state-sync "master" requirement is checked directly here;
 * everything about interface names, addresses and subnets is delegated
 * to pixClusterGroupChecks() for the state sync group and for every
 * failover group found on the cluster's interfaces.
 *
 * Arguments: cluster - cluster object, or NULL when compiling a
 *                      stand-alone firewall (then nothing is checked)
 */
void CompilerDriver_pix::pixClusterConfigurationChecks(Cluster *cluster, Firewall*)
{
    if (cluster==NULL) return;

    FWObjectTypedChildIterator it = cluster->findByType(StateSyncClusterGroup::TYPENAME);
    StateSyncClusterGroup *state_sync_group = StateSyncClusterGroup::cast(*it);
    // NOTE(review): state_sync_group is dereferenced without a NULL check;
    // whether a cluster is guaranteed to carry a state sync group is not
    // visible here — confirm, or guard like the cluster==NULL case above.
    if (state_sync_group->getStr("master_iface").empty())
    {
        QString err("One of the interfaces in the state synchronization group " "must be marked as 'Master'");
        abort(cluster, NULL, NULL, err.toStdString());
        throw FatalErrorInSingleRuleCompileMode();
    }

    pixClusterGroupChecks(state_sync_group);

    //bool failover_group_inspected = false; //UNUSED

    list l2 = cluster->getByTypeDeep(Interface::TYPENAME);
    for (list::iterator i=l2.begin(); i!=l2.end(); ++i)
    {
        Interface *iface = dynamic_cast(*i);
        assert(iface);
        FailoverClusterGroup *failover_group = FailoverClusterGroup::cast( iface->getFirstByType(FailoverClusterGroup::TYPENAME));
        if (failover_group)
        {
            for (FWObjectTypedChildIterator it = failover_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it)
            {
                Interface *member_iface = Interface::cast(FWObjectReference::getObject(*it));
                assert(member_iface);
                // NOTE(review): the group check does not depend on
                // member_iface, so it is repeated once per member
                // reference; calling it once per failover_group would be
                // equivalent.
                pixClusterGroupChecks(failover_group);
                //if (member_iface->isDedicatedFailover())
                //{
                //    failover_group_inspected = true; //UNUSED
                //}
            }
        }
    }
}

/*
 * Checks one cluster group (state sync or failover) for PIX:
 *
 * - when the group lives under a cluster interface, every member
 *   interface must have the same name as that cluster interface;
 * - members of a state sync group must be "dedicated failover";
 * - every member must be a regular interface with at least one address;
 * - when two or more members are collected, their network addresses
 *   (from the first IPv4 child of each member) must all be equal to
 *   that of the first entry.
 *
 * Arguments: cluster_group - the StateSyncClusterGroup or
 *                            FailoverClusterGroup to verify
 * Each failure aborts with a message and throws
 * FatalErrorInSingleRuleCompileMode.
 */
void CompilerDriver_pix::pixClusterGroupChecks(ClusterGroup *cluster_group)
{
    // Walk up to the enclosing Cluster object; it is used as the
    // object errors are reported against.
    FWObject *cluster = cluster_group;
    while (cluster && !Cluster::isA(cluster)) cluster = cluster->getParent();

    // The group's direct parent is an Interface only for failover groups
    // attached to a cluster interface; NULL otherwise.
    FWObject *cluster_interface = NULL;
    FWObject *p = cluster_group->getParent();
    if (Interface::isA(p)) cluster_interface = p;

    // "member:iface" key -> address/mask of that member interface
    map addresses_and_masks;

    for (FWObjectTypedChildIterator it = cluster_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it)
    {
        Interface *member_iface = Interface::cast(FWObjectReference::getObject(*it));
        assert(member_iface);
        FWObject *member = Host::getParentHost(member_iface);
        //FWObject *member = member_iface->getParentHost();

        if (cluster_interface)
        {
            // check consistency of the names.
            // In case of PIX the name of the cluster interface should match
            // names of member interfaces
            if (cluster_interface->getName() != member_iface->getName())
            {
                QString err("Names of interfaces used in state synchronization " "or failover group must match the name of the " "cluster inetrface. Interface %1:%2 has the name " "that is different from the cluster interface name %3");
                abort(cluster, NULL, NULL, err.arg(member->getName().c_str()) .arg(member_iface->getName().c_str()) .arg(cluster_interface->getName().c_str()).toStdString());
                throw FatalErrorInSingleRuleCompileMode();
            }
        }

        if (StateSyncClusterGroup::isA(cluster_group) && !member_iface->isDedicatedFailover())
        {
            QString err("Interface %1 is used in a state synchronization " "but is not marked as 'Dedicated Failover' " "interface. All interfaces used for the state " "synchronization or failover must be marked " "'Dedicated Failover'. ");
            abort(member, NULL, NULL, err.arg(member_iface->getName().c_str()).toStdString());
            throw FatalErrorInSingleRuleCompileMode();
        }

        if (!member_iface->isRegular() || member_iface->countInetAddresses(true)==0)
        {
            QString err("Interface %1 which is used in state synchronization " "or failover group does not have an IP address. " "All interfaces used for the state " "synchronization or failover must have ip addresses.");
            abort(member, NULL, NULL, err.arg(member_iface->getName().c_str()).toStdString());
            throw FatalErrorInSingleRuleCompileMode();
        }

        QString key("%1:%2");
        // NOTE(review): only the first IPv4 child is taken and the cast
        // result is not NULL-checked. countInetAddresses(true) above
        // proves some address exists, but not that it is an IPv4 one —
        // confirm what the 'true' argument counts.
        FWObjectTypedChildIterator it_addr = member_iface->findByType(IPv4::TYPENAME);
        IPv4* addr = IPv4::cast(*it_addr);
        addresses_and_masks[key.arg(member->getName().c_str()).arg(member_iface->getName().c_str())] = addr->getInetAddrMaskObjectPtr();
    }

    if (addresses_and_masks.size() >= 2)
    {
        // Compare every entry's network address with the first one in
        // map order (i.e. the lexicographically smallest key), which is
        // enough to prove all of them are equal.
        QString first_key;
        const InetAddr *first_network_addr = NULL;
        map::iterator it;
        for (it=addresses_and_masks.begin(); it!=addresses_and_masks.end(); ++it)
        {
            QString key = it->first;
            const InetAddrMask *am = it->second;
            if (first_network_addr == NULL)
            {
                first_key = key;
                first_network_addr = am->getNetworkAddressPtr();
            } else
            {
                const InetAddr *network_addr = am->getNetworkAddressPtr();
                if (*first_network_addr != *(network_addr))
                {
                    QString err("Interfaces used in state synchronization " "or failover group must have IP addresses on " "the same subnet. Interfaces %1 and %2 have " "addresses on different subnets: %3 , %4");
                    abort(cluster, NULL, NULL, err.arg(first_key).arg(key) .arg(first_network_addr->toString().c_str()) .arg(network_addr->toString().c_str()).toStdString());
                    throw FatalErrorInSingleRuleCompileMode();
                }
            }
        }
    }
}
fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_procurve_acl.cpp000066400000000000000000000037441303637203600244370ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free
  Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
  02111-1307 USA

*/

#include "../../config.h" #include #include #include "CompilerDriver_procurve_acl.h"
#include "PolicyCompiler_procurve_acl.h"
#include "fwbuilder/Resources.h"

using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;

/*
 * ProCurve ACL driver: a thin specialisation of the IOS ACL driver.
 * The constructor only renames the two firewall options the base
 * driver consults for its "safety net" ACL install step (the option
 * fields themselves are declared in the base class).
 *
 * Arguments: db - object database shared with the base driver
 */
CompilerDriver_procurve_acl::CompilerDriver_procurve_acl(FWObjectDatabase *db) : CompilerDriver_iosacl(db)
{
    safety_net_install_option_name = "procurve_acl_acl_substitution";
    safety_net_install_acl_addr_option_name = "procurve_acl_acl_temp_addr";
}

// create a copy of itself, including objdb
// The new driver shares the same objdb pointer and inherits the
// embedded-mode flag; no other driver state is copied here.
CompilerDriver* CompilerDriver_procurve_acl::clone()
{
    CompilerDriver_procurve_acl* new_cd = new CompilerDriver_procurve_acl(objdb);
    if (inEmbeddedMode()) new_cd->setEmbeddedMode();
    return new_cd;
}

/*
 * Writes the user's prolog script into the generated configuration,
 * framed by ';' lines (';' is the comment prefix used for ProCurve
 * output elsewhere in this driver). prolog_code is inserted verbatim,
 * exactly as it is stored in the firewall options.
 *
 * Arguments: file        - stream the configuration is written to
 *            prolog_code - prolog script text
 */
void CompilerDriver_procurve_acl::printProlog(QTextStream &file, const string &prolog_code)
{
    file << endl;
    file << ";" << endl;
    file << "; Prolog script" << endl;
    file << ";" << endl;
    file << prolog_code << endl;
    file << ";" << endl;
    file << "; End of prolog script" << endl;
    file << ";" << endl;
}
fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_procurve_acl.h000066400000000000000000000043211303637203600240740ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free
  Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
  02111-1307 USA

*/

#ifndef __COMPILER_DRIVER_PROCURVE_ACL_HH__
#define __COMPILER_DRIVER_PROCURVE_ACL_HH__

#include "CompilerDriver_iosacl.h" #include #include #include
namespace libfwbuilder {
    class FWObjectDatabase;
    class Cluster;
    class ClusterGroup;
    class Firewall;
    class RuleSet;
    class Interface;
};

namespace fwcompiler {

    // Compiler driver for HP ProCurve ACLs. Derives from the IOS ACL
    // driver and overrides only the output-assembly hooks and run().
    class CompilerDriver_procurve_acl : public CompilerDriver_iosacl {

protected:
        // writes the prolog script into the output, framed by ';' lines
        void printProlog(QTextStream &file, const std::string &prolog_code);

        // one-line manifest naming the generated file
        virtual QString assembleManifest(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member);

        // expands the "procurve" script_skeleton configlet into the final script
        virtual QString assembleFwScript(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member, OSConfigurator *ocsnf);

public:

        CompilerDriver_procurve_acl(libfwbuilder::FWObjectDatabase *db);

        // create a copy of itself, including objdb
        virtual CompilerDriver* clone();

        virtual QString run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id);
    };
};

#endif
fwbuilder-5.3.7/src/cisco_lib/CompilerDriver_procurve_acl_run.cpp000066400000000000000000000331241303637203600253160ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2010 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free
  Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
  02111-1307 USA

*/

#include "../../config.h" #include #include #include #include #include #include #include #include #include "CompilerDriver_procurve_acl.h"
#include "AutomaticRules_iosacl.h"
#include "PolicyCompiler_procurve_acl.h"
#include "RoutingCompiler_procurve_acl.h"
#include "OSConfigurator_procurve.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "NamedObjectsManagerIOS.h"

#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/XMLTools.h"

#include "fwcompiler/Preprocessor.h" #include #include #include #include
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;

/*
 * Builds the one-line manifest for the ProCurve output: ';' (the
 * ProCurve comment prefix), MANIFEST_MARKER, "* " and the escaped name
 * of the main generated file. The cluster/firewall/member arguments are
 * not used. What the "*" flag means to the consumer of the manifest is
 * not visible here.
 */
QString CompilerDriver_procurve_acl::assembleManifest(Cluster*, Firewall*, bool)
{
    QString script_buffer;
    QTextStream script(&script_buffer, QIODevice::WriteOnly);
    script << ";" << MANIFEST_MARKER << "* " << this->escapeFileName(file_names[FW_FILE]) << endl;
    return script_buffer;
}

/*
 * Assembles the final ProCurve script from the "procurve" configlets.
 * The system configuration, policy, NAT and routing scripts compiled
 * earlier (driver members) are plugged into the script_skeleton
 * configlet; the generic prolog/epilog options are pointed at the
 * procurve-specific ones, then the shared assembleFwScriptInternal()
 * fills in the rest using ';' as the comment prefix.
 *
 * Arguments: cluster        - cluster object or NULL
 *            fw             - firewall being compiled
 *            cluster_member - true when fw is a member of cluster
 *            oscnf          - OS configurator used for this firewall
 * Returns:   the expanded script text.
 * Side effects: rewrites the "prolog_script"/"epilog_script" firewall options.
 */
QString CompilerDriver_procurve_acl::assembleFwScript(Cluster *cluster, Firewall *fw, bool cluster_member, OSConfigurator *oscnf)
{
    Configlet script_skeleton(fw, "procurve", "script_skeleton");
    Configlet top_comment(fw, "procurve", "top_comment");

    script_skeleton.setVariable("system_configuration_script", QString::fromUtf8(system_configuration_script.c_str()));
    script_skeleton.setVariable("policy_script", QString::fromUtf8(policy_script.c_str()));
    script_skeleton.setVariable("nat_script", QString::fromUtf8(nat_script.c_str()));
    script_skeleton.setVariable("routing_script", QString::fromUtf8(routing_script.c_str()));

    FWOptions* options = fw->getOptionsObject();
    options->setStr("prolog_script", options->getStr("procurve_acl_prolog_script"));
    options->setStr("epilog_script", options->getStr("procurve_acl_epilog_script"));

    assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, ";", true);
    return script_skeleton.expand();
}

/*
 * Entry point of the ProCurve compile. The body continues beyond this
 * listing; only its first part is documented here.
 */
QString CompilerDriver_procurve_acl::run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id)
{
    Cluster *cluster = NULL;
    Firewall *fw = NULL;

    getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);

    try
    {
        clearReadOnly(fw);

        // Copy rules from the cluster object
        populateClusterElements(cluster, fw);

        commonChecks2(cluster, fw);

        // Note that fwobjectname may be different from the name of the
        // firewall fw This happens when we compile a member of a cluster
        current_firewall_name = fw->getName().c_str();

        determineOutputFileNames(cluster, fw, !cluster_id.empty(), QStringList(""), QStringList("fw"), QStringList(""));

        FWOptions* options = fw->getOptionsObject();

        // An unset firmware version defaults to "K.13".
        string fwvers = fw->getStr("version");
        if (fwvers == "") fw->setStr("version", "K.13");

        string platform = fw->getStr("platform");

        // Exactly one ACL install mode is expected; when none of the three
        // is set, pick one based on procurve_acl_add_clear_statements.
        bool procurve_acl_acl_basic = options->getBool("procurve_acl_acl_basic");
        bool procurve_acl_acl_no_clear = options->getBool("procurve_acl_acl_no_clear");
        bool procurve_acl_acl_substitution = options->getBool("procurve_acl_acl_substitution");
        bool procurve_acl_add_clear_statements = options->getBool("procurve_acl_add_clear_statements");

        if ( !procurve_acl_acl_basic && !procurve_acl_acl_no_clear && !procurve_acl_acl_substitution )
        {
            if ( procurve_acl_add_clear_statements )
options->setBool("procurve_acl_acl_basic",true); else options->setBool("procurve_acl_acl_no_clear",true); } std::auto_ptr oscnf(new OSConfigurator_procurve(objdb, fw, false)); oscnf->prolog(); oscnf->processFirewallOptions(); list all_policies = fw->getByType(Policy::TYPENAME); try { AutomaticRules_iosacl auto_rules(fw, persistent_objects); auto_rules.addSshAccessRule(); } catch (FWException &ex) { abort(ex.toString()); } // assign unique rule ids that later will be used to generate // chain names. This should be done after calls to // findImportedRuleSets() // NB: these ids are not used by this compiler assignUniqueRuleIds(all_policies); vector ipv4_6_runs; if (!single_rule_compile_on) system_configuration_script = safetyNetInstall(fw); NamedObjectsManagerIOS named_objects_manager(persistent_objects, fw); // command line options -4 and -6 control address family for which // script will be generated. If "-4" is used, only ipv4 part will // be generated. If "-6" is used, only ipv6 part will be generated. // If neither is used, both parts will be done. 
if (options->getStr("ipv4_6_order").empty() || options->getStr("ipv4_6_order") == "ipv4_first") { if (ipv4_run) ipv4_6_runs.push_back(AF_INET); if (ipv6_run) ipv4_6_runs.push_back(AF_INET6); } if (options->getStr("ipv4_6_order") == "ipv6_first") { if (ipv6_run) ipv4_6_runs.push_back(AF_INET6); if (ipv4_run) ipv4_6_runs.push_back(AF_INET); } string clear_commands; string object_groups_definitions; for (vector::iterator i=ipv4_6_runs.begin(); i!=ipv4_6_runs.end(); ++i) { int policy_af = *i; bool ipv6_policy = (policy_af == AF_INET6); // Count rules for each address family int policy_count = 0; for (list::iterator p=all_policies.begin(); p!=all_policies.end(); ++p) { Policy *policy = Policy::cast(*p); if (policy->matchingAddressFamily(policy_af)) policy_count++; } if (policy_count) { std::auto_ptr prep(new Preprocessor(objdb, fw, false)); if (inTestMode()) prep->setTestMode(); if (inEmbeddedMode()) prep->setEmbeddedMode(); prep->compile(); } for (list::iterator p=all_policies.begin(); p!=all_policies.end(); ++p ) { Policy *policy = Policy::cast(*p); if (!policy->matchingAddressFamily(policy_af)) continue; PolicyCompiler_procurve_acl c(objdb, fw, ipv6_policy, oscnf.get()); c.setNamedObjectsManager(&named_objects_manager); c.setSourceRuleSet( policy ); c.setRuleSetName(policy->getName()); c.setPersistentObjects(persistent_objects); c.setSingleRuleCompileMode(single_rule_id); if (inTestMode()) c.setTestMode(); if (inEmbeddedMode()) c.setEmbeddedMode(); c.setDebugLevel( dl ); if (rule_debug_on) c.setDebugRule( drp ); c.setVerbose( verbose ); if ( c.prolog() > 0 ) { c.compile(); c.epilog(); if (!single_rule_compile_on) { if (ipv6_policy) { policy_script += "\n\n"; policy_script += "; ================ IPv6\n"; policy_script += "\n\n"; } else { policy_script += "\n\n"; policy_script += "; ================ IPv4\n"; policy_script += "\n\n"; } } if (c.haveErrorsAndWarnings()) { all_errors.push_back(c.getErrors("").c_str()); } policy_script += c.getCompiledScript(); 
clear_commands += c.printClearCommands(); //named_objects_manager.saveObjectGroups(); } else info(" Nothing to compile in Policy"); } if (!ipv6_policy) { list all_routing = fw->getByType(Routing::TYPENAME); RuleSet *routing = RuleSet::cast(all_routing.front()); // currently routing is supported only for ipv4 RoutingCompiler_procurve_acl r(objdb, fw, false, oscnf.get()); r.setNamedObjectsManager(&named_objects_manager); r.setSourceRuleSet(routing); r.setRuleSetName(routing->getName()); r.setPersistentObjects(persistent_objects); r.setSingleRuleCompileMode(single_rule_id); if (inTestMode()) r.setTestMode(); if (inEmbeddedMode()) r.setEmbeddedMode(); r.setDebugLevel( dl ); if (rule_debug_on) r.setDebugRule( drp ); r.setVerbose( verbose ); if ( r.prolog() > 0 ) { r.compile(); r.epilog(); if (r.haveErrorsAndWarnings()) { all_errors.push_back(r.getErrors("").c_str()); } routing_script += r.getCompiledScript(); } else info(" Nothing to compile in Routing"); } } /* * compilers detach persistent objects when they finish, this * means at this point library persistent_objects is not part * of any object tree. 
*/ objdb->reparent(persistent_objects); if (haveErrorsAndWarnings()) { all_errors.push_front(getErrors("").c_str()); } object_groups_definitions += named_objects_manager.getNamedObjectsDefinitions(); if (single_rule_compile_on) { return formSingleRuleCompileOutput( QString::fromUtf8( (object_groups_definitions + policy_script + routing_script).c_str())); } if ( fw->getOptionsObject()->getBool("procurve_acl_acl_basic") || fw->getOptionsObject()->getBool("procurve_acl_acl_substitution")) { clear_commands += named_objects_manager.getClearCommands() + "\n"; } system_configuration_script += clear_commands; system_configuration_script += object_groups_definitions; QString script_buffer = assembleFwScript( cluster, fw, !cluster_id.empty(), oscnf.get()); QString ofname = getAbsOutputFileName(file_names[FW_FILE]); info("Output file name: " + ofname.toStdString()); QFile fw_file(ofname); if (fw_file.open(QIODevice::WriteOnly)) { QTextStream fw_str(&fw_file); fw_str << script_buffer; fw_file.close(); fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup | QFile::ReadOther | QFile::ExeOwner | QFile::ExeGroup | QFile::ExeOther ); info(" Compiled successfully"); } else { QString err(" Failed to open file %1 for writing: %2; Current dir: %3"); abort(err.arg(fw_file.fileName()) .arg(fw_file.error()).arg(QDir::current().path()).toStdString()); } if (!all_errors.isEmpty()) status = BaseCompiler::FWCOMPILER_WARNING; } catch (FWException &ex) { status = BaseCompiler::FWCOMPILER_ERROR; return QString::fromUtf8(ex.toString().c_str()); } return ""; } fwbuilder-5.3.7/src/cisco_lib/Helper.cpp000066400000000000000000000352631303637203600201650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "Helper.h" #include #include #include #include #include #include #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; // #define DEBUG_NETZONE_OPS 1 static unsigned long calculateDimension(FWObject* obj) { if (Group::cast(obj)!=NULL) { unsigned long res=0; for (FWObject::iterator i1=obj->begin(); i1!=obj->end(); ++i1) { unsigned long n=calculateDimension( *i1 ); if (n==LONG_MAX) return n; if (LONG_MAX-resisAny()) return LONG_MAX; return a->dimension(); } } return 0; } void Helper::expand_group_recursive(FWObject *o,list &ol) { if (Group::cast( o )!=NULL) { for (FWObject::iterator i2=o->begin(); i2!=o->end(); ++i2) { FWObject *o1= *i2; if (FWReference::cast(o1)!=NULL) o1=FWReference::cast(o1)->getPointer(); assert(o1); expand_group_recursive(o1,ol); } } else { ol.push_back( o ); } } int Helper::findInterfaceByAddress(Address *obj) { return findInterfaceByAddress(obj->getAddressPtr(), obj->getNetmaskPtr()); } /* * ticket #1293 * Weird corner case: user made a mistake setting netmask of an * intrface to 0.0.0.0, which made this interface match any address. * At the same time, this interface was marked as "unprotected". 
So, * if we get an interface from helper.findInterfaceByNetzoneOrAll() * but this interface is unprotected, issue a warning and use all * interfaces instead. */ int Helper::findInterfaceByAddress(const InetAddr *addr, const InetAddr *nm) { if (addr==NULL) return -1; #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByAddress"; cerr << " addr=" << addr->toString(); cerr << " nm=" << nm->toString(); cerr << endl; #endif Firewall *fw = compiler->fw; list l2 = fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface = Interface::cast(*i); if (iface->isDedicatedFailover()) continue; if (iface->isUnprotected()) continue; #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByAddress"; cerr << " intf=" << iface->getName(); cerr << endl; #endif FWObjectTypedChildIterator j = iface->findByType((addr->isV4())?IPv4::TYPENAME:IPv6::TYPENAME); for (; j!=j.end(); ++j) { const Address *i_addr = Address::constcast(*j); #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByAddress"; cerr << " i_addr=" << i_addr->getName(); cerr << endl; cerr << " " << i_addr->getAddressPtr()->toString(); cerr << " " << i_addr->getNetmaskPtr()->toString(); cerr << endl; #endif if (nm != NULL) { InetAddrMask interface_subnet(*(i_addr->getAddressPtr()), *(i_addr->getNetmaskPtr())); InetAddrMask other_subnet(*addr, *nm); #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByAddress"; cerr << " addr=" << other_subnet.toString(); cerr << " intf=" << iface->getName() << " " << interface_subnet.toString(); cerr << endl; #endif vector ovr = libfwbuilder::getOverlap(interface_subnet, other_subnet); #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByAddress"; cerr << " overlap:"; cerr << " ovr.size()=" << ovr.size(); if (ovr.size() > 0) cerr << " ovr.front()=" << ovr.front().toString(); cerr << endl; #endif if (ovr.size()==0) continue; // if interface_subnet is equal or wider than other_subnet, // getOverlap() returns subnet object equal to 
other_subnet // If other_subnet is wider, returned object is equal // to interface_subnet. If they intersect but one does not fit // completely in the other, returned object is not equal // to either. if (ovr.front() == other_subnet) { return iface->getId(); } } else { if ( i_addr->belongs(*addr) ) return iface->getId(); } } } return -1; } int Helper::findInterfaceByNetzone(Address *obj) { if (IPv4::isA(obj)) { InetAddr host_netmask("255.255.255.255"); return findInterfaceByNetzone(obj->getAddressPtr(), &host_netmask); } else return findInterfaceByNetzone(obj->getAddressPtr(), obj->getNetmaskPtr()); } /** * finds interface of the firewall associated with the netzone * that object 'obj' belongs to. Returns interface ID * */ int Helper::findInterfaceByNetzone(const InetAddr *addr, const InetAddr *nm) throw(FWException) { #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByNetzone"; cerr << " matching to"; cerr << " addr=" << addr; if (addr) cerr << " " << addr->toString(); cerr << " nm=" << nm; if (nm) cerr << " " << nm->toString(); cerr << endl; #endif Firewall *fw = compiler->fw; map zones; list l2 = fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface = Interface::cast(*i); if (iface->isDedicatedFailover()) continue; if (iface->isUnprotected()) continue; // NOTE: "network_zone" is globally unique string ID int netzone_id = FWObjectDatabase::getIntId(iface->getStr("network_zone")); if (netzone_id != -1) { FWObject *netzone = fw->getRoot()->findInIndex(netzone_id); list nz; expand_group_recursive(netzone, nz); #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByNetzone"; cerr << " netzone_id=" << netzone_id << " " << iface->getStr("network_zone") << " " << netzone->getName() << endl; #endif for (list::iterator j=nz.begin(); j!=nz.end(); ++j) { Address *netzone_addr = Address::cast(*j); if (netzone_addr == NULL) continue; #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByNetzone"; cerr << " " << 
netzone_addr->getName() << " " << netzone_addr->getAddressPtr()->toString() << endl; #endif // if addr==NULL, return id of the interfacce that has // net_zone=="any" if (addr==NULL) { if (netzone_addr->getId()==FWObjectDatabase::ANY_ADDRESS_ID) return iface->getId(); // id of the interface } else { // see SF bug 3213019 // skip ipv6 addresses in network zone group if (netzone_addr->getAddressPtr()->addressFamily() != addr->addressFamily()) continue; const InetAddr *nz_addr = netzone_addr->getAddressPtr(); const InetAddr *nz_netm = netzone_addr->getNetmaskPtr(); if (nm != NULL && nz_netm != NULL) { InetAddrMask nz_subnet(*nz_addr, *nz_netm); InetAddrMask other_subnet(*addr, *nm); vector ovr = libfwbuilder::getOverlap(nz_subnet, other_subnet); #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByNetzone"; cerr << " addr=" << other_subnet.toString(); cerr << " nz=" << nz_subnet.toString(); cerr << " overlap:"; cerr << " ovr.size()=" << ovr.size(); if (ovr.size() > 0) cerr << " ovr.front()=" << ovr.front().toString(); cerr << endl; #endif if (ovr.size()==0) continue; // if nz_subnet is equal or wider than other_subnet, // getOverlap() returns subnet object equal to other_subnet // If other_subnet is wider, returned object is equal // to nz_subnet. If they intersect but one does not fit // completely in the other, returned object is not equal // to either. 
if (ovr.front() == other_subnet) { zones[iface->getId()] = netzone_addr; #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByNetzone"; cerr << " match" << endl; #endif } } else { if (netzone_addr->belongs(*addr)) { zones[iface->getId()] = netzone_addr; #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByNetzone"; cerr << " match" << endl; #endif } } } } } } /* * now compare dimensions of all netzones that contain address obj and * pick the one with smallest dimension */ int res_id = -1; unsigned long res_dim = LONG_MAX; for (map::iterator i=zones.begin(); i!=zones.end(); ++i) { int iface_id = (*i).first; FWObject *netzone = (*i).second; unsigned long dim = calculateDimension(netzone); #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByNetzone"; cerr << " netzone=" << netzone->getName() << " dim=" << dim << " res_dim=" << res_dim << endl; #endif if (dim<=res_dim) { res_id = iface_id; res_dim = dim; } } #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByNetzone"; cerr << " Result after scanning network zones: " << res_id << endl; #endif /* * Subnets defined by addresses of interfaces are automatically part * of the corresponding network zones */ if (res_id == -1) res_id = findInterfaceByAddress(addr, nm); if (res_id == -1) { QString err = QObject::tr("Can not find interface with network zone " "that includes address '%1%2'"); throw(FWException(err .arg((addr)?addr->toString().c_str():"NULL") .arg((nm)?QString("/%1").arg(nm->toString().c_str()):"") .toStdString())); } #if DEBUG_NETZONE_OPS cerr << "Helper::findInterfaceByNetzone"; cerr << " returning " << res_id << endl; #endif return res_id; } list Helper::getAllInterfaceIDs() { Firewall *fw = compiler->fw; list intf_id_list; FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); for ( ; i!=i.end(); ++i) { Interface *ifs = Interface::cast(*i); assert(ifs); if (ifs->isUnprotected()) continue; // skip! 
intf_id_list.push_back( (*i)->getId() ); } return intf_id_list; } list Helper::findInterfaceByNetzoneOrAll(RuleElement *re) { list intf_id_list; if (re->isAny()) { return getAllInterfaceIDs(); } else { FWObject *fo = re->front(); if (FWReference::cast(fo)!=NULL) fo=FWReference::cast(fo)->getPointer(); Address *a = Address::cast(fo); if (a==NULL) { Rule *rule = Rule::cast(re->getParent()); Q_UNUSED(rule); compiler->abort( re->getParent(), string("findInterfaceByNetzoneOrAll failed to retrieve first " "object from the rule element; is argument not of " "the type RuleElementSrc or RuleElementDst ?")); return intf_id_list; } try { int intf_id = findInterfaceByNetzone(a); intf_id_list.push_back(intf_id); } catch(FWException &ex) { // could not find interface with netzone to match address 'a' // will assign rule to all interfaces. Act as if all interfaces // had network zone 'any' and each matches this address. // issue warning only if platform uses netwrk zones. bool supports_network_zones = Resources::getTargetCapabilityBool( compiler->fw->getStr("platform"), "network_zones"); if (supports_network_zones) compiler->warning(ex.toString()); FWObjectTypedChildIterator i = compiler->fw->findByType( Interface::TYPENAME); for ( ; i!=i.end(); ++i) { Interface *ifs = Interface::cast(*i); intf_id_list.push_back( ifs->getId() ); } } } return intf_id_list; } fwbuilder-5.3.7/src/cisco_lib/Helper.h000066400000000000000000000046001303637203600176210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __HELPER_HH #define __HELPER_HH #include #include #include #include #include namespace fwcompiler { class Helper { fwcompiler::Compiler *compiler; public: Helper(fwcompiler::Compiler *comp) { compiler=comp; } /** * finds interface of the firewall to whose subnet object * 'obj' belongs to. Returns interface ID */ int findInterfaceByAddress(const libfwbuilder::InetAddr *a, const libfwbuilder::InetAddr *nm=NULL); int findInterfaceByAddress(libfwbuilder::Address *obj); /** * finds interface of the firewall associated with the netzone * that object 'obj' belongs to. Returns interface ID */ int findInterfaceByNetzone(const libfwbuilder::InetAddr *a, const libfwbuilder::InetAddr *nm=NULL) throw(libfwbuilder::FWException); int findInterfaceByNetzone(libfwbuilder::Address *obj); std::list findInterfaceByNetzoneOrAll( libfwbuilder::RuleElement *re); std::list getAllInterfaceIDs(); /** * recursively expands object 'o' and places all its children * objects in the list 'ol'. */ void expand_group_recursive(libfwbuilder::FWObject *o, std::list &ol); }; }; #endif fwbuilder-5.3.7/src/cisco_lib/IOSObjectGroup.cpp000066400000000000000000000076171303637203600215460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "IOSObjectGroup.h" #include "fwbuilder/Address.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Network.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; const char *IOSObjectGroup::TYPENAME={"IOSObjectGroup"}; QString IOSObjectGroup::groupMemberToString(FWObject *obj, NamedObjectsManager*) throw(libfwbuilder::FWException) { ostringstream ostr; switch (getObjectGroupType()) { case NETWORK: { Address *a = Address::cast(obj); assert(a!=NULL); if (AddressRange::cast(a)) { const InetAddr &start = AddressRange::cast(a)->getRangeStart(); const InetAddr &end = AddressRange::cast(a)->getRangeEnd(); ostr << "range " << start.toString() << " " << end.toString(); } else { const InetAddr *addr = a->getAddressPtr(); if (Network::cast(obj)!=NULL) { const InetAddr *mask = a->getNetmaskPtr(); // Note: the syntax is "A.B.C.D /NN" (there must be space before /) ostr << addr->toString() << " /" << mask->getLength(); } else { ostr << "host " << addr->toString(); } } break; } case PROTO: { Service *s = Service::cast(obj); assert(s!=NULL); ostr << s->getProtocolNumber(); break; } case ICMP_TYPE: { ostr << "icmp "; ICMPService *s = ICMPService::cast(obj); assert(s!=NULL); if ( s->getInt("type")== -1) ostr << ""; else ostr << s->getInt("type"); break; } case TCP_SERVICE: case UDP_SERVICE: { if (getObjectGroupType()==TCP_SERVICE) ostr << "tcp "; else ostr << "udp "; TCPUDPService *s = 
TCPUDPService::cast(obj); assert(s!=NULL); int rs = s->getDstRangeStart(); int re = s->getDstRangeEnd(); if (rs<0) rs = 0; if (re<0) re = 0; if (rs>0 || re>0) { if (rs==re) ostr << "eq " << rs; else ostr << "range " << rs << " " << re; } else ostr << "range 0 65535"; break; } default: throw FWException("Unknown object group type"); } return ostr.str().c_str(); } string IOSObjectGroup::getObjectGroupClass() { switch (this->getObjectGroupType()) { case NETWORK: return "network"; case PROTO: case ICMP_TYPE: case TCP_SERVICE: case UDP_SERVICE: return "service"; default: throw FWException("Unknown object group type"); } } string IOSObjectGroup::getObjectGroupHeader() { ostringstream ostr; ostr << "object-group " << getObjectGroupClass() << " " << this->getName(); return ostr.str(); } string IOSObjectGroup::getObjectGroupFooter() { return "exit"; } fwbuilder-5.3.7/src/cisco_lib/IOSObjectGroup.h000066400000000000000000000027661303637203600212130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IOSOBJECTGROUP_HH #define __IOSOBJECTGROUP_HH #include "BaseObjectGroup.h" namespace fwcompiler { class IOSObjectGroup : public BaseObjectGroup { public: IOSObjectGroup() : BaseObjectGroup() { } virtual ~IOSObjectGroup() {}; DECLARE_FWOBJECT_SUBTYPE(IOSObjectGroup); virtual std::string getObjectGroupClass(); virtual std::string getObjectGroupHeader(); virtual std::string getObjectGroupFooter(); virtual QString groupMemberToString( libfwbuilder::FWObject *obj, NamedObjectsManager *named_obj_manager) throw(libfwbuilder::FWException); }; } #endif fwbuilder-5.3.7/src/cisco_lib/NATCompiler_asa8.cpp000066400000000000000000000373121303637203600217740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NATCompiler_asa8.h" #include "NamedObject.h" #include "ASA8ObjectGroup.h" #include "NamedObjectsAndGroupsSupport.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/NAT.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Network.h" #include "fwbuilder/Resources.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FailoverClusterGroup.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; NATCompiler_asa8::NATCompiler_asa8(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf) : NATCompiler_pix(_db, fw, ipv6_policy, _oscnf) { } NATCompiler_asa8::~NATCompiler_asa8() { } /* * Option "translate dns" can not be used if the rule has "destination" * part. 
*/ bool NATCompiler_asa8::VerifyValidityOfDNSOption::processNext() { NATRule *rule = getNext(); if (rule==NULL) return false; FWOptions *ropt = rule->getOptionsObject(); if (ropt->getBool("asa8_nat_dns")) { Address *odst = compiler->getFirstODst(rule); assert(odst); if (!odst->isAny()) { compiler->abort(rule, "Option 'translate dns' can not be used in combination " "with destination matching or translation"); } Service *osrv = compiler->getFirstOSrv(rule); assert(osrv); if (!osrv->isAny()) { compiler->abort(rule, "Option 'translate dns' can not be used in combination " "with service matching or translation"); } } tmp_queue.push_back(rule); return true; } /* * After we call CreateObjectGroupsForTSrc to create object group for * TSrc, it can be one of the following: * * - any * - single address * - single group (object group that was created by CreateObjectGroupsForTSrc) * - an address and interface * - a group and interface * * CreateObjectGroups::processNext() always puts interface first and group or * address second in TSrc */ bool NATCompiler_asa8::VerifyValidityOfTSrc::processNext() { NATRule *rule = getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElementTSrc *tsrc_re = rule->getTSrc(); assert(tsrc_re); if (tsrc_re->isAny()) return true; if (tsrc_re->size()==1) return true; if (tsrc_re->size()==2) { FWObject *obj1 = NULL; FWObject *obj2 = NULL; for (FWObject::iterator it=tsrc_re->begin(); it!=tsrc_re->end(); ++it) { if (obj1 == NULL) obj1 = FWReference::getObject(*it); if (obj2 == NULL) obj2 = FWReference::getObject(*it); } if (Interface::isA(obj1) && Address::cast(obj2)!=NULL) return true; if (Interface::isA(obj1) && Group::cast(obj2)!=NULL) return true; QString err("Invalid combination of objects in TSrc: %1 (%2) and %3 (%4) "); compiler->abort( rule, err.arg(obj1->getName().c_str()).arg(obj1->getTypeName().c_str()) .arg(obj2->getName().c_str()).arg(obj2->getTypeName().c_str()) .toStdString()); } compiler->abort(rule, "TSrc has >2 
objects"); return true; } bool NATCompiler_asa8::VerifyRules::processNext() { NATRule *rule = getNext(); if (rule==NULL) return false; string version = compiler->fw->getStr("version"); RuleElementOSrc *osrc=rule->getOSrc(); assert(osrc); RuleElementODst *odst=rule->getODst(); assert(odst); RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); RuleElementTSrc *tsrc=rule->getTSrc(); assert(tsrc); RuleElementTDst *tdst=rule->getTDst(); assert(tdst); RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv); if (rule->getRuleType()==NATRule::LB) { compiler->abort( rule, "Load balancing rules are not supported."); return true; } // if (rule->getRuleType()==NATRule::NONAT && (!osrv->isAny() || !tsrv->isAny())) // { // compiler->abort( // rule, // "'no nat' rules should have no services"); // return true; // } if (osrc->getNeg() || odst->getNeg() || osrv->getNeg() || tsrc->getNeg() || tdst->getNeg() || tsrv->getNeg()) { compiler->abort( rule, "Negation is not supported in NAT rules."); return true; } if (osrv->size()!=1 && !tsrv->isAny()) { compiler->abort( rule, "Can not translate multiple services into one service in one rule. 
"); return true; } if (tsrv->size()!=1) { compiler->abort( rule, "Translated service should be 'Original' or should contain " "single object."); return true; } if ( Group::cast( compiler->getFirstTSrv(rule) )!=NULL) { compiler->abort( rule, "Can not use group in translated service."); return true; } if (rule->getRuleType()==NATRule::SNetnat && !tsrc->isAny() ) { Network *a1=Network::cast(compiler->getFirstOSrc(rule)); Network *a2=Network::cast(compiler->getFirstTSrc(rule)); if ( a1==NULL || a2==NULL || a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() ) { compiler->abort( rule, "Original and translated source should both be networks " "of the same size"); return true; } } if (rule->getRuleType()==NATRule::DNetnat && !tsrc->isAny() ) { Network *a1=Network::cast(compiler->getFirstODst(rule)); Network *a2=Network::cast(compiler->getFirstTDst(rule)); if ( a1==NULL || a2==NULL || a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() ) { compiler->abort( rule, "Original and translated destination should both be networks " "of the same size."); return true; } } if (rule->getRuleType()==NATRule::SNetnat) rule->setRuleType(NATRule::SNAT); if (rule->getRuleType()==NATRule::DNetnat) rule->setRuleType(NATRule::DNAT); if ((rule->getRuleType()==NATRule::DNAT || rule->getRuleType()==NATRule::SDNAT) && odst->isAny()) { compiler->abort( rule, "Oiginal destination can not be \"any\" in rules that translate " "destination"); return true; } tmp_queue.push_back(rule); return true; } bool NATCompiler_asa8::verifyInterfacesInNatRule::processNext() { NATRule *rule = getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); return true; } void NATCompiler_asa8::compile() { info(" Compiling NAT rules for " + fw->getName()); Compiler::compile(); add( new Begin( "Begin processing")); add( new printTotalNumberOfRules()); add( new singleRuleFilter()); /* REMOVE_OLD_OPTIMIZATIONS if (fw->getOptionsObject()->getBool( "pix_optimize_default_nat")) add (new 
optimizeDefaultNAT( "optimize commands 'nat (interface) 0.0.0.0 0.0.0.0'")); */ add( new recursiveGroupsInOSrc("check for recursive groups in OSRC")); add( new recursiveGroupsInODst("check for recursive groups in ODST")); add( new recursiveGroupsInOSrv("check for recursive groups in OSRV")); add( new recursiveGroupsInTSrc("check for recursive groups in TSRC")); add( new recursiveGroupsInTDst("check for recursive groups in TDST")); add( new recursiveGroupsInTSrv("check for recursive groups in TSRV")); add( new emptyGroupsInOSrc("check for empty groups in OSRC")); add( new emptyGroupsInODst("check for empty groups in ODST")); add( new emptyGroupsInOSrv("check for empty groups in OSRV")); add( new emptyGroupsInTSrc("check for empty groups in TSRC")); add( new emptyGroupsInTDst("check for empty groups in TDST")); add( new emptyGroupsInTSrv("check for empty groups in TSRV")); add( new ExpandGroups("expand groups")); /* * We do not support ipv6 yet */ add( new DropIPv6RulesWithWarning( "drop ipv6 rules", "Rule has been suppressed because it contains IPv6 objects and " "Firewall Builder does not support IPv6 for this platform")); add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC")); add( new eliminateDuplicatesInODST("eliminate duplicates in ODST")); add( new eliminateDuplicatesInOSRV("eliminate duplicates in OSRV")); add( new processMultiAddressObjectsInOSrc( "process MultiAddress objects in OSrc")); add( new processMultiAddressObjectsInODst( "process MultiAddress objects in ODst")); add( new classifyNATRule("determine NAT rule types")); add( new VerifyRules("verify rules" )); // ReplaceFirewallObjectsODst, ReplaceFirewallObjectsODst and // UseFirewallInterfaces assume there is one object in ODst, // TSrc and TDst rule elements. 
This should have been assured // by inspector VerifyRules add( new ReplaceFirewallObjectsODst("replace fw object in ODst" )); add( new ReplaceFirewallObjectsTSrc("replace fw object in TSrc" )); add( new UseFirewallInterfaces( "replace host objects with firewall's interfaces if " "the have the same address")); // ExpandMultipleAddresses acts on different rule elements // depending on the rule type. // Also using overloaded virtual function _expand_interface add( new ExpandMultipleAddresses("expand multiple addresses")); add( new MACFiltering( "check for MAC address filtering")); // ASA8 nat commands support address range directly. // add( new ExpandAddressRanges("expand address range objects")); add( new checkForUnnumbered("check for unnumbered interfaces")); add( new splitByNetworkZonesForOSrc("split by netzone for OSrc")); //add( new groupServicesByProtocol("group services by protocol in OSrv")); add( new ConvertToAtomicForOSrv("convert to atomic for OSrv")); add( new ConvertToAtomicForTDst("convert to atomic for TDst")); add( new ConvertToAtomicForTSrv("convert to atomic for TSrv")); add( new AssignInterface("assign rules to interfaces" )); add( new verifyInterfacesInNatRule("verify assignment of interfaces")); add( new fillTranslatedSrv("fill translated service element" )); add( new verifyRuleElements( "verify rule elements for static NAT rules")); add( new processNONATRules("process NONAT" )); add( new VerifyValidityOfDNSOption( "Check validity of 'translate dns' option")); //add( new groupTCPUDP("split rules with TCP or UDP services")); add( new SpecialServicesOSrv( "check for special services" )); add( new CreateObjectGroupsForOSrc("create object groups for OSrc", named_objects_manager)); add( new CreateObjectGroupsForODst("create object groups for ODst", named_objects_manager)); add( new CreateObjectGroupsForOSrv("create object groups for OSrv", named_objects_manager)); // need special rule processor to create object groups in TSrc // because of a special 
tratment that an Interface object gets in TSrc add( new CreateObjectGroupsForTSrc("create object groups for TSrc", named_objects_manager)); add( new VerifyValidityOfTSrc("verify objects in TSrc")); /* REMOVE_OLD_OPTIMIZATIONS if (fw->getOptionsObject()->getBool("pix_optimize_default_nat")) add (new clearOSrc ("clear OSrc" )); */ /* WE_DO_NOT_USE_NATCMD_FOR_ASA8 add( new createNATCmd ("create NAT commands" )); add( new createStaticCmd ("create static commands" )); */ /* REMOVE_OLD_OPTIMIZATIONS add( new mergeNATCmd ("merge NAT commands" )); add( new SuppressDuplicateNONATStatics( "suppress duplicate NONAT statics" )); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); */ //add( new PrintClearCommands("Clear ACLs" )); add( new createNamedObjectsForNAT( "create named objects", named_objects_manager)); //add( new printObjectGroups( // "definitions of object groups", named_objects_manager)); add( new PrintRule("generate PIX code" )); add( new storeProcessedRules ("store processed rules" )); add( new simplePrintProgress ()); /* REMOVE_OLD_OPTIMIZATIONS bool pix_check_duplicate_nat = fw->getOptionsObject()->getBool("pix_check_duplicate_nat"); bool pix_check_overlapping_global_pools = fw->getOptionsObject()->getBool("pix_check_overlapping_global_pools"); bool pix_check_overlapping_statics = fw->getOptionsObject()->getBool("pix_check_overlapping_statics"); bool pix_check_overlapping_global_statics = fw->getOptionsObject()->getBool("pix_check_overlapping_global_statics"); if ( pix_check_duplicate_nat || pix_check_overlapping_global_pools || pix_check_overlapping_statics || pix_check_overlapping_global_statics ) { add( new createNewCompilerPass(" Detecting nat problems ...")); if ( pix_check_duplicate_nat ) add( new DetectDuplicateNAT(" Detect duplicate nat entries")); if ( pix_check_overlapping_global_pools ) add( new DetectGlobalPoolProblems( " Detect global pool overlapping" )); if ( pix_check_overlapping_statics ) add( new 
DetectOverlappingStatics( " Detect overlapping statics" )); if ( pix_check_overlapping_global_statics ) add( new DetectOverlappingGlobalPoolsAndStaticRules( " Detect overlapping global pools and statics" )); add( new simplePrintProgress ( )); } */ runRuleProcessors(); } string NATCompiler_asa8::printClearCommands() { ostringstream output; string version = fw->getStr("version"); string platform = fw->getStr("platform"); if ( !fw->getOptionsObject()->getBool("pix_acl_no_clear") && !inSingleRuleCompileMode()) { output << Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/pix_commands/clear_xlate") << endl; output << Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/pix_commands/clear_nat") << endl; } return output.str(); } fwbuilder-5.3.7/src/cisco_lib/NATCompiler_asa8.h000066400000000000000000000101151303637203600214310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _NATCOMPILER_ASA8_HH #define _NATCOMPILER_ASA8_HH #include "NATCompiler_pix.h" #include #include namespace fwcompiler { class NamedObject; class ASA8ObjectGroup; class NATCompiler_asa8 : public NATCompiler_pix { public: QString sanitizeObjectName(const QString &name); std::string createNetworkObjectCommand(libfwbuilder::Address *addr); std::string createServiceObjectCommand(libfwbuilder::Service *addr); /** * verifies correctness of the NAT rules. Some rule types * that were not supported in PIX v <8.3 are supported now, * so this rule processor is slightly different from * NATCompiler_pix::VerifyRules */ DECLARE_NAT_RULE_PROCESSOR(VerifyRules); /* * Check that TSrc has right combination of objects after * object group has been created. Call after CreateObjectGroupsForTSrc */ DECLARE_NAT_RULE_PROCESSOR(VerifyValidityOfTSrc); /* * Check if "translate dns" option can be used with the rule */ DECLARE_NAT_RULE_PROCESSOR(VerifyValidityOfDNSOption); /** * for #1954 Issue a warning when nat rule with the same interface * is used for the real and mapped interface, as in * nat (outside,outside) */ DECLARE_NAT_RULE_PROCESSOR(verifyInterfacesInNatRule); /** * Split rule to make sure objects in OSrc match network zones * of interfaces. We only need to do this for ASA 8.3 where we * support object-groups in "nat" rules. Older versions did * not support groups and so required all nat rules to be * atomic which achieved the same effect. */ class splitByNetworkZonesForOSrc : public splitByNetworkZonesForRE { public: splitByNetworkZonesForOSrc(const std::string &n) : splitByNetworkZonesForRE(n, libfwbuilder::RuleElementOSrc::TYPENAME) {} }; /** * prints single policy rule, assuming all groups have been * expanded, so source, destination and service hold exactly * one object each, and this object is not a group. 
Negation * should also have been taken care of before this method is * called. */ friend class PrintRule; class PrintRule : public NATCompiler_pix::PrintRule { QString printSingleObject(libfwbuilder::FWObject *obj); public: PrintRule(const std::string &n); virtual void printNONAT(libfwbuilder::NATRule *rule); virtual void printSNAT(libfwbuilder::NATRule *rule); virtual void printSDNAT(libfwbuilder::NATRule *rule); virtual void printDNAT(libfwbuilder::NATRule *rule); }; friend class NATCompiler_asa8::PrintRule; NATCompiler_asa8(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf); virtual ~NATCompiler_asa8(); virtual void compile(); virtual std::string printClearCommands(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/NATCompiler_asa8_writers.cpp000066400000000000000000000137461303637203600235600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NATCompiler_asa8.h" #include "NamedObject.h" #include "ASA8TwiceNatLogic.h" #include "NamedObjectsAndGroupsSupport.h" #include "NamedObjectsManager.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/NAT.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Network.h" #include "fwbuilder/Resources.h" #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; NATCompiler_asa8::PrintRule::PrintRule(const std::string &name) : NATCompiler_pix::PrintRule(name) { } void NATCompiler_asa8::PrintRule::printNONAT(libfwbuilder::NATRule *rule) { printSDNAT(rule); } void NATCompiler_asa8::PrintRule::printSNAT(libfwbuilder::NATRule *rule) { printSDNAT(rule); } void NATCompiler_asa8::PrintRule::printDNAT(libfwbuilder::NATRule *rule) { printSDNAT(rule); } QString NATCompiler_asa8::PrintRule::printSingleObject(FWObject *obj) { NATCompiler_asa8 *pix_comp = dynamic_cast(compiler); if (Address::cast(obj) && Address::cast(obj)->isAny()) return "any"; NamedObject* asa8_object = pix_comp->named_objects_manager->getNamedObject(obj); if (asa8_object) return asa8_object->getCommandWord(); if (BaseObjectGroup::cast(obj)!=NULL) return obj->getName().c_str(); if (Interface::isA(obj) && obj->isChildOf(compiler->fw)) return "interface"; QString err("Found unknown object '%1' in the NAT rule: it is not " "an ASA8 object, object group or an interface of the firewall"); compiler->abort(err.arg(obj->getName().c_str()).toStdString()); return ""; } void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule) { FWOptions *ropt = rule->getOptionsObject(); 
QStringList cmd; RuleElementOSrc *osrc_re = rule->getOSrc(); assert(osrc_re!=NULL); FWObject *osrc = FWReference::getObject(osrc_re->front()); RuleElementODst *odst_re = rule->getODst(); assert(odst_re!=NULL); FWObject *odst = FWReference::getObject(odst_re->front()); RuleElementOSrv *osrv_re = rule->getOSrv(); assert(osrv_re!=NULL); FWObject *osrv = FWReference::getObject(osrv_re->front()); RuleElementTSrc *tsrc_re = rule->getTSrc(); assert(tsrc_re!=NULL); Address *tdst = compiler->getFirstTDst(rule); assert(tdst); Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv); RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL); RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL); Interface *i_iface = Interface::cast( FWObjectReference::getObject(itf_in_re->front())); Interface *o_iface = Interface::cast( FWObjectReference::getObject(itf_out_re->front())); cmd << QString("nat (%1,%2)") .arg(i_iface->getLabel().c_str()) .arg(o_iface->getLabel().c_str()); cmd << "source"; switch (ASA8TwiceNatStaticLogic(rule).getType()) { case ASA8TwiceNatStaticLogic::STATIC: cmd << "static"; break; case ASA8TwiceNatStaticLogic::DYNAMIC: cmd << "dynamic"; break; } cmd << printSingleObject(osrc); if (tsrc_re->isAny()) cmd << printSingleObject(osrc); else { // TSrc can have one object, which can be either an address or // a group, or two objects in which case one must be an interface if (tsrc_re->size() == 1) { FWObject *tsrc = FWReference::getObject(tsrc_re->front()); cmd << printSingleObject(tsrc); } else { // first, print name of the address or group, then interface bool have_interface = false; for (FWObject::iterator it=tsrc_re->begin(); it!=tsrc_re->end(); ++it) { FWObject *obj = FWReference::getObject(*it); if (Interface::isA(obj)) { have_interface = true; continue; } else { cmd << printSingleObject(obj); break; } } if (have_interface) cmd << "interface"; } } // only need "destination" part if ODst is not any if (!odst_re->isAny()) { 
// ASA documentation says destination translation is always "static" cmd << "destination" << "static"; cmd << printSingleObject(odst); if (tdst->isAny()) cmd << printSingleObject(odst); else cmd << printSingleObject(tdst); } if (!osrv_re->isAny()) { cmd << "service"; cmd << printSingleObject(osrv); if (tsrv->isAny()) cmd << printSingleObject(osrv); else cmd << printSingleObject(tsrv); } if (ropt->getBool("asa8_nat_dns")) cmd << "dns"; cmd << QString("description \"%1\"").arg(rule->getLabel().c_str()); compiler->output << cmd.join(" ").toStdString() << endl; } fwbuilder-5.3.7/src/cisco_lib/NATCompiler_pix.cpp000066400000000000000000001273361303637203600217460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NATCompiler_pix.h" #include "NamedObjectsAndGroupsSupport.h" #include "NamedObjectsManager.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Network.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string NATCompiler_pix::myPlatformName() { return "pix"; } string _print_addr(const InetAddr* addr) { if (addr) return addr->toString(); return "NULL"; } NATCompiler_pix::NATCompiler_pix(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf) : NATCompiler(_db, fw, ipv6_policy, _oscnf) , helper(this) { } NATCompiler_pix::~NATCompiler_pix() { std::map::iterator it1; for (it1=nat_commands.begin(); it1!=nat_commands.end(); ++it1) { delete it1->second; } nat_commands.clear(); std::map::iterator it2; for (it2=static_commands.begin(); it2!=static_commands.end(); ++it2) { delete it2->second; } static_commands.clear(); nonat_rules.clear(); first_nonat_rule_id.clear(); } bool StaticCmd::operator==(const StaticCmd &other) { return (*oaddr == *(other.oaddr) && *iaddr == *(other.iaddr) && *osrv == *(other.osrv) && *tsrv == *(other.tsrv) && i_iface->getId() == other.i_iface->getId() && o_iface->getId() == other.o_iface->getId()); } /* * Do not expand interfaces in ODst and TSrc * */ void 
NATCompiler_pix::_expand_addr_recursive_pix(Rule *rule, FWObject *re, FWObject *s, list &ol, bool expand_cluster_interfaces_fully) { bool odst_or_tsrc = (re->getTypeName() == RuleElementODst::TYPENAME || re->getTypeName() == RuleElementTSrc::TYPENAME); list addrlist; for (FWObject::iterator i1=s->begin(); i1!=s->end(); ++i1) { FWObject *o = FWReference::getObject(*i1); assert(o); Address *addr = Address::cast(o); // this condition includes Host, Firewall and Interface if (addr && !addr->hasInetAddress()) { addrlist.push_back(o); continue; } // IPv4, IPv6, Network, NetworkIPv6 if (addr && addr->hasInetAddress() && MatchesAddressFamily(o)) { addrlist.push_back(o); continue; } if (o->getId() == FWObjectDatabase::ANY_ADDRESS_ID || MultiAddress::cast(o)!=NULL || Interface::cast(o) || physAddress::cast(o)) { addrlist.push_back(o); continue; } } if (addrlist.empty()) { if (RuleElement::cast(s)==NULL) ol.push_back(s); } else { for (list::iterator i2=addrlist.begin(); i2!=addrlist.end(); ++i2) { Interface *i2itf = Interface::cast(*i2); if (i2itf) { // if this is ODst or TSrc, just use interface if (odst_or_tsrc) { ol.push_back(i2itf); continue; } _expand_interface(rule, i2itf, ol, expand_cluster_interfaces_fully); continue; } _expand_addr_recursive_pix(rule, re, *i2, ol, expand_cluster_interfaces_fully); } } } void NATCompiler_pix::_expand_addr_recursive(Rule *rule, FWObject *re, list &ol, bool expand_cluster_interfaces_fully) { _expand_addr_recursive_pix(rule, re, re, ol, expand_cluster_interfaces_fully); } void NATCompiler_pix::_expand_interface(Rule *rule, Interface *iface, std::list &ol, bool expand_cluster_interfaces_fully) { Compiler::_expand_interface(rule, iface, ol, expand_cluster_interfaces_fully); } string NATCompiler_pix::getNATACLname(Rule *rule,int nat_id) { int n=-1; string res; do { n++; ostringstream os; os << rule->getUniqueId() << "." << nat_id << "." 
<< n; res=os.str(); } while (nat_acl_names.count(res)!=0); return res; } string NATCompiler_pix::getNATACLname(Rule *rule,string suffix) { int n=-1; string res; do { n++; ostringstream os; os << rule->getUniqueId(); if (!suffix.empty()) os << "." << suffix; os << "." << n; res=os.str(); } while (nat_acl_names.count(res)!=0); return res; } int NATCompiler_pix::prolog() { global_pool_no = 1; NAT *final_ruleset = new NAT(); final_ruleset->setName("Final NAT Rule Set"); persistent_objects->add( final_ruleset ); final_ruleset_id = final_ruleset->getId(); return NATCompiler::prolog(); } string NATCompiler_pix::debugPrintRule(Rule *r) { NATRule *rule=NATRule::cast(r); RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL); RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL); ostringstream os; switch (rule->getRuleType()) { case NATRule::NONAT: os << "NONAT Type: " << rule->getInt("nonat_type"); break; case NATRule::SNAT: { if ( ! rule->exists("nat_cmd") ) break; NATCmd *natcmd = nat_commands[ rule->getInt("nat_cmd") ]; if (natcmd != NULL) { os <<" NATCmd: "; os << " rule=[" << natcmd->rule_label << "]"; os << " id=" << natcmd->nat_id; os << " rule=" << natcmd->rule_label; os << " nat_acl_name=" << natcmd->nat_acl_name; os << " (" << nat_acl_names[natcmd->nat_acl_name] << ")"; os << " o_src=" << _print_addr(natcmd->o_src->getAddressPtr()); os << " o_dst=" << _print_addr(natcmd->o_dst->getAddressPtr()); os << " o_srv=" << natcmd->o_srv->getName(); os << " t_addr=" << _print_addr(natcmd->t_addr->getAddressPtr()); os << " ignore_global=" << string((natcmd->ignore_global)?"1":"0"); os << " ignore_nat=" << string((natcmd->ignore_nat)?"1":"0"); os << " ignore_nat_and_print_acl=" << string((natcmd->ignore_nat_and_print_acl)?"1":"0"); os << " use_nat_0_0=" << string((rule->getBool("use_nat_0_0"))?"1":"0"); } } break; case NATRule::DNAT: { if ( ! 
rule->exists("sc_cmd") ) break; StaticCmd *scmd=static_commands[ rule->getInt("sc_cmd") ]; if (scmd!=NULL) { string iaddr_str = _print_addr(scmd->iaddr->getAddressPtr()); string oaddr_str = _print_addr(scmd->oaddr->getAddressPtr()); os << " StaticCmd:"; os << " ignore=" << scmd->ignore_scmd_and_print_acl; os << " acl=" << scmd->acl_name; os << " (" << nat_acl_names[scmd->acl_name] << ")"; os << " iaddr=" << iaddr_str; os << " oaddr=" << oaddr_str; os << " osrc=" << _print_addr(scmd->osrc->getAddressPtr()); os << " osrv=" << scmd->osrv->getName(); os << " tsrv=" << scmd->tsrv->getName(); } } break; default: ; // TODO: should actually be always_assert } return NATCompiler::debugPrintRule(rule) + " " + " (type=" + rule->getRuleTypeAsString() + ") " + "use_nat_0_0=" + string((rule->getBool("use_nat_0_0"))?"1":"0") + " " + os.str(); } /* * store final nat rules in final rule set object in * persistent_obejcts. Note that we can't add the same rules since an * object can not be placed in two different places in the tree, so we * have to add copies. 
*/
// Rule processor: drain the queue and copy every remaining rule into the
// "Final NAT Rule Set" created by NATCompiler_pix::prolog() (looked up by
// final_ruleset_id). Copies are made with createNATRule() + duplicate()
// because the same object cannot live in two places in the tree.
//
// Returns: false when the queue is empty after slurp(), true otherwise.
// Side effects: appends one duplicated NATRule per queued rule to the
// final rule set object held in persistent_objects.
bool NATCompiler_pix::storeProcessedRules::processNext()
{
    // NOTE(review): the template argument of this dynamic_cast is missing in
    // this copy of the file (looks like markup stripping) — compare with the
    // original source before relying on it.
    NATCompiler_pix *pix_comp = dynamic_cast(compiler);
    FWObject *final_ruleset =
        compiler->persistent_objects->getRoot()->findInIndex(
            pix_comp->final_ruleset_id);

    // slurp() pulls every rule still upstream into tmp_queue; this
    // processor runs once over the whole set, not per rule.
    slurp();
    if (tmp_queue.size()==0) return false;

    // NOTE(review): the element type of this iterator is also missing in
    // this copy; it should be the queue's element type.
    for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
    {
        NATRule *rule = NATRule::cast( *k );
        NATRule *r = compiler->dbcopy->createNATRule();
        final_ruleset->add(r);
        r->duplicate(rule);
    }
    return true;
}

// Rule processor: reject NAT rule shapes that cannot be expressed as PIX
// "nat"/"static" commands and normalise the ones that can.
//
// Order matters: each failed check calls compiler->abort() with a message
// and returns true WITHOUT queueing the rule, so only the first violation
// found is reported. Whether abort() throws or returns depends on the
// compiler's error mode, which is not visible here.
//
// Checks performed (in this order):
//   - SDNAT (translate both source and destination) is rejected outright;
//     the ASA 8.3+ variant of this processor (NATCompiler_asa8::VerifyRules)
//     accepts it, which is the main difference between the two.
//   - LB rules are rejected.
//   - NONAT rules must not carry services in OSrv or TSrv.
//   - Negation on any rule element is rejected.
//   - For platform "pix" with version < 6.3 only: SNAT rules silently lose
//     their original destination (with a warning), DNAT rules must have
//     exactly one original destination, and a non-any original source in
//     DNAT only produces a warning.
//   - Multiple original services cannot be mapped onto one translated
//     service; the translated service must be exactly one non-group object.
//   - SNetnat/DNetnat require both networks to have the same prefix length,
//     then are retyped to SNAT/DNAT.
//
// Returns: false when there is no next rule; true otherwise (rule either
// queued in tmp_queue or aborted).
// Side effects: may clear ODst on old PIX SNAT rules and may change the
// rule type of SNetnat/DNetnat rules.
bool NATCompiler_pix::VerifyRules::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;

    string version = compiler->fw->getStr("version");

    if (rule->getRuleType()==NATRule::SDNAT)
    {
        compiler->abort(
            rule,
            "Rules that translate both source and destination are not supported.");
        return true;
    }

    // Only the "pix" platform gets the pre-6.3 restrictions below.
    bool version_lt_63= ( compiler->fw->getStr("platform")=="pix" &&
        libfwbuilder::XMLTools::version_compare(version, "6.3")<0);
    // fwsm is always above 6.3 - its OS is based on 6.3

    RuleElementOSrc *osrc=rule->getOSrc(); assert(osrc);
    RuleElementODst *odst=rule->getODst(); assert(odst);
    RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv);

    RuleElementTSrc *tsrc=rule->getTSrc(); assert(tsrc);
    RuleElementTDst *tdst=rule->getTDst(); assert(tdst);
    RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv);

    if (rule->getRuleType()==NATRule::LB)
    {
        compiler->abort(
            rule,
            "Load balancing rules are not supported.");
        return true;
    }

    if (rule->getRuleType()==NATRule::NONAT &&
        (!osrv->isAny() || !tsrv->isAny()))
    {
        compiler->abort(
            rule,
            "'no nat' rules should have no services");
        return true;
    }

    if (osrc->getNeg() || odst->getNeg() || osrv->getNeg() ||
        tsrc->getNeg() || tdst->getNeg() || tsrv->getNeg())
    {
        compiler->abort(
            rule,
            "Negation is not supported in NAT rules.");
        return true;
    }

    if (rule->getRuleType()==NATRule::SNAT)
    {
        // if ( tsrc->size()!=1)
        // compiler->abort("There should be no more than one object in translated source in the rule "+rule->getLabel());

        // Pre-6.3 PIX "nat" commands cannot match on destination, so the
        // rule is rewritten in place: ODst becomes "any" and the user is
        // warned that part of the rule has been dropped.
        if ( ! odst->isAny() && version_lt_63)  // can do on fwsm
        {
            compiler->warning(
                rule,
                "Original destination is ignored in 'nat' NAT rules "
                "when compiling for PIX v6.2 and earlier.");
            odst->clearChildren();
            odst->setAnyElement();
        }
    }

    if (rule->getRuleType()==NATRule::DNAT)
    {
        if ( odst->size()!=1 && version_lt_63)
        {
            compiler->abort(
                rule,
                "There should be no more than one object in original destination");
            return true;
        }

        // Unlike the SNAT case above, OSrc is not cleared here — only a
        // warning is issued and the element is left as the user wrote it.
        if ( ! osrc->isAny() && version_lt_63)
            compiler->warning(
                rule,
                "Original source is ignored in 'static' NAT rules "
                "when compiling for PIX v6.2 and earlier.");
    }

    if (osrv->size()!=1 && !tsrv->isAny())
    {
        compiler->abort(
            rule,
            "Can not translate multiple services into one service in one rule. ");
        return true;
    }

    if (tsrv->size()!=1)
    {
        compiler->abort(
            rule,
            "Translated service should be 'Original' or should contain single object.");
        return true;
    }

    if ( Group::cast( compiler->getFirstTSrv(rule) )!=NULL)
    {
        compiler->abort(
            rule,
            "Can not use group in translated service.");
        return true;
    }

    // Net-to-net translation is only well defined when both sides are
    // Network objects with the same prefix length; anything else (NULL
    // cast, mismatched masks) is rejected.
    if (rule->getRuleType()==NATRule::SNetnat && !tsrc->isAny() )
    {
        Network *a1=Network::cast(compiler->getFirstOSrc(rule));
        Network *a2=Network::cast(compiler->getFirstTSrc(rule));
        if ( a1==NULL || a2==NULL ||
             a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() )
        {
            compiler->abort(
                rule,
                "Original and translated source should both be networks of the same size");
            return true;
        }
    }

    // NOTE(review): this branch gates on tsrc->isAny() but compares ODst
    // against TDst. If TSrc is "any" on a DNetnat rule the size check is
    // skipped entirely — confirm whether the guard was meant to be
    // tdst->isAny(). The ASA8 variant of this processor has the same guard.
    if (rule->getRuleType()==NATRule::DNetnat && !tsrc->isAny() )
    {
        Network *a1=Network::cast(compiler->getFirstODst(rule));
        Network *a2=Network::cast(compiler->getFirstTDst(rule));
        if ( a1==NULL || a2==NULL ||
             a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() )
        {
            compiler->abort(
                rule,
                "Original and translated destination should both be networks of the same size.");
            return true;
        }
    }

    // After validation the net-to-net types collapse into plain SNAT/DNAT;
    // later processors only distinguish those.
    if (rule->getRuleType()==NATRule::SNetnat) rule->setRuleType(NATRule::SNAT);
    if (rule->getRuleType()==NATRule::DNetnat) rule->setRuleType(NATRule::DNAT);

    tmp_queue.push_back(rule);
    return true;
}
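/*
 * Uses network zone information to find which firewall interface the
 * "real" side and the "mapped" side of the rule sit behind, then fills the
 * inbound/outbound Interface rule elements when they are still "any".
 * Which rule elements decide this depends on the rule type: OSrc/TSrc for
 * SNAT and SDNAT, ODst/TDst for DNAT, OSrc/ODst for NONAT. Objects that
 * do not fall into any known network zone abort the rule.
 */
bool NATCompiler_pix::AssignInterface::processNext()
{
    Helper helper(compiler);
    NATRule *rule = getNext();
    if (rule == NULL) return false;

    Address *real_side = NULL;
    Address *mapped_side = NULL;

    switch (rule->getRuleType())
    {
    case NATRule::SNAT:
    case NATRule::SDNAT:
        real_side = compiler->getFirstOSrc(rule);
        mapped_side = compiler->getFirstTSrc(rule);
        break;
    case NATRule::DNAT:
        real_side = compiler->getFirstODst(rule);
        mapped_side = compiler->getFirstTDst(rule);
        break;
    case NATRule::NONAT:
        real_side = compiler->getFirstOSrc(rule);
        mapped_side = compiler->getFirstODst(rule);
        break;
    default:
        break;
    }
    // every rule type that survives VerifyRules is handled above
    assert(real_side != NULL && mapped_side != NULL);

    int org_intf_id = helper.findInterfaceByNetzone(real_side);
    int trn_intf_id = helper.findInterfaceByNetzone(mapped_side);

    // Resolve zone failures (-1) before the interface lookups so an
    // unknown id is never handed to findInIndex().
    if (org_intf_id == -1)
    {
        QString err("Object '%1' does not belong to any known network zone.");
        compiler->abort(
            rule, err.arg(real_side->getName().c_str()).toStdString());
        return true;
    }
    if (trn_intf_id == -1)
    {
        QString err("Object '%1' does not belong to any known network zone.");
        compiler->abort(
            rule, err.arg(mapped_side->getName().c_str()).toStdString());
        return true;
    }

    FWObject *iface_org = compiler->dbcopy->findInIndex(org_intf_id);
    FWObject *iface_trn = compiler->dbcopy->findInIndex(trn_intf_id);

    RuleElement *itf_re = rule->getItfInb();
    assert(itf_re != NULL);
    if (itf_re->isAny() && !itf_re->hasRef(iface_org)) itf_re->addRef(iface_org);

    itf_re = rule->getItfOutb();
    assert(itf_re != NULL);
    if (itf_re->isAny() && !itf_re->hasRef(iface_trn)) itf_re->addRef(iface_trn);

    if (org_intf_id == trn_intf_id)
    {
        QString err("Objects used in Original Source and Translated Source "
                    "of the rule dictate that the same interface '%1' is going "
                    "to be used as real and mapped interface in the generated "
                    "nat command.");
        compiler->warning(
            rule,
            err.arg(Interface::cast(iface_org)->getLabel().c_str()).toStdString());
    }

    tmp_queue.push_back(rule);
    return true;
}

/*
 * Pass-through processor; every rule is re-queued unchanged.
 */
bool NATCompiler_pix::verifyInterfaces::processNext()
{
    NATRule *rule = getNext();
    if (rule == NULL) return false;
    tmp_queue.push_back(rule);
    return true;
}

/*
 * True if srv is a TCP or UDP service whose destination port is a range
 * rather than a single port. Used by verifyRuleElements for both the
 * original and the translated service of static NAT rules.
 */
static bool pix_nat_has_dst_port_range(Service *srv)
{
    if (!TCPService::isA(srv) && !UDPService::isA(srv)) return false;
    TCPUDPService *tu = TCPUDPService::cast(srv);
    return tu->getDstRangeStart() != tu->getDstRangeEnd();
}

/*
 * Version- and type-specific checks on the first object of each rule
 * element: services in global NAT need PIX 6.3, address ranges in static
 * NAT need 8.3, and static NAT needs matching network sizes, matching
 * service types, no ICMP and no port ranges. Violations abort the rule.
 */
bool NATCompiler_pix::verifyRuleElements::processNext()
{
    NATRule *rule = getNext();
    if (rule == NULL) return false;

    // osrc and tsrc are only sanity-checked here
    Address *osrc = compiler->getFirstOSrc(rule);  assert(osrc);
    Address *odst = compiler->getFirstODst(rule);  assert(odst);
    Service *osrv = compiler->getFirstOSrv(rule);  assert(osrv);
    Address *tsrc = compiler->getFirstTSrc(rule);  assert(tsrc);
    Address *tdst = compiler->getFirstTDst(rule);  assert(tdst);
    Service *tsrv = compiler->getFirstTSrv(rule);  assert(tsrv);

    string version = compiler->fw->getStr("version");

    if (rule->getRuleType() == NATRule::SNAT)
    {
        if ((!osrv->isAny() || !tsrv->isAny()) &&
            libfwbuilder::XMLTools::version_compare(version, "6.3") < 0)
        {
            compiler->abort(
                rule,
                "only PIX v6.3 and later recognizes services in global NAT.");
            return true;
        }
    }

    if (rule->getRuleType() == NATRule::DNAT)
    {
        if ((AddressRange::cast(odst) || AddressRange::cast(tdst)) &&
            libfwbuilder::XMLTools::version_compare(version, "8.3") < 0)
        {
            compiler->abort(
                rule,
                "Address ranges are not supported in original destination or "
                "translated destination ");
            return true;
        }

        if (Network::isA(odst) && Network::isA(tdst))
        {
            // an interface stands for a single address (all-ones mask);
            // anything else contributes its own netmask
            InetAddr n1 = (Interface::cast(odst)) ?
                InetAddr(InetAddr::getAllOnes()) : (*(odst->getNetmaskPtr()));
            InetAddr n2 = (Interface::cast(tdst)) ?
                InetAddr(InetAddr::getAllOnes()) : (*(tdst->getNetmaskPtr()));
            if (!(n1 == n2))
            {
                compiler->abort(
                    rule,
                    "Original and translated destination must be of the same "
                    "size");
                return true;
            }
        }

        if (osrv->getTypeName() != tsrv->getTypeName())
        {
            compiler->abort(
                rule,
                "Original and translated services must be of "
                "the same type.");
            return true;
        }

        if (ICMPService::isA(osrv))
        {
            compiler->abort(
                rule,
                "ICMP services are not supported in static NAT. ");
            return true;
        }

        if (pix_nat_has_dst_port_range(osrv) || pix_nat_has_dst_port_range(tsrv))
        {
            compiler->abort(
                rule,
                "TCP or UDP service with a port range is not "
                "supported in NAT.");
            return true;
        }
    }

    tmp_queue.push_back(rule);
    return true;
}

/*
 * If OSrv is set but TSrv is "original", copies OSrv into TSrv so later
 * processors can rely on TSrv holding a concrete service.
 */
bool NATCompiler_pix::fillTranslatedSrv::processNext()
{
    NATRule *rule = getNext();
    if (rule == NULL) return false;
    tmp_queue.push_back(rule);

    Service *osrv_o = compiler->getFirstOSrv(rule);
    Service *tsrv_o = compiler->getFirstTSrv(rule);

    if (!osrv_o->isAny() && tsrv_o->isAny())
    {
        RuleElementTSrv *tsrv = rule->getTSrv();
        tsrv->addRef(osrv_o);
    }
    return true;
}

/**
 * unlike standard inspector addressRanges in the base class NATCompiler,
 * this one does not expand address ranges in TSrc and TDst
 */
bool NATCompiler_pix::ExpandAddressRanges::processNext()
{
    NATRule *rule = getNext();
    if (rule == NULL) return false;
    tmp_queue.push_back(rule);

    RuleElement *rel;

    rel = rule->getOSrc();  assert(rel);
    compiler->_expandAddressRanges(rule, rel);

    rel = rule->getODst();  assert(rel);
    compiler->_expandAddressRanges(rule, rel);

#if 0
    // if we want to support NAT rules with address ranges. For example,
    // could compile these as a bunch of individual host translations
    switch (rule->getRuleType())
    {
    case NATRule::SNAT:
        rel = rule->getTSrc();  assert(rel);
        compiler->_expandAddressRanges(rule, rel);
        break;
    case NATRule::DNAT:
        rel = rule->getTDst();  assert(rel);
        compiler->_expandAddressRanges(rule, rel);
        break;
    }
#endif

    return true;
}

/*
 * I assume that there is always only one object in ODst, TSrc and TDst
 * rule elements. This should have been assured by inspector VerifyRules
 *
 * For DNAT rules whose ODst is the firewall itself, the firewall object is
 * replaced with all non-loopback interfaces that have security level 0.
 */
bool NATCompiler_pix::ReplaceFirewallObjectsODst::processNext()
{
    NATRule *rule = getNext();
    if (rule == NULL) return false;
    tmp_queue.push_back(rule);

    list<FWObject*> cl;
    RuleElementODst *rel;
    Address *obj = NULL;

    switch (rule->getRuleType())
    {
    case NATRule::Masq:
        // case NATRule::Redirect:
        return true;

    case NATRule::DNAT:
        rel = rule->getODst();  assert(rel);
        obj = compiler->getFirstODst(rule);  assert(obj != NULL);

        if (obj->getId() == compiler->getFwId())
        {
            list<FWObject*> l2 = compiler->fw->getByType(Interface::TYPENAME);
            for (list<FWObject*>::iterator i = l2.begin(); i != l2.end(); ++i)
            {
                Interface *iface = Interface::cast(*i);
                if (!iface->isLoopback() && iface->getSecurityLevel() == 0)
                    cl.push_back(iface);
            }

            if (!cl.empty())
            {
                rel->clearChildren();
                for (list<FWObject*>::iterator i1 = cl.begin(); i1 != cl.end(); ++i1)
                    rel->addRef(*i1);
            }
        }
        // falls through to default
    default: ;  // TODO: should actually be always_assert
    }
    return true;
}

/*
 * For SNAT rules whose TSrc is the firewall itself, replaces the firewall
 * object with the interface(s) the translation should use: when ODst is
 * "any", every interface with a security level below the one OSrc sits
 * behind; otherwise only the interface ODst sits behind.
 */
bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext()
{
    Helper helper(compiler);
    NATRule *rule = getNext();
    if (rule == NULL) return false;

    list<FWObject*> cl;
    RuleElementTSrc *rel;
    Address *obj = NULL;

    switch (rule->getRuleType())
    {
    case NATRule::Masq:
    case NATRule::Redirect:
    {
        tmp_queue.push_back(rule);
        return true;
    }

    case NATRule::SNAT:
    {
        int osrc_level = 100;
        Address *osrc = NULL;
        Interface *osrc_iface = NULL;

        if (!rule->getOSrc()->isAny())
        {
            osrc = compiler->getFirstOSrc(rule);
            assert(osrc != NULL);
            osrc_iface = Interface::cast(
                compiler->dbcopy->findInIndex(
                    helper.findInterfaceByNetzone(osrc)));
            // findInterfaceByNetzone() yields -1 for an object outside every
            // network zone, which makes the lookup NULL; report it instead
            // of dereferencing it
            if (osrc_iface == NULL)
            {
                QString err("Object '%1' does not belong to any known network zone.");
                compiler->abort(
                    rule, err.arg(osrc->getName().c_str()).toStdString());
                return true;
            }
            osrc_level = osrc_iface->getSecurityLevel();
        }

        rel = rule->getTSrc();  assert(rel);
        if (rel->size() == 0)
        {
            compiler->abort(rule, "Empty TSrc");
            return true;
        }

        obj = compiler->getFirstTSrc(rule);  assert(obj != NULL);

        if (obj->getId() == compiler->getFwId())
        {
            /* if ODst is 'any', pick all interfaces with security level _less_ than
             * level of the interface OSrc is associated with. If ODst is not 'any',
             * find interface it is associated with and use only it.
             */
            if (rule->getODst()->isAny())
            {
                list<FWObject*> l2 = compiler->fw->getByType(Interface::TYPENAME);
                for (list<FWObject*>::iterator i = l2.begin(); i != l2.end(); ++i)
                {
                    Interface *iface = Interface::cast(*i);
                    // NOTE(review): this comparison was garbled in the
                    // extracted copy of the file; reconstructed from the
                    // comment above - confirm against upstream.
                    if (iface->getSecurityLevel() < osrc_level) cl.push_back(iface);
                }
            }
            else
            {
                Address *odst = compiler->getFirstODst(rule);
                assert(odst != NULL);
                FWObject *odst_iface = compiler->dbcopy->findInIndex(
                    helper.findInterfaceByNetzone(odst));
                if (odst_iface != NULL) cl.push_back(odst_iface);
            }

            if (!cl.empty())
            {
                rel->clearChildren();
                for (list<FWObject*>::iterator i1 = cl.begin(); i1 != cl.end(); ++i1)
                    rel->addRef(*i1);
            }
        }
    }
    break;

    default: ;  // TODO: should actually be always_assert
    }

    tmp_queue.push_back(rule);
    return true;
}

/*
 * Looks at the first object of rule element rel; if it is an address that
 * equals the address of one of the firewall's interfaces, the object is
 * replaced by that interface. A non-address object aborts the rule;
 * objects without an address are left alone.
 */
void NATCompiler_pix::UseFirewallInterfaces::scanInterfaces(RuleElement *rel)
{
    // front() on an empty element is undefined; nothing to replace then
    if (rel->size() == 0) return;

    FWObject *o = rel->front();
    if (FWReference::cast(o) != NULL) o = FWReference::cast(o)->getPointer();

    Address *obj = Address::cast(o);
    if (obj == NULL)
    {
        compiler->abort(
            rel->getParent(),
            "Broken rule element " +
            rel->getTypeName() +
            " in rule " +
            NATRule::cast(rel->getParent())->getLabel() +
            " ( found object with type " +
            string((o != NULL) ? o->getTypeName() : "") + ")");
        return;
    }

    const InetAddr *obj_addr = obj->getAddressPtr();
    if (obj_addr == NULL) return;

    list<FWObject*> l2 = compiler->fw->getByType(Interface::TYPENAME);
    for (list<FWObject*>::iterator i = l2.begin(); i != l2.end(); ++i)
    {
        Interface *iface = Interface::cast(*i);
        const InetAddr *iface_addr = iface->getAddressPtr();
        if (iface_addr == NULL) continue;
        if (*iface_addr == *obj_addr)
        {
            rel->removeRef(obj);
            rel->addRef(iface);
            return;
        }
    }
}

/*
 * Applies scanInterfaces() to ODst and TSrc of every rule that has them
 * set to something other than "any".
 */
bool NATCompiler_pix::UseFirewallInterfaces::processNext()
{
    NATRule *rule = getNext();
    if (rule == NULL) return false;
    tmp_queue.push_back(rule);

    RuleElement *rel;

    rel = rule->getODst();  assert(rel);
    if (!rel->isAny()) scanInterfaces(rel);

    rel = rule->getTSrc();  assert(rel);
    if (!rel->isAny()) scanInterfaces(rel);

    return true;
}

/*
 * Handles NONAT ("nat 0") rules: resolves the interfaces OSrc and ODst sit
 * behind and, depending on their security levels, records either a nat 0
 * access list or a static-style exemption on the rule. The body continues
 * below the resolution of odst_iface.
 */
bool NATCompiler_pix::processNONATRules::processNext()
{
    Helper helper(compiler);
    NATCompiler_pix *pix_comp = dynamic_cast<NATCompiler_pix*>(compiler);
    NATRule *rule = getNext();
    if (rule == NULL) return false;
    tmp_queue.push_back(rule);

    if (rule->getRuleType() == NATRule::NONAT)
    {
        Address *osrc = compiler->getFirstOSrc(rule);  assert(osrc);
        Address *odst = compiler->getFirstODst(rule);  assert(odst);

        Interface *osrc_iface = Interface::cast(
            compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(osrc)));
        Interface *odst_iface = Interface::cast(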
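compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(odst)));

        // findInterfaceByNetzone() returns -1 for an object outside every
        // network zone, so either lookup may be NULL; the original code
        // dereferenced them unconditionally
        if (osrc_iface == NULL || odst_iface == NULL)
        {
            QString err("Object '%1' does not belong to any known network zone.");
            Address *unresolved = (osrc_iface == NULL) ? osrc : odst;
            compiler->abort(
                rule, err.arg(unresolved->getName().c_str()).toStdString());
            return true;
        }

        int osrc_level = osrc_iface->getSecurityLevel();
        int odst_level = odst_iface->getSecurityLevel();

        // Both variants bind the rule to the interfaces it resolved to.
        RuleElement *itf_re = rule->getItfInb();
        assert(itf_re != NULL);
        if (!itf_re->hasRef(osrc_iface)) itf_re->addRef(osrc_iface);

        itf_re = rule->getItfOutb();
        assert(itf_re != NULL);
        if (!itf_re->hasRef(odst_iface)) itf_re->addRef(odst_iface);

        /*
         * PIX has two types of NONAT rules, one is when connection goes from
         * low security interface to the high security interface and another
         * for the opposite
         */
        if (osrc_level > odst_level)
        {
            rule->setInt("nonat_type", NONAT_NAT0);

            nonat n0;
            n0.src = osrc;
            n0.dst = odst;
            n0.acl_name = "nat0." + osrc_iface->getLabel();
            n0.last = true;

            pix_comp->nonat_rules[rule->getId()] = n0;
            pix_comp->registerACL(n0.acl_name);

            // remember the first nat 0 rule seen per interface
            if (pix_comp->first_nonat_rule_id.count(osrc_iface->getId()) == 0)
                pix_comp->first_nonat_rule_id[osrc_iface->getId()] = rule->getId();
        }
        else
        {
            rule->setInt("nonat_type", NONAT_STATIC);
        }
    }
    return true;
}

/*
 * Creates a NATCmd for every SNAT rule and stores it in
 * pix_comp->nat_commands under a running id that is also recorded on the
 * rule as "nat_cmd". Bi-directional ("outside") NAT is rejected for PIX
 * older than 6.2.
 */
bool NATCompiler_pix::createNATCmd::processNext()
{
    NATCompiler_pix *pix_comp = dynamic_cast<NATCompiler_pix*>(compiler);
    NATRule *rule = getNext();
    if (rule == NULL) return false;

    string version = compiler->fw->getStr("version");

    if (rule->getRuleType() == NATRule::SNAT)
    {
        Address *osrc = compiler->getFirstOSrc(rule);  assert(osrc);
        // the original checked osrc twice here and never odst
        Address *odst = compiler->getFirstODst(rule);  assert(odst);
        Service *osrv = compiler->getFirstOSrv(rule);  assert(osrv);
        Address *tsrc = compiler->getFirstTSrc(rule);  assert(tsrc);

        RuleElementItfInb *itf_in_re = rule->getItfInb();
        RuleElementItfOutb *itf_out_re = rule->getItfOutb();
        Interface *i_iface = Interface::cast(
            FWObjectReference::getObject(itf_in_re->front()));
        Interface *o_iface = Interface::cast(
            FWObjectReference::getObject(itf_out_re->front()));
        // both are dereferenced below (isDyn, getSecurityLevel)
        assert(i_iface != NULL && o_iface != NULL);

        NATCmd *natcmd = new NATCmd();

        natcmd->nat_id = nat_id_counter;
        natcmd->rule_label = rule->getLabel();
        natcmd->o_src = osrc;
        natcmd->o_dst = odst;
        natcmd->o_srv = osrv;
        natcmd->t_addr = tsrc;
        natcmd->i_iface = i_iface;  // inbound interface
        natcmd->o_iface = o_iface;  // outbound interface
        natcmd->nat_acl_name = pix_comp->getNATACLname(rule, "");
        pix_comp->registerACL(natcmd->nat_acl_name);

        // global pool type, most specific first
        if (Interface::cast(tsrc) != NULL || o_iface->isDyn())
            natcmd->type = INTERFACE;
        else if (Network::cast(tsrc))
            natcmd->type = NETWORK_ADDRESS;
        else if (AddressRange::cast(tsrc))
            natcmd->type = ADDRESS_RANGE;
        else
            natcmd->type = SINGLE_ADDRESS;

        natcmd->ignore_nat = natcmd->ignore_nat_and_print_acl =
            natcmd->ignore_global = false;
        natcmd->use_nat_0_0 = rule->getBool("use_nat_0_0");

        /*
         * "nat ... outside" is only supported in PIX 6.2
         */
        natcmd->outside =
            (i_iface->getSecurityLevel() < o_iface->getSecurityLevel());

        if (natcmd->outside &&
            compiler->fw->getStr("platform") == "pix" &&
            libfwbuilder::XMLTools::version_compare(version, "6.2") < 0)
        {
            // natcmd has not been stored anywhere yet; release it rather
            // than leak it on the abort path
            delete natcmd;
            compiler->abort(
                rule,
                "Bi-Directional NAT of source addresses is only "
                "supported in PIX 6.2 and newer.");
            return true;
        }

        /*
         * map is sorted container, this means that objects are going to be arranged
         * in nat_commands in the order of the key.
         */
        pix_comp->nat_commands[nat_id_counter] = natcmd;
        rule->setInt("nat_cmd", nat_id_counter);
        nat_id_counter++;
    }

    tmp_queue.push_back(rule);
    return true;
}

/*
 * Creates a StaticCmd for every DNAT rule and stores it in
 * pix_comp->static_commands under a running id that is also recorded on
 * the rule as "sc_cmd".
 */
bool NATCompiler_pix::createStaticCmd::processNext()
{
    NATCompiler_pix *pix_comp = dynamic_cast<NATCompiler_pix*>(compiler);
    NATRule *rule = getNext();
    if (rule == NULL) return false;
    tmp_queue.push_back(rule);

    if (rule->getRuleType() == NATRule::DNAT)
    {
        Address *osrc = compiler->getFirstOSrc(rule);  assert(osrc);
        Address *odst = compiler->getFirstODst(rule);  assert(odst);
        Service *osrv = compiler->getFirstOSrv(rule);  assert(osrv);
        Address *tdst = compiler->getFirstTDst(rule);  assert(tdst);
        Service *tsrv = compiler->getFirstTSrv(rule);  assert(tsrv);

        RuleElementItfInb *itf_in_re = rule->getItfInb();
        RuleElementItfOutb *itf_out_re = rule->getItfOutb();
        Interface *i_iface = Interface::cast(
            FWObjectReference::getObject(itf_in_re->front()));
        Interface *o_iface = Interface::cast(
            FWObjectReference::getObject(itf_out_re->front()));

        StaticCmd *scmd = new StaticCmd();

        scmd->acl_name = pix_comp->getNATACLname(rule, "");
        pix_comp->registerACL(scmd->acl_name);

        scmd->rule = rule->getLabel();

        // source and destination addresses are swapped here because
        // access lists used for NAT should have 'real' addresses in source
        scmd->iaddr = tdst;
        scmd->oaddr = odst;
        scmd->osrc = osrc;
        scmd->osrv = osrv;
        scmd->tsrv = tsrv;
        scmd->ignore_scmd_and_print_acl = false;
        scmd->i_iface = i_iface;
        scmd->o_iface = o_iface;

        pix_comp->static_commands[sc_id_counter] = scmd;
        rule->setInt("sc_cmd", sc_id_counter);
        sc_id_counter++;
    }
    return true;
}

/*
 * Resets OSrc to "any" on rules that optimizeDefaultNAT flagged with
 * the boolean "clear_osrc".
 */
bool NATCompiler_pix::clearOSrc::processNext()
{
    NATRule *rule = getNext();
    if (rule == NULL) return false;

    if (rule->getBool("clear_osrc"))
    {
        RuleElementOSrc *osrc = rule->getOSrc();
        osrc->clearChildren();
        osrc->setAnyElement();
    }

    tmp_queue.push_back(rule);
    return true;
}

/*
 * Aborts any rule whose rule element of type re_type holds a run-time
 * MultiAddress object (AddressTable or DNSName resolved on the firewall),
 * which this platform can not express.
 */
bool NATCompiler_pix::processMultiAddressObjectsInRE::processNext()
{
    NATRule *rule = getNext();
    if (rule == NULL) return false;

    RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
    // re_type is always one of the rule's own element types
    assert(re != NULL);

    for (FWObject::iterator i = re->begin(); i != re->end(); i++)
    {
        FWObject *o = *i;
        if (FWReference::cast(o) != NULL) o = FWReference::cast(o)->getPointer();

        MultiAddress *atrt = MultiAddress::cast(o);
        if (atrt != NULL && atrt->isRunTime())
        {
            compiler->abort(
                rule,
                "Run-time AddressTable and DNSName objects are not supported.");
            return true;
        }
    }

    tmp_queue.push_back(rule);
    return true;
}

/*
 * Builds the NAT rule processing pipeline for PIX and runs it. The order
 * matters: group expansion and duplicate elimination come first, then the
 * verification passes, then the passes that create NAT/static commands,
 * and finally printing. Optional consistency checks controlled by the
 * firewall's pix_check_* options are appended as a separate pass.
 * This function continues below the pix_check_* option lookups.
 */
void NATCompiler_pix::compile()
{
    info(" Compiling NAT rules for " + fw->getName());

    Compiler::compile();

    add( new Begin( "Begin processing"));
    add( new printTotalNumberOfRules());
    add( new singleRuleFilter());

    add(new expandGroupsInItfInb("expand groups in inbound Interface"));
    add(new replaceClusterInterfaceInItfInb(
            "replace cluster interfaces with member interfaces in "
            "the inbound Interface rule element"));
    add(new ItfInbNegation("process negation in inbound Itf"));

    add(new expandGroupsInItfOutb("expand groups in outbound Interface"));
    add(new replaceClusterInterfaceInItfOutb(
            "replace cluster interfaces with member interfaces in "
            "the outbound Interface rule element"));
    add(new ItfOutbNegation("process negation in outbound Itf"));

    add( new ConvertToAtomicForItfInb("convert to atomic for inbound interface") );
    add( new ConvertToAtomicForItfOutb("convert to atomic for outbound interface"));

    if (fw->getOptionsObject()->getBool( "pix_optimize_default_nat"))
        add (new optimizeDefaultNAT(
                 "optimize commands 'nat (interface) 0.0.0.0 0.0.0.0'"));

    add( new recursiveGroupsInOSrc("check for recursive groups in OSRC"));
    add( new recursiveGroupsInODst("check for recursive groups in ODST"));
    add( new recursiveGroupsInOSrv("check for recursive groups in OSRV"));
    add( new recursiveGroupsInTSrc("check for recursive groups in TSRC"));
    add( new recursiveGroupsInTDst("check for recursive groups in TDST"));
    add( new recursiveGroupsInTSrv("check for recursive groups in TSRV"));

    add( new emptyGroupsInOSrc("check for empty groups in OSRC"));
    add( new emptyGroupsInODst("check for empty groups in ODST"));
    add( new emptyGroupsInOSrv("check for empty groups in OSRV"));
    add( new emptyGroupsInTSrc("check for empty groups in TSRC"));
    add( new emptyGroupsInTDst("check for empty groups in TDST"));
    add( new emptyGroupsInTSrv("check for empty groups in TSRV"));

    add( new ExpandGroups("expand groups"));

    /*
     * We do not support ipv6 yet
     */
    add( new DropIPv6RulesWithWarning(
             "drop ipv6 rules",
             "Rule has been suppressed because it contains IPv6 objects and "
             "Firewall Builder does not support IPv6 for this platform"));

    add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC"));
    add( new eliminateDuplicatesInODST("eliminate duplicates in ODST"));
    add( new eliminateDuplicatesInOSRV("eliminate duplicates in OSRV"));

    add( new processMultiAddressObjectsInOSrc(
             "process MultiAddress objects in OSrc"));
    add( new processMultiAddressObjectsInODst(
             "process MultiAddress objects in ODst"));

    add( new classifyNATRule("determine NAT rule types"));
    add( new VerifyRules("verify rules" ));

    // ReplaceFirewallObjectsODst, ReplaceFirewallObjectsTSrc and
    // UseFirewallInterfaces assume there is one object in ODst,
    // TSrc and TDst rule elements. This should have been assured
    // by inspector VerifyRules
    add( new ReplaceFirewallObjectsODst("replace fw object in ODst" ));
    add( new ReplaceFirewallObjectsTSrc("replace fw object in TSrc" ));
    add( new UseFirewallInterfaces(
             "replace host objects with firewall's interfaces if the have the same address"));

    // ExpandMultipleAddresses acts on different rule elements
    // depending on the rule type.
    // Also using overloaded virtual function _expand_interface
    add( new ExpandMultipleAddresses("expand multiple addresses"));
    add( new MACFiltering( "check for MAC address filtering"));
    add( new ExpandAddressRanges("expand address range objects"));
    add( new checkForUnnumbered("check for unnumbered interfaces"));
    add( new ConvertToAtomic("convert to atomic rules" ));
    add( new AssignInterface("assign rules to interfaces" ));
    add( new verifyInterfaces("verify interfaces assignment" ));
    add( new fillTranslatedSrv("fill translated service element" ));
    add( new verifyRuleElements(
             "verify rule elements for static NAT rules"));
    add( new processNONATRules("process NONAT" ));

    if (fw->getOptionsObject()->getBool("pix_optimize_default_nat"))
        add (new clearOSrc ("clear OSrc" ));

    add( new SpecialServicesOSrv( "check for special services" ));
    add( new createNATCmd ("create NAT commands" ));
    add( new createStaticCmd ("create static commands" ));
    add( new mergeNATCmd ("merge NAT commands" ));
    add( new SuppressDuplicateNONATStatics(
             "suppress duplicate NONAT statics" ));
    add( new checkForObjectsWithErrors(
             "check if we have objects with errors in rule elements"));
    //add( new PrintClearCommands( "Clear ACLs" ));
    add( new PrintRule ("generate PIX code" ));
    add( new storeProcessedRules ("store processed rules" ));
    add( new simplePrintProgress ());

    bool pix_check_duplicate_nat =
        fw->getOptionsObject()->getBool("pix_check_duplicate_nat");
    bool pix_check_overlapping_global_pools =
        fw->getOptionsObject()->getBool("pix_check_overlapping_global_pools");
    bool pix_check_overlapping_statics =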
fw->getOptionsObject()->getBool("pix_check_overlapping_statics"); bool pix_check_overlapping_global_statics = fw->getOptionsObject()->getBool("pix_check_overlapping_global_statics"); if ( pix_check_duplicate_nat || pix_check_overlapping_global_pools || pix_check_overlapping_statics || pix_check_overlapping_global_statics ) { add( new createNewCompilerPass(" Detecting nat problems ...")); if ( pix_check_duplicate_nat ) add( new DetectDuplicateNAT(" Detect duplicate nat entries")); if ( pix_check_overlapping_global_pools ) add( new DetectGlobalPoolProblems( " Detect global pool overlapping" )); if ( pix_check_overlapping_statics ) add( new DetectOverlappingStatics( " Detect overlapping statics" )); if ( pix_check_overlapping_global_statics ) add( new DetectOverlappingGlobalPoolsAndStaticRules( " Detect overlapping global pools and statics" )); add( new simplePrintProgress ( )); } runRuleProcessors(); } void NATCompiler_pix::regroup() { list commands; map > script; commands.push_back("THE_REST"); commands.push_back("access-list "); commands.push_back("global "); commands.push_back("nat "); commands.push_back("static "); string acl, agrp, icmp, telnet, ssh; string new_output; char buf[1024]; istringstream in(output.str()); while (in) { in.getline(buf, 1023, '\n'); strcat(buf,"\n"); if (buf[0]=='!') continue; string slot="THE_REST"; for (list::iterator i=commands.begin(); i!=commands.end(); ++i) { if (strncmp(buf, (*i).c_str(), (*i).size())==0) { slot= *i; break; } } script[slot].push_back(buf); } output.str(""); for (list::iterator i=commands.begin(); i!=commands.end(); ++i) { for (list::iterator j=script[*i].begin(); j!=script[*i].end(); ++j) output << *j; output << "! \n"; output << "! 
\n"; } } void NATCompiler_pix::epilog() { if ( fw->getOptionsObject()->getBool("pix_regroup_commands")) { info(" Regrouping commands"); regroup(); } } string NATCompiler_pix::printClearCommands() { ostringstream output; string version = fw->getStr("version"); string platform = fw->getStr("platform"); if ( !fw->getOptionsObject()->getBool("pix_acl_no_clear") && !inSingleRuleCompileMode()) { output << Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/pix_commands/clear_xlate") << endl; output << Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/pix_commands/clear_static") << endl; output << Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/pix_commands/clear_global") << endl; output << Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/pix_commands/clear_nat") << endl; } return output.str(); } /* * This includes commands that should be added first, such as commit mode * for FWSM, setting up temporary access list etc. */ string NATCompiler_pix::printPreambleCommands() { return ""; } class MergeConflictRes : public FWObjectDatabase::ConflictResolutionPredicate { public: MergeConflictRes() { } virtual bool askUser(FWObject*, FWObject*) {return false;} }; void NATCompiler_pix::setNamedObjectsManager(NamedObjectsManager *mgr) { named_objects_manager = mgr; } fwbuilder-5.3.7/src/cisco_lib/NATCompiler_pix.h000066400000000000000000000453071303637203600214100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _NATCOMPILER_PIX_HH #define _NATCOMPILER_PIX_HH #include "fwcompiler/NATCompiler.h" #include "Helper.h" #include "NamedObjectsAndGroupsSupport.h" #include "splitByNetworkZonesForRE.h" #include "specialServices.h" #include #include namespace fwcompiler { typedef enum { UNKNOWN, INTERFACE, SINGLE_ADDRESS, NETWORK_ADDRESS, ADDRESS_RANGE } global_pool_type; typedef enum { NONAT_NAT0, NONAT_STATIC } nonat_types; struct NATCmd { bool ignore_nat; bool ignore_nat_and_print_acl; bool ignore_global; bool use_nat_0_0; bool outside; std::string rule_label; std::string comment; libfwbuilder::Address *o_src; // for "nat" command libfwbuilder::Address *o_dst; // for "nat" command libfwbuilder::Service *o_srv; // for acl in "nat" command for 6.3 libfwbuilder::Address *t_addr; // for "global" command libfwbuilder::Interface *i_iface; // inbound libfwbuilder::Interface *o_iface; // ountbound int nat_id; std::string nat_acl_name; global_pool_type type; }; struct StaticCmd { bool ignore_scmd_and_print_acl; std::string acl_name; std::string rule; libfwbuilder::Address *iaddr; libfwbuilder::Address *oaddr; libfwbuilder::Address *osrc; libfwbuilder::Service *osrv; libfwbuilder::Service *tsrv; libfwbuilder::Interface *i_iface; // inbound libfwbuilder::Interface *o_iface; // outbound StaticCmd() { }; bool operator==(const StaticCmd &other); }; class NATCompiler_pix : public NATCompiler { public: Helper helper; 
NamedObjectsManager *named_objects_manager; int global_pool_no; std::map nat_commands; std::map static_commands; struct nonat { std::string acl_name; //libfwbuilder::Interface *i_iface; //libfwbuilder::Interface *o_iface; libfwbuilder::Address *src; libfwbuilder::Address *dst; bool last; nonat() { last=false; } }; // first: rule->getId(), second: nonat object std::map nonat_rules; // first: interface->getId(), second: rule->getId() std::map first_nonat_rule_id; int final_ruleset_id; std::string debugPrintRule(libfwbuilder::Rule *r); void _expand_addr_recursive_pix(libfwbuilder::Rule *rule, libfwbuilder::FWObject *re, libfwbuilder::FWObject *s, std::list &ol, bool expand_cluster_interfaces_fully); virtual void _expand_addr_recursive(libfwbuilder::Rule *rule, libfwbuilder::FWObject *s, std::list &ol, bool expand_cluster_interfaces_fully); /** * internal: checks if interface is a child of a cluster and calls * Compiler::_expand_interface() with a pointer to the master member * interface. If @iface is not cluster interface, just calls * Compiler::_expand_interface() */ virtual void _expand_interface(libfwbuilder::Rule *rule, libfwbuilder::Interface *iface, std::list &ol, bool expand_cluster_interfaces_fully); /* this is a dictionary of all nat acl names and associated boolean * flag that indicates that corresponding 'clear' command has been * issued. 
We use this to keep track of all names that are created to * make sure they are unique */ std::map nat_acl_names; std::string getNATACLname(libfwbuilder::Rule *r,int nat_id); std::string getNATACLname(libfwbuilder::Rule *r,std::string suffix); /** * verifies correctness of the NAT rules */ DECLARE_NAT_RULE_PROCESSOR(VerifyRules); friend class NATCompiler_pix::VerifyRules; /** * using network zone information determine inside and outside * interfaces for the NAT rule */ DECLARE_NAT_RULE_PROCESSOR( AssignInterface ); friend class NATCompiler_pix::AssignInterface; /** * if previous processor assigned the same interface as both * internal and external one for the NAT operation, drop the rule */ DECLARE_NAT_RULE_PROCESSOR( verifyInterfaces ); friend class NATCompiler_pix::verifyInterfaces; /** * in case of DNAT both odst and tdst should be of the same size: * either both hosts, or both networks of the same size and can not * be address ranges. There are other limitations, too. */ DECLARE_NAT_RULE_PROCESSOR( verifyRuleElements ); friend class NATCompiler_pix::verifyRuleElements; /** * expands address ranges in OSrc and ODst */ DECLARE_NAT_RULE_PROCESSOR( ExpandAddressRanges ); friend class NATCompiler_pix::ExpandAddressRanges; /** * in case OSrv is not "any" but TSrv is "original", copy it over */ DECLARE_NAT_RULE_PROCESSOR( fillTranslatedSrv ); friend class NATCompiler_pix::fillTranslatedSrv; /** * replaces firewall objects in ODst with its external interface(s) */ DECLARE_NAT_RULE_PROCESSOR( ReplaceFirewallObjectsODst ); friend class NATCompiler_pix::ReplaceFirewallObjectsODst; /** * replaces firewall objects in TSrc with its external interface(s) */ DECLARE_NAT_RULE_PROCESSOR( ReplaceFirewallObjectsTSrc ); friend class NATCompiler_pix::ReplaceFirewallObjectsTSrc; /** * replace host object with firewall's interace if host object * has the same address */ class UseFirewallInterfaces : public NATRuleProcessor { void scanInterfaces(libfwbuilder::RuleElement *rel); public: 
UseFirewallInterfaces(const std::string &name) : NATRuleProcessor(name){}
virtual bool processNext();
};
friend class NATCompiler_pix::UseFirewallInterfaces;

/**
 * Creates the access-list used by "nat 0" rules. nonat_no numbers
 * the nonat rules it generates and starts at 1.
 */
class processNONATRules : public NATRuleProcessor
{
protected:
    int nonat_no;
public:
    processNONATRules(const std::string &name) : NATRuleProcessor(name){ nonat_no=1; }
    virtual bool processNext();
};
friend class NATCompiler_pix::processNONATRules;

/**
 * Creates an object of class NATCmd for every rule of type SNAT.
 * nat_id_counter supplies the numeric id used by "global"/"nat"
 * commands; it starts at 1.
 */
class createNATCmd : public NATRuleProcessor
{
protected:
    int nat_id_counter;
public:
    createNATCmd(const std::string &name) : NATRuleProcessor(name){ nat_id_counter=1; }
    virtual bool processNext();
};
friend class NATCompiler_pix::createNATCmd;

/**
 * Creates an object of class StaticCmd for every DNAT rule.
 * sc_id_counter supplies the key used in static_commands; starts at 1.
 */
class createStaticCmd : public NATRuleProcessor
{
protected:
    int sc_id_counter;
public:
    createStaticCmd(const std::string &name) : NATRuleProcessor(name){ sc_id_counter=1; }
    virtual bool processNext();
};
friend class NATCompiler_pix::createStaticCmd;

/**
 * Manipulates the list of NATCmd objects so that identical "nat" and
 * "global" commands are reused, and merges StaticCmd objects of DNAT
 * rules to avoid duplicate "static" commands.  It slurps the whole
 * queue first, so every processor before it must have run already.
 */
DECLARE_NAT_RULE_PROCESSOR( mergeNATCmd );
friend class NATCompiler_pix::mergeNATCmd;

/**
 * Takes the ID of the original object used in OSrc (stored by
 * storeOriginalOSrcID) and compares it with the network zones of the
 * firewall interfaces. If the FirewallOption "pix_optimize_default_nat"
 * is set and the original OSrc is the network zone of one of the
 * interfaces, the object in OSrc is replaced with that interface and
 * the rule is flagged "clear_osrc" / "use_nat_0_0".
 */
DECLARE_NAT_RULE_PROCESSOR( optimizeDefaultNAT );
friend class NATCompiler_pix::optimizeDefaultNAT;

/**
 * Uses the boolean flag "clear_osrc" set by optimizeDefaultNAT and
 * removes the objects in OSrc when the flag is set.
 */
DECLARE_NAT_RULE_PROCESSOR( clearOSrc );
friend class NATCompiler_pix::clearOSrc;

/** SpecialServices applied to the OSrv rule element. */
class SpecialServicesOSrv : public SpecialServices
{
public:
    SpecialServicesOSrv(const std::string &n):
        SpecialServices(n, libfwbuilder::RuleElementOSrv::TYPENAME) {}
};

/**
 * Eliminates duplicate objects in OSrc. Uses the default comparison
 * in eliminateDuplicatesInRE, which compares object IDs.
 */
class eliminateDuplicatesInOSRC : public eliminateDuplicatesInRE
{
public:
    eliminateDuplicatesInOSRC(const std::string &n) :
        eliminateDuplicatesInRE(n,libfwbuilder::RuleElementOSrc::TYPENAME) {}
};

/**
 * Eliminates duplicate objects in ODst. Uses the default comparison
 * in eliminateDuplicatesInRE, which compares object IDs.
 */
class eliminateDuplicatesInODST : public eliminateDuplicatesInRE
{
public:
    eliminateDuplicatesInODST(const std::string &n) :
        eliminateDuplicatesInRE(n,libfwbuilder::RuleElementODst::TYPENAME) {}
};

/**
 * Eliminates duplicate objects in OSrv. Uses the default comparison
 * in eliminateDuplicatesInRE, which compares object IDs.
 */
class eliminateDuplicatesInOSRV : public eliminateDuplicatesInRE
{
public:
    eliminateDuplicatesInOSRV(const std::string &n) :
        eliminateDuplicatesInRE(n,libfwbuilder::RuleElementOSrv::TYPENAME) {}
};

/**
 * Placeholder for MultiAddressRunTime objects, which this NAT compiler
 * does not support (the original comment said "ipf"; it appears to
 * have been copied from that compiler). re_type names the rule
 * element the processor inspects.
 */
class processMultiAddressObjectsInRE : public NATRuleProcessor
{
    std::string re_type;
public:
    processMultiAddressObjectsInRE(const std::string &name,
                                   const std::string &t) : NATRuleProcessor(name) { re_type=t; }
    virtual bool processNext();
};

class processMultiAddressObjectsInOSrc : public processMultiAddressObjectsInRE
{
public:
    processMultiAddressObjectsInOSrc(const std::string &n) :
        processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementOSrc::TYPENAME) {}
};

class processMultiAddressObjectsInODst : public processMultiAddressObjectsInRE
{
public:
    processMultiAddressObjectsInODst(const std::string &n) :
        processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementODst::TYPENAME) {}
};

/**
 * Prints a single NAT rule, assuming all groups have been expanded,
 * so source, destination and service hold exactly one object each and
 * none of them is a group. Negation must also have been taken care of
 * before this processor runs. The protected _print* helpers render
 * individual pieces (addresses, ports, connection limits) of a line.
 */
friend class PrintRule;
class PrintRule : public NATRuleProcessor
{
protected:
    bool init;
    std::string current_rule_label;
    std::string _printPortRangeOp(int rs, int re);
    std::string _printSrcService(libfwbuilder::Service *srv);
    std::string _printDstService(libfwbuilder::Service *srv);
    virtual void _printPort(libfwbuilder::Service *srv);
    std::string _printAddress(libfwbuilder::Address *a,bool print_netmask);
    std::string _printConnOptions(libfwbuilder::NATRule *rule);
    // NOTE(review): the template arguments of this member were lost in
    // this listing; the element types are not visible here.
    std::map printed_global_pools;
public:
    PrintRule(const std::string &n);
    virtual bool processNext();
    virtual void printNONAT(libfwbuilder::NATRule *rule);
    virtual void printSNAT(libfwbuilder::NATRule *rule);
    virtual void printSDNAT(libfwbuilder::NATRule *rule);
    virtual void printDNAT(libfwbuilder::NATRule *rule);
};
friend class NATCompiler_pix::PrintRule;

/**
 * Aborts compilation when two SNAT rules would produce identical
 * "nat" commands (same interface, original src/dst/srv).
 */
class DetectDuplicateNAT : public NATRuleProcessor
{
public:
    DetectDuplicateNAT(const std::string &n) : NATRuleProcessor(n){}
    virtual bool processNext();
};
friend class NATCompiler_pix::DetectDuplicateNAT;

/**
 * Base class providing a check for overlapping addresses that takes
 * address ranges into account, plus a helper that formats a global
 * pool address for diagnostics.
 */
friend class DetectOverlap;
class DetectOverlap : public NATRuleProcessor
{
protected:
    bool checkOverlapping(const libfwbuilder::Address &a1,
                          const libfwbuilder::InetAddr &a2);
    std::string printGlobalPoolAddress(const libfwbuilder::Address &pool);
public:
    DetectOverlap(const std::string &n) : NATRuleProcessor(n){}
    virtual ~DetectOverlap();
};
friend class NATCompiler_pix::DetectOverlap;

/**
 * Detects global pools that overlap with each other on the same
 * interface, or with the interface's own/broadcast address.
 */
friend class DetectGlobalPoolProblems;
class DetectGlobalPoolProblems : public DetectOverlap
{
public:
    DetectGlobalPoolProblems(const std::string &n) : DetectOverlap(n){}
    virtual bool processNext();
};
friend class NATCompiler_pix::DetectGlobalPoolProblems;

/**
 * Detects global pools (SNAT) that overlap with the outside address
 * of a static translation (DNAT).
 */
friend class DetectOverlappingGlobalPoolsAndStaticRules;
class DetectOverlappingGlobalPoolsAndStaticRules : public DetectOverlap
{
public:
    DetectOverlappingGlobalPoolsAndStaticRules(const std::string &n) : DetectOverlap(n){}
    virtual bool processNext();
};
friend class NATCompiler_pix::DetectOverlappingGlobalPoolsAndStaticRules;

/**
 * Suppresses identical nonat "static" commands. These appear in rules
 * that request no translation for access from a low security zone to
 * a high security zone and have a group or multiple objects in OSrc.
 * all_nonat_statics remembers (iface pair, address, mask) of every
 * static already emitted.
 */
friend class SuppressDuplicateNONATStatics;
class SuppressDuplicateNONATStatics : public NATRuleProcessor
{
protected:
    typedef struct {
        std::string iface1, iface2;
        libfwbuilder::InetAddr addr;
        libfwbuilder::InetAddr mask;
    } nonat_static_parameters;
    // NOTE(review): the template argument was lost in this listing;
    // the element type is nonat_static_parameters (see push_back in processNext).
    std::deque all_nonat_statics;
public:
    SuppressDuplicateNONATStatics(const std::string &n) : NATRuleProcessor(n){}
    virtual bool processNext();
};
friend class NATCompiler_pix::SuppressDuplicateNONATStatics;

/**
 * Aborts compilation when two "static" commands overlap or are
 * redundant (same services/osrc and overlapping inside or outside
 * addresses).
 */
friend class DetectOverlappingStatics;
class DetectOverlappingStatics : public NATRuleProcessor
{
protected:
public:
    DetectOverlappingStatics(const std::string &n) : NATRuleProcessor(n){}
    virtual bool processNext();
};
friend class NATCompiler_pix::DetectOverlappingStatics;

/**
 * Stores processed NAT rules in final_ruleset, where
 * findMatchingDNATRules looks them up later.
 */
DECLARE_NAT_RULE_PROCESSOR( storeProcessedRules );
friend class NATCompiler_pix::storeProcessedRules;

protected:
virtual std::string myPlatformName();

public:
NATCompiler_pix(libfwbuilder::FWObjectDatabase *_db,
                libfwbuilder::Firewall *fw,
                bool ipv6_policy,
                fwcompiler::OSConfigurator *_oscnf);
virtual ~NATCompiler_pix();

virtual int prolog();
virtual void compile();
virtual void epilog();
void regroup();
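virtual std::string printClearCommands();
virtual std::string printPreambleCommands();

/**
 * Scans the rules already stored in final_ruleset and returns the
 * DNAT rules whose OSrc matches src, whose rule element named by
 * nat_re_type_to_match_dst (ODst or TDst) matches dst and whose
 * service matches srv. The result is de-duplicated by the
 * (src, odst, osrv) triplet each rule translates, so every distinct
 * translation is returned once.
 */
std::list<libfwbuilder::NATRule*> findMatchingDNATRules(
    libfwbuilder::Address *src,
    libfwbuilder::Address *dst,
    libfwbuilder::Service *srv,
    const std::string &nat_re_type_to_match_dst);

// virtual string atomicRuleToString(libfwbuilder::Rule *r);

/** Registers acl_name with flag 0 ("not cleared/printed yet"). */
void registerACL(const std::string& acl_name) { setACLFlag(acl_name,0); }

/** Returns the flag stored for acl_name, or -1 when it was never registered. */
int getACLFlag(const std::string& acl_name)
{
    if (nat_acl_names.count(acl_name)!=0) return nat_acl_names[acl_name];
    return -1;
}

void setACLFlag(const std::string& acl_name, int f) { nat_acl_names[acl_name] = f; }

void setNamedObjectsManager(NamedObjectsManager *mgr);
};
}

#endif
fwbuilder-5.3.7/src/cisco_lib/NATCompiler_pix_find_translations.cpp000066400000000000000000000106111303637203600255320ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2002-2011 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "NATCompiler_pix.h"

#include "fwbuilder/Address.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/InetAddr.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/RuleSet.h"

#include <cassert>
#include <sstream>

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

/*
 * (src, dst, srv) of a translation. Used only as a de-duplication key
 * inside findMatchingDNATRules, via hash().
 */
class triplet
{
public:
    libfwbuilder::Address *src;
    libfwbuilder::Address *dst;
    libfwbuilder::Service *srv;

    triplet() {src=NULL; dst=NULL; srv=NULL;}
    triplet(libfwbuilder::Address *s,
            libfwbuilder::Address *d,
            libfwbuilder::Service *v) {src=s; dst=d; srv=v;}

    std::string hash();
};

/*
 * Key text for one address object. Dynamic interfaces have no address
 * at compile time, so they are keyed by object id; any other object
 * whose address pointer is NULL is keyed the same way instead of
 * being dereferenced.
 *
 * The original assigned intf->getId() (an int) straight to a
 * std::string, which compiles as std::string::operator=(char) and
 * silently truncates the id: different dynamic interfaces could hash
 * to the same key. The id is now formatted through a stream.
 */
static std::string address_key(Address *a)
{
    Interface *intf = Interface::cast(a);
    const InetAddr *addr = (intf && intf->isDyn()) ? NULL : a->getAddressPtr();
    if (addr) return addr->toString();
    ostringstream s;
    s << "id:" << a->getId();
    return s.str();
}

/* "src.dst.srv_id" key; equal for two triplets describing the same translation. */
std::string triplet::hash()
{
    ostringstream ostr;
    ostr << address_key(src) << "." << address_key(dst) << "." << srv->getId();
    return ostr.str();
}

/*
 * Returns the DNAT rules in final_ruleset that match (src, dst, srv);
 * see the declaration in NATCompiler_pix.h. Each distinct
 * (src, odst, osrv) translation is returned once, in key order.
 *
 * Guards added: a rule element named by nat_re_type_to_match_dst
 * that is missing or empty is skipped instead of calling front() on
 * it, and NULL address pointers (dynamic interfaces) on either side
 * of a comparison no longer get dereferenced.
 */
list<NATRule*> NATCompiler_pix::findMatchingDNATRules(
    Address *src, Address *dst, Service *srv,
    const string &nat_re_type_to_match_dst)
{
    list<NATRule*> res;
    map<string, NATRule*> res_dict;

    FWObject *final_ruleset =
        persistent_objects->getRoot()->findInIndex(final_ruleset_id);
    if (final_ruleset == NULL) return res;   // nothing stored yet

    const InetAddr *src_addr = src->getAddressPtr();
    const InetAddr *dst_addr = dst->getAddressPtr();

    for (FWObject::iterator i=final_ruleset->begin();
         i!=final_ruleset->end(); ++i)
    {
        NATRule *rule = NATRule::cast(*i);
        if (rule == NULL) continue;   // skip RuleSetOptions object

        switch (rule->getRuleType())
        {
        case NATRule::DNAT:
        {
            FWObject *re_to_compare =
                rule->getFirstByType(nat_re_type_to_match_dst);
            // unknown element type or empty element: nothing to compare with
            if (re_to_compare == NULL || re_to_compare->empty()) continue;
            Address *dst_to_compare = Address::cast(
                FWReference::getObject(re_to_compare->front()));
            if (dst_to_compare == NULL) continue;

            Address *osrc = getFirstOSrc(rule);  assert(osrc);
            Address *odst = getFirstODst(rule);  assert(odst);
            Service *osrv = getFirstOSrv(rule);  assert(osrv);
            Address *tsrc = getFirstTSrc(rule);  assert(tsrc);
            // Address *tdst = getFirstTDst(rule);  assert(tdst);
            Service *tsrv = getFirstTSrv(rule);  assert(tsrv);

            const InetAddr *osrc_addr = osrc->getAddressPtr();
            const InetAddr *dst_to_compare_addr = dst_to_compare->getAddressPtr();

            // Address pointers can be NULL when the object is a dynamic
            // interface or a group. Groups should have been expanded by
            // now, but a dynamic interface can still be there. With no
            // address on the source side we fall back to object identity;
            // on the destination side a NULL address is treated as a
            // wildcard, which is what the original did for
            // dst_to_compare_addr.
            bool src_match = (src_addr && osrc_addr) ?
                (*src_addr == *osrc_addr) : (src->getId() == osrc->getId());
            bool dst_match = (dst_to_compare_addr == NULL || dst_addr == NULL) ?
                true : (*dst_addr == *dst_to_compare_addr);

            // NOTE(review): the service test compares srv with the
            // translated service tsrv while the header describes a match
            // against OSrv; kept as-is, callers may depend on it.
            bool srv_match = osrv->isAny() || srv->getId()==tsrv->getId();

            if (src_match && srv_match && dst_match)
            {
                // key on the requested service when the rule covers any service
                Service *key_srv = osrv->isAny() ? srv : osrv;
                triplet tr(src, odst, key_srv);
                res_dict[tr.hash()] = rule;
            }
        }
        break;

        default: ;   // TODO: should actually be always_assert
        }
    }

    for (map<string, NATRule*>::iterator i=res_dict.begin();
         i!=res_dict.end(); ++i)
    {
        res.push_back(i->second);
    }

    return res;
}
fwbuilder-5.3.7/src/cisco_lib/NATCompiler_pix_optimizers.cpp000066400000000000000000000541641303637203600242270ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2002-2011 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.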
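 To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "config.h"

#include "NATCompiler_pix.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "NamedObjectsManager.h"

#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/InetAddr.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/FailoverClusterGroup.h"

#include <cassert>
#include <sstream>

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

/*
 * Merges identical "static", "global" and "nat" commands.
 *
 * This processor uses slurp() to make sure all previous processors ran
 * before it starts scanning rules; it then walks the whole queue once.
 *
 * For DNAT rules: if an earlier StaticCmd is equal to this rule's one,
 * this rule reuses its ACL name and the earlier command is flagged
 * ignore_scmd_and_print_acl (the "static" is printed only by the last
 * rule using the ACL).
 *
 * For SNAT rules, three passes over the earlier NATCmd entries:
 *   1. same translated address on the same outside interface
 *      -> reuse the earlier global pool (ignore_global, shared nat_id);
 *   2. same original src/dst/srv on the same inside interface
 *      -> drop this "nat" and move every command that shared this
 *         rule's pool onto the earlier rule's pool;
 *   3. same nat_id, translated address object and inside interface
 *      -> merge the access lists by giving them one name.
 *
 * Both command maps are looked up with find() instead of operator[]:
 * a missing key would otherwise insert a NULL entry that the scans
 * below dereference.
 */
bool NATCompiler_pix::mergeNATCmd::processNext()
{
    NATCompiler_pix *pix_comp = dynamic_cast<NATCompiler_pix*>(compiler);
    slurp();
    if (tmp_queue.size()==0) return false;

    for (size_t n = 0; n < tmp_queue.size(); ++n)
    {
        NATRule *rule = NATRule::cast(tmp_queue[n]);

        if (rule->getRuleType() == NATRule::DNAT)
        {
            map<int, StaticCmd*>::iterator sci =
                pix_comp->static_commands.find(rule->getInt("sc_cmd"));
            assert(sci != pix_comp->static_commands.end());
            StaticCmd *scmd = sci->second;
            assert(scmd != NULL);

            map<int, StaticCmd*>::iterator i1;
            for (i1=pix_comp->static_commands.begin();
                 i1!=pix_comp->static_commands.end(); ++i1)
            {
                StaticCmd *sc = (*i1).second;
                // the map is sorted by key: only entries above this rule matter
                if (scmd==sc) break;
                if ( *scmd == *sc)
                {
                    /*
                     * rule 'sc' is above rule 'scmd', we need to print
                     * 'static' command only in the last rule using the
                     * same access list. That's why we set flag
                     * ignore_scmd_and_print_acl in sc and not in scmd
                     */
                    scmd->acl_name = sc->acl_name;
                    sc->ignore_scmd_and_print_acl = true;
                }
            }
        }

        if (rule->getRuleType()==NATRule::SNAT)
        {
            map<int, NATCmd*>::iterator nci =
                pix_comp->nat_commands.find(rule->getInt("nat_cmd"));
            assert(nci != pix_comp->nat_commands.end());
            NATCmd *natcmd = nci->second;
            assert(natcmd != NULL);

            map<int, NATCmd*>::iterator i1;

            /* pass 1: reuse an identical global pool */
            for (i1 = pix_comp->nat_commands.begin();
                 i1 != pix_comp->nat_commands.end(); ++i1)
            {
                NATCmd *nc = (*i1).second;
                /* since map nat_commands is sorted by the key, we only
                 * have to scan it until we hit natcmd */
                if (natcmd==nc) break;

                const InetAddr *a1 = natcmd->t_addr->getAddressPtr();
                const InetAddr *a2 = nc->t_addr->getAddressPtr();
                Interface *int1 = natcmd->o_iface;
                Interface *int2 = nc->o_iface;

                // same object, or both have an address and the addresses
                // are equal (a NULL address means a dynamic interface)
                if ((natcmd->t_addr == nc->t_addr || (a1 && a2 && *a1 == *a2)) &&
                    int1->getId() == int2->getId() )
                {
                    natcmd->ignore_global = true;
                    natcmd->nat_id = nc->nat_id;
                }
            }

            /* pass 2: drop a "nat" whose original addresses duplicate an earlier one */
            for (i1 = pix_comp->nat_commands.begin();
                 i1 != pix_comp->nat_commands.end(); ++i1)
            {
                NATCmd *nc = (*i1).second;
                if (natcmd == nc) break;
                if (nc->ignore_nat) continue;

                /* using operator==(const Address &o1,const Address &o2) here */
                if ( *(natcmd->o_src) == *(nc->o_src) &&
                     *(natcmd->o_dst) == *(nc->o_dst) &&
                     *(natcmd->o_srv) == *(nc->o_srv) &&
                     natcmd->i_iface->getId() == nc->i_iface->getId() )
                {
                    /*
                     * there is another nat rule (rule #2) with the same
                     * "original" addresses and the same interface. We can
                     * drop this nat rule, but need to merge its global pool
                     * with pool of the rule #2.
                     *
                     * This nat rule could have been sharing a global pool
                     * with some other nat rule; in this case we need to
                     * find this other rule and also reassign it to the
                     * global pool of the rule #2.
                     *
                     * The id being replaced is captured first: the loop
                     * below also visits natcmd itself and rewrote its
                     * nat_id mid-scan, after which entries further down
                     * the map that still carried the old id were missed.
                     */
                    natcmd->ignore_nat = true;
                    int old_nat_id = natcmd->nat_id;
                    map<int, NATCmd*>::iterator i2;
                    for (i2 = pix_comp->nat_commands.begin();
                         i2 != pix_comp->nat_commands.end(); ++i2)
                    {
                        NATCmd *nc2 = i2->second;
                        if (old_nat_id == nc2->nat_id) nc2->nat_id = nc->nat_id;
                    }
                    natcmd->nat_id = nc->nat_id;
                }
            }

            /* pass 3: merge access lists of commands that share pool and interface */
            if (!natcmd->use_nat_0_0)
            {
                for (i1 = pix_comp->nat_commands.begin();
                     i1 != pix_comp->nat_commands.end(); ++i1)
                {
                    NATCmd *nc=(*i1).second;
                    if (natcmd==nc) break;

                    /* ignore natcmd entries for rules where we won't print
                     * 'nat' command or use 'nat 0' command since this means
                     * we won't print access-list for those rules and hence
                     * can not merge lists */
                    if (nc->ignore_nat) continue;
                    if (nc->use_nat_0_0) continue;

                    // NOTE(review): t_addr is compared by pointer here while
                    // pass 1 also accepts equal-by-value addresses; two
                    // pools that are value-equal but distinct objects get
                    // merged in pass 1 and not here. Left as in the original.
                    if ( natcmd->nat_id == nc->nat_id &&
                         natcmd->t_addr == nc->t_addr &&
                         natcmd->i_iface->getId() == nc->i_iface->getId() )
                    {
                        /* two nat commands with the same id, the same
                         * interface and the same translated address, but
                         * different osrc and odst. OSrc and ODst must be
                         * different, otherwise these two commands would
                         * have been merged in the previous cycle. We can
                         * merge access lists and drop one of these nat
                         * commands. We merge ACLs by assigning them the
                         * same name. */
                        natcmd->nat_acl_name = nc->nat_acl_name;
                        nc->ignore_nat_and_print_acl = true;
                    }
                }
            }
        }
    }
    return true;
}

/*
 * The goal of this processor is to find SNAT rules that could be
 * translated as "nat (interface) 0.0.0.0 0.0.0.0. These rules should
 * have the same network object in OSrc that is used to define
 * interface's network zone. The logic is simple: if network "A" is a
 * network zone for internal interface, then only packets from this
 * network can hit it and therefore there is no need to check source
 * address once more in the "nat" rule.
 *
 * We also check for ODst and OSrv, because if the destination or the
 * service are defined, then this optimization can not be done.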
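 * This optimization can be turned off using checkbutton in the
 * "Firewall" tab.
 *
 * call this processor really early, when groups have not been
 * expanded yet. At this point both NAT rule type and interfaces it
 * is associated with are unknown yet. We have to partially repeat
 * algorithms used in other rule processors to determine NAT rule type
 * and interface.
 *
 * We do this optimization in two steps:
 *
 * 1. in this rule processor we replace object in OSrc with firewall's
 * interface. This way we can still use other rule processors that
 * determine rule type and assign it to interfaces, but rule won't be
 * split onto multiple rules because of objects in OSrc. We also set
 * boolean flags "clear_osrc" and "use_nat_0_0" on the rule.
 *
 * 2. further down in rule processor clearOSrc we check the flag and
 * clear OSrc if it is set.
 *
 * 3. flag "use_nat_0_0" is used in printRule processor.
 */
bool NATCompiler_pix::optimizeDefaultNAT::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElementOSrc *osrc=rule->getOSrc();
    RuleElementOSrv *osrv=rule->getOSrv();
    RuleElementODst *odst=rule->getODst();
    RuleElementTSrc *tsrc=rule->getTSrc();
    RuleElementTDst *tdst=rule->getTDst();

    // only a single, non-"any" source with no dst/srv restriction qualifies
    if (osrc->size()>1) return true;
    if (osrc->isAny()) return true;
    if (!osrv->isAny()) return true;
    if (!odst->isAny()) return true;

    /*
     * can't use RuleElementOSrc::getFirst(bool dereference) because it
     * returns Address::cast(o), but child element of rule element may be
     * a group when this processor is called.
     */
    FWObject *o=osrc->front();
    string osrc_id;
    if (FWReference::cast(o)!=NULL)
        osrc_id = FWObjectDatabase::getStringId(FWReference::cast(o)->getPointerId());
    else
        osrc_id = FWObjectDatabase::getStringId(o->getId());

    // these two shapes are what the rule-type detection calls SNAT or NONAT
    bool looks_like_snat  = !tsrc->isAny() && tdst->isAny();
    bool looks_like_nonat = !osrc->isAny() && odst->isAny() &&
                             tsrc->isAny() && tdst->isAny();

    if (looks_like_snat || looks_like_nonat)
    {
        list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
        for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
        {
            Interface *iface=Interface::cast(*i);
            // OSrc is exactly the network zone of this interface:
            // stand the interface in for it and flag the rule
            if (iface->getStr("orig_netzone_id")==osrc_id )
            {
                rule->setBool("clear_osrc",true);
                rule->setBool("use_nat_0_0",true);
                osrc->clearChildren();
                osrc->addRef(iface);
                break;
            }
        }
    }
    return true;
}

/*
 * Drops nonat "static" rules that would repeat an earlier one with the
 * same interface pair, address and mask. Rules whose ODst has no
 * address at compile time (dynamic interface) are passed through
 * unchanged instead of dereferencing a NULL address pointer.
 */
bool NATCompiler_pix::SuppressDuplicateNONATStatics::processNext()
{
    Helper helper(compiler);
    NATRule *rule=getNext(); if (rule==NULL) return false;

    if (rule->getRuleType()== NATRule::NONAT &&
        rule->getInt("nonat_type")==NONAT_STATIC)
    {
        Address *osrc=compiler->getFirstOSrc(rule);  assert(osrc);
        Address *odst=compiler->getFirstODst(rule);  assert(odst);

        const InetAddr *odst_addr = odst->getAddressPtr();
        const InetAddr *odst_mask = odst->getNetmaskPtr();
        if (odst_addr == NULL || odst_mask == NULL)
        {
            // nothing to compare against; keep the rule
            tmp_queue.push_back(rule);
            return true;
        }

        nonat_static_parameters sp;
        sp.iface1 = helper.findInterfaceByNetzone(osrc );
        sp.iface2 = helper.findInterfaceByNetzone(odst );
        sp.addr = *odst_addr;
        sp.mask = *odst_mask;

        for (deque<nonat_static_parameters>::iterator i=all_nonat_statics.begin();
             i!=all_nonat_statics.end(); ++i )
        {
            bool same = i->iface1==sp.iface1 && i->iface2==sp.iface2 &&
                        i->addr==sp.addr && i->mask==sp.mask;
            if (same) return true;   // duplicate: drop the rule
        }
        all_nonat_statics.push_back(sp);
    }

    tmp_queue.push_back(rule);
    return true;
}

NATCompiler_pix::DetectOverlap::~DetectOverlap() {};

/*
 * True when addr2 falls inside addr1. For an address range the test is
 * inclusive on both ends; the non-range branch continues past this
 * listing.
 */
bool NATCompiler_pix::DetectOverlap::checkOverlapping(
    const libfwbuilder::Address &addr1,
    const libfwbuilder::InetAddr &addr2)
{
    if (AddressRange::isA(&addr1))
    {
        const InetAddr a1 = AddressRange::constcast(&addr1)->getRangeStart();
        const InetAddr a2 = AddressRange::constcast(&addr1)->getRangeEnd();
        return (addr2==a1 || addr2==a2 || (addr2>a1 &&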
addr2getRangeStart(); const InetAddr a2=AddressRange::constcast(&pool)->getRangeEnd(); return a1.toString()+"-"+a2.toString(); } else { return pool.getAddressPtr()->toString() + "/" + pool.getNetmaskPtr()->toString(); } } bool NATCompiler_pix::DetectGlobalPoolProblems::processNext() { NATCompiler_pix *pix_comp=dynamic_cast(compiler); NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); if (rule->getRuleType()== NATRule::SNAT ) { NATCmd *natcmd = pix_comp->nat_commands[ rule->getInt("nat_cmd") ]; if (natcmd->ignore_global) return true; if (natcmd->type != INTERFACE) { if (checkOverlapping(*(natcmd->t_addr), *(natcmd->o_iface->getAddressPtr()))) compiler->abort( rule, "Global pool " + printGlobalPoolAddress(*(natcmd->t_addr)) + " overlaps with interface address."); if (checkOverlapping(*(natcmd->t_addr), *(natcmd->o_iface->getBroadcastAddressPtr())) || checkOverlapping(*(natcmd->t_addr), *(natcmd->o_iface->getAddressPtr())) ) compiler->warning( rule, "Global pool " + printGlobalPoolAddress(*(natcmd->t_addr)) + " overlaps with broadcast address."); } for (map::iterator i1=pix_comp->nat_commands.begin(); i1!=pix_comp->nat_commands.end(); ++i1) { NATCmd *nc = (*i1).second; /* since map nat_commands is sorted by the key, we only have to scan it * until we hit natcmd */ if (nc->ignore_global) continue; if (natcmd==nc) break; Interface *int1 = natcmd->o_iface; Interface *int2 = nc->o_iface; if ( int1->getId()==int2->getId() ) { if ( ! 
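 fwcompiler::_find_obj_intersection(natcmd->t_addr,nc->t_addr).empty() )
                {
                    compiler->abort(
                        rule,
                        string("Global pool overlap: ") +
                        rule->getLabel() + " : " +
                        printGlobalPoolAddress(*(natcmd->t_addr)) +
                        nc->rule_label + " : " +
                        printGlobalPoolAddress(*(nc->t_addr)) );
                }
            }
        }
    }
    return true;
}

/*
 * Aborts when a global pool (SNAT) overlaps the outside address of a
 * static translation (DNAT rule being processed).
 *
 * The original used "return true" inside the loop over nat_commands
 * for the entries it could not or need not check (merged pools,
 * dynamic interfaces, the interface that is itself the static's
 * outside address). That ended the scan at the first such entry and
 * left every later pool unchecked, so an overlap behind a merged pool
 * went undetected. Those cases now "continue".
 */
bool NATCompiler_pix::DetectOverlappingGlobalPoolsAndStaticRules::processNext()
{
    NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    if (rule->getRuleType()!= NATRule::DNAT ) return true;

    Address *outa=compiler->getFirstODst(rule);  assert(outa);
    Address *insa=compiler->getFirstTDst(rule);  assert(insa);

    // a dynamic interface as the outside address has nothing to compare
    const InetAddr *outa_addr = outa->getAddressPtr();
    if (outa_addr == NULL) return true;

    for (map<int, NATCmd*>::iterator i=pix_comp->nat_commands.begin();
         i!=pix_comp->nat_commands.end(); ++i)
    {
        NATCmd *natcmd=(*i).second;

        // merged into another pool: that pool is checked on its own entry
        if (natcmd->ignore_global) continue;

        /* in this case natcmd->t_addr is interface. Interface creates
         * single-address global pool, but since it has netmask,
         * method checkOverlapping would treat it as network. I create
         * temporary substitution Address object to avoid this .
         *
         * If interface is used for a global pool (SNAT rule) and
         * for a static (DNAT rule), then this is ok even though
         * such global pool overlaps with such static (added 10/17/03)
         *
         * But first I need to check if this interface has dynamic
         * address, in which case I can not really do this check
         * at all.
         */
        Interface *iface=Interface::cast(natcmd->t_addr);
        if (iface!=NULL && iface->isDyn()) continue;
        if (iface!=NULL && iface->getId()==outa->getId()) continue;

        IPv4 addr;
        addr.setAddress(*(natcmd->t_addr->getAddressPtr()));
        addr.setNetmask(*(natcmd->t_addr->getNetmaskPtr()));
        if (natcmd->type== INTERFACE)
        {
            addr.setNetmask(InetAddr(InetAddr::getAllOnes()));
        }

        if ( checkOverlapping( addr, *outa_addr) ||
             checkOverlapping( *outa, *(addr.getAddressPtr())) )
            compiler->abort(
                rule,
                "Global pool "
                +printGlobalPoolAddress(addr)
                +" from rule "
                +natcmd->rule_label
                +" overlaps with static translation address in rule "
                +rule->getLabel());
    }
    return true;
}

/* "addr/mask" of an address object, or its name when it has no address. */
static string addr_mask_string(const Address *a)
{
    if (a->getAddressPtr() == NULL || a->getNetmaskPtr() == NULL)
        return a->getName();
    return a->getAddressPtr()->toString() + "/" + a->getNetmaskPtr()->toString();
}

/*
 * Aborts when an SNAT rule repeats the inside interface and original
 * src/dst/srv of an earlier "nat" command.
 *
 * The diagnostic used TCPUDPService::cast() on the service
 * unconditionally; for an ICMP or "any" service the cast yields NULL
 * and the message build crashed before the user saw the error. Port
 * ranges are now printed only for TCP/UDP services, and addresses
 * without a compile-time value (dynamic interfaces) print by name.
 */
bool NATCompiler_pix::DetectDuplicateNAT::processNext()
{
    NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    if (rule->getRuleType()!= NATRule::SNAT) return true;

    NATCmd *natcmd=pix_comp->nat_commands[ rule->getInt("nat_cmd") ];
    if (natcmd->ignore_nat) return true;

    for (map<int, NATCmd*>::iterator i1=pix_comp->nat_commands.begin();
         i1!=pix_comp->nat_commands.end(); ++i1)
    {
        NATCmd *nc = (*i1).second;
        /* since map nat_commands is sorted by the key, we only have to
         * scan it until we hit natcmd */
        if (nc->ignore_nat) continue;
        if (natcmd==nc) break;

        Interface *int1 = natcmd->o_iface;
        Interface *int2 = nc->o_iface;

        // NOTE(review): o_src/o_dst are compared by pointer (same object),
        // o_srv by value; mergeNATCmd compares all three by value.
        bool duplicate = int1->getId()==int2->getId() &&
                         natcmd->o_src==nc->o_src &&
                         natcmd->o_dst==nc->o_dst &&
                         *(natcmd->o_srv)==*(nc->o_srv);
        if (!duplicate) continue;

        TCPUDPService *tu = TCPUDPService::cast(natcmd->o_srv);

        ostringstream str;
        str << "Duplicate NAT detected: rules "
            << rule->getLabel() << " and " << nc->rule_label << " : "
            << addr_mask_string(natcmd->o_src) << " "
            << natcmd->o_srv->getProtocolName();
        if (tu) str << " " << tu->getSrcRangeStart() << ":" << tu->getSrcRangeEnd();
        str << " " << "->" << addr_mask_string(natcmd->o_dst);
        if (tu) str << " " << tu->getDstRangeStart() << "/" << tu->getDstRangeEnd();

        compiler->abort(rule, str.str());
    }
    return true;
}

/*
 * Aborts when two "static" commands with the same services and osrc
 * use the same outside interface, or have overlapping inside/outside
 * address blocks. Commands flagged ignore_scmd_and_print_acl are not
 * compared (their "static" is not printed).
 */
bool NATCompiler_pix::DetectOverlappingStatics::processNext()
{
    NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    if (rule->getRuleType()!= NATRule::DNAT ) return true;

    StaticCmd *scmd=pix_comp->static_commands[ rule->getInt("sc_cmd") ];

    for (map<int, StaticCmd*>::iterator i1=pix_comp->static_commands.begin();
         i1!=pix_comp->static_commands.end(); i1++ )
    {
        StaticCmd *sc= i1->second;
        // NOTE(review): this test precedes the "stop at own entry" test,
        // so a flagged scmd is also compared with entries below it.
        if (sc->ignore_scmd_and_print_acl) continue;
        if (sc==scmd) break;

        bool same_services = *(sc->osrv) == *(scmd->osrv) &&
                             *(sc->tsrv) == *(scmd->tsrv) &&
                             *(sc->osrc) == *(scmd->osrc);
        if (!same_services) continue;

        if (Interface::isA(scmd->oaddr) && Interface::isA(sc->oaddr))
        {
            // both use an interface as outside address: overlap means same interface
            if (sc->oaddr->getId() == scmd->oaddr->getId())
                compiler->abort(
                    rule,
                    "Static NAT rules overlap or are redundant : rules "+
                    sc->rule+" and "+scmd->rule+" : "+
                    "outside address: "+
                    "interface "+Interface::cast(scmd->oaddr)->getLabel()+
                    " inside address: "+
                    scmd->iaddr->getAddressPtr()->toString()+"/"+
                    scmd->iaddr->getNetmaskPtr()->toString());
        } else
        {
            const InetAddrMask *ia1 = scmd->iaddr->getInetAddrMaskObjectPtr();
            const InetAddrMask *ia2 = sc->iaddr->getInetAddrMaskObjectPtr();
            const InetAddrMask *oa1 = scmd->oaddr->getInetAddrMaskObjectPtr();
            const InetAddrMask *oa2 = sc->oaddr->getInetAddrMaskObjectPtr();

            // either the inside or the outside blocks intersecting is an error
            if ( ! getOverlap(*(ia1), *(ia2)).empty() ||
                 ! getOverlap(*(oa1), *(oa2)).empty() )
                compiler->abort(
                    rule,
                    "Static NAT rules overlap or are redundant: rules "+
                    sc->rule+" and "+scmd->rule+" : "+
                    "outside address: "+
                    scmd->oaddr->getAddressPtr()->toString()+"/"+
                    scmd->oaddr->getNetmaskPtr()->toString()+
                    " inside address: "+
                    scmd->iaddr->getAddressPtr()->toString()+"/"+
                    scmd->iaddr->getNetmaskPtr()->toString());
        }
    }
    return true;
}
fwbuilder-5.3.7/src/cisco_lib/NATCompiler_pix_writers.cpp000066400000000000000000000463041303637203600235170ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.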
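 To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "config.h"

#include "NATCompiler_pix.h"
#include "PortRangeConverter.h"

#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Resources.h"

#include <cassert>
#include <iostream>
#include <sstream>

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

/*
 * Renders an address for an access-list line: "any" for 0.0.0.0/0,
 * "host A" for a single address, otherwise "A M" (mask only when
 * print_netmask is set). The object must carry a compile-time address
 * and netmask; dynamic interfaces do not and must not reach this.
 */
string NATCompiler_pix::PrintRule::_printAddress(Address *a,bool print_netmask)
{
    assert(a != NULL);
    assert(a->getAddressPtr() != NULL && a->getNetmaskPtr() != NULL);

    string addr = a->getAddressPtr()->toString();
    string mask = a->getNetmaskPtr()->toString();

    if (addr=="0.0.0.0" && mask=="0.0.0.0") return "any";

    // if (addr=="0.0.0.0") addr="0";
    // if (mask=="0.0.0.0") mask="0";

    /*
     * If the object 'a' is a Host or a IPv4 (that is, it defines only
     * a single IP address) but its netmask is not 255.255.255.255, PIX will
     * issue an error "address,mask doesn't pair".
     *
     * I am not sure if it is appropriate to just fix this for the user,
     * may be I should issue a warning or even abort.
     */
    if (Host::isA(a) || IPv4::isA(a)) mask="255.255.255.255";

    if (mask=="255.255.255.255")
    {
        addr="host "+addr;
        mask="";
    }

    return print_netmask ? addr+" "+mask : addr;
}

NATCompiler_pix::PrintRule::PrintRule(const std::string &name) :
    NATRuleProcessor(name)
{
    init=true;
}

/*
 * Prints the destination port of a TCP/UDP service followed by a space,
 * nothing for port 0 or non-TCP/UDP services.
 * we verify that port ranges are not used in verifyRuleElements
 */
void NATCompiler_pix::PrintRule::_printPort(Service *srv)
{
    if (TCPService::isA(srv) || UDPService::isA(srv))
    {
        int drs = TCPUDPService::cast(srv)->getDstRangeStart();
        if (drs!=0) compiler->output << drs << " ";
    }
}

/* Port-range operator ("eq N", "range A B", ...) via PortRangeConverter. */
string NATCompiler_pix::PrintRule::_printPortRangeOp(int rs, int re)
{
    return PortRangeConverter(rs, re).toString();
}

/* Source port operator for TCP/UDP services, empty string otherwise. */
string NATCompiler_pix::PrintRule::_printSrcService(Service *srv)
{
    if (!(TCPService::isA(srv) || UDPService::isA(srv))) return "";

    TCPUDPService *tu = TCPUDPService::cast(srv);
    return _printPortRangeOp(tu->getSrcRangeStart(), tu->getSrcRangeEnd());
}

/*
 * Destination port operator for TCP/UDP services, or the ICMP type
 * followed by a space when the ICMP service defines one (-1 = any).
 */
string NATCompiler_pix::PrintRule::_printDstService(Service *srv)
{
    ostringstream str;

    if (TCPService::isA(srv) || UDPService::isA(srv))
    {
        TCPUDPService *tu = TCPUDPService::cast(srv);
        str << _printPortRangeOp(tu->getDstRangeStart(), tu->getDstRangeEnd());
    }

    if (ICMPService::isA(srv) && srv->getInt("type")!=-1)
    {
        str << srv->getStr("type") << " ";
    }

    return str.str();
}

/*
 * Connection-limit options for a "nat" line: "[tcp ]MAX EMB" from the
 * firewall options pix_max_conns / pix_emb_limit. Negative values are
 * clamped to 0 (unlimited).
 */
string NATCompiler_pix::PrintRule::_printConnOptions(NATRule *rule)
{
    if (rule==NULL) return "";

    ostringstream ostr;

    int max_conns=compiler->fw->getOptionsObject()->getInt("pix_max_conns");
    int emb_limit=compiler->fw->getOptionsObject()->getInt("pix_emb_limit");

    if (max_conns<0) max_conns=0;
    if (emb_limit<0) emb_limit=0;

    // we only support tcp connection options at this time
    // however PIX 7.0 (7.2?) also supports udp conn limit
    //
    // Note that keyword 'tcp' here is only valid in 7.x
    if (libfwbuilder::XMLTools::version_compare(
            compiler->fw->getStr("version"),"7.0")>=0)
        ostr << "tcp ";

    ostr << max_conns << " " << emb_limit;

    return ostr.str();
}

/*
 * Prints a NONAT rule: either "nat (iface) 0 ..." (NONAT_NAT0, with an
 * access-list on 6.3+) or an identity "static" (NONAT_STATIC). The
 * interface elements of the rule must hold exactly one interface each.
 * This function continues past the end of this listing.
 */
void NATCompiler_pix::PrintRule::printNONAT(NATRule *rule)
{
    Helper helper(compiler);
    NATCompiler_pix *pix_comp = dynamic_cast<NATCompiler_pix*>(compiler);

    string platform = compiler->fw->getStr("platform");
    string version = compiler->fw->getStr("version");
    string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
        string("/FWBuilderResources/Target/options/")+
        "version_"+version+"/pix_commands/clear_acl");

    Address *osrc=compiler->getFirstOSrc(rule);  assert(osrc);
    Address *odst=compiler->getFirstODst(rule);  assert(odst);
    Service *osrv=compiler->getFirstOSrv(rule);  assert(osrv);
    Address *tsrc=compiler->getFirstTSrc(rule);  assert(tsrc);
    Address *tdst=compiler->getFirstTDst(rule);  assert(tdst);
    Service *tsrv=compiler->getFirstTSrv(rule);  assert(tsrv);

    RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL);
    RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL);
    // front() on an empty element is undefined; the interface resolver
    // upstream is expected to have filled both
    assert(!itf_in_re->empty() && !itf_out_re->empty());

    Interface *i_iface = Interface::cast(
        FWObjectReference::getObject(itf_in_re->front()));
    Interface *o_iface = Interface::cast(
        FWObjectReference::getObject(itf_out_re->front()));
    assert(i_iface!=NULL && o_iface!=NULL);

    switch (rule->getInt("nonat_type"))
    {
    case NONAT_NAT0:
    {
        nonat n0 = pix_comp->nonat_rules[rule->getId()];

        if (rule->getBool("use_nat_0_0"))
        {
            /* old, < 6.3 */
            compiler->output << "nat (" << i_iface->getLabel() << ") 0 0 0";
            compiler->output << endl;
        } else
        {
            /* new, >=6.3 */
            compiler->output << endl;

            // clear the list once before the first line, when substitution is on
            if (pix_comp->getACLFlag(n0.acl_name)==0 &&
                compiler->fw->getOptionsObject()->getBool(
                    "pix_acl_substitution"))
            {
                compiler->output << clearACLcmd <<" " << n0.acl_name << endl;
                pix_comp->setACLFlag(n0.acl_name,1);
            }

            compiler->output << "access-list " << n0.acl_name
                             << " permit ip "
                             << _printAddress(n0.src,true)
                             << " "
                             << _printAddress(n0.dst,true)
                             << endl;

            if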
(pix_comp->first_nonat_rule_id[i_iface->getId()]==rule->getId()) { if (compiler->fw->getStr("platform")=="fwsm" && compiler->fw->getOptionsObject()->getBool( "pix_use_manual_commit") ) { compiler->output << "access-list commit" << endl; compiler->output << endl; } compiler->output << "nat (" << i_iface->getLabel() << ") 0 access-list " << n0.acl_name << endl; } } break; } case NONAT_STATIC: { string addr = odst->getAddressPtr()->toString(); string mask; if (Network::isA(odst)) mask=odst->getNetmaskPtr()->toString(); else mask="255.255.255.255"; compiler->output << "static (" << o_iface->getLabel() << "," << i_iface->getLabel() << ") " << addr << " " << addr << " netmask " << mask << endl; } break; } } void NATCompiler_pix::PrintRule::printSNAT(NATRule *rule) { NATCompiler_pix *pix_comp = dynamic_cast(compiler); NATCmd *natcmd = pix_comp->nat_commands[ rule->getInt("nat_cmd") ]; string platform = compiler->fw->getStr("platform"); string version = compiler->fw->getStr("version"); string clearACLcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/pix_commands/clear_acl"); Address *osrc = compiler->getFirstOSrc(rule); assert(osrc); Address *odst = compiler->getFirstODst(rule); assert(odst); Service *osrv = compiler->getFirstOSrv(rule); assert(osrv); Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc); Address *tdst = compiler->getFirstTDst(rule); assert(tdst); Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv); RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL); RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL); Interface *i_iface = Interface::cast( FWObjectReference::getObject(itf_in_re->front())); Interface *o_iface = Interface::cast( FWObjectReference::getObject(itf_out_re->front())); if ( ! 
natcmd->ignore_global) { compiler->output << "global (" << o_iface->getLabel() << ") " << natcmd->nat_id; switch (natcmd->type) { case INTERFACE: compiler->output << " interface" << endl; break; case SINGLE_ADDRESS: compiler->output << " " << natcmd->t_addr->getAddressPtr()->toString() << endl; break; case NETWORK_ADDRESS: compiler->output << " " << natcmd->t_addr->getAddressPtr()->toString() << " netmask " << natcmd->t_addr->getNetmaskPtr()->toString() << endl; break; case ADDRESS_RANGE: { AddressRange *ar=AddressRange::cast(natcmd->t_addr); compiler->output << " " << ar->getRangeStart().toString() << "-" << ar->getRangeEnd().toString() << " netmask " << o_iface->getNetmaskPtr()->toString() << endl; } break; default: ; // TODO: should actually be always_assert } } if ( natcmd->ignore_nat) { compiler->output <<"! " << natcmd->comment << endl; } else { if (rule->getBool("use_nat_0_0") || libfwbuilder::XMLTools::version_compare(compiler->fw->getStr("version"),"6.3")<0) { /* old, < 6.3 */ compiler->output << "nat (" << i_iface->getLabel() << ") " << natcmd->nat_id << " " << natcmd->o_src->getAddressPtr()->toString() << " " << natcmd->o_src->getNetmaskPtr()->toString(); if (natcmd->outside) compiler->output << " outside"; else compiler->output << " " << _printConnOptions(rule); compiler->output << endl; } else { /* new, >=6.3 */ if (pix_comp->getACLFlag(natcmd->nat_acl_name)==0 && compiler->fw->getOptionsObject()->getBool("pix_acl_substitution")) { compiler->output << clearACLcmd << " " << natcmd->nat_acl_name << endl; pix_comp->setACLFlag(natcmd->nat_acl_name,1); } compiler->output << "access-list " << natcmd->nat_acl_name << " permit "; compiler->output << osrv->getProtocolName(); compiler->output << " "; compiler->output << _printAddress(osrc,true); compiler->output << " "; compiler->output << _printSrcService( osrv ); compiler->output << " "; compiler->output << _printAddress(odst,true); compiler->output << " "; compiler->output << _printDstService( osrv ); 
compiler->output << endl; if (!natcmd->ignore_nat_and_print_acl) { if (compiler->fw->getStr("platform")=="fwsm" && compiler->fw->getOptionsObject()->getBool("pix_use_manual_commit") ) { compiler->output << "access-list commit" << endl; compiler->output << endl; } compiler->output << "nat (" << i_iface->getLabel() << ") " << natcmd->nat_id << " access-list " << natcmd->nat_acl_name; if (natcmd->outside) compiler->output << " outside"; else compiler->output << " " << _printConnOptions(rule); compiler->output << endl; } } } } void NATCompiler_pix::PrintRule::printSDNAT(NATRule*) { } void NATCompiler_pix::PrintRule::printDNAT(NATRule *rule) { NATCompiler_pix *pix_comp = dynamic_cast(compiler); string platform = compiler->fw->getStr("platform"); string version = compiler->fw->getStr("version"); string clearACLcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version+"/pix_commands/clear_acl"); Address *osrc = compiler->getFirstOSrc(rule); assert(osrc); Address *odst = compiler->getFirstODst(rule); assert(odst); Service *osrv = compiler->getFirstOSrv(rule); assert(osrv); Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc); Address *tdst = compiler->getFirstTDst(rule); assert(tdst); Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv); RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL); RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL); Interface *i_iface = Interface::cast( FWObjectReference::getObject(itf_in_re->front())); Interface *o_iface = Interface::cast( FWObjectReference::getObject(itf_out_re->front())); StaticCmd *scmd = pix_comp->static_commands[ rule->getInt("sc_cmd") ]; const InetAddr *outa = scmd->oaddr->getAddressPtr(); const InetAddr *outm = scmd->oaddr->getNetmaskPtr(); const InetAddr *insa = scmd->iaddr->getAddressPtr(); /* * we verify that odst and tdst have the same size in verifyRuleElements, * so we can rely on that now. 
*/ if (libfwbuilder::XMLTools::version_compare(compiler->fw->getStr("version"),"6.3")<0) { /* old, < 6.3 */ compiler->output << "static (" << o_iface->getLabel() << "," << i_iface->getLabel() << ") " ; bool use_ports=false; if (TCPService::cast(osrv)) { use_ports=true; compiler->output << "tcp "; } if (UDPService::cast(osrv)) { use_ports=true; compiler->output << "udp "; } if (Interface::cast(scmd->oaddr)!=NULL) { compiler->output << "interface "; if (use_ports) _printPort(scmd->osrv); compiler->output << insa->toString() << " "; if (use_ports) _printPort(scmd->tsrv); } else { compiler->output << outa->toString() << " "; if (use_ports) _printPort(scmd->osrv); compiler->output << insa->toString() << " "; if (use_ports) _printPort(scmd->tsrv); compiler->output << " netmask " << outm->toString(); } compiler->output << " " << _printConnOptions(rule) << endl; } else { /* new, >=6.3 */ if (pix_comp->getACLFlag(scmd->acl_name)==0 && compiler->fw->getOptionsObject()->getBool("pix_acl_substitution")) { compiler->output << clearACLcmd << " " << scmd->acl_name << endl; pix_comp->setACLFlag(scmd->acl_name,1); } compiler->output << "access-list " << scmd->acl_name << " permit "; /* * This acl does not make any sense if treated as a regular access * list. 
I just follow example from * http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#1113601 */ compiler->output << scmd->osrv->getProtocolName(); compiler->output << " "; compiler->output << _printAddress(scmd->iaddr,true); compiler->output << " "; compiler->output << _printDstService( scmd->tsrv ); compiler->output << " "; compiler->output << _printAddress(scmd->osrc,true); compiler->output << " "; compiler->output << _printSrcService( scmd->osrv ); compiler->output << endl; if (!scmd->ignore_scmd_and_print_acl) { if (compiler->fw->getStr("platform")=="fwsm" && compiler->fw->getOptionsObject()->getBool("pix_use_manual_commit")) { compiler->output << "access-list commit" << endl; compiler->output << endl; } compiler->output << "static (" << o_iface->getLabel() << "," << i_iface->getLabel() << ") " ; bool use_ports=false; if (TCPService::cast(scmd->osrv)) { use_ports=true; compiler->output << "tcp "; } if (UDPService::cast(scmd->osrv)) { use_ports=true; compiler->output << "udp "; } if (Interface::cast(scmd->oaddr)!=NULL) compiler->output << "interface "; else compiler->output << outa->toString() << " "; if (use_ports) _printPort(scmd->osrv); compiler->output << " "; compiler->output << "access-list " << scmd->acl_name << " " << _printConnOptions(rule) << endl; } } } bool NATCompiler_pix::PrintRule::processNext() { string platform = compiler->fw->getStr("platform"); string version = compiler->fw->getStr("version"); string clearACLcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/pix_commands/clear_acl"); NATRule *rule = getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); bool suppress_comments = ! 
compiler->fw->getOptionsObject()->getBool("pix_include_comments"); compiler->output << compiler->printComment( rule, current_rule_label, "!", suppress_comments); switch (rule->getRuleType()) { case NATRule::NONAT: printNONAT(rule); break; case NATRule::SNAT: { printSNAT(rule); break; } case NATRule::SDNAT: { printSDNAT(rule); break; } case NATRule::DNAT: { printDNAT(rule); break; } default: ; // TODO: should actually be always_assert } return true; } fwbuilder-5.3.7/src/cisco_lib/NXOSObjectGroup.cpp000066400000000000000000000076261303637203600217030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NXOSObjectGroup.h" #include "fwbuilder/Address.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Network.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; const char *NXOSObjectGroup::TYPENAME={"NXOSObjectGroup"}; QString NXOSObjectGroup::groupMemberToString(FWObject *obj, NamedObjectsManager*) throw(libfwbuilder::FWException) { ostringstream ostr; switch (getObjectGroupType()) { case NETWORK: { Address *a = Address::cast(obj); assert(a!=NULL); if (AddressRange::cast(a)) { const InetAddr &start = AddressRange::cast(a)->getRangeStart(); const InetAddr &end = AddressRange::cast(a)->getRangeEnd(); ostr << "range " << start.toString() << " " << end.toString(); } else { const InetAddr *addr = a->getAddressPtr(); if (Network::cast(obj)!=NULL) { const InetAddr *mask = a->getNetmaskPtr(); // Note: the syntax is "A.B.C.D /NN" (there must be space before /) ostr << addr->toString() << " /" << mask->getLength(); } else { ostr << "host " << addr->toString(); } } break; } case PROTO: { Service *s = Service::cast(obj); assert(s!=NULL); ostr << s->getProtocolNumber(); break; } case ICMP_TYPE: { ostr << "icmp "; ICMPService *s = ICMPService::cast(obj); assert(s!=NULL); if ( s->getInt("type")== -1) ostr << ""; else ostr << s->getInt("type"); break; } case TCP_SERVICE: case UDP_SERVICE: { if (getObjectGroupType()==TCP_SERVICE) ostr << "tcp "; else ostr << "udp "; TCPUDPService *s = TCPUDPService::cast(obj); assert(s!=NULL); int rs = s->getDstRangeStart(); int re = s->getDstRangeEnd(); if (rs<0) rs = 0; if (re<0) re = 0; if (rs>0 || re>0) { if (rs==re) ostr << "eq " << rs; else ostr << "range " << rs << " " << re; 
} else ostr << "range 0 65535"; break; } default: throw FWException("Unknown object group type"); } return ostr.str().c_str(); } string NXOSObjectGroup::getObjectGroupClass() { switch (this->getObjectGroupType()) { case NETWORK: return "network"; case PROTO: case ICMP_TYPE: case TCP_SERVICE: case UDP_SERVICE: return "service"; default: throw FWException("Unknown object group type"); } } string NXOSObjectGroup::getObjectGroupHeader() { ostringstream ostr; ostr << "object-group " << getObjectGroupClass() << " " << this->getName(); return ostr.str(); } string NXOSObjectGroup::getObjectGroupFooter() { return "exit"; } fwbuilder-5.3.7/src/cisco_lib/NXOSObjectGroup.h000066400000000000000000000027741303637203600213470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NXOSOBJECTGROUP_HH #define __NXOSOBJECTGROUP_HH #include "BaseObjectGroup.h" namespace fwcompiler { class NXOSObjectGroup : public BaseObjectGroup { public: NXOSObjectGroup() : BaseObjectGroup() { } virtual ~NXOSObjectGroup() {}; DECLARE_FWOBJECT_SUBTYPE(NXOSObjectGroup); virtual std::string getObjectGroupClass(); virtual std::string getObjectGroupHeader(); virtual std::string getObjectGroupFooter(); virtual QString groupMemberToString( libfwbuilder::FWObject *obj, NamedObjectsManager *named_obj_manager) throw(libfwbuilder::FWException); }; } #endif fwbuilder-5.3.7/src/cisco_lib/NamedObject.cpp000066400000000000000000000223011303637203600211060ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NamedObject.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Network.h" #include "fwbuilder/Interface.h" #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /* * Reserved words for all versions of IOS and ASA that support named * objects. It does not make sense to maintain sets of reserved words * separately for each version because it would take a lot of effort * for very little gain. We will maintain super-set of words that * corresponds to the version that has most extensive set. */ const char* rw[] = { "ah", "eigrp", "esp", "gre", "icmp", "icmp6", "igmp", "igrp", "ip", "ipinip", "ipsec", "nos", "ospf", "pcp", "pim", "pptp", "snp", "tcp", "udp", "tcp-aol", "tcp-bgp", "tcp-chargen", "tcp-cifs", "tcp-citrix-ica", "tcp-ctiqbe", "tcp-daytime", "tcp-discard", "tcp-domain", "tcp-echo", "tcp-exec", "tcp-finger", "tcp-ftp", "tcp-ftp-data", "tcp-gopher", "tcp-ident", "tcp-imap4", "tcp-irc", "tcp-hostname", "tcp-kerberos", "tcp-klogin", "tcp-kshell", "tcp-ldap", "tcp-ldaps", "tcp-login", "tcp-lotusnotes", "tcp-nfs", "tcp-netbios-ssn", "tcp-whois", "tcp-nntp", "tcp-pcanywhere-data", "tcp-pim-auto-rp", "tcp-pop2", "tcp-pop3", "tcp-pptp", "tcp-lpd", "tcp-rsh", "tcp-rtsp", "tcp-sip", "tcp-smtp", "tcp-ssh", "tcp-sunrpc", "tcp-tacacs", "tcp-talk", "tcp-telnet", "tcp-uucp", "tcp-www", "tcp-http", "tcp-https", "tcp-cmd", "tcp-sqlnet", "tcp-h323", "tcp-udp-cifs", "tcp-udp-discard", "tcp-udp-domain", "tcp-udp-echo", "tcp-udp-kerberos", "tcp-udp-nfs", "tcp-udp-pim-auto-rp", "tcp-udp-sip", "tcp-udp-sunrpc", "tcp-udp-tacacs", 
"tcp-udp-www", "tcp-udp-http", "tcp-udp-talk", "udp-biff", "udp-bootpc", "udp-bootps", "udp-cifs", "udp-discard", "udp-domain", "udp-dnsix", "udp-echo", "udp-www", "udp-http", "udp-nameserver", "udp-kerberos", "udp-mobile-ip", "udp-nfs", "udp-netbios-ns", "udp-netbios-dgm", "udp-ntp", "udp-pcanywhere-status", "udp-pim-auto-rp", "udp-radius", "udp-radius-acct", "udp-rip", "udp-secureid-udp", "udp-sip", "udp-snmp", "udp-snmptrap", "udp-sunrpc", "udp-syslog", "udp-tacacs", "udp-talk", "udp-tftp", "udp-time", "udp-who", "udp-xdmcp", "udp-isakmp", "icmp6-unreachable", "icmp6-packet-too-big", "icmp6-time-exceeded", "icmp6-parameter-problem", "icmp6-echo", "icmp6-echo-reply", "icmp6-membership-query", "icmp6-membership-report", "icmp6-membership-reduction", "icmp6-router-renumbering", "icmp6-router-solicitation", "icmp6-router-advertisement", "icmp6-neighbor-solicitation", "icmp6-neighbor-advertisement", "icmp6-neighbor-redirect", "icmp-echo", "icmp-echo-reply", "icmp-unreachable", "icmp-source-quench", "icmp-redirect", "icmp-alternate-address", "icmp-router-advertisement", "icmp-router-solicitation", "icmp-time-exceeded", "icmp-parameter-problem", "icmp-timestamp-request", "icmp-timestamp-reply", "icmp-information-request", "icmp-information-reply", "icmp-mask-request", "icmp-mask-reply", "icmp-traceroute", "icmp-conversion-error", "icmp-mobile-redirect", NULL }; QSet NamedObject::reserved_words; map NamedObject::name_disambiguation; NamedObject::NamedObject(const FWObject *_obj, const QString &_platform) { obj = _obj; platform = _platform; if (reserved_words.empty()) { const char** cptr = rw; while (*cptr!=NULL) { reserved_words.insert(QString(*cptr)); cptr++; } } name = sanitizeObjectName(QString::fromUtf8(obj->getName().c_str())); } QString NamedObject::getCommandWord() { if (Address::constcast(obj)!=NULL && Address::constcast(obj)->isAny()) return "any"; if (Service::constcast(obj)!=NULL && Service::constcast(obj)->isAny()) return "any"; if 
(Interface::constcast(obj)) return "interface"; return name; } QString NamedObject::sanitizeObjectName(const QString &name) { QString qs = name; qs = qs.replace(" ", "_").replace("/", "_").left(64); if (reserved_words.contains(qs)) { qs = qs + "_obj"; } int n = name_disambiguation[qs]; name_disambiguation[qs] = n + 1; qs = QString("%1.%2").arg(qs).arg(n); return qs; } QString NamedObject::createNetworkObjectCommand(const Address *addr_obj) { if (addr_obj == NULL) return ""; if (addr_obj->isAny()) return ""; if (Interface::constcast(obj)) return ""; QStringList res; res << QString("object network %1") .arg(name); if (AddressRange::isA(addr_obj)) { const AddressRange *ar = AddressRange::constcast(addr_obj); res << QString(" range %1 %2") .arg(ar->getRangeStart().toString().c_str()) .arg(ar->getRangeEnd().toString().c_str()); } else { string addr = addr_obj->getAddressPtr()->toString(); if (IPv4::isA(addr_obj)) { res << QString(" host %1").arg(addr.c_str()); } if (Network::isA(addr_obj)) { string netm = addr_obj->getNetmaskPtr()->toString(); res << QString(" subnet %1 %2") .arg(addr.c_str()) .arg(netm.c_str()); } } res << "exit"; res << ""; return res.join("\n"); } QString NamedObject::printPorts(int rs, int re) { QStringList res; if (rs<0) rs = 0; if (re<0) re = 0; if (rs>0 || re>0) { if (rs==re) res << "eq" << QString::number(rs); else if (rs==0 && re!=0) res << "lt" << QString::number(re); else if (rs!=0 && re==65535) res << "gt" << QString::number(rs); else res << "range " << QString::number(rs) << "" << QString::number(re); } return res.join(" "); } QString NamedObject::createServiceObjectCommand(const Service *serv_obj) { if (serv_obj == NULL) return ""; if (serv_obj->isAny()) return ""; QStringList res; QString proto_name = serv_obj->getProtocolName().c_str(); res << QString("object service %1").arg(name); QStringList service_line; service_line << " service"; if (TCPService::isA(serv_obj) || UDPService::isA(serv_obj)) { service_line << proto_name; int rs = 
TCPUDPService::constcast(serv_obj)->getSrcRangeStart(); int re = TCPUDPService::constcast(serv_obj)->getSrcRangeEnd(); if (rs != 0 || re != 0) { service_line << "source" << printPorts(rs, re); } rs = TCPUDPService::constcast(serv_obj)->getDstRangeStart(); re = TCPUDPService::constcast(serv_obj)->getDstRangeEnd(); if (rs != 0 || re != 0) { service_line << "destination" << printPorts(rs, re); } } if (ICMPService::isA(serv_obj)) { service_line << proto_name; if (serv_obj->getInt("type")!=-1) service_line << QString::number(serv_obj->getInt("type")); } if (CustomService::isA(serv_obj)) { service_line << CustomService::constcast(serv_obj)->getCodeForPlatform( platform.toStdString()).c_str(); } res << service_line.join(" "); res << "exit"; res << ""; return res.join("\n"); } QString NamedObject::getCommand() { if (Address::constcast(obj)!=NULL) return createNetworkObjectCommand(Address::constcast(obj)); if (Service::constcast(obj)!=NULL) return createServiceObjectCommand(Service::constcast(obj)); return ""; } QString NamedObject::getCommandWhenObjectGroupMember() { if (Address::constcast(obj)!=NULL) return "network-object object " + name; if (Service::constcast(obj)!=NULL) return "service-object object " + name; return ""; } fwbuilder-5.3.7/src/cisco_lib/NamedObject.h000066400000000000000000000035651303637203600205660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _ASA8_OBJECT_HH #define _ASA8_OBJECT_HH #include "fwbuilder/FWObject.h" #include #include namespace fwcompiler { class NamedObject { const libfwbuilder::FWObject *obj; QString platform; QString name; static QSet reserved_words; QString printPorts(int port_range_start, int port_range_end); protected: QString sanitizeObjectName(const QString &name); QString createNetworkObjectCommand(const libfwbuilder::Address *addr); QString createServiceObjectCommand(const libfwbuilder::Service *addr); public: static std::map name_disambiguation; NamedObject(const libfwbuilder::FWObject *obj, const QString &platform); virtual ~NamedObject() {} virtual QString getCommand(); virtual QString getCommandWhenObjectGroupMember(); QString getName() { return name; } QString getCommandWord(); const libfwbuilder::FWObject* getObject() { return obj; } }; } #endif fwbuilder-5.3.7/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp000066400000000000000000000214171303637203600245200ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NamedObjectsAndGroupsSupport.h" #include "NamedObjectsManager.h" #include "NamedObject.h" #include "PIXObjectGroup.h" #include "ASA8ObjectGroup.h" #include "IOSObjectGroup.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Firewall.h" #include "fwcompiler/Compiler.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; CreateObjectGroups::~CreateObjectGroups() { } BaseObjectGroup* CreateObjectGroups::findObjectGroup(RuleElement *re) { list relement; for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1) relement.push_back(FWReference::getObject(*i1)); FWObject *object_groups = named_objects_manager->getObjectGroupsGroup(); for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i) { BaseObjectGroup *og = dynamic_cast(*i); assert(og!=NULL); if (og->size()==0 || (og->size()!=re->size()) ) continue; bool match = true; for (FWObject::iterator i1=og->begin(); i1!=og->end(); ++i1) { if ( find(relement.begin(), relement.end(), FWReference::getObject(*i1))==relement.end() ) { match = false; break; } } if (match) return og; } return NULL; } bool CreateObjectGroups::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; string version = compiler->fw->getStr("version"); string platform = 
compiler->fw->getStr("platform"); RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); if (re->size()==1) { /* create object group if the object in the RE is AddressRange * because IOS normally does not support ranges in ACLs, but * supports them in groups */ FWObject *re_obj = FWReference::getObject(re->front()); if ( ! AddressRange::isA(re_obj)) { tmp_queue.push_back(rule); return true; } } BaseObjectGroup *obj_group = findObjectGroup(re); if (obj_group==NULL) { obj_group = named_objects_manager->createObjectGroup(); named_objects_manager->getObjectGroupsGroup()->add(obj_group); packObjects(re, obj_group); obj_group->setObjectGroupTypeFromMembers(named_objects_manager); QStringList group_name_prefix; group_name_prefix.push_back(rule->getUniqueId().c_str()); group_name_prefix.push_back(name_suffix.c_str()); QString reg_name = BaseObjectGroup::registerGroupName( group_name_prefix.join("."), obj_group->getObjectGroupType()); obj_group->setName(reg_name.toUtf8().constData()); } else { re->clearChildren(false); //do not want to destroy children objects re->addRef(obj_group); } tmp_queue.push_back(rule); return true; } void CreateObjectGroups::packObjects(RuleElement *re, BaseObjectGroup *obj_group) { for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *obj = FWReference::getObject(*i1); obj_group->addRef(obj); } re->clearChildren(false); //do not want to destroy children objects re->addRef(obj_group); } void CreateObjectGroupsForTSrc::packObjects(RuleElement *re, BaseObjectGroup *obj_group) { if (libfwbuilder::XMLTools::version_compare( compiler->fw->getStr("version"), "8.3")>=0) { // put all objects inside of the group, except for the interface // if it belongs to the firewall FWObject *re_interface = NULL; for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *o = *i1; FWObject *obj = o; if (FWReference::cast(o)!=NULL) obj = FWReference::cast(o)->getPointer(); if (Interface::isA(obj) && 
obj->isChildOf(compiler->fw)) { re_interface = obj; continue; } obj_group->addRef(obj); } re->clearChildren(false); //do not want to destroy children objects if (re_interface) { // add interface back. re->addRef(re_interface); } re->addRef(obj_group); } else { CreateObjectGroups::packObjects(re, obj_group); } } void createNamedObjectsCommon::printObjectsForRE(FWObject *re) { if (RuleElement::cast(re)!=NULL && RuleElement::cast(re)->isAny()) return; for (FWObject::iterator it=re->begin(); it!=re->end(); ++it) { FWObject *obj = FWReference::getObject(*it); if (Interface::isA(obj)) continue; if (BaseObjectGroup::cast(obj)!=NULL) printObjectsForRE(obj); else named_objects_manager->addNamedObject(obj); } } /* * We only need named objects for address ranges in policy. At least * at this time, we have decided to not create named objects for * everything and use them only in cases where it is inevitable. */ void createNamedObjectsForPolicy::printObjectsForRE(FWObject *re) { if (RuleElement::cast(re)!=NULL && RuleElement::cast(re)->isAny()) return; for (FWObject::iterator it=re->begin(); it!=re->end(); ++it) { FWObject *obj = FWReference::getObject(*it); if (Interface::isA(obj)) continue; if (BaseObjectGroup::cast(obj)!=NULL) printObjectsForRE(obj); if (AddressRange::isA(obj)) named_objects_manager->addNamedObject(obj); } } /* * We support named objects only for ASA 8.3 and in policy rules, only for * address ranges. * * See #1962, it looks like ASA 8.3 does not support named objects or * object-groups in place of port specification in access-list commands. 
*/ bool createNamedObjectsForPolicy::processNext() { slurp(); if (tmp_queue.size()==0) return false; for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) { PolicyRule *policy_rule = PolicyRule::cast( *k ); if (policy_rule) { RuleElementSrc *src_re = policy_rule->getSrc(); assert(src_re); printObjectsForRE(src_re); RuleElementDst *dst_re = policy_rule->getDst(); assert(dst_re); printObjectsForRE(dst_re); //RuleElementSrv *srv_re = policy_rule->getSrv(); assert(srv_re); //printObjectsForRE(srv_re); } } return true; } bool createNamedObjectsForNAT::processNext() { slurp(); if (tmp_queue.size()==0) return false; for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) { NATRule *nat_rule = NATRule::cast( *k ); if (nat_rule) { RuleElementOSrc *osrc_re = nat_rule->getOSrc(); assert(osrc_re); printObjectsForRE(osrc_re); RuleElementODst *odst_re = nat_rule->getODst(); assert(odst_re); printObjectsForRE(odst_re); RuleElementOSrv *osrv_re = nat_rule->getOSrv(); assert(osrv_re); printObjectsForRE(osrv_re); RuleElementTSrc *tsrc_re = nat_rule->getTSrc(); assert(tsrc_re); printObjectsForRE(tsrc_re); RuleElementTDst *tdst_re = nat_rule->getTDst(); assert(tdst_re); printObjectsForRE(tdst_re); RuleElementTSrv *tsrv_re = nat_rule->getTSrv(); assert(tsrv_re); printObjectsForRE(tsrv_re); } } return true; } fwbuilder-5.3.7/src/cisco_lib/NamedObjectsAndGroupsSupport.h000066400000000000000000000117211303637203600241620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _OBJECT_GROUPS_SUPPORT_HH #define _OBJECT_GROUPS_SUPPORT_HH #include "config.h" #include "BaseObjectGroup.h" #include "NamedObject.h" #include "fwbuilder/Group.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwcompiler/RuleProcessor.h" namespace fwcompiler { class CreateObjectGroups : public BasicRuleProcessor { protected: std::string re_type; std::string name_suffix; NamedObjectsManager *named_objects_manager; BaseObjectGroup* findObjectGroup(libfwbuilder::RuleElement *re); virtual void packObjects(libfwbuilder::RuleElement *re, BaseObjectGroup *obj_group); public: CreateObjectGroups(const std::string &name, const std::string &_ns, const std::string &_type, NamedObjectsManager *m) : BasicRuleProcessor(name) { re_type=_type; name_suffix=_ns; named_objects_manager = m; } virtual ~CreateObjectGroups(); virtual bool processNext(); }; class CreateObjectGroupsForSrc : public CreateObjectGroups { public: CreateObjectGroupsForSrc(const std::string &n, NamedObjectsManager *m) : CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME, m) {} }; class CreateObjectGroupsForDst : public CreateObjectGroups { public: CreateObjectGroupsForDst(const std::string &n, NamedObjectsManager *m) : CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME, m) {} }; class CreateObjectGroupsForSrv : public CreateObjectGroups { public: CreateObjectGroupsForSrv(const std::string &n, NamedObjectsManager *m) : CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME, m) {} }; // 
################################################################ // OSrc, ODst, OSrv, TSrc class CreateObjectGroupsForOSrc : public CreateObjectGroups { public: CreateObjectGroupsForOSrc(const std::string &n, NamedObjectsManager *m) : CreateObjectGroups(n,"osrc",libfwbuilder::RuleElementOSrc::TYPENAME, m){} }; class CreateObjectGroupsForODst : public CreateObjectGroups { public: CreateObjectGroupsForODst(const std::string &n, NamedObjectsManager *m) : CreateObjectGroups(n,"odst",libfwbuilder::RuleElementODst::TYPENAME, m){} }; class CreateObjectGroupsForOSrv : public CreateObjectGroups { public: CreateObjectGroupsForOSrv(const std::string &n, NamedObjectsManager *m) : CreateObjectGroups(n,"osrv",libfwbuilder::RuleElementOSrv::TYPENAME, m){} }; class CreateObjectGroupsForTSrc : public CreateObjectGroups { protected: virtual void packObjects(libfwbuilder::RuleElement *re, BaseObjectGroup *obj_group); public: CreateObjectGroupsForTSrc(const std::string &n, NamedObjectsManager *m) : CreateObjectGroups(n,"tsrc",libfwbuilder::RuleElementTSrc::TYPENAME, m){} }; class createNamedObjectsCommon : public BasicRuleProcessor { protected: virtual void printObjectsForRE(libfwbuilder::FWObject *re); NamedObjectsManager *named_objects_manager; public: createNamedObjectsCommon(const std::string &n, NamedObjectsManager *_m) : BasicRuleProcessor(n) { named_objects_manager = _m; } }; class createNamedObjectsForPolicy : public createNamedObjectsCommon { protected: virtual void printObjectsForRE(libfwbuilder::FWObject *re); public: createNamedObjectsForPolicy(const std::string &n, NamedObjectsManager *m) : createNamedObjectsCommon(n, m) {} virtual bool processNext(); }; class createNamedObjectsForNAT : public createNamedObjectsCommon { public: createNamedObjectsForNAT(const std::string &n, NamedObjectsManager *m) : createNamedObjectsCommon(n, m) {} virtual bool processNext(); }; } #endif 
fwbuilder-5.3.7/src/cisco_lib/NamedObjectsManager.cpp000066400000000000000000000135021303637203600225670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NamedObjectsManager.h" #include "NamedObject.h" #include "PIXObjectGroup.h" #include "ASA8ObjectGroup.h" #include "IOSObjectGroup.h" #include "NXOSObjectGroup.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Management.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwcompiler/Compiler.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; FWObject* create_NXOSObjectGroup(int id) { FWObject *nobj = new NXOSObjectGroup(); if (id > -1) nobj->setId(id); return nobj; } FWObject* create_IOSObjectGroup(int id) { FWObject *nobj = new 
IOSObjectGroup(); if (id > -1) nobj->setId(id); return nobj; } FWObject* create_PIXObjectGroup(int id) { FWObject *nobj = new PIXObjectGroup(); if (id > -1) nobj->setId(id); return nobj; } FWObject* create_ASA8ObjectGroup(int id) { FWObject *nobj = new ASA8ObjectGroup(); if (id > -1) nobj->setId(id); return nobj; } NamedObjectsManager::NamedObjectsManager(Library *persistent_objects, Firewall *_fw) { fw = _fw; version = fw->getStr("version"); platform = fw->getStr("platform"); this->persistent_objects = persistent_objects; Group *object_groups = new Group(); object_groups->setName("Object Groups"); persistent_objects->add( object_groups ); object_groups_group_id = FWObjectDatabase::getStringId(object_groups->getId()); BaseObjectGroup::name_disambiguation.clear(); NamedObject::name_disambiguation.clear(); FWObjectDatabase::registerObjectType(NXOSObjectGroup::TYPENAME, &create_NXOSObjectGroup); FWObjectDatabase::registerObjectType(IOSObjectGroup::TYPENAME, &create_IOSObjectGroup); FWObjectDatabase::registerObjectType(PIXObjectGroup::TYPENAME, &create_PIXObjectGroup); FWObjectDatabase::registerObjectType(ASA8ObjectGroup::TYPENAME, &create_ASA8ObjectGroup); } NamedObjectsManager::~NamedObjectsManager() { std::map::iterator it1; for (it1=named_objects.begin(); it1!=named_objects.end(); ++it1) { delete it1->second; } named_objects.clear(); } void NamedObjectsManager::addNamedObject(const FWObject *obj) { if (getNamedObject(obj) == NULL) named_objects[obj->getId()] = new NamedObject(obj, platform.c_str()); } NamedObject* NamedObjectsManager::getNamedObject(const FWObject *obj) { if (named_objects.count(obj->getId()) == 0) return NULL; else return named_objects[obj->getId()]; } bool NamedObjectsManager::haveNamedObjects() { return (named_objects.size() > 0); } bool NamedObjectsManager::haveObjectGroups() { FWObject *object_groups = persistent_objects->getRoot()->findInIndex( FWObjectDatabase::getIntId(object_groups_group_id)); return (object_groups->size() > 0); } string 
NamedObjectsManager::getNamedObjectsDefinitions() { QStringList output; map::iterator it; for (it=named_objects.begin(); it!=named_objects.end(); ++it) { NamedObject *nobj = it->second; if (nobj==NULL) continue; output << nobj->getCommand(); } FWObject *object_groups = persistent_objects->getRoot()->findInIndex( FWObjectDatabase::getIntId(object_groups_group_id)); for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i) { BaseObjectGroup *og = dynamic_cast(*i); assert(og!=NULL); if (og->size()==0) continue; output << og->toString(this); // ends with an empty line } return output.join("\n").toUtf8().constData(); } string NamedObjectsManager::getClearCommands() { return ""; } BaseObjectGroup* NamedObjectsManager::createObjectGroup() { BaseObjectGroup *grp = NULL; if (platform == "pix") { if (XMLTools::version_compare(version, "8.0")<0) grp = new PIXObjectGroup(); else grp = new ASA8ObjectGroup(); } if (platform == "fwsm") grp = new PIXObjectGroup(); if (platform == "iosacl") grp = new IOSObjectGroup(); assert(grp!=NULL); return grp; } Group* NamedObjectsManager::getObjectGroupsGroup() { return Group::cast(persistent_objects->getRoot()->findInIndex( FWObjectDatabase::getIntId(object_groups_group_id))); } fwbuilder-5.3.7/src/cisco_lib/NamedObjectsManager.h000066400000000000000000000040701303637203600222340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _NAMED_OBJECTS_MANAGER_HH #define _NAMED_OBJECTS_MANAGER_HH #include "config.h" #include "BaseObjectGroup.h" namespace libfwbuilder { class Group; class Firewall; class Library; }; namespace fwcompiler { class NamedObjectsManager { protected: libfwbuilder::Firewall *fw; std::string platform; std::string version; // storage for object groups created to be used with PIX // command object-group std::string object_groups_group_id; libfwbuilder::Library *persistent_objects; public: std::map named_objects; NamedObjectsManager(libfwbuilder::Library *persistent_objects, libfwbuilder::Firewall *_fw); virtual ~NamedObjectsManager(); void addNamedObject(const libfwbuilder::FWObject *obj); NamedObject* getNamedObject(const libfwbuilder::FWObject *obj); virtual std::string getNamedObjectsDefinitions(); virtual std::string getClearCommands(); bool haveNamedObjects(); bool haveObjectGroups(); BaseObjectGroup* createObjectGroup(); libfwbuilder::Group* getObjectGroupsGroup(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/NamedObjectsManagerASA8.h000066400000000000000000000025121303637203600226500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _NAMED_OBJECTS_MANAGER_ASA8_HH #define _NAMED_OBJECTS_MANAGER_ASA8_HH #include "config.h" #include "NamedObjectsManagerPIX.h" namespace fwcompiler { class NamedObjectsManagerASA8 : public NamedObjectsManagerPIX { public: NamedObjectsManagerASA8(libfwbuilder::Library *persistent_objects, libfwbuilder::Firewall *fw) : NamedObjectsManagerPIX(persistent_objects, fw) {} virtual ~NamedObjectsManagerASA8() {}; }; } #endif fwbuilder-5.3.7/src/cisco_lib/NamedObjectsManagerIOS.cpp000066400000000000000000000033011303637203600231360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NamedObjectsManagerIOS.h" #include "NamedObject.h" #include "BaseObjectGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Library.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; NamedObjectsManagerIOS::NamedObjectsManagerIOS(Library *po, Firewall *fw) : NamedObjectsManager(po, fw) { } NamedObjectsManagerIOS::~NamedObjectsManagerIOS() { } string NamedObjectsManagerIOS::getClearCommands() { ostringstream output; FWObject *object_groups = getObjectGroupsGroup(); for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i) { BaseObjectGroup *og = dynamic_cast(*i); assert(og!=NULL); output << "no " << og->getObjectGroupHeader() << endl; } return output.str(); } fwbuilder-5.3.7/src/cisco_lib/NamedObjectsManagerIOS.h000066400000000000000000000026071303637203600226130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _NAMED_OBJECTS_MANAGER_IOS_HH #define _NAMED_OBJECTS_MANAGER_IOS_HH #include "config.h" #include "NamedObjectsManager.h" namespace libfwbuilder { class Group; class Firewall; class Library; }; namespace fwcompiler { class NamedObjectsManagerIOS : public NamedObjectsManager { public: NamedObjectsManagerIOS(libfwbuilder::Library *persistent_objects, libfwbuilder::Firewall *_fw); virtual ~NamedObjectsManagerIOS(); virtual std::string getClearCommands(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/NamedObjectsManagerNXOS.cpp000066400000000000000000000033071303637203600233010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NamedObjectsManagerNXOS.h" #include "NamedObject.h" #include "BaseObjectGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Library.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; NamedObjectsManagerNXOS::NamedObjectsManagerNXOS(Library *po, Firewall *fw) : NamedObjectsManager(po, fw) { } NamedObjectsManagerNXOS::~NamedObjectsManagerNXOS() { } string NamedObjectsManagerNXOS::getClearCommands() { ostringstream output; FWObject *object_groups = getObjectGroupsGroup(); for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i) { BaseObjectGroup *og = dynamic_cast(*i); assert(og!=NULL); output << "no " << og->getObjectGroupHeader() << endl; } return output.str(); } fwbuilder-5.3.7/src/cisco_lib/NamedObjectsManagerNXOS.h000066400000000000000000000026141303637203600227460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _NAMED_OBJECTS_MANAGER_NXOS_HH #define _NAMED_OBJECTS_MANAGER_NXOS_HH #include "config.h" #include "NamedObjectsManager.h" namespace libfwbuilder { class Group; class Firewall; class Library; }; namespace fwcompiler { class NamedObjectsManagerNXOS : public NamedObjectsManager { public: NamedObjectsManagerNXOS(libfwbuilder::Library *persistent_objects, libfwbuilder::Firewall *_fw); virtual ~NamedObjectsManagerNXOS(); virtual std::string getClearCommands(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/NamedObjectsManagerPIX.cpp000066400000000000000000000037471303637203600231620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NamedObjectsManagerPIX.h" #include "PIXObjectGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Library.h" #include "fwbuilder/Resources.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; NamedObjectsManagerPIX::NamedObjectsManagerPIX(Library *po, Firewall *fw) : NamedObjectsManager(po, fw) { } NamedObjectsManagerPIX::~NamedObjectsManagerPIX() { } string NamedObjectsManagerPIX::getClearCommands() { ostringstream output; string clear_obj_group = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/pix_commands/clear_og"); string clear_object = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/pix_commands/clear_obj"); if ( !fw->getOptionsObject()->getBool("pix_acl_no_clear") ) { if (haveObjectGroups()) output << clear_obj_group << endl; if (haveNamedObjects()) output << clear_object << endl; } return output.str(); } fwbuilder-5.3.7/src/cisco_lib/NamedObjectsManagerPIX.h000066400000000000000000000026061303637203600226200ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _NAMED_OBJECTS_MANAGER_PIX_HH #define _NAMED_OBJECTS_MANAGER_PIX_HH #include "config.h" #include "NamedObjectsManager.h" namespace libfwbuilder { class Group; class Firewall; class Library; }; namespace fwcompiler { class NamedObjectsManagerPIX : public NamedObjectsManager { public: NamedObjectsManagerPIX(libfwbuilder::Library *persistent_objects, libfwbuilder::Firewall *_fw); virtual ~NamedObjectsManagerPIX(); virtual std::string getClearCommands(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_ios.cpp000066400000000000000000000153131303637203600225160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "OSConfigurator_ios.h" #include "Helper.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string OSConfigurator_ios::myPlatformName() { return "ios"; } int OSConfigurator_ios::prolog() { string host_os = fw->getStr("host_OS"); if (host_os!="ios") abort("Unsupported OS " + host_os ); return Compiler::prolog(); } void OSConfigurator_ios::processFirewallOptions() { // FWOptions* options=fw->getOptionsObject(); string s; // int i; string version = fw->getStr("version"); string platform = fw->getStr("platform"); if ( fw->getOptionsObject()->getBool("ios_set_host_name") ) { output << "hostname " << fw->getName() << endl; output << endl; } output << _printNameif(); output << endl; output << _printIPAddress(); output << endl; output << _printLogging(); output << endl; } string OSConfigurator_ios::_printNameif() { ostringstream res; string version = fw->getStr("version"); string platform = fw->getStr("platform"); string::size_type n; list l2=fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); string nameifCmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/version_")+ version+"/ios_commands/nameif"); if ((n = nameifCmd.find("%il"))!=string::npos) nameifCmd.replace(n,3,iface->getLabel()); if ((n = nameifCmd.find("%in"))!=string::npos) nameifCmd.replace(n,3,iface->getName()); res << nameifCmd; } res << endl; return res.str(); } string OSConfigurator_ios::_printIPAddress() { ostringstream res; string version = 
fw->getStr("version"); string platform = fw->getStr("platform"); string setAddrCmd; string::size_type n; if ( fw->getOptionsObject()->getBool("ios_ip_address") ) { list l2=fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); if (iface->isDyn()) { setAddrCmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/version_")+ version+"/ios_commands/ip_addr_dyn"); } else { if (iface->isUnnumbered()) { setAddrCmd = ""; } else { setAddrCmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/version_")+ version+"/ios_commands/ip_addr_static"); } } if ((n = setAddrCmd.find("%il"))!=string::npos) setAddrCmd.replace(n,3,iface->getLabel()); if ((n = setAddrCmd.find("%in"))!=string::npos) setAddrCmd.replace(n,3,iface->getName()); if ((n = setAddrCmd.find("%a"))!=string::npos) setAddrCmd.replace(n,2,iface->getAddressPtr()->toString()); if ((n = setAddrCmd.find("%n"))!=string::npos) setAddrCmd.replace(n,2,iface->getNetmaskPtr()->toString()); res << setAddrCmd; } } res << endl; return res.str(); } string OSConfigurator_ios::_printLogging() { Helper helper(this); ostringstream str; //bool logging_on=false; //UNUSED bool iosacl_generate_logging_commands = fw->getOptionsObject()->getBool( "iosacl_generate_logging_commands"); if (iosacl_generate_logging_commands) { string syslog_host = fw->getOptionsObject()->getStr("iosacl_syslog_host"); string syslog_facility= fw->getOptionsObject()->getStr("iosacl_syslog_facility"); string trap_level= fw->getOptionsObject()->getStr("iosacl_logging_trap_level"); bool buffered = fw->getOptionsObject()->getBool("iosacl_logging_buffered"); string buffered_level = fw->getOptionsObject()->getStr("iosacl_logging_buffered_level"); bool console = fw->getOptionsObject()->getBool("iosacl_logging_console"); string console_level = 
fw->getOptionsObject()->getStr("iosacl_logging_console_level"); bool timestamp = fw->getOptionsObject()->getBool("iosacl_logging_timestamp"); if ( ! timestamp ) str << "no "; str << "service timestamp log datetime localtime" << endl; if ( ! syslog_host.empty() ) { str << endl; str << "logging host " << syslog_host << endl; if ( ! syslog_facility.empty() ) str << "logging facility " << syslog_facility << endl; if ( ! trap_level.empty() ) str << "logging trap " << trap_level << endl; //logging_on=true; } if ( ! buffered ) str << "no logging buffered" << endl; else { str << "logging buffered " << buffered_level << endl; //logging_on=true; } if ( ! console ) str << "no logging console" << endl; else { str << "logging console " << console_level << endl; //logging_on=true; } str << endl; } return str.str(); } void OSConfigurator_ios::addVirtualAddressForNAT(const Address*) { } void OSConfigurator_ios::addVirtualAddressForNAT(const Network*) { } fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_ios.h000066400000000000000000000032731303637203600221650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _OSNETWORKCONFIGURATOR_IOS_HH #define _OSNETWORKCONFIGURATOR_IOS_HH #include "config.h" #include "fwcompiler/OSConfigurator.h" #include namespace fwcompiler { class OSConfigurator_ios : public OSConfigurator { std::string _printNameif(); std::string _printIPAddress(); std::string _printLogging(); public: virtual ~OSConfigurator_ios() {}; OSConfigurator_ios(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy) : OSConfigurator(_db, fw, ipv6_policy) {} virtual int prolog(); virtual std::string myPlatformName(); virtual void processFirewallOptions(); virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr); virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw); }; }; #endif fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_nxos.cpp000066400000000000000000000153461303637203600227210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "OSConfigurator_nxos.h" #include "Helper.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string OSConfigurator_nxos::myPlatformName() { return "nxos"; } int OSConfigurator_nxos::prolog() { string host_os = fw->getStr("host_OS"); if (host_os!="nxos") abort("Unsupported OS " + host_os ); return Compiler::prolog(); } void OSConfigurator_nxos::processFirewallOptions() { // FWOptions* options=fw->getOptionsObject(); string s; // int i; string version = fw->getStr("version"); string platform = fw->getStr("platform"); if ( fw->getOptionsObject()->getBool("nxos_set_host_name") ) { output << "hostname " << fw->getName() << endl; output << endl; } output << _printNameif(); output << endl; output << _printIPAddress(); output << endl; output << _printLogging(); output << endl; } string OSConfigurator_nxos::_printNameif() { ostringstream res; string version = fw->getStr("version"); string platform = fw->getStr("platform"); string::size_type n; list l2=fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); string nameifCmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/version_")+ version+"/nxos_commands/nameif"); if ((n = nameifCmd.find("%il"))!=string::npos) nameifCmd.replace(n,3,iface->getLabel()); if ((n = nameifCmd.find("%in"))!=string::npos) nameifCmd.replace(n,3,iface->getName()); res << nameifCmd; } res << endl; return res.str(); } string OSConfigurator_nxos::_printIPAddress() { ostringstream res; string 
version = fw->getStr("version"); string platform = fw->getStr("platform"); string setAddrCmd; string::size_type n; if ( fw->getOptionsObject()->getBool("nxos_ip_address") ) { list l2=fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); if (iface->isDyn()) { setAddrCmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/version_")+ version+"/nxos_commands/ip_addr_dyn"); } else { if (iface->isUnnumbered()) { setAddrCmd = ""; } else { setAddrCmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/version_")+ version+"/nxos_commands/ip_addr_static"); } } if ((n = setAddrCmd.find("%il"))!=string::npos) setAddrCmd.replace(n,3,iface->getLabel()); if ((n = setAddrCmd.find("%in"))!=string::npos) setAddrCmd.replace(n,3,iface->getName()); if ((n = setAddrCmd.find("%a"))!=string::npos) setAddrCmd.replace(n,2,iface->getAddressPtr()->toString()); if ((n = setAddrCmd.find("%n"))!=string::npos) setAddrCmd.replace(n,2,iface->getNetmaskPtr()->toString()); res << setAddrCmd; } } res << endl; return res.str(); } string OSConfigurator_nxos::_printLogging() { Helper helper(this); ostringstream str; //bool logging_on=false; //UNUSED bool nxosacl_generate_logging_commands = fw->getOptionsObject()->getBool( "nxosacl_generate_logging_commands"); if (nxosacl_generate_logging_commands) { string syslog_host = fw->getOptionsObject()->getStr("nxosacl_syslog_host"); string syslog_facility= fw->getOptionsObject()->getStr("nxosacl_syslog_facility"); string trap_level= fw->getOptionsObject()->getStr("nxosacl_logging_trap_level"); bool buffered = fw->getOptionsObject()->getBool("nxosacl_logging_buffered"); string buffered_level = fw->getOptionsObject()->getStr("nxosacl_logging_buffered_level"); bool console = fw->getOptionsObject()->getBool("nxosacl_logging_console"); string console_level = 
fw->getOptionsObject()->getStr("nxosacl_logging_console_level"); bool timestamp = fw->getOptionsObject()->getBool("nxosacl_logging_timestamp"); if ( ! timestamp ) str << "no "; str << "service timestamp log datetime localtime" << endl; if ( ! syslog_host.empty() ) { str << endl; str << "logging host " << syslog_host << endl; if ( ! syslog_facility.empty() ) str << "logging facility " << syslog_facility << endl; if ( ! trap_level.empty() ) str << "logging trap " << trap_level << endl; //logging_on=true; } if ( ! buffered ) str << "no logging buffered" << endl; else { str << "logging buffered " << buffered_level << endl; //logging_on=true; } if ( ! console ) str << "no logging console" << endl; else { str << "logging console " << console_level << endl; //logging_on=true; } str << endl; } return str.str(); } void OSConfigurator_nxos::addVirtualAddressForNAT(const Address*) { } void OSConfigurator_nxos::addVirtualAddressForNAT(const Network*) { } fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_nxos.h000066400000000000000000000033001303637203600223510ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _OSNETWORKCONFIGURATOR_NXOS_HH #define _OSNETWORKCONFIGURATOR_NXOS_HH #include "config.h" #include "fwcompiler/OSConfigurator.h" #include namespace fwcompiler { class OSConfigurator_nxos : public OSConfigurator { std::string _printNameif(); std::string _printIPAddress(); std::string _printLogging(); public: virtual ~OSConfigurator_nxos() {}; OSConfigurator_nxos(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy) : OSConfigurator(_db, fw, ipv6_policy) {} virtual int prolog(); virtual std::string myPlatformName(); virtual void processFirewallOptions(); virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr); virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw); }; }; #endif fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_pix_os.cpp000066400000000000000000000716141303637203600232330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "OSConfigurator_pix_os.h" #include "Helper.h" #include "Configlet.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string OSConfigurator_pix_os::myPlatformName() { return "pix_os"; } int OSConfigurator_pix_os::prolog() { string host_os = fw->getStr("host_OS"); if (host_os!="pix_os" && host_os!="fwsm_os") abort("Unsupported OS " + host_os ); return Compiler::prolog(); } void OSConfigurator_pix_os::processFirewallOptions() { // FWOptions* options=fw->getOptionsObject(); string s; // int i; string version = fw->getStr("version"); string platform = fw->getStr("platform"); if ( fw->getOptionsObject()->getBool("pix_set_host_name") ) { output << "hostname " << fw->getName() << endl; output << endl; } output << _printInterfaceConfiguration(); output << endl; if (fw->getOptionsObject()->getBool("cluster_member")) { output << _printFailoverConfiguration(); output << endl; output << endl; output << endl; } output << _printLogging(); output << endl; output << _printTimeouts(); output << endl; output << _printSSHConfiguration(); output << endl; output << _printSNMP(); output << endl; output << _printNTP(); output << endl; output << _printSysopt(); output << endl; output << getProtocolInspectionCommands(); output << endl; } void OSConfigurator_pix_os::_getFailoverAddresses(ClusterGroup *cluster_group, QString *primary_addr, QString *primary_netm, QString *standby_addr) { int master_id = FWObjectDatabase::getIntId(cluster_group->getStr("master_iface")); if (master_id <= 0) { QString err; 
if (StateSyncClusterGroup::isA(cluster_group)) err = QObject::tr("One of the state synchronization group members " "must be marked as master. Can not configure " "PIX failover without master."); else err = QObject::tr("One of the failover group members must be marked " "as master. Can not configure PIX failover " "without master."); abort(err.toStdString()); } for (FWObjectTypedChildIterator it = cluster_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { Interface *gorup_intf = Interface::cast(FWObjectReference::getObject(*it)); assert(gorup_intf); QString addr; QString netm; const InetAddr *a = gorup_intf->getAddressPtr(); const InetAddr *n = gorup_intf->getNetmaskPtr(); if (a && n) { addr = a->toString().c_str(); netm = n->toString().c_str(); if (gorup_intf->getId() == master_id) { *primary_addr = addr; *primary_netm = netm; } else { *standby_addr = addr; } } } } void OSConfigurator_pix_os::_getAddressConfigurationForInterface( Interface *iface, QString *addr, QString *netm, QString *standby_addr) { const InetAddr *a = iface->getAddressPtr(); const InetAddr *n = iface->getNetmaskPtr(); if (a && n) { *addr = a->toString().c_str(); *netm = n->toString().c_str(); } if (standby_addr) { // find standby address (address of the other unit in failover group) int failover_group_id = FWObjectDatabase::getIntId( iface->getOptionsObject()->getStr("failover_group_id")); FWObject *failover_group = fw->getRoot()->findInIndex(failover_group_id); if (failover_group) { for (FWObjectTypedChildIterator it = failover_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { Interface *failover_intf = Interface::cast(FWObjectReference::getObject(*it)); assert(failover_intf); if (failover_intf->getId() != iface->getId()) { const InetAddr *a = failover_intf->getAddressPtr(); if (a) *standby_addr = a->toString().c_str(); break; } } } } } string OSConfigurator_pix_os::_printInterfaceConfiguration() { ostringstream res; string host_os = 
fw->getStr("host_OS"); string version = fw->getStr("version"); string platform = fw->getStr("platform"); bool configure_address = fw->getOptionsObject()->getBool("pix_ip_address"); bool configure_standby_address = configure_address && fw->getOptionsObject()->getBool("cluster_member"); list l2=fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); if (iface->getOptionsObject()->getBool("cluster_interface")) continue; Configlet *cnf = NULL; QString configlet_name; if (iface->isDedicatedFailover()) { configlet_name = "failover_interface_"; if (iface->getLabel().empty()) iface->setLabel("failover"); } if (iface->getOptionsObject()->getStr("type") == "8021q") configlet_name = "vlan_subinterface_"; if ((iface->getOptionsObject()->getStr("type") == "" || iface->getOptionsObject()->getStr("type") == "ethernet") && iface->getByType(Interface::TYPENAME).size() > 0) { // vlan parent configlet_name = "vlan_parent_interface_"; } if (configlet_name.isEmpty()) configlet_name = "regular_interface_"; if (host_os == "pix_os") { if (XMLTools::version_compare(version, "7.0") < 0) configlet_name += "6"; if (XMLTools::version_compare(version, "7.0") >= 0) configlet_name += "7"; } if (host_os == "fwsm_os") { if (XMLTools::version_compare(version, "3.2") < 0) configlet_name += "2"; if (XMLTools::version_compare(version, "3.2") >= 0) configlet_name += "3_2"; } cnf = new Configlet(fw, "pix_os", configlet_name); cnf->removeComments(); cnf->collapseEmptyStrings(true); cnf->setVariable("configure_interface_address", configure_address); cnf->setVariable("configure_standby_address", configure_standby_address); cnf->setVariable("interface_name", iface->getName().c_str()); cnf->setVariable("interface_label", iface->getLabel().c_str()); cnf->setVariable("security_level", iface->getSecurityLevel()); if (iface->getOptionsObject()->getStr("type") == "8021q") { cnf->setVariable("vlan_id", 
iface->getOptionsObject()->getInt("vlan_id")); cnf->setVariable("parent_interface", iface->getParent()->getName().c_str()); } cnf->setVariable("static_address", ! iface->isDyn()); cnf->setVariable("dhcp_address", iface->isDyn()); if (!iface->isDyn()) { QString addr; QString netm; QString standby_addr; _getAddressConfigurationForInterface( iface, &addr, &netm, (configure_standby_address) ? &standby_addr : NULL); if (!addr.isEmpty() && !netm.isEmpty()) { cnf->setVariable("address", addr); cnf->setVariable("netmask", netm); } else { cnf->setVariable("configure_interface_address", false); cnf->setVariable("configure_standby_address", false); } if (configure_standby_address && !standby_addr.isEmpty()) cnf->setVariable("standby_address", standby_addr); } res << cnf->expand().toStdString(); res << endl; res << endl; delete cnf; } return res.str(); } string OSConfigurator_pix_os::_printFailoverConfiguration() { ostringstream res; string host_os = fw->getStr("host_OS"); string version = fw->getStr("version"); string platform = fw->getStr("platform"); QString configlet_name = "failover_commands_"; if (host_os == "pix_os") { if (XMLTools::version_compare(version, "7.0") < 0) configlet_name += "6"; if (XMLTools::version_compare(version, "7.0") >= 0) configlet_name += "7"; } if (host_os == "fwsm_os") { if (XMLTools::version_compare(version, "3.2") < 0) configlet_name += "2"; if (XMLTools::version_compare(version, "3.2") >= 0) configlet_name += "3_2"; } Configlet cnf(fw, "pix_os", configlet_name); cnf.removeComments(); cnf.collapseEmptyStrings(true); list l2 = fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); if (iface->getOptionsObject()->getBool("cluster_interface")) continue; // Intrfaces used for failover and state sync must be marked // as "dedicated failover" in PIX firewall objects. This can // be the same or two different interfaces. 
if (iface->isDedicatedFailover()) { // configure state sync. StateSyncClusterGroup object // belongs to the cluster but method // CompilerDriver::processStateSyncGroups sets variables // "state_sync_group_id" and "state_sync_interface" in the // member firewall object int state_sync_group_id = FWObjectDatabase::getIntId( fw->getOptionsObject()->getStr("state_sync_group_id")); StateSyncClusterGroup *state_sync_group = StateSyncClusterGroup::cast( fw->getRoot()->findInIndex(state_sync_group_id)); if (state_sync_group && state_sync_group->hasMember(iface)) { cnf.setVariable("state_sync_interface_name", iface->getName().c_str()); cnf.setVariable("state_sync_interface_label", iface->getLabel().c_str()); QString key = state_sync_group->getOptionsObject()->getStr("pix_failover_key").c_str(); cnf.setVariable("failover_key", key); QString primary_addr; QString primary_netm; QString standby_addr; /* * Note that in the "failover interface ip" command * the first address is always that of the primary * unit and the second address is that of the * standby. They come in this order in the * configuration of BOTH units which is rather * counter-intuitive. 
*/
                _getFailoverAddresses(
                    state_sync_group, &primary_addr, &primary_netm, &standby_addr);
                cnf.setVariable("state_sync_interface_primary_address", primary_addr);
                cnf.setVariable("state_sync_interface_primary_netmask", primary_netm);
                cnf.setVariable("state_sync_interface_standby_address", standby_addr);
            }

            // Failover (LAN) link: the FailoverClusterGroup is referenced from
            // the interface's "failover_group_id" option. The unit whose
            // interface is the group's "master_iface" is configured as
            // "primary", every other member as "secondary".
            int failover_group_id = FWObjectDatabase::getIntId(
                iface->getOptionsObject()->getStr("failover_group_id"));
            FailoverClusterGroup *failover_group = FailoverClusterGroup::cast(
                fw->getRoot()->findInIndex(failover_group_id));
            if (failover_group)
            {
                cnf.setVariable("failover_interface_name", iface->getName().c_str());
                cnf.setVariable("failover_interface_label", iface->getLabel().c_str());

                QString primary_or_secondary = "secondary";
                int master_id = FWObjectDatabase::getIntId(
                    failover_group->getStr("master_iface"));
                if (iface->getId() == master_id) primary_or_secondary = "primary";
                cnf.setVariable("primary_or_secondary", primary_or_secondary);

                QString primary_addr;
                QString primary_netm;
                QString standby_addr;
                _getFailoverAddresses(
                    failover_group, &primary_addr, &primary_netm, &standby_addr);
                cnf.setVariable("failover_interface_primary_address", primary_addr);
                cnf.setVariable("failover_interface_primary_netmask", primary_netm);
                cnf.setVariable("failover_interface_standby_address", standby_addr);
            }
        }
    }
    return cnf.expand().toStdString();
}

/*
 * Generate the PIX/ASA/FWSM logging configuration from the "pix_logging_*"
 * and "pix_syslog_*" firewall options.
 *
 * Output, in order: "logging host"/queue/facility/trap for the syslog
 * server when one is configured, buffered and console logging, the
 * timestamp switch, "logging on" (or "no logging on" when no destination
 * was enabled) and the optional "logging device-id" line.
 *
 * Aborts compilation if the syslog server address does not fall into the
 * network zone of any interface, because the "logging host" command needs
 * the interface label.
 */
string OSConfigurator_pix_os::_printLogging()
{
    Helper helper(this);
    ostringstream str;
    bool logging_on=false;   // set when any logging destination is enabled

    string syslog_host = fw->getOptionsObject()->getStr("pix_syslog_host");
    int syslog_queue_size = fw->getOptionsObject()->getInt(
        "pix_syslog_queue_size");
    string syslog_facility = fw->getOptionsObject()->getStr(
        "pix_syslog_facility");
    string trap_level = fw->getOptionsObject()->getStr(
        "pix_logging_trap_level");
    bool buffered = fw->getOptionsObject()->getBool("pix_logging_buffered");
    string buffered_level = fw->getOptionsObject()->getStr(
        "pix_logging_buffered_level");
    bool console =
        fw->getOptionsObject()->getBool("pix_logging_console");
    string console_level = fw->getOptionsObject()->getStr(
        "pix_logging_console_level");
    bool timestamp = fw->getOptionsObject()->getBool("pix_logging_timestamp");

    if ( ! syslog_host.empty() )
    {
        // The host string is parsed as an address first and then resolved
        // to the interface whose network zone contains it; the generated
        // command is "logging host <label> <address>". This is the only
        // validation the syslog host gets before it is written out.
        InetAddr syslog_addr(syslog_host);
        int iface_id = helper.findInterfaceByNetzone(&syslog_addr);
        if (iface_id == -1)
            abort("Log server " + syslog_host +
                  " does not belong to any known network zone");
        // NOTE(review): the object returned by findInIndex() is used below
        // without a null check -- assumes an id returned by
        // findInterfaceByNetzone() always resolves in dbcopy.
        Interface *syslog_iface = Interface::cast(dbcopy->findInIndex(iface_id));

        str << endl;
        str << "logging host " << syslog_iface->getLabel() << " " << syslog_host;
        if ( fw->getOptionsObject()->getBool("pix_emblem_log_format") )
            str << " format emblem ";
        str << endl;
        str << "logging queue " << syslog_queue_size << endl;
        if ( ! syslog_facility.empty() )
            str << "logging facility " << syslog_facility << endl;
        if ( ! trap_level.empty() )
            str << "logging trap " << trap_level << endl;
        logging_on=true;
    }

    if ( ! buffered )
        str << "no logging buffered" << endl;
    else
    {
        str << "logging buffered " << buffered_level << endl;
        logging_on=true;
    }

    if ( ! console )
        str << "no logging console" << endl;
    else
    {
        str << "logging console " << console_level << endl;
        logging_on=true;
    }

    if ( ! timestamp ) str << "no ";
    str << "logging timestamp" << endl;

    // "logging on" is only issued when a destination was enabled above;
    // otherwise logging is explicitly switched off.
    if ( ! logging_on) str << "no ";
    str << "logging on" << endl;

    // Device id: the hostname, the address of a named interface, or a
    // free-form string. NOTE(review): "v" comes straight from the options
    // and is emitted verbatim for the "interface" and "string" variants;
    // it is not validated here, so a value with embedded whitespace or a
    // line break would be written into the configuration unchanged.
    string s=fw->getOptionsObject()->getStr("pix_syslog_device_id_opt");
    string v=fw->getOptionsObject()->getStr("pix_syslog_device_id_val");
    if (s=="hostname")  str << "logging device-id hostname" << endl;
    if (s=="interface") str << "logging device-id ipaddress " << v << endl;
    if (s=="string")    str << "logging device-id string " << v << endl;

    str << endl;
    return str.str();
}

/*
 * Fill the configlet variables for one SNMP server slot.
 *
 * cnf        - the "snmp" configlet being populated
 * server_num - slot number, used to build the variable names
 *              interface_<n>_label, address_<n> and poll_or_trap_<n>
 * srv        - server address string from the firewall options
 * poll_trap  - 1 = "poll", 2 = "trap", anything else = empty string
 *
 * Aborts compilation when the server address does not belong to the
 * network zone of any interface.
 *
 * NOTE(review): _printSNMP() calls this for both slots unconditionally,
 * including when srv is an empty string. What InetAddr makes of "" and
 * whether the netzone lookup then returns -1 (which would abort the
 * compile for an unused slot) is not visible in this file -- verify, or
 * return early when srv.empty().
 */
void OSConfigurator_pix_os::_configureSNMPServer(Configlet *cnf,
                                                 int server_num,
                                                 const string &srv,
                                                 int poll_trap)
{
    QString interface_var = QString("interface_%1_label").arg(server_num);
    QString address_var = QString("address_%1").arg(server_num);
    QString poll_or_trap_var = QString("poll_or_trap_%1").arg(server_num);

    Helper helper(this);
    InetAddr srv_addr(srv);
    int iface_id = helper.findInterfaceByNetzone(&srv_addr);
    if (iface_id == -1)
        abort(string("SNMP server ") + srv +
              " does not belong to any known network zone");
    // Result of findInIndex() is not null-checked before getLabel().
    Interface *snmp_iface = Interface::cast(dbcopy->findInIndex(iface_id));

    cnf->setVariable(interface_var, snmp_iface->getLabel().c_str());
    cnf->setVariable(address_var, srv.c_str());
    switch (poll_trap)
    {
    case 1: cnf->setVariable(poll_or_trap_var, "poll"); break;
    case 2: cnf->setVariable(poll_or_trap_var, "trap"); break;
    default: cnf->setVariable(poll_or_trap_var, ""); break;
    }
}

/*
 * Generate the SNMP agent configuration via the "snmp" configlet.
 *
 * The version flags select the PIX (>= 7.0) or FWSM (>= 3.2) command
 * syntax inside the configlet. The read community string is taken from the
 * firewall's SNMP management object and passed to the configlet in clear
 * text, i.e. it ends up in the generated configuration file -- treat that
 * output as a credential-bearing file.
 */
string OSConfigurator_pix_os::_printSNMP()
{
    string version = fw->getStr("version");
    string platform = fw->getStr("platform");

    // for pix
    bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0;
    // for fwsm
    bool version_ge_32 = XMLTools::version_compare(version, "3.2") >= 0;

    Configlet cnf(fw, "pix_os", "snmp");
    cnf.removeComments();
    cnf.collapseEmptyStrings(true);

    cnf.setVariable("pix_version_lt_70", ! version_ge_70);
    cnf.setVariable("pix_version_ge_70", version_ge_70);
    cnf.setVariable("fwsm_version_lt_32", ! version_ge_32);
    cnf.setVariable("fwsm_version_ge_32", version_ge_32);

    bool set_communities = fw->getOptionsObject()->getBool(
        "pix_set_communities_from_object_data");
    bool set_sysinfo = fw->getOptionsObject()->getBool(
        "pix_set_sysinfo_from_object_data" );
    bool enable_traps = fw->getOptionsObject()->getBool(
        "pix_enable_snmp_traps");

    cnf.setVariable("clear", !fw->getOptionsObject()->getBool("pix_acl_no_clear"));
    cnf.setVariable("disable", fw->getOptionsObject()->getBool("pix_disable_snmp_agent"));
    cnf.setVariable("not_disable", ! fw->getOptionsObject()->getBool("pix_disable_snmp_agent"));

    // NOTE(review): "read_community" is always set, regardless of
    // set_communities; whether the configlet only uses it when
    // "set_community" is true is not visible here. getManagementObject()
    // and getSNMPManagement() are also chained without null checks.
    cnf.setVariable("set_community", set_communities);
    cnf.setVariable(
        "read_community",
        fw->getManagementObject()->getSNMPManagement()->getReadCommunity().c_str());

    // NOTE(review): location and contact are read here but never handed to
    // the configlet in this function, so the "set_sysinfo" branch of the
    // configlet cannot be getting them from here -- verify whether the
    // snmp configlet expects "location"/"contact" variables.
    cnf.setVariable("set_sysinfo", set_sysinfo);
    QString location = fw->getOptionsObject()->getStr("snmp_location").c_str();
    QString contact = fw->getOptionsObject()->getStr("snmp_contact").c_str();

    cnf.setVariable("not_enable_traps", ! enable_traps);

    string snmp_server_1 = fw->getOptionsObject()->getStr("pix_snmp_server1");
    string snmp_server_2 = fw->getOptionsObject()->getStr("pix_snmp_server2");
    int snmp_poll_traps_1 = fw->getOptionsObject()->getInt("pix_snmp_poll_traps_1");
    int snmp_poll_traps_2 = fw->getOptionsObject()->getInt("pix_snmp_poll_traps_2");

    cnf.setVariable("not_server_1_empty", ! snmp_server_1.empty());
    cnf.setVariable("not_server_2_empty", ! snmp_server_2.empty());

    // Both slots are configured unconditionally, even when the option is
    // empty (see the note on _configureSNMPServer).
    _configureSNMPServer(&cnf, 1, snmp_server_1, snmp_poll_traps_1);
    _configureSNMPServer(&cnf, 2, snmp_server_2, snmp_poll_traps_2);

    return cnf.expand().toStdString() + "\n";
}

/*
 * Fill the configlet variables for one NTP server slot:
 * not_server_<n>_empty, address_<n>, interface_<n>_label and prefer_<n>.
 *
 * Aborts compilation when the server address does not belong to the
 * network zone of any interface.
 *
 * NOTE(review): the "not_server_<n>_empty" flag is computed only AFTER the
 * InetAddr parse and netzone lookup, and _printNTP() calls this for all
 * three slots whether or not they are filled in. If the lookup does not
 * tolerate an empty string, an unused NTP slot aborts the compile --
 * verify, or test server.empty() before the lookup.
 */
void OSConfigurator_pix_os::_configureNTPServer(Configlet *cnf,
                                                int server_num,
                                                const std::string &server,
                                                bool pref)
{
    Helper helper(this);
    InetAddr srv_addr(server);
    int iface_id = helper.findInterfaceByNetzone(&srv_addr);
    if (iface_id == -1)
    {
        QString err("NTP server %1 does not belong to any known network zone");
        abort(fw, err.arg(server.c_str()).toStdString());
    }
    // Result of findInIndex() is not null-checked before getLabel().
    Interface *ntp_iface = Interface::cast(dbcopy->findInIndex(iface_id));

    QString var_name("not_server_%1_empty");
    cnf->setVariable(var_name.arg(server_num), ! server.empty());

    var_name = QString("address_%1");
    cnf->setVariable(var_name.arg(server_num), server.c_str());

    var_name = QString("interface_%1_label");
    cnf->setVariable(var_name.arg(server_num), ntp_iface->getLabel().c_str());

    var_name = QString("prefer_%1");
    cnf->setVariable(var_name.arg(server_num), pref);
}

/*
 * Generate the NTP configuration via the "ntp" configlet for up to three
 * servers (options pix_ntp1..3 and pix_ntp1_pref..pix_ntp3_pref).
 * Version flags select the PIX (>= 7.0) or FWSM (>= 3.2) syntax.
 */
string OSConfigurator_pix_os::_printNTP()
{
    string version = fw->getStr("version");
    string platform = fw->getStr("platform");

    // for pix
    bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0;
    // for fwsm
    bool version_ge_32 = XMLTools::version_compare(version, "3.2") >= 0;

    Configlet cnf(fw, "pix_os", "ntp");
    cnf.removeComments();
    cnf.collapseEmptyStrings(true);

    cnf.setVariable("pix_version_lt_70", ! version_ge_70);
    cnf.setVariable("pix_version_ge_70", version_ge_70);
    cnf.setVariable("fwsm_version_lt_32", !
version_ge_32); cnf.setVariable("fwsm_version_ge_32", version_ge_32); string ntp_server_1=fw->getOptionsObject()->getStr("pix_ntp1"); bool ntp1_pref=fw->getOptionsObject()->getBool("pix_ntp1_pref"); string ntp_server_2=fw->getOptionsObject()->getStr("pix_ntp2"); bool ntp2_pref=fw->getOptionsObject()->getBool("pix_ntp2_pref"); string ntp_server_3=fw->getOptionsObject()->getStr("pix_ntp3"); bool ntp3_pref=fw->getOptionsObject()->getBool("pix_ntp3_pref"); cnf.setVariable("clear", !fw->getOptionsObject()->getBool("pix_acl_no_clear")); _configureNTPServer(&cnf, 1, ntp_server_1, ntp1_pref); _configureNTPServer(&cnf, 2, ntp_server_2, ntp2_pref); _configureNTPServer(&cnf, 3, ntp_server_3, ntp3_pref); return cnf.expand().toStdString() + "\n"; } string OSConfigurator_pix_os::_printSysopt() { ostringstream res; string platform = fw->getStr("platform"); string version = fw->getStr("version"); FWOptions *options=fw->getOptionsObject(); assert(options!=NULL); bool tcpmss = fw->getOptionsObject()->getBool("pix_tcpmss"); int tcpmss_val = fw->getOptionsObject()->getInt("pix_tcpmss_value"); res << endl; if (fw->getOptionsObject()->getBool("pix_resetinbound")) res << "service resetinbound" << endl; else res << "no service resetinbound" << endl; if (Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/version_" + version + "/pix_resetoutside_supported")) { if (fw->getOptionsObject()->getBool("pix_resetoutside")) res << "service resetoutside" << endl; else res << "no service resetoutside" << endl; } if (tcpmss) res << "sysopt connection tcpmss " << tcpmss_val << endl; if (fw->getStr("platform")=="pix") { if (fw->getOptionsObject()->getBool("pix_connection_timewait")) res << "sysopt connection timewait" << endl; else res << "no sysopt connection timewait" << endl; } if (Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/version_" + version + "/pix_security_fragguard_supported") ) { if ( 
fw->getOptionsObject()->getBool("pix_fragguard") ) res << "sysopt security fragguard" << endl; else res << "no sysopt security fragguard" << endl; } if ( fw->getOptionsObject()->getBool("pix_nodnsalias_inbound") ) res << "sysopt nodnsalias inbound" << endl; else res << "no sysopt nodnsalias inbound" << endl; if ( fw->getOptionsObject()->getBool("pix_nodnsalias_outbound") ) res << "sysopt nodnsalias outbound" << endl; else res << "no sysopt nodnsalias outbound" << endl; if (Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/version_"+version+ "/pix_route_dnat_supported") ) { if ( fw->getOptionsObject()->getBool("pix_route_dnat") ) res << "sysopt route dnat" << endl; else res << "no sysopt route dnat" << endl; } if (Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/version_"+version+ "/pix_floodguard_supported") ) { if ( fw->getOptionsObject()->getBool("pix_floodguard") ) res << "floodguard enable" << endl; else res << "floodguard disable" << endl; } res << endl; return res.str(); } string OSConfigurator_pix_os::_printServiceTimeout(const string &pix_service) { QStringList res; QString hh, mm, ss; string version = fw->getStr("version"); string platform = fw->getStr("platform"); bool use_sunrpc = Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/version_" + version + "/pix_timeout_rpc_is_sunrpc"); hh = fw->getOptionsObject()->getStr(pix_service+"_hh").c_str(); mm = fw->getOptionsObject()->getStr(pix_service+"_mm").c_str(); ss = fw->getOptionsObject()->getStr(pix_service+"_ss").c_str(); if ( ! hh.isEmpty() && ! mm.isEmpty() && ! 
ss.isEmpty()) { QString service_name = pix_service.c_str(); if (pix_service == "rpc" && use_sunrpc) service_name = "sunrpc"; bool ok1, ok2, ok3; int hh_int = hh.toInt(&ok1); if (!ok1) hh_int = 0; int mm_int = mm.toInt(&ok2); if (!ok2) mm_int = 0; int ss_int = ss.toInt(&ok3); if (!ok3) ss_int = 0; if (!ok1 || !ok2 || !ok3) qDebug() << QString("Invalid timeout spec '%1:%2:%3'") .arg(hh).arg(mm).arg(ss); if (pix_service == "xlate" && hh_int == 0 && mm_int == 0 && ss_int == 0) { ss_int = 30; } res << QString("timeout %1 %2:%3:%4") .arg(service_name).arg(hh_int).arg(mm_int).arg(ss_int); if (pix_service == "uauth") { bool abs = fw->getOptionsObject()->getBool("uauth_abs"); bool inact = fw->getOptionsObject()->getBool("uauth_inact"); if (abs) res << "absolute"; if (inact) res << "inactivity"; } res << "\n"; } return res.join(" ").toStdString(); } string OSConfigurator_pix_os::_printTimeouts() { ostringstream res; res << _printServiceTimeout("xlate"); res << _printServiceTimeout("conn"); res << _printServiceTimeout("udp"); res << _printServiceTimeout("rpc"); res << _printServiceTimeout("h323"); res << _printServiceTimeout("sip"); res << _printServiceTimeout("sip_media"); res << _printServiceTimeout("half-closed"); res << _printServiceTimeout("uauth"); res << endl; int to; to = fw->getOptionsObject()->getInt("pix_telnet_timeout"); if (to>60) abort("Telnet timeout should not exceed 60 minutes"); if (to!=0) res << "telnet timeout " << to << endl; return res.str(); } void OSConfigurator_pix_os::addVirtualAddressForNAT(const Address*) { } void OSConfigurator_pix_os::addVirtualAddressForNAT(const Network*) { } string OSConfigurator_pix_os::_printSSHConfiguration() { string platform = fw->getStr("platform"); string version = fw->getStr("version"); // for pix bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0; // for fwsm bool version_ge_32 = XMLTools::version_compare(version, "3.2") >= 0; Configlet cnf(fw, "pix_os", "ssh"); cnf.removeComments(); 
cnf.collapseEmptyStrings(true); cnf.setVariable("pix_version_lt_70", ! version_ge_70); cnf.setVariable("pix_version_ge_70", version_ge_70); cnf.setVariable("fwsm_version_lt_32", ! version_ge_32); cnf.setVariable("fwsm_version_ge_32", version_ge_32); cnf.setVariable("clear", ! fw->getOptionsObject()->getBool("pix_acl_no_clear") ); cnf.setVariable("use_scp", fw->getOptionsObject()->getBool("use_scp")); int to = fw->getOptionsObject()->getInt("pix_ssh_timeout"); if (to>60) abort("SSH timeout should not exceed 60 minutes"); cnf.setVariable("ssh_timeout", to); // ssh accress control is added later when we generate rules return cnf.expand().toStdString() + "\n"; } fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_pix_os.h000066400000000000000000000066371303637203600227030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _OSNETWORKCONFIGURATOR_PIX_OS_HH #define _OSNETWORKCONFIGURATOR_PIX_OS_HH #include "config.h" #include "fwcompiler/OSConfigurator.h" #include #include class Configlet; namespace libfwbuilder { class ClusterGroup; }; namespace fwcompiler { class OSConfigurator_pix_os : public OSConfigurator { //std::string _printNameif(); //std::string _printIPAddress(); void _getFailoverAddresses(libfwbuilder::ClusterGroup *cluster_group, QString *primary_addr, QString *primary_netm, QString *standby_addr); void _getAddressConfigurationForInterface(libfwbuilder::Interface *iface, QString *addr, QString *netm, QString *standby_addr); std::string _printInterfaceConfiguration(); std::string _printFailoverConfiguration(); std::string _printLogging(); void _configureSNMPServer(Configlet *cnf, int server_num, const std::string &srv, int poll_trap); void _configureNTPServer(Configlet *cnf, int server_num, const std::string &server, bool pref); std::string _printSNMP(); std::string _printSysopt(); std::string _printNTP(); std::string _printServiceTimeout(const std::string &pix_service); std::string _printTimeouts(); std::string _printSSHConfiguration(); std::string _printFixupCommand(const std::string &fixup_name, const std::string &sw, int arg1, int arg2, bool ov); std::string _printFixups(); std::string _printMPFPolicyMap(); std::string _printPolicyMapTypeInspect(); public: virtual ~OSConfigurator_pix_os() {}; OSConfigurator_pix_os(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy) : OSConfigurator(_db, fw, ipv6_policy) {} virtual int prolog(); virtual std::string myPlatformName(); virtual void processFirewallOptions(); virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr); virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw); std::string 
getProtocolInspectionCommands(); }; }; #endif fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_pix_os_fixups.cpp000066400000000000000000000126251303637203600246260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "OSConfigurator_pix_os.h" #include "Helper.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /* ******************************************************************** * * Generating old school fixup commands for PIX 6.X * and FWSM 2.3 * * ********************************************************************/ /* * Copy this method into class PIXAdvancedFWDialog in fwbuilder/src/pix */ string OSConfigurator_pix_os::_printFixupCommand(const string &fixup_name, const string &sw, int arg1, int arg2, bool ov) { ostringstream res; if (sw=="0") { if (fixup_name=="dns") { if (arg1) { res << "fixup protocol " << fixup_name; res << " maximum-length " << arg1; res << endl; } } else { if (fixup_name=="ftp") { if (arg1) { res << "fixup protocol " << fixup_name 
<< " "; if (ov) res << "strict "; res << arg1; res << endl; } } else { if (fixup_name=="mgcp") { if (arg1) { res << "fixup protocol " << fixup_name << " "; res << arg1; res << endl; } if (arg2) { res << "fixup protocol " << fixup_name << " "; res << arg2; res << endl; } } else { res << "fixup protocol " << fixup_name << " "; if (arg1) res << arg1; if (arg2 && arg1!=arg2) res << "-" << arg2; res << endl; } } } } if (sw=="1") { res << "no fixup protocol " << fixup_name; res << endl; } return res.str(); } string OSConfigurator_pix_os::_printFixups() { ostringstream res; string platform = fw->getStr("platform"); string version = fw->getStr("version"); FWOptions *options = fw->getOptionsObject(); assert(options!=NULL); string lst = Resources::platform_res[platform]->getResourceStr( "/FWBuilderResources/Target/options/version_" + version + "/fixups/list"); string::size_type i,j, k; i=0; while ( igetStr(fixup_xml_element); if (!f.empty()) { string fixup_name=fixup_xml_element.substr(0, fixup_xml_element.find("_fixup") ); while ( (k=fixup_name.find("_"))!=string::npos ) fixup_name.replace(k,1,1,' '); string sw; int arg1,arg2; string on; bool ov; istringstream str(f); str >> sw >> arg1 >> arg2 >> on >> ov; res << _printFixupCommand(fixup_name, sw, arg1, arg2, ov ); } if (j==string::npos) break; } return res.str(); } string OSConfigurator_pix_os::getProtocolInspectionCommands() { string platform = fw->getStr("platform"); string version = fw->getStr("version"); ostringstream res; if (Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/version_" + version + "/fixups/use_fixup_commands")) res << _printFixups(); if (Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/version_" + version + "/fixups/use_mpf_policy_map")) res << _printMPFPolicyMap(); if (Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/version_" + version + "/fixups/use_policy_map_type_inspect")) res << 
_printPolicyMapTypeInspect(); return res.str(); } fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_pix_os_inspectors.cpp000066400000000000000000000130441303637203600254750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "OSConfigurator_pix_os.h" #include "inspectionProtocol.h" #include "inspectionClassMap.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /* ******************************************************************** * * Generating class-map, class and match commands instead of fixups * for PIX 7.0 * * ********************************************************************/ string OSConfigurator_pix_os::_printMPFPolicyMap() { ostringstream res; string platform = fw->getStr("platform"); string version = fw->getStr("version"); string vers = "version_" + version; FWOptions *options = fw->getOptionsObject(); assert(options!=NULL); std::list defaultClassMaps; std::list customClassMaps; std::map DefaultInspectionInspectStatements; std::map 
CustomInspectionInspectStatements; QStringList allowed_fixups = QString(Resources::platform_res[platform]->getResourceStr( "/FWBuilderResources/Target/options/" + vers + "/fixups/list").c_str()).split(","); defaultClassMaps.clear(); customClassMaps.clear(); DefaultInspectionInspectStatements.clear(); CustomInspectionInspectStatements.clear(); foreach (QString fixup_xml_element, allowed_fixups) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) string f = options->getStr(fixup_xml_element.toAscii().constData()); #else string f = options->getStr(fixup_xml_element.toLatin1().constData()); #endif if (!f.empty()) { QString fixup_name = fixup_xml_element.replace("_fixup", ""); int status; int p1,p2; string an; int av; istringstream str(f); str >> status >> p1 >> p2 >> an >> av; /* We should really fix this in the GUI and pass max length parameter * as an/av rather than as port p1 */ if (fixup_name == "dns" && p1 != 0) { an = "maximum-length"; av = p1; p1 = 53; } if (fixup_name.startsWith("ip_options")) { continue; } #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) InspectionClassMap cm(fixup_name.toAscii().constData(), #else InspectionClassMap cm(fixup_name.toLatin1().constData(), #endif status, p1, p2, an, av); if (cm.isDefault()) defaultClassMaps.push_back(cm); else customClassMaps.push_back(cm); } } res << "class-map inspection_default" << endl; res << " match default-inspection-traffic" << endl; res << endl; std::list::iterator i1; if (customClassMaps.size()>0) { for (i1=customClassMaps.begin(); i1!=customClassMaps.end(); i1++) { res << "class-map " << i1->class_map_name << endl; res << " " << i1->getMatchCommand() << endl; } res << endl; } res << "policy-map global_policy" << endl; if (defaultClassMaps.size()>0) { res << " class inspection_default" << endl; for (i1=defaultClassMaps.begin(); i1!=defaultClassMaps.end(); i1++) { string pn = i1->getPrintableName(); if (i1->status!=FIXUP_SKIP && DefaultInspectionInspectStatements[pn]!=1) { res << " "; if (i1->status==FIXUP_DISABLE) 
res << "no "; res << "inspect " << pn << endl; DefaultInspectionInspectStatements[pn]=1; } } } if (customClassMaps.size()>0) { for (i1=customClassMaps.begin(); i1!=customClassMaps.end(); i1++) { string pn = i1->getPrintableName(); if (i1->status!=FIXUP_SKIP && CustomInspectionInspectStatements[pn]!=1) { res << " class " << i1->class_map_name << endl; res << " "; if (i1->status==FIXUP_DISABLE) res << "no "; res << "inspect " << i1->getPrintableName() << endl; CustomInspectionInspectStatements[pn]=1; } } } res << endl; res << "service-policy global_policy global" << endl; res << endl; return res.str(); } fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_pix_os_inspectors_pix8.cpp000066400000000000000000000076571303637203600264620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "OSConfigurator_pix_os.h" #include "Helper.h" #include "inspectionProtocol.h" #include "inspectionClassMap.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /* ******************************************************************** * * Generating policy-map type inspect commands for PIX 8.0 * * ********************************************************************/ string OSConfigurator_pix_os::_printPolicyMapTypeInspect() { ostringstream res; string platform = fw->getStr("platform"); string version = fw->getStr("version"); string vers = "version_" + version; FWOptions *options = fw->getOptionsObject(); assert(options!=NULL); // first, generate commands for ip-options QStringList allowed_fixups = QString(Resources::platform_res[platform]->getResourceStr( "/FWBuilderResources/Target/options/" + vers + "/fixups/list").c_str()).split(","); list ip_options_matches; foreach (QString fixup_xml_element, allowed_fixups) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) string f = options->getStr(fixup_xml_element.toAscii().constData()); #else string f = options->getStr(fixup_xml_element.toLatin1().constData()); #endif if (!f.empty()) { QString fixup_name = fixup_xml_element.replace("_fixup", ""); int status; int p1,p2; string an; int av; istringstream str(f); str >> status >> p1 >> p2 >> an >> av; if (fixup_name.startsWith("ip_options") && status != FIXUP_SKIP) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) InspectionClassMap cm(fixup_name.toAscii().constData(), #else InspectionClassMap cm(fixup_name.toLatin1().constData(), #endif status, 
p1, p2, an, av); ip_options_matches.push_back(cm); } } } if (ip_options_matches.size() > 0) { res << "policy-map type inspect ip-options ip-options-map" << endl; res << "parameters" << endl; for(list::iterator i=ip_options_matches.begin(); i!=ip_options_matches.end(); ++i) { switch (i->status) { case FIXUP_ENABLE: res << " " << i->getPrintableName() << " action "; res << "allow" << endl; break; case FIXUP_CLEAR: res << " " << i->getPrintableName() << " action "; res << "clear" << endl; break; default: break; } } } res << endl; return res.str(); } fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_procurve.cpp000066400000000000000000000033631303637203600235730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "OSConfigurator_procurve.h" #include "Helper.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string OSConfigurator_procurve::myPlatformName() { return "procurve"; } int OSConfigurator_procurve::prolog() { string host_os = fw->getStr("host_OS"); if (host_os!="procurve") abort("Unsupported OS " + host_os ); return Compiler::prolog(); } void OSConfigurator_procurve::processFirewallOptions() { if ( fw->getOptionsObject()->getBool("procurve_set_host_name") ) { output << "hostname " << fw->getName() << endl; output << endl; } } fwbuilder-5.3.7/src/cisco_lib/OSConfigurator_procurve.h000066400000000000000000000027401303637203600232360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _OSNETWORKCONFIGURATOR_PROCURVE_HH #define _OSNETWORKCONFIGURATOR_PROCURVE_HH #include "config.h" #include "OSConfigurator_ios.h" #include namespace fwcompiler { class OSConfigurator_procurve : public OSConfigurator_ios { public: virtual ~OSConfigurator_procurve() {}; OSConfigurator_procurve(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy) : OSConfigurator_ios(_db, fw, ipv6_policy) {} virtual int prolog(); virtual std::string myPlatformName(); virtual void processFirewallOptions(); }; }; #endif fwbuilder-5.3.7/src/cisco_lib/PIXObjectGroup.cpp000066400000000000000000000107211303637203600215420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "PIXObjectGroup.h" #include "fwbuilder/Address.h" #include "fwbuilder/Network.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; const char *PIXObjectGroup::TYPENAME={"PIXObjectGroup"}; QString PIXObjectGroup::groupMemberToString(FWObject *obj, NamedObjectsManager*) throw(libfwbuilder::FWException) { ostringstream ostr; if (this->getObjectGroupType() == NETWORK) { Address *a = Address::cast(obj); assert(a!=NULL); const InetAddr *addr = a->getAddressPtr(); ostr << "network-object "; if (Network::cast(obj)!=NULL) { const InetAddr *mask = a->getNetmaskPtr(); ostr << addr->toString() << " "; ostr << mask->toString() << " "; } else { ostr << "host "; ostr << addr->toString() << " "; } return ostr.str().c_str(); } else { if (IPService::isA(obj)) { ostr << "protocol-object "; Service *s=Service::cast(obj); assert(s!=NULL); ostr << s->getProtocolName(); return ostr.str().c_str(); } if (ICMPService::isA(obj)) { ostr << "icmp-object "; ICMPService *s=ICMPService::cast(obj); assert(s!=NULL); if ( s->getInt("type")== -1) ostr << "any"; else ostr << s->getInt("type"); return ostr.str().c_str(); } if (TCPService::isA(obj) || UDPService::isA(obj)) { ostr << "port-object "; Service *s=Service::cast(obj); assert(s!=NULL); int rs=TCPUDPService::cast(s)->getDstRangeStart(); int re=TCPUDPService::cast(s)->getDstRangeEnd(); if (rs<0) rs=0; if (re<0) re=0; if (rs>0 || re>0) { if (rs==re) ostr << "eq " << rs; else ostr << "range " << rs << " " << re; } else ostr << "range 0 65535"; return ostr.str().c_str(); } QString err("PIXObjectGroup: Unsupported object '%1' found in " "object group"); throw 
FWException(err.arg(obj->getName().c_str()).toStdString()); } return ostr.str().c_str(); } string PIXObjectGroup::getObjectGroupClass() { switch (this->getObjectGroupType()) { case NETWORK: return "network"; case PROTO: return "protocol"; case ICMP_TYPE: return "icmp-type"; case TCP_SERVICE: return "service"; case UDP_SERVICE: return "service"; case TCP_UDP_SERVICE: return "service"; case MIXED_SERVICE: return "service";; default: { QString err("PIXObjectGroup::getObjectGroupClass(): Unknown object " "group type '%1'"); throw FWException(err.arg(this->getObjectGroupType()).toStdString()); } } } string PIXObjectGroup::getObjectGroupHeader() { ostringstream ostr; ostr << "object-group " << getObjectGroupClass() << " " << this->getName(); switch (this->getObjectGroupType()) { case TCP_SERVICE: ostr << " tcp"; break; case UDP_SERVICE: ostr << " udp"; break; case TCP_UDP_SERVICE: ostr << " tcp-udp"; break; default: break; } return ostr.str(); } string PIXObjectGroup::getObjectGroupFooter() { return "exit"; } fwbuilder-5.3.7/src/cisco_lib/PIXObjectGroup.h000066400000000000000000000027611303637203600212140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PIXOBJECTGROUP_HH #define __PIXOBJECTGROUP_HH #include "BaseObjectGroup.h" namespace fwcompiler { class PIXObjectGroup : public BaseObjectGroup { public: PIXObjectGroup() : BaseObjectGroup() { } virtual ~PIXObjectGroup() {}; DECLARE_FWOBJECT_SUBTYPE(PIXObjectGroup); virtual std::string getObjectGroupClass(); virtual std::string getObjectGroupHeader(); virtual std::string getObjectGroupFooter(); virtual QString groupMemberToString( libfwbuilder::FWObject *obj, NamedObjectsManager *named_obj_manager) throw(libfwbuilder::FWException); }; } #endif fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_cisco.cpp000066400000000000000000000562411303637203600230570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "PolicyCompiler_cisco.h" #include "NamedObjectsManager.h" #include "NamedObjectsAndGroupsSupport.h" #include "NamedObjectsManager.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Management.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_cisco::myPlatformName() { return ""; } PolicyCompiler_cisco::PolicyCompiler_cisco(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf) : PolicyCompiler(_db, fw, ipv6_policy, _oscnf) , helper(this) { } int PolicyCompiler_cisco::prolog() { return PolicyCompiler::prolog(); } string PolicyCompiler_cisco::createRuleLabel(const string &txt, Interface *iface, int rule_num) { ostringstream str; str << rule_num; if (iface!=NULL) str << "(" << iface->getLabel() << ")"; else str << "(" << txt << ")"; return str.str(); } void PolicyCompiler_cisco::setAllNetworkZonesToAny() { /* see #1690. After recent changes (aug 2010) in how we deal with * network zones, we do not assume that interfaces have network * zone "any" if they don't have network zone configured at all. * To work around this, will set network zone to "any" on all * interfaces. Note that this needs to be done only for IOS ACL and * Procurve ACL but not PIX where network zone must be configured * by the user. 
*/ list l2 = fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface = Interface::cast(*i); int netzone_id = FWObjectDatabase::getIntId(iface->getStr("network_zone")); if (netzone_id == -1) iface->setStr("network_zone", FWObjectDatabase::getStringId(FWObjectDatabase::ANY_ADDRESS_ID)); } } void PolicyCompiler_cisco::setAllNetworkZonesToNone() { list l2 = fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface = Interface::cast(*i); if (iface->getStr("network_zone") != "") iface->setStr("network_zone", ""); } } ciscoACL* PolicyCompiler_cisco::createACLObject(const string &acl_name, Interface *intf, const string &dir, bool using_named_acl) { ciscoACL *acl = new ciscoACL(acl_name, intf, dir, using_named_acl); return acl; } string PolicyCompiler_cisco::debugPrintRule(Rule *r) { ostringstream str; PolicyRule *rule = PolicyRule::cast(r); // FWObject *rule_iface = dbcopy->findInIndex(rule->getInterfaceId()); // string iname = (rule_iface!=NULL)?rule_iface->getName():""; string dir = rule->getDirectionAsString(); str << PolicyCompiler::debugPrintRule(rule) << " " << dir // << " " << iname << " " << rule->getStr("acl"); // " intfId=" << rule->getInterfaceId() << // " intfstr=" << rule->getInterfaceStr(); return str.str(); } bool PolicyCompiler_cisco::splitIfSrcAny::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrc *srcrel=rule->getSrc(); Address *src = compiler->getFirstSrc(rule); if ( rule->getDirection()!=PolicyRule::Inbound && ( srcrel->isAny() || ( srcrel->size()==1 && src!=NULL && !compiler->complexMatch(src,compiler->fw) && srcrel->getBool("single_object_negation")) ) ) { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setDirection( PolicyRule::Outbound ); RuleElementSrc *nsrc=r->getSrc(); nsrc->clearChildren(); nsrc->addRef(compiler->fw); tmp_queue.push_back(r); 
} tmp_queue.push_back(rule); // add old rule anyway return true; } /* * This splits the rule if Dst==any and one or more icmp services are * found in Srv. The name of this rule processor needs to be more * descriptive. */ bool PolicyCompiler_cisco::splitIfDstAny::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srvrel=rule->getSrv(); RuleElementDst *dstrel=rule->getDst(); Address *dst=compiler->getFirstDst(rule); std::list cl; for (list::iterator i1=srvrel->begin(); i1!=srvrel->end(); ++i1) { FWObject *o = *i1; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Service *s=Service::cast(obj); assert(s!=NULL); if (ICMPService::isA(s)) cl.push_back(s); if (TCPService::isA(s) && TCPUDPService::cast(s)->getDstRangeStart()==22 && TCPUDPService::cast(s)->getDstRangeEnd()==22) cl.push_back(s); if (TCPService::isA(s) && TCPUDPService::cast(s)->getDstRangeStart()==23 && TCPUDPService::cast(s)->getDstRangeEnd()==23) cl.push_back(s); } if ( !cl.empty() && rule->getDirection()!=PolicyRule::Outbound && ( dstrel->isAny() || ( dstrel->size()==1 && dst!=NULL && !compiler->complexMatch(dst,compiler->fw) && dstrel->getBool("single_object_negation")) ) ) { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setDirection( PolicyRule::Inbound ); RuleElementDst *ndst=r->getDst(); ndst->clearChildren(); ndst->addRef(compiler->fw); RuleElementSrv *nsrv=r->getSrv(); nsrv->clearChildren(); for (list::iterator i=cl.begin(); i!=cl.end(); ++i) nsrv->addRef( (*i) ); tmp_queue.push_back(r); } tmp_queue.push_back(rule); // add old rule in any case return true; } bool PolicyCompiler_cisco::NegationPhase1::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; return true; #ifdef DO_NEGATION if (compiler->debug>=5) { cerr << rule->getLabel() + " >>> neg 1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"; cerr << rule << " " << compiler->atomicRuleToString( 
rule ); } RuleElementSrc *src=rule->getSrc(); assert(src); RuleElementDst *dst=rule->getDst(); assert(dst); RuleElementSrv *srv=rule->getSrv(); assert(srv); /* do not use clearChildren because it * destroys children objects (can delete * rules created on the previous pass) */ compiler->temp_ruleset->clear(); if (src->getNeg()) { PolicyRule *r= getCompiler()->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("action","CONTINUE"); RuleElementSrc *nsrc=r->getSrc(); nsrc->setNeg(false); vr->push_back(r); r= getCompiler()->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrc=r->getSrc(); nsrc->clearChildren(); nsrc->setAnyElement(); nsrc->setNeg(false); vr->push_back(r); } if (dst->getNeg()) { PolicyRule *r= getCompiler()->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("action","CONTINUE"); RuleElementDst *ndst=r->getDst();; ndst->setNeg(false); vr->push_back(r); r= getCompiler()->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); ndst=r->getDst();; ndst->clearChildren(); ndst->setAnyElement(); ndst->setNeg(false); vr->push_back(r); } if (srv->getNeg()) { PolicyRule *r= getCompiler()->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("action","CONTINUE"); RuleElementSrv *nsrv=r->getSrv(); nsrv->setNeg(false); vr->push_back(r); r= getCompiler()->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrv=r->getSrv(); nsrv->clearChildren(); nsrv->setAnyElement(); nsrv->setNeg(false); vr->push_back(r); } if (vr->empty()) { PolicyRule *r= getCompiler()->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); if (compiler->debug>=5) { cerr << "****************** copying rule\n"; rule->dump(true,true); } r->duplicate(rule); vr->push_back(r); } if (compiler->debug>=5) { cerr << rule->getLabel() + " <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"; rule->dump(true,true); cerr << " 
------------------------------------------------\n"; for (vector::iterator i=vr->begin(); i!=vr->end(); i++) { Rule *r=(*i); r->dump(true,true); cerr << r << " " << compiler->atomicRuleToString( r ); } } #endif } /** * re_type can be either RuleElementSrc::TYPENAME or RuleElementDst::TYPENAME * * TODO: this has to move to class PolicyRuleProcessor */ bool PolicyCompiler_cisco::splitIfRuleElementMatchesFW::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; PolicyCompiler_cisco *cisco_comp = dynamic_cast(compiler); RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); int nre = re->size(); list cl; for (list::iterator i1=re->begin(); nre>1 && i1!=re->end(); ++i1) { FWObject *obj = FWReference::getObject(*i1); Address *a = Address::cast(obj); assert(a!=NULL); if (cisco_comp->complexMatch(a,cisco_comp->fw)) { cl.push_back(obj); nre--; PolicyRule *new_rule = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); RuleElement *new_re = RuleElement::cast(new_rule->getFirstByType(re_type)); new_re->clearChildren(); new_re->setAnyElement(); new_re->addRef( a ); tmp_queue.push_back(new_rule); } } if (!cl.empty()) { for (list::iterator i1=cl.begin(); i1!=cl.end(); ++i1) re->removeRef(*i1); } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_cisco::specialCaseWithDynInterface::dropDynamicInterface( PolicyRule *rule, PolicyRule::Direction cmp_dir, RuleElement *re) { PolicyRule::Direction dir=rule->getDirection(); // FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId()); RuleElementItf *intf_re = rule->getItf(); FWObject *rule_iface = FWObjectReference::getObject(intf_re->front()); list cl; for (list::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *obj = FWObjectReference::getObject(*i1); Interface *ifs = Interface::cast( obj ); if (ifs!=NULL && ifs->isDyn()) { if (ifs->getId()==rule_iface->getId() && dir==cmp_dir) cl.push_back(obj); // keep it else 
continue; // remove it } else cl.push_back(obj); } if (re->size()==1 && cl.empty()) // remove the whole rule return false; if (!cl.empty()) { re->clearChildren(); for (list::iterator i1=cl.begin(); i1!=cl.end(); ++i1) { FWObject *oo = *i1; re->addRef( oo ); } } return true; } /** * checks for the following situations: * * assuming interface 'INT' is dynamic * * src. rule bound to interface direction decision * ----------------------------------------------------------------- * INT INT outbound keep * INT any other outbound remove * INT INT inbound remove * INT any other inbound remove * * dest. rule bound to interface direction decision * ------------------------------------------------------------------- * INT INT inbound keep * INT any other inbound remove * INT INT outbound remove * INT any other outbound remove * */ bool PolicyCompiler_cisco::specialCaseWithDynInterface::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; if ( dropDynamicInterface( rule, PolicyRule::Outbound, rule->getSrc() ) && dropDynamicInterface( rule, PolicyRule::Inbound, rule->getDst() ) ) tmp_queue.push_back(rule); return true; } /* * processor splitIfRuleElementMatchesFW (or one derived from it) * should have been called before tcpServiceToFW. This way we know * that if dst is a firewall, it is a single object there. 
*/ bool PolicyCompiler_cisco::tcpServiceToFW::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; PolicyCompiler_cisco *cisco_comp = dynamic_cast(compiler); Q_UNUSED(cisco_comp); RuleElementSrv *srv = rule->getSrv(); Address *a = compiler->getFirstDst(rule); assert(a!=NULL); if (rule->getAction()==PolicyRule::Accept && ( (Cluster::cast(a) != NULL && Cluster::cast(a)->hasMember(compiler->fw)) || a->getId() == compiler->fw->getId() ) ) { std::list cl; for (list::iterator i1=srv->begin(); i1!=srv->end(); ++i1) { FWObject *obj = FWReference::getObject(*i1); Service *s = Service::cast(obj); assert(s!=NULL); if (TCPService::isA(s) && TCPUDPService::cast(s)->getDstRangeStart()==port && TCPUDPService::cast(s)->getDstRangeEnd()==port) cl.push_back(obj); } if (!cl.empty()) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementDst *ndst = r->getDst(); ndst->clearChildren(); ndst->addRef( compiler->fw ); RuleElementSrv *nsrv = r->getSrv(); nsrv->clearChildren(); nsrv->addRef( cl.front() ); r->setBool("tcp_service_to_fw", true); tmp_queue.push_back(r); for (list::iterator i1=cl.begin(); i1!=cl.end(); ++i1) srv->removeRef(*i1); if ( ! srv->isAny()) tmp_queue.push_back(rule); } else tmp_queue.push_back(rule); } else tmp_queue.push_back(rule); return true; } /* * firewall should be a single object in SRC. If object in SRC matches * firewall (in a sence of complexMatch) but is not actual firewall object, * do nothing assuming user wanted it that way. 
*/ bool PolicyCompiler_cisco::replaceFWinSRCInterfacePolicy::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; // FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId()); RuleElementItf *intf_re = rule->getItf(); Interface *rule_iface = Interface::cast( FWObjectReference::getObject(intf_re->front())); if ( rule_iface!=NULL && rule->getDirection()==PolicyRule::Outbound) { RuleElementSrc *src = rule->getSrc(); if (compiler->getFirstSrc(rule)->getId()==compiler->fw->getId()) { src->clearChildren(); src->addRef(rule_iface); } } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_cisco::replaceFWinDSTInterfacePolicy::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; // FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId()); RuleElementItf *intf_re = rule->getItf(); Interface *rule_iface = Interface::cast( FWObjectReference::getObject(intf_re->front())); if ( rule_iface!=NULL && rule->getDirection()==PolicyRule::Inbound) { RuleElementDst *dst = rule->getDst(); if (compiler->getFirstDst(rule)->getId()==compiler->fw->getId()) { dst->clearChildren(); dst->addRef(rule_iface); } } tmp_queue.push_back(rule); return true; } /* * dst should contain objects that belong to the network zone of the * same interface (use splitByNetworkZonesForRE for that) */ bool PolicyCompiler_cisco::replaceFWinDSTPolicy::processNext() { Helper helper(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; // FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId()); RuleElementItf *intf_re = rule->getItf(); if (intf_re->isAny()) { RuleElementSrc *src = rule->getSrc(); RuleElementDst *dst = rule->getDst(); if (!src->isAny() && compiler->getFirstDst(rule)->getId()==compiler->fw->getId()) { try { int iface_id = helper.findInterfaceByNetzone( compiler->getFirstSrc(rule)); FWObject *iface = compiler->dbcopy->findInIndex(iface_id); dst->clearChildren(); dst->addRef(iface); 
} catch (string addr) { ostringstream str; str << "Address " << addr << " does not match address or network zone of any interface." ; compiler->abort(rule, str.str()); return true; } } } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_cisco::equalObjCISCO::operator()(FWObject *o) { if (ICMPService::cast(obj)!=NULL && ICMPService::cast(o)!=NULL) { return (obj->getInt("type")==o->getInt("type")); } else return o->getId()==obj->getId(); } /* re_type can be either RuleElementSrc::TYPENAME or RuleElementDst::TYPENAME */ bool PolicyCompiler_cisco::removeRedundantAddresses::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElement *re=RuleElement::cast(rule->getFirstByType(re_type)); if (re->size()==1) { tmp_queue.push_back(rule); return true; } map status; for (list::iterator i1=re->begin(); i1!=re->end(); ++i1) { Address *a = Address::cast(FWReference::getObject(*i1)); assert(a!=NULL); // assuming all objects are addresses. status[a] = false; } map::iterator i1; map::iterator i2; for (i1=status.begin(); i1!=status.end(); ++i1) { Address *a1 = i1->first; // const InetAddrMask* am1 = a1->getInetAddrMaskObjectPtr(); for (i2=status.begin(); i2!=status.end(); ++i2) { if (i2->second) continue; Address *a2 = i2->first; if (a1->getId() == a2->getId()) continue; // const InetAddrMask* am2 = a2->getInetAddrMaskObjectPtr(); // if (am1 && am2 && am1->toString() == am2->toString()) continue; if (compiler->checkForShadowing(*a1, *a2) ) status[a1] = true; } } for (i1=status.begin(); i1!=status.end(); ++i1) { if (i1->second) re->removeRef(i1->first); } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_cisco::processMultiAddressObjectsInRE::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElement *re = RuleElement::cast( rule->getFirstByType(re_type) ); for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o = *i; if (FWReference::cast(o)!=NULL) o = FWReference::cast(o)->getPointer(); 
MultiAddress *atrt = MultiAddress::cast(o); if (atrt!=NULL && atrt->isRunTime()) { compiler->abort( rule, "Run-time AddressTable and DNSName objects are not supported."); return true; } } tmp_queue.push_back(rule); return true; } void PolicyCompiler_cisco::compile() { } class acl_sort_order { public: acl_sort_order() {}; bool operator()(const string &a, const string &b) { string::size_type i1,i2; i1=a.find(' ',a.find(' ')+1); i2=b.find(' ',b.find(' ')+1); return a.substr(0,i1) < b.substr(0,i2); } }; void PolicyCompiler_cisco::regroup() { list commands; map > script; commands.push_back("THE_REST"); commands.push_back("access-list "); commands.push_back("access-group "); commands.push_back("icmp "); commands.push_back("ssh "); commands.push_back("telnet "); string acl, agrp, icmp, telnet, ssh; string new_output; char buf[1024]; istringstream in(output.str()); while (in) { in.getline(buf, 1023, '\n'); strcat(buf,"\n"); if (buf[0]=='!') continue; string slot="THE_REST"; string cmd(buf); string::size_type n=cmd.find(' '); list::iterator s = std::find(commands.begin(),commands.end(),cmd.substr(0,n+1)); if (s!=commands.end()) slot = *s; script[slot].push_back(buf); } script["access-list "].sort(acl_sort_order()); output.str(""); for (list::iterator i=commands.begin(); i!=commands.end(); ++i) { for (list::iterator j=script[*i].begin(); j!=script[*i].end(); ++j) output << *j; output << "! \n"; output << "! \n"; } } void PolicyCompiler_cisco::epilog() { } string PolicyCompiler_cisco::printClearCommands() { return ""; } /* * This includes commands that should be added first, such as commit mode * for FWSM, setting up temporary access list etc. 
*/ string PolicyCompiler_cisco::printPreambleCommands() { return ""; } void PolicyCompiler_cisco::setNamedObjectsManager(NamedObjectsManager *mgr) { named_objects_manager = mgr; } fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_cisco.h000066400000000000000000000456461303637203600225330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICYCOMPILER_CISCO_HH #define __POLICYCOMPILER_CISCO_HH #include #include "fwcompiler/PolicyCompiler.h" #include "fwbuilder/RuleElement.h" #include "Helper.h" #include "ACL.h" #include "BaseObjectGroup.h" #include "NamedObjectsAndGroupsSupport.h" #include "splitByNetworkZonesForRE.h" namespace libfwbuilder { class IPService; class ICMPService; class TCPService; class UDPService; class RuleElementSrc; class RuleElementDst; class RuleElementSrv; class Group; }; namespace fwcompiler { class PolicyCompiler_cisco : public PolicyCompiler { protected: /** * prints rule in some universal format (close to that visible * to user in the GUI). Used for debugging purposes. 
This method * calls PolicyCompiler::_internalPrintPolicyRule and then adds * fields specific to PIX rules at the end of the printout */ virtual std::string debugPrintRule(libfwbuilder::Rule *rule); virtual ciscoACL* createACLObject(const std::string &n, libfwbuilder::Interface *intf, const std::string &d="in", bool _ip_list=false); /* see #1690. After recent changes (aug 2010) in how we deal with * network zones, we do not assume that interfaces have network * zone "any" if they don't have network zone configured at all. * To work around this, will set network zone to "any" on all * interfaces. Note that this needs to be done only for IOS ACL and * Procurve ACL but not PIX where network zone must be configured * by the user. */ virtual void setAllNetworkZonesToAny(); /* * complementary operation: sets all interface's network zones * to blank to make sure compiler operates with predictable * configuration. This can be important if user switches from * platform that requires network zones (PIX) to the one that * does not support them, but compiler code uses the same * classes. */ virtual void setAllNetworkZonesToNone(); /** * drops dynamic interface from the rule in the following * cases because its address is unknown and we can not build * ACL rule for it. * * assuming interface 'INT' is dynamic * * src. rule bound to interface direction decision * ----------------------------------------------------------------- * INT INT outbound keep * INT any other outbound remove * INT INT inbound remove * INT any other inbound remove * * dest. 
rule bound to interface direction decision * ------------------------------------------------------------------- * INT INT inbound keep * INT any other inbound remove * INT INT outbound remove * INT any other outbound remove * * */ friend class specialCaseWithDynInterface; class specialCaseWithDynInterface : public PolicyRuleProcessor { bool dropDynamicInterface(libfwbuilder::PolicyRule *rule, libfwbuilder::PolicyRule::Direction dir, libfwbuilder::RuleElement *re); public: specialCaseWithDynInterface(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; /** * only for rules with interface element 'all' and direction * 'both' or 'inbound'; for interfaces with zones that match * src: create rule with that interface, direction * inbound. 'Any' in src matches all interfaces. * * Set flag (boolean) 'interface_and_direction_set_from_src' * so other rule processors in the same batch can skip the * rule. */ DECLARE_POLICY_RULE_PROCESSOR( setInterfaceAndDirectionBySrc ); /** * only for rules with interface element 'all'and direction * 'both' or 'outbound'; for interfaces with zones that match * dst: create rule with that interface, direction * outbound. 'Any' in dst matches all interfaces. * * Set flag (boolean) 'interface_and_direction_set_from_dst' * so other rule processors in the same batch can skip the * rule. */ DECLARE_POLICY_RULE_PROCESSOR( setInterfaceAndDirectionByDst ); /** * for rules with interface element not 'all' and direction * 'both': create two rules with the same interface and * directions Inbound and Outbound * * for rules with interface element not 'all' and direction * 'inbound' or 'outbound': setInterfaceId to this interface * * Skip rule if flag 'interface_and_direction_set_from_src' or * 'interface_and_direction_set_from_dst' is set * * Set flag (boolean) 'interface_and_direction_set' * so other rule processors in the same batch can skip the * rule. 
*/ DECLARE_POLICY_RULE_PROCESSOR( setInterfaceAndDirectionIfInterfaceSet ); /** * determine acl rules should belong to */ class pickACL : public PolicyRuleProcessor { bool using_named_acl; public: pickACL(bool use_named_acl,const std::string &name) : PolicyRuleProcessor(name) {using_named_acl = use_named_acl;} virtual bool processNext(); }; friend class PolicyCompiler_cisco::pickACL; /** * split rule if Src==any * * This is special case since we assume that "any" includes * also a firewall object. Packets headed to or from the * firewall must be inspected by INPUT or OUTPUT chain, while * packets crossing the firewall are inspected by FORWARD * chain. If we assume that "any" also includes firewall * itself, then we need to generate code for both FORWARD and * INPUT/OUTPUT chains from the same rule. This processor * splits the rule onto two and sets chain and direction in * the second copy appropriately. It preserve original src and * dst in both copies, it only changes chain and direction in * the second copy. */ DECLARE_POLICY_RULE_PROCESSOR(splitIfSrcAny); /** * split rule if Dst==any. See comment in splitIfSrcAny */ DECLARE_POLICY_RULE_PROCESSOR(splitIfDstAny); /** * TODO: move this processor to class PolicyCompiler. The same * processor is used in ipt and in pf (although in pf there it * is present in two copies that have different names * splitIfFirewallInSrc and splitIfFirewallInDst). 
Move also * splitIfSrcMatchesFw and splitIfDstMatchesFw */ friend class splitIfRuleElementMatchesFW; class splitIfRuleElementMatchesFW : public PolicyRuleProcessor { std::string re_type; public: splitIfRuleElementMatchesFW(const std::string &n, std::string _type) : PolicyRuleProcessor(n) { re_type=_type; } virtual bool processNext(); }; friend class splitIfSrcMatchesFw; class splitIfSrcMatchesFw : public splitIfRuleElementMatchesFW { public: splitIfSrcMatchesFw (const std::string &n) : splitIfRuleElementMatchesFW(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; class splitIfDstMatchesFw : public splitIfRuleElementMatchesFW { public: splitIfDstMatchesFw (const std::string &n) : splitIfRuleElementMatchesFW(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; friend class PolicyCompiler_cisco::splitIfDstMatchesFw; /** * find redundant objects in rule element and eliminate * them. This only works for SRC and DST since all objects are * assumed to be addresses. Redundant object is such that has * narrower address range than some other object in the same * rule element. 
*/ friend class removeRedundantAddresses; class removeRedundantAddresses : public PolicyRuleProcessor { std::string re_type; public: removeRedundantAddresses(const std::string &n,std::string _type) : PolicyRuleProcessor(n) { re_type=_type; } virtual bool processNext(); }; friend class removeRedundantAddressesFromSrc; class removeRedundantAddressesFromSrc : public removeRedundantAddresses { public: removeRedundantAddressesFromSrc (const std::string &n) : removeRedundantAddresses(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; friend class removeRedundantAddressesFromDst; class removeRedundantAddressesFromDst : public removeRedundantAddresses { public: removeRedundantAddressesFromDst (const std::string &n) : removeRedundantAddresses(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * this processor splits rules if it finds rule that controls * access for tcp service with port number "port" to the firewall */ class tcpServiceToFW : public PolicyRuleProcessor { int port; public: tcpServiceToFW(int p,const std::string &name) : PolicyRuleProcessor(name) {port=p;} virtual bool processNext(); }; friend class PolicyCompiler_cisco::tcpServiceToFW; /** * this processor splits rules if it finds telnet to firewall */ class telnetToFirewall : public tcpServiceToFW { public: telnetToFirewall(const std::string &n):tcpServiceToFW(23, n) {} }; friend class telnetToFirewall; /** * this processor splits rules if it finds ssh to firewall */ class sshToFirewall : public tcpServiceToFW { public: sshToFirewall(const std::string &n):tcpServiceToFW(22, n) {} }; friend class sshToFirewall; /** * this processor splits rules if it finds telnet to firewall */ class httpToFirewall : public tcpServiceToFW { public: httpToFirewall(const std::string &n):tcpServiceToFW(80, n) {} }; friend class httpToFirewall; /** * replace fw with one of its interfaces in SRC in interface * policy rule */ DECLARE_POLICY_RULE_PROCESSOR( replaceFWinSRCInterfacePolicy ); /** * replace fw with one of its interfaces 
in DST in interface * policy rule */ DECLARE_POLICY_RULE_PROCESSOR( replaceFWinDSTInterfacePolicy ); /** * replace fw with one of its interfaces in DST in global * policy rule */ DECLARE_POLICY_RULE_PROCESSOR( replaceFWinDSTPolicy ); class splitByNetworkZonesForSrc : public splitByNetworkZonesForRE { public: splitByNetworkZonesForSrc(const std::string &n): splitByNetworkZonesForRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; class splitByNetworkZonesForDst : public splitByNetworkZonesForRE { public: splitByNetworkZonesForDst(const std::string &n): splitByNetworkZonesForRE(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * this processor deals with negation in all fields by * splitting the rule and using temporary action * "CONTINUE". Rules must be filtered through NegationPhase2 * later */ DECLARE_POLICY_RULE_PROCESSOR( NegationPhase1 ); /** * eliminates duplicate objects in rule element * 're_type'. Uses special comparison function class to * detect equivalent ICMP objects */ class equalObjCISCO : public PolicyCompiler::equalObj { public: virtual bool operator()(libfwbuilder::FWObject *o); }; class eliminateDuplicatesInRE_cisco : public PolicyCompiler::eliminateDuplicatesInRE { public: eliminateDuplicatesInRE_cisco(const std::string &n,const std::string &re_type) : eliminateDuplicatesInRE(n,re_type) { comparator=new equalObjCISCO(); } }; /** * eliminates duplicate objects in SRC. */ class eliminateDuplicatesInSRC : public eliminateDuplicatesInRE_cisco { public: eliminateDuplicatesInSRC(const std::string &n) : eliminateDuplicatesInRE_cisco(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; /** * eliminates duplicate objects in DST. 
*/ class eliminateDuplicatesInDST : public eliminateDuplicatesInRE_cisco { public: eliminateDuplicatesInDST(const std::string &n) : eliminateDuplicatesInRE_cisco(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * eliminates duplicate objects in SRV */ class eliminateDuplicatesInSRV : public eliminateDuplicatesInRE_cisco { public: eliminateDuplicatesInSRV(const std::string &n) : eliminateDuplicatesInRE_cisco(n,libfwbuilder::RuleElementSrv::TYPENAME) {} }; /** * Placeholders for MultiAddressRunTime objects which are not * supported for Cisco devices (IOS and PIX, at least) */ class processMultiAddressObjectsInRE : public PolicyRuleProcessor { std::string re_type; public: processMultiAddressObjectsInRE(const std::string &name, const std::string &t) : PolicyRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; class processMultiAddressObjectsInSrc : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInSrc(const std::string &n) : processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; class processMultiAddressObjectsInDst : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInDst(const std::string &n) : processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; #ifdef OLD_STYLE_OBJECT_GROUP_SUPPORT /** * this processor creates PIX-specific object groups * (PIX CLI command "object-group") for rules with * more than one object in src or dst or srv */ class CreateObjectGroups : public PolicyRuleProcessor { std::string re_type; std::string name_suffix; public: CreateObjectGroups(const std::string &name, const std::string &_ns, const std::string &_type) : PolicyRuleProcessor(name) {re_type=_type; name_suffix=_ns; } virtual bool processNext(); }; friend class PolicyCompiler_cisco::CreateObjectGroups; class CreateObjectGroupsForSrc : public CreateObjectGroups { public: CreateObjectGroupsForSrc(const std::string &n): 
CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME) {} }; class CreateObjectGroupsForDst : public CreateObjectGroups { public: CreateObjectGroupsForDst(const std::string &n): CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME) {} }; class CreateObjectGroupsForSrv : public CreateObjectGroups { public: CreateObjectGroupsForSrv(const std::string &n): CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME) {} }; /** * this processor accumulates all rules fed to it by previous * processors, then prints all object groups and feeds all * rules to the next processor. Usually this processor is in * chain right before PrintRules. * */ class printObjectGroups : public PolicyRuleProcessor { public: printObjectGroups(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class PolicyCompiler_cisco::printObjectGroups; #endif protected: Helper helper; NamedObjectsManager *named_objects_manager; virtual std::string myPlatformName(); std::string mangleInterfaceName(const std::string &interface_name); public: std::map acls; PolicyCompiler_cisco(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf); virtual ~PolicyCompiler_cisco() {} #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Woverloaded-virtual" virtual std::string createRuleLabel(const std::string &txt, libfwbuilder::Interface *iface, int rule_num); #pragma GCC diagnostic pop virtual int prolog(); virtual void compile(); virtual void epilog(); virtual std::string printClearCommands(); virtual std::string printPreambleCommands(); /** * sort commands ('icmp', 'telnet', 'ssh') and access lists * in some kind of 'natural' order. 
Useful for both IOS and PIX */ void regroup(); void setNamedObjectsManager(NamedObjectsManager *mgr); }; } #endif fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_cisco_acls.cpp000066400000000000000000000325751303637203600240650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "PolicyCompiler_cisco.h" #include "NamedObjectsManager.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Cluster.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /* * Call this rule processor after splitIfSrcMatchesFw and * splitIfDstMatchesFw to make sure that if firewall or its interface * or address is in src or dst, it is the only object there. 
*/ bool PolicyCompiler_cisco::setInterfaceAndDirectionBySrc::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; Helper helper(compiler); list intf_id_list; RuleElementItf *intf_re = rule->getItf(); if (intf_re->isAny()) { bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member"); Cluster *cluster = NULL; if (cluster_member) cluster = Cluster::cast( compiler->dbcopy->findInIndex( compiler->fw->getInt("parent_cluster_id"))); RuleElementSrc *srcre = rule->getSrc(); RuleElementDst *dstre = rule->getDst(); Address *srcobj = compiler->getFirstSrc(rule); if (rule->getDirection()==PolicyRule::Both && ! compiler->complexMatch(srcobj, compiler->fw) && ! compiler->complexMatch(srcobj, cluster)) { intf_id_list = helper.findInterfaceByNetzoneOrAll( srcre ); } if (rule->getDirection()==PolicyRule::Inbound) intf_id_list = helper.getAllInterfaceIDs(); for (list::iterator i = intf_id_list.begin(); i!=intf_id_list.end(); ++i) { int intf_id = *i; Interface *ifs = Interface::cast(rule->getRoot()->findInIndex(intf_id)); assert(ifs); if (ifs->isUnprotected()) continue; // skip! if (ifs->isLoopback()) continue; // skip! PolicyRule *new_rule = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); // new_rule->setInterfaceId(intf_id); RuleElementItf *itf_re = new_rule->getItf(); assert(itf_re!=NULL); itf_re->reset(); itf_re->addRef(ifs); new_rule->setDirection(PolicyRule::Inbound); new_rule->setBool("interface_and_direction_set_from_src",true); tmp_queue.push_back(new_rule); } // If dst does not match firewall, preserve original rule as // well to let setInterfaceAndDirectionByDst work on it. // // Note for #1298 // // if address in dst is multicast, it can be forwarded and so // we need to preserve the rule. But broadcasts are not // forwarded so we should consider them as matching the fw. 
// FWObject *d = dstre->front(); if (FWReference::cast(d)!=NULL) d = FWReference::cast(d)->getPointer(); if (!compiler->complexMatch(Address::cast(d), compiler->fw, true, false)) tmp_queue.push_back(rule); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_cisco::setInterfaceAndDirectionByDst::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; Helper helper(compiler); if (rule->getBool("interface_and_direction_set_from_src")) { tmp_queue.push_back(rule); return true; } RuleElementItf *intf_re = rule->getItf(); list intf_id_list; if (intf_re->isAny()) { bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member"); Cluster *cluster = NULL; if (cluster_member) cluster = Cluster::cast( compiler->dbcopy->findInIndex( compiler->fw->getInt("parent_cluster_id"))); RuleElementDst *dstre = rule->getDst(); Address *dstobj = compiler->getFirstDst(rule); if (rule->getDirection()==PolicyRule::Both && ! compiler->complexMatch(dstobj, compiler->fw) && ! compiler->complexMatch(dstobj, cluster)) { intf_id_list = helper.findInterfaceByNetzoneOrAll( dstre ); } if (rule->getDirection()==PolicyRule::Outbound) intf_id_list = helper.getAllInterfaceIDs(); for (list::iterator i = intf_id_list.begin(); i!=intf_id_list.end(); ++i) { int intf_id = *i; Interface *ifs = Interface::cast(rule->getRoot()->findInIndex(intf_id)); assert(ifs); if (ifs->isUnprotected()) continue; // skip! if (ifs->isLoopback()) continue; // skip! 
PolicyRule *new_rule = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); // new_rule->setInterfaceId(intf_id); RuleElementItf *itf_re = new_rule->getItf(); assert(itf_re!=NULL); itf_re->reset(); itf_re->addRef(ifs); new_rule->setDirection(PolicyRule::Outbound); new_rule->setBool("interface_and_direction_set_from_dst",true); tmp_queue.push_back(new_rule); } return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_cisco::setInterfaceAndDirectionIfInterfaceSet::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; //RuleElementItf *itfre=rule->getItf(); RuleElementItf *intf_re = rule->getItf(); if (intf_re->isAny() || rule->getBool("interface_and_direction_set_from_src") || rule->getBool("interface_and_direction_set_from_dst")) { tmp_queue.push_back(rule); return true; } PolicyRule *new_rule; if ( ! intf_re->isAny()) { FWObject *rule_iface = FWObjectReference::getObject(intf_re->front()); RuleElementItf *itf_re; if (rule->getDirection()==PolicyRule::Both) { new_rule =compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); // new_rule->setInterfaceId( rule_iface_id ); itf_re = new_rule->getItf(); assert(itf_re!=NULL); itf_re->reset(); itf_re->addRef(rule_iface); new_rule->setDirection(PolicyRule::Inbound); new_rule->setBool("interface_and_direction_set",true); tmp_queue.push_back(new_rule); new_rule =compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); // new_rule->setInterfaceId( rule_iface_id ); itf_re = new_rule->getItf(); assert(itf_re!=NULL); itf_re->reset(); itf_re->addRef(rule_iface); new_rule->setDirection(PolicyRule::Outbound); new_rule->setBool("interface_and_direction_set",true); tmp_queue.push_back(new_rule); } else { new_rule =compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); // new_rule->setInterfaceId( 
rule_iface_id ); itf_re = new_rule->getItf(); assert(itf_re!=NULL); itf_re->reset(); itf_re->addRef(rule_iface); // direction is copied from the original rule new_rule->setBool("interface_and_direction_set",true); tmp_queue.push_back(new_rule); } } return true; } bool PolicyCompiler_cisco::pickACL::processNext() { PolicyCompiler_cisco *cisco_comp = dynamic_cast( compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; // Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex( // rule->getInterfaceId())); RuleElementItf *intf_re = rule->getItf(); Interface *rule_iface = Interface::cast( FWObjectReference::getObject(intf_re->front())); if(rule_iface==NULL) { compiler->abort(rule, "Missing interface assignment"); return true; } /* * option 'Generate outbound access lists' is called * 'pix_generate_out_acl' for PIX and 'generate_out_acl' for * IOS. Need to check the right one depending on what platform * this compiler is for. Class PolicyCompiler_cisco is base class * and can be used for both. */ /* * TODO: Here we hardcode this option to True for IOS. Instead of * doing it here, just set option "generate_out_acl" to true in * PolicyCompiler_iosacl::prolog(). It is done that way in * PolicyCompiler_procurveacl already. This way, base class * PolicyCompiler_cisco does not need to be aware of the actual * platform. */ bool generate_out_acl = false; if (compiler->myPlatformName()=="pix") generate_out_acl = compiler->fw->getOptionsObject()-> getBool("pix_generate_out_acl"); else { if (compiler->myPlatformName()=="iosacl") generate_out_acl = true; else generate_out_acl = compiler->fw->getOptionsObject()-> getBool("generate_out_acl"); } if (rule->getDirection() == PolicyRule::Outbound && !generate_out_acl) { compiler->abort( rule, "Rule with direction 'Outbound' requires outbound ACL " "but option 'Generate outbound access lists' is OFF."); return true; } /* The choice of the ACL name depends on whether this is a named * acl or not. 
If not, should use unique numbers. Also need to * pass this flag to the ciscoACL object. */ string acl_name = rule_iface->getLabel(); if (acl_name.empty()) acl_name = rule_iface->getName(); acl_name = cisco_comp->mangleInterfaceName(acl_name); string dir = "in"; if (rule->getDirection() == PolicyRule::Inbound) { acl_name += "_in"; dir="in"; } if (rule->getDirection() == PolicyRule::Outbound) { acl_name += "_out"; dir="out"; } // if this is not the "main" rule set, use its name for the acl name if (!compiler->getSourceRuleSet()->isTop()) acl_name = compiler->getSourceRuleSet()->getName() + "_" + acl_name; if (cisco_comp->ipv6) acl_name = "ipv6_" + acl_name; rule->setStr("acl",acl_name); ciscoACL *acl = cisco_comp->createACLObject(acl_name, rule_iface, dir, using_named_acl); cisco_comp->acls[acl_name] = acl; acl->setWorkName(acl_name); tmp_queue.push_back(rule); return true; } /* * Take interface name as an argument and produce * shortened, space-free string that uniquely identifies interface * in a human-readable way. 
*/ std::string PolicyCompiler_cisco::mangleInterfaceName( const string &interface_name) { string::size_type n; string s = interface_name; // lowercase all characters transform (s.begin(), s.end(), // source s.begin(), // destination ::tolower); // operation map name_mapping; map::iterator nmi; name_mapping["async"] = "as"; name_mapping["atm"] = "atm"; name_mapping["bri"] = "bri"; name_mapping["ethernet"] = "e"; name_mapping["fastethernet"] = "fe"; name_mapping["fddi"] = "fddi"; name_mapping["gigabitethernet"] = "ge"; name_mapping["hssi"] = "h"; name_mapping["loopback"] = "l"; name_mapping["port-channel"] = "pc"; name_mapping["pos"] = "pos"; name_mapping["serial"] = "s"; name_mapping["switch"] = "sw"; name_mapping["tokenring"] = "tr"; name_mapping["tunnel"] = "tun"; name_mapping["tengigabitethernet"] = "te"; name_mapping["sonet"] = "so"; name_mapping["vg-anylan"] = "vg"; for (nmi=name_mapping.begin(); nmi!=name_mapping.end(); nmi++) { if (s.find( nmi->first )==0) { s.replace(0, nmi->first.size(), nmi->second); break; } } while ( (n=s.find(" "))!=string::npos) { s.replace(n,1,"_"); } while ( (n=s.find("/"))!=string::npos) { s.replace(n,1,"_"); } return s; } fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_iosacl.cpp000066400000000000000000000425361303637203600232330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "PolicyCompiler_iosacl.h" #include "NamedObjectsAndGroupsSupport.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Management.h" #include "fwbuilder/Network.h" #include "fwbuilder/ObjectMirror.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_iosacl::myPlatformName() { return "iosacl"; } PolicyCompiler_iosacl::PolicyCompiler_iosacl(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf) : PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf) { resetinbound = false; fragguard = false; comment_symbol = "!"; } int PolicyCompiler_iosacl::prolog() { string version = fw->getStr("version"); string platform = fw->getStr("platform"); string host_os = fw->getStr("host_OS"); if (platform!="iosacl") abort("Unsupported platform " + platform ); fw->getOptionsObject()->setBool( "use_acl_remarks", fw->getOptionsObject()->getBool("iosacl_use_acl_remarks")); // object_groups = new Group(); // persistent_objects->add( object_groups ); setAllNetworkZonesToNone(); return PolicyCompiler::prolog(); } bool PolicyCompiler_iosacl::checkForDynamicInterface::findDynamicInterface( PolicyRule *rule, RuleElement *rel) { string vers=compiler->fw->getStr("version"); for (list::iterator i1=rel->begin(); i1!=rel->end(); ++i1) { FWObject *o = *i1; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Interface *iface=Interface::cast(obj); if (iface!=NULL && 
iface->isDyn()) compiler->abort( rule, "Dynamic interface can not be used in the IOS ACL rules."); } return true; } bool PolicyCompiler_iosacl::checkForDynamicInterface::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; findDynamicInterface(rule,rule->getSrc()); findDynamicInterface(rule,rule->getDst()); tmp_queue.push_back(rule); return true; } /* * Copy all references from rule element re1 to rule element re2. */ void PolicyCompiler_iosacl::mirrorRule::duplicateRuleElement( RuleElement *re1, RuleElement *re2) { re2->clearChildren(); for (list::iterator i1=re1->begin(); i1!=re1->end(); ++i1) { FWObject *obj = FWReference::getObject(*i1); re2->addRef(obj); } } bool PolicyCompiler_iosacl::mirrorRule::processNext() { //PolicyCompiler_iosacl *iosacl_comp=dynamic_cast(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; if (rule->getOptionsObject()->getBool("iosacl_add_mirror_rule")) { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setAction(rule->getAction()); switch (rule->getDirection()) { case PolicyRule::Inbound: r->setDirection(PolicyRule::Outbound); break; case PolicyRule::Outbound: r->setDirection(PolicyRule::Inbound); break; default: r->setDirection(PolicyRule::Both); break; } RuleElementSrc *osrc = rule->getSrc(); RuleElementDst *odst = rule->getDst(); RuleElementSrv *osrv = rule->getSrv(); RuleElementItf *oitf = rule->getItf(); RuleElementSrc *nsrc = r->getSrc(); RuleElementDst *ndst = r->getDst(); RuleElementSrv *nsrv = r->getSrv(); RuleElementItf *nitf = r->getItf(); duplicateRuleElement(osrc, ndst); duplicateRuleElement(odst, nsrc); duplicateRuleElement(oitf, nitf); if (!osrv->isAny()) { ObjectMirror mirror; nsrv->clearChildren(); for (list::iterator i1=osrv->begin(); i1!=osrv->end(); ++i1) { Service *nobj = mirror.getMirroredService( Service::cast(FWReference::getObject(*i1))); if (nobj->getParent() == NULL) compiler->persistent_objects->add(nobj, 
false); nsrv->addRef(nobj); } } tmp_queue.push_back(r); } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_iosacl::SpecialServices::processNext() { //PolicyCompiler_iosacl *iosacl_comp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; Service *s = compiler->getFirstSrv(rule); if (IPService::cast(s)!=NULL) { if (s->getBool("rr") || s->getBool("ssrr") || s->getBool("ts") ) compiler->abort( rule, "IOS ACL does not support checking for IP options in ACLs."); } if (TCPService::cast(s)!=NULL && TCPService::cast(s)->inspectFlags()) { string version = compiler->fw->getStr("version"); if (XMLTools::version_compare(version, "12.4")<0) compiler->abort(rule, "TCP flags match requires IOS v12.4 or later."); } tmp_queue.push_back(rule); return true; } /* * This rule processor is used to separate TCP service objects that * match tcp flags when generated config uses object-group clause */ bool PolicyCompiler_iosacl::splitTCPServiceWithFlags::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srv = rule->getSrv(); if (srv->size() > 1) { std::list cl; for (list::iterator i1=srv->begin(); i1!=srv->end(); ++i1) { FWObject *o = *i1; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Service *s=Service::cast(obj); assert(s!=NULL); TCPService *tcp_srv = TCPService::cast(s); if (tcp_srv && (tcp_srv->inspectFlags() || tcp_srv->getEstablished())) cl.push_back(s); } while (!cl.empty()) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementSrv *nsrv = r->getSrv(); nsrv->clearChildren(); nsrv->addRef( cl.front() ); tmp_queue.push_back(r); srv->removeRef( cl.front() ); cl.pop_front(); } if (srv->size()>0) tmp_queue.push_back(rule); } else tmp_queue.push_back(rule); return true; } void PolicyCompiler_iosacl::compile() { string banner = " Compiling ruleset " + getSourceRuleSet()->getName(); if (ipv6) banner 
+= ", IPv6"; info(banner); string version = fw->getStr("version"); bool supports_object_groups = XMLTools::version_compare(version, "12.4")>=0 && fw->getOptionsObject()->getBool("iosacl_use_object_groups") && ! ipv6; string vers = fw->getStr("version"); string platform = fw->getStr("platform"); Compiler::compile(); if ( fw->getOptionsObject()->getBool ("check_shading") && ! inSingleRuleCompileMode()) { add( new Begin("Detecting rule shadowing" ) ); add( new printTotalNumberOfRules()); add( new ItfNegation("process negation in Itf" ) ); add( new InterfacePolicyRules( "process interface policy rules and store interface ids")); add( new recursiveGroupsInSrc("check for recursive groups in SRC")); add( new recursiveGroupsInDst("check for recursive groups in DST")); add( new recursiveGroupsInSrv("check for recursive groups in SRV")); add( new ExpandGroups("expand groups")); add( new dropRuleWithEmptyRE( "drop rules with empty rule elements")); add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC")); add( new eliminateDuplicatesInDST("eliminate duplicates in DST")); add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV")); add( new ExpandMultipleAddressesInSrc( "expand objects with multiple addresses in SRC" ) ); add( new ExpandMultipleAddressesInDst( "expand objects with multiple addresses in DST" ) ); add( new dropRuleWithEmptyRE( "drop rules with empty rule elements")); add( new mirrorRule("Add mirrored rules")); add( new ConvertToAtomic("convert to atomic rules" ) ); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add( new DetectShadowing("Detect shadowing" ) ); add( new simplePrintProgress() ); runRuleProcessors(); deleteRuleProcessors(); } add( new Begin (" Start processing rules" ) ); add( new printTotalNumberOfRules ( ) ); add( new singleRuleFilter()); add( new recursiveGroupsInSrc( "check for recursive groups in SRC" ) ); add( new recursiveGroupsInDst( "check for recursive groups in DST" ) ); add( 
new recursiveGroupsInSrv( "check for recursive groups in SRV" ) ); add( new emptyGroupsInSrc( "check for empty groups in SRC" ) ); add( new emptyGroupsInDst( "check for empty groups in DST" ) ); add( new emptyGroupsInSrv( "check for empty groups in SRV" ) ); add( new ExpandGroups ("expand groups" ) ); add( new dropRuleWithEmptyRE( "drop rules with empty rule elements")); add( new eliminateDuplicatesInSRC( "eliminate duplicates in SRC" ) ); add( new eliminateDuplicatesInDST( "eliminate duplicates in DST" ) ); add( new eliminateDuplicatesInSRV( "eliminate duplicates in SRV" ) ); add( new processMultiAddressObjectsInSrc( "process MultiAddress objects in Src") ); add( new processMultiAddressObjectsInDst( "process MultiAddress objects in Dst") ); add( new expandGroupsInItf("expand groups in Interface" )); add( new replaceClusterInterfaceInItf( "replace cluster interfaces with member interfaces in the Interface rule element")); add( new ItfNegation( "process negation in Itf" ) ); add( new InterfacePolicyRules( "process interface policy rules and store interface ids") ); add( new groupServicesByProtocol ("split rules with different protocols" ) ); add( new ExpandMultipleAddressesInSrc( "expand objects with multiple addresses in SRC" ) ); add( new MACFiltering ("check for MAC address filtering" ) ); // add( new splitByNetworkZonesForSrc ("split rule if objects in Src belong to different network zones " ) ); // add( new replaceFWinDSTPolicy ("replace fw with its interface in DST in global policy rules") ); add( new ExpandMultipleAddressesInDst( "expand objects with multiple addresses in DST" ) ); add( new MACFiltering( "check for MAC address filtering" ) ); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); // add( new splitByNetworkZonesForDst ("split rule if objects in Dst belong to different network zones " ) ); if (ipv6) add( new DropIPv4Rules("drop ipv4 rules")); else add( new DropIPv6Rules("drop ipv6 rules")); add( new dropRuleWithEmptyRE("drop 
rules with empty rule elements")); add( new checkForUnnumbered("check for unnumbered interfaces")); if ( ! supports_object_groups) add( new addressRanges("process address ranges")); add( new mirrorRule("Add mirrored rules")); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new setInterfaceAndDirectionBySrc( "Set interface and direction for rules with interface 'all' using SRC")); add( new setInterfaceAndDirectionByDst( "Set interface and direction for rules with interface 'all' using DST")); add( new setInterfaceAndDirectionIfInterfaceSet( "Set direction for rules with interface not 'all'")); add( new specialCaseWithDynInterface( "check for a special cases with dynamic interface" ) ); // first arg is true because we use "ip access-list" for IOS. add( new pickACL( true, "assign ACLs" ) ); add( new SpecialServices( "check for special services" ) ); add( new CheckForUnsupportedUserService("check for user service") ); add( new checkForZeroAddr( "check for zero addresses" ) ); add( new checkForDynamicInterface("check for dynamic interfaces" ) ); /* remove redundant objects only after all splits has been * done, right before object groups are created */ add( new removeRedundantAddressesFromSrc( "remove redundant addresses from Src") ); add( new removeRedundantAddressesFromDst( "remove redundant addresses from Dst") ); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); if (supports_object_groups) { // "object-group service" does not seem to support // matching of tcp flags and "established". 
Need to // separate objects using these into separate rules to avoid // object-group add( new splitTCPServiceWithFlags( "separate TCP service with tcp flags")); add( new CreateObjectGroupsForSrc("create object groups for Src", named_objects_manager)); add( new CreateObjectGroupsForDst("create object groups for Dst", named_objects_manager)); add( new CreateObjectGroupsForSrv("create object groups for Srv", named_objects_manager)); } else { add( new ConvertToAtomic ("convert to atomic rules" ) ); } add( new simplePrintProgress()); add( new createNewCompilerPass("Creating object groups and ACLs")); // This processor prints each ACL separately in one block. // It adds comments inside to denote original rules. // add( new PrintCompleteACLs("Print ACLs")); add( new simplePrintProgress()); runRuleProcessors(); } string PolicyCompiler_iosacl::printAccessGroupCmd(ciscoACL *acl, bool neg) { ostringstream str; string addr_family_prefix = "ip"; if (ipv6) addr_family_prefix = "ipv6"; if (getSourceRuleSet()->isTop()) { string dir; if (acl->direction()=="in" || acl->direction()=="Inbound") dir="in"; if (acl->direction()=="out" || acl->direction()=="Outbound") dir="out"; str << "interface " << acl->getInterface()->getName() << endl; if (neg) str << " no"; str << " " << addr_family_prefix << " "; str << getAccessGroupCommandForAddressFamily(ipv6); str << " " << acl->workName() << " " << dir << endl; str << "exit" << endl; } return str.str(); } void PolicyCompiler_iosacl::epilog() { output << endl; for (map::iterator i=acls.begin(); i!=acls.end(); ++i) { ciscoACL *acl=(*i).second; if (acl->size()!=0) output << printAccessGroupCmd(acl, false); } output << endl; if ( fw->getOptionsObject()->getBool("iosacl_regroup_commands") ) { info(" Regrouping commands"); regroup(); } } string PolicyCompiler_iosacl::getAccessGroupCommandForAddressFamily(bool ipv6) { if (ipv6) return "traffic-filter"; return "access-group"; } string PolicyCompiler_iosacl::printClearCommands() { ostringstream output; 
string version = fw->getStr("version"); string platform = fw->getStr("platform"); string xml_element = "clear_ip_acl"; if (ipv6) xml_element = "clear_ipv6_acl"; string clearACLCmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/iosacl_commands/" + xml_element); assert( !clearACLCmd.empty()); // No need to output "clear" commands in single rule compile mode if ( fw->getOptionsObject()->getBool("iosacl_acl_basic") || fw->getOptionsObject()->getBool("iosacl_acl_substitution")) { for (map::iterator i=acls.begin(); i!=acls.end(); ++i) { ciscoACL *acl = (*i).second; output << clearACLCmd << " " << acl->workName() << endl; } } return output.str(); } fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_iosacl.h000066400000000000000000000244151303637203600226740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICYCOMPILER_IOSACL_HH #define __POLICYCOMPILER_IOSACL_HH #include #include "fwcompiler/PolicyCompiler.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "Helper.h" #include "ACL.h" #include "PolicyCompiler_cisco.h" #include namespace libfwbuilder { class IPService; class ICMPService; class TCPService; class UDPService; class RuleElementSrc; class RuleElementDst; class RuleElementSrv; class Group; }; namespace fwcompiler { class PolicyCompiler_iosacl : public PolicyCompiler_cisco { protected: std::string comment_symbol; /** * dynamic interfaces can not be used in policy rules in IOS ACLs */ friend class checkForDynamicInterface; class checkForDynamicInterface : public PolicyRuleProcessor { bool findDynamicInterface(libfwbuilder::PolicyRule *rule, libfwbuilder::RuleElement *re); public: checkForDynamicInterface(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; /* ************************************************************************* * * the following rule processors are intended for IOSACL < 7.0 * the code is in the module PolicyCompiler_iosacl_v6_acls.cpp * ************************************************************************* */ /** * verifies combination of interface and direction and * fills interface and direction. After this predicate it * is guaranteed that both interface and direction have * some value. In certain situations interface ID may be * set to "nil" though (e.g. global policy rules). */ DECLARE_POLICY_RULE_PROCESSOR( InterfaceAndDirection_v6 ); /** * if interface has not been defined (this is global policy * rule), then multiply the rule for each interface and set * direction to "Inbound" */ DECLARE_POLICY_RULE_PROCESSOR( assignRuleToInterface_v6 ); /** * split rules with direction "both". 
* TODO: This is used in OpenBSD pf. Move to class PolicyCompiler */ DECLARE_POLICY_RULE_PROCESSOR( SplitDirection_v6 ); /** * in IOSACL, ACLs are always applied on interface and direction * can only be "inbound". We emulate outbound ACLs though. */ DECLARE_POLICY_RULE_PROCESSOR( EmulateOutboundACL_v6 ); /** * determine acl rules should belong to */ DECLARE_POLICY_RULE_PROCESSOR( pickACL_v6 ); friend class PolicyCompiler_iosacl::pickACL_v6; /* ************************************************************************* * * end of module PolicyCompiler_iosacl_v6_acls.cpp * ************************************************************************* */ /* ************************************************************************* * * rule processors intended to manage ACLs for IOSACL < 7.0 are inherited * from PolicyCompiler_cisco. * The code is in the module PolicyCompiler_cisco_acls.cpp * * The processors assume that all objects in src and dst * belong to the same network zone (respectively) * * All these rule processors assume outbound ACLs are supported. * Check corresponding capability flag and do not include these * processors in the processors chain in iosacl.cpp if outbound acls * are not supported. * ************************************************************************* */ /** * this processor checks for the services which require * special treatment. Some of these will be checking for * source or destination object as well because special * command may need to be generated in case source or * destination is a firewall itself. Therefore this processor * should be called after converting to atomic rules, but * before interface addresses in source and destination are * expanded. 
*/ DECLARE_POLICY_RULE_PROCESSOR( SpecialServices ); friend class PolicyCompiler_iosacl::SpecialServices; /** * to implement action "Reject" add command "service resetinbound" */ DECLARE_POLICY_RULE_PROCESSOR( RejectAction ); friend class PolicyCompiler_iosacl::RejectAction; /** * Implements "mirrored" rules */ class mirrorRule : public PolicyRuleProcessor { void duplicateRuleElement(libfwbuilder::RuleElement *re1, libfwbuilder::RuleElement *re2); public: mirrorRule(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class PolicyCompiler_iosacl::mirrorRule; /** * this processor accumulates all rules fed to it by previous * * processors, prints commands to clear access-lists, then * feeds all rules to the next processor. Usually this * processor is in chain right before PrintRules. * * We use this processor to print "clear" commands because * they need to be generated when all access lists have been * created but before they are printed. */ class ClearACLs : public PolicyRuleProcessor { public: ClearACLs(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class PolicyCompiler_iosacl::ClearACLs; /** * "object-group service" does not seem to support matching of * tcp flags and "established". Need to separate objects using * these into separate rules to avoid object-group */ DECLARE_POLICY_RULE_PROCESSOR(splitTCPServiceWithFlags); friend class PolicyCompiler_iosacl::splitTCPServiceWithFlags; /** * this processor prints single policy rule, assuming all * groups have been expanded, so source, destination and * service hold exactly one object each, and this object is * not a group. Negation should also have been taken care of * before this method is called. 
*/ class PrintRule : public PolicyRuleProcessor { protected: std::string current_rule_label1; std::map current_rule_label2; int aclLineCounter; std::string _printPortRangeOp(int rs, int re); std::string getTcpFlagName(const libfwbuilder::TCPService::TCPFlag f); std::string _printSrcService(libfwbuilder::Service *srv); std::string _printDstService(libfwbuilder::Service *srv); std::string _printAddr(libfwbuilder::Address *o); std::string _printProtocol(libfwbuilder::Service *srv); std::string _printTCPFlags(libfwbuilder::TCPService *srv); std::string _printAction(libfwbuilder::PolicyRule *r); std::string _printACL(libfwbuilder::PolicyRule *r); std::string _printLog(libfwbuilder::PolicyRule *r); std::string _printIPServiceOptions(libfwbuilder::PolicyRule *r); std::string _printRule(libfwbuilder::PolicyRule *rule); public: PrintRule(const std::string &name) : PolicyRuleProcessor(name) { aclLineCounter=0; } virtual bool processNext(); }; friend class PolicyCompiler_iosacl::PrintRule; /** * this processor accumulates all rules fed to it by previous * * processors, prints commands to clear access-lists, then * generates commands for the new ACLs. 
* */ class PrintCompleteACLs : public PrintRule { public: PrintCompleteACLs(const std::string &n) : PrintRule(n) {} virtual bool processNext(); struct printRulesForACL : public std::unary_function { ciscoACL *acl; std::stringstream *output; PolicyCompiler_iosacl *iosacl_comp; PolicyCompiler_iosacl::PrintCompleteACLs *print_acl_p; printRulesForACL(PolicyCompiler_iosacl *_comp, PolicyCompiler_iosacl::PrintCompleteACLs *pp, ciscoACL* _acl, std::stringstream *_out) { iosacl_comp = _comp; print_acl_p = pp; acl = _acl; output = _out; } // print rule if it belongs to ACL void operator() (libfwbuilder::Rule* x); }; friend struct PrintCompleteACLs::printRulesForACL; }; friend class PolicyCompiler_iosacl::PrintCompleteACLs;; bool resetinbound; bool fragguard; protected: virtual std::string myPlatformName(); virtual std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false); public: PolicyCompiler_iosacl(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf); virtual ~PolicyCompiler_iosacl() {} virtual int prolog(); virtual void compile(); virtual void epilog(); virtual std::string printClearCommands(); static std::string getAccessGroupCommandForAddressFamily(bool ipv6); }; } #endif fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_iosacl_writers.cpp000066400000000000000000000433471303637203600250130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PolicyCompiler_iosacl.h" #include "IOSObjectGroup.h" #include "NamedObjectsAndGroupsSupport.h" #include "PortRangeConverter.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Network.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; bool PolicyCompiler_iosacl::ClearACLs::processNext() { PolicyCompiler_iosacl *iosacl_comp=dynamic_cast(compiler); string vers = compiler->fw->getStr("version"); string platform = compiler->fw->getStr("platform"); string clearACLcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/")+ "version_"+vers+"/iosacl_commands/clear_acl"); slurp(); if (tmp_queue.size()==0) return false; if ( compiler->fw->getOptionsObject()->getBool("iosacl_acl_basic") ) { compiler->output << clearACLcmd << endl; } if (compiler->fw->getOptionsObject()->getBool("iosacl_acl_substitution")) { for (map::iterator i=iosacl_comp->acls.begin(); i!=iosacl_comp->acls.end(); ++i) { ciscoACL *acl=(*i).second; compiler->output << clearACLcmd << " " << acl->workName() << endl; } compiler->output << endl; } if ( 
!compiler->fw->getOptionsObject()->getBool("iosacl_acl_no_clear") ) { string clearICMPcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/")+ "version_"+vers+"/iosacl_commands/clear_icmp"); string clearTelnetcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/")+ "version_"+vers+"/iosacl_commands/clear_telnet"); string clearSSHcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/")+ "version_"+vers+"/iosacl_commands/clear_ssh"); //compiler->output << clearICMPcmd << endl; //compiler->output << clearTelnetcmd << endl; //compiler->output << clearSSHcmd << endl; } return true; } void PolicyCompiler_iosacl::PrintCompleteACLs::printRulesForACL::operator()( Rule* rule) { // print rule if it belongs to ACL PolicyRule *prule = PolicyRule::cast(rule); string acl_name = prule->getStr("acl"); assert (acl_name!=""); ciscoACL *rule_acl = iosacl_comp->acls[acl_name]; assert(rule_acl!=NULL); if (acl == rule_acl) { *output << print_acl_p->_printRule(prule); } } bool PolicyCompiler_iosacl::PrintCompleteACLs::processNext() { PolicyCompiler_iosacl *iosacl_comp=dynamic_cast(compiler); slurp(); if (tmp_queue.size()==0) return false; string addr_family_prefix = "ip"; if (iosacl_comp->ipv6) addr_family_prefix = "ipv6"; for (map::iterator i=iosacl_comp->acls.begin(); i!=iosacl_comp->acls.end(); ++i) { ciscoACL *acl=(*i).second; compiler->output << addr_family_prefix << " access-list "; if (!iosacl_comp->ipv6) compiler->output << "extended "; compiler->output<< acl->workName() << endl; std::for_each(tmp_queue.begin(), tmp_queue.end(), printRulesForACL(iosacl_comp, this, acl, &(compiler->output))); compiler->output << "exit" << endl; compiler->output << endl; } return true; } string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule) { PolicyCompiler_iosacl *iosacl_comp = dynamic_cast(compiler); string platform = 
compiler->fw->getStr("platform"); //FWOptions *ruleopt =rule->getOptionsObject(); bool write_comments = compiler->fw->getOptionsObject()->getBool( platform + "_include_comments"); ostringstream ruleout; ostringstream aclstr; if (write_comments) compiler->output << compiler->printComment( rule, current_rule_label1, iosacl_comp->comment_symbol); /* * all three rule elements contain exactly one object, which can * be either group (in case processor CreateObjectGroups created * object group for it) or a regular object */ RuleElementSrc *src=rule->getSrc(); RuleElementDst *dst=rule->getDst(); RuleElementSrv *srv=rule->getSrv(); assert(src->size()==1); assert(dst->size()==1); assert(srv->size()==1); FWObject *srcobj = src->front(); FWObject *dstobj = dst->front(); FWObject *srvobj = srv->front(); assert(srcobj); assert(dstobj); assert(srvobj); if (FWReference::cast(srcobj)!=NULL) { srcobj=FWReference::cast(srcobj)->getPointer(); assert(srcobj); } if (FWReference::cast(dstobj)!=NULL) { dstobj=FWReference::cast(dstobj)->getPointer(); assert(dstobj); } if (FWReference::cast(srvobj)!=NULL) { srvobj=FWReference::cast(srvobj)->getPointer(); assert(srvobj); } string acl_name=rule->getStr("acl"); assert (acl_name!=""); ciscoACL *acl = iosacl_comp->acls[acl_name]; assert(acl!=NULL); /* * Assemble ACL command in aclstr */ aclstr << _printAction(rule); IOSObjectGroup *pgsrc = IOSObjectGroup::cast(srcobj); IOSObjectGroup *pgdst = IOSObjectGroup::cast(dstobj); IOSObjectGroup *pgsrv = IOSObjectGroup::cast(srvobj); /* * Possible configurations: * * permit object-group service_group object-group src_grp object-group dst_grp * permit object-group service_group SRC_SPEC DST_SPEC * permit SRC_SPEC DST_SPEC * * Where SRC_SPEC and DST_SPEC are * obejct-group network_group * or traidtional

* */ if ( pgsrv!=NULL && pgsrv->isServiceGroup()) { aclstr << "object-group " << pgsrv->getName(); aclstr << " "; if ( pgsrc!=NULL && pgsrc->isObjectGroup()) { aclstr << "object-group " << pgsrc->getName(); aclstr << " "; } else { aclstr << _printAddr( compiler->getFirstSrc(rule) ); } if ( pgdst!=NULL && pgdst->isObjectGroup()) { aclstr << "object-group " << pgdst->getName(); aclstr << " "; } else { aclstr << _printAddr( compiler->getFirstDst(rule) ); } } else { // Service is not object group aclstr << _printProtocol(Service::cast(srvobj)); aclstr << " "; if ( pgsrc!=NULL && pgsrc->isObjectGroup()) { aclstr << "object-group " << pgsrc->getName(); aclstr << " "; } else { aclstr << _printAddr( compiler->getFirstSrc(rule) ); } aclstr << _printSrcService( compiler->getFirstSrv(rule) ); if ( pgdst!=NULL && pgdst->isObjectGroup()) { aclstr << "object-group " << pgdst->getName(); aclstr << " "; } else { aclstr << _printAddr( compiler->getFirstDst(rule) ); } aclstr << _printDstService( compiler->getFirstSrv(rule) ); } aclstr << _printLog( rule ); // "fragments" should be the last option in the access-list command aclstr << _printIPServiceOptions(rule); // Note that option "use_acl_remarks" is set in prolog() because // we use different options for this function in GUI dialogs for // iosacl and procurve. This is historical. 
if (compiler->fw->getOptionsObject()->getBool("use_acl_remarks")) { ruleout << acl->addRemark(rule->getLabel(), rule->getComment()); } ruleout << acl->addLine(aclstr.str()); return ruleout.str(); } string PolicyCompiler_iosacl::PrintRule::_printAction(PolicyRule *rule) { ostringstream str; switch (rule->getAction()) { case PolicyRule::Accept: str << "permit "; break; case PolicyRule::Deny: str << "deny "; break; case PolicyRule::Reject: str << "deny "; break; default: str << rule->getActionAsString() << " "; } return str.str(); } string PolicyCompiler_iosacl::PrintRule::_printACL(PolicyRule *rule) { // PolicyCompiler_iosacl *iosacl_comp=dynamic_cast(compiler); string acl_name=rule->getStr("acl"); assert (acl_name!=""); return acl_name+" "; } string PolicyCompiler_iosacl::PrintRule::_printLog(PolicyRule *rule) { if (rule->getLogging()) { FWOptions *ruleopt =rule->getOptionsObject(); if (ruleopt->getBool("iosacl_log_input")) return "log-input "; return "log "; } return ""; } string PolicyCompiler_iosacl::PrintRule::_printPortRangeOp(int rs, int re) { return PortRangeConverter(rs, re).toString(); } string PolicyCompiler_iosacl::PrintRule::_printSrcService(Service *srv) { if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs = TCPUDPService::cast(srv)->getSrcRangeStart(); int re = TCPUDPService::cast(srv)->getSrcRangeEnd(); return _printPortRangeOp(rs, re); } return ""; } string PolicyCompiler_iosacl::PrintRule::_printIPServiceOptions(PolicyRule *r) { Service *srv = compiler->getFirstSrv(r); const IPService *ip; if ((ip=IPService::constcast(srv))!=NULL) { string version = compiler->fw->getStr("version"); if (srv->getBool("fragm") || srv->getBool("short_fragm")) return "fragments "; if (ip->hasIpOptions() && XMLTools::version_compare(version, "12.4")<0) compiler->abort(r, "IP options match requires IOS v12.4 or later."); if (ip->getBool("lsrr")) return "option lsr"; if (ip->getBool("ssrr")) return "option ssr"; if (ip->getBool("rr")) return "option record-route"; 
if (ip->getBool("rtralt")) return "option router-alert"; if (ip->getBool("any_opt")) return "option any-options "; string tos = ip->getTOSCode(); string dscp = ip->getDSCPCode(); if (!dscp.empty()) return string("dscp ") + dscp; else if (!tos.empty()) return string("tos ") + tos; } return ""; } string PolicyCompiler_iosacl::PrintRule::_printDstService(Service *srv) { ostringstream str; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs = TCPUDPService::cast(srv)->getDstRangeStart(); int re = TCPUDPService::cast(srv)->getDstRangeEnd(); str << _printPortRangeOp(rs, re); } if (TCPService::isA(srv)) { if (srv->getBool("established")) str << "established "; else str << _printTCPFlags(TCPService::cast(srv)); } if ((ICMPService::isA(srv) || ICMP6Service::isA(srv)) && srv->getInt("type")!=-1) { str << srv->getStr("type") << " "; } if (CustomService::isA(srv)) str << CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName() ) << " "; return str.str(); } string PolicyCompiler_iosacl::PrintRule::getTcpFlagName(const TCPService::TCPFlag f) { switch (f) { case TCPService::URG: return "urg"; case TCPService::ACK: return "ack"; case TCPService::PSH: return "psh"; case TCPService::RST: return "rst"; case TCPService::SYN: return "syn"; case TCPService::FIN: return "fin"; default: return ""; } return ""; } string PolicyCompiler_iosacl::PrintRule::_printTCPFlags(TCPService *srv) { if (srv->inspectFlags()) { // We check the version and call compiler->abort() if its // wrong in SpecialServices rule processor. Here we should just execute. 
string version = compiler->fw->getStr("version"); if (XMLTools::version_compare(version, "12.4")>=0) { std::set flags = srv->getAllTCPFlags(); std::set masks = srv->getAllTCPFlagMasks(); std::set::iterator mit = masks.begin(); QStringList match_specs; for (; mit!=masks.end(); mit++) { if (flags.count(*mit) > 0) match_specs.push_back(QString("+%1").arg(getTcpFlagName(*mit).c_str())); else match_specs.push_back(QString("-%1").arg(getTcpFlagName(*mit).c_str())); } if (!match_specs.empty()) match_specs.push_front("match-all"); return match_specs.join(" ").toStdString() + " "; } } return ""; } string PolicyCompiler_iosacl::PrintRule::_printProtocol(Service *srv) { PolicyCompiler_iosacl *iosacl_comp = dynamic_cast( compiler); string addr_family_prefix = "ip "; if (iosacl_comp->ipv6) addr_family_prefix = "ipv6 "; string proto = srv->getProtocolName(); if (ICMP6Service::isA(srv)) proto = "icmp"; if (CustomService::isA(srv)) { // special case standard CusctomService objects "ESTABLISHED" // and "ESTABLISHED ipv6": these require protocol "tcp" but // protocol is set in the Custom Service object for all // platforms at once, so we can't have protocol defined only // for iosacl to be used here. 
string srv_code = CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName()); if (srv_code == "established") proto = "tcp"; } if (proto=="ip") return addr_family_prefix; return proto + " "; } string PolicyCompiler_iosacl::PrintRule::_printAddr(Address *o) { PolicyCompiler_iosacl *iosacl_comp = dynamic_cast(compiler); if (Interface::cast(o)!=NULL) { Interface *interface_ = Interface::cast(o); if (interface_->isDyn()) { return string("interface ") + interface_->getLabel() + " "; } } ostringstream str; const InetAddr *srcaddr = o->getAddressPtr(); if (srcaddr) { const InetAddr *nm = o->getNetmaskPtr(); InetAddr srcmask; if (nm != NULL) { srcmask = *nm; } else { cerr << "Address object " << o << " " << o->getName() << " (" << o->getTypeName() << ") " << " has no netmask" << endl; srcmask = InetAddr(InetAddr::getAllOnes(srcaddr->addressFamily())); } // const InetAddr srcmask = *(o->getNetmaskPtr()); if (srcaddr->isAny() && srcmask.isAny()) { str << "any "; } else { if (Interface::cast(o)==NULL && Interface::cast(o->getParent())==NULL && o->dimension() > 1 && !srcmask.isHostMask()) { if (iosacl_comp->ipv6) { str << srcaddr->toString() << "/" << srcmask.getLength() << " "; } else { str << srcaddr->toString() << " "; // cisco uses "wildcards" instead of netmasks //long nm = srcmask.to32BitInt(); //struct in_addr na; //na.s_addr = ~nm; InetAddr nnm( ~srcmask ); str << nnm.toString() << " "; } } else { str << "host " << srcaddr->toString() << " "; } } return str.str(); } ostringstream errstr; errstr << "Object " << o->getName() << " (id=" << o->getId() << ") " << " has no ip address and can not be used " << "in the rule."; compiler->abort(errstr.str()); return ""; // to make compiler happy } /* * the following additional attributes should have been defined by now: * * "acl" - string, name of the access list * choices are: outside-in, outside-out, inside-in, indside-out, * dmz-in, dmz-out etc. 
* General rule for the acl name: "iface_name-{in,out}" */ bool PolicyCompiler_iosacl::PrintRule::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); compiler->output << _printRule(rule); return true; } fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_nxosacl.cpp000066400000000000000000000427011303637203600234220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "PolicyCompiler_nxosacl.h" #include "NamedObjectsAndGroupsSupport.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Management.h" #include "fwbuilder/Network.h" #include "fwbuilder/ObjectMirror.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_nxosacl::myPlatformName() { return "nxosacl"; } PolicyCompiler_nxosacl::PolicyCompiler_nxosacl(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf) : PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf) { resetinbound = false; fragguard = false; comment_symbol = "!"; } int PolicyCompiler_nxosacl::prolog() { string version = fw->getStr("version"); string platform = fw->getStr("platform"); string host_os = fw->getStr("host_OS"); if (platform!="nxosacl") abort("Unsupported platform " + platform ); fw->getOptionsObject()->setBool("generate_out_acl", true); fw->getOptionsObject()->setBool( "use_acl_remarks", fw->getOptionsObject()->getBool("nxosacl_use_acl_remarks")); // object_groups = new Group(); // persistent_objects->add( object_groups ); setAllNetworkZonesToNone(); return PolicyCompiler::prolog(); } bool PolicyCompiler_nxosacl::checkForDynamicInterface::findDynamicInterface( PolicyRule *rule, RuleElement *rel) { string vers=compiler->fw->getStr("version"); for (list::iterator i1=rel->begin(); i1!=rel->end(); ++i1) { FWObject *o = *i1; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) 
obj=FWReference::cast(o)->getPointer(); Interface *iface=Interface::cast(obj); if (iface!=NULL && iface->isDyn()) compiler->abort( rule, "Dynamic interface can not be used in the NXOS ACL rules."); } return true; } bool PolicyCompiler_nxosacl::checkForDynamicInterface::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; findDynamicInterface(rule,rule->getSrc()); findDynamicInterface(rule,rule->getDst()); tmp_queue.push_back(rule); return true; } /* * Copy all references from rule element re1 to rule element re2. */ void PolicyCompiler_nxosacl::mirrorRule::duplicateRuleElement( RuleElement *re1, RuleElement *re2) { re2->clearChildren(); for (list::iterator i1=re1->begin(); i1!=re1->end(); ++i1) { FWObject *obj = FWReference::getObject(*i1); re2->addRef(obj); } } bool PolicyCompiler_nxosacl::mirrorRule::processNext() { //PolicyCompiler_nxosacl *nxosacl_comp=dynamic_cast(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; if (rule->getOptionsObject()->getBool("nxosacl_add_mirror_rule")) { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setAction(rule->getAction()); switch (rule->getDirection()) { case PolicyRule::Inbound: r->setDirection(PolicyRule::Outbound); break; case PolicyRule::Outbound: r->setDirection(PolicyRule::Inbound); break; default: r->setDirection(PolicyRule::Both); break; } RuleElementSrc *osrc = rule->getSrc(); RuleElementDst *odst = rule->getDst(); RuleElementSrv *osrv = rule->getSrv(); RuleElementItf *oitf = rule->getItf(); RuleElementSrc *nsrc = r->getSrc(); RuleElementDst *ndst = r->getDst(); RuleElementSrv *nsrv = r->getSrv(); RuleElementItf *nitf = r->getItf(); duplicateRuleElement(osrc, ndst); duplicateRuleElement(odst, nsrc); duplicateRuleElement(oitf, nitf); if (!osrv->isAny()) { ObjectMirror mirror; nsrv->clearChildren(); for (list::iterator i1=osrv->begin(); i1!=osrv->end(); ++i1) { Service *nobj = mirror.getMirroredService( 
Service::cast(FWReference::getObject(*i1))); if (nobj->getParent() == NULL) compiler->persistent_objects->add(nobj, false); nsrv->addRef(nobj); } } tmp_queue.push_back(r); } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_nxosacl::SpecialServices::processNext() { //PolicyCompiler_nxosacl *nxosacl_comp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; Service *s = compiler->getFirstSrv(rule); if (IPService::cast(s)!=NULL) { if (s->getBool("rr") || s->getBool("ssrr") || s->getBool("ts") ) compiler->abort( rule, "NXOS ACL does not support checking for IP options in ACLs."); } if (TCPService::cast(s)!=NULL && TCPService::cast(s)->inspectFlags()) { string version = compiler->fw->getStr("version"); if (XMLTools::version_compare(version, "12.4")<0) compiler->abort(rule, "TCP flags match requires NXOS v12.4 or later."); } tmp_queue.push_back(rule); return true; } /* * This rule processor is used to separate TCP service objects that * match tcp flags when generated config uses object-group clause */ bool PolicyCompiler_nxosacl::splitTCPServiceWithFlags::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srv = rule->getSrv(); if (srv->size() > 1) { std::list cl; for (list::iterator i1=srv->begin(); i1!=srv->end(); ++i1) { FWObject *o = *i1; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Service *s=Service::cast(obj); assert(s!=NULL); TCPService *tcp_srv = TCPService::cast(s); if (tcp_srv && (tcp_srv->inspectFlags() || tcp_srv->getEstablished())) cl.push_back(s); } while (!cl.empty()) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementSrv *nsrv = r->getSrv(); nsrv->clearChildren(); nsrv->addRef( cl.front() ); tmp_queue.push_back(r); srv->removeRef( cl.front() ); cl.pop_front(); } if (srv->size()>0) tmp_queue.push_back(rule); } else tmp_queue.push_back(rule); return true; } void 
PolicyCompiler_nxosacl::compile() { string banner = " Compiling ruleset " + getSourceRuleSet()->getName(); if (ipv6) banner += ", IPv6"; info(banner); string version = fw->getStr("version"); bool supports_object_groups = XMLTools::version_compare(version, "12.4")>=0 && fw->getOptionsObject()->getBool("nxosacl_use_object_groups") && ! ipv6; string vers = fw->getStr("version"); string platform = fw->getStr("platform"); Compiler::compile(); if ( fw->getOptionsObject()->getBool ("check_shading") && ! inSingleRuleCompileMode()) { add( new Begin("Detecting rule shadowing" ) ); add( new printTotalNumberOfRules()); add( new ItfNegation("process negation in Itf" ) ); add( new InterfacePolicyRules( "process interface policy rules and store interface ids")); add( new recursiveGroupsInSrc("check for recursive groups in SRC")); add( new recursiveGroupsInDst("check for recursive groups in DST")); add( new recursiveGroupsInSrv("check for recursive groups in SRV")); add( new ExpandGroups("expand groups")); add( new dropRuleWithEmptyRE( "drop rules with empty rule elements")); add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC")); add( new eliminateDuplicatesInDST("eliminate duplicates in DST")); add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV")); add( new ExpandMultipleAddressesInSrc( "expand objects with multiple addresses in SRC" ) ); add( new ExpandMultipleAddressesInDst( "expand objects with multiple addresses in DST" ) ); add( new dropRuleWithEmptyRE( "drop rules with empty rule elements")); add( new mirrorRule("Add mirrored rules")); add( new ConvertToAtomic("convert to atomic rules" ) ); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add( new DetectShadowing("Detect shadowing" ) ); add( new simplePrintProgress() ); runRuleProcessors(); deleteRuleProcessors(); } add( new Begin (" Start processing rules" ) ); add( new printTotalNumberOfRules ( ) ); add( new singleRuleFilter()); add( new 
recursiveGroupsInSrc( "check for recursive groups in SRC" ) ); add( new recursiveGroupsInDst( "check for recursive groups in DST" ) ); add( new recursiveGroupsInSrv( "check for recursive groups in SRV" ) ); add( new emptyGroupsInSrc( "check for empty groups in SRC" ) ); add( new emptyGroupsInDst( "check for empty groups in DST" ) ); add( new emptyGroupsInSrv( "check for empty groups in SRV" ) ); add( new ExpandGroups ("expand groups" ) ); add( new dropRuleWithEmptyRE( "drop rules with empty rule elements")); add( new eliminateDuplicatesInSRC( "eliminate duplicates in SRC" ) ); add( new eliminateDuplicatesInDST( "eliminate duplicates in DST" ) ); add( new eliminateDuplicatesInSRV( "eliminate duplicates in SRV" ) ); add( new processMultiAddressObjectsInSrc( "process MultiAddress objects in Src") ); add( new processMultiAddressObjectsInDst( "process MultiAddress objects in Dst") ); add( new expandGroupsInItf("expand groups in Interface" )); add( new replaceClusterInterfaceInItf( "replace cluster interfaces with member interfaces in the Interface rule element")); add( new ItfNegation( "process negation in Itf" ) ); add( new InterfacePolicyRules( "process interface policy rules and store interface ids") ); add( new groupServicesByProtocol ("split rules with different protocols" ) ); add( new ExpandMultipleAddressesInSrc( "expand objects with multiple addresses in SRC" ) ); add( new MACFiltering ("check for MAC address filtering" ) ); // add( new splitByNetworkZonesForSrc ("split rule if objects in Src belong to different network zones " ) ); // add( new replaceFWinDSTPolicy ("replace fw with its interface in DST in global policy rules") ); add( new ExpandMultipleAddressesInDst( "expand objects with multiple addresses in DST" ) ); add( new MACFiltering( "check for MAC address filtering" ) ); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); // add( new splitByNetworkZonesForDst ("split rule if objects in Dst belong to different network zones " ) ); if 
(ipv6) add( new DropIPv4Rules("drop ipv4 rules")); else add( new DropIPv6Rules("drop ipv6 rules")); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new checkForUnnumbered("check for unnumbered interfaces")); if ( ! supports_object_groups) add( new addressRanges("process address ranges")); add( new mirrorRule("Add mirrored rules")); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new setInterfaceAndDirectionBySrc( "Set interface and direction for rules with interface 'all' using SRC")); add( new setInterfaceAndDirectionByDst( "Set interface and direction for rules with interface 'all' using DST")); add( new setInterfaceAndDirectionIfInterfaceSet( "Set direction for rules with interface not 'all'")); add( new specialCaseWithDynInterface( "check for a special cases with dynamic interface" ) ); // first arg is true because we use "ip access-list" for NXOS. add( new pickACL( true, "assign ACLs" ) ); add( new SpecialServices( "check for special services" ) ); add( new CheckForUnsupportedUserService("check for user service") ); add( new checkForZeroAddr( "check for zero addresses" ) ); add( new checkForDynamicInterface("check for dynamic interfaces" ) ); /* remove redundant objects only after all splits has been * done, right before object groups are created */ add( new removeRedundantAddressesFromSrc( "remove redundant addresses from Src") ); add( new removeRedundantAddressesFromDst( "remove redundant addresses from Dst") ); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); if (supports_object_groups) { // "object-group service" does not seem to support // matching of tcp flags and "established". 
Need to // separate objects using these into separate rules to avoid // object-group add( new splitTCPServiceWithFlags( "separate TCP service with tcp flags")); add( new CreateObjectGroupsForSrc("create object groups for Src", named_objects_manager)); add( new CreateObjectGroupsForDst("create object groups for Dst", named_objects_manager)); add( new CreateObjectGroupsForSrv("create object groups for Srv", named_objects_manager)); } else { add( new ConvertToAtomic ("convert to atomic rules" ) ); } add( new simplePrintProgress()); add( new createNewCompilerPass("Creating object groups and ACLs")); // This processor prints each ACL separately in one block. // It adds comments inside to denote original rules. // add( new PrintCompleteACLs("Print ACLs")); add( new simplePrintProgress()); runRuleProcessors(); } string PolicyCompiler_nxosacl::printAccessGroupCmd(ciscoACL *acl, bool neg) { ostringstream str; string addr_family_prefix = "ip"; if (ipv6) addr_family_prefix = "ipv6"; if (getSourceRuleSet()->isTop()) { string dir; if (acl->direction()=="in" || acl->direction()=="Inbound") dir="in"; if (acl->direction()=="out" || acl->direction()=="Outbound") dir="out"; str << "interface " << acl->getInterface()->getName() << endl; if (neg) str << " no"; str << " " << addr_family_prefix << " "; str << getAccessGroupCommandForAddressFamily(ipv6); str << " " << acl->workName() << " " << dir << endl; str << "exit" << endl; } return str.str(); } void PolicyCompiler_nxosacl::epilog() { output << endl; for (map::iterator i=acls.begin(); i!=acls.end(); ++i) { ciscoACL *acl=(*i).second; if (acl->size()!=0) output << printAccessGroupCmd(acl, false); } output << endl; if ( fw->getOptionsObject()->getBool("nxosacl_regroup_commands") ) { info(" Regrouping commands"); regroup(); } } string PolicyCompiler_nxosacl::getAccessGroupCommandForAddressFamily(bool ipv6) { if (ipv6) return "traffic-filter"; return "access-group"; } string PolicyCompiler_nxosacl::printClearCommands() { ostringstream 
output; string version = fw->getStr("version"); string platform = fw->getStr("platform"); string xml_element = "clear_ip_acl"; if (ipv6) xml_element = "clear_ipv6_acl"; string clearACLCmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/nxosacl_commands/" + xml_element); assert( !clearACLCmd.empty()); // No need to output "clear" commands in single rule compile mode if ( fw->getOptionsObject()->getBool("nxosacl_acl_basic") || fw->getOptionsObject()->getBool("nxosacl_acl_substitution")) { for (map::iterator i=acls.begin(); i!=acls.end(); ++i) { ciscoACL *acl = (*i).second; output << clearACLCmd << " " << acl->workName() << endl; } } return output.str(); } fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_nxosacl.h000066400000000000000000000244471303637203600230760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICYCOMPILER_NXOSACL_HH #define __POLICYCOMPILER_NXOSACL_HH #include #include "fwcompiler/PolicyCompiler.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "Helper.h" #include "ACL.h" #include "PolicyCompiler_cisco.h" #include namespace libfwbuilder { class IPService; class ICMPService; class TCPService; class UDPService; class RuleElementSrc; class RuleElementDst; class RuleElementSrv; class Group; }; namespace fwcompiler { class PolicyCompiler_nxosacl : public PolicyCompiler_cisco { protected: std::string comment_symbol; /** * dynamic interfaces can not be used in policy rules in NXOS ACLs */ friend class checkForDynamicInterface; class checkForDynamicInterface : public PolicyRuleProcessor { bool findDynamicInterface(libfwbuilder::PolicyRule *rule, libfwbuilder::RuleElement *re); public: checkForDynamicInterface(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; /* ************************************************************************* * * the following rule processors are intended for NXOSACL < 7.0 * the code is in the module PolicyCompiler_nxosacl_v6_acls.cpp * ************************************************************************* */ /** * verifies combination of interface and direction and * fills interface and direction. After this predicate it * is guaranteed that both interface and direction have * some value. In certain situations interface ID may be * set to "nil" though (e.g. global policy rules). */ DECLARE_POLICY_RULE_PROCESSOR( InterfaceAndDirection_v6 ); /** * if interface has not been defined (this is global policy * rule), then multiply the rule for each interface and set * direction to "Inbound" */ DECLARE_POLICY_RULE_PROCESSOR( assignRuleToInterface_v6 ); /** * split rules with direction "both". 
* TODO: This is used in OpenBSD pf. Move to class PolicyCompiler */ DECLARE_POLICY_RULE_PROCESSOR( SplitDirection_v6 ); /** * in NXOSACL, ACLs are always applied on interface and direction * can only be "inbound". We emulate outbound ACLs though. */ DECLARE_POLICY_RULE_PROCESSOR( EmulateOutboundACL_v6 ); /** * determine acl rules should belong to */ DECLARE_POLICY_RULE_PROCESSOR( pickACL_v6 ); friend class PolicyCompiler_nxosacl::pickACL_v6; /* ************************************************************************* * * end of module PolicyCompiler_nxosacl_v6_acls.cpp * ************************************************************************* */ /* ************************************************************************* * * rule processors intended to manage ACLs for NXOSACL < 7.0 are inherited * from PolicyCompiler_cisco. * The code is in the module PolicyCompiler_cisco_acls.cpp * * The processors assume that all objects in src and dst * belong to the same network zone (respectively) * * All these rule processors assume outbound ACLs are supported. * Check corresponding capability flag and do not include these * processors in the processors chain in nxosacl.cpp if outbound acls * are not supported. * ************************************************************************* */ /** * this processor checks for the services which require * special treatment. Some of these will be checking for * source or destination object as well because special * command may need to be generated in case source or * destination is a firewall itself. Therefore this processor * should be called after converting to atomic rules, but * before interface addresses in source and destination are * expanded. 
*/ DECLARE_POLICY_RULE_PROCESSOR( SpecialServices ); friend class PolicyCompiler_nxosacl::SpecialServices; /** * to implement action "Reject" add command "service resetinbound" */ DECLARE_POLICY_RULE_PROCESSOR( RejectAction ); friend class PolicyCompiler_nxosacl::RejectAction; /** * Implements "mirrored" rules */ class mirrorRule : public PolicyRuleProcessor { void duplicateRuleElement(libfwbuilder::RuleElement *re1, libfwbuilder::RuleElement *re2); public: mirrorRule(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class PolicyCompiler_nxosacl::mirrorRule; /** * this processor accumulates all rules fed to it by previous * * processors, prints commands to clear access-lists, then * feeds all rules to the next processor. Usually this * processor is in chain right before PrintRules. * * We use this processor to print "clear" commands because * they need to be generated when all access lists have been * created but before they are printed. */ class ClearACLs : public PolicyRuleProcessor { public: ClearACLs(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class PolicyCompiler_nxosacl::ClearACLs; /** * "object-group service" does not seem to support matching of * tcp flags and "established". Need to separate objects using * these into separate rules to avoid object-group */ DECLARE_POLICY_RULE_PROCESSOR(splitTCPServiceWithFlags); friend class PolicyCompiler_nxosacl::splitTCPServiceWithFlags; /** * this processor prints single policy rule, assuming all * groups have been expanded, so source, destination and * service hold exactly one object each, and this object is * not a group. Negation should also have been taken care of * before this method is called. 
*/ class PrintRule : public PolicyRuleProcessor { protected: std::string current_rule_label1; std::map current_rule_label2; int aclLineCounter; std::string _printPortRangeOp(int rs, int re); std::string getTcpFlagName(const libfwbuilder::TCPService::TCPFlag f); std::string _printSrcService(libfwbuilder::Service *srv); std::string _printDstService(libfwbuilder::Service *srv); std::string _printAddr(libfwbuilder::Address *o); std::string _printProtocol(libfwbuilder::Service *srv); std::string _printTCPFlags(libfwbuilder::TCPService *srv); std::string _printAction(libfwbuilder::PolicyRule *r); std::string _printACL(libfwbuilder::PolicyRule *r); std::string _printLog(libfwbuilder::PolicyRule *r); std::string _printIPServiceOptions(libfwbuilder::PolicyRule *r); std::string _printRule(libfwbuilder::PolicyRule *rule); public: PrintRule(const std::string &name) : PolicyRuleProcessor(name) { aclLineCounter=0; } virtual bool processNext(); }; friend class PolicyCompiler_nxosacl::PrintRule; /** * this processor accumulates all rules fed to it by previous * * processors, prints commands to clear access-lists, then * generates commands for the new ACLs. 
* */ class PrintCompleteACLs : public PrintRule { public: PrintCompleteACLs(const std::string &n) : PrintRule(n) {} virtual bool processNext(); struct printRulesForACL : public std::unary_function { ciscoACL *acl; std::stringstream *output; PolicyCompiler_nxosacl *nxosacl_comp; PolicyCompiler_nxosacl::PrintCompleteACLs *print_acl_p; printRulesForACL(PolicyCompiler_nxosacl *_comp, PolicyCompiler_nxosacl::PrintCompleteACLs *pp, ciscoACL* _acl, std::stringstream *_out) { nxosacl_comp = _comp; print_acl_p = pp; acl = _acl; output = _out; } // print rule if it belongs to ACL void operator() (libfwbuilder::Rule* x); }; friend struct PrintCompleteACLs::printRulesForACL; }; friend class PolicyCompiler_nxosacl::PrintCompleteACLs;; bool resetinbound; bool fragguard; protected: virtual std::string myPlatformName(); virtual std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false); public: PolicyCompiler_nxosacl(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf); virtual ~PolicyCompiler_nxosacl() {} virtual int prolog(); virtual void compile(); virtual void epilog(); virtual std::string printClearCommands(); static std::string getAccessGroupCommandForAddressFamily(bool ipv6); }; } #endif fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_nxosacl_writers.cpp000066400000000000000000000434521303637203600252050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PolicyCompiler_nxosacl.h" #include "NXOSObjectGroup.h" #include "NamedObjectsAndGroupsSupport.h" #include "PortRangeConverter.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Network.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; bool PolicyCompiler_nxosacl::ClearACLs::processNext() { PolicyCompiler_nxosacl *nxosacl_comp=dynamic_cast(compiler); string vers = compiler->fw->getStr("version"); string platform = compiler->fw->getStr("platform"); string clearACLcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/")+ "version_"+vers+"/nxosacl_commands/clear_acl"); slurp(); if (tmp_queue.size()==0) return false; if ( compiler->fw->getOptionsObject()->getBool("nxosacl_acl_basic") ) { compiler->output << clearACLcmd << endl; } if (compiler->fw->getOptionsObject()->getBool("nxosacl_acl_substitution")) { for (map::iterator i=nxosacl_comp->acls.begin(); i!=nxosacl_comp->acls.end(); ++i) { ciscoACL *acl=(*i).second; compiler->output << clearACLcmd << " " << acl->workName() << endl; } compiler->output << endl; } if ( 
!compiler->fw->getOptionsObject()->getBool("nxosacl_acl_no_clear") ) { string clearICMPcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/")+ "version_"+vers+"/nxosacl_commands/clear_icmp"); string clearTelnetcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/")+ "version_"+vers+"/nxosacl_commands/clear_telnet"); string clearSSHcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/")+ "version_"+vers+"/nxosacl_commands/clear_ssh"); //compiler->output << clearICMPcmd << endl; //compiler->output << clearTelnetcmd << endl; //compiler->output << clearSSHcmd << endl; } return true; } void PolicyCompiler_nxosacl::PrintCompleteACLs::printRulesForACL::operator()( Rule* rule) { // print rule if it belongs to ACL PolicyRule *prule = PolicyRule::cast(rule); string acl_name = prule->getStr("acl"); assert (acl_name!=""); ciscoACL *rule_acl = nxosacl_comp->acls[acl_name]; assert(rule_acl!=NULL); if (acl == rule_acl) { *output << print_acl_p->_printRule(prule); } } bool PolicyCompiler_nxosacl::PrintCompleteACLs::processNext() { PolicyCompiler_nxosacl *nxosacl_comp=dynamic_cast(compiler); slurp(); if (tmp_queue.size()==0) return false; string addr_family_prefix = "ip"; if (nxosacl_comp->ipv6) addr_family_prefix = "ipv6"; for (map::iterator i=nxosacl_comp->acls.begin(); i!=nxosacl_comp->acls.end(); ++i) { ciscoACL *acl=(*i).second; compiler->output << addr_family_prefix << " access-list "; // if (!nxosacl_comp->ipv6) compiler->output << "extended "; compiler->output<< acl->workName() << endl; std::for_each(tmp_queue.begin(), tmp_queue.end(), printRulesForACL(nxosacl_comp, this, acl, &(compiler->output))); compiler->output << "exit" << endl; compiler->output << endl; } return true; } string PolicyCompiler_nxosacl::PrintRule::_printRule(PolicyRule *rule) { PolicyCompiler_nxosacl *nxosacl_comp = dynamic_cast(compiler); string platform = 
compiler->fw->getStr("platform"); //FWOptions *ruleopt =rule->getOptionsObject(); bool write_comments = compiler->fw->getOptionsObject()->getBool( platform + "_include_comments"); ostringstream ruleout; ostringstream aclstr; if (write_comments) compiler->output << compiler->printComment( rule, current_rule_label1, nxosacl_comp->comment_symbol); /* * all three rule elements contain exactly one object, which can * be either group (in case processor CreateObjectGroups created * object group for it) or a regular object */ RuleElementSrc *src=rule->getSrc(); RuleElementDst *dst=rule->getDst(); RuleElementSrv *srv=rule->getSrv(); assert(src->size()==1); assert(dst->size()==1); assert(srv->size()==1); FWObject *srcobj = src->front(); FWObject *dstobj = dst->front(); FWObject *srvobj = srv->front(); assert(srcobj); assert(dstobj); assert(srvobj); if (FWReference::cast(srcobj)!=NULL) { srcobj=FWReference::cast(srcobj)->getPointer(); assert(srcobj); } if (FWReference::cast(dstobj)!=NULL) { dstobj=FWReference::cast(dstobj)->getPointer(); assert(dstobj); } if (FWReference::cast(srvobj)!=NULL) { srvobj=FWReference::cast(srvobj)->getPointer(); assert(srvobj); } string acl_name=rule->getStr("acl"); assert (acl_name!=""); ciscoACL *acl = nxosacl_comp->acls[acl_name]; assert(acl!=NULL); /* * Assemble ACL command in aclstr */ aclstr << _printAction(rule); NXOSObjectGroup *pgsrc = NXOSObjectGroup::cast(srcobj); NXOSObjectGroup *pgdst = NXOSObjectGroup::cast(dstobj); NXOSObjectGroup *pgsrv = NXOSObjectGroup::cast(srvobj); /* * Possible configurations: * * permit object-group service_group object-group src_grp object-group dst_grp * permit object-group service_group SRC_SPEC DST_SPEC * permit SRC_SPEC DST_SPEC * * Where SRC_SPEC and DST_SPEC are * obejct-group network_group * or traidtional
* */ if ( pgsrv!=NULL && pgsrv->isServiceGroup()) { aclstr << "object-group " << pgsrv->getName(); aclstr << " "; if ( pgsrc!=NULL && pgsrc->isObjectGroup()) { aclstr << "object-group " << pgsrc->getName(); aclstr << " "; } else { aclstr << _printAddr( compiler->getFirstSrc(rule) ); } if ( pgdst!=NULL && pgdst->isObjectGroup()) { aclstr << "object-group " << pgdst->getName(); aclstr << " "; } else { aclstr << _printAddr( compiler->getFirstDst(rule) ); } } else { // Service is not object group aclstr << _printProtocol(Service::cast(srvobj)); aclstr << " "; if ( pgsrc!=NULL && pgsrc->isObjectGroup()) { aclstr << "object-group " << pgsrc->getName(); aclstr << " "; } else { aclstr << _printAddr( compiler->getFirstSrc(rule) ); } aclstr << _printSrcService( compiler->getFirstSrv(rule) ); if ( pgdst!=NULL && pgdst->isObjectGroup()) { aclstr << "object-group " << pgdst->getName(); aclstr << " "; } else { aclstr << _printAddr( compiler->getFirstDst(rule) ); } aclstr << _printDstService( compiler->getFirstSrv(rule) ); } aclstr << _printLog( rule ); // "fragments" should be the last option in the access-list command aclstr << _printIPServiceOptions(rule); // Note that option "use_acl_remarks" is set in prolog() because // we use different options for this function in GUI dialogs for // nxosacl and procurve. This is historical. 
if (compiler->fw->getOptionsObject()->getBool("use_acl_remarks")) { ruleout << acl->addRemark(rule->getLabel(), rule->getComment()); } ruleout << acl->addLine(aclstr.str()); return ruleout.str(); } string PolicyCompiler_nxosacl::PrintRule::_printAction(PolicyRule *rule) { ostringstream str; switch (rule->getAction()) { case PolicyRule::Accept: str << "permit "; break; case PolicyRule::Deny: str << "deny "; break; case PolicyRule::Reject: str << "deny "; break; default: str << rule->getActionAsString() << " "; } return str.str(); } string PolicyCompiler_nxosacl::PrintRule::_printACL(PolicyRule *rule) { // PolicyCompiler_nxosacl *nxosacl_comp=dynamic_cast(compiler); string acl_name=rule->getStr("acl"); assert (acl_name!=""); return acl_name+" "; } string PolicyCompiler_nxosacl::PrintRule::_printLog(PolicyRule *rule) { if (rule->getLogging()) { FWOptions *ruleopt =rule->getOptionsObject(); if (ruleopt->getBool("nxosacl_log_input")) return "log-input "; return "log "; } return ""; } string PolicyCompiler_nxosacl::PrintRule::_printPortRangeOp(int rs, int re) { return PortRangeConverter(rs, re).toString(); } string PolicyCompiler_nxosacl::PrintRule::_printSrcService(Service *srv) { if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs = TCPUDPService::cast(srv)->getSrcRangeStart(); int re = TCPUDPService::cast(srv)->getSrcRangeEnd(); return _printPortRangeOp(rs, re); } return ""; } string PolicyCompiler_nxosacl::PrintRule::_printIPServiceOptions(PolicyRule *r) { Service *srv = compiler->getFirstSrv(r); const IPService *ip; if ((ip=IPService::constcast(srv))!=NULL) { string version = compiler->fw->getStr("version"); if (srv->getBool("fragm") || srv->getBool("short_fragm")) return "fragments "; if (ip->hasIpOptions() && XMLTools::version_compare(version, "12.4")<0) compiler->abort(r, "IP options match requires NXOS v12.4 or later."); if (ip->getBool("lsrr")) return "option lsr"; if (ip->getBool("ssrr")) return "option ssr"; if (ip->getBool("rr")) return "option 
record-route"; if (ip->getBool("rtralt")) return "option router-alert"; if (ip->getBool("any_opt")) return "option any-options "; string tos = ip->getTOSCode(); string dscp = ip->getDSCPCode(); if (!dscp.empty()) return string("dscp ") + dscp; else if (!tos.empty()) return string("tos ") + tos; } return ""; } string PolicyCompiler_nxosacl::PrintRule::_printDstService(Service *srv) { ostringstream str; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs = TCPUDPService::cast(srv)->getDstRangeStart(); int re = TCPUDPService::cast(srv)->getDstRangeEnd(); str << _printPortRangeOp(rs, re); } if (TCPService::isA(srv)) { if (srv->getBool("established")) str << "established "; else str << _printTCPFlags(TCPService::cast(srv)); } if ((ICMPService::isA(srv) || ICMP6Service::isA(srv)) && srv->getInt("type")!=-1) { str << srv->getStr("type") << " "; } if (CustomService::isA(srv)) str << CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName() ) << " "; return str.str(); } string PolicyCompiler_nxosacl::PrintRule::getTcpFlagName(const TCPService::TCPFlag f) { switch (f) { case TCPService::URG: return "urg"; case TCPService::ACK: return "ack"; case TCPService::PSH: return "psh"; case TCPService::RST: return "rst"; case TCPService::SYN: return "syn"; case TCPService::FIN: return "fin"; default: return ""; } return ""; } string PolicyCompiler_nxosacl::PrintRule::_printTCPFlags(TCPService *srv) { if (srv->inspectFlags()) { // We check the version and call compiler->abort() if its // wrong in SpecialServices rule processor. Here we should just execute. 
string version = compiler->fw->getStr("version"); if (XMLTools::version_compare(version, "12.4")>=0) { std::set flags = srv->getAllTCPFlags(); std::set masks = srv->getAllTCPFlagMasks(); std::set::iterator mit = masks.begin(); QStringList match_specs; for (; mit!=masks.end(); mit++) { if (flags.count(*mit) > 0) match_specs.push_back(QString("+%1").arg(getTcpFlagName(*mit).c_str())); else match_specs.push_back(QString("-%1").arg(getTcpFlagName(*mit).c_str())); } if (!match_specs.empty()) match_specs.push_front("match-all"); return match_specs.join(" ").toStdString() + " "; } } return ""; } string PolicyCompiler_nxosacl::PrintRule::_printProtocol(Service *srv) { PolicyCompiler_nxosacl *nxosacl_comp = dynamic_cast( compiler); string addr_family_prefix = "ip "; if (nxosacl_comp->ipv6) addr_family_prefix = "ipv6 "; string proto = srv->getProtocolName(); if (ICMP6Service::isA(srv)) proto = "icmp"; if (CustomService::isA(srv)) { // special case standard CusctomService objects "ESTABLISHED" // and "ESTABLISHED ipv6": these require protocol "tcp" but // protocol is set in the Custom Service object for all // platforms at once, so we can't have protocol defined only // for nxosacl to be used here. 
string srv_code = CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName()); if (srv_code == "established") proto = "tcp"; } if (proto=="ip") return addr_family_prefix; return proto + " "; } string PolicyCompiler_nxosacl::PrintRule::_printAddr(Address *o) { PolicyCompiler_nxosacl *nxosacl_comp = dynamic_cast(compiler); if (Interface::cast(o)!=NULL) { Interface *interface_ = Interface::cast(o); if (interface_->isDyn()) { return string("interface ") + interface_->getLabel() + " "; } } ostringstream str; const InetAddr *srcaddr = o->getAddressPtr(); if (srcaddr) { const InetAddr *nm = o->getNetmaskPtr(); InetAddr srcmask; if (nm != NULL) { srcmask = *nm; } else { cerr << "Address object " << o << " " << o->getName() << " (" << o->getTypeName() << ") " << " has no netmask" << endl; srcmask = InetAddr(InetAddr::getAllOnes(srcaddr->addressFamily())); } // const InetAddr srcmask = *(o->getNetmaskPtr()); if (srcaddr->isAny() && srcmask.isAny()) { str << "any "; } else { if (Interface::cast(o)==NULL && Interface::cast(o->getParent())==NULL && o->dimension() > 1 && !srcmask.isHostMask()) { if (nxosacl_comp->ipv6) { str << srcaddr->toString() << "/" << srcmask.getLength() << " "; } else { str << srcaddr->toString() << " "; // cisco uses "wildcards" instead of netmasks //long nm = srcmask.to32BitInt(); //struct in_addr na; //na.s_addr = ~nm; InetAddr nnm( ~srcmask ); str << nnm.toString() << " "; } } else { str << "host " << srcaddr->toString() << " "; } } return str.str(); } ostringstream errstr; errstr << "Object " << o->getName() << " (id=" << o->getId() << ") " << " has no ip address and can not be used " << "in the rule."; compiler->abort(errstr.str()); return ""; // to make compiler happy } /* * the following additional attributes should have been defined by now: * * "acl" - string, name of the access list * choices are: outside-in, outside-out, inside-in, indside-out, * dmz-in, dmz-out etc. 
* General rule for the acl name: "iface_name-{in,out}" */ bool PolicyCompiler_nxosacl::PrintRule::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); compiler->output << _printRule(rule); return true; } fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_pix.cpp000066400000000000000000000674131303637203600225620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "Helper.h" #include "PolicyCompiler_pix.h" #include "NATCompiler_pix.h" #include "PIXObjectGroup.h" #include "NamedObjectsAndGroupsSupport.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FailoverClusterGroup.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_pix::myPlatformName() { return "pix"; } PolicyCompiler_pix::PolicyCompiler_pix(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf, NATCompiler_pix *_natcmp) : PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf) { natcmp=_natcmp; resetinbound=false; fragguard=false; } int PolicyCompiler_pix::prolog() { string platform = fw->getStr("platform"); if (platform!="pix" && platform!="fwsm") abort("Unsupported platform " + platform ); return PolicyCompiler::prolog(); } void PolicyCompiler_pix::_expand_interface(Rule *rule, Interface *iface, std::list &ol, bool expand_cluster_interfaces_fully) { Compiler::_expand_interface(rule, iface, ol, expand_cluster_interfaces_fully); } bool PolicyCompiler_pix::checkVersionAndDynamicInterface::findDynamicInterface( PolicyRule *rule, RuleElement *rel) { string vers=compiler->fw->getStr("version"); for (list::iterator i1=rel->begin(); i1!=rel->end(); ++i1) { FWObject *o = *i1; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) 
obj=FWReference::cast(o)->getPointer(); Interface *iface=Interface::cast(obj); if (iface!=NULL && iface->isDyn() && (vers=="6.1" || vers=="6.2")) { compiler->abort( rule, "Dynamic interface can be used in the policy rule only " "in v6.3 or later."); return false; } } return true; } bool PolicyCompiler_pix::checkVersionAndDynamicInterface::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; Service *s = compiler->getFirstSrv(rule); /* if service is ssh, telnet or icmp then we can use dynamic interface * even in earlier versions */ if (ICMPService::isA(s)) { tmp_queue.push_back(rule); return true; } if (TCPService::isA(s)) { if ( s->getInt("dst_range_start")==22 && s->getInt("dst_range_end")==22) { tmp_queue.push_back(rule); return true; } if ( s->getInt("dst_range_start")==23 && s->getInt("dst_range_end")==23) { tmp_queue.push_back(rule); return true; } } if (findDynamicInterface(rule,rule->getSrc()) && findDynamicInterface(rule,rule->getDst())) tmp_queue.push_back(rule); return true; } /* * if dst contains firewall, it must be a single object there. 
*/ bool PolicyCompiler_pix::PrepareForICMPCmd::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; Address *dst=compiler->getFirstDst(rule); Service *srv=compiler->getFirstSrv(rule); if (ICMPService::isA(srv) && compiler->complexMatch(dst,compiler->fw)) rule->setBool("icmp_cmd",true); tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pix::SplitSRCForICMPCmd::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; if (rule->getBool("icmp_cmd")) { RuleElementSrc *src=rule->getSrc(); if (src->size()==1) { tmp_queue.push_back(rule); return true; } for (FWObject::iterator i=src->begin(); i!=src->end(); ++i) { FWObject *o = *i; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Address *a=Address::cast(obj); assert(a!=NULL); PolicyRule *new_rule= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); RuleElementSrc *new_re=new_rule->getSrc(); new_re->clearChildren(); new_re->addRef(a); tmp_queue.push_back(new_rule); } } else tmp_queue.push_back(rule); return true; } /* * About "service resetinbound" command: * * "The service command works with all inbound TCP connections to * statics whose access lists or uauth (user authorization) do not * allow inbound" */ bool PolicyCompiler_pix::RejectAction::processNext() { PolicyCompiler_pix *pix_comp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; if (rule->getAction()==PolicyRule::Reject) pix_comp->resetinbound=true; tmp_queue.push_back(rule); return true; } /* * processor splitIfDstMatchesFw should have made a firewall a single * object in dst */ bool PolicyCompiler_pix::splitIfTelnetSSHICMPtoFw::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; // PolicyCompiler_pix *pix_comp=dynamic_cast(compiler); Address *dst=compiler->getFirstDst(rule); RuleElement *re=rule->getSrc(); if (re->size()!=1 && dst->getId()==compiler->getFwId()) { 
for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *o = *i1; FWObject *obj = o; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementSrc *nsrc=r->getSrc(); nsrc->clearChildren(); nsrc->addRef( obj ); tmp_queue.push_back(r); } } else tmp_queue.push_back(rule); return true; } /* * this is probably not necessary. PIX prints all acl rules with * object-groups twice: first time as entered, with object-group, and * the second time it expands the group (for convenience ?). I thought * it does not print original rule for icmp but it looks like it it * does it for icmp just like for other protocols. PIX is ok, I made a * mistake. I keep with rule processor just in case, but comment out * the call to it. */ bool PolicyCompiler_pix::AvoidObjectGroup::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; // PolicyCompiler_pix *pix_comp=dynamic_cast(compiler); RuleElement *srv=RuleElement::cast(rule->getFirstByType(RuleElementSrv::TYPENAME)); if (srv->size()==1) // no need to create object-group since there is single object in the rule element { tmp_queue.push_back(rule); return true; } FWObject *o = srv->front(); if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); if (ICMPService::isA(o)) { /* we have a rule with multiple icmp services in Srv. We do not want * to use object-group for it because PIX 6.3(3) expands them anyway, * which breaks incremental installer. 
*/ for (FWObject::iterator i1=srv->begin(); i1!=srv->end(); ++i1) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s=r->getSrv(); assert(s); s->clearChildren(); s->add( *i1 ); tmp_queue.push_back(r); } return true; } tmp_queue.push_back(rule); return true; } /* * See #2662: commands "ssh", "telnet" and "http" (those that control * access on the corresponding protocols to the firewall itself) * accept only ip address of a host or a network as their * argument. They do not accept address range, named object or object * group. This is so at least as of ASA 8.3. Since we expand address * ranges only for versions < 8.3 and use named object for 8.3 and * later, we need to make this additional check and still expand * address ranges in rules that will later convert to "ssh", "telnet" * or "http" command. Call this rule processor after telnetToFirewall, * sshToFirewall and httpToFirewall */ bool PolicyCompiler_pix::AddressRangesIfTcpServiceToFW::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; if (rule->getBool("tcp_service_to_fw")) { expandAddressRangesInSrc(rule); } tmp_queue.push_back(rule); return true; } void PolicyCompiler_pix::compile() { string banner = " Compiling ruleset " + getSourceRuleSet()->getName(); if (ipv6) banner += ", IPv6"; info(banner); string vers = fw->getStr("version"); string platform = fw->getStr("platform"); bool outbound_acl_supported = Resources::platform_res[platform]->getResourceBool( string("/FWBuilderResources/Target/options/")+ "version_"+vers+ "/pix_outbound_acl_supported"); bool generate_out_acl = fw->getOptionsObject()->getBool("pix_generate_out_acl"); bool object_groups_supported = Resources::platform_res[platform]->getResourceBool( string("/FWBuilderResources/Target/options/")+ "version_"+vers+ "/pix_object_groups_supported"); if (outbound_acl_supported && !generate_out_acl) { // behave like if outbound acls are not supported but are 
emulated outbound_acl_supported = false; fw->getOptionsObject()->setBool("pix_emulate_out_acl", true); } Compiler::compile(); if ( fw->getOptionsObject()->getBool ("check_shading") && ! inSingleRuleCompileMode()) { add( new Begin ("Detecting rule shadowing" )); add( new printTotalNumberOfRules ( )); add( new expandGroupsInItf("expand groups in Interface" )); add( new replaceClusterInterfaceInItf( "replace cluster interfaces with member interfaces in " "the Interface rule element")); add( new ItfNegation( "process negation in Itf" )); add( new InterfacePolicyRules("process interface policy rules and " "store interface ids")); add( new recursiveGroupsInSrc( "check for recursive groups in SRC" )); add( new recursiveGroupsInDst( "check for recursive groups in DST" )); add( new recursiveGroupsInSrv( "check for recursive groups in SRV" )); add( new ExpandGroups ("expand groups" )); add( new eliminateDuplicatesInSRC ("eliminate duplicates in SRC" )); add( new eliminateDuplicatesInDST ("eliminate duplicates in DST" )); add( new eliminateDuplicatesInSRV ("eliminate duplicates in SRV" )); add( new processMultiAddressObjectsInSrc( "process MultiAddress objects in Src")); add( new processMultiAddressObjectsInDst( "process MultiAddress objects in Dst")); add( new ExpandMultipleAddressesInSrc( "expand objects with multiple addresses in SRC" )); add( new ExpandMultipleAddressesInDst( "expand objects with multiple addresses in DST" )); add( new ConvertToAtomic ("convert to atomic rules" )); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add( new DetectShadowing ("Detect shadowing" )); add( new simplePrintProgress ( )); runRuleProcessors(); deleteRuleProcessors(); } add( new Begin (" Start processing rules" )); add( new printTotalNumberOfRules ( )); add( new singleRuleFilter()); add( new RejectAction ("check for action 'Reject'" )); add( new recursiveGroupsInSrc( "check for recursive groups in SRC" )); add( new recursiveGroupsInDst( 
"check for recursive groups in DST" )); add( new recursiveGroupsInSrv( "check for recursive groups in SRV" )); add( new emptyGroupsInSrc( "check for empty groups in SRC" )); add( new emptyGroupsInDst( "check for empty groups in DST" )); add( new emptyGroupsInSrv( "check for empty groups in SRV" )); add( new ExpandGroups ("expand groups" )); add( new eliminateDuplicatesInSRC( "eliminate duplicates in SRC" )); add( new eliminateDuplicatesInDST( "eliminate duplicates in DST" )); add( new eliminateDuplicatesInSRV( "eliminate duplicates in SRV" )); add( new processMultiAddressObjectsInSrc( "process MultiAddress objects in Src")); add( new processMultiAddressObjectsInDst( "process MultiAddress objects in Dst")); add( new expandGroupsInItf("expand groups in Interface" )); add( new replaceClusterInterfaceInItf( "replace cluster interfaces with member interfaces in " "the Interface rule element")); add( new ItfNegation( "process negation in Itf" )); add( new InterfacePolicyRules( "process interface policy rules and store interface ids")); if (XMLTools::version_compare(vers, "8.3")<0) add( new addressRanges("process address ranges" )); /* * We do not support ipv6 yet */ add( new DropIPv6RulesWithWarning( "drop ipv6 rules", "Rule has been suppressed because it contains IPv6 objects and " "Firewall Builder does not support IPv6 for this platform")); if ( fwopt->getBool("pix_assume_fw_part_of_any")) { // Note that this splits the rule if Dst==any and one or more // icmp services are found in Srv. The name of this rule // processor needs to be more descriptive. 
add( new splitIfDstAny( "split rule if dst is any" )); } add( new splitIfSrcMatchesFw ("split rule if Src matches FW" )); add( new splitIfDstMatchesFw ("split rule if Dst matches FW" )); add( new telnetToFirewall( "separate rules controlling telnet to firewall")); add( new sshToFirewall( "separate rules controlling ssh to firewall" )); add( new httpToFirewall( "separate rules controlling http to firewall")); add( new AddressRangesIfTcpServiceToFW( "process address ranges in rules that control telnet/ssh/http to Fw")); add( new separateSrcPort("split rules matching source ports")); add( new separateCustom("split rules matching custom services")); add( new groupServicesByProtocol("split rules with different protocols")); add( new PrepareForICMPCmd("prepare for icmp command" )); add( new replaceFWinSRCInterfacePolicy( "replace fw with its interface in SRC in interface policy rules")); add( new replaceFWinDSTInterfacePolicy( "replace fw with its interface in DST in interface policy rules")); add( new ExpandMultipleAddressesInSrc( "expand objects with multiple addresses in SRC" )); add( new MACFiltering("check for MAC address filtering" )); add( new splitByNetworkZonesForSrc( "split rule if objects in Src belong to different network zones " )); add( new replaceFWinDSTPolicy( "replace fw with its interface in DST in global policy rules")); add( new ExpandMultipleAddressesInDst( "expand objects with multiple addresses in DST" )); add( new MACFiltering("check for MAC address filtering" )); add( new splitByNetworkZonesForDst( "split rule if objects in Dst belong to different network zones " )); add( new checkForUnnumbered( "check for unnumbered interfaces" )); if (outbound_acl_supported ) { // Call these after splitIfSrcMatchesFw and splitIfDstMatchesFw add( new setInterfaceAndDirectionBySrc( "Set interface and direction for rules with interface " "'all' using SRC; v7")); add( new setInterfaceAndDirectionByDst( "Set interface and direction for rules with interface " "'all' 
using DST; v7")); add(new setInterfaceAndDirectionIfInterfaceSet( "Set direction for rules with interface not 'all'; v7")); } else { add( new SplitDirection_v6("split rules with direction 'both'" )); // add( new assignRuleToInterface ("assign rules to interfaces" )); add( new EmulateOutboundACL_v6("emulate outbound ACL" )); add( new assignRuleToInterface_v6("assign rules to interfaces" )); add( new InterfaceAndDirection_v6( "check for combinations of interface and direction")); } add( new specialCaseWithDynInterface( "check for a special cases with dynamic interface" )); add( new SplitSRCForICMPCmd( "split SRC for icmp commands" )); if (XMLTools::version_compare(vers, "8.3")<0) { if ( fwopt->getBool("pix_replace_natted_objects")) add( new replaceTranslatedAddresses( "replace objects in DST that are TDst in DNAT " "translations")); } else { add( new warnWhenTranslatedAddressesAreUsed( "warng when addresses that are ODst in DNAT translations " "are used in DST")); } if (outbound_acl_supported ) // first arg is false because we are not using // "ip access-list" for PIX. 
add( new pickACL( false, "assign ACLs for v7" )); else add( new pickACL_v6( "assign ACLs for v6" )); add( new SpecialServicesSrv( "check for special services" )); add( new CheckForUnsupportedUserService("check for user service") ); add( new checkForZeroAddr( "check for zero addresses" )); add( new checkVersionAndDynamicInterface( "check for dynamic interfaces in policy rule and verify " "version of PIX OS")); add( new splitIfTelnetSSHICMPtoFw( "split rule if there are multiple objects in src and it " "controlls access to the firewall")); /* remove redundant objects only after all splits has been * done, right before object groups are created */ add( new removeRedundantAddressesFromSrc( "remove redundant addresses from Src")); add( new removeRedundantAddressesFromDst( "remove redundant addresses from Dst")); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); if (object_groups_supported) { // add( new AvoidObjectGroup("avoid object groups for certain cases")); add( new CreateObjectGroupsForSrc("create object groups for Src", named_objects_manager)); add( new CreateObjectGroupsForDst("create object groups for Dst", named_objects_manager)); add( new CreateObjectGroupsForSrv("create object groups for Srv", named_objects_manager)); } else { add( new ConvertToAtomic ("convert to atomic rules" )); } add( new simplePrintProgress()); add( new createNewCompilerPass("Creating object groups and ACLs ...")); if (XMLTools::version_compare(vers, "8.3")>=0) { add( new createNamedObjectsForPolicy( "create named objects", named_objects_manager)); } add( new PrintRule("generate code for ACLs")); add( new simplePrintProgress()); /* if ( fw->getOptionsObject()->getBool("pix_check_rule_shadowing")) { add( new createNewCompilerPass (" Detecting rule shadowing ..." 
)); add( new ExpandGroups ("expand groups" )); add( new ConvertToAtomic ("convert to atomic rules" )); add( new DetectShadowing ("Detect shadowing" )); add( new simplePrintProgress ( )); } */ runRuleProcessors(); } string PolicyCompiler_pix::printAccessGroupCmd(ciscoACL *acl) { if (getSourceRuleSet()->isTop()) { string dir; if (acl->direction()=="in" || acl->direction()=="Inbound") dir="in"; if (acl->direction()=="out" || acl->direction()=="Outbound") dir="out"; return string("access-group ") + acl->workName() + " " + dir + " interface " + acl->getInterface()->getLabel() + "\n"; } return ""; } void PolicyCompiler_pix::epilog() { output << endl; if (resetinbound) output << "service resetinbound" << endl; output << endl; if (fw->getStr("platform")=="fwsm" && fw->getOptionsObject()->getBool("pix_use_manual_commit")) { output << "access-list commit" << endl; output << endl; } for (map::iterator i=acls.begin(); i!=acls.end(); ++i) { ciscoACL *acl=(*i).second; if (acl->size()!=0) output << printAccessGroupCmd(acl); } output << endl; if ( fw->getOptionsObject()->getBool("pix_regroup_commands")) { info(" Regrouping commands"); regroup(); } } string PolicyCompiler_pix::printClearCommands() { ostringstream output; string vers = fw->getStr("version"); string platform = fw->getStr("platform"); string clearACLcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + vers + "/pix_commands/clear_acl"); // string clearOGcmd = Resources::platform_res[platform]->getResourceStr( // string("/FWBuilderResources/Target/options/") + // "version_" + vers + "/pix_commands/clear_og"); string clearICMPcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + vers + "/pix_commands/clear_icmp"); string clearTelnetcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + vers + "/pix_commands/clear_telnet"); if ( 
fw->getOptionsObject()->getBool("pix_acl_basic") ) { output << clearACLcmd << endl; //output << clearOGcmd << endl; } if (fw->getOptionsObject()->getBool("pix_acl_substitution")) { for (map::iterator i=acls.begin(); i!=acls.end(); ++i) { ciscoACL *acl = (*i).second; output << clearACLcmd << " " << acl->workName() << endl; } //output << clearOGcmd << endl; } if ( !fw->getOptionsObject()->getBool("pix_acl_no_clear") ) { output << clearICMPcmd << endl; output << clearTelnetcmd << endl; } // see #2322 If this is FWSM and if manual commit mode is used, we // need to commit after clearing ACLs before we clear object groups if (fw->getStr("platform")=="fwsm" && fw->getOptionsObject()->getBool("pix_use_manual_commit") ) { output << "access-list commit" << endl; } return output.str(); } /* * This includes commands that should be added first, such as commit mode * for FWSM, setting up temporary access list etc. */ string PolicyCompiler_pix::printPreambleCommands() { string version = fw->getStr("version"); string platform = fw->getStr("platform"); ostringstream output; output << "!################" << endl; if (platform=="fwsm") { if (fw->getOptionsObject()->getBool("pix_use_manual_commit") ) output << "access-list mode manual" << endl; else output << "access-list mode auto" << endl; } if ( fw->getOptionsObject()->getBool("pix_acl_substitution") ) { /* Generate short temporary ACL and assign it to all * interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500) as well as ssh from given subnet to any. */ string temp_acl = "tmp_acl"; string temp_acl_addr = fw->getOptionsObject()->getStr("pix_acl_temp_addr"); if (temp_acl_addr.empty()) { abort( "Missing address for management host or subnet for " "temporary ACL. 
Enter it in the tab 'Script " "options' in 'Firewall Settings' dialog"); } string::size_type slash_idx = temp_acl_addr.find('/'); string addr = temp_acl_addr; string netmask = "255.255.255.255"; if (slash_idx!=string::npos) { addr = temp_acl_addr.substr(0,slash_idx); netmask = temp_acl_addr.substr(slash_idx+1); try { if (netmask.find(".")!=string::npos) { InetAddr nm(netmask); nm.isAny(); // to avoid warning abt unused var } else { int nm_length; istringstream str(netmask); str >> nm_length; InetAddr nm(nm_length); netmask = nm.toString(); } } catch(FWException &ex) { abort("Invalid netmask for management subnet: '"+netmask+"'"); } } try { InetAddr(addr); } catch(FWException &ex) { abort("Invalid address for management subnet: '"+addr+"'"); } string clearACLcmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/")+ "version_"+version+"/pix_commands/clear_acl"); output << endl; output << clearACLcmd << " " << temp_acl << endl; if (fw->getStr("platform")=="fwsm" && fw->getOptionsObject()->getBool("pix_use_manual_commit") ) { output << "access-list commit" << endl; } output << "access-list " << temp_acl << " permit ip " << addr << " " << netmask << " any " << endl; output << "access-list " << temp_acl << " deny ip any any " << endl; if (platform=="fwsm" && fw->getOptionsObject()->getBool("pix_use_manual_commit") ) output << "access-list commit" << endl; output << endl; // see #2347 attach temporary acl to all interfaces list all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); list::iterator i; for (i=all_interfaces.begin(); i!=all_interfaces.end(); ++i) { Interface *iface = Interface::cast(*i); assert(iface); output << "access-group " << temp_acl << " in interface " << iface->getLabel() << endl; } output << endl; } return output.str(); } fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_pix.h000066400000000000000000000276431303637203600222300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC 
Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICYCOMPILER_PIX_HH #define __POLICYCOMPILER_PIX_HH #include #include "fwcompiler/PolicyCompiler.h" #include "fwbuilder/RuleElement.h" #include "Helper.h" #include "ACL.h" #include "PolicyCompiler_cisco.h" #include "specialServices.h" namespace libfwbuilder { class IPService; class ICMPService; class TCPService; class UDPService; class RuleElementSrc; class RuleElementDst; class RuleElementSrv; class Group; }; namespace fwcompiler { class NATCompiler_pix; class PolicyCompiler_pix : public PolicyCompiler_cisco { protected: /** * dynamic interfaces can be used in policy rules only in v6.3 and later * */ friend class checkVersionAndDynamicInterface; class checkVersionAndDynamicInterface : public PolicyRuleProcessor { bool findDynamicInterface(libfwbuilder::PolicyRule *rule, libfwbuilder::RuleElement *re); public: checkVersionAndDynamicInterface(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; /** * internal: checks if interface is a child of a cluster and calls * Compiler::_expand_interface() with a pointer to the master member * interface. 
If @iface is not cluster interface, just calls * Compiler::_expand_interface() */ virtual void _expand_interface(libfwbuilder::Rule *rule, libfwbuilder::Interface *iface, std::list &ol, bool expand_cluster_interfaces_fully); /* ************************************************************************* * * the following rule processors are intended for PIX < 7.0 * the code is in the module PolicyCompiler_pix_v6_acls.cpp * ************************************************************************* */ /** * verifies combination of interface and direction and * fills interface and direction. After this predicate it * is guaranteed that both interface and direction have * some value. In certain situations interface ID may be * set to "nil" though (e.g. global policy rules). */ DECLARE_POLICY_RULE_PROCESSOR( InterfaceAndDirection_v6 ); /** * if interface has not been defined (this is global policy * rule), then multiply the rule for each interface and set * direction to "Inbound" */ DECLARE_POLICY_RULE_PROCESSOR( assignRuleToInterface_v6 ); class AddressRangesIfTcpServiceToFW : public PolicyCompiler::addressRanges { public: AddressRangesIfTcpServiceToFW(const std::string &n): addressRanges(n) {} virtual bool processNext(); }; friend class AddressRangesIfTcpServiceToFW; /** * split rules with direction "both". * TODO: This is used in OpenBSD pf. Move to class PolicyCompiler */ DECLARE_POLICY_RULE_PROCESSOR( SplitDirection_v6 ); /** * in PIX, ACLs are always applied on interface and direction * can only be "inbound". We emulate outbound ACLs though. 
*/ DECLARE_POLICY_RULE_PROCESSOR( EmulateOutboundACL_v6 ); /** * determine acl rules should belong to */ DECLARE_POLICY_RULE_PROCESSOR( pickACL_v6 ); friend class PolicyCompiler_pix::pickACL_v6; /* ************************************************************************* * * end of module PolicyCompiler_pix_v6_acls.cpp * ************************************************************************* */ /* ************************************************************************* * * rule processors intended to manage ACLs for PIX < 7.0 are inherited * from PolicyCompiler_cisco. * The code is in the module PolicyCompiler_cisco_acls.cpp * * The processors assume that all objects in src and dst * belong to the same network zone (respectively) * * All these rule processors assume outbound ACLs are supported. * Check corresponding capability flag and do not include these * processors in the processors chain in pix.cpp if outbound acls * are not supported. * ************************************************************************* */ class SpecialServicesSrv : public SpecialServices { public: SpecialServicesSrv(const std::string &n): SpecialServices(n, libfwbuilder::RuleElementSrv::TYPENAME) {} }; friend class SpecialServices; /** * sets boolean flag icmp_cmd to be able to generate command * "icmp" instead of "access-list" later. Call this processor * after SplitServices and splitIfDstMatchesFw */ DECLARE_POLICY_RULE_PROCESSOR( PrepareForICMPCmd ); /** * splits SRC if this is icmp_cmd rule */ DECLARE_POLICY_RULE_PROCESSOR( SplitSRCForICMPCmd ); /** * to implement action "Reject" add command "service resetinbound" */ DECLARE_POLICY_RULE_PROCESSOR( RejectAction ); friend class PolicyCompiler_pix::RejectAction; /* * Rule processors that inherit this class match objects used * in policy rules to the nat rules and do something about * them. 
*/ class matchTranslatedAddresses : public PolicyRuleProcessor { protected: std::list transformed_rules; public: matchTranslatedAddresses(const std::string &n):PolicyRuleProcessor(n) {} virtual bool processNext(); virtual std::list findMatchingNATRules( libfwbuilder::Address *src, libfwbuilder::Address *dst, libfwbuilder::Service *srv); virtual void action( libfwbuilder::PolicyRule* policy_rule, libfwbuilder::NATRule* nat_rule, libfwbuilder::Address *src, libfwbuilder::Address *dst, libfwbuilder::Service *srv); }; /** * this processor replaces objects in dst for which we have * DNAT rule in a NAT policy. Call _after_ telnetToFirewall, * sshToFirewall and PrepareForICMPCmd */ class replaceTranslatedAddresses : public matchTranslatedAddresses { public: replaceTranslatedAddresses(const std::string &n) : matchTranslatedAddresses(n) {} virtual std::list findMatchingNATRules( libfwbuilder::Address *src, libfwbuilder::Address *dst, libfwbuilder::Service *srv); virtual void action( libfwbuilder::PolicyRule* policy_rule, libfwbuilder::NATRule* nat_rule, libfwbuilder::Address *src, libfwbuilder::Address *dst, libfwbuilder::Service *srv); }; friend class PolicyCompiler_pix::replaceTranslatedAddresses; /** * this processor issues warning when translated addresses are * used in policy rules. Use for PIX 8.3 and later. 
*/ class warnWhenTranslatedAddressesAreUsed : public matchTranslatedAddresses { public: warnWhenTranslatedAddressesAreUsed(const std::string &n) : matchTranslatedAddresses(n) {} virtual std::list findMatchingNATRules( libfwbuilder::Address *src, libfwbuilder::Address *dst, libfwbuilder::Service *srv); virtual void action( libfwbuilder::PolicyRule* policy_rule, libfwbuilder::NATRule* nat_rule, libfwbuilder::Address *src, libfwbuilder::Address *dst, libfwbuilder::Service *srv); }; friend class PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed; /** * can not use object-group in "icmp", "telnet" and "ssh" commands */ DECLARE_POLICY_RULE_PROCESSOR( splitIfTelnetSSHICMPtoFw ); class AvoidObjectGroup : public PolicyRuleProcessor { public: AvoidObjectGroup(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class PolicyCompiler_pix::AvoidObjectGroup; /** * this processor prints single policy rule, assuming all * groups have been expanded, so source, destination and * service hold exactly one object each, and this object is * not a group. Negation should also have been taken care of * before this method is called. 
*/ class PrintRule : public PolicyRuleProcessor { protected: std::string current_rule_label1; std::map current_rule_label2; std::list seen_icmp_commands; int aclLineCounter; std::string _printPortRangeOp(int rs, int re); std::string _printSingleSSHTelnetCommand(int port, libfwbuilder::Address *a, const std::string &interfaceLabel); std::string _printSrcService(libfwbuilder::Service *srv); std::string _printDstService(libfwbuilder::Service *srv); std::string _printAddr(libfwbuilder::Address *o); std::string _printAction(libfwbuilder::PolicyRule *r); std::string _printACL(libfwbuilder::PolicyRule *r); std::string _printSSHTelnetCommand(libfwbuilder::PolicyRule *r); std::string _printICMPCommand(libfwbuilder::PolicyRule *r); std::string _printLog(libfwbuilder::PolicyRule *r); bool suppressDuplicateICMPCommands(const std::string &cmd); public: PrintRule(const std::string &name) : PolicyRuleProcessor(name) { aclLineCounter=0; } virtual bool processNext(); }; friend class PolicyCompiler_pix::PrintRule; bool resetinbound; bool fragguard; NATCompiler_pix *natcmp; protected: virtual std::string myPlatformName(); std::string printAccessGroupCmd(ciscoACL *acl); public: PolicyCompiler_pix(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf, NATCompiler_pix *_natcmp); virtual ~PolicyCompiler_pix() {} virtual int prolog(); virtual void compile(); virtual void epilog(); virtual std::string printClearCommands(); virtual std::string printPreambleCommands(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_pix_replace_translations.cpp000066400000000000000000000161131303637203600270450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "Helper.h" #include "PolicyCompiler_pix.h" #include "NATCompiler_pix.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; bool PolicyCompiler_pix::matchTranslatedAddresses::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; string version = compiler->fw->getStr("version"); transformed_rules.clear(); RuleElementSrc *srcrel = rule->getSrc(); RuleElementDst *dstrel = rule->getDst(); RuleElementSrv *srvrel = rule->getSrv(); for (list::iterator i1=srcrel->begin(); i1!=srcrel->end(); ++i1) { for (list::iterator i2=dstrel->begin(); i2!=dstrel->end(); ++i2) { for (list::iterator i3=srvrel->begin(); i3!=srvrel->end(); ++i3) { FWObject *o1 = *i1; FWObject *o2 = *i2; FWObject *o3 = *i3; FWObject *obj1 = NULL; FWObject *obj2 = NULL; FWObject *obj3 = NULL; obj1 = FWReference::getObject(o1); Address *src = Address::cast(obj1); assert(src!=NULL); obj2 = FWReference::getObject(o2); Address *dst = Address::cast(obj2); assert(dst!=NULL); obj3 = FWReference::getObject(o3); Service *srv = Service::cast(obj3); assert(srv!=NULL); list tl = findMatchingNATRules(src, dst, srv); for( list::iterator t=tl.begin(); t!=tl.end(); ++t) action(rule, *t, src, dst, srv); } } } /* *list transformed_rules 
has all the atomic rules that have a matching * NAT rule, with dst and srv already converted. We just add them to * the policy on top of the original rule. */ list::iterator i1; for (i1=transformed_rules.begin(); i1!=transformed_rules.end(); ++i1) { PolicyRule *r=PolicyRule::cast( *i1 ); tmp_queue.push_back(r); } tmp_queue.push_back(rule); return true; } list PolicyCompiler_pix::matchTranslatedAddresses::findMatchingNATRules( Address*, Address*, Service*) { return list(); } void PolicyCompiler_pix::matchTranslatedAddresses::action( PolicyRule* , NATRule* , Address*, Address*, Service*) { } list PolicyCompiler_pix::replaceTranslatedAddresses::findMatchingNATRules( Address *src, Address *dst, Service *srv) { PolicyCompiler_pix *pix_comp = dynamic_cast(compiler); return pix_comp->natcmp->findMatchingDNATRules( src, dst, srv, RuleElementTDst::TYPENAME); } void PolicyCompiler_pix::replaceTranslatedAddresses::action( PolicyRule* policy_rule, NATRule* nat_rule, Address *src, Address*, Service *srv) { // FWObject *rule_iface = compiler->dbcopy->findInIndex( // policy_rule->getInterfaceId()); RuleElementItf *intf_re = policy_rule->getItf(); FWObject *rule_iface = FWObjectReference::getObject(intf_re->front()); RuleElement *re = nat_rule->getOSrc(); FWObject *o = FWReference::getObject(re->front()); Address *osrc = Address::cast(o); assert(osrc); re = nat_rule->getODst(); o = FWReference::getObject(re->front()); Address *odst = Address::cast(o); assert(odst); re = nat_rule->getOSrv(); o = FWReference::getObject(re->front()); Service *osrv = Service::cast(o); assert(osrv); re = nat_rule->getTSrc(); o = FWReference::getObject(re->front()); Address *tsrc = Address::cast(o); assert(tsrc); re = nat_rule->getTDst(); o = FWReference::getObject(re->front()); Address *tdst = Address::cast(o); assert(tdst); re = nat_rule->getTSrv(); o = FWReference::getObject(re->front()); Service *tsrv = Service::cast(o); assert(tsrv); FWObject *p = odst->getParent(); if (odst->getId() == 
rule_iface->getId() || p->getId() == rule_iface->getId()) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(policy_rule); RuleElementSrc *nsrc = r->getSrc(); nsrc->clearChildren(); nsrc->addRef( src ); RuleElementDst *ndst = r->getDst(); ndst->clearChildren(); ndst->addRef( odst ); RuleElementSrv *nsrv = r->getSrv(); nsrv->clearChildren(); if (osrv->isAny()) nsrv->addRef( srv ); else nsrv->addRef( osrv ); transformed_rules.push_back(r); } } list PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::findMatchingNATRules( Address *src, Address *dst, Service *srv) { PolicyCompiler_pix *pix_comp = dynamic_cast(compiler); return pix_comp->natcmp->findMatchingDNATRules( src, dst, srv, RuleElementODst::TYPENAME); } void PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::action( PolicyRule* policy_rule, NATRule* nat_rule, Address*, Address *dst, Service*) { // FWObject *rule_iface = compiler->dbcopy->findInIndex( // policy_rule->getInterfaceId()); RuleElementItf *intf_re = policy_rule->getItf(); FWObject *rule_iface = FWObjectReference::getObject(intf_re->front()); string version = compiler->fw->getStr("version"); RuleElement *re; FWObject *o; re = nat_rule->getODst(); o = FWReference::getObject(re->front()); Address *odst = Address::cast(o); assert(odst); FWObject *p = odst->getParent(); if (odst->getId() == rule_iface->getId() || p->getId() == rule_iface->getId()) { QString err("Object %1 that represents translated address in a NAT rule %2 " "is used in a policy rule of ASA v%3 firewall. " "Starting with v8.3, ASA requires using real IP addresses " "in the firewall policy rules. 
"); compiler->warning( policy_rule, err.arg(QString::fromUtf8(dst->getName().c_str())) .arg(nat_rule->getLabel().c_str()) .arg(version.c_str()).toStdString()); } } fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp000066400000000000000000000317451303637203600241760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Rule processors in this module build ACLs for PIX v6 they employ number of assumptions that are only valid for PIX <7.0 */ #include "config.h" #include "PolicyCompiler_pix.h" #include "NATCompiler_pix.h" #include "PIXObjectGroup.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/AddressTable.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); bool icmp_cmd = rule->getBool("icmp_cmd"); 
bool tcp_service_to_fw = rule->getBool("tcp_service_to_fw"); // int interface_id = rule->getInterfaceId(); RuleElementItf *intf_re = rule->getItf(); if (rule->getDirection()==PolicyRule::Undefined) rule->setDirection( PolicyRule::Both ); if (intf_re->isAny() && rule->getDirection()==PolicyRule::Both) return true; if (intf_re->isAny() && !icmp_cmd && !tcp_service_to_fw && ( rule->getDirection()==PolicyRule::Inbound || rule->getDirection()==PolicyRule::Outbound) ) compiler->abort(rule, "Direction set without interface"); return true; } /* * rules with direction 'both' associated with an interface are split * and copies are assigned directions Inbound and Outbound * * rules with direction 'both' not associated with any interface are * simply converted to "Inbound". This is because we only generate * outbound ACLs for rules that explicitly were defined by the user * with direction "Outbound"; everything else is implemented using * inbound ACLs * * 04/21/06 --vk */ bool PolicyCompiler_pix::SplitDirection_v6::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; // FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId()); RuleElementItf *intf_re = rule->getItf(); if (rule->getDirection()==PolicyRule::Both) { if ( ! intf_re->isAny()) { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setDirection(PolicyRule::Inbound); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setDirection(PolicyRule::Outbound); tmp_queue.push_back(r); } else { rule->setDirection(PolicyRule::Inbound); tmp_queue.push_back(rule); } } else tmp_queue.push_back(rule); return true; } /** * this processor emulates outbound ACL by splitting a rule onto * several rules and assigning them to interfaces. This processor * works only with rules that have direction "Outbound" and have * interface specified. 
* * Prerequisites: * * Rule should have been split before this processor is called if * objects in src and/or dst belong to different network zones * * * Internet ("any") * ^ * | * | i4 * +----------+ * i1| |i3 * ---------------+ PIX +---------------- * host1 | | host3 * +----------+ * |i2 * | * |host2 * * src dst interface * * h1 h2 i2 change interface to i1 * any h2 i2 split, use all interfaces but i2 * h1 any i2 change interface to i1 * any any i2 split, use all interfaces but i2 * * * FWSM v2.3 and beyond, as well as PIX 7.0, support outbound ACLs * (via "access-group out ..." command) We do not need to do this * for these platforms. */ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext() { Helper helper(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; // FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId()); RuleElementItf *intf_re = rule->getItf(); FWObject *rule_iface = FWObjectReference::getObject(intf_re->front()); if (rule->getDirection()==PolicyRule::Outbound && ! 
intf_re->isAny()) { if ( compiler->fw->getOptionsObject()->getBool("pix_emulate_out_acl") ) { RuleElementSrc *src = rule->getSrc(); assert(src); RuleElementDst *dst = rule->getDst(); assert(dst); try { if (!src->isAny()) { int iface1_id = helper.findInterfaceByNetzone( compiler->getFirstSrc(rule) ); /* special case: interface detected via comparison of src and the * network zone is the same as the one this rule is assigned to, but * direction is Outbound - drop this rule */ if (iface1_id == rule_iface->getId()) { compiler->warning(rule, "Rule with direction 'Outbound' was suppressed " "because generation of outbound access lists " "is turned off in firewall object settings" ); return true; } // rule->setInterfaceId(iface1_id); intf_re->reset(); intf_re->addRef(compiler->dbcopy->findInIndex(iface1_id)); rule->setDirection(PolicyRule::Inbound); tmp_queue.push_back(rule); } else { int iface2_id; iface2_id = helper.findInterfaceByNetzone( compiler->getFirstDst(rule) ); list l2 = compiler->fw->getByTypeDeep( Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { if ( (*i)->getId()==iface2_id ) continue; PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); // r->setInterfaceId((*i)->getId()); RuleElementItf *itf_re = r->getItf(); assert(itf_re!=NULL); itf_re->reset(); itf_re->addRef(*i); rule->setDirection(PolicyRule::Inbound); tmp_queue.push_back(r); } } } catch (string addr) { ostringstream str; str << "Can not find interface to assign rule " << rule->getLabel() << ": " << endl << "Address " << addr << " does not match address or network zone of any interface" << endl; compiler->abort(rule, str.str()); } } else compiler->abort( rule, "Outbound ACLs are not supported and emulation is " "not activated"); } else tmp_queue.push_back(rule); return true; } /** * this processor assigns rules to interfaces (since PIX only * supports ACLs on interfaces and direction can only be "inbound"). 
* * * Internet ("any") * ^ * | * | i4 * +----------+ * i1| |i3 * ---------------+ PIX +---------------- * host1 | | host3 * +----------+ * |i2 * | * |host2 * * src dst assign to interface * * any i1 i1 * any i2 i2 * any i3 i3 * any i4 i4 * any host2 all * host1 host2 i1 * host1 any i1 * any any all */ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; Helper helper(compiler); RuleElementSrc *src = rule->getSrc(); assert(src); RuleElementDst *dst = rule->getDst(); assert(dst); RuleElementItf *intf_re = rule->getItf(); // FWObject *rule_iface = FWObjectReference::getObject(intf_re->front()); if (intf_re->isAny()) { try { if (! src->isAny() ) { Address *a = compiler->getFirstSrc(rule); int iface1_id = helper.findInterfaceByNetzone(a); // rule->setInterfaceId(iface1_id); intf_re->reset(); intf_re->addRef(compiler->dbcopy->findInIndex(iface1_id)); tmp_queue.push_back(rule); } else { Address *a=compiler->getFirstDst(rule); if ( ! 
dst->isAny() && compiler->complexMatch(a,compiler->fw)) { int iface2_id = helper.findInterfaceByNetzone( a ); // rule->setInterfaceId(iface2_id); intf_re->reset(); intf_re->addRef(compiler->dbcopy->findInIndex(iface2_id)); rule->setStr("direction","Inbound"); tmp_queue.push_back(rule); return true; } list l2 = compiler->fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *intf = Interface::cast(*i); if (intf->isUnprotected()) continue; if (intf->getOptionsObject()->getBool("cluster_interface")) continue; PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); // r->setInterfaceId(intf->getId()); RuleElementItf *itf_re = r->getItf(); assert(itf_re!=NULL); itf_re->reset(); itf_re->addRef(intf); r->setStr("direction","Inbound"); tmp_queue.push_back(r); } } } catch (string addr) { ostringstream str; str << "Can not find interface to assign rule " << rule->getLabel() << ": " << endl << "Address " << addr << " does not match address or network zone of any interface" << endl; compiler->abort(rule, str.str()); } } else { tmp_queue.push_back(rule); } return true; } /* * This processor is called after emulateOutboundACL */ bool PolicyCompiler_pix::pickACL_v6::processNext() { PolicyCompiler_pix *pix_comp = dynamic_cast(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; // Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId())); RuleElementItf *intf_re = rule->getItf(); Interface *rule_iface = Interface::cast( FWObjectReference::getObject(intf_re->front())); if (intf_re->isAny() || rule_iface==NULL) compiler->abort(rule, "Missing interface assignment"); string acl_name = rule_iface->getLabel() + "_acl_in"; rule->setStr("acl", acl_name); ciscoACL *acl = new ciscoACL(acl_name, rule_iface, "in"); pix_comp->acls[acl_name] = acl; acl->setWorkName(acl_name); tmp_queue.push_back(rule); return true; } 
fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_pix_writers.cpp000066400000000000000000000345551303637203600243420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PolicyCompiler_pix.h" #include "PIXObjectGroup.h" #include "NamedObjectsManager.h" #include "PortRangeConverter.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Network.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_pix::PrintRule::_printAction(PolicyRule *rule) { ostringstream str; switch (rule->getAction()) { case PolicyRule::Accept: str << "permit "; break; case PolicyRule::Deny: str << "deny "; break; case PolicyRule::Reject: str << "deny "; break; default: 
str << rule->getActionAsString() << " "; } return str.str(); } string PolicyCompiler_pix::PrintRule::_printACL(PolicyRule *rule) { // PolicyCompiler_pix *pix_comp=dynamic_cast(compiler); string acl_name=rule->getStr("acl"); assert (acl_name!=""); return acl_name+" "; } string PolicyCompiler_pix::PrintRule::_printLog(PolicyRule *rule) { string platform = compiler->fw->getStr("platform"); string vers = compiler->fw->getStr("version"); if (platform=="pix" && (vers=="6.1" || vers=="6.2")) return ""; // PolicyCompiler_pix *pix_comp=dynamic_cast(compiler); FWOptions *ruleopt =rule->getOptionsObject(); QStringList str; if (ruleopt->getBool("disable_logging_for_this_rule")) return "log disable "; if (rule->getLogging()) { string level = ruleopt->getStr("log_level"); int logint = ruleopt->getInt("log_interval"); /* * PIX always adds logging interval in "show * access-list" command, * so we should always add it, too. Otherwise ACL lines look * different when diff is generated. */ if (logint<=0) logint = Resources::platform_res[platform]->getResourceInt( string("/FWBuilderResources/Target/options/") + "version_" + compiler->fw->getStr("version") + "/pix_default_logint"); if (level.empty()) level = compiler->fw->getOptionsObject()->getStr( "pix_logging_trap_level"); if (level.empty()) level = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + compiler->fw->getStr("version") + "/pix_default_loglevel"); if (level=="alert") level = "1"; if (level=="crit") level = "2"; if (level=="error") level = "3"; if (level=="warning") level = "4"; if (level=="notice") level = "5"; if (level=="info") level = "6"; if (level=="debug") level = "7"; str << "log" << level.c_str(); if (logint>0 || platform=="pix") // can't use "interval 0" on fwsm { str << "interval" << QString().setNum(logint); } } return str.join(" ").toStdString(); } string PolicyCompiler_pix::PrintRule::_printPortRangeOp(int rs, int re) { return PortRangeConverter(rs, 
re).toString(); } string PolicyCompiler_pix::PrintRule::_printSrcService(Service *srv) { if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs = TCPUDPService::cast(srv)->getSrcRangeStart(); int re = TCPUDPService::cast(srv)->getSrcRangeEnd(); return _printPortRangeOp(rs, re); } return ""; } string PolicyCompiler_pix::PrintRule::_printDstService(Service *srv) { ostringstream str; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs=TCPUDPService::cast(srv)->getDstRangeStart(); int re=TCPUDPService::cast(srv)->getDstRangeEnd(); str << _printPortRangeOp(rs, re); } if (ICMPService::isA(srv) && srv->getInt("type")!=-1) { str << srv->getStr("type") << " "; } if (CustomService::isA(srv)) { str << CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName() ) << " "; } const IPService *ip_srv = IPService::constcast(srv); if (ip_srv && ip_srv->hasIpOptions()) compiler->warning("PIX can not match IP options"); return str.str(); } string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o) { if (Interface::cast(o)!=NULL) { Interface *interface_=Interface::cast(o); if (interface_->isDyn()) { return string("interface ") + interface_->getLabel() + " "; } } ostringstream str; const InetAddr *srcaddr = o->getAddressPtr(); if (srcaddr) { InetAddr srcmask = *(o->getNetmaskPtr()); if (Interface::cast(o)!=NULL) srcmask = InetAddr(InetAddr::getAllOnes()); if (IPv4::cast(o)!=NULL) srcmask = InetAddr(InetAddr::getAllOnes()); if (srcaddr->isAny() && srcmask.isAny()) { str << "any "; } else { if (srcmask.isHostMask()) { str << "host " << srcaddr->toString() << " "; } else { str << srcaddr->toString() << " "; str << srcmask.toString() << " "; } } return str.str(); } ostringstream errstr; errstr << "Object " << o->getName() << " (id=" << o->getId() << ") " << " has no ip address and can not be used " << "in the rule."; compiler->abort(errstr.str()); return ""; // to make compiler happy } bool 
PolicyCompiler_pix::PrintRule::suppressDuplicateICMPCommands(const string &cmd) { list::iterator i; i = std::find(seen_icmp_commands.begin(), seen_icmp_commands.end(), cmd); if (i!=seen_icmp_commands.end()) return true; seen_icmp_commands.push_back(cmd); return false; } string PolicyCompiler_pix::PrintRule::_printICMPCommand(PolicyRule *rule) { ostringstream str; Address *src = compiler->getFirstSrc(rule); RuleElementSrv *srvrel = rule->getSrv(); FWObject *srv = srvrel->front(); if (FWReference::cast(srv)!=NULL) srv = FWReference::cast(srv)->getPointer(); // Interface *rule_iface = // Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId())); RuleElementItf *intf_re = rule->getItf(); Interface *rule_iface = Interface::cast( FWObjectReference::getObject(intf_re->front())); assert(rule_iface); if (PIXObjectGroup::cast(srv)!=NULL) { for (FWObject::iterator i1=srv->begin(); i1!=srv->end(); ++i1) { ICMPService *s = ICMPService::cast(FWReference::getObject(*i1)); assert(s!=NULL); ostringstream str1; str1 << "icmp "; str1 << _printAction(rule); str1 << _printAddr( src ); str1 << s->getStr("type"); str1 << " "; str1 << rule_iface->getLabel(); str1 << endl; if ( ! suppressDuplicateICMPCommands(str1.str())) str << str1.str(); } return str.str(); } else { str << "icmp "; str << _printAction(rule); str << _printAddr( src ); str << _printDstService( Service::cast(srv) ); str << " "; str << rule_iface->getLabel(); str << endl; if ( ! 
suppressDuplicateICMPCommands(str.str())) return str.str(); } return ""; } string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule) { ostringstream str; int port; RuleElementSrc *rel = rule->getSrc(); Service *srv = compiler->getFirstSrv(rule); RuleElementItf *intf_re = rule->getItf(); Interface *rule_iface = Interface::cast( FWObjectReference::getObject(intf_re->front())); assert(rule_iface); port = TCPUDPService::cast(srv)->getDstRangeStart(); for (FWObject::iterator i=rel->begin(); i!=rel->end(); ++i) { FWObject *o = FWReference::getObject(*i); if (dynamic_cast(o)!=NULL) { for (FWObject::iterator j=o->begin(); j!=o->end(); ++j) { Address *a = Address::cast(FWReference::getObject(*j)); assert(a!=NULL); str << _printSingleSSHTelnetCommand(port, a, rule_iface->getLabel()); } } else { Address *a = Address::cast(o); assert(a!=NULL); str << _printSingleSSHTelnetCommand(port, a, rule_iface->getLabel()); } } return str.str(); } string PolicyCompiler_pix::PrintRule::_printSingleSSHTelnetCommand( int port, Address *a, const string &interfaceLabel) { string res; if (port==22) res = "ssh "; if (port==23) res = "telnet "; if (port==80) res = "http "; if (!res.empty()) { res += a->getAddressPtr()->toString() + " " + a->getNetmaskPtr()->toString() + " " + interfaceLabel + "\n"; } return res; } /* * the following additional attributes should have been defined by now: * * "acl" - string, name of the access list * choices are: outside-in, outside-out, inside-in, inside-out, * dmz-in, dmz-out etc. 
* General rule for the acl name: "iface_name-{in,out}" */ bool PolicyCompiler_pix::PrintRule::processNext() { PolicyCompiler_pix *pix_comp = dynamic_cast(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); ostringstream comment; compiler->output << compiler->printComment(rule, current_rule_label1, "!"); if (rule->getBool("icmp_cmd")) { compiler->output << _printICMPCommand(rule); // need to generate access list command as well as icmp command // in order to properly serve icmp through nat // 04/21/06 --vk // return true; } if (rule->getBool("tcp_service_to_fw")) { compiler->output << _printSSHTelnetCommand(rule); return true; } /* * all three rule elements contain exactly one object, which can * be either group (in case processor CreateObjectGroups created * object group for it) or a regular object */ RuleElementSrc *src = rule->getSrc(); RuleElementDst *dst = rule->getDst(); RuleElementSrv *srv = rule->getSrv(); assert(src->size()==1); assert(dst->size()==1); assert(srv->size()==1); FWObject *srcobj = FWReference::getObject(src->front()); FWObject *dstobj = FWReference::getObject(dst->front()); FWObject *srvobj = FWReference::getObject(srv->front()); assert(srcobj); assert(dstobj); assert(srvobj); ostringstream aclstr; string acl_name = rule->getStr("acl"); assert(acl_name!=""); ciscoACL *acl = pix_comp->acls[acl_name]; assert(acl!=NULL); if (compiler->fw->getOptionsObject()->getBool("pix_use_acl_remarks")) { compiler->output << acl->addRemark(rule->getLabel(), rule->getComment()); } /* * Assemble ACL command in aclstr */ aclstr << _printAction(rule); /* * processor groupServicesByProtocol guaranties that rule has * services of the same type (that is, the same protocol, like all * tcp, all udp, all icmp or all IP with the same protocol * number). PIX can use object-group for protocol only if protocol * numbers are different and these are not icmp/tcp/udp * protocols. 
This means that because of processor * groupServicesByProtocol we never use object-group in protocol * part of ACL. */ PIXObjectGroup *pgsrv = PIXObjectGroup::cast(srvobj); PIXObjectGroup *pgsrc = PIXObjectGroup::cast(srcobj); PIXObjectGroup *pgdst = PIXObjectGroup::cast(dstobj); Service *srv_s = Service::cast(srvobj); assert(pgsrv!=NULL || srv_s!=NULL); if ( pgsrv!=NULL && pgsrv->isServiceGroup()) { aclstr << pgsrv->getSrvTypeName(); } else aclstr << srv_s->getProtocolName(); aclstr << " "; NamedObject* asa8_object; asa8_object = pix_comp->named_objects_manager->getNamedObject(srcobj); if (asa8_object) { aclstr << "object " << asa8_object->getCommandWord().toStdString() << " "; } else { if (pgsrc!=NULL) { aclstr << "object-group " << srcobj->getName() << " "; } else { aclstr << _printAddr(Address::cast(srcobj)); } } if ( pgsrv==NULL ) aclstr << _printSrcService( compiler->getFirstSrv(rule) ); asa8_object = pix_comp->named_objects_manager->getNamedObject(dstobj); if (asa8_object) { aclstr << "object " << asa8_object->getCommandWord().toStdString() << " "; } else { if (pgdst!=NULL) { aclstr << "object-group " << dstobj->getName() << " "; } else { aclstr << _printAddr(Address::cast(dstobj)); } } if (pgsrv!=NULL) { aclstr << "object-group " << srvobj->getName() << " "; } else { aclstr << _printDstService(Service::cast(srvobj)); } aclstr << _printLog( rule ); // aclstr << endl; compiler->output << acl->addLine(aclstr.str()); return true; } fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_procurve_acl.cpp000066400000000000000000000100341303637203600244310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "PolicyCompiler_procurve_acl.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Resources.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_procurve_acl::myPlatformName() { return "procurve_acl"; } PolicyCompiler_procurve_acl::PolicyCompiler_procurve_acl(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf) : PolicyCompiler_iosacl(_db, fw, ipv6_policy, _oscnf) { comment_symbol = ";"; } int PolicyCompiler_procurve_acl::prolog() { string platform = fw->getStr("platform"); if (platform!="procurve_acl") abort("Unsupported platform " + platform ); /* This is optional for PIX (controller by a checkbox in * "asvanced" settings dialog) and is hardcoded as "true" for * iosacl in PolicyCompiler_cisco::pickACL::processNext(). I do * not want a function in the base class PolicyCompiler_cisco be * aware of yet another platform, especially one that is not * strictly speaking Cisco. Just set this option here which is * equivalent to hardcoding it to true. 
* * TODO: use the same method in PolicyCompiler_iosacl */ fw->getOptionsObject()->setBool("generate_out_acl", true); fw->getOptionsObject()->setBool( "use_acl_remarks", fw->getOptionsObject()->getBool("procurve_acl_use_acl_remarks")); setAllNetworkZonesToNone(); return PolicyCompiler::prolog(); } ciscoACL* PolicyCompiler_procurve_acl::createACLObject(const string &acl_name, Interface *intf, const string &dir, bool using_named_acl) { ciscoACL *acl = new ciscoACL(acl_name, intf, dir, using_named_acl); acl->setQuoteRemarks(true); return acl; } string PolicyCompiler_procurve_acl::printClearCommands() { ostringstream output; string vers = fw->getStr("version"); string platform = fw->getStr("platform"); string xml_element = "clear_ip_acl"; if (ipv6) xml_element = "clear_ipv6_acl"; string clearACLCmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/")+ "version_"+vers+"/procurve_acl_commands/" + xml_element); assert( !clearACLCmd.empty()); // No need to output "clear" commands in single rule compile mode if ( fw->getOptionsObject()->getBool("procurve_acl_acl_basic") || fw->getOptionsObject()->getBool("procurve_acl_acl_substitution")) { for (map::iterator i=acls.begin(); i!=acls.end(); ++i) { ciscoACL *acl = (*i).second; output << printAccessGroupCmd(acl, true); output << clearACLCmd << " " << acl->workName() << endl; output << endl; } output << endl; } output << endl; return output.str(); } fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_procurve_acl.h000066400000000000000000000040251303637203600241010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICYCOMPILER_PROCURVE_ACL_HH #define __POLICYCOMPILER_PROCURVE_ACL_HH #include #include "PolicyCompiler_iosacl.h" namespace libfwbuilder { class FWObjectDatabase; class Firewall; }; namespace fwcompiler { class OSConfigurator; }; namespace fwcompiler { class PolicyCompiler_procurve_acl : public PolicyCompiler_iosacl { protected: virtual std::string myPlatformName(); virtual std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false); virtual ciscoACL* createACLObject(const std::string &n, libfwbuilder::Interface *intf, const std::string &d="in", bool _ip_list=false); public: PolicyCompiler_procurve_acl(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf); virtual ~PolicyCompiler_procurve_acl() {} virtual int prolog(); virtual std::string printClearCommands(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/PolicyCompiler_procurve_acl_writers.cpp000066400000000000000000000056631303637203600262240ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PolicyCompiler_procurve_acl.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleSet.h" #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_procurve_acl::printAccessGroupCmd(ciscoACL *acl, bool neg) { if (getSourceRuleSet()->isTop()) { QString dir; if (acl->direction()=="in" || acl->direction()=="Inbound") dir="in"; if (acl->direction()=="out" || acl->direction()=="Outbound") dir="out"; QString addr_family_prefix = "ip"; if (ipv6) addr_family_prefix = "ipv6"; // ProCurve uses different syntax for vlan ACLs Interface *intf = acl->getInterface(); FWOptions *ifopt = intf->getOptionsObject(); string itype = ifopt->getStr("type"); if (itype == "8021q") { int vlan_id = ifopt->getInt("vlan_id"); QStringList outp; if (neg) outp.push_back("no"); outp.push_back("vlan"); outp.push_back(QString("%1").arg(vlan_id)); outp.push_back(addr_family_prefix); outp.push_back(getAccessGroupCommandForAddressFamily(ipv6).c_str()); outp.push_back(acl->workName().c_str()); outp.push_back(dir); return outp.join(" ").toStdString() + "\n"; } else { QStringList outp; QStringList outp_combined; outp_combined.push_back( QString("interface %1").arg(intf->getName().c_str())); if (neg) outp.push_back("no"); outp.push_back(addr_family_prefix); outp.push_back(getAccessGroupCommandForAddressFamily(ipv6).c_str()); outp.push_back(acl->workName().c_str()); outp.push_back(dir); outp_combined.push_back(" " + outp.join(" ")); outp_combined.push_back("exit"); outp_combined.push_back(""); return outp_combined.join("\n").toStdString(); } } return ""; } 
fwbuilder-5.3.7/src/cisco_lib/PortRangeConverter.h000066400000000000000000000034631303637203600222010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _PORT_RANGE_CONVERTER_HH #define _PORT_RANGE_CONVERTER_HH #include #include class PortRangeConverter { int rs; int re; public: PortRangeConverter(int range_start, int range_end) { rs = range_start; re = range_end; } std::string toString() { std::ostringstream str; if (rs<0) rs = 0; if (re<0) re = 0; if (rs>0 || re>0) { if (rs==re) str << "eq " << rs << " "; else { if (rs==0 && re!=0) { str << "lt " << re + 1 << " "; } else { if (rs!=0 && re==65535) { str << "gt " << rs - 1 << " "; } else { str << "range " << rs << " " << re << " "; } } } } return str.str(); } }; #endif fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_cisco.cpp000066400000000000000000000055441303637203600232470ustar00rootroot00000000000000/* * Copyright (c) 2008 Steven Mestdagh * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. 
* * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "RoutingCompiler_cisco.h" #include "NamedObjectsAndGroupsSupport.h" #include "NamedObjectsManager.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Network.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; int RoutingCompiler_cisco::prolog() { return RoutingCompiler::prolog(); } /* * this processor eliminates duplicate atomic routing rules in one * routing table */ bool RoutingCompiler_cisco::eliminateDuplicateRules::processNext() { RoutingCompiler_cisco *cisco_comp = dynamic_cast(compiler); RoutingRule *rule = getNext(); if (rule == NULL) return false; if (rule->isFallback() || rule->isHidden()) { tmp_queue.push_back(rule); return true; } string label = rule->getLabel(); int bracepos = label.find("("); label.erase(0, bracepos); string thisRule = label + " " + cisco_comp->printRule->RoutingRuleToString(rule); rules_it = rules_seen_so_far.find(thisRule); if (rules_it != rules_seen_so_far.end()) { string msg; msg = "Two of the sub rules created from the gui routing rules " + rules_it->second + " and " + rule->getLabel() + " are identical, skipping the second. 
" + "Revise them to avoid this warning"; compiler->warning(rule, msg.c_str() ); return true; } tmp_queue.push_back(rule); rules_seen_so_far[thisRule] = rule->getLabel(); return true; } void RoutingCompiler_cisco::compile() { printRule = new RoutingCompiler_cisco::PrintRule(""); } string RoutingCompiler_cisco::debugPrintRule(Rule *r) { RoutingRule *rule = RoutingRule::cast(r); string s = RoutingCompiler::debugPrintRule(rule); return s; } void RoutingCompiler_cisco::setNamedObjectsManager(NamedObjectsManager *mgr) { named_objects_manager = mgr; } fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_cisco.h000066400000000000000000000105111303637203600227020ustar00rootroot00000000000000/* * Copyright (c) 2008 Steven Mestdagh * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #ifndef __ROUTINGCOMPILER_CISCO_HH__ #define __ROUTINGCOMPILER_CISCO_HH__ #include #include "fwcompiler/RoutingCompiler.h" #include "fwbuilder/RuleElement.h" #include "config.h" #include "NamedObjectsAndGroupsSupport.h" namespace libfwbuilder { class RuleElementRDst; class RuleElementRItf; class RuleElementRGtw; }; namespace fwcompiler { class RoutingCompiler_cisco : public RoutingCompiler { protected: NamedObjectsManager *named_objects_manager; /** * prints rule in some universal format (close to that visible * to user in the GUI). 
Used for debugging purposes. This method * calls RoutingCompiler::debugPrintRule */ virtual std::string debugPrintRule(libfwbuilder::Rule *rule); /** * processes rules with negation in Dst if it holds only one object */ DECLARE_ROUTING_RULE_PROCESSOR(singleDstNegation); /** * processes rules with negation in Dst */ DECLARE_ROUTING_RULE_PROCESSOR(DstNegation); /** * eliminates duplicate objects in DST. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInDST : public eliminateDuplicatesInRE { public: eliminateDuplicatesInDST(const std::string &name) : eliminateDuplicatesInRE(name, libfwbuilder::RuleElementRDst::TYPENAME) {} }; /** * eliminates duplicate rules */ class eliminateDuplicateRules : public RoutingRuleProcessor { std::map rules_seen_so_far; std::map::iterator rules_it; public: eliminateDuplicateRules(const std::string &name) : RoutingRuleProcessor(name) {} virtual bool processNext(); }; /** * prints single policy rule, assuming all groups have been * expanded, destination holds exactly one object, and this * object is not a group. Negation should also have been taken * care of before this method is called. 
* * This processor is not necessarily the last in the * conveyor, so it should push rules back to tmp_queue (for * example there could be progress indicator processor after * this one) */ class PrintRule : public RoutingRuleProcessor { protected: std::string current_rule_label; virtual std::string _printAddr(libfwbuilder::Address *o); public: PrintRule(const std::string &name); virtual bool processNext(); virtual std::string RoutingRuleToString(libfwbuilder::RoutingRule *r); virtual std::string _printRGtw(libfwbuilder::RoutingRule *r); virtual std::string _printRItf(libfwbuilder::RoutingRule *r); virtual std::string _printRDst(libfwbuilder::RoutingRule *r); }; friend class RoutingCompiler_cisco::PrintRule; public: RoutingCompiler_cisco::PrintRule *printRule; RoutingCompiler_cisco(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : RoutingCompiler(_db, fw, ipv6_policy, _oscnf) {} virtual int prolog(); virtual void compile(); void setNamedObjectsManager(NamedObjectsManager *mgr); }; } #endif fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_cisco_writers.cpp000066400000000000000000000104071303637203600250200ustar00rootroot00000000000000/* * Copyright (c) 2008 Steven Mestdagh * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
*/ #include "RoutingCompiler_cisco.h" #include "NamedObjectsAndGroupsSupport.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Network.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ RoutingCompiler_cisco::PrintRule::PrintRule(const std::string &name) : RoutingRuleProcessor(name) { } bool RoutingCompiler_cisco::PrintRule::processNext() { RoutingRule *rule = getNext(); if (rule == NULL) return false; tmp_queue.push_back(rule); return true; } string RoutingCompiler_cisco::PrintRule::_printAddr(Address *o) { std::ostringstream ostr; if (Interface::cast(o)!=NULL) { Interface *iface=Interface::cast(o); if (iface->isDyn()) ostr << "$interface_" << iface->getName() << " "; return ostr.str(); } const InetAddr *addr; const InetAddr *mask; addr = o->getAddressPtr(); mask = o->getNetmaskPtr(); if (addr==NULL) { FWObject *obj=o; /* * check if this is object of class Address. since we want to * distinguish between Host, Interface and Address, and both Host and * Interface are inherited from Address, we can't use cast. 
Use isA * instead */ while (obj!=NULL && !Host::isA(obj) && !Firewall::isA(obj) && !Network::isA(obj)) obj=obj->getParent(); compiler->abort( "Problem with address or netmask in the object or one " "of its interfaces: '" + obj->getName() + "'"); } if (addr->isAny() && mask->isAny()) { ostr << "default "; } else { ostr << addr->toString(); if (Interface::cast(o)==NULL && Address::cast(o)->dimension() > 1 && !mask->isHostMask()) { ostr << " "; ostr << mask->toString(); } ostr << " "; } return ostr.str(); } string RoutingCompiler_cisco::PrintRule::RoutingRuleToString(RoutingRule*) { return ""; } string RoutingCompiler_cisco::PrintRule::_printRGtw(RoutingRule *rule) { FWObject *ref; RuleElementRGtw *gtwrel = rule->getRGtw(); ref = gtwrel->front(); Address *gtw = Address::cast(FWReference::cast(ref)->getPointer()); if (gtw == NULL) compiler->abort(rule, "Broken GTW"); string gateway = _printAddr(gtw); if (gateway != "default ") return gateway; else return " "; } string RoutingCompiler_cisco::PrintRule::_printRItf(RoutingRule *rule) { FWObject *ref; RuleElementRItf *itfrel = rule->getRItf(); ref = itfrel->front(); Interface *itf = Interface::cast(FWReference::cast(ref)->getPointer()); if (itf != NULL) return itf->getLabel() + " "; else return ""; } string RoutingCompiler_cisco::PrintRule::_printRDst(RoutingRule *rule) { FWObject *ref; RuleElementRDst *dstrel = rule->getRDst(); ref = dstrel->front(); Address *dst = Address::cast(FWReference::cast(ref)->getPointer()); if (dst==NULL) compiler->abort(rule, "Broken DST"); string dest = _printAddr(dst); if (dest != "default ") return dest; else return "0.0.0.0 0.0.0.0 "; } fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_iosacl.cpp000066400000000000000000000116751303637203600234230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "RoutingCompiler_iosacl.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Network.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; string RoutingCompiler_iosacl::myPlatformName() { return "iosacl"; } int RoutingCompiler_iosacl::prolog() { int n = RoutingCompiler_cisco::prolog(); if (fw->getStr("platform")!="iosacl") abort("Unsupported platform " + fw->getStr("platform") ); return n; } void RoutingCompiler_iosacl::epilog() { } /* * Replace objects in dst and gw with their ip addresses, except if * interface of the firewall is found in gw, it is left intact because * IOS allows for using interface name as gateway in "ip route" * command. 
*/ bool RoutingCompiler_iosacl::ExpandMultipleAddressesExceptInterface::processNext() { RoutingRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElementRDst *dst = rule->getRDst(); assert(dst); compiler->_expand_addr(rule, dst, true); RuleElementRGtw *gtwrel = rule->getRGtw(); assert(gtwrel); Address *gtw = Address::cast( FWReference::cast(gtwrel->front())->getPointer()); if (gtw == NULL) compiler->abort(rule, "Broken GTW"); if (Interface::isA(gtw) && gtw->isChildOf(compiler->fw)) return true; compiler->_expand_addr(rule, gtwrel, false); return true; } bool RoutingCompiler_iosacl::checkRItfAndGw::processNext() { RoutingRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElementRItf *itfrel = rule->getRItf(); assert(itfrel); RuleElementRGtw *gtwrel = rule->getRGtw(); assert(gtwrel); if (!itfrel->isAny() && !gtwrel->isAny()) compiler->abort(rule, "Can not use both gateway address and interface in " "IOS routing rule"); return true; } /** *----------------------------------------------------------------------- */ void RoutingCompiler_iosacl::compile() { printRule = new RoutingCompiler_iosacl::PrintRule(""); info(" Compiling routing rules for " + fw->getName()); Compiler::compile(); add(new RoutingCompiler::Begin()); add(new printTotalNumberOfRules()); add( new singleRuleFilter()); add(new recursiveGroupsInRDst("Check for recursive Groups in RDst")); add(new emptyGroupsInRDst("Check for empty Groups in RDst")); add(new emptyRDstAndRItf("Check if RDst and RItf are both empty")); // add(new singleAdressInRGtw( // "Check if RGtw object has exactly one IP adress")); add(new rItfChildOfFw("Check if RItf is an Iterface of this firewall")); add(new checkRItfAndGw("Both gateway and interface can not be used in the same rule")); add(new validateNetwork("Validate network addresses")); add(new reachableAddressInRGtw( "Check if RGtw is reachable via local networks")); //add(new contradictionRGtwAndRItf( // "Check if 
RGtw is in a network of RItf")); add(new ExpandGroups("Expand groups in DST")); add(new ExpandMultipleAddressesExceptInterface( "Expand objects with multiple addresses in DST")); add(new eliminateDuplicatesInDST("Eliminate duplicates in DST")); add(new createSortedDstIdsLabel( "Create label with a sorted dst-id-list for 'competingRules'")); add(new competingRules("Check for competing rules")); add(new ConvertToAtomicForDST( "Convert to atomic rules by dst address elements")); add(new createSortedDstIdsLabel( "Create label with a sorted dst-id-list for 'classifyRoutingRules'")); add(new classifyRoutingRules( "Classify into single path or part of a multi path rule")); //add(new eliminateDuplicateRules( // "Eliminate duplicate rules over the whole table")); add(new PrintRule("generate ip code")); add(new simplePrintProgress()); runRuleProcessors(); } fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_iosacl.h000066400000000000000000000051021303637203600230540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ROUTINGCOMPILER_IOSACL_HH__ #define __ROUTINGCOMPILER_IOSACL_HH__ #include #include "fwcompiler/RoutingCompiler.h" #include "fwbuilder/RuleElement.h" #include "config.h" #include "RoutingCompiler_cisco.h" namespace libfwbuilder { class RuleElementRDst; class RuleElementRItf; class RuleElementRGtw; }; namespace fwcompiler { class RoutingCompiler_iosacl : public RoutingCompiler_cisco { protected: virtual std::string myPlatformName(); /** * this inspector replaces references to hosts and firewalls * in dst and gw with references to their interfaces, except * for interfaces of the firewall found in gw, which are left * intact. */ DECLARE_ROUTING_RULE_PROCESSOR(ExpandMultipleAddressesExceptInterface); DECLARE_ROUTING_RULE_PROCESSOR(checkRItfAndGw); class PrintRule : public RoutingCompiler_cisco::PrintRule { public: PrintRule(const std::string &name); virtual bool processNext(); virtual std::string RoutingRuleToString(libfwbuilder::RoutingRule *r); virtual std::string _printRGtw(libfwbuilder::RoutingRule *r); virtual std::string _printRItf(libfwbuilder::RoutingRule *r); }; friend class RoutingCompiler_iosacl::PrintRule; public: RoutingCompiler_iosacl(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : RoutingCompiler_cisco(_db, fw, ipv6_policy, _oscnf) {}; virtual int prolog(); virtual void compile(); virtual void epilog(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_iosacl_writers.cpp000066400000000000000000000114031303637203600251670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RoutingCompiler_iosacl.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Network.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ RoutingCompiler_iosacl::PrintRule::PrintRule(const std::string &name) : RoutingCompiler_cisco::PrintRule(name) { } bool RoutingCompiler_iosacl::PrintRule::processNext() { RoutingRule *rule = getNext(); if (rule == NULL) return false; tmp_queue.push_back(rule); string rl = rule->getLabel(); string comm = rule->getComment(); string::size_type c1, c2; c1 = 0; if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label) { compiler->output << "! " << endl; compiler->output << "! Rule " << rl << endl; compiler->output << "! " << endl; } // string err = rule->getCompilerMessage(); // if (!err.empty()) compiler->output << "# " << err << endl; if( rule->getRuleType() != RoutingRule::MultiPath ) { if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label) { while ( (c2 = comm.find('\n',c1)) != string::npos ) { compiler->output << "! 
" << comm.substr(c1,c2-c1) << endl; c1 = c2 + 1; } compiler->output << "! " << comm.substr(c1) << endl; compiler->output << "! " << endl; string err = compiler->getErrorsForRule(rule, "! "); if (!err.empty()) compiler->output << err << endl; current_rule_label = rl; } string command_line = RoutingRuleToString(rule); compiler->output << command_line; } else { string err = compiler->getErrorsForRule(rule, "! "); if (!err.empty()) compiler->output << err << endl; compiler->abort(rule, "MultiPath routing not supported by platform"); } return true; } string RoutingCompiler_iosacl::PrintRule::_printRGtw(RoutingRule *rule) { FWObject *ref; RuleElementRGtw *gtwrel = rule->getRGtw(); ref = gtwrel->front(); Address *gtw = Address::cast(FWReference::cast(ref)->getPointer()); if (Interface::isA(gtw) && gtw->isChildOf(compiler->fw)) { // gateway is interface of this firewall. Generate command // ip route A.B.C.D N.N.N.N interface metric return gtw->getName() + " "; } string gateway = _printAddr(gtw); if (gateway != "default ") return gateway; else return " "; } string RoutingCompiler_iosacl::PrintRule::_printRItf(RoutingRule *rule) { RuleElementRItf *itfrel = rule->getRItf(); if (!itfrel->isAny()) { Interface *itf = Interface::cast(FWObjectReference::getObject(itfrel->front())); if (itf != NULL) return itf->getName() + " "; } return ""; } string RoutingCompiler_iosacl::PrintRule::RoutingRuleToString(RoutingRule *rule) { FWObject *ref; RuleElementRDst *dstrel = rule->getRDst(); ref = dstrel->front(); Address *dst = Address::cast(FWReference::cast(ref)->getPointer()); if(dst == NULL) compiler->abort(rule, "Broken DST"); std::ostringstream command_line; command_line << "ip route "; command_line << _printRDst(rule); command_line << _printRGtw(rule); command_line << _printRItf(rule); // default metric in IOS is 1 (can't have metric 0) if (rule->getMetricAsString() == "0") { command_line << "1"; } else { command_line << rule->getMetricAsString(); } command_line << endl; return 
command_line.str(); } fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_nxosacl.cpp000066400000000000000000000117111303637203600236070ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "RoutingCompiler_nxosacl.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Network.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; string RoutingCompiler_nxosacl::myPlatformName() { return "nxosacl"; } int RoutingCompiler_nxosacl::prolog() { int n = RoutingCompiler_cisco::prolog(); if (fw->getStr("platform")!="nxosacl") abort("Unsupported platform " + fw->getStr("platform") ); return n; } void RoutingCompiler_nxosacl::epilog() { } /* * Replace objects in dst and gw with their ip addresses, except if * interface of the firewall is found in gw, it is left intact because * NXOS allows for using interface name as gateway in "ip route" * command. 
*/ bool RoutingCompiler_nxosacl::ExpandMultipleAddressesExceptInterface::processNext() { RoutingRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElementRDst *dst = rule->getRDst(); assert(dst); compiler->_expand_addr(rule, dst, true); RuleElementRGtw *gtwrel = rule->getRGtw(); assert(gtwrel); Address *gtw = Address::cast( FWReference::cast(gtwrel->front())->getPointer()); if (gtw == NULL) compiler->abort(rule, "Broken GTW"); if (Interface::isA(gtw) && gtw->isChildOf(compiler->fw)) return true; compiler->_expand_addr(rule, gtwrel, false); return true; } bool RoutingCompiler_nxosacl::checkRItfAndGw::processNext() { RoutingRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElementRItf *itfrel = rule->getRItf(); assert(itfrel); RuleElementRGtw *gtwrel = rule->getRGtw(); assert(gtwrel); if (!itfrel->isAny() && !gtwrel->isAny()) compiler->abort(rule, "Can not use both gateway address and interface in " "NXOS routing rule"); return true; } /** *----------------------------------------------------------------------- */ void RoutingCompiler_nxosacl::compile() { printRule = new RoutingCompiler_nxosacl::PrintRule(""); info(" Compiling routing rules for " + fw->getName()); Compiler::compile(); add(new RoutingCompiler::Begin()); add(new printTotalNumberOfRules()); add( new singleRuleFilter()); add(new recursiveGroupsInRDst("Check for recursive Groups in RDst")); add(new emptyGroupsInRDst("Check for empty Groups in RDst")); add(new emptyRDstAndRItf("Check if RDst and RItf are both empty")); // add(new singleAdressInRGtw( // "Check if RGtw object has exactly one IP adress")); add(new rItfChildOfFw("Check if RItf is an Iterface of this firewall")); add(new checkRItfAndGw("Both gateway and interface can not be used in the same rule")); add(new validateNetwork("Validate network addresses")); add(new reachableAddressInRGtw( "Check if RGtw is reachable via local networks")); //add(new contradictionRGtwAndRItf( // "Check 
if RGtw is in a network of RItf")); add(new ExpandGroups("Expand groups in DST")); add(new ExpandMultipleAddressesExceptInterface( "Expand objects with multiple addresses in DST")); add(new eliminateDuplicatesInDST("Eliminate duplicates in DST")); add(new createSortedDstIdsLabel( "Create label with a sorted dst-id-list for 'competingRules'")); add(new competingRules("Check for competing rules")); add(new ConvertToAtomicForDST( "Convert to atomic rules by dst address elements")); add(new createSortedDstIdsLabel( "Create label with a sorted dst-id-list for 'classifyRoutingRules'")); add(new classifyRoutingRules( "Classify into single path or part of a multi path rule")); //add(new eliminateDuplicateRules( // "Eliminate duplicate rules over the whole table")); add(new PrintRule("generate ip code")); add(new simplePrintProgress()); runRuleProcessors(); } fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_nxosacl.h000066400000000000000000000051071303637203600232560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ROUTINGCOMPILER_NXOSACL_HH__ #define __ROUTINGCOMPILER_NXOSACL_HH__ #include #include "fwcompiler/RoutingCompiler.h" #include "fwbuilder/RuleElement.h" #include "config.h" #include "RoutingCompiler_cisco.h" namespace libfwbuilder { class RuleElementRDst; class RuleElementRItf; class RuleElementRGtw; }; namespace fwcompiler { class RoutingCompiler_nxosacl : public RoutingCompiler_cisco { protected: virtual std::string myPlatformName(); /** * this inspector replaces references to hosts and firewalls * in dst and gw with references to their interfaces, except * for interfaces of the firewall found in gw, which are left * intact. */ DECLARE_ROUTING_RULE_PROCESSOR(ExpandMultipleAddressesExceptInterface); DECLARE_ROUTING_RULE_PROCESSOR(checkRItfAndGw); class PrintRule : public RoutingCompiler_cisco::PrintRule { public: PrintRule(const std::string &name); virtual bool processNext(); virtual std::string RoutingRuleToString(libfwbuilder::RoutingRule *r); virtual std::string _printRGtw(libfwbuilder::RoutingRule *r); virtual std::string _printRItf(libfwbuilder::RoutingRule *r); }; friend class RoutingCompiler_nxosacl::PrintRule; public: RoutingCompiler_nxosacl(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : RoutingCompiler_cisco(_db, fw, ipv6_policy, _oscnf) {}; virtual int prolog(); virtual void compile(); virtual void epilog(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_nxosacl_writers.cpp000066400000000000000000000114121303637203600253640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RoutingCompiler_nxosacl.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Network.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ RoutingCompiler_nxosacl::PrintRule::PrintRule(const std::string &name) : RoutingCompiler_cisco::PrintRule(name) { } bool RoutingCompiler_nxosacl::PrintRule::processNext() { RoutingRule *rule = getNext(); if (rule == NULL) return false; tmp_queue.push_back(rule); string rl = rule->getLabel(); string comm = rule->getComment(); string::size_type c1, c2; c1 = 0; if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label) { compiler->output << "! " << endl; compiler->output << "! Rule " << rl << endl; compiler->output << "! " << endl; } // string err = rule->getCompilerMessage(); // if (!err.empty()) compiler->output << "# " << err << endl; if( rule->getRuleType() != RoutingRule::MultiPath ) { if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label) { while ( (c2 = comm.find('\n',c1)) != string::npos ) { compiler->output << "! 
" << comm.substr(c1,c2-c1) << endl; c1 = c2 + 1; } compiler->output << "! " << comm.substr(c1) << endl; compiler->output << "! " << endl; string err = compiler->getErrorsForRule(rule, "! "); if (!err.empty()) compiler->output << err << endl; current_rule_label = rl; } string command_line = RoutingRuleToString(rule); compiler->output << command_line; } else { string err = compiler->getErrorsForRule(rule, "! "); if (!err.empty()) compiler->output << err << endl; compiler->abort(rule, "MultiPath routing not supported by platform"); } return true; } string RoutingCompiler_nxosacl::PrintRule::_printRGtw(RoutingRule *rule) { FWObject *ref; RuleElementRGtw *gtwrel = rule->getRGtw(); ref = gtwrel->front(); Address *gtw = Address::cast(FWReference::cast(ref)->getPointer()); if (Interface::isA(gtw) && gtw->isChildOf(compiler->fw)) { // gateway is interface of this firewall. Generate command // ip route A.B.C.D N.N.N.N interface metric return gtw->getName() + " "; } string gateway = _printAddr(gtw); if (gateway != "default ") return gateway; else return " "; } string RoutingCompiler_nxosacl::PrintRule::_printRItf(RoutingRule *rule) { RuleElementRItf *itfrel = rule->getRItf(); if (!itfrel->isAny()) { Interface *itf = Interface::cast(FWObjectReference::getObject(itfrel->front())); if (itf != NULL) return itf->getName() + " "; } return ""; } string RoutingCompiler_nxosacl::PrintRule::RoutingRuleToString(RoutingRule *rule) { FWObject *ref; RuleElementRDst *dstrel = rule->getRDst(); ref = dstrel->front(); Address *dst = Address::cast(FWReference::cast(ref)->getPointer()); if(dst == NULL) compiler->abort(rule, "Broken DST"); std::ostringstream command_line; command_line << "ip route "; command_line << _printRDst(rule); command_line << _printRGtw(rule); command_line << _printRItf(rule); // default metric in NXOS is 1 (can't have metric 0) if (rule->getMetricAsString() == "0") { command_line << "1"; } else { command_line << rule->getMetricAsString(); } command_line << endl; return 
command_line.str(); } fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_pix.cpp000066400000000000000000000075311303637203600227450ustar00rootroot00000000000000/* * Copyright (c) 2008 Steven Mestdagh * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "RoutingCompiler_pix.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Network.h" #include using namespace libfwbuilder; using namespace fwcompiler; string RoutingCompiler_pix::myPlatformName() { return "pix"; } int RoutingCompiler_pix::prolog() { int n = RoutingCompiler_cisco::prolog(); string platform = fw->getStr("platform"); if (platform!="pix" && platform!="fwsm") abort("Unsupported platform " + platform ); return n; } void RoutingCompiler_pix::epilog() { } bool RoutingCompiler_pix::emptyRDstOrRItf::processNext() { RoutingRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElementRGtw *gtwrel = rule->getRGtw(); RuleElementRItf *itfrel = rule->getRItf(); if (itfrel->isAny() || gtwrel->isAny()) { compiler->abort( rule, "Interface and gateway rule elements can not be empty in " "the PIX routing rule"); } return true; } /** 
*----------------------------------------------------------------------- */ void RoutingCompiler_pix::compile() { printRule = new RoutingCompiler_pix::PrintRule(""); info(" Compiling routing rules for " + fw->getName()); Compiler::compile(); add(new RoutingCompiler::Begin()); add(new printTotalNumberOfRules()); add( new singleRuleFilter()); add(new recursiveGroupsInRDst("Check for recursive Groups in RDst")); add(new emptyGroupsInRDst("Check for empty Groups in RDst")); add(new emptyRDstOrRItf("Check if RDst or RItf is empty")); add(new singleAdressInRGtw( "Check if RGtw object has exactly one IP adress")); add(new rItfChildOfFw("Check if RItf is an Iterface of this firewall")); add(new validateNetwork("Validate network addresses")); add(new reachableAddressInRGtw( "Check if RGtw is reachable via local networks")); add(new contradictionRGtwAndRItf( "Check if RGtw is in a network of RItf")); add(new ExpandGroups("Expand groups in DST")); add(new ExpandMultipleAddresses( "Expand objects with multiple addresses in DST")); add(new eliminateDuplicatesInDST("Eliminate duplicates in DST")); add(new createSortedDstIdsLabel( "Create label with a sorted dst-id-list for 'competingRules'")); add(new competingRules("Check for competing rules")); add(new ConvertToAtomicForDST( "Convert to atomic rules by dst address elements")); add(new createSortedDstIdsLabel( "Create label with a sorted dst-id-list for 'classifyRoutingRules'")); add(new classifyRoutingRules( "Classify into single path or part of a multi path rule")); add(new eliminateDuplicateRules( "Eliminate duplicate rules over the whole table")); add(new PrintRule("generate ip code")); add(new simplePrintProgress()); runRuleProcessors(); } fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_pix.h000066400000000000000000000042061303637203600224060ustar00rootroot00000000000000/* * Copyright (c) 2008 Steven Mestdagh * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby 
granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #ifndef __ROUTINGCOMPILER_PIX_HH__ #define __ROUTINGCOMPILER_PIX_HH__ #include #include "fwcompiler/RoutingCompiler.h" #include "fwbuilder/RuleElement.h" #include "config.h" #include "RoutingCompiler_cisco.h" namespace libfwbuilder { class RuleElementRDst; class RuleElementRItf; class RuleElementRGtw; }; namespace fwcompiler { class RoutingCompiler_pix : public RoutingCompiler_cisco { protected: virtual std::string myPlatformName(); class PrintRule : public RoutingCompiler_cisco::PrintRule { public: PrintRule(const std::string &name); virtual bool processNext(); virtual std::string RoutingRuleToString(libfwbuilder::RoutingRule *r); }; friend class RoutingCompiler_pix::PrintRule; public: RoutingCompiler_pix(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : RoutingCompiler_cisco(_db, fw, ipv6_policy, _oscnf) {}; /** * checks if the gateway or Interface rule element is empty * (both are mandatory on PIX) */ DECLARE_ROUTING_RULE_PROCESSOR(emptyRDstOrRItf); virtual int prolog(); virtual void compile(); virtual void epilog(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_pix_writers.cpp000066400000000000000000000075501303637203600245250ustar00rootroot00000000000000/* * Copyright (c) 2008 Steven Mestdagh * * Permission to use, copy, modify, and distribute this software for any * purpose with or 
without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "RoutingCompiler_pix.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Network.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ RoutingCompiler_pix::PrintRule::PrintRule(const std::string &name) : RoutingCompiler_cisco::PrintRule(name) { } bool RoutingCompiler_pix::PrintRule::processNext() { RoutingRule *rule = getNext(); if (rule == NULL) return false; tmp_queue.push_back(rule); string rl = rule->getLabel(); string comm = rule->getComment(); string::size_type c1, c2; c1 = 0; if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label) { compiler->output << "! " << endl; compiler->output << "! Rule " << rl << endl; compiler->output << "! " << endl; compiler->output << "! \"Routing rule " << rl << "\"" << endl; compiler->output << "! 
" << endl; } // string err = rule->getCompilerMessage(); // if (!err.empty()) compiler->output << "# " << err << endl; if( rule->getRuleType() != RoutingRule::MultiPath ) { if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label) { while ( (c2 = comm.find('\n',c1)) != string::npos ) { compiler->output << "! " << comm.substr(c1,c2-c1) << endl; c1 = c2 + 1; } compiler->output << "! " << comm.substr(c1) << endl; compiler->output << "! " << endl; string err = compiler->getErrorsForRule(rule, "! "); if (!err.empty()) compiler->output << err << endl; current_rule_label = rl; } string command_line = RoutingRuleToString(rule); compiler->output << command_line; } else { string err = compiler->getErrorsForRule(rule, "! "); if (!err.empty()) compiler->output << err << endl; compiler->abort(rule, "MultiPath routing not supported by platform"); } return true; } string RoutingCompiler_pix::PrintRule::RoutingRuleToString(RoutingRule *rule) { FWObject *ref; RuleElementRDst *dstrel = rule->getRDst(); ref = dstrel->front(); Address *dst = Address::cast(FWReference::cast(ref)->getPointer()); if(dst == NULL) compiler->abort(rule, "Broken DST"); std::ostringstream command_line; command_line << "route "; command_line << _printRItf(rule); command_line << _printRDst(rule); command_line << _printRGtw(rule); // default metric in PIX is 1 if (rule->getMetricAsString() == "0") { command_line << "1"; } else { command_line << rule->getMetricAsString(); } command_line << endl; return command_line.str(); } fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_procurve_acl.cpp000066400000000000000000000026071303637203600246300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id: RoutingCompiler_procurve.cpp -1 $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "RoutingCompiler_procurve_acl.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include using namespace libfwbuilder; using namespace fwcompiler; string RoutingCompiler_procurve_acl::myPlatformName() { return "procurve_acl"; } int RoutingCompiler_procurve_acl::prolog() { int n = RoutingCompiler_cisco::prolog(); if (fw->getStr("platform")!="procurve_acl") abort("Unsupported platform " + fw->getStr("platform") ); return n; } fwbuilder-5.3.7/src/cisco_lib/RoutingCompiler_procurve_acl.h000066400000000000000000000032511303637203600242710ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id: RoutingCompiler_procurve.h -1 $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ROUTINGCOMPILER_PROCURVE_ACL_HH__ #define __ROUTINGCOMPILER_PROCURVE_ACL_HH__ #include #include "config.h" #include "RoutingCompiler_iosacl.h" namespace libfwbuilder { class RuleElementRDst; class RuleElementRItf; class RuleElementRGtw; }; namespace fwcompiler { class RoutingCompiler_procurve_acl : public RoutingCompiler_iosacl { protected: virtual std::string myPlatformName(); public: RoutingCompiler_procurve_acl(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : RoutingCompiler_iosacl(_db, fw, ipv6_policy, _oscnf) {} virtual int prolog(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/cisco_lib.pro000066400000000000000000000104611303637203600207030ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) # TEMPLATE = lib # SOURCES = PolicyCompiler_cisco.cpp \ PolicyCompiler_cisco_acls.cpp \ NamedObjectsAndGroupsSupport.cpp \ NamedObjectsManager.cpp \ NamedObjectsManagerNXOS.cpp \ NamedObjectsManagerIOS.cpp \ NamedObjectsManagerPIX.cpp \ RoutingCompiler_cisco.cpp \ RoutingCompiler_cisco_writers.cpp \ splitByNetworkZonesForRE.cpp \ specialServices.cpp \ ACL.cpp \ NamedObject.cpp \ ASA8TwiceNatLogic.cpp \ Helper.cpp \ inspectionProtocol.cpp \ InspectionClassMap.cpp \ OSConfigurator_nxos.cpp \ OSConfigurator_ios.cpp \ CompilerDriver_nxosacl.cpp \ CompilerDriver_nxosacl_run.cpp \ CompilerDriver_iosacl.cpp \ CompilerDriver_iosacl_run.cpp \ PolicyCompiler_nxosacl.cpp \ PolicyCompiler_nxosacl_writers.cpp \ PolicyCompiler_iosacl.cpp \ PolicyCompiler_iosacl_writers.cpp \ RoutingCompiler_nxosacl.cpp \ RoutingCompiler_nxosacl_writers.cpp \ RoutingCompiler_iosacl.cpp \ RoutingCompiler_iosacl_writers.cpp \ CompilerDriver_pix.cpp \ CompilerDriver_pix_run.cpp \ NATCompiler_pix.cpp \ NATCompiler_pix_find_translations.cpp 
\ NATCompiler_pix_writers.cpp \ NATCompiler_asa8.cpp \ NATCompiler_asa8_writers.cpp \ NATCompiler_pix_optimizers.cpp \ OSConfigurator_pix_os.cpp \ OSConfigurator_pix_os_fixups.cpp \ OSConfigurator_pix_os_inspectors.cpp \ OSConfigurator_pix_os_inspectors_pix8.cpp \ CompilerDriver_procurve_acl.cpp \ CompilerDriver_procurve_acl_run.cpp\ OSConfigurator_procurve.cpp \ PolicyCompiler_procurve_acl.cpp \ PolicyCompiler_procurve_acl_writers.cpp \ RoutingCompiler_procurve_acl.cpp \ BaseObjectGroup.cpp \ PIXObjectGroup.cpp \ ASA8ObjectGroup.cpp \ NXOSObjectGroup.cpp \ IOSObjectGroup.cpp \ PolicyCompiler_pix.cpp \ PolicyCompiler_pix_writers.cpp \ PolicyCompiler_pix_v6_acls.cpp \ PolicyCompiler_pix_replace_translations.cpp \ RoutingCompiler_pix.cpp \ RoutingCompiler_pix_writers.cpp \ AutomaticRules_cisco.cpp \ AutomaticRules_iosacl.cpp \ AutomaticRules_nxosacl.cpp HEADERS = ../../config.h \ PortRangeConverter.h \ splitByNetworkZonesForRE.h \ specialServices.h \ ACL.h \ Helper.h \ NamedObject.h \ ASA8TwiceNatLogic.h \ NamedObjectsAndGroupsSupport.h \ NamedObjectsManager.h \ NamedObjectsManagerIOS.h \ NamedObjectsManagerPIX.h \ NamedObjectsManagerASA8.h \ inspectionProtocol.h \ InspectionClassMap.h \ PolicyCompiler_cisco.h \ RoutingCompiler_cisco.h \ CompilerDriver_nxosacl.h \ CompilerDriver_iosacl.h \ OSConfigurator_ios.h \ PolicyCompiler_iosacl.h \ CompilerDriver_pix.h \ NATCompiler_pix.h \ NATCompiler_asa8.h \ OSConfigurator_pix_os.h \ CompilerDriver_procurve_acl.h \ OSConfigurator_procurve.h \ PolicyCompiler_procurve_acl.h \ RoutingCompiler_procurve_acl.h \ BaseObjectGroup.h \ PIXObjectGroup.h \ ASA8ObjectGroup.h \ NXOSObjectGroup.h \ IOSObjectGroup.h \ PolicyCompiler_pix.h \ RoutingCompiler_pix.h \ AutomaticRules_cisco.h \ AutomaticRules_iosacl.h \ AutomaticRules_nxosacl.h macx:LIBS += $$LIBS_FWCOMPILER INCLUDEPATH += ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../compiler_lib ../libfwbuilder/src win32:PRE_TARGETDEPS = ../compiler_lib/release/libcompilerdriver.a 
!win32:PRE_TARGETDEPS = ../compiler_lib/libcompilerdriver.a CONFIG += staticlib TARGET = fwbcisco INSTALLS -= target fwbuilder-5.3.7/src/cisco_lib/globalNATPool.cpp000066400000000000000000000040541303637203600213750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NATCompiler_pix.h" #include "helpers.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Interface.h" using namespace libfwbuilder; using namespace fwcompiler; globalNATPool::globalNATPool(int id,Interface *ifs,Address *a) { nat_id=id; iface=ifs; addr= a; if (Interface::cast(a)!=NULL || iface->isDyn()) { type=INTERFACE; } else { type= (AddressRange::cast(a)!=NULL)?ADDRESS_RANGE:SINGLE_ADDRESS; } } /* * global pool prints itself only once */ ostream& fwcompiler::operator<<(ostream &s,const globalNATPool &pool) { s << "global (" << pool.iface->getLabel() << ") " << pool.pool_no; switch (pool.type) { case globalNATPool::INTERFACE: s << " interface" << endl; break; case globalNATPool::SINGLE_ADDRESS: s << " " << pool.addr->getAddressPtr()->toString() << endl; break; case globalNATPool::ADDRESS_RANGE: AddressRange *ar=AddressRange::cast(pool.addr); s << " " << ar->getRangeStart().toString() << "-" << ar->getRangeEnd().toString() << " netmask " << 
pool.iface->getNetmask().toString() << endl; break; } return s; } fwbuilder-5.3.7/src/cisco_lib/inspectionClassMap.cpp000066400000000000000000000035521303637203600225410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "inspectionClassMap.h" #include "inspectionProtocol.h" #include using namespace std; bool InspectionClassMap::isDefault() { InspectionProtocol *ip = InspectionProtocol::protocols[fixup_name]; if (ip!=NULL) return (ip->par1==port1 && ip->par2==port2); return false; } string InspectionClassMap::getIPProtocol() { InspectionProtocol *ip = InspectionProtocol::protocols[fixup_name]; if (ip!=NULL) return ip->ip_proto; return ""; } string InspectionClassMap::getPrintableName() { InspectionProtocol *ip = InspectionProtocol::protocols[fixup_name]; if (ip!=NULL) return ip->printable_name; return ""; } string InspectionClassMap::getMatchCommand() { ostringstream res; res << "match port " << getIPProtocol() << " "; if (port1!=0 && port2==0) res << "eq " << port1; if (port1!=0 && port1==port2) res << "eq " << port1; if (port1!=0 && port2!=0 && port1!=port2) res << "range " << port1 << " " << port2; res << endl; return res.str(); } 
fwbuilder-5.3.7/src/cisco_lib/inspectionClassMap.h000066400000000000000000000034651303637203600222110ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INSPECTION_CLASS_MAP_HH #define INSPECTION_CLASS_MAP_HH #include /* * status: * 0: enable * 1: disable * 2: skip */ class InspectionClassMap { public: std::string class_map_name; std::string fixup_name; std::string inspect_name; int status; int port1,port2; std::string arg_name; int arg_val; InspectionClassMap(const std::string &fn,int s,int p1,int p2, const std::string &a,int v) { status=s; port1=p1; port2=p2; arg_name=a; arg_val=v; std::string ss = fn; std::string::size_type k; while ( (k=ss.find(" ")) != std::string::npos ) ss.replace(k,1,1,'_'); inspect_name = ss; fixup_name = fn; class_map_name = std::string("custom_") + ss + std::string("_inspection"); } bool isDefault(); std::string getIPProtocol(); std::string getPrintableName(); std::string getMatchCommand(); }; #endif fwbuilder-5.3.7/src/cisco_lib/inspectionProtocol.cpp000066400000000000000000000076631303637203600226460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General 
Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "inspectionProtocol.h" std::map InspectionProtocol::protocols; /* * Default ports are defined here jsut like they are filled in the * options by the GUI. If the GUI allows for port range, we specify * port range here, and vice versa. Some of the cases seem to differ * from what Cisco doc specify in the table of the default ports here * http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_upgrade_guides09186a0080369ee2.html * I suppose this is ok since we always can use port range map with * "match" command even if they did not intend it to be like that by * default. However if the GUI returned port numbers that match those * defined in protocolDefinitions, we do not generate 'match' commands * at all and put everything in the "inspection_default" class-map * * Here is how this works: constructor of the class InspectionProtocols * adds object to map 'protocols'. Every initialization of an object * of this class in array protocolDefinitions calls constructor and * therefore creates an entry in the map 'protocols'. 
It is done this * way because we can statically initialize an array but cant initialize * std::map (at least I do not know how) * * Note: in PIX 7.0 inspector that corresponds to fixup 'smtp' is * called 'esmtp' */ InspectionProtocol protocolDefinitions[] = { InspectionProtocol("ctiqbe", "ctiqbe", "tcp", 2748, 0 ), InspectionProtocol("dns", "dns", "udp", 53, 0 ), InspectionProtocol("ftp", "ftp", "tcp", 21, 0 ), InspectionProtocol("gtp", "gtp", "udp", 2123, 3386 ), InspectionProtocol("h323_h225", "h323 h225", "tcp", 1720, 1720 ), InspectionProtocol("h323_ras", "h323 ras", "udp", 1718, 1719 ), InspectionProtocol("http", "http", "tcp", 80, 80 ), InspectionProtocol("icmp_error","icmp", "icmp", 0, 0 ), InspectionProtocol("ils", "ils", "tcp", 389, 389 ), InspectionProtocol("mgcp", "mgcp", "udp", 2427, 2727 ), InspectionProtocol("netbios", "netbios", "udp", 137, 138 ), InspectionProtocol("rpc", "rpc", "udp", 111, 0 ), InspectionProtocol("rsh", "rsh", "tcp", 514, 0 ), InspectionProtocol("rtsp", "rtsp", "tcp", 554, 0 ), InspectionProtocol("sip", "sip", "tcp", 5060, 5060 ), InspectionProtocol("sip_udp", "sip", "udp", 5060, 0 ), InspectionProtocol("skinny", "skinny", "tcp", 2000, 2000 ), InspectionProtocol("smtp", "esmtp", "tcp", 25, 25 ), InspectionProtocol("sqlnet", "sqlnet", "tcp", 1521, 1521 ), InspectionProtocol("tftp", "tftp", "udp", 69, 0 ), InspectionProtocol("xdmcp", "xdmcp", "udp", 177, 0 ), InspectionProtocol("ip_options_eool", "eool","", 0, 0 ), InspectionProtocol("ip_options_nop", "nop", "", 0, 0 ), InspectionProtocol("ip_options_rtralt", "router-alert", "", 0, 0 ), }; fwbuilder-5.3.7/src/cisco_lib/inspectionProtocol.h000066400000000000000000000035431303637203600223040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INSPECTION_PROTOCOL_HH #define INSPECTION_PROTOCOL_HH #include #include typedef enum { FIXUP_ENABLE=0, FIXUP_DISABLE=1, FIXUP_SKIP=2, FIXUP_CLEAR=3 } FixupTypes; /* * par1 and par2 are parameters for the inspection protocol. These are * port numbers most of the time, but for some protocols the meaning * may be different. For example for dns it is "maximum-length". */ class InspectionProtocol { public: std::string name; std::string printable_name; std::string ip_proto; int par1,par2; static std::map protocols; InspectionProtocol(const std::string &fn, const std::string &prn, const std::string &pn, int p1, int p2) { name = fn; printable_name = prn; ip_proto = pn; par1 = p1; par2 = p2; if (protocols.count(fn)==0) protocols[fn] = this; } }; extern InspectionProtocol protocolDefinitions[]; #endif fwbuilder-5.3.7/src/cisco_lib/specialServices.cpp000066400000000000000000000054001303637203600220600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "specialServices.h" #include "PolicyCompiler_pix.h" #include "fwbuilder/IPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/CustomService.h" #include "fwcompiler/Compiler.h" using namespace libfwbuilder; using namespace fwcompiler; using namespace std; bool SpecialServices::processNext() { PolicyCompiler_pix *pix_comp = dynamic_cast(compiler); Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); if (re->size() == 0) { cerr << "Rule " << rule->getLabel() << "rule element " << re_type << " is empty" << endl; assert(re->size() != 0); } FWObject *obj = FWReference::getObject(re->front()); Service *s = Service::cast(obj); string version = compiler->fw->getStr("version"); if (IPService::cast(s)!=NULL) { if (s->getBool("short_fragm") || s->getBool("fragm") ) { if (pix_comp) pix_comp->fragguard = true; return true; // do not copy the rule } if (s->getBool("rr") || s->getBool("ssrr") || s->getBool("ts") ) { compiler->abort( rule, "PIX does not support checking for IP options in ACLs."); return true; } } if (TCPService::cast(s)!=NULL) { if (s->getBool("ack_flag") || s->getBool("fin_flag") || s->getBool("rst_flag") || s->getBool("syn_flag") ) { compiler->abort( rule, "PIX does not support checking for TCP options in ACLs."); return true; } } if (CustomService::cast(s)!=NULL && pix_comp==NULL) { compiler->abort( rule, "CustomService objects are not supported in NAT rules"); return true; } tmp_queue.push_back(rule); return true; } 
fwbuilder-5.3.7/src/cisco_lib/specialServices.h000066400000000000000000000034351303637203600215330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SPECIALSERVICES_HH #define __SPECIALSERVICES_HH #include "fwbuilder/RuleElement.h" #include "fwcompiler/RuleProcessor.h" namespace libfwbuilder { class Address; class Rule; }; namespace fwcompiler { /** * this processor checks for the services which require * special treatment. Some of these will be checking for * source or destination object as well because special * command may need to be generated in case source or * destination is a firewall itself. Therefore this processor * should be called after converting to atomic rules, but * before interface addresses in source and destination are * expanded. 
*/ class SpecialServices : public BasicRuleProcessor { std::string re_type; public: SpecialServices(const std::string &name, const std::string &_type) : BasicRuleProcessor(name) {re_type=_type; } virtual bool processNext(); }; } #endif fwbuilder-5.3.7/src/cisco_lib/splitByNetworkZonesForRE.cpp000066400000000000000000000072151303637203600236570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "splitByNetworkZonesForRE.h" #include "Helper.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Interface.h" #include "fwcompiler/Compiler.h" using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /* * create new rule and associate it with given interface. If we * already have a rule associated with it, then just add Address to * the rule element of that existing rule. 
*/ void splitByNetworkZonesForRE::AddToInterface( int interface_id, Address *addr, Rule *rule) { Rule *new_rule; RuleElement *new_re; new_rule = rules[interface_id]; if (new_rule==NULL) { new_rule = Rule::cast(compiler->dbcopy->create(rule->getTypeName())); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); rules[interface_id] = new_rule; new_re = RuleElement::cast(new_rule->getFirstByType(re_type)); new_re->clearChildren(); new_re->setAnyElement(); } new_re = RuleElement::cast(new_rule->getFirstByType(re_type)); new_re->addRef( addr ); } bool splitByNetworkZonesForRE::processNext() { Helper helper(compiler); Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); if (re->size()==1) { tmp_queue.push_back(rule); return true; } rules.clear(); std::list cl; for (list::iterator i1=re->begin(); i1!=re->end(); ++i1) { Address *a = Address::cast(FWReference::getObject(*i1)); assert(a!=NULL); try { int interface_id = helper.findInterfaceByNetzone(a); AddToInterface(interface_id, a, rule); } catch (string err) { // could not find interface with netzone to match address 'a' // will assign rule to all interfaces. Act as if all interfaces // had network zone 'any' and each matches this address. // issue warning only if platform uses netwrk zones. 
bool supports_network_zones = Resources::getTargetCapabilityBool( compiler->fw->getStr("platform"), "network_zones"); if (supports_network_zones) compiler->warning(rule, err); FWObjectTypedChildIterator i = compiler->fw->findByType(Interface::TYPENAME); for ( ; i!=i.end(); ++i) { Interface *ifs = Interface::cast(*i); AddToInterface(ifs->getId(), a, rule); } } } for (std::map::iterator i=rules.begin(); i!=rules.end(); ++i) { tmp_queue.push_back((*i).second); } return true; } fwbuilder-5.3.7/src/cisco_lib/splitByNetworkZonesForRE.h000066400000000000000000000032701303637203600233210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SPLIT_BY_NETWORK_ZONES_FOR_RE_HH #define __SPLIT_BY_NETWORK_ZONES_FOR_RE_HH #include "fwbuilder/RuleElement.h" #include "fwcompiler/RuleProcessor.h" namespace libfwbuilder { class Address; class Rule; }; namespace fwcompiler { /** * this processor splits rules if objects in rule element * re_type belong to different network zones */ class splitByNetworkZonesForRE : public BasicRuleProcessor { std::string re_type; std::map rules; void AddToInterface(int interface_id, libfwbuilder::Address *addr, libfwbuilder::Rule *rule); public: splitByNetworkZonesForRE(const std::string &name,const std::string &_type) : BasicRuleProcessor(name) {re_type=_type; } virtual bool processNext(); }; } #endif fwbuilder-5.3.7/src/common/000077500000000000000000000000001303637203600155735ustar00rootroot00000000000000fwbuilder-5.3.7/src/common/common.pro000066400000000000000000000007061303637203600176100ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # # This library provides basic initialization function used in all executables, # including the GUI and all compilers # on QT include(../../qmake.inc) QT -= gui TEMPLATE = lib SOURCES = init.cpp init2.cpp HEADERS = ../../config.h commoninit.h INCLUDEPATH += ../libfwbuilder/src DEPENDPATH += ../libfwbuilder/src CONFIG += staticlib TARGET = common INSTALLS -= target exists(qmake.inc):include( qmake.inc) fwbuilder-5.3.7/src/common/commoninit.h000066400000000000000000000001451303637203600201200ustar00rootroot00000000000000#ifndef COMMON_INIT_H #define COMMON_INIT_H #include void init(char * const *argv); #endif fwbuilder-5.3.7/src/common/init.cpp000066400000000000000000000024231303637203600172430ustar00rootroot00000000000000 #include "../../config.h" #include #include #include #include #include #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Tools.h" 
#include "fwbuilder/Resources.h" #include "fwbuilder/Constants.h" #include "commoninit.h" // TODO: switch to QString std::string appRootDir; std::string userDataDir; std::string argv0; std::string ee; QString user_name; #if defined(Q_OS_WIN32) || defined(Q_OS_MACX) extern void init_win(); void init(char * const*) { init_win(); } #else #include #include extern int fwbdebug; using namespace std; using namespace libfwbuilder; void init(char * const*) { appRootDir = string(PREFIX) + FS_SEPARATOR + "bin"; /* On Unix RES_DIR and LIBFWBUILDER_TEMPLATE_DIR are absolute paths */ libfwbuilder::init(); /* need argv0 for built-in installer on unix and mac */ argv0 = appRootDir + FS_SEPARATOR + "fwbuilder"; /* default directory where the user may want to save files */ userDataDir = string(getenv("HOME")); char *lname = getenv("LOGNAME"); if (lname!=NULL) user_name = QString(lname); else { struct passwd *pwd = getpwuid(getuid()); assert(pwd); user_name = QString(pwd->pw_name); } } #endif fwbuilder-5.3.7/src/common/init2.cpp000066400000000000000000000057171303637203600173360ustar00rootroot00000000000000 #include "../../config.h" #include #if defined(Q_OS_MACX) || defined(Q_OS_WIN32) # include # include # include # include #endif #include #include #ifdef _WIN32 # include # include # include # include #else # include # include #endif #include #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Tools.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Constants.h" #include "commoninit.h" extern std::string appRootDir; extern std::string userDataDir; extern std::string argv0; extern std::string ee; extern QString user_name; using namespace std; using namespace libfwbuilder; void init_win() { /* * Note appRootDir is the path to the directory where fwbuilder binary * is installed (on Mac it is /fwbuilder3.app/Contents/MacOS. * On Windows it is c:\FWBuilder30, on Linux it is something like * /usr/bin or /usr/local/bin and so on. 
*/ #if defined(Q_OS_WIN32) || defined(Q_OS_MACX) // if (QCoreApplication::instance()==NULL) // { // int ac = 0; // char **av = { NULL }; // new QApplication( ac, av ); // } QDir dir(QCoreApplication::applicationDirPath()); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) appRootDir = string(dir.absolutePath().toAscii().constData()); #else appRootDir = string(dir.absolutePath().toLatin1().constData()); #endif /* On windows and mac we install API resources (DTD etc) in the * dir right above the one where we install resources for the GUI and compilers */ Constants::init(appRootDir); // if (respath == "") // { // respath = appRootDir + FS_SEPARATOR + Constants::getTemplateDirectory(); // QFileInfo fi(respath.c_str()); // respath = fi.canonicalFilePath().toStdString(); // to remove .. and symlinks // librespath = fi.canonicalPath().toStdString(); // dir one level up // } argv0 = QCoreApplication::applicationFilePath().toStdString(); libfwbuilder::init(); /* default directory where the user may want to save files */ #if defined(Q_OS_WIN32) userDataDir = string(getenv("USERPROFILE"))+"\\Documents"; #elif defined(Q_OS_MACX) userDataDir = string(getenv("HOME"))+"/Documents"; #endif #ifdef _WIN32 #define INFO_BUFFER_SIZE 32767 TCHAR infoBuf[INFO_BUFFER_SIZE]; DWORD bufCharCount = INFO_BUFFER_SIZE; bufCharCount = INFO_BUFFER_SIZE; if( GetUserName( infoBuf, &bufCharCount ) ) { #ifdef UNICODE user_name = QString::fromUtf16((ushort*)infoBuf); #else user_name = QString::fromLocal8Bit(infoBuf); #endif } user_name = user_name.replace(' ','_'); #elif defined(Q_OS_MACX) char *lname = getenv("LOGNAME"); if (lname!=NULL) user_name = QString(lname); else { struct passwd *pwd = getpwuid(getuid()); assert(pwd); user_name = QString(pwd->pw_name); } #endif #endif } 
fwbuilder-5.3.7/src/compiler_lib/000077500000000000000000000000001303637203600167435ustar00rootroot00000000000000fwbuilder-5.3.7/src/compiler_lib/AutomaticRules.cpp000066400000000000000000000075531303637203600224220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "AutomaticRules.h" #include "fwbuilder/Address.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Policy.h" using namespace fwcompiler; using namespace libfwbuilder; using namespace std; AutomaticRules::AutomaticRules(Firewall *fw, Library *persistent_objects) { this->fw = fw; this->persistent_objects = persistent_objects; ruleset = NULL; list all_policies = fw->getByType(Policy::TYPENAME); for (FWObject::iterator it=all_policies.begin(); it!=all_policies.end(); ++it) { Policy *policy = Policy::cast(*it); FWOptions *rulesetopts = policy->getOptionsObject(); if (rulesetopts->getBool("mangle_only_rule_set")) continue; if (policy->isTop()) { ruleset = policy; break; } } } PolicyRule* AutomaticRules::addMgmtRule( Address* src, Address* 
dst, Service* service, Interface* iface, const PolicyRule::Direction direction, const PolicyRule::Action action, const string &label, bool related) { (void) related; // Unused if (ruleset == NULL) return NULL; /* Insert PolicyRules at top so they do not get shadowed by other * rules. Call insertRuleAtTop() with hidden_rule argument true to * make sure this rule gets negative position number and does not * shift positions of other rules. See ticket #16. Also, hidden * rules are not considered for shadowing. */ PolicyRule* rule = PolicyRule::cast(ruleset->insertRuleAtTop(true)); assert(rule != NULL); ostringstream str; str << rule->getPosition() << " " << label << " (automatic)" ; rule->setLabel(str.str()); FWObject *re; re = rule->getSrc(); assert(re!=NULL); RuleElementSrc::cast(re)->reset(); if(src != NULL) re->addRef(src); re = rule->getDst(); assert(re!=NULL); RuleElementDst::cast(re)->reset(); if(dst != NULL) re->addRef(dst); re = rule->getSrv(); assert(re!=NULL); RuleElementSrv::cast(re)->reset(); if(service != NULL) re->addRef(service); re = rule->getWhen(); assert(re!=NULL); RuleElementInterval::cast(re)->reset(); re = rule->getItf(); assert(re!=NULL); RuleElementItf::cast(re)->reset(); if(iface != NULL) { re->addRef(iface); // rule->setInterfaceId(iface->getId()); } rule->add(ruleset->getRoot()->create(PolicyRuleOptions::TYPENAME)); rule->setLogging(false); rule->enable(); rule->setAction(action); rule->setDirection(direction); // Use firewall object ID to generate uique ID for this management rule // to make it stable across different runs of the compiler rule->setUniqueId( ruleset->getRoot()->getPredictableId( FWObjectDatabase::getStringId(fw->getId()) + "." 
)); return rule; } fwbuilder-5.3.7/src/compiler_lib/AutomaticRules.h000066400000000000000000000034171303637203600220620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __AUTOMATICRULES_HH__ #define __AUTOMATICRULES_HH__ #include "fwbuilder/Rule.h" #include #include namespace libfwbuilder { class Address; class Firewall; class Interface; class Library; class Service; }; namespace fwcompiler { class AutomaticRules { protected: libfwbuilder::Firewall *fw; libfwbuilder::RuleSet *ruleset; libfwbuilder::Library *persistent_objects; public: AutomaticRules(libfwbuilder::Firewall *fw, libfwbuilder::Library *persistent_objects); virtual libfwbuilder::PolicyRule* addMgmtRule( libfwbuilder::Address* src, libfwbuilder::Address* dst, libfwbuilder::Service* service, libfwbuilder::Interface* iface, const libfwbuilder::PolicyRule::Direction direction, const libfwbuilder::PolicyRule::Action action, const std::string &label, bool related = false); }; }; #endif fwbuilder-5.3.7/src/compiler_lib/CompilerDriver.cpp000066400000000000000000001320431303637203600224000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under 
the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #include // for chdir #ifndef _WIN32 # include #else # include # include # include #endif #include "CompilerDriver.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/ClusterGroup.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Rule.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwcompiler/Compiler.h" #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; CompilerDriver::CompilerDriver(FWObjectDatabase *db) : BaseCompiler() { fwbdebug = 0; filename = ""; wdir = ""; fwobjectname = ""; single_rule_compile_on = false; prepend_cluster_name_to_output_file = false; dl = 0; rule_debug_on = false; drp = -1; drn = -1; drr = -1; verbose = 0; have_dynamic_interfaces = false; ipv4_run = true; ipv6_run = true; fw_by_id = false; objdb = new FWObjectDatabase(*db); 
objdb->setIgnoreReadOnlyFlag(true); //objdb = db; persistent_objects = new Library(); persistent_objects->setName("Persistent Objects"); objdb->add(persistent_objects); workspace = new Library(); workspace->setName("Workspace"); objdb->add(workspace); prolog_done = false; epilog_done = false; have_filter = false; have_nat = false; start_current_dir = QDir::current(); } CompilerDriver::~CompilerDriver() { if (persistent_objects->getParent() == NULL) delete persistent_objects; else { if (persistent_objects->getParent() == objdb) { objdb->remove(persistent_objects, false); delete persistent_objects; } } if (workspace->getParent() == NULL) delete workspace; else { if (workspace->getParent() == objdb) { objdb->remove(workspace, false); delete workspace; } } delete objdb; } // create a copy of itself, including objdb CompilerDriver* CompilerDriver::clone() { CompilerDriver* new_cd = new CompilerDriver(objdb); if (inEmbeddedMode()) new_cd->setEmbeddedMode(); return new_cd; } bool CompilerDriver::configure(const QStringList &args) { QString last_arg; for (int idx=0; idx < args.size(); idx++) { QString arg = args.at(idx); last_arg = arg; if (arg == "-i") { fw_by_id = true; continue; } if (arg == "-v") { verbose++; continue; } if (arg == "-4") { ipv4_run = true; ipv6_run = false; continue; } if (arg == "-6") { ipv4_run = false; ipv6_run = true; continue; } if (arg == "-d") { // TODO: deal with UTF-8 in directory name idx++; wdir = string(args.at(idx).toLatin1().constData()); continue; } if (arg == "-D") { idx++; FWObject::setDataDir(args.at(idx).toUtf8().constData()); continue; } if (arg == "-f") { idx++; filename = string(args.at(idx).toLatin1().constData()); continue; } if (arg == "-o") { idx++; file_name_setting_from_command_line = args.at(idx); continue; } if (arg == "-O") { // parameter is ',' separated list of , // // All separated by commands, the id and file name just // follow one after another. 
idx++; QString member_files = args.at(idx); QStringList mf_list = member_files.split(","); QStringListIterator it(mf_list); while (it.hasNext()) { QString fw_id = it.next(); if (it.hasNext()) { QString file_name = it.next(); member_file_names[fw_id] = file_name; } else { QString err("Misconfigured -O option, missing file " "name component for ID %1"); abort(err.arg(fw_id).toStdString()); } } continue; } if (arg == "-xc") { prepend_cluster_name_to_output_file = true; continue; } if (arg == "-xt") { setTestMode(); info("*** Running in test mode, fatal errors are treated as warnings"); continue; } if (arg == "-xp") { idx++; bool ok = false; drp = args.at(idx).toInt(&ok); if (!ok) return false; rule_debug_on = true; continue; } if (arg == "-xn") { idx++; bool ok = false; drn = args.at(idx).toInt(&ok); if (!ok) return false; rule_debug_on = true; continue; } if (arg == "-xr") { idx++; bool ok = false; drr = args.at(idx).toInt(&ok); if (!ok) return false; rule_debug_on = true; continue; } if (arg == "-s") { idx++; single_rule_id = args.at(idx).toStdString(); single_rule_compile_on = true; continue; } } fwobjectname = last_arg; if (wdir.empty()) wdir="./"; return true; } void CompilerDriver::chDir() { if ( #ifdef _WIN32 _chdir(wdir.c_str()) #else chdir(wdir.c_str()) #endif ) { cerr << "Can't change to: " << wdir << endl; exit(1); } } /* * See #1994. We need to reset read-only flag on the firewall and up * the tree all the way to the root in order to let compilers make any * modifications they need. Note that this resets read-only flags in * the copy of the database this class works with. 
*/ void CompilerDriver::clearReadOnly(Firewall *fw) { if (fw->isReadOnly()) { FWObject *p = fw; while (p) { p->setReadOnly(false); p = p->getParent(); } } } QString CompilerDriver::getAbsOutputFileName(const QString &output_file_name) { QFileInfo finfo(output_file_name); if (finfo.isRelative()) { // if fw_file_name is relative, it is relative to the // directory the program started in, or if wdir was defined // via "-d" command line switch, then it is relative to that. if (wdir.empty()) { QFileInfo new_finfo(start_current_dir, output_file_name); return new_finfo.absoluteFilePath(); } else { QFileInfo new_finfo(QDir(wdir.c_str()), output_file_name); return new_finfo.absoluteFilePath(); } } return output_file_name; } void CompilerDriver::commonChecks(Firewall *fw) { if (Cluster::isA(fw)) { Cluster *cluster = Cluster::cast(fw); // Check #1 : make sure output file names are different in member // firewalls set output_file_names; list members; cluster->getMembersList(members); for (list::iterator it=members.begin(); it!=members.end(); ++it) { FWOptions *fwopt = (*it)->getOptionsObject(); string ofname = fwopt->getStr("output_file"); if (ofname.empty()) continue; if (output_file_names.count(ofname) > 0) { QString err("Member firewalls use the same output file name %1"); error(cluster, NULL, NULL, err.arg(ofname.c_str()).toStdString()); } output_file_names.insert(ofname); } } } /* * This method performs series of checks for the configuration * consitency of clusters and cluster members as well as common * problems with interfaces, addresses and their combinations. There * are several possible levels of errors: * * - errors that can be worked around. Compiler makes minor changes * to objects and continues. These are not warnings though, the user * should fix these problems. Using Compiler::error() to report. * * - serious errors that should stop processing because generated file * will be incorrect or inconsistent. 
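However it is possible to
 * continue in single rule compile mode because the error may not
 * affect the rule being compiled. Using Compiler::abort() to
 * report. Normally this method throws FWException() but in single
 * rule compile mode or in testing mode it records the error and
 * continues.
 *
 * - fatal errors that make it impossible to continue even in test or
 * single rule compile modes. To report call Compiler::abort() and
 * then throw FatalErrorInSingleRuleCompileMode exception. This
 * exception should be caught in CompilerDriver::run() (virtual
 * method) where recorded error can be shown to the user in the GUI.
 *
 * Checks performed, in order:
 *  - cluster member: processStateSyncGroups() and validateClusterGroups()
 *  - warning() when fw has no top-level NAT or Policy rule set
 *  - wildcard interfaces: '*' must be the last character of the name
 *    (fatal); attached physAddress objects are removed (error)
 *  - dynamic interfaces: have_dynamic_interfaces is set and the
 *    interface gets "use_var_address"; attached IPv4 objects are
 *    removed (error), fatal if one of them is referenced anywhere in
 *    the object database
 *  - regular interfaces: need at least one IPv4/IPv6 child (fatal)
 *    unless this is a cluster interface whose failover protocol has
 *    "no_ip_ok" in the host OS resources; address or netmask equal to
 *    "any" is fatal
 *  - subinterfaces: an ethernet subinterface of a bridge whose name
 *    looks like a vlan must have another interface with the same name
 *    in fw's interface list (fatal)
 *
 * @param cluster  cluster fw is a member of, or NULL for a standalone
 *                 firewall
 * @param fw       firewall being compiled; its objects are modified in place
 * @throws FatalErrorInSingleRuleCompileMode after abort() for fatal errors
 */
void CompilerDriver::commonChecks2(Cluster *cluster, Firewall *fw)
{
    // NOTE(review): this local shadows the member current_firewall_name
    // and is not read in this method, so the member is never set here.
    // Left unchanged; confirm whether an assignment to the member was
    // intended.
    QString current_firewall_name = fw->getName().c_str();
    string host_os = fw->getStr("host_OS");

    if (cluster)
    {
        // firewall is a member of a cluster.
        // Rely on the caller to make sure this firewall is really a member
        // of this cluster. Do not perform redundant check here.
        processStateSyncGroups(cluster, fw);

        // some initial sanity checks
        validateClusterGroups(cluster);
    }

    list all_policies = fw->getByType(Policy::TYPENAME);
    list all_nat = fw->getByType(NAT::TYPENAME);

    bool have_top = false;
    for (list::iterator p=all_nat.begin(); p!=all_nat.end(); ++p)
    {
        if (RuleSet::cast(*p)->isTop()) { have_top = true; break; }
    }
    if ( ! have_top ) warning(fw, NULL, NULL,"Missing top level NAT ruleset");

    have_top = false;
    for (list::iterator p=all_policies.begin(); p!=all_policies.end(); ++p)
    {
        if (RuleSet::cast(*p)->isTop()) { have_top = true; break; }
    }
    if ( ! have_top ) warning(fw, NULL, NULL,"Missing top level Policy ruleset");

    list interfaces = fw->getByTypeDeep(Interface::TYPENAME);
    for (list::iterator i=interfaces.begin(); i!=interfaces.end(); ++i)
    {
        Interface *iface = Interface::cast(*i);
        assert(iface);

        string::size_type n;
        if ( (n=iface->getName().find("*"))!=string::npos)
        {
            /* this is a special 'wildcard' interface. Its name must end with '*',
             * it must be dynamic and should not have a child IPv4 or
             * physAddress object
             */
            if (n!=iface->getName().length()-1)
            {
                QString err("'*' must be the last character in "
                            "the wildcard's interface name: '%1'.");
                abort(fw, NULL, NULL,
                      err.arg(iface->getName().c_str()).toStdString());
                throw FatalErrorInSingleRuleCompileMode();
            }

            /* removed test to implement RFE #837238: "unnummbered wildcard interfaces"
            if (!iface->isDyn())
            {
                QString errstr;
                errstr.sprintf(_("Wildcard interface '%s' must be dynamic."),
                               iface->getName().c_str() );
                throw FWException(errstr);
            }
            */
            list l3=iface->getByType(physAddress::TYPENAME);
            if (l3.size()>0)
            {
                QString err("Wildcard interface '%1' should not have "
                            "physcal address object attached to it. "
                            "The physical address object will be ignored.");
                error(fw, NULL, NULL,
                      err.arg(iface->getName().c_str()).toStdString());
                // l3 is a copy of the child list, so removing while
                // iterating over it is safe
                for (list::iterator j=l3.begin(); j!=l3.end(); ++j)
                    iface->remove(*j);
            }
        }

        if (iface->isDyn())
        {
            have_dynamic_interfaces=true;
            iface->setBool("use_var_address",true);

            list l3=iface->getByType(IPv4::TYPENAME);
            if (l3.size()>0)
            {
                // an address that is referenced from rules cannot simply
                // be dropped, so this one is fatal
                for (list::iterator j=l3.begin(); j!=l3.end(); ++j)
                    if ( objdb->findAllReferences(*j).size()!=0 )
                    {
                        QString err("Dynamic interface %1 has IP address "
                                    "that is used in the firewall policy rule.");
                        abort(fw, NULL, NULL,
                              err.arg(iface->getName().c_str()).toStdString());
                        throw FatalErrorInSingleRuleCompileMode();
                    }
                QString err("Dynamic interface %1 should not have an "
                            "IP address object attached to it. "
                            "This IP address object will be ignored.");
                error(fw, NULL, NULL,
                      err.arg(iface->getName().c_str()).toStdString());
                for (list::iterator j=l3.begin(); j!=l3.end(); ++j)
                    iface->remove(*j);
            }
        }

        if (iface->isRegular())
        {
            // Regular interface (should have an ip address)
            bool no_addr_ok = false;
            if (iface->getOptionsObject()->getBool("cluster_interface"))
            {
                // cluster interface with failover type heartbeat or
                // openais may have no ip address. Other failover
                // types require an address.
                FWObject *failover_group =
                    iface->getFirstByType(FailoverClusterGroup::TYPENAME);
                if (failover_group)
                {
                    string failover_type = failover_group->getStr("type");
                    // There may be no resource entry for this host_OS
                    // (the same lookup is NULL-checked further down and
                    // in validateClusterGroups()); in that case keep
                    // requiring an address instead of dereferencing NULL.
                    Resources *os_res = Resources::os_res[host_os];
                    if (os_res != NULL)
                        no_addr_ok = os_res->getResourceBool(
                            "/FWBuilderResources/Target/protocols/" +
                            failover_type + "/no_ip_ok");
                }
            }

            list all_addr = iface->getByType(IPv4::TYPENAME);
            list all_ipv6 = iface->getByType(IPv6::TYPENAME);
            all_addr.insert(all_addr.begin(), all_ipv6.begin(), all_ipv6.end());

            if (iface->isRegular() && !no_addr_ok &&
                all_addr.empty() && all_ipv6.empty())
            {
                QString err("Missing IP address for interface %1");
                abort(fw, NULL, NULL,
                      err.arg(iface->getName().c_str()).toStdString());
                throw FatalErrorInSingleRuleCompileMode();
            }

            for (list::iterator j = all_addr.begin(); j != all_addr.end(); ++j)
            {
                const InetAddr *ip_addr = Address::cast(*j)->getAddressPtr();
                const InetAddr *netmask = Address::cast(*j)->getNetmaskPtr();
                if (ip_addr && ip_addr->isAny())
                {
                    QString err("Interface %1 (id=%2) has IP address %3.");
                    abort(fw, NULL, NULL,
                          err.arg(iface->getName().c_str())
                          .arg(FWObjectDatabase::getStringId(
                                   iface->getId()).c_str())
                          .arg(ip_addr->toString().c_str()).toStdString());
                    throw FatalErrorInSingleRuleCompileMode();
                }
                if (ip_addr && netmask && netmask->isAny())
                {
                    QString err("Interface %1 (id=%2) has invalid netmask %3.");
                    abort(fw, NULL, NULL,
                          err.arg(iface->getName().c_str())
                          .arg(FWObjectDatabase::getStringId(
                                   iface->getId()).c_str())
                          .arg(netmask->toString().c_str()).toStdString());
                    throw FatalErrorInSingleRuleCompileMode();
                }
            }
        }

        FWObject *parent = iface->getParent();
        if (Interface::isA(parent))
        {
            Resources* os_res = Resources::os_res[fw->getStr("host_OS")];
            string os_family = fw->getStr("host_OS");
            if (os_res!=NULL)
                os_family = os_res->getResourceStr("/FWBuilderResources/Target/family");

            std::auto_ptr int_prop(
                interfacePropertiesObjectFactory::getInterfacePropertiesObject(
                    os_family));

#if 0
            // See #2103. All interface name validation checks should
            // be done in the GUI.
            QString err;
            if (!int_prop->validateInterface(parent, iface, true, err))
            {
                abort(fw, NULL, NULL, err.toStdString());
                throw FatalErrorInSingleRuleCompileMode();
            }
#endif

            string interface_type = iface->getOptionsObject()->getStr("type");
            if (interface_type.empty()) interface_type = "ethernet";
            string parent_interface_type =
                Interface::cast(parent)->getOptionsObject()->getStr("type");

            if (parent_interface_type == "bridge" &&
                interface_type == "ethernet" &&
                int_prop->looksLikeVlanInterface(iface->getName().c_str()))
            {
                // if vlan interface is used as a bridge port, it
                // should be a copy of the top-level interface object
                // with the same name
                //
                // (only the name is compared; "interfaces" was collected
                // with getByTypeDeep, so the match is not restricted to
                // top-level interfaces)
                bool have_top_level_copy = false;
                for (list::iterator i2=interfaces.begin(); i2!=interfaces.end(); ++i2)
                {
                    Interface *in = Interface::cast(*i2);
                    assert(in);
                    if (in == iface) continue;
                    if (in->getName() == iface->getName())
                    {
                        have_top_level_copy = true;
                        break;
                    }
                }
                if (!have_top_level_copy)
                {
                    QString err("Interface %1 looks like Vlan interface and is "
                                "used as a bridge port. This configuration "
                                "is only allowed if this object is a copy of another "
                                "top-level interface with the same name" );
                    abort(fw, NULL, NULL,
                          err.arg(iface->getName().c_str()).toStdString());
                    throw FatalErrorInSingleRuleCompileMode();
                }
            }
        }
    }
}

/*
 * Select the target object by its string id instead of by name;
 * locateObject() then resolves it through the object index.
 */
void CompilerDriver::setTargetId(const string &id)
{
    fw_by_id = true;
    fwobjectname = id.c_str();
}

/*
 * Resolve the firewall to compile: by id when setTargetId() was used
 * (fwobjectname then holds the string id), otherwise by name. The
 * result may be NULL when the lookup fails; callers should check.
 */
Firewall* CompilerDriver::locateObject()
{
    Firewall* obj;
    if (fw_by_id)
    {
        // fwobjectname is actually object id
        obj = Firewall::cast(
            objdb->findInIndex(
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
                objdb->getIntId(fwobjectname.toAscii().constData())));
#else
                objdb->getIntId(fwobjectname.toLatin1().constData())));
#endif
        //fwobjectname = obj->getName().c_str();
    }
    else
        obj = objdb->findFirewallByName(fwobjectname.toUtf8().constData());
    return obj;
}

/* Find rulesets that belong to other firewall objects but are
 * referenced by rules of this firewall using action Branch.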
*
 * Important: rulesets that belong to other firewalls may be marked as
 * "top rulesets", which means they should be translated into the
 * built-in chains INPUT/OUTPUT/FORWARD rather then into named chain
 * with the name the same as the name of the ruleset. However this
 * does not make sense if we want to jump to that ruleset from a rule
 * from a ruleset that belongs to the firewall we are compiling. If we
 * compile such "foreighn" ruleset as "top ruleset", then we do not
 * create chain we would jump to. To avoid this will reset "top
 * ruleset" flag of rulesets of other firewalls referenced by
 * branching rules of the firewall being compiled.
 *
 * Every rule set reachable from a branching rule (directly or through
 * further branches, see _findImportedRuleSetsRecursively()) that is
 * neither a child of fw nor a child of the cluster fw belongs to
 * ("cluster_member" option and "parent_cluster_id") has its top flag
 * cleared and is appended to all_policies, once. A rule set that the
 * walk reached more than once is reported with warning() as a loop;
 * note that any second path to the same rule set counts, not only a
 * cycle back to the branching rule set.
 *
 * @param fw            firewall being compiled
 * @param all_policies  in/out: rule sets to compile; imported ones are
 *                      appended at the end after the scan
 */
void CompilerDriver::findImportedRuleSets(Firewall *fw, list &all_policies)
{
    bool cluster_member = fw->getOptionsObject()->getBool("cluster_member");
    int cluster_id = fw->getInt("parent_cluster_id");
    list imported_policies;
    for (list::iterator i=all_policies.begin(); i!=all_policies.end(); ++i)
    {
        RuleSet *ruleset = RuleSet::cast(*i);
        if (ruleset == NULL) continue; // should not happen
        for (list::iterator r=ruleset->begin(); r!=ruleset->end(); ++r)
        {
            Rule *rule = Rule::cast(*r);
            if (rule == NULL) continue; // skip RuleSetOptions object
            RuleSet *branch_ruleset = rule->getBranch();
            if (branch_ruleset!=NULL)
            {
                // qDebug() << "ruleset=" << ruleset->getName().c_str()
                //          << "branch=" << branch_ruleset->getName().c_str();

                map referenced_branch_rulesets;
                _findImportedRuleSetsRecursively(
                    fw, branch_ruleset, referenced_branch_rulesets);

                map::iterator it;
                for (it=referenced_branch_rulesets.begin();
                     it!=referenced_branch_rulesets.end(); ++it)
                {
                    // shadows the outer branch_ruleset (the direct target)
                    RuleSet *branch_ruleset = RuleSet::cast(it->first);
                    int counter = it->second;

                    // qDebug() << " "
                    //          << "branch=" << branch_ruleset->getName().c_str()
                    //          << "counter=" << counter;

                    if (counter > 1)
                    {
                        QString err(
                            "Rule branches to rule set %1 which branches "
                            "back to it, creating a loop");
                        warning(ruleset->getParent(), ruleset, rule,
                                err.arg(branch_ruleset->getName().c_str())
                                .toStdString());
                    }

                    if (branch_ruleset->isChildOf(fw)) continue;

                    // shadows the map iterator "it" of the enclosing loop
                    list::iterator it = std::find(
                        imported_policies.begin(),
                        imported_policies.end(),
                        branch_ruleset);
                    if (it != imported_policies.end()) continue;

                    // Additional check: the rule set may be child of a
                    // cluster this firewall is member of. If it is, it
                    // has been taken care of in CompilerDriver::mergeRuleSets()
                    FWObject *ruleset_parent = branch_ruleset->getParent();
                    if (cluster_member && Cluster::isA(ruleset_parent) &&
                        ruleset_parent->getId() == cluster_id) continue;

                    // this modifies an object that belongs to another
                    // firewall (see the comment above)
                    branch_ruleset->setTop(false);
                    imported_policies.push_back(branch_ruleset);
                }
            }
        }
    }
    if (imported_policies.size() > 0)
        all_policies.insert(all_policies.end(),
                            imported_policies.begin(), imported_policies.end());
}

/*
 * Depth-first walk over the branch graph starting at branch_ruleset.
 * branch_rulesets counts how many times each rule set was reached; a
 * rule set that was already counted is not descended into again, so
 * the walk terminates on cycles. Within one rule set several rules
 * branching to the same target are followed only once. fw is passed
 * down unchanged and not used here.
 */
void CompilerDriver::_findImportedRuleSetsRecursively(
    Firewall *fw, RuleSet *branch_ruleset, map &branch_rulesets)
{
    // multiple rules in the rule set may branch to the same branch rule set
    map local_branch_ruleset_counters;

    int c = branch_rulesets[branch_ruleset];
    branch_rulesets[branch_ruleset] = ++c;
    if (c > 1) return; // we have seen this one already

    for (list::iterator r=branch_ruleset->begin(); r!=branch_ruleset->end(); ++r)
    {
        Rule *rule = Rule::cast(*r);
        if (rule == NULL) continue; // skip RuleSetOptions object
        RuleSet *next_branch_ruleset = rule->getBranch();
        if (next_branch_ruleset!=NULL &&
            local_branch_ruleset_counters.count(next_branch_ruleset)==0)
        {
            local_branch_ruleset_counters[next_branch_ruleset] = 1;
            _findImportedRuleSetsRecursively(
                fw, next_branch_ruleset, branch_rulesets);
        }
    }
}

/*
 * Apply RuleSet::UniqueRuleIdsSetter to every rule set in all_rulesets.
 */
void CompilerDriver::assignUniqueRuleIds(list &all_rulesets)
{
    for_each(all_rulesets.begin(), all_rulesets.end(),
             RuleSet::UniqueRuleIdsSetter());
}

/*
 * Base implementation: does nothing and returns an empty string.
 * Platform drivers override this.
 */
QString CompilerDriver::run(const std::string&, const std::string&,
                            const std::string&)
{
    return "";
}

/*
 * Check that every StateSyncClusterGroup and every FailoverClusterGroup
 * in cluster uses a protocol type listed for the cluster's host_OS in
 * the resource file (/FWBuilderResources/Target/protocols/state_sync
 * and .../failover), and that no failover group is empty. Returns
 * without checking anything when there is no resource entry for
 * host_OS. Each violation is fatal: abort() followed by
 * FatalErrorInSingleRuleCompileMode.
 */
void CompilerDriver::validateClusterGroups(Cluster *cluster)
{
    string host_os = cluster->getStr("host_OS");
    Resources* os_res = Resources::os_res[host_os];
    if (os_res==NULL) return;

    // check if state sync groups are of supported type
    list state_sync_protocols;
    os_res->getResourceStrList("/FWBuilderResources/Target/protocols/state_sync",
                               state_sync_protocols);

    for (FWObjectTypedChildIterator it =
             cluster->findByType(StateSyncClusterGroup::TYPENAME);
         it != it.end(); ++it)
    {
        string state_sync_type = (*it)->getStr("type");
        if (!isSupported(&state_sync_protocols, state_sync_type))
        {
            QString err("State sync group type '%1' is not supported");
            abort(cluster, NULL, NULL,
                  err.arg(state_sync_type.c_str()).toStdString());
            throw FatalErrorInSingleRuleCompileMode();
        }
    }

    // same for failover groups
    list failover_protocols;
    os_res->getResourceStrList("/FWBuilderResources/Target/protocols/failover",
                               failover_protocols);

    list failover_groups =
        cluster->getByTypeDeep(FailoverClusterGroup::TYPENAME);
    for (list::iterator it = failover_groups.begin();
         it != failover_groups.end(); ++it)
    {
        FWObject *failover_group = *it;
        FWObject *parent = failover_group->getParent();
        string failover_type = failover_group->getStr("type");
        if (!isSupported(&failover_protocols, failover_type))
        {
            QString err("Failover group type '%1' is not supported");
            abort(cluster, NULL, NULL,
                  err.arg(failover_type.c_str()).toStdString());
            throw FatalErrorInSingleRuleCompileMode();
        }

        list l2 = failover_group->getByTypeDeep(FWObjectReference::TYPENAME);
        if (l2.size() == 0)
        {
            QString err("Failover group of cluster interface '%1' is empty");
            abort(cluster, NULL, NULL,
                  err.arg(parent->getName().c_str()).toStdString());
            throw FatalErrorInSingleRuleCompileMode();
        }
    }
}

/*
 * True when cluster_group_type equals the first comma-separated field
 * of some entry in protocols. Only the leading field of each entry is
 * compared; whatever follows the first comma is ignored here.
 */
bool CompilerDriver::isSupported(list *protocols,
                                 const string &cluster_group_type)
{
    bool supported = false;
    for (list::iterator supported_types=protocols->begin();
         supported_types!=protocols->end(); ++supported_types)
    {
        QString str = QString(supported_types->c_str());
        QStringList pl = str.split(",");
        if (cluster_group_type.c_str() == pl[0])
        {
            supported = true;
            break;
        }
    }
    return supported;
}

/*
 * Stream a std::string into a QTextStream through its C string.
 */
QTextStream& operator<< (QTextStream &text_stream, const string &str)
{
text_stream << str.c_str();
    return text_stream;
}

/*
 * Add indentation to each line in txt
 *
 * std::string overload: converts to QString, delegates to the QString
 * overload and converts the result back.
 */
string CompilerDriver::indent(int n_spaces, const string &txt)
{
    QString res = indent(n_spaces, QString(txt.c_str()));
    return res.toStdString();
}

/*
 * Prefix every non-empty line of txt with n_spaces spaces.
 */
QString CompilerDriver::indent(int n_spaces, const QString &txt)
{
    // arg("", n_spaces, ' ') pads the empty string to width n_spaces
    QString fill = QString("%1").arg("", n_spaces, ' ');
    return prepend(fill, txt);
}

/*
 * prepend each line in @txt with @prep, however there is no need to
 * prepend empty lines
 *
 * Lines are split on "\n" and joined back with "\n", so a trailing
 * newline in txt is preserved as an empty last element.
 */
QString CompilerDriver::prepend(const QString &prep, const QString &txt)
{
    QStringList str;
    foreach (QString line, txt.split("\n"))
    {
        if (line.isEmpty()) str.append(line);
        else str.append(line.prepend(prep));
    }
    return str.join("\n");
}

/*
 * Merge the cluster's rule sets of the given type (Policy, NAT or
 * Routing TYPENAME) into member firewall fw according to the rules in
 * the comment below. Rule sets taken from the cluster are tagged with
 * the ".ruleset_owner" and ".ruleset_owner_id" options.
 *
 * The match is by name only, against the first child of fw with that
 * name (std::find_if over all children of fw, then a type test).
 * NOTE(review): a non-rule-set child that shares the name would hide
 * a later rule set of the same name and cause a copy to be added;
 * confirm whether that can occur.
 */
void CompilerDriver::mergeRuleSets(Cluster *cluster, Firewall *fw,
                                   const string &type)
{
    list all_rulesets = cluster->getByType(type);
    for (list::iterator p = all_rulesets.begin(); p != all_rulesets.end(); ++p)
    {
        FWObject *ruleset = *p;
        FWObject::iterator i = std::find_if(
            fw->begin(), fw->end(),
            FWObjectNameEQPredicate(ruleset->getName()));
        if (i!=fw->end() && (*i)->getTypeName() == type)
        {
            FWObject *fw_ruleset = *i;
            /*
             * fw has rule set with the same name. See ticket #372
             * for details.
             *
             * if member firewall has rule set of the same type and
             * with the same name as cluster and firewall's rule set
             * is not empty, cluster's rule set is ignored and warning
             * is ussued
             *
             * if matching firewall's rule set is empty, cluster's
             * rule set is used
             *
             * all rule sets from the cluster that do not have
             * matching ones in the member firewall are merged into
             * the firewall before compilation and used.
             *
             * Note that rule set object has two different kinds of
             * children: rules and RuleSetOption objects. Check if it
             * has any rules.
             */
            int rule_cntr = 0;
            list::iterator it = fw_ruleset->begin();
            for ( ; it!=fw_ruleset->end(); ++it)
            {
                if (Rule::cast(*it)!=NULL) rule_cntr++;
            }

            if (rule_cntr > 0)
            {
                QString err("ignoring cluster rule set \"%1\" "
                            "because member firewall \"%2\" "
                            "has rule set with the same name.");
                warning(fw, fw_ruleset, NULL,
                        err.arg(fw_ruleset->getName().c_str())
                        .arg(fw->getName().c_str()).toStdString());
            } else
            {
                // member rule set is empty: replace its contents with a
                // copy of the cluster's rule set
                fw_ruleset->clear();
                fw_ruleset->duplicate(ruleset, false);
                fw_ruleset->setStr(".ruleset_owner", cluster->getName());
                fw_ruleset->setInt(".ruleset_owner_id", cluster->getId());
            }
        } else
        {
            // fw does not have rule set with this name
            FWObject *copy_ruleset = fw->addCopyOf(ruleset, false);
            copy_ruleset->setStr(".ruleset_owner", cluster->getName());
            copy_ruleset->setInt(".ruleset_owner_id", cluster->getId());
        }
    }
}

/*
 * 1. Iterate over all fw interfaces and check if they are referenced in a
 *    ClusterGroup.
 *    -> if yes then make copy of vrrp interface and set BASEDEV accordingly
 * 2. clear Policy, NAT & Routing rules of the firewall, then copy cluster
 *    policy, NAT and routing rules.
*/
/*
 * What the method actually does, in order:
 *  1. checkCluster()
 *  2. for each StateSyncClusterGroup: every referenced interface gets
 *     the options "state_sync_group_member", "state_sync_group_id"
 *     and "state_sync_master" (true when it is the group's
 *     "master_iface"), and fw gets "cluster_member"; two groups of
 *     the same type throw FWException
 *  3. for each cluster interface: if it has a FailoverClusterGroup,
 *     the member interface it maps to is tagged with
 *     "failover_group_id", the cluster interface inherits
 *     dyn/unnumbered/unprotected/security level from it and
 *     copyFailoverInterface() adds a copy to fw; without a failover
 *     group only loopback interfaces are copied into fw
 *  4. mergeRuleSets() for Policy, NAT and Routing
 *  5. fw gets "parent_cluster_id"
 * Does nothing when cluster is NULL. Objects of both cluster and fw
 * are modified in place.
 */
void CompilerDriver::populateClusterElements(Cluster *cluster, Firewall *fw)
{
    if (cluster==NULL) return;

#ifdef DEBUG_CLUSTER_INTERFACES
    cerr << "CompilerDriver::populateClusterElements " << endl;
    cerr << cluster->getPath(false, true) << endl;
    list cl_interfaces = cluster->getByTypeDeep(Interface::TYPENAME);
    cerr << cl_interfaces.size() << " interface" << endl;
    cluster->dump(false, true);

    cerr << fw->getPath(false, true) << endl;
    list fw_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
    cerr << fw_interfaces.size() << " interface" << endl;
    fw->dump(false, true);
#endif

    // int addedPolicies = 0;

    set state_sync_types;

    checkCluster(cluster);

    for (FWObjectTypedChildIterator it =
             cluster->findByType(StateSyncClusterGroup::TYPENAME);
         it != it.end(); ++it)
    {
        StateSyncClusterGroup *state_sync_group = StateSyncClusterGroup::cast(*it);
        /* For the state syncing cluster group, hierarchy looks like this:
         * Cluster->StateSyncClusterGroup->ObjectRef
         */
        string grp_type = state_sync_group->getStr("type");
        if (state_sync_types.count(grp_type) > 0)
            throw FWException("Several state synchronization groups of the same type in one cluster object.");

        state_sync_types.insert(grp_type);

        // inner "it" shadows the outer group iterator
        for (FWObjectTypedChildIterator it =
                 state_sync_group->findByType(FWObjectReference::TYPENAME);
             it != it.end(); ++it)
        {
            Interface *iface = Interface::cast(FWObjectReference::getObject(*it));
            assert(iface);
            //processStateSyncGroup(cluster, fw, state_sync_group, iface);

            iface->getOptionsObject()->setBool("state_sync_group_member", true);
            iface->getOptionsObject()->setStr(
                "state_sync_group_id",
                FWObjectDatabase::getStringId(state_sync_group->getId()));
            string master_id = state_sync_group->getStr("master_iface");
            string iface_str_id = FWObjectDatabase::getStringId(iface->getId());
            iface->getOptionsObject()->setBool("state_sync_master",
                                               master_id == iface_str_id);
            fw->getOptionsObject()->setBool("cluster_member", true);
        }
    }

    // For VRRP references the hierarchy is as follows:
    // Cluster->Interface->FailoverClusterGroup->ObjectRef

    // get a list of pointers to all cluster interfaces. Can't use findByType()
    // and iterator because we'll be adding interfaces in the middle of the loop
    list cluster_interfaces = cluster->getByTypeDeep(Interface::TYPENAME);
    list::iterator cl_iface = cluster_interfaces.begin();
    for (; cl_iface != cluster_interfaces.end(); ++cl_iface)
    {
        Interface *cluster_interface = Interface::cast(*cl_iface);
        FailoverClusterGroup *failover_group = FailoverClusterGroup::cast(
            cluster_interface->getFirstByType(FailoverClusterGroup::TYPENAME));
        if (failover_group)
        {
            Interface *member_iface =
                failover_group->getInterfaceForMemberFirewall(fw);
            if (member_iface == NULL) continue;
            // NOTE(review): the assert checks fw's options object while
            // the next line uses member_iface's; verify which was meant
            assert(fw->getOptionsObject() != NULL);
            member_iface->getOptionsObject()->setStr(
                "failover_group_id",
                FWObjectDatabase::getStringId(failover_group->getId()));

            // per #971: cluster interface should inherit attributes
            // of the member interfaces: regular / dynamic / unnimbered
            cluster_interface->setDyn(member_iface->isDyn());
            cluster_interface->setUnnumbered(member_iface->isUnnumbered());
            cluster_interface->setUnprotected(member_iface->isUnprotected());
            cluster_interface->setSecurityLevel(member_iface->getSecurityLevel());

            copyFailoverInterface(cluster, fw, failover_group, member_iface);
        } else
        {
            // cluster interface without failover group
            // is this a loopback interface ?
            if (cluster_interface->isLoopback())
            {
                /* Add copy of the interface from the cluster to the
                 * firewall object so that when it is encountered in
                 * the "intrface" rule element of its rules, it
                 * belongs to the firewall and is therefore valid.
                 */
                Interface* new_cl_if =
                    Interface::cast(fw->addCopyOf(cluster_interface, true));
                assert(new_cl_if != NULL);
                new_cl_if->getOptionsObject()->setBool("cluster_interface", true);
            }
        }
    }

    mergeRuleSets(cluster, fw, Policy::TYPENAME);
    mergeRuleSets(cluster, fw, NAT::TYPENAME);
    mergeRuleSets(cluster, fw, Routing::TYPENAME);

    // finally need to remember cluster object ID so that compiler can later
    // associate it in rules with the firewall.
    //
    // The alternative is to find all references to the cluster object
    // in rules and replace them with refs to the firewall. That could
    // be done either in prolog or in a special rule processor. It is
    // _much_ cheaper to just remember cluster ID though.
    fw->setInt("parent_cluster_id", cluster->getId());

    // return addedPolicies;
}

/*
 * Perform checks for failover interfaces and their addresses, add a
 * copy of failover interface form the cluster to the firewall object.
 *
 * This method assumes the following:
 *
 * - Failover interface owns its ip address which is different from
 *   addresses of either firewall
 *
 * - address of the failover interface must be on the same subnet as
 *   addresses of the firewalls (perhaps this restriction can be
 *   lifted? Was originally implemented by Secunet folks like this)
 *
 * What is actually done here: the cluster interface that owns
 * cluster_group is copied into fw with a new id; the copy is marked
 * "cluster_interface", its "base_device" / "base_interface_id"
 * options point at the member interface iface, "failover_master" is
 * set when iface is the group's "master_iface", and the
 * dedicated-failover and unprotected flags are inherited from iface.
 * Finally fw gets the "cluster_member" option. The address/subnet
 * assumptions listed above are not verified in this method. The
 * cluster parameter is unused.
 */
void CompilerDriver::copyFailoverInterface(Cluster * /*UNUSED cluster */,
                                           Firewall *fw,
                                           FailoverClusterGroup *cluster_group,
                                           Interface *iface)
{
    Interface* cluster_if = Interface::cast(cluster_group->getParent());
    assert(cluster_if != NULL);

    /* Add copy of the cluster interface to the firewall object
     *
     * While adding a copy of cluster interface to the firewall, make
     * sure it has new unique ID instead of a copy of the ID of the
     * cluster's interface object. If the ID is the same,
     * RuleElementItf::validateChild() finds clusters' interface which
     * is not a child of the firewall object and therefore is
     * rejected.
     */
    Interface* new_cl_if = Interface::cast(fw->addCopyOf(cluster_if, true));
    assert(new_cl_if != NULL);
    new_cl_if->getOptionsObject()->setBool("cluster_interface", true);
    new_cl_if->getOptionsObject()->setStr("base_device", iface->getName());
    new_cl_if->getOptionsObject()->setStr(
        "base_interface_id", FWObjectDatabase::getStringId(iface->getId()));

    /* Set master property if interface is referenced
     * as master_iface
     */
    string master_id = cluster_group->getStr("master_iface");
    string iface_str_id = FWObjectDatabase::getStringId(iface->getId());
    new_cl_if->getOptionsObject()->setBool("failover_master",
                                           master_id == iface_str_id);

    /*
     * cluster interface should "inherit" some of the attributes of
     * the member interfaces it represents. For example, if member
     * interfaces are marked "unprotected" or "dedicated failover",
     * should be the cluster interface. What else?
     */
    new_cl_if->setDedicatedFailover(iface->isDedicatedFailover());
    new_cl_if->setUnprotected(iface->isUnprotected());

    fw->getOptionsObject()->setBool("cluster_member", true);
}

/**
 * Do something with state sync cluster groups. Find interfaces that
 * were placed in the group and store the name in the variable
 * "state_sync_interface" which is used later to associate policy rule
 * that should be added to permit state sync protocol with right
 * interface. For iptables we add rule to permit conntrackd, for PIX
 * we generate "failover" commands, etc.
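*/
/*
 * For each StateSyncClusterGroup of cluster, the first referenced
 * interface that is a child of member_fw is recorded in the
 * firewall's options: "state_sync_group_id" (string id of the group)
 * and "state_sync_interface" (interface name). The options are
 * overwritten per group, so with several groups containing a member
 * interface the last one processed wins.
 */
void CompilerDriver::processStateSyncGroups(Cluster *cluster, Firewall *member_fw)
{
    for (FWObjectTypedChildIterator it =
             cluster->findByType(StateSyncClusterGroup::TYPENAME);
         it != it.end(); ++it)
    {
        FWObject *state_sync_group = *it;
        for (FWObjectTypedChildIterator grp_it =
                 state_sync_group->findByType(FWObjectReference::TYPENAME);
             grp_it != grp_it.end(); ++grp_it)
        {
            FWObject *iface = FWObjectReference::getObject(*grp_it);
            if (iface->isChildOf(member_fw))
            {
                member_fw->getOptionsObject()->setStr(
                    "state_sync_group_id",
                    FWObjectDatabase::getStringId(state_sync_group->getId()));
                member_fw->getOptionsObject()->setStr(
                    "state_sync_interface", iface->getName());
                break;
            }
        }
    }
}

/*
 * Verify that there is at least one Cluster interface and that all
 * have unique names and IP addresses.
 *
 * Only direct Interface children of the cluster are examined. Name
 * uniqueness is checked for every pair of interfaces; address
 * uniqueness only for pairs where both interfaces have an address.
 * Violations are fatal: abort() then FatalErrorInSingleRuleCompileMode.
 * Always returns 0.
 */
int CompilerDriver::checkCluster(Cluster* cluster)
{
    assert(cluster != NULL);

    FWObjectTypedChildIterator cluster_ifaces =
        cluster->findByType(Interface::TYPENAME);
    if (cluster_ifaces == cluster_ifaces.end())
    {
        /* No configured cluster interface found */
        abort(cluster, NULL, NULL, "The cluster has no interfaces.");
        throw FatalErrorInSingleRuleCompileMode();
    }

    for (; cluster_ifaces != cluster_ifaces.end(); ++cluster_ifaces)
    {
        string iface_name = Interface::cast(*cluster_ifaces)->getName();
        const InetAddr* iface_address =
            Interface::cast(*cluster_ifaces)->getAddressPtr();

        FWObjectTypedChildIterator other_ifaces = cluster_ifaces;
        for (++other_ifaces; other_ifaces != cluster_ifaces.end(); ++other_ifaces)
        {
            // The name check no longer depends on the interface having an
            // address: previously an address-less interface skipped this
            // loop entirely, so two interfaces sharing a name were not
            // reported if the first of them had no address.
            if (iface_name == Interface::cast(*other_ifaces)->getName())
            {
                QString err("Found duplicate cluster interface %1");
                abort(cluster, NULL, NULL,
                      err.arg(iface_name.c_str()).toStdString());
                throw FatalErrorInSingleRuleCompileMode();
            }

            if (iface_address==NULL) continue; // cluster interface with no address

            const InetAddr *other_iface_address =
                Interface::cast(*other_ifaces)->getAddressPtr();
            if (other_iface_address==NULL) continue; // cluster interface with no address

            if (*iface_address == *other_iface_address)
            {
                QString err("Found duplicate cluster interface address %1");
                abort(cluster, NULL, NULL,
                      err.arg(iface_address->toString().c_str()).toStdString());
                throw FatalErrorInSingleRuleCompileMode();
            }
        }
    }
    return 0;
}

/*
 * Output for single rule compile mode: generated_code itself, or, when
 * it contains nothing but whitespace/newlines, all_errors joined with
 * "\n" so the user sees why nothing was produced.
 */
QString CompilerDriver::formSingleRuleCompileOutput(const QString &generated_code)
{
    // in single rule compile mode just return the
    // result. Note that we do not return all_errors because
    // all compilers include errors and warnings with
    // generated code for each rule. Two exceptions: 1)
    // CompilerDriver errors need to be added on top, 2) if no
    // output has been produced by the compiler, we have to
    // show all_errors to the user because there could be an
    // error message explaining this. Combined output of all
    // compilers we assemble here may consist of a bunch of
    // empty lines separated by LF. Need to account for that.
    QString res = generated_code;
    QString res2 = res.split("\n", QString::SkipEmptyParts).join("").replace(" ", "");
    if (res2.isEmpty()) res = all_errors.join("\n");
    return res;
}

/*
 * Resolve cluster_id and firewall_id (string ids) to objects through
 * the database index. When cluster_id is empty *cl is left untouched.
 * Without WORK_ON_COPIES the returned pointers are the original
 * objects in objdb, so later modifications change the database in
 * place; with it, copies are created in the workspace library and
 * the cluster's references are remapped to the firewall copy's ids.
 * Only orig_fw is assert()ed: with NDEBUG an unknown firewall_id
 * leaves *fw NULL, and an unknown cluster_id is never checked.
 */
void CompilerDriver::getFirewallAndClusterObjects(const string &cluster_id,
                                                  const string &firewall_id,
                                                  Cluster **cl, Firewall **fw)
{
    if (!cluster_id.empty())
    {
        Cluster *orig_cluster = Cluster::cast(
            objdb->findInIndex(objdb->getIntId(cluster_id)));
#ifdef WORK_ON_COPIES
        *cl = objdb->createCluster();
        workspace->add(*cl);
        (*cl)->duplicate(orig_cluster);
#else
        *cl = orig_cluster;
#endif
    }

    Firewall *orig_fw = Firewall::cast(
        objdb->findInIndex(objdb->getIntId(firewall_id)));
    assert(orig_fw);

#ifdef WORK_ON_COPIES
    *fw = objdb->createFirewall();
    workspace->add(*fw);
    (*fw)->duplicate(orig_fw);

    if (*cl != NULL)
    {
        const map &id_map = (*fw)->getIDMappingTable();
        map::const_iterator it;
        for (it=id_map.begin(); it!=id_map.end(); ++it)
            (*cl)->replaceRef(it->first, it->second);
    }
#else
    *fw = orig_fw;
#endif
}
fwbuilder-5.3.7/src/compiler_lib/CompilerDriver.h000066400000000000000000000253401303637203600220460ustar00rootroot00000000000000/* Firewall Builder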
Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COMPILER_DRIVER_HH__ #define __COMPILER_DRIVER_HH__ #include "fwcompiler/BaseCompiler.h" #include "Configlet.h" #include #include #include #include #include #include #include #include namespace libfwbuilder { class FWObject; class FWObjectDatabase; class Cluster; class ClusterGroup; class FailoverClusterGroup; class Firewall; class RuleSet; class Interface; class Address; class InetAddr; }; #define FW_FILE 0 #define CONF1_FILE 1 #define CONF2_FILE 2 namespace fwcompiler { class OSConfigurator; class CompilerDriver : public BaseCompiler { QString getOutputFileNameInternal(libfwbuilder::Firewall *current_fw, const QString &from_cli, const QString &option_name, const QString &fw_name, const QString &ext); protected: QStringList all_errors; QStringList args; int fwbdebug; std::string filename; std::string wdir; QDir start_current_dir; QString fwobjectname; QString current_firewall_name; // list of file names we should generate. Items in the list are // as follows: [0] - the name of the initialization script (normally // the .fw file); [1] - the name of the confguration file (for // pf, ipfilter this is the main .conf file); [2] - the name of the // next conf file, if any; and so on. 
// // function determineOutputFileNames() fills this list QStringList file_names; // file names on the firewall with full path. Items should correspond // to items in the list file_name // // function determineOutputFileNames() fills this list QStringList remote_file_names; // I store file name provided via -o command line option here QString file_name_setting_from_command_line; // member_file_names is the mapping between member firewall // object ID and corresponding output file name. Can be // enfirced via -O command line option or determined // automatically using member firewall name. Used only when // compiling Cluster QMap member_file_names; int dl; int drp; int drn; int drr; bool rule_debug_on; bool single_rule_compile_on; bool prepend_cluster_name_to_output_file; std::string single_rule_id; int verbose; bool have_dynamic_interfaces; bool ipv4_run; bool ipv6_run; bool fw_by_id; bool prolog_done; bool epilog_done; bool have_filter; bool have_nat; std::map branches; libfwbuilder::FWObjectDatabase *objdb; libfwbuilder::Library *persistent_objects; libfwbuilder::Library *workspace; void determineOutputFileNames(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall *current_fw, bool cluster_member, const QStringList &suffixes, const QStringList &extensions, const QStringList &remote_file_name_fw_options); bool isSupported(std::list *protocols, const std::string &cluster_group_type); virtual int checkCluster(libfwbuilder::Cluster* cluster); void mergeRuleSets(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall *fw, const std::string &type); static bool isReachable(const libfwbuilder::Address* const subnet, const libfwbuilder::InetAddr* const addr); void clearReadOnly(libfwbuilder::Firewall *fw); /* Virtual methods used to compose generated script */ virtual QString printPathForAllTools(libfwbuilder::Firewall* fw, const std::string &os); virtual QString printActivationCommands(libfwbuilder::Firewall *fw); virtual QString assembleManifest(libfwbuilder::Cluster 
*cluster, libfwbuilder::Firewall* fw, bool cluster_member); virtual void assembleFwScriptInternal(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member, OSConfigurator *ocsnf, Configlet *script_skeleton, Configlet *top_comment, const QString &comment_char, bool indent); void _findImportedRuleSetsRecursively(libfwbuilder::Firewall *fw, libfwbuilder::RuleSet *ruleset, std::map &branch_rulesets); QString getAbsOutputFileName(const QString &output_file_name); public: CompilerDriver(libfwbuilder::FWObjectDatabase *db); virtual ~CompilerDriver(); // create a copy of itself, including objdb virtual CompilerDriver* clone(); /** * Process command line arguments */ virtual bool configure(const QStringList &args); /** * Assign target object by its id */ void setTargetId(const std::string &id); /** * create right compiler objects and compile policy, nat and * routing rules for given firewall which can be a member of a * cluster. If firewall is standalone, @cluster_id is an empty * string. Cluster and firewall are defined by their string IDs. * In single compile mode rule ID is provided in @single_rule_id * and generated script is returned. For compilers that create * several files it is up to the actual cmopiler class to decide * what should be returned in the single rule compile mode. In * normal (not single rule) compile mode returned string is * undefined and should not be used. 
*/ virtual QString run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id); virtual void commonChecks(libfwbuilder::Firewall *fw); virtual void commonChecks2(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall *fw); void copyFailoverInterface(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall *fw, libfwbuilder::FailoverClusterGroup *cluster_group, libfwbuilder::Interface *iface); virtual void populateClusterElements(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall *fw); virtual void processStateSyncGroups(libfwbuilder::Cluster*, libfwbuilder::Firewall*); std::string indent(int n_spaces, const std::string &txt); QString indent(int n_spaces, const QString &txt); QString prepend(const QString &prep, const QString &txt); /* * Verifies that state sync and failover group types configured in * the GUI are supported for the given host OS. List of supported * protocols is taken from the os resource file. If unsupported * protocol is found, calls compiler->abort to abort immediately. */ virtual void validateClusterGroups(libfwbuilder::Cluster *cluster); /* * Use chdir to change working directory. In case of failure, exit(1) */ void chDir(); /* * Find firewall or cluster object we should process. */ virtual libfwbuilder::Firewall* locateObject(); void getFirewallAndClusterObjects(const std::string &cluster_id, const std::string &fw_id, libfwbuilder::Cluster **cl, libfwbuilder::Firewall **fw); void findImportedRuleSets(libfwbuilder::Firewall *fw, std::list &all_policies); void assignUniqueRuleIds(std::list &all_policies); virtual bool prepare(const QStringList &args); virtual void compile(); virtual QMap compileSingleRule(const std::string &rule_id); /* * if compilers produced empty string for the generated code, * this method checks if there were any errors and returns * them. If compilers generated output, errors should be * included in it because warning and error messages are * usually attached to rules. 
Errors are taken from the * all_errors member variable. */ QString formSingleRuleCompileOutput(const QString &generated_code); static QString escapeFileName(QString fileName); static QString unescapeFileName(QString fileName); static QString getConfFileNameFromFwFileName(const QString &file_name, const QString &ext); void setDebugRule(int dr) { drp = drn = dr; rule_debug_on = true; } }; }; QTextStream& operator<< (QTextStream &text_stream, const std::string &str); #endif fwbuilder-5.3.7/src/compiler_lib/CompilerDriver_compile.cpp000066400000000000000000000123641303637203600241130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include "CompilerDriver.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Rule.h" #include "fwcompiler/Compiler.h" #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; bool CompilerDriver::prepare(const QStringList &_args) { args = _args; if (!configure(args)) return false; if (!single_rule_compile_on) { Firewall *fw = locateObject(); if (fw == NULL) { cerr << "Firewall or cluster object not found" << endl; return false; } } return true; } void CompilerDriver::compile() { if (single_rule_compile_on) { QMapIterator it(compileSingleRule(single_rule_id)); while (it.hasNext()) { it.next(); info("Firewall " + it.key().toStdString()); info(it.value().toStdString()); info("\n"); } return; } Firewall *fw = locateObject(); if (Cluster::isA(fw)) { commonChecks(fw); // compiling cluster. list members; Cluster::cast(fw)->getMembersList(members); for (list::iterator it=members.begin(); it!=members.end(); ++it) { info("\n"); info(" Firewall " + (*it)->getName() + " member of cluster " + fw->getName()); CompilerDriver *cl_driver = clone(); cl_driver->configure(args); cl_driver->chDir(); cl_driver->run(objdb->getStringId(fw->getId()), objdb->getStringId((*it)->getId()), ""); // if (cl_driver->status == BaseCompiler::FWCOMPILER_ERROR) // We need to always copy the status to make sure // FWCOMPILER_WARNING is passed through status = cl_driver->status; delete cl_driver; } } else { chDir(); commonChecks(fw); run("", objdb->getStringId(fw->getId()), ""); } } /* * Compile single rule and return generated code. 
Rule is defined by * its ID, this is sufficient to locate the rule, ruleset and firewall * objects. If ruleset belongs to a cluster, compile all members and * return code generated for all of them. Returned code is placed in * QMap where the key is member firewall name and value is generated * script. If the rule belongs to a firewall rather than a cluster, * returned QMap contains one item. */ QMap CompilerDriver::compileSingleRule(const string &rule_id) { Cluster *cluster = NULL; Firewall *fw = NULL; Rule *rule = Rule::cast( objdb->findInIndex(FWObjectDatabase::getIntId(rule_id))); if (rule==NULL) throw FWException(string("Rule with ID=") + rule_id + " not found"); FWObject *p = rule; while (p && Firewall::cast(p)==NULL) p = p->getParent(); if (Cluster::isA(p)) cluster = Cluster::cast(p); if (Firewall::isA(p)) fw = Firewall::cast(p); QMap result; if (cluster) { commonChecks(cluster); list members; Cluster::cast(cluster)->getMembersList(members); // this copy of CompilerDriver is not going to do any useful work and // does not need these. 
objdb->remove(persistent_objects, false); objdb->remove(workspace, false); for (list::iterator it=members.begin(); it!=members.end(); ++it) { CompilerDriver *cl_driver = clone(); cl_driver->single_rule_compile_on = true; if (inTestMode()) cl_driver->setTestMode(); if (inEmbeddedMode()) cl_driver->setEmbeddedMode(); result[(*it)->getName().c_str()] = cl_driver->run( objdb->getStringId(cluster->getId()), objdb->getStringId((*it)->getId()), rule_id); delete cl_driver; } } else { commonChecks(fw); single_rule_compile_on = true; result[fw->getName().c_str()] = run("", objdb->getStringId(fw->getId()), rule_id); } return result; } fwbuilder-5.3.7/src/compiler_lib/CompilerDriver_files.cpp000066400000000000000000000237411303637203600235660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "CompilerDriver.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Resources.h" #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; /** * Determine output file name. 
If compiling standalone firewall, the * name can be enforced via -o command line switch in which case it * is stored in file_name_setting_from_command_line. If not, * determine automatically using firewall name. * * The name is determined as follows: * * - if file_name_setting_from_command_line is not empty, it is used * - if file_name_setting_from_command_line is empty, check firewall option * "output_file" and use it if it is not empty * - if it is empty, generate the name using firewall object name and suffix .fw * * If compiling a cluster, the name could have been enforced via -O * command line switch, in which case it will be found in * member_file_names. If not, determine automatically using the same * algorithm as for the standalone firewall (see above). * * This function also determines the name of the .conf file we should * generate. Used only by compielers that generate multiple * files. There is no cli switch to set this name, so the name is * taken from firewall option "conf1_file" or derived from * fw_file_name * * This function stores script file name in variable fw_file_name and * conf file name in conf1_file_name */ void CompilerDriver::determineOutputFileNames(Cluster *cluster, Firewall *fw, bool cluster_member, const QStringList &suffixes, const QStringList &extensions, const QStringList &remote_name_fw_options) { file_names.clear(); remote_file_names.clear(); assert(suffixes.size()==extensions.size()); assert(suffixes.size()==remote_name_fw_options.size()); foreach(QString ext, extensions) { file_names << ""; remote_file_names << ""; } QString firewall_name = QString::fromUtf8(fw->getName().c_str()); if (cluster_member) { // member of a cluster QString fw_id = objdb->getStringId(fw->getId()).c_str(); if (member_file_names.contains(fw_id)) { file_names[FW_FILE] = getOutputFileNameInternal( fw, member_file_names[fw_id], "output_file", firewall_name, extensions[FW_FILE]); } else { file_names[FW_FILE] = getOutputFileNameInternal( fw, "", 
"output_file", firewall_name, extensions[FW_FILE]); } } else { // standalone firewall file_names[FW_FILE] = getOutputFileNameInternal( fw, file_name_setting_from_command_line, "output_file", firewall_name, extensions[FW_FILE]); } FWOptions* options = fw->getOptionsObject(); if (suffixes.size() > 1) { // if we need to deal with conf files at all ... // skip item 0 since it is the .fw file for (int i=1; igetStr( opt_name.arg(i).toStdString()).c_str()); if (!name_from_option.isEmpty()) { // user provided a name for the conf1 file in the // firewall settings dialog. file_names[i] = name_from_option; } else { // special-case file names for the 2-d and subsequent conf // files: if we have the name for the first conf file from // fw option, use it as a prototype, otherwise use fw file // name as a prototype. This is useful when user specifies // the name for pf.conf file, this name will be used as a // prototype for anchor .conf file names instead of the fw // file name if (i >= CONF2_FILE) file_names[i] = getConfFileNameFromFwFileName( file_names[CONF1_FILE], extensions[i]); else file_names[i] = getConfFileNameFromFwFileName( file_names[FW_FILE], extensions[i]); } } // file_names at this point is like this: // file_names= ("ipf4.fw", "ipf4.conf", "ipf4.conf") // // qDebug() << "file_names=" << file_names; // suffixes are inserted right before the file extension, such as in // firewall-suffix.conf for (int i=1; igetName().c_str())) .arg(file_names[i]); } } // Determine remote file names using fw options, if any. 
If option // has not been specificed in the list remote_name_fw_options // (list item is empty string), or the option value is empty, then // guess using firewall_dir option and local file name QString fw_dir = options->getStr("firewall_dir").c_str(); if (fw_dir.isEmpty()) fw_dir = Resources::getTargetOptionStr( fw->getStr("host_OS"), "activation/fwdir").c_str(); for (int i=0; igetStr(remote_name_fw_options[i].toStdString()).c_str(); if (remote_file_name_from_fw_option.isEmpty()) { remote_file_names[i] = fw_dir + "/" + QFileInfo(fn).fileName(); } else remote_file_names[i] = remote_file_name_from_fw_option; } } //qDebug() << remote_file_names; } QString CompilerDriver::getOutputFileNameInternal(Firewall *current_fw, const QString &from_cli, const QString &option_name, const QString &fw_name, const QString &ext) { if (!from_cli.isEmpty()) return from_cli; FWOptions* options = current_fw->getOptionsObject(); QString name_from_option = QString::fromUtf8(options->getStr(option_name.toStdString()).c_str()).trimmed(); if (!name_from_option.isEmpty()) return name_from_option; else return fw_name + "." + ext; } QString CompilerDriver::getConfFileNameFromFwFileName(const QString &file_name, const QString &ext) { QString res; QFileInfo fi(file_name); QString path = fi.path(); if (path == ".") res = fi.completeBaseName() + "." + ext; else res = path + "/" + fi.completeBaseName() + "." + ext; return res; } /* * Replace ' ' with '\ ' in the string. * * DO NOT CHANGE WITHOUT EXTENSIVE TESTING OF THE POLICY INSTALLER ! * * This is used in different places to deal with generated files with * spaces in the name. This can happen if firewall object name has * spaces. This method of escaping the space is used when we generate * manifest line in the .fw file to find other generated files. 
The * same method is also used to generate command line arguments for scp * where spaces cause all sorts of problems, for example scp can't * find the file to copy or issues "ambiguous target" error when * remote file name has a space. Finally, the same method is used to * escape space in the file name before using it for the configlet * variable because this name is used in the shell script that we run * on the firewall. */ QString CompilerDriver::escapeFileName(QString fileName) { return fileName.replace(' ', "\\ "); } QString CompilerDriver::unescapeFileName(QString fileName) { return fileName.replace("\\ ", " "); } fwbuilder-5.3.7/src/compiler_lib/CompilerDriver_generators.cpp000066400000000000000000000131071303637203600246300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include "CompilerDriver.h" #include "Configlet.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Resources.h" #include "fwcompiler/OSConfigurator.h" #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; extern QString user_name; QString CompilerDriver::printPathForAllTools(Firewall*, const std::string &) { return ""; } QString CompilerDriver::printActivationCommands(Firewall*) { return ""; } QString CompilerDriver::assembleManifest(Cluster*, Firewall*, bool) { return ""; } void CompilerDriver::assembleFwScriptInternal(Cluster *cluster, Firewall* fw, bool cluster_member, OSConfigurator *oscnf, Configlet *script_skeleton, Configlet *top_comment, const QString &comment_char, bool indent) { FWOptions* options = fw->getOptionsObject(); string platform = fw->getStr("platform"); string fw_version = fw->getStr("version"); string host_os = fw->getStr("host_OS"); string family = Resources::os_res[host_os]->Resources::getResourceStr( "/FWBuilderResources/Target/family"); bool debug = options->getBool("debug"); string shell_dbg = (debug)?"set -x":"" ; string cmd_dbg = (debug)?"-v ":""; string prolog_place = options->getStr("prolog_place"); if (prolog_place.empty()) prolog_place = "fw_file"; // old default string pre_hook = fw->getOptionsObject()->getStr("prolog_script"); string firewall_dir = options->getStr("firewall_dir"); if (firewall_dir=="") firewall_dir = "/etc/fw"; char *timestr; time_t tm; struct tm *stm; tm = time(NULL); stm = localtime(&tm); timestr = strdup(ctime(&tm)); timestr[strlen(timestr)-1] = '\0'; QString script_buffer; QTextStream script(&script_buffer, QIODevice::WriteOnly); script_skeleton->removeComments(); 
script_skeleton->setVariable("shell_debug", shell_dbg.c_str()); script_skeleton->setVariable("firewall_dir", firewall_dir.c_str()); top_comment->setVariable("version", VERSION); top_comment->setVariable("timestamp", timestr); top_comment->setVariable("tz", tzname[stm->tm_isdst]); top_comment->setVariable("user", user_name); //QFileInfo fw_file_info(fw_file_name); top_comment->setVariable("manifest", assembleManifest(cluster, fw, cluster_member)); top_comment->setVariable("platform", platform.c_str()); top_comment->setVariable("fw_version", fw_version.c_str()); top_comment->setVariable( "comment", prepend(comment_char + " ", fw->getComment().c_str())); script_skeleton->setVariable("have_nat", have_nat); script_skeleton->setVariable("have_filter", have_filter); script_skeleton->setVariable("top_comment", top_comment->expand()); script_skeleton->setVariable( "errors_and_warnings", prepend(comment_char + " ", all_errors.join("\n"))); script_skeleton->setVariable("tools", printPathForAllTools(fw, family)); script_skeleton->setVariable("timestamp", timestr); script_skeleton->setVariable("user", user_name); if (prolog_place == "fw_file") script_skeleton->setVariable("prolog_script", pre_hook.c_str()); else script_skeleton->setVariable("prolog_script", ""); script_buffer = ""; script_skeleton->setVariable("shell_functions", oscnf->printFunctions().c_str()); script_skeleton->setVariable("kernel_vars_commands", prepend((indent) ? " " : "", oscnf->printKernelVarsCommands().c_str())); script_skeleton->setVariable("configure_interfaces", prepend((indent) ? 
" " : "", oscnf->configureInterfaces().c_str())); // this really adds nothing for the most of the systems script_skeleton->setVariable("other_os_configuration_commands", oscnf->getCompiledScript().c_str()); script_skeleton->setVariable("activation_commands", printActivationCommands(fw)); script_skeleton->setVariable("verify_interfaces", ""); script_skeleton->setVariable("epilog_script", fw->getOptionsObject()->getStr("epilog_script").c_str()); } fwbuilder-5.3.7/src/compiler_lib/Configlet.cpp000066400000000000000000000240701303637203600213640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "Configlet.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Constants.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace std; /* * Switch to the special debugging mode if this flag is true. Used in * unit tests. 
This adds special comment lines to mark beginning and * end of the generated text */ bool Configlet::configlet_debugging = false; QString Configlet::begin_marker = "|||||||||||||||| Begin configlet %1"; QString Configlet::end_marker = "|||||||||||||||| End configlet %1"; /* * @filename is a name of the configlet file. The program searches for * it in resources directory, subdirectory configlets/@prefix. If * @filename is absolute path, the program tries to open file as * specified. */ Configlet::Configlet(const std::string &prefix, const QString &file_name) { name = file_name; reload(prefix, file_name); } Configlet::Configlet(const std::string &prefix, const std::string &default_prefix, const QString &file_name) { clear(); name = file_name; if (!reload(prefix, file_name)) reload(default_prefix, file_name); } Configlet::Configlet(FWObject *fw, const std::string &default_prefix, const QString &file_name) { string host_os = fw->getStr("host_OS"); string os_family = Resources::os_res[host_os]-> getResourceStr("/FWBuilderResources/Target/family"); remove_comments = true; comment_str = "##"; collapse_empty_strings = false; name = file_name; if (!reload(os_family, file_name)) reload(default_prefix, file_name); if (code.size() == 0) qCritical() << "Could not open configlet file" << os_family.c_str() << "/" << file_name << "or" << default_prefix.c_str() << "/" << file_name; } Configlet::~Configlet() { } void Configlet::clear() { vars.clear(); remove_comments = true; comment_str = "##"; collapse_empty_strings = false; } bool Configlet::reload(const std::string &_prefix, const QString &file_name) { prefix = _prefix.c_str(); code.clear(); file_path = getConfigletPath(file_name); if (!QFile(file_path).exists()) return false; else { QFile file(file_path); if (file.open(QFile::ReadOnly)) { QTextStream ts(&file); do { QString line = ts.readLine(); code.push_back(line); } while (!ts.atEnd()); removeComments(); return true; } } return false; } QString Configlet::getFullPath(const 
QString &path) { if (QDir::isRelativePath(path)) return QString(Constants::getResourcesDirectory().c_str()) + "/configlets/" + path; else return path; } QString Configlet::getConfigletPath(const QString &configlet_name) { if (QDir::isAbsolutePath(configlet_name)) return configlet_name; QString home = QDir::homePath(); QString file_path; file_path = home + "/fwbuilder/configlets/" + prefix + "/" + configlet_name; if (QFile(file_path).exists()) return file_path; file_path = getFullPath(prefix + "/" + configlet_name); return file_path; } // ************************************************************************ void Configlet::setVariable(const QString &name, const QString &value) { vars[name] = value.trimmed(); } void Configlet::setVariable(const QString &name, int value) { QString val; val.setNum(value); vars[name] = val; } QString Configlet::expand() { // Need non-greedy matching so that if_re matches only one {{?var}} ... {{?}} // clause QRegExp var_re("\\{\\{\\$([^}]*)\\}\\}", Qt::CaseSensitive, QRegExp::RegExp2); var_re.setMinimal(true); // remove comments before processing {{$var}} and {{if var}} so we can // use these in comments QString all_code; if (remove_comments) { QStringList res; foreach(QString line, code) { if (line.startsWith(comment_str)) continue; res.push_back(line); } all_code = res.join("\n"); } else all_code = code.join("\n"); QString err = QObject::tr("Configlet expansion stopped by " "infinite loop protector. " "Check configlet syntax. 
%1").arg(file_path); int counter = 0; int pos = 0; while ((pos = var_re.indexIn(all_code, pos)) != -1 && counter < 1000) { QString var = var_re.cap(1); if (vars.count(var) > 0) { all_code.replace(QString("{{$%1}}").arg(var), vars[var]); } else { // template has a variable that has not been defined // remove '$' from the macro but leave it in place for debugging all_code.replace(QString("{{$%1}}").arg(var), QString("{{%1}}").arg(var)); } counter++; } if (counter >= 1000) qDebug() << err; counter = 0; while (processIf(all_code, 0) && counter < 1000) counter++; if (counter >= 1000) qDebug() << err; if (configlet_debugging) { all_code.push_front(begin_marker.arg(name) + "\n"); all_code.push_back(end_marker.arg(name) + "\n"); } if (collapse_empty_strings) { QStringList res; foreach(QString line, all_code.split("\n")) { if (line.trimmed().isEmpty()) continue; res.push_back(line); } return res.join("\n"); } return all_code; } /* * pos points to the position of "{{?var}}" in the stream */ bool Configlet::processIf(QString &stream, int pos) { QRegExp if_re("\\{\\{if {1,}([^}]{1,})\\}\\}", Qt::CaseSensitive, QRegExp::RegExp2); QRegExp endif_re("\\{\\{endif\\}\\}", Qt::CaseSensitive, QRegExp::RegExp2); if_re.setMinimal(true); endif_re.setMinimal(true); int current_if_pos = if_re.indexIn(stream, pos); if (current_if_pos == -1) return false; int current_if_length = if_re.cap(0).length(); QString current_if_var = if_re.cap(1); // look what is next, another opening if or closing endif int next_if_pos = if_re.indexIn( stream, current_if_pos + current_if_length); int next_endif_pos = endif_re.indexIn( stream, current_if_pos + current_if_length); if (next_if_pos != -1 && next_if_pos < next_endif_pos) { processIf(stream, next_if_pos); // the next if statement has been replaced, process current if // statement again return true; } if (next_endif_pos != -1) { int next_endif_length = endif_re.cap(0).length(); // current if statement starts at current_if_pos // and ends at next_endif_pos 
+ next_endif_length int current_if_clause_length = next_endif_pos + next_endif_length - current_if_pos; QString body = stream.mid( current_if_pos + current_if_length, next_endif_pos - current_if_pos - current_if_length); QString replacement; if (vars.count(current_if_var) > 0) { bool ok = false; int f = vars[current_if_var].toInt(&ok); if (ok && f) replacement = body; } stream.replace(current_if_pos, current_if_clause_length, replacement); } return true; } /** * Set internal flag to remove comments from the produced script and * set comment string. By default comment string is "##". This means * we can still put comments with single "#" in templates and have * these comments appear in the generated script. At the same time, # comments marked with "##" will be removed. */ void Configlet::removeComments(const QString &_str) { remove_comments = true; comment_str = _str; } void Configlet::collapseEmptyStrings(bool f) { collapse_empty_strings = f; } /* * find n-th occurrence of the configlet with given name in @text. 
Count * from 1 */ QString Configlet::findGeneratedText(const QString &configlet_name, const QString &text, int nth) { QString begin_m = begin_marker.arg(configlet_name) + "\n"; QString end_m = end_marker.arg(configlet_name) + "\n"; int n1 = -1, n2 = 0; // find n-th occurrence int count = 0; while (count < nth) { n1++; n1 = text.indexOf(begin_m, n1); if (n1 == -1) return ""; count++; } n1 += begin_m.length(); n2 = text.indexOf(end_m, n1); if (n2 != -1) return text.mid(n1, n2 - n1); return text.mid(n1); } QString Configlet::findConfigletInFile(const QString &configlet_name, const QString &file_path, int nth) { QStringList res; if (!QFile(file_path).exists()) return ""; else { QFile file(file_path); if (file.open(QFile::ReadOnly)) { QTextStream ts(&file); do { QString line = ts.readLine(); res.push_back(line); } while (!ts.atEnd()); } } return findGeneratedText(configlet_name, res.join("\n"), nth); } fwbuilder-5.3.7/src/compiler_lib/Configlet.h000066400000000000000000000052051303637203600210300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __CONFIGLET_HH__ #define __CONFIGLET_HH__ #include #include #include namespace libfwbuilder { class FWObject; }; class Configlet { bool processIf(QString &stream, int pos); protected: QString name; QString prefix; QString file_path; QStringList code; QMap vars; bool remove_comments; QString comment_str; bool collapse_empty_strings; static bool configlet_debugging; static QString begin_marker; static QString end_marker; QString getFullPath(const QString &rel_path); QString getConfigletPath(const QString &configlet_name); public: Configlet(const std::string &prefix, const QString &filename); Configlet(const std::string &prefix, const std::string &default_prefix, const QString &filename); Configlet(libfwbuilder::FWObject *fw, const std::string &default_prefix, const QString &filename); virtual ~Configlet(); bool reload(const std::string &prefix, const QString &filename); void clear(); void setVariable(const QString &name, const QString &value); void setVariable(const QString &name, int value); QString expand(); void removeComments(const QString &comment_str="##"); void collapseEmptyStrings(bool f); /* * the following methods are used in unit tests */ static void setDebugging(bool f) { configlet_debugging = f; } static QString findGeneratedText(const QString &configlet_name, const QString &text, int nth=1); static QString findConfigletInFile(const QString &configlet_name, const QString &file_path, int nth=1); }; #endif fwbuilder-5.3.7/src/compiler_lib/compiler_lib.pro000066400000000000000000000021071303637203600221250ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # # This library is separate from fwcompiler library because it has dependency # on QT include(../../qmake.inc) TEMPLATE = lib SOURCES = CompilerDriver.cpp \ CompilerDriver_files.cpp \ CompilerDriver_compile.cpp \ 
CompilerDriver_generators.cpp \ Configlet.cpp \ interfaceProperties.cpp \ linux24Interfaces.cpp \ openbsdInterfaces.cpp \ freebsdInterfaces.cpp \ nxosInterfaces.cpp \ iosInterfaces.cpp \ junosInterfaces.cpp \ procurveInterfaces.cpp \ pixInterfaces.cpp \ interfacePropertiesObjectFactory.cpp \ AutomaticRules.cpp HEADERS = ../../config.h \ CompilerDriver.h \ Configlet.h \ interfaceProperties.h \ linux24Interfaces.h \ openbsdInterfaces.h \ freebsdInterfaces.h \ nxosInterfaces.h \ iosInterfaces.h \ junosInterfaces.h \ procurveInterfaces.h \ pixInterfaces.h \ interfacePropertiesObjectFactory.h \ AutomaticRules.h INCLUDEPATH += ../libfwbuilder/src DEPENDPATH += ../libfwbuilder/src CONFIG += staticlib TARGET = compilerdriver INSTALLS -= target fwbuilder-5.3.7/src/compiler_lib/freebsdInterfaces.cpp000066400000000000000000000034241303637203600230700ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "freebsdInterfaces.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Firewall.h" #include using namespace libfwbuilder; /* see #2032. About dynamic interfaces: - when we generate rc.conf file, we should add line "ifconfig_em0="DHCP"" for dynamic interfaces, so we should include them in the management list as well. 
*/ bool freebsdInterfaces::manageIpAddresses(Interface *intf, QStringList &update_addresses, QStringList &ignore_addresses) { if (intf->isDyn()) { FWObject *p = intf; while (Firewall::cast(p) == NULL) p = p->getParent(); Firewall *fw = Firewall::cast(p); FWOptions* options = fw->getOptionsObject(); return options->getBool("generate_rc_conf_file"); } else return openbsdInterfaces::manageIpAddresses( intf, update_addresses, ignore_addresses); } fwbuilder-5.3.7/src/compiler_lib/freebsdInterfaces.h000066400000000000000000000024021303637203600225300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FREEBSD_INTERFACE_PROPERTIES_HH #define FREEBSD_INTERFACE_PROPERTIES_HH #include "openbsdInterfaces.h" class freebsdInterfaces : public openbsdInterfaces { public: freebsdInterfaces() : openbsdInterfaces() {} virtual bool manageIpAddresses(libfwbuilder::Interface *intf, QStringList &update_addresses, QStringList &ignore_addresses); }; #endif fwbuilder-5.3.7/src/compiler_lib/interfaceProperties.cpp000066400000000000000000000447171303637203600235010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "interfaceProperties.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FailoverClusterGroup.h" #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; bool interfaceProperties::parseVlan(const QString&, QString*, int*) { return false; } bool interfaceProperties::looksLikeVlanInterface(InterfaceData *intf) { return parseVlan(intf->name.c_str(), NULL, NULL); } bool interfaceProperties::looksLikeVlanInterface(const QString &int_name) { return parseVlan(int_name, NULL, NULL); } /* * common denominator interface name guess. Something like "eth0", * "foo0", "longname0", "name0.1", "name0:1". This is mostly intended * for Linux and BSD, even though it probably matches some Cisco * interfaces too. */ bool interfaceProperties::looksLikeInterface(const QString &name) { QRegExp basic_interface_name_pattern("^[a-zA-Z]+\\d{1,}(\\.\\d{1,})?(:\\d{1,})?$"); return (basic_interface_name_pattern.indexIn(name) != -1); } // simple name validation: does not allow space and "-" // However some platform permit space (procurve). bool interfaceProperties::basicValidateInterfaceName(Interface *, const QString &obj_name, QString &err) { if (obj_name.indexOf(' ') != -1 || obj_name.indexOf('-') != -1) { err = QObject::tr("Interface name '%1' can not contain white space and \"-\"").arg(obj_name); return false; } return true; } /* * While looksLikeVlanInterface only checks interface name format, * this method does more detailed check to determine if the interface * is valid vlan. 
In particular, it checks that given interface is * indeed a subinterface (parent is also interface) and its base name * matches the name of the parent */ bool interfaceProperties::isValidVlanInterfaceName(const QString &subint_name, const QString &parent_name, QString &err) { if (!looksLikeVlanInterface(subint_name)) { err = QObject::tr("'%1' is not a valid vlan interface name") .arg(subint_name); return false; } QString parent_name_from_regex; int vlan_id; if (parseVlan(subint_name, &parent_name_from_regex, &vlan_id)) { if (!parent_name.isEmpty() && parent_name_from_regex != "vlan" && parent_name != parent_name_from_regex) { err = QObject::tr("'%1' looks like a name of a vlan interface " "but it does not match the name of the parent " "interface '%2'").arg(subint_name).arg(parent_name); return false; } if (vlan_id > 4095) { err = QObject::tr("'%1' looks like a name of a vlan interface " "but vlan ID it defines is outside of the valid " "range.").arg(subint_name); return false; } } return true; } void interfaceProperties::getListOfAddresses(Interface *intf, QStringList &addr_list) { list addresses = intf->getByType(IPv4::TYPENAME); list ipv6_addresses = intf->getByType(IPv6::TYPENAME); addresses.splice(addresses.begin(), ipv6_addresses); for (FWObject::iterator j=addresses.begin(); j!=addresses.end(); ++j) { const InetAddr *iaddr_addr = Address::cast(*j)->getAddressPtr(); const InetAddr *iaddr_netm = Address::cast(*j)->getNetmaskPtr(); addr_list.push_back( QString("%1/%2"). arg(iaddr_addr->toString().c_str()). arg(iaddr_netm->getLength())); } } /* * we manage only addresses of vrrp cluster interfaces. * * We ignore addresses of heartbeat and openais cluster interfaces. 
* To ignore them, we pass list of addresses managed by heartbeat to * shell function update_addresses (defined in configlet * "update_addresses") as its second argument to make it ignore these * * This code assumes the name of the cluster interface is the same as * names of the corresponding interfaces of member firewalls. */ bool interfaceProperties::manageIpAddresses(Interface *intf, QStringList &update_addresses, QStringList &ignore_addresses) { update_addresses.clear(); ignore_addresses.clear(); FWObject *fw = Host::getParentHost(intf); //FWObject *fw = intf->getParentHost(); Resources *os_res = Resources::os_res[fw->getStr("host_OS")]; assert(os_res != NULL); if (intf->isDyn()) return false; if (intf->isBridgePort()) return false; if (intf->isSlave()) return false; if (intf->isUnnumbered()) return false; // see #1506 string intf_name = intf->getName(); if (intf->getOptionsObject()->getBool("cluster_interface")) { if (intf->isLoopback()) return false; if (intf->isFailoverInterface()) { FWObject *failover_group = intf->getFirstByType(FailoverClusterGroup::TYPENAME); string failover_type = failover_group->getStr("type"); if (os_res->getResourceBool( "/FWBuilderResources/Target/protocols/" + failover_type + "/manage_addresses")) { getListOfAddresses(intf, update_addresses); return true; } else return false; } /* * if this is cluster interface with the same name as fw interface * (as happens in case of hearbeat or openais), skip it */ if (intf->getOptionsObject()->getStr("base_device") == intf_name) return false; } else { // regular interface. Lets see if there is cluster interface // with the same name. If there is and its failover protocol // is heartbeat or openais, we should ignore all addresses it // might have. 
getListOfAddresses(intf, update_addresses); list interfaces = fw->getByTypeDeep(Interface::TYPENAME); list::iterator i; for (i=interfaces.begin(); i!=interfaces.end(); ++i ) { Interface *iface = Interface::cast(*i); assert(iface); if (iface->getName() == intf_name && iface->getOptionsObject()->getBool("cluster_interface") && iface->isFailoverInterface()) { FWObject *failover_group = iface->getFirstByType(FailoverClusterGroup::TYPENAME); string failover_type = failover_group->getStr("type"); // some protocols do not like it when failover ip address // is managed outside their software if (! os_res->getResourceBool( "/FWBuilderResources/Target/protocols/" + failover_type + "/manage_addresses")) getListOfAddresses(iface, ignore_addresses); break; } } } return true; } bool interfaceProperties::validateInterface(FWObject *target, FWObject *intf, bool check_types, QString &err) { if (Interface::cast(target) && Interface::cast(intf)) { if (!Interface::cast(target)->validateChild(intf)) { // See Interface::validateChild(). Currently the only // condition when interface can not become a child of // another interface is when interface has subinterfaces // of its own. 
err = QObject::tr("Interface %1 can not become subinterface of %2 " "because only one level of subinterfaces is allowed.") .arg(intf->getName().c_str()) .arg(target->getName().c_str()); return false; } if (check_types) { // We check types when this method is called from a compiler string target_interface_type = Interface::cast(target)->getOptionsObject()->getStr("type"); if (target_interface_type.empty()) target_interface_type = "ethernet"; FWObject *fw = Host::getParentHost(target); //FWObject *fw = Interface::cast(target)->getParentHost(); QString host_os = fw->getStr("host_OS").c_str(); Resources* os_res = Resources::os_res[host_os.toStdString()]; list interface_type_pairs; os_res->getResourceStrList( "/FWBuilderResources/Target/subinterfaces/" + target_interface_type, interface_type_pairs); list interface_types; for (list::iterator it=interface_type_pairs.begin(); it!=interface_type_pairs.end(); ++it) { QString p = it->c_str(); interface_types.push_back(p.split(",")[0].toStdString()); } // Implement interface type checks here string interface_type = Interface::cast(intf)->getOptionsObject()->getStr("type"); if (interface_type.empty()) interface_type = "ethernet"; if (std::find(interface_types.begin(), interface_types.end(), interface_type) == interface_types.end()) { err = QObject::tr("Interface %1 (type '%2') can not be a child " "of interface %3 (type '%4')") .arg(intf->getName().c_str()) .arg(interface_type.c_str()) .arg(target->getName().c_str()) .arg(target_interface_type.c_str()); return false; } } } if (Cluster::cast(target) && Interface::cast(intf)) { // Note that @target may not be actually a parent of @intf at // the time of call to this function. We use this function to // validate operation of making @intf a child of @target. @intf // can have some other parent at the moment. 
FWObject *parent_interface = intf->getParent(); if (Interface::isA(parent_interface)) { string interface_type = Interface::cast(intf)->getOptionsObject()->getStr("type"); if (interface_type.empty()) interface_type = "ethernet"; string parent_interface_type = Interface::cast(parent_interface)->getOptionsObject()->getStr("type"); if (parent_interface_type.empty()) parent_interface_type = "ethernet"; if (parent_interface_type == "bridge" && interface_type == "ethernet") { err = QObject::tr("Interface %1 is a bridge port, " "it can not belong to a cluster") .arg(intf->getName().c_str()); return false; } if (parent_interface_type == "bonding" && interface_type == "ethernet") { err = QObject::tr("Interface %1 is a bonding interface slave, " "it can not belong to a cluster") .arg(intf->getName().c_str()); return false; } } } return validateInterface(target, intf->getName().c_str(), err); } /** * this method implements policy for the interface hierarchy, that is, * can given interface be a child of a cluster or a firewall or * another interface. */ bool interfaceProperties::validateInterface(FWObject *target, const QString &interface_name, QString &err) { if (Firewall::cast(target) || Host::cast(target)) { if (vlan_checks && looksLikeVlanInterface(interface_name)) { QString target_name = target->getName().c_str(); if (Cluster::isA(target)) { // cluster is allowed to have top-level vlan interfaces, // therefore we do not need to check the name of the // interface against the name of the parent. 
This is // signalled to isValidVlanInterfaceName() by passing // empty string as target_interface target_name = ""; } return isValidVlanInterfaceName(interface_name, target_name, err); } return true; } if (Interface::cast(target)) { string target_interface_type = Interface::cast(target)->getOptionsObject()->getStr("type"); // check vlan conditions as well if (vlan_checks && looksLikeVlanInterface(interface_name)) { // vlan interface can be a child of a bridge, in which // case its base name does not match the // parent. Perform other checks except this, pass "" // as parent name argument to isValidVlanInterfaceName() if (target_interface_type == "bridge") return isValidVlanInterfaceName(interface_name, "", err); QString target_name = target->getName().c_str(); return isValidVlanInterfaceName(interface_name, target_name, err); } // interface_name is not a vlan // regular interface can only be a child of bond or bridge if (target_interface_type != "bridge" && target_interface_type != "bonding") { err = QObject::tr("Interface %1 which is not a vlan can only " "be a subinterface of a bridge or bonding interface") .arg(interface_name); return false; } return true; } // target is not firewall (cluster) and not interface err = QObject::tr("Interface can not be a child object of %1").arg( target->getTypeName().c_str()); return false; } /* * Ticket #727 * * if type is ethernet and has vlan subinterfaces, not eligible * if type is vlan, eligible * if type is bridge, eligible * if type is bonding, eligible * if type is ethernet and interface with the same name is used for bonding, then not eligible * if type is ethernet and parent is bridge, then not eligible */ bool interfaceProperties::isEligibleForCluster(Interface *intf) { list subinterfaces = intf->getByType(Interface::TYPENAME); string interface_type = intf->getOptionsObject()->getStr("type"); if (intf->isBridgePort()) return false; if (interface_type.empty()) interface_type = "ethernet"; if (interface_type == "8021q") 
return true; if (interface_type == "bridge") return true; if (interface_type == "bonding") return true; if (interface_type == "ethernet") { Interface *parent_iface = Interface::cast(intf->getParent()); if (parent_iface && parent_iface->getOptionsObject()->getStr("type") == "bridge") return false; FWObject *fw = Host::getParentHost(intf); //FWObject *fw = intf->getParentHost(); list interfaces = fw->getByTypeDeep(Interface::TYPENAME); list::iterator i; for (i=interfaces.begin(); i!=interfaces.end(); ++i ) { Interface *iface = Interface::cast(*i); assert(iface); Interface *parent_iface = Interface::cast(iface->getParent()); if (parent_iface == NULL) continue; if (parent_iface->getOptionsObject()->getStr("type") == "bonding" && iface->getName() == intf->getName()) { // @intf is used as a bond slave and can't be used for cluster return false; } } if (subinterfaces.size() > 0) return false; } return true; } void interfaceProperties::guessSubInterfaceTypeAndAttributes(Interface *intf) { Interface *parent_intf = Interface::cast(intf->getParent()); if (parent_intf == NULL) return; // Do not modify read-only object if (intf->isReadOnly()) return; //FWObject *f = Host::getParentHost(intf); //FWObject *f = intf->getParentHost(); // Resources* os_res = Resources::os_res[f->getStr("host_OS")]; // string os_family = f->getStr("host_OS"); // if (os_res!=NULL) // os_family = os_res->getResourceStr("/FWBuilderResources/Target/family"); QString err; if (looksLikeVlanInterface(intf->getName().c_str()) && isValidVlanInterfaceName(intf->getName().c_str(), intf->getParent()->getName().c_str(), err) ) { InterfaceData *idata = new InterfaceData(*intf); //parseVlan(idata); idata->interface_type = "8021q"; parseVlan(idata->name.c_str(), NULL, &(idata->vlan_id)); if (!idata->interface_type.empty()) { intf->getOptionsObject()->setStr("type", idata->interface_type); if (idata->interface_type == "8021q") intf->getOptionsObject()->setInt("vlan_id", idata->vlan_id); } delete idata; } else { if 
(parent_intf->getOptionsObject()->getStr("type") == "bridge") { intf->getOptionsObject()->setStr("type", "ethernet"); } if (parent_intf->getOptionsObject()->getStr("type") == "bonding") { intf->getOptionsObject()->setStr("type", "ethernet"); intf->setUnnumbered(true); } } } fwbuilder-5.3.7/src/compiler_lib/interfaceProperties.h000066400000000000000000000101751303637203600231350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INTERFACE_PROPERTIES_HH #define INTERFACE_PROPERTIES_HH #include #include #include #include "fwbuilder/InterfaceData.h" class interfaceProperties { protected: typedef enum {BONDING_INTERFACE, ETH_NO_DOT, VLAN_INTERFACE, BRIDGE_INTERFACE, UNKNOWN} interface_type; bool vlan_checks; /* * collects all ip addresses of the interface (only direct * addresses, not addresses of subinterfaces) and fills the list * with string representation in the form "address/masklen" */ void getListOfAddresses(libfwbuilder::Interface *intf, QStringList &addr_list); public: interfaceProperties() { vlan_checks = true; } virtual ~interfaceProperties() {} void setPerformVlanChecks(bool f) { vlan_checks = f; } // simple name validation: does not allow space and "-" // However some platform permit space (procurve). 
virtual bool basicValidateInterfaceName(libfwbuilder::Interface *intf, const QString &proposed_name, QString &err); virtual void rearrangeInterfaces( std::map &interfaces, std::list &interface_tree) { // default rearranger: just copy the data std::map::iterator i; for (i=interfaces.begin(); i!=interfaces.end(); ++i) { interface_tree.push_back(&(i->second)); } } virtual bool looksLikeInterface(const QString&); virtual bool parseVlan(const QString&, QString*, int*); virtual bool isValidVlanInterfaceName(const QString &, const QString &, QString&); virtual bool looksLikeVlanInterface(libfwbuilder::InterfaceData*); virtual bool looksLikeVlanInterface(const QString&); virtual bool validateInterface(libfwbuilder::FWObject *parent, const QString &inetrface_name, QString &err); virtual bool validateInterface(libfwbuilder::FWObject *parent, libfwbuilder::FWObject *intf, bool check_types, QString &err); virtual bool isEligibleForCluster(libfwbuilder::Interface *intf); virtual void guessSubInterfaceTypeAndAttributes(libfwbuilder::Interface *intf); /** * for the given interface return list of its ip addresses that we * should manage using update_addresses shell function and list of * addresses we should ignore (as in the case of hearbeat or openais * cluster interfaces). Returns true if we should manage ip addresses * of this interface and false otherwise. Note that it is possible to * return true even when there are no addresses to manage, in which * case lists update_addresses and ignore_addresses are empty. */ virtual bool manageIpAddresses(libfwbuilder::Interface *intf, QStringList &update_addresses, QStringList &ignore_addresses); }; #endif fwbuilder-5.3.7/src/compiler_lib/interfacePropertiesObjectFactory.cpp000066400000000000000000000051241303637203600261450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "interfacePropertiesObjectFactory.h" #include "interfaceProperties.h" #include "linux24Interfaces.h" #include "nxosInterfaces.h" #include "iosInterfaces.h" #include "junosInterfaces.h" #include "procurveInterfaces.h" #include "openbsdInterfaces.h" #include "freebsdInterfaces.h" #include "pixInterfaces.h" #include "procurveInterfaces.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Resources.h" #include using namespace libfwbuilder; using namespace std; interfaceProperties* interfacePropertiesObjectFactory::getInterfacePropertiesObject(FWObject *fw) { Resources* os_res = Resources::os_res[fw->getStr("host_OS")]; string os_family = fw->getStr("host_OS"); if (os_res!=NULL) os_family = os_res->getResourceStr("/FWBuilderResources/Target/family"); return getInterfacePropertiesObject(os_family); } interfaceProperties* interfacePropertiesObjectFactory::getInterfacePropertiesObject( const std::string &os_family) { if (os_family == "linux24" || os_family == "openwrt" || os_family == "dd-wrt-nvram" || os_family == "dd-wrt-jffs" || os_family == "secuwall") return new linux24Interfaces(); if (os_family == "nxos") return new nxosInterfaces(); if (os_family == "ios") return new iosInterfaces(); if (os_family == "junos") return new junosInterfaces(); if (os_family == "pix_os" || os_family == "ios") return new pixInterfaces(); if (os_family == "openbsd") return new openbsdInterfaces(); if 
(os_family == "freebsd") return new freebsdInterfaces(); if (os_family == "procurve") return new procurveInterfaces(); // by default return object of the base class. It performs some // reasonable default actions. return new interfaceProperties(); } fwbuilder-5.3.7/src/compiler_lib/interfacePropertiesObjectFactory.h000066400000000000000000000024161303637203600256130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INTERFACE_PROPERTIES_OBJECT_FACTORY_HH #define INTERFACE_PROPERTIES_OBJECT_FACTORY_HH #include #include "interfaceProperties.h" namespace libfwbuilder { class FWObject; } class interfacePropertiesObjectFactory { public: static interfaceProperties* getInterfacePropertiesObject(const std::string &host_os); static interfaceProperties* getInterfacePropertiesObject(libfwbuilder::FWObject *fw); }; #endif fwbuilder-5.3.7/src/compiler_lib/iosInterfaces.cpp000066400000000000000000000035751303637203600222570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "iosInterfaces.h" #include "fwbuilder/Interface.h" #include #include #include using namespace std; using namespace libfwbuilder; bool iosInterfaces::parseVlan(const QString &name, QString *base_name, int *vlan_id) { QRegExp vlan_name_pattern("([a-zA-Z-]+\\d{1,}/\\d{1,})\\.(\\d{1,})"); if (vlan_name_pattern.indexIn(name) != -1) { if (base_name!=NULL) *base_name = vlan_name_pattern.cap(1); if (vlan_id!=NULL) *vlan_id = vlan_name_pattern.cap(2).toInt(); return true; } return false; } // simple name validation: does not allow space and "-" // However some platform permit space (procurve). bool iosInterfaces::basicValidateInterfaceName(Interface *, const QString &obj_name, QString &err) { if (obj_name.indexOf(' ') != -1) { err = QObject::tr("Interface name '%1' can not contain white space").arg(obj_name); return false; } return true; } fwbuilder-5.3.7/src/compiler_lib/iosInterfaces.h000066400000000000000000000026651303637203600217230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef IOS_INTERFACE_PROPERTIES_HH #define IOS_INTERFACE_PROPERTIES_HH #include "interfaceProperties.h" class iosInterfaces : public interfaceProperties { public: iosInterfaces() : interfaceProperties() {} // simple name validation: does not allow space. Unlike this function // in the base class, permit "-" virtual bool basicValidateInterfaceName(libfwbuilder::Interface *intf, const QString &proposed_name, QString &err); virtual bool parseVlan(const QString&, QString*, int*); }; #endif fwbuilder-5.3.7/src/compiler_lib/junosInterfaces.cpp000066400000000000000000000050261303637203600226140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "junosInterfaces.h" #include "fwbuilder/Interface.h" #include #include #include using namespace std; using namespace libfwbuilder; bool junosInterfaces::parseVlan(const QString &name, QString *base_name, int *vlan_id) { QRegExp vlan_name_pattern("unit (\\d{1,})"); if (vlan_name_pattern.indexIn(name) != -1) { if (base_name!=NULL) *base_name = QString("unit"); if (vlan_id!=NULL) *vlan_id = vlan_name_pattern.cap(1).toInt(); return true; } return false; } // simple name validation: DOES allow space and "-" bool junosInterfaces::basicValidateInterfaceName(Interface *, const QString &obj_name, QString &err) { (void) obj_name; (void) err; // Unused return true; } bool junosInterfaces::isValidVlanInterfaceName(const QString &subint_name, const QString &parent_name, QString &err) { (void) parent_name; // Unused if (!looksLikeVlanInterface(subint_name)) { err = QObject::tr("'%1' is not a valid unit name") .arg(subint_name); return false; } QString parent_name_from_regex; int vlan_id; if (parseVlan(subint_name, &parent_name_from_regex, &vlan_id)) { if (vlan_id > 16384) { err = QObject::tr("'%1' looks like a name of a unit " "but the unit number it defines is outside of the valid " "range.").arg(subint_name); return false; } } return true; } fwbuilder-5.3.7/src/compiler_lib/junosInterfaces.h000066400000000000000000000031451303637203600222610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef JUNOS_INTERFACE_PROPERTIES_HH #define JUNOS_INTERFACE_PROPERTIES_HH #include "interfaceProperties.h" class junosInterfaces : public interfaceProperties { public: junosInterfaces() : interfaceProperties() {} // simple name validation: DOES allow space and "-" virtual bool basicValidateInterfaceName(libfwbuilder::Interface *intf, const QString &proposed_name, QString &err); virtual bool parseVlan(const QString&, QString*, int*); virtual bool isValidVlanInterfaceName(const QString &subint_name, const QString &parent_name, QString &err); }; #endif fwbuilder-5.3.7/src/compiler_lib/linux24Interfaces.cpp000066400000000000000000000300731303637203600227630ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
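To get a copy of the GNU General Public License, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA
*/

#include "../../config.h"
#include "interfaceProperties.h"
#include "linux24Interfaces.h"
// NOTE(review): the names of the four system/Qt headers below were lost
// when this listing was rendered; restore them from the upstream source.
#include
#include
#include
#include

using namespace std;
using namespace libfwbuilder;

/*
 * Recognise Linux 802.1q vlan interface names and split them into the
 * parent interface name and the vlan id. Two naming schemes are accepted,
 * tried in this order:
 *
 *   "eth0.100" -> base "eth0", vlan id 100   (parent.vid)
 *   "vlan100"  -> base "vlan", vlan id 100   (legacy "vlanN")
 *
 * @param name       interface name as reported by the crawler or typed
 *                   by the user
 * @param base_name  receives the parent name (capture 1) when not NULL
 * @param vlan_id    receives the numeric vlan id (capture 2) when not NULL
 * @return true if either pattern matched, false otherwise
 *
 * The patterns are not anchored, so a match anywhere inside the name is
 * accepted. No range check is done here.
 */
bool linux24Interfaces::parseVlan(const QString &name,
                                  QString *base_name, int *vlan_id)
{
    // Element type reconstructed from the append() calls below; the
    // listing dropped the template argument.
    QList<QRegExp> vlan_name_patterns;
    vlan_name_patterns.append(QRegExp("([a-zA-Z-]+\\d{1,})\\.(\\d{1,})"));
    vlan_name_patterns.append(QRegExp("(vlan)(\\d{1,})"));

    for (int idx = 0; idx < vlan_name_patterns.size(); ++idx)
    {
        if (vlan_name_patterns[idx].indexIn(name) == -1)
            continue;

        if (base_name != NULL)
            *base_name = vlan_name_patterns[idx].cap(1);
        // NOTE: QString::toInt() reports a failed conversion (e.g. a digit
        // run too long for int) as 0, so such a name is returned as vlan 0
        // rather than rejected; callers doing range checks should be aware.
        if (vlan_id != NULL)
            *vlan_id = vlan_name_patterns[idx].cap(2).toInt();
        return true;
    }
    return false;
}

/*
 * Minimal syntactic check of an interface name for Linux targets.
 *
 * Only white space is rejected. "-" is deliberately permitted: per #1856
 * OpenWRT uses it in ppp interface names ("ppp-dsl") and bridge interfaces
 * can carry it as well, so rather than cherry-picking we allow it for all
 * interface types.
 *
 * @param intf      interface object (unused, kept for the virtual signature)
 * @param obj_name  proposed name
 * @param err       receives a translated error message on failure; left
 *                  untouched on success
 * @return true if the name is acceptable
 *
 * Fix: the original body ended in two consecutive "return true;"
 * statements; the second was unreachable and has been dropped.
 */
bool linux24Interfaces::basicValidateInterfaceName(Interface *intf,
                                                   const QString &obj_name,
                                                   QString &err)
{
    (void) intf; // Unused

    if (obj_name.indexOf(' ') != -1)
    {
        // Message text kept as-is. It is shown for any interface type,
        // not only bridges, despite its wording.
        err = QObject::tr("Bridge interface name '%1' can not contain white space").arg(obj_name);
        return false;
    }
    return true;
}

/*
 * Take original information about interfaces provided by the crawler
 * and try to arrange it into a tree of interfaces and
 * subinterfaces. Guess based on host OS, interface names and their
 * MAC addresses.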
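Returns data in the argument @interface_tree.

Grouping rules:
 - interfaces with no MAC address (loopback, tunnels, p2p) go straight
   to the top level;
 - interfaces sharing a MAC address are classified by name prefix
   ("bond", "br", "vlan", "eth") and by the presence of a "." (vlan
   tag); the matching parent collects the others as subinterfaces;
 - an interface whose name matches none of the prefixes is emitted as a
   top-level interface. (The original code left the classification
   variable uninitialized in that case and then switched on it, which is
   undefined behaviour; see the comment inside the loop.)

Template arguments of the containers were lost in this listing and have
been reconstructed from usage: the map values are InterfaceData (fields
mac_addr, name, interface_type, vlan_id, subinterfaces are read/written)
and the tree holds InterfaceData pointers. The map key type is not
recoverable from what is visible here; int is assumed (the crawler's
interface index) -- TODO confirm against interfaceProperties.h.
*/
void linux24Interfaces::rearrangeInterfaces(map<int, InterfaceData> &interfaces,
                                            list<InterfaceData*> &interface_tree)
{
    /*
      how to find vlan subinterfaces:

      if interface 1 has name with a dot and numbers after the dot, AND
      its MAC address is the same as MAC address of an interface 2 with
      the name matching the part before the dot, then interface 1 is
      subinterface of 2 and type of interface 2 should be 8021q

      Example of mixed configuration :

      Bridge:  br0 -> eth4
      Bonding: bond0 -> eth2 eth3
      Vlans:   eth1 -> eth1.100 eth1.101 eth1.102
               bond0 -> bond0.200 bond0.201 bond0.202

      eth0      Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:96
      bond0     Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:AA
      bond0.200 Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:AA
      bond0.201 Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:AA
      bond0.202 Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:AA
      eth2      Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:AA
      eth3      Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:AA
      eth1      Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:A0
      eth1.100  Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:A0
      eth1.101  Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:A0
      eth1.102  Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:A0
      br0       Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:BE
      eth4      Link encap:Ethernet  HWaddr 00:0C:29:F6:BE:BE
    */

    // map mac address to the list of InterfaceData objects carrying it.
    // Note that there can be several interfaces with the same mac address
    map<string, list<InterfaceData*> > all_mac_addresses;

    // pass 1: group interfaces by mac address
    map<int, InterfaceData>::iterator i;
    for (i = interfaces.begin(); i != interfaces.end(); ++i)
    {
        // loopback, tunnels and p2p interfaces have no mac address
        if (i->second.mac_addr.empty())
            interface_tree.push_back(&(i->second));
        else
            all_mac_addresses[i->second.mac_addr].push_back(&(i->second));
    }

    // pass 2: for each unique mac address, create top level interface and
    // subinterfaces
    map<string, list<InterfaceData*> >::iterator it;
    for (it = all_mac_addresses.begin(); it != all_mac_addresses.end(); ++it)
    {
        if (it->second.size() <= 1)
        {
            // single interface with this mac, just create it as top-level
            interface_tree.push_back(it->second.front());
            continue;
        }

        // several interfaces with the same mac address
        //
        // Can be:
        //   eth0 and eth0.100, eth0.101
        //   eth0 and vlan1, vlan2
        //   bond0 and eth0, eth1
        //   br0 and eth0, eth1
        list<InterfaceData*> vlan_subinterfaces;
        list<InterfaceData*> bond_subinterfaces;
        list<InterfaceData*> bridge_subinterfaces;
        InterfaceData *vlan_parent_interface = NULL;
        InterfaceData *bond_parent_interface = NULL;
        InterfaceData *bridge_parent_interface = NULL;
        list<InterfaceData*>::iterator intf;

        bool bonding = false;
        bool bridge = false;
        bool vlans = false;
        bool have_dots = false;

        for (intf = it->second.begin(); intf != it->second.end(); ++intf)
        {
            const string &name = (*intf)->name;
            if (name.find("br") == 0) bridge = true;
            if (name.find("bond") == 0) bonding = true;
            if (name.find("vlan") == 0) vlans = true;
            if (name.find(".") != string::npos) have_dots = true;
        }

        // assume that interfaces with a dot in the name are vlan
        // interfaces such as "eth0.100".
        // But vlan interfaces can be "bond0.100" as well.
        if (!vlans && have_dots) vlans = true;

        for (intf = it->second.begin(); intf != it->second.end(); ++intf)
        {
            const string &name = (*intf)->name;
            bool has_dot = (name.find(".") != string::npos);

            // Classify by name. Each test below sets `classified`; when
            // none matches (e.g. "wlan0" or "ppp0" sharing a MAC with
            // another interface) the original code switched on an
            // uninitialized itype -- undefined behaviour. Such names now
            // take the top-level default that the end of this loop body
            // already documents.
            linux24Interfaces::interface_type itype;
            bool classified = false;

            if (name.find("bond") == 0 && !has_dot)
            {
                itype = BONDING_INTERFACE;
                classified = true;
            }
            if (name.find("eth") == 0 && !has_dot)
            {
                itype = ETH_NO_DOT;
                classified = true;
            }
            if (has_dot || name.find("vlan") == 0)
            {
                itype = VLAN_INTERFACE;
                classified = true;
            }
            if (name.find("br") == 0 && !has_dot)
            {
                itype = BRIDGE_INTERFACE;
                classified = true;
            }

            if (!classified)
            {
                // unknown naming scheme: create it as top-level
                interface_tree.push_back(*intf);
                continue;
            }

            if (bonding)
            {
                switch (itype)
                {
                case BONDING_INTERFACE:
                    // interface name starts with "bond" and has no dot,
                    // like "bond0"
                    (*intf)->interface_type = "bonding";
                    bond_parent_interface = *intf;
                    continue;

                case ETH_NO_DOT:
                    // interface name starts with "eth" and has no dot,
                    // like "eth0". This is a physical interface that is
                    // a member of the bonding group
                    (*intf)->interface_type = "ethernet";
                    bond_subinterfaces.push_back(*intf);
                    continue;

                case VLAN_INTERFACE:
                    (*intf)->interface_type = "8021q";
                    parseVlan(name.c_str(), NULL, &((*intf)->vlan_id));
                    bond_subinterfaces.push_back(*intf);
                    continue;

                default:
                    break;
                }
            }

            if (bridge)
            {
                switch (itype)
                {
                case BRIDGE_INTERFACE:
                    // interface name starts with "br" and has no dot,
                    // like "br0"
                    (*intf)->interface_type = "bridge";
                    bridge_parent_interface = *intf;
                    continue;

                case ETH_NO_DOT:
                    // physical interface that is a member of a bridge.
                    // Special case: eth0 can be part of the bridge AND
                    // the vlan parent interface, so break out of the
                    // switch but keep going through the vlan case below.
                    (*intf)->interface_type = "ethernet";
                    bridge_subinterfaces.push_back(*intf);
                    break;

                case VLAN_INTERFACE:
                    // Special case: a vlan interface can be part of the
                    // bridge and part of the vlan configuration; same
                    // break-not-continue as above.
                    (*intf)->interface_type = "8021q";
                    parseVlan(name.c_str(), NULL, &((*intf)->vlan_id));
                    bridge_subinterfaces.push_back(*intf);
                    break;

                default:
                    break;
                }
            }

            if (vlans)
            {
                switch (itype)
                {
                case ETH_NO_DOT:
                    // parent of the vlan subinterfaces, like "eth0"
                    (*intf)->interface_type = "ethernet";
                    vlan_parent_interface = *intf;
                    continue;

                case VLAN_INTERFACE:
                    (*intf)->interface_type = "8021q";
                    parseVlan(name.c_str(), NULL, &((*intf)->vlan_id));
                    vlan_subinterfaces.push_back(*intf);
                    continue;

                default:
                    break;
                }
            }

            // If we get here, the interface was not consumed by any of the
            // cases above. Just create it as top-level.
            // NOTE(review): an "ethN" bridge member reaches this point when
            // the MAC group has no vlans (it only "break"s out of the bridge
            // switch), so it is listed both under the bridge and at top
            // level. Preserved as-is; downstream handling is not visible
            // here.
            interface_tree.push_back(*intf);
        }

        if (bond_parent_interface)
        {
            for (intf = bond_subinterfaces.begin();
                 intf != bond_subinterfaces.end(); ++intf)
                bond_parent_interface->subinterfaces.push_back(*intf);
            interface_tree.push_back(bond_parent_interface);
        }

        if (bridge_parent_interface)
        {
            for (intf = bridge_subinterfaces.begin();
                 intf != bridge_subinterfaces.end(); ++intf)
                bridge_parent_interface->subinterfaces.push_back(*intf);
            interface_tree.push_back(bridge_parent_interface);
        }

        if (vlan_parent_interface)
        {
            for (intf = vlan_subinterfaces.begin();
                 intf != vlan_subinterfaces.end(); ++intf)
                vlan_parent_interface->subinterfaces.push_back(*intf);
            interface_tree.push_back(vlan_parent_interface);
        }
    }
}
fwbuilder-5.3.7/src/compiler_lib/linux24Interfaces.h000066400000000000000000000030401303637203600224270ustar00rootroot00000000000000/*

  Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.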
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef LINUX24_INTERFACE_PROPERTIES_HH #define LINUX24_INTERFACE_PROPERTIES_HH #include "interfaceProperties.h" class linux24Interfaces : public interfaceProperties { public: linux24Interfaces() : interfaceProperties() {} virtual ~linux24Interfaces() {} virtual bool basicValidateInterfaceName(libfwbuilder::Interface *intf, const QString &proposed_name, QString &err); virtual bool parseVlan(const QString&, QString*, int*); virtual void rearrangeInterfaces( std::map &interfaces, std::list &interface_tree); }; #endif fwbuilder-5.3.7/src/compiler_lib/nxosInterfaces.cpp000066400000000000000000000036001303637203600224410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA
*/

#include "nxosInterfaces.h"
#include "fwbuilder/Interface.h"
// NOTE(review): the names of the three system/Qt headers below were lost
// when this listing was rendered; restore them from the upstream source.
#include
#include
#include

using namespace std;
using namespace libfwbuilder;

/*
 * NX-OS subinterface names look like "Ethernet1/2.100": a base name of the
 * form <letters><slot>/<port> followed by "." and the vlan id.
 *
 * @param name       interface name to examine (match is not anchored)
 * @param base_name  receives "<letters><slot>/<port>" (capture 1) when not NULL
 * @param vlan_id    receives the decimal vlan id (capture 2) when not NULL
 * @return true on match, false otherwise
 */
bool nxosInterfaces::parseVlan(const QString &name,
                               QString *base_name, int *vlan_id)
{
    QRegExp subif_pattern("([a-zA-Z-]+\\d{1,}/\\d{1,})\\.(\\d{1,})");
    if (subif_pattern.indexIn(name) == -1)
        return false;

    if (base_name != NULL)
        *base_name = subif_pattern.cap(1);
    if (vlan_id != NULL)
        *vlan_id = subif_pattern.cap(2).toInt();
    return true;
}

/*
 * Simple name validation for NX-OS: white space is rejected, everything
 * else -- including "-" -- is accepted. On rejection @err receives a
 * translated message; on success it is left untouched.
 */
bool nxosInterfaces::basicValidateInterfaceName(Interface *,
                                                const QString &obj_name,
                                                QString &err)
{
    bool has_space = (obj_name.indexOf(' ') != -1);
    if (!has_space)
        return true;

    err = QObject::tr("Interface name '%1' can not contain white space").arg(obj_name);
    return false;
}
fwbuilder-5.3.7/src/compiler_lib/nxosInterfaces.h000066400000000000000000000026711303637203600221150ustar00rootroot00000000000000/*

  Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef NXOS_INTERFACE_PROPERTIES_HH #define NXOS_INTERFACE_PROPERTIES_HH #include "interfaceProperties.h" class nxosInterfaces : public interfaceProperties { public: nxosInterfaces() : interfaceProperties() {} // simple name validation: does not allow space. Unlike this function // in the base class, permit "-" virtual bool basicValidateInterfaceName(libfwbuilder::Interface *intf, const QString &proposed_name, QString &err); virtual bool parseVlan(const QString&, QString*, int*); }; #endif fwbuilder-5.3.7/src/compiler_lib/openbsdInterfaces.cpp000066400000000000000000000036141303637203600231110ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA
*/

#include "openbsdInterfaces.h"
#include "fwbuilder/Interface.h"
// NOTE(review): the name of the system/Qt header below was lost when this
// listing was rendered; restore it from the upstream source.
#include

using namespace libfwbuilder;

/*
 * OpenBSD vlan interfaces are named "vlanN". On a match the base name is
 * the literal "vlan" (capture 1) and the vlan id is N (capture 2); either
 * output pointer may be NULL. The match is not anchored.
 *
 * @return true if "vlanN" occurs in @name, false otherwise
 */
bool openbsdInterfaces::parseVlan(const QString &name,
                                  QString *base_name, int *vlan_id)
{
    QRegExp vlan_pattern("(vlan)(\\d{1,})");
    if (vlan_pattern.indexIn(name) == -1)
        return false;

    if (base_name != NULL)
        *base_name = vlan_pattern.cap(1);
    if (vlan_id != NULL)
        *vlan_id = vlan_pattern.cap(2).toInt();
    return true;
}

/*
 * Decide whether the generated script should manage the addresses of
 * @intf. Static interfaces defer to the base-class policy; dynamic ones
 * are never managed on OpenBSD (see note in the body).
 */
bool openbsdInterfaces::manageIpAddresses(Interface *intf,
                                          QStringList &update_addresses,
                                          QStringList &ignore_addresses)
{
    if (!intf->isDyn())
        return interfaceProperties::manageIpAddresses(
            intf, update_addresses, ignore_addresses);

    // We never manage dynamic interfaces on OpenBSD.
    // But we should add them to the list when rc.conf output format is
    // implemented, just like it is now done for FreeBSD
    return false;
}
fwbuilder-5.3.7/src/compiler_lib/openbsdInterfaces.h000066400000000000000000000025041303637203600225530ustar00rootroot00000000000000/*

  Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OPENBSD_INTERFACE_PROPERTIES_HH #define OPENBSD_INTERFACE_PROPERTIES_HH #include "interfaceProperties.h" class openbsdInterfaces : public interfaceProperties { public: openbsdInterfaces() : interfaceProperties() {} virtual bool parseVlan(const QString&, QString*, int*); virtual bool manageIpAddresses(libfwbuilder::Interface *intf, QStringList &update_addresses, QStringList &ignore_addresses); }; #endif fwbuilder-5.3.7/src/compiler_lib/pixInterfaces.cpp000066400000000000000000000032251303637203600222550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA
*/

#include "pixInterfaces.h"
// NOTE(review): the name of the system/Qt header below was lost when this
// listing was rendered; restore it from the upstream source.
#include

/*
 * http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/gl.html#wp1644971
 *
 *   hostname(config)# interface gigabitethernet0/1.1
 *   hostname(config-subif)# vlan 101
 *   hostname(config-subif)# nameif dmz1
 *   hostname(config-subif)# security-level 50
 *   hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
 *   hostname(config-subif)# no shutdown
 *
 * Subinterface names are "<letters><n>[/<n>...].<vid>". Capture 1 is the
 * whole base name (including any "/<n>" parts, which form capture 2 and
 * are not exposed), capture 3 is the vlan id. Either output pointer may
 * be NULL; the match is not anchored.
 *
 * @return true on match, false otherwise
 */
bool pixInterfaces::parseVlan(const QString &name,
                              QString *base_name, int *vlan_id)
{
    QRegExp subif_pattern("([a-zA-Z-]+\\d{1,}(/\\d{1,})*)\\.(\\d{1,})");
    if (subif_pattern.indexIn(name) == -1)
        return false;

    if (base_name != NULL)
        *base_name = subif_pattern.cap(1);
    if (vlan_id != NULL)
        *vlan_id = subif_pattern.cap(3).toInt();
    return true;
}
fwbuilder-5.3.7/src/compiler_lib/pixInterfaces.h000066400000000000000000000021651303637203600217240ustar00rootroot00000000000000/*

  Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PIX_INTERFACE_PROPERTIES_HH #define PIX_INTERFACE_PROPERTIES_HH #include "interfaceProperties.h" class pixInterfaces : public interfaceProperties { public: pixInterfaces() : interfaceProperties() {} virtual bool parseVlan(const QString&, QString*, int*); }; #endif fwbuilder-5.3.7/src/compiler_lib/procurveInterfaces.cpp000066400000000000000000000102721303637203600233220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "procurveInterfaces.h" #include "fwbuilder/Interface.h" #include #include using namespace std; using namespace libfwbuilder; // simple name validation: does not allow space and "-" // However PoCurve permits space. What about "-" ? bool procurveInterfaces::basicValidateInterfaceName(Interface*, const QString &obj_name, QString &err) { if (obj_name.indexOf('-') != -1) { err = QObject::tr("Interface name '%1' can not contain \"-\"").arg(obj_name); return false; } err = ""; return true; } /* * The difference is that in ProCurve, vlan interfaces have names like * "VLAN 2". We should permit white space between "vlan" and the * number. 
It is unclear whether "vlan" and "Vlan" are allowed besides * "VLAN". */ bool procurveInterfaces::parseVlan( const QString &name, QString *base_name, int *vlan_id) { if (name == "DEFAULT_VLAN") { if (base_name!=NULL) *base_name = "vlan"; if (vlan_id!=NULL) *vlan_id = 1; return true; } // Procurve SNMP reports vlan interface names without space QRegExp vlan_name_pattern("(vlan|Vlan|VLAN) *(\\d{1,})"); if (vlan_name_pattern.indexIn(name) != -1) { if (base_name!=NULL) *base_name = vlan_name_pattern.cap(1); if (vlan_id!=NULL) *vlan_id = vlan_name_pattern.cap(2).toInt(); return true; } return false; } /* * In ProCurve, parent interface and vlan interface names have nothing * in common and can not be verified. */ bool procurveInterfaces::isValidVlanInterfaceName(const QString &subint_name, const QString & /*UNUSED parent_name */, QString &err) { if (!looksLikeVlanInterface(subint_name)) { err = QObject::tr("'%1' is not a valid vlan interface name").arg(subint_name); return false; } QString parent_name_from_regex; int vlan_id; if (parseVlan(subint_name, &parent_name_from_regex, &vlan_id)) { if (vlan_id > 4095) { err = QObject::tr("'%1' looks like a name of a vlan interface " "but vlan ID it defines is outside of the valid range." "").arg(subint_name); return false; } } return true; } /* * many switch ports can be part of the same vlan. It would be ideal * if I could make interface objects that represent switch ports as * subinterfaces of a vlan interface. Unfortunately this is reverse of * our normal model, where vlans are subinterfaces of ethernet * interface objects. Until I figure this out, there will be no * restrictions on ProCurve interface objects. 
*/ bool procurveInterfaces::validateInterface(FWObject * /*UNUSED target */, FWObject * /*UNUSED intf */, bool /*UNUSED check_types */, QString & /*UNUSED err */) { return true; } bool procurveInterfaces::validateInterface(FWObject * /*UNUSED target */, const QString & /*UNUSED interface_name */, QString & /*UNUSED err */) { return true; } fwbuilder-5.3.7/src/compiler_lib/procurveInterfaces.h000066400000000000000000000040361303637203600227700ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PROCURVE_INTERFACE_PROPERTIES_HH #define PROCURVE_INTERFACE_PROPERTIES_HH #include "interfaceProperties.h" class procurveInterfaces : public interfaceProperties { public: procurveInterfaces() : interfaceProperties() {} // simple name validation: does not allow space and "-" // However some platform permit space (procurve). 
virtual bool basicValidateInterfaceName(libfwbuilder::Interface *intf, const QString &proposed_name, QString &err); virtual bool parseVlan(const QString&, QString*, int*); virtual bool isValidVlanInterfaceName(const QString &, const QString &, QString&); virtual bool validateInterface(libfwbuilder::FWObject *parent, const QString &inetrface_name, QString &err); virtual bool validateInterface(libfwbuilder::FWObject *parent, libfwbuilder::FWObject *intf, bool check_types, QString &err); }; #endif fwbuilder-5.3.7/src/fwbedit/000077500000000000000000000000001303637203600157275ustar00rootroot00000000000000fwbuilder-5.3.7/src/fwbedit/fwbedit.cpp000066400000000000000000000576271303637203600201000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Constants.h" #include #include #ifdef HAVE_LOCALE_H #include #endif #include #include #include #include #include #ifndef _WIN32 # include #endif #include #include #include #include #include #include #ifndef errno extern int errno; #endif #ifdef HAVE_GETOPT_H # include #else # ifdef _WIN32 # include # else # include # endif #endif #include "fwbuilder/Resources.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Group.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Interface.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Interval.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/Constants.h" #include "../common/init.cpp" #include "fwbedit.h" #include "upgradePredicate.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" #include #include using namespace libfwbuilder; using namespace std; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; string cmd_str = ""; command cmd = NONE; bool autoupgrade_flag = false; string filename = ""; string filemerge = ""; int conflict_res = 1; vector platforms; FWObjectDatabase *objdb = NULL; int fwbdebug = 0; void list_attributes() { cout << "Attributes for 
the new objects, by type:" << endl; cout << endl; cout << " " << " -t " < &res) { string path = fixPath(obj_path); if (obj->getPath()==path) res.push_back(obj); for (FWObject::iterator it=obj->begin(); it!=obj->end(); ++it) { if (FWReference::cast(*it)) continue; _findObjects(path, *it, res); } } string fixPath(const string &obj_path) { string res = obj_path; // add leading "/" if it is not there if (res[0]!='/') res = string("/") + res; // strip trailing "/" if (res[res.length()-1] == '/') res = res.substr(0, res.length()-1); if (res.find("/FWObjectDatabase")!=0) res = string("/FWObjectDatabase") + res; return res; } void findObjects(const string &obj_path, FWObject *obj, list &res) { if (obj_path.find('/')==string::npos) { int id = FWObjectDatabase::getIntId(obj_path); if (id>=0) { FWObject *o = obj->getRoot()->findInIndex(id); if (o) { res.push_back(o); return; } } } string path = fixPath(obj_path); _findObjects(path, obj, res); } int splitStr(char ch,string s, operands * ops) { int res=0; string::size_type pos; ops->clear(); if (s.length()>0) { while((pos=s.find_first_of(ch))!=string::npos) { ops->push_back(s.substr(0,pos)); s=s.substr(pos+1); res++; } ops->push_back(s); res++; } return res; } string getNextOpt(operands &ops) { operands::iterator it = ops.begin(); if (it == ops.end()) throw OperandsError(); string s = *it; ops.pop_front(); return s; } bool getBool(string s) { return (s.find("y")!=string::npos) || (s.find("Y")!=string::npos) || (s.find("1")!=string::npos); } int main(int argc, char * const *argv) { operands ops; string objtype; string name; string object; string group; string parent; string comment_txt; bool list_children = false; bool recursive = false; string list_format = "%path%"; bool full_dump = false; string import_config; bool deduplicate = false; if (argc<=1) { usage(); exit(1); } /* * Command line format: * fwbedit command [options] * * argv[1] is always command */ cmd_str = string(argv[1]); cmd = NONE; if (cmd_str=="new") cmd = 
NEWOBJECT; if (cmd_str=="delete") cmd = DELOBJECT; if (cmd_str=="modify") cmd = MODOBJECT; if (cmd_str=="add") cmd = ADDGRP; if (cmd_str=="remove") cmd = REMGRP; if (cmd_str=="list") cmd = LIST; if (cmd_str=="upgrade") cmd = UPGRADE; if (cmd_str=="checktree") cmd = STRUCT; if (cmd_str=="merge") cmd = MERGE; if (cmd_str=="import") cmd = IMPORT; char * const *args = argv; args++; argc--; int opt; switch (cmd) { case NEWOBJECT: { // -f file.fwb -t objtype -n name -c comment -p parent [-a attrs] while( (opt=getopt(argc, args, "f:t:n:c:p:a:")) != EOF ) { switch(opt) { case 'f': filename = optarg; break; case 't': objtype = optarg; break; case 'n': name = optarg; break; case 'c': comment_txt = optarg; break; case 'p': parent = optarg; break; case 'a': int num=0; Q_UNUSED(num); if (optarg!=NULL) { string str = optarg; num = splitStr(',', str, &ops); } break; } } if (filename=="") { usage_new(); exit(1); } break; } case DELOBJECT: // -f file.fwb -o object_def // object_def can be either full path or object ID while( (opt=getopt(argc, args, "f:o:")) != EOF ) { switch(opt) { case 'f': filename = optarg; break; case 'o': object = optarg; break; } } if (filename.empty() || object.empty()) { usage_delete(); exit(1); } break; case MODOBJECT: { // -f file.fwb -o object -c comment [-a attrs] while( (opt=getopt(argc, args, "f:o:c:a:")) != EOF ) { switch(opt) { case 'f': filename = optarg; break; case 'o': object = optarg; break; case 'c': comment_txt = optarg; break; case 'a': int num=0; Q_UNUSED(num); if (optarg!=NULL) { string str = optarg; num = splitStr(',', str, &ops); } break; } } if (filename.empty() || object.empty()) { usage_modify(); exit(1); } break; } case ADDGRP: case REMGRP: // -f file.fwb -p group -o object // Add/remove object to group // both group and object can be either path or ID while( (opt=getopt(argc, args, "f:g:o:")) != EOF ) { switch(opt) { case 'f': filename = optarg; break; case 'g': group = optarg; break; case 'o': object = optarg; break; } } if 
(filename.empty() || group.empty() || object.empty()) { if (cmd == ADDGRP) usage_add(); if (cmd == REMGRP) usage_remove(); exit(1); } break; case LIST: // -f file.fwb -o object [-r] [-Fformat_string] [-d] // object can be either path or ID while( (opt=getopt(argc, args, "f:o:crdF:")) != EOF ) { switch(opt) { case 'f': filename = optarg; break; case 'o': object = optarg; break; case 'c': list_children = true; break; case 'r': recursive = true; break; case 'F': list_format = optarg; break; case 'd': full_dump = true; break; } } if (filename.empty() || object.empty()) { usage_list(); exit(1); } break; case UPGRADE: // -f file.fwb autoupgrade_flag = true; while( (opt=getopt(argc, args, "f:")) != EOF ) { switch(opt) { case 'f': filename = optarg; break; } } if (filename.empty()) { usage_upgrade(); exit(1); } break; case STRUCT: // -f file.fwb while( (opt=getopt(argc, args, "f:")) != EOF ) { switch(opt) { case 'f': filename = optarg; break; } } if (filename.empty()) { usage_checktree(); exit(1); } break; case MERGE: // -f file1.fwb -i file2.fwb while( (opt=getopt(argc, args, "f:i:c:")) != EOF ) { switch(opt) { case 'f': filename = optarg; break; case 'i': filemerge = optarg; break; case 'c': conflict_res = atoi(optarg); break; } } if (filename.empty() || filemerge.empty()) { usage_merge(); exit(1); } break; case IMPORT: // -f file.fwb -i config.txt -o /User/Firewalls/new_firewall while( (opt=getopt(argc, args, "f:i:o:d")) != EOF ) { switch(opt) { case 'f': filename = optarg; break; case 'i': import_config = optarg; break; case 'o': object = optarg; break; case 'd': deduplicate = true; break; } } if (filename.empty() || import_config.empty() || object.empty()) { usage_import(); exit(1); } break; case NONE: break; } if (cmd==NONE || filename=="") { usage(); exit(1); } init(argv); try { new Resources(Constants::getResourcesFilePath()); /* create database */ objdb = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate(autoupgrade_flag); 
objdb->load(filename, &upgrade_predicate, Constants::getDTDDirectory()); if (cmd == MERGE) { if (filemerge.empty()) { cerr << "The name of the file that should be merged is missing" << endl; usage_merge(); exit(1); } mergeTree(objdb, filemerge, conflict_res); } else if (cmd == IMPORT) { if (import_config.empty() || object.empty()) { cerr << "Configuration file name and path to the new firewall " "object are mandatory options for import" << endl; usage_import(); exit(1); } QStringList components = QString::fromUtf8(object.c_str()) .split("/", QString::SkipEmptyParts); string fw_name = components.last().toUtf8().constData(); Library *library = NULL; while (library == NULL) { components.pop_back(); string library_path = components.join("/").toUtf8().constData(); list objects; findObjects(library_path, objdb, objects); if (objects.size() == 0) { cerr << "Library or folder '" << library_path << "' not found" << endl; usage_import(); exit(1); } library = Library::cast(objects.front()); } cout << "Import firewall configuration from file " << import_config << endl; cout << "New firewall object '" << fw_name << "' will be created in library '" << library->getName() << "'" << endl; importConfig(import_config, library, fw_name, deduplicate); } else if (cmd == STRUCT) { checkAndRepairTree(objdb); } else if (cmd == LIST) { listObject(objdb, object, list_children, recursive, list_format, full_dump); return(0); } else if (cmd == UPGRADE) { cout << "File upgraded; current data format version: " << libfwbuilder::Constants::getDataFormatVersion() << endl; } else if (cmd == NEWOBJECT) { newObject(objdb, objtype, name, comment_txt, parent, ops); } else if (cmd == DELOBJECT) { delObject(objdb, object); } else if (cmd == MODOBJECT) { modObject(objdb, object, comment_txt, ops); } else { list objects; findObjects(object, objdb, objects); if (objects.size()==0) { cout << "Object " << object << " not found" << endl; exit(-1); } for (list::iterator it=objects.begin(); it!=objects.end(); 
++it) { FWObject *obj = *it; if (cmd==ADDGRP) { list groups; findObjects(group, objdb, groups); if (groups.size()==0) { cout << "Group " << group << " not found" << endl; exit(-1); } FWObject *grp = groups.front(); cout << "Adding object '" << obj->getName() << "' to the group '" << grp->getName() << "'" << endl; grp->addRef(obj); } if (cmd==REMGRP) { list groups; findObjects(group, objdb, groups); if (groups.size()==0) { cout << "Group " << group << " not found" << endl; exit(-1); } FWObject *grp = groups.front(); cout << "Removing object '" << obj->getName() << "' from the group '" << grp->getName() << "'" << endl; grp->removeRef(obj); } } } QString filename_qstr = QString::fromUtf8(filename.c_str()); QString bakfile = filename_qstr + ".bak"; QFile bakf(bakfile); if (bakf.exists()) bakf.remove(); QFile dataf(filename_qstr); if (dataf.rename(bakfile)) { objdb->saveFile(filename); } else { cout << "Could not rename data file, abroting operation" << endl; cout << dataf.errorString().toStdString() << endl; exit(-1); } } catch(FWException &ex) { cerr << ex.toString() << endl; exit(1); } catch (std::string s) { cerr << s; exit(1); } catch (std::exception ex) { cerr << ex.what(); exit(1); } catch (...) { cerr << "Unsupported exception"; exit(1); } return(0); } fwbuilder-5.3.7/src/fwbedit/fwbedit.h000066400000000000000000000063101303637203600175240ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id: fwbedit.cpp 429 2008-07-31 07:03:39Z vadim $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Constants.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include #include #include #include // can't use 'DELETE' in this enum because it is degined somewhere on windows typedef enum { NONE, ADDGRP, REMGRP, DELOBJECT, NEWOBJECT, MODOBJECT, LIST, STRUCT, UPGRADE, MERGE, IMPORT} command; class OperandsError : public std::exception {}; // need to qualify deque even though we use "using namespace std;" // to make it compile on windows typedef std::deque operands; extern void listObject(libfwbuilder::FWObjectDatabase *objdb, const std::string &path, bool list_children, bool recursive, const std::string &list_format, bool full_dump); extern void newObject(libfwbuilder::FWObjectDatabase *objdb, const std::string &objtype, const std::string &name, const std::string &comment_txt, const std::string &parent, operands &ops); extern void delObject(libfwbuilder::FWObjectDatabase *objdb, const std::string &object); extern void modObject(libfwbuilder::FWObjectDatabase *objdb, const std::string &object, const std::string &comment_txt, operands &ops); extern void checkAndRepairTree(libfwbuilder::FWObjectDatabase *objdb); extern void mergeTree(libfwbuilder::FWObjectDatabase *objdb, const std::string &mergefile, int conflict_res); extern void importConfig(const std::string &import_config, libfwbuilder::FWObject *library, const std::string &fw_name, bool deduplicate); extern int splitStr(char ch,std::string s, operands * ops); extern std::string getNextOpt(operands &ops); extern std::string 
fixPath(const std::string &obj_path); extern void findObjects(const std::string &obj_path, libfwbuilder::FWObject *obj, std::list &res); extern bool getBool(std::string s); extern void usage(); fwbuilder-5.3.7/src/fwbedit/fwbedit.pro000066400000000000000000000020551303637203600200770ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) # # TEMPLATE = app QT += network greaterThan(QT_MAJOR_VERSION, 4): QT += widgets printsupport SOURCES = fwbedit.cpp new_object.cpp repair_tree.cpp list_object.cpp merge.cpp import.cpp HEADERS = ../../config.h fwbedit.h upgradePredicate.h INCLUDEPATH += ../libfwbuilder/src ../import ../compiler_lib ../libgui DEPENDPATH += ../libfwbuilder/src ../import ../compiler_lib ../libgui win32:INCLUDEPATH += ../libgui/ui !win32:INCLUDEPATH += ../libgui/.ui TARGET = fwbedit !win32 { QMAKE_COPY = ../../install.sh -m 0755 -s } PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../import/$$BINARY_SUBDIR/libimport.a \ ../parsers/$$BINARY_SUBDIR/libfwbparser.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libgui/$$BINARY_SUBDIR/libgui.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \ LIBS += $$PRE_TARGETDEPS $$ANTLR_LIBS $$LIBS win32:CONFIG += console fwbuilder-5.3.7/src/fwbedit/import.cpp000066400000000000000000000060161303637203600177500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
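This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

To get a copy of the GNU General Public License,
write to the Free Software Foundation, Inc.,
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "../../config.h"
#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/Library.h"

#include "fwbedit.h"
#include "PreImport.h"
#include "IOSImporter.h"
#include "IPTImporter.h"
#include "PIXImporter.h"

// NOTE(review): the names of the three system headers below were lost in
// this listing (angle-bracket contents stripped) and are kept as they
// appeared. The code in this file uses QFile, QString/QStringList and
// std::istringstream.
#include
#include
#include

using namespace libfwbuilder;
using namespace std;

/*
 * Stream a QString into the importer's Logger as UTF-8 text so the
 * importers can log Qt strings directly.
 */
Logger& operator<<(Logger &logger, const QString &str)
{
    logger << str.toUtf8().constData();
    return logger;
}

/*
 * Import a firewall configuration file into the object tree.
 *
 *   import_config  path of the configuration file to read (its content is
 *                  untrusted input; all parsing happens in the Importer
 *                  classes, not here)
 *   library        object under which the new firewall is created
 *                  (main() passes the Library it resolved from -o)
 *   fw_name        name of the new firewall object
 *   deduplicate    if true, the importer is told to reuse identical
 *                  objects instead of creating duplicates
 *
 * The platform is sniffed from the file by PreImport; an unreadable file,
 * an iptables-save dump with counters, or an unrecognized platform prints
 * a message to stderr and exits with status 1.
 */
void importConfig(const string &import_config, FWObject *library,
                  const string &fw_name, bool deduplicate)
{
    QFile f(QString::fromUtf8(import_config.c_str()));
    // Previously the result of open() was ignored: a missing or unreadable
    // file produced an empty buffer that was later rejected as
    // "unrecognized firewall platform", hiding the real cause. Fail early
    // with the OS error instead.
    if (!f.open(QFile::ReadOnly))
    {
        cerr << "Can not open configuration file '" << import_config
             << "': " << f.errorString().toStdString() << endl;
        exit(1);
    }
    string buffer = QString(f.readAll()).toStdString();
    f.close();

    std::istringstream instream(buffer);

    QueueLogger *logger = new QueueLogger();
    logger->copyToStderr();

    Importer* imp = NULL;

    QStringList sl_buf = QString::fromUtf8(buffer.c_str()).split("\n");
    PreImport pi(&sl_buf);
    pi.scan();

    switch (pi.getPlatform())
    {
    case PreImport::PIX:
    case PreImport::FWSM:
        imp = new PIXImporter(library, instream, logger, fw_name);
        break;
    case PreImport::IOSACL:
        imp = new IOSImporter(library, instream, logger, fw_name);
        break;
    case PreImport::IPTABLES:
        imp = new IPTImporter(library, instream, logger, fw_name);
        break;
    case PreImport::IPTABLES_WITH_COUNTERS:
        // The message used to lack a space after "-c\"", so the two string
        // pieces ran together ("-c\"and it includes").
        cerr << "This appears to be iptables configuration saved using "
            "command \"iptables-save -c\" "
            "and it includes packet counters. Please save configuration "
            "using command \"iptables-save\" without option \"-c\" and "
            "try to import it again."
             << endl;
        exit(1);
    default:
        cerr << "Can not import configuration file: unrecognized firewall platform" << endl;
        exit(1);
    }

    if (deduplicate) imp->prepareForDeduplication();

    // Parse errors are logged, not propagated: finalize() still runs
    // afterwards (kept as in the original; presumably so whatever was
    // imported before the error is committed to the tree — confirm in
    // Importer::finalize).
    try
    {
        imp->run();
    } catch(ImporterException &e)
    {
        *logger << e.toString() << "\n";
    } catch(ObjectMakerException &e)
    {
        *logger << e.toString() << "\n";
    }

    imp->finalize();
    // NOTE(review): imp and logger are never freed. Harmless for this
    // one-shot CLI (the process exits soon after), but not reusable as-is.
}
fwbuilder-5.3.7/src/fwbedit/list_object.cpp000066400000000000000000000164761303637203600207500ustar00rootroot00000000000000/* Firewall Builder

Copyright (C) 2008 NetCitadel, LLC

Author: Vadim Kurland vadim@fwbuilder.org

$Id: fwbedit.cpp 429 2008-07-31 07:03:39Z vadim $

This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.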
To get a copy of the GNU General Public License,
write to the Free Software Foundation, Inc.,
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "../../config.h"
#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/Constants.h"

// NOTE(review): the names of the system headers below were lost in this
// listing (angle-bracket contents stripped); they are kept in place as
// they appeared.
#include
#include

#ifdef HAVE_LOCALE_H
#include
#endif

#include
#include
#include
#include
#include
#include
#include
#include

#ifndef _WIN32
#  include
#endif

#include
#include
#include
#include
#include

#ifdef HAVE_GETOPT_H
#  include
#else
#  ifdef _WIN32
#    include
#  else
#    include
#  endif
#endif

#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Group.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Host.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/NetworkIPv6.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/ObjectGroup.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/ServiceGroup.h"
#include "fwbuilder/Interval.h"
#include "fwbuilder/IntervalGroup.h"
#include "fwbuilder/TagService.h"
#include "fwbuilder/UserService.h"

#include

#include "fwbedit.h"

using namespace libfwbuilder;
using namespace std;

/*
 * Resolve the value of one %attr% macro of the "list" format string for obj.
 *
 * Names answered from typed accessors, when obj has a matching type:
 *   id/ID, type, name, path, comment            (every object)
 *   address                                      (IPv4, IPv6, Network, NetworkIPv6)
 *   netmask                                      (dotted form for IPv4/Network,
 *                                                 prefix length for IPv6/NetworkIPv6)
 *   start_address, end_address                   (AddressRange)
 *   dnsname                                      (DNSName)
 *   src_range_start/end, dst_range_start/end     (TCP/UDP services)
 *   icmp_type, icmp_code                         (ICMP services)
 * Any other name — or one of the above on an object of a different type —
 * is passed straight to obj->getStr(attr_name).
 */
string getAttributeValue(FWObject *obj, const string &attr_name)
{
    const string objtype = obj->getTypeName();

    // Attributes every object has.
    if (attr_name=="ID" || attr_name=="id")
        return FWObjectDatabase::getStringId(obj->getId());
    if (attr_name=="type")    return objtype;
    if (attr_name=="name")    return obj->getName();
    if (attr_name=="path")    return obj->getPath();
    if (attr_name=="comment") return obj->getComment();

    const bool is_v4_addr = (objtype==IPv4::TYPENAME ||
                             objtype==Network::TYPENAME);
    const bool is_v6_addr = (objtype==IPv6::TYPENAME ||
                             objtype==NetworkIPv6::TYPENAME);

    if (attr_name=="address" && (is_v4_addr || is_v6_addr))
        return Address::cast(obj)->getAddressPtr()->toString();

    if (attr_name=="netmask" && is_v4_addr)
        return Address::cast(obj)->getNetmaskPtr()->toString();

    if (attr_name=="netmask" && is_v6_addr)
    {
        // IPv6 masks are reported as a prefix length, not in dotted form.
        ostringstream prefix_len;
        prefix_len << Address::cast(obj)->getNetmaskPtr()->getLength();
        return prefix_len.str();
    }

    if (objtype==AddressRange::TYPENAME)
    {
        AddressRange *range = AddressRange::cast(obj);
        if (attr_name=="start_address") return range->getRangeStart().toString();
        if (attr_name=="end_address")   return range->getRangeEnd().toString();
    }

    if (objtype==DNSName::TYPENAME && attr_name=="dnsname")
        return DNSName::cast(obj)->getSourceName();

    if (TCPUDPService *svc = TCPUDPService::cast(obj))
    {
        ostringstream port;
        if      (attr_name=="src_range_start") port << svc->getSrcRangeStart();
        else if (attr_name=="src_range_end")   port << svc->getSrcRangeEnd();
        else if (attr_name=="dst_range_start") port << svc->getDstRangeStart();
        else if (attr_name=="dst_range_end")   port << svc->getDstRangeEnd();
        // Only return if one of the four port names matched.
        if (!port.str().empty()) return port.str();
    }

    if (ICMPService::cast(obj)!=NULL)
    {
        if (attr_name=="icmp_type") return obj->getStr("type");
        if (attr_name=="icmp_code") return obj->getStr("code");
    }

    // Fallback: look the name up as a plain string attribute.
    return obj->getStr(attr_name);
}

/*
 * find first occurrence of the %attr% macro and replace it with the
 * value of corresponding attribute of the obj. Replacement is done in
Replacement is done in * the same string in place, function returns true if it found and * replaced at least one macro, false otherwise */ bool replaceFirstMacroInString(string &str, FWObject *obj) { string::size_type n = 0; for (n=0; n=str.length()) return false; n1 = n; string attr_name = str.substr(n0+1, n1-n0-1); string attr_value = getAttributeValue(obj, attr_name); str.replace(n0, n1-n0+1, attr_value); return true; } } return false; } void listObject(FWObject *obj, bool list_children, bool recursive, const string &list_format, bool full_dump, int offset) { int off = offset; /* * print according to the list_format * format macros are attribute names surrounded by %%, like * %name% or %address% */ if (!list_children) { if (full_dump) obj->dump(recursive, false); else { string format = list_format; while (replaceFirstMacroInString(format, obj)) ; string::size_type n; while ( (n=format.find("\\t"))!=string::npos ) format.replace(n, 2, "\t"); while ( (n=format.find("\\n"))!=string::npos ) format.replace(n, 2, "\n"); cout << string(offset,' ') << format << endl; off += 4; } } if (recursive || list_children) { for (FWObject::iterator it=obj->begin(); it!=obj->end(); ++it) listObject(*it, false, recursive, list_format, full_dump, off); } } void listObject(FWObjectDatabase *objdb, const string &path, bool list_children, bool recursive, const string &list_format, bool full_dump) { list objects; findObjects(path, objdb, objects); if (objects.size()==0) { cout << "Object " << path << " not found" << endl; exit(-1); } for (list::iterator it=objects.begin(); it!=objects.end(); ++it) listObject(*it, list_children, recursive, list_format, full_dump, 0); } fwbuilder-5.3.7/src/fwbedit/merge.cpp000066400000000000000000000042221303637203600175320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
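You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

To get a copy of the GNU General Public License,
write to the Free Software Foundation, Inc.,
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "../../config.h"
#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/Constants.h"
#include "fwbuilder/ObjectGroup.h"
#include "fwbuilder/ServiceGroup.h"
#include "fwbuilder/IntervalGroup.h"
#include "fwbuilder/Constants.h"
#include "fwbedit.h"
#include "upgradePredicate.h"

// NOTE(review): the name of the system header below was lost in this
// listing (angle-bracket contents stripped); it is kept as it appeared.
// This file uses cout/cerr.
#include

using namespace libfwbuilder;
using namespace std;

/*
 * Conflict-resolution policy for a non-interactive merge.
 *
 * FWObjectDatabase::merge() consults askUser() when an object in the
 * incoming tree collides with an existing one. With conflict_res == 1
 * every conflict is answered "yes", with any other value "no". Which copy
 * wins on "yes" is decided inside merge() and is not visible here — check
 * FWObjectDatabase::merge before relying on either value.
 */
class MergeConflictRes : public libfwbuilder::FWObjectDatabase::ConflictResolutionPredicate
{
    int conflict_res;
public:
    MergeConflictRes(int cr) { conflict_res = cr; }
    virtual bool askUser(libfwbuilder::FWObject*, libfwbuilder::FWObject*)
    {
        return (conflict_res == 1);
    }
};

/*
 * Load the data file mergefile and merge its object tree into objdb.
 *
 *   objdb         the database being edited (saved to disk by main() after
 *                 this returns)
 *   mergefile     path of the .fwb file to merge in; loaded with automatic
 *                 format upgrade disabled
 *   conflict_res  passed to MergeConflictRes (see above)
 *
 * The "Deleted Objects" library of the incoming file is dropped before
 * merging so deleted objects are not resurrected in objdb.
 *
 * On any FWException (unreadable or wrong-version merge file, or a failure
 * inside merge() itself) the error is printed and the process exits with
 * status 1. It must not return normally in that case: main() would then
 * back up and re-save objdb — possibly half-merged — and report success.
 */
void mergeTree(FWObjectDatabase *objdb, const string &mergefile, int conflict_res)
{
    cout << "Merge objects from file " << mergefile << endl;

    UpgradePredicate upgrade_predicate(false);

    try
    {
        FWObjectDatabase *ndb = new FWObjectDatabase();
        ndb->load(mergefile, &upgrade_predicate, Constants::getDTDDirectory());

        FWObject *dobj = ndb->findInIndex(FWObjectDatabase::DELETED_OBJECTS_ID);
        if (dobj) ndb->remove(dobj, false);

        MergeConflictRes mcr(conflict_res);
        objdb->merge(ndb, &mcr);
        delete ndb;
    } catch(FWException &ex)
    {
        cerr << ex.toString() << endl;
        // Abort so the data file on disk is left untouched; main() treats
        // FWException the same way (cerr + exit(1)). ndb is intentionally
        // not freed here — the process is exiting.
        exit(1);
    }
}
fwbuilder-5.3.7/src/fwbedit/new_object.cpp000066400000000000000000000606311303637203600205600ustar00rootroot00000000000000/* Firewall Builder

Copyright (C) 2008 NetCitadel, LLC

Author: Vadim Kurland vadim@fwbuilder.org

$Id: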
fwbedit.cpp 429 2008-07-31 07:03:39Z vadim $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Constants.h" #include #include #ifdef HAVE_LOCALE_H #include #endif #include #include #include #include #include #include #include #include #ifndef _WIN32 # include #endif #include #include #include #include #include #ifdef HAVE_GETOPT_H # include #else # ifdef _WIN32 # include # else # include # endif #endif #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Group.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Interface.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" #include 
"fwbuilder/TagService.h" #include "fwbuilder/UserService.h" #include #include "fwbedit.h" using namespace libfwbuilder; using namespace std; std::map systemGroupPaths; std::map systemGroupTypes; void initConstants() { systemGroupPaths[Library::TYPENAME] = ""; systemGroupPaths[IPv4::TYPENAME] = "Objects/Addresses"; systemGroupPaths[IPv6::TYPENAME] = "Objects/Addresses"; systemGroupPaths[DNSName::TYPENAME] = "Objects/DNS Names"; systemGroupPaths[AddressTable::TYPENAME] = "Objects/Address Tables"; systemGroupPaths[AddressRange::TYPENAME] = "Objects/Address Ranges"; systemGroupPaths[ObjectGroup::TYPENAME] = "Objects/Groups"; systemGroupPaths[Host::TYPENAME] = "Objects/Hosts"; systemGroupPaths[Network::TYPENAME] = "Objects/Networks"; systemGroupPaths[NetworkIPv6::TYPENAME] = "Objects/Networks"; systemGroupPaths[ServiceGroup::TYPENAME] = "Services/Groups"; systemGroupPaths[CustomService::TYPENAME] = "Services/Custom"; systemGroupPaths[IPService::TYPENAME] = "Services/IP"; systemGroupPaths[ICMPService::TYPENAME] = "Services/ICMP"; systemGroupPaths[TCPService::TYPENAME] = "Services/TCP"; systemGroupPaths[UDPService::TYPENAME] = "Services/UDP"; systemGroupPaths[TagService::TYPENAME] = "Services/TagServices"; systemGroupPaths[UserService::TYPENAME] = "Services/Users"; systemGroupPaths[Firewall::TYPENAME] = "Firewalls"; systemGroupPaths[Cluster::TYPENAME] = "Clusters"; systemGroupPaths[Interval::TYPENAME] = "Time"; systemGroupTypes["Objects/Addresses"] = ObjectGroup::TYPENAME; systemGroupTypes["Objects/Addresses"] = ObjectGroup::TYPENAME; systemGroupTypes["Objects/DNS Names"] = ObjectGroup::TYPENAME; systemGroupTypes["Objects/Address Tables"] = ObjectGroup::TYPENAME; systemGroupTypes["Objects/Address Ranges"] = ObjectGroup::TYPENAME; systemGroupTypes["Objects/Groups"] = ObjectGroup::TYPENAME; systemGroupTypes["Objects/Hosts"] = ObjectGroup::TYPENAME; systemGroupTypes["Objects/Networks"] = ObjectGroup::TYPENAME; systemGroupTypes["Objects/Networks"] = ObjectGroup::TYPENAME; 
systemGroupTypes["Services/Groups"] = ServiceGroup::TYPENAME; systemGroupTypes["Services/Custom"] = ServiceGroup::TYPENAME; systemGroupTypes["Services/IP"] = ServiceGroup::TYPENAME; systemGroupTypes["Services/ICMP"] = ServiceGroup::TYPENAME; systemGroupTypes["Services/TCP"] = ServiceGroup::TYPENAME; systemGroupTypes["Services/UDP"] = ServiceGroup::TYPENAME; systemGroupTypes["Services/TagServices"] = ServiceGroup::TYPENAME; systemGroupTypes["Services/Users"] = ServiceGroup::TYPENAME; systemGroupTypes["Firewalls"] = ObjectGroup::TYPENAME; systemGroupTypes["Clusters"] = ObjectGroup::TYPENAME; systemGroupTypes["Time"] = IntervalGroup::TYPENAME; } void notEnoughAttributesError() { cerr << "Incorrect number of attributes for given object type" << endl; exit(-1); } bool testIPv4(string s) { bool res=false; try { InetAddr( s.c_str() ); res=true; } catch (FWException &ex) { } return res; } bool testIPv6(string s) { bool res=false; try { InetAddr(AF_INET6, s.c_str()); res=true; } catch (FWException &ex) { } return res; } void invalidIPv4(string s) { if (!testIPv4(s)) { cout << "\"" << s << "\" - invalid IPv4 address." << endl; exit(0); } } void invalidIPv6(string s) { if (!testIPv6(s)) { cout << "\"" << s << "\" - invalid IPv6 address." << endl; exit(0); } } bool testPlatform(const string &pl, const string &os) { vector platforms = Resources::getListOfPlatforms(); operands lst; string str; if (platforms.empty() || ( platforms.size()==1 && platforms.front()=="unknown" )) { cout << "Failed to load list of supported platforms" << endl; exit(1); } for (vector::iterator i=platforms.begin();i!=platforms.end();i++) { string sos=Resources::platform_res[*i]->getResourceStr("/FWBuilderResources/Target/supported_os"); if (sos.empty()) return false; if (*i!="unknown") { if (*i==pl ) { int n = splitStr(',',sos,&lst); for (int i=0;icreate(type); // parent can be either full path to the parent object or // just the name of the library. 
If there are no "/" in the string, // then this is the latter case. string::size_type n = parent.find("/"); if (n==string::npos) path = "/" + parent + "/" + systemGroupPaths[type]; else path = parent; list parents; findObjects(path, objdb, parents); if (parents.size()) { FWObject *parent_obj = parents.front(); if (parent_obj && parent_obj->validateChild(obj)) parent_obj->add(obj); } return obj; } /* * _modObject takes a copy of ops (so the original can be used several times) */ void _modObject(FWObject *nobj, const string &comment_txt, operands ops) { string group; string addr1; string addr2; string dnsrec; string runtime; string path; string lib; string time1; string time2; string date1; string date2; string day1; string day2; string platform; string hostOS; string management; string addr3; string addr4; string tcpflags_mask; string tcpflags_bits; string protocol; string bitmap; string ICMPtype; string ICMPcode; string security; string addrtype; string objtype = nobj->getTypeName(); if (!comment_txt.empty()) nobj->setComment(comment_txt); if (ops.size()==0) return; if (objtype==IPv4::TYPENAME || objtype==IPv6::TYPENAME) { if (objtype==IPv4::TYPENAME) { addr1 = getNextOpt(ops); invalidIPv4(addr1); if (ops.size()>0) { addr2 = getNextOpt(ops); invalidIPv4(addr2); } } else { addr1 = getNextOpt(ops); invalidIPv6(addr1); if (ops.size()>0) { addr2 = getNextOpt(ops); // addr2 is mask length } } cout << "Address: " << addr1 << endl; if (!addr2.empty()) cout << "Netmask: " << addr2 << endl; Address *o = Address::cast(nobj); if (objtype==IPv6::TYPENAME) o->setAddress(InetAddr(AF_INET6, addr1)); else o->setAddress(InetAddr(addr1)); if (!addr2.empty()) { if (objtype==IPv6::TYPENAME) { istringstream istr(addr2); int masklen; istr >> masklen; o->setNetmask(InetAddr(AF_INET6, masklen)); } else o->setNetmask(InetAddr(addr2)); } } else if (objtype==DNSName::TYPENAME) { try { dnsrec = getNextOpt(ops); runtime = getNextOpt(ops); } catch (OperandsError &e) { 
notEnoughAttributesError(); } cout << "DNS Record: " << dnsrec << endl; cout << "Run time: " << runtime << endl; DNSName *o=DNSName::cast(nobj); o->setSourceName(dnsrec); o->setRunTime(getBool(runtime)); } else if (objtype==AddressRange::TYPENAME) { try { addr1 = getNextOpt(ops); invalidIPv4(addr1); addr2 = getNextOpt(ops); invalidIPv4(addr2); } catch (OperandsError &e) { notEnoughAttributesError(); } cout << "Range start: " << addr1 << endl << "Range end: " << addr2 << endl; AddressRange *o=AddressRange::cast(nobj); o->setRangeStart(InetAddr(addr1)); o->setRangeEnd(InetAddr(addr2)); } else if (objtype==ObjectGroup::TYPENAME) { //ObjectGroup *o=ObjectGroup::cast(nobj); ; } else if (objtype==Network::TYPENAME) { try { addr1 = getNextOpt(ops); invalidIPv4(addr1); addr2 = getNextOpt(ops); invalidIPv4(addr2); } catch (OperandsError &e) { notEnoughAttributesError(); } cout << "Address: " << addr1 << endl << "Netmask: " << addr2 << endl; Network *o=Network::cast(nobj); o->setAddress(InetAddr(addr1)); o->setNetmask(InetAddr(addr2)); } else if (objtype==NetworkIPv6::TYPENAME) { try { addr1=getNextOpt(ops); invalidIPv6(addr1); addr2=getNextOpt(ops); invalidIPv6(addr2); } catch (OperandsError &e) { notEnoughAttributesError(); } cout << "Address: " << addr1 << endl << "Netmask: " << addr2 << endl; NetworkIPv6 *o=NetworkIPv6::cast(nobj); o->setAddress(InetAddr(AF_INET6, addr1)); istringstream istr(addr2); int masklen; istr >> masklen; o->setNetmask(InetAddr(AF_INET6, masklen)); } else if (objtype==Firewall::TYPENAME || objtype==Cluster::TYPENAME) { try { platform=getNextOpt(ops); hostOS=getNextOpt(ops); } catch (OperandsError &e) { notEnoughAttributesError(); } cout << "Platform: " << platform << endl << "Host OS: " << hostOS << endl; if (testPlatform(platform, hostOS)) { Firewall *o=Firewall::cast(nobj); o->setStr("platform",platform); o->setStr("host_OS",hostOS); } else { cout << "Platform and Host OS combination is invalid." 
<< endl; } } else if (objtype==Interval::TYPENAME) { try { time1 = getNextOpt(ops); date1 = getNextOpt(ops); day1 = getNextOpt(ops); time2 = getNextOpt(ops); date2 = getNextOpt(ops); day2 = getNextOpt(ops); } catch (OperandsError &e) { notEnoughAttributesError(); } QTime time; QDate date; int m,h,d,mn,y,dw; cout << "Activate a rule on:" << endl << "Time: " << time1 << endl << "Date: " << date1 << endl << "Day of week:" << day1 << endl << "Deactivate a rule on:" << endl << "Time: " << time2 << endl << "Date: " << date2 << endl << "Day of week:" << day2 << endl; Interval *o=Interval::cast(nobj); if (time1 == "") { m=0; h=0; } else { time=QTime::fromString(time1.c_str()); m=time.minute(); h=time.hour(); } if (date1 == "") { mn=2; d=28; y=2935093; } else { date=QDate::fromString(date1.c_str(),Qt::ISODate); mn=date.month(); d=date.day(); y=date.year(); } if (day1 == "") { dw=-1; } else { dw=atoi(day1.c_str()); } o->setStartTime(m,h,d,mn,y,dw); if (time2 == "") { m=0; h=0; } else { time=QTime::fromString(time2.c_str()); m=time.minute(); h=time.hour(); } if (date2 == "") { mn=2; d=28; y=2935093; } else { date=QDate::fromString(date2.c_str(),Qt::ISODate); mn=date.month(); d=date.day(); y=date.year(); } if (day2 == "") { dw=-1; } else { dw=atoi(day2.c_str()); } o->setEndTime(m,h,d,mn,y,dw); } else if (objtype==Interface::TYPENAME) { try { security=getNextOpt(ops); addrtype=getNextOpt(ops); management=getNextOpt(ops); } catch (OperandsError &e) { notEnoughAttributesError(); } if (security=="") { cout << "Security level is mandatory attribute." 
<< endl; } else { cout << "Security level: " << security << endl << "Address type: " << addrtype << endl << "Management interface: " << management << endl; Interface *o = Interface::cast(nobj); int sl = atoi(security.c_str()); o->setSecurityLevel(sl); o->setDyn(addrtype=="dynamic"); o->setUnnumbered(addrtype=="unnumbered"); o->setManagement(getBool(management)); } } else if (objtype==Host::TYPENAME) { //Host *o=Host::cast(nobj); ; } else if (objtype==TCPService::TYPENAME) { try { addr1=getNextOpt(ops); addr2=getNextOpt(ops); addr3=getNextOpt(ops); addr4=getNextOpt(ops); tcpflags_mask=getNextOpt(ops); tcpflags_bits=getNextOpt(ops); } catch (OperandsError &e) { notEnoughAttributesError(); } cout << "Source port range:" << endl << "Start: " << addr1 << endl << "End: " << addr2 << endl << "Destination port range:" << endl << "Start: " << addr3 << endl << "End: " << addr4 << endl << "TCP Flags: " << endl << "Mask: " << tcpflags_mask << endl << "Settings: " << tcpflags_bits << endl; TCPService *o=TCPService::cast(nobj); o->setSrcRangeStart(atoi(addr1.c_str())); o->setSrcRangeEnd( atoi(addr2.c_str())); o->setDstRangeStart(atoi(addr3.c_str())); o->setDstRangeEnd( atoi(addr4.c_str())); o->setBool("urg_flag_mask", tcpflags_mask.find('u')!=string::npos || tcpflags_mask.find('U')!=string::npos); o->setBool("ack_flag_mask", tcpflags_mask.find('a')!=string::npos || tcpflags_mask.find('A')!=string::npos); o->setBool("psh_flag_mask", tcpflags_mask.find('p')!=string::npos || tcpflags_mask.find('P')!=string::npos); o->setBool("rst_flag_mask", tcpflags_mask.find('r')!=string::npos || tcpflags_mask.find('R')!=string::npos); o->setBool("syn_flag_mask", tcpflags_mask.find('s')!=string::npos || tcpflags_mask.find('S')!=string::npos); o->setBool("fin_flag_mask", tcpflags_mask.find('f')!=string::npos || tcpflags_mask.find('F')!=string::npos); o->setBool("urg_flag", tcpflags_bits.find('u')!=string::npos || tcpflags_bits.find('U')!=string::npos); o->setBool("ack_flag", 
tcpflags_bits.find('a')!=string::npos || tcpflags_bits.find('A')!=string::npos); o->setBool("psh_flag", tcpflags_bits.find('p')!=string::npos || tcpflags_bits.find('P')!=string::npos); o->setBool("rst_flag", tcpflags_bits.find('r')!=string::npos || tcpflags_bits.find('R')!=string::npos); o->setBool("syn_flag", tcpflags_bits.find('s')!=string::npos || tcpflags_bits.find('S')!=string::npos); o->setBool("fin_flag", tcpflags_bits.find('f')!=string::npos || tcpflags_bits.find('F')!=string::npos); } else if (objtype==UDPService::TYPENAME) { try { addr1=getNextOpt(ops); addr2=getNextOpt(ops); addr3=getNextOpt(ops); addr4=getNextOpt(ops); } catch (OperandsError &e) { notEnoughAttributesError(); } cout << "Source port range:" << endl << "Start: " << addr1 << endl << "End: " << addr2 << endl << "Destination port range:" << endl << "Start: " << addr3 << endl << "End: " << addr4 << endl; UDPService *o=UDPService::cast(nobj); o->setSrcRangeStart(atoi(addr1.c_str())); o->setSrcRangeEnd( atoi(addr2.c_str())); o->setDstRangeStart(atoi(addr3.c_str())); o->setDstRangeEnd( atoi(addr4.c_str())); } else if (objtype==ICMPService::TYPENAME) { try { ICMPtype=getNextOpt(ops); ICMPcode=getNextOpt(ops); } catch (OperandsError &e) { notEnoughAttributesError(); } cout << "ICMP type: " << ICMPtype << endl << "ICMP code: " << ICMPcode << endl; ICMPService *o=ICMPService::cast(nobj); o->setInt("type",atoi(ICMPtype.c_str())); o->setInt("code",atoi(ICMPcode.c_str())); } else if (objtype==IPService::TYPENAME) { try { protocol=getNextOpt(ops); bitmap=getNextOpt(ops); } catch (OperandsError &e) { notEnoughAttributesError(); } cout << "Protocol number: " << protocol << endl << "Flags: " << bitmap << endl; IPService *o=IPService::cast(nobj); o->setInt("protocol_num",atoi(protocol.c_str())); o->setBool("lsrr",false); o->setBool("ssrr",false); o->setBool("rr",false); o->setBool("ts",false); o->setBool("fragm",false); o->setBool("short_fragm",false); operands flags; int n=splitStr('/',bitmap,&flags); 
string tt; try { for (int i=0; isetBool(tt,true); } else if (tt=="ssrr") { o->setBool(tt,true); } else if (tt=="rr") { o->setBool(tt,true); } else if (tt=="ts") { o->setBool(tt,true); } else if (tt=="fragm") { o->setBool(tt,true); } else if (tt=="short_fragm") { o->setBool(tt,true); } } } catch (OperandsError &e) { notEnoughAttributesError(); } } } void newObject(FWObjectDatabase *objdb, const string &objtype, const string &name, const string &comment_txt, const string &parent, operands &ops) { initConstants(); if (parent.empty()) { cout << "Parent for the object is undefined." << endl; usage(); exit(1); } if (objtype.empty() || name.empty()) { cout << "Need object type and name" << endl; usage(); exit(-1); } cout << "Adding a new object to '" << parent <<"': " << endl << "Type: " << objtype << endl << "Name: " << name << endl; FWObject *nobj = createObject(objdb, objtype, parent); nobj->setName(name); _modObject(nobj, comment_txt, ops); if (objtype==Library::TYPENAME) { FWObject *new_child = createObject(objdb, ObjectGroup::TYPENAME, nobj->getPath()); new_child->setName("Objects"); cout << new_child->getPath() << endl; new_child = createObject(objdb, ServiceGroup::TYPENAME, nobj->getPath()); new_child->setName("Services"); cout << new_child->getPath() << endl; std::map::iterator it; for (it=systemGroupPaths.begin(); it!=systemGroupPaths.end(); ++it) { string path = it->second; if (path.empty()) continue; string t = systemGroupTypes[path]; string::size_type n = path.find("/"); string parent_obj = path.substr(0,n); string obj_name = path.substr(n+1); if (n==string::npos) parent_obj = ""; new_child = createObject( objdb, t, nobj->getName() + "/" + parent_obj); new_child->setName(obj_name); cout << new_child->getPath() << endl; } } cout << endl; } void modObject(FWObjectDatabase *objdb, const string &object, const string &comment_txt, operands &ops) { list objects; findObjects(object, objdb, objects); if (objects.size()==0) { cout << "Object " << object << " not 
found" << endl; exit(-1); } for (list::iterator it=objects.begin(); it!=objects.end(); ++it) { FWObject *obj = *it; cout << obj->getPath() << endl; _modObject(obj, comment_txt, ops); } } void delObject(FWObjectDatabase *objdb, const string &object) { list objects; findObjects(object, objdb, objects); if (objects.size()==0) { cout << "Object " << object << " not found" << endl; exit(-1); } for (list::iterator it=objects.begin(); it!=objects.end(); ++it) { FWObject *obj = *it; cout << "Removing object '" << obj->getName() << "' from the tree." << endl; objdb->removeAllInstances(obj); } } fwbuilder-5.3.7/src/fwbedit/repair_tree.cpp000066400000000000000000000116631303637203600207430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id: fwbedit.cpp 429 2008-07-31 07:03:39Z vadim $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Constants.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/IntervalGroup.h" #include "fwbedit.h" #include using namespace libfwbuilder; using namespace std; void testAndFix(FWObjectDatabase *objdb, const string &path, const string &type, FWObject *root) { list objects; findObjects(path, root, objects); if (objects.size()==0) { string::size_type n = path.rfind('/'); string obj_name = path.substr(n+1); string parent_path = path.substr(0, n); findObjects(parent_path, root, objects); assert(objects.size()==1); FWObject *parent = objects.front(); cout << path << " is missing "; FWObject *new_obj = objdb->create(type); new_obj->setName(obj_name); parent->add(new_obj); cout << "( Fixed )" << endl; } else cout << path << " ok" << endl; } void checkAndRepairTree(FWObjectDatabase *objdb) { cout << "Check and repair tree structure:" << endl; FWObject *root=objdb; FWObject *nlib; string lib_name; bool ro_flag; for (FWObject::iterator i=root->begin(); i!=root->end(); ++i) { nlib = *i; lib_name = nlib->getName(); if (nlib->getId()!=FWObjectDatabase::DELETED_OBJECTS_ID) { ro_flag = nlib->isReadOnly(); cout << "Library: " << lib_name << ((ro_flag)?"(Read only)":" ") << endl; nlib->setReadOnly(false); testAndFix(objdb, lib_name + "/Objects", ObjectGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Objects/Address Ranges", ObjectGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Objects/Address Tables", ObjectGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Objects/Addresses", ObjectGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Objects/DNS Names", ObjectGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Objects/Groups", ObjectGroup::TYPENAME, root); testAndFix(objdb, lib_name 
+ "/Objects/Hosts", ObjectGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Objects/Networks", ObjectGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Services", ServiceGroup::TYPENAME,nlib); testAndFix(objdb, lib_name + "/Services/Custom", ServiceGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Services/Groups", ServiceGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Services/ICMP", ServiceGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Services/IP", ServiceGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Services/TCP", ServiceGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Services/UDP", ServiceGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Services/Custom", ServiceGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Services/TagServices", ServiceGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Services/Users", ServiceGroup::TYPENAME, root); testAndFix(objdb, lib_name + "/Clusters", ObjectGroup::TYPENAME,nlib); testAndFix(objdb, lib_name + "/Firewalls", ObjectGroup::TYPENAME,nlib); testAndFix(objdb, lib_name + "/Time", IntervalGroup::TYPENAME,nlib); nlib->setReadOnly(ro_flag); } } } fwbuilder-5.3.7/src/fwbedit/upgradePredicate.h000066400000000000000000000034341303637203600213540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003-2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "fwbuilder/XMLTools.h" #include class UpgradePredicate: public libfwbuilder::XMLTools::UpgradePredicate { bool autoupgrade_flag; public: UpgradePredicate(bool autoupgrade) { autoupgrade_flag = autoupgrade; } virtual bool operator()(const std::string&) const { bool res=false; std::cout << "Data file has been created in the old version of Firewall Builder." << std::endl << std::flush; if (autoupgrade_flag) { std::cout << "Do you want to convert it? (Y/n)" << std::endl; int a = getchar(); if (a=='y' || a=='Y' || a=='\n' ) res= true; } else { std::cout << "Use option '-u' to upgrade the file in fwbedit." " Alternatively, fwbuilder GUI can convert it." << std::endl; } if (res) std::cout << "Upgrading the file now ..." << std::endl; return res; } }; fwbuilder-5.3.7/src/gui/000077500000000000000000000000001303637203600150675ustar00rootroot00000000000000fwbuilder-5.3.7/src/gui/.gitignore000066400000000000000000000000131303637203600170510ustar00rootroot00000000000000fwbuilder fwbuilder-5.3.7/src/gui/FwbuilderInfo.plist000066400000000000000000000037311303637203600207070ustar00rootroot00000000000000 CFBundleDocumentTypes CFBundleTypeExtensions fwb CFBundleTypeIconFile @ICON@ CFBundleTypeMIMETypes text/xml CFBundleTypeName Firewall Builder Object File CFBundleTypeRole Viewer LSIsAppleDefaultForType CFBundleTypeExtensions fwl CFBundleTypeIconFile @ICON@ CFBundleTypeMIMETypes text/xml CFBundleTypeName Firewall Builder Library File CFBundleTypeRole Viewer LSIsAppleDefaultForType CFBundleIconFile @ICON@ CFBundlePackageType APPL CFBundleGetInfoString Created by Qt/QMake CFBundleSignature @TYPEINFO@ CFBundleExecutable @EXECUTABLE@ NOTE Please, do NOT change this file -- It was generated by Qt/QMake. 
fwbuilder-5.3.7/src/gui/fwbuilder-macosx.icns000066400000000000000000007152741303637203600212400ustar00rootroot00000000000000icnsis322SjvP'322SjvP'322TvQ6322TvQ63242niom6ic16'7QWPMA.78("LCMhvY?6TD2P;@6iVA..JC;  2SjvP'322SjvP'322TvQ6322TvQ6322/niom4ic.6kziZPMA.9WyXdޛ|vY?Yr7W`iVA.\:;F>A4=FDH12SjvP'322SjvP'322TvQ6322TvQ632,)niom.ic(6"HVPMA.6. '/avY?+,+*iVA.$ s8mk5bS +3il32 X jZZYYXVplziu[YFGIsbZrc.cBUZZXgY[@^K(^L7ZwZkZ+-cy1.y\bZ/1?qPE\qY@2++Z01CqLhyeR@51@EZ+0Ep{iVD7/QnZidcz#As|iVD710KXZ!|nkc^jqpZVWiyfR@55F_ZZ_ae]]_nUZZ}ykbXUgrhhZTPLXN:DiyjmɵssA/EQ(:Paҟekⴣ˿n\`9 4'OõUn`Ugo??}ɴŸ_^d<.bZEQ͹~KYVzܘuyrvkq ebq̿qWxjiŇwvw~ηvt^L7Ϲ[xH: ŤePbxW)׷Ƹ}|bMJB^SӾ|E}SDONzx>0ҼnjS]IHIQW]݌fJxCOC??8bĵm:bnt}l. *Nzͷ|U=LLJGS\[&)9[tdG:LLID7=2>Wq^J8D=N;L:65)?[ziXH8QEMME6-)"S~m\HC?;WJ4/) ,XsuqhZH4(" .  jZZYYXVplziu[YFGIsbZrc.cBUZZXgY[@^K(^L7ZwZkZ+-cx1.y\bZ/1?qMD\qY@2++Z01CqJhyeR@51@EZ+0Ep{iVD7/QnZiccz#As|iVD710KXZ!|mkc^iqpZVWiyfR@55F_ZZ_ae]]_nUZZ}ykbXUgrhgZTPLXN:DiyjmɵssA/EQ(:Paҟekⳣ˿n\`9 4'OõUn`Ugo??}ɴŸ_^d<.bZEQ͹KYVzܘuyrvkq ebq̿qWxjiŇwvw~ηvt^L7Ϲ[xH: ŤePbxb׷Ƹ}|b ^SӾ|E}"zx=0ҼnjSAW]݌fGr~z(8bĵeOrul-F) *Nzͷx^|X&)9[tdKpȾyq>Wq^FP{h?[ziXC[xg"S~m\FxzswqN ,XsuqhZH33^TEaEOF  jZZYYXVplziu[YFGIsbZrc.cBUZZXgY[@^K(^L7ZwZkZ+-ds./y\bZ/1?pFB]qY@2++Z01CpBeyeR@51@EZ+0Eo~{iVD7/QnZiccy#As|iVD710KXZ{mjc^iqpZVWiyfR@55F`ZZ^`d\]_`_mUZZ}ykbXUgqffZTPLWN:EhyjmɵssA/DP(9Paџekⱟʿn\`9 2'OõUn^Rgo??}ɴŸ_^d:,bZEP͹~JYVzܕryrvkpebq̿qWxifŅtvw~ηvt^K6Ϲ[xF8 ŤePbv@ֵŸ}|b9.(\QӾ|E9(51zx;.ӼnjSJ-.06 W]܉cKz'0*$(8bĵp4Pms}"l/*Nzͷ~S(+$+1;P\&)9[tdF(%(%$#>Wq^K2' ).?[ziXJ,0&+*$"S~m\J,41 ,XsuqhZH5   l8mkWN`b; RoTDmY g  & 1G6^_hQuQ8 a J D$ 6wٷF#!)' it32qnoligcb_^\YWWURRQOONMLKJJIH FBKTTSSTYUQOKIHJKJPqno(ligcb_]\ZXXWVUSSRQPPOMMLLJCI{SPOKIHJKJPnik(geedcba`_^]\[ZYWUTRQOMLLIIt\PQOKIHJKJPyogbbca^ZVY^aeijtxxu|MTQOKIHJKJPpgoļЩ ZRTQNKJJIHJKJPƵsjmmf]RC2%.oCHIMNNMMLLJJIHIHHJKJP|{) ,AS_dc\QD5$2wePQQPONMLLKKJJKJPsuvuo$6GVafd]RE6&5z~>csWUTSSRPPONMLKO znkhhke$6GVafd]RE6&5hnu: QpWYXWVUTSRQQNMNK^"u_^__Y$6GVafd]RE6&4X^ aAkd\WTTVTV[ZYglMRSM$6GVafd]RE6'1INK_a`{jbYRM 
H$FMhD@?$6GVafd]RE6'.i9>;@w6Kɻ[a!`e,?+'a\8t$6GVafd]RE6(,U*./,.ow= MF15!-^/=,]Wc$6GVafd\PB3$'Ej~qMM}||}}||{x3:;"8O/43+DĬy4Y$6GVafb\`SEAAI;GP`{zxrorp9;<$=:@/433/1bӼЖNE.L$6GV`cngd|;>?$>Ai/3279Dlֱb@GN+>$6FRdZ[Xp?BC$PNO(NMwz~/38?GP[fAJIPXWTt~yupkgb\XSOJFB>;863 4:. ""0URS(Mo{wz~038?GP[eAJIUdc`y~yupkgb\XSOJFB>;863 49(!nYTU)Plzwz~/38?GQ\fAJGZrpn~~yupkgb\XSOJFB>;863 49  d]VW)Qzwz~/38?GQ\fAJG_}{~yupkgb\XSOJFB>;863 70 \`Z[+Z[izwz~/38?GQ]hAJFd~yupkgb\XSOJFB>;863/_}mYOi^[,\Z`rzwz~/38?HR^iBJJHAk~yupkgb\XSOJFB>;863 -el^YZ-[Yckpzwz~/38?HR^iCHDPu~yupkgb\XSOJFB>;863 ,lwgga\]-\Zjmpzwz~.3348?HS_j>Mu~yupkgb\XSOJFB>;863 ,li[ahha[\-]eimpzwz~*2348?HS_jo~yupkgb\XSOJFB>;863;=EXcgh[QR!QVjimpzwz~'.348@IS_lz€Ģ~yupkgb\XSOJFB>;8634;HVahfVQ PQh\himpzwz~&-(148@IT`my~yupkgb\XSOJFB>;8634:ES`f\O lb%,)29@IUamy~yupkgb\XSOJFB>;86349CQ\[Q~{z{yh^_bb%+)5@JUamy~yupkgb\XSOJFB>;86348BKOO ywvx~sbY[`bcdb%,&+7GVamy~yupkgb\XSOJFB>;864345:>E|wonlmllkjijk|j\TW\^_abcdb +&-?@H]ly~yupkgb\XSOJFB>;8631.1=Hvrmleccddedc`an~^LWZ[]^_abcdbE7DSaf88X]n~~yupkgb\XSOJFB?;964331/-0:FOb)wja]YVVWZYWXh|z^NIGPXZ[]^_abcdbv6trwCIm]_fv~yupkgb\XSOJGB?<840.-/5?IRZal-kiib^ht{kY`xrWGBHLOJPXZ[]^_a`beb4O[uskilt|zvqlhb\WRLGC;831026?ENU\dmrv.koYXNJFGEDCGKOXdo~jO?@AFKPX`hov{~}UaUPC@=?#>;7=Rm~q/4;@CEGIKMOJPXXZ]foz|5z\tpnunkjdda^\YVVWVUUVR7gOPPQTYaipw|4}Q=3+.13456652/9RpwZ=&uy0;>ACEGIKMOJNXblwynw]z{vusoopoonngHb`_^aflt{QSMj{cM:1*%&2No{rQ6').+yz1;>ACEGIKMMHcuʦͅuns[{đ|Wpnighlryt?,& "(2H^uxbhwkH-")-/0+yz1;>ACEGGHMVeeyЦ҅qnpWzّ½ayvokkmrw}f-Vt9%"%(+-/0+yz1;>AABFO\kzvҦ҅o7n}Wz¾h~yrljjnsx}h-"@_eS&ph  "$%(+-/0+yz1::@IXiwрӦӅ^f]nU}¾kzqjhgjnry}~Y  8V^M+ km "$%(+-/0*zy/AUfuЁӦʅ˅[n^K0uĿm}tlffhlrw||i:# +BJd"24(  lm "$%''*3H^us˦ϹzɅjniqcGLlLEEXſx|ri_TH8+%:sk    lm ! 
"+AXp˥˿٦҆dWgxsxڦw3JvqbN?6:BVsKdqh  lm&9Sk|ȁ˨ͭɦʅZXYfwȽ]a|=Nvldcca[]ht|Fcsm  ln59_}ʀǤ㡪׀ȆZWeuקخSAKNR0z~{tf`eoEctm  by`~Xvɀ˘ʦʆWmevБݜJ:EKKf=͙ȾxnhcbepFctn %Ccvm¾ŶȆ=*əɦɆVmdȗژE0;AEV=}Ñ{sidcbpHdso" =^v}οýöƹ!%rĖʦ͆WmfwˑڙA%18;O=zǿ|sljgipHesr&.ZrȆҽƽک{ciwPONZ{ˑڜ<&-2F=zɿzvnilsMlub/Y;Tˈm^LFSƪu~koliAK}ёٝ7$'=>xú{rlsuSnzA3/=^vKdʆʾɼ±q#^LJ?NmŦՅv@y_Df~ϑמ3 3>{}ytynM92JyZ@[v\rļ*̈°ǭ\ZDF@5I|ɦdž`myqbiˑڞ- )=xĸvq_P@GTvRJibvǺLjǖ~zҽýZ^:<5)E}ŦĆnmwsОN-&={zpaPVU^n~xw\Ssb{¶ɽ|hx֌ѲȻZ^/1+?{˾engwö|smu:s|tjjdb[d}y~{dYq_zɳ|hз̽¶\^$' ;}ƽao`g|ƺYx|}y~yc[obwȲ¹biֻıھĺķĠ?b4zȺȄdocm{¬ƾu}~zyvb[rczȹ\IxX-Ӫ¹Ib{ Q~œcpam{˱ùù|~}zxwaVpfraHaXX?˴Ebw/N|oz}\nVlۑǼ{zaCUoH,Ky]:}[u½̺9\jyͦ΄orDZȋȾŻ~lB&N\iZ=6fƼ`lSLGQ׬Žai¯ƹxov`Mgۑɼ~iD(Ctf$;wľKrLNI?L~·voontzsZ^qܑ¼v{jZIES{wQ4h? gGF@5HjЖڮɵs|Ưx֑ƾýujla``xxl[Yj>S@<6*CƳӸɳɁʄtɼº~wkh[epuk\K^}>K73+ =̷ܦ͵`\s~ɾμpwi[K]@A,)"9͛ǷԶ8^ǸȂƱ{ti[L`}89# 3ǥʀӵxq>p}|wqg]N]ziL`z/0һҶr5p|IJƣzysoh^MUxtJDlǞ% 1gxǿҸ~Ϧ[~ϸ}zwsol`N]unO8O$!>j}śղ|S tUwþ̻ɱz~|wwv[;F:+2dvxxŰ̲̊ǯ;4, >{FEó;nI3Y@ B2?y|{puӽή˶íOAkdH8/ tgCcͼǨgG4N}b,TyLuriyͪXLR|jE>>%toJQtͲôŴnT8/J_"OOsao̧ӯѻ97@Pk_\KU+tĦsvʿIJĪzjZX]l]s` Oz`_˔Ϯȴ~8MdQW=>;%.6vޑʐ]a|@ӿӰý¾^pkG`@M}ƱS5-32=5MULaD7;1vޑSAKNR=ŷǙȺ_qmDeB:Zyỡf>TpR972EK]oUGGEvݑJ:EKKf=ΛͶ_nl/`t}β_GQaO@>3BV\YNL_T/oymwܑߗE0;AEV>ڡλbo\H>s~uæe1=F_h`NTABFTICmLK9zyYfۑݙA%18;O>՞^qb;@Tit;zlwljȞ[8`YTJ9SXC8=p?MK&@A yBPۑޛ<&-2F>ԝÿ^tF.g3Ffrٝÿ`VX)F}-Dcpל׿}_;-Iu0Cbo<}bRu.JN[VKW[P@E'?QX_[..- qyptí[Veߝ- )>ؙǺgM<:Jow3DanʔzhTHFFRrz6D`o=\@R]|Y6=>G2Z`T8IYtm.5UA MzKJfyĂ˽}snu9`||rjhdc`bm}m{}9Gb^%BYdNEBGYSC`]zy}N+[/TnaoyǿuznV8"8A@C@:gsX>>_hF3Ft}{}pD-Y25W~iewtܑ¼jw\;(*=MKX`NAR5RGMF9/,FJdT><:7h|{y{> +X-48:Lsnfh֑hxl\K8.0:FJOK;@QGTSaGAAXT518`[[M\2Jvva1 -V.48=BHazjkӑiwLD;;BST?RUVR_c_E_oRJLaKVO3'=5@`RID[0,T048>DKPYlvnjiqϦ{lbXSIK~TScpsqeK>NLGA?F`n]N6Y[XOE1K?(.4\S,J+V,,+148=DKS\dnzȿwqlic]_^\\[\[\]`bhr{q\G85:HNKFDD?I\`HE^6[XUSK!1:2CH*W++-258=CKR\fp{ÿlXD91..14$5?\VBF_=DIP'/TN( VUH2V,448=CKS\fp|~{vqmida^YVRPLIFB@=615KBGf27(U>.1/@H+#W.448=DKS\fq|}yuqlhd_[WSNKGC@;06OA0GY0=ZHB[;-2.1LO]M 3FM4)D+/-U?V3348=DKS\gr|}yuqlhd_[WSNKGC@8.7di6IZ/;N`Q>0>Q9-6OTY&"*,K72967?L6 
U5348=DKS]gr|}yuqlhd_[WSNKGC?52OSCqQZ3AeZ9=NKJIhn]Fij5(4:H9.*)3<. T5348=DKS]gs}}yuqlhd_[WSNKGC>4+8VRjULBFCTD+:#=0)7&5&$S3348=DKS]hs~}yuqlhd_[WSNKGC>4+/4VQI\<7:A@;SJA=23L+@RA8+7'8)*0R.248=DKS]ht~}yuqlhd_[WSNKGC>3,=>_lO=3&KT3/BWLB=9L3A<.I)$/45. R/38=DKT^ht}yuqlhd_[WSNKGC=18EL\UR3;3D6AUTYrxE-;I62/*(.@E*2Q/6=DLT^it}yuqlhd_[WSNKGB:0>?.FP@!;O_3Wzhh[P-L,A523%54&84!P-8BJU_iu}yuqlhd_[WSNKGA65KQD%=816]sZ8G=19UDZUULO4.8*1A91@$$4+:"K'@Tbn{}yuqlhd_[WSNKF<03LI*5C>'?6;:OO]=I=//$/1;,';(H=Wl~}yuqlhd_[WSNKF=.(98-!;0%,'5IN;I:6$ )+*0&!'D 9]w}yuqkgc^ZVQLHC<2&(#)+;0"(&0>++/;?+ (*.$#/  %9Igy4~|ywsplhc_\WROJD?92*&1-?A0!(-8-,&)/25AFKMKMMKHA<:2-$(/ +   qnoligcb_^\YWWURRQOONMLKJJIH FBKTTSSTYUQOKIHJKJPqno(ligcb_]\ZXXWVUSSRQPPOMMLLJCI{SPOKIHJKJPnik(geedcba`_^]\[ZYWUTRQOMLLIIt\PQOKIHJKJPyogbbca^ZVY^aeijtxxu|MTQOKIHJKJPpgoļЩ ZRTQNKJJIHJKJPƵsjmmf]RC2%.oCHIMNNMMLLJJIHIHHJKJP|{) ,AS_dc\QD5$2wePQQPONMLLKKJJKJPsuvuo$6GVafd]RE6&5z~>csWUTSSRPPONMLKO znkhhke$6GVafd]RE6&5hnu: QpWYXWVUTSRQQNMNK^"u_^__Y$6GVafd]RE6&4X^ aAkd\WTTVTV[ZYglMRSM$6GVafd]RE6'1INK_a`{jbYRM H$FMhD@?$6GVafd]RE6'.i9>;@w6Kɻ[a!`e,?+'a\8t$6GVafd]RE6(,U*./,.ow= MF15!-]/=,]Wc$6GVafd\PB3$'Ej~qMM}||}}||{x3:;"8O/43+DĬx3Y$6GVafb\`SEAAI;GP`{zxrorp9;<$=:@/433/1bӼЕLC-L$6GV`cngd|;>?$>Ah/3279Dlְ`>EL*>$6FRdZ[Xp?BC$BHHL%4#4EloK75HQPPMeDEF%DSz~/38@IWgs>H&J42+9mI7/+/5PNO(NLwz}/38?GP[f?HGOXWTt~yupkgb\XSOJFB>;863 4:. 
""0URS(Mo{wz}038?GP[e?HGSdc`y~yupkgb\XSOJFB>;863 49(!nYTU)Pkzwz}/38?GQ\f?HEYrpn~~yupkgb\XSOJFB>;863 49  d]VW)Qzwz}/38?GQ\f?HE^}{~yupkgb\XSOJFB>;863 70 \`Z[+Z[izwz}/38?GQ]h?HDc~yupkgb\XSOJFB>;863/_}mYOi^[,\Z`rzwz}/38?HR^i@HHF?j~yupkgb\XSOJFB>;863 -el^YZ-[Ycjpzwz}/38?HR^iAFBNt~yupkgb\XSOJFB>;863 ,lwgga\]-\Zjmpzwz}.3348?HS_j;Kt~yupkgb\XSOJFB>;863 ,li[ahha[\-]eilpzwz}*2348?HS_jn~yupkgb\XSOJFB>;863;=EXcgh[QR!QVjilpzwz}'.348@IS_lz€Ģ~yupkgb\XSOJFB>;8634;HVahfVQ PQg\hilpzwz} &-(148@IT`my~yupkgb\XSOJFB>;8634:ES`f\O lb%,)29@IUamy~yupkgb\XSOJFB>;86349CQ\[Q ~{ yh^_bb%+)5@JUamy~yupkgb\XSOJFB>;86348BKOO ~ywvx~sbY[`bcdb%,&+7GVamy~yupkgb\XSOJFB>;864345:>E|wonlmllkjijk|j\TW\^_abcdb +&-?@H]ly~yupkgb\XSOJFB>;8631.1=Hvrmleccddedc`an~^LWZ[]^_abcdbE7DSaf88X]n~~yupkgb\XSOJFB?;964331/-0:FOb)wja]YVVWZYWXh|z^NIGPXZ[]^_abcdbv6trwCIm]_fv~yupkgb\XSOJGB?<840.-/5?IRZal-kiib^hs{kY`xrWFBHLOJPXZ[]^_a`beb4O[uskilt|zvqlhb\WRLGC;831026?ENU\dmrv.knYXNJGGEDCFKNXdo~jO?@AFKPX`hov{~}U`UPC@=?#>;7=Rm~q/4;@CEGIKMOJPXXZ]eoz|5z\tpnunkjdda^\YVVWVUUVR7gOPPQTYaipw|4}Q<3+.13456652/9RpwZ=&sy0;>ACEGIKMOJNXbkwynw]z{vusoopoonngHb`_^aflt{QRMjzcM:1*%&2No{rQ6').+xz1;>ACEGIKMMHcuʦͅuns[{đ|Wpnighlryt?,& "(2H^uxahwkH-")-/0+xz1;>ACEGGHMVdeyЦ҅qnpWzّ½ayvokkmrw}f-Vs9%"%(+-/0+xz1;>AABFO\kzvҦ҅o7n}Wz¾h~yrljjnsx}h-"@_eS&oh  "$%(+-/0+xz1::@IWiwрӦӅ^f]nU}¾kzqjhgjnry}~Y  8V^M+ jm "$%(+-/0*yy/AUfuЁӦʅ˅[n^K0uĿm}tlffhlrw||i:# +BJd"24(  km "$%''*3G^us˦ϹzɅjniqcGLlJBBVſx|ri_TH8+%:sk    km ! 
"+AXp˥˿٦҆dWgxsxڦv/HvqbN?6:BVsKdqh  km&9Sk|ȁ˨ͭɦʅZXYfwȽ^a|:Kvldcca[]ht|Fcsm  lm59_}ʀǤ㡪׀ȆZWeuקٮRAKMR-z~{tf`eoEctm  by`~Xvɀ˘ʦʆWmevБޜI:EKKf:͙ȾxnhcbepFctn %Ccum¾Ŷȅ=*əɦɆVmdȗۘD0;AEV:}Ñ{sidcbpHdso" =^v}οýöƹ!&sĖʦ͆Wmfwˑژ@%18;O:zǿ|sljgipHesr&.ZrȆҽƽک{diwPONZ{ˑڛ:&-2F:yɿzvnilsMlub/X;Tˈn^LGRƪu~koliAK}ёڝ6$'=;xú{rlsuSnzA3/=^vKdʆʾɼ±q#_LJ@MmŦՅv@y_Df~ϑמ2 3;z}ytynM92JyZ?[v\rļ*̈°ǭ\[DF@5H|ɦdž`myqbiˑڝ, ):wĸvq_P@GTvRJibvǺLjǖ~zҽýZ_:<5)C}ŦĆnmwsОL+%:{zpaPVU^n~xw\Ssb{¶ɽ|hx֌ѲȻZ^/1+>{˾engwö|qks7r|tjjdb[d}y~{dYq_zɳ|hз̽¶[_$' :}ƽao`g|ƻYx|}y~yc[obwȲ¹biֻıھĺķĠ?c3zȺȄdocm{¬ƾu}~zyvb[rczȹ\IxX.Ӫ¹Hc| O~œcpam{˱ùù|~}zxwaVpfraHaXX@˴Ecx.M{oz}\nVlۑǼ{zaCUoH,Ky]:}[s½̺9\iyͦ΄orDZȋȾŻ~lB&N\iZ=6fƼ`lSLGP׬Žajðƹxov`Mgۑɼ~iD(Ctf$;wľKrLNI?K~·voontzsZ^qܑ¼v{jZIES{wQ4h? gGF@5GjЖڮɵs|Ưx֑ƾýujla``xxl[Yj>S@<6*BƳӸɳɁʄtɼº~wkh[epuk\K^}>K73+ <̷ܦ͵`\s~ɾμpwi[K]@A,)"8͛ǷԶ8^ǸȂƱ{ti[L`}89# 2ǥʀӵxq>p}|wqg]N]ziL`z0/һҶr5p|IJƣzysoh^MUxtJDlǞ% 0exǿҸ~˦[~ϸ}zwsol`N]unO8O$>i}śղ|"tUwþ̻ɱz~|wwv[;F:+2duxxŰ̲̊ǯzH8$>{FEó;nI3Y@ B2?y|{puӽή˶éƼ|ugCcͼǨgG4N}b,TyLuriyͪduoJQtͲôŴnT8/J_"OOsao̧ӯѻ̻muĦsvʿIJĪzjZX]l]s` Oz`_˔Ϯȴ|ʱuĵƳƹqieolbpdMhOeƶ{ůܴ½wĪotɨ{Gw¾_rgIxQIr~ͺ±mvynz1vޑː]a|>ӿӰý¾^pkG`@M}Ʊ~|}<yޑRAKMR;ŷǙȺ_qmDeB:Zyỡ˨̩TyݑI:EKKf:ΛͶ_nl/`t}βឋ|qoymwܑߗD0;AEV;ڡλbo\H>s~uæƼ˙zyYfۑߘ@%18;O;՞^qb;@Tit;zlwljȞ|Ƽڜf)yBPۑߚ:&-2F;ԝÿ^tF.g3Ffr +X-48:Lsnfh֑hxl\K7-f³Ŷť{hqva1 -V.48=BHazjkӑiwLD;;BOfζ׵oUh|fW0,T048>DKPYlvnjiqϦ{lbXSIK~TScpsq^½ƳrsZtwl]W,,+148=DKS\dnzȿwqlic]_^\\[\[\]`bhr{q\G53ɫzVYt{kW++-258=CKR\fp{ÿlXD6++(@rrŰʩzdWoax}*W+448=CKS\fp{wiZQIB:738jY8DyuOcurnceNW,448=CKS\fp|~{vqmida^YVRPLIFB@<5G_bʨOksumd`vdW.448=DKS\fq|}yuqlhd_[WSNKGC@8>câ]hykjgJt^W3348=DKS\gr|}yuqlhd_[WSNKGC@5>Дzrnuvzu_#U5348=DKS]gr|}yuqlhd_[WSNKGC?3X԰˷̉vt[ngq~2T5348=DKS]gs}}yuqlhd_[WSNKGC>3Yɳ}zqqggHb?S3348=DKS]hs~}yuqlhd_[WSNKGC>0?~{~sWymkny3R.248=DKS]ht~}yuqlhd_[WSNKGC>.KЭ~hvq}wsbcft}x'R/38=DKT^ht}yuqlhd_[WSNKGC;9yxk}؍k}yytqx0Sl~5R/6=DLT^it}yuqlhd_[WSNKGB6PukTͮhhyu|jMhWdIP-8BJU_iu}yuqlhd_[WSNKG@5jWf{l{t|qv|jpkNOZSumc'N #8FQ\hu}yuqlhd_[WSNKG;C~ɩ|tIcuocr]mueUepd9K'@Tbn{}yuqlhd_[WSNKF8N|`wjmjgu{daO>prcsWUTSSRPPONMLKO 
znkhhke$6GVafd]RE6&5hnu: QpWYXWVUTSRQQNMNK]"u_^__Y$6GVafd]RE6&4X^ aAkd\WTTVTV[ZYflMRSM$6GVafd]RE6'1INK_a`{jbYRM H$FMhD@?$6GVafd]RE6'.i9>;@w6Kɻ[a!`e,?+'a\8t$6GVafd]RE6(,U*./,.ow= MF15!-]~/=,]Vc$6GVafd\PB3$'Ej~qMM}||}}||{x3:;"8O~/43+DĬǿq/Z$6GVafb\`SEAAI;GP`{zxrorp9;<$=:@~/433/1bӼϑF;)L$6GV`cngd|;>?$>Ah~/3279Dl֮Z7>D&?$6FRdZ[Xp?BC$=c~/38@JVd{7;AAE!4#4EloK75HQPPMeDEF%DSx}~/38@IWgs7A&C02+9mI7/+/5PNO'M~vx|~/38?GP[f8A@JYWTt~yupkgb\XSOJFB>;863 4:. ""0URS(Nmyvx|~038?GP[e8A?Oec`y~yupkgb\XSOJFB>;863 49(!nYTU)Qjyvx|~/38?GQ\f8A>Trpn~~yupkgb\XSOJFB>;863 49  d]VW)Qyvx|~/38?GQ\f8A>Z}{~yupkgb\XSOJFB>;863 70 \`Z[+Z[gyvx|~/38?GQ]h8A<_~yupkgb\XSOJFB>;863/_}mYOi^[,\Z`qyvx|~/38?HR^i9AA?7f~yupkgb\XSOJFB>;863 -el^YZ,Ycioyvx|~/38?HR^i:?:Gp~yupkgb\XSOJFB>;863 ,lwgga\],Ziknyvx|~.3348?HS_j4Dp~yupkgb\XSOJFB>;863 ,li[ahha[\-]dgknyvx|~*2348?HS_ji~yupkgb\XSOJFB>;863;=EXcgh[QR Vigknyvx|~'.348@IS_lz€Ģ~yupkgb\XSOJFB>;8634;HVahfVQ"PQf[fgknyvx|~&-(148@IT`my~yupkgb\XSOJFB>;8634:ES`f\O lb%,)29@IUamy~yupkgb\XSOJFB>;86349CQ\[Q ~{ yh^_bb%+)5@JUamy~yupkgb\XSOJFB>;86348BKOO ~~ywvx}sbY[`bcdb%,&+7GVamy~yupkgb\XSOJFB>;864345:>E~{vonlmllkjijk{j\TW\^_abcdb +&-?@H]ly~yupkgb\XSOJFB>;8631.1=Huqlkeccddedc`an~_MWZ[]^_abcdbE7DSaf88X]n~~yupkgb\XSOJFB?;964331/-0:FOb)vj`]YVVXZYWXh|z^NIHQXZ[]^_abcdbv6trwCIm]_fv~yupkgb\XSOJGB?<840.-/5?IRZal-igha]grxjX`xrWFBHLOKQXZ[]^_aabeb4O[uskilt|zvqlhb\WRLGC;831026?ENU\dmrv/imXWMJGGEDCGKNWcm~jO?@AFKPX`hov{~}T`TOC@=?#>;7>Rm~q}04;@CEGIKMOKQXXZ]eoz|5z\tpnunkjdda^\YVVWVUUVR7gOPPQTYaipw|4zP<3,.13456652/9QpwZ=&qw1;>ACEGIKMOKNXakwynw]z{vusoopoonngHb`_^aflt{OQLh}xaM91*&&2Mo{qQ6').+vx2;>ACEGIKMMIcuʦͅuns[{đ|Wpnighlryt>,& "(2G\rvahwkH-")-/0+vx2;>ACEGGHMVddxЦ҅qnpWzّ½ayvokkmrw}f-Ur9%"%(+-/0+vx2;>ABBFO\kzvҦ҅o7n}Wz¾h~yrljjnsx}h-"@_eS'mf  "$%(+-/0+vx2::@IWiwрӦӅ^f]nU}¾kzqjhgjnry}~Y  8V^M+ hk "$%(+-/0*ww0AUfuЁӦʅ˅[n^K0uĿm}tlffhlrw||i:# +BJd"24(  ik "$%''*3G^us˦ϹzɅjniqcGLl{D;=Qſx|ri_TH8+%:sk    ik ! 
"+AXp˥˿٦҆dWgxsxڣo(BvqbN?6:BVsKdqh  ik%9Sj{ȁ˨ͭɦʅZXYfwȽ\a{2Gvldcca[]ht|Fcsm  ik59_}ʀǤ㡪׀ȆZWeuק֧OAKNS'y~{tf`eoEctm  `w`~Xvɀ˘ʦʆWmevБۖG;EKLe4͙ȾxnhcbepFctn %Bcvm¾ŶȆ=*əɦɆVmdȗؑB0;AEV4}Ñ{sidcbpHdso" =]v}οýöƹ!$oĖʦ͆Wmfwˑג=%18;N4yǿ|sljgipHesr&-YrȆҽƽک{ahsPONZ{ˑו8&-2E4yɿzvnilsMlub/X;Tˈj^LGPƪu~koliAK}ёח3$'<4wú{rlsuSnzA3/=^vKdʆʾɼ±q!^LJ@KmŦՅv@y_Df~ϑԗ/ 34z}ytynM92JyZ?[v\rļ*̈°ǭ]WDF@5E|ɦdž`myqbiˑח* )3xĸvq_P@GTvRJibvǺLjǖ~zҽý[[:<5)@}ŦĆnmws͗H)%3zzpaPVU^n~xw\Ssb{¶ɽ|hx֌ѲȻZ[01+<{˾engwövlgo1r|tjjdb[d}y~{dYq_zɳ|hз̽¶\\$' 7}ƽao`g|ŷXx|}y~yc[obwȲ¹biֻıھĺķĠ?`~0zȺȄdocm{¬ƾu}~zyvb[rczȹ\IxY-Ӫ¹I_x K~œcpam{˱ùù|~}zxwaVpfraHaXX=˴F_t,Ivoz}\nVlۑǼ{zaCUoH,Ky]:|[p½̺9Ydyͦ΄orDZȋȾŻ~lB&N\iZ=6fƼ`lSLGN׬Žbgƹxov`Mgۑɼ~iD(Ctf$;wľKnMNI@I~·uoontzsZ^qܑ¼v{jZIES{wQ4h? fHF@5EjЖڮɵs|Ưx֑ƾýujla``xxl[Yj>R@<6+?ƳӸɳɁʄtɼº~wkh[epuk\K^}>K73+ :̷ܦ͵`\s~ɾμpwi[K]@A,)"5͛ǷԶ8^ǸȂƱ{ti[L`}88# 0ǥʀӵxq>p}|wqg]N]ziL`z/,һҶr5p|IJƣzysoh^MUxtJDlǞ% -axǿҸ~Ϧ[~ϸ}zwsol`N]unO8O#;e}śղ|BtUwþ̻ɱz~|wwv[;F:+2dpwxŰ̲̊ǯz>{FEó;nI3Y@ B2?y|{puӽή˶ï:%]O)tgCcͼǨgG4N}b,TxLuriyͪE+0fU%! toJQtͲôŴnT8/J_"OOsao̧ӯѻ "3SH>-9tĦsvʿIJĪzjZX]l]s` Oz`_˔Ϯȴ~"6R;A!$B/ uĵƲƹqieolbpdMhOeƶ{ůܴ½|{.8%B&K?tǢtAu¾_rgIxQIr~ͺ±uqV$ #&' vޑƋ\az6ӿӰý¾^pkG`@M}Ʊ@(270P(vޑOAKNS4ŷǙȺ_qmDeB:Zyỡ\">c7#)=V9))'vݑߕG;EKLe3ΛͶ_nl/`t}βT,/Cq3! +?ED3+B7oymwܑܑB0;AEV4ڡλbo\H>s~uæX)DQG.8$*.;.&R0.zyYfۑۑ=%18;N4՞^qb;@Tit;zlwljȞQND?25;("Z%20%%yBPۑܕ8&-2E4ԝÿ^tF.g3Ffr uytxX;Qݖ/ 35ל׿}_;-Iu0Cbo<}bRu.7<;0 +X-48:Lsnfh֑hxl\K8/")%&$$",0=!31 JE>-?=xva1 -V.48=BHazjkӑiwLD;;BTO!/11.>C>DKPYlvnjiqϦ{lbXSIK~TScpsqg<))$#>H3$37-<(D<,V,,+148=DKS\dnzȿwqlic]_^\\[\[\]`bhr{q\G96" +'"#-<7##8"C>771"+,W++-258=CKR\fp{ÿlXD92.0, 93 %3, 9> 1  $4,,)W+448=CKS\fp{wiZQIB:750!&)")-+!8  &**( 6 '=>2 V,448=CKS\fp|~{vqmida^YVRPLIFB@=6*) ,17= $0 ?<%*6 W.448=DKS\fq|}yuqlhd_[WSNKGC@<- 4" "96!<;0D9&,#&;( V3348=DKS\gr|}yuqlhd_[WSNKGC@9(KM$=)8).,7Ct  1',6# U5348=DKS]gr|}yuqlhd_[WSNKGC?5'38'P.?"@2'">D5&IK.!!)T5348=DKS]gs}}yuqlhd_[WSNKGC>4=5H71!+'&H`6 !$3%! R3348=DKS]hs~}yuqlhd_[WSNKGC>5%9+-B# $1% & !1*$ !R.248=DKS]ht~}yuqlhd_[WSNKGC>5 #)& % .+.=;0 ) # H=Wl~}yuqlhd_[WSNKF=,  '.5(! 
D 9]w}yuqkgc^ZVQLHC<3)    &   %9Igy3~|ywsplhc_\WROJD?92* %(    %)/25AFKMKMMKHA<:2-$  t8mk@ (5*! k/ +>VlT3# e- "! a+ H\* vY( V' Y& !" PK9`m % ف-rE 1?JB E62wP* !?|p5!7a> &=YI) !-CZ{_eT. %.>O\r|fYUZm;|kUVuh>) !%),28=@BGJJIE@@;60*'# ,;OpwE4" ,b}d@)    #   ic08p jP ftypjp2 jp2 Ojp2hihdrcolr"cdefjp2cOQ2R \ PXX`XX`XX`XXXPPXdKakadu-v5.2.1 :7_VE ȗc" b™jcDɷGpfi07c疐r!suph4\S `P+!#K)|_5-0R ~F}b==s $b >aCG3"ي͋2>,N?C^N6 )y8"?4h~יzAį`o*od;N`,XZ9i ~ݺhb\JEU%ʹ7*ZlbHV‹- mU#raZ?g-!~nua,!_*p*Aj֕$8Ӑ;6/S !9p][#AL5p %mӜ3; SQUxc&%uP#y.qbL<["DU/mLu9<^ Mo3 jë,UEQ}੬R2PH+oL] C\yogL4%vk?x΀9d FB|VwP/na(S!Cgo#F٭y&:>ޫT.mFh[һxLfnV E1|MsbHbW]ef]%4"h}K&ql^7g]E,H7nT*,rR%]Q!kaco(nOqvZkk?ͺJhgZێa<}杴5ql:,6ϝjb 8x Ň2C; Eq0|QKBL|{y`g{aEڍڔeAhU_:کJ^6^!B2ĘSW7Fml} 1yPHBrGRy*R. TE7ؿHJ|Ii,Q~QXQفHe݁P#8`J_SDe\o"ʹ]4!5?8AArShcn !Od?\)̔򃔻BghWd, sNR=,uG|{ $G(!YCtW7}tkL(s6"xhS+^s3δ:t z.yʖj.3DIp u[D_]HΉB*eCvS_ uGG9IU&~SɂQGMf(R'WAJ'!˥9]#l!62 D~wa'Iq#N줧s@ơi~*M0ydy Ƥ۬>ajjcס.E]2:WQ:kcLI;-q[~ h4P:Ӥ@"EnX닇 7Wםo?)K֎?hkG /vfRv9/9 1!;IUgR[+Jz9i ,H1P8ؿ9kCd( Ǣ<:-a"¶(҄]iq:;ks;Fel@}g/tF W|~Gl<6IsZ&2j{ӫ9VVls `Ct_2.)=7*>\"mR&>#, |12bNFħ9~ V%qԜXңeտ0RۮV" gWkBS>t3 /g6A:\z!g<{7|R2W%ή[*7'g /`#=#"Qۿ 2'aZ9Y报 PWv+ %_i`EOS+$X~oJ B}rE~W_R dnT==O+8Ӄ41[f+aN9zguM#/b/ɣ/u ঳msdxYbhY0(No *|0JoSF8[5lUjZWa1C8*k# XZVZ9}\(ӿ,qƩ#L!7ZRӄJ1oY Ѿ ܥ5"mH J7Hf+aD^u@9. 
FTI%3{̍qɹֵ݈Lƥ( 8b)~T;mUXlEl(w kAG5qt}vЖONup 3K1 gjKUW熑dPriwV 1 >G;!p}tFifi3 hG%ajCuWz@ɺ ZMl&@5TEGdJ=#R*o;]m{:jos8{ܾkL~T4IvE׆FfɵH# r$ ;fZ͸6`DO w IшvqyY<_;-uV3V-6xq]UKˊ@FJ( >^ag3=nϢM$sI k.[.ZI^r_h놢5"q`}PC{Dr Y%3K8A\$yQ8_(W{V4p4[Rd̸T%ٚ'*WXz;8J9Η0(upwlQQ[^cZLExrBЮ[z~*);B.Hu/#qA ubrr.4?R !򾯣%H{ Ձ~~[׀$a}e ffl:]!/m]+oE`ŗVo%OG^&Z}МƹQ8wd5`J"q EoUu}Dh;X7*օ5&KOwjH,y^VTq)hCkW+;.\N3"S :Yxrn  ,ƴ^^{Oz1L&hUqzu.۹k3_W\>'|gW^{{EHod-ڥpp8el8P,~J{L!+iEsCE5L4cXl!*ː닶p~*Kb H :㾷#\Y)DbQyEV;ٱ8zh4ڽ͓9̾S=1q6ڷB}kgiml83No6)tc 'EZY^A)F?sab6s;x"vQbyS{ʹe N|IAEjǹ/BWJ OիvW}Wx̞ "QMܤ6varzm.9e2+ 7TgjNA_`ɺC]:,ݳ">U>4a<Nj ][#/xH1^Yf>xG :(뭂y L}cs9$@X3:E?fJct ypxk*Y&*F K$JA|,v=F[Q6֫*` GWK[8*`vKQchR9AcQu|c6}i+?X–A5ߙی)2)=kgS YO}l凾}buS9{m2Z]WI ~1gnE= 9\x:',qմgmW3 xM{-h'PYUTy# >ƅ?,/"/S?6O"lZ^.%^Wc֞ tABW;08[ 0c _1m8Ʒk8eoӭ^.o5}%CӚ()xo̹'<Ci~"23\2|TA nB28V@Nqra_w,+~'kb {ޚȏc~=nE!s]:O蛏C6,!)i խ'ƴby7 fصba}; 2EJZuE Lf3tA.>*qrst#"o$хY²ҏzA]3aߪIܡ 3raHx}t}(k,;&Mf^;%LTN g; d`5x=5nЬOҥ)^M.W9Q`.S%ma 1ʷ[ᆉ[%}DJKVR cutyȋZwt\2N"ۤV&T~}6Nc({@B٬oV,ȬhMwj^^[X/KMⶾ)~ml3S+u)*Oop쥩^8Vdm:\}XVgb',QqA~ꝫ,`Ekl\ joq@ېPv na&;B'UB~Iȗ0΄QRytd{ab z۫h ևD`6!&f0)EqCѰFKBT_~9@i@ba\iO ) uaTCI K!!+ _CY5HhE  |"UXmB.ۆ}REo_Y3$f4ᖙY(":g= ĒyyOVZzC kiq$S2>@9* A1m[ۇښ6 ]B k~˔BYN<:=%8T>Ll?<~\Ss{EPɉ1  "Gʴ/ASUx\[DQ`_FN"eeF$!<o> >ɭY *OTK<źv,f`P6H!Iw8 'uNsf7BS,"'Ӄ^vyM%wgbcCT!›_BpT v^vXYK,cf zsݣѽ;"?0uc͙5׆[]JR%>ƳQv^f >H ];nU')H !J" &uZ:@ џ+n`|\;FC +*,)P@ :ZYOIE|$ܿ%"O/ D@԰FF ץ-93%J^k{TdC6|yQ:59)srtf 7ڶtY=!?b&aǕ\ܴW]0SܾS|\n` ̧kY$4SA|߆I)av)VRΨmLk+;߀1hl_q7xTN- 3SB~FQAҀqF%;N '!LwMDzoj3 R{܆,np.W_ݿ%̳jt=OGbX?R_[ܠ6>5D>e06!98GLh1TSSXV?6Tfx.QP{Kvyպ4l G HRA.iI2!k 6?71Ig*4ԟ7̯⸁RHƱ}'7ٖiE!~Si:^*iFYư^)$՞7 a]ʤ`;v1oR`2һ*-98-2ctyj#(M/Z U <jv ^gحp7tCp8hΊj8 3U8PTOG,1 G{ ]Yރr>$Fxuu/Xapu*1UA{؟;kL:&ܭآ=E7N5(5"1H} BE%mEd!kщ^Q0| Y:Jo=t qwX俕ˠ-"z¢G \g|+AKyr!ՠTWJl`dc>a=T;;Դ; y;]XD'T5fW_TFR3$F4XIĶfA?zL'Ȅ1_AS-״@8+ַ)eqt\i׵o\*RfvBkX^\7ô#gބmOPc!͝$ria ܜ!E~7I'lK8GبE}L]$Z}1 Ea?!>E<mgW>YSDZQ w+\$ sda@/iH 7Qt*MJ0C0!p̩n1!dXȆsN](駹~0RЅ H ;zR<pپ$qer ?H b{j,RPIuS1H7i}b)%&TË6 Nᓀ P Cx5NGxiFc}LYO{ _ 
j4>,+rU,A|TaxM%ܗ›J'XދZZ|0O=Cy/ m|c6Ed$+CT|KpŒMEQ /fZt /j)=GBgq1 5vm aqخ`}{@ _:z[Ńz> ϐ ? ~18nxgH^T6l2>ccuVG9 #JdPz^m-?/N4-xpKX=E5*$h&:W~#[Wa78k~g5>+y\\ŸVX+]\# a(h n'd{oc#z߀ނpA1 [l.|~yFC=FR Pw(W'pK|(޽,jhHgE`lXȮkMi(.4wkK=pcQu..fӻ9>_X㶄"CeɖU7}A{Pɭ E^HܧBؐ[b5x(Ĥ!0'$:z,y 1җ|'5N5n@t)Ҟ>Z{ zQrdZJJ",ei :BL/ &$eTխ6^+5]a Y\:uZ~LBi/JCQV?tDTF7hBWhS&H2 k+^v p6{8+UZ̕H瞢S^ 3.B'd__}r3$ lj7SHD>r[5+T 6|H $$W1a_z؈"@ڀwlΎ\$PAt*>TxaV+w7jLfFJwj%fig&n;Q1PбNQC^Jz}ٙok0}CM+;v|*E3sԷYf.wKma$٨͈+}>&V@=aoFgēѭ%QY~(w.;ob S&ôL Zè Y$KIA'&Rx[0&֖C ya8E@!dB&O@lEɇ(T!u.MM0tL R=d{/fGvف(6=t&BYto4A OSx}v|uie WCQ-^>ezjXidH\P_94r;3!dך\H+ hR,(Fӵ&;Ɂ Ig{Q-˗h2g-<-xN\*z_WI/![h3K8e>q-./v6, I{]gSF6`bo4,=n$p k йyւM pR<.,1'pv!ҠLec;o!֣ƽFݟ_ \ 杷U4@?xOL^+yH>S،[]OIjzK-x]74ax H쯹?߀q@4c{i]gB/sRw5šniy')exC]=U/LHഝX{"‡;e3U4y~>Rk]fzs<^{F31eW jqx}Yc )傐(\T4,ǝXX*Mnx"(ǔJ.K0v]+ xrߊרKٜ2@P"}mUq#05msm* l:pk[w1O-dM 3f,MƍT0R.;%uC$h~l2jLMv$8l=8Rt6+ xJ]v$aW+17Q_AmSi(gB|aU:rдltb'ʖf x4' g`IB,#W|Ц@q(p< ʋQ^8ـ@Γ_'4ۜ_ SՖ{Zckڅ1|IbKSc>!vczARjX[[`^ %v:S@ṡvq6uT럀rn<^|vN-s/빯a7r:=$^i!ZR]TWROؐ6L8P[ML\vHR0k#x7NK~gX"վZzG;)Oh~"H9%]- U Tn;!2Sp0[e/2}P 7~67(_z{[P! 7Dܖcџ;(VUml1 yB b,/͈k9sBjhQ_DQ; ț=F.syIF>#H(4\ i5}$sxiEYVAD |~ظ}%jk 2/feaNǟHX#>6'-$d׺09VL3}g4u^k)Į£(P]6Q'&#H"oҁ%el,w8Yeuچr G{0Gz?G L ^YkMz9I6ѽki:63!%'+Q!dPw&kyoU+X{vF61S*q\nQ< -\ q3z"P:c)ɩӌ\9h{C{~$>8L&[;]1)DY-͊ᓂޡ/X:R!D ZOFyfAĸV֝Cװ.R;=M"zJ&7Eh(X>a>EvP} r@4>i8;3k&mc:g0s;܄TMSPLXcx))swZ@j֌|`,QDRuX 8];k1]y\>?6lTei_OGxPCUbE:/LHﮧ7QmSeRY4M& rtFm9ngUfspځ`BKR=W)X Y@)C{M.#/KAQmFq8hosMEm;ؘjjUݳBԖT_6Xw={6;m=)2BڟL@Ph}]$;E,Ezl-q+;+'ʤjȏy\'n48tYgQ} L~)H3믕SbXUϠf'6! yw9eРK9N[d6E V49\]`쟦||{T-նcf׹$!ZdQx+C& ̌FWr2V !5 \首39ZplyĖb#z' ۛK v;Hu!r$+x8ҧ<laO)sC -9ZV5ifLTeX]f&,6FcЖ$ | PEbWbza~s!]\%Խ.&&ؐͰ[Ls^ *Bv̩͹O3V l遶f!x~2"TqF'K@YJck܀IU4!@v>5¡2f@GfKo?˧^Lg'Akf, VJ-ww:8phhMl2UJ$w^#>R),V~D8pL@=Q4೪ a;_%g#T RW6jBUǐ/SA sB7fp"O,cPxFO.FV`sU׸jPLv:D,7×$X=lt"VK3xTaT{F;;.CMtM䬄 \LǪWE*,EgKt踾چ$ˢhQO +<È CXWbNB} 2,fѐʊr;B!Q.]'prLvG0. 
lMc`BP]~郖^d[䲨6e)|xFC껌LڮERuݑ7kEy+Gwq[%y"VT#a#^(/UvV@GO<@!^&u-9'2;t͢G$m$pe:Q7.DX(#`ܹ5K\N^&-\pTQ>t(7>}l:_'^_(ޑ}hEÉ[]nXAЩj=F>?_{z"bbd${+[j%ݽ>;A"@y)eax=Pa5ia*g;sdr\ܑvqli)ൽYZޜ_5gn d˼7Dį\V#}Yc>x V]ux {Ce ОPdz\%)%Zv8rI*Xf 'eV_LJ%}Bel80*'ij=ͼtr|={17'gNz%gb^$]X6uYHܓQۊZ) s8G%2"%-&a2>%V' -맴:*nYY1ס:xLR4HUn.~0!1idzɆ TڀPgZFh|?6aPp+4qOFH8ʴȐb:͝ X{b,zU =q##ashrhu=tcϊR4,QO rͦ[v%\nл\M`LC)Bh;"Nyf! Z605Nv$PN\3Y5{ex(8PKSxO(Fq@7⋮U",_cI{_Qʠz }XNv9vO0.EX(#O)K8}e3܍ˊ$_˚}V\^- BSさeN(.JVrKÊ?Q]22ѮaJ<T.mr@[E譞60hD )\$uė ] 0V)*2.]0+fPw𰭂_(lڴ&?n|H VN6)0 ϑyjю?SYS M$ Vq{aq{_.,[D\984aOrq6M0)&rUY旣fe7%#`@E֔;g֯*b)9QYYY- g.nlm{fQ.'r-|f5xVՓvv@ߠA=*ȦxUݘa@R}oTq9~2PXBkbn?\H7]FpUp7ିmubi$Zam߫_ɂHq߳$H=ߛ*4צ~^UowZ7ί9T搣$Hn|t'o3_F/he4,aY58=gݐZX\Z6#&gԦʍĢ1AÉ~I=_?JGKE;-Gt)'Ǥa뻄>SkOܒK/'}L0/*PS_AS3b%a2EO Dz(}[?qi}UOP~k]=I?>ԝM'H;;k'dۂe">R.ذ(1wyj=fzۡSɃߡ1_ՙй * YsYp>~tkaW{׈+ D6a~%,x"ϦEU<_lmA[(FA=)PǪ|Ta?ZGsEźld}Ү[03f#W6^q>Ŋ3c2yCxrŝ1˂Ny @] ] ʄ:fno#_9kDCIb{mP,!v}ѹa! AUWB"GcǖCb)0_`^9skٝn#&=[i]Y\DOwN0:i__QbaR/' EU)?S킩+,NZr]T+k(,fV㱋L:*n{U|K}_1Rz)jsM\{vj) =4 sidؚMșYr%\ƾ,x \{f կE_P@hw bf4!P6NBn4[)&igRkWZ5~:!NMb| BԴm/& ʬ, |0Lѣ1^m`6#-`̯=MZ'И-Oj}זÙxeqI%<9+Xi@U&pGȼQ8xhrk\CݧP$L9~S u9H{:~6SՃЄX>q/vlL:!r}1YHgLu0~ԘU/yGbHhnըNML [Rf2y&qIKsa $;"TbC`DcIcqdcUQap=!ftj;2>c\zPn>~4o}[X"Q-f|}< jD%B8 zp S-{6V$maɒxsn2"V?v C">PMO.af׫FSnnzT5Ds8IĎ$ Cd[-[=’7:| A.^ϵ^ziK!!/} /K~Ÿ?xSp:$yOuv]l+, b+XUw]T^^NJ@4$?:9FU*]-Q7$ MLj 5gȭ}:吇lwLM/sXǡ+%X{김'YG2ܛ^luG;K'gP Jդ4ÐGY^B۴O5|R^ܫ]:Jȁ%.Ę},?`tWM\J^<.W"d)KP_  ,`C-8/mk4 w-萐hUmSҩ"M6 hFh4/FnᆱtE' t>S﹥'01S\vyfDr#B XD9ɿr3 WU?;+3bt҆0-޿lٶkl1VخmfcBwcQ]v Ù;KkUS7kZ>(15x >,Oǰj"Ɍg :5KPpD[xPHa*RSS H Ɠ參Gyl=|}<2%CzK39bKyY`<[;["'Y $ωe ~dl*$Y2y(C XQq4aI]ѿ;",|GĨZx <eQ'3&j-Ix0~f@GMxiőO &UZA6_\"T{w!E>,#{#KL@7쿑vyFE,zkJ+_G~Fj ze'ȧr?ND%Mꡘdq<>AT-LEHj5TNa!K:)^ Ϡ Q%0(ŗTh"s7|_ħ_X;qW.ݏӀ6:`&[A P,3:/ omza d L"Uf)ys, à \*$['J^Zrq_/ev%͂)ɉvΌ6`fuo4^'$ШP,w p #) ɋMd![;`rE|>µ.r%[Xvhs\!KߘhT (U$ 3-ɤOrP/ ~O C|ОdЙe?F0SmJ|-Wu.Z=Kׁm*z4t<mAIyL^ӝ5&7\@dczW5ȥvO%T ę \ .8$ U`]MC)DC᯴Jƕ% ~AII0JWŒCWN㘙^L}gͅ?+u[V>L\ьڔi G4$=$-w&'7YɾG+BŞ#PG|Z[$53SeڄpQV"6**1/W3 WA񅁦VշIY 
-}3~7W$Yp\=YM7K]q |75:s_.FU,3=M Rm-s ? %ݭNia(Wɇ\-`p#ESzhER|tB f0k| "D9B5}w]^ĢӱA1/KUH?_F|cؾ^hxe"CӗZ,0iӑ] #"˵Me[/32ⵂ|!ž(Bd*bF/vND'p'a8pegR%w4?ۥ),Jorji40ӀGS96#io5U=Hw_r̆1Eѵs&ԶGw|je GԨIyנUDbZzt733|?_Tz 렎hyX\w7x`]* J!bnҿju(asrON pg @(קŷ.st-b13qU2V4el90*'|9!|sM_J+H3ȍb[A͜F*HgbVaq\krƤj馲^yhoDƫiOyzF|Tn=PW!–J ,Gy޿ɣ İ"ٟ?YM- ߍ_>3^j*}?wƒ]Y¢?Zq,[qyw5eydhsu_ ;xò$hKb`Ul*~ipB[7K)MtyT79xZpǒc\C|QSǢ1gşIM m'pC#@_%3{>ՙ|AVfP=(/]dC żTAZ-G{ RE)6z91h@h=J u{0Vdc[zqKCҿ/x:o;ӅCH,rJ.o.*ٿ Zv.+ACM*b?-!W!SDǾoC5 D+]㺝`loJZl)gU#-EglYk)8Br>Rê>Fo,C0b^Q'= ] Qn@ҊŰlm2l>JnԀ<.d/ XmA$Lxq%f\IEA))?*rrB.QzcC0 j:XW9pz#ogdz'Kv'9yx\\ Z#-;d,ri6IlV*fY)-w8.I2DD%R1[c$% z,ClD-ߖГrG4[{s:tЛ2KdUFcf)W,Be, ,l \SR5G.aN_~m2KYP5wl,`NwH&l⣱46vWT1gpSד[VVu!Ψ}*Ae5ܕOgܷU}%`f`0FSSpCjIcڰT^0egDؾ X0}̖o ȯ䢨I :Қ߼ʽ6 ׿ͅ<&=Wp(61*< HUf{ouÎe0/t'Y@Nᭊl:*ȩt߇ݥZ:.Khz^X XS^=n< F YIeĜ*1I;"@_VقEs[P3} w=%DHG?2iqt ڂiߧI|Cc iI P.wUਡBFM<6@{2n{jRn]aDntrÄ!4Q%,L+ж;eZo,N"|7:U3!d؉_cܑCqq[@>&EeǪN2 ±c>4;x|%"Y惇4;iaA l֞C&u?C"Iat'> ?w&\9C7eb]_"Yȱ 0UGUQLw ܱ)cDGpbg/)bcq ˏ!KeJ'[.UV#]*@ElĠde:LtkjUmI4KVYq!ǥa"jYGh*uz=ɒfNG|OԽvV,t[7̏'Wi sK!E;Ռn_#ZLx;Q0KcKĐ!M*KٔC@l3zZu ;p3XlC >:HqciLNt@^I_4fGn*'EcEkc@+`ZA~S:RxXosmQ: ˠgܩIf<4$2?s|(ȉQ[NP\D%LvЛ/YS@O2>J.(X^7f5iDZ~Ǣq3\Vɧm)#iIË/sE}ɞLЦT^F'4Y.\yz+Z>4'LH[?̗{h )]?5F u_w͂cK:v37k !+n ӫ]?6flWa\kzf_$)ׄ]h-3hI u))Ǚ]U]=f6Fw# ȹ?҉@&+X@ $!o7Z@s?X:L ,e2g]՗@-xXw1/Òdĝ<;{K5}+xڛ5UbuE2ͤ]᳦.cKq OjA vo#g0 aYE4su "G7(˨Ocyl4HܐMOrs s*Jk> v#x 0X?HTuCjXU}t?T KitF>_ƐZށ j2 =ybgNկ҂y[ & zˊhCUnI H>4cyG4fs2,!< Lih3D]ls gjH-рaH7lЩYu1NRӉc(&|,( 5_F&-rZ¶N*Zuj0`c;_s🡝LOв}U۹02+g}d}B nϊ=Gތ6Q@}m >T- WBoNHǣ}H{%Qؤ J_ӹՙV']6(Cv3݂0uDXa( R{&BCJ\PmBaؓyxr'ލ# _c+O꒩WcR@궮2T!cxTQU .h-En"EFR.!Įe&Qri(Et/h[SƠ/,{pgl44C >YvpbkWF֑9.#h&7_-mcnۀzl 8Be\;±ANŜ?(r]Eg4qFEy ퟮ/+?]0`&-~/Z mNgs,1*)!a~3nTrӳ*`[`ogպNY5G&Mb2q7]kNx:N[~cUz0GClS?wHdk&^%I-K /tFVaqa)GɪgR#4_ =]4PdO3 94aA7;Y0L=A_%x3hz) *$rQ), m 9X4G4"l~f'4:>{([d!PX)=Cv֎_ "ǮSHd_d@ʀ*"6K(qu_bʚ%$p$0qGi{ڊ\̽!J;6_IQ!Xn$6a,PQOs` q̧Cc_2څ숺g,+=F\^b {o$Ke\ "T*W9|jiA&Xb-hM;<_j)]?IFABX6k#GL18ÀvՠT] B͛C`J<P@ 8? 
FgXm}(h $Ԣ#r!C"?goҒ6z3Up͐_Sr20hY(Ma)oCv%+PG3Q@C]ôqH'ˍKDz>'!6ܑթ&Ǯ<6-HUb֪sW!^st6x.Lc7 b1!5ADŮ`ai^-mќ0;ô/ P7-s<~Wc8^ .Dɐ)z╡P|1002踷*Z)O3 prxǯ-qm%54ġR5,9vƕp^u%hn1sHU)1$YΌBx,:6NJn 91궨*.@&z!$np**= VжVoywE/,n0h(O=8ᨔYW'^259ŅG rG̖/ Yy, ?aU`bK3to^NPXD‡u"YӜǻp{+ӥ9I*vWql۪0$:+0 ڣQ!w" zW-THP ۥ-TJ4j 8/[t>5LahKP6?yK&++M MBխ:c{uqAW#qŹD2B^, (Ĺw:.OoڭC%U.k@h.P|Gt*bm5߼oa)1l0:.G[2S `(wwoY*sb-/cQrV)QA9֐!+`9Lgķi4<lMO](ݝ_MAoZO)HN 6'hztv3 E$܉{p!Y,4cDf8h_ nGCXg }9;."⤡w)qy_}*H\-{<EQ-Tg&VPzYդq/Z朣GɹPQ?u+扟l7UYC*gu/e,qmYqRdRߖo=Ta' ?`'d7!NBu,K`[ A"(wWp&uLMYryJ'%V1.q}U397z*5* Nre~'ب哑ĖsIK'D\/ɎB].-QB0 dU 5 x'Гin#.:ӓ$35Rd L6rpנڵ6<(4pYh`<֛ł^"%2$z-BYCr_yӛ*ں.zyUBX=)z"#M+mP `P kfԶdr/)l'LcZ}4YGXˬـ-9,z0$MSau4ϗ :f: Syl4t}b ͗ߊ-t̝ZCK9Yn @[^|[@GΪ9N:=:tsO;CE+Q4k-A?Uuutw]6N)ECv;т *QpC5^6\+kH[ &Fo@R,"o C͍N j:ESJwǏDiH$~5(BAgZ9[F2檧ube3hʦd;b8}ո`yrGHL%DrwpZH 8ԲeYbpDRH;^Id63#ڭPem_Y-c jNn^LRWu%HÞ[4V;y/k,B.^Ӡ]$jtW1$U2V wSgOe\syU\~\,XQwP2Ox˜V*;-h&&[(Vۍծ v1UpMf>CVVLIaBB ^s3{ͽf]^HU*hlZ`>՗ٳ؛`:fl# z VsM(7ylOǞ•/Zݡ_,r|lmxy#ŚM%ERqiԇ`b`r fW2bao>h;CI&w Fu`.ɂ %h^Bd[ ѿxtcԓu?ZZ=i2|i%> oM zX^zC1UI=A}7Ը{p\/LQn:X❁ !2)a ȧ^hƕI9p'E8o?xoTk @ .w;-Xbu-`?*S&LW-/E'BezDމKh7Q ,>ngvүc1Mw $=:/93Jj7Hfyl@[v9B;q{N{Ȧ-z(Jtt-1P?ZۚRY זX&wV2rԇ5$!ah73W{gǔ&eBd0`\][>տbe EqRUM;sP+-$ Fq%xM8(O c!hK,i$-ίJ]ʛyFc skXƳ{O/z@e,a. 
)N#3Fodx!!Jm}n׆U䧺[ʍ&0$lF O唖1N-G?LR Y*(hd y c߁SAx?tZhYi=A"{IF)9Vk!)^rzscaCi^b=e3tyyXJxՐ=.Ow;&(y\rL*$b#ѰΑ8]ƍGퟺ}b\t~ͩw "&w$֎߆TxBwMxt%_L,ds\O{QS;g)MJݸA$aR[!-eeIf1G 4ae5m臈K+ܰ?62 i qa2\q k>a6i>K̢GlR3x&ѺlZiG*ʒ5gLh1oɟ[/}涩On8Q\{F h™ߠ@燑S Le \޹{K;szp:ʦ wj΁k@_Z6[#ݿ;Bye'_.&3y8MX;[*}(Ԍ4?= An(&ſW) KRG[;Iۃ%i3-) ܏4+VO"iЦ3Hl>/aSOKYZaaMѲv?8ajt?q[N ҝ%&p?kvSLCZɍKm"röVHLpjAn^zQ8x{7jU Ai*6IqE.m9z[ra,9cA+pwF~&<6W3p_Őw ջ3U~uk QûV܂>c%3p[nU_0h~Ro Nzsn2]=I 2lOwᆔ%kEu_ GLA=s9jaqUs;5HӽXOiU,80zN'(`n*~!-Cty[T#[cR,n$tTM9~腬+bi.2W\DKnUڸIYfNx|4TU|#)ȑsό"joe 9c}'EC ?f?ʻRAA!dR*XҲ<.I=pyF?"97`%o-7&_( AF@|pƇ/;a0ҷx08&N!yVF sz`ǙQGUc8 !FL>l/vBP)~ӓ~kf ;oTBSFbQ K0< i'C).z)"D l /Εvl٪2dtKQ+m-[hrta!y1>1" s&wU4j]Ї,_gHGa~EM/jyUD"_Q%65mU'A]FpALc}f,+uR=CsvnJ8.n*hxe׆CVfgLϛ=7?h.a6"/ș0&'Cr@l,TY1y J%a $Iܮ-Ԫ>lk%=ޡ@mVmB"aN{zwTWDijUA%ιX8Q:(뾞@v ,U u NQVZ3ͳI>ޗkZ:ˈUje}^SKNJ?J hzjMs3[2 xՋX|Gdޔ&&(GJ*MǢE:{K^-Cq [#c[SyKشlyYS iE‬i{ަZ&'$ZP:pb[)jŔ%x fkNvC?ZwՇi_s2Ln[BsUvyvD6}IoHz&Z߼ lݪ!-:8EH+ӲAeeB}eh:M-/(IKC𱗳rf WW }L!8z#195Z SMV,U?xֱMlbD$8sF9Ջ`}meTgq S!#0 ݈hzG@˓.y5߬p#hz=3d%?@wM+,iIB'z;z<\e2%$߭o;YMT"ߟ֯iH_o"8yi5`nZ!YnWE}: :ߙ1V T5(9d&~85q@:ESm"Xy02fE,A}v1p!ODFc4j~3VĆb/ 4pX˕yC:8Gao퐃&ْ~Y~؇8c)~  ,*2= ペy 8%੪q^T4@IDD2Mew=6L=?1A3ٸʕVAJq ;] >+{:CCo^@rifWʼA #$HމE!a% ao*LJEgNw.xG|-yK*AuIXMRͯoM/MN}2h?q$p˛<pj0u87Zs.4~!2=anK|K=SeGM5@BP)%j.ߠ5Ɠtyzc odHGN=<$ )p45S`aĪ-t1OQɹS.?Y$Bi>Q>'Do|7vfgAF#cS.ȤJ'!$QgOw zZD+TD떨m71FJО.hkդR2s1  ó H?^'-*^;7`Г1[NZE)k{g' C_]f|OY>tjA] VS{p]P\qO:vTwl𖏳3h"X\F c>$c~C5#֛*#I@Lf<,%*Hswi~3< ~_ -h~K)q ކkA*/2J1TS!~]T7#3WQRxP{(c=={2a^垎 c.Yi۲,XY׏pqZպ ՂQ=-fzNVYaDO &biNd~$~. 
^>B _?;0l8O8\ )]n֌kpUONZFN]8֘14>|ZL 693 9j[^ܽ_ʚI0k99vUzT(䠦X%?9$ϿEM$OT@\*|WTa' wNSTwЈ3L>$da89j.0iG?ཤZŔHץW 7Ԉ^eD)vRC-(&phY.-ô;^Io__V5ұ.$se~r?51<-e#Voj /{q˝^iI,1]a¢]px/ nr4%oC4@0|!'ѐ,ΰeDuzmb L' BO:H o!HG٨5uxjAя YaԔ!)|)jw8 EI{˧(: sH+ּ1HTItyL4C.?VC4JgQh;}VtqI }P}8<QHtlB@Ċᬏ~m1cH_cxs ]S21 RY=]G2(`AQ[N* raK܈\_zZJOR 2TbE@xNC,p翐NG6}j9M(nki=cݨd_[Lϸg{O@al~]FW_EoAfsOu4~."žH332Wұ1wc 6,WgEXvJz ;#ӗE?^-^#jCCU6Y5M?1m=F&$tKgbDfk[\ @7M){:U;C`{q ,k'?\;;*¿,r %VwRj= W?F؇E| .nI qF\7\xPŸJAAQ]ʐËIyF E]3I?9߲F\埵X \L753ٟ">mpyF$'] rb{Z$IZ/@ %.hI3GNF e³ɵ(msZ"Ԍ~H/@ZBgl2_3y U\O'W8.Te\/`a˴9 fg&+aE>dOa8CQVY4|s ITea-{^٨$éS$0ˬ$^q] Oo%&Euq|iTϱ6i^gO.d6ZQ3.) Ý%vGr}Ha ]M;wj/xS{:$@A|)hk ~}"$H9;I:aE)jbnmKVwAed*[AR'KqpқJ$؆)險ZftW&ч ʫ;?YeHײ}%S}ѻN:DG|jE*7e<~hUiEA6O"CV#r ͻWAXiRfŎ;q~ jj=Ё&W>f0UG^e#䖚Fq:W<ǚشae8?زJS;i .-wU 5-iAJ$Nj&J1-U1pw^wlσM+%V9(_T-:>dj:inVoCD -9t} g,-Ӷ6q #BBxfg}#>(9 t:aCK)DyqN; - e3iۚW/C?/ZNA}^_\UmCw*zZ^(U:M2t*THٵY^KTP|Ț>Fƫ]ihREtwRQy$Ɠ@Bga kv $g ("s`E$w p;C8 @皭cI#7-X[+ӥpFƔmw]Øn(sY(b&"ѷ@ӊ3IVN&u$lhJmRZ   /f\ɬO??6(!׋{Nn:%b }?;MջR %ƻhRXH}ZAXO?VBԘƚʳ<95PkI*#A ϴE_$2G&7Cp?hp:k^Lp?enHvh6Xަmz ^Mdiuv%98 6M₫ZBRsnsG?د|GS>w賐 Óp//_l׸`\&rR fQySQ,DrsELt̿i"{ic[ͨ fL;8;8s'0%=Zqgς( e[`|xT9C(?$UT44cEbr?SV5aQsf EE,4o%:Cq|c 2:2#n]/H&MtHWH|`yQJ0'A}6XJ\?]3N*TE]FK-([MrYoO@BDhb7?m|:.8"NQj]#zn.5Z^vZ'z`FIBV)]2l\Kry9S0neUm2]ç2b5!qlਲ਼$#0D2LRD MR,yd KG>͊d'=g Jtak+&`1b!;$%k'yJZ܋4iibJ?kA} [t롅dݧ3MX3|cҔͦ?!guYsgͩ٩)CGf3D5e ʁƮG 鯷sVXlrdⳄkKo]cڂ|>*fZQ!PE36J~QD{c"ߔOH{uJ?e RIҐaE[ a%uҧvT))PM0t?^vQz?m#8@DHCZOHPrbu@L-h -s'sr%zmg+B%laV аG%$ dz(^.3˗@ï/xM#~#5_υ}\y9ɷn}qQea/iU]=Z2xr(/Ȱh~LȷWb[vw6šiJޒYuQ-z0԰JjJBD9< YϬ>b*R,}`KoЭ~ևGUӭ8gA(Su CB߳ vږ=yto]z ++m0}S~n(hwc֢ TFqx l#Xf6 BU#p_YPɵcj0t \x|do=E5ۗRu>q33TtN"{y>Cg}X{X8Pq "ZK?/ J\tJ*0ns;#ۜ(N(;'Ux9P?B 3PRl3.k,u$*JqG__ee:B dg\:l1;R[#:2o^Y=_R>boK \N }dbc4"xNuY z9 j4[a5KxevӨ= g$( f+*P O0"ZޮF@jԘR](1ɺI|sCȐ%OC T)aĖQ/1 )rd KBK =Tk52`:CI>-|g (]JOATՖV:HLT!m3y,90XcX,$7ԚWI%THØCuF@4Ook)WX֧۵sגm5K$o)z_f.=.@őX -:G\R-8s0vKsւf35G]8JXmihNui,zC6gcdG?&$#m tKzi޻$1] _AX\-4n>0/SF*ܧЄR8t3\Yaɷg!asG3 ct#"n*N#JwRsal'?lr&G 
S&ׄ)T=is+s[SnUj:Iqɀ ٽZfjRцgDđ+ʌM$Cfm|n躡 tɏ+&X TAJ"!]O?!f{@Po㞑38^29 CIbL hnU c@eIn, ܉SWgcl(Z1E/8'ɜ2{ؒ BƾfZD!@Lh)({ã *ފf1 Mװ1rv%3,M=N’R [-*ҥnQp<7,x?Zѥ,9ߍt}z7(3{rz 4{eEs~N / xYï+ux>}m(4 4= ('dq-at6E6,",t>J֋ B^"ǽQVѻ#QuVSW1\>AZANcImN Դy3$6yq7d `$ZU ~^Uwvڌˆg:T*zP{+/{ 6C@\!G<-'!2N 'ιEHN^R=T+řp7!DX~N yQw`@:շy#`eku=Y^tۉJ1w̩+&]@]c1@ACjQ"xvƢʏu4}nkv>>$3fK]V+ fn6PF:)#~ph}Ld.L+i\e6եk8 x6.݋Ss>Y D=3X:iџ9z,Wֲ+J8G#U¬qI7vsB %s5M?ux]{v(I,fuC6>FjKTȆ3scBHzR=eIP=^yV([PT)iśVq.jUM  @Nj%SWHXH}}8۹+R`ht4i,I" ]/@lF]0hN(%}ՎsCiUK lo478PN ]nbJtfcӏpzʠg>q.hW^Ƃ]1ƲsdhzR4+j($yuU =0)ҠK6-gڙxsf!F쨾Bğ;s^cݵyHw<ჹcc9jZL6G`y[.z41]%"x9a nG&liN!Ze5WgAˊRq^:ױD)}Ԥ.OO)Ż@Pd uɛUA*|;1R7鱙*<).֕s8xI'lz8 3^\yU*pk&mQN4oIhCD"YD?O_$`4fJ )Ush㣔uS'dc]߀y{k+vn_\tA[v? H"?٠%ZJlqhuO @]DU&\;1L=~:4Y4bR>,}iƼ`BŬ˜4qSTڅ $]otrN8 >gn&^ٷ₹<M6 'q\$œ%۶I,^hݑ$jYJ:L+fgmC\/U㮲,F!zWwvgVi 4  ?c!U^0$`TTc5Uh =η}a]˶UTbL|ڀdkc`Nf|]#|2ȅkBí.rlGuvi:L0q|V+NzAE8d}\. ?™ 5</*\3h4]dm~CQ9ѕOiLiVjs E `-j|zc{xVуm)] ae cLN%An-'`15Sa5`R6&HtkClU>0;Sꏄ[;U ),Czh;#`MZ2 XrpUQ9MNe 4E=` M6.%og-Kpm$yi96KB\/6c:1K;_0N~x^yKqa>j/1NwDӸ(Fڍښ;?i.MqZHLY4yMp^@iך6~{p_48c˟PݥxLTUg3Z FʩbnfJWXiHbhntYqJ$~\?5w.:(o3ޒI̘\Co}4 ̖ ]HkL'8bF(-72vA8Bӛ}\ :n;ʩ!+LRX1ϰ,4)qlT7MWHP3pDk&_eH(C*k]41{OFH? E|Ҡ4i<3䅚gip(+N9V(Bõ56HX&=lR66B4k_ .u?B#e)`HO΋*e懧 1w :B\Tsr惂Es02BUb?BUNc-`i!ztT*3&vP BiKHTC o$] ~CWI!zA:>OZ[M9`y sݾY$)#'j]>GYG#@iiUJm RgO n_@)#"Cٌ@ȶ$Nz=<(:y"[{ [e*WdQ}X}71!iV]+V;2U zVLo)g"x̍! Vq<k;enщ\ vΖ ^C⾐= lƹ?öA }LlBC(ϭ;Ϯ@bx*ޘYNoneOS}M^#l VZE-+NCyrҺ=NU(.@j<0fA ֠}u{]'5}#ZA";-1ik`ɧ_'XQ̴Ln,WbϖIk< ?O Q)@R T?%;ȷValz3\]Uݵ"PS81/87IQa3БbSe _}ype,qT&W̨o"6󥘰CHZqT^=(IQ:E7WP*A.iaY^ [O]#ptOG،Ra&k9?S¼n뉉m/7jch7IVX LDg-ʷל_kly*c9:":u S6c]ěH)L"|HIF6y5ZSu͞`voxs8JaL#&0Z]INy͸cWM t ! 
!Ƣ`pnӀu 6"-ϱJ]!!LT54N,ZnC"zCG*9uqas>|$z0JoI=ٌ#~毕i[| w&8_{do_LK57H~(=ɥ 2f8UCB8:jz\jh"f!C[]Rpҥj}2!~bs0îܙe ;lj4J1)!0StXsk`Ćw>]17?#e3b*0G뾓&5z,uOm I3JFOw}kzq=n^> Ǝ~3J?3#|ATIAr${P4 IPniW5z}fK ZlW6tXCc0@'sUKm1֤)6H89z29^WF)ݢ(/%&mN{=/wx,ѽ4jg6&|[uUJ-١nMDt354{:d5c߿LP̏ZoU2VҀ'Vq55AɁU/y}SbuVT+f$[;%4~6"A:G#Б`>43T(Oa`vv,辀v| pKv_LOv(sdU '(H:cJ§qv>%T/,_;O%=HͣksbLsl1mJ֜]rm lW>ҮqPڔvp1o&g¶ꚖYAgz_|ަYvů_*$t FW蓡`5q3W7Gs˟}\,Nc͔uΒ &7  X,xkE YR0YA h SQOS G Mo%oQo\d?oW΄C!cpSVo]n$FRˠAWJrON̜NAI}%#:a :x)'S6{>GR8.XKQ߃٢ZQHu;zE[$QPLr-yPP[lzLΪ uH֡. uH /T9dda02R-ЕN:{0My]{Orί{ ;=&{ǏMĄI"(g%-c J|c`yUa2W6޳&1X@' [ȷ2Ċ8AOE!V '2wp6p6= OMm\- U/4m_膢4*O4,1FoRlևY+;L)TF6` b8kWl:rGc(wg!jRhv`w*6F!M!s& f GT?TNl% P Q+y+pxb?M 8AX+lxf [6X6~8E8<=zxaRVY8LdsQJ*_!w{af뺠~(c$U:69/4MѹBUӍDҠ p`rI=]^1K`Uoތoyok+U z#!RUbW<΁2 puFI9; ٽ VVM xxYϣK!k;tyOT Q,.ْ:"[[/{zbj:eE AЁyfeք:܁h y Stܜ 1\;2%l9:N@f 5vD {=}0zA$z['[*N0\p9ƃvX@yyCn]<@8GP8܈.v| <^%jMC\mO#_V+ޭUVNGcdHyͩ!Yw>۬Op.vV \pLnnB]ηfQlNUw:D~2%E"Eukb/l)W¶΅R܍Ρ] 2N^N3U!L4QY181F%f:]G2kXPβ :@&Lm#|' wSڠ;D}8k%|ҧGL_ĝu(6!lD. ]H9K\Ci&Md(C5)0o96uD/g.+X{f'?ދ!T'(qgD4Uhm-&ϑltя_(-uJض pb&F([RQD>,I6wW? 
uh0nB_cb\C:-Ѹ$ALO|2 ͩ/ -Xx  5CL]:KF Fxe;'=X \qΚƘJsL[!}tikGt3t?R^9dPu^e#m?Q/8Y(B % /0}#+,KqfQ2$3SKw#W&zDII " RD9?WuHqޮwGioƳYOQ #FyjBof'_E>4r$BDg"-U*S_oZiOWoXLgd4B0p-w)]).: @箐C\w 'B"ek7Ra;lo찲d_ Hvu>Ta1fy=&g19C-lUFE"t}7oЖEv%wܘRb̕MG^u\lv57CP' Z!FX4:{%YNgj3W뚹,Hg>ɘAJ$0Qe60^ ƴˤk,`@}dP.Rg76#'ϫ4ڲw7i[TJ%Uaf;}P7%R3~EH.cW RI> ^}E}$ ivFxysKR Ժk\E+Z$,g ;?s4Pw[q3=%ۋ~~9 @Z&[\A'հ"3Q%}Պ+@e3߹SHSBCI# p:9n5GsJw=h@~E,jG~;;/"?x S*)ˎ %_ hMC!̜iKT~S" w,1Qs԰FꌊdC +L픠~Kް  A]ՠNd78>N6'8Т0E(>˙IZ4kb Nk6vD3ܸnuF&5lAm˥Ufwf2κfMS9n.sn2e+Z[YD!u4\EK'uc'=Pw$ai+/$EbU\Q 4yj3['"* ovFlk$9e'jDžA7nWU{*S)jzlWw]!u'l"mTG]J7OՁpԹgr2e'er ȭ?hrpreULp]D y&I+n֐vTBawy|lce$*7$ro圙..(gCHJ$,0h/Ū2- G ِ(~* wJݲ*mm+oo_|Af]Udahp^Sn6~a%d$5 Ws׿;r#@:w #]il9qaA,{t \.%氳O+ mRS XR4 47qxHIww2±7ֲQ _W` ]t{qҩgwPY ʒu=} |Q9+cB$ܘv-nYzWH[ ; 44emHc%tu:wGx(cH&_s + rX ;jc0fuBD}8s۱dM\Ah7f#J5[c8tcR胂Ȉ]7~裩P3qM&A'9,4sB8jd)!P;SoqGi[C<2m) nOWWwB퟽~#ZZu/yWy`:KYx#kSN>ߦa-\n lh4`ҝB9ppщ3Śs_!lؠc-=_^y1Z"59-=M\*aB_X'XCҐֵ!?U[_^kj.ܟYWaogD/ ڨ-(=T *hZR]UGZƼ0\C)B1~J5&e~,͡SB.-wY$_D.%@~Gq /b"67E*|~(i\ VT:#(\MԯJ[˜-ȩOT=5T7OSi!;ka!dV:S~cz S|ԻڸᅔbQw}w8e? !&H K Qx! x^"lI|?caQQFg|"I/˓V܂d3/0<_͚3A$~j+6hyƧҮz ڍoJjQhk|} 슰'M*S|P ?v,XWϏ @6?Ik 3KpR O ?|9i'go֟!G)߀6 g=zG.T&B v͍zsLRY_ihNO }˔b@3!.`h:g.΍Go-HNVk),=)=Y^ڤaH&u3sξ{w T;.|y !\ iJwH]S! NQ0HYiR;Fƞ-@&'N+&ut%jinɫHLn%%CuC;F,UYkuvƁ7` Fwͥ9x4;J <;u], %;Χfg9䏦QEm}JbFN$>H,O`t(3O(tg 9KVu+)Rg9 J ٟA!Jp/Ü )jc?̰lJ<Ư׵%mqsT iwc%fjy\&7rKmGYLP=ȣ!l_ky3bM8mPC(kuL>.t<Pv"d?9C:ă~:ZV]nM+ɍH_`=oJ\@A5e8_Q u.yKxZ*_/~Tf;WdrE` #eҔWPR'Q.3 H0{3wٳ ̕|>6bWHVEjXd!tz_ڼ1%cm9C,OjǧT*!c{WK(FV8z' aP5;](W\Pw7A8c0Y*/0. jEZu5îa5,vwla[71+8Z0%W4WiuΈ?->+i޾P?yʋXPU6ΰFc/Ѣ4Ȋ@͸Iz<) s16PTKA bj*̔}ָtq*G:0UkZ_ Rkކl&y/Mfz™y:1UK4-ra ʙn`n_#+ mWvqӚzyq;' ܘfO/洫(i+$_E%45.:yC:Qqf^1CvX;N³wg&#{SCMG M&V=I4Abz?f9f˵gspaW6xhHja۞h:'u>˩tZDFΟ M݊:Yv3[C2,q{,$hT'ΕzP}pv3_ )9>X Ç0P[NN zy$"*bh@dk61m*[LP8Xh2-6/ 'OhDV~dcc2)kPw2Zu)6`G=SkOEc\$T/-׊ .'nةjoPCv)\P<pԲR864[n}H85.U}0RfNHed|}'۶l*K'(fۉaluNkDԂ(vL @ hY J)i7HS_6ʺ6Pms }U}; ?o6i}#;YQ'#-h[ KNGE)z7 ]' #8P_! ުkm%mW 0zA8WL! 
+:3%g@`Hx}匯M'G >y7p,@ n~F //Ysj8Y9XBQ}O@_3=QǨxp @\8:{6c_hbуѳU`n\q 0e&F aew?:}CM^ /vk4mԔcAbg c~:>|pJD"3?$wܯ.- _bV.S} 1pS@AG2fe,ᙚ}Nn agA j, E=X)ULA6 c1Gߛ_W"Ԡ'3wK-s2XYѐkgY뵗4MX'W2*<"H# 7=]{R6>\:WC4v0&T&KQ# oު[N1k.S-OFZu_3au,BQ$ ᫀ )@^ě~'p]ƊSo ;PS݂8g{T0B&ӌبA'| a b$?w=&=-M#hQ}TU42]Gs!_R 'cYlNK˿g& xORHz+q\wU ꋒNI ~6G%q:FP.^^N5[Q#y|Kw1[Q^I҈,[?TK #1Hws=LVmINI.[/ QDY+'hfjٯH^,o]x##O3& _7pyLc ab'.0Y% An$I]1!9XR |1d=bhե FHuڰ<ZRWbU5%5>Kr=)~bj 5cӖJXb ؅0Z#BOg eKحcnw8kCʣ8$9FVlSى<ihRAUm$C`XX nrtAF qYd@O7#]{%t#h[+:SGiT" f*!EYjDlZfρP^yl> ,r0k)Nڑ `kMq0Ws_ DK=Y@Ma'd `t+Ol]#J{RJkj:hS^c:r`7N罵j) kv01]J|+]ӄQ4liU;x Vw8Kk24eYg!qc_[|}+ezEZ O%}b11$%S1w\gr ,_^w_DT&*]^ddy^_ >7IH́k4,T*GZZM[jfbTv<=nV ~6lf.XSwlXP/C\_3L)Nzc 2=Scx(ۋ&XdևFzz$*=ㄈYǠck- Pu,4P+Qʀ3}#S;)Vk* WQ MTͭ-8,"D/N|*/M!-z2_qQi>'T^n?.-XʇwqY`RC{SҼ: 7rb6(1v>_u:d ^.nK"' ƽ0e `l2 ~,h٧vu0{$(Iw)6?jr%2m1p[ ~/sWj|u|ӟ aLN?}V^8h"|y?c,׼j{bE@ŗ~?wz o}z\ \5˼?g4i8ЬCSةMd6PFxK^8q̫LGRn)Pm͛> ܣFVR~0d1 x)_W>Ś]յ6~uR| f šek>ZÈn}plGGh(bxQ|<}5P\`ܳbBΙL04}njYخNp;ZE <ܜ/dGDmY&yJg,EIאpJڴ?S<˴ѿx\Z5׌iUyhӘ@*EVmL^30f0;SgfɼQvc27BFB"&]ZT63@m:A6X:1:ͥKCqC AŊv3TFDd+it:3gFJ ftRRXiVԐ$uU&A>=N3:zkr5@Or \5ӷtL$(u*Qbf[}&T(x{xJw&5:0fWW%fPbQKGivrR-BhP^To(,__TBn5S`'^=XA/*u3,]~E6V;[3j3|9.z[Sؾ0@Y|#8IqMK>g xaӋ0"4Β kXwV᳅J1?Up5sPxl̊SޘSL}/]>0LqH&m֚߉3u8&TSe/\'Ժ$BZjD^\7:sE9oz=(Gtomٝ3e: #=`sGPQ3]d)ߢQ`#xIFT횑D*.yi-GF /+KH|rг{Ϙ6}#'>]VYF+:t+"C^Dڧ51c7slECX78z z =H&?s@3;iō # e4\ӁP+|OBA0*fddN8$VYv;fZl{7x- ATfoU O\/XeUE5*><>bi􄤂MmݡXp.eP1Rws%RYZAqLiLwcm㝜8+T#;,eeT!\ 5\llHن|$?JuWASQA@;b*[qFj{7MJt'dE@i~*uQ#lr~Z FS†atO`ue+h]ӝg`sɃ٨D 3x >jϊ91:R-׽\xo1||dޞL,ylL]'{q%rsRٙѨ*!%HIf=ϋ]LnNJb++r3Yy21hGW! 
AZgĹl%VüKY/|UuN]& w{CJ3o,+AZXw `7/`l,JvfW#3[ܹE2&LtlTDAzbc_7{B3&BJf[zocBt8,bU2 C=gn2V⫹L(r~ ';_BUd]ԮB#2kۚ"Ux=BO/:È^Wl9.9` "dK[ڙYMk.ka@rzD3S?fזEsw3 E;cw%Wfʑ; ~Fcv%pT7x|jU0 WpjG3mQʿlh]S\?v^dj $Ei_* $ƃ'Sva8.]4HyĮNMIoy-$oC@^.5v_Z %WHU#9TH6t?sRr1wy\ CVNx'!C[j*UV[U$ E&V{X=[:.t :o5캬f{231>JJ vkLwhb./c H@b9(ZRd <\ko% ׇQVOuB-}4U]DI{|va-XRatADuQ"3 *wDLf΋#hwS,By LE94vq( vv$U:>Jx -K'%g\O W%T(5F)(QGrҔ+ U0FmAIPYN49@wtbjsCj0dSt[qLk6HhK?vĀ4HI;L|rM= ЛEo*3/*2w>2|Jf܏\&Jp݌PmU ƭft4utҿ\Sƕ%B ]'# VKWǂUӓH^o&yMDV}X-U4=ͫGw.(oMY>CLVbujFVn$F% ~(-S kԕCwoQPj aܺvdb.aOWrL"\ n$]N"d,HDpɝ +dynq]\ 롒>TY`.N\\-! Om֤ N&o V тFX fX/t>]#Fj XRT9ݜbY2(cK a_2^sZJ&3#6@tnNsj´MwTZB>! $A6Je孑3yƬ tc@M\ KY](rks.X?< spCn IΨJy??C,mC{D )K C;7r-Ml #gjdw}bu'W5u3JIFqC{?cΥl`~X8E`Yieޟ(Xx!7HZ+,5uz3amB6o+fT۳#)9hUUpܑ9#a2;9xA;`Dq%41udo& 4jm[hÌlҏs1hq_Df)4&_?`%,{Y}i1]/FKh@`^D"p3A=%XÊ@48Nv'@E9swhڄ/r]X D=s뱷jKS^8`0G麡DgW$6z0ΐEwBpa8 *Z<YUYZu()"YZ2r>8 4k|D #o'uH-ƵNB)'ԏkzމD]{T#h«< y ,uZwV<딜.*J̲SiBV9&֯F(˓qڦuiW~r9}1m UR$/5eVB?+py~1ԭ]zmmj `JM\-bq_U)QYQeFEF*Rs K n0aXA q y< o$Lf.d*vAȫ?LYF h"")a AiAfkJם7%&m1bx$J'>:$4鋂MBx"d` |6)Z8QQ{^α)n!'ӆZXmx-/&/c#pG#\@)$ 9?ÑQqoG@ܲ&zb2Mۦ۠\ ӟ;c>󧛏 eB>dB4QVP0% D=n 暡qm{Y9lGg|MHm"TĴf]qP#PfOEϥ̧26s":jTLd79LA#׺fն2@?u[ż \fB+dz{V=eMڻ$cc8Yry*H.YBN[A!hip4gKKP`{/Q$_Cyfu,]Ey W? 
Bbgؕ7T9:b?A孍δ1QCc:`OX$e~hp:ώ\ri:cםj Mk+s t<~̄0$] ϏL-Q:eN݄WDXB͞Vݍ^ϕ\UnE2yuB<K9DP/!pn&U8!&)Cvx\&IQŤ1!X6'm5:O 5!3_b$ZU6*~T< gNNQh2yi6m`"f٪#cڊz4埬ۚ9:i$)1dD[Ya<#j]nS#Az(!WBuvk"cDVu7gz#En) E ۭ4#[61/KѠ=# ZYt431ːAyڣ˛CazV 6ܮoB.T“!!<KxH}UԌ]:YFlw|2Pel6aUy w[)Cwxy\m(+ٓߞ8f _^藙ۋnl<|VsC/" p+x9hokMJry#\F(W3,9h+|؊;Į7+8KjY*OA"o'q:uig [, 5PIlP?0DҴ+߯-\iD}BAU] Z_1đ2g +EvlO͡%8&7Op,N8CRp@ghQӊP}F5|nEƂ̀8J̊A>^6j kl&ʽ_{1,m;pV\Qp>RQ+aM۲Œ;1-2T fu ɐ3 儚GNagcS*^%ViO<U+x^!zr3QY <)Ut w kt1Rs1:W{[VKZ\K%BU ndOjjuȝ\}T.Ʃ'-#rbB7'\5 W B.uH^0#uԖw^7}Cu]͘["<" z +`dG>)*WCCc[e@\ JQO" 'W;2mQn#HcģёcK'9sу#Mq7L!8#J7gǂ,hݹ& 05~k/l2ʹθBVė GNPn[sP7̃hc&憔 K?8= +`mMvxnHD/s$@  mJe*͏Mlgε$ڋ\l,?;-51Tjk[VHin9КIrW@o 6Er}8O9Ksrcb e#hKA"ԣZ8fU"e#"KJNb1= hۑԫ{~2NL֣`\Hq_1 H˞P)*t͈uY3\@dс CQTTG&K z3+Ƨy*gVi<jfē,cپ5ZxI1ΰ@ ]g7)Igcv_P`Ѭ+oAo1# RZ2"D=~A|U",I0#ŒWF^Ryh|ߵ4][`\BUD^aoO޲DV51j+3ȅba*-,992ZpE6zhwmn,LltUKbה@Y0=˱M[SgPqwXG5WJVMp+P^2Bgѕ-j*z*碣 C I$I$vq'&0>+䵣E2Z0#Q4 ̡l,Bt=.:f4')y坸5+Zf D'Wi]F2u0L{ό`?q/ØD:KZ?; Ewy&jW[m}r[2M5IY4$yMR(f^D`ᘡK&kgY-tnNW'VʻBjw*+$ |C5%\ 0RH*vl*sY/>q] `,WܛRneWDtsX!;٠ <Šat!a~hܭb]XmcjX`UkZ!wPo*$2>9bc+W9&ƹ1AEN=4֠Α{ T{d9a,brq<޻eB?i <,FTfZخ~I.zu֧Nq $2SGe^-Y~ fcs@he3'Om*Ŝm 諯v@Kn8x0YAyeX?l-4a+OB@7(f{qny#uTO~OBV,63hqI{u\Zz97>-wvq02&qׯr;ovWԀ<}4v,g/l ˋBJ#wĚM}'I52ѯ{j۷},kHd !FL|yR* X s` TܐW7'eYWZ㋩R%GIPCfquG Bl'X YN li)$ F:Aަ.WxZ eIp;";}1+$DͬVs3s`?2,ԕ(8QE-QǕx2YNR:z?lP~ʸVuZ"%'#}Ȭ 0 Csl*ft3ħGr{*G`͚*>NgWMt_-" S(z:KKiO!eewu]=~`>Ƒ[9ȀUސ7$Ny}.Bryeq!BIHF:RMD#]lmb2y| Z{}8b$. J:iˁq72V:-lѧW`ֈ2&[;}7.2mf̋m UvCdWEXÄԉOͰJ،"1Gjb O&tИ3  +EvHp <",u49&}@)cwA;a(e-.FI8,8yeٗ W$aNV!)G S[;[XO1"9Puv֜Bo%jK` pڏ6 $d C^a E8p Z9_:x´ o{prtehVizxI7Hc`)p( R|eSvDl&)*advs{YJDǙ?]H;1 R#qB2WH!CV췒}+"Եm| >% VMx |g?CsԖWzHSO$ H!eebc4B pV.j٭Nin[·AEv!4y] ElJOK{*7EygTr[-zf{>=1c'◕<*=wr[-K掃] ~W>A+kl)/E-Gy8}dUB?́+4 pTs)OHpf֊_r256=@~u֕+~lm|+_f`מa>ndWWOut˵-ʟ[yY~PUi};Z܎ȹK:[ZLHPGSOc%VyC"|9>O!Cs3~LAxIi]>u. 
m*kabt:t~;qfԡ teVN-@ɈFvϪb God؄:_6܂ 8@y(1 /u!^D;7{O;Ҏs W~մZ*_89~ ⌿x>AL+pF2WIҙVoYTcP+Ά Iy>c[3U^0+.c?2 ʣh؎+όbV R7;I)݊&W ztD v$D\@qFR1P0Qѕu>gZl(B<[H,dcvdh: u/oAZ0 "6#3S_d(wFƦy/8Mwpȫ0 5q;cXv;7q`4b,k|\& ҁg3gX+0etWW{j/կI]MdH$4c5y浙%R_nݰT \(q͡ _i^#hQOwK!quStUc!a@T:i~c&`#qKICKkO +/dNOp%3 ֙,n /'Ũ"mwI^E[+x !_f cy/8~1BQ)V(|5A} o8Wh򩪇K,X=[pV2ܤUOdGWgaJ .DWӈT*] t*( ZwxF$RgEHL}Wȓ˸jAV3 vv5`FQrH`Ok-Fmcz=}5YFLRȭ=oڈ&a`KpuHc+ZsPhty=简;K @%A#<&|-]D4/MAs :]Y-P<}efE@]FQkGlD@ +Bꋸ*: xd&0J*6-7 pP#="D4xTię{Aӄg歞f,ߍJ&:^vt"qޝ9D9En8L!(*EPJ'cp\:!R=˗-ɹ)M~'U.5S 5iٴP]V5;? LPb"/LMhi'ārՠOL] :L()yPÂ)=+H:>( $W0l>@<s398Gp#! k1޿luɣ ;[g,sLZJV/mhZa<C]ͦh Vx#|oSd#%ȅ,ĩvB&PELU G8{Ҳz3HkӶMd$dRW9{(k~qIVNU-Ҋ{vNtn}q^]fQ:sf*? D%amofmEiC[p)HĞ93X y3&Bw{$):faBktb+v  ڄjnE;0+$Eq|Y"5g+KpK'H;xGmռM&8x|Bg{6JtJ!L Ǫ8VmYKGL?8AذG*Mil|h3.j~vZErYk0q79]]4}a[ѧ(]wzJ4roXF}R=0+G O-!^MhpUNǭIE=0.z&Kaf[nA,]h "[G\ma(~e&],=H(;9.%?A&}. fx'9Yk蛁a 57eGNdeSoƓdz|}wScQHmҶ360MհGT4,,†8jt@GSgd5 <~Y^p]aLZrt8jjLjyu\m-n8#CPL871ga~Fl.P쒗U }:A֨6DemdbMI5ϻeMKL'jZp^  ؇Sي5 H<ﲻ_RԖcuNs0d]f '$T RH*=>}QtBV<8cyawN=T%־\}ΈLLQ`LnU|ĀJ-{%0'/berM}$YFyɾ</-IlRxQDK-LQ->R-O@_qrz㇐C^2FyN;f IZZ֦8t ?;)Dν.\Gkx<#y@DB`f0%i-N $:@?zMzIE* 'Wn Oz]DJG۠BV;oﻓab~|`-z/C?8c&B',)J7QQ8B˱|$9fSKa2}rgcSSd"nF PXvE(pK{DIO\k4ONTgG* `lH4 |6@|n4 jK'ȯ y]4 ]vLmZO~+(~55q+/a_}0f;)aT15~qP~D.n0U;׬F¥$|HȒԁ#6{p2̴X8gѡ^oG15:c Vdph]Ʌ6A %m>_u\c﴾y -šH|Ԩsy@N{0V^|3QmknJgȱ 7Kx@cWASjT8#N[i,C fZi"zZ+>dER)D̝&c;Q?"=lƝ[|uպ%2>3/QG1y MsU@MD?7$ncάsmP&I4G?Ҋ:0.wo_oðNz>oI fo}DY *#-2r=V|V= ѠYf&ԬJث?IC?0vx Au)$f+ȁH̚3 68V`s@B8a]0^V )*XrO͜1UGagh=ý ^L|~79ecl]xRq>s.Q^c%8C#D&OOM=IG{'к'HCk+Wyq(J*otCN=`z"L4m[2aG7IQ:f4l3+s~-uN#&BFe_۟Z0$ڦ}=I߈4ltMT^E:olc|_mwaOtfDFZMdGA%8rzۜ@02 IOFn Ӟ<%1m ~ܛэ.gZR)DYGx9Ѭ% (V4s9LET.ƌ9%=MSpQ23 .p0'yRe's)g\`i8Arhs+~PMHRp9r} g+8 <VHoKI?uSQXn43X&gʙ#y7Hqv*X_Z=uH {=6(A|Jr5,ҹo}}>UW) d6mZ 9ފn&I4Y'gzۏ̋n'r_Ѵk۞[._ʩzfS@D˯eN Zz2/ԤA]v[--ċraGGbɓܹ HrJ&xG/ƛ}6-y8l+-m7b: .Եh)3YZc/|o0Z*V)둰d]_s<#`u0 iUdaA2O2rgxdW&ؘ5Vz!j rQbqW>YlfK[q?Cd(>EK R 0o3O8{H4ByJʿEgխ`QcyZѷ&=v@/`WK0Rv}-ɑԽ7IbHsN=aTFLW.愾=j {:w~i/40+YE“g,5 *.fU TlMHJJ9 O$4/tlYb ld. 
<Bg߫a~0tND ]gٛ\[* [F u™e#8T9}+@l+ Ձ2RsbŎ9pO/jY P{RH ÒoխD`QuɥL> g!$o @KᄆaU9Ro.F,Wy1`"a|-/D!,-P)A? s^`VwfJYVnf9&֔$pI1U^ى F d$JFG7mj[3_,u&hÜH υP `0߯03RPJt!j:uشa|PIPZ-֎J:up֭/Pm÷1 8 >nQpbdr^>RRDYu J\hr_3lN+ )-5QKJE+=2%L!ZIFkVz 3x1# K!8^$A&O\$PNyu"6@nGPD<ϯF-3+wt Ta,@4\UjoKaQ&_.$ۢ "p 1X{V9GH,k9سXY%|ISi GXz]D\*YA*B0Q9U}nIiMW~iڊMh۪<^`೾O0&sODFm[l(T /~RfN¬~+ C8Ov _,U,ŻHN&,U-Ub G@tuLuLћ-8_ZڂDΔ+cΫ)qlTi2TS^22֫S6>:Έ]15вZ`EYWD %J ۩W_dñn!_U%q1Xt_j=rVWyԹ0cXCXd]MavB?sN%)@Ȑ/wk[X>f{@;5Y*\{dZ\Y!_)>z.'5Pa~ިthB'OY?9$d"g/zo08xg.%hk’NsմHóFñ~aAo]1+CIXzꦯ٘sJ|IH\fVtmyẍV7 8k8upA-8/偱H2|WwpME!XHfy>qDžqz!wk6+ l丐Qv}wWd2"G@m\<ˉDzf ?⯝tm`ޔS܎GXZ¦k_KHIJ|VwlxIj,ahIU)k!qHj\Ss;H4l %]WMVYe.p8}xL)el1lm%l#5 nz;'73+|m#0_(1;qky"vjM6D%%g+%(È,f0ieA+Gj[!IR%?u9`"tJ{qqa"@E[r Tr'/!XKEO/Aưxw| ɶN~k<]7?.ㆋ!(XF mY@;n2I;j?ӊK']Hv[D"E 2SYhF L@>wy8U}J-Mp>_"椱oRKL_ֳcyY! lgq A:morp_dKidZ˫6#lvLFqPb+Y,#nq}ed _. +\综!v +v'? yYQL`:̼\h-W).4*ePi>)*7`hL1֖UQrQėR-a*Ӳ>ݠ\5udGI%k[$ek:Xxb!Q$>ʈTGqF 8Ol*\\ĝC<(|n:j|&'Q3 qCo(H;`9=N?Tymhn>Q_3i8CPSZv48oZǺ(|=-D>ְ?'DYQ vzi*nN?ryp6B;,mm)Ufw!w7b5d3Xj}/L,ї?Ol3hBSbhipl9!-b*bLmvsEr .F'.j; N_dUbB}^o@ y%gV'vxd$df*rG#}Nhe#jW l0uY$Ws4XGkcj8>CkzYMAZAݾXЇ(a]&8s ֙UwC*IÙc!)AKJLaZ]m10]69E, i&LaB4Ǵb`8Aϳ"Sb*c/> cZx|y;*+)8߃ZN("UXSبP %hu0,{־7y +wv8yj5 ,uQ֢piA ͔%|s9(-w un4mk#/3X &{ 2EZwꅸ+@gՑM'}U?+8ѫzs"/MM,b ^C YWFȭ+VÃ؏<" z.#ڬfB7|;[Ҳ ,dӇAіŤ7GY{r477zp ?/R_0̑V2OaFcB%x̠hA:oR2c($ 1&RWqwi3hn#pO > /L nk=:ۜT`{J '>2o?P*zl~UAbޚýZ ڎwU.08(UD{HQofe"KO nqS&w7uD9iwJ5? jqu#6#)hlVs͐3p[ue>g,L=C('fKo#Thͧ" {$ ;~8txhܤ>%*Ʉ&*׼번WPQusCbķW/]Ŕq$g4~!wlʄ= Qcޒic/R[`bKI&~]|wmdi[<w 799$!nh Ro\L\BPnf:%3 I)cٳA* EL}\NE $T}a ݊^ERry")eBڱ%ߚ곒;cnp12e?4+ @IM ^$wBĐkTZɛ0ƼQq/]&AV  G fO1 Ң3OZ-J.֕|ox , u~(iy)WfGFэH$ S|ƅw< yG!AT^.8H= g&B v!qs/Ic5h&:/Vx̢a..Lb0\ m)NZ3x{eL(+3e zo^`Lb2;K;F lfȨq m<)q!74?]7A$t.X~ڑn[VX6? 
hƒAVX8'ӾR"c _sMMGeߩ˛SVZPb(Ns-4x^4e5&[AʚXs`pQfC&R^DQFr-տ]'3Y ]6ᖌ9l*X8nD?W2"s[Fr -ˇhhXu@軉_[[+:E* >%7Pu؝g CK$a*.XyH D2VYU4hW8u2hoi InY&IR08s4Zy hb`u0Yq`# 'pPX-Q.Ls{7rfåĭ qԟ'd~ah3#wZoηJɀ_.Q6T㍀Ӿv%zHj0B\i%IY`~-/OEbeƁV?e^-щݕ L,N[o܀@9u]_MaOK0ڨ<5Q̛vz扂c2e;8w}Fߏ*HH]'̎#6R]voΏkv_a q V`Ψ:h i' *RQe%kB23Ϗ֒Ν ̉m}/k 'UڢYH ͢@;Qy><?otℬm3{T@O#%# 7 zerT`^)KOpo;Q]i-7okLC= nGNǽ`7L6 "!XO.=*~#*[R0d83#Qi ^{xC+Nky=!B/p {vWvk]D"ыw,Τ ۋzU} ÀMw+"U+bfW`Xo8L^i&r̟xH[!z"0b]4B?PBl4 T(Q n_GԆm7TNjz CrN\/[\>i#̎-/f o4`bORְ|@UoSKBF@ hKr.jk=1:$N+7cr͕߁5&$\讼9x`d>-^'G61??tWw)9VK}w,#@*ŧFĜ|#HkFFvXJn-Ph /yՔ)_}s }ovYΗ%vK40kx:}'IXyƶ I4O4n%Cm 2 Z)2>P)XOcIu;z gGH)Iov)CRr ߆K3+Y֍pWgSqILسXsD>>QF_#"/I8fxB}/xZ%d=@䅆fH $Z 4&L9){,cf<5%&s\d;wr͗x2aЬZXpMWLoWsy$Q(u(ɩ ;! x+$jT @!̲ޅѺx0_^M|njR =Uod)L!%&GQvޯ+rZL0Jԋ#햎nl2;j ^`˙2EnV@&)i |ҒjuR걣BΥzwXqX3qqV7BThHv|?naj]?p^@gIz@=qT)Fe&,ިڗ3q3EԡnGCpn PEQlEA}Gq8_|:Ty׆du*1!>1>D>t.|%qI+=hZq?Q9Op^Qb m5 oI4ziU]CXDZ( &7jC L9p4rCH/6@_ 2P]ji8] U~_wuZ{Q[Kŋ& "^kOF[ʺ"^ W 8lP{DJZMv6+^qu z'u<Fp{hLce%fP LGo/!׌94?5sZ^Rp&'1\RO.:Ǽ&?٘0|SO ķ3'Cd6}X"0bԛ$k-C^: Tkܱڴ'<ȰNHc3F٫q,WetS7:h7mɁ\S)-wxm'CV4Veʆ6"T#U8k.;fsp*W-S5٭M*#,KK^@偂 +s* 00R!K.]HoED tm74LKc23T1LuF@k/o#!Qr3VҺs[@'Ćn~,͎l/᤟Wq5 ]ۤS4Z_@L(tiSo/)"'pI5̖$< IxxƉ 0lN0ҡt-\/7(ҽ ΈxlkC\ C/njRCw'ֆwI Dq:Sr:*DHF%RHljls GS]V! 
khֻY w&Q{W@Tic?PZ :rPFv=q$1E5>?yײ=" Y҆^pO,?BTZWyRG"+0uH[D7 !~ +Zvڈ˶ި-!=HɶC'n8l |R?w )($Q 򐭝Tv}ha~;eRhdX=X9L,b&!{ɠ~*} @֡<[ˊRq ?8y@x|~!c@YD,4] tNH󔇦wKrkDlO%~:Ɵ06k=Gd&s~`$\\ZiwmpTpD{>!v8ƝtMQKԂN҂^a(vM R~O4^7&Cy]Dnsj X[k0d; @&6'vߌ$,cn@]Ԅ(9])6iAE$VpM/Aa9H8db58R1Vd].+φ6wŰl")_' ,pg뤦X~Q9gƜ(>4\TqCAtqzbE{[ M5h^Zo%8TvfӲ)R+wX"[X-؜D?5Da4N.&E) 4Zq1X?gT Z~aTNj"V-Fy(`ZNVԝot;Ĩ%nT)TY*O; AJXޔMRi?6I>=V80+p̆~áaFEPۄ}u5b#1Zpnysd."e K%TF>MŶ6U6!Zho"ޚRӶV ʵUMt>'瑵XĨ@xRO`%Nθ>${} ey /yǟi$>70`“1Qe ~gUB \&I\K^VPf@~QEG _ļN=*\{vX >c]+qMe嘧%n-6XCn-ʝin ܬ+*Ӏ&C2= |۴Nۙ{c+RJ LE_>P-/ѹ r76f}.$kFA/[Fڈs h]Wt&_/?}>]xEͱeo8\Pk(D#m52C)f"IIiYd>i(+S~Ys5GІcVoXVSm38Rn"#&Twd ^n)Jnb} bDZ"h4C^tη'MfV,"b'%U@]b }CDEsJu˔p'}Ioߠc+dvSC aF~P_osmJxe@?(Kn*60\;˳ 2̞f'29}|_jHsT,:RT"!&ˉ6f%" H Jh,ije~Zy&Z5QUh&&qǬ74`2Lr~5PxHtؔF\foؼ.76 `G*{<!"+ vCؐ.PUg8Uop~Fsv>J?lk?[WD#g*6`@7. S`T+pC }S 0Xfn|/"@P`XFLo+#ARq!55ĵ 'If4nEssς܌>cx9:+6Bkt'F $Ǝ(OX MJHHm\Q<ƞ}O nGfthq>;N:KVHLl=sk@KOt7w[ҝ+y VaDyukv@ ~7F=PJ8wDq_E{Ϡuh15!芘]c'4er+⤬DOa=֡cͷ%!i5qajB2YhHQ72>փX~cކ)vA ֻ16D4Ƿҫ-wݘydmrmY{~̭(@4[ґ߬$C(Xx_ٝ2s@XwsE//r 4ǵTEULЯp"46[f{ޥv+{":4Hإbh簌j9"`ZN$DanNwS-$SnQ v ovi; ae\[jDZ"-j|i)@K-LMcj L5i3h1;Tr~ו'4"dgxdm:r;D;#E1u*[rK)k2 _XZ":4HqȳGk*UnRP//<3B%"G/#0uPRٞ7H<:b&>䡝qG)? x$ßǓ@yvqZ Q!FJ(oZ6ގؤq" qh.n|=fW]}DP&4*ׯEٸуDRU`㝂Ln!zXp5 cqSX~z9Bp:Oȫ"5eO^ݖcw sw8Da(B"&jD83W"`cS'7Jddy8W3;NєjE\ H=KǶ1^{f3XsQ:yENHə"ZP+*'R)xt*P-TӇ jsx_ Q!AHNօiX-f$3<~G&]?U ԈM~_Jk/{@xq9|36&+ Q(?a­ ),nn2Sktp챘M1$ \"cݟϨY3ZuWwWv|`.`zZS{5!=Nʿ~~P'g(%|qA|S{h)VЛO Uf|'  )5I'U$PPF:dByO+2R}S96͵hfXzv P^kH*Yb]FӱCtNUz+:'Iڠ>o>8bXadr}ֲAd%q.H,)>WM|hQ2U*RWP1!7`$ckf7{x ޓ?d]!WmМ02lcs ճP^Fޭęx%NjwG_^:xx47Ql!<Ƭw ׸Ic)ZE.U_|ۮ*i9XiD#Ҙ1^Sӄ<^ ,x T_{ґkrDb"I JWo;0BU7*b|B4X`Q$|Vw󉱖K?Wу\2 pK_FWP2j@CcΦ1[QjKm8č0ɱâ6{0 (䟉hi<˰롡 MvhS<T9:sQPm{z6Zc?m5 $IOn3n۽ɁS(ž ~n,&*f ʫLԃZ< Mm)#=bk W-WJP\dvcQi\PQ&noD/+6ȺFMV~!G;糰P]U߻L/@R=_?6Q}xvDN8#`$/}wooc4h]PH?!R_#(;ؿSY xV F(܈=h) =5ڽt2lsULTр΋?a` !{R8K [Al3xZ`:H=XX]|G!>mcמYp86C4"G"6.LSc|La,N9B]yT }P43ԝFzs8Ou}|eM1<'KS? ъc$$F3uGYN䅑F➗X8e+\LLu ! 
~7125u^&zhnmƍUH@$_ 7S4 Z)e="w9hF)M5҇b"OekuΗhj#K'&J 94 ƻ)]Ks( 鯶Druw~c&;O􆄮Rxfwy#PDPV-5r`gM1xO9= jI‚y0&R)ST'*@j>ѴMQ> 1 ]T GP9KG.^w!B5r67eFxf*zQ#)DJ5R8tET=^Ԧ;c(u:ރ?;Yp@\OD`o((DɩvXpFܼanfrG|N;8~ƹxtxy縥a|da.K-gĽ1WA4փ(DjہW KW:YZ)p*[1 W.n:Iy+ P8j$w) _T3]1Y2qQCr4>۷LǙ\ezF3vBw1,njSz!=@lfƢܱJ҆-'(E*OeM2`LuM6H;'w2>Rj5+ Il2; mGљLŒN>!6` P(F5}{m, }&ےBkƹTx/xB/b$/oRD/DwGkzaKcx840ˮ)A'Nq$//@x{?SXinGg@H\"ҟ_/!ʠDd$ãܨ$8!l*w?N6~"$.=Un6ϩYB98 ᷄>,b"ƀ*6'6z*-גËX赛+0d 6&pLûi0-L]t8 %2}3ϋ-C9m9  ʭFXtlڟe>Dkw?܂oCL*jݣ[}V 3<`5{hFÌc64h݁"LɉvTeئX髿d7K:fd9 WhsrbER.;=-U{bH+j'uUqA4,yŔM‰yc %/L>i(py9l@p!fJXI'i韯씊!KO@ehpegIxGhY*AB \TdB8W5vئ:~tQ0#BgP0:¯GOn;`fD=I-&A#2nv8Ӷ^h h H["]yXۣƖ`>Qv0"!̱/ArNb]伿&h?}ȹΕg+/i8S%ЀMi&A HTZȦճӣõ+ZL xPJ^E|]uF]#H(̼ct}NKNYvwR)둺PSrVׄ-.ϙz'8: =ZUgBi>LSuVûQ>>ӈ=`:N%, PG:*4T=+"uoWyW(kS wD>.CMvv.eiR^~=:', "hQ k5;3 &qFrv>fe^=?p{%:`#hOji ڒ_^j[ݾ+qT=dENyمh~I=/ 6߅[R=8U$ޕ7ؐﱔG)GzXVfL~SlU>>@5{+ʚe:5Xs-KobٰP8B2qѩ$柉 \gFI*v͚N+H%QHvI3=-aﶪFZ^T5q\lN!_:͂م׻iBb8OY10z`SoagKzncY+R8ߣaǟ4U%&p(RTQn'&*{= !,HFAN#P/߉NWBK{ VO3Wlf7Qvv3ƌgӸЀ,\k îoS"d+ hH]'g7Zi\>*bc1]?]K Q1ǟy ES$Dsr˷nO;K?- `1ʤ{o_$@t0=%M,w_IK Kǧ=?xne&H0ϰ>TDm/NkVz`꒲|Qy'ĄegU4Jc䳼 n Qntt§YVZ*[J坡yУ6]{Y=դvՊq&&C*/M.765$PP% ^U8\rPG^%!Tax+읣 ܒG!_z m]8+hc'B(/<% l YK?혋ԛbAȴWDVuV>ʗqF@s=nCW,-G2łun!ROvI,_0l6CږϙCM2-b~t!SFiox\Lٹ3RjUh*ܖ-)l7ry,V]ؘuvi%(B;HTbV$D ]4 -(wQ?(zƈICF/b_V-Qy0w/P1]]ѯqS'GYdHc83{|T\U)fѓ&Iֽ'*322JPoLLVZt$uۧ^dK &^QzW? 
%̮_u)y±J~2,# OWG$ eOu3d#_}YJɓ9 4$8vDڋBkFbWI lh/3m5Eoy/R1MadFj~-+fx8{ARrTqT4L’ Qk ukޛF|Q|&1EJꅆd]|cg)#Zk_{2V=㈨4]%  KLK,WA@H ,PNj烖dqkn0F^+ǷnUk c) IJ|Ŕ }HDz68 Z:3<kp#F+_$ٞ-C:o$'N>P_yDxst#4^ ,Y7fR%u~l !K]}c(L X2/]0J ngrxOD1J@ihs;ie&fsRz*B@Jn]ݾ/K3E]cVԧmy {R9V5+Uh~ ^N?xXavNVvX碵;6é`RV/0B>{E,ߟ֭Lkka]wBz;MP}dxKWgr~ O_.F3.P8++렷*<}GLQ/#yu8 ::Ϻ,iK"'8?JD~yW)"Q&gb[.ϸ tuUI L VKaJ`Mj 4]1R?gEw,_O` |æʛ-pQ9ˍ2~7,]am|lƯ :]LT]Z3Rbiht|d"(Jq + rŗ7rNr> Ja0_BsO,\ģE/20q|EոyJH1iF^{p#]M$ƼEʅ_Q|zRAigfk-C |/QQw^}dXBK֨g}ֵ̄́; Qa9 ֨93 ~6Hb}gw7~e4P[c9-֪~N*,q`Gz&upDA=I9q^B&[=&Ո TҵT`*rLq )@2&WMS&$4khzwb_Z+9ijK"n<ʕGfHخpew$SO'K4asJVIX%p{U!HDy#iuv -ΎgIb}3qaʧkhz;f64 jص2<# uz sm#5Lb@wQ[ 2ӆ2e>y.sZ Pz(gT !]KF/c4Ha&P# 9~ x@&tmD :=,xX3m W> Qi'dfS$;~&@CV]&X|v2\5>o*xkoQn&Kb!D3Zhy3 q1 dqC+"<2`Wvbq,f )nf!5(%a8m(WSÛI5/]Bj#zYu ;QLx&ѐXb+7e@\}NiX0:MZAh+G%jIcFGԋi[4͹ٲFv>hv|-&~k)v[LWpx&ƫ,PA-8Qv(i 5? _GCUU-.ל?1֞@,yjl̻@k æt</X7;y #[p5S!;u fD!Jue aS*KQ=Ԇp]/)/r纎Cá 4R\(4n Z_[}A:Ë'vbဣ[QΞUMTɯKơ|z"Vȡ7t}_4j )F)4Em7saqxpʟBoa)p'.GT&SŎ\U}Z˞u=Ùmk-e{$4;|4WpmdyE`78kd޴ҦY?fCn$y?} I8R]t>7 \]~fV'UY[L"+ 531ÁD$EHl!{&BK|ka)WM1&H>6#Zo1^ F+!RV (=/\(-.ͪֆQyV!U-fҵkt5A~o$$>S u'F6Xa9 ~st+<E)aT k.Xok fPK(㱤u_UK}"/µv:=!Q|ݍ15"Vvϳ>sꜢm@oܸCSEX l40;/D +GGij/8h/ ^R,Ն*f:/8ԗjB+kR j*gz,F&jQ9ZF#rN:|$|KG AJ~Xp2~XrXO6G!mɣB@Wv[%rcozy- O7ȏ2z!L15M#}!OF^Rݙ/&:)0 g zceQ6SNz %&?lABcfVA 8SREa(d֣}/A_#xD9gG6ϙi֢]9xQk Sx9UJ;O`!R^T[}#;D O<멀{,ٿlQG_7=i+akzu_)ʆYyFVXv/0e.љt$]sVdW;/0Gf}NΩmh:ʻD)$ :*}j'>k졡`" u3Tc1t?`ل\;q 9RhBO 6o.-!1cqCL/EN6t=:ϥ&M)p|yТZXfDcO .C>60?z^ /9r.j݅GI:L{5( ,,7vs>)cכ;)q\ 1hXVIm 4&C Q;<RwNAR|Zw q;bdV@#_>5e]69/qR+զ% * H#SHuXx=fDP&K,GҊ/cLz a$ԀS] (D4T _U~O5@^݋80`?n791WGD0@F1YX> i(x_,T!UiZp&YwŒQ= s u䕸'&l hOe,0|, g|,'SIܪH&Ptۨ.~ )Y92YƺE`Z({h(gBr>kZR'g羪n|qz+?е"N\.hLJhV XqyI vZpMX RLWy{>JB?h\ , o{3NARkڙv0I 3t4+ np֩BV(,^NЕ~.gQ7KYg2r$`9iQ7zy/6Nep8IAN?E@"o/|Dއݪ\EZ85~3f:#,gAkTؿS|[<,fpc,HΏW~tjLԲ݃4G$1W<$ Ьjwg)N/o(9045들gg3by(@tV1KעuļIH8~7aҩ"PKY|.Wj--յ<.UrrSmɋVsY]^ H*FqyͰG!\֊٥靈=- QO@a2:w̟XيwoTy" 4V3IB4nȠ|1Ze%&obcI~qy?FS־Z aaa1ڎorJS< VZ0s{N1K`ka]}ƔA(, 
j@=@+?1P$R6dg1NAmJ}vwuД%z4QM֬:GbJq,s dW.],r) l%4550mʁb5q:v~c\rPP'u[ZcuwI$63sxal&甗ræ)%OB1Ypde\MF{﹒Ժahpʼniq.Df p>AyRÕjzu+/%2X,/0&}n>48]|. f~ԏ$.AFpݢKY\ʒ)pgV\X`#Ptm]0 9~^+B! |O˲*Tur1 '`yQcB濮>٨!)x g';05/YH3x(58B!@ ٮ9ILb|⎆@zĬѼ9 Hۄ|uUX܃#UnE{hƚLLzsJ`&2ȿJ12+VLU08AX֒FQZ+de[hV=]OfNΦ;b]g2' s%^Ud ̵R2^A.SU"e>*]\!5B^y/_& kh O{cHIr2h|#6 "87>_*7; Ru׾r ɼXJ0[U v JM!%cLUL,ZR#@ѓ¾U>6FxܺGFM [F_L"$_׋ؖ7WBX#ԆYK"%+f>OhsNםrKE+xc`8YţjwIۄ\4kH~` 2 ,>uPL {lݳDNJ~HZhaUv 98 2gN.C| C1*c2XH%= tҮ_w7**lˑ+ߑh#mt LrATtqQF!8zpd 捁r$<4?CDt3ϐ;v3Xp%q`{%`h"rao-'LݖpꤾRmEᠾ,$TQPb[ ՚x[tTV%{pt.Y'E*#BO4ޡ8?Od WLDC宝^Hu sGu˦Ҳ ,%[3kb0`ɲ&nźyG*BU1'bH[ag3ߙcZuMF5y3xIzg'ٜ(um0C缌 ؠ#9.j-%NQdO_ 3'}lE'֑A;*΄I2AO=K-Q"30Nߐ\k%<;vMO*ly@ppLsL{*10 z%`a1!9`UD=% /7ۀBc GxE#XMB:|XÂLt Ø дN;coHIGAĞL/}>[s!Kn,Qwp OT)^t`@e"E݄]_^jo(YiJD=B)TLaC͝GovE0٭]=I_>4Z"(bZ\ĄW\BAŗ*~,qi-g [_slT}44 EQ^}s\.P-Zמ/%q|PkPxRo6bo"y4jP׶R:gܧW= s=fvI3VcanYћ`iJV1 mI;Vp;f)wSH9I/$PdVO0߭+$Ǣ`@{!f2~gʘ.VWA!רP Za/5CBV^oR9ѷX'|iu lf-AtV́WCI%+ET-[C]x &$#Pist \*?s&T 1WXr2/ڲaK(h= *e-:ZͤxGIBksy-6Ӊ{:ImdMK tM\}& |ij YוC훱ẋi#IPWn%[rR )b~]J@wͱt:,?,eҦi-[bFC4yŞOX['I Czܜr ~8St䙷鱙ߣ]7nk^~[Oj858UZtͮ]JW_bvMyFˊ 2dU'ݭjGXK: Bcm4guMIj[R_˴`cH)-[XMwe^)_Zp% hu7K9tP+b(s%Btp߶(F1(lI^x6uD _ jVSt9lf |.ɨDSʶK/Wdf; TX9|~M{sTts>"n|u ]m`m b^W%t$nr;U_[p_NY"|O4[zӱ8^E8Lam, tݞua=9EY\xYsXņchO]Hב7#e8gX2h~Dsji4h J,GfJеM| KCW._2t zS3^ǗeoiQҍF*uo6>OϯDtXؠ!(M>l?3َEfHL%Tt:WG齗 kA9ŃaѰJe-tk`.T̆P\ޭQC>RQ]m 5Fc~^Ixd_ 3VDag=r{{ӛ} +IQdh֑jEgwQlY[g`yi' E'V}@Nx^^8CaVt2PQaܵJpx$oQ(]S!5DY,/ZUM[vt#@%a%\i"i|f "|s5,ca1gu PF s \B~C`N+u}֞ @-2xDĽ 0%5 |nΩ@v5qB>*Zfv%(x4ӋE5ʱPn{2 o.AK:!ҿyKiz]PP{D`7R SiVXY.Qp̖=, 6\!_Rvik azјSOW2aڸ3#/Jy_N <%QDP:R>U8BG3>Q)"'ulqnM>jvך*۠&򼩸ZmN5 ˈy_'s yZ?c{b; EDX]Fi;a_46%:rrB'UӪM*NjA8gMm*qի:SQ{R'ElCc0"L`/mDZ[8 9\;ÁSg&#KL1r06;"< EdHbCCX D& "g_k05"9@9 cCI0=,*]Q㫚qfll͙dg.9p Dł[/ ʂtTnL|;AH7›vC(f%%SCb2"IdYAuȣkEcAFw!6/ k6.tyܒ1zzYN@yʔj%BJ/-j9&7I 3s24j 7U Z(Ma=!WdhCgiieZZ]6s:ff%(B7|#_E囷4K%n ~۴JGjh\yJRFJ =8n:PyjV',YJz&fVK+`Ɠskme%Rj4ȔX~9w!"^Ybo1&bOäCo|EQ*^hdd (V]C* 0RZȔ%bbnHCg͙zTdTcpSl71-qW;YTQ8TyzI ?qxu@`e{(C+B2u'>[7p~FJ%QʴE؟#F3R/*uB7| 
n{ۅة'ۡ-}LHÒl~eOx MqSBB&ʫԠ㿑P1q9}>JݦH DSK-z uʼn)m  UЇɺ^/υ%4ҜaȴA' >kPK()SI1]c V3 +Se/0㱌i?~9} gO=Jls|ejqV}Q{-MDsE 8Z{5n"lVK&>oBub4svek# 9u#}3lf# ӫg ITP+ j2u k!gS!`A̡Kգz#;nФ’zv:" c=zG͗uj:I tL5$1kL!pIǎ+/ȪUߗpY^['2Hf" 33!> >0䇢,o?Zq>:^rLD!v4M U(ҝnVwg?9#u'G彏kv 0g$(7,痑U H}GN}dPg5DoicXVdݥZۚk\26a塝˾h".] BCX//O@CM/B2AX[gVVN&IEJ,6zt*]n?nǃQ@,;PV]N5RPN5ݼOXP4b`\[>6BᯯcܵN+aF@\kLc,;hW&=dOJs]dOf#~tHQ1_|SH.{2Љ/+6 C5N6.,H| p滀h ӵcuǻI[ne8Q|"EZE%9eM@Vz^~ʽORnvx3p t 52n,ͺ?`.'݊׋ ,nK2"NpdC:⟇tR-&F,Md2dY U1ȕzOny'h)w;vwM-uf*6jJ-p_'%h¸Gf/7ްR<[$Qrm ,lgSLM01Ǜ+ zGYRmDWdICxBQ/|oc*,̊B gֽ'0Fv"_&)?r.IwFX_ g|b~Ҩ+|%Vb"Cxm;.PW(lC 1"Z>Yc˟HZ$sAXrq_3`[E0-z7Y&)7{wO(skDtMU!>6&5T> sj K]% rŠƥ˼[jrL-kBkNg~˜!c)fPjfu16%a&u)Qq-.׮7[NIB|v|UKh&в3advmdKg%N~2(z[~cܙ&MBW蛸"7l/QIk2U2SdCp'Zkh0NY %.,>3xuBfv#uflPnP{G$O qv]>iiW$[+^9r.7+63CcaC^>i`E1O|:~P]G!%t"P@ށ)8Igv~d>&䎐ZV~q"=ƔAl7lN QKR2%Cm ކG"BƵx6%͹kg'~ XQ 1wqr A +ЋLgdGBG\1)Kdx-M@o, Wf ~ e.w[{/xXނ:7ϱDa ;8&1zF-AAOI&qZs(i"Nf ,r!ؙ+_F;QDZ%8ہPi&J(64`(]($#TȲ sx//s! eo\"l,U2qK9@GZ^N*}e>eGGuzX;vytM`׈.@ޱ+Аl.P`!)ۻD;Zpn)^$@U&%^~p?nA:ATA K-'):y6TXzmޖy|oЉn'WY\eh|piu 9 Hv=ʗa>m`)y!GDKILSAbA6ˀYGfȌ [}HIٹv{ =I-R2fd@11F02ei mw`5@v`Ep-c܆8^$6aq"@挃C S)~Ai-;!`KT))s,m9 InzTja/i=k54ĐCۆ5xcf Ũ^P(em=c=}Hw?ŧ1F>[.pSv믃_sR"eftUOtIbѰV4}LQwza|4ovAa߾?J6aoeuM/ikIB=tN{tx`\i`(6Ǜf~{tl%pJQi/lZ<0U5-K AqllVAO4e6 [>P8 t^P7(Gb9'@(.@.LM  !zĞY4Yޞ6^=ua7 ZR3㴚&봓 J1N/zQx̄h ]ס]/2Ihw| aۻwT$xёayA|Xe. &iOyE3g鮓B%5nRRYwS543)NB;KhPUEcmZ\s`i=NVftZ Mȿ}GEA}nP |&wȱe(7ZNlh4nT}Q#θu=~]b ;i~Ю0+dtLjV8G*F Ʒrzi? 
ImLۅ;áOӠ٣͉K>P|):Y=^AQ"߼"EtNie9WG X;>SS\Z޻wX: L#V;PVkf8QFjUO0_(`2oOO @b?'h}~4Nq2ue-hbzN ~U2,%ʨ[{UK7n "$yZUfz7tEj -Yq~Z3H rj$+p\̞kRCpZ vDX[[p`DWJuG/fCd1У+}N>0ڌ5[sT / 3nЖef6*Kw6D"H>͏l]L3$Cߨ(;$V]q DrFYΤ}IGS[ގؾ`P{y>O1-alwS`ЉlH A={l{dŋ>n 8Ɋ`!/{7#ҕ-d@;vȿ3i4X~c[ecw=߸i}]u"$upc݂8`D$VW`Rc-{Z7}mL\6c?oERw-G85)RZt,6TU ,)#qλLXڑaJ'ͮiЭ4lx mM(1wz:3_Z޿Y\o}hJ,Io!M"_Ai:4\Tߊ^`Joֺ g1Ij+S~,*;Rх1(-qۛ m-L .q,{U|Zf@HZ09M7]:-`s{ 8ƤvF"ȆFkDѷ"tߢhFƽ Al6"rI17h3`s$ [FgcLourǦw'f<QﳏfG7 ޖ k'_czߵ4C>R4}6:##{^j1ᓳC Elڔҵi#>!> 5fb  +m~J6Uex1r` xu~&aGȯ1ǩRmb77 bgvqA.0817.5@7Ի:L&ڵ `WXq3f*ZgH"%~GZ-t@噜 "́Śn 0jѼ4'xIѮ6?8w,\Jzups=ŻDC`]y;ŵ|='DUgΤ 7]5*v&MTc:ylmL)x,a ls? kZbvN=]įgG`j7l:O]*m4b6$mՔ)j8'x26- ̵W€ 8P\/Yb\(43\/1Fwv~>lONԢ+2=L*ֻ %4&}k%- ؒ1)"khY2gWꏾ`c08a'&ç +8/JqXz!!뭈Y^fUW)lUyjr1S1ʳ]M%a"a/.$chݘ Ra,peSL7AٞvỹE[fE (kf8k5jẩzvψ|U/df2^)j~n]-x.3/uǴwo顁HW)# }/a2m aHA;QzU-=RB'Sr"^U`Op]EԳ؛1zkw8{_|k!j籘MX%ϫL1!~n>M 1X5xAk,h,ʤ%I{n<*W ['Do-yjwiIMKмAIk!)b[|uk;;?soWe3rvkJ'4hLj}_ Qkץ{(cʓ6Q8J-KW;t;~Pv媎l)_;#(K?Rmm:6@224=iS5HwQnђ7<:@lqN_KE %+T S즡#Ҿ~P hR,DM2ihosPB>t% ϪZ21v[R0QձDpkZ&i ~yO7{ĵ+tbYD9jJAxJYzz6u%6DHT_OXl+1L/h.z"V^-0^'bxR|U]V4W1-mkDO+\nG:Nǧxz.ϑ>v/8WTQ d=,k%hxx",(d]IJnV0ī)RoG27<\΋6aXxw]V$>t:tݣ _*ٙKnP%ߣ܏6:t+^87oL-׾D-&0EɔT q2NZZUc\#F9:)d0_+lxZ.ٷ|<2K&.G~MVmo*nyH&_.jN% h0[]NCOL&p܏* @*ː"xaجZܸtTRx=T%, B~ 2ŌpX0v#fQ[/uTnOB&)s^"9؄0+`񥃔}$b3xOIFY!jg.K~:Ոe#UJ+T$O H'$v'qƏ39(*!vnި\z<0̕&Џcl/\5}X.i Di.BO0˳U_6[4QmR ԩpuħ<+^G6F>iqQ}p >S۔?.7({|JCrnnnnTV}GhQ]Ql%և l[A>+{ԭ^RAk}5C%v+[h7dBGz%#z:*_cmr$,*Dej1xF\ZDj=ձjmD!>zh;FSZ(.vGp^{7UQ?Aifn hrcsxG>2T0?S7ztIJi.Wֹ@ A_1`ʽ(Sr.;>T*Ld%=C*,Rvf'/Z;u{F=oHz>WJ$/'4&̄[EMɀ)Trbmz@+(Nsa?..dt]ȑOK74[",,UWi4Z Hw keUyo/OSQd+X%`=cӷ}Z ?|HVx،e!h0ntYzrYjYd`HH}/1;gM]*"ʿ9ux6=xFJT.5QT ; D0 $.ޖƷ鐰+@ kkH9Ff,ChV ?w#rR~,k"Ft߭C)k9t#l[*j}rPhF~g?1)IG,i tBRJ7&uTF_Eq1rSI(ȹw r sOw9̓02MggVrh82Z6 в@38r>D㐴Xs !c!Y :gÝ>Nt8dhl{aBrP|G!4B5@/Әu6<ϴl!({;\Ɉq":+kwqgdܴh2flmM{YJm0pdZo'k`{=p? 
|V(xۖزЙ,*-PaLƽuB}Ө %89cĂA8T3P':bJ.ûlOAH ̒Y',BWlΠHN - <@{>KX.Qw ]Ym.6J*|rć @NMDhĽrmdX}%}qۦ|&(pcӣ3qU6/w|hWl4MCQLSBf=ZgV}slmF;`pM/;K,Rʜ|dV%x׭7h^iA8ر.rCkԍ@0wYn?#v g'NUkɪKtʹr64Ӓy4,<!B? zL瀋db4pM"!mC+艳詗$Q[ t-Ycf%^"W6#O#۞1q"({M7t{˩p 8g:4׽7LGPPP:jC͍U0j /Pl;C=NZ(0-})8ϚʁeÈn氹5wE;P ikjR[N1EЇ.l0ع%'>`M9݌Y@T!02[q Q3X+%[sԤ| EM'fΒ,E9+FϰQ Ȇ[>"Bs@#`dP&J"b Lt `A\;πF&Lz-OȤ,YM ڤ/9~sމ1kW8D9Fc{#OA&%ؼ`֖biu݂}!gm#; @!d. AI XXbnorfq"=Skn{p颚2|y8N+.8@]Vv<҈ΠZ dHwi.r\ETcC\-DEQCSd Y_p`৭"]u?Uڕ ]KJǺBۦ@}V<7@Wv@xC$ܛޓINHL#'!#;vo^de1<0Goe޶oG9 i8+rQ6hCШxV1(:ɣ -iFA){9XQ̦ҩ-Zf#٠+ d[f% 6Lzt-vgoiЫ !`KFȧkpM5, !2B5`Ko5A1A&;~0'@SGRʼ$[q˂2EЄ~Ez'/ [=ACg r+ՂTĮm78dԐ 0D3ۑkeڼݝ=l=xC(tbBJ x4|WFԋ1S|X9zv~p`釒Q RJ\1}enK`4U tO-=h%m.\c9R=]QkRr1H'#4H:DDڨVRDt0..~# æ3T:;D_GP)F;H9Q[#]^!1ghF="gf.(\]e Y% Z&5EQ&Rԏ5gˇp-SC2,h[fCNt]j4E3nKCm9o5-L7ک :gwi e$*jb䖢mV`Pj"wdh ݼe<>.΂iSχΜ,5,?NϴBBfU{-BuR[b3Ov1Ml*tSG6Ol̃R-&'Z!J&Z:>)?eٕyxĶ zҼ9]N[d/ޢӭaʄQ۠fV%2Ezfw}R"jynu;dU.18Ǚfdi~=9J\'x y-% ޓD-˟',*I{'K YL\5YU[l3ӥp'yfTs֎*O÷r8 orjsT#c6lbK]h*zciDoW*;mI*3I6P&֒rkQS4w%#VK-2{(!m1x wy^?N8X:/x QF9ֿZ>DX5d)ybCKjk6_yJJacY`2++NNi>Cf*|^L:DPt -`T0Ո-d$t놉G.C\Z:]J\qհ$֢Wʕj9bZb:^SvF61Bx{fY[m<1My<~Cw~3sR}~p0yyBb+S ✩Br) =8p"!)x\SdUmY bX HNFKz*SEEB\' ] 3|as-! UU i~fFGDb[+#.xIIch(IT3vQkMXŚ"[s1uL&WP^`IJ տ/iVTG%v6ĂOWĘht:A} $\\'kz!ug1tydQ5:NԌ09 |x=B`/UWU5}݆l̅#@) L 1U *j>TcM4+AMO o|g,ZqY#>\uL *TllFӔ/e>[KnUGB'cCiVA[j~XubJDxL kdHh(h2 $K¾O5FYu*G9nZzTdjpsͧiн-(.KQl4&S>٩ fU1:vk;H#8ʬ fzW1- uoi{7JAk?wQ0/ܐ-׋)$ɮudB X??T,dL`*&u@ s{kR~4W\lz7B͘@N!eznǘ# REe2[A S Is V=Xiұ=8MZd!Ljĺh#c~t {A3.\lYOEUESllǘկyhʡ}ٓMe40ow}^kWg?N{Ih 7S sf>X/ ~dgbxs]f䌨'snv0 :37t!~V]#(gО ]Wp,uW3JnW1ZeOM3 4Rⴱ( Tk˃-LV:ӗbP7kɕns\a"NqBQU8Wi;.$ڣːeY': zw56(.cgϚ tq.,)D80(?e~FϪz7džڡ^wH L҄ɬj;ZȤJFNSu~i, ӡÊoG+D<޶HJ(u oQ<IhyLN=gBA[e BZ>%ⷔK$l Ly/BEۧl]4?R,GtcQ9D|\ΏMJfX&Io? a ,tV)\pmcܜ{zggsg}th0]oV%hs>"KV, g9Qssՙ9t'. 
šhkIX%C{a{[ۨM6O=-柸 hi@ 5g,hu@cZVp !o$=S"ŽE}.רaZXcspM%dal<ϓ{ @T%:=N9q'Yk*X +3ġc@ic.ژlmЇ}272b0!# pٵL~_ODA%$ŹSE^V$3MoPCВVnea$ ujYf p&"FUd_@ӑ}TF:lFiIoJ2㕕cW4=Z;&{kz$'7OF['\cd6+8\v桑TtL}n!ʂABJ__7d"wϳ7qf=$uܴX`=7Q=Po;^ų|I$]kNlO95*}i{I>Oz0m +JwD(팤ZyB5CѺ'x3щ]."n6ݛFH/Dw)U`26J-׻oXw.Zbx"ہ716c pʢ;ݜ~tE|0!+#ҳd)]7]cvSMww8XFo*Wڏ ZxRz8S@̅ N,ܖt%7crB58D<|r3ј*<Vz4>5F%<Ni,A{a ^EfrԈpG ɫүYȰ*{r:27^U@z*:4p>+tȿ=Ы-Pa+}Oβ+ðq6fѶe@҃ɋo$*IIaTA7es|OToM.J4;8`6` S׎Ԩ Po@l+p ??()Ŗgn(hgWokpOGM7pX=`." .^VjL^ݐNu.qH?pQ!/g峏$x[ajOmԯ U) a *'gb ;h]FԟOrm[T%*@ #)OޜP\cL4`t3 Q:qXp;'Lˏ8UJK&< )9p8D~AtzK 4HZp90%ծeeZћtf UXlKm obSDl;po E,\h-;K$(ؘ3PE5~rRyɈo 4rE P6 Fu Mj%t=/-r,!cwˆ!^/!&Ӄy'[v]P7iafvև->e/$m.H2X^ @uEd;MC0RQGn:ظĢ*厊R4%<3(ƍX!VpSW>4wxݴUlt.L*Λ'z=. /Ρk]~i7FNkɸ uEv{Qn?҄- %;E-~ArKfy^lD*MB~*Y\zF hsfͭm$FUCn ׫$YWyjIRQ2(kZTy*ýlRVSS5%,h"Œ z2=?`Π}xb8J Fk VJEwI*nD'\(8"ڽ)e_j倦'f.:|.h9(ΔAa#-c6l {O1)*.Qojq bms#B[㣮*4ٗ*٧=IClñ*{9pFMib`VFt_}flJL#FՓlɐ;›M[ַQ-S>1s9Dr_s!fKkt)n &"N(Y~>QdCf@M:WZJc swd"w: z(tfX`n^<@ e7كT <٦¤.hXoAal%0i- &ݣpMelߗW2GTG_6-]kDp.c|*.rJ@u:lœY^qG2k}?ѧ69 D*fԀ96zj%JuZX'*:zs-@fKdxfљ線$)IO&-,9ZӪq $YUm ;2,'I%}u*69(ُm1e`ხ.!;_j'8p1եd~*v5 ?\1XVE_uO X&;q& lPȦ+⣾|їBY_*~ =?!Znņ_.w>o|7!Q)Lx5h>#|-hwMh{:m'2Nyvo,jd㮳))?ձI z#u^juɡ: V"].#?B eSR$Kj7SzG1X;W6*:`3ikOۧDCLI$=<.?m[{0O1W(%^{8_Bn ک#CP(pf;*ΤD55 .hGj{f˸AɾƱh39N[03g ;?5g OL"ʕ2=0o>Z +hwp+mA[G ̩8v_=X,nP\v:P0#I^Z!#GG&979M"YƜ@*cr], a|<5,D|t@;`efcb>A}4@L8-hotj='5?5=40b$@`x_c8{|zDٞp(Y eQMClwnZEK?%ޗUƱvi5j39KOhبUO!%QvYzQ%1,KAeL6^cl&!H܀O!clt}FiijIo5oR hU= 1zt;H؇!Mol5*:'Y0?^>h rRTs~i4vp&1#G@s1N*>X9" 7Pm؅?.{w2N9y?# gA|ӲVuuP -ӧDW;)V#O˼I@GJtu*OΒ<-wXLOB=3l:LIVH E\}]5 wRpYwwJeUK٢a(*`QV͉Q&;MHzKXȲ\?xu=CbMtÜ!~4 jq)r* 'dE%sUvp8t֛)뜸ؾQxm%h S$T2W=\.(N#֘ $-e*q~ɪnw"j((WWC{9 L} K%፭&+,Aj=L 4]YRxFU) ?ΆwsĤd&T**0` (8gۥ _ϊĂq='t1 UHL7M*eG!,^\"߉.RHHݙ3k,Vp2.WYGDz Y`,W~otFng.AB@ۙbhj+>YXPzV*WoFfWmp\h҄ ڌg`t-5gK }Bd 'd}Bj*NQ9U,ҭfTU.)<.t¾dHRdxiòx T82iWL63,J^_cMqks"G=QW?k_ K,qc F~Q_<#܄"j84axvlQp*ȫڄ01TZx8􎐍t͈m @tP} "ge7R{k-?Q%y1$G kT%~'>aDP7gz}|x|y"vqS1D4qsBi=d!Vbf+;9 ]u97򂎭/Ж&T lr 5 DF=Ғ-(8kM 
+kTPO%gQY̧ɖUx/.GoExr)PBe/*YдH\@w2&ހ;^,9J?ŞOgyʬ"sm*ssڜI6g@R}:舡-޾'zqy>7v0dD$>˳D(q iq);Vpq_p[*Jif[8knN7:@+Fh<$TlA$3eN~o_V~a!7^{dWo4׃hXvVWt@sD& ĦaK\vǒ5)dfurpQux^h]֝ aMD&0U Cll 0ef}z[ ^ ΅!-Дz4y~(<ڛePB^JU\l |"lFr/D=@rZa<~ !ٜ)z6?ظFNrY08uŸ}rQ䶳g ӄ``[|9աH~{kv7 ۴tL)|59eإ~P*SDYK 2Bu\0RE_QsX<$7Nv_;Ax$oa{F8Zw ZlU85پ#Q6Ut냂-> ~p-zNXL5LSdZeq|_| s/0hv񟪥L$`OV Tϲ b7g*!;<XkHHvnp Q8n]z>oKɰֈ.=?Z\6i,ߔj. pNjb7͠͹n[slq'n@0(7f25j0@g%$Goct`ǃ6Qs&vԍ$@3^t jdvASާyZ~J:ǯY.'tHY~d/h%\1z~r˙^ yv_({[q|BRދte\[\`ey*%k7.O:팛A$syWx͞|7n d{:'pv@E4# z\Jp3xqntC^plݯgR|z˯('T6R FE_QbM{ƌp1M9X̩7<^^41"剒bܫ_ j6KORЏ~LA+F.ΌYP%  ;zCHX-|Rۤ{ӱ1y czȇѽ6 Tͽn㞀1F^#sGKm2b0rĜa(dV3:qUTr =:XI>[ְk!%tm$|&TpǠKP&{On E.sy݈D7I"*DVeOz܂49vB22 VgUƔoEAgW5w=Q1쳥6iԡ]e尺jPn@nrWXBJ߀/Z^=rn{" HTNxZWp^ߋb.J8JIJl`+P\+ӊZA6i+1HLju#&A*zgKvnm.*ѻT 1GQKNwķ}?@5I(9AǼZ__4VML|KV Loo|%,ЖEZ1哢[Tv whc_~.7}'h~M$J떰 u DQXFu2|{Ε,Y&RM|=\CӴ+6e߱f\3-oĔXn|b1[ՕZ"^b(@m:@v2L'G-싼 ceC4ܶGv7QpVRDcAMirͫg류:(d#HNŃOf"0.IlDH 0DnEK 7mA ӰC 8@ K~8* Gl~?B;a9I 75`(ܨ*m<.&%J2uYDbVlz*kI޳AE`f#=5aDW!W-=nuĨ=eDeMEbhZws3s.~\Fa)6^L5bS/ Q8N1?GڧG<򮱣/tܶS7D7` IwHL׊9^2ԬZpf^kvʅH=d!kTưꗬsk]7szt[\%9g#'b;˗y8y6t,DѢ=";!rcYvE'eƷ R_9Y-~L|$N O*~n@Cf=QUHS0+_B:#ʆFŘGI!|mT'?e:6QJS9hd2v_=SYm{eCtޅF|ϗmXT3؀,k"Ɇ+s5a,so=ø7C J.5- OPwvNcZ- ( ||N*4c\;g𝪠cRvhKYK qLz%r2p^`gFM2ZɔGef.0!!#wR(O Atѭ@V<۱9^%R`9š0~-kdQ ͚wbK)'] 5)i󎥟< *,^ɾCk8d_e@)#1c ɵN j9r&`ڡJd6*EyC _qMs% 685:'Q٠\Vf}?Q\k²gtE{hPu{Ij^i¼Doxp,)9nu)H@XVa_zlDQ0nR mf~1 [|`p۽ x"6Jد[h]M[T4S<5ߵNѡ!@334PQP "Q ސ{?}kl O&z`i~clJOJ4'LFoY`v)zFK]9r8,djBx"Yw3-4;ʕ'iNZ*LxZ e)w d5 d,oâϾAEY 5ae#G:ӌjiuXt#ES J4{Y-lq:g.5oUuK3.ª ]y)_ X:}}|:l?ê~__}MUMv-`{qat/qhY6'{U퐓.pdf_0 n;S83oj4~rUVdL$;٣ 19NBlfB{B&̩Jh5Z`%q9Zg:}Ph1BE H kνu6"DF[  }J$8LJG? B=n ( W׋ιR8F;5D Tl@0Fלx?Im Wh\ts*deMu&Au'V' '2΋+i8D·Sp-rG5[c~B $1b 1tr0dZ~;qU9F U[۰J0#,:xV%JzOSlPhó "6ݤjOyKtsWE>Laҥ6q]ӟ~d#&۰1U|ݙ%r*?wM(d 8-áxlLٵ2ma[CIGtb/nxfjXNwAchf7pNt>.ٯ8.K3Đ\z R/_bGoB 3=-ǐJnr=/9} )H\R3Ң*ͤ*9YlElw#'xKS;%bc$8?cSy !Iv_%\? 
Or6ʽzG0GRx>PE&uK""qZ~+8udЫǔ)!~xPyQsRlQ'3sfϲ3}m!?vNX w(JfGףWdX/"8QppFCհ.Drl9 B3ruhUyr<2 sȞ| q̍&x ~E|][(4Ş$_"G&*BZY-#42g48șj'Z n-Ho/=ۂ#FwiFzofSR41fphmTcR]do 2y$Dx! >a@kA{(tNW߬ 9P윥í"|l(MxBP,-9(#Z( =SX~P٘Q3Ʈ$ W*J/ c+}ևĕ9Bʹ0_{@ka zbyHZ2\?oa4QnB7W%Iw+'Z j$ىxAπ{25QWٱj'trߩ8ŵ cUhRjr`ɽzpe(B M~Tt:(?2Oz-U@v=1XnPtI2LEM,ŻKe'N}/fPVTYB"7ӥ.r$uM]!ɵ%(?w'uƧRs (Y,z"&*\8x@g# K@u/i&wkU 81^TCF$@ިFF_sCǨ@0n#/5X"yz Ͻa/WӞ[f~a%;p5H !9[#~^OMBg{QXCNmMx-XuiJCZ5& *9*| KΌxryX1̡̓Ypfӊ߽v+Xo(QV7[w"yq8i(6`b-bh;t*V+Ɗk0VdV o ' Rb7whf:8^`й.j^$xWVt,zLRmAOȀGayl<u ^k@aoV2/1$.)'kM`}6Ue0%#ڮqٹ'0gθu9Zy&/`蝒մ(9QA)qf= = aK?I$@zIʨ2l֋muVYyH| M>)ˢNgR|HiefV"p;|C'$]RO[ٜ`SECJ<IUatVh1XKc0VEF"0]*4S~V{A(E8|2ۉ ݾN7E{!ٮwROXG`'f}*7?&)iؐ+ϑp HTdI#6j[@Ԧ^iK#Hid%61q #{Q!uXSAbƥH0+y]RxY>hSo6PX褈]~(:`cYxܳX*XWgQny 3!yÅYi%{l<pz.l}cuw1%q'ajf>S_jOin7xݠ<,~%up.& ~&ݝTv5nNp5 EGDSci@&;24P@I(֐Si?ͩHM?vUi,[t>8aJKv!\ R`2W73*e2gbVmNoA$9]*AX 5V>~xd_R@ }[ cS,^Ĭݯka C%j:` D/~/ES`6P@tDyOMEI.]ʾ;ZY5 P:*Ԣ}'ó%P6UB ±Q>Wd5-ا+Lg^2YoG|xo._׼wbPO߈)4   8k(Cpն0oT=_0JBZIt@@r4[:՜9KRg(ZqT`he;b 蛕֢vvV*Y۞~{%l.@ȐHoEydp[C0Sþ![(uVA Sh%Rn.=VN|7hu37xEG`#| 3ex.䲞 9i; g@Aq_hv? xSʥzUxWXh`~HMl 6830+K9<_jP`$ley3|$O#rŃg\)j?Nlu!E,#AGd񘿣9>2i~h@j?Z봘=P:Ok+ A2E&{R:W-Qwa$c{{AHT&@ `2ۇF&ڡ$?@͸i!ϠhEcGgђ)sh;5a` pn=3G>{Mf ܈;)q8CvXx3ZUg.7>6 + 7MF &‡3w4J 0!2eznG}Kd,~%D9UzvAt-/6j# EKv\Q`R.\рR':D9V 7N0롮J?Hb$,wp|)>17V ~. o,psh{A#Lìe̿ XiF1+\263Ѽ)DC‰w@*ҘVX%a֫IǣS(׉J")*7؎*p$yyh&ڱvN p5$ z.Fuz(BZ;yawGX1-iyƢVʼn 1R3|i뜋銶hGuiѱ ?|J6>RgFx;<lN@):|X 7G)"uո\) l\K{B:FQE Bqo~u\.Ub#+͏Xvܘ3t# ? PSno~aMʢAЊ {sS55 pזb:{jc\+ْ>ƨL޼Z̠maybD*Y9=[vD h5e6~P#Y 0~ΦNfB-$?$]t ˮ}+,pRUCRX ȁŝecE@ s>eVJc߲'^‹)ȁc2c>|Xc|݅ gqf6~ >R)ݷ%8 4 5s_9M?H?pߡN ,< LJߪƀW ċ <i!eiE~. w+5掄U_s͐J|8IPWr~ Q?g tUNEƥO%J d'oH>I8ںS㩁&Ukr)8cCP k0Bҥ+|mE"Lρlj#@-vӜdoX0į5|psx[*pMϡF'q"cS" W J3j@J*x&r,E)1G\) X!s9(|O0tm}~آK?ďMu!6mDW;ˣ.i-  sDWYW r & {R/Gwp8IELNUbx3ꃗ1Av<_e5l1]W!]1Ы'Ks@ =LaU,0  =a*]bwC1z7| ? 
X^wYp֗z,, c lǤMjDnf#tJ%x s!;f ]speAqJ&fa,փ&-\,-XhH꽀x_"[ [b{v++2ʆͱx99S,c+Ģm`4jT>Uh.6j36g& Jk|_tAr/:;'`gEF΍Rg08+<*BL^.%~Tn̿I<5T6` y;M@2OnÒ^(vDŽ\H/Hvz{s`ܱȧgw%0ִ I}m]7)_09 B.& fecF6eWx۴'cpg2hg_{xt,zo=MN5ҥ6)`i9>d\&.: 0-K-SbI<\3x@̶TwJW rnݢSVŗ*wCʭW'"lx[Ω YxB{1oJ6 K/qv?z.3Fq˽1KÔaGEn#U;T @-y%iLT3[AsRJatU{"}*k$D'ʦWC%[κ >3}>BգU>BMݑ/yrQ@NOI8 H+t,+hEՊ`k 2FG1j$̴b9ۚ!4h(T'}G蠮kI|H!A_4YZHH dI8*)5xa Z6n),+Pw_B9?t# "sDc cQ1|+?TQ%t8v`|KG2 Q _e,$G<J&J9?.S#ݸzt7VIѨL]r.+"a,A'. +3L9qIYv4oBj ܎dr"+HqtEahb{Tr螋JNSu|6h$ |a*{I{S΋JᒺNaGg7DX$l7tWۧ"*Y|!N[9oBBɶr dZko,rZ,㽚3q8lژI\>Sna#뚞.̻ o"qZ,3ؤ~[H‡gOxsyIxդr /-DHsn;5 =&EXv L;\kXZ,=W :J],. e9#ﳂcɥf[v%@/K`}^姲m-Bdc> Yy A] 6{ڢup&U)t'\#}.ٜk빊S{&C"%!Pb!mbp溰0^ LjYg{a'Jt?CK5dN oW=N̿g-cI`PAu%I RCWݴ]EOvExDw#O&Im)pp#~f8^̊Cr 엔zcٹRr:U"q0Fhu㶏ɦ Fi9Al܊$P9 2JL+uB@Pz6OܑVV6}[N<+E^pO)-I}T8xO Us<5Oit77`e[Mw^< XbKTߧj^d?%Z \79I3YxcAeIcyxrC;]A8sasH8SvX u!j6SXcy'pTHh<%D cd6BҔT@C6LL.+_R-;ȅEP"s$vxrve?⫺ ̤KkDZ6c-K̪O6Z }.{96pM[j?$6s2L|"J4螽#T!U ^C%fJ5ˮKr(/gEl }S|X{DrGNKQ쫞k͚Öbg2OwmVrqKڀ tY5O Vi>]ނ7Y #Xrm|ӨϘl0МϨiۀF󖆛OnGJY*T(7\dY8kΔuW]ESh#uRIuA !%LE& kP&*o kYWy_NsQbot݆ n">r |:P$e("V%XHUE# W-S}xA425ṿZXΒ<6cTM0E\@d:y1{6JII|qgv5}iIn_@bmu?LEl3l'D?uy$D}6inr,v2 :GSAz'/tH^EFMm^t75@a+Zu9$&3' .F4'<=qMrҝ\xah)XX- .qlr|կ^OWp'20VVYvҋ _\ !3Xr9R+q:chQ*R{3w;~߮U8 Eړ{b"|b8!. N呗/}gZP )L= y9u}L{a:1Y,ϊHЊj[fr =F7̦p@{w1^L 8o< g{P~Q@FMH2EP nF3NG Z|P3 (` oMōi`"sj4@}-fZ,.bU %66N+tH0D nvS`C ʸ١ZA`1ELba4{.P{GoĚV4kKc i .F@ Hgrƥ5J7ıčSey="VkR"qlvt3id7$$VnAUmeq*_gkҤC9!tn[.i[ lDD;3[r(.&cKh)=l#65Wa+yl#+T_~h,:Z=Pv#a6o>}dz Bj( 2qv}Zd8HxCSp4LC=&%v鸙FdOouzEpȞꭩԏS!ԤNKL7La)$[׹O[:=xۡW ݄rd%a›ȳ,}#[U;k -8oy0$M8Z]0mw<;\n6Û2s -. 
.UD,C:Q{Dw|D)ru1Tŝ3aĀ`uۙZvd20T=R)ǺgE6iS(޸;(qqKL:"݆A0t]@_r^`Ӳ&}po7mzb5EFUrՌR28v3:e};9A"ú3UՇ]tM*FH1*6l2$޹Ƿ&z }fD~4]R.{$B7!}0*Fsn:Ky(_ o;*}'dOڲ$!~% Z`!GVŲ8^ޓ(:k?Mveys:o^gTTS(v?Frv{a 0~dcȞ>$(^)PmaAH{Hu|'1u=8дӘh[) h#++3C˝A#wqɩo~M.c3O[bWgH(Y*מc-KWIb (=˕FB\j'C$z3} 1e X둪;Ѧ&b{H,y?aͭ])[D s}fL!;T?c<% dzH*1F.eK2,M;DX\l 8``ۭS&\esxTt9c|GAB3!L%mu|`æ9isvAL!("MoCHv- $WJךԛ\"5E)t#:vLD|;UL&AkAJ[I+!;L"u~fL$T&{Fsbդ,H?OkoPC,{A^O*R|:ڜ~=9"%y0ʇ> ir<6 S=> xf.|5cw԰̄EwV:[|%7ZS#COyoY~3*=Q0]܍,.Au1dTA>q~6-^j J76 y6]_5dG@$C-*y\?i_s/~ϲcw?㡽@ish:13zȰxlw`sKUЛ''%$1 ~֊<;L޿+ox0>8Qڊ2T`ְyP˦ #C>ДF`VT`UIJA^=:S<XN0,o\ sy)bx iYaxx5f󼅱"ќ-#v6dbǝ~J3 O1(UwaU;e0CMK|œNM+'n+k839Kiy+ȟK(@϶ѐ8ldVֿl@bc/_.Z-v," T$|pyBXV㳸GNĔ(6\.i1q/n(L[-U3&lʾr1 i/ůmWSǛ$\1o!ߜ/5Uz؞K]v (^%[NAB\TD%ҥ R%Vکx|Y-&Ocu)** GUKM'~턪~!y+v?8,#Pr}w5u9E1vR8~ w2RgV%a;xl:K多M + PG[H-xiu|#em0q=v`}wc*[jzmt_?O/Oy}JZLm)}EU_ZVڳ]UqJc(;VPF5R0O΢wɲ!o$|DKdml@?ACB,QFayhtFdEP.77l2򹥮Xr<؝2.E5T=O Z"5 ;TlbIϽ,q{{cw6N,rcAVSsqX^2p~ԁF%zŊ1tJh{\_O5qG2CoȔ@wLYQu4P,}jIW8ex!jټeQ2 2s-#y +ʰjbQF|iZ~$sQ _;27C;jVY[Fr=ezRP!8 V'ŭ3z%Bàz>a-xڀxq@4C1#e p$PDKo1h_f/z^|3K#Za_BsyB\0 ?d7j]τJ_\6+WMɃ,YbO~G%߫Z#Tc]6I(u/Vw`QG@D~> j_P'El[ ίBEF2Wsibө5^.s#FK؁zfqʛ9 ;dVIJ+q NđHpO:#K}U@8$3%m g^37mN5A~H$]n9Olg=Mc"c)& y^J u>cuhfznRK'W/WY6 G }Q??^mòO{D Bi& =:gb>R<_X;"&B9y71,laQEz;>v,gZ:ᄡ;rW?6`O5z4 OS/9cF Q΍ŷϖ ZPH`}tεv4^;3~݂/(d%fe.@^c9'e 3UTׁ4gU2mB?r)CXLf'( o^*)GBNl~6|tkU⺸R\ řËOGf4sJuH;*ˌA^xtT3&̉پ/wV?m 3Y$>W6,pp><ݝӸ cԧJ{a4J:OAF+k_K.^c@ /UosIA/3ofxbS#ACLKa ܤFŌ('#$"|h}$B';ZS8Oj0ⅺ _DpEPx ;X>րҘΊ%iz2Lk=Q}F0=P8J2R)WGØwki0V[4+ A "ҰmđW$낸D^!& S/9)(jUdX.8:7=swsK%䦲O<6ByaosነZ nhqÄ!~В3FỤ }u—(0IvI8^6#-VH̼]} ڜwŨf̝%6kTM.jpXaיǃ ɉ|n=VݻtˑG(.ZcLONKxWVY:5<~^#?)3]XdnRpQ$Sheue(Aj&EwىΘ[UJ* 8^p]i=]!]I n|TK ]8)/meLUtEpGOɴP]` ȺawODS9ٓuаse/M>BN*(SC4=a2:7`!: <#AӾ=f6F _mO>d H5""oƃSYzU&vOPKˇs5 2r)D5+"[}[XlIx0bQ/p6}1skDUD2y4:i,H:'K2 k8Tc(0G9YQrmzNm΂RVB[L)%$?vrE=uZ*(]Eu,%gsҍbVs%Gqnjg*?ImӘ`;}m/*V|m{s9ZC\g^9IK #T$$C6 upq\-֕, mZ?Qb>jO`WK>lF/nj]3i9U'K1+쁄KK(t?LE@F2h16%U$s Un7D: 7F ă-sy((`U2mDlq9ϜArUO~en,XʮDd^^jv/7{Vk 0`P@~󈷐; a< 
+s"Z7dVrGe$vqЙӵp%(LD9_~AkXCt5*x]i BٟѷYt[XuVR" y-cfSS)>F Nð8vX0 #Uc~rP,sg4ܘ @RczFu>tG_W %YdOMw$?FSq?4P޵誋A}Hji1W*  w++|ȍqRQaH Q~kfh닦|%qbl독3iQW l$bĂpil ;uU{%Pcצ~ [eו”ʼ ^0_7=FȊ0/՜)4G-fl6;6hx8+FnKլGG|Cҋ&~uJ, m)P2;&~+olOcou&O" {:qN@PT]Vh Q6&=ݩu #`8d fULEhXN@P|'E E+P e!0YhRI[`(͈ifP%ڬ!Aݗ;g^jΫC`p8{5E|wX >~O' w ]{3},(k2ax| 0%aQR g8Ҋ'PeĚ3u3*l%,bl>Gbh눿!݇8eg]3z(mdG -U Y= Cal [.(P9,a'vT8RS`hhsU8þe3$ evds8}t?Z|p;n^fPo8A:V O|!:b_ Vw`"2k U ?Ԟr?삫K1[m4,"wgz cҖ $+bZjx-?q[,2(e7@9#*rJV6΀bږUW6y@ڭV&;"SM q + |s[#Ríx5//K5y؂$FhrB/Ef3t!'YMO\ij?To^ҪhoT諦YbzpZTUZ>aU#?D'= R2}@}&J}!G稂 \!C.0UTܤU]͟hÂڡ"L.&Ԇ؝EE9Mc8gQADTMBbޘn7Nsiw3=G"ϤS%|%S,LWj MrɳM`*}[&o!GbK/E fE$ K\Rgl 8գJM [ǀon*žhxaa>S˜Mqt=KEWXsErv\5+Ff_Q'xPOh?S2)F.W~(vC{; 4|dI=A0z:"YOȒ(cp^e &qIrNA$ 6B&c^ ~)O icnV Bfwbuilder-5.3.7/src/gui/fwbuilder-windows-app.ico000066400000000000000000005260441303637203600220270ustar00rootroot00000000000000 v (4 HH T\00 %g   4 hPNG  IHDR\rfsRGBgAMA a cHRMz&u0`:pQ<IDATx^]U7p${zBHIhBzޥ.M *::EqqfƲ $s=g=lf5f` ̚Y30SV[m;8jRcmel ̔4g<{5Fncx~箻zOve/c3vy cvj-cvho}nZwlhUg9uofM5}g:~߯ъ{cܸq1v(00 Q rWᥗ^6K[xSQج!fuwA]z<^+5Z@o~FBo &P L j /_9&f<%y䑛~va8CUVv!FBo %(DKj fiOO?*o%[gyuof SO=uޣ>zc9:~j:7 G @ ajAaZ0)}[|_n/B'>[oR,s! :GgfO\N:N8fc=7  (^ (L/ӁSOG?{Ƈ> 0{9/x9#|)bSZYϚm5~s=yOy_r-.k @%WS?}s9qgYggyfoxhgZ=D{HbSfiI]wݵ>؞|P?϶OlVg{=OZB@k:DS(r)+l?>򑏴O}S6~Mo~_~w{g'7+C/Yn(~*$Yc, 5o |j[{ >kDk/~Gm_};{ZBLh @뮻G??/w]cXohw_>wygs_%_s@.vy4M6٤Wj?dc=6"ǖ$?fTư7f;%`) f,Zl~}l|;w5η7v8{p…LM!G{I @n|ۆnFՆ  VZiֿ|x4Vy +&OWFuy@5\sy 4G+_z?3yd&(Gђ+b*3 COs*b+_>31A@arCs2H+9[o^orRW]u))@y]IV/Q' mmV[֞z&23f97whOy6V1 c2/4pvM9 5UtÀN*Ə:W w&-Wk:Lʟ,ygz mX=TJ̡ lA>= IG+lTUgԳsh|P'VaƻO9Ë4b-k.H}:=gԲK Q;GQ!! r&@=-Ok1 f'Z@|3#]^{6M_~=f@$jSO:lCfWJbP'9zv=>*>c_# |9kfi3S,rOs>`3O*/90g] ia0D (Ϳ$$=1e&e' =Aƍy`-9h l@ }Ø$1VcTp'};= y:Vr@Zyϓ$ 01j@r1|#0vx^d*iL c,N I_@'U~bZ_-#JlUS3d9 gIғ!)̹4 u$&0)Jmg=? 2"#}V@{@1bﬦ3 SOsNNH& 4m8ؕ0]=vai;N!jh#-wBj _lO<,<]8k%՚iaܾ K.ic`*Lw&`]v 3@7ˤ~S=A9' pfk/'L{Ox@_G _-`*L8@3tL#oOM M#,W0@{;T@2`t @ 8CφT6`! 
uCS@wMh1#L#p={jߓK/u Jlr2jfm 21Shx%p/fA )@`%]h!_ L裎ߦflvd1Z@Vf4Lq+>8W8zf*&vXaZLAгrfL,5uj€x8UN3PTvfiYg3j4n@4L,wZଳ!'\}5EYj#J=ܽ IV)zCN LM*&/? ]u]wRG3 no9})sQv$aUVTVr T, `Xc8l wwfZ5K.x# SsB ~6sPx% Z@uf+zqf~cN9 i"Y'30-0b@w;puyNof @f&@Z@i``i{W BLL.3&Y|Wn)~6S&77JH1~F|`Xc8". >ՀL gloȻ{ N5&48Es.wޯY0s=+4I[0@zj>)ثZ&P-&fc_["csa;C=p\\kkxaÆv[ ЭCO0>nGB }?3yfnlfQ{i}}`e:&>Y;F.{@Lw@|uj zuw3][r(dr4`\s~]mzQ5Öc -f j is,S PNG).u}o{Z'-;Xuow=8ou3`}7ISPy m =V{W[ /8q&s;@ xzgc. jF&#su1J%{>^[oT;_S:O}̀ e4.(MO@F/-U]ݴܞ^GnfМj :kV[:ר4u}`A~~{n?X&=G'_m!;~NcitA/AH: 4┉&MM/[wiyw JLJ>^ˮ& ݙBBg5X9?r72۸^Gѫ믯qݵ= 37Cu +| 3 ? {OU_ڻ+st"mv$ 81' `t|Oi{@"ٺ8 7|W_u]tJXvgk&s#b*`ro3%Xo+a =~ ֭&QBxWa3b ^+tFaz>Ț| :fptGw/qv.~=__x'TU,(¨0?@_mNY#ـ<2N& H }10 [^@UFczIYazۂ_NiĻgn/1x_#="V:z /􄓆Һ 8,[q{`#``d$G V%(~.O fH%Lo`zR×#k0ғ{ZT [L3O<:rwCo*~uy/3qN98ԦUQaBIڳѪbY09x/!65@D*6 L#')9ohDʳ]`z+~y'٬C9Ey:~ /u=yG#Yg.vז)&jGn]hS3o?K/b2SMQ9 a EbR+]J='iw.6\2;Ss8kxYo 9N=ܳ8>~A=Ni߾#hgqzK7]ߋO)9wO*LwY6ͼ@Izڥ:Mc振|ʙQ&K/fA?+le l'(1xli *@e KsRD" @mweΈa@FbOcwCIa1hXie>1>3L̮ӍpO?;{=p(xYeT{da9&CufmpF{@.뵆;UI;R=J 2R##&Āa".i ^BiJn'v6/ Upr#r~W]ρ1%Ga¤$~l}IO?M`|~BkPK٣+KN;sk= &(hu*p.vI']q衇|gw{}>e:,/b/1Gk[<#\=h}VghN4H 0? a<|  Ϝqe0Lwc~3dZ90=aX%O?u%J*)u4=W8.4+si]$7qtc!*ƽLݳ{s?j7l7n؏l&T2֎=vE;ny9y%]~x@96iMt=Ͻ2/B(89wBiDwl?ĹMcIi <xi cg?}k_1$)x<0{{PL1W׆`^L0 M@CS@ ZeL|'mȽNrQIHB݆@{F#<bn  H"1Ghk#6:$f\=T4@gT1Oe7pם{׳O4s 33RC"я)8lhx>L3I;S=~3&r=H0?Co4?Sw˿Kox}oAƞ704MFbnX9SO=qRicݨF7D  By3$!$}(G2&Ol!N P5XmU+nۨT1c6e{Xs>:r 8p#8|C'CMn{\܄ -M] GfL(!xIu0)lq0#Ġ#I0wۿ[~0?c*`%@wLz&>PcȰ!|b30@&MD{! Pn6d `Hy- !? g7\*r˽Sc~NPiiC{{9A +0C9Z{kd繀 ‘S=˄=u!z"p]Ə)<㌩>  &441AD*:|T$`t1O~ 203~ l&7 0,Xwq6h1'T ]7LTF.ZHF#[T%8T$ < \?Q˾O8gK.ٖXbqzS|z4 T|=u4?=#)S??'8'ЛI?)a5"hTP< CD-(U{̎ ׄ揖5p5m<~?fH!rk&h @w"}+?#$Y)ƌiTo gzFc(^cZ& ĎgkV t @퀀 NÄYq w~҄u! L>@rrn#H+yr$7|S5b1a\go ,@H, ߫W Ād73y_!zp3) cNhyjr^sّ6F 2{#Zdd>@̃D0t|@8{"sp/P7~ %HLnr̀$͗vx4# D}F!(Fl]]m䠶dL<fwnzh PP1$z2W1=:^[wku lO&?qZJBO4/ =e>Byݙ{j~z0? 
׊Z&6˘P@8DC>A[!0  AF!nZ5<3QiAT(q*{3x-zwwX Ǡʏ%Ӑ@>&c9j,آ=U^Uߓ Ö3OoY1 e^ߪŠV&<w3I"O??Mm2Q9ez%ԘJ̘ݝ ~p,<Ų<ir1Sl% G&Y ާ'L 5ɟ(@5.$hbd( Hv`D̟dhT90)VBSX $-8as+ܦ"NY}{}ى4>s暫7,P/ҍէu`j@<|Bw1%ɇ>Ҋx?h)[ ͽO4|,"߰7M2T{-J-UKe,R6|2iQ Ct7)@s__{5n׶k M6ZvyRIA&~MBi &Ja~(d $S,D:K*A#Rh ]3Rr :ZDޯ_ ZԚTSʣ'$ ѮhYc%7%l'$a}90:@4ֳ1\Fd$ ͘Հ%A,!.@5JVR@CИ tӁho~^>?n'wTym_`r$<zF$1(ώTLP~Py@B`dbx%(mkCж6F{[k5N8A1 9tT|Z1G Rj)->]o~!߹0@LF XD03HM AkE݈Ti3&$#nN,Ȧ7ˆiNF[[G?nW1mgx}*X短-h;n_Dᄅ7!@*#Jp8&3 `~9tT:`C@@7/@h0Iϱ4BIspiռ5IHq*>aVt6{Jvs@-O\W II0>:@2}gN Dr|}-%wE@P/Gt@i"ܿM̾M$B'HJ̆19vM$xA&@bx?T*%>?#uZƢ|kueͱߑmHͧ l]v7lՖl* =; 'Vߕ;~; y(7^7#474R͚(s@ܓVhZ_ ~Dc7' sF1AJu1Łm*=Q1;TLE7v4ZX&sݷS/~6W- SU_ O~dH\|@`kcfc)tR ާ ~~*(KcQ>;@CFanhs/*fT `7j\qv114MO&?Hz6)N<7Q[y#vcB]I3C ''&e`ڃwƮ;ouGNs 8y$;2;Osdbl;M!L @@)(a4)5Fz$y )Kk0jȶgii&];L٩*f `u>Uwl8)t OJzWچɻxutJV Ɏ^xrUR7{ 3dA6O HUMHwlg&Gj$0#h^Kҗ.m}X/ԘĴǟx=D 0K"i{m }^'y]Gr,8_s<b& ̞pK?$nz0͋ R* k9+dǢ8~ͽF'cnhII>;mp~d E͏[¼@4C};ج7o' jLJg< $>4`2V'ɥ!CSn*q$ʋ[|d Ȅs0)m }_ -ߕ_cKmKa3EEv$r?* ,8RQ*kT~7",sg$*{ʃI8ҟ mg0{Kn.AQ=OK3Y9C(sn&@'*1uJX>ܹ c`§z/>Kѵne׿u>iOJ]x.~4IQ u`0@"HY0"&=gd+phk#H$MJHXTh y  duOM<̚\ډ!bI^21ҡ8<D4cv~lޅuiu(~-@kYia>s,!lKual 2)N5J.v-t弾@D5F0(OO0=D#LRyيLJL?A.%wZ pa\8TXϙEek#c륂[ `2CW8RluX/+.)i}ùW a|戰IWF-MG ^n.^` % \7dfe 0$-8Y渻ׁgKB mxOmv"qcaaYIETxk0xOvVLZDc"iEOs2=9|U|K ,09vǵ*"ȓ$SS$gQ8i7@M"pL4K' rZr4pk8|x2SՂ%"$LIE49Ql",Q( N#Q@{Nz4/1aFHbgo`z oi/!MJo oOn~O{M30\<dEC6@ R]W*Ogs`t:faYrI$sR,g5ZFظYMlS::ΐp"6gw#'`_ .BA=jA,ۊ$NJE80il)i}#aDĉC|B 2,\: $Dǁya6(I $рT@M#>s +].> ͽRߚxZIQ!c&0G>v}wOA}x;7Nhmo{y[@+&GcT^oaL& Ԣ@Lg"4yTcOIV@Ʉ#A~0}*5՚?;0a6FM쒌H'$ =O8Cp{9#EB SrN h1lҪFNHjJm}|EYvpݭ0(Mf^4-sɱyy4$$S3uHG{&ܚ3MhG !t~aMc++zt{ϠvCO>=ؽjO9y['|2qn*pM]3IfƫO$1%"1F~:XhAM-- Bb; SO7uh/Md)i}C!`|o c&’a>˶O s`|e-G}`F!)wgJ>6$ )6Dh"^yL>cƍ'꯶Wˑ-];}woiG3^4ּ6h#tkRaQ-٨fcb&8M400J@=bT|l2=镹NI ${!xd-bI:2BH 2:5Ѐb~&$|~ҿ ˜;*K@€@}L HzaDt7Z8R7`֕[_!5Ϡm ,Cq$y:9h')kRo~-$d}7ހ'q9_[\pzl'O= lvOꞦcsp3WMg+WdZ_J‘ť41 p 3xsӶbsO0pH2,tbJ#${̤  KK([LJ̎`L@9it0LU B9x4j90HQSe;0L,@1.*ز/y&@Rt1}Zһ1eؼJվ iY6rqMtI"T20r,h.;tUttҠ&Ճh2[ 2/z6'^p$rпVI(rOj4K(:BW/}*}#!Zuxݛ}Lf )$.#S 
9#'S3i9|T[ORpxy'&S@ >ABC8ЁlӈSTם/ҞT4Y8 SFZ9O,?!};'ٓ /;/V ةWp}_0 BLV:;gkv`N %K/w {I ׍E;hI7aBxH:IJx-?^5zY;NڡǷO0 f?A#8Iw0瘝Z3$"CyZLJ+zf@Z\KPh \LEN4IID :ǘ}@Kki L* RxZ|a~D3LKz[8= 1~d 8g>3y<%̞ٽϒ!Xs7C,RlҮ41Lj3AŖatR1QZ}|?h\NI *FMO" B ݑडYwNgx&K-9S@1qLOBːIΤ^?+qMBh%f78\(3/~1Tsbm4Z=A@ɤDǸ,6`Hg$.]H8~_kEct^G;K.|SR?ZI}`Ikʦ,0ܹ\ڗhU3g<'`՟mbl0{ǓxL-LF3[<'P =sxgۦlJů9 K* #&Dg }/R\8&ڼ$4ڋL&69^iJ]c0}d;0 1M6>Hczg`g='b%ɨ0"-"C64 cp;Lx9LDvblja6?!9FpE',I}y(OSO9nB:N'i~N@ڊƧxPٟ$#B]AeR "Ac3RI#L5`﯅ ^seOI'1d$m${ETyϟ}HbsqL'#s PŨن|cn L.($i.i53]@ 90NAt0$F4e)ro]HL=Հ#7=5Nq2 ӵ񿭼zڂu׭YXgy_CF=V:HZ{Oz'cS*]I}#|; aS  3 <#NRv܏󁒣47Z@5wDw:dg 1\r'0k77?y>w?” =!;ji`nw03H(?' I]g%ZJynH}L{kzR_4R_Ƥ4h҄h+d_=_7 ,絨I'bK{+D 0,2FPT-A^}!@ c;Z$9[ ʿ Ǔg}϶|/83>SIELgF g`6$-b6 4̐HLg=N]=cx670)Fv/Z=:"Ӧ=NC$?!Dpyl~[yiv̓2H:-\J˜A@gNLzx sxcDLRbt)&!1%@΅=8܃{Iwb,s=nW8%-*d}%$"fnjJ+opis@M&;݄;ɄyhmiZ97;dzNMa2ogͮfaIRNKM`Vs0k7gY_ E9kF`<utB[_Pt6),=p`XG1@ܹTЛϳMo^W ?+F-IjA٫H 07揊+H1$&K`'0ka΀ &<(EvI.xX{q=0 < @ݎ@hS!D_6]5jc'0'W{]=tBW%<Ѝ秹es) 󺱓Ҿ*Qx%dg7O,aI#HaNtϭ' {X,4'u*|)ےa~(`,q4Hw v S9?u+鸩eYEψO#H;v?yj 8V)ݦb*sd"%@g0Nc/6g5Fs]ͻLG?r9qa@[~Pfg{ Y#`G ЦO zqfbJ5lͶJvV[-s`HQp>4~#PvqN cJ+s}"D>}bky3ħE@G#HprTWKc 4O{/0^@‹ ̷$.< ntdUZNkؗ-D0$@S lS_@Za9$&ȺL[ FgVw2+m j^[:(-,W; g\Ax?]?$:br/u#h{cHV?Υn"L31ΠF :$ie>ٍ$q%A 㧵8Vc87-$!h3cTl%VP1\k&>I:ҺKOXdV}yߏ$|vs!YG ږL5Nd@Z[K- A?p߄; /1kgvL? FЩ{t;KU TR꓈&=DT9=t5@C#{3K韭èw#b9oh} $0{2h ~'/#>b%Cϳy#UkgY4Cr"&轔"9 w^ &;yI,Q?`f)P.Cz^w$69k}0Ebqz8y0:IIO>I6L}O;dm{>@귺I%e?GscDZ0)s6zƴsmacsW|CZ=RyiOѨCR{v}ck`2|x_ҌE@Z<&TiҒ,AXDd)ݴJd&֏!a114ϩqȨNqblsabGv"GǔYJ;)qNv2z i g"bEL8cj~!LI",qI1L~Rޤc4L #0)m0 Eŗjdiү/yq^&g>eɫw? s?'4ΞXW@v6]Pv5tJBFyV̭g?3]K9b>I@2QZٕ= tb7gB+i;x"Y1)˩XPsOPX̚JhB&nLŴ`j@@bcxy }!(΄z3,r/=]$I% `HySߎL0K? 7)B\MRgJz{ Q8C\08lS&fM3HlcܷH#ݢtUUs%|EhonWҳ @Վ@v,;kFfs)b]灹 @!&Mn@޵9DFKHRNэC*D#^G"[#(D "'m1q1y\bZ,]f@y4{4[Y ydwK"= @BS' R:hJ$s a`tkgnL$VI4gDR܂H{c|Gff"D"g‰*O bJ*BtAEnjD+{ 1ŗh=LK@ 0rQifkc OqJ\۬']8vq"a*"{Ax>0 I=? 
>9T  Edgfv;F0d!N-, I\ tP r3RaĤ>%ˣhcY[b=1{v?]g2U2FzUGZɋzi@ ~Gɞ@ h~ߵڤD7~eM@iRM.PYi_ `JRR+ a4R%3&Q}ZZs; 1g̲0#JF_2J~5-p !]GXՀ%e~`$ !eyI<$Hfl`L*&&a6 Nٶ$z;~+Ga 5鱖}t%1 THXf:=yToGZc~Ig00% @sę=g hn5n-0!8 y3DY8W0zYuR?1mQf!sϏh`JR[c*~ :  9i}n`:/0=ڳv Ǿ 7{m F@@S׵gJ?V{FʘHsשMwn5h6Aq>[΂w!pFRX 53hʇ@,>Aڏ`#I4 'ՔBٙ(dƠ. pi?Mw^|Oзٓc@`>D$-IH 9=Ot Z NE4NN7 t n]<'qB~OıԞdGi _~!H_H@7u)1A0gɦFO3P0l~A2R i)3@xHo‚$0@ i ma4LVxBigȞ"# ' 7͕)i~!^n% uI@-Nc4`|4?=I&T9Rz;ت.ۜ&>og`n0]k}J+Q]^3Z'*B̟I I5)oWM9NpK2@BJ/&Y0\Bl107a`V%#_P(@6͘~zGq_i+捚L9EGfW[58#Fu4hbw5?E(-~ۼZc~#YY|׍Cu)BXq:nބ&"  tIIp$1f.GLK;{G#H>BR;1!i01h (a-Y|Ƽ$h0?]y5` 4 8$H@X0%牎$XW^xwY$ė5k "qj2),njsaz?6ИhuKށJVhȮ& DD]p[d#!s$VMiTi>cbTEOaL6/GO3 3S Rؒp iCՅz ]ͩ/L][vn;]$fHͧ>GA8'@YHpiɹ-:yR' KQ>=nCNDfo(3dK$_1d.@#a1^T9L10/&98]@`~ ʧhy;;z3L d9Om>MۤTOdtNl.1eW`꾵L(Zq"$1xƽru[q$rD&#bNDM[eMJI?b^fN2&D;)eD!{6i.mԄ} 88 P$8LH%!5K ږ0¤$"5[h15;#Xhad3c0)C1mSi$IݛOY0z!`tsw{&*8HiQn#xөT`~cԴ%ۍ 4=8Pi>& &'m󗩭FVn*guZ-I{bnQJ~9S"L&i)dM" ӧS,#IANh?`:0?iV 4Is"x䡶۷nO#޺G^ 5MA-JR TL9&ç( c֤w~Ҫ9P1eQ׏1 6 L!V C~-"ЈH{{@$im&c. @n:T=:Q6W_-?s[/9#׏yhf tE/IZDPUx+[*CD$S~OO~Ӱ HH@b э`6u^ ]4\\Ɩ X搹i}=xީ}5^/=_O߿{WmVzjȎG(ѤS˼LD/tVLd;ud'!L1!!qf M7kM\U$m{wwg[ۨo[vI0&i` @~1<^SL( \' Amtn c],]K@w-CraL AiJ ("($+;q!lS7^.怮@Trm6gC'U#x۳an#x@ =NM7P|JV}{NNr|N+Pѧ9ĀO I{c&v˝af>zTtsb=8l ͢sh5ƻNG4P˷\ pѶ}#ڦׯ6yնU+u/_u"m!-x+= 5t)m s2y&FCc0>fNV`Rr}5L:dMbB>D9}Ps9#IsuDLK޹żݛbN`\Ód*Y7@.VkfPig ȫ@paՙH~̞uOOG {DI*{zdb͔ R .r*V+zO|8I7SnS> Q:=c"8@h3omwȶ>]Qnmg~vvziZ/\;myjmI wENzk7il\j%$(рt\iG04抴DL83Ɦx1 Hldw X/ ]}N:ϳZص'%HDF\+l#_"VcTԠ8wbԿS o֊9@BzglL=ý'sPJ?8kӎs0%`kjSۍћC@ڽc:*)aN-OEKJnrqy=1YP)v&oMk3ߘ/_K5۸G}_}zd;m]]ݳݮmzmvxm /?.}|I-l`*>bxL_ԝ8s:MMBrqfw u!D= R Dn68/^{--ui4:%'%8b;~uSo5"*14 F4)`l ;9LEj[Sg 6Oʳ(bۇɣd6ڀfN^>m1aHBG3ZR4{A/j^@>JBl[$q$q ~8{iAO|HqA̷yA/jݺK5w/vz|Ͷk{kTk[3i_ڷ ?mMRoSэi'`L m@!$U$gl3H'3!}z &@ju ~7`Kp$MBu0wTnN9K`FmrFvmo࠶Cڨi#n\=.Ojdvoncٲ=ۙ>m{jm޽E;۵\b@[ع_*44tS(# 3I$,iU1Z&NkRSO?) 
ږދ(x/ J#A\A@$ Ɍ'7Əؽ@=#ڀFb:/!}hR?v>Ť~-H"LO=9Ipݴ Py(恹-BaBf$4's5S[si Rz ncW@6gpo]OKP{kA)؇W6:wH[y;oG~nvh|vاwn{Ն46@0|)$ΟH:vr/sƟ4Ir]‹?f]g&#i7@ۜ9n߾B;Ǵ~6vݎmJӻ[%*'F]Tmϧ6l#] _x?W9LB*0B¥vjd8٨VT*}bJ͙F̙};)?)iC6e8{y!'qקܘ|blt;0m L"39z袋69=i#L\/QHR|o&{ӱs'oGBZ0 @"$RN$;&3%|JXI &o yqVFLcfBg_xVܑm{WmmOT֯v?жpڢOsZ/s{@~m˄qًBjLMFi0 '&ÔFvʦt}L4 & /p>{6d6bAQmm6oz_vŤ/oxa,"Ah d7Ĥ>bD 鿏I+bޘ(jjj!>NR &B`hټPaqZͼij8 584J0@a"$ċ<~ kN*.bM3"P^x==φ53?h9h3 {`$ݓ{"NdF;Y CE ^P{m_z/V;o%WWcۙ|`ۡ޶b}\joYgƉ /6r`[dk/DJ}z?ɖ"D[49@6{_ vdݦoٟ'۹^ u[cN"[v~ Zm}b&h[0z!|C d8՜J<4ÍDTq;@гrFvw"2@_I{Fh#wLC]00l@@sz,{5MBjczZ |Cs`L6?αF~Ͻa8#@ҵ8)撹!韮0iF(EQ ;I ~}zߗݿd(pmϓvn럷|[E*D[ƅzN>4 z6yn^χ'F\l; {uߺ\y%oK3G୫nZ<;k+8Oxm.i^؆^Hvm[Wiۿ}DymqAX 9w6ҥz/V6`ʃ#ڄ60ɉJ ~8R NZnt} a@X2ԋkT 'WNwwlſ/,sw{_tvF_]}R |,I`> vu@Tc[i(zmK?>GBJL0Cүuc$Z!%4NH&L \]~ #mcrhHH4~ yb$ qu S|e0[/=}ow'Kbj]kE?@uY03Ezm'ֆ_d|mVnc߸ۺ7,h#wo|OWyw{zL;䅽 Fnv{bK6jm+!.ІD[EXxG TXDW-NF A21&K.$(=?~;q^r^{$S7̙s~ݷO /8X㡷O%@ =cH#SDĦ# 6`.CGN͡KKcEO>;$ySO@.F r'x pKwl?s`jI #'B,;9YHL1IYٕ?qQ 8̵{ŴI:t Pw\oi\$+6y`tKr1C0~b&A8&4̉8&BP6)f ˼& 49Jz>+}$ TL H?llmƶ``IRːl@ I\l6(&KԁMR:];8Yz&K<5)@hDG{?ߺњdizޢm+xwj|ds,َ.mo[\J5ښr|m[M뽭oY 8_[z3 3` YWY9H&qq Zs$)!Y'P(*K& =oOJxGz VϞ p1KٱQtk @OG]7s$4"$4NJD$ޘlI@prqzQ]/`>CG Z=x..F"HГc#L$-4 ٓ LH"'ߗl0_H}$08 ScOL$RHKOWg^N;m^QEZeormYmtcIJ޻vh'3nvwxۭҁw{`dJl`[ڀ}oO1jB7-drA^ct 9QPz?_|?{_6X|{R@…WXfނ7ges^$lD]Ex'DC%~h35+9FUFpڱP)+Wyi2SI")@@0t*ݛ>OP,N;?~&L_bbM.;Iʆ-KpyJh:> noRc/DEK@}V)M%br˓ ɓo>\?&Ez TE9Fڛ[j#\`tU \aLj0I) ^| .`T.첽эg 2 D| @xFsۓ)"(c4̟'w29ƘJIfhkG*?lz'WoUykꊾ ._S)|ҁ_*wlٶΥKlo_ӛ)gU-AsH@!D!rDMqE0[iH^~] @&R\c:OI G (e@$3esVh ] +]!Bf\C:h~3y| x=@[0ZyH&4hPȻib퓉܃s{}̢!ۓGOP?EG/h-NǴ0 s^Rp4jFj9/znUXik_t[yph;M*xwhGK~ҁoF\d[턹:,]뵽\sn;U-رmsǐ6ϱQq^=T폑>SO?IDVgdI ĩ<8bA1Hlړ̀ߒ|и/pXc9 vd:btr/>ppϾC=&}0'bEgzLJX^2csX{>8״ĜϑY.Ra*7F2(ҍzm0ÀOG 3Dl3v0iPBP[hNDiFrwqF3O&}4¬[΄O?.9kL>91WrI%\x?TbXmtӀkVip_9c6Гj[\Zm˶ (?)+ ,zM|3?#7a(N5(-[n_Z/{kJ J@$RR{wte!3!iPaT^/`dG`<ƽ8=9@%-cQ9Gu$`:pxn@B '-.Ӳ+|I(N4f Z3 ^3?GO4$/uVٕ:%0uKvmЈ.肶\|UQ}?M{Eߺ-%Mv/NnKXqس^Sk%ڒ{6qXۡj 6|`Ԙ ߖk nE"CWG[&Dd1Ry,@Gp}M @">Cۀ'601h7Td6`Jx0}UdnhD0~ҁ#6O!P0XR9v~J  
L40 \@]?HvISSA%]| !ցz(} q8V6FhaɽH.;f> qz6ovQ1zwv|\8_۩T3{`ꁿ軽Ts7}gk꜋礶敋M_Jž~]O[>%.}H%@˴UzLՇ+{͠'6Z@] j䴁Ii٦\h6 AHecS1b@<+G LjJ8/y-6h"axœ (@*H`RIC0V]%sNFd0q:MBӋеdDH,ui‚WIh}eEY}HT Lsine| Ǘ]!@]x޶{rvhܽ\[+JaU=ڕۿbh>0]ߖ޳*֭UP|av֎ҸvLI]߷Ay ܹC6lG}avNA1Q#4T>-n6yP}Պ_r#P@P6qX ?.dFc|Zχt}q8ښ609'`G s}~!>CldDCF@Is-pfBHT$P3{8S?p1LCi/E`Bj6@.Lf?@ HZ' 3~7} MB79 FWy->3ǼJ?쿀i! ]Uk4dYZs<umVnܺH%w,ƾovvhgn,_>{Z[ ~Iu._/m̍CO+}ӛ.6aɶoi/}KcJ#ظ¶퀏nQZ@u?8eۚ,ԆXUK/%uՎZS_}e`ygOHh"WZP2LRRBɄ"i$kL܈ vP.5%m`bHk$ݫ|' L?];#07أ@ )IJswh/&L3=3fN=&cҘQERN~. !A}ہ- ♛4B?\g M$!5s:}%r&j]RJYVO/]mvy9O_-Uگ-uL1?m;۴m*K/3aw6(ؼTxE=#.Y_W:г ?hWc f`'jo[ km{7n[>0}/N:muװ؆ojϠ(y!KT`@}&6;"gSxvv601$w'Ȧ%70X D`"TC?>|r ݤ4dRiDT*P ؄XYo8yMVФ(kh4_ObSB 0 0G'cB%so1:'#s6hɧwW.<YWמw^%9;]s*ov7KTF!mwnG|nvk?a_mV9^Btb!}\ \{a>[uۖoe'ݟ݆T1eS&~O^-Y ̀Oل,~IDTJtGtM XǤj&Zl9-]n& @~G 4>LԫKpK3w;s{?B~sO;0J$"v|$} D0 Ribmde,'sb=ۦpՆ>grO[gw\pEwxm%˗j_ۇqUǿsmqܧwi{>NB;[Kr\6hkT3F_jz"Ko p*Z]%߯O_;oiY|\ʱT9qTd`{l|JW!D픀"tz 1A( w⹞EHN@1+ lks9g601R93 Y_ L,`P)ʞI W|$;!#3ט 4q$\ ƈ3vgB* 0+rv}5ݖ`GLw<94H3OP=9LD"hوNfc28Ȍ&a3v CRUݭ~m V|mm{?n;(76fC_m׸ m|{\;髵eҥ/wIgo*5ڑߦqd;=ش: iV~'vyhT;vi~n;7)ў& ]oWmh&@i ur峹0/9#V&>鄣{q &AVXa^@_f/A >a88∆109fЂ"nvJ9ACȶV =XӺ$)F<@d-b@z 0)d C>ch=`Rdmn%4#=̞F=I(H)NTMh9?۝#[ :r=#aUi^mrrU_K-`l1tOk_y{qvocYmGy*JV82oo[ڎ/Cھݲ3pHMxP靣:` 8չmtN(LE0iR H[4!]ÈaHءK-G40DХOIc uёOko1> G~!5'^:b~}Ir0O4p#ZgOҍY' -{TӴ| dM2 ,{ٽ8GZtK>ޓ{]O}:`Vs85\pCj?ϖ1vM7 '$UoCO>~kCC^=jڇ-=~`[Z~{ZmO.nדQDsEw)%JGڱ^mxƱ/Zfk]^>k;+Zpv7imlQ7ֆd[bՖ=`ϷrW^ P0Wd .&/RܒXwL=fS Aч/T{O P03O+p $4&4HHt.I}Te@h.0p&5ӓ3}h^{=ēۻ{oc}ζVI u<{^(PFna2]c Rd1m2T4)$|P %{0bVR p_%JW(Tj|k 89 `If#K CXc ]}ySEl>#=TQJӔCʝ1 V'rr;C^Zmږ{}jUnѳUFdyjKmov'*.TW;k{r׭a.:o[fڰj_-YrȶEoC^̇*G-ؖAV?aъ,:g6eU>_1/?y%}K8d%i"d]T0B7@z=0&$11[ZaD{<$؅Tua-#սI;|=֓qĖ HaQZRZa0N#p_sċK$=#7"L<#QiGSB${NhH=L h|8"H}c 9X+fk$'ҍ=Ct[[rڧpAPA3٠9vV?|?:dK-wW: _޵zm׷6¿ mm[e+`¸yVsxk랸x}m+aԆHEoH[P[r{ť6Wxjg:ybAض#&KZpe b/ %'@H0 I1 巺mҷ.(wAM:Z!0=N2i6^~ݰf=s}KM44 }"?6*s]NK4%10 .7IYW̜f!$stLLh3z;7R=>۪A\$WP005m|u# '|7R!TiVkĬ#5Q?̥'\--m:r߭]RȈ;FTkm*co\A=Q*;J?uTx!!Ku_e~1޶*޾ |i}n[5H[qj,V>l/6s|tegH;^_#IOs$$c,iQdan 
?y]Hn' 0%P HbLhċ$>|*IRve:6^p{gcF:es <("s̞fTWR럆486)^A|I/7qry )ܓcZc\+aـ6=]'%bR#EÔ6\S9i X]ɟ׉*XDG{ o(R 0`|>Q'dU'̻[Zr9|آ~mW8Î* < _|8j6eʇ_a~m#Q[ 뾺IР~7.<\q]EK{i M0BgR?]ip|?]l>|?[[#M:%=z )I96`f>;71hJĠQ`BA,# @Nb=?8|?yu t̑Whێ?Vǽgs6+4߯vYyܜ6/6MJAR_P (D NA|%n@?Y bcjA&emƈc[a30w- /~ ?pJÁR~-~tfSgx6|5>q@j$?/tZ?f8R Ϻp`B}L1%1t ƣH vZPG`~y|(`vRni 0hwxp.%vZRa"q$ s ? 7h›&Ŵt`m쾻/ڸm*mݧ+{uYnŶU.׎;"Fd$ĘD 08 a~As+a`duOc@!@ 6ó7 s 8h~W+bҞt+zlkQlQkQcE֜嶛,R*|?Xn9?V qfICk`k$;F>>~kWGoRDhP$ BqNO6Lu "]G`rF&~}d?VR44> 89>#5=Q1*PHVN@q}!c'm$E{wvZ˵նwsm?j_mDՕ]V6ZM i]~XO).fD'h ߐn,t?IX#Ya.'0[%g @IE`pIL‘~YJ?Xo80D6pjh#&6|4s~/ޜWϻǗ H-.rm%1#f<^Ej,T#O?mℿC$$F M/y ̭n$ ;Bݲ+6@ ]?Lh nL? VcII?m>̎pSLHJNfk "(|s)F~b!b C*G'R0ZB⚕zx%7mUi{~zD;KUn-vh%&=6}b@{; =p;b| R! K.{z ,äКpD\<ǾP bHcsc6#Y1`V@@r4*=u,$:S7]J3G}m}ѕBY+' c @b|JBP ZFK$ [ I OJ3$% ;PӞOolpSpcj3cl'ޏ>e| 9&7-m7>`jͽ9O zœ:n2cvߦ'X-QRv;_ƶ?n]sK1O,Vi6vYmJm+E81SR]qOJۮ +vH*q_ @\7~=wi+[cXI1~Wd`Ħ X[ՠcz ~}%bj̍3>)IE4 \Civ"sN/.θZSlLFxοQ2H~Oғ`qX%ԇ1||B};tO9( DU?[a\ЬGw@:bp4NQmhm:>th<;-^h~X \>=Amm>6mնy<4mٺ=`ӜTxXk3M: t޶ɃEI} veMOaj "ѻu0`LA\UQI'̒SkK@@*4ܮo`P߁ǜj]fW@:(RAP$IHα&}M)v5)Z83 n4 >DqEH{/}H{LOd3@x &>I6q}=`$& tɹq朦 GcNҘB~QjMj]0w+VMkCqm܋hKv6kԶx.6gC^n1&}vٽ3;um[oYmXq_T;\4]t=xǶ~% @}*Ā.w RWIV   Qy1>cN-Ooj:jL$AHz "--e=Csr(s1mǵMߨ4d`[uڪx+c{z#Tj$mgmqxmj=S+,ن9ۈ{k\O,׶rh;u\zӆ;ip\;gض>8 UF=jMn'6n|϶n댻KWwm*Eځ zPe\;`=MDb']ɹ}T7^='7au#'"}0Gjw@4ddL.MD/v ?c)[{gz;L"@?E=;=[d@*?r*^I5Z@ 0vbնeՀrqmn~xmY{l>x}K߿tua_߲kYW^r>RIuVn6e6OUgVm?T>ݰ6v|vhybmh[Oֻ}JmOjWu9_M/WvwV9l˳/T=k[N;szO2QQGcg_ʇ/I3a|69)MZz߲Tז_ l;-!k2RyXld R=h@ 4: &5 F~>ώ?]HGبH\8/9;[xcb$z3oq!]N=4H~ŶFg6}|Ŷ'#͗k|/}nD;vwn}{vk>SۊU5W;s ^{T̿lڟ޽f|f[iݲlyҵ=uUvU;Lm{U۬XCQݩ ;uEfk5O\ 9j^3M}[Vov=a}6ia^B5%x\mBm|[ubW˂oK]j1ܑ!!(@Kn3ݮ92!Hy;m14O\bGG$~HHdanwlASSt<Ȟs4`wi7-̗}#'JҺ7i7F9B\wFR[7 hcZm{Wh[}tVinͶo;?`z@䟭m?r祑ض|`mcu>_ӯum.O m#XއԴl{T_|*:kk@[TeWi~|l;c\&|nv{6nZ#^U{W#̓fzźZOE߮+{vdZH7qǯ'wjm*J10'n˰vÃHLm` d80x? iDtMRO$~z;N){N]pF?PʎXmϯv}{꽥~?Wl]Qm܇_ܨwBmv}oچ.Ѷ;jܺ|;[e\;c%&7ֽ? 
9{acv{v7i;߿qoӿhU?s;67Q~ڧ-ol> ;~6_>_wjJ Qդ $wZTz?M[jy{KYϓ>ta5@7Dt] 3U9@H/a矘'흛3g˶LTA |vi4Iw<8dM{bۑ7-NmӶsH ϽP}>?=>v iRmc?v;[۶S[URmGlo#[oҮݧ۾նzgF7S]m)06(UaսvLȰyZ'.Z=F ;kr-6dH1m)Kf׭ڶ46jG|xӛ)7UY~Jc~`'=R"g?yϔ#rL'cQ8 ˗r0յʞɲ;?8{]} }`@k#aKk~#P^1ڎom.#ڝj}^^m|I,cۅ?>5&Um@z;u3C۵? mMsmYmu{mNyR,~h6`۱Ta5ޟ_^̿m|tmg6چ-vwǵmvwjWv9TzyuoB S̝R ӭOs6m)-ͧwS՚?ѿ xVl|h`˵?b1z0^]h>4mQ ek盽wS'ok=Xoonl"ܶm'W-[iۼsnJڸ-1DҶm!jF7i?5P oˏf֩>zcnkt^no_UlzBm K-3=E;אK՟'R&'RHy䀘 51t<\:-{lѶjg*6kѶp5:5֯mw4)X5ێVln_e]6zm5U.rmU A}~v7g[?ȶTl;mVic[mXy|vOj] ܵ;u! Wj+Tp;i&>%?ϾS:=|sb#0DGl<[ؘ} @BX_-ȶV |dB4yBIL_A8/^|pQy/g -JH ,aoRkuvb~LeaÇ#mjյD膥*6gXC,7vζU˴9mm\amyl6y{jm:=Ymp9$!,ݶ{6jrݿ\l䘶C˷N-ю6߾Z]ZڪjI %|Kmy˵ .X:cDP[^]l* Xa~_iÏXW0m5z井mX~oԶTjM)LWݛ9_{ecGT*pW|g}b&>t&=M&iGZGtQ +com:=/󇳏#МpN+ı7jmE+TkkTC^mVxm q^߶iP[p9Zn+fU>Ckг K=^ٶxߠ6^~rI|mKik5o˶ݪgsA\Rm}?AU) [D[?-iKV۪]NAm鿵wֽ ^v|m~*pas2F=eN,v}xLud nn6N;|ӾkHo뿥bwT 7 a&G데A4lf~{ᗗm]I5>Y;[p+Qۼ` -m7/X߫o?qWom ݷL;;ZrT߁m-tm5熳-[غm~~*ެ ;iѶ^^kbKUэ#>c;} RYGY8ƶ$ =+E\o>2~Sdxkfvz|0#@0Y ژ?CWa&^ m7rxcMXz'օěs3@ac>5y~3eb>{@ަHG1cH}<ˎb 4L ?5~Џ/BI:Yɸ߾Nbo8H|{,5/P-XnA˩tL?+Gaj5ۙ ~6ъl ^R܍!EڼPzIW 4b ոL(af<%]LSW-3]=U@3_$ A(;YOO_/ _'*Pv8;p`&f]3v'GZpr@%4o]=`&~ZW T_QY"MDRt\*łWaS}WboG7d]$5 ~ʚ4 li٭w.SN`ӵXd QIuc68&FCCo;j\ÄcT;r~ށZ=Ɵϣ+<{~g:V҂3o_C,g30t̲/'<}0!& A4(Dž\F, ƣJO*Ƃɧ3-^//" Y2wrP-APb N:bX*dp5Å "/Vw%P,xPt ^Kf UmL4A ]A_Tg/cW*j+^4R Q1 uxOu5jjz?gݮ8#À|2h@ypu0qz),X}_ywv3OtMHLšQc|^}cJ|v=;HiF++ģt"I G`_DY-rFqVc:y-'I+&ۯC_ESnqΎ@HE4|t+~y9ygJ8 &%=O`?O FwNEzi <R$!Q.!֟=K(݁똸[ ®5fiw832"kie±ۍ軧 HםP Cnvt︇E~+͑|uF0B}SWfK6q(3 ߳kщ4f֞]4zox1(a8'}U8*v$zY['8K@HBɖXzH =.nRʴrWTRzOF$%e<_\ D+|\#W A@ 0L55|)EKz5m2v&`!51ja1qǁ8hfw]O9oc=9<ϑtL3 GOM*8[~S4ZLs}=?_hB(8c8~ل| VdQkƩ2/PkqO2ybo2B?.!7/ @t{ y ~{`)6%XaV|2SFl5e̶s g:d@.K.K+(̀P5 2C= H|xߐ#ƞ0T j5@рr վ,EU/,= f;PH"9He|_uV2V/DOXb}8r 7f0G8;v% s,(aн@RN97ĝkB3pRG|Tဏ?8lFR/}i|DdE.<DuX@l'BY=rOui̗xc<?@d'Kɖf ApN+mZm`SgB/ J%@Nw1uݱB"E@.uIOGR\1FtA 9XN{[QFt+þ-­>–gs)$f+ Ѽ+}yh9Ǽ'&a#HW̳&2rp^N D86'-hg7"FQ+013@Lt=R6zI,Uک MA߹ + hL;Hzk3ف SSS$U2`F{ؾ`EO hdG{f 9o*{'K3qQGF nRh#~65$Q(P3?J:t)d Qv+ɜf&& wñ?.8$1Nvy~}$BzΖccL r"o p=3UT]䇰 
Cq6C<; Gw-Ol +$@x=\1}oK~ؙWq%*9V9yM!]O+ڗˇg U( y}gNNλP۪X$jU +H74!+S1`#ihE4w?`G嵑t{fQVNqS&laNJ$ !@WTbImX䯧j2I6 ŷS+]f,؂<={uqq%p] `@@hڙ\AoT4 L$~)!L*sN+hs5~W_ FOyPN vGЃ[-o 6*z{-=ߎdNԭڗ!rqv^$ !vγ9 `^ G'"!B 2QR3s\,u)TbǬ55‘2y([J!Yܙ4&禑vՊOViiERs,g2/6krbQlgO2D/xz ѭopR/P6bnA@7Xܭ7_. ­' P#L3@JhO-@#:QZ= *(XУM?V&P V24( #7a/N |xRSw?gyf nZԶ9G1|΁d`wg2,k>O:܋'oY;X ja/oH0&3h roX-l}+̺{k2|¡edQ'D,e. GA0RﶳI2sʰGw?~a\=>߼uㅾjT-V} ggg?Lo-P>@ L7,im(P2ѵ`@5s\Y,}8,TLa +Ϯ-l !Nzo%{:B֓nG٪Xݩ[Y'So(')[0|] ݨ۟X=mRV2kyqAvNjg~B e=43=k $Ӈ_$& f"l8h\7DpA85|=KeiyDwWo@ b@B}aC111{9i(O+PP(`}poU2@@E9ω#c/X;{RP͒Xu1`Ii;SJq2VgnU1dVs] 4t(]軣 |L,wVQ?ݜ%;n,BFG(bh!LC!']}, F!j0U:R9#?ccX\sC:;x9O?v˂l0jWg\.n+++܀b0TJ+G tԹ5 [> F#PAkP$ .##PX`ġ)0р2#`G|e#&8 ɳx,L"MμN̓c{b L:n&"N1|%'F&gpW+VJ/BLٙhH^,ߛyw57v[6-Aɂx$5B̡M'ნTYe2#Υ[*0"9& U>% )LЗ5Į LK;JWR:is.\ &Ĺ\ֈN&y4%QR:0\m\%ߧ*@a(0;zʺ~À|ܘ#eL!`OQ < RX3ÿ&1$L@ oD$;?Mj" CLT,.nlA>"~KILLv/T4ҠQ˘]OncʃZ?t+7qNv /d]DW?jJpw)ڌƫ&%%?ug\X3}$dܕP6Ylةe,_eWf_y\,/X>*/#U¶:8:7jϢZuagp & I jE[8rcG_c9OUxTi}%b/^t ,Ba!| J<Rc"s~TSxV 륺7 ՗*@yy\]) .Pa'0p-y#hb'w /3GпѢ1 ֒8 [K4eJ:Λ]ֻ8ڽWl{3ߑ0^/_"Y-a~պE"%\:3㦠 s -,6ÊmXr Sp͸vM1VK~qV+kEr)i+ab7GL)?i]bm[#}!F7y1LS^\}-2rۃa?{V_٠rg&=RL`0R^ _߯F %J _ F rEAAjrUfTA6p9 -nTy@H=fk.o Oa?O\7 i|A 7x*gDwݹh/w/ј_"g%>y&A*s@̈́ |{bcco:mz_.ճlujuStB?'y#)PXyKF\ C4wzYeYY7XG5T==UH%ս.7s6w}W@&o"ϡϣRr<;|^}wz#5m KfÎUtiJ )dLd2(mJm>mBm.K.}$i< =_KA7K3lzc 7AamtP&2`ͧMͨMi6 MK)JuYwy6y6S-t}Nmx]__O`Oce$*z:OOkN}US] SK *1yt]>]Yz߅>gtgp5k|;]O6cDXS666Y@̦ƀ:z=W6F=ڰ]Oag13鳌6P ݀ǜ2z]1Ny_;>,kzme fI?\K^w߁q|D\7m+m/z@e6. 
|dcWW/ $tR~J=_wv\ ,7GY+>]_;pdFn;;3wPP:IENDB`(      #   !%),28=@BGJJIE@@;60*'# ,;Op" wE4" ,b}d@) %.>O\r)))///222555AAAFFFKKKLLLJJJLLLLLLKKKHHHAAA<<<:::111,,,$$$|fYUZm Eg's.::2; |GJh+ S/ kUVu) "  h>) !-CZ%%%{888HHHgggxxx耀~~~|||yyywwwsssppplllhhhccc___\\\WWWRRROOOJJJDDD???999111***5 \&n1h-%?(Av0 b!@ _e L_(F]-r8^-b, J3F K I[FZ_C5T.&=Y 888\\\www}}}yyyuuuqqqkkkgggccc^^^ZZZVVVQQQLLLHHHCCC<<<312)"&H(Y#@H ^)g+ ;s0 ]"e(N Y&f0x>Y+W+^/s;&?X+Q d(i*s.b$_#x/EJ Y- I)!7a<< !?|'''@@@TTTbbbnnn{{{}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKFFF>8<#N0|3)L&I `*w5%C > j'.?m6j;g:+O.O=]u=;I0{=d/a/O$>p/r1 <);s, ]h'#; Xl( X p52 w"""888FFFQQQ\\\hhhuuu}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGG?;>*C1~6?]Vs@Z|8,G =t1 Ic9.UuD1Z-U0U)L6Oo4c.r8]*m1$A9u10@e$Ue$4p+%:d"8P*  E---888BBBJJJUUU___iiiuuu}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGA@A756#j5.K2Q&DWf%=8 {<l?!{JKmRm!tF|Hq=v=-L|=%E j-p1/H!:,@k(NO Z Su/+Dm) c!' 6J///666===DDDLLLTTT^^^iiittt}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGBBB<6:$P0!>? u.!F,P!@k!#;/O8_T3>>5.3 K,=><_Ll/O=~3 h&,K3Tv3 q/B0W)L"B=9-L}3 A<w.:Is)b cf$t/}45x.& E333333444888===DDDKKKSSS]]]hhhsss~~~}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGCCC>>>504%?+/49V+Q-IB\#<7: A$@~;1S%JA= {2 ~3&L s+!@1R*A$8 Wy+7m'!8k)n*y02- 555333444888===DDDKKKSSS]]]gggsss}}}}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGCCC>>>434Y+8=V5RHj7U1L!<+M'O&LHm`6W}5 :!N>BF$C3T%Dz+:q#!=0q)7g&5g&Hb# >% m555333444888===DDDKKKSSS]]]gggrrr|||}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGCCC???535'X23O8S'CPq.Q?Z3"A@e2Z9='N"KJI>hDn5]&FIiKj5v(4:.H!9t.[n*g)!q3)<~.1 9222333444888===DDDKKKSSS\\\gggrrr|||}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGCCC@@@958(>.7KdMi6$I=Zz/;)N8`)Q>0>.Q9-6,O7TCYt r&n" u*v,1K7z296'u7,?6L#6 ^" `---444444888===DDDKKKSSS\\\fffqqq|||}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGCCC@@@<8;->0 64O"A 0"G9Yc0=6Z!HB<[;-2.1;L0OD]9M]h 3&F,My4k)#Dj+&g/Jt-;U(? ]+++444444888===CCCKKKSSS\\\fffppp|||~~~{{{vvvqqqmmmiiidddaaa^^^YYYVVVRRRPPPLLLIIIFFFBBB@@@=<=656*G15<?)J? 
_ b9,T1W7Y=^<- "-$>0KB G?f27Ok(s.u1m/*@6Hd` v+ d#***444444888===CCCKKKSSS\\\fffppp{{{wwwiiiZZZQQQIIIBBB:::777534082!j3&Y2)8-"D+y-u+O:)S-U+O:!=8V 3FC (&J*O3*K(E c u-6Fr,n+ c$e,'>=V>U2H2 N,,,P222555888===CCCKKKRRR\\\fffppp{{{lllXXXDDD9692+1.+.0(.,@1r4 r$5?9\3V B%F3_=DI,P ' /9T>Nz(d <1K W'o5 a&$x74F,C,G)C|1( K...!000444888===DDDKKKSSS\\\dddnnnzzzwwwqqqllliiiccc]]]___^^^\\\\\\[[[\\\[[[\\\]]]```bbbhhhrrr{{{qqq\\\GGG958635": H+N'K"F#DD?-I<\7`#Hz#E8^"6C[V>X7U7S1KY!t1":{2+C,Hj*" ***///444888>>>DDDKKKPPPYYYlllvvvnnnjjjiiiqqq{{{lllbbbXXXSSSIIIKKK~~~TTTSSScccpppsssqqqg^e<K>)N)L$GA?#F>`Hn3]$N63Y7[-XOEr1_Cc>_E<_Lo)R$J%L5aK*V(Oo3U h')=|5#@A`5R+I5fD\W[///V' ---v444888:::LLLsssnnnfffhhhhhhxxxlll\\\KKK878/-."f0:)F%J&O$K;@$Q"G,T0S=a!GAA3X1T51 8J`E[>[-M?\{2=hJxqvvvv```111 Y( ...H222555WWW~~~iiieeewwwtttjjjwww\Z\7H;M(W*=+M%K7X;`!NA1R5.R G+M$F9q/},)F*JJd:T><:s7dph|z|{{{yyy{{{=== \* //////TTTnnnaaaoooyyyuuuzzznnnUZV6B8+"$"*d8'A$<0X/W C>@C @,g:bygksHX$>#>R_^h/F32{Fr{t}}}{{{}}}pppCCCa+ :::zzziiibbbyyy|||wwwwvw{y{PMP:L>;WB9Y@d#NEB,GTiYVLSD?Ca]`M]rzuy}}}NNNe- "! IIIoooaaavvv}}}VVV6mB$F GA:1Igvj{}}}QQQzzzTSTb^aUUUk/ +> Vl T3# LLL~xxxeeeiiiuuu~~~|||&&&7?9NY0H*@Y|`|~~~TTTutt]]]^^^^^^$$$q3+Ab+ Z#q.S8' L./5>5*! 
WWWRlllccciiiuuu|||www...VTUzrxsrsy~ySSS}}}qqq]]]aaaddd###Ub8f)i/m4!?z8i(c T of1M8 v q L!fffYYYaaaiiiwww}}}ghhwww***PPPTTT~~~~~~|||vvvfffeee[UY@ k, B/N8T ?;Z&C&?7 M< e- =j, a$h$ V+ )FFFRRRgggwwwFJK222555+++000fff~~~SSS~~~~~~rrrlllRp[p7#J&Dt9)AA\WsQk:P,D 5p4$B{<)Ft0 g#4%9 @ DDDeeeyyyw|}mrsglnotu069__`||||||rrrjjjhhhdddccc```bbbmmm}}}mmm{{{}}}999GGGbbb^^^%%%<<zzzhhhTTTHHHFFFFFFRRRrrrzzz666DDD```ooo===\\\@@@RRR]]]|||MtY~6=>0G\z2:ZC`;T$8Zb2I=YXtXmy.5?U/A d@fff sss܁[[[VVVeee*,- )))5;>gggMMM<<<:::JJJooowww333DDDaaannn<<}}}___;;;---IIIuuu000CCCbbbooo<<<}}}bbbRRRuuu|..J7N<[;V0K```VVVXXX)))FFF}}}---DDDcccppp<<W 8p+ BBBPPP8:<&&&---222EFF4;>^^^tttFFF...ggg333FFFfffrrr<<^^^qqqbbb;;;@@@TTTiiittt;;;zzzlllwwwQ|[8N`DY?T2J95S;X(C8"=Zp%?2M0Kf&%@%A( RwwwBDE000;;;AAAEEEVVV4;>bbbooo\\\HHH>>>sss~~~uuuXe1=)FD_QhG`.N8T$A*B.F;T.I&CRm0L.K89GIJ;::EEEKKKLKKeff3:=___nnnlll///```ttt}}}T_,G/QCaq3O!@ >|3+B?VE\DY3N+LB_7Tp/&ORSAAAKKKNMNSRR4;=___qqqmmmDDDeeeBBB:::ZZZyyy\f">>Tcp7R972#E)K=]Vo9U)G)G'ET}\]]aaaz||6>@^^^pppkkkGGG```@@@MMM}}}@S5~-|32(=52M7U0LPa(D7;}1;st{{AGJuwx___rrrgggIIIxxxQQQIIIrrr~~~u~qyVm\$v: y&1;#>&='> ; n%z.60YjqqqiiieeeooolllbbbpppdddMMMhhhOOOeee{{{|w{{.I8W6%?B\&AKd?Uo*7%asssvvvzzzjjjZZZXXX]]]lll]]]sss``` OOOzzz```___~|~"86MRd;QAW!<$AB^/L9XoooJJJQQQtttnnnTTT888///JJJ___"""OOOOOOsssaaaooo 97"@3PSkH_>\-K9Ul*MgggCCCcccgggGGG444NNN}}}bbb,,,TTTxyyLLLuuurrriiiyyyEX+L0Rf|Uj%E>!> d$Q{{{FFFEEEnnnIII333YYY@@@ BBB???yyy|||{{{pppuuu:O%A]kOd)H7{/ /\UUUwwwzzz~~~|||wwwwwwvvv[[[;;;FFF:::+++222dddpuvwxxxxxz;4 z+HU6=& (=~~~}}}zzzwwwsssooolll```NNN]]]uuunnnOOO888OOO#$$!;>>eij}}}|||BS )(|||zzzyyysssooohhh^^^MMMUUUxxxtttJJJDDDlll%%% -01aegxxx~~~򧧧}}}|||wwwqqqggg]]]NNN]]]zzziiiLLL```zzz/0/,/0rrr{{{tttiii[[[LLL```}}}888899### 023xxx頠~~~pppwwwiii[[[KKK]]]@@@AAA,,,)))"""589 昘~~~wwwkkkhhh[[[eeepppuuukkk\\\KKK^^^}}}>>>KKK777333+++ :<= |||xxxuuujjjlllaaa``````xxxxxxlll[[[YYYjjj>>>RSS@@@<<<666+**?BCqqq tttْzzzsssZZZ^^^qqqvvv{{{jjjZZZIIIEEESSS{{{wwwQQQ444hhh??? 
fggHGGFFF@@@555EGHjjjВ```MMMggg~~~iiiDDD(((CCCtttfff$$$;;;wwwKKKnrrMLLNNNIII@??IKL~~~uvv rrrDDDZZZ~~~lllBBB&&&NNN\\\iiiZZZ===666fff```lllSSSLLLGGGNPQbaagjiUUUVVVlll{{{zzzaaaCCCUUUoooHHH,,,KKKyyy]]]:::|}}[[[psu999Y\\dijyyymmm{{{|||~~~}}}zzzxxxwwwaaaVVVpppfffrrraaaHHHaaaXXXXXX=@?FEE_cbtxw,./IMNv{|ooozzz}}}mmm{{{uuu}}}~~~zzzyyyvvvbbb[[[rrrccczzz\\\IIIxxxYXX-.-IHI_cbx|{ KOQ~~~ggg|||XYYxxx|||}}}yyy~~~yyyccc[[[ooobbbwwwbbbiii???`cb~034zzzfffwwwv||lqsgkmosu17:rrs|||tttjjjjjjdddbbb[[[ddd}}}yyy~~~{{{dddYYYqqq___zzz|||hhh\[\\_^$$$''' 7:;}}}mmm~wwwsssHLN)+-%%&3:=z{{zzzpppaaaPPPVVVUUU^^^nnn~~~xxxwww\\\SSSsssbbb{{{|||hhhxxxZZZ[^^0//111+++<>?{{{```zyyyqqqbbbiii*,- )))3:=xwxvvvqqq___PPP@@@GGGTTTvvvRRRJJJiiibbbvvv~~~zzz[ZZ[_^:::<<<555)))@CE}}}yyyv___DDDfff~~~/23 3334;>zz{}}}yyytttyyynnnMMM999222JJJyyyZZZ??@[[[vvv\\\rrr]\\W[ZDDDFFF@@@555EHI|||hhhzAAAKKK}}}367$$$'''<==4;>wxx{{{rrrlllsssuuuSSSnnnzzzAAA333///===^^^vvvKKKdddqqq!##^_^LLLJJJ@@?KMNmmmMMMlZZZ{{{8:<&&&---222EFF4:=yyzzzzvvvnnniiilllsssMMMllluuubbb///XXY;;;TTTjnm^^^LLLGGFPRSuuuWWWWfffwww=@A%%%111888;;;NOO4:=yzz|||sssllljjjgggiiipppHHHeeesssrrr&&&-..YZZrrr{{{adchiiswwVVVJddduuuBDE000;;;AAAEEEVVV4:=}}}{{{sssiiidddcccbbbpppHHHdddsssooo""" ===]^^vvv}}}!!!$&%osrVVV;dddvvvGIJ;::EEEKKKLKKeff4:=xxxnnnhhhcccbbbeeepppFFFccctttnnn %%%BCCcccvuvmmm===***XXX+eeeuuuORSAAAKKKNMNSRR'-0yzz~~~{{{tttfff```eeeoooEEEccctttmmm  `bbwyy```~~~XXXvvv\\\eeewww\^]aaa{||2:=GKNvvvllldddccccccaaa[[[]]]hhhttt|||FFFcccsssmmm  illkmn555999___}}}[[[fffxxxsssxxxovw(/3BHJvvvqqqbbbNNN???666:::BBBVVVsssKKKdddqqqhhh  iklkmm%&&999SSSjkk{||mmmqqq엗cccGGGLLLlll{DJL;BE=BEQVXxxx|||rrriii___TTTHHH888+++%%%:::ssskkk    iklkmm !!! 
"""+++AAAXXXppp{{{[[[;;;NNN}}}pppuuunnnhhhfffhhhmmmooogggWWW:::!!!>>>ddd"""222444(((  iklkmm """$$$%%%''''''***333GGH^^^uuussszzzfffJJJ000uuummm}}}tttlllffffffhhhlllrrrwww||||||iii:::### +++BBBJJJ<<>>AAABAABBBFFFOOO\\\kkkzzzvvv[[[{{{|||WWWpppnnniiiggghhhlllrrryyysss>>>,,,&&& """(((222GHH\^^ruuvxxaabhhhwwwkkkHHH---""")))---///000+++vxyxzz211;;;>>>AAACCCEEEGGGGGGHHHMMMVVVddedeexyy]]]zzz{{{vvvuuusssoooooopppoooooonnnnnngggHHHbbb```___^^^aaaffflllttt{{{QQQPPSeKLLgjj}xz{accMMM9::111***&%%&&&222MNNooo{{{qrrQQQ666''')))...+++vxyxzz211;;;>>>AAACCCEEEGGGIIIKKKMMMMMMIHHcccuuu\\\tttpppnnnuuunnnkkkjjjddddddaaa^^^\\\YYYVVVVVVWWWVVVUUUUUUVVVRRR777gggOOOPPPPPPQQQTTTYYYaaaiiipppwww||| @z}}PPP<<=333,++...111333444555666666555222///999QRRpppwwwZZZ===&&&qsuwyy100;;;>>>AAACCCEEEGGGIIIKKKMMMOOOKJJNNNXXXabbkklwwwXXXiii{{{wwwuuutttuuuvvvuuuooooootttttttttsssrrrooollliiieeeaaa\\\WWWSSSNNNIIIFFFCCC???222DDD===>>>@@@AAAFFFKKKPPPXXX```hhhooovvv{{{~~~|||\\\ ```BTTTNOOCCC@@@===?????????????????????>>>;;;777>==RRRmmm~~~qqq}0//444;;;@@@CCCEEEGGGIIIKKKMMMOOOKJJQPPXXXXXXZZZ]]]eefooozzzzOOO[[[uuussskkkiiilllttt|||zzzvvvqqqlllhhhbbb\\\WWWRRRLLLGGGCCC;;;888333111000222666???EEENNNUUU\\\dddmmmrrrvvvmmmmmm1WYYxVXXMNNJJJGGFGGGEEEDDDCCCGFGKKKNNOWXXcddmoo~~~jjjOOO???<<>>;;;888666333333333333333333111...111===FFFssss pppOkmmklleeeccccccddddddeeeeeeeeeeeedddccc```aaannn~~~_^^MLLWWWZZZ[[[]]]^^^___aaabbbcccdddbbb***m666GGGVVVaaammmyyy~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666444333333333333333333444555:::===DDDqq ;z||vwwooonnnlllmmmmmmmmmllllllkkkjjjiiijjjkkk{||jjj\\\TTTWWW\\\^^^___aaabbbcccdddbbb 
(((555@@@JJJUUUaaammmyyy~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333333444888BBBKKKOOOOOO0*u~~xxxwwwvvvxxx}~~sssbbbYYY[[[```bbbcccdddbbb)))222999@@@IIIUUUaaammmyyy~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333333444999CCCQQQ\\\ZZZRRR(gܤ~~~{{{{{z{{{yyyhhh^^^___bbbbbb'''h111444888@@@IIITTT```mmmyyy񰰰ﶶ跷ߥ~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333333444:::EEESSS```fff\\\UUU V⃃lllbbb---...333444888@@@IIISSS___lllzzz~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333333444;;;HHHVVVaaahhhfffTTTW HՋ)))V222333444888???HHHSSS___jjjino~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333333;;;===EEEXXXcccggghhhZZZ3zƒ𒒒㕗 ---333333444888???HHHSSS___jjj4;>DKMptu~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333,,,llliii[[[aaahhhhhhaaaUUU %q옚Қ~jA ///333333333888???HHHRRR^^^iii:AC?FH:BDGNPptu~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333,,,lllwwwggggggaaabbb ///333333333888???HHHRRR^^^iii9@BAHJAHJ?FH7?Afjk~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333---eeelll^^^bbb ///333333333888???GGGQQQ]]]hhh8?AAHJAHJAHJ>>;;;888666333333333333333333///___}}}mmmYYYOOOiii^^^[[[///333333333888???GGGQQQ\\\fff8?AAHJAHJAHJ>EGZ^_}}}}}}}}}{{{~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333777000 \\\```UUU///333333333888???GGGQQQ\\\fff8?AAHJAHJAHJ>EGTYZrrrpppppppppnnn~~~~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333444999  ddd\\\NNN ///333333333888???GGGPPP[[[eee8?AAHJAHJAHJ?GIOSUeddccccccccc```yyy~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333444999(((!!!nnnYYYUUU ///333333333888???GGGPPP[[[fff8?AAHJAHJAHJ@GIJOPYXXWWWWWWWWWTTTttt~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333444:::... 
""""""000TTTUUU ///333333444888???GGGQQQ]]]hhh8?AAHJAHJAHJ@HJFJKMMMMMMMMMMMMHHHkkk~~~zzzuuuqqqlllgggbbbZZZRRROOOJJJGGGDDDBBB???<<<:::888666333333333333333444;;;444+++,,,,,,)))>>>PPPUUU ///333333444888@@@HHHTTTaaammm8?AAHJAHJAHJAHJCGHBBBAAABBBBBBDDDsss\\\LLLAAA555,,,...///111222333333555;;;<<<777888888555MMMKKKUUU ///333333333888@@@IIIWWWgggsss7>@AHJAHJAHJCJM045222+++999mmmIII777///+++///555<<A;BDAHJAHJELN!%&444###444EEEllloooKKK777555HHHQQQPPPPPPMMMeeeDDD??? ///333333333777999DDDlllZ`b7>@>EGDLN&*+?>>$$$666FFFRRRdddZZZ[[[[[[[[[XXXppp>>>??? ///333333///111bbbFLN;CE)-.LLL$$$666GGGVVV```cccnnnggggggggggggddd|||;;;??? ///333+++DDDqxy/34ZYY$$$666GGGVVVaaafffbbb\\\```SSSEEEAAAAAAIII;;;GGGPPP```݈{{{zzzxxxrrrooorrrrrrrrrrrrppp999??? ///,,,]]]VWWccc$$$666GGGVVVaaafffddd\\\PPPBBB333$$$'''EEEjjj "Z~~~qqqMMMMMM}}}||||||}}}}}}||||||{{{xxx222??? '''```\\\888ttt$$$666GGGVVVaaafffddd]]]RRREEE666(((,,,UUU***...///+++... mmmuuuL<<< MMMFFF*** LLLuhhhDDD@@@???$$$666GGGVVVaaafffddd]]]RRREEE666'''...iii999>>>>>>>>>::: UUUKKKbbb jlllMMMRRRSSSMMM$$$666GGGVVVaaafffddd]]]RRREEE666'''111IIINNNNNNMMMNNN  ```{{{jjjbbbYYYRRRMMM۲ ~uuu___^^^______YYY$$$666GGGVVVaaafffddd]]]RRREEE666&&&444XXX^^^^^^^^^bbb  kkkddd\\\WWWTTTTTTVVVVVVVVVVVVVVVTTTVVVUUU Pݐuyyynnnkkkhhhhhhkkkkkkkkkkkkeee$$$666GGGVVVaaafffddd]]]RRREEE666&&&555hhhnnnnnnnnnuuu  QQQpppWWWYYYXXXWWWVVVUUUTTTSSSRRRQQQQQQMMMUUU[( sssuuuvvvvvvvvvvvvvvvvvvuuuooo$$$666GGGVVVaaafffddd]]]RRREEE666&&&555zzz~~~~~~}}}uuu ===cccsssWWWUUUTTTSSSSSSRRRPPPPPPOOONNNMMMKKKMMM;|||{{{))) ,,,AAASSS___dddccc\\\QQQDDD555$$$222鉉 wwweeePPPQQQQQQPPPOOONNNMMMLLLLLLKKKKKKIIIKKKNsssjjjmmmmmmfff]]]RRRCCC222%%%...霜 UUUKKK3NNNNNNMMMMMMLLLLLLJJJJJJIIIHHHIIIGGGJJJ)pppgggooo鰰 KKK^IIIJJJIIIHHHHHHHHHHHHHHHGGG@bߊyyyooogggbbbbbbcccccccccaaa^^^ZZZVVVYYY^^^aaaeeeiiijjjtttxxxxxxuuu|||鰰 DDDGGGGGGGGGGGGGGGrFFF$jjj eee:eeeqcccbbbaaaaaa```___^^^]]]\\\[[[ZZZYYYWWWUUUTTTRRRQQQOOOMMMLLLLLLIIIIIIsss JJJ0HHH#fff \\\,^^^Q[[[uYYYWWWXXXVVVUUUTTTSSSSSSRRRQQQPPPPPPOOOMMMMMMLLLLLLJJJCCCIIIzzzLLL 
PPPRRR(PPPDB=94-**2CQK5    #/AZ///qGGG:::CCC>>>QQQNNNHHHIIIAAA;;;888000""" KH.?9LEF1 R# N4 3 0 I" &? \,,,TTTvvvՈ掎~~~yyywwwsssmmmggg```YYYRRRKKKCCC;;;,,,5 [(m3t4o. W N]+]/c3^,P TZ Y SKy-  #J666UUUlllyyyrrrkkkccc\\\TTTMMMCCC111=#r5i2o1~9j*]-r>!yC'{B#q;]/V'h+n-m+h(`"K _# - t(((===OOOccczzz}}}vvvnnnfff___WWWPPPGGG888L(*H$E;9g0sD,R)O.J'{?f1g. }8!{3g%k)t.i'?D|***666FFFXXXkkk}}}vvvnnnfff___WWWPPPIII<<<(5+7<=*Ex3$J8[8Y:W/L =~:#> 5j&g$~4x0b"h 5)))000<<>>---Y),O/R*H:?2OBZE_1N"?">">3z/l&z2z2 [ m$C...444>>>KKKZZZkkk}}}vvvnnnfff___WWWPPPIII>>>.0/S&*H5T4R6#EB(M!HBA#G+J%:u)y.z2~7 R- : ///555>>>JJJYYYjjj~~~}}}vvvnnnfff___WWWPPPIII@@@454X*/K4T+G ;%K1X*OH$M*P0R4T17!<y2w1Z#e( Y$...555>>>JJJYYYjjj}}}}}}vvvnnnfff___WWWPPPIIIBBB999*=.:$E<5 B$J D>7%A>V>>JJJYYYiii|||xxxhhhaaaSSS???:::666"_1#N.a-x19+P)I ?;>&G)K:i'(Ax4h*"m3#:x1XB+++c333>>>JJJYYYiiizzzvvvrrrdddbbbcccdddnnniiifffnnnggg___WWWCCC555,Q5?+O%G#G&K"F!C+K&@t0*Dq8e(#r6'Am-0----333>>>III\\\zzzzzzhhh]]]ccczzzxxxlll```@@@>>>HHHMPM=(K(L-Q/T,R*N,Q'MB!x<p0m/(@)F'k>qMtttgggPPPV0444ccc^^^WWWhhhBNE<%(<&>%K$I"G7CfK>qK":DT5I>zO{||||uuuPPP]1  QQQ```bbbbbb .l<A=7GhhhSSScccuyv[[[e93DV dZ9*)'JJJVVVrrr!!!???]ekzn{{{}}}jjjyyyjjj{{{[[[ Ah-q1 Y( m) h@??? 
GGGrrriiideejkk(((AAAlll~~~{{{yyyqqq|||]`^Y*|<'E-J*Bt+ \$z6w3h%K KKKtttmmm~~~kkkxxxyyy:::^^^GGGXXXmmm}}}OgV@-K/MAX3I3p,,I3O-C|.Y}}}jjj.// ,,,oooVVV```888cccZZZqqq```___ptq4%B)E6R5N&>u-6RKa3$<{1L xxxlll333###---ZZZ\\\kkk666eee[[[ooo)t<$@3M6P1L'Ax0+G;X1K#>k(eeeCCC333###...kkkyyySSS;;;jjj[[[~~~p{r'@;T8Q2M(D59S4P,F&A b 稨QQQCCC444///lllxxx&&&kkkjjj,B9S5v/((( JJJwww~~~iiippp;;;yyyssssss'=7Q;T3M,It-yyyiiipppJJJbbbkkk???tttllluuuAQ1L>X7S'E i&eee~~~lllOOO\\\&&&MMMO_*F&Cv, g%/xxxrrrhhhPPP```eeeXXXwww-..moo~{+|||vvvhhhSSSgggkkk^^^((( }}}kkkRRRlll 888+++|||yyy{{{mmmTTTlllGGG;;;...ooouuuqqqyyyxxxjjjUUUoooyyyGGGgggZZZJJJ???uuu^^^bbbBBB^^^TTTQQQyyy&&&NPPZ[[UVV^^^aaaccc___hii~~~{{{pppWWW{{{nnnssshhhmmm788-..nqpbbbtxxx{{{www___rrrxxx{{{YYY$$$((( ___c.// &&&zzzhhhqqq~~~yyyaaattt|||888+++^^^Qwww333###)))ssslllYYYXXXwwwVVVxxxrrrGGG;;;...oooPUUUiiiCCC333###(((|||qqqrrr]]]XXXEEE===HHH{{{]]]ZZZJJJ???WWW kkkQQQCCC444+++rrrjjjlll\\\kkk 567]]]888NPPZ[[UVVHHHmmm_``QQQbdd...|||kkkdddhhhYYYppp HHIhii{{{788mmm"##CCCyyydddiiiWWWooo Y[[SSSVVV&&&nnn))) MMM}}}sssYYYLLL___kkkXXXnnn 445566UVVstt\\\```oooggg___XXX===BBBlll444+++ 445"""&&&)))BBB^^_xxxZZZvvvyyykkkhhhmmmuuu{{{hhhIII 333MMNCCC)))445"""&&&)))---111QRSllmrrrxxxmmmmmmsss}}}ddd<<>>888444222111000???QQQ;|ttugggggggggggggggggglllvvvUUUXXX[[[^^^```bbbdddfff(((K666III```vvv~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333333666FFFNNNX(yyyyyyfff^^^```bbbdddfff'''-000999KKK```uuuᛛٗŚ~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333333:::OOO___QQQ5 N􏐐nnndddfff,,,333999JJJ___}}}ⴴ뿿~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333333;;;SSSeee^^^nǔjjj---333999HHH]]]LRSquv~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333222___fffcccH蚛隚Λh?333333999HHH\\\HNPAHJFMO~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333222}}}aaa444333999GGG[[[HNPAHJAHJ|}}~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333333:::%%%ppp 
222333888FFFZZZHNPAHJAHJfffhhhhhhiii~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333555rrr...333888FFF[[[HNPAHJAHJQQRRRRRRRTTT~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333777///------}}}...333999JJJbbbJPRAHJAHJBCC333888___III333333444:::BBBBBBBBB...333:::OOOrrr^bdAHJAHJ888999ccceeeBBBVVVWWWWWW...222EEEDKMJJJ888WWWfffuuuyyyyyyzzzjjjllllll000𗗗oop888WWWfff^^^FFF,,,))) B}}}xzzztttQQQyyy~~~~~~~~~~~~~~~|||ᣣWWWvvv888WWWfff^^^FFF,,,===))))))󎎎훛\\\WWW888WWWfff^^^FFF,,,NNNGGGGGG􏏏sssWWWfff󑑑vvvnnnlllllllll888WWWfff^^^FFF,,,^^^ffffffBBB]]]WWWUUUSSSQQQPPPNNN ~~~~~~~~~~~~~~~888WWWfff^^^FFF,,,ddd]]]bbbQQQPPPNNNMMMKKKIIIGGG'򭭭󓓓}}}iiiUUUrrrUUU LLLKKKJJJIIIHHHGGG??? tttjjjgggeeecccaaa^^^\\\pppxxxwwwuuuHHH?GGGHHHTUUUUUU]]]9[[[oYYYWWWWWWUUURRRQQQPPPNNNMMMVVVꔔ `??????a?(0` %#C _%%%t***222333000))) ~lZ m >3 < 713\ira>###III|||뙙xxxkkk___SRSDAC&@.a-r3y2 Po7#y=f2 Nf'i'`!" 4EEEmmmtttiii]]]RRRGAE&`7,Nv1o1(N5Z/Jm4l0 z5g%v.l)c'''@@@RRRlllttthhh]]]RRRHDG5E9>)K!="E2MLb <<{3q)m(z0,666===PPPjjjttthhh]]]RRRHFG697$<8X+G C(KHD"E&Bx+v-r,G +444===PPPiii{{{ooodddYYYNNNECD676,B.Q%B'K&L?%DA]*E1"?t1"~6a&333===OOOfffyyyfffWWWJFI1X:$e5j*;/T"@8"B"@y19q1,Cw/000;;;NNNuuu~~~uuuzzzrnqQFN=OA#G&K+N6\A,M$A!r9q0-H_,---JJJuuuiii]Y\.n<#C1U)O.R#K$H42K!ALuX]V\***y333gsssuuuxtwGPI&P0.QB>PTaWWdyfnkkk---| HHH1iiiyyy.)-S^ep|~{vy|}w{vvv303xH8a+ G[ kTVVV@@@`Y^||||||3oI;7T>>bbb=Q;U8S#?Y#> 'eggnrsAAAkkk}}}J]'?84P,Ih+"zzzLLLdk'B6O*FM!wwwiii^^^bbbGGGoqqM`>Z.M 8g󓓓qqqRRROOOwwwxyxW[[^bb?~N$혘xxxZZZqqqdee@BAY]] 葑ZZZsss[\\XYY$##[^_ vvvvvvkkk___NNN\\\^__illGGGhkkfffhhh٣sssVVV{{{npo]__ehg`ccqqqgggegg%''rrrfjjACCx|}uuufffeeeqqq^^^qss@@@344\\\{{{adeOPQz}~~~~pppiiiggg///555__`oqqbccSTT\\\knn...dffz~sssdddhhh444!!!III{{{oqpadcbbbXZ[lqrtttpppkkkddd222`bbDDD|||jjjqqqwww___YYYNNN```222  
XZZ$$$<<>>CCCFFFhiidddeeeeee?LLLlll}}}rrrfffXXXJJJ???666000666DDDYYYmmm1___^^^A```mppkllsttsttjjj___\\\MLLghh___VVV\\\aaa\\\???666PPPwwwsssgggZZZMMMBBB999444222///777KKKUvvv6uwwulllgggiiippp}}}tuu^^^]]]^^^\\\***<<EGSUUVVU}}}wwwjjj[[[KKK<<<222,,,111444!!!QQQ222888RRRLSU>>WWWqqq^^^KFJ2P8'D =)N;.L:6{5g))))J999[[[tttdddFKG(p:%L(L%I$Dy7#=q1 ''' NNNzzz~x|S^U(=+L$L+J1G;SP{\\W[$$$a ???aaaֆpem4O:Pbmrnsut}}lll.,.h QE )u Q 8\\\^cffKGJzrx~'zC0O*C$?'?( _vvv6;=>.00nnnjjjSSSJ]-I.H0I6Q A1\^^QSS|||EEE9S(D5O1N G&}}}|||bbb9M.J(A eeePPPbbbvxx@Vb)[[[xxxFHH8::ooo~~~ꤤvvvttt^^^KLL677bbb ppp䞞qqqWWWxxxijjfiitwwfffyyy֚ruuyyyrrrvvvkkkpqq UUUdddӔ:<<,..bbbZZZEEEPQQ~~JKKnnnǮ^``RUUgggooo??????}}}jjjnnn\\\```999 244'''OOOmmmssssss@@@///DEEPQQ(((9::PPPaaa}}}yyykkkbbbXXXUUUgggprregggefhZZZTTTPPPLLLWXXNNN:::EDDhiiyyyWWWiiiyyyfffRRR@@@555555FFFa^^Y___ ```cee\]]]]]___`_____mnnUUUZZZZZZ$$$T@@@sss|||iiiVVVDDD777111000KKKVVVDxxxmmmmijjbbb^^^iijqqqpppZZZUUU000EEEopp~{{{iiiVVVDDD777///QQQnnnZZZ Riiibbdcccyyyo333000CCCpqqBJLehhyyyeeeRRR@@@555111@@@EEEZZZ333111???pqqFMPBDE]\\qqqYYY@@@222++++++ZZZ333---dccsxy.11/..yyy\\\bbbZZZ???]]]KKK(((^^^LLL777ZZZyyy;ZZZkkkZZZrrraaaZZZrrrccc...cccBBBUUUZZZZZZXXXgggYYY[[[bNlllzzziiiuuu[[[XXXEEEGGG`UUUmmmZZZYYYYYYYYYXXXVVVoooWx(0 ` =S9k2_4/ @?P<7B4 F$pEb6p5z4p.K`OxxxpppdddWWWJJJ>>>C%.~Oa6 w:|6s,7f YS)MA!A*E69cCvvvdddQQQAAA!I+1YC)H,G4<f f#9%K)R.P5Q{7vvvdddQQQAAA+G2.X*R1S7Qt462$G%E/PDqPvvvdddQQQAAA:>;,C%E)H-ONat'S$:JdP{{{yyyiii___TTTHHH===???TTT)M1~* eiii匌nnn͎(.1rrrʍ'.1}}}pppsssttt28:}}}~~~~~~tttvvvuuuowwwfZ(.1wwwTU'.1yyyxxxwwwM028:0 kkktttkkkbbb )))333VVVuuuyyyooo^^^JJJ888+++))))))&&&333@@@kkkvvv]]]FFF666333333111333@@@kkkfffvvv]]]"""333333111333@@@kkkfffvvv]]]"""333333111333@@@kkkfffooo^^^JJJ"""333333111?????(  @E F=A5 +<3F D G6Ub+P;@*`6iiiVVVAAA...\.J$C;:S f&'LC/Ma|hvvvYYY???+Y6,TDq13i&5"z7HiQVZWPPPMMMAAA...697.W8x' 
[(.1.46iiibbbmmmooo)/2nnniii,24111TTTvvvQQQ666333111111TTTvvvQQQ666333111111RRRfffvvvOOO"""333111111RRRfffvvvOOO"""333111fwbuilder-5.3.7/src/gui/fwbuilder-windows.ico000066400000000000000000005260441303637203600212510ustar00rootroot00000000000000 v (4 HH T\00 %g   4 hPNG  IHDR\rfsRGBgAMA a cHRMz&u0`:pQ<IDATx^]U7p${zBHIhBzޥ.M *::EqqfƲ $s=g=lf5f` ̚Y30SV[m;8jRcmel ̔4g<{5Fncx~箻zOve/c3vy cvj-cvho}nZwlhUg9uofM5}g:~߯ъ{cܸq1v(00 Q rWᥗ^6K[xSQج!fuwA]z<^+5Z@o~FBo &P L j /_9&f<%y䑛~va8CUVv!FBo %(DKj fiOO?*o%[gyuof SO=uޣ>zc9:~j:7 G @ ajAaZ0)}[|_n/B'>[oR,s! :GgfO\N:N8fc=7  (^ (L/ӁSOG?{Ƈ> 0{9/x9#|)bSZYϚm5~s=yOy_r-.k @%WS?}s9qgYggyfoxhgZ=D{HbSfiI]wݵ>؞|P?϶OlVg{=OZB@k:DS(r)+l?>򑏴O}S6~Mo~_~w{g'7+C/Yn(~*$Yc, 5o |j[{ >kDk/~Gm_};{ZBLh @뮻G??/w]cXohw_>wygs_%_s@.vy4M6٤Wj?dc=6"ǖ$?fTư7f;%`) f,Zl~}l|;w5η7v8{p…LM!G{I @n|ۆnFՆ  VZiֿ|x4Vy +&OWFuy@5\sy 4G+_z?3yd&(Gђ+b*3 COs*b+_>31A@arCs2H+9[o^orRW]u))@y]IV/Q' mmV[֞z&23f97whOy6V1 c2/4pvM9 5UtÀN*Ə:W w&-Wk:Lʟ,ygz mX=TJ̡ lA>= IG+lTUgԳsh|P'VaƻO9Ë4b-k.H}:=gԲK Q;GQ!! r&@=-Ok1 f'Z@|3#]^{6M_~=f@$jSO:lCfWJbP'9zv=>*>c_# |9kfi3S,rOs>`3O*/90g] ia0D (Ϳ$$=1e&e' =Aƍy`-9h l@ }Ø$1VcTp'};= y:Vr@Zyϓ$ 01j@r1|#0vx^d*iL c,N I_@'U~bZ_-#JlUS3d9 gIғ!)̹4 u$&0)Jmg=? 2"#}V@{@1bﬦ3 SOsNNH& 4m8ؕ0]=vai;N!jh#-wBj _lO<,<]8k%՚iaܾ K.ic`*Lw&`]v 3@7ˤ~S=A9' pfk/'L{Ox@_G _-`*L8@3tL#oOM M#,W0@{;T@2`t @ 8CφT6`! uCS@wMh1#L#p={jߓK/u Jlr2jfm 21Shx%p/fA )@`%]h!_ L裎ߦflvd1Z@Vf4Lq+>8W8zf*&vXaZLAгrfL,5uj€x8UN3PTvfiYg3j4n@4L,wZଳ!'\}5EYj#J=ܽ IV)zCN LM*&/? ]u]wRG3 no9})sQv$aUVTVr T, `Xc8l wwfZ5K.x# SsB ~6sPx% Z@uf+zqf~cN9 i"Y'30-0b@w;puyNof @f&@Z@i``i{W BLL.3&Y|Wn)~6S&77JH1~F|`Xc8". >ՀL gloȻ{ N5&48Es.wޯY0s=+4I[0@zj>)ثZ&P-&fc_["csa;C=p\\kkxaÆv[ ЭCO0>nGB }?3yfnlfQ{i}}`e:&>Y;F.{@Lw@|uj zuw3][r(dr4`\s~]mzQ5Öc -f j is,S PNG).u}o{Z'-;Xuow=8ou3`}7ISPy m =V{W[ /8q&s;@ xzgc. jF&#su1J%{>^[oT;_S:O}̀ e4.(MO@F/-U]ݴܞ^GnfМj :kV[:ר4u}`A~~{n?X&=G'_m!;~NcitA/AH: 4┉&MM/[wiyw JLJ>^ˮ& ݙBBg5X9?r72۸^Gѫ믯qݵ= 37Cu +| 3 ? 
{OU_ڻ+st"mv$ 81' `t|Oi{@"ٺ8 7|W_u]tJXvgk&s#b*`ro3%Xo+a =~ ֭&QBxWa3b ^+tFaz>Ț| :fptGw/qv.~=__x'TU,(¨0?@_mNY#ـ<2N& H }10 [^@UFczIYazۂ_NiĻgn/1x_#="V:z /􄓆Һ 8,[q{`#``d$G V%(~.O fH%Lo`zR×#k0ғ{ZT [L3O<:rwCo*~uy/3qN98ԦUQaBIڳѪbY09x/!65@D*6 L#')9ohDʳ]`z+~y'٬C9Ey:~ /u=yG#Yg.vז)&jGn]hS3o?K/b2SMQ9 a EbR+]J='iw.6\2;Ss8kxYo 9N=ܳ8>~A=Ni߾#hgqzK7]ߋO)9wO*LwY6ͼ@Izڥ:Mc振|ʙQ&K/fA?+le l'(1xli *@e KsRD" @mweΈa@FbOcwCIa1hXie>1>3L̮ӍpO?;{=p(xYeT{da9&CufmpF{@.뵆;UI;R=J 2R##&Āa".i ^BiJn'v6/ Upr#r~W]ρ1%Ga¤$~l}IO?M`|~BkPK٣+KN;sk= &(hu*p.vI']q衇|gw{}>e:,/b/1Gk[<#\=h}VghN4H 0? a<|  Ϝqe0Lwc~3dZ90=aX%O?u%J*)u4=W8.4+si]$7qtc!*ƽLݳ{s?j7l7n؏l&T2֎=vE;ny9y%]~x@96iMt=Ͻ2/B(89wBiDwl?ĹMcIi <xi cg?}k_1$)x<0{{PL1W׆`^L0 M@CS@ ZeL|'mȽNrQIHB݆@{F#<bn  H"1Ghk#6:$f\=T4@gT1Oe7pם{׳O4s 33RC"я)8lhx>L3I;S=~3&r=H0?Co4?Sw˿Kox}oAƞ704MFbnX9SO=qRicݨF7D  By3$!$}(G2&Ol!N P5XmU+nۨT1c6e{Xs>:r 8p#8|C'CMn{\܄ -M] GfL(!xIu0)lq0#Ġ#I0wۿ[~0?c*`%@wLz&>PcȰ!|b30@&MD{! Pn6d `Hy- !? g7\*r˽Sc~NPiiC{{9A +0C9Z{kd繀 ‘S=˄=u!z"p]Ə)<㌩>  &441AD*:|T$`t1O~ 203~ l&7 0,Xwq6h1'T ]7LTF.ZHF#[T%8T$ < \?Q˾O8gK.ٖXbqzS|z4 T|=u4?=#)S??'8'ЛI?)a5"hTP< CD-(U{̎ ׄ揖5p5m<~?fH!rk&h @w"}+?#$Y)ƌiTo gzFc(^cZ& ĎgkV t @퀀 NÄYq w~҄u! L>@rrn#H+yr$7|S5b1a\go ,@H, ߫W Ād73y_!zp3) cNhyjr^sّ6F 2{#Zdd>@̃D0t|@8{"sp/P7~ %HLnr̀$͗vx4# D}F!(Fl]]m䠶dL<fwnzh PP1$z2W1=:^[wku lO&?qZJBO4/ =e>Byݙ{j~z0? 
׊Z&6˘P@8DC>A[!0  AF!nZ5<3QiAT(q*{3x-zwwX Ǡʏ%Ӑ@>&c9j,آ=U^Uߓ Ö3OoY1 e^ߪŠV&<w3I"O??Mm2Q9ez%ԘJ̘ݝ ~p,<Ų<ir1Sl% G&Y ާ'L 5ɟ(@5.$hbd( Hv`D̟dhT90)VBSX $-8as+ܦ"NY}{}ى4>s暫7,P/ҍէu`j@<|Bw1%ɇ>Ҋx?h)[ ͽO4|,"߰7M2T{-J-UKe,R6|2iQ Ct7)@s__{5n׶k M6ZvyRIA&~MBi &Ja~(d $S,D:K*A#Rh ]3Rr :ZDޯ_ ZԚTSʣ'$ ѮhYc%7%l'$a}90:@4ֳ1\Fd$ ͘Հ%A,!.@5JVR@CИ tӁho~^>?n'wTym_`r$<zF$1(ώTLP~Py@B`dbx%(mkCж6F{[k5N8A1 9tT|Z1G Rj)->]o~!߹0@LF XD03HM AkE݈Ti3&$#nN,Ȧ7ˆiNF[[G?nW1mgx}*X短-h;n_Dᄅ7!@*#Jp8&3 `~9tT:`C@@7/@h0Iϱ4BIspiռ5IHq*>aVt6{Jvs@-O\W II0>:@2}gN Dr|}-%wE@P/Gt@i"ܿM̾M$B'HJ̆19vM$xA&@bx?T*%>?#uZƢ|kueͱߑmHͧ l]v7lՖl* =; 'Vߕ;~; y(7^7#474R͚(s@ܓVhZ_ ~Dc7' sF1AJu1Łm*=Q1;TLE7v4ZX&sݷS/~6W- SU_ O~dH\|@`kcfc)tR ާ ~~*(KcQ>;@CFanhs/*fT `7j\qv114MO&?Hz6)N<7Q[y#vcB]I3C ''&e`ڃwƮ;ouGNs 8y$;2;Osdbl;M!L @@)(a4)5Fz$y )Kk0jȶgii&];L٩*f `u>Uwl8)t OJzWچɻxutJV Ɏ^xrUR7{ 3dA6O HUMHwlg&Gj$0#h^Kҗ.m}X/ԘĴǟx=D 0K"i{m }^'y]Gr,8_s<b& ̞pK?$nz0͋ R* k9+dǢ8~ͽF'cnhII>;mp~d E͏[¼@4C};ج7o' jLJg< $>4`2V'ɥ!CSn*q$ʋ[|d Ȅs0)m }_ -ߕ_cKmKa3EEv$r?* ,8RQ*kT~7",sg$*{ʃI8ҟ mg0{Kn.AQ=OK3Y9C(sn&@'*1uJX>ܹ c`§z/>Kѵne׿u>iOJ]x.~4IQ u`0@"HY0"&=gd+phk#H$MJHXTh y  duOM<̚\ډ!bI^21ҡ8<D4cv~lޅuiu(~-@kYia>s,!lKual 2)N5J.v-t弾@D5F0(OO0=D#LRyيLJL?A.%wZ pa\8TXϙEek#c륂[ `2CW8RluX/+.)i}ùW a|戰IWF-MG ^n.^` % \7dfe 0$-8Y渻ׁgKB mxOmv"qcaaYIETxk0xOvVLZDc"iEOs2=9|U|K ,09vǵ*"ȓ$SS$gQ8i7@M"pL4K' rZr4pk8|x2SՂ%"$LIE49Ql",Q( N#Q@{Nz4/1aFHbgo`z oi/!MJo oOn~O{M30\<dEC6@ R]W*Ogs`t:faYrI$sR,g5ZFظYMlS::ΐp"6gw#'`_ .BA=jA,ۊ$NJE80il)i}#aDĉC|B 2,\: $Dǁya6(I $рT@M#>s +].> ͽRߚxZIQ!c&0G>v}wOA}x;7Nhmo{y[@+&GcT^oaL& Ԣ@Lg"4yTcOIV@Ʉ#A~0}*5՚?;0a6FM쒌H'$ =O8Cp{9#EB SrN h1lҪFNHjJm}|EYvpݭ0(Mf^4-sɱyy4$$S3uHG{&ܚ3MhG !t~aMc++zt{ϠvCO>=ؽjO9y['|2qn*pM]3IfƫO$1%"1F~:XhAM-- Bb; SO7uh/Md)i}C!`|o c&’a>˶O s`|e-G}`F!)wgJ>6$ )6Dh"^yL>cƍ'꯶Wˑ-];}woiG3^4ּ6h#tkRaQ-٨fcb&8M400J@=bT|l2=镹NI ${!xd-bI:2BH 2:5Ѐb~&$|~ҿ ˜;*K@€@}L HzaDt7Z8R7`֕[_!5Ϡm ,Cq$y:9h')kRo~-$d}7ހ'q9_[\pzl'O= lvOꞦcsp3WMg+WdZ_J‘ť41 p 3xsӶbsO0pH2,tbJ#${̤  KK([LJ̎`L@9it0LU B9x4j90HQSe;0L,@1.*ز/y&@Rt1}Zһ1eؼJվ iY6rqMtI"T20r,h.;tUttҠ&Ճh2[ 2/z6'^p$rпVI(rOj4K(:BW/}*}#!Zuxݛ}Lf )$.#S 
9#'S3i9|T[ORpxy'&S@ >ABC8ЁlӈSTם/ҞT4Y8 SFZ9O,?!};'ٓ /;/V ةWp}_0 BLV:;gkv`N %K/w {I ׍E;hI7aBxH:IJx-?^5zY;NڡǷO0 f?A#8Iw0瘝Z3$"CyZLJ+zf@Z\KPh \LEN4IID :ǘ}@Kki L* RxZ|a~D3LKz[8= 1~d 8g>3y<%̞ٽϒ!Xs7C,RlҮ41Lj3AŖatR1QZ}|?h\NI *FMO" B ݑडYwNgx&K-9S@1qLOBːIΤ^?+qMBh%f78\(3/~1Tsbm4Z=A@ɤDǸ,6`Hg$.]H8~_kEct^G;K.|SR?ZI}`Ikʦ,0ܹ\ڗhU3g<'`՟mbl0{ǓxL-LF3[<'P =sxgۦlJů9 K* #&Dg }/R\8&ڼ$4ڋL&69^iJ]c0}d;0 1M6>Hczg`g='b%ɨ0"-"C64 cp;Lx9LDvblja6?!9FpE',I}y(OSO9nB:N'i~N@ڊƧxPٟ$#B]AeR "Ac3RI#L5`﯅ ^seOI'1d$m${ETyϟ}HbsqL'#s PŨن|cn L.($i.i53]@ 90NAt0$F4e)ro]HL=Հ#7=5Nq2 ӵ񿭼zڂu׭YXgy_CF=V:HZ{Oz'cS*]I}#|; aS  3 <#NRv܏󁒣47Z@5wDw:dg 1\r'0k77?y>w?” =!;ji`nw03H(?' I]g%ZJynH}L{kzR_4R_Ƥ4h҄h+d_=_7 ,絨I'bK{+D 0,2FPT-A^}!@ c;Z$9[ ʿ Ǔg}϶|/83>SIELgF g`6$-b6 4̐HLg=N]=cx670)Fv/Z=:"Ӧ=NC$?!Dpyl~[yiv̓2H:-\J˜A@gNLzx sxcDLRbt)&!1%@΅=8܃{Iwb,s=nW8%-*d}%$"fnjJ+opis@M&;݄;ɄyhmiZ97;dzNMa2ogͮfaIRNKM`Vs0k7gY_ E9kF`<utB[_Pt6),=p`XG1@ܹTЛϳMo^W ?+F-IjA٫H 07揊+H1$&K`'0ka΀ &<(EvI.xX{q=0 < @ݎ@hS!D_6]5jc'0'W{]=tBW%<Ѝ秹es) 󺱓Ҿ*Qx%dg7O,aI#HaNtϭ' {X,4'u*|)ےa~(`,q4Hw v S9?u+鸩eYEψO#H;v?yj 8V)ݦb*sd"%@g0Nc/6g5Fs]ͻLG?r9qa@[~Pfg{ Y#`G ЦO zqfbJ5lͶJvV[-s`HQp>4~#PvqN cJ+s}"D>}bky3ħE@G#HprTWKc 4O{/0^@‹ ̷$.< ntdUZNkؗ-D0$@S lS_@Za9$&ȺL[ FgVw2+m j^[:(-,W; g\Ax?]?$:br/u#h{cHV?Υn"L31ΠF :$ie>ٍ$q%A 㧵8Vc87-$!h3cTl%VP1\k&>I:ҺKOXdV}yߏ$|vs!YG ږL5Nd@Z[K- A?p߄; /1kgvL? FЩ{t;KU TR꓈&=DT9=t5@C#{3K韭èw#b9oh} $0{2h ~'/#>b%Cϳy#UkgY4Cr"&轔"9 w^ &;yI,Q?`f)P.Cz^w$69k}0Ebqz8y0:IIO>I6L}O;dm{>@귺I%e?GscDZ0)s6zƴsmacsW|CZ=RyiOѨCR{v}ck`2|x_ҌE@Z<&TiҒ,AXDd)ݴJd&֏!a114ϩqȨNqblsabGv"GǔYJ;)qNv2z i g"bEL8cj~!LI",qI1L~Rޤc4L #0)m0 Eŗjdiү/yq^&g>eɫw? s?'4ΞXW@v6]Pv5tJBFyV̭g?3]K9b>I@2QZٕ= tb7gB+i;x"Y1)˩XPsOPX̚JhB&nLŴ`j@@bcxy }!(΄z3,r/=]$I% `HySߎL0K? 7)B\MRgJz{ Q8C\08lS&fM3HlcܷH#ݢtUUs%|EhonWҳ @Վ@v,;kFfs)b]灹 @!&Mn@޵9DFKHRNэC*D#^G"[#(D "'m1q1y\bZ,]f@y4{4[Y ydwK"= @BS' R:hJ$s a`tkgnL$VI4gDR܂H{c|Gff"D"g‰*O bJ*BtAEnjD+{ 1ŗh=LK@ 0rQifkc OqJ\۬']8vq"a*"{Ax>0 I=? 
>9T  Edgfv;F0d!N-, I\ tP r3RaĤ>%ˣhcY[b=1{v?]g2U2FzUGZɋzi@ ~Gɞ@ h~ߵڤD7~eM@iRM.PYi_ `JRR+ a4R%3&Q}ZZs; 1g̲0#JF_2J~5-p !]GXՀ%e~`$ !eyI<$Hfl`L*&&a6 Nٶ$z;~+Ga 5鱖}t%1 THXf:=yToGZc~Ig00% @sę=g hn5n-0!8 y3DY8W0zYuR?1mQf!sϏh`JR[c*~ :  9i}n`:/0=ڳv Ǿ 7{m F@@S׵gJ?V{FʘHsשMwn5h6Aq>[΂w!pFRX 53hʇ@,>Aڏ`#I4 'ՔBٙ(dƠ. pi?Mw^|Oзٓc@`>D$-IH 9=Ot Z NE4NN7 t n]<'qB~OıԞdGi _~!H_H@7u)1A0gɦFO3P0l~A2R i)3@xHo‚$0@ i ma4LVxBigȞ"# ' 7͕)i~!^n% uI@-Nc4`|4?=I&T9Rz;ت.ۜ&>og`n0]k}J+Q]^3Z'*B̟I I5)oWM9NpK2@BJ/&Y0\Bl107a`V%#_P(@6͘~zGq_i+捚L9EGfW[58#Fu4hbw5?E(-~ۼZc~#YY|׍Cu)BXq:nބ&"  tIIp$1f.GLK;{G#H>BR;1!i01h (a-Y|Ƽ$h0?]y5` 4 8$H@X0%牎$XW^xwY$ė5k "qj2),njsaz?6ИhuKށJVhȮ& DD]p[d#!s$VMiTi>cbTEOaL6/GO3 3S Rؒp iCՅz ]ͩ/L][vn;]$fHͧ>GA8'@YHpiɹ-:yR' KQ>=nCNDfo(3dK$_1d.@#a1^T9L10/&98]@`~ ʧhy;;z3L d9Om>MۤTOdtNl.1eW`꾵L(Zq"$1xƽru[q$rD&#bNDM[eMJI?b^fN2&D;)eD!{6i.mԄ} 88 P$8LH%!5K ږ0¤$"5[h15;#Xhad3c0)C1mSi$IݛOY0z!`tsw{&*8HiQn#xөT`~cԴ%ۍ 4=8Pi>& &'m󗩭FVn*guZ-I{bnQJ~9S"L&i)dM" ӧS,#IANh?`:0?iV 4Is"x䡶۷nO#޺G^ 5MA-JR TL9&ç( c֤w~Ҫ9P1eQ׏1 6 L!V C~-"ЈH{{@$im&c. @n:T=:Q6W_-?s[/9#׏yhf tE/IZDPUx+[*CD$S~OO~Ӱ HH@b э`6u^ ]4\\Ɩ X搹i}=xީ}5^/=_O߿{WmVzjȎG(ѤS˼LD/tVLd;ud'!L1!!qf M7kM\U$m{wwg[ۨo[vI0&i` @~1<^SL( \' Amtn c],]K@w-CraL AiJ ("($+;q!lS7^.怮@Trm6gC'U#x۳an#x@ =NM7P|JV}{NNr|N+Pѧ9ĀO I{c&v˝af>zTtsb=8l ͢sh5ƻNG4P˷\ pѶ}#ڦׯ6yնU+u/_u"m!-x+= 5t)m s2y&FCc0>fNV`Rr}5L:dMbB>D9}Ps9#IsuDLK޹żݛbN`\Ód*Y7@.VkfPig ȫ@paՙH~̞uOOG {DI*{zdb͔ R .r*V+zO|8I7SnS> Q:=c"8@h3omwȶ>]Qnmg~vvziZ/\;myjmI wENzk7il\j%$(рt\iG04抴DL83Ɦx1 Hldw X/ ]}N:ϳZص'%HDF\+l#_"VcTԠ8wbԿS o֊9@BzglL=ý'sPJ?8kӎs0%`kjSۍћC@ڽc:*)aN-OEKJnrqy=1YP)v&oMk3ߘ/_K5۸G}_}zd;m]]ݳݮmzmvxm /?.}|I-l`*>bxL_ԝ8s:MMBrqfw u!D= R Dn68/^{--ui4:%'%8b;~uSo5"*14 F4)`l ;9LEj[Sg 6Oʳ(bۇɣd6ڀfN^>m1aHBG3ZR4{A/j^@>JBl[$q$q ~8{iAO|HqA̷yA/jݺK5w/vz|Ͷk{kTk[3i_ڷ ?mMRoSэi'`L m@!$U$gl3H'3!}z &@ju ~7`Kp$MBu0wTnN9K`FmrFvmo࠶Cڨi#n\=.Ojdvoncٲ=ۙ>m{jm޽E;۵\b@[ع_*44tS(# 3I$,iU1Z&NkRSO?) 
ږދ(x/ J#A\A@$ Ɍ'7Əؽ@=#ڀFb:/!}hR?v>Ť~-H"LO=9Ipݴ Py(恹-BaBf$4's5S[si Rz ncW@6gpo]OKP{kA)؇W6:wH[y;oG~nvh|vاwn{Ն46@0|)$ΟH:vr/sƟ4Ir]‹?f]g&#i7@ۜ9n߾B;Ǵ~6vݎmJӻ[%*'F]Tmϧ6l#] _x?W9LB*0B¥vjd8٨VT*}bJ͙F̙};)?)iC6e8{y!'qקܘ|blt;0m L"39z袋69=i#L\/QHR|o&{ӱs'oGBZ0 @"$RN$;&3%|JXI &o yqVFLcfBg_xVܑm{WmmOT֯v?жpڢOsZ/s{@~m˄qًBjLMFi0 '&ÔFvʦt}L4 & /p>{6d6bAQmm6oz_vŤ/oxa,"Ah d7Ĥ>bD 鿏I+bޘ(jjj!>NR &B`hټPaqZͼij8 584J0@a"$ċ<~ kN*.bM3"P^x==φ53?h9h3 {`$ݓ{"NdF;Y CE ^P{m_z/V;o%WWcۙ|`ۡ޶b}\joYgƉ /6r`[dk/DJ}z?ɖ"D[49@6{_ vdݦoٟ'۹^ u[cN"[v~ Zm}b&h[0z!|C d8՜J<4ÍDTq;@гrFvw"2@_I{Fh#wLC]00l@@sz,{5MBjczZ |Cs`L6?αF~Ͻa8#@ҵ8)撹!韮0iF(EQ ;I ~}zߗݿd(pmϓvn럷|[E*D[ƅzN>4 z6yn^χ'F\l; {uߺ\y%oK3G୫nZ<;k+8Oxm.i^؆^Hvm[Wiۿ}DymqAX 9w6ҥz/V6`ʃ#ڄ60ɉJ ~8R NZnt} a@X2ԋkT 'WNwwlſ/,sw{_tvF_]}R |,I`> vu@Tc[i(zmK?>GBJL0Cүuc$Z!%4NH&L \]~ #mcrhHH4~ yb$ qu S|e0[/=}ow'Kbj]kE?@uY03Ezm'ֆ_d|mVnc߸ۺ7,h#wo|OWyw{zL;䅽 Fnv{bK6jm+!.ІD[EXxG TXDW-NF A21&K.$(=?~;q^r^{$S7̙s~ݷO /8X㡷O%@ =cH#SDĦ# 6`.CGN͡KKcEO>;$ySO@.F r'x pKwl?s`jI #'B,;9YHL1IYٕ?qQ 8̵{ŴI:t Pw\oi\$+6y`tKr1C0~b&A8&4̉8&BP6)f ˼& 49Jz>+}$ TL H?llmƶ``IRːl@ I\l6(&KԁMR:];8Yz&K<5)@hDG{?ߺњdizޢm+xwj|ds,َ.mo[\J5ښr|m[M뽭oY 8_[z3 3` YWY9H&qq Zs$)!Y'P(*K& =oOJxGz VϞ p1KٱQtk @OG]7s$4"$4NJD$ޘlI@prqzQ]/`>CG Z=x..F"HГc#L$-4 ٓ LH"'ߗl0_H}$08 ScOL$RHKOWg^N;m^QEZeormYmtcIJ޻vh'3nvwxۭҁw{`dJl`[ڀ}oO1jB7-drA^ct 9QPz?_|?{_6X|{R@…WXfނ7ges^$lD]Ex'DC%~h35+9FUFpڱP)+Wyi2SI")@@0t*ݛ>OP,N;?~&L_bbM.;Iʆ-KpyJh:> noRc/DEK@}V)M%br˓ ɓo>\?&Ez TE9Fڛ[j#\`tU \aLj0I) ^| .`T.첽эg 2 D| @xFsۓ)"(c4̟'w29ƘJIfhkG*?lz'WoUykꊾ ._S)|ҁ_*wlٶΥKlo_ӛ)gU-AsH@!D!rDMqE0[iH^~] @&R\c:OI G (e@$3esVh ] +]!Bf\C:h~3y| x=@[0ZyH&4hPȻib퓉܃s{}̢!ۓGOP?EG/h-NǴ0 s^Rp4jFj9/znUXik_t[yph;M*xwhGK~ҁoF\d[턹:,]뵽\sn;U-رmsǐ6ϱQq^=T폑>SO?IDVgdI ĩ<8bA1Hlړ̀ߒ|и/pXc9 vd:btr/>ppϾC=&}0'bEgzLJX^2csX{>8״ĜϑY.Ra*7F2(ҍzm0ÀOG 3Dl3v0iPBP[hNDiFrwqF3O&}4¬[΄O?.9kL>91WrI%\x?TbXmtӀkVip_9c6Гj[\Zm˶ (?)+ ,zM|3?#7a(N5(-[n_Z/{kJ J@$RR{wte!3!iPaT^/`dG`<ƽ8=9@%-cQ9Gu$`:pxn@B '-.Ӳ+|I(N4f Z3 ^3?GO4$/uVٕ:%0uKvmЈ.肶\|UQ}?M{Eߺ-%Mv/NnKXqس^Sk%ڒ{6qXۡj 6|`Ԙ ߖk nE"CWG[&Dd1Ry,@Gp}M @">Cۀ'601h7Td6`Jx0}UdnhD0~ҁ#6O!P0XR9v~J  
L40 \@]?HvISSA%]| !ցz(} q8V6FhaɽH.;f> qz6ovQ1zwv|\8_۩T3{`ꁿ軽Ts7}gk꜋礶敋M_Jž~]O[>%.}H%@˴UzLՇ+{͠'6Z@] j䴁Ii٦\h6 AHecS1b@<+G LjJ8/y-6h"axœ (@*H`RIC0V]%sNFd0q:MBӋеdDH,ui‚WIh}eEY}HT Lsine| Ǘ]!@]x޶{rvhܽ\[+JaU=ڕۿbh>0]ߖ޳*֭UP|av֎ҸvLI]߷Ay ܹC6lG}avNA1Q#4T>-n6yP}Պ_r#P@P6qX ?.dFc|Zχt}q8ښ609'`G s}~!>CldDCF@Is-pfBHT$P3{8S?p1LCi/E`Bj6@.Lf?@ HZ' 3~7} MB79 FWy->3ǼJ?쿀i! ]Uk4dYZs<umVnܺH%w,ƾovvhgn,_>{Z[ ~Iu._/m̍CO+}ӛ.6aɶoi/}KcJ#ظ¶퀏nQZ@u?8eۚ,ԆXUK/%uՎZS_}e`ygOHh"WZP2LRRBɄ"i$kL܈ vP.5%m`bHk$ݫ|' L?];#07أ@ )IJswh/&L3=3fN=&cҘQERN~. !A}ہ- ♛4B?\g M$!5s:}%r&j]RJYVO/]mvy9O_-Uگ-uL1?m;۴m*K/3aw6(ؼTxE=#.Y_W:г ?hWc f`'jo[ km{7n[>0}/N:muװ؆ojϠ(y!KT`@}&6;"gSxvv601$w'Ȧ%70X D`"TC?>|r ݤ4dRiDT*P ؄XYo8yMVФ(kh4_ObSB 0 0G'cB%so1:'#s6hɧwW.<YWמw^%9;]s*ov7KTF!mwnG|nvk?a_mV9^Btb!}\ \{a>[uۖoe'ݟ݆T1eS&~O^-Y ̀Oل,~IDTJtGtM XǤj&Zl9-]n& @~G 4>LԫKpK3w;s{?B~sO;0J$"v|$} D0 Ribmde,'sb=ۦpՆ>grO[gw\pEwxm%˗j_ۇqUǿsmqܧwi{>NB;[Kr\6hkT3F_jz"Ko p*Z]%߯O_;oiY|\ʱT9qTd`{l|JW!D픀"tz 1A( w⹞EHN@1+ lks9g601R93 Y_ L,`P)ʞI W|$;!#3ט 4q$\ ƈ3vgB* 0+rv}5ݖ`GLw<94H3OP=9LD"hوNfc28Ȍ&a3v CRUݭ~m V|mm{?n;(76fC_m׸ m|{\;髵eҥ/wIgo*5ڑߦqd;=ش: iV~'vyhT;vi~n;7)ў& ]oWmh&@i ur峹0/9#V&>鄣{q &AVXa^@_f/A >a88∆109fЂ"nvJ9ACȶV =XӺ$)F<@d-b@z 0)d C>ch=`Rdmn%4#=̞F=I(H)NTMh9?۝#[ :r=#aUi^mrrU_K-`l1tOk_y{qvocYmGy*JV82oo[ڎ/Cھݲ3pHMxP靣:` 8չmtN(LE0iR H[4!]ÈaHءK-G40DХOIc uёOko1> G~!5'^:b~}Ir0O4p#ZgOҍY' -{TӴ| dM2 ,{ٽ8GZtK>ޓ{]O}:`Vs85\pCj?ϖ1vM7 '$UoCO>~kCC^=jڇ-=~`[Z~{ZmO.nדQDsEw)%JGڱ^mxƱ/Zfk]^>k;+Zpv7imlQ7ֆd[bՖ=`ϷrW^ P0Wd .&/RܒXwL=fS Aч/T{O P03O+p $4&4HHt.I}Te@h.0p&5ӓ3}h^{=ēۻ{oc}ζVI u<{^(PFna2]c Rd1m2T4)$|P %{0bVR p_%JW(Tj|k 89 `If#K CXc ]}ySEl>#=TQJӔCʝ1 V'rr;C^Zmږ{}jUnѳUFdyjKmov'*.TW;k{r׭a.:o[fڰj_-YrȶEoC^̇*G-ؖAV?aъ,:g6eU>_1/?y%}K8d%i"d]T0B7@z=0&$11[ZaD{<$؅Tua-#սI;|=֓qĖ HaQZRZa0N#p_sċK$=#7"L<#QiGSB${NhH=L h|8"H}c 9X+fk$'ҍ=Ct[[rڧpAPA3٠9vV?|?:dK-wW: _޵zm׷6¿ mm[e+`¸yVsxk랸x}m+aԆHEoH[P[r{ť6Wxjg:ybAض#&KZpe b/ %'@H0 I1 巺mҷ.(wAM:Z!0=N2i6^~ݰf=s}KM44 }"?6*s]NK4%10 .7IYW̜f!$stLLh3z;7R=>۪A\$WP005m|u# '|7R!TiVkĬ#5Q?̥'\--m:r߭]RȈ;FTkm*co\A=Q*;J?uTx!!Ku_e~1޶*޾ |i}n[5H[qj,V>l/6s|tegH;^_#IOs$$c,iQdan 
?y]Hn' 0%P HbLhċ$>|*IRve:6^p{gcF:es <("s̞fTWR럆486)^A|I/7qry )ܓcZc\+aـ6=]'%bR#EÔ6\S9i X]ɟ׉*XDG{ o(R 0`|>Q'dU'̻[Zr9|آ~mW8Î* < _|8j6eʇ_a~m#Q[ 뾺IР~7.<\q]EK{i M0BgR?]ip|?]l>|?[[#M:%=z )I96`f>;71hJĠQ`BA,# @Nb=?8|?yu t̑Whێ?Vǽgs6+4߯vYyܜ6/6MJAR_P (D NA|%n@?Y bcjA&emƈc[a30w- /~ ?pJÁR~-~tfSgx6|5>q@j$?/tZ?f8R Ϻp`B}L1%1t ƣH vZPG`~y|(`vRni 0hwxp.%vZRa"q$ s ? 7h›&Ŵt`m쾻/ڸm*mݧ+{uYnŶU.׎;"Fd$ĘD 08 a~As+a`duOc@!@ 6ó7 s 8h~W+bҞt+zlkQlQkQcE֜嶛,R*|?Xn9?V qfICk`k$;F>>~kWGoRDhP$ BqNO6Lu "]G`rF&~}d?VR44> 89>#5=Q1*PHVN@q}!c'm$E{wvZ˵նwsm?j_mDՕ]V6ZM i]~XO).fD'h ߐn,t?IX#Ya.'0[%g @IE`pIL‘~YJ?Xo80D6pjh#&6|4s~/ޜWϻǗ H-.rm%1#f<^Ej,T#O?mℿC$$F M/y ̭n$ ;Bݲ+6@ ]?Lh nL? VcII?m>̎pSLHJNfk "(|s)F~b!b C*G'R0ZB⚕zx%7mUi{~zD;KUn-vh%&=6}b@{; =p;b| R! K.{z ,äКpD\<ǾP bHcsc6#Y1`V@@r4*=u,$:S7]J3G}m}ѕBY+' c @b|JBP ZFK$ [ I OJ3$% ;PӞOolpSpcj3cl'ޏ>e| 9&7-m7>`jͽ9O zœ:n2cvߦ'X-QRv;_ƶ?n]sK1O,Vi6vYmJm+E81SR]qOJۮ +vH*q_ @\7~=wi+[cXI1~Wd`Ħ X[ՠcz ~}%bj̍3>)IE4 \Civ"sN/.θZSlLFxοQ2H~Oғ`qX%ԇ1||B};tO9( DU?[a\ЬGw@:bp4NQmhm:>th<;-^h~X \>=Amm>6mնy<4mٺ=`ӜTxXk3M: t޶ɃEI} veMOaj "ѻu0`LA\UQI'̒SkK@@*4ܮo`P߁ǜj]fW@:(RAP$IHα&}M)v5)Z83 n4 >DqEH{/}H{LOd3@x &>I6q}=`$& tɹq朦 GcNҘB~QjMj]0w+VMkCqm܋hKv6kԶx.6gC^n1&}vٽ3;um[oYmXq_T;\4]t=xǶ~% @}*Ā.w RWIV   Qy1>cN-Ooj:jL$AHz "--e=Csr(s1mǵMߨ4d`[uڪx+c{z#Tj$mgmqxmj=S+,ن9ۈ{k\O,׶rh;u\zӆ;ip\;gض>8 UF=jMn'6n|϶n댻KWwm*Eځ zPe\;`=MDb']ɹ}T7^='7au#'"}0Gjw@4ddL.MD/v ?c)[{gz;L"@?E=;=[d@*?r*^I5Z@ 0vbնeՀrqmn~xmY{l>x}K߿tua_߲kYW^r>RIuVn6e6OUgVm?T>ݰ6v|vhybmh[Oֻ}JmOjWu9_M/WvwV9l˳/T=k[N;szO2QQGcg_ʇ/I3a|69)MZz߲Tז_ l;-!k2RyXld R=h@ 4: &5 F~>ώ?]HGبH\8/9;[xcb$z3oq!]N=4H~ŶFg6}|Ŷ'#͗k|/}nD;vwn}{vk>SۊU5W;s ^{T̿lڟ޽f|f[iݲlyҵ=uUvU;Lm{U۬XCQݩ ;uEfk5O\ 9j^3M}[Vov=a}6ia^B5%x\mBm|[ubW˂oK]j1ܑ!!(@Kn3ݮ92!Hy;m14O\bGG$~HHdanwlASSt<Ȟs4`wi7-̗}#'JҺ7i7F9B\wFR[7 hcZm{Wh[}tVinͶo;?`z@䟭m?r祑ض|`mcu>_ӯum.O m#XއԴl{T_|*:kk@[TeWi~|l;c\&|nv{6nZ#^U{W#̓fzźZOE߮+{vdZH7qǯ'wjm*J10'n˰vÃHLm` d80x? iDtMRO$~z;N){N]pF?PʎXmϯv}{꽥~?Wl]Qm܇_ܨwBmv}oچ.Ѷ;jܺ|;[e\;c%&7ֽ? 
9{acv{v7i;߿qoӿhU?s;67Q~ڧ-ol> ;~6_>_wjJ Qդ $wZTz?M[jy{KYϓ>ta5@7Dt] 3U9@H/a矘'흛3g˶LTA |vi4Iw<8dM{bۑ7-NmӶsH ϽP}>?=>v iRmc?v;[۶S[URmGlo#[oҮݧ۾նzgF7S]m)06(UaսvLȰyZ'.Z=F ;kr-6dH1m)Kf׭ڶ46jG|xӛ)7UY~Jc~`'=R"g?yϔ#rL'cQ8 ˗r0յʞɲ;?8{]} }`@k#aKk~#P^1ڎom.#ڝj}^^m|I,cۅ?>5&Um@z;u3C۵? mMsmYmu{mNyR,~h6`۱Ta5ޟ_^̿m|tmg6چ-vwǵmvwjWv9TzyuoB S̝R ӭOs6m)-ͧwS՚?ѿ xVl|h`˵?b1z0^]h>4mQ ek盽wS'ok=Xoonl"ܶm'W-[iۼsnJڸ-1DҶm!jF7i?5P oˏf֩>zcnkt^no_UlzBm K-3=E;אK՟'R&'RHy䀘 51t<\:-{lѶjg*6kѶp5:5֯mw4)X5ێVln_e]6zm5U.rmU A}~v7g[?ȶTl;mVic[mXy|vOj] ܵ;u! Wj+Tp;i&>%?ϾS:=|sb#0DGl<[ؘ} @BX_-ȶV |dB4yBIL_A8/^|pQy/g -JH ,aoRkuvb~LeaÇ#mjյD膥*6gXC,7vζU˴9mm\amyl6y{jm:=Ymp9$!,ݶ{6jrݿ\l䘶C˷N-ю6߾Z]ZڪjI %|Kmy˵ .X:cDP[^]l* Xa~_iÏXW0m5z井mX~oԶTjM)LWݛ9_{ecGT*pW|g}b&>t&=M&iGZGtQ +com:=/󇳏#МpN+ı7jmE+TkkTC^mVxm q^߶iP[p9Zn+fU>Ckг K=^ٶxߠ6^~rI|mKik5o˶ݪgsA\Rm}?AU) [D[?-iKV۪]NAm鿵wֽ ^v|m~*pas2F=eN,v}xLud nn6N;|ӾkHo뿥bwT 7 a&G데A4lf~{ᗗm]I5>Y;[p+Qۼ` -m7/X߫o?qWom ݷL;;ZrT߁m-tm5熳-[غm~~*ެ ;iѶ^^kbKUэ#>c;} RYGY8ƶ$ =+E\o>2~Sdxkfvz|0#@0Y ژ?CWa&^ m7rxcMXz'օěs3@ac>5y~3eb>{@ަHG1cH}<ˎb 4L ?5~Џ/BI:Yɸ߾Nbo8H|{,5/P-XnA˩tL?+Gaj5ۙ ~6ъl ^R܍!EڼPzIW 4b ոL(af<%]LSW-3]=U@3_$ A(;YOO_/ _'*Pv8;p`&f]3v'GZpr@%4o]=`&~ZW T_QY"MDRt\*łWaS}WboG7d]$5 ~ʚ4 li٭w.SN`ӵXd QIuc68&FCCo;j\ÄcT;r~ށZ=Ɵϣ+<{~g:V҂3o_C,g30t̲/'<}0!& A4(Dž\F, ƣJO*Ƃɧ3-^//" Y2wrP-APb N:bX*dp5Å "/Vw%P,xPt ^Kf UmL4A ]A_Tg/cW*j+^4R Q1 uxOu5jjz?gݮ8#À|2h@ypu0qz),X}_ywv3OtMHLšQc|^}cJ|v=;HiF++ģt"I G`_DY-rFqVc:y-'I+&ۯC_ESnqΎ@HE4|t+~y9ygJ8 &%=O`?O FwNEzi <R$!Q.!֟=K(݁똸[ ®5fiw832"kie±ۍ軧 HםP Cnvt︇E~+͑|uF0B}SWfK6q(3 ߳kщ4f֞]4zox1(a8'}U8*v$zY['8K@HBɖXzH =.nRʴrWTRzOF$%e<_\ D+|\#W A@ 0L55|)EKz5m2v&`!51ja1qǁ8hfw]O9oc=9<ϑtL3 GOM*8[~S4ZLs}=?_hB(8c8~ل| VdQkƩ2/PkqO2ybo2B?.!7/ @t{ y ~{`)6%XaV|2SFl5e̶s g:d@.K.K+(̀P5 2C= H|xߐ#ƞ0T j5@рr վ,EU/,= f;PH"9He|_uV2V/DOXb}8r 7f0G8;v% s,(aн@RN97ĝkB3pRG|Tဏ?8lFR/}i|DdE.<DuX@l'BY=rOui̗xc<?@d'Kɖf ApN+mZm`SgB/ J%@Nw1uݱB"E@.uIOGR\1FtA 9XN{[QFt+þ-­>–gs)$f+ Ѽ+}yh9Ǽ'&a#HW̳&2rp^N D86'-hg7"FQ+013@Lt=R6zI,Uک MA߹ + hL;Hzk3ف SSS$U2`F{ؾ`EO hdG{f 9o*{'K3qQGF nRh#~65$Q(P3?J:t)d Qv+ɜf&& wñ?.8$1Nvy~}$BzΖccL r"o p=3UT]䇰 
Cq6C<; Gw-Ol +$@x=\1}oK~ؙWq%*9V9yM!]O+ڗˇg U( y}gNNλP۪X$jU +H74!+S1`#ihE4w?`G嵑t{fQVNqS&laNJ$ !@WTbImX䯧j2I6 ŷS+]f,؂<={uqq%p] `@@hڙ\AoT4 L$~)!L*sN+hs5~W_ FOyPN vGЃ[-o 6*z{-=ߎdNԭڗ!rqv^$ !vγ9 `^ G'"!B 2QR3s\,u)TbǬ55‘2y([J!Yܙ4&禑vՊOViiERs,g2/6krbQlgO2D/xz ѭopR/P6bnA@7Xܭ7_. ­' P#L3@JhO-@#:QZ= *(XУM?V&P V24( #7a/N |xRSw?gyf nZԶ9G1|΁d`wg2,k>O:܋'oY;X ja/oH0&3h roX-l}+̺{k2|¡edQ'D,e. GA0RﶳI2sʰGw?~a\=>߼uㅾjT-V} ggg?Lo-P>@ L7,im(P2ѵ`@5s\Y,}8,TLa +Ϯ-l !Nzo%{:B֓nG٪Xݩ[Y'So(')[0|] ݨ۟X=mRV2kyqAvNjg~B e=43=k $Ӈ_$& f"l8h\7DpA85|=KeiyDwWo@ b@B}aC111{9i(O+PP(`}poU2@@E9ω#c/X;{RP͒Xu1`Ii;SJq2VgnU1dVs] 4t(]軣 |L,wVQ?ݜ%;n,BFG(bh!LC!']}, F!j0U:R9#?ccX\sC:;x9O?v˂l0jWg\.n+++܀b0TJ+G tԹ5 [> F#PAkP$ .##PX`ġ)0р2#`G|e#&8 ɳx,L"MμN̓c{b L:n&"N1|%'F&gpW+VJ/BLٙhH^,ߛyw57v[6-Aɂx$5B̡M'ნTYe2#Υ[*0"9& U>% )LЗ5Į LK;JWR:is.\ &Ĺ\ֈN&y4%QR:0\m\%ߧ*@a(0;zʺ~À|ܘ#eL!`OQ < RX3ÿ&1$L@ oD$;?Mj" CLT,.nlA>"~KILLv/T4ҠQ˘]OncʃZ?t+7qNv /d]DW?jJpw)ڌƫ&%%?ug\X3}$dܕP6Ylةe,_eWf_y\,/X>*/#U¶:8:7jϢZuagp & I jE[8rcG_c9OUxTi}%b/^t ,Ba!| J<Rc"s~TSxV 륺7 ՗*@yy\]) .Pa'0p-y#hb'w /3GпѢ1 ֒8 [K4eJ:Λ]ֻ8ڽWl{3ߑ0^/_"Y-a~պE"%\:3㦠 s -,6ÊmXr Sp͸vM1VK~qV+kEr)i+ab7GL)?i]bm[#}!F7y1LS^\}-2rۃa?{V_٠rg&=RL`0R^ _߯F %J _ F rEAAjrUfTA6p9 -nTy@H=fk.o Oa?O\7 i|A 7x*gDwݹh/w/ј_"g%>y&A*s@̈́ |{bcco:mz_.ճlujuStB?'y#)PXyKF\ C4wzYeYY7XG5T==UH%ս.7s6w}W@&o"ϡϣRr<;|^}wz#5m KfÎUtiJ )dLd2(mJm>mBm.K.}$i< =_KA7K3lzc 7AamtP&2`ͧMͨMi6 MK)JuYwy6y6S-t}Nmx]__O`Oce$*z:OOkN}US] SK *1yt]>]Yz߅>gtgp5k|;]O6cDXS666Y@̦ƀ:z=W6F=ڰ]Oag13鳌6P ݀ǜ2z]1Ny_;>,kzme fI?\K^w߁q|D\7m+m/z@e6. 
|dcWW/ $tR~J=_wv\ ,7GY+>]_;pdFn;;3wPP:IENDB`(      #   !%),28=@BGJJIE@@;60*'# ,;Op" wE4" ,b}d@) %.>O\r)))///222555AAAFFFKKKLLLJJJLLLLLLKKKHHHAAA<<<:::111,,,$$$|fYUZm Eg's.::2; |GJh+ S/ kUVu) "  h>) !-CZ%%%{888HHHgggxxx耀~~~|||yyywwwsssppplllhhhccc___\\\WWWRRROOOJJJDDD???999111***5 \&n1h-%?(Av0 b!@ _e L_(F]-r8^-b, J3F K I[FZ_C5T.&=Y 888\\\www}}}yyyuuuqqqkkkgggccc^^^ZZZVVVQQQLLLHHHCCC<<<312)"&H(Y#@H ^)g+ ;s0 ]"e(N Y&f0x>Y+W+^/s;&?X+Q d(i*s.b$_#x/EJ Y- I)!7a<< !?|'''@@@TTTbbbnnn{{{}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKFFF>8<#N0|3)L&I `*w5%C > j'.?m6j;g:+O.O=]u=;I0{=d/a/O$>p/r1 <);s, ]h'#; Xl( X p52 w"""888FFFQQQ\\\hhhuuu}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGG?;>*C1~6?]Vs@Z|8,G =t1 Ic9.UuD1Z-U0U)L6Oo4c.r8]*m1$A9u10@e$Ue$4p+%:d"8P*  E---888BBBJJJUUU___iiiuuu}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGA@A756#j5.K2Q&DWf%=8 {<l?!{JKmRm!tF|Hq=v=-L|=%E j-p1/H!:,@k(NO Z Su/+Dm) c!' 6J///666===DDDLLLTTT^^^iiittt}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGBBB<6:$P0!>? u.!F,P!@k!#;/O8_T3>>5.3 K,=><_Ll/O=~3 h&,K3Tv3 q/B0W)L"B=9-L}3 A<w.:Is)b cf$t/}45x.& E333333444888===DDDKKKSSS]]]hhhsss~~~}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGCCC>>>504%?+/49V+Q-IB\#<7: A$@~;1S%JA= {2 ~3&L s+!@1R*A$8 Wy+7m'!8k)n*y02- 555333444888===DDDKKKSSS]]]gggsss}}}}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGCCC>>>434Y+8=V5RHj7U1L!<+M'O&LHm`6W}5 :!N>BF$C3T%Dz+:q#!=0q)7g&5g&Hb# >% m555333444888===DDDKKKSSS]]]gggrrr|||}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGCCC???535'X23O8S'CPq.Q?Z3"A@e2Z9='N"KJI>hDn5]&FIiKj5v(4:.H!9t.[n*g)!q3)<~.1 9222333444888===DDDKKKSSS\\\gggrrr|||}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGCCC@@@958(>.7KdMi6$I=Zz/;)N8`)Q>0>.Q9-6,O7TCYt r&n" u*v,1K7z296'u7,?6L#6 ^" `---444444888===DDDKKKSSS\\\fffqqq|||}}}yyyuuuqqqlllhhhddd___[[[WWWSSSNNNKKKGGGCCC@@@<8;->0 64O"A 0"G9Yc0=6Z!HB<[;-2.1;L0OD]9M]h 3&F,My4k)#Dj+&g/Jt-;U(? ]+++444444888===CCCKKKSSS\\\fffppp|||~~~{{{vvvqqqmmmiiidddaaa^^^YYYVVVRRRPPPLLLIIIFFFBBB@@@=<=656*G15<?)J? 
_ b9,T1W7Y=^<- "-$>0KB G?f27Ok(s.u1m/*@6Hd` v+ d#***444444888===CCCKKKSSS\\\fffppp{{{wwwiiiZZZQQQIIIBBB:::777534082!j3&Y2)8-"D+y-u+O:)S-U+O:!=8V 3FC (&J*O3*K(E c u-6Fr,n+ c$e,'>=V>U2H2 N,,,P222555888===CCCKKKRRR\\\fffppp{{{lllXXXDDD9692+1.+.0(.,@1r4 r$5?9\3V B%F3_=DI,P ' /9T>Nz(d <1K W'o5 a&$x74F,C,G)C|1( K...!000444888===DDDKKKSSS\\\dddnnnzzzwwwqqqllliiiccc]]]___^^^\\\\\\[[[\\\[[[\\\]]]```bbbhhhrrr{{{qqq\\\GGG958635": H+N'K"F#DD?-I<\7`#Hz#E8^"6C[V>X7U7S1KY!t1":{2+C,Hj*" ***///444888>>>DDDKKKPPPYYYlllvvvnnnjjjiiiqqq{{{lllbbbXXXSSSIIIKKK~~~TTTSSScccpppsssqqqg^e<K>)N)L$GA?#F>`Hn3]$N63Y7[-XOEr1_Cc>_E<_Lo)R$J%L5aK*V(Oo3U h')=|5#@A`5R+I5fD\W[///V' ---v444888:::LLLsssnnnfffhhhhhhxxxlll\\\KKK878/-."f0:)F%J&O$K;@$Q"G,T0S=a!GAA3X1T51 8J`E[>[-M?\{2=hJxqvvvv```111 Y( ...H222555WWW~~~iiieeewwwtttjjjwww\Z\7H;M(W*=+M%K7X;`!NA1R5.R G+M$F9q/},)F*JJd:T><:s7dph|z|{{{yyy{{{=== \* //////TTTnnnaaaoooyyyuuuzzznnnUZV6B8+"$"*d8'A$<0X/W C>@C @,g:bygksHX$>#>R_^h/F32{Fr{t}}}{{{}}}pppCCCa+ :::zzziiibbbyyy|||wwwwvw{y{PMP:L>;WB9Y@d#NEB,GTiYVLSD?Ca]`M]rzuy}}}NNNe- "! IIIoooaaavvv}}}VVV6mB$F GA:1Igvj{}}}QQQzzzTSTb^aUUUk/ +> Vl T3# LLL~xxxeeeiiiuuu~~~|||&&&7?9NY0H*@Y|`|~~~TTTutt]]]^^^^^^$$$q3+Ab+ Z#q.S8' L./5>5*! 
WWWRlllccciiiuuu|||www...VTUzrxsrsy~ySSS}}}qqq]]]aaaddd###Ub8f)i/m4!?z8i(c T of1M8 v q L!fffYYYaaaiiiwww}}}ghhwww***PPPTTT~~~~~~|||vvvfffeee[UY@ k, B/N8T ?;Z&C&?7 M< e- =j, a$h$ V+ )FFFRRRgggwwwFJK222555+++000fff~~~SSS~~~~~~rrrlllRp[p7#J&Dt9)AA\WsQk:P,D 5p4$B{<)Ft0 g#4%9 @ DDDeeeyyyw|}mrsglnotu069__`||||||rrrjjjhhhdddccc```bbbmmm}}}mmm{{{}}}999GGGbbb^^^%%%<<zzzhhhTTTHHHFFFFFFRRRrrrzzz666DDD```ooo===\\\@@@RRR]]]|||MtY~6=>0G\z2:ZC`;T$8Zb2I=YXtXmy.5?U/A d@fff sss܁[[[VVVeee*,- )))5;>gggMMM<<<:::JJJooowww333DDDaaannn<<}}}___;;;---IIIuuu000CCCbbbooo<<<}}}bbbRRRuuu|..J7N<[;V0K```VVVXXX)))FFF}}}---DDDcccppp<<W 8p+ BBBPPP8:<&&&---222EFF4;>^^^tttFFF...ggg333FFFfffrrr<<^^^qqqbbb;;;@@@TTTiiittt;;;zzzlllwwwQ|[8N`DY?T2J95S;X(C8"=Zp%?2M0Kf&%@%A( RwwwBDE000;;;AAAEEEVVV4;>bbbooo\\\HHH>>>sss~~~uuuXe1=)FD_QhG`.N8T$A*B.F;T.I&CRm0L.K89GIJ;::EEEKKKLKKeff3:=___nnnlll///```ttt}}}T_,G/QCaq3O!@ >|3+B?VE\DY3N+LB_7Tp/&ORSAAAKKKNMNSRR4;=___qqqmmmDDDeeeBBB:::ZZZyyy\f">>Tcp7R972#E)K=]Vo9U)G)G'ET}\]]aaaz||6>@^^^pppkkkGGG```@@@MMM}}}@S5~-|32(=52M7U0LPa(D7;}1;st{{AGJuwx___rrrgggIIIxxxQQQIIIrrr~~~u~qyVm\$v: y&1;#>&='> ; n%z.60YjqqqiiieeeooolllbbbpppdddMMMhhhOOOeee{{{|w{{.I8W6%?B\&AKd?Uo*7%asssvvvzzzjjjZZZXXX]]]lll]]]sss``` OOOzzz```___~|~"86MRd;QAW!<$AB^/L9XoooJJJQQQtttnnnTTT888///JJJ___"""OOOOOOsssaaaooo 97"@3PSkH_>\-K9Ul*MgggCCCcccgggGGG444NNN}}}bbb,,,TTTxyyLLLuuurrriiiyyyEX+L0Rf|Uj%E>!> d$Q{{{FFFEEEnnnIII333YYY@@@ BBB???yyy|||{{{pppuuu:O%A]kOd)H7{/ /\UUUwwwzzz~~~|||wwwwwwvvv[[[;;;FFF:::+++222dddpuvwxxxxxz;4 z+HU6=& (=~~~}}}zzzwwwsssooolll```NNN]]]uuunnnOOO888OOO#$$!;>>eij}}}|||BS )(|||zzzyyysssooohhh^^^MMMUUUxxxtttJJJDDDlll%%% -01aegxxx~~~򧧧}}}|||wwwqqqggg]]]NNN]]]zzziiiLLL```zzz/0/,/0rrr{{{tttiii[[[LLL```}}}888899### 023xxx頠~~~pppwwwiii[[[KKK]]]@@@AAA,,,)))"""589 昘~~~wwwkkkhhh[[[eeepppuuukkk\\\KKK^^^}}}>>>KKK777333+++ :<= |||xxxuuujjjlllaaa``````xxxxxxlll[[[YYYjjj>>>RSS@@@<<<666+**?BCqqq tttْzzzsssZZZ^^^qqqvvv{{{jjjZZZIIIEEESSS{{{wwwQQQ444hhh??? 
fggHGGFFF@@@555EGHjjjВ```MMMggg~~~iiiDDD(((CCCtttfff$$$;;;wwwKKKnrrMLLNNNIII@??IKL~~~uvv rrrDDDZZZ~~~lllBBB&&&NNN\\\iiiZZZ===666fff```lllSSSLLLGGGNPQbaagjiUUUVVVlll{{{zzzaaaCCCUUUoooHHH,,,KKKyyy]]]:::|}}[[[psu999Y\\dijyyymmm{{{|||~~~}}}zzzxxxwwwaaaVVVpppfffrrraaaHHHaaaXXXXXX=@?FEE_cbtxw,./IMNv{|ooozzz}}}mmm{{{uuu}}}~~~zzzyyyvvvbbb[[[rrrccczzz\\\IIIxxxYXX-.-IHI_cbx|{ KOQ~~~ggg|||XYYxxx|||}}}yyy~~~yyyccc[[[ooobbbwwwbbbiii???`cb~034zzzfffwwwv||lqsgkmosu17:rrs|||tttjjjjjjdddbbb[[[ddd}}}yyy~~~{{{dddYYYqqq___zzz|||hhh\[\\_^$$$''' 7:;}}}mmm~wwwsssHLN)+-%%&3:=z{{zzzpppaaaPPPVVVUUU^^^nnn~~~xxxwww\\\SSSsssbbb{{{|||hhhxxxZZZ[^^0//111+++<>?{{{```zyyyqqqbbbiii*,- )))3:=xwxvvvqqq___PPP@@@GGGTTTvvvRRRJJJiiibbbvvv~~~zzz[ZZ[_^:::<<<555)))@CE}}}yyyv___DDDfff~~~/23 3334;>zz{}}}yyytttyyynnnMMM999222JJJyyyZZZ??@[[[vvv\\\rrr]\\W[ZDDDFFF@@@555EHI|||hhhzAAAKKK}}}367$$$'''<==4;>wxx{{{rrrlllsssuuuSSSnnnzzzAAA333///===^^^vvvKKKdddqqq!##^_^LLLJJJ@@?KMNmmmMMMlZZZ{{{8:<&&&---222EFF4:=yyzzzzvvvnnniiilllsssMMMllluuubbb///XXY;;;TTTjnm^^^LLLGGFPRSuuuWWWWfffwww=@A%%%111888;;;NOO4:=yzz|||sssllljjjgggiiipppHHHeeesssrrr&&&-..YZZrrr{{{adchiiswwVVVJddduuuBDE000;;;AAAEEEVVV4:=}}}{{{sssiiidddcccbbbpppHHHdddsssooo""" ===]^^vvv}}}!!!$&%osrVVV;dddvvvGIJ;::EEEKKKLKKeff4:=xxxnnnhhhcccbbbeeepppFFFccctttnnn %%%BCCcccvuvmmm===***XXX+eeeuuuORSAAAKKKNMNSRR'-0yzz~~~{{{tttfff```eeeoooEEEccctttmmm  `bbwyy```~~~XXXvvv\\\eeewww\^]aaa{||2:=GKNvvvllldddccccccaaa[[[]]]hhhttt|||FFFcccsssmmm  illkmn555999___}}}[[[fffxxxsssxxxovw(/3BHJvvvqqqbbbNNN???666:::BBBVVVsssKKKdddqqqhhh  iklkmm%&&999SSSjkk{||mmmqqq엗cccGGGLLLlll{DJL;BE=BEQVXxxx|||rrriii___TTTHHH888+++%%%:::ssskkk    iklkmm !!! 
"""+++AAAXXXppp{{{[[[;;;NNN}}}pppuuunnnhhhfffhhhmmmooogggWWW:::!!!>>>ddd"""222444(((  iklkmm """$$$%%%''''''***333GGH^^^uuussszzzfffJJJ000uuummm}}}tttlllffffffhhhlllrrrwww||||||iii:::### +++BBBJJJ<<>>AAABAABBBFFFOOO\\\kkkzzzvvv[[[{{{|||WWWpppnnniiiggghhhlllrrryyysss>>>,,,&&& """(((222GHH\^^ruuvxxaabhhhwwwkkkHHH---""")))---///000+++vxyxzz211;;;>>>AAACCCEEEGGGGGGHHHMMMVVVddedeexyy]]]zzz{{{vvvuuusssoooooopppoooooonnnnnngggHHHbbb```___^^^aaaffflllttt{{{QQQPPSeKLLgjj}xz{accMMM9::111***&%%&&&222MNNooo{{{qrrQQQ666''')))...+++vxyxzz211;;;>>>AAACCCEEEGGGIIIKKKMMMMMMIHHcccuuu\\\tttpppnnnuuunnnkkkjjjddddddaaa^^^\\\YYYVVVVVVWWWVVVUUUUUUVVVRRR777gggOOOPPPPPPQQQTTTYYYaaaiiipppwww||| @z}}PPP<<=333,++...111333444555666666555222///999QRRpppwwwZZZ===&&&qsuwyy100;;;>>>AAACCCEEEGGGIIIKKKMMMOOOKJJNNNXXXabbkklwwwXXXiii{{{wwwuuutttuuuvvvuuuooooootttttttttsssrrrooollliiieeeaaa\\\WWWSSSNNNIIIFFFCCC???222DDD===>>>@@@AAAFFFKKKPPPXXX```hhhooovvv{{{~~~|||\\\ ```BTTTNOOCCC@@@===?????????????????????>>>;;;777>==RRRmmm~~~qqq}0//444;;;@@@CCCEEEGGGIIIKKKMMMOOOKJJQPPXXXXXXZZZ]]]eefooozzzzOOO[[[uuussskkkiiilllttt|||zzzvvvqqqlllhhhbbb\\\WWWRRRLLLGGGCCC;;;888333111000222666???EEENNNUUU\\\dddmmmrrrvvvmmmmmm1WYYxVXXMNNJJJGGFGGGEEEDDDCCCGFGKKKNNOWXXcddmoo~~~jjjOOO???<<>>;;;888666333333333333333333111...111===FFFssss pppOkmmklleeeccccccddddddeeeeeeeeeeeedddccc```aaannn~~~_^^MLLWWWZZZ[[[]]]^^^___aaabbbcccdddbbb***m666GGGVVVaaammmyyy~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666444333333333333333333444555:::===DDDqq ;z||vwwooonnnlllmmmmmmmmmllllllkkkjjjiiijjjkkk{||jjj\\\TTTWWW\\\^^^___aaabbbcccdddbbb 
(((555@@@JJJUUUaaammmyyy~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333333444888BBBKKKOOOOOO0*u~~xxxwwwvvvxxx}~~sssbbbYYY[[[```bbbcccdddbbb)))222999@@@IIIUUUaaammmyyy~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333333444999CCCQQQ\\\ZZZRRR(gܤ~~~{{{{{z{{{yyyhhh^^^___bbbbbb'''h111444888@@@IIITTT```mmmyyy񰰰ﶶ跷ߥ~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333333444:::EEESSS```fff\\\UUU V⃃lllbbb---...333444888@@@IIISSS___lllzzz~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333333444;;;HHHVVVaaahhhfffTTTW HՋ)))V222333444888???HHHSSS___jjjino~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333333;;;===EEEXXXcccggghhhZZZ3zƒ𒒒㕗 ---333333444888???HHHSSS___jjj4;>DKMptu~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333,,,llliii[[[aaahhhhhhaaaUUU %q옚Қ~jA ///333333333888???HHHRRR^^^iii:AC?FH:BDGNPptu~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333,,,lllwwwggggggaaabbb ///333333333888???HHHRRR^^^iii9@BAHJAHJ?FH7?Afjk~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333---eeelll^^^bbb ///333333333888???GGGQQQ]]]hhh8?AAHJAHJAHJ>>;;;888666333333333333333333///___}}}mmmYYYOOOiii^^^[[[///333333333888???GGGQQQ\\\fff8?AAHJAHJAHJ>EGZ^_}}}}}}}}}{{{~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333333777000 \\\```UUU///333333333888???GGGQQQ\\\fff8?AAHJAHJAHJ>EGTYZrrrpppppppppnnn~~~~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333444999  ddd\\\NNN ///333333333888???GGGPPP[[[eee8?AAHJAHJAHJ?GIOSUeddccccccccc```yyy~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333444999(((!!!nnnYYYUUU ///333333333888???GGGPPP[[[fff8?AAHJAHJAHJ@GIJOPYXXWWWWWWWWWTTTttt~~~yyyuuupppkkkgggbbb\\\XXXSSSOOOJJJFFFBBB>>>;;;888666333333333333333444:::... 
""""""000TTTUUU ///333333444888???GGGQQQ]]]hhh8?AAHJAHJAHJ@HJFJKMMMMMMMMMMMMHHHkkk~~~zzzuuuqqqlllgggbbbZZZRRROOOJJJGGGDDDBBB???<<<:::888666333333333333333444;;;444+++,,,,,,)))>>>PPPUUU ///333333444888@@@HHHTTTaaammm8?AAHJAHJAHJAHJCGHBBBAAABBBBBBDDDsss\\\LLLAAA555,,,...///111222333333555;;;<<<777888888555MMMKKKUUU ///333333333888@@@IIIWWWgggsss7>@AHJAHJAHJCJM045222+++999mmmIII777///+++///555<<A;BDAHJAHJELN!%&444###444EEEllloooKKK777555HHHQQQPPPPPPMMMeeeDDD??? ///333333333777999DDDlllZ`b7>@>EGDLN&*+?>>$$$666FFFRRRdddZZZ[[[[[[[[[XXXppp>>>??? ///333333///111bbbFLN;CE)-.LLL$$$666GGGVVV```cccnnnggggggggggggddd|||;;;??? ///333+++DDDqxy/34ZYY$$$666GGGVVVaaafffbbb\\\```SSSEEEAAAAAAIII;;;GGGPPP```݈{{{zzzxxxrrrooorrrrrrrrrrrrppp999??? ///,,,]]]VWWccc$$$666GGGVVVaaafffddd\\\PPPBBB333$$$'''EEEjjj "Z~~~qqqMMMMMM}}}||||||}}}}}}||||||{{{xxx222??? '''```\\\888ttt$$$666GGGVVVaaafffddd]]]RRREEE666(((,,,UUU***...///+++... mmmuuuL<<< MMMFFF*** LLLuhhhDDD@@@???$$$666GGGVVVaaafffddd]]]RRREEE666'''...iii999>>>>>>>>>::: UUUKKKbbb jlllMMMRRRSSSMMM$$$666GGGVVVaaafffddd]]]RRREEE666'''111IIINNNNNNMMMNNN  ```{{{jjjbbbYYYRRRMMM۲ ~uuu___^^^______YYY$$$666GGGVVVaaafffddd]]]RRREEE666&&&444XXX^^^^^^^^^bbb  kkkddd\\\WWWTTTTTTVVVVVVVVVVVVVVVTTTVVVUUU Pݐuyyynnnkkkhhhhhhkkkkkkkkkkkkeee$$$666GGGVVVaaafffddd]]]RRREEE666&&&555hhhnnnnnnnnnuuu  QQQpppWWWYYYXXXWWWVVVUUUTTTSSSRRRQQQQQQMMMUUU[( sssuuuvvvvvvvvvvvvvvvvvvuuuooo$$$666GGGVVVaaafffddd]]]RRREEE666&&&555zzz~~~~~~}}}uuu ===cccsssWWWUUUTTTSSSSSSRRRPPPPPPOOONNNMMMKKKMMM;|||{{{))) ,,,AAASSS___dddccc\\\QQQDDD555$$$222鉉 wwweeePPPQQQQQQPPPOOONNNMMMLLLLLLKKKKKKIIIKKKNsssjjjmmmmmmfff]]]RRRCCC222%%%...霜 UUUKKK3NNNNNNMMMMMMLLLLLLJJJJJJIIIHHHIIIGGGJJJ)pppgggooo鰰 KKK^IIIJJJIIIHHHHHHHHHHHHHHHGGG@bߊyyyooogggbbbbbbcccccccccaaa^^^ZZZVVVYYY^^^aaaeeeiiijjjtttxxxxxxuuu|||鰰 DDDGGGGGGGGGGGGGGGrFFF$jjj eee:eeeqcccbbbaaaaaa```___^^^]]]\\\[[[ZZZYYYWWWUUUTTTRRRQQQOOOMMMLLLLLLIIIIIIsss JJJ0HHH#fff \\\,^^^Q[[[uYYYWWWXXXVVVUUUTTTSSSSSSRRRQQQPPPPPPOOOMMMMMMLLLLLLJJJCCCIIIzzzLLL 
PPPRRR(PPPDB=94-**2CQK5    #/AZ///qGGG:::CCC>>>QQQNNNHHHIIIAAA;;;888000""" KH.?9LEF1 R# N4 3 0 I" &? \,,,TTTvvvՈ掎~~~yyywwwsssmmmggg```YYYRRRKKKCCC;;;,,,5 [(m3t4o. W N]+]/c3^,P TZ Y SKy-  #J666UUUlllyyyrrrkkkccc\\\TTTMMMCCC111=#r5i2o1~9j*]-r>!yC'{B#q;]/V'h+n-m+h(`"K _# - t(((===OOOccczzz}}}vvvnnnfff___WWWPPPGGG888L(*H$E;9g0sD,R)O.J'{?f1g. }8!{3g%k)t.i'?D|***666FFFXXXkkk}}}vvvnnnfff___WWWPPPIII<<<(5+7<=*Ex3$J8[8Y:W/L =~:#> 5j&g$~4x0b"h 5)))000<<>>---Y),O/R*H:?2OBZE_1N"?">">3z/l&z2z2 [ m$C...444>>>KKKZZZkkk}}}vvvnnnfff___WWWPPPIII>>>.0/S&*H5T4R6#EB(M!HBA#G+J%:u)y.z2~7 R- : ///555>>>JJJYYYjjj~~~}}}vvvnnnfff___WWWPPPIII@@@454X*/K4T+G ;%K1X*OH$M*P0R4T17!<y2w1Z#e( Y$...555>>>JJJYYYjjj}}}}}}vvvnnnfff___WWWPPPIIIBBB999*=.:$E<5 B$J D>7%A>V>>JJJYYYiii|||xxxhhhaaaSSS???:::666"_1#N.a-x19+P)I ?;>&G)K:i'(Ax4h*"m3#:x1XB+++c333>>>JJJYYYiiizzzvvvrrrdddbbbcccdddnnniiifffnnnggg___WWWCCC555,Q5?+O%G#G&K"F!C+K&@t0*Dq8e(#r6'Am-0----333>>>III\\\zzzzzzhhh]]]ccczzzxxxlll```@@@>>>HHHMPM=(K(L-Q/T,R*N,Q'MB!x<p0m/(@)F'k>qMtttgggPPPV0444ccc^^^WWWhhhBNE<%(<&>%K$I"G7CfK>qK":DT5I>zO{||||uuuPPP]1  QQQ```bbbbbb .l<A=7GhhhSSScccuyv[[[e93DV dZ9*)'JJJVVVrrr!!!???]ekzn{{{}}}jjjyyyjjj{{{[[[ Ah-q1 Y( m) h@??? 
GGGrrriiideejkk(((AAAlll~~~{{{yyyqqq|||]`^Y*|<'E-J*Bt+ \$z6w3h%K KKKtttmmm~~~kkkxxxyyy:::^^^GGGXXXmmm}}}OgV@-K/MAX3I3p,,I3O-C|.Y}}}jjj.// ,,,oooVVV```888cccZZZqqq```___ptq4%B)E6R5N&>u-6RKa3$<{1L xxxlll333###---ZZZ\\\kkk666eee[[[ooo)t<$@3M6P1L'Ax0+G;X1K#>k(eeeCCC333###...kkkyyySSS;;;jjj[[[~~~p{r'@;T8Q2M(D59S4P,F&A b 稨QQQCCC444///lllxxx&&&kkkjjj,B9S5v/((( JJJwww~~~iiippp;;;yyyssssss'=7Q;T3M,It-yyyiiipppJJJbbbkkk???tttllluuuAQ1L>X7S'E i&eee~~~lllOOO\\\&&&MMMO_*F&Cv, g%/xxxrrrhhhPPP```eeeXXXwww-..moo~{+|||vvvhhhSSSgggkkk^^^((( }}}kkkRRRlll 888+++|||yyy{{{mmmTTTlllGGG;;;...ooouuuqqqyyyxxxjjjUUUoooyyyGGGgggZZZJJJ???uuu^^^bbbBBB^^^TTTQQQyyy&&&NPPZ[[UVV^^^aaaccc___hii~~~{{{pppWWW{{{nnnssshhhmmm788-..nqpbbbtxxx{{{www___rrrxxx{{{YYY$$$((( ___c.// &&&zzzhhhqqq~~~yyyaaattt|||888+++^^^Qwww333###)))ssslllYYYXXXwwwVVVxxxrrrGGG;;;...oooPUUUiiiCCC333###(((|||qqqrrr]]]XXXEEE===HHH{{{]]]ZZZJJJ???WWW kkkQQQCCC444+++rrrjjjlll\\\kkk 567]]]888NPPZ[[UVVHHHmmm_``QQQbdd...|||kkkdddhhhYYYppp HHIhii{{{788mmm"##CCCyyydddiiiWWWooo Y[[SSSVVV&&&nnn))) MMM}}}sssYYYLLL___kkkXXXnnn 445566UVVstt\\\```oooggg___XXX===BBBlll444+++ 445"""&&&)))BBB^^_xxxZZZvvvyyykkkhhhmmmuuu{{{hhhIII 333MMNCCC)))445"""&&&)))---111QRSllmrrrxxxmmmmmmsss}}}ddd<<>>888444222111000???QQQ;|ttugggggggggggggggggglllvvvUUUXXX[[[^^^```bbbdddfff(((K666III```vvv~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333333666FFFNNNX(yyyyyyfff^^^```bbbdddfff'''-000999KKK```uuuᛛٗŚ~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333333:::OOO___QQQ5 N􏐐nnndddfff,,,333999JJJ___}}}ⴴ뿿~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333333;;;SSSeee^^^nǔjjj---333999HHH]]]LRSquv~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333222___fffcccH蚛隚Λh?333333999HHH\\\HNPAHJFMO~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333222}}}aaa444333999GGG[[[HNPAHJAHJ|}}~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333333:::%%%ppp 
222333888FFFZZZHNPAHJAHJfffhhhhhhiii~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333555rrr...333888FFF[[[HNPAHJAHJQQRRRRRRRTTT~~~vvvmmmeee\\\TTTKKKDDD>>>888444333333777///------}}}...333999JJJbbbJPRAHJAHJBCC333888___III333333444:::BBBBBBBBB...333:::OOOrrr^bdAHJAHJ888999ccceeeBBBVVVWWWWWW...222EEEDKMJJJ888WWWfffuuuyyyyyyzzzjjjllllll000𗗗oop888WWWfff^^^FFF,,,))) B}}}xzzztttQQQyyy~~~~~~~~~~~~~~~|||ᣣWWWvvv888WWWfff^^^FFF,,,===))))))󎎎훛\\\WWW888WWWfff^^^FFF,,,NNNGGGGGG􏏏sssWWWfff󑑑vvvnnnlllllllll888WWWfff^^^FFF,,,^^^ffffffBBB]]]WWWUUUSSSQQQPPPNNN ~~~~~~~~~~~~~~~888WWWfff^^^FFF,,,ddd]]]bbbQQQPPPNNNMMMKKKIIIGGG'򭭭󓓓}}}iiiUUUrrrUUU LLLKKKJJJIIIHHHGGG??? tttjjjgggeeecccaaa^^^\\\pppxxxwwwuuuHHH?GGGHHHTUUUUUU]]]9[[[oYYYWWWWWWUUURRRQQQPPPNNNMMMVVVꔔ `??????a?(0` %#C _%%%t***222333000))) ~lZ m >3 < 713\ira>###III|||뙙xxxkkk___SRSDAC&@.a-r3y2 Po7#y=f2 Nf'i'`!" 4EEEmmmtttiii]]]RRRGAE&`7,Nv1o1(N5Z/Jm4l0 z5g%v.l)c'''@@@RRRlllttthhh]]]RRRHDG5E9>)K!="E2MLb <<{3q)m(z0,666===PPPjjjttthhh]]]RRRHFG697$<8X+G C(KHD"E&Bx+v-r,G +444===PPPiii{{{ooodddYYYNNNECD676,B.Q%B'K&L?%DA]*E1"?t1"~6a&333===OOOfffyyyfffWWWJFI1X:$e5j*;/T"@8"B"@y19q1,Cw/000;;;NNNuuu~~~uuuzzzrnqQFN=OA#G&K+N6\A,M$A!r9q0-H_,---JJJuuuiii]Y\.n<#C1U)O.R#K$H42K!ALuX]V\***y333gsssuuuxtwGPI&P0.QB>PTaWWdyfnkkk---| HHH1iiiyyy.)-S^ep|~{vy|}w{vvv303xH8a+ G[ kTVVV@@@`Y^||||||3oI;7T>>bbb=Q;U8S#?Y#> 'eggnrsAAAkkk}}}J]'?84P,Ih+"zzzLLLdk'B6O*FM!wwwiii^^^bbbGGGoqqM`>Z.M 8g󓓓qqqRRROOOwwwxyxW[[^bb?~N$혘xxxZZZqqqdee@BAY]] 葑ZZZsss[\\XYY$##[^_ vvvvvvkkk___NNN\\\^__illGGGhkkfffhhh٣sssVVV{{{npo]__ehg`ccqqqgggegg%''rrrfjjACCx|}uuufffeeeqqq^^^qss@@@344\\\{{{adeOPQz}~~~~pppiiiggg///555__`oqqbccSTT\\\knn...dffz~sssdddhhh444!!!III{{{oqpadcbbbXZ[lqrtttpppkkkddd222`bbDDD|||jjjqqqwww___YYYNNN```222  
XZZ$$$<<>>CCCFFFhiidddeeeeee?LLLlll}}}rrrfffXXXJJJ???666000666DDDYYYmmm1___^^^A```mppkllsttsttjjj___\\\MLLghh___VVV\\\aaa\\\???666PPPwwwsssgggZZZMMMBBB999444222///777KKKUvvv6uwwulllgggiiippp}}}tuu^^^]]]^^^\\\***<<EGSUUVVU}}}wwwjjj[[[KKK<<<222,,,111444!!!QQQ222888RRRLSU>>WWWqqq^^^KFJ2P8'D =)N;.L:6{5g))))J999[[[tttdddFKG(p:%L(L%I$Dy7#=q1 ''' NNNzzz~x|S^U(=+L$L+J1G;SP{\\W[$$$a ???aaaֆpem4O:Pbmrnsut}}lll.,.h QE )u Q 8\\\^cffKGJzrx~'zC0O*C$?'?( _vvv6;=>.00nnnjjjSSSJ]-I.H0I6Q A1\^^QSS|||EEE9S(D5O1N G&}}}|||bbb9M.J(A eeePPPbbbvxx@Vb)[[[xxxFHH8::ooo~~~ꤤvvvttt^^^KLL677bbb ppp䞞qqqWWWxxxijjfiitwwfffyyy֚ruuyyyrrrvvvkkkpqq UUUdddӔ:<<,..bbbZZZEEEPQQ~~JKKnnnǮ^``RUUgggooo??????}}}jjjnnn\\\```999 244'''OOOmmmssssss@@@///DEEPQQ(((9::PPPaaa}}}yyykkkbbbXXXUUUgggprregggefhZZZTTTPPPLLLWXXNNN:::EDDhiiyyyWWWiiiyyyfffRRR@@@555555FFFa^^Y___ ```cee\]]]]]___`_____mnnUUUZZZZZZ$$$T@@@sss|||iiiVVVDDD777111000KKKVVVDxxxmmmmijjbbb^^^iijqqqpppZZZUUU000EEEopp~{{{iiiVVVDDD777///QQQnnnZZZ Riiibbdcccyyyo333000CCCpqqBJLehhyyyeeeRRR@@@555111@@@EEEZZZ333111???pqqFMPBDE]\\qqqYYY@@@222++++++ZZZ333---dccsxy.11/..yyy\\\bbbZZZ???]]]KKK(((^^^LLL777ZZZyyy;ZZZkkkZZZrrraaaZZZrrrccc...cccBBBUUUZZZZZZXXXgggYYY[[[bNlllzzziiiuuu[[[XXXEEEGGG`UUUmmmZZZYYYYYYYYYXXXVVVoooWx(0 ` =S9k2_4/ @?P<7B4 F$pEb6p5z4p.K`OxxxpppdddWWWJJJ>>>C%.~Oa6 w:|6s,7f YS)MA!A*E69cCvvvdddQQQAAA!I+1YC)H,G4<f f#9%K)R.P5Q{7vvvdddQQQAAA+G2.X*R1S7Qt462$G%E/PDqPvvvdddQQQAAA:>;,C%E)H-ONat'S$:JdP{{{yyyiii___TTTHHH===???TTT)M1~* eiii匌nnn͎(.1rrrʍ'.1}}}pppsssttt28:}}}~~~~~~tttvvvuuuowwwfZ(.1wwwTU'.1yyyxxxwwwM028:0 kkktttkkkbbb )))333VVVuuuyyyooo^^^JJJ888+++))))))&&&333@@@kkkvvv]]]FFF666333333111333@@@kkkfffvvv]]]"""333333111333@@@kkkfffvvv]]]"""333333111333@@@kkkfffooo^^^JJJ"""333333111?????(  @E F=A5 +<3F D G6Ub+P;@*`6iiiVVVAAA...\.J$C;:S f&'LC/Ma|hvvvYYY???+Y6,TDq13i&5"z7HiQVZWPPPMMMAAA...697.W8x' 
[(.1.46iiibbbmmmooo)/2nnniii,24111TTTvvvQQQ666333111111TTTvvvQQQ666333111111RRRfffvvvOOO"""333111111RRRfffvvvOOO"""333111fwbuilder-5.3.7/src/gui/fwbuilder-windows.rc000066400000000000000000000001141303637203600210640ustar00rootroot00000000000000IDI_ICON1 ICON DISCARDABLE "fwbuilder-windows-app.ico" fwbuilder-5.3.7/src/gui/gui.pro000066400000000000000000000043551303637203600164040ustar00rootroot00000000000000# -*- mode: makefile; tab-width: 4; -*- # $Id$ TEMPLATE = app LANGUAGE = C++ QT += network greaterThan(QT_MAJOR_VERSION, 4): QT += widgets printsupport TARGET = fwbuilder include(../../qmake.inc) exists(qmake.inc):include( qmake.inc) SOURCES += main.cpp # Arrange static libraries before dynamic ones in the linker command # line. libgui goes first IMPORT_LIB = ../import/$$BINARY_SUBDIR/libimport.a FWBPARSER_LIB = ../parsers/$$BINARY_SUBDIR/libfwbparser.a # FWTRANSFER_LIB = ../fwtransfer/$$BINARY_SUBDIR/libfwtransfer.a INCLUDEPATH += $$ANTLR_INCLUDEPATH DEFINES += $$ANTLR_DEFINES STATIC_LIBS += ../libgui/$$BINARY_SUBDIR/libgui.a \ $$IMPORT_LIB $$FWBPARSER_LIB $$ANTLR_LIBS # fwtransfer lib. 
Add this before adding -lQtDBus to LIBS below # STATIC_LIBS += $$FWTRANSFER_LIB # contains( HAVE_QTDBUS, 1 ):unix { # !macx:QT += network \ # dbus # macx:STATIC_LIBS += -framework \ # QtDBus # } # !macx:STATIC_LIBS += -lQtDBus # workaround for QT += dbus not working with Qt < 4.4.0 INCLUDEPATH += \ ../libgui \ ../compiler_lib \ ../libfwbuilder/src win32:INCLUDEPATH += ../libgui/ui !win32:INCLUDEPATH += ../libgui/.ui DEPENDPATH += \ ../libgui \ ../compiler_lib \ ../libfwbuilder/src OTHER_LIBS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../iptlib/$$BINARY_SUBDIR/libiptlib.a \ ../pflib/$$BINARY_SUBDIR/libfwbpf.a \ ../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \ ../juniper_lib/$$BINARY_SUBDIR/libfwbjuniper.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a STATIC_LIBS += $$OTHER_LIBS PRE_TARGETDEPS = $$STATIC_LIBS macx:STATIC_LIBS += -framework Carbon STATIC_LIBS += $$LIBS_FWCOMPILER LIBS = $$STATIC_LIBS $$LIBS win32 { RC_FILE = fwbuilder-windows.rc win_ico.files = fwbuilder-windows.ico win_ico.path = $$PREFIX INSTALLS += win_ico } macx { QMAKE_INFO_PLIST = FwbuilderInfo.plist ICON = fwbuilder-macosx.icns SOURCES += main_mac.cpp } # TRANSLATIONS = fwbuilder_ru.ts fwbuilder_ja.ts fwbuilder_en.ts # ja.path = $$PKGLOCALEDIR # ja.files = fwbuilder_ja.qm # ru.path = $$PKGLOCALEDIR # ru.files = fwbuilder_ru.qm # INSTALLS += ja ru fwbuilder-5.3.7/src/gui/main.cpp000066400000000000000000000157261303637203600165320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "global.h" #include "VERSION.h" #include "../common/commoninit.h" #ifdef HAVE_GETOPT_H # include #else # ifdef _WIN32 # include # else # include # endif #endif #include #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) # include #else # include #endif #include #include #include #include #include #include #include #include #include "FWBApplication.h" #include "FWBSettings.h" #include "RCS.h" #include "FWWindow.h" #include "FWObjectClipboard.h" #include "FWBTree.h" #include "platforms.h" #include "ObjectEditor.h" #include "findDialog.h" #include "ProjectPanel.h" #include "RCS.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Tools.h" #include "fwbuilder/dns.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Constants.h" #if defined(Q_WS_MAC) extern void connectOdocHandler(); #endif #ifndef INIT2 #define INIT2 #endif extern void extras(); extern void ssh_wrapper(int argc, char *argv[]); using namespace libfwbuilder; using namespace std; static QString filename; static QString print_output_file_name; bool auto_load_from_rcs_head_revision = false; FWBApplication *app = NULL; FWWindow *mw = NULL; FWBSettings *st = NULL; int fwbdebug = 0; bool safemode = false; bool cli_print = false; QString cli_print_fwname = ""; int sig = FWB_SIG; void usage() { cerr << "Usage: fwbuilder [-hv] [-P object_name] [-o file_name] [-r] [ [-f] filename]\n"; cerr << endl; } int main( int argc, char *argv[] ) { cout << "Firewall Builder GUI " VERSION << endl << flush; filename = ""; print_output_file_name = ""; 
fwbdebug = 0; safemode = false; bool force_first_time_run_flag = false; ssh_wrapper(argc, argv); //QApplication::setDesktopSettingsAware(desktopaware); Q_INIT_RESOURCE(MainRes); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QApplication::setGraphicsSystem("native"); #endif app = new FWBApplication( argc, argv ); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); // can not use "-p" for command line printing because // Mac OS X supplies switch "-psnXXXXX" when program is // started via Finder. int c; while ((c = getopt (argc , argv , "1hvf:o:P:dxgr")) != EOF ) switch (c) { case 'h': usage(); exit(0); case 'f': filename = optarg; break; case 'o': print_output_file_name=optarg; break; case 'r': auto_load_from_rcs_head_revision = true; break; case 'd': fwbdebug++; break; case 'v': cout << VERSION << endl; exit(0); case 'P': cli_print = true ; cli_print_fwname = optarg; break; case '1': force_first_time_run_flag = true; break; } if ( (argc-1)==optind) filename = strdup( argv[optind++] ); if (fwbdebug) qDebug("Initializing ..."); /* need to initialize in order to be able to use FWBSettings */ init(argv); init_platforms(); RCS::init(); if (fwbdebug) qDebug("Reading settings ..."); st = new FWBSettings(); st->init(force_first_time_run_flag); FWObject::setDataDir(st->getDataDir().toUtf8().constData()); if (fwbdebug) qDebug("done"); QPixmapCache::setCacheLimit(4096); // INIT2; string full_res_path = Constants::getResourcesFilePath(); if (fwbdebug) { qDebug("reading resources from '%s' ...", full_res_path.c_str()); } QFileInfo fi(full_res_path.c_str()); if (!fi.exists()) { qDebug() << QString("Resource file %1 does not exist").arg(fi.filePath()); exit(1); } Resources res(full_res_path); if (fwbdebug) qDebug("done"); vector platforms = Resources::getListOfPlatforms(); if (platforms.empty() || ( platforms.size()==1 && platforms.front()=="unknown" )) { qDebug("Failed to load list of supported platforms"); exit(1); } if 
(cli_print) { if (fwbdebug) qDebug("Print from command line"); FWWindow::printFirewallFromFile(filename, cli_print_fwname, print_output_file_name); return 0; } if (fwbdebug) qDebug("creating widgets ..."); //new FWObjectDatabase(); new FWObjectClipboard(); if (fwbdebug) qDebug("loading translation for the current locale ..."); QString local = QLocale::system().name();//"en_US";// QTranslator translator(0); translator.load(QLatin1String("fwbuilder_") + QString(local), Constants::getLocaleDirectory().c_str()); app->installTranslator (&translator); QString qt_resource_dir = QLibraryInfo::location(QLibraryInfo::TranslationsPath); QTranslator qt_translator(0); qt_translator.load(QLatin1String("qt_") + QLocale::system().name(), qt_resource_dir); app->installTranslator (&qt_translator); mw = new FWWindow(); //mw->setSafeMode(safemode); if (filename != "") mw->registerAutoOpenDocFile(filename, auto_load_from_rcs_head_revision); mw->show(); // it is connected to QApplication's slot, not to FWBApplication app->setQuitOnLastWindowClosed(false); // connecting to right slot app->connect(app, SIGNAL(lastWindowClosed()), app, SLOT(quit())); #if defined(Q_WS_MAC) connectOdocHandler(); #endif // setup single shot timer to call startupLoad() QTimer::singleShot(500, mw, SLOT(startupLoad())); try { app->exec(); } catch (const libfwbuilder::FWException &ex) { qDebug() << "Caught FWException: " << ex.toString().c_str(); } mw->hide(); // must do this before settings object is destroyed st->save(); delete st; res.clear(); XMLTools::close(); // We need to call FWWindow::~FWWindow() to remove temporary directory delete mw; } fwbuilder-5.3.7/src/gui/main_mac.cpp000066400000000000000000000101011303637203600173300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id: main.cpp 493 2008-08-30 05:05:56Z vadim $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "global.h" #include "VERSION.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" using namespace std; #if defined(Q_WS_MAC) #include static OSErr checkAppleEventForMissingParams(const AppleEvent& theAppleEvent) { DescType returnedType; Size actualSize; OSErr err; switch (err = AEGetAttributePtr(&theAppleEvent, keyMissedKeywordAttr, typeWildCard, &returnedType, nil, 0, &actualSize)) { case errAEDescNotFound: return noErr; case noErr: return errAEEventNotHandled; default: return err; } } static pascal OSErr odocHandler(const AppleEvent* inEvent, AppleEvent* /*reply*/, SRefCon /*refCon*/) { if (fwbdebug) qDebug("Handling 'odoc'\n"); AEDescList documentList; OSErr err = AEGetParamDesc(inEvent, keyDirectObject, typeAEList, &documentList); if (err == noErr) { err = checkAppleEventForMissingParams(*inEvent); if (err == noErr) { long documentCount; err = AECountItems(&documentList, &documentCount); for (long documentIndex = 1; err == noErr && documentIndex <= documentCount; documentIndex++) { // What kind of document is it? 
DescType returnedType; Size actualSize; err = AESizeOfNthItem(&documentList, documentIndex, &returnedType, &actualSize); if (err == noErr) { // It's just a normal document file AEKeyword keyword; FSRef ref; err = AEGetNthPtr(&documentList, documentIndex, typeFSRef, &keyword, &returnedType, (Ptr)&ref, sizeof(FSRef), &actualSize); if (err == noErr) { char buf[1024]; FSRefMakePath(&ref, reinterpret_cast(buf),1024); QDir file(buf); mw->registerAutoOpenDocFile(file.canonicalPath(), false); //mw->openDocFiles << file.canonicalPath(); } } } } AEDisposeDesc(&documentList); } if (fwbdebug) qDebug("Returning %d from handleOpenDocuments\n", err); return err; } void connectOdocHandler() { AEInstallEventHandler(kCoreEventClass, kAEOpenDocuments, NewAEEventHandlerUPP(odocHandler),0,false); } #endif // Q_WS_MAC fwbuilder-5.3.7/src/import/000077500000000000000000000000001303637203600156155ustar00rootroot00000000000000fwbuilder-5.3.7/src/import/AddressSpec.h000066400000000000000000000047131303637203600201730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _ADDRESS_SPEC_H_ #define _ADDRESS_SPEC_H_ #include #include #include #include class AddressSpec { public: typedef enum { UNKNOWN, ANY, HOST_NAME, HOST_ADDRESS, NETWORK_ADDRESS, SPECIAL_ADDRESS, INTERFACE_NAME, INTERFACE_NETWORK, INTERFACE_BROADCAST, INTERFACE_CONFIGURATION, INTERFACE_OR_HOST_NAME, TABLE } address_type; address_type at; bool neg; std::string address; std::string netmask; std::string broadcast; AddressSpec() { at = UNKNOWN; neg = false; address = ""; netmask = ""; broadcast = ""; } AddressSpec(const AddressSpec &other) { at = other.at; neg = other.neg; address = other.address; netmask = other.netmask; broadcast = other.broadcast; } AddressSpec(address_type _at, bool _neg, const std::string _addr, const std::string _nm) { at = _at; neg= _neg; address = _addr; netmask = _nm; } // This function is mostly used in unit tests QString toString() { QStringList str; QString address_type_as_string("type:%1"); str << "AddressSpec"; str << address_type_as_string.arg(at); str << QString((neg)? "neg:true" : "neg:false"); str << QString("addr:%1").arg(address.c_str()); str << QString("netm:%1").arg(netmask.c_str()); str << QString("bcast:%1").arg(broadcast.c_str()); return str.join("|"); } }; #endif fwbuilder-5.3.7/src/import/IOSImporter.cpp000066400000000000000000000345741303637203600205120ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" // #include "global.h" // #include "utils_no_qt.h" // #include "platforms.h" #include "IOSImporter.h" #include "getProtoByName.h" #include "getServByName.h" #include #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/Network.h" #include "fwbuilder/Address.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Library.h" #include #include extern int fwbdebug; using namespace std; using namespace libfwbuilder; IOSImporter::IOSImporter(FWObject *lib, std::istringstream &input, Logger *log, const std::string &fwname) : Importer(lib, "iosacl", input, log, fwname) { address_maker->setInvertedNetmasks(true); } IOSImporter::~IOSImporter() { all_rulesets.clear(); all_interfaces.clear(); } void IOSImporter::setInterfaceAndDirectionForRuleSet( const std::string &ruleset_name, const std::string &_intf_name, const std::string &_dir) { Importer::setInterfaceAndDirectionForRuleSet( ruleset_name, _intf_name, _dir); } ObjectSignature IOSImporter::packObjectSignatureTCPService() { // use src_port_op, src_port_spec, dst_port_op, dst_port_spec // port_op can be: lt (less than), gt (greater than), eq (equal), // neq (not equal), and range (inclusive range). 
ObjectSignature sig(error_tracker); sig.type_name = TCPService::TYPENAME; sig.port_range_inclusive = false; sig.setSrcPortRangeFromPortOpForCisco( src_port_op.c_str(), src_port_spec.c_str(), protocol.c_str()); sig.setDstPortRangeFromPortOpForCisco( dst_port_op.c_str(), dst_port_spec.c_str(), protocol.c_str()); sig.established = established; sig.flags_mask = tcp_flags_mask; sig.flags_comp = tcp_flags_comp; return sig; } ObjectSignature IOSImporter::packObjectSignatureUDPService() { // use src_port_op, src_port_spec, dst_port_op, dst_port_spec // port_op can be: lt (less than), gt (greater than), eq (equal), // neq (not equal), and range (inclusive range). ObjectSignature sig(error_tracker); sig.type_name = UDPService::TYPENAME; sig.port_range_inclusive = false; sig.setSrcPortRangeFromPortOpForCisco( src_port_op.c_str(), src_port_spec.c_str(), protocol.c_str()); sig.setDstPortRangeFromPortOpForCisco( dst_port_op.c_str(), dst_port_spec.c_str(), protocol.c_str()); return sig; } FWObject* IOSImporter::createTCPService(const QString &name) { if (src_port_op == "neq" || dst_port_op == "neq") return createTCPUDPNeqObject("tcp", name); ObjectSignature sig = packObjectSignatureTCPService(); if( ! name.isEmpty()) sig.object_name = name; return commitObject(service_maker->createObject(sig)); } FWObject* IOSImporter::createUDPService(const QString &name) { if (src_port_op == "neq" || dst_port_op == "neq") return createTCPUDPNeqObject("udp", name); ObjectSignature sig = packObjectSignatureUDPService(); if ( ! name.isEmpty()) sig.object_name = name; return commitObject(service_maker->createObject(sig)); } FWObject* IOSImporter::createTCPUDPServicePair(const QString &name) { FWObject *srv1 = createTCPService((name.isEmpty()) ? "" : name + "-tcp"); FWObject *srv2 = createUDPService((name.isEmpty()) ? 
"" : name + "-udp"); QString group_name = name; if (name.isEmpty()) { group_name = QString(srv1->getName().c_str()).replace("tcp ","tcp-udp "); } ObjectMaker maker(Library::cast(library), error_tracker); FWObject *grp = commitObject( maker.createObject(ServiceGroup::TYPENAME, group_name.toStdString())); grp->addRef(srv1); grp->addRef(srv2); return grp; } /* * create two tcp service objects to cover port ranges before * and after src_port_spec, put them into service group and * return pointer to the group. We ignore tcp ports and * "established" flag in combination with "neq" * */ FWObject* IOSImporter::createTCPUDPNeqObject(const QString &proto, const QString &name) { ObjectSignature sig(error_tracker); sig.port_range_inclusive = false; if (proto == "tcp") sig.type_name = TCPService::TYPENAME; if (proto == "udp") sig.type_name = UDPService::TYPENAME; if ( ! name.isEmpty()) sig.object_name = name; QString group_name; FWObject *srv1 = NULL; FWObject *srv2 = NULL; if (src_port_op == "neq") { if ( ! dst_port_spec.empty()) group_name = QString("%1 src neq %2 / dst %3") .arg(proto).arg(src_port_spec.c_str()).arg(dst_port_spec.c_str()); else group_name = QString("%1 src neq %2").arg(proto).arg(src_port_spec.c_str()); sig.setDstPortRangeFromPortOpForCisco( dst_port_op.c_str(), dst_port_spec.c_str(), proto); sig.setSrcPortRangeFromPortOpForCisco("lt", src_port_spec.c_str(), proto); srv1 = service_maker->createObject(sig); sig.setSrcPortRangeFromPortOpForCisco("gt", src_port_spec.c_str(), proto); srv2 = service_maker->createObject(sig); } if (dst_port_op == "neq") { if ( ! 
src_port_spec.empty()) group_name = QString("%1 src %2 / dst neq %3") .arg(proto).arg(src_port_spec.c_str()).arg(dst_port_spec.c_str()); else group_name = QString("%1 dst neq %2").arg(proto).arg(dst_port_spec.c_str()); sig.setSrcPortRangeFromPortOpForCisco( src_port_op.c_str(), src_port_spec.c_str(), proto); sig.setDstPortRangeFromPortOpForCisco("lt", dst_port_spec.c_str(), proto); srv1 = service_maker->createObject(sig); sig.setDstPortRangeFromPortOpForCisco("gt", dst_port_spec.c_str(), proto); srv2 = service_maker->createObject(sig); } assert(srv1 != NULL && srv2 != NULL); ObjectMaker maker(Library::cast(library), error_tracker); FWObject *grp = commitObject( maker.createObject(ServiceGroup::TYPENAME, group_name.toStdString())); grp->addRef(commitObject(srv1)); grp->addRef(commitObject(srv2)); return grp; } void IOSImporter::ignoreCurrentInterface() { if (current_interface) { QString err("Warning: interface %1 was not imported because it " "is in \"shutdown\" mode\n"); *Importer::logger << err.arg(current_interface->getName().c_str()).toStdString(); Importer::ignoreCurrentInterface(); // this clears current_interface } } void IOSImporter::pushRule() { assert(current_ruleset!=NULL); assert(current_rule!=NULL); // populate all elements of the rule addMessageToLog( QString("access list rule: access list %1, action %2") .arg(QString::fromUtf8(current_ruleset->ruleset->getName().c_str())) .arg(action.c_str())); Importer::pushRule(); } void IOSImporter::MergeRules::move(FWObject* r) { PolicyRule *rule = PolicyRule::cast(r); // Note that Policy object can have children that are objects of // classes PolicyRule and RuleSetOptions. If r does not cast to // PolicyRule, then it must be RuleSetOptions and we should just // skip it. 
if (rule==NULL) { r->getParent()->remove(r); return; } target_ruleset->reparent(rule); if (intf) { RuleElementItf* re =rule->getItf(); assert(re); re->addRef(intf); } rule->setDirection(dir); std::string prev_comment = rule->getComment(); rule->setComment( std::string("Imported from ") + ruleset_name + "\n" + prev_comment); } Firewall* IOSImporter::finalize() { // scan all UnidirectionalRuleSet objects, set interface and // direction in all rules of corresponding RuleSet and merge all // UnidirectionalRuleSet into one RuleSet object. Attach this // object to the firewall. if (fwbdebug) qDebug("IOSImporter::finalize()"); if (haveFirewallObject()) { Firewall *fw = Firewall::cast(getFirewallObject()); fw->setStr("host_OS", "ios"); Resources::setDefaultTargetOptions("ios" , fw); fw->setStr("version", ""); // default version "any" fw->getManagementObject(); // creates management obj FWObject *policy = getFirewallObject()->getFirstByType(Policy::TYPENAME); assert( policy!=NULL ); if (all_rulesets.size()!=0) { if (fwbdebug) { qDebug() << "Setting interface and direction for all rules"; qDebug() << "all_rulesets.size()=" << all_rulesets.size(); } std::map::iterator i; for (i=all_rulesets.begin(); i!=all_rulesets.end(); ++i) { UnidirectionalRuleSet *irs = (*i).second; if (fwbdebug) { qDebug() << " irs->name=" << irs->name.c_str(); qDebug() << " irs->intf_dir.size()=" << irs->intf_dir.size(); qDebug() << " irs->ruleset->size()=" << irs->ruleset->size(); } // optimization: If we have several interfaces for // the ruleset, create a group // But first group interfaces by direction so // that later we can merge rules into the policy // with proper combination of interface group and // direction. Remember that the same access list // can be used with multiple interfaces with different // directions each time. 
The same list can be applied // to the same interface both in and out (although in // this case we have already switched direction to "both") // if (irs->intf_dir.size()>1) { std::list all_in; std::list all_out; std::list all_both; std::map::iterator i; for (i = irs->intf_dir.begin(); i != irs->intf_dir.end(); ++i) { if ( (*i).second=="in") all_in.push_back( (*i).first ); if ( (*i).second=="out") all_out.push_back( (*i).first ); if ( (*i).second=="both") all_both.push_back( (*i).first ); } FWObject *og; if (all_in.size()>0) { og = createGroupOfInterfaces(irs->name, all_in); MergeRules mr(irs->name, og, PolicyRule::Inbound, policy); while (irs->ruleset->size() > 0) mr.move(irs->ruleset->front()); } if (all_out.size()>0) { og = createGroupOfInterfaces(irs->name, all_out); MergeRules mr(irs->name, og, PolicyRule::Outbound, policy); while (irs->ruleset->size() > 0) mr.move(irs->ruleset->front()); } if (all_both.size()>0) { og = createGroupOfInterfaces(irs->name, all_both); MergeRules mr(irs->name, og, PolicyRule::Both, policy); while (irs->ruleset->size() > 0) mr.move(irs->ruleset->front()); } } else { std::map::iterator j; for (j=irs->intf_dir.begin(); j!=irs->intf_dir.end(); ++j) { Interface *intf = all_interfaces[ (*j).first ]; std::string _dir = (*j).second; PolicyRule::Direction direction = PolicyRule::Both; if (_dir=="in") direction = PolicyRule::Inbound; if (_dir=="out") direction = PolicyRule::Outbound; // not all access lists are associated with interfaces if (intf!=NULL) { if (fwbdebug) qDebug() << " interface=" << intf->getName().c_str(); MergeRules mr(irs->name, intf, direction, policy); while (irs->ruleset->size() > 0) mr.move(irs->ruleset->front()); } } } // qDebug("ruleset done"); // call clearChidren() not recursive because children objects // of all rules should not be deleted irs->ruleset->clearChildren(false); getFirewallObject()->remove(irs->ruleset, false); delete irs->ruleset; } } list l2 = fw->getByType(Policy::TYPENAME); for (list::iterator 
i=l2.begin(); i!=l2.end(); ++i) { RuleSet *rs = RuleSet::cast(*i); rs->renumberRules(); } return getFirewallObject(); } else { return NULL; } } fwbuilder-5.3.7/src/import/IOSImporter.h000066400000000000000000000056601303637203600201510ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _FWB_POLICY_IMPORTER_IOS_H_ #define _FWB_POLICY_IMPORTER_IOS_H_ #include #include #include #include #include #include "Importer.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Logger.h" #include "fwbuilder/Policy.h" class IOSImporter : public Importer { protected: virtual libfwbuilder::FWObject* createTCPService(const QString &name=""); virtual libfwbuilder::FWObject* createUDPService(const QString &name=""); virtual libfwbuilder::FWObject* createTCPUDPServicePair(const QString &name=""); virtual libfwbuilder::FWObject* createTCPUDPNeqObject(const QString &proto, const QString &name=""); virtual ObjectSignature packObjectSignatureTCPService(); virtual ObjectSignature packObjectSignatureUDPService(); public: IOSImporter(libfwbuilder::FWObject *lib, std::istringstream &input, libfwbuilder::Logger *log, const std::string &fwname); ~IOSImporter(); virtual void run(); virtual void setInterfaceAndDirectionForRuleSet(const 
std::string &ruleset_name, const std::string &interface_name, const std::string &dir); virtual void ignoreCurrentInterface(); virtual void pushRule(); // this method actually adds interfaces to the firewall object // and does final clean up. virtual libfwbuilder::Firewall* finalize(); class MergeRules { std::string ruleset_name; libfwbuilder::FWObject *intf; libfwbuilder::PolicyRule::Direction dir; libfwbuilder::FWObject *target_ruleset; public: MergeRules(const std::string &_n, libfwbuilder::FWObject *i, libfwbuilder::PolicyRule::Direction d, libfwbuilder::FWObject *_rs) { ruleset_name = _n; intf = i; dir = d; target_ruleset = _rs; } void move(libfwbuilder::FWObject* r); }; }; #endif fwbuilder-5.3.7/src/import/IOSImporterRun.cpp000066400000000000000000000054041303637203600211650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" // #include "global.h" #include "IOSImporter.h" #include #include #include #include #include #include #include // parser and lexer for Cisco IOS access lists #include "../parsers/IOSCfgLexer.hpp" #include "../parsers/IOSCfgParser.hpp" extern int fwbdebug; /* * Only this module depends on IOSCfgLexer and IOSCfgParser, * so only this file is recompiled when we change grammar */ void IOSImporter::run() { // it is probably safer to create an empty firewall if we do not have // ANTLR on the system rather than try to #ifdef out chunks of code // here and there in this module // // Obviously we should disable GUI elements that activate this importer // if ANTLR runtime is not available. // QStringList err; QString parser_err = QObject::tr("Parser error:"); QString gen_err = QObject::tr("Error:"); std::ostringstream parser_debug; IOSCfgLexer lexer(input); IOSCfgParser parser(lexer); parser.importer = this; if (fwbdebug) parser.dbg = &std::cerr; else parser.dbg = &parser_debug; try { parser.cfgfile(); } catch(ANTLR_USE_NAMESPACE(antlr)ANTLRException &e) { err << parser_err + " " + e.toString().c_str(); } catch(ObjectMakerException &e) { err << gen_err + " " + e.toString(); } catch(ImporterException &e) { err << gen_err + " " + e.toString(); } catch(std::exception& e) { err << parser_err + " " + e.what(); } if (haveFirewallObject()) { if (countInterfaces()==0) err << noInterfacesErrorMessage(); if (countRules()==0) err << noRulesErrorMessage(); } else { err << parser_err; err << noFirewallErrorMessage(); err << commonFailureErrorMessage(); } if (!err.isEmpty()) *logger << err.join("\n").toUtf8().constData(); } fwbuilder-5.3.7/src/import/IPTImporter.cpp000066400000000000000000001622101303637203600205010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim 
Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "IPTImporter.h" #include "getProtoByName.h" #include "getServByName.h" #include #include #include #include #include "fwbuilder/Address.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" #include #include extern int fwbdebug; using namespace std; using namespace libfwbuilder; // TODO: this should move to some common library, together with // getVersionsForPlatform() it uses. 
Currently these functions are // defined in libgui/platforms.cpp extern QString findBestVersionMatch(const QString &platform, const QString &discovered_version); IPTImporter::IPTImporter(FWObject *lib, std::istringstream &input, Logger *log, const std::string &fwname) : Importer(lib, "iptables", input, log, fwname) { service_group_name_seed = 0; aux_branch_number = 0; current_table = ""; current_chain = ""; current_state = ""; current_ruleset = NULL; current_rule = NULL; last_mark_rule = NULL; clear(); // mapping between REJECT target argument and our internal name for it. // See also comment in IPTImporter::pushPolicyRule() reject_action_arg_mapping["icmp-net-unreachable"] = "ICMP net unreachable"; reject_action_arg_mapping["net-unreach"] = "ICMP net unreachable"; reject_action_arg_mapping["icmp-host-unreachable"] = "ICMP host unreachable"; reject_action_arg_mapping["host-unreach"] = "ICMP host unreachable"; reject_action_arg_mapping["icmp-proto-unreachable"] = "ICMP protocol unreachable"; reject_action_arg_mapping["proto-unreach"] = "ICMP protocol unreachable"; reject_action_arg_mapping["icmp-port-unreachable"] = "ICMP port unreachable"; reject_action_arg_mapping["port-unreach"] = "ICMP port unreachable"; reject_action_arg_mapping["icmp-net-prohibited"] = "ICMP net prohibited"; reject_action_arg_mapping["net-prohib"] = "ICMP net prohibited"; reject_action_arg_mapping["icmp-host-prohibited"] = "ICMP host prohibited"; reject_action_arg_mapping["host-prohib"] = "ICMP host prohibited"; reject_action_arg_mapping["icmp-admin-prohibited"] = "ICMP admin prohibited"; reject_action_arg_mapping["admin-prohib"] = "ICMP admin prohibited"; } IPTImporter::~IPTImporter() { clear(); } void IPTImporter::clear() { Importer::clear(); if (!src_port_list.empty()) src_port_list.clear(); if (!dst_port_list.empty()) dst_port_list.clear(); if (!both_port_list.empty()) both_port_list.clear(); current_state = ""; i_intf = ""; o_intf = ""; target = ""; tmp_port_range_start = ""; 
tmp_port_range_end = ""; src_neg = dst_neg = srv_neg = intf_neg = tmp_neg = false; match_mark = ""; neg_match_mark = false; recent_match = ""; limit_val = ""; limit_suffix = ""; limit_burst = ""; length_spec = ""; pkt_type_spec = ""; if (!action_params.empty()) action_params.clear(); nat_addr1 = ""; nat_addr2 = ""; nat_nm = ""; nat_port_range_start = ""; nat_port_range_end = ""; using_iprange_src = false; iprange_src_from = ""; iprange_src_to = ""; using_iprange_dst = false; iprange_dst_from = ""; iprange_dst_to = ""; } void IPTImporter::registerTable(const string &table_name) { current_table = table_name; if ( ! isSupportedTable(table_name)) { QString err = QObject::tr( "Unrecognized netfilter table \"%1\". " "Only tables \"filter\", \"mangle\" and \"nat\" are supported.") .arg(QString::fromUtf8(table_name.c_str())); reportError(err); } } bool IPTImporter::isSupportedTable(const string &table_name) { return (table_name == "nat" || table_name == "filter" || table_name == "mangle"); } string IPTImporter::getBranchName(const std::string &suffix) { ostringstream str; str << current_chain << suffix << aux_branch_number; aux_branch_number++; return str.str(); } void IPTImporter::startSrcMultiPort() { src_port_list.clear(); } void IPTImporter::pushTmpPortSpecToSrcPortList() { src_port_list.push_back( str_tuple( tmp_port_range_start, tmp_port_range_end ) ); } void IPTImporter::startDstMultiPort() { dst_port_list.clear(); } void IPTImporter::pushTmpPortSpecToDstPortList() { dst_port_list.push_back( str_tuple( tmp_port_range_start, tmp_port_range_end ) ); } void IPTImporter::startBothMultiPort() { both_port_list.clear(); } void IPTImporter::pushTmpPortSpecToBothPortList() { both_port_list.push_back( str_tuple( tmp_port_range_start, tmp_port_range_end ) ); } FWObject* IPTImporter::createTCPUDPService(str_tuple &src_range, str_tuple &dst_range, const std::string &proto) { if (fwbdebug) { qDebug() << "Creating service " << proto.c_str(); qDebug() << "src range: " << 
src_range.first.c_str() << " - " << src_range.second.c_str(); qDebug() << "dst range: " << dst_range.first.c_str() << " - " << dst_range.second.c_str(); } ObjectSignature sig(error_tracker); sig.setSrcPortRange(src_range.first.c_str(), src_range.second.c_str(), proto.c_str()); sig.setDstPortRange(dst_range.first.c_str(), dst_range.second.c_str(), proto.c_str()); if (proto=="tcp") { sig.type_name = TCPService::TYPENAME; sig.established = established; sig.flags_mask = tcp_flags_mask; sig.flags_comp = tcp_flags_comp; } else { sig.type_name = UDPService::TYPENAME; } return commitObject( service_maker->createObject(sig)); } /* * TODO: fix this */ FWObject* IPTImporter::createTCPUDPService(const std::string &proto) { str_tuple empty_range("0","0"); // use src_port_list and dst_port_list // if this is multiport, should only be either src or dst port // if (src_port_list.size()>1 || dst_port_list.size()>1) { std::list olist; std::list list_names; std::list::iterator i; std::list *list_ptr; if (src_port_list.size()>1) list_ptr = &src_port_list; else list_ptr = &dst_port_list; std::string sig; if (src_port_list.size()>1) sig = proto + " src "; else sig = proto + " dst "; for (i = list_ptr->begin(); i != list_ptr->end(); ++i) { sig += (*i).first + ":" + (*i).second + "_"; } if (all_objects.count(sig)!=0) return all_objects[sig]; for (i = list_ptr->begin(); i != list_ptr->end(); ++i) { FWObject *o; o = createTCPUDPService( (list_ptr == &src_port_list) ? *i : empty_range, (list_ptr == &dst_port_list) ? 
*i : empty_range, proto); olist.push_back(o); list_names.push_back(o->getName()); } std::ostringstream s; s << service_group_name_seed; service_group_name_seed++; std::string name = proto + " group " + s.str(); if (fwbdebug) qDebug() << QString("Group of %1 services with name '%2', sig '%3'") .arg(proto.c_str()).arg(name.c_str()).arg(sig.c_str()); ObjectMaker maker(Library::cast(library), error_tracker); ServiceGroup *sg = ServiceGroup::cast( commitObject(maker.createObject(ServiceGroup::TYPENAME, name))); for (FWObject::iterator j=olist.begin(); j!=olist.end(); ++j) { sg->addRef(*j); } all_objects[sig] = sg; return sg; } else // single tcp/udp object { return createTCPUDPService( (src_port_list.size()>0) ? src_port_list.front() : empty_range, (dst_port_list.size()>0) ? dst_port_list.front() : empty_range, proto); } } FWObject* IPTImporter::createTCPService(const QString &) { return createTCPUDPService("tcp"); } FWObject* IPTImporter::createUDPService(const QString &) { return createTCPUDPService("udp"); } FWObject* IPTImporter::makeSrcObj() { if (using_iprange_src) { ObjectSignature sig(error_tracker); sig.type_name = AddressRange::TYPENAME; sig.setAddressRangeStart(iprange_src_from.c_str()); sig.setAddressRangeEnd(iprange_src_to.c_str()); return commitObject(address_maker->createObject(sig)); } else return Importer::makeSrcObj(); } FWObject* IPTImporter::makeDstObj() { if (using_iprange_dst) { ObjectSignature sig(error_tracker); sig.type_name = AddressRange::TYPENAME; sig.setAddressRangeStart(iprange_dst_from.c_str()); sig.setAddressRangeEnd(iprange_dst_to.c_str()); return commitObject(address_maker->createObject(sig)); } else return Importer::makeDstObj(); } void IPTImporter::addSrv() { // special case for the multiport module parameter "--ports". This // parameter matches source OR destination ports. 
Will created two // separate service objects in the same rule if (!both_port_list.empty()) { src_port_list.insert(src_port_list.begin(), both_port_list.begin(), both_port_list.end()); Importer::addSrv(); src_port_list.clear(); dst_port_list.insert(dst_port_list.begin(), both_port_list.begin(), both_port_list.end()); Importer::addSrv(); dst_port_list.clear(); } else Importer::addSrv(); } /* * Importer::addSrv() adds regular (IP/ICMP/UDP/TCP) service * object. If we have mark module match, implement it as * TagService object only if there is no IP/ICMP/UDP/TCP service * as well. Other modules, such as length, are added only if there * is nothing else. If we have more than one service to deal with, * mark rule as bad and issue warning. * * I check and issue warning after I try to add TagService because * I want to add it in case when there are no regular services * but there is "mark" and some other module in the original rule. * Priorities: 1) IP/ICMP/UDP/TCP service 2) TagService (module mark) * 3) any other module * */ void IPTImporter::processModuleMatches() { PolicyRule *rule = PolicyRule::cast(current_rule); RuleElementSrv* srv = rule->getSrv(); assert(srv!=NULL); FWOptions *fwopt = getFirewallObject()->getOptionsObject(); assert(fwopt!=NULL); FWOptions *ropt = current_rule->getOptionsObject(); assert(ropt!=NULL); addAllModuleMatches(rule); // functions that addAllModuleMatches() calls actually clear // variables match_mark, length_spec etc. 
list module_match_options; module_match_options.push_back(match_mark); module_match_options.push_back(length_spec); module_match_options.push_back(recent_match); module_match_options.push_back(pkt_type_spec); int branch_depth = 0; for(list::iterator it=module_match_options.begin(); it!=module_match_options.end(); ++it) { if (!it->empty()) { if (branch_depth) { // at this time I create branches only one level deep QString err = QObject::tr( "Original rule combines match of tcp/udp/icmp " "protocols with two or more module matches, such as " "module 'mark', 'recent' or 'length'. Use additional " "branches to implement this complex match."); reportError(err); break; } ostringstream str; str << current_chain << "_" << rule->getPosition() << "_mod_match"; string branch_chain = str.str(); branch_depth++; PolicyRule *new_rule = createPolicyBranch(rule, branch_chain, true, true); addAllModuleMatches(new_rule); } } } void IPTImporter::addAllModuleMatches(PolicyRule *rule) { addLimitMatch(rule); addMarkMatch(rule); addLengthMatch(rule); addRecentMatch(rule); addPktTypeMatch(rule); } void IPTImporter::addMarkMatch(PolicyRule *rule) { RuleElementSrv* srv = rule->getSrv(); assert(srv!=NULL); if (rule->getSrv()->isAny() && !match_mark.empty()) { ObjectSignature sig(error_tracker); sig.type_name = TagService::TYPENAME; sig.tag = match_mark.c_str(); srv->addRef( commitObject(service_maker->createObject(sig)) ); if (neg_match_mark) srv->setNeg(true); match_mark = ""; } } void IPTImporter::addLengthMatch(PolicyRule *rule) { RuleElementSrv* srv = rule->getSrv(); assert(srv!=NULL); if (rule->getSrv()->isAny() && !length_spec.empty()) { // create custom service with module "length" ObjectSignature sig(error_tracker); sig.type_name = CustomService::TYPENAME; sig.platform = "iptables"; sig.code = QString("-m length --length %1").arg(length_spec.c_str()); sig.protocol_name = ""; srv->addRef(commitObject(service_maker->createObject(sig))); length_spec = ""; } } void 
IPTImporter::addPktTypeMatch(PolicyRule *rule) { RuleElementSrv* srv = rule->getSrv(); assert(srv!=NULL); if (rule->getSrv()->isAny() && !pkt_type_spec.empty()) { // create custom service with module "pkttype" ObjectSignature sig(error_tracker); sig.type_name = CustomService::TYPENAME; sig.platform = "iptables"; sig.code = QString("-m pkttype --pkt-type %1").arg(pkt_type_spec.c_str()); sig.protocol_name = ""; srv->addRef(commitObject(service_maker->createObject(sig))); pkt_type_spec = ""; } } void IPTImporter::addLimitMatch(PolicyRule *rule) { FWOptions *ropt = rule->getOptionsObject(); assert(ropt!=NULL); if (target!="LOG" && !limit_val.empty()) { // TODO: this is where we should add support for hashlimit ropt->setStr("limit_value", limit_val); ropt->setStr("limit_suffix", std::string("/") + limit_suffix); if (!limit_burst.empty()) ropt->setStr("limit_burst", limit_burst); limit_val = ""; } } void IPTImporter::addRecentMatch(PolicyRule *rule) { RuleElementSrv* srv = rule->getSrv(); assert(srv!=NULL); if (rule->getSrv()->isAny() && !recent_match.empty()) { // create custom service with module "recent" ObjectSignature sig(error_tracker); sig.type_name = CustomService::TYPENAME; sig.platform = "iptables"; sig.code = QString("-m recent %1").arg(recent_match.c_str()); sig.protocol_name = ""; srv->addRef(commitObject(service_maker->createObject(sig))); recent_match = ""; } } void IPTImporter::addStateMatch(libfwbuilder::PolicyRule *rule, const string &state) { RuleElementSrv* srv = rule->getSrv(); assert(srv!=NULL); if (rule->getSrv()->isAny() && !state.empty()) { // create custom service with module "state" ObjectSignature sig(error_tracker); sig.type_name = CustomService::TYPENAME; sig.platform = "iptables"; sig.code = QString("-m state --state %1").arg(state.c_str()); sig.protocol_name = ""; srv->addRef(commitObject(service_maker->createObject(sig))); recent_match = ""; } } /** * Special method that takes a rule and converts it into a branching * rule, creates new 
rule set object, adds a rule to it and makes this * rule a copy of the rule passed as an argument. Returns pointer to * the new rule inside the branch rule set. Note that new rule inside * the branch rule set is a copy of the original rule, with its action * and other attributes. The original rule's action changes however * and becomes "Branch". */ PolicyRule* IPTImporter::createPolicyBranch( PolicyRule *rule, const std::string &branch_ruleset_name, bool clear_rule_elements, bool make_stateless) { UnidirectionalRuleSet *rs = branch_rulesets[branch_ruleset_name]; if (rs==NULL) rs = getUnidirRuleSet(branch_ruleset_name, Policy::TYPENAME); branch_rulesets[branch_ruleset_name] = rs; rs->ruleset->setName(branch_ruleset_name); FWObjectDatabase *dbroot = getFirewallObject()->getRoot(); PolicyRule *new_rule = PolicyRule::cast(dbroot->create(PolicyRule::TYPENAME)); rs->ruleset->add(new_rule); new_rule->duplicate(rule); rule->setAction(PolicyRule::Branch); rule->setBranch(rs->ruleset); FWOptions *ropt = rule->getOptionsObject(); assert(ropt!=NULL); ropt->setBool("stateless", true); if (rule->getParent() != NULL) { ostringstream str1; str1 << "Called from ruleset " << rule->getParent()->getName() << ", rule " << rule->getPosition(); new_rule->setComment(str1.str()); } if (clear_rule_elements) { RuleElement* re; re = new_rule->getSrc(); re->reset(); re = new_rule->getDst(); re->reset(); re = new_rule->getSrv(); re->reset(); re = new_rule->getItf(); re->reset(); } if (make_stateless) { FWOptions *ropt = new_rule->getOptionsObject(); assert(ropt!=NULL); ropt->setBool("stateless", true); } addMessageToLog(QString("Created branch %1") .arg(QString::fromUtf8(branch_ruleset_name.c_str()))); return new_rule; } NATRule* IPTImporter::createNATBranch( NATRule *rule, const std::string &branch_ruleset_name, bool clear_rule_elements) { UnidirectionalRuleSet *rs = branch_rulesets[branch_ruleset_name]; if (rs==NULL) rs = getUnidirRuleSet(branch_ruleset_name, NAT::TYPENAME); 
branch_rulesets[branch_ruleset_name] = rs; rs->ruleset->setName(branch_ruleset_name); FWObjectDatabase *dbroot = getFirewallObject()->getRoot(); NATRule *new_rule = NATRule::cast(dbroot->create(NATRule::TYPENAME)); rs->ruleset->add(new_rule); new_rule->duplicate(rule); rule->setRuleType(NATRule::NATBranch); rule->setBranch(rs->ruleset); if (rule->getParent() != NULL) { ostringstream str1; str1 << "Called from ruleset " << rule->getParent()->getName() << ", rule " << rule->getPosition(); new_rule->setComment(str1.str()); } if (clear_rule_elements) { RuleElement* re; re = new_rule->getOSrc(); re->reset(); re = new_rule->getODst(); re->reset(); re = new_rule->getOSrv(); re->reset(); re = new_rule->getTSrc(); re->reset(); re = new_rule->getTDst(); re->reset(); re = new_rule->getTSrv(); re->reset(); re = new_rule->getItfInb(); re->reset(); re = new_rule->getItfOutb(); re->reset(); } addMessageToLog( QString("Created branch %1") .arg(QString::fromUtf8(branch_ruleset_name.c_str()))); return new_rule; } void IPTImporter::pushRule() { // assert(current_ruleset!=NULL); if (current_rule==NULL) return; if (current_table=="nat") pushNATRule(); else pushPolicyRule(); } void IPTImporter::pushPolicyRule() { // populate all elements of the rule PolicyRule *rule = PolicyRule::cast(current_rule); rule->setLogging(false); FWOptions *fwopt = getFirewallObject()->getOptionsObject(); assert(fwopt!=NULL); FWOptions *ropt = current_rule->getOptionsObject(); assert(ropt!=NULL); bool skip_rule = false; PolicyRule::Action action = PolicyRule::Unknown; if (target=="ACCEPT") action = PolicyRule::Accept; if (target=="DROP") action = PolicyRule::Deny; if (target=="REJECT") { action = PolicyRule::Reject; if (action_params["reject_with"]=="tcp-reset") ropt->setStr("action_on_reject", "TCP RST"); else { /* * for historical reasons, the argument for action Reject * is stored in our XML as a human readable string such as * "ICMP admin prohibited" instead of some kind of a * computer readable code. 
Function getActionsOnReject() (see platforms.cpp) * returns a list of strings where every even string is one of * these codes and every odd string is translatable display name * (that by currently is the same string, except it can be translated). * Values in the map reject_action_arg_mapping must match internal * (untranslated) codes that we get from getActionsOnReject(), keys * in reject_action_arg_mapping must match iptables arguments for * the target REJECT */ QString iptables_reject_arg = action_params["reject_with"].c_str(); QString action_on_reject_code; if (reject_action_arg_mapping.count(iptables_reject_arg) > 0) action_on_reject_code = reject_action_arg_mapping[iptables_reject_arg]; else { action_on_reject_code = "ICMP admin prohibited"; QString err = QObject::tr( "Error: Line %1: Unknown parameter of target REJECT: %2.") .arg(getCurrentLineNumber()) .arg(iptables_reject_arg); reportError(err); // throw ImporterException(err); // ropt->setStr("color", getBadRuleColor()); // rule_comment += string(err.toUtf8().constData()); // *Importer::logger << err.toUtf8().constData(); } ropt->setStr("action_on_reject", action_on_reject_code.toStdString()); } } if (target=="QUEUE") action = PolicyRule::Pipe; if (target=="CLASSIFY") // #2367 { action = PolicyRule::Continue; rule->setClassification(true); ropt->setStr("classify_str", action_params["set_class"]); } if (target=="LOG") { action = PolicyRule::Continue; rule->setLogging(true); QString log_prefix = action_params["log_prefix"].c_str(); log_prefix.replace("\"", ""); ropt->setStr("log_prefix", log_prefix.toStdString()); ropt->setStr("log_tcp_seq", action_params["log_tcp_seq"]); ropt->setStr("log_tcp_options", action_params["log_tcp_options"]); ropt->setStr("log_ip_options", action_params["log_ip_options"]); string slevel = action_params["log_level"]; int llevel; std::istringstream str1(slevel); str1.exceptions(std::ios::failbit); try { str1 >> llevel; // log level defined as a number map levels; levels[0] = ""; 
levels[1] = "alert"; levels[2] = "crit"; levels[3] = "error"; levels[4] = "warning"; levels[5] = "notice"; levels[6] = "info"; levels[7] = "debug"; if (llevel <= 7) ropt->setStr("log_level", levels[llevel]); else { reportError(std::string("Unrecognized log level '") + slevel); } } catch (const std::exception &ex) { // not an integer ropt->setStr("log_level", slevel); } //ropt->setStr("log_level", action_params["log_level"]); if (!limit_val.empty()) { ropt->setStr("limit_value", limit_val); ropt->setStr("limit_suffix", std::string("/")+limit_suffix); if (!limit_burst.empty()) ropt->setStr("limit_burst", limit_burst); } } if (target=="ULOG") { action = PolicyRule::Continue; rule->setLogging(true); fwopt->setBool("use_ULOG", true); QString log_prefix = action_params["log_prefix"].c_str(); log_prefix.replace("\"", ""); ropt->setStr("log_prefix", log_prefix.toStdString()); } if (target=="MARK") { action = PolicyRule::Continue; rule->setTagging(true); last_mark_rule = rule; ObjectSignature sig(error_tracker); sig.type_name = TagService::TYPENAME; sig.tag = action_params["set_mark"].c_str(); FWObject *tag_service = commitObject(service_maker->createObject(sig)); rule->setTagObject(tag_service); } if (target=="CONNMARK") action = PolicyRule::Continue; if (target=="ROUTE") { action = PolicyRule::Continue; rule->setRouting(true); if (!action_params["route_iif"].empty()) newInterface(action_params["route_iif"]); if (!action_params["route_oif"].empty()) newInterface(action_params["route_oif"]); ropt->setStr("ipt_iif", action_params["route_iif"]); ropt->setStr("ipt_oif", action_params["route_oif"]); ropt->setStr("ipt_gw", action_params["route_gw"]); ropt->setBool("ipt_continue", !action_params["route_continue"].empty()); ropt->setBool("ipt_tee", !action_params["route_tee"].empty()); } if (target=="RETURN" || target.empty()) { action = PolicyRule::Continue; } if (target=="TCPMSS" && action_params["clamp-mss-to-pmtu"] == "--clamp-mss-to-pmtu") { fwopt->setBool("clamp_mss_to_mtu", 
true); skip_rule = true; addMessageToLog( QString("Warning: Using automatic rule controlled by option " "Clamp MSS to MTU")); } if (target=="TOS") { // special-case target TOS, create custom action // this is not very useful though because compiler can not properly // put such rule in POSTROUTING chain. action = PolicyRule::Custom; ropt->setStr("custom_str", "-j TOS --set-tos " + action_params["set_tos"]); } if (action==PolicyRule::Unknown) { if (fwbdebug) qDebug("Unknown target %s, creating branch", target.c_str()); // unknown target, consider it a branch // std::string branch_ruleset_name = target; action = PolicyRule::Branch; UnidirectionalRuleSet *rs = branch_rulesets[branch_ruleset_name]; if (rs==NULL) rs = getUnidirRuleSet(branch_ruleset_name, Policy::TYPENAME); branch_rulesets[branch_ruleset_name] = rs; rs->ruleset->setName(target); rule->setBranch(rs->ruleset); ropt->setBool("stateless", true); } rule->setAction(action); addSrc(); addDst(); addSrv(); RuleElementSrc *nsrc; RuleElementDst *ndst; rule->getSrc()->setNeg(src_neg); rule->getDst()->setNeg(dst_neg); rule->getSrv()->setNeg(srv_neg); rule->getItf()->setNeg(intf_neg); /* Recognize some typical rule patterns and set firewall and rule * options appropriately */ if (current_state == "NEW") { ropt->setBool("stateless", false); current_state = ""; } if (current_state == "RELATED,ESTABLISHED" || current_state == "ESTABLISHED,RELATED") { RuleElementSrv *srv = rule->getSrv(); std::string protocol = ""; FWObject *estab = NULL; FWObjectDatabase *dbroot = getFirewallObject()->getRoot(); FWObject *std_obj = dbroot->findInIndex(FWObjectDatabase::STANDARD_LIB_ID); estab = std_obj->findObjectByName(CustomService::TYPENAME, "ESTABLISHED"); if (estab == NULL) { ObjectSignature sig(error_tracker); sig.type_name = CustomService::TYPENAME; sig.platform = "iptables"; sig.code = QString("-m state --state RELATED,ESTABLISHED"); sig.protocol_name = ""; estab = service_maker->createObject(sig); } if (!rule->getSrv()->isAny()) 
{ string branch_ruleset_name = getBranchName("_established_"); // two boolean args of createPolicyBranch() clear all rule elements // of the rule in the branch rule set and make it stateless PolicyRule *new_rule = createPolicyBranch(rule, branch_ruleset_name, true, true); new_rule->setDirection(PolicyRule::Both); RuleElement* re = new_rule->getSrv(); re->addRef(estab); } else { srv->clearChildren(); srv->addRef(estab); } addMessageToLog( QString( "Warning: Rule matches states 'RELATED,ESTABLISHED'. " "Consider using " "automatic rule controlled by the checkbox in the firewall " "settings dialog. Automatic rule matches in all standard chains " "which may be different from the original imported configuration. " "This requires manual checking." )); current_state = ""; } if (rule->getSrc()->isAny() && rule->getDst()->isAny() && rule->getSrv()->isAny() && current_state == "INVALID") { if (target=="DROP") fwopt->setBool("drop_invalid", true); if (target=="LOG") fwopt->setBool("log_invalid", true); skip_rule = true; addMessageToLog( QString("Warning: Using automatic rule controlled by option " "'Drop packet that do not match any known connection' " "to match state INVALID" )); current_state = ""; } // finally, process unrecognized combination of states if ( ! current_state.empty()) { RuleElementSrv *srv = rule->getSrv(); ObjectSignature sig(error_tracker); sig.type_name = CustomService::TYPENAME; sig.platform = "iptables"; sig.code = QString("-m state --state %1").arg(current_state.c_str()); sig.protocol_name = ""; FWObject *state_match_srv = commitObject(service_maker->createObject(sig)); if ( ! 
rule->getSrv()->isAny()) { string branch_ruleset_name = getBranchName("_state_match_"); // two boolean args of createPolicyBranch() clear all rule elements // of the rule in the branch rule set and make it stateless PolicyRule *new_rule = createPolicyBranch(rule, branch_ruleset_name, true, true); new_rule->setDirection(PolicyRule::Both); RuleElement* re = new_rule->getSrv(); re->addRef(state_match_srv); } else { srv->clearChildren(); srv->addRef(state_match_srv); } // no need to make rule stateless since compiler is smart enough to drop // --state NEW when service object adds its own state match // ropt->setBool("stateless", false); addMessageToLog( QString( "Warning: Rule matches combination of states '%1'. " "Iptables rules generated by fwbuilder can be stateless (match " "no state) or stateful (match state NEW). Fwbuilder also adds " "a rule at the top of the script to match states " "ESTABLISHED,RELATED. Combination of states '%2' does not fit " "these standard cases and to match it, the program created " "new Custom Service object. This may require manual checking." ) .arg(current_state.c_str()) .arg(current_state.c_str())); current_state = ""; } if (target=="CONNMARK" && last_mark_rule != NULL && !action_params["connmark_save_mark"].empty()) { FWOptions *lmr_ropt = last_mark_rule->getOptionsObject(); assert(lmr_ropt!=NULL); lmr_ropt->setBool("ipt_mark_connections", true); skip_rule = true; addMessageToLog( QString("Warning: Turned option on in previous rule " "with action Mark " "for '-j CONNMARK --save-mark' " )); } if (target=="CONNMARK" && !action_params["connmark_restore_mark"].empty()) { // this rule is added automatically in // MangleTableCompiler_ipt::flushAndSetDefaultPolicy() // if we have at least one rule with CONNMARK target in the policy skip_rule = true; addMessageToLog( QString("Warning: Skipping command with '-j CONNMARK --restore-mark' " "This rule is generated automatically." 
)); } if (!skip_rule) { /* we set "firewall_is_part_of_any_and_networks" to False */ rule_comment += "Chain " + current_chain + ". "; if (current_chain=="INPUT") { ndst = rule->getDst(); if (ndst->isAny()) ndst->addRef(getFirewallObject()); else rule_comment += "Does DST match one of the firewall's addresses?"; } if (current_chain=="OUTPUT") { nsrc = rule->getSrc(); if (nsrc->isAny()) nsrc->addRef(getFirewallObject()); else rule_comment += "Does SRC match one of the firewall's addresses?"; } if (current_table == "mangle") { if ( ! rule->getClassification() && (current_chain == "POSTROUTING" || current_chain == "FORWARD")) { QString err = QObject::tr( "Fwbuilder can not reproduce iptables rule in " "the table 'mangle', chain %1") .arg(current_chain.c_str()); reportError(err); markCurrentRuleBad(); } } // add rule to the right ruleset RuleSet *ruleset = NULL; std::string ruleset_name = ""; // if (isStandardChain(current_chain)) // { // ruleset = RuleSet::cast( // getFirewallObject()->getFirstByType(Policy::TYPENAME)); // assert(ruleset!=NULL); // } else // { // UnidirectionalRuleSet *rs = getUnidirRuleSet( // current_chain, Policy::TYPENAME); // assert(rs!=NULL); // ruleset = rs->ruleset; // } UnidirectionalRuleSet *rs = getUnidirRuleSet(current_chain, Policy::TYPENAME); assert(rs!=NULL); ruleset = rs->ruleset; ruleset->add(current_rule); // renumber to clean-up rule positions ruleset->renumberRules(); rule->setDirection(PolicyRule::Both); if ( !i_intf.empty() && !o_intf.empty()) { // The rule defines inbound and outbound interfaces simultaneously. // -i i_intf // -o o_intf // Making this rule inbound on i_intf, with action Branch // Branch points to a new rule set where we put a rule with // direction outbount on o_intf action = PolicyRule::Branch; string branch_ruleset_name = ruleset->getName() + "_" + o_intf; // note that this new rule only matches interface and // direction, everything else has been matched by the main // rule. 
There is no need for the rule in the branch to be stateful // (that is what the last bool argument for createPolicyBranch() is for) PolicyRule *new_rule = createPolicyBranch(rule, branch_ruleset_name, true, true); // Important: at this point we have assembled the // current_rule completely. This means all rule elements, // its action and options have been set above. By // duplicating it into new_rule, we set the same action in // the new_rule. We will change interface, direction and // action in the current_rule below. RuleElement* re; new_rule->setDirection(PolicyRule::Outbound); newInterface(o_intf); Interface *intf = all_interfaces[o_intf]; re = new_rule->getItf(); re->addRef(intf); rule->setDirection(PolicyRule::Inbound); newInterface(i_intf); intf = all_interfaces[i_intf]; re =rule->getItf(); re->addRef(intf); QString interfaces = QString("-i %1 -o %2").arg(i_intf.c_str()).arg(o_intf.c_str()); rule_comment += QString( " Both inbound and outbound interfaces " "in original iptables command: %1").arg(interfaces).toStdString(); addMessageToLog( QString("Warning: Creating branch ruleset '%1' to " "match inbound and outbound interfaces %2") .arg(branch_ruleset_name.c_str()).arg(interfaces)); } else { if ( !i_intf.empty()) { rule->setDirection(PolicyRule::Inbound); newInterface(i_intf); Interface *intf = all_interfaces[i_intf]; RuleElementItf* re =rule->getItf(); re->addRef(intf); } if ( !o_intf.empty()) { rule->setDirection(PolicyRule::Outbound); newInterface(o_intf); Interface *intf = all_interfaces[o_intf]; RuleElementItf* re =rule->getItf(); re->addRef(intf); } } processModuleMatches(); addStandardImportComment( current_rule, QString::fromUtf8(rule_comment.c_str())); } if ( ! isSupportedTable(current_table)) { QString err = QObject::tr( "Rule can not be imported correctly because " "original configuration uses " "unrecognized netfilter table \"%1\". 
") .arg(QString::fromUtf8(current_table.c_str())); reportError(err); } if (error_tracker->hasWarnings()) { QStringList warn = error_tracker->getWarnings(); // parser errors and warnings are added to the log by // PFCfgParser::reportError() and PFCfgParser::reportWarning() // so we dont need to add them again here foreach(QString w, warn) { if (!w.startsWith("Parser warning:")) addMessageToLog("Warning: " + w); } markCurrentRuleBad(); } if (error_tracker->hasErrors()) { QStringList err = error_tracker->getErrors(); foreach(QString e, err) { if (!e.startsWith("Parser error:")) addMessageToLog("Error: " + e); } markCurrentRuleBad(); } current_rule = NULL; rule_comment = ""; clear(); } void IPTImporter::pushNATRule() { // populate all elements of the rule NATRule *rule = NATRule::cast(current_rule); FWOptions *fwopt = getFirewallObject()->getOptionsObject(); assert(fwopt!=NULL); FWOptions *ropt = current_rule->getOptionsObject(); assert(ropt!=NULL); addOSrc(); addODst(); addOSrv(); if (src_nm.empty()) src_nm = InetAddr::getAllOnes().toString(); if (dst_nm.empty()) dst_nm = InetAddr::getAllOnes().toString(); if (nat_nm.empty()) nat_nm = InetAddr::getAllOnes().toString(); NATRule::NATRuleTypes rule_type = NATRule::Unknown; if (target=="ACCEPT") { rule_type = NATRule::NONAT; } if (target=="MASQUERADE") { rule_type = NATRule::Masq; RuleElementTSrc *re = rule->getTSrc(); assert(re!=NULL); if ( !o_intf.empty() ) { newInterface(o_intf); Interface *intf = all_interfaces[o_intf]; re->addRef(intf); } else { re->addRef(getFirewallObject()); } } if (target=="SNAT") { rule_type = NATRule::SNAT; FWObject *tsrc = NULL; if (nat_addr1!=nat_addr2) { ObjectSignature sig(error_tracker); sig.type_name = AddressRange::TYPENAME; sig.setAddressRangeStart(nat_addr1.c_str()); sig.setAddressRangeEnd(nat_addr2.c_str()); tsrc = commitObject(address_maker->createObject(sig)); } else { ObjectSignature sig(error_tracker); sig.type_name = Address::TYPENAME; sig.setAddress(nat_addr1.c_str()); 
sig.setNetmask(nat_nm.c_str()); tsrc = commitObject(address_maker->createObject(sig)); } RuleElementTSrc *re = rule->getTSrc(); assert(re!=NULL); re->addRef(tsrc); if (!nat_port_range_start.empty()) { str_tuple empty_range("0", "0"); str_tuple nat_port_range(nat_port_range_start, nat_port_range_end); FWObject *s = createTCPUDPService(nat_port_range, empty_range, protocol); RuleElementTSrv *re = rule->getTSrv(); assert(re!=NULL); re->addRef(s); } if (!o_intf.empty()) { RuleElement *itf_o_re = rule->getItfOutb(); assert(itf_o_re!=NULL); newInterface(o_intf); Interface *intf = all_interfaces[o_intf]; itf_o_re->addRef(intf); } } if (target=="DNAT") { rule_type = NATRule::DNAT; // if chain is "OUTPUT", put fw object in OSrc if (current_chain == "OUTPUT") { RuleElementOSrc *re = rule->getOSrc(); assert(re!=NULL); re->addRef(getFirewallObject()); } FWObject *tdst = NULL; if (nat_addr1!=nat_addr2) { ObjectSignature sig(error_tracker); sig.type_name = AddressRange::TYPENAME; sig.setAddressRangeStart(nat_addr1.c_str()); sig.setAddressRangeEnd(nat_addr2.c_str()); tdst = commitObject(address_maker->createObject(sig)); } else { ObjectSignature sig(error_tracker); sig.type_name = Address::TYPENAME; sig.setAddress(nat_addr1.c_str()); sig.setNetmask(nat_nm.c_str()); tdst = commitObject(address_maker->createObject(sig)); } RuleElementTDst *re = rule->getTDst(); assert(re!=NULL); re->addRef(tdst); if (!nat_port_range_start.empty()) { str_tuple empty_range("0", "0"); str_tuple nat_port_range(nat_port_range_start, nat_port_range_end); FWObject *s = createTCPUDPService(empty_range, nat_port_range, protocol); RuleElementTSrv *re = rule->getTSrv(); assert(re!=NULL); re->addRef(s); } if (!i_intf.empty()) { RuleElement *itf_i_re = rule->getItfInb(); assert(itf_i_re!=NULL); newInterface(i_intf); Interface *intf = all_interfaces[i_intf]; itf_i_re->addRef(intf); } } if (target=="REDIRECT") { rule_type = NATRule::Redirect; RuleElementTDst *re = rule->getTDst(); assert(re!=NULL); 
re->addRef(getFirewallObject()); if (!nat_port_range_start.empty()) { str_tuple empty_range("0", "0"); str_tuple nat_port_range(nat_port_range_start, nat_port_range_end); FWObject *s = createTCPUDPService(empty_range, nat_port_range, protocol); RuleElementTSrv *re = rule->getTSrv(); assert(re!=NULL); re->addRef(s); } if ( ! o_intf.empty()) { RuleElement *itf_o_re = rule->getItfOutb(); assert(itf_o_re!=NULL); newInterface(o_intf); Interface *intf = all_interfaces[o_intf]; itf_o_re->addRef(intf); } } if (target=="NETMAP") { FWObject *o = NULL; if (!src_a.empty()) { rule_type = NATRule::SNetnat; RuleElementTSrc *tsrc = rule->getTSrc(); assert(tsrc!=NULL); ObjectSignature sig(error_tracker); sig.type_name = Address::TYPENAME; sig.setAddress(nat_addr1.c_str()); sig.setNetmask(nat_nm.c_str()); o = commitObject(address_maker->createObject(sig)); tsrc->addRef(o); } if (!dst_a.empty()) { rule_type = NATRule::DNetnat; RuleElementTDst *tdst = rule->getTDst(); assert(tdst!=NULL); ObjectSignature sig(error_tracker); sig.type_name = Address::TYPENAME; sig.setAddress(nat_addr1.c_str()); sig.setNetmask(nat_nm.c_str()); o = commitObject(address_maker->createObject(sig)); tdst->addRef(o); } } if (rule_type==NATRule::Unknown) { if (fwbdebug) qDebug("Unknown target %s, creating branch", target.c_str()); // unknown target, consider it a branch // std::string branch_ruleset_name = target; rule_type = NATRule::NATBranch; rule->setAction(NATRule::Branch); UnidirectionalRuleSet *rs = branch_rulesets[branch_ruleset_name]; if (rs==NULL) { rs = getUnidirRuleSet(branch_ruleset_name, NAT::TYPENAME); branch_rulesets[branch_ruleset_name] = rs; } rs->ruleset->setName(target); rule->setBranch(rs->ruleset); } rule->setRuleType(rule_type); // add rule to the right ruleset RuleSet *ruleset = NULL; std::string ruleset_name = ""; if (isStandardChain(current_chain)) { ruleset = RuleSet::cast( getFirewallObject()->getFirstByType(NAT::TYPENAME)); assert(ruleset!=NULL); ruleset->add(current_rule); } else { 
UnidirectionalRuleSet *rs = getUnidirRuleSet(current_chain, NAT::TYPENAME); assert(rs!=NULL); rs->ruleset->add(current_rule); ruleset = rs->ruleset; } // renumber to clean-up rule positions ruleset->renumberRules(); addStandardImportComment(current_rule, QString::fromUtf8(rule_comment.c_str())); if (error_tracker->hasErrors()) markCurrentRuleBad(); // RuleSet *nat = RuleSet::cast( // getFirewallObject()->getFirstByType(NAT::TYPENAME)); // assert( nat!=NULL ); // nat->add(current_rule); current_rule = NULL; rule_comment = ""; clear(); } Firewall* IPTImporter::finalize() { // scan all UnidirectionalRuleSet objects, set interface and // direction in all rules of corresponding RuleSet and merge all // UnidirectionalRuleSet into one RuleSet object. Attach this // object to the firewall. if (fwbdebug) qDebug("IPTImporter::finalize()"); if (haveFirewallObject()) { Firewall *fw = Firewall::cast(getFirewallObject()); if (fwbdebug) qDebug() << "fw=" << fw; fw->setStr("host_OS", "linux24"); Resources::setDefaultTargetOptions("linux24" , fw); fw->setStr("version", ""); // default version "any" string version = findBestVersionMatch( "iptables", discovered_version.c_str()).toStdString(); if ( ! 
version.empty()) fw->setStr("version", version); fw->getManagementObject(); // creates management obj FWOptions *fwopt = fw->getOptionsObject(); assert(fwopt!=NULL); fwopt->setBool("firewall_is_part_of_any_and_networks", false); // scan all UnidirectionalRuleSet objects and take care of // their default action std::map::iterator it; for (it=all_rulesets.begin(); it!=all_rulesets.end(); ++it) { // rs_index is a string composed of the table name and chain name // like "filter / FORWARD" or "mangle / PREROUTING" // This string is created in IPTImporter::getUnidirRuleSet() string rs_index = it->first; UnidirectionalRuleSet* rs = it->second; if (Policy::isA(rs->ruleset) && rs->default_action == PolicyRule::Accept) { FWObjectDatabase *dbroot = getFirewallObject()->getRoot(); PolicyRule *rule = PolicyRule::cast( dbroot->create(PolicyRule::TYPENAME)); // check if all child objects were populated properly FWOptions *ropt = rule->getOptionsObject(); assert(ropt != NULL); ropt->setBool("stateless", true); rule->setAction(PolicyRule::Accept); rule->setLogging(false); ostringstream str1; str1 << "Default iptables policy in " << rs_index; rule->setComment(str1.str()); if (rs->name == "FORWARD") { rule->setDirection(PolicyRule::Both); if (rs_index.find("mangle") != string::npos) { QString err = QObject::tr( "Warning: Line %1: Can not reproduce default " "action in table 'mangle' chain 'FORWARD'. " "(Generated rule may not generate equivalent " "iptables command when compiled)" ); ropt->setStr("color", getBadRuleColor()); rule->setComment( err.arg( rs->default_action_line_number).toUtf8().constData()); addMessageToLog(err.arg(rs->default_action_line_number)); } } if (rs->name == "INPUT") { RuleElementDst* dst = rule->getDst(); assert(dst!=NULL); dst->addRef(fw); rule->setDirection(PolicyRule::Inbound); if (rs_index.find("mangle") != string::npos) { QString err = QObject::tr( "Warning: Line %1: Can not reproduce default " "action in table 'mangle' chain 'INPUT'. 
" "(Generated rule may not generate equivalent " "iptables command when compiled)" ); ropt->setStr("color", getBadRuleColor()); rule->setComment( err.arg( rs->default_action_line_number).toUtf8().constData()); addMessageToLog(err.arg(rs->default_action_line_number)); } } if (rs->name == "OUTPUT") { RuleElementSrc* src = rule->getSrc(); assert(src!=NULL); src->addRef(fw); rule->setDirection(PolicyRule::Outbound); } if (rs->name == "PREROUTING") { rule->setDirection(PolicyRule::Inbound); } if (rs->name == "POSTROUTING") { rule->setDirection(PolicyRule::Outbound); } rs->ruleset->add(rule); addMessageToLog( QString("Warning: Line %1: Added rule to reproduce default " "policy ACCEPT in %2") .arg(rs->default_action_line_number) .arg(rs_index.c_str())); } } list l2 = fw->getByType(Policy::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { RuleSet *rs = RuleSet::cast(*i); rs->renumberRules(); } l2 = fw->getByType(NAT::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { RuleSet *rs = RuleSet::cast(*i); rs->renumberRules(); } return getFirewallObject(); } else { return NULL; } } UnidirectionalRuleSet* IPTImporter::checkUnidirRuleSet( const std::string &ruleset_name) { string all_rulesets_index = current_table + "/" + ruleset_name; return all_rulesets[all_rulesets_index]; } UnidirectionalRuleSet* IPTImporter::getUnidirRuleSet( const std::string &ruleset_name, const string &ruleset_type_name) { string all_rulesets_index = current_table + "/" + ruleset_name; UnidirectionalRuleSet *rs = all_rulesets[all_rulesets_index]; if (rs == NULL) { RuleSet *ruleset = NULL; FWObjectDatabase *dbroot = getFirewallObject()->getRoot(); if (isStandardChain(ruleset_name)) { if (ruleset_type_name == NAT::TYPENAME) ruleset = RuleSet::cast( getFirewallObject()->getFirstByType(NAT::TYPENAME)); else { list policies = getFirewallObject()->getByType(Policy::TYPENAME); if (current_table == "mangle") { for (list::iterator it=policies.begin(); it!=policies.end(); ++it) { RuleSet 
*rs = RuleSet::cast(*it); FWOptions *rulesetopt = rs->getOptionsObject(); if (rulesetopt->getBool("mangle_only_rule_set")) { ruleset = rs; break; } } if (ruleset == NULL) { ruleset = RuleSet::cast(dbroot->create(Policy::TYPENAME)); FWOptions *rulesetopt = ruleset->getOptionsObject(); rulesetopt->setBool("mangle_only_rule_set", true); ruleset->setTop(true); ruleset->setName("Mangle"); getFirewallObject()->add(ruleset); } } else { for (list::iterator it=policies.begin(); it!=policies.end(); ++it) { RuleSet *rs = RuleSet::cast(*it); FWOptions *rulesetopt = rs->getOptionsObject(); if (rs->getName() == "Policy" && !rulesetopt->getBool("mangle_only_rule_set")) { ruleset = rs; break; } } if (ruleset == NULL) { ruleset = RuleSet::cast(dbroot->create(Policy::TYPENAME)); FWOptions *rulesetopt = ruleset->getOptionsObject(); rulesetopt->setBool("mangle_only_rule_set", false); ruleset->setTop(true); ruleset->setName("Policy"); getFirewallObject()->add(ruleset); } } } } else { ruleset = RuleSet::cast(dbroot->create(ruleset_type_name)); ruleset->setName(ruleset_name); getFirewallObject()->add(ruleset); } rs = new UnidirectionalRuleSet(); rs->name = ruleset_name; rs->ruleset = ruleset; all_rulesets[all_rulesets_index] = rs; } return rs; } void IPTImporter::newUnidirRuleSet(const string &chain_name, const string &ruleset_type) { current_ruleset = getUnidirRuleSet(chain_name, ruleset_type); // creates if new addMessageToLog( QString("New ruleset: %1 / %2") .arg(current_table.c_str()).arg(current_ruleset->name.c_str())); } bool IPTImporter::isStandardChain(const std::string &ipt_chain) { return (ipt_chain == "INPUT" || ipt_chain == "OUTPUT" || ipt_chain == "FORWARD" || ipt_chain == "PREROUTING" || ipt_chain == "POSTROUTING"); } fwbuilder-5.3.7/src/import/IPTImporter.h000066400000000000000000000124311303637203600201450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we 
release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _FWB_POLICY_IMPORTER_IPT_H_ #define _FWB_POLICY_IMPORTER_IPT_H_ #include #include #include #include #include #include "Importer.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Logger.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include #include #include class IPTImporter : public Importer { QMap reject_action_arg_mapping; int aux_branch_number; libfwbuilder::FWObject* createTCPUDPService(str_tuple &src_range, str_tuple &dst_range, const std::string &proto); libfwbuilder::FWObject* createTCPUDPService(const std::string &proto); virtual libfwbuilder::FWObject* createTCPService(const QString &name=""); virtual libfwbuilder::FWObject* createUDPService(const QString &name=""); virtual libfwbuilder::FWObject* makeSrcObj(); virtual libfwbuilder::FWObject* makeDstObj(); void processModuleMatches(); void addAllModuleMatches(libfwbuilder::PolicyRule *rule); void addMarkMatch(libfwbuilder::PolicyRule *rule); void addLengthMatch(libfwbuilder::PolicyRule *rule); void addLimitMatch(libfwbuilder::PolicyRule *rule); void addRecentMatch(libfwbuilder::PolicyRule *rule); void addPktTypeMatch(libfwbuilder::PolicyRule *rule); void addStateMatch(libfwbuilder::PolicyRule *rule, const std::string &state); std::string getBranchName(const std::string &suffix); libfwbuilder::PolicyRule* createPolicyBranch( libfwbuilder::PolicyRule 
*rule, const std::string &branch_name, bool clear_rule_elements, bool make_stateless); libfwbuilder::NATRule* createNATBranch( libfwbuilder::NATRule *rule, const std::string &branch_name, bool clear_rule_elements); public: int service_group_name_seed; std::string current_table; std::string current_chain; std::string current_state; std::string i_intf; std::string o_intf; std::string target; std::string tmp_port_range_start; std::string tmp_port_range_end; std::list src_port_list; std::list dst_port_list; std::list both_port_list; std::map action_params; // need to keep track of branches in 2.1 // should not be neccessary in 3.0 when multiple // rule can refer to the same branch ruleset std::map branch_rulesets; std::string match_mark; bool neg_match_mark; bool src_neg; bool dst_neg; bool srv_neg; bool intf_neg; bool tmp_neg; std::string limit_val; std::string limit_suffix; std::string limit_burst; std::string length_spec; std::string recent_match; std::string pkt_type_spec; std::string nat_addr1; std::string nat_addr2; std::string nat_nm; std::string nat_port_range_start; std::string nat_port_range_end; bool using_iprange_src; std::string iprange_src_from; std::string iprange_src_to; bool using_iprange_dst; std::string iprange_dst_from; std::string iprange_dst_to; libfwbuilder::PolicyRule *last_mark_rule; IPTImporter(libfwbuilder::FWObject *lib, std::istringstream &input, libfwbuilder::Logger *log, const std::string &fwname); ~IPTImporter(); virtual void run(); virtual void clear(); void startSrcMultiPort(); void pushTmpPortSpecToSrcPortList(); void startDstMultiPort(); void pushTmpPortSpecToDstPortList(); void startBothMultiPort(); void pushTmpPortSpecToBothPortList(); void pushPolicyRule(); void pushNATRule(); virtual void addSrv(); virtual void pushRule(); virtual UnidirectionalRuleSet* getUnidirRuleSet( const std::string &rsname, const std::string &ruleset_type_name); virtual UnidirectionalRuleSet* checkUnidirRuleSet( const std::string &rsname); virtual void 
newUnidirRuleSet(const std::string &name, const std::string &ruleset_type); // this method actually adds interfaces to the firewall object // and does final clean up. virtual libfwbuilder::Firewall* finalize(); bool isStandardChain(const std::string &ipt_chain); void registerTable(const std::string &table_name); bool isSupportedTable(const std::string &table_name); }; #endif fwbuilder-5.3.7/src/import/IPTImporterRun.cpp000066400000000000000000000130301303637203600211610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
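To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "../../config.h"

#include "IPTImporter.h"

// NOTE(review): the names of the eight system headers below were lost in
// extraction (angle-bracket arguments stripped); only the directives remain.
#include
#include
#include
#include
#include
#include
#include
#include

// parser and lexer for files produced by iptables-save
#include "../parsers/IPTCfgLexer.hpp"
#include "../parsers/IPTCfgParser.hpp"

extern int fwbdebug;

using namespace std;

/*
 * Only this module depends on IPTCfgLexer and IPTCfgParser,
 * so only this file is recompiled when we change grammar
 */

/*
 * Normalize the iptables-save text held in the `input` stream and run the
 * ANTLR-generated IPTCfgParser over it, building objects through the
 * importer callbacks.
 *
 * Parser, ObjectMaker and Importer exceptions are caught here and turned
 * into messages; nothing is rethrown. All collected messages, plus the
 * "no interfaces" / "no rules" / "no firewall" diagnostics, are written to
 * `logger` at the end.
 *
 * The input is untrusted configuration text: the line loop is written so
 * that overlong lines and empty input are handled instead of looping
 * forever or aborting (see comments inline).
 */
void IPTImporter::run()
{
    // it is probably safer to create an empty firewall if we do not have
    // ANTLR on the system rather than try to #ifdef out chunks of code
    // here and there in this module
    //
    // Obviously we should disable GUI elements that activate this importer
    // if ANTLR runtime is not available.
    //
    QStringList err;
    ostringstream parser_debug;

    /* Do a bit of preprocessing of the input to simplify crazy grammar. String
     * operations are easier to do with Qt QString class.
     *
     * Do the following (will add more stuff here in the future):
     *
     * - normalize parameters for the multiport module. Multiport accepts
     * parameters --source-ports and --sport and apparently in the older versions
     * --sports. Unfortunately the same parameter "--sport" is used
     * to do port match with module tcp, udp and several others. Even though the
     * name of the parameter is the same, port specification can follow different
     * rules. For example, for multiport we can have port1[,port2], while for
     * modules tcp and udp it is port1[:port2]. This makes grammar difficult
     * to write. Need to convert parameters to the unique long form before
     * passing script to antlr
     */

    string normalized_input_buffer;

    // The input size is only a reserve() hint. tellg() returns -1 when the
    // stream cannot report a position; the previous unconditional cast to
    // size_t turned that into an enormous reserve() request.
    input.seekg(0, ios::end);
    streampos input_end = input.tellg();
    if (input_end > 0)
        normalized_input_buffer.reserve(static_cast<size_t>(input_end));
    input.clear();
    input.seekg(0, ios::beg);

    QRegExp old_negation_short("(-[^- ])\\s!");
    QRegExp old_negation_long("(--[^- ]+)\\s!");

    // Read with std::getline into a std::string instead of istream::getline
    // into a fixed 8 KiB char buffer. A line longer than that buffer set
    // failbit without ever reaching eof, so the old `while (!input.eof())`
    // loop never terminated on such input. This form also stops exactly at
    // end of input instead of appending one spurious empty line.
    string raw_line;
    while (std::getline(input, raw_line))
    {
        QString str(raw_line.c_str());

        if (str.contains("-m multiport"))
        {
            str.replace("--sports", "--source-ports");
            str.replace("--sport", "--source-ports");
            str.replace("--dports", "--destination-ports");
            str.replace("--dport", "--destination-ports");
        }

        // negation: "-s ! something" format is deprecated and is replaced with
        // "! -s something", but our parser understands only old format.
        int pos = 0;
        while (true)
        {
            QString option;
            int match_length = 0;
            int old_pos = old_negation_short.indexIn(str, pos);
            if (old_pos != -1)
            {
                option = old_negation_short.cap(1);
                match_length = old_negation_short.matchedLength();
            } else
            {
                old_pos = old_negation_long.indexIn(str, pos);
                if (old_pos != -1)
                {
                    option = old_negation_long.cap(1);
                    match_length = old_negation_long.matchedLength();
                }
            }
            if (old_pos == -1) break;

            QString new_format = QString("! %1").arg(option);
            str.replace(old_pos, match_length, new_format);
            // continue scanning after the rewritten span
            pos = old_pos + match_length;
        }

        normalized_input_buffer.append(str.toStdString());
        normalized_input_buffer.append("\n");
    }

    QString parser_err = QObject::tr("Parser error:");
    QString gen_err = QObject::tr("Error:");

    // Empty input used to trip an assert() here and abort the process.
    // Skipping the parser instead lets the checks below report the missing
    // firewall object through the normal error path.
    if (!normalized_input_buffer.empty())
    {
        istringstream normalized_input(normalized_input_buffer);

        IPTCfgLexer lexer(normalized_input);
        IPTCfgParser parser(lexer);
        parser.importer = this;
        if (fwbdebug) parser.dbg = &std::cerr;
        else parser.dbg = &parser_debug;

        try
        {
            parser.cfgfile();
        } catch(ANTLR_USE_NAMESPACE(antlr)ANTLRException &e)
        {
            err << parser_err + " " + e.toString().c_str();
        } catch(ObjectMakerException &e)
        {
            err << gen_err + " " + e.toString();
        } catch(ImporterException &e)
        {
            err << gen_err + " " + e.toString();
        } catch(std::exception& e)
        {
            err << parser_err + " " + e.what();
        }
    }

    if (haveFirewallObject())
    {
        if (countInterfaces()==0) err << noInterfacesErrorMessage();
        if (countRules()==0) err << noRulesErrorMessage();
    } else
    {
        err << parser_err;
        err << noFirewallErrorMessage();
        err << commonFailureErrorMessage();
    }

    if (!err.isEmpty()) *logger << err.join("\n").toUtf8().constData();
}
fwbuilder-5.3.7/src/import/IcmpSpec.h000066400000000000000000000033001303637203600174670ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2011 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.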
To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef _ICMP_SPEC_H_
#define _ICMP_SPEC_H_

// NOTE(review): the names of the three system headers below were lost in
// extraction (angle-bracket arguments stripped).
#include
#include
#include

/*
 * Value holder for an ICMP type/code match as written in a configuration
 * being imported. Every field keeps the textual form found in the input
 * (a symbolic name or a number as a string); an empty string means the
 * field was not given. No validation or conversion happens here.
 */
class IcmpSpec
{
public:
    std::string icmp_type_name;
    std::string icmp_type_int;
    std::string icmp_code_name;
    std::string icmp_code_int;

    // All four fields empty.
    IcmpSpec()
        : icmp_type_name(),
          icmp_type_int(),
          icmp_code_name(),
          icmp_code_int()
    {}

    // Field-wise copy of another spec.
    IcmpSpec(const IcmpSpec &other)
        : icmp_type_name(other.icmp_type_name),
          icmp_type_int(other.icmp_type_int),
          icmp_code_name(other.icmp_code_name),
          icmp_code_int(other.icmp_code_int)
    {}

    // Arguments map onto the fields in declaration order:
    // type name, type number, code name, code number.
    IcmpSpec(const std::string s1, const std::string s2,
             const std::string s3, const std::string s4)
        : icmp_type_name(s1),
          icmp_type_int(s2),
          icmp_code_name(s3),
          icmp_code_int(s4)
    {}
};

#endif
fwbuilder-5.3.7/src/import/Importer.cpp000066400000000000000000000707251303637203600201330ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2007 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

/*
 * Trying to avoid dependency on libgui (except for FWBTree, which
 * will be refactored into some other common module in the future).
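 */

#include "../../config.h"

#include "Importer.h"

// NOTE(review): the names of the bare system #include lines in this file were
// lost in extraction (angle-bracket arguments stripped); only the directives
// remain.
#include
#include
#include
#include
#include

#include "interfaceProperties.h"
#include "interfacePropertiesObjectFactory.h"

#include "fwbuilder/Address.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/FWObject.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/TagService.h"
#include "fwbuilder/UDPService.h"

#include
#include
#include
#include

extern int fwbdebug;

using namespace libfwbuilder;
using namespace std;

// a functor to join list into a string with separator sep
// (the template arguments of std::unary_function were lost in extraction)
class join : public std::unary_function
{
    std::string *result;
    std::string separator;

public:
    join(std::string *res, const std::string &s)
    {
        result = res;
        separator = s;
    }
    void operator()(std::string &s);
};

// Append s to *result, preceded by the separator unless *result is still empty.
void join::operator()(string &s)
{
    if (!result->empty()) *result += separator;
    *result += s;
}

// Color used to mark rules that could not be imported cleanly.
std::string Importer::getBadRuleColor()
{
    return "#C86E6E";
}

// Move the scratch address/netmask into the source slot of the current rule.
void Importer::SaveTmpAddrToSrc()
{
    src_a = tmp_a;
    src_nm = tmp_nm;
}

// Move the scratch address/netmask into the destination slot of the current rule.
void Importer::SaveTmpAddrToDst()
{
    dst_a = tmp_a;
    dst_nm = tmp_nm;
}

// Move the scratch port operator/spec into the source slot of the current rule.
void Importer::SaveTmpPortToSrc()
{
    src_port_op = tmp_port_op;
    src_port_spec = tmp_port_spec;
}

// Move the scratch port operator/spec into the destination slot of the current rule.
void Importer::SaveTmpPortToDst()
{
    dst_port_op = tmp_port_op;
    dst_port_spec = tmp_port_spec;
}

/*
 * _lib       library the created objects are placed in
 * _platform  platform string written into the firewall object
 * _input     stream holding the configuration text (kept by reference)
 * log        destination for import messages
 * fwname     name given to the firewall object when it is created
 *
 * The firewall object itself is not created here; see getFirewallObject().
 */
Importer::Importer(FWObject *_lib,
                   const std::string &_platform,
                   std::istringstream &_input,
                   Logger *log,
                   const std::string &fwname) : input(_input)
{
    this->fwname = fwname;
    library = _lib;
    fw = NULL;
    error_counter = 0;
    logger = log;
    platform = _platform;
    current_interface = NULL;
    current_ruleset = NULL;
    current_rule = NULL;

    error_tracker = new ObjectMakerErrorTracker();
    address_maker = new AddressObjectMaker(Library::cast(library), error_tracker);
    service_maker = new ServiceObjectMaker(Library::cast(library), error_tracker);

    clear();
}

// Let both object makers index the existing tree so that objects created
// during import can be reused instead of duplicated.
void Importer::prepareForDeduplication()
{
    address_maker->prepareForDeduplication(library->getRoot());
    service_maker->prepareForDeduplication(library->getRoot());
}

void Importer::run()
{
    // create and run parsers in derived classes
}

Importer::~Importer()
{
    // NOTE(review): the UnidirectionalRuleSet wrappers stored in all_rulesets
    // are allocated with new in getUnidirRuleSet() and are only dropped
    // from the map here, not deleted; whether a derived importer takes
    // ownership of them elsewhere is not visible in this file — confirm
    // before changing this.
    all_rulesets.clear();
    all_interfaces.clear();

    delete address_maker;
    delete service_maker;
    delete error_tracker;
}

// Reset all per-rule scratch state and the error tracker. Called from the
// constructor and after every pushRule().
void Importer::clear()
{
    last_comment.clear();
    action = "";
    protocol = "";
    src_a = "";
    src_nm = "";
    src_port_op = "";
    src_port_spec = "";
    dst_a = "";
    dst_nm = "";
    dst_port_op = "";
    dst_port_spec = "";
    tmp_a = "";
    tmp_nm = "";
    tmp_port_op = "";
    tmp_port_spec = "";
    tmp_port_spec_2 = "";
    tmp_range_1 = "";
    tmp_range_2 = "";
    logging = false;
    log_level = "";
    log_interval = "";
    established = false;
    fragments = false;
    icmp_spec = "";
    icmp_code = "";
    icmp_type = "";
    time_range_name = "";

    if (!tcp_flags_mask.empty()) tcp_flags_mask.clear();
    if (!tcp_flags_comp.empty()) tcp_flags_comp.clear();
    if (!tmp_tcp_flags_list.empty()) tmp_tcp_flags_list.clear();

    error_tracker->clear();
}

// Return the firewall object, creating it on first use with the name and
// platform given to the constructor.
Firewall* Importer::getFirewallObject()
{
    if (fw!=NULL) return fw;

    ObjectMaker maker(Library::cast(library), error_tracker);
    FWObject *nobj = commitObject(
        maker.createObject(Firewall::TYPENAME, fwname));
    fw = Firewall::cast(nobj);
    fw->setStr("platform", platform);
    Resources::setDefaultTargetOptions(platform , fw);

    return fw;
}

/*
 * Creates firewall object and sets its name
 *
 * This assumes that configuration clause that declares host name
 * comes first (true for Ciscos, but may not be true for others)
 *
 */
void Importer::setHostName(const std::string &hn)
{
    getFirewallObject()->setName(hn);
    addMessageToLog("Host name: " + hn);
}

void Importer::setDiscoveredVersion(const std::string &v)
{
    discovered_version = v;
    addMessageToLog("Version: " + v);
}

void Importer::setDiscoveredPlatform(const std::string &v)
{
    discovered_platform = v;
    addMessageToLog("Platform: " + v);
}

// Return the interface with this name, creating it (unnumbered) under the
// firewall object if it does not exist yet. A newly created interface
// becomes current_interface; an existing one does not.
Interface* Importer::newInterface(const std::string &name)
{
    if (all_interfaces.count(name)>0) return all_interfaces[name];

    ObjectMaker maker(Library::cast(library), error_tracker);
    FWObject *nobj = commitObject(
        maker.createObject(getFirewallObject(), Interface::TYPENAME, name));
    current_interface = Interface::cast(nobj);
    current_interface->setUnnumbered(true);
    all_interfaces[name] = current_interface;

    addMessageToLog(QObject::tr("New interface: %1").arg(name.c_str()));

    return current_interface;
}

/*
 * We call this when importer for PIX or IOS encounters interface in
 * state "shutdown"
 */
void Importer::ignoreCurrentInterface()
{
    if (current_interface)
    {
        string name = current_interface->getName();
        current_interface->getParent()->remove(current_interface);
        all_interfaces.erase(name);
        current_interface = NULL;
    }
}

// Attach an address to intf. The literal "dhcp" marks the interface as
// dynamic; any other value is used to build an IPv4 child object named
// "<firewall>:<interface>:ip".
void Importer::addAddressObjectToInterface(Interface*intf,
                                           const string &addr,
                                           const string &netm)
{
    intf->setUnnumbered(false);
    if (addr == "dhcp") intf->setDyn(true);
    else
    {
        string aname = getFirewallObject()->getName() + ":" + intf->getName() + ":ip";
        ObjectMaker maker(Library::cast(library), error_tracker);
        FWObject *nobj = commitObject(
            maker.createObject(intf, IPv4::TYPENAME, aname));
        IPv4::cast(nobj)->setAddress( InetAddr(addr) );
        IPv4::cast(nobj)->setNetmask( InetAddr(netm) );
    }
}

// Add address a/nm to current_interface; no-op when there is no current interface.
void Importer::addInterfaceAddress(const std::string &a,
                                   const std::string &nm)
{
    if (current_interface!=NULL)
    {
        addAddressObjectToInterface(current_interface, a, nm);
        addMessageToLog("Interface address: " + a + "/" + nm);
    }
}

// Add address a/nm to every interface whose label equals `label`.
void Importer::addInterfaceAddress(const std::string &label,
                                   const std::string &a,
                                   const std::string &nm)
{
    map<string, Interface*>::iterator it;
    for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it)
    {
        Interface *intf = it->second;
        if (intf->getLabel() == label)
        {
            addAddressObjectToInterface(intf, a, nm);
            addMessageToLog("Interface address: " + a + "/" + nm);
        }
    }
}

void Importer::setInterfaceComment(const std::string &descr)
{
    // current_interface can be NULL if parser encountered command
    // that looked like interface description but in reality was
    // description of something else. For example this happens when
    // it finds command "description" under "controller" in Cisco router
    // configuration.
    if (current_interface!=NULL)
    {
        current_interface->setComment(descr);
        addMessageToLog("Interface comment: " + descr);
    }
}

void Importer::setInterfaceLabel(const std::string &descr)
{
    if (current_interface!=NULL)
    {
        current_interface->setLabel(descr);
        addMessageToLog("Interface label: " + descr);
    }
}

// Handle the PIX "nameif" forms: when the first argument is a known physical
// interface name this is the pix6 three-argument form, otherwise it is the
// pix7 form where the argument is the label of the current interface.
void Importer::setInterfaceParametes(const std::string &phys_intf_or_label,
                                     const std::string &label,
                                     const std::string &sec_level)
{
    addMessageToLog("Interface parameters: " + phys_intf_or_label + " " +
                    label + " " + sec_level);

    if (all_interfaces.count(phys_intf_or_label))
    {
        // since first arg. is physical interface name, this must be pix6
        // "nameif ethernet0 outside security0"
        Interface *intf = all_interfaces[phys_intf_or_label];
        intf->setLabel(label);
        QRegExp pix6_sec_level("security(\\d+)");
        if (pix6_sec_level.indexIn(sec_level.c_str()) > -1)
            intf->setSecurityLevel(pix6_sec_level.cap(1).toInt());
    } else
    {
        // since first arg is not physical interface name, it must be a label
        // as in pix7 config
        //
        // interface Ethernet0.101
        //  vlan 101
        //  nameif outside
        //  security-level 0
        //  ip address 192.0.2.253 255.255.255.0
        setInterfaceLabel(phys_intf_or_label);
    }
}

// QString::toInt() yields 0 for non-numeric input; that value is stored as-is.
void Importer::setInterfaceSecurityLevel(const std::string &seclevel)
{
    if (current_interface!=NULL)
    {
        QString sl(seclevel.c_str());
        current_interface->setSecurityLevel(sl.toInt());
    }
}

// Mark current_interface as an 802.1q vlan interface with the given id.
void Importer::setInterfaceVlanId(const std::string &vlan_id)
{
    if (current_interface!=NULL)
    {
        FWOptions *ifopt = (Interface::cast(current_interface))->getOptionsObject();
        ifopt->setStr("type", "8021q");
        ifopt->setStr("vlan_id", vlan_id);
    }
}

// Append text to the comment of the rule being built.
void Importer::addRuleComment(const std::string &comm)
{
    rule_comment += comm;
    addMessageToLog("Rule comment: " + comm);
}

// Return the ruleset registered under ruleset_name, or NULL if there is none.
UnidirectionalRuleSet* Importer::checkUnidirRuleSet(
    const std::string &ruleset_name)
{
    // Look up with find() rather than operator[]: operator[] inserted a
    // NULL entry for every unknown name, and countRules() later
    // dereferenced that entry.
    std::map<std::string, UnidirectionalRuleSet*>::iterator it =
        all_rulesets.find(ruleset_name);
    if (it == all_rulesets.end()) return NULL;
    return it->second;
}

// Return the ruleset registered under ruleset_name, creating a RuleSet object
// of type ruleset_type_name (temporarily attached to the firewall) if needed.
UnidirectionalRuleSet* Importer::getUnidirRuleSet(
    const std::string &ruleset_name, const string &ruleset_type_name)
{
    UnidirectionalRuleSet *rs = all_rulesets[ruleset_name];
    if (rs==NULL)
    {
        // got 'ip access-group' command before the access list was defined
        rs = new UnidirectionalRuleSet();
        rs->name = ruleset_name;
        FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
        rs->ruleset = RuleSet::cast(dbroot->create(ruleset_type_name));
        rs->ruleset->setName(ruleset_name);
        all_rulesets[ruleset_name] = rs;

        // add this ruleset to the firewall temporarily
        // because ruleset must belong to the tree somewhere in
        // order for other objects to be added properly.
        getFirewallObject()->add(rs->ruleset);
    }
    return rs;
}

// Record that Policy ruleset ruleset_name applies on intf in direction dir.
// A second, different direction for the same interface widens it to "both".
void Importer::setInterfaceAndDirectionForRuleSet(
    Interface *intf, const std::string &ruleset_name, const std::string &dir)
{
    UnidirectionalRuleSet *rs = getUnidirRuleSet(ruleset_name, Policy::TYPENAME);
    string intf_name = intf->getName();
    if (rs->intf_dir.count(intf_name)==0)
        rs->intf_dir[intf_name] = dir;
    else
    {
        // already have this interface with some direction
        // compare direction, if different, switch to "both"
        if (rs->intf_dir[intf_name] != "both" &&
            rs->intf_dir[intf_name] != dir)
            rs->intf_dir[intf_name] = "both";
    }
    QString l("Interface %1 ruleset %2 direction '%3'");
    addMessageToLog(
        l.arg(intf_name.c_str()).arg(ruleset_name.c_str()).arg(dir.c_str()));
}

/*
 * associate ruleset with interface
 * and direction
 *
 * if intf_name is empty, use current_interface
 *
 * Note that a ruleset may be associated with multiple interfaces
 * and each association can have different direction.
 */
void Importer::setInterfaceAndDirectionForRuleSet(const std::string &ruleset_name,
                                                  const std::string &intf_name,
                                                  const std::string &dir)
{
    Interface *intf = NULL;
    if ( ! intf_name.empty())
    {
        // find() instead of operator[] so that an unknown interface name
        // does not leave a NULL entry behind in all_interfaces.
        map<string, Interface*>::iterator it = all_interfaces.find(intf_name);
        if (it != all_interfaces.end()) intf = it->second;
    } else
    {
        if (current_interface) intf = current_interface;
    }

    if (intf == NULL)
    {
        // current_interface is NULL and _intf_name is empty. Not enough
        // information to associate ruleset with an interface.
        QString err("Can not associate rule set %1 with any interface\n");
        addMessageToLog(err.arg(QString::fromUtf8(ruleset_name.c_str())));
    } else
        setInterfaceAndDirectionForRuleSet(intf, ruleset_name, dir);
}

// Make ruleset_name the current ruleset (created if new) and remember the
// input line it came from.
void Importer::newUnidirRuleSet(const string &ruleset_name,
                                const string &ruleset_type)
{
    current_ruleset = getUnidirRuleSet(ruleset_name, ruleset_type); // creates if new
    current_ruleset->created_from_line_number = getCurrentLineNumber();
    //*logger << "Ruleset: " + ruleset_name + "\n";
}

/*
 * Grammar must ensure the call to setDefaultAction() happens
 * after the call to newUnidirRuleSet()
 *
 * "ACCEPT" selects PolicyRule::Accept; any other value selects Deny.
 */
void Importer::setDefaultAction(const std::string &iptables_action_name)
{
    string default_action_str = "Deny";
    if (iptables_action_name == "ACCEPT")
    {
        current_ruleset->default_action = PolicyRule::Accept;
        current_ruleset->default_action_line_number = getCurrentLineNumber();
        default_action_str = "Accept";
    } else
        current_ruleset->default_action = PolicyRule::Deny;

    addMessageToLog("Default action: " + default_action_str);
}

// Start a new PolicyRule (stateless by default) as current_rule.
void Importer::newPolicyRule()
{
    if (fwbdebug) qDebug() << "Importer::newPolicyRule()";

    FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
    FWObject *nobj = dbroot->create(PolicyRule::TYPENAME);
    current_rule = Rule::cast(nobj);

    // check if all child objects were populated properly
    FWOptions *ropt = current_rule->getOptionsObject();
    assert(ropt!=NULL);
    ropt->setBool("stateless", true);
}

// Start a new NATRule as current_rule.
void Importer::newNATRule()
{
    if (fwbdebug) qDebug() << "Importer::newNATRule()";

    FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
    FWObject *nobj = dbroot->create(NATRule::TYPENAME);
    current_rule = Rule::cast(nobj);

    if (fwbdebug) qDebug() << "current_rule=" << current_rule;
}

// Fill in the current PolicyRule from the scratch fields, add it to the
// current ruleset, attach any tracked warnings/errors to it, then reset
// the scratch state. Requires current_ruleset and current_rule to be set.
void Importer::pushRule()
{
    assert(current_ruleset!=NULL);
    assert(current_rule!=NULL);
    // populate all elements of the rule
    PolicyRule *rule = PolicyRule::cast(current_rule);
    FWOptions *ropt = current_rule->getOptionsObject();
    assert(ropt!=NULL);

    if (action=="permit")
    {
        rule->setAction(PolicyRule::Accept);
        ropt->setBool("stateless", false);
    }

    if (action=="deny")
    {
        rule->setAction(PolicyRule::Deny);
        ropt->setBool("stateless", true);
    }

    rule->setDirection(PolicyRule::Both);

    addSrc();
    addDst();
    addSrv();

    addLogging();

    // then add it to the current ruleset
    current_ruleset->ruleset->add(current_rule);

    if (error_tracker->hasWarnings())
    {
        QStringList warn = error_tracker->getWarnings();
        // parser errors and warnings are added to the log by
        // PFCfgParser::reportError() and PFCfgParser::reportWarning()
        // so we dont need to add them again here
        foreach(QString w, warn)
        {
            if (!w.startsWith("Parser warning:"))
                addMessageToLog("Warning: " + w);
        }
        markCurrentRuleBad();
    }

    if (error_tracker->hasErrors())
    {
        QStringList err = error_tracker->getErrors();
        foreach(QString e, err)
        {
            if (!e.startsWith("Parser error:"))
                addMessageToLog("Error: " + e);
        }
        markCurrentRuleBad();
    }

    addStandardImportComment(
        current_rule, QString::fromUtf8(rule_comment.c_str()));

    current_rule = NULL;
    rule_comment = "";

    clear();
}

void Importer::setSrcSelf()
{
    src_a = "self";
}

void Importer::setDstSelf()
{
    dst_a = "self";
}

// Build (or reuse) an address object for addr/netm. "self" yields the
// firewall object itself; an empty or all-zero address with an empty or
// all-zero netmask means 'any' and yields NULL. An empty netmask is taken
// as a host mask (all ones).
FWObject* Importer::makeAddressObj(const std::string addr, const std::string netm)
{
    if (addr == "self")
    {
        return getFirewallObject();
    }

    if ( (addr=="" && netm=="") ||
         (addr==InetAddr::getAny().toString() &&
          netm==InetAddr::getAny().toString()))
        return NULL;  // this is 'any'

    ObjectSignature sig(error_tracker);
    sig.type_name = Address::TYPENAME;
    sig.setAddress(addr.c_str());
    if (netm=="")
        sig.setNetmask(InetAddr::getAllOnes().toString().c_str(),
                       address_maker->getInvertedNetmasks());
    else
        sig.setNetmask(netm.c_str(), address_maker->getInvertedNetmasks());

    return commitObject(address_maker->createObject(sig));
}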
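FWObject* Importer::makeSrcObj()
{
    return makeAddressObj(src_a, src_nm);
}

FWObject* Importer::makeDstObj()
{
    return makeAddressObj(dst_a, dst_nm);
}

// Build (or reuse) a service object for the scratch protocol fields.
// Returns NULL for an empty protocol ('any'). ICMP uses icmp_spec when
// set, otherwise icmp_type/icmp_code; tcp and udp are delegated to the
// virtual create*Service() hooks; everything else becomes an IPService.
FWObject* Importer::makeSrvObj()
{
    if (protocol=="") return NULL;  // this is 'any'
    FWObject *s;
    if (protocol=="icmp")
    {
        ObjectSignature sig(error_tracker);
        sig.type_name = ICMPService::TYPENAME;
        if ( ! icmp_spec.empty())
        {
            sig.setIcmpFromName(icmp_spec.c_str());
        } else
        {
            sig.setIcmpType(icmp_type.c_str());
            sig.setIcmpCode(icmp_code.c_str());
        }
        s = service_maker->createObject(sig);
    }
    else
    {
        if (protocol=="tcp")
        {
            s = createTCPService();
        }
        else
        {
            if (protocol=="udp")
            {
                s = createUDPService();
            }
            else
            {
                ObjectSignature sig(error_tracker);
                sig.type_name = IPService::TYPENAME;
                sig.setProtocol(protocol.c_str());
                sig.fragments = fragments;
                s = service_maker->createObject(sig);
            }
        }
    }
    // if create*Service returns NULL, this is 'any'
    return commitObject(s);
}

// Add the source object to the current PolicyRule; NULL ('any') adds nothing.
void Importer::addSrc()
{
    PolicyRule *rule = PolicyRule::cast(current_rule);
    RuleElementSrc* src = rule->getSrc();
    assert(src!=NULL);
    FWObject *s = makeSrcObj();
    if (s) src->addRef( s );
}

void Importer::addDst()
{
    PolicyRule *rule = PolicyRule::cast(current_rule);
    RuleElementDst* dst = rule->getDst();
    assert(dst!=NULL);
    FWObject *s = makeDstObj();
    if (s) dst->addRef( s );
}

void Importer::addSrv()
{
    PolicyRule *rule = PolicyRule::cast(current_rule);
    RuleElementSrv* srv = rule->getSrv();
    assert(srv!=NULL);
    FWObject *s = makeSrvObj();
    if (s) srv->addRef( s );
}

// NAT rule counterparts of addSrc/addDst/addSrv (original src/dst/srv elements).
void Importer::addOSrc()
{
    NATRule *rule = NATRule::cast(current_rule);
    RuleElementOSrc* src = rule->getOSrc();
    assert(src!=NULL);
    FWObject *s = makeSrcObj();
    if (s) src->addRef( s );
}

void Importer::addODst()
{
    NATRule *rule = NATRule::cast(current_rule);
    RuleElementODst* dst = rule->getODst();
    assert(dst!=NULL);
    FWObject *s = makeDstObj();
    if (s) dst->addRef( s );
}

void Importer::addOSrv()
{
    NATRule *rule = NATRule::cast(current_rule);
    RuleElementOSrv* srv = rule->getOSrv();
    assert(srv!=NULL);
    FWObject *s = makeSrvObj();
    if (s) srv->addRef( s );
}

// Only the logging flag is transferred; log_level and log_interval are
// collected but not applied here.
void Importer::addLogging()
{
    PolicyRule *rule = PolicyRule::cast(current_rule);
    rule->setLogging(logging);
    // log_level
    // log_interval
}

Firewall* Importer::finalize()
{
    return fw;
}

FWObject* Importer::createTCPService(const QString &)
{
    // Default implementation
    return NULL;
}

FWObject* Importer::createUDPService(const QString &)
{
    // Default implementation
    return NULL;
}

// Create an ObjectGroup "intf-<ruleset_name>" holding the named interfaces,
// reusing a group already built for the same ruleset and interface list.
// (The element type of `interfaces` was lost in extraction; join() treats
// the elements as std::string.)
FWObject* Importer::createGroupOfInterfaces(
    const std::string &ruleset_name, std::list &interfaces)
{
    std::string name = "intf-" + ruleset_name;
    // by including ruleset name (==acl name) into the signature we
    // force import to create separate interface group for each access list
    // even if interface set is the same as for some other access list.
    // This decision is rather arbitrary but it feels less confusing
    // compared to the case when interface groups created from different
    // access lists are merged. If they are merged, the name refers to one
    // access list which looks weird in the GUI since rules may have been
    // imported from another access list.
    std::string sig = ruleset_name + "_";
    std::for_each(interfaces.begin(), interfaces.end(), join(&sig, "_"));

    if (fwbdebug)
        qDebug() << QString("Interface group with name '%1', sig '%2'")
            .arg(name.c_str()).arg(sig.c_str());

    if (all_objects.count(sig)!=0) return all_objects[sig];

    ObjectMaker maker(Library::cast(library), error_tracker);
    ObjectGroup *og = ObjectGroup::cast(
        commitObject(
            maker.createObject(ObjectGroup::TYPENAME, name)));
    for (std::list::iterator j=interfaces.begin(); j!=interfaces.end(); ++j)
    {
        // find() instead of operator[]: an interface name that was never
        // registered used to insert a NULL entry and then addRef(NULL).
        map<string, Interface*>::iterator it = all_interfaces.find(*j);
        if (it == all_interfaces.end())
        {
            addMessageToLog(
                QString("Interface '%1' not found while building group '%2'")
                .arg(QString::fromUtf8(j->c_str()))
                .arg(QString::fromUtf8(name.c_str())));
            continue;
        }
        og->addRef(it->second);
    }
    all_objects[sig] = og;
    return og;
}

/**
 * set color of the current rule (use red) and add comment
 * to indicate that the rule could not be properly parsed
 */
void Importer::markCurrentRuleBad()
{
    FWOptions *ropt = current_rule->getOptionsObject();
    assert(ropt!=NULL);
    ropt->setStr("color", getBadRuleColor());

    QStringList comment;
    if ( ! current_rule->getComment().empty())
        comment.append(QString::fromUtf8(current_rule->getComment().c_str()));

    foreach(QString err, error_tracker->getWarnings())
        comment.append(err);

    foreach(QString err, error_tracker->getErrors())
        comment.append(err);

    current_rule->setComment(comment.join("\n").toUtf8().constData());
}

void Importer::reportError(const std::string &comment)
{
    reportError(QString::fromUtf8(comment.c_str()));
}

// Count the error, log it as "Error: ..." and register it with the tracker
// so that the rule being built gets marked bad in pushRule().
void Importer::reportError(const QString &comment)
{
    error_counter++;
    QString err = QObject::tr("Error: %1").arg(comment);
    addMessageToLog(err);
    error_tracker->registerError(err);
}

// Total number of rules across all registered rulesets.
int Importer::countRules()
{
    int n = 0;
    std::map<std::string, UnidirectionalRuleSet*>::iterator it;
    for (it=all_rulesets.begin(); it!=all_rulesets.end(); ++it)
    {
        // The key (it->first) is a string composed of the table name and
        // chain name like "filter / FORWARD" or "mangle / PREROUTING".
        // This string is created in IPTImporter::getUnidirRuleSet()
        UnidirectionalRuleSet* rs = it->second;
        // rs can be NULL if some code path used operator[] on all_rulesets
        // with a name that was never registered; skip such entries.
        if (rs && rs->ruleset) n += rs->ruleset->getRuleSetSize();
    }
    return n;
}

// Number of Interface children of the firewall object, or 0 if the
// firewall object has not been created.
int Importer::countInterfaces()
{
    if (haveFirewallObject())
    {
        // local name chosen not to shadow the fw member
        Firewall *fwobj = Firewall::cast(getFirewallObject());
        list all_interface_objects = fwobj->getByType(Interface::TYPENAME);
        return all_interface_objects.size();
    } else
        return 0;
}

QString Importer::noFirewallErrorMessage()
{
    return QObject::tr(
        "Could not find enough information in the data file "
        "to create firewall object."
        "\n\n"
    );
}

QString Importer::noRulesErrorMessage()
{
    return QObject::tr(
        "Could not find enough information in the data file "
        "to create any firewall rules."
        "\n\n"
    );
}

QString Importer::noInterfacesErrorMessage()
{
    return QObject::tr(
        "Could not find enough information in the data file "
        "to create firewall interface objects."
        "\n\n"
    );
}

/*
 * This is a common error message shown by the importer when it fails
 * to create firewall object. Keeping it in the base class since it is
 * used in the finalize() function of all importer classes.
 */
QString Importer::commonFailureErrorMessage()
{
    return QObject::tr(
        "Please check that the "
        "file you are trying to import is in one of supported "
        "formats. Currently fwbuilder can only import "
        "iptables configuration saved with "
        "'iptables-restore' command, Cisco routers (IOS), "
        "Cisco ASA, FWSM and PIX configurations saved with "
        "'show run' command and PF configuration from a pf.conf file."
    );
}

void Importer::addMessageToLog(const std::string &msg)
{
    addMessageToLog(QString::fromUtf8(msg.c_str()));
}

// Write msg to the logger, prefixed with "<line>: " when the current input
// line number is known (>= 0).
void Importer::addMessageToLog(const QString &msg)
{
    if (getCurrentLineNumber() >= 0)
    {
        QString log_line("%1: %2\n");
        *logger << log_line.arg(getCurrentLineNumber()).arg(msg).toUtf8().constData();
    } else
    {
        *logger << msg.toUtf8().constData();
    }
}

/**
 * This function adds "standard" comment to the object, plus text
 * passed as @additional_comment argument. If the object already has
 * some comment, it is preserved and new text is appended to it. If
 * flag add_standard_comments is false, then comment referring to the
 * line number in the original file is not added, but
 * @additional_comment is added anyway. Note that we also add comments
 * to rules in case of errors but those are not suppressed by the flag
 * add_standard_comments
 */
void Importer::addStandardImportComment(FWObject *obj,
                                        const QString &additional_comment)
{
    if (obj == NULL) return;

    // what if this object has been found in a read-only library?
    if (obj->isReadOnly()) return;

    // this function may get called again if object is being reused
    if ( obj->getBool(".import-commited")) return;

    QStringList comment;

    if ( ! obj->getComment().empty())
        comment << QString::fromUtf8(obj->getComment().c_str());

    if ( ! additional_comment.isEmpty()) comment << additional_comment;

    if (add_standard_comments)
    {
        QString file_and_line("Created during import of %1 line %2");
        comment << file_and_line
            .arg(QString::fromUtf8(input_file_name.c_str()))
            .arg(getCurrentLineNumber());
    }

    obj->setComment(comment.join("\n").toUtf8().constData());
    obj->setBool(".import-commited", true);
}

// Attach the standard import comment to obj and return it. NULL is passed
// through unchanged (callers use NULL to mean 'any'); read-only objects are
// returned untouched.
FWObject* Importer::commitObject(FWObject *obj)
{
    // The NULL check must come first: the previous order dereferenced obj
    // in isReadOnly() before testing it.
    if (obj == NULL) return obj;

    // what if this object has been found in a read-only library?
    if (obj->isReadOnly()) return obj;

    addStandardImportComment(obj, "");
    return obj;
}

/*
 * Rearrange vlan interfaces. Importer creates all interfaces as
 * children of the firewall. Vlan interfaces should become
 * subinterfaces of the corresponding physical interfaces.
 *
 * (Template arguments of the auto_ptr and list declarations below were
 * lost in extraction.)
 */
void Importer::rearrangeVlanInterfaces()
{
    std::auto_ptr int_prop(
        interfacePropertiesObjectFactory::getInterfacePropertiesObject(
            getFirewallObject()));

    list all_interface_objects =
        getFirewallObject()->getByTypeDeep(Interface::TYPENAME);

    list vlans;
    list::iterator it;
    for (it=all_interface_objects.begin(); it!=all_interface_objects.end(); ++it)
    {
        Interface *intf = Interface::cast(*it);
        FWOptions *ifopt = intf->getOptionsObject();

        if (int_prop->looksLikeVlanInterface(intf->getName().c_str()) &&
            ifopt->getStr("type")=="8021q")
        {
            // debug output is gated on fwbdebug like elsewhere in this file
            if (fwbdebug)
                qDebug() << "Found vlan interface" << intf->getName().c_str();
            vlans.push_back(intf);
        }
    }

    for (it=vlans.begin(); it!=vlans.end(); ++it)
    {
        Interface *vlan_intf = Interface::cast(*it);

        if (fwbdebug) qDebug() << "VLAN " << vlan_intf->getName().c_str();

        QString base_name;
        int vlan_id;
        int_prop->parseVlan(vlan_intf->getName().c_str(), &base_name, &vlan_id);

        if (fwbdebug) qDebug() << "base name" << base_name;

        if ( ! base_name.isEmpty())
        {
            getFirewallObject()->remove(vlan_intf, false); // do not delete

            list::iterator it2;
            for (it2=all_interface_objects.begin();
                 it2!=all_interface_objects.end(); ++it2)
            {
                if (base_name == (*it2)->getName().c_str())
                {
                    (*it2)->add(vlan_intf, false);
                    break;
                }
            }
        }
    }
}

// Remember that obj needs manual attention; err is the reason shown to the user.
void Importer::registerBrokenObject(FWObject *obj, const QString &err)
{
    broken_objects[obj] = err;
}

bool Importer::isObjectBroken(FWObject *obj)
{
    return broken_objects.count(obj) != 0;
}

// Return the error recorded for obj, or an empty QString if it was never
// registered. Uses find() because operator[] inserted an empty entry and
// thereby made isObjectBroken() return true for the object afterwards.
QString Importer::getBrokenObjectError(FWObject *obj)
{
    std::map<FWObject*, QString>::iterator it = broken_objects.find(obj);
    if (it == broken_objects.end()) return QString();
    return it->second;
}
fwbuilder-5.3.7/src/import/Importer.h000066400000000000000000000314411303637203600175720ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2007 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.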
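To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef _FWB_POLICY_IMPORTER_H_
#define _FWB_POLICY_IMPORTER_H_

#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleSet.h"
#include "fwbuilder/Logger.h"

#include "objectMaker.h"
#include "addressObjectMaker.h"
#include "serviceObjectMaker.h"

// NOTE(review): the names of the six system headers below were lost in
// extraction (angle-bracket arguments stripped); only the directives remain.
#include
#include
#include
#include
#include
#include

// (template arguments of these typedefs were lost in extraction)
typedef std::pair str_tuple;
typedef std::vector str_vector;

class Importer;

/*
 * Used for platforms where interface and direction are set for the
 * whole ruleset (like in router access lists), as opposed to
 * platforms where interface and direction are set on a per-rule basis
 * (iptables)
 */
class UnidirectionalRuleSet
{
public:
    libfwbuilder::RuleSet* ruleset;
    std::string name;
    // interface names and directions
    // (template arguments of this map were lost in extraction)
    std::map intf_dir;
    libfwbuilder::PolicyRule::Action default_action;
    int created_from_line_number;
    int default_action_line_number;
    bool to_be_deleted;

    UnidirectionalRuleSet()
    {
        // ruleset was previously left uninitialized; code that tests
        // `if (rs->ruleset)` relies on it being NULL until assigned.
        ruleset = NULL;
        created_from_line_number = -1;
        default_action_line_number = -1;
        default_action = libfwbuilder::PolicyRule::Deny;
        to_be_deleted = false;
    }
};

class ImporterException : public std::exception
{
    QString err;
    // Owned UTF-8 copy of err for what(). The previous what() returned
    // err.toStdString().c_str(), a pointer into a temporary std::string
    // that was destroyed before the caller could read it.
    std::string err_utf8;

public:
    ImporterException(const std::string &e)
    {
        err = e.c_str();
        err_utf8 = err.toStdString();
    }
    ImporterException(const QString &e)
    {
        err = e;
        err_utf8 = err.toStdString();
    }
    virtual ~ImporterException() throw() {}
    QString toString() { return err; }
    virtual const char* what() const throw() { return err_utf8.c_str(); }
};

class Importer
{
    // firewall object
    // one instance of Importer creates only one firewall object.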
// // Do not access this member directly, always use getFirewallObject() // This ensures the object is created only when it is needed // so that if we get ane xception in parser early, we do not // create unnecessary object libfwbuilder::Firewall *fw; std::string fwname; protected: AddressObjectMaker *address_maker; ServiceObjectMaker *service_maker; int error_counter; // line number in the original stream being imported int current_line_number; libfwbuilder::FWObject *library; std::string input_file_name; std::istringstream &input; std::string platform; std::string discovered_platform; std::string discovered_version; std::string user_choice_host_os; std::string user_choice_version; libfwbuilder::Interface* current_interface; // map : ruleset name : ruleset // in case of IOS ACls or PIX policy ruleset name == acl name // all other platforms have single ruleset for policy // and another for NAT std::map all_rulesets; // map : interface name : interface std::map all_interfaces; // map : object signature : object // use this to quickly find objects to avoid creating duplicates std::map all_objects; // registry of broken objects. Sometimes we create an AddressTable // or a group object during import that may have some kind of a problem // that we leave for the user to fix manually. In order to be able to mark // all rules that use this object as "broken", we should register these // broken objects somewhere. std::map broken_objects; UnidirectionalRuleSet* current_ruleset; libfwbuilder::Rule* current_rule; void addAddressObjectToInterface(libfwbuilder::Interface*intf, const std::string &addr, const std::string &netm); std::string getBadRuleColor(); // this method returns fw. It is created if fw==NULL // Using getFirewallObject() instead of accessing fw directly // provides a way to create firewall object only when // it is really needed. libfwbuilder::Firewall* getFirewallObject(); // need to be able to tell if firewall object has really // been created during import. 
If the file is empty or in case of // a parser error firewall object may not have been created. // However in other cases there could have been an error after // the object was created. This method allows us to tell one // situation from another. bool haveFirewallObject() { return (fw!=NULL); } // checks if ruleset "rsname" exists. Returns pointer if yes, // otherwise returns NULL virtual UnidirectionalRuleSet* checkUnidirRuleSet(const std::string &rsname); // finds and rturns pointer to ruleset "rsname". If it does not // exists, it is created virtual UnidirectionalRuleSet* getUnidirRuleSet( const std::string &ruleset_name, const std::string &ruleset_type_name); virtual libfwbuilder::FWObject* createTCPService(const QString &name=""); virtual libfwbuilder::FWObject* createUDPService(const QString &name=""); // create libfwbuilder::ObjectGroup and place all interfaces in it // argument represents a list of interface names virtual libfwbuilder::FWObject* createGroupOfInterfaces( const std::string &ruleset_name, std::list &interfaces); virtual libfwbuilder::FWObject* makeAddressObj(const std::string addr, const std::string netm); virtual libfwbuilder::FWObject* makeSrcObj(); virtual libfwbuilder::FWObject* makeDstObj(); virtual libfwbuilder::FWObject* makeSrvObj(); // importer may need to create multiple objects for // either rule element for some platforms. It is more convenient to // make these special virtual methods rather than use createAddress // and createService every time. 
virtual void addSrc(); virtual void addDst(); virtual void addSrv(); virtual void addOSrc(); virtual void addODst(); virtual void addOSrv(); virtual void addLogging(); void registerBrokenObject(libfwbuilder::FWObject *o, const QString &err); bool isObjectBroken(libfwbuilder::FWObject*); QString getBrokenObjectError(libfwbuilder::FWObject*); public: ObjectMakerErrorTracker *error_tracker; // making logger public so I can access it from the code in the grammar libfwbuilder::Logger *logger; QStringList last_comment; bool add_standard_comments; // temporary variables used by parser to store values // Importer converts these into a proper rule using method // pushRule() // Method clear() resets all these variables to their defaults. // // TODO: need to add more variables to cover everything needed // for NAT rules std::string action; std::string protocol; std::string rule_comment; std::string src_a; std::string src_nm; std::string src_port_op; std::string src_port_spec; std::string dst_a; std::string dst_nm; std::string dst_port_op; std::string dst_port_spec; std::string tmp_a; std::string tmp_nm; std::string tmp_port_op; std::string tmp_port_spec; std::string tmp_port_spec_2; std::string tmp_range_1; std::string tmp_range_2; int tmp_tcp_flag_code; QList tmp_tcp_flags_list; QList tcp_flags_mask; QList tcp_flags_comp; bool logging; std::string log_level; std::string log_interval; bool established; bool fragments; std::string icmp_spec; std::string icmp_code; std::string icmp_type; std::string time_range_name; void SaveTmpAddrToSrc(); void SaveTmpAddrToDst(); void SaveTmpPortToSrc(); void SaveTmpPortToDst(); void setSrcSelf(); void setDstSelf(); virtual void clear(); Importer(libfwbuilder::FWObject *lib, const std::string &platform, std::istringstream &input, libfwbuilder::Logger *log, const std::string &fwname); virtual ~Importer(); virtual void run(); void setFileName(const std::string &fn) { input_file_name = fn; } void setPlatform(const std::string &pl) { platform = 
pl; } void prepareForDeduplication(); // add standard line to rule comment, this adds something like // "created during import from , line " virtual void addStandardImportComment(libfwbuilder::FWObject *obj, const QString &additional_comment); virtual libfwbuilder::FWObject* commitObject(libfwbuilder::FWObject *obj); int errorCounter() { return error_counter; } virtual void setDiscoveredPlatform(const std::string &v); virtual void setDiscoveredVersion(const std::string &v); void setUserChoiceHostOS(const std::string &s) { user_choice_host_os = s; } void setUserChoiceVersion(const std::string &s) { user_choice_version = s; } void setAddStandardCommentsFlag(bool f) { add_standard_comments = f; } virtual void setHostName(const std::string &hn); virtual libfwbuilder::Interface* newInterface(const std::string &interface_name); virtual void clearCurrentInterface() { current_interface = NULL; } virtual void ignoreCurrentInterface(); virtual void addInterfaceAddress(const std::string &a, const std::string &nm); virtual void addInterfaceAddress(const std::string &label, const std::string &a, const std::string &nm); virtual void setInterfaceComment(const std::string &descr); virtual void setInterfaceLabel(const std::string &descr); virtual void setInterfaceSecurityLevel(const std::string &seclevel); virtual void setInterfaceParametes(const std::string &phys_intf, const std::string &label, const std::string &sec_level); virtual void setInterfaceVlanId(const std::string &vlan_id); virtual void addRuleComment(const std::string &comm); /** * create new unidirectional ruleset. Unidirectional ruleset * has interface association and direction that apply to all rules * in the set. */ virtual void newUnidirRuleSet(const std::string &name, const std::string &ruleset_type); /** * Sets default action for the current rule set. */ virtual void setDefaultAction(const std::string &iptables_action_name); /** * add interface and direction setting to a ruleset. 
Note that the * same ruleset may be associated with multiple interfaces and * each association may have its own direction. */ virtual void setInterfaceAndDirectionForRuleSet( const std::string &ruleset_name, const std::string &interface_name, const std::string &dir); virtual void setInterfaceAndDirectionForRuleSet( libfwbuilder::Interface *intf, const std::string &ruleset_name, const std::string &dir); virtual void newPolicyRule(); virtual void newNATRule(); virtual void pushRule(); void setCurrentLineNumber(int n) { current_line_number = n; } int getCurrentLineNumber() { return current_line_number;} void markCurrentRuleBad(); void reportError(const std::string &comment); void reportError(const QString &comment); // this method actually adds interfaces to the firewall object // and does final clean up. virtual libfwbuilder::Firewall* finalize(); int countRules(); int countInterfaces(); QString noFirewallErrorMessage(); QString noRulesErrorMessage(); QString noInterfacesErrorMessage(); QString commonFailureErrorMessage(); // statistics int getNumberOfRuleSets(); int getTotalNumberOfRules(); int getNumberOfInterfaces(); void addMessageToLog(const std::string &msg); void addMessageToLog(const QString &msg); void rearrangeVlanInterfaces(); }; #endif fwbuilder-5.3.7/src/import/InterfaceSpec.h000066400000000000000000000043631303637203600205070ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _INTERFACE_SPEC_H_ #define _INTERFACE_SPEC_H_ #include #include #include #include #include "AddressSpec.h" class InterfaceSpec { public: bool neg; std::string name; std::string label; std::list as; std::string hwaddr; std::list groups; InterfaceSpec() { neg = false; name = ""; label = ""; } InterfaceSpec(const InterfaceSpec &other) { neg = other.neg; name = other.name; label = other.label; as = other.as; hwaddr = other.hwaddr; groups = other.groups; } InterfaceSpec(bool _neg, const std::string _name) { neg = _neg; name = _name; } // This function is mostly used in unit tests QString toString() { QStringList str; str << "InterfaceSpec"; str << QString("name:%1").arg(name.c_str()); str << QString("label:%1").arg(label.c_str()); str << QString((neg)? "neg:true" : "neg:false"); str << QString("hwaddr:%1").arg(hwaddr.c_str()); for (std::list::iterator i=as.begin(); i!=as.end(); ++i) str << i->toString(); for (std::list::iterator i=groups.begin(); i!=groups.end(); ++i) str << QString("group:%1").arg((*i).c_str()); return str.join("|"); } }; #endif fwbuilder-5.3.7/src/import/PFImporter.cpp000066400000000000000000001365121303637203600203600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "PFImporter.h" #include #include #include #include #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "fwbuilder/Address.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TCPUDPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" #include "../libgui/platforms.h" #include #include extern int fwbdebug; // TODO: this should move to some common library, together with // getVersionsForPlatform() it uses. 
Currently these functions are // defined in libgui/platforms.cpp extern QString findBestVersionMatch(const QString &platform, const QString &discovered_version); using namespace std; using namespace libfwbuilder; PFImporter::PFImporter(FWObject *lib, std::istringstream &input, Logger *log, const std::string &fwname) : Importer(lib, "pf", input, log, fwname) { setPlatform("pf"); address_maker->setInvertedNetmasks(false); icmp_codes_to_reject_parameters["net-unr"] = "ICMP net unreachable"; icmp_codes_to_reject_parameters["0"] = "ICMP net unreachable"; icmp_codes_to_reject_parameters["host-unr"] = "ICMP host unreachable"; icmp_codes_to_reject_parameters["1"] = "ICMP host unreachable"; icmp_codes_to_reject_parameters["proto-unr"] = "ICMP protocol unreachable"; icmp_codes_to_reject_parameters["2"] = "ICMP protocol unreachable"; icmp_codes_to_reject_parameters["port-unr"] = "ICMP port unreachable"; icmp_codes_to_reject_parameters["3"] = "ICMP port unreachable"; icmp_codes_to_reject_parameters["net-prohib"] = "ICMP net prohibited"; icmp_codes_to_reject_parameters["9"] = "ICMP net prohibited"; icmp_codes_to_reject_parameters["host-prohib"] = "ICMP host prohibited"; icmp_codes_to_reject_parameters["10"] = "ICMP host prohibited"; icmp_codes_to_reject_parameters["filter-prohib"] = "ICMP admin prohibited"; icmp_codes_to_reject_parameters["13"] = "ICMP admin prohibited"; } PFImporter::~PFImporter() { } void PFImporter::clear() { rule_type = NATRule::Unknown; quick = false; direction = ""; address_family = ""; iface_group.clear(); proto_list.clear(); tmp_group.clear(); src_group.clear(); dst_group.clear(); nat_group.clear(); src_neg = false; dst_neg = false; tmp_neg = false; tmp_port_def = ""; tmp_port_op = ""; src_port_group.clear(); dst_port_group.clear(); nat_port_group.clear(); tmp_port_group.clear(); icmp_type_code_group.clear(); block_action_params.clear(); queue = ""; state_op = ""; logopts = ""; flags_check = ""; flags_mask = ""; tag = ""; tagged = ""; tagged_neg = 
false; route_type = UNKNOWN; route_group.clear(); pooltype_opt = ""; nat_rule_opt_2 = ""; // Do not clear name-value pairs lists of timeout and limits since // they is filled when we parse "set timeout", "set limit" // commands and then used in finalize() scrub_rule = false; Importer::clear(); } void PFImporter::clearTempVars() { Importer::clear(); } void PFImporter::addSrc() { PolicyRule *rule = PolicyRule::cast(current_rule); RuleElement *re = rule->getSrc(); list::iterator it; for (it=src_group.begin(); it!=src_group.end(); ++it) { FWObject *obj = makeAddressObj(*it); if (obj) re->addRef(obj); } } void PFImporter::addDst() { PolicyRule *rule = PolicyRule::cast(current_rule); RuleElement *re = rule->getDst(); list::iterator it; for (it=dst_group.begin(); it!=dst_group.end(); ++it) { FWObject *obj = makeAddressObj(*it); if (obj) re->addRef(obj); } } void PFImporter::addSrv() { PolicyRule *rule = PolicyRule::cast(current_rule); addServiceObjectsToRE(rule->getSrv()); } void PFImporter::addServiceObjectsToRE(RuleElement *re) { list::iterator it; for (it=proto_list.begin(); it!=proto_list.end(); ++it) { // TODO: need better interface to Importer::makeSrvObj() // function and other functions that it uses. protocol = *it; if (protocol == "icmp") { list::iterator i1; for (i1=icmp_type_code_group.begin(); i1!=icmp_type_code_group.end(); ++i1) { IcmpSpec is = *i1; ObjectSignature sig(error_tracker); sig.type_name = ICMPService::TYPENAME; if ( ! is.icmp_type_name.empty()) { sig.setIcmpFromName(is.icmp_type_name.c_str()); } else { sig.setIcmpType(is.icmp_type_int.c_str()); } if ( ! is.icmp_code_name.empty()) { sig.setIcmpCodeFromName(is.icmp_code_name.c_str()); } else { sig.setIcmpCode(is.icmp_code_int.c_str()); } FWObject *s = service_maker->createObject(sig); if (s) re->addRef(s); } } else { if (protocol == "tcp" || protocol == "udp") { // TODO: deal with cases where both source and destination // ports are matched. 
// See PIXImporter::fixServiceObjectUsedForBothSrcAndDstPorts() if (src_port_group.size() == 0 && dst_port_group.size() == 0) { // protocol has been defined but not ports to match ObjectSignature sig(error_tracker); buildTCPUDPObjectSingature( &sig, PortSpec(), PortSpec(), protocol.c_str(), flags_check.c_str(), flags_mask.c_str()); re->addRef(commitObject(service_maker->createObject(sig))); } else { addTCPUDPServiceObjectsToRE(re, protocol, src_port_group, dst_port_group, false); } } else { // protocol is not icmp, udp or tcp ObjectSignature sig(error_tracker); sig.type_name = IPService::TYPENAME; sig.setProtocol(protocol.c_str()); sig.fragments = fragments; re->addRef(commitObject(service_maker->createObject(sig))); } } } if (! tagged.empty()) { ObjectSignature sig(error_tracker); sig.type_name = TagService::TYPENAME; sig.tag = tagged.c_str(); re->addRef( commitObject(service_maker->createObject(sig)) ); if (tagged_neg) re->setNeg(true); tagged = ""; } } void PFImporter::addTCPUDPServiceObjectsToRE( RuleElement *re, const std::string &protocol, const list< PortSpec > &src_port_list, const list< PortSpec > &dst_port_list, bool for_nat_rhs) { list src_ports = src_port_list; if (src_port_list.size() == 0) src_ports.push_back(PortSpec()); list dst_ports = dst_port_list; if (dst_port_list.size() == 0) dst_ports.push_back(PortSpec()); list::const_iterator psis; list::const_iterator psid; for (psis=src_ports.begin(); psis!=src_ports.end(); ++psis) { PortSpec ps_src = *psis; for (psid=dst_ports.begin(); psid!=dst_ports.end(); ++psid) { PortSpec ps_dst = *psid; ObjectSignature sig(error_tracker); buildTCPUDPObjectSingature( &sig, ps_src, ps_dst, protocol.c_str(), (for_nat_rhs) ? "" : flags_check.c_str(), (for_nat_rhs) ? 
"" : flags_mask.c_str()); re->addRef(commitObject(service_maker->createObject(sig))); if (!for_nat_rhs && ps_dst.port_op == "!=") re->setNeg(true); } } } void PFImporter::addOSrc() { NATRule *rule = NATRule::cast(current_rule); RuleElement *re = rule->getOSrc(); list::iterator it; for (it=src_group.begin(); it!=src_group.end(); ++it) { FWObject *obj = makeAddressObj(*it); if (obj) re->addRef(obj); } } void PFImporter::addODst() { NATRule *rule = NATRule::cast(current_rule); RuleElement *re = rule->getODst(); list::iterator it; for (it=dst_group.begin(); it!=dst_group.end(); ++it) { FWObject *obj = makeAddressObj(*it); if (obj) re->addRef(obj); } } void PFImporter::addOSrv() { NATRule *rule = NATRule::cast(current_rule); addServiceObjectsToRE(rule->getOSrv()); } void PFImporter::addTSrc() { NATRule *rule = NATRule::cast(current_rule); RuleElement *re = rule->getTSrc(); list::iterator it; for (it=nat_group.begin(); it!=nat_group.end(); ++it) { FWObject *obj = makeAddressObj(*it); if (obj) re->addRef(obj); } } void PFImporter::addTDst() { NATRule *rule = NATRule::cast(current_rule); RuleElement *re = rule->getTDst(); list::iterator it; for (it=nat_group.begin(); it!=nat_group.end(); ++it) { FWObject *obj = makeAddressObj(*it); if (obj) re->addRef(obj); } } void PFImporter::addTSrvSNAT() { NATRule *rule = NATRule::cast(current_rule); if (protocol == "tcp" || protocol == "udp") { addTCPUDPServiceObjectsToRE(rule->getTSrv(), protocol, nat_port_group, list< PortSpec >(), true); // for_nat_rhs } } void PFImporter::addTSrvDNAT() { NATRule *rule = NATRule::cast(current_rule); if (protocol == "tcp" || protocol == "udp") { addTCPUDPServiceObjectsToRE(rule->getTSrv(), protocol, list< PortSpec >(), nat_port_group, true); // for_nat_rhs } } /* * Set source and destination port ranges in the object signature * object. 
*/ bool PFImporter::buildTCPUDPObjectSingature(ObjectSignature *sig, const PortSpec &src_port, const PortSpec &dst_port, const QString &protocol, const QString &flags_check, const QString &flags_mask) { if (protocol == "tcp") sig->type_name = TCPService::TYPENAME; else sig->type_name = UDPService::TYPENAME; if (src_port.port_op == "<>" || dst_port.port_op == "<>") { error_tracker->registerError( QObject::tr("'except ranges' ('<>') for port numbers " "are not supported yet.")); return false; } if (src_port.port_op == "!=" || dst_port.port_op == "!=") { error_tracker->registerError( QObject::tr("'Port not equal' operation is not supported yet.")); } sig->port_range_inclusive = true; sig->setSrcPortRangeFromPortOpForPF(src_port.port_op.c_str(), src_port.port1.c_str(), src_port.port2.c_str(), protocol); sig->setDstPortRangeFromPortOpForPF(dst_port.port_op.c_str(), dst_port.port1.c_str(), dst_port.port2.c_str(), protocol); if (protocol == "tcp") { convertTcpFlags(sig->flags_comp, flags_check); convertTcpFlags(sig->flags_mask, flags_mask); } return true; } void PFImporter::convertTcpFlags(QList &flags_list, const QString &flags_str) { for (int i=0; iregisterError( QObject::tr("TCP flag matches 'E' and 'W' " "are not supported.")); } } qSort(flags_list); } FWObject* PFImporter::makeAddressObj(AddressSpec &as) { if (as.at == AddressSpec::ANY) return NULL; if (as.at == AddressSpec::INTERFACE_OR_HOST_NAME) { interfaceProperties *int_prop = interfacePropertiesObjectFactory::getInterfacePropertiesObject( user_choice_host_os); if (int_prop->looksLikeInterface(as.address.c_str())) { Interface *intf = getInterfaceByName(as.address); if (intf == NULL) { // this interface was never used in "on " clause before newInterface(as.address); intf = getInterfaceByName(as.address); } return intf; } else { QString name = QString::fromUtf8(as.address.c_str()); if (name.startsWith('$')) { /* * We perform macro substitutions in * PFImporter::substituteMacros(), however if we get a * host name 
that starts with a '$' here, then this is * an undefined macro that could not be substituted. * Mark rule as bad but still create run-time DNSName * object. */ error_tracker->registerWarning( QObject::tr("Macro '%1' was undefined, rule may be broken") .arg(name)); } ObjectSignature sig(error_tracker); sig.type_name = DNSName::TYPENAME; sig.object_name = name; sig.dns_name = name; return address_maker->createObject(sig); } } if (as.at == AddressSpec::INTERFACE_NETWORK) { Interface *intf = getInterfaceByName(as.address); if (intf == NULL) { // this interface was never used in "on " clause before newInterface(as.address); intf = getInterfaceByName(as.address); } FWObject *o = intf->getFirstByType(AttachedNetworks::TYPENAME); if ( o != NULL ) { return o; } else { ObjectMaker maker(Library::cast(library), error_tracker); string name = intf->getName() + "-net"; AttachedNetworks *an = AttachedNetworks::cast( maker.createObject(intf, AttachedNetworks::TYPENAME, name)); an->setRunTime(true); an->setSourceName(intf->getName()); address_table_registry[name.c_str()] = an; return an; } } if (as.at == AddressSpec::INTERFACE_BROADCAST) { error_tracker->registerError( QObject::tr("import of 'interface:broadcast' is not supported.")); return NULL; } if (as.at == AddressSpec::HOST_ADDRESS) { return Importer::makeAddressObj(as.address, ""); } if (as.at == AddressSpec::NETWORK_ADDRESS) { return Importer::makeAddressObj(as.address, as.netmask); } if (as.at == AddressSpec::SPECIAL_ADDRESS) { if (as.address == "self") return getFirewallObject(); { error_tracker->registerError( QObject::tr("Warning: matching '%1' is not supported") .arg(as.address.c_str())); return NULL; } } if (as.at == AddressSpec::TABLE) { FWObject *at = address_table_registry[as.address.c_str()]; if (isObjectBroken(at)) { error_tracker->registerError(getBrokenObjectError(at)); } return at; } return NULL; } void PFImporter::addLogging() { PolicyRule *rule = PolicyRule::cast(current_rule); FWOptions *ropt = 
rule->getOptionsObject(); /* alerts Immediate action needed (severity=1) critical Critical conditions (severity=2) debugging Debugging messages (severity=7) disable Disable log option on this ACL element, (no log at all) emergencies System is unusable (severity=0) errors Error conditions (severity=3) inactive Keyword for disabling an ACL element informational Informational messages (severity=6) interval Configure log interval, default value is 300 sec notifications Normal but significant conditions (severity=5) warnings Warning conditions (severity=4) */ QMap logging_levels; logging_levels["alerts"] = "alert"; logging_levels["critical"] = "crit"; logging_levels["debugging"] = "debug"; logging_levels["emergencies"] = ""; logging_levels["errors"] = "error"; logging_levels["informational"] = "info"; logging_levels["notifications"] = "notice"; logging_levels["warnings"] = "warning"; logging_levels["0"] = ""; logging_levels["1"] = "alert"; logging_levels["2"] = "crit"; logging_levels["3"] = "error"; logging_levels["4"] = "warning"; logging_levels["5"] = "notice"; logging_levels["6"] = "info"; logging_levels["7"] = "debug"; // QStringList log_levels = getLogLevels("pix"); rule->setLogging(logging); QString log_level_qs = log_level.c_str(); if ( ! log_level_qs.isEmpty()) { if (logging_levels.count(log_level_qs) != 0) ropt->setStr("log_level", logging_levels[log_level_qs].toStdString()); else ropt->setStr("log_level", log_level); if (log_level_qs == "disable" || log_level_qs == "inactive") ropt->setBool("disable_logging_for_this_rule", true); } if ( ! 
log_interval.empty()) { bool ok = false; int log_interval_int = QString(log_interval.c_str()).toInt(&ok); if (ok) ropt->setInt("log_interval", log_interval_int); } } void PFImporter::pushRule() { if (PolicyRule::isA(current_rule)) pushPolicyRule(); else pushNATRule(); assert(current_rule!=NULL); if (error_tracker->hasWarnings()) { QStringList warn = error_tracker->getWarnings(); // parser errors and warnings are added to the log by // PFCfgParser::reportError() and PFCfgParser::reportWarning() // so we dont need to add them again here foreach(QString w, warn) { if (!w.startsWith("Parser warning:")) addMessageToLog("Warning: " + w); } markCurrentRuleBad(); } if (error_tracker->hasErrors()) { QStringList err = error_tracker->getErrors(); foreach(QString e, err) { if (!e.startsWith("Parser error:")) addMessageToLog("Error: " + e); } markCurrentRuleBad(); } current_rule = NULL; rule_comment = ""; clear(); } void PFImporter::pushPolicyRule() { RuleSet *ruleset = RuleSet::cast( getFirewallObject()->getFirstByType(Policy::TYPENAME)); // this importer does not use UnidirectionalRuleSet objects but // base class uses dictionary all_rulesets to do some checks (e.g. // countRules()) so we'll create one dummy UnidirectionalRuleSet object string ruleset_name = ruleset->getName(); if (checkUnidirRuleSet(ruleset_name) == NULL) { UnidirectionalRuleSet *rs = new UnidirectionalRuleSet(); rs->name = ruleset_name; rs->ruleset = ruleset; all_rulesets[ruleset_name] = rs; } assert(current_rule!=NULL); // populate all elements of the rule // Note that standard function // setInterfaceAndDirectionForRuleSet() assumes there is only one // interface, but here we can have a group. 
Information about // interfaces (even if there is only one) is stored in the list // iface_group // // importer->setInterfaceAndDirectionForRuleSet( // "", importer->iface, importer->direction); QString message_str = QString("filtering rule: action %1; interfaces: %2"); PolicyRule *rule = PolicyRule::cast(current_rule); FWOptions *ropt = current_rule->getOptionsObject(); assert(ropt!=NULL); if (action=="pass") { if (quick) rule->setAction(PolicyRule::Accept); else rule->setAction(PolicyRule::Continue); ropt->setBool("stateless", false); } if (action=="block") { rule->setAction(PolicyRule::Deny); ropt->setBool("stateless", true); if (block_action_params.size() > 0) { string block_return = block_action_params.front(); block_action_params.pop_front(); if (block_return == "drop") { ; // Action Drop accurately represents "block drop" } if (block_return == "return") { rule->setAction(PolicyRule::Reject); error_tracker->registerError( QObject::tr( "'block return' is not supported in fwbuilder, " "replacing with 'block return-icmp' ")); ropt->setStr("action_on_reject", "ICMP admin prohibited"); } if (block_return == "return-rst") { rule->setAction(PolicyRule::Reject); ropt->setStr("action_on_reject", "TCP RST"); } if (block_return == "return-icmp") { rule->setAction(PolicyRule::Reject); ropt->setStr("action_on_reject", "ICMP admin prohibited"); if (block_action_params.size() > 0) { string icmp_code = icmp_codes_to_reject_parameters[ block_action_params.front()]; block_action_params.pop_front(); if (icmp_code.empty()) error_tracker->registerError( QObject::tr( "Unrecognized icmp code parameter for " "'block return-icmp' action: %1") .arg(block_action_params.front().c_str())); ropt->setStr("action_on_reject", icmp_code); } } } } if (direction == "in") rule->setDirection(PolicyRule::Inbound); if (direction == "out") rule->setDirection(PolicyRule::Outbound); if (direction == "") rule->setDirection(PolicyRule::Both); QStringList interfaces; list::iterator it; for 
(it=iface_group.begin(); it!=iface_group.end(); ++it) { Interface *intf = getInterfaceByName(it->name); assert(intf!=NULL); RuleElement *re =rule->getItf(); re->addRef(intf); if (it->neg) re->setNeg(true); interfaces << it->name.c_str(); } /* * Set state-related rule options using variable state_op */ if (state_op.empty()) { // when "state" keyword is absent, behavior depends on the // version because different versions have different // defaults. Versions prior to 4.0 treat missing keyword as // "no state", while versions past 4.0 treat is as "keep // state". See also #2441. Rules with action "block" should // always be stateless by default. if (XMLTools::version_compare(user_choice_version, "4.0") < 0) ropt->setBool("stateless", true); else { if (action == "pass") ropt->setBool("stateless", false); } } if (state_op == "no") ropt->setBool("stateless", true); if (state_op == "modulate") ropt->setBool("pf_modulate_state", true); if (state_op == "keep") ropt->setBool("stateless", false); if (state_op == "synproxy") ropt->setBool("pf_synproxy", true); /* * Set tagging rule option using variable tag */ if ( ! tag.empty()) { ObjectSignature sig(error_tracker); sig.type_name = TagService::TYPENAME; sig.tag = tag.c_str(); FWObject *tobj = commitObject(service_maker->createObject(sig)); rule->setTagging(tobj != NULL); rule->setTagObject(tobj); } /* * Set queueing rule option using variable queue */ if (! 
queue.empty()) ropt->setStr("pf_classify_str", queue); /* * route-to options * */ if (route_type != UNKNOWN && route_group.size() != 0) { switch (route_type) { case ROUTE_TO: ropt->setStr("pf_route_option", "route_through"); break; case REPLY_TO: ropt->setStr("pf_route_option", "route_reply_through"); break; case DUP_TO: ropt->setStr("pf_route_option", "route_copy_through"); break; default: ; } /* * see initialization of routeLoadOptions_pf in function * init_platforms() in platforms.cpp for the list of strings * recognized by compilers as values of "pf_route_load_option" * rule option */ if (pooltype_opt == "bitmask") ropt->setStr("pf_route_load_option", "bitmask"); if (pooltype_opt == "random") ropt->setStr("pf_route_load_option", "random"); if (pooltype_opt == "source-hash") ropt->setStr("pf_route_load_option", "source_hash"); if (pooltype_opt == "round-robin") ropt->setStr("pf_route_load_option", "round_robin"); QStringList route_opt_addr; bool has_different_interfaces = false; string interface_name; QStringList reconstructed_parameter_string; list::iterator it; for (it=route_group.begin(); it!=route_group.end(); ++it) { RouteSpec &rs = *it; Interface *intf = getInterfaceByName(rs.iface); if (intf == NULL) { // this interface was never used in "on " clause before intf = newInterface(rs.iface); } if (interface_name.empty()) interface_name = intf->getName(); if (interface_name != intf->getName()) { has_different_interfaces = true; } ropt->setStr("pf_route_opt_if", rs.iface); QString gw; if (rs.netmask.empty()) gw = rs.address.c_str(); else gw = QString("%1/%2") .arg(rs.address.c_str()).arg(rs.netmask.c_str()); route_opt_addr << gw; reconstructed_parameter_string << QString("(%1 %2)") .arg(intf->getName().c_str()).arg(gw); } if (has_different_interfaces) { // currently we do not support route-to configuration // with multiple interface-gateway pairs. multiple // gateway addresses and only one interface // are allowed. These rules will be imported partially. 
error_tracker->registerWarning( QObject::tr("'route-to' parameters with multiple " "interface-gateway pairs are not supported: \"%1\"") .arg(reconstructed_parameter_string.join(", "))); } ropt->setStr("pf_route_opt_addr", route_opt_addr.join(",").toStdString()); rule->setRouting( ! ropt->getStr("pf_route_option").empty()); } /* * Protocols are in proto_list * Source addresses are in src_group * Destination addresses are in dst_group */ addSrc(); addDst(); addSrv(); /* * Set logging options using variables logging and logopts */ addLogging(); // then add it to the current ruleset ruleset->add(current_rule); addStandardImportComment( current_rule, QString::fromUtf8(rule_comment.c_str())); addMessageToLog(message_str.arg(action.c_str()).arg(interfaces.join(","))); } void PFImporter::pushNATRule() { RuleSet *ruleset = RuleSet::cast( getFirewallObject()->getFirstByType(NAT::TYPENAME)); // this importer does not use UnidirectionalRuleSet objects but // base class uses dictionary all_rulesets to do some checks (e.g. // countRules()) so we'll create one dummy UnidirectionalRuleSet object string ruleset_name = ruleset->getName(); if (checkUnidirRuleSet(ruleset_name) == NULL) { UnidirectionalRuleSet *rs = new UnidirectionalRuleSet(); rs->name = ruleset_name; rs->ruleset = ruleset; all_rulesets[ruleset_name] = rs; } assert(current_rule!=NULL); QString message_str = QString("nat rule: action %1; interfaces: %2"); NATRule *rule = NATRule::cast(current_rule); FWOptions *ropt = current_rule->getOptionsObject(); assert(ropt!=NULL); if (action=="nat") rule->setRuleType(NATRule::SNAT); if (action=="rdr") rule->setRuleType(NATRule::DNAT); if (action=="nonat") rule->setRuleType(NATRule::NONAT); rule->setAction(NATRule::Translate); // remember that even though NATRule has two interface rule elements // ("in" and "out"), compiler for PF only uses one, the "outbound" one. 
QStringList interfaces; list::iterator it; for (it=iface_group.begin(); it!=iface_group.end(); ++it) { Interface *intf = getInterfaceByName(it->name); assert(intf!=NULL); RuleElement *re =rule->getItfOutb(); re->addRef(intf); if (it->neg) re->setNeg(true); interfaces << it->name.c_str(); } addOSrc(); addODst(); addOSrv(); switch (rule->getRuleType()) { case NATRule::SNAT: addTSrc(); addTSrvSNAT(); break; case NATRule::DNAT: addTDst(); addTSrvDNAT(); break; case NATRule::NONAT: break; default: error_tracker->registerError( QObject::tr("NAT rules \"%1\" " "are not supported yet.").arg(action.c_str())); } if (pooltype_opt == "bitmask") ropt->setBool("pf_bitmask", true); if (pooltype_opt == "random") ropt->setBool("pf_random", true); if (pooltype_opt == "source-hash") ropt->setBool("pf_source_hash", true); if (pooltype_opt == "round-robin") ropt->setBool("pf_round_robin", true); if (nat_rule_opt_2 == "static-port") ropt->setBool("pf_static_port", true); // reset rule type. Rule type is used internally by the compilers // and is not stored in the object permanently. Rule type assigned // by the compiler may actually differ from what we use here // (e.g. some DNAT rules are identified as LB -- load balancing -- // rules by compilers) rule->setRuleType(NATRule::Unknown); // then add it to the current ruleset ruleset->add(current_rule); addStandardImportComment( current_rule, QString::fromUtf8(rule_comment.c_str())); addMessageToLog(message_str.arg(action.c_str()).arg(interfaces.join(","))); } Firewall* PFImporter::finalize() { // scan all UnidirectionalRuleSet objects, set interface and // direction in all rules of corresponding RuleSet and merge all // UnidirectionalRuleSet into one RuleSet object. Attach this // object to the firewall. if (fwbdebug) qDebug("PFImporter::finalize()"); if (haveFirewallObject()) { Firewall *fw = Firewall::cast(getFirewallObject()); // We can not "discover" host OS just by reading pf.conf file. 
// Assume FreeBSD fw->setStr("platform", "pf"); string host_os = "freebsd"; fw->setStr("host_OS", host_os); Resources::setDefaultTargetOptions(host_os , fw); FWOptions* options = fw->getOptionsObject(); // We may be able to infer at least something about the version // from the pf.conf file in the future. string version = findBestVersionMatch( "pf", discovered_version.c_str()).toStdString(); if ( ! version.empty()) fw->setStr("version", version); rearrangeVlanInterfaces(); list l1 = fw->getByType(Policy::TYPENAME); for (list::iterator i=l1.begin(); i!=l1.end(); ++i) { RuleSet *rs = RuleSet::cast(*i); rs->renumberRules(); } // Deal with NAT ruleset list l2 = fw->getByType(NAT::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { RuleSet *rs = RuleSet::cast(*i); rs->renumberRules(); } // We can not deduce ip addresses of interfaces from just // looking at pf.conf so lets just mark them all "dynamic" list l3 = fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l3.begin(); i!=l3.end(); ++i) { Interface *iface = Interface::cast(*i); iface->setUnnumbered(false); iface->setDyn(true); } // Log lines from now on should not start with original file line numbers setCurrentLineNumber(-1); // configure timeouts // mapping between PF timeout names and our option names map timeout_option_names; timeout_option_names["tcp.first"] = "pf_tcp_first"; timeout_option_names["tcp.opening"] = "pf_tcp_opening"; timeout_option_names["tcp.established"] = "pf_tcp_established"; timeout_option_names["tcp.closing"] = "pf_tcp_closing"; timeout_option_names["tcp.finwait"] = "pf_tcp_finwait"; timeout_option_names["tcp.closed"] = "pf_tcp_closed"; timeout_option_names["udp.first"] = "pf_udp_first"; timeout_option_names["udp.single"] = "pf_udp_single"; timeout_option_names["udp.multiple"] = "pf_udp_multiple"; timeout_option_names["icmp.first"] = "pf_icmp_first"; timeout_option_names["icmp.error"] = "pf_icmp_error"; timeout_option_names["other.first"] = "pf_other_first"; 
timeout_option_names["other.single"] = "pf_other_single"; timeout_option_names["other.multiple"] = "pf_other_multiple"; timeout_option_names["adaptive.start"] = "pf_adaptive_start"; timeout_option_names["adaptive.end"] = "pf_adaptive_end"; timeout_option_names["frag"] = "pf_timeout_frag"; timeout_option_names["interval"] = "pf_timeout_interval"; // looks like we do not support src.track as of 4.3 // timeout_option_names["src.track"] = "pf_src_track"; // mapping between PF timeout names and boolean option names that // activate setting of the corresponding timeout map timeout_activation_names; timeout_activation_names["tcp.first"] = "pf_set_tcp_first"; timeout_activation_names["tcp.opening"] = "pf_set_tcp_opening"; timeout_activation_names["tcp.established"] = "pf_set_tcp_established"; timeout_activation_names["tcp.closing"] = "pf_set_tcp_closing"; timeout_activation_names["tcp.finwait"] = "pf_set_tcp_finwait"; timeout_activation_names["tcp.closed"] = "pf_set_tcp_closed"; timeout_activation_names["udp.first"] = "pf_set_udp_first"; timeout_activation_names["udp.single"] = "pf_set_udp_single"; timeout_activation_names["udp.multiple"] = "pf_set_udp_multiple"; timeout_activation_names["icmp.first"] = "pf_set_icmp_first"; timeout_activation_names["icmp.error"] = "pf_set_icmp_error"; timeout_activation_names["other.first"] = "pf_set_other_first"; timeout_activation_names["other.single"] = "pf_set_other_single"; timeout_activation_names["other.multiple"] = "pf_set_other_multiple"; timeout_activation_names["adaptive.start"] = "pf_set_adaptive"; timeout_activation_names["adaptive.end"] = "pf_set_adaptive"; timeout_activation_names["frag"] = "pf_do_timeout_frag"; timeout_activation_names["interval"] = "pf_do_timeout_interval"; if (timeouts.size() > 0) { addMessageToLog(QObject::tr("Configuring timeouts:\n")); list::iterator it; for (it=timeouts.begin(); it!=timeouts.end(); ++it) { string name = it->first; bool ok = false; int value = QString(it->second.c_str()).toInt(&ok); 
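addMessageToLog(QString("set timeout %1 %2\n")
                .arg(name.c_str()).arg(value));
if (!ok)
{
    // QString::toInt() yields 0 for text that is not a number. Storing
    // that 0 would silently turn a mistyped (or deliberately crafted)
    // "set timeout" line into "set timeout <name> 0" in the generated
    // configuration, so the value is rejected and reported instead.
    addMessageToLog(
        QObject::tr("Error: Invalid timeout value '%1' for %2\n")
        .arg(it->second.c_str()).arg(name.c_str()));
}
else if (timeout_activation_names.count(name) == 0)
{
    addMessageToLog(
        QObject::tr("Error: Unknown timeout name %1\n")
        .arg(name.c_str()));
}
else
{
    options->setBool(timeout_activation_names[name], true);
    options->setInt(timeout_option_names[name], value);
}
}
}

// configure limits: mapping between PF limit names and the option names
// that hold the configured value
map<string, string> limit_option_names;
limit_option_names["frags"] = "pf_limit_frags";
limit_option_names["states"] = "pf_limit_states";
limit_option_names["src-nodes"] = "pf_limit_src_nodes";
limit_option_names["tables"] = "pf_limit_tables";
limit_option_names["tables-entries"] = "pf_limit_table_entries";

// mapping between PF limit names and boolean option names that
// activate setting of the corresponding limit
map<string, string> limit_activation_names;
limit_activation_names["frags"] = "pf_do_limit_frags";
limit_activation_names["states"] = "pf_do_limit_states";
limit_activation_names["src-nodes"] = "pf_do_limit_src_nodes";
limit_activation_names["tables"] = "pf_do_limit_tables";
limit_activation_names["tables-entries"] = "pf_do_limit_table_entries";

if (limits.size() > 0)
{
    addMessageToLog(QObject::tr("Configuring limits:\n"));
    list<pair<string, string> >::iterator it;
    for (it=limits.begin(); it!=limits.end(); ++it)
    {
        string name = it->first;
        bool ok = false;
        int value = QString(it->second.c_str()).toInt(&ok);
        addMessageToLog(QString("set limit %1 %2\n")
                        .arg(name.c_str()).arg(value));
        if (!ok)
        {
            // same reasoning as for timeouts: never store the 0 that
            // toInt() returns for a malformed value
            addMessageToLog(
                QObject::tr("Error: Invalid limit value '%1' for %2\n")
                .arg(it->second.c_str()).arg(name.c_str()));
        }
        else if (limit_activation_names.count(name) == 0)
        {
            addMessageToLog(
                QObject::tr("Error: Unknown limit name %1\n")
                .arg(name.c_str()));
        }
        else
        {
            options->setBool(limit_activation_names[name], true);
            options->setInt(limit_option_names[name], value);
        }
    }
}

// configure other "set" commands
// addMessageToLog(QObject::tr("Configuring set commands:\n"));

if ( ! set_optimization.empty())
{
    options->setStr("pf_optimization", set_optimization);
    addMessageToLog(QString("set optimization %1\n")
                    .arg(set_optimization.c_str()));
}

if ( ! set_block_policy.empty())
{
    options->setStr("pf_block_policy", set_block_policy);
    addMessageToLog(QString("set block-policy %1\n")
                    .arg(set_block_policy.c_str()));
}

if ( ! set_state_policy.empty())
{
    options->setStr("pf_state_policy", set_state_policy);
    addMessageToLog(QString("set state-policy %1\n")
                    .arg(set_state_policy.c_str()));
}

if (set_skip_on.size() != 0)
{
    // "set skip on <ifname>" tells pf not to filter traffic on that
    // interface at all; here it becomes the "unprotected" flag on the
    // corresponding Interface object.
    //
    // The properties object depends only on the host OS, so a single
    // instance serves the whole loop instead of one allocation per name.
    // NOTE(review): the factory is assumed to hand out a heap object the
    // caller owns, as other importer code treats it -- confirm; it is
    // freed after the loop.
    interfaceProperties *int_prop =
        interfacePropertiesObjectFactory::getInterfacePropertiesObject(
            user_choice_host_os);
    for (list<string>::iterator it=set_skip_on.begin();
         it!=set_skip_on.end(); ++it)
    {
        string skip_interface_name = *it;
        // without a properties object for this host OS the name cannot
        // be validated; accept it rather than drop the skip setting (the
        // original code would have dereferenced NULL here)
        bool looks_like_interface = (int_prop == NULL) ||
            int_prop->looksLikeInterface(skip_interface_name.c_str());
        if (looks_like_interface)
        {
            Interface *intf = getInterfaceByName(skip_interface_name);
            if (intf == NULL)
            {
                // this interface was never used in an "on <ifname>"
                // clause before
                newInterface(skip_interface_name);
                intf = getInterfaceByName(skip_interface_name);
            }
            // The flag is set whether or not the interface already
            // existed: an interface that appeared in an earlier
            // "on <ifname>" clause must not keep its default (protected)
            // state, or the imported policy would filter an interface the
            // original pf.conf explicitly left unfiltered.
            if (intf != NULL)
            {
                intf->setUnprotected(true);
                addMessageToLog(QString("set skip on %1\n")
                                .arg(intf->getName().c_str()));
            }
        } else
        {
            addMessageToLog(
                QObject::tr("Error: In 'set skip on %1' argument "
                            "does not look like an interface name\n")
                .arg(skip_interface_name.c_str()));
        }
    }
    delete int_prop;
}

if ( ! 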
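set_debug.empty())
{
    options->setStr("pf_set_debug", set_debug);
    addMessageToLog(QString("set debug %1\n").arg(set_debug.c_str()));
}

// Scrub options: each (keyword, argument) pair collected by the parser
// maps onto one or two firewall options
if (scrub_options.size() > 0)
{
    options->setBool("pf_do_scrub", true);
    list<pair<string, string> >::iterator it;
    for (it=scrub_options.begin(); it!=scrub_options.end(); ++it)
    {
        string name = it->first;
        string arg = it->second;
        addMessageToLog(QString("scrub %1 %2\n")
                        .arg(name.c_str()).arg(arg.c_str()));
        if (name == "fragment")
        {
            if (arg == "reassemble")
                options->setBool("pf_scrub_reassemble", true);
            if (arg == "crop")
                options->setBool("pf_scrub_fragm_crop", true);
            if (arg == "drop-ovl")
                options->setBool("pf_scrub_fragm_drop_ovl", true);
        }
        if (name == "reassemble")
            options->setBool("pf_scrub_reassemble_tcp", true);
        if (name == "no-df")
            options->setBool("pf_scrub_no_df", true);
        if (name == "min-ttl")
        {
            options->setBool("pf_scrub_use_minttl", true);
            options->setStr("pf_scrub_minttl", arg);
        }
        if (name == "max-mss")
        {
            options->setBool("pf_scrub_use_maxmss", true);
            options->setStr("pf_scrub_maxmss", arg);
        }
        if (name == "random-id")
            options->setBool("pf_scrub_random_id", true);
    }
}

return fw;
}
else
{
    return NULL;
}
}

/*
 * Look up an interface of the firewall being built by its name.
 * Returns NULL when no interface with that name has been created yet.
 */
Interface* PFImporter::getInterfaceByName(const string &name)
{
    map<const string, Interface*>::iterator it;
    for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it)
    {
        Interface *intf = it->second;
        if (intf->getName() == name) return intf;
    }
    return NULL;
}

/*
 * table <name> file "/path": create an AddressTable object whose
 * addresses are loaded from a file when the policy is compiled.
 *
 * NOTE(review): the file name is taken verbatim from the imported
 * pf.conf (only the surrounding quotes are stripped). When the imported
 * configuration is not trusted this is an attacker-chosen path that the
 * compiler will open later; nothing here resolves or restricts it.
 */
void PFImporter::newAddressTableObject(const string &name, const string &file)
{
    addMessageToLog(QString("Address Table: <%1> file %2")
                    .arg(QString::fromUtf8(name.c_str()))
                    .arg(QString::fromUtf8(file.c_str())));

    ObjectSignature sig(error_tracker);
    sig.type_name = AddressTable::TYPENAME;
    sig.object_name = QString::fromUtf8(name.c_str());

    QString filename = QString::fromUtf8(file.c_str());
    filename.replace("\"", "");
    sig.address_table_name = filename;

    FWObject *at = address_maker->createObject(sig);
    if (at == NULL)
    {
        // Do not register a NULL: a later lookup of this table name by a
        // rule would most likely dereference it. Tables are created
        // before any rule is seen, so the message goes to the log rather
        // than to error_tracker.
        addMessageToLog(
            QObject::tr("Error: could not create address table object '%1'")
            .arg(sig.object_name));
        return;
    }
    address_table_registry[sig.object_name] = at;
}

/*
 * table <name> { addr, addr, ... }: create an ObjectGroup and add one
 * address object per entry to it.
 *
 * Negated entries ("!addr") have no representation as a plain group
 * member, so a table containing any is registered as broken for the user
 * to fix by hand; the entries themselves are still handed to
 * makeAddressObj().
 */
void PFImporter::newAddressTableObject(const string &name,
                                       list<AddressSpec> &addresses)
{
    bool has_negations = false;
    QStringList addr_list;
    list<AddressSpec>::iterator it;
    for (it=addresses.begin(); it!=addresses.end(); ++it)
    {
        if (it->neg) has_negations = true;
        QString nm = QString(it->netmask.c_str()).trimmed();
        if (!nm.isEmpty()) nm = "/" + nm;
        addr_list << QString("%1%2%3")
            .arg((it->neg)?"!":"").arg(it->address.c_str()).arg(nm);
    }

    addMessageToLog(QString("Address Table: <%1>: %2")
                    .arg(QString::fromUtf8(name.c_str()))
                    .arg(addr_list.join(", ")));

    ObjectMaker maker(Library::cast(library), error_tracker);
    FWObject *og = commitObject(maker.createObject(ObjectGroup::TYPENAME,
                                                   name.c_str()));
    assert(og!=NULL);
    address_table_registry[name.c_str()] = og;

    if (has_negations)
    {
        // can not use error_tracker->registerError() here because
        // tables are created before importer encounters any rules and
        // so this error can not be associated with a rule.
        QString err = QObject::tr("Error: import of table definition with negated "
                                  "addresses is not supported.");
        addMessageToLog(err);
        err = QObject::tr("Address table '%1' has a mix of negated and non-negated "
                          "addresses in the original file.");
        registerBrokenObject(og, err.arg(QString::fromUtf8(name.c_str())));
    }

    for (it=addresses.begin(); it!=addresses.end(); ++it)
    {
        FWObject *obj = makeAddressObj(*it);
        if (obj) og->addRef(obj);
    }
}
fwbuilder-5.3.7/src/import/PFImporter.h000066400000000000000000000121631303637203600200200ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2011 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.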
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _FWB_POLICY_IMPORTER_PF_H_ #define _FWB_POLICY_IMPORTER_PF_H_ #include #include #include #include #include #include "IOSImporter.h" #include "AddressSpec.h" #include "InterfaceSpec.h" #include "PortSpec.h" #include "IcmpSpec.h" #include "RouteSpec.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Logger.h" #include "fwbuilder/Rule.h" #include "fwbuilder/NAT.h" #include class PFImporter : public Importer { void addServiceObjectsToRE(libfwbuilder::RuleElement *re); void addTCPUDPServiceObjectsToRE( libfwbuilder::RuleElement *re, const std::string &protocol, const std::list< PortSpec > &src_port_spec_list, const std::list< PortSpec > &dst_port_spec_list, bool for_nat_rhs); void substituteMacros(const QMap ¯os, QString &buffer); public: typedef enum { UNKNOWN, ROUTE_TO, REPLY_TO, DUP_TO} route_op_type; QMap address_table_registry; std::string direction; std::string address_family; bool quick; bool src_neg; bool dst_neg; bool tmp_neg; std::map icmp_codes_to_reject_parameters; std::list block_action_params; std::list iface_group; std::list proto_list; std::list< AddressSpec > src_group; std::list< AddressSpec > dst_group; std::list< AddressSpec > nat_group; std::list< AddressSpec > tmp_group; std::string tmp_port_op; std::string tmp_port_def; std::list< PortSpec > src_port_group; std::list< PortSpec > dst_port_group; std::list< PortSpec > nat_port_group; std::list< PortSpec > tmp_port_group; std::list< IcmpSpec > icmp_type_code_group; route_op_type route_type; std::list route_group; std::string queue; std::string state_op; std::string logopts; std::string flags_check; 
std::string flags_mask; std::string tag; bool tagged_neg; std::string tagged; std::string pooltype_opt; std::string nat_rule_opt_2; libfwbuilder::NATRule::NATRuleTypes rule_type; std::list timeouts; std::list limits; std::string set_optimization; std::string set_block_policy; std::string set_state_policy; std::string set_debug; std::list set_skip_on; std::list scrub_options; bool scrub_rule; PFImporter(libfwbuilder::FWObject *lib, std::istringstream &input, libfwbuilder::Logger *log, const std::string &fwname); ~PFImporter(); virtual void clear(); void clearTempVars(); virtual void run(); void pushPolicyRule(); void pushNATRule(); void buildDNATRule(); void buildSNATRule(); virtual void pushRule(); // this method actually adds interfaces to the firewall object // and does final clean up. virtual libfwbuilder::Firewall* finalize(); #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Woverloaded-virtual" virtual libfwbuilder::FWObject* makeAddressObj(AddressSpec &as); #pragma GCC diagnostic pop virtual void addSrc(); virtual void addDst(); virtual void addSrv(); virtual void addOSrc(); virtual void addODst(); virtual void addOSrv(); virtual void addTSrc(); virtual void addTDst(); void addTSrvSNAT(); void addTSrvDNAT(); virtual void addLogging(); libfwbuilder::Interface* getInterfaceByName(const std::string &name); void newAddressTableObject(const std::string &name, const std::string &file); void newAddressTableObject(const std::string &name, std::list &addresses); bool buildTCPUDPObjectSingature(ObjectSignature *sig, const PortSpec &src_port, const PortSpec &dst_port, const QString &protocol, const QString &flags_check, const QString &flags_mask); void convertTcpFlags(QList &flags_list, const QString &flags_str); }; #endif fwbuilder-5.3.7/src/import/PFImporterRun.cpp000066400000000000000000000213171303637203600210410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is 
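free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free
  Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
  02111-1307 USA

*/

#include "../../config.h"

#include "fwbuilder/InetAddr.h"

#include "PFImporter.h"

#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "../parsers/PFCfgLexer.hpp"
#include "../parsers/PFCfgParser.hpp"

extern int fwbdebug;

using namespace std;
using namespace libfwbuilder;

/*
 * Only this module depends on PFCfgLexer and PFCfgParser,
 * so only this file is recompiled when we change grammar
 */

/*
 * Import one pf.conf: preprocess the raw text (line unfolding and macro
 * expansion), run the ANTLR parser over the result and report anything
 * that went wrong through the logger. The Firewall object itself is
 * built by the parser callbacks and handed out by finalize().
 */
void PFImporter::run()
{
    QStringList err;
    QString parser_err = QObject::tr("Parser error:");
    QString gen_err = QObject::tr("Error:");
    std::ostringstream parser_debug;

    /* Do a bit of preprocessing of the input to simplify crazy grammar.
     *
     * Do the following (will add more stuff here in the future):
     *
     * - fold lines split with '\'
     * - find macro definitions and perform all macro substitutions
     */
    QStringList whole_input_tmp;
    input.clear();
    input.seekg(0, ios::beg);

    // Read with std::getline into a std::string instead of a fixed char
    // buffer: istream::getline(buf, n) sets failbit on a line longer than
    // the buffer without reaching eof, and a "while (!input.eof())" loop
    // around it never terminates. A pf.conf handed to the importer is
    // user-supplied, possibly crafted, and one over-long line must not
    // hang the application.
    std::string raw_line;
    while (std::getline(input, raw_line))
        whole_input_tmp.append(QString::fromStdString(raw_line));

    QString whole_input = whole_input_tmp.join("\n") + "\n";

    QRegExp line_continuation("\\\\\\s*\n");
    whole_input.replace(line_continuation, "");

    QRegExp inline_comment("#.*$");
    QRegExp macro_definition("^\\s*(\\S+)\\s*=\\s*(.*)$");
    QRegExp list_of_items("^\\{\\s*((\\S+,?\\s*)+)\\s*\\}$");

    QMap<QString, QString> macros;
    QMap<QString, QString> macros_source_lines;

    foreach(QString str, whole_input.split("\n"))
    {
        QString work_str = str;
        work_str.replace(inline_comment, "");
        work_str = work_str.trimmed();
        if (macro_definition.indexIn(work_str) != -1)
        {
            QString macro_name = macro_definition.cap(1);
            QString value = macro_definition.cap(2);
            value.replace('\"', "");
            value = value.simplified();
            macros[macro_name] = value;
            // exact text of the definition; needed below to replace it in
            // whole_input when a macro is converted into a table
            macros_source_lines[macro_name] = macro_definition.cap(0);
        }
    }

    // macro values may refer to other macros; expand those first
    QMapIterator<QString, QString> it(macros);
    while (it.hasNext())
    {
        it.next();
        QString macro_name = it.key();
        QString value = it.value();
        substituteMacros(macros, value);
        macros[macro_name] = value;
    }

    it = macros;
    while (it.hasNext())
    {
        it.next();
        QString macro_name = it.key();
        QString value = it.value();

        // Diagnostics are gated like every other debug print in this
        // importer; unconditional output copies the contents of the
        // user's configuration to stderr on every import.
        if (fwbdebug)
            qDebug() << "Macro: name=" << macro_name << "value=" << value;

        /*
         * Special case: if this macro defines list of addresses
         * in '{' '}', we convert it to a table with the same name
         * so that importer later on can create object group for
         * it.
         *
         * RegExp list_of_items assumes the string has been
         * stripped of any quotes and trimmed.
         */
        if (list_of_items.indexIn(value) != -1)
        {
            if (fwbdebug) qDebug() << "This macro defines a list";

            /*
             * we only convert to table if the list contains at
             * least one ip address. We assume that if there is an
             * address there, then all items in the list must
             * represent addresses, host names or interface names
             * because pf does not allow mixed address/service
             * lists anywhere.
             */
            QString list_str = list_of_items.cap(1);
            list_str.replace(",", "");
            QStringList items = list_str.split(QRegExp("\\s"),
                                               QString::SkipEmptyParts);
            if (fwbdebug) qDebug() << items;

            bool has_address = false;
            foreach(QString item, items)
            {
                if (fwbdebug) qDebug() << "Item:" << item;
                if (!item.isEmpty() &&
                    (item.contains(':') || item.contains('.')))
                {
                    try
                    {
                        InetAddr(item.toStdString());
                        // stop the loop if string successfully
                        // converts to an ip address
                        has_address = true;
                        break;
                    } catch(FWException &)
                    {
                        ;
                    }
                }
            }

            if (has_address)
            {
                /*
                 * Convert as follows:
                 * Macro:
                 *    name = "{ 1.1.1.1 2.2.2.2 }"
                 * to a table:
                 *    table <name> "{ 1.1.1.1 2.2.2.2 }"
                 */
                QString table_def("table <%1> %2");
                whole_input.replace(macros_source_lines[macro_name],
                                    table_def.arg(macro_name).arg(value));
                /*
                 * And add a macro to the dictionary to map macro_name to
                 * the table
                 */
                macros[macro_name] = "<" + macro_name + ">";
                if (fwbdebug)
                {
                    qDebug() << "Replacing macro definition with table:";
                    qDebug() << table_def.arg(macro_name).arg(value);
                }
            }
        }
    }

    if (fwbdebug) qDebug() << "Macros defined in this file: " << macros;

    substituteMacros(macros, whole_input);

    if (fwbdebug)
    {
        qDebug() << "pf.conf file after line unfolding and macro substitution:";
        qDebug() << whole_input;
    }

    istringstream normalized_input(whole_input.toStdString());

    PFCfgLexer lexer(normalized_input);
    PFCfgParser parser(lexer);
    parser.importer = this;
    if (fwbdebug)   parser.dbg = &std::cerr;
    else            parser.dbg = &parser_debug;

    try
    {
        parser.cfgfile();
    } catch(ANTLR_USE_NAMESPACE(antlr)ANTLRException &e)
    {
        err << parser_err + " " + e.toString().c_str();
    } catch(ObjectMakerException &e)
    {
        err << gen_err + " " + e.toString();
    } catch(ImporterException &e)
    {
        err << gen_err + " " + e.toString();
    } catch(std::exception& e)
    {
        err << parser_err + " " + e.what();
    }

    if (fwbdebug)
    {
        qDebug() << "haveFirewallObject()=" << haveFirewallObject()
                 << "countInterfaces()=" << countInterfaces()
                 << "countRules()=" << countRules();
    }

    if (haveFirewallObject())
    {
        if (countInterfaces()==0) err << noInterfacesErrorMessage();
        if (countRules()==0) err << noRulesErrorMessage();
    } else
    {
        err << parser_err;
        err << noFirewallErrorMessage();
        err << commonFailureErrorMessage();
    }

    if (!err.isEmpty()) *logger << err.join("\n").toUtf8().constData();
}

/*
 * Replace every "$name" in buffer with the value of macro "name".
 *
 * Macros can use other macros, so expansion is repeated until no defined
 * macro remains in the buffer. The number of passes is bounded: a
 * self-referencing definition such as  a = "$a x"  would otherwise grow
 * the buffer on every pass and never terminate, which a crafted or simply
 * mistaken pf.conf must not be able to trigger. Macros that are used but
 * never defined are reported through the logger.
 */
void PFImporter::substituteMacros(const QMap<QString, QString> &macros,
                                  QString &buffer)
{
    const int max_passes = 32;
    QRegExp any_macro_instance("\\$(\\w+)\\W");
    QSet<QString> undefined_macros;
    bool has_known_macros = true;

    for (int pass = 0; pass < max_passes && has_known_macros; ++pass)
    {
        QMapIterator<QString, QString> it(macros);
        while (it.hasNext())
        {
            it.next();
            // Macro names come straight from the config and may carry
            // regex metacharacters; escaped, the name can only ever match
            // itself and cannot turn into an invalid or wider pattern.
            QRegExp macro_instance(QString("\\$%1(?=\\W)")
                                   .arg(QRegExp::escape(it.key())));
            buffer.replace(macro_instance, it.value());
        }

        has_known_macros = false;
        int idx = 0;
        while ((idx = buffer.indexOf(any_macro_instance, idx)) != -1)
        {
            QString macro_name = any_macro_instance.cap(1);
            if (macros.contains(macro_name)) has_known_macros = true;
            else undefined_macros.insert(macro_name);
            idx++;
        }
    }

    if (has_known_macros)
    {
        QString err = QObject::tr(
            "Error: Macro expansion did not terminate after %1 passes; "
            "macro definitions are probably recursive").arg(max_passes);
        *logger << err.toUtf8().constData();
    }

    foreach(QString macro_name, undefined_macros)
    {
        QString err;
        err = QObject::tr("Warning: Macro %1 is undefined").arg(macro_name);
        *logger << err.toUtf8().constData();
    }
}

fwbuilder-5.3.7/src/import/PIXImporter.cpp000066400000000000000000001130711303637203600205060ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2007 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.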
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "PIXImporter.h" #include #include #include #include #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Network.h" #include "fwbuilder/Address.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Library.h" #include "fwbuilder/TCPUDPService.h" #include "../libgui/platforms.h" #include #include extern int fwbdebug; // TODO: this should move to some common library, together with // getVersionsForPlatform() it uses. 
Currently these functions are // defined in libgui/platforms.cpp extern QString findBestVersionMatch(const QString &platform, const QString &discovered_version); using namespace std; using namespace libfwbuilder; PIXImporter::PIXImporter(FWObject *lib, std::istringstream &input, Logger *log, const std::string &fwname) : IOSImporter(lib, input, log, fwname) { setPlatform("pix"); address_maker->setInvertedNetmasks(false); // since parent class sets to true } PIXImporter::~PIXImporter() { global_pools.clear(); } /* * do not clear named_objects_registry because this function is called * when we start processing each named object, object-group and some other * lines in the config */ void PIXImporter::clear() { Importer::clear(); current_named_object = NULL; named_object_name = ""; named_object_comment = ""; current_object_group = NULL; object_group_name = ""; object_group_comment = ""; object_group_service_protocol = ""; rule_type = NATRule::Unknown; prenat_interface = ""; postnat_interface = ""; real_a = ""; real_nm = ""; mapped_a = ""; mapped_nm = ""; real_addr_acl = ""; mapped_port_spec = ""; real_port_spec = ""; static_max_conn = ""; static_max_emb_conn = ""; nat_num = ""; nat_a = ""; nat_nm = ""; nat_acl = ""; tmp_global_pool = GlobalPool(); } /* * this clears temporary variables inside Importer but does not touch * current_named_object and current_object_group */ void PIXImporter::clearTempVars() { Importer::clear(); } Interface* PIXImporter::getInterfaceByLabel(const string &label) { map::iterator it; for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it) { Interface *intf = it->second; if (intf->getLabel() == label) { return intf; } } return NULL; } FWObject* PIXImporter::makeSrcObj() { if (src_nm == "interface") { Interface *intf = getInterfaceByLabel(src_a); if (intf) return intf; // throw ImporterException( reportError( QString("Cannot find interface with label '%1'").arg(src_a.c_str())); } if (named_objects_registry.count(src_a.c_str()) > 0) { 
return named_objects_registry[src_a.c_str()]; } return Importer::makeSrcObj(); } FWObject* PIXImporter::makeDstObj() { if (dst_nm == "interface") { Interface *intf = getInterfaceByLabel(dst_a); if (intf) return intf; // throw ImporterException( reportError( QString("Cannot find interface with label '%1'").arg(dst_a.c_str())); } if (named_objects_registry.count(dst_a.c_str()) > 0) { return named_objects_registry[dst_a.c_str()]; } return Importer::makeDstObj(); } FWObject* PIXImporter::makeSrvObj() { if (protocol=="tcp" || protocol=="udp") { if (!src_port_spec.empty() && named_objects_registry.count(src_port_spec.c_str()) > 0) return named_objects_registry[src_port_spec.c_str()]; if (!dst_port_spec.empty() && named_objects_registry.count(dst_port_spec.c_str()) > 0) return named_objects_registry[dst_port_spec.c_str()]; } if (protocol == "icmp") { if (!icmp_spec.empty() && named_objects_registry.count(icmp_spec.c_str()) > 0) return named_objects_registry[icmp_spec.c_str()]; } if (named_objects_registry.count(protocol.c_str()) > 0) return named_objects_registry[protocol.c_str()]; return Importer::makeSrvObj(); } /* * See #2291 * * Service group can be defined to match dstination ports but used to * match source ports in the access-list command. In ASA 8.0 and 8.3 the * following configuration is valid: * * object-group service test-service-1 tcp * port-object eq www * * Group test-service-1 can be used in the position in an access-list * command where it would match source ports. * */ void PIXImporter::fixServiceObjectUsedForSrcPorts() { if ((protocol=="tcp" || protocol=="udp") && ! src_port_spec.empty() && named_objects_registry.count(src_port_spec.c_str()) > 0) { FWObject *obj = named_objects_registry[src_port_spec.c_str()]; FWObject *new_obj = mirrorServiceObjectRecursively(obj); src_port_spec = new_obj->getName(); } } /* * see #2265 and 2290. 
If access-list command uses object groups * and/or in-line port matches for both source and destination * ports, we need to create several new TCPService or UDPService * objects to match all combinations of ports. However this is only * necessary when at least one of them (source or destination port match) * uses object-group or named object because configuration with two in-line * port matches is taken care in IOSImporter::createTCPService() * and IOSImporter::createUDPService() */ void PIXImporter::fixServiceObjectUsedForBothSrcAndDstPorts() { if (protocol=="tcp" || protocol=="udp") { // empty port_spec means no corresponding port match (either inline or // named object/object group) if (src_port_spec.empty() || dst_port_spec.empty()) return; FWObject *src_port_obj = NULL; FWObject *dst_port_obj = NULL; if (!src_port_spec.empty() && named_objects_registry.count(src_port_spec.c_str()) > 0) src_port_obj = named_objects_registry[src_port_spec.c_str()]; if (!dst_port_spec.empty() && named_objects_registry.count(dst_port_spec.c_str()) > 0) dst_port_obj = named_objects_registry[dst_port_spec.c_str()]; // if both src_port_obj and dst_port_obj are NULL, this means // both port operations are in-line port matches that will be // taken are of in the base class functions if (src_port_obj == NULL && dst_port_obj == NULL) return; // If only one of the two is NULL, use base class functions to // fill it in from its port_op and port_spec variables if (dst_port_obj == NULL) { src_port_spec = ""; src_port_op = ""; if (protocol=="tcp") dst_port_obj = createTCPService(); else dst_port_obj = createUDPService(); } if (src_port_obj == NULL) { dst_port_spec = ""; dst_port_op = ""; if (protocol=="tcp") src_port_obj = createTCPService(); else src_port_obj = createUDPService(); } // now we have service objects or groups of service objects for // both source and destination port match string group_name = QString("%1 port match line %2").arg(protocol.c_str()) 
.arg(getCurrentLineNumber()).toStdString(); newObjectGroupService(group_name); mixServiceObjects(src_port_obj, dst_port_obj, current_object_group); src_port_spec = ""; dst_port_spec = group_name; } } void PIXImporter::mixServiceObjects(FWObject *src_ports, FWObject *dst_ports, FWObject *service_group) { if (Group::cast(src_ports)!=NULL) { for (FWObject::iterator i1=src_ports->begin(); i1!=src_ports->end(); ++i1) { FWObject *o1 = FWReference::getObject(*i1); mixServiceObjects(o1, dst_ports, service_group); } return; } if (Group::cast(dst_ports)!=NULL) { for (FWObject::iterator i1=dst_ports->begin(); i1!=dst_ports->end(); ++i1) { FWObject *o1 = FWReference::getObject(*i1); mixServiceObjects(src_ports, o1, service_group); } return; } if (src_ports->getTypeName() != dst_ports->getTypeName()) { // this should not happen since ASA would not have allowed // access list rule with different source and destination // protocols but it does not hurt to check reportError( QString("Source and destination protocols do not match: '%1', '%2'") .arg(src_ports->getTypeName().c_str()) .arg(dst_ports->getTypeName().c_str())); return; } ObjectSignature sig(error_tracker); sig.type_name = src_ports->getTypeName().c_str(); sig.port_range_inclusive = false; sig.src_port_range_start = TCPUDPService::cast(src_ports)->getSrcRangeStart(); sig.src_port_range_end = TCPUDPService::cast(src_ports)->getSrcRangeEnd(); sig.dst_port_range_start = TCPUDPService::cast(dst_ports)->getDstRangeStart(); sig.dst_port_range_end = TCPUDPService::cast(dst_ports)->getDstRangeEnd(); service_group->addRef(commitObject(service_maker->createObject(sig))); } FWObject* PIXImporter::mirrorServiceObjectRecursively(FWObject *obj) { FWObject *res = NULL; string new_name = obj->getName() + "-mirror"; if (Service::cast(obj) != NULL) { FWObject *new_obj = service_maker->getMirroredServiceObject(obj); if (new_obj) named_objects_registry[QString::fromUtf8(new_name.c_str())] = new_obj; res = new_obj; } else { // 
newObjectGroupService creates new group object, // registers it as a named object and assigns pointer to // it to current_object_group newObjectGroupService(new_name); // if this group includes another group, we'll end up calling // mirrorServiceObjectRecursively() again and at this very // point will overwrite current_object_group with a pointer to // that group's mirror FWObject *new_group = current_object_group; for (FWObject::iterator it=obj->begin(); it!=obj->end(); ++it) { FWObject *new_obj = mirrorServiceObjectRecursively( FWReference::getObject(*it)); if (new_obj) new_group->addRef(commitObject(new_obj)); } res = new_group; current_object_group = new_group; } return res; } void PIXImporter::setInterfaceAndDirectionForRuleSet( const string &ruleset_name, const string &interface_label, const string &dir) { map::iterator it; for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it) { Interface *intf = it->second; if (intf->getLabel() == interface_label) { Importer::setInterfaceAndDirectionForRuleSet(intf, ruleset_name, dir); return; } } QString err("Can not associate rule set %1 with any interface\n"); addMessageToLog(err.arg(QString::fromUtf8(ruleset_name.c_str()))); } void PIXImporter::addLogging() { PolicyRule *rule = PolicyRule::cast(current_rule); FWOptions *ropt = rule->getOptionsObject(); /* alerts Immediate action needed (severity=1) critical Critical conditions (severity=2) debugging Debugging messages (severity=7) disable Disable log option on this ACL element, (no log at all) emergencies System is unusable (severity=0) errors Error conditions (severity=3) inactive Keyword for disabling an ACL element informational Informational messages (severity=6) interval Configure log interval, default value is 300 sec notifications Normal but significant conditions (severity=5) warnings Warning conditions (severity=4) */ QMap logging_levels; logging_levels["alerts"] = "alert"; logging_levels["critical"] = "crit"; logging_levels["debugging"] = "debug"; 
logging_levels["emergencies"] = ""; logging_levels["errors"] = "error"; logging_levels["informational"] = "info"; logging_levels["notifications"] = "notice"; logging_levels["warnings"] = "warning"; logging_levels["0"] = ""; logging_levels["1"] = "alert"; logging_levels["2"] = "crit"; logging_levels["3"] = "error"; logging_levels["4"] = "warning"; logging_levels["5"] = "notice"; logging_levels["6"] = "info"; logging_levels["7"] = "debug"; // QStringList log_levels = getLogLevels("pix"); rule->setLogging(logging); QString log_level_qs = log_level.c_str(); if ( ! log_level_qs.isEmpty()) { if (logging_levels.count(log_level_qs) != 0) ropt->setStr("log_level", logging_levels[log_level_qs].toStdString()); else ropt->setStr("log_level", log_level); if (log_level_qs == "disable" || log_level_qs == "inactive") ropt->setBool("disable_logging_for_this_rule", true); } if ( ! log_interval.empty()) { bool ok = false; int log_interval_int = QString(log_interval.c_str()).toInt(&ok); if (ok) ropt->setInt("log_interval", log_interval_int); } } void PIXImporter::pushRule() { if (rule_type == NATRule::Unknown) pushPolicyRule(); else pushNATRule(); assert(current_rule!=NULL); if (error_tracker->hasWarnings()) { QStringList warn = error_tracker->getWarnings(); // parser errors and warnings are added to the log by // PFCfgParser::reportError() and PFCfgParser::reportWarning() // so we dont need to add them again here foreach(QString w, warn) { if (!w.startsWith("Parser warning:")) addMessageToLog("Warning: " + w); } markCurrentRuleBad(); } if (error_tracker->hasErrors()) { QStringList err = error_tracker->getErrors(); foreach(QString e, err) { if (!e.startsWith("Parser error:")) addMessageToLog("Error: " + e); } markCurrentRuleBad(); } current_rule = NULL; rule_comment = ""; clear(); } void PIXImporter::pushPolicyRule() { assert(current_ruleset!=NULL); assert(current_rule!=NULL); // populate all elements of the rule addMessageToLog( QString("filtering rule: access list %1, action %2") 
.arg(QString::fromUtf8(current_ruleset->ruleset->getName().c_str())) .arg(action.c_str())); PolicyRule *rule = PolicyRule::cast(current_rule); FWOptions *ropt = current_rule->getOptionsObject(); assert(ropt!=NULL); if (action=="permit") { rule->setAction(PolicyRule::Accept); ropt->setBool("stateless", false); } if (action=="deny") { rule->setAction(PolicyRule::Deny); ropt->setBool("stateless", true); } rule->setDirection(PolicyRule::Both); // named service object or a group can be defined to match dstination // ports but used to match source ports in the access-list command. fixServiceObjectUsedForSrcPorts(); fixServiceObjectUsedForBothSrcAndDstPorts(); // special exception for rules with "neq" port operator in both // source and destination. #2297. We have decided to just issue a // warning at this time and let user fix the rule manually. We // should handle this case properly some day. if (src_port_op == "neq" && dst_port_op == "neq") { error_tracker->registerError( QObject::tr("Rule matches tcp or udp ports using \"neq\" port operator in " "both source and destination. This configuration is " "not supported by import at this time, please fix manually")); } addSrc(); addDst(); addSrv(); addLogging(); // then add it to the current ruleset current_ruleset->ruleset->add(current_rule); addStandardImportComment( current_rule, QString::fromUtf8(rule_comment.c_str())); } /* * Rearrange vlan interfaces. Importer creates all interfaces as * children of the firewall. Vlan interfaces should become * subinterfaces of the corresponding physical interfaces. 
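*/
void PIXImporter::rearrangeVlanInterfaces()
{
    // NOTE(review): the template arguments of int_prop and of the two lists
    // were missing from the extracted text; <interfaceProperties> and
    // <FWObject*> are restored from how the objects are used below.
    std::auto_ptr<interfaceProperties> int_prop(
        interfacePropertiesObjectFactory::getInterfacePropertiesObject(
            getFirewallObject()));

    list<FWObject*> all_interface_objects =
        getFirewallObject()->getByTypeDeep(Interface::TYPENAME);
    list<FWObject*> vlans;
    list<FWObject*>::iterator it;

    // First pass: collect interfaces whose name looks like a vlan and whose
    // "type" option is "8021q".
    for (it=all_interface_objects.begin(); it!=all_interface_objects.end(); ++it)
    {
        Interface *intf = Interface::cast(*it);
        FWOptions *ifopt = intf->getOptionsObject();
        if (int_prop->looksLikeVlanInterface(intf->getName().c_str()) &&
            ifopt->getStr("type")=="8021q")
        {
            // debug output is gated on fwbdebug, as in the rest of the importer
            if (fwbdebug)
                qDebug() << "Found vlan interface" << intf->getName().c_str();
            vlans.push_back(intf);
        }
    }

    // Second pass: move each vlan under the interface named by its base name.
    for (it=vlans.begin(); it!=vlans.end(); ++it)
    {
        Interface *vlan_intf = Interface::cast(*it);
        QString base_name;
        int vlan_id = -1;
        int_prop->parseVlan(vlan_intf->getName().c_str(), &base_name, &vlan_id);
        if (fwbdebug)
            qDebug() << "VLAN" << vlan_intf->getName().c_str()
                     << "base name" << base_name;

        if (base_name.isEmpty()) continue;

        FWObject *parent = NULL;
        list<FWObject*>::iterator it2;
        for (it2=all_interface_objects.begin();
             it2!=all_interface_objects.end(); ++it2)
        {
            if (base_name == (*it2)->getName().c_str())
            {
                parent = *it2;
                break;
            }
        }

        // Detach from the firewall only once a parent is known. Previously the
        // vlan was removed from the firewall before the search and was never
        // re-attached when no base interface matched, i.e. it silently
        // disappeared from the imported configuration.
        if (parent)
        {
            getFirewallObject()->remove(vlan_intf, false); // do not delete
            parent->add(vlan_intf, false);
        }
    }
}

/*
 * Ordering used by finalize() to sort rule set names: the implicit
 * "ssh_commands*", "telnet_commands*", "icmp_commands*" and
 * "http_commands*" rule sets come first, everything else follows in
 * plain lexicographic order.
 *
 * The previous version returned true whenever `a` had one of these
 * prefixes, regardless of `b`. For two such names compare(a,b) and
 * compare(b,a) were both true, which is not a strict weak ordering and
 * is undefined behaviour for std::list::sort(); it also let a plain name
 * that sorts before "ssh_commands" slip above the special ones.
 */
static bool is_command_ruleset_name(const string &name)
{
    return name.find("ssh_commands") == 0 ||
        name.find("telnet_commands") == 0 ||
        name.find("icmp_commands") == 0 ||
        name.find("http_commands") == 0;
}

bool compare_ruleset_names(string a, string b)
{
    bool a_special = is_command_ruleset_name(a);
    bool b_special = is_command_ruleset_name(b);
    if (a_special != b_special) return a_special;
    return a < b;
}

/*
 * Scan all UnidirectionalRuleSet objects, set interface and direction
 * in all rules of the corresponding RuleSet and merge all
 * UnidirectionalRuleSet objects into one RuleSet attached to the
 * firewall. Returns the firewall object, or NULL if none was created.
 */
Firewall* PIXImporter::finalize()
{
    if (fwbdebug) qDebug("PIXImporter::finalize()");

    if (haveFirewallObject())
    {
        Firewall *fw = Firewall::cast(getFirewallObject());

        if (!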
discovered_platform.empty()) { QString pl = QString(discovered_platform.c_str()).toLower(); if (pl == "asa") pl = "pix"; fw->setStr("platform", pl.toStdString()); string host_os; if (pl == "pix") host_os = "pix_os"; if (pl == "fwsm") host_os = "fwsm_os"; if (! host_os.empty()) { fw->setStr("host_OS", host_os); Resources::setDefaultTargetOptions(host_os , fw); } string version = findBestVersionMatch( pl, discovered_version.c_str()).toStdString(); if ( ! version.empty()) fw->setStr("version", version); } rearrangeVlanInterfaces(); FWObject *policy = getFirewallObject()->getFirstByType(Policy::TYPENAME); assert( policy!=NULL ); FWObject *nat = getFirewallObject()->getFirstByType(NAT::TYPENAME); assert( nat!=NULL ); if (all_rulesets.size()!=0) { if (fwbdebug) { qDebug() << "Setting interface and direction for all rules"; qDebug() << "all_rulesets.size()=" << all_rulesets.size(); } list ruleset_names; std::map::iterator i; for (i=all_rulesets.begin(); i!=all_rulesets.end(); ++i) { ruleset_names.push_back(i->first); } // sort rule sets by name, making sure "ssh_commands_*", // "telnet_commands_*" and "icmp_commands_*" stay on top ruleset_names.sort(compare_ruleset_names); list::iterator it; for (it=ruleset_names.begin(); it!=ruleset_names.end(); ++it) { string ruleset_name = *it; if (ruleset_name == "nat") continue; UnidirectionalRuleSet *irs = all_rulesets[ruleset_name]; if (irs->to_be_deleted) { irs->ruleset->clearChildren(false); getFirewallObject()->remove(irs->ruleset, false); delete irs->ruleset; continue; } if (fwbdebug) { qDebug() << " irs->name=" << irs->name.c_str(); qDebug() << " irs->intf_dir.size()=" << irs->intf_dir.size(); qDebug() << " irs->ruleset->getName()=" << irs->ruleset->getName().c_str(); qDebug() << " irs->ruleset->size()=" << irs->ruleset->size(); FWObject *p = irs->ruleset->getParent(); qDebug() << " irs->ruleset->getParent()=" << p; if (p) qDebug() << " " << p->getName().c_str(); qDebug() << " fw=" << fw; qDebug() << " policy=" << policy; } if 
(irs->intf_dir.size() == 0) { // no interface and direction information for this rule set // Perhaps no access-group command ? FWObjectDatabase *dbroot = fw->getRoot(); FWObject *new_ruleset = dbroot->create( irs->ruleset->getTypeName()); fw->add(new_ruleset); new_ruleset->duplicate(irs->ruleset); } // optimization: If we have several interfaces for // the ruleset, create a group // But first group interfaces by direction so // that later we can merge rules into the policy // with proper combination of interface group and // direction. Remember that the same access list // can be used with multiple interfaces with different // directions each time. The same list can be applied // to the same interface both in and out (although in // this case we have already switched direction to "both") // if (irs->intf_dir.size()>1) { std::list all_in; std::list all_out; std::list all_both; std::map::iterator i; for (i = irs->intf_dir.begin(); i != irs->intf_dir.end(); ++i) { if ( (*i).second=="in") all_in.push_back( (*i).first ); if ( (*i).second=="out") all_out.push_back( (*i).first ); if ( (*i).second=="both") all_both.push_back( (*i).first ); } FWObject *og; if (all_in.size()>0) { og = createGroupOfInterfaces(irs->name, all_in); MergeRules mr(irs->name, og, PolicyRule::Inbound, policy); while (irs->ruleset->size() > 0) mr.move(irs->ruleset->front()); } if (all_out.size()>0) { og = createGroupOfInterfaces(irs->name, all_out); MergeRules mr(irs->name, og, PolicyRule::Outbound, policy); while (irs->ruleset->size() > 0) mr.move(irs->ruleset->front()); } if (all_both.size()>0) { og = createGroupOfInterfaces(irs->name, all_both); MergeRules mr(irs->name, og, PolicyRule::Both, policy); while (irs->ruleset->size() > 0) mr.move(irs->ruleset->front()); } } else { std::map::iterator j; for (j=irs->intf_dir.begin(); j!=irs->intf_dir.end(); ++j) { string intf_name = (*j).first; Interface *intf = all_interfaces[intf_name]; std::string _dir = (*j).second; PolicyRule::Direction direction = 
PolicyRule::Both; if (_dir=="in") direction = PolicyRule::Inbound; if (_dir=="out") direction = PolicyRule::Outbound; if (fwbdebug) qDebug() << "Interface: " << intf << "dir: " << _dir.c_str(); // not all access lists are associated with interfaces if (intf != NULL) { if (fwbdebug) qDebug() << " interface: " << intf->getName().c_str(); MergeRules mr(irs->name, intf, direction, policy); while (irs->ruleset->size() > 0) mr.move(irs->ruleset->front()); } } } if (fwbdebug) qDebug("ruleset done"); // call clearChidren() not recursive because children objects // of all rules should not be deleted irs->ruleset->clearChildren(false); getFirewallObject()->remove(irs->ruleset, false); delete irs->ruleset; } } list l2 = fw->getByType(Policy::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { RuleSet *rs = RuleSet::cast(*i); rs->renumberRules(); } // Deal with NAT ruleset UnidirectionalRuleSet *nat_rs = all_rulesets["nat"]; if (nat_rs) { while (nat_rs->ruleset->size() > 0) { FWObject *r = nat_rs->ruleset->front(); nat->reparent(r); } NAT::cast(nat)->renumberRules(); nat_rs->ruleset->clearChildren(false); getFirewallObject()->remove(nat_rs->ruleset, false); delete nat_rs->ruleset; } return fw; } else { return NULL; } } /* * Named objects * * At least in the case of Cisco configurations, I can only create an * object after I saw the line "host ... ", "subnet ..." or "range * ..." so I know its type. This means things like the name and * comment are known before the type. I use methods * commitNamed*Object() to create objects once all information is available. * * I other platforms information about named objects may not be * arranged in this way, for example in PF configs named objects are * represented by macros which do not have explicit type and have all * information on one line. 
Still, in that case the same commit*() * method will work if called by the grammar after all variables have * been parsed and values assigned to temporary member variables * inside the Importer object. */ void PIXImporter::newNamedObjectAddress(const string &name) { named_object_name = QString::fromUtf8(name.c_str()); named_object_comment = ""; addMessageToLog("Named object (address) " + name); } void PIXImporter::newNamedObjectService(const string &name) { named_object_name = QString::fromUtf8(name.c_str()); named_object_comment = ""; addMessageToLog("Named object (service) " + name); } void PIXImporter::commitNamedAddressObject() { ObjectSignature sig(error_tracker); sig.object_name = named_object_name; sig.type_name = Address::TYPENAME; sig.address = tmp_a.c_str(); sig.netmask = tmp_nm.c_str(); current_named_object = commitObject(address_maker->createObject(sig)); named_objects_registry[named_object_name] = current_named_object; } void PIXImporter::commitNamedAddressRangeObject() { ObjectSignature sig(error_tracker); sig.object_name = named_object_name; sig.type_name = AddressRange::TYPENAME; sig.setAddressRangeStart(tmp_range_1.c_str()); sig.setAddressRangeEnd(tmp_range_2.c_str()); current_named_object = commitObject(address_maker->createObject(sig)); named_objects_registry[named_object_name] = current_named_object; } void PIXImporter::commitNamedIPServiceObject() { ObjectSignature sig(error_tracker); sig.object_name = named_object_name; sig.type_name = IPService::TYPENAME; sig.setProtocol(protocol.c_str()); sig.fragments = fragments; current_named_object = commitObject(service_maker->createObject(sig)); named_objects_registry[named_object_name] = current_named_object; } void PIXImporter::commitNamedICMPServiceObject() { ObjectSignature sig(error_tracker); sig.object_name = named_object_name; sig.type_name = ICMPService::TYPENAME; if ( ! 
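icmp_spec.empty())
    {
        // symbolic icmp name given; otherwise numeric type/code are used
        sig.setIcmpFromName(icmp_spec.c_str());
    } else
    {
        sig.setIcmpType(icmp_type.c_str());
        sig.setIcmpCode(icmp_code.c_str());
    }
    current_named_object = commitObject(service_maker->createObject(sig));
    named_objects_registry[named_object_name] = current_named_object;
}

/*
 * Create the named tcp or udp service object for the current
 * "object service" block and register it under named_object_name.
 *
 * createTCPService()/createUDPService() are used rather than building an
 * ObjectSignature here because they handle the "neq" port operator and
 * may produce a group of two services instead of a single one.
 */
void PIXImporter::commitNamedTCPUDPServiceObject()
{
    // Previously `obj` was left uninitialized and reached commitObject()
    // whenever protocol was neither "tcp" nor "udp".
    FWObject *obj = NULL;
    if (protocol == "tcp") obj = createTCPService(named_object_name);
    if (protocol == "udp") obj = createUDPService(named_object_name);

    if (obj == NULL)
    {
        // The object is not registered; later references to this name are
        // reported by addNamedObjectToObjectGroup() as still undefined.
        reportError(
            QString("Could not create service object '%1' for protocol '%2'")
            .arg(named_object_name).arg(protocol.c_str()));
        return;
    }

    current_named_object = commitObject(obj);
    named_objects_registry[named_object_name] = current_named_object;
}

/* Thin wrapper kept for symmetry with the other *commit* methods. */
FWObject* PIXImporter::commitObject(FWObject *obj)
{
    return Importer::commitObject(obj);
}

/*
 * Rename a freshly created object after the named object or object
 * group currently being parsed. Read-only objects are returned
 * unchanged. When both names are set, object_group_name wins because
 * it is applied last.
 */
FWObject* PIXImporter::setNameOfNamedObject(FWObject *obj)
{
    if (obj->isReadOnly()) return obj;

    if ( ! named_object_name.isEmpty())
        obj->setName(named_object_name.toUtf8().constData());

    if ( ! object_group_name.isEmpty())
        obj->setName(object_group_name.toUtf8().constData());

    return obj;
}

/*
 * It looks like the "description" line is always the last one in the
 * named object block of "show run" output on ASA. However "description"
 * is optional and we create the object when we see the "subnet", "host"
 * or "service" line. This function adds the description to the existing
 * named object if there is one, or just sets named_object_comment so the
 * description is not lost if it happens to appear first in the block.
 */
void PIXImporter::setNamedObjectDescription(const std::string &txt)
{
    named_object_comment = QString::fromUtf8(txt.c_str());

    if (current_named_object != NULL && !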
named_object_name.isEmpty()) { current_named_object->setBool(".import-commited", false); current_named_object->setComment(""); addStandardImportComment(current_named_object, named_object_comment); } } /************************************************************************/ void PIXImporter::newObjectGroupNetwork(const string &name) { object_group_name = QString::fromUtf8(name.c_str()); object_group_comment = ""; ObjectMaker maker(Library::cast(library), error_tracker); current_object_group = setNameOfNamedObject( commitObject( maker.createObject(ObjectGroup::TYPENAME, name))); named_objects_registry[object_group_name] = current_object_group; addMessageToLog("Object Group (network) " + name); } void PIXImporter::newObjectGroupService(const string &name) { object_group_name = QString::fromUtf8(name.c_str()); object_group_comment = ""; ObjectMaker maker(Library::cast(library), error_tracker); current_object_group = setNameOfNamedObject( commitObject( maker.createObject(ServiceGroup::TYPENAME, name))); named_objects_registry[object_group_name] = current_object_group; object_group_service_protocol = ""; addMessageToLog("Object Group (service) " + name); } bool PIXImporter::isKnownServiceGroupName(const string &object_group_name) { QString qs_object_group_name = QString::fromUtf8(object_group_name.c_str()); if (fwbdebug) qDebug() << "isKnownServiceGroupName:" << qs_object_group_name; if (named_objects_registry.count(qs_object_group_name) > 0) { FWObject *grp = named_objects_registry[qs_object_group_name]; return ServiceGroup::isA(grp); } return false; } void PIXImporter::newObjectGroupProtocol(const string &name) { object_group_name = QString::fromUtf8(name.c_str()); object_group_comment = ""; ObjectMaker maker(Library::cast(library), error_tracker); current_object_group = setNameOfNamedObject( commitObject( maker.createObject(ServiceGroup::TYPENAME, name))); named_objects_registry[object_group_name] = current_object_group; addMessageToLog("Object Group (protocol) " + 
name); } void PIXImporter::newObjectGroupICMP(const string &name) { object_group_name = QString::fromUtf8(name.c_str()); object_group_comment = ""; ObjectMaker maker(Library::cast(library), error_tracker); current_object_group = setNameOfNamedObject( commitObject( maker.createObject(ServiceGroup::TYPENAME, name))); named_objects_registry[object_group_name] = current_object_group; addMessageToLog("Object Group (icmp) " + name); } void PIXImporter::setObjectGroupDescription(const std::string &descr) { object_group_comment = QString::fromUtf8(descr.c_str()); if (current_object_group != NULL && ! object_group_name.isEmpty()) { current_object_group->setBool(".import-commited", false); current_object_group->setComment(""); addStandardImportComment(current_object_group, object_group_comment); } } void PIXImporter::addNetworkToObjectGroup() { ObjectSignature sig(error_tracker); sig.type_name = Address::TYPENAME; sig.setAddress(tmp_a.c_str()); sig.setNetmask(tmp_nm.c_str()); current_object_group->addRef( commitObject(address_maker->createObject(sig))); } void PIXImporter::addNamedObjectToObjectGroup(const std::string &object_name) { QString no_name = QString::fromUtf8(object_name.c_str()); if (named_objects_registry.count(no_name) > 0) { current_object_group->addRef(named_objects_registry[no_name]); } else // throw ImporterException( reportError( QString("Attempt to add yet undefined named object '%1' " "to object group '%2'").arg(no_name).arg(object_group_name)); } void PIXImporter::addIPServiceToObjectGroup() { ObjectSignature sig(error_tracker); sig.type_name = IPService::TYPENAME; sig.setProtocol(protocol.c_str()); sig.fragments = fragments; FWObject *s = service_maker->createObject(sig); current_object_group->addRef(commitObject(s)); } void PIXImporter::addTCPUDPServiceToObjectGroup() { FWObject *new_obj = NULL; if (protocol.empty() && ! 
object_group_service_protocol.isEmpty()) protocol = object_group_service_protocol.toStdString(); if (protocol == "tcp") new_obj = createTCPService(); if (protocol == "udp") new_obj = createUDPService(); if (protocol == "tcp-udp") new_obj = createTCPUDPServicePair(); if (new_obj) current_object_group->addRef(commitObject(new_obj)); } void PIXImporter::addICMPServiceToObjectGroup() { ObjectSignature sig(error_tracker); sig.type_name = ICMPService::TYPENAME; if ( ! icmp_spec.empty()) { sig.setIcmpFromName(icmp_spec.c_str()); } else { sig.setIcmpType(icmp_type.c_str()); sig.setIcmpCode(icmp_code.c_str()); } FWObject *s = service_maker->createObject(sig); current_object_group->addRef(commitObject(s)); } fwbuilder-5.3.7/src/import/PIXImporter.h000066400000000000000000000137301303637203600201540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _FWB_POLICY_IMPORTER_PIX_H_ #define _FWB_POLICY_IMPORTER_PIX_H_ #include #include #include #include #include #include "IOSImporter.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Logger.h" #include "fwbuilder/Rule.h" #include "fwbuilder/NAT.h" #include class GlobalPool { public: int num; std::string str_num; std::string pool_interface; std::string start; std::string end; std::string netmask; GlobalPool() { num = -1; str_num = ""; pool_interface = ""; start = ""; end = ""; netmask = ""; } GlobalPool& operator=(const GlobalPool &other); std::string toStdString(); QString toString(); }; class PIXImporter : public IOSImporter { libfwbuilder::FWObject* getMirroredServiceObject(libfwbuilder::FWObject *obj); libfwbuilder::FWObject* mirrorServiceObjectRecursively(libfwbuilder::FWObject *obj); void mixServiceObjects(libfwbuilder::FWObject *src_ports, libfwbuilder::FWObject *dst_ports, libfwbuilder::FWObject *service_group); void natRuleWithACL(libfwbuilder::NATRule *rule); public: QString named_object_name; QString named_object_comment; libfwbuilder::FWObject *current_named_object; QString object_group_name; QString object_group_comment; QString object_group_service_protocol; libfwbuilder::FWObject *current_object_group; QMap named_objects_registry; // variables for the nat rules libfwbuilder::NATRule::NATRuleTypes rule_type; std::string prenat_interface; std::string postnat_interface; std::string real_a; std::string real_nm; std::string mapped_a; std::string mapped_nm; std::string real_addr_acl; std::string mapped_port_spec; std::string real_port_spec; std::string static_max_conn; std::string static_max_emb_conn; std::string nat_num; std::string nat_a; std::string nat_nm; std::string nat_acl; GlobalPool tmp_global_pool; std::map > global_pools; PIXImporter(libfwbuilder::FWObject *lib, 
std::istringstream &input, libfwbuilder::Logger *log, const std::string &fwname); ~PIXImporter(); virtual void clear(); void clearTempVars(); void addGlobalPool(); virtual void run(); void pushPolicyRule(); void pushNATRule(); void buildDNATRule(); void buildSNATRule(); void buildNoNATRule(); virtual void pushRule(); // this method actually adds interfaces to the firewall object // and does final clean up. virtual libfwbuilder::Firewall* finalize(); virtual libfwbuilder::FWObject* makeSrcObj(); virtual libfwbuilder::FWObject* makeDstObj(); virtual libfwbuilder::FWObject* makeSrvObj(); virtual void addLogging(); void fixServiceObjectUsedForSrcPorts(); void fixServiceObjectUsedForBothSrcAndDstPorts(); /* * the difference is that in PIX, we get interface label instead * of its name in "access-group" command */ virtual void setInterfaceAndDirectionForRuleSet( const std::string &ruleset_name, const std::string &interface_name, const std::string &dir); virtual void newNamedObjectAddress(const std::string &name); virtual void newNamedObjectService(const std::string &name); /* * it looks like "description" line is always the last in the * named object block output of "show run" command on ASA, however * "description" is optional and we create the object when we see * "subnet", "host" or "service" line. This function adds * description to existing named object. 
*/ virtual void setNamedObjectDescription(const std::string &txt); virtual void commitNamedAddressObject(); virtual void commitNamedAddressRangeObject(); virtual void commitNamedIPServiceObject(); virtual void commitNamedICMPServiceObject(); virtual void commitNamedTCPUDPServiceObject(); virtual libfwbuilder::FWObject* commitObject(libfwbuilder::FWObject *obj); virtual libfwbuilder::FWObject* setNameOfNamedObject( libfwbuilder::FWObject *obj); void newObjectGroupNetwork(const std::string &group_name); void newObjectGroupService(const std::string &group_name); void newObjectGroupProtocol(const std::string &group_name); void newObjectGroupICMP(const std::string &group_name); bool isKnownServiceGroupName(const std::string &object_group_name); void setObjectGroupServiceProtocol(const std::string &proto) { object_group_service_protocol = proto.c_str(); } void setObjectGroupDescription(const std::string &descr); void addNamedObjectToObjectGroup(const std::string &object_name); void addNetworkToObjectGroup(); void addIPServiceToObjectGroup(); void addTCPUDPServiceToObjectGroup(); void addICMPServiceToObjectGroup(); libfwbuilder::Interface* getInterfaceByLabel(const std::string &label); void rearrangeVlanInterfaces(); }; #endif fwbuilder-5.3.7/src/import/PIXImporterNat.cpp000066400000000000000000000335021303637203600211510ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
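To get a copy of the GNU General Public License, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA
*/

#include "../../config.h"
#include "PIXImporter.h"

// NOTE(review): the next four system-header includes lost their <...>
// operands in the extracted text and are reproduced as found.
#include
#include
#include
#include

#include "interfaceProperties.h"
#include "interfacePropertiesObjectFactory.h"

#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/InetAddr.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Library.h"

#include "../libgui/platforms.h"

// NOTE(review): two more includes with missing operands, reproduced as found.
#include
#include

extern int fwbdebug;

using namespace libfwbuilder;
using namespace std;

/* Human-readable summary of the pool, used for the import log. */
QString GlobalPool::toString()
{
    QString l("number %1, interface %2, address range %3-%4, netmask %5 ");
    return l.arg(num).arg(pool_interface.c_str())
        .arg(start.c_str()).arg(end.c_str()).arg(netmask.c_str());
}

string GlobalPool::toStdString()
{
    return toString().toStdString();
}

/*
 * Member-wise assignment. str_num is copied as well now; it was left out
 * before, so an assigned pool disagreed with a copy-constructed one.
 */
GlobalPool& GlobalPool::operator=(const GlobalPool &other)
{
    num = other.num;
    str_num = other.str_num;
    pool_interface = other.pool_interface;
    start = other.start;
    end = other.end;
    netmask = other.netmask;
    return *this;
}

/*
 * Record the "global" pool collected in tmp_global_pool under its
 * numeric id. A pool whose str_num does not parse as an integer is
 * ignored without a message (presumably the grammar only feeds
 * integers here -- confirm).
 */
void PIXImporter::addGlobalPool()
{
    bool ok = false;
    int n = QString(tmp_global_pool.str_num.c_str()).toInt(&ok);
    if (ok)
    {
        tmp_global_pool.num = n;
        global_pools[tmp_global_pool.num].push_back(tmp_global_pool);
        addMessageToLog("Global address pool: " + tmp_global_pool.toString());
    }
}

/* Dispatch on rule_type to the builder for the current NAT command. */
void PIXImporter::pushNATRule()
{
    assert(current_ruleset!=NULL);

    switch (rule_type)
    {
    case NATRule::DNAT:
        buildDNATRule();
        break;
    case NATRule::SNAT:
        buildSNATRule();
        break;
    default:
        // The previous assert compared rule_type against DNAT and SNAT,
        // which is always true inside this branch; state the intent
        // (this branch must not be reached) explicitly instead.
        assert(false && "pushNATRule(): unsupported NAT rule type");
        break;
    }
}

/*
 * DNAT rule.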
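*
 * Using real_a, real_nm, mapped_a, mapped_nm, real_addr_acl,
 * real_port_spec, mapped_port_spec, prenat_interface,
 * postnat_interface
 *
 * Builds the NAT rule for a "static" command. When real_addr_acl names
 * an access list, one NAT rule is produced per policy rule of that list
 * and the list is marked for deletion; otherwise the single rule is
 * added to the current rule set.
 */
void PIXImporter::buildDNATRule()
{
    addMessageToLog(QString("Destination translation rule (\"static\" command)"));

    newNATRule();
    NATRule *rule = NATRule::cast(current_rule);
    assert(rule!=NULL);

    // Either lookup returns NULL for an unknown label. buildSNATRule()
    // checks the pointers before addRef(); do the same here instead of
    // handing NULL to the rule elements.
    Interface *pre_intf = getInterfaceByLabel(prenat_interface);
    Interface *post_intf = getInterfaceByLabel(postnat_interface);

    rule->setAction(NATRule::Translate);

    // a missing netmask means a host address
    if (real_nm.empty()) real_nm = InetAddr::getAllOnes().toString();
    if (mapped_nm.empty()) mapped_nm = InetAddr::getAllOnes().toString();

    if ( ! mapped_a.empty())
    {
        if (mapped_a == "interface")
        {
            // the mapped address is the post-NAT interface itself
            RuleElementODst* odst = rule->getODst();
            assert(odst!=NULL);
            if (post_intf)
                odst->addRef(post_intf);
            else
                reportError(
                    QString("Cannot find interface with label '%1'")
                    .arg(postnat_interface.c_str()));
        } else
        {
            dst_a = mapped_a;
            dst_nm = mapped_nm;
            addODst();
        }
    }

    if ( ! real_a.empty())
    {
        dst_a = real_a;
        dst_nm = real_nm;
        RuleElement* tdst = rule->getTDst();
        assert(tdst!=NULL);
        FWObject *s = makeDstObj();
        if (s) tdst->addRef( s );
    }

    // Ports are matched as "eq <port>" on the destination side. The base
    // class makeSrvObj() is called explicitly here; presumably to treat the
    // spec as an inline port rather than look it up in
    // named_objects_registry as PIXImporter::makeSrvObj() does -- confirm.
    if ( ! mapped_port_spec.empty())
    {
        src_port_spec = "";
        dst_port_op = "eq";
        dst_port_spec = mapped_port_spec;
        RuleElement* osrv = rule->getOSrv();
        assert(osrv!=NULL);
        FWObject *s = Importer::makeSrvObj();
        if (s) osrv->addRef( s );
    }

    if ( ! real_port_spec.empty())
    {
        src_port_spec = "";
        dst_port_op = "eq";
        dst_port_spec = real_port_spec;
        RuleElement* tsrv = rule->getTSrv();
        assert(tsrv!=NULL);
        FWObject *s = Importer::makeSrvObj();
        if (s) tsrv->addRef( s );
    }

    // inbound interface is the post-NAT one, outbound the pre-NAT one
    if (post_intf)
    {
        RuleElement *itf_i_re = rule->getItfInb();
        assert(itf_i_re!=NULL);
        itf_i_re->addRef(post_intf);
    }
    if (pre_intf)
    {
        RuleElement *itf_o_re = rule->getItfOutb();
        assert(itf_o_re!=NULL);
        itf_o_re->addRef(pre_intf);
    }

    if ( ! real_addr_acl.empty())
    {
        // Look the ACL up with count() first: operator[] on an unknown name
        // would insert a NULL entry into all_rulesets, which finalize()
        // later dereferences when it walks all rule sets.
        UnidirectionalRuleSet *rs = NULL;
        if (all_rulesets.count(real_addr_acl) > 0)
            rs = all_rulesets[real_addr_acl];

        if (rs)
        {
            for (FWObject::iterator rs_it=rs->ruleset->begin();
                 rs_it!=rs->ruleset->end(); ++rs_it)
            {
                PolicyRule *policy_rule = PolicyRule::cast(*rs_it);
                if (policy_rule == NULL) continue;

                FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
                NATRule *nat_rule = NATRule::cast(
                    dbroot->create(NATRule::TYPENAME));
                nat_rule->duplicate(rule);

                RuleElement* osrc = nat_rule->getOSrc();
                RuleElement* osrv = nat_rule->getOSrv();
                RuleElement* tdst = nat_rule->getTDst();
                RuleElement* tsrv = nat_rule->getTSrv();

                /* copy objects from a policy rule into
                 * rule elements of a nat rule
                 *
                 * Src --> TDst
                 * Dst --> OSrc
                 *
                 * If Srv matches destination ports, it should be mirrored and
                 * placed in OSrv
                 *
                 * If it matches source ports, it goes to TSrv, mirrored
                 */
                RuleElement *re = policy_rule->getSrc();
                FWObject::iterator it;
                for (it=re->begin(); it!=re->end(); ++it)
                    tdst->addRef(FWReference::getObject(*it));

                re = policy_rule->getDst();
                for (it=re->begin(); it!=re->end(); ++it)
                    osrc->addRef(FWReference::getObject(*it));

                re = policy_rule->getSrv();
                for (it=re->begin(); it!=re->end(); ++it)
                {
                    FWObject *old_obj = FWReference::getObject(*it);
                    // non tcp/udp services (cast yields NULL) are copied as is
                    TCPUDPService *tcpudp = TCPUDPService::cast(
                        mirrorServiceObjectRecursively(old_obj));
                    if (tcpudp == NULL)
                        tsrv->addRef(old_obj);
                    else
                    {
                        if (tcpudp->getSrcRangeEnd() > 0) osrv->addRef(tcpudp);
                        if (tcpudp->getDstRangeEnd() > 0) tsrv->addRef(tcpudp);
                    }
                }

                current_ruleset->ruleset->add(nat_rule);
                addStandardImportComment(
                    nat_rule, QString::fromUtf8(rule_comment.c_str()));
            }
            // the access list has been folded into the NAT rules above
            rs->to_be_deleted = true;
        } else
        {
            // Previously the rule was dropped here without a word. Report
            // the missing list and keep the rule so the error is attached
            // to something visible; it carries no address restriction and
            // must be reviewed by the user.
            reportError(
                QString("Access list '%1' used by \"static\" command "
                        "is not defined").arg(real_addr_acl.c_str()));
            current_ruleset->ruleset->add(rule);
            addStandardImportComment(rule, QString::fromUtf8(rule_comment.c_str()));
        }
    } else
    {
        // no ACL: add the single rule to the current ruleset
        current_ruleset->ruleset->add(rule);
        addStandardImportComment(rule, QString::fromUtf8(rule_comment.c_str()));
    }
}

/*
 * SNAT rule. Using rule_type, global_pools, prenat_interface,
 * nat_num, nat_a, nat_nm, nat_acl, max_conn, max_emb_conn
 *
 * Note that there can be multiple global pools with the same number
 * and same or different interfaces.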
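 * In that case we should create
 * multiple SNAT rules.
 *
 * Builds one fwbuilder SNAT rule per "global" pool registered under
 * the pool number of the current "nat" command (nat_num). Pool number
 * 0 is the NAT exemption form and is handed to buildNoNATRule().
 *
 * Two failure modes used to pass silently and now go to the import log:
 *  - nat_num that does not convert to an int. The grammar only admits
 *    INT_CONST here, but QString::toInt() still fails on overflow and
 *    then yields 0, which would have turned the command into a NAT
 *    exemption rule (the old assert(ok) is compiled out in release).
 *  - a pool number for which no "global" command was seen: the loop
 *    body ran zero times and the "nat" command imported as nothing.
 */
void PIXImporter::buildSNATRule()
{
    addMessageToLog(QString("Source translation rule (\"nat\" command)"));

    bool ok = false;
    int pool_num = QString(nat_num.c_str()).toInt(&ok);
    if ( ! ok)
    {
        addMessageToLog(
            QString("Error: can not parse NAT pool number '%1', rule skipped")
            .arg(nat_num.c_str()));
        return;
    }

    if (pool_num == 0) buildNoNATRule();
    else
    {
        if (global_pools[pool_num].empty())
        {
            addMessageToLog(
                QString("Error: no global pool with number %1, rule skipped")
                .arg(pool_num));
            return;
        }

        foreach(GlobalPool pool, global_pools[pool_num])
        {
            if (fwbdebug)
            {
                qDebug() << "NAT command num=" << pool_num;
                qDebug() << "nat_a=" << nat_a.c_str() << "nat_nm=" << nat_nm.c_str();
                qDebug() << "Using pool " << pool.toString();
            }

            Interface *post_intf = getInterfaceByLabel(pool.pool_interface);

            newNATRule();
            NATRule *rule = NATRule::cast(current_rule);

            Interface *pre_intf = getInterfaceByLabel(prenat_interface);

            rule->setAction(NATRule::Translate);

            if ( ! nat_a.empty())
            {
                // makeSrcObj() uses these variables
                src_a = nat_a;
                src_nm = nat_nm;
                RuleElement* osrc = rule->getOSrc();
                assert(osrc!=NULL);
                FWObject *s = makeSrcObj();
                if (s) osrc->addRef( s );
            }

            // translated source: the pool's interface address, a single
            // address, or an address range
            ObjectSignature sig(error_tracker);
            FWObject *addr = NULL;
            if (pool.start == "interface")
            {
                addr = post_intf;
                if (addr == NULL)
                    addMessageToLog(
                        QString("Error: unknown interface '%1' in global pool %2, "
                                "translated source left empty")
                        .arg(pool.pool_interface.c_str()).arg(pool_num));
            } else
            {
                if (pool.start == pool.end)
                {
                    sig.type_name = Address::TYPENAME;
                    sig.address = pool.start.c_str();
                    sig.netmask = pool.netmask.c_str();
                } else
                {
                    sig.type_name = AddressRange::TYPENAME;
                    sig.setAddressRangeStart(pool.start.c_str());
                    sig.setAddressRangeEnd(pool.end.c_str());
                }
                addr = commitObject(address_maker->createObject(sig));
            }

            RuleElement* tsrc = rule->getTSrc();
            assert(tsrc!=NULL);
            if (addr) tsrc->addRef( addr );

            if (pre_intf)
            {
                RuleElement *itf_i_re = rule->getItfInb();
                assert(itf_i_re!=NULL);
                itf_i_re->addRef(pre_intf);
            }

            if (post_intf)
            {
                RuleElement *itf_o_re = rule->getItfOutb();
                assert(itf_o_re!=NULL);
                itf_o_re->addRef(post_intf);
            }

            if ( ! nat_acl.empty())
            {
                natRuleWithACL(rule);
            } else
            {
                // add it to the current ruleset
                current_ruleset->ruleset->add(rule);
                addStandardImportComment(rule, QString::fromUtf8(rule_comment.c_str()));
            }
        }
    }
}

/*
 * NAT exemption ("nat (interface) 0 ..."): a NONAT rule whose original
 * source is nat_a/nat_nm and whose inbound interface is
 * prenat_interface. With nat_acl set the rule is expanded per ACL
 * entry by natRuleWithACL(), otherwise it is added as is.
 *
 * The inbound interface is now only referenced when the label resolved
 * (as buildSNATRule() already does); an unknown label is logged.
 */
void PIXImporter::buildNoNATRule()
{
    addMessageToLog(QString("NAT exemption rule (\"nat (interface) 0\" command)"));

    if (fwbdebug)
    {
        qDebug() << "NAT command num=0";
        qDebug() << "nat_a=" << nat_a.c_str() << "nat_nm=" << nat_nm.c_str();
    }

    newNATRule();
    NATRule *rule = NATRule::cast(current_rule);
    rule->setRuleType(libfwbuilder::NATRule::NONAT);

    Interface *pre_intf = getInterfaceByLabel(prenat_interface);

    rule->setAction(NATRule::Translate);

    if ( ! nat_a.empty())
    {
        // makeSrcObj() uses these variables
        src_a = nat_a;
        src_nm = nat_nm;
        RuleElement* osrc = rule->getOSrc();
        assert(osrc!=NULL);
        FWObject *s = makeSrcObj();
        if (s) osrc->addRef( s );
    }

    if (pre_intf)
    {
        RuleElement *itf_i_re = rule->getItfInb();
        assert(itf_i_re!=NULL);
        itf_i_re->addRef(pre_intf);
    }
    else
    {
        addMessageToLog(
            QString("Error: unknown interface '%1' in \"nat\" command")
            .arg(prenat_interface.c_str()));
    }

    if ( ! nat_acl.empty())
    {
        natRuleWithACL(rule);
    } else
    {
        // add it to the current ruleset
        current_ruleset->ruleset->add(rule);
        addStandardImportComment(rule, QString::fromUtf8(rule_comment.c_str()));
    }
}

/*
 * Expand a NAT rule qualified by an access-list ("nat (if) N access-list
 * X"): one copy of 'rule' is emitted per policy rule of the ACL, with
 * the policy rule's Src/Dst/Srv copied into OSrc/ODst/OSrv of the copy.
 * The ACL ruleset is marked to_be_deleted afterwards.
 *
 * An ACL name that was never defined is now reported instead of
 * silently producing no rule. (count() is used before [] so the lookup
 * does not insert an empty entry into all_rulesets.)
 */
void PIXImporter::natRuleWithACL(NATRule *rule)
{
    UnidirectionalRuleSet *rs = NULL;
    if (all_rulesets.count(nat_acl) > 0)
        rs = all_rulesets[nat_acl];
    else
        addMessageToLog(
            QString("Error: access-list '%1' not found, \"nat\" rule skipped")
            .arg(nat_acl.c_str()));

    if (rs)
    {
        for(FWObject::iterator rs_it=rs->ruleset->begin();
            rs_it!=rs->ruleset->end(); ++rs_it)
        {
            PolicyRule *policy_rule = PolicyRule::cast(*rs_it);
            if (policy_rule)
            {
                FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
                NATRule *nat_rule = NATRule::cast(
                    dbroot->create(NATRule::TYPENAME));
                nat_rule->duplicate(rule);

                RuleElement* osrc = nat_rule->getOSrc();
                RuleElement* odst = nat_rule->getODst();
                RuleElement* osrv = nat_rule->getOSrv();

                /* copy objects from a policy rule into "original"
                 * rule elements of a nat rule
                 *
                 * Src --> OSrc
                 * Dst --> ODst
                 * Srv --> OSrv
                 */
                RuleElement *re = policy_rule->getSrc();
                FWObject::iterator it;
                for (it=re->begin(); it!=re->end(); ++it)
                    osrc->addRef(FWReference::getObject(*it));

                re =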
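policy_rule->getDst();
                for (it=re->begin(); it!=re->end(); ++it)
                    odst->addRef(FWReference::getObject(*it));

                re = policy_rule->getSrv();
                for (it=re->begin(); it!=re->end(); ++it)
                    osrv->addRef(FWReference::getObject(*it));

                current_ruleset->ruleset->add(nat_rule);
                addStandardImportComment(
                    nat_rule, QString::fromUtf8(rule_comment.c_str()));
            }
        }
        rs->to_be_deleted = true;
    }
}

// ---- fwbuilder-5.3.7/src/import/PIXImporterRun.cpp ----
/*

    Firewall Builder

    Copyright (C) 2007 NetCitadel, LLC

    Author:  Vadim Kurland     vadim@fwbuilder.org

    $Id$

    This program is free software which we release under the GNU General Public
    License. You may redistribute and/or modify this program under the terms
    of that license as published by the Free Software Foundation; either
    version 2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    To get a copy of the GNU General Public License, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "../../config.h"

#include "PIXImporter.h"

#include <iostream>
#include <sstream>
#include <string>

#include <QMap>
#include <QObject>
#include <QRegExp>
#include <QString>
#include <QStringList>

#include "../parsers/PIXCfgLexer.hpp"
#include "../parsers/PIXCfgParser.hpp"

extern int fwbdebug;

using namespace std;

/*
 * Only this module depends on PIXCfgLexer and PIXCfgParser,
 * so only this file is recompiled when we change grammar
 */

/*
 * Read the whole configuration from 'input', rewrite "name" aliases to
 * their addresses, run the ANTLR parser over the result and report
 * parser/importer errors (and missing interfaces/rules/firewall) via
 * *logger.
 *
 * The input is untrusted configuration text, so the preprocessing is
 * deliberately defensive:
 *  - lines are read with std::getline into a std::string. The previous
 *    fixed 8 KiB buffer set failbit on an over-long line, and a loop
 *    conditioned only on eof() then never terminated, appending empty
 *    strings until memory ran out.
 *  - a "name" line is only used when it really has an address and a
 *    name (items[1], items[2]); a truncated line used to index past the
 *    end of the split list.
 *  - the name is passed through QRegExp::escape() before being put into
 *    the \b...\b pattern. A name containing regex metacharacters used
 *    to yield an invalid or over-broad pattern and the alias was either
 *    not replaced at all or replaced in the wrong places.
 */
void PIXImporter::run()
{
    QStringList err;
    QString parser_err = QObject::tr("Parser error:");
    QString gen_err = QObject::tr("Error:");
    std::ostringstream parser_debug;

    /* Do a bit of preprocessing of the input to simplify crazy grammar.
     *
     * Do the following (will add more stuff here in the future):
     *
     * - process "names" section: isolate "name" commands and build
     *   dictionary of names and addresses, then scan input file and
     *   replace names with addresses everywhere.
     */
    QMap<QString, QString> named_addresses;
    QStringList whole_input;

    std::string raw_line;
    input.clear();
    input.seekg (0, ios::beg);
    while (std::getline(input, raw_line))
        whole_input.append(QString(raw_line.c_str()));

    foreach(QString str, whole_input)
    {
        if (str.startsWith("name "))
        {
            // "name <address> <name> [...]"
            QStringList items = str.split(" ");
            if (items.size() < 3 || items[1].isEmpty() || items[2].isEmpty())
                continue;
            named_addresses[items[2]] = items[1];
        }
    }

    QStringList normalized_input_buffer;
    foreach(QString str, whole_input)
    {
        if ( ! str.startsWith("name "))
        {
            QMap<QString, QString>::iterator it;
            for (it=named_addresses.begin(); it!=named_addresses.end(); ++it)
            {
                QString re = QString("\\b%1\\b").arg(QRegExp::escape(it.key()));
                str.replace(QRegExp(re), it.value());
            }
        }
        normalized_input_buffer.append(str);
    }

    istringstream normalized_input(
        normalized_input_buffer.join("\n").toStdString());

    PIXCfgLexer lexer(normalized_input);
    PIXCfgParser parser(lexer);
    parser.importer = this;
    if (fwbdebug) parser.dbg = &std::cerr;
    else parser.dbg = &parser_debug;

    try
    {
        parser.cfgfile();
    } catch(ANTLR_USE_NAMESPACE(antlr)ANTLRException &e)
    {
        err << parser_err + " " + e.toString().c_str();
    } catch(ObjectMakerException &e)
    {
        err << gen_err + " " + e.toString();
    } catch(ImporterException &e)
    {
        err << gen_err + " " + e.toString();
    } catch(std::exception& e)
    {
        err << parser_err + " " + e.what();
    }

    if (haveFirewallObject())
    {
        if (countInterfaces()==0) err << noInterfacesErrorMessage();
        if (countRules()==0) err << noRulesErrorMessage();
    }
    else
    {
        err << parser_err;
        err << noFirewallErrorMessage();
        err << commonFailureErrorMessage();
    }

    if (!err.isEmpty())
        *logger << err.join("\n").toUtf8().constData();
}

// ---- fwbuilder-5.3.7/src/import/PortSpec.h ----
/*

    Firewall Builder

    Copyright (C) 2011 NetCitadel, LLC

    Author:  Vadim Kurland     vadim@fwbuilder.org

    This program is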
 free software which we release under the GNU General Public
    License. You may redistribute and/or modify this program under the terms
    of that license as published by the Free Software Foundation; either
    version 2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    To get a copy of the GNU General Public License, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef _PORT_SPEC_H_
#define _PORT_SPEC_H_

#include <string>

/*
 * A port specification as it appears in an imported rule: an operator
 * (port_op) and one or two port tokens. The tokens are kept as the
 * strings seen in the input; nothing is parsed or validated here.
 */
class PortSpec
{
public:
    std::string port1;
    std::string port2;
    std::string port_op;

    PortSpec() : port1(""), port2(""), port_op("") {}

    PortSpec(const PortSpec &other)
        : port1(other.port1), port2(other.port2), port_op(other.port_op) {}

    PortSpec(const std::string s1, const std::string s2, const std::string s3)
        : port1(s1), port2(s2), port_op(s3) {}

    // Fill from "a:b": port1 = "a", port2 = "b", port_op = ":".
    // A string without ':' leaves all three members as they were.
    void setFromPortRange(const std::string &port_range)
    {
        const std::size_t colon = port_range.find(':');
        if (colon == std::string::npos) return;
        port1 = port_range.substr(0, colon);
        port2 = port_range.substr(colon + 1);
        port_op = ":";
    }

    // "PortSpec: <op> <port1> <port2>", for the import log.
    std::string toString()
    {
        std::string out("PortSpec: ");
        out += port_op;
        out += " ";
        out += port1;
        out += " ";
        out += port2;
        return out;
    }
};

#endif

// ---- fwbuilder-5.3.7/src/import/PreImport.cpp ----
/*

    Firewall Builder

    Copyright (C) 2011 NetCitadel, LLC

    Author:  Vadim Kurland     vadim@fwbuilder.org

    This program is free software which we release under the GNU General Public
    License. You may redistribute and/or modify this program under the terms
    of that license as published by the Free Software Foundation; either
    version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PreImport.h" #include #include using namespace std; class matchPFDirectionIn : public matchPFDirection { public: virtual bool operator()(const QString &str) { return str.contains(" in "); } }; class matchPFDirectionOut : public matchPFDirection { public: virtual bool operator()(const QString &str) { return str.contains(" out "); } }; class matchPFDirectionBoth : public matchPFDirection { public: virtual bool operator()(const QString &str) { return ! str.contains(" in ") && ! str.contains(" out "); } }; void PreImport::scan() { QList pix_re; pix_re << QRegExp("^ASA Version") << QRegExp("^PIX Version") << QRegExp("^FWSM Version") << QRegExp("^nat \\(\\S+,\\S+\\)") << QRegExp("^static \\(\\S+,\\S+\\)") << QRegExp("^global \\(") << QRegExp("^nameif \\S+") << QRegExp("^fixup \\S+"); QList fwsm_re; fwsm_re << QRegExp("^FWSM Version"); QList ios_re; ios_re << QRegExp("IOS Version") << QRegExp("^[vV]ersion 1[012]\\..*"); QList iptables_re; iptables_re << QRegExp("# Generated by iptables-save") << QRegExp("^:INPUT ") << QRegExp("^:OUTPUT ") << QRegExp("^:FORWARD ") << QRegExp("^-A INPUT ") << QRegExp("^-A OUTPUT ") << QRegExp("^-A FORWARD "); QList iptables_with_counters_re; iptables_with_counters_re << QRegExp("^\\[\\d+:\\d+\\] -A INPUT ") << QRegExp("^\\[\\d+:\\d+\\] -A OUTPUT ") << QRegExp("^\\[\\d+:\\d+\\] -A FORWARD "); QList pf_conf_re; pf_conf_re << QRegExp("^scrub\\s+\\S+") << QRegExp("^set\\s+timeout\\s+\\S+") << QRegExp("^pass\\s+") << QRegExp("^block\\s+") << QRegExp("^nat\\s+(?!\\()") << QRegExp("^rdr\\s+(?!\\()") << QRegExp("^table\\s+<\\S+>\\s+"); foreach (QString line, 
*buffer) { if (platform == UNKNOWN) { foreach (QRegExp re, pix_re) { if (re.indexIn(line) > -1) { platform = PIX; break; } } foreach (QRegExp re, fwsm_re) { if (re.indexIn(line) > -1) { platform = FWSM; break; } } foreach (QRegExp re, ios_re) { if (re.indexIn(line) > -1) { platform = IOSACL; break; } } foreach (QRegExp re, iptables_re) { if (re.indexIn(line) > -1) { platform = IPTABLES; break; } } foreach (QRegExp re, pf_conf_re) { if (re.indexIn(line) > -1) { platform = PF; break; } } } if (platform == IPTABLES) { foreach (QRegExp re, iptables_with_counters_re) { if (re.indexIn(line) > -1) { platform = IPTABLES_WITH_COUNTERS; break; } } } } /* * fwbuilder generates PF configuration that always uses "quick" * keyword to make the first matching rule stop processing. A lot * of existing pf.conf files use the other model where PF commands * do not use this keyword, so that all rules inspect the packet * and the last matching rule makes the decision. Fwbuilder can * not generate PF configuration in this style and can not import * it. We look for "block" command without "quick" parameter to * determine if the configuration offered for import is written in * this style. * We refuse to import policies that have "block" line with no * "quick" word, unless there are other command(s) with "quick" * after it. We should do this comparison keeping direction in * mind because it is possible to have "block in all" and then * "pass out quick something". It looks like a style with "block * all" at the top used to set up default policy is quite * popular. Configuration written in this style has "block all * log" at the top (or in the middle), followed by a bunch of * specific "pass quick" rules. We can import this if "block all * log" is the last rule, but not if it is followed by some pass * rules with no "quick". 
*/ if (platform == PF) { matchPFDirectionIn dir_in; matchPFDirectionOut dir_out; matchPFDirectionBoth dir_both; if (isReversePFConfigurationStyle(dir_in) || isReversePFConfigurationStyle(dir_out) || isReversePFConfigurationStyle(dir_both)) { platform = PF_REVERSE; } } } bool PreImport::isReversePFConfigurationStyle(matchPFDirection &dir_op) { bool has_block_no_quick = false; bool has_command_with_quick_after_block = false; bool has_command_with_no_quick_after_block = false; QRegExp cont("\\\\\\s*\n"); QString line; QStringListIterator it(*buffer); while (it.hasNext()) { // first, unfold lines ending with "\" line = it.next(); int cont_idx; while ( (cont_idx = cont.indexIn(line)) > -1 && it.hasNext()) { line.insert(cont_idx, it.next()); } line = line.trimmed(); if (line.startsWith("#")) continue; if (line.isEmpty()) continue; if ( ! dir_op(line)) continue; if (line.contains(" quick")) { // check if after the line with "block" and no "quick" // comes a line with action "pass" and "quick" word. // This is a mixed-style policy and we can try to // import it. if (has_block_no_quick && (line.startsWith("pass ") || line.startsWith("block "))) { has_command_with_quick_after_block = true; continue; } } else { // check if this is a line with action "block" and no // "quick" word if (line.startsWith("block ")) { has_block_no_quick = true; continue; } if (has_block_no_quick) { has_command_with_no_quick_after_block = true; break; } } } return (has_block_no_quick && has_command_with_no_quick_after_block && ! 
has_command_with_quick_after_block); } QString PreImport::getPlatformAsString() { QString platform_string; switch (platform) { case PreImport::UNKNOWN: platform_string = ""; break; case PreImport::PIX: platform_string = "pix"; break; case PreImport::FWSM: platform_string = "fwsm"; break; case PreImport::IOSACL: platform_string = "iosacl"; break; case PreImport::IPTABLES: case PreImport::IPTABLES_WITH_COUNTERS: platform_string = "iptables"; break; case PreImport::PF: case PreImport::PF_REVERSE: platform_string = "pf"; break; } return platform_string; } fwbuilder-5.3.7/src/import/PreImport.h000066400000000000000000000031571303637203600177150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _PRE_IMPORTER_H_ #define _PRE_IMPORTER_H_ #include #include class matchPFDirection { public: virtual bool operator()(const QString&) {return false;} }; /* * This class scans firewall configuration and tries to guess platform * and some other parameters */ class PreImport { const QStringList *buffer; public: enum Platforms { UNKNOWN, IPTABLES, IPTABLES_WITH_COUNTERS, PF, PF_REVERSE, IOSACL, PIX, FWSM } ; private: enum Platforms platform; public: PreImport(const QStringList *buf) { buffer = buf; platform = UNKNOWN; } void scan(); enum Platforms getPlatform() { return platform; } QString getPlatformAsString(); bool isReversePFConfigurationStyle(matchPFDirection &dir_op); }; #endif fwbuilder-5.3.7/src/import/QStringListOperators.cpp000066400000000000000000000030741303637203600224470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "QStringListOperators.h" #include #include QStringList& operator<<(QStringList &lst, const char* x) { lst << QString::fromUtf8(x); return lst; } QStringList& operator<<(QStringList &lst, const std::string &x) { lst << QString::fromUtf8(x.c_str()); return lst; } QStringList& operator<<(QStringList &lst, int x) { QString s; lst << s.setNum(x); return lst; } QStringList& operator<<(QStringList &lst, bool x) { QString s; lst << s.setNum(x); return lst; } QStringList& operator<<(QStringList &lst, const QList &x) { QStringList r; foreach(int i, x) { QString s; r << s.setNum(i); } lst << "[" + r.join(",") + "]"; return lst; } fwbuilder-5.3.7/src/import/QStringListOperators.h000066400000000000000000000022731303637203600221140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include extern QStringList& operator<<(QStringList &lst, const char* x); extern QStringList& operator<<(QStringList &lst, const std::string &x); extern QStringList& operator<<(QStringList &lst, int x); extern QStringList& operator<<(QStringList &lst, bool x); extern QStringList& operator<<(QStringList &lst, const QList &x); fwbuilder-5.3.7/src/import/RouteSpec.h000066400000000000000000000026341303637203600177040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef _ROUTE_SPEC_H_
#define _ROUTE_SPEC_H_

#include <string>

/*
 * A route as it appears in an imported configuration: interface name,
 * destination address and netmask. All three are kept as the raw
 * strings seen in the input.
 */
class RouteSpec
{
public:
    std::string iface;
    std::string address;
    std::string netmask;

    RouteSpec() : iface(""), address(""), netmask("") {}

    RouteSpec(const RouteSpec &other)
        : iface(other.iface), address(other.address), netmask(other.netmask) {}

    RouteSpec(const std::string _iface,
              const std::string _addr,
              const std::string _nm)
        : iface(_iface), address(_addr), netmask(_nm) {}
};

#endif

// ---- fwbuilder-5.3.7/src/import/addressObjectMaker.cpp ----
/*

    Firewall Builder

    Copyright (C) 2011 NetCitadel, LLC

    Author:  Vadim Kurland     vadim@fwbuilder.org

    This program is free software which we release under the GNU General Public
    License. You may redistribute and/or modify this program under the terms
    of that license as published by the Free Software Foundation; either
    version 2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "addressObjectMaker.h" #include "fwbuilder/Address.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Network.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "QStringListOperators.h" #include #include extern int fwbdebug; using namespace libfwbuilder; using namespace std; AddressObjectMaker::~AddressObjectMaker() {} FWObject* AddressObjectMaker::createObject(ObjectSignature &sig) { FWObject *obj = NULL; if (sig.type_name == AddressRange::TYPENAME) obj = createAddressRange(sig); if (sig.type_name == AddressTable::TYPENAME) obj = createAddressTable(sig); if (sig.type_name == DNSName::TYPENAME) obj = createDNSName(sig); if (obj == NULL) obj = createAddress(sig); // Now I should build new signature because actual object type has // only been determined in createAddress() ObjectSignature new_sig(error_tracker); if ( ! 
sig.object_name.isEmpty())
    {
        // named object: keep the name from the config and register it
        // under the signature rebuilt from the object that was created
        obj->setName(sig.object_name.toUtf8().constData());
        obj->dispatch(&new_sig, (void*)(NULL));
        registerNamedObject(new_sig, obj);
    } else
    {
        obj->dispatch(&new_sig, (void*)(NULL));
        registerAnonymousObject(new_sig, obj);
    }
    return obj;
}

/*
 * Create, or return an already registered, address object for the
 * address/netmask pair in 'sig'.
 *
 *  - netmask of all ones: a single host. If the address string parses
 *    as an InetAddr an IPv4 object named "h-<address>" is created,
 *    otherwise a run-time DNSName object named after the string.
 *  - any other netmask: a Network object named "net-<addr>/<mask>".
 *
 * In every branch findMatchingObject() is consulted first so repeated
 * occurrences share one object.
 */
FWObject* AddressObjectMaker::createAddress(ObjectSignature &sig)
{
    ObjectSignature signature = sig;
    // NOTE(review): this conversion is outside any try block, so a
    // netmask string InetAddr rejects leaves this function as an
    // FWException instead of being recorded via error_tracker like the
    // address errors below. Whether a caller catches it is not visible
    // from here.
    InetAddr netmask(signature.netmask.toStdString());

    if ( netmask == InetAddr::getAllOnes() )
    {
        QString name;
        try
        {
            signature.type_name = IPv4::TYPENAME;
            FWObject *obj = findMatchingObject(signature);
            if (obj) return obj;

            InetAddr obj_addr(sig.address.toStdString()); // testing if string converts to an address
            name = QString("h-") + sig.address;
            Address *a = Address::cast(
                ObjectMaker::createObject(IPv4::TYPENAME, name.toStdString()));
            a->setAddress(obj_addr);
            a->setNetmask(InetAddr(InetAddr::getAllOnes()));
            return a;
        } catch(FWException &ex)
        {
            // address text line can not be converted to ipv4 address.
            // Since parsers do not understand ipv6 yet, assume this
            // is a host address and create DNSName object
            //
            // NOTE(review): this branch also catches plain garbage, so
            // any unparsable token in an imported config turns into a
            // run-time DNSName (setRunTime(true)) with that token as
            // the name to resolve; nothing is reported through
            // error_tracker here.
            signature.type_name = DNSName::TYPENAME;
            FWObject *obj = findMatchingObject(signature);
            if (obj) return obj;

            name = sig.address;
            DNSName *da = DNSName::cast(
                ObjectMaker::createObject(DNSName::TYPENAME, name.toStdString()));
            da->setSourceName(sig.address.toStdString());
            da->setRunTime(true);
            return da;
        }
    } else
    {
        signature.type_name = Network::TYPENAME;
        FWObject *obj = findMatchingObject(signature);
        if (obj) return obj;

        QString name = QString("net-%1/%2")
            .arg(signature.address).arg(signature.netmask);
        Network *net = Network::cast(
            ObjectMaker::createObject(Network::TYPENAME, name.toStdString()));
        try
        {
            net->setAddress( InetAddr(sig.address.toStdString()) );
        } catch (FWException &ex)
        {
            // the Network object is still returned, with its address
            // left at the default, after the error is recorded
            error_tracker->registerError(
                QString("Error converting address '%1'").arg(sig.address));
        }
        // we have already verified netmask above
        net->setNetmask(netmask);
        return net;
    }
    // both branches above return; kept so every path has a return
    return NULL;
}

FWObject*
AddressObjectMaker::createAddressRange(ObjectSignature &sig) { FWObject *obj = findMatchingObject(sig); if (obj) return obj; QString addr1 = sig.address_range_start; QString addr2 = sig.address_range_end; QString name = QString("range-%1-%2").arg(addr1).arg(addr2); AddressRange *ar = AddressRange::cast( ObjectMaker::createObject(AddressRange::TYPENAME, name.toStdString())); try { ar->setRangeStart( InetAddr(addr1.toStdString()) ); } catch (FWException &ex) { error_tracker->registerError( QString("Error converting address '%1'").arg(addr1)); } try { ar->setRangeEnd( InetAddr(addr2.toStdString()) ); } catch (FWException &ex) { error_tracker->registerError( QString("Error converting address '%1'").arg(addr2)); } return ar; } FWObject* AddressObjectMaker::createAddressTable(ObjectSignature &sig) { FWObject *obj = findMatchingObject(sig); if (obj) return obj; AddressTable *at = AddressTable::cast( ObjectMaker::createObject(AddressTable::TYPENAME, sig.object_name.toUtf8().constData())); assert(at!=NULL); at->setRunTime(true); at->setSourceName(sig.address_table_name.toStdString()); return at; } FWObject* AddressObjectMaker::createDNSName(ObjectSignature &sig) { FWObject *obj = findMatchingObject(sig); if (obj) return obj; DNSName *dns_obj = DNSName::cast( ObjectMaker::createObject(DNSName::TYPENAME, sig.object_name.toUtf8().constData())); assert(dns_obj!=NULL); dns_obj->setRunTime(true); dns_obj->setSourceName(sig.dns_name.toStdString()); return dns_obj; } fwbuilder-5.3.7/src/import/addressObjectMaker.h000066400000000000000000000033751303637203600215320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _ADDRESS_OBJECT_MAKER_H_ #define _ADDRESS_OBJECT_MAKER_H_ #include "objectMaker.h" #include class AddressObjectMaker : public ObjectMaker { bool inverted_netmasks; public: AddressObjectMaker(libfwbuilder::Library *l, ObjectMakerErrorTracker *et) : ObjectMaker(l, et) { inverted_netmasks = false; } virtual ~AddressObjectMaker(); void setInvertedNetmasks(bool f) { inverted_netmasks = f; } bool getInvertedNetmasks() { return inverted_netmasks; } virtual libfwbuilder::FWObject* createObject(ObjectSignature &sig); protected: virtual libfwbuilder::FWObject* createAddress(ObjectSignature &sig); virtual libfwbuilder::FWObject* createAddressRange(ObjectSignature &sig); virtual libfwbuilder::FWObject* createAddressTable(ObjectSignature &sig); virtual libfwbuilder::FWObject* createDNSName(ObjectSignature &sig); }; #endif fwbuilder-5.3.7/src/import/getProtoByName.cpp000066400000000000000000000074661303637203600212350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
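  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "../../config.h"

#include "getProtoByName.h"

#ifndef _WIN32
#  include <sys/types.h>
#  include <netdb.h>
#else
#  include <winsock2.h>
#endif

QMap<QString, int> GetProtoByName::protocols;

/*
 * Resolve an IP protocol given as a number or a name to its protocol
 * number, or -1 when it is unknown.
 *
 * Lookup order: a numeric token is used directly; otherwise the
 * built-in table below (IANA names plus the aliases Cisco/ASA configs
 * use); finally the system's getprotobyname().
 *
 * A numeric token is now range-checked: IP protocol numbers are 0..255,
 * and without the check "-5" (or any negative value other than -1) was
 * returned as if it were a successful lookup, while values such as 300
 * were passed on as protocol numbers.
 */
int GetProtoByName::getProtocolByName(const QString &name)
{
    if (protocols.size() == 0)
    {
        protocols["icmp"] = 1;
        protocols["igmp"] = 2;
        protocols["ggp"] = 3;
        protocols["ipencap"] = 4;
        protocols["st"] = 5;
        protocols["tcp"] = 6;
        protocols["egp"] = 8;
        protocols["igp"] = 9;
        protocols["pup"] = 12;
        protocols["udp"] = 17;
        protocols["hmp"] = 20;
        protocols["xns-idp"] = 22;
        protocols["rdp"] = 27;
        protocols["iso-tp4"] = 29;
        protocols["xtp"] = 36;
        protocols["ddp"] = 37;
        protocols["idpr-cmtp"] = 38;
        protocols["ipv6"] = 41;
        protocols["ipv6-route"] = 43;
        protocols["ipv6-frag"]= 44;
        protocols["idrp"] = 45;
        protocols["rsvp"] = 46;
        protocols["gre"] = 47;
        protocols["esp"] = 50;
        protocols["ah"] = 51;
        protocols["skip"] = 57;
        protocols["ipv6-icmp"] = 58;
        protocols["ipv6-nonxt"] = 59;
        protocols["ipv6-opts"] = 60;
        protocols["rspf"] = 73;
        protocols["vmtp"] = 81;
        protocols["eigrp"] = 88;
        protocols["ospf"] = 89;
        protocols["ax.25"] = 93;
        protocols["ipip"] = 94;
        protocols["etherip"] = 97;
        protocols["encap"] = 98;
        protocols["pim"] = 103;
        protocols["ipcomp"] = 108;
        protocols["vrrp"] = 112;
        protocols["l2tp"] = 115;
        protocols["isis"] = 124;
        protocols["sctp"] = 132;
        protocols["fc"] = 133;
        protocols["udplite"] = 136;
        protocols["mpls-in-ip"] = 137;
        protocols["manet"] = 138;
        protocols["hip"] = 139;

        // these are found in Cisco configs. Some of these names
        // duplicate protocols listed above but a few are extras.
        protocols["ah"] = 51;
        protocols["ahp"] = 51;
        protocols["eigrp"] = 88;
        protocols["esp"] = 50;
        protocols["gre"] = 47;
        protocols["igmp"] = 2;
        protocols["igrp"] = 9;
        protocols["ip"] = 0;
        protocols["ipinip"] = 4;
        protocols["nos"] = 94;
        protocols["ospf"] = 89;
        protocols["pim"] = 103;
        protocols["pcp"] = 108;
        protocols["snp"] = 109;

        // ASA configs use protocol name "ipsec" as an alias for "esp"
        // and "pptp" as an alias for "gre"
        protocols["ipsec"] = 50;
        protocols["pptp"] = 47;
    }

    bool ok = false;
    int protocol = name.toInt(&ok);
    if (ok)
    {
        // a number outside 0..255 is not a protocol, report it as unknown
        return (protocol >= 0 && protocol <= 255) ? protocol : -1;
    }

    if (protocols.contains(name)) return protocols[name];

#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    struct protoent *pe = getprotobyname(name.toAscii().constData());
#else
    struct protoent *pe = getprotobyname(name.toLatin1().constData());
#endif
    if (pe!=NULL) return pe->p_proto;

    return -1;
}

// ---- fwbuilder-5.3.7/src/import/getProtoByName.h ----
/*

    Firewall Builder

    Copyright (C) 2011 NetCitadel, LLC

    Author:  Vadim Kurland     vadim@fwbuilder.org

    This program is free software which we release under the GNU General Public
    License. You may redistribute and/or modify this program under the terms
    of that license as published by the Free Software Foundation; either
    version 2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.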
For example, protocol "gre" does not resolve on Windows but * resolves to ip protocol 47 on Linux. */ class GetProtoByName { static QMap protocols; public: GetProtoByName() {}; static int getProtocolByName(const QString &name); }; #endif fwbuilder-5.3.7/src/import/getServByName.cpp000066400000000000000000000710031303637203600210350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "getServByName.h" #ifndef _WIN32 # include # include #else # include #endif QMap > GetServByName::ports; int GetServByName::getPortByName(const QString &name, const QString &proto) { if (ports.size() == 0) { ports["tcp"]["tcpmux"] = 1; ports["tcp"]["echo"] = 7; ports["tcp"]["discard"] = 9; ports["tcp"]["systat"] = 11; ports["tcp"]["daytime"] = 13; ports["tcp"]["netstat"] = 15; ports["tcp"]["qotd"] = 17; ports["tcp"]["msp"] = 18; ports["tcp"]["chargen"] = 19; ports["tcp"]["ftp-data"] = 20; ports["tcp"]["ftp"] = 21; ports["tcp"]["ssh"] = 22; ports["tcp"]["telnet"] = 23; ports["tcp"]["smtp"] = 25; ports["tcp"]["time"] = 37; ports["tcp"]["nameserver"] = 42; ports["tcp"]["whois"] = 43; ports["tcp"]["tacacs"] = 49; ports["tcp"]["re-mail-ck"] = 50; ports["tcp"]["domain"] = 53; ports["tcp"]["mtp"] = 57; ports["tcp"]["tacacs-ds"] = 65; 
ports["tcp"]["bootps"] = 67; ports["tcp"]["bootpc"] = 68; ports["tcp"]["gopher"] = 70; ports["tcp"]["rje"] = 77; ports["tcp"]["finger"] = 79; ports["tcp"]["www"] = 80; ports["tcp"]["link"] = 87; ports["tcp"]["kerberos"] = 88; ports["tcp"]["supdup"] = 95; ports["tcp"]["hostnames"] = 101; ports["tcp"]["iso-tsap"] = 102; ports["tcp"]["acr-nema"] = 104; ports["tcp"]["csnet-ns"] = 105; ports["tcp"]["rtelnet"] = 107; ports["tcp"]["pop2"] = 109; ports["tcp"]["pop3"] = 110; ports["tcp"]["sunrpc"] = 111; ports["tcp"]["auth"] = 113; ports["tcp"]["sftp"] = 115; ports["tcp"]["uucp-path"] = 117; ports["tcp"]["nntp"] = 119; ports["tcp"]["ntp"] = 123; ports["tcp"]["pwdgen"] = 129; ports["tcp"]["loc-srv"] = 135; ports["tcp"]["netbios-ns"] = 137; ports["tcp"]["netbios-dgm"] = 138; ports["tcp"]["netbios-ssn"] = 139; ports["tcp"]["imap2"] = 143; ports["tcp"]["snmp"] = 161; ports["tcp"]["snmp-trap"] = 162; ports["tcp"]["cmip-man"] = 163; ports["tcp"]["cmip-agent"] = 164; ports["tcp"]["mailq"] = 174; ports["tcp"]["xdmcp"] = 177; ports["tcp"]["nextstep"] = 178; ports["tcp"]["bgp"] = 179; ports["tcp"]["prospero"] = 191; ports["tcp"]["irc"] = 194; ports["tcp"]["smux"] = 199; ports["tcp"]["at-rtmp"] = 201; ports["tcp"]["at-nbp"] = 202; ports["tcp"]["at-echo"] = 204; ports["tcp"]["at-zis"] = 206; ports["tcp"]["qmtp"] = 209; ports["tcp"]["z3950"] = 210; ports["tcp"]["ipx"] = 213; ports["tcp"]["imap3"] = 220; ports["tcp"]["pawserv"] = 345; ports["tcp"]["zserv"] = 346; ports["tcp"]["fatserv"] = 347; ports["tcp"]["rpc2portmap"] = 369; ports["tcp"]["codaauth2"] = 370; ports["tcp"]["clearcase"] = 371; ports["tcp"]["ulistserv"] = 372; ports["tcp"]["ldap"] = 389; ports["tcp"]["imsp"] = 406; ports["tcp"]["https"] = 443; ports["tcp"]["snpp"] = 444; ports["tcp"]["microsoft-ds"] = 445; ports["tcp"]["kpasswd"] = 464; ports["tcp"]["saft"] = 487; ports["tcp"]["isakmp"] = 500; ports["tcp"]["rtsp"] = 554; ports["tcp"]["nqs"] = 607; ports["tcp"]["npmp-local"] = 610; ports["tcp"]["npmp-gui"] = 611; 
ports["tcp"]["hmmp-ind"] = 612; ports["tcp"]["qmqp"] = 628; ports["tcp"]["ipp"] = 631; ports["tcp"]["exec"] = 512; ports["tcp"]["login"] = 513; ports["tcp"]["shell"] = 514; ports["tcp"]["printer"] = 515; ports["tcp"]["tempo"] = 526; ports["tcp"]["courier"] = 530; ports["tcp"]["conference"] = 531; ports["tcp"]["netnews"] = 532; ports["tcp"]["gdomap"] = 538; ports["tcp"]["uucp"] = 540; ports["tcp"]["klogin"] = 543; ports["tcp"]["kshell"] = 544; ports["tcp"]["afpovertcp"] = 548; ports["tcp"]["remotefs"] = 556; ports["tcp"]["nntps"] = 563; ports["tcp"]["submission"] = 587; ports["tcp"]["ldaps"] = 636; ports["tcp"]["tinc"] = 655; ports["tcp"]["silc"] = 706; ports["tcp"]["kerberos-adm"] = 749; ports["tcp"]["webster"] = 765; ports["tcp"]["rsync"] = 873; ports["tcp"]["ftps-data"] = 989; ports["tcp"]["ftps"] = 990; ports["tcp"]["telnets"] = 992; ports["tcp"]["imaps"] = 993; ports["tcp"]["ircs"] = 994; ports["tcp"]["pop3s"] = 995; ports["tcp"]["socks"] = 1080; ports["tcp"]["proofd"] = 1093; ports["tcp"]["rootd"] = 1094; ports["tcp"]["openvpn"] = 1194; ports["tcp"]["rmiregistry"] = 1099; ports["tcp"]["kazaa"] = 1214; ports["tcp"]["nessus"] = 1241; ports["tcp"]["lotusnote"] = 1352; ports["tcp"]["ms-sql-s"] = 1433; ports["tcp"]["ms-sql-m"] = 1434; ports["tcp"]["ingreslock"] = 1524; ports["tcp"]["prospero-np"] = 1525; ports["tcp"]["datametrics"] = 1645; ports["tcp"]["sa-msg-port"] = 1646; ports["tcp"]["kermit"] = 1649; ports["tcp"]["l2f"] = 1701; ports["tcp"]["radius"] = 1812; ports["tcp"]["radius-acct"] = 1813; ports["tcp"]["msnp"] = 1863; ports["tcp"]["unix-status"] = 1957; ports["tcp"]["log-server"] = 1958; ports["tcp"]["remoteping"] = 1959; ports["tcp"]["cisco-sccp"] = 2000; ports["tcp"]["search"] = 2010; ports["tcp"]["pipe_server"] = 2010; ports["tcp"]["nfs"] = 2049; ports["tcp"]["gnunet"] = 2086; ports["tcp"]["rtcm-sc104"] = 2101; ports["tcp"]["cvspserver"] = 2401; ports["tcp"]["venus"] = 2430; ports["tcp"]["venus-se"] = 2431; ports["tcp"]["codasrv"] = 2432; 
ports["tcp"]["codasrv-se"] = 2433; ports["tcp"]["mon"] = 2583; ports["tcp"]["dict"] = 2628; ports["tcp"]["gpsd"] = 2947; ports["tcp"]["gds_db"] = 3050; ports["tcp"]["icpv2"] = 3130; ports["tcp"]["mysql"] = 3306; ports["tcp"]["nut"] = 3493; ports["tcp"]["distcc"] = 3632; ports["tcp"]["daap"] = 3689; ports["tcp"]["svn"] = 3690; ports["tcp"]["suucp"] = 4031; ports["tcp"]["sysrqd"] = 4094; ports["tcp"]["remctl"] = 4373; ports["tcp"]["iax"] = 4569; ports["tcp"]["radmin-port"] = 4899; ports["tcp"]["rfe"] = 5002; ports["tcp"]["mmcc"] = 5050; ports["tcp"]["sip"] = 5060; ports["tcp"]["sip-tls"] = 5061; ports["tcp"]["aol"] = 5190; ports["tcp"]["xmpp-client"] = 5222; ports["tcp"]["xmpp-server"] = 5269; ports["tcp"]["cfengine"] = 5308; ports["tcp"]["mdns"] = 5353; ports["tcp"]["postgresql"] = 5432; ports["tcp"]["freeciv"] = 5556; ports["tcp"]["ggz"] = 5688; ports["tcp"]["x11"] = 6000; ports["tcp"]["x11-1"] = 6001; ports["tcp"]["x11-2"] = 6002; ports["tcp"]["x11-3"] = 6003; ports["tcp"]["x11-4"] = 6004; ports["tcp"]["x11-5"] = 6005; ports["tcp"]["x11-6"] = 6006; ports["tcp"]["x11-7"] = 6007; ports["tcp"]["gnutella-svc"] = 6346; ports["tcp"]["gnutella-rtr"] = 6347; ports["tcp"]["sge_qmaster"] = 6444; ports["tcp"]["sge_execd"] = 6445; ports["tcp"]["afs3-fileserver"] = 7000; ports["tcp"]["afs3-callback"] = 7001; ports["tcp"]["afs3-prserver"] = 7002; ports["tcp"]["afs3-vlserver"] = 7003; ports["tcp"]["afs3-kaserver"] = 7004; ports["tcp"]["afs3-volser"] = 7005; ports["tcp"]["afs3-errors"] = 7006; ports["tcp"]["afs3-bos"] = 7007; ports["tcp"]["afs3-update"] = 7008; ports["tcp"]["afs3-rmtsys"] = 7009; ports["tcp"]["font-service"] = 7100; ports["tcp"]["http-alt"] = 8080; ports["tcp"]["bacula-dir"] = 9101; ports["tcp"]["bacula-fd"] = 9102; ports["tcp"]["bacula-sd"] = 9103; ports["tcp"]["amanda"] = 10080; ports["tcp"]["hkp"] = 11371; ports["tcp"]["bprd"] = 13720; ports["tcp"]["bpdbm"] = 13721; ports["tcp"]["bpjava-msvc"] = 13722; ports["tcp"]["vnetd"] = 13724; ports["tcp"]["bpcd"] = 
13782; ports["tcp"]["vopied"] = 13783; ports["tcp"]["wnn6"] = 22273; ports["tcp"]["kerberos4"] = 750; ports["tcp"]["kerberos_master"] = 751; ports["tcp"]["krb_prop"] = 754; ports["tcp"]["krbupdate"] = 760; ports["tcp"]["swat"] = 901; ports["tcp"]["kpop"] = 1109; ports["tcp"]["knetd"] = 2053; ports["tcp"]["eklogin"] = 2105; ports["tcp"]["kx"] = 2111; ports["tcp"]["iprop"] = 2121; ports["tcp"]["supfilesrv"] = 871; ports["tcp"]["supfiledbg"] = 1127; ports["tcp"]["linuxconf"] = 98; ports["tcp"]["poppassd"] = 106; ports["tcp"]["ssmtp"] = 465; ports["tcp"]["moira_db"] = 775; ports["tcp"]["moira_update"] = 777; ports["tcp"]["spamd"] = 783; ports["tcp"]["omirr"] = 808; ports["tcp"]["customs"] = 1001; ports["tcp"]["skkserv"] = 1178; ports["tcp"]["rmtcfg"] = 1236; ports["tcp"]["wipld"] = 1300; ports["tcp"]["xtel"] = 1313; ports["tcp"]["xtelw"] = 1314; ports["tcp"]["support"] = 1529; ports["tcp"]["cfinger"] = 2003; ports["tcp"]["frox"] = 2121; ports["tcp"]["ninstall"] = 2150; ports["tcp"]["zebrasrv"] = 2600; ports["tcp"]["zebra"] = 2601; ports["tcp"]["ripd"] = 2602; ports["tcp"]["ripngd"] = 2603; ports["tcp"]["ospfd"] = 2604; ports["tcp"]["bgpd"] = 2605; ports["tcp"]["ospf6d"] = 2606; ports["tcp"]["ospfapi"] = 2607; ports["tcp"]["isisd"] = 2608; ports["tcp"]["afbackup"] = 2988; ports["tcp"]["afmbackup"] = 2989; ports["tcp"]["xtell"] = 4224; ports["tcp"]["fax"] = 4557; ports["tcp"]["hylafax"] = 4559; ports["tcp"]["distmp3"] = 4600; ports["tcp"]["munin"] = 4949; ports["tcp"]["enbd-cstatd"] = 5051; ports["tcp"]["enbd-sstatd"] = 5052; ports["tcp"]["pcrd"] = 5151; ports["tcp"]["noclog"] = 5354; ports["tcp"]["hostmon"] = 5355; ports["tcp"]["nsca"] = 5667; ports["tcp"]["mrtd"] = 5674; ports["tcp"]["bgpsim"] = 5675; ports["tcp"]["canna"] = 5680; ports["tcp"]["sane-port"] = 6566; ports["tcp"]["ircd"] = 6667; ports["tcp"]["zope-ftp"] = 8021; ports["tcp"]["tproxy"] = 8081; ports["tcp"]["omniorb"] = 8088; ports["tcp"]["clc-build-daemon"] = 8990; ports["tcp"]["xinetd"] = 9098; 
ports["tcp"]["git"] = 9418; ports["tcp"]["zope"] = 9673; ports["tcp"]["webmin"] = 10000; ports["tcp"]["kamanda"] = 10081; ports["tcp"]["amandaidx"] = 10082; ports["tcp"]["amidxtape"] = 10083; ports["tcp"]["smsqp"] = 11201; ports["tcp"]["xpilot"] = 15345; ports["tcp"]["sgi-cad"] = 17004; ports["tcp"]["isdnlog"] = 20011; ports["tcp"]["vboxd"] = 20012; ports["tcp"]["binkp"] = 24554; ports["tcp"]["asp"] = 27374; ports["tcp"]["csync2"] = 30865; ports["tcp"]["dircproxy"] = 57000; ports["tcp"]["tfido"] = 60177; ports["tcp"]["fido"] = 60179; ports["udp"]["echo"] = 7; ports["udp"]["discard"] = 9; ports["udp"]["daytime"] = 13; ports["udp"]["msp"] = 18; ports["udp"]["chargen"] = 19; ports["udp"]["fsp"] = 21; ports["udp"]["ssh"] = 22; ports["udp"]["time"] = 37; ports["udp"]["rlp"] = 39; ports["udp"]["tacacs"] = 49; ports["udp"]["re-mail-ck"] = 50; ports["udp"]["domain"] = 53; ports["udp"]["tacacs-ds"] = 65; ports["udp"]["bootps"] = 67; ports["udp"]["bootpc"] = 68; ports["udp"]["tftp"] = 69; ports["udp"]["gopher"] = 70; ports["udp"]["www"] = 80; ports["udp"]["kerberos"] = 88; ports["udp"]["acr-nema"] = 104; ports["udp"]["csnet-ns"] = 105; ports["udp"]["rtelnet"] = 107; ports["udp"]["pop2"] = 109; ports["udp"]["pop3"] = 110; ports["udp"]["sunrpc"] = 111; ports["udp"]["ntp"] = 123; ports["udp"]["pwdgen"] = 129; ports["udp"]["loc-srv"] = 135; ports["udp"]["netbios-ns"] = 137; ports["udp"]["netbios-dgm"] = 138; ports["udp"]["netbios-ssn"] = 139; ports["udp"]["imap2"] = 143; ports["udp"]["snmp"] = 161; ports["udp"]["snmp-trap"] = 162; ports["udp"]["cmip-man"] = 163; ports["udp"]["cmip-agent"] = 164; ports["udp"]["mailq"] = 174; ports["udp"]["xdmcp"] = 177; ports["udp"]["nextstep"] = 178; ports["udp"]["bgp"] = 179; ports["udp"]["prospero"] = 191; ports["udp"]["irc"] = 194; ports["udp"]["smux"] = 199; ports["udp"]["at-rtmp"] = 201; ports["udp"]["at-nbp"] = 202; ports["udp"]["at-echo"] = 204; ports["udp"]["at-zis"] = 206; ports["udp"]["qmtp"] = 209; ports["udp"]["z3950"] = 210; 
ports["udp"]["ipx"] = 213; ports["udp"]["imap3"] = 220; ports["udp"]["pawserv"] = 345; ports["udp"]["zserv"] = 346; ports["udp"]["fatserv"] = 347; ports["udp"]["rpc2portmap"] = 369; ports["udp"]["codaauth2"] = 370; ports["udp"]["clearcase"] = 371; ports["udp"]["ulistserv"] = 372; ports["udp"]["ldap"] = 389; ports["udp"]["imsp"] = 406; ports["udp"]["https"] = 443; ports["udp"]["snpp"] = 444; ports["udp"]["microsoft-ds"] = 445; ports["udp"]["kpasswd"] = 464; ports["udp"]["saft"] = 487; ports["udp"]["isakmp"] = 500; ports["udp"]["rtsp"] = 554; ports["udp"]["nqs"] = 607; ports["udp"]["npmp-local"] = 610; ports["udp"]["npmp-gui"] = 611; ports["udp"]["hmmp-ind"] = 612; ports["udp"]["qmqp"] = 628; ports["udp"]["ipp"] = 631; ports["udp"]["biff"] = 512; ports["udp"]["who"] = 513; ports["udp"]["syslog"] = 514; ports["udp"]["talk"] = 517; ports["udp"]["ntalk"] = 518; ports["udp"]["route"] = 520; ports["udp"]["timed"] = 525; ports["udp"]["netwall"] = 533; ports["udp"]["gdomap"] = 538; ports["udp"]["afpovertcp"] = 548; ports["udp"]["nntps"] = 563; ports["udp"]["submission"] = 587; ports["udp"]["ldaps"] = 636; ports["udp"]["tinc"] = 655; ports["udp"]["silc"] = 706; ports["udp"]["webster"] = 765; ports["udp"]["rsync"] = 873; ports["udp"]["telnets"] = 992; ports["udp"]["imaps"] = 993; ports["udp"]["ircs"] = 994; ports["udp"]["pop3s"] = 995; ports["udp"]["socks"] = 1080; ports["udp"]["proofd"] = 1093; ports["udp"]["rootd"] = 1094; ports["udp"]["openvpn"] = 1194; ports["udp"]["rmiregistry"] = 1099; ports["udp"]["kazaa"] = 1214; ports["udp"]["nessus"] = 1241; ports["udp"]["lotusnote"] = 1352; ports["udp"]["ms-sql-s"] = 1433; ports["udp"]["ms-sql-m"] = 1434; ports["udp"]["ingreslock"] = 1524; ports["udp"]["prospero-np"] = 1525; ports["udp"]["datametrics"] = 1645; ports["udp"]["sa-msg-port"] = 1646; ports["udp"]["kermit"] = 1649; ports["udp"]["l2f"] = 1701; ports["udp"]["radius"] = 1812; ports["udp"]["radius-acct"] = 1813; ports["udp"]["msnp"] = 1863; ports["udp"]["cisco-sccp"] = 2000; 
ports["udp"]["nfs"] = 2049; ports["udp"]["gnunet"] = 2086; ports["udp"]["rtcm-sc104"] = 2101; ports["udp"]["cvspserver"] = 2401; ports["udp"]["venus"] = 2430; ports["udp"]["venus-se"] = 2431; ports["udp"]["codasrv"] = 2432; ports["udp"]["codasrv-se"] = 2433; ports["udp"]["mon"] = 2583; ports["udp"]["dict"] = 2628; ports["udp"]["gpsd"] = 2947; ports["udp"]["gds_db"] = 3050; ports["udp"]["icpv2"] = 3130; ports["udp"]["mysql"] = 3306; ports["udp"]["nut"] = 3493; ports["udp"]["distcc"] = 3632; ports["udp"]["daap"] = 3689; ports["udp"]["svn"] = 3690; ports["udp"]["suucp"] = 4031; ports["udp"]["sysrqd"] = 4094; ports["udp"]["remctl"] = 4373; ports["udp"]["iax"] = 4569; ports["udp"]["radmin-port"] = 4899; ports["udp"]["rfe"] = 5002; ports["udp"]["mmcc"] = 5050; ports["udp"]["sip"] = 5060; ports["udp"]["sip-tls"] = 5061; ports["udp"]["aol"] = 5190; ports["udp"]["xmpp-client"] = 5222; ports["udp"]["xmpp-server"] = 5269; ports["udp"]["cfengine"] = 5308; ports["udp"]["mdns"] = 5353; ports["udp"]["postgresql"] = 5432; ports["udp"]["freeciv"] = 5556; ports["udp"]["ggz"] = 5688; ports["udp"]["x11"] = 6000; ports["udp"]["x11-1"] = 6001; ports["udp"]["x11-2"] = 6002; ports["udp"]["x11-3"] = 6003; ports["udp"]["x11-4"] = 6004; ports["udp"]["x11-5"] = 6005; ports["udp"]["x11-6"] = 6006; ports["udp"]["x11-7"] = 6007; ports["udp"]["gnutella-svc"] = 6346; ports["udp"]["gnutella-rtr"] = 6347; ports["udp"]["sge_qmaster"] = 6444; ports["udp"]["sge_execd"] = 6445; ports["udp"]["afs3-fileserver"] = 7000; ports["udp"]["afs3-callback"] = 7001; ports["udp"]["afs3-prserver"] = 7002; ports["udp"]["afs3-vlserver"] = 7003; ports["udp"]["afs3-kaserver"] = 7004; ports["udp"]["afs3-volser"] = 7005; ports["udp"]["afs3-errors"] = 7006; ports["udp"]["afs3-bos"] = 7007; ports["udp"]["afs3-update"] = 7008; ports["udp"]["afs3-rmtsys"] = 7009; ports["udp"]["font-service"] = 7100; ports["udp"]["http-alt"] = 8080; ports["udp"]["bacula-dir"] = 9101; ports["udp"]["bacula-fd"] = 9102; ports["udp"]["bacula-sd"] = 
9103; ports["udp"]["amanda"] = 10080; ports["udp"]["hkp"] = 11371; ports["udp"]["bprd"] = 13720; ports["udp"]["bpdbm"] = 13721; ports["udp"]["bpjava-msvc"] = 13722; ports["udp"]["vnetd"] = 13724; ports["udp"]["bpcd"] = 13782; ports["udp"]["vopied"] = 13783; ports["udp"]["wnn6"] = 22273; ports["udp"]["kerberos4"] = 750; ports["udp"]["kerberos_master"] = 751; ports["udp"]["passwd_server"] = 752; ports["udp"]["zephyr-srv"] = 2102; ports["udp"]["zephyr-clt"] = 2103; ports["udp"]["zephyr-hm"] = 2104; ports["udp"]["poppassd"] = 106; ports["udp"]["moira_ureg"] = 779; ports["udp"]["omirr"] = 808; ports["udp"]["customs"] = 1001; ports["udp"]["predict"] = 1210; ports["udp"]["ninstall"] = 2150; ports["udp"]["afbackup"] = 2988; ports["udp"]["afmbackup"] = 2989; ports["udp"]["noclog"] = 5354; ports["udp"]["hostmon"] = 5355; ports["udp"]["rplay"] = 5555; ports["udp"]["omniorb"] = 8088; ports["udp"]["mandelspawn"] = 9359; ports["udp"]["kamanda"] = 10081; ports["udp"]["smsqp"] = 11201; ports["udp"]["xpilot"] = 15345; ports["udp"]["sgi-cmsd"] = 17001; ports["udp"]["sgi-crsd"] = 17002; ports["udp"]["sgi-gcd"] = 17003; ports["udp"]["isdnlog"] = 20011; ports["udp"]["vboxd"] = 20012; ports["udp"]["asp"] = 27374; // these are found in Cisco configs. Some of these names duplicate // protocols listed above but a few are extras. 
// http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ports.html // // this is a mix of port names from PIX/ASA and IOS ports["tcp"]["aol"] = 5190; // America Online ports["tcp"]["bgp"] = 179; // Border Gateway Protocol, RFC 1163 ports["tcp"]["chargen"] = 19; // Character Generator // about the port value for cifs: // http://serverfault.com/questions/71582/list-of-cisco-asa-pre-defined-services ports["tcp"]["cifs"] = 3020; ports["tcp"]["citrix-ica"] = 1494; // Citrix Independent Computing // Architecture (ICA) protocol ports["tcp"]["cmd"] = 514; // Similar to exec except that cmd // has automatic authentication ports["tcp"]["ctiqbe"] = 2748; // Computer Telephony Interface // Quick Buffer Encoding ports["tcp"]["daytime"] = 13; // Day time, RFC 867 ports["tcp"]["discard"] = 9; // Discard ports["tcp"]["domain"] = 53; // DNS ports["tcp"]["echo"] = 7; // Echo ports["tcp"]["exec"] = 512; // Remote process execution ports["tcp"]["finger"] = 79; // Finger ports["tcp"]["ftp"] = 21; // File Transfer Protocol (control port) ports["tcp"]["ftp-data"] = 20; // File Transfer Protocol (data port) ports["tcp"]["gopher"] = 70; // Gopher ports["tcp"]["h323"] = 1720; // H.323 call signalling ports["tcp"]["hostname"] = 101; // NIC Host Name Server ports["tcp"]["https"] = 443; // HTTP over SSL ports["tcp"]["ident"] = 113; // Ident authentication service ports["tcp"]["imap4"] = 143; // Internet Message Access Protocol, // version 4 ports["tcp"]["irc"] = 194; // Internet Relay Chat protocol ports["tcp"]["kerberos"] = 750; // Kerberos ports["tcp"]["klogin"] = 543; // KLOGIN ports["tcp"]["kshell"] = 544; // Korn Shell ports["tcp"]["ldap"] = 389; // Lightweight Directory Access // Protocol ports["tcp"]["ldaps"] = 636; // Lightweight Directory Access // Protocol (SSL) ports["tcp"]["login"] = 513; // Remote login ports["tcp"]["lotusnotes"] = 1352; // IBM Lotus Notes ports["tcp"]["lpd"] = 515; // Line Printer Daemon - printer spooler ports["tcp"]["netbios-ssn"] = 139; // 
NetBIOS Session Service ports["tcp"]["nfs"] = 2049; ports["tcp"]["nntp"] = 119; // Network News Transfer Protocol ports["tcp"]["pcanywhere-data"] = 5631; // pcAnywhere data ports["tcp"]["pim-auto-rp"] = 496; // Protocol Independent Multicast, // reverse path flooding, dense mode ports["tcp"]["pop2"] = 109; // Post Office Protocol - Version 2 ports["tcp"]["pop3"] = 110; // Post Office Protocol - Version 3 ports["tcp"]["pptp"] = 1723; // Point-to-Point Tunneling Protocol ports["tcp"]["rsh"] = 514; ports["tcp"]["rtsp"] = 554; ports["tcp"]["smtp"] = 25; // Simple Mail Transport Protocol ports["tcp"]["sqlnet"] = 1521; // Structured Query Language Network ports["tcp"]["ssh"] = 22; // Secure Shell ports["tcp"]["sip"] = 5060; ports["tcp"]["sunrpc"] = 111; // 111 Sun Remote Procedure Call ports["tcp"]["syslog"] = 514; ports["tcp"]["tacacs"] = 49; // Terminal Access Controller // Access Control System Plus ports["tcp"]["tacacs-ds"] = 63; // ??? ports["tcp"]["talk"] = 517; // Talk ports["tcp"]["telnet"] = 23; // RFC 854 Telnet ports["tcp"]["time"] = 37; // ??? 
ports["tcp"]["uucp"] = 540; // UNIX-to-UNIX Copy Program ports["tcp"]["whois"] = 43; // Who Is ports["tcp"]["http"] = 80; ports["tcp"]["www"] = 80; // World Wide Web ports["udp"]["biff"] = 512; // Used by mail system to notify // users that new mail is received ports["udp"]["bootpc"] = 68; // Bootstrap Protocol Client ports["udp"]["bootps"] = 67; // Bootstrap Protocol Server ports["udp"]["cifs"] = 3020; ports["udp"]["discard"] = 9; // Discard ports["udp"]["dnsix"] = 195; // DNSIX Session Management // Module Audit Redirector ports["udp"]["domain"] = 53; // DNS ports["udp"]["echo"] = 7; ports["udp"]["isakmp"] = 500; // Internet Security Association // and Key Management Protocol ports["udp"]["kerberos"] = 750; // Kerberos ports["udp"]["mobile-ip"] = 434; // MobileIP-Agent ports["udp"]["nameserver"] = 42; // Host Name Server ports["udp"]["netbios-dgm"] = 138; // NetBIOS Datagram Service ports["udp"]["netbios-ns"] = 137; // NetBIOS Name Service ports["udp"]["netbios-ss"] = 139; ports["udp"]["nfs"] = 2049; ports["udp"]["ntp"] = 123; // Network Time Protocol ports["udp"]["pcanywhere-status"] = 5632; // pcAnywhere status ports["udp"]["pim-auto-rp"] = 496; // Protocol Independent Multicast, // reverse path flooding, dense mode ports["udp"]["radius"] = 1645; // Remote Authentication Dial-In // User Service ports["udp"]["radius-acct"] = 1646; // Remote Authentication Dial-In // User Service (accounting) ports["udp"]["rip"] = 520; // Routing Information Protocol ports["udp"]["rtsp"] = 554; ports["udp"]["secureid-udp"] = 5510; // SecureID over ports["udp"]["sip"] = 5060; ports["udp"]["snmp"] = 161; // Simple Network Management Protocol ports["udp"]["snmptrap"] = 162; // Simple Network Management Protocol // - Trap ports["udp"]["sunrpc"] = 111; // 111 Sun Remote Procedure Call ports["udp"]["syslog"] = 514; // System Log ports["udp"]["tacacs"] = 49; // Terminal Access Controller // Access Control System Plus ports["udp"]["talk"] = 517; // Talk ports["udp"]["tftp"] = 69; // 
Trivial File Transfer Protocol ports["udp"]["time"] = 37; // Time ports["udp"]["who"] = 513; // Who ports["udp"]["xdmcp"] = 177; // X Display Manager Control Protocol } bool ok = false; int port = name.toInt(&ok); if (ok) return port; if (ports.contains(proto) && ports[proto].contains(name)) return ports[proto][name]; // I guess this can be considered a hack. For some reason ASA // converts all UDP ports in "show run" to the same names as if // they were tcp. if ((proto == "udp" || proto == "tcp-udp") && ports["tcp"].contains(name)) return ports["tcp"][name]; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) struct servent *se = getservbyname(name.toAscii().constData(), proto.toAscii().constData()); #else struct servent *se = getservbyname(name.toLatin1().constData(), proto.toLatin1().constData()); #endif if (se!=NULL) { int port = ntohs(se->s_port); //free(se); return port; } return -1; } fwbuilder-5.3.7/src/import/getServByName.h000066400000000000000000000024021303637203600204770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _GETSERVBYNAME_H_ #define _GETSERVBYNAME_H_ #include #include /* * Simple wrapper class for getservbyname() function to make sure we * get useful results even when this function does not work quite * right. 
*/ class GetServByName { static QMap > ports; public: GetServByName() {}; static int getPortByName(const QString &name, const QString &proto); }; #endif fwbuilder-5.3.7/src/import/import.pro000066400000000000000000000025051303637203600176530ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) # TEMPLATE = lib # SOURCES = QStringListOperators.cpp \ PreImport.cpp \ objectMaker.cpp \ objectSignature.cpp \ addressObjectMaker.cpp \ serviceObjectMaker.cpp \ getProtoByName.cpp \ getServByName.cpp \ Importer.cpp \ IOSImporter.cpp \ IOSImporterRun.cpp \ IPTImporter.cpp \ IPTImporterRun.cpp \ PIXImporter.cpp \ PIXImporterNat.cpp \ PIXImporterRun.cpp \ PFImporter.cpp \ PFImporterRun.cpp \ HEADERS = QStringListOperators.h \ PreImport.h \ objectMaker.h \ objectSignature.h \ addressObjectMaker.h \ serviceObjectMaker.h \ getProtoByName.h \ getServByName.h \ Importer.h \ IOSImporter.h \ IPTImporter.h \ PIXImporter.h \ PFImporter.h \ InterfaceSpec.h \ AddressSpec.h \ PortSpec.h \ IcmpSpec.h \ RouteSpec.h \ CONFIG += staticlib # need to add "." for g++ on mingw INCLUDEPATH += $$ANTLR_INCLUDEPATH ../libfwbuilder/src ../compiler_lib . DEPENDPATH += $$ANTLR_INCLUDEPATH ../libfwbuilder/src ../compiler_lib LIBS += $$ANTLR_LIBS DEFINES += $$ANTLR_DEFINES TARGET = import INSTALLS -= target fwbuilder-5.3.7/src/import/objectMaker.cpp000066400000000000000000000165441303637203600205610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "objectMaker.h" #include "objectSignature.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Host.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Address.h" #include "fwbuilder/MultiAddress.h" #include "fwbuilder/Service.h" // TODO: FWBTree needs to be refactored into an independent module #include "../libgui/FWBTree.h" #include #include #include extern int fwbdebug; using namespace libfwbuilder; using namespace std; void ObjectMakerErrorTracker::registerError(const QString &msg) { if ( ! errors.contains(msg)) errors.append(msg); error_status = true; } void ObjectMakerErrorTracker::registerError(const string &msg) { QString qs_msg = QString::fromUtf8(msg.c_str()); if ( ! errors.contains(qs_msg)) errors.append(qs_msg); error_status = true; } void ObjectMakerErrorTracker::registerWarning(const QString &msg) { if ( ! warnings.contains(msg)) warnings.append(msg); warning_status = true; } void ObjectMakerErrorTracker::registerWarning(const string &msg) { QString qs_msg = QString::fromUtf8(msg.c_str()); if ( ! warnings.contains(qs_msg)) warnings.append(qs_msg); warning_status = true; } //**************************************************************** void ObjectMaker::clear() { last_created = NULL; named_object_registry.clear(); anon_object_registry.clear(); } FWObject* ObjectMaker::findMatchingObject(const ObjectSignature &sig) { QString sig_str = sig.toString(); if ( ! 
sig.object_name.isEmpty()) { if (named_object_registry.count(sig_str) > 0) return library->getRoot()->findInIndex( named_object_registry[sig_str]); return NULL; } if (anon_object_registry.count(sig_str) > 0) return library->getRoot()->findInIndex(anon_object_registry[sig_str]); return NULL; } void ObjectMaker::registerNamedObject(const ObjectSignature &sig, FWObject* obj) { ObjectSignature anon_sig = sig; anon_sig.object_name = ""; QString as = anon_sig.toString(); if (anon_object_registry.count(as) > 0) anon_object_registry.remove(as); named_object_registry[sig.toString()] = (obj!=NULL) ? obj->getId() : -1; } void ObjectMaker::registerAnonymousObject(const ObjectSignature &sig, FWObject* obj) { ObjectSignature anon_sig = sig; anon_sig.object_name = ""; anon_object_registry[anon_sig.toString()] = (obj!=NULL) ? obj->getId() : -1; } /* * take anonymous object @obj and make named object from it. * * - assignin @objName * - check if this object is in standard objects library and if it is, create * a copy since we cant rename objects there * * Note that this means that returned pointer may point to a new object * rather than @obj */ FWObject* ObjectMaker::promoteToNamedObject(FWObject *obj, const std::string &objName) { if (obj->getLibrary()->getId() == FWObjectDatabase::STANDARD_LIB_ID) { FWObject *new_obj = library->getRoot()->create(obj->getTypeName()); new_obj->duplicate(obj); new_obj->setName(objName); ObjectSignature sig(error_tracker); new_obj->dispatch(&sig, (void*)(NULL)); registerNamedObject(sig, new_obj); return new_obj; } else { obj->setName(objName); ObjectSignature sig(error_tracker); obj->dispatch(&sig, (void*)(NULL)); registerNamedObject(sig, obj); return obj; } } //**************************************************************** FWObject* ObjectMaker::createObject(const std::string &objType, const std::string &objName) { assert(library!=NULL); FWBTree tree ; FWObject *slot = tree.getStandardSlotForObject(library,objType.c_str()); return 
createObject(slot, objType, objName); } FWObject* ObjectMaker::createObject(FWObject *parent, const std::string &objType, const std::string &objName) { assert(library!=NULL); FWObject* o = library->getRoot()->create(objType); if (parent != NULL) { if (parent->isReadOnly()) { QString pn = QString::fromUtf8(parent->getName().c_str()); if (parent->getLibrary()->isReadOnly()) // throw ObjectMakerException( error_tracker->registerError( QObject::tr("Can not add new objects to folder %1 because " "it belongs to a locked library").arg(pn)); else // throw ObjectMakerException( error_tracker->registerError( QObject::tr("Can not add new objects to folder %1 because " "it is locked").arg(pn)); } if (parent->getLibrary()->getId() == FWObjectDatabase::DELETED_OBJECTS_ID) { // throw ObjectMakerException( error_tracker->registerError( QObject::tr("Can not add new objects to the \"Deleted Objects\" " "library")); } parent->add(o); } o->setName(objName); return o; } FWObject* ObjectMaker::createObject(ObjectSignature &) { return NULL; } //**************************************************************** /* * scan the tree starting at @root and use registerObject to build * signatures for all address and service objects in order to be able * to use them on import */ void ObjectMaker::prepareForDeduplication(FWObject *root) { switch(root->getId()) { // Skip dummy objects case FWObjectDatabase::DUMMY_ADDRESS_ID: case FWObjectDatabase::DUMMY_INTERFACE_ID: case FWObjectDatabase::DUMMY_SERVICE_ID: return; } if (RuleSet::cast(root) || Rule::cast(root) || FWReference::cast(root) || Host::cast(root) || FWOptions::cast(root)) return; if (Address::cast(root) || MultiAddress::cast(root) || Service::cast(root)) { ObjectSignature sig(error_tracker); root->dispatch(&sig, (void*)(NULL)); registerNamedObject(sig, root); registerAnonymousObject(sig, root); // this erases sig.object_name } if (Library::isA(root) && root->getId() == FWObjectDatabase::DELETED_OBJECTS_ID) return; for (FWObject::iterator 
it=root->begin(); it!=root->end(); ++it) { prepareForDeduplication(*it); } } fwbuilder-5.3.7/src/import/objectMaker.h000066400000000000000000000101431303637203600202130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _OBJECT_MAKER_H_ #define _OBJECT_MAKER_H_ #include "fwbuilder/FWObject.h" #include "fwbuilder/Dispatch.h" #include "objectSignature.h" #include #include #include #include namespace libfwbuilder { class AddressRange; class AttachedNetworks; class Cluster; class CustomService; class Firewall; class Host; class ICMPService; class IPService; class IPv4; class IPv6; class Interface; class Library; class Network; class NetworkIPv6; class ObjectGroup; class ServiceGroup; class TCPService; class TagService; class UDPService; class physAddress; class UserService; }; class ObjectMakerException : public std::exception { QString err; public: ObjectMakerException(const std::string &e) { err = e.c_str(); } ObjectMakerException(const QString &e) { err = e; } virtual ~ObjectMakerException() throw() {} QString toString() { return err; } virtual const char* what() const throw() { return err.toStdString().c_str(); } }; class ObjectMakerErrorTracker { QStringList errors; bool error_status; QStringList warnings; bool warning_status; 
public: ObjectMakerErrorTracker() { error_status = false; warning_status = false; } void clear() { error_status = false; warning_status = false; errors.clear(); warnings.clear(); } void registerError(const QString &msg); void registerError(const std::string &msg); bool hasErrors() { return error_status; } QStringList getErrors() { return errors; } void registerWarning(const QString &msg); void registerWarning(const std::string &msg); bool hasWarnings() { return warning_status; } QStringList getWarnings() { return warnings; } }; class ObjectMaker { protected: ObjectMakerErrorTracker *error_tracker; libfwbuilder::Library *library; libfwbuilder::FWObject *last_created; QMap named_object_registry; QMap anon_object_registry; libfwbuilder::FWObject* findMatchingObject(const ObjectSignature &sig); void registerNamedObject(const ObjectSignature &sig, libfwbuilder::FWObject* obj); void registerAnonymousObject(const ObjectSignature &sig, libfwbuilder::FWObject* obj); public: ObjectMaker(libfwbuilder::Library *l, ObjectMakerErrorTracker *et) { library = l; error_tracker = et; last_created = NULL; } virtual ~ObjectMaker() {}; virtual void clear(); virtual libfwbuilder::FWObject* createObject(ObjectSignature &sig); libfwbuilder::FWObject *getLastCreatedObject() { return last_created; } void prepareForDeduplication(libfwbuilder::FWObject *root); libfwbuilder::FWObject* createObject(const std::string &objType, const std::string &objName); libfwbuilder::FWObject* createObject(libfwbuilder::FWObject *parent, const std::string &objType, const std::string &objName); libfwbuilder::FWObject* promoteToNamedObject(libfwbuilder::FWObject *obj, const std::string &objName); }; #endif fwbuilder-5.3.7/src/import/objectSignature.cpp000066400000000000000000001015311303637203600214520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "objectMaker.h" #include "objectSignature.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/Host.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/physAddress.h" #include "fwbuilder/DynamicGroup.h" #include "QStringListOperators.h" #include "getProtoByName.h" #include "getServByName.h" #include #include #include extern int fwbdebug; using namespace libfwbuilder; using namespace std; QMap > ObjectSignature::icmp_names; QMap ObjectSignature::icmp_code_names; ObjectSignature::ObjectSignature(ObjectMakerErrorTracker *et) { error_tracker = et; port_range_inclusive = true; protocol = 
0; fragments = false; short_fragments = false; any_opt = false; lsrr = false; ssrr = false; rr = false; ts = false; rtralt = false; rtralt_value = false; icmp_type = -1; icmp_code = -1; src_port_range_start = 0; src_port_range_end = 0; dst_port_range_start = 0; dst_port_range_end = 0; established = false; if (icmp_names.size() == 0) { // Cisco icmp names icmp_names["echo-reply"] = QPair(0, 0); icmp_names["unreachable"] = QPair(3, -1); // all "unreachables" icmp_names["net-unreachable"] = QPair(3, 0); icmp_names["host-unreachable"] = QPair(3, 1); icmp_names["protocol-unreachable"] = QPair(3, 2); icmp_names["port-unreachable"] = QPair(3, 3); icmp_names["packet-too-big"] = QPair(3, 4); icmp_names["source-route-failed"] = QPair(3, 5); icmp_names["network-unknown"] = QPair(3, 6); icmp_names["host-unknown"] = QPair(3, 7); icmp_names["host-isolated"] = QPair(3, 8); icmp_names["dod-net-prohibited"] = QPair(3, 9); icmp_names["dod-host-prohibited"] = QPair(3, 10); icmp_names["net-tos-unreachable"] = QPair(3, 11); icmp_names["host-tos-unreachable"] = QPair(3, 12); icmp_names["administratively-prohibited"] = QPair(3, 13); icmp_names["host-precedence-unreachable"] = QPair(3, 14); icmp_names["precedence-unreachable"] = QPair(3, 15); icmp_names["source-quench"] = QPair(4, 0); icmp_names["net-redirect"] = QPair(5, 0); icmp_names["host-redirect"] = QPair(5, 1); icmp_names["net-tos-redirect"] = QPair(5, 2); icmp_names["host-tos-redirect"] = QPair(5, 3); icmp_names["echo"] = QPair(8, 0); icmp_names["router-advertisement"] = QPair(9, 0); icmp_names["router-solicitation"] = QPair(10, 0); icmp_names["ttl-exceeded"] = QPair(11, 0); icmp_names["reassembly-timeout"] = QPair(11, 1); icmp_names["general-parameter-problem"] = QPair(12, 0); icmp_names["option-missing"] = QPair(12, 1); icmp_names["timestamp-request"] = QPair(13, 0); icmp_names["timestamp-reply"] = QPair(14, 0); icmp_names["information-request"] = QPair(15, 0); icmp_names["information-reply"] = QPair(16, 0); 
icmp_names["mask-request"] = QPair(17, 0); icmp_names["mask-reply"] = QPair(18, 0); // ASA 8.3 icmp names icmp_names["alternate-address"] = QPair(6, -1); icmp_names["conversion-error"] = QPair(31, -1); icmp_names["echo"] = QPair(8, -1); icmp_names["echo-reply"] = QPair(0, -1); icmp_names["information-reply"] = QPair(16, -1); icmp_names["information-request"] = QPair(15, -1); icmp_names["mask-reply"] = QPair(18, -1); icmp_names["mask-request"] = QPair(17, -1); icmp_names["mobile-redirect"] = QPair(32, -1); icmp_names["parameter-problem"] = QPair(12, -1); icmp_names["redirect"] = QPair(5, -1); icmp_names["router-advertisement"] = QPair(9, -1); icmp_names["router-solicitation"] = QPair(10, -1); icmp_names["source-quench"] = QPair(4, -1); icmp_names["time-exceeded"] = QPair(11, -1); icmp_names["timestamp-reply"] = QPair(14, -1); icmp_names["timestamp-request"] = QPair(13, -1); icmp_names["traceroute"] = QPair(30, -1); icmp_names["unreachable"] = QPair(3, -1); // iptables icmp names icmp_names["any"] = QPair(-1,-1); icmp_names["echo-reply"] = QPair(0,0); // all "unreachables" icmp_names["destination-unreachable"] = QPair(3,-1); icmp_names["network-unreachable"] = QPair(3,0); icmp_names["host-unreachable"] = QPair(3,1); icmp_names["protocol-unreachable"] = QPair(3,2); icmp_names["port-unreachable"] = QPair(3,3); icmp_names["fragmentation-needed"] = QPair(3,4); icmp_names["source-route-failed"] = QPair(3,5); icmp_names["network-unknown"] = QPair(3,6); icmp_names["host-unknown"] = QPair(3,7); icmp_names["host-isolated"] = QPair(3,8); icmp_names["network-prohibited"] = QPair(3,9); icmp_names["host-prohibited"] = QPair(3,10); icmp_names["TOS-network-unreachable"] = QPair(3,11); icmp_names["TOS-host-unreachable"] = QPair(3,12); icmp_names["communication-prohibited"] = QPair(3,13); icmp_names["host-precedence-violation"] = QPair(3,14); icmp_names["precedence-cutoff"] = QPair(3,15); icmp_names["source-quench"] = QPair(4,0); icmp_names["redirect"] = QPair(5,-1); 
icmp_names["network-redirect"] = QPair(5,0); icmp_names["host-redirect"] = QPair(5,1); icmp_names["TOS-network-redirect"] = QPair(5,2); icmp_names["TOS-host-redirect"] = QPair(5,3); icmp_names["echo-request"] = QPair(8,0); icmp_names["router-advertisement"] = QPair(9,0); icmp_names["router-solicitation"] = QPair(10,0); icmp_names["ttl-exceeded"] = QPair(11,0); icmp_names["time-exceeded"] = QPair(11,0); icmp_names["ttl-zero-during-transit"] = QPair(11,0); icmp_names["ttl-zero-during-reassembly"] = QPair(11,1); icmp_names["parameter-problem"] = QPair(12,0); icmp_names["ip-header-bad"] = QPair(12,0); icmp_names["required-option-missing"] = QPair(12,1); icmp_names["timestamp-request"] = QPair(13,0); icmp_names["timestamp-reply"] = QPair(14,0); icmp_names["information-request"] = QPair(15,0); icmp_names["information-reply"] = QPair(16,0); icmp_names["address-mask-request"] = QPair(17,0); icmp_names["address-mask-reply"] = QPair(18,0); // ICMP types defined in "man 4 icmp" on OpenBSD icmp_names["echorep"] = QPair(0,0); icmp_names["unreach"] = QPair(3,0); icmp_names["squench"] = QPair(4,0); icmp_names["redir"] = QPair(5,0); icmp_names["althost"] = QPair(6,0); icmp_names["echoreq"] = QPair(8,0); icmp_names["routeradv"] = QPair(9,0); icmp_names["routersol"] = QPair(10,0); icmp_names["timex"] = QPair(11,0); icmp_names["paramprob"] = QPair(12,0); icmp_names["timereq"] = QPair(13,0); icmp_names["timerep"] = QPair(14,0); icmp_names["inforeq"] = QPair(15,0); icmp_names["inforep"] = QPair(16,0); icmp_names["maskreq"] = QPair(17,0); icmp_names["maskrep"] = QPair(18,0); icmp_names["trace"] = QPair(30,0); icmp_names["dataconv"] = QPair(31,0); icmp_names["mobredir"] = QPair(32,0); icmp_names["ipv6-where"] = QPair(33,0); icmp_names["ipv6-here"] = QPair(34,0); icmp_names["mobregreq"] = QPair(35,0); icmp_names["mobregrep"] = QPair(36,0); icmp_names["skip"] = QPair(39,0); icmp_names["photuris"] = QPair(40,0); } /* ICMP codes defined in "man 4 icmp". These are used by PF Num Abbrev. 
Type Description 0 net-unr unreach Network unreachable 1 host-unr unreach Host unreachable 2 proto-unr unreach Protocol unreachable 3 port-unr unreach Port unreachable 4 needfrag unreach Fragmentation needed but DF bit set 5 srcfail unreach Source routing failed 6 net-unk unreach Network unknown 7 host-unk unreach Host unknown 8 isolate unreach Host isolated 9 net-prohib unreach Network administratively prohibited 10 host-prohib unreach Host administratively prohibited 11 net-tos unreach Invalid TOS for network 12 host-tos unreach Invalid TOS for host 13 filter-prohib unreach Prohibited access 14 host-preced unreach Precedence violation 15 cutoff-preced unreac Precedence cutoff 0 redir-net redir Shorter route for network 1 redir-host redir Shorter route for host 2 redir-tos-net redir Shorter route for TOS and network 3 redir-tos-host redir Shorter route for TOS and host 0 normal-adv routeradv Normal advertisement 16 common-adv routeradv Selective advertisement 0 transit timex Time exceeded in transit 1 reassemb timex Time exceeded in reassembly 0 badhead paramprob Invalid option pointer 1 optmiss paramprob Missing option 2 badlen paramprob Invalid length 1 unknown-ind photuris Unknown security index 2 auth-fail photuris Authentication failed 3 decrypt-fail photuris Decryption failed */ if (icmp_code_names.size() == 0) { icmp_code_names["net-unr"] = 0; icmp_code_names["host-unr"] = 1; icmp_code_names["proto-unr"] = 2; icmp_code_names["port-unr"] = 3; icmp_code_names["needfrag"] = 4; icmp_code_names["srcfail"] = 5; icmp_code_names["net-unk"] = 6; icmp_code_names["host-unk"] = 7; icmp_code_names["isolate"] = 8; icmp_code_names["net-prohib"] = 9; icmp_code_names["host-prohib"] = 10; icmp_code_names["net-tos"] = 11; icmp_code_names["host-tos"] = 12; icmp_code_names["filter-prohib"] = 13; icmp_code_names["host-preced"] = 14; icmp_code_names["cutoff-preced"] = 15; icmp_code_names["redir-net"] = 0; icmp_code_names["redir-host"] = 1; icmp_code_names["redir-tos-net"] = 2; 
icmp_code_names["redir-tos-host"] = 3; icmp_code_names["normal-adv"] = 0; icmp_code_names["common-adv"] = 16; icmp_code_names["transit"] = 0; icmp_code_names["reassemb"] = 1; icmp_code_names["badhead"] = 0; icmp_code_names["optmiss"] = 1; icmp_code_names["badlen"] = 2; icmp_code_names["unknown-ind"] = 1; icmp_code_names["auth-fail"] = 2; icmp_code_names["decrypt-fail"] = 3; } } ObjectSignature::ObjectSignature(const ObjectSignature &other) : libfwbuilder::Dispatch(other) { error_tracker = other.error_tracker; type_name = other.type_name; object_name = other.object_name; address = other.address; netmask = other.netmask; address_range_start = other.address_range_start; address_range_end = other.address_range_end; dns_name = other.dns_name; address_table_name = other.address_table_name; parent_interface_name = other.parent_interface_name; protocol = other.protocol; fragments = other.fragments; short_fragments = other.short_fragments; any_opt = other.any_opt; dscp = other.dscp; tos = other.tos; lsrr = other.lsrr; ssrr = other.ssrr; rr = other.rr; ts = other.ts; rtralt = other.rtralt; rtralt_value = other.rtralt_value; icmp_type = other.icmp_type; icmp_code = other.icmp_code; src_port_range_start = other.src_port_range_start; src_port_range_end = other.src_port_range_end; dst_port_range_start = other.dst_port_range_start; dst_port_range_end = other.dst_port_range_end; established = other.established; flags_mask = other.flags_mask; flags_comp = other.flags_comp; platform = other.platform; protocol_name = other.protocol_name; code = other.code; tag = other.tag; user_id = other.user_id; } void ObjectSignature::setAddress(const QString &s) { address = s; } void ObjectSignature::setAddressRangeStart(const QString &s) { address_range_start = s; } void ObjectSignature::setAddressRangeEnd(const QString &s) { address_range_end = s; } void ObjectSignature::setNetmask(const QString &netm, bool inverted_netmask) { InetAddr inetaddr_nm; try { inetaddr_nm = 
InetAddr(netm.toStdString()); if (inverted_netmask) inetaddr_nm = ~inetaddr_nm; } catch (FWException &ex) { if (netm.contains('.')) { // netmask has '.' in it but conversion failed. // throw ObjectMakerException( error_tracker->registerError( QString("Error converting netmask '%1'").arg(netm)); } else { // no dot in netmask, perhaps it is specified by its length? // If netmask is specified by length, need to use special // constructor for class Netmask to convert bool ok = false; int nm_len = netm.toInt(&ok); if (ok) { inetaddr_nm = InetAddr(nm_len); } else { // could not convert netmask as simple integer // throw ObjectMakerException( error_tracker->registerError( QString("Error converting netmask '%1'").arg(netm)); } } } netmask = inetaddr_nm.toString().c_str(); } void ObjectSignature::setProtocol(const QString &s) { // this assumes protocol is represented by a number bool ok = false; protocol = QString(s).toInt(&ok); if ( ! ok) { // could not convert protocol number protocol = GetProtoByName::getProtocolByName(s); if (protocol == -1) { protocol = 0; error_tracker->registerError( QString("Protocol '%1' is unknown").arg(s)); } } } void ObjectSignature::setIcmpFromName(const QString &s) { if (icmp_names.count(s) > 0) { QPair p = icmp_names[s]; icmp_type = p.first; icmp_code = p.second; } else error_tracker->registerError( QString("ICMP type name '%1' is unknown").arg(s)); } void ObjectSignature::setIcmpCodeFromName(const QString &s) { if (icmp_code_names.count(s) > 0) { icmp_code = icmp_code_names[s]; } else error_tracker->registerError( QString("ICMP code name '%1' is unknown").arg(s)); } void ObjectSignature::setIcmpType(const QString &s) { if (s.isEmpty()) icmp_type = -1; else { bool ok = false; icmp_type = s.toInt(&ok); if (!ok) { // could not convert icmp_type = -1; error_tracker->registerError( QString("ICMP type '%1' is unusable").arg(s)); } } } void ObjectSignature::setIcmpCode(const QString &s) { if (s.isEmpty()) icmp_code = -1; else { bool ok = false; 
icmp_code = s.toInt(&ok); if (!ok) { // could not convert icmp_code = -1; error_tracker->registerError( QString("ICMP code '%1' is unusable").arg(s)); } } } int ObjectSignature::portFromString(const QString &port_spec, const QString &proto, int default_port) { QString ps = port_spec.trimmed(); if (ps == "") return 0; if (ps == ":") return default_port; int port = GetServByName::getPortByName(ps, proto); if (port == -1) { error_tracker->registerError( QString("%1 port name '%2' is unknown").arg(proto).arg(ps)); port = 0; } return port; } void ObjectSignature::setSrcPortRange(const QString &range_start_spec, const QString &range_end_spec, const QString &proto) { src_port_range_start = portFromString(range_start_spec, proto, 0); src_port_range_end = portFromString(range_end_spec, proto, 65535); } void ObjectSignature::setDstPortRange(const QString &range_start_spec, const QString &range_end_spec, const QString &proto) { dst_port_range_start = portFromString(range_start_spec, proto, 0); dst_port_range_end = portFromString(range_end_spec, proto, 65535); } /* * Sets source port range from cisco-like port operation: * * eq www * gt smtp * lt 1024 * range 10000 10010 * * @port_op is operation ("lt", "gt", "eq", "range") * @port_spec is port number of service name * @proto is protocol name used for GetServByName::GetPortByName() */ void ObjectSignature::setSrcPortRangeFromPortOpForCisco(const QString &port_op, const QString &port_spec, const QString &proto) { QString portop = port_op.trimmed(); QString portspec = port_spec.trimmed(); src_port_range_start = 0; src_port_range_end = 0; QString range_start; QString range_end; QStringList sl = portspec.split(" "); if (sl.size() > 1) { range_start = sl[0]; range_end = sl[1]; } else { range_start = portspec; range_end = portspec; } src_port_range_start = portFromString(range_start, proto, 0); src_port_range_end = portFromString(range_end, proto, 65535); if (portop == "lt") src_port_range_start = 0; if (portop=="gt") 
src_port_range_end = 65535; if (portop=="eq") { src_port_range_start = src_port_range_end; } if (portop=="range") { // range_start and range_end have been set ; } if ( ! port_range_inclusive) { if (portop == "lt") src_port_range_end--; if (portop == "gt") src_port_range_start++; } } void ObjectSignature::setDstPortRangeFromPortOpForCisco(const QString &port_op, const QString &port_spec, const QString &proto) { QString portop = port_op.trimmed(); QString portspec = port_spec.trimmed(); dst_port_range_start = 0; dst_port_range_end = 0; QString range_start; QString range_end; QStringList sl = portspec.split(" "); if (sl.size() > 1) { range_start = sl[0]; range_end = sl[1]; } else { range_start = portspec; range_end = portspec; } dst_port_range_start = portFromString(range_start, proto, 0); dst_port_range_end = portFromString(range_end, proto, 65535); if (portop == "lt") dst_port_range_start = 0; if (portop=="gt") dst_port_range_end = 65535; if (portop=="eq") { dst_port_range_start = dst_port_range_end; } if (portop=="range") { // range_start and range_end have been set ; } if ( ! 
port_range_inclusive) { if (portop == "lt") dst_port_range_end--; if (portop == "gt") dst_port_range_start++; } } void ObjectSignature::setSrcPortRangeFromPortOpForPF(const QString &port_op, const QString &port1, const QString &port2, const QString &proto) { QString portop = port_op.trimmed(); src_port_range_start = 0; src_port_range_end = 0; QString range_start = port1; QString range_end = port2; src_port_range_start = portFromString(range_start, proto, 0); src_port_range_end = portFromString(range_end, proto, 65535); if (portop == "<") { src_port_range_start = 0; src_port_range_end--; } if (portop == "<=") { src_port_range_start = 0; } if (portop == ">") { src_port_range_start++; src_port_range_end = 65535; } if (portop == ">=") { src_port_range_end = 65535; } if (portop == "=") { src_port_range_start = src_port_range_end; } if (portop==":") { // range_start and range_end have been set ; } if (portop == "><") { src_port_range_end--; src_port_range_start++; } } void ObjectSignature::setDstPortRangeFromPortOpForPF(const QString &port_op, const QString &port1, const QString &port2, const QString &proto) { QString portop = port_op.trimmed(); dst_port_range_start = 0; dst_port_range_end = 0; QString range_start = port1; QString range_end = port2; dst_port_range_start = portFromString(range_start, proto, 0); dst_port_range_end = portFromString(range_end, proto, 65535); if (portop == "<") { dst_port_range_start = 0; dst_port_range_end--; } if (portop == "<=") { dst_port_range_start = 0; } if (portop == ">") { dst_port_range_start++; dst_port_range_end = 65535; } if (portop == ">=") { dst_port_range_end = 65535; } if (portop == "=") { dst_port_range_start = dst_port_range_end; } if (portop==":") { // range_start and range_end have been set ; } if (portop == "><") { dst_port_range_end--; dst_port_range_start++; } } QString ObjectSignature::toString() const { QStringList sig; sig << type_name; if ( ! 
object_name.isEmpty()) sig << object_name; if (type_name == IPv4::TYPENAME || type_name == IPv6::TYPENAME || type_name == Network::TYPENAME || type_name == NetworkIPv6::TYPENAME || type_name == Address::TYPENAME) sig << address << netmask; if (type_name == AddressRange::TYPENAME) sig << address_range_start << address_range_end; if (type_name == AttachedNetworks::TYPENAME) sig << parent_interface_name; if (type_name == DNSName::TYPENAME) sig << dns_name; if (type_name == AddressTable::TYPENAME) sig << address_table_name; if (type_name == CustomService::TYPENAME) sig << platform << code << protocol_name; if (type_name == ICMPService::TYPENAME || type_name == ICMP6Service::TYPENAME) sig << icmp_type << icmp_code; if (type_name == IPService::TYPENAME) sig << protocol << fragments << short_fragments << any_opt << dscp << tos << lsrr << ssrr << rr << ts << rtralt << rtralt_value; if (type_name == TCPService::TYPENAME) sig << src_port_range_start << src_port_range_end << dst_port_range_start << dst_port_range_end << established << flags_mask << flags_comp; if (type_name == UDPService::TYPENAME) sig << src_port_range_start << src_port_range_end << dst_port_range_start << dst_port_range_end; if (type_name == TagService::TYPENAME) sig << tag; if (type_name == ServiceGroup::TYPENAME || type_name == ObjectGroup::TYPENAME) sig << group_children_ids; if (type_name == UserService::TYPENAME) sig << protocol_name << user_id; return sig.join("||"); } void* ObjectSignature::dispatch(Network *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); address = obj->getAddressPtr()->toString().c_str(); netmask = obj->getNetmaskPtr()->toString().c_str(); return this; } void* ObjectSignature::dispatch(NetworkIPv6 *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); address = obj->getAddressPtr()->toString().c_str(); netmask = obj->getNetmaskPtr()->toString().c_str(); return 
this; } void* ObjectSignature::dispatch(IPv4 *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); address = obj->getAddressPtr()->toString().c_str(); netmask = InetAddr::getAllOnes().toString().c_str(); return this; } void* ObjectSignature::dispatch(IPv6 *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); address = obj->getAddressPtr()->toString().c_str(); netmask = InetAddr::getAllOnes(AF_INET6).toString().c_str(); return this; } void* ObjectSignature::dispatch(AddressRange *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); address_range_start = obj->getRangeStart().toString().c_str(); address_range_end = obj->getRangeEnd().toString().c_str(); return this; } /* * Note that we do not track "compile time" / "run time" attribute of * the object because on import, only "run time" make sense */ void* ObjectSignature::dispatch(AddressTable *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); address_table_name = QString::fromUtf8(obj->getSourceName().c_str()); return this; } /* * TODO: implement signature for DynamicGroup object so we can deduplicate them */ void* ObjectSignature::dispatch(DynamicGroup *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); return this; } void* ObjectSignature::dispatch(physAddress *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); address = obj->getPhysAddress().c_str(); return this; } void* ObjectSignature::dispatch(IPService *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); protocol = obj->getProtocolNumber(); fragments = obj->getBool("fragm"); short_fragments = obj->getBool("short_fragm"); any_opt = 
obj->getBool("any_opt"); dscp = obj->getStr("dscp").c_str(); tos = obj->getStr("tos").c_str(); lsrr = obj->getBool("lsrr"); ssrr = obj->getBool("ssrr"); rr = obj->getBool("rr"); ts = obj->getBool("ts"); rtralt = obj->getBool("rtralt"); rtralt_value = obj->getBool("rtralt_value"); return this; } void* ObjectSignature::dispatch(ICMPService *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); icmp_type = obj->getInt("type"); icmp_code = obj->getInt("code"); return this; } void* ObjectSignature::dispatch(ICMP6Service *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); icmp_type = obj->getInt("type"); icmp_code = obj->getInt("code"); return this; } void* ObjectSignature::dispatch(TCPService *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); src_port_range_start = obj->getSrcRangeStart(); src_port_range_end = obj->getSrcRangeEnd(); dst_port_range_start = obj->getDstRangeStart(); dst_port_range_end = obj->getDstRangeEnd(); established = obj->getEstablished(); set flags = obj->getAllTCPFlags(); set::iterator it; for (it=flags.begin(); it!=flags.end(); ++it) flags_comp << *it; flags = obj->getAllTCPFlagMasks(); for (it=flags.begin(); it!=flags.end(); ++it) flags_mask << *it; qSort(flags_comp); qSort(flags_mask); return this; } void* ObjectSignature::dispatch(UDPService *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); src_port_range_start = obj->getSrcRangeStart(); src_port_range_end = obj->getSrcRangeEnd(); dst_port_range_start = obj->getDstRangeStart(); dst_port_range_end = obj->getDstRangeEnd(); return this; } void* ObjectSignature::dispatch(CustomService *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); platform = ""; code = ""; list platforms = 
obj->getAllKnownPlatforms(); foreach(std::string pl, platforms) { platform += pl.c_str(); code += obj->getCodeForPlatform(pl).c_str(); } protocol_name = obj->getProtocol().c_str(); return this; } void* ObjectSignature::dispatch(TagService *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); tag = obj->getStr("tagcode").c_str(); return this; } /* * Note that we do not track "compile time" / "run time" attribute of * the object because on import, only "run time" make sense */ void* ObjectSignature::dispatch(DNSName *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); dns_name = obj->getSourceName().c_str(); return this; } void* ObjectSignature::dispatch(UserService *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); protocol_name = obj->getProtocolName().c_str(); user_id = obj->getUserId().c_str(); return this; } void* ObjectSignature::dispatch(AttachedNetworks *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); parent_interface_name = obj->getSourceName().c_str(); return this; } void* ObjectSignature::dispatch(ServiceGroup *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); for(FWObject::iterator it=obj->begin(); it!=obj->end(); ++it) { FWObject *c = FWReference::getObject(*it); group_children_ids << c->getId(); } return this; } void* ObjectSignature::dispatch(ObjectGroup *obj, void*) { object_name = QString::fromUtf8(obj->getName().c_str()); type_name = obj->getTypeName().c_str(); for(FWObject::iterator it=obj->begin(); it!=obj->end(); ++it) { FWObject *c = FWReference::getObject(*it); group_children_ids << c->getId(); } return this; } fwbuilder-5.3.7/src/import/objectSignature.h000066400000000000000000000145711303637203600211260ustar00rootroot00000000000000/* Firewall 
Builder

                 Copyright (C) 2011 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General
  Public License. You may redistribute and/or modify this program under
  the terms of that license as published by the Free Software Foundation;
  either version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
  Public License for more details.

  To get a copy of the GNU General Public License, write to the Free
  Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
  02111-1307 USA
*/

#ifndef _OBJECT_SIGNATURE_H_
#define _OBJECT_SIGNATURE_H_

#include "fwbuilder/FWObject.h"
#include "fwbuilder/Dispatch.h"

// NOTE(review): the four system #include lines below lost their <...>
// arguments in extraction (presumably the Qt headers providing QString,
// QMap, QPair and QList); restore them from the upstream file.
#include
#include
#include
#include

namespace libfwbuilder
{
    class AddressRange;
    class AttachedNetworks;
    class Cluster;
    class CustomService;
    class Firewall;
    class Host;
    class ICMPService;
    class IPService;
    class IPv4;
    class IPv6;
    class Interface;
    class Library;
    class Network;
    class NetworkIPv6;
    class ObjectGroup;
    class ServiceGroup;
    class TCPService;
    class TagService;
    class UDPService;
    class physAddress;
    class UserService;
    class DynamicGroup;
};

class ObjectMakerErrorTracker;

/*
 * ObjectSignature collects the attributes of one address or service
 * object that matter for de-duplication on import. It is filled either
 * from an existing object (the dispatch() overloads below, driven by
 * ObjectMaker::prepareForDeduplication()) or from strings parsed out of
 * an imported config (the set*() methods). toString() then joins
 * type_name, object_name (when present) and the type-specific fields
 * with "||" into the key used by ObjectMaker's named and anonymous
 * object registries; the anonymous registry clears object_name first,
 * so the same key doubles as a content-only identity.
 *
 * The setters never throw. Unknown protocol, ICMP or port names and
 * unconvertible netmasks are reported through error_tracker and a
 * fallback value is left in place (protocol 0, ICMP type/code -1,
 * port 0). Callers that build signatures from config text should check
 * error_tracker->hasErrors() before trusting the resulting object.
 */
class ObjectSignature : public libfwbuilder::Dispatch
{
    // Platform ICMP type names -> (type, code); a code of -1 means "any
    // code" (e.g. "unreachable" -> (3, -1)). Filled once, on the first
    // constructor call, with the Cisco IOS, ASA 8.3, iptables and OpenBSD
    // spellings. All platforms share this one map, so a name that appears
    // in more than one table keeps whichever value was written last
    // (e.g. "time-exceeded" is (11, -1) in the ASA table but ends up as
    // (11, 0) from the iptables table), which can change the meaning of
    // an imported rule relative to the platform it came from.
    // NOTE(review): the template arguments of this and the next three
    // QMap/QList declarations appear to have been lost in extraction;
    // verify against the upstream header.
    static QMap > icmp_names;
    // OpenBSD/PF ICMP code names ("net-unr", "redir-host", ...) -> code.
    static QMap icmp_code_names;

public:
    ObjectSignature(ObjectMakerErrorTracker *error_tracker);
    // NOTE(review): the copy constructor in objectSignature.cpp copies
    // every attribute except port_range_inclusive and group_children_ids,
    // so a copied group signature loses its member list and the copied
    // port_range_inclusive flag is left uninitialized.
    ObjectSignature(const ObjectSignature &other);

    // Receives registerError() calls from the setters; never owned here.
    ObjectMakerErrorTracker *error_tracker;

    // true by default. When false, the Cisco "lt"/"gt" handlers shrink
    // the range by one on the open end (the PF "<", ">" and "><" handlers
    // always do).
    bool port_range_inclusive;

    // FWObject type name and UTF-8 decoded object name.
    QString type_name;
    QString object_name;

    // for address-like objects
    // address/netmask are dotted or colon strings; for IPv4/IPv6 single
    // addresses the netmask is the all-ones mask. dns_name,
    // address_table_name and parent_interface_name come from the
    // object's source name.
    QString address;
    QString netmask;
    QString address_range_start;
    QString address_range_end;
    QString dns_name;
    QString address_table_name;
    QString parent_interface_name;

    // for IP service
    int protocol;
    bool fragments;
    bool short_fragments;
    bool any_opt;
    QString dscp;
    QString tos;
    bool lsrr;
    bool ssrr;
    bool rr;
    bool ts;
    bool rtralt;
    bool rtralt_value;

    // for ICMP service; -1 means "not specified / any"
    int icmp_type;
    int icmp_code;

    // for tcp and udp
    int src_port_range_start;
    int src_port_range_end;
    int dst_port_range_start;
    int dst_port_range_end;

    // tcp only
    bool established;
    // TCP flag masks and values, sorted so the key is order independent
    QList flags_mask;
    QList flags_comp;

    // custom service: platform names and their code strings concatenated
    // over all known platforms; protocol_name is also used by UserService
    QString platform;
    QString protocol_name;
    QString code;

    // tag service
    QString tag;

    // ObjectGroup / ServiceGroup: ids of the referenced member objects,
    // in child order (not sorted)
    QList group_children_ids;

    // UserService
    QString user_id;

    // convenience methods that populate various attributes from
    // strings taken from imported configs
    void setAddress(const QString &s);
    // Accepts a dotted mask or a prefix length. With inverted_netmask the
    // parsed mask is bitwise-inverted before use. Conversion failures are
    // registered on error_tracker.
    void setNetmask(const QString &s, bool inverted_netmask=false);
    void setAddressRangeStart(const QString &s);
    void setAddressRangeEnd(const QString &s);
    // Numeric protocol, or a name resolved via GetProtoByName; unknown
    // names register an error and leave protocol = 0.
    void setProtocol(const QString &s);

    // set icmp type from string (icmp_names lookup; sets type and code)
    void setIcmpFromName(const QString &s);
    // set icmp code from string (icmp_code_names lookup)
    void setIcmpCodeFromName(const QString &s);
    // set icmp type from string that reads a number; empty -> -1
    void setIcmpType(const QString &s);
    // set icmp code from string that reads a number; empty -> -1
    void setIcmpCode(const QString &s);

    // Empty spec -> 0, ":" -> default_port, otherwise the port for a
    // number or service name via GetServByName; unknown names register
    // an error and return 0.
    int portFromString(const QString &port_spec,
                       const QString &proto, int default_port);

    void setSrcPortRange(const QString &range_start_spec,
                         const QString &range_end_spec,
                         const QString &proto);
    void setDstPortRange(const QString &range_start_spec,
                         const QString &range_end_spec,
                         const QString &proto);

    // port_op is one of "lt", "gt", "eq", "range"; for "range" port_spec
    // holds "start end" separated by a space.
    void setSrcPortRangeFromPortOpForCisco(const QString &port_op,
                                           const QString &port_spec,
                                           const QString &proto);
    void setDstPortRangeFromPortOpForCisco(const QString &port_op,
                                           const QString &port_spec,
                                           const QString &proto);

    // port_op is one of "<", "<=", ">", ">=", "=", ":", "><"; "<" and
    // "><" exclude the end port, ">" and "><" exclude the start port.
    void setSrcPortRangeFromPortOpForPF(const QString &port_op,
                                        const QString &port1,
                                        const QString &port2,
                                        const QString &proto);
    void setDstPortRangeFromPortOpForPF(const QString &port_op,
                                        const QString &port1,
                                        const QString &port2,
                                        const QString &proto);

    // "||"-joined key of type_name, object_name and the type-specific
    // fields above
    QString toString() const;

    // The following methods build signature from given object taking
    // into account its type. Each fills object_name, type_name and the
    // fields relevant for that type and returns this.
    // dispatch(DynamicGroup*) records only name and type (see the TODO
    // in objectSignature.cpp), so DynamicGroup keys ignore group content.
    virtual void* dispatch(libfwbuilder::Network*, void*);
    virtual void* dispatch(libfwbuilder::NetworkIPv6*, void*);
    virtual void* dispatch(libfwbuilder::IPv4*, void*);
    virtual void* dispatch(libfwbuilder::IPv6*, void*);
    virtual void* dispatch(libfwbuilder::AddressRange*, void*);
    virtual void* dispatch(libfwbuilder::AddressTable*, void*);
    virtual void* dispatch(libfwbuilder::physAddress*, void*);
    virtual void* dispatch(libfwbuilder::IPService*, void*);
    virtual void* dispatch(libfwbuilder::ICMPService*, void*);
    virtual void* dispatch(libfwbuilder::ICMP6Service*, void*);
    virtual void* dispatch(libfwbuilder::TCPService*, void*);
    virtual void* dispatch(libfwbuilder::UDPService*, void*);
    virtual void* dispatch(libfwbuilder::CustomService*, void*);
    virtual void* dispatch(libfwbuilder::TagService*, void*);
    virtual void* dispatch(libfwbuilder::DNSName*, void*);
    virtual void* dispatch(libfwbuilder::ObjectGroup*, void*);
    virtual void* dispatch(libfwbuilder::ServiceGroup*, void*);
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Woverloaded-virtual"
    virtual void* dispatch(libfwbuilder::AttachedNetworks*, void*);
#pragma GCC diagnostic pop
    virtual void* dispatch(libfwbuilder::UserService*, void*);
    virtual void* dispatch(libfwbuilder::DynamicGroup*, void*);
};

#endif
fwbuilder-5.3.7/src/import/serviceObjectMaker.cpp000066400000000000000000000232611303637203600220740ustar00rootroot00000000000000
/*

                          Firewall Builder

                 Copyright (C) 2011 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General
  Public License. You may redistribute and/or modify this program under
  the terms of that license as published by the Free Software Foundation;
  either version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "serviceObjectMaker.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Library.h" #include "fwbuilder/ObjectMirror.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" // TODO: FWBTree needs to be refactored into an independent module #include "../libgui/FWBTree.h" #include "QStringListOperators.h" #include #include extern int fwbdebug; using namespace libfwbuilder; using namespace std; ServiceObjectMaker::ServiceObjectMaker(Library *l, ObjectMakerErrorTracker *et) : ObjectMaker(l, et) { custom_service_code_tracker = 0; tcp_flag_names[libfwbuilder::TCPService::URG] = "u"; tcp_flag_names[libfwbuilder::TCPService::ACK] = "a"; tcp_flag_names[libfwbuilder::TCPService::PSH] = "p"; tcp_flag_names[libfwbuilder::TCPService::RST] = "r"; tcp_flag_names[libfwbuilder::TCPService::SYN] = "s"; tcp_flag_names[libfwbuilder::TCPService::FIN] = "f"; tcp_flag_names[98]="N"; // NONE tcp_flag_names[99]="A"; // ALL // some "built-in" objects ObjectSignature sig(error_tracker); sig.type_name = IPService::TYPENAME; sig.protocol = 0; sig.fragments = false; registerAnonymousObject(sig, NULL); // "any" } ServiceObjectMaker::~ServiceObjectMaker() {} void ServiceObjectMaker::clear() { ObjectMaker::clear(); } FWObject* ServiceObjectMaker::createObject(ObjectSignature &sig) { assert( ! 
sig.type_name.isEmpty()); FWObject *obj = findMatchingObject(sig); // qDebug() << "Create object " << sig.toString() << " obj=" << obj; if (obj) return obj; if (sig.type_name == CustomService::TYPENAME) obj = getCustomService(sig.platform, sig.code, sig.protocol_name); if (sig.type_name == IPService::TYPENAME) { QString name; if (sig.protocol > 0) name = QString("ip-%1").arg(sig.protocol); else name = "ip"; if (sig.fragments) name += "-fragm"; obj = ObjectMaker::createObject(IPService::TYPENAME, name.toStdString()); obj->setInt("protocol_num", sig.protocol); obj->setBool("fragm", sig.fragments); obj->setBool("short_fragm", sig.short_fragments); obj->setBool("any_opt", sig.any_opt); obj->setStr("dscp", sig.dscp.toStdString()); obj->setStr("tos", sig.tos.toStdString()); obj->setBool("lsrr", sig.lsrr); obj->setBool("ssrr", sig.ssrr); obj->setBool("rr", sig.rr); obj->setBool("ts", sig.ts); obj->setBool("rtralt", sig.rtralt); obj->setBool("rtralt_value", sig.rtralt_value); } if (sig.type_name == ICMPService::TYPENAME) { QString name = QString("icmp %1/%2").arg(sig.icmp_type).arg(sig.icmp_code); obj = ObjectMaker::createObject(ICMPService::TYPENAME, name.toStdString()); obj->setInt("type", sig.icmp_type); obj->setInt("code", sig.icmp_code); } if (sig.type_name == TCPService::TYPENAME) obj = getTCPService(sig.src_port_range_start, sig.src_port_range_end, sig.dst_port_range_start, sig.dst_port_range_end, sig.established, sig.flags_mask, sig.flags_comp); if (sig.type_name == UDPService::TYPENAME) obj = getUDPService(sig.src_port_range_start, sig.src_port_range_end, sig.dst_port_range_start, sig.dst_port_range_end); if (sig.type_name == TagService::TYPENAME) obj = getTagService(sig.tag); if ( ! 
sig.object_name.isEmpty()) { obj->setName(sig.object_name.toUtf8().constData()); registerNamedObject(sig, obj); } else registerAnonymousObject(sig, obj); return obj; } FWObject* ServiceObjectMaker::getCustomService(const QString &platform, const QString &code, const QString &protocol) { QString custom_service_name_sig = platform + "-" + code; if (custom_service_codes.count(custom_service_name_sig) > 0) custom_service_code_tracker++; QStringList name; name << "cust-" << custom_service_code_tracker; if ( ! protocol.isEmpty()) name << "-" << protocol; CustomService *s = CustomService::cast( ObjectMaker::createObject(CustomService::TYPENAME, name.join("").toStdString())); if (!protocol.isEmpty()) s->setProtocol(protocol.toStdString()); s->setCodeForPlatform(platform.toStdString(), code.toStdString()); return s; } FWObject* ServiceObjectMaker::getTCPService(int srs, int sre, int drs, int dre, bool established, QList &flags_mask, QList &flags_comp) { QStringList nl; nl << QString("tcp %1:%2 / %3:%4").arg(srs).arg(sre).arg(drs).arg(dre); if (established) nl << "est"; if (!flags_mask.isEmpty() || !flags_comp.isEmpty()) { QStringList f; foreach(int x, flags_comp) f << tcp_flag_names[x]; f << "/"; foreach(int x, flags_mask) f << tcp_flag_names[x]; nl << f.join(""); } TCPService* s = TCPService::cast( ObjectMaker::createObject(TCPService::TYPENAME, nl.join(" ").toStdString())); s->setSrcRangeStart(srs); s->setSrcRangeEnd(sre); s->setDstRangeStart(drs); s->setDstRangeEnd(dre); if (!flags_mask.isEmpty() || !flags_comp.isEmpty()) { // TCP flags foreach(int x, flags_mask) { switch (x) { case 99: // ALL s->setAllTCPFlagMasks(); break; case 98: // NONE s->clearAllTCPFlagMasks(); break; default: s->setTCPFlagMask( TCPService::TCPFlag(x), true); } } foreach(int x, flags_comp) { switch (x) { case 99: // ALL s->setTCPFlag( TCPService::URG, true); s->setTCPFlag( TCPService::ACK, true); s->setTCPFlag( TCPService::PSH, true); s->setTCPFlag( TCPService::RST, true); s->setTCPFlag( 
TCPService::SYN, true); s->setTCPFlag( TCPService::FIN, true); break; case 98: // NONE s->clearAllTCPFlags(); break; default: s->setTCPFlag( TCPService::TCPFlag(x), true); } } } s->setEstablished(established); return s; } FWObject* ServiceObjectMaker::getUDPService(int srs, int sre, int drs, int dre) { QString name = QString("udp %1:%2 / %3:%4") .arg(srs).arg(sre).arg(drs).arg(dre); UDPService* s = UDPService::cast( ObjectMaker::createObject(UDPService::TYPENAME, name.toStdString())); s->setSrcRangeStart(srs); s->setSrcRangeEnd(sre); s->setDstRangeStart(drs); s->setDstRangeEnd(dre); return s; } FWObject* ServiceObjectMaker::getTagService(const QString &tagcode) { TagService *s = NULL; QString name = QString("tag-%1").arg(tagcode); s = TagService::cast( ObjectMaker::createObject(TagService::TYPENAME, name.toStdString())); assert(s!=NULL); s->setCode(tagcode.toStdString()); return s; } FWObject* ServiceObjectMaker::getMirroredServiceObject(FWObject *obj) { string new_name = obj->getName() + "-mirror"; QString qs_new_name = QString::fromUtf8(new_name.c_str()); FWObject *new_obj = NULL; if (TCPService::isA(obj) || UDPService::isA(obj)) { ObjectMirror mirror; new_obj = mirror.getMirroredService(Service::cast(obj)); if (new_obj!=NULL) { if (TCPService::isA(new_obj)) TCPService::cast(new_obj)->setEstablished(false); ObjectSignature sig(error_tracker); new_obj->dispatch(&sig, (void*)(NULL)); sig.object_name = ""; FWObject *matching_obj = findMatchingObject(sig); if (matching_obj) { delete new_obj; return matching_obj; } registerAnonymousObject(sig, new_obj); new_obj->setName(new_name); // obj may belong to the standard objects library if it was // deduplicated before FWObject *parent = obj->getParent(); if (parent->isReadOnly()) { FWBTree tree ; FWObject *slot = tree.getStandardSlotForObject( library, new_obj->getTypeName().c_str()); slot->add(new_obj); } else parent->add(new_obj); } } return new_obj; } 
fwbuilder-5.3.7/src/import/serviceObjectMaker.h000066400000000000000000000043411303637203600215370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _SERVICE_OBJECT_MAKER_H_ #define _SERVICE_OBJECT_MAKER_H_ #include "objectMaker.h" class ServiceObjectMaker : public ObjectMaker { int custom_service_code_tracker; std::map custom_service_codes; std::map tcp_flag_names; public: ServiceObjectMaker(libfwbuilder::Library *l, ObjectMakerErrorTracker *et); virtual ~ServiceObjectMaker(); virtual void clear(); virtual libfwbuilder::FWObject* createObject(ObjectSignature &sig); libfwbuilder::FWObject* getMirroredServiceObject(libfwbuilder::FWObject *obj); protected: virtual libfwbuilder::FWObject* getCustomService(const QString &platform, const QString &code, const QString &protocol); virtual libfwbuilder::FWObject* getTCPService(int srs, int sre, int drs, int dre, bool established, QList &flags_mask, QList &flags_comp); virtual libfwbuilder::FWObject* getUDPService(int srs, int sre, int drs, int dre); virtual libfwbuilder::FWObject* getTagService(const QString &tagcode); }; #endif 
fwbuilder-5.3.7/src/iosacl/000077500000000000000000000000001303637203600155555ustar00rootroot00000000000000fwbuilder-5.3.7/src/iosacl/iosacl.cpp000066400000000000000000000112401303637203600175310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #ifdef _WIN32 # include #else # include #endif #include #include #include #include #include #include #include #include "CompilerDriver_iosacl.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Tools.h" #include "fwbuilder/Constants.h" #include #include #include #include "../common/init.cpp" using namespace std; using namespace libfwbuilder; using namespace fwcompiler; FWObjectDatabase *objdb = NULL; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string &msg) const { msg.size(); // to make compiler happy about unused parameter cout << "Data file has been created in the old version of Firewall Builder.\nLoad it in the GUI to convert it to the new version." 
<< endl; return false; } }; void usage(const char *name) { cout << "Firewall Builder: policy compiler for Cisco IOS ACL" << endl; cout << "Copyright 2007-2009 NetCitadel, LLC" << endl; cout << "Version " << VERSION << endl; cout << "Usage: " << name << " [-tvV] [-f filename.xml] [-d destdir] [-o output.fw] firewall_object_name" << endl; } int main(int argc, char **argv) { QApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); #endif QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); QStringList args = app.arguments(); if (args.size()<=1) { usage(argv[0]); exit(1); } QString last_arg; string filename; for (int idx=0; idx < args.size(); idx++) { QString arg = args.at(idx); last_arg = arg; if (arg == "-V") { usage(argv[0]); exit(0); } if (arg == "-f") { idx++; filename = string(args.at(idx).toLatin1().constData()); continue; } } if (filename.empty()) { usage(argv[0]); exit(1); } init(argv); try { new Resources(Constants::getResourcesFilePath()); /* create database */ objdb = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; cout << " *** Loading data ..."; objdb->setReadOnly( false ); objdb->load( filename, &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(filename); objdb->reIndex(); cout << " done\n"; FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID); if (slib && slib->isReadOnly()) slib->setReadOnly(false); CompilerDriver_iosacl *driver = new CompilerDriver_iosacl(objdb); if (!driver->prepare(args)) { usage(argv[0]); exit(1); } driver->compile(); //int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 
0 : 1; int ret = driver->getStatus(); delete driver; delete objdb; return ret; } catch(libfwbuilder::FWException &ex) { cerr << ex.toString() << endl; return 1; } catch (std::string s) { cerr << s << endl; return 1; } catch (std::exception ex) { cerr << "exception: " << ex.what() << endl; return 1; } catch (...) { cerr << "Unsupported exception"; return 1; } return 0; } fwbuilder-5.3.7/src/iosacl/iosacl.pro000066400000000000000000000016001303637203600175460ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) # # # PACKAGE = fwbuilder-iosacl-$$FWB_VERSION # # QMAKE_CXXFLAGS_DEBUG += -DPACKAGE="\"$$PACKAGE\"" # QMAKE_CXXFLAGS_RELEASE += -DPACKAGE="\"$$PACKAGE\"" greaterThan(QT_MAJOR_VERSION, 4): QT += widgets SOURCES = iosacl.cpp HEADERS = ../../config.h !win32 { QMAKE_COPY = ../../install.sh -m 0755 -s } win32:CONFIG += console INCLUDEPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \ LIBS += $$PRE_TARGETDEPS $$LIBS TARGET = fwb_iosacl fwbuilder-5.3.7/src/ipf/000077500000000000000000000000001303637203600150615ustar00rootroot00000000000000fwbuilder-5.3.7/src/ipf/ipf.cpp000066400000000000000000000121611303637203600163440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #ifdef HAVE_LOCALE_H #include #endif #include #include #include #include #include #ifndef _WIN32 # include # include #else # include # include # include #endif #include #include #include #include #include #include #include "CompilerDriver_ipf.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Constants.h" #include #include #include #include "../common/init.cpp" using namespace std; using namespace libfwbuilder; using namespace fwcompiler; int fwbdebug = 0; FWObjectDatabase *objdb = NULL; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string&) const { cout << "Data file has been created in the old version of "; cout << "Firewall Builder. Use fwbuilder GUI to convert it." 
<< endl; return false; } }; void usage(const char *name) { cout << "Firewall Builder: policy compiler for ipfilter" << endl; cout << "Version " << VERSION << endl; cout << "Usage: " << name << " [-x] [-v] [-V] [-f filename.xml] [-o output.fw] [-d destdir] [-m] firewall_object_name" << endl; } int main(int argc, char **argv) { QCoreApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); #endif QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); QStringList args = app.arguments(); if (args.size()<=1) { usage(argv[0]); exit(1); } QString last_arg; string filename; for (int idx=0; idx < args.size(); idx++) { QString arg = args.at(idx); last_arg = arg; if (arg == "-V") { usage(argv[0]); exit(0); } if (arg == "-f") { idx++; filename = string(args.at(idx).toLatin1().constData()); continue; } } if (filename.empty()) { usage(argv[0]); exit(1); } init(argv); try { new Resources(Constants::getResourcesFilePath()); /* create database */ objdb = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; cout << " *** Loading data ..."; objdb->setReadOnly( false ); objdb->load( Constants::getStandardObjectsFilePath(), &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(""); FWObjectDatabase *ndb = new FWObjectDatabase(); ndb->load(filename, &upgrade_predicate, Constants::getDTDDirectory()); objdb->merge(ndb, NULL); delete ndb; objdb->setFileName(filename); objdb->reIndex(); cout << " done\n"; FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID); if (slib && slib->isReadOnly()) slib->setReadOnly(false); CompilerDriver_ipf *driver = new CompilerDriver_ipf(objdb); if (!driver->prepare(args)) { usage(argv[0]); exit(1); } driver->compile(); //int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 
0 : 1; int ret = driver->getStatus(); delete driver; delete objdb; return ret; } catch(const FWException &ex) { cerr << ex.toString() << endl; return 1; #if __GNUC__ >= 3 /* need to check version because std::ios::failure does not seem to be * supported in gcc 2.9.5 on FreeBSD 4.10 */ } catch (const std::ios::failure &e) { cerr << "Error while opening or writing to the output file" << endl; return 1; #endif } catch (const std::string &s) { cerr << s; return 1; } catch (const std::exception &ex) { cerr << ex.what(); return 1; } catch (...) { cerr << "Unsupported exception"; return 1; } } fwbuilder-5.3.7/src/ipf/ipf.pro000066400000000000000000000013731303637203600163650ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) QT -= gui # greaterThan(QT_MAJOR_VERSION, 4): QT += widgets SOURCES = ipf.cpp HEADERS = ../../config.h !win32 { QMAKE_COPY = ../../install.sh -m 0755 -s } win32:CONFIG += console # unix { !macx: CONFIG -= qt } INCLUDEPATH += ../pflib ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../pflib ../compiler_lib ../libfwbuilder/src PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../pflib/$$BINARY_SUBDIR/libfwbpf.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \ LIBS += $$PRE_TARGETDEPS $$LIBS TARGET = fwb_ipf fwbuilder-5.3.7/src/ipfw/000077500000000000000000000000001303637203600152505ustar00rootroot00000000000000fwbuilder-5.3.7/src/ipfw/ipfw.cpp000066400000000000000000000120341303637203600167210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #ifdef HAVE_LOCALE_H #include #endif #include #include #include #include #include #ifndef _WIN32 # include # include #else # include # include # include #endif #include #include #include #include #include #include #include "CompilerDriver_ipfw.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Constants.h" #include #include #include #include "../common/init.cpp" using namespace std; using namespace libfwbuilder; using namespace fwcompiler; int fwbdebug = 0; FWObjectDatabase *objdb = NULL; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string&) const { cout << "Data file has been created in the old version of Firewall Builder. Use fwbuilder GUI to convert it." 
<< endl; return false; } }; void usage(const char *name) { cout << "Firewall Builder: policy compiler for ipfw" << endl; cout << "Version " << VERSION << endl; cout << "Usage: " << name << " [-x] [-v] [-V] [-f filename.xml] [-o output.fw] [-d destdir] [-m] firewall_object_name" << endl; } int main(int argc, char **argv) { QCoreApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); #endif QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); QStringList args = app.arguments(); if (args.size()<=1) { usage(argv[0]); exit(1); } QString last_arg; string filename; for (int idx=0; idx < args.size(); idx++) { QString arg = args.at(idx); last_arg = arg; if (arg == "-V") { usage(argv[0]); exit(0); } if (arg == "-f") { idx++; filename = string(args.at(idx).toLatin1().constData()); continue; } } if (filename.empty()) { usage(argv[0]); exit(1); } init(argv); try { new Resources(Constants::getResourcesFilePath()); /* create database */ objdb = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; cout << " *** Loading data ..."; objdb->setReadOnly( false ); objdb->load( Constants::getStandardObjectsFilePath(), &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(""); FWObjectDatabase *ndb = new FWObjectDatabase(); ndb->load(filename, &upgrade_predicate, Constants::getDTDDirectory()); objdb->merge(ndb, NULL); delete ndb; objdb->setFileName(filename); objdb->reIndex(); cout << " done\n"; FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID); if (slib && slib->isReadOnly()) slib->setReadOnly(false); CompilerDriver_ipfw *driver = new CompilerDriver_ipfw(objdb); if (!driver->prepare(args)) { usage(argv[0]); exit(1); } driver->compile(); //int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 
0 : 1; int ret = driver->getStatus(); delete driver; delete objdb; return ret; } catch(const FWException &ex) { cerr << ex.toString() << endl; return 1; #if __GNUC__ >= 3 /* need to check version because std::ios::failure does not seem to be * supported in gcc 2.9.5 on FreeBSD 4.10 */ } catch (const std::ios::failure &e) { cerr << "Error while opening or writing to the output file" << endl; return 1; #endif } catch (const std::string &s) { cerr << s; return 1; } catch (const std::exception &ex) { cerr << ex.what(); return 1; } catch (...) { cerr << "Unsupported exception"; return 1; } } fwbuilder-5.3.7/src/ipfw/ipfw.pro000066400000000000000000000013401303637203600167350ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) QT -= gui # greaterThan(QT_MAJOR_VERSION, 4): QT += widgets SOURCES = ipfw.cpp HEADERS = ../../config.h !win32 { QMAKE_COPY = ../../install.sh -m 0755 -s } win32:CONFIG += console INCLUDEPATH += ../pflib ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../pflib ../compiler_lib ../libfwbuilder/src PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../pflib/$$BINARY_SUBDIR/libfwbpf.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \ LIBS += $$PRE_TARGETDEPS $$LIBS TARGET = fwb_ipfw fwbuilder-5.3.7/src/ipt/000077500000000000000000000000001303637203600150775ustar00rootroot00000000000000fwbuilder-5.3.7/src/ipt/ipt.cpp000066400000000000000000000121411303637203600163760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include "CompilerDriver_ipt.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Constants.h" #include #include #include #include #include "../common/init.cpp" using namespace std; using namespace libfwbuilder; using namespace fwcompiler; FWObjectDatabase *objdb = NULL; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string&) const { cout << "Data file has been created in the old version of Firewall Builder. Use fwbuilder GUI to convert it." 
<< std::endl; return false; } }; void usage(const char *name) { cout << "Firewall Builder: policy compiler for " "Linux 2.4.x and 2.6.x iptables" << endl; cout << "Version " << VERSION << endl; cout << "Usage: " << name << " [-x level] [-v] [-V] [-q] [-f filename.xml] [-d destdir] " "[-D datadir ] [-m] [-4|-6] firewall_object_name" << endl; } int main(int argc, char **argv) { QCoreApplication app(argc, argv, false); QTime total_time_timer; total_time_timer.start(); // compilers always write file names into manifest in Utf8 #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); #endif QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); QStringList args = app.arguments(); if (args.size()<=1) { usage(argv[0]); exit(1); } QString last_arg; string filename; for (int idx=0; idx < args.size(); idx++) { QString arg = args.at(idx); last_arg = arg; if (arg == "-V") { usage(argv[0]); exit(0); } if (arg == "-f") { idx++; filename = string(args.at(idx).toLatin1().constData()); continue; } } if (filename.empty()) { usage(argv[0]); exit(1); } init(argv); // register protocols we need IPService::addNamedProtocol(51, "ah"); IPService::addNamedProtocol(112, "vrrp"); try { Resources res(Constants::getResourcesFilePath()); /* create database */ objdb = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; cerr << " *** Loading data ..."; cerr << flush; objdb->setReadOnly( false ); objdb->load( filename, &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(filename); objdb->reIndex(); cerr << " done\n"; cerr << flush; FWObject *slib = objdb->findInIndex(FWObjectDatabase::STANDARD_LIB_ID); if (slib && slib->isReadOnly()) slib->setReadOnly(false); CompilerDriver_ipt *driver = new CompilerDriver_ipt(objdb); if (!driver->prepare(args)) { usage(argv[0]); exit(1); } driver->compile(); //int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 
0 : 1; int ret = driver->getStatus(); QTime time_spent = QTime().addMSecs(total_time_timer.elapsed()); cerr << "Compile time: " << time_spent.toString("hh:mm:ss").toStdString() << endl; delete driver; delete objdb; return ret; } catch(const FWException &ex) { cerr << "Error: " << ex.toString() << std::endl; /* Cleanup resources */ delete objdb; return 1; #if __GNUC__ >= 3 /* need to check version because std::ios::failure does not seem to be * supported in gcc 2.9.5 on FreeBSD 4.10 */ } catch (const std::ios::failure &e) { cerr << "Error while opening or writing to the output file" << std::endl; /* Cleanup ressources */ delete objdb; return 1; #endif } catch (const std::string &s) { cerr << s << std::endl; return 1; } catch (const std::exception &ex) { cerr << ex.what() << std::endl; return 1; } catch (...) { cerr << "Unsupported exception" << std::endl; return 1; } } fwbuilder-5.3.7/src/ipt/ipt.pro000066400000000000000000000013351303637203600164170ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) QT -= gui greaterThan(QT_MAJOR_VERSION, 4): QT += widgets SOURCES = ipt.cpp HEADERS = ../../config.h !win32 { QMAKE_COPY = ../../install.sh -m 0755 -s } win32: CONFIG += console INCLUDEPATH += ../iptlib ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../iptlib ../compiler_lib ../libfwbuilder/src PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../iptlib/$$BINARY_SUBDIR/libiptlib.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \ LIBS += $$PRE_TARGETDEPS $$LIBS TARGET = fwb_ipt fwbuilder-5.3.7/src/iptlib/000077500000000000000000000000001303637203600155665ustar00rootroot00000000000000fwbuilder-5.3.7/src/iptlib/AutomaticRules_ipt.cpp000066400000000000000000000456251303637203600221230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland 
vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "AutomaticRules_ipt.h" #include "fwbuilder/Address.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Policy.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/IPService.h" #include using namespace fwcompiler; using namespace libfwbuilder; using namespace std; PolicyRule* AutomaticRules_ipt::addMgmtRule( Address* src, Address* dst, Service* service, Interface* iface, const PolicyRule::Direction direction, const PolicyRule::Action action, const string &label, bool related) { PolicyRule *rule = AutomaticRules::addMgmtRule(src, dst, service, iface, direction, action, label); FWOptions *ruleopt = rule->getOptionsObject(); assert(ruleopt!=NULL); if (related) { ruleopt->setBool("stateless", false); ruleopt->setBool("accept_established", true); } else { ruleopt->setBool("stateless", true); } ruleopt->setBool("firewall_is_part_of_any_and_networks", true); return rule; } void AutomaticRules_ipt::addConntrackRule() { if (ruleset == NULL) return; FWOptions* options 
= fw->getOptionsObject(); string conntrack_iface_name = options->getStr("state_sync_interface"); if (conntrack_iface_name.empty()) { /* CONNTRACK not active, nothing left to do */ return; } string conntrack_group_id = options->getStr("state_sync_group_id"); StateSyncClusterGroup *state_sync_group = StateSyncClusterGroup::cast( ruleset->getRoot()->findInIndex( FWObjectDatabase::getIntId(conntrack_group_id))); Resources *os_res = Resources::os_res[fw->getStr("host_OS")]; assert(os_res != NULL); string default_address = os_res->getResourceStr("/FWBuilderResources/Target/protocols/conntrack/default_address"); string default_port = os_res->getResourceStr("/FWBuilderResources/Target/protocols/conntrack/default_port"); bool ucast = state_sync_group->getOptionsObject()->getBool("conntrack_unicast"); string addr = state_sync_group->getOptionsObject()->getStr("conntrack_address"); if (addr.empty()) addr = default_address; try { InetAddr(addr); } catch (FWException &ex) { try { InetAddr(AF_INET6, addr); } catch (FWException &ex) { throw FWException(string("Invalid IP address for conntrack: ") + addr); } } string port = state_sync_group->getOptionsObject()->getStr("conntrack_port"); if (port.empty()) port = default_port; /* Add CONNTRACK-Address to database */ Address *conntrack_dst = Address::cast(ruleset->getRoot()->create(IPv4::TYPENAME)); conntrack_dst->setName("CONNTRACK-Address"); conntrack_dst->setAddress(InetAddr(addr)); // Why the whole multicast adress range ? 
//conntrack_dst->setNetmask(InetAddr("240.0.0.0")); conntrack_dst->setComment("CONNTRACK Multicast Address"); persistent_objects->add(conntrack_dst); UDPService *conntrack_srv = UDPService::cast(ruleset->getRoot()->create(UDPService::TYPENAME)); conntrack_srv->setName("CONNTRACK-UDP"); conntrack_srv->setDstRangeStart(atoi(port.c_str())); conntrack_srv->setDstRangeEnd(atoi(port.c_str())); conntrack_srv->setComment("CONNTRACK UDP port"); persistent_objects->add(conntrack_srv); /* Find conntrack interface */ Interface* conntrack_iface = Interface::cast(fw->findObjectByName(Interface::TYPENAME, conntrack_iface_name)); if (conntrack_iface == NULL) { throw FWException( "Unable to get CONNTRACK interface ("+ conntrack_iface_name +")"); } /* Add automatic rules for CONNTRACK */ if (ucast) { Interface *fw_iface = NULL; list other_interfaces; for (FWObjectTypedChildIterator it = state_sync_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { Interface *iface = Interface::cast(FWObjectReference::getObject(*it)); assert(iface); if (iface->isChildOf(fw)) { fw_iface = iface; } else { other_interfaces.push_back(iface); } } for (list::iterator it=other_interfaces.begin(); it!=other_interfaces.end(); ++it) { Interface *other_iface = *it; addMgmtRule(other_iface, fw, conntrack_srv, fw_iface, PolicyRule::Inbound, PolicyRule::Accept, "CONNTRACK"); addMgmtRule(fw, other_iface, conntrack_srv, fw_iface, PolicyRule::Outbound, PolicyRule::Accept, "CONNTRACK"); } } else { addMgmtRule(NULL, conntrack_dst, conntrack_srv, conntrack_iface, PolicyRule::Inbound, PolicyRule::Accept, "CONNTRACK"); addMgmtRule(fw, conntrack_dst, conntrack_srv, conntrack_iface, PolicyRule::Outbound, PolicyRule::Accept, "CONNTRACK"); } } void AutomaticRules_ipt::addFailoverRules() { if (ruleset == NULL) return; Resources *os_res = Resources::os_res[fw->getStr("host_OS")]; assert(os_res != NULL); string default_heartbeat_port = os_res->getResourceStr( 
"/FWBuilderResources/Target/protocols/heartbeat/default_port"); string default_heartbeat_address = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/heartbeat/default_address"); string default_openais_port = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/openais/default_port"); string default_openais_address = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/openais/default_address"); list interfaces = fw->getByTypeDeep(Interface::TYPENAME); interfaces.sort(FWObjectNameCmpPredicate()); list::iterator iface_i; for (iface_i=interfaces.begin(); iface_i != interfaces.end(); ++iface_i) { Interface *iface = Interface::cast(*iface_i); /* We add copies of cluster interface objects to fw objects so each interface appears twice, the original interface of the firewall, plus a copy of the cluster interface. To deduplicate will use only copies of cluster interfaces because these include VRRP interfaces. */ if (iface->isFailoverInterface() && iface->getOptionsObject()->getBool("cluster_interface")) { FWObject *failover_group = iface->getFirstByType(FailoverClusterGroup::TYPENAME); PolicyRule *rule = NULL; string fw_iface_id = iface->getOptionsObject()->getStr("base_interface_id"); Interface *fw_iface = Interface::cast( ruleset->getRoot()->findInIndex(FWObjectDatabase::getIntId(fw_iface_id))); if (fw_iface == NULL) { throw FWException( QString("Can not find interface of the firewall " "for the cluster failover group %1. 
") .arg(failover_group->getName().c_str()).toStdString()); } if (failover_group->getStr("type") == "vrrp") { /* Add VRRP-Address to database */ Address *vrrp_dst = Address::cast( ruleset->getRoot()->create(IPv4::TYPENAME)); vrrp_dst->setName("VRRP-Address"); vrrp_dst->setAddress(InetAddr("224.0.0.18")); vrrp_dst->setNetmask(InetAddr(InetAddr::getAllOnes())); vrrp_dst->setComment("VRRP Multicast Address"); persistent_objects->add(vrrp_dst); bool use_ipsec_ah = false; FWOptions *failover_opts = FailoverClusterGroup::cast(failover_group)->getOptionsObject(); if (failover_opts) { use_ipsec_ah = failover_opts->getBool("vrrp_over_ipsec_ah"); } /* Add VRRP-Service to database */ IPService* vrrp_srv = IPService::cast( ruleset->getRoot()->create(IPService::TYPENAME)); vrrp_srv->setComment("VRRP service"); vrrp_srv->setProtocolNumber(112); persistent_objects->add(vrrp_srv); /* * Add AH-Service to database. * According to RFC 2338 section 5.3.6.3, VRRP can use * IPsec AH. */ IPService* ah_srv = IPService::cast( ruleset->getRoot()->create(IPService::TYPENAME)); ah_srv->setComment("IPSEC-AH"); ah_srv->setProtocolNumber(51); persistent_objects->add(ah_srv); for (FWObjectTypedChildIterator it = failover_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { Interface *other_iface = Interface::cast(FWObjectReference::getObject(*it)); assert(other_iface); if (other_iface->getId() == fw_iface->getId()) continue; // if interface is dynamic, we can't use it in the rule // (because it belongs to another machine, not the fw // we compile for so we can't use script). 
NULL means "any" // in the call to addMgmtRule() if (other_iface->isDyn()) other_iface = NULL; if (!use_ipsec_ah) { addMgmtRule(other_iface, vrrp_dst, vrrp_srv, iface, PolicyRule::Inbound, PolicyRule::Accept, "VRRP"); } else { addMgmtRule(other_iface, vrrp_dst, ah_srv, iface, PolicyRule::Inbound, PolicyRule::Accept, "VRRP (with IPSEC-AH)"); } } // outbound rule does not use other_interface and // should be created outside the loop to avoid // duplicates. Duplicates happen when cluster has 3 or // more members. if (!use_ipsec_ah) { addMgmtRule(fw, vrrp_dst, vrrp_srv, iface, PolicyRule::Outbound, PolicyRule::Accept, "VRRP"); } else { addMgmtRule(fw, vrrp_dst, ah_srv, iface, PolicyRule::Outbound, PolicyRule::Accept, "VRRP (with IPSEC-AH)"); } } if (failover_group->getStr("type") == "heartbeat") { /* * Note that iface is a copy of the cluster inetrface. * Find interface of the member firewall fw that corresponds * to the cluster interface iface */ bool ucast = FailoverClusterGroup::cast(failover_group)-> getOptionsObject()->getBool("heartbeat_unicast"); string addr = FailoverClusterGroup::cast(failover_group)-> getOptionsObject()->getStr("heartbeat_address"); if (addr.empty()) addr = default_heartbeat_address; string port = FailoverClusterGroup::cast(failover_group)-> getOptionsObject()->getStr("heartbeat_port"); if (port.empty()) port = default_heartbeat_port; UDPService *heartbeat_srv = UDPService::cast( ruleset->getRoot()->create(UDPService::TYPENAME)); /* Add heartbeat-Address to database */ Address *heartbeat_dst = Address::cast(ruleset->getRoot()->create( IPv4::TYPENAME)); heartbeat_dst->setName("HEARTBEAT-Address"); heartbeat_dst->setAddress(InetAddr(addr)); heartbeat_dst->setNetmask(InetAddr(InetAddr::getAllOnes())); heartbeat_dst->setComment("HEARTBEAT Multicast Address"); persistent_objects->add(heartbeat_dst); heartbeat_srv->setName("HEARTBEAT-UDP"); heartbeat_srv->setDstRangeStart(atoi(port.c_str())); heartbeat_srv->setDstRangeEnd(atoi(port.c_str())); 
heartbeat_srv->setComment("HEARTBEAT UDP port"); persistent_objects->add(heartbeat_srv); // Heartbeat can use either multicast or unicast for (FWObjectTypedChildIterator it = failover_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { Interface *other_iface = Interface::cast(FWObjectReference::getObject(*it)); assert(other_iface); if (other_iface->getId() == fw_iface->getId()) continue; // if interface is dynamic, we can't use it in the rule // (because it belongs to another machine, not the fw // we compile for so we can't use script). NULL means "any" // in the call to addMgmtRule() if (other_iface->isDyn()) other_iface = NULL; if (ucast) { addMgmtRule(other_iface, fw, heartbeat_srv, fw_iface, PolicyRule::Inbound, PolicyRule::Accept, "heartbeat"); addMgmtRule(fw, other_iface, heartbeat_srv, fw_iface, PolicyRule::Outbound, PolicyRule::Accept, "heartbeat"); } else { addMgmtRule(other_iface, heartbeat_dst, heartbeat_srv, fw_iface, PolicyRule::Inbound, PolicyRule::Accept, "heartbeat"); addMgmtRule(fw, heartbeat_dst, heartbeat_srv, fw_iface, PolicyRule::Outbound, PolicyRule::Accept, "heartbeat"); } } } if (failover_group->getStr("type") == "openais") { string addr = FailoverClusterGroup::cast(failover_group)-> getOptionsObject()->getStr("openais_address"); if (addr.empty()) addr = default_openais_address; string port = FailoverClusterGroup::cast(failover_group)-> getOptionsObject()->getStr("openais_port"); if (port.empty()) port = default_openais_port; /* Add OPENAIS-Address to database */ Address *openais_dst = Address::cast(ruleset->getRoot()->create( IPv4::TYPENAME)); openais_dst->setName("OPENAIS-Address"); openais_dst->setAddress(InetAddr(addr)); openais_dst->setNetmask(InetAddr(InetAddr::getAllOnes())); openais_dst->setComment("OPENAIS Multicast Address"); persistent_objects->add(openais_dst); UDPService *openais_srv = UDPService::cast( ruleset->getRoot()->create(UDPService::TYPENAME)); openais_srv->setName("OPENAIS-UDP"); 
openais_srv->setDstRangeStart(atoi(port.c_str())); openais_srv->setDstRangeEnd(atoi(port.c_str())); openais_srv->setComment("OPENAIS UDP port"); persistent_objects->add(openais_srv); for (FWObjectTypedChildIterator it = failover_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { Interface *other_iface = Interface::cast(FWObjectReference::getObject(*it)); assert(other_iface); if (other_iface->getId() == fw_iface->getId()) continue; // if interface is dynamic, we can't use it in the rule // (because it belongs to another machine, not the fw // we compile for so we can't use script). NULL means "any" // in the call to addMgmtRule() if (other_iface->isDyn()) other_iface = NULL; addMgmtRule(other_iface, openais_dst, openais_srv, iface, PolicyRule::Inbound, PolicyRule::Accept, "openais"); addMgmtRule(fw, openais_dst, openais_srv, iface, PolicyRule::Outbound, PolicyRule::Accept, "openais"); } } if (rule) { FWOptions *ruleopt = rule->getOptionsObject(); assert(ruleopt!=NULL); ruleopt->setInt("firewall_is_part_of_any_and_networks", 1); } } } } fwbuilder-5.3.7/src/iptlib/AutomaticRules_ipt.h000066400000000000000000000034661303637203600215650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __AUTOMATICRULES_IPT_HH__ #define __AUTOMATICRULES_IPT_HH__ #include "AutomaticRules.h" namespace libfwbuilder { class Address; class Firewall; class Interface; class Service; }; namespace fwcompiler { class AutomaticRules_ipt : public AutomaticRules { public: AutomaticRules_ipt(libfwbuilder::Firewall *fw, libfwbuilder::Library *presistent_objects) : AutomaticRules(fw, presistent_objects) {} virtual libfwbuilder::PolicyRule* addMgmtRule( libfwbuilder::Address* src, libfwbuilder::Address* dst, libfwbuilder::Service* service, libfwbuilder::Interface* iface, const libfwbuilder::PolicyRule::Direction direction, const libfwbuilder::PolicyRule::Action action, const std::string &label, bool related = false); void addConntrackRule(); void addFailoverRules(); }; }; #endif fwbuilder-5.3.7/src/iptlib/CompilerDriver_ipt.cpp000066400000000000000000000202731303637203600221000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "Configlet.h" #include "CompilerDriver_ipt.h" #include "PolicyCompiler_ipt.h" #include "PolicyCompiler_secuwall.h" #include "fwbuilder/Address.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/IPService.h" #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; CompilerDriver_ipt::CompilerDriver_ipt(FWObjectDatabase *db) : CompilerDriver(db) { have_connmark = false; have_connmark_in_output = false; } CompilerDriver_ipt::~CompilerDriver_ipt() { } // create a copy of itself, including objdb CompilerDriver* CompilerDriver_ipt::clone() { CompilerDriver_ipt* new_cd = new CompilerDriver_ipt(objdb); if (inEmbeddedMode()) new_cd->setEmbeddedMode(); return new_cd; } void CompilerDriver_ipt::assignRuleSetChain(RuleSet *ruleset) { string branch_name = ruleset->getName(); for (FWObject::iterator r=ruleset->begin(); r!=ruleset->end(); r++) { Rule *rule = Rule::cast(*r); if (rule == NULL) continue; // skip RuleSetOptions object if (rule->isDisabled()) continue; if (!ruleset->isTop()) rule->setStr("ipt_chain", branch_name); // ??? // rule->setUniqueId( FWObjectDatabase::getStringId(rule->getId()) ); } } void CompilerDriver_ipt::findBranchesInMangleTable(Firewall *fw, list &all_policies) { // special but common case: if we only have one policy, there is // no need to check if we have to do branching in mangle table // since we do not have any branching rules in that case. 
if (all_policies.size() > 1) { for (list::iterator i=all_policies.begin(); i!=all_policies.end(); ++i) { for (list::iterator r=(*i)->begin(); r!=(*i)->end(); ++r) { PolicyRule *rule = PolicyRule::cast(*r); if (rule == NULL) continue; // skip RuleSetOptions object FWOptions *ruleopt = rule->getOptionsObject(); if (rule->getAction() == PolicyRule::Branch && ! ruleopt->getBool("ipt_branch_in_mangle")) { RuleSet *ruleset = rule->getBranch(); if (ruleset == NULL) { abort(fw, *i, rule, "Action branch does not point to any rule set"); } for (list::iterator br=ruleset->begin(); br!=ruleset->end(); ++br) { PolicyRule *b_rule = PolicyRule::cast(*br); if (b_rule == NULL) continue; if (b_rule->getTagging() || b_rule->getClassification()) ruleopt->setBool("ipt_branch_in_mangle", true); } } } } } } /* * TODO: use configlet to define structure of generated script. Need 2 * configlets: for the shell script format and iptables-restore format * However in order to use configlets in an efficient manner, we need * to be able to use if-then-else statements there. This will help * implement logic that skips filter or mangle or nat segments if * there are no rules in them. * * Also will need either special configlets for the single-rule * compile or more if-then-else in configlet code. 
*/ string CompilerDriver_ipt::dumpScript(Firewall *fw, const string& automatic_rules_script, const string& automatic_mangle_script, const string& nat_script, const string& mangle_script, const string& filter_script, bool ipv6_policy) { // cerr << "nat script" << endl; // cerr << "\"" << nat_script << "\"" << endl; ostringstream res; ostringstream script; string prolog_place = fw->getOptionsObject()->getStr("prolog_place"); Configlet *conf = NULL; bool have_auto = !automatic_rules_script.empty() || !automatic_mangle_script.empty(); if (single_rule_compile_on) { have_auto = false; conf = new Configlet(fw, "linux24", "script_body_single_rule"); conf->collapseEmptyStrings(true); } else { if (fw->getOptionsObject()->getBool("use_iptables_restore")) { conf = new Configlet(fw, "linux24", "script_body_iptables_restore"); } else conf = new Configlet(fw, "linux24", "script_body_iptables_shell"); } conf->setVariable("auto", have_auto); conf->setVariable("iptables_restore_format", fw->getOptionsObject()->getBool("use_iptables_restore")); conf->setVariable("filter", !filter_script.empty()); conf->setVariable("filter_or_auto", have_auto || !filter_script.empty()); conf->setVariable("filter_auto_script", automatic_rules_script.c_str()); conf->setVariable("filter_script", filter_script.c_str()); conf->setVariable("mangle", !mangle_script.empty()); conf->setVariable("mangle_or_auto", !mangle_script.empty() || !automatic_mangle_script.empty()); conf->setVariable("mangle_auto_script", automatic_mangle_script.c_str()); conf->setVariable("mangle_script", mangle_script.c_str()); conf->setVariable("nat", !nat_script.empty()); conf->setVariable("nat_script", nat_script.c_str()); bool have_script = (have_auto || !filter_script.empty() || !mangle_script.empty() || !nat_script.empty()); conf->setVariable("have_script", have_script); conf->setVariable("ipv4", !ipv6_policy); conf->setVariable("ipv6", ipv6_policy); res << conf->expand().toStdString(); delete conf; return res.str(); } 
std::auto_ptr CompilerDriver_ipt::createPolicyCompiler( Firewall *fw, bool ipv6_policy, OSConfigurator *oscnf, std::map *minus_n_commands_filter) { string platform = fw->getStr("platform"); string platform_family = Resources::platform_res[platform]-> getResourceStr("/FWBuilderResources/Target/family"); std::auto_ptr policy_compiler; if (fw->getStr("host_OS") == "secuwall") { policy_compiler = std::auto_ptr( new PolicyCompiler_secuwall(objdb,fw, ipv6_policy, oscnf, minus_n_commands_filter)); } else { policy_compiler = std::auto_ptr( new PolicyCompiler_ipt(objdb,fw, ipv6_policy, oscnf, minus_n_commands_filter)); } if (policy_compiler.get()==NULL) abort("Unrecognized firewall platform " + fw->getStr("platform") + " (family " + platform_family+")"); return policy_compiler; } fwbuilder-5.3.7/src/iptlib/CompilerDriver_ipt.h000066400000000000000000000111261303637203600215420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#ifndef __COMPILER_DRIVER_IPT_HH__
#define __COMPILER_DRIVER_IPT_HH__

#include "../compiler_lib/CompilerDriver.h"
#include "PolicyCompiler_ipt.h"
#include "OSConfigurator_linux24.h"

#include
#include
#include
#include
#include
#include

namespace libfwbuilder {
    class FWObjectDatabase;
    class Cluster;
    class ClusterGroup;
    class Firewall;
    class RuleSet;
    class Interface;
    class Address;
    class PolicyRule;
};

namespace fwcompiler {

    /*
     * Compiler driver for the iptables family of targets. run() compiles
     * every NAT, policy and routing rule set of one firewall (optionally a
     * cluster member) for IPv4 and/or IPv6 and assembles the result into
     * a shell script; processNatRuleSet() and processPolicyRuleSet() do
     * the per-rule-set work.
     */
    class CompilerDriver_ipt : public CompilerDriver {

        // commands that pass control to branch chains should go into
        // POSTROUTING or PREROUTING chains depending on the targets used
        // inside the branch. Branches that use mixed rules (both SNAT
        // and DNAT) will be split so that two separate chains are created, one
        // for all SNAT rules and another for all DNAT rules. Rules in
        // the top NAT ruleset that pass control to them will be placed into
        // PREROUTING or POSTROUTING chain depending on the target in the branch.
        // The following maps targets used in the branch to the ruleset name.
        // By convention, the chain created for the branch rules will be named
        // using combination of the ruleset name and word "PREROUTING"
        // or "POSTROUTING"
        // Filled by processNatRuleSet() (branch name -> chains the branch
        // used) and handed to each NATCompiler_ipt through
        // setRulesetToChainMapping().
        std::map > branch_ruleset_to_chain_mapping;

        // Factory for the filter-table compiler: PolicyCompiler_secuwall
        // when host_OS is "secuwall", PolicyCompiler_ipt otherwise.
        std::auto_ptr createPolicyCompiler(
            libfwbuilder::Firewall *fw,
            bool ipv6_policy,
            fwcompiler::OSConfigurator *_oscnf,
            std::map *m_n_commands_map);

        // Sticky flags OR-ed together by processPolicyRuleSet() across all
        // rule sets (branches are processed before the top rule set): true
        // once any rule set uses CONNMARK, resp. uses it in OUTPUT. They
        // decide whether the automatic mangle-table rules are generated.
        // NOTE(review): initialisation is expected in the constructor,
        // which is not visible here.
        bool have_connmark;
        bool have_connmark_in_output;

public:

        CompilerDriver_ipt(libfwbuilder::FWObjectDatabase *db);
        virtual ~CompilerDriver_ipt();

        // create a copy of itself, including objdb
        virtual CompilerDriver* clone();

        // Compile firewall firewall_id (member of cluster cluster_id, or
        // stand-alone when cluster_id is empty) and write the script to
        // a file. With a non-empty single_rule_id only that rule is
        // compiled and the text is returned instead.
        virtual QString run(const std::string &cluster_id,
                            const std::string &firewall_id,
                            const std::string &single_rule_id);

        void assignRuleSetChain(libfwbuilder::RuleSet *ruleset);

        void findBranchesInMangleTable(libfwbuilder::Firewall*,
                                       std::list &all_policies);

        // Assemble the per-address-family script fragment from the
        // individual table streams produced by the process*RuleSet calls.
        std::string dumpScript(libfwbuilder::Firewall *fw,
                               const std::string& automatic_rules_script,
                               const std::string& automatic_mangle_script,
                               const std::string& nat_script,
                               const std::string& mangle_script,
                               const std::string& filter_script,
                               bool ipv6_policy);

        // Both process*RuleSet() methods return true when they produced
        // NO output for the given rule set / address family.
        bool processPolicyRuleSet(
            libfwbuilder::Firewall *fw,
            libfwbuilder::FWObject *ruleset,
            const std::string &single_rule_id,
            std::ostringstream &filter_table_stream,
            std::ostringstream &mangle_table_stream,
            std::ostringstream &automatic_rules_stream,
            std::ostringstream &automatic_mangle_stream,
            fwcompiler::OSConfigurator_linux24 *oscnf,
            int policy_af,
            std::map &minus_n_commands_filter,
            std::map &minus_n_commands_mangle);

        bool processNatRuleSet(
            libfwbuilder::Firewall *fw,
            libfwbuilder::FWObject *ruleset,
            const std::string &single_rule_id,
            std::ostringstream &nat_stream,
            fwcompiler::OSConfigurator_linux24 *oscnf,
            int policy_af,
            std::map &minus_n_commands_nat);

    };
};

#endif
fwbuilder-5.3.7/src/iptlib/CompilerDriver_ipt_nat.cpp000066400000000000000000000101021303637203600227300ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "../../config.h"

#include "CompilerDriver_ipt.h"
#include "NATCompiler_ipt.h"
#include "OSConfigurator_linux24.h"

#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Library.h"

#include
#include
#include

using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;

/*
 * Compile one NAT rule set (top-level or branch) of firewall fw for the
 * address family policy_af and append the generated commands to
 * nat_rules_stream.
 *
 * ruleset            - the NAT rule set object (must be a NAT)
 * single_rule_id     - non-empty => single-rule compile mode
 * nat_rules_stream   - receives the "Table 'nat'" section for this rule set
 * oscnf              - OS configurator shared by all compilers of this run
 * policy_af          - AF_INET or AF_INET6
 * minus_n_commands_nat - tracker of chains already created in the nat
 *                      table, shared across all rule sets of one
 *                      address family run
 *
 * Side effects: sets have_nat, records the chains used by this rule set
 * in branch_ruleset_to_chain_mapping and appends compiler errors and
 * warnings to all_errors.
 *
 * Returns true when NOTHING was appended to nat_rules_stream (address
 * family mismatch or no compiled output), false otherwise. run() relies
 * on this inverted sense.
 */
bool CompilerDriver_ipt::processNatRuleSet(
    Firewall *fw,
    FWObject *ruleset,
    const std::string &single_rule_id,
    std::ostringstream &nat_rules_stream,
    fwcompiler::OSConfigurator_linux24 *oscnf,
    int policy_af,
    std::map &minus_n_commands_nat)
{
    int nat_rules_count = 0;
    string host_os = fw->getStr("host_OS");
    bool flush_and_set_default_policy = Resources::getTargetOptionBool(
        host_os, "default/flush_and_set_default_policy");
    bool empty_output = true;

    // NOTE(review): NAT::cast() is assumed to yield NULL for a non-NAT
    // object and nothing here checks for that, so callers must pass NAT
    // rule sets only (run() obtains them via getByType(NAT::TYPENAME)).
    NAT *nat = NAT::cast(ruleset);

    // Chain assignment happens before the address family check below,
    // so it is performed even for rule sets that are then skipped.
    assignRuleSetChain(nat);

    string branch_name = nat->getName();

    if (!nat->matchingAddressFamily(policy_af)) return true;

    bool ipv6_policy = (policy_af == AF_INET6);

    // compile NAT rules before policy rules because policy
    // compiler needs to know the number of virtual addresses
    // being created for NAT
    std::auto_ptr nat_compiler(
        new NATCompiler_ipt(objdb, fw, ipv6_policy, oscnf,
                            &minus_n_commands_nat));

    // Branch rule sets get a chain of their own, named after the rule set.
    if (!nat->isTop()) nat_compiler->registerRuleSetChain(branch_name);

    nat_compiler->setSourceRuleSet( nat );
    nat_compiler->setRuleSetName(branch_name);
    nat_compiler->setPersistentObjects(persistent_objects);
    nat_compiler->setSingleRuleCompileMode(single_rule_id);
    nat_compiler->setDebugLevel( dl );
    if (rule_debug_on) nat_compiler->setDebugRule( drn );
    nat_compiler->setVerbose( (bool)(verbose) );
    nat_compiler->setHaveDynamicInterfaces(have_dynamic_interfaces);
    if (inTestMode()) nat_compiler->setTestMode();
    if (inEmbeddedMode()) nat_compiler->setEmbeddedMode();
    nat_compiler->setRulesetToChainMapping(&branch_ruleset_to_chain_mapping);

    // prolog() returns the number of rules to compile; compile() and
    // epilog() are skipped entirely for an empty rule set.
    if ( (nat_rules_count=nat_compiler->prolog()) > 0 )
    {
        nat_compiler->compile();
        nat_compiler->epilog();
    }

    // Sticky driver-level flag, consulted by run() when it fills the
    // "load_modules_with_nat" variable of the script skeleton.
    have_nat = (have_nat || (nat_rules_count > 0));

    if (nat_compiler->getCompiledScriptLength() > 0)
    {
        if (!single_rule_compile_on)
            nat_rules_stream << "# ================ Table 'nat', "
                             << " rule set " << branch_name << "\n";

        // Flush/default policy and automatic rules are emitted together
        // with the top rule set only; branches are plain chains.
        if (nat->isTop())
        {
            if (flush_and_set_default_policy)
                nat_rules_stream << nat_compiler->flushAndSetDefaultPolicy();
            nat_rules_stream << nat_compiler->printAutomaticRules();
        }

        nat_rules_stream << nat_compiler->getCompiledScript();
        nat_rules_stream << "\n";
        empty_output = false;

        // Remember which chains this rule set used so that rules in the
        // top NAT rule set branching to it land in the right
        // PREROUTING/POSTROUTING chain (see the header comment).
        branch_ruleset_to_chain_mapping[branch_name] =
            nat_compiler->getUsedChains();
    }

    // Collected errors are rendered into the generated script by run()
    // as "# " comment lines.
    if (nat_compiler->haveErrorsAndWarnings())
    {
        all_errors.push_back(nat_compiler->getErrors("").c_str());
    }

    return empty_output;
}
fwbuilder-5.3.7/src/iptlib/CompilerDriver_ipt_policy.cpp000066400000000000000000000235561303637203600234600ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "../../config.h"

#include "CompilerDriver_ipt.h"
#include "MangleTableCompiler_ipt.h"
#include "PolicyCompiler_ipt.h"
#include "PolicyCompiler_secuwall.h"
#include "OSConfigurator_linux24.h"
#include "Configlet.h"

#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Library.h"

#include
#include
#include

using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;

// we always first process all non-top rule sets, then all top rule
// sets

/*
 * Compile one policy rule set (top-level or branch) of firewall fw for
 * address family policy_af. Each policy rule set is compiled twice: once
 * by MangleTableCompiler_ipt (mangle table) and once by the filter
 * compiler returned by createPolicyCompiler().
 *
 * filter_rules_stream / mangle_rules_stream receive the per-rule-set
 * sections; automatic_rules_stream / automatic_mangle_stream receive the
 * flush/default-policy and automatic rules, which are generated once,
 * while processing the top rule set, and only if the respective stream
 * is still empty. minus_n_commands_filter / minus_n_commands_mangle track
 * chains already created in the two tables.
 *
 * Side effects: OR-s have_connmark / have_connmark_in_output, appends
 * compiler errors and warnings to all_errors.
 *
 * Returns true when NOTHING was written to filter_rules_stream,
 * mangle_rules_stream or automatic_rules_stream; see the note near the
 * automatic mangle rules for the one stream that does not count.
 */
bool CompilerDriver_ipt::processPolicyRuleSet(
    Firewall *fw,
    FWObject *ruleset,
    const string &single_rule_id,
    ostringstream &filter_rules_stream,
    ostringstream &mangle_rules_stream,
    ostringstream &automatic_rules_stream,
    ostringstream &automatic_mangle_stream,
    OSConfigurator_linux24 *oscnf,
    int policy_af,
    std::map &minus_n_commands_filter,
    std::map &minus_n_commands_mangle)
{
    int policy_rules_count = 0;
    int mangle_rules_count = 0;
    bool empty_output = true;
    // prolog_place, platform_family and os_family are computed but not
    // used by live code in this function (prolog_place only appears in
    // the commented-out #1707 block below).
    string prolog_place = fw->getOptionsObject()->getStr("prolog_place");
    string platform = fw->getStr("platform");
    string host_os = fw->getStr("host_OS");
    bool flush_and_set_default_policy = Resources::getTargetOptionBool(
        host_os, "default/flush_and_set_default_policy");
    string platform_family = Resources::platform_res[platform]->
        getResourceStr("/FWBuilderResources/Target/family");
    string os_family = Resources::os_res[host_os]->
        getResourceStr("/FWBuilderResources/Target/family");

    // NOTE(review): Policy::cast() is assumed to yield NULL for a
    // non-Policy object; no check here, callers must pass Policy objects.
    Policy *policy = Policy::cast(ruleset);
    // Done before the address family check, i.e. even for skipped rule sets.
    assignRuleSetChain(policy);
    string branch_name = policy->getName();

    if (!policy->matchingAddressFamily(policy_af)) return true;

    bool ipv6_policy = (policy_af == AF_INET6);

    /* ---- mangle table ---- */
    std::auto_ptr mangle_compiler(
        new MangleTableCompiler_ipt(objdb , fw, ipv6_policy , oscnf,
                                    &minus_n_commands_mangle ));

    if (!policy->isTop()) mangle_compiler->registerRuleSetChain(branch_name);
    mangle_compiler->setSourceRuleSet( policy );
    mangle_compiler->setRuleSetName(branch_name);
    mangle_compiler->setPersistentObjects(persistent_objects);
    mangle_compiler->setSingleRuleCompileMode(single_rule_id);
    mangle_compiler->setDebugLevel( dl );
    if (rule_debug_on) mangle_compiler->setDebugRule( drp );
    mangle_compiler->setVerbose( (bool)(verbose) );
    mangle_compiler->setHaveDynamicInterfaces(have_dynamic_interfaces);
    if (inTestMode()) mangle_compiler->setTestMode();
    if (inEmbeddedMode()) mangle_compiler->setEmbeddedMode();

    if ( (mangle_rules_count = mangle_compiler->prolog()) > 0 )
    {
        mangle_compiler->compile();
        mangle_compiler->epilog();

        // We need to generate automatic rules in mangle
        // table (-j CONNMARK --restore-mark) if CONNMARK
        // target is present in any ruleset, not only in
        // the top-level ruleset. So we keep global
        // boolean flags for this condition which will
        // become true if any ruleset has such
        // rules. We'll call
        // MangleTableCompiler_ipt::flushAndSetDefaultPolicy
        // later if either of these flags is true after
        // all rulesets have been processed.
        have_connmark |= mangle_compiler->haveConnMarkRules();
        have_connmark_in_output |= mangle_compiler->haveConnMarkRulesInOutput();

        // Stream position before/after tells us whether anything was
        // written, which is what empty_output reports.
        long m_str_pos = mangle_rules_stream.tellp();

        if (mangle_compiler->getCompiledScriptLength() > 0)
        {
            ostringstream tmp;
            tmp << mangle_compiler->getCompiledScript();
            if (tmp.tellp() > 0)
            {
                if (!single_rule_compile_on)
                {
                    mangle_rules_stream << "# ================ Table 'mangle', ";
                    mangle_rules_stream << "rule set " << branch_name << "\n";
                }
                mangle_rules_stream << tmp.str();
            }
        }

        if (mangle_compiler->haveErrorsAndWarnings())
        {
            all_errors.push_back(mangle_compiler->getErrors("").c_str());
            mangle_compiler->clearErrors();
        }

        if (m_str_pos!=mangle_rules_stream.tellp())
        {
            //mangle_rules_stream << "\n";
            empty_output = false;
        }
    }

    /* ---- filter table ---- */
    std::auto_ptr policy_compiler = createPolicyCompiler(
        fw, ipv6_policy, oscnf, &minus_n_commands_filter);

    policy_compiler->setSingleRuleCompileMode(single_rule_id);
    policy_compiler->setDebugLevel( dl );
    if (rule_debug_on) policy_compiler->setDebugRule( drp );
    policy_compiler->setVerbose( (bool)(verbose) );
    policy_compiler->setHaveDynamicInterfaces(have_dynamic_interfaces);
    if (inTestMode()) policy_compiler->setTestMode();
    if (inEmbeddedMode()) policy_compiler->setEmbeddedMode();

    if (!policy->isTop()) policy_compiler->registerRuleSetChain(branch_name);
    policy_compiler->setSourceRuleSet( policy );
    policy_compiler->setRuleSetName(branch_name);
    policy_compiler->setPersistentObjects(persistent_objects);

    if ( (policy_rules_count=policy_compiler->prolog()) > 0 )
    {
        policy_compiler->compile();
        policy_compiler->epilog();

        if (policy_compiler->getCompiledScriptLength() > 0)
        {
            ostringstream tmp;
            tmp << policy_compiler->getCompiledScript();
            if (tmp.tellp() > 0)
            {
                empty_output = false;
                if (!single_rule_compile_on)
                {
                    filter_rules_stream << "# ================ Table 'filter', ";
                    filter_rules_stream << "rule set " << branch_name << "\n";
                }
                filter_rules_stream << tmp.str();
            }
        }

        if (policy_compiler->haveErrorsAndWarnings())
        {
            all_errors.push_back(policy_compiler->getErrors("").c_str());
            policy_compiler->clearErrors();
        }
    }

    /* bug #2550074: "Automatic rules for filter table included twice
     * in iptables". If user had two policy ruleset objects marked as
     * "top" rule set, then automaitc rules were added twice. Since we
     * add rules to automatic_rules_stream only in this one place, it
     * is sufficient to check if the stream is empty to avoid
     * duplication. Note that on windows tellp() seems to return -1
     * if no data has ever been written to the stream.
     */
    long auto_rules_stream_position = automatic_rules_stream.tellp();
    if (policy->isTop() && auto_rules_stream_position <= 0)
    {
        ostringstream tmp;

        if (flush_and_set_default_policy)
            tmp << policy_compiler->flushAndSetDefaultPolicy();

        /*
         * commented out for #1707
         *
         if (!prolog_done && prolog_place == "after_flush" &&
         !fw->getOptionsObject()->getBool("use_iptables_restore"))
         {
         tmp << "prolog_commands" << endl;
         prolog_done = true;
         }
        */

        tmp << policy_compiler->printAutomaticRules();

        // printAutomaticRules() can generate errors and warnings
        if (policy_compiler->haveErrorsAndWarnings())
        {
            all_errors.push_back(policy_compiler->getErrors("").c_str());
            policy_compiler->clearErrors();
        }

        if (tmp.tellp() > 0)
        {
            empty_output = false;
            if (!single_rule_compile_on)
            {
                automatic_rules_stream
                    << "# ================ Table 'filter', automatic rules"
                    << "\n";
            }
            automatic_rules_stream << tmp.str();
        }
    }

    long auto_mangle_stream_position = automatic_mangle_stream.tellp();
    if (policy->isTop() && auto_mangle_stream_position <= 0)
    {
        // Note that we process non-top rule sets first and then
        // deal with the top rule set. By the time we get here the
        // have_connmark flags reflect the state of all other rule
        // sets and the top one.
        ostringstream tmp_m;
        tmp_m << mangle_compiler->printAutomaticRulesForMangleTable(
            have_connmark, have_connmark_in_output);

        // printAutomaticRulesForMangleTable() can generate errors and warnings
        if (mangle_compiler->haveErrorsAndWarnings())
        {
            all_errors.push_back(mangle_compiler->getErrors("").c_str());
            mangle_compiler->clearErrors();
        }

        // NOTE(review): unlike the filter automatic rules just above,
        // output written here does NOT clear empty_output, so a top rule
        // set whose only product is automatic mangle rules still reports
        // "empty". Probably harmless in practice, but asymmetric.
        if (tmp_m.tellp() > 0)
        {
            if (!single_rule_compile_on)
            {
                automatic_mangle_stream << "# ================ Table 'mangle', ";
                automatic_mangle_stream << "automatic rules";
                automatic_mangle_stream << "\n";
            }
            automatic_mangle_stream << tmp_m.str();
        }
    }

    return empty_output;
}
fwbuilder-5.3.7/src/iptlib/CompilerDriver_ipt_run.cpp000066400000000000000000000721331303637203600227660ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "../../config.h"

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "CompilerDriver_ipt.h"
#include "PolicyCompiler_ipt.h"
#include "NATCompiler_ipt.h"
#include "RoutingCompiler_ipt.h"
#include "Preprocessor_ipt.h"
#include "OSConfigurator_linux24.h"
#include "OSConfigurator_secuwall.h"
#include "OSConfigurator_ipcop.h"
#include "combinedAddress.h"
#include "AutomaticRules_ipt.h"
#include "Configlet.h"

#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Library.h"

#include
#include
#include
#include
#include
#include
#include
#include

using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;

// Name of the user running the compiler; defined elsewhere and embedded
// into the generated script's header by run().
extern QString user_name;

/*
 * Factory for combinedAddress objects. run() registers it with
 * FWObjectDatabase::registerObjectType() under combinedAddress::TYPENAME
 * so the database can instantiate this compiler-private type by name.
 *
 * id: object id to assign; any negative value leaves the id untouched.
 * Returns a newly allocated object owned by the caller / database.
 */
FWObject* create_combinedAddress(int id)
{
    FWObject *nobj = new combinedAddress();
    if (id > -1) nobj->setId(id);
    return nobj;
}

/*
 * Go through paces to compile firewall which may be a member of a
 * cluster. Note that both firewall and cluster are defined by their
 * unique string IDs. This is necessary because CompilerDriver
 * operates with a copy of the object database which is not exposed
 * outside, so the caller can not provide pointers to these obejcts.
 *
 * cluster_id     - string id of the cluster the firewall belongs to, or
 *                  empty for a stand-alone firewall
 * firewall_id    - string id of the firewall to compile
 * single_rule_id - when non-empty, only that rule is compiled and the
 *                  resulting text is returned instead of written to a file
 *
 * On success the generated script is written to file_names[FW_FILE] and
 * an empty QString is returned (status becomes FWCOMPILER_WARNING if
 * any errors/warnings were collected). If an FWException escapes, status
 * becomes FWCOMPILER_ERROR and the exception text is returned.
 */
QString CompilerDriver_ipt::run(const std::string &cluster_id,
                                const std::string &firewall_id,
                                const std::string &single_rule_id)
{
    FWObjectDatabase::registerObjectType(combinedAddress::TYPENAME,
                                         &create_combinedAddress);

    // see #2212 Create temporary copy of the firewall and cluster
    // objects and pass them to the compilers.
    Cluster *cluster = NULL;
    Firewall *fw = NULL;

    getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);

    string generated_script;

    try
    {
        clearReadOnly(fw);

        // Copy rules from the cluster object
        populateClusterElements(cluster, fw);

        commonChecks2(cluster, fw);

        string fw_version = fw->getStr("version");
        // NOTE(review): this placeholder is later fed to
        // XMLTools::version_compare() against "1.4.20"; whatever that
        // function makes of a non-numeric string decides whether "-w" is
        // passed to iptables in the block/stop actions.
        if (fw_version.empty()) fw_version = "(any version)";
        string platform = fw->getStr("platform");
        string host_os = fw->getStr("host_OS");
        FWOptions* options = fw->getOptionsObject();
        string s;

        // Note that fwobjectname may be different from the name of the
        // firewall fw This happens when we compile a member of a cluster
        current_firewall_name = fw->getName().c_str();

        // Rejecting this combination here makes the "after_flush &&
        // use_iptables_restore" alternative further down unreachable
        // (assuming abort() does not return).
        if (fw->getOptionsObject()->getStr("prolog_place") == "after_flush" &&
            fw->getOptionsObject()->getBool("use_iptables_restore"))
        {
            abort("Prolog place \"after policy reset\" can not be used"
                  " when policy is activated with iptables-restore");
        }

        string firewall_dir = options->getStr("firewall_dir");
        if (firewall_dir=="") firewall_dir="/etc";

        bool debug=options->getBool("debug");
        QString shell_dbg = (debug)?"set -x":"" ;

        std::auto_ptr oscnf;

        string platform_family = Resources::platform_res[platform]->
            getResourceStr("/FWBuilderResources/Target/family");
        string os_family = Resources::os_res[host_os]->
            getResourceStr("/FWBuilderResources/Target/family");

        bool supports_prolog_epilog = Resources::getTargetCapabilityBool(
            platform, "supports_prolog_epilog");

        // Marking both as done disables every prolog/epilog placement
        // branch below for platforms that do not support them.
        if (!supports_prolog_epilog)
        {
            prolog_done = true;
            epilog_done = true;
        }

        string os_variant = DISTRO;

        /* minimal sanity checking */
        if (os_family == "ipcop")
        {
            os_variant = "ipcop";
            // can't use iptables-restore with ipcop
            fw->getOptionsObject()->setBool("use_iptables_restore", false);
            // ipcop has its own iptables commands that accept packets
            // in states ESTABLISHED,RELATED
            fw->getOptionsObject()->setBool("accept_established", false);
            oscnf = std::auto_ptr(
                new OSConfigurator_ipcop(objdb , fw, false));
        }

        if (os_family == "linux24" ||
            os_family == "openwrt" ||
            os_family == "dd-wrt-nvram" ||
            os_family == "dd-wrt-jffs" ||
            os_family == "sveasoft")
            oscnf = std::auto_ptr(
                new OSConfigurator_linux24(objdb , fw, false));

        if (os_family == "secuwall")
            oscnf = std::auto_ptr(
                new OSConfigurator_secuwall(objdb , fw, false));

        if (oscnf.get()==NULL)
        {
            abort("Unrecognized host OS " + fw->getStr("host_OS") +
                  " (family " + os_family+")");
            return "";
        }

        if (inTestMode()) oscnf->setTestMode();
        if (inEmbeddedMode()) oscnf->setEmbeddedMode();

        oscnf->validateInterfaces();
        oscnf->prolog();

        list all_policies = fw->getByType(Policy::TYPENAME);
        list all_nat = fw->getByType(NAT::TYPENAME);

        int routing_rules_count = 0;
        bool have_ipv4 = false;
        bool have_ipv6 = false;

        // track chains in each table separately. Can we have the same
        // chain in filter and mangle tables ? Would it be the same
        // chain, i.e. do we need to create it only once or do we create
        // it twice, in each table separately ?
        // Using separate trackers we track and create chain in each
        // table separately.
        std::map minus_n_commands_filter;
        std::map minus_n_commands_mangle;
        std::map minus_n_commands_nat;

        vector ipv4_6_runs;

        findImportedRuleSets(fw, all_policies);
        findBranchesInMangleTable(fw, all_policies);
        findImportedRuleSets(fw, all_nat);

        try
        {
            AutomaticRules_ipt auto_rules(fw, persistent_objects);
            auto_rules.addConntrackRule();
            auto_rules.addFailoverRules();
        } catch (FWException &ex)
        {
            abort(ex.toString());
        }

        // assign unique rule ids that later will be used to generate
        // chain names. This should be done after calls to
        // findImportedRuleSets()
        assignUniqueRuleIds(all_policies);
        assignUniqueRuleIds(all_nat);

        // command line options -4 and -6 control address family for which
        // script will be generated. If "-4" is used, only ipv4 part will
        // be generated. If "-6" is used, only ipv6 part will be generated.
        // If neither is used, both parts will be done.
        if (options->getStr("ipv4_6_order").empty() ||
            options->getStr("ipv4_6_order") == "ipv4_first")
        {
            if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
            if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
        }

        if (options->getStr("ipv4_6_order") == "ipv6_first")
        {
            if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
            if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
        }

        // One pass per address family; each pass produces its own
        // "# ================ IPv4/IPv6" section of generated_script.
        for (vector::iterator i=ipv4_6_runs.begin();
             i!=ipv4_6_runs.end(); ++i)
        {
            int policy_af = *i;
            bool ipv6_policy = (policy_af == AF_INET6);

            /* clear chain tracker map only between ipv4/ipv6 runs
               Don't clear it between compiler runs for different
               policy or nat objects for the same address family.
            */
            minus_n_commands_filter.clear();
            minus_n_commands_mangle.clear();
            minus_n_commands_nat.clear();

            /* We need to create and run preprocessor for this address
               family before nat and policy compilers, but if there are
               no nat / policy rules for this address family, we do not
               need preprocessor either.
            */

            // Count rules for each address family
            int nat_count = 0;
            int policy_count = 0;
            for (list::iterator p=all_nat.begin(); p!=all_nat.end(); ++p)
            {
                NAT *nat = NAT::cast(*p);
                if (nat->matchingAddressFamily(policy_af)) nat_count++;
            }
            for (list::iterator p=all_policies.begin();
                 p!=all_policies.end(); ++p)
            {
                Policy *policy = Policy::cast(*p);
                if (policy->matchingAddressFamily(policy_af)) policy_count++;
            }

            if (nat_count || policy_count)
            {
                // NOTE(review): raw new/delete; prep is leaked if
                // compile() throws (the FWException is caught at the
                // bottom of run(), past the delete).
                Preprocessor_ipt* prep = new Preprocessor_ipt(
                    objdb , fw, ipv6_policy);
                prep->setSingleRuleCompileMode(single_rule_id);
                if (inTestMode()) prep->setTestMode();
                if (inEmbeddedMode()) prep->setEmbeddedMode();
                prep->compile();
                delete prep;
            }

            ostringstream automaitc_rules_stream;
            ostringstream automaitc_mangle_stream;
            ostringstream filter_rules_stream;
            ostringstream mangle_rules_stream;
            ostringstream nat_rules_stream;

            bool empty_output = true;

            // First, process branch NAT rulesets, then top NAT ruleset
            // (the top one needs branch_ruleset_to_chain_mapping filled
            // by the branches). process*RuleSet() return true when they
            // produced nothing, hence the negations.
            NAT *top_nat = NULL;
            for (list::iterator p=all_nat.begin(); p!=all_nat.end(); ++p)
            {
                NAT *nat = NAT::cast(*p);
                if (!nat->matchingAddressFamily(policy_af)) continue;
                if (nat->isTop())
                {
                    top_nat = nat;
                    continue;
                }
                if (! processNatRuleSet(
                        fw, nat, single_rule_id,
                        nat_rules_stream,
                        oscnf.get(),
                        policy_af,
                        minus_n_commands_nat)) empty_output = false;
            }

            if (top_nat && ! processNatRuleSet(
                    fw, top_nat, single_rule_id,
                    nat_rules_stream,
                    oscnf.get(),
                    policy_af,
                    minus_n_commands_nat)) empty_output = false;

            // first process all non-top rule sets, then all top rule sets
            for (int all_top = 0; all_top < 2; ++all_top)
            {
                for (list::iterator p=all_policies.begin();
                     p!=all_policies.end(); ++p )
                {
                    Policy *policy = Policy::cast(*p);
                    if (!policy->matchingAddressFamily(policy_af)) continue;
                    if (policy->isTop() && all_top == 0) continue;
                    if (!policy->isTop() && all_top == 1) continue;
                    if (! processPolicyRuleSet(
                            fw, policy, single_rule_id,
                            filter_rules_stream,
                            mangle_rules_stream,
                            automaitc_rules_stream,
                            automaitc_mangle_stream,
                            oscnf.get(),
                            policy_af,
                            minus_n_commands_filter,
                            minus_n_commands_mangle)) empty_output = false;
                }
            }

            if (!empty_output && !single_rule_compile_on)
            {
                if (ipv6_policy)
                {
                    have_ipv6 = true;
                    generated_script += "\n\n";
                    generated_script += "# ================ IPv6\n";
                    generated_script += "\n\n";
                } else
                {
                    have_ipv4 = true;
                    generated_script += "\n\n";
                    generated_script += "# ================ IPv4\n";
                    generated_script += "\n\n";
                }
            }

            generated_script += dumpScript(fw,
                                           automaitc_rules_stream.str(),
                                           automaitc_mangle_stream.str(),
                                           nat_rules_stream.str(),
                                           mangle_rules_stream.str(),
                                           filter_rules_stream.str(),
                                           ipv6_policy);

            if (single_rule_compile_on) generated_script += "\n\n";
        }

        // Routing is compiled once, independent of address family.
        std::auto_ptr routing_compiler(
            new RoutingCompiler_ipt(objdb, fw, false, oscnf.get()));

        RuleSet *routing = RuleSet::cast(fw->getFirstByType(Routing::TYPENAME));
        if (routing)
        {
            routing_compiler->setSourceRuleSet(routing);
            routing_compiler->setRuleSetName(routing->getName());
            routing_compiler->setPersistentObjects(persistent_objects);
            routing_compiler->setSingleRuleCompileMode(single_rule_id);
            routing_compiler->setDebugLevel( dl );
            if (rule_debug_on) routing_compiler->setDebugRule(drr);
            routing_compiler->setVerbose( verbose );
            if (inTestMode()) routing_compiler->setTestMode();
            if (inEmbeddedMode()) routing_compiler->setEmbeddedMode();

            if ( (routing_rules_count=routing_compiler->prolog()) > 0 )
            {
                routing_compiler->compile();
                routing_compiler->epilog();
            }

            if (routing_compiler->haveErrorsAndWarnings())
                all_errors.push_back(routing_compiler->getErrors("").c_str());
        }

        /*
         * compilers detach persistent objects when they finish, this
         * means at this point library persistent_objects is not part
         * of any object tree.
         */
        objdb->reparent(persistent_objects);

        if (haveErrorsAndWarnings())
        {
            all_errors.push_front(getErrors("").c_str());
        }

        // Single-rule mode: hand the text back instead of writing a file.
        if (single_rule_compile_on)
        {
            return formSingleRuleCompileOutput(
                QString::fromUtf8(
                    (getErrors("") + generated_script +
                     routing_compiler->getCompiledScript()).c_str()));
        }

        /*
         * These store generated configuration internally, extract it later using
         * OSConfiguration::getGeneratedFiles();
         */
        oscnf->processFirewallOptions();

        /*
         * now write generated scripts to files
         */

        // ctime() output ends with '\n'; it is stripped here.
        // NOTE(review): strdup() may return NULL on allocation failure and
        // is dereferenced unchecked. Also, if abort() below unwinds by
        // throwing (the catch(FWException&) at the end suggests it does),
        // the free(timestr) after the file write is skipped.
        char *timestr = NULL;
        time_t tm;
        struct tm *stm;

        tm = time(NULL);
        stm = localtime(&tm);
        timestr = strdup(ctime(&tm));
        timestr[strlen(timestr)-1] = '\0';

        /*
         * assemble the script and then perhaps post-process it if it
         * should run on Linksys device with sveasoft firmware
         */
        Configlet script_skeleton(fw, "linux24", "script_skeleton");
        script_skeleton.removeComments();

        QString script_buffer;
        QTextStream script(&script_buffer, QIODevice::WriteOnly);

        /*
         * text comes from the compiler in UTF-8 (because all comments
         * and object names are stored in UTF-8 in objects and
         * compilers do not decode). We have a choice: 1) apply
         * QString::fromUtf8() to all strings coming from the compiler
         * to convert to Unicode and rely on QTextStream to convert
         * back to UTF-8 in the generated file, or 2) leavle strings
         * coming from compilers as-is and tell the stream to not
         * covert.
         */

        script_buffer = "";
        script_skeleton.setVariable("shell_debug", shell_dbg);

        // The generated script puts the standard system directories in
        // front of whatever PATH it inherits, so iptables/ip/logger
        // resolve from /sbin, /usr/sbin, ... first; the caller's PATH is
        // still appended after them.
        script << "PATH=\"/sbin:/usr/sbin:/bin:/usr/bin:${PATH}\"" << "\n";
        script << "export PATH" << "\n";
        script_skeleton.setVariable("path", script_buffer);
        script_buffer = "";

        Configlet script_constants(fw, "linux24", "constants");
        script_skeleton.setVariable("constants", script_constants.expand());

        /*
         * print definitions for variables IPTABLES, IP, LOGGER. Some
         * day we may add a choice of os_variant in the GUI. Right now
         * paths are either default for a given os_variant, or custom
         * strings entered by user in the GUI and stored in firewall
         * options.
         */
        script_skeleton.setVariable("tools",
                                    oscnf->printPathForAllTools(os_variant).c_str());
        script_skeleton.setVariable("shell_functions",
                                    oscnf->printShellFunctions(have_ipv6).c_str());
        script_skeleton.setVariable("run_time_address_tables",
                                    oscnf->printRunTimeAddressTablesCode().c_str());
        script_skeleton.setVariable("using_ipset", oscnf->usingIpSetModule());

        if (supports_prolog_epilog)
        {
            //script_skeleton.setVariable("prolog_epilog",
            //                            oscnf->printPrologEpilogFunctions().c_str());

            // prolog_script / epilog_script are free-form shell fragments
            // the user entered in the firewall options; they are placed
            // into the script as-is (the configlet presumably does not
            // quote them). They are trusted by design: whoever edits the
            // .fwb file already controls the firewall configuration.
            script_skeleton.setVariable(
                "prolog_script",
                fw->getOptionsObject()->getStr("prolog_script").c_str());
            script_skeleton.setVariable(
                "epilog_script",
                fw->getOptionsObject()->getStr("epilog_script").c_str());
        }

        ostringstream ostr;
        ostr << "# Configure interfaces" << endl;
        if ( options->getBool("configure_bonding_interfaces") )
            ostr << oscnf->printBondingInterfaceConfigurationCommands();
        if ( options->getBool("configure_vlan_interfaces"))
            ostr << oscnf->printVlanInterfaceConfigurationCommands();
        if ( options->getBool("configure_bridge_interfaces") )
            ostr << oscnf->printBridgeInterfaceConfigurationCommands();
        if ( options->getBool("configure_interfaces") ||
             options->getBool("manage_virtual_addr"))
        {
            if ( options->getBool("configure_interfaces"))
                ostr << oscnf->printInterfaceConfigurationCommands();
            else
                ostr << oscnf->printVirtualAddressesForNatCommands();
        }
        ostr << oscnf->printCommandsToClearKnownInterfaces();
        ostr << oscnf->printDynamicAddressesConfigurationCommands();
        script_skeleton.setVariable(
            "configure_interfaces", indent(4, QString(ostr.str().c_str())));

        // verify_interfaces checks bridge interfaces so run it
        // after those have been created
        if (options->getBool("verify_interfaces"))
        {
            list l2=fw->getByType(Interface::TYPENAME);
            if (l2.empty() )
                script_skeleton.setVariable("verify_interfaces", QString());
            else
                script_skeleton.setVariable("verify_interfaces",
                                            oscnf->printVerifyInterfacesCommands().c_str());
        } else
            script_skeleton.setVariable("verify_interfaces", QString());

        string prolog_place = fw->getOptionsObject()->getStr("prolog_place");
        if (prolog_place == "") prolog_place="top";

        /* there is no way to stick prolog commands between iptables
         * reset and iptables rules if we use iptables-restore to
         * activate policy. Therefore, if prolog needs to be ran after
         * iptables flush and we use iptables-restore, we run prolog
         * on top of the script.
         */
        // Exactly one of prolog_top / prolog_after_interfaces /
        // prolog_after_flush is set to 1; prolog_done guards against a
        // second placement. The "after_flush && use_iptables_restore"
        // alternative can not be reached because run() rejected that
        // combination at the top.
        if (!prolog_done &&
            (prolog_place == "top" ||
             (prolog_place == "after_flush" &&
              fw->getOptionsObject()->getBool("use_iptables_restore"))))
        {
            script_skeleton.setVariable("prolog_top", 1);
            script_skeleton.setVariable("prolog_after_interfaces", 0);
            script_skeleton.setVariable("prolog_after_flush", 0);
            prolog_done = true;
        }

        if (!prolog_done && prolog_place == "after_interfaces")
        {
            script_skeleton.setVariable("prolog_top", 0);
            script_skeleton.setVariable("prolog_after_interfaces", 1);
            script_skeleton.setVariable("prolog_after_flush", 0);
            prolog_done = true;
        }

        if (!prolog_done && prolog_place == "after_flush")
        {
            script_skeleton.setVariable("prolog_top", 0);
            script_skeleton.setVariable("prolog_after_interfaces", 0);
            script_skeleton.setVariable("prolog_after_flush", 1);
            prolog_done = true;
        }

        script_skeleton.setVariable("load_modules",
                                    oscnf->generateCodeForProtocolHandlers().c_str());
        script_skeleton.setVariable("load_modules_with_nat",
                                    (have_nat)?"nat":"");
        script_skeleton.setVariable("load_modules_with_ipv6",
                                    (have_ipv6)?"ipv6":"");

        script_skeleton.setVariable("ip_forward_commands",
                                    oscnf->printIPForwardingCommands().c_str());

        /*
         * script body begins here
         */
        script_buffer = "";

        if (oscnf->haveErrorsAndWarnings())
        {
            all_errors.push_back(oscnf->getErrors("").c_str());
        }

        // convert from UTF8 to make sure localized comments are shown correctly
        // script << oscnf->getCompiledScript().c_str();
        // script << generated_script.c_str();
        // script << routing_compiler->getCompiledScript().c_str();
        script << QString::fromUtf8(oscnf->getCompiledScript().c_str());
        script << QString::fromUtf8(generated_script.c_str());
        script << QString::fromUtf8(routing_compiler->getCompiledScript().c_str());
        script << endl;

        script_skeleton.setVariable("script_body", indent(4, script_buffer));

        script_skeleton.setVariable("timestamp", timestr);
        // NOTE(review): tzname has two entries, but the C standard only
        // specifies tm_isdst as "positive" when DST is in effect and
        // negative when unknown; any value other than 0 or 1 would index
        // past tzname.
        script_skeleton.setVariable("tz", tzname[stm->tm_isdst]);
        script_skeleton.setVariable("user", user_name);
        script_skeleton.setVariable("database", objdb->getFileName().c_str());

        /*
         * Call reset_all function to flush and reset iptables, but only
         * do this if we do not use iptables_restore. Reset is done as part
         * of iptables-restore script in the latter case and commands are
         * added in PolicyCompiler_ipt::flushAndSetDefaultPolicy()
         */
        script_skeleton.setVariable("not_using_iptables_restore",
                                    ! fw->getOptionsObject()->getBool("use_iptables_restore"));
        script_buffer = "";
        if (have_ipv4) script << " reset_iptables_v4" << endl;
        if (have_ipv6) script << " reset_iptables_v6" << endl;
        script_skeleton.setVariable("reset_all", script_buffer);
        script_buffer = "";

        Configlet block_action(fw, "linux24", "block_action");
        if (XMLTools::version_compare(fw_version, "1.4.20") >= 0)
            block_action.setVariable("opt_wait", "-w");
        else
            block_action.setVariable("opt_wait", "");
        block_action.collapseEmptyStrings(true);

        // the name of the option is historical (including the typo)
        if (fw->getOptionsObject()->getBool("add_mgmt_ssh_rule_when_stoped"))
        {
            // A throw-away policy compiler (no OS configurator, no chain
            // tracker) is used only to print the backup SSH access rules.
            // NOTE(review): print_rule is never deleted; if
            // createPrintRuleProcessor() allocates, it leaks here.
            std::auto_ptr policy_compiler =
                createPolicyCompiler(fw, false, NULL, NULL);
            PolicyCompiler_ipt::PrintRule* print_rule =
                policy_compiler->createPrintRuleProcessor();
            print_rule->setContext(policy_compiler.get());
            print_rule->_printBackupSSHAccessRules(&block_action);
        } else
        {
            block_action.setVariable("mgmt_access", 0);
        }
        script_skeleton.setVariable("block_action", block_action.expand());

        Configlet stop_action(fw, "linux24", "stop_action");
        stop_action.collapseEmptyStrings(true);
        stop_action.setVariable("have_ipv4", have_ipv4);
        stop_action.setVariable("have_ipv6", have_ipv6);
        if (XMLTools::version_compare(fw_version, "1.4.20") >= 0)
            stop_action.setVariable("opt_wait", "-w");
        else
            stop_action.setVariable("opt_wait", "");
        script_skeleton.setVariable("stop_action", stop_action.expand());

        Configlet status_action(fw, "linux24", "status_action");
        status_action.collapseEmptyStrings(true);
        script_skeleton.setVariable("status_action", status_action.expand());

        Configlet top_comment(fw, "linux24", "top_comment");
        top_comment.setVariable("version", VERSION);
        top_comment.setVariable("timestamp", timestr);
        top_comment.setVariable("tz", tzname[stm->tm_isdst]);
        top_comment.setVariable("user", user_name);
        top_comment.setVariable("database", objdb->getFileName().c_str());

        determineOutputFileNames(cluster, fw, !cluster_id.empty(),
                                 QStringList(""), QStringList("fw"),
                                 QStringList("script_name_on_firewall"));

        // Manifest: first entry is the script itself, marked with "*".
        script_buffer = "";
        script << MANIFEST_MARKER << "* "
               << this->escapeFileName(file_names[FW_FILE]);
        if (!remote_file_names[FW_FILE].isEmpty())
            script << " " << this->escapeFileName(remote_file_names[FW_FILE]);
        script << "\n";

        /* Add additional files to manifest if specified. Currently there
         * are no GUI controls to let user provide alternative names for
         * these on the firewall. See description of manifest format in
         * comments in src/gui/FirewallInstaller.cpp
         */
        map file_list = oscnf->getGeneratedFiles();
        if (!file_list.empty())
        {
            info(" Adding additional files to manifest");
            map::const_iterator c_iter = file_list.begin();
            for (; c_iter != file_list.end(); ++c_iter)
            {
                string name = c_iter->first;
                string dest = c_iter->second;
                // NOTE(review): unlike every other path written to the
                // manifest, dest is not passed through escapeFileName();
                // with a single space separating name and dest, a
                // destination containing whitespace is ambiguous.
                script << MANIFEST_MARKER << this->escapeFileName(name.c_str());
                if (!dest.empty()) script << " " << dest;
                script << "\n";
            }
        }

        top_comment.setVariable("manifest", script_buffer);
        top_comment.setVariable("platform", platform.c_str());
        top_comment.setVariable("fw_version", fw_version.c_str());
        // NOTE(review): the object comment and the error list are free
        // text dropped into a shell script; this relies on prepend()
        // (defined elsewhere) prefixing EVERY line with "# ". If it only
        // touched the first line, an embedded newline would end the
        // shell comment and the remainder would execute on the firewall.
        top_comment.setVariable("comment",
                                prepend("# ", fw->getComment().c_str()));

        script_skeleton.setVariable("top_comment", top_comment.expand());

        script_skeleton.setVariable("errors_and_warn
ings",
                                    prepend("# ", all_errors.join("\n")));

        info("Output file name: " + file_names[FW_FILE].toStdString());

        QFile fw_file(file_names[FW_FILE]);
        if (fw_file.open(QIODevice::WriteOnly))
        {
            QTextStream fw_str(&fw_file);
            fw_str << script_skeleton.expand();
            fw_file.close();
            // NOTE(review): the file is presumably created under the
            // process umask and then set to 0755, i.e. world readable.
            // It embeds the complete rule set, the .fwb file name and the
            // compiling user's name; on a shared host consider dropping
            // ReadOther/ExeOther.
            fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner |
                                   QFile::ReadGroup | QFile::ReadOther |
                                   QFile::ExeOwner  | QFile::ExeGroup |
                                   QFile::ExeOther );
            info(" Compiled successfully");
        } else
        {
            QString err(" Failed to open file %1 for writing: %2; Current dir: %3");
            abort(err.arg(fw_file.fileName())
                  .arg(fw_file.error()).arg(QDir::current().path()).toStdString());
        }

        free(timestr);

        if (!all_errors.isEmpty())
            status = BaseCompiler::FWCOMPILER_WARNING;

    }
    catch (FWException &ex)
    {
        status = BaseCompiler::FWCOMPILER_ERROR;
        return QString::fromUtf8(ex.toString().c_str());
    }

    return "";
}
fwbuilder-5.3.7/src/iptlib/MangleTableCompiler_ipt.cpp000066400000000000000000000142761303637203600230240ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2006 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU
General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "MangleTableCompiler_ipt.h" #include "OSConfigurator_linux24.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string MangleTableCompiler_ipt::myPlatformName() { return "iptables"; } int MangleTableCompiler_ipt::prolog() { return PolicyCompiler_ipt::prolog(); } bool MangleTableCompiler_ipt::keepMangleTableRules::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; FWOptions *ruleopt = rule->getOptionsObject(); PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); string ruleset_name = compiler->getRuleSetName(); FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject(); if (rulesetopts->getBool("mangle_only_rule_set")) tmp_queue.push_back(rule); else { if (rule->getAction() == PolicyRule::Branch && ruleopt->getBool("ipt_branch_in_mangle")) { PolicyRule* r; // this is a branching rule for mangle table. 
Need to put it // into PREROUTING and POSTROUTING chains as well because some // targets that work with mangle table can only go into these // chains, yet we do not know what kind of rules will user // place in the branch if (rule->getDirection()==PolicyRule::Undefined || rule->getDirection()==PolicyRule::Both || rule->getDirection()==PolicyRule::Inbound) { r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("ipt_chain","PREROUTING"); tmp_queue.push_back(r); } if (rule->getDirection()==PolicyRule::Undefined || rule->getDirection()==PolicyRule::Both || rule->getDirection()==PolicyRule::Outbound) { r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("ipt_chain","POSTROUTING"); tmp_queue.push_back(r); } // ticket #1415 User reports that only packets that went // through the FORWARD chain can match inbound "-i" and // outbound "-o" interface at the same time. Since we do // not allow both in and out interface matches in one rule // and have to use branch to do this, need to branch in // FORWARD chain as well so that inbound interface can be // matched in the branching rule and outbound interface // can be matched in a rule in the branch // // This is ugly, this means the branch will inspect the // packet at least twice - in PREROUTING and FORWARD, or // FORWARD and POSTROUTING chains. // // I mention above that some targets can only be used in // PREROUTING or POSTROUTING chains. It would help if // these tagrets worked in FORWARD chain, in that case we // could just branch in FORWARD instead of all thress chains. 
// r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("ipt_chain","FORWARD"); tmp_queue.push_back(r); // tmp_queue.push_back(rule); return true; } if (rule->getTagging() || rule->getRouting() || rule->getClassification() || ruleopt->getBool("put_in_mangle_table")) tmp_queue.push_back(rule); } return true; } void MangleTableCompiler_ipt::addRuleFilter() { add(new keepMangleTableRules("keep only rules that require mangle table")); } string MangleTableCompiler_ipt::flushAndSetDefaultPolicy() { return ""; } // mangle table compiler is special, it needs additional parameters to // generate automatic rules correctly. But virtual function // printAutomaticRules() has no parameters so we have another one // that takes parameters: printAutomaticRulesForMangleTable() string MangleTableCompiler_ipt::printAutomaticRules() { return ""; } string MangleTableCompiler_ipt::printAutomaticRulesForMangleTable( bool have_connmark, bool have_connmark_in_output) { ostringstream res; PolicyCompiler_ipt::PrintRule *prp = createPrintRuleProcessor(); // res << prp->_declareTable(); if (have_connmark) { res << prp->_startRuleLine() << "PREROUTING -j CONNMARK --restore-mark" << prp->_endRuleLine(); } if (have_connmark_in_output) { res << prp->_startRuleLine() << "OUTPUT -j CONNMARK --restore-mark" << prp->_endRuleLine(); res << endl; } // iptables accepted TCPMSS target in filter table, FORWARD chain // in the older versions, but requires it to be in mangle filter // starting somewhere 1.3.x string version = fw->getStr("version"); if (XMLTools::version_compare(version, "1.3.0")>=0) res << prp->_clampTcpToMssRule(); delete prp; return res.str(); } fwbuilder-5.3.7/src/iptlib/MangleTableCompiler_ipt.h000066400000000000000000000041311303637203600224600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU 
General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __MANGLETABLECOMPILER_IPT_HH #define __MANGLETABLECOMPILER_IPT_HH #include #include "PolicyCompiler_ipt.h" namespace fwcompiler { class MangleTableCompiler_ipt : public PolicyCompiler_ipt { protected: virtual std::string myPlatformName(); /** * this processor drops all rules except for those that require mangle table */ DECLARE_POLICY_RULE_PROCESSOR(keepMangleTableRules); friend class keepMangleTableRules; public: MangleTableCompiler_ipt(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf, std::map *m_n_cmd_map ) : PolicyCompiler_ipt(_db, fw, ipv6_policy, _oscnf, m_n_cmd_map) { my_table = "mangle"; } virtual int prolog(); virtual void addRuleFilter(); virtual std::string flushAndSetDefaultPolicy(); virtual std::string printAutomaticRules(); std::string printAutomaticRulesForMangleTable( bool have_connmark, bool have_connmark_in_output); }; } #endif fwbuilder-5.3.7/src/iptlib/NATCompiler_PrintRule.cpp000066400000000000000000000602531303637203600224210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NATCompiler_ipt.h" #include "OSConfigurator_linux24.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Resources.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/XMLTools.h" #include "combinedAddress.h" #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ /* * Prints single --option with argument and negation "!" * taking into account the change that happened in iptables 1.4.3.1 * that causes warning * Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`). 
*/ string NATCompiler_ipt::PrintRule::_printSingleOptionWithNegation( const string &option, RuleElement *rel, const string &arg) { ostringstream ostr; if (XMLTools::version_compare(version, "1.4.3")>=0) { ostr << _printSingleObjectNegation(rel); ostr << option << " "; ostr << arg << " "; } else { ostr << option << " "; ostr << _printSingleObjectNegation(rel); ostr << arg << " "; } return ostr.str(); } void NATCompiler_ipt::PrintRule::initializeMinusNTracker() { NATCompiler_ipt *ipt_comp = dynamic_cast(compiler); for (list::const_iterator i = NATCompiler_ipt::getStandardChains().begin(); i != NATCompiler_ipt::getStandardChains().end(); ++i) { (*(ipt_comp->minus_n_commands))[*i] = true; } minus_n_tracker_initialized = true; } /* * Initialize some internal variables. Need to do this in a separate * method because pointer to the compiler object is set by * RuleProcessor::setContext and is not available in constructor. */ void NATCompiler_ipt::PrintRule::initialize() { // retrieve and save version for _printSingleOptionWithNegation and others version = compiler->fw->getStr("version"); } /* * check and create new chain if needed */ string NATCompiler_ipt::PrintRule::_createChain(const string &chain) { NATCompiler_ipt *ipt_comp = dynamic_cast(compiler); ostringstream res; if (!minus_n_tracker_initialized) initializeMinusNTracker(); if ( ipt_comp->minus_n_commands->count(chain)==0 ) { string opt_wait; if (XMLTools::version_compare(version, "1.4.20")>=0) opt_wait = "-w "; else opt_wait = ""; string ipt_cmd = (ipt_comp->ipv6) ? "$IP6TABLES " : "$IPTABLES "; res << ipt_cmd << opt_wait << "-t nat -N " << chain << endl; (*(ipt_comp->minus_n_commands))[chain] = true; } return res.str(); } string NATCompiler_ipt::PrintRule::_startRuleLine() { NATCompiler_ipt *ipt_comp = dynamic_cast(compiler); string res = (ipt_comp->ipv6) ? 
"$IP6TABLES " : "$IPTABLES "; string opt_wait; if (XMLTools::version_compare(version, "1.4.20")>=0) opt_wait = "-w "; else opt_wait = ""; return res + opt_wait + string("-t nat -A "); } string NATCompiler_ipt::PrintRule::_endRuleLine() { return string("\n"); } string NATCompiler_ipt::PrintRule::_printRuleLabel(NATRule *rule) { ostringstream res; bool nocomm = Resources::os_res[compiler->fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_comments"); // TODO: convert this into virtual function NATCompiler_ipt::printComment() string rl=rule->getLabel(); if (rl != current_rule_label) { if (!compiler->inSingleRuleCompileMode() && !nocomm) { res << "# " << endl; res << "# Rule " << rl << endl; res << "# " << endl; } res << "echo " << _quote(string("Rule ")+rl) << endl; res << "# " << endl; /* do not put comment in the script if it is intended for linksys */ if (!nocomm || compiler->inSingleRuleCompileMode()) { QStringList comm = QString(rule->getComment().c_str()).split("\n", QString::SkipEmptyParts); foreach(QString line, comm) { res << "# " << line.toStdString() << endl; } //res << "# " << endl; string err = compiler->getErrorsForRule(rule, "# "); if (!err.empty()) res << err << endl; } current_rule_label=rl; } // string err = rule->getCompilerMessage(); // if (!err.empty()) res << "# " << err << endl; return res.str(); } /* * check and create new chain if needed */ QString NATCompiler_ipt::PrintRule::getInterfaceName(RuleElement *itf_re) { if (itf_re->isAny()) return ""; FWObject *iface = FWObjectReference::getObject(itf_re->front()); QString iface_name = iface->getName().c_str(); if (iface_name.endsWith("*")) iface_name.replace("*", "+"); return iface_name; } /** *----------------------------------------------------------------------- */ string NATCompiler_ipt::PrintRule::_printChainDirectionAndInterface(NATRule *rule) { QStringList res; RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL); 
RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL); QString iface_in_name = getInterfaceName(itf_in_re); QString iface_out_name = getInterfaceName(itf_out_re); if (rule->getStr(".iface_in") == "nil") iface_in_name = ""; if (rule->getStr(".iface_out") == "nil") iface_out_name = ""; res << rule->getStr("ipt_chain").c_str(); if ( ! iface_in_name.isEmpty()) { res << _printSingleOptionWithNegation( "-i", itf_in_re, iface_in_name.toStdString()).c_str(); } if ( ! iface_out_name.isEmpty()) { res << _printSingleOptionWithNegation( "-o", itf_out_re, iface_out_name.toStdString()).c_str(); } res << ""; return res.join(" ").toStdString(); } string NATCompiler_ipt::PrintRule::_printProtocol(Service *srv) { std::ostringstream ostr; // CustomService returns protocol name starting with v3.0.4 // However CustomService can return protocol name "any", which we should // just skip. if (CustomService::isA(srv)) { // check if the code string for this custom service already includes // "-p proto" fragment string code = CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName()); std::size_t minus_p = code.find("-p "); if (minus_p != string::npos) return ""; string pn = srv->getProtocolName(); if (pn == "any") return ""; } if (!srv->isAny() && !TagService::isA(srv) && !UserService::isA(srv)) { string pn = srv->getProtocolName(); if (pn=="ip") pn="all"; ostr << "-p " << pn << " "; if (pn == "tcp") ostr << "-m tcp "; if (pn == "udp") ostr << "-m udp "; if (pn == "icmp") ostr << "-m icmp "; } return ostr.str(); } string NATCompiler_ipt::PrintRule::_printMultiport(NATRule *rule) { std::ostringstream ostr; if( rule->getBool("ipt_multiport")) ostr << "-m multiport "; return ostr.str(); } string NATCompiler_ipt::PrintRule::_printOPorts(int rs,int re) { std::ostringstream ostr; if (rs<0) rs=0; if (re<0) re=0; if (rs>0 || re>0) { if (rs==re) ostr << rs; else if (rs==0 && re!=0) ostr << ":" << re; else ostr << rs << ":" << re; } return ostr.str(); } string 
NATCompiler_ipt::PrintRule::_printTPorts(int rs,int re) { std::ostringstream ostr; if (rs<0) rs=0; if (re<0) re=0; if (rs>0 || re>0) { if (rs==re) ostr << rs; else if (rs==0 && re!=0) ostr << "-" << re; else ostr << rs << "-" << re; } return ostr.str(); } string NATCompiler_ipt::PrintRule::_printICMP(ICMPService *srv) { std::ostringstream ostr; if (ICMPService::isA(srv) && srv->getInt("type")!=-1) { ostr << srv->getStr("type"); if (srv->getInt("code")!=-1) ostr << "/" << srv->getStr("code") << " "; } return ostr.str(); } string NATCompiler_ipt::PrintRule::_printIP(IPService *srv) { std::ostringstream ostr; if (IPService::isA(srv) ) { if (srv->getBool("fragm") || srv->getBool("short_fragm")) ostr << "-f "; if (srv->getBool("lsrr") || srv->getBool("ssrr") || srv->getBool("rr") || srv->getBool("ts") ) ostr << " -m ipv4options "; if (srv->getBool("lsrr")) ostr << " --lsrr"; if (srv->getBool("ssrr")) ostr << " --ssrr"; if (srv->getBool("rr")) ostr << " --rr"; if (srv->getBool("ts")) ostr << " --ts"; } return ostr.str(); } string NATCompiler_ipt::PrintRule::_printSrcPorts(Service *srv) { std::ostringstream ostr; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs=TCPUDPService::cast(srv)->getSrcRangeStart(); int re=TCPUDPService::cast(srv)->getSrcRangeEnd(); ostr << _printOPorts(rs,re); } return ostr.str(); } string NATCompiler_ipt::PrintRule::_printDstPorts(Service *srv) { std::ostringstream ostr; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs=TCPUDPService::cast(srv)->getDstRangeStart(); int re=TCPUDPService::cast(srv)->getDstRangeEnd(); ostr << _printOPorts(rs,re); } return ostr.str(); } string NATCompiler_ipt::PrintRule::_printSNATPorts(Service *srv) { std::ostringstream ostr; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs=TCPUDPService::cast(srv)->getSrcRangeStart(); int re=TCPUDPService::cast(srv)->getSrcRangeEnd(); ostr << _printTPorts(rs,re); } return ostr.str(); } string NATCompiler_ipt::PrintRule::_printDNATPorts(Service *srv) { 
std::ostringstream ostr; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs=TCPUDPService::cast(srv)->getDstRangeStart(); int re=TCPUDPService::cast(srv)->getDstRangeEnd(); ostr << _printTPorts(rs,re); } return ostr.str(); } /* * we made sure that all services in rel represent the same protocol */ string NATCompiler_ipt::PrintRule::_printSrcService(RuleElementOSrv *rel) { std::ostringstream ostr; /* I do not want to use rel->getFirst because it traverses the tree to * find the object. I'd rather use a cached copy in the compiler */ FWObject *o=rel->front(); if (o && FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *srv= Service::cast(o); if (rel->size()==1) { if (UDPService::isA(srv) || TCPService::isA(srv)) { string str=_printSrcPorts( srv ); if (! str.empty() ) ostr << "--sport " << str << " "; } } else { /* use multiport */ string str; bool first=true; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast( o ); assert(s); if (UDPService::isA(srv) || TCPService::isA(srv)) { if (!first) str+=","; str+= _printSrcPorts( s ); if (!str.empty()) first=false; } } if ( !str.empty() ) { if (version.empty() || version=="ge_1.2.6" || XMLTools::version_compare(version, "1.2.6")>=0) ostr << "--sports "; else ostr << "--source-port "; ostr << str << " "; } } return ostr.str(); } string NATCompiler_ipt::PrintRule::_printDstService(RuleElementOSrv *rel) { std::ostringstream ostr; FWObject *o=rel->front(); if (o && FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *srv= Service::cast(o); if (rel->size()==1) { if (UDPService::isA(srv) || TCPService::isA(srv)) { string str=_printDstPorts( srv ); if (! str.empty() ) ostr << "--dport " << str << " "; } if (ICMPService::isA(srv)) { string str=_printICMP( ICMPService::cast(srv) ); if (! 
str.empty() ) ostr << "--icmp-type " << str << " "; } if (IPService::isA(srv)) { string str=_printIP( IPService::cast(srv) ); if (! str.empty() ) ostr << str << " "; } if (CustomService::isA(srv)) { ostr << CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName() ) << " "; } if (TagService::isA(srv)) { ostr << "-m mark --mark " << TagService::constcast(srv)->getCode() << " "; } } else { /* use multiport */ string str; bool first=true; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast( o ); assert(s); if (UDPService::isA(srv) || TCPService::isA(srv)) { if (!first) str+=","; str+= _printDstPorts( s ); if (!str.empty()) first=false; } } if ( !str.empty() ) { if (version.empty() || version=="ge_1.2.6" || XMLTools::version_compare(version, "1.2.6")>=0) ostr << "--dports "; else ostr << "--destination-port "; ostr << str << " "; } } return ostr.str(); } string NATCompiler_ipt::PrintRule::_printIpSetMatch(Address *o, RuleElement *rel) { NATCompiler_ipt *ipt_comp=dynamic_cast(compiler); string set_name = dynamic_cast(ipt_comp->osconfigurator)->normalizeSetName(o->getName()); string suffix = "dst"; if (RuleElementOSrc::isA(rel)) suffix = "src"; if (RuleElementODst::isA(rel)) suffix = "dst"; string set_match_option; if (XMLTools::version_compare(version, "1.4.4")>=0) set_match_option = "--match-set"; else set_match_option = "--set"; string set_match = set_match_option + " " + set_name + " " + suffix; ostringstream ostr; ostr << "-m set " << _printSingleOptionWithNegation("", rel, set_match); return ostr.str(); } // Note print_mask is true by default, print_range is false by default. 
string NATCompiler_ipt::PrintRule::_printAddr(Address *o, bool , bool print_range) { NATCompiler_ipt *ipt_comp=dynamic_cast(compiler); std::ostringstream ostr; MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL) { if (atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) { ostr << "$" << ipt_comp->getAddressTableVarName(atrt) << " "; return ostr.str(); } if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME) { return atrt->getSourceName(); } // at this time we only support two types of MultiAddress // objects: AddressTable and DNSName. Both should be converted // to MultiAddressRunTime at this point. If we get some other // kind of MultiAddressRunTime object, we do not know what to do // with it so we stop. assert(atrt==NULL); } if (print_range && AddressRange::cast(o)!=NULL) { InetAddr a1 = AddressRange::cast(o)->getRangeStart(); InetAddr a2 = AddressRange::cast(o)->getRangeEnd(); ostr << a1.toString() << "-" << a2.toString(); } else { Interface *iface = Interface::cast(o); if (iface!=NULL && iface->isDyn() && iface->getBool("use_var_address")) { ostr << "$" << ipt_comp->getInterfaceVarName(iface, ipt_comp->ipv6) << " "; return ostr.str(); } const InetAddr* addr = o->getAddressPtr(); const InetAddr* mask = o->getNetmaskPtr(); if (addr==NULL) { compiler->warning( string("Empty inet address in object ") + FWObjectDatabase::getStringId(o->getId())); return ostr.str(); } if (addr->isAny() && mask->isAny()) { ostr << "0/0 "; } else { ostr << addr->toString(); if (Interface::cast(o)==NULL && Address::cast(o)->dimension() > 1 && !mask->isHostMask()) { ostr << "/" << mask->getLength(); } // do not add space after address because there might be // :port spec coming right after it. } } return ostr.str(); } string NATCompiler_ipt::PrintRule::_printSingleObjectNegation( RuleElement *rel) { if (rel->getBool("single_object_negation")) return "! 
"; else return ""; } NATCompiler_ipt::PrintRule::PrintRule(const std::string &name) : NATRuleProcessor(name) { init = true; print_once_on_top = true; minus_n_tracker_initialized = false; } bool NATCompiler_ipt::PrintRule::processNext() { NATCompiler_ipt *ipt_comp = dynamic_cast(compiler); NATRule *rule=getNext(); if (rule==NULL) return false; FWOptions *ropt = rule->getOptionsObject(); string chain = rule->getStr("ipt_chain"); if (ipt_comp->chain_usage_counter[chain] == 0) { return true; } tmp_queue.push_back(rule); compiler->output << _printRuleLabel(rule); string s; std::ostringstream cmdout; compiler->output << _createChain(rule->getStr("ipt_chain")); compiler->output << _createChain(rule->getStr("ipt_target")); RuleElementOSrc *osrcrel = rule->getOSrc(); Address *osrc = compiler->getFirstOSrc(rule); assert(osrc); RuleElementODst *odstrel = rule->getODst(); Address *odst = compiler->getFirstODst(rule); assert(odst); RuleElementOSrv *osrvrel=rule->getOSrv(); Service *osrv = compiler->getFirstOSrv(rule); assert(osrv); Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc); Address *tdst = compiler->getFirstTDst(rule); assert(tdst); Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv); cmdout << _startRuleLine(); cmdout << _printChainDirectionAndInterface(rule); if (! osrv->isAny() ) cmdout << _printProtocol(osrv); cmdout << _printMultiport(rule); if (!osrc->isAny()) { string physaddress=""; if (physAddress::isA(osrc)) physaddress= physAddress::cast(osrc)->getPhysAddress(); if (combinedAddress::isA(osrc)) physaddress= combinedAddress::cast(osrc)->getPhysAddress(); if ( ! 
physaddress.empty()) { cmdout << " -m mac --mac-source " << physaddress; } const InetAddr *osrc_addr = osrc->getAddressPtr(); if (osrc_addr==NULL || !osrc_addr->isAny()) { MultiAddressRunTime *atrt = MultiAddressRunTime::cast(osrc); if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME && ipt_comp->using_ipset) { cmdout << _printIpSetMatch(osrc, osrcrel); } else { string osrc_out = _printAddr(osrc); if (!osrc_out.empty()) cmdout << _printSingleOptionWithNegation(" -s", osrcrel, osrc_out); } } // cmdout << " -s "; // cmdout << _printAddr(osrc); } if (!osrv->isAny()) { cmdout << " "; cmdout << _printSrcService(osrvrel); } if (!odst->isAny()) { MultiAddressRunTime *atrt = MultiAddressRunTime::cast(odst); if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME && ipt_comp->using_ipset) { cmdout << _printIpSetMatch(odst, odstrel); } else cmdout << _printSingleOptionWithNegation(" -d", odstrel, _printAddr(odst)); } cmdout << " "; cmdout << _printDstService(osrvrel); cmdout << "-j " << rule->getStr("ipt_target") << " "; switch (rule->getRuleType()) { case NATRule::Masq: if (ropt->getBool("ipt_nat_random")) cmdout << " --random"; break; case NATRule::SNAT: if (rule->getStr("ipt_target")=="SNAT") { cmdout << "--to-source "; // if TSrc is "any" and this is SNAT rule, then this rule only // translates source port. Skip address part. // Note for #1693: _printAddr() returns string that ends with a space, // but there should be no space if the address is followed by port // spec. 
QString addr_part; if (!tsrc->isAny()) { addr_part = _printAddr(tsrc, false, true).c_str(); } string ports = _printSNATPorts(tsrv); if (!ports.empty()) { cmdout << addr_part.trimmed().toStdString() << ":" << ports; } else cmdout << addr_part.toStdString(); if (ropt->getBool("ipt_nat_random")) cmdout << " --random"; if (XMLTools::version_compare(version, "1.4.3")>=0) if (ropt->getBool("ipt_nat_persistent")) cmdout << " --persistent"; } break; /* * if rule type is DNAT and TDst is any, this rule only does port * translation and does not change addresses. Iptables accepts * "--to-destination :80" (no address in front of the ':') and seems * to do the right thing. */ case NATRule::DNAT: if (rule->getStr("ipt_target")=="DNAT") { cmdout << "--to-destination "; // if TDst is "any" and this is DNAT rule, then this rule only // translates source port. Skip address part. QString addr_part; if (!tdst->isAny()) addr_part = _printAddr(tdst, false, true).c_str(); string ports = _printDNATPorts(tsrv); if (!ports.empty()) { cmdout << addr_part.trimmed().toStdString() << ":" << ports; } else { cmdout << addr_part.toStdString(); } if (ropt->getBool("ipt_nat_random")) cmdout << " --random"; if (XMLTools::version_compare(version, "1.4.3")>=0) if (ropt->getBool("ipt_nat_persistent")) cmdout << " --persistent"; } break; case NATRule::SNetnat: if (rule->getStr("ipt_target")=="NETMAP") { cmdout << "--to "; cmdout << _printAddr(tsrc,true,false); } break; case NATRule::DNetnat: if (rule->getStr("ipt_target")=="NETMAP") { cmdout << "--to "; cmdout << _printAddr(tdst,true,false); } break; case NATRule::Redirect: if (rule->getStr("ipt_target")=="REDIRECT") { string ports=_printDNATPorts(tsrv); if (!ports.empty()) cmdout << "--to-ports " << ports; } break; case NATRule::NATBranch: break; default: break; } cmdout << " "; cmdout << _endRuleLine(); // cmdout << endl; compiler->output << dynamic_cast(compiler->osconfigurator)-> printRunTimeWrappers( rule, cmdout.str(), ipt_comp->ipv6); return true; 
} string NATCompiler_ipt::PrintRule::_declareTable() { return ""; } string NATCompiler_ipt::PrintRule::_commit() { return ""; } string NATCompiler_ipt::PrintRule::_quote(const string &s) { return "\"" + s + "\""; } fwbuilder-5.3.7/src/iptlib/NATCompiler_PrintRuleIptRst.cpp000066400000000000000000000053111303637203600235610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NATCompiler_ipt.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Resources.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ /* * check and create new chain if needed */ string NATCompiler_ipt::PrintRuleIptRst::_createChain(const string &chain) { string res; NATCompiler_ipt *ipt_comp = dynamic_cast(compiler); if (!minus_n_tracker_initialized) initializeMinusNTracker(); if ( ipt_comp->minus_n_commands->count(chain)==0 ) { if ( ! 
compiler->inSingleRuleCompileMode()) res = ":" + chain + " - [0:0]\n"; (*(ipt_comp->minus_n_commands))[chain] = true; } return res; } string NATCompiler_ipt::PrintRuleIptRst::_startRuleLine() { return string("-A "); } string NATCompiler_ipt::PrintRuleIptRst::_endRuleLine() { return string("\n"); } string NATCompiler_ipt::PrintRuleIptRst::_printRuleLabel(NATRule *rule) { bool nocomm = Resources::os_res[compiler->fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_comments"); return compiler->printComment(rule, current_rule_label, "#", nocomm); } bool NATCompiler_ipt::PrintRuleIptRst::processNext() { if (print_once_on_top) { print_once_on_top=false; } return NATCompiler_ipt::PrintRule::processNext(); } string NATCompiler_ipt::PrintRuleIptRst::_declareTable() { ostringstream res; res << "*nat" << endl; return res.str(); } string NATCompiler_ipt::PrintRuleIptRst::_commit() { return "COMMIT\n"; } string NATCompiler_ipt::PrintRuleIptRst::_quote(const string &s) { return "\"" + s + "\""; } fwbuilder-5.3.7/src/iptlib/NATCompiler_PrintRuleIptRstEcho.cpp000066400000000000000000000046721303637203600243710ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NATCompiler_ipt.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Resources.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ /* * check and create new chain if needed */ string NATCompiler_ipt::PrintRuleIptRstEcho::_createChain(const string &chain) { string res; NATCompiler_ipt *ipt_comp = dynamic_cast(compiler); if (!minus_n_tracker_initialized) initializeMinusNTracker(); if ( ipt_comp->minus_n_commands->count(chain)==0 ) { if ( ! compiler->inSingleRuleCompileMode()) res = "echo \":" + chain + " - [0:0]\"\n"; (*(ipt_comp->minus_n_commands))[chain] = true; } return res; } string NATCompiler_ipt::PrintRuleIptRstEcho::_startRuleLine() { return string("echo \"-A "); } string NATCompiler_ipt::PrintRuleIptRstEcho::_endRuleLine() { return string("\"\n"); } bool NATCompiler_ipt::PrintRuleIptRstEcho::processNext() { if (print_once_on_top) { print_once_on_top=false; } return NATCompiler_ipt::PrintRuleIptRst::processNext(); } string NATCompiler_ipt::PrintRuleIptRstEcho::_declareTable() { ostringstream res; res << "echo '*nat'" << endl; return res.str(); } string NATCompiler_ipt::PrintRuleIptRstEcho::_commit() { return "echo COMMIT\n"; } string NATCompiler_ipt::PrintRuleIptRstEcho::_quote(const string &s) { return "\\\"" + s + "\\\""; } fwbuilder-5.3.7/src/iptlib/NATCompiler_ipt.cpp000066400000000000000000002506451303637203600212770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NATCompiler_ipt.h" #include "OSConfigurator_linux24.h" #include "ipt_utils.h" #include "combinedAddress.h" #include "fwcompiler/OSConfigurator.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Host.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Network.h" #include "fwbuilder/ObjectMatcher.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" #include "config.h" #include #include #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; struct subnetInfo { Interface *iface; IPv4 *ipv4; int nmlength; subnetInfo() { iface=NULL; ipv4=NULL; nmlength=0; } subnetInfo(Interface *i,IPv4 *a,int n) { iface=i; ipv4=a; nmlength=n; } }; #if 0 static int chain_no=0; #endif static std::map tmp_chain_no; static std::list standard_chains; const std::list& NATCompiler_ipt::getStandardChains() 
{ if (standard_chains.size()==0) { standard_chains.push_back("POSTROUTING"); standard_chains.push_back("PREROUTING"); standard_chains.push_back("SNAT"); standard_chains.push_back("DNAT"); standard_chains.push_back("MASQUERADE"); standard_chains.push_back("REDIRECT"); standard_chains.push_back("NETMAP"); standard_chains.push_back("LOG"); standard_chains.push_back("MARK"); standard_chains.push_back("ACCEPT"); standard_chains.push_back("REJECT"); standard_chains.push_back("DROP"); standard_chains.push_back("RETURN"); standard_chains.push_back("OUTPUT"); } return standard_chains; } string NATCompiler_ipt::myPlatformName() { return "iptables"; } /* * this function generates acceptable shell variable name from * interface name. Note that * OSConfigurator_linux24::getInterfaceVarName() and * PolicyCompiler_ipt::getInterfaceVarName() do the same thing and * these functions should be identical. * * TODO: really need to have one function for this instead of three in * three different classes. */ string NATCompiler_ipt::getInterfaceVarName(FWObject *iface, bool v6) { ostringstream ostr; string iname=iface->getName(); string::size_type p1; while ( (p1=iname.find("."))!=string::npos) iname=iname.replace(p1,1,"_"); while ( (p1=iname.find("-"))!=string::npos) iname=iname.replace(p1,1,"_"); ostr << "i_" << iname; if (v6) ostr << "_v6"; return ostr.str(); } string NATCompiler_ipt::getAddressTableVarName(FWObject *at) { ostringstream ostr; string name=at->getName(); string::size_type p1; const char *bad_shell_chars = " !#$&*()-+=\\|{}[]?<>,.:"; for (const char *cptr=bad_shell_chars; *cptr; cptr++) { while ( (p1=name.find(*cptr))!=string::npos) name=name.replace(p1,1,"_"); } ostr << "at_" << name; return ostr.str(); } string NATCompiler_ipt::getNewTmpChainName(NATRule *rule) { std::ostringstream str; string chain_id=rule->getUniqueId(); int n=tmp_chain_no[chain_id]; str << "C" << chain_id; str << "." 
<< setw(1) << setfill('0') << n; n++; tmp_chain_no[chain_id]=n; return str.str(); #if 0 std::ostringstream str; str << "ntmp" << setw(3) << setfill('0') << chain_no; chain_no++; return str.str(); #endif } string NATCompiler_ipt::debugPrintRule(Rule *r) { NATRule *rule = NATRule::cast(r); return NATCompiler::debugPrintRule(rule)+ " c=" + rule->getStr("ipt_chain") + " t=" + rule->getStr("ipt_target") + " (type="+rule->getRuleTypeAsString()+")"; } void NATCompiler_ipt::verifyPlatform() { string family = Resources::platform_res[fw->getStr("platform")]-> getResourceStr("/FWBuilderResources/Target/family"); if (family != myPlatformName()) abort("Unsupported platform " + fw->getStr("platform") + " (family " + family + ")"); } int NATCompiler_ipt::prolog() { verifyPlatform(); // initialize counters for the standard chains for (list::const_iterator i = NATCompiler_ipt::getStandardChains().begin(); i != NATCompiler_ipt::getStandardChains().end(); ++i) { chain_usage_counter[*i] = 1; } int n = NATCompiler::prolog(); if ( n>0 ) { list l2=fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); if ( iface->isDyn()) iface->setBool("use_var_address",true); } build_interface_groups(dbcopy, persistent_objects, fw, ipv6, regular_interfaces); } string version = fw->getStr("version"); using_ipset = (XMLTools::version_compare(version, "1.4.1.1") >= 0 && fwopt->getBool("use_m_set")); return n; } void NATCompiler_ipt::_expand_interface(Rule *rule, Interface *iface, std::list &list_result, bool expand_cluster_interfaces_fully) { std::list ol1; Compiler::_expand_interface( rule, iface, ol1, expand_cluster_interfaces_fully); // see utils.cpp expand_interface_with_phys_address(this, rule, iface, ol1, list_result); } bool compare_addresses_ptr(const InetAddr* a1, const InetAddr* a2) { return (*a1 < *a2); } /* * call this processor after classifyNATRules */ bool 
NATCompiler_ipt::ConvertLoadBalancingRules::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); if (rule->getRuleType()==NATRule::LB) { RuleElementTDst *tdst=rule->getTDst(); assert(tdst); list al; for(list::iterator i=tdst->begin(); i!=tdst->end(); i++) { FWObject *o= *i; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); //const InetAddrMask *a = Address::cast(obj)->getAddressObjectInetAddrMask(); const InetAddr *ip_addr = Address::cast(obj)->getAddressPtr(); al.push_back( ip_addr ); } al.sort(compare_addresses_ptr); const InetAddr* a1 = al.front(); list::iterator j=al.begin(); j++; for ( ; j!=al.end(); j++) { /* I use temporary AddressRange object here because it takes care of * big endian/little endian conversion for me */ AddressRange tar; tar.setRangeStart( *a1 ); tar.setRangeEnd( *(*j) ); if ( tar.dimension() != 2 ) { compiler->abort( rule, "Non-contiguous address range in " "Translated Destination in load balancing NAT rule"); } a1 = *j; } AddressRange *ar = compiler->dbcopy->createAddressRange(); ar->setRangeStart( *(al.front()) ); ar->setRangeEnd( *(al.back()) ); ar->setName(string("%")+al.front()->toString() +"-"+al.back()->toString()+"%" ); compiler->persistent_objects->add(ar,false); tdst->clearChildren(); tdst->addRef(ar); rule->setRuleType(NATRule::DNAT); } return true; } /* * This processor should be called after classifyNATRule. Should call * classifyNATRule after this processor again. * * This algorithm is very much specific to iptables. Platforms where * this simple algorithm for SDNAT rules is not appropriate, should * either implement equivalent of this processor using different * algorithm, or should catch SDNAT rules and abort in their own * verifyNATRule processor. 
*/ bool NATCompiler_ipt::splitSDNATRule::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; if ( rule->getRuleType()==NATRule::SDNAT) { // RuleElementOSrc *osrc; RuleElementODst *odst; RuleElementOSrv *osrv; RuleElementTSrc *tsrc; RuleElementTDst *tdst; RuleElementTSrv *tsrv; bool tsrv_translates_src_port = false; bool tsrv_translates_dst_port = false; Service *osrv_obj = compiler->getFirstOSrv(rule); Service *tsrv_obj = compiler->getFirstTSrv(rule); if (TCPUDPService::cast(osrv_obj) && TCPUDPService::cast(tsrv_obj)) { TCPUDPService *tu_osrv = TCPUDPService::cast(osrv_obj); TCPUDPService *tu_tsrv = TCPUDPService::cast(tsrv_obj); tsrv_translates_src_port = (tu_tsrv->getSrcRangeStart() != 0 && tu_tsrv->getDstRangeStart() == 0); tsrv_translates_dst_port = (tu_tsrv->getSrcRangeStart() == 0 && tu_tsrv->getDstRangeStart() != 0); if (tsrv_translates_dst_port && tu_osrv->getDstRangeStart() == tu_tsrv->getDstRangeStart() && tu_osrv->getDstRangeEnd() == tu_tsrv->getDstRangeEnd()) tsrv_translates_dst_port = false; // osrv and tsrv define the same ports if (tsrv_translates_src_port && tu_osrv->getSrcRangeStart() == tu_tsrv->getSrcRangeStart() && tu_osrv->getSrcRangeEnd() == tu_tsrv->getSrcRangeEnd()) tsrv_translates_src_port = false; // osrv and tsrv define the same ports } /* first rule translates destination and may translate service (depends * on the original rule). Set type to Unknown because this may become * DNAT or DNetNat - we will decide later. */ NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); r->setRuleType(NATRule::Unknown); tsrc = r->getTSrc(); tsrc->clearChildren(); tsrc->setAnyElement(); /* this rule translates destination and can't deal with source port * translation. 
Leave that to the second rule */ if (tsrv_translates_src_port) { tsrv = r->getTSrv(); tsrv->clearChildren(); tsrv->setAnyElement(); } tmp_queue.push_back(r); /* the second rule translates source and uses translated object in * ODst. Since the service could have been translated by the first * rule, we use TSrv in OSrv */ r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); r->setRuleType(NATRule::Unknown); /* if original rule involved negation in ODst, it should be processed * in the first of the two rules we create for SDNAT. Negation in OSrc * must be processed in both rules since the first rule does not * change OSrc */ odst = r->getODst(); odst->setNeg(false); odst->clearChildren(); for (FWObject::iterator i=rule->getTDst()->begin(); i!=rule->getTDst()->end(); i++) { FWObject *obj = FWObjectReference::getObject(*i); odst->addRef(obj); } if ( ! rule->getTSrv()->isAny()) { /* * If the first rule in the pair translated service and * changed destination port, we need to match it in the * second rule to only trsnslate source in the packets * that have been processed by the first rule. However * this only applies to the case when destination port has * been translated because the first rule uses DNAT which * can only translate dest. port. So, if TSrv has zero * dest. port range but non-zero source port range, we * should not match it here because in this case no * dest. port translation occurs. If TSrv translates both * source and destination ports, we create new TCP(UDP) * service object with only dest. port part and use it to * match. 
*/ Service *tsrv = compiler->getFirstTSrv(rule); TCPUDPService *tu_tsrv = TCPUDPService::cast(tsrv); if (tu_tsrv && tu_tsrv->getDstRangeStart() != 0) { TCPUDPService *match_service = NULL; if (tu_tsrv->getSrcRangeStart() == 0) { // no source port tranlsation match_service = tu_tsrv; } else { // both source and dest port translation occurs match_service = TCPUDPService::cast( compiler->dbcopy->create(tsrv->getTypeName())); match_service->setName(tsrv->getName() + "_dport"); compiler->persistent_objects->add(match_service); match_service->setDstRangeStart(tu_tsrv->getDstRangeStart()); match_service->setDstRangeEnd(tu_tsrv->getDstRangeEnd()); } osrv = r->getOSrv(); osrv->clearChildren(); osrv->addRef(match_service); } } tdst = r->getTDst(); tdst->clearChildren(); tdst->setAnyElement(); if (tsrv_translates_dst_port) { tsrv = r->getTSrv(); tsrv->clearChildren(); tsrv->setAnyElement(); } tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::VerifyRules::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrc *osrc=rule->getOSrc(); assert(osrc); RuleElementODst *odst=rule->getODst(); assert(odst); RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); RuleElementTSrc *tsrc=rule->getTSrc(); assert(tsrc); RuleElementTDst *tdst=rule->getTDst(); assert(tdst); RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv); if (tsrc->getNeg()) { compiler->abort( rule, "Can not use negation in translated source "); return true; } if (tdst->getNeg()) { compiler->abort( rule, "Can not use negation in translated destination."); return true; } if (tsrv->getNeg()) { compiler->abort( rule, "Can not use negation in translated service."); return true; } if (tsrv->size()!=1) { compiler->abort( rule, "Translated service should be 'Original' or should contain single object."); return true; } if ( Group::cast( compiler->getFirstTSrv(rule) )!=NULL) { compiler->abort( rule, "Can not use group in translated service."); return true; } 
if (rule->getRuleType()==NATRule::LB) { compiler->abort( rule, "Load balancing rules are not supported."); return true; } // Note that in -xt mode and in single rule compile compiler->abort // does not really abort processing if (rule->getRuleType()==NATRule::NATBranch) { RuleSet *branch = rule->getBranch(); if (branch == NULL) { compiler->abort( rule, "Action 'Branch' needs NAT rule set to point to"); return true; } else { if (!NAT::isA(branch)) { compiler->abort( rule, "Action 'Branch' must point to a NAT rule set " "(points to " + branch->getTypeName() + ")"); return true; } } } if (rule->getRuleType()==NATRule::SNAT ) { FWObject *o1 = FWReference::getObject(tsrc->front()); if ( ! tsrc->isAny() && Network::cast(o1)!=NULL) { compiler->abort( rule, "Can not use network object in translated source."); return true; } if (Interface::isA(o1) && Interface::cast(o1)->isUnnumbered()) { compiler->abort( rule, "Can not use unnumbered interface in " "Translated Source of a Source translation rule."); return true; } } if (rule->getRuleType()==NATRule::SNetnat && !tsrc->isAny() ) { Network *a1=Network::cast(compiler->getFirstOSrc(rule)); Network *a2=Network::cast(compiler->getFirstTSrc(rule)); if ( a1==NULL || a2==NULL || a1->getNetmaskPtr()->getLength() != a2->getNetmaskPtr()->getLength() ) { compiler->abort( rule, "Original and translated source should both be networks of the same size."); return true; } } if (rule->getRuleType()==NATRule::DNetnat && !tsrc->isAny() ) { Network *a1=Network::cast(compiler->getFirstODst(rule)); Network *a2=Network::cast(compiler->getFirstTDst(rule)); if ( a1==NULL || a2==NULL || a1->getNetmaskPtr()->getLength() != a2->getNetmaskPtr()->getLength() ) { compiler->abort( rule, "Original and translated destination should both be networks of the same size ."); return true; } } tmp_queue.push_back(rule); return true; } /* * this should be called only after groupServicesByProtocol, so that we have * objects of the same type in OSrv and either "any" or 
a single * object in TSrv */ bool NATCompiler_ipt::VerifyRules2::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; if (rule->getRuleType()!= NATRule::Return) { RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv); Service *s1=compiler->getFirstOSrv(rule); Service *s2=compiler->getFirstTSrv(rule); if (osrv->isAny() && ! tsrv->isAny()) { compiler->abort( rule, "Can not use service object in Translated Service if Original Service is 'Any'."); return true; } if (!tsrv->isAny() && s1->getProtocolName()!=s2->getProtocolName()) { compiler->abort( rule, "Translated Service should be either 'Original' or should contain object of the same type as Original Service."); return true; } } tmp_queue.push_back(rule); return true; } /* * make sure combination of "-i" or "-o" interface spec and chosen chain * is allowed */ bool NATCompiler_ipt::VerifyRules3::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElement *itf_i_re = rule->getItfInb(); assert(itf_i_re!=NULL); RuleElement *itf_o_re = rule->getItfOutb(); assert(itf_o_re!=NULL); if (rule->getRuleType()==NATRule::SNAT && ! itf_i_re->isAny()) { // iptables does not allow "-i" in POSTROUTING chain compiler->abort( rule, "Can not use inbound interface specification with " "rules that translate source because iptables does not " "allow \"-i\" in POSTROUTING chain"); return true; } if (rule->getRuleType()==NATRule::DNAT && ! itf_o_re->isAny()) { // iptables does not allow "-o" in PREROUTING chain compiler->abort( rule, "Can not use outbound interface specification with " "rules that translate destination because iptables does not " "allow \"-o\" in PREROUTING chain"); return true; } string chain = rule->getStr("ipt_chain"); if (chain == "OUTPUT" && ! 
itf_i_re->isAny()) { // iptables does not allow "-i" in POSTROUTING chain compiler->abort( rule, "Can not use inbound interface specification with " "this rule because iptables does not " "allow \"-i\" in OUTPUT chain"); return true; } tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::convertToAtomicportForOSrv::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; if (rule->getOSrv()->size()>1 && ! rule->getTSrv()->isAny()) { RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); for (FWObject::iterator i1=osrv->begin(); i1!=osrv->end(); ++i1) { NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s = r->getOSrv(); assert(s); s->clearChildren(); s->addRef(FWReference::getObject(*i1)); tmp_queue.push_back(r); } } else tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::portTranslationRules::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; Address *odst=compiler->getFirstODst(rule); // Service *osrv=compiler->getFirstOSrv(rule); Address *tsrc=compiler->getFirstTSrc(rule); Address *tdst=compiler->getFirstTDst(rule); Service *tsrv=compiler->getFirstTSrv(rule); if (rule->getRuleType() == NATRule::DNAT && tsrc->isAny() && tdst->isAny() && ! 
tsrv->isAny() && odst->getId()==compiler->fw->getId() ) { rule->getTDst()->addRef( odst ); } tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::specialCaseWithRedirect::processNext() { NATRule *rule = getNext(); if (rule==NULL) return false; Address *tdst = compiler->getFirstTDst(rule); /* we consider rule redirect only if TDst is a firewall object * */ int fw_id = compiler->fw->getId(); int cluster_id = -1; bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member"); Cluster *cluster = NULL; if (cluster_member) { cluster = Cluster::cast( compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id"))); cluster_id = cluster->getId(); } if (rule->getRuleType() == NATRule::DNAT && (tdst->getId() == fw_id || tdst->getId() == cluster_id)) rule->setRuleType(NATRule::Redirect); tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::splitOnODst::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementODst *odst=rule->getODst(); assert(odst); if (rule->getRuleType()==NATRule::DNAT && odst->size()!=1) { for(list::iterator i=odst->begin(); i!=odst->end(); ++i) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Address *a=Address::cast( o ); assert(a); NATRule *r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementODst *nodst=r->getODst(); nodst->clearChildren(); nodst->addRef( a ); tmp_queue.push_back( r ); } } else tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::splitOnOSrv::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); if (osrv->size()!=1) { for(list::iterator i=osrv->begin(); i!=osrv->end(); ++i) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast( o ); assert(s); NATRule *r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); 
r->duplicate(rule); RuleElementOSrv *nosrv=r->getOSrv(); nosrv->clearChildren(); nosrv->addRef( s ); tmp_queue.push_back( r ); } } else tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::fillTranslatedSrv::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); Service *osrv_o=compiler->getFirstOSrv(rule); Service *tsrv_o=compiler->getFirstTSrv(rule); if ( ! osrv_o->isAny() && tsrv_o->isAny() ) { RuleElementTSrv *tsrv=rule->getTSrv(); tsrv->addRef(osrv_o); } return true; } bool NATCompiler_ipt::addVirtualAddress::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member"); Cluster *cluster = NULL; if (cluster_member) cluster = Cluster::cast( compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id"))); Address *a = NULL; if (rule->getRuleType()==NATRule::SNAT || rule->getRuleType()==NATRule::DNAT) { if (rule->getRuleType()==NATRule::SNAT) a = compiler->getFirstTSrc(rule); else a = compiler->getFirstODst(rule); Interface *iface = Interface::cast(a); if (iface && ! iface->isRegular()) return true; if ( ! a->isAny() && ! compiler->complexMatch(a, compiler->fw) && ! compiler->complexMatch(a, cluster)) { if (AddressRange::cast(a)!=NULL) { compiler->warning( rule, string("Adding of virtual address for address range " "is not implemented (object ") + a->getName() + ")" ); } else compiler->osconfigurator->addVirtualAddressForNAT( a ); } return true; } if (rule->getRuleType()==NATRule::SNetnat || rule->getRuleType()==NATRule::DNetnat) { if (rule->getRuleType()==NATRule::SNetnat) a=compiler->getFirstTSrc(rule); else a=compiler->getFirstODst(rule); if ( ! 
a->isAny() && Network::cast(a) ) compiler->osconfigurator->addVirtualAddressForNAT( Network::constcast(a) ); return true; } return true; } bool NATCompiler_ipt::splitRuleIfRuleElementIsDynamicInterface::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElement *re =RuleElement::cast(rule->getFirstByType(re_type)); int nre = re->size(); vector cl; for(list::iterator i=re->begin(); nre>1 && i!=re->end(); ++i) { FWObject *o= *i; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Interface *iface=Interface::cast(obj); if (iface!=NULL && !iface->isRegular()) { cl.push_back(o); // can not remove right now because remove invalidates iterator nre--; NATRule *new_rule= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); RuleElement *new_re=RuleElement::cast(new_rule->getFirstByType(re_type)); new_re->clearChildren(); new_re->setAnyElement(); new_re->addRef( iface ); tmp_queue.push_back(new_rule); } } if (!cl.empty()) { for (vector::iterator i1=cl.begin(); i1!=cl.end(); ++i1) re->remove( (*i1) ); } tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::specialCaseWithUnnumberedInterface::dropUnnumberedInterface(RuleElement *re) { if (re->isAny()) return true; list cl; for (list::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *o = *i1; FWObject *obj = o; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Interface *ifs =Interface::cast( obj ); if (ifs!=NULL && (ifs->isUnnumbered() || ifs->isBridgePort()) ) cl.push_back(obj); } if (!cl.empty()) { for (list::iterator i1=cl.begin(); i1!=cl.end(); ++i1) re->removeRef( (*i1) ); } return (!re->isAny()); } bool NATCompiler_ipt::specialCaseWithUnnumberedInterface::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; bool keep_rule=true; switch (rule->getRuleType()) { case NATRule::Masq: case NATRule::SNAT: keep_rule=dropUnnumberedInterface( rule->getOSrc() ); 
break; case NATRule::DNAT: keep_rule=dropUnnumberedInterface( rule->getODst() ); break; default: ; } if (keep_rule) tmp_queue.push_back(rule); return true; } /* * I assume that there is always only one object in ODst, TSrc and TDst * rule elements. This should have been assured by inspector VerifyRules */ bool NATCompiler_ipt::ReplaceFirewallObjectsODst::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member"); Cluster *cluster = NULL; if (cluster_member) cluster = Cluster::cast( compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id"))); tmp_queue.push_back(rule); list cl; RuleElementODst *rel; Address *obj=NULL; switch (rule->getRuleType()) { case NATRule::Masq: // case NATRule::Redirect: return true; default: rel=rule->getODst(); assert(rel); obj=compiler->getFirstODst(rule); assert(obj!=NULL); if (obj->getId()==compiler->fw->getId() || (cluster && obj->getId()==cluster->getId())) { list l2=compiler->fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *interface_=Interface::cast(*i); if (interface_->isLoopback()) continue; if (cluster && ! interface_->getOptionsObject()->getBool("cluster_interface")) continue; cl.push_back(interface_); } if ( ! cl.empty() ) { while (rel->size()) rel->remove( rel->front() ); for (FWObject::iterator i1=cl.begin(); i1!=cl.end(); ++i1) { rel->addRef( *i1 ); } } } } return true; } /* * This processor works together with ConvertToAtomicRules and * AssignInterfaces. If firewall object is used in TSrc of SNAT rule, * it gets replaced with its interfaces. ConvertToAtomicRules slits * this rule onto atomic rules, each of which has one interface object * in TSrc. AssigInterfaces then assigns each atomic rule to * corresponding interface. * * it seems the simplest way is just to assign SNAT rule to all * interfaces if firewall is used in TSrc. 
This automatically takes * care of weird cases where people use address that belongs to subnet * of one interface to do translation of packets going out through * another interface. Basically, compiler does not have information * about routing, so we have no choice but assume the routing can be * anything and assign the rule to all interfaces. */ bool NATCompiler_ipt::ReplaceFirewallObjectsTSrc::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member"); Cluster *cluster = NULL; if (cluster_member) cluster = Cluster::cast( compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id"))); tmp_queue.push_back(rule); list cl; RuleElementTSrc *rel; Address *obj=NULL; switch (rule->getRuleType()) { case NATRule::Masq: case NATRule::Redirect: return true; default: rel=rule->getTSrc(); assert(rel); obj=compiler->getFirstTSrc(rule); assert(obj!=NULL); if (obj->getId()==compiler->fw->getId() || (cluster && obj->getId()==cluster->getId())) { RuleElementODst *odstrel = rule->getODst(); Address *osrc = compiler->getFirstOSrc(rule); Address *odst = compiler->getFirstODst(rule); rel->clearChildren(); Interface *odst_iface = NULL; if (cluster) odst_iface = compiler->findInterfaceFor(odst, cluster); else odst_iface = compiler->findInterfaceFor(odst, compiler->fw); Interface *osrc_iface = NULL; if (cluster) osrc_iface = compiler->findInterfaceFor(osrc, compiler->fw); else osrc_iface = compiler->findInterfaceFor(osrc, compiler->fw); if (!odst->isAny() && odst_iface!=NULL && !odstrel->getBool("single_object_negation")) { rel->addRef(odst_iface); } else { /* * else use all interfaces except loopback and * unnumbered ones. Skip interface connected to ODst * if single object negation was detected in ODst. 
For * cluster members use only copy of cluster interfaces * (ticket #1185) */ list l2 = compiler->fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface = Interface::cast(*i); if (iface->isLoopback() || iface->isUnnumbered() || iface->isBridgePort() ) continue; // Note: comparing osrc_iface and odst_iface by name // because these objects are children of cluster if (odstrel->getBool("single_object_negation") && odst_iface && odst_iface->getName()==iface->getName()) continue; if (osrc_iface && osrc_iface->getName() == iface->getName()) continue; if (cluster && ! iface->getOptionsObject()->getBool("cluster_interface")) continue; rel->addRef( *i ); } for (FWObject::iterator i1=cl.begin(); i1!=cl.end(); ++i1) rel->addRef( *i1 ); /* it is an error if rule element is empty at this point. this could have * happened if all external interfaces are unnumbered */ if (rel->size()==0) { compiler->abort( rule, "Could not find suitable interface for the NAT rule. " "Perhaps all interfaces are unnumbered?"); } } } } return true; } bool NATCompiler_ipt::splitMultiSrcAndDst::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrv *osrv=rule->getOSrv(); RuleElementOSrc *osrc=rule->getOSrc(); RuleElementODst *odst=rule->getODst(); RuleElementOSrc *rosrc; RuleElementODst *rodst; int nosrv=osrv->size(); int nosrc=osrc->size(); int nodst=odst->size(); /* * Return if service is set - svcs my introduce complications and I'm * treading carefully here. * We don't handle anything thats redirect, MASQ yet - just NONAT,SNAT & DNAT * We also check we've got multiple rules to deal with - we can't optimize * 1 src with 1 dst ... 
*/ if ((nosrv>1 || !(osrv->isAny())) || (nosrc<1 || osrc->isAny()) || (nodst<1 || odst->isAny()) || (nosrc==1 && nodst==1) ) { tmp_queue.push_back(rule); return true; } switch (rule->getRuleType()) { case NATRule::NONAT: case NATRule::SNAT: case NATRule::DNAT: { // get old chain name create new chain name string new_chain = NATCompiler_ipt::getNewTmpChainName(rule); // create new rule NATRule *r = compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); // move existing rule onto new chain rule->setStr("ipt_chain", new_chain); // we've already tested for interface .... rule->setStr(".iface_in", "nil"); rule->setStr(".iface_out", "nil"); // new rule points to new chain, continues if no match r->setStr("ipt_target", new_chain); // Now decide which way round would be best ... if (nosrc < nodst) { rodst= r->getODst(); rodst->clearChildren(); rodst->setAnyElement(); osrc->clearChildren(); osrc->setAnyElement(); } else { rosrc = r->getOSrc(); rosrc->clearChildren(); rosrc->setAnyElement(); odst->clearChildren(); odst->setAnyElement(); } tmp_queue.push_back(r); } break; default: ; } tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::dynamicInterfaceInODst::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElementODst *odstrel=rule->getODst(); assert(odstrel); Address *odst = compiler->getFirstODst(rule); if ( ! 
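odstrel->isAny() )
    {
        Interface *iface = Interface::cast(odst);
        // Only a dynamic failover (cluster) interface in ODst is rewritten:
        // the cluster-level object is swapped for the object that
        // correctForCluster() returns for this member firewall.
        if (iface!=NULL && iface->isDyn() && iface->isFailoverInterface())
        {
            Address *new_odst = compiler->correctForCluster(odst);
            RuleElementODst *odst_re = rule->getODst();
            assert(odst_re);
            odst_re->removeRef(odst);
            odst_re->addRef(new_odst);
        }
    }
    return true;
}

/**
 * Handles SNAT rules whose TSrc is a non-regular (dynamic) interface.
 *
 * - If that interface is a cluster failover interface, the object in
 *   TSrc is replaced with the one correctForCluster() returns, exactly
 *   as dynamicInterfaceInODst does for ODst.
 * - Unless the rule option "ipt_use_snat_instead_of_masq" is set, the
 *   rule type becomes Masq and, when "ipt_target" is still empty or the
 *   default "SNAT", the target becomes "MASQUERADE". With the option set
 *   the rule stays SNAT; how a SNAT rule with a dynamic interface in
 *   TSrc is rendered is not decided here.
 *
 * Every rule is queued unchanged in all other cases. Always returns
 * true except when the queue is exhausted.
 */
bool NATCompiler_ipt::dynamicInterfaceInTSrc::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;

    FWOptions *ruleopt =rule->getOptionsObject();
    bool use_snat = ruleopt->getBool("ipt_use_snat_instead_of_masq");

    tmp_queue.push_back(rule);

    Address *tsrc = compiler->getFirstTSrc(rule);

    if (rule->getRuleType()==NATRule::SNAT &&
        Interface::cast(tsrc)!=NULL &&
        !Interface::cast(tsrc)->isRegular())
    {
        Interface *iface = Interface::cast(tsrc);
        if (iface->isFailoverInterface())
        {
            Address *new_tsrc = compiler->correctForCluster(tsrc);
            RuleElementTSrc *tsrc_re = rule->getTSrc();
            // tsrc is already known to be non-NULL from the cast in the
            // condition above; the object whose validity matters here is
            // the rule element we are about to modify (mirrors the
            // assert(odst_re) in dynamicInterfaceInODst).
            assert(tsrc_re);
            tsrc_re->removeRef(tsrc);
            tsrc_re->addRef(new_tsrc);
        }

        if (use_snat)
        {
            // Emulate SNAT with dynamic interface
            //tsrc->setBool("use_var_address", true);
        } else
        {
            rule->setRuleType(NATRule::Masq);
            // Only the unset/default target is overridden; an explicitly
            // chosen target survives the conversion to Masq.
            if (rule->getStr("ipt_target")=="" ||
                rule->getStr("ipt_target")=="SNAT")
                rule->setStr("ipt_target", "MASQUERADE");
        }
    }
    return true;
}

/**
 * unlike standard inspector addressRanges in the base class NATCompiler,
 * this one does not expand address ranges in TSrc and TDst because
 * iptables supports ranges in those rule elements
 *
 * Only OSrc and ODst are passed to _expandAddressRanges(); the rule is
 * queued before expansion and is never split here.
 */
bool NATCompiler_ipt::ExpandAddressRanges::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElement *rel;

    rel=rule->getOSrc();
    assert(rel);
    compiler->_expandAddressRanges(rule,rel);

    rel=rule->getODst();
    assert(rel);
    compiler->_expandAddressRanges(rule,rel);

    return true;
}

/**
 * Scans one rule element for dynamic interfaces that belong to objects
 * other than this firewall (or its cluster) and aborts the rule when one
 * is found. A rule element set to "any" is skipped.
 */
void NATCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces(
    RuleElement *re, Rule *rule)
{
    if (re->isAny()) return;

    bool cluster_member =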
compiler->fw->getOptionsObject()->getBool("cluster_member");
    FWObject *cluster = NULL;
    if (cluster_member)
        cluster = compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id"));

    // NOTE(review): cl is declared but never used in this function.
    list cl;
    for (list::iterator i1=re->begin(); i1!=re->end(); ++i1)
    {
        FWObject *o = *i1;
        FWObject *obj = o;
        // Rule elements hold references; resolve to the referenced object.
        if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();

        Interface *ifs =Interface::cast( obj );
        // A dynamic interface is acceptable only when it is a child of this
        // firewall or of its parent cluster. For a standalone firewall
        // `cluster` is NULL here, so this relies on isChildOf() tolerating
        // a NULL argument — TODO confirm.
        if (ifs!=NULL && ifs->isDyn() &&
            ! ifs->isChildOf(compiler->fw) &&
            ! ifs->isChildOf(cluster))
        {
            QString err(
                "Can not build rule using dynamic interface '%1' "
                "of the object '%2' because its address in unknown.");
            compiler->abort(
                rule,
                err
                .arg(ifs->getName().c_str())
                .arg(ifs->getParent()->getName().c_str()).toStdString());
        }
    }
}

/**
 * Runs findDynamicInterfaces() over OSrc, ODst, TSrc and TDst, then
 * queues the rule. The rule is queued even after abort() has been
 * called; whether abort() actually stops compilation depends on the
 * compiler mode (see the comment in splitNATBranchRule).
 */
bool NATCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;

    findDynamicInterfaces( rule->getOSrc() , rule );
    findDynamicInterfaces( rule->getODst() , rule );
    findDynamicInterfaces( rule->getTSrc() , rule );
    findDynamicInterfaces( rule->getTDst() , rule );

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Marks rules that carry several TCP or UDP services in OSrv for the
 * iptables "multiport" match ("ipt_multiport") and, when OSrv holds more
 * than 15 objects, splits them into copies of at most 15 services each
 * (the copies are added to temp_ruleset). Rules with a single service,
 * or with services of other types, are queued unchanged.
 *
 * NOTE(review): the limit is applied to the number of service objects;
 * it does not account for port ranges, which presumably count for more
 * than one entry in the multiport match — confirm against the target
 * iptables version.
 */
bool NATCompiler_ipt::prepareForMultiport::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;

    RuleElementOSrv *rel= rule->getOSrv();
    Service *srv= compiler->getFirstOSrv(rule);

    if (rel->size()==1)
    {
        tmp_queue.push_back(rule);
        return true;
    }

/*
 * processor groupServicesByProtocol should have been called eariler, so now all
 * services in Srv are of the same type
 */
    if (TCPService::isA(srv) || UDPService::isA(srv))
    {
        rule->setBool("ipt_multiport",true);

/* make sure we have no more than 15 ports */
        if (rel->size()>15)
        {
            int n=0;
            // r is assigned on the first iteration (n starts at 0) and
            // reassigned every 15 services; nsrv tracks its OSrv element.
            NATRule *r;
            RuleElementOSrv *nsrv=NULL;
            for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++)
            {
                FWObject *o= *i;
                if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
                Service *s=Service::cast( o );
                assert(s);

                if (n==0)
                {
                    r= compiler->dbcopy->createNATRule();
                    compiler->temp_ruleset->add(r);
r->duplicate(rule); nsrv=r->getOSrv(); nsrv->clearChildren(); tmp_queue.push_back(r); } assert(nsrv!=NULL); nsrv->addRef( s ); if (++n>=15) n=0; } } else { tmp_queue.push_back(rule); } // tmp_queue.push_back(rule); } else tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::splitMultipleICMP::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrv *rel= rule->getOSrv(); Service *srv= compiler->getFirstOSrv(rule); if (rel->size()==1) { tmp_queue.push_back(rule); return true; } if (ICMPService::isA(srv)) { NATRule *r; RuleElementOSrv *nsrv; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast( o ); assert(s); r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrv=r->getOSrv(); nsrv->clearChildren(); nsrv->addRef( s ); tmp_queue.push_back(r); } } else tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::doOSrcNegation::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrc *osrcrel=rule->getOSrc(); /* ! 
A B C */ if (osrcrel->getNeg()) { NATRule *r; RuleElementOSrc *nsrc; RuleElementODst *ndst; RuleElementOSrv *nsrv; RuleElementTSrc *ntsrc; RuleElementTDst *ntdst; RuleElementTSrv *ntsrv; string new_chain = NATCompiler_ipt::getNewTmpChainName(rule); osrcrel->setNeg(false); /* * negation in OSrc : * * CHAIN !A B C RULE_TYPE TARGET *----------------------------------------------- * ----- any B C SNAT/DNAT TMP_CHAIN * TMP_CHAIN A any any RETURN RETURN * TMP_CHAIN any any C SNAT/DNAT --------- */ r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrc=r->getOSrc(); nsrc->clearChildren(); nsrc->setAnyElement(); // ntsrc=r->getTSrc(); ntsrc->clearChildren(); ntsrc->setAnyElement(); // ntdst=r->getTDst(); ntdst->clearChildren(); ntdst->setAnyElement(); // r->setRuleType(NATRule::Continue); r->setStr("ipt_target",new_chain); // r->setBool("rule_added_for_osrc_neg",true); tmp_queue.push_back(r); /* TMP_CHAIN A any any RETURN */ r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); ndst=r->getODst(); ndst->clearChildren(); ndst->setAnyElement(); nsrv=r->getOSrv(); nsrv->clearChildren(); nsrv->setAnyElement(); ntsrc=r->getTSrc(); ntsrc->clearChildren(); ntsrc->setAnyElement(); ntdst=r->getTDst(); ntdst->clearChildren(); ntdst->setAnyElement(); ntsrv=r->getTSrv(); ntsrv->clearChildren(); ntsrv->setAnyElement(); ndst->setNeg(false); nsrv->setNeg(false); r->setRuleType(NATRule::Return); r->setStr("ipt_target","RETURN"); r->setStr("ipt_chain",new_chain); r->setStr(".iface_in", "nil"); r->setStr(".iface_out", "nil"); //r->setInterfaceStr("nil"); r->setBool("rule_added_for_osrc_neg",true); tmp_queue.push_back(r); /* TMP_CHAIN any any C ACTION */ r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrc=r->getOSrc(); nsrc->clearChildren(); nsrc->setAnyElement(); ndst=r->getODst(); ndst->clearChildren(); ndst->setAnyElement(); nsrv=r->getOSrv(); ndst->setNeg(false); 
nsrv->setNeg(false); r->setStr("ipt_chain",new_chain); r->setStr(".iface_in", "nil"); r->setStr(".iface_out", "nil"); //r->setInterfaceStr("nil"); r->setBool("rule_added_for_osrc_neg",true); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::doODstNegation::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementODst *odstrel=rule->getODst(); /* ! A B C */ if (odstrel->getNeg()) { NATRule *r; RuleElementOSrc *nsrc; RuleElementODst *ndst; RuleElementOSrv *nsrv; RuleElementTSrc *ntsrc; RuleElementTDst *ntdst; RuleElementTSrv *ntsrv; string new_chain=NATCompiler_ipt::getNewTmpChainName(rule); odstrel->setNeg(false); /* * negation in Odst : * * CHAIN A !B C RULE_TYPE TARGET *----------------------------------------------- * ----- A any C SNAT/DNAT TMP_CHAIN * TMP_CHAIN any B any RETURN RETURN * TMP_CHAIN any any C SNAT/DNAT --------- */ r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); ndst=r->getODst(); ndst->clearChildren(); ndst->setAnyElement(); // ntsrc=r->getTSrc(); ntsrc->clearChildren(); ntsrc->setAnyElement(); // ntdst=r->getTDst(); ntdst->clearChildren(); ntdst->setAnyElement(); // r->setRuleType(NATRule::Continue); r->setStr("ipt_target",new_chain); r->setBool("rule_added_for_odst_neg",true); tmp_queue.push_back(r); /* TMP_CHAIN any B any RETURN */ r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrc=r->getOSrc(); nsrc->clearChildren(); nsrc->setAnyElement(); nsrv=r->getOSrv(); nsrv->clearChildren(); nsrv->setAnyElement(); ntsrc=r->getTSrc(); ntsrc->clearChildren(); ntsrc->setAnyElement(); ntdst=r->getTDst(); ntdst->clearChildren(); ntdst->setAnyElement(); ntsrv=r->getTSrv(); ntsrv->clearChildren(); ntsrv->setAnyElement(); nsrc->setNeg(false); nsrv->setNeg(false); r->setRuleType(NATRule::Return); r->setStr("ipt_target","RETURN"); r->setStr("ipt_chain",new_chain); r->setStr(".iface_in", "nil"); 
r->setStr(".iface_out", "nil"); //r->setInterfaceStr("nil"); // r->setBool("rule_added_for_odst_neg",true); tmp_queue.push_back(r); /* TMP_CHAIN any any C ACTION */ r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrc=r->getOSrc(); nsrc->clearChildren(); nsrc->setAnyElement(); ndst=r->getODst(); ndst->clearChildren(); ndst->setAnyElement(); nsrv=r->getOSrv(); nsrc->setNeg(false); nsrv->setNeg(false); r->setStr("ipt_chain",new_chain); r->setStr(".iface_in", "nil"); r->setStr(".iface_out", "nil"); //r->setInterfaceStr("nil"); r->setBool("rule_added_for_odst_neg",true); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::doOSrvNegation::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrv *osrvrel=rule->getOSrv(); /* A B ! C */ if (osrvrel->getNeg()) { NATRule *r; RuleElementOSrc *nsrc; RuleElementODst *ndst; RuleElementOSrv *nsrv; RuleElementTSrc *ntsrc; RuleElementTDst *ntdst; string new_chain=NATCompiler_ipt::getNewTmpChainName(rule); osrvrel->setNeg(false); /* * negation in OSrv : * * CHAIN A B !C RULE_TYPE TARGET *----------------------------------------------- * ----- A B any SNAT/DNAT TMP_CHAIN * TMP_CHAIN any any C RETURN RETURN * TMP_CHAIN any any any SNAT/DNAT --------- */ r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrv=r->getOSrv(); nsrv->clearChildren(); nsrv->setAnyElement(); // ntsrc=r->getTSrc(); ntsrc->clearChildren(); ntsrc->setAnyElement(); // ntdst=r->getTDst(); ntdst->clearChildren(); ntdst->setAnyElement(); // r->setRuleType(NATRule::Continue); r->setStr("ipt_target",new_chain); r->setBool("rule_added_for_osrv_neg",true); tmp_queue.push_back(r); /* TMP_CHAIN any any C RETURN */ r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrc=r->getOSrc(); nsrc->clearChildren(); nsrc->setAnyElement(); ndst=r->getODst(); ndst->clearChildren(); 
ndst->setAnyElement(); ntsrc=r->getTSrc(); ntsrc->clearChildren(); ntsrc->setAnyElement(); ntdst=r->getTDst(); ntdst->clearChildren(); ntdst->setAnyElement(); nsrc->setNeg(false); ndst->setNeg(false); r->setRuleType(NATRule::Return); r->setStr("ipt_target","RETURN"); r->setStr("ipt_chain",new_chain); r->setStr(".iface_in", "nil"); r->setStr(".iface_out", "nil"); //r->setInterfaceStr("nil"); r->setBool("rule_added_for_osrv_neg",true); tmp_queue.push_back(r); /* TMP_CHAIN any any any ACTION */ r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrc=r->getOSrc(); nsrc->clearChildren(); nsrc->setAnyElement(); ndst=r->getODst(); ndst->clearChildren(); ndst->setAnyElement(); nsrv=r->getOSrv(); nsrv->clearChildren(); nsrv->setAnyElement(); nsrc->setNeg(false); ndst->setNeg(false); r->setStr("ipt_chain",new_chain); r->setStr(".iface_in", "nil"); r->setStr(".iface_out", "nil"); //r->setInterfaceStr("nil"); // r->setBool("rule_added_for_osrv_neg",true); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::splitNONATRule::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; if ( rule->getStr("ipt_chain").empty() && rule->getRuleType()==NATRule::NONAT) { Address *osrc=compiler->getFirstOSrc(rule); bool osrcfw= compiler->complexMatch(osrc,compiler->fw); /* * NONAT is special if OSrc matches firewall. It is not sufficient to * only put this rule in the OUTPUT chain because packets originating * on the firewall actually cross both OUTPUT and POSTROUTING chains * (I tested this). So, we need to make sure we _do not_ translate in * both these chains because there may be other rules in POSTROUTING * chain that may accidentally match the packet and translate it. 
*/ NATRule *r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("ipt_chain","POSTROUTING"); tmp_queue.push_back(r); if (osrcfw) { rule->setStr("ipt_chain","OUTPUT"); if (osrc->getId()==compiler->fw->getId()) { RuleElementOSrc *src; src=rule->getOSrc(); src->clearChildren(); src->setAnyElement(); } } else rule->setStr("ipt_chain","PREROUTING"); tmp_queue.push_back(rule); } else tmp_queue.push_back(rule); return true; } /** * Branch rule in NAT rule sets should go into PREROUTING or * POSTROUTING chain depending on the target of the rules in the * branch. Iptables verifies this when a command that passes control * (the one with "-j ") is entered. If branch * ruleset has -j SNAT, the command that sends control to the branch * should be in POSTROUTING. Attempt to place it in PREROUTING ends * with an error "iptables: Invalid argument". * * Note that if branch rule set contains a mix of rules that use both * SNAT and DNAT targets, the branching rule (that should pass control * to the branch) can not be added to PREROUTING and POSTROUTING * chains, it just gives an error "iptables: Invalid argument" for both. 
* Tested with iptables 1.4.1.1 10/20/2009 */ bool NATCompiler_ipt::splitNATBranchRule::processNext() { NATCompiler_ipt *ipt_comp = dynamic_cast(compiler); NATRule *rule=getNext(); if (rule==NULL) return false; if ( rule->getRuleType()==NATRule::NATBranch) { RuleSet *branch = rule->getBranch(); if (branch) { string branch_name = branch->getName(); if (ipt_comp->branch_ruleset_to_chain_mapping) { map >::const_iterator lit = ipt_comp->branch_ruleset_to_chain_mapping->find(branch_name); if (lit!=ipt_comp->branch_ruleset_to_chain_mapping->end()) { list chains = lit->second; list::iterator it; for (it=chains.begin(); it!=chains.end(); ++it) { string branch_chain = *it; // If chain in the branch rule set does not // start with its own name plus "_", skip it // because it is one of the standard chains if (branch_chain.find(branch_name + "_") == 0) { // branch chain is + "_" + string my_chain = branch_chain.substr(branch_name.length()+1); NATRule *r = compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("ipt_chain", my_chain); r->setStr("ipt_target", *it); tmp_queue.push_back(r); } } return true; } } { NATRule *r; string prefix, new_chain, tgt_chain; string prepost[] = { "PRE", "POST" }; int i; compiler->warning(rule, "NAT branching rule does not have information" " about targets used in the branch ruleset" " to choose proper chain in the nat table." 
" Will split the rule and place it in both" " PREROUTNING and POSTROUTING"); prefix = (ipt_comp->getRuleSetName() + "_"); if (prefix == string("NAT_")) prefix = ""; for (i = 0; i < 2; i++) { r = compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); new_chain = prefix + prepost[i] + "ROUTING"; tgt_chain = branch_name + "_" + prepost[i] + "ROUTING"; ipt_comp->registerRuleSetChain(new_chain); ipt_comp->registerRuleSetChain(tgt_chain); r->setStr("ipt_chain", new_chain); r->setStr("ipt_target", tgt_chain); tmp_queue.push_back(r); } } return true; } else { compiler->abort(rule, "NAT branching rule misses branch rule set."); // in case we are in the test mode and abort() does not // really abort. Both the chain and the target are bogus // and are needed only to make the compiler continue and // produce some output, which will be shown to the user // together with the error in single-rule compile mode rule->setStr("ipt_chain", "PREROUTING"); rule->setStr("ipt_target", "UNDEFINED"); tmp_queue.push_back(rule); } } else tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::localNATRule::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; // if ( rule->getStr("ipt_chain").empty()) // { Address *osrc = compiler->getFirstOSrc(rule); bool osrcfw = compiler->complexMatch(osrc,compiler->fw); switch( rule->getRuleType()) { case NATRule::DNAT: case NATRule::DNetnat: case NATRule::Redirect: /* it should not be necessary to do anything if rule type is NONAT * since splitNONATRule takes care of NONAT rules * * is there any need to split the rule if it is SNAT or DNAT type ? I * can't see any reason to do it. 
*
 * Can use OUTPUT chain only for DNAT rules and a like
 */
        // A destination-translating rule whose OSrc matches the firewall is
        // placed in the OUTPUT chain (where locally generated packets are
        // subject to destination NAT).
        if (osrcfw) rule->setStr("ipt_chain", "OUTPUT");
        // When OSrc is exactly the firewall object (not merely an address
        // that matches it), OSrc is reset to "any" — presumably because in
        // OUTPUT every packet is locally generated anyway.
        if (osrcfw && osrc->getId()==compiler->fw->getId())
        {
            RuleElementOSrc *src;
            src=rule->getOSrc();
            src->clearChildren();
            src->setAnyElement();
        }
        break;
    default: break;
    }
// }
    tmp_queue.push_back(rule);
    return true;
}

/**
 * For DNAT rules with OSrc "any" (or a single negated object), adds a
 * copy of the rule whose OSrc also contains the firewall object, so that
 * a later processor can route the copy to the OUTPUT chain. The original
 * rule is always queued first and left untouched.
 *
 * No copy is made when the user set the inbound interface, or for the
 * helper rules created by the negation processors ("rule_added_for_*_neg"
 * flags), which match "any" only because the real test happens in the
 * rule that passes control to them.
 *
 * NOTE(review): the copy is made with r->duplicate(rule) and then the
 * firewall is added to its OSrc, so in the single_object_negation case
 * the copy keeps the original OSrc member next to the firewall —
 * confirm this is the intended matching behaviour.
 */
bool NATCompiler_ipt::splitIfOSrcAny::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

/* do not split if user nailed inbound interface */
    RuleElement *itf_re = rule->getItfInb();
    assert(itf_re!=NULL);
    if (! itf_re->isAny()) return true;

/* do not split rules added to handle negation, these rules have "any"
 * in OSrc but get control only after OSrc is tested by another
 * rule */
    if (rule->getBool("rule_added_for_osrc_neg")) return true;
    if (rule->getBool("rule_added_for_odst_neg")) return true;
    if (rule->getBool("rule_added_for_osrv_neg")) return true;

    if (rule->getRuleType()==NATRule::DNAT)
    {
        RuleElementOSrc *osrcrel = rule->getOSrc();
        Address *osrc = compiler->getFirstOSrc(rule);

        // split if osrc is any OR if it has a single object with negation
        if (osrc->isAny() || osrcrel->getBool("single_object_negation"))
        {
            NATRule *r = compiler->dbcopy->createNATRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            RuleElementOSrc *nosrcrel = r->getOSrc();
            nosrcrel->addRef(compiler->fw);
            tmp_queue.push_back(r);
        }
    }
    return true;
}

/*
 * we assume that splitIfOSrcMatchesFw was called before, so that if firewall
 * was in OSrc, it is now a single object in that rule element
 *
 * DNAT rules whose OSrc matches the firewall are moved to the OUTPUT
 * chain; if OSrc is the firewall object itself it is reset to "any".
 * This is the same transformation localNATRule applies for DNAT, with
 * the difference that this processor does not look at any chain that
 * was already assigned. Other rules pass through unchanged.
 */
bool NATCompiler_ipt::DNATforFW::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    if (rule->getRuleType()==NATRule::DNAT)
    {
        Address *osrc=compiler->getFirstOSrc(rule);
        if ( compiler->complexMatch(osrc,compiler->fw) )
        {
            rule->setStr("ipt_chain","OUTPUT");
            if (osrc->getId()==compiler->fw->getId())
            {
                rule->getOSrc()->clearChildren();
                rule->getOSrc()->setAnyElement();
            }
        }
    }
    return true;
}
/**
 * Picks the nat-table chain ("ipt_chain") for a rule that has none yet.
 *
 * Source-translating types (SNAT, SNetnat, Masq) go to POSTROUTING and
 * destination-translating types (DNAT, DNetnat, Redirect) to PREROUTING.
 * NONAT and NATBranch rules are expected to have been given a chain by
 * splitNONATRule and splitNATBranchRule respectively, so nothing is
 * chosen for them here.
 *
 * A chain that is already set is kept, with one adjustment: inside a
 * branch rule set (not the top one) whose chain is still the rule set's
 * own name, the chain is renamed to "<ruleset>_<chain>" and registered
 * with registerRuleSetChain(), so the branch keeps the
 * PREROUTING/POSTROUTING distinction it would have had at top level.
 */
bool NATCompiler_ipt::decideOnChain::processNext()
{
    NATCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    string chain;

    switch (rule->getRuleType())
    {
    case NATRule::SNAT:     chain = "POSTROUTING"; break;
    case NATRule::SNetnat:  chain = "POSTROUTING"; break;
    case NATRule::Masq:     chain = "POSTROUTING"; break;
    case NATRule::DNAT:     chain = "PREROUTING";  break;
    case NATRule::DNetnat:  chain = "PREROUTING";  break;
    case NATRule::Redirect: chain = "PREROUTING";  break;
    case NATRule::NONAT:
        // processor splitNONATRule took care of NONAT rule
        break;
    case NATRule::NATBranch:
        // processor splitNATBranchRule took care of NATBranch rule
        break;
    default: ;
    }

    if (!rule->getStr("ipt_chain").empty())
    {
        if (!compiler->getSourceRuleSet()->isTop() &&
            ipt_comp->getRuleSetName() == rule->getStr("ipt_chain"))
        {
            // this is a NAT branch. Need to rename the chain to add
            // information about the chain that would have been used
            // if this was top ruleset
            //
            // NOTE(review): for rule types that leave `chain` empty
            // (NONAT, NATBranch, default) the new name would end in a
            // bare "_" — confirm those types cannot reach this point
            // with ipt_chain equal to the rule set name.
            string new_chain = compiler->getRuleSetName() + "_" + chain;
            ipt_comp->registerRuleSetChain(new_chain);
            rule->setStr("ipt_chain", new_chain);
        }
        return true;  // already defined
    }

    if (!chain.empty()) rule->setStr("ipt_chain", chain);

    return true;
}

/**
 * Chooses the iptables target ("ipt_target") from the rule type for
 * rules that do not have one yet; a target that is already set is kept.
 */
bool NATCompiler_ipt::decideOnTarget::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    if ( !
rule->getStr("ipt_target").empty() ) return true; // already defined switch (rule->getRuleType()) { case NATRule::NONAT: rule->setStr("ipt_target","ACCEPT"); break; case NATRule::SNAT: rule->setStr("ipt_target","SNAT"); break; case NATRule::SNetnat: rule->setStr("ipt_target","NETMAP"); break; case NATRule::DNAT: rule->setStr("ipt_target","DNAT"); break; case NATRule::DNetnat: rule->setStr("ipt_target","NETMAP"); break; case NATRule::Masq: rule->setStr("ipt_target","MASQUERADE"); break; case NATRule::Redirect: rule->setStr("ipt_target","REDIRECT"); break; case NATRule::Return: rule->setStr("ipt_target","RETURN"); break; case NATRule::NATBranch: // this case has been taken care for in splitNATBranchRule() break; default: ; } return true; } /* * This rule processor chooses interfaces for the rule automatically * if user did not set them manually in "Inbound Interface" and * "Outbound Interface" columns. * * Automatic algorithm: * * this processor works together with ReplaceFirewallObjectsTSrc and * ConvertToAtomicRules. If the first two left interface object in * TSrc, AssignInterfaces assigns this rule to the corresponding * interface. Rule will be split and assigned to all interfaces here * if object in TSrc is not an interface or an address of interface. * * Summary: SNAT rules are now assigned to interfaces (using "-o * iface_name") as follows: * * - if firewall's interface or its address is in TSrc, the rule the * uses its address for "--to-source" and its name for "-o" * * - if firewall object is in TSrc, then it gets replaced with its * interfaces (except unnumbered and loopback interfaces) and rule is * processed using each interface as described above * * - if some other object is in TSrc, the rule is assigned to all * interfaces of the firewall (using notation with '+') and address of * this object is used for "--to-source". There are reasons why rule * has to be explicitly assigned to all interfaces using "-o" as * opposed to skipping "-o" all together. 
consider for example a * configuration with an unnumbred tunnel interface (e.g. ipsec0) used * for "road varrior" connections where IP address on the other end of * the tunnel is unknown. We can not add a "no nat" rule because we do * not know address of the net on the other side of the tunnel, but * fortunately ipsec0 is skipped in the assignment of SNAT rule * because it is unnumbered, so the firewall won't translate packets * going through this interface. * * * NOTE: this rule processor may place groups of interfaces in inbound * and outbound interface rule elements. Names of these groups were * specifically constructed to match "wildcard" interface * specifications supported by iptables, such as "eth+". Do not call * rule processors that expand groups after AssignInterface. * */ bool NATCompiler_ipt::AssignInterface::processNext() { NATCompiler_ipt *ipt_comp = dynamic_cast(compiler); NATRule *rule = getNext(); if (rule==NULL) return false; RuleElement *itf_re; itf_re = rule->getItfInb(); assert(itf_re!=NULL); if ( ! itf_re->isAny()) { tmp_queue.push_back(rule); return true; } itf_re = rule->getItfOutb(); assert(itf_re!=NULL); if ( ! itf_re->isAny()) { tmp_queue.push_back(rule); return true; } switch (rule->getRuleType()) { case NATRule::SNAT: case NATRule::Masq: { Address* tsrc = compiler->getFirstTSrc(rule); Interface *iface = Interface::cast(tsrc); if (IPv4::isA(tsrc) || IPv6::isA(tsrc)) { iface = Interface::cast(tsrc->getParent()); } if (iface) { FWObject *parent_host = Host::getParentHost(iface); if (Cluster::isA(parent_host)) { if (iface->isFailoverInterface()) { FailoverClusterGroup *failover_group = FailoverClusterGroup::cast( iface->getFirstByType(FailoverClusterGroup::TYPENAME)); Interface *fw_iface = failover_group->getInterfaceForMemberFirewall(compiler->fw); if (fw_iface) { // this is a bit tricky: we assign rule to the // member firewall's inteface but TSrc remains // cluster interface or its address. 
iface = fw_iface; RuleElementItfOutb *itf_re = rule->getItfOutb(); assert(itf_re!=NULL); if ( ! itf_re->hasRef(iface)) itf_re->addRef(iface); tmp_queue.push_back(rule); return true; } } else { // parent is the cluster but there is no failover // group. This must be a copy of the member interface. RuleElementItfOutb *itf_re = rule->getItfOutb(); assert(itf_re!=NULL); if ( ! itf_re->hasRef(iface)) itf_re->addRef(iface); tmp_queue.push_back(rule); return true; } } else { if (iface->isChildOf(compiler->fw)) { RuleElementItfOutb *itf_re = rule->getItfOutb(); assert(itf_re!=NULL); if ( ! itf_re->hasRef(iface)) itf_re->addRef(iface); tmp_queue.push_back(rule); return true; } } } #if 0 FWObject *p = iface->getParent(); qDebug() << "Checkpoint #1" << " iface=" << iface << " " << iface->getName().c_str() << " parent=" << p << " " << p->getName().c_str() << " " << p->getTypeName().c_str(); #endif /* if we appear here, then TSrc is not an interface or address of an * interface. This processor will simply pass a rule along if firewall * has no interfaces at all. I wonder if I really have to do this, * but I do it anyway. */ int n = 0; QMap::iterator it; for (it=ipt_comp->regular_interfaces.begin(); it!=ipt_comp->regular_interfaces.end(); ++it) { FWObject *itf_group = it.value(); // group "*" holds all interfaces if (itf_group->getName() == "*") continue; NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); RuleElementItfOutb *itf_re = r->getItfOutb(); assert(itf_re!=NULL); if ( ! 
itf_re->hasRef(itf_group)) itf_re->addRef(itf_group); //r->setInterfaceStr(intf_name.toStdString()); tmp_queue.push_back(r); n++; } if (n==0) tmp_queue.push_back(rule); return true; } break; default: ; } tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::verifyRuleWithMAC::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrc *rel = rule->getOSrc(); if (rel->isAny()) { tmp_queue.push_back(rule); return true; } string chain = rule->getStr("ipt_chain"); if (chain!="PREROUTING" && chain!="FORWARD" && chain!="INPUT" ) { /* scan all objects in OSrc, look for physAddress or combinedAddress * with pa present. Objects like that are not allowed in chain POSTROUTING. * Issue warning and remove physAddress from the list. */ list cl; FWObject *pa=NULL; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o= *i; FWObject *o1= o; if (FWReference::cast(o)!=NULL) o1=FWReference::cast(o)->getPointer(); if (physAddress::isA(o1)) { pa=o1; cl.push_back(o1); } combinedAddress *ca=combinedAddress::cast(o1); if (ca!=NULL && ca->getPhysAddress()!="" ) { /* there are two possibilities: * 1 - combinedAddress consists of the IPv4 component and MAC address component * 2 - combinedAddress consists of an empty IPv4 component and MAC address . */ pa=o1; if ( ca->isAny() ) cl.push_back(o1); else ca->setPhysAddress(""); } } if (!cl.empty()) { for (list::iterator i1=cl.begin(); i1!=cl.end(); ++i1) rel->removeRef( (*i1) ); } if (pa!=NULL) { if (rel->isAny()) { QString err( "SNAT rule can not match MAC address, however " "after removing object %1 from OSrc it becomes 'Any'"); compiler->abort(rule, err.arg(pa->getName().c_str()).toStdString()); return true; } else { QString err( "SNAT rule can not match MAC address. 
Object %1 " "removed from the rule"); compiler->warning(rule, err.arg(pa->getName().c_str()).toStdString()); } } } tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::processMultiAddressObjectsInRE::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; OSConfigurator_linux24 *osconf = dynamic_cast(compiler->osconfigurator); RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) ); if (re->size()==1) { FWObject *o = re->front(); if (FWReference::cast(o)!=NULL) o = FWReference::cast(o)->getPointer(); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL) { // we have just one object in RE and this object is MutiAddressRunTime if (atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) { string path = atrt->getSourceNameAsPath(compiler->getCachedFwOpt()); if (path.empty() && !atrt->getSourceName().empty()) { compiler->abort(rule, "Firewall's data directory not set for address table: " + atrt->getName()); return true; } rule->setStr("address_table_file", path); osconf->registerMultiAddressObject(atrt); } if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME) { // this is DNSName converted to its run-time counterpart, // we do not need to touch it at all } tmp_queue.push_back(rule); return true; } } list cl; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) cl.push_back(atrt); } if (!cl.empty()) { RuleElement *nre; RuleElement *ore=RuleElement::cast( rule->getFirstByType(re_type) ); NATRule *r; for (list::iterator i=cl.begin(); i!=cl.end(); i++) { MultiAddressRunTime *atrt = *i; r = compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nre=RuleElement::cast( r->getFirstByType(re_type) ); nre->clearChildren(); nre->addRef( atrt ); string path = 
atrt->getSourceNameAsPath(compiler->getCachedFwOpt()); if (path.empty() && !atrt->getSourceName().empty()) { compiler->abort(rule, "Firewall's data directory not set for address table: " + atrt->getName()); return true; } r->setStr("address_table_file", path); osconf->registerMultiAddressObject(atrt); tmp_queue.push_back(r); ore->removeRef( *i ); } } tmp_queue.push_back(rule); return true; } bool NATCompiler_ipt::countChainUsage::processNext() { NATCompiler_ipt *ipt_comp = dynamic_cast(compiler); slurp(); if (tmp_queue.size()==0) return false; for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) { NATRule *rule = NATRule::cast( *k ); ipt_comp->chain_usage_counter[rule->getStr("ipt_target")] += 1; } return true; } void NATCompiler_ipt::registerRuleSetChain(const std::string &chain_name) { chain_usage_counter[chain_name] = 1; } void NATCompiler_ipt::compile() { string banner = " Compiling ruleset " + getRuleSetName() + " for 'nat' table"; if (ipv6) banner += ", IPv6"; info(banner); Compiler::compile(); add( new NATCompiler::Begin()); add( new printTotalNumberOfRules()); add( new singleRuleFilter()); add(new expandGroupsInItfInb("expand groups in inbound Interface")); add(new replaceClusterInterfaceInItfInb( "replace cluster interfaces with member interfaces in " "the inbound Interface rule element")); add(new singleObjectNegationItfInb("process single object negation in inbound Itf")); add(new ItfInbNegation("process negation in inbound Itf")); add(new expandGroupsInItfOutb("expand groups in outbound Interface")); add(new replaceClusterInterfaceInItfOutb( "replace cluster interfaces with member interfaces in " "the outbound Interface rule element")); add(new singleObjectNegationItfOutb("process single object negation in outbound Itf")); add(new ItfOutbNegation("process negation in outbound Itf")); add( new recursiveGroupsInOSrc("check for recursive groups in OSRC")); add( new recursiveGroupsInODst("check for recursive groups in ODST")); add( new 
recursiveGroupsInOSrv("check for recursive groups in OSRV")); add( new recursiveGroupsInTSrc("check for recursive groups in TSRC")); add( new recursiveGroupsInTDst("check for recursive groups in TDST")); add( new recursiveGroupsInTSrv("check for recursive groups in TSRV")); add( new emptyGroupsInOSrc("check for empty groups in OSRC" )); add( new emptyGroupsInODst("check for empty groups in ODST" )); add( new emptyGroupsInOSrv("check for empty groups in OSRV" )); add( new emptyGroupsInTSrc("check for empty groups in TSRC" )); add( new emptyGroupsInTDst("check for empty groups in TDST" )); add( new emptyGroupsInTSrv("check for empty groups in TSRV")); add( new ExpandGroups("Expand groups")); // processors that expand objects with multiple addresses // check addresses against current address family using member // ipv6. If all addresses do not match, we may end up with // empty rule element. add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); if (ipv6) add( new DropIPv4Rules("drop ipv4 rules")); else add( new DropIPv6Rules("drop ipv6 rules")); add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC")); add( new eliminateDuplicatesInODST("eliminate duplicates in ODST")); add( new eliminateDuplicatesInOSRV("eliminate duplicates in OSRV")); add( new swapMultiAddressObjectsInOSrc( " swap MultiAddress -> MultiAddressRunTime in OSrc") ); add( new swapMultiAddressObjectsInODst( " swap MultiAddress -> MultiAddressRunTime in ODst") ); add( new swapMultiAddressObjectsInTSrc( " swap MultiAddress -> MultiAddressRunTime in TSrc") ); add( new swapMultiAddressObjectsInTDst( " swap MultiAddress -> MultiAddressRunTime in TDst") ); add( new processMultiAddressObjectsInOSrc( "process MultiAddress objects in OSrc") ); add( new processMultiAddressObjectsInODst( "process MultiAddress objects in ODst") ); add( new processMultiAddressObjectsInTSrc( "process MultiAddress objects in TSrc") ); add( new processMultiAddressObjectsInTDst( "process MultiAddress objects in 
TDst") ); add( new doOSrvNegation( "process negation in OSrv" )); add( new convertToAtomicportForOSrv("convert to atomic rules in OSrv")); add( new classifyNATRule( "classify NAT rule" )); add( new splitSDNATRule( "split SDNAT rules" )); add( new classifyNATRule( "reclassify rules" )); add( new ConvertLoadBalancingRules( "convert load balancing rules")); add( new VerifyRules( "verify rules" )); add( new singleObjectNegationOSrc( "negation in OSrc if it holds single object")); add( new singleObjectNegationODst( "negation in ODst if it holds single object")); add( new doOSrcNegation( "process negation in OSrc" )); add( new doODstNegation( "process negation in ODst" )); /* call splitOnODst after processing negation */ add( new splitOnODst( "split on ODst" )); add( new portTranslationRules( "port translation rules" )); add( new specialCaseWithRedirect( "special case with redirecting port translation rules" ) ); if (fwopt->getBool("local_nat") ) { if ( fwopt->getBool("firewall_is_part_of_any_and_networks") ) add( new splitIfOSrcAny( "split rule if OSrc is any" )); add( new splitIfOSrcMatchesFw("split rule if OSrc matches FW" )); } add( new splitNONATRule("NAT rules that request no translation")); add( new splitNATBranchRule("Split Branch rules to use all chains")); add( new localNATRule("process local NAT rules")); // add( new DNATforFW("process DNAT rules for packets originated on the firewall")); add( new decideOnChain( "decide on chain" ) ); add( new decideOnTarget( "decide on target" ) ); // ----------- 10/18/2008 add( new splitODstForSNAT( "split rule if objects in ODst belong to different subnets") ); add( new ReplaceFirewallObjectsODst("replace firewall in ODst" ) ); add( new ReplaceFirewallObjectsTSrc("replace firewall in TSrc" ) ); add( new splitOnDynamicInterfaceInODst( "split rule if ODst is dynamic interface" ) ); add( new splitOnDynamicInterfaceInTSrc( "split rule if TSrc is dynamic interface" ) ); add( new ExpandMultipleAddresses("expand multiple 
addresses") ); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); if (ipv6) add( new DropIPv4Rules("drop ipv4 rules")); else add( new DropIPv6Rules("drop ipv6 rules")); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new specialCaseWithUnnumberedInterface( "special cases with dynamic and unnumbered interfaces" ) ); add( new checkForDynamicInterfacesOfOtherObjects( "dynamic interfaces of other hosts and firewalls" ) ); add( new verifyRuleWithMAC("verify rules using MAC address filtering")); add( new ExpandAddressRanges("expand address ranges") ); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new splitMultiSrcAndDst( "split rules where multiple srcs and dsts are present" ) ); add( new groupServicesByProtocol("group services by protocol")); add( new VerifyRules2("check correctness of TSrv")); add( new separatePortRanges("separate port ranges")); add( new separateSrcPort("separate objects with src ports") ); add( new separateSrcAndDstPort("separate objects with src and dest ports")); add( new prepareForMultiport("prepare for multiport") ); add( new splitMultipleICMP("split rule with multiple ICMP services") ); add( new ConvertToAtomicForAddresses("convert to atomic rules") ); add( new addVirtualAddress("add virtual addresses") ); add( new AssignInterface("assign rules to interfaces") ); add( new VerifyRules3("check combination of interface spec and chain")); add( new dynamicInterfaceInODst("split if dynamic interface in ODst") ); add( new dynamicInterfaceInTSrc( "set target if dynamic interface in TSrc" ) ); add( new ConvertToAtomicForItfInb("convert to atomic for inbound interface") ); add( new ConvertToAtomicForItfOutb("convert to atomic for outbound interface")); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add( new countChainUsage("Count chain usage")); if (fwopt->getBool("use_iptables_restore")) { // bug #1812295: we should use 
PrintRuleIptRstEcho not only // when we have dynamic interfaces, but also when we have // address tables expanded at run time. Instead of checking // for all these conditions, just always use PrintRuleIptRstEcho printRule=new PrintRuleIptRstEcho( "generate code for iptables-restore using echo"); } else printRule=new PrintRule("generate iptables shell script"); printRule->setContext(this); printRule->initialize(); add( printRule ); add( new simplePrintProgress() ); runRuleProcessors(); } void NATCompiler_ipt::epilog() { if (fwopt->getBool("use_iptables_restore") && getCompiledScriptLength()>0 && ! inSingleRuleCompileMode()) { output << "#" << endl; } } string NATCompiler_ipt::flushAndSetDefaultPolicy() { string res=""; if (fwopt->getBool("use_iptables_restore") && ! inSingleRuleCompileMode()) { res += "echo :PREROUTING ACCEPT [0:0]\n"; res += "echo :POSTROUTING ACCEPT [0:0]\n"; res += "echo :OUTPUT ACCEPT [0:0]\n"; } return res; } string NATCompiler_ipt::printAutomaticRules() { return ""; } string NATCompiler_ipt::commit() { string res=""; if(printRule!=NULL) { res += printRule->_commit(); } return res; } list NATCompiler_ipt::getUsedChains() { list res; for (map::iterator it=chain_usage_counter.begin(); it!=chain_usage_counter.end(); ++it) res.push_back(it->first); return res; } fwbuilder-5.3.7/src/iptlib/NATCompiler_ipt.h000066400000000000000000000512401303637203600207320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NATCOMPILER_IPT_HH__ #define __NATCOMPILER_IPT_HH__ #include #include "fwcompiler/NATCompiler.h" #include "fwbuilder/RuleElement.h" #include #include #include #include #include namespace libfwbuilder { class Host; class IPService; class ICMPService; class TCPService; class UDPService; class RuleElementOSrc; class RuleElementODst; class RuleElementOSrv; class RuleElementTSrc; class RuleElementTDst; class RuleElementTSrv; }; namespace fwcompiler { class NATCompiler_ipt : public NATCompiler { protected: class PrintRule; NATCompiler_ipt::PrintRule *printRule; bool have_dynamic_interfaces; bool using_ipset; std::map chain_usage_counter; // use minus_n_commands map to track creation of chains. // Using external map object for this to be able to track // new chains across different compiler runs (used to process // rules in different policy or nat objects) std::map *minus_n_commands; // This map is located in CompilerDriver_ipt const std::map > *branch_ruleset_to_chain_mapping; QMap regular_interfaces; static const std::list& getStandardChains(); std::string getInterfaceVarName(libfwbuilder::FWObject *iface, bool v6=false); std::string getAddressTableVarName(libfwbuilder::FWObject *iface); /** * internal: scans child objects of interface iface, both IPv4 * and physAddress, and puts them in the list ol. Since iptables * supports matching on MAc addresses, we create objects of * the class combinedAddress here from each pair of physAddress * and IPV4 */ virtual void _expand_interface(libfwbuilder::Rule *rule, libfwbuilder::Interface *iface, std::list &ol, bool expand_cluster_interfaces_fully); virtual std::string debugPrintRule(libfwbuilder::Rule *rule); /** * convert load balancing rules into DNAT rules with address * range in TDst. 
If objects in TDst do not constitute a * consecutive address range, abort with an error message */ DECLARE_NAT_RULE_PROCESSOR(ConvertLoadBalancingRules); /** * this processor spits SDNAT rule onto SNAT and DNAT rules. * SDNAT rule translates both source and destination. */ DECLARE_NAT_RULE_PROCESSOR(splitSDNATRule); /** * this processor spits NAT rule with action Branch to * generate iptables commands in all chains that it needs */ DECLARE_NAT_RULE_PROCESSOR(splitNATBranchRule); /** * verifies correctness of the NAT rules */ DECLARE_NAT_RULE_PROCESSOR(VerifyRules); /** * verifies correctness of the NAT rules - this one * specifically * checks for some inconsistencies between * OSrv and TSrv and should * only be used after * splitServices */ DECLARE_NAT_RULE_PROCESSOR(VerifyRules2); /** * verifies correctness of the combination of interface * specification and chain. */ DECLARE_NAT_RULE_PROCESSOR(VerifyRules3); /** * splits rule with multiple objects in ODst. This needs to be * done only * for DNAT rules. Call this processor when * negation has been dealt with already. */ DECLARE_NAT_RULE_PROCESSOR(splitOnODst); /** * splits rule with multiple service objects in OSrv onto * several rules */ DECLARE_NAT_RULE_PROCESSOR(splitOnOSrv); /** * process special case: multiple objects in osrv and * tsrv!=any. Need to convert to atomic by OSrv before * using classifyNATRule. */ DECLARE_NAT_RULE_PROCESSOR(convertToAtomicportForOSrv); /** * process special case: rule that translates dest. port but * does not change addresses (tsrc==any, tdst==any, tsrv!=any) * Need to copy odst to tdst. */ DECLARE_NAT_RULE_PROCESSOR(portTranslationRules); /** * processor portTranslationRules copies ODst into TDst * for rules that only do port translations and where TDst * is "any". 
In case ODst was firewall or one of its interfaces, * we should set rule type to NATRule::REDIRECT */ DECLARE_NAT_RULE_PROCESSOR(specialCaseWithRedirect); class splitRuleIfRuleElementIsDynamicInterface : public NATRuleProcessor { std::string re_type; public: splitRuleIfRuleElementIsDynamicInterface(const std::string &n,std::string _type): NATRuleProcessor(n) { re_type=_type; } virtual bool processNext(); }; /** * splits rule if one of the objects in tsrc is * interface * with dynamic address */ class splitOnDynamicInterfaceInTSrc : public splitRuleIfRuleElementIsDynamicInterface { public: splitOnDynamicInterfaceInTSrc(const std::string &n): splitRuleIfRuleElementIsDynamicInterface(n,libfwbuilder::RuleElementTSrc::TYPENAME) {} }; /** * splits rule if one of the objects in odst is * interface * with dynamic address */ class splitOnDynamicInterfaceInODst : public splitRuleIfRuleElementIsDynamicInterface { public: splitOnDynamicInterfaceInODst(const std::string &n): splitRuleIfRuleElementIsDynamicInterface(n,libfwbuilder::RuleElementODst::TYPENAME) {} }; /** * checks for the following situations: * * 1. an unnumbered interface is in OSrc and rule rtype is Masq * or SNAT (drop interface from src since source address is * undertermined) * * 2. an unnumbered interface is in ODst and rule type is * DNAT (drop interface since dest. 
address is undefined) * */ friend class specialCaseWithUnnumberedInterface; class specialCaseWithUnnumberedInterface : public NATRuleProcessor { bool dropUnnumberedInterface(libfwbuilder::RuleElement *re); public: specialCaseWithUnnumberedInterface(const std::string &name) : NATRuleProcessor(name) {} virtual bool processNext(); }; friend class checkForDynamicInterfacesOfOtherObjects; class checkForDynamicInterfacesOfOtherObjects : public NATRuleProcessor { void findDynamicInterfaces(libfwbuilder::RuleElement *re, libfwbuilder::Rule *rule); public: checkForDynamicInterfacesOfOtherObjects(const std::string &name) : NATRuleProcessor(name) {} virtual bool processNext(); }; /** * fills translated service with the copy of original srv */ DECLARE_NAT_RULE_PROCESSOR(fillTranslatedSrv); /** * Assigns NAT rules to interfaces * * This processor works together with * ReplaceFirewallObjectsTSrc and ConvertToAtomicRules. If the * first two left interface object in TSrc, AssignInterfaces * assigns this rule to the corresponding interface. Rule * wont'be assigned to any interface if object in TSrc is not * an interface or an address of interface. 
*/ friend class AssignInterface; class AssignInterface : public NATRuleProcessor { public: AssignInterface(const std::string &name) : NATRuleProcessor(name) {} virtual bool processNext(); }; /** * calls OSConfigurator to add virtual * address to the * firewall if it is needed for NAT rule */ DECLARE_NAT_RULE_PROCESSOR(addVirtualAddress); /** * replaces references to the firewall in odst * with * references to its external interfaces */ DECLARE_NAT_RULE_PROCESSOR(ReplaceFirewallObjectsODst); /** * replaces references to the firewall in tsrc with * references to its interfaces in SNAT rules */ DECLARE_NAT_RULE_PROCESSOR(ReplaceFirewallObjectsTSrc); /** * distinguishes SNAT from Masquerading (can do * this after * firewall objects has been replaced with its * interfaces * and basic NAT rule type has been determined) */ DECLARE_NAT_RULE_PROCESSOR(dynamicInterfaceInTSrc); /** * takes care of dynamic interfaces in ODst (if ODst contains * interface and its address is dynamic, replace it with any) */ DECLARE_NAT_RULE_PROCESSOR(dynamicInterfaceInODst); /** * splits rule element if src or dst contains * address * range. This inspector differs from the standard one * in * the base class NATCompiler */ DECLARE_NAT_RULE_PROCESSOR(ExpandAddressRanges); /** * splits rules so multiport module can be used (only works for UDP and TCP) */ DECLARE_NAT_RULE_PROCESSOR(prepareForMultiport); /** * splits rules using multiple ICMP services */ DECLARE_NAT_RULE_PROCESSOR(splitMultipleICMP); /** * deals with negation in OSrc */ DECLARE_NAT_RULE_PROCESSOR(doOSrcNegation); /** * deals with negation in ODst */ DECLARE_NAT_RULE_PROCESSOR(doODstNegation); /** * deals with negation in OSrv */ DECLARE_NAT_RULE_PROCESSOR(doOSrvNegation); /** * splits DNAT rule if "Assume firewall is part of any" is ON * and OSrc is any. Need this to take care of the case with * packets originating on the firewall in DNAT rules. 
*/ DECLARE_NAT_RULE_PROCESSOR(splitIfOSrcAny); /** * splits NONAT rule and assigns chains to PREROUTING, * POSTROUTING and OUTPUT. Always call this processor before * decideOnChain */ DECLARE_NAT_RULE_PROCESSOR(splitNONATRule); /** * sets chain and possibly splits a NAT rule if firewall or * its interface is in OSrc. */ DECLARE_NAT_RULE_PROCESSOR(localNATRule); /** * special case of DNAT rule for packets originated on the * firewall itself * (should go to the OUTPUT chain) */ DECLARE_NAT_RULE_PROCESSOR(DNATforFW); /** * decides what chain this rule should go to. */ DECLARE_NAT_RULE_PROCESSOR(decideOnChain); /** * decides on "jump to" chain */ DECLARE_NAT_RULE_PROCESSOR(decideOnTarget); /** * split rule for efficiency where multiple srcs & dsts are present */ DECLARE_NAT_RULE_PROCESSOR(splitMultiSrcAndDst); /** * MAC address filtering is permitted only in DNAT rules (only * in PREROUTING chain) */ DECLARE_NAT_RULE_PROCESSOR(verifyRuleWithMAC); /** * eliminates duplicate objects in SRC. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInOSRC : public eliminateDuplicatesInRE { public: eliminateDuplicatesInOSRC(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementOSrc::TYPENAME) {} }; /** * eliminates duplicate objects in DST. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInODST : public eliminateDuplicatesInRE { public: eliminateDuplicatesInODST(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementODst::TYPENAME) {} }; /** * eliminates duplicate objects in SRV. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInOSRV : public eliminateDuplicatesInRE { public: eliminateDuplicatesInOSRV(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementOSrv::TYPENAME) {} }; /** * Split rule if MultiAddress object is used in RE to make * sure it is single object. 
*/ class processMultiAddressObjectsInRE : public NATRuleProcessor { std::string re_type; public: processMultiAddressObjectsInRE(const std::string &name, const std::string &t) : NATRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; class processMultiAddressObjectsInOSrc : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInOSrc(const std::string &n) : processMultiAddressObjectsInRE( n, libfwbuilder::RuleElementOSrc::TYPENAME) {} }; class processMultiAddressObjectsInODst : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInODst(const std::string &n) : processMultiAddressObjectsInRE( n, libfwbuilder::RuleElementODst::TYPENAME) {} }; class processMultiAddressObjectsInTSrc : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInTSrc(const std::string &n) : processMultiAddressObjectsInRE( n, libfwbuilder::RuleElementTSrc::TYPENAME) {} }; class processMultiAddressObjectsInTDst : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInTDst(const std::string &n) : processMultiAddressObjectsInRE( n, libfwbuilder::RuleElementTDst::TYPENAME) {} }; /** * count how many times each user-defined chain we've created is * used. We should be able to drop unused chains. */ DECLARE_NAT_RULE_PROCESSOR(countChainUsage); /** * prints single policy rule, assuming all * groups have * been expanded, so source, destination and * service hold * exactly one object each, and this object is * not a * group. Negation should also have been taken care of * * before this method is called. */ class PrintRule : public NATRuleProcessor { protected: bool init; bool print_once_on_top; bool minus_n_tracker_initialized; std::string current_rule_label; std::string version; void initializeMinusNTracker(); QString getInterfaceName(libfwbuilder::RuleElement *itf_re); /* * Prints single --option with argument and negation "!" 
* taking into account the change that happened in iptables 1.4.3.1 * that causes warning * Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`). */ virtual std::string _printSingleOptionWithNegation( const std::string &option, libfwbuilder::RuleElement *rel, const std::string &arg); virtual std::string _createChain(const std::string &chain); virtual std::string _startRuleLine(); virtual std::string _endRuleLine(); virtual std::string _printRuleLabel(libfwbuilder::NATRule *r); virtual std::string _printProtocol(libfwbuilder::Service *srv); virtual std::string _printSrcService(libfwbuilder::RuleElementOSrv *o); virtual std::string _printDstService(libfwbuilder::RuleElementOSrv *o); virtual std::string _printICMP(libfwbuilder::ICMPService *srv); virtual std::string _printIP(libfwbuilder::IPService *srv); virtual std::string _printOPorts(int rs,int re); virtual std::string _printTPorts(int rs,int re); virtual std::string _printSrcPorts(libfwbuilder::Service *srv); virtual std::string _printDstPorts(libfwbuilder::Service *srv); virtual std::string _printSNATPorts(libfwbuilder::Service *srv); virtual std::string _printDNATPorts(libfwbuilder::Service *srv); virtual std::string _printMultiport(libfwbuilder::NATRule *r); virtual std::string _printAddr(libfwbuilder::Address *o, bool print_mask=true, bool print_range=false); virtual std::string _printIpSetMatch( libfwbuilder::Address *o, libfwbuilder::RuleElement *rel); virtual std::string _printChainDirectionAndInterface(libfwbuilder::NATRule *r); virtual std::string _printSingleObjectNegation(libfwbuilder::RuleElement *rel); public: PrintRule(const std::string &name); void initialize(); virtual std::string _declareTable(); virtual std::string _commit(); virtual std::string _quote(const std::string &s); virtual bool processNext(); }; friend class NATCompiler_ipt::PrintRule; class PrintRuleIptRst : public PrintRule { virtual std::string _createChain(const std::string 
&chain); virtual std::string _startRuleLine(); virtual std::string _endRuleLine(); virtual std::string _printRuleLabel(libfwbuilder::NATRule *r); public: PrintRuleIptRst(const std::string &name) : PrintRule(name) {}; virtual std::string _declareTable(); virtual std::string _commit(); virtual std::string _quote(const std::string &s); virtual bool processNext(); }; friend class NATCompiler_ipt::PrintRuleIptRst; class PrintRuleIptRstEcho : public PrintRuleIptRst { virtual std::string _createChain(const std::string &chain); virtual std::string _startRuleLine(); virtual std::string _endRuleLine(); public: PrintRuleIptRstEcho(const std::string &name) : PrintRuleIptRst(name) {}; virtual std::string _declareTable(); virtual std::string _commit(); virtual std::string _quote(const std::string &s); virtual bool processNext(); }; friend class NATCompiler_ipt::PrintRuleIptRstEcho; virtual std::string myPlatformName(); public: NATCompiler_ipt(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf, std::map *m_n_commands_map) : NATCompiler(_db, fw, ipv6_policy, _oscnf) { have_dynamic_interfaces=false; printRule=NULL; minus_n_commands = m_n_commands_map; branch_ruleset_to_chain_mapping = NULL; } /** * this method registers chain used for the ruleset (most * often branch rule set). Since rules in the same ruleset do * not use this chain as target, rule processor * countChainUsage considers it unused. Registering it makes * sure its usage counter is > 0. 
*/ void registerRuleSetChain(const std::string &chain_name); virtual void verifyPlatform(); virtual int prolog(); virtual void compile(); virtual void epilog(); void setHaveDynamicInterfaces(bool f) { have_dynamic_interfaces=f; } virtual std::string flushAndSetDefaultPolicy(); virtual std::string printAutomaticRules(); std::string commit(); std::list getUsedChains(); static std::string getNewTmpChainName(libfwbuilder::NATRule *rule); void setRulesetToChainMapping(const std::map > *m) { branch_ruleset_to_chain_mapping = m; } }; } #endif fwbuilder-5.3.7/src/iptlib/OSConfigurator_ipcop.cpp000066400000000000000000000031021303637203600223640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id: OSConfigurator_linux24.cpp 756 2009-02-06 00:58:01Z vadim $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "OSConfigurator_ipcop.h" using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string OSConfigurator_ipcop::myPlatformName() { return "ipcop"; } OSConfigurator_ipcop::OSConfigurator_ipcop(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy) : OSConfigurator_linux24(_db, fw, ipv6_policy) { } void OSConfigurator_ipcop::addVirtualAddressForNAT(const Network*) { } void OSConfigurator_ipcop::addVirtualAddressForNAT(const Address*) { } int OSConfigurator_ipcop::prolog() { return 0; } void OSConfigurator_ipcop::epilog() { } fwbuilder-5.3.7/src/iptlib/OSConfigurator_ipcop.h000066400000000000000000000031161303637203600220360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id: OSConfigurator_linux24.h 752 2009-01-30 04:54:03Z vadim $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _OSNETWORKCONFIGURATOR_IPCOP_HH #define _OSNETWORKCONFIGURATOR_IPCOP_HH #include "config.h" #include "OSConfigurator_linux24.h" #include "OSData.h" namespace fwcompiler { class OSConfigurator_ipcop : public OSConfigurator_linux24 { public: virtual ~OSConfigurator_ipcop() {}; OSConfigurator_ipcop(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy); virtual std::string myPlatformName(); virtual int prolog(); virtual void epilog(); virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr); virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw); }; } #endif fwbuilder-5.3.7/src/iptlib/OSConfigurator_linux24.cpp000066400000000000000000000546561303637203600226030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "OSConfigurator_linux24.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Network.h" #include "fwbuilder/Address.h" #include "fwbuilder/Resources.h" #include "fwbuilder/MultiAddress.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/XMLTools.h" #include "Configlet.h" #ifndef _WIN32 # include #endif #include #include #include #include #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string OSConfigurator_linux24::myPlatformName() { return "Linux24"; } OSConfigurator_linux24::OSConfigurator_linux24(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy) : OSConfigurator(_db, fw, ipv6_policy) , os_data(fw->getStr("host_OS")) { command_wrappers = new Configlet(fw, "linux24", "run_time_wrappers"); FWOptions* fwopt = fw->getOptionsObject(); string version = fw->getStr("version"); using_ipset = (XMLTools::version_compare(version, "1.4.1.1") >= 0 && fwopt->getBool("use_m_set")); } OSConfigurator_linux24::~OSConfigurator_linux24() { delete command_wrappers; } /* * this function generates acceptable shell variable name from * interface name. Note that PolicyCompiler_ipt::getInterfaceVarName() * and NATCompiler_ipt::getInterfaceVarName do the same thing and * these functions should be identical. * * TODO: really need to have one function for this instead of three in * three different classes. 
*/
/*
 * Build the name of the shell variable that carries the address of
 * dynamic interface @iface in the generated script: "i_" + interface
 * name with '.' and '-' replaced by '_' (so it is a legal shell
 * identifier), plus "_v6" when @v6 is true. Only these two characters
 * are rewritten; callers skip wildcard ("ppp*") interfaces themselves.
 */
string OSConfigurator_linux24::getInterfaceVarName(FWObject *iface, bool v6)
{
    ostringstream ostr;
    string iname=iface->getName();
    string::size_type p1;
    while ( (p1=iname.find("."))!=string::npos) iname=iname.replace(p1,1,"_");
    while ( (p1=iname.find("-"))!=string::npos) iname=iname.replace(p1,1,"_");
    ostr << "i_" << iname;
    if (v6) ostr << "_v6";
    return ostr.str();
}

/*
 * Publish string option @s to configlet @c under macro @option_name.
 * The companion macro "if_<option_name>" tells the configlet whether
 * the corresponding command is emitted at all: an empty option means
 * "do not touch this kernel setting".
 */
void OSConfigurator_linux24::setConfigletMacroForOptionStr(
    const string &s, Configlet *c, const char *option_name)
{
    // "" means no change, do not include the command in the script
    if (!s.empty())
    {
        c->setVariable(QString("if_") + option_name, 1);
        c->setVariable(option_name, s.c_str());
    } else
    {
        c->setVariable(QString("if_") + option_name, 0);
        c->setVariable(option_name, s.c_str());
    }
}

/*
 * Integer counterpart of setConfigletMacroForOptionStr(): @val < 0 means
 * "no change" and disables the command via "if_<option_name>".
 */
void OSConfigurator_linux24::setConfigletMacroForOptionInt(
    int val, Configlet *c, const char *option_name)
{
    // -1 means no change, do not include the command in the script
    if (val >= 0)
    {
        c->setVariable(QString("if_") + option_name, 1);
        c->setVariable(option_name, val);
    } else
    {
        c->setVariable(QString("if_") + option_name, 0);
        c->setVariable(option_name, 0);
    }
}

/*
 * Emit the kernel-tuning part of the script (configlets "kernel_vars"
 * and "conntrack") into @output. Every sysctl-style knob, including the
 * hardening ones (rp_filter, accept_source_route, accept_redirects,
 * log_martians, tcp_syncookies), is only written when the firewall
 * option is set explicitly; an empty option leaves the running kernel
 * value untouched. Integer knobs treat 0 as "use kernel default".
 */
void OSConfigurator_linux24::processFirewallOptions()
{
    Configlet kernel_vars(fw, "linux24", "kernel_vars");
    kernel_vars.removeComments();
    kernel_vars.collapseEmptyStrings(true);
    FWOptions* options = fw->getOptionsObject();
    setConfigletMacroForOptionStr(options->getStr("linux24_ip_dynaddr"), &kernel_vars, "linux24_ip_dynaddr");
    setConfigletMacroForOptionStr(options->getStr("linux24_rp_filter"), &kernel_vars, "linux24_rp_filter");
    setConfigletMacroForOptionStr(options->getStr("linux24_accept_source_route"), &kernel_vars, "linux24_accept_source_route");
    setConfigletMacroForOptionStr(options->getStr("linux24_accept_redirects"), &kernel_vars, "linux24_accept_redirects");
    setConfigletMacroForOptionStr(options->getStr("linux24_log_martians"), &kernel_vars, "linux24_log_martians");
    setConfigletMacroForOptionStr(options->getStr("linux24_icmp_echo_ignore_broadcasts"), &kernel_vars, "linux24_icmp_echo_ignore_broadcasts");
    setConfigletMacroForOptionStr(options->getStr("linux24_icmp_echo_ignore_all"), &kernel_vars, "linux24_icmp_echo_ignore_all");
    setConfigletMacroForOptionStr(options->getStr("linux24_icmp_ignore_bogus_error_responses"), &kernel_vars, "linux24_icmp_ignore_bogus_error_responses");
    setConfigletMacroForOptionStr(options->getStr("linux24_tcp_window_scaling"), &kernel_vars, "linux24_tcp_window_scaling");
    setConfigletMacroForOptionStr(options->getStr("linux24_tcp_sack"), &kernel_vars, "linux24_tcp_sack");
    setConfigletMacroForOptionStr(options->getStr("linux24_tcp_fack"), &kernel_vars, "linux24_tcp_fack");
    setConfigletMacroForOptionStr(options->getStr("linux24_tcp_syncookies"), &kernel_vars, "linux24_tcp_syncookies");
    setConfigletMacroForOptionStr(options->getStr("linux24_tcp_ecn"), &kernel_vars, "linux24_tcp_ecn");
    setConfigletMacroForOptionStr(options->getStr("linux24_tcp_timestamps"), &kernel_vars, "linux24_tcp_timestamps");
    // 0 in the GUI means "kernel default"; the Int helper expects -1 for that
    int opt = options->getInt("linux24_tcp_fin_timeout");
    setConfigletMacroForOptionInt((opt==0)?-1:opt, &kernel_vars, "linux24_tcp_fin_timeout");
    opt = options->getInt("linux24_tcp_keepalive_interval");
    setConfigletMacroForOptionInt((opt==0)?-1:opt, &kernel_vars, "linux24_tcp_keepalive_interval");
    Configlet conntrack_vars(fw, "linux24", "conntrack");
    conntrack_vars.removeComments();
    conntrack_vars.collapseEmptyStrings(true);
    string version = fw->getStr("version");
    bool version_ge_1_4 = XMLTools::version_compare(version, "1.4.0") >= 0;
    conntrack_vars.setVariable("iptables_version_ge_1_4", version_ge_1_4);
    conntrack_vars.setVariable("iptables_version_lt_1_4", !version_ge_1_4);
    // if conntrack_max and conntrack_hashsize are equal to 0, we do
    // not add commands from the configlet (so the kernel defaults are
    // used). Options above assume -1 is the default. Need to pass -1
    // instead of 0 for the conntrack vars
    opt = options->getInt("linux24_conntrack_max");
    setConfigletMacroForOptionInt( (opt==0)?-1:opt, &conntrack_vars, "conntrack_max");
    opt = options->getInt("linux24_conntrack_hashsize");
    setConfigletMacroForOptionInt( (opt==0)?-1:opt, &conntrack_vars, "conntrack_hashsize");
    // This option uses three-state control and assumes empty string is the default
    setConfigletMacroForOptionStr( options->getStr("linux24_conntrack_tcp_be_liberal"), &conntrack_vars, "conntrack_tcp_be_liberal");
    output << kernel_vars.expand().toStdString();
    output << endl;
    output << conntrack_vars.expand().toStdString();
}

/*
 * Record every address of network @nw as a virtual address to be added
 * to the interface that findInterfaceFor() picks, so NAT rules using it
 * work. Only active when option "manage_virtual_addr" is set; the
 * network address is remembered in @virtual_addresses so the same
 * object is never added twice. Addresses are accumulated per interface
 * as a space-separated string in @virtual_addresses_for_nat.
 */
void OSConfigurator_linux24::addVirtualAddressForNAT(const Network *nw)
{
    FWOptions* options=fw->getOptionsObject();
    if (options->getBool("manage_virtual_addr"))
    {
        if (virtual_addresses.empty() || find(virtual_addresses.begin(),virtual_addresses.end(), *(nw->getAddressPtr())) == virtual_addresses.end())
        {
            Interface *iface = findInterfaceFor( nw, fw );
            if (iface!=NULL)
            {
                const InetAddr *addr = nw->getAddressPtr();
                InetAddr first, last;
                InetAddr a;
                first = *addr;
                last = *(nw->getBroadcastAddressPtr());
                QStringList addresses;
                // NOTE(review): the loop header/body below was damaged in
                // extraction (text between '<' and the next '>' is missing);
                // presumably it walks from @first to @last appending each
                // address, then checks virtual_addresses_for_nat -- verify
                // against the upstream file before relying on this line.
                for (a=first; agetName()) > 0) addresses.push_front(virtual_addresses_for_nat[iface->getName()].c_str());
                virtual_addresses_for_nat[iface->getName()] = addresses.join(" ").toStdString();
                virtual_addresses.push_back( *(nw->getAddressPtr()) );
                registerVirtualAddressForNat();
            } else
                warning("Can not add virtual address " + nw->getAddressPtr()->toString() + " (object " + nw->getName() + ")" );
        }
    }
}

/*
 * Same as above for a single address object: the address is recorded
 * as "addr/prefixlen" on the interface owning the address object that
 * findAddressFor() returns; the prefix length is taken from that object.
 */
void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr)
{
    FWOptions* options=fw->getOptionsObject();
    if ( options->getBool("manage_virtual_addr") )
    {
        const InetAddr *addr_addr = addr->getAddressPtr();
        if (virtual_addresses.empty() || find(virtual_addresses.begin(), virtual_addresses.end(), *addr_addr) == virtual_addresses.end())
        {
            FWObject *vaddr = findAddressFor(addr, fw );
            if (vaddr!=NULL)
            {
                Interface *iface = Interface::cast(vaddr->getParent());
                assert(iface!=NULL);
                QStringList addresses;
                const InetAddr *vaddr_netm = Address::cast(vaddr)->getNetmaskPtr();
                addresses.push_back(QString("%1/%2").
                                    arg(addr_addr->toString().c_str()).
                                    arg(vaddr_netm->getLength()));
                if (virtual_addresses_for_nat.count(iface->getName()) > 0)
                    addresses.push_front(virtual_addresses_for_nat[iface->getName()].c_str());
                virtual_addresses_for_nat[iface->getName()] = addresses.join(" ").toStdString();
                virtual_addresses.push_back(*(addr_addr));
                registerVirtualAddressForNat();
            } else
                warning("Can not add virtual address for object " + addr->getName());
        }
        return;
    }
}

/*
 * Turn an object name into a name usable for an address table / ipset.
 * Only ' ', '+', '*', '!', '#' and '|' are rewritten to '_'. The result
 * is later placed inside a double-quoted word of the generated shell
 * script (see printRunTimeAddressTablesCode()), where '"', '$', '`' and
 * '\' still have meaning -- those are not rewritten here, so the object
 * name in the .fwb data file is trusted as-is.
 */
string OSConfigurator_linux24::normalizeSetName(const string &txt)
{
    QString table_name = txt.c_str();
    table_name.replace(QRegExp("[ +*!#|]"), "_");
    return table_name.toStdString();
}

/*
 * Remember run-time address table @at: normalized name -> source file
 * name. Consumed by printRunTimeAddressTablesCode().
 */
void OSConfigurator_linux24::registerMultiAddressObject(MultiAddressRunTime *at)
{
    // std::map
    address_table_objects[normalizeSetName(at->getName())] = at->getSourceName();
}

/* Nothing to prepare for this platform; always succeeds. */
int OSConfigurator_linux24::prolog()
{
    return 0;
}

/**
 * Print shell functions used by the script: the generic "shell_functions"
 * configlet, the utility checks ("check_utilities"), the table reset
 * ("reset_iptables", with "-w" for iptables >= 1.4.20) and the address,
 * vlan, bridge and bonding helpers that are enabled by firewall options.
 * @have_ipv6 only decides whether ip6tables-restore must be present.
 * Returns the pieces joined by newlines.
 */
string OSConfigurator_linux24::printShellFunctions(bool have_ipv6)
{
    QStringList output;
    FWOptions* options = fw->getOptionsObject();
    string version = fw->getStr("version");
    // string host_os = fw->getStr("host_OS");
    // string os_family = Resources::os_res[host_os]->
    // getResourceStr("/FWBuilderResources/Target/family");
    Configlet shell_functions(fw, "linux24", "shell_functions");
    output.push_back(shell_functions.expand());
    /* check if package iproute2 is installed, but do this only if
     * we really need /usr/sbin/ip */
    Configlet configlet(fw, "linux24", "check_utilities");
    configlet.removeComments();
    configlet.collapseEmptyStrings(true);
    configlet.setVariable("load_modules", options->getBool("load_modules"));
    if (options->getBool("load_modules") || options->getBool("configure_vlan_interfaces") || options->getBool("configure_bonding_interfaces"))
    {
        configlet.setVariable("need_modprobe", true);
    }
    if (options->getBool("verify_interfaces") || options->getBool("manage_virtual_addr") || options->getBool("configure_interfaces") )
    {
        configlet.setVariable("need_vconfig", options->getBool("configure_vlan_interfaces"));
        configlet.setVariable("need_brctl", options->getBool("configure_bridge_interfaces"));
        configlet.setVariable("need_ifenslave", options->getBool("configure_bonding_interfaces"));
    }
    configlet.setVariable("need_ipset", using_ipset);
    configlet.setVariable("need_iptables_restore", options->getBool("use_iptables_restore"));
    configlet.setVariable("need_ip6tables_restore", have_ipv6 && options->getBool("use_iptables_restore"));
    output.push_back(configlet.expand());
    /*
     * Generate commands to reset all tables and chains and set
     * default policy
     */
    Configlet reset_iptables(fw, "linux24", "reset_iptables");
    if (XMLTools::version_compare(version, "1.4.20") >= 0)
        reset_iptables.setVariable("opt_wait", "-w");
    else
        reset_iptables.setVariable("opt_wait", "");
    output.push_back(reset_iptables.expand());
    Configlet addr_conf(fw, "linux24", "update_addresses");
    output.push_back(addr_conf.expand());
    if (options->getBool("configure_vlan_interfaces"))
    {
        Configlet conf(fw, "linux24", "update_vlans");
        output.push_back(conf.expand());
    }
    if (options->getBool("configure_bridge_interfaces"))
    {
        Configlet conf(fw, "linux24", "update_bridge");
        output.push_back(conf.expand());
    }
    if (options->getBool("configure_bonding_interfaces"))
    {
        Configlet conf(fw, "linux24", "update_bonding");
        output.push_back(conf.expand());
    }
    return output.join("\n").toStdString();
}

/*
 * Generate the "check_file"/"reload_address_table" calls for every
 * registered run-time address table that has a file name. Name and file
 * are wrapped in double quotes but not escaped, so both must be free of
 * characters that are special inside a double-quoted shell word.
 */
string OSConfigurator_linux24::printRunTimeAddressTablesCode()
{
    Configlet conf(fw, "linux24", "run_time_address_tables");
    conf.setVariable("using_ipset", using_ipset);
    ostringstream check_ostr;
    ostringstream load_ostr;
    map::iterator i;
    for (i=address_table_objects.begin(); i!=address_table_objects.end(); ++i)
    {
        string at_name = i->first;
        string at_file = i->second;
        // If the file name is empty, this run-time table is
        // completely controlled by the user outside fwbuilder so we
        // do not need to add commands to check if the file exits and
        // load it
        if (!at_file.empty())
        {
            check_ostr << "check_file \"" + at_name + "\" \"" + at_file + "\"" << endl;
            load_ostr << "reload_address_table \"" + at_name + "\" \"" + at_file + "\"" << endl;
        }
    }
    conf.setVariable("check_files_commands", check_ostr.str().c_str());
    conf.setVariable("load_files_commands", load_ostr.str().c_str());
    return conf.expand().toStdString();
}

/*
 * Resolve the path of tool @tool_name for the firewall. Precedence:
 * 1. firewall option "linux24_<attr>" (user override, used verbatim);
 * 2. resource /FWBuilderResources/Target/tools/<os_variant>/<attr>;
 * 3. the same entry under "Unknown" when the variant has none.
 * The value ends up in the generated script as VAR="<path>" (see
 * printPathForAllTools()), so an override is trusted as given.
 */
string OSConfigurator_linux24::getPathForATool(const std::string &os_variant, OSData::tools tool_name)
{
    FWOptions* options = fw->getOptionsObject();
    string attr = os_data.getAttributeNameForTool(tool_name);
    string s = options->getStr("linux24_" + attr);
    if (!s.empty()) return s;
    string host_os = fw->getStr("host_OS");
    string r = "/FWBuilderResources/Target/tools/" + os_variant + "/" + attr;
    if (Resources::os_res[host_os]->getResourceStr(r).empty())
        r = "/FWBuilderResources/Target/tools/Unknown/" + attr;
    return Resources::os_res[host_os]->getResourceStr(r);
}

/* One VAR="path" line per tool known to @os_data, for OS variant @os. */
string OSConfigurator_linux24::printPathForAllTools(const string &os)
{
    ostringstream res;
    list::const_iterator i;
    const list &all_tools = os_data.getAllTools();
    for (i=all_tools.begin(); i!=all_tools.end(); ++i)
        res << os_data.getVariableName(OSData::tools(*i)) << "=\"" << getPathForATool(os, OSData::tools(*i)) << "\"" << endl;
    return res.str();
}

/*
 * Expand the "load_modules" configlet. Module loading is emitted only
 * when the firewall option asks for it and the host OS resource does
 * not suppress modules; the modules directory comes from the resource
 * file too.
 */
string OSConfigurator_linux24::generateCodeForProtocolHandlers()
{
    FWOptions* options = fw->getOptionsObject();
    bool nomod = Resources::os_res[fw->getStr("host_OS")]->
        Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_modules");
    // string host_os = fw->getStr("host_OS");
    // string os_family = Resources::os_res[host_os]->
    // getResourceStr("/FWBuilderResources/Target/family");
    Configlet load_modules(fw, "linux24", "load_modules");
    load_modules.removeComments();
    // See ticket #2
    string modules_dir = Resources::os_res[fw->getStr("host_OS")]->
        Resources::getResourceStr("/FWBuilderResources/Target/options/default/modules_dir");
    /* there is no need to load modules on some platforms */
    load_modules.setVariable("load_modules", options->getBool("load_modules") && !nomod);
    load_modules.setVariable("modules_dir", modules_dir.c_str());
    return load_modules.expand().toStdString();
}

/*
 * If @command references an address table variable "$at_<name>", wrap
 * it with the "command_wrappers" configlet so the script iterates over
 * the table's file (rule attribute "address_table_file"). A multi-line
 * command is grouped in "{ ... }" first. Commands without such a
 * reference are returned unchanged.
 */
QString OSConfigurator_linux24::addressTableWrapper(FWObject *rule, const QString &command, bool ipv6)
{
    QString combined_command = command;
    QRegExp address_table_re("\\$at_(\\S+)");
    int pos = address_table_re.indexIn(command);
    if (pos > -1)
    {
        QStringList command_lines = QString(command).split("\n", QString::SkipEmptyParts);
        if (command_lines.size() > 1)
        {
            command_lines.push_front("{");
            command_lines.push_back("}");
        }
        combined_command = command_lines.join("\n");
        command_wrappers->clear();
        command_wrappers->removeComments();
        command_wrappers->collapseEmptyStrings(true);
        command_wrappers->setVariable("ipv6", ipv6);
        QString at_var = address_table_re.cap(1);
        QString at_file = rule->getStr("address_table_file").c_str();
        command_wrappers->setVariable("address_table_file", at_file);
        command_wrappers->setVariable("address_table_var", at_var);
        command_wrappers->setVariable("command", combined_command);
        command_wrappers->setVariable("address_table", true);
        command_wrappers->setVariable("wildcard_interface", false);
        command_wrappers->setVariable("no_dyn_addr", false);
        command_wrappers->setVariable("one_dyn_addr", false);
        command_wrappers->setVariable("two_dyn_addr", false);
        combined_command = command_wrappers->expand();
    }
    return combined_command;
}

/*
 * Wrap an iptables @command so it only runs when the dynamic-interface
 * variables it references ("$i_<name>") hold a value. A wildcard name
 * ("$i_ppp*") switches to the interface-family form and replaces the
 * variable with "$addr"; otherwise the configlet gets the one- or
 * two-address form. When ipset is not in use the address-table wrapper
 * is applied first. Returns the expanded text plus a trailing newline.
 */
string OSConfigurator_linux24::printRunTimeWrappers(FWObject *rule, const string &command, bool ipv6)
{
    /* if anywhere in command_line we used variable holding an address of
     * dynamic interface (named $i_something) then we need to add this
     * command with a check for the value of this variable. We execute
     * iptables command only if the value is a non-empty string.
     *
     * bug #1851166: there could be two dynamic interfaces in the same
     * rule.
     */
    bool wildcard_interface = false;
    QString combined_command;
    if (using_ipset)
        combined_command = command.c_str();
    else
        combined_command = addressTableWrapper(rule, command.c_str(), ipv6);
    command_wrappers->clear();
    command_wrappers->removeComments();
    command_wrappers->collapseEmptyStrings(true);
    command_wrappers->setVariable("ipv6", ipv6);
    command_wrappers->setVariable("address_table", false);
    QRegExp intf_re("\\$i_([^ :]+)");
    QStringList iface_names;
    QStringList iface_vars;
    int pos = -1;
    while ((pos = intf_re.indexIn(combined_command, pos + 1)) > -1)
    {
        QString name = intf_re.cap(1);
        int match_len = intf_re.matchedLength();
        iface_names.push_back(name);
        iface_vars.push_back("$i_" + name);
        if (name.contains("*"))
        {
            wildcard_interface = true;
            QString intf_family = name.section('*', 0, 0);
            command_wrappers->setVariable("interface_family_name", intf_family);
            // replace $i_ppp* with $addr. This must match shell code
            // in the configlet run_time_wrappers
            combined_command.replace(pos, match_len, "$addr");
            break;
        }
    }
    bool no_wrapper = !wildcard_interface && iface_names.size() == 0;
    if (!no_wrapper)
    {
        QStringList command_lines = QString(combined_command).split("\n", QString::SkipEmptyParts);
        if (command_lines.size() > 1)
        {
            command_lines.push_front("{");
            command_lines.push_back("}");
        }
        combined_command = command_lines.join("\n");
    }
    command_wrappers->setVariable("no_wrapper", no_wrapper);
    command_wrappers->setVariable("wildcard_interface", wildcard_interface);
    command_wrappers->setVariable("one_dyn_addr", !wildcard_interface && iface_names.size() == 1);
    command_wrappers->setVariable("two_dyn_addr", !wildcard_interface && iface_names.size() > 1);
    // NOTE(review): this loop was damaged in extraction (text between '<'
    // and the next '>' is missing); it presumably iterates over
    // iface_names and publishes each as "intf_<n>_var_name" -- verify
    // against the upstream file before relying on this line.
    for (int idx=0; idxsetVariable(QString("intf_%1_var_name").arg(idx+1), intf_name);
    }
    command_wrappers->setVariable("command", combined_command);
    return command_wrappers->expand().toStdString() + "\n";
}

/*
 * Expand the "ip_forwarding" configlet. For each family the command is
 * emitted only when the option is non-empty; forwarding is switched on
 * for the values "1", "On" and "on" and explicitly switched off for any
 * other non-empty value.
 */
string OSConfigurator_linux24::printIPForwardingCommands()
{
    /* Turn on packet forwarding if we have to */
    // string os_family = Resources::os_res[fw->getStr("host_OS")]->
    // getResourceStr("/FWBuilderResources/Target/family");
    FWOptions* options = fw->getOptionsObject();
    Configlet ip_forwarding(fw, "linux24", "ip_forwarding");
    ip_forwarding.removeComments();
    ip_forwarding.collapseEmptyStrings(true);
    string s = options->getStr("linux24_ip_forward");
    ip_forwarding.setVariable("ipv4", !s.empty());
    ip_forwarding.setVariable("ipv4_forw", (s=="1" || s=="On" || s=="on")?1:0);
    s = options->getStr("linux24_ipv6_forward");
    ip_forwarding.setVariable("ipv6", !s.empty());
    ip_forwarding.setVariable("ipv6_forw", (s=="1" || s=="On" || s=="on")?1:0);
    return ip_forwarding.expand().toStdString();
}

/* Nothing to finalize for this platform. */
void OSConfigurator_linux24::epilog()
{
}

/* This configurator writes no auxiliary files; always returns an empty map. */
map OSConfigurator_linux24::getGeneratedFiles() const
{
    map files;
    return files;
}
fwbuilder-5.3.7/src/iptlib/OSConfigurator_linux24.h000066400000000000000000000112171303637203600222320ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef _OSCONFIGURATOR_LINUX24_HH
#define _OSCONFIGURATOR_LINUX24_HH

#include "config.h"
#include "fwcompiler/OSConfigurator.h"
#include "OSData.h"

class QString;
class QStringList;

namespace libfwbuilder {
    class FWObject;
    class MultiAddressRunTime;
};

class Configlet;

namespace fwcompiler {

    /*
     * OS configurator for Linux 2.4/2.6 iptables hosts. Produces the
     * non-rule parts of the generated firewall script: kernel sysctl
     * settings, module loading, tool paths, interface / vlan / bridge /
     * bonding configuration, virtual addresses for NAT, run-time address
     * tables and the wrappers that guard commands referencing dynamic
     * interface addresses. The generated text is shell code, so every
     * name and path taken from the data file ends up in a script that
     * the firewall runs.
     */
    class OSConfigurator_linux24 : public OSConfigurator {

        OSData os_data;
        // configlet reused for every run-time wrapper; cleared before each use
        Configlet *command_wrappers;
        // whether address tables are implemented with ipset
        bool using_ipset;
        // normalized address table name -> source file name
        std::map address_table_objects;

        // this vector is used to avoid duplication of virtual addresses for nat
        std::vector virtual_addresses;

        // map of virt. addresses for nat for each interface
        // (space-separated "addr/len" strings, keyed by interface name)
        std::map virtual_addresses_for_nat;

        // interfaces seen while generating address configuration; used by
        // printCommandsToClearKnownInterfaces()
        std::list known_interfaces;

        std::string getInterfaceVarName(libfwbuilder::FWObject *iface, bool v6=false);
        std::string getPathForATool(const std::string &os_variant, OSData::tools tool_name);
        void setConfigletMacroForOptionStr(const std::string &opt, Configlet *c, const char *option_name);
        void setConfigletMacroForOptionInt(int opt, Configlet *c, const char *option_name);
        virtual QString addressTableWrapper(libfwbuilder::FWObject *rule, const QString &command, bool ipv6=false);
        virtual QString printUpdateAddressCommand(
            libfwbuilder::Interface *intf, QStringList &update_addresses, QStringList &ignore_addresses);

    public:

        virtual ~OSConfigurator_linux24();
        OSConfigurator_linux24(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy);

        virtual std::string myPlatformName();

        virtual int prolog();
        virtual void epilog();

        bool usingIpSetModule() { return using_ipset; }

        /*
         * Try to find conflicts in subinterface types and unsupported
         * interface configurations.
         */
        virtual bool validateInterfaces();

        virtual void processFirewallOptions();
        virtual std::string generateCodeForProtocolHandlers();

        virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr);
        virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw);
        virtual void registerMultiAddressObject(libfwbuilder::MultiAddressRunTime *at);

        virtual std::string printShellFunctions(bool have_ipv6);
        virtual std::string printPathForAllTools(const std::string &os);
        virtual std::string printIPForwardingCommands();
        virtual std::string printRunTimeWrappers(libfwbuilder::FWObject *rule, const std::string &command, bool ipv6=false);

        virtual std::string printVerifyInterfacesCommands();
        virtual std::string printVirtualAddressesForNatCommands();
        virtual std::string printInterfaceConfigurationCommands();
        virtual std::string printCommandsToClearKnownInterfaces();
        virtual std::string printVlanInterfaceConfigurationCommands();
        virtual std::string printBridgeInterfaceConfigurationCommands();
        virtual std::string printBondingInterfaceConfigurationCommands();
        virtual std::string printDynamicAddressesConfigurationCommands();
        virtual std::string printRunTimeAddressTablesCode();

        virtual std::map getGeneratedFiles() const;

        // see the .cpp: only a narrow character class is rewritten
        std::string normalizeSetName(const std::string &txt);
    };
};

#endif
fwbuilder-5.3.7/src/iptlib/OSConfigurator_linux24_interfaces.cpp000066400000000000000000000604661303637203600250020ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.
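  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "config.h"

#include "OSConfigurator_linux24.h"

#include "fwbuilder/InetAddr.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/MultiAddress.h"
#include "fwbuilder/FailoverClusterGroup.h"

#include "interfaceProperties.h"
#include "interfacePropertiesObjectFactory.h"

#include "Configlet.h"

#ifndef _WIN32
# include
#endif

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

/*
 * Expand the "verify_interfaces" configlet with the de-duplicated list
 * of interface names of the firewall. Wildcard interfaces (name contains
 * '*') are skipped because they cannot be checked for existence.
 */
string OSConfigurator_linux24::printVerifyInterfacesCommands()
{
    // string os_family = Resources::os_res[fw->getStr("host_OS")]->
    // getResourceStr("/FWBuilderResources/Target/family");
    QStringList interfaces_to_check;
    list interfaces = fw->getByTypeDeep(Interface::TYPENAME);
    list::iterator i;
    for (i=interfaces.begin(); i!=interfaces.end(); ++i )
    {
        QString iface_name = (*i)->getName().c_str();
        /* if interface name ends with '*', this is a wildcard interface. Do
         * not check if it exists.
         */
        if (!iface_name.contains("*") && interfaces_to_check.indexOf(iface_name) == -1)
        {
            interfaces_to_check.push_back((*i)->getName().c_str());
        }
    }
    Configlet verify_interfaces(fw, "linux24", "verify_interfaces");
    verify_interfaces.setVariable("have_interfaces", interfaces_to_check.size());
    verify_interfaces.setVariable("interfaces", interfaces_to_check.join(" "));
    return verify_interfaces.expand().toStdString();
}

/*
 * Generate calls to the shell function update_addresses_of_interface
 * to add or remove ip addresses of interfaces. The following cases
 * are supported, depending on the value of
 * @add_virtual_addresses_for_nat and @configure_interfaces
 *
 * configure_interfaces == false && add_virtual_addresses_for_nat == false:
 * do not generate any commands
 *
 * configure_interfaces == false && add_virtual_addresses_for_nat == true:
 * use only virtual_addresses_for_nat, add normal addresses of the interface
 * to the list of addresses we should ignore
 *
 * configure_interfaces == true && add_virtual_addresses_for_nat == false:
 * ignore virtual_addresses_for_nat
 *
 * configure_interfaces == true && add_virtual_addresses_for_nat == true:
 * use virtual_addresses_for_nat
 *
 */
string OSConfigurator_linux24::printInterfaceConfigurationCommands()
{
    FWOptions* options = fw->getOptionsObject();
    std::auto_ptr int_prop(
        interfacePropertiesObjectFactory::getInterfacePropertiesObject(
            fw->getStr("host_OS")));
    Configlet script(fw, "linux24", "configure_interfaces");
    script.removeComments();
    script.collapseEmptyStrings(true);
    list interfaces = fw->getByTypeDeep(Interface::TYPENAME);
    bool need_promote_command = false;
    QStringList gencmd;
    list::iterator i;
    for (i=interfaces.begin(); i!=interfaces.end(); ++i )
    {
        Interface *iface = Interface::cast(*i);
        assert(iface);
        string iface_name = iface->getName();
        QStringList update_addresses;
        QStringList ignore_addresses;
        if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses))
        {
            if (options->getBool("manage_virtual_addr") &&
                virtual_addresses_for_nat.count(iface_name) > 0)
                update_addresses.push_back(
                    virtual_addresses_for_nat[iface_name].c_str());
            // generate update_addresses calls even if interface has
            // no addresses in fwbuilder. This makes sure all
            // addresses it might have on the machine will be
            // removed. Say, interface was regular and had an address
            // and then user converted it to unnumbered. In this case
            // the address should be removed.
            gencmd.push_back(
                printUpdateAddressCommand(iface, update_addresses, ignore_addresses));
            // update_addresses list looks like this:
            // ("eth0", "22.22.22.22/24", "22.22.22.23/24")
            // I need to add "promote" command only when there is more than 1 address.
            need_promote_command |= (update_addresses.size() > 2);
        }
        // every interface we looked at counts as "known", even when its
        // addresses are not managed
        known_interfaces.push_back(iface_name);
    }
    script.setVariable("have_interfaces", interfaces.size() > 0);
    script.setVariable("need_promote_command", need_promote_command);
    script.setVariable("configure_interfaces_script", gencmd.join("\n"));
    return script.expand().toStdString() + "\n";
}

/*
 * printVirtualAddressesForNatCommands() deals with the case when we
 * add virtual addresses for NAT but do not configure normal addresses
 * of interfaces
 */
string OSConfigurator_linux24::printVirtualAddressesForNatCommands()
{
    QStringList gencmd;
    std::auto_ptr int_prop(
        interfacePropertiesObjectFactory::getInterfacePropertiesObject(
            fw->getStr("host_OS")));
    list interfaces = fw->getByTypeDeep(Interface::TYPENAME);
    list::iterator i;
    for (i=interfaces.begin(); i!=interfaces.end(); ++i )
    {
        Interface *iface = Interface::cast(*i);
        assert(iface);
        string iface_name = iface->getName();
        QStringList update_addresses;
        QStringList ignore_addresses;
        // Return value of InterfaceProperties::manageIpAddresses()
        // signals if we should manage addresses of the interface at
        // all, so it is useful even if we are not going to use the
        // lists.
        if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses))
        {
            // we should not configure normal addresses of interfaces, but
            // should configure virtual addresses for nat. This means we should
            // add normal addresses to the ignore_addresses list.
            ignore_addresses += update_addresses;
            update_addresses.clear();
            if (virtual_addresses_for_nat.count(iface_name) > 0)
            {
                update_addresses.push_back(
                    virtual_addresses_for_nat[iface_name].c_str());
                gencmd.push_back(
                    printUpdateAddressCommand(iface, update_addresses, ignore_addresses));
            }
        }
        known_interfaces.push_back(iface_name);
    }
    return gencmd.join("\n").toStdString() + "\n";
}

/*
 * Emit "clear_addresses_except_known_interfaces <names...>" when option
 * "clear_unknown_interfaces" is set and at least one interface was seen
 * by the address-configuration pass. The shell function presumably
 * removes addresses from interfaces not in the list, so the empty-list
 * case is deliberately suppressed (see the comment below). Returns ""
 * when nothing should be emitted.
 */
string OSConfigurator_linux24::printCommandsToClearKnownInterfaces()
{
    if (fw->getOptionsObject()->getBool("clear_unknown_interfaces") && known_interfaces.size() > 0)
    {
        // last resort protection: if there are no interfaces with
        // addresses in fwbuilder configuration, we should not kill
        // all addresses of all interfaces on the firewall
        string res = "clear_addresses_except_known_interfaces ";
        for (list::iterator it=known_interfaces.begin(); it!=known_interfaces.end(); ++it)
        {
            res += *it + " ";
        }
        return res;
    }
    return "";
}

/*
 * Build one update_addresses_of_interface call. The interface name is
 * prepended to @update_addresses (the list is modified in place); both
 * lists are passed as double-quoted, space-separated words.
 */
QString OSConfigurator_linux24::printUpdateAddressCommand(
    Interface *intf, QStringList &update_addresses, QStringList &ignore_addresses)
{
    QStringList out;
    update_addresses.push_front(intf->getName().c_str());
    out.push_back("update_addresses_of_interface");
    out.push_back("\"" + update_addresses.join(" ") + "\"");
    out.push_back("\"" + ignore_addresses.join(" ") + "\"");
    return out.join(" ");
}

/*
 * For every interface with 8021q subinterfaces emit
 * "update_vlans_of_interface "<parent> <vlan...>"", then a final
 * "clear_vlans_except_known <vlan@parent ...>". Each vlan subinterface
 * name must match one of the four naming schemes derived from its
 * vlan_id (vlanNNNN, vlanN, dev.NNNN, dev.N); otherwise compilation is
 * aborted with a message listing the accepted names.
 */
string OSConfigurator_linux24::printVlanInterfaceConfigurationCommands()
{
    ostringstream out;
    // Generate code to call shell function "update_vlans"
    // http://www.cyberciti.biz/tips/howto-configure-linux-virtual-local-area-network-vlan.html
    // vconfig add eth0 5
    QStringList all_vlans;
    FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
    for ( ; i!=i.end(); ++i )
    {
        Interface *iface = Interface::cast(*i);
        assert(iface);
        QStringList vlan_interfaces;
        QString parent_interface = iface->getName().c_str();
        FWObjectTypedChildIterator si=iface->findByType(Interface::TYPENAME);
        for ( ; si!=si.end(); ++si )
        {
            Interface *subinterface = Interface::cast(*si);
            assert(subinterface);
            if (subinterface->getOptionsObject()->getStr("type") == "8021q")
            {
                vlan_interfaces.push_back(subinterface->getName().c_str());
                string name_type = "";
                int vlan_id = subinterface->getOptionsObject()->getInt("vlan_id");
                QString sintf_name = subinterface->getName().c_str();
                QString vlan_name;
                QStringList supported_vlan_names;
                vlan_name.sprintf("vlan%04d", vlan_id);
                supported_vlan_names.append(vlan_name);
                if (vlan_name == sintf_name) name_type = "VLAN_PLUS_VID";
                else
                {
                    vlan_name.sprintf("vlan%d", vlan_id);
                    supported_vlan_names.append(vlan_name);
                    if (vlan_name == sintf_name) name_type = "VLAN_PLUS_VID_NO_PAD";
                    else
                    {
                        vlan_name.sprintf("%s.%04d", iface->getName().c_str(), vlan_id);
                        supported_vlan_names.append(vlan_name);
                        if (vlan_name == sintf_name) name_type = "DEV_PLUS_VID_PAD";
                        else
                        {
                            vlan_name.sprintf("%s.%d", iface->getName().c_str(), vlan_id);
                            supported_vlan_names.append(vlan_name);
                            if (vlan_name == sintf_name) name_type = "DEV_PLUS_VID_NO_PAD";
                        }
                    }
                }
                if (name_type.empty())
                {
                    QString err_str(
                        "Name of the VLAN interface '%1' "
                        "does not match any supported naming "
                        "type for VLAN interfaces. Possible names: %2");
                    abort(err_str.arg(sintf_name).
                          arg(supported_vlan_names.join(", ")).toStdString());
                }
            }
        }
        if (vlan_interfaces.size() > 0)
        {
            out << "update_vlans_of_interface \""
                << parent_interface.toStdString() << " "
                << vlan_interfaces.join(" ").toStdString() << "\"" << endl;
            foreach(QString intf, vlan_interfaces)
            {
                all_vlans.push_back(QString("%1@%2").arg(intf).arg(parent_interface));
            }
        }
    }
    out << "clear_vlans_except_known" << " " << all_vlans.join(" ").toStdString() << endl;
    return out.str();
}

/*
 * Emit "sync_bridge_interfaces <bridges...>" followed, for each bridge
 * interface, by "update_bridge <br> "<ports...>"" and a
 * "$BRCTL stp <br> on|off" line driven by option "enable_stp".
 */
string OSConfigurator_linux24::printBridgeInterfaceConfigurationCommands()
{
    /*
     * http://www.linuxfoundation.org/en/Net:Bridge#Manual_Configuration
     * # brctl addbr br12
     * # brctl addif br12 eth0
     * # brctl addif br12 eth1
     * # ifconfig br12 up
     */
    list all_bridges = fw->getInterfacesByType("bridge");
    QStringList names;
    for (list::iterator it=all_bridges.begin(); it!=all_bridges.end(); ++it)
        names.push_back((*it)->getName().c_str());
    QStringList gencmd;
    gencmd.push_back("sync_bridge_interfaces " + names.join(" "));
    for (list::iterator it=all_bridges.begin(); it!=all_bridges.end(); ++it)
    {
        Interface *iface = Interface::cast(*it);
        assert(iface);
        QStringList out;
        QStringList bridge_interfaces;
        if (iface->getOptionsObject()->getStr("type") == "bridge")
        {
            out.push_back("update_bridge");
            out.push_back(iface->getName().c_str());
            FWObjectTypedChildIterator si=iface->findByType(Interface::TYPENAME);
            for ( ; si!=si.end(); ++si )
            {
                Interface *subinterface = Interface::cast(*si);
                assert(subinterface);
                bridge_interfaces.push_back(subinterface->getName().c_str());
            }
            out.push_back("\"" + bridge_interfaces.join(" ") + "\"");
            gencmd.push_back(out.join(" "));
            out.clear();
            bool enable_stp = iface->getOptionsObject()->getBool("enable_stp");
            out.push_back("$BRCTL stp");
            out.push_back(iface->getName().c_str());
            out.push_back((enable_stp)?"on":"off");
            gencmd.push_back(out.join(" "));
        }
    }
    return gencmd.join("\n").toStdString() + "\n";
}

/*
 * Emit bonding configuration: "load_bonding_module "<bonds>" max_bonds=N
 * <params>" first, one "update_bonding <bond> <slaves...>" per bonding
 * interface (slaves are subinterfaces of type "" or "ethernet"), and
 * "clear_bonding_except_known <bonds>" last. With no bonding interface
 * only "unload_bonding_module" is emitted. Module parameters are taken
 * from the first bonding interface; differing parameters on later ones
 * only produce a warning.
 */
string OSConfigurator_linux24::printBondingInterfaceConfigurationCommands()
{
    /*
     * http://www.linuxfoundation.org/en/Net:Bonding#Configuring_Bonding_Manually
     *
     * modprobe bonding mode=balance-alb miimon=100
     * modprobe e100
     * ifconfig bond0 192.168.1.1 netmask 255.255.255.0 up
     * ifenslave bond0 eth0
     * ifenslave bond0 eth1
     */
    QStringList gencmd;
    QStringList bonding_interfaces;
    QString module_parameters;
    FWObjectTypedChildIterator i = fw->findByType(Interface::TYPENAME);
    for ( ; i!=i.end(); ++i )
    {
        Interface *iface = Interface::cast(*i);
        assert(iface);
        QStringList out;
        if (iface->getOptionsObject()->getStr("type") == "bonding")
        {
            /*
             * current implementation of function load_bonding_module()
             * in the configlet loads the module once, which means we can
             * only support the same parameters for all bonding interfaces.
             * Take parameters from the first bonding interface and use that
             * in the call to load_bonding_module()
             *
             * However, check if parameters for the subsequent bonding
             * interfaces are different and issue warning.
             */
            QString mode = iface->getOptionsObject()->getStr("bonding_policy").c_str();
            QString xmit_hash_policy = iface->getOptionsObject()->getStr("xmit_hash_policy").c_str();
            QString driver_opts = iface->getOptionsObject()->getStr("bondng_driver_options").c_str();
            QStringList params;
            if (!mode.isEmpty()) params.push_back("mode=" + mode);
            if (!xmit_hash_policy.isEmpty()) params.push_back("xmit_hash_policy=" + xmit_hash_policy);
            // driver options are passed through to modprobe verbatim
            if (!driver_opts.isEmpty()) params.push_back(driver_opts);
            if (module_parameters.isEmpty())
            {
                module_parameters = params.join(" ");
            } else
            {
                if (module_parameters != params.join(" "))
                {
                    warning(
                        QString("Different protocol parameters for multiple "
                                "bonding interfaces are not supported at "
                                "this time. Module 'bonding' "
                                "will be loaded with the following parameters: '%1'")
                        .arg(module_parameters).toStdString());
                }
            }
            out.push_back("update_bonding");
            out.push_back(iface->getName().c_str());
            bonding_interfaces.push_back(iface->getName().c_str());
            // inner list (deliberately shadowing the outer one) holds the
            // slave interfaces of this bond
            QStringList bonding_interfaces;
            FWObjectTypedChildIterator j = iface->findByType(Interface::TYPENAME);
            for ( ; j!=j.end(); ++j )
            {
                Interface *subint = Interface::cast(*j);
                if (subint->getOptionsObject()->getStr("type") == "" || subint->getOptionsObject()->getStr("type") == "ethernet")
                    bonding_interfaces.push_back(subint->getName().c_str());
            }
            out.push_back(bonding_interfaces.join(" "));
            gencmd.push_back(out.join(" "));
        }
    }
    if (bonding_interfaces.size())
    {
        gencmd.push_front(
            QString("load_bonding_module \"%1\" max_bonds=%2 %3")
            .arg(bonding_interfaces.join(" "))
            .arg(bonding_interfaces.size())
            .arg(module_parameters));
        gencmd.push_back(
            QString("clear_bonding_except_known %1")
            .arg(bonding_interfaces.join(" ")));
    } else
        gencmd.push_front("unload_bonding_module");
    return gencmd.join("\n").toStdString() + "\n";
}

/*
 * For each dynamic, non-wildcard interface emit the getaddr / getaddr6 /
 * getnet / getnet6 calls that fill the shell variables named by
 * getInterfaceVarName() (plus "_network" for the network variants).
 */
string OSConfigurator_linux24::printDynamicAddressesConfigurationCommands()
{
    ostringstream out;
    /*
     * get addresses of dynamic interfaces
     */
    list interfaces = fw->getByTypeDeep(Interface::TYPENAME);
    list::iterator j;
    for (j=interfaces.begin(); j!=interfaces.end(); ++j )
    {
        Interface *iface = Interface::cast(*j);
        if ( iface->isDyn() )
        {
            /* if interface name ends with '*', this is a wildcard interface. Do
             * not get its address at this time.
             */
            if (iface->getName().find("*")==string::npos)
            {
                out << "getaddr " << iface->getName() << " " << getInterfaceVarName(iface, false) << endl;
                out << "getaddr6 " << iface->getName() << " " << getInterfaceVarName(iface, true) << endl;
                out << "getnet " << iface->getName() << " " << getInterfaceVarName(iface, false) << "_network" << endl;
                out << "getnet6 " << iface->getName() << " " << getInterfaceVarName(iface, true) << "_network" << endl;
            }
        }
    }
    return out.str();
}

/*
 * Reject interface layouts the generated script cannot configure:
 *  - a subinterface sharing its name with a top-level bridge interface
 *    (when bridges are configured);
 *  - a vlan (8021q) subinterface under a bridge interface;
 *  - a vlan-looking subinterface (dev.N or vlanN name) used as a slave
 *    of a bonding interface.
 * Each violation calls abort() with a descriptive message; returns
 * false after the first bridge-name conflict, true otherwise.
 */
bool OSConfigurator_linux24::validateInterfaces()
{
    FWOptions* options = fw->getOptionsObject();
    if ( options->getBool("configure_bridge_interfaces") )
    {
        /*
         * Per #315:
         *
         * The test should scan all subinterfaces of each interface and
         * try to find inetrfaces wth the same name, then check the
         * type. So, for the combination br0/br1, the type of br1
         * is (probably) "bridge" which is not allowed.
         */
        FWObjectTypedChildIterator i = fw->findByType(Interface::TYPENAME);
        for ( ; i!=i.end(); ++i )
        {
            Interface *iface = Interface::cast(*i);
            assert(iface);
            FWObjectTypedChildIterator j = iface->findByType(Interface::TYPENAME);
            for ( ; j!=j.end(); ++j )
            {
                Interface *subinterface = Interface::cast(*j);
                FWObject::const_iterator it = find_if(
                    fw->begin(), fw->end(),
                    FWObjectNameEQPredicate(subinterface->getName()));
                if (it != fw->end() && Interface::isA(*it))
                {
                    Interface *other_iface = Interface::cast(*it);
                    // Have top-level interface with the same name
                    if (other_iface->getOptionsObject()->getStr("type") == "bridge")
                    {
                        QString err(
                            "Subinterface '%1' of interface '%2' has the same name as "
                            "another bridge interface of the firewall '%3'. "
                            "The configuration where bridge interface is "
                            "a subinterface of another interface is not supported.");
                        abort(
                            err.arg(subinterface->getName().c_str()).
                            arg(iface->getName().c_str()).
                            arg(fw->getName().c_str()).toStdString());
                        return false;
                    }
                }
            }
        }
    }
    if (options->getBool("configure_vlan_interfaces"))
    {
        /*
         * Per #324:
         *
         * Unsupported configurations:
         *
         * vlan interfaces under bridge interface (e.g. br0 = [eth1,
         * eth2], vlan inetrface br0.100 is not supported)
         *
         * bridge interface as part of bonding interface (e.g. bond0 =
         * [br0, br1]) (This is covered by the case above, including
         * unusual interface names)
         *
         * vlan interface as a slave of bonding interface (e.g. eth0.100,
         * eth1.100, bond0 = [eth0.100, eth1.100]). Only regular
         * interfaces can be slaves of bonding interface. If subinterface
         * type is "slave" but its name matches one of the vlan interface
         * regexes, assume this is vlan. Slave subintrfaces do not have to
         * be copies, one can have "eth4" only once, as a slave, so here
         * we rely on the subinterface type.
         *
         * Allowed configurations:
         *
         * vlans can be created under bonding interface (e.g. bond0.100),
         * both regular interfaces and vlans can be bridge ports.
         */
        FWObjectTypedChildIterator i = fw->findByType(Interface::TYPENAME);
        for ( ; i!=i.end(); ++i )
        {
            Interface *iface = Interface::cast(*i);
            assert(iface);
            FWObjectTypedChildIterator j = iface->findByType(Interface::TYPENAME);
            for ( ; j!=j.end(); ++j )
            {
                Interface *subinterface = Interface::cast(*j);
                if ( options->getBool("configure_bridge_interfaces") )
                {
                    if (subinterface->getOptionsObject()->getStr("type") == "8021q" && iface->getOptionsObject()->getStr("type") == "bridge")
                    {
                        QString err(
                            "Vlan subinterfaces of bridge interfaces "
                            "are not supported. "
                            "Interface '%1', subinterface '%2'");
                        abort(
                            err.arg(iface->getName().c_str()).
                            arg(subinterface->getName().c_str()).toStdString());
                    }
                }
                if ( options->getBool("configure_bonding_interfaces"))
                {
                    if (subinterface->getOptionsObject()->getStr("type") != "8021q" && iface->getOptionsObject()->getStr("type") == "bonding")
                    {
                        QString subint_name = subinterface->getName().c_str();
                        // "dev.N" style and "vlanN" style names both count as vlans
                        QRegExp vlan1("[a-zA-Z-]+\\d{1,}\\.\\d{1,}");
                        QRegExp vlan2("vlan\\d{1,}");
                        // both patterns are tested; previously vlan1 was
                        // tested twice and vlan2 was never applied, so a
                        // slave named e.g. "vlan100" slipped through
                        if (vlan1.indexIn(subint_name) != -1 || vlan2.indexIn(subint_name) != -1)
                        {
                            QString err(
                                "Vlan subinterfaces as slaves of bonding interfaces "
                                "are not supported. "
                                "Interface '%1', subinterface '%2'");
                            abort(
                                err.arg(iface->getName().c_str()).
                                arg(subinterface->getName().c_str()).toStdString());
                        }
                    }
                }
            }
        }
    }
    return true;
}
fwbuilder-5.3.7/src/iptlib/OSConfigurator_secuwall.cpp000066400000000000000000000727471303637203600231140ustar00rootroot00000000000000/*
 * OSConfigurator_secuwall.cpp - secunet wall OS configurator implementation
 *
 * Copyright (c) 2008 secunet Security Networks AG
 * Copyright (c) 2008 Adrian-Ken Rueegsegger
 * Copyright (c) 2008 Reto Buerki
 *
 * This work is dual-licensed under:
 *
 * o The terms of the GNU General Public License as published by the Free
 * Software Foundation, either version 2 of the License, or (at your option)
 * any later version.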
* * o The terms of NetCitadel End User License Agreement */ #include "config.h" #include "OSConfigurator_secuwall.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Network.h" #include "fwbuilder/Address.h" #include "fwbuilder/Resources.h" #include "fwbuilder/MultiAddress.h" #include "fwbuilder/physAddress.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Tools.h" #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; static string sysconfig_dir = "sysconfig"; static string ssh_dir = "ssh"; static string networkscripts_dir = sysconfig_dir + "/network-scripts"; static string hosts_filename = "hosts"; static string dns_filename = "resolv.conf"; static string nsswitch_filename = "nsswitch.conf"; static string mgmt_filename = sysconfig_dir + "/management"; static string network_filename = sysconfig_dir + "/network"; static string iface_prefix = "ifcfg-"; static string iface_filename = networkscripts_dir+"/"+iface_prefix; static string fwadmin_ssh_key = "/.ssh/id_rsa.pub"; static string fwadmin_known_hosts = "/.ssh/known_hosts2"; string OSConfigurator_secuwall::myPlatformName() { return "Secuwall"; } OSConfigurator_secuwall::OSConfigurator_secuwall(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy) : OSConfigurator_linux24(_db, fw, ipv6_policy) { s_mapIfaceTypes["ethernet"] = ETHERNET; s_mapIfaceTypes["bridge"] = BRIDGE; s_mapIfaceTypes["bonding"] = BONDING; s_mapIfaceTypes["vrrp"] = CLUSTER; s_mapIfaceTypes["8021q"] = VLAN; s_mapIfaceStrings[ETHERNET] = "ethernet"; s_mapIfaceStrings[ALIAS] = "alias"; s_mapIfaceStrings[BRIDGE] = "bridge"; s_mapIfaceStrings[BONDING] = "bonding"; s_mapIfaceStrings[CLUSTER] 
= "vrrp"; s_mapIfaceStrings[VLAN] = "8021q"; /* search all interfaces, this means here: IP endpoints in stack! */ list fw_ifaces = fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator it = fw_ifaces.begin(); it != fw_ifaces.end(); it++) { Interface *iface = Interface::cast(*it); assert(NULL != iface); /* Check if it is a management interface */ if (!iface->getName().empty() && (NULL != iface->getAddressObject())) { m_ifaces.push_back(iface); } } } /* * in addition to kernel parameters and other standard things * OSConfigurator_linux24 does, this class also creates configuration * directories, generates ssh keys and files for sysconfig-style * configuration. This method is called from CompilerDriver_ipt::run() * and does not run in single rule compile mode. */ void OSConfigurator_secuwall::processFirewallOptions() { OSConfigurator_linux24::processFirewallOptions(); if (!createDirStructure()) abort("Unable to create directory structure"); FWOptions* options = fw->getOptionsObject(); assert(options != NULL); /* Do ssh key generation if not disabled. 
*/ if (!options->getBool("secuwall_no_ssh_key_generation")) { generateSSHKeys(); } generateHostsFile(); generateDNSFile(); generateNsswitchFile(); generateManagementFile(); generateNetworkFile(); generateInterfaces(); } bool OSConfigurator_secuwall::createDirStructure() const { QDir directory; list dir_names; dir_names.push_back (QString (fw->getName().c_str())); QString tmp_name = fw->getName().c_str(); tmp_name.append("/"); tmp_name.append(ssh_dir.c_str()); dir_names.push_back(tmp_name); tmp_name = fw->getName().c_str(); tmp_name.append("/"); tmp_name.append(sysconfig_dir.c_str()); dir_names.push_back(tmp_name); tmp_name = fw->getName().c_str(); tmp_name.append("/"); tmp_name.append(networkscripts_dir.c_str()); dir_names.push_back(tmp_name); list::const_iterator c_iter = dir_names.begin(); for (; c_iter != dir_names.end(); c_iter++) { if (!directory.mkdir(*c_iter)) { /* Check if directory already exists */ if (!directory.exists()) { cerr << "Error[" << errno << "]: " << strerror(errno); cerr << " '" << c_iter->toStdString() << "'"<< endl; return false; } } } cout << " created directory structure successfully" << endl << flush; return true; } int OSConfigurator_secuwall::generateManagementFile() { FWOptions* options = fw->getOptionsObject(); assert(options != NULL); QString s, mgm_ip, vrrp_secret, stream_string, snmp_ip; bool vrrp_master = false; vector tmp_v, mgm_iface; /* Temporary storage for management file content */ QTextStream stream (&stream_string); /* search Management Interfaces, note: this can be more than one */ for (list::iterator it = m_ifaces.begin(); it != m_ifaces.end(); it++) { /* Check if it is a management interface */ if ((*it)->isManagement()) { mgm_iface.push_back((*it)->getName()); } } stream << "MGM_DEV=\""; stream << stringify(mgm_iface, " ").c_str(); stream << "\"" << endl; /* lookup Management IP address */ mgm_ip = options->getStr("secuwall_mgmt_mgmtaddr").c_str(); if (mgm_ip.isEmpty()) { /* This is only a warning, if the system is 
not managed online */ cout << " Warning: no Management IP address specified!" << endl; } else { if (mgm_iface.empty()) { abort("At least one management interface is needed for Online Management!"); } else { stream << "MGM_IP=\""; tmp_v.clear(); tokenize(mgm_ip.toStdString(), tmp_v, ","); stream << stringify(tmp_v, " ").c_str(); stream << s << "\"" << endl; } } /* Log-Server IP address */ stream << "LOG_IP=\""; tmp_v.clear(); tokenize(options->getStr("secuwall_mgmt_loggingaddr"), tmp_v, ","); stream << stringify(tmp_v, " ").c_str(); stream << "\"" << endl; /* SNMP-Server IP address */ snmp_ip = options->getStr("secuwall_mgmt_snmpaddr").c_str(); if (!snmp_ip.isEmpty()) { if (mgm_iface.empty()) { abort("At least one management interface is needed for SNMP!"); } else { stream << "SNMP_IP=\""; tmp_v.clear(); tokenize(options->getStr("secuwall_mgmt_snmpaddr"), tmp_v, ","); stream << stringify(tmp_v, " ").c_str(); stream << "\"" << endl; /* SNMP Community string */ stream << "SNMP_COM=\""; stream << options->getStr("secuwall_mgmt_rosnmp").c_str(); stream << "\"" << endl; } } /* NTP-Server IP address */ stream << "NTP_IP=\""; tmp_v.clear(); tokenize(options->getStr("secuwall_mgmt_ntpaddr"), tmp_v, ","); stream << stringify(tmp_v, " ").c_str(); stream << "\"" << endl; /* /var partition */ stream << "VARPART=\""; stream << options->getStr("secuwall_mgmt_varpart").c_str(); stream << "\"" << endl; /* Configuration partition */ stream << "CFGPART=\""; stream << options->getStr("secuwall_mgmt_confpart").c_str(); stream << "\"" << endl; /* Activate Nagios */ stream << "NRPE="; s.clear(); s = options->getStr("secuwall_mgmt_nagiosaddr").c_str(); if (!s.isEmpty()) { stream << "yes" << endl; /* Nagios-Server IP-Address */ stream << "NRPE_IP=\""; tmp_v.clear(); tokenize(s.toStdString(), tmp_v, ","); stream << stringify(tmp_v, " ").c_str(); stream << "\"" << endl; } else { stream << "no" << endl; } /* VRRP interfaces */ for (FWObjectTypedChildIterator fw_ifaces = 
fw->findByType(Interface::TYPENAME); fw_ifaces != fw_ifaces.end(); ++fw_ifaces) { Interface *iface = Interface::cast(*fw_ifaces); /* Check if it is a VRRP interface */ FWObject *failover_group = iface->getFirstByType(FailoverClusterGroup::TYPENAME); if (failover_group) { FWOptions *failover_opts = FailoverClusterGroup::cast(failover_group)->getOptionsObject(); if (failover_group->getStr("type") == "vrrp" && failover_opts != NULL) { vrrp_secret = failover_opts->getStr("vrrp_secret").c_str(); vrrp_master = iface->getOptionsObject()->getBool("failover_master");; } } } /* Activate VRRP */ stream << "VRRPD="; if (options->getBool("cluster_member")) { stream << "yes" << endl; /* VRRP secret */ stream << "VRRPSECRET=\""; stream << vrrp_secret; stream << "\"" << endl; /* VRRP Master/Slave */ stream << "MASTER="; stream << (vrrp_master ? "yes" : "no"); stream << endl; } else { stream << "no" << endl; } /* conntrackd */ s.clear(); s = options->getStr("state_sync_interface").c_str(); stream << "CONNTRACKD="; if (!s.isEmpty()) { stream << "yes" << endl; /* conntrack device */ stream << "CONN_DEV=\""; stream << s; stream << "\"" << endl; } else { stream << "no" << endl; } /* Write actual management file */ string filename = fw->getName() + "/" + mgmt_filename; stringToFile(stream.string()->toStdString(), filename); cout << " wrote " << mgmt_filename << " successfully" << endl << flush; return 0; } /* Routes are expected to be verified & valid since this step is executed after Route policy compilation */ int OSConfigurator_secuwall::generateNetworkFile() { FWOptions* options = fw->getOptionsObject(); assert(options != NULL); FWObject *routes = fw->getFirstByType(Routing::TYPENAME); assert(routes); QString s, ifName, gwAddress, stream_string; /* Temporary storage for file content */ QTextStream stream (&stream_string); /* Default route */ RoutingRule* defaultRoute = NULL; /* Prepend static content */ stream << "NETWORKING=yes" << endl; /* Find default route */ 
FWObjectTypedChildIterator routing_rules = routes->findByType(RoutingRule::TYPENAME); for (; routing_rules != routing_rules.end(); ++routing_rules) { RoutingRule* route = RoutingRule::cast(*routing_rules); if (!route->isEmpty() && !route->isDisabled() && route->getRDst()->isAny()) { defaultRoute = route; /* There can only be one default route, so we are done */ break; } } if (defaultRoute != NULL) { RuleElementRItf* itfrel = defaultRoute->getRItf(); RuleElementRGtw* gtwrel = defaultRoute->getRGtw(); FWObject *oRGtw = FWReference::cast(gtwrel->front())->getPointer(); assert(oRGtw != NULL); FWObject *oRItf = FWReference::cast(itfrel->front())->getPointer(); assert(oRItf != NULL); /* Extract Gateway IP address */ if (Host::cast(oRGtw) != NULL) { Host *host=Host::cast(oRGtw); gwAddress = host->getAddressPtr()->toString().c_str(); } else if (Interface::cast(oRGtw) != NULL) { Interface *intf=Interface::cast(oRGtw); gwAddress = intf->getAddressPtr()->toString().c_str(); } else if (Address::cast(oRGtw)->dimension()==1) { Address *ipv4 = Address::cast(oRGtw); gwAddress = ipv4->getAddressPtr()->toString().c_str(); } /* Extract Interface name */ ifName = oRItf->getName().c_str(); } /* XXX: not setting gateway since default route will be set by routing rules */ /* Default Gateway */ stream << "GATEWAY=\""; s = gwAddress; { // stream << s; } stream << "\"" << endl; /* Gateway interface */ stream << "GATEWAYDEV=\""; s = ifName; { // stream << s; } stream << "\"" << endl; /* Hostname */ stream << "HOSTNAME=\""; stream << fw->getName().c_str(); stream << "\"" << endl; /* Routing */ stream << "FORWARD_IPV4=\""; if (options->getBool("linux24_ip_forward")) { stream << "yes"; } else { stream << "no"; } stream << "\"" << endl; /* Write actual network file */ string filename = fw->getName() + "/" + network_filename; stringToFile(stream.string()->toStdString(), filename); cout << " wrote " << network_filename << " successfully" << endl << flush; return 0; } int 
OSConfigurator_secuwall::generateHostsFile() { FWOptions* options = fw->getOptionsObject(); assert(options != NULL); QString s, stream_string; /* Temporary storage for file content */ QTextStream stream (&stream_string); /* Prepend static content */ stream << "127.0.0.1\tlocalhost\n\n# Secuwall hosts" << endl; /* TODO: Should entries of every fw interface address be appended? */ stream << options->getStr("secuwall_dns_hosts").c_str(); stream << endl; /* Write actual hosts file */ string filename = fw->getName() + "/" + hosts_filename; stringToFile(stream.string()->toStdString(), filename); cout << " wrote " << hosts_filename << " successfully" << endl << flush; return 0; } int OSConfigurator_secuwall::generateDNSFile() { FWOptions* options = fw->getOptionsObject(); assert(options != NULL); QString s, stream_string; /* Temporary storage for file content */ QTextStream stream (&stream_string); /* Search domains */ s = options->getStr("secuwall_dns_domains").c_str(); if (!s.isEmpty()) { /* Replace \n with " " */ s.replace(QString("\n"), QString(" ")); stream << "search\t\t" << s << endl; } /* DNS-Server entries */ s = options->getStr("secuwall_dns_srv1").c_str(); if (!s.isEmpty()) stream << "nameserver\t" << s << endl; s = options->getStr("secuwall_dns_srv2").c_str(); if (!s.isEmpty()) stream << "nameserver\t" << s << endl; s = options->getStr("secuwall_dns_srv3").c_str(); if (!s.isEmpty()) stream << "nameserver\t" << s << endl; /* Write actual DNS file */ string filename = fw->getName() + "/" + dns_filename; stringToFile(stream.string()->toStdString(), filename); cout << " wrote " << dns_filename << " successfully" << endl << flush; return 0; } int OSConfigurator_secuwall::generateNsswitchFile() { FWOptions* options = fw->getOptionsObject(); assert(options != NULL); QString s, stream_string; /* Temporary storage for file content */ QTextStream stream(&stream_string); /* Prepend static content */ stream << "passwd:\t\tfiles\nshadow:\t\tfiles\ngroup:\t\tfiles\n" << 
endl; /* hosts entries */ stream << "hosts:\t\t"; s = options->getStr("secuwall_dns_reso1").c_str(); if (!s.isEmpty() && s != "none") { stream << s; } s = options->getStr("secuwall_dns_reso2").c_str(); if (!s.isEmpty() && s != "none") { stream << " " << s; } s = options->getStr("secuwall_dns_reso3").c_str(); if (!s.isEmpty() && s != "none") { stream << " " << s; } s = options->getStr("secuwall_dns_reso4").c_str(); if (!s.isEmpty() && s != "none") { stream << " " << s; } s = options->getStr("secuwall_dns_reso5").c_str(); if (!s.isEmpty() && s != "none") { stream << " " << s << endl; } stream << endl; /* Append static content */ stream << "ethers:\t\tfiles\nnetmasks:\tfiles\nnetworks:\tfiles\nprotocols:\tfiles\nrpc:\t\tfiles\nservices:\tfiles\n"; /* Write actual nsswitch file */ string filename = fw->getName() + "/" + nsswitch_filename; stringToFile(stream.string()->toStdString(), filename); cout << " wrote " << nsswitch_filename << " successfully" << endl << flush; return 0; } int OSConfigurator_secuwall::generateInterfaceFile (Interface * iface, string name, IPv4 * ip_address, int iface_number) { FWOptions* options = NULL; ifaceType itype = ifNotDefined; QString s; /* Temporary storage for file content */ QString stream_string; QTextStream stream(&stream_string); assert(iface != NULL); /* fallback for name of the interface */ if (name.empty()) name = iface->getName(); if (name.empty()) abort("cannot get name for interface"); /* determine the type of the interface */ if (iface->getName().find("*") == string::npos) options = iface->getOptionsObject(); if (iface_number > 0) { itype = ALIAS; } else if (options == NULL || options->getStr("type").empty()) { itype = ETHERNET; } else { itype = s_mapIfaceTypes[options->getStr("type")]; } /* shortcut: unconfigured ethernet devices just exist, they don't need a config file */ if ((itype == ETHERNET) && (ip_address == NULL) && (iface->getAddressObject() == NULL)) return 0; /* Interface name */ stream << "DEVICE=\""; stream << 
name.c_str(); if (iface_number > 0) stream << ":" << iface_number; stream << "\"" << endl; /* Boot-Protocol */ stream << "BOOTPROTO=\""; if (iface->isDyn()) { stream << "dhcp"; } else { stream << "none"; } stream << "\"" << endl; /* Address object contains host, network and broadcast address plus netmask */ const Address* ipAddr = NULL; if (ip_address != NULL) ipAddr = ip_address->getAddressObject(); if (ipAddr != NULL) { /* Interface IP Address */ stream << "IPADDR=\""; stream << ipAddr->getAddressPtr()->toString().c_str(); stream << "\"" << endl; /* Netmask */ stream << "NETMASK=\""; stream << ipAddr->getNetmaskPtr()->toString().c_str(); stream << "\"" << endl; /* Network IP Address */ stream << "NETWORK=\""; stream << ipAddr->getNetworkAddressPtr()->toString().c_str(); stream << "\"" << endl; /* Broadcast IP Address */ stream << "BROADCAST=\""; stream << ipAddr->getBroadcastAddressPtr()->toString().c_str(); stream << "\"" << endl; } /* Activate on bootup */ stream << "ONBOOT=\""; if (options != NULL && options->getBool("iface_disableboot")) { stream << "no"; } else { stream << "yes"; } stream << "\"" << endl; /* Link */ stream << "LINK=\""; if (options != NULL) { stream << options->getStr("iface_options").c_str(); } stream << "\"" << endl; /* MAC-Address */ stream << "MACADDR=\""; physAddress* macAddr = iface->getPhysicalAddress(); if (macAddr != NULL) { stream << macAddr->getPhysAddress().c_str(); } stream << "\"" << endl; /* MTU */ s.clear(); stream << "MTU=\""; if (options == NULL || (s = options->getStr("iface_mtu").c_str()).isEmpty()) { /* TODO: Extract magic value */ /* Set to "sane" default: "1500" */ s = "1500"; } stream << s; stream << "\"" << endl; /* Activate ARP */ stream << "ARP=\""; if (options != NULL && options->getBool("iface_disablearp")) { stream << "no"; } else { stream << "yes"; } stream << "\"" << endl; /* Interface type */ stream << "TYPE=\""; stream << s_mapIfaceStrings[itype].c_str(); stream << "\"" << endl; /* get all direct children of 
type interface */ list basedevs = iface->getByType(Interface::TYPENAME); /* Type-specific parameter handling */ switch (itype) { case BRIDGE: /* Fall-through */ case BONDING: /* Iterate over all child interfaces */ if (basedevs.empty()) { abort("No base device specified for " + name); } else { vector devs; for (list::iterator it = basedevs.begin(); it != basedevs.end(); it++) { Interface *iface = Interface::cast(*it); assert(NULL != iface); if (!(iface->getName().empty())) { devs.push_back(iface->getName()); generateInterfaceFile(iface); } } /* Base Device */ stream << "BASEDEV=\""; stream << stringify(devs," ").c_str(); stream << "\"" << endl; } break; case VLAN: if (options == NULL || options->getStr("vlan_id").empty()) { abort("No VLAN id specified for " + name); } stream << "VLANID=\""; stream << options->getStr("vlan_id").c_str(); stream << "\"" << endl; if (iface->getParent() == NULL || iface->getParent()->getName().empty()) { /* No base device provided */ abort("No base device specified for " + name); } stream << "BASEDEV=\""; stream << iface->getParent()->getName().c_str(); stream << "\"" << endl; generateInterfaceFile(Interface::cast(iface->getParent())); break; case CLUSTER: if (options->getStr("base_device").empty()) { /* No base device provided */ abort("No base device specified for " + name); } stream << "BASEDEV=\""; stream << options->getStr("base_device").c_str(); stream << "\"" << endl; break; case ALIAS: /* Base Device for secondary interfaces*/ stream << "BASEDEV=\""; stream << name.c_str(); stream << "\"" << endl; break; default: /* Don't define BASEDEV */ break; } /* Write actual interface file */ string filename = fw->getName() + "/" + iface_filename + name; if (iface_number > 0) { stringstream tmp; tmp << ":" << iface_number; filename += tmp.str(); } stringToFile(stream.string()->toStdString(), filename); cout << " wrote " << filename << " successfully" << endl << flush; return 0; } template inline std::string toString (const T& t) { 
std::stringstream ss; ss << t; return ss.str(); } int OSConfigurator_secuwall::generateInterfaces() { /* clean up possibly stale interface files */ string nwdir = fw->getName() + "/" + networkscripts_dir; QDir d(nwdir.c_str()); QStringList entries = d.entryList(); for (QStringList::ConstIterator entry=entries.begin(); entry!=entries.end(); ++entry) { if (*entry != "." && *entry != "..") { d.remove(*entry); } } int vrrp_count = 0; /* Iterate over all top-level interfaces */ for (list::iterator it = m_ifaces.begin(); it != m_ifaces.end(); it++) { string ifname = (*it)->getName(); FWOptions *options = (*it)->getOptionsObject(); /* rename handling for our vrrp "devices" */ if ((options != NULL) && options->getBool("cluster_interface")) { ifname = "vrrp" + ::toString(vrrp_count++); } /* Iterate over all addresses */ FWObjectTypedChildIterator j = (*it)->findByType(IPv4::TYPENAME); int count = 0; for (; j != j.end(); ++j, ++count) { IPv4 *address = IPv4::cast(*j); generateInterfaceFile (*it, ifname, address, count); } } return 0; } int OSConfigurator_secuwall::stringToFile(const std::string data, const std::string filename, const QIODevice::OpenMode mode) const { QFile file (QString (filename.c_str())); if (!file.open (mode)) { cerr << "Unable to open file " << filename << endl; } qint64 byte_count = file.write (data.c_str()); if (byte_count == -1) { cerr << "Unable to write data to file " << filename << endl; } if (data.length() != (unsigned int) byte_count) { cerr << "Unable to write all data (" << byte_count << " of " << data.length() << " bytes) to file " << filename << endl; } file.close(); file.setPermissions (QFile::ReadOwner|QFile::WriteOwner|QFile::ReadGroup|QFile::ReadOther); return 0; } int OSConfigurator_secuwall::generateSSHKeys() { int i; string cmd; QString pwd = QDir::currentPath(); string filename; string hostKey_file; string fwadmin_keyfilename; QFile file (filename.c_str()); /* TODO: Rewrite with popen for error handling */ /* Generate RSA Keys */ 
filename = fw->getName() + "/" + ssh_dir + "/ssh_host_rsa_key"; if (!QFile::exists(filename.c_str())) { cmd = "ssh-keygen -t rsa -b 2048 -f " + pwd.toStdString() + "/" + filename + " -C root@" + fw->getName() + " -P \"\" 2>&1"; i = system(cmd.c_str()); } else { cout << " Found existing RSA key: skipping key generation." << endl; } /* Generate DSA Keys */ filename = fw->getName() + "/" + ssh_dir + "/ssh_host_dsa_key"; if (!QFile::exists(filename.c_str())) { cmd = "ssh-keygen -t dsa -f " + pwd.toStdString() + "/" + filename + " -C root@" + fw->getName() + " -P \"\" 2>&1"; i = system(cmd.c_str()); } else { cout << " Found existing DSA key: skipping key generation." << endl; } Q_UNUSED(i); /* Add RSA pub key of fwadmin to the firewall's known hosts file */ fwadmin_keyfilename = getenv("HOME"); fwadmin_keyfilename += fwadmin_ssh_key; QFile fwadmin_ssh_keyfile(fwadmin_keyfilename.c_str()); filename = pwd.toStdString() + "/" + fw->getName() + "/" + ssh_dir + "/authorized_keys2"; if (!QFile::exists(filename.c_str())) { if (fwadmin_ssh_keyfile.open(QIODevice::ReadOnly)) { /* Temporary storage for file content */ QString stream_string; QTextStream stream(&stream_string); stream << fwadmin_ssh_keyfile.readAll(); fwadmin_ssh_keyfile.close(); /* Write actual authorized_keys2 file */ stringToFile(stream.string()->toStdString(), fw->getName() + "/" + ssh_dir + "/authorized_keys2"); QFile::setPermissions (filename.c_str(), QFile::ReadOwner|QFile::ReadGroup); } else { cout << " Unable to open " << fwadmin_keyfilename << endl; } } else { cout << " Found existing key authorization file: skipping addition of management key." 
<< endl; } /* Add RSA host key of firewall to the fwadmin's known hosts file */ string hostKey_filename = getenv("HOME"); hostKey_filename += fwadmin_known_hosts; QFile host_key_file(hostKey_filename.c_str()); bool keyPresent = false; /* Check if hosts key file exists */ if (host_key_file.exists()) { /* Check if key entry is present */ host_key_file.open(QIODevice::ReadOnly); QTextStream known_hosts(&host_key_file); QString tmp; while(!known_hosts.atEnd()) { known_hosts >> tmp; if (containsFirewallKey(tmp.toStdString())) keyPresent = true; } host_key_file.close(); } if (!keyPresent) { filename = pwd.toStdString() + "/" + fw->getName() + "/" + ssh_dir + "/ssh_host_rsa_key.pub"; QFile ssh_keyfile(filename.c_str()); if (ssh_keyfile.open(QIODevice::ReadOnly)) { /* Temporary storage for file content */ QString stream_string; QTextStream stream(&stream_string); stream << fw->getName().c_str() << " "; stream << ssh_keyfile.readAll(); ssh_keyfile.close(); /* Append entry to authorized_keys2 file */ stringToFile(stream.string()->toStdString(), hostKey_filename, QIODevice::Append); } else { cout << " Unable to open firewall public key" << endl; } } else { cout << " Found existing authorization entry: skipping addition of firewall key." 
<< endl; } cout << " generated SSH keys successfully" << endl << flush; return 0; } /* TODO: Put in utility library */ bool OSConfigurator_secuwall::containsFirewallKey(string in) const { string match = "root@"+fw->getName(); if (match == in) return true; else return false; } string OSConfigurator_secuwall::printPathForAllTools(const string &) { return OSConfigurator_linux24::printPathForAllTools("secuwall"); } map OSConfigurator_secuwall::getGeneratedFiles() const { map files; return files; } fwbuilder-5.3.7/src/iptlib/OSConfigurator_secuwall.h000066400000000000000000000051411303637203600225430ustar00rootroot00000000000000/* * OSConfigurator_secuwall.h - OS configurator for secunet wall host OS * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. 
* * o The terms of NetCitadel End User License Agreement */ #ifndef __OSNETWORKCONFIGURATOR_SECUWALL_H_ #define __OSNETWORKCONFIGURATOR_SECUWALL_H_ #include "fwbuilder/Tools.h" #include "OSConfigurator_linux24.h" #include #include namespace fwcompiler { class OSConfigurator_secuwall : public OSConfigurator_linux24 { public: virtual ~OSConfigurator_secuwall() {}; OSConfigurator_secuwall(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy); virtual std::string myPlatformName(); virtual void processFirewallOptions(); virtual std::string printPathForAllTools(const std::string &); virtual std::map getGeneratedFiles() const; /* TODO: Merge this mapping with gui interface types mapping */ /* Value-Defintions of the different String values */ enum ifaceType { ifNotDefined, ETHERNET, ALIAS, BRIDGE, BONDING, CLUSTER, VLAN, ifEnd }; /* Map to associate the strings with the enum values */ std::map s_mapIfaceTypes; /* and vice versa for the config files */ std::map s_mapIfaceStrings; private: bool createDirStructure() const; int generateManagementFile(); int generateNetworkFile(); int generateHostsFile(); int generateDNSFile(); int generateNsswitchFile(); int generateInterfaces(); int generateInterfaceFile(libfwbuilder::Interface * iface, std::string name = "", libfwbuilder::IPv4 * ip_address = NULL, int iface_number = 0); int generateSSHKeys(); int stringToFile(const std::string data, const std::string filename, const QIODevice::OpenMode mode = QIODevice::ReadWrite|QIODevice::Truncate) const; bool containsFirewallKey(std::string in) const; std::list m_ifaces; }; }; #endif fwbuilder-5.3.7/src/iptlib/OSData.cpp000066400000000000000000000050751303637203600174140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "OSData.h" using namespace std; OSData::OSData(const std::string &ho) { host_os = ho; attribute_names[LSMOD] = "path_lsmod"; attribute_names[MODPROBE] = "path_modprobe"; attribute_names[IPTABLES] = "path_iptables"; attribute_names[IP6TABLES] = "path_ip6tables"; attribute_names[IPTABLES_RESTORE] = "path_iptables_restore"; attribute_names[IP6TABLES_RESTORE] = "path_ip6tables_restore"; attribute_names[IP] = "path_ip"; attribute_names[IFCONFIG] = "path_ifconfig"; attribute_names[VCONFIG] = "path_vconfig"; attribute_names[BRCTL] = "path_brctl"; attribute_names[IFENSLAVE] = "path_ifenslave"; attribute_names[IPSET] = "path_ipset"; attribute_names[LOGGER] = "path_logger"; variable_names[LSMOD] = "LSMOD"; variable_names[MODPROBE] = "MODPROBE"; variable_names[IPTABLES] = "IPTABLES"; variable_names[IP6TABLES] = "IP6TABLES"; variable_names[IPTABLES_RESTORE] = "IPTABLES_RESTORE"; variable_names[IP6TABLES_RESTORE] = "IP6TABLES_RESTORE"; variable_names[IP] = "IP"; variable_names[IFCONFIG] = "IFCONFIG"; variable_names[VCONFIG] = "VCONFIG"; variable_names[BRCTL] = "BRCTL"; variable_names[IFENSLAVE] = "IFENSLAVE"; variable_names[IPSET] = "IPSET"; variable_names[LOGGER] = "LOGGER"; all_tools.push_back(LSMOD); all_tools.push_back(MODPROBE); all_tools.push_back(IPTABLES); all_tools.push_back(IP6TABLES); all_tools.push_back(IPTABLES_RESTORE); all_tools.push_back(IP6TABLES_RESTORE); all_tools.push_back(IP); 
all_tools.push_back(IFCONFIG); all_tools.push_back(VCONFIG); all_tools.push_back(BRCTL); all_tools.push_back(IFENSLAVE); all_tools.push_back(IPSET); all_tools.push_back(LOGGER); } fwbuilder-5.3.7/src/iptlib/OSData.h000066400000000000000000000034121303637203600170520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OSDATA_HH #define __OSDATA_HH #include "config.h" #include #include #include class OSData { std::string host_os; std::map variable_names; std::map attribute_names; std::list all_tools; public: OSData(const std::string &ho); typedef enum { LSMOD, MODPROBE, IPTABLES, IP6TABLES, IPTABLES_RESTORE, IP6TABLES_RESTORE, IP, IFCONFIG, VCONFIG, BRCTL, IFENSLAVE, IPSET, LOGGER } tools; std::string getVariableName(tools t) { return variable_names[t]; } const std::list& getAllTools() { return all_tools; } std::string getAttributeNameForTool(tools t) { return attribute_names[t]; } }; #endif fwbuilder-5.3.7/src/iptlib/PolicyCompiler_PrintRule.cpp000066400000000000000000001673531303637203600232470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PolicyCompiler_ipt.h" #include "OSConfigurator_linux24.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Network.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Resources.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/UserService.h" #include "fwbuilder/Inet6AddrMask.h" #include "combinedAddress.h" #include "Configlet.h" #include #include #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ string PolicyCompiler_ipt::PrintRule::_printSingleObjectNegation( RuleElement *rel) { if (rel->getBool("single_object_negation")) return "! "; else return ""; } /* * Prints single --option with argument and negation "!" 
* taking into account the change that happened in iptables 1.4.3.1 * that causes warning * Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`). */ string PolicyCompiler_ipt::PrintRule::_printSingleOptionWithNegation( const string &option, RuleElement *rel, const string &arg) { ostringstream ostr; if (XMLTools::version_compare(version, "1.4.3")>=0) { ostr << _printSingleObjectNegation(rel); ostr << option << " "; ostr << arg << " "; } else { ostr << option << " "; ostr << _printSingleObjectNegation(rel); ostr << arg << " "; } return ostr.str(); } void PolicyCompiler_ipt::PrintRule::initializeMinusNTracker() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); for (list::const_iterator i = PolicyCompiler_ipt::getStandardChains().begin(); i != PolicyCompiler_ipt::getStandardChains().end(); ++i) { (*(ipt_comp->minus_n_commands))[*i] = true; } minus_n_tracker_initialized = true; } /* * check and create new chain if needed */ string PolicyCompiler_ipt::PrintRule::_createChain(const string &chain) { string res; PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); if (!minus_n_tracker_initialized) initializeMinusNTracker(); if ( ipt_comp->minus_n_commands->count(chain)==0 ) { string opt_wait; if (XMLTools::version_compare(version, "1.4.20")>=0) opt_wait = "-w "; else opt_wait = ""; res = string((ipt_comp->ipv6) ? "$IP6TABLES " : "$IPTABLES ") + opt_wait + "-N " + chain; if (ipt_comp->my_table != "filter") res += " -t " + ipt_comp->my_table; res += "\n"; (*(ipt_comp->minus_n_commands))[chain] = true; } return res; } string PolicyCompiler_ipt::PrintRule::_startRuleLine() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); string res = (ipt_comp->ipv6) ? 
"$IP6TABLES " : "$IPTABLES "; string opt_wait; if (XMLTools::version_compare(version, "1.4.20")>=0) opt_wait = "-w "; else opt_wait = ""; res += opt_wait; if (ipt_comp->my_table != "filter") res += "-t " + ipt_comp->my_table + " "; res += "-A "; return res; } string PolicyCompiler_ipt::PrintRule::_endRuleLine() { return string("\n"); } string PolicyCompiler_ipt::PrintRule::_printRuleLabel(PolicyRule *rule) { ostringstream res; bool nocomm = Resources::os_res[compiler->fw->getStr("host_OS")]-> Resources::getResourceBool( "/FWBuilderResources/Target/options/suppress_comments"); // TODO: convert this into virtual function PolicyCompiler_ipt::printComment() string rl=rule->getLabel(); if (rl != current_rule_label) { if (!compiler->inSingleRuleCompileMode()) { if (!nocomm) { res << "# " << endl; res << "# Rule " << rl << endl; res << "# " << endl; } res << "echo " << _quote(string("Rule ")+rl) << endl; res << "# " << endl; } /* do not put comment in the script if it is intended for linksys */ if (!nocomm || compiler->inSingleRuleCompileMode()) { QStringList comm = QString(rule->getComment().c_str()).split("\n", QString::SkipEmptyParts); foreach(QString line, comm) { res << "# " << line.toStdString() << endl; } //res << "# " << endl; string err = compiler->getErrorsForRule(rule, "# "); if (!err.empty()) res << err << endl; } } current_rule_label = rl; // string err = rule->getCompilerMessage(); // if (!err.empty()) res << "# " << err << endl; return res.str(); } /** *----------------------------------------------------------------------- */ string PolicyCompiler_ipt::PrintRule::_printChain(PolicyRule *rule) { string s = rule->getStr("ipt_chain"); if (s.empty()) s = "UNKNOWN"; // check chain name length per bug report #2507239 if (s.length() > 30) { ostringstream str; str << "Chain name '" << s << "' "; str << "is longer than 30 characters. 
Rule " << rule->getLabel(); compiler->abort(rule, str.str()); } s= s + " "; return s; } string PolicyCompiler_ipt::PrintRule::_printModules(PolicyRule *rule) { std::ostringstream ostr; string target=rule->getStr("ipt_target"); if (target.empty()) target="UNKNOWN"; FWOptions *ruleopt =rule->getOptionsObject(); int lim = 0; /* * Here is what do we do with limits: * * Limit set globally in 'Firewall' tab of the firewall dialog * applies only to logging * * Limit set in the rule options dialog applies only to this * rule's target. * * this is so as of 1.0.11 ( 28/06/03 ) --vk */ if (target=="LOG") { FWOptions *compopt=compiler->getCachedFwOpt(); if ((lim=compopt->getInt("limit_value"))>0) { ostr << " -m limit --limit " << lim; string ls=compopt->getStr("limit_suffix"); if (!ls.empty()) ostr << ls; int lb=compopt->getInt("limit_burst"); if (lb>0) ostr << " --limit-burst " << lb; } } else { if (ruleopt!=NULL && (lim=ruleopt->getInt("limit_value"))>0) { if (ruleopt->getBool("limit_value_not")) ostr << " -m limit \\! --limit " << lim; else ostr << " -m limit --limit " << lim; string ls=ruleopt->getStr("limit_suffix"); if (!ls.empty()) ostr << ls; int lb=ruleopt->getInt("limit_burst"); if (lb>0) ostr << " --limit-burst " << lb; } } if (ruleopt!=NULL && (lim=ruleopt->getInt("connlimit_value"))>0) { if (ruleopt->getBool("connlimit_above_not")) ostr << " -m connlimit \\! 
--connlimit-above " << lim; else ostr << " -m connlimit --connlimit-above " << lim; int ml=ruleopt->getInt("connlimit_masklen"); if (ml>0) ostr << " --connlimit-mask " << ml; } if (ruleopt!=NULL && (lim=ruleopt->getInt("hashlimit_value"))>0) { string module_name = "hashlimit"; if (ruleopt->getBool("hashlimit_dstlimit")) module_name = "dstlimit"; ostr << " -m " << module_name << " --" << module_name << " " << lim; string ls = ruleopt->getStr("hashlimit_suffix"); if (!ls.empty()) ostr << ls; int lb=ruleopt->getInt("hashlimit_burst"); if (lb>0) ostr << " --" << module_name << "-burst " << lb; ls = ruleopt->getStr("hashlimit_mode"); if (ls.empty()) { /* syntax "--hashlimit-mode srcip,srcport " (i.e. with options separated by commas) tested with iptables 1.3.6 */ QStringList opts; bool f; f = ruleopt->getBool("hashlimit_mode_srcip"); if (f) opts.push_back("srcip"); f = ruleopt->getBool("hashlimit_mode_dstip"); if (f) opts.push_back("dstip"); f = ruleopt->getBool("hashlimit_mode_srcport"); if (f) opts.push_back("srcport"); f = ruleopt->getBool("hashlimit_mode_dstport"); if (f) opts.push_back("dstport"); if (!opts.isEmpty()) ostr << " --" << module_name << "-mode " << opts.join(",").toStdString(); } else // hashlimit_mode is v2.1 option. 
In v3 we have options // hashlimit_mode_srcip // hashlimit_mode_dstip // hashlimit_mode_srcport // hashlimit_mode_dstport ostr << " --" << module_name << "-mode " << ls; string hl_name = ruleopt->getStr("hashlimit_name"); if (hl_name.empty()) { std::ostringstream hn; hn << "htable_rule_" << rule->getPosition(); hl_name = hn.str(); } ostr << " --" << module_name << "-name " << hl_name; int arg = ruleopt->getInt("hashlimit_size"); if (arg>0) ostr << " --" << module_name << "-htable-size " << arg; arg = ruleopt->getInt("hashlimit_max"); if (arg>0) ostr << " --" << module_name << "-htable-max " << arg; arg = ruleopt->getInt("hashlimit_expire"); if (arg>0) ostr << " --" << module_name << "-htable-expire " << arg; arg = ruleopt->getInt("hashlimit_gcinterval"); if (arg>0) ostr << " --" << module_name << "-htable-gcinterval " << arg; } return ostr.str(); } string PolicyCompiler_ipt::PrintRule::_printTarget(PolicyRule *rule) { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); std::ostringstream ostr; string target=rule->getStr("ipt_target"); if (target.empty()) target="UNKNOWN"; FWOptions *ruleopt =rule->getOptionsObject(); if (rule->getTagging()) { ostr << " -j MARK"; ostr << " --set-mark " << rule->getTagValue(); return ostr.str(); } if (rule->getClassification()) { ostr << " -j CLASSIFY"; ostr << " --set-class " << ruleopt->getStr("classify_str"); return ostr.str(); } if (rule->getRouting()) { ostr << " -j ROUTE"; string a; a = ruleopt->getStr("ipt_iif"); if (!a.empty()) ostr << " --iif " << a; a = ruleopt->getStr("ipt_oif"); if (!a.empty()) ostr << " --oif " << a; a = ruleopt->getStr("ipt_gw"); if (!a.empty()) ostr << " --gw " << a; bool c = ruleopt->getBool("ipt_continue"); if (c) ostr << " --continue"; c = ruleopt->getBool("ipt_tee"); if (c) ostr << " --tee"; return ostr.str(); } if (target==".CUSTOM") { ostr << " " << ruleopt->getStr("custom_str"); return ostr.str(); } if (target==".CONTINUE") // not a real target ! 
return ostr.str(); // there is no ULOG for ip6tables yet if (!ipt_comp->ipv6 && compiler->getCachedFwOpt()->getBool("use_ULOG") && target=="LOG") target="ULOG"; ostr << " -j " << target << " "; if (target=="REJECT") ostr << _printActionOnReject(rule); if (target=="LOG" || target=="ULOG") ostr << _printLogParameters(rule); if (target=="CONNMARK") { ostr << ruleopt->getStr("CONNMARK_arg"); } return ostr.str(); } string PolicyCompiler_ipt::PrintRule::_printMultiport(PolicyRule *rule) { RuleElementSrv *srvrel=rule->getSrv(); string s; if(srvrel->size()>1 && rule->getBool("ipt_multiport")) s= " -m multiport "; return s; } string PolicyCompiler_ipt::PrintRule::_printDirectionAndInterface(PolicyRule *rule) { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); QStringList res; if (rule->getStr(".iface") == "nil") return ""; RuleElementItf *itfrel = rule->getItf(); QString iface_name; FWObject *rule_iface_obj = NULL; Interface *rule_iface = NULL; if ( ! itfrel->isAny()) { rule_iface_obj = FWObjectReference::getObject(itfrel->front()); rule_iface = Interface::cast(rule_iface_obj); iface_name = rule_iface_obj->getName().c_str(); if (iface_name.endsWith("*")) iface_name.replace("*", "+"); if (rule_iface && rule_iface->isBridgePort() && (version.empty() || XMLTools::version_compare(version, "1.3.0")>=0)) { /* http://www.netfilter.org/projects/iptables/files/changes-iptables-1.2.9.txt See SF bug #3439613 https://sourceforge.net/tracker/index.php?func=detail&aid=3439613&group_id=5314&atid=1129518# physdev module does not allow --physdev-out for non-bridged traffic anymore. We should add --physdev-is-bridged to make sure this matches only bridged packets. Also, adding "-i" / "-o" clause to match parent bridge interface. This allows us to correctly match which bridge the packet comes through in configurations using wildcard bridge port interfaces. 
For example, when br0 and br1 have "vnet+" bridge port interface, iptables can still correctly match which bridge the packet went through using "-o br0" or "-o br1" clause. This can be useful in installations with many bridged interfaces that get created and destroyed dynamically, e.g. with virtual machines. However add "-i br0" / "-o br0" only when there is more than one bridge interface _and_ bridge port name ends with a wild card symbol "+" */ QString parent_name = rule_iface->getParent()->getName().c_str(); if (rule->getDirection()==PolicyRule::Inbound) { if (ipt_comp->bridge_count > 1 && iface_name.endsWith("+")) res << "-i" << parent_name; res << "-m physdev --physdev-in" << iface_name; } if (rule->getDirection()==PolicyRule::Outbound) { if (ipt_comp->bridge_count > 1 && iface_name.endsWith("+")) res << "-o" << parent_name; res << "-m physdev --physdev-is-bridged --physdev-out" << iface_name; } } else { if (rule->getDirection()==PolicyRule::Inbound) res << _printSingleOptionWithNegation( "-i", itfrel, iface_name.toStdString()).c_str(); if (rule->getDirection()==PolicyRule::Outbound) res << _printSingleOptionWithNegation( "-o", itfrel, iface_name.toStdString()).c_str(); } res << ""; } return res.join(" ").toStdString(); } string PolicyCompiler_ipt::PrintRule::_printActionOnReject(PolicyRule *rule) { std::ostringstream str; PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); // RuleElementSrv *srvrel=rule->getSrv(); Service *srv = compiler->getFirstSrv(rule); assert(srv); string s = ipt_comp->getActionOnReject(rule); if (!s.empty()) { if (ipt_comp->isActionOnRejectTCPRST(rule)) str << " --reject-with tcp-reset"; if (s.find("ICMP")!=string::npos) { if (ipt_comp->ipv6) { if (s.find("unreachable")!=string::npos) { if (s.find("net")!=string::npos || s.find("host")!=string::npos) str << " --reject-with icmp6-addr-unreachable"; if (s.find("port")!=string::npos || s.find("proto")!=string::npos) str << " --reject-with icmp6-port-unreachable"; } if 
(s.find("prohibited")!=string::npos) { str << " --reject-with icmp6-adm-prohibited"; } } else { if (s.find("unreachable")!=string::npos) { if (s.find("net")!=string::npos) str << " --reject-with icmp-net-unreachable"; if (s.find("host")!=string::npos) str << " --reject-with icmp-host-unreachable"; if (s.find("port")!=string::npos) str << " --reject-with icmp-port-unreachable"; if (s.find("proto")!=string::npos) str << " --reject-with icmp-proto-unreachable"; } if (s.find("prohibited")!=string::npos) { if (s.find("net")!=string::npos) str << " --reject-with icmp-net-prohibited"; if (s.find("host")!=string::npos) str << " --reject-with icmp-host-prohibited"; if (XMLTools::version_compare(version, "1.2.9")>=0 && s.find("admin")!=string::npos) str << " --reject-with icmp-admin-prohibited"; } } } } str << " "; return str.str(); } string PolicyCompiler_ipt::PrintRule::_printGlobalLogParameters() { return _printLogParameters(NULL); } string PolicyCompiler_ipt::PrintRule::_printLogPrefix(const string &rule_num, const string &action, const string &interf, const string &chain, const string &ruleset, const string& , const string &prefix) { string s = prefix; /* deal with our logging macros: * %N - rule number ('2', or '2/3' for rule in a branch) * %A - action * %I - interface name * %C - chain name * %R - ruleset name */ string::size_type n; if ((n=s.find("%N"))!=string::npos ) { s.replace(n, 2, rule_num); } if ((n=s.find("%A"))!=string::npos ) { s.replace(n, 2, action); } if ((n=s.find("%I"))!=string::npos ) { s.replace(n, 2, interf); } if ((n=s.find("%C"))!=string::npos ) { s.replace(n, 2, chain); } if ((n=s.find("%R"))!=string::npos ) { s.replace(n, 2, ruleset); } if (s.length()>29) { compiler->warning( "Log prefix has been truncated to 29 characters"); s=s.substr(0,29); } return _quote( s ); } string PolicyCompiler_ipt::PrintRule::_printLogPrefix(PolicyRule *rule, const string &prefix) { FWObject *ruleset = rule->getParent(); QString action = 
QString(rule->getStr("stored_action").c_str()).toUpper(); RuleElementItf *itf_re = rule->getItf(); assert(itf_re!=NULL); FWObject *rule_iface = FWObjectReference::getObject(itf_re->front()); string rule_iface_name = rule_iface->getName(); if (rule_iface_name=="") rule_iface_name = "global"; if (rule_iface_name=="Any") rule_iface_name = "global"; std::ostringstream s1; int pos = rule->getPosition(); // parent_rule_num is set by processor "Branching" for branch rules string ppos = rule->getStr("parent_rule_num"); if (ppos != "") s1 << ppos << "/"; s1 << pos; return _printLogPrefix(s1.str(), action.toStdString(), rule_iface_name, rule->getStr("ipt_chain"), ruleset->getName(), rule->getLabel(), prefix); } string PolicyCompiler_ipt::PrintRule::_printLogParameters(PolicyRule *rule) { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); std::ostringstream str; string s; FWOptions *ruleopt = (rule!=NULL) ? rule->getOptionsObject() : compiler->getCachedFwOpt(); // there is no ULOG for ip6tables yet bool use_ulog = (!ipt_comp->ipv6 && compiler->getCachedFwOpt()->getBool("use_ULOG")); if (use_ulog) { s=ruleopt->getStr("ulog_nlgroup"); if (s.empty()) s=compiler->getCachedFwOpt()->getStr("ulog_nlgroup"); if (!s.empty()) str << " --ulog-nlgroup " << s; s=ruleopt->getStr("log_prefix"); if (s.empty()) s=compiler->getCachedFwOpt()->getStr("log_prefix"); if (!s.empty()) str << " --ulog-prefix " << _printLogPrefix(rule, s); int r=compiler->getCachedFwOpt()->getInt("ulog_cprange"); if (r!=0) str << " --ulog-cprange " << r << " "; r=compiler->getCachedFwOpt()->getInt("ulog_qthreshold"); if (r!=0) str << " --ulog-qthreshold " << r << " "; } else { bool numeric_levels; numeric_levels=compiler->getCachedFwOpt()->getBool("use_numeric_log_levels"); s=ruleopt->getStr("log_level"); if (s.empty()) s=compiler->getCachedFwOpt()->getStr("log_level"); if (!s.empty()) { if ( numeric_levels ) { if (s=="alert") s="1"; if (s=="crit") s="2"; if (s=="error") s="3"; if (s=="warning") s="4"; if 
(s=="notice") s="5"; if (s=="info") s="6"; if (s=="debug") s="7"; } str << " --log-level " << s; } s=ruleopt->getStr("log_prefix"); if (s.empty()) s=compiler->getCachedFwOpt()->getStr("log_prefix"); if (!s.empty()) str << " --log-prefix " << _printLogPrefix(rule, s); if (ruleopt->getBool("log_tcp_seq") || compiler->getCachedFwOpt()->getBool("log_tcp_seq")) str << " --log-tcp-sequence "; if (ruleopt->getBool("log_tcp_opt") || compiler->getCachedFwOpt()->getBool("log_tcp_opt")) str << " --log-tcp-options "; if (ruleopt->getBool("log_ip_opt") || compiler->getCachedFwOpt()->getBool("log_ip_opt")) str << " --log-ip-options "; } return str.str(); } string PolicyCompiler_ipt::PrintRule::_printLimit(libfwbuilder::PolicyRule *rule) { std::ostringstream str; string s; int l, lb; FWOptions *ruleopt =rule->getOptionsObject(); FWOptions *compopt =compiler->getCachedFwOpt(); if ( (ruleopt!=NULL && (l=ruleopt->getInt("limit_value"))>0) || (l=compopt->getInt("limit_value"))>0 ) { str << " -m limit --limit " << l; if (ruleopt!=NULL) s=ruleopt->getStr("limit_suffix"); if (s.empty()) s=compopt->getStr("limit_suffix"); if (!s.empty()) str << s; lb=-1; if (ruleopt!=NULL) lb=ruleopt->getInt("limit_burst"); if (lb<0) lb=compopt->getInt("limit_burst"); if (lb>0) str << " --limit-burst " << lb; } return str.str(); } string PolicyCompiler_ipt::PrintRule::_printProtocol(Service *srv) { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); string s; // CustomService returns protocol name starting with v3.0.4 // However CustomService can return protocol name "any", which we should // just skip. 
if (CustomService::isA(srv)) { // check if the code string for this custom service already includes // "-p proto" fragment string code = CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName()); std::size_t minus_p = code.find("-p "); if (minus_p != string::npos) return ""; string pn = srv->getProtocolName(); if (pn == "any") return ""; } if (!srv->isAny() && !TagService::isA(srv) && !UserService::isA(srv)) { string pn = srv->getProtocolName(); if (pn=="ip" || pn=="any") pn = "all"; if (ipt_comp->ipv6) { if (ICMPService::isA(srv)) { compiler->abort( "Can not use ICMPService in ipv6 rule; " "use ICMP6Service object instead"); } if (ICMP6Service::isA(srv)) { s = "-p ipv6-icmp "; if (srv->getInt("type")!=-1 && (version.empty() || XMLTools::version_compare(version, "1.3.0")>=0)) s += " -m icmp6"; } else { // ip6tables issues warning for commands using "-p all" // Warning: never matched protocol: all. use exension match instead // Skip "-p all" if ipv6 if (pn!="all") s = "-p " + pn + " "; } } else { if (ICMP6Service::isA(srv)) { compiler->abort( "Can not use ICMP6Service in ipv4 rule; " "use ICMPService object instead"); } if (ICMPService::isA(srv)) { s = "-p icmp "; if (version.empty() || XMLTools::version_compare(version, "1.2.9")>=0) s += " -m icmp "; } else { s = "-p " + pn + " "; } } if (pn == "tcp") s += "-m tcp "; if (pn == "udp") s += "-m udp "; } return s; } string PolicyCompiler_ipt::PrintRule::_printPorts(int rs,int re) { std::ostringstream str; compiler->normalizePortRange(rs,re); if (rs>0 || re>0) { if (rs==re) str << rs; else if (rs==0 && re!=0) str << ":" << re; else str << rs << ":" << re; } return str.str(); } string PolicyCompiler_ipt::PrintRule::_printSrcPorts(Service *srv) { std::ostringstream str; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs = TCPUDPService::cast(srv)->getSrcRangeStart(); int re = TCPUDPService::cast(srv)->getSrcRangeEnd(); str << _printPorts(rs,re); } return str.str(); } string 
PolicyCompiler_ipt::PrintRule::_printDstPorts(Service *srv) { std::ostringstream str; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs = TCPUDPService::cast(srv)->getDstRangeStart(); int re = TCPUDPService::cast(srv)->getDstRangeEnd(); str << _printPorts(rs,re); } return str.str(); } string PolicyCompiler_ipt::PrintRule::_printICMP(ICMPService *srv) { std::ostringstream str; if (ICMPService::cast(srv) && srv->getInt("type")!=-1) { str << srv->getStr("type"); if (srv->getInt("code")!=-1) str << "/" << srv->getStr("code") << " "; } return str.str(); } string PolicyCompiler_ipt::PrintRule::_printIP(IPService *srv, PolicyRule *rule) { PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); std::ostringstream str; if (srv->getBool("fragm") || srv->getBool("short_fragm")) { if (ipt_comp->ipv6) str << " -m frag --fragmore"; else str << " -f "; } string tos = srv->getTOSCode(); string dscp = srv->getDSCPCode(); if (!tos.empty()) str << " -m tos --tos " << tos; else if (!dscp.empty()) { if (dscp.find("BE")==0 || dscp.find("EF")==0 || dscp.find("AF")==0 || dscp.find("CS")==0) str << " -m dscp --dscp-class " << dscp; else str << " -m dscp --dscp " << dscp; } if (srv->hasIpOptions()) { if (!ipt_comp->ipv6) { str << " -m ipv4options "; if (version.empty() || XMLTools::version_compare(version, "1.4.3")<0) { // "old" ipv4options module if (srv->getBool("any_opt")) str << " --any-opt"; else { if (srv->getBool("lsrr")) str << " --lsrr"; if (srv->getBool("ssrr")) str << " --ssrr"; if (srv->getBool("rr")) str << " --rr"; if (srv->getBool("ts")) str << " --ts"; if (srv->getBool("rtralt")) str << " --ra"; } } else { // "new" ipv4options module if (srv->getBool("any_opt")) str << " --any"; else { QStringList options; if (srv->getBool("lsrr")) options << "lsrr"; if (srv->getBool("ssrr")) options << "ssrr"; if (srv->getBool("rr")) options << "record-route"; if (srv->getBool("ts")) options << "timestamp"; if (srv->getBool("rtralt")) options << "router-alert"; if (options.size() > 0) 
str << " --flags " << options.join(",").toStdString(); } } } else { compiler->abort( rule, "IP options match is not supported for IPv6."); } } return str.str(); } string PolicyCompiler_ipt::PrintRule::_printTCPFlags(libfwbuilder::TCPService *srv) { string str; if (srv->inspectFlags()) { TCPService::TCPFlag f1[2]={ TCPService::SYN }; TCPService::TCPFlag f2[7]={ TCPService::URG, TCPService::ACK, TCPService::PSH, TCPService::RST, TCPService::SYN, TCPService::FIN }; std::set none; std::set syn( f1, f1+1 ); std::set all_masks( f2 , f2+6 ); if (srv->getAllTCPFlags()==syn && srv->getAllTCPFlagMasks()==all_masks) str=" --tcp-flags SYN,RST,ACK SYN "; else { str=" --tcp-flags "; bool first=true; if (srv->getAllTCPFlagMasks()==all_masks) str+="ALL"; else { if (srv->getTCPFlagMask(TCPService::URG)) { if (!first) str+=","; str+="URG"; first=false; } if (srv->getTCPFlagMask(TCPService::ACK)) { if (!first) str+=","; str+="ACK"; first=false; } if (srv->getTCPFlagMask(TCPService::PSH)) { if (!first) str+=","; str+="PSH"; first=false; } if (srv->getTCPFlagMask(TCPService::RST)) { if (!first) str+=","; str+="RST"; first=false; } if (srv->getTCPFlagMask(TCPService::SYN)) { if (!first) str+=","; str+="SYN"; first=false; } if (srv->getTCPFlagMask(TCPService::FIN)) { if (!first) str+=","; str+="FIN"; first=false; } } str+=" "; if (srv->getAllTCPFlags()==none) str+="NONE"; else { first=true; if (srv->getTCPFlag(TCPService::URG)) { if (!first) str+=","; str+="URG"; first=false; } if (srv->getTCPFlag(TCPService::ACK)) { if (!first) str+=","; str+="ACK"; first=false; } if (srv->getTCPFlag(TCPService::PSH)) { if (!first) str+=","; str+="PSH"; first=false; } if (srv->getTCPFlag(TCPService::RST)) { if (!first) str+=","; str+="RST"; first=false; } if (srv->getTCPFlag(TCPService::SYN)) { if (!first) str+=","; str+="SYN"; first=false; } if (srv->getTCPFlag(TCPService::FIN)) { if (!first) str+=","; str+="FIN"; first=false; } } } } return str; } /* * we made sure that all services in rel represent 
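the same protocol */

/*
 * Source-port part of the service match for rule element `rel`.
 *
 * One object: " --sport <range>", with the "!" placed by
 * _printSingleOptionWithNegation. Several objects: the multiport form
 * " --sports a,b,c " (" --source-port " when newIptables() says no).
 * Only TCP/UDP objects carry source ports; other service types contribute
 * nothing.
 *
 * Fix: the multiport join used to put "," in front of every member after
 * the first even when that member had no source-port range, so a list such
 * as {1024:65535, ssh} came out as "--sports 1024:65535," and iptables
 * rejected the rule. Separators are now placed only between non-empty
 * ranges, the same way _printDstService already did it.
 */
string PolicyCompiler_ipt::PrintRule::_printSrcService(RuleElementSrv *rel)
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    std::ostringstream ostr;

    /* I do not want to use rel->getFirst because it traverses the tree to
     * find the object. I'd rather use a cached copy in the compiler */
    FWObject *first_obj = rel->front();
    if (first_obj && FWReference::cast(first_obj) != NULL)
        first_obj = FWReference::cast(first_obj)->getPointer();
    Service *srv = Service::cast(first_obj);

    if (rel->size() == 1)
    {
        if (UDPService::isA(srv) || TCPService::isA(srv) || TagService::isA(srv))
        {
            string ports = _printSrcPorts(srv);
            if (!ports.empty())
                ostr << _printSingleOptionWithNegation(" --sport", rel, ports);
        }
        return ostr.str();
    }

    /* use multiport: join the non-empty source ranges of all members */
    string joined;
    for (FWObject::iterator i = rel->begin(); i != rel->end(); ++i)
    {
        FWObject *member = *i;
        if (FWReference::cast(member) != NULL)
            member = FWReference::cast(member)->getPointer();
        Service *s = Service::cast(member);
        assert(s);

        // every member is of the same protocol as the first one (see the
        // comment above this function), so testing the member itself is
        // equivalent to the old test on `srv` and reads less surprising
        if (!UDPService::isA(s) && !TCPService::isA(s)) continue;

        string ports = _printSrcPorts(s);
        if (ports.empty()) continue;            // no range -> no separator
        if (!joined.empty()) joined += ",";
        joined += ports;
    }

    if (!joined.empty())
    {
        if (ipt_comp->newIptables(version)) ostr << " --sports ";
        else ostr << " --source-port ";
        ostr << joined << " ";
    }
    return ostr.str();
}

/*
 * Destination-port / protocol-specific part of the service match for `rel`.
 *
 * Several objects: multiport " --dports a,b,c " (or " --destination-port ")
 * built from the TCP/UDP members. One object: each service class adds its
 * own fragment: --dport and TCP flags, ICMP type/code, IP options / TOS /
 * fragments, custom code, "-m mark --mark", "-m owner --uid-owner".
 *
 * Security note: a CustomService's code is pasted into the generated shell
 * script verbatim, so it is trusted exactly as far as whoever edits the
 * policy is. A line break inside it would end the iptables command early
 * and make the rest a separate shell command, so that case is now refused.
 */
string PolicyCompiler_ipt::PrintRule::_printDstService(RuleElementSrv *rel)
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    std::ostringstream ostr;

    FWObject *first_obj = rel->front();
    if (first_obj && FWReference::cast(first_obj) != NULL)
        first_obj = FWReference::cast(first_obj)->getPointer();
    Service *srv = Service::cast(first_obj);

    if (rel->size() != 1)
    {
        /* use multiport */
        string joined;
        for (FWObject::iterator i = rel->begin(); i != rel->end(); ++i)
        {
            FWObject *member = *i;
            if (FWReference::cast(member) != NULL)
                member = FWReference::cast(member)->getPointer();
            Service *s = Service::cast(member);
            assert(s);

            if (!UDPService::isA(s) && !TCPService::isA(s)) continue;

            string ports = _printDstPorts(s);
            if (ports.empty()) continue;
            if (!joined.empty()) joined += ",";
            joined += ports;
        }
        if (!joined.empty())
        {
            if (ipt_comp->newIptables(version)) ostr << " --dports ";
            else ostr << " --destination-port ";
            ostr << joined << " ";
        }
        return ostr.str();
    }

    // single object: several of these branches may apply to the same class
    // (a TCPService gets both the port and the flags fragment)
    if (UDPService::isA(srv) || TCPService::isA(srv))
    {
        string ports = _printDstPorts(srv);
        if (!ports.empty())
            ostr << _printSingleOptionWithNegation(" --dport", rel, ports);
    }

    if (TCPService::isA(srv))
    {
        string flags = _printTCPFlags(TCPService::cast(srv));
        if (!flags.empty())
            ostr << _printSingleOptionWithNegation("", rel, flags);
    }

    if (ICMPService::isA(srv) || ICMP6Service::isA(srv))
    {
        string type_opt = ipt_comp->ipv6 ? " --icmpv6-type" : " --icmp-type";
        string type_arg = _printICMP(ICMPService::cast(srv));
        if (!type_arg.empty())
        {
            ostr << _printSingleOptionWithNegation(type_opt, rel, type_arg);
        }
        else if (!ipt_comp->ipv6 &&
                 (version.empty() || XMLTools::version_compare(version, "1.2.6") > 0))
        {
            // module icmp6 does not like "--icmp6-type any"
            ostr << type_opt << " any ";
        }
    }

    if (IPService::isA(srv))
    {
        string ip_match = _printIP(IPService::cast(srv),
                                   PolicyRule::cast(rel->getParent()));
        if (!ip_match.empty())
            ostr << _printSingleObjectNegation(rel) << ip_match << " ";
    }

    if (CustomService::isA(srv))
    {
        string code = CustomService::cast(srv)->getCodeForPlatform(
            compiler->myPlatformName());
        if (code.find_first_of("\r\n") != string::npos)
            compiler->abort(PolicyRule::cast(rel->getParent()),
                            "Custom service code must not contain line breaks");
        ostr << _printSingleObjectNegation(rel) << " " << code << " ";
    }

    if (TagService::isA(srv))
    {
        ostr << "-m mark " << _printSingleObjectNegation(rel)
             << "--mark " << TagService::constcast(srv)->getCode() << " ";
    }

    if (UserService::isA(srv))
    {
        ostr << "-m owner " << _printSingleObjectNegation(rel)
             << "--uid-owner " << UserService::cast(srv)->getUserId() << " ";
    }

    return ostr.str();
}

/*
 * "-s" side of the address match for object `o` in rule element `rel`.
 *
 * AddressRange -> "-m iprange --src-range a-b" (the module is emitted once
 * per rule line, tracked by have_m_iprange). AddressTable expanded through
 * ipset -> "-m set ..." (see _printIpSetMatch). Anything else -> " -s <addr>".
 *
 * Fix: a one-address range used to be printed as plain "-s a " without the
 * "!" of a negated element, so the rule matched the opposite of what the
 * policy said; every other branch already carried the negation.
 */
string PolicyCompiler_ipt::PrintRule::_printSrcAddr(RuleElement *rel, Address *o)
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);

    AddressRange *ar = AddressRange::cast(o);
    if (ar != NULL)
    {
        const InetAddr &range_start = ar->getRangeStart();
        const InetAddr &range_end = ar->getRangeEnd();
        if (range_start != range_end)
        {
            string res;
            if (!have_m_iprange)
            {
                res = "-m iprange ";
                have_m_iprange = true;
            }
            res += _printSingleObjectNegation(rel) + "--src-range ";
            res += range_start.toString() + "-" + range_end.toString() + " ";
            return res;
        }
        // degenerate one-address range: plain match, negation preserved
        return _printSingleOptionWithNegation("-s", rel, range_start.toString());
    }

    MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
    if (atrt != NULL &&
        atrt->getSubstitutionTypeName() == AddressTable::TYPENAME &&
        ipt_comp->using_ipset)
    {
        return _printIpSetMatch(o, rel);
    }

    return _printSingleOptionWithNegation(" -s", rel, _printAddr(o));
}

/*
 * "-d" side of the address match; mirror image of _printSrcAddr
 * ("--dst-range", " -d"), including the fix for negated one-address ranges.
 */
string PolicyCompiler_ipt::PrintRule::_printDstAddr(RuleElement *rel, Address *o)
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);

    AddressRange *ar = AddressRange::cast(o);
    if (ar != NULL)
    {
        const InetAddr &range_start = ar->getRangeStart();
        const InetAddr &range_end = ar->getRangeEnd();
        if (range_start != range_end)
        {
            string res;
            if (!have_m_iprange)
            {
                res = "-m iprange ";
                have_m_iprange = true;
            }
            res += _printSingleObjectNegation(rel) + "--dst-range ";
            res += range_start.toString() + "-" + range_end.toString() + " ";
            return res;
        }
        return _printSingleOptionWithNegation("-d", rel, range_start.toString());
    }

    MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
    if (atrt != NULL &&
        atrt->getSubstitutionTypeName() == AddressTable::TYPENAME &&
        ipt_comp->using_ipset)
    {
        return _printIpSetMatch(o, rel);
    }

    return _printSingleOptionWithNegation(" -d", rel, _printAddr(o));
}

/*
 * "-m set --match-set <name> src|dst" for an AddressTable object that is
 * loaded into an ipset at run time ("--set" on iptables before 1.4.4).
 * The set name is normalised by the OS configurator; the src/dst suffix
 * follows the rule element the object sits in (default dst).
 */
string PolicyCompiler_ipt::PrintRule::_printIpSetMatch(Address *o, RuleElement *rel)
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    OSConfigurator_linux24 *osconf =
        dynamic_cast<OSConfigurator_linux24*>(ipt_comp->osconfigurator);

    string set_name = osconf->normalizeSetName(o->getName());
    string suffix = RuleElementSrc::isA(rel) ? "src" : "dst";
    string set_match_option =
        (XMLTools::version_compare(version, "1.4.4") >= 0) ? "--match-set" : "--set";

    ostringstream ostr;
    ostr << "-m set "
         << _printSingleOptionWithNegation(
                "", rel, set_match_option + " " + set_name + " " + suffix);
    return ostr.str();
}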
/*
 * Render one address object as the argument text of an iptables "-s"/"-d"
 * option (or as a shell variable reference that expands to it at run time).
 *
 * Returns:
 *   - "$at_<name> "            for a run-time AddressTable (variable name
 *                               produced by getAddressTableVarName)
 *   - the raw DNS name         for a run-time DNSName (no trailing space,
 *                               unlike every other branch — callers must
 *                               cope with that)
 *   - "$i_<source>_network"    for AttachedNetworks
 *   - "$<iface var> "          for a dynamic interface, "" for a static one
 *   - "0/0 "                   for any-address / any-mask
 *   - "a.b.c.d[/len] "         otherwise; the prefix length is added only
 *                               for non-interface objects whose dimension()
 *                               is > 1 and whose mask is not a host mask
 *   - ""                       (after a compiler warning) when the object
 *                               carries no inet address at all
 *
 * NOTE(review): the DNSName and AttachedNetworks source names are written
 * out unchanged, whereas the AddressTable and interface branches go through
 * name normalisation (getAddressTableVarName / getInterfaceVarName).
 * Confirm that those names are validated before they reach the generated
 * script, since the rule line ends up on a shell command line.
 */
string PolicyCompiler_ipt::PrintRule::_printAddr(Address *o)
{
    PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler);
    std::ostringstream ostr;
    MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
    if (atrt!=NULL)
    {
        if (atrt->getSubstitutionTypeName()==AddressTable::TYPENAME)
        {
            ostr << "$" << ipt_comp->getAddressTableVarName(atrt) << " ";
            return ostr.str();
        }
        if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME)
        {
            return atrt->getSourceName();
        }
        if (atrt->getSubstitutionTypeName()==AttachedNetworks::TYPENAME)
        {
            ostr << "$i_" << atrt->getSourceName() << "_network";
            return ostr.str();
        }
        // at this time we only support two types of MultiAddress
        // objects: AddressTable and DNSName. Both should be converted
        // to MultiAddressRunTime at this point. If we get some other
        // kind of MultiAddressRunTime object, we do not know what to do
        // with it so we stop.
        // NOTE(review): assert() is compiled out under NDEBUG; in that
        // configuration an unknown MultiAddressRunTime type silently falls
        // through to the plain address/netmask path below.
        assert(atrt==NULL);
    }
    if (Interface::cast(o)!=NULL)
    {
        Interface *iface=Interface::cast(o);
        // Only dynamic interfaces are referenced through a shell variable
        // (their address is discovered when the script runs); a static
        // interface yields an empty string here.
        if (iface->isDyn())
            ostr << "$" << ipt_comp->getInterfaceVarName(iface, ipt_comp->ipv6) << " ";
        return ostr.str();
    }
    const InetAddr *addr = o->getAddressPtr();
    const InetAddr *mask = o->getNetmaskPtr();
    if (addr==NULL)
    {
        compiler->warning(
            string("Empty inet address in object ") + o->getName() + "(" + FWObjectDatabase::getStringId(o->getId()) + ")");
        return ostr.str();
    }
    // Note that mask can be NULL, for example if o is AddressRange.
    if (addr->isAny() && (mask==NULL || mask->isAny()))
    {
        ostr << "0/0 ";
    }
    else
    {
        ostr << addr->toString();
        // NOTE(review): mask is dereferenced here without a NULL check even
        // though the comment above says it can be NULL. This is only safe if
        // every object without a netmask has dimension() <= 1 — confirm, or
        // add "mask!=NULL &&" to the condition.
        if (Interface::cast(o)==NULL && Address::cast(o)->dimension() > 1 && !mask->isHostMask())
        {
            ostr << "/" << mask->getLength();
        }
        ostr << " ";
    }
    return ostr.str();
}

/*
 * Render the "-m time" match for the rule's time interval.
 *
 * Uses the first Interval of the rule's "When" element (compiler->getFirstWhen).
 * Returns "" when the rule has no interval or it is "any".
 *
 * Unset (negative) start hour/minute default to 00:00, unset end hour/minute
 * to 23:59.
 *
 * iptables >= 1.4.0: when a complete start (or end) date is present the
 * ISO 8601 "--datestart"/"--datestop" form is used, otherwise
 * "--timestart"/"--timestop"; a day subset is passed with "--weekdays";
 * "--kerneltz" is appended for >= 1.4.11 when the firewall option
 * use_kerneltz is set.
 * Older iptables: "--timestart"/"--timestop" and "--days".
 *
 * days_of_week is expected to be a comma-separated list of day indices
 * (0..7, 7 being Sunday again); "0,1,2,3,4,5,6" means every day and produces
 * no day option at all.
 *
 * NOTE(review): the day-list parser only stops on eof(). If the string is
 * ever not a list of integers, "istr >> d" fails, eof is never reached and
 * the loop does not terminate. An index outside the map inserts an empty
 * name via operator[] and emits an empty token. The value comes from the
 * rule data; confirm it is validated on load.
 */
string PolicyCompiler_ipt::PrintRule::_printTimeInterval(PolicyRule *r)
{
    std::ostringstream ostr;
    RuleElementInterval* ri=r->getWhen();
    if (ri==NULL || ri->isAny()) return "";
    std::map daysofweek;
    daysofweek[0]="Sun";
    daysofweek[1]="Mon";
    daysofweek[2]="Tue";
    daysofweek[3]="Wed";
    daysofweek[4]="Thu";
    daysofweek[5]="Fri";
    daysofweek[6]="Sat";
    daysofweek[7]="Sun";
    int smin, shour, sday, smonth, syear, sdayofweek;
    int emin, ehour, eday, emonth, eyear, edayofweek;
    string days_of_week;
    Interval *interval = compiler->getFirstWhen(r);
    assert(interval!=NULL);
    interval->getStartTime( &smin, &shour, &sday, &smonth, &syear, &sdayofweek);
    interval->getEndTime( &emin, &ehour, &eday, &emonth, &eyear, &edayofweek);
    days_of_week = interval->getDaysOfWeek();
    // negative values mean "not set": default to the full day
    if (shour<0) shour=0;
    if (smin<0) smin=0;
    if (ehour<0) ehour=23;
    if (emin<0) emin=59;
    ostr << "-m time ";
    bool use_timestart_timestop = true;
    if (XMLTools::version_compare(version, "1.4.0")>=0)
    {
        /* in 1.4.0 date format has changed, it is now ISO 8601
         * http://www.w3.org/TR/NOTE-datetime
         *
         * --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
         *
         * --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
         */
        if (sday>0 && smonth>0 && syear>0)
        {
            ostr << "--datestart " << setw(2) << setfill('0') << syear << "-" << setw(2) << setfill('0') << smonth << "-" << setw(2) << setfill('0') << sday << "T" << setw(2) << setfill('0') << shour << ":" << setw(2) << setfill('0') << smin << ":00 ";
            use_timestart_timestop = false;
        }
        if (eday>0 && emonth>0 && eyear>0)
        {
            ostr << "--datestop " << setw(2) << setfill('0') << eyear << "-" << setw(2) << setfill('0') << emonth << "-" << setw(2) << setfill('0') << eday << "T" << setw(2) << setfill('0') << ehour << ":" << setw(2) << setfill('0') << emin << ":00 ";
            use_timestart_timestop = false;
        }
        // the time-of-day form is only used when neither date was given
        if (use_timestart_timestop)
        {
            ostr << " --timestart " << setw(2) << setfill('0') << shour << ":" << setw(2) << setfill('0') << smin << " ";
            ostr << " --timestop " << setw(2) << setfill('0') << ehour << ":" << setw(2) << setfill('0') << emin << " ";
        }
        if (!days_of_week.empty() && days_of_week != "0,1,2,3,4,5,6")
        {
            ostr << " --weekdays ";
            istringstream istr(days_of_week);
            bool first= true;
            while (!istr.eof())
            {
                if (!first) ostr << ',';
                first = false;
                int d;
                istr >> d;
                ostr << daysofweek[d];
                char sep;
                istr >> sep;
            }
        }
        if ( (XMLTools::version_compare(version, "1.4.11") >=0 ) && compiler->getCachedFwOpt()->getBool("use_kerneltz"))
        {
            ostr << " --kerneltz";
        }
    }
    else
    {
        /* "old" iptables time module
           TIME v1.2.11 options:
           --timestart value --timestop value --days listofdays
           timestart value : HH:MM
           timestop value : HH:MM
           listofdays value: a list of days to apply -> ie. Mon,Tue,Wed,Thu,Fri. Case sensitive
         */
        ostr << " --timestart " << setw(2) << setfill('0') << shour << ":" << setw(2) << setfill('0') << smin << " ";
        ostr << " --timestop " << setw(2) << setfill('0') << ehour << ":" << setw(2) << setfill('0') << emin << " ";
        if (!days_of_week.empty() && days_of_week != "0,1,2,3,4,5,6")
        {
            ostr << " --days ";
            istringstream istr(days_of_week);
            bool first= true;
            while (!istr.eof())
            {
                if (!first) ostr << ',';
                first = false;
                int d;
                istr >> d;
                ostr << daysofweek[d];
                char sep;
                istr >> sep;
            }
        }
    }
    return ostr.str();
}

/*
 * PrintRule is the last processor in the chain: it turns fully expanded
 * PolicyRule objects into iptables command text. Only flags are set here;
 * everything that needs the compiler pointer is deferred to initialize().
 */
PolicyCompiler_ipt::PrintRule::PrintRule(const std::string &name) : PolicyRuleProcessor(name)
{
    init = true;
    print_once_on_top = true;
    // use delayed initialization for ipt_comp->minus_n_commands
    // because it requires pointer to the compiler which has not been
    // initialized yet when this constructor is executed.
    minus_n_tracker_initialized = false;
}

/*
 * Initialize some internal variables.
Need to do this in a separate * method because pointer to the compiler object is set by * RuleProcessor::setContext and is not available in constructor. */ void PolicyCompiler_ipt::PrintRule::initialize() { // retrieve and save version for _printSingleOptionWithNegation and others version = compiler->fw->getStr("version"); } bool PolicyCompiler_ipt::PrintRule::processNext() { PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); PolicyRule *rule =getNext(); if (rule==NULL) return false; string chain = rule->getStr("ipt_chain"); if (ipt_comp->chain_usage_counter[chain] > 0) { tmp_queue.push_back(rule); compiler->output << _printRuleLabel(rule); compiler->output << _createChain(rule->getStr("ipt_chain")); string target = rule->getStr("ipt_target"); if (target[0] != '.') compiler->output << _createChain(target); compiler->output << dynamic_cast( compiler->osconfigurator)->printRunTimeWrappers( rule, PolicyRuleToString(rule), ipt_comp->ipv6); } return true; } string PolicyCompiler_ipt::PrintRule::PolicyRuleToString(PolicyRule *rule) { FWOptions *ruleopt = rule->getOptionsObject(); FWObject *ref; RuleElementSrc *srcrel=rule->getSrc(); ref=srcrel->front(); Address *src=Address::cast(FWReference::cast(ref)->getPointer()); if(src==NULL) compiler->abort(rule, string("Broken SRC in ") + rule->getLabel()); RuleElementDst *dstrel=rule->getDst(); ref=dstrel->front(); Address *dst=Address::cast(FWReference::cast(ref)->getPointer()); if(dst==NULL) compiler->abort(rule, string("Broken DST in ") + rule->getLabel()); RuleElementSrv *srvrel=rule->getSrv(); ref=srvrel->front(); Service *srv=Service::cast(FWReference::cast(ref)->getPointer()); if(srv==NULL) compiler->abort(rule, string("Broken SRV in ") + rule->getLabel()); std::ostringstream command_line; have_m_iprange = false; command_line << _startRuleLine(); command_line << _printChain(rule); command_line << _printDirectionAndInterface(rule); command_line << _printProtocol(srv); command_line << _printMultiport(rule); if 
(!src->isAny()) { if (physAddress::isA(src) || combinedAddress::isA(src)) { string physaddress = ""; if (physAddress::isA(src)) { physaddress = physAddress::cast(src)->getPhysAddress(); if (physaddress.empty()) { compiler->warning( rule, "Empty MAC address in rule"); physaddress = "00:00:00:00:00:00"; } } if (combinedAddress::isA(src)) physaddress = combinedAddress::cast(src)->getPhysAddress(); /* physAddress component of combinedAddress can be empty. For example * this happens when an object with both IP and MAC addresses is found * in "source" and rule is determined to go into OUTPUT chain. On the * other hand, if physAddress object has no MAC address, it is always * an error. */ if (!physaddress.empty()) { command_line << " -m mac"; command_line << _printSingleOptionWithNegation(" --mac-source", srcrel, physaddress); } /* * fool-proof: this is last resort check for situation when user * created IPv4 object for the interface but left it with empty * address ( 0.0.0.0 ). * * note that combinedAddress inherits IPv4 and therefore * combinedAddress::hasInetAddress returns true; * */ if (src->hasInetAddress() && !src->getAddressPtr()->isAny()) command_line << _printSrcAddr(srcrel, src); } else command_line << _printSrcAddr(srcrel, src); } command_line << _printSrcService(srvrel); if (!dst->isAny()) command_line << _printDstAddr(dstrel, dst); command_line << _printDstService(srvrel); /* keeping state does not apply to deny/reject however some rules need state check even if action is Deny autoupgrade transformation 2.1.11 -> 2.1.12 adds rule option 'stateless=True' for rules with action NOT 'Accept', 'Tag' or 'Route'. 
No need to check action here, just rely on this option and internal flag 'force_state_check' (05/07/07 --vk) */ if (!ruleopt->getBool("stateless") || rule->getBool("force_state_check") ) { string state_module_option; /* * But not, when the line already contains a state matching */ if (XMLTools::version_compare(version, "1.4.4")>=0) state_module_option = "conntrack --ctstate"; else state_module_option = "state --state"; if (command_line.str().find("-m " + state_module_option, 0) == string::npos) command_line << " -m " << state_module_option << " NEW "; } command_line << _printTimeInterval(rule); command_line << _printModules(rule); command_line << _printTarget(rule); command_line << _endRuleLine(); // command_line << endl; return command_line.str(); } string PolicyCompiler_ipt::PrintRule::_declareTable() { return ""; } string PolicyCompiler_ipt::PrintRule::_commit() { return ""; } string PolicyCompiler_ipt::PrintRule::_clampTcpToMssRule() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); ostringstream res; if ( compiler->getCachedFwOpt()->getBool("clamp_mss_to_mtu")) { bool ipforw; if (ipt_comp->ipv6) { string s = compiler->getCachedFwOpt()->getStr("linux24_ipv6_forward"); ipforw = (s.empty() || s=="1" || s=="On" || s=="on"); // bug #2477775: target TCPMSS is not available in ip6tables // before 1.4.0 In fact I am not sure of the minimal required // version. 
According to the netfilter git log, it was added in // 1.3.8 if (XMLTools::version_compare(version, "1.3.8")<0) { if (ipforw) { res << "target TCPMSS is not supported by ip6tables before v1.3.8"; compiler->warning(res.str()); return "# " + res.str() + "\n\n"; } else return ""; } } else { string s = compiler->getCachedFwOpt()->getStr("linux24_ip_forward"); ipforw = (s.empty() || s=="1" || s=="On" || s=="on"); } if (ipforw) { res << _startRuleLine() << "FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" << _endRuleLine(); res << endl; } } return res.str(); } string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); ostringstream res; bool isIPv6 = ipt_comp->ipv6; string state_module_option; string s = compiler->getCachedFwOpt()->getStr("linux24_ip_forward"); bool ipforward= (s.empty() || s=="1" || s=="On" || s=="on"); s = compiler->getCachedFwOpt()->getStr("linux24_ipv6_forward"); bool ip6forward= (s.empty() || s=="1" || s=="On" || s=="on"); bool ipforw = ((!ipt_comp->ipv6 && ipforward) || (ipt_comp->ipv6 && ip6forward)); Configlet configlet(compiler->fw, "linux24", "automatic_rules"); configlet.removeComments(); configlet.collapseEmptyStrings(true); configlet.setVariable("begin_rule", _startRuleLine().c_str()); configlet.setVariable("end_rule", _endRuleLine().c_str()); configlet.setVariable("ipforw", ipforw); configlet.setVariable("accept_established", compiler->getCachedFwOpt()->getBool("accept_established") && ipt_comp->my_table=="filter"); if (XMLTools::version_compare(version, "1.4.4")>=0) state_module_option = "conntrack --ctstate"; else state_module_option = "state --state"; configlet.setVariable("state_module_option", state_module_option.c_str()); list ll = compiler->fw->getByTypeDeep(Interface::TYPENAME); for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { Interface *intf = Interface::cast( *i ); if (intf->isManagement()) { 
configlet.setVariable("management_interface", intf->getName().c_str()); break; } } _printBackupSSHAccessRules(&configlet); configlet.setVariable( "drop_new_tcp_with_no_syn", ! compiler->getCachedFwOpt()->getBool("accept_new_tcp_with_no_syn")); configlet.setVariable( "bridging_firewall", compiler->getCachedFwOpt()->getBool("bridging_fw")); configlet.setVariable( "add_rules_for_ipv6_neighbor_discovery", isIPv6 && compiler->getCachedFwOpt()->getBool("add_rules_for_ipv6_neighbor_discovery")); configlet.setVariable("drop_invalid", compiler->getCachedFwOpt()->getBool("drop_invalid") && !compiler->getCachedFwOpt()->getBool("log_invalid")); configlet.setVariable("drop_invalid_and_log", compiler->getCachedFwOpt()->getBool("drop_invalid") && compiler->getCachedFwOpt()->getBool("log_invalid")); configlet.setVariable("create_drop_invalid_chain", _createChain("drop_invalid").c_str()); if (compiler->getCachedFwOpt()->getBool("log_invalid") && !isIPv6 && compiler->getCachedFwOpt()->getBool("use_ULOG")) { configlet.setVariable("use_ulog", 1); string s = compiler->getCachedFwOpt()->getStr("ulog_nlgroup"); configlet.setVariable("use_nlgroup", !s.empty()); configlet.setVariable("nlgroup", s.c_str()); int r = compiler->getCachedFwOpt()->getInt("ulog_cprange"); configlet.setVariable("use_cprange", r!=0); configlet.setVariable("cprange", r); r = compiler->getCachedFwOpt()->getInt("ulog_qthreshold"); configlet.setVariable("use_qthreshold", r!=0); configlet.setVariable("qthreshold", r); } else configlet.setVariable("not_use_ulog", 1); configlet.setVariable("invalid_match_log_prefix", _printLogPrefix("-1", "DENY", "global", "drop_invalid", "Policy", "BLOCK INVALID", "INVALID state -- DENY ").c_str()); return configlet.expand().toStdString(); } void PolicyCompiler_ipt::PrintRule::_printBackupSSHAccessRules(Configlet *conf) { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); bool isIPv6 = ipt_comp->ipv6; if ( compiler->getCachedFwOpt()->getBool("mgmt_ssh") && ! 
compiler->getCachedFwOpt()->getStr("mgmt_addr").empty() ) { string addr_str = compiler->getCachedFwOpt()->getStr("mgmt_addr"); InetAddrMask *inet_addr = NULL; bool addr_is_good = true; if (isIPv6) { // check if given address is ipv6 try { inet_addr = new Inet6AddrMask(addr_str); } catch(const FWException &ex) { // address does not parse as ipv6, skip this rule. addr_is_good = false; QString err("Backup ssh access rule could not be added " "to IPv6 policy because specified address " "'%1' is invalid"); compiler->warning(err.arg(addr_str.c_str()).toStdString()); } } else { // check if given address parses as ipv4 try { inet_addr = new InetAddrMask(addr_str); } catch(const FWException &ex) { // address does not parse addr_is_good = false; QString err("Backup ssh access rule could not be added " "to IPv4 policy because specified address " "'%1' is invalid"); compiler->warning(err.arg(addr_str.c_str()).toStdString()); } } if (addr_is_good) { conf->setVariable("begin_rule", _startRuleLine().c_str()); conf->setVariable("end_rule", _endRuleLine().c_str()); conf->setVariable("mgmt_access", 1); conf->setVariable("ssh_management_address", inet_addr->toString().c_str()); } } } string PolicyCompiler_ipt::PrintRule::_quote(const string &s) { return "\"" + s + "\""; } fwbuilder-5.3.7/src/iptlib/PolicyCompiler_PrintRuleIptRst.cpp000066400000000000000000000072171303637203600244050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details.

To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "PolicyCompiler_ipt.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/Resources.h"
#include
#include
#include
#include
#include
#include

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

/**
 *-----------------------------------------------------------------------
 * Methods for printing
 *
 * PrintRuleIptRst writes rules in iptables-restore input format: a
 * "*<table>" header, ":<chain> - [0:0]" declarations, one "-A ..." line
 * per rule and a closing "COMMIT".
 */

/*
 * check and create new chain if needed
 *
 * Returns the ":chain - [0:0]" declaration the first time a chain name is
 * seen (tracked in ipt_comp->minus_n_commands) and "" afterwards. In
 * single-rule compile mode the declaration is suppressed but the chain is
 * still recorded so it is not declared later either.
 *
 * NOTE(review): the chain name is written out unescaped. It is assembled in
 * getNewChainName from interface and rule-set names; confirm those cannot
 * contain whitespace or quotes, which would break the restore input.
 */
string PolicyCompiler_ipt::PrintRuleIptRst::_createChain(const string &chain)
{
    string res;
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    // the tracker needs the compiler pointer, which is not available in
    // the constructor, hence lazy initialization on first use
    if (!minus_n_tracker_initialized) initializeMinusNTracker();
    if ( ipt_comp->minus_n_commands->count(chain)==0 )
    {
        if ( ! compiler->inSingleRuleCompileMode())
            res = ":" + chain + " - [0:0]\n";
        (*(ipt_comp->minus_n_commands))[chain] = true;
    }
    return res;
}

// Prefix of every rule line in restore format.
string PolicyCompiler_ipt::PrintRuleIptRst::_startRuleLine()
{
    return string("-A ");
}

// Terminator of every rule line in restore format.
string PolicyCompiler_ipt::PrintRuleIptRst::_endRuleLine()
{
    return string("\n");
}

/*
 * Emit the "# Rule <label>" header and the rule's comment before the rule,
 * delegating to compiler->printComment. Comments are suppressed when the
 * target host OS resource "suppress_comments" is set.
 *
 * NOTE(review): rule comments are user-entered text and "#" only comments
 * out one line of restore input. The retired implementation below split
 * the comment on "\n" and prefixed each line; confirm printComment does the
 * same so an embedded newline cannot produce an unprefixed line.
 */
string PolicyCompiler_ipt::PrintRuleIptRst::_printRuleLabel(PolicyRule *rule)
{
    bool nocomm = Resources::os_res[compiler->fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_comments");
    return compiler->printComment(rule, current_rule_label, "#", nocomm);
    // previous inline implementation, kept for reference only
#if 0
    ostringstream res;
    string rl=rule->getLabel();
    if (rl!=current_rule_label)
    {
        if (!compiler->inSingleRuleCompileMode() && !nocomm)
        {
            res << "# " << endl;
            res << "# Rule " << rl << endl;
            res << "# " << endl;
        }
        /* do not put comment in the script if it is intended for linksys */
        if (!nocomm || compiler->inSingleRuleCompileMode())
        {
            QStringList comm = QString(rule->getComment().c_str()).split("\n");
            foreach(QString line, comm)
            {
                res << "# " << line.toStdString() << endl;
            }
            //res << "# " << endl;
        }
        current_rule_label=rl;
    }
    return res.str();
#endif
}

// Clears the "print once on top" flag on the first rule, then defers to the
// base PrintRule::processNext.
bool PolicyCompiler_ipt::PrintRuleIptRst::processNext()
{
    if (print_once_on_top)
    {
        print_once_on_top=false;
    }
    return PolicyCompiler_ipt::PrintRule::processNext();
}

// "*<table>" header for the table this compiler instance targets.
string PolicyCompiler_ipt::PrintRuleIptRst::_declareTable()
{
    PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler);
    ostringstream res;
    res << "*" << ipt_comp->my_table << endl;
    return res.str();
}

string PolicyCompiler_ipt::PrintRuleIptRst::_commit()
{
    return "COMMIT\n";
}

// Wraps s in double quotes. No escaping is applied: a '"' inside s is
// passed through and will terminate the quoted argument early.
string PolicyCompiler_ipt::PrintRuleIptRst::_quote(const string &s)
{
    return "\"" + s + "\"";
}
fwbuilder-5.3.7/src/iptlib/PolicyCompiler_PrintRuleIptRstEcho.cpp000066400000000000000000000052151303637203600252000ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  See the GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "PolicyCompiler_ipt.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/Resources.h"
#include
#include
#include
#include
#include

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

/**
 *-----------------------------------------------------------------------
 * Methods for printing
 *
 * PrintRuleIptRstEcho produces the same restore-format text as
 * PrintRuleIptRst, but wrapped in shell "echo" commands so that the
 * generated script prints it (typically into iptables-restore). Every rule
 * line therefore sits inside a shell double-quoted string.
 *
 * NOTE(review): inside double quotes the shell still expands "$", backtick
 * and backslash sequences. _quote only protects '"'. Any rule text that may
 * contain those characters (labels, log prefixes, object names) must be
 * rejected or escaped before it reaches this printer; that validation is not
 * visible in this file.
 */

/*
 * check and create new chain if needed
 *
 * Same bookkeeping as PrintRuleIptRst::_createChain, but the declaration
 * is emitted as: echo ":<chain> - [0:0]"
 */
string PolicyCompiler_ipt::PrintRuleIptRstEcho::_createChain(const string &chain)
{
    string res;
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    if (!minus_n_tracker_initialized) initializeMinusNTracker();
    if ( ipt_comp->minus_n_commands->count(chain)==0 )
    {
        if ( ! compiler->inSingleRuleCompileMode())
            res = "echo \":" + chain + " - [0:0]\"\n";
        (*(ipt_comp->minus_n_commands))[chain] = true;
    }
    return res;
}

// Opens the shell double-quoted string; _endRuleLine closes it.
string PolicyCompiler_ipt::PrintRuleIptRstEcho::_startRuleLine()
{
    return string("echo \"-A ");
}

string PolicyCompiler_ipt::PrintRuleIptRstEcho::_endRuleLine()
{
    return string("\"\n");
}

bool PolicyCompiler_ipt::PrintRuleIptRstEcho::processNext()
{
    if (print_once_on_top)
    {
        print_once_on_top=false;
    }
    return PolicyCompiler_ipt::PrintRule::processNext();
}

// Table header; single quotes here, so the table name is not subject to
// shell expansion.
string PolicyCompiler_ipt::PrintRuleIptRstEcho::_declareTable()
{
    PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler);
    ostringstream res;
    res << "echo '*" << ipt_comp->my_table << "'" << endl;
    return res.str();
}

string PolicyCompiler_ipt::PrintRuleIptRstEcho::_commit()
{
    return "echo COMMIT\n";
}

// Wraps s in backslash-escaped double quotes (\"...\") so the quotes survive
// inside the enclosing echo "..." and reach iptables-restore as literal
// quotes. Characters inside s are not escaped.
string PolicyCompiler_ipt::PrintRuleIptRstEcho::_quote(const string &s)
{
    return "\\\"" + s + "\\\"";
}
fwbuilder-5.3.7/src/iptlib/PolicyCompiler_ipt.cpp000066400000000000000000005000121303637203600220760ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2002-2011 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we
release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "PolicyCompiler_ipt.h" #include "OSConfigurator_linux24.h" #include "ipt_utils.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/ObjectMatcher.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/physAddress.h" #include "combinedAddress.h" #include #include #include #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; static int chain_no=0; static std::list standard_chains; const std::list& 
PolicyCompiler_ipt::getStandardChains() { if (standard_chains.size()==0) { standard_chains.push_back("INPUT"); standard_chains.push_back("OUTPUT"); standard_chains.push_back("FORWARD"); standard_chains.push_back("PREROUTING"); standard_chains.push_back("POSTROUTING"); standard_chains.push_back("RETURN"); standard_chains.push_back("LOG"); standard_chains.push_back("ACCEPT"); standard_chains.push_back("DROP"); standard_chains.push_back("REJECT"); standard_chains.push_back("MARK"); standard_chains.push_back("CONNMARK"); standard_chains.push_back("QUEUE"); standard_chains.push_back("CLASSIFY"); standard_chains.push_back("ROUTE"); // pseudo-targets standard_chains.push_back(".CUSTOM"); standard_chains.push_back(".CONTINUE"); } return standard_chains; } PolicyCompiler_ipt::~PolicyCompiler_ipt() { // if (printRule) delete printRule; while (chains.size() > 0) { map::iterator i = chains.begin(); chain_list *cl = i->second; chains.erase(i); delete cl; } } string PolicyCompiler_ipt::myPlatformName() { return "iptables"; } void PolicyCompiler_ipt::registerChain(const string &chain_name) { map::iterator i = chains.find(chain_name); if (i==chains.end()) { chain_list *cl = new chain_list(); cl->push_back(chain_name); chains[chain_name] = cl; } } void PolicyCompiler_ipt::insertUpstreamChain(const string &chain_name, const string &before_chain) { if (!chain_name.empty()) { map::iterator i = chains.find(before_chain); if (i==chains.end()) return; chain_list *cl = i->second; list::iterator j = std::find(cl->begin(), cl->end(), before_chain); cl->insert(j, chain_name); } } string PolicyCompiler_ipt::findUpstreamChain(const string &chain_name) { map::iterator i = chains.find(chain_name); if (i==chains.end()) return ""; return i->second->front(); } void PolicyCompiler_ipt::setChain(PolicyRule *rule, const string &chain_name) { rule->setStr("ipt_chain", chain_name); string target = rule->getStr("ipt_target"); if (!target.empty()) { registerChain(target); insertUpstreamChain(chain_name, 
target); } } string PolicyCompiler_ipt::printChains(PolicyRule *rule) { string chain_name = rule->getStr("ipt_chain"); map::iterator i = chains.find(chain_name); if (i==chains.end() || i->second->size()==0) return chain_name; ostringstream res; for (list::iterator j=i->second->begin(); j!=i->second->end(); ++j) { res << *j; if (*j == chain_name) res << "*"; res << "[" << chain_usage_counter[*j] << "],"; } return res.str(); } bool PolicyCompiler_ipt::isChainDescendantOfOutput(const string &chain_name) { map::iterator i = chains.find(chain_name); if (i==chains.end()) return false; for (list::iterator j=i->second->begin(); j!=i->second->end(); ++j) if (*j=="OUTPUT") return true; return false; } bool PolicyCompiler_ipt::isChainDescendantOfInput(const string &chain_name) { map::iterator i = chains.find(chain_name); if (i==chains.end()) return false; for (list::iterator j=i->second->begin(); j!=i->second->end(); ++j) if (*j=="INPUT") return true; return false; } /* * this function generates acceptable shell variable name from * interface name. Note that OSConfigurator_linux24::getInterfaceVarName() * does the same and these two functions should be identical. * * TODO: really need to have one function for this instead of two in * two different classes. 
 */
/*
 * Build the shell variable name used for a (dynamic) interface's address:
 * "i_<name>" with '.' and '-' replaced by '_', plus a "_v6" suffix when v6.
 *
 * NOTE(review): only '.' and '-' are normalised; any other character that
 * is not valid in a shell identifier is passed through unchanged. Compare
 * getAddressTableVarName below, which handles a longer list — the two
 * helpers should agree on what a valid name is.
 */
string PolicyCompiler_ipt::getInterfaceVarName(FWObject *iface, bool v6)
{
    ostringstream ostr;
    string iname = iface->getName();
    string::size_type p1;
    while ( (p1=iname.find("."))!=string::npos) iname=iname.replace(p1,1,"_");
    while ( (p1=iname.find("-"))!=string::npos) iname=iname.replace(p1,1,"_");
    ostr << "i_" << iname;
    if (v6) ostr << "_v6";
    return ostr.str();
}

/*
 * Build the shell variable name used for a run-time AddressTable:
 * "at_<name>" with every character from bad_shell_chars replaced by '_'.
 * The result is emitted as "$at_<name>" in generated rules (see
 * PrintRule::_printAddr).
 *
 * NOTE(review): this is a blacklist. It does not cover single or double
 * quotes, backtick, ';', '/', '%', '^', '~', '@', control characters or
 * non-ASCII bytes, and a name beginning with a digit is left as is. A name
 * containing any of these is not a valid shell identifier and can change
 * how the generated script line is parsed. Replacing every character
 * outside [A-Za-z0-9_] (a whitelist) would be the safer rule.
 */
string PolicyCompiler_ipt::getAddressTableVarName(FWObject *at)
{
    ostringstream ostr;
    string name = at->getName();
    string::size_type p1;
    const char *bad_shell_chars = " !#$&*()-+=\\|{}[]?<>,.:";
    for (const char *cptr=bad_shell_chars; *cptr; cptr++)
    {
        while ((p1 = name.find(*cptr)) != string::npos)
            name = name.replace(p1,1,"_");
    }
    ostr << "at_" << name;
    return ostr.str();
}

/*
 * Name for a temporary chain belonging to a rule: "C<rule id>.<n>", where
 * n is a per-rule counter kept in tmp_chain_no. setw(1) means the counter
 * is effectively unpadded.
 */
string PolicyCompiler_ipt::getNewTmpChainName(PolicyRule *rule)
{
    std::ostringstream str;
    string chain_id = rule->getUniqueId();
    int n = tmp_chain_no[chain_id];
    str << "C" << chain_id;
    str << "." << setw(1) << setfill('0') << n;
    n++;
    tmp_chain_no[chain_id]=n;
    return str.str();
    // previous global-counter scheme, kept for reference only
#if 0
    std::ostringstream str;
    str << "ptmp" << setw(3) << setfill('0') << chain_no;
    chain_no++;
    return str.str();
#endif
}

/*
 * Name for the chain that holds a rule's generated commands:
 *
 *   [<iface>_][In_|Out_](<ruleset>_|RULE_)<position>[_<subrule_suffix>]
 *
 * The interface part is cut at the first '*' (wildcard interfaces); a rule
 * position of -1 is rendered as "000". rule_chain_no counts how many times
 * a given name was handed out but the count is no longer appended (see the
 * commented-out code), so repeated requests return the same name.
 *
 * NOTE(review): interface and rule-set names are user-chosen and are not
 * sanitised here; iptables also caps chain name length (around 28
 * characters in common versions). Neither is checked in this function —
 * confirm it happens elsewhere.
 */
string PolicyCompiler_ipt::getNewChainName(PolicyRule *rule, Interface *rule_iface)
{
    std::ostringstream str;
    /* if interface name ends with '*', this is a wildcard interface. We
     * do not want '*' to get incorporated into the chain name, so we
     * replace it with '_'
     */
    if (rule_iface)
    {
        string iface_name = rule_iface->getName();
        string::size_type n=iface_name.find("*");
        str << iface_name.substr(0,n) << "_";
    }
    switch (rule->getDirection())
    {
    case PolicyRule::Inbound:
        str << "In_";
        break;
    case PolicyRule::Outbound:
        str << "Out_";
        break;
    default: ;
    }
    int pos = rule->getPosition();
    string ruleset_name = getRuleSetName();
    if (ruleset_name != "Policy")
        str << ruleset_name << "_";
    else
        str << "RULE_";
    if (pos>=0)
        str << pos;
    else
        // special case: position == -1
        str << "000";
    string suffix = rule->getStr("subrule_suffix");
    if (!suffix.empty())
        str << "_" << suffix;
    string chain_name = str.str();
    int n = rule_chain_no[chain_name];
    n++;
    rule_chain_no[chain_name] = n;
    // if (n > 1)
    // {
    //     str << "_" << n;
    // }
    string full_chain_name = str.str();
    chain_no++;
    return full_chain_name;
}

/*
 * Expand an interface object for a rule as the base Compiler does, then
 * additionally expand it with its physical (MAC) addresses
 * (expand_interface_with_phys_address, see utils.cpp). Result goes to
 * list_result.
 */
void PolicyCompiler_ipt::_expand_interface(Rule *rule, Interface *iface, std::list &list_result, bool expand_cluster_interfaces_fully)
{
    std::list ol1;
    Compiler::_expand_interface( rule, iface, ol1, expand_cluster_interfaces_fully);
    // see utils.cpp
    expand_interface_with_phys_address(this, rule, iface, ol1, list_result);
}

// Per-rule "action_on_reject" option, as stored (may be empty).
string PolicyCompiler_ipt::getActionOnReject(PolicyRule *rule)
{
    FWOptions *ruleopt =rule->getOptionsObject();
    return ruleopt->getStr("action_on_reject");
}

// True when the rule's action_on_reject names a TCP reset variant
// (the option string contains "TCP ").
bool PolicyCompiler_ipt::isActionOnRejectTCPRST(PolicyRule *rule)
{
    string s = getActionOnReject(rule);
    return ( ! s.empty() && s.find("TCP ")!=string::npos );
}

/*
 * resets rule option "action_on_reject" so it won't be TCP RST
 * Algorithm:
 *
 *   if global option "action_on_reject" is not empty
 *       if global option is TCP RST
 *           set rule option value to "NOP"
 *       else
 *           copy value from global option to rule option
 *   else
 *       set rule option value to "none"
 *
 * ("NOP" and "none" are both markers that are not TCP RST; the code below
 * tags them as hacks.)
 */
void PolicyCompiler_ipt::resetActionOnReject(PolicyRule *rule)
{
    FWOptions *ruleopt =rule->getOptionsObject();
    string go = getCachedFwOpt()->getStr("action_on_reject");
    if (!go.empty())
    {
        if ( go.find("TCP ")!=string::npos )
        {
            ruleopt->setStr("action_on_reject", "NOP");  // hack.
        }
        else
        {
            ruleopt->setStr("action_on_reject", go);
        }
    }
    else
        ruleopt->setStr("action_on_reject", "none");  // hack.
}

// Mark a rule-set chain as used so it is printed (counter > 0).
void PolicyCompiler_ipt::registerRuleSetChain(const std::string &chain_name)
{
    chain_usage_counter[chain_name] = 1;
}

/*
 * Abort compilation unless the firewall's platform belongs to the
 * "iptables" family (Resources /FWBuilderResources/Target/family).
 */
void PolicyCompiler_ipt::verifyPlatform()
{
    string family = Resources::platform_res[fw->getStr("platform")]-> getResourceStr("/FWBuilderResources/Target/family");
    if (family != myPlatformName())
        abort("Unsupported platform " + fw->getStr("platform") + " (family " + family + ")");
}

/*
 * Compiler set-up, run once before the rule processors.
 *
 *  - verifies the platform and runs the base PolicyCompiler::prolog
 *  - seeds chain_usage_counter for the standard chains/targets
 *  - creates the persistent helper objects AnyTCP, tcpSYN (SYN flag set,
 *    all flag masks), AnyUDP, AnyICMP, AnyIP and Broadcast_addr
 *    (255.255.255.255/32) under fixed string ids
 *  - normalises every enabled rule's "firewall_is_part_of_any_and_networks"
 *    option to an int (legacy "True"/"False"/"" values, see comment inline)
 *  - decides whether "-m set" may be used (iptables >= 1.4.1.1 and firewall
 *    option use_m_set) and builds interface groups
 *  - counts bridge interfaces for PrintRule::_printDirectionAndInterface
 *
 * Returns the number of enabled rules in the source rule set.
 */
int PolicyCompiler_ipt::prolog()
{
    verifyPlatform();
    PolicyCompiler::prolog();
    addPredefinedPolicyRules();
    FWOptions *fwopt = getCachedFwOpt();
    // initialize counters for the standard chains
    for (list::const_iterator i = PolicyCompiler_ipt::getStandardChains().begin(); i != PolicyCompiler_ipt::getStandardChains().end(); ++i)
    {
        chain_usage_counter[*i] = 1;
    }
    Service *anytcp, *anyudp, *anyicmp, *anyip;
    Address *bcast255;
    TCPService *tcpsyn;
    anytcp=dbcopy->createTCPService();
    anytcp->setId(FWObjectDatabase::registerStringId(ANY_TCP_OBJ_ID));
    anytcp->setName("AnyTCP");
    persistent_objects->add(anytcp);
    tcpsyn=dbcopy->createTCPService();
    tcpsyn->setId(FWObjectDatabase::registerStringId(TCP_SYN_OBJ_ID));
    tcpsyn->setName("tcpSYN");
    tcpsyn->setTCPFlag(TCPService::SYN,true);
    tcpsyn->setAllTCPFlagMasks();
    persistent_objects->add(tcpsyn);
    anyudp=dbcopy->createUDPService();
    anyudp->setId(FWObjectDatabase::registerStringId(ANY_UDP_OBJ_ID));
    anyudp->setName("AnyUDP");
    persistent_objects->add(anyudp);
    anyicmp=dbcopy->createICMPService();
    anyicmp->setId(FWObjectDatabase::registerStringId(ANY_ICMP_OBJ_ID));
    anyicmp->setName("AnyICMP");
    persistent_objects->add(anyicmp);
    anyip=dbcopy->createIPService();
    anyip->setId(FWObjectDatabase::registerStringId(ANY_IP_OBJ_ID));
    anyip->setName("AnyIP");
    persistent_objects->add(anyip);
    bcast255=dbcopy->createIPv4();
    bcast255->setId(FWObjectDatabase::registerStringId(BCAST_255_OBJ_ID));
    bcast255->setName("Broadcast_addr");
    bcast255->setAddress(InetAddr::getAllOnes());
    bcast255->setNetmask(InetAddr(InetAddr::getAllOnes()));
    persistent_objects->add(bcast255);
    bool global_afpa = fwopt->getBool("firewall_is_part_of_any_and_networks");
    int n = 0;
    for(FWObject::iterator i=source_ruleset->begin(); i!=source_ruleset->end(); i++)
    {
        Rule *r = Rule::cast( *i );
        if (r == NULL) continue;
        if (r->isDisabled()) continue;
        FWOptions *ruleopt = r->getOptionsObject();
        string rule_afpa = ruleopt->getStr("firewall_is_part_of_any_and_networks");
        // in v3.0 rule options attribute "assume fw is part of any"
        // used to be a checkbox and therefore stored as boolean in
        // the rule options. Old "on" or "True" maps to "1", old "off"
        // or "False" maps to "use global" (it was impossible to turn
        // this option off for just one rule if it was on
        // globally). If this attribute has value of an empty string,
        // then we should use global setting from the firewall options
        // object.
        if (rule_afpa.empty())
            ruleopt->setInt("firewall_is_part_of_any_and_networks", global_afpa);
        if (rule_afpa == "True")
            ruleopt->setInt("firewall_is_part_of_any_and_networks", 1);
        if (rule_afpa == "False")
            ruleopt->setInt("firewall_is_part_of_any_and_networks", global_afpa);
        n++;
    }
    string version = fw->getStr("version");
    using_ipset = (XMLTools::version_compare(version, "1.4.1.1") >= 0 && fwopt->getBool("use_m_set"));
    actually_used_module_set = false;
    build_interface_groups(dbcopy, persistent_objects, fw, ipv6, regular_interfaces);
    // count bridge interfaces. We need this later in
    // PrintRule::_printDirectionAndInterface
    list l2 = fw->getByTypeDeep(Interface::TYPENAME);
    for (list::iterator i=l2.begin(); i!=l2.end(); ++i)
    {
        Interface *iface = Interface::cast(*i);
        assert(iface);
        string interface_type = iface->getOptionsObject()->getStr("type");
        if (interface_type == "bridge") bridge_count++;
    }
    return n;
}

// Hook for built-in rules; currently a no-op (the conntrack/failover
// insertion is commented out).
void PolicyCompiler_ipt::addPredefinedPolicyRules()
{
    // if (getSourceRuleSet()->isTop() && !inSingleRuleCompileMode())
    // {
    //     insertConntrackRule();
    //     insertFailoverRule();
    // }
}

/*
 * Drops rules whose target is the pseudo-target ".CONTINUE" and that do
 * nothing observable (no logging, tagging, classification or routing);
 * every other rule is passed through.
 */
bool PolicyCompiler_ipt::SkipActionContinueWithNoLogging::processNext()
{
    PolicyRule *rule=getNext();
    if (rule==NULL) return false;
    if ( ! rule->getStr("ipt_target").empty() && rule->getStr("ipt_target") == ".CONTINUE" && ! rule->getLogging() && ! rule->getTagging() && ! rule->getClassification() && ! rule->getRouting())
        return true;  // skip this rule
    tmp_queue.push_back(rule);
    return true;
}

/*
 * by the time this processor is called all non-terminating rules should
 * be processed if terminating behevior needs to be emulated.
 *
 * Only rules whose iptables target is one of the non-terminating
 * mangle-table targets (CLASSIFY, MARK) survive this processor.
 */
bool PolicyCompiler_ipt::dropTerminatingTargets::processNext()
{
    PolicyRule *cur = getNext();
    if (cur == NULL) return false;

    // Anything that is not CLASSIFY/MARK is silently consumed here.
    const string target = cur->getStr("ipt_target");
    const bool keep = (target == "CLASSIFY") || (target == "MARK");
    if (keep) tmp_queue.push_back(cur);

    return true;
}

/**
 * Tag / Classify / Route are mangle-table features.  When this
 * compiler instance is producing any other table (i.e. "filter"),
 * strip those flags so the rule is emitted as a plain filter rule.
 */
bool PolicyCompiler_ipt::clearTagClassifyInFilter::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *cur = getNext();
    if (cur == NULL) return false;

    const bool in_mangle = (ipt_comp->my_table == "mangle");
    if (!in_mangle)
    {
        cur->setTagging(false);
        cur->setClassification(false);
        cur->setRouting(false);
    }

    tmp_queue.push_back(cur);
    return true;
}

/**
 * In the mangle table a rule that tags or classifies must not carry a
 * terminating action: the action is implemented in the filter table,
 * so here it is downgraded to Continue.
 */
bool PolicyCompiler_ipt::clearActionInTagClassifyIfMangle::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *cur = getNext();
    if (cur == NULL) return false;

    if (ipt_comp->my_table == "mangle")
    {
        const bool marks_or_classifies =
            cur->getTagging() || cur->getClassification();
        if (marks_or_classifies) cur->setAction(PolicyRule::Continue);
    }

    tmp_queue.push_back(cur);
    return true;
}

/*
 * If a rule generates code in both the filter and the mangle tables
 * and has logging turned on, we should log only once, and we log in
 * filter.  However, if the rule belongs to a mangle-only rule set there
 * is no filter counterpart, so we log in mangle.
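 */
bool PolicyCompiler_ipt::clearLogInMangle::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject();

    // A mangle-only rule set has no filter-table counterpart, so its
    // mangle rules are the only place the rule can log: leave logging on.
    // Otherwise the filter table logs and the mangle copy stays quiet.
    if (!rulesetopts->getBool("mangle_only_rule_set") &&
        ipt_comp->my_table == "mangle")
        rule->setLogging(false);

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Mangle-table expansion of a rule that tags, classifies and/or routes.
 *
 * Each of Tag, Classify and Route becomes its own iptables rule.  When
 * more than one option is set AND the rule has a real match (src, dst,
 * srv or interface is not "any"), the match is evaluated once in a jump
 * rule into a fresh temporary chain and the option rules are emitted
 * inside that chain with any/any/any matches; this keeps limit /
 * connlimit / hashlimit (cleared on the sub-rules) and state checks
 * (sub-rules forced stateless) from being applied several times.
 *
 * The original rule object is re-used for the ROUTE part (or for the
 * terminating action when the action is not Continue); if nothing is
 * left for it, it is dropped.  Rules outside the mangle table, or with
 * none of the three options set, pass through untouched.
 */
bool PolicyCompiler_ipt::splitIfTagClassifyOrRoute::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    FWOptions *ruleopt = rule->getOptionsObject();

    int number_of_options = 0;
    if (rule->getTagging()) number_of_options++;
    if (rule->getClassification()) number_of_options++;
    if (rule->getRouting()) number_of_options++;

    // Nothing to split: not compiling mangle, or no mangle option set.
    if (ipt_comp->my_table != "mangle" || number_of_options == 0)
    {
        tmp_queue.push_back(rule);
        return true;
    }

    PolicyRule *r;
    string this_chain = rule->getStr("ipt_chain");
    string new_chain = this_chain;

    const bool has_match = ! rule->getSrc()->isAny() ||
                           ! rule->getDst()->isAny() ||
                           ! rule->getSrv()->isAny() ||
                           ! rule->getItf()->isAny();

    if (has_match && number_of_options > 1)
    {
        // Jump rule: carries the full match, no options, no logging.
        new_chain = ipt_comp->getNewTmpChainName(rule);
        r = compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix", "ntt");
        r->setStr("ipt_target", new_chain);
        r->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        r->setLogging(false);
        r->setAction(PolicyRule::Continue);
        tmp_queue.push_back(r);

        // The remaining sub-rules live in new_chain and match everything;
        // rate limits and state tracking were already applied by the jump.
        rule->getSrc()->reset();
        rule->getDst()->reset();
        rule->getSrv()->reset();
        rule->getItf()->reset();
        ruleopt->setInt("limit_value", -1);
        ruleopt->setInt("connlimit_value", -1);
        ruleopt->setInt("hashlimit_value", -1);
        ruleopt->setBool("stateless", true);
        rule->setLogging(false);
    }

    if (rule->getTagging())
    {
        // Tag copy keeps the tagging flag; the original loses it.
        r = compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setClassification(false);
        r->setRouting(false);
        rule->setTagging(false);
        r->setStr("ipt_chain", new_chain);
        r->setStr("upstream_rule_chain", this_chain);
        r->setAction(PolicyRule::Continue);
        tmp_queue.push_back(r);
    }

    if (rule->getClassification())
    {
        // Classify copy keeps the classification flag; the original loses it.
        r = compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        rule->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        r->setStr("ipt_chain", new_chain);
        r->setStr("upstream_rule_chain", this_chain);
        r->setAction(PolicyRule::Continue);
        tmp_queue.push_back(r);
    }

    /*
     * Target ROUTE is terminating unless parameter "--continue" is
     * present.  We add "--continue" if action is Continue; otherwise
     * the rule does not need to be split and we carry the terminating
     * action (e.g. Accept) further on the original rule.
     */
    if (rule->getRouting() || rule->getAction() != PolicyRule::Continue)
    {
        rule->setClassification(false);
        rule->setTagging(false);
        rule->setStr("ipt_chain", new_chain);
        rule->setStr("upstream_rule_chain", this_chain);
        tmp_queue.push_back(rule);
    }

    return true;
}

/**
 * Splits a rule so that each elementary rule references exactly one
 * interface.  A rule whose interface element is "any" (or, for whatever
 * reason, empty) is passed through as is; otherwise one copy per
 * referenced interface is produced, tagged with subrule_suffix "i1".
 */
bool PolicyCompiler_ipt::InterfacePolicyRulesWithOptimization::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    RuleElementItf *itfre = rule->getItf();
    assert(itfre);

    // Sometimes the itf rule element appears broken (empty, not even
    // "any"); treat it the same as "any".
    if (itfre->isAny() || itfre->size() == 0)
    {
        tmp_queue.push_back(rule);
        return true;
    }

    for (FWObject::iterator i = itfre->begin(); i != itfre->end(); ++i)
    {
        FWObject *o = FWObjectReference::getObject(*i);
        PolicyRule *r = compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix", "i1");
        RuleElementItf *nitfre = r->getItf();
        nitfre->reset();
        nitfre->addRef(o);
        tmp_queue.push_back(r);
    }
    return true;
}

/**
 * Deprecated beginning with 4.3.0. To be removed in future versions.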
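 *
 * Places a rule with option Route into PREROUTING (incoming interface
 * given) or POSTROUTING (outgoing interface or gateway given).  With
 * "ipt_tee" the rule is duplicated into both chains.
 *
 * Fix: the tee branch used to call setChain() on the source rule after
 * the copy had already been taken, so neither copy ended up in the
 * chain it was meant for; the chain is now set on each copy.
 */
bool PolicyCompiler_ipt::Route::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    FWOptions *ruleopt = rule->getOptionsObject();

    if (rule->getRouting())
    {
        string iif = ruleopt->getStr("ipt_iif");
        string oif = ruleopt->getStr("ipt_oif");
        string gw = ruleopt->getStr("ipt_gw");

        if (!iif.empty())
            ipt_comp->setChain(rule, "PREROUTING");

        // Outgoing interface or gateway: POSTROUTING wins if both are set.
        if (!oif.empty() || !gw.empty())
            ipt_comp->setChain(rule, "POSTROUTING");

        if (ruleopt->getBool("ipt_tee"))
        {
            PolicyRule *pre = compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(pre);
            pre->duplicate(rule);
            ipt_comp->setChain(pre, "PREROUTING");
            tmp_queue.push_back(pre);

            PolicyRule *post = compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(post);
            post->duplicate(rule);
            ipt_comp->setChain(post, "POSTROUTING");
            tmp_queue.push_back(post);

            // The original rule is replaced by its two copies.
            return true;
        }
    }

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Drops, while compiling the filter table, rules that produce code only
 * in the mangle table:
 *
 *  - every rule of a "mangle only" rule set;
 *  - rules with action Continue, no logging, and at least one of
 *    Tag / Classify / Route (they are fully expressed in mangle);
 *  - branching rules with "branch in mangle table" set whose target
 *    rule set is itself mangle-only (see #1415).
 */
bool PolicyCompiler_ipt::dropMangleTableRules::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);

    FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject();
    if (rulesetopts->getBool("mangle_only_rule_set")) return true;

    if (rule->getAction() == PolicyRule::Continue &&
        ! rule->getLogging() &&
        (rule->getTagging() || rule->getRouting() || rule->getClassification()))
        return true;

    FWOptions *ruleopt = rule->getOptionsObject();
    if (rule->getAction() == PolicyRule::Branch &&
        ruleopt->getBool("ipt_branch_in_mangle"))
    {
        RuleSet *ruleset = rule->getBranch();
        assert(ruleset != NULL);
        rulesetopts = ruleset->getOptionsObject();
        if (rulesetopts->getBool("mangle_only_rule_set")) return true;
    }

    tmp_queue.push_back(rule);
    return true;
}

/*
 * Only call this rule processor if compiling for the mangle table.
 *
 * REJECT is a filter-table target; a rule with action Reject that ends
 * up in mangle is a compile error, not something to emit.
 */
bool PolicyCompiler_ipt::checkActionInMangleTable::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    if (rule->getAction() == PolicyRule::Reject)
    {
        compiler->abort(
            rule,
            "Action Reject is not allowed in mangle table");
        return true;
    }

    tmp_queue.push_back(rule);
    return true;
}

/*
 * Rules with action Tag can only be in PREROUTING or OUTPUT chains,
 * rules with action Classify always go into POSTROUTING. This means
 * they can't conflict. But option Route can yield rules in PREROUTING
 * or POSTROUTING and can conflict. We'll flag combinations of Tag +
 * Route and Classify + Route if action is not Continue.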
 */
bool PolicyCompiler_ipt::checkForUnsupportedCombinationsInMangle::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    // Route + (Tag or Classify) with a terminating action cannot be
    // expressed as a consistent set of mangle rules: abort the compile.
    if (ipt_comp->my_table=="mangle" &&
        rule->getAction() != PolicyRule::Continue &&
        rule->getRouting() &&
        (rule->getTagging() || rule->getClassification()))
    {
        QString err("Can not process option Route in combination with "
                    "options Tag or Classify and action %1");
        compiler->abort(
            rule,
            err.arg(rule->getActionAsString().c_str()).toStdString());
        return true;
    }

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Option Route is no longer supported: any rule that still has it set
 * aborts compilation with a hint to use a Custom Action instead.
 */
bool PolicyCompiler_ipt::deprecateOptionRoute::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if (rule->getRouting())
    {
        compiler->abort(
            rule,
            "Option Route is deprecated. You can use Custom Action "
            "to generate iptables command using '-j ROUTE' target "
            "if it is supported by your firewall OS");
        return true;
    }

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Firewall option "log_all" forces logging on for every rule.
 */
bool PolicyCompiler_ipt::Logging1::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if ( compiler->getCachedFwOpt()->getBool("log_all") ) rule->setLogging(true);

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Remembers the rule's action and Tag/Classify/Route flags in rule
 * attributes before later processors rewrite them.  Downstream code
 * (e.g. setChainPreroutingForTag) reads the
 * "originated_from_a_rule_with_*" flags to recognise what the sub-rule
 * was derived from.
 */
bool PolicyCompiler_ipt::storeAction::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    rule->setStr("stored_action", rule->getActionAsString() );
    rule->setBool("originated_from_a_rule_with_tagging", rule->getTagging());
    rule->setBool("originated_from_a_rule_with_classification", rule->getClassification());
    rule->setBool("originated_from_a_rule_with_routing", rule->getRouting());

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Splits a rule that has logging turned on into a jump into a new
 * chain plus, inside that chain, a LOG rule followed by the rule that
 * carries the original action.
 *
 * Rate limits (limit / connlimit / hashlimit) are stripped from the
 * two sub-rules and they are forced stateless: the match, the limits
 * and the state check were already applied once by the jump rule, so
 * applying them again in the sub-chain would double-count.
 */
bool PolicyCompiler_ipt::Logging2::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    RuleElementItf *itf_re = rule->getItf();
    assert(itf_re!=NULL);

    RuleElementSrc *nsrc;
    RuleElementDst *ndst;
    RuleElementSrv *nsrv;
    RuleElementInterval *nint;
    RuleElementItf *nitfre;

    if (rule->getLogging())
    {
        /*
         * see #2235 Rules with action Continue translate into iptables
         * commands without "-j TARGET" parameter, so we dont need to
         * create new chain for logging.  (-j LOG is itself
         * non-terminating, so the rule keeps "continuing".)
         */
        if (rule->getAction() == PolicyRule::Continue &&
            ( ! rule->getTagging() &&
              ! rule->getClassification() &&
              ! rule->getRouting()))
        {
            rule->setStr("ipt_target", "LOG");
            tmp_queue.push_back(rule);
            return true;
        }

        /*
         * chain could have been assigned if we split this rule before
         */
        string this_chain = rule->getStr("ipt_chain");
        string new_chain = ipt_comp->getNewChainName(rule, NULL); //rule_iface);

        PolicyRule *r;
        FWOptions *ruleopt;

        /*
         * if we are in the user-defined chain and src=dst=srv=int=any,
         * then there is no need to create a sub-chain. Otherwise,
         * create new chain and handle logging and actual original
         * target there.
         *
         * NOTE(review): the condition requires getWhen()!=NULL, so a
         * rule without a time-interval element always gets a new chain
         * even when all other elements are "any" -- confirm intended.
         */
        bool need_new_chain = true;
        if (this_chain==new_chain &&
            rule->getSrc()->isAny() &&
            rule->getDst()->isAny() &&
            rule->getSrv()->isAny() &&
            (rule->getWhen())!=NULL && rule->getWhen()->isAny())
        {
            need_new_chain = false;
        }

        /*
         * add copy of original rule, but turn off logging and set
         * target chain to new_chain.
         */
        if (need_new_chain)
        {
            r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            ruleopt =r->getOptionsObject();
            r->setStr("ipt_target",new_chain);
            r->setClassification(false);
            r->setRouting(false);
            r->setTagging(false);
            r->setLogging(false);
            r->setAction(PolicyRule::Continue); // ###
            // ruleopt->setInt("limit_value",-1);
            tmp_queue.push_back(r);
        }

        /*
         * need to add two rules with the same rule_label,
         * direction=both, no interface, no src, no srv and no dst. One
         * of these new rules should have target = LOG and another
         * should inherit action and therefore target from original
         * rule. Both new rules go into chain new_chain.  In both rules
         * turn off stateful inspection.
         *
         * keep interface information in the first one to be able to
         * process %I in log prefix
         *
         * NOTE(review): despite the sentence above, nitfre->reset()
         * below clears the interface element of the LOG rule; confirm
         * that %I in the log prefix is still resolved from elsewhere.
         */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        ruleopt =r->getOptionsObject();

        nsrc=r->getSrc();   nsrc->reset();
        ndst=r->getDst();   ndst->reset();
        nsrv=r->getSrv();   nsrv->reset();
        nitfre=r->getItf(); nitfre->reset();
        if ( (nint=r->getWhen())!=NULL ) nint->reset();

        r->setStr("ipt_chain",new_chain);
        r->setStr("upstream_rule_chain",this_chain);
        ipt_comp->registerChain(new_chain);
        ipt_comp->insertUpstreamChain(this_chain, new_chain);

        r->setStr("ipt_target","LOG");
        r->setAction(PolicyRule::Continue); // ###
        r->setDirection( PolicyRule::Both );
        r->setLogging(false);
        r->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        ruleopt->setBool("stateless",true);
        r->setBool("force_state_check",false);
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("connlimit_value",-1);
        ruleopt->setInt("hashlimit_value",-1);
        tmp_queue.push_back(r);

        // Second sub-rule: inherits the original action / target.
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        ruleopt =r->getOptionsObject();

        nsrc=r->getSrc();   nsrc->reset();
        ndst=r->getDst();   ndst->reset();
        if ( (nint=r->getWhen())!=NULL ) nint->reset();
        nitfre=r->getItf(); nitfre->reset();

        /*
         * special case: need to preserve information about service
         * protocol in case action_on_reject is TCP RST
         */
        nsrv=r->getSrv();
        Service *srv= compiler->getFirstSrv(r);
        if (TCPService::isA(srv))
        {
            nsrv->clearChildren();
            nsrv->addRef(compiler->dbcopy->findInIndex(
                             FWObjectDatabase::getIntId(ANY_TCP_OBJ_ID)));
        } else
        {
            nsrv->reset();
        }

        r->setStr("ipt_chain",new_chain);
        r->setStr("upstream_rule_chain",this_chain);
        ipt_comp->registerChain(new_chain);
        ipt_comp->insertUpstreamChain(this_chain, new_chain);

        r->setStr(".iface", "nil"); //r->setInterfaceStr("nil");
        r->setDirection( PolicyRule::Both );
        r->setLogging(false);
        ruleopt->setBool("stateless",true);
        r->setBool("force_state_check",false);
        r->setBool("final",true);
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("connlimit_value",-1);
        ruleopt->setInt("hashlimit_value",-1);
        tmp_queue.push_back(r);

    } else
        tmp_queue.push_back(rule);

    return true;
}

/**
 * Debug helper: "id=... name=... type=..." for the first object
 * referenced by a rule element, or "" for an empty element.
 */
string PolicyCompiler_ipt::printRuleElements::printRE(RuleElement *re)
{
    ostringstream str;
    if (re->size() == 0) return "";
    FWObject *obj = FWReference::cast(re->front())->getPointer();
    str << "id=" << obj->getId()
        << " name=" << obj->getName()
        << " type=" << obj->getTypeName();
    return str.str();
}

/**
 * Debug helper: dumps src/dst/srv of every rule to stderr and passes
 * the rule through unchanged.
 */
bool PolicyCompiler_ipt::printRuleElements::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    RuleElementSrc *srcrel = rule->getSrc();
    RuleElementDst *dstrel = rule->getDst();
    RuleElementSrv *srvrel = rule->getSrv();

    cerr << "rule " << rule->getLabel()
         << " src: " << printRE(srcrel)
         << " dst: " << printRE(dstrel)
         << " srv: " << printRE(srvrel)
         << endl;

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Decides whether a negated rule element holding a single object can
 * be emitted as an inline "!" match (flag "single_object_negation")
 * instead of being expanded into a temporary chain by the
 * Src/Dst/SrvNegation processors.  Only objects that iptables can
 * negate in one match qualify: a run-time AddressTable when ipset is in
 * use, an address that resolves to exactly one IP and is not a complex
 * match against the firewall itself, or a TagService / UserService.
 */
void PolicyCompiler_ipt::SingleRENegation::processSingleObjectNegationInRE(
    FWObject *obj, RuleElement *rel)
{
    PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);

    // We call singleSrcNegation before we replace AddressTable
    // objects with MultiAddressRunTime objects
    if (AddressTable::cast(obj) &&
        AddressTable::cast(obj)->isRunTime() &&
        ipt_comp->using_ipset)
    {
        rel->setNeg(false);
        rel->setBool("single_object_negation", true);
        return;
    }

    Address *src = Address::cast(obj);
    // note: src can be NULL if object in this rule element is a group
    // or MultiAddress
    if (src!=NULL &&
        src->countInetAddresses(true)==1 &&
        !compiler->complexMatch(src, compiler->fw))
    {
        rel->setNeg(false);
        rel->setBool("single_object_negation", true);
        return;
    }

    Service *srv = Service::cast(obj);
    // see comment in compile() where this rule processor is used for
    // why only some services can be processed here.
    if (TagService::isA(srv) || UserService::isA(srv))
    {
        /* A B !C ACTION */
        rel->setNeg(false);
        rel->setBool("single_object_negation", true);
    }
}

/**
 * Applies processSingleObjectNegationInRE() to the rule element of
 * type type_name when it is negated and holds exactly one object.
 *
 * NOTE(review): rel is dereferenced without a NULL check; this assumes
 * every rule has an element of type_name -- confirm.
 */
bool PolicyCompiler_ipt::SingleRENegation::processNext()
{
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    RuleElement *rel = RuleElement::cast(rule->getFirstByType(type_name));

    /* ! A B C ACTION */
    if (rel->getNeg() && rel->size()==1)
    {
        processSingleObjectNegationInRE(FWReference::getObject(rel->front()), rel);
    }

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Expands negation in Src into three rules:
 *
 *   any      B   C   D   -j TMP_CHAIN     (jump, full limits apply here)
 *   TMP:  A  any any any -j RETURN        (the negated object is excluded)
 *   TMP:  any any any any ACTION          (everything else gets ACTION)
 *
 * In shadowing_mode the dst/srv/itf/when elements of the RETURN and
 * ACTION rules are NOT reset (presumably so rule-shadowing analysis
 * sees the complete match set -- confirm).  Limits are cleared and the
 * sub-rules made stateless because the jump rule already applied them.
 */
bool PolicyCompiler_ipt::SrcNegation::processNext()
{
    PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    FWOptions *ruleopt =rule->getOptionsObject();
    // Propagated to the jump rule so "firewall is part of any" is
    // evaluated there, where the real match lives.
    string afpa = ruleopt->getStr("firewall_is_part_of_any_and_networks");

    RuleElementSrc *srcrel=rule->getSrc();

    /*   ! A B C D ACTION */
    if (srcrel->getNeg())
    {
        PolicyRule *r;
        RuleElementSrc *nsrc;
        RuleElementDst *ndst;
        RuleElementSrv *nsrv;
        RuleElementInterval *nint;
        RuleElementItf *nitf;
        FWOptions *ruleopt;

        /*chain could have been assigned if we split this rule before */
        string this_chain = rule->getStr("ipt_chain");
        string new_chain = ipt_comp->getNewTmpChainName(rule);

        srcrel->setNeg(false);
        rule->setBool("upstream_rule_neg",true);

        /* any B C D TMP_CHAIN */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","1");
        nsrc=r->getSrc(); nsrc->reset();
        r->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        r->setLogging(false);
        r->setStr("ipt_target",new_chain);
        ruleopt =r->getOptionsObject();
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("connlimit_value",-1);
        ruleopt->setInt("hashlimit_value",-1);
        ruleopt->setStr("firewall_is_part_of_any_and_networks", afpa);
        tmp_queue.push_back(r);

        /* TMP_CHAIN A any any any RETURN */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","2");
        if (!shadowing_mode)
        {
            ndst=r->getDst(); ndst->reset();
            nsrv=r->getSrv(); nsrv->reset();
            nitf=r->getItf(); nitf->reset();
            if ( (nint=r->getWhen())!=NULL ) nint->reset();
        }
        r->setAction( PolicyRule::Return );
        r->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        r->setLogging(false);
        r->setStr("ipt_chain",new_chain);
        r->setStr("ipt_target","");
        r->setStr("upstream_rule_chain",this_chain);
        ipt_comp->registerChain(new_chain);
        ipt_comp->insertUpstreamChain(this_chain, new_chain);
        ruleopt =r->getOptionsObject();
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("connlimit_value",-1);
        ruleopt->setInt("hashlimit_value",-1);
        ruleopt->setBool("stateless",true); // ###
        tmp_queue.push_back(r);

        /* TMP_CHAIN any any any any ACTION */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","3");
        nsrc=r->getSrc(); nsrc->reset();
        if (!shadowing_mode)
        {
            ndst = r->getDst(); ndst->reset();
            nitf = r->getItf(); nitf->reset();
            if ( (nint=r->getWhen())!=NULL ) nint->reset();

            /*
             * special case: need to preserve information about service
             * protocol in case action_on_reject is TCP RST
             */
            nsrv=r->getSrv();
            Service *srv= compiler->getFirstSrv(r);
            if (TCPService::isA(srv))
            {
                nsrv->clearChildren();
                nsrv->addRef(compiler->dbcopy->findInIndex(
                                 FWObjectDatabase::getIntId(ANY_TCP_OBJ_ID)));
            } else
            {
                nsrv->reset();
            }
        }
        r->setStr("ipt_chain",new_chain);
        r->setStr("upstream_rule_chain",this_chain);
        ipt_comp->registerChain(new_chain);
        ipt_comp->insertUpstreamChain(this_chain, new_chain);
        if ( ! rule->getStr("ipt_target").empty() )
            r->setStr("ipt_target",rule->getStr("ipt_target"));
        // r->setInterfaceStr("nil");
        r->setBool("final",true);
        ruleopt =r->getOptionsObject();
        ruleopt->setBool("stateless",true); // ###
        tmp_queue.push_back(r);

    } else
        tmp_queue.push_back(rule);

    return true;
}

/**
 * Expands negation in Dst; mirrors SrcNegation with the roles of the
 * src and dst elements swapped:
 *
 *   A   any C   D   -j TMP_CHAIN
 *   TMP: any B  any any -j RETURN
 *   TMP: any any any any ACTION
 */
bool PolicyCompiler_ipt::DstNegation::processNext()
{
    PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    FWOptions *ruleopt =rule->getOptionsObject();
    string afpa = ruleopt->getStr("firewall_is_part_of_any_and_networks");

    RuleElementDst *dstrel=rule->getDst();

    /*   A ! B C D ACTION */
    if (dstrel->getNeg())
    {
        PolicyRule *r;
        RuleElementSrc *nsrc;
        RuleElementDst *ndst;
        RuleElementSrv *nsrv;
        RuleElementInterval *nint;
        RuleElementItf *nitf;
        FWOptions *ruleopt;

        /*chain could have been assigned if we split this rule before */
        string this_chain = rule->getStr("ipt_chain");
        string new_chain = ipt_comp->getNewTmpChainName(rule);

        dstrel->setNeg(false);
        rule->setBool("upstream_rule_neg",true);

        /* A any C D TMP_CHAIN */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","1");
        ndst=r->getDst(); ndst->reset();
        r->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        r->setLogging(false);
        r->setStr("ipt_target",new_chain);
        ruleopt =r->getOptionsObject();
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("connlimit_value",-1);
        ruleopt->setInt("hashlimit_value",-1);
        ruleopt->setStr("firewall_is_part_of_any_and_networks", afpa);
        tmp_queue.push_back(r);

        /* TMP_CHAIN any B any any RETURN */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","2");
        if (!shadowing_mode)
        {
            nsrc=r->getSrc(); nsrc->reset();
            nsrv=r->getSrv(); nsrv->reset();
            nitf=r->getItf(); nitf->reset();
            if ( (nint=r->getWhen())!=NULL ) nint->reset();
        }
        r->setAction( PolicyRule::Return );
        r->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        r->setLogging(false);
        r->setStr("ipt_chain",new_chain);
        r->setStr("ipt_target","");
        r->setStr("upstream_rule_chain",this_chain);
        ipt_comp->registerChain(new_chain);
        ipt_comp->insertUpstreamChain(this_chain, new_chain);
        ruleopt =r->getOptionsObject();
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("connlimit_value",-1);
        ruleopt->setInt("hashlimit_value",-1);
        ruleopt->setBool("stateless",true); // ###
        // r->setInterfaceStr("nil");
        tmp_queue.push_back(r);

        /* TMP_CHAIN any any any any ACTION */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","3");
        ndst=r->getDst(); ndst->reset();
        if (!shadowing_mode)
        {
            nsrc=r->getSrc(); nsrc->reset();
            nitf=r->getItf(); nitf->reset();
            if ( (nint=r->getWhen())!=NULL ) nint->reset();

            /*
             * special case: need to preserve information about service
             * protocol in case action_on_reject is TCP RST
             */
            nsrv=r->getSrv();
            Service *srv= compiler->getFirstSrv(r);
            if (TCPService::isA(srv))
            {
                nsrv->clearChildren();
                nsrv->addRef(compiler->dbcopy->findInIndex(
                                 FWObjectDatabase::getIntId(ANY_TCP_OBJ_ID)));
            } else
            {
                nsrv->reset();
            }
        }
        r->setStr("ipt_chain",new_chain);
        r->setStr("ipt_target","");
        r->setStr("upstream_rule_chain",this_chain);
        ipt_comp->registerChain(new_chain);
        ipt_comp->insertUpstreamChain(this_chain, new_chain);
        if ( ! rule->getStr("ipt_target").empty() )
            r->setStr("ipt_target",rule->getStr("ipt_target"));
        // r->setInterfaceStr("nil");
        r->setBool("final",true);
        ruleopt =r->getOptionsObject();
        ruleopt->setBool("stateless",true); // ###
        tmp_queue.push_back(r);

    } else
        tmp_queue.push_back(rule);

    return true;
}

/**
 * Expands negation in Srv:
 *
 *   A   B   any D   -j TMP_CHAIN
 *   TMP: any any C  any -j RETURN
 *   TMP: any any any any ACTION
 *
 * NOTE(review): unlike SrcNegation/DstNegation/TimeNegation, this
 * processor sets "upstream_rule_neg" on the ACTION sub-rule rather than
 * on the original rule, and does not copy
 * "firewall_is_part_of_any_and_networks" onto the jump rule -- confirm
 * both differences are intended.
 */
bool PolicyCompiler_ipt::SrvNegation::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    RuleElementSrv *srvrel=rule->getSrv();

    /*   A B !C D ACTION */
    if (srvrel->getNeg())
    {
        PolicyRule *r;
        RuleElementSrc *nsrc;
        RuleElementDst *ndst;
        RuleElementSrv *nsrv;
        RuleElementInterval *nint;
        RuleElementItf *nitf;
        FWOptions *ruleopt;

        /*chain could have been assigned if we split this rule before */
        string this_chain = rule->getStr("ipt_chain");
        string new_chain = ipt_comp->getNewTmpChainName(rule);

        srvrel->setNeg(false);

        /* A B any D TMP_CHAIN */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","1");
        nsrv=r->getSrv(); nsrv->reset();
        r->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        r->setLogging(false);
        r->setStr("ipt_target",new_chain);
        ruleopt =r->getOptionsObject();
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("connlimit_value",-1);
        ruleopt->setInt("hashlimit_value",-1);
        tmp_queue.push_back(r);

        /* TMP_CHAIN any any C any RETURN */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","2");
        if (!shadowing_mode)
        {
            nsrc=r->getSrc(); nsrc->reset();
            ndst=r->getDst(); ndst->reset();
            nitf=r->getItf(); nitf->reset();
            if ( (nint=r->getWhen())!=NULL ) nint->reset();
        }
        r->setAction( PolicyRule::Return );
        r->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        r->setLogging(false);
        r->setStr("ipt_chain",new_chain);
        r->setStr("ipt_target","");
        r->setStr("upstream_rule_chain",this_chain);
        ipt_comp->registerChain(new_chain);
        ipt_comp->insertUpstreamChain(this_chain, new_chain);
        ruleopt =r->getOptionsObject();
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("connlimit_value",-1);
        ruleopt->setInt("hashlimit_value",-1);
        ruleopt->setBool("stateless",true); // ###
        // r->setInterfaceStr("nil");
        tmp_queue.push_back(r);

        /* TMP_CHAIN any any any any ACTION */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","3");
        nsrv=r->getSrv(); nsrv->reset();
        if (!shadowing_mode)
        {
            nsrc=r->getSrc(); nsrc->reset();
            ndst=r->getDst(); ndst->reset();
            nitf=r->getItf(); nitf->reset();
            if ( (nint=r->getWhen())!=NULL ) nint->reset();
        }
        r->setStr("ipt_chain",new_chain);
        r->setStr("upstream_rule_chain",this_chain);
        ipt_comp->registerChain(new_chain);
        ipt_comp->insertUpstreamChain(this_chain, new_chain);
        r->setBool("upstream_rule_neg",true);
        if ( ! rule->getStr("ipt_target").empty() )
            r->setStr("ipt_target",rule->getStr("ipt_target"));
        // r->setInterfaceStr("nil");
        r->setBool("final",true);
        ruleopt =r->getOptionsObject();
        ruleopt->setBool("stateless",true); // ###
        tmp_queue.push_back(r);

    } else
        tmp_queue.push_back(rule);

    return true;
}

/**
 * Expands negation in the time interval element ("When"):
 *
 *   A   B   C   any -j TMP_CHAIN
 *   TMP: any any any D  -j RETURN
 *   TMP: any any any any ACTION
 *
 * A rule with no interval element at all (getWhen()==NULL) passes
 * through untouched.
 */
bool PolicyCompiler_ipt::TimeNegation::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    FWOptions *ruleopt =rule->getOptionsObject();
    string afpa = ruleopt->getStr("firewall_is_part_of_any_and_networks");

    RuleElementInterval *intrel=rule->getWhen();

    /*   A B C !D ACTION */
    if (intrel!=NULL && intrel->getNeg())
    {
        PolicyRule *r;
        RuleElementSrc *nsrc;
        RuleElementDst *ndst;
        RuleElementSrv *nsrv;
        RuleElementInterval *nint;
        RuleElementItf *nitf;
        FWOptions *ruleopt;

        /*chain could have been assigned if we split this rule before */
        string this_chain = rule->getStr("ipt_chain");
        string new_chain = ipt_comp->getNewTmpChainName(rule);

        intrel->setNeg(false);
        rule->setBool("upstream_rule_neg",true);

        /* A B C any TMP_CHAIN */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","1");
        if ( (nint=r->getWhen())!=NULL ) nint->reset();
        r->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        r->setLogging(false);
        r->setStr("ipt_target",new_chain);
        ruleopt =r->getOptionsObject();
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("connlimit_value",-1);
        ruleopt->setInt("hashlimit_value",-1);
        ruleopt->setStr("firewall_is_part_of_any_and_networks", afpa);
        tmp_queue.push_back(r);

        /* TMP_CHAIN any any any D RETURN */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","2");
        if (!shadowing_mode)
        {
            nsrc=r->getSrc(); nsrc->reset();
            ndst=r->getDst(); ndst->reset();
            nsrv=r->getSrv(); nsrv->reset();
            nitf=r->getItf(); nitf->reset();
        }
        r->setAction( PolicyRule::Return );
        r->setClassification(false);
        r->setRouting(false);
        r->setTagging(false);
        r->setLogging(false);
        r->setStr("ipt_chain",new_chain);
        r->setStr("ipt_target","");
        r->setStr("upstream_rule_chain",this_chain);
        ipt_comp->registerChain(new_chain);
        ipt_comp->insertUpstreamChain(this_chain, new_chain);
        ruleopt =r->getOptionsObject();
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("limit_value",-1);
        ruleopt->setInt("connlimit_value",-1);
        ruleopt->setInt("hashlimit_value",-1);
        ruleopt->setBool("stateless",true); // ###
        // r->setInterfaceStr("nil");
        tmp_queue.push_back(r);

        /* TMP_CHAIN any any any any ACTION */
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setStr("subrule_suffix","3");
        if ( (nint=r->getWhen())!=NULL ) nint->reset();
        if (!shadowing_mode)
        {
            nsrc=r->getSrc(); nsrc->reset();
            ndst=r->getDst(); ndst->reset();
            nsrv=r->getSrv(); nsrv->reset();
            nitf=r->getItf(); nitf->reset();

            /*
             * special case: need to preserve information about service
             * protocol in case action_on_reject is TCP RST
             *
             * NOTE(review): nsrv->reset() has already run a few lines
             * above, so getFirstSrv(r) here sees "any" rather than the
             * original service and the TCPService branch below cannot
             * trigger.  SrcNegation/DstNegation reset srv only in the
             * else branch; a Reject with TCP RST on a time-negated rule
             * would lose its protocol here -- confirm and align.
             */
            nsrv=r->getSrv();
            Service *srv= compiler->getFirstSrv(r);
            if (TCPService::isA(srv))
            {
                nsrv->clearChildren();
                nsrv->addRef(compiler->dbcopy->findInIndex(
                                 FWObjectDatabase::getIntId(ANY_TCP_OBJ_ID)));
            } else
            {
                nsrv->reset();
            }
        }
        r->setStr("ipt_chain",new_chain);
        r->setStr("upstream_rule_chain",this_chain);
        ipt_comp->registerChain(new_chain);
        ipt_comp->insertUpstreamChain(this_chain, new_chain);
        if ( ! rule->getStr("ipt_target").empty() )
            r->setStr("ipt_target",rule->getStr("ipt_target"));
        // r->setInterfaceStr("nil");
        r->setBool("final",true);
        ruleopt =r->getOptionsObject();
        ruleopt->setBool("stateless",true); // ###
        tmp_queue.push_back(r);

    } else
        tmp_queue.push_back(rule);

    return true;
}

/**
 * Normalises interface/direction: an Undefined direction becomes Both;
 * "any" interface with direction Both is marked ".iface"="nil" (no -i /
 * -o at all), while "any" interface with Inbound or Outbound is bound
 * to the wildcard interface "*".  The rule is queued first and then
 * modified in place (it is held by pointer).
 */
bool PolicyCompiler_ipt::InterfaceAndDirection::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    tmp_queue.push_back(rule);

    RuleElementItf *itfre = rule->getItf();
    assert(itfre);

    if (rule->getDirection()==PolicyRule::Undefined)
        rule->setDirection( PolicyRule::Both );

    if (itfre->isAny() && rule->getDirection()==PolicyRule::Both)
    {
        rule->setStr(".iface", "nil"); //rule->setInterfaceStr("nil");
        return true;
    }

    if (itfre->isAny() &&
        ( rule->getDirection()==PolicyRule::Inbound ||
          rule->getDirection()==PolicyRule::Outbound ))
    {
        itfre->addRef(ipt_comp->regular_interfaces["*"]); //rule->setInterfaceStr("*");
        return true;
    }

    return true;
}

bool PolicyCompiler_ipt::setChainPreroutingForTag::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    /*
     * About setting chain for rules with action Tag
     *
     * We tag in chains OUTPUT and PREROUTING. Here is why we need
     * OUTPUT: packets that originate on the firewall should be marked
     * in OUTPUT chain rather than in POSTROUTING because NAT
     * rerouting happens after OUTPUT hook but before POSTROUTING
     * hook. See diagram at
     * http://www.shorewall.net/NetfilterOverview.html
     *
     * Packet that traverse the firewall will be marked in PREROUTING
     * giving us a chance to match them later in other chains.
     *
     * Rule is split by the normal splitIfSrcAny rule processor if src
     * is any or chain is set to OUTPUT if src matches fw. In case
     * rule is split, the second copy won't have chain set when this
     * rule processor is called so it will place it in PREROUTING.
     *
     * This means this processor must be called after splitIfSrcAny but
     * before splitIfDstAny
     *
     * Chain is set by the rule processor setChainForMangle for all
     * rules in the table mangle if direction is set to Inbound or
     * Outbound
     */

    /*
     * set chain to PREROUTING if this is (was) a Tag rule, chain has
     * not been assigned yet, direction is Both or Inbound and there is
     * no interface.
     */
    RuleElementItf *itf_re = rule->getItf();
    assert(itf_re!=NULL);

    if ( (rule->getTagging() ||
          rule->getBool("originated_from_a_rule_with_tagging")) &&
         rule->getStr("ipt_chain").empty() &&
         (rule->getDirection()==PolicyRule::Both ||
          rule->getDirection()==PolicyRule::Inbound) &&
         itf_re->isAny())
    {
        ipt_comp->setChain(rule, "PREROUTING");
    }

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Counterpart of setChainPreroutingForTag for the Outbound side: a
 * (former) Tag rule with no chain yet, direction Both or Outbound and
 * no interface goes to POSTROUTING.
 */
bool PolicyCompiler_ipt::setChainPostroutingForTag::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    RuleElementItf *itf_re = rule->getItf();
    assert(itf_re!=NULL);

    if ( (rule->getTagging() ||
          rule->getBool("originated_from_a_rule_with_tagging")) &&
         rule->getStr("ipt_chain").empty() &&
         (rule->getDirection()==PolicyRule::Both ||
          rule->getDirection()==PolicyRule::Outbound) &&
         itf_re->isAny())
        ipt_comp->setChain(rule, "POSTROUTING");

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Records on the compiler that a (former) Tag rule with
 * "ipt_mark_connections" landed in chain OUTPUT
 * (have_connmark_in_output).  Presumably the generator uses this to
 * emit a CONNMARK restore in OUTPUT -- confirm against the printer.
 */
bool PolicyCompiler_ipt::checkForRestoreMarkInOutput::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    FWOptions *ruleopt = rule->getOptionsObject();

    if ( (rule->getTagging() ||
          rule->getBool("originated_from_a_rule_with_tagging")) &&
         ruleopt->getBool("ipt_mark_connections") &&
         rule->getStr("ipt_chain")=="OUTPUT")
        ipt_comp->have_connmark_in_output = true;

    tmp_queue.push_back(rule);
    return true;
}

/**
 * Assigns a chain to mangle-table rules that do not have one yet:
 * Inbound -> PREROUTING, Outbound -> POSTROUTING, and any non-Inbound
 * rule whose (non-any) source matches the firewall itself -> OUTPUT,
 * since locally generated packets never traverse PREROUTING/FORWARD.
 */
bool PolicyCompiler_ipt::setChainForMangle::processNext()
{
    PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if (ipt_comp->my_table=="mangle" && rule->getStr("ipt_chain").empty())
    {
        if (rule->getDirection()==PolicyRule::Inbound)
            ipt_comp->setChain(rule, "PREROUTING");

        if (rule->getDirection()==PolicyRule::Outbound)
            ipt_comp->setChain(rule, "POSTROUTING");

        /*
         * if direction is "Outbound", chain can never be INPUT, but could
         * be FORWARD
         */
        RuleElementSrc *srcrel = rule->getSrc();
        Address *src = compiler->getFirstSrc(rule);
        assert(src);

        if ( rule->getDirection()!=PolicyRule::Inbound &&
             !srcrel->isAny() &&
             compiler->complexMatch(src,compiler->fw,true,true))
        {
            ipt_comp->setChain(rule, "OUTPUT");
        }
    }

    tmp_queue.push_back(rule);
    return true;
}

/**
 * A Tag rule with "ipt_mark_connections" gets a companion rule right
 * after it with target CONNMARK --save-mark, so the packet mark is
 * copied onto the connection.  Also records have_connmark on the
 * compiler.
 */
bool PolicyCompiler_ipt::splitIfTagAndConnmark::processNext()
{
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    FWOptions *ruleopt = rule->getOptionsObject();

    if (rule->getTagging() && ruleopt->getBool("ipt_mark_connections"))
    {
        tmp_queue.push_back(rule);

        PolicyRule *r1 = compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r1);
        r1->duplicate(rule);
        r1->setStr("ipt_target", "CONNMARK");
        r1->setAction(PolicyRule::Continue); // ###
        r1->setClassification(false);
        r1->setRouting(false);
        r1->setTagging(false);
        r1->setLogging(false);
        ruleopt = r1->getOptionsObject();
        ruleopt->setStr("CONNMARK_arg", "--save-mark");
        tmp_queue.push_back(r1);

        ipt_comp->have_connmark = true;
    } else
        tmp_queue.push_back(rule);

    return true;
}

/**
 * A rule bound to a specific interface with direction Both is split
 * into an Inbound and an Outbound copy, except that no Inbound copy is
 * made for a POSTROUTING rule and no Outbound copy for a PREROUTING
 * rule (those directions have no meaning in those chains).  The
 * original rule object is replaced by the copies.
 */
bool PolicyCompiler_ipt::splitIfIfaceAndDirectionBoth::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    RuleElementItf *itfre=rule->getItf();
    assert(itfre);

    if ( !itfre->isAny() && rule->getDirection()==PolicyRule::Both)
    {
        PolicyRule *r;

        // If this rule has been assigned to chain POSTROUTING,
        // direction 'inbound' does not make sense for it.
        if (rule->getStr("ipt_chain") != "POSTROUTING")
        {
            r = compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            r->setDirection( PolicyRule::Inbound );
            tmp_queue.push_back(r);
        }

        // If this rule has been assigned to chain PREROUTING,
        // direction 'Outbound' does not make sense for it.
        if (rule->getStr("ipt_chain") != "PREROUTING")
        {
            r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            r->setDirection( PolicyRule::Outbound );
            tmp_queue.push_back(r);
        }
    } else
        tmp_queue.push_back(rule);

    return true;
}

/*
 * Check if ip address of the object passed as argument "addr" matches
 * broadcast address defined by an address/mask of one of the
 * interfaces of the firewall or is a broadcast or multicast address
 * itself, such as 255.255.255.255.
*/
bool PolicyCompiler_ipt::bridgingFw::checkForMatchingBroadcastAndMulticast(
    Address *addr)
{
    // NOTE(review): template arguments of dynamic_cast, list and std::map
    // are missing throughout this listing (e.g. "dynamic_cast(compiler)",
    // "list fwLikes"); they were presumably lost when the file was rendered.
    // Compare with the repository source before relying on the exact types.

    // addr can be interface, in which case it does not own ip address
    // and can not match broadcast or multicast
    if (!addr->hasInetAddress()) return false;

    const InetAddr *obj1_addr = addr->getAddressPtr();

    // An address that is broadcast or multicast by itself (such as
    // 255.255.255.255) matches regardless of the firewall's interfaces.
    if (!obj1_addr->isAny() &&
        (obj1_addr->isBroadcast() || obj1_addr->isMulticast()) ) return true;

    // Otherwise compare it with the network and broadcast addresses
    // derived from every IPv4 address of the firewall's regular
    // interfaces. Only IPv4::TYPENAME children are inspected here.
    FWObjectTypedChildIterator j= compiler->fw->findByType(Interface::TYPENAME);
    for ( ; j!=j.end(); ++j )
    {
        Interface *iface = Interface::cast(*j);
        if ( iface->isRegular() )
        {
            FWObjectTypedChildIterator k = iface->findByType(IPv4::TYPENAME);
            for ( ; k!=k.end(); ++k )
            {
                //const InetAddrMask *ipv4 = Address::cast(*k)->getAddressObjectInetAddrMask();

                // This local shadows the function parameter "addr"; the
                // argument's address was already captured in obj1_addr.
                Address *addr = Address::cast(*k);
                const InetAddr *ip_netm = addr->getNetmaskPtr();
                const InetAddr *ip_net_addr = addr->getNetworkAddressPtr();
                const InetAddr *ip_bcast_addr = addr->getBroadcastAddressPtr();

                /*
                 * bug #780345: if interface has netmask 255.255.255.255, its own
                 * address will be detected as broadcast. Of course interface address
                 * should not be created with netmask 255.255.255.255, but even if it
                 * is, we should not interpret its own address as a broadcast, so we
                 * should just skip it here. Typical case when this happens is the
                 * rule that uses firewall's interface in dst. If we compare an address
                 * found in dst against combination addr/netmask of the same
                 * interface, and the netmask is 255.255.255.255, then we get positive
                 * match because this routine interprets this address as a broadcast.
                 */
                if (ip_netm->isHostMask()) continue;

                /*
                 * commented out to fix bug #637694 - "bridge enbaled / management"
                 * Rule where firewall was in destination, and bridging option was on,
                 * yielded code in FORWARD chain when this line was uncommented.
                 *
                 *   if ( ipv4->getAddress()==obj1_addr ) return true;
                 */

                // Both the network address and the directed broadcast of
                // the interface's subnet count as "broadcast" here.
                if (*ip_net_addr == *obj1_addr) return true;
                if (*ip_bcast_addr == *obj1_addr) return true;
            }
        }
    }
    return false;
}

/*
 * call this after splitIfSrcMatchesFw and splitIfDstMatchesFw so that
 * we can count on firewall or broadcast/multicast being a single
 * object in src and dst.
 *
 * For rules already placed in chain INPUT whose dst is a broadcast or
 * multicast address (see checkForMatchingBroadcastAndMulticast), the
 * rule is either moved to FORWARD (when its interface is unnumbered
 * or a bridge port) or duplicated so that a copy lands in FORWARD as
 * well; the original rule is always kept.
 */
bool PolicyCompiler_ipt::bridgingFw::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    // Address *src=compiler->getFirstSrc(rule);
    Address *dst = compiler->getFirstDst(rule);

    if ( rule->getStr("ipt_chain")=="INPUT" )
    {
        if ( checkForMatchingBroadcastAndMulticast(dst) )
        {
            /* bug #1101910: "Samba problem with Bridged Firewall" need to split
             * rule to take care of broadcasts forwarded by the bridge, as well as
             * broadcasts that are accepted by the firewall itself. Need to do
             * this only if the rule is not associated with any bridging
             * interfaces */
            RuleElementItf *itfre = rule->getItf();
            assert(itfre);
            RuleElementItf *itf_re = rule->getItf();
            assert(itf_re!=NULL);

            // NOTE(review): front() is taken without an isAny() check; if
            // the interface element can still be empty at this point this
            // reads past the end of the element — confirm that an earlier
            // processor guarantees a non-empty interface here.
            Interface *rule_iface = Interface::cast(FWObjectReference::getObject(itf_re->front()));
            // Interface *rule_iface = Interface::cast(
            //     compiler->dbcopy->findInIndex(rule->getInterfaceId()));

            if (rule_iface!=NULL &&
                (rule_iface->isUnnumbered() || rule_iface->isBridgePort() ))
            {
                // bridge port / unnumbered interface: the rule can only
                // see forwarded traffic, so move it instead of copying
                ipt_comp->setChain(rule, "FORWARD");
            } else
            {
                // keep the INPUT rule and add a FORWARD copy
                PolicyRule *r= compiler->dbcopy->createPolicyRule();
                compiler->temp_ruleset->add(r);
                r->duplicate(rule);
                ipt_comp->setChain(r, "FORWARD");
                tmp_queue.push_back(r);
            }
        }
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * Split a rule with negated src so that the part of the negated set
 * that matches the firewall goes to chain OUTPUT (direction Outbound)
 * while the rest stays negated in the original rule, which is then
 * marked "no_output_chain". Rules that already have a chain are passed
 * through unchanged.
 */
bool PolicyCompiler_ipt::splitIfSrcNegAndFw::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if ( ! rule->getStr("ipt_chain").empty() )
    {
        tmp_queue.push_back(rule);
        return true;
    }

    RuleElementSrc *srcrel=rule->getSrc();
    RuleElementSrc *nsrc;
    // Address *src=compiler->getFirstSrc(rule);

    /* if there is negation in SRC, then we need to split the rule based on what
     * first rule generated as the result of processing negation would be:

     any B C TMP_CHAIN

     in this case SRC will become Any even if it is not in the original rule.
     That is, we should split if srcrel is 'any' OR if it has negation.

     To avoid extra complexity in the generated code, this processor does it
     only if src contains more than 1 object and one of these objects is
     firewall. This is the only case when we need to split before processing
     negation. All other "normal" cases are handled by splitIfSrcAny
     */

    list fwLikes;      // src members that match the firewall
    list notFwLikes;   // everything else in src

    if (rule->getDirection()!=PolicyRule::Inbound && srcrel->getNeg())
    {
        for (list::iterator i1=srcrel->begin(); i1!=srcrel->end(); ++i1)
        {
            FWObject *o = *i1;
            if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
            Address *a = Address::cast(o);
            if (a && compiler->complexMatch(a,compiler->fw)) fwLikes.push_back(o);
            else notFwLikes.push_back(o);
        }

        if (fwLikes.size() != 0)
        {
            // OUTPUT copy carrying only the firewall-like members
            PolicyRule *r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            ipt_comp->setChain(r,"OUTPUT");
            r->setDirection( PolicyRule::Outbound );
            nsrc=r->getSrc();
            nsrc->clearChildren();
            for (list::iterator m=fwLikes.begin(); m!=fwLikes.end(); ++m)
                nsrc->addRef(*m);
            tmp_queue.push_back(r);

            // rule->setStr("ipt_chain","FORWARD");
            // The original rule keeps the non-firewall members, negated
            // again. If every member matched the firewall, notFwLikes is
            // empty and src becomes 'any' with negation cleared.
            nsrc=rule->getSrc();
            nsrc->reset(); // resets negation flag
            for (list::iterator m=notFwLikes.begin(); m!=notFwLikes.end(); ++m)
                nsrc->addRef(*m);
            if (!nsrc->isAny()) nsrc->setNeg(true);

            FWOptions *ruleopt = rule->getOptionsObject();
            // so we do not put this rule in OUTPUT chain later
            ruleopt->setBool("no_output_chain",true);

            tmp_queue.push_back(rule);
            return true;
        }
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * Mirror image of splitIfSrcNegAndFw for a negated dst: the
 * firewall-like members go to chain INPUT (direction Inbound), the
 * rest stay negated in the original rule, which is marked
 * "no_input_chain".
 */
bool
PolicyCompiler_ipt::splitIfDstNegAndFw::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if ( ! rule->getStr("ipt_chain").empty() )
    {
        tmp_queue.push_back(rule);
        return true;
    }

    RuleElementDst *dstrel=rule->getDst();
    RuleElementDst *ndst;
    // Address *dst=compiler->getFirstDst(rule);

    /* if there is negation in DST, then we need to split the rule based on what
     * first rule generated as the result of processing negation would be:

     A any C TMP_CHAIN

     in this case DST will become Any even if it is not in the original rule.
     That is, we should split if dstrel is 'any' OR if it has negation.

     To avoid extra complexity in the generated code, this processor does it
     only if dst contains more than 1 object and one of these objects is
     firewall. This is the only case when we need to split before processing
     negation. All other "normal" cases are handled by splitIfDstAny
     */

    list fwLikes;      // dst members that match the firewall
    list notFwLikes;   // everything else in dst

    if (rule->getDirection()!=PolicyRule::Outbound && dstrel->getNeg())
    {
        for (list::iterator i1=dstrel->begin(); i1!=dstrel->end(); ++i1)
        {
            FWObject *o = *i1;
            if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
            Address *a = Address::cast(o);
            if (a && compiler->complexMatch(a,compiler->fw)) fwLikes.push_back(o);
            else notFwLikes.push_back(o);
        }

        if (fwLikes.size() != 0)
        {
            // INPUT copy carrying only the firewall-like members
            PolicyRule *r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            ipt_comp->setChain(r,"INPUT");
            r->setDirection( PolicyRule::Inbound );
            ndst=r->getDst();
            ndst->clearChildren();
            for (list::iterator m=fwLikes.begin(); m!=fwLikes.end(); ++m)
                ndst->addRef(*m);
            tmp_queue.push_back(r);

            // the second rule goes into FORWARD chain, but if source
            // is (or contains) firewall, we may also need OUTPUT chain
            // rule->setStr("ipt_chain","FORWARD");
            ndst=rule->getDst();
            ndst->reset(); // resets negation flag
            for (list::iterator m=notFwLikes.begin(); m!=notFwLikes.end(); ++m)
                ndst->addRef(*m);
            if (!ndst->isAny()) ndst->setNeg(true);

            FWOptions *ruleopt = rule->getOptionsObject();
            // so we do not put this rule in INPUT chain later
            ruleopt->setBool("no_input_chain",true);

            tmp_queue.push_back(rule);
            return true;
        }
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * When src is 'any' (or a single negated object that does not match
 * the firewall) and the rule is not inbound-only, add a copy in chain
 * OUTPUT so that traffic originated by the firewall itself is covered.
 * Nothing is added when the rule option
 * "firewall_is_part_of_any_and_networks" is 0, when the rule carries
 * "no_output_chain", or when it already has a chain — in those cases
 * 'any' in src does not produce an OUTPUT rule at all.
 */
bool PolicyCompiler_ipt::splitIfSrcAny::processNext()
{
    PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler);
    PolicyRule *rule = getNext(); if (rule==NULL) return false;
    FWOptions *ruleopt = rule->getOptionsObject();
    FWOptions *fwopt = compiler->getCachedFwOpt();

    /* commented to fix bug #1112470
     * if fw is considered part of any, we should place rule in INPUT/OUTPUT
     * chains even if it is a bridging fw since fw itself may send or receive
     * packets
     */
    if ( /* fwopt->getBool("bridging_fw") || */
        ruleopt->getInt("firewall_is_part_of_any_and_networks")==0 ||
        ruleopt->getBool("no_output_chain"))
    {
        tmp_queue.push_back(rule);
        return true;
    }

    /* See #2008. It appears "--physdev-out" is not allowed in OUTPUT
     * chain.
     */
    RuleElementItf *itfre = rule->getItf();
    assert(itfre);
    Interface *itf = compiler->getFirstItf(rule);
    if (fwopt->getBool("bridging_fw") && itf && itf->isBridgePort())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    if ( ! rule->getStr("ipt_chain").empty() )
    {
        tmp_queue.push_back(rule);
        return true;
    }

    RuleElementSrc *srcrel = rule->getSrc();
    Address *src = compiler->getFirstSrc(rule);

    // "single_object_negation" with a non-firewall object behaves like
    // 'any' here because the negation leaves the firewall as a possible
    // source.
    if ( rule->getDirection()!=PolicyRule::Inbound &&
         ( srcrel->isAny() ||
           ( srcrel->size()==1 &&
             src!=NULL &&
             !compiler->complexMatch(src,compiler->fw) &&
             srcrel->getBool("single_object_negation"))
         )
        )
    {
        PolicyRule *r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        ipt_comp->setChain(r,"OUTPUT");
        r->setDirection( PolicyRule::Outbound );
        tmp_queue.push_back(r);

        /*
         * A note about CLASSIFY target in iptables:
         *
         * CLASSIFY only works in mangle table in POSTROUTING chain.
         * the man page does not mention this, but module
         * documentation in p-o-m says so.
         */
        if (ipt_comp->my_table=="mangle" && rule->getClassification())
        {
            r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            ipt_comp->setChain(r,"POSTROUTING");
            r->setDirection( PolicyRule::Outbound );
            tmp_queue.push_back(r);
        }
    }
    tmp_queue.push_back(rule); // add old rule anyway
    return true;
}

/*
 * Mirror image of splitIfSrcAny: when dst is 'any' (or a single negated
 * non-firewall object) and the rule is not outbound-only, add a copy in
 * chain INPUT. Skipped when "firewall_is_part_of_any_and_networks" is
 * 0, when the rule carries "no_input_chain", or when it already has a
 * chain.
 */
bool PolicyCompiler_ipt::splitIfDstAny::processNext()
{
    PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;
    // FWOptions *fwopt = compiler->getCachedFwOpt();
    FWOptions *ruleopt = rule->getOptionsObject();

    /* commented to fix bug #1112470
     * if fw is considered part of any, we should place rule in INPUT/OUTPUT
     * chains even if it is a bridging fw since fw itself may send or receive
     * packets
     */
    if ( /* fwopt->getBool("bridging_fw") || */
        ruleopt->getInt("firewall_is_part_of_any_and_networks")==0 ||
        ruleopt->getBool("no_input_chain"))
    {
        tmp_queue.push_back(rule);
        return true;
    }

    if ( ! rule->getStr("ipt_chain").empty() )
    {
        tmp_queue.push_back(rule);
        return true;
    }

    RuleElementDst *dstrel = rule->getDst();
    Address *dst = compiler->getFirstDst(rule);

    if ( rule->getDirection()!=PolicyRule::Outbound &&
         ( dstrel->isAny() ||
           ( dstrel->size()==1 &&
             dst!=NULL &&
             !compiler->complexMatch(dst,compiler->fw) &&
             dstrel->getBool("single_object_negation"))
         )
        )
    {
        PolicyRule *r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        ipt_comp->setChain(r,"INPUT");
        r->setDirection( PolicyRule::Inbound );
        tmp_queue.push_back(r);

        // if this rule is for mangle table, need to put it into
        // POSTROUTING chain as well because some targets that
        // work with mangle table can only go into POSTROUTING chain
        // such as CLASSIFY
        //
        // NOTE(review): the comment above says POSTROUTING but the copy
        // below is placed in PREROUTING; splitIfSrcAny uses POSTROUTING
        // for the same CLASSIFY case. Confirm which chain is intended.
        if (ipt_comp->my_table=="mangle" && rule->getClassification())
        {
            r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            ipt_comp->setChain(r,"PREROUTING");
            r->setDirection( PolicyRule::Inbound );
            tmp_queue.push_back(r);
        }
    }
    tmp_queue.push_back(rule); // add old rule in any case
    return true;
}

/**
 * If rule element RE (Src or Dst) has an AddressRange object that
 * represents single address, replace it with corresponding IPv4
 * object. Call this rule processor before splitIfSrcMatchingAddressRange
 *
 * The replacement IPv4 object is named "<range name>_addr", gets the
 * range start as its address and an all-ones netmask, and is stored in
 * compiler->persistent_objects.
 *
 * #2650
 */
bool PolicyCompiler_ipt::specialCaseAddressRangeInRE::processNext()
{
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    list new_children;

    RuleElement *rel = RuleElement::cast( rule->getFirstByType(re_type) );
    for (list::iterator i1=rel->begin(); i1!=rel->end(); ++i1)
    {
        Address *addr_obj = Address::cast(FWReference::getObject(*i1));

        // NOTE(review): members that are not Address objects are skipped
        // here and, because rel is rebuilt from new_children below, they
        // are dropped from the rule element. Presumably groups have
        // already been expanded by this stage — confirm.
        if (addr_obj == NULL) continue;

        /*
         * commented out for SF bug 3468358
         * Why did I need to replace cluster interface with member interface if
         * addresses of interfaces can not be AddressRange objects ?
         * Address *addr_obj = compiler->correctForCluster(Address::cast(obj));
         */
        if (addr_obj && !addr_obj->isAny() && AddressRange::isA(addr_obj) &&
            addr_obj->dimension() == 1)
        {
            Address *new_addr = compiler->dbcopy->createIPv4();
            new_addr->setName(addr_obj->getName() + "_addr");
            new_addr->setAddress(AddressRange::cast(addr_obj)->getRangeStart());
            new_addr->setNetmask(InetAddr(InetAddr::getAllOnes()));
            compiler->persistent_objects->add(new_addr);
            new_children.push_back(new_addr);
        } else
            new_children.push_back(addr_obj);
    }

    if (new_children.size() > 0)
    {
        rel->clearChildren();
        for (list::iterator i1=new_children.begin(); i1!=new_children.end(); ++i1)
        {
            rel->addRef(*i1);
        }
    }

    tmp_queue.push_back(rule); // add old rule in any case
    return true;
}

/**
 * Split rule if src has addressRange object that matches the
 * firewall. If some addresses inside the range match the firewall,
 * while others dont, the rule must be placed in both OUTPUT and
 * FORWARD chains.
 *
 * #2650
 */
bool PolicyCompiler_ipt::splitIfSrcMatchingAddressRange::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    Address *src = compiler->correctForCluster(compiler->getFirstSrc(rule));

    // complexMatch flags: both are turned off for a bridging firewall
    bool b, m;
    b=m= !( compiler->getCachedFwOpt()->getBool("bridging_fw") );

    /*
     * directions outbound or both: if src is an address range that
     * matches fw, we should split the rule to make sure we match both
     * in OUTPUT and FORWARD
     */
    if ( rule->getDirection() != PolicyRule::Inbound &&
         src && !src->isAny() && AddressRange::isA(src) &&
         ipt_comp->complexMatch(src, ipt_comp->fw, b, m))
    {
        PolicyRule *r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        ipt_comp->setChain(r, "OUTPUT");
        r->setDirection( PolicyRule::Outbound );
        tmp_queue.push_back(r);
    }
    tmp_queue.push_back(rule);
    return true;
}

/**
 * Split rule if dst has addressRange object that matches the
 * firewall. If some addresses inside the range match the firewall,
 * while others dont, the rule must be placed in both INPUT and
 * FORWARD chains.
 *
 * #2650
 */
bool PolicyCompiler_ipt::splitIfDstMatchingAddressRange::processNext()
{
    // NOTE(review): template arguments of dynamic_cast, list and std::map
    // are missing throughout this listing (e.g. "dynamic_cast(compiler)");
    // they were presumably lost when the file was rendered. Compare with
    // the repository source before relying on the exact types.
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    Address *dst = compiler->correctForCluster(compiler->getFirstDst(rule));

    // complexMatch flags: both are turned off for a bridging firewall
    bool b, m;
    b=m= !( compiler->getCachedFwOpt()->getBool("bridging_fw") );

    /*
     * directions inbound or both: if dst is an address range that
     * matches fw, we should split the rule to make sure we match both
     * in INPUT and FORWARD
     */
    if ( rule->getDirection() != PolicyRule::Outbound &&
         dst && !dst->isAny() && AddressRange::isA(dst) &&
         ipt_comp->complexMatch(dst, ipt_comp->fw, b, m))
    {
        PolicyRule *r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        ipt_comp->setChain(r, "INPUT");
        r->setDirection( PolicyRule::Inbound );
        tmp_queue.push_back(r);
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * Shadowing-analysis helper: when the firewall is considered part of
 * 'any' (rule option "firewall_is_part_of_any_and_networks" == 1) and
 * src is 'any', add an OUTPUT copy whose src is the firewall object
 * itself. Classification rules are passed through unchanged.
 */
bool PolicyCompiler_ipt::splitIfSrcAnyForShadowing::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if (rule->getClassification())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    RuleElementSrc *srcrel=rule->getSrc();
    FWOptions *ruleopt = rule->getOptionsObject();

    if ( ruleopt->getInt("firewall_is_part_of_any_and_networks")==1 &&
         !ruleopt->getBool("no_output_chain") &&
         rule->getDirection()!=PolicyRule::Inbound &&
         srcrel->isAny() )
    {
        PolicyRule *r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        ipt_comp->setChain(r,"OUTPUT");
        r->setDirection( PolicyRule::Outbound );
        // the copy names the firewall explicitly instead of 'any'
        RuleElementSrc *nsrcrel=r->getSrc();
        nsrcrel->addRef(compiler->fw);
        tmp_queue.push_back(r);
    }
    tmp_queue.push_back(rule); // add old rule anyway
    return true;
}

/*
 * Mirror image of splitIfSrcAnyForShadowing for dst: adds an INPUT copy
 * whose dst is the firewall object when dst is 'any'.
 */
bool PolicyCompiler_ipt::splitIfDstAnyForShadowing::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if (rule->getClassification())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    RuleElementDst *dstrel=rule->getDst();
    FWOptions *ruleopt = rule->getOptionsObject();

    if ( ruleopt->getInt("firewall_is_part_of_any_and_networks")==1 &&
         !ruleopt->getBool("no_input_chain") &&
         rule->getDirection()!=PolicyRule::Outbound &&
         dstrel->isAny() )
    {
        PolicyRule *r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        ipt_comp->setChain(r,"INPUT");
        r->setDirection( PolicyRule::Inbound );
        // the copy names the firewall explicitly instead of 'any'
        RuleElementDst *ndstrel=r->getDst();
        ndstrel->addRef(compiler->fw);
        tmp_queue.push_back(r);
    }
    tmp_queue.push_back(rule); // add old rule anyway
    return true;
}

/*
 * If src contains a Network/NetworkIPv6 object that the firewall has an
 * address on (compiler->findAddressFor), add an OUTPUT copy of the rule
 * so that traffic originated by the firewall from that network is
 * covered. Skipped for bridging firewalls, when the rule option
 * "firewall_is_part_of_any_and_networks" is 0, when the rule carries
 * "no_output_chain", when it already has a chain, or when src is 'any'.
 * The network objects themselves are left in the copy (see the #if 0
 * block below).
 */
bool PolicyCompiler_ipt::splitIfSrcFWNetwork::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if (rule->getClassification())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    RuleElementSrc *srcrel=rule->getSrc();
    FWOptions *fwopt = compiler->getCachedFwOpt();
    FWOptions *ruleopt = rule->getOptionsObject();

    if ( fwopt->getBool("bridging_fw") ||
         ruleopt->getInt("firewall_is_part_of_any_and_networks")==0 ||
         ruleopt->getBool("no_output_chain"))
    {
        tmp_queue.push_back(rule);
        return true;
    }

    if ( ! rule->getStr("ipt_chain").empty() || srcrel->isAny() )
    {
        tmp_queue.push_back(rule);
        return true;
    }

    if (rule->getDirection()!=PolicyRule::Inbound)
    {
        // network object -> firewall address found on that network
        std::map obj_subst;
        for (list::iterator i1=srcrel->begin(); i1!=srcrel->end(); ++i1)
        {
            FWObject *o = *i1;
            if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
            Address *a = Address::cast(o);
            FWObject *na;
            if ((Network::isA(o) || NetworkIPv6::isA(o)) &&
                (na=compiler->findAddressFor(a, compiler->fw ))!=NULL)
            {
                obj_subst[a]=na;
            }
        }

        if ( ! obj_subst.empty() )
        {
            PolicyRule *r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            ipt_comp->setChain(r,"OUTPUT");
            r->setDirection( PolicyRule::Outbound );
#if 0
/* I can't decide right now if I should replace network objects with
   firewall's addresses. I am going not to replace them for now */
            RuleElementSrc *nsrcrel=r->getSrc();
            for (std::map::iterator i=obj_subst.begin(); i!=obj_subst.end(); i++)
            {
                nsrcrel->removeRef( i->first );
                nsrcrel->addRef( i->second );
            }
#endif
            tmp_queue.push_back(r);
        }
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * Mirror image of splitIfSrcFWNetwork for dst: adds an INPUT copy when
 * dst contains a Network/NetworkIPv6 object the firewall has an address
 * on. Same skip conditions, with "no_input_chain" instead of
 * "no_output_chain".
 */
bool PolicyCompiler_ipt::splitIfDstFWNetwork::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if (rule->getClassification())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    RuleElementDst *dstrel=rule->getDst();
    FWOptions *fwopt = compiler->getCachedFwOpt();
    FWOptions *ruleopt = rule->getOptionsObject();

    if ( fwopt->getBool("bridging_fw") ||
         ruleopt->getInt("firewall_is_part_of_any_and_networks")==0 ||
         ruleopt->getBool("no_input_chain"))
    {
        tmp_queue.push_back(rule);
        return true;
    }

    if ( ! rule->getStr("ipt_chain").empty() || dstrel->isAny() )
    {
        tmp_queue.push_back(rule);
        return true;
    }

    if (rule->getDirection()!=PolicyRule::Outbound)
    {
        // network object -> firewall address found on that network
        std::map obj_subst;
        for (list::iterator i1=dstrel->begin(); i1!=dstrel->end(); ++i1)
        {
            FWObject *o = *i1;
            if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
            Address *a = Address::cast(o);
            FWObject *na;
            if ((Network::isA(a) || NetworkIPv6::isA(a)) &&
                (na=compiler->findAddressFor(a, compiler->fw))!=NULL)
            {
                obj_subst[a]=na;
            }
        }

        if ( ! obj_subst.empty() )
        {
            PolicyRule *r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            ipt_comp->setChain(r,"INPUT");
            r->setDirection( PolicyRule::Inbound );
#if 0
/* I can't decide right now if I should replace network objects with
   firewall's addresses. I am going not to replace them for now */
            RuleElementDst *ndstrel=r->getDst();
            for (std::map::iterator i=obj_subst.begin(); i!=obj_subst.end(); i++)
            {
                ndstrel->removeRef( i->first );
                ndstrel->addRef( i->second );
            }
#endif
            tmp_queue.push_back(r);
        }
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * predicates that run before guarantee that when we call this one,
 * firewall object, if it is in src or dst, is single object there
 *
 * Rejects a rule whose dst is the firewall (or cluster) while src is
 * not and direction is Outbound: such a packet is delivered locally and
 * never leaves through an interface.
 *
 * NOTE(review): if compiler->abort() returns instead of terminating the
 * compile, the rejected rule is not pushed to tmp_queue and silently
 * disappears from the output — confirm abort() does not return.
 */
bool PolicyCompiler_ipt::checkSrcAndDst1::processNext()
{
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    Address *src = compiler->getFirstSrc(rule); assert(src);
    Address *dst = compiler->getFirstDst(rule); assert(dst);

    if (!compiler->isFirewallOrCluster(src) &&
        compiler->isFirewallOrCluster(dst) &&
        rule->getDirection()==PolicyRule::Outbound )
    {
        compiler->abort(
            rule,
            "direction can not be outbound when destination is firewall");
        return true;
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * Counterpart of checkSrcAndDst1: rejects a rule whose src is the
 * firewall (or cluster) while dst is not and direction is Inbound. Same
 * note about compiler->abort() applies.
 */
bool PolicyCompiler_ipt::checkSrcAndDst2::processNext()
{
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    Address *src = compiler->getFirstSrc(rule); assert(src);
    Address *dst = compiler->getFirstDst(rule); assert(dst);

    if (compiler->isFirewallOrCluster(src) &&
        !compiler->isFirewallOrCluster(dst) &&
        rule->getDirection()==PolicyRule::Inbound )
    {
        compiler->abort(
            rule,
            "direction can not be inbound when source is firewall");
        return true;
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * A rule where both src and dst match the firewall and direction is
 * Both is replaced by two copies, one Inbound and one Outbound.
 * Classification rules are passed through unchanged.
 */
bool PolicyCompiler_ipt::specialCaseWithFW1::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if (rule->getClassification())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    // RuleElementSrc *srcrel=rule->getSrc();
    Address *src = compiler->getFirstSrc(rule);
    if(src==NULL) compiler->abort(rule, "Broken SRC ");
    // RuleElementDst *dstrel=rule->getDst();
    Address *dst = compiler->getFirstDst(rule);
    if(dst==NULL) compiler->abort(rule, "Broken DST");

    // NOTE(review): src/dst are dereferenced right after the abort()
    // calls above; this is only safe if abort() never returns — confirm.
    if (!src->isAny() && !dst->isAny() &&
        compiler->complexMatch(src,compiler->fw) &&
        compiler->complexMatch(dst,compiler->fw) &&
        rule->getDirection()== PolicyRule::Both )
    {
        PolicyRule *r;
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setDirection( PolicyRule::Inbound );
        tmp_queue.push_back(r);

        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        r->setDirection( PolicyRule::Outbound );
        tmp_queue.push_back(r);
    } else
        tmp_queue.push_back(rule);
    return true;
}

/*
 * For an Outbound rule bound to one of the firewall's interfaces and not
 * already in chain OUTPUT: drop the rule when src does not match the
 * firewall but dst does, because such a packet is delivered locally and
 * can never leave through the interface. Rules with negated src, and
 * broadcast/multicast destinations on a bridging firewall, are kept.
 *
 * The drop happens in the "!src_matches && dst_matches" branch below
 * without emitting any diagnostic; the rule simply does not reach the
 * generated script.
 */
bool PolicyCompiler_ipt::specialCaseWithFWInDstAndOutbound::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    Interface *itf = compiler->getFirstItf(rule);
    // note: itf can be NULL if object in this rule element is a group
    RuleElementSrc *srcrel = rule->getSrc();
    Address *src =compiler->getFirstSrc(rule);
    Address *dst =compiler->getFirstDst(rule);
    string chain = rule->getStr("ipt_chain");

    if (rule->getDirection()== PolicyRule::Outbound &&
        itf!=NULL && itf->isChildOf(compiler->fw) &&
        chain!="OUTPUT")
    {
        // If dst is broadcast or multicast and this is a bridging fw,
        // keep the rule as is: a bridging fw can forward broadcasts, so
        // a rule with this address in destination, direction Outbound
        // and non-empty interface is legit. A non-bridging fw falls
        // through to the checks below.
        FWOptions *fwopt = compiler->getCachedFwOpt();
        const InetAddr *dst_addr = dst->getAddressPtr();
        if (dst_addr &&
            (dst_addr->isBroadcast() || dst_addr->isMulticast()) &&
            fwopt->getBool("bridging_fw"))
        {
            tmp_queue.push_back(rule);
            return true;
        }

        // if src does not match fw and dst matches firewall, skip the
        // rule. The idea is that if src does not match fw, such
        // packet can only be forwarded by the firewall. If dst
        // matches firewall, it would go into INPUT chain and would
        // not be forwarded, so it can't cross interface in outbound
        // direction and the rule would never see this packet. If src
        // matches the firewall, the packet might be generated by it
        // and can cross interface in outbound direction, so the rule
        // must be preserved.
        // Also, if src is negated, the rule must be preserved too.
        if (srcrel->getNeg() || srcrel->getBool("single_object_negation"))
        {
            tmp_queue.push_back(rule);
            return true;
        }

        FWOptions *ruleopt = rule->getOptionsObject();
        // NOTE(review): the other processors in this file read this
        // option with getInt()==0/1; here it is read with getBool().
        // Confirm both accessors interpret the stored value the same way.
        bool rule_afpa = ruleopt->getBool("firewall_is_part_of_any_and_networks");
        bool src_matches = compiler->complexMatch(src, compiler->fw);
        bool dst_matches = compiler->complexMatch(dst, compiler->fw);

        // if "assume fw is part of any and networks" is turned off,
        // do not consider network objects matching. Except when such
        // network has netmask 255.255.255.255 and defines just a
        // single address
        if ((src->isAny() || Network::isA(src) || NetworkIPv6::isA(src)) &&
            !rule_afpa && ! src->getNetmaskPtr()->isHostMask()) src_matches = false;
        if ((dst->isAny() || Network::isA(dst) || NetworkIPv6::isA(dst)) &&
            !rule_afpa && ! dst->getNetmaskPtr()->isHostMask()) dst_matches = false;

        // there is still one case that this rule processor catches
        // and drop the rule, but I am not sure if it is right thing
        // to do. This is when src=some address on the subnet fw
        // intrface is on, but not the address of the firewall,
        // dst=broadcast or multicast, "assume fw is part of any" is
        // turned on, the firewall is not a bridge. A rule like this
        // passes all checks above and gets dropped by this rule
        // processor. It is hard to say what should we really do in
        // this case.
        if (!src_matches && dst_matches)
        {
            // src does not match, dst matches: skipping the rule
            return true;
        }
        tmp_queue.push_back(rule);
        return true;
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * this is basically the same as ExpandMultipleAddresses except it
 * does not skip loopback
 *
 * Applies only when both src and dst are the firewall object itself
 * (compared by id); both elements are then reset and refilled with the
 * IPv4 addresses of all interfaces that are neither unnumbered nor
 * bridge ports. Only IPv4::TYPENAME children are collected, so IPv6
 * interface addresses are not expanded here.
 */
bool PolicyCompiler_ipt::specialCaseWithFW2::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    RuleElementSrc *srcrel=rule->getSrc();
    Address *src =compiler->getFirstSrc(rule);
    RuleElementDst *dstrel=rule->getDst();
    Address *dst =compiler->getFirstDst(rule);

    if (src->getId()==compiler->fw->getId() &&
        dst->getId()==compiler->fw->getId() )
    {
        srcrel->reset();
        dstrel->reset();

        list all_addresses;
        FWObjectTypedChildIterator i=compiler->fw->findByType(Interface::TYPENAME);
        for ( ; i!=i.end(); ++i )
        {
            Interface *iface=Interface::cast(*i);
            if ( iface->isUnnumbered() || iface->isBridgePort() ) continue;
            FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
            for ( ; j!=j.end(); ++j ) all_addresses.push_back( *j);
        }

        // the loop variable "i" below shadows the iterator declared above
        for (list::iterator i=all_addresses.begin(); i!=all_addresses.end(); ++i)
        {
            srcrel->addRef(*i);
            dstrel->addRef(*i);
        }
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * Remove every unnumbered or bridge-port interface from rule element
 * re. Returns true if re was 'any' to begin with (nothing to do) or is
 * still non-empty after the removal; returns false when the removal
 * emptied the element, i.e. all of its members were such interfaces.
 */
bool PolicyCompiler_ipt::specialCaseWithUnnumberedInterface::dropUnnumberedInterface(RuleElement *re)
{
    if (re->isAny()) return true;

    list cl;   // interfaces to remove, collected first to avoid
               // modifying re while iterating over it
    for (list::iterator i1=re->begin(); i1!=re->end(); ++i1)
    {
        FWObject *o = *i1;
        FWObject *obj = o;
        if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();

        Interface *ifs =Interface::cast( obj );
        if (ifs!=NULL && (ifs->isUnnumbered() || ifs->isBridgePort()))
            cl.push_back(obj);
    }
    if (!cl.empty())
    {
        for (list::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
            re->removeRef( (*i1) );
    }
    return (!re->isAny() );
}

/**
 * checks for the following situations:
 *
 * 1. unnumbered interface is in source and direction is inbound
 * (drop interface from src since source address is
 * undertermined)
 *
 * 2.
unnumbered interface is in source, direction is outbound * and chain is temporary (drop interface from the list, this * rule has been created while processing negation. TODO: this * is kludge, need to create separate temporary chain while * doing negation in src if one of the objects is firewall) * * 3. unnumbered interface is in destination and chain is "OUTPUT" * (drop interface since dest. address is undefined) * * */ bool PolicyCompiler_ipt::specialCaseWithUnnumberedInterface::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; bool keep_rule=true; switch ( rule->getDirection() ) { case PolicyRule::Inbound: keep_rule=dropUnnumberedInterface( rule->getSrc() ); break; case PolicyRule::Outbound: if ( rule->getStr("ipt_chain")=="OUTPUT" ) keep_rule=dropUnnumberedInterface( rule->getDst() ); else keep_rule=dropUnnumberedInterface( rule->getSrc() ); break; default: ; } if (keep_rule) tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces( RuleElement *re, Rule *rule) { if (re->isAny()) return true; list cl; for (list::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *o = *i1; FWObject *obj = o; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Interface *ifs = Interface::cast( obj ); if (ifs != NULL && ifs->isDyn()) { if ( ! ifs->isChildOf(compiler->fw)) { // If this is dynamic failover interface, look at // corresponding member interface. If we can find one, // it is ok. Otherwise it is probably failover // interface of a cluster this firewall is not a // member of. 
if (ifs->isFailoverInterface()) { FailoverClusterGroup *fg = FailoverClusterGroup::cast( ifs->getFirstByType(FailoverClusterGroup::TYPENAME)); if (fg && fg->getInterfaceForMemberFirewall(compiler->fw)!=NULL) continue; } QString err( "Can not build rule using dynamic interface '%1' " "of the object '%2' because its address in unknown."); compiler->abort( rule, err .arg(ifs->getName().c_str()) .arg(ifs->getParent()->getName().c_str()).toStdString()); return false; } } } return true; } bool PolicyCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; if (findDynamicInterfaces( rule->getSrc() , rule ) && findDynamicInterfaces( rule->getDst() , rule )) tmp_queue.push_back(rule); return true; } /* * remember, behavior of this processor has been changed in virtual * method _expand_interface */ bool PolicyCompiler_ipt::expandMultipleAddressesIfNotFWinSrc::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrc *srcrel = rule->getSrc(); Address *src =compiler->getFirstSrc(rule); assert(src); if (Firewall::cast(src)==NULL) compiler->_expand_addr(rule, srcrel, true); tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipt::expandMultipleAddressesIfNotFWinDst::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementDst *dstrel=rule->getDst(); Address *dst =compiler->getFirstDst(rule); assert(dst); if (Firewall::cast(dst)==NULL) compiler->_expand_addr(rule, dstrel, true); tmp_queue.push_back(rule); return true; } void PolicyCompiler_ipt::expandLoopbackInterfaceAddress::replaceLoopbackWithItsAddress( RuleElement *rel, Rule *rule) { if (rel->isAny()) return; list cl; for (list::iterator i1=rel->begin(); i1!=rel->end(); ++i1) { FWObject *o = *i1; FWObject *obj = o; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); if (Interface::cast(obj)!=NULL && Interface::cast(obj)->isLoopback()) { FWObject *addr = 
obj->getFirstByType(IPv4::TYPENAME); if (addr==NULL) compiler->abort( rule, "Loopback interface of the firewall object does not " "have IP address but is used in the rule"); rel->removeRef(obj); rel->addRef(addr); break; // I guess there can be only one loopback object in the rule, right ? } } } bool PolicyCompiler_ipt::expandLoopbackInterfaceAddress::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrc *srcrel=rule->getSrc(); RuleElementDst *dstrel=rule->getDst(); replaceLoopbackWithItsAddress(srcrel,rule); replaceLoopbackWithItsAddress(dstrel,rule); tmp_queue.push_back(rule); return true; } /* * This processor sets chain only if it is INPUT or OUTPUT. We will * look at the rule if it goes into FORWARD chain in * splitIfSrcFWNetwork / splitIfDstFWNetwork and possibly split it. We will * set chain to FORWARD after that in decideOnChain */ bool PolicyCompiler_ipt::decideOnChainIfSrcFW::processNext() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; if ( ! rule->getStr("ipt_chain").empty() || rule->getClassification()) { tmp_queue.push_back(rule); return true; } #ifdef DEBUG_FOR_DMZ cerr << endl; cerr << "PolicyCompiler_ipt::decideOnChainIfSrcFW " << " rule " << rule->getLabel() << endl; #endif Address *src = compiler->correctForCluster(compiler->getFirstSrc(rule)); assert(src); /* Bug 811860: "IPTables Compiler Firewall IP to Input Chain". * on a bridging firewall rules not associated with interfaces should * go into INPUT/OUTPUT chain on interfaces that do routing and into * FORWARD chain on bridging interfaces. Sometimes bridging interfaces * are not created in the GUI, so to play it safe we will split the * rule and put it into both FORWARD and INPUT/OUTPUT chain. * * Bug #934949: "duplicate rules". Split the rule only if firewall is * in src or dst. Otherwise compiler produces duplicates. 
* */ if ( compiler->getCachedFwOpt()->getBool("bridging_fw") && compiler->complexMatch(src, compiler->fw, false, false) ) { /* Correction for bug #1231 : as of fwbuilder v4.0 (and * really, probably as of 3.0), bridge ports must be created * in the GUI for the compiler to process policy of the * bridging firewall correctly. Will split the rule if it is * not associated with any particular interface or associated * with an interface which is a bridge port. */ Interface *rule_iface = compiler->getFirstItf(rule); if (rule_iface == NULL || rule_iface->isBridgePort()) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); ipt_comp->setChain(r,"FORWARD"); tmp_queue.push_back(r); } } bool b,m; /* * do not check for broadcasts and multicasts in bridging firewall because * they should go to FORWARD chain * * b=m= !( compiler->getCachedFwOpt()->getBool("bridging_fw") ); * * * Commented out the line above while working on the bug #811860: * "IPTables Compiler Firewall IP to Input Chain". No need to do it * anymore since we now split the rule if we work with a bridging fw * and the rule _always_ goes into FORWARD chain --vk 09/28/03 */ b=m=true; switch ( rule->getDirection() ) { case PolicyRule::Outbound: /* if direction is "Outbound", chain can never be INPUT, but could be FORWARD */ if (! src->isAny() && ! AddressRange::isA(src) && // #2650 compiler->complexMatch(src, compiler->fw, b, m)) ipt_comp->setChain(rule,"OUTPUT"); break; case PolicyRule::Both: /* direction == Both */ if (! src->isAny() && ! 
AddressRange::isA(src) && // #2650 compiler->complexMatch(src, compiler->fw, b, m)) { ipt_comp->setChain(rule,"OUTPUT"); rule->setDirection( PolicyRule::Outbound ); } break; default: break; } tmp_queue.push_back(rule); return true; } /* * Call this processor before InterfacePolicyRulesWithOptimization */ bool PolicyCompiler_ipt::decideOnChainIfDstFW::processNext() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; if ( ! rule->getStr("ipt_chain").empty() || rule->getClassification()) { tmp_queue.push_back(rule); return true; } Address *dst = compiler->correctForCluster(compiler->getFirstDst(rule)); assert(dst); /* * Note: dst can be cluster object but not necessarily the same cluster * that is being compiled. Check if compiler->fw is a member of this cluster. */ list cluster_members; if (Cluster::isA(dst)) Cluster::cast(dst)->getMembersList(cluster_members); /* Bug 811860: "IPTables Compiler Firewall IP to Input Chain". * on a bridging firewall rules not associated with interfaces should * go into INPUT/OUTPUT chain on interfaces that do routing and into * FORWARD chain on bridging interfaces. Sometimes bridging interfaces * are not created in the GUI, so to play it safe we will split the * rule and put it into both FORWARD and INPUT/OUTPUT chain. * * Bug #934949: "duplicate rules". Split the rule only if firewall is * in src or dst. Otherwise compiler produces duplicates. */ if ( compiler->getCachedFwOpt()->getBool("bridging_fw") && compiler->complexMatch(dst,compiler->fw,false,false) ) { /* Correction for bug #1231 : as of fwbuilder v4.0 (and * really, probably as of 3.0), bridge ports must be created * in the GUI for the compiler to process policy of the * bridging firewall correctly. Will split the rule if it is * not associated with any particular interface or associated * with an interface which is a bridge port. 
*/ Interface *rule_iface = compiler->getFirstItf(rule); if (rule_iface == NULL || rule_iface->isBridgePort()) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); ipt_comp->setChain(r,"FORWARD"); tmp_queue.push_back(r); } } bool b,m; /* * do not check for broadcasts and multicasts in bridging firewall because * they should go to FORWARD chain * * b=m= !( compiler->getCachedFwOpt()->getBool("bridging_fw") ); * * * Commented out the line above while working on the bug #811860: * "IPTables Compiler Firewall IP to Input Chain". No need to do it * anymore since we now split the rule if we work with a bridging fw * and the rule _always_ goes into FORWARD chain --vk 09/28/03 */ b=m=true; switch ( rule->getDirection() ) { case PolicyRule::Inbound: /* if direction is "Inbound", chain can never be OUTPUT, but could be FORWARD */ if (! dst->isAny() && ! AddressRange::isA(dst) && // #2650 (compiler->complexMatch(dst,compiler->fw,b,m) || std::find(cluster_members.begin(), cluster_members.end(), compiler->fw) != cluster_members.end()) ) ipt_comp->setChain(rule,"INPUT"); break; case PolicyRule::Both: /* direction == Both */ if (! dst->isAny() && ! AddressRange::isA(dst) && // #2650 (compiler->complexMatch(dst,compiler->fw,b,m) || std::find(cluster_members.begin(), cluster_members.end(), compiler->fw) != cluster_members.end()) ) { ipt_comp->setChain(rule,"INPUT"); rule->setDirection(PolicyRule::Inbound); } break; default: break; } tmp_queue.push_back(rule); return true; } /* * processor splitIfIfaceAndDirectionBoth splits interface rule if its * direction is "Both". This means that by the time when this * processor is called, original rule "any any any accept both" on the * loopback interface has already been converted to two rules : * * any any any accept inbound * any any any accept outbound * * We do not have to split rule here, but rather just assign it to * INPUT/OUTPUT chains. 
* * We now call this rule processor after InterfacePolicyRulesWithOptimization * which means there is no more than one object in rule element 'Interface' */ bool PolicyCompiler_ipt::decideOnChainIfLoopback::processNext() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementItf *itfre=rule->getItf(); assert(itfre); assert(itfre->size()<=1); // sometimes for whatever reason itf rule element appears to be broken // (it is just empty, not even "any") if (itfre->size()==0) { tmp_queue.push_back(rule); return true; } Interface *rule_iface = compiler->getFirstItf(rule); RuleElementSrc *srcrel=rule->getSrc(); RuleElementDst *dstrel=rule->getDst(); if (srcrel->isAny() && dstrel->isAny() && rule->getStr("ipt_chain").empty() && rule_iface!=NULL && rule_iface->isLoopback() ) { switch (rule->getDirection()) { case PolicyRule::Inbound: ipt_comp->setChain(rule,"INPUT"); break; case PolicyRule::Outbound: ipt_comp->setChain(rule,"OUTPUT"); break; default: ; } } tmp_queue.push_back(rule); return true; } /** * target CLASSIFY is only valid in mangle table, chain POSTROUTING. * However if the same rule also has tagging option, it should be * split because we want to tag in PREROUTING */ bool PolicyCompiler_ipt::decideOnChainForClassify::processNext() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; if ( ! 
rule->getClassification()) { tmp_queue.push_back(rule); return true; } if (rule->getStr("ipt_chain").empty()) { if (rule->getTagging()) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setClassification(false); r->setRouting(false); r->setAction(PolicyRule::Continue); tmp_queue.push_back(r); rule->setTagging(false); } ipt_comp->setChain(rule, "POSTROUTING"); } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipt::finalizeChain::processNext() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; // tmp_queue.push_back(rule); if ( ! rule->getStr("ipt_chain").empty() ) { tmp_queue.push_back(rule); return true; } ipt_comp->setChain(rule, "FORWARD"); if (ipt_comp->my_table=="mangle") { switch ( rule->getDirection() ) { case PolicyRule::Inbound: ipt_comp->setChain(rule,"PREROUTING"); break; case PolicyRule::Outbound: ipt_comp->setChain(rule,"POSTROUTING"); break; default: ipt_comp->setChain(rule,"FORWARD"); break; } if (rule->getAction() == PolicyRule::Accept) ipt_comp->setChain(rule,"PREROUTING"); } else { Address *src = compiler->correctForCluster(compiler->getFirstSrc(rule)); Address *dst = compiler->correctForCluster(compiler->getFirstDst(rule)); /* * Note that we deal with address ranges in splitIfSrcMatchingAddressRange and * splitIfDstMatchingAddressRange. At this point we treat ranges as always * not matching the firewall (so the go into FORWARD chain), except for ranges * that consist of 1 address. These should be treated as a single address. This * is for #2650 */ bool b,m; /* * do not check for broadcasts and multicasts in bridging firewall because * they should go to FORWARD chain */ b=m= !( compiler->getCachedFwOpt()->getBool("bridging_fw") ); switch ( rule->getDirection() ) { case PolicyRule::Inbound: /* if direction is "Inbound", chain can never be OUTPUT, but could be FORWARD */ if (dst && !dst->isAny() && ! 
AddressRange::isA(dst) && // #2650 ipt_comp->complexMatch(dst, ipt_comp->fw, b, m)) { ipt_comp->setChain(rule,"INPUT"); } break; case PolicyRule::Outbound: /* if direction is "Outbound", chain can never be INPUT, but could be FORWARD */ if (src && !src->isAny() && ! AddressRange::isA(src) && // #2650 ipt_comp->complexMatch(src, ipt_comp->fw, b, m)) { ipt_comp->setChain(rule,"OUTPUT"); } break; default: /* direction == Both */ if (dst && !dst->isAny() && ! AddressRange::isA(dst) && // #2650 ipt_comp->complexMatch(dst, ipt_comp->fw, b, m)) { ipt_comp->setChain(rule,"INPUT"); break; } if (src && !src->isAny() && ! AddressRange::isA(src) && // #2650 ipt_comp->complexMatch(src, ipt_comp->fw, b, m)) { ipt_comp->setChain(rule,"OUTPUT"); break; } } } /* * bug #1040599: "unnecessary FORWARD rules". * If we haven't decided on INPUT/OUTPUT chain, it stays FORWARD. * However, if ip forwarding is turned off, we do not want any rules * in FORWARD chain, so we just drop it. * * If ip forwarding is set to "no change", assume it is on. */ bool ipforw = true; string ip_forward_option; if (ipt_comp->ipv6) ip_forward_option = compiler->getCachedFwOpt()->getStr("linux24_ipv6_forward"); else ip_forward_option = compiler->getCachedFwOpt()->getStr("linux24_ip_forward"); if (!ip_forward_option.empty() && (ip_forward_option=="0" || ip_forward_option=="Off" || ip_forward_option=="off")) ipforw = false; if (rule->getStr("ipt_chain")=="FORWARD" && !ipforw) return true; tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipt::decideOnTarget::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); if ( ! 
rule->getStr("ipt_target").empty() ) return true; // already defined // note that we use pseudo-target for action Continue switch (rule->getAction()) { case PolicyRule::Accept: rule->setStr("ipt_target", "ACCEPT"); break; case PolicyRule::Deny: rule->setStr("ipt_target", "DROP"); break; case PolicyRule::Reject: rule->setStr("ipt_target", "REJECT"); break; case PolicyRule::Return: rule->setStr("ipt_target", "RETURN"); break; // case PolicyRule::Tag: rule->setStr("ipt_target", "MARK"); break; case PolicyRule::Pipe: rule->setStr("ipt_target", "QUEUE"); break; // case PolicyRule::Classify: rule->setStr("ipt_target", "CLASSIFY"); break; // case PolicyRule::Route: rule->setStr("ipt_target", "ROUTE"); break; case PolicyRule::Continue: rule->setStr("ipt_target", ".CONTINUE"); break; case PolicyRule::Custom: rule->setStr("ipt_target", ".CUSTOM"); break; case PolicyRule::Branch: { RuleSet *ruleset = rule->getBranch(); if (ruleset==NULL) compiler->abort( rule, string("Branching rule ") + rule->getLabel() + " refers ruleset that does not exist"); else rule->setStr("ipt_target", ruleset->getName()); break; } default: ; } return true; } /* * remove fw object from src or dst to simplify rules but only if: * * original rule did not have negation and * we do not add any virtual addresses for NAT. * * After removal the rule collapses to a simple command like this: * iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT * * this works fine except if we have added virtual addresses for * NAT. It is assumed that firewall object in rules represents * combination of addresses configured in its interfaces in the * GUI. Virtual addresses added for NAT are considered to be a side * effect and connections should not be implicitly permitted to them * by a rule with fw object in destination. The same applies to fw * object in source. See bug #685947 * * To avoid inadvertently opening holes in the firewall by a rule like * that, we remove fw object only when it is safe to do so. 
*/ bool PolicyCompiler_ipt::removeFW::processNext() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; if (compiler->osconfigurator->getNumOfVirtualAddressesForNat()==0 && ! rule->getBool("upstream_rule_neg") ) { RuleElementSrc *srcrel = rule->getSrc(); Address *src = compiler->getFirstSrc(rule); if (src==NULL) { compiler->abort( rule, "removeFW: Empty Source rule element in rule"); return true; } RuleElementDst *dstrel = rule->getDst(); Address *dst = compiler->getFirstDst(rule); if (dst==NULL) { compiler->abort( rule, "removeFW: Empty Destination rule element in rule"); return true; } string chain = rule->getStr("ipt_chain"); if (( chain=="INPUT" || ipt_comp->isChainDescendantOfInput(chain)) && compiler->isFirewallOrCluster(dst)) { dstrel->reset(); } if (( chain=="OUTPUT" || ipt_comp->isChainDescendantOfOutput(chain)) && compiler->isFirewallOrCluster(src)) { srcrel->reset(); } } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipt::checkMACinOUTPUTChain::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; if ( rule->getStr("ipt_chain")=="OUTPUT" ) { // RuleElementSrc *srcrel=rule->getSrc(); Address *src = compiler->getFirstSrc(rule); assert(src); if (physAddress::isA(src)) { compiler->abort( rule, "Can not match MAC address of the firewall"); return true; } if (combinedAddress::isA(src)) { compiler->warning( rule, "Can not match MAC address of the firewall " "(chain OUTPUT) "); combinedAddress::cast(src)->setPhysAddress(""); } } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipt::checkUserServiceInWrongChains::processNext() { PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; Service *srv = compiler->getFirstSrv(rule); assert(srv); string chain = rule->getStr("ipt_chain"); if (UserService::cast(srv) != NULL && chain != "OUTPUT" && !ipt_comp->isChainDescendantOfOutput(chain)) { 
compiler->warning( rule, "Iptables does not support module 'owner' in a chain " "other than OUTPUT"); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipt::fillActionOnReject::processNext() { PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; FWOptions *ruleopt =rule->getOptionsObject(); string s=ruleopt->getStr("action_on_reject"); if (s.empty()) ruleopt->setStr("action_on_reject", ipt_comp->getCachedFwOpt()->getStr("action_on_reject")); tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipt::splitRuleIfSrvAnyActionReject::processNext() { PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srv= rule->getSrv(); string s=ipt_comp->getActionOnReject(rule); if ( rule->getAction()==PolicyRule::Reject && s.empty() && srv->isAny() ) { PolicyRule *r; RuleElementSrv *nsrv; r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrv=r->getSrv(); nsrv->addRef(compiler->dbcopy->findInIndex( FWObjectDatabase::getIntId(ANY_TCP_OBJ_ID))); FWOptions *ruleopt =r->getOptionsObject(); ruleopt->setStr("action_on_reject","TCP RST"); tmp_queue.push_back(r); } tmp_queue.push_back(rule); return true; } /** * objects in Srv must be of the same type by the time when we call * this rule processor */ bool PolicyCompiler_ipt::checkForStatefulICMP6Rules::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; FWOptions *ruleopt = rule->getOptionsObject(); RuleElementSrv *srv = rule->getSrv(); if (!srv->isAny()) { Service *s = Service::cast(FWReference::getObject(srv->front())); assert(s); if (ICMP6Service::isA(s) && ! 
ruleopt->getBool("stateless")) { compiler->warning( rule, "Making rule stateless because it matches ICMPv6"); ruleopt->setBool("stateless",true); } } tmp_queue.push_back(rule); return true; } /* * I am adding subrule suffix here, which I then use to generate * unique new chain name for this rule. The idea is to generate * meaningful chain name, which is associated with rule number (like * RULE_5), however since this processor runs very early and may split * the rule, subsequent processors that create new chains end up * creating chains with the same names. Need this suffix to create * different, yet meaningful chain names. * * TODO: add methods addRuleSuffix and getRuleSuffix to class Rule. * Define suffix automatically in a tree-like manner, so that when * original rule is split, its parts will get suffixes ".1" and * ".2". When these parts are split again, suffixes should become * ".1.1" and ".1.2" and so on. */ bool PolicyCompiler_ipt::splitServicesIfRejectWithTCPReset::processNext() { PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srv= rule->getSrv(); if ( rule->getAction()==PolicyRule::Reject && ipt_comp->isActionOnRejectTCPRST(rule)) { list tcp; list other; for (FWObject::iterator i=srv->begin(); i!=srv->end(); ++i) { Service *s1 = Service::cast(FWReference::getObject(*i)); assert(s1); // Protocol name is more reliable reference because CustomService // allows user to set protocol name if (s1->getProtocolName()=="tcp") tcp.push_back(s1); else other.push_back(s1); } if ( !other.empty() && tcp.empty() ) { if (seen_rules[rule->getPosition()]==false) compiler->warning( rule, "Rule action 'Reject' with TCP RST can be used " "only with TCP services."); ipt_comp->resetActionOnReject(rule); tmp_queue.push_back(rule); seen_rules[rule->getPosition()]=true; return true; } if ( other.empty() && !tcp.empty() ) { tmp_queue.push_back(rule); return true; } /* if both are not empty */ PolicyRule 
*r; RuleElementSrv *nsrv; r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrv=r->getSrv(); nsrv->clearChildren(); for (list::iterator j=other.begin(); j!=other.end(); j++) nsrv->addRef( (*j) ); r->getOptionsObject()->setStr("action_on_reject",""); r->setStr("subrule_suffix","1"); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrv=r->getSrv(); nsrv->clearChildren(); for (list::iterator j=tcp.begin(); j!=tcp.end(); j++) nsrv->addRef( (*j) ); r->setStr("subrule_suffix","2"); tmp_queue.push_back(r); return true; } tmp_queue.push_back(rule); return true; } /* * processor groupServicesByProtocol should have been called eariler, so now all * services in Srv are of the same type */ bool PolicyCompiler_ipt::prepareForMultiport::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *rel= rule->getSrv(); Service *srv= compiler->getFirstSrv(rule); if (rel->size()==1) { tmp_queue.push_back(rule); return true; } if (IPService::isA(srv) || ICMPService::isA(srv) || ICMP6Service::isA(srv) || CustomService::isA(srv) || TagService::isA(srv)) { /* multiport does not support ip and icmp services, split the rule */ for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast( o ); assert(s); PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementSrv *nsrv=r->getSrv(); nsrv->clearChildren(); nsrv->addRef( s ); tmp_queue.push_back(r); } return true; } if (TCPService::isA(srv) || UDPService::isA(srv)) { rule->setBool("ipt_multiport",true); /* make sure we have no more than 15 ports */ if (rel->size()>15) { int n=0; PolicyRule *r; RuleElementSrv *nsrv = NULL; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) 
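/* fragment: tail of the processor whose body begins before this excerpt
 * (it copies Service objects into fresh copies of the rule, 15 per copy). */
            o=FWReference::cast(o)->getPointer();
            Service *s=Service::cast( o );
            assert(s);
            if (n==0)
            {
                r= compiler->dbcopy->createPolicyRule();
                compiler->temp_ruleset->add(r);
                r->duplicate(rule);
                nsrv=r->getSrv();
                nsrv->clearChildren();
                tmp_queue.push_back(r);
            }
            assert(nsrv!=NULL);
            nsrv->addRef( s );
            if (++n>=15) n=0;
        }
    }
    else
        tmp_queue.push_back(rule);
    return true;
    }   // closes a block opened before this excerpt
    tmp_queue.push_back(rule);
    return true;
}

/*
 * processor groupServicesByProtocol should have been called before, it makes sure
 * all objects in Service are of the same type.
 *
 * One special case is custom service "ESTABLISHED". This processor
 * splits rule if it finds this service and turns off stateful
 * inspection on the rule.
 *
 * Every CustomService whose code for this platform contains the
 * substring "ESTABLISHED" or "RELATED" is moved into its own copy of the
 * rule with option "stateless" set. The original rule keeps the other
 * services and is dropped when nothing is left in its Service element.
 */
bool PolicyCompiler_ipt::specialCasesWithCustomServices::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    RuleElementSrv *srv= rule->getSrv();
    if (srv->isAny())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    // objects to remove from srv once the scan is over; collected
    // separately because srv is being iterated below
    stack<FWObject*> cl;
    for (FWObject::iterator i=srv->begin(); i!=srv->end(); i++)
    {
        FWObject *o= *i;
        if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
        assert(o!=NULL);

        if (CustomService::isA(o))
        {
            string code=CustomService::cast(o)->getCodeForPlatform(compiler->myPlatformName());
            // substring match, so e.g. "ESTABLISHED,RELATED" qualifies as well
            if (code.find("ESTABLISHED")!=string::npos ||
                code.find("RELATED")!=string::npos)
            {
                PolicyRule *r= compiler->dbcopy->createPolicyRule();
                compiler->temp_ruleset->add(r);
                r->duplicate(rule);
                RuleElementSrv *nsrv=r->getSrv();
                nsrv->clearChildren();
                nsrv->addRef(o);
                // a rule matching ESTABLISHED/RELATED must not itself be
                // turned into a stateful match
                r->getOptionsObject()->setBool("stateless",true);
                tmp_queue.push_back(r);
                cl.push(o);
            }
        }
    }
    while (!cl.empty())
    {
        srv->removeRef( cl.top() );
        cl.pop();
    }
    /*
     * if srv is 'any' at this point, then it had only single object at
     * the beginning and that object was CustomService which we've split
     * into a new rule. There is nothing left in the original srv so we
     * can simply drop the old rule.
     */
    if (!srv->isAny()) tmp_queue.push_back(rule);
    return true;
}

/*
 * Shadowing-detection helper (only used by the "check_shading" pass in
 * compile()). When the rule option "firewall_is_part_of_any_and_networks"
 * is 0, "any" in Src or Dst is not meant to cover the firewall itself.
 * Rather than negating the element (the commented-out approach below),
 * a copy of the rule with action Return and the firewall as the only
 * Src (resp. Dst) is queued in front of the original, so that the
 * shadowing check presumably treats firewall traffic as handled before
 * the "any" rule.
 */
bool PolicyCompiler_ipt::convertAnyToNotFWForShadowing::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;
    FWOptions *ruleopt =rule->getOptionsObject();
    PolicyRule *r;

    if ( ruleopt->getInt("firewall_is_part_of_any_and_networks")==0 )
    {
        RuleElementSrc *srcrel=rule->getSrc();
        RuleElementDst *dstrel=rule->getDst();

        if (srcrel->isAny())
        {
            // srcrel->addRef(compiler->fw);
            // srcrel->setNeg(true);
            r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            r->setAction( PolicyRule::Return );
            RuleElementSrc *nsrc=r->getSrc();
            nsrc->clearChildren();
            nsrc->addRef( compiler->fw );
            tmp_queue.push_back(r);
        }

        if (dstrel->isAny())
        {
            // dstrel->addRef(compiler->fw);
            // dstrel->setNeg(true);
            r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);
            r->setAction( PolicyRule::Return );
            RuleElementDst *ndst=r->getDst();
            ndst->clearChildren();
            ndst->addRef( compiler->fw );
            tmp_queue.push_back(r);
        }
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * Handles run-time MultiAddress objects in the rule element of type
 * re_type (Src or Dst, presumably set by the *InSrc / *InDst subclasses).
 *
 * - Single object that is a MultiAddressRunTime standing for an
 *   AddressTable: the file path derived from the firewall's data
 *   directory is stored in the rule as "address_table_file" and the
 *   object is registered with the OS configurator. A run-time DNSName
 *   needs no treatment.
 * - Otherwise every run-time AddressTable in the element is moved into
 *   its own copy of the rule (one table per rule); the original rule
 *   keeps the remaining objects and is dropped if nothing is left.
 *
 * Compilation is aborted (compiler->abort) when a table has a source
 * name but no path could be derived, i.e. the firewall's data directory
 * option is not set. The stored path is presumably what the generated
 * script reads at run time, so the data-directory option decides where
 * address-table files are picked up from on the firewall.
 */
bool PolicyCompiler_ipt::processMultiAddressObjectsInRE::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    // assumed non-NULL for this platform (no check in the original);
    // dereferenced below
    OSConfigurator_linux24 *osconf =
        dynamic_cast<OSConfigurator_linux24*>(compiler->osconfigurator);
    RuleElement *re = RuleElement::cast( rule->getFirstByType(re_type) );

    if (re->size()==1)
    {
        FWObject *o = re->front();
        if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
        MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
        if (atrt!=NULL)
        {
            // we have just one object in RE and this object is MultiAddressRunTime
            if (atrt->getSubstitutionTypeName()==AddressTable::TYPENAME)
            {
                string path = atrt->getSourceNameAsPath(compiler->getCachedFwOpt());
                if (path.empty() && !atrt->getSourceName().empty())
                {
                    compiler->abort(rule,
                                    "Firewall's data directory not set for address table: " +
                                    atrt->getName());
                    return true;
                }
                rule->setStr("address_table_file", path);
                osconf->registerMultiAddressObject(atrt);
            }
            if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME)
            {
                // this is DNSName converted to its run-time counterpart,
                // we do not need to touch it at all
            }
        }
        tmp_queue.push_back(rule);
        return true;
    }

    // collect the run-time address tables first; re is modified below
    list<MultiAddressRunTime*> cl;
    for (FWObject::iterator i=re->begin(); i!=re->end(); i++)
    {
        FWObject *o= *i;
        if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
        MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
        if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME)
            cl.push_back(atrt);
    }

    if (cl.empty())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    RuleElement *nre;
    RuleElement *ore = re;
    PolicyRule *r;

    for (list<MultiAddressRunTime*>::iterator i=cl.begin(); i!=cl.end(); i++)
    {
        MultiAddressRunTime *atrt = *i;
        r= compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        nre=RuleElement::cast( r->getFirstByType(re_type) );
        nre->clearChildren();
        nre->addRef( atrt );

        string path = atrt->getSourceNameAsPath(compiler->getCachedFwOpt());
        if (path.empty() && !atrt->getSourceName().empty())
        {
            compiler->abort(rule,
                            "Firewall's data directory not set for address table: " +
                            atrt->getName());
            return true;
        }
        r->setStr("address_table_file", path);
        osconf->registerMultiAddressObject(atrt);
        tmp_queue.push_back(r);

        ore->removeRef( *i );
    }

    // if rule element contained only run-time address tables, it should
    // be empty by now. There is no need to continue with this rule then.
    if ( ! re->isAny()) tmp_queue.push_back(rule);

    return true;
}

/*
 * iptables does not have target that would do nothing and would not
 * terminate processing of the packet (like NOP), so we create a new
 * user chain with target RETURN.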
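*/
bool PolicyCompiler_ipt::accounting::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    // assumes the Itf element is non-empty (front() of an empty element is
    // undefined); InterfaceAndDirection runs earlier in compile() and
    // presumably fills it -- confirm
    RuleElementItf *itf_re = rule->getItf();
    assert(itf_re!=NULL);
    Interface *rule_iface = Interface::cast(FWObjectReference::getObject(itf_re->front()));
    FWOptions *ruleopt = rule->getOptionsObject();

    if (rule->getAction()==PolicyRule::Accounting &&
        rule->getStr("ipt_target").empty())
    {
        string this_chain = rule->getStr("ipt_chain");
        string new_chain = ipt_comp->getNewChainName(rule, rule_iface);
        // rule option "rule_name_accounting" overrides the generated name and
        // becomes the iptables chain name as given; nothing here validates
        // its characters, so that has to happen where the option is set.
        string rule_name_accounting = ruleopt->getStr("rule_name_accounting");
        if (!rule_name_accounting.empty()) new_chain = rule_name_accounting;

        if (new_chain==this_chain)
        {
            // no separate counting chain: the rule itself just returns
            rule->setStr("ipt_target", "RETURN");
            rule->setAction(PolicyRule::Continue);
        } else
        {
            PolicyRule *r;
            RuleElementSrc *nsrc;
            RuleElementDst *ndst;
            RuleElementSrv *nsrv;

            /*
             * add copy of original rule, but turn off logging and set target
             * chain to new_chain.
             */
            r= compiler->dbcopy->createPolicyRule();
            compiler->temp_ruleset->add(r);
            r->duplicate(rule);

            // the counting rule lives in new_chain; its Src/Dst/Srv are reset
            // (presumably to "any") so it counts everything that reaches the chain
            nsrc=r->getSrc(); nsrc->reset();
            ndst=r->getDst(); ndst->reset();
            nsrv=r->getSrv(); nsrv->reset();

            r->setStr("ipt_chain",new_chain);
            r->setStr("upstream_rule_chain",this_chain);
            ipt_comp->registerChain(new_chain);
            ipt_comp->insertUpstreamChain(this_chain, new_chain);

            r->setStr("ipt_target", "RETURN");
            r->setLogging(false);
            r->setAction(PolicyRule::Continue);
            tmp_queue.push_back(r);

            // the original rule now only jumps to the counting chain; rate
            // limits are cleared so they do not apply to the jump. (The
            // original code re-declared ruleopt here, shadowing the outer
            // variable that points at the same options object.)
            rule->setStr("ipt_target", new_chain);
            rule->setLogging(false);
            ruleopt = rule->getOptionsObject();
            ruleopt->setInt("limit_value",-1);
            ruleopt->setInt("connlimit_value",-1);
            ruleopt->setInt("hashlimit_value",-1);
        }
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * Counts, per chain name, how many rules jump to it ("ipt_target") and
 * stores the result in ipt_comp->chain_usage_counter. The whole queue is
 * slurped because the second pass needs every rule. Rules pass through
 * unchanged.
 */
bool PolicyCompiler_ipt::countChainUsage::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    slurp();
    if (tmp_queue.size()==0) return false;

    for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
    {
        PolicyRule *rule = PolicyRule::cast( *k );
        ipt_comp->chain_usage_counter[rule->getStr("ipt_target")] += 1;
    }

    // second pass: if chain the rule belongs to has never been used as a target
    // then the target chain of the rule will never be used as well
    //
    // NOTE(review): nothing jumps to the built-in chains (INPUT, OUTPUT, ...),
    // so this relies on their counters being non-zero already -- presumably
    // seeded elsewhere (getStandardChains?), confirm. It is also a single
    // pass: a chain reached only through a chain that is zeroed later in
    // this loop keeps its count.
    for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
    {
        PolicyRule *rule = PolicyRule::cast( *k );
        if (ipt_comp->chain_usage_counter[rule->getStr("ipt_chain")] == 0)
            ipt_comp->chain_usage_counter[rule->getStr("ipt_target")] = 0;
    }
    return true;
}

/*
 * Drops rules bound to a "regular" interface that has no address of the
 * rule set's family (IPv4, or IPv6 when ipt_comp->ipv6), since such a rule
 * could never match on the real firewall. Only the cluster case below
 * emits a warning; the other drops are silent.
 */
bool PolicyCompiler_ipt::checkInterfaceAgainstAddressFamily::processNext()
{
    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    /*
     * If interface is "regular", compiler expects its addresses to
     * match addresses on real firewall. If it does not have any
     * addresses that match address family of the rule set, drop the
     * rule. If interface is not "Regular", i.e. dynamic, unnumbered
     * or bridge port, then compiler assumes it gets its address(es)
     * at run time and therefore can have address that matches address
     * family of the rule set. Therefore we can not drop the rule.
     */
    Interface *rule_iface = compiler->getFirstItf(rule);
    if (rule_iface==NULL || !rule_iface->isRegular())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    string addr_type = IPv4::TYPENAME;
    if (ipt_comp->ipv6) addr_type = IPv6::TYPENAME;

    list<FWObject*> addr_list = rule_iface->getByType(addr_type);
    if (addr_list.size() != 0)
    {
        tmp_queue.push_back(rule);
        return true;
    }

    if (rule_iface->isFailoverInterface())
    {
        /*
         * for ticket #1172 : this is cluster interface that has no
         * address, check properties of the corresponding member
         */
        FailoverClusterGroup *fg = FailoverClusterGroup::cast(
            rule_iface->getFirstByType(FailoverClusterGroup::TYPENAME));
        // fg is dereferenced without a NULL check; a failover interface is
        // presumably guaranteed to carry its group object -- confirm
        Interface *other_iface = fg->getInterfaceForMemberFirewall(compiler->fw);
        if (other_iface == NULL)
        {
            // if we get here, this cluster interface does not have
            // any corresponding interface of the firewall we are
            // compiling right now. What is the right thing to do in
            // this case? I suppose we can't check if this interface
            // matches address family. Dropping the rule.
            QString err("Cluster interface '%1' does not map onto any "
                        "interface of the firewall '%2' but is used "
                        "in the 'Interface' rule element. "
                        "The rule will be dropped because it can "
                        "not be associated with this interface.");
            compiler->warning(rule,
                              err.arg(rule_iface->getName().c_str())
                              .arg(compiler->fw->getName().c_str()).toStdString());
            return true;
        }

        if (other_iface->getByType(addr_type).size() != 0)
        {
            tmp_queue.push_back(rule);
            return true;
        } else
        {
            // member interface also has no addresses
            return true;
        }
    }

    // interface has no addresses and is not cluster failover interface
    // drop the rule
    return true;
}

/*
 * Pass-through: every rule is queued unchanged. Despite the name, no
 * rules are added here in this version.
 */
bool PolicyCompiler_ipt::addPredefinedRules::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);
    return true;
}

/*
 * Common filter installed at the head of both pipelines in compile():
 * removes rules that would need the mangle table.
 */
void PolicyCompiler_ipt::addRuleFilter()
{
    add( new dropMangleTableRules(" remove rules that require mangle table") );
}

/**
 *-----------------------------------------------------------------------
 * Builds and runs the rule-processor pipeline for this rule set and
 * table (my_table), IPv4 or IPv6. When the firewall option
 * "check_shading" is set and we are not in single-rule mode, a separate
 * pipeline for rule-shadowing detection runs first; the main pipeline
 * follows and ends with the print processor from createPrintRuleProcessor().
 */
void PolicyCompiler_ipt::compile()
{
    string version = fw->getStr("version");
    string banner = " Compiling ruleset " + getRuleSetName() +
        " for '" + my_table + "' table";
    if (ipv6) banner += ", IPv6";
    info(banner);

    Compiler::compile();

    bool check_for_recursive_groups=true;

    if ( fw->getOptionsObject()->getBool ("check_shading") &&
         ! inSingleRuleCompileMode())
    {
        add( new Begin("Detecting rule shadowing"));
        addRuleFilter();
        add( new printTotalNumberOfRules());

        // use full negation rule processor in shadowing detection.
        // This rule processor replaces interface(s) object(s) with a
        // complementary set of "other" interfaces of the firewall.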
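// add( new ItfNegation("process negation in Itf"));
        add( new InterfacePolicyRules(
                 "process interface policy rules and store interface ids"));

        add( new convertAnyToNotFWForShadowing("convert 'any' to '!fw'"));

#if 0
        add( new splitIfSrcAnyForShadowing("split rule if src is any"));
        add( new splitIfDstAnyForShadowing("split rule if dst is any"));
        add( new SrcNegation(true, "process negation in Src"));
        add( new DstNegation(true, "process negation in Dst"));
#endif

        add( new recursiveGroupsInSrc("check for recursive groups in SRC"));
        add( new recursiveGroupsInDst("check for recursive groups in DST"));
        add( new recursiveGroupsInSrv("check for recursive groups in SRV"));
        // recursion was checked here, so the main pipeline below skips it
        check_for_recursive_groups=false;

        add( new ExpandGroups("expand groups"));
        add( new dropRuleWithEmptyRE(
                 "drop rules with empty rule elements"));
        add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC"));
        add( new eliminateDuplicatesInDST("eliminate duplicates in DST"));
        add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV"));

        add( new swapMultiAddressObjectsInSrc(
                 " swap MultiAddress -> MultiAddressRunTime in Src"));
        add( new swapMultiAddressObjectsInDst(
                 " swap MultiAddress -> MultiAddressRunTime in Dst"));

        /* behavior of processors ExpandMultiple... has been changed in
         * virtual method _expand_interface */
        add( new ExpandMultipleAddressesInSrc(
                 "expand objects with multiple addresses in SRC"));
        add( new ExpandMultipleAddressesInDst(
                 "expand objects with multiple addresses in DST"));
        add( new dropRuleWithEmptyRE(
                 "drop rules with empty rule elements"));

        add( new ConvertToAtomic("convert to atomic rules"));

        /*
         * This assumes that all rules that go into the mangle table are
         * non-terminating. This is not necessarily correct because
         * non-termination is really an attribute of the target. However
         * targets that we support that go into mangle table (CLASSIFY and
         * MARK) are indeed non-terminating.
         */
        add( new SkipActionContinueWithNoLogging(
                 "drop rules with action Continue") );

        add( new checkForObjectsWithErrors(
                 "check if we have objects with errors in rule elements"));

        // #2367
        // if (my_table=="mangle" &&
        //     !fw->getOptionsObject()->getBool("classify_mark_terminating")
        // )
        // {
        //     add( new dropTerminatingTargets(
        //              "Drop rules with terminating targets") );
        //     add( new DetectShadowingForNonTerminatingRules(
        //              "Detect shadowing for non-terminating rules" ) );
        // } else
            add( new DetectShadowing("Detect shadowing" ) );

        add( new simplePrintProgress() );

        runRuleProcessors();
        deleteRuleProcessors();
    }

    // ---- main pipeline ----

    add( new PolicyCompiler::Begin());
    add( new addPredefinedRules("Add some predefined rules"));

    addRuleFilter();

    add( new printTotalNumberOfRules());

    add( new singleRuleFilter());

    add( new deprecateOptionRoute("Deprecate option Route"));

    add( new checkForUnsupportedCombinationsInMangle(
             "Check for unsupported Tag+Route and Classify+Route combinations"));
    add( new clearTagClassifyInFilter(
             "Clear Tag and Classify options in filter table"));
    add( new clearLogInMangle("clear logging in rules in mangle table"));
    add( new clearActionInTagClassifyIfMangle(
             "clear action in rules with Tag and Classify in mangle"));

    add( new storeAction("store original action of this rule"));

    add( new Logging1("check global logging override option"));

    add( new emptyGroupsInItf("check for empty groups in Itf"));
    add( new expandGroupsInItf("expand groups in Interface" ));
    add( new replaceClusterInterfaceInItf(
             "replace cluster interfaces with member interfaces in the Interface rule element"));
    add( new singleObjectNegationItf(
             "negation in Itf if it holds single object"));
    add( new ItfNegation("process negation in Itf"));

    add( new decideOnChainForClassify("set chain for action is Classify"));

    add( new InterfaceAndDirection("fill in interface and direction"));

    // if an action requires chain POSTROUTING (e.g. Classify), set chain
    // BEFORE calling splitIfIfaceAndDirectionBoth
    add( new splitIfIfaceAndDirectionBoth(
             "split interface rule with direction 'both'"));

    if (check_for_recursive_groups)
    {
        add( new recursiveGroupsInSrc("check for recursive groups in SRC"));
        add( new recursiveGroupsInDst("check for recursive groups in DST"));
        add( new recursiveGroupsInSrv("check for recursive groups in SRV"));
    }

    add( new emptyGroupsInSrc("check for empty groups in SRC"));
    add( new emptyGroupsInDst("check for empty groups in DST"));
    add( new emptyGroupsInSrv("check for empty groups in SRV"));

    /*
     * commented out to fix bug #727324. "-p tcp --destination-port ! 25"
     * means "all TCP with port != 25", which is not the same as "all
     * protocols except TCP port 25". We just can't use "!" with negation
     * in service even if there is only single object in that rule
     * element.
     *
     * Further correction: we CAN use single object negation with some types
     * of service objects, such as e.g. TagService or UserService
     */
    add( new SingleSrvNegation("negation in Srv if it holds 1 object"));

    add( new splitRuleIfSrvAnyActionReject(
             "split rule if action is reject and srv is any" ) );

    add( new SrvNegation( false, "process negation in Srv") );
    add( new expandGroupsInSrv("expand groups in Srv" ));
    add( new CheckForTCPEstablished("TCPService with \"established\"") );

    // add( new splitRuleIfSrvAnyActionReject(
    //          "split rule if action is reject and srv is any" ) );

    add( new fillActionOnReject("fill in action_on_reject" ) );
    add( new splitServicesIfRejectWithTCPReset(
             "split if action on reject is TCP reset"));
    add( new fillActionOnReject("fill in action_on_reject 2" ) );
    add( new splitServicesIfRejectWithTCPReset(
             "split if action on reject is TCP reset 2"));

    add( new SingleSrcNegation("negation in Src if it holds single object"));
    add( new SingleDstNegation("negation in Dst if it holds single object"));

    add( new splitIfSrcNegAndFw("split rule if src has negation and fw"));
    add( new splitIfDstNegAndFw("split rule if dst has negation and fw"));

    add( new SrcNegation(false, "process negation in Src" ));
    add( new DstNegation(false, "process negation in Dst" ));
    add( new TimeNegation(false, "process negation in Time" ));

    add( new Logging2("process logging"));

    // #2367 #2397
    add( new splitIfTagClassifyOrRoute(
             "Split rule if it uses tagging, classification or routing options"));
    add( new splitIfTagAndConnmark("Tag+CONNMARK combo"));

    add( new Route("process route rules"));

    /*
     * this is just a patch for those who do not understand how does
     * "assume firewall is part of any" work. It also eliminates redundant
     * and useless rules in the FORWARD chain for rules assigned to a
     * loopback interface.
     */
    // add( new decideOnChainIfLoopback("any-any rule on loopback" ) );

    add( new ExpandGroups("expand all groups"));
    add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
    add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC" ));
    add( new eliminateDuplicatesInDST("eliminate duplicates in DST" ));
    add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV" ));

    add( new swapMultiAddressObjectsInSrc(
             " swap MultiAddress -> MultiAddressRunTime in Src"));
    add( new swapMultiAddressObjectsInDst(
             " swap MultiAddress -> MultiAddressRunTime in Dst"));

    add( new accounting("Accounting") );

    add( new splitIfSrcAny("split rule if src is any") );

    // only the action check is table-specific; the chain setters run always
    if (my_table == "mangle")
        add( new checkActionInMangleTable("check allowed actions in mangle table"));

    add( new setChainForMangle("set chain for other rules in mangle"));
    add( new setChainPreroutingForTag("chain PREROUTING for Tag"));

    add( new splitIfDstAny("split rule if dst is any") );

    add( new setChainPostroutingForTag("chain POSTROUTING for Tag"));

    add( new processMultiAddressObjectsInSrc(
             "process MultiAddress objects in Src"));
    add( new processMultiAddressObjectsInDst(
             "process MultiAddress objects in Dst"));

    if (XMLTools::version_compare(version, "1.2.11") < 0)
    {
        /* Use module iprange for iptables v1.2.11 and later.
         * should expand address range before splitIfSrcMatchesFw because some
         * addresses in the range may match firewall
         */
        add( new addressRanges("process address ranges"));
    } else
    {
        add( new specialCaseAddressRangeInSrc(
                 "replace single address range in Src"));
        add( new specialCaseAddressRangeInDst(
                 "replace single address range in Dst"));
        add( new splitIfSrcMatchingAddressRange(
                 "split rule if Src contains matching address range object"));
        add( new splitIfDstMatchingAddressRange(
                 "split rule if Dst contains matching address range object"));
    }

    add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));

    add( new splitIfSrcMatchesFw("split rule if src matches FW"));
    add( new splitIfDstMatchesFw("split rule if dst matches FW"));

    add( new specialCaseWithFW1( "special case with firewall" ) );

    add( new decideOnChainIfDstFW( "decide on chain if Dst has fw" ) );
    add( new splitIfSrcFWNetwork( "split rule if src has a net fw has interface on" ) );

    add( new decideOnChainIfSrcFW( "decide on chain if Src has fw" ) );
    add( new splitIfDstFWNetwork( "split rule if dst has a net fw has interface on" ) );

    add( new specialCaseWithFW2( "replace fw with its interfaces if src==dst==fw" ) );

    /* behavior of processors ExpandMultiple... has been changed in
     * the virtual method expandInterface */
    add( new expandMultipleAddressesIfNotFWinSrc(
             "expand multiple addresses if not FW in Src") );
    add( new expandMultipleAddressesIfNotFWinDst(
             "expand multiple addresses if not FW in Dst") );
    add( new expandLoopbackInterfaceAddress(
             "check for loopback interface in the rule objects") );

    // processors that expand objects with multiple addresses
    // check addresses against current address family using member
    // ipv6. If all addresses do not match, we may end up with
    // empty rule element.
    add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));

    // trying process rules with multiple interfaces as late as possible
    add( new InterfacePolicyRulesWithOptimization(
             "process interface policy rules and store interface ids") );

    add( new checkInterfaceAgainstAddressFamily(
             "check if interface matches address family") );

    /* this is just a patch for those who do not understand how does
     * "assume firewall is part of any" work. It also eliminates
     * redundant and useless rules in the FORWARD chain for rules
     * assigned to a loopback interface.
     */
    add( new decideOnChainIfLoopback("any-any rule on loopback" ) );

    // add( new decideOnChainForClassify("set chain if action is Classify"));

    add( new finalizeChain( "decide on chain" ) );

    /*****************************************************************/
    /* at this point in all rules where firewall is in either src or
     * dst, firewall is a single object in that rule element. Other
     * rule elements may contain multiple objects yet */

    add( new specialCaseWithFWInDstAndOutbound(
             "Drop rules in FORWARD chain with non-empty interface and dir Outbound"));

    add( new decideOnTarget( "decide on target" ) );

    add( new checkForRestoreMarkInOutput(
             "check if we need -A OUTPUT -j CONNMARK --restore-mark"));

    /*
     * removed call to processor removeFW to make changes for bug
     * #685947: "Rules with firewall object allow too much. "
     */
    add( new removeFW("remove fw") );

    add( new ExpandMultipleAddresses("expand multiple addresses" ) );
    add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));

    // rules of the other address family are discarded for this table
    if (ipv6)
        add( new DropIPv4Rules("drop ipv4 rules"));
    else
        add( new DropIPv6Rules("drop ipv6 rules"));

    //add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));

    add( new checkForUnnumbered("check for unnumbered interfaces" ) );

    add( new checkForDynamicInterfacesOfOtherObjects(
             "check for dynamic interfaces of other hosts and firewalls"));

    if ( fwopt->getBool("bridging_fw") )
        add( new bridgingFw("handle bridging firewall cases"));

    add( new specialCaseWithUnnumberedInterface(
             "check for a special cases with unnumbered interface"));

    // add( new groupServicesByProtocol("split on services"));
    // add( new prepareForMultiport("prepare for multiport"));

    add( new optimize1("optimization 1, pass 1"));
    add( new optimize1("optimization 1, pass 2"));
    add( new optimize1("optimization 1, pass 3"));

    add( new groupServicesByProtocol("split on services"));
    add( new separateTCPWithFlags("split on TCP services with flags"));
    add( new verifyCustomServices("verify custom services"));
    add( new specialCasesWithCustomServices(
             "scpecial cases with some custom services"));
    add( new separatePortRanges("separate port ranges"));
    add( new separateUserServices("separate user services"));
    add( new separateSrcPort("split on TCP and UDP with source ports"));

    add( new checkForStatefulICMP6Rules(
             "Make sure rules that match icmpv6 are stateless"));

    add( new optimize2("optimization 2") );

    add( new prepareForMultiport("prepare for multiport") );

    add( new ConvertToAtomicForAddresses(
             "convert to atomic rules by address elements") );

    add( new checkForZeroAddr("check for zero addresses") );
    add( new checkMACinOUTPUTChain("check for MAC in OUTPUT chain") );
    add( new checkUserServiceInWrongChains(
             "Check for UserSErvice ojects in chains other than OUTPUT"));

    add( new ConvertToAtomicForIntervals(
             "convert to atomic rules by interval element") );

    // see #2235. Action Continue should generate iptables command
    // w/o "-j TARGET" parameter
    //
    // add( new SkipActionContinueWithNoLogging(
    //          "drop rules with action Continue") );

    add( new optimize3("optimization 3") );
    add( new optimizeForMinusIOPlus("optimize for '-i +' / '-o +'") );

    add( new checkForObjectsWithErrors(
             "check if we have objects with errors in rule elements"));

    add( new countChainUsage("Count chain usage"));

    add( createPrintRuleProcessor() );
    add( new simplePrintProgress());

    runRuleProcessors();
    deleteRuleProcessors();
}

/*
 * Debug dump of one rule: the label, then one text row per object index
 * across Src/Dst/Srv/Time/Itf in padded columns, followed by position,
 * unique id, chain(s), target and option flags. Suffixes: "!" for a
 * negated element, group size in [], MultiAddress marked (r) run-time or
 * (c) compile-time, interface flags D (dynamic), U (unnumbered),
 * F (failover).
 */
string PolicyCompiler_ipt::debugPrintRule(Rule *r)
{
    PolicyRule *rule=PolicyRule::cast(r);
    FWOptions *ruleopt =rule->getOptionsObject();

    RuleElementSrc *srcrel=rule->getSrc();
    RuleElementDst *dstrel=rule->getDst();
    RuleElementSrv *srvrel=rule->getSrv();
    RuleElementInterval *intrel=rule->getWhen();
    RuleElementItf *itfrel=rule->getItf();

    ostringstream str;

    //    str << setw(70) << setfill('-') << "-";

    int no=0;
    FWObject::iterator i1=srcrel->begin();
    FWObject::iterator i2=dstrel->begin();
    FWObject::iterator i3=srvrel->begin();
    FWObject::iterator i4=intrel->begin();
    FWObject::iterator i5=itfrel->begin();

    // walk all five elements in lock step until the longest is exhausted
    while ( i1!=srcrel->end() || i2!=dstrel->end() || i3!=srvrel->end() ||
            i4!=intrel->end() || i5!=itfrel->end())
    {
        str << endl;

        ostringstream src;
        ostringstream dst;
        string srv=" ";
        string time=" ";
        ostringstream itf;

        if (srcrel->getNeg()) src << "!";
        if (dstrel->getNeg()) dst << "!";
        if (srvrel->getNeg()) srv = "!";
        if (intrel->getNeg()) time = "!";
        if (itfrel->getNeg()) itf << "!";

        if (i1!=srcrel->end())
        {
            FWObject *o = FWReference::getObject(*i1);
            src << o->getName();
            if (Group::cast(o)!=NULL) src << "[" << o->size() << "]";
            if ( MultiAddress::cast(o)!=NULL)
                src << string((MultiAddress::cast(o)->isRunTime()) ?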
"(r)" : "(c)"); } if (i2!=dstrel->end()) { FWObject *o = FWReference::getObject(*i2); dst << o->getName(); if (Group::cast(o)!=NULL) dst << "[" << o->size() << "]"; if ( MultiAddress::cast(o)!=NULL) dst << string((MultiAddress::cast(o)->isRunTime()) ? "(r)" : "(c)"); } if (i3!=srvrel->end()) { FWObject *o = FWReference::getObject(*i3); srv += o->getName(); } if (i4!=intrel->end()) { FWObject *o = FWReference::getObject(*i4); time += o->getName(); } if (i5!=itfrel->end()) { FWObject *o = FWReference::getObject(*i5); Interface *iface = Interface::cast(o); itf << o->getName() << "(" << o->getId() << ")"; if (iface) { if (iface->isDyn()) itf << "D"; if (iface->isUnnumbered()) itf << "U"; if (iface->isFailoverInterface()) itf << "F"; } } int w=0; if (no==0) { str << rule->getLabel(); w = rule->getLabel().length(); } str << setw(15-w) << setfill(' ') << " "; str << setw(18) << setfill(' ') << src.str(); str << setw(18) << setfill(' ') << dst.str(); str << setw(12) << setfill(' ') << srv.c_str(); str << setw(10) << setfill(' ') << time.c_str(); str << setw(8) << setfill(' ') << itf.str(); if (no==0) { str << setw(9) << setfill(' ') << rule->getActionAsString().c_str(); str << setw(9) << setfill(' ') << rule->getDirectionAsString().c_str(); if (rule->getLogging()) str << " LOG"; } else str << setw(18) << setfill(' ') << " "; ++no; if ( i1!=srcrel->end() ) ++i1; if ( i2!=dstrel->end() ) ++i2; if ( i3!=srvrel->end() ) ++i3; if ( i4!=intrel->end() ) ++i4; if ( i5!=itfrel->end() ) ++i5; } str << " pos=" << rule->getPosition(); str << " u=" << rule->getUniqueId(); str << " c=" << printChains(rule); str << " t=" << rule->getStr("ipt_target"); if ( ! 
rule->getStr(".iface").empty()) str << " .iface=" << rule->getStr(".iface"); if (rule->getTagging()) str << " (tag)"; if (rule->getClassification()) str << " (class)"; if (rule->getRouting()) str << " (route)"; if (rule->getAction()==PolicyRule::Reject) str << " " + ruleopt->getStr("action_on_reject"); if (ruleopt!=NULL && ruleopt->getInt("limit_value")>0) str << " limit"; if (ruleopt!=NULL && ruleopt->getInt("connlimit_value")>0) str << " connlimit"; if (ruleopt!=NULL && ruleopt->getInt("hashlimit_value")>0) str << " hashlimit"; if (ruleopt!=NULL && ruleopt->getBool("no_input_chain")) str << " no_input"; if (ruleopt!=NULL && ruleopt->getBool("no_output_chain")) str << " no_output"; //ruleopt->dump(str, false, false); return str.str(); } void PolicyCompiler_ipt::epilog() { if (fwopt->getBool("use_iptables_restore") && getCompiledScriptLength()>0 && ! inSingleRuleCompileMode()) { output << "#" << endl; } } PolicyCompiler_ipt::PrintRule* PolicyCompiler_ipt::createPrintRuleProcessor() { PolicyCompiler_ipt::PrintRule* print_rule = NULL; if (fw->getOptionsObject()->getBool("use_iptables_restore")) { // bug #1812295: we should use PrintRuleIptRstEcho not only // when we have dynamic interfaces, but also when we have // address tables expanded at run time. 
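// Instead of checking
        // for all these conditions, just always use PrintRuleIptRstEcho
        print_rule = new PrintRuleIptRstEcho(
            "generate code for iptables-restore using echo");
    } else
    {
        print_rule = new PrintRule("generate shell script");
    }

    print_rule->setContext(this);
    print_rule->initialize();

    return print_rule;
}

/*
 * In iptables-restore mode, returns the "echo" commands declaring the
 * three filter chains with default policy DROP, i.e. fail-closed: any
 * packet not matched by a generated rule is dropped. Returns an empty
 * string in single-rule compile mode or when iptables-restore is not
 * used (the default policy is then presumably set elsewhere).
 */
string PolicyCompiler_ipt::flushAndSetDefaultPolicy()
{
    string res = "";
    if (!inSingleRuleCompileMode() && fwopt->getBool("use_iptables_restore"))
    {
        res += "echo :INPUT DROP [0:0]\n";
        res += "echo :FORWARD DROP [0:0]\n";
        res += "echo :OUTPUT DROP [0:0]\n";
    }
    return res;
}

/*
 * Rules generated ahead of the user's policy: the TCP MSS clamp rule
 * (only for iptables older than 1.3.0, where TCPMSS was accepted in the
 * filter table) and the optional global rules driven by firewall
 * options. Empty in single-rule compile mode.
 */
std::string PolicyCompiler_ipt::printAutomaticRules()
{
    string res="";
    if (!inSingleRuleCompileMode())
    {
        PolicyCompiler_ipt::PrintRule* print_rule = createPrintRuleProcessor();

        // iptables accepted TCPMSS target in filter table, FORWARD chain
        // in the older versions, but requires it to be in mangle filter
        // starting somewhere 1.3.x
        string version = fw->getStr("version");
        if (XMLTools::version_compare(version, "1.3.0")<0)
            res += print_rule->_clampTcpToMssRule();

        res += print_rule->_printOptionalGlobalRules();
        delete print_rule;
    }
    return res;
}

/*
 * Commit text for the selected output mode. The temporary print
 * processor is released here; the original returned straight from the
 * call and leaked it (printAutomaticRules() deletes its own instance).
 */
string PolicyCompiler_ipt::commit()
{
    PolicyCompiler_ipt::PrintRule* print_rule = createPrintRuleProcessor();
    string res = print_rule->_commit();
    delete print_rule;
    return res;
}

/*
 * True when the iptables version is newer than 1.2.6. An empty version
 * string and the legacy marker "ge_1.2.6" are both treated as "new".
 */
bool PolicyCompiler_ipt::newIptables(const string &version)
{
    return (version.empty() ||
            version=="ge_1.2.6" ||
            XMLTools::version_compare(version, "1.2.6")>0);
}

/*
 * Names of all chains recorded by countChainUsage (keys of
 * chain_usage_counter), including those whose count ended up 0.
 */
list<string> PolicyCompiler_ipt::getUsedChains()
{
    list<string> res;
    for (map<string, int>::iterator it=chain_usage_counter.begin();
         it!=chain_usage_counter.end(); ++it)
        res.push_back(it->first);
    return res;
}

/*
 * see #1417 Two policy rules with different module limit settings but
 * otherwise identical should not shadow each other.
 *
 * For all limit modules:
 * rule with rate "-1" (i.e. no rate limiting at all) shadows rule with
 * rate > 0
 * OR
 * rule with greater rate shadows rule with lower rate
 *
 * From man iptables: "A rule using this extension will match until
 * this limit is reached "
 *
 * consider for example two rules: rule 1 that matches 50 pkts/sec and
 * rule 2 that matches 30 pkts/sec
 *
 * rule 1 matches rates between 0 and 49 and rule 2 rates between 0
 * and 29. This means rule 2 will never match any rate and rule with
 * greater limit value shadows the one with lower limit value
 *
 * we should return true if candidate_rule_2 shadows candidate_rule_1
 *
 * Implementation: for each of the limit, connlimit and hashlimit
 * modules, a rate of -1 is treated as INT_MAX (unlimited); r2 cannot
 * shadow r1 when r1's rate is greater, or when the module's other
 * options (negation, suffix, mode, name) differ. When no rule uses a
 * module the function has nothing to object to and returns true.
 */
bool PolicyCompiler_ipt::checkForShadowingPlatformSpecific(PolicyRule *candidate_r1,
                                                           PolicyRule *candidate_r2)
{
    FWOptions *opt_1 = candidate_r1->getOptionsObject();
    FWOptions *opt_2 = candidate_r2->getOptionsObject();

    if (opt_1->getInt("limit_value")>0 || opt_2->getInt("limit_value")>0)
    {
        int rate_1 = opt_1->getInt("limit_value");
        if (rate_1 == -1) rate_1 = INT_MAX;
        int rate_2 = opt_2->getInt("limit_value");
        if (rate_2 == -1) rate_2 = INT_MAX;
        if (rate_1 > rate_2) return false;
        if (opt_1->getStr("limit_value_not") != opt_2->getStr("limit_value_not"))
            return false;
        if (opt_1->getStr("limit_suffix") != opt_2->getStr("limit_suffix"))
            return false;
    }

    if (opt_1->getInt("connlimit_value")>0 || opt_2->getInt("connlimit_value")>0)
    {
        int rate_1 = opt_1->getInt("connlimit_value");
        if (rate_1 == -1) rate_1 = INT_MAX;
        int rate_2 = opt_2->getInt("connlimit_value");
        if (rate_2 == -1) rate_2 = INT_MAX;
        if (rate_1 > rate_2) return false;
        if (opt_1->getStr("connlimit_value_not") != opt_2->getStr("connlimit_value_not"))
            return false;
        if (opt_1->getStr("connlimit_suffix") != opt_2->getStr("connlimit_suffix"))
            return false;
    }

    if (opt_1->getInt("hashlimit_value")>0 || opt_2->getInt("hashlimit_value")>0)
    {
        int rate_1 = opt_1->getInt("hashlimit_value");
        if (rate_1 == -1) rate_1 = INT_MAX;
        int rate_2 = opt_2->getInt("hashlimit_value");
        if (rate_2 == -1) rate_2 = INT_MAX;
        if (rate_1 > rate_2) return false;
        if (opt_1->getStr("hashlimit_suffix") != opt_2->getStr("hashlimit_suffix"))
            return false;
        if (opt_1->getStr("hashlimit_mode") != opt_2->getStr("hashlimit_mode"))
            return false;
        if (opt_1->getStr("hashlimit_name") != opt_2->getStr("hashlimit_name"))
            return false;
    }

    return true;
}
fwbuilder-5.3.7/src/iptlib/PolicyCompiler_ipt.h000066400000000000000000001267521303637203600215600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 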
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICYCOMPILER_IPT_HH__ #define __POLICYCOMPILER_IPT_HH__ #include #include "fwcompiler/PolicyCompiler.h" #include "fwbuilder/RuleElement.h" #include "config.h" #include "Configlet.h" #include #include namespace libfwbuilder { class Interface; class IPService; class ICMPService; class TCPService; class UDPService; class RuleElementSrc; class RuleElementDst; class RuleElementSrv; }; #define ANY_IP_OBJ_ID "__any_ip_obj__" #define ANY_ICMP_OBJ_ID "__any_icmp_obj__" #define ANY_TCP_OBJ_ID "__any_tcp_obj__" #define ANY_UDP_OBJ_ID "__any_udp_obj__" #define TCP_SYN_OBJ_ID "__tcp_syn_obj__" #define BCAST_255_OBJ_ID "__bcast_255_obj__" namespace fwcompiler { class PolicyCompiler_ipt : public PolicyCompiler { public: class PrintRule; protected: bool have_dynamic_interfaces; bool have_connmark; bool have_connmark_in_output; bool using_ipset; bool actually_used_module_set; std::string my_table; std::map tmp_chain_no; std::map rule_chain_no; std::map chain_usage_counter; std::map ipset_tables; typedef std::list chain_list; std::map chains; // number of bridge interfaces (br0 / br1 / etc) int bridge_count; // use minus_n_commands map to track creation of chains. 
// Using external map object for this to be able to track // new chains across different compiler runs (used to process // rules in different policy or nat objects) std::map *minus_n_commands; QMap regular_interfaces; static const std::list& getStandardChains(); void registerChain(const std::string &chain_name); void insertUpstreamChain(const std::string &chain_name, const std::string &before_chain); std::string findUpstreamChain(const std::string &chain_name); void setChain(libfwbuilder::PolicyRule *rule, const std::string &chain_name); std::string printChains(libfwbuilder::PolicyRule *rule); bool isChainDescendantOfOutput(const std::string &chain_name); bool isChainDescendantOfInput(const std::string &chain_name); std::string getInterfaceVarName(libfwbuilder::FWObject *iface, bool v6=false); std::string getAddressTableVarName(libfwbuilder::FWObject *iface); bool newIptables(const std::string &version); /** * internal: scans child objects of interface iface, both IPv4 * and physAddress, and puts them in the list ol. Since iptables * supports matching on MAC addresses, we create objects of * the class combinedAddress here from each pair of physAddress * and IPV4 */ virtual void _expand_interface(libfwbuilder::Rule *rule, libfwbuilder::Interface *iface, std::list &ol, bool expand_cluster_interfaces_fully); /** * virtual method to let policy compiler check rules using * options specific for the given fw platform. Base class * PolicyCompiler has no visibility into platform-specific * options and can not do this. */ virtual bool checkForShadowingPlatformSpecific(libfwbuilder::PolicyRule *r1, libfwbuilder::PolicyRule *r2); /** * prints rule in some universal format (close to that visible * to user in the GUI). Used for debugging purposes. 
This method * calls PolicyCompiler::_internalPrintPolicyRule and then adds * chain and target at the end of the printed line */ virtual std::string debugPrintRule(libfwbuilder::Rule *rule); /** * trivial rule processor - just prints contents of src, dst, srv */ class printRuleElements : public PolicyRuleProcessor { std::string printRE(libfwbuilder::RuleElement *re); public: printRuleElements(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; friend class printRuleElements; /** * this processor drops all rules that require mangle table */ DECLARE_POLICY_RULE_PROCESSOR(dropMangleTableRules); /** * this processor checks actions in mangle table. For example, * REJECT is not allowed. */ DECLARE_POLICY_RULE_PROCESSOR(checkActionInMangleTable); /** * Rule with options "Tag", "Classify" and "Route" may need to * placed in the same chain (PREROUTING or POSTROUTING since * ROUTE can go into both), but we can't process it if it also * has action Accept (or any other action that is not * "Continue"). This is because we have to split the rule * before the chain is determined and so we end up with two * user defined chains, one for CLASSIFY or MARK and another * for ROUTE, each of them ending with ACCEPT. This means one * of the chains accepts the packet and the other never sees * it. We may eventually optimize this and find a way to * generate code for rules like this in one chain, but since * this is rarely used case, we'll abort for now. */ DECLARE_POLICY_RULE_PROCESSOR(checkForUnsupportedCombinationsInMangle); /** * See #2401 Option "Route" (used to be action "Route") is * deprecated. Iptables target ROUTE is not included in major * distributions (Debian, Ubuntu, Fedora, CentOS). 
*/ DECLARE_POLICY_RULE_PROCESSOR(deprecateOptionRoute); /** * adds few predefined (or "builtin") rules on top of the policy */ class addPredefinedRules : public PolicyRuleProcessor { bool add_once; public: addPredefinedRules(const std::string &name) : PolicyRuleProcessor(name) { add_once=true; } virtual bool processNext(); }; friend class addPredefinedRules; /** * need to duplicate original action of this rule. We use this * information later to decide whether we need to use "-m * state --state new". Also this rule processor stores a copy * of flags getRouting(), getTagging() and getClassification() * which we use in setChainPreroutingForTag() and * setChainPostroutingForTag() to place rules that do tagging in * chain PREROUTING and similar purposes. */ DECLARE_POLICY_RULE_PROCESSOR(storeAction); /** * set target and chain in case of branching */ class Branching : public PolicyRuleProcessor { public: Branching(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); void expandBranch(libfwbuilder::PolicyRule *rule, const std::string &parentRuleNum ); }; friend class Branching; /** * set target and chain in case of route rules * Deprecated beginning with 4.3.0. To be removed in future versions. */ DECLARE_POLICY_RULE_PROCESSOR(Route); /** * turns logging on if global logging override is used */ DECLARE_POLICY_RULE_PROCESSOR(Logging1); /** * splits rule if logging is required and either src or dst is * not any */ DECLARE_POLICY_RULE_PROCESSOR(Logging2); /** * splits rule if it has more than option Tag, Classify or Route */ DECLARE_POLICY_RULE_PROCESSOR(splitIfTagClassifyOrRoute); /** * clears options Tag and Classify in filter table */ DECLARE_POLICY_RULE_PROCESSOR(clearTagClassifyInFilter); /** * turns off logging in rules with options Tag, Classify or * Route in table mangle */ DECLARE_POLICY_RULE_PROCESSOR(clearLogInMangle); /** * switches action to Continue in rules with options Tag, * Classify in mangle table. 
We deal with other actions in * table filter. */ DECLARE_POLICY_RULE_PROCESSOR(clearActionInTagClassifyIfMangle); /** * this processor checks if the rule is associated with an * interface and uses setInterfaceId to record its id. If the * rule is associated with multiple interfaces, this processor * splits the rule accordingly. Unlike basic processor * PolicyCompiler::InterfacePolicyrules, this processor tries * to optimize rules applied to multiple interfaces using * user-defined chains */ DECLARE_POLICY_RULE_PROCESSOR(InterfacePolicyRulesWithOptimization); /** * if option "firewall is part of any" is OFF, replace all * "Any" with "!fw" before checking for rule shadowing (if fw is * not * part of "any", then "any" does not shadow the * firewall) */ DECLARE_POLICY_RULE_PROCESSOR(convertAnyToNotFWForShadowing); /** * processes rules with negation in Src if it holds only one * object. Similar to PolicyCompiler::singleObjectNegationSrc * but takes into account AddressTable objects if we compile * with support for ipset module */ class SingleRENegation : public PolicyRuleProcessor { std::string type_name; void processSingleObjectNegationInRE(libfwbuilder::FWObject *obj, libfwbuilder::RuleElement *re); public: SingleRENegation(const std::string &name, const std::string &tn) : PolicyRuleProcessor(name) { type_name = tn; } virtual bool processNext(); }; class SingleSrcNegation : public SingleRENegation { public: SingleSrcNegation(const std::string &name) : SingleRENegation(name, libfwbuilder::RuleElementSrc::TYPENAME) {} }; class SingleDstNegation : public SingleRENegation { public: SingleDstNegation(const std::string &name) : SingleRENegation(name, libfwbuilder::RuleElementDst::TYPENAME) {} }; class SingleSrvNegation : public SingleRENegation { public: SingleSrvNegation(const std::string &name) : SingleRENegation(name, libfwbuilder::RuleElementSrv::TYPENAME) {} }; /** * processes rules with negation in Src * * Argument dm defines mode of operation for this rule 
processor: * if it is false, processor compiles the rule * if it is true, it works in the mode of shadowing detection * * difference is that in shadowing detection mode it does not * replace objects in dst,srv and time with any so that we can * properly check shadowing later. Regular rule processor that * deals with negation in SRC replaces objects in rule * elements DST, SRV and Time with any which causes problems * because these rule elements then match those in other * rules, but they really should not match them because * originally they had specific object so only some packets * would match these rules. */ class SrcNegation : public PolicyRuleProcessor { bool shadowing_mode; public: SrcNegation(bool dm, const std::string &name) : PolicyRuleProcessor(name) { shadowing_mode = dm; } virtual bool processNext(); }; /** * processes rules with negation in Dst */ class DstNegation : public PolicyRuleProcessor { bool shadowing_mode; public: DstNegation(bool dm, const std::string &name) : PolicyRuleProcessor(name) { shadowing_mode = dm; } virtual bool processNext(); }; /** * processes rules with negation in Srv */ class SrvNegation : public PolicyRuleProcessor { bool shadowing_mode; public: SrvNegation(bool dm, const std::string &name) : PolicyRuleProcessor(name) { shadowing_mode = dm; } virtual bool processNext(); }; /** * processes rules with negation in Interval */ class TimeNegation : public PolicyRuleProcessor { bool shadowing_mode; public: TimeNegation(bool dm, const std::string &name) : PolicyRuleProcessor(name) { shadowing_mode = dm; } virtual bool processNext(); }; /** * verifies combination of interface and * direction and * fills interface and direction. After this * predicate it * is guaranteed that both interface and * direction have * some value. In certain situations interface * ID may be * set to "nil" though (e.g. global policy rules). 
*/ DECLARE_POLICY_RULE_PROCESSOR(InterfaceAndDirection); /** * splits rule onto two if interface is defined and direction is Both */ DECLARE_POLICY_RULE_PROCESSOR(splitIfIfaceAndDirectionBoth); /** * If this is bridging firewall, broadcasts and multicasts go * to FORWARD chain unconditionally. There may be other * special conditions to be added later. */ class bridgingFw : public PolicyRuleProcessor { bool checkForMatchingBroadcastAndMulticast(libfwbuilder::Address *addr); public: bridgingFw(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; /** * set chain if Tag rule should go into PREROUTING * DECLARE_POLICY_RULE_PROCESSOR(setChainIfTagInPrerouting); */ /** * set chain if Tag rule should go into PREROUTING */ DECLARE_POLICY_RULE_PROCESSOR(setChainPreroutingForTag); /** * set chain if Tag rule should go into POSTROUTING */ DECLARE_POLICY_RULE_PROCESSOR(setChainPostroutingForTag); /** * set chain for mangle table */ DECLARE_POLICY_RULE_PROCESSOR(setChainForMangle); /** * check if we need to do CONNMARK --restore-mark in OUTPUT chain */ DECLARE_POLICY_RULE_PROCESSOR(checkForRestoreMarkInOutput); /** * split rule if action is Tag and connmark option is activated */ DECLARE_POLICY_RULE_PROCESSOR(splitIfTagAndConnmark); /** * split rule if Src==any * * This is special case since we assume that "any" includes * also a firewall object. Packets headed to or from the * firewall must be inspected by INPUT or OUTPUT chain, while * packets crossing the firewall are inspected by FORWARD * chain. If we assume that "any" also includes firewall * itself, then we need to generate code for both FORWARD and * INPUT/OUTPUT chains from the same rule. This processor * splits the rule onto two and sets chain and direction in * the second copy appropriately. It preserves original src * and dst in both copies, it only changes chain and direction * in the second copy. */ DECLARE_POLICY_RULE_PROCESSOR(splitIfSrcAny); /** * split rule if Dst==any. 
See comment in splitIfSrcAny */ DECLARE_POLICY_RULE_PROCESSOR(splitIfDstAny); /** * Split rule if src has addressRange object that matches the * firewall */ DECLARE_POLICY_RULE_PROCESSOR(splitIfSrcMatchingAddressRange); /** * Split rule if dst has addressRange object that matches the * firewall */ DECLARE_POLICY_RULE_PROCESSOR(splitIfDstMatchingAddressRange); /** * If rule element RE has an AddressRange object that * represents single address, replace it with corresponding * IPv4 object */ class specialCaseAddressRangeInRE : public PolicyRuleProcessor { std::string re_type; public: specialCaseAddressRangeInRE(const std::string &name, const std::string &t) : PolicyRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; class specialCaseAddressRangeInSrc : public specialCaseAddressRangeInRE { public: specialCaseAddressRangeInSrc(const std::string &n) : specialCaseAddressRangeInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; class specialCaseAddressRangeInDst : public specialCaseAddressRangeInRE { public: specialCaseAddressRangeInDst(const std::string &n) : specialCaseAddressRangeInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * split rule if Src==any * * This works just like splitIfSrcAny, except is used in the * part of compiler that detects rule shadowing. While * compiling rules, we split the rule and set chains * appropriately (one rule gets into chain OUTPUT) but leave * SRC 'any' to avoid generating lots of address matches since * setting chain to OUTPUT is sufficient. We can not do this * while detecting shadowing and need to explicitly put the * firewall object in the first of the two rules we produce. */ DECLARE_POLICY_RULE_PROCESSOR(splitIfSrcAnyForShadowing); /** * split rule if Dst==any for shadowing detection. 
See comment * in splitIfSrcAnyForShadowing */ DECLARE_POLICY_RULE_PROCESSOR(splitIfDstAnyForShadowing); /** * split rule if Src==network the firewall is connected to * * This is special case since we assume that network object * that firewall has interface on includes also a firewall * object. See comment in splitIfSrcAny for further explanation. * * Unlike in splitIfSrcAny, we can not assume rule element * holds a single object (since in splitIfSrcAny we are * looking for "any", we could rely on rule element containing * single object because "any" can only be there alone). * * This processor splits the rule onto two and sets chain and * direction in the second copy appropriately. It preserves * original src and dst in both copies, it only changes chain * and direction in the second copy. */ DECLARE_POLICY_RULE_PROCESSOR(splitIfSrcFWNetwork); /** * split rule if Dst==network the firewall is connected to. * See comment in splitIfSrcAny */ DECLARE_POLICY_RULE_PROCESSOR(splitIfDstFWNetwork); /** * this is a special case of splitIfSrcAny. It splits the rule * but only if SRC has negation turned on, contains two or more * objects and one of these objects is firewall. * * This processor should be called immediately before * processing negation. I tried to modify splitIfSrcAny to * split if there is negation and use it, but that lead to too * much overhead in the generated code for rules with negation * but no firewall in the rule element. */ DECLARE_POLICY_RULE_PROCESSOR(splitIfSrcNegAndFw); /** * similar to splitIfSrcNegAndFw */ DECLARE_POLICY_RULE_PROCESSOR(splitIfDstNegAndFw); /** * checks for illegal combination of src, dst and direction */ DECLARE_POLICY_RULE_PROCESSOR(checkSrcAndDst1); /** * checks for illegal combination of src, dst and direction */ DECLARE_POLICY_RULE_PROCESSOR(checkSrcAndDst2); /** * Split rule if MultiAddress object is used in RE to make * sure it is single object. 
*/ class processMultiAddressObjectsInRE : public PolicyRuleProcessor { std::string re_type; public: processMultiAddressObjectsInRE(const std::string &name, const std::string &t) : PolicyRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; class processMultiAddressObjectsInSrc : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInSrc(const std::string &n) : processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; class processMultiAddressObjectsInDst : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInDst(const std::string &n) : processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * splits rule if firewall is in src and dst */ DECLARE_POLICY_RULE_PROCESSOR(specialCaseWithFW1); /** * splits rule if firewall is in dst, interface is not empty, * direction is Outbound and chain is not OUTPUT (it makes * sense to check packets in OUTPUT chain with destination * address that belogns to the firewall, but it does not make * sense to do it in FORWARD chain) */ DECLARE_POLICY_RULE_PROCESSOR(specialCaseWithFWInDstAndOutbound); /** * expands src and dst if both contain fw object. Unlike * standard processor ExpandMultipleAddresses, this one * uses loopback interface as well. */ DECLARE_POLICY_RULE_PROCESSOR(specialCaseWithFW2); /** * checks for the following situations: * * 1. unnumbered interface is in source and direction is inbound * (drop interface from src since source address is * undertermined) * * 2. unnumbered interface is in source, direction is outbound * and temporary chain (drop interface from the list, this * rule has been created while processing negation. TODO: this * is kludge, need to create separate temporary chain while * doing negation in src if one of the objects is firewall) * * 3. unnumbered interface is in destination and direction is * outbound (drop interface since dest. 
address is undefined) * */ friend class specialCaseWithUnnumberedInterface; class specialCaseWithUnnumberedInterface : public PolicyRuleProcessor { bool dropUnnumberedInterface(libfwbuilder::RuleElement *re); public: specialCaseWithUnnumberedInterface(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; friend class checkForDynamicInterfacesOfOtherObjects; class checkForDynamicInterfacesOfOtherObjects : public PolicyRuleProcessor { bool findDynamicInterfaces(libfwbuilder::RuleElement *re, libfwbuilder::Rule *rule); public: checkForDynamicInterfacesOfOtherObjects(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; /** * expand object with multiple addresses but only if it is NOT * the firewall we are working with. This processor is called * right before decideOnChain but after groups have been * expanded and splitIfSrcMatchesFw and splitIfDstMatchesFw * have been called. Latter two make sure that firewall, if it * is part of Src or Dst, will be a single object there when * this processor is called. * * 1. We need to expand objects with multiple addresses (such * as interfaces with many addresses) so that decideOnChain * would properly match when it calls * complexMatch. complexMatch does not match if its first * argument is an object with multiple addresses. * * 2. At the same time we need to keep firewall as a whole, so * that we can drop it later in removeFW, but only after * decideOnChain has determined that chain is INPUT or OUTPUT. 
*/ DECLARE_POLICY_RULE_PROCESSOR(expandMultipleAddressesIfNotFWinSrc); DECLARE_POLICY_RULE_PROCESSOR(expandMultipleAddressesIfNotFWinDst); /** * Compiler::_expandAddr skips loopback interface, so we need * to explicitly process the case when user puts loopback * interface object in the rule */ friend class expandLoopbackInterfaceAddress; class expandLoopbackInterfaceAddress : public PolicyRuleProcessor { void replaceLoopbackWithItsAddress(libfwbuilder::RuleElement *re, libfwbuilder::Rule *rule); public: expandLoopbackInterfaceAddress(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; /** * decides what chain this rule should go to if Src contains * firewall object. This is a simple case and we need to set * chain before we try to split the rule if it contains * network the firewall has interface on (splitIfSrcFWNetwork * / splitIfDstFWNetwork). */ DECLARE_POLICY_RULE_PROCESSOR(decideOnChainIfSrcFW); /** * Similar to the above, except it decides what chain this * rule should go to if Dst contains firewall object. */ DECLARE_POLICY_RULE_PROCESSOR(decideOnChainIfDstFW); /** * This processor takes care of a special case where a rule * with 'any' in both src and dst is used on a loopback * interface and option 'assume firewall is part of any' is * OFF. Processor splitIfIfaceAndDirectionBoth splits * interface rule if its direction is "Both". This means that * by the time this processor is called, the original rule * "any any any accept both" on the loopback interface has * already been converted to two rules : * * any any any accept inbound * any any any accept outbound * * We do not have to split rule here, but rather just assign it to * INPUT/OUTPUT chains. * * This is mostly a patch for those who do not understand how * does "assume firewall is part of any" work. It also * eliminates useless code in the FORWARD chain that appear in * the rules on a loopback interface if the option "assume * firewall is part of any" is ON. 
*/ DECLARE_POLICY_RULE_PROCESSOR(decideOnChainIfLoopback); /** * define chain for rules with action Classify */ DECLARE_POLICY_RULE_PROCESSOR(decideOnChainForClassify); /** * drop rules with terminating targets. Used as part of the * shadowing detection for non-terminating rules in the mangle * table. */ DECLARE_POLICY_RULE_PROCESSOR(dropTerminatingTargets); /** * decides what chain this rule should go to if it has not * been decided in decideOnChainIfFW */ DECLARE_POLICY_RULE_PROCESSOR(finalizeChain); /** * decides on "jump to" chain */ DECLARE_POLICY_RULE_PROCESSOR(decideOnTarget); /** * If chain has been determined to be INPUT or OUTPUT, we can * remove firewall object from dst or src (resp.) NB: we can * remove only reference to the whole firewall. We DO NOT * remove reference to its interface or (in the future) * address objects under interfaces. We do this only if we do * not add any virtual addresses for NAT and if original rule * did not have negation. */ DECLARE_POLICY_RULE_PROCESSOR(removeFW); /** * if rule option action_on_reject is empty, initialize it * with global setting of this option. 
*/ DECLARE_POLICY_RULE_PROCESSOR(fillActionOnReject); /** * iptables does not permit using "--m mac --mac-source" in * the OUTPUT chain */ DECLARE_POLICY_RULE_PROCESSOR(checkMACinOUTPUTChain); /** * iptables permits using "--m owner --uid-owner" only in * the OUTPUT chain */ DECLARE_POLICY_RULE_PROCESSOR(checkUserServiceInWrongChains); /** * split a rule if action Reject is used in a rule with * Service 'any' and rule options do not specify what should * we use for Reject */ class splitRuleIfSrvAnyActionReject :public PolicyRuleProcessor { std::map seen_rules; public: splitRuleIfSrvAnyActionReject(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; friend class PolicyCompiler_ipt::splitRuleIfSrvAnyActionReject; /** * separate TCP/UDP services that specify source port (can * not be used in combination with destination port with * multiport) * * Call this processor after groups have been expanded in Srv */ class splitServicesIfRejectWithTCPReset :public PolicyRuleProcessor { std::map seen_rules; public: splitServicesIfRejectWithTCPReset(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; friend class PolicyCompiler_ipt::splitServicesIfRejectWithTCPReset; /** * Rules that match icmpv6 should not be stateful. See SF bug 3094273 * Will reset "stateful" flag and issue warning. 
* Call this processor after groups have been expanded in Srv */ class checkForStatefulICMP6Rules :public PolicyRuleProcessor { public: checkForStatefulICMP6Rules(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; friend class PolicyCompiler_ipt::checkForStatefulICMP6Rules; /** * deals with special cases with some known custom services */ DECLARE_POLICY_RULE_PROCESSOR(specialCasesWithCustomServices); /** * optimize rules in case we deal with one or few objects in * one rule element and lots of objects in the other two */ class optimize1 : public PolicyRuleProcessor { void optimizeForRuleElement(libfwbuilder::PolicyRule *rule, const std::string &re_type); public: optimize1(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; friend class PolicyCompiler_ipt::optimize1; /** * simple optimization: if the rule is "final" and its action * does not need protocol specification (it is _not_ -j REJECT * --reject-with tcp-reset), then make sure service is * "any". The "final" is such rule that defines the actual * built-in chain ACCEPT/DROP/REJECT and * should not be * further split or processed in any way; such rule for * example is created in Logging and negations) */ DECLARE_POLICY_RULE_PROCESSOR(optimize2); friend class PolicyCompiler_ipt::optimize2; /** * remove duplicate rules */ class optimize3 : public PolicyRuleProcessor { std::map rules_seen_so_far; PolicyCompiler_ipt::PrintRule *printRule; public: optimize3(const std::string &name) : PolicyRuleProcessor(name) { printRule = NULL; } virtual ~optimize3() { if (printRule) delete printRule; } virtual bool processNext(); }; friend class PolicyCompiler_ipt::optimize3; /** * Optimize rules by dropping "-i +" or "-o +" if chain is * INPUT or OUTPUT respectively. 
*/ DECLARE_POLICY_RULE_PROCESSOR(optimizeForMinusIOPlus); /** * split rules so multiport module can be used */ DECLARE_POLICY_RULE_PROCESSOR(prepareForMultiport); /** * eliminates duplicate objects in SRC. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInSRC : public eliminateDuplicatesInRE { public: eliminateDuplicatesInSRC(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; /** * eliminates duplicate objects in DST. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInDST : public eliminateDuplicatesInRE { public: eliminateDuplicatesInDST(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * eliminates duplicate objects in SRV. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInSRV : public eliminateDuplicatesInRE { public: eliminateDuplicatesInSRV(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementSrv::TYPENAME) {} }; /** * process action 'Accounting' */ DECLARE_POLICY_RULE_PROCESSOR(accounting); /* * Check if interface uses in the element "interface" has address * that matches address family of the rule set. If interface does * not have ipv6 address but rule set is ipv6, this interface will * never see ipv6 packets and rule should be dropped. */ DECLARE_POLICY_RULE_PROCESSOR(checkInterfaceAgainstAddressFamily); /** * if action is Continue and logging is off, skip this rule. * We only use action Continue to log some packets without making * policy decision */ DECLARE_POLICY_RULE_PROCESSOR(SkipActionContinueWithNoLogging); /** * count how many times each user-defined chain we've created is * used. We should be able to drop unused chains. 
*/ DECLARE_POLICY_RULE_PROCESSOR(countChainUsage); virtual std::string myPlatformName(); /** * TODO: move these two to class fwcompiler::PolicyCompiler, * then create enum for all possible actions on reject in that * class and use it instead of string. */ std::string getActionOnReject(libfwbuilder::PolicyRule *rule); bool isActionOnRejectTCPRST(libfwbuilder::PolicyRule *rule); void resetActionOnReject(libfwbuilder::PolicyRule *rule); public: PolicyCompiler_ipt(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf, std::map *m_n_commands_map ) : PolicyCompiler(_db, fw, ipv6_policy, _oscnf) { have_dynamic_interfaces = false; have_connmark = false; have_connmark_in_output = false; my_table = "filter"; minus_n_commands = m_n_commands_map; bridge_count = 0; } virtual ~PolicyCompiler_ipt(); /** * Add some predefined rules controlled by checkboxes in * firewall settings dialog */ virtual void addPredefinedPolicyRules(); virtual void verifyPlatform(); virtual int prolog(); virtual void compile(); virtual void epilog(); /** * addRuleFilter() is a hook where we can add a rule processor to filter * some of the rules out before we begin actual processing */ virtual void addRuleFilter(); /** * this method registers chain used for the ruleset (most * often branch rule set). Since rules in the same ruleset do * not use this chain as target, rule processor * countChainUsage considers it unused. Registering it makes * sure its usage counter is > 0. 
*/ void registerRuleSetChain(const std::string &chain_name); void setHaveDynamicInterfaces(bool f) { have_dynamic_interfaces=f; } virtual std::string flushAndSetDefaultPolicy(); virtual std::string printAutomaticRules(); std::string commit(); std::string getNewTmpChainName(libfwbuilder::PolicyRule *rule); std::string getNewChainName(libfwbuilder::PolicyRule *rule,libfwbuilder::Interface *rule_iface); bool haveConnMarkRules() { return have_connmark; } bool haveConnMarkRulesInOutput() { return have_connmark_in_output; } std::list getUsedChains(); PolicyCompiler_ipt::PrintRule* createPrintRuleProcessor(); /** * prints single policy rule, assuming all groups have been * expanded, so source, destination and service hold exactly * one object each, and this object is not a group. Negation * should also have been taken care of before this method is * called. * * This processor is not necessarily the last in the * conveyor, so it should push rules back to tmp_queue (for * example there could be progress indicator processor after * this one) */ class PrintRule : public PolicyRuleProcessor { protected: bool init; bool print_once_on_top; bool minus_n_tracker_initialized; bool have_m_iprange; std::string current_rule_label; std::string version; void initializeMinusNTracker(); /* * Prints single --option with argument and negation "!" * taking into account the change that happened in iptables 1.4.3.1 * that causes warning * Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`). 
*/ virtual std::string _printSingleOptionWithNegation( const std::string &option, libfwbuilder::RuleElement *rel, const std::string &arg); virtual std::string _createChain(const std::string &chain); virtual std::string _printRuleLabel(libfwbuilder::PolicyRule *r); virtual std::string _printSrcService( libfwbuilder::RuleElementSrv *o); virtual std::string _printDstService( libfwbuilder::RuleElementSrv *o); virtual std::string _printProtocol(libfwbuilder::Service *srv); virtual std::string _printPorts(int rs,int re); virtual std::string _printSrcPorts(libfwbuilder::Service *srv); virtual std::string _printDstPorts(libfwbuilder::Service *srv); virtual std::string _printICMP(libfwbuilder::ICMPService *srv); virtual std::string _printIP(libfwbuilder::IPService *srv, libfwbuilder::PolicyRule *rule); virtual std::string _printTCPFlags(libfwbuilder::TCPService *srv); virtual std::string _printSrcAddr(libfwbuilder::RuleElement *rel, libfwbuilder::Address *o); virtual std::string _printDstAddr(libfwbuilder::RuleElement *rel, libfwbuilder::Address *o); virtual std::string _printAddr(libfwbuilder::Address *o); virtual std::string _printIpSetMatch( libfwbuilder::Address *o, libfwbuilder::RuleElement *rel); virtual std::string _printSingleObjectNegation( libfwbuilder::RuleElement *rel); virtual std::string _printChain(libfwbuilder::PolicyRule *r); virtual std::string _printTarget(libfwbuilder::PolicyRule *r); virtual std::string _printModules(libfwbuilder::PolicyRule *r); virtual std::string _printDirectionAndInterface( libfwbuilder::PolicyRule *r); virtual std::string _printMultiport(libfwbuilder::PolicyRule *r); virtual std::string _printTimeInterval(libfwbuilder::PolicyRule *r); virtual std::string _printLogParameters( libfwbuilder::PolicyRule *r); virtual std::string _printLogPrefix(const std::string &rule_n, const std::string &action, const std::string &interf, const std::string &chain, const std::string &ruleset, const std::string &rule_label, const std::string &prefix); 
virtual std::string _printLogPrefix(libfwbuilder::PolicyRule *r, const std::string &prefix); virtual std::string _printActionOnReject( libfwbuilder::PolicyRule *r); virtual std::string _printLimit(libfwbuilder::PolicyRule *r); public: PrintRule(const std::string &name); void initialize(); virtual std::string _printGlobalLogParameters(); virtual std::string _printOptionalGlobalRules(); virtual std::string _declareTable(); virtual std::string _clampTcpToMssRule(); virtual std::string _commit(); virtual std::string _quote(const std::string &s); virtual std::string _startRuleLine(); virtual std::string _endRuleLine(); virtual void _printBackupSSHAccessRules(Configlet *c); virtual bool processNext(); std::string PolicyRuleToString(libfwbuilder::PolicyRule *r); }; friend class PolicyCompiler_ipt::PrintRule; class PrintRuleIptRst : public PrintRule { virtual std::string _createChain(const std::string &chain); virtual std::string _startRuleLine(); virtual std::string _endRuleLine(); virtual std::string _printRuleLabel(libfwbuilder::PolicyRule *r); public: PrintRuleIptRst(const std::string &name) : PrintRule(name) {}; virtual std::string _declareTable(); virtual std::string _commit(); virtual std::string _quote(const std::string &s); virtual bool processNext(); }; friend class PolicyCompiler_ipt::PrintRuleIptRst; class PrintRuleIptRstEcho : public PrintRuleIptRst { virtual std::string _createChain(const std::string &chain); virtual std::string _startRuleLine(); virtual std::string _endRuleLine(); public: PrintRuleIptRstEcho(const std::string &name) : PrintRuleIptRst(name) {}; virtual std::string _declareTable(); virtual std::string _commit(); virtual std::string _quote(const std::string &s); virtual bool processNext(); }; friend class PolicyCompiler_ipt::PrintRuleIptRstEcho; }; } #endif fwbuilder-5.3.7/src/iptlib/PolicyCompiler_ipt_optimizer.cpp000066400000000000000000000235641303637203600242140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, 
LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PolicyCompiler_ipt.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Firewall.h" #include "combinedAddress.h" #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /* * Optimizer 1: * * splits rule, making sure we make only one parameter check at a time * That is, we only check source, or destination or service and then * pass control to a user-defined chain to check for the next * parameter. This helps avoid multiple checks for the same parameter. 
* * Assumtions: * * Can use this process with multiple objects in src,dst,srv * Run splitRuleIfSrvAnyActionReject before this processor to make sure * Srv contains only TCP objects if action is "Reject" and TCP RST is required */ void PolicyCompiler_ipt::optimize1::optimizeForRuleElement( PolicyRule *rule, const std::string &re_type) { PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); PolicyRule *r; string this_chain = rule->getStr("ipt_chain"); string new_chain = ipt_comp->getNewTmpChainName(rule); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); for (FWObject::iterator i=r->begin(); i!=r->end(); ++i) { if (RuleElement::cast(*i)!=NULL) { if ((*i)->getTypeName()!=re_type && (*i)->size()!=1) { RuleElement *nre=RuleElement::cast(*i); nre->clearChildren(); nre->setAnyElement(); } else { RuleElement *re = RuleElement::cast( rule->getFirstByType((*i)->getTypeName())); /* * put "any tcp" service back in srv field if it was originally some * tcp service. This is needed because we may need to produce * --reject-with tcp-reset if the action is reject and we need to * reject with TCP RST. 
*/ if (RuleElementSrv::isA(re) && r->getAction()==PolicyRule::Reject && ipt_comp->isActionOnRejectTCPRST(r)) { Service *srv= compiler->getFirstSrv(r); if (TCPService::isA(srv)) { re->clearChildren(); re->addRef( compiler->dbcopy->findInIndex( FWObjectDatabase::getIntId(ANY_TCP_OBJ_ID))); /* also leave a flag indicating that further optimization by service * is not needed */ rule->setBool("do_not_optimize_by_srv",true); r->setBool("do_not_optimize_by_srv",true); } else { re->reset(); } } else { re->reset(); } } } } r->setStr("ipt_target",new_chain); r->setClassification(false); r->setRouting(false); r->setTagging(false); tmp_queue.push_back(r); FWOptions *ruleopt=rule->getOptionsObject(); ruleopt->setBool("stateless",true); ruleopt->setInt("limit_value",-1); ruleopt->setInt("connlimit_value",-1); ruleopt->setInt("hashlimit_value",-1); rule->setStr("ipt_chain",new_chain); rule->setBool("force_state_check",false); rule->setStr("upstream_rule_chain", this_chain); ipt_comp->registerChain(new_chain); ipt_comp->insertUpstreamChain(this_chain, new_chain); // if (rule->getInterfaceStr()=="") // rule->setInterfaceStr("nil"); rule->setDirection( PolicyRule::Both ); tmp_queue.push_back(rule); } bool PolicyCompiler_ipt::optimize1::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElementSrc *srcrel; RuleElementDst *dstrel; RuleElementSrv *srvrel; RuleElementInterval *intrel; FWObject::iterator i1 = rule->begin(); srcrel = RuleElementSrc::cast(*i1); i1++; dstrel = RuleElementDst::cast(*i1); i1++; srvrel = RuleElementSrv::cast(*i1); i1++; i1++; intrel = RuleElementInterval::cast(*i1); bool srcany = srcrel->isAny(); bool dstany = dstrel->isAny(); bool srvany = srvrel->isAny(); bool intany = (intrel!=NULL && intrel->isAny()); int srcn = srcrel->size(); int dstn = dstrel->size(); int srvn = srvrel->size(); int intn = 1; if (intrel!=NULL) intn = intrel->size(); bool all_tcp_or_udp = true; for (FWObject::iterator i=srvrel->begin(); i!=srvrel->end(); i++) 
{ FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *service_object = Service::cast( o ); if (service_object==NULL) { compiler->abort(rule, "Broken Service rule element"); } // tcp and udp will be collapsed because we can use multiport module if ( !TCPService::isA(service_object) && !UDPService::isA(service_object)) { all_tcp_or_udp = false; break; } } if (all_tcp_or_udp) srvn = 1; // Golden rule - try to introduce minimum forward rules .... // we can't optimize 1 src, 1 dstn, 1 service and 1 time interval // we can't optimize if we've got three 'anys' .. if ((srcn <= 1 && dstn <= 1 && srvn <= 1 && intn <= 1) || (srcany && dstany && srvany) || (srcany && dstany && intany) || (srcany && srvany && intany) || (dstany && srvany && intany) ) { tmp_queue.push_back(rule); return true; } // Assume any means LOTS of rules - i.e. not good candidate for optimization if (srcany) srcn=INT_MAX; if (dstany) dstn=INT_MAX; if (srvany) srvn=INT_MAX; if (intany) intn=INT_MAX; // Now work out which is best optimization to do. // this rule is called twice so we only need to do one op on each if ( !srvany && (srvn <= dstn) && (srvn <= srcn) && (srvn <= intn) && ! 
rule->getBool("do_not_optimize_by_srv") ) { optimizeForRuleElement(rule,RuleElementSrv::TYPENAME); return true; } if ( !srcany && (srcn <= dstn) && (srcn <= srvn) && (srcn <= intn)) { optimizeForRuleElement(rule,RuleElementSrc::TYPENAME); return true; } if ( !dstany && (dstn <= srcn) && (dstn <= srvn) && (dstn <= intn)) { optimizeForRuleElement(rule,RuleElementDst::TYPENAME); return true; } if ( !intany && (intn <= srcn) && (intn <= dstn) && (intn <= srvn)) { optimizeForRuleElement(rule,RuleElementInterval::TYPENAME); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipt::optimize2::processNext() { PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srvrel=rule->getSrv(); if (rule->getBool("final")) { if ( rule->getAction()==PolicyRule::Reject && ipt_comp->isActionOnRejectTCPRST(rule)) { // preserve service ; } else { srvrel->clearChildren(); srvrel->setAnyElement(); } } tmp_queue.push_back(rule); return true; } /* * this processor eliminates duplicate rules _generated for the same * high level rule_ This is different from processor * PolicyCompiler_ipf::eliminateDuplicateRules, which finds and * eliminates duplicate rules throughout the whole generated script. 
*/ bool PolicyCompiler_ipt::optimize3::processNext() { PolicyRule *rule; rule = getNext(); if (rule==NULL) return false; if (rule->isFallback() || rule->isHidden()) { tmp_queue.push_back(rule); return true; } if (printRule==NULL) { printRule = new PrintRule(""); printRule->setContext(compiler); printRule->initialize(); } string thisRule = rule->getLabel() + " " + printRule->PolicyRuleToString(rule); if (rules_seen_so_far.count(thisRule)!=0) return true; tmp_queue.push_back(rule); rules_seen_so_far[thisRule]=true; return true; } bool PolicyCompiler_ipt::optimizeForMinusIOPlus::processNext() { PolicyRule *rule; rule=getNext(); if (rule==NULL) return false; RuleElementItf *itf_re = rule->getItf(); assert(itf_re!=NULL); FWObject *rule_iface = FWObjectReference::getObject(itf_re->front()); string iface_name = rule_iface->getName(); // rule->getInterfaceStr(); if (iface_name.empty() || iface_name=="nil" ) { tmp_queue.push_back(rule); return true; } string chain = rule->getStr("ipt_chain"); if (iface_name == "*" && (chain == "INPUT" || chain == "OUTPUT")) itf_re->reset(); // rule->setInterfaceStr(""); tmp_queue.push_back(rule); return true; } fwbuilder-5.3.7/src/iptlib/PolicyCompiler_secuwall.cpp000066400000000000000000000105301303637203600231220ustar00rootroot00000000000000/* * PolicyCompiler_secuwall.cpp - secunet wall policy compiler implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. 
* * o The terms of NetCitadel End User License Agreement */ #include #include "PolicyCompiler_secuwall.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Policy.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Network.h" using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_secuwall::myPlatformName() { return "secuwall"; } vector PolicyCompiler_secuwall::getMgmtInterfaces() { vector interfaces; /* search Management Interfaces, note: this can be more than one */ for (FWObjectTypedChildIterator fw_ifaces = fw->findByType(Interface::TYPENAME); fw_ifaces != fw_ifaces.end(); ++fw_ifaces) { Interface *iface = Interface::cast(*fw_ifaces); /* Check if it is a management interface */ if (iface->isManagement() && iface->getAddressObject() != NULL) { interfaces.push_back(iface->getName()); } } return interfaces; } void PolicyCompiler_secuwall::verifyPlatform() { string family = Resources::platform_res[fw->getStr("platform")]-> getResourceStr("/FWBuilderResources/Target/family"); if ((family != myPlatformName()) && (fw->getStr("host_OS") != myPlatformName())) abort("Unsupported platform " + fw->getStr("platform") + " (family " + family + ")"); } std::string PolicyCompiler_secuwall::printAutomaticRules() { string res = PolicyCompiler_ipt::printAutomaticRules(); FWOptions* options = getCachedFwOpt(); if (options->getBool("secuwall_mgmt_rules_disable")) { return res; } Configlet configlet(fw, "secuwall", "management_rules"); configlet.removeComments(); configlet.collapseEmptyStrings(false); PolicyCompiler_ipt::PrintRule *print_rule = createPrintRuleProcessor(); configlet.setVariable("begin_rule", print_rule->_startRuleLine().c_str()); configlet.setVariable("end_rule", 
print_rule->_endRuleLine().c_str()); // export these variables to the configlet std::vector vars; vars.push_back("secuwall_mgmt_mgmtaddr"); vars.push_back("secuwall_mgmt_loggingaddr"); vars.push_back("secuwall_mgmt_ntpaddr"); vars.push_back("secuwall_mgmt_nagiosaddr"); vars.push_back("secuwall_mgmt_snmpaddr"); vars.push_back("secuwall_dns_srv1"); vars.push_back("secuwall_dns_srv2"); vars.push_back("secuwall_dns_srv3"); vars.push_back("secuwall_mgmt_confpart"); for (vector::iterator it = vars.begin(); it != vars.end(); ++it) { std::vector tmp; tokenize(options->getStr(*it), tmp, ","); if (!tmp.empty()) { configlet.setVariable(it->c_str(), stringify(tmp, " ").c_str()); configlet.setVariable((string("has_")+*it).c_str(), true); } } configlet.setVariable("secuwall_mgmt_ifaces", stringify(getMgmtInterfaces(), " ").c_str()); res += configlet.expand().toStdString(); delete print_rule; return res; } /* * An interface is considered a valid interface when it is * 1. a management interface * 2. of type "ethernet" */ bool PolicyCompiler_secuwall::isValidMgmtRuleInterface(Interface *intf) { if (intf == NULL) return false; if (Interface::isA(intf)) { FWOptions* if_opts = intf->getOptionsObject(); if (if_opts == NULL) return false; /* TODO: Extract magic value! */ string iface_type = if_opts->getStr("type"); if (intf->isManagement() && (iface_type != "cluster_member") && (intf->getAddressObject() != NULL)) { return true; } } return false; } fwbuilder-5.3.7/src/iptlib/PolicyCompiler_secuwall.h000066400000000000000000000033351303637203600225740ustar00rootroot00000000000000/* * PolicyCompiler_secuwall.h - Policy compiler for secunet wall host OS * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. 
* * o The terms of NetCitadel End User License Agreement */ #ifndef __POLICYCOMPILER_SECUWALL_H_ #define __POLICYCOMPILER_SECUWALL_H_ #include #include #include "PolicyCompiler_ipt.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Tools.h" namespace libfwbuilder { class Address; class Service; class Interface; class Address; class InetAddr; } namespace fwcompiler { class PolicyCompiler_secuwall : public PolicyCompiler_ipt { protected: virtual std::string myPlatformName(); public: PolicyCompiler_secuwall(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf, std::map *m_n_commands_map) : PolicyCompiler_ipt(_db, fw, ipv6_policy, _oscnf, m_n_commands_map) {}; /** * Add some predefined rules controlled by checkboxes in * firewall settings dialog */ virtual std::string printAutomaticRules(); virtual void verifyPlatform(); private: std::vector getMgmtInterfaces(); static bool isValidMgmtRuleInterface(libfwbuilder::Interface* intf); }; } #endif fwbuilder-5.3.7/src/iptlib/Preprocessor_ipt.cpp000066400000000000000000000027331303637203600216410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "Preprocessor_ipt.h" #include "fwbuilder/Interface.h" #include "fwbuilder/AttachedNetworks.h" using namespace libfwbuilder; using namespace fwcompiler; using namespace std; void Preprocessor_ipt::convertObject(FWObject *obj) { if ( AttachedNetworks::isA(obj)) { AttachedNetworks *att = AttachedNetworks::cast(obj); Interface *intf = Interface::cast(att->getParent()); if (intf->isRegular()) { att->setCompileTime(true); att->loadFromSource(ipv6, getCachedFwOpt(), inTestMode()); } else att->setRunTime(true); } else Preprocessor::convertObject(obj); } fwbuilder-5.3.7/src/iptlib/Preprocessor_ipt.h000066400000000000000000000026331303637203600213050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PREPROCESSOR_IPT_HH #define __PREPROCESSOR_IPT_HH #include #include "fwcompiler/Preprocessor.h" namespace libfwbuilder { class FWObjectDatabase; }; namespace fwcompiler { class Preprocessor_ipt : public Preprocessor { public: Preprocessor_ipt(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy) : Preprocessor(_db, fw, ipv6_policy) { } virtual void convertObject(libfwbuilder::FWObject *obj); }; } #endif fwbuilder-5.3.7/src/iptlib/RoutingCompiler_ipt.cpp000066400000000000000000000235511303637203600222760ustar00rootroot00000000000000/* Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
*/ #include "RoutingCompiler_ipt.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Network.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; static std::map tmp_chain_no; string RoutingCompiler_ipt::myPlatformName() { return "iptables"; } void RoutingCompiler_ipt::verifyPlatform() { //TODO: Routing based on the 'ip' command is independent from iptables string family = Resources::platform_res[fw->getStr("platform")]-> getResourceStr("/FWBuilderResources/Target/family"); if (family != myPlatformName()) abort("Unsupported platform " + fw->getStr("platform") + " (family " + family + ")"); } int RoutingCompiler_ipt::prolog() { int n = RoutingCompiler::prolog(); verifyPlatform(); return n; } /* * this processor eliminates duplicate routing rules, generated from the same * rule in the GUI */ bool RoutingCompiler_ipt::optimize3::processNext() { RoutingRule *rule; rule=getNext(); if (rule==NULL) return false; if (rule->isFallback() || rule->isHidden()) { tmp_queue.push_back(rule); return true; } if (printRule==NULL) { printRule = new PrintRule(""); printRule->setContext(compiler); } string thisRule = rule->getLabel() + " " + printRule->RoutingRuleToString(rule); if (rules_seen_so_far.count(thisRule)!=0) return true; tmp_queue.push_back(rule); rules_seen_so_far[thisRule] = true; return true; } /* * this processor eliminates duplicate atomic routing rules in one routing table */ bool RoutingCompiler_ipt::eliminateDuplicateRules::processNext() { RoutingRule *rule; rule = getNext(); if (rule==NULL) return false; if (rule->isFallback() || rule->isHidden()) { tmp_queue.push_back(rule); return true; } if (printRule==NULL) { printRule = new PrintRule(""); printRule->setContext(compiler); } string label = rule->getLabel(); int bracepos = 
label.find("("); label.erase(0, bracepos); string thisRule = label + " " + printRule->RoutingRuleToString(rule); rules_it = rules_seen_so_far.find(thisRule); if (rules_it != rules_seen_so_far.end()) { string msg; msg = "Two of the sub rules created from the gui routing rules " + rules_it->second + " and " + rule->getLabel() + " are identical, skipping the second. " + "Revise them to avoid this warning"; compiler->warning(rule, msg.c_str()); return true; } tmp_queue.push_back(rule); rules_seen_so_far[thisRule] = rule->getLabel(); return true; } bool RoutingCompiler_ipt::addressRangesInDst::processNext() { RoutingRule *rule; rule=getNext(); if (rule==NULL) return false; RuleElementRDst *dstrel = rule->getRDst(); compiler->_expandAddressRanges(rule, dstrel); tmp_queue.push_back(rule); return true; } bool RoutingCompiler_ipt::FindDefaultRoute::processNext() { RoutingCompiler_ipt *ipt_comp = dynamic_cast(compiler); RoutingRule *rule; rule=getNext(); if (rule==NULL) return false; RuleElementRDst *dstrel = rule->getRDst(); FWObject *ref = dstrel->front(); Address *dst = Address::cast(FWReference::cast(ref)->getPointer()); if (dst->isAny()) ipt_comp->have_default_route = true; tmp_queue.push_back(rule); return true; } /** *----------------------------------------------------------------------- */ void RoutingCompiler_ipt::compile() { string banner = " Compiling routing rules for " + fw->getName(); info(banner); Compiler::compile(); //bool check_for_recursive_groups=true; add(new RoutingCompiler::Begin()); add(new printTotalNumberOfRules()); add( new singleRuleFilter()); add(new recursiveGroupsInRDst("Check for recursive Groups in RDst")); add(new emptyGroupsInRDst("Check for empty Groups in RDst")); add(new emptyRDstAndRItf("Check if RDst and RItf are both empty")); add(new singleAdressInRGtw( "Check if RGtw object has exactly one IP adress")); add(new rItfChildOfFw("Check if RItf is an Iterface of this firewall")); // unfortunately ExpandGroups also filters out objects 
that do not // match address family but does not issue a warning when that // happens. Since I need to show a warning when user places ipv6 // object in a routing rule, I call DropIPv6RulesWithWarning() // before expanding groups. This has limited effect though: user // gets a warning when a single ipv6 address or network object // appears in the rule but gets no warning when it appears as a // member of a group. add(new DropIPv6RulesWithWarning( "drop ipv6 rules", "Rule has been suppressed because it contains IPv6 " "objects and Firewall Builder does not support IPv6 " "routing rules at this time")); add(new ExpandGroups("Expand groups in DST")); add(new ExpandMultipleAddresses( "Expand objects with multiple addresses in DST")); add(new dropRuleWithEmptyRE("drop rules with empty rule elements")); add(new DropIPv6RulesWithWarning( "drop ipv6 rules", "Rule has been suppressed because it contains IPv6 " "objects and Firewall Builder does not support IPv6 " "routing rules at this time")); add(new validateNetwork("Validate network addresses")); add(new reachableAddressInRGtw( "Check if RGtw is reachable via local networks")); add(new contradictionRGtwAndRItf( "Check if RGtw is in a network of RItf")); add(new addressRangesInDst("process address ranges")); add(new eliminateDuplicatesInDST("Eliminate duplicates in DST")); add(new FindDefaultRoute("Find rules that install default route")); add(new createSortedDstIdsLabel( "Create label with a sorted dst-id-list for 'competingRules'")); add(new competingRules("Check for competing rules")); add(new ConvertToAtomicForDST( "Convert to atomic rules by dst address elements")); add(new createSortedDstIdsLabel( "Create label with a sorted dst-id-list for 'classifyRoutingRules'")); add(new classifyRoutingRules( "Classify into single path or part of a multi path rule")); add(new optimize3( "Eliminate duplicate rules generated from a single gui-rule")); add(new eliminateDuplicateRules( "Eliminate duplicate rules over the whole 
table")); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add(new PrintRule("generate ip code")); add(new simplePrintProgress()); runRuleProcessors(); } string RoutingCompiler_ipt::debugPrintRule(Rule *r) { RoutingRule *rule=RoutingRule::cast(r); string s= RoutingCompiler::debugPrintRule(rule); return s; } void RoutingCompiler_ipt::epilog() { ///int total = ecmp_comments_buffer.size(); int nb = 0; // ecmp roules can only be generated after all the rules have been // parsed, that is the reason for putting this code in the epilog // function if (ecmp_rules_buffer.size() > 0) { output << "\n#\n# ============== EQUAL COST MULTI PATH ============\n#" << endl; output << "echo \"Activating ecmp routing rules...\"" << endl; for (map::iterator ecmp_comments_buffer_it = ecmp_comments_buffer.begin(); ecmp_comments_buffer_it != ecmp_comments_buffer.end(); ++ecmp_comments_buffer_it) { output << ecmp_comments_buffer_it->second << "#\n" << flush; output << ecmp_rules_buffer[ecmp_comments_buffer_it->first] << flush; output << " \\\n|| route_command_error " << "\"" << ++nb << "\"" << endl; //echo \"Error: The ECMP routing rule #" << ++nb <<" couldn't be activated! 
Please make sure your kernel is compiled with the CONFIG_IP_ROUTE_MULTIPATH option.\"" << endl; } } if (!inSingleRuleCompileMode() && defined_restore_script_output) { // function restore_script_output may not be defined if we // have no rules or all rules are disabled output << endl; output << "restore_script_output" << endl; output << "echo \"...done.\"" << endl; } } fwbuilder-5.3.7/src/iptlib/RoutingCompiler_ipt.h000066400000000000000000000143261303637203600217430ustar00rootroot00000000000000/* Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
*/ #ifndef __ROUTINGCOMPILER_IPT_HH__ #define __ROUTINGCOMPILER_IPT_HH__ #include #include "fwcompiler/RoutingCompiler.h" #include "fwbuilder/RuleElement.h" #include "config.h" namespace libfwbuilder { class RuleElementRDst; class RuleElementRItf; class RuleElementRGtw; }; namespace fwcompiler { class RoutingCompiler_ipt : public RoutingCompiler { protected: /** * prints rule in some universal format (close to that visible * to user in the GUI). Used for debugging purposes. This method * calls RoutingCompiler::debugPrintRule */ virtual std::string debugPrintRule(libfwbuilder::Rule *rule); /** * processes rules with negation in Dst if it holds only one object */ DECLARE_ROUTING_RULE_PROCESSOR(singleDstNegation); /** * processes rules with negation in Dst */ DECLARE_ROUTING_RULE_PROCESSOR(DstNegation); /** * check if we have to install default route */ DECLARE_ROUTING_RULE_PROCESSOR(FindDefaultRoute); /** * expand address range objects in destination */ DECLARE_ROUTING_RULE_PROCESSOR(addressRangesInDst); /** * remove duplicate rules */ class PrintRule; class optimize3 : public RoutingRuleProcessor { std::map rules_seen_so_far; RoutingCompiler_ipt::PrintRule *printRule; public: optimize3(const std::string &name) : RoutingRuleProcessor(name){ printRule=NULL; } virtual bool processNext(); }; friend class RoutingCompiler_ipt::optimize3; /** * eliminates duplicate objects in DST. 
Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInDST : public eliminateDuplicatesInRE { public: eliminateDuplicatesInDST(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementRDst::TYPENAME) {} }; /** * eliminates duplicate rules */ class eliminateDuplicateRules : public RoutingRuleProcessor { std::map rules_seen_so_far; std::map::iterator rules_it; RoutingCompiler_ipt::PrintRule *printRule; public: eliminateDuplicateRules(const std::string &name) : RoutingRuleProcessor(name){ printRule=NULL; } virtual bool processNext(); }; /** * prints single policy rule, assuming all groups have been * expanded, destination holds exactly one object, and this * object is not a group. Negation should also have been taken * care of before this method is called. * * This processor is not necessarily the last in the * conveyor, so it should push rules back to tmp_queue (for * example there could be progress indicator processor after * this one) */ class PrintRule : public RoutingRuleProcessor { bool print_once_on_top; std::string current_rule_label; virtual std::string _printAddr(libfwbuilder::Address *o); public: PrintRule(const std::string &name); virtual bool processNext(); std::string RoutingRuleToString(libfwbuilder::RoutingRule *r); std::string _printRGtw(libfwbuilder::RoutingRule *r); std::string _printRItf(libfwbuilder::RoutingRule *r); std::string _printRDst(libfwbuilder::RoutingRule *r); }; friend class RoutingCompiler_ipt::PrintRule; virtual std::string myPlatformName(); // These buffers are needed to collect output generated from the single ECMP rules belonging to one destination, // because all these routes have to be activated with a single ip command. So ECMP ip commands are built up gradually // during compilation and inserted in the shell script after all rules are processed. 
std::map< std::string, std::string> ecmp_rules_buffer; // sortedDstId+metric-->nexthops std::map< std::string, std::string> ecmp_comments_buffer; // sortedDstId+metric-->rule's info for the fw script bool have_default_route; bool defined_restore_script_output; public: RoutingCompiler_ipt(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : RoutingCompiler(_db, fw, ipv6_policy, _oscnf) { have_default_route = false; defined_restore_script_output = false; } virtual void verifyPlatform(); virtual int prolog(); virtual void compile(); virtual void epilog(); }; } #endif fwbuilder-5.3.7/src/iptlib/RoutingCompiler_ipt_writers.cpp000066400000000000000000000260101303637203600240460ustar00rootroot00000000000000/* Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Modified: Vadim Kurland vadim@vk.crocodile.org Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
*/ #include "RoutingCompiler_ipt.h" #include "Configlet.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Network.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ string RoutingCompiler_ipt::PrintRule::_printAddr(Address *o) { ostringstream ostr; if (Interface::cast(o)!=NULL) { Interface *iface=Interface::cast(o); if (iface->isDyn()) ostr << "$interface_" << iface->getName() << " "; return ostr.str(); } const InetAddr *addr; const InetAddr *mask; addr = o->getAddressPtr(); mask = o->getNetmaskPtr(); if (addr==NULL) { FWObject *obj=o; /* * check if this is object of class Address. since we want to * distinguish between Host, Interface and Address, and both Host and * Interface are inherited from Address, we can't use cast. 
Use isA * instead */ while (obj!=NULL && !Host::isA(obj) && !Firewall::isA(obj) && !Network::isA(obj)) obj=obj->getParent(); compiler->abort( "Problem with address or netmask in the object or " "one of its interfaces: '" + obj->getName() + "'"); } if (addr->isAny() && mask->isAny()) { ostr << "default "; } else { ostr << addr->toString(); if (Interface::cast(o)==NULL && Address::cast(o)->dimension() > 1 && !mask->isHostMask()) { ostr << "/" << mask->getLength(); } ostr << " "; } return ostr.str(); } RoutingCompiler_ipt::PrintRule::PrintRule(const std::string &name) : RoutingRuleProcessor(name) { print_once_on_top=true; } bool RoutingCompiler_ipt::PrintRule::processNext() { RoutingCompiler_ipt *ipt_comp = dynamic_cast(compiler); RoutingRule *rule = getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); if (print_once_on_top && !compiler->inSingleRuleCompileMode()) { // string os_family = Resources::os_res[compiler->fw->getStr("host_OS")]-> // getResourceStr("/FWBuilderResources/Target/family"); Configlet routing_functions(compiler->fw, "linux24", "routing_functions"); // we should delete default route if we have a new one to // install. IF user did not define any routes that look like // default (i.e. where destination is "any"), then we should // preserve default so that we won't leave machine with no // default at all. 
QString route_pattern = ""; if (ipt_comp->have_default_route) { // If we will install default route, delete it now route_pattern = "'proto kernel'"; } else { // do not delete default if we won't install new one route_pattern = "'\\( proto kernel \\)\\|\\(default via \\)'"; } routing_functions.setVariable("proto_filter", route_pattern); compiler->output << routing_functions.expand().toStdString(); ipt_comp->defined_restore_script_output = true; print_once_on_top = false; } // TODO: convert this into virtual function RoutingCompiler_ipt::printComment() string rl = rule->getLabel(); string comm = rule->getComment(); string::size_type c1,c2; c1=0; if (!compiler->inSingleRuleCompileMode() && rl!=current_rule_label) { compiler->output << "# " << endl; compiler->output << "# Rule " << rl << endl; //compiler->output << "# " << rule->getRuleTypeAsString() << endl; compiler->output << "# " << endl; compiler->output << "echo \"Routing rule " << rl << "\"" << endl; compiler->output << "# " << endl; } if( rule->getRuleType() != RoutingRule::MultiPath ) { if (!compiler->inSingleRuleCompileMode() && rl!=current_rule_label) { while ( (c2=comm.find('\n',c1))!=string::npos ) { compiler->output << "# " << comm.substr(c1,c2-c1) << endl; c1=c2+1; } compiler->output << "# " << comm.substr(c1) << endl; compiler->output << "# " << endl; string err = compiler->getErrorsForRule(rule, "# "); if (!err.empty()) compiler->output << err << endl; current_rule_label = rl; } // string err = rule->getCompilerMessage(); // if (!err.empty()) compiler->output << "# " << err << endl; string command_line = RoutingRuleToString(rule); compiler->output << command_line; } else { // the ecmp_id contains the table, the rule label and the metric. 
These are the properties the ecmp rules are distinguished string metric = rule->getMetricAsString(); string ecmp_id = rule->getSortedDstIds() + "#" + metric; if (rl!=current_rule_label) { compiler->output << "# Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below." << endl; current_rule_label=rl; } map< string, string>& ecmp_rules_buffer = ((RoutingCompiler_ipt*)compiler)->ecmp_rules_buffer; map< string, string>& ecmp_comments_buffer = ((RoutingCompiler_ipt*)compiler)->ecmp_comments_buffer; map< string, string>::iterator ecmp_rules_buffer_it; ecmp_rules_buffer_it = ecmp_rules_buffer.find(ecmp_id); if( ecmp_rules_buffer_it == ecmp_rules_buffer.end() ) { // ECMP Dst not seen so far, add "ip route add x.x.x.x" // and comment's header ecmp_comments_buffer[ecmp_id] = "#\n# Multipath Rule " " derived from the following routing rules:\n#\n"; if (rule->getMetricAsString() != "0") { ecmp_rules_buffer[ecmp_id] += "$IP route add " + _printRDst(rule) + "metric " + metric; } else { ecmp_rules_buffer[ecmp_id] += "$IP route add " + _printRDst(rule); } } ecmp_comments_buffer[ecmp_id] += "# Rule " + rl + "\n"; while ( (c2=comm.find('\n',c1))!=string::npos ) { ecmp_comments_buffer[ecmp_id] += "# " + comm.substr(c1,c2-c1) + "\n"; c1=c2+1; } ecmp_comments_buffer[ecmp_id] += "# " + comm.substr(c1) + "\n"; // Collect the nexthop information for the multipath rules, indexed by the sorted dst ids ecmp_rules_buffer[ecmp_id] += " \\\nnexthop " ; ecmp_rules_buffer[ecmp_id] += _printRGtw(rule); ecmp_rules_buffer[ecmp_id] += _printRItf(rule); } return true; } string RoutingCompiler_ipt::PrintRule::RoutingRuleToString(RoutingRule *rule) { FWObject *ref; RuleElementRDst *dstrel=rule->getRDst(); ref=dstrel->front(); Address *dst=Address::cast(FWReference::cast(ref)->getPointer()); if(dst==NULL) compiler->abort(rule, "Broken DST"); ostringstream command_line; command_line << "$IP route add "; command_line << _printRDst(rule); if 
(rule->getMetricAsString() != "0") { command_line << " metric " << rule->getMetricAsString() << " "; } command_line << _printRGtw(rule); command_line << _printRItf(rule); // to make generated script more readable in single rule compile mode, // skip the part that rolls back in case of an error if (!compiler->inSingleRuleCompileMode()) { command_line << "\\\n|| "; FWObject *opt_dummy = rule->getFirstByType(RoutingRuleOptions::TYPENAME); RoutingRuleOptions *opt = opt_dummy ? RoutingRuleOptions::cast(opt_dummy) : 0; if ( opt && opt->getBool("no_fail") ) { command_line << "echo \"*** Warning: routing rule " << rule->getLabel() << " failed. ignored. ***\"\n"; } else { command_line << "route_command_error " << "\"" << rule->getLabel() << "\"" << endl;; } } command_line << endl; return command_line.str(); } string RoutingCompiler_ipt::PrintRule::_printRGtw(RoutingRule *rule) { FWObject *ref; RuleElementRGtw *gtwrel = rule->getRGtw(); ref = gtwrel->front(); Address *gtw = Address::cast(FWReference::cast(ref)->getPointer()); if(gtw==NULL) compiler->abort(rule, "Broken GTW"); string gateway = _printAddr(gtw); if( gateway != "default ") return "via " + gateway; else return ""; } string RoutingCompiler_ipt::PrintRule::_printRItf(RoutingRule *rule) { FWObject *ref; RuleElementRItf *itfrel=rule->getRItf(); ref=itfrel->front(); Interface *itf=Interface::cast(FWReference::cast(ref)->getPointer()); if(itf != NULL) return "dev " + itf->getName() + " "; else return ""; } string RoutingCompiler_ipt::PrintRule::_printRDst(RoutingRule *rule) { FWObject *ref; RuleElementRDst *dstrel=rule->getRDst(); ref=dstrel->front(); Address *dst=Address::cast(FWReference::cast(ref)->getPointer()); if(dst==NULL) compiler->abort(rule, "Broken DST"); return _printAddr(dst); } fwbuilder-5.3.7/src/iptlib/combinedAddress.cpp000066400000000000000000000033621303637203600213640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free 
software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include #include "combinedAddress.h" #include #include #include using namespace libfwbuilder; using namespace std; const char *combinedAddress::TYPENAME={"combinedAddress"}; combinedAddress::~combinedAddress() {} std::string combinedAddress::getPhysAddress() const { return physAddress; } void combinedAddress::setPhysAddress(const std::string &s) { physAddress = s; } bool combinedAddress::isAny() const { return (IPv4::isAny() && physAddress==""); } FWObject& combinedAddress::shallowDuplicate(const FWObject *other, bool preserve_id) throw(FWException) { physAddress = dynamic_cast(other)->physAddress; return IPv4::shallowDuplicate(other, preserve_id); } fwbuilder-5.3.7/src/iptlib/combinedAddress.h000066400000000000000000000027741303637203600210370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COMB_ADDRESS_HH_FLAG__ #define __COMB_ADDRESS_HH_FLAG__ #include #include #include namespace libfwbuilder { class combinedAddress : public IPv4 { private: std::string physAddress; public: DECLARE_FWOBJECT_SUBTYPE(combinedAddress); combinedAddress() {} virtual ~combinedAddress(); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); std::string getPhysAddress() const; void setPhysAddress(const std::string &s); bool isAny() const; }; } #endif fwbuilder-5.3.7/src/iptlib/ipt_utils.cpp000066400000000000000000000146731303637203600203210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ipt_utils.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/ObjectGroup.h" #include "fwcompiler/Compiler.h" #include "combinedAddress.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; void build_interface_groups( FWObjectDatabase *dbcopy, Library *persistent_objects, Firewall *fw, bool ipv6, QMap ®ular_interfaces) { // object group that will hold all regular inetrfaces FWObject *all_itf_group = dbcopy->create(ObjectGroup::TYPENAME); persistent_objects->add(all_itf_group); all_itf_group->setName("*"); regular_interfaces["*"] = all_itf_group; list l2 = fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface = Interface::cast(*i); assert(iface); if (iface->isLoopback() || iface->isUnnumbered() || iface->isBridgePort()) continue; FWObjectTypedChildIterator ipv4_addresses = iface->findByType(IPv4::TYPENAME); FWObjectTypedChildIterator ipv6_addresses = iface->findByType(IPv6::TYPENAME); if ((ipv6 && ipv6_addresses != ipv6_addresses.end()) || (!ipv6 && ipv4_addresses != ipv4_addresses.end()) || (ipv4_addresses == ipv4_addresses.end() && ipv6_addresses == ipv6_addresses.end())) { /* * regular_interfaces is a set of groups of * interfaces, where each group holds references to * all interfaces with "similar names". The group name * is then the base name of these interfaces with * numeric index replaced with "*". For example: * group "eth*" { eth0, eth1, eth2, ... } * * if interface name ends with '*', this is wildcard * interface. Just replace '*' with '+'. If interace * name does not end with '*', replace numeric * interface index with '+'. 
*/ QString iname = QString(iface->getName().c_str()); iname.replace(QRegExp("[0-9]{1,}$"), "+"); iname.replace("*", "+"); if (regular_interfaces.count(iname) == 0) { FWObject *itf_group = dbcopy->create(ObjectGroup::TYPENAME); persistent_objects->add(itf_group); itf_group->setName(iname.toStdString()); regular_interfaces[iname] = itf_group; } regular_interfaces[iname]->addRef(iface); regular_interfaces["*"]->addRef(iface); } } } void expand_interface_with_phys_address(Compiler *compiler, Rule *rule, Interface *iface, std::list &ol1, std::list &list_result) { (void) rule; // Unused std::list lipaddr; std::list lother; physAddress *pa = NULL; for (std::list::iterator j=ol1.begin(); j!=ol1.end(); j++) { if ((*j)->getTypeName() == IPv4::TYPENAME) { lipaddr.push_back(*j); continue; } if (physAddress::cast(*j)!=NULL) { pa = physAddress::cast(*j); continue; } lother.push_back(*j); } /* * if pa==NULL then this is trivial case: there is no physical address */ if (pa==NULL) { list_result.insert(list_result.end(), ol1.begin(), ol1.end()); return; } /* At this point we have physAddress object and have to deal with it * * Compiler::_expand_interface picks all IPv4 objects and physAddress * object under Interface; it can also add interface object(s) to * the list. * * We have two possibilities now: there could be IPv4 objects or * not. In either case list ol1 may contain also interface object(s). * If there are IPv4 objects, we replace them with combinedAddress * objects which store information about IPv4 address and physAddress pa. * If there were no IPv4 objects, then we pass physAddress along. * We always copy interface objects to the output list. 
* * * * we use physAddress only if Host option "use_mac_addr_filter" of the * parent Host object is true */ FWObject *p = Host::getParentHost(iface); //FWObject *p = iface->getParentHost(); assert(p!=NULL); FWOptions *hopt = Host::cast(p)->getOptionsObject(); bool use_mac = (hopt!=NULL && hopt->getBool("use_mac_addr_filter") ); if (lipaddr.empty()) list_result.push_back(pa); else { std::list::iterator j=lipaddr.begin(); for ( ; j!=lipaddr.end(); j++) { const InetAddr *ip_addr = Address::cast(*j)->getAddressPtr(); const InetAddr *ip_netm = Address::cast(*j)->getNetmaskPtr(); if (use_mac) { combinedAddress *ca = new combinedAddress(); compiler->persistent_objects->add(ca); ca->setName( "CA("+iface->getName()+")" ); ca->setAddress( *ip_addr ); ca->setNetmask( *ip_netm ); ca->setPhysAddress( pa->getPhysAddress() ); list_result.push_back(ca); } else list_result.push_back(*j); } } list_result.insert(list_result.end(), lother.begin(), lother.end()); } fwbuilder-5.3.7/src/iptlib/ipt_utils.h000066400000000000000000000030511303637203600177520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include namespace libfwbuilder { class FWObject; class FWObjectDatabase; class Firewall; class Interface; class Library; class Rule; }; namespace fwcompiler { class Compiler; }; extern void build_interface_groups( libfwbuilder::FWObjectDatabase *dbcopy, libfwbuilder::Library *persistent_objects, libfwbuilder::Firewall *fw, bool ipv6, QMap ®ular_interfaces); extern void expand_interface_with_phys_address( fwcompiler::Compiler *compiler, libfwbuilder::Rule *rule, libfwbuilder::Interface *iface, std::list &list_temp, std::list &list_result); fwbuilder-5.3.7/src/iptlib/iptlib.pro000066400000000000000000000034321303637203600175750ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) TEMPLATE = lib SOURCES = CompilerDriver_ipt.cpp \ CompilerDriver_ipt_run.cpp \ CompilerDriver_ipt_policy.cpp \ CompilerDriver_ipt_nat.cpp \ MangleTableCompiler_ipt.cpp \ NATCompiler_PrintRule.cpp \ NATCompiler_PrintRuleIptRst.cpp \ NATCompiler_PrintRuleIptRstEcho.cpp \ NATCompiler_ipt.cpp \ OSConfigurator_ipcop.cpp \ OSConfigurator_linux24.cpp \ OSConfigurator_linux24_interfaces.cpp \ OSConfigurator_secuwall.cpp \ OSData.cpp \ PolicyCompiler_PrintRule.cpp \ PolicyCompiler_PrintRuleIptRst.cpp \ PolicyCompiler_PrintRuleIptRstEcho.cpp \ PolicyCompiler_ipt.cpp \ PolicyCompiler_ipt_optimizer.cpp \ PolicyCompiler_secuwall.cpp \ RoutingCompiler_ipt.cpp \ RoutingCompiler_ipt_writers.cpp \ Preprocessor_ipt.cpp \ combinedAddress.cpp \ AutomaticRules_ipt.cpp \ ipt_utils.cpp HEADERS = ../../config.h \ CompilerDriver_ipt.h \ MangleTableCompiler_ipt.h \ NATCompiler_ipt.h \ OSConfigurator_ipcop.h \ OSConfigurator_linux24.h \ OSConfigurator_secuwall.h \ OSData.h \ PolicyCompiler_ipt.h \ PolicyCompiler_secuwall.h \ RoutingCompiler_ipt.h \ Preprocessor_ipt.h \ combinedAddress.h \ AutomaticRules_ipt.h \ 
ipt_utils.h CONFIG += staticlib INCLUDEPATH += ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../compiler_lib ../libfwbuilder/src win32:PRE_TARGETDEPS = ../compiler_lib/release/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/release/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/release/libfwbuilder.a !win32:PRE_TARGETDEPS = ../compiler_lib/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/libfwbuilder.a TARGET = iptlib INSTALLS -= target fwbuilder-5.3.7/src/juniper_lib/000077500000000000000000000000001303637203600166055ustar00rootroot00000000000000fwbuilder-5.3.7/src/juniper_lib/CompilerDriver_junosacl.cpp000066400000000000000000000017161303637203600241420ustar00rootroot00000000000000#include "../../config.h" #include #include "CompilerDriver_junosacl.h" using namespace std; using namespace libfwbuilder; using namespace fwcompiler; #include #ifdef _WIN32 string fs_separator = "\\"; #else string fs_separator = "/"; #endif CompilerDriver_junosacl::CompilerDriver_junosacl(FWObjectDatabase *db) : CompilerDriver(db) { comment_symbol = "#"; } // create a copy of itself, including objdb CompilerDriver* CompilerDriver_junosacl::clone() { CompilerDriver_junosacl* new_cd = new CompilerDriver_junosacl(objdb); if (inEmbeddedMode()) new_cd->setEmbeddedMode(); return new_cd; } void CompilerDriver_junosacl::printProlog(QTextStream &file, const string &prolog_code) { file << endl; file << "/*" << endl; file << " * Prolog script" << endl; file << " */" << endl; file << prolog_code << endl; file << "/*" << endl; file << " * End of prolog script" << endl; file << " */" << endl; } fwbuilder-5.3.7/src/juniper_lib/CompilerDriver_junosacl.h000066400000000000000000000030171303637203600236030ustar00rootroot00000000000000#ifndef __COMPILER_DRIVER_JUNOSACL_HH__ #define __COMPILER_DRIVER_JUNOSACL_HH__ #include "CompilerDriver.h" #include #include #include namespace libfwbuilder { class FWObjectDatabase; class Cluster; class 
ClusterGroup; class Firewall; class RuleSet; class Interface; }; namespace fwcompiler { class NamedObjectsManager; class CompilerDriver_junosacl : public CompilerDriver { protected: std::string system_configuration_script; std::string policy_script; std::string comment_symbol; void printProlog(QTextStream &file, const std::string &prolog_code); virtual QString assembleManifest(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall *fw, bool cluster_member); virtual QString printActivationCommands(libfwbuilder::Firewall *fw); virtual QString assembleFwScript(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member, OSConfigurator *oscnf); public: CompilerDriver_junosacl(libfwbuilder::FWObjectDatabase *db); // create a copy of itself, including objdb virtual CompilerDriver* clone(); virtual QString run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id); }; } #endif // __COMPILER_DRIVER_JUNOSACL_HH__ fwbuilder-5.3.7/src/juniper_lib/CompilerDriver_junosacl_run.cpp000066400000000000000000000254311303637203600250260ustar00rootroot00000000000000#include "../../config.h" #include "CompilerDriver_junosacl.h" #include "OSConfigurator_junos.h" #include "cisco_lib/NamedObjectsManager.h" #include "cisco_lib/NamedObjectsAndGroupsSupport.h" #include "PolicyCompiler_junosacl.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/ClusterGroup.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Routing.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/XMLTools.h" #include "fwcompiler/Preprocessor.h" #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; QString 
CompilerDriver_junosacl::assembleManifest(Cluster*, Firewall*, bool) { QString script_buffer; QTextStream script(&script_buffer, QIODevice::WriteOnly); script << "/* " << MANIFEST_MARKER << " * " << this->escapeFileName(file_names[FW_FILE]) << " */" << endl; return script_buffer; } QString CompilerDriver_junosacl::printActivationCommands(Firewall *) { return QString(); } QString CompilerDriver_junosacl::assembleFwScript(Cluster *cluster, Firewall *fw, bool cluster_member, OSConfigurator *oscnf) { Configlet script_skeleton(fw, "junos", "script_skeleton"); Configlet top_comment(fw, "junos", "top_comment"); script_skeleton.setVariable("system_configuration_script", QString::fromUtf8(system_configuration_script.c_str())); script_skeleton.setVariable("policy_script", QString::fromUtf8(policy_script.c_str())); FWOptions* options = fw->getOptionsObject(); options->setStr("prolog_script", options->getStr("junosacl_prolog_script")); options->setStr("epilog_script", options->getStr("junosacl_epilog_script")); // we do not offer user a choice of the place where to put prolog // lines, therefore we can reset this attribute to make sure it // does not interfere options->setStr("prolog_place", ""); assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, QString::fromStdString(comment_symbol), true); return script_skeleton.expand(); } QString CompilerDriver_junosacl::run(const string &cluster_id, const string &firewall_id, const string &single_rule_id) { Cluster *cluster = NULL; Firewall *fw = NULL; getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw); try { clearReadOnly(fw); // Copy rules from the cluster object populateClusterElements(cluster, fw); commonChecks2(cluster, fw); // Note that fwobjectname may be different from the name of the // firewall fw This happens when we compile a member of a cluster current_firewall_name = fw->getName().c_str(); determineOutputFileNames(cluster, fw, !cluster_id.empty(), QStringList(""), 
QStringList("fw"), QStringList("")); /* Now that all checks are done, we can drop copies of cluster * interfaces that were added to the firewall by * CompilerDriver::populateClusterElements() */ list all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); list copies_of_cluster_interfaces; for (std::list::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i) { Interface *iface = Interface::cast(*i); assert(iface); if (iface->getOptionsObject()->getBool("cluster_interface")) copies_of_cluster_interfaces.push_back(iface); } while (copies_of_cluster_interfaces.size()) { fw->remove(copies_of_cluster_interfaces.front()); copies_of_cluster_interfaces.pop_front(); } FWOptions* options = fw->getOptionsObject(); string fwvers = fw->getStr("version"); if (fwvers == "") fw->setStr("version", "11.2"); if (fwvers == "11.x") fw->setStr("version", "11.2"); string platform = fw->getStr("platform"); std::auto_ptr oscnf(new OSConfigurator_junos(objdb, fw, false)); oscnf->prolog(); oscnf->processFirewallOptions(); list all_policies = fw->getByType(Policy::TYPENAME); // assign unique rule ids that later will be used to generate // chain names. This should be done after calls to // findImportedRuleSets() // NB: these ids are not used by this compiler assignUniqueRuleIds(all_policies); vector ipv4_6_runs; // // // // //NamedObjectsManager named_objects_manager(persistent_objects, fw); // command line options -4 and -6 control address family for which // script will be generated. If "-4" is used, only ipv4 part will // be generated. If "-6" is used, only ipv6 part will be generated. // If neither is used, both parts will be done. 
if (options->getStr("ipv4_6_order").empty() || options->getStr("ipv4_6_order") == "ipv4_first") { if (ipv4_run) ipv4_6_runs.push_back(AF_INET); if (ipv6_run) ipv4_6_runs.push_back(AF_INET6); } if (options->getStr("ipv4_6_order") == "ipv6_first") { if (ipv6_run) ipv4_6_runs.push_back(AF_INET6); if (ipv4_run) ipv4_6_runs.push_back(AF_INET); } string object_groups_definitions; for (vector::iterator i=ipv4_6_runs.begin(); i!=ipv4_6_runs.end(); ++i) { int policy_af = *i; bool ipv6_policy = (policy_af == AF_INET6); // Count rules for each address family int policy_count = 0; for (list::iterator p=all_policies.begin(); p!=all_policies.end(); ++p) { Policy *policy = Policy::cast(*p); if (policy->matchingAddressFamily(policy_af)) policy_count++; } if (policy_count) { std::auto_ptr prep(new Preprocessor(objdb, fw, false)); if (inTestMode()) prep->setTestMode(); if (inEmbeddedMode()) prep->setEmbeddedMode(); prep->compile(); } for (list::iterator p=all_policies.begin(); p!=all_policies.end(); ++p) { Policy *policy = Policy::cast(*p); if (!policy->matchingAddressFamily(policy_af)) continue; PolicyCompiler_junosacl c(objdb, fw, ipv6_policy, oscnf.get()); // // // // //c.setNamedObjectsManager(&named_objects_manager); c.setSourceRuleSet( policy ); c.setRuleSetName(policy->getName()); c.setPersistentObjects(persistent_objects); c.setSingleRuleCompileMode(single_rule_id); if (inTestMode()) c.setTestMode(); if (inEmbeddedMode()) c.setEmbeddedMode(); c.setDebugLevel( dl ); if (rule_debug_on) c.setDebugRule( drp ); c.setVerbose( verbose ); if ( c.prolog() > 0) { c.compile(); c.epilog(); if (!single_rule_compile_on) { if (ipv6_policy) { policy_script += "\n\n"; policy_script += "# ================ IPv6\n"; policy_script += "\n\n"; } else { policy_script += "\n\n"; policy_script += "# ================ IPv4\n"; policy_script += "\n\n"; } } if (c.haveErrorsAndWarnings()) { all_errors.push_back(c.getErrors("").c_str()); } policy_script += c.getCompiledScript(); } else { info(" Nothing to 
compile in Policy"); } } } /* * compilers detach persistent objects when they finish, this * means at this point library persistent_objects is not part * of any object tree. */ objdb->reparent(persistent_objects); if (haveErrorsAndWarnings()) { all_errors.push_front(getErrors("").c_str()); } // // // // //object_groups_definitions += // // // // // named_objects_manager.getNamedObjectsDefinitions(); if (single_rule_compile_on) { return formSingleRuleCompileOutput( QString::fromUtf8( (object_groups_definitions + policy_script).c_str())); } system_configuration_script += object_groups_definitions; QString script_buffer = assembleFwScript( cluster, fw, !cluster_id.empty(), oscnf.get()); QString ofname = getAbsOutputFileName(file_names[FW_FILE]); info("Output file name: " + ofname.toStdString()); QFile fw_file(ofname); if (fw_file.open(QIODevice::WriteOnly)) { QTextStream fw_str(&fw_file); fw_str << script_buffer; fw_file.close(); fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup | QFile::ReadOther | QFile::ExeOwner | QFile::ExeGroup | QFile::ExeOther ); info(" Compiled successfully"); } else { QString err(" Failed to open file %1 for writing: %2; Current dir: %3"); abort(err.arg(fw_file.fileName()) .arg(fw_file.error()).arg(QDir::current().path()).toStdString()); } if (!all_errors.isEmpty()) status = BaseCompiler::FWCOMPILER_WARNING; } catch (FWException &ex) { status = BaseCompiler::FWCOMPILER_ERROR; return QString::fromUtf8((ex.toString().c_str())); } return ""; } fwbuilder-5.3.7/src/juniper_lib/OSConfigurator_junos.cpp000066400000000000000000000037731303637203600234450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "OSConfigurator_junos.h" #include "cisco_lib/Helper.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string OSConfigurator_junos::myPlatformName() { return "junos"; } int OSConfigurator_junos::prolog() { string host_os = fw->getStr("host_OS"); if (host_os!="junos") abort("Unsupported OS " + host_os ); return Compiler::prolog(); } void OSConfigurator_junos::processFirewallOptions() { } string OSConfigurator_junos::_printNameif() { ostringstream res; return res.str(); } string OSConfigurator_junos::_printIPAddress() { ostringstream res; return res.str(); } string OSConfigurator_junos::_printLogging() { ostringstream str; return str.str(); } void OSConfigurator_junos::addVirtualAddressForNAT(const Address*) { } void OSConfigurator_junos::addVirtualAddressForNAT(const Network*) { } fwbuilder-5.3.7/src/juniper_lib/OSConfigurator_junos.h000066400000000000000000000033111303637203600230760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _OSNETWORKCONFIGURATOR_JUNOS_HH #define _OSNETWORKCONFIGURATOR_JUNOS_HH #include "config.h" #include "fwcompiler/OSConfigurator.h" #include namespace fwcompiler { class OSConfigurator_junos : public OSConfigurator { std::string _printNameif(); std::string _printIPAddress(); std::string _printLogging(); public: virtual ~OSConfigurator_junos() {} OSConfigurator_junos(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy) : OSConfigurator(_db, fw, ipv6_policy) {} virtual int prolog(); virtual std::string myPlatformName(); virtual void processFirewallOptions(); virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr); virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw); }; } #endif fwbuilder-5.3.7/src/juniper_lib/PolicyCompiler_junosacl.cpp000066400000000000000000000526171303637203600241540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "PolicyCompiler_junosacl.h" // #include "NamedObjectsAndGroupsSupport.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Management.h" #include "fwbuilder/Network.h" #include "fwbuilder/ObjectMirror.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "compiler_lib/junosInterfaces.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_junosacl::myPlatformName() { return "junosacl"; } PolicyCompiler_junosacl::PolicyCompiler_junosacl(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf) : PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf) { resetinbound = false; fragguard = false; comment_symbol = "#"; } int PolicyCompiler_junosacl::prolog() { string version = fw->getStr("version"); string platform = fw->getStr("platform"); string host_os = fw->getStr("host_OS"); if (platform!="junosacl") abort("Unsupported platform " + platform ); fw->getOptionsObject()->setBool("generate_out_acl", true); fw->getOptionsObject()->setBool( "use_acl_remarks", fw->getOptionsObject()->getBool("iosacl_use_acl_remarks")); // object_groups = new Group(); // persistent_objects->add( object_groups ); setAllNetworkZonesToNone(); return PolicyCompiler::prolog(); } bool 
PolicyCompiler_junosacl::checkForDynamicInterface::findDynamicInterface( PolicyRule *rule, RuleElement *rel) { string vers=compiler->fw->getStr("version"); for (list::iterator i1=rel->begin(); i1!=rel->end(); ++i1) { FWObject *o = *i1; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Interface *iface=Interface::cast(obj); if (iface!=NULL && iface->isDyn()) compiler->abort( rule, "Dynamic interface can not be used in the IOS ACL rules."); } return true; } bool PolicyCompiler_junosacl::checkForDynamicInterface::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; findDynamicInterface(rule,rule->getSrc()); findDynamicInterface(rule,rule->getDst()); tmp_queue.push_back(rule); return true; } bool PolicyCompiler_junosacl::ValidateInterfaceUnitName::processNext() { assert(compiler!=NULL); assert(prev_processor!=NULL); slurp(); if (tmp_queue.size()==0) return false; junosInterfaces * jInterface = new junosInterfaces(); for (std::deque::iterator i=tmp_queue.begin(); i!=tmp_queue.end(); ++i) { if (PolicyRule *rule = PolicyRule::cast(*i)) if (FWObject *obj = FWReference::getObject(*rule->getItf()->begin())) { if (!jInterface->parseVlan(QString::fromStdString(obj->getName()), NULL, NULL)) compiler->abort(rule, QString("junosacl policy rules must use a 'unit ' subinterface, not the main interface. You used: ") .append(QString::fromStdString(obj->getName())) .toStdString()); } } return true; } /* * Copy all references from rule element re1 to rule element re2. 
*/ void PolicyCompiler_junosacl::mirrorRule::duplicateRuleElement( RuleElement *re1, RuleElement *re2) { re2->clearChildren(); for (list::iterator i1=re1->begin(); i1!=re1->end(); ++i1) { FWObject *obj = FWReference::getObject(*i1); re2->addRef(obj); } } bool PolicyCompiler_junosacl::mirrorRule::processNext() { //PolicyCompiler_iosacl *iosacl_comp=dynamic_cast(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; if (rule->getOptionsObject()->getBool("iosacl_add_mirror_rule")) { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setAction(rule->getAction()); switch (rule->getDirection()) { case PolicyRule::Inbound: r->setDirection(PolicyRule::Outbound); break; case PolicyRule::Outbound: r->setDirection(PolicyRule::Inbound); break; default: r->setDirection(PolicyRule::Both); break; } RuleElementSrc *osrc = rule->getSrc(); RuleElementDst *odst = rule->getDst(); RuleElementSrv *osrv = rule->getSrv(); RuleElementItf *oitf = rule->getItf(); RuleElementSrc *nsrc = r->getSrc(); RuleElementDst *ndst = r->getDst(); RuleElementSrv *nsrv = r->getSrv(); RuleElementItf *nitf = r->getItf(); duplicateRuleElement(osrc, ndst); duplicateRuleElement(odst, nsrc); duplicateRuleElement(oitf, nitf); if (!osrv->isAny()) { ObjectMirror mirror; nsrv->clearChildren(); for (list::iterator i1=osrv->begin(); i1!=osrv->end(); ++i1) { Service *nobj = mirror.getMirroredService( Service::cast(FWReference::getObject(*i1))); if (nobj->getParent() == NULL) compiler->persistent_objects->add(nobj, false); nsrv->addRef(nobj); } } tmp_queue.push_back(r); } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_junosacl::SpecialServices::processNext() { //PolicyCompiler_iosacl *iosacl_comp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; Service *s = compiler->getFirstSrv(rule); if (IPService::cast(s)!=NULL) { if (s->getBool("rr") || s->getBool("ssrr") || s->getBool("ts") ) compiler->abort( 
rule, "IOS ACL does not support checking for IP options in ACLs."); } if (TCPService::cast(s)!=NULL && TCPService::cast(s)->inspectFlags()) { string version = compiler->fw->getStr("version"); if (XMLTools::version_compare(version, "12.4")<0) compiler->abort(rule, "TCP flags match requires IOS v12.4 or later."); } tmp_queue.push_back(rule); return true; } /* * This rule processor is used to separate TCP service objects that * match tcp flags when generated config uses object-group clause */ bool PolicyCompiler_junosacl::splitTCPServiceWithFlags::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srv = rule->getSrv(); if (srv->size() > 1) { std::list cl; for (list::iterator i1=srv->begin(); i1!=srv->end(); ++i1) { FWObject *o = *i1; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Service *s=Service::cast(obj); assert(s!=NULL); TCPService *tcp_srv = TCPService::cast(s); if (tcp_srv && (tcp_srv->inspectFlags() || tcp_srv->getEstablished())) cl.push_back(s); } while (!cl.empty()) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementSrv *nsrv = r->getSrv(); nsrv->clearChildren(); nsrv->addRef( cl.front() ); tmp_queue.push_back(r); srv->removeRef( cl.front() ); cl.pop_front(); } if (srv->size()>0) tmp_queue.push_back(rule); } else tmp_queue.push_back(rule); return true; } bool PolicyCompiler_junosacl::checkIPv4FragmentService::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srv = rule->getSrv(); if (srv->size() > 1) { CustomService *fragment_srv = NULL; for (list::iterator i1=srv->begin(); i1!=srv->end(); ++i1) { FWObject *o = *i1; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Service *s=Service::cast(obj); assert(s!=NULL); CustomService *custom_srv = CustomService::cast(s); if (custom_srv && 
(!custom_srv->getCodeForPlatform(compiler->myPlatformName()).substr(0, 15).compare("fragment-offset")) ) { if (!fragment_srv) { fragment_srv = custom_srv; } else { if (fragment_srv->getId() != custom_srv->getId()) compiler->abort( rule, "You have contradicting IPv4 fragmentation services in the same rule."); } } } } tmp_queue.push_back(rule); return true; } void PolicyCompiler_junosacl::compile() { string banner = " Compiling ruleset " + getSourceRuleSet()->getName(); if (ipv6) banner += ", IPv6"; info(banner); string version = fw->getStr("version"); bool supports_object_groups = XMLTools::version_compare(version, "12.4")>=0 && fw->getOptionsObject()->getBool("iosacl_use_object_groups") && ! ipv6; Q_UNUSED(supports_object_groups); string vers = fw->getStr("version"); string platform = fw->getStr("platform"); Compiler::compile(); if ( fw->getOptionsObject()->getBool ("check_shading") && ! inSingleRuleCompileMode()) { add( new Begin("Detecting rule shadowing" ) ); add( new printTotalNumberOfRules()); add( new ItfNegation("process negation in Itf" ) ); add( new InterfacePolicyRules( "process interface policy rules and store interface ids")); add( new recursiveGroupsInSrc("check for recursive groups in SRC")); add( new recursiveGroupsInDst("check for recursive groups in DST")); add( new recursiveGroupsInSrv("check for recursive groups in SRV")); add( new emptyGroupsInSrc( "check for empty groups in SRC" ) ); add( new emptyGroupsInDst( "check for empty groups in DST" ) ); add( new emptyGroupsInSrv( "check for empty groups in SRV" ) ); add( new ExpandGroups("expand groups")); add( new dropRuleWithEmptyRE( "drop rules with empty rule elements")); add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC")); add( new eliminateDuplicatesInDST("eliminate duplicates in DST")); add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV")); add( new checkIPv4FragmentService("Avoid contradiction IPv4 fragmentation services")); //add( new ExpandMultipleAddressesInSrc( // 
"expand objects with multiple addresses in SRC" ) ); //add( new ExpandMultipleAddressesInDst( // "expand objects with multiple addresses in DST" ) ); add( new dropRuleWithEmptyRE( "drop rules with empty rule elements")); add( new mirrorRule("Add mirrored rules")); //add( new ConvertToAtomic("convert to atomic rules" ) ); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add( new DetectShadowing("Detect shadowing" ) ); add( new simplePrintProgress() ); runRuleProcessors(); deleteRuleProcessors(); } add( new Begin (" Start processing rules" ) ); add( new printTotalNumberOfRules ( ) ); add( new singleRuleFilter()); add( new recursiveGroupsInSrc( "check for recursive groups in SRC" ) ); add( new recursiveGroupsInDst( "check for recursive groups in DST" ) ); add( new recursiveGroupsInSrv( "check for recursive groups in SRV" ) ); add( new emptyGroupsInSrc( "check for empty groups in SRC" ) ); add( new emptyGroupsInDst( "check for empty groups in DST" ) ); add( new emptyGroupsInSrv( "check for empty groups in SRV" ) ); add( new ExpandGroups ("expand groups" ) ); add( new dropRuleWithEmptyRE( "drop rules with empty rule elements")); add( new eliminateDuplicatesInSRC( "eliminate duplicates in SRC" ) ); add( new eliminateDuplicatesInDST( "eliminate duplicates in DST" ) ); add( new eliminateDuplicatesInSRV( "eliminate duplicates in SRV" ) ); add( new checkIPv4FragmentService("Avoid contradiction IPv4 fragmentation services")); // TODO: fix processMultiAddressObjects // add( new processMultiAddressObjectsInSrc( // "process MultiAddress objects in Src") ); // add( new processMultiAddressObjectsInDst( // "process MultiAddress objects in Dst") ); add( new expandGroupsInItf("expand groups in Interface" )); add( new replaceClusterInterfaceInItf( "replace cluster interfaces with member interfaces in the Interface rule element")); add( new ItfNegation( "process negation in Itf" ) ); // TODO: does this function do what we want it to do? 
add( new InterfacePolicyRules( "process interface policy rules and store interface ids") ); add( new groupServicesByProtocol ("split rules with different protocols" ) ); add( new ExpandMultipleAddressesInSrc( "expand objects with multiple addresses in SRC" ) ); // add( new MACFiltering ("check for MAC address filtering" ) ); //// add( new splitByNetworkZonesForSrc ("split rule if objects in Src belong to different network zones " ) ); //// add( new replaceFWinDSTPolicy ("replace fw with its interface in DST in global policy rules") ); add( new ExpandMultipleAddressesInDst( "expand objects with multiple addresses in DST" ) ); // add( new MACFiltering( // "check for MAC address filtering" ) ); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); //// add( new splitByNetworkZonesForDst ("split rule if objects in Dst belong to different network zones " ) ); if (ipv6) add( new DropIPv4Rules("drop ipv4 rules")); else add( new DropIPv6Rules("drop ipv6 rules")); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new checkForUnnumbered("check for unnumbered interfaces")); add( new separateSrcAndDstPort("check for services with both src and dst port specified")); add( new separateSrcPort("split services with src port specified")); // if ( ! 
supports_object_groups) // add( new addressRanges("process address ranges")); // add( new mirrorRule("Add mirrored rules")); // add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); // add( new setInterfaceAndDirectionBySrc( // "Set interface and direction for rules with interface 'all' using SRC")); // add( new setInterfaceAndDirectionByDst( // "Set interface and direction for rules with interface 'all' using DST")); // add( new setInterfaceAndDirectionIfInterfaceSet( // "Set direction for rules with interface not 'all'")); // add( new specialCaseWithDynInterface( // "check for a special cases with dynamic interface" ) ); // first arg is true because we use "ip access-list" for IOS. // add( new ConvertToAtomic ("convert to atomic rules" ) ); add( new ValidateInterfaceUnitName("validate interface unit name") ); add( new pickACL( true, "assign ACLs" ) ); // add( new SpecialServices( "check for special services" ) ); // add( new CheckForUnsupportedUserService("check for user service") ); // add( new checkForZeroAddr( "check for zero addresses" ) ); // add( new checkForDynamicInterface("check for dynamic interfaces" ) ); // /* remove redundant objects only after all splits has been // * done, right before object groups are created // */ // add( new removeRedundantAddressesFromSrc( // "remove redundant addresses from Src") ); // add( new removeRedundantAddressesFromDst( // "remove redundant addresses from Dst") ); // add( new checkForObjectsWithErrors( // "check if we have objects with errors in rule elements")); // if (supports_object_groups) // { // // "object-group service" does not seem to support // // matching of tcp flags and "established". 
Need to // // separate objects using these into separate rules to avoid // // object-group // add( new splitTCPServiceWithFlags( // "separate TCP service with tcp flags")); // add( new CreateObjectGroupsForSrc("create object groups for Src", // named_objects_manager)); // add( new CreateObjectGroupsForDst("create object groups for Dst", // named_objects_manager)); // add( new CreateObjectGroupsForSrv("create object groups for Srv", // named_objects_manager)); // } else // { // add( new ConvertToAtomic ("convert to atomic rules" ) ); // } // add( new simplePrintProgress()); // add( new createNewCompilerPass("Creating object groups and ACLs")); // This processor prints each ACL separately in one block. // It adds comments inside to denote original rules. // add( new PrintCompleteACLs("Print ACLs")); add( new simplePrintProgress()); runRuleProcessors(); } string PolicyCompiler_junosacl::printAccessGroupCmd(ciscoACL *acl, bool neg) { (void) neg; // Unused ostringstream str; string addr_family_prefix = "inet"; if (ipv6) addr_family_prefix = "inet6"; if (getSourceRuleSet()->isTop()) { string dir; if (acl->direction()=="in" || acl->direction()=="Inbound") dir="input"; if (acl->direction()=="out" || acl->direction()=="Outbound") dir="output"; str << "interfaces {\n"; str << " " << acl->getInterface()->getParent()->getName() << " {\n"; str << " " << acl->getInterface()->getName() << " {\n"; str << " family " << addr_family_prefix << " {\n"; str << " filter {\n"; string filter_prefix = fw->getOptionsObject()->getStr("filter_prefix"); if (filter_prefix.empty()) filter_prefix = "fwbfilter"; filter_prefix += "_"; str << " " << dir << " " << filter_prefix << acl->workName() << ";\n"; str << " }\n"; str << " }\n"; str << " }\n"; str << " }\n"; str << "}\n"; /* str << "interface " << acl->getInterface()->getName() << endl; if (neg) str << " no"; str << " " << addr_family_prefix << " "; str << getAccessGroupCommandForAddressFamily(ipv6); str << " " << acl->workName() << " " << dir 
<< endl; str << "exit" << endl; */ } return str.str(); } void PolicyCompiler_junosacl::epilog() { output << endl; // output << "Epilog, acls size: " << acls.size() << endl; for (map::iterator i=acls.begin(); i!=acls.end(); ++i) { ciscoACL *acl=(*i).second; if (acl->size()!=0) output << printAccessGroupCmd(acl, false); } output << endl; if ( fw->getOptionsObject()->getBool("iosacl_regroup_commands") ) { info(" Regrouping commands"); regroup(); } } string PolicyCompiler_junosacl::getAccessGroupCommandForAddressFamily(bool ipv6) { if (ipv6) return "traffic-filter"; return "access-group"; } string PolicyCompiler_junosacl::printClearCommands() { ostringstream output; string version = fw->getStr("version"); string platform = fw->getStr("platform"); string xml_element = "clear_ip_acl"; if (ipv6) xml_element = "clear_ipv6_acl"; string clearACLCmd = Resources::platform_res[platform]->getResourceStr( string("/FWBuilderResources/Target/options/") + "version_" + version + "/iosacl_commands/" + xml_element); assert( !clearACLCmd.empty()); // No need to output "clear" commands in single rule compile mode if ( fw->getOptionsObject()->getBool("iosacl_acl_basic") || fw->getOptionsObject()->getBool("iosacl_acl_substitution")) { for (map::iterator i=acls.begin(); i!=acls.end(); ++i) { ciscoACL *acl = (*i).second; output << clearACLCmd << " " << acl->workName() << endl; } } return output.str(); } fwbuilder-5.3.7/src/juniper_lib/PolicyCompiler_junosacl.h000066400000000000000000000274501303637203600236160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICYCOMPILER_JUNOSACL_HH #define __POLICYCOMPILER_JUNOSACL_HH #include #include "fwcompiler/PolicyCompiler.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "cisco_lib/Helper.h" #include "cisco_lib/ACL.h" #include "cisco_lib/PolicyCompiler_cisco.h" #include namespace libfwbuilder { class IPService; class ICMPService; class TCPService; class UDPService; class RuleElementSrc; class RuleElementDst; class RuleElementSrv; class Group; } namespace fwcompiler { class PolicyCompiler_junosacl : public PolicyCompiler_cisco { protected: std::string comment_symbol; /** * dynamic interfaces can not be used in policy rules in JUNOS ACLs */ friend class checkForDynamicInterface; class checkForDynamicInterface : public PolicyRuleProcessor { bool findDynamicInterface(libfwbuilder::PolicyRule *rule, libfwbuilder::RuleElement *re); public: checkForDynamicInterface(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; DECLARE_POLICY_RULE_PROCESSOR( ValidateInterfaceUnitName ); /* ************************************************************************* * * the following rule processors are intended for IOSACL < 7.0 * the code is in the module PolicyCompiler_iosacl_v6_acls.cpp * ************************************************************************* */ /** * verifies combination of interface and direction and * fills interface and direction. After this predicate it * is guaranteed that both interface and direction have * some value. In certain situations interface ID may be * set to "nil" though (e.g. global policy rules). 
*/ DECLARE_POLICY_RULE_PROCESSOR( InterfaceAndDirection_v6 ); /** * if interface has not been defined (this is global policy * rule), then multiply the rule for each interface and set * direction to "Inbound" */ DECLARE_POLICY_RULE_PROCESSOR( assignRuleToInterface_v6 ); /** * split rules with direction "both". * TODO: This is used in OpenBSD pf. Move to class PolicyCompiler */ DECLARE_POLICY_RULE_PROCESSOR( SplitDirection_v6 ); /** * in IOSACL, ACLs are always applied on interface and direction * can only be "inbound". We emulate outbound ACLs though. */ DECLARE_POLICY_RULE_PROCESSOR( EmulateOutboundACL_v6 ); /** * determine acl rules should belong to */ DECLARE_POLICY_RULE_PROCESSOR( pickACL_v6 ); friend class PolicyCompiler_junosacl::pickACL_v6; /* ************************************************************************* * * end of module PolicyCompiler_iosacl_v6_acls.cpp * ************************************************************************* */ /* ************************************************************************* * * rule processors intended to manage ACLs for IOSACL < 7.0 are inherited * from PolicyCompiler_cisco. * The code is in the module PolicyCompiler_cisco_acls.cpp * * The processors assume that all objects in src and dst * belong to the same network zone (respectively) * * All these rule processors assume outbound ACLs are supported. * Check corresponding capability flag and do not include these * processors in the processors chain in iosacl.cpp if outbound acls * are not supported. * ************************************************************************* */ /** * this processor checks for the services which require * special treatment. Some of these will be checking for * source or destination object as well because special * command may need to be generated in case source or * destination is a firewall itself. 
Therefore this processor * should be called after converting to atomic rules, but * before interface addresses in source and destination are * expanded. */ DECLARE_POLICY_RULE_PROCESSOR( SpecialServices ); friend class PolicyCompiler_junosacl::SpecialServices; /** * to implement action "Reject" add command "service resetinbound" */ DECLARE_POLICY_RULE_PROCESSOR( RejectAction ); friend class PolicyCompiler_junosacl::RejectAction; /** * Implements "mirrored" rules */ class mirrorRule : public PolicyRuleProcessor { void duplicateRuleElement(libfwbuilder::RuleElement *re1, libfwbuilder::RuleElement *re2); public: mirrorRule(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class PolicyCompiler_junosacl::mirrorRule; /** * this processor accumulates all rules fed to it by previous * * processors, prints commands to clear access-lists, then * feeds all rules to the next processor. Usually this * processor is in chain right before PrintRules. * * We use this processor to print "clear" commands because * they need to be generated when all access lists have been * created but before they are printed. */ class ClearACLs : public PolicyRuleProcessor { public: ClearACLs(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class PolicyCompiler_junosacl::ClearACLs; /** * "object-group service" does not seem to support matching of * tcp flags and "established". 
Need to separate objects using * these into separate rules to avoid object-group */ DECLARE_POLICY_RULE_PROCESSOR(splitTCPServiceWithFlags); friend class PolicyCompiler_junosacl::splitTCPServiceWithFlags; /** * Avoid contradiction IPv4 fragmentation services */ DECLARE_POLICY_RULE_PROCESSOR(checkIPv4FragmentService); friend class PolicyCompiler_junosacl::checkIPv4FragmentService; /** * this processor prints single policy rule, assuming all * groups have been expanded, so source, destination and * service hold exactly one object each, and this object is * not a group. Negation should also have been taken care of * before this method is called. */ class PrintRule : public PolicyRuleProcessor { protected: std::string current_rule_label1; std::map current_rule_label2; int aclLineCounter; int termNumber; std::map reject_icmp_reason; std::string _printPortRangeOp(int rs, int re); std::string getTcpFlagName(const libfwbuilder::TCPService::TCPFlag f); std::string _printSrcService(libfwbuilder::Service *srv); std::string _printDstService(libfwbuilder::Service *srv); std::string _printAddr(libfwbuilder::Address *o); std::string _printProtocol(libfwbuilder::Service *srv); std::string _printTCPFlags(libfwbuilder::TCPService *srv); std::string _printAction(libfwbuilder::PolicyRule *r); std::string _printACL(libfwbuilder::PolicyRule *r); std::string _printLog(libfwbuilder::PolicyRule *r); std::string _printIPServiceOptions(libfwbuilder::PolicyRule *r); std::string _printRule(libfwbuilder::PolicyRule *rule); public: PrintRule(const std::string &name) : PolicyRuleProcessor(name) { aclLineCounter=0; termNumber=0; reject_icmp_reason.insert(std::pair("ICMP admin prohibited", "administratively-prohibited")); reject_icmp_reason.insert(std::pair("ICMP host prohibited", "host-prohibited")); reject_icmp_reason.insert(std::pair("ICMP host unreachable", "host-unreachable")); reject_icmp_reason.insert(std::pair("ICMP net prohibited", "network-prohibited")); 
reject_icmp_reason.insert(std::pair("ICMP net unreachable", "network-unreachable")); reject_icmp_reason.insert(std::pair("ICMP port unreachable", "port-unreachable")); reject_icmp_reason.insert(std::pair("ICMP protocol unreachable", "protocol-unreachable")); reject_icmp_reason.insert(std::pair("TCP RST", "tcp-reset")); } virtual bool processNext(); }; friend class PolicyCompiler_junosacl::PrintRule; /** * this processor accumulates all rules fed to it by previous * * processors, prints commands to clear access-lists, then * generates commands for the new ACLs. * */ class PrintCompleteACLs : public PrintRule { public: PrintCompleteACLs(const std::string &n) : PrintRule(n) {} virtual bool processNext(); struct printRulesForACL : public std::unary_function { ciscoACL *acl; std::stringstream *output; PolicyCompiler_junosacl *iosacl_comp; PolicyCompiler_junosacl::PrintCompleteACLs *print_acl_p; printRulesForACL(PolicyCompiler_junosacl *_comp, PolicyCompiler_junosacl::PrintCompleteACLs *pp, ciscoACL* _acl, std::stringstream *_out) { iosacl_comp = _comp; print_acl_p = pp; acl = _acl; output = _out; } // print rule if it belongs to ACL void operator() (libfwbuilder::Rule* x); }; friend struct PrintCompleteACLs::printRulesForACL; }; friend class PolicyCompiler_junosacl::PrintCompleteACLs;; bool resetinbound; bool fragguard; int termNumber; protected: virtual std::string myPlatformName(); virtual std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false); public: PolicyCompiler_junosacl(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf); virtual ~PolicyCompiler_junosacl() {} virtual int prolog(); virtual void compile(); virtual void epilog(); virtual std::string printClearCommands(); static std::string getAccessGroupCommandForAddressFamily(bool ipv6); }; } #endif 
fwbuilder-5.3.7/src/juniper_lib/PolicyCompiler_junosacl_writers.cpp000066400000000000000000000561041303637203600257260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PolicyCompiler_junosacl.h" #include "cisco_lib/IOSObjectGroup.h" // #include "NamedObjectsAndGroupsSupport.h" #include "cisco_lib/PortRangeConverter.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Network.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; bool PolicyCompiler_junosacl::ClearACLs::processNext() { PolicyCompiler_junosacl *junosacl_comp=dynamic_cast(compiler); string vers = 
compiler->fw->getStr("version");
    string platform = compiler->fw->getStr("platform");
    string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
        string("/FWBuilderResources/Target/options/")+
        "version_"+vers+"/iosacl_commands/clear_acl");

    slurp();
    if (tmp_queue.size()==0) return false;

    // Optional "clear" preamble. The option names and the resource path are
    // still the iosacl ones; only clear_acl is actually written below.
    if ( compiler->fw->getOptionsObject()->getBool("iosacl_acl_basic") )
    {
        compiler->output << clearACLcmd << endl;
    }

    if (compiler->fw->getOptionsObject()->getBool("iosacl_acl_substitution"))
    {
        for (map::iterator i=junosacl_comp->acls.begin();
             i!=junosacl_comp->acls.end(); ++i)
        {
            ciscoACL *acl=(*i).second;
            compiler->output << clearACLcmd << " " << acl->workName() << endl;
        }
        compiler->output << endl;
    }

    if ( !compiler->fw->getOptionsObject()->getBool("iosacl_acl_no_clear") )
    {
        // The three resource strings are looked up but never emitted (the
        // output lines are commented out), so this branch has no effect on
        // the generated configuration apart from the resource lookups.
        string clearICMPcmd = Resources::platform_res[platform]->getResourceStr(
            string("/FWBuilderResources/Target/options/")+
            "version_"+vers+"/iosacl_commands/clear_icmp");
        string clearTelnetcmd = Resources::platform_res[platform]->getResourceStr(
            string("/FWBuilderResources/Target/options/")+
            "version_"+vers+"/iosacl_commands/clear_telnet");
        string clearSSHcmd = Resources::platform_res[platform]->getResourceStr(
            string("/FWBuilderResources/Target/options/")+
            "version_"+vers+"/iosacl_commands/clear_ssh");
        //compiler->output << clearICMPcmd << endl;
        //compiler->output << clearTelnetcmd << endl;
        //compiler->output << clearSSHcmd << endl;
    }
    return true;
}

/*
 * Functor applied by PrintCompleteACLs::processNext() to every rule in the
 * queue: the rule is printed through PrintRule::_printRule() only when its
 * "acl" attribute resolves to the ACL this functor was constructed for.
 *
 * An empty "acl" attribute, or a name the compiler has no ACL for, trips
 * the asserts. With asserts compiled out, and acls being a std::map, the
 * operator[] lookup inserts a NULL entry for an unknown name and the rule
 * is then silently skipped because acl != NULL.
 *
 * Style: the member is still called iosacl_comp here while the rest of this
 * file uses junosacl_comp for the same compiler pointer.
 */
void PolicyCompiler_junosacl::PrintCompleteACLs::printRulesForACL::operator()(
    Rule* rule)
{
    // print rule if it belongs to ACL
    PolicyRule *prule = PolicyRule::cast(rule);
    string acl_name = prule->getStr("acl");
    assert (acl_name!="");
    ciscoACL *rule_acl = iosacl_comp->acls[acl_name];
    assert(rule_acl!=NULL);
    if (acl == rule_acl)
    {
        *output << print_acl_p->_printRule(prule);
    }
}

/*
 * Drain the rule queue and write one complete Junos firewall filter per ACL
 * known to the compiler:
 *
 *   firewall { family inet|inet6 { replace: filter <prefix>_<acl> { ...terms... } } }
 *
 * The "replace:" tag marks the filter for replacement when the text is
 * loaded on the device. The address family follows junosacl_comp->ipv6.
 * Every queued rule is passed through printRulesForACL for every ACL, and
 * the functor filters by the rule's "acl" attribute.
 *
 * Returns false when the queue is empty, true otherwise.
 *
 * NOTE(review): filter_prefix is read from the firewall options and written
 * verbatim into the filter name with no check that it is a valid Junos
 * identifier; a value containing whitespace, '{', '}' or ';' changes the
 * structure of the emitted configuration. Only the empty case is handled
 * (defaults to "fwbfilter").
 *
 * NOTE(review): template arguments (e.g. of dynamic_cast and map::iterator)
 * appear to have been stripped from this rendering of the file; compare
 * with the repository source before relying on the exact types.
 */
bool PolicyCompiler_junosacl::PrintCompleteACLs::processNext()
{
    PolicyCompiler_junosacl *junosacl_comp=dynamic_cast(compiler);
    slurp();
    if (tmp_queue.size()==0) return false;

    string addr_family_prefix = "family inet {\n";
    if (junosacl_comp->ipv6) addr_family_prefix = "family inet6 {\n";

    for (map::iterator i=junosacl_comp->acls.begin();
         i!=junosacl_comp->acls.end(); ++i)
    {
        ciscoACL *acl=(*i).second;
        compiler->output << "firewall {\n"
                         << " " << addr_family_prefix
                         << " " << "replace:\n"
                         << " " << "filter ";
        string filter_prefix = compiler->fw->getOptionsObject()->getStr("filter_prefix");
        if (filter_prefix.empty()) filter_prefix = "fwbfilter";
        filter_prefix += "_";
        compiler->output<< filter_prefix << acl->workName() << " {\n";
        std::for_each(tmp_queue.begin(), tmp_queue.end(),
                      printRulesForACL(junosacl_comp, this, acl, &(compiler->output)));
        compiler->output << " }\n }\n}" << endl;
    }
    return true;
}

/*
 * Render one policy rule as a Junos filter "term" and return its text.
 *
 * The term gets a "from" section (source-address, destination-address,
 * protocol or next-header, source-port / destination-port or TCP flag
 * match) and a "then" section (optional count, optional syslog, action).
 * The "from" section is only opened when at least one of src/dst/srv is
 * not "any"; an element that contains an "any" object anywhere is treated
 * as "any" as a whole and its block is omitted.
 *
 * Side effects:
 *  - termNumber is incremented once per call (sequential term numbers);
 *  - when the option "<platform>_include_comments" is set the rule comment
 *    is written straight to compiler->output, not into the returned string,
 *    so it precedes the term text that the caller writes afterwards;
 *  - the second half of the function assembles an IOS-style access-list
 *    line in aclstr and records it with acl->addLine(). That line is not
 *    part of the returned Junos text; this code is carried over from the
 *    IOS writer and is kept only for that side effect.
 *
 * NOTE(review): counter_name (from the rule options) and, with
 * "use_acl_remarks", the rule label and comment are copied into the
 * configuration verbatim with no validation; a value containing '{', '}',
 * ';' or a newline changes the structure of the generated filter.
 *
 * NOTE(review): members of src/dst/srv are dereferenced after
 * Address::cast()/Service::cast() without a NULL check; presumably earlier
 * rule processors guarantee that every member resolves to such an object.
 */
string PolicyCompiler_junosacl::PrintRule::_printRule(PolicyRule *rule)
{
    PolicyCompiler_junosacl *junosacl_comp=dynamic_cast(compiler);
    ostringstream ruleout;
    string platform = compiler->fw->getStr("platform");
    bool write_comments = compiler->fw->getOptionsObject()->getBool(
        platform + "_include_comments");

    ruleout << " term " << termNumber++ << " {\n";

    // Goes to compiler->output directly, not into ruleout (see header).
    if (write_comments)
        compiler->output << compiler->printComment(
            rule, current_rule_label1, junosacl_comp->comment_symbol);

    RuleElementSrc *src=rule->getSrc();
    RuleElementDst *dst=rule->getDst();
    RuleElementSrv *srv=rule->getSrv();
    FWObject *srvobj = srv->front();

    // Scan each element for an "any" member.
    bool src_contains_any = false;
    bool dst_contains_any = false;
    bool srv_contains_any = false;
    for (FWObject::iterator i1=src->begin(); i1!=src->end(); i1++)
    {
        if (Address::cast(FWReference::cast(*i1)->getPointer())->isAny())
        {
            src_contains_any = true;
            break;
        }
    }
    for (FWObject::iterator i2=dst->begin(); i2!=dst->end(); i2++)
    {
        if (Address::cast(FWReference::cast(*i2)->getPointer())->isAny())
        {
            dst_contains_any = true;
            break;
        }
    }
    for (FWObject::iterator i3=srv->begin(); i3!=srv->end(); i3++)
    {
        if (Service::cast(FWReference::cast(*i3)->getPointer())->isAny())
        {
            srv_contains_any = true;
            break;
        }
    }

    // "from { ... }" only when something is actually matched on.
    if (!src_contains_any || !dst_contains_any || !srv_contains_any)
        ruleout << " from {\n";

    if ((src->size() > 0) && !src_contains_any)
    {
        ruleout << " source-address {\n";
        FWObject* o;
        for (FWObject::iterator i1=src->begin(); i1!=src->end(); i1++)
        {
            o = FWReference::cast(*i1)->getPointer();
            ruleout << " " << _printAddr(Address::cast(o)) << ";\n";
        }
        ruleout << " }\n"; // source-address {
    }

    if ((dst->size() > 0) && !dst_contains_any)
    {
        ruleout << " destination-address {\n";
        FWObject* o;
        for (FWObject::iterator i2=dst->begin(); i2!=dst->end(); i2++)
        {
            o = FWReference::cast(*i2)->getPointer();
            ruleout << " " << _printAddr(Address::cast(o)) << ";\n";
        }
        ruleout << " }\n"; // destination-address {
    }

    // BEGIN SERVICE
    // Junos uses "protocol" for IPv4 filters and "next-header" for IPv6.
    string protocol_command = junosacl_comp->ipv6 ? "next-header " : "protocol ";
    if (srv->size() == 1)
    {
        if (FWReference::cast(srvobj)!=NULL)
        {
            srvobj=FWReference::cast(srvobj)->getPointer();
            assert(srvobj);
        }
        if ( compiler->getFirstSrv(rule) && !compiler->getFirstSrv(rule)->isAny() )
            ruleout << " " << protocol_command
                    << _printProtocol(Service::cast(srvobj)) << ";\n";

        string serviceStr = _printSrcService( compiler->getFirstSrv(rule) );
        if (serviceStr.size())
            ruleout << " " << serviceStr << ";\n";

        serviceStr = "";
        serviceStr = _printDstService( compiler->getFirstSrv(rule) );
        if (serviceStr.size())
        {
            // A leading digit is taken to mean a port (range). NOTE(review):
            // _printDstService() also returns the bare type number for ICMP
            // services, which this test would label as destination-port;
            // confirm that is intended.
            if (isdigit(serviceStr.at(0)))
                ruleout << " destination-port " << serviceStr << ";\n";
            else
                ruleout << " " << serviceStr << ";\n";
        }
    }
    else
    {
        // Several service objects: the protocol of the first one is used for
        // the whole term and all members go into one destination-port list.
        // NOTE(review): TCPUDPService::cast() yields NULL for a member that is
        // not TCP/UDP, which _printDstService() would then dereference;
        // presumably an earlier processor guarantees a homogeneous TCP/UDP
        // set here — confirm.
        ruleout << " " << protocol_command
                << _printProtocol(Service::cast(FWReference::cast(srvobj)->getPointer()))
                << ";\n";
        ruleout << " destination-port [ ";
        FWObject* o;
        for (FWObject::iterator i3=srv->begin(); i3!=srv->end(); i3++)
        {
            o = FWReference::cast(*i3)->getPointer();
            ruleout << _printDstService(TCPUDPService::cast(o)) << " ";
        }
        ruleout << "];\n";
    }
    // END SERVICE

    if (!src_contains_any || !dst_contains_any || !srv_contains_any)
        ruleout << " }\n"; // from {

    ruleout << " then {\n";
    // Counter name is emitted as-is (see NOTE in the header).
    string counter_name = rule->getOptionsObject()->getStr("counter_name");
    if (!counter_name.empty())
        ruleout << " count " << counter_name << ";\n";
    // Logging in the Junos term is "syslog"; _printLog() below is only used
    // for the IOS-style aclstr line.
    if (rule->getLogging())
        ruleout << " syslog;\n";
    ruleout << " " << _printAction(rule) << ";\n";
    ruleout << " }\n"; // then {
    ruleout << " }\n"; // term x {

    //return ruleout.str();

    // ---- Carried over from the IOS access-list writer (see header) ----
    //FWOptions *ruleopt =rule->getOptionsObject();
    // ostringstream ruleout;
    ostringstream aclstr;

    // if (write_comments)
    // compiler->output << compiler->printComment(
    // rule, current_rule_label1, junosacl_comp->comment_symbol);

    /*
     * (Historical comment from the IOS writer; the term text built above
     * iterates over all members of each element.)
     * all three rule elements contain exactly one object, which can
     * be either group (in case processor CreateObjectGroups created
     * object group for it) or a regular object
     */
    // RuleElementSrc *src=rule->getSrc();
    // RuleElementDst *dst=rule->getDst();
    // RuleElementSrv *srv=rule->getSrv();
    //assert(src->size()==1);
    //assert(dst->size()==1);
    //assert(srv->size()==1);

    FWObject *srcobj = src->front();
    FWObject *dstobj = dst->front();
    //FWObject *srvobj = srv->front();

    assert(srcobj);
    assert(dstobj);
    assert(srvobj);

    if (FWReference::cast(srcobj)!=NULL)
    {
        srcobj=FWReference::cast(srcobj)->getPointer();
        assert(srcobj);
    }
    if (FWReference::cast(dstobj)!=NULL)
    {
        dstobj=FWReference::cast(dstobj)->getPointer();
        assert(dstobj);
    }
    if (FWReference::cast(srvobj)!=NULL)
    {
        srvobj=FWReference::cast(srvobj)->getPointer();
        assert(srvobj);
    }

    string acl_name=rule->getStr("acl");
    assert (acl_name!="");
    ciscoACL *acl = junosacl_comp->acls[acl_name];
    assert(acl!=NULL);

    /*
     * Assemble ACL command in aclstr
     */
    aclstr << _printAction(rule);

    IOSObjectGroup *pgsrc = IOSObjectGroup::cast(srcobj);
    IOSObjectGroup *pgdst = IOSObjectGroup::cast(dstobj);
    IOSObjectGroup *pgsrv = IOSObjectGroup::cast(srvobj);

    /*
     * Possible configurations:
     *
     * permit object-group service_group object-group src_grp object-group dst_grp
     * permit object-group service_group SRC_SPEC DST_SPEC
     * permit SRC_SPEC DST_SPEC
     *
     * Where SRC_SPEC and DST_SPEC are
     * object-group network_group
     * or traditional
     *
     */
    if ( pgsrv!=NULL && pgsrv->isServiceGroup())
    {
        aclstr << "object-group " << pgsrv->getName();
        aclstr << " ";
        if ( pgsrc!=NULL && pgsrc->isObjectGroup())
        {
            aclstr << "object-group " << pgsrc->getName();
            aclstr << " ";
        } else
        {
            aclstr << _printAddr( compiler->getFirstSrc(rule) );
        }
        if ( pgdst!=NULL && pgdst->isObjectGroup())
        {
            aclstr << "object-group " << pgdst->getName();
            aclstr << " ";
        } else
        {
            aclstr << _printAddr( compiler->getFirstDst(rule) );
        }
    } else
    {
        // Service is not object group
        // NOTE(review): the protocol is appended twice; the duplicated line
        // looks unintentional.
        aclstr << _printProtocol(Service::cast(srvobj));
        aclstr << _printProtocol(Service::cast(srvobj));
        aclstr << " ";
        if ( pgsrc!=NULL && pgsrc->isObjectGroup())
        {
            aclstr << "object-group " << pgsrc->getName();
            aclstr << " ";
        } else
        {
            aclstr << _printAddr( compiler->getFirstSrc(rule) );
        }
        aclstr << _printSrcService( compiler->getFirstSrv(rule) );
        if ( pgdst!=NULL && pgdst->isObjectGroup())
        {
            aclstr << "object-group " << pgdst->getName();
            aclstr << " ";
        } else
        {
            aclstr << _printAddr( compiler->getFirstDst(rule) );
        }
        aclstr << _printDstService( compiler->getFirstSrv(rule) );
    }

    aclstr << _printLog( rule );

    // "fragments" should be the last option in the access-list command
    aclstr << _printIPServiceOptions(rule);

    // Note that option "use_acl_remarks" is set in prolog() because
    // we use different options for this function in GUI dialogs for
    // iosacl and procurve. This is historical.
    if (compiler->fw->getOptionsObject()->getBool("use_acl_remarks"))
    {
        // NOTE(review): this appends the remark after the closing brace of
        // the term, i.e. outside the term block — confirm intent.
        ruleout << acl->addRemark(rule->getLabel(), rule->getComment());
    }

    // Recorded on the ACL object only; not returned.
    acl->addLine(aclstr.str());
    //ruleout << "#" << acl->addLine(aclstr.str());

    return ruleout.str();
}

/*
 * Junos "then" keyword for the rule action: Accept -> "accept",
 * Deny -> "discard", Reject -> "reject" followed, when the rule option
 * "action_on_reject" is set, by the reject_icmp_reason entry for that
 * value. Any other action falls back to getActionAsString().
 *
 * NOTE(review): reject_icmp_reason is indexed with .at(); if it is a
 * std::map, an "action_on_reject" value that is not a key throws
 * std::out_of_range instead of producing a compiler error message.
 */
string PolicyCompiler_junosacl::PrintRule::_printAction(PolicyRule *rule)
{
    ostringstream str;
    switch (rule->getAction()) {
    case PolicyRule::Accept:  str << "accept"; break;
    case PolicyRule::Deny:    str << "discard"; break;
    case PolicyRule::Reject:
        str << "reject";
        {
            FWOptions *ruleopt =rule->getOptionsObject();
            string reason = ruleopt->getStr("action_on_reject");
            if (!reason.empty())
                str << " " << reject_icmp_reason.at(reason);
        }
        break;
    default:
        str << rule->getActionAsString() << "";
    }
    return str.str();
}

/*
 * Return the rule's "acl" attribute followed by a space; asserts that the
 * attribute is set.
 */
string PolicyCompiler_junosacl::PrintRule::_printACL(PolicyRule *rule)
{
    // PolicyCompiler_iosacl *iosacl_comp=dynamic_cast(compiler);
    string acl_name=rule->getStr("acl");
    assert (acl_name!="");
    return acl_name+" ";
}

/*
 * IOS-style log keyword ("log-input " when the rule option
 * "iosacl_log_input" is set, else "log "), or "" when the rule does not
 * log. Only used for the aclstr line in _printRule(); the Junos term uses
 * "syslog" instead.
 */
string PolicyCompiler_junosacl::PrintRule::_printLog(PolicyRule *rule)
{
    if (rule->getLogging())
    {
        FWOptions *ruleopt =rule->getOptionsObject();
        if (ruleopt->getBool("iosacl_log_input")) return "log-input ";
        return "log ";
    }
    return "";
}

/*
 * Format a port range [rs, re] for a Junos port match: a single port when
 * rs == re, "rs-re" otherwise, "" when both ends are <= 0. Negative bounds
 * are clamped to 0 first.
 *
 * NOTE(review): the rs == 0 branch prints "1-<re+1>", so the upper bound is
 * one above the service's range end — looks like an off-by-one, confirm
 * against the intended Junos range.
 */
string PolicyCompiler_junosacl::PrintRule::_printPortRangeOp(int rs, int re)
{
    std::ostringstream str;
    if (rs<0) rs = 0;
    if (re<0) re = 0;
    if (rs>0 || re>0)
    {
        if (rs==re) str << rs;
        else
        {
            if (rs==0 && re!=0)
            {
                str << "1-" << re + 1;
            } else
            {
                if (rs!=0 && re==65535)
                {
                    str << rs << "-65535";
                } else
                {
                    str << rs << "-" << re;
                }
            }
        }
    }
    return str.str();
    // Unreachable: the function has already returned above.
    return PortRangeConverter(rs, re).toString();
}

/*
 * "source-port <range>" for a TCP or UDP service with a source port range,
 * "" for every other service or an empty range.
 */
string PolicyCompiler_junosacl::PrintRule::_printSrcService(Service *srv)
{
    if (TCPService::isA(srv) || UDPService::isA(srv))
    {
        int rs = TCPUDPService::cast(srv)->getSrcRangeStart();
        int re = TCPUDPService::cast(srv)->getSrcRangeEnd();
        string outstr = _printPortRangeOp(rs, re);
        if (outstr.size()) return "source-port " + outstr;
    }
    return "";
}

string
PolicyCompiler_junosacl::PrintRule::_printIPServiceOptions(PolicyRule *r)
{
    // IOS access-list keywords for an IPService's fragment / IP-option /
    // TOS / DSCP settings ("" when none apply). Carried over from the IOS
    // writer: the keywords, the "12.4" version gate and the abort message
    // are IOS ones, and the result is only used for the aclstr line in
    // _printRule(), not for the Junos term text.
    // Style: some return values carry a trailing space ("fragments ",
    // "option any-options ") and others do not.
    Service *srv = compiler->getFirstSrv(r);
    const IPService *ip;
    if ((ip=IPService::constcast(srv))!=NULL)
    {
        string version = compiler->fw->getStr("version");
        if (srv->getBool("fragm") || srv->getBool("short_fragm"))
            return "fragments ";
        if (ip->hasIpOptions() && XMLTools::version_compare(version, "12.4")<0)
            compiler->abort(r, "IP options match requires IOS v12.4 or later.");
        if (ip->getBool("lsrr")) return "option lsr";
        if (ip->getBool("ssrr")) return "option ssr";
        if (ip->getBool("rr")) return "option record-route";
        if (ip->getBool("rtralt")) return "option router-alert";
        if (ip->getBool("any_opt")) return "option any-options ";
        string tos = ip->getTOSCode();
        string dscp = ip->getDSCPCode();
        // DSCP wins over TOS when both are set.
        if (!dscp.empty()) return string("dscp ") + dscp;
        else if (!tos.empty()) return string("tos ") + tos;
    }
    return "";
}

/*
 * Destination side of a service match, concatenated from whichever parts
 * apply: destination port range (TCP/UDP), then "tcp-established" or the
 * TCP flag match (TCP), then the ICMP type number followed by a space
 * (ICMP/ICMP6 with a type set), then the platform code of a CustomService.
 *
 * NOTE(review): the parts are appended without a separator, so a TCP
 * service with both a destination port and "established" or flags yields
 * e.g. "80tcp-established" — confirm whether such services reach here.
 */
string PolicyCompiler_junosacl::PrintRule::_printDstService(Service *srv)
{
    ostringstream str;
    if (TCPService::isA(srv) || UDPService::isA(srv))
    {
        int rs = TCPUDPService::cast(srv)->getDstRangeStart();
        int re = TCPUDPService::cast(srv)->getDstRangeEnd();
        str << _printPortRangeOp(rs, re);
    }

    if (TCPService::isA(srv))
    {
        if (srv->getBool("established")) str << "tcp-established";
        else str << _printTCPFlags(TCPService::cast(srv));
    }

    if ((ICMPService::isA(srv) || ICMP6Service::isA(srv)) &&
        srv->getInt("type")!=-1)
    {
        str << srv->getStr("type") << " ";
    }

    if (CustomService::isA(srv))
        str << CustomService::cast(srv)->getCodeForPlatform(
            compiler->myPlatformName() );

    return str.str();
}

/*
 * Lower-case keyword for one TCP flag ("" for a value outside the six
 * handled flags). The return after the switch is unreachable because every
 * case, including default, returns.
 */
string PolicyCompiler_junosacl::PrintRule::getTcpFlagName(const TCPService::TCPFlag f)
{
    switch (f)
    {
    case TCPService::URG: return "urg";
    case TCPService::ACK: return "ack";
    case TCPService::PSH: return "psh";
    case TCPService::RST: return "rst";
    case TCPService::SYN: return "syn";
    case TCPService::FIN: return "fin";
    default: return "";
    }
    return "";
}

/*
 * TCP flag match for a service that inspects flags: for every flag in the
 * mask set, "+flag" when the flag must be set and "-flag" when it must be
 * clear, prefixed with "match-all" and joined by spaces, with a trailing
 * space. Returns "" when flags are not inspected.
 *
 * NOTE(review): the output is gated on the firewall "version" being >= 12.4,
 * which is an IOS version test inherited from the IOS writer; on a Junos
 * firewall object whose version string compares lower, flag matches are
 * silently dropped — confirm what "version" holds for this platform.
 */
string PolicyCompiler_junosacl::PrintRule::_printTCPFlags(TCPService *srv)
{
    if (srv->inspectFlags())
    {
        // We check the version and call compiler->abort() if its
        // wrong in SpecialServices rule processor. Here we should just execute.
        string version = compiler->fw->getStr("version");
        if (XMLTools::version_compare(version, "12.4")>=0)
        {
            std::set flags = srv->getAllTCPFlags();
            std::set masks = srv->getAllTCPFlagMasks();
            std::set::iterator mit = masks.begin();
            QStringList match_specs;
            for (; mit!=masks.end(); mit++)
            {
                if (flags.count(*mit) > 0)
                    match_specs.push_back(QString("+%1").arg(getTcpFlagName(*mit).c_str()));
                else
                    match_specs.push_back(QString("-%1").arg(getTcpFlagName(*mit).c_str()));
            }
            if (!match_specs.empty()) match_specs.push_front("match-all");
            return match_specs.join(" ").toStdString() + " ";
        }
    }
    return "";
}

/*
 * Protocol name for the "protocol" / "next-header" match: the service's
 * protocol name, except that ICMP6 services print as "icmp6", the standard
 * CustomService objects whose platform code is "tcp-established" print as
 * "tcp", and protocol "ip" prints as "ip " (IPv4) or "ipv6 " (IPv6).
 *
 * NOTE(review): "ip "/"ipv6 " (with trailing space) are the IOS spellings;
 * _printRule() writes them after "protocol "/"next-header " — confirm the
 * device accepts the resulting statement.
 */
string PolicyCompiler_junosacl::PrintRule::_printProtocol(Service *srv)
{
    PolicyCompiler_junosacl *junosacl_comp = dynamic_cast( compiler);
    string addr_family_prefix = "ip ";
    if (junosacl_comp->ipv6) addr_family_prefix = "ipv6 ";

    string proto = srv->getProtocolName();
    if (ICMP6Service::isA(srv)) proto = "icmp6";
    if (CustomService::isA(srv))
    {
        // special case standard CustomService objects "ESTABLISHED"
        // and "ESTABLISHED ipv6": these require protocol "tcp" but
        // protocol is set in the Custom Service object for all
        // platforms at once, so we can't have protocol defined only
        // for junosacl to be used here.
        string srv_code = CustomService::cast(srv)->getCodeForPlatform(
            compiler->myPlatformName());
        if (srv_code == "tcp-established") proto = "tcp";
    }
    if (proto=="ip") return addr_family_prefix;
    return proto;
}

/*
 * Address text for a source-address / destination-address entry:
 *  - a dynamic interface prints as "interface <label> " (IOS form,
 *    carried over from the IOS writer);
 *  - "any " when both address and netmask are "any";
 *  - "<addr>/<prefixlen>" for a network object (not an interface or an
 *    address attached to one, dimension > 1, mask not a host mask);
 *  - "<addr>/32" or "<addr>/128" otherwise, by address family.
 * An object without a netmask gets an all-ones mask and a warning on
 * stderr; an object without an address aborts the compiler with an error
 * naming the object.
 *
 * NOTE(review): the ipv6 and non-ipv6 branches of the network case are
 * identical, so the ipv6 test there has no effect.
 */
string PolicyCompiler_junosacl::PrintRule::_printAddr(Address *o)
{
    PolicyCompiler_junosacl *junosacl_comp = dynamic_cast(compiler);

    if (Interface::cast(o)!=NULL)
    {
        Interface *interface_ = Interface::cast(o);
        if (interface_->isDyn())
        {
            return string("interface ") + interface_->getLabel() + " ";
        }
    }

    ostringstream str;
    const InetAddr *srcaddr = o->getAddressPtr();
    if (srcaddr)
    {
        const InetAddr *nm = o->getNetmaskPtr();
        InetAddr srcmask;
        if (nm != NULL)
        {
            srcmask = *nm;
        } else
        {
            // Fallback: treat a mask-less object as a host (all-ones mask).
            cerr << "Address object " << o << " " << o->getName()
                 << " (" << o->getTypeName() << ") "
                 << " has no netmask" << endl;
            srcmask = InetAddr(InetAddr::getAllOnes(srcaddr->addressFamily()));
        }
        // const InetAddr srcmask = *(o->getNetmaskPtr());

        if (srcaddr->isAny() && srcmask.isAny())
        {
            str << "any ";
        } else
        {
            if (Interface::cast(o)==NULL &&
                Interface::cast(o->getParent())==NULL &&
                o->dimension() > 1 &&
                !srcmask.isHostMask())
            {
                if (junosacl_comp->ipv6)
                {
                    str << srcaddr->toString() << "/" << srcmask.getLength();
                } else
                {
                    str << srcaddr->toString() << "/" << srcmask.getLength();
                }
            } else
            {
                // Host: prefix length fixed by address family.
                if (srcaddr->isV4())
                    str << srcaddr->toString() << "/" << 32;
                else
                    str << srcaddr->toString() << "/" << 128;
                // str << srcaddr->toString() << "/" << srcmask.getLength();
            }
        }
        return str.str();
    }

    ostringstream errstr;
    errstr << "Object " << o->getName()
           << " (id=" << o->getId() << ") "
           << " has no ip address and can not be used "
           << "in the rule.";
    compiler->abort(errstr.str());
    return ""; // to make compiler happy
}

/*
 * the following additional attributes should have been defined by now:
 *
 * "acl" - string, name of the access list
 * choices are: outside-in, outside-out, inside-in, inside-out,
 * dmz-in, dmz-out etc.
* General rule for the acl name: "iface_name-{in,out}" */ bool PolicyCompiler_junosacl::PrintRule::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); compiler->output << _printRule(rule); return true; } fwbuilder-5.3.7/src/juniper_lib/juniper_lib.pro000066400000000000000000000023471303637203600216370ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) # TEMPLATE = lib # SOURCES = \ CompilerDriver_junosacl.cpp \ CompilerDriver_junosacl_run.cpp \ OSConfigurator_junos.cpp \ ../cisco_lib/PolicyCompiler_cisco.cpp \ ../cisco_lib/Helper.cpp \ PolicyCompiler_junosacl.cpp \ PolicyCompiler_junosacl_writers.cpp \ ../cisco_lib/NamedObjectsAndGroupsSupport.cpp \ ../cisco_lib/NamedObject.cpp \ ../cisco_lib/PolicyCompiler_cisco_acls.cpp \ ../cisco_lib/BaseObjectGroup.cpp \ ../cisco_lib/IOSObjectGroup.cpp \ ../cisco_lib/NamedObjectsManager.cpp \ ../cisco_lib/ACL.cpp \ ../cisco_lib/NXOSObjectGroup.cpp \ ../cisco_lib/PIXObjectGroup.cpp \ ../cisco_lib/ASA8ObjectGroup.cpp HEADERS = ../../config.h \ CompilerDriver_junosacl.h \ OSConfigurator_junos.h \ PolicyCompiler_junosacl.h \ ../cisco_lib/BaseObjectGroup.h macx:LIBS += $$LIBS_FWCOMPILER INCLUDEPATH += ../compiler_lib ../libfwbuilder/src .. DEPENDPATH += ../compiler_lib ../libfwbuilder/src win32:PRE_TARGETDEPS = ../compiler_lib/release/libcompilerdriver.a !win32:PRE_TARGETDEPS = ../compiler_lib/libcompilerdriver.a CONFIG += staticlib TARGET = fwbjuniper INSTALLS -= target fwbuilder-5.3.7/src/junosacl/000077500000000000000000000000001303637203600161215ustar00rootroot00000000000000fwbuilder-5.3.7/src/junosacl/junosacl.cpp000066400000000000000000000112621303637203600204450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #ifdef _WIN32 # include #else # include #endif #include #include #include #include #include #include #include #include "CompilerDriver_junosacl.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Tools.h" #include "fwbuilder/Constants.h" #include #include #include #include "../common/init.cpp" using namespace std; using namespace libfwbuilder; using namespace fwcompiler; FWObjectDatabase *objdb = NULL; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string &msg) const { msg.size(); // to make compiler happy about unused parameter cout << "Data file has been created in the old version of Firewall Builder.\nLoad it in the GUI to convert it to the new version." 
<< endl;
        // Declines the upgrade; the message above tells the user to convert
        // the file in the GUI instead.
        return false;
    }
};

/*
 * Print the banner, version and command line synopsis to stdout.
 * name is argv[0] as passed by main().
 */
void usage(const char *name)
{
    cout << "Firewall Builder: policy compiler for Juniper Junos ACL" << endl;
    cout << "Copyright 2007-2009 NetCitadel, LLC" << endl;
    cout << "Version " << VERSION << endl;
    cout << "Usage: " << name << " [-tvV] [-f filename.xml] [-d destdir] [-o output.fw] firewall_object_name" << endl;
}

/*
 * Entry point of fwb_junosacl.
 *
 * Only -V (usage, exit 0) and -f <file> (data file to load) are parsed
 * here; the complete argument list is passed to
 * CompilerDriver_junosacl::prepare() afterwards, which presumably handles
 * the remaining options listed in usage(). The data file is loaded into a
 * fresh FWObjectDatabase, the standard library is made writable, and the
 * driver is run; the driver status is the process exit code (set further
 * down, outside this excerpt).
 *
 * NOTE(review): "-f" given as the last argument makes the loop read
 * args.at(idx) past the end of the list after idx++ with no bounds check;
 * `if (idx + 1 >= args.size()) { usage(argv[0]); exit(1); }` before the
 * increment would close that.
 *
 * NOTE(review): the file name is converted with toLatin1(), which loses
 * characters outside Latin-1 although the codec set-up below targets
 * Utf8 — toUtf8() may have been intended.
 *
 * NOTE(review): the handlers at the end of main() (outside this excerpt)
 * catch std::string and std::exception by value; catching by const
 * reference avoids slicing the exception object.
 *
 * Style: last_arg is written on every iteration but not read in this
 * excerpt.
 */
int main(int argc, char **argv)
{
    QCoreApplication app(argc, argv, false);

    // compilers always write file names into manifest in Utf8
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8"));
#endif
    QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8"));

    QStringList args = app.arguments();

    if (args.size()<=1)
    {
        usage(argv[0]);
        exit(1);
    }

    QString last_arg;
    string filename;

    for (int idx=0; idx < args.size(); idx++)
    {
        QString arg = args.at(idx);
        last_arg = arg;
        if (arg == "-V")
        {
            usage(argv[0]);
            exit(0);
        }
        if (arg == "-f")
        {
            idx++;
            filename = string(args.at(idx).toLatin1().constData());
            continue;
        }
    }

    if (filename.empty())
    {
        usage(argv[0]);
        exit(1);
    }

    init(argv);

    try
    {
        // Constructed for its side effect only; the pointer is not kept here.
        // Presumably Resources registers itself globally — confirm.
        new Resources(Constants::getResourcesFilePath());

        /* create database */
        objdb = new FWObjectDatabase();

        /* load the data file */
        UpgradePredicate upgrade_predicate;
        cout << " *** Loading data ...";
        objdb->setReadOnly( false );
        objdb->load( filename, &upgrade_predicate, Constants::getDTDDirectory());
        objdb->setFileName(filename);
        objdb->reIndex();
        cout << " done\n";

        // The standard library is read-only in the data file; the compiler
        // needs it writable.
        FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID);
        if (slib && slib->isReadOnly()) slib->setReadOnly(false);

        CompilerDriver_junosacl *driver = new CompilerDriver_junosacl(objdb);
        if (!driver->prepare(args))
        {
            usage(argv[0]);
            exit(1);
        }
        driver->compile();

        //int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ?
0 : 1; int ret = driver->getStatus(); delete driver; delete objdb; return ret; } catch(libfwbuilder::FWException &ex) { cerr << ex.toString() << endl; return 1; } catch (std::string s) { cerr << s << endl; return 1; } catch (std::exception ex) { cerr << "exception: " << ex.what() << endl; return 1; } catch (...) { cerr << "Unsupported exception"; return 1; } return 0; } fwbuilder-5.3.7/src/junosacl/junosacl.pro000066400000000000000000000016301303637203600204610ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) QT -= gui # # # PACKAGE = fwbuilder-junosacl-$$FWB_VERSION # # QMAKE_CXXFLAGS_DEBUG += -DPACKAGE="\"$$PACKAGE\"" # QMAKE_CXXFLAGS_RELEASE += -DPACKAGE="\"$$PACKAGE\"" greaterThan(QT_MAJOR_VERSION, 4): QT += widgets SOURCES = junosacl.cpp HEADERS = ../../config.h !win32 { QMAKE_COPY = ../../install.sh -m 0755 -s } win32:CONFIG += console INCLUDEPATH += ../juniper_lib ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../juniper_lib ../compiler_lib ../libfwbuilder/src PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../juniper_lib/$$BINARY_SUBDIR/libfwbjuniper.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \ LIBS += $$PRE_TARGETDEPS $$LIBS TARGET = fwb_junosacl fwbuilder-5.3.7/src/libfwbuilder/000077500000000000000000000000001303637203600167555ustar00rootroot00000000000000fwbuilder-5.3.7/src/libfwbuilder/.gitignore000066400000000000000000000000261303637203600207430ustar00rootroot00000000000000libfwbuilder-config.h fwbuilder-5.3.7/src/libfwbuilder/etc/000077500000000000000000000000001303637203600175305ustar00rootroot00000000000000fwbuilder-5.3.7/src/libfwbuilder/etc/etc.pro000066400000000000000000000004271303637203600210300ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../qmake.inc) TEMPLATE = aux win32 { CONFIG -= embed_manifest_exe } 
QMAKE_RUN_CC = @echo QMAKE_RUN_CXX = @echo QMAKE_LINK = @echo QMAKE_LIB = @echo TARGET = etc dtd.files = fwbuilder.dtd INSTALLS -= target INSTALLS += dtd fwbuilder-5.3.7/src/libfwbuilder/etc/fwbuilder.dtd.in000066400000000000000000000446421303637203600226270ustar00rootroot00000000000000 fwbuilder-5.3.7/src/libfwbuilder/libfwbuilder.pro000066400000000000000000000006321303637203600221520ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # TEMPLATE = subdirs SUBDIRS = etc migration src DOLLAR = $ build_tests.commands = ./unit_tests.sh make build_tests build_tests.depends = all run_tests.commands = ./unit_tests.sh make run_tests run_tests.depends = all clean_tests.commands = ./unit_tests.sh make clean_tests tests.depends = run_tests QMAKE_EXTRA_TARGETS += build_tests run_tests clean_tests tests fwbuilder-5.3.7/src/libfwbuilder/migration/000077500000000000000000000000001303637203600207465ustar00rootroot00000000000000fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.0.xslt000066400000000000000000000124621303637203600255530ustar00rootroot00000000000000 -i 0 100 -m state --state ESTABLISHED,RELATED fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.1.xslt000066400000000000000000000036651303637203600255610ustar00rootroot00000000000000 fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.10.xslt000066400000000000000000000036401303637203600256320ustar00rootroot00000000000000 0.10.11 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.11.xslt000066400000000000000000000066221303637203600256360ustar00rootroot00000000000000 1 1 1 1 1 1 False True 0.10.12 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.12.xslt000066400000000000000000000055521303637203600256400ustar00rootroot00000000000000 False -pa (MAC) 0.10.13 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.13.xslt000066400000000000000000000015361303637203600256370ustar00rootroot00000000000000 0.10.14 root 
fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.14.xslt000066400000000000000000000015321303637203600256340ustar00rootroot00000000000000 1.0.0 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.2.xslt000066400000000000000000000015121303637203600255470ustar00rootroot00000000000000 fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.3.xslt000066400000000000000000000023151303637203600255520ustar00rootroot00000000000000 0.10.4 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.4.xslt000066400000000000000000000341071303637203600255570ustar00rootroot00000000000000 33524 False False ipf False True 0.10.5 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.5.xslt000066400000000000000000000026561303637203600255640ustar00rootroot00000000000000 0.10.6 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.6.xslt000066400000000000000000000026561303637203600255650ustar00rootroot00000000000000 0.10.7 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.7.xslt000066400000000000000000000015041303637203600255550ustar00rootroot00000000000000 0.10.8 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.8.xslt000066400000000000000000000107411303637203600255610ustar00rootroot00000000000000 -i interface-1 False 0 -i-1-addr 255.255.255.255 0.10.9 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.10.9.xslt000066400000000000000000000015501303637203600255600ustar00rootroot00000000000000 0.10.10 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.9.0.xslt000066400000000000000000000012471303637203600255020ustar00rootroot00000000000000 fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.9.1.xslt000066400000000000000000000024141303637203600255000ustar00rootroot00000000000000 fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.9.2.xslt000066400000000000000000000012331303637203600254770ustar00rootroot00000000000000 
fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.9.3.xslt000066400000000000000000000053641303637203600255110ustar00rootroot00000000000000 -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.9.4.xslt000066400000000000000000000012331303637203600255010ustar00rootroot00000000000000 fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_0.9.5.xslt000066400000000000000000000360421303637203600255100ustar00rootroot00000000000000 linux24 0.10.0 root Standard fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_1.0.0.xslt000066400000000000000000000015261303637203600254720ustar00rootroot00000000000000 1.0.1 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_1.0.1.xslt000066400000000000000000000043361303637203600254750ustar00rootroot00000000000000 id3F6D115C broadcast Standard 255.255.255.255 255.255.255.255 id3F6D115D old-broadcast Standard 0.0.0.0 0.0.0.0 1.0.2 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_1.0.2.xslt000066400000000000000000000107131303637203600254720ustar00rootroot00000000000000 _1 _1 2.0.0 root syslib000 Standard Standard objects #d4f8ff True syslib001 User User defined objects #d2ffd0 fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_10.xslt000066400000000000000000000044731303637203600252620ustar00rootroot00000000000000 _clusters Clusters 11 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_11.xslt000066400000000000000000000040011303637203600252460ustar00rootroot00000000000000 Clusters 12 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_12.xslt000066400000000000000000000030211303637203600252500ustar00rootroot00000000000000 Translate 13 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_13.xslt000066400000000000000000000025731303637203600252640ustar00rootroot00000000000000 14 root 
fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_14.xslt000066400000000000000000000067431303637203600252700ustar00rootroot00000000000000 mangle_only_rule_set True 15 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_15.xslt000066400000000000000000000030611303637203600252570ustar00rootroot00000000000000 sveasoft 16 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_16.xslt000066400000000000000000000031211303637203600252550ustar00rootroot00000000000000 True 17 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_17.xslt000066400000000000000000000053011303637203600252600ustar00rootroot00000000000000 False sysid0 False sysid0 18 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_18.xslt000066400000000000000000000045221303637203600252650ustar00rootroot00000000000000 False sysid0 19 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_19.xslt000066400000000000000000000040531303637203600252650ustar00rootroot00000000000000 pf_classify_str 20 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.0.xslt000066400000000000000000000015311303637203600254670ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.1.xslt000066400000000000000000000015311303637203600254700ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.10.xslt000066400000000000000000000015301303637203600255470ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.11.xslt000066400000000000000000000015301303637203600255500ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.12.xslt000066400000000000000000000015301303637203600255510ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.2.xslt000066400000000000000000000015311303637203600254710ustar00rootroot00000000000000 
2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.3.xslt000066400000000000000000000015311303637203600254720ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.4.xslt000066400000000000000000000015311303637203600254730ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.5.xslt000066400000000000000000000015311303637203600254740ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.6.xslt000066400000000000000000000015311303637203600254750ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.7.xslt000066400000000000000000000015311303637203600254760ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.8.xslt000066400000000000000000000015321303637203600255000ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.9.xslt000066400000000000000000000015311303637203600255000ustar00rootroot00000000000000 2.0.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.0.99.xslt000066400000000000000000000041241303637203600255720ustar00rootroot00000000000000 _og_dnsn_1 DNS Names 2.1.0 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.0.xslt000066400000000000000000000036041303637203600254730ustar00rootroot00000000000000 -routing 2.1.1 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.1.xslt000066400000000000000000000206341303637203600254760ustar00rootroot00000000000000 num. of interfaces: num. of interface policy rules: interface id= num. 
of preceding interface policy rules: interface policy rule pos new position False global policy rule new position False sysid0 2.1.2 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.10.xslt000066400000000000000000000015331303637203600255530ustar00rootroot00000000000000 2.1.11 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.11.xslt000066400000000000000000000052521303637203600255560ustar00rootroot00000000000000 2.1.12 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.12.xslt000066400000000000000000000016311303637203600255540ustar00rootroot00000000000000 2.1.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.13.xslt000066400000000000000000000016311303637203600255550ustar00rootroot00000000000000 2.1.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.14.xslt000066400000000000000000000015331303637203600255570ustar00rootroot00000000000000 2.1.99 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.15.xslt000066400000000000000000000015211303637203600255550ustar00rootroot00000000000000 3 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.16.xslt000066400000000000000000000015211303637203600255560ustar00rootroot00000000000000 3 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.17.xslt000066400000000000000000000015211303637203600255570ustar00rootroot00000000000000 3 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.18.xslt000066400000000000000000000015211303637203600255600ustar00rootroot00000000000000 3 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.19.xslt000066400000000000000000000015211303637203600255610ustar00rootroot00000000000000 3 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.2.xslt000066400000000000000000000031041303637203600254700ustar00rootroot00000000000000 _og_ats_1 Address Tables 2.1.3 root 
fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.3.xslt000066400000000000000000000031041303637203600254710ustar00rootroot00000000000000 _og_tag_1 TagServices 2.1.4 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.4.xslt000066400000000000000000000016251303637203600255000ustar00rootroot00000000000000 2.1.6 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.5.xslt000066400000000000000000000015251303637203600255000ustar00rootroot00000000000000 2.1.6 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.6.xslt000066400000000000000000000015271303637203600255030ustar00rootroot00000000000000 2.1.7 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.7.xslt000066400000000000000000000015271303637203600255040ustar00rootroot00000000000000 2.1.8 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.8.xslt000066400000000000000000000015271303637203600255050ustar00rootroot00000000000000 2.1.9 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.9.xslt000066400000000000000000000015311303637203600255010ustar00rootroot00000000000000 2.1.10 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_2.1.99.xslt000066400000000000000000000015211303637203600255710ustar00rootroot00000000000000 3 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_20.xslt000066400000000000000000000224351303637203600252610ustar00rootroot00000000000000 Accept Accept Continue taggingTrue classificationFalse routingFalse True Accept Accept Accept Continue taggingFalse classificationTrue routingFalse Continue Accept taggingFalse classificationFalse routingTrue 21 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_21.xslt000066400000000000000000000020531303637203600252540ustar00rootroot00000000000000 22 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_22.xslt000066400000000000000000000020521303637203600252540ustar00rootroot00000000000000 23 root 
fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_23.xslt000066400000000000000000000020521303637203600252550ustar00rootroot00000000000000 24 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_3.xslt000066400000000000000000000015061303637203600251760ustar00rootroot00000000000000 4 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_4.xslt000066400000000000000000000046541303637203600252060ustar00rootroot00000000000000 Policy NAT Routing 5 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_5.xslt000066400000000000000000000071721303637203600252050ustar00rootroot00000000000000 Policy 6 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_6.xslt000066400000000000000000000035521303637203600252040ustar00rootroot00000000000000 _userservices Users 7 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_7.xslt000066400000000000000000000131021303637203600251750ustar00rootroot00000000000000 Automatically created for rule Tag In library "" 8 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_8.xslt000066400000000000000000000037611303637203600252100ustar00rootroot00000000000000 tagobject_id 9 root fwbuilder-5.3.7/src/libfwbuilder/migration/FWObjectDatabase_9.xslt000066400000000000000000000043711303637203600252070ustar00rootroot00000000000000 True True True 10 root fwbuilder-5.3.7/src/libfwbuilder/migration/migration.pro000066400000000000000000000065201303637203600234640ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../qmake.inc) TEMPLATE = aux TARGET = migration win32 { CONFIG -= embed_manifest_exe } QMAKE_RUN_CC = "@echo" QMAKE_RUN_CXX = "@echo" QMAKE_LINK = "@echo" target.path = $${migration.path} target.files = FWObjectDatabase_0.9.0.xslt \ FWObjectDatabase_0.9.1.xslt \ FWObjectDatabase_0.9.2.xslt \ FWObjectDatabase_0.9.3.xslt \ FWObjectDatabase_0.9.4.xslt \ FWObjectDatabase_0.9.5.xslt \ FWObjectDatabase_0.10.0.xslt \ FWObjectDatabase_0.10.1.xslt \ 
FWObjectDatabase_0.10.2.xslt \ FWObjectDatabase_0.10.3.xslt \ FWObjectDatabase_0.10.4.xslt \ FWObjectDatabase_0.10.5.xslt \ FWObjectDatabase_0.10.6.xslt \ FWObjectDatabase_0.10.7.xslt \ FWObjectDatabase_0.10.8.xslt \ FWObjectDatabase_0.10.9.xslt \ FWObjectDatabase_0.10.10.xslt \ FWObjectDatabase_0.10.11.xslt \ FWObjectDatabase_0.10.12.xslt \ FWObjectDatabase_0.10.13.xslt \ FWObjectDatabase_0.10.14.xslt \ FWObjectDatabase_1.0.0.xslt \ FWObjectDatabase_1.0.1.xslt \ FWObjectDatabase_1.0.2.xslt \ FWObjectDatabase_2.0.0.xslt \ FWObjectDatabase_2.0.1.xslt \ FWObjectDatabase_2.0.2.xslt \ FWObjectDatabase_2.0.3.xslt \ FWObjectDatabase_2.0.4.xslt \ FWObjectDatabase_2.0.5.xslt \ FWObjectDatabase_2.0.6.xslt \ FWObjectDatabase_2.0.7.xslt \ FWObjectDatabase_2.0.8.xslt \ FWObjectDatabase_2.0.9.xslt \ FWObjectDatabase_2.0.10.xslt \ FWObjectDatabase_2.0.11.xslt \ FWObjectDatabase_2.0.12.xslt \ FWObjectDatabase_2.0.99.xslt \ FWObjectDatabase_2.1.0.xslt \ FWObjectDatabase_2.1.1.xslt \ FWObjectDatabase_2.1.2.xslt \ FWObjectDatabase_2.1.3.xslt \ FWObjectDatabase_2.1.4.xslt \ FWObjectDatabase_2.1.5.xslt \ FWObjectDatabase_2.1.6.xslt \ FWObjectDatabase_2.1.7.xslt \ FWObjectDatabase_2.1.8.xslt \ FWObjectDatabase_2.1.9.xslt \ FWObjectDatabase_2.1.10.xslt \ FWObjectDatabase_2.1.11.xslt \ FWObjectDatabase_2.1.12.xslt \ FWObjectDatabase_2.1.13.xslt \ FWObjectDatabase_2.1.14.xslt \ FWObjectDatabase_2.1.15.xslt \ FWObjectDatabase_2.1.16.xslt \ FWObjectDatabase_2.1.17.xslt \ FWObjectDatabase_2.1.18.xslt \ FWObjectDatabase_2.1.19.xslt \ FWObjectDatabase_2.1.99.xslt \ FWObjectDatabase_3.xslt \ FWObjectDatabase_4.xslt \ FWObjectDatabase_5.xslt \ FWObjectDatabase_6.xslt \ FWObjectDatabase_7.xslt \ FWObjectDatabase_8.xslt \ FWObjectDatabase_9.xslt \ FWObjectDatabase_10.xslt \ FWObjectDatabase_11.xslt \ FWObjectDatabase_12.xslt \ FWObjectDatabase_13.xslt \ FWObjectDatabase_14.xslt \ FWObjectDatabase_15.xslt \ FWObjectDatabase_16.xslt \ FWObjectDatabase_17.xslt \ FWObjectDatabase_18.xslt \ 
FWObjectDatabase_19.xslt \ FWObjectDatabase_20.xslt \ FWObjectDatabase_21.xslt \ FWObjectDatabase_22.xslt \ FWObjectDatabase_23.xslt \ fwbuilder-5.3.7/src/libfwbuilder/qmake.inc.in000066400000000000000000000061411303637203600211550ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # ######### libfwbuilder/qmake.inc.in # QTDIR = $$(QTDIR) TEMPLATE = lib DEFINES += $$(DEFINES) INCLUDEPATH += .. ../.. $$(INCLUDEPATH) DEPENDPATH += .. ../.. LANGUAGE = C++ HAVE_CPPUNIT = @HAVE_CPPUNIT@ CPPUNIT_CFLAGS = @CPPUNIT_CFLAGS@ CPPUNIT_LIBS = @CPPUNIT_LIBS@ CONFIG -= qt QMAKE_CXXFLAGS_DEBUG += -D__STDC_FORMAT_MACROS QMAKE_CXXFLAGS_RELEASE += -D__STDC_FORMAT_MACROS unix { CONFIG += warn_on debug UI_DIR = .ui MOC_DIR = .moc OBJECTS_DIR = .obj prefix = @prefix@ QMAKE_CXX = @CCACHE@ @DISTCC@ $$QMAKE_CXX freebsd { # We put /usr/include into INCLUDEPATH to fix a problem compiling # fwbuilder/snmp.cpp on freebsd. INCLUDEPATH += /usr/include } INCLUDEPATH += @XML_CFLAGS_Q@ @XSLT_CFLAGS_Q@ LIBS += @PTHREAD_LIBS@ @XML_LIBS@ @XSLT_LIBS@ @LIBSNMP_LIBS@ @LIB_RESOLV@ @LIBS@ QMAKE_CFLAGS_DEBUG += -Wno-unused-parameter QMAKE_CFLAGS_RELEASE += -Wno-unused-parameter QMAKE_CXXFLAGS_DEBUG += -Wno-unused-parameter @CXXFLAGS@ QMAKE_CXXFLAGS_RELEASE += -Wno-unused-parameter @CXXFLAGS@ exec_prefix = @EXEC_PREFIX@ DESTDIR = target.path = @LIBDIR@ dtd.path = @RES_DIR@/ migration.path = @RES_DIR@/migration doc.path = @DOCDIR@ } win32 { prefix = "c:/tmp/build_root" DOCDIR = "$$prefix/doc/" exec_prefix = "$$prefix" DESTDIR = "" target.path = "$$prefix/lib" dtd.path = "$$prefix/resources" migration.path = "$$prefix/resources/migration" doc.path = "$$prefix/doc/libfwbuilder" CONFIG -= debug CONFIG += thread rtti stl warn_on release CONFIG += staticlib DEFINES += LIBXML_STATIC LIBXSLT_STATIC INCLUDEPATH += $$(TOOLCHAIN_PREFIX)/include $$(TOOLCHAIN_PREFIX)/include/libxml2 $$(TOOLCHAIN_PREFIX)/include/net-snmp /include LIBS += -L$$(TOOLCHAIN_PREFIX)/lib -L$$(TOOLCHAIN_PREFIX)/bin # LIBS += 
ws2_32.lib pthreadVC.lib LIBS += pthreadVC.lib LIBS += libxml2.lib libxslt_a.lib libz.a # zlib.lib } macx { prefix = "$$prefix" DOCDIR = "$$prefix/doc/" exec_prefix = "$$prefix" DESTDIR = # these path definitions are not used since we do not run make install on Mac # (see fwbuilder.def file where it is defined that we don't do that) # But I need to assign these variables some value to make qmake happy. target.path = "$$prefix/lib" dtd.path = "$$prefix/" migration.path = "$$prefix/migration" doc.path = "$$prefix/doc/" CONFIG -= x86 CONFIG += x86_64 # If I build on 10.6 without these, generated binary depends on # /usr/lib/libxml2.2.dynlib that has compatibility version 10.0.0 # which does not work on 10.5 where its compatibility version is # 9.0.0. Chances are, the same thing may be happening with other # dependency libraries. Building on 10.6 with deployment target 10.5 # should solve the problem QMAKE_MACOSX_DEPLOYMENT_TARGET = $$(QMAKE_MACOSX_DEPLOYMENT_TARGET) QMAKE_CXXFLAGS += -mmacosx-version-min=$$(QMAKE_MACOSX_DEPLOYMENT_TARGET) QMAKE_MAC_SDK = $$(QMAKE_MAC_SDK) QMAKE_LFLAGS_SONAME = -Wl,-install_name,@executable_path/../Frameworks/ } INSTALLS += target fwbuilder-5.3.7/src/libfwbuilder/src/000077500000000000000000000000001303637203600175445ustar00rootroot00000000000000fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/000077500000000000000000000000001303637203600215275ustar00rootroot00000000000000fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Address.cpp000066400000000000000000000106661303637203600236310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed with the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Address.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWObjectDatabase.h" using namespace libfwbuilder; using namespace std; const char *Address::TYPENAME={"Address"}; Address::Address() : FWObject() { inet_addr_mask = new InetAddrMask(); setName("address"); } Address::Address(const Address& other) : FWObject(other) { inet_addr_mask = new InetAddrMask(*(other.inet_addr_mask)); } Address::~Address() { delete inet_addr_mask; } FWObject& Address::shallowDuplicate(const FWObject *other, bool preserve_id) throw(FWException) { const Address* a_other = Address::constcast(other); delete inet_addr_mask; inet_addr_mask = new InetAddrMask(*(a_other->inet_addr_mask)); return FWObject::shallowDuplicate(other, preserve_id); } FWReference* Address::createRef() { FWObjectReference *ref = getRoot()->createFWObjectReference(); ref->setPointer(this); return ref; } bool Address::isAny() const { return getId()==FWObjectDatabase::ANY_ADDRESS_ID; } const Address* Address::getAddressObject() const { return NULL; } const InetAddrMask* Address::getInetAddrMaskObjectPtr() const { const Address *addr_obj = getAddressObject(); if (addr_obj) return addr_obj->inet_addr_mask; return NULL; } bool Address::hasInetAddress() const { return false; } int Address::countInetAddresses(bool ) const { return 0; } const InetAddr* Address::getAddressPtr() const { const InetAddrMask *inet_addr_mask = getInetAddrMaskObjectPtr(); if (inet_addr_mask) 
return inet_addr_mask->getAddressPtr(); return NULL; } const InetAddr* Address::getNetmaskPtr() const { const InetAddrMask *inet_addr_mask = getInetAddrMaskObjectPtr(); if (inet_addr_mask) return inet_addr_mask->getNetmaskPtr(); return NULL; } const InetAddr* Address::getNetworkAddressPtr() const { const InetAddrMask *inet_addr_mask = getInetAddrMaskObjectPtr(); if (inet_addr_mask) return inet_addr_mask->getNetworkAddressPtr(); return NULL; } const InetAddr* Address::getBroadcastAddressPtr() const { const InetAddrMask *inet_addr_mask = getInetAddrMaskObjectPtr(); if (inet_addr_mask) return inet_addr_mask->getBroadcastAddressPtr(); return NULL; } void Address::setAddress(const InetAddr& a) { inet_addr_mask->setAddress(a); } void Address::setNetmask(const InetAddr& nm) { inet_addr_mask->setNetmask(nm); } void Address::setAddressNetmask(const std::string&) { } /* By default dimension is 1. Compilers may rely on this behavior * assuming that every Address object represents single address unless * specific netmask is given. 
*/ unsigned int Address::dimension() const { const InetAddrMask *addr_obj = getInetAddrMaskObjectPtr(); if (addr_obj!=NULL) return addr_obj->dimension(); return 1; } bool Address::belongs(const InetAddr &other) const { const InetAddrMask *addr_obj = getInetAddrMaskObjectPtr(); if (addr_obj!=NULL) return addr_obj->belongs(other); return false; } bool Address::cmp(const FWObject *obj, bool recursive) throw(FWException) { if (Address::constcast(obj)==NULL) return false; if (!FWObject::cmp(obj, recursive)) return false; if (hasInetAddress()!=Address::constcast(obj)->hasInetAddress()) return false; if (!hasInetAddress()) return true; // both this and obj are objects that own ip addresses return (*inet_addr_mask == *(Address::constcast(obj)->inet_addr_mask)); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Address.h000066400000000000000000000071311303637203600232670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __GEN_ADDRESS_HH_FLAG__ #define __GEN_ADDRESS_HH_FLAG__ #include "fwbuilder/FWObject.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/InetAddrMask.h" namespace libfwbuilder { /** * This is base class for all objects that can have an address and can * be a child of RuleElementSrc, RuleElementDst and other rule * elements holding addresses. It is never used on it's own, only * it's subclasses are used. * * TODO: we might need to derive ObjectGroup and AddressRange from Address, * but this requires lot more testing */ class Address : public FWObject { protected: InetAddrMask* inet_addr_mask; public: DECLARE_FWOBJECT_SUBTYPE(Address); DECLARE_DISPATCH_METHODS(Address); Address(); Address(const Address&); virtual ~Address(); // Address(const std::string& addr,const std::string& mask); // Address(const std::string &s) throw(FWException); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); const InetAddrMask* getInetAddrMaskObjectPtr() const; /** * This method returns true if object "owns" ip address. Owning * in this context means that the object itself has an address, rather * than one of its child objects. In this sense Firewall, Host, * Interface do not "own" ip address, whereas IPv4, Network, IPv6 * NetworkIPv6 do. */ virtual bool hasInetAddress() const; /** * similar to hasInetAddress() but counts addresses */ virtual int countInetAddresses(bool skip_loopback) const; /** * returns const pointer to internal InetAddr object. Some objects * that inherit this class may return NULL if they do not have * their own IP address (examples: physAddress or Interface with * no child IPv4 object). 
Using exclusively method that returns * pointer rather than reference to the object allows us to * distinguish between when an object has address 0.0.0.0 or has no * address at all. */ virtual const InetAddr* getAddressPtr() const; virtual const InetAddr* getNetmaskPtr() const; virtual const InetAddr* getNetworkAddressPtr() const; virtual const InetAddr* getBroadcastAddressPtr() const; virtual void setAddress(const InetAddr &a); virtual void setNetmask(const InetAddr &nm); virtual void setAddressNetmask(const std::string& s); virtual const Address* getAddressObject() const; virtual unsigned int dimension() const; bool belongs(const InetAddr &) const; virtual FWReference* createRef(); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); bool isAny() const; virtual bool isPrimaryObject() const { return true; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/AddressRange.cpp000066400000000000000000000075651303637203600246120ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; const char *AddressRange::TYPENAME={"AddressRange"}; /** * Empty constructor. Make sure start and end addresses are * initialized to 0. */ AddressRange::AddressRange() : Address(), start_address(InetAddr::getAny()), end_address(InetAddr::getAny()) { Address::setNetmask(InetAddr::getAny()); } AddressRange::AddressRange(AddressRange &o) : Address() , start_address(o.getRangeStart()), end_address(o.getRangeEnd()) { FWObject::operator=(o); } const InetAddr* AddressRange::getAddressPtr() const { return &start_address; } unsigned int AddressRange::dimension() const { return start_address.distance(end_address); } void AddressRange::setAddress(const InetAddr &a) { setRangeStart(a); setRangeEnd(a); } void AddressRange::setNetmask(const InetAddr& ) {} FWObject& AddressRange::shallowDuplicate(const FWObject *o, bool preserve_id) throw(FWException) { const AddressRange *n = dynamic_cast(o); if (n==NULL) { std::ostringstream s; s << "Attempt to copy incompatible object to AddressRange: objectID="; s << o->getId(); throw(FWException(s.str())); } start_address = n->getRangeStart(); end_address = n->getRangeEnd(); return FWObject::shallowDuplicate(o, preserve_id); } bool AddressRange::cmp(const FWObject *obj, bool recursive) throw(FWException) { if (AddressRange::constcast(obj)==NULL) return false; if (!FWObject::cmp(obj, recursive)) return false; InetAddr o1b; InetAddr o1e; InetAddr o2b; InetAddr o2e; o1b = getRangeStart(); o1e = getRangeEnd(); o2b = AddressRange::constcast(obj)->getRangeStart(); o2e = AddressRange::constcast(obj)->getRangeEnd(); return (o1b==o2b && o1e==o2e); } void AddressRange::fromXML(xmlNodePtr root) throw(FWException) { 
FWObject::fromXML(root); const char *n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("start_address"))); assert(n!=NULL); start_address = InetAddr(n); FREEXMLBUFF(n); n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("end_address"))); assert(n!=NULL); end_address = InetAddr(n); FREEXMLBUFF(n); } xmlNodePtr AddressRange::toXML(xmlNodePtr xml_parent_node) throw(FWException) { xmlNodePtr me = FWObject::toXML(xml_parent_node); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); xmlNewProp(me, TOXMLCAST("start_address"), STRTOXMLCAST(start_address.toString())); xmlNewProp(me, TOXMLCAST("end_address"), STRTOXMLCAST(end_address.toString())); return me; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/AddressRange.h000066400000000000000000000045021303637203600242430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ADDRESSRANGE_HH_FLAG__ #define __ADDRESSRANGE_HH_FLAG__ #include "fwbuilder/Address.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/ObjectMatcher.h" namespace libfwbuilder { class AddressRange : public Address { private: InetAddr start_address; InetAddr end_address; public: AddressRange(); AddressRange(AddressRange &); const InetAddr &getRangeStart() const { return start_address; } const InetAddr &getRangeEnd() const { return end_address; } void setRangeStart(const InetAddr &o) { start_address = o; } void setRangeEnd(const InetAddr &o) { end_address = o; } /** * virtual methods inherited from Address */ virtual bool hasInetAddress() const { return true; } virtual const InetAddr* getAddressPtr() const; virtual unsigned int dimension() const; virtual void setAddress(const InetAddr &a); virtual void setNetmask(const InetAddr &nm); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); virtual void fromXML (xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML (xmlNodePtr xml_parent_node) throw(FWException); virtual bool isPrimaryObject() const { return true; } DECLARE_FWOBJECT_SUBTYPE(AddressRange); DECLARE_DISPATCH_METHODS(AddressRange); }; } #endif // __ADDRESSRANGE_HH_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/AddressTable.cpp000066400000000000000000000161531303637203600245760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2005 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include #include #include #include using namespace libfwbuilder; using namespace std; const char *AddressTable::TYPENAME={"AddressTable"}; AddressTable::AddressTable() : MultiAddress() { setRunTime(false); setStr("filename", ""); } string AddressTable::getSourceName() { return getStr("filename"); } void AddressTable::setSourceName(const std::string& source_name) { setStr("filename", source_name); } void AddressTable::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n; n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("filename"))); assert(n!=NULL); setStr("filename", n); FREEXMLBUFF(n); n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("run_time"))); assert(n!=NULL); setStr("run_time", n); FREEXMLBUFF(n); } xmlNodePtr AddressTable::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? 
"True" : "False"))); return me; } string AddressTable::getFilename(FWOptions *options) throw (FWException) { string path = getStr("filename"); size_t found = path.find("%DATADIR%"); if (found == string::npos) return path; string dataDir; if (isRunTime()) { dataDir = options->getStr("data_dir"); if (dataDir.empty()) { throw FWException("Firewall 'data directory' setting is blank"); } } else { dataDir = FWObject::getDataDir(); if (dataDir.empty()) { throw FWException("Global 'data directory' setting is blank"); } } path.replace(found, 9, dataDir); return path; } /* * read file specified by the "filename" attribute and interpret lines * as addresses. Create corresponding address or network objects, add * them to the object database and add references to them to @this. If * file does not exist and we run in test mode, create dummy object * and add it to the database and referece to it, then throw * exception. * * TODO: new objects should be added to some kind of special group in * the object tree, something with the name "tmp" or similar. 
*/ void AddressTable::loadFromSource(bool ipv6, FWOptions *options, bool test_mode) throw(FWException) { string path = getFilename(options); ifstream fs(path.c_str()); ostringstream exmess; string buf; size_type pos; int line = 1; int cntr = 0; Address *new_addr; if(fs) { while(!fs.eof()) { getline(fs,buf); pos = buf.find_first_not_of(" \t"); if (pos!=string::npos) { buf = buf.substr(pos); pos = buf.find_first_not_of("0123456789abcdef:/."); buf = buf.substr(0,pos); } else { buf=""; } if (!buf.empty()) { new_addr = NULL; if (ipv6 && buf.find(":")!=string::npos) { try { InetAddr(AF_INET6, buf); // to test address NetworkIPv6 *net = getRoot()->createNetworkIPv6(); net->setAddressNetmask(buf); new_addr = net; } catch (FWException &ex) { exmess << "Invalid address: " << path << ":" << line << " \"" << buf << "\""; throw FWException(exmess.str()); } } if (!ipv6 && buf.find(".")!=string::npos) { try { InetAddr(AF_INET, buf); // to test address Network *net = getRoot()->createNetwork(); net->setAddressNetmask(buf); new_addr = net; } catch (FWException &ex) { exmess << "Invalid address: " << path << ":" << line << " \"" << buf << "\""; throw FWException(exmess.str()); } } if (new_addr) { new_addr->setName(buf); if (validateChild(new_addr)) { getRoot()->add(new_addr); addRef(new_addr); cntr++; } } } line++; } } else { // in test mode we use dummy address but still throw exception. // Compiler should print error message but continue. 
exmess << "File not found for Address Table: " << getName() << " (" << path << ")"; if (test_mode) { exmess << " Using dummy address in test mode"; if (ipv6) { NetworkIPv6 *net = getRoot()->createNetworkIPv6(); net->setAddressNetmask("2001:db8::/32"); new_addr = net; } else { Network *net = getRoot()->createNetwork(); net->setAddressNetmask("192.0.2.0/24"); new_addr = net; } new_addr->setName(buf); if (validateChild(new_addr)) { getRoot()->add(new_addr); addRef(new_addr); cntr++; } new_addr->setBool(".rule_error", true); new_addr->setStr(".error_msg", exmess.str()); } throw FWException(exmess.str()); } } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/AddressTable.h000066400000000000000000000031711303637203600242370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2005 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __GEN_ADDRESSTABLE_HH_FLAG__ #define __GEN_ADDRESSTABLE_HH_FLAG__ #include "fwbuilder/MultiAddress.h" namespace libfwbuilder { class AddressTable : public MultiAddress { private: std::string getFilename(FWOptions *options) throw(FWException); public: DECLARE_FWOBJECT_SUBTYPE(AddressTable); DECLARE_DISPATCH_METHODS(AddressTable); AddressTable(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); virtual std::string getSourceName(); virtual void setSourceName(const std::string& source_name); virtual void loadFromSource(bool ipv6, FWOptions *options, bool test_mode=false) throw(FWException); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/AttachedNetworks.cpp000066400000000000000000000103201303637203600255010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include #include #include #include using namespace libfwbuilder; using namespace std; const char *AttachedNetworks::TYPENAME={"AttachedNetworks"}; AttachedNetworks::AttachedNetworks() : MultiAddress() { } void AttachedNetworks::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); } xmlNodePtr AttachedNetworks::toXML(xmlNodePtr parent) throw(FWException) { remStr("run_time"); xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? 
"True" : "False"))); return me; } void AttachedNetworks::addNetworkObject(const InetAddrMask &addr_mask) { const InetAddr *ip_addr = addr_mask.getAddressPtr(); const InetAddr *ip_netm = addr_mask.getNetmaskPtr(); FWObject *new_obj = NULL; if (ip_addr->isV4()) { Network *net = getRoot()->createNetwork(); net->setAddress(*ip_addr); net->setNetmask(*ip_netm); ostringstream str; str << "net-" << ip_addr->toString() << "/" << ip_netm->toString(); net->setName(str.str()); new_obj = net; } if (ip_addr->isV6()) { NetworkIPv6 *net = getRoot()->createNetworkIPv6(); net->setAddress(*ip_addr); net->setNetmask(*ip_netm); ostringstream str; str << "net-" << ip_addr->toString() << "/" << ip_netm->getLength(); net->setName(str.str()); new_obj = net; } if (validateChild(new_obj)) { getRoot()->add(new_obj); addRef(new_obj); } } /* * Read addresses of the parent interface and build a group of * corresponding networks. */ void AttachedNetworks::loadFromSource(bool ipv6, FWOptions*, bool) throw(FWException) { Interface *parent_intf = Interface::cast(getParent()); assert(parent_intf); string c_type = (ipv6) ? 
IPv6::TYPENAME : IPv4::TYPENAME; // assemble list of address/netmask pairs to eliminate duplicates map networks; FWObjectTypedChildIterator k = parent_intf->findByType(c_type); for ( ; k!=k.end(); ++k) { Address *addr = Address::cast(*k); const InetAddr *ip_netm = addr->getNetmaskPtr(); const InetAddr *ip_net_addr = addr->getNetworkAddressPtr(); ostringstream net; if (ip_net_addr->isV6()) { net << ip_net_addr->toString() << "/" << ip_netm->getLength(); } else { net << ip_net_addr->toString() << "/" << ip_netm->toString(); } networks[net.str()] = InetAddrMask(*ip_net_addr, *ip_netm); } for (map::iterator it=networks.begin(); it!=networks.end(); ++it) { addNetworkObject(it->second); } } string AttachedNetworks::getSourceName() { Interface *parent = Interface::cast(getParent()); assert(parent!=NULL); return parent->getName(); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/AttachedNetworks.h000066400000000000000000000030501303637203600251500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _ATTACHEDNETWORKS_HH_ #define _ATTACHEDNETWORKS_HH_ #include "fwbuilder/MultiAddress.h" namespace libfwbuilder { class AttachedNetworks : public MultiAddress { private: void addNetworkObject(const InetAddrMask &addr_mask); public: DECLARE_FWOBJECT_SUBTYPE(AttachedNetworks); DECLARE_DISPATCH_METHODS(AttachedNetworks); AttachedNetworks(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); virtual void loadFromSource(bool ipv6, FWOptions *options, bool test_mode=false) throw(FWException); virtual std::string getSourceName(); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/BackgroundOp.cpp000066400000000000000000000131371303637203600246160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA */

#include "config.h"
#include "fwbuilder/libfwbuilder-config.h"

#include
#include
#include
#include
#include

// #include

#include
#include
#include
#include "fwbuilder/BackgroundOp.h"

using namespace std;
using namespace libfwbuilder;

/*
 * Both SyncFlag objects are heap-allocated on purpose: their pointers
 * are handed to the background thread and must stay valid after this
 * object is gone (see ~BackgroundOp and start_operation). "error"
 * starts out NULL and is set by stop_operation() or by the background
 * thread when run_impl() throws.
 */
BackgroundOp::BackgroundOp():running(false),connected(true)
{
    error = NULL;
    stop_program = new SyncFlag(false);
    iamdead = new SyncFlag(false);
    pthread_attr_init(&tattr);
}

/*
 * we destroy logger in the background thread because run_impl may use
 * logger and we should be able to destroy object of this class even
 * while background thread is working.
 *
 * iamdead should not be deleted either because it is used as a flag
 * so that background thread would know if this object has been deleted
 * while run_impl was running
 *
 * NOTE(review): as a consequence iamdead is freed only by the thread,
 * and only when it observes the flag set; stop_program and "error" are
 * not freed anywhere in this file. These are deliberate leaks that buy
 * safety against use-after-free, not oversights.
 */
BackgroundOp::~BackgroundOp()
{
    // Raise both flags under their locks so a running thread sees a
    // consistent "stop now" and "owner is gone" state.
    stop_program->lock();
    stop_program->modify(true);
    stop_program->unlock();

    iamdead->lock();
    iamdead->modify(true);
    iamdead->unlock();

    pthread_attr_destroy(&tattr);
}

/* replaced by a macro
void BackgroundOp::check_stop()
{
    stop_program->lock();
    if ( stop_program->peek() )
    {
        stop_program->unlock();
        pthread_exit(NULL);
    }
    stop_program->unlock();
}
*/

/*
 * "running" is set by start_operation() and cleared by the background
 * thread when run_impl() returns. No explicit lock is taken here; this
 * presumably relies on SyncFlag's own synchronization — TODO confirm.
 */
bool BackgroundOp::isRunning() { return running; }
void BackgroundOp::setRunning() { running=true; }
void BackgroundOp::clearRunning() { running=false; }

/*
 * "connected" tells the background thread whether somebody still reads
 * the Logger; disconnect() lets the thread stop waiting and free it.
 */
bool BackgroundOp::isConnected() { return connected; }
void BackgroundOp::disconnect() { connected=false; }

/*
 * Start run_impl() on a detached thread and return the Logger the
 * caller reads output from. The Logger is owned and deleted by the
 * background thread; the caller must not delete it.
 *
 * Throws FWException if the thread cannot be created.
 */
Logger* BackgroundOp::start_operation() throw(FWException)
{
/*
 * Suppose calling program wants to stop background operation. It
 * calls stop_oprtation and some times immediately destroys
 * BackgroundOp object. If background op. was stuck in a system
 * call when this happened, it will check stop_program flag only
 * after it returns from the system call. Since BackgroundOp
 * object has been destroyed by then, the program crashes.
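To
 * avoid this, we create stop_program flag here so that even
 * BackgroundOp object is destoryed, this flag is still available
 * and can be properly checked.
 */
    stop_program->lock();
    stop_program->modify(false);
    stop_program->unlock();

    running = true;

    Logger *logger = new QueueLogger();

    // Argument vector for background_thread(). Ownership moves to the
    // thread, which must release it with delete[] on every exit path.
    void **void_pair = new void*[4];
    void_pair[0] = this;
    void_pair[1] = logger;
    void_pair[2] = iamdead;
    void_pair[3] = stop_program;

    pthread_t tid;
    pthread_attr_setdetachstate(&tattr, PTHREAD_CREATE_DETACHED);
    int err = pthread_create(&tid, &tattr, background_thread, void_pair);
    if (err != 0)
    {
        // No thread took ownership of logger/void_pair, so free them
        // here and clear "running"; otherwise the caller is handed a
        // logger nobody writes to and an operation that never ends.
        // Any non-zero code is a failure, not only EAGAIN and EINVAL.
        clearRunning();
        delete logger;
        delete[] void_pair;
        switch (err)
        {
        case EAGAIN:
            throw FWException("Not enough system resources to create new thread");
        case EINVAL:
            throw FWException("The value specified by attr is invalid.");
        default:
            throw FWException("Could not create background thread");
        }
    }
    return logger;
}

/*
 * Ask the background thread to stop at its next CHECK_STOP_* point and
 * record "Interrupted by user" as the latest error. A previously stored
 * error object is not released here: ownership of the pointer handed
 * out by get_latest_error() is not defined by this class.
 */
void BackgroundOp::stop_operation()
{
    error = new FWException("Interrupted by user");
    stop_program->lock();
    stop_program->modify(true);
    stop_program->unlock();
}

namespace libfwbuilder
{

/*
 * Thread entry point. args is the void*[4] built by start_operation():
 * { BackgroundOp*, Logger*, SyncFlag* iamdead, SyncFlag* stop_program }.
 *
 * Every access to bop is made under the isdead lock: if the owning
 * BackgroundOp was destroyed while run_impl() was running, the thread
 * must only release what it owns (logger, isdead, the argument array)
 * and return without touching bop.
 */
void *background_thread(void *args)
{
    void **void_pair=(void**)args;
    BackgroundOp *bop = (BackgroundOp*)void_pair[0];
    Logger *logger = (Logger *) void_pair[1];
    SyncFlag *isdead = (SyncFlag*) void_pair[2];
    SyncFlag *stop_program = (SyncFlag*) void_pair[3];

    try
    {
        bop->run_impl(logger,stop_program);
    } catch (FWException &ex)
    {
        isdead->lock();
        if (isdead->peek())
        {
            isdead->unlock();
            delete logger;
            delete isdead;
            delete[] void_pair;   // allocated with new void*[4]
            return(NULL);
        }
        *logger << "Exception: " << ex.toString().c_str() << '\n';
        bop->error=new FWException(ex);
        isdead->unlock();
    }

    *logger << "Background process has finished\n";

    isdead->lock();
    if (isdead->peek())
    {
        isdead->unlock();
        delete logger;
        delete isdead;
        delete[] void_pair;   // allocated with new void*[4]
        return(NULL);
    }
    /* operation completed - clear "running" flag */
    bop->clearRunning();
    isdead->unlock();

    /* wait till the other thread reads all the lines from logger.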
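If
     * widget that was reading lines from this logger has been destroyed,
     * it should have called BackhroundOp::disconnect to release BackgroundOp
     * object */
    while (true)
    {
        isdead->lock();
        if (isdead->peek() || !bop->isConnected())
        {
            isdead->unlock();
            break;
        }
        isdead->unlock();
        libfwbuilder::cxx_sleep(1);
    }

    // On this path isdead and stop_program are deliberately not freed:
    // the owning BackgroundOp may still be alive and using them (see
    // the comment on ~BackgroundOp). The argument array was allocated
    // with new void*[4] and therefore needs delete[].
    delete logger;
    delete[] void_pair;
    return(NULL);
}

}
fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/BackgroundOp.h000066400000000000000000000076131303637203600242650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.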
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __BACKGROUNDOP_HH_FLAG__ #define __BACKGROUNDOP_HH_FLAG__ #include #include #ifdef __MINGW32__ //win32 pthread ditrib doesn't have config.h # ifdef HAVE_CONFIG_H # undef HAVE_CONFIG_H # include # define HAVE_CONFIG_H # endif #else # include #endif #include "fwbuilder/FWException.h" #include "fwbuilder/Tools.h" #include "fwbuilder/ThreadTools.h" #include "fwbuilder/Pool.h" #include "fwbuilder/Logger.h" // #include namespace libfwbuilder { void *background_thread(void *); /** * Abstract class BackgroundOp represents operatioin executed in background */ class BackgroundOp { friend void *background_thread(void *); private: SyncFlag running ; SyncFlag connected ; pthread_attr_t tattr; protected: SyncFlag *stop_program ; FWException *error ; SyncFlag *iamdead ; /** * Implementation of the actual operation. Use logger to send * output text to the GUI. The SyncFlag is a mutex flag used to * interrupt background operation. We can't keep this flag as a * member of the class BackgroundOp because object of this class * gets destroyed before actual background operation has finished * (especially if it got stuck in a system call). To avoid having * to use object of the class BackgroundOp and any of its members * or methods, we create this flag as a dynamic variable and pass * pointer to run_impl, which should destroy it when it finishes. */ virtual void run_impl(Logger *,SyncFlag *) throw(FWException) = 0; /** * sets flag "running" */ void setRunning(); /** * clears flag "running" */ void clearRunning(); /** * checks "stop" flag and terminates thread if it is set. 
Used * from inside run_impl to check if background operation should be * immediately interrupted */ #define CHECK_STOP_AND_RETURN { stop_program->lock();\ if ( stop_program->peek() ){ stop_program->unlock(); return; }\ stop_program->unlock(); } #define CHECK_STOP_AND_THROW_EXCEPTION { stop_program->lock();\ if ( stop_program->peek() ){ stop_program->unlock(); throw FWException("Interrupted"); }\ stop_program->unlock(); } public: BackgroundOp(); virtual ~BackgroundOp(); /** * checks whether background operation is connected to GUI */ bool isConnected(); /** * disconnects background operation from the GUI */ void disconnect(); /** * Initiates background operation */ virtual Logger* start_operation() throw(FWException); /** * Stops background operation */ virtual void stop_operation(); /** * returns flag "running" */ bool isRunning(); /** * returns last error from the background operation. The meaning of * the error is determined by the operation */ FWException *get_latest_error() { return error; } }; } #endif // __BACKGROUNDOP_HH_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Cluster.cpp000066400000000000000000000176471303637203600236730ustar00rootroot00000000000000/* * Cluster.cpp - Cluster class implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. 
* * o The terms of NetCitadel End User License Agreement */ #include #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/Resources.h" using namespace std; using namespace libfwbuilder; const char *Cluster::TYPENAME = {"Cluster"}; Cluster::Cluster() { setStr("platform", "unknown"); setStr("host_OS", "unknown"); setInt("lastModified", 0); setInt("lastInstalled", 0); setInt("lastCompiled", 0); } void Cluster::init(FWObjectDatabase *root) { Firewall::init(root); // create one conntrack member group FWObject *state_sync_members = getFirstByType(StateSyncClusterGroup::TYPENAME); if (state_sync_members == NULL) { state_sync_members = root->create(StateSyncClusterGroup::TYPENAME); state_sync_members->setName("State Sync Group"); state_sync_members->setStr("type", "conntrack"); add(state_sync_members); } } void Cluster::fromXML(xmlNodePtr root) throw(FWException) { Firewall::fromXML(root); } xmlNodePtr Cluster::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = Firewall::toXML(parent); FWObject *o; for (FWObjectTypedChildIterator it = findByType(StateSyncClusterGroup::TYPENAME); it != it.end(); ++it) { o = *it; if (o) { o->toXML(me); } } return me; } FWOptions* Cluster::getOptionsObject() { return FWOptions::cast(getFirstByType(FirewallOptions::TYPENAME)); } Policy* Cluster::getPolicy() { return (Policy::cast(findObjectByName(Policy::TYPENAME, "Policy"))); } NAT* Cluster::getNAT() { return 
(NAT::cast(findObjectByName(NAT::TYPENAME, "NAT"))); }

/* Routing rule set child named "Routing", or NULL if there is none. */
Routing* Cluster::getRouting()
{
    return Routing::cast(findObjectByName(Routing::TYPENAME, "Routing"));
}

/*
 * Return the state synchronization group of this cluster, creating an
 * empty StateSyncClusterGroup child on demand so callers never get NULL.
 */
ClusterGroup* Cluster::getStateSyncGroupObject()
{
    FWObject *existing = getFirstByType(StateSyncClusterGroup::TYPENAME);
    StateSyncClusterGroup *sync_group = StateSyncClusterGroup::cast(existing);
    if (sync_group != NULL) return sync_group;

    // Nothing there yet: create a fresh group and attach it to this cluster
    sync_group = StateSyncClusterGroup::cast(
        getRoot()->create(StateSyncClusterGroup::TYPENAME));
    add(sync_group);
    return sync_group;
}

/*
 * A cluster accepts whatever FWObject accepts, restricted to the object
 * types listed below. o is dereferenced for its type name before the
 * base check runs, so it must not be NULL.
 */
bool Cluster::validateChild(FWObject *o)
{
    const string otype = o->getTypeName();
    if (!FWObject::validateChild(o)) return false;

    const char *const accepted[] = {
        Interface::TYPENAME,
        RuleSet::TYPENAME,
        Policy::TYPENAME,
        NAT::TYPENAME,
        Routing::TYPENAME,
        Management::TYPENAME,
        StateSyncClusterGroup::TYPENAME,
        FirewallOptions::TYPENAME
    };
    const size_t n_accepted = sizeof(accepted) / sizeof(accepted[0]);
    for (size_t idx = 0; idx < n_accepted; ++idx)
    {
        if (otype == accepted[idx]) return true;
    }
    return false;
}

/*
 * Copy obj into this object. Firewall::duplicate covers everything a
 * plain firewall has; state sync groups are a Cluster-only child type
 * and are copied here.
 */
FWObject& Cluster::duplicate(const FWObject *obj, bool preserve_id)
    throw(FWException)
{
    Firewall::duplicate(obj, preserve_id);

    FWObjectTypedChildIterator sync_groups =
        obj->findByType(StateSyncClusterGroup::TYPENAME);
    for ( ; sync_groups != sync_groups.end(); ++sync_groups)
    {
        FWObject *group = *sync_groups;
        if (group == NULL) continue;
        addCopyOf(group, preserve_id);
    }
    return *this;
}

/* Timestamps are kept as integer attributes holding time(NULL). */
void Cluster::updateLastInstalledTimestamp()
{
    setInt("lastInstalled", time(NULL));
}

void Cluster::updateLastModifiedTimestamp()
{
    setInt("lastModified", time(NULL));
}

void Cluster::updateLastCompiledTimestamp()
{
    setInt("lastCompiled", time(NULL));
}

time_t Cluster::getLastModified() { return getInt("lastModified"); }
time_t Cluster::getLastInstalled() { return getInt("lastInstalled"); }
time_t Cluster::getLastCompiled() { return getInt("lastCompiled"); }

/*
 * Install is needed unless the object went through modified ->
 * compiled -> installed with non-decreasing timestamps; a missing
 * compile or install timestamp always means yes.
 */
bool Cluster::needsInstall()
{
    const time_t installed = getLastInstalled();
    const time_t compiled = getLastCompiled();
    if (installed == 0 || compiled == 0) return true;
    // De Morgan of !(modified <= compiled && compiled <= installed)
    return getLastModified() > compiled || compiled > installed;
}

/* Compile is needed when never compiled, or modified after the last compile. */
bool Cluster::needsCompile()
{
    const time_t compiled = getLastCompiled();
    return compiled == 0 || getLastModified() > compiled;
}

bool Cluster::getInactive()
{
    return
getBool("inactive"); }

void Cluster::setInactive(bool b) { setBool("inactive", b); }

/*
 * Check whether fw may become a member of this cluster: host OS and
 * platform must equal the cluster's own, and Resources must report the
 * "supports_cluster" capability for that host OS. fw must not be NULL;
 * it is dereferenced without a check.
 */
bool Cluster::validateMember(Firewall *fw)
{
    string my_host_os = getStr("host_OS");
    string their_host_os = fw->getStr("host_OS");
    string my_platform = getStr("platform");
    string their_platform = fw->getStr("platform");

    if (my_host_os != their_host_os) return false;
    if (my_platform != their_platform) return false;

    if (! Resources::getTargetCapabilityBool(my_host_os, "supports_cluster"))
        return false;

    // Any other checks we should do ?
    return true;
}

/*
 * List members should contain each member firewall only once, but the
 * same member firewall can be present in several failover groups and
 * possibly in state synchronization group. Using set to make the
 * list unique.
 */
void Cluster::getMembersList(list &members)
{
    set members_ids;

    list all_groups = getByTypeDeep(StateSyncClusterGroup::TYPENAME);
    list all_failover = getByTypeDeep(FailoverClusterGroup::TYPENAME);
    // NOTE(review): std::list::merge() is specified for two sorted
    // lists and neither of these is sorted. The intent is plain
    // concatenation, i.e. splice(). Common implementations still move
    // every element across, but the resulting order is meaningless.
    all_groups.merge(all_failover);

    for (list::iterator it = all_groups.begin(); it != all_groups.end(); ++it)
    {
        for (list::iterator j = (*it)->begin(); j != (*it)->end(); ++j)
        {
            FWObject *member = FWReference::getObject(*j);
            // The group's options object is a child too, but not a member
            if (ClusterGroupOptions::isA(member)) continue;
            Firewall *fw = NULL;
            // as of 05/04 members of StateSyncClusterGroup are interfaces.
See // tickets #10 and #11 if (Interface::cast(member)) fw = Firewall::cast(Host::getParentHost(member)); else fw = Firewall::cast(member); members_ids.insert(fw->getId()); } } for (set::iterator it = members_ids.begin(); it != members_ids.end(); ++it) { Firewall *fw = Firewall::cast(getRoot()->findInIndex(*it)); if (fw) members.push_back(fw); } } bool Cluster::hasMember(Firewall *fw) { list all_groups = getByTypeDeep(StateSyncClusterGroup::TYPENAME); list all_failover = getByTypeDeep(FailoverClusterGroup::TYPENAME); all_groups.merge(all_failover); for (list::iterator it = all_groups.begin(); it != all_groups.end(); ++it) { for (list::iterator j = (*it)->begin(); j != (*it)->end(); ++j) { FWObject *member = FWReference::getObject(*j); if (ClusterGroupOptions::isA(member)) continue; Firewall *member_fw = NULL; // as of 05/04/2009 members of StateSyncClusterGroup are // interfaces. See tickets #10 and #11 if (Interface::cast(member)) member_fw = Firewall::cast(Host::getParentHost(member)); else member_fw = Firewall::cast(member); if (fw == member_fw) return true; } } return false; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Cluster.h000066400000000000000000000061151303637203600233240ustar00rootroot00000000000000/* * Cluster.h - Cluster class header file * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. 
* * o The terms of NetCitadel End User License Agreement */ #ifndef __CLUSTER_HH__ #define __CLUSTER_HH__ #include "fwbuilder/Firewall.h" namespace libfwbuilder { class Policy; class NAT; class RuleSet; class Routing; class ClusterGroup; class Cluster : public Firewall { public: Cluster(); virtual ~Cluster() {}; /** * This method should create any standard mandatory child objects * the object might need. */ virtual void init(FWObjectDatabase *root); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(Cluster); DECLARE_DISPATCH_METHODS(Cluster); /** * verify whether given object type is approppriate as a child */ virtual bool validateChild(FWObject *o); virtual FWOptions* getOptionsObject(); virtual FWObject& duplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); Policy* getPolicy(); NAT* getNAT(); Routing* getRouting(); /** * return attached cluster group members object that * supports state synchronization (e.g. conntrackd). * * if the object is not found, a new one is created. * * @return assigned cluster group members object */ virtual ClusterGroup* getStateSyncGroupObject(); /** * Build a list of member firewalls. This method scans all * failover groups as well as state sync groups of the * cluster. Upon return, each firewall object appears in the * list exactly once. */ virtual void getMembersList(std::list &members); /** * Check validity of a given member. This is where we * implement logic to check if host OS of the cluster and * members is the same and possibly other criteria. */ virtual bool validateMember(libfwbuilder::Firewall*); /** * check if @fw is a member of this cluster. 
*/ bool hasMember(libfwbuilder::Firewall *fw); time_t getLastModified(); time_t getLastInstalled(); time_t getLastCompiled(); void updateLastInstalledTimestamp(); void updateLastModifiedTimestamp(); void updateLastCompiledTimestamp(); bool needsInstall(); bool needsCompile(); bool getInactive(); void setInactive(bool b); }; } #endif /* __CLUSTER_HH__ */ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ClusterGroup.cpp000066400000000000000000000120071303637203600246710ustar00rootroot00000000000000/* * ClusterGroup.cpp - ClusterGroup class implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/ClusterGroup.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWOptions.h" using namespace std; using namespace libfwbuilder; const char *ClusterGroup::TYPENAME = {"ClusterGroup"}; ClusterGroup::ClusterGroup() : ObjectGroup() { setStr("type", ""); } void ClusterGroup::init(FWObjectDatabase *root) { FWObject *gopt = getFirstByType(ClusterGroupOptions::TYPENAME); if (gopt == NULL) { gopt = root->create(ClusterGroupOptions::TYPENAME); add(gopt); } } bool ClusterGroup::validateChild(FWObject *o) { string otype = o->getTypeName(); return (FWObject::validateChild(o) && (otype == Interface::TYPENAME || otype == ClusterGroupOptions::TYPENAME || otype == FWObjectReference::TYPENAME)); } void ClusterGroup::replaceReferenceInternal(int old_id, int new_id, int &counter) { if (old_id == new_id) return; FWObject::replaceReferenceInternal(old_id, new_id, counter); string 
master_iface_id = getStr("master_iface"); if (!master_iface_id.empty()) { int master_iface_id_int = FWObjectDatabase::getIntId(master_iface_id); if (master_iface_id_int == old_id) { setStr("master_iface", FWObjectDatabase::getStringId(new_id)); counter++; } } } void ClusterGroup::fromXML(xmlNodePtr parent) throw(FWException) { FWObject::fromXML(parent); const char *n; n = FROMXMLCAST(xmlGetProp(parent, TOXMLCAST("type"))); if (n != NULL) { setStr("type", n); FREEXMLBUFF(n); } n = FROMXMLCAST(xmlGetProp(parent, TOXMLCAST("master_iface"))); if (n != NULL) { setStr("master_iface", n); FREEXMLBUFF(n); } } xmlNodePtr ClusterGroup::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); FWObject *o; for (FWObjectTypedChildIterator it = findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { o = *it; if (o) o->toXML(me); } for (FWObjectTypedChildIterator it = findByType(ClusterGroupOptions::TYPENAME); it != it.end(); ++it) { o = *it; if (o) o->toXML(me); } return me; } ClusterGroupOptions* ClusterGroup::getOptionsObject() { ClusterGroupOptions *gopt = ClusterGroupOptions::cast( getFirstByType(ClusterGroupOptions::TYPENAME)); if (gopt == NULL) { gopt = ClusterGroupOptions::cast( getRoot()->create(ClusterGroupOptions::TYPENAME)); add(gopt); } return gopt; } FWObject& ClusterGroup::duplicateForUndo(const FWObject *obj) throw(FWException) { if (ClusterGroup::constcast(obj)==NULL) return *this; setRO(false); ClusterGroupOptions *their_opts = ClusterGroupOptions::cast( obj->getFirstByType(ClusterGroupOptions::TYPENAME)); ClusterGroupOptions *mine_opts = ClusterGroupOptions::cast( getFirstByType(ClusterGroupOptions::TYPENAME)); list all_refs = getByType(FWObjectReference::TYPENAME); while (all_refs.size()) { remove(all_refs.front(), false); all_refs.pop_front(); } for(list::const_iterator m=obj->begin(); 
m!=obj->end(); ++m) { if (FWReference::cast(*m)) { FWObject *object = FWReference::getObject(*m); addRef(object); } } if (their_opts && mine_opts) mine_opts->duplicate(their_opts); if (their_opts && mine_opts==NULL) addCopyOf(their_opts); shallowDuplicate(obj); return *this; } Interface* ClusterGroup::getInterfaceForMemberFirewall(Firewall *fw) { #ifdef DEBUG_FOR_DMZ cerr << "ClusterGroup::getInterfaceForMemberFirewall " << fw << endl; if (fw) { cerr << " fw: " << fw->getName() << endl; } #endif for (FWObjectTypedChildIterator it = findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { Interface *other_iface = Interface::cast(FWObjectReference::getObject(*it)); assert(other_iface); #ifdef DEBUG_FOR_DMZ cerr << " other_iface: " << other_iface->getName() << " isChildOf(fw): " << other_iface->isChildOf(fw) << endl; #endif if (other_iface->isChildOf(fw)) return other_iface; } return NULL; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ClusterGroup.h000066400000000000000000000044671303637203600243510ustar00rootroot00000000000000/* * ClusterGroup.h - Class to group cluster interfaces * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement * * * Class ClusterGroup serves as a base class for StateSyncClusterGroup and * FailoverClusterGroup. Objects of the class ClusterGroup are never used * and can not be stored in XML file. 
*/ #ifndef __CLUSTERGROUP_HH_ #define __CLUSTERGROUP_HH_ #include "fwbuilder/ObjectGroup.h" namespace libfwbuilder { class ClusterGroupOptions; class ClusterGroup : public ObjectGroup { protected: virtual void replaceReferenceInternal(int oldfw_id, int newfw_id, int &counter); public: ClusterGroup(); virtual ~ClusterGroup() {}; /** * This method should create any standard mandatory child objects * the object might need. */ virtual void init(FWObjectDatabase *root); DECLARE_FWOBJECT_SUBTYPE(ClusterGroup); DECLARE_DISPATCH_METHODS(ClusterGroup); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); /* * verify whether given object type is approppriate as a child */ virtual bool validateChild(FWObject *o); virtual ClusterGroupOptions* getOptionsObject(); /** * This method copies all attributes of obj plus all reference * child objects and the options object to reproduce accurate * state of this. */ virtual FWObject& duplicateForUndo(const FWObject *obj) throw(FWException); /** * If @this is cluster interface and it is correctly * configured with member interfaces, this method returns * pointer to interface that belongs to the given member * firewall. Otherwise it returns NULL. */ Interface* getInterfaceForMemberFirewall(Firewall *fw); }; } #endif /* __CLUSTERGROUP_HH_ */ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Constants.cpp000066400000000000000000000042351303637203600242130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Constants.h" using namespace std; using namespace libfwbuilder; string Constants::res_dir; void Constants::init(const std::string &app_root_dir) { if (app_root_dir.empty()) res_dir = string(RES_DIR); else res_dir = app_root_dir + FS_SEPARATOR + string(RES_DIR); } const string Constants::getLibraryDescription() { return "Firewall Builder API "; } const string Constants::getLibraryVersion() { return string(VERSION); } const string Constants::getDataFormatVersion() { return string(FWBUILDER_XML_VERSION); } const string Constants::getTemplateDirectory() { return string(RES_DIR); } string Constants::getDTDDirectory() { if (res_dir.empty()) init(""); return res_dir; } string Constants::getResourcesDirectory() { if (res_dir.empty()) init(""); return res_dir; } string Constants::getResourcesFilePath() { return getResourcesDirectory() + FS_SEPARATOR + "resources.xml"; } string Constants::getStandardObjectsFilePath() { return getResourcesDirectory() + FS_SEPARATOR + "objects_init.xml"; } string Constants::getTemplatesObjectsFilePath() { return getResourcesDirectory() + FS_SEPARATOR + "templates.xml"; } string Constants::getLocaleDirectory() { return getResourcesDirectory() + "/locale"; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Constants.h000066400000000000000000000045741303637203600236660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __LIBFWBUILDER_CONSTANTS_HH__ #define __LIBFWBUILDER_CONSTANTS_HH__ #include namespace libfwbuilder { /** * This class represents various information * about library as well as some public * constants. */ class Constants { static std::string res_dir; public: static void init(const std::string &app_root_dir); /** * Returns library's description */ static const std::string getLibraryDescription(); /** * Returns library version number */ static const std::string getLibraryVersion(); /** * Returns data format version number */ static const std::string getDataFormatVersion(); /** * Returns directory in which library stores it's data files. 
*/ static const std::string getTemplateDirectory(); /** * Returns directory where we install XML DTD file */ static std::string getDTDDirectory(); /** * Returns directory where we install resources */ static std::string getResourcesDirectory(); /** * Returns full path to the resources file */ static std::string getResourcesFilePath(); /** * Returns full path to the standard objects library file */ static std::string getStandardObjectsFilePath(); /** * Returns full path to the prepackaged firewall template objects file */ static std::string getTemplatesObjectsFilePath(); /** * Returns full path to the directory where we install locale files */ static std::string getLocaleDirectory(); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/CustomService.cpp000066400000000000000000000140401303637203600250250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
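To get a copy of the GNU General Public License, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA */

#include
#include "config.h"
#include "fwbuilder/libfwbuilder-config.h"

#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/XMLTools.h"

using namespace std;
using namespace libfwbuilder;

const char *CustomService::TYPENAME={"CustomService"};

CustomService::CustomService() { address_family = AF_INET;}
CustomService::~CustomService() {}

/* Protocol name as configured; "any" when none was set. */
string CustomService::getProtocolName() const
{
    if (protocol.empty()) return "any";
    return protocol;
}

/*
 * A custom service carries no real IP protocol number; 65000 is a
 * sentinel outside the range of assigned protocol numbers.
 */
int CustomService::getProtocolNumber() const { return 65000; }

/*
 * Copy the fields specific to this class (per-platform code map,
 * protocol name, address family) from x, then let FWObject copy the
 * common attributes. When x is not a CustomService those fields are
 * left as they are instead of dereferencing a NULL cast result; this
 * mirrors the guard used by ClusterGroup::duplicateForUndo.
 */
FWObject& CustomService::shallowDuplicate(const FWObject *x,
                                          bool preserve_id)
    throw(FWException)
{
    const CustomService *cs = CustomService::constcast(x);
    if (cs != NULL)
    {
        codes = cs->codes;
        protocol = cs->protocol;
        address_family = cs->address_family;
    }
    return FWObject::shallowDuplicate(x, preserve_id);
}

/*
 * Load this object from a CustomService element: the name, id,
 * comment, protocol and address_family attributes plus one
 * CustomServiceCommand child per platform. Every libxml2 buffer
 * obtained here is released with FREEXMLBUFF.
 *
 * Throws FWException when a command element has no "platform"
 * attribute. A data file can come from anywhere, and the assert()
 * that used to sit here is compiled out under NDEBUG, after which the
 * NULL reached setCodeForPlatform() and std::string construction.
 */
void CustomService::fromXML(xmlNodePtr root) throw(FWException)
{
    const char *n;
    const char *cont;

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("name")));
    if (n)
    {
        setName(n);
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("id")));
    if (n)
    {
        setId(FWObjectDatabase::registerStringId(n));
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("comment")));
    if (n)
    {
        setComment(XMLTools::unquote_linefeeds(n));
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("protocol")));
    if (n)
    {
        setProtocol(XMLTools::unquote_linefeeds(n));
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("address_family")));
    if (n)
    {
        string af(XMLTools::unquote_linefeeds(n));
        // Anything other than "ipv6" (including garbage) means IPv4
        if (af=="ipv6") setAddressFamily(AF_INET6);
        else setAddressFamily(AF_INET);
        FREEXMLBUFF(n);
    }

    for (xmlNodePtr cur=root->xmlChildrenNode; cur; cur=cur->next)
    {
        if (cur && !xmlIsBlankNode(cur))
        {
            n = FROMXMLCAST(xmlGetProp(cur,TOXMLCAST("platform")));
            if (n == NULL)
                throw FWException(
                    "CustomServiceCommand element has no 'platform' attribute");
            cont = FROMXMLCAST( xmlNodeGetContent(cur) );
            if (cont)
            {
                setCodeForPlatform(n, cont );
                FREEXMLBUFF(cont);
            }
            FREEXMLBUFF(n);
        }
    }
}

/* Serialise: attributes plus one CustomServiceCommand child per platform. */
xmlNodePtr CustomService::toXML(xmlNodePtr parent) throw(FWException)
{
    xmlNodePtr opt;
    xmlNodePtr me = FWObject::toXML(parent);

    xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName()));
    xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment()));
    xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False")));
    xmlNewProp(me, TOXMLCAST("protocol"), STRTOXMLCAST(getProtocol()));

    string af;
    if (getAddressFamily() == AF_INET6) af ="ipv6";
    else af = "ipv4";
    xmlNewProp(me, TOXMLCAST("address_family"), STRTOXMLCAST(af));

    map::const_iterator i;
    for(i=codes.begin(); i!=codes.end(); ++i)
    {
        const string &platform = (*i).first;
        const string &code = (*i).second;

        // The code body is arbitrary text: escape it before it becomes
        // element content.
        xmlChar *codebuf = xmlEncodeSpecialChars(NULL, STRTOXMLCAST(code) );
        opt=xmlNewChild(me,NULL,TOXMLCAST("CustomServiceCommand"), codebuf);
        FREEXMLBUFF(codebuf);
        xmlNewProp(opt, TOXMLCAST("platform") , STRTOXMLCAST(platform));
    }
    return me;
}

/*
 * Equality check. Two custom services are equal when the common
 * FWObject attributes, protocol, address family and the complete
 * per-platform code map all match. Comparing the maps directly makes
 * the test symmetric; the previous one-way scan of this->codes
 * reported "equal" when obj had additional platforms.
 */
bool CustomService::cmp(const FWObject *obj, bool recursive) throw(FWException)
{
    if (CustomService::constcast(obj)==NULL) return false;
    if (!FWObject::cmp(obj, recursive)) return false;

    const CustomService *o2 = CustomService::constcast(obj);
    if (protocol!=o2->protocol || address_family!=o2->address_family)
        return false;

    return codes == o2->codes;
}

void CustomService::setCodeForPlatform(const string& platform, const string& code)
{
    codes[platform]=code;
}

/* Code configured for platform, or "" when there is none. */
const string CustomService::getCodeForPlatform(const string& platform) const
{
    std::map::const_iterator it = codes.find(platform);
    if (it == codes.end()) return "";
    return it->second;
}

list CustomService::getAllKnownPlatforms()
{
    list res;
    map::const_iterator i;
    for (i=codes.begin(); i!=codes.end(); ++i)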
{ res.push_back( (*i).first); } return res; } void CustomService::setProtocol(const string& proto) { protocol = proto; } const string& CustomService::getProtocol() { if (protocol.empty()) protocol = "any"; return protocol; } void CustomService::setAddressFamily(int af) { address_family = af; } int CustomService::getAddressFamily() { if (address_family==-1) return AF_INET; return address_family; } bool CustomService::isV4Only() { return (getAddressFamily() == AF_INET); } bool CustomService::isV6Only() { return (getAddressFamily() == AF_INET6); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/CustomService.h000066400000000000000000000046161303637203600245020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __CUSTOMSERVICE_HH_FLAG__ #define __CUSTOMSERVICE_HH_FLAG__ #include "fwbuilder/Service.h" #include // for AF_INET and AF_INET6 #ifndef _WIN32 # include # include # include # include #else # include # include #endif namespace libfwbuilder { /* Service whose definition is a free-form, per-platform command fragment rather than a port/protocol tuple. The fragments are stored and serialised verbatim (CustomService::toXML) and are presumably spliced into generated configurations by the platform compilers (not visible here), so the content of a .fwb file is effectively code. */ class CustomService : public Service { private: std::map codes; /* platform name -> verbatim code fragment, one CustomServiceCommand element each */ std::string protocol; /* free text; reported as "any" when empty */ int address_family; /* AF_INET (constructor default) or AF_INET6 */ public: CustomService(); virtual ~CustomService(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); virtual FWObject& shallowDuplicate( const FWObject *obj, bool preserve_id = true) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(CustomService); DECLARE_DISPATCH_METHODS(CustomService); virtual std::string getProtocolName() const; /* protocol, or "any" when unset; const, never writes back */ virtual int getProtocolNumber() const; /* fixed 65000, a pseudo number outside the 0..255 IP protocol range */ void setCodeForPlatform(const std::string& platform, const std::string& code); const std::string getCodeForPlatform(const std::string& platform) const; /* "" when the platform has no entry */ std::list getAllKnownPlatforms(); void setProtocol(const std::string& proto); const std::string& getProtocol(); /* writes "any" into the object when unset */ void setAddressFamily(int af); int getAddressFamily(); /* -1 is reported as AF_INET */ virtual bool isV4Only(); virtual bool isV6Only(); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/DNSName.cpp000066400000000000000000000121441303637203600234620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
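This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include 
#include "config.h"
#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectReference.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/InetAddr.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/dns.h"
#include 

using namespace libfwbuilder;
using namespace std;

/*
 * DNSName: a MultiAddress whose members are obtained by resolving a
 * host name. State lives in the generic string data map: "dnsrec" is
 * the name to resolve, "dnsrectype" the record type (default "A"),
 * "run_time" whether resolution is deferred to the firewall itself.
 */
const char *DNSName::TYPENAME={"DNSName"};

DNSName::DNSName() : MultiAddress()
{
    setRunTime(false);
    setStr("dnsrec", "");
    setStr("dnsrectype", "A");
}

/* Host name to resolve ("dnsrec"). */
string DNSName::getSourceName() { return getStr("dnsrec"); }

void DNSName::setSourceName(const std::string& source_name)
{
    setStr("dnsrec", source_name);
}

/*
 * Record type ("dnsrectype"). Both accessors previously used the
 * "dnsrec" key, so the getter returned the host name and the setter
 * overwrote it; the constructor and fromXML() use "dnsrectype".
 */
string DNSName::getDNSRecordType() { return getStr("dnsrectype"); }

void DNSName::setDNSRecordType(const string& rectype)
{
    setStr("dnsrectype", rectype);
}

/*
 * Restore from XML. FWObject::fromXML handles the generic attributes
 * and children. "dnsrec" and "run_time" are required here and their
 * absence throws FWException; the previous assert() disappeared under
 * -DNDEBUG, after which a NULL reached setStr() as a std::string
 * argument (undefined behaviour). "dnsrectype" is optional and
 * defaults to "A".
 */
void DNSName::fromXML(xmlNodePtr root) throw(FWException)
{
    FWObject::fromXML(root);

    const char *n;

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("dnsrec")));
    if (n==NULL)
        throw FWException("DNSName::fromXML: required attribute \"dnsrec\" is missing");
    setStr("dnsrec", n);
    FREEXMLBUFF(n);

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("dnsrectype")));
    if (n!=NULL)
    {
        setStr("dnsrectype", n);
        FREEXMLBUFF(n);
    } else
    {
        setStr("dnsrectype", "A");
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("run_time")));
    if (n==NULL)
        throw FWException("DNSName::fromXML: required attribute \"run_time\" is missing");
    setStr("run_time", n);
    FREEXMLBUFF(n);
}

/*
 * Serialise to XML. FWObject::toXML(parent, false) writes id, keywords
 * and the data map (presumably where setStr() keeps dnsrec/dnsrectype/
 * run_time - setStr is not visible here) but not the children, so the
 * references added by loadFromSource() are never persisted. name,
 * comment and ro are added explicitly.
 */
xmlNodePtr DNSName::toXML(xmlNodePtr parent) throw(FWException)
{
    xmlNodePtr me = FWObject::toXML(parent, false);
    xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName()));
    xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment()));
    xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False")));
    return me;
}

/*
 * Take the host name from "dnsrec" and resolve it for the requested
 * address family. Every address returned becomes a new IPv4/IPv6
 * object with a host netmask (all ones), added to the object database
 * and referenced from this group. If resolution fails an FWException
 * is thrown; in test_mode a dummy object is added and referenced
 * first, carrying the error text in ".rule_error"/".error_msg"
 * (dot-prefixed keys are never written to XML by FWObject::toXML) so
 * a compiler can report the problem and continue.
 *
 * Security note: the resolved addresses are baked into the compiled
 * policy, so the policy is only as trustworthy as the resolver that
 * answered at compile time (whether DNS::getHostByName validates
 * DNSSEC is not visible here). Where the policy must not depend on a
 * lookup, consider run_time resolution or static addresses.
 *
 * The dummy addresses come from the documentation ranges (RFC 5737
 * 192.0.2.0/24, RFC 3849 2001:db8::/32), which are reserved and not
 * assigned to real hosts.
 *
 * TODO: new object should be added to some kind of special group in
 * the object tree, something with the name "tmp" or similar.
 */
void DNSName::loadFromSource(bool ipv6, FWOptions *options, bool test_mode) throw(FWException)
{
    (void) options; /* Unused */

    int af_type = (ipv6)?AF_INET6:AF_INET;

    try
    {
        list<InetAddr> v = DNS::getHostByName(getSourceName(), af_type);
        for (list<InetAddr>::iterator i=v.begin(); i!=v.end(); ++i)
        {
            Address *a = NULL;
            if (ipv6) a = getRoot()->createIPv6();
            else a = getRoot()->createIPv4();
            getRoot()->add(a);
            a->setAddress(*i);
            a->setNetmask(InetAddr::getAllOnes(af_type));
            addRef(a);
        }
    } catch (const FWException &ex)
    {
        /*
         * in test mode we use dummy address but still throw exception.
         * Compiler should print error message but continue.
         */
        ostringstream err;
        string af_type_name = (ipv6)?string("AF_INET6"):string("AF_INET");
        err << "DNSName object \"" << getName()
            << "\" (compile time) can not resolve dns name \""
            << getSourceName() << "\" "
            << "(" << af_type_name << ")"
            << ": " << ex.toString();

        if (test_mode)
        {
            err << " Using dummy address in test mode";
            Address *a = NULL;
            if (ipv6)
            {
                a = getRoot()->createIPv6();
                a->setAddress(InetAddr(af_type, "2001:db8::1"));
            } else
            {
                a = getRoot()->createIPv4();
                a->setAddress("192.0.2.1");
            }
            /* host mask for both families; the IPv6 branch previously left it unset */
            a->setNetmask(InetAddr::getAllOnes(af_type));
            getRoot()->add(a);
            addRef(a);
            a->setBool(".rule_error", true);
            a->setStr(".error_msg", err.str());
        }
        throw(FWException(err.str()));
    }
}
fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/DNSName.h000066400000000000000000000032151303637203600231260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 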
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __DNS_NAME_HH_FLAG__ #define __DNS_NAME_HH_FLAG__ #include "fwbuilder/FWObject.h" #include "fwbuilder/MultiAddress.h" namespace libfwbuilder { /* MultiAddress whose members are the addresses a host name resolves to. All state is kept in the string data map (keys "dnsrec", "dnsrectype", "run_time"), so the class declares no data members of its own. */ class DNSName : public MultiAddress { private: public: DECLARE_FWOBJECT_SUBTYPE(DNSName); DECLARE_DISPATCH_METHODS(DNSName); DNSName(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); virtual std::string getSourceName(); /* the "dnsrec" host name */ virtual void setSourceName(const std::string& source_name); std::string getDNSRecordType(); void setDNSRecordType(const std::string& rectype); /* Resolves the name for the given family and adds references to freshly created address objects; throws FWException on failure, after adding a dummy member when test_mode is set. */ virtual void loadFromSource(bool ipv6, FWOptions *options, bool test_mode=false) throw(FWException); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Dispatch.h000066400000000000000000000201361303637203600234410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id: Dispatch.h 516 2010-01-26 03:25:44Z vadim $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __DISPATCH_HH_FLAG__ #define __DISPATCH_HH_FLAG__ #include #include #include #include "fwbuilder/libfwbuilder-config.h" namespace libfwbuilder { /* Forward declarations of every object type a Dispatch subclass can be asked to handle. */ class InetAddr; class InetAddrMask; class Address; class AddressRange; class AddressTable; class Cluster; class ClusterGroup; class ClusterGroupOptions; class CustomService; class DNSName; class FWBDManagement; class FWIntervalReference; class FWObject; class FWObjectDatabase; class FWObjectReference; class FWOptions; class FWReference; class FWServiceReference; class FailoverClusterGroup; class Firewall; class FirewallOptions; class Group; class Host; class HostOptions; class ICMP6Service; class ICMPService; class IPService; class IPv4; class IPv6; class Interface; class InterfaceOptions; class Interval; class IntervalGroup; class Library; class Management; class MultiAddress; class MultiAddressRunTime; class NAT; class NATRule; class NATRuleOptions; class Network; class NetworkIPv6; class ObjectGroup; class Policy; class PolicyInstallScript; class PolicyRule; class PolicyRuleOptions; class Routing; class RoutingRule; class RoutingRuleOptions; class Rule; class RuleElement; class RuleElementDst; class RuleElementInterval; class RuleElementItf; class RuleElementODst; class RuleElementOSrc; class RuleElementOSrv; class RuleElementRDst; class RuleElementRGtw; class RuleElementRItf; class RuleElementSrc; class RuleElementSrv; class RuleElementTDst; class RuleElementTSrc; class RuleElementTSrv; class RuleSet; class RuleSetOptions; class SNMPManagement; class Service; class ServiceGroup; class StateSyncClusterGroup; class TCPService; class TCPUDPService; class TagService; class UDPService; class UserService; class physAddress; class DynamicGroup; }; /* * Keeping return NULL; after assert() to make sure the function * returns something even if compiled with -DNDEBUG that 
disables assert() * and to make gcc happy at compile time. */ #define __DECLARE_DISPATCH_METHODS(classname) \ virtual void* dispatch(classname*, void*) \ { assert("Call to unimplemented virtual void* Dispatch::dispatch("#classname"*, void*)"==NULL); \ return NULL; } \ virtual void* dispatch(classname*, const void*) \ { assert("Call to unimplemented virtual void* Dispatch::dispatch("#classname"*, const void*)"==NULL); \ return NULL; } \ virtual void* dispatch(const classname*, void*) \ { assert("Call to unimplemented virtual void* Dispatch::dispatch(const "#classname"*, void*)"==NULL); \ return NULL; } \ virtual void* dispatch(const classname*, const void*) \ { assert("Call to unimplemented virtual void* Dispatch::dispatch(const "#classname"*, const void*)"==NULL); \ return NULL; } \ virtual const void* const_dispatch(const classname*, void*) \ { assert("Call to unimplemented virtual const void* Dispatch::const_dispatch(const "#classname"*, void*)"==NULL); \ return NULL; } \ virtual const void* const_dispatch(const classname*, const void*) \ { assert("Call to unimplemented virtual const void* Dispatch::const_dispatch(const "#classname"*, const void*)"==NULL); \ return NULL; }\ namespace libfwbuilder { /* Visitor base class: six virtual overloads (dispatch/const_dispatch with void*/const void* arguments) per object type, generated by __DECLARE_DISPATCH_METHODS. Every default body asserts with an "unimplemented" message and returns NULL; a subclass overrides only the types it handles. NOTE(review): with -DNDEBUG the assert is gone, so a call for a type the subclass does not override silently yields NULL - callers must check the result. */ class Dispatch { public: Dispatch() {} virtual ~Dispatch() {} __DECLARE_DISPATCH_METHODS(Address); __DECLARE_DISPATCH_METHODS(AddressRange); __DECLARE_DISPATCH_METHODS(AddressTable); __DECLARE_DISPATCH_METHODS(Cluster); __DECLARE_DISPATCH_METHODS(ClusterGroup); __DECLARE_DISPATCH_METHODS(ClusterGroupOptions); __DECLARE_DISPATCH_METHODS(CustomService); __DECLARE_DISPATCH_METHODS(DNSName); __DECLARE_DISPATCH_METHODS(FWBDManagement); __DECLARE_DISPATCH_METHODS(FWIntervalReference); __DECLARE_DISPATCH_METHODS(FWObject); __DECLARE_DISPATCH_METHODS(FWObjectDatabase); __DECLARE_DISPATCH_METHODS(FWObjectReference); __DECLARE_DISPATCH_METHODS(FWOptions); __DECLARE_DISPATCH_METHODS(FWReference); __DECLARE_DISPATCH_METHODS(FWServiceReference); 
__DECLARE_DISPATCH_METHODS(FailoverClusterGroup); __DECLARE_DISPATCH_METHODS(Firewall); __DECLARE_DISPATCH_METHODS(FirewallOptions); __DECLARE_DISPATCH_METHODS(Group); __DECLARE_DISPATCH_METHODS(Host); __DECLARE_DISPATCH_METHODS(HostOptions); __DECLARE_DISPATCH_METHODS(ICMP6Service); __DECLARE_DISPATCH_METHODS(ICMPService); __DECLARE_DISPATCH_METHODS(IPService); __DECLARE_DISPATCH_METHODS(IPv4); __DECLARE_DISPATCH_METHODS(IPv6); __DECLARE_DISPATCH_METHODS(Interface); __DECLARE_DISPATCH_METHODS(InterfaceOptions); __DECLARE_DISPATCH_METHODS(Interval); __DECLARE_DISPATCH_METHODS(IntervalGroup); __DECLARE_DISPATCH_METHODS(Library); __DECLARE_DISPATCH_METHODS(Management); __DECLARE_DISPATCH_METHODS(MultiAddress); __DECLARE_DISPATCH_METHODS(MultiAddressRunTime); __DECLARE_DISPATCH_METHODS(NAT); __DECLARE_DISPATCH_METHODS(NATRule); __DECLARE_DISPATCH_METHODS(NATRuleOptions); __DECLARE_DISPATCH_METHODS(Network); __DECLARE_DISPATCH_METHODS(NetworkIPv6); __DECLARE_DISPATCH_METHODS(ObjectGroup); __DECLARE_DISPATCH_METHODS(Policy); __DECLARE_DISPATCH_METHODS(PolicyInstallScript); __DECLARE_DISPATCH_METHODS(PolicyRule); __DECLARE_DISPATCH_METHODS(PolicyRuleOptions); __DECLARE_DISPATCH_METHODS(Routing); __DECLARE_DISPATCH_METHODS(RoutingRule); __DECLARE_DISPATCH_METHODS(RoutingRuleOptions); __DECLARE_DISPATCH_METHODS(Rule); __DECLARE_DISPATCH_METHODS(RuleElement); __DECLARE_DISPATCH_METHODS(RuleElementDst); __DECLARE_DISPATCH_METHODS(RuleElementInterval); __DECLARE_DISPATCH_METHODS(RuleElementItf); __DECLARE_DISPATCH_METHODS(RuleElementODst); __DECLARE_DISPATCH_METHODS(RuleElementOSrc); __DECLARE_DISPATCH_METHODS(RuleElementOSrv); __DECLARE_DISPATCH_METHODS(RuleElementRDst); __DECLARE_DISPATCH_METHODS(RuleElementRGtw); __DECLARE_DISPATCH_METHODS(RuleElementRItf); __DECLARE_DISPATCH_METHODS(RuleElementSrc); __DECLARE_DISPATCH_METHODS(RuleElementSrv); __DECLARE_DISPATCH_METHODS(RuleElementTDst); __DECLARE_DISPATCH_METHODS(RuleElementTSrc); 
__DECLARE_DISPATCH_METHODS(RuleElementTSrv); __DECLARE_DISPATCH_METHODS(RuleSet); __DECLARE_DISPATCH_METHODS(RuleSetOptions); __DECLARE_DISPATCH_METHODS(SNMPManagement); __DECLARE_DISPATCH_METHODS(Service); __DECLARE_DISPATCH_METHODS(ServiceGroup); __DECLARE_DISPATCH_METHODS(StateSyncClusterGroup); __DECLARE_DISPATCH_METHODS(TCPService); __DECLARE_DISPATCH_METHODS(TCPUDPService); __DECLARE_DISPATCH_METHODS(TagService); __DECLARE_DISPATCH_METHODS(UDPService); __DECLARE_DISPATCH_METHODS(UserService); __DECLARE_DISPATCH_METHODS(physAddress); __DECLARE_DISPATCH_METHODS(DynamicGroup); }; }; #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/DynamicGroup.cpp000066400000000000000000000137211303637203600246400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Theron Tock This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
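To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include "config.h"
#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/DynamicGroup.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include 

using namespace std;
using namespace libfwbuilder;

/*
 * DynamicGroup: a MultiAddress whose members are selected at compile
 * time by filters instead of being listed. Each filter is stored as
 * the string "<type>,<keyword>" (see makeFilter/splitFilter); an
 * object matches when its type name equals <type> (or <type> is
 * TYPE_ANY) and it carries <keyword> (or <keyword> is KEYWORD_ANY).
 *
 * TYPE_NONE and KEYWORD_NONE are "nothing selected" sentinels: a
 * criterion using either is dropped by makeFilter(). KEYWORD_NONE is
 * "," because a keyword can never be the separator itself.
 */
const char *DynamicGroup::TYPE_NONE = "none";
const char *DynamicGroup::TYPE_ANY = "any";
const char *DynamicGroup::KEYWORD_NONE = ",";
const char *DynamicGroup::KEYWORD_ANY = "";

const char *DynamicGroup::TYPENAME={"DynamicGroup"};

DynamicGroup::DynamicGroup() : MultiAddress() {}

DynamicGroup::~DynamicGroup() {}

/* Object references are always accepted as children; anything else is up to FWObject. */
bool DynamicGroup::validateChild(FWObject *o)
{
    if (FWObjectReference::cast(o)!=NULL) return true;
    return FWObject::validateChild(o);
}

/*
 * Restore from XML: FWObject::fromXML handles the generic attributes,
 * then every SelectionCriteria child element becomes one filter.
 * A child element of any other name throws FWException (it used to be
 * an assert(), silent under -DNDEBUG). A criterion missing "type" or
 * "keyword" is ignored instead of being passed to makeFilter() as a
 * NULL std::string argument, which was undefined behaviour.
 */
void DynamicGroup::fromXML(xmlNodePtr root) throw(FWException)
{
    FWObject::fromXML(root);

    for (xmlNodePtr child = root->xmlChildrenNode; child != 0; child = child->next)
    {
        if (child->type != XML_ELEMENT_NODE) continue;

        if (strcmp(FROMXMLCAST(child->name), "SelectionCriteria") != 0)
            throw FWException(string("DynamicGroup::fromXML: unexpected child element ") + FROMXMLCAST(child->name));

        const char *type = FROMXMLCAST(xmlGetProp(child, TOXMLCAST("type")));
        const char *keyword = FROMXMLCAST(xmlGetProp(child, TOXMLCAST("keyword")));

        if (type != NULL && keyword != NULL)
        {
            string filter;
            if (makeFilter(filter, type, keyword))
            {
                m_filter.push_back(filter);
            }
        }

        FREEXMLBUFF(type);
        FREEXMLBUFF(keyword);
    }
}

/*
 * Serialise to XML: generic attributes via FWObject::toXML without
 * children (member references are recomputed by loadFromSource and
 * never saved), the "run_time" attribute is removed, name/comment/ro
 * are added, and each well-formed filter becomes a SelectionCriteria
 * element with "type" and "keyword" attributes.
 */
xmlNodePtr DynamicGroup::toXML(xmlNodePtr parent) throw(FWException)
{
    xmlNodePtr me = FWObject::toXML(parent, false);
    xmlRemoveProp(xmlHasProp(me, TOXMLCAST("run_time")));
    xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName()));
    xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment()));
    xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False")));

    list<string>::const_iterator iter;
    for (iter = m_filter.begin(); iter != m_filter.end(); ++iter)
    {
        string filter, type, keyword;
        if (!splitFilter(*iter, type, keyword)) continue;
        if (!makeFilter(filter, type, keyword)) continue;

        xmlNodePtr item = xmlNewChild(me, NULL, TOXMLCAST("SelectionCriteria"), NULL);
        xmlNewProp(item, TOXMLCAST("type"), STRTOXMLCAST(type));
        xmlNewProp(item, TOXMLCAST("keyword"), STRTOXMLCAST(keyword));
    }

    return me;
}

/*
 * Split "type,keyword" at the first comma. Returns false with the
 * outputs untouched when there is no comma. The keyword part may
 * itself contain commas; the type part cannot.
 */
bool DynamicGroup::splitFilter(const std::string &filter, std::string &type, std::string &keyword)
{
    size_t pos = filter.find(',');
    if (pos == string::npos) return false;
    type = filter.substr(0, pos);
    keyword = filter.substr(pos + 1);
    return true;
}

/*
 * Build "type,keyword". Returns false without touching filter when
 * either half is its "none" sentinel.
 */
bool DynamicGroup::makeFilter(string &filter, const string &type, const string &keyword)
{
    if (type == TYPE_NONE || keyword == KEYWORD_NONE) return false;
    filter = type;
    filter.append(",");
    filter.append(keyword);
    return true;
}

/*
 * Equal when obj passes FWObject::cmp, is a DynamicGroup and has the
 * same filter list in the same order. The NULL check covers the
 * constcast result, which is NULL for any other object type.
 */
bool DynamicGroup::cmp(const FWObject *obj, bool recursive) throw(FWException)
{
    if (!FWObject::cmp(obj, recursive)) return false;
    const DynamicGroup *group = DynamicGroup::constcast(obj);
    if (group == NULL) return false;
    return group->m_filter == m_filter;
}

/* Copy the filter list, then the common fields; throws when other is not a DynamicGroup. */
FWObject& DynamicGroup::shallowDuplicate(const FWObject *other, bool preserve_id) throw (FWException)
{
    const DynamicGroup *otherObj = DynamicGroup::constcast(other);
    if (otherObj == NULL)
        throw FWException("DynamicGroup::shallowDuplicate: source object is not a DynamicGroup");
    m_filter = otherObj->m_filter;
    return FWObject::shallowDuplicate(otherObj, preserve_id);
}

bool DynamicGroup::isCompileTime() const { return true; }

/*
 * Populate the group: walk the whole object tree and add a reference
 * to every object accepted by isMemberOfGroup(). The parameters are
 * part of the MultiAddress interface and unused here. References are
 * only added, never cleared, so calling this twice on the same object
 * duplicates the members - presumably callers work on a fresh copy
 * per compile; confirm.
 */
void DynamicGroup::loadFromSource(bool ipv6, FWOptions *options, bool test_mode) throw (FWException)
{
    (void) ipv6; (void) options; (void) test_mode; /* Unused */

    FWObjectDatabase *root = getRoot();
    FWObject::tree_iterator tree_iter;
    for (tree_iter = root->tree_begin(); tree_iter != root->tree_end(); ++tree_iter)
    {
        FWObject *elem = (*tree_iter);
        if (elem == root) continue;
        if (!isMemberOfGroup(elem)) continue;
        addRef(elem);
    }
}

/* True when obj has no library or lives in the deleted-objects library (DELETED_OBJECTS_ID). */
static bool isInDeletedObjs(FWObject *obj)
{
    FWObject *lib = obj->getLibrary();
    return lib == 0 || lib->getId() == FWObjectDatabase::DELETED_OBJECTS_ID;
}

/*
 * Membership test. Candidates are ObjectGroup or Address objects that
 * are not this group, not rule elements, not deleted and - for groups
 * - more than three levels below the root. A candidate is a member if
 * any filter matches its type name and keywords.
 */
bool DynamicGroup::isMemberOfGroup(FWObject *obj)
{
    if (obj == this) return false;

    if (ObjectGroup::cast(obj) == 0 && Address::cast(obj) == 0) return false;
    if (RuleElement::cast(obj) != 0) return false;
    if (isInDeletedObjs(obj)) return false;

    /* There's no way to figure out what are the "standard" object
       groups (like "address tables") from within the fwbuilder
       library, so we rely on counting how deep we are in the tree
       instead. */
    if (ObjectGroup::cast(obj) != 0 && obj->getDistanceFromRoot() <= 3) return false;

    const set<string> &keywords = obj->getKeywords();
    list<string>::const_iterator iter;
    for (iter = m_filter.begin(); iter != m_filter.end(); ++iter)
    {
        string type, keyword;
        /* a malformed filter (no separator) can never match */
        if (!splitFilter(*iter, type, keyword)) continue;
        if ((type == TYPE_ANY || obj->getTypeName() == type) &&
            (keyword == KEYWORD_ANY || keywords.count(keyword) > 0))
        {
            return true;
        }
    }

    return false;
}
fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/DynamicGroup.h000066400000000000000000000047301303637203600243050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Theron Tock This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 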
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __DynamicGroup_h__ #define __DynamicGroup_h__ #include "fwbuilder/MultiAddress.h" namespace libfwbuilder { /* Group whose members are computed at compile time (loadFromSource) by matching object type and keyword against a list of filters, instead of being listed explicitly. */ class DynamicGroup : public MultiAddress { std::list m_filter; /* each entry is one criterion encoded as "type,keyword" */ public: DynamicGroup(); virtual ~DynamicGroup(); DECLARE_FWOBJECT_SUBTYPE(DynamicGroup); DECLARE_DISPATCH_METHODS(DynamicGroup); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); /* Each list entry is one criterion encoded as "type,keyword" (see splitFilter/makeFilter) */ const std::list &getFilter() { return m_filter; } void setFilter(const std::list &filter) { m_filter = filter; } static bool splitFilter(const std::string &str, std::string &type, std::string &keyword); /* false when str has no ',' */ static bool makeFilter(std::string &filter, const std::string &type, const std::string &keyword); /* false when type is TYPE_NONE or keyword is KEYWORD_NONE */ virtual bool cmp(const FWObject *obj, bool recursive=false) throw (FWException); virtual FWObject& shallowDuplicate(const FWObject *other, bool preserve_id) throw (FWException); virtual bool isCompileTime() const; virtual void loadFromSource(bool ipv6, FWOptions *options, bool test_mode=false) throw (FWException); /* * verify whether given object type is appropriate as a child */ virtual bool validateChild(FWObject *o); bool isMemberOfGroup(FWObject *obj); static const char *TYPE_NONE; /* "none": criterion selects nothing */ static const char *TYPE_ANY; /* "any": matches every type */ static const char *KEYWORD_NONE; /* ",": criterion selects nothing */ static const char *KEYWORD_ANY; /* "": matches every keyword */ }; } #endif /* __DynamicGroup_h__ */ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWException.cpp000066400000000000000000000023021303637203600244250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWException.h" using namespace std; using namespace libfwbuilder; /* The reason text is stored as given; it is not sanitised or truncated, so callers that log it should treat it as untrusted data when it embeds input (e.g. an unresolvable DNS name). */ FWException::FWException(const string &r) { reason = r; } const string &FWException::toString() const { return reason; } /* Mutable key/value context attached to the exception; FWObject::fromXML uses it to record "failed_element" while rethrowing. */ map& FWException::getProperties() { return properties; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWException.h000066400000000000000000000032131303637203600240720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FW_EXCEPTION_HH_FLAG__ #define __FW_EXCEPTION_HH_FLAG__ #include #include namespace libfwbuilder { /** * Base class for all Exceptions used in FWBuilder project. * Note that it does not derive from std::exception, so a * catch (std::exception&) handler will not catch it; catch * FWException (or by reference to it) explicitly. */ class FWException { private: protected: std::string reason; /* message returned by toString() */ std::map properties; /* free-form context, e.g. "failed_element" set by FWObject::fromXML */ public: /** * Creates exception with given reason */ FWException(const std::string &reason); virtual ~FWException() {}; /** * Returns textual representation of this exception */ virtual const std::string &toString() const; std::map& getProperties(); }; /* Subtype presumably thrown for operations a platform or object does not support; nothing in this file throws it. */ class FWNotSupportedException: public FWException { public: FWNotSupportedException(const std::string &reason):FWException(reason) {}; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWIntervalReference.cpp000066400000000000000000000031141303637203600260720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWIntervalReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; /* Reference to an Interval or IntervalGroup; persisted under the XML element name "IntervalRef". The two setPointer overloads only narrow the static type a caller may pass - no run-time type check is performed (see the TODOs below), so the referenced object's type is trusted. */ const char *FWIntervalReference::TYPENAME={"IntervalRef"}; //FWIntervalReference::FWIntervalReference(Interval *p):FWReference(p){} //FWIntervalReference::FWIntervalReference(IntervalGroup *p):FWReference(p){} FWIntervalReference::FWIntervalReference():FWReference(){} void FWIntervalReference::setPointer(Interval *p) { //TODO: add check if it is right type. FWReference::setPointer(p); } void FWIntervalReference::setPointer(IntervalGroup *p) { //TODO: add check if it is right type. FWReference::setPointer(p); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWIntervalReference.h000066400000000000000000000026041303637203600255420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWINTERVALREF_HH_FLAG__ #define __FWINTERVALREF_HH_FLAG__ #include "fwbuilder/FWReference.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" namespace libfwbuilder { /** * Reference to an Interval or IntervalGroup object (XML element * "IntervalRef"). The setPointer overloads restrict the static type * of the target; FWReference::setPointer does the actual work. */ class FWIntervalReference : public FWReference { public: DECLARE_FWOBJECT_SUBTYPE(FWIntervalReference); DECLARE_DISPATCH_METHODS(FWIntervalReference); FWIntervalReference(); void setPointer(Interval *o); void setPointer(IntervalGroup *o); }; } #endif // _FWOBJECT_HH fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWObject.cpp000066400000000000000000001174671303637203600237120ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Tools.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Host.h" #include "fwbuilder/Interface.h" #include #include // #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; const char *FWObject::TYPENAME={"UNDEF"}; string FWObject::NOT_FOUND=""; string FWObject::dataDir; //#define FWB_DEBUG //#define TI_DEBUG void FWObject::fromXML(xmlNodePtr root) throw(FWException) { assert(root!=NULL); const char *n; n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("name"))); if(n) { setName(n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("id"))); if(n) { setId(FWObjectDatabase::registerStringId(n)); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("comment"))); if(n) { setComment(XMLTools::unquote_linefeeds(n)); FREEXMLBUFF(n); } n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("keywords"))); if (n != 0) { keywords = stringToSet(n); dbroot->keywords.insert(keywords.begin(), keywords.end()); FREEXMLBUFF(n); } n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("subfolders"))); if (n != 0) { setStr("subfolders", n); FREEXMLBUFF(n); } n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("folder"))); if (n != 0) { setStr("folder", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("ro"))); if(n) { ro = (cxx_strcasecmp(n, "1")==0 || cxx_strcasecmp(n , "true")==0); FREEXMLBUFF(n); } // ref_counter = 0; FWObjectDatabase *dbr = getRoot(); for (xmlNodePtr cur=root->xmlChildrenNode; cur; cur=cur->next) { if (cur && 
!xmlIsBlankNode(cur)) { FWObject *o = dbr->createFromXML(cur); if (o!=NULL) { /* Add w/o validation. Trust XML to do that */ add(o, false); try { o->fromXML(cur); } catch(FWException &ex) { map &properties = ex.getProperties(); if (properties.find("failed_element")==properties.end()) properties["failed_element"]=o->getTypeName(); throw; } } } } setDirty(false); } xmlNodePtr FWObject::toXML(xmlNodePtr xml_parent_node) throw(FWException) { return toXML(xml_parent_node, true); } xmlNodePtr FWObject::toXML(xmlNodePtr parent, bool process_children) throw(FWException) { string s_id = FWObjectDatabase::getStringId(getId()); xmlNodePtr me = xmlNewChild( parent, NULL, xml_name.empty() ? STRTOXMLCAST(getTypeName()) : STRTOXMLCAST(xml_name), NULL); if (id!=-1) { xmlNewProp( me, TOXMLCAST("id"), STRTOXMLCAST(s_id)); } if (!keywords.empty()) { xmlNewProp(me, TOXMLCAST("keywords"), STRTOXMLCAST(setToString(keywords))); } for(map::const_iterator i=data.begin(); i!=data.end(); ++i) { const string &name = (*i).first; const string &value = (*i).second; if (name[0]=='.') continue; if (name == "folder" && value.empty()) continue; xmlNewProp(me, STRTOXMLCAST(name), STRTOXMLCAST(value)); } if (process_children) { for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); } return me; } FWObject::FWObject() { busy = false; ref_counter = 0; parent = NULL; dbroot = NULL; name = ""; comment = ""; id = -1; ro = false; // When object is created we assign it unique Id setId(FWObjectDatabase::generateUniqueId()); setDirty(false); storeCreationTime(); } FWObject::FWObject(bool new_id) { busy = false; ref_counter = 0; parent = NULL; dbroot = NULL; name = ""; comment = ""; id = -1; ro = false; // When object created we assign it unique Id if (new_id) setId(FWObjectDatabase::generateUniqueId()); setDirty(false); storeCreationTime(); } FWObject::FWObject(const FWObject &c) : list(c) { busy = false; *this = c; storeCreationTime(); } FWObject::~FWObject() { busy = true; // ignore read-only if 
(size() > 0) destroyChildren(); data.clear(); private_data.clear(); } void FWObject::init(FWObjectDatabase *root) { dbroot = (FWObjectDatabase*)root; } void FWObject::setPrivateData(const string &key, void *data) { private_data[key] = data; } void* FWObject::getPrivateData(const string &key) const { map::const_iterator it = private_data.find(key); if(it == private_data.end()) return NULL; else return it->second; } map &FWObject::getAllPrivateData() { return private_data; } void FWObject::updateNonStandardObjectReferences() { } FWObject* FWObject::getParent() const { return parent; } void FWObject::setParent(FWObject *p) { parent=p; } void FWObject::setXMLName(const string &n) { xml_name = n; } FWObject* FWObject::_find(const string& name) const { const_iterator i = std::find_if(begin(),end(), FWObjectNameEQPredicate(name)); return i==end()?NULL:(*i); } list FWObject::findIf(FWObjectFindPredicate *pred) { list res_list; list::iterator i1; for(i1=begin(); i1!=end(); ++i1) { if ((*pred)(*i1)) res_list.push_back(*i1); list res1 = (*i1)->findIf(pred); res_list.splice(res_list.begin(), res1); } return res_list; } FWObject* FWObject::findObjectByName(const string &type, const string &name) throw(FWException) { if (getTypeName()==type && getName()==name) return this; list::iterator j; for(j=begin(); j!=end(); ++j) { FWObject *o=*j; o=o->findObjectByName(type,name); if(o) return o; } return NULL; // not found } FWObject* FWObject::findObjectByAttribute(const std::string &attr, const std::string &val) throw(FWException) { if (getStr(attr)==val) return this; list::iterator j; for(j=begin(); j!=end(); ++j) { FWObject *o=*j; o=o->findObjectByAttribute(attr, val); if(o) return o; } return NULL; // not found } bool FWObject::cmp(const FWObject *obj, bool recursive) throw(FWException) { if (getTypeName() != obj->getTypeName() || name != obj->name || comment != obj->comment || ro != obj->ro) return false; if (data.size() != obj->data.size()) return false; for(map::const_iterator 
i=data.begin(); i!=data.end(); ++i) { const string &name = (*i).first; const string &value = (*i).second; // 10/21/2008 --vk map::const_iterator j=obj->data.find(name); if (j==obj->data.end()) return false; if (j->second!=value) return false; } if (keywords.empty() != obj->keywords.empty() || keywords != obj->keywords) return false; if (recursive) { if (size()!=obj->size()) return false; /* chidren are not necessarily in the same order in two groups */ std::set matched; FWObject::const_iterator i1=begin(); for ( ; i1!=end(); ++i1) { bool found_equal_child_object=false; FWObject::const_iterator j1=obj->begin(); for ( ; j1!=obj->end(); ++j1) { if ((*i1)->cmp(*j1, recursive)) { if (matched.find(*j1) == matched.end()) { matched.insert(*j1); found_equal_child_object = true; break; } // else object matches some other object } } if (!found_equal_child_object) return false; } } return true; } FWObject& FWObject::operator=(const FWObject &x) throw(FWException) { return duplicate(&x, false); } FWObject& FWObject::duplicate(const FWObject *x, bool preserve_id) throw(FWException) { checkReadOnly(); bool xro = x->ro; shallowDuplicate(x, preserve_id); if (xro) setReadOnly(false); destroyChildren(); // does it erase index entries? 
for(list::const_iterator m=x->begin(); m!=x->end(); ++m) { FWObject *o = *m; addCopyOf( o, preserve_id); } setDirty(true); if (xro) setReadOnly(true); return *this; } FWObject* FWObject::addCopyOf(const FWObject *x, bool preserve_id) throw(FWException) { if (x==NULL) return NULL; FWObject *o1; FWObjectDatabase *root = getRoot(); if (root==NULL) root = x->getRoot(); // do not prepopulte children for objects that do that automatically // in their constructor o1 = root->create(x->getTypeName(), -1); if(!o1) throw FWException(string("Error creating object with type: ")+ x->getTypeName()); // This adds with validation add(o1); o1->duplicate(x, preserve_id); return o1; } /* * copying an object does not copy its read-only status; thus we can * take read-only object and make a read-write copy of it to work * with. * * 07/06/2007 -- changed that. Now copy has the same value of "ro" * attribute. Clear it in the caller if neccessary. */ FWObject& FWObject::shallowDuplicate(const FWObject *x, bool preserve_id) throw(FWException) { checkReadOnly(); int old_id = getId(); id = x->id; name = x->name; comment = x->comment; ro = x->ro; data = x->data; private_data = x->private_data; keywords = x->keywords; set::const_iterator iter; for (iter = keywords.begin(); iter != keywords.end(); ++iter) { dbroot->keywords.insert(*iter); } setReadOnly(false); if (!preserve_id) { // ref_counter = 0 ; xml_name = x->xml_name; } else { // some objects do not have ID per DTD (e.g. Src, Dst, etc.) 
// Those will return -1 from getId() if (id > -1) setId(old_id); } if (dbroot==NULL) setRoot(x->getRoot()); if (dbroot!=NULL) dbroot->addToIndex(this); setReadOnly(x->ro); setDirty(true); return *this; } class InheritsFWOptions: public std::unary_function { public: InheritsFWOptions() {} bool operator()(const FWObject *o) const { return FWOptions::constcast(o)!=NULL; } }; FWObject& FWObject::duplicateForUndo(const FWObject *obj) throw(FWException) { setRO(false); InheritsFWOptions pred; FWObject::const_iterator mine_opts_iter = std::find_if(begin(), end(), pred); FWObject::const_iterator their_opts_iter = std::find_if(obj->begin(), obj->end(), pred); if (their_opts_iter != obj->end()) { if (mine_opts_iter != end()) (*mine_opts_iter)->duplicate(*their_opts_iter); else addCopyOf(*their_opts_iter); } shallowDuplicate(obj); return *this; } const string &FWObject::getName() const { return name; } void FWObject::setName(const string &n) { if (name != n) { name = n; setDirty(true); } } const string& FWObject::getLibraryName() const { return getLibrary()->getName(); } FWObject* FWObject::getLibrary() const { const FWObject *p=this; while (p!=NULL && !Library::isA(p) ) p=p->getParent(); return (FWObject*)p; } FWObjectDatabase* FWObject::getRoot() const { return dbroot; } int FWObject::getDistanceFromRoot() const { int count = 0; for (FWObject *obj = getParent(); obj != 0; obj = obj->getParent()) { count++; } return count; } class pathAccumulator : public string { public: void operator()(const string &s) { append("/" + s); } }; string FWObject::getPath(bool relative, bool detailed) const { list res; const FWObject *p = this; if (p == NULL) res.push_front("(0x0)"); while (p!=NULL) { if (relative && Library::isA(p)) break; ostringstream s; s << p->getName(); if (detailed) { s << "(" << p << ")"; } res.push_front(s.str()); p = p->getParent(); } string path = std::for_each(res.begin(), res.end(), pathAccumulator()); if (relative && path[0] == '/') path.erase(0, 1); return path; 
} const string& FWObject::getComment() const { return comment; } void FWObject::setComment(const string &c) { if (comment != c) { comment = c; setDirty(true); } } int FWObject::getId() const { return id; } /* * need to update index because ID of the object changes */ void FWObject::setId(int c) { if (id != c) { id = c; setDirty(true); if (dbroot!=NULL) dbroot->addToIndex(this); } } bool FWObject::exists(const string &name) const { return data.count(name)!=0; } const string &FWObject::getStr(const string &name) const { map::const_iterator i=data.find(name); if (i==data.end()) return NOT_FOUND; else return (*i).second; } void FWObject::remStr(const string &name) { checkReadOnly(); map::iterator m=data.find(name); if(m != data.end()) { data.erase(m); setDirty(true); } } void FWObject::setStr(const string &name, const string &val) { if (name[0]!='.' && name != "folder") checkReadOnly(); string old_val = data[name]; if (old_val != val) { data[name] = val; // attribute with name that starts with "." is considered "hidden" // or "internal". Such attribute is not saved to the data file and // should not trigger "dirty" flag. 
if (name[0]!='.') setDirty(true); } } int FWObject::getInt(const string &name) const { string val = getStr(name); size_t n = val.find_first_of(" \n\r\t"); while (n != string::npos) { val = val.erase(n, 1); n = val.find_first_of(" \n\r\t"); } if (val != "") return( atol(val.c_str()) ); else return(-1); } void FWObject::setInt(const string &name, int val) { ostringstream str; str << val; setStr(name, str.str()); } bool FWObject::getBool(const string &name) const { // 10/21/2008 --vk string val = getStr(name); size_t n = val.find_first_of(" \n\r\t"); while (n != string::npos) { val = val.erase(n, 1); n = val.find_first_of(" \n\r\t"); } return (val=="1" || cxx_strcasecmp(val.c_str() , "true")==0); } void FWObject::setBool(const string &name, bool val) { setStr(name, (val)?"True":"False"); //if (name[0]!='.') setDirty(true); } void FWObject::setBool(const string &name, const string &val) { if(!name.empty()) setBool(name, (val=="1" || cxx_strcasecmp(val.c_str(),"true")==0)); } void FWObject::Show() { setBool("read",true); } void FWObject::Hide() { setBool("read",false); } void FWObject::dump(bool recursive,bool brief,int offset) const { dump(cerr,recursive,brief,offset); } void FWObject::dump(std::ostream &f,bool recursive,bool brief,int offset) const { FWObject *o; string n; if (brief) { f << string(offset,' '); f << " Obj=" << this; f << " ID=" << getId() << " (" << FWObjectDatabase::getStringId(getId()) << ")"; f << " Name=" << getName(); f << " Type=" << getTypeName(); if (this!=getRoot()) f << " Library=" << getLibrary(); f << " Root=" << getRoot(); f << " ref_counter=" << ref_counter; f << endl; if (recursive) { list::const_iterator m; for (m=begin(); m!=end(); ++m) { if ( (o=(*m))!=NULL) o->dump(f,recursive,brief,offset+2); } } } else { f << string(offset,' ') << string(16,'-') << endl; f << string(offset,' ') << "Obj: " << this << endl; f << string(offset,' ') << "ID: " << getId() << " (" << FWObjectDatabase::getStringId(getId()) << ")" << endl; f << 
string(offset,' ') << "Name: " << getName() << endl; f << string(offset,' ') << "Ref.ctr:" << ref_counter << endl; f << string(offset,' ') << "Type: " << getTypeName() << endl; f << string(offset,' ') << "Library:" << getLibrary() << endl; // f << string(offset,' ') << "Path: " << getPath() << endl; n=(getParent()!=NULL)?getParent()->getName():""; f << string(offset,' ') << "Parent: " << getParent() << " name=" << n << endl; f << string(offset,' ') << "Root: " << getRoot() << endl; map::const_iterator d; for (d=data.begin(); d!=data.end(); ++d) { f << string(offset,' '); f << (*d).first << ": " << (*d).second << endl; } if (recursive) { list::const_iterator m; for (m=begin(); m!=end(); ++m) { if ( (o=(*m))!=NULL) o->dump(f,recursive,brief,offset+2); } } } } void FWObject::_adopt(FWObject *obj) { obj->ref(); obj->setParent(this); /* * normally we always create objects using FWObjectDatabase::create * which sets dbroot in the object. However, if an object is created * just with 'new ...' and then added to the database using * FWObject::add, it doesn't have correct pointer to the database * root. We can easily repair this by setting dbroot here. Even if * this operation is redundant, its cost is very low and it adds * robustness. 
* */ obj->setRoot(getRoot()); } void FWObject::addAt(int where_id, FWObject *obj) { FWObject *p = getRoot()->findInIndex( where_id ); assert (p!=NULL); p->add(obj); } void FWObject::add(FWObject *obj, bool validate) { checkReadOnly(); FWObject *old_parent = obj->getParent(); if (old_parent != NULL) { cerr << "WARNING: object " << obj << " " << "(name: " << obj->getName() << " type: " << obj->getTypeName() << ") " << "that is a child of " << old_parent << " " << "(name: " << old_parent->getName() << " type: " << old_parent->getTypeName() << ") " << "is being added to the new parent " << this << " " << "(name: " << getName() << " type: " << getTypeName() << ") " << endl; assert(old_parent == NULL); } // do not allow to add the same object twice if (old_parent == this) { cerr << "WARNING: object " << obj << " " << "(name: " << obj->getName() << " type: " << obj->getTypeName() << ") " << "that is a child of " << old_parent << " " << "(name: " << old_parent->getName() << " type: " << old_parent->getTypeName() << ") " << "is being added to the same parent again" << endl; assert(old_parent != this); } if (!validate || validateChild(obj)) { push_back(obj); _adopt(obj); setDirty(true); } } void FWObject::reparent(FWObject *obj, bool validate) { FWObject *old_parent = obj->getParent(); if (old_parent != NULL && old_parent != this) { old_parent->remove(obj, false); add(obj, validate); obj->fixTree(); } } FWReference* FWObject::createRef() { // FWObjectReference *ref=new FWObjectReference(); FWObjectReference *ref = getRoot()->createFWObjectReference(); ref->setPointer(this); return ref; } void FWObject::addRef(FWObject *obj) { checkReadOnly(); if (validateChild(obj)) { FWReference *oref = obj->createRef(); obj->ref(); push_back(oref); _adopt(oref); setDirty(true); // see comment in FWObject::_adopt obj->setRoot(getRoot()); } } void FWObject::insert_before(FWObject *o1, FWObject *obj) { checkReadOnly(); if (obj == NULL) return; if (o1 == NULL) { insert(begin(), obj); 
_adopt(obj); setDirty(true); return; } list::iterator m = find(begin(), end(), o1); if (m != end()) { insert(m, obj); _adopt(obj); setDirty(true); } } void FWObject::insert_after(FWObject *o1, FWObject *obj) { checkReadOnly(); if (obj == NULL) return; list::iterator m = find(begin(), end(), o1); if (m != end()) { insert(++m, obj); _adopt(obj); setDirty(true); } } void FWObject::swapObjects(FWObject *o1, FWObject *o2) { checkReadOnly(); for(list::iterator m=begin(); m!=end(); ++m) { if(*m==o1) { *m=o2; } else if(*m==o2) { *m=o1; } } setDirty(true); } void FWObject::remove(FWObject *obj, bool delete_if_last) { FWObject::iterator fi=std::find(begin(), end(), obj); if (fi!=end()) { checkReadOnly(); erase(fi); setDirty(true); obj->unref(); if (delete_if_last && obj->ref_counter <= 0) { FWObjectDatabase *db = getRoot(); if (db) db->removeFromIndex(obj->getId()); delete obj; } obj->parent = NULL; } } void FWObject::_removeAll(FWObject *rm) { for (FWObject::iterator i=begin(); i!=end(); i++) (*i)->_removeAll(rm); remove(rm,false); } void FWObject::removeAllInstances(FWObject *rm) { checkReadOnly(); removeAllReferences(rm); _removeAll(rm); } void FWObject::removeRef(FWObject *obj) { if (!obj) return; int obj_id = obj->getId(); for(list::iterator m=begin(); m!=end(); ++m) { FWObject *o = *m; FWReference *oref = FWReference::cast(o); if (oref && oref->getPointerId()==obj_id) { // do not delete object even if this reference was the last one (?) 
obj->unref(); FWObject::remove(o, false); // do not remove delete o; return; } } } bool FWObject::hasRef(FWObject *obj) { int obj_id = obj->getId(); for(list::iterator m=begin(); m!=end(); ++m) { FWObject *o = *m; FWReference *oref = FWReference::cast(o); if (oref && oref->getPointerId()==obj_id) return true; } return false; } void FWObject::_removeAllRef(FWObject *rm) { // Do not delete references to the same object from its children // such as references to the firewall or cluster in its own rules if (this == rm || this->isChildOf(rm)) return; for (FWObject::iterator i=begin(); i!=end(); i++) (*i)->_removeAllRef(rm); removeRef(rm); } void FWObject::removeAllReferences(FWObject *rm) { _removeAllRef(rm); } void FWObject::findAllReferences(const FWObject *obj, std::set &res) { int obj_id = obj->getId(); for(list::iterator m=begin(); m!=end(); ++m) { FWObject *o=*m; FWReference *oref = FWReference::cast(o); if(oref) { if(oref->getPointerId()==obj_id) res.insert(oref); } else { o->findAllReferences(obj, res); } } } set FWObject::findAllReferences(const FWObject *obj) { set res; findAllReferences(obj, res); return res; } bool FWObject::validateChild(FWObject*) { return true; } /* * this method deletes all children recursively regardless of their * usage counter. We call this method form destructor. 
*/ void FWObject::destroyChildren() { #ifdef DEBUG_DESTROY_CHILDREN cerr << "destroyChildren() " << this << " name=" << name << " type=" << getTypeName() << " parent=" << getParent() << " path=" << getPath() << endl; #endif FWObjectDatabase *dbr = getRoot(); while (size() > 0) { FWObject *o = front(); #ifdef DEBUG_DESTROY_CHILDREN cerr << " " << this << " size=" << size() << " o=" << o << " o->size=" << o->size() << endl; #endif if (o) { if (o->size()) o->destroyChildren(); if (dbr && !dbr->busy) dbr->removeFromIndex( o->getId() ); #ifdef DEBUG_DESTROY_CHILDREN cerr << " " << this << " delete " << o << " " << o->name << " " << o->getTypeName() << endl; #endif delete o; } pop_front(); } //clear(); } void FWObject::sortChildrenByName(bool follow_references) { if (!follow_references) sort(FWObjectNameCmpPredicate()); } /* * Walks the tree, looking for objects that are referenced by two parents */ bool FWObject::verifyTree() { bool res = false; for(list::iterator m=begin(); m!=end(); ++m) { FWObject *o = *m; FWObject *o_parent = o->getParent(); if (o_parent != this) { if (o_parent != NULL) { cerr << "WARNING: Object " << o << " (name: '" << o->getName() << "' type: " << o->getTypeName() << ")" << " has two parents in the tree:" << endl; cerr << " " << o_parent->getPath(false, true) << endl; cerr << " " << getPath(false, true) << endl; bool o_parent_real = false; for (FWObject::iterator k=o_parent->begin(); k!=o_parent->end(); ++k) { FWObject *o1 = *k; if (o1 == o) { o_parent_real = true; break; } } if ( ! 
o_parent_real) { cerr << "WARNING: Parent " << o_parent_real << " does not have child " << o << endl; } } else { cerr << "WARNING: Object " << o << " (name: '" << o->getName() << "' type: " << o->getTypeName() << ")" << " was not correctly added to its parent " << "(getParent()==NULL):" << endl; cerr << " " << getPath(false, true) << endl; } o->dump(true, false); // recursive, not brief res = true; } res |= o->verifyTree(); } return res; } void FWObject::fixTree() { getRoot()->addToIndex(this); for(list::iterator m=begin(); m!=end(); ++m) { FWObject *o = *m; if (o->getRoot() != getRoot()) o->setRoot(getRoot()); if (o->getParent() != this) o->setParent(this); getRoot()->addToIndex(o); o->fixTree(); } } /* * even if I run this method with flag recursive=true, it does not * guarantee that there will be no objects lost in the memory. If * some children of this are referenced from somewhere else, they * won't be deleted because their reference counter is >1. This is * bad because it leads to a situation when object is not a part of * the tree anymore, but reference to it does exist. * * If this method is called with recursive=false, then it deletes * only immediate children of this, leaving their children hanging in * the memory. TODO: research whether we ever need to call it with * recursive=false * * In other words, this method leaves tree in inconsistent state. At * this time I am just using it carefully, only when I copy objects * between main tree and scratch pad, and when I create copies of * objects. In both cases children of this will be immediately * restored after call to clearChildren. 
* * 05/08/02 vk */ void FWObject::clearChildren(bool recursive) { #ifdef FWB_DEBUG cerr << "FWObject::clearChildren" << endl; #endif FWObjectDatabase *dbr = getRoot(); checkReadOnly(); int referenced_children = 0; int total_children = 0; for(list::iterator m=begin(); m!=end(); ++m) { FWObject *o = *m; total_children++; if (recursive) o->clearChildren(recursive); o->unref(); if(o->ref_counter==0) { if (dbr) dbr->removeFromIndex( o->getId() ); delete o; } else referenced_children++; } clear(); setDirty(true); #ifdef FWB_DEBUG cerr << "Deleted " << total_children - referenced_children << " child objects; still referenced " << referenced_children << " child objects" << endl; #endif } int FWObject::getChildrenCount() const { return(size()); } /* * returns true if this is either direct child of obj, or a child * of one of its children and so on. */ bool FWObject::isChildOf(FWObject *obj) { if (this==obj) return false; #ifdef FWB_DEBUG cerr << "FWObject::isChildOf" << endl; cerr << "this: " << endl; dump(true,true); cerr << endl; cerr << "obj: " << endl; obj->dump(true,true); cerr << endl; #endif FWObject *p=this; while (p!=NULL && p!=obj) p=p->getParent(); return (p==obj); } bool FWObject::hasChild(FWObject *obj) { int o_id = obj->getId(); for (list::iterator it=begin(); it!=end(); ++it) { if ((*it)->getId() == o_id) return true; } return false; } FWObject* FWObject::getById (int id, bool recursive) { if(id==getId()) return this; list::iterator j; for(j=begin(); j!=end(); ++j) { FWObject *o=*j; int oid = o->getId(); if(id==oid) return o; if(recursive && (o=o->getById(id, true))!=NULL ) return o; } return NULL; // not found } FWObject* FWObject::getFirstByType(const string &type_name) const { const_iterator i=find_if(begin(),end(), FWObjectTypeNameEQPredicate(type_name)); return i==end()?NULL:(*i); } list FWObject::getByType(const string &type_name) const { list res; for(const_iterator i=begin(); i!=end(); ++i) { i=find_if( i, end(), 
FWObjectTypeNameEQPredicate(type_name)); if (i==end()) break; res.push_back(*i); } return res; } list FWObject::getByTypeDeep(const string &type_name) const { list res = getByType(type_name); // direct children for (const_iterator i=begin(); i!=end(); ++i) { list c_res = (*i)->getByTypeDeep(type_name); res.insert(res.end(), c_res.begin(), c_res.end()); } return res; } FWObjectTypedChildIterator FWObject::findByType(const std::string &type_name) const { return FWObjectTypedChildIterator(this, type_name); } /** * this method should change 'dirty' flag in the root, i.e. in * FWObjectDatabase object */ void FWObject::setDirty(bool f) { FWObjectDatabase *dbr = getRoot(); if (dbr==NULL) return; if (dbr==this) dirty = f; else dbr->dirty = f; } bool FWObject::isDirty() { FWObjectDatabase *dbr = getRoot(); if (dbr==NULL) return false; return (dbr->dirty); } /* * can't use normal method setBool because it checks for read-only * flag */ void FWObject::setReadOnly(bool f) { ro = f; FWObjectDatabase *dbr = getRoot(); if (dbr) { bool ri = dbr->busy; dbr->busy = true; setDirty(true); dbr->busy = ri; } } /* * scan the tree up from 'this' to the root and see if any object * along the way is marked as read-only. If such object exists, it * makes the whole subtree under it read-only which blocks all * changes. * * If root of the tree has flag 'busy' set to true, we do not check * for read-only. This is used to initialize the tree. */ bool FWObject::isReadOnly() { FWObjectDatabase *dbr = getRoot(); if (dbr==NULL || dbr->busy) return false; FWObject *p=this; while (p) { if (p->ro) return true; p = p->getParent(); } return false; } void FWObject::checkReadOnly() throw(FWException) { if (isReadOnly() && ! 
getRoot()->getIgnoreReadOnlyFlag()) throw FWException(string("Attempt to modify read-only object ")+getName()); } FWObjectTypedChildIterator::FWObjectTypedChildIterator() : type_name(), real_iterator() { } FWObjectTypedChildIterator::FWObjectTypedChildIterator( const FWObjectTypedChildIterator &o) : type_name(o.type_name), real_iterator(o.real_iterator), _begin(o._begin), _end(o._end) { } FWObjectTypedChildIterator::FWObjectTypedChildIterator( const FWObject *o, const std::string &_type_name) { init(o, _type_name); } void FWObjectTypedChildIterator::init( const FWObject *o, const std::string &_type_name) { type_name = _type_name ; _end = o->end() ; // position to first element real_iterator = o->begin() ; while(real_iterator!=_end && (*real_iterator)->getTypeName()!=type_name) real_iterator++; _begin = real_iterator; } bool FWObjectTypedChildIterator::operator==( const FWObject::const_iterator& __x) const { return real_iterator == __x; } bool FWObjectTypedChildIterator::operator!=( const FWObject::const_iterator& __x) const { return real_iterator != __x; } FWObject *FWObjectTypedChildIterator::operator*() const { return *real_iterator; } FWObjectTypedChildIterator& FWObjectTypedChildIterator::operator++() { if(real_iterator==_end) return *this; do { real_iterator++; } while(real_iterator!=_end && (*real_iterator)->getTypeName()!=type_name); return *this; } /* * if iterator points to the first element in the list, then operator--() * should move it and make it point to end() */ FWObjectTypedChildIterator& FWObjectTypedChildIterator::operator--() { if(real_iterator==_end) return *this; do { real_iterator--; } while(real_iterator!=_end && (*real_iterator)->getTypeName()!=type_name); return *this; } /* this is a postfix operator */ FWObject::tree_iterator FWObject::tree_iterator::operator++(int ) { FWObject::tree_iterator __tmp = *this; ++*this; return __tmp; } //#define TI_DEBUG 1 /* this is a prefix operator */ FWObject::tree_iterator& 
FWObject::tree_iterator::operator++() { if (node == (FWObject*)(-1)) return *this; #ifdef TI_DEBUG cerr << endl; cerr << "ENTRY node=" << node << "(" << node->getTypeName() << " " << node->getName() << ")" << endl; node->dump(false, false); #endif if (node->size()!=0) { node = node->front(); #ifdef TI_DEBUG cerr << "#2 node=" << node << "(" << node->getTypeName() << " " << node->getName() << ")" << endl; #endif return *this; } FWObject *p = node; while (node->getParent()!=NULL) { p = node->getParent(); #ifdef TI_DEBUG cerr << " p=" << p << "(" << p->getTypeName() << " " << p->getName() << ")" << endl; #endif for (FWObject::iterator i=p->begin(); i!=p->end(); ++i) { #ifdef TI_DEBUG cerr << " child=" << (*i) << "(" << (*i)->getTypeName() << " " << (*i)->getName() << ")" << endl; #endif if ( node == (*i) ) { ++i; if (i==p->end()) { #ifdef TI_DEBUG cerr << " end of list" << endl; #endif node = p; break; } node = *i; #ifdef TI_DEBUG cerr << "#3 node=" << node << "(" << node->getTypeName() << " " << node->getName() << ")" << endl; #endif return *this; } } } node=(FWObject*)(-1); #ifdef TI_DEBUG cerr << "#4 END" << endl; #endif return *this; } bool FWObject::tree_iterator::operator==(const FWObject::tree_iterator& i) const { return (node==i.node); } bool FWObject::tree_iterator::operator!=(const FWObject::tree_iterator& i) const { return (node!=i.node); } FWObject::tree_iterator FWObject::tree_begin() { return FWObject::tree_iterator(this); } FWObject::tree_iterator FWObject::tree_end() { return FWObject::tree_iterator( (FWObject*)(-1) ); } /* * find all references to object with id "old_id" in objects in rs * (recursively) and replace them with references to object with id * "new_id" Use this to find all references to old firewall with * references to the new one when copying policy of the old one into * the new one. 
*/ int FWObject::replaceRef(int old_id, int new_id) { int ref_replacement_counter = 0; replaceReferenceInternal(old_id, new_id, ref_replacement_counter); return ref_replacement_counter; } void FWObject::replaceReferenceInternal(int old_id, int new_id, int &counter) { if (old_id == new_id) return; FWReference *ref = FWReference::cast(this); if (ref==NULL) { for (FWObject::iterator j1=begin(); j1!=end(); ++j1) (*j1)->replaceReferenceInternal(old_id, new_id, counter); } else { if (ref->getPointerId()==old_id) { ref->setPointerId(new_id); counter++; } } } void FWObject::findDependencies(list &deps) { int loop_id = time(NULL); _findDependencies_internal(this, deps, loop_id); } void FWObject::_findDependencies_internal(FWObject *obj, list &deps, int anti_loop_id) { if (obj==NULL) return; if (FWOptions::cast(obj)) return; if (FWReference::cast(obj)!=NULL) { _findDependencies_internal(FWReference::cast(obj)->getPointer(), deps, anti_loop_id); } else { if (obj->getInt(".anti_loop")==anti_loop_id) return; obj->setInt(".anti_loop", anti_loop_id); if (!RuleElement::cast(obj) && !Rule::cast(obj) && !RuleSet::cast(obj)) deps.push_back(obj); if (Group::cast(obj) || RuleSet::cast(obj) || Host::cast(obj)) { for (FWObject::iterator j1=obj->begin(); j1!=obj->end(); ++j1) { FWObject *o = *j1; _findDependencies_internal(o, deps, anti_loop_id); } } } } bool FWObject::isPrimaryObject() const { return false; } const set &FWObject::getAllKeywords() { return dbroot->keywords; } void FWObject::addKeyword(const string &keyword) { keywords.insert(keyword); dbroot->keywords.insert(keyword); } void FWObject::removeKeyword(const string &keyword) { keywords.erase(keyword); } void FWObject::clearKeywords() { keywords.clear(); } FWObjectNameCmpPredicate::FWObjectNameCmpPredicate(bool follow_refs) { follow_references = follow_refs; } bool FWObjectNameCmpPredicate::operator()(FWObject *a, FWObject *b) { FWObject *o1 = (follow_references) ? 
FWReference::getObject(a) : a; FWObject *o2 = (follow_references) ? FWReference::getObject(b) : b; return o1->getName() < o2->getName(); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWObject.h000066400000000000000000000532721303637203600233540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWOBJECT_HH_FLAG__ #define __FWOBJECT_HH_FLAG__ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include #include #include #include #include #include #include #include #include #include #include "fwbuilder/FWException.h" #include "fwbuilder/ObjectMatcher.h" #include "fwbuilder/Dispatch.h" namespace libfwbuilder { class FWObject; class FWObjectDatabase; class FWReference; class FWObjectTypedChildIterator; class FWObjectFindPredicate; #define DECLARE_FWOBJECT_SUBTYPE(name) \ static const char *TYPENAME; \ virtual std::string getTypeName() const { return TYPENAME; } \ static bool isA(const FWObject *o) { return o && o->getTypeName()==TYPENAME; } \ static name* cast(FWObject *o) { return dynamic_cast(o); } \ static const name* constcast(const FWObject *o) { return dynamic_cast(o); } #define DECLARE_DISPATCH_METHODS(classname) \ virtual void* dispatch(Dispatch* _d, void* _a1) \ {return _d->dispatch(this, _a1); } \ 
virtual void* dispatch(Dispatch* _d, const void* _a1) \ {return _d->dispatch(this, _a1); } \ virtual void* dispatch(Dispatch* _d, void* _a1) const \ {return _d->dispatch(this, _a1); } \ virtual void* dispatch(Dispatch* _d, const void* _a1) const \ {return _d->dispatch(this, _a1); } \ virtual const void* const_dispatch(Dispatch* _d, void* _a1) const \ {return _d->const_dispatch(this, _a1); } \ virtual const void* const_dispatch(Dispatch* _d, const void* _a1) const \ {return _d->const_dispatch(this, _a1); } /** * This class represents base class for all * objects we are dealing with. * * FWObject can have children, that is other objects of the same class * or derived classes which are included in this one */ class FWObject : public std::list { friend class libfwbuilder::FWObjectDatabase; private: int ref_counter; FWObject *parent; /** * dbroot is a pointer to the database root. Method getRoot * returns this. We need this pointer because most of the time we * create an object first, make some manipulations with it (such * as create its children and/or add copies of children objects) * and only then put it in its place in the tree. This means the * object does not have valid parent pointer for a while, yet we * must be able to work with it. Many methods rely on being able * to reach the root of the tree (FWObjectDatabase object) for * things like setting 'dirty' flag etc. Therefore we need to * store the pointer to the root as soon as possible after we * create the object. The 'parent' pointer, on the other hand, is * stored once the object is added to the tree. 
* * dbroot is assigned by method FWObjectDatabase::create */ FWObjectDatabase *dbroot; int id; bool ro; std::string name; std::string comment; static std::string NOT_FOUND; time_t creation_time; std::set keywords; static std::string dataDir; protected: std::string xml_name; bool busy; bool dirty; std::map data; std::map private_data; void clearRefCounter() { ref_counter=0; } void _removeAll(FWObject *rm); void _removeAllRef(FWObject *rm); void _adopt(FWObject *obj); // increments reference void _findDependencies_internal(FWObject *obj, std::list &deps, int anti_loop_id); void setRO(bool f) { ro = f; } virtual void replaceReferenceInternal(int oldfw_id, int newfw_id, int &counter); /** * Finds direct child of this object with given name. */ FWObject* _find(const std::string& name) const; /** * Finds all references to the object 'obj' in object * tree starting from 'this' and address them to resulting * set. */ virtual void findAllReferences(const FWObject *obj, std::set &res); /** * internal method: update references to other objects this object * might keep in attributes. Example of this is reference to * branch rule set that is stored as its string ID in RuleOptions * object. Eventually we must fix these and make these references * either use FWReference child object or be normal C++ * pointers. Meanwhile, this virtual method is called from * FWObjectDatabase::_set_predictable_str_ids_recursively() when string * ids are replaced (and possibly from other places for similar reasons). 
*/ virtual void updateNonStandardObjectReferences(); FWObject(); // special constructor used to create FWObjectDatabase objects FWObject(bool new_id); public: DECLARE_FWOBJECT_SUBTYPE(FWObject); DECLARE_DISPATCH_METHODS(FWObject); class tree_iterator { friend class libfwbuilder::FWObject; FWObject *node; public: tree_iterator() { node=NULL; } tree_iterator(FWObject *_n) { node=_n; } tree_iterator(const tree_iterator &ti) { node=ti.node; } FWObject* operator*() { return node; } tree_iterator& operator++(); tree_iterator operator++(int); tree_iterator& operator=(const tree_iterator &ti) { node=ti.node; return *this; } bool operator==(const tree_iterator& i) const; bool operator!=(const tree_iterator& i) const; }; tree_iterator tree_begin(); tree_iterator tree_end(); FWObject(const FWObject ©); /** * This method should create any standard mandatory child objects * the object might need. The function should not require that the * object be already added to the object tree but can use provided * pointer to FWObjectDatabase to create other objects it might * need to add as children. */ virtual void init(FWObjectDatabase *root); int getId() const; void setId(int i); bool haveId() { return (id != -1); } /** * getRO() simply returns value of private member ro. Note the * difference between _getRO and isReadOnly() - the latter checks * if any parent of this object is read-only in addition to * checking if this object is read-only itself. */ bool getRO() const { return ro; } virtual void fromXML(xmlNodePtr xml_parent_node) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); xmlNodePtr toXML(xmlNodePtr xml_parent_node, bool process_children) throw(FWException); /** * Rarely used feature: we can change the name of XML element * represented by the class derived from FWObject if we want to. 
For * example, used in all "Any" objects so we did not have to create extra * classes * */ void setXMLName (const std::string &); virtual ~FWObject(); int ref() { ++ref_counter; return(ref_counter); } int unref() { --ref_counter; return(ref_counter); } int getRefCounter() { return(ref_counter); } /** * It is same as calling duplicate(x, FALSE); */ virtual FWObject& operator=(const FWObject &) throw(FWException); /** * This method copies content of object 'x' in the object 'this'. * depending on 'preserve_id' flag, Id are either copied or new * ones are issued. All children of 'this' are destroyed and new ones * are created recursively as copies of corresponding children of obj. */ virtual FWObject& duplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); /** * This method works just like duplicate, except it does not destroy * or change children of 'this'. */ virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); /** * This method copies all attributes of obj into this, plus * FWOptions child object if it exists but no other * children. Combination of attributes of the object plus its * option child object describe all parameters of the object and * should be sufficient to properly roll back or redo any changes. * Changes done to its children should be undone or redone using * corresponding objects. */ virtual FWObject& duplicateForUndo(const FWObject *obj) throw(FWException); /** * This method creates a copy of object 'x' and adds it to 'this'. * Depending on 'preserve_id' flag, Id are either copied or new * ones are issued. */ virtual FWObject* addCopyOf(const FWObject *obj, bool preserve_id = true) throw(FWException); /** * compares objects. Ignores ID and always looks at * attributes. Returns true if objects are equal. 
*/ virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); void Show(); void Hide(); FWObject* getParent() const; void setParent(FWObject *p); bool exists(const std::string &name) const; void remStr(const std::string &name); const std::string &getStr(const std::string& name) const; void setStr(const std::string &name, const std::string &val); int getInt(const std::string &name) const; void setInt(const std::string &name, int val); bool getBool(const std::string &name) const; void setBool(const std::string &name, bool val); void setBool(const std::string &name, const std::string &val); const std::string &getName() const; void setName(const std::string& n); const std::string &getComment() const; void setComment(const std::string& c); void storeCreationTime() { creation_time = time(NULL); } time_t getCreationTime() { return creation_time; } void setPrivateData(const std::string &key, void *data); void* getPrivateData(const std::string &key) const; std::map &getAllPrivateData(); /** * convenience method: returns the name of the library this object belongs to. * In fwbuilder2 library is an element directly under FWObjectDatabase; all * other objects are children of a Library object */ const std::string &getLibraryName() const; /** * returns a pointer to the library object 'this' is a part of. */ FWObject* getLibrary() const; /** * Returns root of the objects tree this object is part of */ FWObjectDatabase* getRoot() const; int getDistanceFromRoot() const; /* How many parents does this have? */ /** * Sets pointer to the database root */ void setRoot(const FWObjectDatabase *_dbroot) { dbroot = (FWObjectDatabase*)_dbroot; } /** * Returns a string that represents a path to the object * 'this'. Path is built using names of objects above 'this', * all the way to the root of the tree. If parameter 'relative' * is true, the path is built relative to the library 'this' is * a part of (name of the library is not included). 
*/ std::string getPath(bool relative=false, bool detailed=false) const; void addAt(int where_id, FWObject *obj); virtual void add(FWObject *obj,bool validate=true); virtual void insert_before(FWObject *o1,FWObject *obj); virtual void insert_after(FWObject *o1,FWObject *obj); /** * call add(), but first remove() object from its old parent */ virtual void reparent(FWObject *obj,bool validate=true); /** * In direct children of 'this' swaps all references * to o1 with o2 and vice versa. */ virtual void swapObjects(FWObject *o1,FWObject *o2); /** * Finds first instance of 'obj' in children of this * object and removes if. If 'obj' reference counter * reaches 0 it is also deleted. */ virtual void remove(FWObject *obj, bool delete_if_last=true); /** * Finds and removes instances of 'obj' recursively in the * whole tree under this object */ virtual void removeAllInstances(FWObject *obj); /** * Adds reference object pointing to 'obj' as a child of 'this' */ virtual void addRef(FWObject *obj); /** * Removes reference to given object among * children of 'this'. */ virtual void removeRef(FWObject *obj); /** * check if 'this' already has reference to obj */ virtual bool hasRef(FWObject *obj); /** * Removes all references to 'obj' recursively in the whole tree * under 'this' */ virtual void removeAllReferences(FWObject *obj); /** * Finds all references to the object 'obj' in object * tree starting from 'this'. */ virtual std::set findAllReferences(const FWObject *obj); /* * Create appropriate reference object for itself. * Different object require different class of reference. e.g.: * for Host reference should be of class FWObjectReference * for Service reference should be of class FWServiceReference */ virtual FWReference* createRef(); /* * verify whether given object type is approppriate as a child */ virtual bool validateChild(FWObject *o); /** * forcefully destroys all objects in the subtree under this, * except this. 
This method ignores reference counters and simply * deletes everything. */ void destroyChildren(); void clearChildren(bool recursive=true); void sortChildrenByName(bool follow_references=false); /** * Walks the tree, looking for objects that are referenced by two parents * or those with this->parent == NULL. Prints report to stderr and * returns true if such objects have been found. */ bool verifyTree(); /** * sometimes we need to move object subtree from one object * database to another. For example, this can be a useful * mechanism to maintain persistent objects between compiler * passes. However when the object and its children are added to * the new tree, "parent" and "root" pointers in obejcts still * point to the old object tree and need to be fixed. */ void fixTree(); int getChildrenCount() const; virtual void dump(bool recursive,bool brief,int offset=0) const; virtual void dump(std::ostream &f,bool recursive,bool brief,int offset=0) const; /** * returns true if this is either direct child of obj, or a child * of one of its children and so on (this method works recursively). */ bool isChildOf(FWObject *obj); bool hasChild(FWObject *obj); /** * Returns object with given ID. If recursive is 'false' * search is restricted to direct children of given object * and itslef. If it is true, method proceeds to all chidren of all * objects starting from current one. */ virtual FWObject* getById(int id, bool recursive=false); /** * Returns list of direct children of current object whose * getTypeName() is equal type_name. If not found, empty list is * returned. */ virtual std::list getByType(const std::string &type_name) const; /** * Returns list of children of current object whose getTypeName() * is equal type_name. If not found, empty list is * returned. Search recursively including all direct children of this. 
*/ virtual std::list getByTypeDeep(const std::string &type_name) const; /** * Returns list of direct children of current object * whose getTypeName() same as given. * If not found, end() is returned. */ virtual FWObjectTypedChildIterator findByType( const std::string &type_name) const; /** * Returns first of direct children of current object * whose getTypeName() same as given or NULL if not found. */ virtual FWObject* getFirstByType(const std::string &type_name) const; /** * finds a child object of a given type with a given name */ FWObject* findObjectByName(const std::string &type, const std::string &name) throw(FWException); /** * finds a child object of a given type with an attribute attr */ FWObject* findObjectByAttribute(const std::string &attr, const std::string &val) throw(FWException); /** * Generic find function, finds all objects in the tree rooted at * that match given predicate. Fills @res_list with * pointers to the objects it finds. */ std::list findIf(FWObjectFindPredicate *pred); /** * if this object has any references as its children, replace IDs * these references point to. */ virtual int replaceRef(int oldfw_id, int newfw_id); /** * recursively find all FWReference objects that are children of * this and generate list of pointers to the objects these * references point to. */ void findDependencies(std::list &deps); virtual void setDirty(bool f); virtual bool isDirty(); /** * sets read-only flag for the object. FWObject checks all objects * up in the tree before making any change to see if the subtree * is read-only. Marking an object read-only automatically makes * the whole tree branch under it read-only. */ virtual void setReadOnly(bool f); virtual bool isReadOnly(); virtual void checkReadOnly() throw(FWException); /** * return true if this object can be copied around and put in the * tree in one of the system folders. False if it must be a child * of some other primary obejct. 
The latter category includes * physAddress, interface, IPv4 and IPv6 if they are children of * interface, rulesets, rule elements and rules. */ virtual bool isPrimaryObject() const; // Attributes iterator std::map::const_iterator dataBegin() { return data.begin(); } std::map::const_iterator dataEnd() { return data.end(); } const std::set &getKeywords() { return keywords; } const std::set &getAllKeywords(); void addKeyword(const std::string &keyword); void removeKeyword(const std::string &keyword); void clearKeywords(); static std::string getDataDir() { return dataDir; } static void setDataDir(const std::string &dir) { dataDir = dir; } }; class FWObjectTypedChildIterator { public: FWObjectTypedChildIterator(); FWObjectTypedChildIterator(const FWObjectTypedChildIterator &o); FWObjectTypedChildIterator(const FWObject *o, const std::string &_type_name); bool operator==(const FWObject::const_iterator& __x) const; bool operator!=(const FWObject::const_iterator& __x) const; FWObject *operator*() const; FWObjectTypedChildIterator& operator++(); FWObjectTypedChildIterator& operator--(); const FWObject::const_iterator &begin() { return _begin; } const FWObject::const_iterator & end() { return _end ; } protected: std::string type_name; FWObject::const_iterator real_iterator; FWObject::const_iterator _begin; FWObject::const_iterator _end; void init(const FWObject *o, const std::string &_type_name); }; /** * Predicate class testing object pointers for name eqivalence. * name is obtained by calling getName() method. * This class could be used in STL Algoriths find_if, and others. 
*/ class FWObjectNameEQPredicate: public std::unary_function { std::string n; public: FWObjectNameEQPredicate(const std::string &name):n(name) {} bool operator()(const FWObject *o) const { return o->getName()==n; } }; struct FWObjectNameCmpPredicate : public std::binary_function { bool follow_references; FWObjectNameCmpPredicate(bool follow_refs=false); bool operator()(FWObject *a,FWObject *b); }; class findFWObjectIDPredicate : public std::unary_function { int _id; public: findFWObjectIDPredicate(int id):_id(id) {} bool operator()(const FWObject *o) const {return o->getId()==_id;} }; /** * Predicate class testing object pointers for type name eqivalence. * name is obtained by calling getTypeName() method. * This class could be used in STL Algoriths find_if, and others. */ class FWObjectTypeNameEQPredicate: public std::unary_function { std::string n; public: FWObjectTypeNameEQPredicate(const std::string &name):n(name) {} bool operator()(const FWObject *o) const { return o->getTypeName()==n; } }; /** * Generic predicate class testing any object parameters, used for findIf. */ class FWObjectFindPredicate { public: FWObjectFindPredicate() {} virtual ~FWObjectFindPredicate() {} virtual bool operator()(FWObject*) const { std::cerr << "#"; return false; } }; } #endif // _FWOBJECT_HH fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWObjectDatabase.cpp000066400000000000000000000371331303637203600253320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include #include #include #include #include #include #include #include #include #include "fwbuilder/memcheck.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/Library.h" #include "fwbuilder/Interval.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/IPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/FWIntervalReference.h" #include "fwbuilder/Host.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/physAddress.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Group.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Routing.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/IntervalGroup.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Management.h" #include "fwbuilder/XMLTools.h" 
#include "fwbuilder/TagService.h" #include "fwbuilder/UserService.h" #include #include using namespace std; using namespace libfwbuilder; // each program invocation tracks its own set of object ids (as int) // we just increment this counter to get new id. We also keep a dictionary // that maps integer ids to strings. This dictionary is populated when // objects are loaded from xml file and then used to write string ids // when objects are written back to file. Internally we operate with // integer ids all the time, string ids are only used in xml file. // "System" objects use ids < 1000. int id_seed = 1000; #ifdef _WIN32 static int cached_pid = _getpid(); # ifndef __GNUC__ #define snprintf sprintf_s # endif #else static int cached_pid = getpid(); #endif // these two dictionaries must be static to ensure uniqueness of integer // ids across multiple FWObjectDatabase objects map id_dict; map id_dict_reverse; const char* FWObjectDatabase::TYPENAME = {"FWObjectDatabase"}; const string FWObjectDatabase::DTD_FILE_NAME = "fwbuilder.dtd" ; FWObjectDatabase::FWObjectDatabase() : FWObject(false), data_file(), obj_index() { init_create_methods_table(); setRoot(this); index_hits = index_misses = 0; init_id_dict(); predictable_id_tracker = 0; ignore_read_only = false; searchId =0; lastModified = 0; setName(TYPENAME); setId( ROOT_ID ); setDirty(false); } FWObjectDatabase::FWObjectDatabase(FWObjectDatabase& d) : FWObject(false), data_file(), obj_index() { init_create_methods_table(); setRoot(this); index_hits = index_misses = 0; init_id_dict(); predictable_id_tracker = 0; ignore_read_only = false; data_file = d.data_file; setName(TYPENAME); searchId =0; busy = true; *this = d; // copies entire tree setId( ROOT_ID ); // I do not understand why do I need to reindex the whole database // after operator=. It calls FWobject::duplicate, which in turn // uses FWObject::shallowDuplicate, which calls addToIndex // This is necessary however. 
// addToIndexRecursive( this ); // reindex setDirty(false); busy = false; } FWObjectDatabase::~FWObjectDatabase() { busy = true; //verifyTree(); // debugging destroyChildren(); } void FWObjectDatabase::init_id_dict() { if (id_dict.size()==0) { id_dict[ROOT_ID] = "root"; id_dict[ANY_ADDRESS_ID] = "sysid0"; id_dict[ANY_SERVICE_ID] = "sysid1"; id_dict[ANY_INTERVAL_ID] = "sysid2"; id_dict[STANDARD_LIB_ID] = "syslib000"; id_dict[TEMPLATE_LIB_ID] = "syslib100"; id_dict[DELETED_OBJECTS_ID] = "sysid99"; id_dict[DUMMY_ADDRESS_ID] = "dummyaddressid0"; id_dict[DUMMY_SERVICE_ID] = "dummyserviceid0"; id_dict[DUMMY_INTERFACE_ID] = "dummyinterfaceid0"; for (map::iterator i=id_dict.begin(); i!=id_dict.end(); ++i) id_dict_reverse[i->second] = i->first; } } int FWObjectDatabase::registerStringId(const std::string &s_id) { int i_id = -1; if (id_dict_reverse.count(s_id) > 0) return id_dict_reverse[s_id]; i_id = ++id_seed; id_dict[i_id] = s_id; id_dict_reverse[s_id] = i_id; return i_id; } int FWObjectDatabase::getIntId(const std::string &s_id) { if (id_dict_reverse.count(s_id) > 0) return id_dict_reverse[s_id]; return -1; } string FWObjectDatabase::getStringId(int i_id) { if (id_dict.count(i_id) > 0) return id_dict[i_id]; // TODO: Use proper GUID algorithm here char id_buf[64]; snprintf(id_buf, sizeof(id_buf), "id%dX%d", i_id, cached_pid); id_dict[i_id] = string(id_buf); id_dict_reverse[string(id_buf)] = i_id; return id_dict[i_id]; } string FWObjectDatabase::getPredictableId(const string &prefix) { ostringstream str; str << prefix << predictable_id_tracker; string new_id = str.str(); predictable_id_tracker++; return new_id; } void FWObjectDatabase::_setPredictableStrIdsRecursively(FWObject *obj) { if (obj->getBool(".seen_this")) return; if (!obj->isReadOnly() && !FWObjectDatabase::isA(obj) && obj->getLibrary()->getId() != FWObjectDatabase::STANDARD_LIB_ID && obj->getLibrary()->getId() != FWObjectDatabase::DELETED_OBJECTS_ID && obj->getId() != -1) { string new_id = 
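getPredictableId("id");
        int int_id = obj->getId();
        id_dict[int_id] = new_id;
        id_dict_reverse[new_id] = int_id;
        obj->setBool(".seen_this", true);
    }
    for (list<FWObject*>::iterator it = obj->begin(); it != obj->end(); ++it)
    {
        _setPredictableStrIdsRecursively(*it);
    }
}

// Lets every object below obj fix the references it keeps outside the
// usual FWReference children (see updateNonStandardObjectReferences()),
// descending depth-first.
void FWObjectDatabase::_updateNonStandardObjectReferencesRecursively(
    FWObject *obj)
{
    for (list<FWObject*>::iterator it = obj->begin(); it != obj->end(); ++it)
    {
        (*it)->updateNonStandardObjectReferences();
        _updateNonStandardObjectReferencesRecursively(*it);
    }
}

// Replaces the string ids of all eligible objects with predictable
// "id<N>" values, then repairs references stored in attributes rather
// than in FWReference objects, which would otherwise keep the old ids.
void FWObjectDatabase::setPredictableIds()
{
    _setPredictableStrIdsRecursively(this);
    _updateNonStandardObjectReferencesRecursively(this);
}

// Integer ids are unique within the process: id_seed only grows.
int FWObjectDatabase::generateUniqueId() { return ++id_seed; }

void FWObjectDatabase::setFileName(const string &filename) { data_file = filename; }

const string &FWObjectDatabase::getFileName() { return data_file; }

/*
 * Directory part of the data file name, without the trailing separator.
 * Returns "" when there is no directory component or when the only
 * separator is the leading one.
 */
const string FWObjectDatabase::getFileDir()
{
    char dir_delimiter = '/';
#ifdef __MINGW32__
    dir_delimiter = '\\';
#endif
    string::size_type i = data_file.rfind(dir_delimiter);
    if (i == string::npos || i == 0) return "";
    return data_file.substr(0, i);
}

/*
 * Loads the object tree from file f, replacing the current contents of
 * this database. XMLTools::loadFile parses (and, via 'upgrade', may
 * upgrade) the document; its root element must be a FWObjectDatabase,
 * otherwise FWException is thrown. Exceptions raised while rebuilding
 * the tree propagate to the caller. The 'busy' flag is raised while the
 * tree is rebuilt (as in saveFile(), so read-only status is ignored)
 * and is cleared again on every exit path. An empty file name is a no-op.
 */
void FWObjectDatabase::load(const string &f,
                            XMLTools::UpgradePredicate *upgrade,
                            const std::string &template_dir) throw(FWException)
{
    if (f == "") return;

    xmlDocPtr doc = XMLTools::loadFile(f, FWObjectDatabase::TYPENAME,
                                       FWObjectDatabase::DTD_FILE_NAME,
                                       upgrade, template_dir);

    xmlNodePtr root = xmlDocGetRootElement(doc);
    if (!root || !root->name ||
        strcmp(FROMXMLCAST(root->name), FWObjectDatabase::TYPENAME) != SAME)
    {
        xmlFreeDoc(doc);
        throw FWException("Data file has invalid structure: " + f);
    }

    try
    {
        busy = true;
        destroyChildren();
        clearIndex();
        fromXML(root);
        setDirty(false);
        setFileName(f);
    }
    catch (...)
    {
        // Release the parsed document on the failure path as well, so a
        // malformed file does not leak it, and rethrow the original
        // exception unchanged.
        busy = false;
        xmlFreeDoc(doc);
        throw;
    }

    xmlFreeDoc(doc);
    busy = false;
}

void FWObjectDatabase::saveFile(const string &filename) throw(FWException)
{
    /* need to set flag 'busy' so we ignore read-only status. Some objects
     * modify themselves in toXML() (e.g.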
Management) so if they belong to * a read-only library, we can't save them to a file. It should be * safe to ignore read-only flag but save it though. */ busy = true; xmlDocPtr doc = xmlNewDoc(TOXMLCAST("1.0")); xmlNodePtr node = xmlNewNode(NULL, STRTOXMLCAST(getName())); xmlDocSetRootElement(doc, node); xmlNewNs(node, TOXMLCAST("http://www.fwbuilder.org/1.0/"), NULL); toXML(xmlDocGetRootElement(doc)); XMLTools::saveFile(doc, filename, FWObjectDatabase::TYPENAME, FWObjectDatabase::DTD_FILE_NAME); xmlFreeDoc(doc); setDirty(false); busy = false; } void FWObjectDatabase::saveToBuffer(xmlChar **buffer, int *size) throw(FWException) { /* need to set flag 'busy' so we ignore read-only status. Some objects * modify themselves in toXML() (e.g. Management) so if they belong to a * read-only library, we can't save them to a file. It should be safe * to ignore read-only flag but save it though. */ busy = true; xmlDocPtr doc = xmlNewDoc(TOXMLCAST("1.0")); xmlNodePtr node = xmlNewDocNode(doc, NULL, STRTOXMLCAST(getName()), NULL); xmlDocSetRootElement(doc, node); xmlNewNs(node, TOXMLCAST("http://www.fwbuilder.org/1.0/"), NULL); toXML(xmlDocGetRootElement(doc)); XMLTools::dumpToMemory(doc, buffer, size, FWObjectDatabase::TYPENAME, FWObjectDatabase::DTD_FILE_NAME); xmlFreeDoc(doc); //xmlCleanupParser(); // setDirty(false); busy = false; } void FWObjectDatabase::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("lastModified"))); if (n!=NULL) { int i = 0; istringstream str(n); str >> i; lastModified = i; FREEXMLBUFF(n); //xmlFree((void*)n); } } xmlNodePtr FWObjectDatabase::toXML(xmlNodePtr parent) throw(FWException) { FWObject *o; //xmlNewProp(parent, NULL, NULL); xmlNewProp(parent, TOXMLCAST("version") , TOXMLCAST(FWBUILDER_XML_VERSION)); if (lastModified!=0) { ostringstream str; str << lastModified; xmlNewProp(parent, TOXMLCAST("lastModified"), TOXMLCAST(str.str().c_str())); } int rootid = getId(); 
//NOTUSED xmlAttrPtr pr = xmlNewProp(parent, TOXMLCAST("id") , STRTOXMLCAST(id_dict[rootid])); //xmlAddID(NULL, parent->doc, STRTOXMLCAST(id_dict[rootid]), pr); for(list::const_iterator j=begin(); j!=end(); ++j) { if ((o=(*j))!=NULL) o->toXML(parent); } return parent; } void FWObjectDatabase::setDirty(bool f) { dirty=f; if(!busy && f) lastModified=time(NULL); } void FWObjectDatabase::addToIndex(FWObject* o) { if (o) { o->setRoot( this ); if (o->getId() > -1 ) obj_index[o->getId()] = o; } } void FWObjectDatabase::removeFromIndex(int id) { obj_index.erase(id); } FWObject* FWObjectDatabase::checkIndex(int id) { if (obj_index.count(id)==0) return NULL; return obj_index[id]; } FWObject* FWObjectDatabase::findInIndex(int id) { if (id < 0) return NULL; FWObject *o = checkIndex(id); if (o!=NULL) index_hits++; else { index_misses++; // if index is incomplete or empty, update it automatically using // recursive search to find object o = getById( id , true ); if (o) addToIndex(o); } return o; } void FWObjectDatabase::buildIndex() { clearIndex(); addToIndexRecursive(this); } void FWObjectDatabase::validateIndex() { std::map::iterator it; for (it=obj_index.begin(); it!=obj_index.end(); ++it) { if (it->second->getRoot() != this) { cerr << "Object '" << it->second->getName() << "'" << " ( " << it->second << " type " << it->second->getTypeName() << ")" << " in index of db " << this << " has incorrect db root ptr " << it->second->getRoot() << endl; } } } void FWObjectDatabase::_clearReferenceCounters(FWObject *o) { o->clearRefCounter(); for (FWObject::iterator i=o->begin(); i!=o->end(); ++i) { _clearReferenceCounters(*i); } } void FWObjectDatabase::_fixReferenceCounters(FWObject *o) { if (FWReference::cast(o)!=NULL) { FWObject *obj = findInIndex( FWReference::cast(o)->getPointerId() ); assert(obj); obj->ref(); } for (FWObject::iterator i=o->begin(); i!=o->end(); ++i) { (*i)->ref(); _fixReferenceCounters(*i); } } void FWObjectDatabase::reIndex() { buildIndex(); 
_clearReferenceCounters(this); _fixReferenceCounters(this); } void FWObjectDatabase::clearIndex() { index_hits = index_misses = 0; obj_index.clear(); } void FWObjectDatabase::getIndexStats(int &index_size, int &hit_counter, int &miss_counter) { index_size = obj_index.size(); hit_counter = index_hits; miss_counter = index_misses; } void FWObjectDatabase::addToIndexRecursive(FWObject *o) { addToIndex(o); for (FWObject::iterator i=o->begin(); i!=o->end(); ++i) addToIndexRecursive(*i); } /* * This method removes all references to child objects of obj, then * removes obj. FWObject::remove moves obj to the "DeletedObjects" * library so we want to preserve subtree structure under obj. There * is no need to delete child objects, but we must remove all * references to them. * * Note: there is no need to search for references pointing at certain * types of objects, such as references and rules/rule sets. This * dramatically speeds up deleting firewalls with large policies and * groups with lots of objects */ void FWObjectDatabase::recursivelyRemoveObjFromTree(FWObject* obj, bool remove_ref) { obj->checkReadOnly(); for (FWObject::iterator i=obj->begin(); i!=obj->end(); ++i) { if (FWReference::cast(*i)!=NULL || RuleSet::cast(*i)!=NULL) continue; recursivelyRemoveObjFromTree( *i , true); } if (remove_ref) removeAllReferences(obj); else removeAllInstances(obj); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWObjectDatabase.h000066400000000000000000000477261303637203600250100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWOBJECTDATABASE_HH_FLAG__ #define __FWOBJECTDATABASE_HH_FLAG__ #include "fwbuilder/FWObject.h" #include "fwbuilder/FWException.h" #include "fwbuilder/ThreadTools.h" #include "fwbuilder/XMLTools.h" #ifdef _WIN32 # include # include #else # include # include #endif #include // for time_t #define DECLARE_CREATE_OBJ_METHOD(classname) \ FWObject* create_##classname(int id=-1); #define DECLARE_CREATE_OBJ_CLASS_METHOD(classname) \ classname * create##classname(int id=-1); namespace libfwbuilder { class Group; // forward declarations for specialized create() methods class AddressRange; class AddressTable; class AttachedNetworks; class Cluster; class StateSyncClusterGroup; class FailoverClusterGroup; class ClusterGroupOptions; class CustomService; class DNSName; class DynamicGroup; class FWBDManagement; class FWIntervalReference; class FWObjectReference; class FWServiceReference; class Firewall; class FirewallOptions; class Host; class HostOptions; class ICMP6Service; class ICMPService; class IPService; class IPv4; class IPv6; class Interface; class InterfaceOptions; class Interval; class IntervalGroup; class Library; class Management; class NAT; class NATRule; class NATRuleOptions; class Network; class NetworkIPv6; class ObjectGroup; class Policy; class PolicyInstallScript; class PolicyRule; class PolicyRuleOptions; class Routing; class RoutingRule; class RoutingRuleOptions; class RuleElementDst; class RuleElementInterval; class RuleElementItf; class RuleElementItfInb; class RuleElementItfOutb; class RuleElementODst; class RuleElementOSrc; class RuleElementOSrv; class RuleElementRDst; 
class RuleElementRGtw; class RuleElementRItf; class RuleElementSrc; class RuleElementSrv; class RuleElementTDst; class RuleElementTSrc; class RuleElementTSrv; class RuleSetOptions; class SNMPManagement; class ServiceGroup; class TCPService; class TagService; class UDPService; class UserService; class physAddress; DECLARE_CREATE_OBJ_METHOD(AddressRange); DECLARE_CREATE_OBJ_METHOD(AddressTable); DECLARE_CREATE_OBJ_METHOD(AttachedNetworks); DECLARE_CREATE_OBJ_METHOD(Cluster); DECLARE_CREATE_OBJ_METHOD(StateSyncClusterGroup); DECLARE_CREATE_OBJ_METHOD(FailoverClusterGroup); DECLARE_CREATE_OBJ_METHOD(ClusterGroupOptions); DECLARE_CREATE_OBJ_METHOD(CustomService); DECLARE_CREATE_OBJ_METHOD(DNSName); DECLARE_CREATE_OBJ_METHOD(DynamicGroup); DECLARE_CREATE_OBJ_METHOD(FWBDManagement); DECLARE_CREATE_OBJ_METHOD(FWIntervalReference); DECLARE_CREATE_OBJ_METHOD(FWObjectReference); DECLARE_CREATE_OBJ_METHOD(FWServiceReference); DECLARE_CREATE_OBJ_METHOD(Firewall); DECLARE_CREATE_OBJ_METHOD(FirewallOptions); DECLARE_CREATE_OBJ_METHOD(Host); DECLARE_CREATE_OBJ_METHOD(HostOptions); DECLARE_CREATE_OBJ_METHOD(ICMP6Service); DECLARE_CREATE_OBJ_METHOD(ICMPService); DECLARE_CREATE_OBJ_METHOD(IPService); DECLARE_CREATE_OBJ_METHOD(IPv4); DECLARE_CREATE_OBJ_METHOD(IPv6); DECLARE_CREATE_OBJ_METHOD(Interface); DECLARE_CREATE_OBJ_METHOD(InterfaceOptions); DECLARE_CREATE_OBJ_METHOD(Interval); DECLARE_CREATE_OBJ_METHOD(IntervalGroup); DECLARE_CREATE_OBJ_METHOD(Library); DECLARE_CREATE_OBJ_METHOD(Management); DECLARE_CREATE_OBJ_METHOD(NAT); DECLARE_CREATE_OBJ_METHOD(NATRule); DECLARE_CREATE_OBJ_METHOD(NATRuleOptions); DECLARE_CREATE_OBJ_METHOD(Network); DECLARE_CREATE_OBJ_METHOD(NetworkIPv6); DECLARE_CREATE_OBJ_METHOD(ObjectGroup); DECLARE_CREATE_OBJ_METHOD(Policy); DECLARE_CREATE_OBJ_METHOD(PolicyInstallScript); DECLARE_CREATE_OBJ_METHOD(PolicyRule); DECLARE_CREATE_OBJ_METHOD(PolicyRuleOptions); DECLARE_CREATE_OBJ_METHOD(Routing); DECLARE_CREATE_OBJ_METHOD(RoutingRule); 
DECLARE_CREATE_OBJ_METHOD(RoutingRuleOptions); DECLARE_CREATE_OBJ_METHOD(RuleElementDst); DECLARE_CREATE_OBJ_METHOD(RuleElementInterval); DECLARE_CREATE_OBJ_METHOD(RuleElementItf); DECLARE_CREATE_OBJ_METHOD(RuleElementItfInb); DECLARE_CREATE_OBJ_METHOD(RuleElementItfOutb); DECLARE_CREATE_OBJ_METHOD(RuleElementODst); DECLARE_CREATE_OBJ_METHOD(RuleElementOSrc); DECLARE_CREATE_OBJ_METHOD(RuleElementOSrv); DECLARE_CREATE_OBJ_METHOD(RuleElementRDst); DECLARE_CREATE_OBJ_METHOD(RuleElementRGtw); DECLARE_CREATE_OBJ_METHOD(RuleElementRItf); DECLARE_CREATE_OBJ_METHOD(RuleElementSrc); DECLARE_CREATE_OBJ_METHOD(RuleElementSrv); DECLARE_CREATE_OBJ_METHOD(RuleElementTDst); DECLARE_CREATE_OBJ_METHOD(RuleElementTSrc); DECLARE_CREATE_OBJ_METHOD(RuleElementTSrv); DECLARE_CREATE_OBJ_METHOD(RuleSetOptions); DECLARE_CREATE_OBJ_METHOD(SNMPManagement); DECLARE_CREATE_OBJ_METHOD(ServiceGroup); DECLARE_CREATE_OBJ_METHOD(TCPService); DECLARE_CREATE_OBJ_METHOD(TagService); DECLARE_CREATE_OBJ_METHOD(UDPService); DECLARE_CREATE_OBJ_METHOD(UserService); DECLARE_CREATE_OBJ_METHOD(physAddress); DECLARE_CREATE_OBJ_METHOD(Group); class IDcounter { protected: long cntr; public: IDcounter(); long get() { ++cntr; return cntr; } }; class FWObjectDatabase; typedef FWObject*(*create_function_ptr)(int); /** * Database of objects. 
*/ class FWObjectDatabase : public FWObject { private: void _clearReferenceCounters(FWObject *o); void _fixReferenceCounters(FWObject *o); bool _isInIgnoreList(FWObject *o); /* bool _findWhereUsed( */ /* libfwbuilder::FWObject *o, */ /* libfwbuilder::FWObject *p, */ /* std::set &resset); */ bool _findWhereObjectIsUsed(libfwbuilder::FWObject *o, libfwbuilder::FWObject *p, std::set &resset, int search_id); void _findObjectsInGroup( libfwbuilder::Group *g, std::set &res); Firewall* _findFirewallByNameRecursive( FWObject* db, const std::string &name) throw(FWException); FWObject* _recursively_copy_subtree(FWObject *target, FWObject *source, std::map &id_map, const std::string &dedup_attribute); void _copy_foreign_obj_aux(FWObject *target, FWObject *source, std::map &id_map, const std::string &dedup_attribute); void _setPredictableStrIdsRecursively(FWObject *obj); void _updateNonStandardObjectReferencesRecursively(FWObject *obj); protected: static const std::string DTD_FILE_NAME ; time_t lastModified; int index_hits; int index_misses; std::string data_file; std::map obj_index; int searchId; int predictable_id_tracker; bool ignore_read_only; void init_create_methods_table(); void init_id_dict(); public: DECLARE_FWOBJECT_SUBTYPE(FWObjectDatabase); DECLARE_DISPATCH_METHODS(FWObjectDatabase); enum {ROOT_ID = 0, ANY_ADDRESS_ID = 1, ANY_SERVICE_ID = 2, ANY_INTERVAL_ID = 3, STANDARD_LIB_ID = 4, USER_LIB_ID = 5, TEMPLATE_LIB_ID = 6, DELETED_OBJECTS_ID = 7, DUMMY_ADDRESS_ID = 8, DUMMY_SERVICE_ID = 9, DUMMY_INTERFACE_ID = 10 } standard_ids; static void registerObjectType(const std::string &type_name, create_function_ptr create_function); /** * this constructor initializes singleton db */ FWObjectDatabase(); /** * this constructor makes a copy of entire tree and does not * intitialize db */ FWObjectDatabase(FWObjectDatabase& d); virtual ~FWObjectDatabase(); // --- methods dealing with object index void addToIndexRecursive(FWObject *o); /** * add an object to the index */ void 
addToIndex(FWObject* obj); /** * remove an object from the index */ void removeFromIndex(int id); /** * check if an object is present in the index using its ID */ FWObject* checkIndex(int id); /** * find an object in the index using its ID */ FWObject* findInIndex(int id); /** * build index */ void buildIndex(); /** * clear the index */ void clearIndex(); /** * this is just like buildIndex, except it also fixes reference * counters in objects. Call this method after loading database * from XML file. This method uses private _fixReferenceCounters */ void reIndex(); /** * return index usage statistics */ void getIndexStats(int &index_size, int &hit_counter, int &miss_counter); /** * this function is intended for debugging. */ void validateIndex(); /** * Some operations, such as object tree merging, should ignore * read-only flag on individual objects. */ bool getIgnoreReadOnlyFlag() { return ignore_read_only; } void setIgnoreReadOnlyFlag(bool f) { ignore_read_only = f; } // --- XML import/export --- virtual void fromXML(xmlNodePtr xml_parent_node) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); time_t getTimeLastModified() { return lastModified; } void resetTimeLastModified(time_t t) { lastModified=t; } // --- Load/Save --- virtual void saveFile(const std::string &filename) throw(FWException); virtual void saveToBuffer(xmlChar **buffer,int *size) throw(FWException); virtual void load( const std::string &filename, XMLTools::UpgradePredicate *upgrade, const std::string &template_dir) throw(FWException); virtual void setDirty(bool f); Firewall* findFirewallByName(const std::string &name) throw(FWException); FWObjectDatabase* exportSubtree( FWObject *lib ); FWObjectDatabase* exportSubtree( const std::list &libs ); /* void findWhereUsed( */ /* libfwbuilder::FWObject *o, */ /* libfwbuilder::FWObject *p, */ /* std::set &resset); */ /** * Find reference to object in the subtree rooted at

'p'. Do * not search for indirect usage, i.e. when an object has a * reference to a group that in turn has reference to 'o'. Search * also includes references to objects used in rule actions Tag * and Branch. */ void findWhereObjectIsUsed( libfwbuilder::FWObject *o, libfwbuilder::FWObject *p, std::set &resset); /** * find all objects used by the group 'g'. Resolve references * recursively (that is, if a group member is another group, this * method descends into it and scans all objects that group uses) */ void findObjectsInGroup( libfwbuilder::Group *g, std::set &resset); /** * We ignore read-only flag on individual objects when whole object * tree is duplicated */ virtual FWObject& duplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); void recursivelyRemoveObjFromTree(FWObject* obj, bool remove_ref=false); /** * Copy object 'source' and all its children, recursively, into * object tree starting from 'target'. 'target' is a parent of the copy * of 'source' that will be created. * Store ID mapping in 'id_map' (as a dictionary old_id -> new_id) */ FWObject* recursivelyCopySubtree(FWObject *target, FWObject *source, std::map &id_map); /** * Create groups to reproduce path inside given library. If groups * with required names exist, do nothing. Return pointer to the * last object created to copy the path. Do not copy object 'source'. * This means returned object can be a parent for the copy of 'source'. */ FWObject* reproduceRelativePath(FWObject *lib, const FWObject *source); /** * fix references in children of obj according to the map_ids which * maps old IDs to the new ones. Return the number of fixed references. */ int fixReferences(FWObject *obj, const std::map &map_ids); /** * this predicate is used to hand control over to user in case * when a conflict is detected while merging trees. By default the * old object is overwritten with new one. 
*/ class ConflictResolutionPredicate { public: virtual ~ConflictResolutionPredicate() {} virtual bool askUser(FWObject*,FWObject*) { return true; } }; void merge(FWObjectDatabase *ndb, ConflictResolutionPredicate *mp=NULL); void findDuplicateIds(FWObjectDatabase *ndb, std::set &dupids); void setFileName(const std::string &filename); const std::string& getFileName (); const std::string getFileDir (); static int generateUniqueId(); static int registerStringId(const std::string &s_id); static int getIntId(const std::string &s_id); static std::string getStringId(int i_id); /** * generate predictable ID based on given prefix by adding sequential * suffix to it. */ std::string getPredictableId(const std::string &prefix); /** * This method replaces random string object ids with * predictable ones. This does not change their int IDs, only * string IDs that appear in the XML file when objects are * saved change. * * Used in unit testing to create .fwb files that can be * compared. */ virtual void setPredictableIds(); /** * This is the main "Create" method: * it creates instance of FWObject of given type * * if parameter 'create_with_root' is true, this method will create * objects using constructor that uses pointer to this as a parameter, * otherwise empty constructor is used */ FWObject *create(const std::string &type, int id=-1, bool init=true); /** * Creates instance of FWObject using its XML representation */ virtual FWObject *createFromXML(xmlNodePtr data); /** * Specialized createClass() methods: class name is part of the method * name, e.g. createLibrary(), also these return a pointer to the * corresponding class. 
Note that each macro declares two methods: * Class* createClass(int,bool) and FWObject* createFWObjectClass(int,bool) */ DECLARE_CREATE_OBJ_CLASS_METHOD(AddressRange); DECLARE_CREATE_OBJ_CLASS_METHOD(AddressTable); DECLARE_CREATE_OBJ_CLASS_METHOD(AttachedNetworks); DECLARE_CREATE_OBJ_CLASS_METHOD(Cluster); DECLARE_CREATE_OBJ_CLASS_METHOD(StateSyncClusterGroup); DECLARE_CREATE_OBJ_CLASS_METHOD(FailoverClusterGroup); DECLARE_CREATE_OBJ_CLASS_METHOD(ClusterGroupOptions); DECLARE_CREATE_OBJ_CLASS_METHOD(CustomService); DECLARE_CREATE_OBJ_CLASS_METHOD(DNSName); DECLARE_CREATE_OBJ_CLASS_METHOD(DynamicGroup); DECLARE_CREATE_OBJ_CLASS_METHOD(FWBDManagement); DECLARE_CREATE_OBJ_CLASS_METHOD(FWIntervalReference); DECLARE_CREATE_OBJ_CLASS_METHOD(FWObjectReference); DECLARE_CREATE_OBJ_CLASS_METHOD(FWServiceReference); DECLARE_CREATE_OBJ_CLASS_METHOD(Firewall); DECLARE_CREATE_OBJ_CLASS_METHOD(FirewallOptions); DECLARE_CREATE_OBJ_CLASS_METHOD(Host); DECLARE_CREATE_OBJ_CLASS_METHOD(HostOptions); DECLARE_CREATE_OBJ_CLASS_METHOD(ICMP6Service); DECLARE_CREATE_OBJ_CLASS_METHOD(ICMPService); DECLARE_CREATE_OBJ_CLASS_METHOD(IPService); DECLARE_CREATE_OBJ_CLASS_METHOD(IPv4); DECLARE_CREATE_OBJ_CLASS_METHOD(IPv6); DECLARE_CREATE_OBJ_CLASS_METHOD(Interface); DECLARE_CREATE_OBJ_CLASS_METHOD(InterfaceOptions); DECLARE_CREATE_OBJ_CLASS_METHOD(Interval); DECLARE_CREATE_OBJ_CLASS_METHOD(IntervalGroup); DECLARE_CREATE_OBJ_CLASS_METHOD(Library); DECLARE_CREATE_OBJ_CLASS_METHOD(Management); DECLARE_CREATE_OBJ_CLASS_METHOD(NAT); DECLARE_CREATE_OBJ_CLASS_METHOD(NATRule); DECLARE_CREATE_OBJ_CLASS_METHOD(NATRuleOptions); DECLARE_CREATE_OBJ_CLASS_METHOD(Network); DECLARE_CREATE_OBJ_CLASS_METHOD(NetworkIPv6); DECLARE_CREATE_OBJ_CLASS_METHOD(ObjectGroup); DECLARE_CREATE_OBJ_CLASS_METHOD(Policy); DECLARE_CREATE_OBJ_CLASS_METHOD(PolicyInstallScript); DECLARE_CREATE_OBJ_CLASS_METHOD(PolicyRule); DECLARE_CREATE_OBJ_CLASS_METHOD(PolicyRuleOptions); DECLARE_CREATE_OBJ_CLASS_METHOD(Routing); 
DECLARE_CREATE_OBJ_CLASS_METHOD(RoutingRule); DECLARE_CREATE_OBJ_CLASS_METHOD(RoutingRuleOptions); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementDst); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementInterval); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementItf); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementItfInb); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementItfOutb); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementODst); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementOSrc); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementOSrv); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementRDst); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementRGtw); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementRItf); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementSrc); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementSrv); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementTDst); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementTSrc); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementTSrv); DECLARE_CREATE_OBJ_CLASS_METHOD(RuleSetOptions); DECLARE_CREATE_OBJ_CLASS_METHOD(SNMPManagement); DECLARE_CREATE_OBJ_CLASS_METHOD(ServiceGroup); DECLARE_CREATE_OBJ_CLASS_METHOD(TCPService); DECLARE_CREATE_OBJ_CLASS_METHOD(TagService); DECLARE_CREATE_OBJ_CLASS_METHOD(UDPService); DECLARE_CREATE_OBJ_CLASS_METHOD(UserService); DECLARE_CREATE_OBJ_CLASS_METHOD(physAddress); DECLARE_CREATE_OBJ_CLASS_METHOD(Group); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWObjectDatabase_create_object.cpp000066400000000000000000000344331303637203600302030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org Vadim Kurland vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include #include #include #include #include #include #include #include #include #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWIntervalReference.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/DynamicGroup.h" #include "fwbuilder/Group.h" #include "fwbuilder/Host.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" #include "fwbuilder/Library.h" #include "fwbuilder/Management.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" #include 
"fwbuilder/UserService.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/physAddress.h" #include #include using namespace std; using namespace libfwbuilder; static std::map create_methods; #define CREATE_OBJ_METHOD(classname) \ FWObject* libfwbuilder::create_##classname(int id) \ { \ classname *nobj = new classname(); \ if (id > -1) nobj->setId(id); \ return nobj; \ } \ \ classname * FWObjectDatabase::create##classname(int id) \ { \ classname * nobj = classname::cast(create_##classname(id)); \ addToIndex(nobj); \ nobj->init(this); \ return nobj; \ } void FWObjectDatabase::registerObjectType(const std::string &type_name, create_function_ptr create_function) { create_methods[type_name] = create_function; } void FWObjectDatabase::init_create_methods_table() { if (create_methods.size()==0) { registerObjectType("AddressRange", &create_AddressRange); registerObjectType("AddressTable", &create_AddressTable); registerObjectType("AttachedNetworks", &create_AttachedNetworks); registerObjectType("Cluster", &create_Cluster); registerObjectType("StateSyncClusterGroup", &create_StateSyncClusterGroup); registerObjectType("FailoverClusterGroup", &create_FailoverClusterGroup); registerObjectType("ClusterGroupOptions", &create_ClusterGroupOptions); registerObjectType("CustomService", &create_CustomService); registerObjectType("DNSName", &create_DNSName); registerObjectType("DynamicGroup", &create_DynamicGroup); registerObjectType("FWBDManagement", &create_FWBDManagement); registerObjectType("IntervalRef", &create_FWIntervalReference); registerObjectType("ObjectRef", &create_FWObjectReference); registerObjectType("ServiceRef", &create_FWServiceReference); registerObjectType("Firewall", &create_Firewall); registerObjectType("FirewallOptions", &create_FirewallOptions); registerObjectType("Host", &create_Host); registerObjectType("HostOptions", &create_HostOptions); registerObjectType("ICMP6Service", &create_ICMP6Service); registerObjectType("ICMPService", &create_ICMPService); 
registerObjectType("InterfaceOptions", &create_InterfaceOptions); registerObjectType("IPService", &create_IPService); registerObjectType("IPv4", &create_IPv4); registerObjectType("IPv6", &create_IPv6); registerObjectType("Interface", &create_Interface); registerObjectType("Interval", &create_Interval); registerObjectType("IntervalGroup", &create_IntervalGroup); registerObjectType("Library", &create_Library); registerObjectType("Management", &create_Management); registerObjectType("NAT", &create_NAT); registerObjectType("NATRule", &create_NATRule); registerObjectType("NATRuleOptions", &create_NATRuleOptions); registerObjectType("Network", &create_Network); registerObjectType("NetworkIPv6", &create_NetworkIPv6); registerObjectType("ObjectGroup", &create_ObjectGroup); registerObjectType("Policy", &create_Policy); registerObjectType("PolicyInstallScript", &create_PolicyInstallScript); registerObjectType("PolicyRule", &create_PolicyRule); registerObjectType("PolicyRuleOptions", &create_PolicyRuleOptions); registerObjectType("Routing", &create_Routing); registerObjectType("RoutingRule", &create_RoutingRule); registerObjectType("RoutingRuleOptions", &create_RoutingRuleOptions); registerObjectType("RuleSetOptions", &create_RuleSetOptions); registerObjectType("Dst", &create_RuleElementDst); registerObjectType("When", &create_RuleElementInterval); registerObjectType("Itf", &create_RuleElementItf); registerObjectType("ItfInb", &create_RuleElementItfInb); registerObjectType("ItfOutb", &create_RuleElementItfOutb); registerObjectType("ODst", &create_RuleElementODst); registerObjectType("OSrc", &create_RuleElementOSrc); registerObjectType("OSrv", &create_RuleElementOSrv); registerObjectType("RDst", &create_RuleElementRDst); registerObjectType("RGtw", &create_RuleElementRGtw); registerObjectType("RItf", &create_RuleElementRItf); registerObjectType("Src", &create_RuleElementSrc); registerObjectType("Srv", &create_RuleElementSrv); registerObjectType("TDst", &create_RuleElementTDst); 
registerObjectType("TSrc", &create_RuleElementTSrc); registerObjectType("TSrv", &create_RuleElementTSrv); registerObjectType("SNMPManagement", &create_SNMPManagement); registerObjectType("ServiceGroup", &create_ServiceGroup); registerObjectType("TCPService", &create_TCPService); registerObjectType("TagService", &create_TagService); registerObjectType("UDPService", &create_UDPService); registerObjectType("UserService", &create_UserService); registerObjectType("physAddress", &create_physAddress); registerObjectType("Group", &create_Group); } } FWObject *FWObjectDatabase::create(const string &type_name, int id, bool init) { create_function_ptr fn = create_methods[type_name]; if (fn == NULL) { const char *type_name_cptr = type_name.c_str(); FWObject *nobj; if (strcmp("comment", type_name_cptr)==SAME) return NULL; if (strcmp("SelectionCriteria", type_name_cptr) == 0) return 0; if (strcmp("AnyNetwork", type_name_cptr)==SAME) { nobj = new Network(); if (id > -1) nobj->setId(id); nobj->setXMLName("AnyNetwork"); addToIndex(nobj); return nobj; } if (strcmp("AnyIPService", type_name_cptr)==SAME) { nobj = new IPService(); if (id > -1) nobj->setId(id); nobj->setXMLName("AnyIPService"); addToIndex(nobj); return nobj; } if (strcmp("AnyInterval", type_name_cptr)==SAME) { nobj = new Interval(); if (id > -1) nobj->setId(id); nobj->setXMLName("AnyInterval"); addToIndex(nobj); return nobj; } if (strcmp("DummyNetwork", type_name_cptr)==SAME) { nobj = new Network(); if (id > -1) nobj->setId(id); nobj->setXMLName("DummyNetwork"); addToIndex(nobj); return nobj; } if (strcmp("DummyIPService", type_name_cptr)==SAME) { nobj = new IPService(); if (id > -1) nobj->setId(id); nobj->setXMLName("DummyIPService"); addToIndex(nobj); return nobj; } if (strcmp("DummyInterface", type_name_cptr)==SAME) { nobj = new Interface(); if (id > -1) nobj->setId(id); nobj->setXMLName("DummyInterface"); addToIndex(nobj); return nobj; } cerr << "Do not have method to create object of type " << type_name << endl; 
return NULL;
    }

    // Registered type: build it, index it, and run init() unless the
    // caller opted out (createFromXML does, see below).
    FWObject *nobj = (*fn)(id);
    addToIndex(nobj);
    if (init) nobj->init(this);
    return nobj;
}

/*
 * Builds an object from its XML element. The element name selects the
 * factory (see create()); the "id" attribute, when present, is
 * registered as a string id and the resulting int id is handed to the
 * new object. Returns NULL when the element has no name or when
 * create() has no factory for it (create() reports that case on
 * stderr), so callers must check the result.
 */
FWObject *FWObjectDatabase::createFromXML(xmlNodePtr data)
{
    const char *element_name = FROMXMLCAST(data->name);
    if (!element_name) return NULL;
    string type_name(element_name);

    int id = -1;
    const char *id_attr = FROMXMLCAST(xmlGetProp(data, TOXMLCAST("id")));
    if (id_attr)
    {
        id = registerStringId(id_attr);
        FREEXMLBUFF(id_attr);   // xmlGetProp hands back an allocated copy
    }

    // init=false: do not prepopulate objects whose constructors would
    // automatically create children.
    return create(type_name, id, false);
}

CREATE_OBJ_METHOD(AddressRange);
CREATE_OBJ_METHOD(AddressTable);
CREATE_OBJ_METHOD(AttachedNetworks);
CREATE_OBJ_METHOD(Cluster);
CREATE_OBJ_METHOD(StateSyncClusterGroup);
CREATE_OBJ_METHOD(FailoverClusterGroup);
CREATE_OBJ_METHOD(ClusterGroupOptions);
CREATE_OBJ_METHOD(CustomService);
CREATE_OBJ_METHOD(DNSName);
CREATE_OBJ_METHOD(DynamicGroup);
CREATE_OBJ_METHOD(FWBDManagement);
CREATE_OBJ_METHOD(FWIntervalReference);
CREATE_OBJ_METHOD(FWObjectReference);
CREATE_OBJ_METHOD(FWServiceReference);
CREATE_OBJ_METHOD(Firewall);
CREATE_OBJ_METHOD(FirewallOptions);
CREATE_OBJ_METHOD(InterfaceOptions);
CREATE_OBJ_METHOD(Host);
CREATE_OBJ_METHOD(HostOptions);
CREATE_OBJ_METHOD(ICMP6Service);
CREATE_OBJ_METHOD(ICMPService);
CREATE_OBJ_METHOD(IPService);
CREATE_OBJ_METHOD(IPv4);
CREATE_OBJ_METHOD(IPv6);
CREATE_OBJ_METHOD(Interface);
CREATE_OBJ_METHOD(Interval);
CREATE_OBJ_METHOD(IntervalGroup);
CREATE_OBJ_METHOD(Library);
CREATE_OBJ_METHOD(Management);
CREATE_OBJ_METHOD(NAT);
CREATE_OBJ_METHOD(NATRule);
CREATE_OBJ_METHOD(NATRuleOptions);
CREATE_OBJ_METHOD(Network);
CREATE_OBJ_METHOD(NetworkIPv6);
CREATE_OBJ_METHOD(ObjectGroup);
CREATE_OBJ_METHOD(Policy);
CREATE_OBJ_METHOD(PolicyInstallScript);
CREATE_OBJ_METHOD(PolicyRule);
CREATE_OBJ_METHOD(PolicyRuleOptions);
CREATE_OBJ_METHOD(Routing);
CREATE_OBJ_METHOD(RoutingRule);
CREATE_OBJ_METHOD(RoutingRuleOptions);
CREATE_OBJ_METHOD(RuleElementDst);
CREATE_OBJ_METHOD(RuleElementInterval);
CREATE_OBJ_METHOD(RuleElementItf);
CREATE_OBJ_METHOD(RuleElementItfInb); CREATE_OBJ_METHOD(RuleElementItfOutb); CREATE_OBJ_METHOD(RuleElementODst); CREATE_OBJ_METHOD(RuleElementOSrc); CREATE_OBJ_METHOD(RuleElementOSrv); CREATE_OBJ_METHOD(RuleElementRDst); CREATE_OBJ_METHOD(RuleElementRGtw); CREATE_OBJ_METHOD(RuleElementRItf); CREATE_OBJ_METHOD(RuleElementSrc); CREATE_OBJ_METHOD(RuleElementSrv); CREATE_OBJ_METHOD(RuleElementTDst); CREATE_OBJ_METHOD(RuleElementTSrc); CREATE_OBJ_METHOD(RuleElementTSrv); CREATE_OBJ_METHOD(RuleSetOptions); CREATE_OBJ_METHOD(SNMPManagement); CREATE_OBJ_METHOD(ServiceGroup); CREATE_OBJ_METHOD(TCPService); CREATE_OBJ_METHOD(TagService); CREATE_OBJ_METHOD(UDPService); CREATE_OBJ_METHOD(UserService); CREATE_OBJ_METHOD(physAddress); CREATE_OBJ_METHOD(Group); fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWObjectDatabase_search.cpp000066400000000000000000000167171303637203600266640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/Host.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Group.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/FWIntervalReference.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleSet.h" #include #include using namespace std; using namespace libfwbuilder; /* * find all objects used by the group 'gr'. Resolves references * recursively (that is, if a group member is another group, this * method descends into it and scans all objects that group uses) */ void FWObjectDatabase::findObjectsInGroup(Group *g, set &res) { searchId++; _findObjectsInGroup(g, res); } void FWObjectDatabase::_findObjectsInGroup(Group *g, set &res) { if (g->size()==0 || g->getInt(".searchId")==searchId) return; g->setInt(".searchId",searchId); FWObjectReference *ref; Group *sg; FWObject *obj; FWObject::iterator i=g->begin(); for (;i!=g->end();++i) { ref=FWObjectReference::cast(*i); if (ref==NULL) { res.insert(*i); continue; } obj=ref->getPointer(); sg=Group::cast(obj); if (sg==NULL) { res.insert(obj); continue; } _findObjectsInGroup(sg,res); } } /* *********************************************************************** */ /** * Find firewall object by name. Finds Firewall and Cluster objects. 
*/
Firewall* FWObjectDatabase::_findFirewallByNameRecursive(FWObject* db,
                                                         const string &name) throw(FWException)
{
    // Firewall::cast matches both Firewall and Cluster objects; anything
    // sitting directly in the "Deleted Objects" library never matches.
    if (Firewall::cast(db) &&
        db->getName() == name &&
        db->getParent()->getId() != FWObjectDatabase::DELETED_OBJECTS_ID)
        return static_cast<Firewall*>(db);

    for (FWObject::iterator child = db->begin(); child != db->end(); ++child)
    {
        Firewall *found = _findFirewallByNameRecursive(*child, name);
        if (found) return found;
    }

    // Only the top-level call (db == this) reports failure; nested calls
    // return NULL so the walk continues in sibling subtrees.
    if (db == this)
        throw FWException("Firewall object '" + name + "' not found");
    return NULL;
}

Firewall* FWObjectDatabase::findFirewallByName(const string &name) throw(FWException)
{
    return _findFirewallByNameRecursive(this, name);
}

//#define DEBUG_WHERE_USED 1

/*
 * Objects the "where used" search never descends into: options
 * objects and the "Deleted Objects" library.
 */
bool FWObjectDatabase::_isInIgnoreList(FWObject *o)
{
    return FWOptions::cast(o) != NULL ||
        o->getId() == FWObjectDatabase::DELETED_OBJECTS_ID;
}

/* *********************************************************************** */

/**
 * Finds references to object 'o' in a subtree rooted at object
 * 'p'. Skips 'deleted objects' library. Avoids circular group
 * references using temporary flags set in objects this method
 * visits. Results are placed in the set resset. This function
 * returns the following objects as the results:
 *
 * - references that point to the object (FWObjectReference,
 *   FWServiceReference objects). Note that the reference itself is
 *   returned rather than the parent object the reference is a child of.
 *   This includes cases where object is a member of a user-defined
 *   group and when it is used in a rule element. In both cases reference
 *   is returned as part of the resset.
 *
 * - group objects which are parents of the object 'o'.
*/ void FWObjectDatabase::findWhereObjectIsUsed(FWObject *o, FWObject *p, std::set &resset) { searchId++; _findWhereObjectIsUsed(o, p, resset, searchId); } bool FWObjectDatabase::_findWhereObjectIsUsed(FWObject *o, FWObject *p, std::set &resset, int search_id) { bool res = false; if ( _isInIgnoreList(p)) return res; if (p->size()==0) return res; if (p->getInt(".search_id")==search_id) return p->getBool(".searchResult"); // set flags to break indefinite recursion in case we encounter circular groups p->setInt(".search_id", search_id); p->setBool(".searchResult", false); Interface *intf = Interface::cast(p); if (intf) { string netzone_id = intf->getStr("network_zone"); FWObject *netzone = findInIndex(FWObjectDatabase::getIntId(netzone_id)); if (netzone == o) { resset.insert(p); res = true; } } PolicyRule *rule = PolicyRule::cast(p); if (rule) { if (rule->getAction() == PolicyRule::Branch) { FWObject *ruleset = rule->getBranch(); if (o==ruleset) { resset.insert(p); res = true; } } if (rule->getTagging()) { FWObject *tagobj = rule->getTagObject(); if (o==tagobj) { resset.insert(p); res = true; } } } NATRule *nat_rule = NATRule::cast(p); if (nat_rule && nat_rule->getAction() == NATRule::Branch) { FWObject *ruleset = nat_rule->getBranch(); if (o==ruleset) { resset.insert(p); res = true; } } if (Firewall::isA(o) && Cluster::isA(p)) { if (Cluster::cast(p)->hasMember(Firewall::cast(o))) { resset.insert(p); res = true; } } FWObject::iterator i1 = p->begin(); for ( ; i1!=p->end(); ++i1) { FWReference *ref = FWReference::cast(*i1); if (ref!=NULL) { // child is a reference FWObject *g = ref->getPointer(); if (o->getId() == g->getId()) { resset.insert(*i1); res = true; } } else // child is a regular object, not a reference { if (o->getId() == (*i1)->getId()) { resset.insert(p); res = true; // still run search recursively, the same object could be // used in rules if it is a firewall } _findWhereObjectIsUsed(o, *i1, resset, search_id); } } p->setBool(".searchResult", res); return 
res; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWObjectDatabase_tree_ops.cpp000066400000000000000000000565111303637203600272330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/Host.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Group.h" #include "fwbuilder/Interface.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/ClusterGroup.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/FWIntervalReference.h" #include #include using namespace std; using namespace libfwbuilder; class FWObjectTreeScanner { FWObjectDatabase *treeRoot; map srcMap; map dstMap; FWObjectDatabase::ConflictResolutionPredicate *crp; bool defaultCrp; int reference_object_id_offset; void walkTree(map &m,FWObject *root); void addRecursively(FWObject *src); public: FWObjectTreeScanner(FWObject *r, FWObjectDatabase::ConflictResolutionPredicate *_crp=NULL) { reference_object_id_offset = 1000000; treeRoot=FWObjectDatabase::cast(r); defaultCrp=false; if (_crp==NULL) { crp=new 
FWObjectDatabase::ConflictResolutionPredicate(); defaultCrp=true; } else crp=_crp; } ~FWObjectTreeScanner() { if (defaultCrp) delete crp; } void scanAndAdd(FWObject *dst,FWObject *source); void merge( FWObject *dst,FWObject *source); }; /* * why does FWReference not have an 'id' attribute ? Marginal savings * in the size of the data file turns into a major headache in coding * things such as tree merge. * * Here, in effect, I am artifically adding IDs to references. */ void FWObjectTreeScanner::walkTree(map &m, FWObject *root) { if (root->haveId()) m[root->getId()]=root; if (FWReference::cast(root)!=NULL) { FWReference *r=FWReference::cast(root); // need to add reference to the map, but references do not have // their own Id. Create new id using id of the object reference // points to, plus some offset. // I can not just generate new uniq id because I need to be able // to find this object later, and for that its id must be predictable. m[reference_object_id_offset+r->getPointerId()]=root; } for (FWObject::iterator i=root->begin(); i!=root->end(); i++) { walkTree(m, *i); } } void FWObjectTreeScanner::addRecursively(FWObject *src) { if (src==NULL) return; if (treeRoot->getId()==src->getId()) return ; addRecursively(src->getParent()); if (dstMap[src->getId()]==NULL) { // last arg.==false : do not call method init() of the new object to // make sure it doesn't create its children FWObject *o1 = treeRoot->create(src->getTypeName(), -1, false); FWObject *pdst = dstMap[src->getParent()->getId()]; assert(pdst!=NULL); // no validation is necessary - this copies existing tree pdst->add(o1, false); if (src->size()==0) o1->shallowDuplicate(src, false); else { if (Firewall::isA(src) || Host::isA(src) || Interface::isA(src) ) o1->duplicate(src, false); else { /* copy system groups (folders) partially, but user's * groups should be copied as a whole. 
There is no * definite and simple * way to tell them apart, except * that user groups contain references * while system * groups contain objects. */ if (Group::cast(src)!=NULL && FWReference::cast(src->front())!=NULL) o1->duplicate(src, false); else o1->shallowDuplicate(src, false); } } walkTree( dstMap , o1 ); // there are children objects if we did a deep copy } } /* * scans tree treeRoot and finds references to missing objects. Tries * to add an object from 'source' by adding all missing objects * between it and a tree root. Method addRecusrively climbs up from * the objects that it needs to add to the root by doing recursive * calls to itself, then while it exist invokations it adds objects to * the tree. Since added objects are appended to the end of each level * of the tree, method scanAndAdd finds them later. For example, if * 'Standard' library was added because some standard object was * referenced but missing, this library will be found in the loop in * scanAndAdd even if it wasn't there when the loop started. This * ensures that this method will pull in any objects referenced from * objects it included, recursively. * */ void FWObjectTreeScanner::scanAndAdd(FWObject *dst,FWObject *source) { if (dst==NULL) { dst=treeRoot; walkTree(dstMap,treeRoot); walkTree(srcMap, source); } for (FWObject::iterator i=dst->begin(); i!=dst->end(); i++) { FWObject *o1=*i; if (FWReference::cast(o1)!=NULL) { int pid = FWReference::cast(o1)->getPointerId(); FWObject *o2 = dstMap[pid]; if (o2==NULL) { FWObject *osrc = srcMap[ pid ]; if (osrc==NULL) cerr << "Object with ID=" << pid << " (" << FWObjectDatabase::getStringId(pid) << ") " << " disappeared" << endl; else addRecursively( osrc); } } else scanAndAdd( o1 , source ); } // TODO: do the same for the objects referenced by // rule actions Branch and Tag - find those objects and add. 
// Wrap operations with network_zone in methods of class Interface, // setNetworkZone(FWObject*) getNetworkZone() // (Just like Rule::getBranch Rule::setBranch) // if (Interface::isA(dst)) { string sid = dst->getStr("network_zone"); if ( !sid.empty() ) { int pid = FWObjectDatabase::getIntId(sid); FWObject *o2 = dstMap[pid]; if (o2==NULL) { FWObject *osrc = srcMap[ pid ]; addRecursively( osrc); } } } } // #define DEBUG_MERGE 1 void FWObjectTreeScanner::merge(FWObject *dst, FWObject *src) { int dobjId = FWObjectDatabase::DELETED_OBJECTS_ID; if (dst==NULL) { /* dst == NULL on the first call to this function */ dst = treeRoot; walkTree(dstMap,treeRoot); walkTree(srcMap, src); /** * find deleted objects library in src and check if any object * from it is present in dst */ FWObjectDatabase *dstroot = dst->getRoot(); /* * find deleted objects library in dst and delete objects from * it if they are present and not deleted in src */ list deletedObjects; FWObject *dstdobj = dstroot->findInIndex( dobjId ); if (dstdobj) { for (FWObject::iterator i=dstdobj->begin(); i!=dstdobj->end(); i++) { FWObject *sobj = srcMap[ (*i)->getId() ]; if(sobj!=NULL && sobj->getParent()->getId()!=dobjId) deletedObjects.push_back(*i); } for (FWObject::iterator i=deletedObjects.begin(); i!=deletedObjects.end(); i++) { dstroot->recursivelyRemoveObjFromTree( *i ); dstMap[ (*i)->getId() ] = NULL; } } } for (FWObject::iterator i=src->begin(); i!=src->end(); i++) { /* * commented 12/04/04. We now delete "deleted objects" * from libraries we are merging in before calling * FWObjectDatabase::merge. Ignoring "Deleted objects" here * caused problems; in particular, deleted objects disappeared * from a data file whenever it was opened. This happened * because we merged user's data file into standard objects * tree, so user's file was _source_ here, and deleted objects * in it were ignored. 
*/ // if ((*i)->getId()==dobjId) continue; FWObject *dobj; FWObject *sobj; if (FWReference::cast( *i )) { FWReference *r=FWReference::cast(*i); dobj= dstMap[reference_object_id_offset + r->getPointerId()]; } else dobj= dstMap[ (*i)->getId() ]; if (dobj==NULL) { sobj = *i; FWObject *o1 = treeRoot->create( sobj->getTypeName()); FWObject *pdst = dstMap[ src->getId() ]; assert(pdst!=NULL); // no validation is necessary - this copies existing tree pdst->add(o1, false); #ifdef DEBUG_MERGE cerr << "--------------------------------" << endl; cerr << "merge: duplicate #1 " << endl; cerr << "dobj: " << endl; o1->dump(true,true); cerr << endl; cerr << "sobj: " << endl; sobj->dump(true,true); #endif o1->duplicate( sobj, false); // copy IDs as well #ifdef DEBUG_MERGE cerr << "duplicate #1 done" << endl; #endif /* there may be children objects since we did a deep copy */ walkTree( dstMap , o1 ); } else { /* need to compare objects, looking into attributes. This is different * from Compiler::operator== operators because fwcompiler assumes that * objects with the same ID are equal. Here we specifically look for a * case when objects with the same ID have different attributes. */ if (dobj->cmp(*i, true)) continue; // compare recursively /* such object exists in destination tree but is different Since we * traverse the tree from the root towards leaves, it won't help much * if we ask the user if they want to overwrite the old library or a * high-level system group only because a single object somewhere deep * down the tree is different. Need to traverse the tree further until * the actual object that differs is found. * * There still is a problem because we do want to ask the user if the * group we are looking at is user-defined as opposed to our standard * top level one. There is no reliable way to distinguish them though * because both are represented by the same class. 
We use simple hack: * all children of our system groups are regular objects, while * children of user-defined groups are always references. */ if (Group::cast(dobj)!=NULL) { // at one point I've got bunch of data files where // DeletedObjects library contained references for // some reason. This should not happen, but at the // same time this is valid file structure so the code // should be able to handle it. if (dobj->getId()==FWObjectDatabase::DELETED_OBJECTS_ID) merge( dobj , *i ); else { FWObject *firstChild=NULL; if (dobj->size()>0) firstChild= dobj->front(); else { if ( (*i)->size()>0 ) firstChild= (*i)->front(); } if (firstChild==NULL || FWReference::cast(firstChild)!=NULL) { if (crp!=NULL && crp->askUser( dobj, *i )) { #ifdef DEBUG_MERGE cerr << "--------------------------------" << endl; cerr << "merge: duplicate #2 " << endl; dobj->dump(true,true); cerr << endl; #endif dobj->duplicate( (*i), false ); } } else merge( dobj , *i ); } } else { if (crp!=NULL && crp->askUser( dobj, *i )) { #ifdef DEBUG_MERGE cerr << "--------------------------------" << endl; cerr << "merge: duplicate #3 " << endl; dobj->dump(true,true); cerr << endl; #endif dobj->duplicate( (*i), false ); } } } } } FWObjectDatabase* FWObjectDatabase::exportSubtree( const list &libs ) { FWObjectDatabase *ndb = new FWObjectDatabase(); ndb->busy = true; for (list::const_iterator i=libs.begin(); i!=libs.end(); i++) { FWObject *lib = *i; FWObject *nlib = ndb->create(lib->getTypeName()); // no validation is necessary - this copies existing tree ndb->add(nlib, false); *nlib = *lib; } FWObjectTreeScanner scanner(ndb); scanner.scanAndAdd(NULL, this); ndb->busy = false; return ndb; } FWObjectDatabase* FWObjectDatabase::exportSubtree( FWObject *lib ) { FWObjectDatabase *ndb = new FWObjectDatabase(); ndb->busy = true; FWObject *nlib = ndb->create(lib->getTypeName()); // no validation is necessary - this copies existing tree ndb->add(nlib, false); *nlib = *lib; FWObjectTreeScanner scanner(ndb); 
scanner.scanAndAdd(NULL, this); ndb->busy = false; return ndb; } /** * check if source and destination files have objects with the * same ID. To do this, compare keys in obj_index in this and * ndb. */ void FWObjectDatabase::findDuplicateIds(FWObjectDatabase *ndb, set &dupids) { FWObjectDatabase *db1; FWObjectDatabase *db2; if (obj_index.size() > ndb->obj_index.size()) { db1 = ndb; db2 = this; } else { db2 = ndb; db1 = this; } for (map::iterator it=db1->obj_index.begin(); it!=db1->obj_index.end(); ++it) { int id = it->first; if (db2->obj_index.count(id) != 0) { // skip standard IDs if (id <= DELETED_OBJECTS_ID) continue; FWObject *obj = db1->findInIndex(id); assert(obj); if (obj->getLibrary()->getId() == STANDARD_LIB_ID || obj->getLibrary()->getId() == DELETED_OBJECTS_ID) continue; dupids.insert(id); } } } void FWObjectDatabase::merge( FWObjectDatabase *ndb, ConflictResolutionPredicate *crp) { busy = true; setIgnoreReadOnlyFlag(true); FWObjectTreeScanner scanner(this, crp); scanner.merge(NULL, ndb); setIgnoreReadOnlyFlag(false); busy = false; } /** * Copy object and all its children, recursively, into * object tree starting from . is a parent of the copy * of that will be created. * Store ID mapping in (as a dictionary old_id -> new_id) */ FWObject* FWObjectDatabase::recursivelyCopySubtree(FWObject *target, FWObject *source, std::map &id_map) { char s[64]; snprintf(s, sizeof(s), ".copy_of_%p", source->getRoot()); string dedup_attribute = s; FWObject *nobj = _recursively_copy_subtree(target, source, id_map, dedup_attribute); fixReferences(nobj, id_map); // one more pass to fix references in other firewalls and groups // we might have copied. 
for (map::const_iterator i=id_map.begin(); i!=id_map.end(); ++i) { int new_id = i->second; // new id FWObject *new_obj = findInIndex(new_id); if (Firewall::cast(new_obj) || Group::cast(new_obj)) fixReferences(new_obj, id_map); } return nobj; } /* * fix references in children of obj according to the map_ids which * maps old IDs to the new ones. Return the number of fixed references. */ int FWObjectDatabase::fixReferences(FWObject *obj, const map &map_ids) { int total_counter = 0; for (map::const_iterator it=map_ids.begin(); it!=map_ids.end(); ++it) total_counter += obj->replaceRef(it->first, it->second); return total_counter; } FWObject* FWObjectDatabase::_recursively_copy_subtree( FWObject *target, FWObject *source, std::map &id_map, const string &dedup_attribute) { target->checkReadOnly(); // TODO: get rid of references in attributes, they suck. ticket #1004 if (Interface::cast(source)) { int nzid = FWObjectDatabase::getIntId(source->getStr("network_zone")); // check if we have seen old_ptr_obj already. 
if (nzid!= 0 && id_map.count(nzid) == 0 && findInIndex(nzid)==NULL) { FWObject *netzone = source->getRoot()->findInIndex(nzid); if (netzone) _copy_foreign_obj_aux(target, netzone, id_map, dedup_attribute); } } if (ClusterGroup::cast(source)) { int miface_id = FWObjectDatabase::getIntId(source->getStr("master_iface")); FWObject *miface = source->getRoot()->findInIndex(miface_id); if (miface) _copy_foreign_obj_aux(target, miface, id_map, dedup_attribute); } FWObject *nobj = create(source->getTypeName()); nobj->clearChildren(); nobj->shallowDuplicate(source, true); id_map[source->getId()] = nobj->getId(); nobj->setInt(dedup_attribute, source->getId()); // no validation is necessary - this copies existing tree target->add(nobj, false); // copy interfaces and options objects before rule sets for(list::iterator m=source->begin(); m!=source->end(); ++m) { FWObject *old_obj = *m; if (RuleSet::cast(old_obj)!=NULL) continue; if (FWReference::cast(old_obj)!=NULL) continue; _recursively_copy_subtree(nobj, old_obj, id_map, dedup_attribute); } for(list::iterator m=source->begin(); m!=source->end(); ++m) { FWObject *old_obj = *m; if (id_map.count(old_obj->getId()) > 0) continue; if (FWReference::cast(old_obj)) { FWReference *old_ref_obj = FWReference::cast(old_obj); FWObject *old_ptr_obj = old_ref_obj->getPointer(); FWObject *n_ptr_obj = NULL; // check if we have seen old_ptr_obj already. if (id_map.count(old_ptr_obj->getId()) > 0) { n_ptr_obj = findInIndex(id_map[old_ptr_obj->getId()]); nobj->addRef(n_ptr_obj); continue; } // search for old_ptr_obj in the index. If it is found, we do not // need to copy it and its ID is valid (perhaps standard object?) 
n_ptr_obj = findInIndex(old_ptr_obj->getId()); if (n_ptr_obj != NULL) { nobj->addRef(n_ptr_obj); continue; } // Check if we have already copied the same object before char s[64]; snprintf(s, sizeof(s), "%d", old_ptr_obj->getId()); n_ptr_obj = findObjectByAttribute(dedup_attribute, s); if (n_ptr_obj) { nobj->addRef(n_ptr_obj); continue; } // Need to create a copy of old_ptr_obj and put it in the // same place in the tree. // Problem: what if old_ptr_obj is interface or an address of // interface or a rule etc ? Check isPrimaryObject(). // _copy_foreign_obj_aux(nobj, old_ptr_obj, id_map, dedup_attribute); } else _recursively_copy_subtree(nobj, old_obj, id_map, dedup_attribute); } return nobj; } void FWObjectDatabase::_copy_foreign_obj_aux( FWObject *target, FWObject *source, map &id_map, const std::string &dedup_attribute) { FWObject *parent_obj = source; while (parent_obj && !parent_obj->isPrimaryObject()) parent_obj = parent_obj->getParent(); // check if this parent (which is a primary object) is // unknown. If it is known or exist in our tree, no need // to create a copy. if (parent_obj && id_map.count(parent_obj->getId()) == 0 && !Library::isA(parent_obj)) { FWObject *new_parent = reproduceRelativePath( target->getLibrary(), parent_obj); // (parent_obj at this point is either pointer // to the same obj or pointer to its parent // object that we can copy as a whole. The latter // happens if obj is an interface or address // of an interface. new_parent = _recursively_copy_subtree(new_parent, parent_obj, id_map, dedup_attribute); // we just copied old object to the target data tree. // Copy of obj is either new_parent, or one of its // children. In the process of making this copy, // its ID should have been added to id_map. assert(id_map.count(source->getId()) > 0); FWObject *n_ptr_obj = new_parent->getById(id_map[source->getId()], true); target->addRef(n_ptr_obj); } } /** * Create groups to reproduce path inside given library. 
If groups * with required names exist, do nothing. Return pointer to the * last object created to copy the path. Do not copy object. * This means returned object can be a parent for the copy of . */ FWObject* FWObjectDatabase::reproduceRelativePath(FWObject *lib, const FWObject *source) { list path; FWObject *p = source->getParent(); while (p && !Library::isA(p)) { path.push_front(p); p = p->getParent(); } FWObject *target = lib; FWObject *nobj; for (list::iterator p=path.begin(); p!=path.end(); ++p) { FWObject *obj = *p; nobj = target->findObjectByName(obj->getTypeName(), obj->getName()); if (nobj==NULL) { nobj = create(obj->getTypeName()); nobj->shallowDuplicate(obj, false); // no validation is necessary - this copies existing tree target->add(nobj, false); } target = nobj; } return target; } FWObject& FWObjectDatabase::duplicate(const FWObject *obj, bool preserve_id) throw(FWException) { setIgnoreReadOnlyFlag(true); FWObject &o = FWObject::duplicate(obj, preserve_id); setIgnoreReadOnlyFlag(false); return o; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWObjectReference.cpp000066400000000000000000000030241303637203600255140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; const char *FWObjectReference::TYPENAME={"ObjectRef"}; //FWObjectReference::FWObjectReference(FWObject *p):FWReference(p) //{ //} FWObjectReference::FWObjectReference():FWReference() { } void FWObjectReference::setPointer(FWObject *p) { //TODO: add check if it is right type. FWReference::setPointer(p); } void FWObjectReference::setPointer(ObjectGroup *p) { //TODO: add check if it is right type. FWReference::setPointer(p); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWObjectReference.h000066400000000000000000000025051303637203600251640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWOBJECTREF_HH_FLAG__ #define __FWOBJECTREF_HH_FLAG__ #include "fwbuilder/FWReference.h" namespace libfwbuilder { class ObjectGroup; /** * This class represents object reference. 
*/ class FWObjectReference : public FWReference { public: DECLARE_FWOBJECT_SUBTYPE(FWObjectReference); DECLARE_DISPATCH_METHODS(FWObjectReference); FWObjectReference(); void setPointer(FWObject *o); void setPointer(ObjectGroup *o); }; } #endif // _FWOBJECT_HH fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWOptions.cpp000066400000000000000000000070411303637203600241250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Firewall.h" #include using namespace std; using namespace libfwbuilder; const char *FWOptions::TYPENAME={"FWOptions"}; FWOptions::FWOptions() { remStr("comment"); remStr("name" ); remStr("id" ); } void FWOptions::fromXML(xmlNodePtr root) throw(FWException) { const char *n; const char *cont; for (xmlNodePtr cur = root->xmlChildrenNode; cur; cur = cur->next) { if (cur && !xmlIsBlankNode(cur)) { n = FROMXMLCAST(xmlGetProp(cur,TOXMLCAST("name"))); assert(n!=NULL); cont = FROMXMLCAST( xmlNodeGetContent(cur) ); if (cont) { setStr(n, cont ); FREEXMLBUFF(cont); } FREEXMLBUFF(n); } } } xmlNodePtr FWOptions::toXML(xmlNodePtr root) throw(FWException) { xmlNodePtr opt; xmlNodePtr me = xmlNewChild( root, NULL, xml_name.empty() ? 
STRTOXMLCAST(getTypeName()) : STRTOXMLCAST(xml_name), NULL); for(map::const_iterator i=data.begin(); i!=data.end(); ++i) { const string &name = (*i).first; const string &value = (*i).second; if (name[0]=='.') continue; xmlChar *valbuf = xmlEncodeSpecialChars(root->doc, STRTOXMLCAST(value) ); // xmlChar *valbuf = xmlEncodeEntitiesReentrant(root->doc, // STRTOXMLCAST(value) ); opt = xmlNewChild(me, NULL, TOXMLCAST("Option"), valbuf); FREEXMLBUFF(valbuf); xmlNewProp(opt, TOXMLCAST("name") , STRTOXMLCAST(name)); } return me; } const char *HostOptions::TYPENAME ={"HostOptions"}; HostOptions::HostOptions() : FWOptions() {} const char *FirewallOptions::TYPENAME ={"FirewallOptions"}; FirewallOptions::FirewallOptions() : FWOptions() {} const char *InterfaceOptions::TYPENAME ={"InterfaceOptions"}; InterfaceOptions::InterfaceOptions() : FWOptions() {} const char *RuleSetOptions::TYPENAME={"RuleSetOptions"}; RuleSetOptions::RuleSetOptions() : FWOptions() {} const char *PolicyRuleOptions::TYPENAME={"PolicyRuleOptions"}; PolicyRuleOptions::PolicyRuleOptions() : FWOptions() {} const char *NATRuleOptions::TYPENAME={"NATRuleOptions"}; NATRuleOptions::NATRuleOptions() : FWOptions() {} const char *RoutingRuleOptions::TYPENAME={"RoutingRuleOptions"}; RoutingRuleOptions::RoutingRuleOptions() : FWOptions() {} const char *ClusterGroupOptions::TYPENAME={"ClusterGroupOptions"}; ClusterGroupOptions::ClusterGroupOptions() : FWOptions() {} fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWOptions.h000066400000000000000000000054221303637203600235730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWOPTINS_HH_FLAG__ #define __FWOPTINS_HH_FLAG__ #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWObject.h" namespace libfwbuilder { class FWOptions : public FWObject { public: FWOptions(); DECLARE_FWOBJECT_SUBTYPE(FWOptions); DECLARE_DISPATCH_METHODS(FWOptions); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } }; class HostOptions : public FWOptions { public: HostOptions(); DECLARE_FWOBJECT_SUBTYPE(HostOptions); DECLARE_DISPATCH_METHODS(HostOptions); }; class FirewallOptions : public FWOptions { public: FirewallOptions(); DECLARE_FWOBJECT_SUBTYPE(FirewallOptions); DECLARE_DISPATCH_METHODS(FirewallOptions); }; class InterfaceOptions : public FWOptions { public: InterfaceOptions(); DECLARE_FWOBJECT_SUBTYPE(InterfaceOptions); DECLARE_DISPATCH_METHODS(InterfaceOptions); }; class RuleSetOptions : public FWOptions { public: RuleSetOptions(); DECLARE_FWOBJECT_SUBTYPE(RuleSetOptions); DECLARE_DISPATCH_METHODS(RuleSetOptions); }; class PolicyRuleOptions : public FWOptions { public: PolicyRuleOptions(); DECLARE_FWOBJECT_SUBTYPE(PolicyRuleOptions); DECLARE_DISPATCH_METHODS(PolicyRuleOptions); }; class NATRuleOptions : public FWOptions { public: NATRuleOptions(); DECLARE_FWOBJECT_SUBTYPE(NATRuleOptions); DECLARE_DISPATCH_METHODS(NATRuleOptions); }; class RoutingRuleOptions : public FWOptions { public: RoutingRuleOptions(); DECLARE_FWOBJECT_SUBTYPE(RoutingRuleOptions); DECLARE_DISPATCH_METHODS(RoutingRuleOptions); }; class ClusterGroupOptions : public 
FWOptions { public: ClusterGroupOptions(); DECLARE_FWOBJECT_SUBTYPE(ClusterGroupOptions); DECLARE_DISPATCH_METHODS(ClusterGroupOptions); }; } #endif // __FWOPTINS_HH_FLAG fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWReference.cpp000066400000000000000000000107071303637203600243730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include using namespace libfwbuilder; using namespace std; const char *FWReference::TYPENAME={"Ref"}; /* FWReference::FWReference(FWObject *p) { setPointer(p); } */ FWReference::FWReference() { setPointer(NULL); } FWReference::~FWReference() {} void FWReference::fromXML(xmlNodePtr root) throw(FWException) { assert(root!=NULL); FWObject::fromXML(root); const char *n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("ref"))); assert(n!=NULL); str_ref = n; //setInt("ref", n); // if object with id str_ref has not been loaded yet, // FWObjectDatabase::getIntId returns -1. 
int_ref = FWObjectDatabase::getIntId(str_ref); FREEXMLBUFF(n); } // Note that XML elements represented by FWReference have only one // attribute "ref" and no value xmlNodePtr FWReference::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = xmlNewChild( parent, NULL, xml_name.empty() ? STRTOXMLCAST(getTypeName()) : STRTOXMLCAST(xml_name), NULL); if (int_ref == -1 && !str_ref.empty()) int_ref = FWObjectDatabase::getIntId(str_ref); str_ref = FWObjectDatabase::getStringId(int_ref); xmlNewProp(me, TOXMLCAST("ref"), STRTOXMLCAST(str_ref)); //xmlAddRef(NULL, parent->doc, STRTOXMLCAST(str_ref), pr); return me; } FWObject& FWReference::shallowDuplicate(const FWObject *_other, bool) throw(FWException) { const FWReference *other = FWReference::constcast(_other); int_ref = other->int_ref; str_ref = other->str_ref; return *this; } bool FWReference::cmp(const FWObject *obj, bool /* UNUSED recursive */) throw(FWException) { const FWReference *rx = FWReference::constcast(obj); if (rx == NULL) return false; if (int_ref != rx->int_ref || str_ref != rx->str_ref) return false; return true; } void FWReference::add(FWObject*,bool validate) { (void) validate; // Unused throw std::string("Can't add to a reference !"); } void FWReference::setPointer(FWObject *p) { if(p) setPointerId(p->getId()); else { int_ref = -1; str_ref = ""; } } void FWReference::setPointerId(int ref_id) { //setInt("ref" , ref_id ); int_ref = ref_id; // if object with id ref_id has not been loaded into database // yet, FWObjectDatabase::getStringId returns empty string. // This works as postponed initialization. // We really need string id only in toXML. 
str_ref = FWObjectDatabase::getStringId(int_ref); } FWObject *FWReference::getPointer() { return getRoot()->findInIndex( getPointerId() ); } int FWReference::getPointerId() { // postponed initialization happens now if (int_ref==-1 && !str_ref.empty()) int_ref = FWObjectDatabase::getIntId(str_ref); return int_ref; //return getInt("ref"); } void FWReference::dump(std::ostream &f, bool recursive, bool brief, int offset) const { FWObject::dump(f, recursive, brief, offset); FWObject* ptr = getRoot()->findInIndex(int_ref); f << string(offset,' ') << "PointerId: " << int_ref << endl; f << string(offset,' ') << "Pointer: " << ptr << endl; if (ptr) { f << string(offset,' ') << "Ptr.name: " << ptr->getName() <getId() <getPointer(); return o; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWReference.h000066400000000000000000000050231303637203600240330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWREF_HH_FLAG__ #define __FWREF_HH_FLAG__ #include "fwbuilder/FWObject.h" namespace libfwbuilder { /** * This class represents reference reference. 
*/ class FWReference : public FWObject { private: std::string str_ref; int int_ref; protected: FWReference(); public: DECLARE_FWOBJECT_SUBTYPE(FWReference); DECLARE_DISPATCH_METHODS(FWReference); virtual ~FWReference(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual FWObject& shallowDuplicate( const FWObject *obj, bool preserve_id = true) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); virtual void add(FWObject *obj,bool validate=true); virtual FWObject *getPointer(); virtual int getPointerId(); void setPointer(FWObject *o); void setPointerId(int ref_id); virtual void dump(std::ostream &f,bool recursive,bool brief,int offset=0) const; virtual bool isPrimaryObject() const { return false; } /** * If obj is FWReference object, return pointer to the object this * reference points to. Otherwise return obj. This is a typical * operation repeated in many places where we loop over children * of some object. */ static FWObject* getObject(FWObject* obj); /** * Unlike getPointerId(), this method does not use cache when * returns reference ID. This is faster and makes it possible to * be const method but late initialization does not work when it * is used. */ int getPointerIdDirect() const { return int_ref; } }; } #endif // _FWREF_HH fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWServiceReference.cpp000066400000000000000000000030521303637203600257070ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Service.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; const char *FWServiceReference::TYPENAME={"ServiceRef"}; FWServiceReference::FWServiceReference():FWReference(){} //FWServiceReference::FWServiceReference(Service *p):FWReference(p){} //FWServiceReference::FWServiceReference(ServiceGroup *p):FWReference(p){} void FWServiceReference::setPointer(Service *p) { FWReference::setPointer(p); } void FWServiceReference::setPointer(ServiceGroup *p) { FWReference::setPointer(p); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FWServiceReference.h000066400000000000000000000025651303637203600253640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWSRVREF_HH_FLAG__ #define __FWSRVREF_HH_FLAG__ #include "fwbuilder/FWReference.h" namespace libfwbuilder { class Service; class ServiceGroup; /** * This class represents object reference. */ class FWServiceReference : public FWReference { public: DECLARE_FWOBJECT_SUBTYPE(FWServiceReference); DECLARE_DISPATCH_METHODS(FWServiceReference); FWServiceReference(); void setPointer(Service *o); void setPointer(ServiceGroup *o); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FailoverClusterGroup.cpp000066400000000000000000000030201303637203600263540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/FWOptions.h" using namespace std; using namespace libfwbuilder; const char *FailoverClusterGroup::TYPENAME = {"FailoverClusterGroup"}; FailoverClusterGroup::FailoverClusterGroup() : ClusterGroup() { setStr("type", ""); } void FailoverClusterGroup::fromXML(xmlNodePtr parent) throw(FWException) { ClusterGroup::fromXML(parent); // Read additional attributes here } xmlNodePtr FailoverClusterGroup::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = ClusterGroup::toXML(parent); // Save additional attributes here return me; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/FailoverClusterGroup.h000066400000000000000000000026421303637203600260320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FAILOVERCLUSTERGROUP_HH_ #define __FAILOVERCLUSTERGROUP_HH_ #include "fwbuilder/ClusterGroup.h" namespace libfwbuilder { class FailoverClusterGroup : public ClusterGroup { public: FailoverClusterGroup(); virtual ~FailoverClusterGroup() {}; DECLARE_FWOBJECT_SUBTYPE(FailoverClusterGroup); DECLARE_DISPATCH_METHODS(FailoverClusterGroup); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); }; } #endif /* __CLUSTERGROUP_HH_ */ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Firewall.cpp000066400000000000000000000264551303637203600240140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Routing.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/XMLTools.h" #include #include using namespace std; using namespace libfwbuilder; const char *Firewall::TYPENAME={"Firewall"}; Firewall::Firewall() { setStr("platform","unknown"); setStr("host_OS" ,"unknown"); setInt("lastModified" ,0); setInt("lastInstalled" ,0); setInt("lastCompiled" ,0); } void Firewall::init(FWObjectDatabase *root) { FWObject *opt = getFirstByType(FirewallOptions::TYPENAME); if (opt == NULL) { add( root->createFirewallOptions() ); RuleSet *p; p = root->createPolicy(); p->setTop(true); add(p); p = root->createNAT(); p->setTop(true); add(p); p = root->createRouting(); p->setTop(true); add(p); } } Firewall::~Firewall() {} void Firewall::fromXML(xmlNodePtr root) throw(FWException) { const char *n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("platform"))); assert(n!=NULL); setStr("platform", n); FREEXMLBUFF(n); n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("version"))); if (n!=NULL) { setStr("version", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("host_OS"))); if (n!=NULL) { setStr("host_OS", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("lastModified"))); if(n!=NULL) { setStr("lastModified", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("lastInstalled"))); if(n!=NULL) { setStr("lastInstalled", 
n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("lastCompiled"))); if(n!=NULL) { setStr("lastCompiled", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("inactive"))); if(n!=NULL) { setStr("inactive", n); FREEXMLBUFF(n); } Host::fromXML(root); } xmlNodePtr Firewall::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); FWObject *o; for (FWObjectTypedChildIterator it = findByType(NAT::TYPENAME); it != it.end(); ++it) { o = *it; if (o) o->toXML(me); } for (FWObjectTypedChildIterator it = findByType(Policy::TYPENAME); it != it.end(); ++it) { o = *it; if (o) o->toXML(me); } for (FWObjectTypedChildIterator it = findByType(Routing::TYPENAME); it != it.end(); ++it) { o = *it; if (o) o->toXML(me); } for(FWObjectTypedChildIterator it = findByType(Interface::TYPENAME); it != it.end(); ++it) { o = *it; if (o) o->toXML(me); } o=getFirstByType( Management::TYPENAME ); if(o) o->toXML(me); o=getFirstByType( FirewallOptions::TYPENAME ); if (o) o->toXML(me); return me; } FWOptions* Firewall::getOptionsObject() { return FWOptions::cast( getFirstByType(FirewallOptions::TYPENAME) ); } Policy* Firewall::getPolicy() { return(Policy::cast(findObjectByName(Policy::TYPENAME, "Policy"))); } NAT* Firewall::getNAT() { return(NAT::cast(findObjectByName(NAT::TYPENAME, "NAT"))); } Routing* Firewall::getRouting() { return(Routing::cast(findObjectByName(Routing::TYPENAME, "Routing"))); } bool Firewall::validateChild(FWObject *o) { string otype=o->getTypeName(); if (Routing::isA(o)) { // there can be only one list routing_objects = getByType(Routing::TYPENAME); if (routing_objects.size() > 0) return false; } return (FWObject::validateChild(o) && (otype==Interface::TYPENAME || otype==RuleSet::TYPENAME || otype==Policy::TYPENAME || 
otype==NAT::TYPENAME || otype==Routing::TYPENAME || otype==Management::TYPENAME || otype==FirewallOptions::TYPENAME )); } void Firewall::duplicateInterfaces(FWObject *target, const FWObject *source, map &id_mapping, bool preserve_id) { for (FWObjectTypedChildIterator m = source->findByType(Interface::TYPENAME); m!=m.end(); ++m ) { FWObject *src_interface = *m; FWObject *dst_interface_copy = target->addCopyOf(src_interface, preserve_id); id_mapping[src_interface->getId()] = dst_interface_copy->getId(); Interface::cast(dst_interface_copy)->duplicateWithIdMapping( src_interface, id_mapping, preserve_id); #if 0 if (Firewall::cast(target)) { /* * duplicate FailoverClusterGroup object of all interfaces * this is actually used for Cluster object only atm. * * Do this only if @target is Firewall or Cluster, do not do * this if @target is an interface because in the latter case * this function copies subinterfaces and those don't have * failover group child objects. */ for (FWObjectTypedChildIterator k = src_interface->findByType(FailoverClusterGroup::TYPENAME); k!=k.end(); ++k ) { FWObject *src_subinterface = *k; FWObject *dst_subinterface_copy = dst_interface_copy->addCopyOf(src_subinterface, preserve_id); if (src_subinterface!=NULL && dst_subinterface_copy!=NULL) id_mapping[src_subinterface->getId()] = dst_subinterface_copy->getId(); } duplicateInterfaces(dst_interface_copy, src_interface, id_mapping, preserve_id); } #endif } } FWObject& Firewall::duplicate(const FWObject *obj, bool preserve_id) throw(FWException) { string err="Error creating object with type: "; checkReadOnly(); bool xro = obj->getRO(); //shallowDuplicate(obj, preserve_id); FWObject::shallowDuplicate(obj, preserve_id); setReadOnly(false); destroyChildren(); id_mapping_for_duplicate.clear(); duplicateInterfaces(this, obj, id_mapping_for_duplicate, preserve_id); for (FWObjectTypedChildIterator it = obj->findByType(Policy::TYPENAME); it != it.end(); ++it) { FWObject *new_ruleset = addCopyOf(*it, 
preserve_id); id_mapping_for_duplicate[(*it)->getId()] = new_ruleset->getId(); } for (FWObjectTypedChildIterator it = obj->findByType(NAT::TYPENAME); it != it.end(); ++it) { FWObject *new_ruleset = addCopyOf(*it, preserve_id); id_mapping_for_duplicate[(*it)->getId()] = new_ruleset->getId(); } for (FWObjectTypedChildIterator it = obj->findByType(Routing::TYPENAME); it != it.end(); ++it) { FWObject *new_ruleset = addCopyOf(*it, preserve_id); id_mapping_for_duplicate[(*it)->getId()] = new_ruleset->getId(); } // replace references to old fw (obj) with references to this fw id_mapping_for_duplicate[obj->getId()] = getId(); FWObject *o=obj->getFirstByType( Management::TYPENAME ); addCopyOf(o,preserve_id); o=obj->getFirstByType( FirewallOptions::TYPENAME ); addCopyOf(o,preserve_id); // replace references to old objects in rules map::iterator it; for (it=id_mapping_for_duplicate.begin(); it!=id_mapping_for_duplicate.end(); ++it) { int old_id = it->first; int new_id = it->second; replaceRef(old_id, new_id); } setDirty(true); if (xro) setReadOnly(true); return *this; } FWObject& Firewall::duplicateForUndo(const FWObject *obj) throw(FWException) { setRO(false); FWObject *their_mgmt = obj->getFirstByType(Management::TYPENAME); if (their_mgmt) { FWObject *my_mgmt = getManagementObject(); if (my_mgmt) my_mgmt->duplicate(their_mgmt); } FWObject::duplicateForUndo(obj); return *this; } void Firewall::updateLastInstalledTimestamp() { setInt("lastInstalled",time(NULL)); } void Firewall::updateLastModifiedTimestamp() { setInt("lastModified",time(NULL)); } bool Firewall::needsInstall() { if (getLastInstalled()==0 || getLastCompiled()==0) return true; return !(getLastModified()<=getLastCompiled() && getLastCompiled()<=getLastInstalled()); } bool Firewall::needsCompile() { return getLastModified()>getLastCompiled() || getLastCompiled()==0; } time_t Firewall::getLastModified() { return getInt("lastModified"); } time_t Firewall::getLastInstalled() { return getInt("lastInstalled"); } time_t 
Firewall::getLastCompiled() { return getInt("lastCompiled"); } void Firewall::updateLastCompiledTimestamp() { setInt("lastCompiled",time(NULL)); } bool Firewall::getInactive() { return getBool("inactive"); } void Firewall::setInactive(bool b) { setBool("inactive",b); } /* * There are only two levels of interfaces, i.e. a top-level interface can only * have a subinterface. Subinterfaces can not have further subinterfaces. */ list Firewall::getInterfacesByType(const string &iface_type) { list res; for (FWObjectTypedChildIterator it = findByType(Interface::TYPENAME); it != it.end(); ++it) { Interface *iface = Interface::cast(*it); if (iface->getOptionsObject()->getStr("type") == iface_type) res.push_back(iface); for (FWObjectTypedChildIterator subit = iface->findByType(Interface::TYPENAME); subit != subit.end(); ++subit) { Interface *subiface = Interface::cast(*subit); if (subiface->getOptionsObject()->getStr("type") == iface_type) res.push_back(subiface); } } return res; } void Firewall::assignUniqueRuleIds() { std::for_each(begin(), end(), RuleSet::UniqueRuleIdsSetter()); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Firewall.h000066400000000000000000000076511303637203600234560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FIREWALL_HH_FLAG__ #define __FIREWALL_HH_FLAG__ #include "fwbuilder/Host.h" #include // for time_t #include #include namespace libfwbuilder { class Interface; class Policy; class NAT; class RuleSet; class Routing; class Firewall : public Host { std::map id_mapping_for_duplicate; void duplicateInterfaces(FWObject *target, const FWObject *source, std::map &id_mapping, bool preserve_id = true); public: Firewall(); virtual ~Firewall(); /** * This method should create any standard mandatory child objects * the object might need. */ virtual void init(FWObjectDatabase *root); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML (xmlNodePtr parent) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(Firewall); DECLARE_DISPATCH_METHODS(Firewall); /** * verify whether given object type is approppriate as a child */ virtual bool validateChild(FWObject *o); virtual FWOptions* getOptionsObject(); /** * This method copies content of object 'x' in the object 'this'. * Depending on 'preserve_id' flag, Id's are either copied or new * ones are issued. Unlike FWObject::duplicate, this method also * replaces references to the old firewall in all policy and NAT * rules with references to 'this' */ virtual FWObject& duplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); /** * This method copies all attributes of obj into this, plus * FWOptions and Management child objects but no other * children. */ virtual FWObject& duplicateForUndo(const FWObject *obj) throw(FWException); /* * Return id mapping table created during latest run of duplicate() */ const std::map& getIDMappingTable() { return id_mapping_for_duplicate; } Policy *getPolicy(); NAT *getNAT(); Routing *getRouting(); /** * scan all rules of all rule sets and call setUniqueId() to set * unique string id for each rule. 
These IDs will be carried * through calls to duplicate() when firewall object and its rule * sets are cloned. These IDs are used by compilers to generate * stable labels for chains and such. */ void assignUniqueRuleIds(); /** * Return list of interfaces of given type. This walks all interfaces recursively, * including subinterfaces. */ std::list getInterfacesByType(const std::string &iface_type); time_t getLastModified(); time_t getLastInstalled(); time_t getLastCompiled(); void updateLastInstalledTimestamp(); void updateLastModifiedTimestamp(); void updateLastCompiledTimestamp(); bool needsInstall(); bool needsCompile(); bool getInactive(); void setInactive(bool b); }; } #endif //__FIREWALL_HH_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Group.cpp000066400000000000000000000065661303637203600233440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Group.h" #include "fwbuilder/XMLTools.h" #include using namespace libfwbuilder; using namespace std; const char *Group::TYPENAME={"Group"}; /* * Group should inherit a list of allowed types from its parent upon creation */ Group::Group() {} Group::~Group() { } bool Group::validateChild(FWObject *o) { return FWObject::validateChild(o); } int Group::getSize() { return getChildrenCount(); } bool Group::hasMember(FWObject *o) { // unlike FWObject::hasChild(), Group::hasMember() also checks references int o_id = o->getId(); for (list::iterator it=begin(); it!=end(); ++it) { if (FWReference::cast(*it)) { if (FWReference::cast(*it)->getPointerId() == o_id) return true; } else { if ((*it)->getId() == o_id) return true; } } return false; } /* * if this is user-defined group, it holds references to objects and * we need to copy it with all these child objects to accurately * reproduce its state for undo. If this is system group, we only copy * this object and its attributes. However we should never really need * to execute undo/redo for system groups anyway. * * Important assumption: groups never have a mix of references and * actual objects, it is either one or another. We can check the kind * of the group by looking at the first child object. * * Caveat: This breaks FWObject::tree_iterator which is used in long * operations that walk the whole tree so the iterator holds the state * that is broken when objects are added or removed from groups in the * middle of iteration. 
*/ FWObject& Group::duplicateForUndo(const FWObject *obj) throw(FWException) { setRO(false); if ((obj->size() && FWReference::cast(obj->front())!=NULL) || (this->size() && FWReference::cast(this->front())!=NULL)) { destroyChildren(); for(list::const_iterator m=obj->begin(); m!=obj->end(); ++m) { if (FWReference::cast(*m)) { FWObject *object = FWReference::getObject(*m); addRef(object); } } } FWObject::duplicateForUndo(obj); return *this; } /* * this is virtual function. Overloaded functions in derived classes * return some meaningful list of types. */ void Group::getAllowedTypesOfChildren(std::list&) { } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Group.h000066400000000000000000000043261303637203600230010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __GROUP_HH_FLAG__ #define __GROUP_HH_FLAG__ #include #include #include #include #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectReference.h" namespace libfwbuilder { class Group : virtual public FWObject { protected: public: Group(); virtual ~Group(); DECLARE_FWOBJECT_SUBTYPE(Group); DECLARE_DISPATCH_METHODS(Group); bool hasMember(FWObject *o); /* * verify whether given object type is approppriate as a child */ virtual bool validateChild(FWObject *o); virtual bool isPrimaryObject() const { return true; } int getSize(); /** * This method copies all attributes of obj plus all reference * child objects to reproduce accurate state of this. In fact, it * simply calls duplicate() if this is user-defined group. For system * grops that hold actual objects, it calls shallowDuplicate() */ virtual FWObject& duplicateForUndo(const FWObject *obj) throw(FWException); /** * get the list of object type names that can be inserted into * given object group. For example, if the group is ObjectGroup, * then the list will include all objects but not services. This * reflects definition of the group XML element in DTD. */ virtual void getAllowedTypesOfChildren(std::list &types_list); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Host.cpp000066400000000000000000000110061303637203600231460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Host.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/XMLTools.h" using namespace std; using namespace libfwbuilder; const char *Host::TYPENAME={"Host"}; Host::Host() { } void Host::init(FWObjectDatabase *root) { FWObject *opt = getFirstByType(HostOptions::TYPENAME); if (opt == NULL) add( root->createHostOptions() ); } Host::~Host() {} void Host::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); } xmlNodePtr Host::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? 
"True" : "False"))); FWObject *o; for(FWObjectTypedChildIterator j=findByType(Interface::TYPENAME); j!=j.end(); ++j) if((o=(*j))!=NULL ) o->toXML(me); o=getFirstByType( Management::TYPENAME ); if (o) o->toXML(me); o=getFirstByType( HostOptions::TYPENAME ); if (o) o->toXML(me); return me; } bool Host::validateChild(FWObject *o) { string otype=o->getTypeName(); return (FWObject::validateChild(o) && (otype==Interface::TYPENAME || otype==Management::TYPENAME || otype==HostOptions::TYPENAME) ); } /* * TODO: Implement syntax checks for interfaces * */ bool Host::Appropriate(Interface*) { return true; } void Host::addInterface(Interface *i) { add(i); } void Host::removeInterface(Interface *i) { remove(i); } FWOptions* Host::getOptionsObject() { return FWOptions::cast( getFirstByType(HostOptions::TYPENAME) ); } Management *Host::getManagementObject() { Management *res = dynamic_cast( getFirstByType(Management::TYPENAME)); if(!res) add( res = getRoot()->createManagement() ); // add(res = new Management()); return res; } /** * returns address from management interface. If there is no * management interface or no address to be found, returns NULL. * May throw exception if interface has invalid address. 
*/ const InetAddr* Host::getManagementAddress() throw(FWException) { list interfaces = getByTypeDeep(Interface::TYPENAME); list::iterator i; for (i=interfaces.begin(); i!=interfaces.end(); ++i ) { Interface *iface = Interface::cast(*i); if (iface->isManagement()) { FWObjectTypedChildIterator k = iface->findByType(IPv4::TYPENAME); if (k != k.end()) return Address::cast(*k)->getAddressPtr(); } } return NULL; } const Address* Host::getAddressObject() const { FWObjectTypedChildIterator j = findByType(Interface::TYPENAME); if (j == j.end()) return NULL; return Interface::cast(*j)->getAddressObject(); } int Host::countInetAddresses(bool skip_loopback) const { int res = 0; FWObjectTypedChildIterator j = findByType(Interface::TYPENAME); for( ; j!=j.end(); ++j) { Interface *iface = Interface::cast(*j); res += iface->countInetAddresses(skip_loopback); } return res; } /* * This function will find parent host, firewall or cluster object of * a given object. If object is not a child of host, firewall or * cluster, it returns NULL */ FWObject* Host::getParentHost(FWObject *obj) { FWObject *parent_h = obj; while (parent_h != NULL && Host::cast(parent_h) == NULL) parent_h = parent_h->getParent(); return parent_h; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Host.h000066400000000000000000000056171303637203600226260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __HOST_HH_FLAG__ #define __HOST_HH_FLAG__ #include #include #include "fwbuilder/Address.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/ObjectMatcher.h" namespace libfwbuilder { class Interface; class Management; class Host : public Address { protected: public: Host(); virtual ~Host(); /** * This method should create any standard mandatory child objects * the object might need. */ virtual void init(FWObjectDatabase *root); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML (xmlNodePtr parent) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(Host); DECLARE_DISPATCH_METHODS(Host); /* * verify whether given object type is approppriate as a child */ virtual bool validateChild(FWObject *o); bool Appropriate(Interface *i); void addInterface(Interface *i); void removeInterface(Interface *i); const InetAddr* getManagementAddress() throw(FWException); /** * This method returns reference to the object representing * host's platform-specific options (class HostOptions) */ virtual FWOptions* getOptionsObject(); /** * Returns management object associated with this Host. * If none is present, new one will be created; */ Management *getManagementObject(); virtual const Address* getAddressObject() const; virtual unsigned int dimension() const { return 1; } /** * similar to hasInetAddress() but counts addresses */ virtual int countInetAddresses(bool skip_loopback) const; virtual bool isPrimaryObject() const { return true; } /** * helper-function, needed when dealing with sub-interfaces: * function returns the parent host (or firewall) of an interface * or rule set. This is just a convenience function that performs * operation we often need. 
*/ static FWObject* getParentHost(FWObject *obj); protected: Management *mgmt; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ICMP6Service.cpp000066400000000000000000000024761303637203600244030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; using namespace std; const char *ICMP6Service::TYPENAME={"ICMP6Service"}; ICMP6Service::ICMP6Service() : ICMPService() { } ICMP6Service::~ICMP6Service() {} string ICMP6Service::getProtocolName() const { return "icmp6";} int ICMP6Service::getProtocolNumber() const { return 58; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ICMP6Service.h000066400000000000000000000025621303637203600240440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ICMP6SERVICE_HH_FLAG__ #define __ICMP6SERVICE_HH_FLAG__ #include "fwbuilder/ICMPService.h" namespace libfwbuilder { class ICMP6Service : public ICMPService { private: public: ICMP6Service(); virtual ~ICMP6Service(); DECLARE_FWOBJECT_SUBTYPE(ICMP6Service); DECLARE_DISPATCH_METHODS(ICMP6Service); virtual std::string getProtocolName() const; virtual int getProtocolNumber() const; virtual bool isV4Only() { return false; } virtual bool isV6Only() { return true; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ICMPService.cpp000066400000000000000000000040471303637203600243110ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; using namespace std; const char *ICMPService::TYPENAME={"ICMPService"}; ICMPService::ICMPService() { setStr("type", "-1"); setStr("code", "-1"); } ICMPService::~ICMPService() {} string ICMPService::getProtocolName() const { return "icmp";} int ICMPService::getProtocolNumber() const { return 1; } void ICMPService::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("type"))); assert(n!=NULL); setStr("type", n); FREEXMLBUFF(n); n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("code"))); if(n!=NULL) { setStr("code", n); FREEXMLBUFF(n); } } xmlNodePtr ICMPService::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); return me; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ICMPService.h000066400000000000000000000027611303637203600237570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ICMPSERVICE_HH_FLAG__ #define __ICMPSERVICE_HH_FLAG__ #include "fwbuilder/Service.h" namespace libfwbuilder { class ICMPService : public Service { private: public: ICMPService(); virtual ~ICMPService(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(ICMPService); DECLARE_DISPATCH_METHODS(ICMPService); virtual std::string getProtocolName() const; virtual int getProtocolNumber() const; virtual bool isV4Only() { return true; } virtual bool isV6Only() { return false; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/IPRoute.cpp000066400000000000000000000031141303637203600235610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/IPRoute.h" #include #include #ifndef _WIN32 # include # include #else # include #endif using namespace std; namespace libfwbuilder { IPRoute::IPRoute(const IPRoute &o) { nm = o.nm; dst = o.dst; gw = o.gw; intf = o.intf; direct = o.direct; } IPRoute::~IPRoute() {} IPRoute::IPRoute(const InetAddr &_dst, const InetAddr &_nm, const InetAddr &_gw, const InterfaceData& _intf, bool _direct) { nm = _nm; dst = _dst; gw = _gw; intf = _intf; direct = _direct; } } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/IPRoute.h000066400000000000000000000037211303637203600232320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPROUTE_HH_FLAG__ #define __IPROUTE_HH_FLAG__ #include #include #ifndef _WIN32 # include # include # include # include #else # include #endif #include "fwbuilder/FWException.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/InterfaceData.h" namespace libfwbuilder { class Interface; class IPRoute { public: IPRoute(const IPRoute &); IPRoute(const InetAddr &_dst, const InetAddr &_nm, const InetAddr &_gw, const InterfaceData &_intf, bool _direct); virtual ~IPRoute(); bool isDirect() const { return direct;} const InetAddr &getNetmask () const { return nm; } const InetAddr &getDestination() const { return dst; } const InetAddr &getGateway () const { return gw; } /** * @return interface associated with this route, or * NULL if none. */ const InterfaceData& getInterface() const { return intf; } private: InetAddr nm ; InetAddr dst ; InetAddr gw ; InterfaceData intf; bool direct ; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/IPService.cpp000066400000000000000000000115431303637203600240700ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/IPService.h" #include "fwbuilder/XMLTools.h" #include using namespace libfwbuilder; using namespace std; const char *IPService::TYPENAME={"IPService"}; std::map IPService::named_protocols; void IPService::initNamedProtocols() { if (IPService::named_protocols.size() == 0) { IPService::named_protocols[0] = "ip"; IPService::named_protocols[1] = "icmp"; IPService::named_protocols[6] = "tcp"; IPService::named_protocols[17] = "udp"; } } IPService::IPService() { setStr("protocol_num", ""); IPService::initNamedProtocols(); } IPService::~IPService() {} void IPService::addNamedProtocol(int proto_num, const std::string &proto_name) { // Call initialize function because we might be trying to register // named protocol before any IPService objects have been created. 
IPService::initNamedProtocols(); IPService::named_protocols[proto_num] = proto_name; } void IPService::setProtocolNumber(int n) { setInt("protocol_num", n); } string IPService::getProtocolName() const { int proto_num = getInt("protocol_num"); if (IPService::named_protocols.count(proto_num) > 0) return IPService::named_protocols[proto_num]; else return getStr("protocol_num"); } int IPService::getProtocolNumber() const { return getInt("protocol_num"); } void IPService::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("protocol_num"))); assert(n!=NULL); setStr("protocol_num", n); FREEXMLBUFF(n); n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("fragm"))); if(n!=NULL) { setStr("fragm", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("short_fragm"))); if(n!=NULL) { setStr("short_fragm", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("any_opt"))); if(n!=NULL) { setStr("any_opt", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("lsrr"))); if(n!=NULL) { setStr("lsrr", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("ssrr"))); if(n!=NULL) { setStr("ssrr", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("rr"))); if(n!=NULL) { setStr("rr", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("ts"))); if(n!=NULL) { setStr("ts", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("tos"))); if(n!=NULL) { setStr("tos", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("dscp"))); if(n!=NULL) { setStr("dscp", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("rtralt"))); if(n!=NULL) { setStr("rtralt", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("rtralt_value"))); if(n!=NULL) { setStr("rtralt_value", n); FREEXMLBUFF(n); } } xmlNodePtr IPService::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), 
STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); return me; } bool IPService::hasIpOptions() const { return (getBool("any_opt") || getBool("lsrr") || getBool("rr") || getBool("ssrr") || getBool("ts") || getBool("rtralt")); } string IPService::getTOSCode() const { return getStr("tos"); } void IPService::setTOSCode(const string &c) { setStr("tos", c); } string IPService::getDSCPCode() const { return getStr("dscp"); } void IPService::setDSCPCode(const string &c) { setStr("dscp", c); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/IPService.h000066400000000000000000000034641303637203600235400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPSERVICE_HH_FLAG__ #define __IPSERVICE_HH_FLAG__ #include "fwbuilder/Service.h" namespace libfwbuilder { class IPService : public Service { static void initNamedProtocols(); protected: static std::map named_protocols; public: IPService(); virtual ~IPService(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(IPService); DECLARE_DISPATCH_METHODS(IPService); virtual std::string getProtocolName() const; virtual int getProtocolNumber() const; void setProtocolNumber(int n); std::string getTOSCode() const; void setTOSCode(const std::string &c); std::string getDSCPCode() const; void setDSCPCode(const std::string &c); bool hasIpOptions() const; static void addNamedProtocol(int proto_num, const std::string &proto_name); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/IPv4.cpp000066400000000000000000000077371303637203600230330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* Class IPv4 serves two purposes: - it is used to describe configuration of an interface which consists of an address and netmask - it is used to describe a single standalone address object (in the tree, under Objects/Addresses) Even though class Network also has address and netmask, IPv4 objects are recognized by compilers as single addresses. */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include #include #include #include #include "fwbuilder/IPv4.h" #include "fwbuilder/Interface.h" #include "fwbuilder/XMLTools.h" using namespace std; using namespace libfwbuilder; const char *IPv4::TYPENAME={"IPv4"}; IPv4::IPv4() : Address() { } IPv4::~IPv4() { } void IPv4::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char* n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("address"))); assert(n!=NULL); // strip whitespace and other non-numeric characters at the beginng and end string addr(n); string::size_type first = addr.find_first_of("0123456789"); string::size_type last = addr.find_last_of("0123456789"); try { addr = addr.substr(first, last-first+1); } catch (std::out_of_range &ex) { cerr << "Object \"" << getName() << "\": Invalid address" << n << endl; addr = "0.0.0.0"; } setAddress(InetAddr(addr)); FREEXMLBUFF(n); n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("netmask"))); assert(n!=NULL); string netm(n); first = netm.find_first_of("0123456789"); last = netm.find_last_of("0123456789"); try { netm = netm.substr(first, last-first+1); } catch (std::out_of_range &ex) { cerr << "Object \"" << getName() << "\": Invalid netmask" << n << endl; addr = "0.0.0.0"; } if (!netm.empty()) setNetmask(InetAddr(netm)); else setNetmask(InetAddr(0)); FREEXMLBUFF(n); } xmlNodePtr IPv4::toXML(xmlNodePtr xml_parent_node) throw(FWException) { if (getName().empty()) setName(getTypeName()); xmlNodePtr me = 
FWObject::toXML(xml_parent_node); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); xmlNewProp(me, TOXMLCAST("address"), STRTOXMLCAST(inet_addr_mask->getAddressPtr()->toString())); xmlNewProp(me, TOXMLCAST("netmask"), STRTOXMLCAST(inet_addr_mask->getNetmaskPtr()->toString())); return me; } void IPv4::setAddress(const InetAddr &a) { inet_addr_mask->setAddress(a); } void IPv4::setNetmask(const InetAddr &nm) { inet_addr_mask->setNetmask(nm); } void IPv4::setAddressNetmask(const std::string& s) { delete inet_addr_mask; inet_addr_mask = new InetAddrMask(s); } void IPv4::dump(std::ostream &f,bool recursive,bool brief,int offset) const { FWObject::dump(f, recursive, brief, offset); f << inet_addr_mask->getAddressPtr()->toString() << endl; } bool IPv4::isPrimaryObject() const { return (!Interface::isA(getParent())); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/IPv4.h000066400000000000000000000037431303637203600224710ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPV4_HH_FLAG__ #define __IPV4_HH_FLAG__ #include #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/Address.h" #include "fwbuilder/FWException.h" #include "fwbuilder/ObjectMatcher.h" namespace libfwbuilder { class IPv4 : public Address { public: IPv4(); virtual ~IPv4(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); virtual unsigned int dimension() const { return 1; } DECLARE_FWOBJECT_SUBTYPE(IPv4); DECLARE_DISPATCH_METHODS(IPv4); virtual bool hasInetAddress() const { return true; } /** * similar to hasInetAddress() but counts addresses */ virtual int countInetAddresses(bool) const { return 1; } virtual const Address* getAddressObject() const { return this; } virtual void setAddress(const InetAddr &a); virtual void setNetmask(const InetAddr &nm); virtual void setAddressNetmask(const std::string& s); virtual void dump(std::ostream &f,bool recursive,bool brief,int offset=0) const; virtual bool isPrimaryObject() const; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/IPv6.cpp000066400000000000000000000077751303637203600230370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* Class IPv6 serves two purposes: - it is used to describe configuration of an interface which consists of an address and netmask - it is used to describe a single standalone address object (in the tree, under Objects/Addresses) Even though class Network also has address and netmask, IPv6 objects are recognized by compilers as single addresses. */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include #include #include #include #include "fwbuilder/Inet6AddrMask.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/XMLTools.h" using namespace std; using namespace libfwbuilder; const char *IPv6::TYPENAME={"IPv6"}; IPv6::IPv6() : Address() { delete inet_addr_mask; inet_addr_mask = new Inet6AddrMask(); } IPv6::~IPv6() { } FWObject& IPv6::shallowDuplicate(const FWObject *other, bool preserve_id) throw(FWException) { const IPv6* a_other = IPv6::constcast(other); assert(a_other); delete inet_addr_mask; inet_addr_mask = new Inet6AddrMask( *(dynamic_cast(a_other->inet_addr_mask))); return FWObject::shallowDuplicate(other, preserve_id); } void IPv6::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char* n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("address"))); assert(n!=NULL); setAddress(InetAddr(AF_INET6, n)); FREEXMLBUFF(n); n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("netmask"))); assert(n!=NULL); if (strlen(n)) { if (string(n).find(":")!=string::npos) { setNetmask(InetAddr(AF_INET6, n)); } else { istringstream str(n); int netm; str >> netm; setNetmask(InetAddr(AF_INET6, netm)); } } else setNetmask(InetAddr(AF_INET6, 0)); FREEXMLBUFF(n); } xmlNodePtr IPv6::toXML(xmlNodePtr xml_parent_node) throw(FWException) { if (getName().empty()) setName(getTypeName()); xmlNodePtr me = FWObject::toXML(xml_parent_node); xmlNewProp(me, TOXMLCAST("name"), 
STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); xmlNewProp(me, TOXMLCAST("address"), STRTOXMLCAST(inet_addr_mask->getAddressPtr()->toString())); // Save netmask as bit length ostringstream str; str << inet_addr_mask->getNetmaskPtr()->getLength(); xmlNewProp(me, TOXMLCAST("netmask"), STRTOXMLCAST(str.str())); return me; } void IPv6::setAddress(const InetAddr &a) { inet_addr_mask->setAddress(a); } void IPv6::setNetmask(const InetAddr &nm) { inet_addr_mask->setNetmask(nm); } void IPv6::setAddressNetmask(const std::string& s) { delete inet_addr_mask; inet_addr_mask = new Inet6AddrMask(s); } void IPv6::dump(std::ostream &f,bool recursive,bool brief,int offset) const { FWObject::dump(f, recursive, brief, offset); f << inet_addr_mask->getAddressPtr()->toString() << endl; } bool IPv6::isPrimaryObject() const { return (!Interface::isA(getParent())); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/IPv6.h000066400000000000000000000041701303637203600224660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPV6_HH_FLAG__ #define __IPV6_HH_FLAG__ #include #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/Address.h" #include "fwbuilder/FWException.h" #include "fwbuilder/ObjectMatcher.h" namespace libfwbuilder { class IPv6 : public Address { public: IPv6(); virtual ~IPv6(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); virtual unsigned int dimension() const { return 1; } DECLARE_FWOBJECT_SUBTYPE(IPv6); DECLARE_DISPATCH_METHODS(IPv6); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); virtual bool hasInetAddress() const { return true; } /** * similar to hasInetAddress() but counts addresses */ virtual int countInetAddresses(bool) const { return 1; } virtual const Address* getAddressObject() const { return this; } virtual void setAddress(const InetAddr &a); virtual void setNetmask(const InetAddr &nm); virtual void setAddressNetmask(const std::string& s); virtual void dump(std::ostream &f,bool recursive,bool brief,int offset=0) const; virtual bool isPrimaryObject() const; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Inet6AddrMask.cpp000066400000000000000000000067361303637203600246430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Inet6AddrMask.h" extern "C" { #include "fwbuilder/inet_net.h" } #include #include #include #include #include #ifndef _WIN32 # include # include #else # include #endif #include #include using namespace std; using namespace libfwbuilder; Inet6AddrMask::Inet6AddrMask() : InetAddrMask() { address->address_family = AF_INET6; netmask->address_family = AF_INET6; setNetworkAndBroadcastAddress(); } Inet6AddrMask::Inet6AddrMask(const string &s) throw(FWException) : InetAddrMask(true) { struct in6_addr a_ipv6; int nbits; nbits = inet_net_pton(AF_INET6, s.c_str(), &a_ipv6, sizeof(a_ipv6)); if (nbits < 0) throw FWException(string("Invalid IP address: '") + s + "'"); address = new InetAddr(&a_ipv6); netmask = new InetAddr(AF_INET6, nbits); broadcast_address = new InetAddr(); network_address = new InetAddr(); last_host = new InetAddr(); setNetworkAndBroadcastAddress(); } Inet6AddrMask::Inet6AddrMask(const InetAddr &a, const InetAddr &n) : InetAddrMask(true) { address = new InetAddr(a & n); netmask = new InetAddr(AF_INET6, n.getLength()); broadcast_address = new InetAddr(); network_address = new InetAddr(); last_host = new InetAddr(); setNetworkAndBroadcastAddress(); } Inet6AddrMask::~Inet6AddrMask() { // destructor of InetAddrMask deletes address, netmask // and other member variables } std::string Inet6AddrMask::toString() const { char ntop_buf[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255/128"]; char *cp; cp = inet_net_ntop(AF_INET6, (const void*)(&(address->ipv6)), 
netmask->getLength(), ntop_buf, sizeof(ntop_buf)); if (cp==NULL) { ostringstream err; switch (errno) { case EINVAL: err << "Inet6AddrMask::toString() Invalid bit length 0"; throw FWException(err.str()); ;; case EMSGSIZE: err << "Inet6AddrMask::toString() EMSGSIZE error"; throw FWException(err.str()); ;; case EAFNOSUPPORT: err << "Inet6AddrMask::toString() EAFNOSUPPORT error"; throw FWException(err.str()); ;; default: err << "Inet6AddrMask::toString() other error: " << errno; throw FWException(err.str()); ;; } } return std::string(strdup(cp)); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Inet6AddrMask.h000066400000000000000000000032341303637203600242760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* * This class is a holder of a pair address / netmask. * It can act both as a container for the address/netmask configuration * data (such as for an interface) or as a network. 
* */ #ifndef __INET6ADDRMASK_HH_FLAG__ #define __INET6ADDRMASK_HH_FLAG__ #include #include #ifndef _WIN32 # include # include # include # include #else # include #endif #include "fwbuilder/FWException.h" #include "fwbuilder/InetAddrMask.h" namespace libfwbuilder { class Inet6AddrMask : public InetAddrMask { protected: public: Inet6AddrMask(); Inet6AddrMask(const std::string &s) throw(FWException); Inet6AddrMask(const InetAddr&, const InetAddr&); virtual ~Inet6AddrMask(); virtual std::string toString() const; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/InetAddr.cpp000066400000000000000000000325441303637203600237350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Interface.h" extern "C" { # include "fwbuilder/inet_net.h" } #ifndef _WIN32 # include # include # include # include # include #endif #include #include #include #include #include #include #include #ifndef _WIN32 # include # include #else # include #endif #ifdef __linux__ # ifndef _GNU_SOURCE # define _GNU_SOURCE # endif # define A6PREF __in6_u #else # define A6PREF __u6_addr #endif using namespace std; using namespace libfwbuilder; /* * if data is a string that represents integer number without '.' or ':' * in it, call init_from_int */ void InetAddr::init_from_string(const char* data) { if(!data) throw FWException("NULL IP address data.."); if (strchr(data, '.')==NULL && strchr(data, ':')==NULL) { char *invalid_chars; long r = strtol(data, &invalid_chars, 10); if (invalid_chars && *invalid_chars == '\0') init_from_int(r); else throw FWException(string("Invalid IP address: '") + string(data) + "'"); } else { if (address_family == AF_INET) { if (inet_net_pton(AF_INET, data, &ipv4, sizeof(ipv4)) < 0) throw FWException(string("Invalid IP address: '") + string(data)+"'"); } else { if (inet_net_pton(AF_INET6, data, &ipv6, sizeof(ipv6)) < 0) throw FWException(string("Invalid IPv6 address: '") + string(data)+"'"); } } } void InetAddr::init_from_int(unsigned int len) { if (address_family == AF_INET) { if (len > addressLengthBits()) { throw FWException(string("Invalid netmask length")); } unsigned long nm_bits = 0; int i = len; while (i>0) { nm_bits >>= 1; nm_bits |= 0x80000000; i--; } ipv4.s_addr = htonl(nm_bits); } else { if (len > addressLengthBits()) { throw FWException(string("Invalid netmask length")); } ((uint32_t *) (&ipv6))[0] = 0xffffffff; ((uint32_t *) (&ipv6))[1] = 0xffffffff; ((uint32_t *) (&ipv6))[2] 
= 0xffffffff; ((uint32_t *) (&ipv6))[3] = 0xffffffff; // bits is number of zeros counting from the right end unsigned int nbits = addressLengthBits() - len; for (int i=3; i>=0; --i) { if (nbits >= 32) { ((uint32_t*)(&ipv6))[i] = 0; nbits -= 32; continue; } uint32_t t = 0xffffffff; for (int k = nbits % 32; k; --k) { t <<= 1; t &= 0xfffffffe; } ((uint32_t*)(&ipv6))[i] = htonl(t); break; } } } /* * Netmask with "holes" is accepted by InetAddr, but we do not support * it at this time. This function returns true if InetAddr object * corresponds to an integer with a string of consequitive "1" bits * and then string of consequtive "0" bits. The function only works * for ipv4 addresses. */ bool InetAddr::isValidV4Netmask() { assert(isV4()); unsigned int n = ntohl(ipv4.s_addr); while (n & 0x80000000) { n = n<<1; } return (n == 0); } // uint128 is always in the host order void InetAddr::init_from_uint128(uint128 la) { ((uint32_t *) (&ipv6))[0] = htonl((la >> 96).to_integer() & 0xffffffff); ((uint32_t *) (&ipv6))[1] = htonl((la >> 64).to_integer() & 0xffffffff); ((uint32_t *) (&ipv6))[2] = htonl((la >> 32).to_integer() & 0xffffffff); ((uint32_t *) (&ipv6))[3] = htonl( la.to_integer() & 0xffffffff); } uint128 InetAddr::to_uint128() const { assert(isV6()); uint128 res; uint128 x = uint64_t(ntohl(((uint32_t *) (&ipv6))[0])); x <<= 96; res |= x; x = uint64_t(ntohl(((uint32_t *) (&ipv6))[1])); x <<= 64; res |= x; x = uint64_t(ntohl(((uint32_t *) (&ipv6))[2])); x <<= 32; res |= x; x = uint64_t(ntohl(((uint32_t *) (&ipv6))[3])); res |= x; return res; } InetAddr::InetAddr(const InetAddr &o) { *this = o; } InetAddr::InetAddr(const string &s) throw(FWException, FWNotSupportedException) { address_family = AF_INET; init_from_string(s.c_str()); } InetAddr::InetAddr(int af, const string &s) throw(FWException, FWNotSupportedException) { address_family = af; init_from_string(s.c_str()); } InetAddr::InetAddr(const char *data) throw(FWException) { address_family = AF_INET; 
init_from_string(data); } InetAddr::InetAddr(int af, const char *data) throw(FWException) { address_family = af; init_from_string(data); } InetAddr::InetAddr(const struct in_addr *na) throw(FWException) { address_family = AF_INET; ipv4.s_addr = na->s_addr; } InetAddr::InetAddr(const struct in6_addr *na) throw(FWException) { address_family = AF_INET6; _copy_in6_addr(&ipv6, na); } // Set netmask to 'n' bits InetAddr::InetAddr(int n) throw(FWException) { address_family = AF_INET; init_from_int(n); } InetAddr::InetAddr(int af, int n) throw(FWException) { address_family = af; init_from_int(n); } InetAddr& InetAddr::operator=(const InetAddr &addr) { if ((address_family = addr.address_family)==AF_INET) { ipv4.s_addr = addr.ipv4.s_addr; } else { InetAddr::_copy_in6_addr(&ipv6, &(addr.ipv6) ); } return *this; } int InetAddr::getLength() const { if (address_family==AF_INET) { if (ipv4.s_addr == INADDR_BROADCAST) return addressLengthBits(); if (ipv4.s_addr == 0) return 0; unsigned int n = ntohl(ipv4.s_addr); int i=0; while (n) { n=n<<1; i++; } return i; } else { int bits = 0; for (int i=3; i>=0; --i) { uint32_t n = ntohl(((uint32_t*)(&ipv6))[i]); if (n==0) { bits += 32; continue; } while ((n & 1) == 0) { bits++; n = n >> 1; } bits = 128 - bits; break; } return bits; } } string InetAddr::toString() const { if (address_family==AF_INET) { return std::string(inet_ntoa(ipv4)); } else { char ntop_buf[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255/128"]; /* * Our included copy of inet_net_ntop does not add /netmask if * bits==-1 (argument #3). However, the same function included * in libc on FreeBSD returns EINVAL for bits=-1. Here is a * hack: use bits=128 and then strip /128 that inet_net_ntop * adds to the generated string. Both our included * inet_net_ntop and the one shipped with FreeBSD add "/128" * consistently, so this works on all platforms. 
*/ char *cp; cp = inet_net_ntop(AF_INET6, (const void*)(&ipv6), 128, ntop_buf, sizeof(ntop_buf)); if (cp==NULL) { ostringstream err; switch (errno) { case EINVAL: err << "InetAddr::toString() Invalid bit length 0"; throw FWException(err.str()); ;; case EMSGSIZE: err << "InetAddr::toString() EMSGSIZE error"; throw FWException(err.str()); ;; case EAFNOSUPPORT: err << "InetAddr::toString() EAFNOSUPPORT error"; throw FWException(err.str()); ;; default: err << "InetAddr::toString() other error: " << errno; throw FWException(err.str()); ;; } } char *slash_p = strchr(ntop_buf, '/'); if (slash_p!=NULL) *slash_p = '\0'; return std::string(ntop_buf); } } // note that address family of the result is dictated by the address family of // "this". Address family of mask must be the same. InetAddr InetAddr::opAnd(const InetAddr &mask) const { assert(address_family==mask.address_family); if (address_family==AF_INET) { struct in_addr res; res.s_addr = htonl(ntohl(ipv4.s_addr) & ntohl(mask.ipv4.s_addr)); return InetAddr(&res); } else { struct in6_addr res; for (int i=0; i<4; ++i) ((uint32_t*)(&res))[i] = htonl(ntohl(((uint32_t*)(&(ipv6)))[i]) & ntohl(((uint32_t*)(&(mask.ipv6)))[i])); return InetAddr(&res); } } InetAddr InetAddr::opOr(const InetAddr &mask) const { assert(address_family==mask.address_family); if (address_family==AF_INET) { struct in_addr res; res.s_addr = htonl(ntohl(ipv4.s_addr) | ntohl(mask.ipv4.s_addr)); return InetAddr(&res); } else { struct in6_addr res; for (int i=0; i<4; ++i) ((uint32_t*)(&res))[i] = htonl(ntohl(((uint32_t*)(&(ipv6)))[i]) | ntohl(((uint32_t*)(&(mask.ipv6)))[i])); return InetAddr(&res); } } InetAddr InetAddr::opPlus(int increment) const { if (address_family==AF_INET) { struct in_addr res; res.s_addr = htonl(ntohl(ipv4.s_addr) + increment); return InetAddr(&res); } else { uint128 x = to_uint128(); x += increment; InetAddr res(AF_INET6, 0); res.init_from_uint128(x); return res; // struct in6_addr res; // InetAddr::_copy_in6_addr(&res, &(ipv6) ); // 
((uint32_t*)(&res))[3] = // htonl(ntohl( ((uint32_t*)(&(ipv6)))[3]) + increment); // return InetAddr(&res); } } InetAddr InetAddr::opMinus(int decrement) const { if (address_family==AF_INET) { struct in_addr res; res.s_addr = htonl(ntohl(ipv4.s_addr) - decrement); return InetAddr(&res); } else { uint128 x = to_uint128(); x -= decrement; InetAddr res(AF_INET6, 0); res.init_from_uint128(x); return res; // struct in6_addr res; // InetAddr::_copy_in6_addr(&res, &(ipv6) ); // ((uint32_t*)(&res))[3] = // htonl(ntohl( ((uint32_t*)(&(ipv6)))[3]) - decrement); // return InetAddr(&res); } } bool InetAddr::opLT(const InetAddr &other) const { if (address_family!=other.address_family) return false; if (address_family==AF_INET) { return (ntohl( ipv4.s_addr ) < ntohl( other.ipv4.s_addr )); } else { uint128 a = to_uint128(); uint128 b = other.to_uint128(); return a < b; // return (ntohl(((uint32_t*)(&(ipv6)))[3]) < // ntohl(((uint32_t*)(&(other.ipv6)))[3])); } } bool InetAddr::opGT(const InetAddr &other) const { if (address_family!=other.address_family) return false; if (address_family==AF_INET) { return (ntohl( ipv4.s_addr ) > ntohl( other.ipv4.s_addr )); } else { uint128 a = to_uint128(); uint128 b = other.to_uint128(); return a > b; // return (ntohl(((uint32_t*)(&(ipv6)))[3]) > // ntohl(((uint32_t*)(&(other.ipv6)))[3])); } } bool InetAddr::opEQ(const InetAddr &other) const { if (address_family!=other.address_family) return false; if (address_family==AF_INET) { return ipv4.s_addr == other.ipv4.s_addr; } else { return (IN6_ARE_ADDR_EQUAL(&(ipv6), &(other.ipv6))); } } bool InetAddr::opNEQ(const InetAddr &other) const { if (address_family!=other.address_family) return false; if (address_family==AF_INET) { return ipv4.s_addr != other.ipv4.s_addr; } else { return (!(IN6_ARE_ADDR_EQUAL(&(ipv6), &(other.ipv6)))); } } InetAddr InetAddr::opCompl() const { if (address_family==AF_INET) { struct in_addr res; res.s_addr = htonl(~(ntohl(ipv4.s_addr))); return InetAddr(&res); } else { struct 
in6_addr res; ((uint32_t *) (&res))[0] = htonl(~(ntohl(((uint32_t *) (&ipv6))[0]))); ((uint32_t *) (&res))[1] = htonl(~(ntohl(((uint32_t *) (&ipv6))[1]))); ((uint32_t *) (&res))[2] = htonl(~(ntohl(((uint32_t *) (&ipv6))[2]))); ((uint32_t *) (&res))[3] = htonl(~(ntohl(((uint32_t *) (&ipv6))[3]))); return InetAddr(&res); } } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/InetAddr.h000066400000000000000000000225441303637203600234010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __INETADDR_HH_FLAG__ #define __INETADDR_HH_FLAG__ #include #include #include #include #ifndef _WIN32 # include # include # include # include #else # include # include # include typedef unsigned int uint32_t; #endif #include "fwbuilder/uint128.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWException.h" namespace libfwbuilder { /** * Class InetAddr is a wrapper for struct inet_addr and in6_addr * * Why both address families are implemented as the same class ? Mostly * because I need to have a family of two-argument operators such as * operator&, operator| etc which return new object of the class that * represent the same address family as the arguments. 
These operators * should be "friends" of class InetAddr since they return new object * by value rather than modify "this". But how to do it if returned * type should be different depending on the types of arguments ? * */ class InetAddr { protected: friend class InetAddrMask; friend class Inet6AddrMask; int address_family; // Address in network order struct in_addr ipv4; struct in6_addr ipv6; // copy in6_addr from sa to da static inline void _copy_in6_addr(struct in6_addr* da, const struct in6_addr* sa) { ((uint32_t*)(da))[0] = ((uint32_t*)(sa))[0]; ((uint32_t*)(da))[1] = ((uint32_t*)(sa))[1]; ((uint32_t*)(da))[2] = ((uint32_t*)(sa))[2]; ((uint32_t*)(da))[3] = ((uint32_t*)(sa))[3]; } void init_from_string(const char* data); void init_from_int(unsigned int n); public: explicit InetAddr() { address_family = AF_INET; ipv4.s_addr = 0; ((uint32_t *) (&ipv6))[0] = 0; ((uint32_t *) (&ipv6))[1] = 0; ((uint32_t *) (&ipv6))[2] = 0; ((uint32_t *) (&ipv6))[3] = 0; } virtual ~InetAddr() {} inline unsigned int addressLengthBits() const { if (address_family == AF_INET) return sizeof(ipv4) * 8; return sizeof(ipv6) * 8; } bool isValidV4Netmask(); void init_from_uint128(uint128 int128a); uint128 to_uint128() const; InetAddr(const char *data) throw(FWException); InetAddr(int af, const char *data) throw(FWException); InetAddr(const struct in_addr*) throw(FWException); InetAddr(const struct in6_addr*) throw(FWException); explicit InetAddr(const std::string&) throw(FWException, FWNotSupportedException); explicit InetAddr(int af, const std::string&) throw(FWException, FWNotSupportedException); InetAddr(const InetAddr &); // creates netmask 'n' bits long explicit InetAddr(int n) throw(FWException); explicit InetAddr(int af, int n) throw(FWException); InetAddr& operator=(const InetAddr &addr); int addressFamily() const { return address_family; } bool isV4() const { return (address_family==AF_INET); } bool isV6() const { return (address_family==AF_INET6); } const struct in_addr* getV4() 
const { return &ipv4; } const struct in6_addr* getV6() const { return &ipv6; } static inline InetAddr getAny() { return InetAddr(); } static inline InetAddr getAllOnes(int af=AF_INET) { if (af==AF_INET) { struct in_addr allones; allones.s_addr = 0xffffffff; return InetAddr(&allones); } else { struct in6_addr a; ((uint32_t *) (&a))[0] = 0xffffffff; ((uint32_t *) (&a))[1] = 0xffffffff; ((uint32_t *) (&a))[2] = 0xffffffff; ((uint32_t *) (&a))[3] = 0xffffffff; return InetAddr(&a); } } static inline InetAddr getLoopbackAddr(int af=AF_INET) { if (af==AF_INET) { struct in_addr loopback; loopback.s_addr = htonl(INADDR_LOOPBACK); return InetAddr(&loopback); } else { struct in6_addr a; ((uint32_t *) (&a))[0] = 0; ((uint32_t *) (&a))[1] = 0; ((uint32_t *) (&a))[2] = 0; ((uint32_t *) (&a))[3] = htonl (1); return InetAddr(&a); } } std::string toString() const; /** * Broadcast : 255.255.255.255 * * there are no broadcast addresses in ipv6. However some multicast * addresses serve similar purpose. For example "link-scope * all-hosts multicast" address ff02::1 corresponds to the ipv4 * broadcast 255.255.255.255 */ inline bool isBroadcast() const { if (address_family==AF_INET) return ipv4.s_addr == INADDR_BROADCAST; else return IN6_IS_ADDR_MC_LINKLOCAL(&ipv6); } /** * Multicast : 224.0.0.0 - 239.0.0.0 */ inline bool isMulticast() const { if (address_family==AF_INET) return IN_MULTICAST(ntohl(ipv4.s_addr)); else return IN6_IS_ADDR_MULTICAST(&ipv6); } /** * INADDR_ANY: 0 */ inline bool isAny() const { if (address_family==AF_INET) return ipv4.s_addr == INADDR_ANY; else return (IN6_IS_ADDR_UNSPECIFIED(&ipv6)); } /** * calculate distance between _this_ address and address a2 and return * it as int * This method is limited, it only calculates distance that fit in 32 bit * number */ inline unsigned int distance(const InetAddr &a2) const { if (address_family==AF_INET) return ntohl(a2.ipv4.s_addr) - ntohl(ipv4.s_addr) + 1; else { uint128 d1 = to_uint128(); uint128 d2 = a2.to_uint128(); 
uint128 res; if (d1 < d2) { res = d2; res -= d1; } else { res = d1; res -= d2; } return res.to_integer() + 1; } } /** * returns the "length" of the netmask, that is number of bits set to '1' * counting from left to right */ int getLength() const; /** * for netmasks: return true if this is host mask, i.e. all '1' */ inline bool isHostMask() const { if (address_family==AF_INET) return ipv4.s_addr == INADDR_BROADCAST; else return (((uint32_t*)(&ipv6))[0] == 0xffffffff && ((uint32_t*)(&ipv6))[1] == 0xffffffff && ((uint32_t*)(&ipv6))[2] == 0xffffffff && ((uint32_t*)(&ipv6))[3] == 0xffffffff); } /*****************************************************************/ InetAddr opAnd(const InetAddr &mask) const; InetAddr opOr(const InetAddr &mask) const; InetAddr opPlus(int increment) const; InetAddr opMinus(int decrement) const; bool opLT(const InetAddr &other) const; bool opGT(const InetAddr &other) const; bool opEQ(const InetAddr &other) const; bool opNEQ(const InetAddr &other) const; InetAddr opCompl() const; /*****************************************************************/ inline friend InetAddr operator&(const InetAddr &addr, const InetAddr &mask) { assert (typeid(addr) == typeid(mask)); return addr.opAnd(mask); } inline friend InetAddr operator|(const InetAddr &addr, const InetAddr &mask) { assert (typeid(addr) == typeid(mask)); return addr.opOr(mask); } inline friend InetAddr operator+(const InetAddr &addr, int increment) { return addr.opPlus(increment); } inline friend InetAddr operator-(const InetAddr &addr, int decrement) { return addr.opMinus(decrement); } inline friend bool operator<(const InetAddr &a, const InetAddr &b) { assert (typeid(a) == typeid(b)); return a.opLT(b); } inline friend bool operator>(const InetAddr &a, const InetAddr &b) { assert (typeid(a) == typeid(b)); return a.opGT(b); } inline friend bool operator==(const InetAddr &a, const InetAddr &b) { assert (typeid(a) == typeid(b)); return a.opEQ(b); } inline friend bool operator!=(const InetAddr &a, 
const InetAddr &b) { assert (typeid(a) == typeid(b)); return a.opNEQ(b); } inline friend InetAddr operator~(const InetAddr &a) { return a.opCompl(); } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/InetAddrMask.cpp000066400000000000000000000331731303637203600245500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/InetAddrMask.h" #include #include #include #include #include #include #ifndef _WIN32 # include # include #else # include #endif using namespace std; using namespace libfwbuilder; void InetAddrMask::setNetworkAndBroadcastAddress() { // see #2670. Per RFC3021 network with netmask /31 has no network // and direct broadcast addresses. if (netmask->isV4() && netmask->getLength() >= 31) { *network_address = *address; *broadcast_address = InetAddr(32); *last_host = *address; if (netmask->getLength() == 31) *last_host = *last_host + 1; } else { *network_address = *address & *netmask; *broadcast_address = *address | (~(*netmask)); *last_host = *broadcast_address; } } InetAddrMask::InetAddrMask(bool) { // this constructor does not create address, netmask and other // variables. 
This constructor should only be used by classes that // inherit InetAddrMask and create address, netmask themselves, // such as Inet6AddrMask address = NULL; netmask = NULL; broadcast_address = NULL; network_address = NULL; last_host = NULL; } InetAddrMask::InetAddrMask() { address = new InetAddr(); netmask = new InetAddr(); broadcast_address = new InetAddr(); network_address = new InetAddr(); last_host = new InetAddr(); } InetAddrMask::InetAddrMask(const InetAddr &a, const InetAddr &n) { address = new InetAddr(a & n); netmask = new InetAddr(n); broadcast_address = new InetAddr(); network_address = new InetAddr(); last_host = new InetAddr(); setNetworkAndBroadcastAddress(); } InetAddrMask::InetAddrMask(const InetAddrMask& other) { address = new InetAddr(*(other.address)); netmask = new InetAddr(*(other.netmask)); broadcast_address = new InetAddr(); network_address = new InetAddr(); last_host = new InetAddr(); setNetworkAndBroadcastAddress(); } InetAddrMask::InetAddrMask(const string &s) throw(FWException) { address = new InetAddr(); netmask = new InetAddr(); broadcast_address = new InetAddr(); network_address = new InetAddr(); last_host = new InetAddr(); if(s.find_first_not_of(".1234567890/")!=string::npos) { throw FWException(string("Invalid IP address: '")+s+"'"); } string::size_type pos=s.find("/"); if (pos==string::npos) { setAddress(InetAddr(s)); setNetmask(InetAddr(InetAddr::getAllOnes())); } else { setAddress(InetAddr(s.substr(0,pos))); string netm = s.substr(pos+1); if (netm.find(".")==string::npos) { // netmask is represented as /NN (length in bits) int d = atoi(netm.c_str()); *netmask = InetAddr(d); } else { setNetmask(InetAddr(netm)); } } setNetworkAndBroadcastAddress(); } InetAddrMask::~InetAddrMask() { if (address!=NULL) delete address; if (netmask!=NULL) delete netmask; if (network_address!=NULL) delete network_address; if (broadcast_address!=NULL) delete broadcast_address; if (last_host!=NULL) delete last_host; } bool InetAddrMask::isAny() { return 
(address->isAny() && netmask->isAny()); } void InetAddrMask::setAddress(const InetAddr &a) { *address = a; setNetworkAndBroadcastAddress(); } void InetAddrMask::setNetmask(const InetAddr &nm) { *netmask = nm; setNetworkAndBroadcastAddress(); } // check if address 'o' belongs to the network bool InetAddrMask::belongs(const InetAddr &o) const { return ((o & *netmask) == *network_address); } unsigned int InetAddrMask::dimension() const { /* * TODO: this code not portable 'cause it implies specific to IPv4 * maximum length of netmask */ int masklength = netmask->getLength(); int host_part = netmask->addressLengthBits() - masklength; if (host_part>=32) return INT_MAX; // can be >32 if ipv6 unsigned int u = 1; for (int i=0; igetAddressPtr()->addressFamily() != b.getAddressPtr()->addressFamily()) return false; return *(this->getAddressPtr()) < *(b.getAddressPtr()); } bool libfwbuilder::operator==(const InetAddrMask &a, const InetAddrMask &b) { if (a.getAddressPtr()->addressFamily() != b.getAddressPtr()->addressFamily()) return false; return ( *(a.getNetmaskPtr()) == *(b.getNetmaskPtr()) && *(a.getAddressPtr()) == *(b.getAddressPtr())); } bool libfwbuilder::operator<(const InetAddrMask &a, const InetAddrMask &b) { if (a.getAddressPtr()->addressFamily() != b.getAddressPtr()->addressFamily()) return false; return *(a.getAddressPtr()) < *(b.getAddressPtr()); } /* this is just a better interface to _convert_range_to_networks */ vector libfwbuilder::convertAddressRange(const InetAddr &start, const InetAddr &end) { vector res; _convert_range_to_networks(start,end,res); return res; } bool libfwbuilder::_convert_range_to_networks(const InetAddr &start, const InetAddr &end, vector &res) { if (end < start) return false; if (start == end) { res.push_back(InetAddrMask( start, InetAddr(InetAddr::getAllOnes(start.addressFamily())))); return false; } if (start.isAny() && end.isBroadcast()) { res.push_back( InetAddrMask() ); return false; } unsigned int size = start.distance(end); if 
(size==2) { res.push_back(InetAddrMask( start, InetAddr(InetAddr::getAllOnes(start.addressFamily())))); res.push_back(InetAddrMask( end, InetAddr(InetAddr::getAllOnes(end.addressFamily())))); return false; } /* determine closest power of 2 which is less or equal to size */ unsigned int l = size; int mask_bits = 0; while ( l!=0 ) { l>>=1; mask_bits++; } mask_bits--; mask_bits = start.addressLengthBits() - mask_bits; /* mask_bits represents number of '1'in the netmask for the new subnet */ /* test start address to see if it is a good network address for netmask */ InetAddr nm1(mask_bits); // new netmask InetAddrMask tn1(start, nm1); InetAddr nstart; InetAddr nend; InetAddr nnm; nstart = start; if (start != *(tn1.getAddressPtr())) { /* we can not use start address for the network because it shifts * beginning of the range back after netmask is applied to it. Need to * make netmask longer and then find the first address higher than * start, which matches the netmask and can be used as a network * address */ do { mask_bits++; nnm = InetAddr(mask_bits); tn1 = InetAddrMask(nstart, nnm); } while (start != *(tn1.getAddressPtr()) && mask_bits>0); nend = nstart; nend = nend | (~nnm); } else { /* find shortest netmask that yields subnet with end address within * required range. Start with very short netmask and keep making it longer * while the end of the subnet it defines is still above required end of * the range. Once the end moves inside the range, stop. 
*/ mask_bits--; do { mask_bits++; nnm = InetAddr(mask_bits); // new netmask nend = start; nend = nend | (~nnm); } while (nend > end); } /* new range starts from nstart and ends at nend */ res.push_back( InetAddrMask(nstart, nnm) ); if (!(nstart == start)) { /* there are some addresses between start and nstart */ while (libfwbuilder::_convert_range_to_networks(start,nstart-1,res)) ; } if (!(nend == end)) { /* the remainder of the original range is nend+1 - end */ while (libfwbuilder::_convert_range_to_networks(nend+1,end,res)) ; } return false; } vector libfwbuilder::getOverlap(const InetAddrMask &n1, const InetAddrMask &n2) { const InetAddr& s1 = *(n1.getAddressPtr()); const InetAddr& s2 = *(n2.getAddressPtr()); const InetAddr& m1 = *(n1.getNetmaskPtr()); const InetAddr& m2 = *(n2.getNetmaskPtr()); InetAddr e1 = s1 | (~m1); InetAddr e2 = s2 | (~m2); /* * now both networks are represented by their first and last addresses * * we assume network 0.0.0.0/0.0.0.0 in fact represents the whole * possible range of ip addresses (for ip v4 it is 0.0.0.0 - * 255.255.255.255). Check for this condition and replace e1 or e2 * accordingly if needed. 
* */ if (s1.isAny() && m1.isAny()) e1 = InetAddr(InetAddr::getAllOnes(s1.addressFamily())); if (s2.isAny() && m2.isAny()) e2 = InetAddr(InetAddr::getAllOnes(s2.addressFamily())); vector res; if (e2 < s1) return res; if (e1 < s2) return res; if (s1 == s2 && e1 == e2) { // subnets are identical res.push_back(n1); return res; } if (e2 == s1) { // end of n2 == start of n1, overlap is just 1 address res.push_back(InetAddrMask(s1, InetAddr::getAllOnes(s1.addressFamily()))); return res; } if (e1 == s2) { // end of n1 == start of n2, overlap is just 1 address res.push_back(InetAddrMask(s2, InetAddr::getAllOnes(s2.addressFamily()))); return res; } if (s1 == s2 && e1 < e2) { // both subnets have the same start address, but n1 is smaller res.push_back(n1); return res; } if (s1 == s2 && e2 < e1) { // both subnets have the same start address, but n2 is smaller res.push_back(n2); return res; } if (s2 < s1 && e1 == e2) { // both subnets have the same end address, but n1 is smaller res.push_back(n1); return res; } if (s1 < s2 && e1 == e2) { // both subnets have the same end address, but n2 is smaller res.push_back(n2); return res; } if (s1 > s2 && e1 < e2) { // n1 fits inside of n2 res.push_back(n1); return res; } if (s2 > s1 && e2 < e1) { // n2 fits inside of n1 res.push_back(n2); return res; } InetAddr rs, re; // if (s1 == s2) { rs = s1; } if (s1 < s2) { rs = s2; } if (s2 < s1) { rs = s1; } // if (e1 == e2) { re = e1; } if (e1 < e2) { re = e1; } if (e2 < e1) { re = e2; } /* rb and re represent resulting address range boundaries */ libfwbuilder::_convert_range_to_networks(rs, re, res); return res; } vector libfwbuilder::substract(const InetAddrMask &n1, const InetAddrMask &n2) { const InetAddr n1s = *(n1.getAddressPtr()); const InetAddr n2s = *(n2.getAddressPtr()); const InetAddr n1m = *(n1.getNetmaskPtr()); const InetAddr n2m = *(n2.getNetmaskPtr()); InetAddr n1e = n1s; n1e = n1e | (~n1m); InetAddr n2e = n2s; n2e = n2e | (~n2m); /* * now both networks are represented by their 
first and last addresses * * we assume network 0.0.0.0/0.0.0.0 in fact represents the whole * possible range of ip addresses (for ip v4 it is 0.0.0.0 - * 255.255.255.255). Check for this condition and replace n1e or n2e * accordingly if needed. */ if (n1s.isAny() && n1e.isAny()) n1e=InetAddr(InetAddr::getAllOnes()); if (n2s.isAny() && n2e.isAny()) n2e=InetAddr(InetAddr::getAllOnes()); vector res; if (/* n2sn1s) { InetAddr rs=n2e + 1; InetAddr re=n1e; libfwbuilder::_convert_range_to_networks(rs,re,res); } if ( n2s>n1s && n2en1s && n2e>n1e) { InetAddr rs=n1s; InetAddr re=n2s - 1; libfwbuilder::_convert_range_to_networks(rs,re,res); } if (n2s>n1e /* && n2e>n1e */) { res.push_back(n1); } if (n2sn1e) { /* * Do nothing since in this case network n2 is bigger than n1 and n1 * is totally eclipsed by n2. Result is empty list. */ ; } return res; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/InetAddrMask.h000066400000000000000000000110401303637203600242020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* * This class is a holder of a pair address / netmask. * It can act both as a container for the address/netmask configuration * data (such as for an interface) or as a network. * * TODO(vadim): need better name. InetNetwork ? 
InetAddrMaskPair ? */ #ifndef __INETADDRMASK_HH_FLAG__ #define __INETADDRMASK_HH_FLAG__ #include #include #ifndef _WIN32 # include # include # include # include #else # include #endif #include "fwbuilder/FWException.h" #include "fwbuilder/InetAddr.h" namespace libfwbuilder { class InetAddrMask; std::vector getOverlap(const InetAddrMask &n1, const InetAddrMask &n2); std::vector substract(const InetAddrMask &n1, const InetAddrMask &n2); std::vector convertAddressRange(const InetAddr &start, const InetAddr &end); bool _convert_range_to_networks(const InetAddr &start, const InetAddr &end, std::vector &res); class InetAddrMask { protected: InetAddr* address; InetAddr* netmask; InetAddr* broadcast_address; InetAddr* network_address; InetAddr* last_host; explicit InetAddrMask(bool no_address); public: InetAddrMask(); InetAddrMask(const InetAddr&, const InetAddr&); InetAddrMask(const std::string &s) throw(FWException); InetAddrMask(const InetAddrMask&); virtual ~InetAddrMask(); void setNetworkAndBroadcastAddress(); virtual const InetAddr* getAddressPtr() const { return address; } virtual const InetAddr* getNetmaskPtr() const { return netmask; } virtual const InetAddr* getNetworkAddressPtr() const { return network_address; } virtual const InetAddr* getBroadcastAddressPtr() const { return broadcast_address; } const InetAddr* getFirstHostPtr() const { return network_address;} const InetAddr* getLastHostPtr() const{ return last_host;} virtual void setAddress(const InetAddr &a); virtual void setNetmask(const InetAddr &nm); virtual unsigned int dimension() const; bool isAny(); InetAddrMask& operator=(const InetAddrMask &o); bool operator<(const InetAddrMask &b); friend bool operator==(const InetAddrMask &a, const InetAddrMask &b); friend bool operator<(const InetAddrMask &a, const InetAddrMask &b); virtual std::string toString() const { return address->toString()+"/"+netmask->toString(); } bool belongs(const InetAddr &) const; /** * calculates overlapping part of two networks n1 
and * n2. Overlapping part is defined as in sets: if we think of * networks as sets of addresses, then intersection contains all * addresses that belong to both networks */ friend std::vector getOverlap(const InetAddrMask &n1, const InetAddrMask &n2); /** * substract network n2 from the network n1. The meaning of this * operation is opposite to getOverlap: it returns all addresses * that belong to n1 but do not belong to n2 */ friend std::vector substract(const InetAddrMask &n1, const InetAddrMask &n2); /** * converts address range (defined by its start and end) to a * bunch of networks */ friend std::vector convertAddressRange(const InetAddr &start, const InetAddr &end); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Interface.cpp000066400000000000000000000350111303637203600241330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Host.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Resources.h" using namespace std; using namespace libfwbuilder; const char *Interface::TYPENAME={"Interface"}; Interface::Interface(const Interface &i):Address() { FWObject::operator=(i); bcast_bits = i.bcast_bits ; ostatus = i.ostatus ; snmp_type = i.snmp_type ; } Interface::Interface():Address() { setName("unknown"); setBool("dyn", false); setBool("unnum", false); setBool("unprotected", false); setBool("dedicated_failover", false); setInt("security_level",0); bcast_bits = 1 ; ostatus = true ; snmp_type = -1 ; } Interface::~Interface() {} /** * Add reference to given object. In case of an Interface this only * makes sense in terms of adding @obj as a network zone. */ void Interface::addRef(FWObject *obj) { setStr("network_zone", FWObjectDatabase::getStringId(obj->getId())); } /** * Removes reference to given object among children of 'this'. In case * of Interface we check if @obj is used as network zone. 
*/ void Interface::removeRef(FWObject *obj) { string netzone_id = getStr("network_zone"); FWObject *netzone = getRoot()->findInIndex( FWObjectDatabase::getIntId(netzone_id)); if (obj == netzone) setStr("network_zone", ""); } FWObject& Interface::shallowDuplicate(const FWObject *o, bool preserve_id) throw(FWException) { FWObject::shallowDuplicate(o,preserve_id); if (Interface::isA(o)) { bcast_bits = Interface::constcast(o)->bcast_bits ; ostatus = Interface::constcast(o)->ostatus ; snmp_type = Interface::constcast(o)->snmp_type ; } return *this; } FWObject& Interface::duplicate(const FWObject *x, bool preserve_id) throw(FWException) { FWObject::duplicate(x, preserve_id); const Interface *rx = Interface::constcast(x); if (rx!=NULL) { bcast_bits = rx->bcast_bits; ostatus = rx->ostatus; snmp_type = rx->snmp_type; } return *this; } void Interface::duplicateWithIdMapping(const FWObject *src, map &id_mapping, bool preserve_id) { assert(src->getTypeName() == Interface::TYPENAME); checkReadOnly(); shallowDuplicate(src, preserve_id); destroyChildren(); for(list::const_iterator m=src->begin(); m!=src->end(); ++m) { FWObject *src_obj = *m; FWObject *dst_obj_copy = addCopyOf(src_obj, preserve_id); if (src_obj!=NULL && dst_obj_copy!=NULL) id_mapping[src_obj->getId()] = dst_obj_copy->getId(); } setDirty(true); } bool Interface::cmp(const FWObject *obj, bool recursive) throw(FWException) { const Interface *rx = Interface::constcast(obj); if (rx == NULL) return false; if (bcast_bits != rx->bcast_bits || ostatus != rx->ostatus || snmp_type != rx->snmp_type) return false; return FWObject::cmp(obj, recursive); } void Interface::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n; n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("security_level"))); if (n!=NULL) { setStr("security_level",n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("dyn"))); if (n!=NULL) { setStr("dyn",n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("unnum"))); if 
(n!=NULL) { setStr("unnum",n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("unprotected"))); if (n!=NULL) { setStr("unprotected",n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("dedicated_failover"))); if (n!=NULL) { setStr("dedicated_failover",n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("mgmt"))); if (n!=NULL) { setStr("mgmt",n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("label"))); if (n!=NULL) { setStr("label",n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("network_zone"))); if (n!=NULL) { setStr("network_zone", n); FREEXMLBUFF(n); } } /* * */ xmlNodePtr Interface::toXML(xmlNodePtr parent) throw(FWException) { // DTD prohibits empty network_zone attribute if (exists("network_zone") && getStr("network_zone").empty()) remStr("network_zone"); xmlNodePtr me = FWObject::toXML(parent, false); FWObject *o; xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? 
"True" : "False"))); for(FWObjectTypedChildIterator j1=findByType(IPv4::TYPENAME); j1!=j1.end(); ++j1) { if ((o=(*j1))!=NULL ) o->toXML(me); } for(FWObjectTypedChildIterator j1=findByType(IPv6::TYPENAME); j1!=j1.end(); ++j1) { if ((o=(*j1))!=NULL ) o->toXML(me); } for(FWObjectTypedChildIterator j2=findByType(physAddress::TYPENAME); j2!=j2.end(); ++j2) { if ((o=(*j2))!=NULL ) o->toXML(me); } o = getFirstByType(InterfaceOptions::TYPENAME); if (o) o->toXML(me); /* * serialize sub-interfaces (only for interfaces with advanced interface * config mode enabled) */ for(FWObjectTypedChildIterator j1=findByType(Interface::TYPENAME); j1!=j1.end(); ++j1) { if((o=(*j1))!=NULL) o->toXML(me); } /* * serialize ClusterGroup members (if any) */ o = getFirstByType(FailoverClusterGroup::TYPENAME); if (o) o->toXML(me); o = getFirstByType(AttachedNetworks::TYPENAME); if (o) o->toXML(me); return me; } FWOptions* Interface::getOptionsObject() { FWOptions *iface_opt = FWOptions::cast(getFirstByType(InterfaceOptions::TYPENAME)); if (iface_opt == NULL) { iface_opt = FWOptions::cast(getRoot()->create(InterfaceOptions::TYPENAME)); add(iface_opt); // set default interface options const FWObject *parent_host = Host::getParentHost(this); if (parent_host != NULL) { const string host_OS = parent_host->getStr("host_OS"); try { Resources::setDefaultIfaceOptions(host_OS, this); } catch (FWException &ex) { // Resources::setDefaultIfaceOptions throws exception if it can't // find resources module for the given host OS. 
; } } } return iface_opt; } FWOptions* Interface::getOptionsObjectConst() const { FWOptions *iface_opt = FWOptions::cast(getFirstByType(InterfaceOptions::TYPENAME)); if (iface_opt == NULL) cerr << "Interface " << getName() << " (" << getPath() << ") " << " has no options object; late initialization failure" << endl; return iface_opt; } int Interface::getSecurityLevel() const { return getInt("security_level") ; } void Interface::setSecurityLevel(int level) { setInt("security_level",level); } void Interface::setDyn(bool value) { setBool("dyn",value); } bool Interface::isDyn() const { return(getBool("dyn")); } void Interface::setUnnumbered(bool value) { setBool("unnum",value); } bool Interface::isUnnumbered() const { return getBool("unnum"); } void Interface::setUnprotected(bool value) { setBool("unprotected",value); } bool Interface::isUnprotected() const { return getBool("unprotected") || getBool("dedicated_failover"); } void Interface::setDedicatedFailover(bool value) { setBool("dedicated_failover",value); } bool Interface::isDedicatedFailover() const { return getBool("dedicated_failover"); } void Interface::setManagement(bool value) { setBool("mgmt",value); } bool Interface::isManagement() const { return (getBool("mgmt")); } void Interface::setOStatus(bool value) { ostatus=value; } void Interface::setInterfaceType(int _snmp_type) { snmp_type=_snmp_type; } void Interface::setBroadcastBits(int _val) { bcast_bits=_val; } bool Interface::validateChild(FWObject *o) { string otype=o->getTypeName(); if (otype==Interface::TYPENAME) { // Interface with subinterfaces is not allowed (DTD allows only one // level of subinterfaces) if (Interface::isA(getParent())) return false; list il = o->getByType(Interface::TYPENAME); return (il.size() == 0); } return (otype==IPv4::TYPENAME || otype==IPv6::TYPENAME || otype==physAddress::TYPENAME || otype==InterfaceOptions::TYPENAME || otype==FailoverClusterGroup::TYPENAME || otype==AttachedNetworks::TYPENAME); } /* * I get options obect 
directly instead of calling getOptionsObject() * because that method tries to add options object if it is missing, * which means @this can not be const. */ bool Interface::isBridgePort() const { string my_type; FWOptions *iface_opt = getOptionsObjectConst(); if (iface_opt) my_type = iface_opt->getStr("type"); Interface *parent = Interface::cast(getParent()); return ((my_type.empty() || my_type == "ethernet") && parent && parent->getOptionsObject()->getStr("type") == "bridge"); } bool Interface::isSlave() const { string my_type; FWOptions *iface_opt = getOptionsObjectConst(); if (iface_opt) my_type = iface_opt->getStr("type"); Interface *parent = Interface::cast(getParent()); return ((my_type.empty() || my_type == "ethernet") && parent && parent->getOptionsObject()->getStr("type") == "bonding"); } bool Interface::isLoopback() const { const Address *iaddr = getAddressObject(); if (iaddr) { return (iaddr && *(iaddr->getAddressPtr()) == InetAddr::getLoopbackAddr()); } /* just a little flexibility in case this is a cluster interface: it * should be considered loopback if corresponding member * interfaces are loopbacks themselves even if it has no address */ if (isFailoverInterface()) { FailoverClusterGroup *failover_group = FailoverClusterGroup::cast( getFirstByType(FailoverClusterGroup::TYPENAME)); if (failover_group) { bool all_loopbacks = true; for (FWObjectTypedChildIterator it = failover_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { Interface *iface = Interface::cast(FWObjectReference::getObject(*it)); assert(iface); if (!iface->isLoopback()) { all_loopbacks = false; break; } } return all_loopbacks; } } return false; } physAddress* Interface::getPhysicalAddress () const { return physAddress::cast( getFirstByType( physAddress::TYPENAME ) ); } /* * per DTD, there can be 0 or 1 physAddress */ void Interface::setPhysicalAddress(const std::string &paddr) { physAddress *pa=getPhysicalAddress(); if (pa!=NULL) { pa->setPhysAddress(paddr); } else { 
pa = getRoot()->createphysAddress(); pa->setPhysAddress(paddr); add(pa); } } const string& Interface::getLabel() const { return getStr("label"); } void Interface::setLabel(const string& n) { setStr("label",n); } const Address* Interface::getAddressObject() const { Address *res = Address::cast(getFirstByType(IPv4::TYPENAME)); if (res==NULL) res = Address::cast(getFirstByType(IPv6::TYPENAME)); return res; } IPv4* Interface::addIPv4() { IPv4* ipv4 = getRoot()->createIPv4(); add(ipv4); return ipv4; } IPv6* Interface::addIPv6() { IPv6* ipv6 = getRoot()->createIPv6(); add(ipv6); return ipv6; } int Interface::countInetAddresses(bool skip_loopback) const { if (skip_loopback && isLoopback()) return 0; int res = 0; for(FWObjectTypedChildIterator j=findByType(IPv4::TYPENAME); j!=j.end(); ++j) res++; for(FWObjectTypedChildIterator j=findByType(IPv6::TYPENAME); j!=j.end(); ++j) res++; return res; } bool Interface::isFailoverInterface() const { return getFirstByType(FailoverClusterGroup::TYPENAME) != NULL; } void Interface::replaceReferenceInternal(int old_id, int new_id, int &counter) { if (old_id == new_id) return; FWObject::replaceReferenceInternal(old_id, new_id, counter); string nzid = getStr("network_zone"); if (!nzid.empty()) { int nzid_int = FWObjectDatabase::getIntId(nzid); if (nzid_int == old_id) { setStr("network_zone", FWObjectDatabase::getStringId(new_id)); counter++; } } } /* * finds all interfaces of the host (or firewall, since class Firewall * inherits Host) without scanning whole tree rooted at this. This is * more efficient than calling getByTypeDeep() when firewall has lots * of rules. 
*/ void Interface::findAllInterfaces(FWObject *obj, list &interfaces) { for (FWObjectTypedChildIterator it = obj->findByType(Interface::TYPENAME); it != it.end(); ++it) { interfaces.push_back(*it); findAllInterfaces(*it, interfaces); } } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Interface.h000066400000000000000000000167721303637203600236150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __INTERFACE_HH_FLAG__ #define __INTERFACE_HH_FLAG__ #include #include "fwbuilder/Address.h" #include "fwbuilder/physAddress.h" #include "fwbuilder/FWException.h" #include "fwbuilder/ObjectMatcher.h" #include "fwbuilder/FWOptions.h" namespace libfwbuilder { class IPv4; class IPv6; class Interface : public Address { private: /* * @param _bcast_bits The value of the least-significant bit in the IP * broadcast address used for sending datagrams on * the (logical) interface associated with the IP * address of this entry. For example, when the * Internet standard all-ones broadcast address is * used, the value will be 1. This value applies to * both the subnet and network broadcasts addresses * used by the entity on this (logical) interface." 
* * @param _snmp_type type of interface, as described in RFC-1213 under * 'ifType' variable description. * @param _ostatus, interface operational status. 'true' means up. * * These attrbites are not stored in XML yet. */ int bcast_bits; bool ostatus; int snmp_type; protected: virtual void replaceReferenceInternal(int oldfw_id, int newfw_id, int &counter); public: Interface(); Interface(const Interface &i); virtual ~Interface(); /** * Removes reference to given object among * children of 'this'. In case of an Interface, we should check for * if the reference to @obj is used as a network zone. */ virtual void removeRef(FWObject *obj); /** * Add reference to given object to 'this'. In case of an Interface, * add @obj as a network zone. */ virtual void addRef(FWObject *obj); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool validateChild(FWObject *o); virtual FWOptions* getOptionsObject(); virtual FWOptions* getOptionsObjectConst() const; DECLARE_FWOBJECT_SUBTYPE(Interface); DECLARE_DISPATCH_METHODS(Interface); /** * each interface must be associated with some security level. Level * is described by interger number between 0 and 100, with 0 being * least secure and 100 most secure levels. By default class Interface * assigns value of 0 to its security level. */ int getSecurityLevel() const; void setSecurityLevel(int level); /** * set and check 'dyn' attribute - for interfaces that get their * IP address dynamically */ void setDyn(bool value); bool isDyn() const ; /** * set and check 'unnum' attribute - for unnumbered interfaces */ void setUnnumbered(bool value); bool isUnnumbered() const ; /** * Check if this is a bridge port. Bridge port is an * interfaces with type "ethernet" that is a child of an * interface with type "bridge". Type is defined in the * InterfaceOptions object. 
This is different from how it was * in v3.0.x where bridge port was defined by an attribute * "bridgeport" of the interface object. There is no * automatic conversion! User must conver their bridge port * interfaces manually by dragging them under the bridge * interface (typically br0) and setting the type * appropriately. * */ bool isBridgePort() const; /** * Check if this is a slave of bonding interface. Slave is an * interfaces with type "ethernet" that is a child of an * interface with type "bonding". Type is defined in the * InterfaceOptions object. */ bool isSlave() const; /** * we often need to check if this is a regular interface * Equivalent to (!isDyn() && !isUnnumbered() && !isBridgePort()) */ bool isRegular() const { return (!isDyn() && !isUnnumbered() && !isBridgePort()); } /** * set and check 'unprotected' attribute - for interfaces that * should not have any ACLs or policy rules */ void setUnprotected(bool value); bool isUnprotected() const ; void setDedicatedFailover(bool value); bool isDedicatedFailover() const; void setManagement(bool value); bool isManagement() const; bool isUp () const { return ostatus; } void setOStatus(bool value); bool isFailoverInterface() const; void setInterfaceType(int _snmp_type); int getInterfaceType() const { return snmp_type; } void setBroadcastBits(int _val); /** * returns true if interface is loopback. 
Should work correctly * for both ipv4 and ipv6 (some day) */ bool isLoopback() const; IPv4* addIPv4(); IPv6* addIPv6(); physAddress* getPhysicalAddress () const; void setPhysicalAddress(const std::string &pa); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); virtual FWObject& duplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); void duplicateWithIdMapping(const FWObject *src, std::map &id_mapping, bool preserve_id); const std::string &getLabel() const; void setLabel(const std::string& n); virtual const Address* getAddressObject() const; virtual unsigned int dimension() const { return 1; } /** * similar to hasInetAddress() but counts addresses */ virtual int countInetAddresses(bool skip_loopback) const; virtual bool isPrimaryObject() const { return false; } /** * finds all interfaces of the host (or firewall, since class * Firewall inherits Host) without scanning whole tree rooted * at this. This is more efficient than calling * getByTypeDeep() when firewall has lots of rules. */ static void findAllInterfaces(FWObject *obj, std::list &interfaces); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/InterfaceData.cpp000066400000000000000000000066071303637203600247360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "InterfaceData.h" #include "fwbuilder/Resources.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include using namespace libfwbuilder; using namespace std; InterfaceData::InterfaceData() : addr_mask() { ext = false; isDyn = false; isUnnumbered = false; isBridgePort = false; securityLevel = 0; snmp_type = 0; ostatus = 0; } InterfaceData::InterfaceData(const InterfaceData& other) : addr_mask() { id = other.id; name = other.name; label = other.label; if (other.addr_mask.size()) { for (list::const_iterator i=other.addr_mask.begin(); i!=other.addr_mask.end(); ++i) { InetAddrMask *am; const InetAddr *ad = (*i)->getAddressPtr(); const InetAddr *nm = (*i)->getNetmaskPtr(); if (ad==NULL) continue; if (ad->isV6()) { am = new Inet6AddrMask(); am->setAddress(*(ad)); am->setNetmask(*(nm)); } else am = new InetAddrMask(*(*i)); addr_mask.push_back(am); } } ext = other.ext; isDyn = other.isDyn; isUnnumbered = other.isUnnumbered; isBridgePort = other.isBridgePort; securityLevel = other.securityLevel; mac_addr = other.mac_addr; snmp_type = other.snmp_type; ostatus = other.ostatus; } InterfaceData::InterfaceData(const Interface &iface) : addr_mask() { id = iface.getId(); name = iface.getName(); IPv4 *addr = IPv4::cast(iface.getFirstByType(IPv4::TYPENAME)); if (addr) { addr_mask.push_back(new InetAddrMask(*(addr->getAddressPtr()), *(addr->getNetmaskPtr()))); } IPv6 *addr6 = IPv6::cast(iface.getFirstByType(IPv6::TYPENAME)); if (addr6) { addr_mask.push_back(new Inet6AddrMask(*(addr6->getAddressPtr()), *(addr6->getNetmaskPtr()))); } securityLevel = iface.getSecurityLevel(); isDyn = iface.isDyn(); isUnnumbered = iface.isUnnumbered(); isBridgePort = iface.isBridgePort(); libfwbuilder::physAddress *pa = 
iface.getPhysicalAddress(); if (pa!=NULL) mac_addr = pa->getPhysAddress(); label = iface.getLabel(); networkZone = iface.getStr("network_zone"); } InterfaceData::~InterfaceData() { // TODO: memory leak! need to delete items in the list addr_mask. addr_mask.clear(); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/InterfaceData.h000066400000000000000000000034171303637203600243770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __INTERFACE_DATA_HH_ #define __INTERFACE_DATA_HH_ #include "fwbuilder/Interface.h" #include "fwbuilder/physAddress.h" #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/Inet6AddrMask.h" #include namespace libfwbuilder { class InterfaceData { public: std::string id; std::string name; std::list addr_mask; bool ext; int snmp_type; int ostatus; int securityLevel; bool isDyn; bool isUnnumbered; bool isBridgePort; std::string mac_addr; std::string label; std::string networkZone; std::string interface_type; int vlan_id; std::list subinterfaces; InterfaceData(); InterfaceData(const InterfaceData& other); InterfaceData(const libfwbuilder::Interface &iface); virtual ~InterfaceData(); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Interval.cpp000066400000000000000000000166331303637203600240300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Interval.h" #include "fwbuilder/FWIntervalReference.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWObjectDatabase.h" #include using namespace libfwbuilder; const char *Interval::TYPENAME={"Interval"}; Interval::Interval() { setInt("from_minute", -1); setInt("from_hour", -1); setInt("from_day", -1); setInt("from_month", -1); setInt("from_year", -1); setInt("from_weekday", -1); setInt("to_minute", -1); setInt("to_hour", -1); setInt("to_day", -1); setInt("to_month", -1); setInt("to_year", -1); setInt("to_weekday", -1); setStr("days_of_week", ""); } std::string Interval::constructDaysOfWeek(int sdayofweek, int edayofweek) { std::ostringstream ostr; if (sdayofweek<0) sdayofweek=0; if (sdayofweek>6) sdayofweek=6; // if both start and end day are -1, need to // generate "sun,mon,tue,wed,thu,fri,sat" if (edayofweek<0) edayofweek=6; if (edayofweek>6) edayofweek=6; bool first=true; bool inside_interval = false; int day=0; while (1) { if (!inside_interval && day==sdayofweek) inside_interval=true; if (inside_interval) { if (!first) ostr << ","; first=false; ostr << day; // if sdayofweek==edayofweek print one day if (day==edayofweek) break; } if (++day>6) day=0; } return ostr.str(); } void Interval::setStartTime(int min,int hour,int day,int month,int year,int dayofweek) { setInt("from_minute", min); setInt("from_hour", hour); setInt("from_day", day); setInt("from_month", month); setInt("from_year", year); setInt("from_weekday", dayofweek); setStr("days_of_week", constructDaysOfWeek(dayofweek,getInt("to_weekday"))); } void Interval::setEndTime(int min,int hour,int day,int month,int year,int dayofweek) { setInt("to_minute", min); setInt("to_hour", hour); setInt("to_day", day); setInt("to_month", month); setInt("to_year", year); 
setInt("to_weekday", dayofweek); setStr("days_of_week", constructDaysOfWeek(getInt("from_weekday"),dayofweek)); } void Interval::setStartTime(int min,int hour,int day,int month,int year) { setInt("from_minute", min); setInt("from_hour", hour); setInt("from_day", day); setInt("from_month", month); setInt("from_year", year); } void Interval::setEndTime(int min,int hour,int day,int month,int year) { setInt("to_minute", min); setInt("to_hour", hour); setInt("to_day", day); setInt("to_month", month); setInt("to_year", year); } void Interval::setDaysOfWeek(const std::string &days_of_week) { setStr("days_of_week", days_of_week); } void Interval::getStartTime(int *min,int *hour,int *day,int *month,int *year,int *dayofweek) const { *min=getInt("from_minute"); *hour=getInt("from_hour"); *day=getInt("from_day"); *month=getInt("from_month"); *year=getInt("from_year"); *dayofweek=getInt("from_weekday"); } void Interval::getEndTime(int *min,int *hour,int *day,int *month,int *year,int *dayofweek) const { *min=getInt("to_minute"); *hour=getInt("to_hour"); *day=getInt("to_day"); *month=getInt("to_month"); *year=getInt("to_year"); *dayofweek=getInt("to_weekday"); } /** * Returns a string, a comma separated list of day numbers. 
Sunday is * day "0" */ std::string Interval::getDaysOfWeek() { std::string days_of_week = getStr("days_of_week"); int sdayofweek = getInt("from_weekday"); int edayofweek = getInt("to_weekday"); if (!days_of_week.empty()) return getStr("days_of_week"); if (sdayofweek!=-1 || edayofweek!=-1) // Old school representation of the days of week return constructDaysOfWeek(sdayofweek, edayofweek); return ""; } void Interval::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n; n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("from_minute"))); if (n!=NULL) { setStr("from_minute", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("from_hour"))); if (n!=NULL) { setStr("from_hour", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("from_day"))); if (n!=NULL) { setStr("from_day", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("from_month"))); if (n!=NULL) { setStr("from_month", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("from_year"))); if (n!=NULL) { setStr("from_year", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("from_weekday"))); if (n!=NULL) { setStr("from_weekday", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("to_minute"))); if (n!=NULL) { setStr("to_minute", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("to_hour"))); if (n!=NULL) { setStr("to_hour", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("to_day"))); if (n!=NULL) { setStr("to_day", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("to_month"))); if (n!=NULL) { setStr("to_month", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("to_year"))); if (n!=NULL) { setStr("to_year", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("to_weekday"))); if (n!=NULL) { setStr("to_weekday", n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("days_of_week"))); if (n!=NULL) { setStr("days_of_week", n); FREEXMLBUFF(n); } else { 
setStr("days_of_week", constructDaysOfWeek(getInt("from_weekday"), getInt("to_weekday"))); } } xmlNodePtr Interval::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); return me; } FWReference* Interval::createRef() { // FWIntervalReference *ref=new FWIntervalReference(); FWIntervalReference *ref = getRoot()->createFWIntervalReference(); ref->setPointer(this); return ref; } bool Interval::isAny() const { return getId()==FWObjectDatabase::ANY_INTERVAL_ID; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Interval.h000066400000000000000000000040271303637203600234670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __INTERVAL_HH_FLAG__ #define __INTERVAL_HH_FLAG__ #include "fwbuilder/FWObject.h" namespace libfwbuilder { class Interval : public FWObject { std::string constructDaysOfWeek(int from_dayofweek, int to_dayofweek); public: Interval(); void setStartTime(int min,int hour,int day,int month,int year,int dayofweek); void setEndTime(int min,int hour,int day,int month,int year,int dayofweek); void setStartTime(int min,int hour,int day,int month,int year); void setEndTime(int min,int hour,int day,int month,int year); void setDaysOfWeek(const std::string &days_of_week); void getStartTime(int *min,int *hour,int *day,int *month,int *year,int *dayofweek) const; void getEndTime(int *min,int *hour,int *day,int *month,int *year,int *dayofweek) const; std::string getDaysOfWeek(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(Interval); DECLARE_DISPATCH_METHODS(Interval); virtual FWReference* createRef(); bool isAny() const; virtual bool isPrimaryObject() const { return true; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/IntervalGroup.cpp000066400000000000000000000046701303637203600250430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/IntervalGroup.h" #include "fwbuilder/Interval.h" #include "fwbuilder/FWIntervalReference.h" #include "fwbuilder/FWObjectDatabase.h" using namespace std; using namespace libfwbuilder; const char *IntervalGroup::TYPENAME={"IntervalGroup"}; IntervalGroup::IntervalGroup() : Group() {} IntervalGroup::~IntervalGroup() {} bool IntervalGroup::validateChild(FWObject *o) { FWObject *oo = o; if (FWObjectReference::cast(o)!=NULL) oo = FWObjectReference::cast(o)->getPointer(); string otype = oo->getTypeName(); return (FWObject::validateChild(o) && (otype=="Interval" || otype=="IntervalGroup" || otype=="IntervalRef" )); } FWReference* IntervalGroup::createRef() { // FWIntervalReference *ref=new FWIntervalReference(); FWIntervalReference *ref = getRoot()->createFWIntervalReference(); ref->setPointer(this); return ref; } xmlNodePtr IntervalGroup::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? 
"True" : "False"))); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } void IntervalGroup::getAllowedTypesOfChildren(std::list &types_list) { types_list.clear(); types_list.push_back(Interval::TYPENAME); types_list.push_back(FWIntervalReference::TYPENAME); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/IntervalGroup.h000066400000000000000000000032421303637203600245020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __INTERVALGROUP_HH_FLAG__ #define __INTERVALGROUP_HH_FLAG__ #include "fwbuilder/Group.h" namespace libfwbuilder { class IntervalGroup : public Group { public: IntervalGroup(); virtual ~IntervalGroup(); DECLARE_FWOBJECT_SUBTYPE(IntervalGroup); DECLARE_DISPATCH_METHODS(IntervalGroup); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); /* * verify whether given object type is approppriate as a child */ virtual bool validateChild(FWObject *o); virtual FWReference* createRef(); /** * get the list of object type names that can be inserted into * given object group. This reflects definition of the group XML * element in DTD. 
*/ virtual void getAllowedTypesOfChildren(std::list &types_list); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Library.cpp000066400000000000000000000036621303637203600236460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Library.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; using namespace std; const char *Library::TYPENAME={"Library"}; Library::Library() {} Library::~Library() { } bool Library::validateChild(FWObject*) { return true; // anything goes } void Library::fromXML(xmlNodePtr root) throw(FWException) { const char *n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("color"))); if(n!=NULL) // color is not a mandatory attribute { setStr("color", n); FREEXMLBUFF(n); } FWObject::fromXML(root); } xmlNodePtr Library::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? 
"True" : "False"))); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Library.h000066400000000000000000000027651303637203600233160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* * $Id$ */ #ifndef __LIBRARY_HH_FLAG__ #define __LIBRARY_HH_FLAG__ #include "fwbuilder/Group.h" namespace libfwbuilder { class Library : public Group { protected: public: Library(); virtual ~Library(); DECLARE_FWOBJECT_SUBTYPE(Library); DECLARE_DISPATCH_METHODS(Library); virtual void fromXML (xmlNodePtr xml_parent_node) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); /* * verify whether given object type is approppriate as a child */ virtual bool validateChild(FWObject *o); virtual bool isPrimaryObject() const { return true; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Logger.cpp000066400000000000000000000077411303637203600234630ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include #include #include #include #include #ifndef _WIN32 #include #endif #include #include #include #include "fwbuilder/BackgroundOp.h" using namespace std; using namespace libfwbuilder; /* Logger &libfwbuilder::start(Logger &l) { l.line_lock.lock(); return l; } Logger &libfwbuilder::end(Logger &l) { l.line_lock.unlock(); return l; } */ void Logger::blackhole() { line_lock.lock(); blackhole_mode = true; copy_to_stderr = false; line_lock.unlock(); } Logger& NullLogger::operator<< (char ) { return *this;} Logger& NullLogger::operator<< (char*) { return *this;} Logger& NullLogger::operator<< (const char*) { return *this;} Logger& NullLogger::operator<< (const string&) { return *this;} Logger& NullLogger::operator<< (int) { return *this;} Logger& NullLogger::operator<< (long) { return *this;} Logger& NullLogger::operator<< (std::ostringstream&) { return *this;} QueueLogger::QueueLogger() {} Logger& QueueLogger::operator<< (char c) { if (blackhole_mode) return *this; if (copy_to_stderr) cerr << c; std::ostringstream str; str << c; *this << str; return *this; } Logger& QueueLogger::operator<< (char *str) { if (blackhole_mode) return *this; if (copy_to_stderr) cerr << str; line_lock.lock(); linequeue.push(str); line_lock.unlock(); return *this; } Logger& QueueLogger::operator<< (const char *str) { if (blackhole_mode) return *this; if 
(copy_to_stderr) cerr << str; line_lock.lock(); linequeue.push(str); line_lock.unlock(); return *this; } Logger& QueueLogger::operator<< (const string &str) { if (blackhole_mode) return *this; if (copy_to_stderr) cerr << str; line_lock.lock(); linequeue.push(str); line_lock.unlock(); return *this; } Logger& QueueLogger::operator<< (int i ) { if (blackhole_mode) return *this; if (copy_to_stderr) cerr << i; std::ostringstream str; str << i; *this << str; return *this; } Logger& QueueLogger::operator<< (long l ) { if (blackhole_mode) return *this; if (copy_to_stderr) cerr << l; std::ostringstream str; str << l; *this << str; return *this; } Logger& QueueLogger::operator<< (std::ostringstream &sstr) { if (blackhole_mode) return *this; if (copy_to_stderr) cerr << sstr.str(); line_lock.lock(); linequeue.push(sstr.str()); line_lock.unlock(); sstr.str(""); // purge stream contents return *this; } bool QueueLogger::ready() { if (blackhole_mode) return false; bool res=false; line_lock.lock(); res=(!linequeue.empty()); line_lock.unlock(); return res; } string QueueLogger::getLine() { if (blackhole_mode) return ""; string str; line_lock.lock(); if(!linequeue.empty()) { str=linequeue.front(); linequeue.pop(); } line_lock.unlock(); return str; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Logger.h000066400000000000000000000056731303637203600231320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __LOGGER_HH_FLAG__ #define __LOGGER_HH_FLAG__ #include #include "fwbuilder/FWException.h" #include "fwbuilder/Tools.h" #include "fwbuilder/ThreadTools.h" namespace libfwbuilder { class Logger { protected: Mutex line_lock; bool blackhole_mode; bool copy_to_stderr; public: Logger() { blackhole_mode=false; copy_to_stderr=false; } virtual ~Logger() {}; virtual Logger& operator<< (char c) = 0; virtual Logger& operator<< (char *str) = 0; virtual Logger& operator<< (const char *str) = 0; virtual Logger& operator<< (const std::string &str) = 0; virtual Logger& operator<< (int i ) = 0; virtual Logger& operator<< (long l ) = 0; virtual Logger& operator<< (std::ostringstream &sstr) = 0; // Manipulator virtual Logger& operator<< (Logger&(*f)(Logger &l)) { return f(*this); } virtual bool ready() { return true; } virtual std::string getLine() { return std::string(""); } void blackhole(); void copyToStderr() { copy_to_stderr=true; } }; class NullLogger:public Logger { public: virtual Logger& operator<< (char c) ; virtual Logger& operator<< (char *str) ; virtual Logger& operator<< (const char *str) ; virtual Logger& operator<< (const std::string &str) ; virtual Logger& operator<< (int i ) ; virtual Logger& operator<< (long l ) ; virtual Logger& operator<< (std::ostringstream &sstr); }; class QueueLogger:public Logger { private: std::queue linequeue; public: QueueLogger(); virtual Logger& operator<< (char c) ; virtual Logger& operator<< (char *str) ; virtual Logger& operator<< (const char *str) ; virtual Logger& operator<< (const std::string &str) ; virtual Logger& operator<< (int i ) ; virtual Logger& operator<< (long l ) ; virtual Logger& operator<< (std::ostringstream &sstr); virtual bool ready(); virtual std::string getLine(); }; } #endif 
fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Management.cpp000066400000000000000000000301021303637203600243030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Tools.h" #include "fwbuilder/Management.h" #include "fwbuilder/XMLTools.h" #include using namespace std; using namespace libfwbuilder; // --- Management --- const char *Management::TYPENAME={"Management"}; Management::Management() { // This object does not have standard attributes setId(-1); } void Management::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("address"))); if (!n) { throw FWException( "Missing required address attribute in Management element"); } try { addr = InetAddr(n); FREEXMLBUFF(n); } catch(FWException &ex) { // try ipv6 try { addr = InetAddr(AF_INET6, n); FREEXMLBUFF(n); } catch(FWException &ex) { FREEXMLBUFF(n); throw FWException( string("Invalid address attribute in Management element: ") + ex.toString()); } } } xmlNodePtr Management::toXML(xmlNodePtr parent) throw(FWException) { setId(-1); setStr("address", addr.toString()); xmlNodePtr me 
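= FWObject::toXML(parent, false);

    // The three sub-objects are serialised by hand so they always appear in
    // the same order. They are written even when empty: the isEmpty() guards
    // are deliberately left commented out.
    SNMPManagement *sm = getSNMPManagement();
    sm->toXML(me);
    // if(!sm->isEmpty()) sm->toXML(me);

    FWBDManagement *fm = getFWBDManagement();
    fm->toXML(me);
    // if(!fm->isEmpty()) fm->toXML(me);

    PolicyInstallScript *pi = getPolicyInstallScript();
    pi->toXML(me);
    // if(!pi->isEmpty()) pi->toXML(me);

    return me;
}

/*
 * Two Management objects are equal when obj is a Management, the base
 * objects compare equal, and the management addresses match.
 */
bool Management::cmp(const FWObject *obj, bool recursive) throw(FWException)
{
    if (Management::constcast(obj) == NULL) return false;
    if (!FWObject::cmp(obj, recursive)) return false;
    const Management *o2 = Management::constcast(obj);
    return (addr == o2->addr);
}

/* Only the three management sub-object types may be children of Management. */
bool Management::validateChild(FWObject *o)
{
    string otype = o->getTypeName();
    return (otype == SNMPManagement::TYPENAME ||
            otype == FWBDManagement::TYPENAME ||
            otype == PolicyInstallScript::TYPENAME);
}

/*
 * Copy the management address from o, then the base-object attributes.
 * Callers must pass a Management: the cast result is not NULL-checked.
 */
FWObject& Management::shallowDuplicate(const FWObject *o, bool preserve_id) throw(FWException)
{
    const Management *other = dynamic_cast<const Management*>(o);
    addr = other->getAddress();
    FWObject::shallowDuplicate(o, preserve_id);
    return *this;
}

/*
 * True when every sub-object is absent or empty and the address is "any".
 */
bool Management::isEmpty() const
{
    const SNMPManagement *sm = dynamic_cast<const SNMPManagement*>(
        getFirstByType(SNMPManagement::TYPENAME));
    const FWBDManagement *fm = dynamic_cast<const FWBDManagement*>(
        getFirstByType(FWBDManagement::TYPENAME));
    const PolicyInstallScript *pi = dynamic_cast<const PolicyInstallScript*>(
        getFirstByType(PolicyInstallScript::TYPENAME));
    return (!pi || pi->isEmpty()) &&
           (!sm || sm->isEmpty()) &&
           (!fm || fm->isEmpty()) &&
           addr.isAny();
}

/* Return the PolicyInstallScript child, creating and adding one if absent. */
PolicyInstallScript *Management::getPolicyInstallScript()
{
    PolicyInstallScript *res = dynamic_cast<PolicyInstallScript*>(
        getFirstByType(PolicyInstallScript::TYPENAME));
    if (!res) add(res = getRoot()->createPolicyInstallScript());
    //add(res = new PolicyInstallScript());
    return res;
}

/* Return the SNMPManagement child, creating and adding one if absent. */
SNMPManagement *Management::getSNMPManagement()
{
    SNMPManagement *res = dynamic_cast<SNMPManagement*>(
        getFirstByType(SNMPManagement::TYPENAME));
    if (!res) add(res = getRoot()->createSNMPManagement());
    //add(res = new SNMPManagement());
    return res;
}

/* Return the FWBDManagement child, creating and adding one if absent. */
FWBDManagement *Management::getFWBDManagement()
{
    FWBDManagement *res = dynamic_cast<FWBDManagement*>(
        getFirstByType(FWBDManagement::TYPENAME));
    if (!res) add(res = getRoot()->createFWBDManagement());
    //add(res = new FWBDManagement());
    return res;
}

// --- PolicyInstallScript ---
//
// An external command (plus arguments) attached to the firewall's policy
// installation. Both strings are stored verbatim as attributes of the data
// file (see toXML). NOTE(review): this class does not run the command; the
// component that does (presumably the installer, when "enabled" is set)
// turns data-file content into a process invocation, so a data file from
// an untrusted source has to be treated as executable content.

const char *PolicyInstallScript::TYPENAME = {"PolicyInstallScript"};

PolicyInstallScript::PolicyInstallScript()
{
    // This object does not have standard attributes
    setId(-1);
    enabled = false;
}

/* Empty means no command is configured; arguments alone do not count. */
bool PolicyInstallScript::isEmpty() const { return command.empty(); }

bool PolicyInstallScript::isEnabled() const { return enabled; }

void PolicyInstallScript::setEnabled(bool v) { enabled = v; }

/*
 * Read the optional "command", "arguments" and "enabled" attributes. All
 * three are optional; "enabled" defaults to false and is true only for the
 * (case-insensitive) string "True".
 */
void PolicyInstallScript::fromXML(xmlNodePtr root) throw(FWException)
{
    FWObject::fromXML(root);

    const char *n;

    n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("command")));
    if (n)
    {
        command = n;
        FREEXMLBUFF(n);
    }

    n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("arguments")));
    if (n)
    {
        arguments = n;
        FREEXMLBUFF(n);
    }

    n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("enabled")));
    if (n)
    {
        enabled = (cxx_strcasecmp(n, "True") == 0);
        FREEXMLBUFF(n);
    }
    else
        enabled = false;
}

/* Mirror the members into attributes, then let the base class emit them. */
xmlNodePtr PolicyInstallScript::toXML(xmlNodePtr parent) throw(FWException)
{
    setId(-1);
    setStr("command", command);
    setStr("arguments", arguments);
    setBool("enabled", enabled);
    return FWObject::toXML(parent);
}

bool PolicyInstallScript::cmp(const FWObject *obj, bool recursive) throw(FWException)
{
    if (PolicyInstallScript::constcast(obj) == NULL) return false;
    if (!FWObject::cmp(obj, recursive)) return false;
    const PolicyInstallScript *o2 = PolicyInstallScript::constcast(obj);
    return (command == o2->command &&
            arguments == o2->arguments &&
            enabled == o2->enabled);
}

/* Copy the members from o (must be a PolicyInstallScript; not NULL-checked). */
FWObject& PolicyInstallScript::shallowDuplicate(const FWObject *o, bool preserve_id) throw(FWException)
{
    const PolicyInstallScript *n = dynamic_cast<const PolicyInstallScript*>(o);
    command = n->getCommand();
    arguments = n->getArguments();
    enabled = n->isEnabled();
    FWObject::shallowDuplicate(o, preserve_id);
    return *this;
}

const string& PolicyInstallScript::getCommand() const { return command; }

void PolicyInstallScript::setCommand(const string& s) { command = s; }

const string& PolicyInstallScript::getArguments() const { return arguments; }

void PolicyInstallScript::setArguments(const string& s) { arguments = s; }

// --- SNMPManagement ---
//
// SNMP read and write community strings for the managed device. Both are
// persisted in clear text as attributes of the data file (see toXML). The
// write community in particular is a credential that permits changing the
// device configuration, so a data file carrying it needs the same
// protection as any other secret store.

const char *SNMPManagement::TYPENAME = {"SNMPManagement"};

SNMPManagement::SNMPManagement()
{
    // This object does not have standard attributes
    enabled = false;
    setId(-1);
}

/* Empty when neither community string is set. */
bool SNMPManagement::isEmpty() const
{
    return read_community.empty() && write_community.empty();
}

bool SNMPManagement::isEnabled() const { return enabled; }

void SNMPManagement::setEnabled(bool v) { enabled = v; }

/*
 * Read the optional "snmp_read_community", "snmp_write_community" and
 * "enabled" attributes; "enabled" defaults to false.
 */
void SNMPManagement::fromXML(xmlNodePtr root) throw(FWException)
{
    FWObject::fromXML(root);

    const char *n;

    n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("snmp_read_community")));
    if (n)
    {
        read_community = n;
        FREEXMLBUFF(n);
    }

    n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("snmp_write_community")));
    if (n)
    {
        write_community = n;
        FREEXMLBUFF(n);
    }

    n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("enabled")));
    if (n)
    {
        enabled = (cxx_strcasecmp(n, "True") == 0);
        FREEXMLBUFF(n);
    }
    else
        enabled = false;
}

/* Community strings are written as plain attributes; see the class note. */
xmlNodePtr SNMPManagement::toXML(xmlNodePtr parent) throw(FWException)
{
    setId(-1);
    setStr("snmp_read_community", read_community);
    setStr("snmp_write_community", write_community);
    setBool("enabled", enabled);
    return FWObject::toXML(parent);
}

bool SNMPManagement::cmp(const FWObject *obj, bool recursive) throw(FWException)
{
    if (SNMPManagement::constcast(obj) == NULL) return false;
    if (!FWObject::cmp(obj, recursive)) return false;
    const SNMPManagement *o2 = SNMPManagement::constcast(obj);
    return (read_community == o2->read_community &&
            write_community == o2->write_community &&
            enabled == o2->enabled);
}

/* Copy the members from o (must be an SNMPManagement; not NULL-checked). */
FWObject& SNMPManagement::shallowDuplicate(const FWObject *o, bool preserve_id) throw(FWException)
{
    const SNMPManagement *n = dynamic_cast<const SNMPManagement*>(o);
    read_community = n->getReadCommunity();
    write_community = n->getWriteCommunity();
    enabled = n->isEnabled();
    FWObject::shallowDuplicate(o, preserve_id);
    return *this;
}

const string& SNMPManagement::getReadCommunity() const { return read_community; }

void SNMPManagement::setReadCommunity(const string& s) { read_community = s; }

const string& SNMPManagement::getWriteCommunity() const { return write_community; }

void SNMPManagement::setWriteCommunity(const string& s) { write_community = s; }

// --- FWBDManagement ---
//
// Port and identity used to reach the fwbuilder daemon. A port of -1
// means "not configured" (see isEmpty).

const char *FWBDManagement::TYPENAME = {"FWBDManagement"};

FWBDManagement::FWBDManagement()
{
    port = -1;
    enabled = false;
    // This object does not have standard attributes
    setId(-1);
}

FWBDManagement::~FWBDManagement() {}

bool FWBDManagement::isEmpty() const { return port == -1; }

bool FWBDManagement::isEnabled() const { return enabled; }

void FWBDManagement::setEnabled(bool v) { enabled = v; }

/*
 * Read the required "identity" and "port" attributes and the optional
 * "enabled" attribute.
 *
 * The data file is untrusted input, so a missing required attribute is
 * reported as a parse error, in the same way Management::fromXML reports a
 * missing "address". Previously both were checked with assert(): under
 * NDEBUG the check disappears and a malformed element leads to
 * constructing a std::string from NULL / calling atoi(NULL).
 *
 * NOTE(review): the port value is not range-checked beyond what atoi()
 * returns, and unlike the sibling classes this override does not call
 * FWObject::fromXML(); both are left as in the original.
 */
void FWBDManagement::fromXML(xmlNodePtr parent) throw(FWException)
{
    const char *n = FROMXMLCAST(xmlGetProp(parent, TOXMLCAST("identity")));
    if (n == NULL)
    {
        throw FWException(
            "Missing required identity attribute in FWBDManagement element");
    }
    identity_id = n;
    FREEXMLBUFF(n);

    n = FROMXMLCAST(xmlGetProp(parent, TOXMLCAST("port")));
    if (n == NULL)
    {
        throw FWException(
            "Missing required port attribute in FWBDManagement element");
    }
    port = atoi(n);
    FREEXMLBUFF(n);

    enabled = false;
    n = FROMXMLCAST(xmlGetProp(parent, TOXMLCAST("enabled")));
    if (n)
    {
        enabled = (cxx_strcasecmp(n, "True") == 0);
        FREEXMLBUFF(n);
    }
}

/* Mirror the members into attributes, then emit the element without children. */
xmlNodePtr FWBDManagement::toXML(xmlNodePtr parent) throw(FWException)
{
    setId(-1);
    setInt("port", port);
    setStr("identity", identity_id);
    setBool("enabled", enabled);
    xmlNodePtr me = FWObject::toXML(parent, false);
    return me;
}

bool FWBDManagement::cmp(const FWObject *obj, bool recursive) throw(FWException)
{
    if (FWBDManagement::constcast(obj) == NULL) return false;
    if (!FWObject::cmp(obj, recursive)) return false;
    const FWBDManagement *o2 = FWBDManagement::constcast(obj);
    return (port == o2->port &&
            identity_id == o2->identity_id &&
            enabled == o2->enabled);
}

/* Copy the members from o (must be an FWBDManagement; not NULL-checked). */
FWObject& FWBDManagement::shallowDuplicate(const FWObject *o, bool preserve_id) throw(FWException)
{
    const FWBDManagement *n = dynamic_cast<const FWBDManagement*>(o);
#if 0
    cerr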
<< "FWBDManagement::shallowDuplicate" << endl; cerr << "this:" << endl; dump(false,false); cerr << "Port: " << port << endl; cerr << "identity_id: " << identity_id << endl; cerr << "enabled: " << enabled << endl; cerr << endl; cerr << "n:" << endl; ((FWObject*)n)->dump(false,false); cerr << "Port: " << n->port << endl; cerr << "identity_id: " << n->identity_id << endl; cerr << "enabled: " << n->enabled << endl; cerr << endl; #endif port = n->getPort(); identity_id = n->getIdentityId(); enabled = n->isEnabled(); FWObject::shallowDuplicate(o, preserve_id); return *this; } int FWBDManagement::getPort() const { return port; } void FWBDManagement::setPort(int x) { port = x; } const string &FWBDManagement::getIdentityId() const { return identity_id; } void FWBDManagement::setIdentityId(const string &s) { identity_id = s; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Management.h000066400000000000000000000116041303637203600237560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef __MANAGEMENT_HH_FLAG__
#define __MANAGEMENT_HH_FLAG__

#include "fwbuilder/InetAddr.h"
#include "fwbuilder/FWObject.h"

namespace libfwbuilder
{

/**
 * External command and arguments associated with installing the policy
 * on a firewall. Both strings are persisted verbatim in the data file.
 *
 * NOTE(review): nothing in this class runs the command; whatever consumes
 * it (presumably the installer, when enabled is true) turns data-file
 * content into a process invocation, so a data file obtained from an
 * untrusted source must be treated as executable content.
 */
class PolicyInstallScript : public FWObject
{
public:
    PolicyInstallScript();

    DECLARE_FWOBJECT_SUBTYPE(PolicyInstallScript);
    DECLARE_DISPATCH_METHODS(PolicyInstallScript);

    virtual void fromXML(xmlNodePtr parent) throw(FWException);
    virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException);
    virtual FWObject& shallowDuplicate(
        const FWObject *obj, bool preserve_id = true) throw(FWException);
    virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException);

    const std::string& getCommand () const;
    void setCommand (const std::string& );

    const std::string& getArguments() const;
    void setArguments(const std::string& );

    /** True when no command is configured. */
    bool isEmpty() const;
    bool isEnabled() const;
    void setEnabled(bool v);

private:
    bool enabled;
    std::string command;
    std::string arguments;
};

/**
 * SNMP read/write community strings for the managed device.
 *
 * Both strings are stored in clear text as attributes of the data file.
 * The write community is a credential that allows changing the device
 * configuration; protect data files that carry it accordingly.
 */
class SNMPManagement : public FWObject
{
public:
    SNMPManagement();

    DECLARE_FWOBJECT_SUBTYPE(SNMPManagement);
    DECLARE_DISPATCH_METHODS(SNMPManagement);

    virtual void fromXML(xmlNodePtr parent) throw(FWException);
    virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException);
    virtual FWObject& shallowDuplicate(
        const FWObject *obj, bool preserve_id = true) throw(FWException);
    virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException);

    const std::string& getReadCommunity () const;
    void setReadCommunity (const std::string& );

    const std::string& getWriteCommunity() const;
    void setWriteCommunity(const std::string& );

    /** True when neither community string is set. */
    bool isEmpty() const;
    bool isEnabled() const;
    void setEnabled(bool v);

private:
    bool enabled;
    std::string read_community;
    std::string write_community;
};

/**
 * Connection parameters (port, identity) for the fwbuilder daemon.
 * A port of -1 means "not configured".
 */
class FWBDManagement : public FWObject
{
public:
    FWBDManagement();
    virtual ~FWBDManagement();
DECLARE_FWOBJECT_SUBTYPE(FWBDManagement); DECLARE_DISPATCH_METHODS(FWBDManagement); virtual FWObject& shallowDuplicate( const FWObject *obj, bool preserve_id = true) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); int getPort() const; void setPort(int); const std::string &getIdentityId() const; void setIdentityId(const std::string &); bool isEmpty() const; bool isEnabled() const; void setEnabled(bool v); private: bool enabled ; int port ; std::string identity_id ; }; class Management : public FWObject { public: Management(); DECLARE_FWOBJECT_SUBTYPE(Management); DECLARE_DISPATCH_METHODS(Management); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual FWObject& shallowDuplicate( const FWObject *obj, bool preserve_id = true) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); virtual bool validateChild(FWObject *o); const InetAddr& getAddress() const { return addr; } void setAddress(const InetAddr& a) { addr = a; } PolicyInstallScript *getPolicyInstallScript(); SNMPManagement *getSNMPManagement(); FWBDManagement *getFWBDManagement(); bool isEmpty() const; private: InetAddr addr; }; } #endif //__MANAGEMENT_HH_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/MultiAddress.cpp000066400000000000000000000054301303637203600246350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/MultiAddress.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Network.h" #include #include #include #include using namespace libfwbuilder; using namespace std; const char *MultiAddress::TYPENAME={"MultiAddress"}; MultiAddress::MultiAddress() : FWObject() { setRunTime(false); } MultiAddress::~MultiAddress() { } string MultiAddress::getSourceName() { return ""; } void MultiAddress::setSourceName(const std::string&) { } bool MultiAddress::isCompileTime() const { return !getBool("run_time"); } bool MultiAddress::isRunTime() const { return getBool("run_time"); } void MultiAddress::setCompileTime(const bool b) { setBool("run_time",!b); } void MultiAddress::setRunTime(const bool b) { setBool("run_time",b); } bool MultiAddress::validateChild(FWObject *o) { return ObjectGroup::validateChild(o); } // ======================================================================== const char *MultiAddressRunTime::TYPENAME={"MultiAddressRunTime"}; MultiAddressRunTime::MultiAddressRunTime() { setName("UnknownMultiAddressRunTime"); source_name = "source"; run_time = false; subst_type_name = "Unknown"; } MultiAddressRunTime::MultiAddressRunTime(MultiAddress *maddr) { setName(maddr->getName()); source_name = maddr->getSourceName(); run_time = maddr->isRunTime(); subst_type_name = maddr->getTypeName(); } string MultiAddressRunTime::getSourceNameAsPath(FWOptions *options) const { string ret = 
source_name; size_t found = ret.find("%DATADIR%"); if (found == string::npos) return ret; string dataDir = options->getStr("data_dir"); if (dataDir.empty()) return dataDir; ret.replace(found, 9, dataDir); return ret; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/MultiAddress.h000066400000000000000000000065571303637203600243150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __GEN_MULTIADDRESS_HH_FLAG__ #define __GEN_MULTIADDRESS_HH_FLAG__ #include "fwbuilder/FWObject.h" #include "fwbuilder/Address.h" #include "fwbuilder/ObjectGroup.h" #include namespace libfwbuilder { class MultiAddress : public ObjectGroup { private: public: DECLARE_FWOBJECT_SUBTYPE(MultiAddress); DECLARE_DISPATCH_METHODS(MultiAddress); MultiAddress(); virtual ~MultiAddress(); virtual std::string getSourceName(); virtual void setSourceName(const std::string& source_name); virtual void loadFromSource(bool ipv6, FWOptions *options, bool test_mode=false) throw(FWException) = 0; /* * functions isCompileTime() and isRunTime() are virtual because * some multi-address objects allow the user to set these flags, * while other object types behave as run-time or compile-time * depending on attributes of other objects (e.g. 
AttachedNetworks) */ virtual bool isCompileTime() const; virtual bool isRunTime() const; void setCompileTime(const bool b); void setRunTime(const bool b); virtual bool validateChild(FWObject *o); virtual bool isPrimaryObject() const { return true; } }; /* * compilers assume that object that appear in Src, Dst, OSrc, ODst * are inherited from class Address and use this in many * places. MultiAddress is derived from ObjectGroup to simplify * processing in compile-time mode, which creates lots of problems * with it when it is configured in run-time mode. To simplify things, * we'll use class MultiAddressRunTime which is derived from * Address. We'll replace MultiAddress objects with run-time mode with * objects of this class in a special rule processor * * Objects of this class are never stored in the data file and do not * appear in DTD; they are only used in compilers. */ class MultiAddressRunTime : public Address { std::string subst_type_name; std::string source_name; bool run_time; public: DECLARE_FWOBJECT_SUBTYPE(MultiAddressRunTime); DECLARE_DISPATCH_METHODS(MultiAddressRunTime); MultiAddressRunTime(); MultiAddressRunTime(MultiAddress *maddr); std::string getSourceName() const { return source_name; } std::string getSubstitutionTypeName() const { return subst_type_name; } std::string getSourceNameAsPath(FWOptions *options) const; bool isCompileTime() const { return !run_time; } bool isRunTime() const { return run_time; } virtual bool isPrimaryObject() const { return true; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/NAT.cpp000066400000000000000000000024551303637203600226630ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Rule.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/FWObjectDatabase.h" using namespace libfwbuilder; const char *NAT::TYPENAME={"NAT"}; NAT::NAT() : RuleSet() { setName("NAT"); } NAT::~NAT() {} Rule* NAT::createRule() { FWObjectDatabase* db=getRoot(); assert(db!=NULL); return db->createNATRule(); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/NAT.h000066400000000000000000000032711303637203600223250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NAT_HH_FLAG__ #define __NAT_HH_FLAG__ #include "fwbuilder/FWObject.h" #include "fwbuilder/RuleSet.h" namespace libfwbuilder { class NAT : public RuleSet { public: NAT(); virtual ~NAT(); DECLARE_FWOBJECT_SUBTYPE(NAT); DECLARE_DISPATCH_METHODS(NAT); /* the following methods provide proper typization */ NATRule* getRuleByNum(int n) { return NATRule::cast(RuleSet::getRuleByNum(n)); } NATRule* insertRuleAtTop() { return NATRule::cast(RuleSet::insertRuleAtTop()); } NATRule* insertRuleBefore(int n){ return NATRule::cast(RuleSet::insertRuleBefore(n));} NATRule* appendRuleAfter(int n){ return NATRule::cast(RuleSet::appendRuleAfter(n));} NATRule* appendRuleAtBottom(){ return NATRule::cast(RuleSet::appendRuleAtBottom());} virtual Rule* createRule(); }; } #endif //__NAT_HH_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Network.cpp000066400000000000000000000064551303637203600236760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Network.h" #include "fwbuilder/XMLTools.h" #include using namespace libfwbuilder; using namespace std; const char *Network::TYPENAME={"Network"}; Network::Network() : Address() { setNetmask(InetAddr(AF_INET, 32)); } Network::Network(Network &o) : Address(o) { FWObject::operator=(o); setAddress(*(o.getAddressPtr())); setNetmask(*(o.getNetmaskPtr())); } Network::Network (const string &s) : Address() { setAddressNetmask(s); } Network::~Network() {} void Network::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("address"))); assert(n!=NULL); setAddress(InetAddr(n)); FREEXMLBUFF(n); n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("netmask"))); assert(n!=NULL); setNetmask(InetAddr(n)); FREEXMLBUFF(n); } xmlNodePtr Network::toXML(xmlNodePtr xml_parent_node) throw(FWException) { if (getName().empty()) setName(getTypeName()); xmlNodePtr me = FWObject::toXML(xml_parent_node); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? 
"True" : "False"))); xmlNewProp(me, TOXMLCAST("address"), STRTOXMLCAST(getAddressPtr()->toString())); xmlNewProp(me, TOXMLCAST("netmask"), STRTOXMLCAST(getNetmaskPtr()->toString())); return me; } /* check if host address bits are cleared */ bool Network::isValidRoutingNet() const { return (*(getAddressPtr()) == *(getNetworkAddressPtr())); } void Network::setAddress(const InetAddr &a) { inet_addr_mask->setAddress(a); } void Network::setNetmask(const InetAddr &nm) { inet_addr_mask->setNetmask(nm); } void Network::setAddressNetmask(const std::string& s) { delete inet_addr_mask; inet_addr_mask = new InetAddrMask(s); } const InetAddr* Network::getFirstHostPtr() const { const InetAddrMask *inet_addr_mask = getInetAddrMaskObjectPtr(); if (inet_addr_mask) return inet_addr_mask->getFirstHostPtr(); return NULL; } const InetAddr* Network::getLastHostPtr() const { const InetAddrMask *inet_addr_mask = getInetAddrMaskObjectPtr(); if (inet_addr_mask) return inet_addr_mask->getLastHostPtr(); return NULL; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Network.h000066400000000000000000000041511303637203600233320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NETWORK_HH_FLAG__ #define __NETWORK_HH_FLAG__ #include "fwbuilder/Address.h" #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/ObjectMatcher.h" namespace libfwbuilder { class Network : public Address { public: Network(); Network(Network &); Network(const std::string &); virtual ~Network(); bool isValidRoutingNet() const; virtual void fromXML (xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML (xmlNodePtr xml_parent_node) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(Network); DECLARE_DISPATCH_METHODS(Network); virtual bool hasInetAddress() const { return true; } /** * similar to hasInetAddress() but counts addresses */ virtual int countInetAddresses(bool) const { return 1; } virtual const Address* getAddressObject() const { return this; } const InetAddr* getFirstHostPtr() const; const InetAddr* getLastHostPtr() const; virtual void setAddress(const InetAddr &a); virtual void setNetmask(const InetAddr &nm); virtual void setAddressNetmask(const std::string& s); virtual bool isPrimaryObject() const { return true; } }; } #endif // __NETWORK_HH_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/NetworkIPv6.cpp000066400000000000000000000077301303637203600244000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Inet6AddrMask.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/XMLTools.h" #include #include #include using namespace libfwbuilder; using namespace std; const char *NetworkIPv6::TYPENAME={"NetworkIPv6"}; NetworkIPv6::NetworkIPv6() : Address() { delete inet_addr_mask; inet_addr_mask = new Inet6AddrMask(); setNetmask(InetAddr(AF_INET6, 64)); } NetworkIPv6::NetworkIPv6(NetworkIPv6 &other) : Address(other) { delete inet_addr_mask; inet_addr_mask = new Inet6AddrMask( *(dynamic_cast(other.inet_addr_mask))); FWObject::operator=(other); } NetworkIPv6::NetworkIPv6 (const string &s) : Address() { setAddressNetmask(s); } NetworkIPv6::~NetworkIPv6() {} FWObject& NetworkIPv6::shallowDuplicate(const FWObject *other, bool preserve_id) throw(FWException) { const NetworkIPv6* a_other = NetworkIPv6::constcast(other); delete inet_addr_mask; inet_addr_mask = new Inet6AddrMask( *(dynamic_cast(a_other->inet_addr_mask))); return FWObject::shallowDuplicate(other, preserve_id); } void NetworkIPv6::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("address"))); assert(n!=NULL); setAddress(InetAddr(AF_INET6, n)); FREEXMLBUFF(n); n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("netmask"))); assert(n!=NULL); if (strlen(n)) { if (string(n).find(":")!=string::npos) { setNetmask(InetAddr(AF_INET6, n)); } else { istringstream str(n); int netm; str >> netm; setNetmask(InetAddr(AF_INET6, netm)); } } else setNetmask(InetAddr(AF_INET6, 0)); FREEXMLBUFF(n); } 
xmlNodePtr NetworkIPv6::toXML(xmlNodePtr xml_parent_node) throw(FWException) { if (getName().empty()) setName(getTypeName()); xmlNodePtr me = FWObject::toXML(xml_parent_node); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); xmlNewProp(me, TOXMLCAST("address"), STRTOXMLCAST(inet_addr_mask->getAddressPtr()->toString())); // Save netmask as bit length ostringstream str; str << inet_addr_mask->getNetmaskPtr()->getLength(); xmlNewProp(me, TOXMLCAST("netmask"), STRTOXMLCAST(str.str())); return me; } /* check if host address bits are cleared */ bool NetworkIPv6::isValidRoutingNet() const { return (*(getAddressPtr()) == *(getNetworkAddressPtr())); } void NetworkIPv6::setAddress(const InetAddr &a) { inet_addr_mask->setAddress(a); } void NetworkIPv6::setNetmask(const InetAddr &nm) { inet_addr_mask->setNetmask(nm); } void NetworkIPv6::setAddressNetmask(const std::string& s) { delete inet_addr_mask; inet_addr_mask = new Inet6AddrMask(s); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/NetworkIPv6.h000066400000000000000000000043141303637203600240400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NETWORKIPV6_HH_FLAG__ #define __NETWORKIPV6_HH_FLAG__ #include "fwbuilder/Address.h" #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/ObjectMatcher.h" namespace libfwbuilder { class NetworkIPv6 : public Address { public: NetworkIPv6(); NetworkIPv6(NetworkIPv6 &); NetworkIPv6(const std::string &); virtual ~NetworkIPv6(); bool isValidRoutingNet() const; virtual void fromXML (xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML (xmlNodePtr xml_parent_node) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(NetworkIPv6); DECLARE_DISPATCH_METHODS(NetworkIPv6); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); virtual bool hasInetAddress() const { return true; } /** * similar to hasInetAddress() but counts addresses */ virtual int countInetAddresses(bool) const { return 1; } virtual const Address* getAddressObject() const { return this; } virtual void setAddress(const InetAddr &a); virtual void setNetmask(const InetAddr &nm); virtual void setAddressNetmask(const std::string& s); virtual bool isPrimaryObject() const { return true; } }; } #endif // __NETWORK_HH_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ObjectGroup.cpp000066400000000000000000000060711303637203600244620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Service.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interval.h" #include "fwbuilder/Host.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/RuleSet.h" using namespace std; using namespace libfwbuilder; const char *ObjectGroup::TYPENAME={"ObjectGroup"}; ObjectGroup::ObjectGroup() : Group() {} ObjectGroup::~ObjectGroup() {} bool ObjectGroup::validateChild(FWObject *o) { if (FWObjectReference::cast(o)!=NULL) return true; return (FWObject::validateChild(o) && Service::cast(o)==NULL && ServiceGroup::cast(o)==NULL && Interval::cast(o)==NULL && FWServiceReference::cast(o)==NULL && RuleSet::cast(o)==NULL); } xmlNodePtr ObjectGroup::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? 
"True" : "False"))); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } void ObjectGroup::getAllowedTypesOfChildren(std::list &types_list) { types_list.clear(); types_list.push_back(Host::TYPENAME); types_list.push_back(Firewall::TYPENAME); types_list.push_back(Cluster::TYPENAME); types_list.push_back(Network::TYPENAME); types_list.push_back(NetworkIPv6::TYPENAME); types_list.push_back(IPv4::TYPENAME); types_list.push_back(IPv6::TYPENAME); types_list.push_back(DNSName::TYPENAME); types_list.push_back(AddressTable::TYPENAME); types_list.push_back(AddressRange::TYPENAME); types_list.push_back(FWObjectReference::TYPENAME); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ObjectGroup.h000066400000000000000000000033271303637203600241300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTGROUP_HH_FLAG__ #define __OBJECTGROUP_HH_FLAG__ #include "fwbuilder/Group.h" namespace libfwbuilder { class ObjectGroup : public Group { public: ObjectGroup(); virtual ~ObjectGroup(); DECLARE_FWOBJECT_SUBTYPE(ObjectGroup); DECLARE_DISPATCH_METHODS(ObjectGroup); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); /* * verify whether given object type is approppriate as a child */ virtual bool validateChild(FWObject *o); /** * get the list of object type names that can be inserted into * given object group. For example, if the group is ObjectGroup, * then the list will include all objects but not services. This * reflects definition of the group XML element in DTD. */ virtual void getAllowedTypesOfChildren(std::list &types_list); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ObjectMatcher.cpp000066400000000000000000000415671303637203600247620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ==================================================================== Algorithms implemented in this module are used to decide if an object that defines one or several addresses matches firewall, its interface or any of its addresses in the sense that packets with address equal to that of would be accepted by the firewall machine. Two match modes are defined: EXACT and PARTIAL. The difference makes sense when object is an AddressRange because the range may match subnet of an interface exactly or overlap with it only partially. This class is used in policy compilers to determine chain (for iptables) or find interface that matches addresses used in policy or nat rules. */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/ObjectMatcher.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/MultiAddress.h" #include "fwbuilder/Group.h" #include #include using namespace libfwbuilder; using namespace std; /** * returns true if : * 1. obj1 is the same as obj2, or * 2. any child of obj2 or * 3. its address matches that of any obj2's interfaces, or * 4. its address matches broadcast address of one of the interfaces * 5. address of obj1 is a broadcast (255.255.255.255) * 6. 
address of obj1 is a multicast ( added 09/15/02, --vk ) * * This used double dispatch pattern: complexMatch calls virtual * method dispatchComplexMatch method of obj1, which in turn calls * appropriate variant of ObjectMatcher::checkComplexMatch method * depending on which class obj1 is an object of. */ bool ObjectMatcher::complexMatch(Address *obj1, Address *obj2) { if (obj1->getId()==obj2->getId()) return true; if (Cluster::cast(obj1) && Firewall::cast(obj2)) { // "parent_cluster_id" is set in CompilerDriver::populateClusterElements() // which unfortunately is part of fwbuilder rather than fwcompiler int cluster_id = obj2->getInt("parent_cluster_id"); if (obj1->getId() == cluster_id) return true; } void* res = obj1->dispatch(this, obj2); return (res != NULL); } /** * Compare single InetAddr to an address defined by Address * object. The right hand side Address object should be a "primary" * address object (i.e. IPv4, IPv6, Network, NetworkIPv6, AddressRange * but not Interface or Host). This method takes into account the * hierarcy of which rhs_obj is part. That is, it treats IPv4 which is * a child of interface differently from IPv4 which is a standalone * object. This method uses flag match_subnets to decide whether it * should consider only ip address of rhs_obj or a subnet defined by * its address and netmask. */ int ObjectMatcher::matchRHS(const InetAddr *inet_addr_obj, Address *rhs_obj) { const InetAddr *addr = rhs_obj->getAddressPtr(); const InetAddr *netm = rhs_obj->getNetmaskPtr(); if (match_subnets) { return matchSubnetRHS(inet_addr_obj, addr, netm); } else { if (matchInetAddrRHS(inet_addr_obj, addr) == 0) return 0; if (recognize_broadcasts) { /* * bug #1040773: need to match network address as well as * broadcast. 
Packets sent to the network address (192.168.1.0 for net * 192.168.1.0/24) go in the broadcast frame and behave just like IP * broadcast packets (sent to 192.168.1.1255 for the same net) * */ InetAddrMask n(*addr, *netm); int f1 = matchInetAddrRHS(inet_addr_obj, n.getNetworkAddressPtr()); int f2 = matchInetAddrRHS(inet_addr_obj, n.getBroadcastAddressPtr()); if (f1 == 0 || f2 == 0) return 0; if (f2 > 0) return 1; } return -1; } } /** * Match inet one address against another * Returns: * 0 if first address is equal to the secnd * -1 if first address is less than the secnd * 1 if first address is greater than the secnd */ int ObjectMatcher::matchInetAddrRHS(const InetAddr *inet_addr_obj, const InetAddr *rhs_obj_addr) { if ((*inet_addr_obj) == (*rhs_obj_addr)) return 0; if ((*inet_addr_obj) < (*rhs_obj_addr)) return -1; return 1; } /** * Match inet address against subnet defined by addr/mask pair. * Returns: * 0 if inet address belongs to the subnet, * -1 if inet address is less than the beginning of the subnet * 1 if inet address is greater than the end of the subnet */ int ObjectMatcher::matchSubnetRHS(const InetAddr *inet_addr_obj, const InetAddr *rhs_obj_addr, const InetAddr *rhs_obj_netm) { InetAddrMask n(*rhs_obj_addr, *rhs_obj_netm); int f1 = matchInetAddrRHS(inet_addr_obj, n.getNetworkAddressPtr()); int f2 = matchInetAddrRHS(inet_addr_obj, n.getBroadcastAddressPtr()); if (f1 >= 0 && f2 <= 0) return 0; if (f1 < 0) return -1; if (f2 > 0) return 1; return -1; } bool ObjectMatcher::checkComplexMatchForSingleAddress(const InetAddr *obj1_addr, FWObject *obj2) { if (!obj1_addr->isAny() && ( (recognize_broadcasts && obj1_addr->isBroadcast()) || (recognize_multicasts && obj1_addr->isMulticast()) ) ) return true; // case of "old boradcast" if (recognize_broadcasts && obj1_addr->isAny()) return true; string addr_type = (ipv6) ? 
IPv6::TYPENAME : IPv4::TYPENAME; list all_addresses; if (Host::cast(obj2)) { /* * note that compilers add copies of rules to the same firewall object * (temp_ruleset object) which means the tree rooted at the firewall * can be large, so searching for all interfaces using getByTypeDeep() * may cause scanning very large tree. */ list all_interfaces; Interface::findAllInterfaces(obj2, all_interfaces); for (list::iterator it = all_interfaces.begin(); it != all_interfaces.end(); ++it) { list intf_addresses = (*it)->getByTypeDeep(addr_type); all_addresses.splice(all_addresses.end(), intf_addresses); } } else { all_addresses = obj2->getByTypeDeep(addr_type); } for (list::iterator it = all_addresses.begin(); it != all_addresses.end(); ++it) { Address *rhs_addr = Address::cast(*it); const InetAddr *addr = rhs_addr->getAddressPtr(); if (match_subnets) { const InetAddr *netm = rhs_addr->getNetmaskPtr(); if (matchSubnetRHS(obj1_addr, addr, netm) == 0) return true; } else { if (matchRHS(obj1_addr, rhs_addr) == 0) return true; } } return false; } bool ObjectMatcher::checkComplexMatchForSingleAddress(Address *obj1, FWObject *obj2) { const InetAddr *obj1_addr = obj1->getAddressPtr(); // obj1_addr may be NULL if obj1 does not have any real address, // one case when this happens is when obj1 is physAddress if (obj1_addr) return checkComplexMatchForSingleAddress(obj1_addr, obj2); return false; } /** * check if any of the addresses of obj2 belongs to the subnet of obj1 */ bool ObjectMatcher::checkComplexMatchForSubnet(Address *obj1, FWObject *obj2) { //cerr << "ObjectMatcher::checkComplexMatchForSubnet obj1=" << obj1->getName() // << " obj2=" << obj2->getName(); const InetAddr *addr = obj1->getAddressPtr(); const InetAddr *netm = obj1->getNetmaskPtr(); bool res = false; string addr_type = (ipv6) ? 
IPv6::TYPENAME : IPv4::TYPENAME; list all_addresses = obj2->getByTypeDeep(addr_type); for (list::iterator it = all_addresses.begin(); it != all_addresses.end(); ++it) { Address *obj2_addr = Address::cast(*it); const InetAddr *rhs_addr = obj2_addr->getAddressPtr(); if (matchSubnetRHS(rhs_addr, addr, netm) == 0) { res = true; break; } } //cerr << " " << res << endl; return res; } void* ObjectMatcher::dispatch(Interface* obj1, void* _obj2) { FWObject *obj2 = (FWObject*)(_obj2); if (obj1->getParent()->getId() == obj2->getId()) return obj1; if (!obj1->isRegular()) return NULL; if ((obj1->getByType(IPv4::TYPENAME)).size()>1) return NULL; if ((obj1->getByType(IPv6::TYPENAME)).size()>1) return NULL; return (checkComplexMatchForSingleAddress(obj1, obj2)) ? obj1 : NULL; } void* ObjectMatcher::dispatch(Network *obj1, void *_obj2) { FWObject *obj2 = (FWObject*)(_obj2); /* * bug #1055937: "Any->all_multicasts not in INPUT Chain" * Need to check for multicast networks. We assume they always * match if obj2 is firewall */ //Network *nobj1 = Network::cast(obj1); const InetAddr *inet_addr = obj1->getAddressPtr(); if (inet_addr) { if (recognize_multicasts && inet_addr->isMulticast() && Firewall::isA(obj2)) return obj1; /* * need to check for network object with mask 255.255.255.255 * Such objects are created by the method that expands address * ranges, and some often used ranges trigger that (like * "255.255.255.255-255.255.255.255" or "0.0.0.0-0.0.0.0") */ if (!obj1->getNetmaskPtr()->isHostMask()) return NULL; } else return NULL; return checkComplexMatchForSingleAddress(obj1, obj2) ? obj1 : NULL; } void* ObjectMatcher::dispatch(NetworkIPv6 *obj1, void *_obj2) { FWObject *obj2 = (FWObject*)(_obj2); const InetAddr *inet_addr = obj1->getAddressPtr(); if (inet_addr) { if (recognize_multicasts && inet_addr->isMulticast() && Firewall::isA(obj2)) return obj1; if (!obj1->getNetmaskPtr()->isHostMask()) return NULL; } else return NULL; return checkComplexMatchForSingleAddress(obj1, obj2) ? 
obj1 : NULL; } void* ObjectMatcher::dispatch(IPv4 *obj1, void *_obj2) { FWObject *obj2 = (FWObject*)(_obj2); return checkComplexMatchForSingleAddress(obj1, obj2) ? obj1 : NULL; } void* ObjectMatcher::dispatch(IPv6 *obj1, void *_obj2) { FWObject *obj2 = (FWObject*)(_obj2); return checkComplexMatchForSingleAddress(obj1, obj2) ? obj1 : NULL; } void* ObjectMatcher::dispatch(physAddress *obj1, void *_obj2) { FWObject *obj2 = (FWObject*)(_obj2); list all_pa = obj2->getByTypeDeep(physAddress::TYPENAME); for (list::iterator i = all_pa.begin(); i != all_pa.end(); ++i) { physAddress *iface_pa = physAddress::cast(*i); if (obj1->getPhysAddress() == iface_pa->getPhysAddress()) return obj1; } return NULL; } void* ObjectMatcher::dispatch(AddressRange *obj1, void *_obj2) { FWObject *obj2 = (FWObject*)(_obj2); const InetAddr &range_start = obj1->getRangeStart(); const InetAddr &range_end = obj1->getRangeEnd(); if (!range_start.isAny() && ( (recognize_broadcasts && range_start.isBroadcast()) || (recognize_multicasts && range_start.isMulticast()) ) ) return obj1; if (!range_end.isAny() && ( (recognize_broadcasts && range_end.isBroadcast()) || (recognize_multicasts && range_end.isMulticast()) ) ) return obj1; // case of "old boradcast" if (recognize_broadcasts && range_start == range_end && range_start.isAny()) return obj1; string addr_type = (ipv6) ? 
IPv6::TYPENAME : IPv4::TYPENAME; list all_addresses = obj2->getByTypeDeep(addr_type); for (list::iterator it = all_addresses.begin(); it != all_addresses.end(); ++it) { Address *rhs_addr = Address::cast(*it); const InetAddr *addr = rhs_addr->getAddressPtr(); if (match_subnets) { const InetAddr *netm = rhs_addr->getNetmaskPtr(); int f_b = matchSubnetRHS(&range_start, addr, netm); int f_e = matchSubnetRHS(&range_end, addr, netm); #if 0 cerr << "Address Range " << range_start.toString() << ":" << range_end.toString() << " rhs_addr " << rhs_addr->getName() << " " << addr->toString() << "/" << netm->toString() << " f_b=" << f_b << " f_e=" << f_e << " match_mode=" << address_range_match_mode << endl; #endif if (address_range_match_mode == EXACT) { if (f_b == 0 && f_e == 0) return obj1; } // PARTIAL match only makes sense when match_subnets is true if (address_range_match_mode == PARTIAL) { if (f_b == 0 || f_e == 0) return obj1; // one end of the range is inside subnet if (f_b == -1 && f_e == 1) return obj1; // range is wider than subnet, subnet fits inside the range completely } } else { // If we do not need to match subnets, we just look if address // @addr is inside the range int f_b = matchInetAddrRHS(&range_start, addr); int f_e = matchInetAddrRHS(&range_end, addr); #if 0 cerr << "Address Range " << range_start.toString() << ":" << range_end.toString() << " rhs_addr " << rhs_addr->getName() << " " << addr->toString() << " f_b=" << f_b << " f_e=" << f_e << " match_mode=" << address_range_match_mode << endl; #endif if (f_b <= 0 && f_e >= 0) return obj1; } } return NULL; bool f_b = checkComplexMatchForSingleAddress(&range_start, obj2); bool f_e = checkComplexMatchForSingleAddress(&range_end, obj2); if (address_range_match_mode == EXACT && f_b && f_e) return obj1; if (address_range_match_mode == PARTIAL && (f_b || f_e)) return obj1; return NULL; } /* * Special case: run-time DNSName object with source name "self" * matches firewall. 
*/ void* ObjectMatcher::dispatch(MultiAddressRunTime *obj1, void *_obj2) { FWObject *obj2 = (FWObject*)(_obj2); if (obj1->getSubstitutionTypeName() == DNSName::TYPENAME && obj1->getSourceName() == "self" && Firewall::isA(obj2)) return obj1; return NULL; // never matches in this implementation } void* ObjectMatcher::dispatch(Host *obj1, void *_obj2) { FWObject *obj2 = (FWObject*)(_obj2); /* * match only if all interfaces of obj1 match obj2 */ bool res = true; list all_interfaces; Interface::findAllInterfaces(obj1, all_interfaces); for (list::iterator it = all_interfaces.begin(); it != all_interfaces.end(); ++it) { res &= checkComplexMatchForSingleAddress(Interface::cast(*it), obj2); } return res ? obj1 : NULL; } void* ObjectMatcher::dispatch(Firewall *obj1, void *_obj2) { FWObject *obj2 = (FWObject*)(_obj2); if (obj1->getId() == obj2->getId()) return obj1; /* * Special case: run-time DNSName object with source name "self" * matches firewall. */ MultiAddressRunTime *mart = MultiAddressRunTime::cast(obj2); if (mart) { if (mart->getSubstitutionTypeName() == DNSName::TYPENAME && mart->getSourceName() == "self") return obj1; } /* * match only if all interfaces of obj1 match obj2 */ return dispatch(static_cast(obj1), obj2); } void* ObjectMatcher::dispatch(Cluster *obj1, void *_obj2) { FWObject *obj2 = (FWObject*)(_obj2); if (obj1->getId() == obj2->getId()) return obj1; list members; obj1->getMembersList(members); list::iterator it; for (it=members.begin(); it!=members.end(); ++it) { if (dispatch(*it, obj2) != NULL) return obj1; } /* * match only if all interfaces of obj1 match obj2 */ return dispatch(static_cast(obj1), obj2); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ObjectMatcher.h000066400000000000000000000076461303637203600244270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTMATCHER_HH_FLAG__ #define __OBJECTMATCHER_HH_FLAG__ #include #include #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Dispatch.h" namespace libfwbuilder { class ObjectMatcher : public Dispatch { public: typedef enum {EXACT, PARTIAL} address_range_match; private: bool recognize_broadcasts; bool recognize_multicasts; bool ipv6; bool match_subnets; address_range_match address_range_match_mode; bool checkComplexMatchForSingleAddress(const InetAddr *addr1, FWObject *obj2); int matchRHS(const InetAddr *addr1, Address *obj2); int matchInetAddrRHS(const InetAddr *addr1, const InetAddr *rhs_obj_addr); int matchSubnetRHS(const InetAddr *addr1, const InetAddr *rhs_obj_addr, const InetAddr *rhs_obj_netm); public: ObjectMatcher() : Dispatch() { recognize_broadcasts = false; recognize_multicasts = false; ipv6 = false; match_subnets = false; address_range_match_mode = PARTIAL; } virtual ~ObjectMatcher() {} void setMatchSubnets(bool f) { match_subnets = f; } void setAddressRangeMatchMode(address_range_match f) { address_range_match_mode = f; } void setRecognizeBroadcasts(bool f) { recognize_broadcasts = f; } void setRecognizeMulticasts(bool f) { recognize_multicasts = f; } void setIPV6(bool f) { ipv6 = f; } /** * check if address obj1 matches any of the addresses of obj2. Obj1 * has to be a single address. 
*/ bool checkComplexMatchForSingleAddress(Address *obj1, FWObject *obj2); /** * check if any of the addresses of obj2 belongs to the subnet of obj1 */ bool checkComplexMatchForSubnet(Address *obj1, FWObject *obj2); /** * This method returns true if one of the following conditions is met: * * 1. obj1 is the same as obj2 (compares ID of both objects), or * 2. obj1 is a child of obj2 on any depth, or * 3. address of obj1 matches that of any obj2's interfaces, or * 4. address of obj1 is a broadcast address of one of * the interfaces of obj2 * 5. address of obj1 is a broadcast (255.255.255.255) */ bool complexMatch(Address *obj1, Address *obj2); virtual void* dispatch(Interface*, void*); virtual void* dispatch(Network*, void*); virtual void* dispatch(NetworkIPv6*, void*); virtual void* dispatch(IPv4*, void*); virtual void* dispatch(IPv6*, void*); virtual void* dispatch(Host*, void*); virtual void* dispatch(Firewall*, void*); virtual void* dispatch(Cluster*, void*); virtual void* dispatch(AddressRange*, void*); virtual void* dispatch(physAddress*, void*); virtual void* dispatch(MultiAddressRunTime*, void*); }; }; #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ObjectMirror.cpp000066400000000000000000000070321303637203600246360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id: ObjectMirror.cpp 534 2010-02-07 23:25:06Z vadim $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ==================================================================== */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/ObjectMirror.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include #include using namespace libfwbuilder; using namespace std; Service* ObjectMirror::getMirroredService(Service *obj) { void* res = obj->dispatch(this, (void*)NULL); return Service::cast((FWObject*)(res)); } void* ObjectMirror::dispatch(IPService* obj, void*) { return obj; } void* ObjectMirror::dispatch(ICMPService* obj, void*) { ICMPService *new_obj = obj->getRoot()->createICMPService(); new_obj->setName(obj->getName() + "-mirror"); if (obj->getInt("type") == 8) { new_obj->setInt("type", 0); new_obj->setInt("code", 0); } else { new_obj->setInt("type", obj->getInt("type")); new_obj->setInt("code", obj->getInt("code")); } return new_obj; } void* ObjectMirror::dispatch(ICMP6Service* obj, void*) { ICMP6Service *new_obj = obj->getRoot()->createICMP6Service(); new_obj->setName(obj->getName() + "-mirror"); if (obj->getInt("type") == 128) { new_obj->setInt("type", 129); new_obj->setInt("code", 0); } else { new_obj->setInt("type", obj->getInt("type")); new_obj->setInt("code", obj->getInt("code")); } return new_obj; } void* ObjectMirror::dispatch(TCPService* obj, void*) { TCPService *new_obj = obj->getRoot()->createTCPService(); new_obj->duplicate(obj); // mostly to copy tcp flags new_obj->setName(obj->getName() + "-mirror"); new_obj->setSrcRangeStart(obj->getDstRangeStart()); new_obj->setSrcRangeEnd(obj->getDstRangeEnd()); new_obj->setDstRangeStart(obj->getSrcRangeStart()); new_obj->setDstRangeEnd(obj->getSrcRangeEnd()); // if original 
tcp service does something with flags, we can't simply // invert it by adding flag "established". Just leave as-is if (!obj->inspectFlags()) new_obj->setEstablished( ! obj->getEstablished()); return new_obj; } void* ObjectMirror::dispatch(UDPService* obj, void*) { UDPService *new_obj = obj->getRoot()->createUDPService(); new_obj->setName(obj->getName() + "-mirror"); new_obj->setSrcRangeStart(obj->getDstRangeStart()); new_obj->setSrcRangeEnd(obj->getDstRangeEnd()); new_obj->setDstRangeStart(obj->getSrcRangeStart()); new_obj->setDstRangeEnd(obj->getSrcRangeEnd()); return new_obj; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ObjectMirror.h000066400000000000000000000045571303637203600243140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id: ObjectMirror.h 534 2010-02-07 23:25:06Z vadim $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTMIRROR_HH_FLAG__ #define __OBJECTMIRROR_HH_FLAG__ #include #include #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Dispatch.h" namespace libfwbuilder { class ObjectMirror : public Dispatch { public: ObjectMirror() : Dispatch() { } /** * Creates "mirrored" object (currently only * service). 
Mirroring means swapping source and destination * port ranges for tcp and udp and picking appropriate ICMP * type for some known ICMP services. The object it returns is * not added to the tree, caller must do this in order to * avoid memory leaks and to be able to use the object later. * * Note: mirroring of actual rules requires knowledge of the * firewall platform specifics, such as what set of rule * elements is supported and their semantics (e.g. is time * supported ? If yes, then what does it mean to mirror the * rule with time match?). So it is not done here to avoid * dependency on the platform. This class focuses only on * mirroring of individual objects. */ Service* getMirroredService(Service *obj); virtual void* dispatch(IPService*, void*); virtual void* dispatch(ICMPService*, void*); virtual void* dispatch(ICMP6Service*, void*); virtual void* dispatch(UDPService*, void*); virtual void* dispatch(TCPService*, void*); }; }; #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Policy.cpp000066400000000000000000000025571303637203600235030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; const char *Policy::TYPENAME={"Policy"}; Policy::Policy() : RuleSet() { setName("Policy"); } Policy::~Policy() {} Rule* Policy::createRule() { FWObjectDatabase* db=getRoot(); assert(db!=NULL); return db->createPolicyRule(); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Policy.h000066400000000000000000000034551303637203600231460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICY_HH_FLAG__ #define __POLICY_HH_FLAG__ #include "fwbuilder/FWObject.h" #include "fwbuilder/RuleSet.h" namespace libfwbuilder { class Policy : public RuleSet { public: Policy(); virtual ~Policy(); DECLARE_FWOBJECT_SUBTYPE(Policy); DECLARE_DISPATCH_METHODS(Policy); /* the following methods provide proper typization */ PolicyRule* getRuleByNum(int n) { return PolicyRule::cast(RuleSet::getRuleByNum(n)); } PolicyRule* insertRuleAtTop() { return PolicyRule::cast(RuleSet::insertRuleAtTop()); } PolicyRule* insertRuleBefore(int n){ return PolicyRule::cast(RuleSet::insertRuleBefore(n)); } PolicyRule* appendRuleAfter(int n){ return PolicyRule::cast(RuleSet::appendRuleAfter(n)); } PolicyRule* appendRuleAtBottom(){ return PolicyRule::cast(RuleSet::appendRuleAtBottom()); } virtual Rule* createRule(); }; } #endif //__POLICY_HH_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Pool.h000066400000000000000000000072601303637203600226160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POOL_HH_FLAG__ #define __POOL_HH_FLAG__ #include #include #include "fwbuilder/ThreadTools.h" namespace libfwbuilder { /** * General purpose Pool. * Object can be 'leased' from pool, * and 'released' back to pool. * All access is synchronized. */ template class Pool { typedef std::vector __vtp; typedef std::set __stp; typedef typename __vtp::iterator __vtp_i; typedef typename __stp::iterator __stp_i; private: size_t max; Mutex mutex ; Cond cond ; std::vector freepool; std::set usedpool; public: /** * Creates Pool with initial size and max size. * 'initial' objects are created immediately. * Later Pool can automatically grow up to 'max_'. */ Pool(size_t initial, size_t max_) { max = max_; for(size_t i=0;i #include #ifndef _WIN32 # include # include #endif #include #include #include #include #include #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/Constants.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Host.h" #include "fwbuilder/Tools.h" using namespace libfwbuilder; using namespace std; const string Resources::PLATFORM_RES_DIR_NAME = "platform"; const string Resources::OS_RES_DIR_NAME = "os"; Resources* Resources::global_res = NULL; map Resources::platform_res; map Resources::os_res; Resources::Resources() throw(FWException) { doc=NULL; } Resources::Resources(const string &_resF) throw(FWException) { doc = NULL; resfile = _resF; if (global_res==NULL) { global_res = this; loadRes(_resF); loadSystemResources(); } else loadRes(_resF); } Resources::~Resources() { if (doc) xmlFreeDoc(doc); } void Resources::clear() { for (map::iterator it=platform_res.begin(); it!=platform_res.end(); ++it) { delete it->second; } 
platform_res.clear(); for (map::iterator it=os_res.begin(); it!=os_res.end(); ++it) { delete it->second; } os_res.clear(); } string Resources::getXmlNodeContent(xmlNodePtr node) { string res; char* cptr= (char*)( xmlNodeGetContent(node) ); if (cptr!=NULL) { res=cptr; FREEXMLBUFF(cptr); } return res; } string Resources::getXmlNodeProp(xmlNodePtr node,string prop) { string res; char* cptr=(char*)( xmlGetProp(node,TOXMLCAST(prop.c_str()))); if (cptr!=NULL) { res=cptr; FREEXMLBUFF(cptr); } return res; } void Resources::loadRes(const std::string &rfile ) throw(FWException) { string buffer = XMLTools::readFile(rfile); doc = xmlParseMemory(buffer.c_str(), buffer.length()); // doc = xmlParseFile(rfile.c_str()); // doc = XMLTools::loadAndParseFile(rfile); if (!doc) throw FWException("Error parsing "+rfile); root = xmlDocGetRootElement(doc); if(!root || !root->name || strcmp(FROMXMLCAST(root->name), "FWBuilderResources")!=0) { xmlFreeDoc(doc); throw FWException("Invalid resources file "+rfile); } } void Resources::loadSystemResources() throw(FWException) { /* * Find and open resources for individual firewall platforms and OS. * If corresponding directory does not exist or is empty, then no * target platform support package is installed. 
So be it, not my * problem */ // string resDir=Constants::getTemplateDirectory(); string::size_type n=resfile.find_last_of("/\\"); string resDir = resfile.substr(0,n); list pllist = getDirList( resDir + FS_SEPARATOR +PLATFORM_RES_DIR_NAME, "xml" ); for (list::iterator lsi1=pllist.begin(); lsi1!=pllist.end(); lsi1++) { string::size_type n=lsi1->find_last_of("/\\")+1; string platform=lsi1->substr(n, lsi1->rfind(".xml")-n); Resources *tr=new Resources(*lsi1); platform_res[platform]=tr; } list oslist = getDirList( resDir + FS_SEPARATOR +OS_RES_DIR_NAME, "xml" ); for (list::iterator lsi2=oslist.begin(); lsi2!=oslist.end(); lsi2++) { string::size_type n=lsi2->find_last_of("/\\")+1; string os=lsi2->substr(n, lsi2->rfind(".xml")-n); Resources *tr=new Resources(*lsi2); os_res[os]=tr; } #if 0 cerr << "Loaded resources for the following modules :\n"; map p=getPlatforms(); map::iterator i1; for (i1=p.begin(); i1!=p.end(); ++i1) { cerr << (*i1).first << " " << (*i1).second << endl; } p=getOS(); for (i1=p.begin(); i1!=p.end(); ++i1) { cerr << (*i1).first << " " << (*i1).second << endl; } #endif } xmlNodePtr Resources::getXmlNode(const string& path) { return XMLTools::getXmlNodeByPath(root,path); } string Resources::getIconPath(const char* icon) { string icn; icn= getResourceStr("/FWBuilderResources/Paths/Icndir"); icn += "/"; icn += getResourceStr(string("/FWBuilderResources/UI/Icons/")+icon); return icn; } string Resources::getIconPath(const string& icon) { return getIconPath(icon.c_str()); } string Resources::getResourceStr(const string& resource_path) { xmlNodePtr node=XMLTools::getXmlNodeByPath(root,resource_path.c_str()); if (node) return getXmlNodeContent(node); return ""; } int Resources::getResourceInt(const string& resource_path) { return atoi(getResourceStr(resource_path).c_str()); } bool Resources::getResourceBool(const string& resource_path) { string res=getResourceStr(resource_path); return (res=="true" || res=="True"); } /* * Adds bodies of xml elements found 
directly under resource_path to * the list res * * * * value1 * value2 * value3 * value4 * * * * here resorce_path="/element1/element2", returned list consists of * strings value1,value2,value3,value4 */ void Resources::getResourceStrList(const string& resource_path, list &res) { xmlNodePtr node = XMLTools::getXmlNodeByPath(root, resource_path.c_str()); if (node) { xmlNodePtr c; for(c=node->xmlChildrenNode; c; c=c->next) { if ( xmlIsBlankNode(c) ) continue; res.push_back(getXmlNodeContent(c)); } } } string Resources::getObjResourceStr(const FWObject *obj, const string& resource_name) { string objid = FWObjectDatabase::getStringId(obj->getId()); string objtype = obj->getTypeName(); string res; string resource="/FWBuilderResources/Object/"+objid+"/"+resource_name; res= getResourceStr(resource); if (res.empty()) { string resource="/FWBuilderResources/Type/"+objtype+"/"+resource_name; res= getResourceStr(resource); if (res.empty()) { resource="/FWBuilderResources/Type/DEFAULT/"+resource_name; res= getResourceStr(resource); } } if (res.empty()) cerr << "Failed to locate resource for object " << obj->getName() << " (type=" << objtype << "), " << " (id=" << obj->getId() << "), resource name: " << resource_name << endl; return res; } bool Resources::getObjResourceBool(const FWObject *obj, const string& resource_name) { string res=getObjResourceStr(obj,resource_name); return (res=="true" || res=="True"); } /* * call this using appropriate Resources object, like this: * * platform_res["iptables"]->getVersion() */ string Resources::getVersion() { xmlNodePtr pn=getXmlNode("/FWBuilderResources/"); return getXmlNodeProp(pn,"version"); } /* * call this using appropriate Resources object, like this: * * platform_res["iptables"]->getCompiler() */ string Resources::getCompiler() { return getResourceStr("/FWBuilderResources/Target/compiler"); } string Resources::getInstaller() { return getResourceStr("/FWBuilderResources/Target/installer"); } string Resources::getTransferAgent() { 
return getResourceStr("/FWBuilderResources/Target/transfer_agent"); } vector Resources::getListOfPlatforms() { vector vs; for (map::iterator i1=platform_res.begin(); i1!=platform_res.end(); ++i1) { vs.push_back( (*i1).first ); } return vs; } map Resources::getPlatforms() { map vs; for (map::iterator i1=platform_res.begin(); i1!=platform_res.end(); ++i1) { Resources *res = (*i1).second; if (res) { string desc = res->getResourceStr( "/FWBuilderResources/Target/description"); vs[ (*i1).first ]=desc; } } return vs; } map Resources::getOS() { map vs; for (map::iterator i1=os_res.begin(); i1!=os_res.end(); ++i1) { Resources *res = (*i1).second; if (res) { string desc = res->getResourceStr( "/FWBuilderResources/Target/description"); vs[ (*i1).first ]=desc; } } return vs; } string Resources::getRuleElementResourceStr(const string &rel, const string &resource_name) { xmlNodePtr c,d; xmlNodePtr dptr=Resources::global_res->getXmlNode("FWBuilderResources/RuleElements"); assert (dptr!=NULL); for(c=dptr->xmlChildrenNode; c; c=c->next) { if ( xmlIsBlankNode(c) ) continue; if (rel==getXmlNodeProp(c,"RuleElement")) { d=XMLTools::getXmlChildNode(c,resource_name.c_str()); if (d) { return getXmlNodeContent(d); } } } return string(""); } bool Resources::isSystem(const FWObject *o) { return global_res->getObjResourceBool(o, "system"); } string Resources::getIconFileName(const FWObject *o) { string res; res=global_res->getResourceStr("/FWBuilderResources/Paths/Icndir"); res += "/"; res += global_res->getObjResourceStr(o, "icon"); return res; } string Resources::getNegIconFileName(const FWObject *o) { string res; res=global_res->getResourceStr("/FWBuilderResources/Paths/Icndir"); res += "/"; res += global_res->getObjResourceStr(o, "icon-neg"); return res; } string Resources::getRefIconFileName(const FWObject *o) { string res; res=global_res->getResourceStr("/FWBuilderResources/Paths/Icndir"); res += "/"; res += global_res->getObjResourceStr(o, "icon-ref"); return res; } string 
Resources::getTreeIconFileName(const FWObject *o) { string res; res=global_res->getResourceStr("/FWBuilderResources/Paths/Icndir"); res += "/"; res += global_res->getObjResourceStr(o, "icon-tree"); return res; } void Resources::setDefaultOption(FWObject *o,const string &xml_node) { xmlNodePtr pn = XMLTools::getXmlNodeByPath(root,xml_node.c_str()); if (pn==NULL) return; string optname=FROMXMLCAST(pn->name); string optval =getXmlNodeContent(pn); o->setStr(optname , optval); } void Resources::setDefaultOptionsAll(FWObject *o,const string &xml_node) { xmlNodePtr pn = XMLTools::getXmlNodeByPath(root , xml_node.c_str() ); if (pn==NULL) return; xmlNodePtr opt; for(opt=pn->xmlChildrenNode; opt; opt=opt->next) { if ( xmlIsBlankNode(opt) ) continue; setDefaultOption(o,xml_node+"/"+FROMXMLCAST(opt->name)); } } void Resources::setDefaultTargetOptions(const string &target,Firewall *fw) throw (FWException) { FWOptions *opt=fw->getOptionsObject(); Resources *r=NULL; if (platform_res.count(target)!=0) r=platform_res[target]; if (r==NULL && os_res.count(target)!=0) r=os_res[target]; if (r==NULL) throw FWException("Support module for target '"+target+"' is not available"); r->setDefaultOptionsAll(opt,"/FWBuilderResources/Target/options/default"); } void Resources::setDefaultIfaceOptions(const string &target,Interface *iface) throw (FWException) { FWOptions *opt=iface->getOptionsObject(); /* if InterfaceOptions object does not yet exist -> create one */ if (opt == NULL) { iface->add(iface->getRoot()->create(InterfaceOptions::TYPENAME)); opt = iface->getOptionsObject(); } Resources *r=NULL; if (platform_res.count(target)!=0) r=platform_res[target]; if (r==NULL && os_res.count(target)!=0) r=os_res[target]; if (r==NULL) throw FWException("Support module for target '"+target+"' is not available"); r->setDefaultOptionsAll(opt,"/FWBuilderResources/Target/options/interface"); } void Resources::setDefaultOptions(Host *h) { FWOptions *opt=h->getOptionsObject(); 
global_res->setDefaultOptionsAll(opt, "/FWBuilderResources/Type/"+h->getTypeName()+"/options"); } void Resources::setDefaultProperties(FWObject *obj) { global_res->setDefaultOptionsAll(obj, "/FWBuilderResources/Type/"+obj->getTypeName()+"/properties"); } string Resources::getTargetCapabilityStr(const string &target, const string &cap_name) throw (FWException) { Resources *r=NULL; if (platform_res.count(target)!=0) r=platform_res[target]; if (r==NULL && os_res.count(target)!=0) r=os_res[target]; if (r==NULL) throw FWException("Support module for target '"+target+"' is not available"); return r->getResourceStr("/FWBuilderResources/Target/capabilities/"+cap_name); } bool Resources::getTargetCapabilityBool(const string &target, const string &cap_name) throw (FWException) { string s=getTargetCapabilityStr(target,cap_name); return (s=="true" || s=="True"); } bool Resources::isTargetActionSupported(const string &target, const string &action) { bool res=false; try { res = getTargetCapabilityBool(target, "actions/" + action + "/supported"); } catch (FWException &ex) { } return res; } string Resources::getActionEditor(const string &target, const string &action) { string res="None"; try { res = getTargetCapabilityStr(target, "actions/" + action + "/parameter"); } catch (FWException &ex) { } return res; } string Resources::getTargetOptionStr(const string &target, const string &opt_name) throw (FWException) { Resources *r=NULL; if (platform_res.count(target)!=0) r=platform_res[target]; if (r==NULL && os_res.count(target)!=0) r=os_res[target]; if (r==NULL) throw FWException("Support module for target '"+target+"' is not available"); return r->getResourceStr("/FWBuilderResources/Target/options/"+opt_name); } bool Resources::getTargetOptionBool(const string &target, const string &opt_name) throw (FWException) { string s=getTargetOptionStr(target,opt_name); return (s=="true" || s=="True"); } 
fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Resources.h000066400000000000000000000150621303637203600236560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#ifndef _RESOURCES_HH
#define _RESOURCES_HH

#include "fwbuilder/libfwbuilder-config.h"
#include #include #include #include #include #include
#include "fwbuilder/FWObject.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"

namespace libfwbuilder
{
    class Host;
    class Firewall;
    class Interface;
    class FWOptions;
};

/*
 * Resources wraps one resource XML document (the global resources file or a
 * per-platform / per-OS support module) and exposes path-style lookups into
 * it. Static members hold the process-wide registry: global_res plus one
 * Resources per loaded platform and host OS.
 */
class Resources
{
    xmlDocPtr doc;          // parsed resource document
    xmlNodePtr root;        // document root element
    std::string resfile;    // path the document was loaded from

    static const std::string PLATFORM_RES_DIR_NAME;
    static const std::string OS_RES_DIR_NAME;

    std::string getXmlNodeContent(xmlNodePtr node);
    std::string getXmlNodeProp(xmlNodePtr node,std::string prop);
    void loadRes(const std::string &rfile ) throw(libfwbuilder::FWException);

public:
    Resources() throw(libfwbuilder::FWException);
    Resources(const std::string &resF) throw(libfwbuilder::FWException);
    ~Resources();

    void clear();
    void loadSystemResources() throw(libfwbuilder::FWException);

    // Path-style lookups ("/FWBuilderResources/...") into this document.
    xmlNodePtr getXmlNode(const std::string& path);
    std::string getIconPath(const char* icon);
    std::string getIconPath(const std::string& icon);
    std::string getResourceStr(const std::string& resource_path);
    int getResourceInt(const std::string& resource_path);
    bool getResourceBool(const std::string& resource_path);
    void getResourceStrList(const std::string& resource_path, std::list &res);

    // Lookups keyed by an object's type name.
    bool getObjResourceBool(const libfwbuilder::FWObject *obj, const std::string& resource_name);
    std::string getObjResourceStr(const libfwbuilder::FWObject *obj, const std::string& resource_name);
    std::string getRuleElementResourceStr(const std::string &rel, const std::string &resource);

    std::string getVersion();
    std::string getCompiler();
    std::string getInstaller();
    std::string getTransferAgent();

    static std::vector getListOfPlatforms();
    static std::map getPlatforms();
    static std::map getOS();

    /**
     * sets value of _one_ option using default value from resources
     */
    void setDefaultOption(libfwbuilder::FWObject *o, const std::string &xml_node);

    /**
     * sets values of _all_ options using default values from
     * resources
     */
    void setDefaultOptionsAll(libfwbuilder::FWObject *o, const std::string &xml_node);

    /**
     * This method sets default values to objects's properties (or
     * attributes) defined in DTD. Values are found in global
     * resources.
     */
    static void setDefaultProperties(libfwbuilder::FWObject *o);

    /**
     * This method sets default values to the platform-specific host
     * or firewall options. Values are found in global resources. Only
     * class Host and its descendants have child element Options, hence
     * limitation on the parameter type.
     */
    static void setDefaultOptions(libfwbuilder::Host *o);

    /**
     * This method sets default values to the platform-specific
     * firewall or OS-specific host_OS options.
     */
    static void setDefaultTargetOptions(const std::string &target, libfwbuilder::Firewall *o) throw (libfwbuilder::FWException);

    /**
     * This method sets default values to the platform-specific interface
     * or OS-specific interface options.
     */
    static void setDefaultIfaceOptions(const std::string &target, libfwbuilder::Interface *iface) throw (libfwbuilder::FWException);

    /**
     * returns string value of target's capability
     * 'cap_name'. Capabilities are stored in platform-specific xml files
     * in subtree "/FWBuilderResources/Target/capabilities"
     * Throws FWException when no support module is loaded for 'target'.
     */
    static std::string getTargetCapabilityStr(const std::string &target, const std::string &cap_name) throw (libfwbuilder::FWException);
    static bool getTargetCapabilityBool(const std::string &target, const std::string &cap_name) throw (libfwbuilder::FWException);

    /**
     * returns string value of target's option
     * 'opt_name'. Options are stored in platform-specific xml files
     * in subtree "/FWBuilderResources/Target/options"
     * Throws FWException when no support module is loaded for 'target'.
     */
    static std::string getTargetOptionStr(const std::string &target, const std::string &opt_name) throw (libfwbuilder::FWException);
    static bool getTargetOptionBool(const std::string &target, const std::string &opt_name) throw (libfwbuilder::FWException);

    // Non-throwing variants: an unknown target yields false / "None".
    static bool isTargetActionSupported(const std::string &target, const std::string &action);
    static std::string getActionEditor (const std::string &target, const std::string &action);

    static bool isSystem(const libfwbuilder::FWObject *o);
    static std::string getIconFileName(const libfwbuilder::FWObject *o);
    static std::string getNegIconFileName(const libfwbuilder::FWObject *o);
    static std::string getRefIconFileName(const libfwbuilder::FWObject *o);
    static std::string getTreeIconFileName(const libfwbuilder::FWObject *o);

    // Process-wide registry: the global resource file plus the per-platform
    // and per-host-OS support modules, keyed by platform / OS name.
    static Resources *global_res;
    static std::map platform_res;
    static std::map os_res;
};

#endif
fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Routing.cpp000066400000000000000000000033311303637203600236620ustar00rootroot00000000000000/* Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the 
Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */
#include
#include "config.h"
#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/FWObjectDatabase.h"

using namespace libfwbuilder;

const char *Routing::TYPENAME={"Routing"};

// A Routing rule set is an ordinary RuleSet whose rules are RoutingRule
// objects; the name is fixed to "Routing".
Routing::Routing() : RuleSet()
{
    setName("Routing");
}

Routing::~Routing() {}

// Factory used by RuleSet's insert/append helpers so that new rules are of
// the RoutingRule type.
// NOTE(review): the only guard against a detached rule set is assert(), which
// is compiled out in release builds; getRoot() returning NULL would then be
// dereferenced. Callers presumably only invoke this on rule sets that are
// already attached to a database -- confirm.
Rule* Routing::createRule()
{
    FWObjectDatabase* db=getRoot();
    assert(db!=NULL);
    return db->createRoutingRule();
}
fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Routing.h000066400000000000000000000042031303637203600233260ustar00rootroot00000000000000/* Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */
#ifndef __ROUTING_HH_FLAG__
#define __ROUTING_HH_FLAG__

#include "fwbuilder/FWObject.h"
#include "fwbuilder/RuleSet.h"

namespace libfwbuilder
{
    /*
     * Rule set holding RoutingRule objects. The typed wrappers below only
     * re-cast the results of the generic RuleSet operations; they do not add
     * any checks of their own.
     */
    class Routing : public RuleSet
    {
    public:
        Routing();
        virtual ~Routing();

        DECLARE_FWOBJECT_SUBTYPE(Routing);
        DECLARE_DISPATCH_METHODS(Routing);

        /* the following methods provide proper typization */
        RoutingRule* getRuleByNum(int n) { return RoutingRule::cast(RuleSet::getRuleByNum(n)); }
        RoutingRule* insertRuleAtTop() { return RoutingRule::cast(RuleSet::insertRuleAtTop()); }
        RoutingRule* insertRuleBefore(int n){ return RoutingRule::cast(RuleSet::insertRuleBefore(n));}
        RoutingRule* appendRuleAfter(int n){ return RoutingRule::cast(RuleSet::appendRuleAfter(n));}
        RoutingRule* appendRuleAtBottom(){ return RoutingRule::cast(RuleSet::appendRuleAtBottom());}

        // Creates a RoutingRule through the owning FWObjectDatabase.
        virtual Rule* createRule();
    };
}

#endif //__ROUTING_HH_FLAG__
fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Rule.cpp000066400000000000000000000753511303637203600231540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include #include #include
#include "config.h"
#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/TagService.h"
#include "fwbuilder/Interface.h"

using namespace std;
using namespace libfwbuilder;

const char *Rule::TYPENAME={"Rule"};

// Base rule: position 0, enabled, not a fallback, not hidden, no group.
// The "position", "disabled" and "group" values live in the generic string
// attribute map (setInt/setBool/setStr); fallback/hidden are plain members.
Rule::Rule()
{
    setInt("position",0);
    enable();
    setFallback(false);
    setHidden(false);
    setRuleGroupName("");
}

// Base rules have no mandatory children; subclasses create their rule elements.
void Rule::init(FWObjectDatabase*)
{
}

// Base class has no options object and no branch; subclasses override.
FWOptions* Rule::getOptionsObject() const
{
    return NULL;
}

RuleSet* Rule::getBranch()
{
    return NULL;
}

void Rule::setPosition(int n)
{
    setInt("position", n);
}

int Rule::getPosition() const
{
    return getInt("position");
}

// "disabled" is stored as a boolean attribute; disable()/enable() are the
// only writers in this block.
void Rule::disable()
{
    setBool("disabled",true);
}

void Rule::enable()
{
    setBool("disabled",false);
}

bool Rule::isDisabled() const
{
    return( getBool("disabled"));
}

// A base Rule is never considered empty or dummy; subclasses decide.
bool Rule::isEmpty()
{
    return false;
}

bool Rule::isDummyRule()
{
    return false;
}

void Rule::setBranch(RuleSet*) {};

string Rule::getRuleGroupName() const
{
    return getStr("group");
}

void Rule::setRuleGroupName(const std::string &group_name)
{
    setStr("group", group_name);
}

FWObject& Rule::shallowDuplicate(const 
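FWObject *x, bool preserve_id) throw(FWException)
{
    // Copy the compiler-only members (not stored in XML) and then let
    // FWObject copy the generic attributes and, if requested, the id.
    // The source may not be a Rule at all (constcast returns NULL then);
    // in that case only the generic FWObject part is copied, mirroring the
    // NULL guard already used by NATRule::shallowDuplicate.
    const Rule *rx=Rule::constcast(x);
    if (rx!=NULL)
    {
        fallback = rx->fallback;
        hidden = rx->hidden;
        label = rx->label;
        unique_id = rx->unique_id;
        abs_rule_number = rx->abs_rule_number;
        compiler_message = rx->compiler_message;
    }
    return FWObject::shallowDuplicate(x,preserve_id);
}

// Two rules are equal when their compiler-only members match and the generic
// FWObject comparison (attributes, optionally children) agrees. A non-Rule
// object is never equal, rather than being dereferenced through a NULL cast.
bool Rule::cmp(const FWObject *x, bool recursive) throw(FWException)
{
    const Rule *rx = Rule::constcast(x);
    if (rx == NULL) return false;
    if (fallback != rx->fallback ||
        hidden != rx->hidden ||
        label != rx->label ||
        unique_id != rx->unique_id) return false;
    return FWObject::cmp(x, recursive);
}

/***************************************************************************/

const char *PolicyRule::TYPENAME={"PolicyRule"};

// Default action is Deny; the cached rule-element pointers are resolved
// lazily by the getSrc()/getDst()/... accessors.
PolicyRule::PolicyRule()
{
    // setStr("action","Deny");
    setAction(PolicyRule::Deny);
    src_re = NULL;
    dst_re = NULL;
    srv_re = NULL;
    itf_re = NULL;
    when_re = NULL;
}

// Create the mandatory children (Src, Dst, Srv, Itf, Interval, options) if
// they are not present yet. Creation order matters: the children are written
// to XML in this order and the DTD requires it.
void PolicyRule::init(FWObjectDatabase *root)
{
    FWObject *re = getFirstByType(RuleElementSrc::TYPENAME);
    if (re == NULL)
    {
        //
        re = root->createRuleElementSrc();  assert(re!=NULL); add(re);
        src_re = RuleElementSrc::cast(re);

        re = root->createRuleElementDst();  assert(re!=NULL); add(re);
        dst_re = RuleElementDst::cast(re);

        re = root->createRuleElementSrv();  assert(re!=NULL); add(re);
        srv_re = RuleElementSrv::cast(re);

        re = root->createRuleElementItf();  assert(re!=NULL); add(re);
        itf_re = RuleElementItf::cast(re);

        re = root->createRuleElementInterval();  assert(re!=NULL); add(re);
        when_re = RuleElementInterval::cast(re);

        add( root->createPolicyRuleOptions() );
    }
}

// Copy direction/action/logging from x (when x is a PolicyRule) and reset
// the cached element pointers, which belong to the old children.
FWObject& PolicyRule::shallowDuplicate(const FWObject *x,
                                       bool preserve_id) throw(FWException)
{
    const PolicyRule *rx=PolicyRule::constcast(x);
    if (rx!=NULL)
    {
        setDirection(rx->getDirection());
        setAction(rx->getAction());
        setLogging(rx->getLogging());
    }
    src_re = NULL;
    dst_re = NULL;
    srv_re = NULL;
    itf_re = NULL;
    when_re = NULL;
    return Rule::shallowDuplicate(x, preserve_id);
}

bool PolicyRule::cmp(const FWObject *x, bool recursive) throw(FWException)
{
    const PolicyRule *rx = 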
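PolicyRule::constcast(x);
    if (rx == NULL) return false;
    if (getDirection() != rx->getDirection() ||
        getAction() != rx->getAction() ||
        getLogging() != rx->getLogging()) return false;
    return Rule::cmp(x, recursive);
}

//
// Rule element accessors. The pointer is cached on first use. Lookup is by
// child type (as NATRule already does) instead of by child position: with a
// rule loaded from a malformed or hand-edited .fwb file that lacks one of the
// elements, the positional iterator could run past end() and dereference
// garbage, whereas getFirstByType() simply yields NULL.
RuleElementSrc* PolicyRule::getSrc()
{
    if (src_re) return src_re;
    src_re = RuleElementSrc::cast(getFirstByType(RuleElementSrc::TYPENAME));
    return src_re;
}

RuleElementDst* PolicyRule::getDst()
{
    if (dst_re) return dst_re;
    dst_re = RuleElementDst::cast(getFirstByType(RuleElementDst::TYPENAME));
    return dst_re;
}

RuleElementSrv* PolicyRule::getSrv()
{
    if (srv_re) return srv_re;
    srv_re = RuleElementSrv::cast(getFirstByType(RuleElementSrv::TYPENAME));
    return srv_re;
}

RuleElementItf* PolicyRule::getItf()
{
    if (itf_re) return itf_re;
    itf_re = RuleElementItf::cast(getFirstByType(RuleElementItf::TYPENAME));
    return itf_re;
}

RuleElementInterval* PolicyRule::getWhen()
{
    if (when_re) return when_re;
    when_re = RuleElementInterval::cast(getFirstByType(RuleElementInterval::TYPENAME));
    return when_re;
}

// A rule matches "anything" when the four main elements are all "any";
// the time interval is deliberately not considered here.
bool PolicyRule::isEmpty()
{
    return (getSrc()->isAny() &&
            getDst()->isAny() &&
            getSrv()->isAny() &&
            getItf()->isAny());
}

string PolicyRule::getActionAsString() const
{
    return getActionAsString(action);
}

// static method
// Name of an Action enum value as written to XML; unknown values map to
// "Unknown" (setAction() turns that back into Deny on load).
string PolicyRule::getActionAsString(int act)
{
    switch (act) {
    case Accept:     return "Accept";
    case Deny:       return "Deny";
    case Reject:     return "Reject";
    case Scrub:      return "Scrub";
    case Return:     return "Return";
    case Skip:       return "Skip";
    case Continue:   return "Continue";
    case Accounting: return "Accounting";
    case Modify:     return "Modify";
    case Pipe:       return "Pipe";
    case Custom:     return "Custom";
    case Branch:     return "Branch";
    default:         return "Unknown";
    }
}

// Parse the XML action name. Anything unrecognised -- including a value
// that was tampered with in the data file -- falls back to the safe default,
// Deny.
void PolicyRule::setAction(const string& act)
{
    if (act=="Accept")     { setAction(Accept); return; }
    if (act=="Deny")       { setAction(Deny); return; }
    if (act=="Reject")     { setAction(Reject); return; }
    if (act=="Scrub")      { setAction(Scrub); return; }
    if 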
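(act=="Return")     { setAction(Return); return; }
    if (act=="Skip")       { setAction(Skip); return; }
    if (act=="Continue")   { setAction(Continue); return; }
    if (act=="Accounting") { setAction(Accounting); return; }
    if (act=="Modify")     { setAction(Modify); return; }
    if (act=="Pipe")       { setAction(Pipe); return; }
    if (act=="Custom")     { setAction(Custom); return; }
    if (act=="Branch")     { setAction(Branch); return; }
    setAction(Deny);
}

// Direction as written to XML; anything other than Inbound/Outbound is "Both".
string PolicyRule::getDirectionAsString() const
{
    switch (direction) {
    case Inbound:  return "Inbound";
    case Outbound: return "Outbound";
    default:       return "Both";
    }
    return "Both";
}

// Parse the XML direction; unrecognised values mean Both.
void PolicyRule::setDirection(const string& dir)
{
    if (dir=="Inbound")  { setDirection(Inbound); return; }
    if (dir=="Outbound") { setDirection(Outbound); return; }
    setDirection(Both);
}

//
// The setDummy*() methods add a reference to the database's well-known
// placeholder object to the corresponding rule element. The placeholder is
// accepted only if the index entry for the well-known id really carries the
// expected string id, so a file that reuses that numeric id for something
// else does not get an arbitrary object inserted into the rule. The element
// is located by type rather than by child position, so a rule that is
// missing the element is left untouched instead of dereferencing end().
void PolicyRule::setDummySource()
{
    FWObjectDatabase *root = getRoot();
    FWObject *dummySource = root->findInIndex(FWObjectDatabase::DUMMY_ADDRESS_ID);
    if (!dummySource ||
        (root->getStringId(dummySource->getId()) != "dummyaddressid0")) return;
    FWObject *re = getFirstByType(RuleElementSrc::TYPENAME);
    if (re == NULL) return;
    re->addRef(dummySource);
    src_re = RuleElementSrc::cast(re);
}

void PolicyRule::setDummyDestination()
{
    FWObjectDatabase *root = getRoot();
    FWObject *dummyDestination = root->findInIndex(FWObjectDatabase::DUMMY_ADDRESS_ID);
    if (!dummyDestination ||
        (root->getStringId(dummyDestination->getId()) != "dummyaddressid0")) return;
    FWObject *re = getFirstByType(RuleElementDst::TYPENAME);
    if (re == NULL) return;
    re->addRef(dummyDestination);
    dst_re = RuleElementDst::cast(re);
}

void PolicyRule::setDummyService()
{
    FWObjectDatabase *root = getRoot();
    FWObject *dummyService = root->findInIndex(FWObjectDatabase::DUMMY_SERVICE_ID);
    if (!dummyService ||
        (root->getStringId(dummyService->getId()) != "dummyserviceid0")) return;
    FWObject *re = getFirstByType(RuleElementSrv::TYPENAME);
    if (re == NULL) return;
    re->addRef(dummyService);
    srv_re = RuleElementSrv::cast(re);
}

void PolicyRule::setDummyInterface()
{
    FWObjectDatabase *root = getRoot();
    FWObject *dummyInterface = 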
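root->findInIndex(FWObjectDatabase::DUMMY_INTERFACE_ID);
    if (!dummyInterface ||
        (root->getStringId(dummyInterface->getId()) != "dummyinterfaceid0")) return;
    // Locate the Itf element by type: a rule missing the element is left
    // untouched instead of dereferencing a past-the-end child iterator.
    FWObject *re = getFirstByType(RuleElementItf::TYPENAME);
    if (re == NULL) return;
    re->addRef(dummyInterface);
    itf_re = RuleElementItf::cast(re);
}

// True when any of the four main elements references a placeholder object.
bool PolicyRule::isDummyRule()
{
    if (getSrc()->isDummy() ||
        getDst()->isDummy() ||
        getSrv()->isDummy() ||
        getItf()->isDummy()) return true;
    return false;
}

bool PolicyRule::getLogging() const
{
    return getBool("log");
}

void PolicyRule::setLogging(bool flag)
{
    setBool("log",flag);
}

// Strictly parse a decimal integer attribute: the whole text must be consumed
// and the value must fit in an int. Returns false on any deviation. Used in
// place of atoi(), which silently turns "12abc", "" or an out-of-range value
// into some number and therefore hides corruption in the data file.
static bool parseIntAttribute(const char *text, int &value)
{
    if (text == NULL || *text == '\0') return false;
    char *end = NULL;
    long parsed = strtol(text, &end, 10);
    if (end == text || *end != '\0') return false;
    if (parsed != static_cast<long>(static_cast<int>(parsed))) return false;
    value = static_cast<int>(parsed);
    return true;
}

// Load the rule's own attributes from its XML element. Attribute values come
// straight from the data file and are not trusted: "position" must be a
// well-formed integer (FWException otherwise); "action" and "direction" go
// through the string setters, which map unknown names to Deny / Both.
// "disabled", "log", "interface" and "group" are stored as strings as-is.
void PolicyRule::fromXML(xmlNodePtr root) throw(FWException)
{
    const char* n;

    FWObject::fromXML(root);

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("position")));
    if(n)
    {
        int position = 0;
        bool ok = parseIntAttribute(n, position);
        FREEXMLBUFF(n);   // release before a possible throw
        if (!ok)
            throw FWException("PolicyRule: invalid 'position' attribute");
        setInt("position", position);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("disabled")));
    if(n)
    {
        setStr("disabled",n);
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("action")));
    if(n)
    {
        setAction(string(n));
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("log")));
    if(n)
    {
        setStr("log",n);
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("interface")));
    if(n)
    {
        setStr("interface",n);
        FREEXMLBUFF(n);
    }

    n= FROMXMLCAST(xmlGetProp(root,TOXMLCAST("direction")));
    if(n)
    {
        setDirection(string(n));
        FREEXMLBUFF(n);
    }

    n= FROMXMLCAST(xmlGetProp(root,TOXMLCAST("group")));
    if(n)
    {
        setStr("group",n);
        FREEXMLBUFF(n);
    }
}

xmlNodePtr PolicyRule::toXML(xmlNodePtr parent) throw(FWException)
{
    xmlNodePtr me = FWObject::toXML(parent, false);
    xmlNewProp(me, TOXMLCAST("action"), STRTOXMLCAST(getActionAsString()));
    xmlNewProp(me, TOXMLCAST("direction"),STRTOXMLCAST(getDirectionAsString()));
    xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment()));

    FWObject *o;

    /*
     * Save children to XML file in just this order (src, dst, srv).
     * PolicyCompiler::checkForShadowing depends on it!
     * But after all, DTD requires this order.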
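* */
    if ( (o=getFirstByType( RuleElementSrc::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementDst::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementSrv::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementItf::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementInterval::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( PolicyRuleOptions::TYPENAME ))!=NULL ) o->toXML(me);

    // there should be no children Policy objects in v3
    if ( (o=getFirstByType( Policy::TYPENAME ))!=NULL ) o->toXML(me);

    return me;
}

FWOptions* PolicyRule::getOptionsObject() const
{
    return FWOptions::cast( getFirstByType(PolicyRuleOptions::TYPENAME) );
}

/*
 * FWObjectDatabase::setPredictableIds() calls this method after it
 * has updated string ID of all objects, including rule sets.
 * Re-resolving and re-storing the branch and tag references rewrites the
 * string ids held in the options object with the new ones.
 */
void PolicyRule::updateNonStandardObjectReferences()
{
    if (getAction() == PolicyRule::Branch)
    {
        RuleSet *branch_ruleset = getBranch();
        setBranch(branch_ruleset);
    }
    if (getTagging())
    {
        FWObject *tag_object = getTagObject();
        setTagObject(tag_object);
    }
}

// Resolve the rule set this rule branches to, or NULL when the action is not
// Branch or the target cannot be found. "branch_id" (an object id) wins over
// the legacy "branch_name", which is looked up among the Policy rule sets of
// the enclosing firewall. The firewall is only needed on the name path, and a
// rule that is not (or no longer) attached to a firewall yields NULL instead
// of tripping an assert that release builds compile out.
RuleSet* PolicyRule::getBranch()
{
    if (getAction() != PolicyRule::Branch) return NULL;

    string branch_id = getOptionsObject()->getStr("branch_id");
    if (!branch_id.empty())
    {
        return RuleSet::cast(getRoot()->findInIndex(
                                 FWObjectDatabase::getIntId(branch_id)));
    }

    string branch_name = getOptionsObject()->getStr("branch_name");
    if (branch_name.empty()) return NULL;

    FWObject *fw = this;
    while (fw && Firewall::cast(fw) == NULL) fw = fw->getParent();
    if (fw == NULL) return NULL;   // detached rule: nothing to search in

    return RuleSet::cast(fw->findObjectByName(Policy::TYPENAME, branch_name));
}

void PolicyRule::setBranch(RuleSet* ruleset)
{
    string branch_id = (ruleset) ? 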
FWObjectDatabase::getStringId(ruleset->getId()) : "";
    getOptionsObject()->setStr("branch_id", branch_id);
}

// The routing / classification / tagging flags live in the rule's options
// object, not in the rule's own attribute map.
bool PolicyRule::getRouting() const
{
    return getOptionsObject()->getBool("routing");
}

void PolicyRule::setRouting(bool f)
{
    getOptionsObject()->setBool("routing", f);
}

bool PolicyRule::getClassification() const
{
    return getOptionsObject()->getBool("classification");
}

void PolicyRule::setClassification(bool f)
{
    getOptionsObject()->setBool("classification", f);
}

bool PolicyRule::getTagging() const
{
    return getOptionsObject()->getBool("tagging");
}

void PolicyRule::setTagging(bool f)
{
    getOptionsObject()->setBool("tagging", f);
}

// Store the tag object's string id in the options and switch the "tagging"
// flag on or off accordingly (NULL clears both).
void PolicyRule::setTagObject(FWObject *tag_object)
{
    string tag_id = (tag_object) ?
        FWObjectDatabase::getStringId(tag_object->getId()) : "";
    getOptionsObject()->setStr("tagobject_id", tag_id);
    setTagging(tag_object && ! tag_id.empty());
}

// Resolve "tagobject_id" through the database index; NULL when tagging is
// off, the id is empty, or the object no longer exists.
FWObject* PolicyRule::getTagObject()
{
    if (getTagging())
    {
        string tagobj_id = getOptionsObject()->getStr("tagobject_id");
        if (!tagobj_id.empty())
        {
            return getRoot()->findInIndex(
                FWObjectDatabase::getIntId(tagobj_id));
        }
    }
    return NULL;
}

// The tag value comes from the referenced TagService; if the reference does
// not resolve to a TagService, the literal "tagvalue" option is used instead.
string PolicyRule::getTagValue()
{
    if (getTagging())
    {
        TagService *tagobj = TagService::cast(getTagObject());
        if (tagobj) return tagobj->getCode();
        else return getOptionsObject()->getStr("tagvalue");
    }
    return "";
}

/**
 * Add reference to given object. In case of PolicyRule this only
 * makes sense in terms of adding reference to this object as an
 * argument for actions Branch and Tag.
 * Note that, unlike FWObject::addRef, nothing is added as a child here:
 * the reference is recorded in the options object via setBranch /
 * setTagObject, and objects of any other type are silently ignored.
 */
void PolicyRule::addRef(FWObject *obj)
{
    if (RuleSet::cast(obj))
    {
        setBranch(RuleSet::cast(obj));
    }
    if (TagService::cast(obj))
    {
        setTagObject(TagService::cast(obj));
    }
}

/**
 * Removes reference to given object among children of 'this'. In case
 * of PolicyRule we should also clear reference to it if action is
 * Branch. Caveat: clear reference to it even if action is not branch
 * right now but was in the past and reference got stuck in options.
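*
 * Do the same for the TagService
 */
void PolicyRule::removeRef(FWObject *obj)
{
    if (RuleSet::cast(obj))
    {
        string branch_id = FWObjectDatabase::getStringId(obj->getId());
        string rule_branch_id = getOptionsObject()->getStr("branch_id");
        if (branch_id == rule_branch_id)
            getOptionsObject()->setStr("branch_id", "");
    }
    if (TagService::cast(obj))
    {
        string tag_id = FWObjectDatabase::getStringId(obj->getId());
        string rule_tag_id = getOptionsObject()->getStr("tagobject_id");
        if (tag_id == rule_tag_id)
            getOptionsObject()->setStr("tagobject_id", "");
    }
    FWObject::removeRef(obj);
}

/*
 * Replace references to object old_id with references to new_id. Besides the
 * ordinary child references handled by FWObject, a PolicyRule keeps two
 * references inside its options object -- "branch_id" and "tagobject_id" --
 * and both are rewritten here, matching what removeRef() clears. Each
 * rewritten reference bumps 'counter'.
 */
void PolicyRule::replaceReferenceInternal(int old_id, int new_id, int &counter)
{
    if (old_id == new_id) return;

    FWObject::replaceReferenceInternal(old_id, new_id, counter);

    string branch_id = getOptionsObject()->getStr("branch_id");
    if (!branch_id.empty())
    {
        int branch_id_int = FWObjectDatabase::getIntId(branch_id);
        if (branch_id_int == old_id)
        {
            getOptionsObject()->setStr("branch_id",
                                       FWObjectDatabase::getStringId(new_id));
            counter++;
        }
    }

    // The tag object reference was previously left pointing at old_id,
    // so replacing a TagService would silently detach the rule's tag.
    string tag_id = getOptionsObject()->getStr("tagobject_id");
    if (!tag_id.empty())
    {
        int tag_id_int = FWObjectDatabase::getIntId(tag_id);
        if (tag_id_int == old_id)
        {
            getOptionsObject()->setStr("tagobject_id",
                                       FWObjectDatabase::getStringId(new_id));
            counter++;
        }
    }
}

/***************************************************************************/

const char *NATRule::TYPENAME={"NATRule"};

// Default action is Translate; rule_type is assigned later by the compiler.
NATRule::NATRule() : Rule()
{
    rule_type = Unknown;
    setAction(NATRule::Translate);
    osrc_re = NULL;
    odst_re = NULL;
    osrv_re = NULL;
    tsrc_re = NULL;
    tdst_re = NULL;
    tsrv_re = NULL;
    itf_inb_re = NULL;
    itf_outb_re = NULL;
    when_re = NULL;
}

void NATRule::init(FWObjectDatabase *root)
{
    FWObject *re = getFirstByType(RuleElementOSrc::TYPENAME);
    if (re == NULL)
    {
        re = root->createRuleElementOSrc();  assert(re!=NULL); add(re);
        osrc_re = RuleElementOSrc::cast(re);

        re = root->createRuleElementODst();  assert(re!=NULL); add(re);
        odst_re = RuleElementODst::cast(re);

        re = root->createRuleElementOSrv();  assert(re!=NULL); add(re);
        osrv_re = RuleElementOSrv::cast(re);

        re = root->createRuleElementTSrc();  assert(re!=NULL); add(re);
        tsrc_re = RuleElementTSrc::cast(re);

        re = root->createRuleElementTDst();  assert(re!=NULL); add(re);
        tdst_re = RuleElementTDst::cast(re);
        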
re = root->createRuleElementTSrv();  assert(re!=NULL); add(re);
        tsrv_re = RuleElementTSrv::cast(re);

        re = root->createRuleElementItfInb();  assert(re!=NULL); add(re);
        itf_inb_re = RuleElementItfInb::cast(re);

        re = root->createRuleElementItfOutb();  assert(re!=NULL); add(re);
        itf_outb_re = RuleElementItfOutb::cast(re);

        add( root->createNATRuleOptions() );
    }
}

/**
 * Add reference to given object. In case of NATRule this only
 * makes sense in terms of adding reference to this object as an
 * argument for action Branch.
 * Nothing is added as a child; non-RuleSet objects are ignored.
 */
void NATRule::addRef(FWObject *obj)
{
    if (RuleSet::cast(obj))
    {
        setBranch(RuleSet::cast(obj));
    }
}

/**
 * Removes reference to given object among children of 'this'. In case
 * of NATRule we should also clear reference to it if action is
 * Branch. Caveat: clear reference to it even if action is not branch
 * right now but was in the past and reference got stuck in options.
 */
void NATRule::removeRef(FWObject *obj)
{
    if (RuleSet::cast(obj))
    {
        string branch_id = FWObjectDatabase::getStringId(obj->getId());
        string rule_branch_id = getOptionsObject()->getStr("branch_id");
        if (branch_id == rule_branch_id)
            getOptionsObject()->setStr("branch_id", "");
    }
    FWObject::removeRef(obj);
}

// Rule element accessors: looked up by child type and cached on first use.
// The cached pointer may be NULL if the element is missing from the rule.
RuleElementOSrc* NATRule::getOSrc()
{
    if (osrc_re) return osrc_re;
    osrc_re = RuleElementOSrc::cast(getFirstByType(RuleElementOSrc::TYPENAME));
    return osrc_re;
}

RuleElementODst* NATRule::getODst()
{
    if (odst_re) return odst_re;
    odst_re = RuleElementODst::cast(getFirstByType(RuleElementODst::TYPENAME));
    return odst_re;
}

RuleElementOSrv* NATRule::getOSrv()
{
    if (osrv_re) return osrv_re;
    osrv_re = RuleElementOSrv::cast(getFirstByType(RuleElementOSrv::TYPENAME));
    return osrv_re;
}

RuleElementTSrc* NATRule::getTSrc()
{
    if (tsrc_re) return tsrc_re;
    tsrc_re = RuleElementTSrc::cast(getFirstByType(RuleElementTSrc::TYPENAME));
    return tsrc_re;
}

RuleElementTDst* NATRule::getTDst()
{
    if (tdst_re) return tdst_re;
    tdst_re = RuleElementTDst::cast(getFirstByType(RuleElementTDst::TYPENAME));
    return 
tdst_re;
}

RuleElementTSrv* NATRule::getTSrv()
{
    if (tsrv_re) return tsrv_re;
    tsrv_re = RuleElementTSrv::cast(getFirstByType(RuleElementTSrv::TYPENAME));
    return tsrv_re;
}

RuleElementInterval* NATRule::getWhen()
{
    if (when_re) return when_re;
    when_re = RuleElementInterval::cast(getFirstByType(RuleElementInterval::TYPENAME));
    return when_re;
}

RuleElementItfInb* NATRule::getItfInb()
{
    if (itf_inb_re) return itf_inb_re;
    itf_inb_re = RuleElementItfInb::cast(getFirstByType(RuleElementItfInb::TYPENAME));
    return itf_inb_re;
}

RuleElementItfOutb* NATRule::getItfOutb()
{
    if (itf_outb_re) return itf_outb_re;
    itf_outb_re = RuleElementItfOutb::cast(getFirstByType(RuleElementItfOutb::TYPENAME));
    return itf_outb_re;
}

string NATRule::getActionAsString() const
{
    return getActionAsString(action);
}

// static method
// Only two NAT actions exist; Branch is written as "NATBranch".
string NATRule::getActionAsString(int act)
{
    if (act == Branch) return "NATBranch";
    return "Translate";
}

// Parse the XML action name; both "Branch" (legacy) and "NATBranch" select
// Branch, anything else falls back to Translate.
void NATRule::setAction(const string& act)
{
    if (act=="Translate") { setAction(Translate); return; }
    if (act=="Branch")    { setAction(Branch); return; }
    if (act=="NATBranch") { setAction(Branch); return; }
    setAction(Translate);
}

// All eight address/service/interface elements must be "any"; the time
// interval is not considered.
bool NATRule::isEmpty()
{
    RuleElement *osrc = getOSrc();
    RuleElement *odst = getODst();
    RuleElement *osrv = getOSrv();
    RuleElement *tsrc = getTSrc();
    RuleElement *tdst = getTDst();
    RuleElement *tsrv = getTSrv();
    RuleElement *itf_inb = getItfInb();
    RuleElement *itf_outb = getItfOutb();
    return (osrc->isAny() &&
            odst->isAny() &&
            osrv->isAny() &&
            tsrc->isAny() &&
            tdst->isAny() &&
            tsrv->isAny() &&
            itf_inb->isAny() &&
            itf_outb->isAny());
}

// Load attributes from the XML element. Values come from the data file and
// are not validated here: "disabled", "position" and "group" are stored as
// raw strings (compare PolicyRule::fromXML, which converts "position" to an
// int), and "action" goes through setAction(), which maps unknown names to
// Translate.
void NATRule::fromXML(xmlNodePtr root) throw(FWException)
{
    const char* n;

    FWObject::fromXML(root);

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("action")));
    if(n)
    {
        setAction(string(n));
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("disabled")));
    if(n)
    {
        setStr("disabled",n);
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("position")));
    if(n)
    {
        setStr("position",n);
        FREEXMLBUFF(n);
    }

    n= 
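FROMXMLCAST(xmlGetProp(root,TOXMLCAST("group")));
    if(n)
    {
        setStr("group",n);
        FREEXMLBUFF(n);
    }
}

// Serialise the rule; children are written in the DTD order.
xmlNodePtr NATRule::toXML(xmlNodePtr parent) throw(FWException)
{
    xmlNodePtr me = FWObject::toXML(parent, false);
    // xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName()));
    xmlNewProp(me, TOXMLCAST("action"), STRTOXMLCAST(getActionAsString()));
    xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment()));

    FWObject *o;

    if ( (o=getFirstByType( RuleElementOSrc::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementODst::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementOSrv::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementTSrc::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementTDst::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementTSrv::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementItfInb::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementItfOutb::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementInterval::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( NATRuleOptions::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( NAT::TYPENAME ))!=NULL ) o->toXML(me);

    return me;
}

FWOptions* NATRule::getOptionsObject() const
{
    return FWOptions::cast( getFirstByType(NATRuleOptions::TYPENAME) );
}

// Resolve the NAT rule set this rule branches to, or NULL when the action is
// not Branch or the target cannot be found. "branch_id" (an object id) wins
// over the legacy "branch_name", which is looked up among the NAT rule sets
// of the enclosing firewall. The firewall is located the same way
// PolicyRule::getBranch does it -- by walking up to the nearest Firewall --
// instead of assuming getParent()->getParent() is non-NULL and is the
// firewall; a detached rule yields NULL.
RuleSet* NATRule::getBranch()
{
    if (getAction() != NATRule::Branch) return NULL;

    string branch_id = getOptionsObject()->getStr("branch_id");
    if (!branch_id.empty())
    {
        return RuleSet::cast(getRoot()->findInIndex(
                                 FWObjectDatabase::getIntId(branch_id)));
    }

    string branch_name = getOptionsObject()->getStr("branch_name");
    if (branch_name.empty()) return NULL;

    FWObject *fw = this;
    while (fw && Firewall::cast(fw) == NULL) fw = fw->getParent();
    if (fw == NULL) return NULL;   // detached rule: nothing to search in

    return RuleSet::cast(fw->findObjectByName(NAT::TYPENAME, branch_name));
}

void NATRule::setBranch(RuleSet* ruleset)
{
    string branch_id = (ruleset) ? 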
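FWObjectDatabase::getStringId(ruleset->getId()) : "";
    getOptionsObject()->setStr("branch_id", branch_id);
}

NATRule::NATRuleTypes NATRule::getRuleType() const
{
    return rule_type;
}

// Human-readable name of the compiler-assigned rule type.
string NATRule::getRuleTypeAsString() const
{
    switch (rule_type) {
    case SNAT:      return("SNAT");
    case DNAT:      return("DNAT");
    case SDNAT:     return("SDNAT");
    case Masq:      return("Masq");
    case SNetnat:   return("SNetnat");
    case DNetnat:   return("DNetnat");
    case Redirect:  return("Redirect");
    case Return:    return("Return");
    case Skip:      return("Skip");
    case Continue:  return("Continue");
    case LB:        return("LB");
    case NONAT:     return("NONAT");
    case NATBranch: return("NATBranch");
    default:        return("Unknown");
    }
}

void NATRule::setRuleType(NATRuleTypes rt)
{
    rule_type=rt;
}

// Copy rule_type and action from x when x is a NATRule, reset the cached
// element pointers (they belong to the old children) and let Rule copy the
// rest. Previously rule_type was guarded against a NULL cast but the action
// copy was not, so duplicating from a non-NATRule dereferenced NULL.
FWObject& NATRule::shallowDuplicate(const FWObject *x,
                                    bool preserve_id) throw(FWException)
{
    const NATRule *rx = NATRule::constcast(x);
    if (rx!=NULL)
    {
        rule_type = rx->rule_type;
        setAction(rx->getAction());
    }
    osrc_re = NULL;
    odst_re = NULL;
    osrv_re = NULL;
    tsrc_re = NULL;
    tdst_re = NULL;
    tsrv_re = NULL;
    itf_inb_re = NULL;
    itf_outb_re = NULL;
    when_re = NULL;
    return Rule::shallowDuplicate(x, preserve_id);
}

bool NATRule::cmp(const FWObject *x, bool recursive) throw(FWException)
{
    const NATRule *rx = NATRule::constcast(x);
    if (rx == NULL) return false;
    if (getAction() != rx->getAction()) return false;
    return Rule::cmp(x, recursive);
}

/***************************************************************************/

const char *RoutingRule::TYPENAME={"RoutingRule"};

// Routing rules start with an undefined type, no sorted destination ids and
// metric 0.
RoutingRule::RoutingRule() : Rule()
{
    rule_type=Undefined;
    sorted_dst_ids="";
    setMetric(0);
}

// Create the mandatory children (RDst, RGtw, RItf, options) if absent.
void RoutingRule::init(FWObjectDatabase *root)
{
    FWObject *re = getFirstByType(RuleElementRDst::TYPENAME);
    if (re == NULL)
    {
        re = root->createRuleElementRDst();  assert(re!=NULL); add(re);
        re = root->createRuleElementRGtw();  assert(re!=NULL); add(re);
        re = root->createRuleElementRItf();  assert(re!=NULL); add(re);
        add( root->createRoutingRuleOptions() );
    }
}

RuleElementRDst* RoutingRule::getRDst() const 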
{
    return RuleElementRDst::cast(getFirstByType(RuleElementRDst::TYPENAME));
}

// Element accessors: looked up by child type on every call (not cached).
RuleElementRGtw* RoutingRule::getRGtw() const
{
    return RuleElementRGtw::cast(getFirstByType(RuleElementRGtw::TYPENAME));
}

RuleElementRItf* RoutingRule::getRItf() const
{
    return RuleElementRItf::cast(getFirstByType(RuleElementRItf::TYPENAME));
}

bool RoutingRule::isEmpty()
{
    RuleElement *rdst=getRDst();
    RuleElement *rgtw=getRGtw();
    RuleElement *ritf=getRItf();
    return (rdst->isAny() && rgtw->isAny() && ritf->isAny());
}

// "metric" is stored as an integer attribute on the rule itself.
int RoutingRule::getMetric() const
{
    return getInt("metric");
}

string RoutingRule::getMetricAsString() const
{
    stringstream s;
    s << getMetric();
    return s.str();
}

void RoutingRule::setMetric(const int metric)
{
    setInt("metric", metric);
}

// NOTE(review): atoi() silently maps a non-numeric, empty or out-of-range
// string to some integer (usually 0, with a negative value passed through),
// so malformed input from a file or the UI is accepted without complaint.
void RoutingRule::setMetric(string metric)
{
    int imetric = atoi(metric.c_str());
    setInt("metric", imetric);
}

// Load attributes from the XML element. "disabled", "metric", "position" and
// "group" are stored as raw strings exactly as found in the file; no
// validation is done here, so a malformed "metric" is only discovered when
// getInt("metric") converts it later.
void RoutingRule::fromXML(xmlNodePtr root) throw(FWException)
{
    const char* n;

    FWObject::fromXML(root);

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("disabled")));
    if(n)
    {
        setStr("disabled",n);
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("metric")));
    if(n)
    {
        setStr("metric",n);
        FREEXMLBUFF(n);
    }

    n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("position")));
    if(n)
    {
        setStr("position",n);
        FREEXMLBUFF(n);
    }

    n= FROMXMLCAST(xmlGetProp(root,TOXMLCAST("group")));
    if(n)
    {
        setStr("group",n);
        FREEXMLBUFF(n);
    }
}

// Serialise the rule; children are written in the DTD order.
xmlNodePtr RoutingRule::toXML(xmlNodePtr parent) throw(FWException)
{
    xmlNodePtr me = FWObject::toXML(parent, false);
    // xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName()));
    xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment()));

    FWObject *o;

    if ( (o=getFirstByType( RuleElementRDst::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementRGtw::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RuleElementRItf::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( RoutingRuleOptions::TYPENAME ))!=NULL ) o->toXML(me);
    if ( (o=getFirstByType( Routing::TYPENAME ))!=NULL ) o->toXML(me);

    return me;
} FWOptions* RoutingRule::getOptionsObject() const { return FWOptions::cast( getFirstByType(RoutingRuleOptions::TYPENAME) ); } RuleSet* RoutingRule::getBranch() { FWObject *fw = getParent()->getParent(); assert(fw!=NULL); string branch_id = getOptionsObject()->getStr("branch_id"); if (!branch_id.empty()) { return RuleSet::cast(getRoot()->findInIndex( FWObjectDatabase::getIntId(branch_id))); } else { string branch_name = getOptionsObject()->getStr("branch_name"); if (!branch_name.empty()) return RuleSet::cast(fw->findObjectByName(Routing::TYPENAME, branch_name)); else return NULL; } } RoutingRule::RoutingRuleTypes RoutingRule::getRuleType() const { return rule_type; } string RoutingRule::getRuleTypeAsString() const { switch (rule_type) { case Undefined: return("Undefined"); case SinglePath: return("Single Path"); case MultiPath: return("Multi Path"); default: return("Unknown"); } } void RoutingRule::setRuleType(RoutingRuleTypes rt) { rule_type=rt; } FWObject& RoutingRule::duplicate(const FWObject *x, bool preserve_id) throw(FWException) { Rule::duplicate(x,preserve_id); const RoutingRule *rx = RoutingRule::constcast(x); if (rx!=NULL) { rule_type = rx->rule_type; sorted_dst_ids = rx->sorted_dst_ids; } return *this; } void RoutingRule::setSortedDstIds(const string& ids) { sorted_dst_ids = ids; } string RoutingRule::getSortedDstIds() const { return sorted_dst_ids; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Rule.h000066400000000000000000000334031303637203600226120ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __RULE_HH_FLAG__ #define __RULE_HH_FLAG__ #include "fwbuilder/Group.h" namespace libfwbuilder { class FWOptions; class RuleElementSrc; class RuleElementDst; class RuleElementSrv; class RuleElementItf; class RuleElementOSrc; class RuleElementODst; class RuleElementOSrv; class RuleElementTSrc; class RuleElementTDst; class RuleElementTSrv; class RuleElementItfInb; class RuleElementItfOutb; class RuleElementInterval; class RuleElementRDst; class RuleElementRGtw; class RuleElementRItf; class RuleSet; class Rule : public Group { /* these members are used only by compilers and are not stored in XML */ std::string label; bool fallback; bool hidden; std::string unique_id; int abs_rule_number; /* compilers store warnings and errors associated with this rule here. */ std::string compiler_message; public: Rule(); /** * This method should create any standard mandatory child objects * the object might need. 
*/ virtual void init(FWObjectDatabase *root); DECLARE_FWOBJECT_SUBTYPE(Rule); DECLARE_DISPATCH_METHODS(Rule); void setPosition(int n); int getPosition() const; void setCompilerMessage(const std::string &msg) { compiler_message = msg; } std::string getCompilerMessage() { return compiler_message; } void disable(); void enable(); bool isDisabled() const; bool isFallback() const { return fallback; } void setFallback(bool f) { fallback=f; } bool isHidden() const { return hidden; } void setHidden(bool f) { hidden=f; } std::string getUniqueId() const { return unique_id; } void setUniqueId(const std::string &str) { unique_id=str; } std::string getLabel() const { return label; } void setLabel(const std::string &l) { label=l; } std::string getRuleGroupName() const; void setRuleGroupName(const std::string &group_name); int getAbsRuleNumber() const { return abs_rule_number; } void setAbsRuleNumber(int rn) { abs_rule_number=rn; } virtual bool isEmpty(); virtual bool isDummyRule(); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); virtual FWOptions* getOptionsObject() const; // find branch ruleset for policy rules with action Branch // We may support some kind of branching in NAT in the future, so // lets make this method virtual. 
virtual RuleSet* getBranch(); virtual void setBranch(RuleSet *ruleset); virtual bool isPrimaryObject() const { return false; } }; class PolicyRule : public Rule { public: /* * Supported policy rule actions: * * Accept - accept the packet, analysis terminates * * Reject - reject the packet and send ICMP 'unreachable' or * TCP RST back to sender, analysis terminates * * Deny - drop the packet, nothing is sent back to sender, * analysis terminates * * Scrub - run the packet through normalizer (see 'scrub' in * PF), continue analysis * * Return - action used internally, meaning may depend on * implementation of the policy compiler but generally * means return from the block of rules * * Skip - skip N rules down and continue analysis. Used * internally. * * Continue - do nothing, continue analysis. Used internally. * * Accounting - generate target firewall platform rule to count * the packet and continue analysis. * * Modify - edit the packet (change some header values, like * TOS bits) or mark it somehow if the kernel supports * that (e.g. target MARK in iptables) * * Branch - * * Route - * */ typedef enum { Unknown, Accept, Reject, Deny, Scrub, Return, Skip, Continue, Accounting, Modify, Pipe, Custom, Branch} Action; typedef enum { Undefined, Inbound, Outbound, Both } Direction; private: libfwbuilder::RuleElementSrc* src_re; libfwbuilder::RuleElementDst* dst_re; libfwbuilder::RuleElementSrv* srv_re; libfwbuilder::RuleElementItf* itf_re; libfwbuilder::RuleElementInterval* when_re; Action action; Direction direction; protected: virtual void updateNonStandardObjectReferences(); public: PolicyRule(); /** * This method should create any standard mandatory child objects * the object might need. 
*/ virtual void init(FWObjectDatabase *root); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML (xmlNodePtr parent) throw(FWException); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(PolicyRule); DECLARE_DISPATCH_METHODS(PolicyRule); virtual FWOptions* getOptionsObject() const; virtual RuleSet* getBranch(); virtual void setBranch(RuleSet *ruleset); virtual bool isEmpty(); virtual bool isDummyRule(); /** * Removes reference to given object among * children of 'this'. */ virtual void removeRef(FWObject *obj); /** * Add reference to given object to 'this'. In case of a PolicyRule, * change action and add parameter if @obj is TagService or RuleSet. */ virtual void addRef(FWObject *obj); /** * if this object has any references as its children, replace IDs * these references point to. This overloaded method also replaces * references to branch rulesets. 
*/ virtual void replaceReferenceInternal(int old_id, int new_id, int &counter); libfwbuilder::RuleElementSrc* getSrc() ; libfwbuilder::RuleElementDst* getDst() ; libfwbuilder::RuleElementSrv* getSrv() ; libfwbuilder::RuleElementItf* getItf() ; libfwbuilder::RuleElementInterval* getWhen() ; Action getAction() const { return action; } void setAction(Action act) { action = act; } static std::string getActionAsString(int act); std::string getActionAsString() const; void setAction(const std::string& act); Direction getDirection() const { return direction; } void setDirection(Direction dir) { direction = dir; } std::string getDirectionAsString() const; void setDirection(const std::string& dir); void setDummySource(); void setDummyDestination(); void setDummyService(); void setDummyInterface(); bool getLogging() const; void setLogging(bool flag); // return true if rule does tagging bool getTagging() const; void setTagging(bool f); // return true if rule does routing bool getRouting() const; void setRouting(bool f); // return true if rule does classification bool getClassification() const; void setClassification(bool f); // find TagService object for rules that do tagging FWObject* getTagObject(); std::string getTagValue(); void setTagObject(FWObject *tag_object); }; class NATRule : public Rule { public: typedef enum { Translate, Branch } NATAction; /* * Supported NAT rule types: * * Unknown - Uknown action * * NONAT - Exception to other nat rules * * SNAT - Source NAT - Translate Source Address * * Masq - Masquerading. * * DNAT - Destnation NAT - Translate Destination Address. * * SDNAT - Source & Destination NAT - Translate both source and * destination addresses. * * SNetNAT - Source Network Translation - Translate source * address network. * * DNetNAT - Destination Network Translation - Translate * destination address network. * * Redirect - Redirect to firewall - Translate destination to a * firewall address. * * Return - Internal use for rule chains. 
* * Skip - * * Continue - Internal use for nat rules with negation. * * LB - NAT Rule that does load ballencing. * * NOTE: Not all types supported on all platforms. * */ typedef enum { Unknown, NONAT, NATBranch, SNAT, Masq, DNAT, SDNAT, SNetnat, DNetnat, Redirect , Return , Skip , Continue , LB } NATRuleTypes; private: libfwbuilder::RuleElementOSrc* osrc_re; libfwbuilder::RuleElementODst* odst_re; libfwbuilder::RuleElementOSrv* osrv_re; libfwbuilder::RuleElementTSrc* tsrc_re; libfwbuilder::RuleElementTDst* tdst_re; libfwbuilder::RuleElementTSrv* tsrv_re; libfwbuilder::RuleElementItfInb* itf_inb_re; libfwbuilder::RuleElementItfOutb* itf_outb_re; libfwbuilder::RuleElementInterval* when_re; NATAction action; NATRuleTypes rule_type; public: NATRule(); /** * This method should create any standard mandatory child objects * the object might need. */ virtual void init(FWObjectDatabase *root); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML (xmlNodePtr parent) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(NATRule); DECLARE_DISPATCH_METHODS(NATRule); virtual FWOptions* getOptionsObject() const; virtual RuleSet* getBranch(); virtual void setBranch(RuleSet *ruleset); virtual bool isEmpty(); /** * Removes reference to given object among * children of 'this'. */ virtual void removeRef(FWObject *obj); /** * Add reference to given object to 'this'. In case of a PolicyRule, * change action and add parameter if @obj is TagService or RuleSet. 
*/ virtual void addRef(FWObject *obj); libfwbuilder::RuleElementOSrc* getOSrc(); libfwbuilder::RuleElementODst* getODst(); libfwbuilder::RuleElementOSrv* getOSrv(); libfwbuilder::RuleElementTSrc* getTSrc(); libfwbuilder::RuleElementTDst* getTDst(); libfwbuilder::RuleElementTSrv* getTSrv(); libfwbuilder::RuleElementItfInb* getItfInb(); libfwbuilder::RuleElementItfOutb* getItfOutb(); libfwbuilder::RuleElementInterval* getWhen(); NATAction getAction() const { return action; } void setAction(NATAction act) { action = act; } static std::string getActionAsString(int act); std::string getActionAsString() const; void setAction(const std::string& act); NATRuleTypes getRuleType() const; std::string getRuleTypeAsString() const; void setRuleType(NATRuleTypes rt); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); }; class RoutingRule : public Rule { public: typedef enum { Undefined, SinglePath, MultiPath } RoutingRuleTypes; private: RoutingRuleTypes rule_type; std::string sorted_dst_ids; // int ecmp_id; // Unused public: RoutingRule(); /** * This method should create any standard mandatory child objects * the object might need. 
*/ virtual void init(FWObjectDatabase *root); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(RoutingRule); DECLARE_DISPATCH_METHODS(RoutingRule); virtual FWOptions* getOptionsObject() const; virtual RuleSet* getBranch(); virtual bool isEmpty(); int getMetric() const; void setMetric(int metric); void setMetric(std::string metric); std::string getMetricAsString() const; libfwbuilder::RuleElementRDst* getRDst() const; libfwbuilder::RuleElementRGtw* getRGtw() const; libfwbuilder::RuleElementRItf* getRItf() const; RoutingRuleTypes getRuleType() const; std::string getRuleTypeAsString() const; void setRuleType(RoutingRuleTypes rt); void setSortedDstIds(const std::string& ids); std::string getSortedDstIds() const; virtual FWObject& duplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); }; } #endif //__RULE_HH_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/RuleElement.cpp000066400000000000000000000437461303637203600244720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
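To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

// NOTE(review): this #include has no target in the text as received.
#include
#include "config.h"
#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/TagService.h"
#include "fwbuilder/Interval.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWObjectReference.h"
#include "fwbuilder/FWServiceReference.h"
#include "fwbuilder/FWIntervalReference.h"
#include "fwbuilder/XMLTools.h"
// NOTE(review): this #include has no target in the text as received.
#include

using namespace std;
using namespace libfwbuilder;

const char *RuleElement::TYPENAME = {"RuleElement"};

// A freshly created rule element is not negated.
RuleElement::RuleElement()
{
    setNeg(false);
}

/*
 * Attaches the element to 'root' and, unless it already holds its "any"
 * object, adds a reference to it. While objects are being loaded from an XML
 * file the "any" object may not have been read yet (it can sit at the bottom
 * of the file); then root->checkIndex() finds nothing and no reference is
 * added here, because it will be added when the file's own reference is read.
 */
void RuleElement::init(FWObjectDatabase *root)
{
    setRoot(root);
    int any_id = getAnyElementId();
    FWObject *any_obj = getById(any_id);
    if (any_obj == NULL)
    {
        any_obj = root->checkIndex(any_id);
        if (any_obj) FWObject::addRef(any_obj);
    }
}

/*
 * Reads the "neg" attribute ("1" or "true", case-insensitive, turns negation
 * on) and then the common FWObject content. An absent attribute leaves
 * 'negation' unchanged.
 */
void RuleElement::fromXML(xmlNodePtr root) throw(FWException)
{
    const char *n = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("neg")));
    if (n)
    {
        negation = (cxx_strcasecmp(n, "1") == 0 || cxx_strcasecmp(n, "true") == 0);
        FREEXMLBUFF(n);
    }
    FWObject::fromXML(root);
}

/*
 * Serialises the element without an "id" attribute: FWObject::toXML() skips
 * the id when it is -1, and the DTD gives RuleElement objects no id. The
 * real id is restored afterwards, also when FWObject::toXML() throws, so an
 * aborted save cannot leave the object with id -1 in memory.
 */
xmlNodePtr RuleElement::toXML(xmlNodePtr xml_parent_node) throw(FWException)
{
    int my_id = getId();
    setId(-1);
    xmlNodePtr me;
    try
    {
        me = FWObject::toXML(xml_parent_node, false);
    }
    catch (...)
    {
        setId(my_id);
        throw;
    }
    setId(my_id);
    xmlNewProp(me, TOXMLCAST("neg"), TOXMLCAST(((getNeg()) ? "True" : "False")));
    return me;
}

/*
 * Copies the negation flag when 'other' is a RuleElement, then the common
 * FWObject state via FWObject::shallowDuplicate().
 */
FWObject& RuleElement::shallowDuplicate(const FWObject *other, bool preserve_id) throw(FWException)
{
    const RuleElement *other_re = RuleElement::constcast(other);
    if (other_re != NULL) setNeg(other_re->getNeg());
    return FWObject::shallowDuplicate(other, preserve_id);
}

/*
 * Adds a reference to 'obj'. If the element currently holds only "any", that
 * reference is dropped afterwards so "any" does not coexist with a concrete
 * object.
 */
void RuleElement::addRef(FWObject *obj)
{
    FWObject *any_target = NULL;
    if (isAny())
    {
        FWReference *ref = FWReference::cast(*begin());
        if (ref != NULL) any_target = ref->getPointer();
    }
    FWObject::addRef(obj);
    if (any_target != NULL) removeRef(any_target);
}

/*
 * Removes the reference to 'obj'; when that leaves the element with no
 * children, a reference to the element's "any" object is put back so the
 * element never stays empty.
 */
void RuleElement::removeRef(FWObject *obj)
{
    FWObject::removeRef(obj);
    if (getChildrenCount() == 0)
    {
        FWObject *any = obj->getRoot()->findInIndex(getAnyElementId());
        if (any) addRef(any);
    }
}

/*
 * True when the element's only child is a reference to the "any" object.
 * A lone child that is not a reference counts as "not any" instead of being
 * dereferenced as one.
 */
bool RuleElement::isAny() const
{
    if (getChildrenCount() != 1) return false;
    const FWReference *ref = FWReference::constcast(front());
    return ref != NULL && ref->getPointerIdDirect() == getAnyElementId();
}

// Adds a reference to the element's "any" object if the index knows it.
void RuleElement::setAnyElement()
{
    int any_id = getAnyElementId();
    FWObject *any = getRoot()->findInIndex(any_id);
    if (any) addRef(any);
}

// Back to the initial state: only "any", not negated.
void RuleElement::reset()
{
    clearChildren();
    setAnyElement();
    setNeg(false);
}

// Base class has no "any" object; subclasses return the matching id.
int RuleElement::getAnyElementId() const
{
    return -1;
}

const char *RuleElementSrc::TYPENAME = {"Src"};

RuleElementSrc::RuleElementSrc() {}

// "any" for a source element is the any-address object.
int RuleElementSrc::getAnyElementId() const
{
    return FWObjectDatabase::ANY_ADDRESS_ID;
}

// Element node followed by one child node per referenced object.
xmlNodePtr RuleElementSrc::toXML(xmlNodePtr parent) throw(FWException)
{
    xmlNodePtr me = RuleElement::toXML(parent);
    for (FWObject::const_iterator j = begin(); j != end(); ++j)
        (*j)->toXML(me);
    return me;
}

// Accepts object references, the "any" address, and whatever ObjectGroup accepts.
bool RuleElementSrc::validateChild(FWObject *o)
{
    if (FWObjectReference::cast(o) != NULL) return true;
    if (o->getId() == getAnyElementId()) return true;
    return ObjectGroup::validateChild(o);
}

int RuleElementSrc::getDummyElementId() const
{
    return FWObjectDatabase::DUMMY_ADDRESS_ID;
}

// True when one of the referenced objects is the dummy address placeholder.
bool RuleElementSrc::isDummy() const
{
    for (FWObject::const_iterator i1 = begin(); i1 != end(); ++i1)
    {
        if (FWObject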
*obj = FWObjectReference::getObject(*i1)) if ((obj->getId() == FWObjectDatabase::DUMMY_ADDRESS_ID) && FWObjectDatabase::getStringId(obj->getId()) == "dummyaddressid0") return true; } return false; } const char *RuleElementDst::TYPENAME={"Dst"}; RuleElementDst::RuleElementDst() {} int RuleElementDst::getAnyElementId() const { return FWObjectDatabase::ANY_ADDRESS_ID; } xmlNodePtr RuleElementDst::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = RuleElement::toXML(parent); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } bool RuleElementDst::validateChild(FWObject *o) { if (FWObjectReference::cast(o)!=NULL) return true; if ( o->getId() == getAnyElementId()) return true; return ObjectGroup::validateChild(o); } int RuleElementDst::getDummyElementId() const { return FWObjectDatabase::DUMMY_ADDRESS_ID; } bool RuleElementDst::isDummy() const { for (FWObject::const_iterator i1 = begin(); i1 != end(); ++i1) { if (FWObject *obj = FWObjectReference::getObject(*i1)) if ((obj->getId() == FWObjectDatabase::DUMMY_ADDRESS_ID) && FWObjectDatabase::getStringId(obj->getId()) == "dummyaddressid0") return true; } return false; } const char *RuleElementSrv::TYPENAME={"Srv"}; RuleElementSrv::RuleElementSrv() {} int RuleElementSrv::getAnyElementId() const { return FWObjectDatabase::ANY_SERVICE_ID; } xmlNodePtr RuleElementSrv::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = RuleElement::toXML(parent); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } bool RuleElementSrv::validateChild(FWObject *o) { if (FWServiceReference::cast(o)!=NULL) return true; if ( o->getId() == getAnyElementId()) return true; return ServiceGroup::validateChild(o); } int RuleElementSrv::getDummyElementId() const { return FWObjectDatabase::DUMMY_SERVICE_ID; } bool RuleElementSrv::isDummy() const { for (FWObject::const_iterator i1 = begin(); i1 != end(); ++i1) { if (FWObject *obj = FWObjectReference::getObject(*i1)) if 
((obj->getId() == FWObjectDatabase::DUMMY_SERVICE_ID) && FWObjectDatabase::getStringId(obj->getId()) == "dummyserviceid0") return true; } return false; } const char *RuleElementItf::TYPENAME={"Itf"}; RuleElementItf::RuleElementItf() {} int RuleElementItf::getAnyElementId() const { return FWObjectDatabase::ANY_ADDRESS_ID; } xmlNodePtr RuleElementItf::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = RuleElement::toXML(parent); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } bool RuleElementItf::validateChild(FWObject *o) { if (FWObjectReference::cast(o)!=NULL) return true; if (o->getId() == getAnyElementId()) return true; if (Interface::cast(o)!=NULL) return true; if (ObjectGroup::cast(o)!=NULL && o->size() > 0) { bool all_intf = true; for (FWObject::iterator i=o->begin(); i!=o->end(); ++i) { FWObject *o1 = FWReference::getObject(*i); if (!Interface::isA(o1)) { all_intf = false; break; } } return all_intf; // group is allowed if all members are interfaces } return false; } int RuleElementItf::getDummyElementId() const { return FWObjectDatabase::DUMMY_INTERFACE_ID; } bool RuleElementItf::isDummy() const { for (FWObject::const_iterator i1 = begin(); i1 != end(); ++i1) { if (FWObject *obj = FWObjectReference::getObject(*i1)) if ((obj->getId() == FWObjectDatabase::DUMMY_INTERFACE_ID) && FWObjectDatabase::getStringId(obj->getId()) == "dummyinterfaceid0") return true; } return false; } /* * this method checks if an object 'o' is a child of the same firewall * this rule element belongs to * * Note: when an object is being inserted into a rule using clipboard * (copy/paste), the object 'o' is in fact a copy of the original * object. This causes problems because the copy does not have any * parent and hence we can not simply traverse up the tree using * getParent(). We have to take its ID, find the original (clipboard * copy has the same ID as the original) and then walk up the tree * starting from it. 
This also means that if an object was placed into * clipboard using 'cut', it won't validate because the original has * lost its parent. * * After implementing undo(), we now run into the same problem with * the rule element object because the GUI tries to call addRef() * using a copy of the RuleElement object (the copy is a part of the * undo command) and this copy does not have any parent either. The * trick with using object Id does not work in this case though * because the copy of RuleElement stored in the command has different * ID. Will call this function from the GUI to do additional check * where appropriate, but validateChild() will accept any Interface * object. */ bool RuleElementItf::checkItfChildOfThisFw(FWObject *o) { if (Group::cast(o) != NULL) { for (FWObject::iterator i=o->begin(); i!=o->end(); ++i) { FWObject *o1 = FWReference::getObject(*i); if (!checkItfChildOfThisFw(o1)) return false; } return true; } FWObject* o_tmp = getRoot()->findInIndex(o->getId()); FWObject* o_tmp2 = getRoot()->findInIndex(this->getId()); FWObject *fw1 = o_tmp; while (fw1 && Firewall::cast(fw1) == NULL) fw1 = fw1->getParent(); FWObject *fw2 = o_tmp2; while (fw2 && Firewall::cast(fw2) == NULL) fw2 = fw2->getParent(); return (fw1 != NULL && fw1 == fw2); } const char *RuleElementItfInb::TYPENAME={"ItfInb"}; RuleElementItfInb::RuleElementItfInb() {} const char *RuleElementItfOutb::TYPENAME={"ItfOutb"}; RuleElementItfOutb::RuleElementItfOutb() {} const char *RuleElementOSrc::TYPENAME={"OSrc"}; RuleElementOSrc::RuleElementOSrc() {} int RuleElementOSrc::getAnyElementId() const { return FWObjectDatabase::ANY_ADDRESS_ID; } xmlNodePtr RuleElementOSrc::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = RuleElement::toXML(parent); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } bool RuleElementOSrc::validateChild(FWObject *o) { if (FWObjectReference::cast(o)!=NULL) return true; if ( o->getId() == getAnyElementId()) return true; return 
ObjectGroup::validateChild(o); } const char *RuleElementODst::TYPENAME={"ODst"}; RuleElementODst::RuleElementODst() {} int RuleElementODst::getAnyElementId() const { return FWObjectDatabase::ANY_ADDRESS_ID; } xmlNodePtr RuleElementODst::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = RuleElement::toXML(parent); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } bool RuleElementODst::validateChild(FWObject *o) { if (FWObjectReference::cast(o)!=NULL) return true; if ( o->getId() == getAnyElementId()) return true; return ObjectGroup::validateChild(o); } const char *RuleElementOSrv::TYPENAME={"OSrv"}; RuleElementOSrv::RuleElementOSrv() {} int RuleElementOSrv::getAnyElementId() const { return FWObjectDatabase::ANY_SERVICE_ID; } xmlNodePtr RuleElementOSrv::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = RuleElement::toXML(parent); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } bool RuleElementOSrv::validateChild(FWObject *o) { if (FWServiceReference::cast(o)!=NULL) return true; if ( o->getId() == getAnyElementId()) return true; return ServiceGroup::validateChild(o); } const char *RuleElementTSrc::TYPENAME={"TSrc"}; RuleElementTSrc::RuleElementTSrc() {} int RuleElementTSrc::getAnyElementId() const { return FWObjectDatabase::ANY_ADDRESS_ID; } xmlNodePtr RuleElementTSrc::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = RuleElement::toXML(parent); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } bool RuleElementTSrc::validateChild(FWObject *o) { if (FWObjectReference::cast(o)!=NULL) return true; if ( o->getId() == getAnyElementId()) return true; return ObjectGroup::validateChild(o); } const char *RuleElementTDst::TYPENAME={"TDst"}; RuleElementTDst::RuleElementTDst() {} int RuleElementTDst::getAnyElementId() const { return FWObjectDatabase::ANY_ADDRESS_ID; } xmlNodePtr RuleElementTDst::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr 
me = RuleElement::toXML(parent); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } bool RuleElementTDst::validateChild(FWObject *o) { if (FWObjectReference::cast(o)!=NULL) return true; if ( o->getId() == getAnyElementId()) return true; return ObjectGroup::validateChild(o); } const char *RuleElementTSrv::TYPENAME={"TSrv"}; RuleElementTSrv::RuleElementTSrv() {} int RuleElementTSrv::getAnyElementId() const { return FWObjectDatabase::ANY_SERVICE_ID; } xmlNodePtr RuleElementTSrv::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = RuleElement::toXML(parent); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } bool RuleElementTSrv::validateChild(FWObject *o) { if (FWServiceReference::cast(o)!=NULL) return true; if ( o->getId() == getAnyElementId()) return true; // TagService is not allowed in translated service if (TagService::isA(o)) return false; if (ServiceGroup::cast(o)!=NULL) { for (FWObject::iterator i=o->begin(); i!=o->end(); ++i) { FWObject *o1 = FWReference::getObject(*i); if (!validateChild(o1)) return false; } } return ServiceGroup::validateChild(o); } const char *RuleElementInterval::TYPENAME={"When"}; RuleElementInterval::RuleElementInterval() {} int RuleElementInterval::getAnyElementId() const { return FWObjectDatabase::ANY_INTERVAL_ID; } xmlNodePtr RuleElementInterval::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = RuleElement::toXML(parent); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } bool RuleElementInterval::validateChild(FWObject *o) { if (FWIntervalReference::cast(o)!=NULL) return true; if ( o->getId() == getAnyElementId()) return true; return (Interval::cast(o)!=NULL || IntervalGroup::cast(o)!=NULL); } const char *RuleElementRDst::TYPENAME={"RDst"}; RuleElementRDst::RuleElementRDst() {} int RuleElementRDst::getAnyElementId() const { return FWObjectDatabase::ANY_ADDRESS_ID; } xmlNodePtr RuleElementRDst::toXML(xmlNodePtr parent) 
throw(FWException)
{
    xmlNodePtr me = RuleElement::toXML(parent);
    for (FWObject::const_iterator j = begin(); j != end(); ++j)
        (*j)->toXML(me);
    return me;
}

// Route destination: references, the "any" address, or whatever ObjectGroup accepts.
bool RuleElementRDst::validateChild(FWObject *o)
{
    if (FWObjectReference::cast(o) != NULL) return true;
    if (o->getId() == getAnyElementId()) return true;
    return ObjectGroup::validateChild(o);
}

const char *RuleElementRGtw::TYPENAME = {"RGtw"};

RuleElementRGtw::RuleElementRGtw() {}

int RuleElementRGtw::getAnyElementId() const
{
    return FWObjectDatabase::ANY_ADDRESS_ID;
}

// Element node followed by one child node per referenced object.
xmlNodePtr RuleElementRGtw::toXML(xmlNodePtr parent) throw(FWException)
{
    xmlNodePtr me = RuleElement::toXML(parent);
    for (FWObject::const_iterator j = begin(); j != end(); ++j)
        (*j)->toXML(me);
    return me;
}

/*
 * A gateway element accepts references unconditionally; otherwise it must be
 * empty (or hold just "any") and the candidate must pass
 * checkSingleIPAdress().
 */
bool RuleElementRGtw::validateChild(FWObject *o)
{
    if (FWObjectReference::cast(o) != NULL) return true;
    bool already_filled = (getChildrenCount() > 0 && !isAny());
    return !already_filled && checkSingleIPAdress(o);
}

/*
 * Decides whether 'o' denotes exactly one IPv4 address: a Host with exactly
 * one Interface child that carries exactly one IPv4 child, an Interface with
 * exactly one IPv4 child, the "any" address, or, when FWObject::validateChild()
 * agrees, an IPv4 object or an object reference.
 */
bool RuleElementRGtw::checkSingleIPAdress(FWObject *o)
{
    if (Host::cast(o) != NULL)
    {
        if (o->getByType("Interface").size() != 1) return false;
        return o->getByType("Interface").front()->getByType("IPv4").size() == 1;
    }
    if (Interface::cast(o) != NULL)
        return o->getByType("IPv4").size() == 1;

    if (o->getId() == getAnyElementId()) return true;
    if (!FWObject::validateChild(o)) return false;
    return IPv4::cast(o) != NULL || FWObjectReference::cast(o) != NULL;
}

const char *RuleElementRItf::TYPENAME = {"RItf"};

RuleElementRItf::RuleElementRItf() {}

/*
 * Route interface: references are always accepted; otherwise the element must
 * be empty (or hold just "any") and the candidate must be the "any" object or
 * an Interface.
 */
bool RuleElementRItf::validateChild(FWObject *o)
{
    if (FWObjectReference::cast(o) != NULL) return true;
    if (getChildrenCount() > 0 && !isAny()) return false;
    if (o->getId() == getAnyElementId()) return true;
    return Interface::cast(o) != NULL;
}
fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/RuleElement.h000066400000000000000000000220301303637203600241160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __RULEELEMENT_HH_FLAG__ #define __RULEELEMENT_HH_FLAG__ #include "fwbuilder/Group.h" #include "fwbuilder/Address.h" #include "fwbuilder/Service.h" #include "fwbuilder/Interval.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/IntervalGroup.h" namespace libfwbuilder { class Rule; class FWReference; class RuleElement : virtual public FWObject { protected: bool negation; public: RuleElement(); /** * This method should create any standard mandatory child objects * the object might need. 
*/ virtual void init(FWObjectDatabase *root); DECLARE_FWOBJECT_SUBTYPE(RuleElement); DECLARE_DISPATCH_METHODS(RuleElement); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); void setAnyElement(); void reset(); virtual int getAnyElementId() const; bool isAny() const; /** * Adds reference object pointing to 'obj' as a child of 'this'. If * RuleElement contained "any", it is removed */ virtual void addRef(FWObject *obj); /** * Removes reference to given object among children of 'this'. If * this object was the last one, appropriate "any" object is added * instead */ virtual void removeRef(FWObject *obj); bool getNeg() const { return negation; } void setNeg(bool flag) { negation = flag; } void toggleNeg() { negation = !negation; } virtual int getDummyElementId() const { return -1; } virtual bool isDummy() const { return false; } }; class RuleElementSrc : public ObjectGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementSrc); DECLARE_DISPATCH_METHODS(RuleElementSrc); RuleElementSrc(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } virtual int getDummyElementId() const; virtual bool isDummy() const; }; class RuleElementDst : public ObjectGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementDst); DECLARE_DISPATCH_METHODS(RuleElementDst); RuleElementDst(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } virtual int getDummyElementId() const; virtual bool isDummy() const; }; class RuleElementSrv : public ServiceGroup, public RuleElement { public: 
DECLARE_FWOBJECT_SUBTYPE(RuleElementSrv); DECLARE_DISPATCH_METHODS(RuleElementSrv); RuleElementSrv(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } virtual int getDummyElementId() const; virtual bool isDummy() const; }; class RuleElementItf : public ObjectGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementItf); DECLARE_DISPATCH_METHODS(RuleElementItf); RuleElementItf(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); bool checkItfChildOfThisFw(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } virtual int getDummyElementId() const; virtual bool isDummy() const; }; class RuleElementItfInb : public RuleElementItf { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementItfInb); DECLARE_DISPATCH_METHODS(RuleElementItfInb); RuleElementItfInb(); }; class RuleElementItfOutb : public RuleElementItf { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementItfOutb); DECLARE_DISPATCH_METHODS(RuleElementItfOutb); RuleElementItfOutb(); }; class RuleElementInterval : public IntervalGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementInterval); DECLARE_DISPATCH_METHODS(RuleElementInterval); RuleElementInterval(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } }; class RuleElementOSrc : public ObjectGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementOSrc); DECLARE_DISPATCH_METHODS(RuleElementOSrc); RuleElementOSrc(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } }; class RuleElementODst 
: public ObjectGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementODst); DECLARE_DISPATCH_METHODS(RuleElementODst); RuleElementODst(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } }; class RuleElementOSrv : public ServiceGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementOSrv); DECLARE_DISPATCH_METHODS(RuleElementOSrv); RuleElementOSrv(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } }; class RuleElementTSrc : public ObjectGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementTSrc); DECLARE_DISPATCH_METHODS(RuleElementTSrc); RuleElementTSrc(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } }; class RuleElementTDst : public ObjectGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementTDst); DECLARE_DISPATCH_METHODS(RuleElementTDst); RuleElementTDst(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } }; class RuleElementTSrv : public ServiceGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementTSrv); DECLARE_DISPATCH_METHODS(RuleElementTSrv); RuleElementTSrv(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } }; class RuleElementRDst : public ObjectGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementRDst); 
DECLARE_DISPATCH_METHODS(RuleElementRDst); RuleElementRDst(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } }; class RuleElementRGtw : public ObjectGroup, public RuleElement { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementRGtw); DECLARE_DISPATCH_METHODS(RuleElementRGtw); RuleElementRGtw(); virtual int getAnyElementId() const; virtual bool validateChild(FWObject *o); bool checkSingleIPAdress(FWObject *o); bool checkReachableIPAdress(FWObject *o); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool isPrimaryObject() const { return false; } }; class RuleElementRItf : public RuleElementItf { public: DECLARE_FWOBJECT_SUBTYPE(RuleElementRItf); DECLARE_DISPATCH_METHODS(RuleElementRItf); RuleElementRItf(); virtual bool validateChild(FWObject *o); virtual bool isPrimaryObject() const { return false; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/RuleSet.cpp000066400000000000000000000224141303637203600236210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/XMLTools.h" #include using namespace std; using namespace libfwbuilder; const char *RuleSet::TYPENAME={"Ruleset"}; RuleSet::RuleSet() { setName("RuleSet"); ipv4 = false; ipv6 = false; top = false; } void RuleSet::init(FWObjectDatabase *root) { FWObject *opt = getFirstByType(RuleSetOptions::TYPENAME); if (opt == NULL) add(root->createRuleSetOptions()); } RuleSet::~RuleSet() {} void RuleSet::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n; // Both ipv4_rule_set and ipv6_rule_set attributes can be set to // true, which means this is "dual" rule set When both are false, // this is ipv4-only rule set (for backwards compatibility and to // avoid having to increment DTD version number) n=FROMXMLCAST(xmlGetProp(root, TOXMLCAST("ipv4_rule_set"))); if (n!=NULL) { ipv4 = (string(n)=="True" || string(n)=="true"); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root, TOXMLCAST("ipv6_rule_set"))); if (n!=NULL) { ipv6 = (string(n)=="True" || string(n)=="true"); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("top_rule_set"))); if (n!=NULL) { top = (string(n)=="True" || string(n)=="true"); FREEXMLBUFF(n); } } xmlNodePtr RuleSet::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); xmlNewProp(me, TOXMLCAST("ipv4_rule_set"), TOXMLCAST(((ipv4) ? "True" : "False"))); xmlNewProp(me, TOXMLCAST("ipv6_rule_set"), TOXMLCAST(((ipv6) ? 
"True" : "False"))); xmlNewProp(me, TOXMLCAST("top_rule_set"), TOXMLCAST(((top) ? "True" : "False"))); // First all rules, skip options for(list::const_iterator j=begin(); j!=end(); ++j) { if (FWOptions::cast(*j) == NULL) (*j)->toXML(me); } FWObject *o; if ( (o=getFirstByType( RuleSetOptions::TYPENAME ))!=NULL ) o->toXML(me); return me; } FWOptions* RuleSet::getOptionsObject() { return FWOptions::cast(getFirstByType(RuleSetOptions::TYPENAME)); } FWObject& RuleSet::shallowDuplicate(const FWObject *o, bool preserve_id) throw(FWException) { const RuleSet *other = RuleSet::constcast(o); FWObject::shallowDuplicate(o, preserve_id); ipv4 = other->ipv4; ipv6 = other->ipv6; top = other->top; return *this; } bool RuleSet::cmp(const FWObject *obj, bool recursive) throw(FWException) { const RuleSet *other = RuleSet::constcast(obj); if (other == NULL) return false; if (ipv4 != other->ipv4 || ipv6 != other->ipv6 || top != other->top) return false; return FWObject::cmp(obj, recursive); } /** * Add new rule on top of the rule set. If hidden_rule arg is true, * force new rule position number ot be negative. Make sure it grows * backwards if there are other rules with negative position * numbers. If the topmost rule has position > 0 for whatever reason, * set hidden rule's position to -1 rather than 0. * * Hidden rules are those added by compilers automatically, such as * automatic rule to permit ssh to the firewall or rules to permit * vrrp and other protocols. These rules are constructed by compilers * rather than defined by the user in the GUI. 
*/ /* NOTE(review): rule insertion/ordering helpers of RuleSet. Every mutator below ends with renumberRules(), so the position numbers that getRuleByNum() resolves are only stable between calls. */ Rule* RuleSet::insertRuleAtTop(bool hidden_rule) { Rule *r = createRule(); r->setHidden(hidden_rule); /* hidden rules are numbered downwards from -1, visible rules upwards from 0; renumberRules() assigns the final numbers */ if (hidden_rule) r->setPosition(-1); else r->setPosition(0); insert(begin(), r); _adopt(r); renumberRules(); return(r); } /* Create a new rule directly before rule number rule_n; when no rule has that number the new rule is appended at the end instead. NOTE(review): unlike insertRuleAtTop() this path does not call _adopt() — presumably insert_before()/add() do that themselves; confirm. */ Rule* RuleSet::insertRuleBefore(int rule_n) { Rule *old_rule = getRuleByNum(rule_n); Rule *r = createRule(); if (old_rule==NULL) add(r); else insert_before(old_rule, r); renumberRules(); return(r); } /* Append a new rule at the end. A hidden rule gets an explicit position 1000 past the last child's position so it stays behind the visible rules; a visible rule is numbered by renumberRules(). NOTE(review): back() may be the RuleSetOptions child rather than a Rule, in which case Rule::cast() yields NULL and the 1000 fallback is used. */ Rule* RuleSet::appendRuleAtBottom(bool hidden_rule) { Rule *r = createRule(); r->setHidden(hidden_rule); int last_rule_position; Rule *last_rule = Rule::cast(back()); if (last_rule != NULL) { last_rule_position = last_rule->getPosition() + 1000; } else last_rule_position = 1000; if (hidden_rule) r->setPosition(last_rule_position); add(r); // FWObject::add adds to the end of the list renumberRules(); return(r); } /* Create a new rule directly after rule number rule_n, or at the end when rule_n does not resolve. */ Rule* RuleSet::appendRuleAfter(int rule_n) { Rule *old_rule = getRuleByNum(rule_n); Rule *r = createRule(); if (old_rule==NULL) add(r); else insert_after(old_rule,r); renumberRules(); return(r); } /* Delete the rule with position number rule_n; false when there is none. */ bool RuleSet::deleteRule(int rule_n) { return deleteRule( getRuleByNum(rule_n) ); } /* Remove (and free, when no longer referenced) the given rule; false for NULL. */ bool RuleSet::deleteRule(Rule *r) { if (r!=NULL) { remove(r, true); // and delete the rule if ref counter == 0 renumberRules(); return(true); } return(false); } /* Swap the rule at rule_n with the one above it. NOTE(review): only rule_n==0 is rejected; a rule_n that getRuleByNum() cannot resolve still reaches swapObjects() with a NULL argument — confirm swapObjects() tolerates that, or return false when o or prev is NULL. */ bool RuleSet::moveRuleUp(int rule_n) { if (rule_n==0) return(false); FWObject* o = getRuleByNum( rule_n ); FWObject* prev = getRuleByNum( rule_n-1 ); swapObjects(prev,o); renumberRules(); return(true); } /* Swap the rule at rule_n with the one below it. NOTE(review): getRuleSetSize() is getChildrenCount()-1 and so counts hidden rules too, and for the last visible rule getRuleByNum(rule_n+1) returns NULL, so swapObjects(o, NULL) is reached — either verify swapObjects() handles that or add 'if (o == NULL || next == NULL) return(false);' before the swap. */ bool RuleSet::moveRuleDown(int rule_n) { if (rule_n > (getRuleSetSize() - 1) ) return(false); FWObject* o = getRuleByNum( rule_n ); FWObject* next = getRuleByNum( rule_n+1 ); swapObjects(o,next); renumberRules(); return(true); } /* Disable/enable the rule at rule_n; false when no rule has that number. */ bool RuleSet::disableRule(int rule_n) { FWObject* o =getRuleByNum( rule_n ); if (o) { (Rule::cast(o))->disable(); return true; } return false; } bool RuleSet::enableRule(int rule_n) { FWObject* o =getRuleByNum( rule_n ); if (o) { (Rule::cast(o))->enable(); return true; } return 
false; } bool RuleSet::isRuleDisabled(int rule_n) { FWObject* o =getRuleByNum( rule_n ); if (o) return((Rule::cast(o))->isDisabled()); return false; } /* * Rule number src_rule_n moves right above rule number dst_rule_n */ bool RuleSet::moveRule(int src_rule_n, int dst_rule_n) { FWObject* src =getRuleByNum( src_rule_n ); FWObject* dst =getRuleByNum( dst_rule_n ); if (src!=NULL && dst!=NULL && src!=dst ) { FWObject *o; list::iterator m, m1, m2; for (m=begin(); m!=end(); ++m) { if ( (o=(*m))!=NULL ) { if ( o==src ) m1=m; if ( o==dst ) m2=m; } } if ( (*m1)!=NULL && (*m2)!=NULL ) { erase(m1); insert(m2,src); } renumberRules(); return(true); } return(false); } void RuleSet::renumberRules() { if (size() == 0) return; list::iterator m, it; int rn; // first pass: find first not hidden rule; it will become rule #0 // Even though RuleSet object an only have Rule objects as // children, I am checking for the child type everywhere in case // we ever add another type of child. it = begin(); for (; it!=end(); ++it) { Rule *rule = Rule::cast(*it); if (rule && !rule->isHidden()) break; } list::reverse_iterator rev_it(it); list::reverse_iterator rev_end(begin()); // rev_it points to the last hidden rule rn = 0; for (; it != end(); it++) { Rule *rule = Rule::cast(*it); // there can be hidden rules at the bottom of policy // Just do not change their position numbers. 
if (rule && !rule->isHidden()) { rule->setPosition(rn); rn++; } } rn = -1; for (; rev_it != rev_end; rev_it++) { Rule *rule = Rule::cast(*rev_it); if (rule && rule->isHidden()) { rule->setPosition(rn); rn--; } } } Rule* RuleSet::getRuleByNum(int n) { for(list::iterator m=begin(); m!=end(); ++m) { FWObject *o; if ( (o=(*m))!=NULL ) { Rule *r = Rule::cast(o); if (r && r->getPosition()==n) return r; } } return NULL; } int RuleSet::getRuleSetSize() { return getChildrenCount() - 1; } void RuleSet::assignUniqueRuleIds() { for (FWObject::iterator it=begin(); it!=end(); ++it) { Rule *r = Rule::cast(*it); if (r != NULL && r->getUniqueId().empty()) r->setUniqueId(FWObjectDatabase::getStringId((*it)->getId()) ); } } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/RuleSet.h000066400000000000000000000076201303637203600232700ustar00rootroot00000000000000 /* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __RULESET_HH_FLAG__ #define __RULESET_HH_FLAG__ #include "fwbuilder/FWObject.h" #include "fwbuilder/Rule.h" #include "fwbuilder/InetAddr.h" namespace libfwbuilder { class RuleSet : public FWObject { private: bool ipv4; bool ipv6; bool top; protected: public: RuleSet(); virtual ~RuleSet(); /** * This method should create any standard mandatory child objects * the object might need. */ virtual void init(FWObjectDatabase *root); DECLARE_FWOBJECT_SUBTYPE(RuleSet); DECLARE_DISPATCH_METHODS(RuleSet); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual FWOptions* getOptionsObject(); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); // Both ipv4 and ipv6 variables can be set to true, which means // this is "dual" rule set. 
When both are false, this is ipv4-only // rule set (for backwards compatibility and to avoid having to // increment DTD version number) bool isV4() const { return (ipv4 || (!ipv4 && !ipv6)); } bool isV6() const { return (ipv6); } bool isDual() const { return (ipv4 && ipv6); } bool matchingAddressFamily(int af) { if (af == AF_INET && isV4()) return true; if (af == AF_INET6 && isV6()) return true; return false; } void setV4() { ipv4=true; ipv6=false; } void setV6() { ipv4=false; ipv6=true; } void setDual() { ipv4=true; ipv6=true; } bool isTop() const { return top; } void setTop(bool f) { top=f; } Rule* getRuleByNum(int n); Rule* insertRuleAtTop(bool hidden_rule=false); Rule* insertRuleBefore(int rule_n); Rule* appendRuleAfter(int rule_n); Rule* appendRuleAtBottom(bool hidden_rule=false); bool deleteRule(int rule_n); bool deleteRule(Rule *r); bool moveRuleUp(int rule_n); bool moveRuleDown(int rule_n); bool moveRule(int src_rule_n,int dst_rule_n); bool disableRule(int rule_n); bool enableRule(int rule_n); bool isRuleDisabled(int rule_n); int getRuleSetSize(); virtual Rule* createRule() = 0; virtual bool isPrimaryObject() const { return false; } void renumberRules(); /** * scan all rules of all rule sets and call setUniqueId() to set * unique string id for each rule. These IDs will be carried * through calls to duplicate() when firewall object and its rule * sets are cloned. These IDs are used by compilers to generate * stable labels for chains and such. 
*/ void assignUniqueRuleIds(); struct UniqueRuleIdsSetter { void operator()(FWObject *o) { RuleSet *rs = RuleSet::cast(o); if (rs != NULL) rs->assignUniqueRuleIds(); } }; }; //__RULESET_HH_FLAG__ } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/SecuwallMgmtFile.cpp000066400000000000000000000075621303637203600254510ustar00rootroot00000000000000/* * SecuwallMgmtFile.cpp - hosts(5) file format parser implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/SecuwallMgmtFile.h" #include "fwbuilder/Tools.h" #include #include #include using namespace std; using namespace libfwbuilder; void SecuwallMgmtFile::parse(const string &filename) throw(FWException) { ifstream f(filename.c_str(), ios::in); if (!f) { throw FWException("Can't open file '" + filename + "'"); } else { parse(f); } } /** * Does the actual parsing. 
*/ /* NOTE(review): character-driven state machine over a key/value text: a key runs until '=', space, tab or '"'; whitespace after the key is skipped; the value runs until space, tab, '#' or newline, with '"' characters inside it dropped. Observations for whoever maintains this: (1) a value terminated by end of input without a trailing delimiter is never stored, because data.insert() only runs on a delimiter; (2) 'data' is a std::map, so insert() keeps the first occurrence of a duplicate key; (3) in "key = value" form the '=' that follows the whitespace is consumed as the start of the value (s_space only skips space/tab), so the stored value is "=". The two error paths below also stream their message to cerr instead of into 'err'. */ void SecuwallMgmtFile::parse(istream &from) throw(FWException) { enum { s_begin, s_key, s_space, s_value, s_rest } state; state = s_begin; string key; string temp; char c; int ln = 1; while (from.get(c)) { switch (state) { case s_begin: if (c == '#') { /* Ignore commented lines */ state = s_rest; break; } else if (c != '\n' && c != ' ' && c != '\t' && c != '\"') { /* Found key entry */ state = s_key; } else break; /* FALLTHROUGH: the first key character is handled by s_key below */ case s_key: if (c == '=' || c == ' ' || c == '\t' || c == '\"') { /* End of key */ if (temp.empty()) { /* reached when a line starts with '=' */ ostringstream err; /* NOTE(review): the text goes to cerr, not into 'err', so the thrown FWException carries an empty message; should be 'err << "Found line without key: " << ln;' */ cerr << "Found line without key: " << ln; throw FWException(err.str()); } key = temp; temp.clear(); state = s_space; } else { /* Processing key entry */ temp += c; } break; case s_space: if (c == '#' || c == '\n') { /* Key entry without value */ ostringstream err; /* NOTE(review): same defect — should be 'err << "Found key without value: " << ln;' */ cerr << "Found key without value: " << ln; throw FWException(err.str()); } else if (c == ' ' || c == '\t') { /* Ignore whitespaces */ break; } else { /* Process value */ state = s_value; } /* FALLTHROUGH */ case s_value: if (c == ' ' || c == '\t' || c == '#' || c == '\n') { /* Store data */ data.insert(make_pair(key, temp)); /* Reset processing variables */ key.clear(); temp.clear(); if (c == '\n') { /* Process next line */ ln++; state = s_begin; } else { /* Process rest of line */ state = s_rest; } break; } else if (c == '\"') { /* Ignore Quotation marks */ break; } else { temp += c; break; } case s_rest: if (c == '\n') { ln++; state = s_begin; } break; } } } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/SecuwallMgmtFile.h000066400000000000000000000021621303637203600251050ustar00rootroot00000000000000/* * SecuwallMgmtFile.h - hosts(5) file format parser * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any 
later version. * * o The terms of NetCitadel End User License Agreement */ #ifndef __SECUWALLMGMT_FILE_H_ #define __SECUWALLMGMT_FILE_H_ #include "FWException.h" #include #include #include namespace libfwbuilder { /** * This class is parser for file in hosts(5) format * (e.g. /etc/hosts) */ class SecuwallMgmtFile { public: void parse(const std::string &filename) throw(FWException); void parse(std::istream &from) throw(FWException); /* Return data */ std::map getData() { return data; } private: std::map data; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Service.cpp000066400000000000000000000032401303637203600236320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Zaliva $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Service.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/FWObjectDatabase.h" using namespace libfwbuilder; using namespace std; const char *Service::TYPENAME={"Service"}; string Service::getProtocolName() const { throw FWException("base class Service does not return protocol name"); } int Service::getProtocolNumber() const { throw FWException("base class Service does not return protocol number"); } FWReference* Service::createRef() { // FWServiceReference *ref=new FWServiceReference(); FWServiceReference *ref = getRoot()->createFWServiceReference(); ref->setPointer(this); return ref; } bool Service::isAny() const { return getId()==FWObjectDatabase::ANY_SERVICE_ID; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Service.h000066400000000000000000000035601303637203600233040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Zaliva $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __GEN_SERVICE_HH_FLAG__ #define __GEN_SERVICE_HH_FLAG__ #include "fwbuilder/FWObject.h" namespace libfwbuilder { /** * This is base class for all service objects and other objects that * can be children of RuleElementSrv (service rule element). It is * never used on it's own, only it's subclasses are used. * * TODO: we might need to derive ServiceGroup from Service, but this * requires lot more testing */ class Service : public FWObject { private: public: DECLARE_FWOBJECT_SUBTYPE(Service); DECLARE_DISPATCH_METHODS(Service); Service() {} virtual FWReference* createRef(); virtual std::string getProtocolName() const; virtual int getProtocolNumber() const; bool isAny() const; virtual bool isPrimaryObject() const { return true; } // All service objects except for ICMPService, ICMP6Service and // CustomService can be used in both ipv4 and ipv6 contexts. virtual bool isV4Only() { return false; } virtual bool isV6Only() { return false; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ServiceGroup.cpp000066400000000000000000000064141303637203600246550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Service.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/Address.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/RuleSet.h" #include using namespace std; using namespace libfwbuilder; const char *ServiceGroup::TYPENAME={"ServiceGroup"}; ServiceGroup::ServiceGroup() : Group() {} ServiceGroup::~ServiceGroup() {} bool ServiceGroup::validateChild(FWObject *o) { if (FWServiceReference::cast(o)!=NULL) return true; return (FWObject::validateChild(o) && Address::cast(o)==NULL && ObjectGroup::cast(o)==NULL && Interval::cast(o)==NULL && FWObjectReference::cast(o)==NULL && RuleSet::cast(o)==NULL); } FWReference* ServiceGroup::createRef() { // FWServiceReference *ref=new FWServiceReference(); FWServiceReference *ref = getRoot()->createFWServiceReference(); ref->setPointer(this); return ref; } xmlNodePtr ServiceGroup::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? 
"True" : "False"))); for(list::const_iterator j=begin(); j!=end(); ++j) (*j)->toXML(me); return me; } void ServiceGroup::getAllowedTypesOfChildren(std::list &types_list) { types_list.clear(); types_list.push_back(IPService::TYPENAME); types_list.push_back(ICMPService::TYPENAME); types_list.push_back(ICMP6Service::TYPENAME); types_list.push_back(TCPService::TYPENAME); types_list.push_back(UDPService::TYPENAME); types_list.push_back(CustomService::TYPENAME); types_list.push_back(TagService::TYPENAME); types_list.push_back(UserService::TYPENAME); types_list.push_back(FWServiceReference::TYPENAME); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ServiceGroup.h000066400000000000000000000032271303637203600243210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SERVICEGROUP_HH_FLAG__ #define __SERVICEGROUP_HH_FLAG__ #include "fwbuilder/Group.h" namespace libfwbuilder { class ServiceGroup : public Group { public: ServiceGroup(); virtual ~ServiceGroup(); DECLARE_FWOBJECT_SUBTYPE(ServiceGroup); DECLARE_DISPATCH_METHODS(ServiceGroup); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); /* * verify whether given object type is approppriate as a child */ virtual bool validateChild(FWObject *o); virtual FWReference* createRef(); /** * get the list of object type names that can be inserted into * given object group. This reflects definition of the group XML * element in DTD. */ virtual void getAllowedTypesOfChildren(std::list &types_list); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/StateSyncClusterGroup.cpp000066400000000000000000000030271303637203600265310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FWOptions.h" using namespace std; using namespace libfwbuilder; const char *StateSyncClusterGroup::TYPENAME = {"StateSyncClusterGroup"}; StateSyncClusterGroup::StateSyncClusterGroup() : ClusterGroup() { setStr("type", ""); } void StateSyncClusterGroup::fromXML(xmlNodePtr parent) throw(FWException) { ClusterGroup::fromXML(parent); // Read additional attributes here } xmlNodePtr StateSyncClusterGroup::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = ClusterGroup::toXML(parent); // Save additional attributes here return me; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/StateSyncClusterGroup.h000066400000000000000000000026521303637203600262010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __STATESYNCCLUSTERGROUP_HH_ #define __STATESYNCCLUSTERGROUP_HH_ #include "fwbuilder/ClusterGroup.h" namespace libfwbuilder { class StateSyncClusterGroup : public ClusterGroup { public: StateSyncClusterGroup(); virtual ~StateSyncClusterGroup() {}; DECLARE_FWOBJECT_SUBTYPE(StateSyncClusterGroup); DECLARE_DISPATCH_METHODS(StateSyncClusterGroup); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); }; } #endif /* __CLUSTERGROUP_HH_ */ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/SyncQueue.h000066400000000000000000000106201303637203600236200ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SYNC_QUEUE_H_FLAG__ #define __SYNC_QUEUE_H_FLAG__ #include "fwbuilder/ThreadTools.h" namespace libfwbuilder { /** * This is exception thrown by SyncQueue. * * @see SyncQueue */ class SyncQueueDoneException: public FWException { public: SyncQueueDoneException(const std::string &reason):FWException(reason) {} }; /** * SyncQueue - queue with access synchronized by mutex. 
* * @see SyncQueueDoneException */ template class SyncQueue: protected queue<_Tp> { protected: Mutex mutex ; Cond cond ; bool down ; public: /** * Creates empty queue. */ SyncQueue() : queue<_Tp>() { down = false; } /** * Returns true if queue is currently empty * * @exception SyncQueueDoneException if queue have been already shut down */ bool empty() const throw (SyncQueueDoneException) { mutex.lock(); if(down) { mutex.ulock(); throw SyncQueueDoneException("This queue already have been shut down."); } bool res=queue<_Tp>::empty(); mutex.unlock(); return res; } /** * Returns current queue size * * @exception SyncQueueDoneException if queue have been already shut down */ size_type size() const throw (SyncQueueDoneException) { mutex.lock(); if(down) { mutex.ulock(); throw SyncQueueDoneException("This queue already have been shut down."); } size_type res=queue<_Tp>::size(); mutex.unlock(); return res; } /** * Adds element to end of queue * * @exception SyncQueueDoneException if queue have been already shut down */ void push(const queue<_Tp>::value_type& __x) throw (SyncQueueDoneException) { mutex.lock(); if(down) { mutex.ulock(); throw SyncQueueDoneException("This queue already have been shut down."); } queue<_Tp>::push_back(__x); cond.signal(); mutex.unlock(); } /** * Pops element from front of queue. It queue is empty, blocks * according to timeout_ms parameter. * * @param timeout_ms timeout in milliseconds. -1 means wait forewer. 
* @exception FWException if timeout occured * @exception SyncQueueDoneException if shutdown() was called */ const queue<_Tp>::value_type pop(long timeout_ms=-1) throw(SyncQueueDoneException, FWException) { mutex.lock(); if(down) { mutex.ulock(); throw SyncQueueDoneException("This queue already have been shut down."); } while(true) { if(!queue<_Tp>::empty()) break; bool wait_status=cond.wait(mutex, timeout_ms); if(down) { mutex.ulock(); throw SyncQueueDoneException("The queue have been shut down."); } if(!wait_status) { //Timeout occured mutex.unlock(); throw FWException("SyncQueue timeout in pop()"); } } queue<_Tp>::value_type res = queue<_Tp>::front(); queue<_Tp>::pop(); mutex.unlock(); } /** * Shut down this queue. All waiting threads will be released * throwing SyncQueueDoneException exception. */ void shutdown() { mutex.lock(); down = true; cond.signal(); mutex.unlock(); } }; } #endif // __SYNC_QUEUE_H_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/TCPService.cpp000066400000000000000000000121301303637203600241770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; using namespace std; const char *TCPService::TYPENAME={"TCPService"}; std::map TCPService::flags; std::map TCPService::flags_masks; TCPService::TCPService() { _init_flags(); clearAllTCPFlags(); clearAllTCPFlagMasks(); } TCPService::~TCPService() {} string TCPService::getProtocolName() const { return "tcp";} int TCPService::getProtocolNumber() const { return 6; } void TCPService::_init_flags() { if (flags.empty()) { flags[URG]="urg_flag"; flags[ACK]="ack_flag"; flags[PSH]="psh_flag"; flags[RST]="rst_flag"; flags[SYN]="syn_flag"; flags[FIN]="fin_flag"; } if (flags_masks.empty()) { flags_masks[URG]="urg_flag_mask"; flags_masks[ACK]="ack_flag_mask"; flags_masks[PSH]="psh_flag_mask"; flags_masks[RST]="rst_flag_mask"; flags_masks[SYN]="syn_flag_mask"; flags_masks[FIN]="fin_flag_mask"; } } void TCPService::fromXML(xmlNodePtr root) throw(FWException) { TCPUDPService::fromXML(root); const char *n; n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("established"))); if(n!=NULL) { setStr("established", n); FREEXMLBUFF(n); } std::map::iterator i; for (i=flags.begin(); i!=flags.end(); ++i) { n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST( (i->second).c_str() ))); if(n!=NULL) { setStr( i->second , n); FREEXMLBUFF(n); } } for (i=flags_masks.begin(); i!=flags_masks.end(); ++i) { n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST( (i->second).c_str() ))); if(n!=NULL) { setStr( i->second , n); FREEXMLBUFF(n); } } } xmlNodePtr TCPService::toXML(xmlNodePtr xml_parent_node) throw(FWException) { xmlNodePtr me = TCPUDPService::toXML(xml_parent_node); return me; } bool TCPService::getEstablished() { return getBool("established"); } void TCPService::setEstablished(bool f) { return setBool("established", f); } bool 
TCPService::inspectFlags() const { return ( ! getAllTCPFlagMasks().empty() ); } bool TCPService::getTCPFlag(TCPFlag fl) const { return getBool( flags[fl] ); } std::set TCPService::getAllTCPFlags() const { std::set res; std::map::iterator i; for (i=flags.begin(); i!=flags.end(); ++i) { TCPFlag fl= i->first; if (getTCPFlag( fl )) res.insert( fl ); } return res; } void TCPService::setTCPFlag(TCPFlag fl,bool v) { setBool( flags[fl] , v ); } bool TCPService::getTCPFlagMask(TCPFlag fl) const { return getBool( flags_masks[fl] ); } std::set TCPService::getAllTCPFlagMasks() const { std::set res; std::map::iterator i; for (i=flags_masks.begin(); i!=flags_masks.end(); ++i) { TCPFlag fl= i->first; if (getTCPFlagMask( fl )) res.insert( fl ); } return res; } void TCPService::setTCPFlagMask(TCPFlag fl,bool v) { setBool( flags_masks[fl] , v ); } void TCPService::clearAllTCPFlags() { setBool( flags[URG] , false ); setBool( flags[ACK] , false ); setBool( flags[PSH] , false ); setBool( flags[RST] , false ); setBool( flags[SYN] , false ); setBool( flags[FIN] , false ); } void TCPService::clearAllTCPFlagMasks() { setBool( flags_masks[URG] , false ); setBool( flags_masks[ACK] , false ); setBool( flags_masks[PSH] , false ); setBool( flags_masks[RST] , false ); setBool( flags_masks[SYN] , false ); setBool( flags_masks[FIN] , false ); } void TCPService::setAllTCPFlagMasks() { setBool( flags_masks[URG] , true ); setBool( flags_masks[ACK] , true ); setBool( flags_masks[PSH] , true ); setBool( flags_masks[RST] , true ); setBool( flags_masks[SYN] , true ); setBool( flags_masks[FIN] , true ); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/TCPService.h000066400000000000000000000046331303637203600236550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __TCPSERVICE_HH_FLAG__ #define __TCPSERVICE_HH_FLAG__ #include "fwbuilder/TCPUDPService.h" namespace libfwbuilder { class TCPService : public TCPUDPService { public: typedef enum {URG, ACK, PSH, RST, SYN, FIN } TCPFlag; private: static std::map flags; static std::map flags_masks; void _init_flags(); public: TCPService(); virtual ~TCPService(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(TCPService); DECLARE_DISPATCH_METHODS(TCPService); virtual std::string getProtocolName() const; virtual int getProtocolNumber() const; /** * this is a shortcut method, it returns true if TCPService object * inspects any TCP flags. This is so if it has non-empty set of TCP * flag masks. Note that configuration with non-empty set of the TCP * flags masks and empty set of TCP flags is completely legal and * sometimes desired (checking for null scans, for example). 
*/ bool inspectFlags() const; bool getTCPFlag(TCPFlag f) const; std::set getAllTCPFlags() const; void setTCPFlag(TCPFlag f,bool v); bool getTCPFlagMask(TCPFlag f) const; std::set getAllTCPFlagMasks() const; void setTCPFlagMask(TCPFlag f,bool v); void clearAllTCPFlags(); void clearAllTCPFlagMasks(); void setAllTCPFlagMasks(); bool getEstablished(); void setEstablished(bool f); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/TCPUDPService.cpp000066400000000000000000000074711303637203600245640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/TCPUDPService.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; using namespace std; const char *TCPUDPService::TYPENAME={"TCPUDPService"}; TCPUDPService::TCPUDPService() { src_range_start = 0; src_range_end = 0; dst_range_start = 0; dst_range_end = 0; } TCPUDPService::~TCPUDPService() {} string TCPUDPService::getProtocolName() const { return ""; } int TCPUDPService::getProtocolNumber() const { return -1; } void TCPUDPService::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n; n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("src_range_start"))); if(n!=NULL) { src_range_start = atol(n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("src_range_end"))); if(n!=NULL) { src_range_end = atol(n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("dst_range_start"))); if(n!=NULL) { dst_range_start = atol(n); FREEXMLBUFF(n); } n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("dst_range_end"))); if(n!=NULL) { dst_range_end = atol(n); FREEXMLBUFF(n); } } xmlNodePtr TCPUDPService::toXML(xmlNodePtr xml_parent_node) throw(FWException) { xmlNodePtr me = FWObject::toXML(xml_parent_node); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? 
"True" : "False"))); char str[128]; snprintf(str, sizeof(str), "%d", src_range_start); xmlNewProp(me, TOXMLCAST("src_range_start"), TOXMLCAST(str)); snprintf(str, sizeof(str), "%d", src_range_end); xmlNewProp(me, TOXMLCAST("src_range_end"), TOXMLCAST(str)); snprintf(str, sizeof(str), "%d", dst_range_start); xmlNewProp(me, TOXMLCAST("dst_range_start"), TOXMLCAST(str)); snprintf(str, sizeof(str), "%d", dst_range_end); xmlNewProp(me, TOXMLCAST("dst_range_end"), TOXMLCAST(str)); return me; } FWObject& TCPUDPService::shallowDuplicate(const FWObject *obj, bool preserve_id) throw(FWException) { const TCPUDPService *other = TCPUDPService::constcast(obj); src_range_start = other->src_range_start; src_range_end = other->src_range_end; dst_range_start = other->dst_range_start; dst_range_end = other->dst_range_end; return FWObject::shallowDuplicate(obj, preserve_id); } bool TCPUDPService::cmp(const FWObject *obj, bool recursive) throw(FWException) { const TCPUDPService *other = TCPUDPService::constcast(obj); if (other == NULL) return false; if (src_range_start != other->src_range_start || src_range_end != other->src_range_end || dst_range_start != other->dst_range_start || dst_range_end != other->dst_range_end) return false; return FWObject::cmp(obj, recursive); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/TCPUDPService.h000066400000000000000000000043471303637203600242300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __TCPUDPSERVICE_HH_FLAG__ #define __TCPUDPSERVICE_HH_FLAG__ #include "fwbuilder/Service.h" namespace libfwbuilder { class TCPUDPService : public Service { protected: int src_range_start; int src_range_end; int dst_range_start; int dst_range_end; public: TCPUDPService(); virtual ~TCPUDPService(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(TCPUDPService); DECLARE_DISPATCH_METHODS(TCPUDPService); virtual std::string getProtocolName() const; virtual int getProtocolNumber() const; int getSrcRangeStart() const { return src_range_start; } int getSrcRangeEnd() const { return src_range_end; } int getDstRangeStart() const { return dst_range_start; } int getDstRangeEnd() const { return dst_range_end; } void setSrcRangeStart(int p) { src_range_start = p; } void setSrcRangeEnd(int p) { src_range_end = p; } void setDstRangeStart(int p) { dst_range_start = p; } void setDstRangeEnd(int p) { dst_range_end = p; } virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/TagService.cpp000066400000000000000000000040441303637203600242710ustar00rootroot00000000000000 /* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/TagService.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; using namespace std; const char *TagService::TYPENAME={"TagService"}; string TagService::getProtocolName() const { return "tag_service";} int TagService::getProtocolNumber() const { return 65001; } TagService::TagService() { setStr("tagcode", ""); } TagService::~TagService() {} void TagService::setCode(const string &p) { setStr("tagcode", p); } string TagService::getCode() const { return getStr("tagcode"); } void TagService::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("tagcode"))); assert(n!=NULL); setStr("tagcode", n); FREEXMLBUFF(n); } xmlNodePtr TagService::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent, false); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); return me; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/TagService.h000066400000000000000000000036001303637203600237330ustar00rootroot00000000000000 /* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __GEN_TAGSERVICE_HH_FLAG__ #define __GEN_TAGSERVICE_HH_FLAG__ #include "fwbuilder/FWObject.h" #include "fwbuilder/Service.h" namespace libfwbuilder { /** * This is base class for all service objects and other objects that * can be children of RuleElementSrv (service rule element). It is * never used on it's own, only it's subclasses are used. * * TODO: we might need to derive ServiceGroup from Service, but this * requires lot more testing */ class TagService : public Service { private: public: std::string getCode() const; void setCode(const std::string &p); DECLARE_FWOBJECT_SUBTYPE(TagService); DECLARE_DISPATCH_METHODS(TagService); TagService(); ~TagService(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); virtual std::string getProtocolName() const; virtual int getProtocolNumber() const; //virtual FWReference* createRef(); //bool isAny() const; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ThreadTools.cpp000066400000000000000000000067611303637203600244750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/ThreadTools.h" #include #include #ifndef _WIN32 # include # include #else # include #endif # ifndef DST_NONE # define DST_NONE 0 # endif using namespace std; using namespace libfwbuilder; Mutex::Mutex() { pthread_mutexattr_t mutexattr; pthread_mutexattr_init( &mutexattr); // pthread_mutexattr_settype( &mutexattr, PTHREAD_MUTEX_FAST_NP ); pthread_mutex_init(&mutex, &mutexattr); } Mutex::~Mutex() { } void Mutex::lock() const { pthread_mutex_lock( (pthread_mutex_t*)&mutex ); } void Mutex::unlock() const { pthread_mutex_unlock( (pthread_mutex_t*)&mutex ); } Cond::Cond() { pthread_cond_init( &cond, NULL ); } Cond::~Cond() { } bool Cond::wait(const Mutex &m) const { m.lock(); pthread_cond_wait( (pthread_cond_t*)&cond, (pthread_mutex_t*)&m.mutex); return true; } void Cond::signal() const { pthread_cond_signal( (pthread_cond_t*)&cond ); } void Cond::broadcast() const { pthread_cond_broadcast( (pthread_cond_t*)&cond ); } SyncFlag::SyncFlag(bool v) { value = v; } bool SyncFlag::peek() const { return value; } bool SyncFlag::get() const { bool v; lock(); v = value; unlock(); return v; } void SyncFlag::modify(bool v) { value = v; } void SyncFlag::set(bool v) { lock(); value = v; unlock(); } SyncFlag::operator bool() const { return get(); } SyncFlag& SyncFlag::operator=(const SyncFlag &o) { set(o.get()); return *this; } 
SyncFlag& SyncFlag::operator=(bool v) { set(v); return *this; } #ifndef _WIN32 TimeoutCounter::TimeoutCounter(unsigned int _timeout, const string &_name) : timeout(_timeout),name(_name) { start(); } void TimeoutCounter::start() { time_t tres; finish = time(&tres) + timeout ; } unsigned int TimeoutCounter::timeLeft() const { time_t tres; int res = finish-time(&tres); return res<0?0:res; } bool TimeoutCounter::isExpired() const { time_t tres; return time(&tres) > finish ; } void TimeoutCounter::check() const throw(FWException) { if(isExpired()) { //cerr << "Expired Timeout Counter." << endl; throw FWException(name+" timeout"); } } ssize_t TimeoutCounter::read(int fd, void *buf, size_t n) const throw(FWException) { struct pollfd ufds[1]; ufds[0].fd=fd; ufds[0].events=POLLIN|POLLPRI; int retval=poll(ufds, 1, 1000*timeLeft()); if(retval==0) throw FWException("Timeout "+name); else if(retval>0) return ::read(fd, buf, n); else return -1; //error } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/ThreadTools.h000066400000000000000000000067661303637203600241470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __THREAD_TOOLS_H_FLAG__ #define __THREAD_TOOLS_H_FLAG__ #include "fwbuilder/libfwbuilder-config.h" #include //for time_t definition #include #include #include #include #include "fwbuilder/FWException.h" #ifdef _MSC_VER # ifdef _WIN64 typedef __int64 ssize_t; # elif _WIN32 typedef _W64 int ssize_t; #endif #else #include #define HAVE_SSIZE_T 1 #endif namespace libfwbuilder { /** * POSIX Mutex wrapper class. */ class Mutex { friend class Cond; protected: pthread_mutex_t mutex; public: Mutex(); virtual ~Mutex(); void lock() const; void unlock() const; }; /** * POSIX Mutex wrapper class. */ class Cond { protected: pthread_cond_t cond; public: Cond(); virtual ~Cond(); bool wait(const Mutex &mutex) const; void signal () const; void broadcast() const; }; /** * This class represents boolean value, access to which * is guarded by mutex. */ class SyncFlag: public Mutex { private: bool value; public: SyncFlag(bool v=false); /** * Checks value without locking. * Use with lock/unlock() */ bool peek() const; /** * Changes value without locking. * Use with lock/unlock() */ void modify(bool v); bool get() const; void set(bool v); operator bool() const; SyncFlag& operator=(const SyncFlag &o); SyncFlag& operator=(bool v); }; #ifndef _WIN32 /** * Timeout counter. This class needs poll(2) which does not exist on Windows */ class TimeoutCounter { private: unsigned int timeout ; std::string name ; time_t finish ; public: /** * Creates counter with start time now * and end time now+timeout. String is counter * name which will be used in thrown exception * in check() method. * NB: timeout is in whole seconds. */ TimeoutCounter(unsigned int timeout, const std::string &name); /** * Starts counter with start time 'now' * and end time now+timeout. * Could be called several times to restart it. 
*/ void start(); /** * retunrs time left before * timeout expiration (in seconds) */ unsigned int timeLeft() const; /** * Returns 'true' if timeout is expired. */ bool isExpired() const; /** * Throw exception if timeout is expired */ void check() const throw(FWException) ; /** * Reads from socket/file. * Throws FWException if timeout occured. */ ssize_t read(int fd, void *buf, size_t n) const throw(FWException); }; #endif } #endif //__THREAD_TOOLS_H_FLAG__ fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Tools.cpp000066400000000000000000000136371303637203600233450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Tools.h" #include "fwbuilder/XMLTools.h" #include #include #include #include /* * this is workaround, for some reason dirent.h defines DIR as a typedef * for struct __dirstream which is not defined anywhere. 
07/12/02 vk */ #ifndef __dirstream struct __dirstream {}; #endif #ifndef _WIN32 # include # include #else # include # include //# include # include #endif using namespace std; namespace libfwbuilder { char *cxx_strdup(const string &x) { char *res=new char[x.length()+1]; strcpy(res, x.c_str()); return res; } char *cxx_strdup(const char *x) { if(!x) return (char*)NULL; char *res=new char[strlen(x)+1]; strcpy(res,x); return res; } int cxx_strcasecmp(const char *s1, const char *s2) { #ifndef _WIN32 return ::strcasecmp(s1,s2); #else return _stricoll(s1,s2); #endif } void init() { #ifdef _WIN32 WORD wVersionRequested; WSADATA wsaData; int err; wVersionRequested = MAKEWORD( 2, 0 ); err = WSAStartup( wVersionRequested, &wsaData ); if ( err != 0 ) { // Could not find usable dll cerr << "Could not initialize winsock dll v2.0"; return; } // Confirm that the WinSock DLL supports 2.0. if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 ) { cerr << "Could not initialize winsock dll v2.0"; WSACleanup( ); return; } #endif /* Init XML parser */ XMLTools::initXMLTools(); } /** * portable function that gets a list of files in the directory. * dir - directory * ext - file extension mask, should be just "xml" rather than "*.xml" */ list getDirList(const std::string &dir, const std::string &ext) { list res; #ifndef _WIN32 DIR *d=opendir(dir.c_str()); if (d!=NULL) { struct dirent *de; while ( (de=readdir(d))!=NULL ) { if (strcmp(de->d_name,".")==SAME || strcmp(de->d_name,"..")==SAME) continue; string pfile=de->d_name; string rfile=dir+FS_SEPARATOR+pfile; if (rfile.rfind(string(".")+ext)==rfile.size()-ext.size()-1) res.push_back(rfile); } } closedir(d); #else struct _finddata_t c_file; long hFile; string filepath=dir + FS_SEPARATOR + "*." 
+ ext; /* Find first file in current directory */ if( (hFile = _findfirst( filepath.c_str(), &c_file )) != -1L ) { string rfile=dir+FS_SEPARATOR+c_file.name; res.push_back(rfile); /* Find the rest of the files */ while( _findnext( hFile, &c_file ) == 0 ) { string rfile=dir+FS_SEPARATOR+c_file.name; res.push_back(rfile); } } #endif return res; } unsigned int cxx_sleep(unsigned int seconds) { #ifndef _WIN32 return sleep(seconds); #else Sleep(seconds*1000); return 0; #endif } void tokenize(const string& str, vector& tokens, const string& delimiters) { // Skip delimiters at beginning. string::size_type lastPos = str.find_first_not_of(delimiters, 0); // Find first "non-delimiter". string::size_type pos = str.find_first_of(delimiters, lastPos); while (string::npos != pos || string::npos != lastPos) { // Found a token, add it to the vector. tokens.push_back(str.substr(lastPos, pos - lastPos)); // Skip delimiters. Note the "not_of" lastPos = str.find_first_not_of(delimiters, pos); // Find next "non-delimiter" pos = str.find_first_of(delimiters, lastPos); } } string strip(const string& in, const string& identifier) { string result; vector parts; tokenize(in, parts, identifier); for (vector::iterator it = parts.begin(); it != parts.end(); ++it) { result += *it; } return result; } string stringify(const vector& parts, const string& delimiter) { string result; vector::const_iterator it = parts.begin(); while (it != parts.end()) { result += *it++; if (it != parts.end()) { result += delimiter; } } return result; } set stringToSet(const string &str) { set ret; size_t lastpos = 0; for ( ; ; ) { size_t pos = str.find(',', lastpos); if (pos == string::npos) { if (lastpos < str.size()) { ret.insert(str.substr(lastpos)); } return ret; } ret.insert(str.substr(lastpos, pos - lastpos)); lastpos = pos + 1; } } string setToString(const set &s) { string ret; set::const_iterator iter; bool first = true; for (iter = s.begin(); iter != s.end(); ++iter) { if (first) { first = false; } else { 
ret += ","; } ret += *iter; } return ret; } } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/Tools.h000066400000000000000000000065221303637203600230050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* * This file contains various utility methods */ #ifndef __FW_TOOLS_HH_FLAG__ #define __FW_TOOLS_HH_FLAG__ #ifndef SAME # define SAME 0 #endif #ifndef nil # define nil NULL #endif #include "config.h" #include #include #include #include #include #ifndef _WIN32 # include #else # include #endif #include "fwbuilder/FWException.h" namespace libfwbuilder { /** * This method should be called to initialize the library * before any calls to it are made. The argument is a full path * to the executable that wants to initialize the library. Just * pass argv[0] there. This method passes substring between * the beginning of exec_path and position of the last '/' or '\' * to XMLTools::init; this information is later used to find DTD * if template directory is defined as relative path. This is especially * useful on Mac and Win32 where API is not installed in the absolute * predetermined path. */ void init(); /** * case insensitive string comparison. 
We reimplement it on win32 */ int cxx_strcasecmp(const char *s1, const char *s2); char *cxx_strdup(const char *x); char *cxx_strdup(const std::string &x); std::string int2string(int n); /** * portable function that gets a list of files that reside in a given * directory and have specified extension */ std::list getDirList(const std::string &dir, const std::string &ext); /** * just a portable version of sleep */ unsigned int cxx_sleep(unsigned int seconds); /** * Tokenize given string 'str' with delimiters into string vector. */ void tokenize(const std::string& str, std::vector& tokens, const std::string& delimiters = " "); /** * Concat all members of a vector together into a string * if there is more than one member, they are separated by delimiter. */ std::string stringify(const std::vector& parts, const std::string& delimiter = " "); /** * Strip identifier from string 'in' and return as string. */ std::string strip(const std::string& in, const std::string& identifier); /* Convert from string <-> set, using comma as delim */ std::set stringToSet(const std::string &str); std::string setToString(const std::set &s); } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/UDPService.cpp000066400000000000000000000024041303637203600242040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/XMLTools.h" using namespace libfwbuilder; using namespace std; const char *UDPService::TYPENAME={"UDPService"}; UDPService::UDPService() {} UDPService::~UDPService() {} string UDPService::getProtocolName() const { return "udp"; } int UDPService::getProtocolNumber() const { return 17; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/UDPService.h000066400000000000000000000024221303637203600236510ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __UDPSERVICE_HH_FLAG__ #define __UDPSERVICE_HH_FLAG__ #include "fwbuilder/TCPUDPService.h" namespace libfwbuilder { class UDPService : public TCPUDPService { public: UDPService(); virtual ~UDPService(); DECLARE_FWOBJECT_SUBTYPE(UDPService); DECLARE_DISPATCH_METHODS(UDPService); virtual std::string getProtocolName() const; virtual int getProtocolNumber() const; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/UserService.cpp000066400000000000000000000050111303637203600244670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/UserService.h" #include "fwbuilder/XMLTools.h" using namespace std; using namespace libfwbuilder; const char *UserService::TYPENAME={"UserService"}; UserService::UserService() {} UserService::~UserService() {} string UserService::getProtocolName() const { return "user_service";} int UserService::getProtocolNumber() const { return 65002; } FWObject& UserService::shallowDuplicate(const FWObject *x, bool preserve_id) throw(FWException) { const UserService *cs = dynamic_cast(x); userid = cs->userid; return FWObject::shallowDuplicate(x, preserve_id); } void UserService::fromXML(xmlNodePtr root) throw(FWException) { FWObject::fromXML(root); const char *n = FROMXMLCAST(xmlGetProp(root,TOXMLCAST("userid"))); if(n) { userid = string(n); FREEXMLBUFF(n); } } xmlNodePtr UserService::toXML(xmlNodePtr parent) throw(FWException) { xmlNodePtr me = FWObject::toXML(parent); xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName())); xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment())); xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False"))); xmlNewProp(me, TOXMLCAST("userid"), STRTOXMLCAST(userid)); return me; } bool UserService::cmp(const FWObject *obj, bool recursive) throw(FWException) { if (UserService::constcast(obj)==NULL) return false; if (!FWObject::cmp(obj, recursive)) return false; const UserService *user_serv = UserService::constcast(obj); return (userid == user_serv->userid); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/UserService.h000066400000000000000000000034321303637203600241410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __USERSERVICE_HH_FLAG__ #define __USERSERVICE_HH_FLAG__ #include "fwbuilder/Service.h" #include namespace libfwbuilder { class UserService : public Service { private: std::string userid; public: UserService(); virtual ~UserService(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) throw(FWException); DECLARE_FWOBJECT_SUBTYPE(UserService); DECLARE_DISPATCH_METHODS(UserService); virtual std::string getProtocolName() const; virtual int getProtocolNumber() const; const std::string& getUserId() const { return userid; } void setUserId(const std::string& uid) { userid = uid; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/XMLTools.cpp000066400000000000000000000666621303637203600237340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/ThreadTools.h" #include #include #include #include // for va_start and friends #include #include #include #include #ifndef _WIN32 # include // need this for read(2) #else # include // for access # define R_OK 4 // for access #endif #ifdef HAVE_LIBXSLT_XSLTCONFIG_H # include #endif #include #include #include #include #include #include #include #undef FW_XMLTOOLS_VERBOSE // #define FW_XMLTOOLS_VERBOSE 1 #define DTD_LOAD_BITS (1|XML_DETECT_IDS|XML_COMPLETE_ATTRS) using namespace std; using namespace libfwbuilder; #ifndef __MINGW32__ extern int xmlDoValidityCheckingDefaultValue ; extern int xmlLoadExtDtdDefaultValue ; #else extern __declspec(dllimport) int xmlDoValidityCheckingDefaultValue ; extern __declspec(dllimport) int xmlLoadExtDtdDefaultValue ; #endif /* * This mutex protects access to XML parser. * since we change DTD validation flags and error * handling function pointers, access should be * synchronized. */ Mutex xml_parser_mutex; /* * This mutex protects access to XSLT processor. * since we error handling function pointers, access should be * synchronized. */ Mutex xslt_processor_mutex; static void xslt_error_handler(void *ctx, const char *msg, ...) 
{ char buf[4096]; va_list args; assert(ctx!=NULL); va_start(args, msg); VSNPRINTF(buf, sizeof(buf)-1, msg, args); va_end(args); #ifdef FW_XMLTOOLS_VERBOSE cerr << "XSLT ERR: " << buf << endl; #endif *((string*)ctx)+=buf; } xmlNodePtr XMLTools::getXmlChildNode(xmlNodePtr r,const char *child_name) { xmlNodePtr cur; for(cur=r->xmlChildrenNode; cur; cur=cur->next) { if ( xmlIsBlankNode(cur) ) continue; if (strcmp(child_name,FROMXMLCAST(cur->name))==SAME) return cur; } return NULL; } xmlNodePtr XMLTools::getXmlNodeByPath(xmlNodePtr r, const string &path) { return getXmlNodeByPath(r, path.c_str()); } xmlNodePtr XMLTools::getXmlNodeByPath(xmlNodePtr r, const char *path) { char *s1, *cptr; char *path_copy; xmlNodePtr cur, res; res=NULL; path_copy= cxx_strdup( path ); s1=path_copy+strlen(path_copy)-1; while (*s1=='/') { *s1='\0'; s1--; } s1=path_copy; if (*s1=='/') { res=getXmlNodeByPath(r,s1+1); delete[] path_copy; return(res); } cptr=strchr(s1,'/'); if (cptr!=NULL) { *cptr='\0'; cptr++; } if (strcmp(FROMXMLCAST(r->name), s1)==0) { if (cptr) { for(cur=r->xmlChildrenNode; cur; cur=cur->next) { if ( xmlIsBlankNode(cur) ) continue; res=getXmlNodeByPath(cur,cptr); if (res) { delete[] path_copy; return(res); } } } else res=r; } delete[] path_copy; return(res); } xmlExternalEntityLoader XMLTools::defaultLoader = NULL; /** * This is global variable used in 'fwbExternalEntityLoader' * parser callback. It is protected by 'xml_parser_mutex'. 
*/ static char* current_template_dir=NULL; xmlParserInputPtr fwbExternalEntityLoader(const char *URL, const char *ID, xmlParserCtxtPtr ctxt) { xmlParserInputPtr ret; #ifdef FW_XMLTOOLS_VERBOSE cerr << "ENTITY: " << URL << " " << string((ID)?ID:"(null)") << endl; #endif string fname; fname=string(current_template_dir) + FS_SEPARATOR; string url=URL; string::size_type pos=url.find_last_of("/\\"); fname+=(pos==string::npos)?url:url.substr(pos+1); #ifdef FW_XMLTOOLS_VERBOSE cerr << "ENTITY FNAME: " << fname << endl; #endif ret = xmlNewInputFromFile(ctxt, fname.c_str()); if(ret) return(ret); else if(XMLTools::defaultLoader) return XMLTools::defaultLoader(URL, ID, ctxt); else return NULL; } void XMLTools::initXMLTools() { // xml_parser_mutex = PTHREAD_MUTEX_INITIALIZER; // xslt_processor_mutex = PTHREAD_MUTEX_INITIALIZER; xmlInitMemory(); xmlInitParser(); defaultLoader = xmlGetExternalEntityLoader(); current_template_dir=cxx_strdup(""); xmlSetExternalEntityLoader(fwbExternalEntityLoader); } void XMLTools::close() { xmlCleanupParser(); } string XMLTools::readFile(const std::string &rfile) throw(FWException) { string buf; if (rfile=="-") { string s; while (!cin.eof()) { getline(cin,s); buf += s; buf += '\n'; } return buf; } gzFile gzf = gzopen(rfile.c_str(), "rb9"); if (gzf == NULL) throw FWException("Could not read file "+rfile); int chunk_size = 65536; char *chunk = (char*)malloc(chunk_size); if (!chunk) throw FWException("Out of memory"); int n = 0; while(1) { n = gzread(gzf, chunk, chunk_size-1); if (n<=0) break; chunk[n] = '\0'; buf = buf + chunk; } int errn = errno; free(chunk); gzclose(gzf); if (n<0) { string s; s = "Error reading from file " + rfile + " : " + string(strerror(errn)); throw FWException(s); } return buf; } xmlDocPtr XMLTools::parseFile(const string &file_name, const string &buffer, bool use_dtd, const string &template_dir) throw(FWException) { xml_parser_mutex.lock(); if (current_template_dir!=NULL) delete[] current_template_dir; current_template_dir 
= cxx_strdup(template_dir.c_str()); xmlDoValidityCheckingDefaultValue = use_dtd ? 1 : 0; xmlLoadExtDtdDefaultValue = use_dtd ? DTD_LOAD_BITS : 0; string errors; xmlSetGenericErrorFunc(&errors, xslt_error_handler); // xmlDocPtr doc = xmlParseFile(file_name.c_str()); xmlDocPtr doc = xmlParseMemory(buffer.c_str(), buffer.length()); xmlSetGenericErrorFunc(NULL, NULL); xml_parser_mutex.unlock(); if (!doc || errors.length()) { throw FWException( "Error parsing XML from file '"+file_name+ "' "+ "(use_dtd="+ (use_dtd?string("1"):string("0"))+") "+ (errors.length() ? ( string("\nXML Parser reported:\n")+errors):string("")) ); } return doc; } xmlDocPtr XMLTools::loadFile(const string &data_file , const string &type , const string &dtd_file , const UpgradePredicate *upgrade, const string &template_dir, const string ¤t_version ) throw(FWException) { #ifdef FW_XMLTOOLS_VERBOSE cerr << "Loading file: " << data_file << endl << " type: " << type << endl << " dtd_file: " << dtd_file << endl << " template_dir: " << template_dir << endl << " current_version: " << current_version << endl; #endif int access_err = 0; if (data_file!="-" && (access_err=access(data_file.c_str() , R_OK ))!=0) { string access_err_str; switch (access_err) { case EACCES: access_err_str = "EACCES"; break; case EFAULT: access_err_str = "EFAULT"; break; case EIO: access_err_str = "EIO"; break; #ifdef ELOOP case ELOOP: access_err_str = "ELOOP"; break; #endif case ENAMETOOLONG: access_err_str = "ENAMETOOLONG"; break; case ENOENT: access_err_str = "ENOENT"; break; case ENOTDIR: access_err_str = "ENOTDIR"; break; default: access_err_str = "Unknown"; break; } throw FWException( string("Could not access data file '") + data_file + "'" + " error code " + access_err_str); } string buf = readFile(data_file); // First load without using DTD to check version xmlDocPtr doc = parseFile(data_file, buf, false, template_dir); #ifdef FW_XMLTOOLS_VERBOSE cerr << "Parsed file: " << data_file << endl; #endif // normally we load the 
file twice, first time to check the version and // upgrade it and the second time to generate doc that will be // used in the program. We can't do this if data_file is '-' (stdin) // 'cause we can't read stdin twice. So in this case we do not // upgrade. if (data_file=="-") return doc; xmlDocPtr newdoc = convert(doc, data_file, type, template_dir, current_version); if(newdoc) { const string upgrade_msg = "The file '" + data_file + "' was saved with\n\ an older version of Firewall Builder. Opening it in this version will\n\ cause it to be upgraded, which may prevent older versions of the program\n\ from reading it. Backup copy of your file in the old format will be made\n\ in the same directory with extension '.bak'. Are you sure you want to open it?"; if(!(*upgrade)(upgrade_msg)) { xmlFreeDoc(newdoc); //xmlCleanupParser(); throw FWException("Load operation cancelled for file: '"+data_file); } #ifdef FW_XMLTOOLS_VERBOSE cerr << "Saving updated file: " << data_file << endl; #endif // file was changed save it doc=newdoc; string backup_file = data_file+".bak"; // on windows rename fails if target file already exists unlink(backup_file.c_str()); if(rename(data_file.c_str(), backup_file.c_str())) { xmlFreeDoc(doc); //xmlCleanupParser(); throw FWException("Error making backup copy of file: '" + data_file + "' as '" + backup_file + "'"); } try { saveFile(doc, data_file, type, dtd_file); } catch(FWException &ex) { // Saving converted copy failed // let's restore backup if(rename(backup_file.c_str(), data_file.c_str())) { throw FWException(ex.toString() + "\nRestoring backup copy failed " + "your old data could be found in the file: '"+ backup_file+"'"); } else throw; } } assert(doc!=NULL); xmlFreeDoc(doc); //xmlCleanupParser(); // Now we know the version is OK, // let us load for real, checking DTD. 
doc = parseFile(data_file, readFile(data_file), true, template_dir); return doc; } void XMLTools::setDTD(xmlDocPtr doc, const string &type_name, const string &dtd_file) throw(FWException) { #ifdef FW_XMLTOOLS_VERBOSE cerr << "XMLTools::setDTD: type_name=" << type_name << " dtd_file=" << dtd_file << endl; #endif xmlCreateIntSubset(doc, STRTOXMLCAST(type_name), NULL, STRTOXMLCAST(dtd_file) ); xml_parser_mutex.lock(); xmlDoValidityCheckingDefaultValue = 1; xmlLoadExtDtdDefaultValue = DTD_LOAD_BITS; xmlSubstituteEntitiesDefaultValue = 1; string errors; xmlSetGenericErrorFunc (&errors, xslt_error_handler); try { /* * This broke with libxml 2.6.4. Tests seem to rule out bug inside * libxml2 (used their example program "tree2.c" and added similar * fragment for validation, it worked), so it must be something in our * code. I can't seem to find the problem though. * * We recreate the tree from the objects in the memory, so doing * validation here is mostly a double check. It should be relatively * safe to just skip validation until I figure out what's wrong with * it. xmlValidCtxt vctxt; vctxt.userData = &errors; vctxt.error = xslt_error_handler; vctxt.warning = xslt_error_handler; if(xmlValidateDocument(&vctxt, doc)!=1) throw FWException(string("DTD validation stage 2 failed with following errors:\n")+errors); */ xmlSetGenericErrorFunc (NULL, NULL); xml_parser_mutex.unlock(); } catch(...) { xmlSetGenericErrorFunc (NULL, NULL); xml_parser_mutex.unlock(); throw; } } void XMLTools::saveFile(xmlDocPtr doc, const string &file_name, const string &type_name, const string &dtd_file) throw(FWException) { #ifdef FW_XMLTOOLS_VERBOSE cerr << "SAVE: " << file_name << " " <name || type_name!=FROMXMLCAST(root->name)) { xmlFreeDoc(doc); //xmlCleanupParser(); throw FWException("XML file '"+file_name+ "' has invalid structure."); } string vers; const char *v = FROMXMLCAST(xmlGetProp(root,TOXMLCAST("version"))); if (v==NULL) { // no version. 
v="0.8.7"; // at this version attribute has been introduced xmlNewProp(root, TOXMLCAST("version") , TOXMLCAST(v)); res=doc; // changed vers=v; } else { vers=v; FREEXMLBUFF(v); } #ifdef FW_XMLTOOLS_VERBOSE cerr << "File reports version : " << vers << endl; #endif int c; while (!vers.empty() && (c=version_compare(current_version,vers))!=0) { if(c<0) { string err; err += string("The file '"); err += file_name; err += string("' "); err += string("was created by a newer version of " "Firewall Builder, please upgrade in order to " "open this file."); err += string("\n"); err += string("\n"); err += string("DTD version in the file: "); err += vers; err += string(" current: "); err += current_version; throw FWException(err); } string oldversion = vers; #ifdef FW_XMLTOOLS_VERBOSE cerr << "Converting from version: " << oldversion << endl; #endif string fname; fname = template_dir; fname = fname+FS_SEPARATOR+"migration"+FS_SEPARATOR+type_name+"_"+vers+".xslt"; if (access(fname.c_str() , R_OK )!=0) { xmlFreeDoc(doc); //xmlCleanupParser(); throw FWException( string("File '" + file_name + "' conversion error: no converter found for version: ") + oldversion+".\n" + string("Supposed to be a file ")+fname ); } try { res = transformDocument(doc, fname, NULL); } catch(FWException &ex) { ex.getProperties()["failed_transformation"]=fname; xmlFreeDoc(doc); //xmlCleanupParser(); throw; } xmlFreeDoc(doc); //xmlCleanupParser(); doc = res; root = xmlDocGetRootElement(doc); if (!root || !root->name || type_name!=FROMXMLCAST(root->name)) { xmlFreeDoc(doc); //xmlCleanupParser(); throw FWException("File '" + file_name + "' conversion Error: conversion produced file with invalid structure."); } v = FROMXMLCAST(xmlGetProp(root, TOXMLCAST("version"))); if (v==NULL) { xmlFreeDoc(doc); //xmlCleanupParser(); throw FWException("File '" + file_name + "' conversion error: converted to unknown version."); } vers=v; FREEXMLBUFF(v); if (version_compare(vers, oldversion) <= 0) { xmlFreeDoc(doc); 
//xmlCleanupParser(); throw FWException("File '" + file_name + "' conversion error: conversion did not advance version number!."); } } return res; } int XMLTools::major_number(const string &v, string &rest) { string a; string::size_type pos=v.find('.'); if(pos==string::npos) { a = v; rest = ""; } else { a = v.substr(0,pos); rest = v.substr(pos+1); } //TODO: handle conversion errors, by using 'strtol' if (a.empty()) a = "0"; return atoi(v.c_str()); } /* * Compare two version numbers. * If versions have different length (different total number of components) * consider missing components equal to zero. That is, * 1.2.3 is equal to 1.2.3.0 so, if we have to compare "1.2.3.4" to "1.2.3", then * this is equivalent to comparing "1.2.3.4" to "1.2.3.0". The opposite * is also true. */ int XMLTools::version_compare(const string &v1, const string &v2) { string rest1, rest2; int x1=major_number(v1, rest1); int x2=major_number(v2, rest2); if (rest1.empty() && rest2.empty()) return x1-x2; if (rest1.empty() && !rest2.empty()) rest1 = "0"; if (rest2.empty() && !rest1.empty()) rest2 = "0"; if (x1!=x2) return x1-x2; else return version_compare(rest1, rest2); } string XMLTools::quote_linefeeds(const string &s) { string res; for(string::size_type i=0;i127) res[i]='?'; } return res; } #undef DTD_LOAD_BITS #undef FW_XMLTOOLS_VERBOSE fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/XMLTools.h000066400000000000000000000146171303637203600233720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* * This file contains assorted XML handling code */ #ifndef __XML_TOOLS_HH_FLAG__ #define __XML_TOOLS_HH_FLAG__ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Tools.h" #include "fwbuilder/FWException.h" #include #include #include #include #include #include #include namespace libfwbuilder { //TODO: define type cast operators for these #define FROMXMLCAST(x) ((const char *)x) #define STRTOXMLCAST(x) ((xmlChar *)x.c_str()) #define TOXMLCAST(x) ((xmlChar *)x) class XMLTools { public: static xmlNodePtr getXmlNodeByPath(xmlNodePtr r,const char *path ); static xmlNodePtr getXmlNodeByPath(xmlNodePtr r,const std::string &path ); static xmlNodePtr getXmlChildNode (xmlNodePtr r,const char *child_name ); static void initXMLTools(); static void close(); class UpgradePredicate { public: virtual ~UpgradePredicate() {} virtual bool operator()(const std::string&) const { return true; } }; static std::string readFile(const std::string &file_name) throw(FWException); /** * Loads given file, performing version conversion * if neccessary. */ static xmlDocPtr loadFile(const std::string &file_name, const std::string &type_name, const std::string &dtd_file, const UpgradePredicate *upgrade, const std::string &template_dir, const std::string ¤t_version = std::string(FWBUILDER_XML_VERSION) ) throw(FWException); static void setDTD(xmlDocPtr doc, const std::string &type_name, const std::string &dtd_file) throw(FWException); /** * Saves to file with setting DTD. 
*/ static void saveFile(xmlDocPtr doc, const std::string &file_name, const std::string &type_name, const std::string &dtd_file) throw(FWException); /** * Saves XML document to the memory buffer */ static void dumpToMemory(xmlDocPtr doc, xmlChar **buffer, int *size, const std::string &type_name, const std::string &dtd_file) throw(FWException); static xmlExternalEntityLoader defaultLoader; /** * parses contents of the file file_name which is preloaded into * buffer, without version conversion. File name is passed for * pretty error printing. * * @return document pointer */ static xmlDocPtr parseFile(const std::string &file_name, const std::string &buffer, bool use_dtd, const std::string &template_dir ) throw(FWException); /** * Performs XSLT transformation of the document in memory * @return new document */ static xmlDocPtr transformDocument(xmlDocPtr doc, const std::string &stylesheet_file, const char **params ) throw(FWException); /** * Performs XSLT transformation of the document. Results are * stored in dst file. */ static void transformDocumentToFile(xmlDocPtr doc, const std::string &stylesheet_file, const char **params, const std::string &dst_file ) throw(FWException); /** * Performs XSLT transformation of the src file. Results are * stored in dst file. */ static void transformFileToFile(const std::string &src_file, const std::string &stylesheet_file, const char **params, const std::string &dst_file ) throw(FWException); static std::string quote_linefeeds (const std::string &s); static std::string unquote_linefeeds(const std::string &s); /** * checks all characters in str and makes sure they all conform * with UTF8 encoding. Replaces unconforming characters with '?' */ static std::string cleanForUTF8(const std::string &str); /** * checks all characters in str and makes sure they all conform * to NVT ASCII encoding. Replaces unconforming characters with '?' 
*/ static std::string cleanForNVTASCII(const std::string &str); /** * Compares 2 product version numbers in dotted notation * @return 0 if equal, positive if v1>v2, negative if v1 # include # include # include # include # include # include # include # include # include # include # include #else # include #endif #include #include #include #include #include #include "fwbuilder/dns.h" #include "fwbuilder/ThreadTools.h" using namespace std; using namespace libfwbuilder; #undef DEBUG_DNS Mutex *DNS::gethostbyname_mutex = NULL; Mutex *DNS::gethostbyaddr_mutex = NULL; // use this function for delayed initialization void DNS::init() { if (gethostbyname_mutex==NULL) gethostbyname_mutex = new Mutex(); if (gethostbyaddr_mutex==NULL) gethostbyaddr_mutex = new Mutex(); } /* * gethostbyaddr and gethostbyname return pointers to a static structure. * Since this is not thread safe, need to use mutex to protect calls to * these functions. */ HostEnt DNS::getHostByAddr(const InetAddr &addr, int type) throw(FWException) { DNS::init(); struct hostent *hp; size_t hstbuflen = 1024; char *tmphstbuf = (char *)malloc(hstbuflen); gethostbyaddr_mutex->lock(); if (type==AF_INET) { hp = gethostbyaddr((const char *)addr.getV4(), sizeof(struct in_addr), type); } else { hp = gethostbyaddr((const char *)addr.getV6(), sizeof(struct in_addr), type); } if(hp==NULL) { gethostbyaddr_mutex->unlock(); free(tmphstbuf); throw FWException(string("Hostname of address: '") + addr.toString() + "' not found"); } HostEnt v; v.name = hp->h_name; if (hp->h_aliases) for(char **p = hp->h_aliases; *p; p++) v.aliases.insert(string(*p)); free(tmphstbuf); gethostbyaddr_mutex->unlock(); return v; } list DNS::getHostByName(const string &name, int type) throw(FWException) { DNS::init(); list v; struct addrinfo *aiList = NULL; int retVal; #ifdef DEBUG_DNS cerr << "DNS::getHostByName " << name << " type=" << type << endl; #endif if ((retVal = getaddrinfo(name.c_str(), NULL, NULL, &aiList)) != 0) { std::ostringstream strerr; 
strerr << "Host or network '" + name + "' not found; last error: "; #ifdef _WIN32 strerr << WSAGetLastError(); #else strerr << gai_strerror(errno); #endif throw FWException(strerr.str()); } struct addrinfo *ai; try { for (ai=aiList; ai!=NULL; ai=ai->ai_next) { #ifdef DEBUG_DNS cerr << "DNS::getHostByName " << name << " returned address type=" << ai->ai_family << endl; #endif if (ai->ai_family!=type) continue; switch (ai->ai_family) { case AF_INET: { struct sockaddr_in *sa = (struct sockaddr_in *) ai->ai_addr; InetAddr addr((struct in_addr *)(&(sa->sin_addr))); v.push_back(addr); #ifdef DEBUG_DNS cerr << "DNS::getHostByName " << name << " ipv4 address=" << addr.toString() << endl; #endif } break; case AF_INET6: { struct sockaddr_in6 *sa = (struct sockaddr_in6 *) ai->ai_addr; InetAddr addr((struct in6_addr *)(&(sa->sin6_addr))); v.push_back(addr); #ifdef DEBUG_DNS cerr << "DNS::getHostByName " << name << " ipv6 address=" << addr.toString() << endl; #endif } break; } } } catch(const FWException &e) { freeaddrinfo(aiList); throw e; } freeaddrinfo(aiList); v.sort(); v.unique(); return v; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/dns.h000066400000000000000000000051461303637203600224720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __DNS_HH_FLAG__ #define __DNS_HH_FLAG__ #include "fwbuilder/libfwbuilder-config.h" #ifndef _WIN32 /* do not change the order of these headers! resolv.h should be included * before netdb.h, otherwise there seems to be a problem with macro __P * which is defined in cdfes.h as '#define __P(args) args __THROW' and * gcc 3.3 does not like this */ # include # include # include # include # include # include #else # ifndef RES_TIMEOUT # define RES_TIMEOUT 1 # endif #endif // _WIN32 #include "fwbuilder/InetAddr.h" #include "fwbuilder/FWException.h" #include "fwbuilder/BackgroundOp.h" #include "fwbuilder/ThreadTools.h" #include #include #include #ifndef RES_DFLRETRY # define RES_DFLRETRY 1 #endif namespace libfwbuilder { class HostEnt { public: std::string name ; std::set aliases ; }; /** * This is abstract class */ class DNS { public: DNS() {} /** * Should be called exactly once before this class * ever used. */ static void init(); /** * Finds IP adddresses of the host with given host name. * This operation does not run in backgound. * Returned list is sorted. */ static std::list getHostByName(const std::string &name, int type=AF_INET) throw(FWException); /** * Find all host names of host with given IP. * This operation does not run in backgound. 
*/ static HostEnt getHostByAddr(const InetAddr &addr, int type=AF_INET) throw(FWException); private: static Mutex *gethostbyname_mutex; static Mutex *gethostbyaddr_mutex; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/fwbuilder.pro000066400000000000000000000063041303637203600242370ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) # TEMPLATE = lib CONFIG += staticlib INCLUDEPATH += "../../../../" # SOURCES = InetAddr.cpp \ InetAddrMask.cpp \ Inet6AddrMask.cpp \ IPRoute.cpp \ Address.cpp \ AddressRange.cpp \ BackgroundOp.cpp \ Constants.cpp \ CustomService.cpp \ dns.cpp \ Firewall.cpp \ Cluster.cpp \ ClusterGroup.cpp \ FailoverClusterGroup.cpp \ StateSyncClusterGroup.cpp \ FWException.cpp \ FWIntervalReference.cpp \ FWObject.cpp \ FWObjectDatabase.cpp \ FWObjectDatabase_create_object.cpp \ FWObjectDatabase_tree_ops.cpp \ FWObjectDatabase_search.cpp \ FWObjectReference.cpp \ FWOptions.cpp \ FWReference.cpp \ FWServiceReference.cpp \ Group.cpp \ Host.cpp \ ICMPService.cpp \ ICMP6Service.cpp \ Interface.cpp \ InterfaceData.cpp \ Interval.cpp \ IntervalGroup.cpp \ IPService.cpp \ IPv4.cpp \ IPv6.cpp \ Library.cpp \ Logger.cpp \ Management.cpp \ MultiAddress.cpp \ NAT.cpp \ Network.cpp \ NetworkIPv6.cpp \ AttachedNetworks.cpp \ ObjectGroup.cpp \ DynamicGroup.cpp \ physAddress.cpp \ DNSName.cpp\ AddressTable.cpp\ Policy.cpp \ Resources.cpp \ Routing.cpp \ Rule.cpp \ RuleElement.cpp \ RuleSet.cpp \ SecuwallMgmtFile.cpp \ Service.cpp \ ServiceGroup.cpp \ snmp.cpp \ TCPService.cpp \ ThreadTools.cpp \ Tools.cpp \ TCPUDPService.cpp \ UDPService.cpp \ UserService.cpp \ TagService.cpp \ XMLTools.cpp \ ObjectMatcher.cpp \ ObjectMirror.cpp \ inet_net_ntop.c \ inet_net_pton.c \ uint128.cpp HEADERS = inet_net.h \ uint128.h \ InetAddr.h \ InetAddrMask.h \ Inet6AddrMask.h \ Dispatch.h \ IPRoute.h \ Address.h \ AddressRange.h \ BackgroundOp.h \ Constants.h \ CustomService.h \ dns.h \ Firewall.h \ Cluster.h \ ClusterGroup.h \ 
FailoverClusterGroup.h \ StateSyncClusterGroup.h \ FWException.h \ FWIntervalReference.h \ FWObjectDatabase.h \ FWObject.h \ FWObjectReference.h \ FWOptions.h \ FWReference.h \ FWServiceReference.h \ Group.h \ Host.h \ ICMPService.h \ ICMP6Service.h \ Interface.h \ InterfaceData.h \ IntervalGroup.h \ Interval.h \ IPService.h \ IPv4.h \ IPv6.h \ libfwbuilder-config.h \ libfwbuilder-version.h \ Library.h \ Logger.h \ Management.h \ MultiAddress.h \ NAT.h \ Network.h \ NetworkIPv6.h \ AttachedNetworks.h \ ObjectGroup.h \ DynamicGroup.h \ physAddress.h \ DNSName.h\ AddressTable.h\ Policy.h \ Pool.h \ Resources.h \ Routing.h \ RuleElement.h \ Rule.h \ RuleSet.h \ SecuwallMgmtFile.h \ ServiceGroup.h \ Service.h \ snmp.h \ SyncQueue.h \ TCPService.h \ ThreadTools.h \ Tools.h \ TCPUDPService.h \ UDPService.h \ UserService.h \ TagService.h \ ObjectMatcher.h \ ObjectMirror.h \ XMLTools.h TARGET = fwbuilder # no need to install headers #headers.files = $$HEADERS #headers.path = "$$prefix/include/fwb-4/fwbuilder" #INSTALLS += headers # and no need to install .a library INSTALLS -= target fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/inet_net.h000066400000000000000000000047171303637203600235160ustar00rootroot00000000000000/* * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") * Copyright (c) 1996,1999 by Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL ISC BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * */ #ifndef INET_NET_H #define INET_NET_H #include "fwbuilder/libfwbuilder-config.h" #ifdef _WIN32 # include // missing errno definitions: #define EMSGSIZE 40 /* Message too long */ #define EAFNOSUPPORT 47 /* Address family not supported by protocol family */ #else # include # include //# include # include # include #endif /* * char * * inet_net_ntop(af, src, bits, dst, size) * convert host/network address from network to presentation format. * "src"'s size is determined from its "af". * return: * pointer to dst, or NULL if an error occurred (check errno). * note: * 192.5.5.1/28 has a nonzero host part, which means it isn't a network * as called for by inet_net_pton() but it can be a host address with * an included netmask. * author: * Paul Vixie (ISC), October 1998 */ extern char* inet_net_ntop(int af, const void *src, int bits, char *dst, size_t size); /* * int * inet_net_pton(af, src, dst, size) * convert network number from presentation to network format. * accepts hex octets, hex strings, decimal octets, and /CIDR. * "size" is in bytes and describes "dst". * return: * number of bits, either imputed classfully or specified with /CIDR, * or -1 if some failure occurred (check errno). ENOENT means it was * not a valid network specification. * author: * Paul Vixie (ISC), June 1996 * * Changes: * I added the inet_cidr_pton function (also from Paul) and changed * the names to reflect their current use. 
* */ extern int inet_net_pton(int af, const char *src, void *dst, size_t size); #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/inet_net_ntop.c000066400000000000000000000325741303637203600245530ustar00rootroot00000000000000/* * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") * Copyright (c) 1996,1999 by Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * */ #include "inet_net.h" #include #include #include #define NS_IN6ADDRSZ 16 #define NS_INT16SZ 2 #ifdef SPRINTF_CHAR #define SPRINTF(x) strlen(sprintfx) #else #define SPRINTF(x) ((size_t)sprintf x) #endif static char *inet_net_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size); static char *inet_cidr_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size); static char *inet_net_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size); static char *inet_cidr_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size); /* * char * * inet_net_ntop(af, src, bits, dst, size) * convert host/network address from network to presentation format. * "src"'s size is determined from its "af". * return: * pointer to dst, or NULL if an error occurred (check errno). 
* note: * 192.5.5.1/28 has a nonzero host part, which means it isn't a network * as called for by inet_net_pton() but it can be a host address with * an included netmask. * author: * Paul Vixie (ISC), October 1998 */ char* inet_net_ntop(int af, const void *src, int bits, char *dst, size_t size) { switch (af) { case AF_INET: return (inet_net_ntop_ipv4(src, bits, dst, size)); case AF_INET6: return (inet_net_ntop_ipv6(src, bits, dst, size)); default: errno = EAFNOSUPPORT; return (NULL); } } /* * char * * inet_cidr_ntop(af, src, bits, dst, size) * convert network number from network to presentation format. * generates CIDR style result always. * return: * pointer to dst, or NULL if an error occurred (check errno). * author: * Paul Vixie (ISC), July 1996 */ char* inet_cidr_ntop(int af, const void *src, int bits, char *dst, size_t size) { switch (af) { case AF_INET: return (inet_cidr_ntop_ipv4(src, bits, dst, size)); case AF_INET6: return (inet_cidr_ntop_ipv6(src, bits, dst, size)); default: errno = EAFNOSUPPORT; return (NULL); } } /* * static char * * inet_cidr_ntop_ipv4(src, bits, dst, size) * convert IPv4 network number from network to presentation format. * generates CIDR style result always. * return: * pointer to dst, or NULL if an error occurred (check errno). * note: * network byte order assumed. this means 192.5.5.240/28 has * 0b11110000 in its fourth octet. * author: * Paul Vixie (ISC), July 1996 */ static char * inet_cidr_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size) { char *odst = dst; char *t; u_int m; int b; if (bits < 0 || bits > 32) { errno = EINVAL; return (NULL); } if (bits == 0) { if (size < sizeof "0") goto emsgsize; *dst++ = '0'; size--; *dst = '\0'; } /* Format whole octets. */ for (b = bits / 8; b > 0; b--) { if (size <= sizeof "255.") goto emsgsize; t = dst; dst += SPRINTF((dst, "%u", *src++)); if (b > 1) { *dst++ = '.'; *dst = '\0'; } size -= (size_t) (dst - t); } /* Format partial octet. 
*/ b = bits % 8; if (b > 0) { if (size <= sizeof ".255") goto emsgsize; t = dst; if (dst != odst) *dst++ = '.'; m = ((1 << b) - 1) << (8 - b); dst += SPRINTF((dst, "%u", *src & m)); size -= (size_t) (dst - t); } /* Format CIDR /width. */ if (size <= sizeof "/32") goto emsgsize; dst += SPRINTF((dst, "/%u", bits)); return (odst); emsgsize: errno = EMSGSIZE; return (NULL); } /* * static char * * inet_cidr_ntop_ipv6(src, bits, fakebits, dst, size) * convert IPv6 network number from network to presentation format. * generates CIDR style result always. Picks the shortest representation * unless the IP is really IPv4. * always prints specified number of bits (bits). * return: * pointer to dst, or NULL if an error occurred (check errno). * note: * network byte order assumed. this means 192.5.5.240/28 has * 0x11110000 in its fourth octet. * author: * Vadim Kogan (UCB), June 2001 * Original version (IPv4) by Paul Vixie (ISC), July 1996 */ static char * inet_cidr_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) { u_int m; int b; int p; int zero_s, zero_l, tmp_zero_s, tmp_zero_l; int i; int is_ipv4 = 0; unsigned char inbuf[16]; char outbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255/128")]; char *cp; int words; u_char *s; if (bits < 0 || bits > 128) { errno = EINVAL; return (NULL); } cp = outbuf; if (bits == 0) { *cp++ = ':'; *cp++ = ':'; *cp = '\0'; } else { /* Copy src to private buffer. Zero host part. 
*/ p = (bits + 7) / 8; memcpy(inbuf, src, p); memset(inbuf + p, 0, 16 - p); b = bits % 8; if (b != 0) { m = ~0 << (8 - b); inbuf[p - 1] &= m; } s = inbuf; /* how many words need to be displayed in output */ words = (bits + 15) / 16; if (words == 1) words = 2; /* Find the longest substring of zero's */ zero_s = zero_l = tmp_zero_s = tmp_zero_l = 0; for (i = 0; i < (words * 2); i += 2) { if ((s[i] | s[i + 1]) == 0) { if (tmp_zero_l == 0) tmp_zero_s = i / 2; tmp_zero_l++; } else { if (tmp_zero_l && zero_l < tmp_zero_l) { zero_s = tmp_zero_s; zero_l = tmp_zero_l; tmp_zero_l = 0; } } } if (tmp_zero_l && zero_l < tmp_zero_l) { zero_s = tmp_zero_s; zero_l = tmp_zero_l; } if (zero_l != words && zero_s == 0 && ((zero_l == 6) || ((zero_l == 5 && s[10] == 0xff && s[11] == 0xff) || ((zero_l == 7 && s[14] != 0 && s[15] != 1))))) is_ipv4 = 1; /* Format whole words. */ for (p = 0; p < words; p++) { if (zero_l != 0 && p >= zero_s && p < zero_s + zero_l) { /* Time to skip some zeros */ if (p == zero_s) *cp++ = ':'; if (p == words - 1) *cp++ = ':'; s++; s++; continue; } if (is_ipv4 && p > 5) { *cp++ = (p == 6) ? ':' : '.'; cp += SPRINTF((cp, "%u", *s++)); /* we can potentially drop the last octet */ if (p != 7 || bits > 120) { *cp++ = '.'; cp += SPRINTF((cp, "%u", *s++)); } } else { if (cp != outbuf) *cp++ = ':'; cp += SPRINTF((cp, "%x", *s * 256 + s[1])); s += 2; } } } /* Format CIDR /width. */ (void) SPRINTF((cp, "/%u", bits)); if (strlen(outbuf) + 1 > size) goto emsgsize; strcpy(dst, outbuf); return (dst); emsgsize: errno = EMSGSIZE; return (NULL); } /* * static char * * inet_net_ntop_ipv4(src, bits, dst, size) * convert IPv4 network address from network to presentation format. * "src"'s size is determined from its "af". * return: * pointer to dst, or NULL if an error occurred (check errno). * note: * network byte order assumed. this means 192.5.5.240/28 has * 0b11110000 in its fourth octet. 
* author: * Paul Vixie (ISC), October 1998 */ static char * inet_net_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size) { char *odst = dst; char *t; int len = 4; int b; if (bits < 0 || bits > 32) { errno = EINVAL; return (NULL); } /* Always format all four octets, regardless of mask length. */ for (b = len; b > 0; b--) { if (size <= sizeof ".255") goto emsgsize; t = dst; if (dst != odst) *dst++ = '.'; dst += SPRINTF((dst, "%u", *src++)); size -= (size_t) (dst - t); } /* don't print masklen if 32 bits */ if (bits != 32) { if (size <= sizeof "/32") goto emsgsize; dst += SPRINTF((dst, "/%u", bits)); } return (odst); emsgsize: errno = EMSGSIZE; return (NULL); } static int decoct(const u_char *src, int bytes, char *dst, size_t size) { char *odst = dst; char *t; int b; for (b = 1; b <= bytes; b++) { if (size <= sizeof "255.") return (0); t = dst; dst += SPRINTF((dst, "%u", *src++)); if (b != bytes) { *dst++ = '.'; *dst = '\0'; } size -= (size_t) (dst - t); } return (dst - odst); } static char * inet_net_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) { /* * Note that int32_t and int16_t need only be "at least" large enough to * contain a value of the specified size. On some systems, like Crays, * there is no such thing as an integer variable with 16 bits. Keep this * in mind if you think this function should have been coded to use * pointer overlays. All the world's not a VAX. */ char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255/128"]; char *tp; struct { int base, len; } best, cur; u_int words[NS_IN6ADDRSZ / NS_INT16SZ]; int i; if ((bits < -1) || (bits > 128)) { errno = EINVAL; return (NULL); } /* * Preprocess: Copy the input (bytewise) array into a wordwise array. Find * the longest run of 0x00's in src[] for :: shorthanding. 
*/ memset(words, '\0', sizeof words); for (i = 0; i < NS_IN6ADDRSZ; i++) words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3)); best.base = -1; cur.base = -1; best.len = 0; cur.len = 0; for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) { if (words[i] == 0) { if (cur.base == -1) cur.base = i, cur.len = 1; else cur.len++; } else { if (cur.base != -1) { if (best.base == -1 || cur.len > best.len) best = cur; cur.base = -1; } } } if (cur.base != -1) { if (best.base == -1 || cur.len > best.len) best = cur; } if (best.base != -1 && best.len < 2) best.base = -1; /* * Format the result. */ tp = tmp; for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) { /* Are we inside the best run of 0x00's? */ if (best.base != -1 && i >= best.base && i < (best.base + best.len)) { if (i == best.base) *tp++ = ':'; continue; } /* Are we following an initial run of 0x00s or any real hex? */ if (i != 0) *tp++ = ':'; /* Is this address an encapsulated IPv4? */ if (i == 6 && best.base == 0 && (best.len == 6 || (best.len == 7 && words[7] != 0x0001) || (best.len == 5 && words[5] == 0xffff))) { int n; n = decoct(src + 12, 4, tp, sizeof tmp - (tp - tmp)); if (n == 0) { errno = EMSGSIZE; return (NULL); } tp += strlen(tp); break; } tp += SPRINTF((tp, "%x", words[i])); } /* Was it a trailing run of 0x00's? */ if (best.base != -1 && (best.base + best.len) == (NS_IN6ADDRSZ / NS_INT16SZ)) *tp++ = ':'; *tp = '\0'; if (bits != -1 && bits != 128) tp += SPRINTF((tp, "/%u", bits)); /* * Check for overflow, copy, and we're done. */ if ((size_t) (tp - tmp) > size) { errno = EMSGSIZE; return (NULL); } strcpy(dst, tmp); return (dst); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/inet_net_pton.c000066400000000000000000000352121303637203600245430ustar00rootroot00000000000000/* * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") * Copyright (c) 1996,1999 by Internet Software Consortium. 
* * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * */ #include "inet_net.h" #include #include #include #include #include static int inet_net_pton_ipv4(const char *src, u_char *dst); static int inet_cidr_pton_ipv4(const char *src, u_char *dst, size_t size); static int inet_net_pton_ipv6(const char *src, u_char *dst); static int inet_cidr_pton_ipv6(const char *src, u_char *dst, size_t size); static const size_t invalid_size = -1; /* * int * inet_net_pton(af, src, dst, size) * convert network number from presentation to network format. * accepts hex octets, hex strings, decimal octets, and /CIDR. * "size" is in bytes and describes "dst". * return: * number of bits, either imputed classfully or specified with /CIDR, * or -1 if some failure occurred (check errno). ENOENT means it was * not a valid network specification. * author: * Paul Vixie (ISC), June 1996 * * Changes: * I added the inet_cidr_pton function (also from Paul) and changed * the names to reflect their current use. * */ int inet_net_pton(int af, const char *src, void *dst, size_t size) { switch (af) { case AF_INET: return size == invalid_size ? inet_net_pton_ipv4(src, dst) : inet_cidr_pton_ipv4(src, dst, size); case AF_INET6: return size == invalid_size ? 
inet_net_pton_ipv6(src, dst) : inet_cidr_pton_ipv6(src, dst, size); default: errno = EAFNOSUPPORT; return (-1); } } /* * static int * inet_cidr_pton_ipv4(src, dst, size) * convert IPv4 network number from presentation to network format. * accepts hex octets, hex strings, decimal octets, and /CIDR. * "size" is in bytes and describes "dst". * return: * number of bits, either imputed classfully or specified with /CIDR, * or -1 if some failure occurred (check errno). ENOENT means it was * not an IPv4 network specification. * note: * network byte order assumed. this means 192.5.5.240/28 has * 0b11110000 in its fourth octet. * author: * Paul Vixie (ISC), June 1996 */ static int inet_cidr_pton_ipv4(const char *src, u_char *dst, size_t size) { static const char xdigits[] = "0123456789abcdef"; static const char digits[] = "0123456789"; int n, ch, tmp = 0, dirty, bits; const u_char *odst = dst; ch = *src++; if (ch == '0' && (src[0] == 'x' || src[0] == 'X') && isxdigit((unsigned char) src[1])) { /* Hexadecimal: Eat nybble string. */ if (size <= 0U) goto emsgsize; dirty = 0; src++; /* skip x or X. */ while ((ch = *src++) != '\0' && isxdigit((unsigned char) ch)) { if (isupper((unsigned char) ch)) ch = tolower((unsigned char) ch); n = strchr(xdigits, ch) - xdigits; assert(n >= 0 && n <= 15); if (dirty == 0) tmp = n; else tmp = (tmp << 4) | n; if (++dirty == 2) { if (size-- <= 0U) goto emsgsize; *dst++ = (u_char) tmp; dirty = 0; } } if (dirty) { /* Odd trailing nybble? */ if (size-- <= 0U) goto emsgsize; *dst++ = (u_char) (tmp << 4); } } else if (isdigit((unsigned char) ch)) { /* Decimal: eat dotted digit string. 
*/ size_t size_l = 4; // vk for (;;) { tmp = 0; do { n = strchr(digits, ch) - digits; assert(n >= 0 && n <= 9); tmp *= 10; tmp += n; if (tmp > 255) goto enoent; } while ((ch = *src++) != '\0' && isdigit((unsigned char) ch)); if (size_l-- == 0) goto emsgsize; if (size-- <= 0U) goto emsgsize; *dst++ = (u_char) tmp; if (ch == '\0' || ch == '/') break; if (ch != '.') goto enoent; ch = *src++; if (!isdigit((unsigned char) ch)) goto enoent; } /* Extend address to four octets. -- vk */ while (size_l-- > 0) *dst++ = 0; } else goto enoent; bits = -1; if (ch == '/' && isdigit((unsigned char) src[0]) && dst > odst) { /* CIDR width specifier. Nothing can follow it. */ ch = *src++; /* Skip over the /. */ bits = 0; do { n = strchr(digits, ch) - digits; assert(n >= 0 && n <= 9); bits *= 10; bits += n; } while ((ch = *src++) != '\0' && isdigit((unsigned char) ch)); if (ch != '\0') goto enoent; if (bits > 32) goto emsgsize; } /* Firey death and destruction unless we prefetched EOS. */ if (ch != '\0') goto enoent; /* If nothing was written to the destination, we found no address. */ if (dst == odst) goto enoent; /* If no CIDR spec was given, infer width from net class. */ if (bits == -1) { if (*odst >= 240) /* Class E */ bits = 32; else if (*odst >= 224) /* Class D */ bits = 8; else if (*odst >= 192) /* Class C */ bits = 24; else if (*odst >= 128) /* Class B */ bits = 16; else /* Class A */ bits = 8; /* If imputed mask is narrower than specified octets, widen. */ if (bits < ((dst - odst) * 8)) bits = (dst - odst) * 8; /* * If there are no additional bits specified for a class D address * adjust bits to 4. */ if (bits == 8 && *odst == 224) bits = 4; } /* Extend network to cover the actual mask. */ while (bits > ((dst - odst) * 8)) { if (size-- <= 0U) goto emsgsize; *dst++ = '\0'; } return (bits); enoent: errno = ENOENT; return (-1); emsgsize: errno = EMSGSIZE; return (-1); } /* * int * inet_net_pton(af, src, dst, *bits) * convert network address from presentation to network format. 
* accepts inet_pton()'s input for this "af" plus trailing "/CIDR". * "dst" is assumed large enough for its "af". "bits" is set to the * /CIDR prefix length, which can have defaults (like /32 for IPv4). * return: * -1 if an error occurred (inspect errno; ENOENT means bad format). * 0 if successful conversion occurred. * note: * 192.5.5.1/28 has a nonzero host part, which means it isn't a network * as called for by inet_cidr_pton() but it can be a host address with * an included netmask. * author: * Paul Vixie (ISC), October 1998 */ static int inet_net_pton_ipv4(const char *src, u_char *dst) { static const char digits[] = "0123456789"; const u_char *odst = dst; int n, ch, tmp, bits; size_t size = 4; /* Get the mantissa. */ while (ch = *src++, isdigit((unsigned char) ch)) { tmp = 0; do { n = strchr(digits, ch) - digits; assert(n >= 0 && n <= 9); tmp *= 10; tmp += n; if (tmp > 255) goto enoent; } while ((ch = *src++) != '\0' && isdigit((unsigned char) ch)); if (size-- == 0) goto emsgsize; *dst++ = (u_char) tmp; if (ch == '\0' || ch == '/') break; if (ch != '.') goto enoent; } /* Get the prefix length if any. */ bits = -1; if (ch == '/' && isdigit((unsigned char) src[0]) && dst > odst) { /* CIDR width specifier. Nothing can follow it. */ ch = *src++; /* Skip over the /. */ bits = 0; do { n = strchr(digits, ch) - digits; assert(n >= 0 && n <= 9); bits *= 10; bits += n; } while ((ch = *src++) != '\0' && isdigit((unsigned char) ch)); if (ch != '\0') goto enoent; if (bits > 32) goto emsgsize; } /* Firey death and destruction unless we prefetched EOS. */ if (ch != '\0') goto enoent; /* Prefix length can default to /32 only if all four octets spec'd. */ if (bits == -1) { if (dst - odst == 4) bits = 32; else goto enoent; } /* If nothing was written to the destination, we found no address. */ if (dst == odst) goto enoent; /* If prefix length overspecifies mantissa, life is bad. */ if ((bits / 8) > (dst - odst)) goto enoent; /* Extend address to four octets. 
*/ while (size-- > 0) *dst++ = 0; return bits; enoent: errno = ENOENT; return (-1); emsgsize: errno = EMSGSIZE; return (-1); } static int getbits(const char *src, int *bitsp) { static const char digits[] = "0123456789"; int n; int val; char ch; val = 0; n = 0; while ((ch = *src++) != '\0') { const char *pch; pch = strchr(digits, ch); if (pch != NULL) { if (n++ != 0 && val == 0) /* no leading zeros */ return (0); val *= 10; val += (pch - digits); if (val > 128) /* range */ return (0); continue; } return (0); } if (n == 0) return (0); *bitsp = val; return (1); } static int getv4(const char *src, u_char *dst, int *bitsp) { static const char digits[] = "0123456789"; u_char *odst = dst; int n; u_int val; char ch; val = 0; n = 0; while ((ch = *src++) != '\0') { const char *pch; pch = strchr(digits, ch); if (pch != NULL) { if (n++ != 0 && val == 0) /* no leading zeros */ return (0); val *= 10; val += (pch - digits); if (val > 255) /* range */ return (0); continue; } if (ch == '.' || ch == '/') { if (dst - odst > 3) /* too many octets? */ return (0); *dst++ = val; if (ch == '/') return (getbits(src, bitsp)); val = 0; n = 0; continue; } return (0); } if (n == 0) return (0); if (dst - odst > 3) /* too many octets? */ return (0); *dst++ = val; return (1); } static int inet_net_pton_ipv6(const char *src, u_char *dst) { return inet_cidr_pton_ipv6(src, dst, 16); } #define NS_IN6ADDRSZ 16 #define NS_INT16SZ 2 #define NS_INADDRSZ 4 static int inet_cidr_pton_ipv6(const char *src, u_char *dst, size_t size) { static const char xdigits_l[] = "0123456789abcdef", xdigits_u[] = "0123456789ABCDEF"; u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; const char *xdigits, *curtok; int ch, saw_xdigit; u_int val; int digits; int bits; if (size < NS_IN6ADDRSZ) goto emsgsize; memset((tp = tmp), '\0', NS_IN6ADDRSZ); endp = tp + NS_IN6ADDRSZ; colonp = NULL; /* Leading :: requires some special handling. 
*/ if (*src == ':') if (*++src != ':') goto enoent; curtok = src; saw_xdigit = 0; val = 0; digits = 0; bits = -1; while ((ch = *src++) != '\0') { const char *pch; if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL) pch = strchr((xdigits = xdigits_u), ch); if (pch != NULL) { val <<= 4; val |= (pch - xdigits); if (++digits > 4) goto enoent; saw_xdigit = 1; continue; } if (ch == ':') { curtok = src; if (!saw_xdigit) { if (colonp) goto enoent; colonp = tp; continue; } else if (*src == '\0') goto enoent; if (tp + NS_INT16SZ > endp) return (0); *tp++ = (u_char) (val >> 8) & 0xff; *tp++ = (u_char) val & 0xff; saw_xdigit = 0; digits = 0; val = 0; continue; } if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && getv4(curtok, tp, &bits) > 0) { tp += NS_INADDRSZ; saw_xdigit = 0; break; /* '\0' was seen by inet_pton4(). */ } if (ch == '/' && getbits(src, &bits) > 0) break; goto enoent; } if (saw_xdigit) { if (tp + NS_INT16SZ > endp) goto enoent; *tp++ = (u_char) (val >> 8) & 0xff; *tp++ = (u_char) val & 0xff; } if (bits == -1) bits = 128; endp = tmp + 16; if (colonp != NULL) { /* * Since some memmove()'s erroneously fail to handle overlapping * regions, we'll do the shift by hand. */ const int n = tp - colonp; int i; if (tp == endp) goto enoent; for (i = 1; i <= n; i++) { endp[-i] = colonp[n - i]; colonp[n - i] = 0; } tp = endp; } if (tp != endp) goto enoent; /* * Copy out the result. */ memcpy(dst, tmp, NS_IN6ADDRSZ); return (bits); enoent: errno = ENOENT; return (-1); emsgsize: errno = EMSGSIZE; return (-1); } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/libfwbuilder-config.h.in000066400000000000000000000021671303637203600262300ustar00rootroot00000000000000 #undef FWBUILDER_XML_VERSION #define FREEXMLBUFF(x) xmlFree((void*)(x)) /* * Template files directory dir * DO NOT USE THIS CONSTANT DIRECTLY - USE Constants class instead! 
*/ #undef RES_DIR #undef HAVE_LIBSNMP #undef UCD_SNMP #undef NET_SNMP #undef HAVE_INET_NET_NTOP #undef HAVE_GOODLIBRESOLV #undef HAVE_LWRES #undef HAVE_LWRES_GETIPNODE #undef HAVE_GETOPT_H /* gethostbyname_r */ #undef HAVE_FUNC_GETHOSTBYNAME_R_6 #undef HAVE_FUNC_GETHOSTBYNAME_R_5 #undef HAVE_FUNC_GETHOSTBYNAME_R_3 /* gethostbyaddr_r */ #undef HAVE_GETHOSTBYADDR_R_5 #undef HAVE_GETHOSTBYADDR_R_7 #undef HAVE_GETHOSTBYADDR_R_8 /* first argument of gethostbyaddr_r may be char* or void* */ #undef GETHOSTBYADDR_FIRST_ARG_CHARPTR #undef GETHOSTBYADDR_FIRST_ARG_VOIDPTR /* xmlSaveFile */ #undef HAVE_XMLSAVEFORMATFILEENC #undef HAVE_LIBXSLT_XSLTCONFIG_H /* strtok_r */ #undef HAVE_STRTOK_R #undef WORDS_LITTLEENDIAN #undef WORDS_BIGENDIAN /* * newer versions of UCD-SNMP use this function. This should be preferred way, * but Mandrake 8.2 comes with ucd-snmp v.4.2.3 which does not have it. */ #undef HAVE_SNPRINT_OBJID #define FS_SEPARATOR "/" fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/memcheck.h000066400000000000000000000317501303637203600234620ustar00rootroot00000000000000 /* ---------------------------------------------------------------- Notice that the following BSD-style license applies to this one file (memcheck.h) only. The rest of Valgrind is licensed under the terms of the GNU General Public License, version 2, unless otherwise indicated. See the COPYING file in the source distribution for details. ---------------------------------------------------------------- This file is part of MemCheck, a heavyweight Valgrind tool for detecting memory errors. Copyright (C) 2000-2008 Julian Seward. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 3. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 4. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ---------------------------------------------------------------- Notice that the above BSD-style license applies to this one file (memcheck.h) only. The entire rest of Valgrind is licensed under the terms of the GNU General Public License, version 2. See the COPYING file in the source distribution for details. ---------------------------------------------------------------- */ #ifndef __MEMCHECK_H #define __MEMCHECK_H /* This file is for inclusion into client (your!) code. You can use these macros to manipulate and query memory permissions inside your own programs. See comment near the top of valgrind.h on how to use them. */ #include "valgrind.h" /* !! ABIWARNING !! ABIWARNING !! ABIWARNING !! ABIWARNING !! 
This enum comprises an ABI exported by Valgrind to programs which use client requests. DO NOT CHANGE THE ORDER OF THESE ENTRIES, NOR DELETE ANY -- add new ones at the end. */ typedef enum { VG_USERREQ__MAKE_MEM_NOACCESS = VG_USERREQ_TOOL_BASE('M','C'), VG_USERREQ__MAKE_MEM_UNDEFINED, VG_USERREQ__MAKE_MEM_DEFINED, VG_USERREQ__DISCARD, VG_USERREQ__CHECK_MEM_IS_ADDRESSABLE, VG_USERREQ__CHECK_MEM_IS_DEFINED, VG_USERREQ__DO_LEAK_CHECK, VG_USERREQ__COUNT_LEAKS, VG_USERREQ__GET_VBITS, VG_USERREQ__SET_VBITS, VG_USERREQ__CREATE_BLOCK, VG_USERREQ__MAKE_MEM_DEFINED_IF_ADDRESSABLE, /* This is just for memcheck's internal use - don't use it */ _VG_USERREQ__MEMCHECK_RECORD_OVERLAP_ERROR = VG_USERREQ_TOOL_BASE('M','C') + 256 } Vg_MemCheckClientRequest; /* Client-code macros to manipulate the state of memory. */ /* Mark memory at _qzz_addr as unaddressable for _qzz_len bytes. */ #define VALGRIND_MAKE_MEM_NOACCESS(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__MAKE_MEM_NOACCESS, \ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Similarly, mark memory at _qzz_addr as addressable but undefined for _qzz_len bytes. */ #define VALGRIND_MAKE_MEM_UNDEFINED(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__MAKE_MEM_UNDEFINED, \ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Similarly, mark memory at _qzz_addr as addressable and defined for _qzz_len bytes. */ #define VALGRIND_MAKE_MEM_DEFINED(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__MAKE_MEM_DEFINED, \ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Similar to VALGRIND_MAKE_MEM_DEFINED except that addressability is not altered: bytes which are addressable are marked as defined, but those which are not addressable are left unchanged. 
*/ #define VALGRIND_MAKE_MEM_DEFINED_IF_ADDRESSABLE(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__MAKE_MEM_DEFINED_IF_ADDRESSABLE, \ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Create a block-description handle. The description is an ascii string which is included in any messages pertaining to addresses within the specified memory range. Has no other effect on the properties of the memory range. */ #define VALGRIND_CREATE_BLOCK(_qzz_addr,_qzz_len, _qzz_desc) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__CREATE_BLOCK, \ _qzz_addr, _qzz_len, _qzz_desc, \ 0, 0); \ _qzz_res; \ })) /* Discard a block-description-handle. Returns 1 for an invalid handle, 0 for a valid handle. */ #define VALGRIND_DISCARD(_qzz_blkindex) \ (__extension__ ({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__DISCARD, \ 0, _qzz_blkindex, 0, 0, 0); \ _qzz_res; \ })) /* Client-code macros to check the state of memory. */ /* Check that memory at _qzz_addr is addressable for _qzz_len bytes. If suitable addressibility is not established, Valgrind prints an error message and returns the address of the first offending byte. Otherwise it returns zero. */ #define VALGRIND_CHECK_MEM_IS_ADDRESSABLE(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__CHECK_MEM_IS_ADDRESSABLE,\ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Check that memory at _qzz_addr is addressable and defined for _qzz_len bytes. If suitable addressibility and definedness are not established, Valgrind prints an error message and returns the address of the first offending byte. Otherwise it returns zero. 
*/ #define VALGRIND_CHECK_MEM_IS_DEFINED(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__CHECK_MEM_IS_DEFINED, \ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Use this macro to force the definedness and addressibility of an lvalue to be checked. If suitable addressibility and definedness are not established, Valgrind prints an error message and returns the address of the first offending byte. Otherwise it returns zero. */ #define VALGRIND_CHECK_VALUE_IS_DEFINED(__lvalue) \ VALGRIND_CHECK_MEM_IS_DEFINED( \ (volatile unsigned char *)&(__lvalue), \ (unsigned long)(sizeof (__lvalue))) /* Do a memory leak check mid-execution. */ #define VALGRIND_DO_LEAK_CHECK \ {unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__DO_LEAK_CHECK, \ 0, 0, 0, 0, 0); \ } /* Just display summaries of leaked memory, rather than all the details */ #define VALGRIND_DO_QUICK_LEAK_CHECK \ {unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__DO_LEAK_CHECK, \ 1, 0, 0, 0, 0); \ } /* Return number of leaked, dubious, reachable and suppressed bytes found by all previous leak checks. They must be lvalues. */ #define VALGRIND_COUNT_LEAKS(leaked, dubious, reachable, suppressed) \ /* For safety on 64-bit platforms we assign the results to private unsigned long variables, then assign these to the lvalues the user specified, which works no matter what type 'leaked', 'dubious', etc are. We also initialise '_qzz_leaked', etc because VG_USERREQ__COUNT_LEAKS doesn't mark the values returned as initialised. 
*/ \ {unsigned long _qzz_res; \ unsigned long _qzz_leaked = 0, _qzz_dubious = 0; \ unsigned long _qzz_reachable = 0, _qzz_suppressed = 0; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__COUNT_LEAKS, \ &_qzz_leaked, &_qzz_dubious, \ &_qzz_reachable, &_qzz_suppressed, 0); \ leaked = _qzz_leaked; \ dubious = _qzz_dubious; \ reachable = _qzz_reachable; \ suppressed = _qzz_suppressed; \ } /* Get the validity data for addresses [zza..zza+zznbytes-1] and copy it into the provided zzvbits array. Return values: 0 if not running on valgrind 1 success 2 [previously indicated unaligned arrays; these are now allowed] 3 if any parts of zzsrc/zzvbits are not addressable. The metadata is not copied in cases 0, 2 or 3 so it should be impossible to segfault your system by using this call. */ #define VALGRIND_GET_VBITS(zza,zzvbits,zznbytes) \ (__extension__({unsigned long _qzz_res; \ char* czza = (char*)zza; \ char* czzvbits = (char*)zzvbits; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__GET_VBITS, \ czza, czzvbits, zznbytes, 0, 0 ); \ _qzz_res; \ })) /* Set the validity data for addresses [zza..zza+zznbytes-1], copying it from the provided zzvbits array. Return values: 0 if not running on valgrind 1 success 2 [previously indicated unaligned arrays; these are now allowed] 3 if any parts of zza/zzvbits are not addressable. The metadata is not copied in cases 0, 2 or 3 so it should be impossible to segfault your system by using this call. 
*/ #define VALGRIND_SET_VBITS(zza,zzvbits,zznbytes) \ (__extension__({unsigned int _qzz_res; \ char* czza = (char*)zza; \ char* czzvbits = (char*)zzvbits; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__SET_VBITS, \ czza, czzvbits, zznbytes, 0, 0 ); \ _qzz_res; \ })) #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/physAddress.cpp000066400000000000000000000044661303637203600245360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
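To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include
#include "config.h"
#include "fwbuilder/libfwbuilder-config.h"

#include "fwbuilder/physAddress.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectReference.h"
#include "fwbuilder/FWObjectDatabase.h"

#include
//#include

using namespace libfwbuilder;
using namespace std;

const char *physAddress::TYPENAME={"physAddress"};

/* A fresh object carries the all-zero MAC until one is assigned. */
physAddress::physAddress() : Address()
{
    setPhysAddress("00:00:00:00:00:00");
}

/**
 * Loads the object from its XML element.  The "address" attribute is
 * mandatory; the element comes from a data file, i.e. untrusted input.
 * Throws FWException when the attribute is absent.
 */
void physAddress::fromXML(xmlNodePtr root) throw(FWException)
{
    FWObject::fromXML(root);

    const char* n=FROMXMLCAST(xmlGetProp(root,TOXMLCAST("address")));
    // xmlGetProp() returns NULL for a missing attribute.  This used to be
    // an assert(), which is compiled out under NDEBUG and then let
    // setStr() receive a NULL pointer; reject the element instead.
    if (n==NULL)
        throw FWException("physAddress: missing 'address' attribute");
    setStr("address", n);
    FREEXMLBUFF(n);
}

/**
 * Serialises the object under parent and returns the new node.
 * Only name, comment and ro are written explicitly here; anything else
 * is left to FWObject::toXML().
 */
xmlNodePtr physAddress::toXML(xmlNodePtr parent) throw(FWException)
{
    xmlNodePtr me = FWObject::toXML(parent, false);
    xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName()));
    xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment()));
    xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False")));
    return me;
}

/* The MAC address as stored, i.e. a string; no canonical form is enforced. */
std::string physAddress::getPhysAddress() const
{
    return getStr("address");
}

void physAddress::setPhysAddress(const std::string &s)
{
    setStr("address",s);
}

/* Creates a reference object pointing at this object, owned by the caller. */
FWReference* physAddress::createRef()
{
    FWObjectReference *ref = getRoot()->createFWObjectReference();
    ref->setPointer(this);
    return ref;
}

/* An empty address string is the "any" address. */
bool physAddress::isAny() const
{
    return getPhysAddress()=="";
}
fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/physAddress.h000066400000000000000000000030761303637203600241770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License.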
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PHYS_ADDRESS_HH_FLAG__ #define __PHYS_ADDRESS_HH_FLAG__ #include "fwbuilder/FWObject.h" #include "fwbuilder/Address.h" #include "fwbuilder/ObjectMatcher.h" namespace libfwbuilder { class physAddress : public Address { private: public: DECLARE_FWOBJECT_SUBTYPE(physAddress); DECLARE_DISPATCH_METHODS(physAddress); physAddress(); virtual void fromXML(xmlNodePtr parent) throw(FWException); virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException); std::string getPhysAddress() const; void setPhysAddress(const std::string &s); virtual FWReference* createRef(); bool isAny() const; virtual bool isPrimaryObject() const { return false; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/snmp.cpp000066400000000000000000001621161303637203600232170ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #ifdef HAVE_LIBSNMP #include #include #include #include #include "fwbuilder/physAddress.h" #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/Inet6AddrMask.h" #include "fwbuilder/IPv4.h" /* * we do not really use getops here, but net-snmp does. On FreeBSD, if * port devel/libgnugetopt is installed, it installs file * /usr/local/include/getopt.h. Definition of getopt in this file * conflicts with that in unistd.h, so this module does not * compile. To solve this problem, I put -I/usr/include first in * INCLUDEPATH in Makefiles and #define _GETOPT_H here, so that when * it is included from /usr/local, its internal wrapper macro * _GETOPT_H will have been defined and include file won't be * processed */ #define _GETOPT_H #include "fwbuilder/snmp.h" #ifdef UCD_SNMP #include #endif #include #include #include #include #include /* #ifdef _WIN32 #define snprintf sprintf_s #endif */ /** * Define this if you need extra debug output. 
*/ #undef SNMP_CRAWLER_DEBUG using namespace std; using namespace libfwbuilder; /* Compiled OIDs */ /* We use #define so the compiler can do string concatenation for snprintf */ #define SNMP_INTERFACE_ASTATUS ".1.3.6.1.2.1.2.2.1.7" #define SNMP_INTERFACE_OSTATUS ".1.3.6.1.2.1.2.2.1.8" #define SNMP_INTERFACE_INDEX ".1.3.6.1.2.1.2.2.1.1" #define SNMP_INTERFACES_DESCR ".1.3.6.1.2.1.2.2.1.2" #define SNMP_INTERFACES_PHYSA ".1.3.6.1.2.1.2.2.1.6" #define SNMP_INTERFACES_TYPE ".1.3.6.1.2.1.2.2.1.3" #define SNMP_ADDR_INDEX_TABLE ".1.3.6.1.2.1.4.20.1.2" #define SNMP_NMASK_TABLE ".1.3.6.1.2.1.4.20.1.3" #define SNMP_ADDR_TABLE ".1.3.6.1.2.1.4.20.1.1" #define SNMP_BCAST_TABLE ".1.3.6.1.2.1.4.20.1.4" #define SNMP_AT_TABLE_NET ".1.3.6.1.2.1.3.1.1.3" #define SNMP_AT_TABLE_PHYS ".1.3.6.1.2.1.3.1.1.2" const char *SNMPQuery::SNMP_SYSNAME = ".1.3.6.1.2.1.1.5.0"; const char *SNMPQuery::SNMP_SYSDESCR = ".1.3.6.1.2.1.1.1.0"; const char *SNMPQuery::SNMP_CONTACT = ".1.3.6.1.2.1.1.4.0"; const char *SNMPQuery::SNMP_LOCATION = ".1.3.6.1.2.1.1.6.0"; const char *SNMPQuery::SNMP_ROUTE_DST_TABLE = ".1.3.6.1.2.1.4.21.1.1"; const char *SNMPQuery::SNMP_ROUTE_NM_TABLE = ".1.3.6.1.2.1.4.21.1.11"; const char *SNMPQuery::SNMP_ROUTE_TYPE_TABLE = ".1.3.6.1.2.1.4.21.1.8"; const char *SNMPQuery::SNMP_ROUTE_IF_TABLE = ".1.3.6.1.2.1.4.21.1.2"; const char *SNMPQuery::SNMP_ROUTE_GW_TABLE = ".1.3.6.1.2.1.4.21.1.7"; const int SNMPQuery::SNMP_DIRECT_ROUTE = 3; const char* SNMPQuery::SNMP_IP_MIB_RFC4293_V6_INDEX = ".1.3.6.1.2.1.4.34.1.3.2.16"; const char* SNMPQuery::SNMP_IP_MIB_RFC4293_V6_PREFIX = ".1.3.6.1.2.1.4.34.1.5.2.16"; /** * Following interface types correspond to point-to-point interfaces. * (in ascending order!) */ const int SNMPCrawler::PTP_INTERFACE_TYPES[]={ 17, // sdlc 18, // ds1 19, // e1 20, // basicISDN 21, // primaryISDN 22, // propPointToPointSerial 23, // ppp 28, // slip 30, // ds3 32 // frameRelay. 
According to 'vk' it could be also broadcast // capable in some weird setup, but we assume it is p-t-p only. }; /* * temporary database object, needs this to be able to create * interfaces and then add ip addresses to them */ static FWObjectDatabase *snmp_tmp_db = NULL; #include SNMPQuery::SNMPQuery(string h,string c, int retries_, long timeout_) { hostname = h; community = c; retries = retries_; timeout = timeout_; descr = ""; contact = ""; location = ""; } void SNMPQuery::init(string h, string c, int retries_, long timeout_) { hostname = h; community = c; retries = retries_; timeout = timeout_; descr = ""; contact = ""; location = ""; char *snmp_out_opt = (char*)("n"); snmp_out_toggle_options(snmp_out_opt); if (snmp_tmp_db==NULL) snmp_tmp_db = new FWObjectDatabase(); } SNMPQuery::~SNMPQuery() { } void SNMPQuery::fetchAll(Logger *logger,SyncFlag *stop_program) throw(FWException) { if(community.empty()) throw FWException("No SNMP community specified"); if(hostname.empty()) throw FWException("No SNMP hostname specified"); SNMPConnection c(hostname, community); c.connect(retries, timeout); CHECK_STOP_AND_THROW_EXCEPTION; fetchSysInfo (logger,stop_program, &c); CHECK_STOP_AND_THROW_EXCEPTION; fetchInterfaces(logger,stop_program, &c); CHECK_STOP_AND_THROW_EXCEPTION; fetchArpTable (logger,stop_program, &c); CHECK_STOP_AND_THROW_EXCEPTION; fetchRoutingTable (logger,stop_program, &c); CHECK_STOP_AND_THROW_EXCEPTION; } void SNMPQuery::fetchArpTable(Logger *logger,SyncFlag *stop_program, SNMPConnection *connection) throw(FWException) { std::ostringstream str; *logger << "ARP table\n"; arptable.clear(); SNMPConnection *c; if(connection) { c=connection; } else { if(community.empty()) throw FWException("No SNMP community specified"); if(hostname.empty()) throw FWException("No SNMP hostname specified"); c=new SNMPConnection(hostname, community); try { c->connect(retries, timeout); } catch(...) { // If program was stopped, show this, rather // than error. 
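            // connect() failed: c was allocated just above and nothing
            // else releases it on this path.
            delete c;
            throw;
        }
    }

    // Both walks are kept outside the try so that one cleanup path can
    // release whichever of them succeeded.
    multimap<string, SNMPVariable*> nw;
    multimap<string, SNMPVariable*> pw;
    try
    {
        *logger << "Walking atNetAddress table...\n";
        nw = c->walk(SNMP_AT_TABLE_NET );
        CHECK_STOP_AND_THROW_EXCEPTION;

        *logger << "Walking atPhysAddress table...\n";
        pw = c->walk(SNMP_AT_TABLE_PHYS );
        CHECK_STOP_AND_THROW_EXCEPTION;

        for (multimap<string, SNMPVariable*>::iterator j = nw.begin(); j!=nw.end(); ++j)
        {
            CHECK_STOP_AND_THROW_EXCEPTION;

            if ((*j).second->type!=SNMPVariable::snmp_ipaddr)
            {
                *logger << "unexpected result type in '" << SNMP_AT_TABLE_NET << "' table. Skipping it.\n";
                continue;
            }

            InetAddr ip = dynamic_cast<SNMPVariable_IPaddr*>((*j).second)->getInetAddrValue();
            str << "Learned: " << ip.toString();

            // Both tables are indexed by the same atIfIndex.atNetAddress
            // suffix, so the matching atPhysAddress row is the one whose
            // OID ends with ".<ip>".  The previous substring search also
            // matched "10.1.1.1" inside the row for 10.1.1.10 (or
            // 110.1.1.1) and paired the address with another host's MAC.
            const string suffix = "." + ip.toString();
            for (multimap<string, SNMPVariable*>::iterator k = pw.begin(); k!=pw.end(); ++k)
            {
                const string &pa_oid = k->first;
                if (pa_oid.size() < suffix.size() ||
                    pa_oid.compare(pa_oid.size() - suffix.size(), suffix.size(), suffix) != 0)
                    continue;

                // dynamic_cast below yields NULL for any other variable type
                if (k->second->type != SNMPVariable::snmp_string)
                {
                    *logger << "unexpected result type in '" << SNMP_AT_TABLE_PHYS << "' table. Skipping it.\n";
                    continue;
                }

                string hwaddr=dynamic_cast<SNMPVariable_String*>(k->second)->toHexString();
                arptable.insert(make_pair(ip,hwaddr));
                str << " at " << hwaddr;
                break;
            }
            *logger << str;
        }
    }
    catch (...)
    {
        // Covers FWException as well as the stop request raised by
        // CHECK_STOP_AND_THROW_EXCEPTION; either way c (when ours) and
        // the walk results must go.
        for (multimap<string, SNMPVariable*>::iterator j = nw.begin(); j!=nw.end(); ++j)
            delete (*j).second;
        for (multimap<string, SNMPVariable*>::iterator j = pw.begin(); j!=pw.end(); ++j)
            delete (*j).second;
        if(!connection) delete c;
        throw;
    }

    for (multimap<string, SNMPVariable*>::iterator j = nw.begin(); j!=nw.end(); ++j)
        delete (*j).second;
    for (multimap<string, SNMPVariable*>::iterator j = pw.begin(); j!=pw.end(); ++j)
        delete (*j).second;

    if(!connection) delete c;
    *logger << "Done fetching ARP table\n";
}

/**
 * Fetches routing table. If interfaces have been already found
 * it will contain also reference to interface object associated
 * with the route.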
*/ void SNMPQuery::fetchRoutingTable(Logger *logger,SyncFlag *stop_program, SNMPConnection *connection) throw(FWException) { std::ostringstream str; *logger << "Routing table\n"; routes.clear(); SNMPConnection *c; if(connection) { c=connection; } else { if(community.empty()) throw FWException("No SNMP community specified"); if(hostname.empty()) throw FWException("No SNMP hostname specified"); c=new SNMPConnection(hostname, community); try { c->connect(retries, timeout); } catch(...) { // If program was stopped, show this, rather // than error. throw; } } CHECK_STOP_AND_THROW_EXCEPTION; vector v; try { // Get Indices and destinations multimap w=c->walk(SNMP_ROUTE_DST_TABLE); CHECK_STOP_AND_THROW_EXCEPTION; try { for(multimap::iterator j = w.begin(); j!=w.end(); ++j) { CHECK_STOP_AND_THROW_EXCEPTION; if((*j).second->type!=SNMPVariable::snmp_ipaddr) { str << "unexpected result type in '" << SNMP_ROUTE_DST_TABLE << "' table. Skipping it.\n"; *logger << str; continue; } InetAddr dst = dynamic_cast((*j).second)->getInetAddrValue(); string rname=(*j).first.substr(strlen(SNMP_ROUTE_DST_TABLE)+1); v=c->get(string(SNMP_ROUTE_NM_TABLE)+"."+rname); if(v[0]->type!=SNMPVariable::snmp_ipaddr) { str << "unexpected result type in '" << SNMP_ROUTE_NM_TABLE << "'table. Skipping it.\n"; *logger << str; SNMPVariable::freeVarList(v); continue; } InetAddr nm = dynamic_cast(v[0])->getNetmaskValue(); SNMPVariable::freeVarList(v); v=c->get(string(SNMP_ROUTE_TYPE_TABLE)+"."+rname); long type = SNMPVariable::varList2Int(v); SNMPVariable::freeVarList(v); v=c->get(string(SNMP_ROUTE_GW_TABLE)+"."+rname); if(v[0]->type!=SNMPVariable::snmp_ipaddr) { str << "unexpected result type in '" << SNMP_ROUTE_GW_TABLE << "'table. 
Skipping it.\n"; *logger << str; SNMPVariable::freeVarList(v); continue; } InetAddr gw = dynamic_cast(v[0])->getInetAddrValue(); SNMPVariable::freeVarList(v); v=c->get(string(SNMP_ROUTE_IF_TABLE)+"."+rname); int ifindex = SNMPVariable::varList2Int(v); SNMPVariable::freeVarList(v); map::iterator ici = interfaces.find(ifindex); InterfaceData route_intf; if(ici==interfaces.end()) { str << "Route references non-existing interface '" << ifindex << "' in '" << string(SNMP_ROUTE_IF_TABLE)+"."+rname << "' variable. Ignoring interface reference.\n"; *logger << str; route_intf.name = "(interface not found)"; } else { #ifdef SNMP_CRAWLER_DEBUG str << "Found interface # " << ifindex << " associated with the route: " << string(SNMP_ROUTE_IF_TABLE)+"."+rname << "\n"; *logger << str; #endif route_intf = ici->second; } bool isdef= type!=SNMP_DIRECT_ROUTE && nm.getLength() == 0 && dst == InetAddr("0.0.0.0"); if (isdef) route_intf.ext = true; IPRoute rt(dst, nm, gw, route_intf, type==SNMP_DIRECT_ROUTE); routes.push_back(rt); str << "route: " << rt.getDestination().toString() << "/" << rt.getNetmask().getLength() << " gw " << rt.getGateway().toString() << " " << rt.getInterface().name << string( (rt.getInterface().ext)?"(Ext)":"") << "\n"; *logger << str; } } catch(...) { for(multimap::iterator j = w.begin(); j!=w.end(); ++j) delete (*j).second; throw; } for(multimap::iterator j = w.begin(); j!=w.end(); ++j) delete (*j).second; w.clear(); } catch (FWException &ex) { SNMPVariable::freeVarList(v); if(!connection) delete c; // If program was stopped, show this, rather // than error. 
throw; } if(!connection) delete c; *logger << "Done fetching routing table\n"; } bool SNMPQuery::isDefault(const IPRoute &r) const { return !r.isDirect() && r.getNetmask().getLength() == 0 && r.getDestination() == InetAddr("0.0.0.0"); } void SNMPQuery::walkInterfaceIndexTable(Logger *logger, SNMPConnection *c, const char* oid, map > &addr) { std::ostringstream str; multimap w; w = c->walk(oid); CHECK_STOP_AND_THROW_EXCEPTION; for (multimap::iterator j = w.begin(); j!=w.end(); ++j) { CHECK_STOP_AND_THROW_EXCEPTION; if ((*j).second->type != SNMPVariable::snmp_int) { str << "unexpected result type in '" << oid << "' table. Skipping it.\n"; *logger << str; continue; } long ind = SNMPVariable::var2Int((*j).second); string iname = (*j).first.substr(strlen(oid)+1); /* * Example (two interfaces, first has two addresses): * * ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.10.3.14.201 = 1 * ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.192.168.100.100 = 1 * ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.222.22.22.222 = 2 * * at this point iname is watever text we get after * "ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex." 
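 * , ind is an index */
        addr[ind].push_back(iname);
        str << "interface #" << ind << ": " << iname << "\n";
        *logger << str;
    }
    for (multimap<string, SNMPVariable*>::iterator j = w.begin(); j!=w.end(); ++j)
    {
        delete (*j).second;
    }
    w.clear();
}

/**
 * Resolves one row of an address index table into an address/netmask
 * pair.  adentry is the OID index suffix collected by
 * walkInterfaceIndexTable(): four dotted octets for an ipAddrTable
 * (IPv4) row, sixteen dotted octets for an IP-MIB ipAddressTable
 * (IPv6) row.  On success *addr and *netmask receive newly allocated
 * objects owned by the caller; on failure nothing is assigned, nothing
 * allocated here is leaked, and FWException is thrown.
 */
void SNMPQuery::getAddressAndNetmask(Logger * /* UNUSED logger */,
                                     SNMPConnection *c,
                                     std::string adentry,
                                     InetAddr **addr,
                                     InetAddr **netmask)
{
    // Split the index on '.'.  std::getline copes with a component of
    // any length; the former 4-byte getline() buffer silently stopped
    // the split at the first component of four or more characters.
    list<string> components;
    istringstream iss(adentry);
    string item;
    while (getline(iss, item, '.'))
        components.push_back(item);

    vector<SNMPVariable*> v;
    InetAddr *ad = NULL;
    InetAddr *nm = NULL;
    try
    {
        if (components.size()==4)
        {
            // IPv4 address: netmask first, then the address itself.
            v = c->get(string(SNMP_NMASK_TABLE)+"."+adentry);
            if (v.size()!=1) throw FWException("Can't get netmask");
            if (v[0]->type!=SNMPVariable::snmp_ipaddr)
                throw FWException("Wrong return type for netmask");
            nm = new InetAddr(
                dynamic_cast<SNMPVariable_IPaddr*>(v[0])->getNetmaskValue().toString());
            SNMPVariable::freeVarList(v);

            v = c->get(string(SNMP_ADDR_TABLE)+"."+adentry);
            if(v.size()!=1) throw FWException("Can't get IP address");
            if(v[0]->type!=SNMPVariable::snmp_ipaddr)
                throw FWException("Wrong return type for IP address");
            ad = new InetAddr(
                dynamic_cast<SNMPVariable_IPaddr*>(v[0])->getInetAddrValue().toString());
            SNMPVariable::freeVarList(v);
        } else
        {
            // Everything that is not IPv4 is assumed to be IPv6.  The
            // octets are consumed in pairs below, so anything other than
            // the 16 octets of an IPv6 index (an odd count in particular)
            // used to walk the iterator past the end of the list.
            if (components.size()!=16)
                throw FWException("Unexpected address index '" + adentry + "'");

            string oid = string(SNMP_IP_MIB_RFC4293_V6_PREFIX) + "." + adentry;
            v = c->get(oid);
            if (v.size()!=1) throw FWException("Can't get prefix data");
            string pref = v[0]->toString();
            SNMPVariable::freeVarList(v);

            // response to this query has type OBJECT_ID. Corresponding
            // SNMPVariable class returns dot-separated string representation
            // (SNMPVariable_Bits)
            // We need to find the last octet, which is the prefix we need.
            pref = pref.substr(pref.rfind(".") + 1);
            int prefix_len = atoi(pref.c_str());
            // The agent's answer is not trusted blindly: an IPv6 prefix
            // length is 0..128.
            if (prefix_len < 0 || prefix_len > 128)
                throw FWException("Invalid IPv6 prefix length '" + pref + "'");
            nm = new InetAddr(AF_INET6, prefix_len);

            // Build the ':'-separated hex form from the octet pairs.  Each
            // 16-bit group is hi*256+lo; the previous code printed hi and
            // lo as two separate hex numbers, so (0x12,0x03) came out as
            // "123" instead of "1203".
            ostringstream str_addr;
            for (list<string>::const_iterator i=components.begin(); i!=components.end(); )
            {
                int hi = atoi(i->c_str());
                ++i;
                int lo = atoi(i->c_str());
                ++i;
                if (hi < 0 || hi > 255 || lo < 0 || lo > 255)
                    throw FWException("Invalid octet in address index '" + adentry + "'");
                if (!str_addr.str().empty()) str_addr << ":";
                str_addr << hex << ((hi << 8) | lo);
            }
            ad = new InetAddr(AF_INET6, str_addr.str());
        }
    }
    catch (...)
    {
        // freeVarList() clears v, so calling it on an already released
        // list is harmless; nm may be set while ad is not.
        SNMPVariable::freeVarList(v);
        delete ad;
        delete nm;
        throw;
    }
    *addr = ad;
    *netmask = nm;
}

/**
 * Collects every administratively enabled interface of the agent, with
 * its addresses, into the interfaces map keyed by ifIndex.  connection
 * may be NULL, in which case a temporary connection is opened from the
 * configured hostname/community and closed before returning.
 */
void SNMPQuery::fetchInterfaces(Logger *logger,
                                SyncFlag *stop_program,
                                SNMPConnection *connection) throw(FWException)
{
    std::ostringstream str;
    interfaces.clear();

    SNMPConnection *c;
    if(connection)
    {
        c=connection;
    } else
    {
        if(community.empty()) throw FWException("No SNMP community specified");
        if(hostname.empty()) throw FWException("No SNMP hostname specified");
        c=new SNMPConnection(hostname, community);
        try
        {
            c->connect(retries, timeout);
        } catch(...)
        {
            // connect() failed: c is ours and the cleanup further down
            // only runs once the main try block has been entered.
            delete c;
            // If program was stopped, show this, rather
            // than error.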
throw; } } CHECK_STOP_AND_THROW_EXCEPTION; multimap w; vector v; try { map > addr; *logger << "Getting IPv4 addresses."; walkInterfaceIndexTable(logger, c, SNMP_ADDR_INDEX_TABLE, addr); *logger << "Getting IPv6 addresses using IP-MIB RFC4293.\n"; *logger << "This MIB is only supported by latest versions of net-snmp\n"; walkInterfaceIndexTable(logger, c, SNMP_IP_MIB_RFC4293_V6_INDEX, addr); // **************************************************************** *logger << "Collecting full interfaces info\n"; w = c->walk(SNMP_INTERFACE_INDEX); CHECK_STOP_AND_THROW_EXCEPTION; str << w.size() << " interfaces found\n"; *logger << str; for (multimap::iterator j = w.begin(); j!=w.end(); ++j) { CHECK_STOP_AND_THROW_EXCEPTION; // Get index long ifindex = SNMPVariable::var2Int((*j).second); char oid[1024]; // Get admin status snprintf(oid, sizeof(oid), SNMP_INTERFACE_ASTATUS ".%ld", ifindex); v=c->get(oid); if(v.size()!=1) throw FWException( string("Unexpected response length for OID: ") + oid); int astatus = SNMPVariable::varList2Int(v); SNMPVariable::freeVarList(v); if (!astatus) { str << "Interface #" << ifindex << " disabled by admin - skipping.\n"; *logger << str; continue; } // Get operational status snprintf(oid, sizeof(oid), SNMP_INTERFACE_OSTATUS ".%ld", ifindex); v=c->get(oid); if(v.size()!=1) throw FWException( string("Unexpected response length for OID: ") + oid); int ostatus = SNMPVariable::varList2Int(v); SNMPVariable::freeVarList(v); /* gather all information for interface ifindex and create Interface object */ // Get desriptions snprintf(oid, sizeof(oid), SNMP_INTERFACES_DESCR ".%ld", ifindex); v=c->get(oid); string descr = SNMPVariable::varList2String(v); SNMPVariable::freeVarList(v); list &addlist = addr[ifindex]; // Get physical address snprintf(oid, sizeof(oid), SNMP_INTERFACES_PHYSA ".%ld", ifindex); v=c->get(oid); if(v.size()!=1) throw FWException(string("Unexpected response length for OID: ")+oid); if(v[0]->type!=SNMPVariable::snmp_string) throw 
FWException(string("Unexpected response type for: ")+oid); string physa = dynamic_cast(v[0])->toHexString(); SNMPVariable::freeVarList(v); // Get type snprintf(oid, sizeof(oid), SNMP_INTERFACES_TYPE ".%ld", ifindex); v=c->get(oid); if(v.size()!=1) throw FWException(string("Unexpected response length for OID: ")+oid); int itype = SNMPVariable::varList2Int(v); SNMPVariable::freeVarList(v); InterfaceData idata; idata.name = descr; idata.snmp_type = itype; idata.ext = false; idata.ostatus = ostatus; //snmp_tmp_db->add( &interfaces[ifindex] ); if (physa!="") idata.mac_addr = physa; str << "Adding interface #" << ifindex << " " << idata.name << " MAC: " << idata.mac_addr << endl; *logger << str; if (addlist.empty()) { str << " no IP addresses." << endl; *logger << str; } for (list::iterator ali = addlist.begin(); ali!=addlist.end(); ali++) { CHECK_STOP_AND_THROW_EXCEPTION; InetAddr *ad = NULL; InetAddr *nm = NULL; getAddressAndNetmask(logger, c, *ali, &ad, &nm); InetAddrMask *iam = NULL; if (ad->isV6()) iam = new Inet6AddrMask(); else iam = new InetAddrMask(); iam->setAddress(*ad); iam->setNetmask(*nm); idata.addr_mask.push_back(iam); str << " " << descr << " IP address" << " " << iam->toString() << "\n"; *logger << str; if (ad) delete ad; if (nm) delete nm; } interfaces[ifindex] = idata; } // index walk. for (multimap::iterator j = w.begin(); j!=w.end(); ++j) { delete (*j).second; } w.clear(); } catch (FWException &ex) { SNMPVariable::freeVarList(v); for (multimap::iterator j = w.begin(); j!=w.end(); ++j) { delete (*j).second; } w.clear(); if (!connection) delete c; // If program was stopped, show this, rather // than error. 
throw; } if (!connection) delete c; *logger << "Done fetching interfaces\n"; } void SNMPQuery::fetchSysInfo(Logger *logger, SyncFlag *stop_program, SNMPConnection *connection) throw(FWException) { std::ostringstream str; descr = ""; contact = ""; location = ""; sysname = ""; SNMPConnection *c; if(connection) { c=connection; } else { if(community.empty()) { throw FWException("No SNMP community specified"); } if(hostname.empty()) { throw FWException("No SNMP hostname specified"); } c=new SNMPConnection(hostname, community); try { c->connect(retries, timeout); } catch(...) { // If program was stopped, show this, rather // than error. throw; } } try { vector v; *logger << "Getting System name\n"; v=c->get(SNMP_SYSNAME); sysname = SNMPVariable::varList2String(v); SNMPVariable::freeVarList(v); CHECK_STOP_AND_THROW_EXCEPTION; *logger << "Getting Description\n"; v=c->get(SNMP_SYSDESCR); descr = SNMPVariable::varList2String(v); SNMPVariable::freeVarList(v); CHECK_STOP_AND_THROW_EXCEPTION; *logger << "Getting Location\n"; v=c->get(SNMP_LOCATION); location = SNMPVariable::varList2String(v); SNMPVariable::freeVarList(v); CHECK_STOP_AND_THROW_EXCEPTION; *logger << "Getting Contact Info\n"; v=c->get(SNMP_CONTACT); contact = SNMPVariable::varList2String(v); SNMPVariable::freeVarList(v); CHECK_STOP_AND_THROW_EXCEPTION; } catch(...) { if(!connection) delete c; // If program was stopped, show this, rather // than error. 
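            throw;
        }
    }
    if(!connection) delete c;
    *logger << "Done fetching sysinfo\n";
}

/* Accessors return pointers into this object; they stay valid only as
 * long as the SNMPQuery does and until the next fetch*() call. */
vector<IPRoute>* SNMPQuery::getRoutes()
{
    return &routes;
}

map<InetAddr, string>* SNMPQuery::getArpTable()
{
    return &arptable;
}

map<int, InterfaceData>* SNMPQuery::getInterfaces()
{
    return &interfaces;
}

const string& SNMPQuery::getSysname()
{
    return sysname;
}

const string& SNMPQuery::getDescr()
{
    return descr;
}

const string& SNMPQuery::getContact()
{
    return contact;
}

const string& SNMPQuery::getLocation()
{
    return location;
}

// -----------------------------------------------

bool SNMPConnection::lib_initialized = false;

/*
 * Release the session template allocated by connect().  The strings in
 * it come from cxx_strdup() and are released the way the original
 * disconnect() did.  NOTE(review): cxx_strdup() is not visible here --
 * if it allocates with new[] (or malloc) these must be delete[] (free).
 */
static void release_session_data(struct snmp_session *sd)
{
    if (sd == NULL) return;
    delete sd->peername;
    delete sd->community;
    delete sd;
}

/*
 * Release every SNMPVariable held in a map produced by walk().  Callers
 * that consume a walk result do this themselves; walk() uses it only
 * when it abandons a half-built result.
 */
static void free_variable_map(multimap<string, SNMPVariable*> &vars)
{
    for (multimap<string, SNMPVariable*>::iterator i = vars.begin(); i != vars.end(); ++i)
        delete i->second;
    vars.clear();
}

/* Library initialisation is done once per process, guarded by a plain
 * static flag (no locking). */
SNMPConnection::SNMPConnection(const string &p, const string &c)
{
    connected = false;
    session_data = NULL;
    peer = p;
    community = c;
    if(!lib_initialized)
    {
        init_snmp("fwbuilder");
        lib_initialized = true;
    }
}

SNMPConnection::~SNMPConnection()
{
    if(connected) disconnect();
}

/**
 * Opens the SNMP session to peer.  Throws FWException if already
 * connected or if the session can not be opened; in the latter case
 * the session template is released again.
 */
void SNMPConnection::connect(int retries, long timeout) throw(FWException)
{
    if(connected) throw FWException("SNMPSession: already connected");

    session_data = new struct snmp_session;
    snmp_sess_init( session_data );
    // SNMPv1 only: the community string is the sole credential and is
    // sent in cleartext with every PDU.  Moving to v2c/v3 changes what
    // agents this code can talk to, so it is a policy decision for the
    // caller rather than something to change here.
    session_data->version = SNMP_VERSION_1;
    session_data->peername = cxx_strdup(peer.c_str());
    session_data->community = (unsigned char *)cxx_strdup(community.c_str());
    session_data->community_len = community.length();
    session_data->retries = retries;
    session_data->timeout = timeout;

    session = snmp_open(session_data);
    if(!session)
    {
        // Nothing else owns session_data and the destructor only
        // releases it when connected is true.
        release_session_data(session_data);
        session_data = NULL;
        throw FWException("SNMPSession: error while establishing connection.");
    }
    connected=true;
}

void SNMPConnection::disconnect() throw(FWException)
{
    if(!connected) throw FWException("SNMPSession: already disconnected");
    snmp_close(session);
    release_session_data(session_data);
    session_data = NULL;
    connected = false;
}

/**
 * GETNEXT walk of the subtree rooted at variable.  Returns the
 * instances found, keyed by their numeric OID string; the caller owns
 * the SNMPVariable objects.  Throws FWException when not connected,
 * when the OID does not parse, or on a transport/protocol error, in
 * which case nothing allocated here survives.
 */
multimap<string, SNMPVariable*> SNMPConnection::walk(const string &variable) throw(FWException)
{
    if(!connected) throw FWException("SNMPSession: not connected");

    oid root[MAX_OID_LEN];
    size_t rootlen = MAX_OID_LEN;
    // read_objid() returns 0 on failure and leaves root/rootlen
    // unusable, so its result can not be ignored.
    if (!read_objid(variable.c_str(), root, &rootlen))
        throw FWException("SNMPSession: can not parse OID " + variable);

    /* get first object to start walk */
    oid name[MAX_OID_LEN];
    size_t name_length = rootlen;
    memmove(name, root, rootlen * sizeof(oid));

    multimap<string, SNMPVariable*> res;
    bool running = true;
    while (running)
    {
        /* create PDU for GETNEXT request and add object name to request */
        struct snmp_pdu *pdu = snmp_pdu_create(SNMP_MSG_GETNEXT);
        snmp_add_null_var(pdu, name, name_length);

        // snmp_synch_response() consumes pdu; response is ours to free on
        // every path, including the success path which used to leak it
        // once per GETNEXT.
        struct snmp_pdu *response = NULL;
        int status = snmp_synch_response(session, pdu, &response);

        string error;
        if (status == STAT_SUCCESS)
        {
            if (response->errstat == SNMP_ERR_NOERROR)
            {
                try
                {
                    for (struct variable_list *vars = response->variables;
                         vars; vars = vars->next_variable)
                    {
                        if ((vars->name_length < rootlen) ||
                            (memcmp(root, vars->name, rootlen * sizeof(oid)) != 0))
                        {
                            /* not part of this subtree */
                            running = false;
                            continue;
                        }
                        if ((vars->type == SNMP_ENDOFMIBVIEW) ||
                            (vars->type == SNMP_NOSUCHOBJECT) ||
                            (vars->type == SNMP_NOSUCHINSTANCE))
                        {
                            /* an exception value, so stop.  Checked before
                             * create(), which has no case for these types
                             * and would throw. */
                            running = false;
                            continue;
                        }

                        char n[MAX_NAME_LEN];
#ifdef HAVE_SNPRINT_OBJID
                        snprint_objid (n, sizeof(n), vars->name, vars->name_length);
#else
                        /* no length argument: relies on MAX_NAME_LEN being enough */
                        sprint_objid (n, vars->name, vars->name_length);
#endif
                        res.insert(make_pair(string(n), SNMPVariable::create(vars)));

                        memmove((char *)name, (char *)vars->name,
                                vars->name_length * sizeof(oid));
                        name_length = vars->name_length;
                    }
                }
                catch (...)
                {
                    snmp_free_pdu(response);
                    free_variable_map(res);
                    throw;
                }
            }
            else if (response->errstat == SNMP_ERR_NOSUCHNAME)
            {
                // SNMPv1 agents answer noSuchName when GETNEXT runs off the
                // end of the MIB; reported as an error, as before.
                error = "SNMPSession: error: End of MIB";
            }
            else
            {
                error = string("SNMPSession: SNMP error: ") + snmp_errstring(response->errstat);
            }
        }
        else if (response != NULL)
        {
            error = string("SNMPSession: SNMP error: '") +
                string(snmp_errstring(response->errstat)) + "'";
        }
        else
        {
            // STAT_TIMEOUT / STAT_ERROR without a response PDU
            std::ostringstream str;
            str << "SNMPSession: SNMP error, status ";
            str << status;
            int liberr, syserr;
            char *errstr = NULL;
            snmp_error(session, &liberr, &syserr, &errstr);
            if (errstr)
            {
                str << " " << errstr;
                free(errstr);   // net-snmp strdup()s the message for the caller
            }
            error = str.str();
        }

        if (response) snmp_free_pdu(response);
        if (!error.empty())
        {
            free_variable_map(res);
            throw FWException(error);
        }
    }
    return res;
}

/**
 * GET of a single OID.  Returns the variable bindings of the response
 * (the caller owns them); throws FWException when not connected, when
 * the OID does not parse, or on any transport/protocol error.
 */
vector<SNMPVariable*> SNMPConnection::get(const string &variable) throw(FWException)
{
    if(!connected) throw FWException("SNMPSession: not connected");

    oid anOID[MAX_OID_LEN];
    size_t anOID_len = MAX_OID_LEN;
    // Parse before allocating the PDU so a bad OID leaks nothing.
    if (!read_objid(variable.c_str(), anOID, &anOID_len))
        throw FWException("SNMPSession: can not parse OID " + variable);

    struct snmp_pdu *pdu = snmp_pdu_create(SNMP_MSG_GET);
    snmp_add_null_var(pdu, anOID, anOID_len);

    struct snmp_pdu *response = NULL;
    int status = snmp_synch_response(session, pdu, &response);
    if (status != STAT_SUCCESS || response->errstat != SNMP_ERR_NOERROR)
    {
        if (response) snmp_free_pdu(response);
        throw FWException("SNMPSession: Error getting variable "+ variable);
    }

    vector<SNMPVariable*> res;
    try
    {
        for (struct variable_list *vars = response->variables;
             vars; vars = vars->next_variable)
            res.push_back(SNMPVariable::create(vars));
    }
    catch (const FWException &ex)
    {
        SNMPVariable::freeVarList(res);
        snmp_free_pdu(response);   // was leaked on this path
        throw;
    }
    snmp_free_pdu(response);
    return res;
}

/**
 * Wraps one variable binding in the matching SNMPVariable subclass.
 * Throws FWException for any ASN type without a case below (including
 * the SNMPv2 exception types, which callers must filter out first).
 */
SNMPVariable *SNMPVariable::create(struct variable_list *vars) throw(FWException)
{
    switch(vars->type)
    {
    case ASN_INTEGER:
        return new SNMPVariable_Int(*vars->val.integer);
    case ASN_OCTET_STR:
        return new SNMPVariable_String(vars->val.string, vars->val_len);
    case ASN_BIT_STR:
        return new SNMPVariable_Bits(vars->val.bitstring, vars->val_len);
    case ASN_APP_COUNTER64:
        return new SNMPVariable_Counter64(vars->val.counter64);
    case ASN_OBJECT_ID:
        // NOTE(review): the OID's sub-identifier array is exposed as raw
        // bytes; getAddressAndNetmask() parses the last "octet" of the
        // resulting string as an IPv6 prefix length, which is only right
        // if SNMPVariable_Bits::toString() renders it per sub-identifier
        // -- confirm against that class.
        return new SNMPVariable_Bits(vars->val.bitstring, vars->val_len);
    case ASN_IPADDRESS:
        return new SNMPVariable_IPaddr(vars->val.string, vars->val_len);
    default:
        char x[32];
        snprintf(x, sizeof(x), "%d", (int)vars->type);
        throw FWException(string("Unknown SNMP variable type: ") + x);
    }
}

string SNMPVariable_Int::toString()
{
    char x[32];
    snprintf(x, sizeof(x),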
"%ld", value); return x; } string SNMPVariable_Bits::toString() { string res; for (unsigned int i=0; i &v) { vector::iterator j; for(j=v.begin(); j!=v.end(); ++j) delete (*j); v.clear(); } string SNMPVariable::varList2String(vector &v) { string res; vector::iterator j; for(j=v.begin(); j!=v.end(); ++j) res+=(*j)->toString(); return res; } long SNMPVariable::var2Int(SNMPVariable *var) throw(FWException) { if(var->type != SNMPVariable::snmp_int) throw FWException("Could not extract integer from non-int SNMP variable."); return dynamic_cast(var)->getIntValue(); } long SNMPVariable::varList2Int(vector &v) throw(FWException) { if(v.size()!=1) throw FWException("Empty SNMP variable list returned. Could not extract integer"); return SNMPVariable::var2Int(v[0]); } SNMPCrawler::SNMPCrawler() {} SNMPCrawler::SNMPCrawler(const InetAddr &_seed, const string &_community, bool _recursive, bool _do_dns, bool _follow_ptp, unsigned int _dns_threads, int _snmp_retries, long _snmp_timeout, int _dns_retries, int _dns_timeout, const vector *_limit_to_networks) { init(_seed, _community, _recursive, _do_dns, _follow_ptp, _dns_threads, _snmp_retries, _snmp_timeout, _dns_retries, _dns_timeout, _limit_to_networks); } SNMPCrawler::~SNMPCrawler() { } void SNMPCrawler::init(const InetAddr &_seed, const string &_community, bool _recursive, bool _do_dns, bool _follow_ptp, unsigned int _dns_threads, int _snmp_retries, long _snmp_timeout, int _dns_retries, int _dns_timeout, const vector *_limit_to_networks) { limit_to_networks = _limit_to_networks; community = _community; snmp_retries = _snmp_retries; snmp_timeout = _snmp_timeout; recursive = _recursive; do_dns = _do_dns; follow_ptp = _follow_ptp; dns_threads = _dns_threads; dns_retries = _dns_retries; dns_timeout = _dns_timeout; queue.clear(); found.clear(); networks.clear(); queue[_seed]=""; } /** * This method attempts to guess what interface might be associated * with given route. It could be more than one. 
*/
list SNMPCrawler::guessInterface( const IPRoute &r, const map &intf) const
{
    // Candidate interfaces for route r: every interface that has at least
    // one address/mask pair the route's gateway falls into. Several
    // interfaces can match, so the result is a list rather than one entry.
    list res;
    map::const_iterator i;
    for(i=intf.begin(); i!=intf.end(); ++i)
    {
        for (list::const_iterator j=i->second.addr_mask.begin();
             j!=i->second.addr_mask.end(); ++j)
        {
            if ((*j)->belongs(r.getGateway()))
            {
                // one matching address is enough; never add the same
                // interface twice
                res.push_back((*i).second);
                break;
            }
        }
    }
    return res;
}

// Scope check for a discovered address: true when the crawler is allowed
// to queue or record address a.
bool SNMPCrawler::included(const InetAddr &a) const
{
    if (!limit_to_networks) return true; // no include list provided. All hosts are OK.
    // currently we allow the user to specify only ipv4 in the include list
    // NOTE(review): as a consequence the include list never restricts IPv6:
    // an IPv6 address learned from a remote agent is always "included" and,
    // in recursive mode, will be probed even when it lies outside every
    // network the user listed.
    if (a.isV6()) return true;
    for (vector::const_iterator i=limit_to_networks->begin();
         i!=limit_to_networks->end(); ++i)
    {
        if ((*i).belongs(a)) return true;
    }
    return false;
}

// True when address a is already present in the results map.
bool SNMPCrawler::alreadyseen(const InetAddr &a) const
{
    return found.find(a) != found.end();
}

/**
 * loopback : All addresses on the net 127.0.0.0/255.0.0.0
 */
const InetAddrMask SNMPCrawler::LOOPBACK_NET(
    InetAddr::getLoopbackAddr(), InetAddr("255.0.0.0"));

// IPv6 loopback; InetAddr(AF_INET6, 128) is presumably the /128 mask,
// i.e. the single address ::1 -- confirm against the InetAddr constructor.
const InetAddrMask SNMPCrawler::IPV6_LOOPBACK_NET(
    InetAddr::getLoopbackAddr(AF_INET6), InetAddr(AF_INET6, 128));

// All-ones netmask: a network carrying this mask is treated as a
// point-to-point link.
const InetAddr SNMPCrawler::PTP_NETMASK(InetAddr::getAllOnes());

// A network is point-to-point when its mask is all ones or when the
// interface it belongs to has a point-to-point SNMP interface type.
bool SNMPCrawler::point2point(const InetAddrMask &n, const InterfaceData& intf) const
{
    return *(n.getNetmaskPtr())==PTP_NETMASK || point2point(intf);
}

// Looks the interface's SNMP ifType up in PTP_INTERFACE_TYPES.
// NOTE(review): the early "return false" once a table entry exceeds itype
// is only correct if PTP_INTERFACE_TYPES is sorted in ascending order; the
// table is defined elsewhere, so keep it sorted when adding entries.
bool SNMPCrawler::point2point(const InterfaceData& intf) const
{
    int itype = intf.snmp_type;
    for(unsigned int i=0;i<(sizeof(PTP_INTERFACE_TYPES)/sizeof(int));i++)
    {
        if(PTP_INTERFACE_TYPES[i]==itype) return true;
        else if(PTP_INTERFACE_TYPES[i]>itype) return false;
    }
    return false;
}

/**
 * Check if the address is one which we are ignoring.
 * This includes hosts on loopback and special addresses
 * such as "0.0.0.0".
*/ bool SNMPCrawler::special(const InetAddr &a) const { if (a.isAny()) return true; if (a.isV4()) return LOOPBACK_NET.belongs(a); if (a.isV6()) return IPV6_LOOPBACK_NET.belongs(a); return false; } bool SNMPCrawler::special(const InetAddrMask &n) const { return n==LOOPBACK_NET || n==IPV6_LOOPBACK_NET || n.getAddressPtr()->isBroadcast() || n.getAddressPtr()->isMulticast() || n.getAddressPtr()->isAny(); } //TODO: multiple threads (via pool). void SNMPCrawler::run_impl(Logger *logger, SyncFlag *stop_program) throw(FWException) { if (snmp_tmp_db==NULL) snmp_tmp_db = new FWObjectDatabase(); std::ostringstream str; time_t now=time(NULL); str << "SNMPCrawler started at " << asctime(localtime(&now)) << ". Seed host: " << (*(queue.begin())).first.toString() << "\n"; *logger << str; snmp_tmp_db->destroyChildren(); SNMP_discover_query q; do { CHECK_STOP_AND_RETURN; map::iterator i=queue.begin(); if(i==queue.end()) { break; } InetAddr task = (*i).first; string task_phys_address = (*i).second; queue.erase(i); str << "\nProcessing " << task.toString() << "\n"; *logger << str; // Now in task we have element to probe q.init(task.toString(), // fake host - IP in dotted notation community, snmp_retries, snmp_timeout ); CrawlerFind *res = new CrawlerFind(); found[task] = *res; delete res; found[task].found_phys_addr = task_phys_address; try { q.fetchArpTable(logger,stop_program); found[task].have_snmpd = true; } catch(const FWException &ex) { // fetch failed str << ex.toString() << "\n"; str << "Failed to fetch ARP table from " << task.toString(); if (!ex.toString().empty()) str << " : " << ex.toString(); str << "\n"; *logger << str; continue; } catch (std::string s) { str << s << "\n"; str << "Failed to fetch ARP table from " << task.toString(); str << " : " << s; str << "\n"; *logger << str; continue; } map* at = q.getArpTable(); str << "Got " << long(at->size()) << " entries\n"; *logger << str; int qplus=0, rplus=0, dplus=0; for(map::iterator j=at->begin();j!=at->end();++j) { 
CHECK_STOP_AND_RETURN; InetAddr c = (*j).first; string pa = (*j).second; if (included(c) && !alreadyseen(c) && !special(c)) { if(recursive) { qplus++; queue[c]=pa; } else { rplus++; found[c]=CrawlerFind(); found[c].found_phys_addr=pa; } } else dplus++; } if (qplus) { str << "Adding " << qplus << " hosts to queue\n"; *logger << str; } if (rplus) { str << "Adding " << rplus << " hosts to results\n"; *logger << str; } if (dplus) { str << "Skipping " << dplus << " hosts as duplicate, excluded or virtual\n"; *logger << str; } set interface_broadcasts; try { q.fetchInterfaces(logger,stop_program); found[task].have_snmpd = true; //cerr << "Copying list of interfaces" << endl; //map intf = q.getInterfaces(); //cerr << "Done" << endl; map* intf = q.getInterfaces(); map::iterator j; for (j=intf->begin(); j!=intf->end(); ++j) { // If interface is down or does not have ip address, it // will be ignored. if (!j->second.ostatus) continue; if (j->second.addr_mask.size()==0) continue; list::iterator n; for (n=j->second.addr_mask.begin(); n!=j->second.addr_mask.end(); ++n) { InetAddrMask *net = *n; const InetAddr *addr = net->getAddressPtr(); const InetAddr *netm = net->getNetmaskPtr(); (void)netm; //UNUSED if (addr==NULL) continue; //InetAddrMask net(*addr, *netm); interface_broadcasts.insert( *(net->getBroadcastAddressPtr())); if (!special(*net) && included(*(net->getAddressPtr())) && !point2point(*net, j->second)) { str << "Network " << net->toString() << "\n"; *logger << str; // NOTE: net is a pointer to InetAddrMask object // created in fetchInterfaces when we filled // map interfaces with InterfaceData objects. // This object is destroyed when all InterfaceData // objects are destroyed. Create a copy. 
networks.insert(*net); } } } } catch(FWException &ex) { // fetch failed str << ex.toString() << "\n"; str << "Failed to fetch list of interfaces from " << task.toString() << "\n"; *logger << str; } try { q.fetchSysInfo(logger,stop_program); found[task].have_snmpd = true; found[task].sysname = q.getSysname (); found[task].descr = q.getDescr (); found[task].contact = q.getContact (); found[task].location = q.getLocation (); } catch (const FWException &ex) { // fetch failed str << ex.toString() << "\n"; str << "Failed to fetch sysinfo from " << task.toString() << "\n"; *logger << str; } try { q.fetchRoutingTable(logger,stop_program); found[task].have_snmpd = true; vector* routes = q.getRoutes(); qplus=0; rplus=0; dplus=0; int nplus=0; for (vector::iterator j=routes->begin(); j!=routes->end(); ++j) { InterfaceData intf; bool have_intf; const InterfaceData& real_i = j->getInterface(); intf = real_i; have_intf = !intf.name.empty(); InetAddrMask net(j->getDestination(), j->getNetmask()); if (!have_intf) { // No interface reported for this route by SNMP // we can try to guess it by route information. // Since interface is used. list gi = guessInterface(*j, *(q.getInterfaces())); // From all resulting interfaces we select one // using following rules: // // 1. If all interfaces are down we select any of them // since this route will be ignored because of it. // // 2. From interfaces which are UP, we select first one // with Point-to-Point attribute enabled. // list::const_iterator k; for(k=gi.begin(); k!=gi.end(); ++k) { if(!have_intf) { // first interface ever found intf=*k; have_intf = true; } else { if ((*k).ostatus) { // Candidate is up // Store it. intf = *k; have_intf = true; } else { // Candidate is down. // We take it into account only // if everything found so far is down. 
if (!intf.ostatus) intf = *k; } } if(have_intf && intf.ostatus && point2point(intf)) break; } if (have_intf) str << "Guessed that network " << net.toString() << " is using interface " << intf.name << "\n"; *logger << str; } // If route is associated with an interface which is down, // ignore it. if (have_intf && !intf.ostatus) { str << "Skipping route for network " << net.toString() << " which is associated with interface which is" << " currently down."; *logger << str; continue; } if (!special(net) && included(*(net.getAddressPtr())) ) { if (point2point(net, intf)) { const InetAddr *c = net.getAddressPtr(); // For all addresses found in the routing table // we must check if they are broadcast addresses // for some of our interfaces, and if yes, ignore them. // (see task #36520). if (included(*c) && !alreadyseen(*c) && !special(*c) && !interface_broadcasts.count(*c)) { if(recursive && follow_ptp) { qplus++; queue[*c]=""; } else { rplus++; found[*c] = CrawlerFind(); } } else { dplus++; } } else { str << "Network " << net.toString() << " found (via " << string(((*j).isDirect())?"direct":"indirect") << " route).\n"; *logger << str; networks.insert( InetAddrMask(j->getDestination(), j->getNetmask())); nplus++; } } InetAddr gw((*j).getGateway()); if (included(gw) && !alreadyseen(gw) && !special(gw) && !interface_broadcasts.count(gw)) { bool isptp=point2point(net, intf); if(recursive && (!isptp || (isptp && follow_ptp))) { qplus++; queue[gw]=""; } else { rplus++; found[gw]=CrawlerFind(); } } } if (qplus) { str << "Adding " << qplus << " hosts to queue\n"; *logger << str; } if (nplus) { str << "Adding " << nplus << " networks to results\n"; *logger << str; } if (rplus) { str << "Adding " << rplus << " hosts to results\n"; *logger << str; } if (dplus) { str << "Skipping " << dplus << " hosts as duplicate, excluded or virtual\n"; *logger << str; } } catch(const FWException &ex) { // fetch failed str << ex.toString() << "\n"; str << "Failed to fetch routing table from " << 
task.toString() << "\n"; *logger << str; } catch (...) { *logger << "Unsupported exception\n"; } // We add interfaces _after_ fetching routing table, // since it's updates 'ext' attribute based on rounting // table. found[task].interfaces = *(q.getInterfaces()); } while(recursive); if(do_dns) bacresolve_results(logger,stop_program); snmp_tmp_db->clear(); // at this point all children have been destroyed anyway now=time(NULL); str << "SNMPCrawler - done at " << asctime(localtime(&now)) << "\n"; *logger << str; } void SNMPCrawler::bacresolve_results(Logger *logger, SyncFlag *) throw(FWException) { *logger << "Resolving names\n"; set resolv_set; for (map::iterator j=found.begin(); j!=found.end(); ++j) { HostEnt he = DNS::getHostByAddr((*j).first); found[(*j).first].dns_ok = true; found[(*j).first].name = he.name; found[(*j).first].aliases = he.aliases; *logger << ((*j).first).toString() << " : " << he.name << "\n"; } *logger << "Finished.\n"; } set SNMPCrawler::getNetworks() { return networks; } map SNMPCrawler::getAllIPs() { return found; } CrawlerFind::CrawlerFind() { have_snmpd = false; dns_ok = false; } CrawlerFind::~CrawlerFind() { } void SNMP_interface_query::run_impl(Logger *logger, SyncFlag *stop_program) throw(FWException) { fetchSysInfo(logger, stop_program); CHECK_STOP_AND_THROW_EXCEPTION; fetchInterfaces(logger, stop_program); #if 0 // See #2084 this takes forever on decides with large routing // tables. Also it is unclear if routing table data is really // used to determine external interface. Besides, we only have // concept of external/internale on platforms that support // security levels (PIX) and there we guess levels by matching // addresses against RFC1918 and let the user user set levels // manually anyway. // We try to fetch routing table, to find // which interface is "external". // We do not fail if this query does not succeed. 
try { fetchRoutingTable(logger, stop_program); } catch(FWException &ex) { *logger << "Error fetching routing table, external interface will not be detected.\n"; } #endif } void SNMP_sysdesc_query::run_impl(Logger *logger,SyncFlag *stop_program) throw(FWException) { fetchSysInfo(logger,stop_program); } void SNMP_discover_query::run_impl(Logger *logger,SyncFlag *stop_program) throw(FWException) { fetchArpTable(logger,stop_program); if(fetch_inerfaces) fetchInterfaces(logger,stop_program); } #undef SNMP_CRAWLER_DEBUG #else #ifndef _WIN32 # warning ucd-snmp library not found - SNMP functionality will be disabled. #endif #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/snmp.h000066400000000000000000000337311303637203600226640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2001 NetCitadel, LLC Author: Vadim Zaliva lord@crocodile.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SNMP_HH_FLAG__ #define __SNMP_HH_FLAG__ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #ifdef HAVE_LIBSNMP #include #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "fwbuilder/BackgroundOp.h" #include "fwbuilder/FWException.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/InterfaceData.h" #include "fwbuilder/IPRoute.h" #include "fwbuilder/dns.h" #ifdef UCD_SNMP #include #include #include #endif #ifdef NET_SNMP #include #include #endif namespace libfwbuilder { class SNMPConnection; class SNMPVariable { friend class SNMPConnection; public: virtual ~SNMPVariable() {} enum { snmp_int = ASN_INTEGER, snmp_string = ASN_OCTET_STR, snmp_bits = ASN_BIT_STR, snmp_counter64 = ASN_APP_COUNTER64, snmp_oid = ASN_OBJECT_ID, snmp_ipaddr = ASN_IPADDRESS } type; /** * Returns std::string representation of this variable */ virtual std::string toString() = 0; static std::string varList2String(std::vector &v); static long varList2Int(std::vector &v) throw(FWException); static long var2Int(SNMPVariable *var) throw(FWException); static void freeVarList(std::vector &v); protected: static SNMPVariable *create(struct variable_list *v) throw(FWException); }; class SNMPVariable_Int : public SNMPVariable { friend class SNMPVariable; public: virtual std::string toString(); long getIntValue() { return value; } protected: SNMPVariable_Int(long v) { type=snmp_int; value=v; } long value; }; class SNMPVariable_Bits : public SNMPVariable { friend class SNMPVariable; public: virtual ~SNMPVariable_Bits() { delete value; } virtual std::string toString(); protected: SNMPVariable_Bits(u_char *v, size_t l) { type = snmp_bits; if (v) { len=l; value = (uint32_t*)(new unsigned char[len]); memcpy((void*)value, v, len); } else { value = NULL ; len = 0 ; } } const uint32_t *value; size_t len; }; /** * 
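Unfortunately SNMP does not distinguish Netmask and InetAddr
 * types. On our framework they are different, and thus
 * we have to do late type conversion.
 * (lord)
 */
class SNMPVariable_IPaddr : public SNMPVariable
{
    friend class SNMPVariable;

    public:

    // Releases the byte buffer copied in the constructor. Pairs with the
    // new[] there; the base class destructor is virtual, so deleting
    // through an SNMPVariable* (as freeVarList does) reaches this.
    // The implicit copy constructor is still present: copying an instance
    // would make two objects own the same buffer.
    virtual ~SNMPVariable_IPaddr() { delete[] value; }

    virtual std::string toString();
    virtual InetAddr getInetAddrValue() throw(FWException);
    virtual InetAddr getNetmaskValue() throw(FWException);

    protected:

    // v/l: raw bytes of an ASN_IPADDRESS value as handed over by the SNMP
    // library. The bytes are copied; the caller keeps ownership of v.
    // Throws FWException when the library supplied no data at all.
    SNMPVariable_IPaddr(u_char *v, size_t l) throw(FWException)
    {
        type = snmp_ipaddr;
        if(v)
        {
            len=l;
            value=new unsigned char[len];
            memcpy((void*)value, v, len);
        } else
        {
            throw FWException("Invalid data for snmp_ipaddress variable.");
        }
    }

    const unsigned char *value;
    size_t len;
};

class SNMPVariable_String : public SNMPVariable
{
    friend class SNMPVariable;

    public:

    virtual std::string toString();
    virtual const std::string toHexString();

    protected:

    // Copies exactly l bytes of v into value, embedded NULs included.
    SNMPVariable_String(u_char *v, size_t l)
    {
        type=snmp_string;
        if(v)
        {
            for(u_char *p=v; l; p++,l--)
            {
                value+=*p;
            }
        } else value="";
    }

    std::string value;
};

class SNMPVariable_Counter64 : public SNMPVariable
{
    friend class SNMPVariable;

    public:

    virtual std::string toString();

    protected:

    // A NULL counter is stored as zero rather than rejected.
    SNMPVariable_Counter64(struct counter64 *v)
    {
        type=snmp_counter64;
        if(v)
        {
            high=v->high;
            low=v->low;
        } else
        {
            high=low=0l;
        }
    }

    unsigned long high;
    unsigned long low;
};

class SNMPVariable_OID : public SNMPVariable
{
    friend class SNMPVariable;

    public:

    virtual std::string toString();

    protected:

    // Holds a single oid component. SNMPVariable::create currently maps
    // ASN_OBJECT_ID values to SNMPVariable_Bits instead of this class.
    SNMPVariable_OID(oid v)
    {
        type=snmp_oid;
        value=v;
    }

    oid value;
};

class SNMPConnection
{
    public:

    SNMPConnection(const std::string &peer, const std::string &community);
    virtual ~SNMPConnection();

    /**
     * Optional parameter timeout is in milliseconds.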
*/ void connect(int retries=SNMP_DEFAULT_RETRIES, long timeout=SNMP_DEFAULT_TIMEOUT) throw(FWException); void disconnect() throw(FWException); std::vector get(const std::string &variable) throw(FWException); std::multimap walk(const std::string &variable) throw(FWException); private: std::string peer; std::string community; bool connected; struct snmp_session *session, *session_data; static bool lib_initialized; }; class SNMPQuery : public BackgroundOp { private: static const char *SNMP_INTERFACE_ASTATUS; static const char *SNMP_INTERFACE_OSTATUS; static const char *SNMP_INTERFACE_INDEX ; static const char *SNMP_INTERFACES_DESCR ; static const char *SNMP_INTERFACES_PHYSA ; static const char *SNMP_INTERFACES_TYPE ; static const char *SNMP_ADDR_INDEX_TABLE ; static const char *SNMP_NMASK_TABLE ; static const char *SNMP_ADDR_TABLE ; static const char *SNMP_BCAST_TABLE ; static const char *SNMP_AT_TABLE_NET ; static const char *SNMP_AT_TABLE_PHYS ; static const char *SNMP_ROUTE_DST_TABLE ; static const char *SNMP_ROUTE_NM_TABLE ; static const char *SNMP_ROUTE_TYPE_TABLE ; static const char *SNMP_ROUTE_IF_TABLE ; static const char *SNMP_ROUTE_GW_TABLE ; static const int SNMP_DIRECT_ROUTE ; static const char *SNMP_SYSNAME ; static const char *SNMP_SYSDESCR ; static const char *SNMP_CONTACT ; static const char *SNMP_LOCATION ; static const char *IP_MIB_PREFIX ; static const char *IP_MIB_ENTIFINDEX_PREFIX ; static const char *RFC1213_MIB_PREFIX ; static const char *RFC1213_MIB_PREFIX_IPROUTEDEST_PREFIX ; static const char* SNMP_IP_MIB_RFC4293_V4_INDEX; static const char* SNMP_IP_MIB_RFC4293_V6_INDEX; static const char* SNMP_IP_MIB_RFC4293_V6_PREFIX; std::string hostname, community; std::string descr, contact, location, sysname; std::map interfaces; std::map arptable; std::vector routes; int retries; long timeout; void walkInterfaceIndexTable(Logger *logger, SNMPConnection *c, const char* OID, std::map > &addr); void getAddressAndNetmask(Logger *logger, SNMPConnection *c, 
std::string adentry, InetAddr **addr, InetAddr **netmask); public: SNMPQuery() {} SNMPQuery(std::string hostname, std::string community, int retries_=SNMP_DEFAULT_RETRIES, long timeout_=SNMP_DEFAULT_TIMEOUT); virtual ~SNMPQuery(); void init(std::string hostname, std::string community, int retries_=SNMP_DEFAULT_RETRIES, long timeout_=SNMP_DEFAULT_TIMEOUT); void fetchArpTable(Logger *,SyncFlag *stop_program, SNMPConnection *connection=NULL) throw(FWException); void fetchInterfaces(Logger *,SyncFlag *stop_program, SNMPConnection *connection=NULL) throw(FWException); void fetchSysInfo(Logger *,SyncFlag *stop_program, SNMPConnection *connection=NULL) throw(FWException); void fetchAll(Logger *,SyncFlag *stop_program) throw(FWException); void fetchRoutingTable(Logger *,SyncFlag *stop_program, SNMPConnection *connection=NULL) throw(FWException); std::map* getInterfaces(); std::map* getArpTable(); std::vector* getRoutes(); const std::string& getSysname (); const std::string& getDescr (); const std::string& getContact (); const std::string& getLocation (); protected: bool isDefault(const IPRoute &) const; }; class SNMP_interface_query : public SNMPQuery { public: SNMP_interface_query() : SNMPQuery() {} SNMP_interface_query(std::string hostname, std::string community, int retries_=SNMP_DEFAULT_RETRIES, long timeout_=SNMP_DEFAULT_TIMEOUT) : SNMPQuery(hostname, community, retries_, timeout_) {} void init(std::string hostname, std::string community, int retries_=SNMP_DEFAULT_RETRIES, long timeout_=SNMP_DEFAULT_TIMEOUT) { SNMPQuery::init(hostname, community, retries_, timeout_); } virtual void run_impl(Logger *logger,SyncFlag *stop_program) throw(FWException); }; class SNMP_sysdesc_query : public SNMPQuery { public: SNMP_sysdesc_query() : SNMPQuery() {} SNMP_sysdesc_query(std::string hostname, std::string community, int retries_=SNMP_DEFAULT_RETRIES, long timeout_=SNMP_DEFAULT_TIMEOUT) : SNMPQuery(hostname, community, retries_, timeout_) {} void init(std::string hostname, 
std::string community, int retries_=SNMP_DEFAULT_RETRIES, long timeout_=SNMP_DEFAULT_TIMEOUT) { SNMPQuery::init(hostname, community, retries_, timeout_); } virtual void run_impl(Logger *logger,SyncFlag *stop_program) throw(FWException); }; class SNMP_discover_query : public SNMPQuery { private: bool fetch_inerfaces; public: SNMP_discover_query() : SNMPQuery() {} SNMP_discover_query(std::string hostname, std::string community, int retries_=SNMP_DEFAULT_RETRIES, long timeout_=SNMP_DEFAULT_TIMEOUT, bool _f=true):SNMPQuery(hostname, community, retries_, timeout_) { fetch_inerfaces=_f; } virtual void run_impl(Logger *logger,SyncFlag *stop_program) throw(FWException); }; class CrawlerFind: public HostEnt { public: CrawlerFind(); virtual ~CrawlerFind(); bool have_snmpd ; std::string descr, contact, location, sysname; std::map interfaces; /** * What physical address host had in ARP table when it was found. * (optional) */ std::string found_phys_addr; //set when DNS resolution succeeded. bool dns_ok ; }; class SNMPCrawler : public BackgroundOp { private: const std::vector *limit_to_networks ; static const InetAddrMask LOOPBACK_NET ; static const InetAddrMask IPV6_LOOPBACK_NET ; static const InetAddr PTP_NETMASK ; std::map queue; std::map found; std::set networks; std::string community; int snmp_retries ; long snmp_timeout ; bool recursive ; bool do_dns ; bool follow_ptp ; unsigned int dns_threads ; int dns_retries ; int dns_timeout ; static const int PTP_INTERFACE_TYPES[]; protected: bool included (const InetAddr &) const ; bool alreadyseen (const InetAddr &) const ; bool special (const InetAddrMask &) const ; bool special (const InetAddr &) const ; bool point2point (const InetAddrMask &, const InterfaceData&) const ; bool point2point (const InterfaceData&) const ; std::list guessInterface( const IPRoute &r, const std::map &intf) const; public: SNMPCrawler(); SNMPCrawler(const InetAddr &seed, const std::string &_community, bool _recursive=true, bool _do_dns=true, bool 
_follow_ptp=false, unsigned int _dns_threads=10, int _retries=SNMP_DEFAULT_RETRIES, long _timeout=SNMP_DEFAULT_TIMEOUT, int _dns_retries=RES_DFLRETRY, int _dns_timeout=RES_TIMEOUT, const std::vector *include=NULL); virtual ~SNMPCrawler(); void init(const InetAddr &seed, const std::string &_community, bool _recursive=true, bool _do_dns=true, bool _follow_ptp=false, unsigned int _dns_threads=10, int _snmp_retries=SNMP_DEFAULT_RETRIES, long _snmp_timeout=SNMP_DEFAULT_TIMEOUT, int _dns_retries=RES_DFLRETRY, int _dns_timeout=RES_TIMEOUT, const std::vector *include=NULL); std::map getAllIPs(); std::set getNetworks(); virtual void run_impl(Logger *logger,SyncFlag *stop_program) throw(FWException); void bacresolve_results(Logger *logger,SyncFlag *stop_program) throw(FWException); }; } #endif #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/uint128.cpp000066400000000000000000000003611303637203600234450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC */ #include "uint128.h" using namespace std; ostream &operator<<(ostream &o, const uint128 &n) { o << n.to_string(); return o; } fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/uint128.h000066400000000000000000000320751303637203600231210ustar00rootroot00000000000000/* * Copyright (c) 2008 * Evan Teran * * Permission to use, copy, modify, and distribute this software and its * documentation for any purpose and without fee is hereby granted, provided * that the above copyright notice appears in all copies and that both the * copyright notice and this permission notice appear in supporting * documentation, and that the same name not be used in advertising or * publicity pertaining to distribution of the software without specific, * written prior permission. We make no representations about the * suitability this software for any purpose. It is provided "as is" * without express or implied warranty. 
*/ /* * Commented out the line that #includes * and ran through astyle: * astyle --style=ansi --indent=spaces --convert-tabs uint128.h * * --vk 11/16/2010 */ #ifndef UINT128_20050119_H_ #define UINT128_20050119_H_ #include #include #include // #include #include #include #include #include // #define __STDC_FORMAT_MACROS #include // for sprintf formats for "long long" // convinience macro #define U128_C(s) uint128(#s) class uint128 { public: typedef uint64_t base_type; typedef uint128 Self; public: static const int size = (sizeof(base_type) + sizeof(base_type)) * CHAR_BIT; private: base_type lo; base_type hi; public: uint128(base_type _lo, base_type _hi) : lo(_lo), hi(_hi) {} // constructors for all basic types uint128() : lo(0), hi(0) {} uint128(int value) : lo(static_cast(value)), hi(0) { if (value < 0) hi = static_cast(-1); } uint128(unsigned int value) : lo(static_cast(value)), hi(0) {} uint128(float value) : lo(static_cast(value)), hi(0) {} uint128(double value) : lo(static_cast(value)), hi(0) {} uint128(const Self &value) : lo(value.lo), hi (value.hi) {} uint128(base_type value) : lo(value), hi(0) {} uint128(const uint32_t value[4]): lo((uint64_t(value[2])<<32)|value[3]),hi((uint64_t(value[0])<<32)|value[1]) {} uint128(const std::string &sz) : lo(0), hi(0) { // do we have at least one character? if (!sz.empty()) { // make some reasonable assumptions int radix = 10; bool minus = false; std::string::const_iterator i = sz.begin(); // check for minus sign, i suppose technically this should only apply // to base 10, but who says that -0x1 should be invalid? 
if (*i == '-') { ++i; minus = true; } // check if there is radix changing prefix (0 or 0x) if (i != sz.end()) { if (*i == '0') { radix = 8; ++i; if (i != sz.end()) { if (*i == 'x') { radix = 16; ++i; } } } while (i != sz.end()) { unsigned int n; const char ch = *i; if (ch >= 'A' && ch <= 'Z') { if (((ch - 'A') + 10) < radix) { n = (ch - 'A') + 10; } else { break; } } else if (ch >= 'a' && ch <= 'z') { if (((ch - 'a') + 10) < radix) { n = (ch - 'a') + 10; } else { break; } } else if (ch >= '0' && ch <= '9') { if ((ch - '0') < radix) { n = (ch - '0'); } else { break; } } else { /* completely invalid character */ break; } (*this) *= radix; (*this) += n; ++i; } } // if this was a negative number, do that two's compliment madness :-P if (minus) { *this = -*this; } } } Self &operator=(const Self &other) { if (&other != this) { lo = other.lo; hi = other.hi; } return *this; } public: // comparison operators bool operator==(const Self &o) const { return hi == o.hi && lo == o.lo; } bool operator!=(const Self &o) const { return hi != o.hi || lo != o.lo; } bool operator<(const Self &o) const { return (hi == o.hi) ? lo < o.lo : hi < o.hi; } bool operator>(const Self &o) const { return (hi == o.hi) ? 
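lo > o.lo : hi > o.hi;
    }

    // "<=" and ">=" are the strict comparison plus equality with the OTHER
    // operand. The previous code tested "*this == 0" here, which made
    // 5 <= 5 evaluate to false and 0 >= 5 evaluate to true.
    bool operator<=(const Self &o) const
    {
        return *this < o || *this == o;
    }

    bool operator>=(const Self &o) const
    {
        return *this > o || *this == o;
    }

public: // unary operators

    bool operator!() const
    {
        return !(hi != 0 || lo != 0);
    }

    Self operator-() const
    {
        // standard 2's complement negation
        return ~Self(*this) + 1;
    }

    Self operator~() const
    {
        Self t(*this);
        t.lo = ~t.lo;
        t.hi = ~t.hi;
        return t;
    }

    Self &operator++()
    {
        // carry into the high word when the low word wraps to zero
        if (++lo == 0)
        {
            ++hi;
        }
        return *this;
    }

    Self &operator--()
    {
        // borrow from the high word when the low word was zero
        if (lo-- == 0)
        {
            --hi;
        }
        return *this;
    }

public: // basic math operators

    Self &operator+=(const Self &b)
    {
        const base_type old_lo = lo;
        lo += b.lo;
        hi += b.hi;
        // unsigned wrap of the low word means a carry was produced
        if (lo < old_lo)
        {
            ++hi;
        }
        return *this;
    }

    Self &operator-=(const Self &b)
    {
        // it happens to be way easier to write it
        // this way instead of make a subtraction algorithm
        return *this += -b;
    }

    Self &operator*=(const Self &b)
    {
        // check for multiply by 0
        // result is always 0 :-P
        if (b == 0)
        {
            hi = 0;
            lo = 0;
        }
        else if (b != 1)
        {
            // check we aren't multiplying by 1
            // shift-and-add over every bit of b; bits shifted past 128
            // are discarded, i.e. the product is taken modulo 2^128
            Self a(*this);
            Self t = b;
            lo = 0;
            hi = 0;
            for (int i = 0; i < size; ++i)
            {
                if ((t & 1) != 0)
                {
                    *this += (a << i);
                }
                t >>= 1;
            }
        }
        return *this;
    }

    Self &operator|=(const Self &b)
    {
        hi |= b.hi;
        lo |= b.lo;
        return *this;
    }

    Self &operator&=(const Self &b)
    {
        hi &= b.hi;
        lo &= b.lo;
        return *this;
    }

    Self &operator^=(const Self &b)
    {
        hi ^= b.hi;
        lo ^= b.lo;
        return *this;
    }

    // __do_div copies the numerator before writing the quotient, so
    // passing *this as both is safe. Division by zero throws
    // std::domain_error (see __do_div).
    Self &operator/=(const Self &b)
    {
        Self remainder;
        __do_div(*this, b, *this, remainder);
        return *this;
    }

    Self &operator%=(const Self &b)
    {
        Self quotient;
        __do_div(*this, b, quotient, *this);
        return *this;
    }

    // Shift left by the low word of rhs; shifting by size or more yields 0.
    Self &operator<<=(const Self& rhs)
    {
        int n = rhs.to_integer();
        if (n >= size)
        {
            hi = 0;
            lo = 0;
        }
        else
        {
            const int halfsize = size / 2;
            if (n >= halfsize)
            {
                // whole low word moves up into the high word
                n -= halfsize;
                hi = lo;
                lo = 0;
            }
            if (n != 0)
            {
                // shift high half
                hi <<= n;
                // mask selects the top n bits of the low half
                const base_type mask(~(base_type(-1) >> n));
                // and add them to high half
                hi |= (lo & mask) >> (halfsize - n);
                // and finally shift also low half
                lo <<= n;
            }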
} return *this; } Self &operator>>=(const Self& rhs) { int n = rhs.to_integer(); if (n >= size) { hi = 0; lo = 0; } else { const int halfsize = size / 2; if (n >= halfsize) { n -= halfsize; lo = hi; hi = 0; } if (n != 0) { // shift low half lo >>= n; // get lower N bits of high half const base_type mask(~(base_type(-1) << n)); // and add them to low qword lo |= (hi & mask) << (halfsize - n); // and finally shift also high half hi >>= n; } } return *this; } Self operator+(const int &u) { Self temp(*this); temp += u; return temp; } Self operator&(const int &u) { Self temp(*this); temp &= u; return temp; } Self operator<<(const int &u) { Self temp(*this); temp <<= u; return temp; } Self operator>>(const int &u) { Self temp(*this); temp >>= u; return temp; } public: int to_integer() const { return static_cast(lo); } base_type to_base_type() const { return lo; } std::string to_string() const { char buf[33]; if (hi) sprintf(buf, "%" PRIX64"%08" PRIX64, (uint64_t)hi,(uint64_t)lo); else sprintf(buf,"%" PRIX64,(uint64_t)lo); return buf; } private: template static void __do_div(const T &numerator, const T &denominator, T "ient, T &remainder) { static const int bits = sizeof(T) * CHAR_BIT; if (denominator == 0) { throw std::domain_error("divide by zero"); } else { T n = numerator; T d = denominator; T x = 1; T answer = 0; while ((n >= d) && (((d >> (bits - 1)) & 1) == 0)) { x <<= 1; d <<= 1; } while (x != 0) { if (n >= d) { n -= d; answer |= x; } x >>= 1; d >>= 1; } quotient = answer; remainder = n; } } }; std::ostream &operator<<(std::ostream &o, const uint128 &n); typedef uint128 uint128_t; namespace std { template<> struct numeric_limits { static const bool is_specialized = true; // static uint128 min() throw() // { // return 0; // } // // static uint128 max() throw() // { // return uint128( // std::numeric_limits::max(), // std::numeric_limits::max() // ); // } static const bool is_signed = false; static const bool is_integer = true; static const bool is_exact = true; 
static const int digits = 128; static const int digits10 = 39; static const int radix = 2; static uint128 epsilon() throw() { return 0; } static uint128 round_error() throw() { return 0; } static const int min_exponent = 0; static const int min_exponent10 = 0; static const int max_exponent = 0; static const int max_exponent10 = 0; static const bool has_infinity = false; static const bool has_quiet_NaN = false; static const bool has_signaling_NaN = false; static const float_denorm_style has_denorm = denorm_absent; static const bool has_denorm_loss = false; static uint128 infinity() throw() { return static_cast(0); } static uint128 quiet_NaN() throw() { return static_cast(0); } static uint128 signaling_NaN() throw() { return static_cast(0); } static uint128 denorm_min() throw() { return static_cast(0); } static const bool is_iec559 = false; static const bool is_bounded = true; static const bool is_modulo = true; static const bool traps = false; static const bool tinyness_before = false; static const float_round_style round_style = round_toward_zero; }; }; #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwbuilder/valgrind.h000066400000000000000000007056021303637203600235200ustar00rootroot00000000000000/* -*- c -*- ---------------------------------------------------------------- Notice that the following BSD-style license applies to this one file (valgrind.h) only. The rest of Valgrind is licensed under the terms of the GNU General Public License, version 2, unless otherwise indicated. See the COPYING file in the source distribution for details. ---------------------------------------------------------------- This file is part of Valgrind, a dynamic binary instrumentation framework. Copyright (C) 2000-2008 Julian Seward. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 3. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 4. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ---------------------------------------------------------------- Notice that the above BSD-style license applies to this one file (valgrind.h) only. The entire rest of Valgrind is licensed under the terms of the GNU General Public License, version 2. See the COPYING file in the source distribution for details. ---------------------------------------------------------------- */ /* This file is for inclusion into client (your!) code. You can use these macros to manipulate and query Valgrind's execution inside your own programs. 
The resulting executables will still run without Valgrind, just a little bit more slowly than they otherwise would, but otherwise unchanged. When not running on valgrind, each client request consumes very few (eg. 7) instructions, so the resulting performance loss is negligible unless you plan to execute client requests millions of times per second. Nevertheless, if that is still a problem, you can compile with the NVALGRIND symbol defined (gcc -DNVALGRIND) so that client requests are not even compiled in. */ #ifndef __VALGRIND_H #define __VALGRIND_H #include /* Nb: this file might be included in a file compiled with -ansi. So we can't use C++ style "//" comments nor the "asm" keyword (instead use "__asm__"). */ /* Derive some tags indicating what the target platform is. Note that in this file we're using the compiler's CPP symbols for identifying architectures, which are different to the ones we use within the rest of Valgrind. Note, __powerpc__ is active for both 32 and 64-bit PPC, whereas __powerpc64__ is only active for the latter (on Linux, that is). */ #undef PLAT_x86_linux #undef PLAT_amd64_linux #undef PLAT_ppc32_linux #undef PLAT_ppc64_linux #undef PLAT_ppc32_aix5 #undef PLAT_ppc64_aix5 #if !defined(_AIX) && defined(__i386__) # define PLAT_x86_linux 1 #elif !defined(_AIX) && defined(__x86_64__) # define PLAT_amd64_linux 1 #elif !defined(_AIX) && defined(__powerpc__) && !defined(__powerpc64__) # define PLAT_ppc32_linux 1 #elif !defined(_AIX) && defined(__powerpc__) && defined(__powerpc64__) # define PLAT_ppc64_linux 1 #elif defined(_AIX) && defined(__64BIT__) # define PLAT_ppc64_aix5 1 #elif defined(_AIX) && !defined(__64BIT__) # define PLAT_ppc32_aix5 1 #endif /* If we're not compiling for our target platform, don't generate any inline asms. 
*/ #if !defined(PLAT_x86_linux) && !defined(PLAT_amd64_linux) \ && !defined(PLAT_ppc32_linux) && !defined(PLAT_ppc64_linux) \ && !defined(PLAT_ppc32_aix5) && !defined(PLAT_ppc64_aix5) # if !defined(NVALGRIND) # define NVALGRIND 1 # endif #endif /* ------------------------------------------------------------------ */ /* ARCHITECTURE SPECIFICS for SPECIAL INSTRUCTIONS. There is nothing */ /* in here of use to end-users -- skip to the next section. */ /* ------------------------------------------------------------------ */ #if defined(NVALGRIND) /* Define NVALGRIND to completely remove the Valgrind magic sequence from the compiled code (analogous to NDEBUG's effects on assert()) */ #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ { \ (_zzq_rlval) = (_zzq_default); \ } #else /* ! NVALGRIND */ /* The following defines the magic code sequences which the JITter spots and handles magically. Don't look too closely at them as they will rot your brain. The assembly code sequences for all architectures is in this one file. This is because this file must be stand-alone, and we don't want to have multiple files. For VALGRIND_DO_CLIENT_REQUEST, we must ensure that the default value gets put in the return slot, so that everything works when this is executed not under Valgrind. Args are passed in a memory block, and so there's no intrinsic limit to the number that could be passed, but it's currently five. The macro args are: _zzq_rlval result lvalue _zzq_default default value (result returned when running on real CPU) _zzq_request request code _zzq_arg1..5 request params The other two macros are used to support function wrapping, and are a lot simpler. VALGRIND_GET_NR_CONTEXT returns the value of the guest's NRADDR pseudo-register and whatever other information is needed to safely run the call original from the wrapper: on ppc64-linux, the R2 value at the divert point is also needed. 
This information is abstracted into a user-visible type, OrigFn. VALGRIND_CALL_NOREDIR_* behaves the same as the following on the guest, but guarantees that the branch instruction will not be redirected: x86: call *%eax, amd64: call *%rax, ppc32/ppc64: branch-and-link-to-r11. VALGRIND_CALL_NOREDIR is just text, not a complete inline asm, since it needs to be combined with more magic inline asm stuff to be useful. */ /* ------------------------- x86-linux ------------------------- */ #if defined(PLAT_x86_linux) typedef struct { unsigned int nraddr; /* where's the code? */ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "roll $3, %%edi ; roll $13, %%edi\n\t" \ "roll $29, %%edi ; roll $19, %%edi\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ { volatile unsigned int _zzq_args[6]; \ volatile unsigned int _zzq_result; \ _zzq_args[0] = (unsigned int)(_zzq_request); \ _zzq_args[1] = (unsigned int)(_zzq_arg1); \ _zzq_args[2] = (unsigned int)(_zzq_arg2); \ _zzq_args[3] = (unsigned int)(_zzq_arg3); \ _zzq_args[4] = (unsigned int)(_zzq_arg4); \ _zzq_args[5] = (unsigned int)(_zzq_arg5); \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %EDX = client_request ( %EAX ) */ \ "xchgl %%ebx,%%ebx" \ : "=d" (_zzq_result) \ : "a" (&_zzq_args[0]), "0" (_zzq_default) \ : "cc", "memory" \ ); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ volatile unsigned int __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %EAX = guest_NRADDR */ \ "xchgl %%ecx,%%ecx" \ : "=a" (__addr) \ : \ : "cc", "memory" \ ); \ _zzq_orig->nraddr = __addr; \ } #define VALGRIND_CALL_NOREDIR_EAX \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* call-noredir *%EAX */ \ "xchgl %%edx,%%edx\n\t" #endif /* PLAT_x86_linux */ /* ------------------------ amd64-linux ------------------------ */ #if defined(PLAT_amd64_linux) typedef struct { unsigned 
long long int nraddr; /* where's the code? */ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "rolq $3, %%rdi ; rolq $13, %%rdi\n\t" \ "rolq $61, %%rdi ; rolq $51, %%rdi\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ { volatile unsigned long long int _zzq_args[6]; \ volatile unsigned long long int _zzq_result; \ _zzq_args[0] = (unsigned long long int)(_zzq_request); \ _zzq_args[1] = (unsigned long long int)(_zzq_arg1); \ _zzq_args[2] = (unsigned long long int)(_zzq_arg2); \ _zzq_args[3] = (unsigned long long int)(_zzq_arg3); \ _zzq_args[4] = (unsigned long long int)(_zzq_arg4); \ _zzq_args[5] = (unsigned long long int)(_zzq_arg5); \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %RDX = client_request ( %RAX ) */ \ "xchgq %%rbx,%%rbx" \ : "=d" (_zzq_result) \ : "a" (&_zzq_args[0]), "0" (_zzq_default) \ : "cc", "memory" \ ); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ volatile unsigned long long int __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %RAX = guest_NRADDR */ \ "xchgq %%rcx,%%rcx" \ : "=a" (__addr) \ : \ : "cc", "memory" \ ); \ _zzq_orig->nraddr = __addr; \ } #define VALGRIND_CALL_NOREDIR_RAX \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* call-noredir *%RAX */ \ "xchgq %%rdx,%%rdx\n\t" #endif /* PLAT_amd64_linux */ /* ------------------------ ppc32-linux ------------------------ */ #if defined(PLAT_ppc32_linux) typedef struct { unsigned int nraddr; /* where's the code? 
*/ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "rlwinm 0,0,3,0,0 ; rlwinm 0,0,13,0,0\n\t" \ "rlwinm 0,0,29,0,0 ; rlwinm 0,0,19,0,0\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ \ { unsigned int _zzq_args[6]; \ unsigned int _zzq_result; \ unsigned int* _zzq_ptr; \ _zzq_args[0] = (unsigned int)(_zzq_request); \ _zzq_args[1] = (unsigned int)(_zzq_arg1); \ _zzq_args[2] = (unsigned int)(_zzq_arg2); \ _zzq_args[3] = (unsigned int)(_zzq_arg3); \ _zzq_args[4] = (unsigned int)(_zzq_arg4); \ _zzq_args[5] = (unsigned int)(_zzq_arg5); \ _zzq_ptr = _zzq_args; \ __asm__ volatile("mr 3,%1\n\t" /*default*/ \ "mr 4,%2\n\t" /*ptr*/ \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = client_request ( %R4 ) */ \ "or 1,1,1\n\t" \ "mr %0,3" /*result*/ \ : "=b" (_zzq_result) \ : "b" (_zzq_default), "b" (_zzq_ptr) \ : "cc", "memory", "r3", "r4"); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ unsigned int __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR */ \ "or 2,2,2\n\t" \ "mr %0,3" \ : "=b" (__addr) \ : \ : "cc", "memory", "r3" \ ); \ _zzq_orig->nraddr = __addr; \ } #define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* branch-and-link-to-noredir *%R11 */ \ "or 3,3,3\n\t" #endif /* PLAT_ppc32_linux */ /* ------------------------ ppc64-linux ------------------------ */ #if defined(PLAT_ppc64_linux) typedef struct { unsigned long long int nraddr; /* where's the code? */ unsigned long long int r2; /* what tocptr do we need? 
*/ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "rotldi 0,0,3 ; rotldi 0,0,13\n\t" \ "rotldi 0,0,61 ; rotldi 0,0,51\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ \ { unsigned long long int _zzq_args[6]; \ register unsigned long long int _zzq_result __asm__("r3"); \ register unsigned long long int* _zzq_ptr __asm__("r4"); \ _zzq_args[0] = (unsigned long long int)(_zzq_request); \ _zzq_args[1] = (unsigned long long int)(_zzq_arg1); \ _zzq_args[2] = (unsigned long long int)(_zzq_arg2); \ _zzq_args[3] = (unsigned long long int)(_zzq_arg3); \ _zzq_args[4] = (unsigned long long int)(_zzq_arg4); \ _zzq_args[5] = (unsigned long long int)(_zzq_arg5); \ _zzq_ptr = _zzq_args; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = client_request ( %R4 ) */ \ "or 1,1,1" \ : "=r" (_zzq_result) \ : "0" (_zzq_default), "r" (_zzq_ptr) \ : "cc", "memory"); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ register unsigned long long int __addr __asm__("r3"); \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR */ \ "or 2,2,2" \ : "=r" (__addr) \ : \ : "cc", "memory" \ ); \ _zzq_orig->nraddr = __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR_GPR2 */ \ "or 4,4,4" \ : "=r" (__addr) \ : \ : "cc", "memory" \ ); \ _zzq_orig->r2 = __addr; \ } #define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* branch-and-link-to-noredir *%R11 */ \ "or 3,3,3\n\t" #endif /* PLAT_ppc64_linux */ /* ------------------------ ppc32-aix5 ------------------------- */ #if defined(PLAT_ppc32_aix5) typedef struct { unsigned int nraddr; /* where's the code? */ unsigned int r2; /* what tocptr do we need? 
*/ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "rlwinm 0,0,3,0,0 ; rlwinm 0,0,13,0,0\n\t" \ "rlwinm 0,0,29,0,0 ; rlwinm 0,0,19,0,0\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ \ { unsigned int _zzq_args[7]; \ register unsigned int _zzq_result; \ register unsigned int* _zzq_ptr; \ _zzq_args[0] = (unsigned int)(_zzq_request); \ _zzq_args[1] = (unsigned int)(_zzq_arg1); \ _zzq_args[2] = (unsigned int)(_zzq_arg2); \ _zzq_args[3] = (unsigned int)(_zzq_arg3); \ _zzq_args[4] = (unsigned int)(_zzq_arg4); \ _zzq_args[5] = (unsigned int)(_zzq_arg5); \ _zzq_args[6] = (unsigned int)(_zzq_default); \ _zzq_ptr = _zzq_args; \ __asm__ volatile("mr 4,%1\n\t" \ "lwz 3, 24(4)\n\t" \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = client_request ( %R4 ) */ \ "or 1,1,1\n\t" \ "mr %0,3" \ : "=b" (_zzq_result) \ : "b" (_zzq_ptr) \ : "r3", "r4", "cc", "memory"); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ register unsigned int __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR */ \ "or 2,2,2\n\t" \ "mr %0,3" \ : "=b" (__addr) \ : \ : "r3", "cc", "memory" \ ); \ _zzq_orig->nraddr = __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR_GPR2 */ \ "or 4,4,4\n\t" \ "mr %0,3" \ : "=b" (__addr) \ : \ : "r3", "cc", "memory" \ ); \ _zzq_orig->r2 = __addr; \ } #define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* branch-and-link-to-noredir *%R11 */ \ "or 3,3,3\n\t" #endif /* PLAT_ppc32_aix5 */ /* ------------------------ ppc64-aix5 ------------------------- */ #if defined(PLAT_ppc64_aix5) typedef struct { unsigned long long int nraddr; /* where's the code? */ unsigned long long int r2; /* what tocptr do we need? 
*/ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "rotldi 0,0,3 ; rotldi 0,0,13\n\t" \ "rotldi 0,0,61 ; rotldi 0,0,51\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ \ { unsigned long long int _zzq_args[7]; \ register unsigned long long int _zzq_result; \ register unsigned long long int* _zzq_ptr; \ _zzq_args[0] = (unsigned int long long)(_zzq_request); \ _zzq_args[1] = (unsigned int long long)(_zzq_arg1); \ _zzq_args[2] = (unsigned int long long)(_zzq_arg2); \ _zzq_args[3] = (unsigned int long long)(_zzq_arg3); \ _zzq_args[4] = (unsigned int long long)(_zzq_arg4); \ _zzq_args[5] = (unsigned int long long)(_zzq_arg5); \ _zzq_args[6] = (unsigned int long long)(_zzq_default); \ _zzq_ptr = _zzq_args; \ __asm__ volatile("mr 4,%1\n\t" \ "ld 3, 48(4)\n\t" \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = client_request ( %R4 ) */ \ "or 1,1,1\n\t" \ "mr %0,3" \ : "=b" (_zzq_result) \ : "b" (_zzq_ptr) \ : "r3", "r4", "cc", "memory"); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ register unsigned long long int __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR */ \ "or 2,2,2\n\t" \ "mr %0,3" \ : "=b" (__addr) \ : \ : "r3", "cc", "memory" \ ); \ _zzq_orig->nraddr = __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR_GPR2 */ \ "or 4,4,4\n\t" \ "mr %0,3" \ : "=b" (__addr) \ : \ : "r3", "cc", "memory" \ ); \ _zzq_orig->r2 = __addr; \ } #define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* branch-and-link-to-noredir *%R11 */ \ "or 3,3,3\n\t" #endif /* PLAT_ppc64_aix5 */ /* Insert assembly code for other platforms here... */ #endif /* NVALGRIND */ /* ------------------------------------------------------------------ */ /* PLATFORM SPECIFICS for FUNCTION WRAPPING. This is all very */ /* ugly. 
It's the least-worst tradeoff I can think of. */ /* ------------------------------------------------------------------ */ /* This section defines magic (a.k.a appalling-hack) macros for doing guaranteed-no-redirection macros, so as to get from function wrappers to the functions they are wrapping. The whole point is to construct standard call sequences, but to do the call itself with a special no-redirect call pseudo-instruction that the JIT understands and handles specially. This section is long and repetitious, and I can't see a way to make it shorter. The naming scheme is as follows: CALL_FN_{W,v}_{v,W,WW,WWW,WWWW,5W,6W,7W,etc} 'W' stands for "word" and 'v' for "void". Hence there are different macros for calling arity 0, 1, 2, 3, 4, etc, functions, and for each, the possibility of returning a word-typed result, or no result. */ /* Use these to write the name of your wrapper. NOTE: duplicates VG_WRAP_FUNCTION_Z{U,Z} in pub_tool_redir.h. */ #define I_WRAP_SONAME_FNNAME_ZU(soname,fnname) \ _vgwZU_##soname##_##fnname #define I_WRAP_SONAME_FNNAME_ZZ(soname,fnname) \ _vgwZZ_##soname##_##fnname /* Use this macro from within a wrapper function to collect the context (address and possibly other info) of the original function. Once you have that you can then use it in one of the CALL_FN_ macros. The type of the argument _lval is OrigFn. */ #define VALGRIND_GET_ORIG_FN(_lval) VALGRIND_GET_NR_CONTEXT(_lval) /* Derivatives of the main macros below, for calling functions returning void. 
*/ #define CALL_FN_v_v(fnptr) \ do { volatile unsigned long _junk; \ CALL_FN_W_v(_junk,fnptr); } while (0) #define CALL_FN_v_W(fnptr, arg1) \ do { volatile unsigned long _junk; \ CALL_FN_W_W(_junk,fnptr,arg1); } while (0) #define CALL_FN_v_WW(fnptr, arg1,arg2) \ do { volatile unsigned long _junk; \ CALL_FN_W_WW(_junk,fnptr,arg1,arg2); } while (0) #define CALL_FN_v_WWW(fnptr, arg1,arg2,arg3) \ do { volatile unsigned long _junk; \ CALL_FN_W_WWW(_junk,fnptr,arg1,arg2,arg3); } while (0) /* ------------------------- x86-linux ------------------------- */ #if defined(PLAT_x86_linux) /* These regs are trashed by the hidden call. No need to mention eax as gcc can already see that, plus causes gcc to bomb. */ #define __CALLER_SAVED_REGS /*"eax"*/ "ecx", "edx" /* These CALL_FN_ macros assume that on x86-linux, sizeof(unsigned long) == 4. */ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[1]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[2]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ __asm__ volatile( \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $4, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; 
\ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ __asm__ volatile( \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $8, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[4]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ __asm__ volatile( \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $12, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[5]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ __asm__ volatile( \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $16, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[6]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ 
_argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ __asm__ volatile( \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $20, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[7]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ __asm__ volatile( \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $24, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[8]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ __asm__ volatile( \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ 
"pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $28, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[9]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ __asm__ volatile( \ "pushl 32(%%eax)\n\t" \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $32, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[10]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ __asm__ volatile( \ "pushl 36(%%eax)\n\t" \ "pushl 
32(%%eax)\n\t" \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $36, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[11]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ __asm__ volatile( \ "pushl 40(%%eax)\n\t" \ "pushl 36(%%eax)\n\t" \ "pushl 32(%%eax)\n\t" \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $40, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5, \ arg6,arg7,arg8,arg9,arg10, \ arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[12]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned 
long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ _argvec[11] = (unsigned long)(arg11); \ __asm__ volatile( \ "pushl 44(%%eax)\n\t" \ "pushl 40(%%eax)\n\t" \ "pushl 36(%%eax)\n\t" \ "pushl 32(%%eax)\n\t" \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $44, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5, \ arg6,arg7,arg8,arg9,arg10, \ arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[13]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ _argvec[11] = (unsigned long)(arg11); \ _argvec[12] = (unsigned long)(arg12); \ __asm__ volatile( \ "pushl 48(%%eax)\n\t" \ "pushl 44(%%eax)\n\t" \ "pushl 40(%%eax)\n\t" \ "pushl 36(%%eax)\n\t" \ "pushl 32(%%eax)\n\t" \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $48, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", 
__CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #endif /* PLAT_x86_linux */ /* ------------------------ amd64-linux ------------------------ */ #if defined(PLAT_amd64_linux) /* ARGREGS: rdi rsi rdx rcx r8 r9 (the rest on stack in R-to-L order) */ /* These regs are trashed by the hidden call. */ #define __CALLER_SAVED_REGS /*"rax",*/ "rcx", "rdx", "rsi", \ "rdi", "r8", "r9", "r10", "r11" /* These CALL_FN_ macros assume that on amd64-linux, sizeof(unsigned long) == 8. */ /* NB 9 Sept 07. There is a nasty kludge here in all these CALL_FN_ macros. In order not to trash the stack redzone, we need to drop %rsp by 128 before the hidden call, and restore afterwards. The nastyness is that it is only by luck that the stack still appears to be unwindable during the hidden call - since then the behaviour of any routine using this macro does not match what the CFI data says. Sigh. Why is this important? Imagine that a wrapper has a stack allocated local, and passes to the hidden call, a pointer to it. Because gcc does not know about the hidden call, it may allocate that local in the redzone. Unfortunately the hidden call may then trash it before it comes to use it. So we must step clear of the redzone, for the duration of the hidden call, to make it safe. Probably the same problem afflicts the other redzone-style ABIs too (ppc64-linux, ppc32-aix5, ppc64-aix5); but for those, the stack is self describing (none of this CFI nonsense) so at least messing with the stack pointer doesn't give a danger of non-unwindable stack. 
*/ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[1]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[2]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[4]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ 
__asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[5]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[6]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; 
\ } while (0) #define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[7]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ "addq $128,%%rsp\n\t" \ VALGRIND_CALL_NOREDIR_RAX \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[8]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $8, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_8W(lval, orig, 
arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[9]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 64(%%rax)\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $16, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[10]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 72(%%rax)\n\t" \ "pushq 64(%%rax)\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ 
"addq $24, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[11]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 80(%%rax)\n\t" \ "pushq 72(%%rax)\n\t" \ "pushq 64(%%rax)\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $32, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[12]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned 
long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ _argvec[11] = (unsigned long)(arg11); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 88(%%rax)\n\t" \ "pushq 80(%%rax)\n\t" \ "pushq 72(%%rax)\n\t" \ "pushq 64(%%rax)\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $40, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[13]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ _argvec[11] = (unsigned long)(arg11); \ _argvec[12] = (unsigned long)(arg12); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 96(%%rax)\n\t" \ "pushq 88(%%rax)\n\t" \ "pushq 80(%%rax)\n\t" \ "pushq 72(%%rax)\n\t" \ "pushq 64(%%rax)\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $48, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", 
__CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #endif /* PLAT_amd64_linux */ /* ------------------------ ppc32-linux ------------------------ */ #if defined(PLAT_ppc32_linux) /* This is useful for finding out about the on-stack stuff: extern int f9 ( int,int,int,int,int,int,int,int,int ); extern int f10 ( int,int,int,int,int,int,int,int,int,int ); extern int f11 ( int,int,int,int,int,int,int,int,int,int,int ); extern int f12 ( int,int,int,int,int,int,int,int,int,int,int,int ); int g9 ( void ) { return f9(11,22,33,44,55,66,77,88,99); } int g10 ( void ) { return f10(11,22,33,44,55,66,77,88,99,110); } int g11 ( void ) { return f11(11,22,33,44,55,66,77,88,99,110,121); } int g12 ( void ) { return f12(11,22,33,44,55,66,77,88,99,110,121,132); } */ /* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */ /* These regs are trashed by the hidden call. */ #define __CALLER_SAVED_REGS \ "lr", "ctr", "xer", \ "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \ "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \ "r11", "r12", "r13" /* These CALL_FN_ macros assume that on ppc32-linux, sizeof(unsigned long) == 4. 
*/ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[1]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[2]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[4]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" 
/* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[5]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[6]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long 
_argvec[7]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[8]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[9]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = 
(unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ _argvec[8] = (unsigned long)arg8; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 10,32(11)\n\t" /* arg8->r10 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[10]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ _argvec[8] = (unsigned long)arg8; \ _argvec[9] = (unsigned long)arg9; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "addi 1,1,-16\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,8(1)\n\t" \ /* args1-8 */ \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 10,32(11)\n\t" /* arg8->r10 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "addi 1,1,16\n\t" \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); 
\ volatile unsigned long _argvec[11]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ _argvec[8] = (unsigned long)arg8; \ _argvec[9] = (unsigned long)arg9; \ _argvec[10] = (unsigned long)arg10; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "addi 1,1,-16\n\t" \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,12(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,8(1)\n\t" \ /* args1-8 */ \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 10,32(11)\n\t" /* arg8->r10 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "addi 1,1,16\n\t" \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[12]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ _argvec[8] = (unsigned long)arg8; \ _argvec[9] = (unsigned long)arg9; \ _argvec[10] = (unsigned long)arg10; \ _argvec[11] = (unsigned long)arg11; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "addi 1,1,-32\n\t" \ /* arg11 */ \ "lwz 3,44(11)\n\t" \ "stw 3,16(1)\n\t" \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,12(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 
3,8(1)\n\t" \ /* args1-8 */ \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 10,32(11)\n\t" /* arg8->r10 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "addi 1,1,32\n\t" \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[13]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ _argvec[8] = (unsigned long)arg8; \ _argvec[9] = (unsigned long)arg9; \ _argvec[10] = (unsigned long)arg10; \ _argvec[11] = (unsigned long)arg11; \ _argvec[12] = (unsigned long)arg12; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "addi 1,1,-32\n\t" \ /* arg12 */ \ "lwz 3,48(11)\n\t" \ "stw 3,20(1)\n\t" \ /* arg11 */ \ "lwz 3,44(11)\n\t" \ "stw 3,16(1)\n\t" \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,12(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,8(1)\n\t" \ /* args1-8 */ \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 10,32(11)\n\t" /* arg8->r10 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "addi 1,1,32\n\t" \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #endif /* 
PLAT_ppc32_linux */ /* ------------------------ ppc64-linux ------------------------ */ #if defined(PLAT_ppc64_linux) /* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */ /* These regs are trashed by the hidden call. */ #define __CALLER_SAVED_REGS \ "lr", "ctr", "xer", \ "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \ "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \ "r11", "r12", "r13" /* These CALL_FN_ macros assume that on ppc64-linux, sizeof(unsigned long) == 8. */ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+0]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+1]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; 
\ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+2]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+3]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+4]; \ volatile unsigned long _res; 
\ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+5]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_6W(lval, 
orig, arg1,arg2,arg3,arg4,arg5,arg6) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+6]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+7]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* 
arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+8]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+9]; \ volatile unsigned long _res; \ /* _argvec[0] holds current 
r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "addi 1,1,-128\n\t" /* expand stack frame */ \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ "addi 1,1,128" /* restore frame */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+10]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned 
long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "addi 1,1,-128\n\t" /* expand stack frame */ \ /* arg10 */ \ "ld 3,80(11)\n\t" \ "std 3,120(1)\n\t" \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ "addi 1,1,128" /* restore frame */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+11]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ _argvec[2+11] = (unsigned long)arg11; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "addi 1,1,-144\n\t" /* expand stack frame */ \ /* arg11 */ \ "ld 3,88(11)\n\t" \ "std 3,128(1)\n\t" \ /* arg10 */ \ "ld 
3,80(11)\n\t" \ "std 3,120(1)\n\t" \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ "addi 1,1,144" /* restore frame */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+12]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ _argvec[2+11] = (unsigned long)arg11; \ _argvec[2+12] = (unsigned long)arg12; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "addi 1,1,-144\n\t" /* expand stack frame */ \ /* arg12 */ \ "ld 3,96(11)\n\t" \ "std 3,136(1)\n\t" \ /* arg11 */ \ "ld 3,88(11)\n\t" \ "std 3,128(1)\n\t" \ /* arg10 */ \ "ld 3,80(11)\n\t" \ "std 3,120(1)\n\t" \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 
4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ "addi 1,1,144" /* restore frame */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #endif /* PLAT_ppc64_linux */ /* ------------------------ ppc32-aix5 ------------------------- */ #if defined(PLAT_ppc32_aix5) /* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */ /* These regs are trashed by the hidden call. */ #define __CALLER_SAVED_REGS \ "lr", "ctr", "xer", \ "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \ "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \ "r11", "r12", "r13" /* Expand the stack frame, copying enough info that unwinding still works. Trashes r3. */ #define VG_EXPAND_FRAME_BY_trashes_r3(_n_fr) \ "addi 1,1,-" #_n_fr "\n\t" \ "lwz 3," #_n_fr "(1)\n\t" \ "stw 3,0(1)\n\t" #define VG_CONTRACT_FRAME_BY(_n_fr) \ "addi 1,1," #_n_fr "\n\t" /* These CALL_FN_ macros assume that on ppc32-aix5, sizeof(unsigned long) == 4. 
*/ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+0]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+1]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+2]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned 
long)arg2; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+3]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+4]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] 
= (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+5]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \ do { \ volatile OrigFn _orig = (orig); \ 
volatile unsigned long _argvec[3+6]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+7]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* 
arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+8]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 10, 32(11)\n\t" /* arg8->r10 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ 
arg7,arg8,arg9) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+9]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(64) \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,56(1)\n\t" \ /* args1-8 */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 10, 32(11)\n\t" /* arg8->r10 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(64) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+10]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ 
_argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(64) \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,60(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,56(1)\n\t" \ /* args1-8 */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 10, 32(11)\n\t" /* arg8->r10 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(64) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+11]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ _argvec[2+11] = 
(unsigned long)arg11; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(72) \ /* arg11 */ \ "lwz 3,44(11)\n\t" \ "stw 3,64(1)\n\t" \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,60(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,56(1)\n\t" \ /* args1-8 */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 10, 32(11)\n\t" /* arg8->r10 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(72) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+12]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ _argvec[2+11] = (unsigned long)arg11; \ _argvec[2+12] = (unsigned long)arg12; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 
2,-4(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(72) \ /* arg12 */ \ "lwz 3,48(11)\n\t" \ "stw 3,68(1)\n\t" \ /* arg11 */ \ "lwz 3,44(11)\n\t" \ "stw 3,64(1)\n\t" \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,60(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,56(1)\n\t" \ /* args1-8 */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 10, 32(11)\n\t" /* arg8->r10 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(72) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #endif /* PLAT_ppc32_aix5 */ /* ------------------------ ppc64-aix5 ------------------------- */ #if defined(PLAT_ppc64_aix5) /* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */ /* These regs are trashed by the hidden call. */ #define __CALLER_SAVED_REGS \ "lr", "ctr", "xer", \ "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \ "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \ "r11", "r12", "r13" /* Expand the stack frame, copying enough info that unwinding still works. Trashes r3. */ #define VG_EXPAND_FRAME_BY_trashes_r3(_n_fr) \ "addi 1,1,-" #_n_fr "\n\t" \ "ld 3," #_n_fr "(1)\n\t" \ "std 3,0(1)\n\t" #define VG_CONTRACT_FRAME_BY(_n_fr) \ "addi 1,1," #_n_fr "\n\t" /* These CALL_FN_ macros assume that on ppc64-aix5, sizeof(unsigned long) == 8. 
*/ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+0]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+1]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+2]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned 
long)arg2; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+3]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+4]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = 
(unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+5]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \ do { \ volatile OrigFn _orig = (orig); \ volatile 
unsigned long _argvec[3+6]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+7]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 
32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+8]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9) \ do { \ volatile OrigFn 
_orig = (orig); \ volatile unsigned long _argvec[3+9]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(128) \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(128) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+10]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = 
(unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(128) \ /* arg10 */ \ "ld 3,80(11)\n\t" \ "std 3,120(1)\n\t" \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(128) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+11]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ _argvec[2+11] = (unsigned long)arg11; \ __asm__ volatile( \ "mr 11,%1\n\t" \ 
VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(144) \ /* arg11 */ \ "ld 3,88(11)\n\t" \ "std 3,128(1)\n\t" \ /* arg10 */ \ "ld 3,80(11)\n\t" \ "std 3,120(1)\n\t" \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(144) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+12]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ _argvec[2+11] = (unsigned long)arg11; \ _argvec[2+12] = (unsigned long)arg12; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ 
VG_EXPAND_FRAME_BY_trashes_r3(144) \ /* arg12 */ \ "ld 3,96(11)\n\t" \ "std 3,136(1)\n\t" \ /* arg11 */ \ "ld 3,88(11)\n\t" \ "std 3,128(1)\n\t" \ /* arg10 */ \ "ld 3,80(11)\n\t" \ "std 3,120(1)\n\t" \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(144) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #endif /* PLAT_ppc64_aix5 */ /* ------------------------------------------------------------------ */ /* ARCHITECTURE INDEPENDENT MACROS for CLIENT REQUESTS. */ /* */ /* ------------------------------------------------------------------ */ /* Some request codes. There are many more of these, but most are not exposed to end-user view. These are the public ones, all of the form 0x1000 + small_number. Core ones are in the range 0x00000000--0x0000ffff. The non-public ones start at 0x2000. */ /* These macros are used by tools -- they must be public, but don't embed them into other programs. */ #define VG_USERREQ_TOOL_BASE(a,b) \ ((unsigned int)(((a)&0xff) << 24 | ((b)&0xff) << 16)) #define VG_IS_TOOL_USERREQ(a, b, v) \ (VG_USERREQ_TOOL_BASE(a,b) == ((v) & 0xffff0000)) /* !! ABIWARNING !! ABIWARNING !! ABIWARNING !! ABIWARNING !! This enum comprises an ABI exported by Valgrind to programs which use client requests. DO NOT CHANGE THE ORDER OF THESE ENTRIES, NOR DELETE ANY -- add new ones at the end. 
*/ typedef enum { VG_USERREQ__RUNNING_ON_VALGRIND = 0x1001, VG_USERREQ__DISCARD_TRANSLATIONS = 0x1002, /* These allow any function to be called from the simulated CPU but run on the real CPU. Nb: the first arg passed to the function is always the ThreadId of the running thread! So CLIENT_CALL0 actually requires a 1 arg function, etc. */ VG_USERREQ__CLIENT_CALL0 = 0x1101, VG_USERREQ__CLIENT_CALL1 = 0x1102, VG_USERREQ__CLIENT_CALL2 = 0x1103, VG_USERREQ__CLIENT_CALL3 = 0x1104, /* Can be useful in regression testing suites -- eg. can send Valgrind's output to /dev/null and still count errors. */ VG_USERREQ__COUNT_ERRORS = 0x1201, /* These are useful and can be interpreted by any tool that tracks malloc() et al, by using vg_replace_malloc.c. */ VG_USERREQ__MALLOCLIKE_BLOCK = 0x1301, VG_USERREQ__FREELIKE_BLOCK = 0x1302, /* Memory pool support. */ VG_USERREQ__CREATE_MEMPOOL = 0x1303, VG_USERREQ__DESTROY_MEMPOOL = 0x1304, VG_USERREQ__MEMPOOL_ALLOC = 0x1305, VG_USERREQ__MEMPOOL_FREE = 0x1306, VG_USERREQ__MEMPOOL_TRIM = 0x1307, VG_USERREQ__MOVE_MEMPOOL = 0x1308, VG_USERREQ__MEMPOOL_CHANGE = 0x1309, VG_USERREQ__MEMPOOL_EXISTS = 0x130a, /* Allow printfs to valgrind log. */ VG_USERREQ__PRINTF = 0x1401, VG_USERREQ__PRINTF_BACKTRACE = 0x1402, /* Stack support. */ VG_USERREQ__STACK_REGISTER = 0x1501, VG_USERREQ__STACK_DEREGISTER = 0x1502, VG_USERREQ__STACK_CHANGE = 0x1503 } Vg_ClientRequest; #if !defined(__GNUC__) # define __extension__ /* */ #endif /* Returns the number of Valgrinds this code is running under. That is, 0 if running natively, 1 if running under Valgrind, 2 if running under Valgrind which is running under another Valgrind, etc. */ #define RUNNING_ON_VALGRIND __extension__ \ ({unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* if not */, \ VG_USERREQ__RUNNING_ON_VALGRIND, \ 0, 0, 0, 0, 0); \ _qzz_res; \ }) /* Discard translation of code in the range [_qzz_addr .. _qzz_addr + _qzz_len - 1]. 
Useful if you are debugging a JITter or some such, since it provides a way to make sure valgrind will retranslate the invalidated area. Returns no value. */ #define VALGRIND_DISCARD_TRANSLATIONS(_qzz_addr,_qzz_len) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__DISCARD_TRANSLATIONS, \ _qzz_addr, _qzz_len, 0, 0, 0); \ } /* These requests are for getting Valgrind itself to print something. Possibly with a backtrace. This is a really ugly hack. */ #if defined(NVALGRIND) # define VALGRIND_PRINTF(...) # define VALGRIND_PRINTF_BACKTRACE(...) #else /* NVALGRIND */ /* Modern GCC will optimize the static routine out if unused, and unused attribute will shut down warnings about it. */ static int VALGRIND_PRINTF(const char *format, ...) __attribute__((format(__printf__, 1, 2), __unused__)); static int VALGRIND_PRINTF(const char *format, ...) { unsigned long _qzz_res; va_list vargs; va_start(vargs, format); VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, VG_USERREQ__PRINTF, (unsigned long)format, (unsigned long)vargs, 0, 0, 0); va_end(vargs); return (int)_qzz_res; } static int VALGRIND_PRINTF_BACKTRACE(const char *format, ...) __attribute__((format(__printf__, 1, 2), __unused__)); static int VALGRIND_PRINTF_BACKTRACE(const char *format, ...) { unsigned long _qzz_res; va_list vargs; va_start(vargs, format); VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, VG_USERREQ__PRINTF_BACKTRACE, (unsigned long)format, (unsigned long)vargs, 0, 0, 0); va_end(vargs); return (int)_qzz_res; } #endif /* NVALGRIND */ /* These requests allow control to move from the simulated CPU to the real CPU, calling an arbitary function. Note that the current ThreadId is inserted as the first argument. So this call: VALGRIND_NON_SIMD_CALL2(f, arg1, arg2) requires f to have this signature: Word f(Word tid, Word arg1, Word arg2) where "Word" is a word-sized type. Note that these client requests are not entirely reliable. 
For example, if you call a function with them that subsequently calls printf(), there's a high chance Valgrind will crash. Generally, your prospects of these working are made higher if the called function does not refer to any global variables, and does not refer to any libc or other functions (printf et al). Any kind of entanglement with libc or dynamic linking is likely to have a bad outcome, for tricky reasons which we've grappled with a lot in the past. */ #define VALGRIND_NON_SIMD_CALL0(_qyy_fn) \ __extension__ \ ({unsigned long _qyy_res; \ VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */, \ VG_USERREQ__CLIENT_CALL0, \ _qyy_fn, \ 0, 0, 0, 0); \ _qyy_res; \ }) #define VALGRIND_NON_SIMD_CALL1(_qyy_fn, _qyy_arg1) \ __extension__ \ ({unsigned long _qyy_res; \ VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */, \ VG_USERREQ__CLIENT_CALL1, \ _qyy_fn, \ _qyy_arg1, 0, 0, 0); \ _qyy_res; \ }) #define VALGRIND_NON_SIMD_CALL2(_qyy_fn, _qyy_arg1, _qyy_arg2) \ __extension__ \ ({unsigned long _qyy_res; \ VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */, \ VG_USERREQ__CLIENT_CALL2, \ _qyy_fn, \ _qyy_arg1, _qyy_arg2, 0, 0); \ _qyy_res; \ }) #define VALGRIND_NON_SIMD_CALL3(_qyy_fn, _qyy_arg1, _qyy_arg2, _qyy_arg3) \ __extension__ \ ({unsigned long _qyy_res; \ VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */, \ VG_USERREQ__CLIENT_CALL3, \ _qyy_fn, \ _qyy_arg1, _qyy_arg2, \ _qyy_arg3, 0); \ _qyy_res; \ }) /* Counts the number of errors that have been recorded by a tool. Nb: the tool must record the errors with VG_(maybe_record_error)() or VG_(unique_error)() for them to be counted. */ #define VALGRIND_COUNT_ERRORS \ __extension__ \ ({unsigned int _qyy_res; \ VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */, \ VG_USERREQ__COUNT_ERRORS, \ 0, 0, 0, 0, 0); \ _qyy_res; \ }) /* Mark a block of memory as having been allocated by a malloc()-like function. `addr' is the start of the usable block (ie. 
after any redzone) `rzB' is redzone size if the allocator can apply redzones; use '0' if not. Adding redzones makes it more likely Valgrind will spot block overruns. `is_zeroed' indicates if the memory is zeroed, as it is for calloc(). Put it immediately after the point where a block is allocated. If you're using Memcheck: If you're allocating memory via superblocks, and then handing out small chunks of each superblock, if you don't have redzones on your small blocks, it's worth marking the superblock with VALGRIND_MAKE_MEM_NOACCESS when it's created, so that block overruns are detected. But if you can put redzones on, it's probably better to not do this, so that messages for small overruns are described in terms of the small block rather than the superblock (but if you have a big overrun that skips over a redzone, you could miss an error this way). See memcheck/tests/custom_alloc.c for an example. WARNING: if your allocator uses malloc() or 'new' to allocate superblocks, rather than mmap() or brk(), this will not work properly -- you'll likely get assertion failures during leak detection. This is because Valgrind doesn't like seeing overlapping heap blocks. Sorry. Nb: block must be freed via a free()-like function specified with VALGRIND_FREELIKE_BLOCK or mismatch errors will occur. */ #define VALGRIND_MALLOCLIKE_BLOCK(addr, sizeB, rzB, is_zeroed) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__MALLOCLIKE_BLOCK, \ addr, sizeB, rzB, is_zeroed, 0); \ } /* Mark a block of memory as having been freed by a free()-like function. `rzB' is redzone size; it must match that given to VALGRIND_MALLOCLIKE_BLOCK. Memory not freed will be detected by the leak checker. Put it immediately after the point where the block is freed. */ #define VALGRIND_FREELIKE_BLOCK(addr, rzB) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__FREELIKE_BLOCK, \ addr, rzB, 0, 0, 0); \ } /* Create a memory pool. 
*/ #define VALGRIND_CREATE_MEMPOOL(pool, rzB, is_zeroed) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__CREATE_MEMPOOL, \ pool, rzB, is_zeroed, 0, 0); \ } /* Destroy a memory pool. */ #define VALGRIND_DESTROY_MEMPOOL(pool) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__DESTROY_MEMPOOL, \ pool, 0, 0, 0, 0); \ } /* Associate a piece of memory with a memory pool. */ #define VALGRIND_MEMPOOL_ALLOC(pool, addr, size) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__MEMPOOL_ALLOC, \ pool, addr, size, 0, 0); \ } /* Disassociate a piece of memory from a memory pool. */ #define VALGRIND_MEMPOOL_FREE(pool, addr) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__MEMPOOL_FREE, \ pool, addr, 0, 0, 0); \ } /* Disassociate any pieces outside a particular range. */ #define VALGRIND_MEMPOOL_TRIM(pool, addr, size) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__MEMPOOL_TRIM, \ pool, addr, size, 0, 0); \ } /* Resize and/or move a piece associated with a memory pool. */ #define VALGRIND_MOVE_MEMPOOL(poolA, poolB) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__MOVE_MEMPOOL, \ poolA, poolB, 0, 0, 0); \ } /* Resize and/or move a piece associated with a memory pool. */ #define VALGRIND_MEMPOOL_CHANGE(pool, addrA, addrB, size) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__MEMPOOL_CHANGE, \ pool, addrA, addrB, size, 0); \ } /* Return 1 if a mempool exists, else 0. */ #define VALGRIND_MEMPOOL_EXISTS(pool) \ ({unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__MEMPOOL_EXISTS, \ pool, 0, 0, 0, 0); \ _qzz_res; \ }) /* Mark a piece of memory as being a stack. Returns a stack id. 
*/ #define VALGRIND_STACK_REGISTER(start, end) \ ({unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__STACK_REGISTER, \ start, end, 0, 0, 0); \ _qzz_res; \ }) /* Unmark the piece of memory associated with a stack id as being a stack. */ #define VALGRIND_STACK_DEREGISTER(id) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__STACK_DEREGISTER, \ id, 0, 0, 0, 0); \ } /* Change the start and end address of the stack id. */ #define VALGRIND_STACK_CHANGE(id, start, end) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__STACK_CHANGE, \ id, start, end, 0, 0); \ } #undef PLAT_x86_linux #undef PLAT_amd64_linux #undef PLAT_ppc32_linux #undef PLAT_ppc64_linux #undef PLAT_ppc32_aix5 #undef PLAT_ppc64_aix5 #endif /* __VALGRIND_H */ fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/000077500000000000000000000000001303637203600217135ustar00rootroot00000000000000fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/BaseCompiler.cpp000066400000000000000000000154431303637203600247730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
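To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "config.h"
#include "fwbuilder/libfwbuilder-config.h"
/* NOTE(review): the <...> names of the bare #include lines below were lost
   when this listing was extracted; restore them from the repository before
   this translation unit will preprocess. */
#include
#include "BaseCompiler.h"
#include
#include
#include
#include
#include
#include

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

/*
 * Writes `text` to `out` one line at a time, prefixing every non-empty line
 * with comment_sep. Shared by getErrors() and getErrorsForRule() so that a
 * message carrying an embedded newline can never produce an output line
 * that lacks the comment marker (the output is pasted into generated
 * scripts as comments).
 */
static void emitCommentedLines(ostream &out,
                               const string &comment_sep,
                               const string &text)
{
    istringstream istr(text);
    string line;
    while (getline(istr, line))
    {
        if (line.length()) out << comment_sep << line << endl;
    }
}

/*
 * Exception that remembers the rule being compiled when the error occurred
 * so the caller can map the message back to that rule.
 */
FWCompilerException::FWCompilerException(Rule *r, const string &err) : FWException(err)
{
    rule = r;
}

/* True once anything (error or warning) has been written to errors_buffer. */
bool BaseCompiler::haveErrorsAndWarnings()
{
    return (int(errors_buffer.tellp()) > 0);
}

/*
 * Returns every accumulated message, one per line, each prefixed with
 * comment_sep (typically the comment marker of the target language).
 * Empty lines are dropped.
 */
string BaseCompiler::getErrors(const string &comment_sep)
{
    ostringstream ostr;
    emitCommentedLines(ostr, comment_sep, errors_buffer.str());
    return ostr.str();
}

/* Discards the message buffer and the per-rule message lists. */
void BaseCompiler::clearErrors()
{
    errors_buffer.str("");
    rule_errors.clear();
}

/*
 * Returns the messages recorded for `rule` (keyed by its label), sorted and
 * with consecutive duplicates removed, each line prefixed with comment_sep.
 * Returns an empty string when rule is NULL. Note that the stored list is
 * sorted in place and that an empty entry is created for labels that never
 * had a message.
 */
string BaseCompiler::getErrorsForRule(Rule *rule, const std::string &comment_sep)
{
    if (rule == NULL) return "";

    string rule_label = rule->getLabel();
    list<string> &messages = rule_errors[rule_label];
    // sorting makes duplicates adjacent, so comparing with `prev` is enough
    messages.sort();

    ostringstream ostr;
    string prev;
    for (list<string>::const_iterator it = messages.begin();
         it != messages.end(); ++it)
    {
        if (*it != prev) emitCommentedLines(ostr, comment_sep, *it);
        prev = *it;
    }
    return ostr.str();
}

/*
 * Error and warning format:
 *
 *   fw-object-name:ruleset-name:rule-number: %LEVEL%: message
 *
 * level_macro is left in place here and replaced by setLevel() once the
 * caller knows whether the message is an error or a warning. Any of fw,
 * ruleset and rule may be NULL; the corresponding field is then empty.
 */
string BaseCompiler::stdErrorMessage(FWObject *fw,
                                     FWObject *ruleset,
                                     FWObject *rule,
                                     const std::string &errstr)
{
    ostringstream tmpstr;

    // TODO: (some day) get rid of the argument @fw and use attribute
    // ".ruleset_owner" instead. Set this attribute in the place where
    // we prepare rules for processing and copy them to the
    // queue. This way, when CompilerDriver prepares rules from the
    // cluster, it can override the same attribute to make error and
    // warning messages refer to the correct object that really owns
    // the rule sets.
    string ruleset_owner;
    if (ruleset)
    {
        ruleset_owner = ruleset->getStr(".ruleset_owner");
    }
    if (ruleset_owner.empty() && fw) ruleset_owner = fw->getName();

    tmpstr << ruleset_owner << ":";
    if (ruleset) tmpstr << ruleset->getName();
    tmpstr << ":";
    if (rule && Rule::cast(rule)) tmpstr << Rule::cast(rule)->getPosition();
    tmpstr << ": ";
    tmpstr << level_macro << ": ";
    tmpstr << errstr;
    return tmpstr.str();
}

/*
 * Strips trailing newlines from errstr and replaces the first occurrence of
 * level_macro with `level`. Returns the resulting string.
 */
string BaseCompiler::setLevel(const string &level, const string &errstr)
{
    string str = errstr;
    // Guard the empty / all-newline case: indexing str.length() - 1 on an
    // empty string would otherwise throw std::out_of_range.
    while (!str.empty() && str[str.length() - 1] == '\n')
        str.erase(str.length() - 1);

    size_t n = str.find(level_macro);
    if (n != string::npos) str.replace(n, level_macro.length(), level);
    return str;
}

/*
 * Formats a message for (fw, ruleset, rule) at the given level, prints it
 * and, when rule is a Rule, stores it on the rule and in rule_errors under
 * the rule's label.
 */
void BaseCompiler::message(const std::string &level,
                           FWObject *fw,
                           FWObject *ruleset,
                           FWObject *rule,
                           const string &errstr)
{
    string str = setLevel(level, stdErrorMessage(fw, ruleset, rule, errstr));
    printError(str);

    Rule *cast_rule = Rule::cast(rule);
    if (cast_rule)
    {
        cast_rule->setCompilerMessage(str);
        rule_errors[cast_rule->getLabel()].push_back(str);
    }
}

/*
 * Appends errstr to errors_buffer and, outside embedded mode, echoes it to
 * stderr (stdout is flushed first so the two streams stay ordered).
 */
void BaseCompiler::printError(const string &errstr)
{
    if (!inEmbeddedMode())
    {
        cout << flush;
        cerr << errstr << endl;
    }
    errors_buffer << errstr << endl;
}

/*
 * Note that when this code runs as part of the command line compiler
 * rather than as a single-rule compile function inside the GUI (that
 * is, it is not in embedded mode) and if test mode was activated
 * (usually via command line flag "-xt"), then abort() behaves as
 * error(), that is, it prints the error message but does not terminate
 * the process and just returns. In embedded mode it always throws an
 * exception to stop compiling.
 */
void BaseCompiler::abort(const string &errstr) throw(FWException)
{
    printError(errstr);
    if (inEmbeddedMode())
        throw FatalErrorInSingleRuleCompileMode(errors_buffer.str());
    status = FWCOMPILER_ERROR;
    if (test_mode) return;
    throw FWException("Fatal error");
}

/* Same as abort(errstr) but formats the message for (fw, ruleset, rule). */
void BaseCompiler::abort(FWObject *fw,
                         FWObject *ruleset,
                         FWObject *rule,
                         const string &errstr) throw(FWException)
{
    message("error", fw, ruleset, rule, errstr);
    if (inEmbeddedMode())
        throw FatalErrorInSingleRuleCompileMode(errors_buffer.str());
    status = FWCOMPILER_ERROR;
    if (test_mode) return;
    throw FWException("Fatal error");
}

/* Records an error and marks the compile as failed; does not return early. */
void BaseCompiler::error(const string &str)
{
    status = FWCOMPILER_ERROR;
    printError(str);
}

/* Same as error(str) but formats the message for (fw, ruleset, rule). */
void BaseCompiler::error(FWObject *fw,
                         FWObject *ruleset,
                         FWObject *rule,
                         const string &errstr)
{
    status = FWCOMPILER_ERROR;
    message("error", fw, ruleset, rule, errstr);
}

/*
 * Records a warning. The status only moves to FWCOMPILER_WARNING when no
 * error has been recorded yet: a later warning must not hide an earlier
 * error from getStatus(), otherwise a run that already failed could be
 * reported as merely "with warnings".
 */
void BaseCompiler::warning(const string &str)
{
    if (status != FWCOMPILER_ERROR) status = FWCOMPILER_WARNING;
    printError(str);
}

/* Same as warning(str) but formats the message for (fw, ruleset, rule). */
void BaseCompiler::warning(FWObject *fw,
                           FWObject *ruleset,
                           FWObject *rule,
                           const string &errstr)
{
    if (status != FWCOMPILER_ERROR) status = FWCOMPILER_WARNING;
    message("warning", fw, ruleset, rule, errstr);
}

/* Informational message; printed to stdout only outside embedded mode. */
void BaseCompiler::info(const string &str)
{
    if (!inEmbeddedMode())
    {
        cout << str << endl << flush;
    }
}

/*
 * Replaces the contents of err_regexp with the regular expressions that
 * match error lines produced by printError()/message().
 */
void BaseCompiler::errorRegExp(std::list<std::string> *err_regexp)
{
    err_regexp->clear();
    err_regexp->push_back("([^:]*):([^:]*):.*[Ee]rror:");
    err_regexp->push_back("(Error(:| )[^\n]*)");
}

/*
 * Replaces the contents of warn_regexp with the regular expressions that
 * match warning lines produced by printError()/message().
 */
void BaseCompiler::warningRegExp(std::list<std::string> *warn_regexp)
{
    warn_regexp->clear();
    warn_regexp->push_back("([^:]*):([^:]*):.*[Ww]arning:");
    warn_regexp->push_back("(Warning(:| )[^\n]*)");
}
fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/BaseCompiler.h000066400000000000000000000127041303637203600244350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 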
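You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef __BASE_COMPILER_HH__
#define __BASE_COMPILER_HH__

#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Rule.h"
#include "fwcompiler/exceptions.h"
/* NOTE(review): the <...> name of the bare #include below was lost when this
   listing was extracted; restore it from the repository. */
#include

namespace fwcompiler {

    /**
     * Exception raised while compiling a specific rule; carries a pointer
     * to that rule so the caller can attribute the message to it.
     */
    class FWCompilerException : public libfwbuilder::FWException
    {
        libfwbuilder::Rule *rule;
    public:
        FWCompilerException(libfwbuilder::Rule *r, const std::string &err);
        libfwbuilder::Rule *getRule() const { return rule; }
    };

    /**
     * Common error/warning reporting for all compilers. Messages are
     * printed (outside embedded mode) and accumulated in a buffer that
     * the driver later retrieves via getErrors()/getErrorsForRule().
     */
    class BaseCompiler
    {
        // placeholder inserted into messages, replaced by the level
        // ("error"/"warning") in setLevel()
        std::string level_macro;

        // all errors generated by the compiler
        std::stringstream errors_buffer;

        // a dictionary mapping rule label to the list of errors associated
        // with it.
        std::map<std::string, std::list<std::string> > rule_errors;

        // in test mode we treat fatal errors as errors and continue after
        // printing the error message
        bool test_mode;

        // this is single-rule-compile mode; compiler is embedded in the GUI
        bool embedded_mode;

        /**
         * assembles standard error message using format similar to
         * the error message format of gcc. Useful to prepare errors
         * and warnings before calling error() or warning() methods
         */
        std::string stdErrorMessage(libfwbuilder::FWObject *fw,
                                    libfwbuilder::FWObject *ruleset,
                                    libfwbuilder::FWObject *rule,
                                    const std::string &errstr);

        /** strips trailing newlines and substitutes level_macro with level */
        std::string setLevel(const std::string &level,
                             const std::string &errstr);

        /** appends to errors_buffer and echoes to stderr outside embedded mode */
        void printError(const std::string &errstr);

        /** formats, prints and records a message at the given level */
        void message(const std::string &level,
                     libfwbuilder::FWObject *fw,
                     libfwbuilder::FWObject *ruleset,
                     libfwbuilder::FWObject *rule,
                     const std::string &errstr);

    public:
        typedef enum {
            FWCOMPILER_SUCCESS,
            FWCOMPILER_WARNING,
            FWCOMPILER_ERROR
        } termination_status;

    protected:
        termination_status status;

    public:
        virtual void setTestMode() { test_mode = true; }
        bool inTestMode() { return test_mode; }

        virtual void setEmbeddedMode() { embedded_mode = true; }
        bool inEmbeddedMode() { return embedded_mode; }

        termination_status getStatus() { return status; }

        /**
         * prints error message and aborts the program. If compiler is
         * in testing mode (flag test_mode==true), then just prints
         * the error message and returns. In embedded mode it throws
         * FatalErrorInSingleRuleCompileMode instead.
         */
        virtual void abort(const std::string &errstr)
            throw(libfwbuilder::FWException);
        virtual void abort(libfwbuilder::FWObject *fw,
                           libfwbuilder::FWObject *ruleset,
                           libfwbuilder::FWObject *rule,
                           const std::string &errstr)
            throw(libfwbuilder::FWException);

        /**
         * prints an error message, sets status to FWCOMPILER_ERROR and
         * returns
         */
        virtual void error(const std::string &warnstr);
        virtual void error(libfwbuilder::FWObject *fw,
                           libfwbuilder::FWObject *ruleset,
                           libfwbuilder::FWObject *rule,
                           const std::string &warnstr);

        /**
         * prints warning message
         */
        virtual void warning(const std::string &warnstr);
        virtual void warning(libfwbuilder::FWObject *fw,
                             libfwbuilder::FWObject *ruleset,
                             libfwbuilder::FWObject *rule,
                             const std::string &warnstr);

        /**
         * prints info message. These are only printed to stdout if
         * compiler is not in embedded mode. In embedded mode info
         * messages are ignored.
         */
        virtual void info(const std::string &warnstr);

        virtual ~BaseCompiler() {};

        BaseCompiler()
        {
            test_mode = false;
            embedded_mode = false;
            level_macro = "%LEVEL%";
            status = FWCOMPILER_SUCCESS;
        };

        /** all accumulated messages, one per line, prefixed with comment_sep */
        std::string getErrors(const std::string &comment_sep);
        bool haveErrorsAndWarnings();
        void clearErrors();

        /** messages recorded for this rule, sorted and de-duplicated */
        std::string getErrorsForRule(libfwbuilder::Rule *rule,
                                     const std::string &comment_sep);

        /**
         * fills a list of strings with regular expressions that match
         * error messages
         */
        static void errorRegExp(std::list<std::string> *err_regexp);

        /**
         * fills a list of strings with regular expressions that match
         * warning messages
         */
        static void warningRegExp(std::list<std::string> *warn_regexp);
    };

}

#endif
fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/Compiler.cpp000066400000000000000000001554021303637203600242000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 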
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include #include "Compiler.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Group.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/MultiAddress.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; int Compiler::prolog() { temp = new Group(); temp->setName("Temp Group"); fw->add(temp, false); return 0; } void Compiler::epilog() { } void Compiler::abort(const string &errstr) throw(FWException) { BaseCompiler::abort(fw, source_ruleset, NULL, errstr); } void Compiler::abort(FWObject *rule, const string &errstr) throw(FWException) { BaseCompiler::abort(fw, source_ruleset, rule, errstr); } void Compiler::error(const string &errstr) { BaseCompiler::error(fw, source_ruleset, NULL, errstr); } void Compiler::error(FWObject *rule, const string &errstr) { BaseCompiler::error(fw, source_ruleset, rule, errstr); } void Compiler::warning(const string &errstr) { 
BaseCompiler::warning(fw, source_ruleset, NULL, errstr); } void Compiler::warning(FWObject *rule, const string &errstr) { BaseCompiler::warning(fw, source_ruleset, rule, errstr); } int Compiler::getCompiledScriptLength() { return int(output.tellp()); } string Compiler::getCompiledScript() { string res; res=output.str(); /* * NB: according to Rogue Wave docs, method basic_stringbuf::seekpos is public, * however implementation that comes with g++ 3.x declares it as protected * * Method str(const char*) is not described in Rogue Wave docs at * all. Stroustrup does not methion it either. */ // output.rdbuf()->seekpos(0); output.str(""); return res; } void Compiler::_init(FWObjectDatabase *_db, Firewall *_fw) { initialized = false; _cntr_ = 1; group_registry = NULL; temp_ruleset = NULL; debug = 0; debug_rule = -1; rule_debug_on = false; verbose = true; single_rule_mode = false; single_rule_ruleset_name = ""; single_rule_position = -1; dbcopy = NULL; persistent_objects = NULL; fw = NULL; fwopt = NULL; fw_id = -1; if (_db != NULL && _fw != NULL) { assert(_fw->getRoot() == _db); dbcopy = _db; fw = _fw; fwopt = fw->getOptionsObject(); fw_id = fw->getId(); // string fw_str_id = FWObjectDatabase::getStringId(_fw->getId()); // dbcopy = new FWObjectDatabase(*_db); // copies entire tree // fw = Firewall::cast( // dbcopy->findInIndex(FWObjectDatabase::getIntId(fw_str_id))); // fwopt = fw->getOptionsObject(); // fw_id = fw->getId(); } } Compiler::Compiler(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy) { source_ruleset = NULL; ruleSetName = ""; osconfigurator = NULL; countIPv6Rules = 0; ipv6 = ipv6_policy; persistent_objects = NULL; _init(_db, fw); } Compiler::Compiler(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf) { source_ruleset = NULL; ruleSetName = ""; osconfigurator = _oscnf; countIPv6Rules = 0; ipv6 = ipv6_policy; persistent_objects = NULL; _init(_db, fw); } // this constructor is used by class Preprocessor, it does not call _init 
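Compiler::Compiler(FWObjectDatabase*, bool ipv6_policy)
{
    source_ruleset = NULL;
    ruleSetName = "";
    osconfigurator = NULL;
    countIPv6Rules = 0;
    ipv6 = ipv6_policy;
    initialized = false;
    _cntr_ = 1;
    persistent_objects = NULL;
    fw = NULL;
    temp_ruleset = NULL;
    debug = 0;
    debug_rule = -1;
    rule_debug_on = false;
    verbose = true;
    single_rule_mode = false;
    // This constructor does not go through _init(), so give the remaining
    // members the same defaults _init() uses. Without this, dbcopy (read by
    // setPersistentObjects() and setSourceRuleSet()), group_registry (read by
    // _expandAddressRanges()), fwopt and fw_id hold indeterminate values.
    single_rule_ruleset_name = "";
    single_rule_position = -1;
    single_rule_compile_rule = NULL;
    group_registry = NULL;
    dbcopy = NULL;
    fwopt = NULL;
    fw_id = -1;
}

Compiler::~Compiler()
{
    deleteRuleProcessors();
    dbcopy = NULL;
}

/*
 * Attach the library that holds objects created during compilation and
 * reparent the working database copy into it.
 */
void Compiler::setPersistentObjects(Library* po)
{
    // dbcopy is only set by _init(); the Preprocessor constructor leaves it NULL
    assert(dbcopy != NULL);
    persistent_objects = po;
    dbcopy->reparent(persistent_objects);
    persistent_objects->fixTree();
}

/*
 * Select the rule set to compile. The object stored is the copy of 'rs'
 * that lives in dbcopy, looked up by id.
 */
void Compiler::setSourceRuleSet(RuleSet *rs)
{
    FWObject *copy_rs = dbcopy->findInIndex(rs->getId());
    source_ruleset = RuleSet::cast(copy_rs);
}

/*
 * Enable single-rule compile mode for the rule with the given string id.
 * An empty id, or an id that does not resolve to a Rule in dbcopy, leaves
 * the mode unchanged.
 */
void Compiler::setSingleRuleCompileMode(const string &rule_id)
{
    if (rule_id.empty()) return;

    Rule *rule = Rule::cast(
        dbcopy->findInIndex(FWObjectDatabase::getIntId(rule_id)));
    if (rule == NULL) return;

    single_rule_mode = true;
    single_rule_compile_rule = rule;
    single_rule_position = rule->getPosition();
    single_rule_ruleset_name = rule->getParent()->getName();
}

/*
 * Build a rule label of the form "<prefix> <rule_num> (<txt>)"; the
 * prefix and its trailing space are omitted when prefix is empty.
 */
string Compiler::createRuleLabel(const std::string &prefix,
                                 const string &txt,
                                 int rule_num)
{
    ostringstream str;
    if (!prefix.empty()) str << prefix << " ";
    str << rule_num << " ";
    str << "(" << txt << ")";
    return str.str();
}

/*
 * Returns "R_<n>" with a counter that increments on every call, so
 * labels generated by one compiler instance never repeat.
 */
string Compiler::getUniqueRuleLabel()
{
    ostringstream str;
    str << "R_" << _cntr_;
    _cntr_++;
    return str.str();
}

void Compiler::compile()
{
    assert(fw);
}

void Compiler::_expand_group_recursive(FWObject *o, list<FWObject*> &ol)
{
    /*
     * ref #50: ignore various Options child objects. In particular this
     * skips ClusterGroupOptions object which is a child of
     * FailoverClusterGroup and StateSyncClusterGroup objects.
     */
    if (FWOptions::cast(o)) return;

    /* special case: MultiAddress.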
This class inherits ObjectGroup, but * should not be expanded if it is expanded at run time * * This is now redundant since we use class MultiAddressRunTime for * run-time address tables */ MultiAddress *adt = MultiAddress::cast(o); if ((Group::cast(o)!=NULL && adt==NULL) || (adt!=NULL && adt->isCompileTime())) { for (FWObject::iterator i2=o->begin(); i2!=o->end(); ++i2) { FWObject *o1 = FWReference::getObject(*i2); assert(o1); _expand_group_recursive(o1, ol); } } else { if (o->getId() == FWObjectDatabase::ANY_ADDRESS_ID) { o->ref(); ol.push_back( o ); } else { Address *oaddr = Address::cast(o); if (oaddr && oaddr->hasInetAddress()) { if (MatchesAddressFamily(o)) { o->ref(); ol.push_back( o ); } } else { // not an address object at all o->ref(); ol.push_back( o ); } } } } /* * Common interface to the operation of expanding of a group * recursively. This just calls internal function * _expand_group_recursive() */ void Compiler::expandGroup(FWObject *grp, list &ol) { for (FWObject::iterator i1=grp->begin(); i1!=grp->end(); ++i1) { FWObject *o = FWReference::getObject(*i1); assert(o); _expand_group_recursive(o, ol); } } /** * object 's' here is really src or dst or srv. 
Its children objects * should all be references */ void Compiler::expandGroupsInRuleElement(RuleElement *s) { list cl; expandGroup(s, cl); s->clearChildren(); //s->setAnyElement(); cl.sort(FWObjectNameCmpPredicate()); for(FWObject::iterator i2=cl.begin(); i2!=cl.end(); ++i2) { if (!s->validateChild(*i2)) abort(s->getParent(), "Object '" + (*i2)->getName() + "' can not be used in rule element " + s->getTypeName()); s->addRef( *i2 ); } } void Compiler::_expand_addr_recursive(Rule *rule, FWObject *s, list &ol, bool expand_cluster_interfaces_fully) { // Interface *rule_iface = Interface::cast(dbcopy->findInIndex(rule->getInterfaceId())); bool on_loopback = false; if (PolicyRule::isA(rule)) { RuleElement *intf_re = PolicyRule::cast(rule)->getItf(); Interface *rule_iface = Interface::cast(FWObjectReference::getObject(intf_re->front())); on_loopback = ( rule_iface && rule_iface->isLoopback() ); } list addrlist; for (FWObject::iterator i1=s->begin(); i1!=s->end(); ++i1) { FWObject *o = FWReference::getObject(*i1); assert(o); Address *addr = Address::cast(o); // this condition includes Host, Firewall and Interface if (addr && !addr->hasInetAddress()) { addrlist.push_back(o); continue; } // IPv4, IPv6, Network, NetworkIPv6 if (addr && addr->hasInetAddress() && MatchesAddressFamily(o)) { addrlist.push_back(o); continue; } if (o->getId() == FWObjectDatabase::ANY_ADDRESS_ID || MultiAddress::cast(o)!=NULL || Interface::cast(o) || physAddress::cast(o)) { addrlist.push_back(o); continue; } } if (addrlist.empty()) { if (RuleElement::cast(s)==NULL) ol.push_back(s); } else { for (list::iterator i2=addrlist.begin(); i2!=addrlist.end(); ++i2) { Interface *i2itf = Interface::cast(*i2); if (i2itf) { /* * skip copy of the member interface added in CompilerDriver::copyFailoverInterface */ if (i2itf->getBool("member_interface_copy")) continue; /* * Special case is loopback interface - skip it, but only if this rule is * not attached to loopback! 
* * Correction 10/20/2008: if user put loopback interface object into * rule element, keep it. However if we expanded it from a host or * firewall object, then skip it unless the rule is attached to * loopback interface. */ if (i2itf->isLoopback()) { if (RuleElement::cast(s) || on_loopback) _expand_interface( rule, i2itf, ol, expand_cluster_interfaces_fully); } else // this is not a loopback interface _expand_interface( rule, i2itf, ol, expand_cluster_interfaces_fully); continue; } _expand_addr_recursive(rule, *i2, ol, expand_cluster_interfaces_fully); } } } void Compiler::_expand_interface(Rule *rule, Interface *iface, std::list &ol, bool expand_cluster_interfaces_fully) { /* * if this is an interface with dynamic address, then simply use it * (that is, do not use its children elements "Address") */ if (iface->isDyn()) { ol.push_back(iface); return; } /* * we use physAddress only if Host option "use_mac_addr_filter" of the * parent Host object is true */ FWObject *p = Host::getParentHost(iface); //FWObject *p = iface->getParentHost(); Host *hp = Host::cast(p); if (hp==NULL) return; // something is very broken FWOptions *hopt = hp->getOptionsObject(); bool use_mac = (hopt!=NULL && hopt->getBool("use_mac_addr_filter")); for (FWObject::iterator i1=iface->begin(); i1!=iface->end(); ++i1) { FWObject *o= *i1; if (physAddress::cast(o)!=NULL) { if (use_mac) ol.push_back(o); continue; } // Skip bridge ports Interface *subint = Interface::cast(o); if (subint) { if (subint->isBridgePort()) continue; _expand_interface(rule, subint, ol, expand_cluster_interfaces_fully); continue; } if ( ! 
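iface->isUnnumbered() &&
            Address::cast(o)!=NULL &&
            MatchesAddressFamily(o)) ol.push_back(o);
    }

    if (expand_cluster_interfaces_fully && iface->isFailoverInterface())
    {
        // See #1234 Cluster failover interface expands to its own addresses,
        // plus addresses of the corresponding member interface
        FailoverClusterGroup *fg = FailoverClusterGroup::cast(
            iface->getFirstByType(FailoverClusterGroup::TYPENAME));
        // A failover interface without a FailoverClusterGroup child has no
        // member interfaces to add; stop here instead of dereferencing NULL.
        if (fg == NULL) return;

        Interface* member_intf = fg->getInterfaceForMemberFirewall(fw);
        if (member_intf)
            _expand_interface(rule, member_intf, ol,
                              expand_cluster_interfaces_fully);
        else
        {
            // per #1394, if the cluster interface used in the rule does not
            // belong to the cluster being compiled, expand it to its own
            // address and addresses of all corresponding member interfaces
            for (FWObjectTypedChildIterator it =
                     fg->findByType(FWObjectReference::TYPENAME);
                 it != it.end(); ++it)
            {
                Interface *other_intf =
                    Interface::cast(FWObjectReference::getObject(*it));
                assert(other_intf);
                _expand_interface(rule, other_intf, ol,
                                  expand_cluster_interfaces_fully);
            }
        }
    }
}

/**
 * Ordering predicate for the expanded address list (used with
 * std::list::sort in _expand_addr). Objects that are not Address
 * (e.g. DNSName and other MultiAddress objects) are ordered by name;
 * among Address objects, one without an address pointer precedes one
 * that has it, and two with addresses compare by InetAddr.
 *
 * The predicate must be a strict weak ordering: the previous version
 * returned true whenever addr1 was NULL, so compare(x, x) was true for
 * address-less objects, which violates that contract.
 */
bool compare_addresses(FWObject *o1, FWObject *o2)
{
    Address *a1 = Address::cast(o1);
    Address *a2 = Address::cast(o2);
    if (a1 == NULL || a2 == NULL)
    {
        // one or both could be MultiAddress objects (e.g. DNSName)
        return o1->getName() < o2->getName();
    }
    const InetAddr *addr1 = a1->getAddressPtr();
    const InetAddr *addr2 = a2->getAddressPtr();
    if (addr1 == NULL) return addr2 != NULL;
    if (addr2 == NULL) return false;
    return *addr1 < *addr2;
}

/**
 * internal: scans children of 's' and, if found host or firewall with
 * multiple interfaces, replaces reference to that host or firewall
 * with a set of references to its interfaces.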
Argument 's' should be * a pointer at either src or dst in the rule * */ void Compiler::_expand_addr(Rule *rule, FWObject *s, bool expand_cluster_interfaces_fully) { list cl; _expand_addr_recursive(rule, s, cl, expand_cluster_interfaces_fully); list expanded_addresses; for (FWObject::iterator i=cl.begin(); i!=cl.end(); ++i) { expanded_addresses.push_back(*i); } expanded_addresses.sort(compare_addresses); s->clearChildren(); for (list::iterator i1=expanded_addresses.begin(); i1!=expanded_addresses.end(); ++i1) { s->addRef( *i1 ); } } /** * replace address range objects in the rule element 're' with series of * regular address obejcts. Drop objects that do not match current * address family. */ void Compiler::_expandAddressRanges(Rule *rule, FWObject *re) { list cl; for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *o = FWReference::getObject(*i1); assert(o!=NULL); // if this is address range, check if it matches current address // family. If it is not address range, put it back into the rule element // If it is address range but it does not match address family, // throw it away. 
AddressRange *aro = AddressRange::cast(o); if (aro) { if (MatchesAddressFamily(o)) { InetAddr a1 = aro->getRangeStart(); InetAddr a2 = aro->getRangeEnd(); vector vn = libfwbuilder::convertAddressRange(a1,a2); if (vn.size() == 0) { abort(rule, "Address Range object '" + aro->getName() + "' can not be converted to set of addresses"); } for (vector::iterator i=vn.begin(); i!=vn.end(); i++) { Network *h = dbcopy->createNetwork(); h->setName(string("%n-")+(*i).toString()+string("%") ); h->setNetmask(*(i->getNetmaskPtr())); h->setAddress(*(i->getAddressPtr())); persistent_objects->add(h, false); cl.push_back(h); // see GroupRegistry::registerGroupObject() if (group_registry != NULL) { group_registry->setGroupRegistryKey( h, group_registry->getGroupRegistryKey(aro)); } } } } else { cl.push_back(o); } } re->clearChildren(); for (FWObject::iterator i1=cl.begin(); i1!=cl.end(); ++i1) re->addRef( *i1 ); } void Compiler::normalizePortRange(int &rs,int &re) { if (rs<0) rs=0; if (re<0) re=0; if (rs!=0 && re==0) re=rs; } void Compiler::debugRule() { for (FWObject::iterator i=source_ruleset->begin(); i!=source_ruleset->end(); i++) { Rule *rule = Rule::cast( *i ); if (rule == NULL) continue; if (rule_debug_on && rule->getPosition()==debug_rule ) { info(debugPrintRule(rule)); info("\n"); } } } /* * basic rule printing, not very useful. This method is overloaded in * derived classes */ string Compiler::debugPrintRule(libfwbuilder::Rule *rule) { return rule->getLabel(); } /** * adds rule processor to the chain and, if debugging is ON, also * adds rule processor "Debug" after that. 
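Do not add Debug after
 * certain processors, such as SimplePrintProgress
 */
void Compiler::add(BasicRuleProcessor* rp)
{
    rule_processors.push_back(rp);
    if (rule_debug_on && dynamic_cast<simplePrintProgress*>(rp)==NULL)
        rule_processors.push_back(new Debug());
}

/*
 * Chain the registered processors (each one pulls from the one added
 * before it) and drive the chain by repeatedly asking the last processor
 * for the next rule until it reports that it is done.
 */
void Compiler::runRuleProcessors()
{
    // begin() is not dereferenceable on an empty list; with no processors
    // registered there is simply nothing to run.
    if (rule_processors.empty()) return;

    list<BasicRuleProcessor*>::iterator i = rule_processors.begin();
    (*i)->setContext(this);
    list<BasicRuleProcessor*>::iterator j = i;
    ++i;
    for ( ; i!=rule_processors.end(); ++i)
    {
        (*i)->setContext(this);
        (*i)->setDataSource( (*j) );
        j = i;
    }
    while ((*j)->processNext()) ;
}

/*
 * Delete every processor added via add(); the compiler owns them.
 */
void Compiler::deleteRuleProcessors()
{
    while (!rule_processors.empty())
    {
        BasicRuleProcessor *rp = rule_processors.front();
        rule_processors.pop_front();
        delete rp;
    }
}

Compiler::Begin::Begin() : BasicRuleProcessor("")
{
    init = false;
}

Compiler::Begin::Begin(const std::string &n) : BasicRuleProcessor(n)
{
    init = false;
}

/*
 * First processor of the chain. On the first call it copies every
 * enabled, non-dummy rule of source_ruleset into temp_ruleset and queues
 * the copies; every later call reports that there is nothing more.
 */
bool Compiler::Begin::processNext()
{
    assert(compiler!=NULL);
    if (init) return false;

    for (FWObject::iterator i=compiler->source_ruleset->begin();
         i!=compiler->source_ruleset->end(); ++i)
    {
        Rule *rule = Rule::cast(*i);
        if (rule == NULL) continue;
        if (rule->isDisabled()) continue;
        if (rule->isDummyRule())
        {
            compiler->warning(rule, "Rule contains dummy object and is not parsed.");
            continue;
        }
        // the queue holds copies placed in temp_ruleset, not the source rules
        Rule *r = Rule::cast(compiler->dbcopy->create(rule->getTypeName()));
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        tmp_queue.push_back( r );
    }
    init = true;
    if (!name.empty()) compiler->info(string(" ") + name);
    return true;
}

/*
 * Collects all rules from the previous processor and, when verbose,
 * reports how many there are.
 */
bool Compiler::printTotalNumberOfRules::processNext()
{
    assert(compiler!=NULL);
    assert(prev_processor!=NULL);
    slurp();
    if (tmp_queue.size()==0) return false;

    if (compiler->verbose)
    {
        ostringstream str;
        str << " processing " << tmp_queue.size() << " rules";
        compiler->info(str.str());
    }
    return true;
}

/*
 * Collects all rules from the previous processor and prints the name of
 * the pass that is about to start.
 */
bool Compiler::createNewCompilerPass::processNext()
{
    assert(compiler!=NULL);
    assert(prev_processor!=NULL);
    slurp();
    if (tmp_queue.size()==0) return false;

    compiler->info(pass_name);
    return true;
}

bool Compiler::Debug::processNext()
{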
assert(compiler!=NULL); assert(prev_processor!=NULL); slurp(); if (tmp_queue.size()==0) return false; if (compiler->rule_debug_on) { string n = prev_processor->getName(); ostringstream str; str << endl << "--- " << n << " " << setw(74-n.length()) << setfill('-') << "-"; compiler->info(str.str()); for (std::deque::iterator i=tmp_queue.begin(); i!=tmp_queue.end(); ++i) { Rule *rule = Rule::cast(*i); if (compiler->rule_debug_on && rule->getPosition()==compiler->debug_rule ) { compiler->info(compiler->debugPrintRule(rule)); compiler->info("\n"); } } } return true; } bool Compiler::singleRuleFilter::processNext() { assert(compiler!=NULL); assert(prev_processor!=NULL); Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; if (!compiler->single_rule_mode) { tmp_queue.push_back(rule); return true; } if (compiler->single_rule_ruleset_name == compiler->ruleSetName && rule->getPosition() == compiler->single_rule_position) tmp_queue.push_back(rule); return true; } bool Compiler::simplePrintProgress::processNext() { Rule *rule=prev_processor->getNextRule(); if (rule==NULL) return false; std::string rl=rule->getLabel(); if (rl!=current_rule_label) { if (compiler->verbose) { std::string s=" rule "+rl; compiler->info(s); } current_rule_label=rl; } tmp_queue.push_back(rule); return true; } /** * re_type can be either RuleElementSrc::TYPENAME or RuleElementDst::TYPENAME * or some other rule element */ bool Compiler::splitIfRuleElementMatchesFW::processNext() { Rule *rule=prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); int nre = re->size(); list cl; for (list::iterator i1=re->begin(); nre>1 && i1!=re->end(); ++i1) { FWObject *obj = FWReference::getObject(*i1); Address *a = Address::cast(obj); assert(a!=NULL); if (a->getId() == compiler->fw->getId() || a->getInt("parent_cluster_id") == compiler->fw->getId() || compiler->complexMatch(a, compiler->fw)) { cl.push_back(*i1); nre--; Rule 
*new_rule = Rule::cast( compiler->dbcopy->create(rule->getTypeName()) ); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); RuleElement *new_re = RuleElement::cast( new_rule->getFirstByType(re_type)); new_re->clearChildren(); new_re->setAnyElement(); new_re->addRef( a ); tmp_queue.push_back(new_rule); } } if (!cl.empty()) { for (list::iterator i1=cl.begin(); i1!=cl.end(); ++i1) re->remove( (*i1) ); } tmp_queue.push_back(rule); return true; } /* * This rule processor replaces firewall object in given rule element * with run-time DNSName object with name "self" and source name (A * record) set to "self". This is a trick in that when compliers see * objects like that in a rule, they just put source name in the * generated code verbatim. This is useful for firewall platforms that * support keyword "self" (e.g. PF). * * Always call this RE after splitIfFirewallInSrc or splitIfFirewallInDst */ bool Compiler::ReplaceFirewallObjectWithSelfInRE::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); for (list::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *obj = FWReference::getObject(*i1); if (obj == compiler->fw) { DNSName *self = DNSName::cast( compiler->persistent_objects->findObjectByName( DNSName::TYPENAME, "self")); if (self == NULL) { self = compiler->dbcopy->createDNSName(); self->setName("self"); self->setRunTime(true); self->setSourceName("self"); compiler->persistent_objects->add(self, false); } re->addRef(self); re->removeRef(compiler->fw); break; } } tmp_queue.push_back(rule); return true; } bool Compiler::RegisterGroupsAndTablesInRE::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; if (compiler->group_registry != NULL) { RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *obj = FWReference::getObject(*i); if 
(ObjectGroup::cast(obj)!=NULL && obj->size() > 0) { compiler->registerGroupObject(re, ObjectGroup::cast(obj)); } } } tmp_queue.push_back(rule); return true; } void Compiler::registerGroupObject(RuleElement *re, ObjectGroup *grp) { assert(group_registry!=NULL); list objects; expandGroup(grp, objects); group_registry->registerGroup(grp, objects); group_registry->registerGroupInRE(re, grp); } bool Compiler::equalObj::operator()(FWObject *o) { return o->getId()==obj->getId(); } bool Compiler::singleObjectNegation::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *rel = RuleElement::cast(rule->getFirstByType(re_type)); assert(rel); if (rel->getNeg() && rel->size()==1) { if (rel->getTypeName() == RuleElementItfInb::TYPENAME || rel->getTypeName() == RuleElementItfOutb::TYPENAME || rel->getTypeName() == RuleElementItf::TYPENAME ) { rel->setNeg(false); rel->setBool("single_object_negation", true); } else { FWObject *o = rel->front(); if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Address *reladdr = Address::cast(o); if ( reladdr && reladdr->countInetAddresses(true)==1 && !compiler->complexMatch(reladdr, compiler->fw)) { rel->setNeg(false); rel->setBool("single_object_negation", true); } } } tmp_queue.push_back(rule); return true; } /* * Process negation in the "Interface" rule element. Scan objects in * this RE, replace cluster interfaces with interfaces of the member, * then replace them with a list of all other interfaces of the member. * * Note that normally compiler should call * replaceClusterInterfaceInItf before calling this processor. This * means that this processor should never see cluster interfaces in * the RE. However I keep the code that deals with them in place to be * able to use this processor without prior call to * replaceClusterInterfaceInItf if necessary. 
* * TODO: make this code assert() if cluster interface appears in RE/ * * Note that rule processor singleObjectNegationItf deals with single * object negation in Interface rule elements. */ bool Compiler::fullInterfaceNegationInRE::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *itfre = RuleElement::cast(rule->getFirstByType(re_type)); if (itfre==NULL) compiler->abort(rule, "Missing interface rule element"); FWOptions *fwopt = compiler->getCachedFwOpt(); if (itfre->getNeg()) { // Use getByTypeDeep() to pick subinterfaces (vlans and such) list all_interfaces = compiler->fw->getByTypeDeep(Interface::TYPENAME); list work_interfaces; // skip unprotected interfaces bug #2710034 "PF Compiler in 3.0.3 // Unprotected Interface Bug" for (FWObject::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i) { Interface *intf = Interface::cast(*i); if (intf == NULL) continue; if (intf->isUnprotected()) continue; if (intf->isLoopback()) continue; // skip bridge ports, but use them if this is bridging firewall if ( ! 
fwopt->getBool("bridging_fw") && intf->isBridgePort()) continue; if (intf->getOptionsObject()->getBool("cluster_interface")) continue; work_interfaces.push_back(intf); } for (FWObject::iterator i=itfre->begin(); i!=itfre->end(); ++i) { // Only interface objects are allowed in the "Interface" rule element Interface *rule_iface = Interface::cast(FWReference::getObject(*i)); if (rule_iface == NULL) continue; // If this interface belongs to a cluster (which can only happen // if the rule set belongs to a cluster), then replace it with // corresponding interface of the member if (rule_iface->isFailoverInterface()) { FailoverClusterGroup *fg = FailoverClusterGroup::cast( rule_iface->getFirstByType(FailoverClusterGroup::TYPENAME)); if (fg) rule_iface = fg->getInterfaceForMemberFirewall(compiler->fw); } if (rule_iface) work_interfaces.remove(rule_iface); } itfre->reset(); itfre->setNeg(false); FWObject::iterator i; for (i=work_interfaces.begin(); i!=work_interfaces.end(); ++i) itfre->addRef(*i); } tmp_queue.push_back(rule); return true; } /* * Call this processor before ItfNegation (and in some compilers, * singleItfNegation). 
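*/
bool Compiler::replaceClusterInterfaceInItfRE::processNext()
{
    Rule *rule = prev_processor->getNextRule();
    if (rule==NULL) return false;

    RuleElement *itfre = RuleElement::cast(rule->getFirstByType(re_type));
    if (itfre==NULL)
    {
        compiler->abort(rule, "Missing interface rule element");
        // abort() returns instead of throwing when the compiler is in test
        // mode; drop the rule in that case rather than dereference NULL.
        return true;
    }

    // rule interface -> the member interface that replaces it
    map<Interface*, Interface*> interface_replacement;

    for (FWObject::iterator i=itfre->begin(); i!=itfre->end(); ++i)
    {
        Interface *member_iface = NULL;
        // Only interface objects are allowed in the "Interface" rule element
        FWObject *o = FWReference::getObject(*i);
        Interface *rule_iface = Interface::cast(o);
        if (rule_iface == NULL) continue;

        // If this interface belongs to a cluster (which can only happen
        // if the rule set belongs to a cluster), then replace it with
        // corresponding interface of the member
        if (rule_iface->isFailoverInterface())
        {
            FailoverClusterGroup *fg = FailoverClusterGroup::cast(
                rule_iface->getFirstByType(FailoverClusterGroup::TYPENAME));
            if (fg)
                member_iface = fg->getInterfaceForMemberFirewall(compiler->fw);
        }

        if (member_iface)
        {
            interface_replacement[rule_iface] = member_iface;
        }
    }

    map<Interface*, Interface*>::iterator r;
    for (r = interface_replacement.begin();
         r != interface_replacement.end(); ++r)
    {
        itfre->removeRef(r->first);
        itfre->addRef(r->second);
    }

    itfre->sort(FWObjectNameCmpPredicate(true));

    tmp_queue.push_back(rule);
    return true;
}

/*
 * Removes objects from the rule element that 'comparator' considers equal
 * to one already kept; without an explicit comparator, equalObj (same
 * object id) is used.
 */
bool Compiler::eliminateDuplicatesInRE::processNext()
{
    Rule *rule=prev_processor->getNextRule();
    if (rule==NULL) return false;

    if (comparator==NULL) comparator = new equalObj();

    RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
    if (re == NULL)
    {
        // nothing to deduplicate in a rule that has no such element;
        // pass it on unchanged instead of dereferencing NULL below
        tmp_queue.push_back(rule);
        return true;
    }

    list<FWObject*> cl;
    for (FWObject::iterator i=re->begin(); i!=re->end(); ++i)
    {
        FWObject *obj = FWReference::getObject(*i);
        if (obj == NULL) continue;

        comparator->set(obj);
        bool found = false;
        for (list<FWObject*>::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
        {
            FWObject *o2 = *i1;
            if ( (*comparator)(o2) )
            {
                found = true;
                break;
            }
        }
        if (!found) cl.push_back(obj);
    }

    if (!cl.empty())
    {
        re->clearChildren();
        for (list<FWObject*>::iterator i1=cl.begin(); i1!=cl.end(); ++i1)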
re->addRef( (*i1) ); } tmp_queue.push_back(rule); return true; } void Compiler::recursiveGroupsInRE::isRecursiveGroup(int grid, FWObject *obj) { for (FWObject::iterator i=obj->begin(); i!=obj->end(); i++) { FWObject *o = FWReference::getObject(*i); if (Group::cast(o)!=NULL) { if (o->getId()==grid || obj->getId()==o->getId()) { compiler->abort( "Group '" + o->getName() + "' references itself recursively"); } isRecursiveGroup(grid,o); isRecursiveGroup(o->getId(),o); } } } bool Compiler::recursiveGroupsInRE::processNext() { Rule *rule=prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); if (re == NULL || re->isAny()) { tmp_queue.push_back(rule); return true; } std::list cl; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o = FWReference::getObject(*i); if (Group::cast(o)!=NULL) isRecursiveGroup(o->getId(),o); } tmp_queue.push_back(rule); return true; } /* * counts children of obj recursively (that is, its direct children objects, plus * their children objects, etc. */ int Compiler::emptyGroupsInRE::countChildren(FWObject *obj) { if (obj->size()==0) return 0; int n=0; for (FWObject::iterator i=obj->begin(); i!=obj->end(); i++) { FWObject *o = FWReference::getObject(*i); // Check if this is a group, if yes, then count its children // recursively. Group itself does not count since it can be // empty, too. However if this is MultiAddress object with // run-time processing, it does not count as an empty group // since we have no way to know at compile time if it will // have some addresses at run time. So we just count it as a // regular object. if (MultiAddress::cast(o)!=NULL && MultiAddress::cast(o)->isRunTime()) n++; else { if (Group::cast(o)!=NULL) n += countChildren(o); else n++; // but if it is not a group, then we count it. 
} } return n; } bool Compiler::emptyGroupsInRE::processNext() { Rule *rule=prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); if (re == NULL || re->isAny()) { tmp_queue.push_back(rule); return true; } std::list cl; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o = FWReference::getObject(*i); if ( MultiAddress::cast(o)!=NULL && MultiAddress::cast(o)->isRunTime()) continue; if (Group::cast(o)!=NULL && countChildren(o)==0) cl.push_back(o); } if (!cl.empty()) { if ( compiler->fw->getOptionsObject()->getBool ("ignore_empty_groups") ) { for (FWObject::iterator i=cl.begin(); i!=cl.end(); i++) { FWObject *o= *i; ostringstream str; str << "Empty group or address table object '" << o->getName() << "'"; re->removeRef(o); compiler->warning(rule, str.str()); } if (re->isAny()) { ostringstream str; str << "After removal of all empty groups and address table objects rule element " << re->getTypeName() << " becomes 'any' in the rule " << rule->getLabel() << endl << "Dropping rule " << rule->getLabel() << " because option 'Ignore rules with empty groups' is in effect"; compiler->warning(rule, str.str()); return true; // dropping this rule } } else { std::string gr; int cntr = 0; for (FWObject::iterator i=cl.begin(); i!=cl.end(); i++) { FWObject *o= *i; if (cntr>0) gr += ","; gr += o->getName(); cntr++; } ostringstream str; str << "Empty group or address table object" << " '" << gr << "' is used in the rule" << " but option 'Ignore rules with empty groups' is off"; compiler->abort(rule, str.str()); } } tmp_queue.push_back(rule); return true; } /** * swaps MultiAddress objects that require run-time expansion with * MultiAddressRunTime equivalents */ bool Compiler::swapMultiAddressObjectsInRE::processNext() { Rule *rule=prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) ); if (re == NULL || re->isAny()) { 
tmp_queue.push_back(rule); return true; } list cl; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o = FWReference::getObject(*i); if (MultiAddress::cast(o)!=NULL && MultiAddress::cast(o)->isRunTime()) cl.push_back(MultiAddress::cast(o)); } if (!cl.empty()) { for (list::iterator i=cl.begin(); i!=cl.end(); i++) { MultiAddress *ma = *i; // Need to make sure the ID of the MultiAddressRunTime // object created here is stable and is always the same // for the same MultiAddress object. In particular this // ensures that we reuse tables between policy and NAT rules // in compiler for PF. There could be other similar cases // (object-group in compielr for pix may be ?) string mart_id_str = FWObjectDatabase::getStringId(ma->getId()) + "_runtime"; int mart_id = FWObjectDatabase::registerStringId(mart_id_str); MultiAddressRunTime *mart = MultiAddressRunTime::cast( compiler->dbcopy->findInIndex(mart_id)); if (mart==NULL) { mart = new MultiAddressRunTime(ma); // need to ensure stable ID for the runtime object, so // that when the same object is replaced in different // rulesets by different compiler passes, chosen // runtime object has the same ID and is identified as // the same by the compiler. 
mart->setId( mart_id ); compiler->dbcopy->addToIndex(mart); compiler->persistent_objects->add(mart); } re->removeRef(ma); re->addRef(mart); } tmp_queue.push_back(rule); return true; } tmp_queue.push_back(rule); return true; } bool Compiler::expandMultipleAddressesInRE::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re = RuleElement::cast( rule->getFirstByType(re_type) ); if (re) compiler->_expand_addr(rule, re, true); tmp_queue.push_back(rule); return true; } bool Compiler::checkForObjectsWithErrors::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; for (FWObject::iterator it1=rule->begin(); it1!=rule->end(); it1++) { RuleElement *re = RuleElement::cast(*it1); if (re == NULL || re->isAny()) continue; for (FWObject::iterator it2=re->begin(); it2!=re->end(); it2++) { FWObject *obj = FWReference::getObject(*it2); if (obj->getBool(".rule_error")) { // it is ok to call abort this late in rule // processing. If the error was fatal, the code that // encounter it should have called abort() then. If it // continued, then we are in test mode and this call to // abort will continue too. In the worst case, we end up // with duplicate error messages in the test mode. 
compiler->abort(rule, obj->getStr(".error_msg")); } } } tmp_queue.push_back(rule); return true; } bool Compiler::replaceFailoverInterfaceInRE::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re = RuleElement::cast( rule->getFirstByType(re_type) ); if (re == NULL || re->isAny()) { tmp_queue.push_back(rule); return true; } // list of pointers to cluster interfaces used in the RE list cl; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { Interface *intf = Interface::cast(FWReference::getObject(*i)); if (intf==NULL) continue; if (intf->isFailoverInterface()) cl.push_back(intf); else { // this could be a copy of cluster interface which belongs // to the firewall. This is done in // Compiler::processFailoverGroup. Dont use interface name // to distinguish cluster interface. Better method is to // check for the variable "cluster_interface". if (intf->getOptionsObject()->getBool("cluster_interface")) cl.push_back(intf); } } if (!cl.empty()) { for (list::iterator i=cl.begin(); i!=cl.end(); i++) { Interface *intf = *i; FailoverClusterGroup *fg = FailoverClusterGroup::cast( intf->getFirstByType(FailoverClusterGroup::TYPENAME)); if (fg) { Interface *other_interface = fg->getInterfaceForMemberFirewall(compiler->fw); re->removeRef(intf); re->addRef(other_interface); } else { string base_interface_id = intf->getOptionsObject()->getStr("base_interface_id"); if (!base_interface_id.empty()) { FWObject *base_interface = compiler->dbcopy->findInIndex( FWObjectDatabase::getIntId(base_interface_id)); if (base_interface) { re->removeRef(intf); re->addRef(base_interface); } } } } } tmp_queue.push_back(rule); return true; } bool Compiler::FindAddressFamilyInRE(FWObject *parent, bool ipv6) { Address *addr = Address::cast(parent); if (addr!=NULL) { const InetAddr *inet_addr = addr->getAddressPtr(); if (ipv6) return (inet_addr && inet_addr->isV6()); else return (inet_addr && inet_addr->isV4()); } for (FWObject::iterator 
i=parent->begin(); i!=parent->end(); i++) { FWObject *o = FWReference::getObject(*i); if (FindAddressFamilyInRE(o, ipv6)) return true; } return false; } void Compiler::DropAddressFamilyInRE(RuleElement *rel, bool drop_ipv6) { list objects_to_remove; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o = FWReference::getObject(*i); // skip "Any" if (o->getId() == FWObjectDatabase::ANY_ADDRESS_ID) continue; if (Address::cast(o) && Address::cast(o)->hasInetAddress()) { const InetAddr *inet_addr = Address::cast(o)->getAddressPtr(); if (inet_addr) { if (drop_ipv6 && inet_addr->isV6()) objects_to_remove.push_back(o); if (!drop_ipv6 && inet_addr->isV4()) objects_to_remove.push_back(o); } } } for (list::iterator i = objects_to_remove.begin(); i != objects_to_remove.end(); ++i) rel->removeRef(*i); } bool Compiler::dropRuleWithEmptyRE::isREEmpty(Rule *rule, const std::string &re_type) { RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); return re->size()==0; } /* * TODO: why rule elements Service, Interface and Time are not checked * for policy rules? 
*/ bool Compiler::dropRuleWithEmptyRE::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; if (PolicyRule::cast(rule) && (isREEmpty(rule, RuleElementSrc::TYPENAME) || isREEmpty(rule, RuleElementDst::TYPENAME))) { if (!warning_str.empty()) compiler->warning(rule, warning_str); return true; } if (NATRule::cast(rule) && (isREEmpty(rule, RuleElementOSrc::TYPENAME) || isREEmpty(rule, RuleElementODst::TYPENAME) || isREEmpty(rule, RuleElementOSrv::TYPENAME) || isREEmpty(rule, RuleElementTSrc::TYPENAME) || isREEmpty(rule, RuleElementTDst::TYPENAME) || isREEmpty(rule, RuleElementTSrv::TYPENAME))) { if (!warning_str.empty())compiler->warning(rule, warning_str); return true; } if (RoutingRule::cast(rule) && (isREEmpty(rule, RuleElementRDst::TYPENAME) || isREEmpty(rule, RuleElementRGtw::TYPENAME) || isREEmpty(rule, RuleElementRItf::TYPENAME))) { if (!warning_str.empty()) compiler->warning(rule, warning_str); return true; } tmp_queue.push_back(rule); return true; } void Compiler::DropByServiceTypeInRE(RuleElement *rel, bool drop_ipv6) { list objects_to_remove; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o = FWReference::getObject(*i); // skip "Any" if (o->getId() == FWObjectDatabase::ANY_SERVICE_ID) continue; Service *svc = Service::cast(o); if (svc == NULL) { cerr << endl; cerr << "Rule " << Rule::cast(rel->getParent())->getLabel() << " Rule element " << rel->getTypeName() << endl; o->dump(true, false); } assert(svc); // Note that all service objects except for ICMPService and // CustomService can be used in both ipv4 and ipv6 contexts. 
if (drop_ipv6) { if (svc->isV6Only()) objects_to_remove.push_back(o); } else { if (svc->isV4Only()) objects_to_remove.push_back(o); } } for (list::iterator i = objects_to_remove.begin(); i != objects_to_remove.end(); ++i) rel->removeRef(*i); } bool Compiler::catchUnnumberedIfaceInRE(RuleElement *re) { bool err = false; Interface *iface; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o = FWReference::getObject(*i); if (o==NULL) { //Rule *rule = Rule::cast(re->getParent()); FWReference *refo = FWReference::cast(*i); string errmsg = string("catchUnnumberedIfaceInRE: Can't find object ") + string("in cache, ID=") + FWObjectDatabase::getStringId(refo->getPointerId()); abort(re->getParent(), errmsg); } err |= ((iface=Interface::cast(o))!=NULL && (iface->isUnnumbered() || iface->isBridgePort()) ); } return err; } Address* Compiler::getFirstSrc(PolicyRule *rule) { RuleElementSrc *src = rule->getSrc(); FWObject *o = FWReference::getObject(src->front()); return Address::cast(o); } Address* Compiler::getFirstDst(PolicyRule *rule) { RuleElementDst *dst = rule->getDst(); FWObject *o = FWReference::getObject(dst->front()); return Address::cast(o); } Service* Compiler::getFirstSrv(PolicyRule *rule) { RuleElementSrv *srv = rule->getSrv(); FWObject *o = FWReference::getObject(srv->front()); return Service::cast(o); } Interval* Compiler::getFirstWhen(PolicyRule *rule) { RuleElementInterval *when = rule->getWhen(); if (when==NULL) return NULL; // when is optional element FWObject *o = FWReference::getObject(when->front()); return Interval::cast(o); } Interface* Compiler::getFirstItf(PolicyRule *rule) { RuleElementItf *itf = rule->getItf(); if (itf==NULL || itf->size()==0) return NULL; // itf is optional element FWObject *o = FWReference::getObject(itf->front()); return Interface::cast(o); } Address* Compiler::getFirstOSrc(NATRule *rule) { RuleElementOSrc *osrc = rule->getOSrc(); assert(osrc!=NULL); FWObject *o = FWReference::getObject(osrc->front()); return 
Address::cast(o); } Address* Compiler::getFirstODst(NATRule *rule) { RuleElementODst *odst = rule->getODst(); assert(odst!=NULL); FWObject *o = FWReference::getObject(odst->front()); return Address::cast(o); } Service* Compiler::getFirstOSrv(NATRule *rule) { RuleElementOSrv *osrv = rule->getOSrv(); assert(osrv!=NULL); FWObject *o = FWReference::getObject(osrv->front()); return Service::cast(o); } Address* Compiler::getFirstTSrc(NATRule *rule) { RuleElementTSrc *tsrc = rule->getTSrc(); assert(tsrc!=NULL); FWObject *o = FWReference::getObject(tsrc->front()); return Address::cast(o); } Address* Compiler::getFirstTDst(NATRule *rule) { RuleElementTDst *tdst = rule->getTDst(); assert(tdst!=NULL); FWObject *o = FWReference::getObject(tdst->front()); return Address::cast(o); } Service* Compiler::getFirstTSrv(NATRule *rule) { RuleElementTSrv *tsrv = rule->getTSrv(); assert(tsrv!=NULL); FWObject *o = FWReference::getObject(tsrv->front()); return Service::cast(o); } /* * Compares given object with firewall or its parent cluster (if any). * Compares only IDs of these objects. Relies on class CompilerDriver * to set integer variable "parent_cluster_id" in the firewall object * if it is a member of a cluster. */ bool Compiler::isFirewallOrCluster(FWObject *obj) { int fw_id = fw->getId(); int cluster_id = fw->getInt("parent_cluster_id"); return obj->getId() == fw_id || obj->getId() == cluster_id; } string Compiler::printComment(Rule *rule, string &prev_rule_label, const std::string &prefix, bool suppress_comment) { ostringstream res; string rl = rule->getLabel(); if (rl != prev_rule_label) { if ( ! inSingleRuleCompileMode()) { res << prefix << " " << endl; res << prefix << " Rule " << rl << endl; } string comm = rule->getComment(); if ( ! suppress_comment && ! 
comm.empty()) { string::size_type c1, c2; c1 = 0; while ( (c2 = comm.find('\n', c1)) != string::npos ) { res << prefix << " " << comm.substr(c1, c2 - c1) << endl; c1 = c2 + 1; } string remainder = comm.substr(c1); if (!remainder.empty()) res << prefix << " " << remainder << endl; } string err = getErrorsForRule(rule, prefix + " "); if (!err.empty()) res << err << endl; prev_rule_label = rl; } // string err = rule->getCompilerMessage(); // if (!err.empty()) res << prefix << " " << err << endl; return res.str(); } Address* Compiler::correctForCluster(Address *addr) { #ifdef DEBUG_FOR_DMZ cerr << "Compiler::correctForCluster " << addr << endl; if (addr) { cerr << " addr: " << addr->getName() << endl; } #endif Interface *intf = Interface::cast(addr); if (intf) { #ifdef DEBUG_FOR_DMZ cerr << " intf: " << intf->getName() << " isFailoverInterface: " << intf->isFailoverInterface() << endl; #endif } if (intf && intf->isFailoverInterface()) { FailoverClusterGroup *fg = FailoverClusterGroup::cast( intf->getFirstByType(FailoverClusterGroup::TYPENAME)); if (fg) { Address *other_intf = fg->getInterfaceForMemberFirewall(fw); #ifdef DEBUG_FOR_DMZ cerr << " fg: " << fg->getName() << endl; cerr << " other_intf: " << other_intf << endl; #endif if (other_intf) return other_intf; } } return addr; } /* keep only rules that have ipv4 addresses in src and dst * * This rule processor assumes all groups and multi-address objects * have already been expanded. 
* * TODO: figure out what to do with rules that have mix of ipv4 and ipv6 * addresses in different rule elements (such as ipv4 address in odst * and ipv6 address in tdst or similar) */ bool Compiler::DropRulesByAddressFamilyAndServiceType::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; for(FWObject::iterator it=rule->begin(); it!=rule->end(); ++it) { RuleElement *re = RuleElement::cast(*it); if (re == NULL) continue; // probably RuleOptions object bool orig_any = re->isAny(); if (orig_any) continue; FWObject *first_object = FWReference::getObject(re->front()); if (Address::cast(first_object) != NULL) compiler->DropAddressFamilyInRE(re, drop_ipv6); if (Service::cast(first_object) != NULL) compiler->DropByServiceTypeInRE(re, drop_ipv6); if (!orig_any && re->isAny()) { // removing all ipv6 addresses from rule element makes it 'any', drop // this rule if (!warning_str.empty()) compiler->warning(rule, warning_str); return true; } } tmp_queue.push_back(rule); return true; } fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/Compiler.h000066400000000000000000001140731303637203600236440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COMPILER_HH__ #define __COMPILER_HH__ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWException.h" #include "fwcompiler/BaseCompiler.h" #include "fwcompiler/RuleProcessor.h" #include "fwcompiler/exceptions.h" #include "fwcompiler/GroupRegistry.h" #include #include #include #include #include namespace libfwbuilder { class FWObject; class FWOptions; class FWObjectDatabase; class InetAddr; class Address; class Cluster; class FailoverClusterGroup; class StateSyncClusterGroup; class Service; class Interval; class IPv4; class IPv6; class Network; class NetworkIPv6; class AddressRange; class Host; class physAddress; class Firewall; class Interface; class Rule; class RuleSet; class PolicyRule; class NATRule; class RuleElement; }; namespace fwcompiler { class OSConfigurator; /* * operations (see Compiler_ops.cc) */ /** * this operator compares two objects to determine if they are * equivalent */ bool operator==(const libfwbuilder::Address &o1,const libfwbuilder::Address &o2); bool operator==(const libfwbuilder::Service &o1,const libfwbuilder::Service &o2); bool operator==(const libfwbuilder::Interval &o1,const libfwbuilder::Interval &o2); /** * this method finds intersection of two objects. Objects must * be of such types that have address (Host, Firewall, * Interface, Network) , otherwise it throws an exception * * TODO: implement this as a virtual method of respective classes * * this method is intended for internal use only */ std::vector _find_obj_intersection(libfwbuilder::Address *o1, libfwbuilder::Address *o2); /** * this method finds intersection of two services. 
If one or * both objects are not services, it throws exception * * this method is intended for internal use only */ std::vector _find_srv_intersection(libfwbuilder::Service *o1, libfwbuilder::Service *o2); /** * this method finds intersection of two ranges of ports * * this method is intended for internal use only */ bool _find_portrange_intersection(int rs1,int re1,int rs2,int re2,int &rsr,int &rer); struct threeTuple { libfwbuilder::Address *src; libfwbuilder::Address *dst; libfwbuilder::Service *srv; }; class Compiler : public BaseCompiler { void _init(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw); virtual void _expand_group_recursive(libfwbuilder::FWObject *o, std::list &ol); virtual void _expand_addr_recursive(libfwbuilder::Rule *rule, libfwbuilder::FWObject *s, std::list &ol, bool expand_cluster_interfaces_fully); /* bool _complexMatchWithInterface(libfwbuilder::Address *obj1, */ /* libfwbuilder::Interface *iface, */ /* bool recognize_broadcasts=true); */ /* bool _complexMatchWithAddress(const libfwbuilder::InetAddr *obj1_addr, */ /* libfwbuilder::Interface *iface, */ /* const std::string &address_type, */ /* bool recognize_broadcasts); */ bool checkIfAddressesMatch(const libfwbuilder::Address *a1, const libfwbuilder::Address *a2); protected: int _cntr_; bool initialized; int countIPv6Rules; bool ipv6; std::map object_comparison_cache; std::map rule_elements_cache; std::list rule_processors; /** * if object is Address, check if it matches address family * (i.e. if it is IPv6 or IPv4). If it is service, always return true. */ bool MatchesAddressFamily(libfwbuilder::FWObject *o); /** * this method finds intersection of two atomic rules. Resulting * rule may have multiple objects in src,dst and srv, so * converting to atomic may be necessary. If rules can not be * compared, then it throws an exception. If rules are compatible * but have nothing in common, then this method returns rule with * empty src,dst,srv. 
Use isEmpty(Rule &r) to check for this * condition * * This method creates and returns new object of class Rule * and does not modify r1 and r2 * * This method works only with interface, src, dst and srv and * completely ignores action and other rule options. * */ void getIntersection(libfwbuilder::PolicyRule &r1, libfwbuilder::PolicyRule &r2, libfwbuilder::PolicyRule &res); /** * this function checks if two rules intersect - that is, if there * is a non-empty intersection for each rule element. This * function does not calculate intersection, it just verifies that * it does exsit. */ bool intersect(libfwbuilder::PolicyRule &r1, libfwbuilder::PolicyRule &r2); /** * add rule processor to the list */ void add(BasicRuleProcessor* rp); /** * assembles chain of rule processors and executes it */ void runRuleProcessors(); /** * deletes chain of rule processors */ void deleteRuleProcessors(); /* * the following variables are simply a cache for frequently used * objects */ int fw_id; libfwbuilder::FWOptions *fwopt; public: int debug; int debug_rule; bool rule_debug_on; bool verbose; bool single_rule_mode; std::string single_rule_ruleset_name; int single_rule_position; libfwbuilder::Rule *single_rule_compile_rule; fwcompiler::OSConfigurator *osconfigurator; libfwbuilder::FWObjectDatabase *dbcopy; libfwbuilder::Library *persistent_objects; libfwbuilder::Firewall *fw; // group registry is optional, the object shuld be created outside // of the compiler and set using function setGroupRegistry(). GroupRegistry *group_registry; std::string ruleSetName;; libfwbuilder::RuleSet *source_ruleset; libfwbuilder::RuleSet *temp_ruleset; libfwbuilder::Group *temp; std::stringstream output; void registerGroupObject(libfwbuilder::RuleElement *re, libfwbuilder::ObjectGroup *grp); void registerIPv6Rule() { countIPv6Rules++; } bool haveIPv6Rules() { return countIPv6Rules > 0; } /** * returns first object referenced by given rule * element. 
Dereferences FWReference if first object is * reference. Uses cache, therefore is faster than * RuleElement::getFirst(true) */ libfwbuilder::Address* getFirstSrc(libfwbuilder::PolicyRule *rule); libfwbuilder::Address* getFirstDst(libfwbuilder::PolicyRule *rule); libfwbuilder::Service* getFirstSrv(libfwbuilder::PolicyRule *rule); libfwbuilder::Interval* getFirstWhen(libfwbuilder::PolicyRule *rule); libfwbuilder::Interface* getFirstItf(libfwbuilder::PolicyRule *rule); libfwbuilder::Address* getFirstOSrc(libfwbuilder::NATRule *rule); libfwbuilder::Address* getFirstODst(libfwbuilder::NATRule *rule); libfwbuilder::Service* getFirstOSrv(libfwbuilder::NATRule *rule); libfwbuilder::Address* getFirstTSrc(libfwbuilder::NATRule *rule); libfwbuilder::Address* getFirstTDst(libfwbuilder::NATRule *rule); libfwbuilder::Service* getFirstTSrv(libfwbuilder::NATRule *rule); /** * these methods compare two objects to determine if one of them * "shades" the other */ bool checkForShadowing(const libfwbuilder::Address &o1, const libfwbuilder::Address &o2); bool checkForShadowing(const libfwbuilder::Service &o1, const libfwbuilder::Service &o2); void resetObjectComparisonCache() { object_comparison_cache.clear(); } /** * a method to check for unnumbered interface in a rule * element (one can not use unnumbered interfaces in rules). */ bool catchUnnumberedIfaceInRE(libfwbuilder::RuleElement *re); /** * return true if any address object in source or destination is * of given type (can be IPv4 or IPv6). */ bool FindAddressFamilyInRE(libfwbuilder::FWObject *re, bool ipv6); /** * find ipv6 or ipv4 address objects in the given rule element * and remove reference to them */ void DropAddressFamilyInRE(libfwbuilder::RuleElement *rel, bool drop_ipv6); /** * similarly, remove reference to objects in service rule elements * based on their compatibility with ipv6 context. 
*/ void DropByServiceTypeInRE(libfwbuilder::RuleElement *rel, bool drop_ipv6); /** * rule processor that "injects" rules into the conveyor */ class Begin : public BasicRuleProcessor { bool init; public: Begin(); Begin(const std::string &n); virtual bool processNext(); }; /** * this processor prints number of rules in the queue on cout * if compiler->verbose is true */ class printTotalNumberOfRules : public BasicRuleProcessor { public: virtual bool processNext(); }; /** * this processor creates what amounts to the new compiler * pass: it slurps all rules into buffer, then prints its own * name on cout and the releases rules to the next processor * one at a time. This way processors after this one in the * chain get to start working on the whole rule set from its * beginning. */ class createNewCompilerPass : public BasicRuleProcessor { std::string pass_name; public: createNewCompilerPass(const std::string &_name) : BasicRuleProcessor("New compiler pass") { pass_name=_name; }; virtual bool processNext(); }; /** * this processor prints rule numbers on cout (trivial * progress indicator) */ class simplePrintProgress : public BasicRuleProcessor { std::string current_rule_label; public: simplePrintProgress() : BasicRuleProcessor("Print progress") {}; virtual bool processNext(); }; /** * this processor splits rule if one of its rule elements * contains firewall itself. This processor is actually only a * base class. Derive it and pass rule element type name as a * second argument of its constructor. 
*/ class splitIfRuleElementMatchesFW : public PolicyRuleProcessor { std::string re_type; public: splitIfRuleElementMatchesFW(const std::string &n, std::string _type) : PolicyRuleProcessor(n) { re_type=_type; } virtual bool processNext(); }; /** * prepare for negation of single objects in rule elements */ class singleObjectNegation : public BasicRuleProcessor { std::string re_type; public: singleObjectNegation(const std::string &n,std::string _type): BasicRuleProcessor(n) { re_type=_type; } virtual bool processNext(); }; /* * replace interfaces in the give RE with a set of all other * interfaces of the firewall. */ class fullInterfaceNegationInRE : public BasicRuleProcessor { std::string re_type; public: fullInterfaceNegationInRE(const std::string &n, std::string _type) : BasicRuleProcessor(n) { re_type=_type; } virtual bool processNext(); }; /** * replace cluster interface objects with inetrfaces of the member * firewall in the Interface rule element */ class replaceClusterInterfaceInItfRE : public BasicRuleProcessor { std::string re_type; public: replaceClusterInterfaceInItfRE(const std::string &n, std::string _type) : BasicRuleProcessor(n) { re_type=_type; } virtual bool processNext(); }; /** * eliminates duplicates in RuleElement 're_type'. Inherit * your own class using this one and supply actual rule * element type name through its constructor. * * Function class equalObj compares IDs of two object and * declares objects equal if their ID are the same. 
To * change comparison algorithm, inherit from this class, * overload its operator(), then create its instance in * constructor of eliminateDuplicatesInRE and assign to * member 'comparator' */ class equalObj { protected: libfwbuilder::FWObject *obj; public: equalObj(){obj=NULL;} virtual ~equalObj() {} void set(libfwbuilder::FWObject *o) {obj=o;} virtual bool operator()(libfwbuilder::FWObject *o); }; class eliminateDuplicatesInRE : public BasicRuleProcessor { std::string re_type; protected: equalObj *comparator; public: eliminateDuplicatesInRE(const std::string &n,const std::string _type): BasicRuleProcessor(n) { re_type=_type; comparator=NULL; } ~eliminateDuplicatesInRE() { if (comparator!=NULL) delete comparator; } virtual bool processNext(); }; /** * this processor checks for recursive groups, i.e. groups * that reference themselves */ class recursiveGroupsInRE : public BasicRuleProcessor { std::string re_type; void isRecursiveGroup(int grid, libfwbuilder::FWObject *gr); public: recursiveGroupsInRE(const std::string &n,const std::string &_type) : BasicRuleProcessor(n) { re_type=_type; } virtual bool processNext(); }; /** * This rule processor checks for empty groups. Normally this * is a fatal error and compilation should be aborted, but * firewall option "ignore_rules_with_empty_groups" causes * compiler to remove this object from the rule element and * drop the rule all together if there are no more objects * left (rule element becomes "any") and continue work * (warning should be issued though). 
*/ class emptyGroupsInRE : public BasicRuleProcessor { std::string re_type; int countChildren(libfwbuilder::FWObject *obj); void findEmptyGroupsInRE(); public: emptyGroupsInRE(const std::string &n,const std::string &_type) : BasicRuleProcessor(n) { re_type=_type; } virtual bool processNext(); }; /** * Replace MultiAddress objects that require run-time address * expansion with corresponding MultiAddressRunTime objects */ class swapMultiAddressObjectsInRE : public BasicRuleProcessor { std::string re_type; public: swapMultiAddressObjectsInRE(const std::string &name, const std::string &t) : BasicRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; /** * this inspector replaces references to hosts and firewalls * in rule element with references to their interfaces */ class expandMultipleAddressesInRE : public BasicRuleProcessor { std::string re_type; public: expandMultipleAddressesInRE(const std::string &name, const std::string &t) : BasicRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; /** * drop rules that have ipv4 or ipv6 addresses (depending * on the argument ipv6 passed to the constructor) */ class DropRulesByAddressFamilyAndServiceType : public BasicRuleProcessor { std::string warning_str; bool drop_ipv6; public: DropRulesByAddressFamilyAndServiceType( const std::string &n, bool ipv6) : BasicRuleProcessor(n) { drop_ipv6 = ipv6; warning_str = ""; } virtual bool processNext(); protected: DropRulesByAddressFamilyAndServiceType( const std::string &n, const std::string &w, bool ipv6) : BasicRuleProcessor(n) { drop_ipv6 = ipv6; warning_str = w; } }; /** * Drop rule if any address object in source or destination is * ipv4 address. */ class DropIPv4Rules : public DropRulesByAddressFamilyAndServiceType { public: DropIPv4Rules(const std::string &n) : DropRulesByAddressFamilyAndServiceType(n, false) {}; }; /** * Drop rule if any address object in source or destination is * ipv6 address. 
*/ class DropIPv6Rules : public DropRulesByAddressFamilyAndServiceType { public: DropIPv6Rules(const std::string &n) : DropRulesByAddressFamilyAndServiceType(n, true) {}; }; class DropIPv6RulesWithWarning : public DropRulesByAddressFamilyAndServiceType { public: DropIPv6RulesWithWarning(const std::string &n, const std::string &w) : DropRulesByAddressFamilyAndServiceType(n, w, true) {}; }; /** * drop rules that have empty rule elements */ class dropRuleWithEmptyRE : public BasicRuleProcessor { std::string warning_str; bool isREEmpty(libfwbuilder::Rule *rule, const std::string &re_type); public: dropRuleWithEmptyRE(const std::string &name) : BasicRuleProcessor(name) { warning_str = ""; } virtual bool processNext(); protected: dropRuleWithEmptyRE(const std::string &name, const std::string &_warning) : BasicRuleProcessor(name) { warning_str = _warning; } }; class dropRuleWithEmptyREWithWarning : public dropRuleWithEmptyRE { public: dropRuleWithEmptyREWithWarning(const std::string &name, const std::string &_warning) : dropRuleWithEmptyRE(name, _warning) { } }; /** * if MultiAddress object failed to convert itself to a group * of addresses and compiler runs in a test mode, we use dummy * test addresses instead. The error is detected by * preprocessor and at the moment not associated with any rule * (because preprocessor works with MultiAddress objects and * does not check which rule they are used in to improve * performance). This processor adds error message to the * rule using MultiAddress obejct like this. 
*/ class checkForObjectsWithErrors : public BasicRuleProcessor { public: checkForObjectsWithErrors(const std::string &name) : BasicRuleProcessor(name) {} virtual bool processNext(); }; /** * Replace cluster interface object with corresponding real * interface */ class replaceFailoverInterfaceInRE : public BasicRuleProcessor { std::string re_type; public: replaceFailoverInterfaceInRE(const std::string &name, const std::string &t) : BasicRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; /** * generic rule debugger: prints name of the previous rule * processor in a chain and then a rule if its number is * compiler->debug_rule. Uses virtual method * Compiler::debugPrintRule to actually print the rule */ class Debug : public BasicRuleProcessor { public: virtual bool processNext(); }; /** * this rule processor skips all rules except the one with ID * set by call to setSingleRuleMode() */ class singleRuleFilter : public BasicRuleProcessor { public: virtual bool processNext(); }; /** * split rules with more than one service object, so that each * rule has services that satisfy some common criteria defined by * the virtual function groupingCode() */ class groupServices : public BasicRuleProcessor { protected: virtual int groupingCode(const libfwbuilder::Service *srv) =0; public: groupServices(const std::string &name) : BasicRuleProcessor(name) {} virtual bool processNext(); }; /** * split rules with more than one service object, so that each * rule has services with the same protocol */ class groupServicesByProtocol: public groupServices { protected: virtual int groupingCode(const libfwbuilder::Service *srv); public: groupServicesByProtocol(const std::string &name) : groupServices(name){} }; /** * split rules with more than one service object, so that all * tcp and udp services are in one rule and all other * protocols are in the other */ class groupTCPUDPServices: public groupServices { protected: virtual int groupingCode(const libfwbuilder::Service *srv); 
public: groupTCPUDPServices(const std::string &name) : groupServices(name){} }; /** * separate service object that satisfies condition * implemented in the virtual method "condition" so we have * exactly one such object per rule. */ class separateServiceObject : public BasicRuleProcessor { protected: virtual bool condition(const libfwbuilder::Service *srv) =0; public: separateServiceObject(const std::string &name); virtual bool processNext(); }; /** * separate TCP/UDP services (regardless of their source or * destination port configuration) */ class separateTCPUDP : public separateServiceObject { protected: virtual bool condition(const libfwbuilder::Service *srv); public: separateTCPUDP(const std::string &name) : separateServiceObject(name) {} }; /** * separate TCP/UDP services that specify source port (can * not be used in combination with destination port with * multiport) */ class separateSrcPort : public separateServiceObject { protected: virtual bool condition(const libfwbuilder::Service *srv); public: separateSrcPort(const std::string &name) : separateServiceObject(name) {} }; /** * separate TCP/UDP services that specify both source and * destination port */ class separateSrcAndDstPort : public separateServiceObject { protected: virtual bool condition(const libfwbuilder::Service *srv); public: separateSrcAndDstPort(const std::string &name) : separateServiceObject(name) {} }; /** * separate Tag services so we have exactly one per rule. */ class separateTagged : public separateServiceObject { protected: virtual bool condition(const libfwbuilder::Service *srv); public: separateTagged(const std::string &name) : separateServiceObject(name) {} }; /** * separate Custom services so we have exactly one per rule. 
*/ class separateCustom : public separateServiceObject { protected: virtual bool condition(const libfwbuilder::Service *srv); public: separateCustom(const std::string &name) : separateServiceObject(name) {} }; class separateUserServices : public separateServiceObject { protected: virtual bool condition(const libfwbuilder::Service *srv); public: separateUserServices(const std::string &name) : separateServiceObject(name) {} }; /** * separate IPService objects with tos attrubute so we have * exactly one per rule. */ class separateTOS : public separateServiceObject { protected: virtual bool condition(const libfwbuilder::Service *srv); public: separateTOS(const std::string &name) : separateServiceObject(name) {} }; /** * split rules with more than one IPService object with * options, so that each rule has only one such service */ class splitIpOptions : public separateServiceObject { protected: virtual bool condition(const libfwbuilder::Service *srv); public: splitIpOptions(const std::string &name) : separateServiceObject(name) {} }; /** * separate TCP services with flags (can't use those in combination * with others in groups of services) */ class separateTCPWithFlags : public separateServiceObject { protected: virtual bool condition(const libfwbuilder::Service *srv); public: separateTCPWithFlags(const std::string &name) : separateServiceObject(name) {} }; /** * separate TCP and UDP services that match port ranges and * "any tcp" or "any udp" objects */ class separatePortRanges : public separateServiceObject { protected: virtual bool condition(const libfwbuilder::Service *srv); public: separatePortRanges(const std::string &name) : separateServiceObject(name) {} }; /** * verify if custom services used in rules are configured for * this platform */ class verifyCustomServices : public BasicRuleProcessor { public: verifyCustomServices(const std::string &name) : BasicRuleProcessor(name) {} virtual bool processNext(); }; /** * simply check if TCPService object with 
"established" flag * set is used in Service and abort with an error saying that * target firewall does not support this. Use for pretty much * every platform except ipfw and router ACLs */ class CheckForTCPEstablished : public BasicRuleProcessor { public: CheckForTCPEstablished(const std::string &name) : BasicRuleProcessor(name) {} virtual bool processNext(); }; /** * simply check if UserService objectis used in Service and * abort with an error saying that target firewall does not * support this. */ class CheckForUnsupportedUserService : public BasicRuleProcessor { public: CheckForUnsupportedUserService(const std::string &name) : BasicRuleProcessor(name) {} virtual bool processNext(); }; /** * This rule processor replaces firewall object with * DNSName object "self" configured as run-time with source * name "self". */ class ReplaceFirewallObjectWithSelfInRE : public BasicRuleProcessor { std::string re_type; public: ReplaceFirewallObjectWithSelfInRE(const std::string &n, std::string _type) : BasicRuleProcessor(n) { re_type=_type; } virtual bool processNext(); }; class RegisterGroupsAndTablesInRE : public BasicRuleProcessor { std::string re_type; public: RegisterGroupsAndTablesInRE(const std::string &n, const std::string _type) : BasicRuleProcessor(n) { re_type = _type; } virtual bool processNext(); }; friend class Compiler::RegisterGroupsAndTablesInRE; /** * prints rule in some universal format (close to that visible * to user in the GUI). Used for debugging purposes */ virtual std::string debugPrintRule(libfwbuilder::Rule *rule); /** * returns cached firewall object ID */ int getFwId() { return fw_id; } /** * returns pointer to the cached firewall options object */ libfwbuilder::FWOptions* getCachedFwOpt() { return fwopt; } /** * internal: scans children of 's' and, if finds host or * firewall with multiple interfaces, replaces reference to * that host or firewall with a set of references to its * interfaces. 
Argument 's' should be a pointer to either src * or dst in the rule. Some platforms may require alterations * to * this algorithm, that's why it is virtual. */ virtual void _expand_addr(libfwbuilder::Rule *rule, libfwbuilder::FWObject *s, bool expand_cluster_interfaces_fully); /** * internal: scans child objects of interface iface, both IPv4 * and physAddress, and puts them in the list ol. Policy * compilers for platforms that support matching on MAC * address should reimplement this method and do whatever is * right for them (e.g. create combined address objects to * fuse information from IPv4 and physAddress together). * * Parameter @expand_cluster_interfaces_fully is used when * interface @iface belongs to a cluster and is a failover * interface. If @expand_cluster_interfaces_fully is true, * this function scans failover group associated with this * interface and takes address of the member firewall for * which the policy is being compiled. If the cluster * interface belongs to a cluster that is not being compiled, * addresses of all members are returned instead. The address * of the cluster interface is always returned even when * @expand_cluster_interfaces_fully is false. */ virtual void _expand_interface(libfwbuilder::Rule *rule, libfwbuilder::Interface *iface, std::list &ol, bool expand_cluster_interfaces_fully); /** * internal: like _expand_addr, but expands address range * objects */ void _expandAddressRanges(libfwbuilder::Rule *rule, libfwbuilder::FWObject *s); /* * normalizes port range (makes sure that neither range start * nor end is <0 and so on) */ void normalizePortRange(int &rs,int &re); /** * This method returns true if one of the following conditions is met: * * 1. obj1 is the same as obj2 (compares ID of both objects), or * 2. obj1 is a child of obj2 on any depth, or * 3. address of obj1 matches that of any obj2's interfaces, or * 4. address of obj1 is a broadcast address of one of * the interfaces of obj2 * 5.
address of obj1 is a broadcast (255.255.255.255) */ bool complexMatch(libfwbuilder::Address *obj1, libfwbuilder::Address *obj2, bool recognize_broadcasts=true, bool recognize_multicasts=true); libfwbuilder::Address* correctForCluster(libfwbuilder::Address *adr); /** * Compares given object with firewall or its parent cluster * (if any). Compares only IDs of these objects. Relies on * class CompilerDriver to set integer variable * "parent_cluster_id" in the firewall object if it is a * member of a cluster. */ bool isFirewallOrCluster(libfwbuilder::FWObject *obj); /** * This method finds interface of obj2 (which is usually * firewall object, but not necessarily so) which is connected * to the subnet on which obj1 is located. It also works if * obj1 is a network object, in this case it looks for the * interface that belongs to that network. */ libfwbuilder::Interface* findInterfaceFor( const libfwbuilder::Address *o1, const libfwbuilder::Address *o2); /** * This method finds an interface of the firewall obj2 which * belongs to the subnet on which obj1 is located and returns * IPv4 address object of this interface. It also works if * obj1 is a network object, in this case it looks for the * interface that belongs to that network. * * If obj1 is an Interface object, then corresponding Interface * object belonging to the firewall is returned (if found). 
*/ libfwbuilder::FWObject* findAddressFor( const libfwbuilder::Address *o1, const libfwbuilder::Address *o2); virtual ~Compiler(); Compiler(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy); Compiler(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf); /* * TODO: Refactor Compiler to not hide BaseCompiler */ #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Woverloaded-virtual" Compiler(libfwbuilder::FWObjectDatabase *_db, bool ipv6_policy); /** * overloaded methods: uses current firewall and ruleset objects */ virtual void abort(const std::string &errstr) throw(libfwbuilder::FWException); virtual void abort(libfwbuilder::FWObject *rule, const std::string &errstr) throw(libfwbuilder::FWException); virtual void error(const std::string &errstr); virtual void error(libfwbuilder::FWObject *rule, const std::string &errstr); virtual void warning(const std::string &errstr); virtual void warning(libfwbuilder::FWObject *rule, const std::string &errstr); #pragma GCC diagnostic pop void setDebugLevel(int dl) { debug=dl; } void setDebugRule(int dr) { debug_rule = dr; rule_debug_on = true; } void setVerbose(bool v) { verbose=v; } void setSingleRuleCompileMode(const std::string &rule_id); bool inSingleRuleCompileMode() { return single_rule_mode; } void setSourceRuleSet(libfwbuilder::RuleSet *rs); libfwbuilder::RuleSet* getSourceRuleSet() { return source_ruleset; } void setRuleSetName(const std::string &name) { ruleSetName = name; } std::string getRuleSetName() { return ruleSetName; } void setPersistentObjects(libfwbuilder::Library* po); std::string getCompiledScript(); int getCompiledScriptLength(); void setGroupRegistry(GroupRegistry *gr) { group_registry = gr; } void expandGroup(libfwbuilder::FWObject *grp, std::list &ol); void expandGroupsInRuleElement(libfwbuilder::RuleElement *s); /** * this method should return platform name. 
It is used * to construct proper error and warning messages. */ virtual std::string myPlatformName() { return ""; } std::string getUniqueRuleLabel(); virtual std::string createRuleLabel(const std::string &prefix, const std::string &txt, int rule_num); virtual std::string printComment(libfwbuilder::Rule *rule, std::string &prev_rule_label, const std::string &prefix, bool suppress_comment=false); /** * prolog return number of rules found */ virtual int prolog(); virtual void compile(); virtual void epilog(); /** * prints rule marked for debugging (its number * is in * debug_rule member variable) */ void debugRule(); }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/Compiler_helpers.cpp000066400000000000000000000012551303637203600257160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ */ #include "config.h" #include "fwbuilder/libfwbuilder-config.h" #include "Compiler.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Network.h" #include "fwbuilder/Service.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include "fwbuilder/FWServiceReference.h" using namespace fwcompiler; using namespace libfwbuilder; fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/Compiler_object_match.cpp000066400000000000000000000134531303637203600267010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
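This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

To get a copy of the GNU General Public License, write to the
Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA

*/

#include <assert.h>

#include "config.h"
#include "fwbuilder/libfwbuilder-config.h"

#include "Compiler.h"

#include "fwbuilder/AddressRange.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/NetworkIPv6.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/MultiAddress.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Group.h"
#include "fwbuilder/ObjectMatcher.h"

#include <list>

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;


/*
 * Delegates the match to ObjectMatcher, configured with the given
 * broadcast/multicast recognition flags and with the address family
 * this compiler is working in (ipv6). The matching conditions
 * themselves are described on the declaration in Compiler.h.
 *
 * Returns false when either object pointer is NULL.
 */
bool Compiler::complexMatch(Address *obj1, Address *obj2,
                            bool recognize_broadcasts,
                            bool recognize_multicasts)
{
    if (obj1 == NULL || obj2 == NULL) return false;

    ObjectMatcher om;
    om.setRecognizeBroadcasts(recognize_broadcasts);
    om.setRecognizeMulticasts(recognize_multicasts);
    om.setIPV6(ipv6);
    return om.complexMatch(obj1, obj2);
}

/*
 * True when the object is treated as a subnet by checkIfAddressesMatch():
 * a Network, a NetworkIPv6, or an address object that is a direct child
 * of an Interface.
 */
static bool describes_subnet(const Address *a)
{
    return Network::constcast(a) != NULL ||
        NetworkIPv6::constcast(a) != NULL ||
        Interface::constcast(a->getParent()) != NULL;
}

/*
 * Compare two address objects. Returns true when they are the same
 * object (same ID), when their addresses are equal, or when one of
 * them describes a subnet (see describes_subnet()) that contains the
 * other's address.
 *
 * Objects without an address of their own (e.g. dynamic interfaces)
 * only match themselves; previously such objects would have caused a
 * NULL dereference here.
 */
bool Compiler::checkIfAddressesMatch(const Address *a1, const Address *a2)
{
    if (a1 == NULL || a2 == NULL) return false;
    if (a1->getId() == a2->getId()) return true;

    const InetAddr *addr1 = a1->getAddressPtr();
    const InetAddr *addr2 = a2->getAddressPtr();
    if (addr1 == NULL || addr2 == NULL) return false;

    if (*addr1 == *addr2) return true;

    if (describes_subnet(a2) && a2->belongs(*addr1)) return true;
    if (describes_subnet(a1) && a1->belongs(*addr2)) return true;

    return false;
}

/*
 * Find an address of obj2 (usually a firewall object, but not
 * necessarily so) that matches obj1. Every Interface under obj2 is
 * examined in order:
 *
 *  - if obj1 is that interface (same object ID), the Interface object
 *    itself is returned;
 *  - otherwise, for regular interfaces only, the IPv4 or IPv6 child
 *    objects of the same address family as obj1 are compared with
 *    obj1 using checkIfAddressesMatch() and the first match is
 *    returned. Since checkIfAddressesMatch() treats an interface
 *    address as a subnet, this also finds the interface belonging to
 *    obj1 when obj1 is a network object.
 *
 * Returns NULL when nothing matches, when obj1 has no address of its
 * own (dynamic interface, run-time address table), or when either
 * argument is NULL.
 */
FWObject* Compiler::findAddressFor(const Address *obj1, const Address *obj2)
{
    if (obj1 == NULL || obj2 == NULL) return NULL;

    list<FWObject*> interfaces = obj2->getByTypeDeep(Interface::TYPENAME);
    for (list<FWObject*>::iterator j = interfaces.begin();
         j != interfaces.end(); ++j)
    {
        Interface *iface = Interface::cast(*j);
        assert(iface);

        if (iface->getId() == obj1->getId()) return iface;

        // non-regular (e.g. dynamic) interfaces carry no address
        // children worth comparing, and obj1 must have an address too
        const InetAddr *obj1_addr = obj1->getAddressPtr();
        if (!iface->isRegular() || obj1_addr == NULL) continue;

        // an InetAddr is either v4 or v6: only look at children of
        // obj1's own address family
        FWObjectTypedChildIterator k = obj1_addr->isV4() ?
            iface->findByType(IPv4::TYPENAME) :
            iface->findByType(IPv6::TYPENAME);
        for ( ; k != k.end(); ++k)
        {
            Address *addr = Address::cast(*k);
            assert(addr);
            if (checkIfAddressesMatch(addr, obj1)) return *k;
        }
    }
    return NULL;
}

/*
 * Find the interface of obj2 (usually a firewall object, but not
 * necessarily so) that is connected to the subnet obj1 is located on,
 * or that is obj1 itself. Also works when obj1 is a network object:
 * the interface that belongs to that network is returned.
 *
 * Implemented on top of findAddressFor(), which returns either the
 * Interface itself or an IPv4/IPv6 object that is a direct child of
 * the matching interface; in the latter case the parent is returned.
 *
 * Returns NULL when no interface matches.
 */
Interface* Compiler::findInterfaceFor(const Address *obj1, const Address *obj2)
{
    FWObject *match = findAddressFor(obj1, obj2);
    if (match == NULL) return NULL;

    Interface *iface = Interface::cast(match);
    if (iface != NULL) return iface;

    return Interface::cast(match->getParent());
}

/*
 * Address family filter for the address family this compiler works in.
 *
 *  - objects that are not Address objects always pass;
 *  - Address objects with no concrete address (e.g. dynamic interface
 *    or run-time address table) always pass;
 *  - Address objects with an address pass only when that address is
 *    IPv6 for an IPv6 compile (ipv6 == true) and IPv4 otherwise.
 */
bool Compiler::MatchesAddressFamily(FWObject *o)
{
    Address *addr = Address::cast(o);
    if (addr == NULL) return true;   // not an address object at all

    const InetAddr *inet_addr = addr->getAddressPtr();
    if (inet_addr == NULL) return true;

    return ipv6 ? inet_addr->isV6() : inet_addr->isV4();
}

fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/Compiler_ops.cpp000066400000000000000000000543151303637203600250600ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.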
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "Compiler.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPUDPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include using namespace fwcompiler; using namespace libfwbuilder; using namespace std; /* * Interface has both address and a netmask, however what we need here is only * its address. If we were to use both, we would get the same behaviour as if * it was network, not just an interface of a single host. */ vector fwcompiler::_find_obj_intersection(Address *op1, Address *op2) { vector res; const InetAddr *addr1 = op1->getAddressPtr(); const InetAddr *netm1 = op1->getNetmaskPtr(); const InetAddr *addr2 = op2->getAddressPtr(); const InetAddr *netm2 = op2->getNetmaskPtr(); if (addr1==NULL || addr2==NULL) return res; const InetAddrMask n1( *addr1, (Interface::cast(op1)) ? InetAddr(InetAddr::getAllOnes()) : (*netm1) ); const InetAddrMask n2( *addr2, (Interface::cast(op2)) ? 
InetAddr(InetAddr::getAllOnes()) : (*netm2) ); vector intersection = libfwbuilder::getOverlap(n1,n2); for (vector::iterator i=intersection.begin(); i!=intersection.end(); i++) { InetAddrMask *n= &(*i); if (n->getNetmaskPtr()->isHostMask()) { IPv4 *h = new IPv4(); h->setAddress(*(n->getAddressPtr())); h->setName("h-"+n->getAddressPtr()->toString()); op1->getRoot()->add(h,false); res.push_back(h); } else { Network *net = new Network(); net->setAddress(*(n->getAddressPtr())); net->setNetmask(*(n->getNetmaskPtr())); net->setName("n-"+n->getAddressPtr()->toString()); op1->getRoot()->add(net,false); res.push_back(net); } } return res; } bool fwcompiler::_find_portrange_intersection(int rs1,int re1, int rs2,int re2, int &rsr,int &rer) { if (re2rs1 && re2rs1 && re2rs1 && rs2re1) { rsr=rs2; rer=re1; return true; } if (rs2>re1) return false; if (rs2re1) { rsr=rs1; rer=re1; return true; } if (rs1==rs2 && re1==re2) { rsr=rs1; rer=re1; return true; } return false; } vector fwcompiler::_find_srv_intersection(Service *op1, Service *op2) { vector res; if (op1->getTypeName()==op2->getTypeName()) { if ( IPService::cast(op1)) { /* TODO: check ip flags */ if (op1->getStr("protocol_num")==op2->getStr("protocol_num")) { res.push_back(op1); } return res; } if ( ICMPService::cast(op1)) { int t1=op1->getInt("type"); int t2=op2->getInt("type"); if (t1!=-1 && t2!=-1 && t1==t2) { res.push_back(op1); return res; } if (t1!=-1 && t2==-1) { res.push_back(op1); return res; } if (t1==-1 && t2!=-1) { res.push_back(op2); return res; } return res; } if ( TCPService::cast(op1) || UDPService::cast(op1) ) { int srs1=static_cast(op1)->getSrcRangeStart(); int sre1=static_cast(op1)->getSrcRangeEnd(); int drs1=static_cast(op1)->getDstRangeStart(); int dre1=static_cast(op1)->getDstRangeEnd(); int srs2=static_cast(op2)->getSrcRangeStart(); int sre2=static_cast(op2)->getSrcRangeEnd(); int drs2=static_cast(op2)->getDstRangeStart(); int dre2=static_cast(op2)->getDstRangeEnd(); int srsR,sreR,drsR,dreR; if ( ! 
_find_portrange_intersection(srs1,sre1,srs2,sre2,srsR,sreR) ) return res; if ( ! _find_portrange_intersection(drs1,dre1,drs2,dre2,drsR,dreR) ) return res; FWObject *nserv; if ( TCPService::cast(op1) ) { nserv=new TCPService(); op1->getRoot()->add(nserv,false); } if ( UDPService::cast(op1) ) { nserv=new UDPService(); op1->getRoot()->add(nserv,false); } nserv->setName(op1->getName()+"-"+op2->getName()); TCPUDPService::cast(nserv)->setSrcRangeStart(srsR); TCPUDPService::cast(nserv)->setSrcRangeEnd(sreR); TCPUDPService::cast(nserv)->setDstRangeStart(drsR); TCPUDPService::cast(nserv)->setDstRangeEnd(dreR); res.push_back(nserv); return res; } } /* * if objects are of the different types, then the only case allowed is * when one object is IPService */ if ( ! IPService::cast(op1) && IPService::cast(op2)) res.push_back(op1); if ( ! IPService::cast(op2) && IPService::cast(op1)) res.push_back(op2); return res; } /*************************************************************************/ bool fwcompiler::operator==(const Service &o1,const Service &o2) { if (o1.getId()==o2.getId()) return true; if (o1.getTypeName()==o2.getTypeName()) { if ( IPService::constcast(&o1)) { return (o1.getInt("protocol_num")==o2.getInt("protocol_num") && o1.getStr("fragm")==o2.getStr("fragm") && o1.getStr("short_fragm")==o2.getStr("short_fragm") && o1.getStr("lsrr")==o2.getStr("lsrr") && o1.getStr("ssrr")==o2.getStr("ssrr") && o1.getStr("rr")==o2.getStr("rr") && o1.getStr("ts")==o2.getStr("ts") ); } if ( ICMPService::constcast(&o1)) { return (o1.getInt("type")==o2.getInt("type")) && (o1.getInt("code")==o2.getInt("code")); } if ( UDPService::constcast(&o1) ) { int srs1=static_cast(&o1)->getSrcRangeStart(); int sre1=static_cast(&o1)->getSrcRangeEnd(); int drs1=static_cast(&o1)->getDstRangeStart(); int dre1=static_cast(&o1)->getDstRangeEnd(); int srs2=static_cast(&o2)->getSrcRangeStart(); int sre2=static_cast(&o2)->getSrcRangeEnd(); int drs2=static_cast(&o2)->getDstRangeStart(); int 
dre2=static_cast(&o2)->getDstRangeEnd(); return (srs1==srs2 && sre1==sre2 && drs1==drs2 && dre1==dre2); } if ( TCPService::constcast(&o1)) { int srs1=static_cast(&o1)->getSrcRangeStart(); int sre1=static_cast(&o1)->getSrcRangeEnd(); int drs1=static_cast(&o1)->getDstRangeStart(); int dre1=static_cast(&o1)->getDstRangeEnd(); int srs2=static_cast(&o2)->getSrcRangeStart(); int sre2=static_cast(&o2)->getSrcRangeEnd(); int drs2=static_cast(&o2)->getDstRangeStart(); int dre2=static_cast(&o2)->getDstRangeEnd(); const TCPService *tcp1=TCPService::constcast(&o1); const TCPService *tcp2=TCPService::constcast(&o2); return ( tcp1->getAllTCPFlags()==tcp2->getAllTCPFlags() && tcp1->getAllTCPFlagMasks()==tcp2->getAllTCPFlagMasks() && srs1==srs2 && sre1==sre2 && drs1==drs2 && dre1==dre2 ); } } return false; } bool fwcompiler::operator==(const Address &o1,const Address &o2) { if (o1.getId()==o2.getId()) return true; const InetAddr* o1b; const InetAddr* o1e; const InetAddr* o2b; const InetAddr* o2e; if (Interface::isA(&o1) && Interface::isA(&o2)) { const Interface *i1=Interface::constcast(&o1); const Interface *i2=Interface::constcast(&o2); if ( !i1->isRegular() && !i2->isRegular() ) { return i1->getName()==i2->getName(); } } if (physAddress::isA(&o1) && physAddress::isA(&o2)) { const physAddress *o1_pa =physAddress::constcast(&o1); const physAddress *o2_pa =physAddress::constcast(&o2); return o1_pa->getPhysAddress()==o2_pa->getPhysAddress(); } if (AddressRange::isA(&o1)) { o1b = &(AddressRange::constcast(&o1)->getRangeStart()); o1e = &(AddressRange::constcast(&o1)->getRangeEnd()); } else if (Network::isA(&o1)) { o1b = o1.getAddressPtr(); o1e = o1.getBroadcastAddressPtr(); } else { o1b = o1.getAddressPtr(); o1e = o1.getAddressPtr(); } if (AddressRange::isA(&o2)) { o2b = &(AddressRange::constcast(&o2)->getRangeStart()); o2e = &(AddressRange::constcast(&o2)->getRangeEnd()); } else if (Network::isA(&o2)) { o2b = o2.getAddressPtr(); o2e = o2.getBroadcastAddressPtr(); } else { o2b = 
o2.getAddressPtr(); o2e = o2.getAddressPtr(); } if (o1b==NULL || o2b==NULL || o1e==NULL || o2e==NULL) return false; return ((*o1b) == (*o2b) && (*o1e) == (*o2e)); } bool fwcompiler::operator==(const Interval &o1,const Interval &o2) { if (o1.getId()==o2.getId()) return true; int smin1, shour1, sday1, smonth1, syear1, sdayofweek1; int emin1, ehour1, eday1, emonth1, eyear1, edayofweek1; int smin2, shour2, sday2, smonth2, syear2, sdayofweek2; int emin2, ehour2, eday2, emonth2, eyear2, edayofweek2; o1.getStartTime( &smin1, &shour1, &sday1, &smonth1, &syear1, &sdayofweek1); o1.getEndTime( &emin1, &ehour1, &eday1, &emonth1, &eyear1, &edayofweek1); o2.getStartTime( &smin2, &shour2, &sday2, &smonth2, &syear2, &sdayofweek2); o2.getEndTime( &emin2, &ehour2, &eday2, &emonth2, &eyear2, &edayofweek2); return (smin1==smin2 && emin1==emin2 && shour1==shour2 && ehour1==ehour2 && sday1==sday2 && eday1==eday2 && smonth1==smonth2 && emonth1==emonth2 && syear1==syear2 && eyear1==eyear2 && sdayofweek1==sdayofweek2 && edayofweek1==edayofweek2); } /************************************************************************* bool fwcompiler::operator<=(const Address &o1,const Address &o2) { return (o1 == o2 || o1 < o2); } bool fwcompiler::operator<=(const Service &o1,const Service &o2) { return (o1 == o2 || o1 < o2); } */ /*************************************************************************/ #define RETURN(x) { object_comparison_cache[cache_key] = x; return x; } bool Compiler::checkForShadowing(const Service &o1, const Service &o2) { int cache_key = o1.getId() + (o2.getId() << 16); map::iterator it = object_comparison_cache.find(cache_key); if (it!=object_comparison_cache.end()) return it->second; if (o1.getId()==o2.getId()) RETURN(true); if (o1.isAny() && o2.isAny()) RETURN(false); if ( ! 
o1.isAny() && o2.isAny()) RETURN(true); if ( o1.isAny() && !o2.isAny()) RETURN(false); if (o1.getTypeName()==o2.getTypeName()) { const IPService *ip1; const IPService *ip2; if ((ip1=IPService::constcast(&o1))!=NULL) { ip2 = IPService::constcast(&o2); /* * Both objects are IPService * * can't use Service::getProtocolNumber member because it is not * defined as 'const'. Can't redefine it either since that will break * binary compatibility (as of v2.0.4) */ if (o1.getStr("fragm")!=o2.getStr("fragm") || o1.getStr("short_fragm")!=o2.getStr("short_fragm") || o1.getStr("lsrr")!=o2.getStr("lsrr") || o1.getStr("ssrr")!=o2.getStr("ssrr") || o1.getStr("rr")!=o2.getStr("rr") || o1.getStr("ts")!=o2.getStr("ts") ) RETURN(false); if (ip1->getTOSCode()!=ip2->getTOSCode() || ip1->getDSCPCode()!=ip2->getDSCPCode()) RETURN(false); if (o1.getInt("protocol_num")==o2.getInt("protocol_num")) RETURN(true); if (o1.getInt("protocol_num")!=0 && o2.getInt("protocol_num")==0) RETURN(true); RETURN(false); } if ( ICMPService::constcast(&o1)) { bool res = (o1.getInt("type")!=-1 && o2.getInt("type")==-1); RETURN(res); } if ( TCPService::constcast(&o1) ) { const TCPService *t1=TCPService::constcast(&o1); const TCPService *t2=TCPService::constcast(&o2); /* it seems STL does not define operator!= for class std::set */ if ( !( t1->getAllTCPFlags() == t2->getAllTCPFlags() && t1->getAllTCPFlagMasks() == t2->getAllTCPFlagMasks() ) ) RETURN(false); } if ( TCPService::constcast(&o1) || UDPService::constcast(&o1) ) { int srs1=static_cast(&o1)->getSrcRangeStart(); int sre1=static_cast(&o1)->getSrcRangeEnd(); int drs1=static_cast(&o1)->getDstRangeStart(); int dre1=static_cast(&o1)->getDstRangeEnd(); int srs2=static_cast(&o2)->getSrcRangeStart(); int sre2=static_cast(&o2)->getSrcRangeEnd(); int drs2=static_cast(&o2)->getDstRangeStart(); int dre2=static_cast(&o2)->getDstRangeEnd(); if (srs1==0 && sre1==0) sre1 = 65536; if (drs1==0 && dre1==0) dre1 = 65536; if (srs2==0 && sre2==0) sre2 = 65536; if (drs2==0 && 
dre2==0) dre2 = 65536; bool res = (srs1>=srs2 && sre1<=sre2 && drs1>=drs2 && dre1<=dre2); RETURN(res); } if ( TagService::constcast(&o1)) { string tagvalue1 = TagService::constcast(&o1)->getCode(); string tagvalue2 = TagService::constcast(&o2)->getCode(); bool res = (tagvalue1 == tagvalue2); RETURN(res); } if ( UserService::constcast(&o1)) { string uid1 = UserService::constcast(&o1)->getUserId(); string uid2 = UserService::constcast(&o2)->getUserId(); bool res = (uid1 == uid2); RETURN(res); } RETURN(false); } /* * if objects are of the different types, then the only case allowed is * when one object is IPService */ if (IPService::constcast(&o2) && ! IPService::constcast(&o1) ) { /* if o2 is IP Service and o1 is not, then o2 only shades o1 * when all flags are cleared in o2 */ bool res = ( o2.getInt("protocol_num")==0 && o2.getStr("fragm")!="True" && o2.getStr("short_fragm")!="True" && o2.getStr("lsrr")!="True" && o2.getStr("ssrr")!="True" && o2.getStr("rr")!="True" && o2.getStr("ts")!="True"); RETURN(res); } RETURN(false); throw FWException("trying to compare objects of incompatible types: \ o1: "+o1.getName()+" ("+o1.getTypeName()+") o2: "+o2.getName()+" ("+o2.getTypeName()+")"); } bool Compiler::checkForShadowing(const Address &o1,const Address &o2) { int cache_key = o1.getId() + (o2.getId() << 16); map::iterator it = object_comparison_cache.find(cache_key); if (it!=object_comparison_cache.end()) return it->second; if (o1.getId()==o2.getId()) RETURN(true); if (Interface::isA(&o1)) { const Interface *intf=Interface::constcast(&o1); if (!intf->isRegular()) RETURN(false); } if (Interface::isA(&o2)) { const Interface *intf=Interface::constcast(&o2); if (!intf->isRegular()) RETURN(false); } if (physAddress::isA(&o1) && physAddress::isA(&o2)) { const physAddress *o1_pa =physAddress::constcast(&o1); const physAddress *o2_pa =physAddress::constcast(&o2); bool res = (o1_pa->getPhysAddress()==o2_pa->getPhysAddress()); RETURN(res); } const InetAddr *o1b; const InetAddr 
*o1e; const InetAddr *o2b; const InetAddr *o2e; if (AddressRange::isA(&o1)) { o1b = &(AddressRange::constcast(&o1)->getRangeStart()); o1e = &(AddressRange::constcast(&o1)->getRangeEnd()); } else { if (Network::isA(&o1)) { o1b = static_cast(&o1)->getFirstHostPtr(); o1e = static_cast(&o1)->getLastHostPtr(); } else { o1b = o1.getAddressPtr(); o1e = o1.getAddressPtr(); } } if (AddressRange::isA(&o2)) { o2b = &(AddressRange::constcast(&o2)->getRangeStart()); o2e = &(AddressRange::constcast(&o2)->getRangeEnd()); } else { if (Network::isA(&o2)) { o2b = static_cast(&o2)->getFirstHostPtr(); o2e = static_cast(&o2)->getLastHostPtr(); } else { o2b = o2.getAddressPtr(); o2e = o2.getAddressPtr(); } } #if 0 cerr << "# o1=" << o1.getName() << " [" << o1.getTypeName() << "] " << o1b->toString() << "-" << o1e->toString() << "(" << o1.dimension() << ")" << " o2=" << o2.getName() << " [" << o2.getTypeName() << "] " << o2b->toString() << "-" << o2e->toString() << "(" << o2.dimension() << ")" << " " << int( ((*o1b)>(*o2b) || (*o1b)==(*o2b)) && ((*o1e)<(*o2e) || (*o1e)==(*o2e)) ) << endl; #endif // if any of the objects has no ip address, then we can not // check for shadowing and return false. examples of objects with // no real ip address: physAddress, Interface with no child IPv4/IPv6 // object. High level compilers should make sure they process rules // to the point where no such objects are left before they call // this method. 
if (o1b==NULL || o2b==NULL || o1e==NULL || o2e==NULL) RETURN(false);

    // "any" on either side decides the answer without looking at the ranges:
    // o2 == any covers everything, o1 == any is covered only by another any.
    if (o1.isAny() && o2.isAny()) RETURN(true);
    if (o1.isAny() && !o2.isAny()) RETURN(false);
    if (!o1.isAny() && o2.isAny()) RETURN(true);

    // o2 shadows o1 when [o2b, o2e] contains [o1b, o1e] (inclusive at both ends)
    bool res = ( ((*o2b) < (*o1b) || (*o1b) == (*o2b)) &&
                 ((*o1e) < (*o2e) || (*o1e) == (*o2e)) );
    RETURN(res);
}

/*
 * Can a single packet match both policy rules r1 and r2?
 *
 * Two rules are considered to intersect when their actions are compatible
 * ("Continue" is compatible with anything, otherwise they must be equal),
 * their interface elements do not name two different interfaces, and the
 * intersections of their first Src, first Dst and first Srv objects are all
 * non-empty. Only the first object of each rule element is examined, so this
 * presumably expects atomic rules — verify against the callers.
 *
 * Returns true if the rules overlap, false otherwise.
 */
bool Compiler::intersect(PolicyRule &r1, PolicyRule &r2)
{
    string act1 = r1.getActionAsString();
    string act2 = r2.getActionAsString();

    bool res_act;
    res_act = (act1=="Continue" || act2=="Continue" || act1==act2);
    if (res_act==false) return false;

    // NOTE(review): front() of the Itf element and the object it resolves to
    // are dereferenced without a NULL check; this assumes every rule carries
    // an Itf element with at least one (possibly "any") entry — confirm.
    RuleElementItf *intf1_re = r1.getItf();
    FWObject *rule1_iface = FWObjectReference::getObject(intf1_re->front());
    int iface1 = rule1_iface->getId();

    RuleElementItf *intf2_re = r2.getItf();
    FWObject *rule2_iface = FWObjectReference::getObject(intf2_re->front());
    int iface2 = rule2_iface->getId();

    // int iface1 = r1.getInterfaceId();
    // int iface2 = r2.getInterfaceId();
    // bool res_iface;
    // res_iface = (intf1_re->isAny() || intf2_re->isAny() || iface1==iface2);
    // if (res_iface==false) return false;

    // if both rules have interfaces and these interfaces are different, they
    // cant intersect
    if ( ! intf1_re->isAny() && ! intf2_re->isAny() && iface1!=iface2) return false;

    vector v1 = _find_obj_intersection( getFirstSrc(&r1) , getFirstSrc(&r2) );
    if (v1.empty()) return false;

    vector v2 = _find_obj_intersection( getFirstDst(&r1) , getFirstDst(&r2) );
    if (v2.empty()) return false;

    vector v3 = _find_srv_intersection( getFirstSrv(&r1) , getFirstSrv(&r2) );
    if (v3.empty()) return false;

    return true;
}

/*
 * Fill `res` with the rule that matches exactly the traffic matched by both
 * r1 and r2: the narrower action, the intersection of the first Src, Dst
 * and Srv objects, and a label built from both rule labels.
 *
 * Src, Dst and Srv of `res` are cleared before the interface check, so when
 * the interfaces differ the function returns early leaving `res` with
 * empty (not "any") rule elements and an unchanged label.
 */
void Compiler::getIntersection(PolicyRule &r1, PolicyRule &r2, PolicyRule &res)
{
    string act1 = r1.getActionAsString();
    string act2 = r2.getActionAsString();

    /*
     * "CONTINUE" is "broad" action, so chose another one, whatever it is
     */
    // When neither action is "Continue", res keeps the action it already had.
    // intersect() only pairs such rules when their actions are equal, which
    // is presumably what callers rely on — verify.
    if (act1=="Continue") res.setAction(act2);
    if (act2=="Continue") res.setAction(act1);

    string any_id;
    // FWObject *any;

    RuleElementSrc *nsrc = res.getSrc(); nsrc->clearChildren();
    RuleElementDst *ndst = res.getDst(); ndst->clearChildren();
    RuleElementSrv *nsrv = res.getSrv(); nsrv->clearChildren();

    RuleElementItf *intf_re = r1.getItf();
    FWObject *rule1_iface = FWObjectReference::getObject(intf_re->front());
    int iface1 = rule1_iface->getId();

    intf_re = r2.getItf();
    FWObject *rule2_iface = FWObjectReference::getObject(intf_re->front());
    int iface2 = rule2_iface->getId();

    // NOTE(review): unlike intersect(), this compares the interface ids even
    // when one of the Itf elements is "any", so a pair that intersect()
    // reports as overlapping can be rejected here. Confirm whether the
    // asymmetry is intended.
    if (iface1 != iface2) return ;

    string lbl = "'" + r1.getLabel() + "' & '" + r2.getLabel() + "'";
    res.setLabel(lbl);

    vector v1 = _find_obj_intersection( getFirstSrc(&r1) , getFirstSrc(&r2) );
    vector v2 = _find_obj_intersection( getFirstDst(&r1) , getFirstDst(&r2) );
    vector v3 = _find_srv_intersection( getFirstSrv(&r1) , getFirstSrv(&r2) );

    for (vector::iterator i1=v1.begin(); i1!=v1.end(); ++i1) nsrc->addRef(*i1);
    for (vector::iterator i2=v2.begin(); i2!=v2.end(); ++i2) ndst->addRef(*i2);
    for (vector::iterator i3=v3.begin(); i3!=v3.end(); ++i3) nsrv->addRef(*i3);
}
fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/GroupRegistry.cpp000066400000000000000000000052451303637203600252520ustar00rootroot00000000000000/*

  Firewall Builder

  Copyright (C) 2011 NetCitadel, LLC

  Author:  Vadim Kurland
vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "GroupRegistry.h"

#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWReference.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"

using namespace libfwbuilder;
using namespace std;

GroupRegistry::GroupRegistry() {}

/*
 * Generate stable key to be used as a key in rule_element_groups map.
 * This key should not change when rule processors create copies of
 * rules, this means we can't use rule and rule element ID.
 *
 * The key is "<label of the parent rule>_<type name of the element>".
 * NOTE(review): the parent is cast to Rule and dereferenced without a NULL
 * check, so this assumes the element always sits directly under a Rule.
 */
string GroupRegistry::getREKey(libfwbuilder::RuleElement *re)
{
    Rule *owner = Rule::cast(re->getParent());
    string key = owner->getLabel();
    key += "_";
    key += re->getTypeName();
    return key;
}

/*
 * Record that each object referenced from `objects` belongs to group `grp`.
 * group_registry[<string id of the object>] gains the group's name and the
 * same string id is written into the object (and, recursively, its
 * children) through setGroupRegistryKey() so getGroupsForObject() can find
 * it later.
 */
void GroupRegistry::registerGroup(FWObject *grp, const list &objects)
{
    list::const_iterator ref = objects.begin();
    while (ref != objects.end())
    {
        FWObject *member = FWReference::getObject(*ref);
        const string member_key = FWObjectDatabase::getStringId(member->getId());
        group_registry[member_key].insert(grp->getName());
        setGroupRegistryKey(member, member_key);
        ++ref;
    }
}

/*
 * register a group as a member of given rule element.
 */
void GroupRegistry::registerGroupInRE(RuleElement *re, FWObject *grp)
{
    const string re_key = getREKey(re);
    rule_element_groups[re_key].insert(grp->getName());
}

/*
 * Names of the groups registered in the given rule element. Looks the
 * element up with operator[], so an unknown element inserts and returns
 * an empty set.
 */
set GroupRegistry::getGroupsForRE(RuleElement *re)
{
    return rule_element_groups[getREKey(re)];
}

/*
 * Names of the groups the object was registered under, found through the
 * key stamped on it by setGroupRegistryKey(). Same operator[] insertion
 * behaviour as getGroupsForRE().
 */
set GroupRegistry::getGroupsForObject(FWObject *obj)
{
    const string obj_key = getGroupRegistryKey(obj);
    return group_registry[obj_key];
}

/* Key previously stored on the object by setGroupRegistryKey(). */
string GroupRegistry::getGroupRegistryKey(FWObject *obj)
{
    return obj->getStr(".group_registry_key");
}

/*
 * Store `key` in the ".group_registry_key" attribute of obj and of every
 * object below it.
 */
void GroupRegistry::setGroupRegistryKey(FWObject *obj, const std::string &key)
{
    obj->setStr(".group_registry_key", key);
    FWObject::iterator child = obj->begin();
    for (; child != obj->end(); ++child)
        setGroupRegistryKey(*child, key);
}
fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/GroupRegistry.h000066400000000000000000000036631303637203600247170ustar00rootroot00000000000000/*

  Firewall Builder

  Copyright (C) 2011 NetCitadel, LLC

  Author:  Vadim Kurland
  vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#ifndef __GROUP_REGISTRY_HH__
#define __GROUP_REGISTRY_HH__

#include "fwbuilder/FWObject.h"

#include
#include
#include

namespace libfwbuilder {
    class RuleElement;
};

/*
 * Two lookups kept by the compilers: which group names an object was
 * registered as a member of (by object id, see registerGroup), and which
 * group names were registered in a given rule element (by a key derived
 * from the rule label and element type, see registerGroupInRE).
 * Objects are found again through a ".group_registry_key" attribute that
 * registerGroup() writes into them.
 */
class GroupRegistry
{
    // key: object Id, value: a set of names of groups it belongs to
    std::map > group_registry;

    // key: rule element id, value: a set of names of groups that belonged to it
    std::map > rule_element_groups;

    // "<rule label>_<element type name>"; stable across rule copies,
    // unlike rule and element ids
    std::string getREKey(libfwbuilder::RuleElement *re);

public:
    GroupRegistry();

    // registers every object referenced in `objects` as a member of `grp`
    // and stamps the registry key on each of them
    void registerGroup(libfwbuilder::FWObject *grp,
                       const std::list &objects);
    // records that group `grp` was present in rule element `re`
    void registerGroupInRE(libfwbuilder::RuleElement *re,
                           libfwbuilder::FWObject *grp);

    // both lookups use operator[] and therefore insert an empty set for an
    // unknown key
    std::set getGroupsForRE(libfwbuilder::RuleElement *re);
    std::set getGroupsForObject(libfwbuilder::FWObject *obj);

    // read / write the ".group_registry_key" attribute; the setter recurses
    // into all children of obj
    std::string getGroupRegistryKey(libfwbuilder::FWObject *obj);
    void setGroupRegistryKey(libfwbuilder::FWObject *obj, const std::string &key);
};

#endif
fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp000066400000000000000000000732571303637203600245500ustar00rootroot00000000000000/*

  Firewall Builder

  Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland
  vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include

#include "NATCompiler.h"

#include "fwbuilder/NAT.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/RuleSet.h"
#include "fwbuilder/InetAddr.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPUDPService.h"
#include "fwbuilder/CustomService.h"

#include
#include
#include

using namespace fwcompiler;
using namespace libfwbuilder;
using namespace std;

/*
 * Prepare the NAT rule set for compilation: use the firewall's NAT rule set
 * when source_ruleset was not set, renumber it, create the working copy
 * temp_ruleset under the firewall, and give every rule a label (if it has
 * none) and an absolute rule number. Disabled rules are deliberately kept
 * (see the comment in the loop).
 *
 * Returns the number of Rule objects seen in the source rule set.
 */
int NATCompiler::prolog()
{
    Compiler::prolog();

    NAT *nat = NAT::cast(fw->getFirstByType(NAT::TYPENAME));
    assert(nat);

    if (source_ruleset == NULL) source_ruleset = nat;
    source_ruleset->renumberRules();

    temp_ruleset = new NAT();   // working copy of the policy
    fw->add( temp_ruleset );

    temp_ruleset->setName(source_ruleset->getName());

    int global_num = 0;

    // rules of the default "NAT" set get plain labels; any other rule set
    // uses its own name as the label prefix
    string label_prefix = "";
    if (source_ruleset->getName() != "NAT") label_prefix = source_ruleset->getName();

    int rule_counter = 0;
    for (FWObject::iterator i=source_ruleset->begin(); i!=source_ruleset->end(); i++)
    {
        Rule *r = Rule::cast(*i);
        if (r == NULL) continue; // skip RuleSetOptions object
        /*
         * do not remove disabled rules just yet because some
         * compilers might use RuleSet::insertRuleAtTop() and other
         * similar methods from prolog() or
         * addPredefinedPolicyRules()() and these methods renumber
         * rules (labels stop matching rule positions when this is
         * done because labels are configured in prolog() method of
         * the base class. See fwbuilder ticket 1173)
         */
        //if (r->isDisabled()) continue;
        //r->setInterfaceId(-1);
        if (r->getLabel().empty())
            r->setLabel( createRuleLabel(label_prefix, "NAT", r->getPosition()) );
        r->setAbsRuleNumber(global_num);
        global_num++;
        rule_counter++;
    }

    initialized = true;

    return rule_counter;
}

/*
 * Does NAT rule r2 shadow rule r1, i.e. do r2's original source,
 * destination and service each cover the corresponding element of r1?
 * When they do, any packet matched by r1 is also matched by r2.
 *
 * The first three children of each rule are read positionally and taken
 * to be OSrc, ODst and OSrv (the commented getFirst* calls show the
 * intent); each must already hold a single Address/Service object.
 *
 * Throws FWException when any of those casts yields NULL, which the
 * message attributes to a group left in the rule element.
 */
bool NATCompiler::checkForShadowing(NATRule &r1, NATRule &r2)
{
    Address *osrc1; //=getFirstOSrc(&r1);
    Address *odst1; //=getFirstODst(&r1);
    Service *osrv1; //=getFirstOSrv(&r1);

    Address *osrc2; //=getFirstOSrc(&r2);
    Address *odst2; //=getFirstODst(&r2);
    Service *osrv2; //=getFirstOSrv(&r2);

    // NOTE(review): front() of each element is used without an emptiness
    // check; assumes the rule elements are never empty here — confirm.
    FWObject::iterator i1 = r1.begin();
    osrc1 = Address::cast(FWReference::cast((*i1)->front())->getPointer());
    i1++;
    odst1 = Address::cast(FWReference::cast((*i1)->front())->getPointer());
    i1++;
    osrv1 = Service::cast(FWReference::cast((*i1)->front())->getPointer());

    i1 = r2.begin();
    osrc2 = Address::cast(FWReference::cast((*i1)->front())->getPointer());
    i1++;
    odst2 = Address::cast(FWReference::cast((*i1)->front())->getPointer());
    i1++;
    osrv2 = Service::cast(FWReference::cast((*i1)->front())->getPointer());

    if (osrc1==NULL || odst1==NULL || osrv1==NULL)
        throw FWException("Can not compare rules because rule "+r1.getLabel()+" has a group in one of its elements. Aborting.");

    if (osrc2==NULL || odst2==NULL || osrv2==NULL)
        throw FWException("Can not compare rules because rule "+r2.getLabel()+" has a group in one of its elements. Aborting.");

    // shadowing is per element: every "original" element of r1 must be
    // contained in the matching element of r2
    return (
        Compiler::checkForShadowing(*osrc1, *osrc2) &&
        Compiler::checkForShadowing(*odst1, *odst2) &&
        Compiler::checkForShadowing(*osrv1, *osrv2)
    );

    // if ( (*osrc2 <= *osrc1) && (*odst2 <= *odst1) && (*osrv2 <= *osrv1) ) return 1;

    return false;
}

/*
 * TODO: implement this
 */
// Not implemented: always reports the two rules as different.
bool NATCompiler::cmpRules(NATRule&, NATRule&)
{
    return false;
}

/*
 * Assign a NATRule rule type to each rule whose type is still Unknown,
 * based on which translated elements (TSrc, TDst, TSrv) are set and, for
 * TCP/UDP services, on which port (src or dst) TSrv actually changes:
 *
 *   Branch action                          -> NATBranch (TSrc/TDst/TSrv reset
 *                                             to "any" with a warning)
 *   TSrc, TDst and TSrv all "any"          -> NONAT
 *   both TSrc and TDst set, or an address
 *     translation paired with a port
 *     translation on the other side        -> SDNAT
 *   TSrc set (or only src port translated) -> SNetnat if TSrc is a Network,
 *                                             else SNAT
 *   TDst set (or only dst port translated) -> LB if TDst holds several
 *                                             objects, DNetnat if it is a
 *                                             Network, Redirect if it is the
 *                                             firewall object itself, else
 *                                             DNAT
 *
 * A rule whose OSrv and TSrv are both set, differ, and are of different
 * types is aborted, except when OSrv is a CustomService with the same
 * protocol name as TSrv (#1685). Anything else is aborted as unsupported.
 */
bool NATCompiler::classifyNATRule::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    if (rule->getRuleType()!=NATRule::Unknown) return true;

    RuleElementTSrc *tsrcre = rule->getTSrc();
    RuleElementTDst *tdstre = rule->getTDst();
    RuleElementTSrv *tsrvre = rule->getTSrv();

    Service *osrv = compiler->getFirstOSrv(rule);
    Address *tsrc = compiler->getFirstTSrc(rule);
    Address *tdst = compiler->getFirstTDst(rule);
    Service *tsrv = compiler->getFirstTSrv(rule);

    if (rule->getAction() == NATRule::Branch)
    {
        rule->setRuleType(NATRule::NATBranch);
        if (!tsrcre->isAny() || !tdstre->isAny() || !tsrvre->isAny())
        {
            tsrcre->clearChildren();
            tsrcre->setAnyElement();
            tdstre->clearChildren();
            tdstre->setAnyElement();
            tsrvre->clearChildren();
            tsrvre->setAnyElement();
            compiler->warning(
                rule,
                "Translated Src, Dst and Srv are ignored in the NAT "
                "rule with action 'Branch'");
        }
        return true;
    }

    if (tsrc->isAny() && tdst->isAny() && tsrv->isAny())
    {
        rule->setRuleType(NATRule::NONAT);
        return true;
    }

    bool osrv_defines_src_port = false;
    (void)osrv_defines_src_port; //UNUSED
    bool osrv_defines_dst_port = false;
    (void)osrv_defines_dst_port; //UNUSED
    bool tsrv_translates_src_port = false;
    bool tsrv_translates_dst_port = false;

    // a port is considered "translated" only when TSrv sets exactly one
    // of the two ranges and it differs from the same range in OSrv
    if (TCPUDPService::cast(osrv) && TCPUDPService::cast(tsrv))
    {
        TCPUDPService *tu_osrv = TCPUDPService::cast(osrv);
        TCPUDPService *tu_tsrv = TCPUDPService::cast(tsrv);

        osrv_defines_src_port =
            (tu_osrv->getSrcRangeStart() != 0 && tu_osrv->getDstRangeStart() == 0);
        osrv_defines_dst_port =
            (tu_osrv->getSrcRangeStart() == 0 && tu_osrv->getDstRangeStart() != 0);
        tsrv_translates_src_port =
            (tu_tsrv->getSrcRangeStart() != 0 && tu_tsrv->getDstRangeStart() == 0);
        tsrv_translates_dst_port =
            (tu_tsrv->getSrcRangeStart() == 0 && tu_tsrv->getDstRangeStart() != 0);

        if (tsrv_translates_dst_port &&
            tu_osrv->getDstRangeStart() == tu_tsrv->getDstRangeStart() &&
            tu_osrv->getDstRangeEnd() == tu_tsrv->getDstRangeEnd())
            tsrv_translates_dst_port = false; // osrv and tsrv define the same ports

        if (tsrv_translates_src_port &&
            tu_osrv->getSrcRangeStart() == tu_tsrv->getSrcRangeStart() &&
            tu_osrv->getSrcRangeEnd() == tu_tsrv->getSrcRangeEnd())
            tsrv_translates_src_port = false; // osrv and tsrv define the same ports
    }

    if (!osrv->isAny() && !tsrv->isAny() && !( *osrv == *tsrv ) ) // have operator==, but do not have operator!=
    {
        bool translation_ok = true;
        if (osrv->getTypeName() != tsrv->getTypeName())
        {
            translation_ok = false;
            // see #1685. Custom service needs special treatment
            if (CustomService::isA(osrv) &&
                (Service::cast(osrv)->getProtocolName() == Service::cast(tsrv)->getProtocolName()))
                translation_ok = true;
        }
        if (!translation_ok)
            compiler->abort(rule,
                            "NAT rule can not change service types: " +
                            osrv->getTypeName() + " to " + tsrv->getTypeName());
    }

    /*
     * SDNAT rule is rather special. We should split it onto two normal
     * rules, one SNAT and another DNAT and run this rule processor again
     * for each. This algorithm should be implemented for each platform
     * separately. Platforms where it does not seem possible to implement
     * at all should catch SDNAT rules and abort in their own
     * verifyNATRule processor.
     */
    if ( ( ! tsrc->isAny() && ! tdst->isAny() ) ||
         ( ! tsrc->isAny() && tsrv_translates_dst_port) ||
         ( ! tdst->isAny() && tsrv_translates_src_port) )
    {
        rule->setRuleType(NATRule::SDNAT);
        return true;
    }

    if ( (! tsrc->isAny() && tdst->isAny()) ||
         (tsrc->isAny() && tdst->isAny() && tsrv_translates_src_port) )
    {
        if ( ! tsrc->isAny() && Network::isA(tsrc) )
            /*
             * this is Netnat rule ( NETMAP in iptables)
             * we always do additional sanity checks in VerifyRules
             */
            rule->setRuleType(NATRule::SNetnat);
        else
            rule->setRuleType(NATRule::SNAT);
        return true;
    }

    if ( (tsrc->isAny() && ! tdst->isAny() ) ||
         (tsrc->isAny() && tdst->isAny() && tsrv_translates_dst_port) )
    {
        /* this is load balancing rule if there are multiple objects in TDst */
        if ( tdstre->size()>1 ) rule->setRuleType(NATRule::LB);
        else
        {
            if (! tdst->isAny() && Network::isA(tdst) )
                /*
                 * this is Netnat rule ( NETMAP in iptables)
                 * we always do additional sanity checks in VerifyRules
                 */
                rule->setRuleType(NATRule::DNetnat);
            else
            {
                /*
                 * treat it as redirect only if TDst is a firewall object. Use DNAT
                 * if it is interface or an address; this allows for "redirects" to specific
                 * interface on the firewall which comes useful for example if http proxy is
                 * running only on internal interface.
                 */
                // compared by object id, so only the firewall object being
                // compiled counts as Redirect
                if ( tdst->getId()==compiler->fw->getId())
                    rule->setRuleType(NATRule::Redirect);
                else
                    rule->setRuleType(NATRule::DNAT);

                // if ( compiler->complexMatch(tdst,compiler->fw) ) rule->setRuleType(NATRule::Redirect);
                // else rule->setRuleType(NATRule::DNAT);
            }
        }
        return true;
    }

    compiler->abort(rule, "Unsupported NAT rule");
    return false;
}

bool NATCompiler::ExpandMultipleAddresses::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElement *rel;

    switch (rule->getRuleType())
    {
    case NATRule::NONAT:
    case NATRule::Return:
    {
        rel=rule->getOSrc();    assert(rel);
        compiler->_expand_addr(rule, rel, true);
        rel=rule->getODst();    assert(rel);
        compiler->_expand_addr(rule, rel, true);
        break;
    }
    case NATRule::SNAT:
    case NATRule::SDNAT:
    {
        rel=rule->getOSrc();    assert(rel);
        compiler->_expand_addr(rule, rel, true);
        rel=rule->getODst();    assert(rel);
        compiler->_expand_addr(rule, rel, true);
        rel=rule->getTSrc();    assert(rel);
        compiler->_expand_addr(rule, rel, false);
        rel=rule->getTDst();    assert(rel);
        compiler->_expand_addr(rule, rel,
false); break; } case NATRule::DNAT: { rel=rule->getOSrc(); assert(rel); compiler->_expand_addr(rule, rel, true); rel=rule->getODst(); assert(rel); compiler->_expand_addr(rule, rel, false); rel=rule->getTSrc(); assert(rel); compiler->_expand_addr(rule, rel, false); rel=rule->getTDst(); assert(rel); compiler->_expand_addr(rule, rel, false); break; } case NATRule::Redirect: { rel=rule->getOSrc(); assert(rel); compiler->_expand_addr(rule, rel, true); rel=rule->getODst(); assert(rel); compiler->_expand_addr(rule, rel, false); rel=rule->getTSrc(); assert(rel); compiler->_expand_addr(rule, rel, false); break; } default: break; } return true; } bool NATCompiler::ExpandAddressRanges::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElement *rel; rel=rule->getOSrc(); assert(rel); compiler->_expandAddressRanges(rule,rel); rel=rule->getODst(); assert(rel); compiler->_expandAddressRanges(rule,rel); rel=rule->getTSrc(); assert(rel); compiler->_expandAddressRanges(rule,rel); rel=rule->getTDst(); assert(rel); compiler->_expandAddressRanges(rule,rel); return true; } bool NATCompiler::ExpandGroups::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElement *osrc=rule->getOSrc(); assert(osrc); RuleElement *odst=rule->getODst(); assert(odst); RuleElement *osrv=rule->getOSrv(); assert(osrv); RuleElement *tsrc=rule->getTSrc(); assert(tsrc); RuleElement *tdst=rule->getTDst(); assert(tdst); RuleElement *tsrv=rule->getTSrv(); assert(tsrv); compiler->expandGroupsInRuleElement(osrc); compiler->expandGroupsInRuleElement(odst); compiler->expandGroupsInRuleElement(osrv); compiler->expandGroupsInRuleElement(tsrc); compiler->expandGroupsInRuleElement(tdst); compiler->expandGroupsInRuleElement(tsrv); return true; } bool NATCompiler::expandGroupsInItfInb::processNext() { NATRule *rule = getNext(); if (rule==NULL) return false; RuleElementItfInb *itf = rule->getItfInb(); 
compiler->expandGroupsInRuleElement(itf); tmp_queue.push_back(rule); return true; } bool NATCompiler::expandGroupsInItfOutb::processNext() { NATRule *rule = getNext(); if (rule==NULL) return false; RuleElementItfOutb *itf = rule->getItfOutb(); compiler->expandGroupsInRuleElement(itf); tmp_queue.push_back(rule); return true; } bool NATCompiler::checkForUnnumbered::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; if ( compiler->catchUnnumberedIfaceInRE( rule->getOSrc() ) || compiler->catchUnnumberedIfaceInRE( rule->getODst() ) || compiler->catchUnnumberedIfaceInRE( rule->getTSrc() ) || compiler->catchUnnumberedIfaceInRE( rule->getTDst() ) ) compiler->abort( rule, "Can not use unnumbered interfaces in rules. "); tmp_queue.push_back(rule); return true; } bool NATCompiler::ConvertToAtomicForOriginal::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrc *osrc=rule->getOSrc(); assert(osrc); RuleElementODst *odst=rule->getODst(); assert(odst); RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); for (FWObject::iterator i1=osrc->begin(); i1!=osrc->end(); ++i1) { for (FWObject::iterator i2=odst->begin(); i2!=odst->end(); ++i2) { for (FWObject::iterator i3=osrv->begin(); i3!=osrv->end(); ++i3) { NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s=r->getOSrc(); assert(s); s->clearChildren(); s->addCopyOf( *i1 ); s=r->getODst(); assert(s); s->clearChildren(); s->addCopyOf( *i2 ); s=r->getOSrv(); assert(s); s->clearChildren(); s->addCopyOf( *i3 ); tmp_queue.push_back(r); } } } return true; } bool NATCompiler::ConvertToAtomicForAddresses::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrc *osrc=rule->getOSrc(); assert(osrc); RuleElementODst *odst=rule->getODst(); assert(odst); RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); RuleElementTSrc *tsrc=rule->getTSrc(); assert(tsrc); RuleElementTDst *tdst=rule->getTDst(); 
assert(tdst); RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv); for (FWObject::iterator i1=osrc->begin(); i1!=osrc->end(); ++i1) { for (FWObject::iterator i2=odst->begin(); i2!=odst->end(); ++i2) { for (FWObject::iterator i4=tsrc->begin(); i4!=tsrc->end(); ++i4) { for (FWObject::iterator i5=tdst->begin(); i5!=tdst->end(); ++i5) { NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s=r->getOSrc(); assert(s); s->clearChildren(); s->addCopyOf( *i1 ); s=r->getODst(); assert(s); s->clearChildren(); s->addCopyOf( *i2 ); // s=r->getOSrv(); assert(s); // *s=*osrv; s=r->getTSrc(); assert(s); s->clearChildren(); s->addCopyOf( *i4 ); s=r->getTDst(); assert(s); s->clearChildren(); s->addCopyOf( *i5 ); // s=r->getTSrv(); assert(s); // *s=*tsrv; tmp_queue.push_back(r); } } } } return true; } bool NATCompiler::ConvertToAtomicForOSrv::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); for (FWObject::iterator i1=osrv->begin(); i1!=osrv->end(); ++i1) { NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s=r->getOSrv(); assert(s); s->clearChildren(); s->addCopyOf( *i1 ); tmp_queue.push_back(r); } return true; } bool NATCompiler::ConvertToAtomicForTSrc::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementTSrc *tsrc=rule->getTSrc(); assert(tsrc); for (FWObject::iterator i1=tsrc->begin(); i1!=tsrc->end(); ++i1) { NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s=r->getTSrc(); assert(s); s->clearChildren(); s->addCopyOf( *i1 ); tmp_queue.push_back(r); } return true; } bool NATCompiler::ConvertToAtomicForTDst::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementTDst *tsrc=rule->getTDst(); assert(tsrc); for (FWObject::iterator i1=tsrc->begin(); i1!=tsrc->end(); ++i1) { 
NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s=r->getTDst(); assert(s); s->clearChildren(); s->addCopyOf( *i1 ); tmp_queue.push_back(r); } return true; } bool NATCompiler::ConvertToAtomicForTSrv::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementTSrv *tsrc=rule->getTSrv(); assert(tsrc); for (FWObject::iterator i1=tsrc->begin(); i1!=tsrc->end(); ++i1) { NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s=r->getTSrv(); assert(s); s->clearChildren(); s->addCopyOf( *i1 ); tmp_queue.push_back(r); } return true; } bool NATCompiler::ConvertToAtomicForItfInb::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementItfInb *itf_inb_re=rule->getItfInb(); assert(itf_inb_re); for (FWObject::iterator i1=itf_inb_re->begin(); i1!=itf_inb_re->end(); ++i1) { NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s = r->getItfInb(); assert(s); s->clearChildren(); s->addCopyOf( *i1 ); tmp_queue.push_back(r); } return true; } bool NATCompiler::ConvertToAtomicForItfOutb::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementItfOutb *itf_outb_re=rule->getItfOutb(); assert(itf_outb_re); for (FWObject::iterator i1=itf_outb_re->begin(); i1!=itf_outb_re->end(); ++i1) { NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s = r->getItfOutb(); assert(s); s->clearChildren(); s->addCopyOf( *i1 ); tmp_queue.push_back(r); } return true; } bool NATCompiler::ConvertToAtomic::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrc *osrc=rule->getOSrc(); assert(osrc); RuleElementODst *odst=rule->getODst(); assert(odst); RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); RuleElementTSrc *tsrc=rule->getTSrc(); assert(tsrc); RuleElementTDst 
*tdst=rule->getTDst(); assert(tdst); RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv); for (FWObject::iterator i1=osrc->begin(); i1!=osrc->end(); ++i1) { for (FWObject::iterator i2=odst->begin(); i2!=odst->end(); ++i2) { for (FWObject::iterator i3=osrv->begin(); i3!=osrv->end(); ++i3) { for (FWObject::iterator i4=tsrc->begin(); i4!=tsrc->end(); ++i4) { for (FWObject::iterator i5=tdst->begin(); i5!=tdst->end(); ++i5) { for (FWObject::iterator i6=tsrv->begin(); i6!=tsrv->end(); ++i6) { NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); FWObject *s; s=r->getOSrc(); assert(s); s->clearChildren(); s->addCopyOf( *i1 ); s=r->getODst(); assert(s); s->clearChildren(); s->addCopyOf( *i2 ); s=r->getOSrv(); assert(s); s->clearChildren(); s->addCopyOf( *i3 ); s=r->getTSrc(); assert(s); s->clearChildren(); s->addCopyOf( *i4 ); s=r->getTDst(); assert(s); s->clearChildren(); s->addCopyOf( *i5 ); s=r->getTSrv(); assert(s); s->clearChildren(); s->addCopyOf( *i6 ); tmp_queue.push_back(r); } } } } } } return true; } bool NATCompiler::MACFiltering::checkRuleElement(RuleElement *re) { bool res=true; std::list lst; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o = FWReference::getObject(*i); if (physAddress::isA(o)) { lst.push_back(o); res=false; } } for (FWObject::iterator i1=lst.begin(); i1!=lst.end(); i1++) re->removeRef(*i1); return res; } bool NATCompiler::MACFiltering::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElement *osrc=rule->getOSrc(); RuleElement *odst=rule->getODst(); string lbl=rule->getLabel(); if ( ! checkRuleElement(osrc) ) { if (last_rule_lbl!=lbl) compiler->warning( rule, "MAC address matching is not supported. One or several MAC addresses removed from Original Source "); if (osrc->empty() || osrc->isAny()) compiler->abort( rule, "Original Source becomes 'Any' after all MAC addresses have been removed"); last_rule_lbl=lbl; } if ( ! 
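checkRuleElement(odst) )
    {
        if (last_rule_lbl!=lbl)
            compiler->warning(
                rule,
                "MAC address matching is not supported. One or several MAC addresses removed from Original Destination ");

        if (odst->empty() || odst->isAny())
            compiler->abort(
                rule,
                "Original Destination becomes 'Any' after all MAC addresses have been removed");

        last_rule_lbl=lbl;
    }

    return true;
}

/*
 * splits rule if ODst has multiple objects that belong to different
 * subnets
 *
 * Only SNAT rules with more than one ODst object are touched. The ODst
 * objects are grouped by the firewall interface findInterfaceFor() maps
 * them to (objects with no interface share one group); when more than one
 * group results, the rule is replaced by one copy per group, each holding
 * only that group's objects in ODst. Otherwise the rule passes through
 * unchanged.
 */
bool NATCompiler::splitODstForSNAT::processNext()
{
    NATRule *rule=getNext(); if (rule==NULL) return false;

    if (rule->getRuleType()==NATRule::SNAT)
    {
        RuleElementODst *rel=rule->getODst();
        if (!rel->isAny() && rel->size()>1)
        {
            map > il;
            for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++)
            {
                FWObject *o = FWReference::getObject(*i);
                Address *a=Address::cast(o);
                string iid="";
                Interface *iface=compiler->findInterfaceFor( a , compiler->fw );
                // getId() is an int. Assigning it to a std::string directly
                // selects operator=(char) and truncates the id, so distinct
                // interfaces could land in the same bucket and the rule would
                // not be split; use the database's string form of the id.
                if (iface!=NULL) iid=FWObjectDatabase::getStringId(iface->getId());
                il[iid].push_back( a );
            }
            if (il.size()>1)
            {
                map >::iterator j;
                for (j=il.begin(); j!=il.end(); j++)
                {
                    NATRule *r= compiler->dbcopy->createNATRule();
                    compiler->temp_ruleset->add(r);
                    r->duplicate(rule);
                    RuleElementODst *nodst=r->getODst();
                    nodst->clearChildren();
                    list::iterator k;
                    for (k= j->second.begin(); k!=j->second.end(); k++)
                        nodst->addRef( *k );
                    tmp_queue.push_back(r);
                }
            } else
                tmp_queue.push_back(rule);
        } else
            tmp_queue.push_back(rule);
    } else
        tmp_queue.push_back(rule);

    return true;
}

/*
 * Render a NAT rule as one text line per "row": the rule label on the
 * first row, then for every rule element (OSrc, ODst, OSrv, TSrc, TDst,
 * TSrv, ItfInb, ItfOutb) the name and id of the object in that row's
 * position, prefixed with "!" when the element is negated. Elements with
 * fewer objects than the longest one are padded with blanks and id -1.
 * Intended for debugging output only.
 */
string NATCompiler::debugPrintRule(libfwbuilder::Rule *r)
{
    NATRule *rule = NATRule::cast(r);

    RuleElementOSrc *osrcrel = rule->getOSrc();
    RuleElementODst *odstrel = rule->getODst();
    RuleElementOSrv *osrvrel = rule->getOSrv();
    RuleElementTSrc *tsrcrel = rule->getTSrc();
    RuleElementTDst *tdstrel = rule->getTDst();
    RuleElementTSrv *tsrvrel = rule->getTSrv();
    RuleElementItfInb *itf_inb_rel = rule->getItfInb();
    RuleElementItfOutb *itf_outb_rel = rule->getItfOutb();

    ostringstream str;

    // str << setw(70) << setfill('-') << "-";

    int no = 0;
    FWObject::iterator i1 = osrcrel->begin();
    FWObject::iterator i2 = odstrel->begin();
    FWObject::iterator i3 = osrvrel->begin();
    FWObject::iterator i4 = tsrcrel->begin();
    FWObject::iterator i5 = tdstrel->begin();
    FWObject::iterator i6 = tsrvrel->begin();
    FWObject::iterator i7 = itf_inb_rel->begin();
    FWObject::iterator i8 = itf_outb_rel->begin();

    // keep emitting rows until every element has been walked to its end
    while ( i1!=osrcrel->end() || i2!=odstrel->end() || i3!=osrvrel->end() ||
            i4!=tsrcrel->end() || i5!=tdstrel->end() || i6!=tsrvrel->end() ||
            i7!=itf_inb_rel->end() || i8!=itf_outb_rel->end())
    {
        str << endl;

        string osrc = " ";
        string odst = " ";
        string osrv = " ";
        string tsrc = " ";
        string tdst = " ";
        string tsrv = " ";
        string itf_inb = " ";
        string itf_outb = " ";

        if (osrcrel->getNeg()) osrc = "!";
        if (odstrel->getNeg()) odst = "!";
        if (osrvrel->getNeg()) osrv = "!";
        if (tsrcrel->getNeg()) tsrc = "!";
        if (tdstrel->getNeg()) tdst = "!";
        if (tsrvrel->getNeg()) tsrv = "!";
        if (itf_inb_rel->getNeg()) itf_inb = "!";
        if (itf_outb_rel->getNeg()) itf_outb = "!";

        int osrc_id = -1;
        int odst_id = -1;
        int osrv_id = -1;
        int tsrc_id = -1;
        int tdst_id = -1;
        int tsrv_id = -1;
        int itf_inb_id = -1;
        int itf_outb_id = -1;

        if (i1!=osrcrel->end())
        {
            FWObject *o = FWReference::getObject(*i1);
            osrc += o->getName();
            osrc_id = o->getId();
        }

        if (i2!=odstrel->end())
        {
            FWObject *o = FWReference::getObject(*i2);
            odst += o->getName();
            odst_id = o->getId();
        }

        if (i3!=osrvrel->end())
        {
            FWObject *o = FWReference::getObject(*i3);
            osrv += o->getName();
            osrv_id = o->getId();
        }

        if (i4!=tsrcrel->end())
        {
            FWObject *o = FWReference::getObject(*i4);
            tsrc += o->getName();
            tsrc_id = o->getId();
        }

        if (i5!=tdstrel->end())
        {
            FWObject *o = FWReference::getObject(*i5);
            tdst += o->getName();
            tdst_id = o->getId();
        }

        if (i6!=tsrvrel->end())
        {
            FWObject *o = FWReference::getObject(*i6);
            tsrv += o->getName();
            tsrv_id = o->getId();
        }

        if (i7!=itf_inb_rel->end())
        {
            FWObject *o = FWReference::getObject(*i7);
            itf_inb += o->getName();
            itf_inb_id = o->getId();
        }

        if (i8!=itf_outb_rel->end())
        {
            FWObject *o = FWReference::getObject(*i8);
            itf_outb += o->getName();
            itf_outb_id = o->getId();
        }

        // the label occupies the first 8 columns of the first row only
        int w = 0;
        if (no==0)
        {
            str << rule->getLabel();
            w = rule->getLabel().length();
        }

        str << setw(8-w) << setfill(' ') << " ";

        str << setw(16) << setfill(' ') << osrc.c_str() << "(" << osrc_id << ")";
        str << setw(16) << setfill(' ') << odst.c_str() << "(" << odst_id << ")";
        str << setw(10) << setfill(' ') << osrv.c_str() << "(" << osrv_id << ")";

        // str << endl;
        //
        // str << setw(8) << setfill(' ') << " ";

        str << setw(16) << setfill(' ') << tsrc.c_str() << "(" << tsrc_id << ")";
        str << setw(16) << setfill(' ') << tdst.c_str() << "(" << tdst_id << ")";
        str << setw(10) << setfill(' ') << tsrv.c_str() << "(" << tsrv_id << ")";
        str << setw(10) << setfill(' ') << itf_inb.c_str() << "(" << itf_inb_id << ")";
        str << setw(10) << setfill(' ') << itf_outb.c_str() << "(" << itf_outb_id << ")";

        ++no;

        if ( i1!=osrcrel->end() ) ++i1;
        if ( i2!=odstrel->end() ) ++i2;
        if ( i3!=osrvrel->end() ) ++i3;
        if ( i4!=tsrcrel->end() ) ++i4;
        if ( i5!=tdstrel->end() ) ++i5;
        if ( i6!=tsrvrel->end() ) ++i6;
        if ( i7!=itf_inb_rel->end() ) ++i7;
        if ( i8!=itf_outb_rel->end() ) ++i8;
    }
    return str.str();
}
fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/NATCompiler.h000066400000000000000000000431511303637203600242050ustar00rootroot00000000000000/*

  Firewall Builder

  Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland
  vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  GNU General Public License for more details.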
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NAT_COMPILER_HH__ #define __NAT_COMPILER_HH__ #include "fwcompiler/Compiler.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include namespace fwcompiler { #define DECLARE_NAT_RULE_PROCESSOR(_Name) \ friend class _Name; \ class _Name : public NATRuleProcessor { \ public: \ _Name(const std::string &n) : \ NATRuleProcessor(n) {}; \ virtual ~_Name() {}; \ virtual bool processNext(); \ }; class NATCompiler : public Compiler { protected: /** * prints rule in some universal format (close to that visible * to user in the GUI). Used for debugging purposes */ virtual std::string debugPrintRule(libfwbuilder::Rule *rule); public: NATCompiler(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : Compiler(_db, fw, ipv6_policy, _oscnf) {} virtual int prolog(); /** * detect if rule r2 shades rule r1 * returns: * * true if r2 shades r1 */ bool checkForShadowing(libfwbuilder::NATRule &r1, libfwbuilder::NATRule &r2); /** * detects if rules r1 and r2 are identical (that is, have the * same effect, rather than use the same objects) * * returns: * * true if r1 is identical to r2 */ bool cmpRules(libfwbuilder::NATRule &r1, libfwbuilder::NATRule &r2); /** * this processor assigns NATRuleType value to the rule, thus * classifying it for further processing */ DECLARE_NAT_RULE_PROCESSOR(classifyNATRule); /** * this class expands groups in src,dst,srv. 
It creates * references to new objects "in place" (that is, it does not * create new rules but rather uses rule elements of the old * ones) */ DECLARE_NAT_RULE_PROCESSOR(ExpandGroups); /** * this inspector replaces hosts and firewalls in src or dst * with references to their interfaces */ DECLARE_NAT_RULE_PROCESSOR(ExpandMultipleAddresses); /** * checks for unnumbered interface in rule elements (one can * not use unnumbered interfaces in rules). Call after * ExpandMultipleAddresses so that we have single object in * each rule element. */ class checkForUnnumbered : public NATRuleProcessor { public: checkForUnnumbered(const std::string &n) : NATRuleProcessor(n) {} virtual bool processNext(); }; /** * this processor splits rule element if src or dst contains * address range */ DECLARE_NAT_RULE_PROCESSOR(ExpandAddressRanges); /** * splits SNAT rule if ODst has multiple objects that belong * to subnets different interfaces of the firewall are on. We * need this to be able to pick interfaces of the firewall * for SNAT rule in ReplaceFirewallObjectsTSrc */ DECLARE_NAT_RULE_PROCESSOR(splitODstForSNAT); /** * this processor converts to atomic rules using all combinations * of objects in OSrc,ODst,TSrc,TDSt. It ignores OSrv and TSrv. */ DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForAddresses); /** * this processor converts to atomic rules using all * combinations of objects in OSrc,ODst,OSrv. It ignores * all "translated" rule elements. 
*/ DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForOriginal); /** * this processor converts to atomic rules only for OSrcv */ DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForOSrv); /** * this processor converts to atomic rules only for TSrc */ DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForTSrc); /** * this processor converts to atomic rules only for TDst */ DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForTDst); /** * this processor converts to atomic rules only for TSrv */ DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForTSrv); /** * this processor converts to atomic rules only for ItfInb */ DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForItfInb); /** * this processor converts to atomic rules only for ItfOutb */ DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForItfOutb); /** * this processor converts to atomic rules using all combinations * of OSrc,ODst,OSrv,TSrc,TDst,TSrv */ DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomic); /** * single object negation in OSrc */ class singleObjectNegationOSrc : public singleObjectNegation { public: singleObjectNegationOSrc(const std::string &n): singleObjectNegation(n,libfwbuilder::RuleElementOSrc::TYPENAME) {} }; /** * single object negation in ODst */ class singleObjectNegationODst : public Compiler::singleObjectNegation { public: singleObjectNegationODst(const std::string &n): singleObjectNegation(n,libfwbuilder::RuleElementODst::TYPENAME) {} }; /** * single object negation in ItfInb */ class singleObjectNegationItfInb : public Compiler::singleObjectNegation { public: singleObjectNegationItfInb(const std::string &n): singleObjectNegation(n,libfwbuilder::RuleElementItfInb::TYPENAME) {} }; /** * single object negation in ItfOutb */ class singleObjectNegationItfOutb : public Compiler::singleObjectNegation { public: singleObjectNegationItfOutb(const std::string &n): singleObjectNegation(n,libfwbuilder::RuleElementItfOutb::TYPENAME) {} }; /** * processes rules with negation in ItfOutb */ class ItfOutbNegation : public Compiler::fullInterfaceNegationInRE { 
public: ItfOutbNegation(const std::string &name) : fullInterfaceNegationInRE( name, libfwbuilder::RuleElementItfOutb::TYPENAME) {} }; /** * processes rules with negation in ItfInb */ class ItfInbNegation : public Compiler::fullInterfaceNegationInRE { public: ItfInbNegation(const std::string &name) : fullInterfaceNegationInRE( name, libfwbuilder::RuleElementItfInb::TYPENAME) {} }; /** * replace cluster interface objects with inetrfaces of the member * firewall in the Interface rule element */ class replaceClusterInterfaceInItfInb : public Compiler::replaceClusterInterfaceInItfRE { public: replaceClusterInterfaceInItfInb(const std::string &name) : replaceClusterInterfaceInItfRE( name, libfwbuilder::RuleElementItfInb::TYPENAME) {} }; /** * replace cluster interface objects with inetrfaces of the member * firewall in the Interface rule element */ class replaceClusterInterfaceInItfOutb : public Compiler::replaceClusterInterfaceInItfRE { public: replaceClusterInterfaceInItfOutb(const std::string &name) : replaceClusterInterfaceInItfRE( name,libfwbuilder::RuleElementItfOutb::TYPENAME) {} }; /** * expand groups in Interface rule element */ DECLARE_NAT_RULE_PROCESSOR(expandGroupsInItfInb); /** * expand groups in Interface rule element */ DECLARE_NAT_RULE_PROCESSOR(expandGroupsInItfOutb); /** * deals with recursive groups in OSrc. See description for * Compiler::recursiveGroupsInRE */ class recursiveGroupsInOSrc : public Compiler::recursiveGroupsInRE { public: recursiveGroupsInOSrc(const std::string &n) : recursiveGroupsInRE(n,libfwbuilder::RuleElementOSrc::TYPENAME) {} }; /** * deals with recursive groups in ODst. See description for * Compiler::recursiveGroupsInRE */ class recursiveGroupsInODst : public Compiler::recursiveGroupsInRE { public: recursiveGroupsInODst(const std::string &n) : recursiveGroupsInRE(n,libfwbuilder::RuleElementODst::TYPENAME) {} }; /** * deals with recursive groups in OSrv. 
See description for * Compiler::recursiveGroupsInRE */ class recursiveGroupsInOSrv : public Compiler::recursiveGroupsInRE { public: recursiveGroupsInOSrv(const std::string &n) : recursiveGroupsInRE(n,libfwbuilder::RuleElementOSrv::TYPENAME) {} }; /** * deals with recursive groups in TSrc. See description for * Compiler::recursiveGroupsInRE */ class recursiveGroupsInTSrc : public Compiler::recursiveGroupsInRE { public: recursiveGroupsInTSrc(const std::string &n) : recursiveGroupsInRE(n,libfwbuilder::RuleElementTSrc::TYPENAME) {} }; /** * deals with recursive groups in TDst. See description for * Compiler::recursiveGroupsInRE */ class recursiveGroupsInTDst : public Compiler::recursiveGroupsInRE { public: recursiveGroupsInTDst(const std::string &n) : recursiveGroupsInRE(n,libfwbuilder::RuleElementTDst::TYPENAME) {} }; /** * deals with recursive groups in TSrv. See description for * Compiler::recursiveGroupsInRE */ class recursiveGroupsInTSrv : public Compiler::recursiveGroupsInRE { public: recursiveGroupsInTSrv(const std::string &n) : recursiveGroupsInRE(n,libfwbuilder::RuleElementTSrv::TYPENAME) {} }; /** * deals with empty groups in OSrc. See description for * Compiler::emptyGroupsInRE */ class emptyGroupsInOSrc : public Compiler::emptyGroupsInRE { public: emptyGroupsInOSrc(const std::string &n) : emptyGroupsInRE(n,libfwbuilder::RuleElementOSrc::TYPENAME) {} }; /** * deals with empty groups in ODst. See description for * Compiler::emptyGroupsInRE */ class emptyGroupsInODst : public Compiler::emptyGroupsInRE { public: emptyGroupsInODst(const std::string &n) : emptyGroupsInRE(n,libfwbuilder::RuleElementODst::TYPENAME) {} }; /** * deals with empty groups in OSrv. See description for * Compiler::emptyGroupsInRE */ class emptyGroupsInOSrv : public Compiler::emptyGroupsInRE { public: emptyGroupsInOSrv(const std::string &n) : emptyGroupsInRE(n,libfwbuilder::RuleElementOSrv::TYPENAME) {} }; /** * deals with empty groups in TSrc. 
See description for * Compiler::emptyGroupsInRE */ class emptyGroupsInTSrc : public Compiler::emptyGroupsInRE { public: emptyGroupsInTSrc(const std::string &n) : emptyGroupsInRE(n,libfwbuilder::RuleElementTSrc::TYPENAME) {} }; /** * deals with empty groups in TDst. See description for * Compiler::emptyGroupsInRE */ class emptyGroupsInTDst : public Compiler::emptyGroupsInRE { public: emptyGroupsInTDst(const std::string &n) : emptyGroupsInRE(n,libfwbuilder::RuleElementTDst::TYPENAME) {} }; /** * deals with empty groups in TSrv. See description for * Compiler::emptyGroupsInRE */ class emptyGroupsInTSrv : public Compiler::emptyGroupsInRE { public: emptyGroupsInTSrv(const std::string &n) : emptyGroupsInRE(n,libfwbuilder::RuleElementTSrv::TYPENAME) {} }; /** * splits rule if one of the objects in OSrc is firewall * itself. This is needed because some platforms require * special processing for rules dealing with packets * originated on the firewall, or headed for the firewall * (notably iptables). */ class splitIfOSrcMatchesFw : public Compiler::splitIfRuleElementMatchesFW { public: splitIfOSrcMatchesFw (const std::string &n) : splitIfRuleElementMatchesFW(n,libfwbuilder::RuleElementOSrc::TYPENAME) {} }; /** * itself. This is needed because some platforms require * special processing for rules dealing with packets * originated on the firewall, or headed for the firewall * (notably iptables). * splits rule if one of the objects in ODst is firewall */ class splitIfODstMatchesFw : public Compiler::splitIfRuleElementMatchesFW { public: splitIfODstMatchesFw (const std::string &n) : splitIfRuleElementMatchesFW(n,libfwbuilder::RuleElementODst::TYPENAME) {} }; /** * splits rule if one of the objects in TSrc is firewall * itself. This is needed because some platforms require * special processing for rules dealing with packets * originated on the firewall, or headed for the firewall * (notably iptables). 
*/ class splitIfTSrcMatchesFw : public Compiler::splitIfRuleElementMatchesFW { public: splitIfTSrcMatchesFw (const std::string &n) : splitIfRuleElementMatchesFW(n,libfwbuilder::RuleElementTSrc::TYPENAME) {} }; /** * splits rule if one of the objects in TDst is firewall * itself. This is needed because some platforms require * special processing for rules dealing with packets * originated on the firewall, or headed for the firewall * (notably iptables). */ class splitIfTDstMatchesFw : public Compiler::splitIfRuleElementMatchesFW { public: splitIfTDstMatchesFw (const std::string &n) : splitIfRuleElementMatchesFW(n,libfwbuilder::RuleElementTDst::TYPENAME) {} }; /** * many firewall platforms do not support filtering by MAC * addresses. Issue warning if MAC address is used in the rule * and remove it from the rule element. * * Call this processor after ExpandMultipleAddresses. */ class MACFiltering : public NATRuleProcessor { protected: std::string last_rule_lbl; /* return value: * true - ok * false - one or more MAC addresses have been removed, issue warning */ bool checkRuleElement(libfwbuilder::RuleElement *re); public: MACFiltering(const std::string &n) : NATRuleProcessor(n) {} virtual bool processNext(); }; /** * rule processors that replace MultiAddress objects with * MultiAddressRunTime equivalents */ class swapMultiAddressObjectsInOSrc : public Compiler::swapMultiAddressObjectsInRE { public: swapMultiAddressObjectsInOSrc(const std::string &n) : swapMultiAddressObjectsInRE( n, libfwbuilder::RuleElementOSrc::TYPENAME) {} }; class swapMultiAddressObjectsInODst : public Compiler::swapMultiAddressObjectsInRE { public: swapMultiAddressObjectsInODst(const std::string &n) : swapMultiAddressObjectsInRE( n, libfwbuilder::RuleElementODst::TYPENAME) {} }; class swapMultiAddressObjectsInTSrc : public Compiler::swapMultiAddressObjectsInRE { public: swapMultiAddressObjectsInTSrc(const std::string &n) : swapMultiAddressObjectsInRE( n, libfwbuilder::RuleElementTSrc::TYPENAME) {} 
}; class swapMultiAddressObjectsInTDst : public Compiler::swapMultiAddressObjectsInRE { public: swapMultiAddressObjectsInTDst(const std::string &n) : swapMultiAddressObjectsInRE( n, libfwbuilder::RuleElementTDst::TYPENAME) {} }; class RegisterGroupsAndTablesInOSrc : public RegisterGroupsAndTablesInRE { public: RegisterGroupsAndTablesInOSrc(const std::string &n) : RegisterGroupsAndTablesInRE(n, libfwbuilder::RuleElementOSrc::TYPENAME) {} }; class RegisterGroupsAndTablesInODst : public RegisterGroupsAndTablesInRE { public: RegisterGroupsAndTablesInODst(const std::string &n) : RegisterGroupsAndTablesInRE(n, libfwbuilder::RuleElementODst::TYPENAME) {} }; }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/OSConfigurator.cpp000066400000000000000000000022631303637203600253260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "OSConfigurator.h" using namespace libfwbuilder; using namespace fwcompiler; using namespace std; OSConfigurator::~OSConfigurator() {} OSConfigurator::OSConfigurator(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy) : Compiler(_db, fw, ipv6_policy) { num_virtual_addresses_for_nat = 0; }; fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/OSConfigurator.h000066400000000000000000000036541303637203600250000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OSCONFIGURATOR_HH__ #define __OSCONFIGURATOR_HH__ #include "fwcompiler/Compiler.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/InetAddr.h" #include #include namespace fwcompiler { class OSConfigurator : public Compiler { int num_virtual_addresses_for_nat; public: virtual ~OSConfigurator(); OSConfigurator(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy); virtual void processFirewallOptions() {} virtual void addVirtualAddressForNAT(const libfwbuilder::Address*) {}; virtual void addVirtualAddressForNAT(const libfwbuilder::Network*) {}; void registerVirtualAddressForNat() { num_virtual_addresses_for_nat++; } int getNumOfVirtualAddressesForNat() { return num_virtual_addresses_for_nat; } virtual std::string printFunctions() { return ""; } virtual std::string printKernelVarsCommands() { return ""; } virtual std::string configureInterfaces() { return ""; } }; } #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp000066400000000000000000001023011303637203600253460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "PolicyCompiler.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Group.h" #include "fwbuilder/MultiAddress.h" #include "fwbuilder/FailoverClusterGroup.h" #include #include #include #include using namespace fwcompiler; using namespace libfwbuilder; using namespace std; int PolicyCompiler::prolog() { Compiler::prolog(); Policy *policy = Policy::cast(fw->getFirstByType(Policy::TYPENAME)); assert(policy); if (source_ruleset == NULL) source_ruleset = policy; source_ruleset->renumberRules(); temp_ruleset = new Policy(); // working copy of the policy fw->add( temp_ruleset ); temp_ruleset->setName(source_ruleset->getName()); int global_num = 0; string label_prefix = ""; if (source_ruleset->getName() != "Policy") label_prefix = source_ruleset->getName(); int rule_counter = 0; for (FWObject::iterator i=source_ruleset->begin(); i!=source_ruleset->end(); i++) { PolicyRule *r = PolicyRule::cast(*i); if (r == NULL) continue; // skip RuleSetOptions object /* * do not remove disabled rules just yet because some * compilers might use RuleSet::insertRuleAtTop() and other * similar methods from prolog() or * addPredefinedPolicyRules()() and these methods 
renumber * rules (labels stop matching rule positions when this is * done because labels are configured in prolog() method of * the base class. See fwbuilder ticket 1173) */ //if (r->isDisabled()) continue; if (r->getLabel().empty()) { RuleElementItf *itfre = r->getItf(); assert(itfre); if (itfre->isAny()) { r->setLabel( createRuleLabel(label_prefix, "global", r->getPosition()) ); } else { string interfaces = ""; for (FWObject::iterator i=itfre->begin(); i!=itfre->end(); ++i) { FWObject *o = FWReference::getObject(*i); if (interfaces!="") interfaces += ","; interfaces += o->getName(); } r->setLabel( createRuleLabel(label_prefix, interfaces, r->getPosition()) ); } } r->setAbsRuleNumber(global_num); global_num++; rule_counter++; } initialized = true; return rule_counter; } /* * detects if tule r2 shades rule r1. */ bool PolicyCompiler::checkForShadowing(PolicyRule &r1, PolicyRule &r2) { RuleElement *srcrel1; RuleElement *dstrel1; RuleElement *srvrel1; RuleElement *srcrel2; RuleElement *dstrel2; RuleElement *srvrel2; FWObject::iterator i1 = r1.begin(); srcrel1 = RuleElement::cast(*i1); i1++; dstrel1 = RuleElement::cast(*i1); i1++; srvrel1 = RuleElement::cast(*i1); i1 = r2.begin(); srcrel2 = RuleElement::cast(*i1); i1++; dstrel2 = RuleElement::cast(*i1); i1++; srvrel2 = RuleElement::cast(*i1); if (srcrel1->getNeg()) return false; if (dstrel1->getNeg()) return false; if (srvrel1->getNeg()) return false; if (srcrel2->getNeg()) return false; if (dstrel2->getNeg()) return false; if (srvrel2->getNeg()) return false; /* * TODO: actually, route rule may shadow other rules if it * translates into "final" target, that is stops processing. This * may or may not be so, depending on the platform and combination * of rule options. 
*/ if (r1.getRouting() || r2.getRouting()) return false; PolicyRule::Action r1_action = r1.getAction(); PolicyRule::Action r2_action = r2.getAction(); if (r1_action==PolicyRule::Accounting || r2_action==PolicyRule::Accounting ) return false; /* * this is delicate case: negation. We consider r2 to "shade" r1 * only if r2 is above r1 in the policy; if r1 originally had * negation and has been split, such as for example done in * fwb_ipt, then some of the produced rules have action Return. If * r2 has action != Return and r1 has action Return, we ignore r1. */ if (r1_action==PolicyRule::Return || r2_action==PolicyRule::Return ) return false; /* * the problem with branching rules is that it is combination of * the head rule and rules in the branch rather than a single rule * that can shadow other rules below them. Our current mechanism for * shadowing detection does not support this so all we can do is * skip rules with action Branch. */ if (r1_action==PolicyRule::Branch || r2_action==PolicyRule::Branch ) return false; /* * rules with action continue do not make final decision and * therefore can not shadow other rules (but can be shadowed) */ if (/* r1_action==PolicyRule::Continue || */ r2_action==PolicyRule::Continue ) return false; Address *src1; Address *dst1; Service *srv1; Address *src2; Address *dst2; Service *srv2; map::iterator it = rule_elements_cache.find(r1.getId()); if (it!=rule_elements_cache.end()) { threeTuple *tt = it->second; src1 = tt->src; dst1 = tt->dst; srv1 = tt->srv; } else { src1 = Address::cast(FWReference::cast(srcrel1->front())->getPointer()); dst1 = Address::cast(FWReference::cast(dstrel1->front())->getPointer()); srv1 = Service::cast(FWReference::cast(srvrel1->front())->getPointer()); threeTuple *tt = new struct threeTuple; tt->src = src1; tt->dst = dst1; tt->srv = srv1; rule_elements_cache[r1.getId()] = tt; } it = rule_elements_cache.find(r2.getId()); if (it!=rule_elements_cache.end()) { threeTuple *tt = it->second; src2 = tt->src; dst2 = 
tt->dst; srv2 = tt->srv; } else { src2 = Address::cast(FWReference::cast(srcrel2->front())->getPointer()); dst2 = Address::cast(FWReference::cast(dstrel2->front())->getPointer()); srv2 = Service::cast(FWReference::cast(srvrel2->front())->getPointer()); threeTuple *tt = new struct threeTuple; tt->src = src2; tt->dst = dst2; tt->srv = srv2; rule_elements_cache[r2.getId()] = tt; } if (src1==NULL || dst1==NULL || srv1==NULL) throw FWException("Can not compare rules because rule " + r1.getLabel() + " has a group in one of its elements. Aborting."); if (src2==NULL || dst2==NULL || srv2==NULL) throw FWException("Can not compare rules because rule " + r2.getLabel() + " has a group in one of its elements. Aborting."); if (MultiAddressRunTime::isA(src1) || MultiAddressRunTime::isA(dst1) || MultiAddressRunTime::isA(src2) || MultiAddressRunTime::isA(dst2)) return false; PolicyRule::Direction dir1 = r1.getDirection(); PolicyRule::Direction dir2 = r2.getDirection(); if (dir1 == PolicyRule::Both) dir1 = dir2; if (dir2 == PolicyRule::Both) dir2 = dir1; if (dir1 != dir2) return false; return ( Compiler::checkForShadowing(*src1, *src2) && Compiler::checkForShadowing(*dst1, *dst2) && Compiler::checkForShadowing(*srv1, *srv2) ); // complete: 3'5" return false; } /** * compare interfaces of rules r1 and r2. * * Return true if r2 shadows r1 (only inetrface rule element is * checked) * * If interface element is "all" (empty), it shadows any specific * interface in the other rule, also "all" shadows "all". If neither * is "all", return true if both rules refer the same interface, * otherwise return false. 
*/ bool PolicyCompiler::checkInterfacesForShadowing(PolicyRule &r1, PolicyRule &r2) { RuleElementItf *intf1_re = r1.getItf(); FWObject *rule1_iface = FWObjectReference::getObject(intf1_re->front()); RuleElementItf *intf2_re = r2.getItf(); FWObject *rule2_iface = FWObjectReference::getObject(intf2_re->front()); int intf1_id = rule1_iface->getId(); int intf2_id = rule2_iface->getId(); if (intf2_re->isAny()) return true; // "eth0" -- "all" or "all" -- "all" return (intf1_id == intf2_id); } bool PolicyCompiler::cmpRules(PolicyRule &r1, PolicyRule &r2) { if (r1.getSrc()->getNeg()!=r2.getSrc()->getNeg()) return false; if (r1.getDst()->getNeg()!=r2.getDst()->getNeg()) return false; if (r1.getSrv()->getNeg()!=r2.getSrv()->getNeg()) return false; if (r2.getSrc()->getNeg()!=r2.getSrc()->getNeg()) return false; if (r2.getDst()->getNeg()!=r2.getDst()->getNeg()) return false; if (r2.getSrv()->getNeg()!=r2.getSrv()->getNeg()) return false; Address *src1=getFirstSrc(&r1); Address *dst1=getFirstDst(&r1); Service *srv1=getFirstSrv(&r1); Address *src2=getFirstSrc(&r2); Address *dst2=getFirstDst(&r2); Service *srv2=getFirstSrv(&r2); if (src1==NULL || dst1==NULL || srv1==NULL) throw FWException("Can not compare rules because rule " + r1.getLabel() + " has a group in one of its elements. Aborting."); if (src2==NULL || dst2==NULL || srv2==NULL) throw FWException("Can not compare rules because rule " + r2.getLabel() + " has a group in one of its elements. 
Aborting."); PolicyRule::Direction dir1=r1.getDirection(); PolicyRule::Direction dir2=r2.getDirection(); if (dir1==PolicyRule::Both) dir1=dir2; if (dir2==PolicyRule::Both) dir2=dir1; if (dir1!=dir2) return false; return ( (*src1 == *src2) && (*dst1 == *dst2) && (*srv1 == *srv2) ); } bool PolicyCompiler::InterfacePolicyRules::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElementItf *itfre = rule->getItf(); assert(itfre); if (itfre->isAny()) { // rule->setInterfaceId(-1); tmp_queue.push_back(rule); return true; } for (FWObject::iterator i=itfre->begin(); i!=itfre->end(); ++i) { FWObject *o = FWReference::getObject(*i); if (ObjectGroup::isA(o)) { // a group in "interface" rule element. GUI checks that only // interfaces are allowed in such group, but we should check anyway. for (FWObject::iterator i=o->begin(); i!=o->end(); ++i) { FWObject *o1 = FWReference::getObject(*i); if (!Interface::isA(o1)) { compiler->warning( "Object '" + o1->getName() + "', which is not an interface, is a member of the group '" + o->getName() + "' used in 'Interface' element of a rule."); continue; } PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementItf *nitf = r->getItf(); nitf->clearChildren(); nitf->setAnyElement(); nitf->addRef(o1); tmp_queue.push_back(r); } } else { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementItf *nitf = r->getItf(); nitf->clearChildren(); nitf->setAnyElement(); nitf->addRef(o); tmp_queue.push_back(r); } } return true; } bool PolicyCompiler::ExpandGroups::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElementSrc *src=rule->getSrc(); assert(src); RuleElementDst *dst=rule->getDst(); assert(dst); RuleElementSrv *srv=rule->getSrv(); assert(srv); compiler->expandGroupsInRuleElement(src); compiler->expandGroupsInRuleElement(dst); 
compiler->expandGroupsInRuleElement(srv); return true; } bool PolicyCompiler::expandGroupsInSrv::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElementSrv *srv = rule->getSrv(); compiler->expandGroupsInRuleElement(srv); tmp_queue.push_back(rule); return true; } bool PolicyCompiler::expandGroupsInItf::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElementItf *itf = rule->getItf(); compiler->expandGroupsInRuleElement(itf); tmp_queue.push_back(rule); return true; } bool PolicyCompiler::ExpandMultipleAddresses::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrc *src=rule->getSrc(); assert(src); RuleElementDst *dst=rule->getDst(); assert(dst); compiler->_expand_addr(rule, src, true); compiler->_expand_addr(rule, dst, true); tmp_queue.push_back(rule); return true; } void PolicyCompiler::addressRanges::expandAddressRangesInSrc(PolicyRule *rule) { RuleElementSrc *src = rule->getSrc(); assert(src); compiler->_expandAddressRanges(rule, src); } void PolicyCompiler::addressRanges::expandAddressRangesInDst(PolicyRule *rule) { RuleElementDst *dst = rule->getDst(); assert(dst); compiler->_expandAddressRanges(rule, dst); } bool PolicyCompiler::addressRanges::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; expandAddressRangesInSrc(rule); expandAddressRangesInDst(rule); tmp_queue.push_back(rule); return true; } Rule* PolicyCompiler::getDifference(PolicyRule &r1, PolicyRule &r2) { PolicyRule *r = new PolicyRule(); *r = r1; FWObject *nsrc = getFirstSrc(r); nsrc->clearChildren(); FWObject *ndst = getFirstDst(r); ndst->clearChildren(); Service *nsrv = getFirstSrv(r); nsrv->clearChildren(); RuleElementItf *intf_re = r1.getItf(); FWObject *rule1_iface = FWObjectReference::getObject(intf_re->front()); int iface1 = rule1_iface->getId(); intf_re = r2.getItf(); FWObject *rule2_iface = FWObjectReference::getObject(intf_re->front()); int iface2 = 
rule2_iface->getId(); if (iface1 != iface2) return r; /* vector v1=_substract_obj( r1.getSrc() , r2.getSrc() ); vector v2=_substract_obj( r1.getDst() , r2.getDst() ); vector v3=_substract_srv( r1.getSrv() , r2.getSrv() ); for (vector::iterator i=v1.begin(); i!=v1.end(); ++i) nsrc->addRef(*i); for (vector::iterator i=v2.begin(); i!=v2.end(); ++i) ndst->addRef(*i); for (vector::iterator i=v3.begin(); i!=v3.end(); ++i) nsrv->addRef(*i); */ return r; } list::iterator PolicyCompiler::find_more_specific_rule( PolicyRule *rule, bool check_interface, const list::iterator &start_here, const list::iterator &stop_here, PolicyRule **intersection) { list::iterator j; for (j=start_here ; j!=stop_here; j++) { PolicyRule *r = PolicyRule::cast( *j ); if (! check_interface || (rule->getStr("acl")==r->getStr("acl")) ) { try { if (! intersect( *rule, *r )) continue; if (debug>=9) { cerr << "********* getIntersection: ------------------\n"; cerr << debugPrintRule(rule); cerr << debugPrintRule(r); cerr << "----------------------------------------------\n"; } PolicyRule *ir=new PolicyRule(); /* need to place this rule into the tree somewhere so references will * get resolved */ temp_ruleset->add( ir ); /* copy attributes from the current rule we are looking at. Do not change * this part of the algorithm as pix compiler relies upon it. */ ir->duplicate(r); getIntersection(*rule , *r, *ir ); if (! ir->isEmpty()) { if (debug>=9) { cerr << debugPrintRule(ir); cerr << "------------------------------------------------\n"; } if (intersection!=NULL) *intersection=ir; return j; } } catch (FWException ex) { cerr << " *** Exception: " << ex.toString() << endl; } } } return j; } /* * checks if one of the children of RuleElement is a host, IPv4 or * network object with address 0.0.0.0 and netmask 0.0.0.0. * * Exceptions: * - object 'any' * - interface with dynamic address. * * In addition check for address A.B.C.D/0 which is most likely a * mistake if A.B.C.D != 0.0.0.0. 
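See #475 */
Address* PolicyCompiler::checkForZeroAddr::findZeroAddress(RuleElement *re)
{
    Address *a=NULL;
    for (FWObject::iterator i=re->begin(); i!=re->end(); i++)
    {
        FWObject *o = FWReference::getObject(*i);
        assert(o!=NULL);

        // Run-time MultiAddress objects are resolved on the firewall, so
        // there is no address to inspect at compile time.
        MultiAddress *maddr = MultiAddress::cast(o);
        if (maddr && maddr->isRunTime()) continue;

        Address *addr = Address::cast(o);
        // o!=NULL is kept for builds with assert() compiled out.
        if (addr==NULL && o!=NULL)
            compiler->warning(
                re->getParent(),
                string("findZeroAddress: Unknown object in rule element: ") +
                o->getName() + " type=" + o->getTypeName());

        if (addr && addr->hasInetAddress())
        {
            // Interfaces whose address is unknown at compile time
            // (dynamic, unnumbered, bridge port) legitimately carry 0.0.0.0.
            if (Interface::cast(o)!=NULL &&
                (Interface::cast(o)->isDyn() ||
                 Interface::cast(o)->isUnnumbered() ||
                 Interface::cast(o)->isBridgePort())) continue;

            if ( ! addr->isAny())
            {
                const InetAddr *ad = addr->getAddressPtr();
                const InetAddr *nm = addr->getNetmaskPtr();

                // AddressRange has address but not netmask
                // AddressRange with address 0.0.0.0 is acceptable
                // (not equivalent to "any")
                if (ad->isAny() && nm!=NULL && nm->isAny())
                {
                    a = addr;
                    break;
                }

                // Address A.B.C.D/0 is most likely a mistake if
                // A.B.C.D != 0.0.0.0
                if ((Network::cast(addr) || NetworkIPv6::cast(addr)) &&
                    !ad->isAny() && nm!=NULL && nm->isAny())
                {
                    a = addr;
                    break;
                }
            }
        }
    }
    return a;
}

/*
 * Returns the first Host object in 're' that has children but none of
 * them is an Interface, NULL otherwise.
 */
Address* PolicyCompiler::checkForZeroAddr::findHostWithNoInterfaces(
    RuleElement *re)
{
    for (FWObject::iterator i=re->begin(); i!=re->end(); i++)
    {
        FWObject *o = FWReference::getObject(*i);
        assert(o!=NULL);
        Host *addr = Host::cast(o);
        // Check empty() before front(): front() on an empty child list is
        // undefined. NOTE(review): as in the original, a Host with no
        // children at all is skipped here rather than reported; confirm
        // such hosts can not reach this processor.
        if (addr!=NULL && !addr->empty() && addr->front()!=NULL)
        {
            FWObject::iterator it;
            it=addr->begin();
            while (it!=addr->end() && !Interface::isA(*it)) ++it;
            if (it==addr->end()) return addr;  // has no interfaces
        }
    }
    return NULL;
}

/*
 * looks for objects with address 0.0.0.0 and aborts compilation if
 * finds such object.
 *
 * Security note: an object whose address or netmask is 0.0.0.0 matches
 * every packet, so a rule that names it would silently become an "any"
 * rule. Compilation is aborted instead of emitting that rule.
 */
bool PolicyCompiler::checkForZeroAddr::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    Address *a=NULL;

    a = findHostWithNoInterfaces( rule->getSrc() );
    if (a==NULL) a = findHostWithNoInterfaces( rule->getDst() );
    if (a!=NULL)
        compiler->abort(
            rule,
            "Object '"+a->getName()+
            "' has no interfaces, therefore it does not have "
            "address and can not be used in the rule.");

    a = findZeroAddress( rule->getSrc() );
    if (a==NULL) a = findZeroAddress( rule->getDst() );
    if (a!=NULL)
    {
        string err="Object '"+a->getName()+"'";
        // For an address that belongs to an interface, name the interface
        // in the message so the user can find it.
        if (IPv4::cast(a)!=NULL) // || IPv6::cast(a)!=NULL
        {
            FWObject *p=a->getParent();
            Interface *iface = Interface::cast(p);
            if (iface!=NULL)
            {
                err+=" (an address of interface ";
                if (iface->getLabel()!="") err+=iface->getLabel();
                else                       err+=iface->getName();
                err+=" )";
            }
        }
        err += " has address or netmask 0.0.0.0, which is equivalent to 'any'. "
            "This is likely an error.";
        compiler->abort(rule, err);
    }

    tmp_queue.push_back(rule);
    return true;
}

/*
 * Abort if Src or Dst refers to an unnumbered interface (it has no
 * address to match on).
 */
bool PolicyCompiler::checkForUnnumbered::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    if ( compiler->catchUnnumberedIfaceInRE( rule->getSrc() ) ||
         compiler->catchUnnumberedIfaceInRE( rule->getDst() ) )
        compiler->abort(
            rule, "Can not use unnumbered interfaces in rules.");

    tmp_queue.push_back(rule);
    return true;
}

/*
 * Replace the rule with one copy per (Src object, Dst object) pair. Each
 * copy is a duplicate registered in temp_ruleset with a single object in
 * Src and in Dst; Srv is left untouched. The original rule is not passed
 * on, so an empty Src or Dst yields no rules at all (presumably earlier
 * processors guarantee both are non-empty).
 */
bool PolicyCompiler::ConvertToAtomicForAddresses::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    RuleElementSrc *src=rule->getSrc();    assert(src);
    RuleElementDst *dst=rule->getDst();    assert(dst);

    for (FWObject::iterator i1=src->begin(); i1!=src->end(); ++i1)
    {
        for (FWObject::iterator i2=dst->begin(); i2!=dst->end(); ++i2)
        {
            PolicyRule *r = compiler->dbcopy->createPolicyRule();
            r->duplicate(rule);
            compiler->temp_ruleset->add(r);

            FWObject *s;
            s=r->getSrc();  assert(s);
            s->clearChildren();
            s->addCopyOf( *i1 );

            s=r->getDst();  assert(s);
            s->clearChildren();
            s->addCopyOf( *i2 );

            tmp_queue.push_back(r);
        }
    }
    return true;
}

/*
 * Split the rule so that each copy has exactly one Interval object in
 * its "When" element; rules with no time restriction pass through as is.
 */
bool PolicyCompiler::ConvertToAtomicForIntervals::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    RuleElementInterval *ivl=rule->getWhen();
    if (ivl==NULL || ivl->isAny())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    for (FWObject::iterator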
i1=ivl->begin(); i1!=ivl->end(); ++i1)
    {
        PolicyRule *r = compiler->dbcopy->createPolicyRule();
        r->duplicate(rule);
        compiler->temp_ruleset->add(r);

        FWObject *s;
        s=r->getWhen();  assert(s);
        s->clearChildren();
        s->addCopyOf( *i1 );

        tmp_queue.push_back(r);
    }
    return true;
}

namespace {
    // Leave rule element 're' with exactly one child: a copy of 'obj'.
    void putSingleCopy(FWObject *re, FWObject *obj)
    {
        assert(re);
        re->clearChildren();
        re->addCopyOf(obj);
    }
}

/*
 * Expand the rule into the cartesian product Src x Dst x Srv. Every
 * atomic copy is a duplicate of 'rule' registered in temp_ruleset, with
 * a single object in each of the three elements. The original rule is
 * not passed on; an empty Src, Dst or Srv therefore yields nothing.
 */
bool PolicyCompiler::ConvertToAtomic::processNext()
{
    PolicyRule *rule=getNext();
    if (rule==NULL) return false;

    RuleElementSrc *src=rule->getSrc();  assert(src);
    RuleElementDst *dst=rule->getDst();  assert(dst);
    RuleElementSrv *srv=rule->getSrv();  assert(srv);

    FWObject::iterator src_it, dst_it, srv_it;
    for (src_it=src->begin(); src_it!=src->end(); ++src_it)
        for (dst_it=dst->begin(); dst_it!=dst->end(); ++dst_it)
            for (srv_it=srv->begin(); srv_it!=srv->end(); ++srv_it)
            {
                PolicyRule *atomic = compiler->dbcopy->createPolicyRule();
                atomic->duplicate(rule);
                compiler->temp_ruleset->add(atomic);

                putSingleCopy(atomic->getSrc(), *src_it);
                putSingleCopy(atomic->getDst(), *dst_it);
                putSingleCopy(atomic->getSrv(), *srv_it);

                tmp_queue.push_back(atomic);
            }
    return true;
}

/*
 * Hook for platform-specific compilers. The generic compiler knows no
 * platform options, so every pair of rules passes.
 */
bool PolicyCompiler::checkForShadowingPlatformSpecific(PolicyRule * /*UNUSED r1 */,
                                                       PolicyRule * /*UNUSED r2 */)
{
    return true;
}

/*
 * Scan [start_here, stop_here) for a rule that shadows 'rule' (or, with
 * reverse=true, that is shadowed by 'rule'). Returns stop_here when none
 * is found.
 */
std::deque<Rule*>::iterator PolicyCompiler::findMoreGeneralRule::find_more_general_rule(
    PolicyRule *rule,
    bool check_interface,
    const std::deque<Rule*>::iterator &start_here,
    const std::deque<Rule*>::iterator &stop_here,
    bool reverse)
{
    PolicyCompiler *pcomp=dynamic_cast<PolicyCompiler*>(compiler);

    if (compiler->debug>=9)
    {
        cerr << "********* searching for more general rule: -------------\n";
        cerr << compiler->debugPrintRule(rule);
        cerr << endl;
    }

    std::deque<Rule*>::iterator j;
    for (j=start_here ; j!=stop_here; j++)
    {
        PolicyRule *r = PolicyRule::cast( *j );

        bool intf_cr = false;
        if (reverse) intf_cr = pcomp->checkInterfacesForShadowing( *r , *rule );
        else         intf_cr = pcomp->checkInterfacesForShadowing( *rule , *r );

        if (!
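check_interface || intf_cr)
        {
            bool cr = false;
            if (reverse) cr = pcomp->checkForShadowing( *r , *rule );
            else         cr = pcomp->checkForShadowing( *rule , *r );

            if ( cr && pcomp->checkForShadowingPlatformSpecific(rule, r))
            {
                if (compiler->debug>=9)
                {
                    cerr << r->getLabel() << ": FOUND more general rule:\n";
                    cerr << compiler->debugPrintRule(r);
                    cerr << endl;
                }
                return j;
            }
            else
            {
                if (compiler->debug>=9)
                    cerr << r->getLabel() << ": rules do not intersect \n";
                continue;
            }
        }
    }
    return j;
}

/*
 * Abort compilation if an earlier rule (same interface/ACL) matches a
 * superset of this rule's traffic: the later rule would never be hit.
 * This matters for security because the dead rule is often a deny that
 * an earlier, broader accept silently disables. Identical rules
 * (*r == *rule) and self-comparison are tolerated; fallback and hidden
 * rules are passed through unchecked.
 */
bool PolicyCompiler::DetectShadowing::processNext()
{
    PolicyRule *rule;
    rule=getNext(); if (rule==NULL) return false;

    tmp_queue.push_back(rule);   // to pass it to the next processor, if any

    if (rule->isFallback()) return true;   // do not check fallback ..
    if (rule->isHidden())   return true;   // ... and hidden rules

    std::deque<Rule*>::iterator i =
        find_more_general_rule(rule,
                               true,
                               rules_seen_so_far.begin(),
                               rules_seen_so_far.end(),
                               false);
    if (i!=rules_seen_so_far.end())
    {
        Rule *r = *i;
        /*
         * find_more_general finds more general _or_ equivalent rule
         */
        if (r && r->getAbsRuleNumber() != rule->getAbsRuleNumber() &&
            ! (*r == *rule) )
        {
            compiler->abort(
                r,
                "Rule '" + r->getLabel() + "' shadows rule '" +
                rule->getLabel() + "' below it");
        }
    }
    rules_seen_so_far.push_back(rule);
    return true;
}

/*
 * Same check for non-terminating rules, with the comparison reversed:
 * abort if this rule is broader than an earlier rule, i.e. it would
 * shadow the rule *above* it.
 */
bool PolicyCompiler::DetectShadowingForNonTerminatingRules::processNext()
{
    PolicyRule *rule;
    rule=getNext(); if (rule==NULL) return false;

    tmp_queue.push_back(rule);   // to pass it to the next processor, if any

    if (rule->isFallback()) return true;   // do not check fallback ..
    if (rule->isHidden())   return true;   // ... and hidden rules

    std::deque<Rule*>::iterator i =
        find_more_general_rule(rule,
                               true,
                               rules_seen_so_far.begin(),
                               rules_seen_so_far.end(),
                               true);   // <<<<<<< NB!
    if (i!=rules_seen_so_far.end())
    {
        Rule *r = *i;
        /*
         * find_more_general finds more general _or_ equivalent rule
         */
        if (r && r->getAbsRuleNumber() != rule->getAbsRuleNumber() &&
            ! (*r == *rule) )
        {
            compiler->abort(
                rule,
                "Non-terminating rule '" + rule->getLabel() +
                "' shadows rule '" + r->getLabel() + "' above it");
        }
    }
    rules_seen_so_far.push_back(rule);
    return true;
}

/*
 * Remove every physAddress object from 're'. Returns false when at least
 * one was removed (the caller warns/aborts), true when nothing changed.
 * Objects are collected first and removed afterwards so the element is
 * not modified while being iterated.
 */
bool PolicyCompiler::MACFiltering::checkRuleElement(RuleElement *re)
{
    bool res=true;
    std::list<FWObject*> lst;
    for (FWObject::iterator i=re->begin(); i!=re->end(); i++)
    {
        FWObject *o = FWReference::getObject(*i);
        if (physAddress::isA(o))
        {
            lst.push_back(o);
            res=false;
        }
    }
    for (FWObject::iterator i1=lst.begin(); i1!=lst.end(); i1++)
        re->removeRef(*i1);
    return res;
}

/*
 * Strip MAC addresses from Src and Dst on platforms that can not match
 * them, warning once per rule label. Compilation is aborted when the
 * element would be left empty/'any', since that would widen the rule
 * to all traffic.
 *
 * NOTE(review): only the empty/'any' case is caught. If a negated
 * element loses a MAC object the excluded set shrinks, i.e. the rule
 * matches more; confirm negated elements can not reach this processor.
 */
bool PolicyCompiler::MACFiltering::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;

    tmp_queue.push_back(rule);

    RuleElement *src=rule->getSrc();
    RuleElement *dst=rule->getDst();

    string lbl=rule->getLabel();

    if ( ! checkRuleElement(src) )
    {
        if (last_rule_lbl!=lbl)
            compiler->warning(
                rule,
                "MAC address matching is not supported. "
                "One or several MAC addresses removed from source in the rule");
        if (src->empty() || src->isAny())
            compiler->abort(
                rule,
                "Source becomes 'Any' after all MAC addresses "
                "have been removed in the rule");
        last_rule_lbl=lbl;
    }

    if ( ! checkRuleElement(dst) )
    {
        if (last_rule_lbl!=lbl)
            compiler->warning(
                rule,
                "MAC address matching is not supported. "
                "One or several MAC addresses removed from destination in the rule");
        if (dst->empty() || dst->isAny())
            compiler->abort(
                rule,
                "Destination becomes 'Any' after all MAC addresses "
                "have been removed in the rule ");
        last_rule_lbl=lbl;
    }

    return true;
}

/*
 * Render a rule as a fixed-width table for debug output: one row per
 * position in the Src/Dst/Srv/Itf elements, with label, action,
 * direction and LOG flag on the first row only. Negated elements are
 * prefixed with '!'. Returns an empty string for a non-policy rule.
 */
string PolicyCompiler::debugPrintRule(Rule *r)
{
    PolicyRule *rule=PolicyRule::cast(r);
    // cast() yields NULL for anything that is not a PolicyRule.
    if (rule==NULL) return "";

//    FWOptions *ruleopt =rule->getOptionsObject();
    RuleElementSrc *srcrel = rule->getSrc();
    RuleElementDst *dstrel = rule->getDst();
    RuleElementSrv *srvrel = rule->getSrv();
    RuleElementItf *itfrel = rule->getItf();

//    int iface_id = rule->getInterfaceId();
//    Interface *rule_iface = Interface::cast(dbcopy->findInIndex(iface_id));

    ostringstream str;
//    str << setw(70) << setfill('-') << "-";

    int no=0;
    FWObject::iterator i1=srcrel->begin();
    FWObject::iterator i2=dstrel->begin();
    FWObject::iterator i3=srvrel->begin();
    FWObject::iterator i4=itfrel->begin();
    while ( i1!=srcrel->end() || i2!=dstrel->end() ||
            i3!=srvrel->end() || i4!=itfrel->end())
    {
        str << endl;
        string src=" ";
        string dst=" ";
        string srv=" ";
        string itf=" ";
        int src_id = -1;
        int dst_id = -1;
        int srv_id = -1;

        if (srcrel->getNeg()) src = "!";
        if (dstrel->getNeg()) dst = "!";
        if (srvrel->getNeg()) srv = "!";
        if (itfrel->getNeg()) itf = "!";

        if (i1!=srcrel->end())
        {
            FWObject *o = FWReference::getObject(*i1);
            src += o->getName();
            src_id = o->getId();
        }
        if (i2!=dstrel->end())
        {
            FWObject *o = FWReference::getObject(*i2);
            dst += o->getName();
            dst_id = o->getId();
        }
        if (i3!=srvrel->end())
        {
            FWObject *o = FWReference::getObject(*i3);
            srv += o->getName();
            srv_id = o->getId();
        }
        if (i4!=itfrel->end())
        {
            // Separate stream: the original shadowed the outer 'str' here.
            ostringstream itf_str;
            FWObject *o = FWReference::getObject(*i4);
            itf_str << o->getName() << "(" << o->getId() << ")";
            itf += itf_str.str();
        }

        int w = 0;
        if (no==0)
        {
            str << rule->getLabel();
            w = rule->getLabel().length();
        }
        str << setw(10-w) << setfill(' ') << " ";
        str << setw(18) << setfill(' ') << src.c_str() << "(" << src_id << ")";
        str << setw(18) << setfill(' ') << dst.c_str() << "(" << dst_id << ")";
        str << setw(12) << setfill(' ') << srv.c_str() << "(" << srv_id << ")";
        str << setw(8)  << setfill(' ') << itf.c_str();
        if (no==0)
        {
            str << setw(9)  << setfill(' ') << rule->getActionAsString().c_str();
            str << setw(12) << setfill(' ') << rule->getDirectionAsString().c_str();
            if (rule->getLogging()) str << " LOG";
        } else
            str << setw(18) << setfill(' ') << " ";

        ++no;
        if ( i1!=srcrel->end() ) ++i1;
        if ( i2!=dstrel->end() ) ++i2;
        if ( i3!=srvrel->end() ) ++i3;
        if ( i4!=itfrel->end() ) ++i4;
    }
    return str.str();
}
fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/PolicyCompiler.h000066400000000000000000000454011303637203600250220ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.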
To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef __POLICY_COMPILER_HH__
#define __POLICY_COMPILER_HH__

#include "fwcompiler/Compiler.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
// NOTE(review): the system header name on the next line was lost in extraction.
#include

namespace fwcompiler {

    /* Declares a PolicyRuleProcessor subclass with only processNext();
     * the body is defined in PolicyCompiler.cpp. */
#define DECLARE_POLICY_RULE_PROCESSOR(_Name) \
    friend class _Name; \
    class _Name : public PolicyRuleProcessor { \
        public: \
        _Name(const std::string &n) : \
            PolicyRuleProcessor(n) {}; \
        virtual ~_Name() {}; \
        virtual bool processNext(); \
    };

    /*
     * Platform-independent part of the policy rule set compiler: the
     * generic rule processors (group expansion, conversion to atomic
     * rules, sanity checks, shadowing detection) that platform compilers
     * chain together.
     */
    class PolicyCompiler : public Compiler {

        protected:

        /**
         * this method scans source_ruleset looking for atomic rule
         * which yields non-empty intersection with atomic rule r.
         *
         * it can start scan either from the beginning of source_ruleset,
         * or from iterator 'start_here'
         *
         * it returns iterator pointing at rule it has found (so we
         * can continue search later); stop_here when none was found
         *
         * if parameter 'intersection' is not NULL, it is assumed to
         * be a pointer to a pointer at the object of class Rule. It
         * is used to return a pointer at intersection of rule 'rule'
         * and rule this function had found
         */
        std::list<libfwbuilder::FWObject*>::iterator find_more_specific_rule(
            libfwbuilder::PolicyRule *r,
            bool check_interface,
            const std::list<libfwbuilder::FWObject*>::iterator &start_here,
            const std::list<libfwbuilder::FWObject*>::iterator &stop_here,
            libfwbuilder::PolicyRule **intersection=NULL);

        public:

        PolicyCompiler(libfwbuilder::FWObjectDatabase *_db,
                       libfwbuilder::Firewall *fw,
                       bool ipv6_policy,
                       fwcompiler::OSConfigurator *_oscnf) :
            Compiler(_db, fw, ipv6_policy, _oscnf) {}

        /**
         * prints rule in some universal format (close to that visible
         * to user in the GUI). Used for debugging purposes
         */
        virtual std::string debugPrintRule(libfwbuilder::Rule *rule);

        /**
         * this method subtracts atomic rule r2 from atomic rule r1.
         * Resulting rule may have multiple objects in src,dst or srv,
         * so converting to atomic may be necessary. If rules can not
         * be compared, then it throws an exception. If resultant rule
         * is empty, method returns rule with empty src,dst,srv
         *
         * NOT IMPLEMENTED YET
         */
        libfwbuilder::Rule* getDifference(libfwbuilder::PolicyRule &r1,
                                          libfwbuilder::PolicyRule &r2);

        /**
         * detects if rule r2 shadows rule r1
         * returns:
         *
         * true if r2 shadows r1
         */
        bool checkForShadowing(libfwbuilder::PolicyRule &r1,
                               libfwbuilder::PolicyRule &r2);

        /**
         * virtual method to let policy compiler check rules using
         * options specific for the given fw platform. Base class
         * PolicyCompiler has no visibility into platform-specific
         * options and can not do this (it always returns true).
         */
        virtual bool checkForShadowingPlatformSpecific(libfwbuilder::PolicyRule *r1,
                                                       libfwbuilder::PolicyRule *r2);

        /**
         * compare interfaces of rules r1 and r2.
         *
         * Return true if r2 shadows r1 (only interface rule element
         * is checked)
         *
         * If interface element is "all" (empty), it shadows any
         * specific interface in the other rule, also "all" shadows
         * "all". If neither is "all", return true if both rules refer
         * the same interface, otherwise return false.
         */
        bool checkInterfacesForShadowing(libfwbuilder::PolicyRule &r1,
                                         libfwbuilder::PolicyRule &r2);

        /**
         * detects if rules r1 and r2 are identical (that is, have the
         * same effect, rather than use the same objects)
         *
         * returns:
         *
         * true if r1 is identical to r2
         */
        bool cmpRules(libfwbuilder::PolicyRule &r1,
                      libfwbuilder::PolicyRule &r2);

        /**
         * this processor checks if the rule is associated with an
         * interface and uses setInterfaceId to record its id. If the
         * rule is associated with multiple interfaces, this processor
         * splits the rule accordingly.
         */
        DECLARE_POLICY_RULE_PROCESSOR(InterfacePolicyRules);

        /**
         * this class expands groups in src,dst,srv. It creates
         * references to new objects "in place" (that is, it does not
         * create new rules but rather uses rule elements of the old
         * ones)
         */
        DECLARE_POLICY_RULE_PROCESSOR(ExpandGroups);

        /**
         * expand groups in Srv
         */
        DECLARE_POLICY_RULE_PROCESSOR(expandGroupsInSrv);

        /**
         * expand groups in Interface rule element
         */
        DECLARE_POLICY_RULE_PROCESSOR(expandGroupsInItf);

        /**
         * these inspectors replace references to hosts and firewalls
         * in src (resp. dst) with references to their interfaces
         */
        class ExpandMultipleAddressesInSrc : public Compiler::expandMultipleAddressesInRE
        {
            public:
            ExpandMultipleAddressesInSrc(const std::string &n) :
                expandMultipleAddressesInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {}
        };

        class ExpandMultipleAddressesInDst : public Compiler::expandMultipleAddressesInRE
        {
            public:
            ExpandMultipleAddressesInDst(const std::string &n) :
                expandMultipleAddressesInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {}
        };

        class ReplaceFirewallObjectWithSelfInSrc : public Compiler::ReplaceFirewallObjectWithSelfInRE
        {
            public:
            ReplaceFirewallObjectWithSelfInSrc(const std::string &n) :
                ReplaceFirewallObjectWithSelfInRE(
                    n, libfwbuilder::RuleElementSrc::TYPENAME) {}
        };

        class ReplaceFirewallObjectWithSelfInDst : public Compiler::ReplaceFirewallObjectWithSelfInRE
        {
            public:
            ReplaceFirewallObjectWithSelfInDst(const std::string &n) :
                ReplaceFirewallObjectWithSelfInRE(
                    n, libfwbuilder::RuleElementDst::TYPENAME) {}
        };

        /**
         * single object negation in Src
         */
        class singleObjectNegationSrc : public singleObjectNegation
        {
            public:
            singleObjectNegationSrc(const std::string &n):
                singleObjectNegation(n, libfwbuilder::RuleElementSrc::TYPENAME) {}
        };

        /**
         * single object negation in Dst
         */
        class singleObjectNegationDst : public Compiler::singleObjectNegation
        {
            public:
            singleObjectNegationDst(const std::string &n):
                singleObjectNegation(n, libfwbuilder::RuleElementDst::TYPENAME) {}
        };

        /**
         * single object negation in Itf
         */
        class singleObjectNegationItf : public Compiler::singleObjectNegation
        {
            public:
            singleObjectNegationItf(const std::string &n):
                singleObjectNegation(n, libfwbuilder::RuleElementItf::TYPENAME) {}
        };

        /**
         * processes rules with negation in Itf.
         * Compiler::fullInterfaceNegationInRE replaces interface object
         * with a set of "other" interfaces of the firewall.
         */
        class ItfNegation : public Compiler::fullInterfaceNegationInRE
        {
            public:
            ItfNegation(const std::string &name) :
                fullInterfaceNegationInRE(
                    name, libfwbuilder::RuleElementItf::TYPENAME) {}
        };

        /**
         * replace cluster interface objects with interfaces of the member
         * firewall in the Interface rule element
         */
        class replaceClusterInterfaceInItf : public Compiler::replaceClusterInterfaceInItfRE
        {
            public:
            replaceClusterInterfaceInItf(const std::string &name) :
                replaceClusterInterfaceInItfRE(
                    name, libfwbuilder::RuleElementItf::TYPENAME) {}
        };

        /**
         * this inspector replaces references to hosts and firewalls
         * in src or dst with references to their interfaces
         *
         * TODO: move to class Compiler because this might be useful
         * for both PolicyCompiler and NATCompiler
         */
        DECLARE_POLICY_RULE_PROCESSOR(ExpandMultipleAddresses);

        /**
         * this processor splits rule element if src or dst contains
         * address range
         */
        class addressRanges : public PolicyRuleProcessor
        {
            protected:
            void expandAddressRangesInSrc(libfwbuilder::PolicyRule *rule);
            void expandAddressRangesInDst(libfwbuilder::PolicyRule *rule);
            public:
            addressRanges(const std::string &name) : PolicyRuleProcessor(name) {}
            virtual bool processNext();
        };

        /**
         * checks for unnumbered interface in rule elements (one can
         * not use unnumbered interfaces in rules). Call after
         * ExpandMultipleAddresses. Aborts compilation when found.
         */
        class checkForUnnumbered : public PolicyRuleProcessor
        {
            public:
            checkForUnnumbered(const std::string &n) : PolicyRuleProcessor(n) {}
            virtual bool processNext();
        };

        /**
         * this processor converts to atomic rules using all combinations
         * of objects in Src,Dst. It ignores Srv.
         */
        DECLARE_POLICY_RULE_PROCESSOR(ConvertToAtomicForAddresses);

        /**
         * this processor splits rule so that each atomic rule has
         * exactly one Interval rule element
         */
        DECLARE_POLICY_RULE_PROCESSOR(ConvertToAtomicForIntervals);

        /**
         * this processor converts to atomic rules (one object in each
         * of Src, Dst and Srv)
         */
        DECLARE_POLICY_RULE_PROCESSOR(ConvertToAtomic);

        /**
         * deals with recursive groups in Src. See description for
         * Compiler::recursiveGroupsInRE
         */
        class recursiveGroupsInSrc : public Compiler::recursiveGroupsInRE
        {
            public:
            recursiveGroupsInSrc(const std::string &n) :
                recursiveGroupsInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {}
        };

        /**
         * deals with recursive groups in Dst. See description for
         * Compiler::recursiveGroupsInRE
         */
        class recursiveGroupsInDst : public Compiler::recursiveGroupsInRE
        {
            public:
            recursiveGroupsInDst(const std::string &n) :
                recursiveGroupsInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {}
        };

        /**
         * deals with recursive groups in Srv. See description for
         * Compiler::recursiveGroupsInRE
         */
        class recursiveGroupsInSrv : public Compiler::recursiveGroupsInRE
        {
            public:
            recursiveGroupsIn$rv(const std::string &n) :
                recursiveGroupsInRE(n,libfwbuilder::RuleElementSrv::TYPENAME) {}
        };

        /**
         * deals with empty groups in Src. See description for
         * Compiler::emptyGroupsInRE
         */
        class emptyGroupsInSrc : public Compiler::emptyGroupsInRE
        {
            public:
            emptyGroupsInSrc(const std::string &n) :
                emptyGroupsInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {}
        };

        /**
         * deals with empty groups in Dst. See description for
         * Compiler::emptyGroupsInRE
         */
        class emptyGroupsInDst : public Compiler::emptyGroupsInRE
        {
            public:
            emptyGroupsInDst(const std::string &n) :
                emptyGroupsInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {}
        };

        /**
         * deals with empty groups in Srv. See description for
         * Compiler::emptyGroupsInRE
         */
        class emptyGroupsInSrv : public Compiler::emptyGroupsInRE
        {
            public:
            emptyGroupsInSrv(const std::string &n) :
                emptyGroupsInRE(n,libfwbuilder::RuleElementSrv::TYPENAME) {}
        };

        /**
         * deals with empty groups in Itf. See description for
         * Compiler::emptyGroupsInRE
         */
        class emptyGroupsInItf : public Compiler::emptyGroupsInRE
        {
            public:
            emptyGroupsInItf(const std::string &n) :
                emptyGroupsInRE(n,libfwbuilder::RuleElementItf::TYPENAME) {}
        };

        /**
         * checks for host and network objects with address 0.0.0.0
         * (equivalent to 'any') and for hosts without interfaces;
         * aborts compilation when one is used in Src or Dst
         */
        class checkForZeroAddr : public PolicyRuleProcessor
        {
            libfwbuilder::Address *findHostWithNoInterfaces(libfwbuilder::RuleElement *re);
            libfwbuilder::Address *findZeroAddress(libfwbuilder::RuleElement *re);
            public:
            checkForZeroAddr(const std::string &n) : PolicyRuleProcessor(n) {}
            virtual bool processNext();
        };

        /**
         * this is a base class for the family of rule processors that
         * need to be able to find more general rule
         */
        class findMoreGeneralRule : public PolicyRuleProcessor
        {
            protected:
            /**
             * this method scans tmp_queue looking for atomic rule
             * which is more general than atomic rule 'r'.
             *
             * it can start scan at position defined by iterator
             * start_here and ends it at the position given by
             * iterator stop_here
             *
             * it returns iterator pointing at the rule it has found (so we
             * can continue search later); stop_here when none was found.
             * With reverse=true the comparison is inverted: it looks for
             * a rule that 'r' is more general than.
             */
            std::deque<libfwbuilder::Rule*>::iterator find_more_general_rule(
                libfwbuilder::PolicyRule *r,
                bool check_interface,
                const std::deque<libfwbuilder::Rule*>::iterator &start_here,
                const std::deque<libfwbuilder::Rule*>::iterator &stop_here,
                bool reverse=false);
            public:
            findMoreGeneralRule(const std::string &n) : PolicyRuleProcessor(n) {}
        };

        /**
         * this inspector scans rules and detects those which "shade"
         * other rules below them; compilation is aborted because the
         * shadowed rule could never match
         */
        class DetectShadowing : public findMoreGeneralRule
        {
            std::deque<libfwbuilder::Rule*> rules_seen_so_far;
            public:
            DetectShadowing(const std::string &n) : findMoreGeneralRule(n) {}
            virtual bool processNext();
        };

        /**
         * this inspector scans rules and detects those which "shade"
         * other rules above them. Use for non-terminating rules.
         */
        class DetectShadowingForNonTerminatingRules : public findMoreGeneralRule
        {
            std::deque<libfwbuilder::Rule*> rules_seen_so_far;
            public:
            DetectShadowingForNonTerminatingRules(const std::string &n) : findMoreGeneralRule(n) {}
            virtual bool processNext();
        };

        /**
         * splits rule if one of the objects in Src is firewall
         * itself or a broadcast address for one of its interfaces or
         * multicast (multicast support is not implemented yet). This
         * is needed to properly choose direction and chain
         * later. Src may have multiple objects when this processor
         * is called. For firewall the iptables code compiler
         * generates should go into OUTPUT chain, while for all other
         * objects it should go into FORWARD chain. That is why we
         * need to split the rule and place firewall object in the
         * src of the rule of its own.
         */
        class splitIfSrcMatchesFw : public Compiler::splitIfRuleElementMatchesFW
        {
            public:
            splitIfSrcMatchesFw (const std::string &n) :
                splitIfRuleElementMatchesFW(n,libfwbuilder::RuleElementSrc::TYPENAME) {}
        };

        /**
         * splits rule if one of the objects in Dst is firewall
         * itself. This is needed to properly choose direction and
         * chain later. See comment in splitIfInputChainObjectSrc.
         */
        class splitIfDstMatchesFw : public Compiler::splitIfRuleElementMatchesFW
        {
            public:
            splitIfDstMatchesFw (const std::string &n) :
                splitIfRuleElementMatchesFW(n,libfwbuilder::RuleElementDst::TYPENAME) {}
        };

        /**
         * many firewall platforms do not support filtering by MAC
         * addresses. Issue warning if MAC address is used in the rule
         * and remove it from the rule element. Aborts if the element
         * would become empty ('any') as a result.
         *
         * Call this processor after ExpandMultipleAddresses.
         */
        class MACFiltering : public PolicyRuleProcessor
        {
            protected:
            // label of the last rule a warning was issued for; used to
            // warn only once per rule
            std::string last_rule_lbl;

            /* return value:
             *   true  - ok
             *   false - one or more MAC addresses have been removed, issue warning
             */
            bool checkRuleElement(libfwbuilder::RuleElement *re);

            public:
            MACFiltering(const std::string &n) : PolicyRuleProcessor(n) {}
            virtual bool processNext();
        };

        /**
         * rule processors that replace MultiAddress objects with MultiAddressRunTime
         * equivalents
         */
        class swapMultiAddressObjectsInSrc : public Compiler::swapMultiAddressObjectsInRE
        {
            public:
            swapMultiAddressObjectsInSrc(const std::string &n) :
                swapMultiAddressObjectsInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {}
        };

        class swapMultiAddressObjectsInDst : public Compiler::swapMultiAddressObjectsInRE
        {
            public:
            swapMultiAddressObjectsInDst(const std::string &n) :
                swapMultiAddressObjectsInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {}
        };

        class RegisterGroupsAndTablesInSrc : public RegisterGroupsAndTablesInRE
        {
            public:
            RegisterGroupsAndTablesInSrc(const std::string &n) :
                RegisterGroupsAndTablesInRE(n, libfwbuilder::RuleElementSrc::TYPENAME) {}
        };

        class RegisterGroupsAndTablesInDst : public RegisterGroupsAndTablesInRE
        {
            public:
            RegisterGroupsAndTablesInDst(const std::string &n) :
                RegisterGroupsAndTablesInRE(n, libfwbuilder::RuleElementDst::TYPENAME) {}
        };

        virtual int prolog();
    };

};

#endif
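fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/Preprocessor.cpp000066400000000000000000000106371303637203600251140ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2006 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "Preprocessor.h"

#include "fwbuilder/MultiAddress.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/ObjectGroup.h"
#include "fwbuilder/ServiceGroup.h"
#include "fwbuilder/RuleSet.h"

// NOTE(review): the names of the two system headers below were lost in extraction.
#include
#include

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

// Generation counter. compile() increments it and the traversal stamps
// every visited object with the current value (".recursion_breaker",
// ".loaded"), so stamps left by a previous compile() run do not suppress
// work in the next one.
static int infinite_recursion_breaker = 0;

string Preprocessor::myPlatformName() { return "generic_preprocessor"; }

Preprocessor::~Preprocessor()
{
    // dbcopy points at the caller's database, not a private copy;
    // presumably cleared so the base class does not dispose of it.
    dbcopy = NULL;
}

Preprocessor::Preprocessor(FWObjectDatabase *_db, Firewall *_fw, bool ipv6_policy) :
    Compiler(NULL, _fw, ipv6_policy)
{
    // This is the main difference between Preprocessor and other
    // compilers. All compilers create a copy of the whole database
    // and work with it, but Preprocessor works with the original
    // database. Therefore it copies only pointer here.
    dbcopy = _db;
    fw_id = _fw->getId();
    fwopt = _fw->getOptionsObject();
    // NOTE(review): the string/int id round trip is presumably an
    // identity; 'fw' ends up as _fw's entry in the original database.
    string fw_str_id = FWObjectDatabase::getStringId(_fw->getId());
    fw = Firewall::cast(
        dbcopy->findInIndex(FWObjectDatabase::getIntId(fw_str_id)));
}

/*
 * Resolve a compile-time MultiAddress object (per compile(): DNSName or
 * AddressTable) into concrete addresses. Other objects are ignored.
 *
 * Security note: the addresses loaded here are baked into the generated
 * firewall policy, so the compile host's DNS answers / address-table
 * files are trusted input; compile on a trusted host.
 */
void Preprocessor::convertObject(FWObject *obj)
{
    MultiAddress *adt = MultiAddress::cast(obj);
    if (adt!=NULL && adt->isCompileTime())
    {
        adt->loadFromSource(ipv6, getCachedFwOpt(), inTestMode());
    }
}

int Preprocessor::prolog()
{
    return 0;
}

/*
 * Walk the object tree under 'top', following references and branch
 * rule sets, and call convertObject() once per referenced object.
 * Objects are stamped with the current generation so cycles and shared
 * groups are visited only once per compile().
 */
void Preprocessor::findMultiAddressObjectsUsedInRules(FWObject *top)
{
    if (top->getInt(".recursion_breaker") == infinite_recursion_breaker) return;
    top->setInt(".recursion_breaker", infinite_recursion_breaker);

    for (FWObject::iterator i=top->begin(); i!=top->end(); ++i)
    {
        FWObject *obj = *i;

        // Rules that jump to another rule set: descend into it too.
        PolicyRule *rule = PolicyRule::cast(obj);
        if (rule && rule->getAction() == PolicyRule::Branch)
        {
            RuleSet *branch_ruleset = rule->getBranch();
            if (branch_ruleset) findMultiAddressObjectsUsedInRules(branch_ruleset);
        }

        FWReference *ref = FWReference::cast(obj);
        if (ref == NULL)
            findMultiAddressObjectsUsedInRules(obj);
        else
        {
            FWObject *obj_ptr = FWReference::getObject(obj);
            // A dangling reference has no target object. Skip it here
            // rather than dereference NULL; the policy compilers assert
            // on unresolved references when they process the rules.
            if (obj_ptr == NULL) continue;

            if (obj_ptr->getInt(".loaded") == infinite_recursion_breaker) continue;
            obj_ptr->setInt(".loaded", infinite_recursion_breaker);

            try
            {
                convertObject(obj_ptr);
            } catch (FWException &ex)
            {
                abort(ex.toString());
            }

            // Note that MultiAddress inherits ObjectGroup
            if (Group::cast(obj_ptr))
                findMultiAddressObjectsUsedInRules(obj_ptr);
        }
    }
}

/*
 * Entry point: resolve every compile-time MultiAddress object reachable
 * from the firewall (or, in single-rule mode, from that one rule).
 */
void Preprocessor::compile()
{
    // find all MultiAddress objects used in rules of this firewall,
    // directly or as group members. A bit of optimisation:
    // MultiAddress objects (DNSName and AddressTable) can not be used
    // in network zone of interfaces and rule actions.
    // Note: fw belongs to the original object tree rather than dbcopy
    infinite_recursion_breaker++;

    FWObject *top = NULL;
    if (single_rule_mode)
        top = dbcopy->findInIndex(single_rule_compile_rule->getId());
    else
        top = dbcopy->findInIndex(fw->getId());

    // findMultiAddressObjectsUsedInRules() dereferences its argument at
    // once; report a missing object instead of crashing on NULL.
    if (top == NULL)
        abort("Preprocessor: object to process was not found in the object database");

    findMultiAddressObjectsUsedInRules(top);

    /* resolving MultiAddress objects */
    // convertObjectsRecursively(dbcopy);
}

void Preprocessor::epilog()
{
}

fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/Preprocessor.h000066400000000000000000000042111303637203600245500ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2006 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

  ######################################################################

  Class Preprocessor performs various operations on the original copy
  of the object database before other compilers are called to process
  rules. All other compilers create a local copy of the database and
  work with it, but Preprocessor works with the original database.

  Currently Preprocessor expands MultiAddress objects.

  Preprocessor can be overloaded as any other Compiler with
  customizations added to its prolog() or compile() methods.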
*/

#ifndef __PREPROCESSOR_HH__
#define __PREPROCESSOR_HH__

#include "fwcompiler/Compiler.h"
#include "fwbuilder/FWObjectDatabase.h"

// NOTE(review): system header name stripped by page extraction.
#include

namespace fwcompiler
{
    /**
     * Compiler pass that runs on the original object database (not a
     * copy) and resolves compile-time MultiAddress objects used in the
     * firewall's rules before the platform compilers run.
     */
    class Preprocessor : public Compiler
    {
        // Recursive walk over 'top' that converts every referenced object.
        void findMultiAddressObjectsUsedInRules(libfwbuilder::FWObject *top);

    public:
        virtual std::string myPlatformName();
        virtual ~Preprocessor();
        // _db is used directly, not copied; fw is looked up again in _db.
        Preprocessor(libfwbuilder::FWObjectDatabase *_db,
                     libfwbuilder::Firewall *fw,
                     bool ipv6_policy);

        /**
         * converts a single object. convertObjects calls this method for every
         * object that may need to be converted
         */
        virtual void convertObject(libfwbuilder::FWObject *obj);

        virtual int prolog();
        virtual void compile();
        virtual void epilog();
    };
}

#endif

// ===== fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/RoutingCompiler.cpp =====
/*

                          Firewall Builder Routing add-on

                 Copyright (C) 2004 Compal GmbH, Germany

  Author:  Tidei Maurizio

  Permission is hereby granted, free of charge, to any person obtaining a copy
  of this software and associated documentation files (the "Software"), to deal
  in the Software without restriction, including without limitation the rights
  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  copies of the Software, and to permit persons to whom the Software is
  furnished to do so, subject to the following conditions:

  The above copyright notice and this permission notice shall be included in
  all copies or substantial portions of the Software.

  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  THE SOFTWARE.
*/

// NOTE(review): the angle-bracketed names of the system includes in this
// file, and the template argument lists of std::list / std::map / std::deque
// declarations below, were stripped by page extraction. Restore them from
// the upstream file before building.
#include

#include "RoutingCompiler.h"

#include "fwbuilder/AddressTable.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/RuleSet.h"
#include "fwbuilder/InetAddr.h"
#include "fwbuilder/IPRoute.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Group.h"
#include "fwbuilder/MultiAddress.h"

#include
#include
#include
#include
#include

using namespace fwcompiler;
using namespace libfwbuilder;
using namespace std;

/**
 * Prepares the routing rule set for compilation: picks the firewall's
 * Routing object as source_ruleset when none was set, renumbers its rules,
 * creates the working copy temp_ruleset under the firewall and assigns a
 * label to every rule that has none.
 *
 * Returns the number of Rule objects found in source_ruleset.
 */
int RoutingCompiler::prolog()
{
    Compiler::prolog();

    Routing *routing = Routing::cast(fw->getFirstByType(Routing::TYPENAME));
    assert(routing);

    if (source_ruleset == NULL) source_ruleset = routing;

    source_ruleset->renumberRules();

    temp_ruleset = new Routing();   // working copy of the routing
    fw->add( temp_ruleset );

    temp_ruleset->setName(source_ruleset->getName());

    int rule_counter = 0;
    for (FWObject::iterator i=source_ruleset->begin(); i!=source_ruleset->end(); i++)
    {
        Rule *r = Rule::cast(*i);
        if (r == NULL) continue; // skip RuleSetOptions object
        if (r->getLabel().empty())
            r->setLabel( createRuleLabel("", "main", r->getPosition()) );
        rule_counter++;
    }
    initialized = true;
    return rule_counter;
}

/**
 * Two routing rules are considered identical when their destination,
 * gateway and interface rule elements compare equal.
 */
bool RoutingCompiler::cmpRules(const RoutingRule &r1, const RoutingRule &r2)
{
    if (r1.getRDst()!=r2.getRDst()) return false;
    if (r1.getRGtw()!=r2.getRGtw()) return false;
    if (r1.getRItf()!=r2.getRItf()) return false;
    return true;
}

/**
 * Renders a routing rule as fixed-width text (label, destination,
 * interface, gateway), one line per destination object. Debug output only.
 */
string RoutingCompiler::debugPrintRule(Rule *r)
{
    RoutingRule *rule = RoutingRule::cast(r);

    RuleElementRDst *dstrel = rule->getRDst();
    RuleElementRItf *itfrel = rule->getRItf();
    RuleElementRGtw *gtwrel = rule->getRGtw();

    ostringstream str;
    // str << setw(70) << setfill('-') << "-";

    string dst, itf, gtw;
    FWObject *obj = FWReference::getObject(itfrel->front());
    itf = (obj) ? obj->getName() : "NULL";
    obj = FWReference::getObject(gtwrel->front());
    gtw = (obj) ? obj->getName() : "NULL";

    int no = 0;
    FWObject::iterator i1 = dstrel->begin();
    while ( i1!=dstrel->end())
    {
        str << endl;
        dst = " ";
        // Always true inside this loop (the while condition already
        // guarantees it); kept as is.
        if (i1 != dstrel->end())
        {
            FWObject *o = FWReference::getObject(*i1);
            dst = (o) ? o->getName() : "NULL";
        }
        int w = 0;
        // The label is printed only on the first line of a rule.
        if (no==0)
        {
            str << rule->getLabel();
            w = rule->getLabel().length();
        }
        str << setw(10-w) << setfill(' ') << " ";
        str << setw(18) << setfill(' ') << dst.c_str() << " ";
        str << setw(18) << setfill(' ') << itf.c_str() << " ";
        str << setw(18) << setfill(' ') << gtw.c_str() << " ";
        str << setw(18) << setfill(' ') << " ";
        ++no;
        if ( i1 != dstrel->end() ) ++i1;
    }
    return str.str();
}

/**
 * Expands host/firewall objects in RDst and RGtw into their addresses via
 * Compiler::_expand_addr (the third argument differs for the two elements).
 * The rule is passed through unchanged otherwise.
 */
bool RoutingCompiler::ExpandMultipleAddresses::processNext()
{
    RoutingRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElementRDst *dst = rule->getRDst();    assert(dst);
    RuleElementRGtw *gtw = rule->getRGtw();    assert(gtw);

    compiler->_expand_addr(rule, dst, true);
    compiler->_expand_addr(rule, gtw, false);

    return true;
}

/**
 * Splits a rule with N objects in RDst into N rules with a single
 * destination each. New rules are created in dbcopy, duplicated from the
 * original and added to temp_ruleset; the original rule is not queued.
 */
bool RoutingCompiler::ConvertToAtomicForDST::processNext()
{
    RoutingRule *rule=getNext(); if (rule==NULL) return false;

    //RuleElementSrc *src=rule->getSrc();    assert(src);
    RuleElementRDst *dst=rule->getRDst();    assert(dst);

    for (FWObject::iterator it=dst->begin(); it!=dst->end(); ++it)
    {
        RoutingRule *r = compiler->dbcopy->createRoutingRule();
        r->duplicate(rule);
        compiler->temp_ruleset->add(r);

        FWObject *s = r->getRDst();    assert(s);
        s->clearChildren();
        s->addRef(FWReference::getObject(*it));

        tmp_queue.push_back(r);
    }
    return true;
}

/**
 * Replaces group references in RDst with references to the group members,
 * in place (no new rules are created).
 */
bool RoutingCompiler::ExpandGroups::processNext()
{
    RoutingRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElementRDst *dst=rule->getRDst();    assert(dst);
    compiler->expandGroupsInRuleElement(dst);

    return true;
}

/**
 * Aborts when both the gateway and the interface of a rule are "Any".
 * NOTE(review): the emptiness test is by object name ("Any") rather than by
 * the rule element's isAny(); an ordinary object named "Any" would be
 * treated as empty here.
 */
bool RoutingCompiler::emptyRDstAndRItf::processNext()
{
    RoutingRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElementRGtw *gtwrel=rule->getRGtw();
    RuleElementRItf *itfrel=rule->getRItf();

    if ( (FWReference::cast(itfrel->front())->getPointer())->getName()=="Any" &&\
         (FWReference::cast(gtwrel->front())->getPointer())->getName()=="Any")
    {
        string msg;
        msg = "Gateway and interface are both empty in the rule";
        compiler->abort(rule, msg.c_str());
    }
    return true;
}

/**
 * Aborts when the gateway object does not resolve to exactly one IP
 * address (checked by RuleElementRGtw::checkSingleIPAdress).
 */
bool RoutingCompiler::singleAdressInRGtw::processNext()
{
    RoutingRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElementRGtw *gtwrel=rule->getRGtw();
    FWObject *o = FWReference::getObject(gtwrel->front());

    if( gtwrel->checkSingleIPAdress(o) == false)
    {
        string msg;
        msg = "Object \"" + o->getName() + "\" used as a gateway in the routing rule " + rule->getLabel() + " has multiple ip adresses";
        compiler->abort(rule, msg.c_str());
    }
    return true;
}

// recursive network validity check
//
// Returns false when 'o' is a Network whose address/netmask pair is not a
// valid routing destination, or an ObjectGroup that (transitively) contains
// such a Network. Any other object type is accepted.
bool RoutingCompiler::validateNetwork::checkValidNetwork(FWObject *o)
{
    if( Network::cast(o) != NULL)
    {
        return ((Network *)o)->isValidRoutingNet();
    }

    /* if we have a group containing networks and groups, we want to check them too */
    if( ObjectGroup::cast(o) != NULL)
    {
        FWObjectTypedChildIterator child_i = o->findByType(FWObjectReference::TYPENAME);
        for ( ; child_i != child_i.end(); ++child_i)
        {
            FWObjectReference *child_r = FWObjectReference::cast(*child_i);
            assert(child_r);
            FWObject *child = child_r->getPointer();

            Network *network;
            ObjectGroup *group;

            // Network
            if ((network=Network::cast(child)) != NULL)
            {
                if (checkValidNetwork(network) == false)
                {
                    return false;
                }
            } else if ((group=ObjectGroup::cast(child)) != NULL)
            {
                // Group
                if (checkValidNetwork(group) == false)
                {
                    return false;
                }
            }
        }
    }
    return true;
}

// Invalid routing destination network: network address and netmask mismatch.
/**
 * Rejects run-time MultiAddress objects (DNSName / AddressTable) in RDst
 * and destinations whose network/netmask pair is invalid. Only the first
 * object of RDst is inspected, so this expects atomic (single-destination)
 * rules.
 */
bool RoutingCompiler::validateNetwork::processNext()
{
    RoutingRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElementRDst *dstrel=rule->getRDst();
    FWObject *o = FWReference::cast(dstrel->front())->getPointer();

    // currently we do not support run-time DNSName and AddressTable objects
    // in routing rules.
    MultiAddress *ma = MultiAddress::cast(o);
    if (ma && ma->isRunTime())
    {
        compiler->abort(rule, "Use of dynamic run-time objects "
                        "as destination in routing rules is not supported.");
    }

    if( checkValidNetwork(o) == false)
    {
        string msg;
        msg = "Object \"" + o->getName() + "\" used as destination in the routing rule " + rule->getLabel() + " has invalid netmask";
        compiler->abort(rule, msg.c_str());
    }
    return true;
}

// the IP address of the gateway has to be in a local network of the firewall
//
// Returns true when the address of 'o' (a Host, Interface or IPv4 object)
// falls inside the network of at least one IPv4 address configured on any
// interface of the firewall. Objects of any other type are accepted without
// a check. Only IPv4 addresses of the firewall are consulted.
bool RoutingCompiler::reachableAddressInRGtw::checkReachableIPAddress(FWObject *o)
{
    // let's walk over all interfaces of this firewall
    list interfaces = compiler->fw->getByTypeDeep(Interface::TYPENAME);
    list::iterator intf;

    if( Host::cast(o) != NULL)
    {
        Host *host=Host::cast(o);
        const InetAddr *ip_host = host->getAddressPtr();
        for (intf = interfaces.begin(); intf!=interfaces.end(); ++intf)
        {
            Interface *i_firewall = Interface::cast(*intf);
            for(FWObjectTypedChildIterator fw_ips = i_firewall->findByType(IPv4::TYPENAME); fw_ips!=fw_ips.end(); ++fw_ips)
            {
                IPv4 *ipv4_obj_firewall = IPv4::cast(*fw_ips);
                const InetAddr *addr = ipv4_obj_firewall->getAddressPtr();
                const InetAddr *netm = ipv4_obj_firewall->getNetmaskPtr();
                if (addr)
                {
                    InetAddrMask fw_net(*addr, *netm);
                    if (fw_net.belongs(*ip_host)) return true;
                }
            }
        }
        return false;
    } else if( Interface::cast(o) != NULL)
    {
        Interface *gw_interface=Interface::cast(o);
        const InetAddr *ip_gateway = gw_interface->getAddressPtr();
        // walk over all interfaces of this firewall
        for (intf = interfaces.begin(); intf!=interfaces.end(); ++intf)
        {
            Interface *if_firewall=Interface::cast(*intf);
            FWObjectTypedChildIterator addresses = if_firewall->findByType(IPv4::TYPENAME);
            // check all IPv4 addresses of this firewall interface
            for ( ; addresses!=addresses.end(); ++addresses )
            {
                IPv4 *ipv4_obj_firewall = IPv4::cast(*addresses);
                const InetAddr *addr = ipv4_obj_firewall->getAddressPtr();
                const InetAddr *netm = ipv4_obj_firewall->getNetmaskPtr();
                if (addr)
                {
                    InetAddrMask fw_net(*addr, *netm);
                    if (fw_net.belongs(*ip_gateway)) return true;
                }
            }
        }
        return false;
    } else if( IPv4::cast(o) != NULL)
    {
        IPv4 *ipv4=IPv4::cast(o);
        const InetAddr *ip_ipv4 = ipv4->getAddressPtr();
        for (intf = interfaces.begin(); intf!=interfaces.end(); ++intf)
        {
            Interface *if_firewall=Interface::cast(*intf);
            FWObjectTypedChildIterator addresses = if_firewall->findByType(IPv4::TYPENAME);
            // check all IPv4 addresses of this firewall interface
            for ( ; addresses!=addresses.end(); ++addresses )
            {
                IPv4 *ipv4_obj_firewall = IPv4::cast(*addresses);
                const InetAddr *addr = ipv4_obj_firewall->getAddressPtr();
                const InetAddr *netm = ipv4_obj_firewall->getNetmaskPtr();
                if (addr)
                {
                    InetAddrMask fw_net(*addr, *netm);
                    if (fw_net.belongs(*ip_ipv4)) return true;
                }
            }
        }
        return false;
    } else return true;   // unknown gateway object type: not checked here
    return false;         // unreachable; every branch above returns
}

// the IP address of the gateway has to be in a local network of the firewall
//
// Aborts the rule when checkReachableIPAddress() rejects the gateway object.
bool RoutingCompiler::reachableAddressInRGtw::processNext()
{
    RoutingRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElementRGtw *gtwrel=rule->getRGtw();
    FWObject *o = FWReference::cast(gtwrel->front())->getPointer();

    if( checkReachableIPAddress(o) == false)
    {
        string msg;
        msg = "Object \"" + o->getName() + "\" used as gateway in the routing rule " + rule->getLabel() + " is not reachable because it is not in any local network of the firewall";
        compiler->abort(rule, msg.c_str());
    }
    return true;
}

// the IP address of the gateway RGtw has to be in a network of the interface RItf
//
// Skipped when the interface is "Any". For a Host, Interface or
// single-address Address gateway, the rule is aborted unless one of the
// interface's IPv4 addresses covers the gateway address.
//
// NOTE(review): Address::cast(oRGtw)->dimension() is evaluated whenever
// oRGtw is neither a Host nor an Interface; if Address::cast can return
// NULL for other object types this dereferences a null pointer. Confirm
// against the cast implementation.
bool RoutingCompiler::contradictionRGtwAndRItf::processNext()
{
    RoutingRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElementRGtw *gtwrel=rule->getRGtw();
    RuleElementRItf *itfrel=rule->getRItf();

    FWObject *oRGtw = FWReference::cast(gtwrel->front())->getPointer();
    FWObject *oRItf = FWReference::cast(itfrel->front())->getPointer();

    if (oRItf->getName() == "Any") { return true; }

    if (Host::cast(oRGtw) != NULL || Interface::cast(oRGtw) != NULL || Address::cast(oRGtw)->dimension()==1)
    {
        const InetAddr* ip_interface = NULL;
        if ( Host::cast(oRGtw) != NULL)
        {
            Host *host=Host::cast(oRGtw);
            ip_interface = host->getAddressPtr();
        } else if (Interface::cast(oRGtw) != NULL)
        {
            Interface *intf=Interface::cast(oRGtw);
            ip_interface = intf->getAddressPtr();
        } else if (Address::cast(oRGtw)->dimension()==1)
        {
            Address *ipv4 = Address::cast(oRGtw);
            ip_interface = ipv4->getAddressPtr();
        }

        if (ip_interface)
        {
            list obj_list = oRItf->getByType(IPv4::TYPENAME);
            for (list::iterator i=obj_list.begin(); i!=obj_list.end(); ++i)
            {
                Address *addr = Address::cast(*i);
                if (addr->belongs(*ip_interface)) return true;
            }
        }

        string msg;
        msg = "Object \"" + oRGtw->getName() + "\" used as gateway in the routing rule " + rule->getLabel() + " is not in the same local network as interface " + oRItf->getName();
        compiler->abort(rule, msg.c_str());
    }
    return true;
}

/**
 * Aborts a rule that specifies both a gateway and an interface; some
 * target OSes accept only one of the two in a static route.
 */
bool RoutingCompiler::interfaceOrGateway::processNext()
{
    RoutingRule *rule = getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElementRItf *itfrel = rule->getRItf();
    RuleElementRGtw *gtwrel = rule->getRGtw();

    if (!itfrel->isAny() && !gtwrel->isAny())
    {
        compiler->abort(rule, "Use either gateway or interface in a routing rule "
                        "but not both at the same time");
    }
    return true;
}

/**
 * Checks that the interface in RItf belongs to the firewall being
 * compiled, or to a cluster the firewall is a member of. The function
 * body continues in the next part of the page.
 */
bool RoutingCompiler::rItfChildOfFw::processNext()
{
    RoutingRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    RuleElementRItf *itfrel = rule->getRItf();
    if (itfrel->isAny()) return true;

    FWObject *o = FWReference::cast(itfrel->front())->getPointer();

    // the interface is not a child of the firewall.
    // Could be
    // cluster interface though. In that case make sure the
    // firewall is a member of that cluster.
    Interface *iface = Interface::cast(o);
    if (iface)
    {
        FWObject *parent = Host::getParentHost(iface);
        //FWObject *parent = iface->getParentHost();
        if (parent->getId() == compiler->fw->getId()) return true;

        Cluster *cluster = Cluster::cast(parent);
        if (cluster)
        {
            list members;
            cluster->getMembersList(members);
            list::iterator it;
            for (it=members.begin(); it!=members.end(); ++it)
            {
                if ((*it)->getId() == compiler->fw->getId()) return true;
            }
        }
    }

    string msg;
    msg = "Object \"" + o->getName() + "\" used as interface in the routing rule " + rule->getLabel() + " is not a child of the firewall the rule belongs to";
    compiler->abort(rule, msg.c_str());
    // even though we call abort() here, it does not actually stop the
    // program if it runs in the test mode.
    return true;
}

/*
 * Call this after converting to atomic rules by DST to be sure there
 * is just one object in DST.
 *
 * Reads the whole rule set (slurp) and aborts when two rules route the
 * same destination (address/netmask string) via different gateways.
 * Rules are left in tmp_queue in the order they arrived.
 *
 * NOTE(review): the address and netmask pointers taken from dst and gtw
 * are dereferenced without a NULL check; earlier processors are relied on
 * to guarantee that both objects carry an address.
 */
bool RoutingCompiler::sameDestinationDifferentGateways::processNext()
{
    slurp();
    if (tmp_queue.size()==0) return false;

    // map destination to gateway.
    std::map dst_to_gw;
    // map destination to the label of the first rule that used it, for
    // the error message.
    std::map dst_to_rule;

    for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
    {
        RoutingRule *rule = RoutingRule::cast( *k );

        RuleElementRDst *dstrel = rule->getRDst();
        Address *dst = Address::cast(FWReference::getObject(dstrel->front()));
        const InetAddr* dst_addr = dst->getAddressPtr();
        const InetAddr* dst_netm = dst->getNetmaskPtr();
        string key = dst_addr->toString() + "/" + dst_netm->toString();

        // RuleElementRItf *itfrel = rule->getRItf();
        // FWObject *itf = FWReference::cast(itfrel->front())->getPointer();

        RuleElementRGtw *gtwrel = rule->getRGtw();
        Address *gtw = Address::cast(FWReference::getObject(gtwrel->front()));
        const InetAddr* gtw_addr = gtw->getAddressPtr();
        const InetAddr* gtw_netm = gtw->getNetmaskPtr();
        string val = gtw_addr->toString() + "/" + gtw_netm->toString();

        if (!dst_to_gw[key].empty() && dst_to_gw[key] != val)
        {
            compiler->abort(
                rule,
                "Rules " + dst_to_rule[key] + " and " + rule->getLabel() +
                " define routes to the same destination " + key +
                " via different gateways. This configuration is not supported"
                " for " + compiler->fw->getStr("host_OS"));
        } else
        {
            dst_to_gw[key] = val;
            dst_to_rule[key] = rule->getLabel();
        }
    }
    return true;
}

/**
 * Detects rules that repeat a (destination, gateway+interface) pair seen
 * earlier. Same metric: the later rule is dropped with a warning. Different
 * metric: abort. Requires createSortedDstIdsLabel to have run first (the
 * sorted destination-id label is the lookup key).
 *
 * NOTE(review): in the "combination is new" branch (continued in the next
 * part of the page) gtwitf_it equals dest_it->second.end(); the disabled
 * if(false) block there dereferences it, so that block must not be enabled
 * as written.
 */
bool RoutingCompiler::competingRules::processNext()
{
    RoutingRule *rule = getNext(); if (rule==NULL) return false;

    RuleElementRItf *itfrel = rule->getRItf();
    FWObject *itf = FWReference::cast(itfrel->front())->getPointer();

    RuleElementRGtw *gtwrel = rule->getRGtw();
    FWObject *gtw = FWReference::cast(gtwrel->front())->getPointer();

    string metric = rule->getMetricAsString();
    string label = rule->getSortedDstIds();

    // Key identifying the gateway + interface combination.
    ostringstream ostr;
    ostr << gtw->getId() << "_" << itf->getId();
    string combiId = ostr.str();

    if( label == "")
        compiler->abort(
            rule,
            "Place 'createSortedDstIdsLabel()' before 'competingRules()' "
            "in the rule processor chain");

    dest_it = rules_seen_so_far.find(label);
    if( dest_it != rules_seen_so_far.end())
    {
        // a rule with the same destination was already seen
        ///std::cout << "NO NEW DEST" << std::endl;

        gtwitf_it = dest_it->second.find(combiId);
        if( gtwitf_it != dest_it->second.end() )
        {
            // ... this gateway and interface combination were already
            // seen for this destination
            ///std::cout << "NO NEW GTWITF" << std::endl;

            if( gtwitf_it->second.first == metric)
            {
                // ... and same metric => rule already exists, skip
                ///std::cout << "SAME METRIC" << std::endl;
                string msg;
                msg = "Routing rules " + gtwitf_it->second.second + " and " + rule->getLabel() + " are identical, skipping the second one. " + "Delete one of them to avoid this warning";
                compiler->warning(rule, msg.c_str());
            } else
            {
                // ... but different metric => what metric should I use? => abort
                ///std::cout << "DIFFERENT METRIC" << std::endl;
                string msg;
                msg = "Routing rules " + gtwitf_it->second.second + " and " + rule->getLabel() + " are identical except for the metric, " + "please delete one of them";
                compiler->abort(rule, msg.c_str());
            }
        } else
        {
            // ...
            // this gateway and interface combination is new for
            // this destination
            ///std::cout << "NEW GTWITF" << std::endl;///

            // Disabled branch: gtwitf_it == end() here, so the message
            // below would dereference an invalid iterator if enabled.
            if(false)
            {
                // TODO_lowPrio: if (
                // !compiler->fw->getOptionsObject()->getBool
                // ("equal_cost_multi_path") ) ...If multipath is
                // turned off, perform this check.

                // iterate all gtwitf combis in the map
                // dest_it->second and search for the current metric

                // ... but has the same metric => what route should I
                // use for this destination? => abort
                string msg;
                msg = "Routing rules " + gtwitf_it->second.second + " and " + rule->getLabel() + " have the same destination and same metric," "but different gateway and interface combination. " "Set the metrics to different values or " "enable ECMP (Equal Cost MultiPath) routing";
                compiler->abort( msg.c_str() );
            } else
            {
                // ... and different metric OR equal_cost_multi_path enabled => OK
                tmp_queue.push_back(rule);
            }
            dest_it->second[combiId] = pair< string, string>( metric, rule->getLabel());
        }
    } else
    {
        // this destination is new
        //std::cout << "NEW DEST" << std::endl; ///
        //ruleinfo tmpRuleInfo = { gtw->getStr("id") + itf->getStr("id"), metric, rule->getLabel()};
        //rules_seen_so_far[label] = tmpRuleInfo;
        map< string, pair< string, string> > gtw_itf_tmp;
        gtw_itf_tmp[combiId] = pair< string, string>( metric, rule->getLabel());
        rules_seen_so_far[label] = gtw_itf_tmp;
        tmp_queue.push_back(rule);
    }
    return true;
}

/**
 * Marks every rule SinglePath, then flags as MultiPath any two rules that
 * share a destination label and a metric but use different gateway +
 * interface combinations. Works on the whole rule set (slurp). Requires
 * createSortedDstIdsLabel to have run first. The ECMP firewall option is
 * not consulted (see the TODO below; the check is unconditional).
 */
bool RoutingCompiler::classifyRoutingRules::processNext()
{
    assert(compiler!=NULL);
    assert(prev_processor!=NULL);

    slurp();
    if (tmp_queue.size()==0) return false;

    for (std::deque::iterator tmp_queue_it=tmp_queue.begin(); tmp_queue_it!=tmp_queue.end(); ++tmp_queue_it)
    {
        RoutingRule *rule = RoutingRule::cast( *tmp_queue_it);
        rule->setRuleType( RoutingRule::SinglePath);

        RuleElementRItf *itfrel=rule->getRItf();
        FWObject *itf = FWReference::cast(itfrel->front())->getPointer();

        RuleElementRGtw *gtwrel=rule->getRGtw();
        FWObject *gtw = FWReference::cast(gtwrel->front())->getPointer();

        string metric = rule->getMetricAsString();
        string label = rule->getSortedDstIds();

        ostringstream ostr;
        ostr << gtw->getId() << "_" << itf->getId();
        string combiId = ostr.str();

        if( label == "")
            compiler->abort(
                rule,
                "Place 'createSortedDstIdsLabel()' right before "
                "'classifyRoutingRules()' in the rule processor chain");

        dest_it = rules_seen_so_far.find(label);
        if( dest_it != rules_seen_so_far.end())
        {
            // a rule with the same destination was already seen
            //std::cout << "classifyRoutingRules:NO NEW DEST" << std::endl;///

            gtwitf_it = dest_it->second.find(combiId);
            if( gtwitf_it == dest_it->second.end() )
            {
                // ... this gateway and interface combination is new for this destination
                //std::cout << "classifyRoutingRules:NEW GTWITF" << std::endl;///

                for( gtwitf_it = dest_it->second.begin(); gtwitf_it != dest_it->second.end(); gtwitf_it++)
                {
                    if( gtwitf_it->second.first == metric)
                    {
                        // ... but has the same metric as another rule with this Dst => multipath or abort
                        //std::cout << "classifyRoutingRules:SAME METRIC" << std::endl;///

                        if(true)
                        {
                            //TODO: if ( compiler->fw->getOptionsObject()->getBool ("equal_cost_multi_path") )
                            rule->setRuleType( RoutingRule::MultiPath);
                            gtwitf_it->second.second->setRuleType( RoutingRule::MultiPath);
                            //std::cout << "classifyRoutingRules:the rules " << rule->getLabel() << " and " << gtwitf_it->second.second->getLabel() << " were set to multipath." << std::endl;///
                        }
                    }
                }
                dest_it->second[combiId] = pair< string, RoutingRule*>( metric, rule);
            }
        } else
        {
            // this destination is new
            //std::cout << "classifyRoutingRules:NEW DEST" << std::endl;///
            map< string, pair< string, RoutingRule*> > gtw_itf_tmp;
            gtw_itf_tmp[combiId] = pair< string, RoutingRule*>( metric, rule);
            rules_seen_so_far[label] = gtw_itf_tmp;
        }
    }
    return true;
}

/**
 * Builds the rule's "sorted dst ids" label: the part of the rule label
 * starting at its first "(" followed by the string ids of all RDst
 * objects in sorted order, so rules with the same destinations in a
 * different order get the same label.
 *
 * NOTE(review): when the label contains no "(", find() returns npos, which
 * is stored in an int (-1) and passed to erase(0, bracepos); converted back
 * to size_t that erases the whole label. Worth checking for npos first.
 */
bool RoutingCompiler::createSortedDstIdsLabel::processNext()
{
    RoutingRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    // create a label with a sorted dst-id-list, to find identical destinations even if the order
    // of the dst objects differs within one rule
    RuleElementRDst *dstrel=rule->getRDst();

    string label = rule->getLabel();
    int bracepos = label.find("(");
    label.erase(0, bracepos);

    std::list idList;
    for (FWObject::iterator it=dstrel->begin(); it!=dstrel->end(); ++it)
    {
        idList.insert(idList.end(), FWObjectDatabase::getStringId( (FWReference::cast(*it)->getPointer())->getId()));
    }
    idList.sort();

    for (std::list::iterator it=idList.begin(); it!=idList.end(); ++it)
    {
        label += " " + *it;
    }
    ///std::cout << "createDstLabel:LABEL: '" << label << "'" << endl;
    rule->setSortedDstIds( label);
    return true;
}

/*
 * This is identical to
 * PolicyCompiler_ipf::processMultiAddressObjectsInRE::processNext()
 * TODO: move the code to the class Compiler so it can be reused.
 *
 * Aborts when the rule element of type re_type contains a run-time
 * AddressTable (either a MultiAddressRunTime substituting for one, or an
 * AddressTable flagged run-time). Other objects pass through.
 */
bool RoutingCompiler::processMultiAddressObjectsInRE::processNext()
{
    RoutingRule *rule = getNext(); if (rule==NULL) return false;

    RuleElement *re = RuleElement::cast( rule->getFirstByType(re_type) );

    for (FWObject::iterator i=re->begin(); i!=re->end(); i++)
    {
        FWObject *o= *i;
        if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();

        MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
        if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME)
            compiler->abort(
                rule,
                "Run-time AddressTable objects are not supported.");

        AddressTable *at = AddressTable::cast(o);
        if (at && at->isRunTime())
            compiler->abort(
                rule,
                "Run-time AddressTable objects are not supported.");
    }
    tmp_queue.push_back(rule);
    return true;
}

// ===== fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/RoutingCompiler.h =====
/*

                          Firewall Builder Routing add-on

                 Copyright (C) 2004 Compal GmbH, Germany

  Author:  Tidei Maurizio

  Permission is hereby granted, free of charge, to any person obtaining a copy
  of this software and associated documentation files (the "Software"), to deal
  in the Software without restriction, including without limitation the rights
  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  copies of the Software, and to permit persons to whom the Software is
  furnished to do so, subject to the following conditions:

  The above copyright notice and this permission notice shall be included in
  all copies or substantial portions of the Software.

  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
  IN NO EVENT SHALL THE
  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  THE SOFTWARE.

*/

#ifndef __ROUTING_COMPILER_HH__
#define __ROUTING_COMPILER_HH__

#include "fwcompiler/Compiler.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"

// NOTE(review): system header name and the template argument lists of the
// std::map members below were stripped by page extraction; restore from
// the upstream file before building.
#include

namespace fwcompiler {

    using namespace std;

// Declares a rule processor class '_Name' nested in RoutingCompiler whose
// processNext() is defined in RoutingCompiler.cpp.
#define DECLARE_ROUTING_RULE_PROCESSOR(_Name) \
    friend class _Name; \
    class _Name : public RoutingRuleProcessor { \
        public: \
        _Name(const std::string &n) : \
            RoutingRuleProcessor(n) {}; \
        virtual ~_Name() {}; \
        virtual bool processNext(); \
    };

    /**
     * Compiler for the Routing rule set. The nested classes are the rule
     * processors that platform-specific subclasses chain together; most
     * of them validate one rule at a time and abort on error.
     */
    class RoutingCompiler : public Compiler {
    public:
        RoutingCompiler(libfwbuilder::FWObjectDatabase *_db,
                        libfwbuilder::Firewall *fw,
                        bool ipv6_policy,
                        fwcompiler::OSConfigurator *_oscnf) :
            Compiler(_db, fw, ipv6_policy, _oscnf) {}

        /**
         * deals with empty groups in RDst. See description for
         * Compiler::emptyGroupsInRE
         */
        class emptyGroupsInRDst : public emptyGroupsInRE
        {
            public:
            emptyGroupsInRDst(const std::string &n) :
                emptyGroupsInRE(n,libfwbuilder::RuleElementRDst::TYPENAME) {}
        };

        /**
         * deals with recursive groups in RDst. See description for
         * Compiler::recursiveGroupsInRE
         */
        class recursiveGroupsInRDst : public recursiveGroupsInRE
        {
            public:
            recursiveGroupsInRDst(const std::string &n) :
                recursiveGroupsInRE(n,libfwbuilder::RuleElementRDst::TYPENAME) {}
        };

        /**
         * creates a label with a sorted dst-id-list, to find identical destinations even if the order
         * of the dst objects differs within one rule
         */
        DECLARE_ROUTING_RULE_PROCESSOR(createSortedDstIdsLabel);

        /**
         * checks if the Destination and the Interface are both empty
         */
        DECLARE_ROUTING_RULE_PROCESSOR(emptyRDstAndRItf);

        /**
         * If the Gateway is a host or a network interface, it must lead to
         * only one IP adress.
         * e.g.: if a host has two interfaces, you must specify which interface
         * has to be used as gateway. If the inteface has two or more IP addresses,
         * only an IP Adress Object can be used as Gateway.
         */
        DECLARE_ROUTING_RULE_PROCESSOR(singleAdressInRGtw);

        /**
         * Invalid routing destination network:
         * network address and netmask mismatch.
         */
        friend class validateNetwork;
        class validateNetwork : public RoutingRuleProcessor
        {
            public:
            validateNetwork(const std::string &n) : RoutingRuleProcessor(n) {};
            virtual ~validateNetwork() {};
            virtual bool processNext();
            // recursive check of a Network or a group of Networks
            bool checkValidNetwork(libfwbuilder::FWObject*);
        };

        /**
         * the IP address of the gateway has to be
         * in the same local network as the firewall
         */
        friend class reachableAddressInRGtw;
        class reachableAddressInRGtw : public RoutingRuleProcessor
        {
            public:
            reachableAddressInRGtw(const std::string &n) : RoutingRuleProcessor(n) {};
            virtual ~reachableAddressInRGtw() {};
            virtual bool processNext();
            // true when the object's address lies in a network of one of
            // the firewall's IPv4 interface addresses
            bool checkReachableIPAddress(libfwbuilder::FWObject*);
        };

        /**
         * the IP address of the gateway has to be
         * in the same network as the interface
         */
        DECLARE_ROUTING_RULE_PROCESSOR(contradictionRGtwAndRItf);

        /**
         * checks if the Interface (RItf) is a child of the current firewall
         */
        DECLARE_ROUTING_RULE_PROCESSOR(rItfChildOfFw);

        /**
         * some OS (e.g. BSD) allow me to set up static route via
         * gateway or via interface, but not both in one rule.
         */
        DECLARE_ROUTING_RULE_PROCESSOR(interfaceOrGateway);

        /**
         * for OS where we do not support ECMP, detect rules that
         * define routes for the same destination via different
         * gateways and abort.
         */
        DECLARE_ROUTING_RULE_PROCESSOR(sameDestinationDifferentGateways);

        /**
         * checks for competing rules
         */
        class PrintRule;
        class competingRules : public RoutingRuleProcessor
        {
            /**
             * 'rules_seen_so_far' is a nested map with the following structure
             *   MAP         MAP          PAIR
             *   |-Dst1
             *   |   |-Gtw&Itf1-  (metric, label)
             *   |   |-Gtw&Itf2-  (metric, label)
             *   |
             *   |-Dst2
             *       |-Gtw&Itf1-  (metric, label)
             *       |-Gtw&Itf2-  (metric, label)
             *       |-Gtw&Itf3-  (metric, label)
             *
             *   dest        gtw+itf      metric label
             */
            map< string, map< string, pair< string, string> > > rules_seen_so_far;
            map< string, map< string, pair< string, string> > >::iterator dest_it;
            map< string, pair< string, string> >::iterator gtwitf_it;

            public:
            competingRules(const std::string &name) : RoutingRuleProcessor(name){}
            virtual bool processNext();
        };
        friend class RoutingCompiler::competingRules;

        /**
         * prints rule in some universal format (close to that visible
         * to user in the GUI). Used for debugging purposes
         * TODO: implement
         */
        virtual std::string debugPrintRule(libfwbuilder::Rule *rule);

        /**
         * this inspector replaces references to hosts and firewalls
         * in dst with references to their interfaces
         *
         * TODO: move to class Compiler because this might be useful
         * for PolicyCompiler, NATCompiler and also RoutingCompiler
         */
        DECLARE_ROUTING_RULE_PROCESSOR(ExpandMultipleAddresses);

        /**
         * this processor converts to atomic rules using all objects
         * contained in Routing Destination
         */
        DECLARE_ROUTING_RULE_PROCESSOR(ConvertToAtomicForDST);

        /**
         * this class expands groups in dst. It creates
         * references to new objects "in place" (that is, it does not
         * create new rules but rather uses rule elements of the old
         * ones)
         */
        DECLARE_ROUTING_RULE_PROCESSOR(ExpandGroups);

        /**
         * this processor classifies routing rules into single and
         * multi path rules. Needs slurp().
         */
        class classifyRoutingRules : public RoutingRuleProcessor
        {
            // same layout as competingRules::rules_seen_so_far, but the
            // pair holds the rule itself so its type can be updated
            map< string, map< string, pair< string, libfwbuilder::RoutingRule*> > > rules_seen_so_far;
            map< string, map< string, pair< string, libfwbuilder::RoutingRule*> > >::iterator dest_it;
            map< string, pair< string, libfwbuilder::RoutingRule*> >::iterator gtwitf_it;

            public:
            classifyRoutingRules(const std::string &name) : RoutingRuleProcessor(name) {}
            virtual bool processNext();
        };
        friend class RoutingCompiler::classifyRoutingRules;

        /**
         * Placeholders for MultiAddressRunTime objects
         */
        class processMultiAddressObjectsInRE : public RoutingRuleProcessor
        {
            // type name of the rule element to inspect
            std::string re_type;
            public:
            processMultiAddressObjectsInRE(const std::string &name,
                                           const std::string &t) :
                RoutingRuleProcessor(name) { re_type=t; }
            virtual bool processNext();
        };

        class processMultiAddressObjectsInRDst : public processMultiAddressObjectsInRE
        {
            public:
            processMultiAddressObjectsInRDst(const std::string &n) :
                processMultiAddressObjectsInRE(
                    n, libfwbuilder::RuleElementRDst::TYPENAME) {}
        };

        /**
         * detects if rules r1 and r2 are identical (that is, have the
         * same effect, rather than use the same objects)
         *
         * returns:
         *
         * true if r1 is identical to r2
         */
        bool cmpRules(const libfwbuilder::RoutingRule &r1,
                      const libfwbuilder::RoutingRule &r2);

        /**
         * deals with recursive groups in Dst. See description for
         * Compiler::recursiveGroupsInRE
        class recursiveGroupsInDst : public recursiveGroupsInRE
        {
            public:
            recursiveGroupsInSrc(const std::string &n) :
                recursiveGroupsInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {}
        };*/

        virtual int prolog();
    };
};

#endif

// ===== fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/RuleProcessor.h =====
/*

                          Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Zaliva , Vadim Kurland

  $Id$

  This program is free software which we release under the GNU General Public
  License.
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __RULE_PROCESSOR_HH__ #define __RULE_PROCESSOR_HH__ #include #include "fwbuilder/Rule.h" namespace fwcompiler { class Compiler; /** * This class represents Rule processing chain elements. It * takes input from other processor and produces modified output * via getNextRule() method. * * For cases when one input rule produce several output rules * internal temporary queue is provided. * * This is abstract class. Implementator should subclass it * and implement processNext() method. * * @author Vadim Zaliva , Vadim Kurland */ class BasicRuleProcessor { public: BasicRuleProcessor() { compiler=NULL; prev_processor=NULL; name=""; do_once=false; } BasicRuleProcessor(const std::string &_name) { compiler=NULL; prev_processor=NULL; name=_name; do_once=false; } virtual ~BasicRuleProcessor() { // Delete unused elements while(!tmp_queue.empty()) { // libfwbuilder::Rule *x = tmp_queue.front(); tmp_queue.pop_front(); // delete x; } } /** * Ties this rule processor to the compiler. Parameter _comp * is policy compiler object that is using this processor. */ void setContext(Compiler *_comp) { compiler=_comp; } /** * Connects this rule processor to the previous in the chain. * Parameter _src is source processor which will be used to * obtain input from. */ void setDataSource(BasicRuleProcessor *_src) { prev_processor=_src; } /** * sets name for this rule processor. 
Name is used in debug * print */ void setName(const std::string &_name) { name=_name; } /** * returns name of this processor */ std::string getName() { return name; } /** * Returns next rule or NULL if no more is availiable. */ libfwbuilder::Rule *getNextRule() { while(tmp_queue.empty() && processNext()) ; if(tmp_queue.empty()) { return NULL; } else { libfwbuilder::Rule *res = tmp_queue.front(); tmp_queue.pop_front(); return res; } } /** * some processors work on the whole rule set rather than on * a single rule. This method reads input data stream while * rules are coming from the previous rule processor and fill * tmp_queue, then return true if there are rules in the * queue and false otherwise. Using this instead of getNext * in processNext in rule processors that need the whole rule * set. This method executes only once and returns false upon * subsequent calls right away. */ bool slurp() { if (!do_once) { libfwbuilder::Rule *rule; while ( (rule=prev_processor->getNextRule())!=NULL) tmp_queue.push_back(rule); do_once=true; return (tmp_queue.size()!=0); } return false; } /** * Implementor should implement this method in a manner it * process one or more source elements and adds results to tmp * queue. It is prefferable to process just one source element * at a time. * * @return false if no more elements could be produced. */ virtual bool processNext() = 0; protected: std::string name; std::deque tmp_queue; BasicRuleProcessor *prev_processor; Compiler *compiler; bool do_once; }; /** * This class provides convenient interface by adding * dynamic_cast so that pointer to the rule returned from getNext * would have type PolicyRule* */ class PolicyRuleProcessor : public BasicRuleProcessor { public: PolicyRuleProcessor() : BasicRuleProcessor() {} PolicyRuleProcessor(const std::string &_name) : BasicRuleProcessor(_name) {} /** * Returns next rule to be processed or NULL if no more is availiable. 
*/ virtual libfwbuilder::PolicyRule* getNext() { return dynamic_cast( prev_processor->getNextRule() ); } }; /** * This class provides convenient interface by adding * dynamic_cast so that pointer to the rule returned from getNext * would have type NATRule* */ class NATRuleProcessor : public BasicRuleProcessor { public: NATRuleProcessor() : BasicRuleProcessor() {} NATRuleProcessor(const std::string &_name) : BasicRuleProcessor(_name) {} /** * Returns next rule to be processed or NULL if no more is availiable. */ virtual libfwbuilder::NATRule* getNext() { return dynamic_cast( prev_processor->getNextRule() ); } }; /** * This class provides convenient interface by adding * dynamic_cast so that pointer to the rule returned from getNext * would have type RoutingRule* */ class RoutingRuleProcessor : public BasicRuleProcessor { public: RoutingRuleProcessor() : BasicRuleProcessor() {} RoutingRuleProcessor(const std::string &_name) : BasicRuleProcessor(_name) {} /** * Returns next rule to be processed or NULL if no more is availiable. */ virtual libfwbuilder::RoutingRule* getNext() { return dynamic_cast( prev_processor->getNextRule() ); } }; }; #endif // __RULE_PROCESSOR_HH__ fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/ServiceRuleProcessors.cpp000066400000000000000000000234321303637203600267360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "Compiler.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include "fwbuilder/FWObjectDatabase.h" #include #include #include #include using namespace fwcompiler; using namespace libfwbuilder; using namespace std; /* * These rule processors should work for both Policy and NAT rules * without having to build specialized classes inheriting from these. */ bool Compiler::groupServices::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; string re_type = PolicyRule::isA(rule) ? 
RuleElementSrv::TYPENAME : RuleElementOSrv::TYPENAME; RuleElement *re_srv = RuleElement::cast(rule->getFirstByType(re_type)); if (re_srv->size()==1) { tmp_queue.push_back(rule); return true; } map > services; for (FWObject::iterator i=re_srv->begin(); i!=re_srv->end(); i++) { Service *s = Service::cast(FWReference::getObject(*i)); assert(s); int proto = groupingCode(s); services[proto].push_back(s); } for (map >::iterator i1=services.begin(); i1!=services.end(); i1++) { list &sl=(*i1).second; Rule *r = Rule::cast(compiler->dbcopy->create(rule->getTypeName())); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElement *nsrv = RuleElement::cast(r->getFirstByType(re_type)); nsrv->clearChildren(); for (list::iterator j=sl.begin(); j!=sl.end(); j++) { nsrv->addRef( (*j) ); } tmp_queue.push_back(r); } return true; } int Compiler::groupServicesByProtocol::groupingCode(const Service *srv) { return srv->getProtocolNumber(); } int Compiler::groupTCPUDPServices::groupingCode(const Service *srv) { return ( TCPService::isA(srv) || UDPService::isA(srv)); } Compiler::separateServiceObject::separateServiceObject( const string &name) : BasicRuleProcessor(name) { } bool Compiler::separateServiceObject::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; string re_type = PolicyRule::isA(rule) ? 
RuleElementSrv::TYPENAME : RuleElementOSrv::TYPENAME; RuleElement *re_srv = RuleElement::cast(rule->getFirstByType(re_type)); if (re_srv->size()==1) { tmp_queue.push_back(rule); return true; } list services; for (FWObject::iterator i=re_srv->begin(); i!=re_srv->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast(o); assert(s!=NULL); if (condition(s)) { Rule *r = Rule::cast(compiler->dbcopy->create(rule->getTypeName())); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElement *nsrv = RuleElement::cast(r->getFirstByType(re_type)); nsrv->clearChildren(); nsrv->addRef( s ); tmp_queue.push_back(r); services.push_back(s); } } for (list::iterator i=services.begin(); i!=services.end(); i++) re_srv->removeRef( (*i) ); if (!re_srv->isAny()) tmp_queue.push_back(rule); return true; } /** * separate TCP/UDP services that specify source port (can * not be used in combination with destination port with * multiport) */ bool Compiler::separateSrcPort::condition(const Service *srv) { if ( TCPService::isA(srv) || UDPService::isA(srv)) { int srs = TCPUDPService::constcast(srv)->getSrcRangeStart(); int sre = TCPUDPService::constcast(srv)->getSrcRangeEnd(); compiler->normalizePortRange(srs,sre); return (srs!=0 || sre!=0); } return false; } bool Compiler::separateSrcAndDstPort::condition(const Service *srv) { if ( TCPService::isA(srv) || UDPService::isA(srv)) { int srs = TCPUDPService::constcast(srv)->getSrcRangeStart(); int sre = TCPUDPService::constcast(srv)->getSrcRangeEnd(); int drs = TCPUDPService::constcast(srv)->getDstRangeStart(); int dre = TCPUDPService::constcast(srv)->getDstRangeEnd(); compiler->normalizePortRange(srs,sre); compiler->normalizePortRange(drs,dre); return ( (srs!=0 || sre!=0) && (drs!=0 || dre!=0) ); } return false; } bool Compiler::separateTCPUDP::condition(const Service *srv) { return ( TCPService::isA(srv) || UDPService::isA(srv)); } bool Compiler::separateTagged::condition(const 
Service *srv) { return ( TagService::isA(srv)); } bool Compiler::separateCustom::condition(const Service *srv) { return ( CustomService::isA(srv)); } bool Compiler::separateUserServices::condition(const Service *srv) { return ( UserService::isA(srv)); } bool Compiler::separateTOS::condition(const Service *srv) { const IPService *ip = IPService::constcast(srv); return (ip && !ip->getTOSCode().empty()); } bool Compiler::splitIpOptions::condition(const Service *srv) { const IPService *ip = IPService::constcast(srv); return (ip && ip->hasIpOptions()); } bool Compiler::separateTCPWithFlags::condition(const Service *srv) { const TCPService *s = TCPService::constcast(srv); return (s && s->inspectFlags() ); } bool Compiler::separatePortRanges::condition(const Service *srv) { if ( TCPService::isA(srv) || UDPService::isA(srv) ) { unsigned srs = TCPUDPService::constcast(srv)->getSrcRangeStart(); unsigned sre = TCPUDPService::constcast(srv)->getSrcRangeEnd(); unsigned drs = TCPUDPService::constcast(srv)->getDstRangeStart(); unsigned dre = TCPUDPService::constcast(srv)->getDstRangeEnd(); if (srs!=0 && sre==0) sre = srs; if (drs!=0 && dre==0) dre = drs; /* * I also need to separate rules that use "Any UDP" and "Any TCP" * objects. These objects have all ports set to zero and iptables code * for them should just have "-p udp" or "-p tcp" without any * "--source-port" or "--destination-port" specification. Commands * like this do not combine with commands that do specify port because * they lose their "any udp"/"any tcp" meaning as soon as * "--source-port"/"--destination-port" is added. */ if (srs==0 && sre==0 && drs==0 && dre==0) { sre = 65535; dre = 65535; } return (srs!=sre || drs!=dre); } return false; } bool Compiler::verifyCustomServices::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; string re_type = PolicyRule::isA(rule) ? 
RuleElementSrv::TYPENAME : RuleElementOSrv::TYPENAME; RuleElement *re_srv = RuleElement::cast(rule->getFirstByType(re_type)); tmp_queue.push_back(rule); for (FWObject::iterator i=re_srv->begin(); i!=re_srv->end(); i++) { FWObject *o = FWReference::getObject(*i); assert(o!=NULL); if (CustomService::isA(o) && CustomService::cast(o)->getCodeForPlatform(compiler->myPlatformName()).empty()) throw FWException("Custom service is not configured for the platform '"+compiler->myPlatformName()+"'. Rule "+rule->getLabel()); } return true; } bool Compiler::CheckForTCPEstablished::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; string re_type = PolicyRule::isA(rule) ? RuleElementSrv::TYPENAME : RuleElementOSrv::TYPENAME; RuleElement *re_srv = RuleElement::cast(rule->getFirstByType(re_type)); for (FWObject::iterator i=re_srv->begin(); i!=re_srv->end(); i++) { FWObject *o = FWReference::getObject(*i); TCPService *s = TCPService::cast( o ); if (s==NULL) continue; if (s->getEstablished()) compiler->abort( rule, string("TCPService object with option \"established\" " "is not supported by firewall platform \"") + compiler->myPlatformName() + string("\". Use stateful rule instead.")); } tmp_queue.push_back(rule); return true; } bool Compiler::CheckForUnsupportedUserService::processNext() { Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; string re_type = PolicyRule::isA(rule) ? 
RuleElementSrv::TYPENAME : RuleElementOSrv::TYPENAME; RuleElement *re_srv = RuleElement::cast(rule->getFirstByType(re_type)); for (FWObject::iterator i=re_srv->begin(); i!=re_srv->end(); i++) { FWObject *o = FWReference::getObject(*i); if (UserService::isA(o)) compiler->abort( rule, string("UserService object is not supported by ") + compiler->myPlatformName()); } tmp_queue.push_back(rule); return true; } fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/exceptions.h000066400000000000000000000024031303637203600242440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FATALERRORINSINGLERULECOMPILEMODE_HH #define FATALERRORINSINGLERULECOMPILEMODE_HH #include "fwbuilder/FWException.h" #include class FatalErrorInSingleRuleCompileMode : public libfwbuilder::FWException { public: FatalErrorInSingleRuleCompileMode() : libfwbuilder::FWException("") {}; FatalErrorInSingleRuleCompileMode(const std::string &err) : libfwbuilder::FWException(err) {}; }; #endif fwbuilder-5.3.7/src/libfwbuilder/src/fwcompiler/fwcompiler.pro000066400000000000000000000015771303637203600246160ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) # TEMPLATE = lib CONFIG += staticlib INCLUDEPATH += "../../../../" # SOURCES = BaseCompiler.cpp \ Compiler.cpp \ Compiler_helpers.cpp \ Compiler_ops.cpp \ Compiler_object_match.cpp \ Preprocessor.cpp \ NATCompiler.cpp \ OSConfigurator.cpp \ PolicyCompiler.cpp \ ServiceRuleProcessors.cpp \ RoutingCompiler.cpp \ GroupRegistry.cpp HEADERS = BaseCompiler.h \ Compiler.h \ Preprocessor.h \ NATCompiler.h \ OSConfigurator.h \ PolicyCompiler.h \ RuleProcessor.h \ RoutingCompiler.h \ exceptions.h \ GroupRegistry.h TARGET = fwcompiler # target.path = "$$prefix/lib" # no need to install headers in fortress #headers.files = $$HEADERS #headers.path = "$$prefix/include/fwb-4/fwcompiler" #INSTALLS += headers # and no need to install .a library INSTALLS -= target fwbuilder-5.3.7/src/libfwbuilder/src/src.pro000066400000000000000000000002021303637203600210470ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # TEMPLATE = subdirs CONFIG += ordered TARGET = src SUBDIRS = fwbuilder fwcompiler fwbuilder-5.3.7/src/libgui/000077500000000000000000000000001303637203600155565ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/ActionsDialog.cpp000066400000000000000000000175301303637203600210100ustar00rootroot00000000000000/* 
Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "definitions.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "ActionsDialog.h" #include "FWWindow.h" #include "FWObjectDropArea.h" #include "DialogFactory.h" #include "FWCmdRule.h" #include "fwbuilder/Library.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Firewall.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; ActionsDialog::ActionsDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::ActionsDialog_q; m_dialog->setupUi(this); m_dialog->iptBranchDropArea->addAcceptedTypes("Policy"); //m_dialog->iptBranchDropArea->addAcceptedTypes("NAT"); //m_dialog->iptBranchDropArea->addAcceptedTypes("Routing"); m_dialog->iptBranchDropArea->setHelperText("Drop rule set object here"); m_dialog->pfBranchDropArea->addAcceptedTypes("Policy"); //m_dialog->pfBranchDropArea->addAcceptedTypes("NAT"); //m_dialog->pfBranchDropArea->addAcceptedTypes("Routing"); m_dialog->pfBranchDropArea->setHelperText("Drop rule set object 
here"); m_dialog->natBranchDropArea->addAcceptedTypes("NAT"); m_dialog->natBranchDropArea->setHelperText("Drop NAT rule set object here"); connectSignalsOfAllWidgetsToSlotChange(); }; ActionsDialog::~ActionsDialog() { delete m_dialog; } void ActionsDialog::loadFWObject(FWObject *o) { obj = o; setRule(Rule::cast(o)); } void ActionsDialog::validate(bool *res) { FWOptions *ruleopt =rule->getOptionsObject(); *res=true; if (platform=="iptables") { /* * http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-ROUTE * says: * * "Note that --iif, --continue, and --tee, are mutually exclusive." */ string iif = ruleopt->getStr("ipt_iif"); int cont = ruleopt->getBool("ipt_continue"); int tee = ruleopt->getBool("ipt_tee"); if ( (int(!iif.empty()) + cont + tee) > 1) { *res=false; QMessageBox::critical(this, "Firewall Builder", tr("'Change inbound interface', 'Continue packet inspection' and 'Make a copy' options are mutually exclusive"), tr("&Continue"), 0, 0, 0 ); } } } void ActionsDialog::applyChanges() { std::auto_ptr cmd( new FWCmdRuleChangeAction(m_project, obj)); // new_state is a copy of the rule object FWObject* new_state = cmd->getNewState(); FWOptions* new_rule_options = Rule::cast(new_state)->getOptionsObject(); if (platform=="iptables" && editor=="AccountingStr") { QString rn = m_dialog->accountingvalue_str->text(); /* rule name for accounting may contain only alphanumeric characters * and no white spaces or spec. 
characters */ if (rn.contains(QRegExp("[^a-zA-Z0-9_]"))!=0) { QMessageBox::information( this,"Firewall Builder", tr("Rule name for accounting is converted to the iptables\nchain name and therefore may not contain white space\nand special characters."), tr("&Continue"), QString::null,QString::null, 0, 1 ); return; } } data.saveAll(new_rule_options); Rule *rule = Rule::cast(new_state); if (editor=="BranchChain") { RuleSet *ruleset = RuleSet::cast(m_dialog->iptBranchDropArea->getObject()); // if ruleset==NULL, setBranch clears setting in the rule rule->setBranch(ruleset); } if (editor=="BranchAnchor") { RuleSet *ruleset = RuleSet::cast(m_dialog->pfBranchDropArea->getObject()); // if ruleset==NULL, setBranch clears setting in the rule rule->setBranch(ruleset); } if (editor=="NATBranch") { RuleSet *ruleset = RuleSet::cast(m_dialog->natBranchDropArea->getObject()); // if ruleset==NULL, setBranch clears setting in the rule rule->setBranch(ruleset); } if (!cmd->getOldState()->cmp(new_state, true)) m_project->undoStack->push(cmd.release()); } void ActionsDialog::tagvalueChanged(int) { // QString buf; //!!! buf.setNum(m_dialog->tagvalue_int->value()); //!!! 
m_dialog->tagvalue_str->setText(buf); } void ActionsDialog::setRule(Rule *r) { rule = r; FWObject *o = r; while (o!=NULL && Firewall::cast(o)==NULL) o = o->getParent(); Firewall *f = Firewall::cast(o); firewall = f; FWOptions *ropt = rule->getOptionsObject(); string act = getRuleAction(rule).toStdString(); if (firewall) { // firewall can be NULL if rule set is in Deleted Objects library platform = firewall->getStr("platform"); editor = DialogFactory::getActionDialogPageName(firewall, r); } if (fwbdebug) qDebug() << "ActionsDialog::setRule" << "Action: " << getRuleAction(rule) << "editor: " << editor.c_str(); QStringList actionsOnReject = getActionsOnReject( platform.c_str() ); m_dialog->rejectvalue->clear(); m_dialog->rejectvalue->addItems( getScreenNames( actionsOnReject ) ); branchNameInput = NULL; data.clear(); data.registerOption(m_dialog->accountingvalue_str, ropt, "rule_name_accounting"); data.registerOption(m_dialog->divertPortNum, ropt, "ipfw_pipe_port_num"); data.registerOption(m_dialog->custom_str, ropt, "custom_str"); // REJECT action: data.registerOption(m_dialog->rejectvalue, ropt, "action_on_reject"); QWidget *w = m_dialog->NonePage; if (editor=="Reject") { w=m_dialog->RejectPage; } else if (editor=="AccountingStr") { w = m_dialog->AccountingStrPage; } else if (editor=="PipeArgsIPFW") { w = m_dialog->PipeArgsIPFW; } else if (editor=="CustomStr") { w = m_dialog->CustomStrPage; } else if (editor=="BranchChain") { w = m_dialog->BranchChainPage; RuleSet *ruleset = r->getBranch(); m_dialog->iptBranchDropArea->setObject(ruleset); data.registerOption( m_dialog->ipt_branch_in_mangle, ropt, "ipt_branch_in_mangle" ); } else if (editor=="BranchAnchor") { w=m_dialog->BranchAnchorPage; RuleSet *ruleset = r->getBranch(); m_dialog->pfBranchDropArea->setObject(ruleset); } else if (editor=="NATBranch") { w = m_dialog->NATBranchPage; RuleSet *ruleset = r->getBranch(); m_dialog->natBranchDropArea->setObject(ruleset); } m_dialog->widgetStack->setCurrentWidget(w); 
data.loadAll(); } fwbuilder-5.3.7/src/libgui/ActionsDialog.h000066400000000000000000000037161303637203600204560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ACTIONSDIALOG_H_ #define __ACTIONSDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include "DialogData.h" #include #include "fwbuilder/FWObject.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Resources.h" namespace libfwbuilder { class Rule; class Firewall; } class QLineEdit; class QComboBox; class FWObjectDropArea; class ActionsDialog : public BaseObjectDialog { Q_OBJECT; private: libfwbuilder::Firewall *firewall; libfwbuilder::Rule *rule; std::string editor; std::string platform; QLineEdit *branchNameInput; DialogData data; FWObjectDropArea * BranchChainArea ; FWObjectDropArea * BranchAnchorArea; FWObjectDropArea * TagIntArea ; FWObjectDropArea * TagStrArea ; public: Ui::ActionsDialog_q *m_dialog; ActionsDialog(QWidget *parent); ~ActionsDialog(); public slots: virtual void applyChanges(); virtual void tagvalueChanged(int); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); void setRule(libfwbuilder::Rule*); }; #endif 
fwbuilder-5.3.7/src/libgui/AddressRangeDialog.cpp000066400000000000000000000104031303637203600217420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "ProjectPanel.h" #include "FWCmdChange.h" #include "FWBSettings.h" #include "FWBTree.h" #include "AddressRangeDialog.h" #include "fwbuilder/Library.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/FWException.h" #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; AddressRangeDialog::AddressRangeDialog(QWidget *parent): BaseObjectDialog(parent) { m_dialog = new Ui::AddressRangeDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } AddressRangeDialog::~AddressRangeDialog() { delete m_dialog; } void AddressRangeDialog::loadFWObject(FWObject *o) { obj=o; AddressRange *s = dynamic_cast(obj); assert(s!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->rangeStart->setText( s->getRangeStart().toString().c_str() ); m_dialog->rangeEnd->setText( s->getRangeEnd().toString().c_str() ); m_dialog->commentKeywords->loadFWObject(o); //apply->setEnabled( 
false ); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->rangeStart->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->rangeStart); m_dialog->rangeEnd->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->rangeEnd); init=false; } void AddressRangeDialog::validate(bool *res) { *res=true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; } AddressRange *s = dynamic_cast(obj); assert(s!=NULL); try { InetAddr(m_dialog->rangeStart->text().toLatin1().constData()); InetAddr(m_dialog->rangeEnd->text().toLatin1().constData()); } catch (FWException &ex) { *res = false; // show warning dialog only if app has focus if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical( this, "Firewall Builder", QString::fromUtf8(ex.toString().c_str()), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } } } void AddressRangeDialog::applyChanges() { std::auto_ptr cmd(new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); AddressRange *s = dynamic_cast(new_state); assert(s!=NULL); string oldname = obj->getName(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); try { InetAddr addr_start(m_dialog->rangeStart->text().toStdString()); InetAddr addr_end(m_dialog->rangeEnd->text().toStdString()); if (addr_end < addr_start) { addr_end = addr_start; m_dialog->rangeEnd->setText(addr_end.toString().c_str()); } s->setRangeStart(addr_start); s->setRangeEnd(addr_end); } catch (FWException &ex) { } if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/AddressRangeDialog.h000066400000000000000000000026561303637203600214220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we 
release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ADDRESSRANGEDIALOG_H_ #define __ADDRESSRANGEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class AddressRangeDialog : public BaseObjectDialog { Q_OBJECT; Ui::AddressRangeDialog_q *m_dialog; public: AddressRangeDialog(QWidget *parent); ~AddressRangeDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // ADDRESSRANGEDIALOG_H fwbuilder-5.3.7/src/libgui/AddressTableDialog.cpp000066400000000000000000000157611303637203600217510ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "ProjectPanel.h" #include "AddressTableDialog.h" #include "TextFileEditor.h" #include "FWBSettings.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; AddressTableDialog::AddressTableDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::AddressTableDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } AddressTableDialog::~AddressTableDialog() { delete m_dialog; } void AddressTableDialog::loadFWObject(FWObject *o) { obj=o; AddressTable *s = dynamic_cast(obj); assert(s!=NULL); init = true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); m_dialog->filename->setText( s->getSourceName().c_str() ); m_dialog->r_compiletime->setChecked(s->isCompileTime() ); m_dialog->r_runtime->setChecked(s->isRunTime() ); //BrowseButton->setEnabled(s->isCompileTime() ); //apply->setEnabled( false ); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->filename->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->filename); updateButtons(); init = false; } void AddressTableDialog::updateButtons() { m_dialog->editButton->setEnabled( ! 
m_dialog->filename->text().isEmpty()); } void AddressTableDialog::validate(bool *res) { *res=true; AddressTable *s = dynamic_cast(obj); assert(s!=NULL); if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; } } void AddressTableDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); AddressTable *s = dynamic_cast(new_state); assert(s!=NULL); string oldname = obj->getName(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); QByteArray cs = m_dialog->filename->text().toLocal8Bit(); s->setSourceName( (const char *)cs ); s->setRunTime(m_dialog->r_runtime->isChecked() ); updateButtons(); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } static void doReminderAboutDataDir() { if (st->isReminderAboutDataDirSuppressed()) return; QMessageBox msgBox; msgBox.setText("The file you selected is inside the " "'data directory' global preference. The path of the " "file has been converted to use the variable %DATADIR% " "so that expansion will happen properly within rules."); msgBox.setWindowModality(Qt::ApplicationModal); msgBox.setWindowFlags(Qt::Window | Qt::WindowTitleHint | Qt::CustomizeWindowHint | #if QT_VERSION >= 0x040500 Qt::WindowCloseButtonHint | #endif Qt::WindowSystemMenuHint); msgBox.setWindowTitle("Data directory conversion"); QCheckBox cb("Do not show this again", &msgBox); msgBox.addButton(&cb, QMessageBox::ResetRole); msgBox.addButton(QMessageBox::Close); msgBox.setDefaultButton(QMessageBox::Close); msgBox.setIcon(QMessageBox::Information); /* Hack alert! Disconnect signals from the checkbox so that QMessageBox doesn't know when it gets clicked, and treat it like an "OK" action. 
*/ cb.disconnect(); msgBox.exec(); if (cb.isChecked()) st->suppressReminderAboutDataDir(true); } void AddressTableDialog::browse() { // build a dialog that will let user select existing file or enter // a name even if the file does not exist QString s = QFileDialog::getOpenFileName( this, tr("Choose a file or type the name to create new"), st->getOpenFileDir(mw->getCurrentFileName()), tr("All files (*)")); if (s.isEmpty()) return; st->setOpenFileDir(s); QString dataDir = st->getDataDir(); if (!dataDir.isEmpty()) { QString dataDirPath = QFileInfo(dataDir).canonicalFilePath(); QString filePath = QFileInfo(s).canonicalFilePath(); if (filePath.length() > 0 && filePath.startsWith(dataDirPath)) { int truncateLen = dataDirPath.length(); if (dataDirPath.at(truncateLen-1) == '/' || dataDirPath.at(truncateLen-1) == '\\') { truncateLen--; } s = filePath.replace(0, truncateLen, "%DATADIR%"); doReminderAboutDataDir(); } } m_dialog->filename->setText(s); // assign focus to the "file name" input field so that it // generates signal editFinished when user clicks // elsewhere. We use this signal to call changed() which in // turn calls applyChanges() to save data m_dialog->filename->setFocus(Qt::OtherFocusReason); updateButtons(); } void AddressTableDialog::editFile( void ) { QString filePath = m_dialog->filename->text(); if (filePath.startsWith("%DATADIR%")) { QString dataDir = st->getDataDir(); if (dataDir.isEmpty()) { QMessageBox::critical(this, "Firewall Builder", tr("Data directory setting is blank " "and path contains %DATADIR% variable")); return; } filePath.replace(0, 9, dataDir); } TextFileEditor editor(this, filePath); if (editor.load()) editor.exec(); // its modal dialog } fwbuilder-5.3.7/src/libgui/AddressTableDialog.h000066400000000000000000000027541303637203600214140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ADDRESSTABLEDIALOG_H_ #define __ADDRESSTABLEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class AddressTableDialog : public BaseObjectDialog { Q_OBJECT; Ui::AddressTableDialog_q *m_dialog; public: AddressTableDialog(QWidget *parent); ~AddressTableDialog(); void updateButtons(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void browse(); virtual void editFile( void ); }; #endif fwbuilder-5.3.7/src/libgui/AskLibForCopyDialog.cpp000066400000000000000000000064211303637203600220540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "AskLibForCopyDialog.h" #include "FWBSettings.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include using namespace std; using namespace libfwbuilder; FWObject *AskLibForCopyDialog::askLibForCopyDialog( QWidget *parent, libfwbuilder::FWObjectDatabase *db, libfwbuilder::FWObject *curr) { AskLibForCopyDialog dlg(parent, db, curr); if ( dlg.exec() == QDialog::Accepted ) return dlg.getChoosenLib(); return 0; } AskLibForCopyDialog::~AskLibForCopyDialog() { delete m_dialog; } AskLibForCopyDialog::AskLibForCopyDialog( QWidget *parent, FWObjectDatabase *db, libfwbuilder::FWObject *curr): QDialog(parent), m_db(db), m_curr(curr) { m_dialog = new Ui::asklibforcopydialog_q; m_dialog->setupUi(this); loadObjects(); } void AskLibForCopyDialog::loadObjects() { list ll = m_db->getByType( Library::TYPENAME ); for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { FWObject *lib = (*i); if ((lib->getId()==FWObjectDatabase::DELETED_OBJECTS_ID && ! st->getBool("UI/ShowDeletedObjects"))|| lib->getId() == FWObjectDatabase::STANDARD_LIB_ID || lib->getId() == FWObjectDatabase::TEMPLATE_LIB_ID) continue; int ind = addLib( lib ); if (m_curr == lib) m_dialog->libs->setCurrentIndex(ind); } } int AskLibForCopyDialog::addLib( FWObject *lib) { QString newlibname = QString::fromUtf8(lib->getName().c_str()); int N = m_dialog->libs->count(); int idx = 0; vector::iterator i1=idxToLibs.begin(); //vector::iterator i2=idxToTrees.begin(); for ( ; idxlibs->itemText(idx) > newlibname ) break; string icn=":/Icons/"+lib->getTypeName()+"/icon-tree"; //Resources::global_res->getObjResourceStr(lib,"icon-tree").c_str(); QPixmap pm; if ( ! 
QPixmapCache::find( icn.c_str(), pm) ) { pm.load( icn.c_str() ); QPixmapCache::insert( icn.c_str(), pm); } m_dialog->libs->insertItem( idx, pm, newlibname); // idx=libs->count()-1; m_dialog->libs->setCurrentIndex(idx); idxToLibs.insert(i1,lib); return idx; } FWObject *AskLibForCopyDialog::getChoosenLib() { int ind = m_dialog->libs->currentIndex(); if (0 <= ind) return idxToLibs[ind]; return 0; } fwbuilder-5.3.7/src/libgui/AskLibForCopyDialog.h000066400000000000000000000034301303637203600215160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ASKLIBFORCOPYDIALOG_H_ #define __ASKLIBFORCOPYDIALOG_H_ #include "config.h" #include "global.h" #include namespace libfwbuilder{ class FWObject; class FWObjectDatabase; } class AskLibForCopyDialog : public QDialog { Q_OBJECT private: libfwbuilder::FWObjectDatabase *m_db; std::vector idxToLibs; libfwbuilder::FWObject *m_curr; Ui::asklibforcopydialog_q *m_dialog; AskLibForCopyDialog( QWidget *parent, libfwbuilder::FWObjectDatabase *db, libfwbuilder::FWObject *curr = 0); int getIdxForLib(libfwbuilder::FWObject* lib); void loadObjects(); int addLib( libfwbuilder::FWObject *lib); libfwbuilder::FWObject *getChoosenLib(); public: ~AskLibForCopyDialog(); static libfwbuilder::FWObject *askLibForCopyDialog( QWidget *parent, libfwbuilder::FWObjectDatabase *db, libfwbuilder::FWObject *curr = 0); }; #endif fwbuilder-5.3.7/src/libgui/AttachedNetworksDialog.cpp000066400000000000000000000107161303637203600226610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 201 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBTree.h" #include "AttachedNetworksDialog.h" #include "ProjectPanel.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Inet6AddrMask.h" #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; AttachedNetworksDialog::AttachedNetworksDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::AttachedNetworksDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } AttachedNetworksDialog::~AttachedNetworksDialog() { delete m_dialog; } void AttachedNetworksDialog::loadFWObject(FWObject *o) { obj=o; AttachedNetworks *s = dynamic_cast(obj); assert(s!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->addresses->setEnabled(false); // always read-only setDisabledPalette(m_dialog->addresses); Interface *parent_intf = Interface::cast(obj->getParent()); assert(parent_intf); m_dialog->addresses->clear(); FWObjectTypedChildIterator k = parent_intf->findByType(IPv4::TYPENAME); for ( ; k!=k.end(); ++k) { Address *addr = Address::cast(*k); addAddressToList(addr->getNetworkAddressPtr(), addr->getNetmaskPtr()); } k = parent_intf->findByType(IPv6::TYPENAME); for ( ; k!=k.end(); ++k) { Address *addr = Address::cast(*k); addAddressToList(addr->getNetworkAddressPtr(), addr->getNetmaskPtr()); } init=false; } void 
AttachedNetworksDialog::addAddressToList(const InetAddr *ip_addr, const InetAddr *ip_netm) { QString name("%1/%2"); QString itm; if (ip_addr->isV6()) { itm = name.arg(ip_addr->toString().c_str()).arg(ip_netm->getLength()); } else { itm = name.arg(ip_addr->toString().c_str()).arg(ip_netm->toString().c_str()); } QList items = m_dialog->addresses->findItems( itm, Qt::MatchExactly); if (items.size() == 0) m_dialog->addresses->addItem(itm); } void AttachedNetworksDialog::validate(bool *result) { if (fwbdebug) qDebug() << "AttachedNetworksDialog::validate"; *result = true; AttachedNetworks *s = dynamic_cast(obj); assert(s!=NULL); if (!validateName(this, obj, m_dialog->obj_name->text())) { *result = false; } } void AttachedNetworksDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); AttachedNetworks *s = dynamic_cast(new_state); assert(s!=NULL); string oldname = obj->getName(); new_state->setName(string(m_dialog->obj_name->text().toUtf8().constData())); m_dialog->commentKeywords->applyChanges(new_state); if (!cmd->getOldState()->cmp(new_state, true)) { if (fwbdebug) qDebug() << "Pushing FWCmdChange to undo stack"; if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/AttachedNetworksDialog.h000066400000000000000000000031731303637203600223250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ATTACHEDNETWORKSDIALOG_H_ #define __ATTACHEDNETWORKSDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; namespace libfwbuilder { class InetAddr; }; class AttachedNetworksDialog : public BaseObjectDialog { Q_OBJECT; Ui::AttachedNetworksDialog_q *m_dialog; void addAddressToList(const libfwbuilder::InetAddr *ip_addr, const libfwbuilder::InetAddr *ip_netm); public: AttachedNetworksDialog(QWidget *parent); ~AttachedNetworksDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // ATTACHEDNETWORKSDIALOG_H fwbuilder-5.3.7/src/libgui/BackgroundCompileInfoWidget.cpp000066400000000000000000000042701303637203600236350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include #include "instDialog.h" #include "FWWindow.h" #include "BackgroundCompileInfoWidget.h" BackgroundCompileInfoWidget::BackgroundCompileInfoWidget(QWidget *parent, instDialog *instDialog, FWWindow *fwwindow) : QWidget(parent), m_fwwindow(fwwindow) { connect(instDialog, SIGNAL(autoCompileDone()), this, SLOT(autoCompileIsDone())); m_label = new QLabel(tr("Compiling firewalls in background: ")); m_label->setSizePolicy(QSizePolicy::Minimum, QSizePolicy::Minimum); m_progressBar = new QProgressBar(); m_progressBar->setMaximumWidth(100); m_progressBar->setSizePolicy(QSizePolicy::Minimum, QSizePolicy::Minimum); QHBoxLayout *hboxlayout = new QHBoxLayout(); hboxlayout->setSpacing(0); hboxlayout->setMargin(0); hboxlayout->addWidget(m_label); hboxlayout->addWidget(m_progressBar); setLayout(hboxlayout); setSizePolicy(QSizePolicy::Minimum, QSizePolicy::Minimum); connect(instDialog, SIGNAL(currentFirewallsBarMaximumValueChanged(int)), m_progressBar, SLOT(setMaximum(int))); connect(instDialog, SIGNAL(currentFirewallsBarvalueChanged(int)), m_progressBar, SLOT(setValue(int))); m_fwwindow->statusBar()->addPermanentWidget(this); } void BackgroundCompileInfoWidget::autoCompileIsDone() { m_fwwindow->statusBar()->removeWidget(this); deleteLater(); } fwbuilder-5.3.7/src/libgui/BackgroundCompileInfoWidget.h000066400000000000000000000025151303637203600233020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef BACKGROUNDCOMPILEINFOWIDGET_H #define BACKGROUNDCOMPILEINFOWIDGET_H #include class instDialog; class FWWindow; class QProgressBar; class QLabel; class BackgroundCompileInfoWidget : public QWidget { Q_OBJECT public: BackgroundCompileInfoWidget(QWidget *parent, instDialog *instDialog, FWWindow *fwwindow); private: FWWindow *m_fwwindow; QProgressBar *m_progressBar; QLabel *m_label; public slots: void autoCompileIsDone(); }; #endif // BACKGROUNDCOMPILEINFOWIDGET_H fwbuilder-5.3.7/src/libgui/BaseObjectDialog.cpp000066400000000000000000000060751303637203600214130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "FWObjectDropArea.h" #include "BaseObjectDialog.h" #include "CommentKeywords.h" #include #include #include #include #include #include void BaseObjectDialog::connectSignalsOfAllWidgetsToSlotChange() { QList all_dialog_widgets = findChildren(QString()); foreach(QWidget* w, all_dialog_widgets) { FWObjectDropArea *da = dynamic_cast(w); if (da) { connect(da, SIGNAL(objectDeleted()), this, SLOT(changed())); connect(da, SIGNAL(objectInserted()), this, SLOT(changed())); continue; } QLineEdit *le = qobject_cast(w); if (le) { connect(le, SIGNAL(editingFinished()), this, SLOT(changed())); continue; } QCheckBox *cb = qobject_cast(w); if (cb) { connect(cb, SIGNAL(stateChanged(int)), this, SLOT(changed())); continue; } QRadioButton *rb = qobject_cast(w); if (rb) { connect(rb, SIGNAL(toggled(bool)), this, SLOT(changed())); continue; } QComboBox *cmb = qobject_cast(w); if (cmb) { connect(cmb, SIGNAL(activated(int)), this, SLOT(changed())); continue; } QSpinBox *sb = qobject_cast(w); if (sb) { connect(sb, SIGNAL(editingFinished()), this, SLOT(changed())); continue; } QTextEdit *textEdit = qobject_cast(w); if (textEdit) { connect(textEdit, SIGNAL(textChanged()), this, SLOT(changed())); continue; } CommentKeywords *ck = dynamic_cast(w); if (ck) { connect(ck, SIGNAL(changed()), this, SLOT(changed())); continue; } } } void BaseObjectDialog::changed() { QWidget *s = dynamic_cast(sender()); if (fwbdebug) qDebug() << "BaseObjectDialog::changed() from " << s; if (!init) { emit changed_sign(); } } fwbuilder-5.3.7/src/libgui/BaseObjectDialog.h000066400000000000000000000031511303637203600210500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public 
License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __BASEOBJECTDIALOG_H_ #define __BASEOBJECTDIALOG_H_ #include "global.h" #include "fwbuilder/FWObject.h" #include #include class ProjectPanel; class BaseObjectDialog : public QWidget { Q_OBJECT; protected: libfwbuilder::FWObject *obj; bool init; ProjectPanel *m_project; public slots: virtual void changed(); public: BaseObjectDialog(QWidget *parent) : QWidget(parent) { obj = 0; init = false; m_project = NULL; } virtual ~BaseObjectDialog() {}; void attachToProjectWindow(ProjectPanel *pp) { m_project = pp; } ProjectPanel* getAssociatedProjectWindow() { return m_project; } void connectSignalsOfAllWidgetsToSlotChange(); signals: void changed_sign(); }; #endif fwbuilder-5.3.7/src/libgui/BlankDialog.cpp000066400000000000000000000025001303637203600204260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "BlankDialog.h" using namespace std; using namespace libfwbuilder; BlankDialog::BlankDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::BlankDialog_q; m_dialog->setupUi(this); obj=NULL; } BlankDialog::~BlankDialog() { delete m_dialog; } void BlankDialog::loadFWObject(FWObject *o) { obj = o; } void BlankDialog::validate(bool *res) { *res = true; } void BlankDialog::applyChanges() { } fwbuilder-5.3.7/src/libgui/BlankDialog.h000066400000000000000000000025431303637203600201020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __BLANKDIALOG_H_ #define __BLANKDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class BlankDialog : public BaseObjectDialog { Q_OBJECT; Ui::BlankDialog_q *m_dialog; public: BlankDialog(QWidget *parent); ~BlankDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif fwbuilder-5.3.7/src/libgui/ClickableLabel.cpp000066400000000000000000000003111303637203600210660ustar00rootroot00000000000000#include "ClickableLabel.h" ClickableLabel::ClickableLabel(QWidget * parent, Qt::WindowFlags) { setParent(parent); } void ClickableLabel::mousePressEvent ( QMouseEvent *) { emit clicked(); } fwbuilder-5.3.7/src/libgui/ClickableLabel.h000066400000000000000000000004511303637203600205400ustar00rootroot00000000000000#ifndef CLICKABLELABEL_H #define CLICKABLELABEL_H #include class ClickableLabel : public QLabel { Q_OBJECT public: ClickableLabel(QWidget *parent = 0, Qt::WindowFlags f = 0 ); void mousePressEvent(QMouseEvent *); signals: void clicked(); }; #endif // CLICKABLELABEL_H fwbuilder-5.3.7/src/libgui/ClusterDialog.cpp000066400000000000000000000172401303637203600210270ustar00rootroot00000000000000/* * ClusterDialog.cpp - Cluster view implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. 
* * o The terms of NetCitadel End User License Agreement */ #include "ClusterDialog.h" #include "utils.h" #include "platforms.h" #include "DialogFactory.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "FWCmdChange.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Interface.h" #include #include #include #include using namespace std; using namespace libfwbuilder; ClusterDialog::~ClusterDialog() { delete m_dialog; } ClusterDialog::ClusterDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::ClusterDialog_q; m_dialog->setupUi(this); obj = NULL; connectSignalsOfAllWidgetsToSlotChange(); } void ClusterDialog::loadFWObject(FWObject *o) { obj = o; Cluster *s = dynamic_cast(obj); assert(s != NULL); QString platform = obj->getStr("platform").c_str(); // fill in platform setPlatform(m_dialog->platform, platform); // fill in host OS setHostOS(m_dialog->hostOS, platform, obj->getStr("host_OS").c_str()); updateTimeStamps(); /* Management *mgmt = s->getManagementObject(); assert(mgmt != NULL); */ m_dialog->obj_name->setText(QString::fromUtf8(s->getName().c_str())); m_dialog->commentKeywords->loadFWObject(o); m_dialog->inactive->setChecked(s->getInactive()); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->platform->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->platform); m_dialog->hostOS->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->hostOS); /* m_dialog->fwAdvanced->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->fwAdvanced); m_dialog->osAdvanced->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->osAdvanced); */ m_dialog->inactive->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->inactive); } void ClusterDialog::updateTimeStamps() { QDateTime dt; time_t t; t = obj->getInt("lastModified"); dt.setTime_t(t); 
m_dialog->last_modified->setText((t)? dt.toString():"-"); t = obj->getInt("lastCompiled"); dt.setTime_t(t); m_dialog->last_compiled->setText((t)? dt.toString():"-"); t = obj->getInt("lastInstalled"); dt.setTime_t(t); m_dialog->last_installed->setText((t)? dt.toString():"-"); } void ClusterDialog::platformChanged() { config_changed = true; emit changed(); QString platform = readPlatform(m_dialog->platform); setHostOS(m_dialog->hostOS, platform, ""); QString pl = readPlatform(m_dialog->platform); resetClusterGroupTypes(); } void ClusterDialog::hostOSChanged() { if (readHostOS(m_dialog->hostOS).toLatin1().constData() != obj->getStr("host_OS")) { config_changed = true; resetClusterGroupTypes(); emit changed(); } } /* * Check if type of failover and state sync groups matches current * platform/host os configuration and if not, fix it. */ void ClusterDialog::resetClusterGroupTypes() { QString host_os = readHostOS(m_dialog->hostOS); list state_sync_types; getStateSyncTypesForOS(host_os, state_sync_types); for (FWObjectTypedChildIterator it = obj->findByType(StateSyncClusterGroup::TYPENAME); it != it.end(); ++it) resetSingleClusterGroupType(*it, state_sync_types); list failover_types; getFailoverTypesForOS(host_os, failover_types); list failover_groups = obj->getByTypeDeep(FailoverClusterGroup::TYPENAME); for (list::iterator it = failover_groups.begin(); it != failover_groups.end(); ++it) resetSingleClusterGroupType(*it, failover_types); } void ClusterDialog::resetSingleClusterGroupType(FWObject *grp, list &allowed_types) { string first_allowed_type; bool match = false; foreach(QStringPair p, allowed_types) { if (first_allowed_type.empty()) first_allowed_type = p.first.toStdString(); if (grp->getStr("type") == p.first.toStdString()) match = true; } if (!match) grp->setStr("type", first_allowed_type); } void ClusterDialog::validate(bool *res) { *res = true; if (!validateName(this, obj, m_dialog->obj_name->text())) { *res = false; return; } // see #2011 - do not allow "/" in 
firewall object name if (m_dialog->obj_name->text().contains("/")) { *res = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical( this,"Firewall Builder", tr("Character \"/\" is not allowed in cluster object name"), tr("&Continue"), QString::null,QString::null, 0, 1 ); blockSignals(false); } return; } } void ClusterDialog::applyChanges() { bool autorename_chidren = false; QString dialog_txt = tr( "The name of the object '%1' has changed. The program can also " "rename IP address objects that belong to this object, " "using standard naming scheme 'host_name:interface_name:ip'. " "This makes it easier to distinguish what host or a firewall " "given IP address object belongs to when it is used in " "the policy or NAT rule. The program also renames MAC address " "objects using scheme 'host_name:interface_name:mac'. " "Do you want to rename child IP and MAC address objects now? " "(If you click 'No', names of all address objects that belong to " "%2 will stay the same.)") .arg(QString::fromUtf8(obj->getName().c_str())) .arg(QString::fromUtf8(obj->getName().c_str())); if (obj->getName() != m_dialog->obj_name->text().toUtf8().constData()) { /* see comment about this in FirewallDialog */ blockSignals(true); autorename_chidren = (QMessageBox::warning( this,"Firewall Builder", dialog_txt, tr("&Yes"), tr("&No"), QString::null, 0, 1 )==0 ); blockSignals(false); } std::auto_ptr cmd( new FWCmdChange(m_project, obj, "", autorename_chidren)); FWObject* new_state = cmd->getNewState(); Cluster *s = dynamic_cast(new_state); assert(s != NULL); string oldname = obj->getName(); string newname = string(m_dialog->obj_name->text().toUtf8().constData()); string oldplatform = obj->getStr("platform"); new_state->setName(newname); m_dialog->commentKeywords->applyChanges(new_state); string pl = readPlatform(m_dialog->platform).toLatin1().constData(); new_state->setStr("platform", pl); new_state->setStr("host_OS", 
readHostOS(m_dialog->hostOS).toLatin1().constData()); s->setInactive(m_dialog->inactive->isChecked()); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } updateTimeStamps(); } fwbuilder-5.3.7/src/libgui/ClusterDialog.h000066400000000000000000000026571303637203600205020ustar00rootroot00000000000000/* * ClusterDialog.h - Cluster object view * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #ifndef __CLUSTERDIALOG_H_ #define __CLUSTERDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "utils.h" #include "fwbuilder/FWObject.h" class ProjectPanel; class ClusterDialog : public BaseObjectDialog { Q_OBJECT; Ui::ClusterDialog_q *m_dialog; void resetSingleClusterGroupType(libfwbuilder::FWObject *grp, std::list &allowed_types); void resetClusterGroupTypes(); void updateTimeStamps(); public: ClusterDialog(QWidget *parent); ~ClusterDialog(); private: /** flag to indicate host os, platform changes */ bool config_changed; public slots: virtual void applyChanges(); virtual void platformChanged(); virtual void hostOSChanged(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif /* __CLUSTERDIALOG_H_ */ fwbuilder-5.3.7/src/libgui/ClusterGroupDialog.cpp000066400000000000000000000274721303637203600220540ustar00rootroot00000000000000/* * ClusterGroupDialog.cpp - ClusterGroup view implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General 
Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #include "ClusterGroupDialog.h" #include "utils.h" #include "platforms.h" #include "events.h" #include "ObjectListViewItem.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "DialogFactory.h" #include "vrrpOptionsDialog.h" #include "FWCmdChange.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Interface.h" #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; ClusterGroupDialog::~ClusterGroupDialog() { delete m_dialog; } ClusterGroupDialog::ClusterGroupDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::ClusterGroupDialog_q; m_dialog->setupUi(this); obj = NULL; reload = false; connectSignalsOfAllWidgetsToSlotChange(); } void ClusterGroupDialog::loadFWObject(FWObject *o) { obj = o; ClusterGroup *g = dynamic_cast(obj); assert(g != NULL); init = true; // disable manage members if host OS does not support clustering. 
// Parent is either 'Cluster' or 'Interface', call getParent() approprietly FWObject *parent = obj; while (parent && !Cluster::isA(parent)) parent = parent->getParent(); if (parent == NULL) { throw FWException("ClusterGroupDialog: parent is NULL!"); } cluster = Cluster::cast(parent); string host_os = cluster->getStr("host_OS"); // Sanity check // Failover type could be wrong if user changed host OS of the cluster string type = obj->getStr("type"); list possible_cluster_group_types; if (StateSyncClusterGroup::isA(o)) getStateSyncTypesForOS(host_os.c_str(), possible_cluster_group_types); if (FailoverClusterGroup::isA(o)) getFailoverTypesForOS(host_os.c_str(), possible_cluster_group_types); enable_master_column = Resources::os_res[host_os]->getResourceBool( "/FWBuilderResources/Target/protocols/" + type + "/needs_master"); if (enable_master_column) m_dialog->fwMemberTree->showColumn(2); else m_dialog->fwMemberTree->hideColumn(2); bool acceptable_failover_type = false; for (list::iterator it=possible_cluster_group_types.begin(); it!=possible_cluster_group_types.end(); ++it) { QString t = it->first; if (t == QString(type.c_str())) { acceptable_failover_type = true; break; } } if (!acceptable_failover_type && possible_cluster_group_types.size()) obj->setStr( "type", possible_cluster_group_types.front().first.toStdString()); m_dialog->obj_name->setText(QString::fromUtf8(g->getName().c_str())); m_dialog->commentKeywords->loadFWObject(o); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); QString grp_type = obj->getStr("type").c_str(); m_dialog->type->clear(); int cp = 0; for (list::iterator i1=possible_cluster_group_types.begin(); i1!=possible_cluster_group_types.end(); i1++,cp++) { m_dialog->type->addItem( i1->second ); if ( grp_type == i1->first ) m_dialog->type->setCurrentIndex(cp); } // init link icons, master firewall is colored m_dialog->fwMemberTree->clear(); string master_iface = g->getStr("master_iface"); for 
(FWObject::iterator it = g->begin(); it != g->end(); it++) { FWObject *o = FWObjectReference::getObject(*it); if (Interface::isA(o)) { if (master_iface == FWObjectDatabase::getStringId(o->getId())) { addIcon(o, true); } else { addIcon(o); } } } if (!Resources::getTargetCapabilityBool(host_os, "supports_cluster")) { m_dialog->manageMembers->setEnabled(false); m_dialog->manageMembers->setToolTip( QObject::tr("Feature not supported by host OS '%1'").arg(host_os.c_str())); } else { m_dialog->manageMembers->setEnabled(true); m_dialog->manageMembers->setToolTip( QObject::tr("Click here to manage member firewalls of this cluster group.")); } m_dialog->fwMemberTree->resizeColumnToContents(0); m_dialog->fwMemberTree->resizeColumnToContents(1); m_dialog->fwMemberTree->resizeColumnToContents(2); m_dialog->fwMemberTree->resizeColumnToContents(3); QString dlgname = DialogFactory::getClusterGroupOptionsDialogName( ClusterGroup::cast(obj)->getOptionsObject()); if (fwbdebug) qDebug() << "ClusterGroupDialog::loadFWObject dlgname=" << dlgname; m_dialog->editParameters->setEnabled(!dlgname.isEmpty()); init = false; } void ClusterGroupDialog::saveGroupType(FWObject *group) { QString host_os = cluster->getStr("host_OS").c_str(); list possible_cluster_group_types; if (StateSyncClusterGroup::isA(obj)) getStateSyncTypesForOS(host_os, possible_cluster_group_types); if (FailoverClusterGroup::isA(obj)) getFailoverTypesForOS(host_os, possible_cluster_group_types); QString grp_type = m_dialog->type->currentText(); list::iterator li = std::find_if(possible_cluster_group_types.begin(), possible_cluster_group_types.end(), findSecondInQStringPair(grp_type)); if (li != possible_cluster_group_types.end()) group->setStr("type", li->first.toLatin1().constData() ); } void ClusterGroupDialog::addIcon(FWObject *o, bool master) { FWObject *iface = o; assert(Interface::cast(iface)!=NULL); FWObject *fw = Host::getParentHost(iface); // FWObject *fw = Interface::cast(iface)->getParentHost(); // because iface 
can be subinterface bool valid = cluster->validateMember(Firewall::cast(fw)); QString iface_name = QString::fromUtf8(iface->getName().c_str()); QString fw_name = QString::fromUtf8(fw->getName().c_str()); QString iface_icn_file = (":/Icons/" + iface->getTypeName() + "/icon-ref").c_str(); QString fw_icn_file = (":/Icons/" + fw->getTypeName() + "/icon-ref").c_str(); QPixmap iface_pm; if (!QPixmapCache::find(iface_icn_file, iface_pm)) { iface_pm.load(iface_icn_file); QPixmapCache::insert(iface_icn_file, iface_pm); } QPixmap fw_pm; if (!QPixmapCache::find(fw_icn_file, fw_pm)) { fw_pm.load(fw_icn_file); QPixmapCache::insert(fw_icn_file, fw_pm); } ObjectListViewItem *item = new ObjectListViewItem(m_dialog->fwMemberTree); int col = 0; item->setText(col, fw_name); item->setIcon(col, QIcon(fw_pm)); col++; item->setText(col, iface_name); item->setIcon(col, QIcon(iface_pm)); col++; // note that if enable_master_column==false, this column is hidden // but we still need to create an item in this column. 
if (master) item->setText(col, tr("Master")); else item->setText(col, tr("")); col++; if (valid) { item->setText(col, "OK"); item->setToolTip( col, tr("Firewall %1 can be used as a member of this cluster").arg(fw->getName().c_str())); } else { item->setText(col, tr("Invalid")); item->setToolTip( col, tr("Firewall %1 can not be used as a member of this cluster\n because its host OS or platform does not match those of the cluster.").arg(fw->getName().c_str())); item->setBackgroundColor(col, QColor(255, 0, 0, 100)); } item->setProperty("type", iface->getTypeName().c_str()); item->setFWObject(iface); } void ClusterGroupDialog::changed() { if (fwbdebug) qDebug() << "ClusterGroupDialog::changed()"; if (!reload) BaseObjectDialog::changed(); } void ClusterGroupDialog::validate(bool *res) { *res = true; if (!validateName(this, obj, m_dialog->obj_name->text())) { *res = false; } } void ClusterGroupDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); ClusterGroup *g = dynamic_cast(new_state); assert(g != NULL); QString oldname = obj->getName().c_str(); new_state->setName(string(m_dialog->obj_name->text().toUtf8().constData())); m_dialog->commentKeywords->applyChanges(new_state); saveGroupType(new_state); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } /* * This method is connected to the "Edit members" button and opens dialog * where user chooses cluster member firewalls and interfaces */ void ClusterGroupDialog::openClusterConfDialog() { try { QWidget *w = DialogFactory::createClusterConfDialog(this, obj); if (w == NULL) { return; // some dialogs may not be implemented yet } QDialog *d = dynamic_cast(w); assert(d != NULL); // connect obj changed signal //connect(d, SIGNAL(membersChanged()), this, SLOT(objectChanged())); if (d->exec() == QDialog::Accepted) { // modal dialog, dialog saves data into the object // update object tree 
(if members have changed, the object // properties summary text may have to change too) mw->activeProject()->updateObjectInTree(obj, true); // reload object to reflect changes in members loadFWObject(obj); // mark as modified changed(); } delete d; } catch (FWException &ex) { QMessageBox::critical( this, "Firewall Builder", tr("FWBuilder API error: %1").arg(ex.toString().c_str()), tr("&Continue"), QString::null, QString::null, 0, 1); return; } } void ClusterGroupDialog::openObject(QTreeWidgetItem *item) { ObjectListViewItem *otvi = dynamic_cast(item); assert(otvi != NULL); FWObject *o = otvi->getFWObject(); if (o != NULL) { QCoreApplication::postEvent( mw, new showObjectInTreeEvent(o->getRoot()->getFileName().c_str(), o->getId())); } } void ClusterGroupDialog::objectChanged() { reload = true; loadFWObject(obj); reload = false; } /* * this method is connected to the "Edit protocol parameters" button * and opens dialog where user edits state sync and failover * (heartbeat/openais/vrrp/carp/conntrack/etc) protocol parameters. 
*/ void ClusterGroupDialog::openParametersEditor() { FWOptions *gr_opt = ClusterGroup::cast(obj)->getOptionsObject(); QDialog *dlg = dynamic_cast( DialogFactory::createClusterGroupOptionsDialog(this, gr_opt)); if (dlg) { if (dlg->exec() == QDialog::Accepted) { // modal dialog, dialog saves data into the object // update object tree (if protocol type has changed, the // object properties summary text may have to change too) mw->activeProject()->updateObjectInTree(obj, true); changed(); } delete dlg; } } fwbuilder-5.3.7/src/libgui/ClusterGroupDialog.h000066400000000000000000000034071303637203600215110ustar00rootroot00000000000000/* * ClusterGroupDialog.h - ClusterGroup object view * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. 
* * o The terms of NetCitadel End User License Agreement */ #ifndef __CLUSTERGROUPDIALOG_H_ #define __CLUSTERGROUPDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include "fwbuilder/FWObject.h" class ProjectPanel; namespace libfwbuilder { class Cluster; } class ClusterGroupDialog : public BaseObjectDialog { Q_OBJECT; libfwbuilder::Cluster *cluster; Ui::ClusterGroupDialog_q *m_dialog; bool enable_master_column; void saveGroupType(libfwbuilder::FWObject *group); public: ClusterGroupDialog(QWidget *parent); ~ClusterGroupDialog(); private: /** flag to indicate that a reload of the obj takes place */ bool reload; /** * add fw/interface link icon to the fwMemberTree * * @param o fwobject to add a link for * @param set_background if true, a different background color is used */ void addIcon(libfwbuilder::FWObject *o, bool set_background = false); public slots: virtual void changed(); virtual void applyChanges(); virtual void validate(bool*); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void openClusterConfDialog(); void openObject(QTreeWidgetItem *item); void objectChanged(); void openParametersEditor(); }; #endif /* __CLUSTERDIALOG_H_ */ fwbuilder-5.3.7/src/libgui/ClusterInterfaceWidget.cpp000066400000000000000000000234461303637203600227010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ClusterInterfaceWidget.h" #include "FWBSettings.h" #include "ui_ClusterInterfaceWidget.h" #include #include using namespace libfwbuilder; using namespace std; ClusterInterfaceWidget::ClusterInterfaceWidget(QWidget *parent) : QWidget(parent), m_ui(new Ui::ClusterInterfaceWidget) { cisw = dynamic_cast(parent); m_ui->setupUi(this); interfaceBox = new QHBoxLayout(); this->layout()->addItem(interfaceBox); this->layout()->addItem(new QSpacerItem(20, 40, QSizePolicy::Minimum, QSizePolicy::Minimum)); } ClusterInterfaceWidget::~ClusterInterfaceWidget() { delete m_ui; foreach(InterfacesList list, this->lists) { delete list.list; delete list.label; delete list.layout; } } void ClusterInterfaceWidget::changeEvent(QEvent *e) { QWidget::changeEvent(e); switch (e->type()) { case QEvent::LanguageChange: m_ui->retranslateUi(this); break; default: break; } } void ClusterInterfaceWidget::setFirewallList(QList firewalls) { foreach ( Firewall* fw, firewalls ) { os = fw->getStr("host_OS").c_str(); QVBoxLayout *layout = new QVBoxLayout(); //qFindChild(this, "interfaceBox") interfaceBox->addLayout(layout); //this->m_ui->interfaceBox->addLayout(layout); //create label with firewall name QLabel *label = new QLabel(QString::fromUtf8(fw->getName().c_str()), this); layout->addWidget(label); // create object tree QTreeWidget *list = new QTreeWidget(this); list->header()->setVisible(false); layout->addWidget(list); // create firewall item in tree QTreeWidgetItem* firewall = new QTreeWidgetItem(list, QStringList() << QString::fromUtf8(fw->getName().c_str())); roots[list] = firewall; firewall->setIcon(0, QIcon(":/Icons/Firewall/icon-tree")); // interfaces and subinterfaces creation FWObjectTypedChildIterator iter = fw->findByType(Interface::TYPENAME); for ( ; iter != iter.end() ; ++iter ) { Interface *iface = Interface::cast(*iter); //if 
(iface->isLoopback()) continue; QTreeWidgetItem *ifaceitem = new QTreeWidgetItem(firewall, QStringList() << QString::fromUtf8(iface->getName().c_str())); ifaceitem->setData(0, Qt::UserRole, qVariantFromValue(iface));//QVariant(QVariant::UserType, iface)); ifaceitem->setIcon(0, QIcon(":/Icons/Interface/icon-tree")); ifaceitem->setDisabled(!interfaceSelectable(iface)); if (!interfaceSelectable(iface)) // works only for elements which does not have child elements ifaceitem->setFlags(ifaceitem->flags() & ~Qt::ItemIsSelectable); else ifaceitem->setFlags(Qt::ItemIsSelectable | Qt::ItemIsEnabled); FWObjectTypedChildIterator iter2 = iface->findByType(Interface::TYPENAME); for ( ; iter2 != iter2.end() ; ++iter2 ) { //if (iface->isLoopback()) return; Interface *subiface = Interface::cast(*iter2); QTreeWidgetItem *subitem = new QTreeWidgetItem(ifaceitem, QStringList() << QString::fromUtf8(subiface->getName().c_str())); subitem->setData(0, Qt::UserRole, qVariantFromValue(subiface));//QVariant(QVariant::UserType, subitem)); subitem->setDisabled(!interfaceSelectable(subiface)); subitem->setIcon(0, QIcon(":/Icons/Interface/icon-tree")); if (!interfaceSelectable(subiface)) subitem->setFlags(subitem->flags() & ~Qt::ItemIsSelectable); else ifaceitem->setFlags(Qt::ItemIsSelectable | Qt::ItemIsEnabled); } } list->topLevelItem(0)->setFlags(list->topLevelItem(0)->flags() & ~Qt::ItemIsSelectable); list->expandAll(); // add data to map InterfacesList newlist; newlist.label = label; newlist.layout = layout; newlist.list = list; newlist.firewall = fw; lists[fw] = newlist; } } bool ClusterInterfaceWidget::setCurrentInterface(const QString& name) { string label; bool setLabel = true; int gotItems = 0; foreach(InterfacesList list, this->lists.values()) { foreach(QTreeWidgetItem *item, list.list->findItems(name, Qt::MatchCaseSensitive | Qt::MatchExactly | Qt::MatchRecursive)) { Interface *iface = item->data(0, Qt::UserRole).value(); if (iface == NULL) continue; if ( item == roots[list.list] ) 
continue; // skip firewall object if ( interfaceSelectable(iface) ) // interface is good for use in cluster { list.list->setCurrentItem(item); gotItems++; if (label.length() == 0) label = iface->getLabel(); else if (label != iface->getLabel()) setLabel = false; break; } } } if (gotItems < this->lists.values().count()) return false; this->m_ui->name->setText(name); if (setLabel) this->m_ui->label->setText(QString::fromUtf8(label.c_str())); return true; } void ClusterInterfaceWidget::nameChanged(QString newname) { cisw->setTabText(cisw->indexOf(this), newname); } ClusterInterfaceData ClusterInterfaceWidget::getInterfaceData() { ClusterInterfaceData res; res.os = os; res.name = this->m_ui->name->text(); res.label = this->m_ui->label->text(); res.comment = this->m_ui->comment->toPlainText(); foreach(InterfacesList ifacelist, this->lists.values()) { QTreeWidgetItem *item = ifacelist.list->selectedItems().first(); Interface* iface = item->data(0, Qt::UserRole).value(); FWObject *parent_fw = Host::getParentHost(iface); res.interfaces.append(qMakePair(Firewall::cast(parent_fw), iface)); } return res; } bool ClusterInterfaceWidget::interfaceSelectable(Interface* iface) { libfwbuilder::Cluster cluster; // cluster.add(iface, false); cluster.setStr("host_OS", os.toStdString()); Resources* os_res = Resources::os_res[os.toStdString()]; string os_family = os.toStdString(); if (os_res!=NULL) os_family = os_res->getResourceStr("/FWBuilderResources/Target/family"); auto_ptr int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject( os_family)); QString err; bool res = true; if (st->getBool("Objects/Interface/autoconfigureInterfaces")) res = int_prop->validateInterface(&cluster, iface, false, err); if (res) res = int_prop->isEligibleForCluster(iface); if (fwbdebug) qDebug() << "interface" << iface->getName().c_str() << "can be used in cluster:" << res; return res; } bool ClusterInterfaceWidget::isValid() { // this->lists is QMap where // InterfacesList contains 
information about object trees and // labels in this widget. Map this->lists is filled in // setFirewallList() from the list of firewalls (new InterfacesList is // created for each firewall) foreach(InterfacesList ifacelist, this->lists.values()) { // get selected items of object tree - QTreeWidget pointed by // ifacelist.list QList items = ifacelist.list->selectedItems(); if (items.isEmpty()) // nothing is selected in one of interface lists { QMessageBox::warning(this,"Firewall Builder", tr("Some of the cluster interfaces do not have any " "member firewall interface selected"), "&Continue", QString::null, QString::null, 0, 1 ); return false; } if (roots.values().contains(items.first())) { // firewall is the item selected in one of interface lists QMessageBox::warning(this,"Firewall Builder", tr("Please select interface of the member firewall " "rather than the firewall object to be used " "with cluster interface"), "&Continue", QString::null, QString::null, 0, 1 ); return false; } if (!interfaceSelectable(ifacelist.list->selectedItems().first()->data(0, Qt::UserRole).value())) { // selected interface item can not be used in this cluster QMessageBox::warning(this,"Firewall Builder", tr("%1 can not be used as cluster interface.") .arg(ifacelist.list->selectedItems().first()->text(0)), "&Continue", QString::null, QString::null, 0, 1 ); return false; } } // at least one item is selected in all object trees and it is not firewall object return true; } fwbuilder-5.3.7/src/libgui/ClusterInterfaceWidget.h000066400000000000000000000051131303637203600223350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef CLUSTERINTERFACEWIDGET_H #define CLUSTERINTERFACEWIDGET_H #include #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) # include # include # include #else # include # include # include #endif #include #include #include #include "global.h" #include #include #include #include #include #include #include #include class ClusterInterfacesSelectorWidget; struct ClusterInterfaceData; #include "ClusterInterfacesSelectorWidget.h" Q_DECLARE_METATYPE(libfwbuilder::Interface*) namespace Ui { class ClusterInterfaceWidget; } struct InterfacesList { QVBoxLayout *layout; QTreeWidget *list; QLabel *label; libfwbuilder::Firewall *firewall; }; class ClusterInterfaceWidget : public QWidget { Q_OBJECT public: ClusterInterfaceWidget(QWidget *parent = 0); ~ClusterInterfaceWidget(); void setFirewallList(QList); bool setCurrentInterface(const QString&); ClusterInterfaceData getInterfaceData(); bool interfaceSelectable(libfwbuilder::Interface*); bool isValid(); protected: void changeEvent(QEvent *e); private: Ui::ClusterInterfaceWidget *m_ui; QMap lists; ClusterInterfacesSelectorWidget *cisw; QString os; QMap roots; QHBoxLayout* interfaceBox; public slots: void nameChanged(QString); }; #endif // CLUSTERINTERFACEWIDGET_H fwbuilder-5.3.7/src/libgui/ClusterInterfaceWidget.ui000066400000000000000000000107611303637203600225300ustar00rootroot00000000000000 ClusterInterfaceWidget 0 0 578 463 Form Name: Label: Comment: 0 0 0 70 16777215 70 Select firewall interfaces to use with cluster interface and choose its name. 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" content="1" /><style type="text/css"> p, li { white-space: pre-wrap; } </style></head><body> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">Configuration of cluster interfaces depends on the failover protocol chosen on the next page. If the protocol creates its own new interface, such as <span style=" font-weight:600;">CARP</span> that creates interface <span style=" font-weight:600; font-style:italic;">carp0</span>, then the cluster interface object represents it and should have name <span style=" font-weight:600; font-style:italic;">carp0</span>. If failover protocol does not create new interfaces, such as <span style=" font-weight:600;">heartbeat</span> or <span style=" font-weight:600;">OpenAIS</span>, then cluster interface should have the same name as corresponding member firewall interfaces, that is <span style=" font-weight:600; font-style:italic;">eth0</span>, <span style=" font-weight:600; font-style:italic;">eth1.102</span>, <span style=" font-weight:600; font-style:italic;">vlan200</span>, and so on. In the latter case cluster interface is an abstraction used to define mapping between corresponding interfaces of the member firewalls and to provide place for the configuration of the failover protocol.</p></body></html> true name textChanged(QString) ClusterInterfaceWidget nameChanged(QString) 95 25 2 92 nameChanged(QString) fwbuilder-5.3.7/src/libgui/ClusterInterfacesSelectorWidget.cpp000066400000000000000000000141441303637203600245600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ClusterInterfacesSelectorWidget.h" #include using namespace libfwbuilder; using namespace std; ClusterInterfacesSelectorWidget::ClusterInterfacesSelectorWidget(QWidget *parent): QTabWidget(parent) { connect(&newInterface, SIGNAL(clicked()), this, SLOT(addNewInterface())); connect(&delInterface, SIGNAL(clicked()), this, SLOT(closeTab())); newInterface.setIcon(QIcon(":/Icons/add.png")); delInterface.setIcon(QIcon(":/Icons/del.png")); newInterface.setToolTip(tr("Add new interface")); delInterface.setToolTip(tr("Delete current interface")); /* this->setCornerWidget(&delInterface, Qt::TopRightCorner); this->setCornerWidget(&newInterface, Qt::TopLeftCorner); this->cornerWidget(Qt::TopRightCorner)->show(); this->cornerWidget(Qt::TopLeftCorner)->show();*/ noTabs = false; } ClusterInterfacesSelectorWidget::~ClusterInterfacesSelectorWidget() { this->clear(); } void ClusterInterfacesSelectorWidget::setFirewallList(QList firewalls) { while ( this->count() ) this->removeTab(0); fwlist = firewalls; set interfaces; foreach ( Firewall* fw, firewalls ) { foreach( FWObject *obj, fw->getByTypeDeep(Interface::TYPENAME) ) { Interface *iface = Interface::cast(obj); interfaces.insert(iface->getName()); } } set usedInterfaces; foreach ( string name, interfaces ) { int used = 0; foreach ( Firewall* fw, firewalls ) { foreach( FWObject *obj, fw->getByTypeDeep(Interface::TYPENAME) ) { Interface *iface = 
Interface::cast(obj); if (iface->getName() == name ) { used++; break; } } } if ( used == firewalls.count() ) usedInterfaces.insert(name); } foreach(string name, usedInterfaces) this->addInterface(QString::fromUtf8(name.c_str())); } ClusterInterfaceWidget* ClusterInterfacesSelectorWidget::addNewInterface() { if (noTabs) { this->removeTab(0); noTabs = false; this->delInterface.setEnabled(true); } ClusterInterfaceWidget* widget = new ClusterInterfaceWidget(this); widget->setFirewallList(this->fwlist); this->editors.append(widget); this->addTab(widget, tr("New interface")); return widget; } void ClusterInterfacesSelectorWidget::addInterface(const QString& name) { ClusterInterfaceWidget* widget = addNewInterface(); widget->setObjectName(name+"_widget"); if (!widget->setCurrentInterface(name)) { this->removeTab(this->indexOf(widget)); this->editors.removeAll(widget); delete widget; } } void ClusterInterfacesSelectorWidget::closeTab() { this->editors.removeAll(dynamic_cast(this->widget(this->currentIndex()))); this->removeTab(this->currentIndex()); if (this->count()==0) { noTabs = true; this->delInterface.setEnabled(false); QLabel *label = new QLabel(tr("This cluster has no interfaces. 
Add interface using button ."), this); this->addTab(label, tr("No interfaces")); } } QList ClusterInterfacesSelectorWidget::getInterfaces() { QList res; foreach ( ClusterInterfaceWidget* editor, this->editors ) { if (this->indexOf(editor) != -1) res.append(editor->getInterfaceData()); } return res; } void ClusterInterfacesSelectorWidget::clear() { QTabWidget::clear(); foreach(ClusterInterfaceWidget *editor, editors) delete editor; editors.clear(); fwlist.clear(); } bool ClusterInterfacesSelectorWidget::isValid() { // this->editor is a list of ClusterInterfaceWidgets // each of them contains data about one cluster interface foreach (ClusterInterfaceWidget *editor, this->editors) { // all cluster interfaces should be valid here if (!editor->isValid()) return false; } // checking if one firewall interface is used in two different cluster interfaces foreach(ClusterInterfaceWidget *editor1, this->editors) { foreach(ClusterInterfaceWidget *editor2, this->editors) { if (editor1 == editor2) continue; // skip checking interfaces for same editor QPair iface1, iface2; foreach(iface1, editor1->getInterfaceData().interfaces) { foreach(iface2, editor2->getInterfaceData().interfaces) { // compare pointers to interfaces selected in two different tabs if (iface1.second == iface2.second) { QMessageBox::warning(this,"Firewall Builder", tr("Interface %1 of firewall %2 is used in more than one cluster interface.") .arg(iface1.second->getName().c_str()).arg(iface1.first->getName().c_str()), "&Continue", QString::null, QString::null, 0, 1 ); return false; } } } } } return true; } fwbuilder-5.3.7/src/libgui/ClusterInterfacesSelectorWidget.h000066400000000000000000000037171303637203600242310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef CLUSTERINTERFACESSELECTORWIDGET_H #define CLUSTERINTERFACESSELECTORWIDGET_H #include #include #include #include #include class ClusterInterfaceWidget; #include "ClusterInterfaceWidget.h" struct ClusterInterfaceData { QString os; QString name; QString label; QString comment; QList > interfaces; }; class ClusterInterfacesSelectorWidget : public QTabWidget { Q_OBJECT public: ClusterInterfacesSelectorWidget(QWidget *parent = 0); ~ClusterInterfacesSelectorWidget(); void setFirewallList(QList); QList getInterfaces(); bool isValid(); private: QList editors; QList fwlist; QToolButton newInterface; QToolButton delInterface; bool noTabs; public slots: ClusterInterfaceWidget* addNewInterface(); void addInterface(const QString& name); void closeTab(); void clear(); }; #endif // CLUSTERINTERFACESSELECTORWIDGET_H fwbuilder-5.3.7/src/libgui/ColDesc.cpp000077500000000000000000000022251303637203600176020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ColDesc.h" #include "platforms.h" using namespace std; ColDesc::ColDesc() { this->type = Unknown; } ColDesc::ColDesc(const string &platform, const string &origin, ColumnType type) { this->origin = origin.c_str(); this->name = getReadableRuleElementName(platform, origin); this->type = type; } fwbuilder-5.3.7/src/libgui/ColDesc.h000077500000000000000000000025521303637203600172520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef COLDESC_H #define COLDESC_H #include #include #include class ColDesc { public: enum ColumnType { GroupHandle, RuleOp, Object, Action, Direction, Options, Time, Comment, Metric, Unknown }; ColDesc(const std::string &platform, const std::string &origin, ColumnType type); ColDesc(); QString name; QString origin; ColumnType type; }; Q_DECLARE_METATYPE(ColDesc) #endif // COLDESC_H fwbuilder-5.3.7/src/libgui/ColorLabelMenuItem.cpp000066400000000000000000000071471303637203600217550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "ColorLabelMenuItem.h" #include "FWBSettings.h" #include #include #include #include #include #include using namespace std; ColorLabelMenuItem::ColorLabelMenuItem(QWidget *parent) : QWidget(parent) { m_widget = new Ui::colorLabelMenuItem_q; m_widget->setupUi(this); setup( m_widget->noneBtn, "#FFFFFF", tr("no color") ); setup( m_widget->redBtn, st->getLabelColor(FWBSettings::RED ), st->getLabelText(FWBSettings::RED )); setup( m_widget->orangeBtn, st->getLabelColor(FWBSettings::ORANGE), st->getLabelText(FWBSettings::ORANGE)); setup( m_widget->yellowBtn, st->getLabelColor(FWBSettings::YELLOW), st->getLabelText(FWBSettings::YELLOW)); setup( m_widget->greenBtn, st->getLabelColor(FWBSettings::GREEN ), st->getLabelText(FWBSettings::GREEN )); setup( m_widget->blueBtn, st->getLabelColor(FWBSettings::BLUE ), st->getLabelText(FWBSettings::BLUE )); setup( m_widget->purpleBtn, st->getLabelColor(FWBSettings::PURPLE), st->getLabelText(FWBSettings::PURPLE)); setup( m_widget->grayBtn, st->getLabelColor(FWBSettings::GRAY ), st->getLabelText(FWBSettings::GRAY )); } void ColorLabelMenuItem::setup(QToolButton *btn, const QString &c, const QString &t) { QPixmap pm(8,8); pm.fill( QColor(c) ); QPainter p( &pm ); p.drawRect( pm.rect() ); btn->setIcon(QIcon(pm)); btn->setToolTip(t); } void ColorLabelMenuItem::colorClicked() { if (isVisible() && parentWidget() && parentWidget()->inherits("QPopupMenu") ) parentWidget()->close(); emit returnColor(color); // signal } void ColorLabelMenuItem::noneColorClicked() { color=""; colorClicked(); } void ColorLabelMenuItem::redColorClicked() { color=st->getLabelColor(FWBSettings::RED); colorClicked(); } void ColorLabelMenuItem::orangeColorClicked() { color=st->getLabelColor(FWBSettings::ORANGE); colorClicked(); } void 
ColorLabelMenuItem::yellowColorClicked() { color=st->getLabelColor(FWBSettings::YELLOW); colorClicked(); } void ColorLabelMenuItem::greenColorClicked() { color=st->getLabelColor(FWBSettings::GREEN); colorClicked(); } void ColorLabelMenuItem::blueColorClicked() { color=st->getLabelColor(FWBSettings::BLUE); colorClicked(); } void ColorLabelMenuItem::purpleColorClicked() { color=st->getLabelColor(FWBSettings::PURPLE); colorClicked(); } void ColorLabelMenuItem::grayColorClicked() { color=st->getLabelColor(FWBSettings::GRAY); colorClicked(); } fwbuilder-5.3.7/src/libgui/ColorLabelMenuItem.h000066400000000000000000000033031303637203600214100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COLORLABELMENUITEM_H_ #define __COLORLABELMENUITEM_H_ #include "config.h" #include class QToolButton; class ColorLabelMenuItem : public QWidget { Q_OBJECT void setup(QToolButton *btn, const QString &c, const QString &t); QString color; public: Ui::colorLabelMenuItem_q *m_widget; ColorLabelMenuItem(QWidget *parent); ~ColorLabelMenuItem() { delete m_widget; }; public slots: virtual void colorClicked(); virtual void noneColorClicked(); virtual void redColorClicked(); virtual void orangeColorClicked(); virtual void yellowColorClicked(); virtual void greenColorClicked(); virtual void blueColorClicked(); virtual void purpleColorClicked(); virtual void grayColorClicked(); signals: void returnColor(const QString &c); }; #endif // __COLORLABELMENUITEM_H fwbuilder-5.3.7/src/libgui/CommentEditorPanel.cpp000066400000000000000000000045011303637203600220130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "CommentEditorPanel.h" #include "FWBSettings.h" #include "ObjectManipulator.h" #include "FWWindow.h" #include "FWCmdRule.h" #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; CommentEditorPanel::~CommentEditorPanel() { delete m_widget; } CommentEditorPanel::CommentEditorPanel(QWidget *p) : BaseObjectDialog(p) { m_widget = new Ui::CommentEditorPanel_q; m_widget->setupUi(this); rule=NULL; } QString CommentEditorPanel::text() { return m_widget->editor->toPlainText(); } void CommentEditorPanel::setText(QString s) { m_widget->editor->setText(s); } void CommentEditorPanel::changed() { emit changed_sign(); } void CommentEditorPanel::applyChanges() { std::auto_ptr cmd( new FWCmdRuleChangeComment(m_project, rule)); // new_state is a copy of the rule object FWObject* new_state = cmd->getNewState(); new_state->setComment( string(m_widget->editor->toPlainText().toUtf8().constData()) ); if (!cmd->getOldState()->cmp(new_state, true)) m_project->undoStack->push(cmd.release()); } void CommentEditorPanel::loadFWObject(FWObject *obj) { Rule *r = Rule::cast(obj); rule = r; setText(QString::fromUtf8(r->getComment().c_str())); } void CommentEditorPanel::validate(bool* b) { *b=true; } fwbuilder-5.3.7/src/libgui/CommentEditorPanel.h000066400000000000000000000030351303637203600214610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COMMENTEDITORPANEL_H__ #define __COMMENTEDITORPANEL_H__ #include "config.h" #include "BaseObjectDialog.h" #include #include #include "fwbuilder/FWObject.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Firewall.h" class CommentEditorPanel : public BaseObjectDialog { Q_OBJECT; Ui::CommentEditorPanel_q *m_widget; public: CommentEditorPanel(QWidget *p); ~CommentEditorPanel(); libfwbuilder::Rule *rule; QString text(); void setText(QString s); public slots: virtual void changed(); virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif fwbuilder-5.3.7/src/libgui/CommentKeywords.cpp000066400000000000000000000052541303637203600214220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Theron Tock This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "CommentKeywords.h" #include "utils.h" #include "fwbuilder/FWObject.h" #include "KeywordsDialog.h" using namespace std; using namespace libfwbuilder; CommentKeywords::CommentKeywords(QWidget *parent) : QWidget(parent) { m_ui.setupUi(this); } void CommentKeywords::applyChanges(FWObject *newObj) { newObj->setComment(m_ui.comment->getText().toUtf8().constData()); newObj->clearKeywords(); foreach (QString keyword, m_keywords) { newObj->addKeyword(keyword.toUtf8().constData()); } } void CommentKeywords::loadFWObject(FWObject *obj) { m_obj = obj; m_keywords.clear(); set keywords = obj->getKeywords(); set::const_iterator iter; for (iter = keywords.begin(); iter != keywords.end(); ++iter) { m_keywords.append(QString::fromUtf8((*iter).c_str())); } QString comment = QString::fromUtf8(obj->getComment().c_str()); m_ui.comment->setTextDefault(comment, "Enter comment here"); updateKeywordsLabel(); m_ui.comment->setReadOnly(obj->isReadOnly()); setDisabledPalette(m_ui.comment); m_ui.keywordsButton->setEnabled(!obj->isReadOnly()); } void CommentKeywords::setReadOnlyComment(const QString &comment) { m_ui.comment->setText(comment); m_ui.comment->setReadOnly(true); m_ui.keywordsButton->setEnabled(false); } void CommentKeywords::keywordsClicked() { KeywordsDialog dialog(m_obj); if (dialog.exec() == QDialog::Accepted) { m_keywords = dialog.getKeywords(); emit changed(); } updateKeywordsLabel(); } void CommentKeywords::updateKeywordsLabel() { QString result; m_keywords = sortStrings(m_keywords); foreach (QString keyword, m_keywords) { if (!result.isEmpty()) result += ", "; result += keyword; } if (result.isEmpty()) result = "No keywords"; m_ui.keywordsLabel->setText(result); } fwbuilder-5.3.7/src/libgui/CommentKeywords.h000066400000000000000000000027071303637203600210670ustar00rootroot00000000000000/* Firewall Builder Copyright 
(C) 2011 NetCitadel, LLC Author: Theron Tock This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __CommentKeywords_h_ #define __CommentKeywords_h_ #include "fwbuilder/FWObject.h" #include class CommentKeywords : public QWidget { private: Q_OBJECT; Ui_CommentKeywords_q m_ui; libfwbuilder::FWObject *m_obj; QStringList m_keywords; void updateKeywordsLabel(); public: CommentKeywords(QWidget *parent = 0); void applyChanges(libfwbuilder::FWObject *newObj); void loadFWObject(libfwbuilder::FWObject *obj); void setReadOnlyComment(const QString &comment); signals: void changed(); public slots: virtual void keywordsClicked(); }; #endif /* CommentKeywords_h_ */ fwbuilder-5.3.7/src/libgui/CompilerDriverFactory.cpp000066400000000000000000000043451303637203600225460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "CompilerDriverFactory.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWObjectDatabase.h" #include "CompilerDriver_ipt.h" #include "CompilerDriver_pf.h" #include "CompilerDriver_ipf.h" #include "CompilerDriver_ipfw.h" #include "CompilerDriver_iosacl.h" #include "CompilerDriver_pix.h" #include "CompilerDriver_procurve_acl.h" #include "CompilerDriver_nxosacl.h" #include "../juniper_lib/CompilerDriver_junosacl.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; CompilerDriver* CompilerDriverFactory::createCompilerDriver(Firewall *fw) { string platform = fw->getStr("platform"); if (platform == "iptables") return new CompilerDriver_ipt(fw->getRoot()); if (platform == "pf") return new CompilerDriver_pf(fw->getRoot()); if (platform == "ipf") return new CompilerDriver_ipf(fw->getRoot()); if (platform == "ipfw") return new CompilerDriver_ipfw(fw->getRoot()); if (platform == "iosacl") return new CompilerDriver_iosacl(fw->getRoot()); if (platform == "nxosacl") return new CompilerDriver_nxosacl(fw->getRoot()); if (platform == "junosacl") return new CompilerDriver_junosacl(fw->getRoot()); if (platform == "pix" || platform == "fwsm") return new CompilerDriver_pix(fw->getRoot()); if (platform == "procurve_acl") return new CompilerDriver_procurve_acl(fw->getRoot()); return NULL; } fwbuilder-5.3.7/src/libgui/CompilerDriverFactory.h000066400000000000000000000022031303637203600222020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COMPILER_DRIVER_FACTORY_HH__ #define __COMPILER_DRIVER_FACTORY_HH__ #include "CompilerDriver.h" namespace libfwbuilder { class Firewall; }; class CompilerDriverFactory { public: static fwcompiler::CompilerDriver *createCompilerDriver(libfwbuilder::Firewall *fw); }; #endif fwbuilder-5.3.7/src/libgui/CompilerOutputPanel.cpp000066400000000000000000000145521303637203600222440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "CompilerOutputPanel.h" #include "FWBSettings.h" #include "ObjectManipulator.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "CompilerDriverFactory.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwcompiler/BaseCompiler.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; CompilerOutputPanel::CompilerOutputPanel(QWidget *parent) : BaseObjectDialog(parent) { m_widget = new Ui::CompilerOutputPanel_q; m_widget->setupUi(this); } CompilerOutputPanel::~CompilerOutputPanel() { delete m_widget; } void CompilerOutputPanel::changed() { emit changed_sign(); } void CompilerOutputPanel::applyChanges() { } void CompilerOutputPanel::loadFWObject(FWObject *obj) { if (fwbdebug) qDebug("CompilerOutputPanel::loadFWObject obj id=%s", FWObjectDatabase::getStringId(obj->getId()).c_str()); m_widget->compiler_output_panel->clear(); QCoreApplication::processEvents(QEventLoop::ExcludeUserInputEvents); list err_re; BaseCompiler::errorRegExp(&err_re); foreach(string re, err_re) { error_re.push_back(QRegExp(re.c_str())); } list warn_re; BaseCompiler::warningRegExp(&warn_re); foreach(string re, warn_re) { warning_re.push_back(QRegExp(re.c_str())); } QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) ); mw->showStatusBarMessage(tr("Compiling rule...") ); FWObject *p = obj; // use Firewall::cast to match both Firewall and Cluster while (!Firewall::cast(p)) p = p->getParent(); Firewall *fw = Firewall::cast(p); Rule *rule = Rule::cast(obj); CompilerDriver *dr = CompilerDriverFactory::createCompilerDriver(fw); QTextCharFormat format; QTextCharFormat normal_format; QTextCharFormat bold_format; QTextCharFormat error_format; QTextCharFormat warning_format; QTextCursor 
cursor(m_widget->compiler_output_panel->textCursor()); format = cursor.charFormat(); format.setFont(st->getCompilerOutputFont()); normal_format = format; normal_format.setForeground(QBrush(Qt::black)); bold_format = format; bold_format.setProperty(QTextFormat::FontWeight, 99); bold_format.setForeground(QBrush(Qt::black)); error_format = format; error_format.setForeground(QBrush(Qt::red)); error_format.setProperty(QTextFormat::FontWeight, 99); warning_format = format; warning_format.setForeground(QBrush(Qt::blue)); warning_format.setProperty(QTextFormat::FontWeight, 99); //m_widget->compiler_output_panel->clear(); if (dr == NULL) { // we have no compiler for this platform or unknown platform format = error_format; cursor.insertText( QObject::tr("Compiler for firewall platform %1 not found") .arg(fw->getStr("platform").c_str()), format); cursor.insertText("\n"); cursor.insertBlock(); return; } // run in test mode to prevent fatal errors from causing exit dr->setTestMode(); if (fwbdebug) dr->setDebugRule(rule->getPosition()); else dr->setEmbeddedMode(); try { QMapIterator it( dr->compileSingleRule(FWObjectDatabase::getStringId(rule->getId()))); QTextCursor cursor = m_widget->compiler_output_panel->textCursor(); while (it.hasNext()) { it.next(); QString dbg; if (fwbdebug) dbg = QString("(id: %1)").arg( FWObjectDatabase::getStringId(rule->getId()).c_str()); QString title("%1 / %2 / rule %3 %4\n"); cursor.insertText(title .arg(it.key()) .arg(rule->getParent()->getName().c_str()) .arg(rule->getPosition()) .arg(dbg), bold_format); foreach (QString line, it.value().trimmed().split("\n")) { format = normal_format; list::const_iterator it; for (it=error_re.begin(); it!=error_re.end(); ++it) { if ((*it).indexIn(line) != -1) { format = error_format; break; } } for (it=warning_re.begin(); it!=warning_re.end(); ++it) { if ((*it).indexIn(line) != -1) { format = warning_format; break; } } cursor.insertText(line + "\n", format); } cursor.insertText("\n"); cursor.insertBlock(); } } 
catch (FWException &e) { m_widget->compiler_output_panel->append(e.toString().c_str()); m_widget->compiler_output_panel->append("\n"); } QApplication::restoreOverrideCursor(); delete dr; } void CompilerOutputPanel::validate(bool* b ) { *b=true; } void CompilerOutputPanel::closeEvent(QCloseEvent *) { } void CompilerOutputPanel::resizeEvent ( QResizeEvent * /*UNUSED event */ ) { this->m_widget->compiler_output_panel->setVerticalScrollBarPolicy(Qt::ScrollBarAlwaysOn); this->m_widget->compiler_output_panel->setVerticalScrollBar(new QScrollBar()); this->m_widget->compiler_output_panel->verticalScrollBar()->show(); } fwbuilder-5.3.7/src/libgui/CompilerOutputPanel.h000066400000000000000000000033271303637203600217070ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COMPILEROUTPUTPANEL_H__ #define __COMPILEROUTPUTPANEL_H__ #include "config.h" #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Firewall.h" #include #include class ProjectPanel; class CompilerOutputPanel : public BaseObjectDialog { Q_OBJECT; libfwbuilder::RoutingRule *rule; Ui::CompilerOutputPanel_q *m_widget; std::list error_re; std::list warning_re; public: CompilerOutputPanel(QWidget* parent); ~CompilerOutputPanel(); public slots: virtual void changed(); virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void closeEvent(QCloseEvent *e); protected: virtual void resizeEvent ( QResizeEvent * event ); }; #endif fwbuilder-5.3.7/src/libgui/ConfirmDeleteObjectDialog.cpp000066400000000000000000000066351303637203600232630ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "platforms.h" #include "definitions.h" #include "ConfirmDeleteObjectDialog.h" #include "FindWhereUsedWidget.h" #include "ObjectManipulator.h" #include "FWWindow.h" #include "FWBTree.h" #include "UsageResolver.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Resources.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Library.h" //#include #include #include #include #include using namespace std; using namespace libfwbuilder; ConfirmDeleteObjectDialog::ConfirmDeleteObjectDialog(QWidget*p) : QDialog(p) { m_dialog = new Ui::ConfirmDeleteObjectDialog_q; m_dialog->setupUi(this); } ConfirmDeleteObjectDialog::~ConfirmDeleteObjectDialog() { delete m_dialog; } void ConfirmDeleteObjectDialog::load(vector objs) { if (objs.size()==0) return; vector::iterator i; for( i=objs.begin(); i!=objs.end(); ++i) { findForObject(*i); } } void ConfirmDeleteObjectDialog::findForObject(FWObject *obj) { QPixmap pm0; loadIcon(pm0, obj); map > reference_holders; UsageResolver().findAllReferenceHolders(obj, obj->getRoot(), reference_holders); set simplified_holders; map >::iterator it; for (it=reference_holders.begin(); it!=reference_holders.end(); ++it) { foreach(FWObject *o, it->second) { if (o == obj || o->isChildOf(obj)) continue; simplified_holders.insert(o); } } int itemCounter = 0; foreach(FWObject *o, simplified_holders) { QTreeWidgetItem *item = FindWhereUsedWidget::createQTWidgetItem(obj, o); if (item==NULL) 
continue; m_dialog->objectsView->addTopLevelItem(item); itemCounter++; } if (itemCounter==0) { QStringList qsl; qsl << QString::fromUtf8( obj->getName().c_str()) << "" << tr("Not used anywhere"); QTreeWidgetItem *item = new QTreeWidgetItem(m_dialog->objectsView, qsl); item->setIcon(0,QIcon(pm0)); } m_dialog->objectsView->resizeColumnToContents(0); m_dialog->objectsView->resizeColumnToContents(1); } fwbuilder-5.3.7/src/libgui/ConfirmDeleteObjectDialog.h000066400000000000000000000031701303637203600227170ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __CONFIRMDELETEOBJECTDIALOG_H_ #define __CONFIRMDELETEOBJECTDIALOG_H_ #include "config.h" #include #include "FindWhereUsedWidget.h" #include #include namespace libfwbuilder { class FWObject; } class QListWidgetItem; class ConfirmDeleteObjectDialog : public QDialog { Q_OBJECT private: libfwbuilder::FWObject *object; FindWhereUsedWidget * fwu; std::map listItemsMapping; Ui::ConfirmDeleteObjectDialog_q *m_dialog; public: ConfirmDeleteObjectDialog(QWidget*p ); ~ConfirmDeleteObjectDialog(); public slots: void load(std::vector objs); void findForObject(libfwbuilder::FWObject *obj); signals: }; #endif fwbuilder-5.3.7/src/libgui/CustomServiceDialog.cpp000066400000000000000000000150251303637203600222000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "ProjectPanel.h" #include "FWBTree.h" #include "CustomServiceDialog.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include "FWWindow.h" using namespace libfwbuilder; using namespace std; CustomServiceDialog::CustomServiceDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::CustomServiceDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } CustomServiceDialog::~CustomServiceDialog() { delete m_dialog; } void CustomServiceDialog::loadFWObject(FWObject *o) { obj=o; CustomService *s = dynamic_cast(obj); assert(s!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); /* fill in m_dialog->platform */ m_dialog->platform->clear(); int cp=0; QString default_platform = st->value(SETTINGS_PATH_PREFIX"/CustomService/Platform").toString(); QMap platforms = getAllPlatforms(); QMap::iterator i; for (i=platforms.begin(); i!=platforms.end(); i++,cp++) { // cerr << "m_dialog->platform: key=" << i.key() // << " data=" << i.data() << endl; /* * here i.key is m_dialog->platform m_dialog->code ( "ipf", "ipfw", * "iptables", "pf") while i.data is human readable name ("ipfilter", * "PF" ) */ platformReverseMap[i.value()] = i.key(); m_dialog->platform->addItem(i.value()); if (default_platform=="") default_platform = i.key(); if (default_platform==i.key()) m_dialog->platform->setCurrentIndex(cp); string platform_code = i.key().toStdString(); allCodes[i.key()] = QString(s->getCodeForPlatform(platform_code).c_str()); } fillDialogInputFields(); QString 
protocol = s->getProtocol().c_str(); if (protocol == "") protocol = "any"; m_dialog->protocol->clear(); m_dialog->protocol->addItem("any"); m_dialog->protocol->addItem("tcp"); m_dialog->protocol->addItem("udp"); m_dialog->protocol->addItem("icmp"); m_dialog->protocol->addItem("ipv6-icmp"); bool standard_protocol = false; int proto_index = 0; for (; proto_index < m_dialog->protocol->count(); ++proto_index) { if (protocol == m_dialog->protocol->itemText(proto_index)) { m_dialog->protocol->setCurrentIndex(proto_index); standard_protocol = true; break; } } if (!standard_protocol) { m_dialog->protocol->addItem(protocol); m_dialog->protocol->setCurrentIndex(proto_index); } int af = s->getAddressFamily(); if (af == AF_INET6) m_dialog->ipv6->setChecked(true); else m_dialog->ipv4->setChecked(true); //apply->setEnabled( false ); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->code->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->code); // do not make "platform" widget disabled when object is read-only // to let the user flip between platforms to see the configuration. 
See #2669 m_dialog->protocol->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->protocol); m_dialog->ipv4->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->ipv4); m_dialog->ipv6->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->ipv6); init=false; } void CustomServiceDialog::changed() { if (!init) { QString pl = platformReverseMap[m_dialog->platform->currentText()]; allCodes[pl] = m_dialog->code->text().toUtf8().constData(); } BaseObjectDialog::changed(); } void CustomServiceDialog::validate(bool *res) { *res=true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; } } void CustomServiceDialog::platformChanged() { init=true; fillDialogInputFields(); init=false; // changed(); } void CustomServiceDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); CustomService *s = dynamic_cast(new_state); assert(s!=NULL); string oldname = obj->getName(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); QMap platforms = getAllPlatforms(); QMap::iterator i; for (i=platforms.begin(); i!=platforms.end(); i++) { QString platform = i.key(); QString code = allCodes[platform]; s->setCodeForPlatform( platform.toUtf8().constData(), string(code.toUtf8().constData())); } QString protocol = m_dialog->protocol->lineEdit()->text(); s->setProtocol(string(protocol.toUtf8().constData())); int af = (m_dialog->ipv6->isChecked()) ? 
AF_INET6 : AF_INET; s->setAddressFamily(af); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } void CustomServiceDialog::fillDialogInputFields() { QString npl = platformReverseMap[m_dialog->platform->currentText()]; showPlatform = npl; st->setValue(SETTINGS_PATH_PREFIX"/CustomService/Platform", showPlatform); m_dialog->code->setText(allCodes[showPlatform]); } fwbuilder-5.3.7/src/libgui/CustomServiceDialog.h000066400000000000000000000033361303637203600216470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __CUSTOMSERVICEDIALOG_H_ #define __CUSTOMSERVICEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include #include namespace libfwbuilder { class FWObject; }; class ProjectPanel; class CustomServiceDialog : public BaseObjectDialog { Q_OBJECT QMap platformReverseMap; QMap allCodes; QString showPlatform; Ui::CustomServiceDialog_q *m_dialog; protected: void fillDialogInputFields(); public: CustomServiceDialog(QWidget *parent); ~CustomServiceDialog(); public slots: virtual void changed(); virtual void platformChanged(); virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // CUSTOMSERVICEDIALOG_H fwbuilder-5.3.7/src/libgui/DNSNameDialog.cpp000066400000000000000000000072151303637203600206340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "DNSNameDialog.h" #include "ProjectPanel.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" using namespace std; using namespace libfwbuilder; DNSNameDialog::DNSNameDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::DNSNameDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } DNSNameDialog::~DNSNameDialog() { delete m_dialog; } void DNSNameDialog::loadFWObject(FWObject *o) { obj=o; DNSName *s = dynamic_cast(obj); assert(s!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); m_dialog->dnsrec->setText( s->getSourceName().c_str() ); m_dialog->r_compiletime->setChecked(s->isCompileTime() ); m_dialog->r_runtime->setChecked(s->isRunTime() ); //apply->setEnabled( false ); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->dnsrec->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->dnsrec); if (st->getBool("Objects/DNSName/useNameForDNSRecord")) m_dialog->dnsrec->setEnabled(false); init=false; } void DNSNameDialog::validate(bool *res) { *res=true; DNSName *s = dynamic_cast(obj); assert(s!=NULL); if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; } } void DNSNameDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); DNSName *s = dynamic_cast(new_state); assert(s!=NULL); string oldname = obj->getName(); 
new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); s->setRunTime(m_dialog->r_runtime->isChecked() ); if (st->getBool("Objects/DNSName/useNameForDNSRecord") && m_dialog->obj_name->text() != m_dialog->dnsrec->text()) m_dialog->dnsrec->setText(m_dialog->obj_name->text().trimmed()); s->setSourceName( m_dialog->dnsrec->text().trimmed().toLatin1().constData() ); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/DNSNameDialog.h000066400000000000000000000025561303637203600203040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __DNSNAMEDIALOG_H_ #define __DNSNAMEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class DNSNameDialog : public BaseObjectDialog { Q_OBJECT; Ui::DNSNameDialog_q *m_dialog; public: DNSNameDialog(QWidget *parent); ~DNSNameDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif fwbuilder-5.3.7/src/libgui/DialogData.cpp000066400000000000000000000230131303637203600202520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "utils.h" #include "global.h" #include "DialogData.h" #include "fwbuilder/FWObject.h" #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; DialogOption::DialogOption(QWidget *_w, FWObject *_o, const char* _a) { w = _w; obj = _o; attr = _a; dtype = Unknown; if (dynamic_cast(w)!=NULL) dtype=String; if (dynamic_cast(w)!=NULL) dtype=Bool; if (dynamic_cast(w)!=NULL) dtype=String; if (dynamic_cast(w)!=NULL) dtype=String; if (dynamic_cast(w)!=NULL) dtype=Bool; if (dynamic_cast(w)!=NULL) dtype=Int; } DialogOption::DialogOption(QWidget *_w, FWObject *_o, const char* _a,QStringList _m) { w = _w; obj = _o; attr = _a; mapping = _m; dtype = Unknown; if (dynamic_cast(w)!=NULL) dtype=String; if (dynamic_cast(w)!=NULL) dtype=Bool; if (dynamic_cast(w)!=NULL) dtype=String; if (dynamic_cast(w)!=NULL) dtype=String; if (dynamic_cast(w)!=NULL) dtype=Bool; if (dynamic_cast(w)!=NULL) dtype=Int; } DialogData::DialogData() {} DialogData::~DialogData() { options.clear(); } void DialogData::clear() { options.clear(); } void DialogData::registerOption(QWidget *widget, libfwbuilder::FWObject *obj, const char* attr) { options.push_back( DialogOption(widget,obj,attr) ); } void DialogData::registerOption(QWidget *widget, libfwbuilder::FWObject *obj, const char* attr,QStringList mapping) { options.push_back( DialogOption(widget,obj,attr,mapping) ); } void DialogData::loadToWidget( DialogOption &dopt , bool override) { if (dynamic_cast(dopt.w)!=NULL) { QComboBox *cbx = dynamic_cast(dopt.w); QString s = (override) ? 
dopt.override_str_val : QString(dopt.obj->getStr(dopt.attr.toLatin1().constData()).c_str()); int current_item = 0; if (!dopt.mapping.empty()) { /* * REMINDER: * Mapping is defined by an array of strings in the following format: * * "Linux 2.4" , "linux24", * "IPFilter" , "ipf", * "Cisco PIX" , "pix", * NULL, NULL * * Odd strings correspond to the data in the widget, while even * strings define what is stored in the object (counting strings in * the array from 1). */ int idx = 0; QStringList::iterator i1 = dopt.mapping.begin(); QStringList::iterator i2 = dopt.mapping.begin(); ++i2; if (fwbdebug) { qDebug("loadToWidget -- QComboBox dopt.mapping.count()=%d",dopt.mapping.count()); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("loadToWidget -- QComboBox s=%s",s.toAscii().constData()); #else qDebug("loadToWidget -- QComboBox s=%s",s.toLatin1().constData()); #endif } while ( idx < dopt.mapping.count()/2 ) { if (fwbdebug) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("loadToWidget -- QComboBox (*i1)=%s",(*i1).toAscii().constData()); qDebug("loadToWidget -- QComboBox (*i2)=%s",(*i2).toAscii().constData()); #else qDebug("loadToWidget -- QComboBox (*i1)=%s",(*i1).toLatin1().constData()); qDebug("loadToWidget -- QComboBox (*i2)=%s",(*i2).toLatin1().constData()); #endif } if (s== (*i2)) { current_item = idx; } i1++; i1++; i2++; i2++; idx++; } } else { // no mapping, just scan items and find current current_item= cbx->findText(s,Qt::MatchExactly); } cbx->setCurrentIndex( current_item ); } if (dynamic_cast(dopt.w)!=NULL) { QCheckBox *cbx=dynamic_cast(dopt.w); cbx->setChecked( (override)?dopt.override_int_val:dopt.obj->getBool(dopt.attr.toLatin1().constData()) ); } if (dynamic_cast(dopt.w)!=NULL) { QLineEdit *edit=dynamic_cast(dopt.w); edit->setText( (override) ? dopt.override_str_val : QString(dopt.obj->getStr(dopt.attr.toLatin1().constData()).c_str()) ); } if (dynamic_cast(dopt.w)!=NULL) { QTextEdit *edit=dynamic_cast(dopt.w); edit->setText( (override) ? 
dopt.override_str_val : QString(dopt.obj->getStr(dopt.attr.toLatin1().constData()).c_str()) ); } if (dynamic_cast(dopt.w)!=NULL) { QRadioButton *rbtn=dynamic_cast(dopt.w); rbtn->setChecked( (override)?dopt.override_int_val:dopt.obj->getBool(dopt.attr.toLatin1().constData()) ); } if (dynamic_cast(dopt.w)!=NULL) { QSpinBox *sbx = dynamic_cast(dopt.w); sbx->setValue( (override)?dopt.override_int_val:dopt.obj->getInt(dopt.attr.toLatin1().constData()) ); } } void DialogData::loadAll() { for (list::iterator i=options.begin(); i!=options.end(); ++i) loadToWidget( *i ); } void DialogData::saveAll(FWObject *new_obj) { for (list::iterator i=options.begin(); i!=options.end(); ++i) { FWObject *use_obj = (new_obj!=NULL) ? new_obj : i->obj; if (dynamic_cast(i->w)!=NULL) { QComboBox *cbx = dynamic_cast(i->w); QString s = cbx->currentText(); if (fwbdebug) qDebug() << "DialogData::saveAll() QComboBox" << i->w->objectName() << "s=" << s.toUtf8(); if ( !i->mapping.empty() && !s.isNull() ) { if (fwbdebug) qDebug("Remapping..."); /* * REMINDER: * Mapping is defined by an array of strings in the following format: * * char *mapping[] = { * "Linux 2.4" , "linux24", * "IPFilter" , "ipf", * "Cisco PIX" , "pix", * NULL, NULL * }; * * Odd strings correspond to the data in the widget, while even * strings define what is stored in the object (counting strings in * the array from 1). 
*/ QStringList::iterator i1 = i->mapping.begin(); QStringList::iterator i2 = i->mapping.begin(); ++i2; while (i1!=i->mapping.end()) { if (fwbdebug) qDebug() << " (*i1)=" << *i1; if (s== (*i1)) { s= *i2; break; } i1++; i1++; i2++; i2++; } } if (s.isEmpty()) s=""; use_obj->setStr(i->attr.toLatin1().constData(), s.toLatin1().constData()); } if (dynamic_cast(i->w)!=NULL) { QCheckBox *cbx=dynamic_cast(i->w); use_obj->setBool(i->attr.toLatin1().constData(), cbx->isChecked() ); } if (dynamic_cast(i->w)!=NULL) { QLineEdit *edit=dynamic_cast(i->w); use_obj->setStr(i->attr.toLatin1().constData(), edit->text().toLatin1().constData() ); } if (dynamic_cast(i->w)!=NULL) { QTextEdit *edit=dynamic_cast(i->w); use_obj->setStr(i->attr.toLatin1().constData(), edit->toPlainText().toLatin1().constData() ); } if (dynamic_cast(i->w)!=NULL) { QRadioButton *rbtn=dynamic_cast(i->w); use_obj->setBool(i->attr.toLatin1().constData(), rbtn->isChecked() ); } if (dynamic_cast(i->w)!=NULL) { QSpinBox *sbx = dynamic_cast(i->w); use_obj->setInt( i->attr.toLatin1().constData(), sbx->value() ); } } } void DialogData::setWidgetValue(const char *attr,const QString &val) { for (list::iterator i=options.begin(); i!=options.end(); ++i) { if (i->attr == attr) { i->overrideValue(val); loadToWidget( *i , true ); break; } } } void DialogData::setWidgetValue(const char *attr,int val) { for (list::iterator i=options.begin(); i!=options.end(); ++i) { if (i->attr == attr) { i->overrideValue(val); loadToWidget( *i , true ); break; } } } fwbuilder-5.3.7/src/libgui/DialogData.h000066400000000000000000000065171303637203600177310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __DIALOGOPTIONS_H_ #define __DIALOGOPTIONS_H_ #include "config.h" #include class QWidget; #include #include namespace libfwbuilder { class FWObject; }; class DialogData; class DialogOption { friend class DialogData; public: enum DataType { Unknown, String, Int, Bool }; private: QWidget *w; libfwbuilder::FWObject *obj; QString attr; QStringList mapping; QString override_str_val; int override_int_val; DataType dtype; DialogOption(QWidget *widget, libfwbuilder::FWObject *obj, const char* attr); DialogOption(QWidget *widget, libfwbuilder::FWObject *obj, const char* attr, QStringList mapping); void overrideValue(const QString &val) { override_str_val=val; } void overrideValue(int val) { override_int_val=val; } DataType type() { return dtype; } }; class DialogData { std::list options; void loadToWidget( DialogOption &dopt , bool override=false ); public: DialogData(); ~DialogData(); /** * destroy all registered options, prepare for reuse */ void clear(); /** * registers an option that is stored in object 'obj' as an attribute * 'attr' and controlled by widget 'widget' in the dialog. */ void registerOption(QWidget *widget, libfwbuilder::FWObject *obj, const char *attr); /** * like the method above, plus adds a maping between option value * rendered in the widget and value stored in the object * attribute. This is mostly used for combo boxes. 
Mapping is defined * by an array of strings in the following format: * * "Linux 2.4" , "linux24", * "IPFilter" , "ipf", * "Cisco PIX" , "pix", * NULL, NULL * * Odd strings correspond to the data in the widget, while even * strings define what is stored in the object (counting strings in * the array from 1). */ void registerOption(QWidget *widget, libfwbuilder::FWObject *obj, const char *attr, QStringList map); /** * sets value 'val' in the widget that corresponds to attribute 'attr' */ void setWidgetValue(const char *attr,const QString &val); void setWidgetValue(const char *attr,int val); /** * loads all options from their respective object attributes to widgets */ void loadAll(); /** * saves all options from their widgets to object attributes */ void saveAll(libfwbuilder::FWObject *new_obj=NULL); }; #endif fwbuilder-5.3.7/src/libgui/DialogFactory.cpp000066400000000000000000000344601303637203600210200ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "DialogFactory.h" #include "LibraryDialog.h" #include "RuleSetDialog.h" #include "AddressRangeDialog.h" #include "IPv4Dialog.h" #include "IPv6Dialog.h" #include "PhysicalAddressDialog.h" #include "DNSNameDialog.h" #include "AddressTableDialog.h" #include "AttachedNetworksDialog.h" #include "NetworkDialog.h" #include "NetworkDialogIPv6.h" #include "UserDialog.h" #include "CustomServiceDialog.h" #include "ICMPServiceDialog.h" #include "IPServiceDialog.h" #include "TCPServiceDialog.h" #include "UDPServiceDialog.h" #include "GroupObjectDialog.h" #include "DynamicGroupDialog.h" #include "HostDialog.h" #include "FirewallDialog.h" #include "ClusterDialog.h" #include "ClusterGroupDialog.h" #include "InterfaceDialog.h" #include "TimeDialog.h" #include "TagServiceDialog.h" #include "iptAdvancedDialog.h" #include "ipfAdvancedDialog.h" #include "ipfwAdvancedDialog.h" #include "pfAdvancedDialog.h" #include "pixAdvancedDialog.h" #include "junosaclAdvancedDialog.h" #include "nxosaclAdvancedDialog.h" #include "iosaclAdvancedDialog.h" #include "ipcopAdvancedDialog.h" #include "secuwallAdvancedDialog.h" #include "procurveaclAdvancedDialog.h" #include "linux24IfaceOptsDialog.h" #include "secuwallIfaceOptsDialog.h" #include "vlanOnlyIfaceOptsDialog.h" #include "bsdIfaceOptsDialog.h" #include "pixosIfaceOptsDialog.h" #include "clusterMembersDialog.h" #include "linux24AdvancedDialog.h" #include "linksysAdvancedDialog.h" #include "freebsdAdvancedDialog.h" #include "openbsdAdvancedDialog.h" #include "solarisAdvancedDialog.h" #include "macosxAdvancedDialog.h" #include "pixosAdvancedDialog.h" #include "junosAdvancedDialog.h" #include "nxosAdvancedDialog.h" #include "iosAdvancedDialog.h" #include "ipcoposAdvancedDialog.h" #include 
"secuwallosAdvancedDialog.h" #include "RuleOptionsDialog.h" #include "RoutingRuleOptionsDialog.h" #include "NATRuleOptionsDialog.h" #include "vrrpOptionsDialog.h" #include "carpOptionsDialog.h" #include "pixFailoverOptionsDialog.h" #include "conntrackOptionsDialog.h" #include "heartbeatOptionsDialog.h" #include "openaisOptionsDialog.h" #include "pfsyncOptionsDialog.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/DynamicGroup.h" #include "fwbuilder/Interface.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Resources.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include #include "ProjectPanel.h" using namespace std; using namespace libfwbuilder; BaseObjectDialog *DialogFactory::createDialog(QWidget *parent, const QString &objType) { if (objType==UserService::TYPENAME) return new UserDialog(parent); if (objType==Policy::TYPENAME) return new RuleSetDialog(parent); if (objType==NAT::TYPENAME) return new RuleSetDialog(parent); if (objType==Routing::TYPENAME) return new RuleSetDialog(parent); if (objType==Library::TYPENAME) return new LibraryDialog(parent); if 
(objType==IPv4::TYPENAME) return new IPv4Dialog(parent); if (objType==IPv6::TYPENAME) return new IPv6Dialog(parent); if (objType==physAddress::TYPENAME) return new PhysicalAddressDialog(parent); if (objType==DNSName::TYPENAME) return new DNSNameDialog(parent); if (objType==AddressTable::TYPENAME) return new AddressTableDialog(parent); if (objType==AddressRange::TYPENAME) return new AddressRangeDialog(parent); if (objType==Firewall::TYPENAME) return new FirewallDialog(parent); if (objType==Cluster::TYPENAME) return new ClusterDialog(parent); if (objType==StateSyncClusterGroup::TYPENAME) return new ClusterGroupDialog(parent); if (objType==FailoverClusterGroup::TYPENAME) return new ClusterGroupDialog(parent); if (objType==Host::TYPENAME) return new HostDialog(parent); if (objType==Interface::TYPENAME) return new InterfaceDialog(parent); if (objType==AttachedNetworks::TYPENAME) return new AttachedNetworksDialog(parent); if (objType==Network::TYPENAME) return new NetworkDialog(parent); if (objType==NetworkIPv6::TYPENAME) return new NetworkDialogIPv6(parent); if (objType==CustomService::TYPENAME) return new CustomServiceDialog(parent); if (objType==IPService::TYPENAME) return new IPServiceDialog(parent); if (objType==ICMPService::TYPENAME) return new ICMPServiceDialog(parent); if (objType==ICMP6Service::TYPENAME) return new ICMPServiceDialog(parent); if (objType==TCPService::TYPENAME) return new TCPServiceDialog(parent); if (objType==UDPService::TYPENAME) return new UDPServiceDialog(parent); if (objType==ObjectGroup::TYPENAME) return new GroupObjectDialog(parent); if (objType==DynamicGroup::TYPENAME) return new DynamicGroupDialog(parent); if (objType==ServiceGroup::TYPENAME) return new GroupObjectDialog(parent); if (objType==TagService::TYPENAME) return new TagServiceDialog(parent); if (objType==IntervalGroup::TYPENAME) return new GroupObjectDialog(parent); if (objType==Interval::TYPENAME) return new TimeDialog(parent); if (objType==RoutingRule::TYPENAME) return new 
RoutingRuleOptionsDialog(parent); if (objType==Rule::TYPENAME) return new RuleOptionsDialog(parent); if (objType==PolicyRule::TYPENAME) return new RuleOptionsDialog(parent); if (objType==NATRule::TYPENAME) return new NATRuleOptionsDialog(parent); return NULL; } QWidget *DialogFactory::createFWDialog(QWidget *parent, FWObject *o) throw(FWException) { string platform = o->getStr("platform"); string host_os = o->getStr("host_OS"); Resources* platform_res = Resources::platform_res[platform]; if (platform_res==NULL) throw FWException( (const char*)(QObject::tr("Support module for %1 is not available"). arg(platform.c_str()).toLocal8Bit().constData())); Resources* os_res = Resources::os_res[host_os]; if (os_res==NULL) throw FWException( (const char*)(QObject::tr("Support module for %1 is not available"). arg(host_os.c_str()).toLocal8Bit().constData())); string os_family = os_res->getResourceStr( "/FWBuilderResources/Target/family"); string dlgname = platform_res->Resources::getResourceStr( "/FWBuilderResources/Target/dialog"); if (platform == "iptables" && os_family == "ipcop") dlgname = "ipcop"; if (platform == "iptables" && os_family == "secuwall") dlgname = "secuwall"; if (dlgname=="junosacl") return new junosaclAdvancedDialog(parent,o); if (dlgname=="nxosacl") return new nxosaclAdvancedDialog(parent,o); if (dlgname=="iosacl") return new iosaclAdvancedDialog(parent,o); if (dlgname=="ipcop") return new ipcopAdvancedDialog(parent,o); if (dlgname=="ipf") return new ipfAdvancedDialog(parent,o); if (dlgname=="ipfw") return new ipfwAdvancedDialog(parent,o); if (dlgname=="iptables") return new iptAdvancedDialog(parent,o); if (dlgname=="pf") return new pfAdvancedDialog(parent,o); if (dlgname=="pix") return new pixAdvancedDialog(parent,o); if (dlgname=="secuwall") return new secuwallAdvancedDialog(parent,o); if (dlgname=="procurveacl") return new procurveaclAdvancedDialog(parent,o); cerr << "Firewall settings dialog for " << dlgname << " is not implemented" << endl; return 
NULL; } QWidget *DialogFactory::createOSDialog(QWidget *parent,FWObject *o) throw(FWException) { string host_os = o->getStr("host_OS"); Resources *os = Resources::os_res[host_os]; if (os==NULL) throw FWException( (const char*)(QObject::tr("Support module for %1 is not available"). arg(host_os.c_str()).toLocal8Bit().constData())); string dlgname = os->Resources::getResourceStr( "/FWBuilderResources/Target/dialog"); // string os=o->getStr("host_OS"); if (dlgname=="linux24") return new linux24AdvancedDialog(parent, o); if (dlgname=="sveasoft") return new linksysAdvancedDialog(parent, o); if (dlgname=="freebsd") return new freebsdAdvancedDialog(parent, o); if (dlgname=="openbsd") return new openbsdAdvancedDialog(parent, o); if (dlgname=="solaris") return new solarisAdvancedDialog(parent, o); if (dlgname=="macosx") return new macosxAdvancedDialog(parent, o); if (dlgname=="pix_os") return new pixosAdvancedDialog(parent, o); if (dlgname=="junos") return new junosAdvancedDialog(parent, o); if (dlgname=="nxos") return new nxosAdvancedDialog(parent, o); if (dlgname=="ios") return new iosAdvancedDialog(parent, o); if (dlgname=="ipcop") return new ipcoposAdvancedDialog(parent, o); if (dlgname=="secuwall") return new secuwallosAdvancedDialog(parent, o); cerr << "OS settings dialog for " << dlgname << " is not implemented" << endl; return NULL; } QWidget *DialogFactory::createIfaceDialog(QWidget *parent,FWObject *o) throw(FWException) { FWObject *h = Host::getParentHost(o); //FWObject *h = Interface::cast(o)->getParentHost(); string host_OS = h->getStr("host_OS"); Resources *os = Resources::os_res[host_OS]; if (os==NULL) throw FWException((const char*)( QObject::tr("Support module for %1 is not available"). arg(host_OS.c_str()).toLocal8Bit().constData())); string dlgname = os->Resources::getResourceStr( "/FWBuilderResources/Target/interface_dialog"); // add further dlgname support here ... 
if (dlgname=="secuwall") return new secuwallIfaceOptsDialog(parent, o); if (dlgname=="linux24") return new linux24IfaceOptsDialog(parent, o); if (dlgname=="bsd") return new bsdIfaceOptsDialog(parent, o); if (dlgname=="pix_os") return new pixosIfaceOptsDialog(parent, o); if (dlgname=="vlan_only") return new vlanOnlyIfaceOptsDialog(parent, o); cerr << "Interface settings dialog for OS " << host_OS << " is not implemented" << endl; return NULL; } QWidget *DialogFactory::createClusterConfDialog(QWidget *parent, FWObject *o) throw(FWException) { FWObject *objparent = o->getParent(); while (objparent && objparent->getTypeName()!="Cluster") objparent = objparent->getParent(); assert(objparent); string host_OS = objparent->getStr("host_OS"); Resources *os = Resources::os_res[host_OS]; string dlgname = os->Resources::getResourceStr("/FWBuilderResources/Target/cluster_dialog"); // add further dlgname support here ... if (dlgname == "basic") return new clusterMembersDialog(parent, o); cerr << "Cluster configuration dialog for OS " << host_OS << " is not implemented" << endl; return NULL; } /* * Create cluster group options dialog; dialog class depends on the * cluster group type. 
Argument is FWOptions object which is * a child of ClusterGroup object */ QString DialogFactory::getClusterGroupOptionsDialogName(FWObject *o) { FWObject *cluster_group = o->getParent(); assert(ClusterGroup::cast(cluster_group)!=NULL); string type = ClusterGroup::cast(cluster_group)->getStr("type"); FWObject *fw = o; while (fw && Firewall::cast(fw)==NULL) fw = fw->getParent(); if (fw) { string host_OS = fw->getStr("host_OS"); Resources *os = Resources::os_res[host_OS]; return os->Resources::getResourceStr( "/FWBuilderResources/Target/protocols/" + type + "/dialog").c_str(); } return QString(); } QWidget *DialogFactory::createClusterGroupOptionsDialog( QWidget *parent, FWObject *o) throw(libfwbuilder::FWException) { QString dlgname = getClusterGroupOptionsDialogName(o); if (dlgname == "conntrack") return new conntrackOptionsDialog(parent, o); if (dlgname == "pfsync") return new pfsyncOptionsDialog(parent, o); if (dlgname == "pix_state_sync") return new pixFailoverOptionsDialog(parent, o); if (dlgname == "vrrp") return new vrrpOptionsDialog(parent, o); if (dlgname == "carp") return new carpOptionsDialog(parent, o); if (dlgname == "heartbeat") return new heartbeatOptionsDialog(parent, o); if (dlgname == "openais") return new openaisOptionsDialog(parent, o); // Add more cluster group options dialog here return NULL; } string DialogFactory::getActionDialogPageName(Firewall *fw, Rule *rule) { string platform = fw->getStr("platform"); string act = getRuleAction(rule).toStdString(); string editor_page; try { editor_page = Resources::getTargetCapabilityStr( platform, "actions/" + act + "/dialog_page"); } catch (FWException &ex) { } return editor_page; } fwbuilder-5.3.7/src/libgui/DialogFactory.h000066400000000000000000000040151303637203600204560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _DIALOGFACTORY_HH_ #define _DIALOGFACTORY_HH_ #include "BaseObjectDialog.h" #include namespace libfwbuilder { class FWObject; class FWException; class Firewall; class Rule; }; class DialogFactory { public: static BaseObjectDialog *createDialog(QWidget *parent,const QString &objType); static QWidget *createFWDialog(QWidget *parent,libfwbuilder::FWObject *o) throw(libfwbuilder::FWException); static QWidget *createOSDialog(QWidget *parent,libfwbuilder::FWObject *o) throw(libfwbuilder::FWException); static QWidget *createIfaceDialog(QWidget *parent,libfwbuilder::FWObject *o) throw(libfwbuilder::FWException); static QWidget *createClusterConfDialog(QWidget *parent, libfwbuilder::FWObject *o) throw(libfwbuilder::FWException); static QString getClusterGroupOptionsDialogName(libfwbuilder::FWObject *o); static QWidget *createClusterGroupOptionsDialog(QWidget *parent, libfwbuilder::FWObject *o) throw(libfwbuilder::FWException); static std::string getActionDialogPageName(libfwbuilder::Firewall *fw, libfwbuilder::Rule *rule); }; #endif fwbuilder-5.3.7/src/libgui/DiscoveryDruid.cpp000066400000000000000000002425651303637203600212370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2005, 2006 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "events.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "DiscoveryDruid.h" #include "ProjectPanel.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include #include #include #include #include #include "fwbuilder/HostsFile.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/Inet6AddrMask.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Policy.h" #include "fwbuilder/dns.h" #include "fwbuilder/snmp.h" #include "fwbuilder/Logger.h" #include "FWBSettings.h" #include "ObjectManipulator.h" #include "FWWindow.h" #include "networkZoneManager.h" #include "IOSImporter.h" #include "IPTImporter.h" #include "PIXImporter.h" using namespace std; using namespace libfwbuilder; DiscoveryDruid::DiscoveryDruid(QWidget *parent, bool start_with_import) : QDialog(parent) { init = true; discovered_fw = NULL; m_dialog = new Ui::DiscoveryDruid_q; m_dialog->setupUi(this); setControlWidgets(this, m_dialog->stackedWidget, m_dialog->nextButton, 
m_dialog->finishButton, m_dialog->backButton, m_dialog->cancelButton, m_dialog->titleLabel); QTextCursor cursor(m_dialog->discoverylog->textCursor()); normal_format = cursor.charFormat(); error_format = normal_format; error_format.setForeground(QBrush(Qt::red)); error_format.setAnchorHref("http://somewhere.com"); error_format.setAnchor(true); // weight must be between 0 and 99. Qt 4.4.1 does not seem to mind if // it is >99 (just caps it) but older versions assert error_format.setProperty(QTextFormat::FontWeight, 99); warning_format = normal_format; warning_format.setForeground(QBrush(Qt::blue)); warning_format.setProperty(QTextFormat::FontWeight, 99); warning_format.setAnchor(true); warning_format.setAnchorHref("http://somewhere.com"); dm_method = new QButtonGroup; dm_method->addButton(m_dialog->dm_fromfile,0); dm_method->addButton(m_dialog->dm_importdns,1); dm_method->addButton(m_dialog->dm_usesnmp,2); dm_method->addButton(m_dialog->dm_import_config,3); connect(dm_method, SIGNAL( buttonClicked(int) ), this, SLOT( changedDiscoveryMethod(int) ) ); connect(m_dialog->dnsfromlist, SIGNAL( clicked(bool) ), this, SLOT( changedNameServer() ) ); connect(m_dialog->dnscustom, SIGNAL( clicked(bool) ), this, SLOT( changedNameServer() ) ); connect(m_dialog->nameserverlist, SIGNAL( editTextChanged(QString) ), this, SLOT( changedNameServer() ) ); connect(m_dialog->nameserverline, SIGNAL( textChanged(QString) ), this, SLOT( changedNameServer() ) ); thread = NULL; timer = new QTimer(this); prg_timer = new QTimer(this); unBar = NULL; unProg = 0; connect(prg_timer,SIGNAL(timeout()),this,SLOT(updatePrg())); setDiscoveryMethod_file(); flt_obj = new Filter(); flt_obj_d = new FilterDialog(this); flt_obj_d->setFilter(flt_obj); flt_last = new Filter(); flt_last_d = new FilterDialog(this); flt_last_d->setFilter(flt_last); flt_net = new Filter(); flt_net_d = new FilterDialog(this); flt_net_d->setFilter(flt_net); assert(mw->activeProject()->db()); fillLibraries(m_dialog->libs, 
mw->activeProject()->db()); m_dialog->libs->setEditable(true); m_dialog->libs->lineEdit()->setText(mw->getCurrentLib()->getName().c_str()); m_dialog->DNSprogress->hide(); m_dialog->DNSprogress_2->hide(); #ifndef HAVE_GOODLIBRESOLV m_dialog->dm_importdns->hide(); m_dialog->snmpdnsparameters->hide(); #endif #ifndef HAVE_LIBSNMP m_dialog->dm_usesnmp->setEnabled(false); #endif restore(); importPlatformChanged(m_dialog->import_platform->currentIndex()); showPage(CHOOSE_METHOD_PAGE); setNextEnabled(CHOOSE_METHOD_PAGE, true); if (start_with_import) { m_dialog->dm_import_config->setDown(true); setDiscoveryMethod_Import(); setAppropriate( CHOOSE_METHOD_PAGE, false ); // show the first page of the "import policy" track of the wizard showPage( IMPORT_CONFIG_PAGE ); setNextEnabled(IMPORT_CONFIG_PAGE, false); cancelButton->show(); } prg_timer->start(100); init = false; } void DiscoveryDruid::nextClicked() { if (nextRelevant( currentPage() ) > -1) showPage(nextRelevant( currentPage() )); } void DiscoveryDruid::backClicked() { if (previousRelevant( currentPage() ) > -1) showPage(previousRelevant( currentPage() )); } void DiscoveryDruid::finishClicked() { if (current_task == BT_IMPORT && discovered_fw != NULL) { if (selectedPlatform() == "pix" && currentPage() == NETWORK_ZONES_PAGE) { // read and configure network zones list all_interfaces = discovered_fw->getByTypeDeep(Interface::TYPENAME); list::iterator it; for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it) { Interface *iface = Interface::cast(*it); string network_zone_str_id = ""; QList ltwi = m_dialog->iface_nz_list->findItems( iface->getName().c_str(), Qt::MatchExactly ); if ( ! 
ltwi.empty()) { QTableWidgetItem *itm2 = ltwi[0]; assert(itm2!=NULL); int row = itm2->row(); QComboBox *cb = dynamic_cast( m_dialog->iface_nz_list->cellWidget(row, 3)); assert(cb!=NULL); int network_zone_int_id = cb->itemData(cb->currentIndex(), Qt::UserRole).toInt(); if (network_zone_int_id != 0) network_zone_str_id = FWObjectDatabase::getStringId( network_zone_int_id); else network_zone_str_id = ""; } // only set network zone if it is supported and is not // empty. See #2014 if (!network_zone_str_id.empty()) iface->setStr("network_zone", network_zone_str_id); } } QCoreApplication::postEvent( mw->activeProject(), new expandObjectInTreeEvent( mw->activeProject()->getFileName(), discovered_fw->getId())); QCoreApplication::postEvent( mw->activeProject(), new showObjectInTreeEvent( mw->activeProject()->getFileName(), discovered_fw->getId())); QCoreApplication::postEvent( mw, new openObjectInEditorEvent( mw->activeProject()->getFileName(), discovered_fw->getId())); } QDialog::accept(); } void DiscoveryDruid::cancelClicked() { QDialog::reject(); } DiscoveryDruid::~DiscoveryDruid() { save(); delete flt_obj; delete flt_last; delete flt_net; delete flt_obj_d; delete flt_last_d; delete flt_net_d; delete m_dialog; delete dm_method; } const char * DISCOVERY_DRUID_PREFIX="DiscoveryDruid/"; const char * DISCOVERY_DRUID_DISCOVERYMETHOD="DiscoveryMethod"; const char * DISCOVERY_DRUID_FILENAME ="Filename"; const char * DISCOVERY_DRUID_DOMAINNAME ="Domainname"; const char * DISCOVERY_DRUID_USELONGNAME ="UseLongName"; const char * DISCOVERY_DRUID_NAMESERVER ="NameServer"; const char * DISCOVERY_DRUID_DNSTIMEOUT ="DNSTimeout"; const char * DISCOVERY_DRUID_DNSRETRIES ="DNSRetries"; const char * DISCOVERY_DRUID_SEEDHOST ="SeedHost"; const char * DISCOVERY_DRUID_SNMPINADDR ="SNMPInAddr"; const char * DISCOVERY_DRUID_SNMPINMASK ="SNMPInMask"; const char * DISCOVERY_DRUID_SNMPRECURSIVE ="SNMPRecursive"; const char * DISCOVERY_DRUID_SNMPFOLLOWP2P ="SNMPFollowP2P"; const char * 
DISCOVERY_DRUID_SNMPINCLUDEUNNUMBERED="SnmpIncludeUnnumbered"; const char * DISCOVERY_DRUID_SNMPDODNS ="SNMPDoDNS"; const char * DISCOVERY_DRUID_SNMPCOMMUNITY ="SNMPCommunity"; const char * DISCOVERY_DRUID_SNMPRETRIES ="SNMPRetries"; const char * DISCOVERY_DRUID_SNMPTIMEOUT ="SNMPTimeout"; const char * DISCOVERY_DRUID_SNMPDNSRETRIES ="DNSRetries"; const char * DISCOVERY_DRUID_SNMPDNSTIMEOUT ="DNSTimeout"; const char * DISCOVERY_DRUID_SNMPDNSTHREADS ="SNMPDnsThreads"; const char * DISCOVERY_DRUID_IMPORRT_CONFIG_PLATFORM = "ImportPlatform"; void DiscoveryDruid::restore() { int i; QString s; //Restore from settings dm_method->button(st->getInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_DISCOVERYMETHOD))->setChecked(true); changedDiscoveryMethod(dm_method->checkedId()); //m_dialog->filename->setText(st->getStr( // QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_FILENAME)); //m_dialog->domainname->setText(st->getStr( // QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_DOMAINNAME)); m_dialog->uselongname->setChecked(st->getBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_USELONGNAME)); //m_dialog->nameserverline->setText(st->getStr( // QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_NAMESERVER)); i=st->getInt(QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_DNSTIMEOUT); m_dialog->dnstimeout->setValue((i)?i:2); i=st->getInt(QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_DNSRETRIES); m_dialog->dnsretries->setValue((i)?i:1); m_dialog->seedhostname->setText(st->getStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SEEDHOST)); m_dialog->snmpinaddr->setText(st->getStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINADDR)); m_dialog->snmpinmask->setText(st->getStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINMASK)); m_dialog->snmprecursive->setChecked(st->getBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPRECURSIVE)); m_dialog->snmpfollowp2p->setChecked(st->getBool( QString(DISCOVERY_DRUID_PREFIX) + 
DISCOVERY_DRUID_SNMPFOLLOWP2P)); m_dialog->snmpincludeunnumbered->setChecked(st->getBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINCLUDEUNNUMBERED)); m_dialog->snmpdodns->setChecked(st->getBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPDODNS)); s=st->getStr(QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPCOMMUNITY); m_dialog->snmpcommunity->setText((s.isEmpty())?"public":s); i=st->getInt(QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPRETRIES); m_dialog->snmpretries->setValue((i)?i:1); i=st->getInt(QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPTIMEOUT); m_dialog->snmptimeout->setValue((i)?i:2); i=st->getInt(QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPDNSRETRIES); m_dialog->snmpdnsretries->setValue((i)?i:1); i=st->getInt(QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPDNSTIMEOUT); m_dialog->snmpdnstimeout->setValue((i)?i:2); i=st->getInt(QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPDNSTHREADS); m_dialog->snmpdnsthreads->setValue((i)?i:5); m_dialog->import_platform->setCurrentIndex(st->getInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_IMPORRT_CONFIG_PLATFORM)); } void DiscoveryDruid::save() { // Save to settings st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_DISCOVERYMETHOD, dm_method->checkedId()); st->setBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_USELONGNAME, m_dialog->uselongname->isChecked()); if (current_task==BT_DNS) { st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_DNSTIMEOUT, m_dialog->dnstimeout->value()); st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_DNSRETRIES, m_dialog->dnsretries->value()); } else { st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPDNSRETRIES, m_dialog->snmpdnsretries->value()); st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPDNSTIMEOUT, m_dialog->snmpdnstimeout->value()); } st->setStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SEEDHOST, 
m_dialog->seedhostname->text()); st->setStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINADDR, m_dialog->snmpinaddr->text()); st->setStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINMASK, m_dialog->snmpinmask->text()); st->setBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPRECURSIVE, m_dialog->snmprecursive->isChecked()); st->setBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPFOLLOWP2P, m_dialog->snmpfollowp2p->isChecked()); st->setBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINCLUDEUNNUMBERED, m_dialog->snmpincludeunnumbered->isChecked()); st->setBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPDODNS, m_dialog->snmpdodns->isChecked()); st->setStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPCOMMUNITY, m_dialog->snmpcommunity->text()); st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPRETRIES, m_dialog->snmpretries->value()); st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPTIMEOUT, m_dialog->snmptimeout->value()); st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPDNSTHREADS, m_dialog->snmpdnsthreads->value()); st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_IMPORRT_CONFIG_PLATFORM, m_dialog->import_platform->currentIndex()); } void DiscoveryDruid::dnsFinish(QHostInfo host) { QList list = host.addresses(); unBar->hide(); if (userIsTyping) { //abandon the test result if (current_task==BT_DNS) { changedNameServer(); } else { changedSeedHost(); } } else { //get the test result if (list.isEmpty()) { QPalette palette = errMessage->palette(); palette.setColor(errMessage->foregroundRole(), Qt::darkRed); errMessage->setPalette(palette); errMessage->setText( "host name not found"); isSeedHostOK=false; } else { QPalette palette = errMessage->palette(); palette.setColor(errMessage->foregroundRole(), Qt::darkGreen); errMessage->setPalette(palette); errMessage->setText( "host name verified"); isSeedHostOK=true; } 
nextButton->setEnabled(isSNMPInclNetOK && isSeedHostOK); } } void DiscoveryDruid::changedSelected( const int &page ) { if (init) return; switch (page) { case READ_HOSTS_FILE_PAGE: // Reading file in hosts format { setNextEnabled(page, false); changedHostsFileName(); m_dialog->filename->setFocus(); break; } case IMPORT_CONFIG_PAGE: // import config { m_dialog->obj_name->setFocus(); setBackEnabled(page, true); setFinishEnabled(page, false); break; } case IMPORT_DNS_ZONE_PAGE: // Import DNS zone { changedDomainName(); m_dialog->domainname->setFocus(); //setNextEnabled(page,false); break; } case NAME_SERVER_PAGE: // Name server { if (page>FromPage) getNameServers(); disconnect(timer,SIGNAL(timeout()),0,0); connect(timer,SIGNAL(timeout()),this,SLOT(checkHostName())); changedNameServer(); m_dialog->nameserverline->setFocus(); //setNextEnabled(page,false); break; } case SNMP_DISCOVERY_PAGE: // Network discovery using SNMP { disconnect(timer,SIGNAL(timeout()),0,0); connect(timer,SIGNAL(timeout()),this,SLOT(checkHostName())); isSeedHostOK=false; isSNMPInclNetOK=false; changedSeedHost(); changedInclNet(); m_dialog->seedhostname->setFocus(); break; } case NETWORK_SCAN_OPTIONS_PAGE: // Network scan options { m_dialog->snmprecursive->setFocus(); //setNextEnabled(page,false); break; } case SNMP_PARAMETERS_PAGE: // SNMP and DNS reverse lookup queries parameters { checkSNMPCommunity(); m_dialog->snmpcommunity->setFocus(); break; } case BACKGROUND_PROCESS_PAGE: // Background process (import from hosts and from config file) { m_dialog->discoveryprogress->setValue(-1); m_dialog->discoverylog->clear(); m_dialog->discoveryStopButton->setEnabled(true); m_dialog->logSaveButton->setEnabled(false); QApplication::processEvents(QEventLoop::ExcludeUserInputEvents,100); setNextEnabled(page, false); cancelButton->hide(); setBackEnabled(page, false); disconnect(timer, SIGNAL(timeout()), 0, 0); connect(timer, SIGNAL(timeout()), this, SLOT(updateLog())); timer->setSingleShot(false); 
timer->start(1000); startBackgroundProcess(); break; } case CHOOSE_NETWORKS_PAGE: // Networks { fillListOfNetworks(); fillNetworks(); backButton->setEnabled(false); nextButton->setEnabled(m_dialog->networklist->count ()>0 || Objects.size()>0); break; } case CHOOSE_OBJECTS_PAGE: // Objects { if (Networks.size()==0) setBackEnabled(page,false); fillListOfObjects(); fillObjects(); nextButton->setEnabled(m_dialog->objectlist->count ()>0 || m_dialog->networklist->count()>0); break; } case ADJUST_OBJECT_TYPES_PAGE: // Adjust Object type { setBackEnabled(page,true); fillTypeChangingList(); break; } case TARGET_LIB_PAGE: // Target library { break; } case CREATE_OBJECTS_PAGE: // Objects creation ... { setBackEnabled(page,false); cancelButton->hide(); createRealObjects(); setNextEnabled(page, false); setFinishEnabled(page, true); finishButton->setFocus(); break; } case NETWORK_ZONES_PAGE: // Network zones for PIX { setBackEnabled(page, false); cancelButton->hide(); setNextEnabled(page, false); setFinishEnabled(page, true); finishButton->setFocus(); fillNetworkZones(); break; } default : {} } FromPage = page; } void DiscoveryDruid::startBackgroundProcess() { switch (current_task) { case BT_HOSTS: case BT_IMPORT: { m_dialog->discoveryprogress->setMaximum(100); m_dialog->discoveryprogress->setValue(0); m_dialog->discoveryprogress->setEnabled(false); m_dialog->discoveryStopButton->setEnabled(false); break; } case BT_DNS: case BT_SNMP: { m_dialog->discoveryprogress->setMaximum(0); m_dialog->discoveryprogress->setValue(-1); break; } default: {} } switch (current_task) { case BT_HOSTS: startHostsScan(); break; case BT_DNS: startDNSScan(); break; case BT_SNMP: startSNMPScan(); break; case BT_IMPORT: startConfigImport(); break; default: {} } } void DiscoveryDruid::browseHostsFile() { QString s = QFileDialog::getOpenFileName( this, "Choose a file", st->getOpenFileDir(), "All files (*)"); if (s.isEmpty()) return; st->setOpenFileDir(s); m_dialog->filename->setText(s); } void 
DiscoveryDruid::browseForImport() { QString s = QFileDialog::getOpenFileName( this, "Choose a file", st->getOpenFileDir(), "All files (*)"); if (s.isEmpty()) return; st->setOpenFileDir(s); m_dialog->import_filename->setText(s); } void DiscoveryDruid::updatePrg() { if (unBar!=NULL) { unBar->setValue(unProg++); } } void DiscoveryDruid::getNameServers() { // this is not supported anymore since all resolver functions // have been removed from class DNS m_dialog->nameserverlist->setEnabled(false); m_dialog->dnsfromlist->setEnabled(false); m_dialog->dnscustom->setChecked(true); } void DiscoveryDruid::setDiscoveryMethod_file() { m_dialog->processname->setText(tr("Hosts file parsing ...")); current_task = BT_HOSTS; for (int i=0; iprocessname->setText(tr("DNS zone transfer ...")); current_task = BT_DNS; for (int i=0; iprocessname->setText(tr("Network discovery using SNMP ...")); current_task = BT_SNMP; for (int i=0; iprocessname->setText(tr("Import configuration from file ...")); current_task = BT_IMPORT; for (int i=0; ifilename->text()); thread->setTargetWidget(this); thread->start(); } void DiscoveryDruid::startConfigImport() { if (thread!=NULL) { delete thread; } QFile cf( m_dialog->import_filename->text() ); if (cf.open( QIODevice::ReadOnly ) ) { QTextStream stream(&cf); QString s = stream.readAll(); cf.close(); std::string *buffer = new std::string( s.toLatin1().constData() ); //if (fwbdebug) qDebug(buffer->c_str()); // count lines, gather some general stats on the config file. 
std::string::size_type pos, n; pos = 0; int line_count = 0; while ( (n=buffer->find('\n', pos))!=std::string::npos) { line_count++; pos = n+1; } m_dialog->discoveryprogress->setMaximum(line_count); // need to pick right platform string based on // m_dialog->import_platform->currentItem() string platform = selectedPlatform(); // // ConfigImport "owns" buffer - it is deleted // in destructor of ConfigImport // thread = new ConfigImport(buffer, platform, m_dialog->obj_name->text().toStdString()); thread->setTargetWidget(this); thread->start(); } else { QMessageBox::critical(this, tr("Discovery error"), tr("Could not open file %1").arg(m_dialog->import_filename->text())); setBackEnabled(currentPage(),true); } } string DiscoveryDruid::selectedPlatform() { string platform = ""; switch (m_dialog->import_platform->currentIndex()) { case IMPORT_IOS: platform = "iosacl"; break; case IMPORT_IPT: platform = "iptables"; break; case IMPORT_PIX: platform = "pix"; break; } return platform; } InetAddr DiscoveryDruid::getNS() { string ns; if (m_dialog->dnscustom->isChecked()) { ns=m_dialog->nameserverline->text().toLatin1().constData(); try { return InetAddr(ns); } catch (FWException &ex) { /* perhaps not address but host name */ list addr; try { addr=DNS::getHostByName(ns); } catch (FWException &ex) { return InetAddr(); } return addr.front(); } } return NameServers[m_dialog->nameserverlist->currentText()]; } void DiscoveryDruid::startDNSScan() { // this is not supported since all resolver functions have been // removed from class DNS } InetAddr DiscoveryDruid::getSeedHostAddress() { if (fwbdebug) qDebug() << QString("DiscoveryDruid::getSeedHostAddress(): Seed host name %1"). arg(m_dialog->seedhostname->text()); libfwbuilder::InetAddr seed_host_addr; if (!m_dialog->seedhostname->text().isEmpty()) { try { QString a = getAddrByName( m_dialog->seedhostname->text(), AF_INET); if (fwbdebug) qDebug() << QString("DiscoveryDruid::getSeedHostAddress() address: %1"). 
arg(a); return InetAddr( a.toLatin1().constData() ); } catch(const FWException &ex) { } try { seed_host_addr = InetAddr( m_dialog->seedhostname->text().toLatin1().constData()); return seed_host_addr; } catch(const FWException &ex) { } } return seed_host_addr; } void DiscoveryDruid::changedDomainName() { if (m_dialog->domainname->text().isEmpty()) { nextButton->setEnabled(false); } else { nextButton->setEnabled(true); } } void DiscoveryDruid::changedNameServer() { userIsTyping=true; isSNMPInclNetOK=true; if(m_dialog->dnscustom->isChecked()) { nextButton->setEnabled(false); QString s=m_dialog->nameserverline->text(); HostName=s; if (s.isEmpty()) { timer->stop(); m_dialog->DNSprogress_2->hide(); QPalette palette = m_dialog->nameserver_error->palette(); palette.setColor(m_dialog->nameserver_error->foregroundRole(), Qt::darkRed); m_dialog->nameserver_error->setPalette(palette); m_dialog->nameserver_error->setText("Enter valid host name or address."); nextButton->setEnabled(false); return; } if(isInetAddr(s)) { timer->stop(); m_dialog->DNSprogress_2->hide(); QString rs=testInetAddr(s); if (rs.isEmpty()) { m_dialog->nameserver_error->setText(" "); nextButton->setEnabled(true); } else { QPalette palette = m_dialog->nameserver_error->palette(); palette.setColor(m_dialog->nameserver_error->foregroundRole(), Qt::darkRed); m_dialog->nameserver_error->setPalette(palette); m_dialog->nameserver_error->setText(rs); nextButton->setEnabled(false); } } else { unBar=m_dialog->DNSprogress_2; unBar->show(); timer->setSingleShot(true); timer->start(1000); errMessage=m_dialog->nameserver_error; userIsTyping=false; QPalette palette = errMessage->palette(); palette.setColor(errMessage->foregroundRole(), Qt::black); errMessage->setPalette(palette); errMessage->setText("DNS resolution in progress..."); unProg = 0; } } else { timer->stop(); m_dialog->DNSprogress_2->hide(); m_dialog->nameserver_error->setText(" "); nextButton->setEnabled(true); } } void DiscoveryDruid::typedCustomNS() { 
if(!m_dialog->dnscustom->isChecked()) { m_dialog->dnscustom->setChecked(true); } } bool DiscoveryDruid::isInetAddr(const QString s) { QRegExp r=QRegExp("^(\\d|\\.)+$",Qt::CaseInsensitive); //non wildcard return r.exactMatch(s); } QString DiscoveryDruid::testInetAddr(const QString s) { QString res; QRegExp r=QRegExp("^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$",Qt::CaseInsensitive); //non wildcard if (r.exactMatch(s)) { try { InetAddr(s.toLatin1().constData()); } catch(const FWException &ex) { res=ex.toString().c_str(); } } else { res="Wrong IPv4 format"; } return res; } void DiscoveryDruid::changedHostsFileName() { QFile f; f.setFileName(m_dialog->filename->text()); if (f.exists()) { setNextEnabled(currentPage(),true); } else { setNextEnabled(currentPage(),false); } } void DiscoveryDruid::changedSNMPOptions() { } void DiscoveryDruid::stopBackgroundProcess() { if (fwbdebug) qDebug("stopBackgroundProcess bop=%p isRunning=%d", bop,(bop!=NULL)?bop->isRunning():-1); if (bop!=NULL && bop->isRunning()) { addToLog("Terminating task. 
Please wait..."); bop->stop_operation(); m_dialog->discoveryStopButton->setEnabled(false); } } void DiscoveryDruid::addNetwork() { int count = m_dialog->networkresultlist->count(); int upd_max=(count > 10)?count/10:1; int updc=upd_max; int t=0; QProgressDialog pd(tr("Adding objects ..."), tr("Cancel"), 0, count,this); QListWidgetItem* item=(QListWidgetItem*)m_dialog->networkresultlist->item(0); int i = 0; while (item) { if (item->isSelected()) { QString k=item->text(); if (!Networks[k].isSelected) { Networks[k].isSelected=true; m_dialog->networklist->addItem(item->text()); } } i++; item=(QListWidgetItem*)m_dialog->networkresultlist->item(i); if (updc--<=0) { pd.setValue(t); qApp->processEvents(); if (pd.wasCanceled()) { break; } updc=upd_max; } t++; } nextButton->setEnabled(m_dialog->networklist->count ()>0 || Objects.size()>0); } void DiscoveryDruid::removeNetwork() { QListWidgetItem* item1=m_dialog->networklist->item(0); QListWidgetItem* item2; while (item1!=0) { item2=m_dialog->networklist->item( m_dialog->networklist->row(item1)+1); if (item1->isSelected()) { Networks[item1->text()].isSelected=false; delete item1; } item1=item2; } nextButton->setEnabled(m_dialog->networklist->count ()>0 || Objects.size()>0); } void DiscoveryDruid::setNetworkFilter() { flt_net_d->exec(); fillListOfNetworks(); } void DiscoveryDruid::removeNetworkFilter() { flt_net->clear(); fillListOfNetworks(); } void DiscoveryDruid::addObject() { int count = m_dialog->objectresultlist->count(); int upd_max=(count > 10)?count/10:1; int updc=upd_max; int t=0; QProgressDialog pd(tr("Adding objects ..."), tr("Cancel"), 0, count,this); QListWidgetItem* item=(QListWidgetItem*)m_dialog->objectresultlist->item(0); int i = 0; while (item) { if (item->isSelected()) { QString k=item->text(); if (!Objects[k].isSelected) { Objects[k].isSelected=true; m_dialog->objectlist->addItem(item->text()); } } i++; item=(QListWidgetItem*)m_dialog->objectresultlist->item(i); if (updc--<=0) { pd.setValue(t); 
qApp->processEvents(); if (pd.wasCanceled()) { break; } updc=upd_max; } t++; } nextButton->setEnabled(m_dialog->objectlist->count ()>0 || m_dialog->networklist->count()>0); } void DiscoveryDruid::removeObject() { QListWidgetItem* item1=m_dialog->objectlist->item(0); QListWidgetItem* item2; while (item1!=0) { item2=m_dialog->objectlist->item( m_dialog->objectlist->row(item1)+1); if (item1->isSelected()) { Objects[item1->text()].isSelected=false; delete item1; } item1=item2; } nextButton->setEnabled(m_dialog->objectlist->count ()>0 || m_dialog->networklist->count()>0); } void DiscoveryDruid::setLastFilter() { flt_last_d->exec(); fillTypeChangingList(); } void DiscoveryDruid::setObjectFilter() { flt_obj_d->exec(); fillListOfObjects(); } void DiscoveryDruid::removeLastFilter() { flt_last->clear(); fillTypeChangingList(); } void DiscoveryDruid::removeObjectFilter() { flt_obj->clear(); fillListOfObjects(); } void DiscoveryDruid::selectAllResNets() { m_dialog->networkresultlist->selectAll(); } void DiscoveryDruid::selectAllNets() { m_dialog->networklist->selectAll(); } void DiscoveryDruid::selectAllResObjs() { m_dialog->objectresultlist->selectAll(); } void DiscoveryDruid::selectAllObjs() { m_dialog->objectlist->selectAll(); } void DiscoveryDruid::fillNetworkZones() { m_dialog->iface_nz_list->clear(); QStringList labels; labels << QObject::tr("Name") << QObject::tr("Label") << QObject::tr("Address") << QObject::tr("Network Zone"); m_dialog->iface_nz_list->setHorizontalHeaderLabels(labels); NetworkZoneManager netzone_manager; netzone_manager.load(mw->activeProject()->db()); list all_interfaces = discovered_fw->getByTypeDeep(Interface::TYPENAME); list::iterator it; int row = 0; for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it) { Interface *iface = Interface::cast(*it); m_dialog->iface_nz_list->insertRow(row); QTableWidgetItem* itm; itm = new QTableWidgetItem(iface->getName().c_str()); itm->setFlags(itm->flags() & ~Qt::ItemIsEditable); 
m_dialog->iface_nz_list->setItem(row, 0, itm); itm = new QTableWidgetItem(iface->getLabel().c_str()); itm->setFlags(itm->flags() & ~Qt::ItemIsEditable); m_dialog->iface_nz_list->setItem(row, 1, itm); QString addr_str; const InetAddr* addr = iface->getAddressPtr(); if (addr) addr_str = addr->toString().c_str(); itm = new QTableWidgetItem(addr_str); itm->setFlags(itm->flags() & ~Qt::ItemIsEditable); m_dialog->iface_nz_list->setItem(row, 2, itm); QComboBox *widget = new QComboBox(); netzone_manager.packComboBox(widget, -1); m_dialog->iface_nz_list->setCellWidget(row, 3, widget); row++; } m_dialog->iface_nz_list->resizeColumnToContents(3); } void DiscoveryDruid::fillNetworks() { ObjectDescriptor buf; m_dialog->networklist->clear(); bool f=false; QMap::iterator i; for(i=Networks.begin(); i!=Networks.end(); ++i) { buf=i.value(); if (buf.isSelected) { m_dialog->networklist->addItem(new QListWidgetItem(i.key())); f=true; } } nextButton->setEnabled(f); } void DiscoveryDruid::fillObjects() { ObjectDescriptor buf; m_dialog->objectlist->clear(); bool f=false; QMap::iterator i; for(i=Objects.begin(); i!=Objects.end(); ++i) { buf=i.value(); if (buf.isSelected) { m_dialog->objectlist->addItem(new QListWidgetItem(i.key())); f=true; } } nextButton->setEnabled(f); } void DiscoveryDruid::fillTypeChangingList() { ObjectDescriptor buf; m_dialog->typeChangingList->clear(); QMap::iterator i; for(i=Objects.begin(); i!=Objects.end(); ++i) { buf=i.value(); if (buf.isSelected) { QString ins; if ( flt_last->test(buf) ) { ins=(buf.interfaces.size())? 
QString("%1").arg(buf.interfaces.size()):""; QStringList sl; sl << buf.toString().c_str() << ins << buf.type.c_str(); new QTreeWidgetItem( m_dialog->typeChangingList, sl ); } } } m_dialog->typeChangingList->resizeColumnToContents(0); m_dialog->typeChangingList->resizeColumnToContents(1); } void DiscoveryDruid::loadDataFromDNS() { // this is not supported since all resolver functions have been // removed from class DNS } void DiscoveryDruid::loadDataFromFile() { m_dialog->objectresultlist->clear(); int t=0; HostsFileImport *himport = dynamic_cast(thread); assert(himport!=NULL); int count = himport->hosts.size(); if (count > 0) { int upd_max=(count > 10)?count/10:1; int updc=upd_max; QProgressDialog pd(tr("Prepare objects ..."), tr("Cancel"), 0, count,this); vector::iterator i; for(i = himport->hosts.begin(); i != himport->hosts.end(); ++i) { if (i->type.empty()) { i->type=IPv4::TYPENAME; } i->isSelected=false; Objects[i->toString().c_str()] = *i; if (updc--<=0) { pd.setValue(t); qApp->processEvents(); if (pd.wasCanceled()) { break; } updc=upd_max; } t++; } } } void DiscoveryDruid::loadDataFromImporter() { ConfigImport *confimp = dynamic_cast(thread); assert(confimp!=NULL); Importer *imp = confimp->getImporterObject(); if (imp!=NULL) { Firewall *fw = imp->finalize(); qApp->processEvents(); // to flush the log if (fw) // fw can be NULL if import was uncussessful { discovered_fw = fw; ProjectPanel *pp = mw->activeProject(); QString filename = pp->getFileName(); //pp->m_panel->om->reload(); //pp->m_panel->om->autoRenameChildren(fw, ""); QCoreApplication::postEvent(mw, new reloadObjectTreeEvent(filename)); if (mw->isEditorVisible()) QCoreApplication::postEvent( mw, new openObjectInEditorEvent(filename, fw->getId())); QCoreApplication::postEvent( mw, new showObjectInTreeEvent(filename, fw->getId())); // Open first created Policy ruleset object FWObject *first_policy = fw->getFirstByType(Policy::TYPENAME); if (first_policy) QCoreApplication::postEvent( mw, new 
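/*
 * Start the SNMP crawler for the seed host entered on the SNMP page.
 *
 * Reads the scan parameters from the dialog (community string, recursion,
 * follow-point-to-point, retries, timeout and the optional confinement
 * address/mask pair) and hands them to a new SNMPCrawler.  The crawler
 * runs as a BackgroundOp: its log is polled by updateLog() through the
 * dialog timer until monitorOperation() reports that it has finished.
 *
 * Writes: include_networks (appended to, never reset here), bop, logger,
 *         unBar, timer.
 *
 * The whole body is compiled out without HAVE_LIBSNMP.
 */
void DiscoveryDruid::startSNMPScan()
{
#ifdef HAVE_LIBSNMP
    const QString incl_addr = m_dialog->snmpinaddr->text();
    const QString incl_mask = m_dialog->snmpinmask->text();
    bool use_incl = !incl_addr.isEmpty() && !incl_mask.isEmpty();

    if (use_incl)
    {
        try
        {
            InetAddrMask in(InetAddr(incl_addr.toLatin1().constData()),
                            InetAddr(incl_mask.toLatin1().constData()));
            include_networks.push_back(in);
        }
        catch (const FWException &ex)
        {
            // changedInclNet() validates the pair before Next is enabled,
            // so this is not expected.  If it does happen the confinement
            // list is passed as it stands (possibly empty); say so in the
            // scan log instead of dropping the error silently.
            addToLog(QString("Invalid confinement network, ignored: ") +
                     ex.toString().c_str());
        }
    }

    libfwbuilder::SNMPCrawler *q = new SNMPCrawler();

    // The community string is an authentication secret: it is handed to
    // the crawler only and is deliberately not copied into the log.
    q->init(getSeedHostAddress(),
            m_dialog->snmpcommunity->text().toLatin1().constData(),
            m_dialog->snmprecursive->isChecked(),
            false,
            m_dialog->snmpfollowp2p->isChecked(),
            0,
            m_dialog->snmpretries->value(),
            // dialog value is scaled by 1e6; presumably seconds -> microseconds,
            // init()'s signature is not visible here
            1000000L * m_dialog->snmptimeout->value(),
            0,
            0,
            (use_incl) ? &include_networks : NULL);

    m_dialog->discoveryprogress->setMaximum(0);
    unBar = m_dialog->discoveryprogress;
    bop = q;

    try
    {
        logger = bop->start_operation();
        if (fwbdebug) logger->copyToStderr();
        addToLog("Collecting data ...");

        disconnect(timer, SIGNAL(timeout()), 0, 0);
        connect(timer, SIGNAL(timeout()), this, SLOT(updateLog()));
        timer->setSingleShot(false);
        timer->start(100);
    }
    catch (const FWException &ex)
    {
        // start_operation() failed: report it and release the crawler.
        // bop and unBar must not be left pointing at the deleted object,
        // since updateLog()/monitorOperation() dereference bop.
        addToLog(QString("Cannot start SNMP discovery: ") +
                 ex.toString().c_str());
        delete q;
        q = NULL;
        bop = NULL;
        unBar = NULL;
        m_dialog->discoveryprogress->setMaximum(100);
    }
#endif
}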
/*
 * Populate objectresultlist with the keys of Objects that pass the object
 * filter (flt_obj).  A progress dialog is refreshed roughly every 10% of
 * the map; cancelling it stops the copy early.
 */
void DiscoveryDruid::fillListOfObjects()
{
    m_dialog->objectresultlist->clear();

    const int total = Objects.size();
    if (total <= 0) return;

    const int refresh_every = (total > 10) ? total / 10 : 1;
    int until_refresh = refresh_every;

    QProgressDialog progress(tr("Copying results ..."), tr("Cancel"),
                             0, total, this);

    int visited = 0;
    bool cancelled = false;
    QMap<QString, ObjectDescriptor>::iterator entry = Objects.begin();
    while (entry != Objects.end() && !cancelled)
    {
        if (flt_obj->test(entry.value()))
        {
            m_dialog->objectresultlist->addItem(new QListWidgetItem(entry.key()));
            if (until_refresh-- <= 0)
            {
                progress.setValue(visited);
                qApp->processEvents();
                cancelled = progress.wasCanceled();
                until_refresh = refresh_every;
            }
        }
        ++visited;
        ++entry;
    }
}
updateLog(); m_dialog->logSaveButton->setEnabled(true); // actually create objects switch (current_task) { case BT_HOSTS: loadDataFromFile(); break; case BT_IMPORT: loadDataFromImporter(); break; default: break; } thread->wait(); QString er = thread->getError(); delete thread; thread=NULL; switch (current_task) { case BT_HOSTS: if (Objects.size()>0) { nextButton->setDefault(true); nextButton->setFocus(); nextButton->setEnabled(true); backButton->setEnabled(false); } else { backButton->setEnabled(true); nextButton->setEnabled(false); } break; case BT_IMPORT: { // if imported PIX, need to show one more page to select network zones if (selectedPlatform() == "pix") { setNextEnabled(currentPage(), true); setFinishEnabled(currentPage(), false); } else { setNextEnabled(currentPage(), false); setFinishEnabled(currentPage(), true); finishButton->setFocus(); } break; } default: break; } } } void DiscoveryDruid::updateLog() { if (fwbdebug) qDebug("DiscoveryDruid::updateLog"); if (current_task==BT_HOSTS || current_task==BT_IMPORT) { QString buf; if (thread!=NULL) { while(thread->Log->ready()) { buf = thread->Log->getLine().c_str(); addToLog(buf); } } } else if (current_task==BT_SNMP) { if (monitorOperation() > 0) { //m_dialog->discoveryprogress->setValue(prg++); } else { timer->stop(); disconnect(timer,SIGNAL(timeout()),0,0); if (fwbdebug) qDebug("Crawler finished"); loadDataFromCrawler(); cancelButton->show(); FWException * ex=bop->get_latest_error(); if (ex!=NULL) { QMessageBox::critical(this, tr("Discovery error"), ex->toString().c_str()); } if (Objects.size()>0 || Networks.size()>0) { if (Networks.size()==0) setAppropriate( 8,0); nextButton->setEnabled(true); nextButton->setDefault(true); nextButton->setFocus(); backButton->setEnabled(false); } else { nextButton->setEnabled(false); backButton->setEnabled(true); } m_dialog->logSaveButton->setEnabled(true); delete bop; bop=NULL; unBar=NULL; m_dialog->discoveryprogress->setMaximum(100); 
/*
 * Append text to the discovery log widget, one text block per line.
 *
 * Lines are classified by substring: "Parser error" lines use
 * error_format, "Parser warning" and "SNMP error, status 2 Timeout" lines
 * use warning_format, everything else normal_format.  Error and warning
 * lines also get their own text as anchor href.  Text is inserted with
 * QTextCursor::insertText(), i.e. literally, so any markup inside a log
 * line (which may originate from an imported config file or from an SNMP
 * reply) is displayed rather than interpreted.
 *
 * Empty input is ignored; otherwise the widget scrolls to the cursor.
 */
void DiscoveryDruid::addToLog(const QString &buf)
{
    if (buf.isEmpty()) return;

    const QStringList lines = buf.trimmed().split("\n");
    for (int n = 0; n < lines.size(); ++n)
    {
        QString txt = lines.at(n);

        // Later checks take precedence: a line matching both the error and
        // a warning pattern is rendered as a warning.
        QTextCharFormat format = normal_format;
        if (txt.contains("Parser error"))
            format = error_format;
        if (txt.contains("Parser warning") ||
            txt.contains("SNMP error, status 2 Timeout"))
            format = warning_format;

        // Drop any trailing line terminators left over after the split.
        while (txt.endsWith("\n") || txt.endsWith("\r"))
            txt.chop(1);

        const bool highlighted =
            (format == error_format || format == warning_format);
        if (highlighted) format.setAnchorHref(txt);

        QTextCursor cursor = m_dialog->discoverylog->textCursor();
        cursor.insertBlock();
        cursor.insertText(txt, format);
    }

    m_dialog->discoverylog->ensureCursorVisible();
}
m_dialog->seedhosterror_message->palette(); palette.setColor( m_dialog->seedhosterror_message->foregroundRole(), Qt::darkRed); m_dialog->seedhosterror_message->setPalette(palette); m_dialog->seedhosterror_message->setText( "Enter a valid host name or address."); isSeedHostOK=false; } else { if(isInetAddr(HostName)) { // seems to be an IP Address m_dialog->DNSprogress->hide(); timer->stop(); QRegExp r = QRegExp( "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$", Qt::CaseInsensitive); //non wildcard if (r.exactMatch(HostName)) { try { InetAddr(HostName.toLatin1().constData()); QPalette palette = m_dialog->seedhosterror_message->palette(); palette.setColor( m_dialog->seedhosterror_message->foregroundRole(), Qt::darkGreen); m_dialog->seedhosterror_message->setPalette(palette); m_dialog->seedhosterror_message->setText( "Address verified"); isSeedHostOK=true; } catch(const FWException &ex) { QPalette palette = m_dialog->seedhosterror_message->palette(); palette.setColor( m_dialog->seedhosterror_message->foregroundRole(), Qt::darkRed); m_dialog->seedhosterror_message->setPalette(palette); m_dialog->seedhosterror_message->setText( ex.toString().c_str()); // need to return focus to the input field in case of error //m_dialog->seedhostname->setFocus(); isSeedHostOK=false; } } else { QPalette palette = m_dialog->seedhosterror_message->palette(); palette.setColor( m_dialog->seedhosterror_message->foregroundRole(), Qt::darkRed); m_dialog->seedhosterror_message->setPalette(palette); m_dialog->seedhosterror_message->setText("Wrong IPv4 format"); isSeedHostOK=false; } } else {// it looks like a DNS name isSeedHostOK = false; QPalette palette = m_dialog->seedhosterror_message->palette(); palette.setColor( m_dialog->seedhosterror_message->foregroundRole(), Qt::black); m_dialog->seedhosterror_message->setPalette(palette); m_dialog->seedhosterror_message->setText( "DNS resolution in progress..."); unProg = 0; unBar=m_dialog->DNSprogress; errMessage=m_dialog->seedhosterror_message; 
/*
 * Slot for edits to the "confine scan to network" address/mask fields on
 * the SNMP page.  Both fields empty means "no confinement" and is valid;
 * both filled in must parse as an InetAddr pair; one filled in is an
 * incomplete specification.  The verdict is stored in isSNMPInclNetOK,
 * shown in confineerror_message and combined with isSeedHostOK to enable
 * the Next button.
 */
void DiscoveryDruid::changedInclNet()
{
    setNextEnabled(currentPage(), false);
    m_dialog->confineerror_message->setText(" ");

    const QString addr_text = m_dialog->snmpinaddr->text();
    const QString mask_text = m_dialog->snmpinmask->text();
    const bool have_addr = !addr_text.isEmpty();
    const bool have_mask = !mask_text.isEmpty();

    if (have_addr && have_mask)
    {
        try
        {
            InetAddr a(addr_text.toLatin1().constData());
            InetAddr n(mask_text.toLatin1().constData());
            InetAddrMask(a, n);   // constructed only to validate the pair
            m_dialog->confineerror_message->setText(" ");
            isSNMPInclNetOK = true;
        }
        catch (const FWException &ex)
        {
            isSNMPInclNetOK = false;
            m_dialog->confineerror_message->setText(ex.toString().c_str());
        }
    }
    else if (have_addr || have_mask)
    {
        // NOTE(review): "Incomlete" is a typo in the user-visible string;
        // left as is so the translation key stays stable.
        isSNMPInclNetOK = false;
        m_dialog->confineerror_message->setText(
            tr("Incomlete network specification."));
    }
    else
    {
        m_dialog->confineerror_message->setText(" ");
        isSNMPInclNetOK = true;
    }

    nextButton->setEnabled(isSNMPInclNetOK && isSeedHostOK);
}
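/*
 * "Unselect all" button on the type-changing page: clear the selection in
 * typeChangingList.  Counterpart of selectAllLast(), which selects every
 * item; calling selectAll() here would make both buttons do the same thing.
 */
void DiscoveryDruid::unselectAllLast()
{
    m_dialog->typeChangingList->clearSelection();
}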
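/*
 * Guess the host OS from an SNMP sysDescr string.  The result is a single
 * lower-case word such as "linux", "ios" or "pix".
 *
 * sysDescr is received from the scanned device, so it is treated as
 * untrusted input: it may be empty or contain fewer words than the Cisco
 * patterns below look at, and the lookup must never index past the end of
 * the split list.
 *
 * Examples of sysDescr strings:
 *
 * IOS (tm) 3600 Software (C3620-IK9O3S-M), Version 12.2(13), RELEASE SOFTWARE (fc1)
 * Linux guardian 2.4.20 #2 Wed Nov 17 11:49:43 CET 2004 mips
 * Linux crash 2.6.24-22-server #1 SMP Mon Nov 24 20:06:28 UTC 2008 x86_64
 * Apple AirPort - Apple Computer, 2006. All rights Reserved
 * Cisco Secure FWSM Firewall Version 2.3(4)
 * Cisco PIX Firewall Version 6.2(1)
 * Cisco Adaptive Security Appliance Version 8.2(0)227
 *
 * Returns: "pix" for the recognised Cisco ASA/PIX/FWSM descriptions,
 *          "macosx" for Darwin/Apple, otherwise the lower-cased first word
 *          (empty string for an empty sysDescr).
 */
QString DiscoveryDruid::guessOS(const string &sysDescr)
{
    const QStringList elements = QString(sysDescr.c_str()).split(" ");
    if (elements.isEmpty()) return "";

    // Lower-cased tokens; missing positions read as empty strings so the
    // comparisons below are safe for short descriptions.
    const QString first  = elements.at(0).toLower();
    const QString second = (elements.size() > 1) ? elements.at(1).toLower() : QString();
    const QString third  = (elements.size() > 2) ? elements.at(2).toLower() : QString();
    const QString fourth = (elements.size() > 3) ? elements.at(3).toLower() : QString();

    if (first == "cisco")
    {
        if (second == "adaptive" && third == "security" && fourth == "appliance")
            return "pix";
        if (second == "pix")
            return "pix";
        if (second == "secure" && third == "fwsm")
            return "pix";
    }

    if (first == "darwin" || first == "apple") return "macosx";

    return first;
}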
in->interface_type.c_str(); if (!in->interface_type.empty()) { itf->getOptionsObject()->setStr("type", in->interface_type); if (in->interface_type == "8021q") itf->getOptionsObject()->setInt("vlan_id", in->vlan_id); } else { std::auto_ptr int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject(parent)); if (int_prop->looksLikeVlanInterface(obj_name)) { QString base_name; int vlan_id; int_prop->parseVlan(obj_name, &base_name, &vlan_id); itf->getOptionsObject()->setStr("type", "8021q"); itf->getOptionsObject()->setInt("vlan_id", vlan_id); } } if (in->addr_mask.size()==0 || in->addr_mask.front()->getAddressPtr()->isAny()) { itf->setUnnumbered(true); } else { list::iterator n; for (n=in->addr_mask.begin(); n!=in->addr_mask.end(); ++n) { const InetAddr *addr = (*n)->getAddressPtr(); const InetAddr *netm = (*n)->getNetmaskPtr(); if (addr->isV4()) { try { QString iname = om->getStandardName(itf, IPv4::TYPENAME, "ip"); iname = om->makeNameUnique(itf, iname, IPv4::TYPENAME); IPv4 *ipv4= IPv4::cast( om->createObject(itf, IPv4::TYPENAME, iname) ); ipv4->setAddress(*addr); ipv4->setNetmask(*netm); } catch (FWException &ex) { cerr << "FWException: " << ex.toString() << endl; } } if (addr->isV6()) { try { QString iname = om->getStandardName(itf, IPv6::TYPENAME, "ip"); iname = om->makeNameUnique(itf, iname, IPv6::TYPENAME); IPv6 *ipv6 = IPv6::cast( om->createObject(itf, IPv6::TYPENAME, iname) ); ipv6->setAddress(*addr); ipv6->setNetmask(*netm); } catch (FWException &ex) { cerr << "FWException: " << ex.toString() << endl; } } } } return itf; } void DiscoveryDruid::createRealObjects() { ObjectDescriptor od; string type, name, a; int t=0; m_dialog->lastprogress->setValue(0); m_dialog->lastprogress->setMaximum( Objects.size()); QMap::iterator i; for (i=Networks.begin(); i!=Networks.end(); ++i) { od=i.value(); if (od.isSelected) { type = od.type; // Network or NetworkIPv6 name = od.sysname; a = od.addr.toString().c_str(); Address *net = Address::cast( 
mw->createObject(type.c_str(), name.c_str())); assert(net!=NULL); net->setName(name); net->setAddress(od.addr); net->setNetmask(od.netmask); mw->moveObject(m_dialog->libs->currentText(), net); } } for (i=Objects.begin(); i!=Objects.end(); ++i) { od = i.value(); type = od.type; name = od.sysname; QString os = guessOS(od.descr); a = od.addr.toString(); if (od.isSelected) { if (type==Host::TYPENAME || type==Firewall::TYPENAME) { FWObject *o=NULL; o = mw->createObject(type.c_str(), name.c_str()); o->setName(name); if (type==Firewall::TYPENAME) { if (os == "linux") { o->setStr("platform", "iptables"); o->setStr("host_OS", "linux24"); } if (os == "freebsd") { o->setStr("platform", "pf"); o->setStr("host_OS", "freebsd"); } if (os == "openbsd") { o->setStr("platform", "pf"); o->setStr("host_OS", "openbsd"); } if (os == "ios") { o->setStr("platform", "iosacl"); o->setStr("host_OS", "ios"); } if (os == "pix" || os == "fwsm") { o->setStr("platform", "pix"); o->setStr("host_OS", "pix_os"); } if (os == "apple") { o->setStr("platform", "ipfw"); o->setStr("host_OS", "macosx"); } if (os == "solaris") { o->setStr("platform", "ipf"); o->setStr("host_OS", "solaris"); } Resources::setDefaultTargetOptions( o->getStr("platform"), Firewall::cast(o) ); Resources::setDefaultTargetOptions( o->getStr("host_OS"), Firewall::cast(o) ); } if (od.interfaces.size()==0) { Interface *itf= Interface::cast( mw->createObject(o,Interface::TYPENAME,"nic1") ); if (od.addr.isV4()) { IPv4 *ipv4= IPv4::cast( mw->createObject(itf, IPv4::TYPENAME, a.c_str()) ); ipv4->setAddress(od.addr); ipv4->setNetmask(InetAddr()); } if (od.addr.isV6()) { IPv6 *ipv6 = IPv6::cast( mw->createObject(itf, IPv6::TYPENAME, a.c_str()) ); ipv6->setAddress(od.addr); ipv6->setNetmask(InetAddr()); } } else { if (fwbdebug) { map::iterator i; for (i=od.interfaces.begin(); i!=od.interfaces.end(); ++i) { InterfaceData *intf = &(i->second); QString str("Discovered interface %1: %2"); qDebug() << 
str.arg(intf->name.c_str()).arg(intf->mac_addr.c_str()); } } list interface_tree; std::auto_ptr int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject(o)); int_prop->rearrangeInterfaces(od.interfaces, interface_tree); if (interface_tree.size() != od.interfaces.size()) { // Some interfaces have been converted to subinterfaces // Show warning QMessageBox::warning( this, "Firewall Builder", tr( "Some discovered interfaces have been rearranged in " "fwbuilder objects and recreated as subinterfaces to " "reflect VLANs, bonding and bridging configurations. " "The algorithm used to guess correct relationship " "between interfaces and subinterfaces is imperfect " "because of the limited information provided by SNMP " "daemon. Pelase review created objects to make sure " "generated configuration is accurate. " "\n" "\n" "The program expects MAC addresses of bonding, bridge " "and vlan interfaces to be the same. It is especially " "important to review and fix generated objects if you " "use MAC address spoofing." 
), tr("&Continue"), 0, 0, 0 ); } list::iterator it; for (it=interface_tree.begin(); it!=interface_tree.end(); ++it) { InterfaceData *in = *it; // if this interface has subinterfaces, add even if it // has no ip address (last arg) FWObject *intf = addInterface( o, in, in->subinterfaces.size()!=0); if (intf == NULL) continue; list::iterator sit; for (sit=in->subinterfaces.begin(); sit!=in->subinterfaces.end(); ++sit) { InterfaceData *subint = *sit; addInterface(intf, subint, true); } } } if (!od.descr.empty()) { FWOptions* opt=(dynamic_cast(o))->getOptionsObject(); opt->setStr("snmp_description",od.descr); opt->setStr("snmp_location", od.location); opt->setStr("snmp_contact", od.contact); } mw->moveObject(m_dialog->libs->currentText(), o); } else if (type==Network::TYPENAME) { Network *net=dynamic_cast( mw->createObject(type.c_str(),name.c_str()) ); assert(net!=NULL); net->setName(name); net->setAddress(InetAddr(a)); net->setNetmask(InetAddr(InetAddr(a))); mw->moveObject(m_dialog->libs->currentText(), net); } else if (type==IPv4::TYPENAME) { IPv4 *obj=dynamic_cast( mw->createObject(type.c_str(),name.c_str()) ); assert(obj!=NULL); obj->setName(name); obj->setAddress(InetAddr(a)); obj->setNetmask(InetAddr(InetAddr::getAllOnes())); mw->moveObject(m_dialog->libs->currentText(), obj); } } m_dialog->lastprogress->setValue(t++); qApp->processEvents(); } m_dialog->lastprogress->setValue(Objects.size()); ProjectPanel *pp = mw->activeProject(); QString filename = pp->getFileName(); QCoreApplication::postEvent(mw, new reloadObjectTreeEvent(filename)); } void DiscoveryDruid::importPlatformChanged(int cp) { if (fwbdebug) qDebug("DiscoveryDruid::importPlatformChanged(): %d",cp); switch (cp) { case IMPORT_IOS: m_dialog->import_text->setText( QObject::tr("Firewall Builder can import Cisco IOS access lists " "from the router configuration saved using 'show run' " "or any other command that saves running config. 
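/*
 * Default constructor.  Strings, containers and addresses default-construct
 * themselves; the two plain bools are set explicitly so that a descriptor
 * the discovery code never marks does not carry an indeterminate value
 * into createRealObjects(), which reads isSelected.
 */
ObjectDescriptor::ObjectDescriptor() : have_snmpd(false), isSelected(false) {}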
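/*
 * Construct a worker with no target widget and a fresh QueueLogger.
 *
 * Widget is explicitly NULL so that setProgress()/done(), which post
 * events to it, do not post to an indeterminate pointer if
 * setTargetWidget() was never called.  Log is released in the destructor.
 */
WorkerThread::WorkerThread() : QThread(), Widget(NULL)
{
    Log = new QueueLogger();
}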
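/*
 * Worker that imports a firewall configuration held in *b for the given
 * platform ("iosacl", "iptables" or "pix") and firewall name.
 *
 * Takes ownership of b: the destructor deletes it.  imp is set to NULL so
 * that the destructor's `if (imp) delete imp;` is safe even when run()
 * never executed; run() replaces it with the platform importer.
 */
ConfigImport::ConfigImport(string *b, const std::string &p,
                           const std::string &fwname)
    : WorkerThread(), buffer(b), imp(NULL), platform(p), fwname(fwname)
{
}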
/*
 * Base class for the background tasks run by DiscoveryDruid (hosts-file
 * import and firewall config import derive from it).  Subclasses
 * implement run(); the base implementation only posts the "done" event.
 *
 * Progress and completion are reported to the GUI thread by posting
 * ProgressEvent / DoneEvent to Widget; log text is written to Log and
 * drained by DiscoveryDruid::updateLog().
 */
class WorkerThread : public QThread
{
    // Widget that receives ProgressEvent and DoneEvent.  The constructor
    // does not initialise it: setTargetWidget() must be called before
    // setProgress() or done().
    QWidget *Widget;

protected:
    // Set by a subclass' run() when it fails.  Read by the dialog through
    // getError() once the DoneEvent has arrived.
    QString last_error;

public:
    // Allocated as a QueueLogger in the constructor and deleted in the
    // destructor; the dialog reads it with ready()/getLine().
    Logger *Log;

    // Post a ProgressEvent carrying p to Widget.
    void setProgress(int p);

    // Post a DoneEvent to Widget.
    void done();

    void setTargetWidget(QWidget *w) {Widget=w;}

    QString getError();

    WorkerThread();
    virtual ~WorkerThread();

    // Default implementation just calls done(); subclasses override it.
    virtual void run();
};
std::string &platform, const std::string &fwname); virtual ~ConfigImport(); virtual void run(); Importer* getImporterObject() { return imp; } }; // ---------------- DISCOVERY DRUID ------------------ // class DiscoveryDruid : public QDialog, public FakeWizard { Q_OBJECT; private: WorkerThread *thread; BackgroundTask current_task; Filter * flt_obj; Filter * flt_last; Filter * flt_net; FilterDialog * flt_obj_d; FilterDialog * flt_last_d; FilterDialog * flt_net_d; Ui::DiscoveryDruid_q * m_dialog; QButtonGroup * dm_method; QTextCharFormat normal_format; QTextCharFormat error_format; QTextCharFormat warning_format; bool init; bool isSeedHostOK; bool isSNMPInclNetOK; bool userIsTyping; //QueueLogger * logger; Logger * logger; BackgroundOp *bop; QHostInfo *dns; int FromPage; QMap Objects; QMap Networks; QMap NameServers; vector include_networks; QTimer* timer; QTimer* prg_timer; int unProg; QProgressBar *unBar; QLabel *errMessage; QString HostName; libfwbuilder::Firewall *discovered_fw; void setDiscoveryMethod_file(); void setDiscoveryMethod_DNS(); void setDiscoveryMethod_SNMP(); void setDiscoveryMethod_Import(); void startBackgroundProcess(); void DataFromCrawler(); int monitorOperation(); void restore(); void save(); QString guessOS(const string &sysDescr); void rearrangeInterfaces( const QString &os, std::map &interfaces, std::list &interface_tree); FWObject* addInterface(libfwbuilder::FWObject *parent, libfwbuilder::InterfaceData *in, bool skip_ip_address_check); void addToLog(const QString &buf); std::string selectedPlatform(); public: DiscoveryDruid(QWidget *parent, bool start_with_import=false); virtual ~DiscoveryDruid(); void fillListOfObjects(); void fillTypeChangingList(); void fillObjects(); void fillNetworks(); void loadDataFromFile(); void loadDataFromImporter(); void loadDataFromCrawler(); void loadDataFromDNS(); void fillListOfNetworks(); void fillNetworkZones(); void createRealObjects(); // void stripObjects(); void getNameServers(); InetAddr getNS(); 
InetAddr getSeedHostAddress(); bool isInetAddr(const QString s); QString testInetAddr(const QString s); virtual void customEvent(QEvent *event); public slots: virtual void changedSelected( const int &page ); virtual void changedDiscoveryMethod(int); virtual void browseHostsFile(); virtual void browseForImport(); virtual void saveScanLog(); virtual void startHostsScan(); virtual void startDNSScan(); virtual void startSNMPScan(); virtual void startConfigImport(); virtual void importPlatformChanged(int cp); virtual void changedDomainName(); virtual void changedHostsFileName(); virtual void changedSNMPOptions(); virtual void changedSeedHost(); virtual void changedInclNet(); virtual void stopBackgroundProcess(); virtual void addNetwork(); virtual void removeNetwork(); virtual void setNetworkFilter(); virtual void removeNetworkFilter(); virtual void setLastFilter(); virtual void removeLastFilter(); virtual void addObject(); virtual void removeObject(); virtual void setObjectFilter(); virtual void removeObjectFilter(); virtual void updateLog(); virtual void updatePrg(); virtual void checkHostName(); virtual void checkSNMPCommunity(); virtual void selectAllResNets(); virtual void selectAllNets(); virtual void selectAllResObjs(); virtual void selectAllObjs(); virtual void selectAllLast(); virtual void unselectAllLast(); virtual void changeTargetObject(const QString &buf); virtual void typeAddress(); virtual void typeHost(); virtual void typeFirewall(); virtual void dnsFinish(QHostInfo); virtual void changedNameServer(); virtual void typedCustomNS(); // virtual void createObjects(const QString &buf); virtual void nextClicked(); virtual void backClicked(); virtual void cancelClicked(); virtual void finishClicked(); virtual void objNameChanged(QString name); signals: }; #define CHOOSE_METHOD_PAGE 0 #define READ_HOSTS_FILE_PAGE 1 #define IMPORT_CONFIG_PAGE 2 #define IMPORT_DNS_ZONE_PAGE 3 #define NAME_SERVER_PAGE 4 #define SNMP_DISCOVERY_PAGE 5 #define NETWORK_SCAN_OPTIONS_PAGE 
6 #define SNMP_PARAMETERS_PAGE 7 #define BACKGROUND_PROCESS_PAGE 8 #define CHOOSE_NETWORKS_PAGE 9 #define CHOOSE_OBJECTS_PAGE 10 #define ADJUST_OBJECT_TYPES_PAGE 11 #define TARGET_LIB_PAGE 12 #define CREATE_OBJECTS_PAGE 13 #define NETWORK_ZONES_PAGE 14 const int WIZARD_PAGES = 15; const bool WIZARD_FILE_PAGES[] = {1,1,0,0,0,0,0,0,1,0,1,0,1,1,0}; const bool WIZARD_DNS_PAGES[] = {1,0,0,1,1,0,0,0,1,0,1,0,1,1,0}; const bool WIZARD_SNMP_PAGES[] = {1,0,0,0,0,1,1,1,1,1,1,1,1,1,0}; const bool WIZARD_IMPORT_PAGES[] = {1,0,1,0,0,0,0,0,1,0,0,0,0,0,1}; #endif fwbuilder-5.3.7/src/libgui/DynamicGroupDialog.cpp000066400000000000000000000266711303637203600220170ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Theron Tock This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "DynamicGroupDialog.h" #include "events.h" #include "FWBTree.h" #include "FWCmdChange.h" #include "FWObjectPropertiesFactory.h" #include "FWWindow.h" #include "fwbuilder/DynamicGroup.h" #include #include #include using namespace std; using namespace libfwbuilder; DynamicItemDelegate::DynamicItemDelegate(DynamicGroupDialog *dialog, QObject *parent) : QItemDelegate(parent), m_dialog(dialog) { } QWidget *DynamicItemDelegate::createEditor(QWidget *parent, const QStyleOptionViewItem &option, const QModelIndex &index) const { Q_UNUSED(option) if (index.column() == 0) { QToolButton *button = new QToolButton(parent); QPixmap pixmap; if (!QPixmapCache::find(":/Icons/neg", pixmap)) { pixmap.load(":/Icons/neg"); QPixmapCache::insert(":/Icons/neg", pixmap); } button->setIcon(QIcon(pixmap)); button->setProperty("row", QVariant(index.row())); connect(button, SIGNAL(clicked()), m_dialog, SLOT(deleteFilterClicked())); return button; } else { QComboBox *combo = new QComboBox(parent); connect(combo, SIGNAL(activated(int)), this, SLOT(comboActivated(int))); return combo; } } void DynamicItemDelegate::comboActivated(int abc) { Q_UNUSED(abc) /* Don't wait until we lose focus on the combobox */ emit commitData(dynamic_cast(sender())); } void DynamicItemDelegate::setEditorData(QWidget *editor, const QModelIndex &index) const { if (index.column() == 0) return; QString value = index.model()->data(index, Qt::EditRole).toString(); QComboBox *combo = static_cast(editor); combo->clear(); if (index.column() == 1) { if (value == DynamicGroup::TYPE_NONE) { combo->addItem("None selected", DynamicGroup::TYPE_NONE); combo->setCurrentIndex(0); } combo->addItem("Any type", DynamicGroup::TYPE_ANY); if (value == DynamicGroup::TYPE_ANY) { combo->setCurrentIndex(combo->count() - 1); } combo->insertSeparator(2); QList types = 
FWBTree::getObjectTypes(); foreach (const char *type, types) { combo->addItem(FWBTree().getTranslatableObjectTypeName(type), type); if (value == type) { combo->setCurrentIndex(combo->count() - 1); } } } else if (index.column() == 2) { if (value == DynamicGroup::KEYWORD_NONE) { combo->addItem("None selected", DynamicGroup::KEYWORD_NONE); combo->setCurrentIndex(0); } combo->addItem("Any keyword", DynamicGroup::KEYWORD_ANY); if (value == DynamicGroup::KEYWORD_ANY) { combo->setCurrentIndex(combo->count() - 1); } combo->insertSeparator(2); QStringList list; const set &keywords = m_dialog->getCurrentObj()->getAllKeywords(); set::const_iterator iter; for (iter = keywords.begin(); iter != keywords.end(); ++iter) { list.append(QString::fromUtf8((*iter).c_str())); } foreach (QString item, sortStrings(list)) { combo->addItem(item, item); if (item == value) { combo->setCurrentIndex(combo->count() - 1); } } } } void DynamicItemDelegate::setModelData(QWidget *editor, QAbstractItemModel *model, const QModelIndex &index) const { if (index.column() == 0) return; QComboBox *combo = static_cast(editor); QString value = combo->itemData(combo->currentIndex()).toString(); model->setData(index, value, Qt::EditRole); } /*****************************************************************/ DynamicGroupDialog::DynamicGroupDialog(QWidget *parent) : BaseObjectDialog(parent), m_reloadObjFilter(false) { m_ui.setupUi(this); connectSignalsOfAllWidgetsToSlotChange(); m_model = new QStandardItemModel; connect(m_model, SIGNAL(dataChanged(const QModelIndex &, const QModelIndex &)), this, SLOT(changed())); DynamicItemDelegate *delegate = new DynamicItemDelegate(this, m_ui.criteriaView); m_ui.criteriaView->setItemDelegate(delegate); m_ui.criteriaView->setModel(m_model); m_ui.criteriaView->resizeColumnsToContents(); m_ui.criteriaView->verticalHeader()->hide(); QStringList headers; headers << "Name" << "Properties"; m_ui.matchedView->setHeaderLabels(headers); connect(m_ui.matchedView, 
SIGNAL(itemDoubleClicked(QTreeWidgetItem *, int)), this, SLOT(gotItemDoubleClicked(QTreeWidgetItem *, int))); } void DynamicGroupDialog::applyChanges() { if (obj->isReadOnly()) return; FWCmdChange *change = new FWCmdChange(m_project, obj); DynamicGroup *newState = DynamicGroup::cast(change->getNewState()); newState->setName(m_ui.nameEdit->text().toUtf8().constData()); m_ui.commentKeywords->applyChanges(newState); list filters; int rows = m_model->rowCount(); for (int ii = 0; ii < rows; ii++) { QString type = m_model->data(m_model->index(ii, 1)).toString(); QString keyword = m_model->data(m_model->index(ii, 2)).toString(); string filter; DynamicGroup::makeFilter(filter, type.toUtf8().constData(), keyword.toUtf8().constData()); filters.push_back(filter); } newState->setFilter(filters); if (obj->cmp(newState, true)) { delete change; } else { m_project->undoStack->push(change); } m_loadedObjFilter = filters; } void DynamicGroupDialog::loadObjFilter() { DynamicGroup *objGroup = dynamic_cast(obj); /* We remove the rows instead of calling clear so the headers don't flicker. 
*/ //m_model->clear(); while (m_model->rowCount() > 0) { m_model->removeRow(0); } QStringList headers; headers << "Del" << "Type" << "Keyword"; m_model->setHorizontalHeaderLabels(headers); const list &filter = objGroup->getFilter(); list::const_iterator iter; for (iter = filter.begin(); iter != filter.end(); ++iter) { string type, keyword; objGroup->splitFilter(*iter, type, keyword); QList items; items << new QStandardItem(QString()); items << new QStandardItem(QString::fromUtf8(type.c_str())); items << new QStandardItem(QString::fromUtf8(keyword.c_str())); m_model->appendRow(items); int row = m_model->rowCount() - 1; m_ui.criteriaView->openPersistentEditor(m_model->index(row, 0)); m_ui.criteriaView->openPersistentEditor(m_model->index(row, 1)); m_ui.criteriaView->openPersistentEditor(m_model->index(row, 2)); } QHeaderView *header = m_ui.criteriaView->horizontalHeader(); /* Try to force at least some minimum size, as the ResizeToContents doesn't always seem to work */ header->resizeSection(0, 35); header->setStretchLastSection(true); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) header->setResizeMode(0, QHeaderView::ResizeToContents); header->setResizeMode(1, QHeaderView::ResizeToContents); #else header->setSectionResizeMode(0, QHeaderView::ResizeToContents); header->setSectionResizeMode(1, QHeaderView::ResizeToContents); #endif m_reloadObjFilter = false; m_loadedObjFilter = filter; m_loadedAllKeywords = obj->getAllKeywords(); } void DynamicGroupDialog::loadFWObject(FWObject *o) { DynamicGroup *objGroup = dynamic_cast(o); const list &filter = objGroup->getFilter(); if (obj != o || m_reloadObjFilter || m_loadedObjFilter != filter || m_loadedAllKeywords != o->getAllKeywords()) { obj = o; loadObjFilter(); } m_ui.nameEdit->setText(QString::fromUtf8(o->getName().c_str())); m_ui.commentKeywords->loadFWObject(o); FWObjectDatabase *root = obj->getRoot(); m_ui.matchedView->clear(); m_ui.matchedView->setDB(root); FWObject::tree_iterator tree_iter; for (tree_iter = 
root->tree_begin(); tree_iter != root->tree_end(); ++tree_iter) { FWObject *elem = (*tree_iter); if (elem == root) continue; if (!objGroup->isMemberOfGroup(elem)) continue; QTreeWidgetItem *item = new QTreeWidgetItem(m_ui.matchedView); item->setText(0, QString::fromUtf8(elem->getName().c_str())); item->setText(1, FWObjectPropertiesFactory::getObjectProperties(elem)); item->setData(0, Qt::UserRole, QVariant(elem->getId())); QString icon = ":/Icons/"; icon += elem->getTypeName().c_str(); icon += "/icon-ref"; QPixmap pixmap; if (!QPixmapCache::find(icon, pixmap)) { pixmap.load(icon); QPixmapCache::insert(icon, pixmap); } item->setIcon(0, QIcon(pixmap)); m_ui.matchedView->addTopLevelItem(item); } } void DynamicGroupDialog::validate(bool *result) { Q_UNUSED(result) } void DynamicGroupDialog::addMatchClicked() { int newRow = m_model->rowCount(); QList items; items << new QStandardItem("") << new QStandardItem(DynamicGroup::TYPE_NONE) << new QStandardItem(DynamicGroup::KEYWORD_NONE); m_model->insertRow(newRow, items); m_ui.criteriaView->openPersistentEditor(m_model->index(newRow, 0)); m_ui.criteriaView->openPersistentEditor(m_model->index(newRow, 1)); m_ui.criteriaView->openPersistentEditor(m_model->index(newRow, 2)); m_ui.criteriaView->resizeColumnsToContents(); QHeaderView *header = m_ui.criteriaView->horizontalHeader(); header->setStretchLastSection(true); m_ui.criteriaView->scrollToBottom(); /* How come insertRow() doesn't do this for us? 
*/ emit changed(); } void DynamicGroupDialog::deleteFilterClicked() { QToolButton *button = dynamic_cast(sender()); int row = button->property("row").toInt(); m_model->removeRow(row); m_reloadObjFilter = true; emit changed(); } void DynamicGroupDialog::gotItemDoubleClicked(QTreeWidgetItem *item, int) { int objId = item->data(0, Qt::UserRole).toInt(); FWObject *o = m_project->db()->findInIndex(objId); if (o == 0) return; QCoreApplication::postEvent(m_project, new showObjectInTreeEvent(o->getRoot()->getFileName().c_str(), objId)); QCoreApplication::postEvent(mw, new openObjectInEditorEvent(o->getRoot()->getFileName().c_str(), objId)); } fwbuilder-5.3.7/src/libgui/DynamicGroupDialog.h000066400000000000000000000047031303637203600214540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Theron Tock This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __DynamicGroupDialog_h__ #define __DynamicGroupDialog_h__ #include "config.h" #include #include #include #include "fwbuilder/FWObject.h" #include "ObjectListView.h" #include "ObjectIconView.h" #include "BaseObjectDialog.h" #include #include #include class ObjectListViewItem; class ProjectPanel; class DynamicGroupDialog : public BaseObjectDialog { Q_OBJECT; Ui::DynamicGroupDialog_q m_ui; QStandardItemModel *m_model; bool m_reloadObjFilter; std::list m_loadedObjFilter; std::set m_loadedAllKeywords; void loadObjFilter(); public: DynamicGroupDialog(QWidget *parent); libfwbuilder::FWObject *getCurrentObj() { return obj; } public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool *); void addMatchClicked(); void deleteFilterClicked(); void gotItemDoubleClicked(QTreeWidgetItem *item, int); }; class DynamicItemDelegate : public QItemDelegate { Q_OBJECT; DynamicGroupDialog *m_dialog; public: DynamicItemDelegate(DynamicGroupDialog *dialog, QObject *parent = 0); QWidget *createEditor(QWidget *parent, const QStyleOptionViewItem &option, const QModelIndex &index) const; void setEditorData(QWidget *editor, const QModelIndex &index) const; void setModelData(QWidget *editor, QAbstractItemModel *model, const QModelIndex &index) const; public slots: void comboActivated(int); }; #endif /* __DynamicGroupDialog_h__ */ fwbuilder-5.3.7/src/libgui/FWBAboutDialog.cpp000066400000000000000000000027031303637203600210150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "FWBAboutDialog.h" #include "fwbuilder/Constants.h" #include "../../VERSION.h" FWBAboutDialog::FWBAboutDialog(QWidget *parent): QDialog(parent) { m_aboutDialog = new Ui::AboutDialog_q; m_aboutDialog->setupUi(this); QString pgm = m_aboutDialog->titleLbl->text(); m_aboutDialog->titleLbl->setText(pgm.arg(GENERATION)); m_aboutDialog->revLbl->setText(VERSION); m_aboutDialog->apiLbl->setText(""); ABOUT_DLG_BLANKS; setWindowTitle(QString("Firewall Builder: About...")); adjustSize(); }; FWBAboutDialog::~FWBAboutDialog() { delete m_aboutDialog; }; fwbuilder-5.3.7/src/libgui/FWBAboutDialog.h000066400000000000000000000022571303637203600204660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ABOUTDIALOG_H_ #define __ABOUTDIALOG_H_ #ifndef ABOUT_DLG_BLANKS #define ABOUT_DLG_BLANKS #endif #include class FWBAboutDialog: public QDialog { Q_OBJECT Ui::AboutDialog_q *m_aboutDialog; void fillTheBlanks(); public: FWBAboutDialog(QWidget *parent); ~FWBAboutDialog(); }; #endif fwbuilder-5.3.7/src/libgui/FWBApplication.cpp000066400000000000000000000041111303637203600210610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "FWBSettings.h" #include "FWBApplication.h" #include "FWWindow.h" #include "fwbuilder/FWException.h" #include #include using namespace libfwbuilder; using namespace std; void FWBApplication::quit() { if (fwbdebug) qDebug() << "FWBApplication::quit()"; timeout = 0; if (mw->isVisible()) mw->hide(); if (st->getCheckUpdates()) { QTimer::singleShot(100, this, SLOT(delayedQuit())); } else delayedQuit(); } void FWBApplication::delayedQuit() { if (fwbdebug) qDebug() << "FWBApplication::delayedQuit()"; QApplication::quit(); } bool FWBApplication::notify(QObject *receiver, QEvent *event) { try { return QApplication::notify(receiver, event); } catch (const libfwbuilder::FWException &ex) { cerr << "Caught FWException: " << ex.toString() << std::endl; QCoreApplication::exit(1); } catch (const std::string &s) { cerr << s << std::endl; QCoreApplication::exit(1); } catch (const std::exception &ex) { cerr << ex.what() << std::endl; QCoreApplication::exit(1); } catch (...) { cerr << "Caught unsupported exception" << std::endl; QCoreApplication::exit(1); } return false; } fwbuilder-5.3.7/src/libgui/FWBApplication.h000066400000000000000000000023211303637203600205270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWBAPPLICATION_H_ #define __FWBAPPLICATION_H_ #include class FWBApplication : public QApplication { Q_OBJECT; int timeout; public: FWBApplication(int &argc, char **argv) : QApplication(argc, argv) {} virtual bool notify(QObject *receiver, QEvent *event); public slots: void quit(); void delayedQuit(); }; #endif fwbuilder-5.3.7/src/libgui/FWBMainWindow_q.ui000066400000000000000000002037511303637203600210600ustar00rootroot00000000000000 FWBMainWindow_q true 0 0 1124 846 0 0 1000 500 Firewall Builder :/Images/fwbuilder3.png:/Images/fwbuilder3.png 2 0 0 950 285 524287 524287 Qt::BottomDockWidgetArea 2 0 0 100 200 10000 10000 QTabWidget::West 2 Output 0 Find 20 12 20 20 0 0 0 160 32767 32767 QFrame::NoFrame QFrame::Plain 0 11 Editor 0 0 0 12 12 0 0 80 0 80 16777215 :/Icons/Cluster/icon Qt::AlignCenter Qt::Vertical 0 58 0 0 200 200 16777215 285 Qt::StrongFocus QFrame::NoFrame QFrame::Sunken 39 0 0 0 0 0 0 16777215 16777215 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6 0 0 0 Qt::Horizontal TopToolBarArea false 0 0 1124 26 &Edit Object Tools &Help Rules &File Open Recent Window View Undo Stack 2 2 false true :/Icons/newfile_25.png:/Icons/newfile_25.png &New Object File New Object File :/Icons/openfile_25.png:/Icons/openfile_25.png &Open... Open Ctrl+O :/Icons/save_25.png:/Icons/save_25.png &Save Save Ctrl+S Save &As... Save As true &Print... Print Ctrl+P E&xit Exit &Cut Cut Ctrl+X false C&opy Copy Ctrl+C &Paste Paste Ctrl+V Ctrl+F &Contents... Contents &Index... 
Index &About About :/Icons/newfile_25.png:/Icons/newfile_25.png New New :/Icons/openfile_25.png:/Icons/openfile_25.png Open Open :/Icons/save_25.png:/Icons/save_25.png Save Save &Close Close :/Icons/Compile:/Icons/Compile Compile Compile Compile rules of all firewall and cluster objects Compile rules of all firewall and cluster objects Compile rules of all firewall and cluster objects :/Icons/Install:/Icons/Install Install Install Install firewall policy of all firewall and cluster objects Install firewall policy of all firewall and cluster objects Install firewall policy of all firewall and cluster objects false :/Icons/back_25.png:/Icons/back_25.png Back Back Move back to the previous object Move back to the previous object :/Icons/newobject_25.png:/Icons/newobject_25.png &New Object New Object Create New Object Ctrl+N :/Icons/search_25.png:/Icons/search_25.png &Find Object Find Object Find object in the tree Find object in the tree Ctrl+F P&references... Preferences... Edit Preferences Add File to &RCS Add File to RCS Delete Delete &Export Library Export Library To a File Import &Library Import Library From a File &Debug Debug Propert&ies Propert&ies Show File Properties Ctrl+I &Discard Discard Discard Changes and Overwrite With Clean Copy Of The Head Revision From RCS Co&mmit Commit Commit Opened File to RCS and Continue Editing Lock Lock Unlock Unlock Object Discovery Object Discovery new item new item Find Conflicting Objects in Two Files Find Conflicting Objects in Two Files Import &Firewall Import Policy Firewall Builder Help true Clear Menu New Object File Release Notes true Object Tree Ctrl+T true Rules true Editor Panel true Undo Stack :/Icons/Inspect:/Icons/Inspect Inspect Import Addresses From File Discover networks and hosts using SNMP :/Icons/forward_25.png:/Icons/forward_25.png Forward Move forward to the next object QUndoView QListView

qundoview.h
ObjectEditorDockWidget QDockWidget
ObjectEditorDockWidget.h
1
InterfaceDialog QWidget
InterfaceDialog.h
1
FirewallDialog QWidget
FirewallDialog.h
1
UserDialog QWidget
UserDialog.h
1
RuleSetDialog QWidget
RuleSetDialog.h
1
LibraryDialog QWidget
LibraryDialog.h
1
IPv4Dialog QWidget
IPv4Dialog.h
1
IPv6Dialog QWidget
IPv6Dialog.h
1
PhysicalAddressDialog QWidget
PhysicalAddressDialog.h
1
AddressRangeDialog QWidget
AddressRangeDialog.h
1
ClusterDialog QWidget
ClusterDialog.h
1
ClusterGroupDialog QWidget
ClusterGroupDialog.h
1
HostDialog QWidget
HostDialog.h
1
NetworkDialog QWidget
NetworkDialog.h
1
NetworkDialogIPv6 QWidget
NetworkDialogIPv6.h
1
CustomServiceDialog QWidget
CustomServiceDialog.h
1
IPServiceDialog QWidget
IPServiceDialog.h
1
ICMPServiceDialog QWidget
ICMPServiceDialog.h
1
TCPServiceDialog QWidget
TCPServiceDialog.h
1
UDPServiceDialog QWidget
UDPServiceDialog.h
1
TagServiceDialog QWidget
TagServiceDialog.h
1
GroupObjectDialog QWidget
GroupObjectDialog.h
1
TimeDialog QWidget
TimeDialog.h
1
RoutingRuleOptionsDialog QWidget
RoutingRuleOptionsDialog.h
1
RuleOptionsDialog QWidget
RuleOptionsDialog.h
1
NATRuleOptionsDialog QWidget
NATRuleOptionsDialog.h
1
DNSNameDialog QWidget
DNSNameDialog.h
1
AddressTableDialog QWidget
AddressTableDialog.h
1
ActionsDialog QWidget
ActionsDialog.h
1
CommentEditorPanel QWidget
CommentEditorPanel.h
1
MetricEditorPanel QWidget
MetricEditorPanel.h
1
CompilerOutputPanel QWidget
CompilerOutputPanel.h
1
BlankDialog QWidget
BlankDialog.h
1
AttachedNetworksDialog QWidget
AttachedNetworksDialog.h
1
DynamicGroupDialog QWidget
DynamicGroupDialog.h
1
addToRCSAction triggered() FWBMainWindow_q fileAddToRCS() -1 -1 20 20 compileAction triggered() FWBMainWindow_q compile() -1 -1 20 20 debugAction triggered() FWBMainWindow_q debug() -1 -1 20 20 editCopyAction triggered() FWBMainWindow_q editCopy() -1 -1 20 20 editCutAction triggered() FWBMainWindow_q editCut() -1 -1 20 20 editDeleteAction triggered() FWBMainWindow_q editDelete() -1 -1 20 20 editFindAction triggered() FWBMainWindow_q editFind() -1 -1 20 20 editPasteAction triggered() FWBMainWindow_q editPaste() -1 -1 20 20 editPrefsAction triggered() FWBMainWindow_q editPrefs() -1 -1 20 20 fileCloseAction triggered() FWBMainWindow_q fileClose() -1 -1 20 20 fileCommitAction triggered() FWBMainWindow_q fileCommit() -1 -1 20 20 fileCompareAction triggered() FWBMainWindow_q fileCompare() -1 -1 20 20 fileDiscardAction triggered() FWBMainWindow_q fileDiscard() -1 -1 20 20 fileExitAction triggered() FWBMainWindow_q fileExit() -1 -1 20 20 fileNewAction triggered() FWBMainWindow_q fileNew() -1 -1 20 20 fileOpenAction triggered() FWBMainWindow_q fileOpen() -1 -1 20 20 filePrintAction triggered() FWBMainWindow_q filePrint() -1 -1 20 20 filePropAction triggered() FWBMainWindow_q fileProp() -1 -1 20 20 fileSaveAction triggered() FWBMainWindow_q fileSave() -1 -1 20 20 fileSaveAsAction triggered() FWBMainWindow_q fileSaveAs() -1 -1 20 20 helpAboutAction triggered() FWBMainWindow_q helpAbout() -1 -1 20 20 helpContentsAction triggered() FWBMainWindow_q helpContents() -1 -1 20 20 helpIndexAction triggered() FWBMainWindow_q helpIndex() -1 -1 20 20 installAction triggered() FWBMainWindow_q install() -1 -1 20 20 libExportAction triggered() FWBMainWindow_q fileExport() -1 -1 20 20 libImportAction triggered() FWBMainWindow_q fileImport() -1 -1 20 20 newObjectAction triggered() FWBMainWindow_q newObject() -1 -1 20 20 ObjectLockAction triggered() FWBMainWindow_q lockObject() -1 -1 20 20 ObjectUnlockAction triggered() FWBMainWindow_q unlockObject() -1 -1 20 20 toolbarFileNew triggered() 
FWBMainWindow_q fileNew() -1 -1 20 20 toolbarFileOpen triggered() FWBMainWindow_q fileOpen() -1 -1 20 20 toolbarFileSave triggered() FWBMainWindow_q fileSave() -1 -1 20 20 policyImportAction triggered() FWBMainWindow_q importPolicy() -1 -1 20 20 helpAction triggered() FWBMainWindow_q help() -1 -1 370 359 actionClearRecentFiles triggered() FWBMainWindow_q clearRecentFilesMenu() -1 -1 370 359 release_Notes_Action triggered() FWBMainWindow_q showReleaseNotes() -1 -1 370 359 actionObject_Tree triggered() FWBMainWindow_q toggleViewObjectTree() -1 -1 370 359 actionEditor_panel triggered() FWBMainWindow_q toggleViewEditor() -1 -1 370 359 editorPanelTabWidget currentChanged(int) FWBMainWindow_q editorPanelTabChanged(int) 511 708 540 422 actionUndo_view triggered() FWBMainWindow_q toggleViewUndo() -1 -1 554 422 inspectAction triggered() FWBMainWindow_q inspect() -1 -1 571 422 ImportAddressesFromFileAction triggered() FWBMainWindow_q toolsImportAddressesFromFile() -1 -1 571 422 SNMPDiscoveryAction triggered() FWBMainWindow_q toolsSNMPDiscovery() -1 -1 571 422 clearRecentFilesMenu() showReleaseNotes() toggleViewObjectTree() toggleViewRules() toggleViewEditor() toggleViewSearch() editorPanelTabChanged(int) toggleViewUndo() showSummary() showTutorial() inspect() toolsImportAddressesFromFile() toolsSNMPDiscovery() back() forward() fwbuilder-5.3.7/src/libgui/FWBSettings.cpp000066400000000000000000001207251303637203600204300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "FWBSettings.h" #include "FWWindow.h" #include "ObjectManipulator.h" #include "fwbuilder/FWObjectDatabase.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef _WIN32 # include # include # include #else # include // for access(2) #endif #include using namespace std; using namespace libfwbuilder; const char* DTDSetpath = SETTINGS_PATH_PREFIX "/System/DTDPath"; const char* ResSetpath = SETTINGS_PATH_PREFIX "/System/ResPath"; const char* compression = SETTINGS_PATH_PREFIX "/DataFile/compression"; const char* wdirSetpath = SETTINGS_PATH_PREFIX "/Environment/WDir"; const char* datadirSetpath = SETTINGS_PATH_PREFIX "/Environment/DataDir"; const char* ofdirSetpath = SETTINGS_PATH_PREFIX "/Environment/OpenFileDir"; const char* startupActionSetpath = SETTINGS_PATH_PREFIX "/Environment/StartupAction"; const char* labelColorPath = SETTINGS_PATH_PREFIX "/ColorLabels/color_"; const char* labelTextPath = SETTINGS_PATH_PREFIX "/ColorLabels/text_"; const char* diffColorPath = SETTINGS_PATH_PREFIX "/Diff/color_"; const char* lastEditedSetpath = SETTINGS_PATH_PREFIX "/Environment/LastEdited"; const char* autoSave = SETTINGS_PATH_PREFIX "/Environment/autoSave"; const char* expandTreeSetpath = SETTINGS_PATH_PREFIX "/UI/ExpandTree"; const char* MergeLibsSetpath = SETTINGS_PATH_PREFIX "/UI/MergeLibraries"; const char* infoStyleSetpath = SETTINGS_PATH_PREFIX "/UI/InfoWindowStyle"; const char* infoWindowHSetpath = SETTINGS_PATH_PREFIX "/UI/InfoWindowHeight"; const 
char* groupModeSetpath = SETTINGS_PATH_PREFIX "/UI/GroupViewMode"; const char* groupColsSetpath = SETTINGS_PATH_PREFIX "/UI/GroupViewColumns"; const char* customTemplatesEn = SETTINGS_PATH_PREFIX "/UI/customTemplatesEnabled"; const char* objTooltips = SETTINGS_PATH_PREFIX "/UI/objTooltips"; const char* tooltipDelay = SETTINGS_PATH_PREFIX "/UI/tooltipDelay"; const char* showUndoPanel = SETTINGS_PATH_PREFIX "/UI/showUndoPanel"; const char* userWorkflowFlags = SETTINGS_PATH_PREFIX "/UI/userWorkFlowFlags"; const char* iconsWithText = SETTINGS_PATH_PREFIX "/UI/IconWithText"; const char* emptyRCSLog = SETTINGS_PATH_PREFIX "/RCS/emptyLog"; const char* rcsFilePreviewStyle = SETTINGS_PATH_PREFIX "/RCS/FilePreviewStyle"; const char* rcsFilePreviewSortColumn = SETTINGS_PATH_PREFIX "/RCS/FilePreviewSortColumn"; const char* dontSaveStdLib = SETTINGS_PATH_PREFIX "/DataFormat/dontSaveStdLib"; const char* WindowGeometrySetpath= SETTINGS_PATH_PREFIX "/Layout/"; const char* screenPositionSetpath= SETTINGS_PATH_PREFIX "/ScreenPos/"; const char* showIconsInRules = SETTINGS_PATH_PREFIX "/UI/Icons/ShowIconsInRules"; const char* showDirectionText = SETTINGS_PATH_PREFIX "/UI/Icons/ShowDirectionTextInRules"; const char* iconsInRulesSize = SETTINGS_PATH_PREFIX "/UI/Icons/IconsInRulesSize"; const char* rulesFont = SETTINGS_PATH_PREFIX "/UI/Fonts/RulesFont"; const char* treeFont = SETTINGS_PATH_PREFIX "/UI/Fonts/TreeFont"; const char* uiFont = SETTINGS_PATH_PREFIX "/UI/Fonts/UiFont"; const char* compilerOutputFont = SETTINGS_PATH_PREFIX "/UI/Fonts/CompilerOutputFont"; const char* clipComment = SETTINGS_PATH_PREFIX "/UI/ClipComment"; const char* checkUpdates = SETTINGS_PATH_PREFIX "/UI/CheckUpdates"; const char* updateAvailableWarningLastTime = SETTINGS_PATH_PREFIX "/UI/updateAvailableWarningLastTime"; const char* announcementLastTime = SETTINGS_PATH_PREFIX "/UI/announcementLastTime/%1"; const char* checkUpdatesProxy = SETTINGS_PATH_PREFIX "/UI/CheckUpdatesProxy"; const char* 
reminderAboutStandardLibSuppressed = SETTINGS_PATH_PREFIX "/UI/reminderAboutStandardLibSuppressed"; const char* reminderDataDir = SETTINGS_PATH_PREFIX "/UI/reminderDataDir"; const char* introDialogEnabled = SETTINGS_PATH_PREFIX "/UI/introDialogEnabled"; const char* newFirewallPlatform = SETTINGS_PATH_PREFIX "/Objects/NewFireallPlatform"; const char* newClusterFailoverProtocol = SETTINGS_PATH_PREFIX "/Objects/newClusterFailoverProtocol"; const char* abTestingGroup = SETTINGS_PATH_PREFIX "/abTestingGroup"; const char* startsCounter = SETTINGS_PATH_PREFIX "/startsCounter"; const char* targetStatus = SETTINGS_PATH_PREFIX "/TargetStatus/"; const char* SSHPath = SETTINGS_PATH_PREFIX "/SSH/SSHPath"; const char* SCPPath = SETTINGS_PATH_PREFIX "/SSH/SCPPath"; const char* DiffPath = SETTINGS_PATH_PREFIX "/Diff/DiffPath"; const char* appGUID = "/fwbuilder_gui/ApplicationGUID"; const char* appGUID_4_0 = "/4.0/ApplicationGUID"; const char* appGUID_4_1 = "/4.1/ApplicationGUID"; #ifdef _WIN32 const char* SSHTimeout = "Sessions/fwb_session_with_keepalive/PingIntervalSecs"; #else const char* SSHTimeout = SETTINGS_PATH_PREFIX "/SSH/SSHTimeout"; #endif const char * displayUnmodifiedRules = SETTINGS_PATH_PREFIX "/Diff/displayUnmodifiedRules"; /** * Settings path defined here should match Windows registry paths used * in the Windows installer/uninstaller scripts. * * Path used for uuid_settings should not include version to ensure * uuid persistence across upgrades. 
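This means do not use getApplicationNameForSettings() */
FWBSettings::FWBSettings(bool testData) :
    QSettings(QSettings::UserScope, "netcitadel.com",
              testData ? "fwb_test_data" : getApplicationNameForSettings())
{
    // A test run starts from an empty store so that the defaults applied
    // by init() are not masked by values left behind by an earlier test.
    if (testData) { this->clear(); }

    // The application GUID has its own, version-less store so that the id
    // persists across upgrades (see the comment above).
    uuid_settings = new QSettings(QSettings::IniFormat, QSettings::UserScope,
                                  "netcitadel.com", "FirewallBuilder");
#ifdef _WIN32
    // On Windows the ssh keepalive is a PuTTY session parameter kept in the
    // registry, hence a separate settings object (see haveSSHTimeout()).
    ssh_timeout_setings_object = new QSettings(QSettings::UserScope,
                                               "SimonTatham", "PuTTY");
#else
    ssh_timeout_setings_object = this;
#endif
}

FWBSettings::~FWBSettings()
{
    delete uuid_settings;
#ifdef _WIN32
    // Only a distinct object on Windows; elsewhere it aliases this.
    delete ssh_timeout_setings_object;
#endif
}

/*
 * Make sure the configured working directory exists. If it does not and
 * cannot be created, report the problem and clear the setting so the rest
 * of the program falls back to its default.
 *
 * A relative path is created relative to the current directory. (The
 * previous code asked QDir(wd) to create "wd", which for a relative path
 * meant "wd/wd" inside a directory that does not exist, so relative
 * working directories could never be created.)
 */
static void ensureWorkingDirectory(FWBSettings *settings)
{
#ifdef _WIN32
    QString wd = settings->getWDir().replace('/', '\\');
#else
    QString wd = settings->getWDir();
#endif
    if (wd.isEmpty()) return;

    QDir wdir(wd);
    if (wdir.exists() || QDir::current().mkdir(wd)) return;

    QString err = QString(QObject::tr("Working directory %1 does not exist and could not be created.\nIgnoring this setting.")).arg(wd);
    // Without a running GUI (app == NULL) the message only goes to the log.
    if (app != NULL)
    {
        QMessageBox::critical( 0,"Firewall Builder", err, "&Continue", 0, 0, 0 );
    } else
    {
        qDebug() << err;
    }
    settings->setWDir("");
}

/*
 * Install the default colour (and caption) for every rule-label colour and
 * diff colour that has no stored value yet. Existing values are never
 * overwritten, so user customisations survive upgrades.
 */
static void applyDefaultColors(FWBSettings *settings)
{
    struct LabelDefault
    {
        FWBSettings::LabelColors color;
        const char *rgb;
        const char *text;
    };
    static const LabelDefault label_defaults[] = {
        { FWBSettings::RED,    "#C86E6E", "Red" },
        { FWBSettings::ORANGE, "#C08B5A", "Orange" },
        { FWBSettings::YELLOW, "#C0BA44", "Yellow" },
        { FWBSettings::GREEN,  "#8BC065", "Green" },
        { FWBSettings::BLUE,   "#7694C0", "Blue" },
        { FWBSettings::PURPLE, "#A37EC0", "Purple" },
        { FWBSettings::GRAY,   "#C0C0C0", "Gray" },
    };
    const int n_labels = int(sizeof(label_defaults) / sizeof(label_defaults[0]));
    for (int i = 0; i < n_labels; ++i)
    {
        const LabelDefault &d = label_defaults[i];
        if (settings->getLabelColor(d.color).isEmpty())
        {
            settings->setLabelColor(d.color, d.rgb);
            settings->setLabelText(d.color, d.text);
        }
    }

    struct DiffDefault
    {
        FWBSettings::LabelColors color;
        const char *rgb;
    };
    static const DiffDefault diff_defaults[] = {
        { FWBSettings::ADD_COLOR,    "#8BC065" },
        { FWBSettings::EDIT_COLOR,   "#7694C0" },
        { FWBSettings::MOVE_COLOR,   "#C0C0C0" },
        { FWBSettings::REMOVE_COLOR, "#C86E6E" },
    };
    const int n_diffs = int(sizeof(diff_defaults) / sizeof(diff_defaults[0]));
    for (int i = 0; i < n_diffs; ++i)
    {
        const DiffDefault &d = diff_defaults[i];
        if (settings->getDiffColor(d.color).isEmpty())
            settings->setDiffColor(d.color, d.rgb);
    }
}

/**
 * Apply a default for every setting that has no stored value yet, migrate
 * the application GUID from the stores used by 4.0/4.1, and detect a first
 * run. Called once at startup. Stored values are never overwritten, except
 * that the starts counter is incremented on every call.
 *
 * To preserve behavior of the old versions of fwbuilder on Unix, the
 * default working dir is set to "." - current dir.
 *
 * On Windows default working dir is set to
 * "Documents and settings/USERNAME/Firewalls"
 *
 * @param force_first_time_run  treat this start as a first run even when
 *                              an application GUID already exists.
 */
void FWBSettings::init(bool force_first_time_run)
{
    first_run = false;

    if (!contains(reminderAboutStandardLibSuppressed))
        suppressReminderAboutStandardLib(true);

    // Carry the GUID over from the 4.1 and 4.0 stores; only when none
    // exists is this a first run and a fresh id is generated.
    if (!uuid_settings->contains(appGUID))
    {
        if (uuid_settings->contains(appGUID_4_1))
        {
            uuid_settings->setValue(appGUID, uuid_settings->value(appGUID_4_1).toString());
            uuid_settings->remove(appGUID_4_1);
        } else if (uuid_settings->contains(appGUID_4_0))
        {
            uuid_settings->setValue(appGUID, uuid_settings->value(appGUID_4_0).toString());
            uuid_settings->remove(appGUID_4_0);
        } else
        {
            qsrand(time(NULL));
            uuid_settings->setValue(appGUID, QUuid::createUuid().toString());
            first_run = true;
        }
    }
    if (force_first_time_run) first_run = true;

    if (first_run)
    {
        suppressReminderAboutStandardLib(false);
    } else
    {
        // enable custom templates for existing users for backwards
        // compatibility. New users will have this disabled for simplicity.
        if (!contains(customTemplatesEn)) setCustomTemplatesEnabled(true);
    }

    // a/b group codes are "1" and "2"
    if (!contains(abTestingGroup))
        setABTestingGroup(QTime::currentTime().second() % 2 + 1);

    if (!contains(introDialogEnabled)) setIntroDialogEnabled(true);

    if (!contains(startsCounter)) setValue(startsCounter, 0);
    setValue(startsCounter, getStartsCounter() + 1);
    // disable invitation to watch quick start guide after 5 starts
    if (getStartsCounter() > 5) setIntroDialogEnabled(false);

    /*
     * Two particular uuids showed up in the logs from thousands of
     * unrelated installations: QUuid::createUuid() apparently returned a
     * predictable uuid in some cases, and versions before 4.0.2 did not
     * call qsrand() first because the Qt documentation says createUuid()
     * seeds itself. Replace those two with a fresh id to reduce the
     * systematic error in counting running instances.
     */
    QString my_uuid = getAppGUID();
    if (my_uuid == "b7203c47-06bf-4878-9ff5-6afffb2db546" ||
        my_uuid == "46759a87-7956-431f-a171-ccb754ef239e")
    {
        qsrand(time(NULL));
        uuid_settings->setValue(appGUID, QUuid::createUuid().toString());
    }

    // By default sort RCS File preview by date, which is column 1
    if (!contains(rcsFilePreviewSortColumn)) setRCSFilePreviewSortColumn(1);
    if (!contains(infoStyleSetpath)) setValue(infoStyleSetpath, 2);
    if (!contains(infoWindowHSetpath)) setValue(infoWindowHSetpath, 200);
    if (!contains(dontSaveStdLib)) setDontSaveStdLib(true);
    if (!contains(startupActionSetpath)) setStartupAction(2);
    if (!contains(showDirectionText)) setShowDirectionText(true);

    ensureWorkingDirectory(this);

    if (!contains(objTooltips)) setObjTooltips(true);

    applyDefaultColors(this);

    if (!contains(showIconsInRules)) setShowIconsInRules(true);
    if (!contains(iconsInRulesSize)) setIconsInRulesSize(SIZE25X25);

    // All fonts default to the application font.
    if (!contains(rulesFont)) setRulesFont(QApplication::font());
    if (!contains(treeFont)) setTreeFont(QApplication::font());
    if (!contains(uiFont)) setUiFont(QApplication::font());
    if (!contains(compilerOutputFont)) setCompilerOutputFont(QApplication::font());
    if (fwbdebug) qDebug() << "Default application font:" << QApplication::font();

    if (!contains(iconsWithText)) setIconsWithText(true);
    if (!contains(clipComment)) setClipComment(true);
    if (!contains(checkUpdates))
    {
        setCheckUpdates(true);
        setTimeOfLastUpdateAvailableWarning(0);
    }
    if (!contains(compression)) setCompression(false);

#ifndef _WIN32
    // NOTE(review): these name the programs used for transfers; they are
    // stored as bare names here and come from a user-writable settings
    // store, so the code that runs them (not visible in this file) decides
    // how they are resolved.
    if (getSSHPath().isEmpty()) setSSHPath("ssh");
    if (getSCPPath().isEmpty()) setSCPPath("scp");
#endif

    // default timeout is 30 sec (default value of ServerAliveCountMax is 3)
    // do this for both Linux and windows !
    if (!haveSSHTimeout()) setSSHTimeout(10);

    // Note: hasKey calls QSettings::contains using path given as
    // argument, prepended with SETTINGS_PATH_PREFIX.
    // Defaults for the main window and for newly created objects/rules.
    if (!hasKey("Window/maximized")) setInt("Window/maximized", 1);
    if (!hasKey("Objects/DNSName/useCompileTimeForNewObjects")) setBool("Objects/DNSName/useCompileTimeForNewObjects", true);
    if (!hasKey("Objects/DNSName/useNameForDNSRecord")) setBool("Objects/DNSName/useNameForDNSRecord", false);
    if (!hasKey("Objects/AddressTable/useCompileTimeForNewObjects")) setBool("Objects/AddressTable/useCompileTimeForNewObjects", true);
    if (!hasKey("Objects/PolicyRule/defaultLoggingState")) setBool("Objects/PolicyRule/defaultLoggingState", true);
    if (!hasKey("Objects/PolicyRule/defaultStateful")) setBool("Objects/PolicyRule/defaultStateful", true);
    if (!hasKey("Objects/PolicyRule/defaultAction")) setInt("Objects/PolicyRule/defaultAction", 0);
    if (!hasKey("Objects/PolicyRule/defaultDirection")) setInt("Objects/PolicyRule/defaultDirection", 0);
    if (!hasKey("Objects/PolicyRule/defaultInterface")) setInt("Objects/PolicyRule/defaultInterface", 0);
    if (!hasKey("Objects/Interface/autoconfigureInterfaces")) setBool("Objects/Interface/autoconfigureInterfaces", true);
}

// Reminder flags: true means the corresponding reminder is not shown.
bool FWBSettings::isReminderAboutStandardLibSuppressed()
{
    return value(reminderAboutStandardLibSuppressed).toBool();
}

void FWBSettings::suppressReminderAboutStandardLib(bool f)
{
    setValue(reminderAboutStandardLibSuppressed, f);
}

bool FWBSettings::isReminderAboutDataDirSuppressed()
{
    return value(reminderDataDir).toBool();
}

void FWBSettings::suppressReminderAboutDataDir(bool f)
{
    setValue(reminderDataDir, f);
}

// True when attribute (relative to SETTINGS_PATH_PREFIX) has a stored value.
bool FWBSettings::hasKey(const QString &attribute)
{
    return QSettings::contains(SETTINGS_PATH_PREFIX "/" + attribute);
}

// The GUID comes from the version-less store, not from this object.
QString FWBSettings::getAppGUID()
{
    return uuid_settings->value(appGUID).toString();
}

// Generic typed accessors; attribute is relative to SETTINGS_PATH_PREFIX.
QString FWBSettings::getStr(const QString &attribute)
{
    QString path = SETTINGS_PATH_PREFIX "/" + attribute;
    return value(path).toString();
}

void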
FWBSettings::setStr(const QString &attribute, const QString &val)
{
    QString path = SETTINGS_PATH_PREFIX "/" + attribute;
    setValue(path,val);
}

bool FWBSettings::getBool(const QString &attribute)
{
    QString path = SETTINGS_PATH_PREFIX "/" + attribute;
    return value(path).toBool();
}

void FWBSettings::setBool(const QString &attribute, bool val )
{
    QString path = SETTINGS_PATH_PREFIX "/" + attribute;
    setValue(path,val);
}

int FWBSettings::getInt(const QString &attribute)
{
    QString path = SETTINGS_PATH_PREFIX "/" + attribute;
    return value(path).toInt();
}

void FWBSettings::setInt(const QString &attribute, int val )
{
    QString path = SETTINGS_PATH_PREFIX "/" + attribute;
    setValue(path,val);
}

QStringList FWBSettings::getList(const QString &attribute)
{
    QString path = SETTINGS_PATH_PREFIX "/" + attribute;
    return value(path).toStringList();
}

void FWBSettings::setList(const QString &attribute, QStringList &list)
{
    QString path = SETTINGS_PATH_PREFIX "/" + attribute;
    setValue(path, list);
}

// Working directory; an empty string means "not set" (see init()).
QString FWBSettings::getWDir() { return value(wdirSetpath).toString();}
void FWBSettings::setWDir(const QString &wd) { setValue(wdirSetpath, wd);}

QString FWBSettings::getDataDir() { return value(datadirSetpath).toString();}

// The data dir is also pushed into libfwbuilder so both sides agree.
void FWBSettings::setDataDir(const QString &d)
{
    setValue(datadirSetpath, d);
    FWObject::setDataDir(d.toUtf8().constData());
}

int FWBSettings::getInfoStyle() { return value(infoStyleSetpath).toInt();}
void FWBSettings::setInfoStyle(int s) { setValue(infoStyleSetpath,s);}

int FWBSettings::getInfoWindowHeight() { return value(infoWindowHSetpath).toInt();}
void FWBSettings::setInfoWindowHeight(int h) { setValue(infoWindowHSetpath,h);}

QString FWBSettings::getGroupViewMode() { return value(groupModeSetpath).toString();}
void FWBSettings::setGroupViewMode(const QString &m) { setValue(groupModeSetpath,m);}

QString FWBSettings::getGroupViewColumns() { return value(groupColsSetpath).toString();}
void FWBSettings::setGroupViewColumns(const QString &m) {
setValue(groupColsSetpath,m);}

// Startup action is stored as an integer item index (see the header).
int FWBSettings::getStartupAction() { return value(startupActionSetpath).toInt();}
void FWBSettings::setStartupAction(int sa) { setValue( startupActionSetpath , sa );}

int FWBSettings::getExpandTree() { return value(expandTreeSetpath).toInt(); }
void FWBSettings::setExpandTree(int f) { setValue( expandTreeSetpath , f ); }

int FWBSettings::getMergeLibs() { return value(MergeLibsSetpath).toInt(); }
void FWBSettings::setMergeLibs(int f) { setValue( MergeLibsSetpath , f ); }

bool FWBSettings::getObjTooltips() { return value( objTooltips ).toBool();}
void FWBSettings::setObjTooltips(bool f) { setValue( objTooltips, f); }

int FWBSettings::getTooltipDelay() { return value( tooltipDelay ).toInt(); }
void FWBSettings::setTooltipDelay(int v) { setValue( tooltipDelay, v); }

QString FWBSettings::getLastEdited() { return value(lastEditedSetpath).toString();}
void FWBSettings::setLastEdited(const QString &file) { setValue(lastEditedSetpath,file);}

/*
 * Directory to open the file dialog in. Tried in order, each only if it
 * is an existing directory: the working dir, the last open-file dir, the
 * directory of existingPath, and finally userDataDir (a global defined
 * outside this file).
 */
QString FWBSettings::getOpenFileDir(const QString &existingPath)
{
    QString ret = getWDir();
    if (!ret.isEmpty() && QFileInfo(ret).isDir()) return ret;
    ret = value(ofdirSetpath).toString();
    if (!ret.isEmpty() && QFileInfo(ret).isDir()) return ret;
    if (!existingPath.isEmpty())
    {
        // getFileDir() is defined elsewhere; presumably the parent dir.
        ret = getFileDir(existingPath);
        if (QFileInfo(ret).isDir()) return ret;
    }
    return userDataDir.c_str();
}

// Accepts either a directory or a file; for a file its directory is kept.
void FWBSettings::setOpenFileDir(const QString &d)
{
    QString dirPath = d;
    QFileInfo info(d);
    if (!info.isDir())
    {
        dirPath = info.dir().path();
    }
    setValue(ofdirSetpath, dirPath);
}

// Intentionally empty: values are written through setValue() as they change.
void FWBSettings::save()
{
}

bool FWBSettings::getRCSLogState() { return value( emptyRCSLog ).toBool(); }
void FWBSettings::setRCSLogState(bool f) { setValue( emptyRCSLog , f ); }

int FWBSettings::getRCSFilePreviewStyle() { return value(rcsFilePreviewStyle).toInt(); }
void FWBSettings::setRCSFilePreviewStyle(int style) { setValue(rcsFilePreviewStyle, style); }

int FWBSettings::getRCSFilePreviewSortColumn()
{
    return value(rcsFilePreviewSortColumn).toInt();
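}

void FWBSettings::setRCSFilePreviewSortColumn(int col) { setValue(rcsFilePreviewSortColumn, col); }

bool FWBSettings::getAutoSave() { return value( autoSave ).toBool(); }
void FWBSettings::setAutoSave(bool f) { setValue( autoSave, f); }

bool FWBSettings::getCompression() { return value(compression).toBool(); }
void FWBSettings::setCompression(bool f) { setValue(compression, f); }

bool FWBSettings::getDontSaveStdLib() {return value(dontSaveStdLib).toBool();}
void FWBSettings::setDontSaveStdLib( bool f) { setValue(dontSaveStdLib,f);}

bool FWBSettings::getShowUndoPanel() {return value(showUndoPanel).toBool();}
void FWBSettings::setShowUndoPanel(bool f) {setValue(showUndoPanel, f);}

bool FWBSettings::getIconsWithText() { return value(iconsWithText).toBool(); }
void FWBSettings::setIconsWithText(bool f) {setValue(iconsWithText, f);}

/*
 * Clamp a stored top-left corner so a window of the given size stays on
 * the screen rectangle sg: a corner that would push the window past the
 * right/bottom edge is pulled back, and a corner that is (or becomes)
 * negative centres the window on that axis instead. Shared by
 * getScreenPosition() and restoreGeometry().
 */
static void clampToScreen(int &x, int &y, int width, int height, const QRect &sg)
{
    if (x + width > sg.width()) x = sg.width() - width;
    if (y + height > sg.height()) y = sg.height() - height;
    if (x < 0) x = (sg.width() - width) / 2;
    if (y < 0) y = (sg.height() - height) / 2;
}

/*
 * Apply an "x,y,width,height" geometry string to w. A size larger than the
 * screen maximises the window instead. Only the size is applied: x/y are
 * clamped and logged but not used to move the widget (this matches the
 * previous behaviour; whether callers restore the position separately via
 * getScreenPosition() is not visible in this file).
 */
static void applyGeometryString(QWidget *w, const QString &name, const QString &val)
{
    int x = val.section(',', 0, 0).toInt();
    int y = val.section(',', 1, 1).toInt();
    int width = val.section(',', 2, 2).toInt();
    int height = val.section(',', 3, 3).toInt();

    // get geometry of the screen that contains mw
    QDesktopWidget *d = QApplication::desktop();
    QRect sg = d->screenGeometry(mw);

    if (width > sg.width() || height > sg.height())
    {
        w->showMaximized();
        return;
    }
    clampToScreen(x, y, width, height, sg);

    if (fwbdebug)
    {
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        qDebug("FWBSettings::restoreGeometry widget '%s' vis=%d x=%d y=%d",
               name.toAscii().constData(), w->isVisible(), x, y);
#else
        qDebug("FWBSettings::restoreGeometry widget '%s' vis=%d x=%d y=%d",
               name.toLatin1().constData(), w->isVisible(), x, y);
#endif
    }
    w->resize(QSize(width, height));
}

// True when a position string was saved for the window named wname.
bool FWBSettings::haveScreenPosition(const QString &wname)
{
    QString val = value(QString(screenPositionSetpath) + wname).toString();
    bool res = (!val.isEmpty());
    if (fwbdebug)
    {
        qDebug("FWBSettings::haveScreenPosition wname '%s' ret=%d",
               wname.toLatin1().constData(), res);
    }
    return res;
}

/*
 * Stored "x,y" position for the window named wname, clamped so that at
 * least a 150x150 area stays on the screen holding the main window. A
 * missing value parses as 0,0.
 */
QPoint FWBSettings::getScreenPosition(const QString &wname)
{
    QString val = value(QString(screenPositionSetpath) + wname).toString();
    int x = val.section(',', 0, 0).toInt();
    int y = val.section(',', 1, 1).toInt();
    int width = 150; // won't get closer to the screen edge than this
    int height = 150;

    // get geometry of the screen that contains mw
    QDesktopWidget *d = QApplication::desktop();
    QRect sg = d->screenGeometry(mw);
    clampToScreen(x, y, width, height, sg);

    if (fwbdebug)
    {
        qDebug("FWBSettings::getScreenPosition wname '%s' x=%d y=%d",
               wname.toLatin1().constData(), x, y);
    }
    return QPoint(x, y);
}

// Save p as "x,y" for wname; negative coordinates are stored as 0.
void FWBSettings::saveScreenPosition(const QString &wname, const QPoint &p)
{
    int x = p.x();
    int y = p.y();
    if (x < 0) x = 0;
    if (y < 0) y = 0;
    QString val = QString("%1,%2").arg(x).arg(y);
    if (fwbdebug)
    {
        qDebug("FWBSettings::saveScreenPosition wname '%s' x=%d y=%d",
               wname.toLatin1().constData(), x, y);
    }
    setValue(QString(screenPositionSetpath) + wname, val);
}

// True when a geometry string was saved under the widget's objectName().
bool FWBSettings::haveGeometry(QWidget *w)
{
    QString name = w->objectName();
    QString val = value(QString(WindowGeometrySetpath) + name, "").toString();
    return (!val.isEmpty());
}

// Restore the saved geometry of w; with nothing saved the string is empty
// and every field parses as 0.
void FWBSettings::restoreGeometry(QWidget *w)
{
    QString name = w->objectName();
    QString val = value(QString(WindowGeometrySetpath) + name).toString();
    applyGeometryString(w, name, val);
}

// Same as above, but dg is used when nothing was saved for w.
void FWBSettings::restoreGeometry(QWidget *w, const QRect &dg)
{
    QString name = w->objectName();
    QString defval = QString("%1,%2,%3,%4")
        .arg(dg.x()).arg(dg.y()).arg(dg.width()).arg(dg.height());
    QString val = value(QString(WindowGeometrySetpath) + name, defval).toString();
    applyGeometryString(w, name, val);
}

/*
 * Save the position and size of w as "x,y,width,height" under its
 * objectName(). Negative coordinates are stored as 0, the same way
 * saveScreenPosition() does. (Previously the clamped x/y were computed
 * but the raw p.x()/p.y() were written out.)
 */
void FWBSettings::saveGeometry(QWidget *w)
{
    QString name = w->objectName();
    // QRect g = w->geometry();
    // g.moveTopLeft(w->frameGeometry().topLeft());
    QPoint p = w->pos();
    QSize s = w->size();
    int x = p.x();
    int y = p.y();
    if (x < 0) x = 0;
    if (y < 0) y = 0;
    QString val = QString("%1,%2,%3,%4")
        .arg(x)
        .arg(y)
        .arg(s.width())
        .arg(s.height());
    if (fwbdebug)
    {
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        qDebug("FWBSettings::saveGeometry widget '%s' vis=%d val=%s",
               name.toAscii().constData(), w->isVisible(), val.toAscii().constData());
#else
        qDebug("FWBSettings::saveGeometry widget '%s' vis=%d val=%s",
               name.toLatin1().constData(), w->isVisible(), val.toLatin1().constData());
#endif
    }
    setValue(QString(WindowGeometrySetpath) + name, val);
}

// Key suffix used under labelColorPath / labelTextPath for a label colour.
QString FWBSettings::getLabelColorStr(enum LabelColors c)
{
    switch (c)
    {
    case RED:    return "red";
    case ORANGE: return "orange";
    case YELLOW: return "yellow";
    case GREEN:  return "green";
    case BLUE:   return "blue";
    case PURPLE: return "purple";
    case GRAY:   return "gray";
    default:     return "default";
    }
}

// Key suffix used under diffColorPath for a diff colour.
QString FWBSettings::getDiffColorStr(enum LabelColors c)
{
    switch (c)
    {
    case ADD_COLOR:    return "add";
    case EDIT_COLOR:   return "edit";
    case MOVE_COLOR:   return "move";
    case REMOVE_COLOR: return "remove";
    default:           return "default";
    }
}

// Stored colour string (e.g. "#C86E6E"); empty when not set.
QString FWBSettings::getLabelColor(enum LabelColors c)
{
    return value(QString(labelColorPath) + getLabelColorStr(c)).toString();
}

void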
FWBSettings::setLabelColor(enum LabelColors c,const QString &s)
{
    setValue(QString(labelColorPath) + getLabelColorStr(c), s);
}

// Caption shown for a label colour (e.g. "Red"); empty when not set.
QString FWBSettings::getLabelText(enum LabelColors c)
{
    return value(QString(labelTextPath) + getLabelColorStr(c)).toString();
}

void FWBSettings::setLabelText(enum LabelColors c, const QString &s)
{
    setValue(QString(labelTextPath) + getLabelColorStr(c),s);
}

// Colours used by the rule-set diff view; keyed via getDiffColorStr().
QString FWBSettings::getDiffColor(FWBSettings::LabelColors c)
{
    return value(QString(diffColorPath) + getDiffColorStr(c)).toString();
}

void FWBSettings::setDiffColor(FWBSettings::LabelColors c, const QString &s)
{
    setValue(QString(diffColorPath) + getDiffColorStr(c), s);
}

// Paths (or bare names) of the ssh/scp/diff programs. NOTE(review): these
// come from a user-writable settings store and are presumably executed by
// code outside this file; that code, not this one, validates them.
QString FWBSettings::getSSHPath() { return value(SSHPath).toString(); }
void FWBSettings::setSSHPath(const QString &path) { setValue(SSHPath,path); }

QString FWBSettings::getSCPPath() { return value(SCPPath).toString(); }
void FWBSettings::setSCPPath(const QString &path) { setValue(SCPPath,path); }

QString FWBSettings::getDiffPath() { return value(DiffPath).toString(); }
void FWBSettings::setDiffPath(const QString &path) { setValue(DiffPath,path); }

// Putty uses different parameter name for the server alive interval
// and keeps it as part of the session, stored in registry. Using
// separate QSettings object on windows that controls putty session
// "fwb_session_with_keepalive". On all other platforms
// ssh_timeout_setings_object == this
bool FWBSettings::haveSSHTimeout()
{
    return ssh_timeout_setings_object->contains(SSHTimeout);
}

int FWBSettings::getSSHTimeout()
{
    return ssh_timeout_setings_object->value(SSHTimeout).toInt();
}

void FWBSettings::setSSHTimeout(int value_sec)
{
    ssh_timeout_setings_object->setValue(SSHTimeout, value_sec);
}

/*
 * Load the saved "PrintSetup/*" values into printer. Enum-valued options
 * are stored as ints and cast back; pageWidth/pageHeight are returned
 * through the reference parameters rather than applied to the printer.
 */
void FWBSettings::getPrinterOptions(QPrinter *printer, int &pageWidth, int &pageHeight)
{
    QString name = getStr("PrintSetup/printerName");
    // Leave the printer's own default name in place when nothing was saved.
    if (!name.isEmpty()) printer->setPrinterName( getStr("PrintSetup/printerName"));
#ifndef _WIN32
    printer->setPrinterSelectionOption( getStr("PrintSetup/printerSelectionOption"));
#endif
#ifndef Q_OS_MAC
    printer->setOutputFileName(getStr("PrintSetup/outputFileName"));
#endif
    printer->setOrientation( QPrinter::Orientation(getInt("PrintSetup/orientation")));
    printer->setPageSize( QPrinter::PageSize(getInt("PrintSetup/pageSize")));
    printer->setPageOrder( QPrinter::PageOrder(getInt("PrintSetup/pageOrder")));
    // int res = getInt("PrintSetup/resolution");
    // if (res>0) printer->setResolution(res);
    printer->setColorMode( QPrinter::ColorMode(getInt("PrintSetup/colorMode")));
    printer->setFullPage( getBool("PrintSetup/fullPage"));
    // printer->setFromTo(getInt("PrintSetup/fromPage"),getInt("PrintSetup/toPage"));
    // printer->setNumCopies(getInt("PrintSetup/numCopies"));
    pageWidth = getInt("PrintSetup/pageWidth");
    pageHeight = getInt("PrintSetup/pageHeight");
}

// Counterpart of getPrinterOptions(): persist the printer's current setup.
void FWBSettings::setPrinterOptions(QPrinter *printer, int pageWidth, int pageHeight)
{
    setStr("PrintSetup/printerName",printer->printerName());
#ifndef _WIN32
    setStr("PrintSetup/printerSelectionOption", printer->printerSelectionOption());
#endif
    setStr("PrintSetup/outputFileName",printer->outputFileName());
    setInt("PrintSetup/orientation",printer->orientation());
    setInt("PrintSetup/pageSize",printer->pageSize());
    setInt("PrintSetup/pageOrder",printer->pageOrder());
    // setInt("PrintSetup/resolution",printer->resolution());
    setInt("PrintSetup/colorMode",printer->colorMode());
    setBool("PrintSetup/fullPage",printer->fullPage());
    // setInt("PrintSetup/fromPage",printer->fromPage());
    // setInt("PrintSetup/toPage",printer->toPage());
    // setInt("PrintSetup/numCopies",printer->numCopies());
    setInt("PrintSetup/pageWidth",pageWidth);
    setInt("PrintSetup/pageHeight",pageHeight);
}

// Icon size is stored by name; anything unrecognised (including a missing
// value) reads back as SIZE25X25.
FWBSettings::IconSize FWBSettings::getIconsInRulesSize()
{
    QString val = value(QString(iconsInRulesSize)).toString();
    if ("SIZE25X25" == val) return SIZE25X25;
    if ("SIZE16X16" == val) return SIZE16X16;
    return SIZE25X25;
}

void FWBSettings::setIconsInRulesSize(FWBSettings::IconSize size)
{
    setValue(QString(iconsInRulesSize), QString(SIZE25X25 == size ? "SIZE25X25":"SIZE16X16"));
}

bool FWBSettings::getShowIconsInRules() { return value(showIconsInRules).toBool(); }
void FWBSettings::setShowIconsInRules(bool showIcons) { setValue(showIconsInRules, showIcons); }

bool FWBSettings::getShowDirectionText() { return value(showDirectionText).toBool(); }
void FWBSettings::setShowDirectionText(bool showText) { setValue(showDirectionText, showText); }

// Fonts are stored in QFont::toString() form and parsed by getFontByType().
QFont FWBSettings::getRulesFont() { return getFontByType(rulesFont); }
void FWBSettings::setRulesFont(const QFont &font) { setValue(rulesFont, font.toString()); }

QFont FWBSettings::getTreeFont() { return getFontByType(treeFont); }
void FWBSettings::setTreeFont(const QFont &font) { setValue(treeFont, font.toString()); }

QFont FWBSettings::getUiFont() { return getFontByType(uiFont); }
void FWBSettings::setUiFont(const QFont &font) { setValue(uiFont, font.toString()); }

QFont FWBSettings::getCompilerOutputFont() { return getFontByType(compilerOutputFont); }
void FWBSettings::setCompilerOutputFont(const QFont &font) { setValue(compilerOutputFont, font.toString()); }

// Parse the font stored under key type; fall back to the application font
// when the value is missing or does not parse.
QFont FWBSettings::getFontByType(const char *type)
{
    QFont font = QFont();
    bool ok = font.fromString(value(type).toString());
    if (ok) return font;
    return QApplication::font();
}

bool FWBSettings::getClipComment() { return
value(clipComment).toBool(); }
void FWBSettings::setClipComment(bool clip) { setValue(clipComment, clip); }

bool FWBSettings::getCheckUpdates() { return value(checkUpdates).toBool(); }
void FWBSettings::setCheckUpdates(bool f) { setValue(checkUpdates, f); }

// Timestamps are stored as unsigned ints; 0 is written by init() when the
// update check is first enabled.
uint FWBSettings::getTimeOfLastUpdateAvailableWarning() { return value(updateAvailableWarningLastTime).toUInt(); }
void FWBSettings::setTimeOfLastUpdateAvailableWarning(uint v) { setValue(updateAvailableWarningLastTime, v); }

/*
 * Per-announcement timestamp. The announcement text is hashed only to
 * derive a fixed-length settings key (MD5 is not used for any security
 * purpose here); the key depends on the Latin-1/ASCII rendering of the
 * text, so two announcements that differ only outside that range share
 * a key.
 */
uint FWBSettings::getTimeOfLastAnnouncement(const QString &announcement)
{
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    QByteArray h = QCryptographicHash::hash(announcement.toAscii().constData(), QCryptographicHash::Md5).toHex();
#else
    QByteArray h = QCryptographicHash::hash(announcement.toLatin1().constData(), QCryptographicHash::Md5).toHex();
#endif
    return value(QString(announcementLastTime).arg(h.constData())).toUInt();
}

// Counterpart of getTimeOfLastAnnouncement(); the key is derived the same way.
void FWBSettings::setTimeOfLastAnnouncement(const QString &announcement, uint v)
{
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    QByteArray h = QCryptographicHash::hash(announcement.toAscii().constData(), QCryptographicHash::Md5).toHex();
#else
    QByteArray h = QCryptographicHash::hash(announcement.toLatin1().constData(), QCryptographicHash::Md5).toHex();
#endif
    setValue(QString(announcementLastTime).arg(h.constData()), v);
}

QString FWBSettings::getCheckUpdatesProxy() { return value(checkUpdatesProxy).toString(); }
void FWBSettings::setCheckUpdatesProxy(const QString &proxy_line) { setValue(checkUpdatesProxy, proxy_line); }

/*
 * Fill ids with the object ids of the tree items expanded for lib in
 * filename. The value is a comma-separated list of string ids converted
 * via FWObjectDatabase::getIntId(). NOTE(review): an empty stored string
 * still yields one empty element from split(), which is passed to
 * getIntId(""); what that returns is not visible here.
 */
void FWBSettings::getExpandedObjectIds(const QString &filename, const QString &lib, std::set &ids)
{
    ids.clear();
    QString ids_str = value(
        QString(SETTINGS_PATH_PREFIX "/") + "Window/" + filename + "/" + lib + "/ExpandedTreeItems").toString();
    QStringList strl = ids_str.split(",");
    for (QStringList::iterator i=strl.begin(); i!=strl.end(); ++i)
        ids.insert(FWObjectDatabase::getIntId(i->toStdString()));
}

// Counterpart of getExpandedObjectIds(): ids are stored as string ids.
void FWBSettings::setExpandedObjectIds(const QString
&filename, const QString &lib, const std::set &ids)
{
    QStringList strl;
    for (set::const_iterator i=ids.begin(); i!=ids.end(); ++i)
        strl.push_back(FWObjectDatabase::getStringId(*i).c_str());
    setValue(
        QString(SETTINGS_PATH_PREFIX "/") + "Window/" + filename + "/" + lib + "/ExpandedTreeItems",
        strl.join(","));
}

// Width of a tree column; anything not positive (including "unset") is 300.
int FWBSettings::getTreeSectionSize(const QString &filename, const QString &lib, int section_index)
{
    int v = value(
        QString(SETTINGS_PATH_PREFIX "/Window/%1/%2/TreeSection/%3")
        .arg(filename).arg(lib).arg(section_index)).toInt();
    if (v <= 0) v = 300;
    return v;
}

void FWBSettings::setTreeSectionSize(const QString &filename, const QString &lib, int section_index, int size)
{
    setValue(
        QString(SETTINGS_PATH_PREFIX "/Window/%1/%2/TreeSection/%3")
        .arg(filename).arg(lib).arg(section_index), size);
}

// Id of the rule set that was open for lib in filename (as an int id).
int FWBSettings::getVisibleRuleSetId(const QString &filename, const QString &lib)
{
    string str_id = value(
        QString(SETTINGS_PATH_PREFIX "/") + "Window/" + filename + "/" + lib + "/OpenedRuleSet").toString().toStdString();
    return FWObjectDatabase::getIntId(str_id);
}

void FWBSettings::setVisibleRuleSet(const QString &filename, const QString &lib, FWObject *ruleset)
{
    setValue(QString(SETTINGS_PATH_PREFIX "/") + "Window/" + filename + "/" + lib + "/OpenedRuleSet",
             FWObjectDatabase::getStringId(ruleset->getId()).c_str() );
}

/*
 * Append the names of the collapsed rule groups of ruleset to
 * collapsed_groups (the list is not cleared first). Names are stored
 * comma-separated with commas inside a name escaped as "\,".
 *
 * Limitation of this format: a backslash is never escaped, so a name that
 * itself ends with a backslash is joined with the following name on read.
 * Changing this would change the stored format; left as is.
 */
void FWBSettings::getCollapsedRuleGroups(const QString &filename, const QString &firewall, const QString &ruleset, QStringList &collapsed_groups)
{
    QString key = "Window/" + filename + "/" + firewall + "/" + ruleset + "/CollapsedRuleGroups";
    QString strl = value(QString(SETTINGS_PATH_PREFIX "/") + key).toString();

    // QT regexp does not support negative lookbehind that we need to
    // find all "," if they are not preceded by a "\". Will split the
    // string on all commas, then find elements of the array that end
    // with "\" and combine them with the following ones.
    QStringList lst = strl.split(",");
    QStringListIterator i(lst);
    while (i.hasNext())
    {
        QString group_name = i.next();
        while (group_name.endsWith("\\") && i.hasNext())
            group_name += QString(",") + i.next();
        group_name.replace("\\,", ",");
        collapsed_groups.push_back(group_name);
    }
    if (fwbdebug)
        qDebug() << "FWBSettings::getCollapsedRuleGroups" << key << collapsed_groups.join(" ||| ");
}

// Counterpart of getCollapsedRuleGroups(); only commas are escaped.
void FWBSettings::setCollapsedRuleGroups(const QString &filename, const QString &firewall, const QString &ruleset, const QStringList &collapsed_groups)
{
    QStringList lst;
    foreach(QString group_name, collapsed_groups)
    {
        group_name.replace(",", "\\,");
        lst.push_back(group_name);
    }
    QString key = "Window/" + filename + "/" + firewall + "/" + ruleset + "/CollapsedRuleGroups";
    QString val = lst.join(",");
    if (fwbdebug)
        qDebug() << "FWBSettings::setCollapsedRuleGroups" << key << val;
    setValue(QString(SETTINGS_PATH_PREFIX "/") + key, val);
}

QStringList FWBSettings::getRecentFiles() { return getList("recentFiles"); }
void FWBSettings::setRecentFiles(QStringList &list) { return setList("recentFiles", list); }

QString FWBSettings::getNewFirewallPlatform() { return value(newFirewallPlatform).toString(); }
void FWBSettings::setNewFirewallPlatform(const QString &platform) { setValue(newFirewallPlatform, platform); }

QString FWBSettings::getNewClusterFailoverProtocol() { return value(newClusterFailoverProtocol).toString(); }
void FWBSettings::setNewClusterFailoverProtocol(const QString &platform) { setValue(newClusterFailoverProtocol, platform); }

// Per-platform status string; default_stat is returned when none is stored.
QString FWBSettings::getTargetStatus(const QString &platform, const QString &default_stat)
{
    QString var_path = targetStatus + platform;
    bool ok = contains(var_path);
    if (!ok) return default_stat;
    return value(var_path).toString();
}

void FWBSettings::setTargetStatus(const QString &platform, const QString &status)
{
    QString var_path = targetStatus + platform;
    setValue(var_path, status);
}

int FWBSettings::getABTestingGroup() { return
value(abTestingGroup).toInt(); } void FWBSettings::setABTestingGroup(int n) { setValue(abTestingGroup, n); } int FWBSettings::getStartsCounter() { return value(startsCounter).toInt(); } bool FWBSettings::isIntroDialogEnabled() { return value(introDialogEnabled).toBool(); } void FWBSettings::setIntroDialogEnabled(bool f) { setValue(introDialogEnabled, f); } bool FWBSettings::customTemplatesEnabled() { return value(customTemplatesEn).toBool(); } void FWBSettings::setCustomTemplatesEnabled(bool f) { setValue(customTemplatesEn, f); } bool FWBSettings::getDisplayUnmodifiedRules() { return value(displayUnmodifiedRules).toBool(); } void FWBSettings::setDisplayUnmodifiedRules(bool f) { setValue(displayUnmodifiedRules, f); } fwbuilder-5.3.7/src/libgui/FWBSettings.h000066400000000000000000000212331303637203600200670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWBSETTINGS_H_ #define __FWBSETTINGS_H_ #include "../../VERSION.h" #include #include #include #include #include #define SETTINGS_PATH_PREFIX "/" GENERATION #include class QWidget; /* * startup actions. 
I know, enum would be better, but QComboBox
 * operates with integers and it is much simpler to just store item
 * numbers in preferences.
 */
#define LoadStandardObjects 0
#define LoadLastEditedFile 1

/**
 * Application preferences: typed accessors over QSettings. Keys are stored
 * under SETTINGS_PATH_PREFIX and the settings file name embeds GENERATION
 * (getApplicationNameForSettings()), so different generations of the
 * program keep separate preferences.
 *
 * NOTE(review): this is ordinary user-writable configuration. Values such as
 * the ssh/scp/diff executable paths and the update-check proxy are read back
 * and — presumably, the callers are not in this file — used to start
 * external programs or open network connections. Anything able to write the
 * user's settings store can therefore redirect them; do not treat these
 * values as trusted input.
 */
class FWBSettings : public QSettings
{
public:
    /* Colour labels for rules plus the colours used in the diff view. */
    enum LabelColors { RED, ORANGE, YELLOW, GREEN, BLUE, PURPLE, GRAY, ADD_COLOR, EDIT_COLOR, MOVE_COLOR, REMOVE_COLOR };
    enum IconSize{ SIZE25X25, SIZE16X16};

private:
    QSettings *uuid_settings;               /* separate store for getAppGUID() — presumably, see .cpp */
    QSettings *ssh_timeout_setings_object;  /* separate store for the ssh timeout (sic: "setings") */
    bool first_run;
    QString getLabelColorStr(enum LabelColors c);
    QString getDiffColorStr(enum LabelColors c);

public:
    /* testData selects a throw-away settings store for unit tests (by name only; confirm in .cpp). */
    FWBSettings(bool testData = false);
    ~FWBSettings();

    static QString getApplicationNameForSettings() { return "FirewallBuilder" GENERATION; }

    void init(bool force_first_time_run=false);
    void save();

    /* true only during the first start after installation (set by init()). */
    bool isFirstRun() { return first_run; }

    /* Working directory and data directory used for file dialogs and output. */
    QString getWDir(); void setWDir(const QString &wd);
    QString getDataDir(); void setDataDir(const QString &dataDir);
    QString getOpenFileDir( const QString &existingPath = ""); void setOpenFileDir( const QString &d );

    int getInfoStyle(); void setInfoStyle(int s);
    QString getGroupViewMode(); void setGroupViewMode(const QString &mode);
    QString getGroupViewColumns(); void setGroupViewColumns(const QString &mode);

    /* LoadStandardObjects or LoadLastEditedFile (see the #defines above). */
    int getStartupAction(); void setStartupAction(int sa);
    int getExpandTree(); void setExpandTree(int sa);
    int getMergeLibs(); void setMergeLibs(int sa);
    bool getObjTooltips(); void setObjTooltips(bool f);
    int getTooltipDelay(); void setTooltipDelay(int v);

    /* Path of the data file to reopen when the startup action is LoadLastEditedFile. */
    QString getLastEdited(); void setLastEdited(const QString &file);
    int getInfoWindowHeight(); void setInfoWindowHeight(int h);

    /* RCS (revision control) integration preferences. */
    bool getRCSLogState(); void setRCSLogState(bool f);
    int getRCSFilePreviewStyle(); void setRCSFilePreviewStyle(int style);
    int getRCSFilePreviewSortColumn(); void setRCSFilePreviewSortColumn(int col);

    bool getAutoSave(); void setAutoSave(bool f);
    bool getCompression(); void setCompression(bool f);
    bool getDontSaveStdLib(); void setDontSaveStdLib( bool f);

    /* Generic raw accessors by key name. */
    bool hasKey(const QString &attribute);
    QString getStr(const QString &attribute); void setStr(const QString &attribute, const QString &val);
    bool getBool(const QString &attribute); void setBool(const QString &attribute, bool f );
    int getInt(const QString &attribute); void setInt(const QString &attribute, int v );
    QStringList getList(const QString &attribute); void setList(const QString &attribute, QStringList &list);

    /* Window geometry and screen position, keyed by widget / window name. */
    bool haveGeometry(QWidget *w);
    void restoreGeometry(QWidget *w);
    void restoreGeometry(QWidget *w, const QRect &defaultGeometry);
    void saveGeometry(QWidget *w);
    bool haveScreenPosition(const QString &wname);
    QPoint getScreenPosition(const QString &wname);
    void saveScreenPosition(const QString &wname, const QPoint &p);

    QString getLabelColor(enum LabelColors c); void setLabelColor(enum LabelColors c,const QString &s);
    QString getLabelText(enum LabelColors c); void setLabelText(enum LabelColors c, const QString &s);
    QString getDiffColor(enum LabelColors c); void setDiffColor(enum LabelColors c,const QString &s);

    /* Paths of external executables. See the class note: these come from the
     * user-writable settings store and should be validated by whoever runs them. */
    QString getSSHPath(); void setSSHPath(const QString &path);
    QString getSCPPath(); void setSCPPath(const QString &path);
    QString getDiffPath(); void setDiffPath(const QString &path);

    bool haveSSHTimeout();
    int getSSHTimeout();            /* seconds */
    void setSSHTimeout(int value_sec);

    void getPrinterOptions(QPrinter *printer,int &pageWidth,int &pageHeight);
    void setPrinterOptions(QPrinter *printer,int pageWidth,int pageHeight);

    /* Per-installation identifier kept in uuid_settings (presumably sent with
     * update checks — confirm before changing its lifetime). */
    QString getAppGUID();

    bool isReminderAboutStandardLibSuppressed(); void suppressReminderAboutStandardLib(bool f);
    bool isReminderAboutDataDirSuppressed(); void suppressReminderAboutDataDir(bool f);

    /* Rule view presentation. */
    enum IconSize getIconsInRulesSize(); void setIconsInRulesSize(enum IconSize size);
    bool getShowIconsInRules(); void setShowIconsInRules(bool showIcons);
    bool getShowDirectionText(); void setShowDirectionText(bool showText);
    QFont getRulesFont(); void setRulesFont(const QFont &font);
    QFont getTreeFont(); void setTreeFont(const QFont &font);
    QFont getUiFont(); void setUiFont(const QFont &font);
    QFont getCompilerOutputFont(); void setCompilerOutputFont(const QFont &font);
    bool getClipComment(); void setClipComment(bool);

    /* Online update check and announcements. */
    bool getCheckUpdates(); void setCheckUpdates(bool);
    uint getTimeOfLastUpdateAvailableWarning(); void setTimeOfLastUpdateAvailableWarning(uint v);
    uint getTimeOfLastAnnouncement(const QString &announcement); void setTimeOfLastAnnouncement(const QString &announcement, uint v);

    /* Per-platform status string; default_stat is returned when none is stored. */
    QString getTargetStatus(const QString &platform, const QString &default_stat);
    void setTargetStatus(const QString &plaform, const QString &status);

    /* Proxy line for the update check; untrusted, see the class note. */
    QString getCheckUpdatesProxy(); void setCheckUpdatesProxy(const QString &proxy_line);

    /* Per data file / library tree state (template arguments of std::set lost in extraction). */
    void getExpandedObjectIds(const QString &filename, const QString &lib, std::set &ids);
    void setExpandedObjectIds(const QString &filename, const QString &lib, const std::set &ids);
    int getTreeSectionSize(const QString &filename, const QString &lib, int section_index);
    void setTreeSectionSize(const QString &filename, const QString &lib, int section_index, int size);
    int getVisibleRuleSetId(const QString &filename, const QString &lib);
    void setVisibleRuleSet(const QString &filename, const QString &lib, libfwbuilder::FWObject *ruleset);

    /* Collapsed rule groups, stored as one comma-separated string with commas
     * inside names escaped as "\," (backslashes are not escaped). */
    void getCollapsedRuleGroups(const QString &filename, const QString &firewall, const QString &ruleset, QStringList &collapsed_groups);
    void setCollapsedRuleGroups(const QString &filename, const QString &firewall, const QString &ruleset, const QStringList &collapsed_groups);

    QStringList getRecentFiles(); void setRecentFiles(QStringList &list);
    QString getNewFirewallPlatform(); void setNewFirewallPlatform(const QString &platform);
    QString getNewClusterFailoverProtocol(); void setNewClusterFailoverProtocol(const QString &protocol);
    bool getShowUndoPanel(); void setShowUndoPanel(bool);
    bool getIconsWithText(); void setIconsWithText(bool f);
    int getABTestingGroup(); void setABTestingGroup(int n);
    int getStartsCounter();
    bool isIntroDialogEnabled(); void setIntroDialogEnabled(bool f);
bool customTemplatesEnabled(); void setCustomTemplatesEnabled(bool f); bool getDisplayUnmodifiedRules(); void setDisplayUnmodifiedRules(bool); private: QFont getFontByType(const char*type); }; #endif fwbuilder-5.3.7/src/libgui/FWBTree.cpp000066400000000000000000000672261303637203600175350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include #include #include #include "FWBTree.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/DynamicGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Host.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/Network.h" #include 
"fwbuilder/NetworkIPv6.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Routing.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/UserService.h" #include #include #include #include "utils.h" using namespace std; using namespace libfwbuilder; QStringList FWBTree::standardFolders; QSet FWBTree::standardIDs; QMap FWBTree::systemGroupTypes; QMap FWBTree::systemGroupNames; QMap FWBTree::systemGroupPaths; QMap FWBTree::copyMenuState; QMap FWBTree::cutMenuState; QMap FWBTree::pasteMenuState; QMap FWBTree::deleteMenuState; FWBTree::FWBTree() { init_statics(); } void FWBTree::init_statics() { if (systemGroupPaths.size() == 0) { // Names of the standard folders should be translatable. // Function isStandardFolder() takes this into account. standardFolders << "Objects"; standardFolders << "Objects/Addresses"; standardFolders << "Objects/DNS Names"; standardFolders << "Objects/Address Tables"; standardFolders << "Objects/Address Ranges"; standardFolders << "Objects/Groups"; standardFolders << "Objects/Hosts"; standardFolders << "Objects/Networks"; standardFolders << "Services"; standardFolders << "Services/Custom"; standardFolders << "Services/Groups"; standardFolders << "Services/IP"; standardFolders << "Services/ICMP"; standardFolders << "Services/TCP"; standardFolders << "Services/UDP"; standardFolders << "Services/TagServices"; standardFolders << "Services/Users"; standardFolders << "Firewalls"; standardFolders << "Clusters"; standardFolders << "Time"; systemGroupPaths[Library::TYPENAME] = ""; systemGroupPaths[IPv4::TYPENAME] = "Objects/Addresses"; systemGroupPaths[IPv6::TYPENAME] = "Objects/Addresses"; systemGroupPaths[DNSName::TYPENAME] = "Objects/DNS Names"; systemGroupPaths[AddressTable::TYPENAME] = "Objects/Address Tables"; systemGroupPaths[AddressRange::TYPENAME] = 
"Objects/Address Ranges"; systemGroupPaths[ObjectGroup::TYPENAME] = "Objects/Groups"; systemGroupPaths[DynamicGroup::TYPENAME] = "Objects/Groups"; systemGroupPaths[Host::TYPENAME] = "Objects/Hosts"; systemGroupPaths[Network::TYPENAME] = "Objects/Networks"; systemGroupPaths[NetworkIPv6::TYPENAME] = "Objects/Networks"; systemGroupPaths[ServiceGroup::TYPENAME] = "Services/Groups"; systemGroupPaths[CustomService::TYPENAME] = "Services/Custom"; systemGroupPaths[IPService::TYPENAME] = "Services/IP"; systemGroupPaths[ICMPService::TYPENAME] = "Services/ICMP"; systemGroupPaths[ICMP6Service::TYPENAME] = "Services/ICMP"; systemGroupPaths[TCPService::TYPENAME] = "Services/TCP"; systemGroupPaths[UDPService::TYPENAME] = "Services/UDP"; systemGroupPaths[UserService::TYPENAME] = "Services/Users"; systemGroupPaths[TagService::TYPENAME] = "Services/TagServices"; systemGroupPaths[Firewall::TYPENAME] = "Firewalls"; systemGroupPaths[Cluster::TYPENAME] = "Clusters"; systemGroupPaths[Interval::TYPENAME] = "Time"; systemGroupTypes[Firewall::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[Firewall::TYPENAME]= "Firewalls" ; systemGroupTypes[Cluster::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[Cluster::TYPENAME]= "Clusters"; systemGroupTypes[Host::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[Host::TYPENAME]= "Hosts" ; systemGroupTypes[Network::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[Network::TYPENAME]= "Networks" ; systemGroupTypes[NetworkIPv6::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[NetworkIPv6::TYPENAME]= "Networks" ; systemGroupTypes[IPv4::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[IPv4::TYPENAME]= "Addresses" ; systemGroupTypes[IPv6::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[IPv6::TYPENAME]= "Addresses" ; systemGroupTypes[DNSName::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[DNSName::TYPENAME]= "DNS Names" ; systemGroupTypes[AddressTable::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[AddressTable::TYPENAME]= "Address 
Tables" ; systemGroupTypes[AddressRange::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[AddressRange::TYPENAME]= "Address Ranges" ; systemGroupTypes[ObjectGroup::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[ObjectGroup::TYPENAME]= "Groups" ; systemGroupTypes[DynamicGroup::TYPENAME]= ObjectGroup::TYPENAME; systemGroupNames[DynamicGroup::TYPENAME]= "Groups" ; systemGroupTypes[CustomService::TYPENAME]= ServiceGroup::TYPENAME; systemGroupNames[CustomService::TYPENAME]= "Custom"; systemGroupTypes[IPService::TYPENAME]= ServiceGroup::TYPENAME; systemGroupNames[IPService::TYPENAME]= "IP" ; systemGroupTypes[ICMPService::TYPENAME]= ServiceGroup::TYPENAME; systemGroupNames[ICMPService::TYPENAME]= "ICMP" ; systemGroupTypes[ICMP6Service::TYPENAME]= ServiceGroup::TYPENAME; systemGroupNames[ICMP6Service::TYPENAME]= "ICMP" ; systemGroupTypes[TCPService::TYPENAME]= ServiceGroup::TYPENAME; systemGroupNames[TCPService::TYPENAME]= "TCP" ; systemGroupTypes[UDPService::TYPENAME]= ServiceGroup::TYPENAME; systemGroupNames[UDPService::TYPENAME]= "UDP" ; systemGroupTypes[TagService::TYPENAME]= ServiceGroup::TYPENAME; systemGroupNames[TagService::TYPENAME]= "TagServices" ; systemGroupTypes[UserService::TYPENAME]= ServiceGroup::TYPENAME; systemGroupNames[UserService::TYPENAME]= "Users" ; systemGroupTypes[ServiceGroup::TYPENAME]= ServiceGroup::TYPENAME; systemGroupNames[ServiceGroup::TYPENAME]= "Groups" ; systemGroupTypes[Interval::TYPENAME]= IntervalGroup::TYPENAME; systemGroupNames[Interval::TYPENAME]= "Time" ; systemGroupTypes[Interface::TYPENAME]= ""; systemGroupNames[Interface::TYPENAME]= ""; systemGroupTypes[Library::TYPENAME]= FWObjectDatabase::TYPENAME; systemGroupNames[Library::TYPENAME]= "FWObjectDatabase"; standardIDs.insert("syslib000"); standardIDs.insert("syslib001"); standardIDs.insert("sysid0"); standardIDs.insert("sysid1"); standardIDs.insert("sysid2"); standardIDs.insert("sysid99"); standardIDs.insert("stdid01"); standardIDs.insert("stdid01_1"); 
standardIDs.insert("stdid02"); standardIDs.insert("stdid02_1"); standardIDs.insert("stdid03"); standardIDs.insert("stdid03_1"); standardIDs.insert("stdid04"); standardIDs.insert("stdid04_1"); standardIDs.insert("stdid05"); standardIDs.insert("stdid05_1"); standardIDs.insert("stdid06"); standardIDs.insert("stdid06_1"); standardIDs.insert("stdid07"); standardIDs.insert("stdid07_1"); standardIDs.insert("stdid08"); standardIDs.insert("stdid08_1"); standardIDs.insert("stdid09"); standardIDs.insert("stdid09_1"); standardIDs.insert("stdid10"); standardIDs.insert("stdid10_1"); standardIDs.insert("stdid11"); standardIDs.insert("stdid11_1"); standardIDs.insert("stdid12"); standardIDs.insert("stdid12_1"); standardIDs.insert("stdid13"); standardIDs.insert("stdid13_1"); standardIDs.insert("stdid14"); standardIDs.insert("stdid14_1"); standardIDs.insert("stdid15"); standardIDs.insert("stdid15_1"); standardIDs.insert("stdid16"); standardIDs.insert("stdid16_1"); standardIDs.insert("stdid17"); standardIDs.insert("stdid17_1"); standardIDs.insert("stdid18"); standardIDs.insert("stdid18_1"); standardIDs.insert("stdid19"); standardIDs.insert("stdid19_1"); // these can not be replaced with set because they // are effectively three-state: if the key is missing in the // map, the result is assumed to be "true", otherwise it is // either "true" or "false" depending on the map entry. 
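// Edit-menu state tables. A key that is missing means "enabled" (see the
// get*MenuState() accessors in FWBTree.h), so every standard folder has to be
// listed explicitly in the deny tables. Copy, cut and delete are derived from
// standardFolders so the three tables cannot drift apart: the hand-written
// copy table used to omit "Services/Users", which left "Copy" enabled on
// that system folder while every other system folder had it disabled.
for (int n = 0; n < standardFolders.size(); ++n)
{
    const QString &folder = standardFolders.at(n);
    copyMenuState[folder] = false;
    cutMenuState[folder] = false;
    deleteMenuState[folder] = false;
}
// The library node itself has relative path "": a library can be cut and
// deleted as a whole, but not copied.
copyMenuState[""] = false;
cutMenuState[""] = true;
deleteMenuState[""] = true;

// Paste is allowed only into leaf standard folders; the library node and
// the two container folders "Objects" and "Services" are not paste targets.
pasteMenuState[""] = false;
pasteMenuState["Firewalls"] = true;
pasteMenuState["Clusters"] = true;
pasteMenuState["Objects"] = false;
pasteMenuState["Objects/Addresses"] = true;
pasteMenuState["Objects/DNS Names"] = true;
pasteMenuState["Objects/Address Tables"] = true;
pasteMenuState["Objects/Address Ranges"] = true;
pasteMenuState["Objects/Groups"] = true;
pasteMenuState["Objects/Hosts"] = true;
pasteMenuState["Objects/Networks"] = true;
pasteMenuState["Services"] = false;
pasteMenuState["Services/Custom"] = true;
pasteMenuState["Services/Groups"] = true;
pasteMenuState["Services/ICMP"] = true;
pasteMenuState["Services/IP"] = true;
pasteMenuState["Services/TCP"] = true;
pasteMenuState["Services/UDP"] = true;
pasteMenuState["Services/Users"] = true;
pasteMenuState["Services/TagServices"] = true;
pasteMenuState["Time"] = true;
}
}

/**
 * returns true if object 'obj' is a system group. System groups are
 * those that hold other objects. Unlike user-defined groups, system
 * groups always contain only objects themselves and never contain
 * references to objects. User-defined groups, on the other hand,
 * always contain only references to objects.
 *
 * Concretely: the database root, the two built-in libraries (standard
 * library and "Deleted Objects") and every standard folder (isStandardFolder()).
 * A user-created library is NOT a system object.
 */
bool FWBTree::isSystem(FWObject *obj)
{
    if (Library::isA(obj))
        return (obj->getId()==FWObjectDatabase::STANDARD_LIB_ID ||
                obj->getId()==FWObjectDatabase::DELETED_OBJECTS_ID);
    if (FWObjectDatabase::isA(obj)) return true;
    return isStandardFolder(obj);
}

/**
 * returns true if @obj is a standard folder,e.g.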
"Firewalls", "Objects", * "Objects/Hosts" etc. */ bool FWBTree::isStandardFolder(FWObject *obj) { string path = obj->getPath(true); // relative path return (standardFolders.contains(QString::fromUtf8(path.c_str()))); } bool FWBTree::isStandardId(FWObject *obj) { return standardIDs.contains(FWObjectDatabase::getStringId(obj->getId()).c_str()); } bool FWBTree::validateForInsertion(FWObject *target, FWObject *obj, QString &err) { if (fwbdebug) qDebug("FWBTree::validateForInsertion target %s obj %s", target->getTypeName().c_str(), obj->getTypeName().c_str()); FWObject *ta = target; if (IPv4::isA(ta) || IPv6::isA(ta)) ta=ta->getParent(); err = QObject::tr("Impossible to insert object %1 (type %2) into %3\n" "because of incompatible type.") .arg(obj->getName().c_str()) .arg(obj->getTypeName().c_str()) .arg(ta->getName().c_str()); if (Host::isA(ta) && Interface::isA(obj)) return true; if (Firewall::isA(ta) && Interface::isA(obj)) return true; if (Interface::isA(ta) && IPv4::isA(obj)) return true; if (Interface::isA(ta) && IPv6::isA(obj)) return true; if (Interface::isA(ta) && physAddress::isA(obj)) return true; FWBTree objtree; if (objtree.isSystem(ta)) { QString parentType = systemGroupTypes[obj->getTypeName().c_str()]; QString parentName = systemGroupNames[obj->getTypeName().c_str()]; /* parentType or/and parentName are going to be empty if information * about object obj is missing in systemGroupTypes/Names tables */ if (parentType.isEmpty() || parentName.isEmpty()) return false; if (ta->getTypeName() == string(parentType.toLatin1()) && ta->getName() == string(parentName.toLatin1()) ) return true; return false; } Host *hst = Host::cast(ta); Firewall *fw = Firewall::cast(ta); Interface *intf = Interface::cast(ta); FWObject *parent_fw = ta; while (parent_fw && Firewall::cast(parent_fw)==NULL) parent_fw = parent_fw->getParent(); if (parent_fw && Interface::isA(obj)) { std::auto_ptr int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject(parent_fw)); return 
int_prop->validateInterface(ta, obj, false, err); } if (fw!=NULL) { // inserting some object into firewall or cluster if (!fw->validateChild(obj)) return false; return true; } if (hst!=NULL) return (hst->validateChild(obj)); if (intf!=NULL) { if (!intf->validateChild(obj)) return false; return true; } Group *grp=Group::cast(ta); if (grp!=NULL) return grp->validateChild(obj); return false; } void FWBTree::getStandardSlotForObject(const QString &objType, QString &parentType, QString &parentName) { parentType = systemGroupTypes[objType]; parentName = systemGroupNames[objType]; } /** * this method finds standard system folder for an object of a given * type in a given library. This method implemented our standard tree * structure (the one that is created in the method createNewLibrary) */ FWObject* FWBTree::getStandardSlotForObject(FWObject* lib,const QString &objType) { QString path = systemGroupPaths[objType]; if (path.isEmpty()) return lib; QString level1 = path.section('/',0,0); QString level2 = path.section('/',1,1); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) FWObject::iterator i=std::find_if(lib->begin(),lib->end(), FWObjectNameEQPredicate(static_cast(level1.toAscii()))); #else FWObject::iterator i=std::find_if(lib->begin(),lib->end(), FWObjectNameEQPredicate(static_cast(level1.toLatin1()))); #endif if (i==lib->end()) return NULL; FWObject *l1obj = *i; if (level2.isEmpty()) return l1obj; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) i=std::find_if(l1obj->begin(),l1obj->end(), FWObjectNameEQPredicate(static_cast(level2.toAscii()))); #else i=std::find_if(l1obj->begin(),l1obj->end(), FWObjectNameEQPredicate(static_cast(level2.toLatin1()))); #endif if (i==l1obj->end()) return NULL; return (*i); } FWObject* FWBTree::createNewLibrary(FWObjectDatabase *db) { FWObject *nlib = db->create(Library::TYPENAME); db->add(nlib); nlib->setName( string(QObject::tr("New Library").toUtf8()) ); FWObject *o1 = db->create(ObjectGroup::TYPENAME); o1->setName("Objects"); nlib->add(o1); 
FWObject *o2 = db->create(ObjectGroup::TYPENAME); o2->setName("Addresses"); o1->add(o2); o2 = db->create(ObjectGroup::TYPENAME); o2->setName("DNS Names"); o1->add(o2); o2 = db->create(ObjectGroup::TYPENAME); o2->setName("Address Tables"); o1->add(o2); o2 = db->create(ObjectGroup::TYPENAME); o2->setName("Groups"); o1->add(o2); o2 = db->create(ObjectGroup::TYPENAME); o2->setName("Hosts"); o1->add(o2); o2 = db->create(ObjectGroup::TYPENAME); o2->setName("Networks"); o1->add(o2); o2 = db->create(ObjectGroup::TYPENAME); o2->setName("Address Ranges"); o1->add(o2); o1 = db->create(ServiceGroup::TYPENAME); o1->setName("Services"); nlib->add(o1); o2 = db->create(ServiceGroup::TYPENAME); o2->setName("Groups"); o1->add(o2); o2 = db->create(ServiceGroup::TYPENAME); o2->setName("ICMP"); o1->add(o2); o2 = db->create(ServiceGroup::TYPENAME); o2->setName("IP"); o1->add(o2); o2 = db->create(ServiceGroup::TYPENAME); o2->setName("TCP"); o1->add(o2); o2 = db->create(ServiceGroup::TYPENAME); o2->setName("UDP"); o1->add(o2); o2 = db->create(ServiceGroup::TYPENAME); o2->setName("Users"); o1->add(o2); o2 = db->create(ServiceGroup::TYPENAME); o2->setName("Custom"); o1->add(o2); o2 = db->create(ServiceGroup::TYPENAME); o2->setName("TagServices"); o1->add(o2); o1 = db->create(ObjectGroup::TYPENAME); o1->setName("Firewalls"); nlib->add(o1); o1 = db->create(ObjectGroup::TYPENAME); o1->setName("Clusters"); nlib->add(o1); o1 = db->create(IntervalGroup::TYPENAME); o1->setName("Time"); nlib->add(o1); return nlib; } /* * return string that can be translated for the object type name */ QString FWBTree::getTranslatableObjectTypeName(const QString &type_name) { if (type_name == Library::TYPENAME) return QObject::tr("Library"); if (type_name == Firewall::TYPENAME) return QObject::tr("Firewall"); if (type_name == Cluster::TYPENAME) return QObject::tr("Cluster"); if (type_name == Host::TYPENAME) return QObject::tr("Host"); if (type_name == Interface::TYPENAME) return QObject::tr("Interface"); if 
(type_name == AttachedNetworks::TYPENAME) return QObject::tr("Attached Networks"); if (type_name == Network::TYPENAME) return QObject::tr("Network"); if (type_name == NetworkIPv6::TYPENAME) return QObject::tr("Network IPv6"); if (type_name == IPv4::TYPENAME) return QObject::tr("Address"); if (type_name == IPv6::TYPENAME) return QObject::tr("Address IPv6"); if (type_name == DNSName::TYPENAME) return QObject::tr("DNS Name"); if (type_name == AddressTable::TYPENAME) return QObject::tr("Address Table"); if (type_name == AddressRange::TYPENAME) return QObject::tr("Address Range"); if (type_name == ObjectGroup::TYPENAME) return QObject::tr("Object Group"); if (type_name == DynamicGroup::TYPENAME) return QObject::tr("Dynamic Group"); if (type_name == CustomService::TYPENAME) return QObject::tr("Custom Service"); if (type_name == IPService::TYPENAME) return QObject::tr("IP Service"); if (type_name == ICMPService::TYPENAME) return QObject::tr("ICMP Service"); if (type_name == ICMP6Service::TYPENAME) return QObject::tr("ICMP6 Service"); if (type_name == TCPService::TYPENAME) return QObject::tr("TCP Service"); if (type_name == UDPService::TYPENAME) return QObject::tr("UDP Service"); if (type_name == TagService::TYPENAME) return QObject::tr("TagService"); if (type_name == UserService::TYPENAME) return QObject::tr("User Service"); if (type_name == ServiceGroup::TYPENAME) return QObject::tr("Service Group"); if (type_name == Interval::TYPENAME) return QObject::tr( "Time Interval"); if (type_name == physAddress::TYPENAME) return QObject::tr( "MAC Address"); if (type_name == Policy::TYPENAME) return QObject::tr( "Policy Rule Set"); if (type_name == NAT::TYPENAME) return QObject::tr( "NAT Rule Set"); if (type_name == Routing::TYPENAME) return QObject::tr( "Routing Rule Set"); if (type_name == FailoverClusterGroup::TYPENAME) return QObject::tr("Failover group"); if (type_name == StateSyncClusterGroup::TYPENAME) return QObject::tr("State synchronization group"); return ""; } QString 
FWBTree::getTranslatableNewObjectMenuText(const QString &type_name) { if (type_name == Library::TYPENAME) return QObject::tr("New Library"); if (type_name == Firewall::TYPENAME) return QObject::tr("New Firewall"); if (type_name == Cluster::TYPENAME) return QObject::tr("New Cluster"); if (type_name == Host::TYPENAME) return QObject::tr("New Host"); if (type_name == Interface::TYPENAME) return QObject::tr("New Interface"); if (type_name == AttachedNetworks::TYPENAME) return QObject::tr("New Attached Networks"); if (type_name == Network::TYPENAME) return QObject::tr("New Network"); if (type_name == NetworkIPv6::TYPENAME) return QObject::tr("New Network IPv6"); if (type_name == IPv4::TYPENAME) return QObject::tr("New Address"); if (type_name == IPv6::TYPENAME) return QObject::tr("New Address IPv6"); if (type_name == DNSName::TYPENAME) return QObject::tr("New DNS Name"); if (type_name == AddressTable::TYPENAME) return QObject::tr("New Address Table"); if (type_name == AddressRange::TYPENAME) return QObject::tr("New Address Range"); if (type_name == ObjectGroup::TYPENAME) return QObject::tr("New Object Group"); if (type_name == DynamicGroup::TYPENAME) return QObject::tr("New Dynamic Group"); if (type_name == CustomService::TYPENAME) return QObject::tr("New Custom Service"); if (type_name == IPService::TYPENAME) return QObject::tr("New IP Service"); if (type_name == ICMPService::TYPENAME) return QObject::tr("New ICMP Service"); if (type_name == ICMP6Service::TYPENAME) return QObject::tr("New ICMP6 Service"); if (type_name == TCPService::TYPENAME) return QObject::tr("New TCP Service"); if (type_name == UDPService::TYPENAME) return QObject::tr("New UDP Service"); if (type_name == TagService::TYPENAME) return QObject::tr("New TagService"); if (type_name == UserService::TYPENAME) return QObject::tr("New User Service"); if (type_name == ServiceGroup::TYPENAME) return QObject::tr("New Service Group"); if (type_name == Interval::TYPENAME) return QObject::tr( "New Time 
Interval"); if (type_name == physAddress::TYPENAME) return QObject::tr( "New MAC Address"); if (type_name == Policy::TYPENAME) return QObject::tr( "New Policy Rule Set"); if (type_name == NAT::TYPENAME) return QObject::tr( "New NAT Rule Set"); if (type_name == Routing::TYPENAME) return QObject::tr( "New Routing Rule Set"); if (type_name == FailoverClusterGroup::TYPENAME) return QObject::tr("New failover group"); if (type_name == StateSyncClusterGroup::TYPENAME) return QObject::tr("New state synchronization group"); return ""; } QList FWBTree::getObjectTypes() { QList ret; ret.append(Firewall::TYPENAME); ret.append(Cluster::TYPENAME); ret.append(Host::TYPENAME); ret.append(Network::TYPENAME); ret.append(NetworkIPv6::TYPENAME); ret.append(IPv4::TYPENAME); ret.append(IPv6::TYPENAME); ret.append(DNSName::TYPENAME); ret.append(AddressTable::TYPENAME); ret.append(AddressRange::TYPENAME); ret.append(ObjectGroup::TYPENAME); ret.append(DynamicGroup::TYPENAME); return ret; } QList FWBTree::getServiceTypes() { QList ret; ret.append(CustomService::TYPENAME); ret.append(IPService::TYPENAME); ret.append(ICMPService::TYPENAME); ret.append(ICMP6Service::TYPENAME); ret.append(TCPService::TYPENAME); ret.append(UDPService::TYPENAME); ret.append(TagService::TYPENAME); ret.append(UserService::TYPENAME); ret.append(ServiceGroup::TYPENAME); return ret; } fwbuilder-5.3.7/src/libgui/FWBTree.h000066400000000000000000000070031303637203600171650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
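This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef FWBTREE_H
#define FWBTREE_H

/* header names lost in extraction */
#include #include #include #include

namespace libfwbuilder
{
    class FWObject;
    class FWObjectDatabase;
};

/**
 * Fixed layout of an object library ("Objects/Hosts", "Services/TCP", ...)
 * and the tree-related policy built on it: which folders are system
 * folders, where an object of a given type belongs, whether an object may be
 * inserted under a target, and which edit-menu actions are enabled for a
 * tree path. All tables are static and filled once by init_statics().
 * (Template arguments of the QMap/QSet/QList members were lost in extraction.)
 */
class FWBTree
{
    static QStringList standardFolders;
    static QMap systemGroupTypes;
    static QMap systemGroupNames;
    static QMap systemGroupPaths;
    static QSet standardIDs;

    // Edit-menu policy per tree path. A path that is absent from a table is
    // treated as "enabled", so these are deny-lists of system paths; every
    // system folder must be listed explicitly.
    static QMap copyMenuState;
    static QMap cutMenuState;
    static QMap pasteMenuState;
    static QMap deleteMenuState;

    void init_statics();

public:
    FWBTree();

    bool isSystem(libfwbuilder::FWObject *obj);
    bool isStandardFolder(libfwbuilder::FWObject *obj);
    bool isStandardId(libfwbuilder::FWObject *obj);

    bool validateForInsertion(libfwbuilder::FWObject *target, libfwbuilder::FWObject *obj, QString &err);

    /**
     * returns boolean value that defines whether menu item "Copy"
     * should be enabled when object with a path objPath is selected
     * in the tree. By default menu items are enabled, so this method
     * returns True if object path is unknown.
     *
     * QMap::value(key, default) gives exactly that in one lookup and, unlike
     * operator[], never inserts into the static table.
     */
    bool getCopyMenuState(const QString &objPath)
    {
        return copyMenuState.value(objPath, true);
    }

    /** Same contract as getCopyMenuState(), for the "Cut" menu item. */
    bool getCutMenuState(const QString &objPath)
    {
        return cutMenuState.value(objPath, true);
    }

    /** Same contract as getCopyMenuState(), for the "Paste" menu item. */
    bool getPasteMenuState(const QString &objPath)
    {
        return pasteMenuState.value(objPath, true);
    }

    /** Same contract as getCopyMenuState(), for the "Delete" menu item. */
    bool getDeleteMenuState(const QString &objPath)
    {
        return deleteMenuState.value(objPath, true);
    }

    void getStandardSlotForObject(const QString &objType, QString &parentType, QString &parentName);
    libfwbuilder::FWObject* getStandardSlotForObject(libfwbuilder::FWObject* lib, const QString &objType);

    libfwbuilder::FWObject* createNewLibrary(libfwbuilder::FWObjectDatabase *db);

    QString getTranslatableObjectTypeName(const QString &type_name);
    QString getTranslatableNewObjectMenuText(const QString &type_name);

    static QList getObjectTypes();
    static QList getServiceTypes();
};

#endif
fwbuilder-5.3.7/src/libgui/FWCmdAddObject.cpp000066400000000000000000000253341303637203600207700ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.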
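To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "global.h"

#include "FWCmdChange.h"
#include "FWCmdAddObject.h"
#include "FWWindow.h"
#include "events.h"

#include "fwbuilder/Firewall.h"
#include "fwbuilder/RuleSet.h"

/* header names lost in extraction */
#include #include

using namespace libfwbuilder;
using namespace std;

/********************************************************
 * FWCmdAddObject
 *
 * This command controls adding an object to another object. This can
 * be adding an object to a system group or adding interface to a host
 * or address to an interface and so on, where object itself becomes a
 * child rather than reference to it gets created.
 *
 ********************************************************/

/**
 * @param project  panel owning the undo stack and the rule set view
 * @param grp      object that receives the new child
 * @param mem      object to add. May be NULL when the child does not exist
 *                 yet; prepareStatesForRedo() then locates it among the
 *                 children of the new state on the first redo()
 * @param text     undo-stack caption; a generic one is used when empty
 * @param macro    parent command when this is part of a macro
 */
FWCmdAddObject::FWCmdAddObject(ProjectPanel *project, FWObject *grp, FWObject *mem, QString text, QUndoCommand* macro):
    FWCmdChange(project, grp, text, false, macro)
{
    member = mem;
    require_complete_tree_reload = false;
    if (text.isEmpty())
    {
        setText(QObject::tr("Add object to group"));
    } else
    {
        setText(text);
    }
}

/*
 * Drop the reference this command holds on the member (taken in
 * prepareStatesForRedo()), deleting the object when it is the last one.
 * member is still NULL if the command was constructed without a member and
 * destroyed before redo() ever ran, so the dereference is guarded.
 */
FWCmdAddObject::~FWCmdAddObject()
{
    if (member == NULL) return;
    if (member->getRefCounter() <= 1) delete member;
    else member->unref();
}

/*
 * Detach the member from the group again without deleting it (the command
 * keeps the pointer and its reference, see the destructor), close the rule
 * set view if it shows a rule set of the firewall being removed, and refresh
 * the object tree.
 */
void FWCmdAddObject::undo()
{
    // Remove object this->member from the group but do not delete it.
    FWObject* grp = getObject();
    grp->remove(member, false);

    if (fwbdebug)
        qDebug() << "FWCmdAddObject::undo() member->ref_counter="
                 << member->getRefCounter();

    // getCurrentRuleSet() is checked for NULL before it is dereferenced:
    // nothing in this file guarantees that a rule set is open at this point.
    if (Firewall::isA(member) &&
        project->getCurrentRuleSet() != NULL &&
        project->getCurrentRuleSet()->isChildOf(member))
    {
        // need to close ruleset view
        project->closeRuleSetPanel();
    }

    QString filename = QString::fromUtf8(grp->getRoot()->getFileName().c_str());

    QCoreApplication::postEvent(
        mw, new removeObjectFromTreeEvent(filename, member->getId()));
    QCoreApplication::postEvent(
        mw, new updateObjectAndSubtreeImmediatelyEvent(filename, grp->getId()));

    // see comment in redo()
    QCoreApplication::sendPostedEvents(mw, 0);

    QCoreApplication::postEvent(
        mw, new dataModifiedEvent(filename, grp->getId()));

    if (mw->isEditorVisible())
        QCoreApplication::postEvent(
            mw, new openObjectInEditorEvent(filename, grp->getId()));

    QCoreApplication::postEvent(
        mw, new showObjectInTreeEvent(filename, grp->getId()));
}

/*
 * Make sure this->member points at the object to add and that the new state
 * no longer owns it: the member is moved out of newState with an extra
 * reference so that both the group and this command may hold it.
 */
void FWCmdAddObject::prepareStatesForRedo()
{
    // newState should have the new group member. Add it to the group.
    // This member could have been added to the newState, if so,
    // remove it but increment reference counter.
    FWObject* grp = getObject();
    FWObject *new_grp = getNewState();

    if (member == NULL)
    {
        // Find new object among children of newState. member can be
        // NULL if FWCmdAddObject object is created before the new
        // object can be created. This is the case when we copy whole
        // subtree from one data file to another in
        // ObjectManipulator::actuallyPasteTo(). There we call
        // FWObjectDatabase::recursivelyCopySubtree which needs parent
        // object as a parameter, so we have to create newState before
        // new object is created.
        //
        // FWObject::iterator is used instead of a spelled-out list
        // iterator type (the template argument was lost in extraction).
        for (FWObject::iterator i=new_grp->begin(); i!=new_grp->end(); ++i)
        {
            FWObject *co = *i;
            if (!grp->hasChild(co))
            {
                member = co;
                break;
            }
        }
    }

    // If nothing was found, member is still NULL; redo() will then add
    // nothing useful, but we must not dereference it here.
    if (member != NULL && new_grp->hasChild(member))
    {
        member->ref();
        new_grp->remove(member, false); // and do not delete
    }
}

void FWCmdAddObject::redo()
{
    prepareStatesForRedo();

    FWObject* grp = getObject();
    grp->add(member);

    if (fwbdebug)
        qDebug() << "FWCmdAddObject::redo()"
                 << member->getName().c_str()
                 << "-->"
                 << grp->getName().c_str()
                 << "member->ref_counter=" << member->getRefCounter()
                 << "reload=" << require_complete_tree_reload
                 << "editor=" << mw->isEditorVisible();

    QString filename = QString::fromUtf8(grp->getRoot()->getFileName().c_str());

    // updateObjectAndSubtreeImmediatelyEvent updates the part of the
    // tree where object we just added is attached. This rebuilds
    // subtree. However, if the object was copied from another data
    // file and dragged with it some other objects (as dependencies)
    // in other parts of the tree, rebulding the subtree is
    // insufficient, we need to reload the whole tree. The caller should have
    // set flag require_complete_tree_reload to signal that.
    if (require_complete_tree_reload)
        QCoreApplication::postEvent(
            mw, new reloadObjectTreeImmediatelyEvent(filename));
    else
    {
        QCoreApplication::postEvent(
            mw, new insertObjectInTreeEvent(filename, grp->getId(), member->getId()));
        QCoreApplication::postEvent(
            mw, new updateObjectAndSubtreeImmediatelyEvent(
                filename, grp->getId()));
    }

    // when user clicks in the undo stack window, the program executes
    // all undo/redo commands up to the line they clicked on. This
    // means bunch of redo() commands can execute at once. All events
    // they posted, however, will be processed after that. If these
    // redo() commands added or removed objects in the tree, the tree
    // widget in ObjectManipulator gets updated after that has
    // happened and gets out of sync with object
    // tree.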
sendPostedEvents() should send events posted up to this // point to the receiver immediately, which in this case should // update widgets to keep them in sync. QCoreApplication::sendPostedEvents(mw, 0); QCoreApplication::postEvent(mw, new dataModifiedEvent(filename, grp->getId())); // post openObjectInEditorEvent first so that editor panel opens // this matters if the tree needs to scroll to show the object when // showObjectInTreeEvent is posted because vertical size of the tree // changes when editor opens //if (mw->isEditorVisible()) QCoreApplication::postEvent(mw, new openObjectInEditorEvent( filename, member->getId())); QCoreApplication::postEvent(mw, new showObjectInTreeEvent( filename, member->getId())); } void FWCmdAddObject::notify() { } /******************************************************** * FWCmdAddUserFolder * ********************************************************/ FWCmdAddUserFolder::FWCmdAddUserFolder(ProjectPanel *project, FWObject *parentFolder, const QString &userFolder, QString text, QUndoCommand *macro) : FWCmdChange(project, parentFolder, text, false, macro), m_userFolder(userFolder) { } void FWCmdAddUserFolder::redo() { FWCmdChange::redo(); FWObject *obj = getObject(); QString fileName = QString::fromUtf8(obj->getRoot()->getFileName().c_str()); QCoreApplication::postEvent(mw, new addUserFolderEvent (fileName, obj->getId(), m_userFolder)); } void FWCmdAddUserFolder::undo() { FWCmdChange::undo(); FWObject *obj = getObject(); QString fName = QString::fromUtf8(obj->getRoot()->getFileName().c_str()); QCoreApplication::postEvent(mw, new removeUserFolderEvent(fName, obj->getId(), m_userFolder)); } /* We don't want to display the system folder after we add a user folder, so we just swallow the notify. 
*/ void FWCmdAddUserFolder::notify() { } /******************************************************** * FWCmdAddLibrary * ********************************************************/ FWCmdAddLibrary::FWCmdAddLibrary(ProjectPanel *project, FWObject *root, FWObject *lib, QString text, QUndoCommand* macro): FWCmdAddObject(project, root, lib, text, macro) { assert(FWObjectDatabase::cast(root)!=NULL); if (text.isEmpty()) { setText(QObject::tr("Add library")); } else { setText(text); } } FWCmdAddLibrary::~FWCmdAddLibrary() {} void FWCmdAddLibrary::undo() { FWObject* root = getObject(); FWObject* lib = member; root->remove(lib, false); QString filename = QString::fromUtf8(FWObjectDatabase::cast(root)->getFileName().c_str()); QCoreApplication::postEvent( mw, new removeTreePageEvent(filename, lib->getId())); // switch to another library QCoreApplication::postEvent( mw, new showObjectInTreeEvent(filename, FWObjectDatabase::STANDARD_LIB_ID)); } void FWCmdAddLibrary::redo() { prepareStatesForRedo(); FWObject* root = getObject(); FWObject* lib = member; getObject()->add(lib); QString filename = QString::fromUtf8(FWObjectDatabase::cast(root)->getFileName().c_str()); QCoreApplication::postEvent( mw, new addTreePageEvent(filename, lib->getId())); QCoreApplication::postEvent( mw, new updateObjectAndSubtreeImmediatelyEvent(filename, lib->getId())); QCoreApplication::postEvent(mw, new dataModifiedEvent(filename, lib->getId())); // post openObjectInEditorEvent first so that editor panel opens // this matters if the tree needs to scroll to show the object when // showObjectInTreeEvent is posted because vertical size of the tree // changes when editor opens //if (mw->isEditorVisible()) QCoreApplication::postEvent( mw, new showObjectInTreeEvent(filename, lib->getId())); QCoreApplication::postEvent( mw, new openObjectInEditorEvent(filename, lib->getId())); } fwbuilder-5.3.7/src/libgui/FWCmdAddObject.h000066400000000000000000000050141303637203600204270ustar00rootroot00000000000000/* Firewall 
Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWCMDADDOBJECT_H #define FWCMDADDOBJECT_H #include "FWCmdChange.h" /******************************************************** * FWCmdAddObject ********************************************************/ class FWCmdAddObject : public FWCmdChange { protected: libfwbuilder::FWObject *member; bool require_complete_tree_reload; virtual void notify(); void prepareStatesForRedo(); public: FWCmdAddObject(ProjectPanel *project, libfwbuilder::FWObject *grp, libfwbuilder::FWObject *member, QString text=QString(), QUndoCommand* macro=0); ~FWCmdAddObject(); void setNeedTreeReload(bool f) { require_complete_tree_reload = f; } virtual void redo(); virtual void undo(); }; class FWCmdAddUserFolder : public FWCmdChange { QString m_userFolder; public: FWCmdAddUserFolder(ProjectPanel *project, libfwbuilder::FWObject *parentFolder, const QString &userFolder, QString text = QString(), QUndoCommand *macro = 0); virtual void redo(); virtual void undo(); virtual void notify(); }; /******************************************************** * FWCmdAddLibrary ********************************************************/ class FWCmdAddLibrary : public FWCmdAddObject { public: FWCmdAddLibrary(ProjectPanel *project, libfwbuilder::FWObject *root, 
libfwbuilder::FWObject *lib, QString text=QString(), QUndoCommand* macro=0); ~FWCmdAddLibrary(); virtual void redo(); virtual void undo(); }; #endif fwbuilder-5.3.7/src/libgui/FWCmdBasic.cpp000066400000000000000000000150551303637203600201720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "FWCmdBasic.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Firewall.h" #include using namespace libfwbuilder; #include "FWCmdRule.h" FWCmdBasic::FWCmdBasic(ProjectPanel *project, QUndoCommand* macro):QUndoCommand(macro) { this->project = project; } FWObject* FWCmdBasic::getObject() { return getObject(obj_id); } FWObject* FWCmdBasic::getObject(int id) { return project->db()->findInIndex(id); } bool FWCmdBasic::mergeWith(const QUndoCommand *other) { if (fwbdebug) { qDebug() << "FWCmdBasic::mergeWith(const QUndoCommand *other) other=" << other; qDebug() << "cmd:" << other->text(); } const FWCmdTerm* term = dynamic_cast(other); return term != 0; } bool FWCmdMacro::mergeWith(const QUndoCommand *other) { if (fwbdebug) { qDebug() << "FWCmdMacro::mergeWith(const 
QUndoCommand *other) other=" << other; qDebug() << "cmd:" << other->text(); } const FWCmdTerm* term = dynamic_cast (other); return term != 0; } void undoAndRemoveLastCommand(QUndoStack* undoStack) { if (fwbdebug) qDebug() << "undoAndRemoveLastCommand(QUndoStack undoStack)"; undoStack->undo(); if (fwbdebug) qDebug() << "count:" << undoStack->count(); if (undoStack->count() == 1) { undoStack->clear(); } else { FWCmdTerm* cmd = new FWCmdTerm(); undoStack->push(cmd); } } void FWCmdBasic::setDiffType(Rule *rule, DiffType::Type diffType) { if (!rule) return; DiffType::Type origDiffType = static_cast(project->getDiffType(rule->getId())); m_diffLog.insert(rule->getId(), origDiffType); addStatistics(rule, diffType, origDiffType); // If we do changes to an inserted rule, we ignore that // We want to know that we added a rule. // Exception: if we remove it ... // If we move an edited rule, we ignore that too :) if (((origDiffType == DiffType::Add) && (diffType != DiffType::Remove)) || ((origDiffType == DiffType::Edit) && (diffType == DiffType::Move))) { diffType = origDiffType; } project->setDiffType(rule->getId(), diffType); } void FWCmdBasic::resetDiffType(Rule *rule) { if (!rule) return; DiffType::Type currentDiffType = static_cast(project->getDiffType(rule->getId())); DiffType::Type origDiffType = static_cast(m_diffLog.value(rule->getId())); removeStatistics(rule, currentDiffType, origDiffType); project->setDiffType(rule->getId(), origDiffType); } void FWCmdBasic::addStatistics(Rule *rule, DiffType::Type diffType, DiffType::Type origDiffType) { foreach (Firewall *fw, UsageResolver().findFirewallsForObject(rule, project->db())) { std::list rulesets; rulesets.push_back(fw->getPolicy()); rulesets.push_back(fw->getNAT()); rulesets.push_back(fw->getRouting()); foreach(RuleSet *ruleSet, rulesets) { if (ruleSet && rule->isChildOf(ruleSet)) { // We only set the move DiffType if that's the only change // That a rule is added or edited is more important if ((diffType == 
DiffType::Move) && (origDiffType != DiffType::None)) continue; if (diffType == DiffType::Edit) { if (origDiffType == DiffType::Move) modifyStatistics(ruleSet->getId(), origDiffType, false); // We only set the edit DiffType on existing rules // That we edit a newly created rule is normal - but we want to know that it was added if (origDiffType == DiffType::Add) continue; } // When deleting rules that are added - we only remove the add statistics if (diffType == DiffType::Remove) { modifyStatistics(ruleSet->getId(), origDiffType, false); if (origDiffType == DiffType::Add) continue; } // The actual update modifyStatistics(ruleSet->getId(), diffType, true); } } } } void FWCmdBasic::removeStatistics(Rule *rule, DiffType::Type diffType, DiffType::Type origDiffType) { foreach (Firewall *fw, UsageResolver().findFirewallsForObject(rule, project->db())) { std::list rulesets; rulesets.push_back(fw->getPolicy()); rulesets.push_back(fw->getNAT()); rulesets.push_back(fw->getRouting()); foreach(RuleSet *ruleSet, rulesets) { if (ruleSet && rule->isChildOf(ruleSet)) { if ((origDiffType == DiffType::Add) && (diffType == DiffType::Remove)) { // When reinserting a previously removed rule, that was added to the rule set. // we only need to update the add statistics modifyStatistics(ruleSet->getId(), origDiffType, true); continue; } // The actual update modifyStatistics(ruleSet->getId(), diffType, false); modifyStatistics(ruleSet->getId(), origDiffType, true); } } } } void FWCmdBasic::modifyStatistics(int id, DiffType::Type diffType, bool increment) { if (diffType == DiffType::None) return; int n = project->getStatistics().value( QPair(id, diffType)); project->getStatistics().insert( QPair(id, diffType), increment ? 
++n : --n); } fwbuilder-5.3.7/src/libgui/FWCmdBasic.h000066400000000000000000000046071303637203600176400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWCMDBASIC_H #define FWCMDBASIC_H #include #include #include #include "ProjectPanel.h" #include "fwbuilder/FWObject.h" class FWCmdMacro : public QUndoCommand { public: FWCmdMacro(QString text) : QUndoCommand() {setText(text);} int id() const {return 1;} bool mergeWith(const QUndoCommand *other); }; class FWCmdBasic : public QUndoCommand { int obj_id; protected: ProjectPanel *project; public: FWCmdBasic(ProjectPanel *project, QUndoCommand* macro = 0); int objectId() {return obj_id;} void setObject(libfwbuilder::FWObject *object) {obj_id = object->getId();} libfwbuilder::FWObject* getObject(); libfwbuilder::FWObject* getObject(int id); int id() const {return 1;} bool mergeWith(const QUndoCommand *other); QHash m_diffLog; void setDiffType(libfwbuilder::Rule *rule, DiffType::Type diffType); void resetDiffType(libfwbuilder::Rule *rule); private: void addStatistics(libfwbuilder::Rule *rule, DiffType::Type diffType, DiffType::Type origDiffType); void removeStatistics(libfwbuilder::Rule *rule, DiffType::Type diffType, DiffType::Type origDiffType); 
void modifyStatistics(int id, DiffType::Type diffType, bool increment); }; class FWCmdTerm : public QUndoCommand { public: FWCmdTerm() : QUndoCommand() {setText("Terminator");} int id() const {return 1;} }; void undoAndRemoveLastCommand(QUndoStack* undoStack); #endif // FWCMDBASIC_H fwbuilder-5.3.7/src/libgui/FWCmdChange.cpp000066400000000000000000000203051303637203600203300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "FWCmdChange.h" #include "FWWindow.h" #include "ColDesc.h" #include "RuleSetView.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Rule.h" #include "events.h" #include #include using namespace libfwbuilder; using namespace std; /******************************************************** * FWCmdChange ********************************************************/ FWCmdChange::FWCmdChange(ProjectPanel *project, FWObject *obj, QString text, bool _rename_children, QUndoCommand* macro): FWCmdBasic(project, macro) { setObject(obj); rename_children = _rename_children; first_time = true; FWObjectDatabase* db = obj->getRoot(); if (db == obj) { this->oldState = new FWObjectDatabase(); this->newState = new FWObjectDatabase(); } else { this->oldState = db->create(obj->getTypeName()); this->newState = db->create(obj->getTypeName()); } bool was_clean = (db->isDirty() == false); // Note: if obj is a group that holds references to other objects, // duplicateForUndo() increments reference counters in those objects // and subsequently raises "dirty" flag in the database. 
this->oldState->duplicateForUndo(obj); this->newState->duplicateForUndo(obj); if (was_clean) db->setDirty(false); if (text.isEmpty()) { setText(QObject::tr("Edit ") + QString::fromUtf8(obj->getName().c_str())); } else { setText(text); } } FWCmdChange::~FWCmdChange() { delete (oldState); delete (newState); } void FWCmdChange::undo() { if (fwbdebug) qDebug() << "FWCmdChange::undo()"; FWObject* obj = getObject(); try { obj->duplicateForUndo(oldState); } catch (FWException &ex) { qDebug() << "FWCmdChange::undo() caught FWException: " << ex.toString().c_str(); } notify(); } void FWCmdChange::redo() { if (fwbdebug) qDebug() << "FWCmdChange::redo()"; FWObject* obj = getObject(); try { obj->duplicateForUndo(newState); } catch (FWException &ex) { qDebug() << "FWCmdChange::redo() caught FWException: " << ex.toString().c_str(); } notify(); } void FWCmdChange::notify() { if (fwbdebug) qDebug() << "FWCmdChange::notify()"; FWObject* obj = getObject(); QString filename = QString::fromUtf8(obj->getRoot()->getFileName().c_str()); if (oldState->getName() != newState->getName()) { // objectNameChangedEvent event triggers actions, such as // automatic renaming of child objects. This should only be // done once, even if we have the same data file opened in // several project panels. // // Use sendEvent to make sure event is processed right now and // is not postponed. This is important when this command is // executed as part of a group undo/redo (when user clicks in // the undo panel). If this command is posted to event queue, // it is executed after bunch of objects are deleted and may // need to operate on one of them. 
// if (first_time) { QCoreApplication::sendEvent( mw->activeProject(), new objectNameChangedEvent( filename, obj->getId(), QString::fromUtf8(oldState->getName().c_str()), QString::fromUtf8(newState->getName().c_str()), rename_children)); first_time = false; } } QCoreApplication::postEvent( mw, new updateObjectEverywhereEvent(filename, obj->getId())); if (mw->isEditorVisible()) { QCoreApplication::postEvent( mw, new openObjectInEditorEvent(filename, obj->getId())); } QCoreApplication::postEvent( mw, new dataModifiedEvent(filename, obj->getId())); } /******************************************************** * FWCmdChangeName ********************************************************/ FWCmdChangeName::FWCmdChangeName(ProjectPanel *project, FWObject *obj) : FWCmdChange(project, obj, QObject::tr("Rename object")) {} /* * Command FWCmdChangeName is used in ObjectManipulator::autorename() * functions that rename children objects when the name of a firewall * or its interface changes. This command should not open object it * renamed in the editor. If it does, the object in the editor changes * when user renames fw or interface. This is especially unexpecred if * renaming was triggered by them changing the name of fw or interface * and then hitting Tab. User expectation is that keyboard should * switch to the next element in the dialog, even if some side effects * do happen. Changing the object in the editor looks confusing. */ void FWCmdChangeName::notify() { FWObject* obj = getObject(); QString filename = QString::fromUtf8(obj->getRoot()->getFileName().c_str()); // when object's name changes, its position in the tree changes // too to keep the tree sorted. Need to update the object // everywhere, as well as its parent's subtree. 
QCoreApplication::postEvent(mw, new updateObjectInTreeEvent(filename, obj->getId())); QCoreApplication::postEvent(mw, new reloadRulesetEvent(filename)); QCoreApplication::postEvent(mw, new dataModifiedEvent(filename, obj->getId())); } /******************************************************** * FWCmdLockObject * * locking object creates problems with virtual method * FWObject::shallowDuplicate and the same virt method in derived * classes because they make object read-only and then try to modify * it. It is easier to have specialized command that just sets or * clears read-only flag and does nothing else. * ********************************************************/ FWCmdLockObject::FWCmdLockObject(ProjectPanel *project, FWObject *obj, QString name) : FWCmdChange(project, obj, name) { } void FWCmdLockObject::undo() { FWObject* obj = getObject(); obj->setReadOnly(getOldState()->getRO()); notify(); } void FWCmdLockObject::redo() { FWObject* obj = getObject(); obj->setReadOnly(getNewState()->getRO()); notify(); } /******************************************************** * FWCmdChangeOptionsObject * * This command is used to change failover or state protocol parameters * (CARP, conntrack, heartbeat, vrrp, pfsync, openais) ********************************************************/ FWCmdChangeOptionsObject::FWCmdChangeOptionsObject(ProjectPanel *project, FWObject *obj) : FWCmdChange(project, obj, QObject::tr("Edit protocol parameters")) {} void FWCmdChangeOptionsObject::notify() { FWObject* obj = getObject(); QString filename = QString::fromUtf8(obj->getRoot()->getFileName().c_str()); // obj here is a FWOptions. We need to select its parent in the // tree and redraw it in the rule set panel. To do so, using // obj->getParent(). Note that parent object hasn't changed, so we // send showObjectInTreeEvent rather than // updateObjectInTreeEvent. 
QCoreApplication::postEvent( mw, new showObjectInTreeEvent(filename, obj->getParent()->getId())); QCoreApplication::postEvent(mw, new reloadRulesetEvent(filename)); QCoreApplication::postEvent(mw, new dataModifiedEvent(filename, obj->getId())); } fwbuilder-5.3.7/src/libgui/FWCmdChange.h000066400000000000000000000053011303637203600177740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWCMDCHANGE_H #define FWCMDCHANGE_H #include "FWCmdBasic.h" /******************************************************** * FWCmdChange ********************************************************/ class FWCmdChange : public FWCmdBasic { libfwbuilder::FWObject *oldState; libfwbuilder::FWObject *newState; bool rename_children; bool first_time; protected: virtual void notify(); public: FWCmdChange(ProjectPanel *project, libfwbuilder::FWObject *obj, QString text=QString(), bool rename_children = false, QUndoCommand* macro = 0); ~FWCmdChange(); libfwbuilder::FWObject* getOldState() {return oldState;} libfwbuilder::FWObject* getNewState() {return newState;} virtual void redo(); virtual void undo(); }; /******************************************************** * FWCmdChangeName ********************************************************/ class FWCmdChangeName : public FWCmdChange 
{ protected: virtual void notify(); public: FWCmdChangeName(ProjectPanel *project, libfwbuilder::FWObject *obj); }; /******************************************************** * FWCmdLockObject * * This command locks or unlocks object ********************************************************/ class FWCmdLockObject : public FWCmdChange { protected: public: FWCmdLockObject(ProjectPanel *project, libfwbuilder::FWObject *obj, QString text=QString()); virtual void redo(); virtual void undo(); }; /******************************************************** * FWCmdChangeOptionsObject ********************************************************/ class FWCmdChangeOptionsObject : public FWCmdChange { protected: virtual void notify(); public: FWCmdChangeOptionsObject(ProjectPanel *project, libfwbuilder::FWObject *obj); }; #endif // FWCMDCHANGE_H fwbuilder-5.3.7/src/libgui/FWCmdDeleteObject.cpp000066400000000000000000000122521303637203600214760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "FWCmdChange.h" #include "FWCmdDeleteObject.h" #include "FWWindow.h" #include "events.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/RuleSet.h" #include #include using namespace libfwbuilder; using namespace std; /******************************************************** * FWCmdDeleteObject * * This command really deletes the object from the object tree, it * does not move it Deleted Objects library. We use this command when * user deletes objects from Deleted Objects. * ********************************************************/ FWCmdDeleteObject::FWCmdDeleteObject(ProjectPanel *project, FWObject *obj, QString text, QUndoCommand* macro): FWCmdChange(project, obj, text, false, macro) { delobj = obj; delobj->ref(); parent = delobj->getParent(); if (text.isEmpty()) { setText(QObject::tr("Delete object")); } else { setText(text); } } FWCmdDeleteObject::~FWCmdDeleteObject() { if (delobj) { if (delobj->getRefCounter() <= 1) delete delobj; else delobj->unref(); } } void FWCmdDeleteObject::undo() { QString filename = project->getFileName(); if (delobj && !parent->hasChild(delobj)) { parent->add(delobj); if (fwbdebug) qDebug() << "FWCmdDeleteObject::undo()" << "delobj->getRefCounter()=" << delobj->getRefCounter(); QCoreApplication::postEvent( mw, new insertObjectInTreeEvent(filename, parent->getId(), delobj->getId())); QCoreApplication::postEvent( mw, new updateObjectAndSubtreeImmediatelyEvent(filename, parent->getId())); QCoreApplication::postEvent( mw, new dataModifiedEvent(filename, parent->getId())); if (mw->isEditorVisible()) QCoreApplication::postEvent( mw, new openObjectInEditorEvent(filename, delobj->getId())); QCoreApplication::postEvent( mw, new showObjectInTreeEvent(filename, delobj->getId())); } } void FWCmdDeleteObject::redo() { QString filename = project->getFileName(); 
QCoreApplication::postEvent( mw, new removeObjectFromTreeEvent(filename, delobj->getId())); QCoreApplication::postEvent( mw, new updateObjectAndSubtreeImmediatelyEvent(filename, parent->getId())); QCoreApplication::postEvent( mw, new dataModifiedEvent(filename, parent->getId())); if (mw->isEditorVisible()) QCoreApplication::postEvent( mw, new openObjectInEditorEvent(filename, parent->getId())); QCoreApplication::postEvent( mw, new showObjectInTreeEvent(filename, parent->getId())); parent->remove(delobj, false); if (fwbdebug) qDebug() << "FWCmdDeleteObject::redo()" << "delobj->getRefCounter()=" << delobj->getRefCounter(); } void FWCmdDeleteObject::notify() { } /********************************************************************/ FWCmdRemoveUserFolder::FWCmdRemoveUserFolder(ProjectPanel *project, FWObject *parentFolder, const QString &userFolder, QString text, QUndoCommand *macro) : FWCmdChange(project, parentFolder, text, false, macro), m_userFolder(userFolder) { } void FWCmdRemoveUserFolder::redo() { FWCmdChange::redo(); FWObject *obj = getObject(); QString fName = QString::fromUtf8(obj->getRoot()->getFileName().c_str()); QCoreApplication::postEvent(mw, new removeUserFolderEvent(fName, obj->getId(), m_userFolder)); } void FWCmdRemoveUserFolder::undo() { FWCmdChange::undo(); FWObject *obj = getObject(); QString fName = QString::fromUtf8(obj->getRoot()->getFileName().c_str()); QCoreApplication::postEvent(mw, new addUserFolderEvent(fName, obj->getId(), m_userFolder)); } /* We don't want to display the system folder after we remove a user folder, so we just swallow the notify. */ void FWCmdRemoveUserFolder::notify() { } fwbuilder-5.3.7/src/libgui/FWCmdDeleteObject.h000066400000000000000000000036451303637203600211510ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWCMDDELETEOBJECT_H #define FWCMDDELETEOBJECT_H #include "FWCmdChange.h" /******************************************************** * FWCmdDeleteObject ********************************************************/ class FWCmdDeleteObject : public FWCmdChange { libfwbuilder::FWObject *parent; libfwbuilder::FWObject *delobj; protected: virtual void notify(); public: FWCmdDeleteObject(ProjectPanel *project, libfwbuilder::FWObject *obj, QString text=QString(), QUndoCommand* macro=0); ~FWCmdDeleteObject(); virtual void redo(); virtual void undo(); }; class FWCmdRemoveUserFolder : public FWCmdChange { QString m_userFolder; public: FWCmdRemoveUserFolder(ProjectPanel *project, libfwbuilder::FWObject *parentFolder, const QString &userFolder, QString text = QString(), QUndoCommand *macro = 0); virtual void redo(); virtual void undo(); virtual void notify(); }; #endif fwbuilder-5.3.7/src/libgui/FWCmdMoveObject.cpp000066400000000000000000000317041303637203600212050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "FWCmdChange.h" #include "FWCmdMoveObject.h" #include "FWWindow.h" #include "FWBSettings.h" #include "events.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Library.h" #include "fwbuilder/RuleElement.h" #include #include using namespace libfwbuilder; using namespace std; /******************************************************** * FWCmdMoveObject * * This command controls moving an object to another place in the * tree, including different library. List of pointers to FWObject * passed to constructor is used to remove all references to this * object. This is done when object is deleted by moving it to the * "Deleted objects" library. If the list is empty, no references * will be removed. * * Unlike in FWComdAddObject, the object @obj always belongs to the * tree, either in its old place or in the new place. There is no need * for us to delete it in the destructor. 
* * This command should only operate on moving objects from one place * in the tree to another but within the same data file * ********************************************************/ FWCmdMoveObject::FWCmdMoveObject( ProjectPanel *project, FWObject *old_p, FWObject *new_p, FWObject *o, map > &reference_holder_objects, QString text, QUndoCommand* macro) : FWCmdBasic(project, macro), oldUserFolder(QString::fromUtf8(o->getStr("folder").c_str())), reference_holders(reference_holder_objects) { old_parent = old_p; new_parent = new_p; current_parent = NULL; obj = o; if (text.isEmpty()) { setText(QObject::tr("Move object")); } else { setText(text); } } FWCmdMoveObject::~FWCmdMoveObject() { } void FWCmdMoveObject::undo() { FWObject *dummySource = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_ADDRESS_ID); FWObject *dummyDestination = dummySource; FWObject *dummyService = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_SERVICE_ID); FWObject *dummyInterface = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_INTERFACE_ID); obj->setStr("folder", oldUserFolder.toUtf8().constData()); if (new_parent->hasChild(obj) && !old_parent->hasChild(obj)) { new_parent->remove(obj, false); old_parent->add(obj); current_parent = old_parent; } if (fwbdebug) qDebug() << "FWCmdMoveObject::undo() obj->ref_counter=" << obj->getRefCounter(); if (reference_holders.size()) { map >::iterator it; for (it=reference_holders.begin(); it!=reference_holders.end(); ++it) { int obj_id = it->first; foreach(FWObject *o, it->second) { FWObject *cobj = project->db()->findInIndex(obj_id); if (RuleElement::cast(o)) { setDiffType(Rule::cast(o->getParent()), DiffType::Edit); if ( (o->getChildrenCount() == 1)) { if (RuleElementSrc::cast(o) && st->getInt("Objects/PolicyRule/defaultSource")) { o->removeRef(dummySource); } else if (RuleElementDst::cast(o) && st->getInt("Objects/PolicyRule/defaultDestination")) { o->removeRef(dummyDestination); } else if (RuleElementSrv::cast(o) && 
st->getInt("Objects/PolicyRule/defaultService")) { o->removeRef(dummyService); } else if (RuleElementItf::cast(o) && st->getInt("Objects/PolicyRule/defaultInterface")) { o->removeRef(dummyInterface); } } } if (cobj) o->addRef(cobj); if (RuleElement::cast(o)) resetDiffType(Rule::cast(o->getParent())); } } } notify(); } void FWCmdMoveObject::redo() { obj->setStr("folder", ""); if (!new_parent->hasChild(obj) && old_parent->hasChild(obj)) { old_parent->remove(obj, false); new_parent->add(obj); current_parent = new_parent; } if (fwbdebug) qDebug() << "FWCmdMoveObject::redo()" << "obj: " << obj->getName().c_str() << "(" << obj->getTypeName().c_str() << ")" << "obj->ref_counter=" << obj->getRefCounter(); if (reference_holders.size()) { FWObject *dummySource = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_ADDRESS_ID); FWObject *dummyDestination = dummySource; FWObject *dummyService = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_SERVICE_ID); FWObject *dummyInterface = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_INTERFACE_ID); map >::iterator it; for (it=reference_holders.begin(); it!=reference_holders.end(); ++it) { int obj_id = it->first; foreach(FWObject *o, it->second) { FWObject *cobj = project->db()->findInIndex(obj_id); if (cobj) o->removeRef(cobj); if (RuleElement::cast(o)) { setDiffType(Rule::cast(o->getParent()), DiffType::Edit); if ( (o->getChildrenCount() == 1)) { FWObject *anyobj = FWObjectReference::getObject(*o->begin()); if (RuleElementSrc::cast(o) && st->getInt("Objects/PolicyRule/defaultSource")) { if (!Address::cast(anyobj)->isAny()) continue; if (!dummySource || (new_parent->getRoot()->getStringId(dummySource->getId()) != "dummyaddressid0")) continue; o->addRef(dummySource); } else if (RuleElementDst::cast(o) && st->getInt("Objects/PolicyRule/defaultDestination")) { if (!Address::cast(anyobj)->isAny()) continue; if (!dummyDestination || (new_parent->getRoot()->getStringId(dummyDestination->getId()) != 
"dummyaddressid0")) continue; o->addRef(dummyDestination); } else if (RuleElementSrv::cast(o) && st->getInt("Objects/PolicyRule/defaultService")) { if (!Service::cast(anyobj)->isAny()) continue; if (!dummyService || (new_parent->getRoot()->getStringId(dummyService->getId()) != "dummyserviceid0")) continue; o->addRef(dummyService); } else if (RuleElementItf::cast(o) && st->getInt("Objects/PolicyRule/defaultInterface")) { if (!Address::cast(anyobj)->isAny()) continue; if (!dummyInterface || (new_parent->getRoot()->getStringId(dummyInterface->getId()) != "dummyinterfaceid0")) continue; o->addRef(dummyInterface); } } } } } } notify(); } void FWCmdMoveObject::notify() { // This command should only operate on moving objects from one // place in the tree to another but within the same data file QString filename = project->getFileName(); // QCoreApplication::postEvent( // mw, new reloadObjectTreeImmediatelyEvent(filename)); if (Library::isA(obj) && FWObjectDatabase::isA(obj->getParent())) { // library was undeleted abd moved from Deleted obj library to root QCoreApplication::postEvent( mw, new removeObjectFromTreeEvent(filename, obj->getId())); QCoreApplication::postEvent( mw, new addTreePageEvent(filename, obj->getId())); QCoreApplication::postEvent( mw, new updateObjectAndSubtreeImmediatelyEvent(filename, obj->getId())); } else { QCoreApplication::postEvent( mw, new removeObjectFromTreeEvent(filename, obj->getId())); QCoreApplication::postEvent( mw, new insertObjectInTreeEvent(filename, current_parent->getId(), obj->getId())); } QCoreApplication::postEvent( mw, new dataModifiedEvent(filename, old_parent->getId())); QCoreApplication::postEvent( mw, new dataModifiedEvent(filename, new_parent->getId())); FWObject *new_obj = NULL; if (current_parent->getId()==FWObjectDatabase::DELETED_OBJECTS_ID) { if (Library::isA(obj)) { // See #1740 // looks like the object that moved into Deleted Objects is // another library. Show Deleted Objects library if it is enabled. 
// if (fwbdebug) qDebug() << "Moved library to Deleted objects" << "old_parent=" << old_parent; if (st->getBool("UI/ShowDeletedObjects")) new_obj = current_parent; // should be "deleted objects" lib else { // new_obj = old_parent; // this does not work! new_obj = project->m_panel->om->getNextUserLib(obj); if (new_obj == NULL) { // no user libraries left, show "Standard" new_obj = old_parent->getRoot()->findInIndex( FWObjectDatabase::getIntId("syslib000")); } if (new_obj == NULL) new_obj = old_parent->getRoot()->front(); if (fwbdebug) qDebug() << "FWCmdMoveObject::notify() new_obj=" << new_obj; } } else new_obj = old_parent; } else { new_obj = obj; } QCoreApplication::postEvent(mw, new openLibraryForObjectEvent( filename, new_obj->getId())); // post openObjectInEditorEvent first so that editor panel opens. // This matters if the tree needs to scroll to show the object when // showObjectInTreeEvent is posted because vertical size of the tree // changes when editor opens if (mw->isEditorVisible()) QCoreApplication::postEvent(mw, new openObjectInEditorEvent( filename, new_obj->getId())); QCoreApplication::postEvent(mw, new showObjectInTreeEvent( filename, new_obj->getId())); } /****************************************************************/ FWCmdMoveToFromUserFolder::FWCmdMoveToFromUserFolder(ProjectPanel *project, FWObject *parent, FWObject *obj, const QString &oldFolder, const QString &newFolder, QString text, QUndoCommand *macro) : FWCmdChange(project, obj, text, false, macro), m_parentId(parent->getId()), m_oldFolder(oldFolder), m_newFolder(newFolder) { } void FWCmdMoveToFromUserFolder::redo() { FWCmdChange::redo(); FWObject *obj = getObject(); QString fileName = QString::fromUtf8(obj->getRoot()->getFileName().c_str()); QCoreApplication::postEvent(mw, new moveToFromUserFolderEvent (fileName, m_parentId, obj->getId(), m_oldFolder, m_newFolder)); } void FWCmdMoveToFromUserFolder::undo() { FWCmdChange::undo(); FWObject *obj = getObject(); QString fileName = 
QString::fromUtf8(obj->getRoot()->getFileName().c_str()); QCoreApplication::postEvent(mw, new moveToFromUserFolderEvent (fileName, m_parentId, obj->getId(), m_newFolder, m_oldFolder)); } fwbuilder-5.3.7/src/libgui/FWCmdMoveObject.h000066400000000000000000000050121303637203600206430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWCMDMOVEOBJECT_H #define FWCMDMOVEOBJECT_H #include "FWCmdChange.h" #include #include /******************************************************** * FWCmdMoveObject ********************************************************/ class FWCmdMoveObject : public FWCmdBasic { libfwbuilder::FWObject *old_parent; libfwbuilder::FWObject *new_parent; libfwbuilder::FWObject *current_parent; libfwbuilder::FWObject *obj; QString oldUserFolder; std::map > reference_holders; protected: virtual void notify(); public: FWCmdMoveObject(ProjectPanel *project, libfwbuilder::FWObject *old_parent, libfwbuilder::FWObject *new_parent, libfwbuilder::FWObject *obj, std::map > &reference_holders, QString text=QString(), QUndoCommand* macro = 0); ~FWCmdMoveObject(); virtual void redo(); virtual void undo(); }; /*************************************************************/ class FWCmdMoveToFromUserFolder : public FWCmdChange { int 
m_parentId; QString m_oldFolder; QString m_newFolder; public: FWCmdMoveToFromUserFolder(ProjectPanel *project, libfwbuilder::FWObject *parent, libfwbuilder::FWObject *obj, const QString &oldFolder, const QString &newFolder, QString text = QString(), QUndoCommand *macro = 0); virtual void redo(); virtual void undo(); }; #endif fwbuilder-5.3.7/src/libgui/FWCmdRule.cpp000066400000000000000000000506001303637203600200530ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "FWWindow.h" #include "FWCmdRule.h" #include "FindObjectWidget.h" #include "events.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Firewall.h" #include using namespace libfwbuilder; /******************************************************** * FWCmdRule ********************************************************/ FWCmdRule::FWCmdRule(ProjectPanel *project, RuleSet* ruleset, QUndoCommand* macro) : FWCmdBasic(project, macro) { this->ruleset = ruleset; } RuleSetView* FWCmdRule::getRuleSetView() { RuleSet* crs = project->getCurrentRuleSet(); if (crs != ruleset) project->openRuleSet(ruleset, true); return project->getCurrentRuleSetView(); } RuleSetModel* FWCmdRule::getRuleSetModel() { RuleSetView* rsv = getRuleSetView(); return (rsv != NULL)?(RuleSetModel*)getRuleSetView()->model():NULL; } void FWCmdRule::notify() { QCoreApplication::postEvent( mw, new dataModifiedEvent(project->getFileName(), ruleset->getId())); } void FWCmdRule::redo() { RuleSetModel* md = getRuleSetModel(); redoOnModel(md); notify(); } void FWCmdRule::undo() { RuleSetModel* md = getRuleSetModel(); undoOnModel(md); notify(); } /******************************************************** * FWCmdRuleInsert ********************************************************/ FWCmdRuleInsert::FWCmdRuleInsert(ProjectPanel *project, RuleSet* ruleset, int position, bool isAfter, Rule* ruleToInsert): FWCmdRule(project, ruleset) { this->position = position; this->isAfter = isAfter; this->ruleToInsert = ruleToInsert; this->insertedRule = 0; setText(QObject::tr("insert rule")); } FWCmdRuleInsert::~FWCmdRuleInsert() { if (ruleToInsert) delete ruleToInsert; if (insertedRule && 
insertedRule->getRefCounter() == 1) { delete insertedRule; } } void FWCmdRuleInsert::redoOnModel(RuleSetModel *md) { if (insertedRule == 0) { if (ruleToInsert == 0) { if (position == 0 && !isAfter) { insertedRule = md->insertNewRule(); } else { QModelIndex index = md->indexForPosition(position); insertedRule = md->insertNewRule(index, isAfter); } } else { QModelIndex index; if (position!=0 || isAfter) index = md->indexForPosition(position); insertedRule = md->insertRule(ruleToInsert, index, isAfter); } insertedRule->ref(); } else { md->insertRule(insertedRule); } getRuleSetView()->selectRE(insertedRule,0); setDiffType(insertedRule, DiffType::Add); } void FWCmdRuleInsert::undoOnModel(RuleSetModel *md) { QModelIndex index = md->index(insertedRule); resetDiffType(insertedRule); getRuleSetView()->scrollTo(index, QAbstractItemView::PositionAtCenter); getRuleSetView()->unselect(); md->removeRow(index.row(), index.parent()); } /******************************************************** * FWCmdRuleDelete ********************************************************/ FWCmdRuleDelete::FWCmdRuleDelete(ProjectPanel *project, RuleSet* ruleset, QList &rulesToDelete, QUndoCommand* macro) : FWCmdRule(project, ruleset, macro) { copyRules(rulesToDelete); setText(QObject::tr("delete rules")); } void FWCmdRuleDelete::copyRules(QList &rules) { if (fwbdebug) qDebug() << "FWCmdRuleDelete::copyRules(QList &rules)"; QList positions; positions.append(-100); foreach(Rule* rule, rules) { int pos = rule->getPosition(); for(int i=positions.size()-1; i>=0; i-- ) { if (pos > positions.at(i)) { positions.insert(i+1, pos); rule->ref(); rulesToDelete.insert(i, rule); break; } } } if (fwbdebug) qDebug() << "size:" << rulesToDelete.size(); row = getRuleSetModel()->index(rulesToDelete.first(),0).row() - 1; } FWCmdRuleDelete::~FWCmdRuleDelete() { if (fwbdebug) qDebug() << "FWCmdRuleDelete::~FWCmdRuleDelete()"; foreach(Rule* rule, rulesToDelete) { if (rule != 0) { if (rule->getRefCounter() <= 1) { if (fwbdebug) 
qDebug() << "* delete rule:" << rule->getId(); delete rule; } else { if (fwbdebug) qDebug() << "* unref rule:" << rule->getId(); rule->unref(); } } } } void FWCmdRuleDelete::redoOnModel(RuleSetModel *md) { if (fwbdebug) qDebug() << "FWCmdRuleDelete::redoOnModel(RuleSetModel *md)"; foreach(Rule* rule, rulesToDelete) { setDiffType(rule, DiffType::Remove); QModelIndex index = md->index(rule, 0); md->removeRow(index.row(), index.parent()); } // invalidate selection in RuleSetView getRuleSetView()->unselect(); } void FWCmdRuleDelete::undoOnModel(RuleSetModel *md) { md->restoreRules(rulesToDelete); foreach(Rule* rule, rulesToDelete) { resetDiffType(rule); } } /******************************************************** * FWCmdRuleDeleteFromGroup ********************************************************/ FWCmdRuleDeleteFromGroup::FWCmdRuleDeleteFromGroup( ProjectPanel *project, RuleSet* ruleset, QList rulesToDelete, QUndoCommand* macro) : FWCmdRuleDelete(project, ruleset, rulesToDelete, macro) { setText(QObject::tr("delete rules from group")); } void FWCmdRuleDeleteFromGroup::undoOnModel(RuleSetModel *md) { md->restoreRules(rulesToDelete, false); foreach(Rule* rule, rulesToDelete) { resetDiffType(rule); } } /******************************************************** * FWCmdRuleColor ********************************************************/ FWCmdRuleColor::FWCmdRuleColor( ProjectPanel *project, RuleSet* ruleset, QList &rules, const QString &newColor) : FWCmdRule(project, ruleset), newColor(newColor) { foreach(Rule* rule, rules) { int id = rule->getId(); FWOptions *ropt = rule->getOptionsObject(); QString oldColor = QString::fromUtf8(ropt->getStr("color").c_str()); oldColors[id] = oldColor; } setText(QObject::tr("change rule(s) color")); } void FWCmdRuleColor::redoOnModel(RuleSetModel *md) { QModelIndexList indexes; foreach(int ruleId, oldColors.keys()) { Rule* rule = Rule::cast(getObject(ruleId)); if (rule != 0) { indexes.append(md->index(rule, 0)); } } 
md->changeRuleColor(indexes, newColor); } void FWCmdRuleColor::undoOnModel(RuleSetModel *md) { QModelIndexList indexes; foreach(int ruleId, oldColors.keys()) { indexes.clear(); Rule* rule = dynamic_cast(getObject(ruleId)); if (rule != 0) { indexes.append(md->index(rule, 0)); } md->changeRuleColor(indexes, oldColors[ruleId]); } } /******************************************************** * FWCmdRuleMove ********************************************************/ FWCmdRuleMove::FWCmdRuleMove(ProjectPanel *project, RuleSet* ruleset, int firstId, int lastId, bool direction) : FWCmdRule(project, ruleset), firstId(firstId), lastId(lastId), direction(direction) { setText((direction)?QObject::tr("move rule up"):QObject::tr("move rule down")); } void FWCmdRuleMove::redoOnModel(RuleSetModel *md) { move(md, direction); for (int id = firstId; id <= lastId; ++id) setDiffType(Rule::cast(getObject(id)), DiffType::Move); } void FWCmdRuleMove::undoOnModel(RuleSetModel *md) { move(md, !direction); for (int id = firstId; id <= lastId; ++id) resetDiffType(Rule::cast(getObject(id))); } void FWCmdRuleMove::move(RuleSetModel *md, bool direction) { Rule* firstRule = Rule::cast(getObject(firstId)); Rule* lastRule = Rule::cast(getObject(lastId)); QModelIndex index = md->index(firstRule, 0); QModelIndex parent = index.parent(); int first = index.row(); index = md->index(lastRule, 0); int last = index.row(); if (direction) { // up md->moveRuleUp(parent , first, last); } else { // down md->moveRuleDown(parent , first, last); } project->getCurrentRuleSetView()->setSelectedRows( md->index(firstRule, 0), md->index(lastRule, 0)); } /******************************************************** * FWCmdRuleRenameGroup ********************************************************/ FWCmdRuleRenameGroup::FWCmdRuleRenameGroup( ProjectPanel *project, RuleSet* ruleset, QString oldName, QString newName) : FWCmdRule(project, ruleset), oldName(oldName), newName(newName) { setText(QObject::tr("Rename group of rules")); } 
void FWCmdRuleRenameGroup::redoOnModel(RuleSetModel *md) { project->getRenamedGroups().insert(project->getRenamedGroups().key(oldName, oldName), newName); QModelIndex grp = md->index(oldName); md->renameGroup(grp, newName); } void FWCmdRuleRenameGroup::undoOnModel(RuleSetModel *md) { project->getRenamedGroups().insert(project->getRenamedGroups().key(newName), oldName); QModelIndex grp = md->index(newName); md->renameGroup(grp, oldName); } /******************************************************** * FWCmdRuleRemoveFromGroup ********************************************************/ FWCmdRuleRemoveFromGroup::FWCmdRuleRemoveFromGroup( ProjectPanel* project, RuleSet* ruleset, Rule* firstRule, Rule* lastRule, const QString groupName, QUndoCommand* macro) : FWCmdRule(project, ruleset, macro), firstRule(firstRule), lastRule(lastRule), groupName(groupName) { setText(QObject::tr("remove object(s) from group ")+groupName); } void FWCmdRuleRemoveFromGroup::redoOnModel(RuleSetModel *md) { for (int id = firstRule->getId(); id <= lastRule->getId(); ++id) setDiffType(Rule::cast(getObject(id)), DiffType::Move); QModelIndex group = md->index(groupName); QModelIndex first = md->index(firstRule, 0); QModelIndex last = md->index(lastRule, 0); md->removeFromGroup(group, first.row(), last.row()); } void FWCmdRuleRemoveFromGroup::undoOnModel(RuleSetModel *md) { for (int id = firstRule->getId(); id <= lastRule->getId(); ++id) resetDiffType(Rule::cast(getObject(id))); QModelIndex group = md->index(groupName); QModelIndex first = md->index(firstRule, 0); QModelIndex last = md->index(lastRule, 0); if (group.isValid()) { // Group still present in the ruleset. rules need to be added to rhis group. if (first.row() - 1 == group.row()) { md->addToGroupAbove(first.row(), last.row()); } else { md->addToGroupBelow(first.row(), last.row()); } } else { // Group was deleted. It should be created again. 
md->createNewGroup(groupName, first.row(), last.row()); } } /******************************************************** * FWCmdRuleNewGroup ********************************************************/ FWCmdRuleNewGroup::FWCmdRuleNewGroup( ProjectPanel* project, RuleSet* ruleset, Rule* firstRule, Rule* lastRule, const QString groupName) : FWCmdRule(project, ruleset), firstRule(firstRule), lastRule(lastRule) { this->groupName = getRuleSetModel()->findUniqueNameForGroup(groupName); setText(QObject::tr("create new group ")+this->groupName); } void FWCmdRuleNewGroup::redoOnModel(RuleSetModel *md) { for (int id = firstRule->getId(); id <= lastRule->getId(); ++id) setDiffType(Rule::cast(getObject(id)), DiffType::Move); QModelIndex first = md->index(firstRule, 0); QModelIndex last = md->index(lastRule, 0); QModelIndex index = md->createNewGroup(groupName, first.row(), last.row()); project->getCurrentRuleSetView()->setFirstColumnSpanned(index.row(), QModelIndex(), true); } void FWCmdRuleNewGroup::undoOnModel(RuleSetModel *md) { for (int id = firstRule->getId(); id <= lastRule->getId(); ++id) resetDiffType(Rule::cast(getObject(id))); QModelIndex group = md->index(groupName); QModelIndex first = md->index(firstRule, 0); QModelIndex last = md->index(lastRule, 0); md->removeFromGroup(group, first.row(), last.row()); } /******************************************************** * FWCmdRuleAddToGroup ********************************************************/ FWCmdRuleAddToGroup::FWCmdRuleAddToGroup( ProjectPanel* project, RuleSet* ruleset, Rule* firstRule, Rule* lastRule, bool isAbove) : FWCmdRule(project, ruleset), firstRule(firstRule), lastRule(lastRule), isAbove(isAbove) { setText((isAbove)?QObject::tr("add to group above"):QObject::tr("add to group below")); } void FWCmdRuleAddToGroup::redoOnModel(RuleSetModel *md) { for (int id = firstRule->getId(); id <= lastRule->getId(); ++id) setDiffType(Rule::cast(getObject(id)), DiffType::Move); QModelIndex first = md->index(firstRule, 0); 
QModelIndex last = md->index(lastRule, 0); groupName = (isAbove)? md->addToGroupAbove(first.row(), last.row()): md->addToGroupBelow(first.row(), last.row()); } void FWCmdRuleAddToGroup::undoOnModel(RuleSetModel *md) { for (int id = firstRule->getId(); id <= lastRule->getId(); ++id) resetDiffType(Rule::cast(getObject(id))); QModelIndex group = md->index(groupName); QModelIndex first = md->index(firstRule, 0); QModelIndex last = md->index(lastRule, 0); md->removeFromGroup(group, first.row(), last.row()); } /******************************************************** * FWCmdRuleChange ********************************************************/ FWCmdRuleChange::FWCmdRuleChange( ProjectPanel *project, RuleSet* ruleset, FWObject *obj, QString text, QUndoCommand* macro) : FWCmdChange(project, obj, text, false, macro), ruleset(ruleset) { } Rule* FWCmdRuleChange::selectAffectedRule() { RuleSetView* rsv = project->getCurrentRuleSetView(); RuleSetModel* md = (RuleSetModel*)rsv->model(); Rule* currentRule = md->getRule(rsv->currentIndex()); if(currentRule == 0 || (currentRule->getId() != getRule()->getId())) rsv->selectRE(getRule(), 0); return currentRule; } void FWCmdRuleChange::redo() { prepareRuleSetView(); FWCmdChange::redo(); Rule *affectedRule = selectAffectedRule(); if (affectedRule) setDiffType(affectedRule, DiffType::Edit); } void FWCmdRuleChange::undo() { prepareRuleSetView(); FWCmdChange::undo(); Rule *affectedRule = selectAffectedRule(); if (affectedRule) resetDiffType(affectedRule); } void FWCmdRuleChange::notify() { RuleSetView* rsv = project->getCurrentRuleSetView(); RuleSetModel* md = (RuleSetModel*)rsv->model(); Rule* rule = getRule(); md->rowChanged(md->index(rule, 0)); // rsv->updateColumnSizeForIndex(md->index(rule, 0)); QCoreApplication::postEvent( mw, new dataModifiedEvent(project->getFileName(), ruleset->getId())); } void FWCmdRuleChange::prepareRuleSetView() { RuleSet* crs = project->getCurrentRuleSet(); if (crs != ruleset) project->openRuleSet(ruleset, 
true); } libfwbuilder::Rule* FWCmdRuleChange::getRule() { return Rule::cast(getObject()); } /******************************************************** * FWCmdRuleChangeAction * * This command is used when user modifies parameters of an action, not * when they change action of a rule. * ********************************************************/ FWCmdRuleChangeAction::FWCmdRuleChangeAction( ProjectPanel *project, FWObject *obj) : FWCmdRuleChange(project, RuleSet::cast(obj->getParent()), obj, QObject::tr("Edit Rule Action")) {}; void FWCmdRuleChangeAction::notify() { FWCmdRuleChange::notify(); if (mw->isEditorVisible()) { QCoreApplication::postEvent( mw, new openOptObjectInEditorEvent(project->getFileName(), getRule()->getId(), ObjectEditor::optAction)); } } /******************************************************** * FWCmdRuleChangeComment ********************************************************/ FWCmdRuleChangeComment::FWCmdRuleChangeComment( ProjectPanel *project, FWObject *obj) : FWCmdRuleChange(project, RuleSet::cast(obj->getParent()), obj, QObject::tr("Edit Rule Comment")) { } void FWCmdRuleChangeComment::notify() { FWCmdRuleChange::notify(); if (mw->isEditorVisible()) { QCoreApplication::postEvent( mw, new openOptObjectInEditorEvent( project->getFileName(), getRule()->getId(), ObjectEditor::optComment)); } } /******************************************************** * FWCmdRuleChangeOptions ********************************************************/ FWCmdRuleChangeOptions::FWCmdRuleChangeOptions( ProjectPanel *project, FWObject *obj) : FWCmdRuleChange(project, RuleSet::cast(obj->getParent()), obj, QObject::tr("Edit Rule Options")) {}; void FWCmdRuleChangeOptions::notify() { FWCmdRuleChange::notify(); if (mw->isEditorVisible()) { QCoreApplication::postEvent( mw, new openObjectInEditorEvent( project->getFileName(), getRule()->getId())); } } /******************************************************** * FWCmdRuleChangeRe 
********************************************************/ FWCmdRuleChangeRe::FWCmdRuleChangeRe( ProjectPanel *project, RuleSet* ruleset, FWObject *obj, int position, int column, int number, QString text, QUndoCommand* macro) : FWCmdRuleChange(project, ruleset, obj, text, macro) { this->column = column; this->number = number; this->position = position; } Rule* FWCmdRuleChangeRe::getRule() { return Rule::cast(getObject()->getParent()); } void FWCmdRuleChangeRe::notify() { FWCmdRuleChange::notify(); project->getCurrentRuleSetView()->selectObject(position, column, number); mw->findObjectWidget->reset(); } /******************************************************** * FWCmdRuleNegateRE ********************************************************/ FWCmdRuleNegateRE::FWCmdRuleNegateRE( ProjectPanel *project, RuleSet* ruleset, RuleElement* ruleElement, int position, int column) : FWCmdRuleChangeRe(project, ruleset, ruleElement, position, column, 0, QObject::tr("Negate")) { } void FWCmdRuleNegateRE::redo() { prepareRuleSetView(); RuleElement* ruleElement = RuleElement::cast(getObject()); ruleElement->toggleNeg(); RuleSetView* rsv = project->getCurrentRuleSetView(); RuleSetModel* md = (RuleSetModel*)rsv->model(); md->rowChanged(md->index(getRule(), 0)); selectAffectedRule(); notify(); } void FWCmdRuleNegateRE::undo() { prepareRuleSetView(); RuleElement* ruleElement = RuleElement::cast(getObject()); ruleElement->toggleNeg(); RuleSetView* rsv = project->getCurrentRuleSetView(); RuleSetModel* md = (RuleSetModel*)rsv->model(); md->rowChanged(md->index(getRule(), 0)); selectAffectedRule(); notify(); } fwbuilder-5.3.7/src/libgui/FWCmdRule.h000066400000000000000000000223201303637203600175160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWCMDRULE_H #define FWCMDRULE_H #include "FWCmdBasic.h" #include "RuleSetView.h" #include "RuleSetModel.h" #include "FWCmdChange.h" #include #include namespace libfwbuilder { class RuleSet; class RuleElement; class Rule; class FWObject; } /******************************************************** * FWCmdRule ********************************************************/ class FWCmdRule : public FWCmdBasic { protected: libfwbuilder::RuleSet* ruleset; RuleSetView* getRuleSetView(); RuleSetModel* getRuleSetModel(); virtual void notify(); public: FWCmdRule(ProjectPanel *project, libfwbuilder::RuleSet* ruleset, QUndoCommand* macro=0); virtual void redo(); virtual void undo(); virtual void redoOnModel(RuleSetModel *md)=0; virtual void undoOnModel(RuleSetModel *md)=0; }; /******************************************************** * FWCmdRuleInsert ********************************************************/ class FWCmdRuleInsert : public FWCmdRule { int position; libfwbuilder::Rule * ruleToInsert; libfwbuilder::Rule * insertedRule; bool isAfter; public: FWCmdRuleInsert(ProjectPanel *project, libfwbuilder::RuleSet* ruleset, int position=0, bool isAfter=false, libfwbuilder::Rule* ruleToInsert=0); ~FWCmdRuleInsert(); void redoOnModel(RuleSetModel *md); void undoOnModel(RuleSetModel *md); const libfwbuilder::Rule* getInsertedRule() const { return insertedRule; } }; 
/******************************************************** * FWCmdRuleDelete ********************************************************/ class FWCmdRuleDelete : public FWCmdRule { int row; void copyRules(QList &rules); protected: QList rulesToDelete; public: FWCmdRuleDelete(ProjectPanel *project, libfwbuilder::RuleSet* ruleset, QList &rulesToDelete, QUndoCommand* macro=0); ~FWCmdRuleDelete(); virtual void redoOnModel(RuleSetModel *md); virtual void undoOnModel(RuleSetModel *md); const QList getDeletedRules() const { return this->rulesToDelete; } }; /******************************************************** * FWCmdRuleDeleteFromGroup ********************************************************/ class FWCmdRuleDeleteFromGroup : public FWCmdRuleDelete { // int ruleId; // int row; // libfwbuilder::Rule* deletedRule; // QList rulesToDelete; public: FWCmdRuleDeleteFromGroup(ProjectPanel *project, libfwbuilder::RuleSet* ruleset, QList rulesToDelete, QUndoCommand* macro=0); // void redoOnModel(RuleSetModel *md); void undoOnModel(RuleSetModel *md); }; /******************************************************** * FWCmdRuleColor ********************************************************/ class FWCmdRuleColor : public FWCmdRule { QString newColor; QHash oldColors; QList ruleIds; public: FWCmdRuleColor(ProjectPanel *project, libfwbuilder::RuleSet* ruleset, QList &rules,const QString &newColor); void redoOnModel(RuleSetModel *md); void undoOnModel(RuleSetModel *md); }; /******************************************************** * FWCmdRuleRenameGroup ********************************************************/ class FWCmdRuleRenameGroup : public FWCmdRule { QString oldName; QString newName; public: FWCmdRuleRenameGroup(ProjectPanel *project, libfwbuilder::RuleSet* ruleset, QString oldName, QString newName); void redoOnModel(RuleSetModel *md); void undoOnModel(RuleSetModel *md); }; /******************************************************** * FWCmdRuleRemoveFromGroup 
********************************************************/ class FWCmdRuleRemoveFromGroup : public FWCmdRule { libfwbuilder::Rule* firstRule; libfwbuilder::Rule* lastRule; QString groupName; public: FWCmdRuleRemoveFromGroup(ProjectPanel* project, libfwbuilder::RuleSet* ruleset, libfwbuilder::Rule* firstRule, libfwbuilder::Rule* lastRule, const QString groupName, QUndoCommand* macro=0); void redoOnModel(RuleSetModel *md); void undoOnModel(RuleSetModel *md); }; /******************************************************** * FWCmdRuleNewGroup ********************************************************/ class FWCmdRuleNewGroup : public FWCmdRule { libfwbuilder::Rule* firstRule; libfwbuilder::Rule* lastRule; QString groupName; public: FWCmdRuleNewGroup(ProjectPanel* project, libfwbuilder::RuleSet* ruleset, libfwbuilder::Rule* firstRule, libfwbuilder::Rule* lastRule, const QString groupName); void redoOnModel(RuleSetModel *md); void undoOnModel(RuleSetModel *md); }; /******************************************************** * FWCmdRuleAddToGroup ********************************************************/ class FWCmdRuleAddToGroup : public FWCmdRule { libfwbuilder::Rule* firstRule; libfwbuilder::Rule* lastRule; bool isAbove; QString groupName; public: FWCmdRuleAddToGroup(ProjectPanel* project, libfwbuilder::RuleSet* ruleset, libfwbuilder::Rule* firstRule, libfwbuilder::Rule* lastRule, bool isAbove = true); void redoOnModel(RuleSetModel *md); void undoOnModel(RuleSetModel *md); }; /******************************************************** * FWCmdRuleMove ********************************************************/ class FWCmdRuleMove : public FWCmdRule { int firstId; int lastId; bool direction; // true - up, false - down; void move(RuleSetModel *md, bool direction); public: FWCmdRuleMove(ProjectPanel *project, libfwbuilder::RuleSet* ruleset, int firstId, int lastId, bool direction=true); void redoOnModel(RuleSetModel *md); void undoOnModel(RuleSetModel *md); }; 
/******************************************************** * FWCmdRuleChange ********************************************************/ class FWCmdRuleChange : public FWCmdChange { libfwbuilder::RuleSet* ruleset; protected: void prepareRuleSetView(); libfwbuilder::Rule* selectAffectedRule(); virtual libfwbuilder::Rule* getRule(); public: FWCmdRuleChange(ProjectPanel *project, libfwbuilder::RuleSet* ruleset, libfwbuilder::FWObject *obj, QString text=QString(), QUndoCommand* macro = 0); virtual void redo(); virtual void undo(); virtual void notify(); }; /******************************************************** * FWCmdRuleChangeAction ********************************************************/ class FWCmdRuleChangeAction : public FWCmdRuleChange { public: FWCmdRuleChangeAction(ProjectPanel *project, libfwbuilder::FWObject *obj); virtual void notify(); }; /******************************************************** * FWCmdRuleChangeComment ********************************************************/ class FWCmdRuleChangeComment : public FWCmdRuleChange { public: FWCmdRuleChangeComment(ProjectPanel *project, libfwbuilder::FWObject *obj); virtual void notify(); }; /******************************************************** * FWCmdRuleChangeOptions ********************************************************/ class FWCmdRuleChangeOptions : public FWCmdRuleChange { public: FWCmdRuleChangeOptions(ProjectPanel *project, libfwbuilder::FWObject *obj); virtual void notify(); }; /******************************************************** * FWCmdRuleChangeRe ********************************************************/ class FWCmdRuleChangeRe : public FWCmdRuleChange { int position; int column; int number; protected: virtual libfwbuilder::Rule* getRule(); public: FWCmdRuleChangeRe(ProjectPanel *project, libfwbuilder::RuleSet* ruleset, libfwbuilder::FWObject *obj, int position, int column, int number, QString text=QString(), QUndoCommand* macro = 0); virtual void notify(); }; 
/******************************************************** * FWCmdRuleNegateRE ********************************************************/ class FWCmdRuleNegateRE : public FWCmdRuleChangeRe { public: FWCmdRuleNegateRE(ProjectPanel *project, libfwbuilder::RuleSet* ruleset, libfwbuilder::RuleElement* ruleElement, int position, int column); virtual void redo(); virtual void undo(); }; #endif // FWCMDRULE_H fwbuilder-5.3.7/src/libgui/FWObjectClipboard.cpp000066400000000000000000000061111303637203600215440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000-2004 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "FWObjectClipboard.h" #include "FWWindow.h" #include "ProjectPanel.h" using namespace std; using namespace libfwbuilder; FWObjectClipboard* FWObjectClipboard::obj_clipboard=NULL; FWObjectClipboard::FWObjectClipboard() { assert(obj_clipboard==NULL); obj_clipboard=this; } FWObjectClipboard::~FWObjectClipboard() { clear(); obj_clipboard=NULL; } void FWObjectClipboard::clear() { if (fwbdebug) qDebug("FWObjectClipboard::clear size()=%d", int(size())); for (vector >::iterator i=ids.begin(); i!=ids.end(); ++i) { int obj_id = i->first; ProjectPanel *proj_p = i->second; assert(proj_p); FWObject *obj = proj_p->db()->findInIndex(obj_id); if (obj) { if (fwbdebug) qDebug("FWObjectClipboard::clear unref obj=%p (%s)", obj, obj->getName().c_str()); obj->unref(); } } ids.clear(); } void FWObjectClipboard::add(FWObject *obj, ProjectPanel * proj_p) { if (fwbdebug) { qDebug("FWObjectClipboard::add obj=%p (id=%d %s) proj_p=%p", obj, obj->getId(), FWObjectDatabase::getStringId(obj->getId()).c_str(), proj_p ); } obj->ref(); ids.push_back( pair(obj->getId(), proj_p) ); } void FWObjectClipboard::remove(FWObject* obj) { int id = obj->getId(); for (vector >::iterator i=ids.begin(); i!=ids.end(); ++i) { int obj_id = i->first; if (obj_id == id) { ids.erase(i); break; } } } FWObject* FWObjectClipboard::getObject() { if (ids.size()>0) { pair p = ids.back(); return p.second->db()->findInIndex( p.first ); } else return NULL; } FWObject* FWObjectClipboard::getObjectByIdx (int idx) { if (idx < int(ids.size())) { pair p = ids[idx]; return p.second->db()->findInIndex( p.first ); } else return NULL; } fwbuilder-5.3.7/src/libgui/FWObjectClipboard.h000066400000000000000000000040531303637203600212140ustar00rootroot00000000000000/* 
Firewall Builder Copyright (C) 2000-2006 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _FWOBJECT_CLIPBOARD_H #define _FWOBJECT_CLIPBOARD_H #include #include #include "fwbuilder/FWObject.h" class ProjectPanel ; class FWObjectClipboard { std::vector > ids; public: FWObjectClipboard(); ~FWObjectClipboard(); /** * adds an object to the clipboard */ void add(libfwbuilder::FWObject*, ProjectPanel *proj_p); /** * returns the last added object */ libfwbuilder::FWObject* getObject(); /** * removes object from the clipboard if it is there */ void remove(libfwbuilder::FWObject*); /** * clear the clipboard */ void clear(); libfwbuilder::FWObject* getObjectByIdx (int idx); std::vector >::iterator begin() { return ids.begin(); } std::vector >::iterator end() { return ids.end(); } std::vector >::reverse_iterator rbegin() { return ids.rbegin(); } std::vector >::reverse_iterator rend() { return ids.rend(); } int size() { return ids.size(); } static FWObjectClipboard *obj_clipboard; }; #endif fwbuilder-5.3.7/src/libgui/FWObjectDrag.cpp000066400000000000000000000073571303637203600205370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "FWObjectDrag.h" #include //Added by qt3to4: #include #include using namespace std; using namespace libfwbuilder; /***************************************************************************** * * Class FWObjectDrag * *****************************************************************************/ /* MIME type under which the drag payload is offered. The payload is a list of in-process pointer values (see encodedData), so it is only meaningful to this process. */ QString FWObjectDrag::FWB_MIME_TYPE="x-fwobject/pointer"; /* Builds a QDrag whose mime data carries the encoded pointer list for ol; the name argument is unused. */ FWObjectDrag::FWObjectDrag(list ol, QWidget *dragSource, const char* /*name*/) : QDrag( dragSource ) { objlist=ol; QMimeData *mime = new QMimeData; mime->setData(FWB_MIME_TYPE, encodedData()); setMimeData(mime); } FWObjectDrag::~FWObjectDrag() { } /* Serializes objlist as an int count followed by the raw pointer value of each FWObject (sizeof(FWObject*) bytes written with writeRawData). No object contents are copied, so the receiver must live in the same process for the pointers to be valid. */ QByteArray FWObjectDrag::encodedData() const { QByteArray a; //if (QString(mime)==FWB_MIME_TYPE) QDataStream stream(&a, QIODevice::WriteOnly); int n = objlist.size(); stream << n; for (list::const_iterator i=objlist.begin(); i!=objlist.end(); ++i) { FWObject *o = *i; stream.writeRawData( (const char*)(&o) , sizeof(FWObject*) ); } #if 0 a.resize( sizeof(FWObject*) * objlist.size() + sizeof(int) ); void *dst = a.data(); int n = objlist.size(); memcpy( dst, &n, sizeof(int) ); dst += sizeof(int); for (list::iterator i=objlist.begin(); i!=objlist.end(); ++i) { FWObject *o = *i; memcpy( dst, &o, sizeof(FWObject*) ); dst += sizeof(FWObject*); } #endif return a; } /* Decodes the FWB_MIME_TYPE payload of a drop event into ol (cleared first) and accepts the event; always returns true. NOTE(review): nothing here verifies that the drop originated in this process (ev->source() is not consulted) or that the count n is consistent with rawdata.size(); the decoded words are later used as FWObject* by callers such as FWObjectDropArea::dropEvent, so a drop source outside this process that offers "x-fwobject/pointer" would control those pointer values. A defensive check would reject drops whose source is not a widget of this application or whose payload size is not sizeof(int) + n*sizeof(FWObject*) -- confirm how Qt delivers cross-process drops on the supported platforms before relying on either. */ bool FWObjectDrag::decode( QDropEvent *ev, list &ol) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) 
QByteArray rawdata = ev->encodedData( static_cast(FWB_MIME_TYPE.toLatin1()) ); #else QByteArray rawdata = ev->mimeData()->data(FWB_MIME_TYPE); #endif ol.clear(); QDataStream stream(&rawdata, QIODevice::ReadOnly); int n = 0; stream >> n; /* NOTE(review): the loop body is missing from this listing (text between '<' and '>' was dropped on extraction); presumably it reads sizeof(FWObject*) bytes per entry into an FWObject* and appends it to ol before the event is accepted -- confirm against the repository. */ for (int i=0; iaccept(); return true; } /* Drag-enter variant: performs the same decoding of the FWB_MIME_TYPE payload into ol and accepts the event; the same provenance and payload-size caveats as the QDropEvent overload apply. */ bool FWObjectDrag::decode( QDragEnterEvent *ev, list &ol) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QByteArray rawdata = ev->encodedData( static_cast(FWB_MIME_TYPE.toLatin1()) ); #else QByteArray rawdata = ev->mimeData()->data(FWB_MIME_TYPE); #endif ol.clear(); QDataStream stream(&rawdata, QIODevice::ReadOnly); int n = 0; stream >> n; for (int i=0; iaccept(); return true; } /* Starts the drag with the given actions; emits a debug line when fwbdebug is set and returns whatever QDrag::start reports. */ Qt::DropAction FWObjectDrag::start(Qt::DropActions action) { if (fwbdebug) qDebug("FWObjectDrag::start"/*, action*/); return QDrag::start(action); } fwbuilder-5.3.7/src/libgui/FWObjectDrag.h000066400000000000000000000035161303637203600201750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWOBJECTDRAG_H_ #define __FWOBJECTDRAG_H_ //#include //Added by qt3to4: #include #include #include #include #include namespace libfwbuilder { class FWObject; }; /***************************************************************************** * * Class FWObjectDrag * *****************************************************************************/ class FWObjectDrag : public QDrag { private: std::list objlist; public: static QString FWB_MIME_TYPE; FWObjectDrag(std::list ol, QWidget *dragSource = 0, const char* name = 0); ~FWObjectDrag(); virtual Qt::DropAction start(Qt::DropActions action = Qt::CopyAction); QByteArray encodedData() const; static bool decode( QDropEvent *ev, std::list &ol); static bool decode( QDragEnterEvent *ev, std::list &ol); }; #endif fwbuilder-5.3.7/src/libgui/FWObjectDropArea.cpp000066400000000000000000000153621303637203600213520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "definitions.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "events.h" #include "FWObjectDropArea.h" #include "FWObjectDrag.h" #include "FWObjectClipboard.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleSet.h" #include #include #include #include #include #include //Added by qt3to4: #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; FWObjectDropArea::~FWObjectDropArea() { delete m_objectDropArea; } #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) FWObjectDropArea::FWObjectDropArea(QWidget*p, const char * n, Qt::WFlags f): #else FWObjectDropArea::FWObjectDropArea(QWidget*p, const char * n, Qt::WindowFlags f): #endif QWidget(p) { setObjectName( QString(n) ); setWindowFlags( f ); m_objectDropArea = new Ui::FWObjectDropArea_q; m_objectDropArea->setupUi(this); object=NULL; helperText = tr("Drop object here."); } void FWObjectDropArea::paintEvent(QPaintEvent *) { int w=width(); int h=height(); QPainter p(this); QPixmap bufferpixmap; bufferpixmap = QPixmap( w , h ); bufferpixmap.fill( Qt::white ); QPainter tp( &bufferpixmap ); tp.setBrush(Qt::black); tp.drawLine(0,0,w-1,0); tp.drawLine(w-1,0,w-1,h-1); tp.drawLine(w-1,h-1,0,h-1); tp.drawLine(0,h-1,0,0); tp.fillRect(1, 1, w-2, h-2, Qt::white); if (object!=NULL) { QPixmap pm; QString icn_file = (":/Icons/"+object->getTypeName()+"/icon").c_str(); if ( ! 
QPixmapCache::find( icn_file, pm) ) { pm.load( icn_file ); QPixmapCache::insert( icn_file, pm); } tp.drawPixmap( ((w-pm.width())/2), (h/2)-(2+pm.height()) , pm ); QString t=QString::fromUtf8(object->getName().c_str()); int t_x=2; int t_y=2+h/2; int t_w=w-4; int t_h=h/2-4; tp.drawText( t_x, t_y , t_w, t_h , Qt::AlignHCenter|Qt::AlignTop|Qt::TextWordWrap, t ); } else { QString t = helperText ; int t_x = 2; int t_y = 2; int t_w = w-4; int t_h = h-4; tp.drawText( t_x, t_y , t_w, t_h , Qt::AlignHCenter|Qt::AlignVCenter|Qt::TextWordWrap, t ); } tp.end(); p.drawPixmap( 0, 0, bufferpixmap ); } void FWObjectDropArea::insertObject(libfwbuilder::FWObject *o) { if (object!=o) { object=o; update(); emit objectInserted(); } } void FWObjectDropArea::deleteObject() { object=NULL; update(); emit objectDeleted(); } void FWObjectDropArea::contextMenuEvent (QContextMenuEvent * e) { QMenu *popup; popup=new QMenu(this); QAction *sitAct = popup->addAction( tr("Show in the tree") , this , SLOT( showInTreeObject( )) ); QAction *editAct = popup->addAction( tr("Edit") , this , SLOT( editObject( )) ); popup->addSeparator(); QAction *psAct = popup->addAction( tr("Paste") , this , SLOT( pasteObject( )) ); popup->addSeparator(); QAction *dlAct = popup->addAction( tr("Delete") , this , SLOT( deleteObject( )) ); sitAct->setEnabled(object!=NULL); editAct->setEnabled(object!=NULL); dlAct->setEnabled(object!=NULL); psAct->setEnabled(FWObjectClipboard::obj_clipboard->size()>0); popup->exec(e->globalPos ()); delete popup; } void FWObjectDropArea::dropEvent( QDropEvent *ev) { if (fwbdebug) { qDebug("FWObjectDropArea::dropEvent drop event mode=%d", ev->dropAction()); qDebug(" src widget = %p", ev->source()); } list dragol; if (FWObjectDrag::decode(ev, dragol)) { if (dragol.size()>0) { insertObject(dragol.front()); } } } void FWObjectDropArea::dragEnterEvent( QDragEnterEvent *ev) { list dragol; if (FWObjectDrag::decode(ev, dragol)) { if (dragol.size()>0) { FWObject * o = dragol.front(); bool ok = false ; 
if (acceptedTypes.size()==0) ok = true ; for (int p = 0 ; p < acceptedTypes.size(); p++) { QString type =o->getTypeName().c_str(); if (type==acceptedTypes[p]) { ok = true ; break ; } } if (!ok) { ev->setAccepted(false); return ; } } } ev->setAccepted( ev->mimeData()->hasFormat(FWObjectDrag::FWB_MIME_TYPE) ); } void FWObjectDropArea::pasteObject() { vector >::iterator i; for( i= FWObjectClipboard::obj_clipboard->begin(); i!=FWObjectClipboard::obj_clipboard->end(); ++i) { FWObject *co= i->second->db()->findInIndex(i->first); insertObject(co); } } void FWObjectDropArea::showInTreeObject() { ProjectPanel * pp = mw->activeProject(); if (pp!=NULL) { QCoreApplication::postEvent( pp, new showObjectInTreeEvent(pp->getFileName(), object->getId())); } } void FWObjectDropArea::editObject() { ProjectPanel * pp = mw->activeProject(); if (pp!=NULL) { if (RuleSet::cast(object)!=NULL) QCoreApplication::postEvent( pp, new openRulesetEvent(pp->getFileName(), object->getId())); QCoreApplication::postEvent( mw, new openObjectInEditorEvent(pp->getFileName(), object->getId())); QCoreApplication::postEvent( pp, new showObjectInTreeEvent(pp->getFileName(), object->getId())); } } void FWObjectDropArea::mouseDoubleClickEvent(QMouseEvent *) { if (object!=NULL) editObject(); } fwbuilder-5.3.7/src/libgui/FWObjectDropArea.h000066400000000000000000000047501303637203600210160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWOBJECTDROPAREA_H_ #define __FWOBJECTDROPAREA_H_ #include "config.h" #include #include "fwbuilder/FWObject.h" #include #include #include #include #include #include class QWidget; class QPixmap; class QMenu; class QContextMenuEvent; class QDropEvent; class QDragEnterEvent; class FWObjectDropArea : public QWidget//Ui::FWObjectDropArea_q { Q_OBJECT; private: libfwbuilder::FWObject *object; QVector acceptedTypes ; QString helperText ; protected: void paintEvent(QPaintEvent *ev); void contextMenuEvent (QContextMenuEvent * e); void dropEvent( QDropEvent *ev); void dragEnterEvent( QDragEnterEvent *ev); public: Ui::FWObjectDropArea_q *m_objectDropArea; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) FWObjectDropArea(QWidget*p, const char * n = 0, Qt::WFlags f = 0); #else FWObjectDropArea(QWidget*p, const char * n = 0, Qt::WindowFlags f = 0); #endif ~FWObjectDropArea(); libfwbuilder::FWObject * getObject(){return object;}; void setObject(libfwbuilder::FWObject * o){ object = o ;}; void addAcceptedTypes (QString type){acceptedTypes.push_back(type);}; bool isEmpty() {return object==NULL;}; void setHelperText(const QString &text) { helperText=text; } virtual void mouseDoubleClickEvent ( QMouseEvent * event ); public slots: void insertObject(libfwbuilder::FWObject *o); void deleteObject(); void pasteObject(); void showInTreeObject(); void editObject(); signals: void objectDeleted(); void objectInserted(); }; #endif fwbuilder-5.3.7/src/libgui/FWObjectPropertiesFactory.cpp000066400000000000000000001430701303637203600233370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "definitions.h" #include "global.h" #include "utils_no_qt.h" #include "utils.h" #include #include #include #include #include #include "FWObjectPropertiesFactory.h" #include "platforms.h" #include "DialogFactory.h" #include "FWBTree.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/DynamicGroup.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Group.h" #include "fwbuilder/Host.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Interval.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/physAddress.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Cluster.h" 
#include #include #include using namespace std; using namespace libfwbuilder; /* * This method returns brief summary of properties, guaranteed to be 1 * line of text */ QString FWObjectPropertiesFactory::getObjectPropertiesBrief(FWObject *obj) { QString res; QTextStream str(&res, QIODevice::WriteOnly); FWObject *parent_obj = obj->getParent(); try { if (Library::isA(obj)) { if (obj->isReadOnly()) str << "(read only)"; } else if (IPv4::isA(obj)) { str << IPv4::cast(obj)->getAddressPtr()->toString().c_str(); if (parent_obj && Interface::isA(parent_obj)) { str << "/"; str << IPv4::cast(obj)->getNetmaskPtr()->toString().c_str(); } } else if (IPv6::isA(obj)) { str << IPv6::cast(obj)->getAddressPtr()->toString().c_str(); if (parent_obj && Interface::isA(parent_obj)) { str << "/"; str << QString("%1").arg(IPv6::cast(obj)->getNetmaskPtr()->getLength()); } } else if (physAddress::isA(obj)) { str << physAddress::cast(obj)->getPhysAddress().c_str(); } else if (DNSName::isA(obj)) { str << DNSName::cast(obj)->getSourceName().c_str(); } else if (AddressTable::isA(obj)) { str << AddressTable::cast(obj)->getSourceName().c_str(); } else if (AddressRange::isA(obj)) { AddressRange *ar=AddressRange::cast(obj); str << ar->getRangeStart().toString().c_str(); str << " - "; str << ar->getRangeEnd().toString().c_str(); } else if (Firewall::cast(obj)) { if (Firewall::cast(obj)->needsCompile()) str << " * "; QString platform = obj->getStr("platform").c_str(); QString version = obj->getStr("version").c_str(); QString readableVersion = getVersionString(platform,version); QString hostOS = obj->getStr("host_OS").c_str(); str << platform << "(" << readableVersion << ") / " << hostOS; } else if (Host::isA(obj)) { const InetAddr *addr = Address::cast(obj)->getAddressPtr(); if (addr) str << addr->toString().c_str(); else str << "(no ip address)"; } else if (Network::isA(obj)) { Network *n=Network::cast(obj); str << n->getAddressPtr()->toString().c_str(); str << "/"; str << 
n->getNetmaskPtr()->toString().c_str(); } else if (NetworkIPv6::isA(obj)) { NetworkIPv6 *n=NetworkIPv6::cast(obj); str << n->getAddressPtr()->toString().c_str(); str << "/"; str << QString("%1").arg(n->getNetmaskPtr()->getLength()); } else if (ClusterGroup::cast(obj)!=NULL) { ClusterGroup *g = ClusterGroup::cast(obj); str << QObject::tr("type: ") << g->getStr("type").c_str(); } else if (Group::cast(obj)!=NULL) // just any group { Group *g=Group::cast(obj); str << g->size() << " " << QObject::tr(" objects"); } else if (Interface::isA(obj)) { Interface *intf = Interface::cast(obj); // trigger late initialization of options object // if its read-only or part of the read-only tree, I can't help it. if (!obj->isReadOnly()) intf->getOptionsObject(); str << intf->getLabel().c_str() << " "; QStringList q; FWObject *parent = Host::getParentHost(intf); //FWObject *parent = intf->getParentHost(); if (parent) { bool supports_security_levels = false; bool supports_network_zones = false; try { supports_security_levels = (!parent->getStr("platform").empty() && Resources::getTargetCapabilityBool( parent->getStr("platform"), "security_levels")); supports_network_zones = (!parent->getStr("platform").empty() && Resources::getTargetCapabilityBool( parent->getStr("platform"), "network_zones")); } catch (FWException &ex) { } if (supports_security_levels) { QString str; str.setNum(intf->getSecurityLevel()); q.push_back(QString("sec level: %1").arg(str)); } if (supports_network_zones) { int id = FWObjectDatabase::getIntId(intf->getStr("network_zone")); if (id > 0) { FWObject *nz_obj = obj->getRoot()->findInIndex(id); if (nz_obj) q.push_back( QString("network zone: %1") .arg(nz_obj->getName().c_str())); else q.push_back(QString("network zone: not configured")); } } } if (intf->isDyn()) q.push_back("dyn"); if (intf->isUnnumbered()) q.push_back("unnum"); if (intf->isDedicatedFailover()) q.push_back("failover"); if (intf->isBridgePort()) q.push_back("bridge port"); if (intf->isSlave()) 
q.push_back("slave"); if (intf->isUnprotected()) q.push_back("unp"); if (!q.empty()) str << q.join(","); } else if (IPService::isA(obj)) { str << QObject::tr("protocol: %1").arg(obj->getStr("protocol_num").c_str()); } else if (ICMPService::isA(obj) || ICMP6Service::isA(obj)) { str << QObject::tr("type: %1").arg(obj->getStr("type").c_str()) << " " << QObject::tr("code: %1").arg(obj->getStr("code").c_str()); } else if (TCPService::isA(obj) || UDPService::isA(obj)) { int sps,spe,dps,dpe; sps=TCPUDPService::cast(obj)->getSrcRangeStart(); spe=TCPUDPService::cast(obj)->getSrcRangeEnd(); dps=TCPUDPService::cast(obj)->getDstRangeStart(); dpe=TCPUDPService::cast(obj)->getDstRangeEnd(); str << sps << ":" << spe << " / "; str << dps << ":" << dpe; } else if (TagService::isA(obj)) { str << "Pattern: \"" << obj->getStr("tagcode").c_str() << "\"" ; } else if (UserService::isA(obj)) { const UserService* user_srv = UserService::constcast(obj); str << "User id: \"" << user_srv->getUserId().c_str() << "\"" ; } else if (RuleSet::cast(obj) != NULL) { QStringList attrs; RuleSet *rs = RuleSet::cast(obj); if (rs->isTop()) attrs.push_back("top ruleset"); if (rs->isDual()) attrs.push_back("ipv4/ipv6"); else { if (rs->isV4()) attrs.push_back("ipv4"); if (rs->isV6()) attrs.push_back("ipv6"); } attrs.push_back(QString("%1 rules").arg(rs->getRuleSetSize())); str << attrs.join(" "); } else if (Interval::isA(obj)) { } } catch (FWException &ex) { cerr << ex.toString() << endl; } return QString::fromUtf8(res.toStdString().c_str()); } /* * More detailed list of properties, still one line, no fancy * formatting and no HTML. This is used in object group list view and * for printing. 
*/ QString FWObjectPropertiesFactory::getObjectProperties(FWObject *obj) { QString res; QTextStream str(&res, QIODevice::WriteOnly); FWObject *parent_obj = obj->getParent(); try { if (IPv4::isA(obj)) { str << IPv4::cast(obj)->getAddressPtr()->toString().c_str(); if (parent_obj && Interface::isA(parent_obj)) { str << "/"; str << IPv4::cast(obj)->getNetmaskPtr()->toString().c_str(); } } else if (IPv6::isA(obj)) { str << IPv6::cast(obj)->getAddressPtr()->toString().c_str(); if (parent_obj && Interface::isA(parent_obj)) { str << "/"; str << QString("%1").arg(IPv6::cast(obj)->getNetmaskPtr()->getLength()); } } else if (physAddress::isA(obj)) { str << physAddress::cast(obj)->getPhysAddress().c_str(); } else if (DNSName::isA(obj)) { str << QObject::tr("DNS record: ") << DNSName::cast(obj)->getSourceName().c_str(); } else if (AddressTable::isA(obj)) { str << QObject::tr("Address Table: ") << AddressTable::cast(obj)->getSourceName().c_str(); } else if (AddressRange::isA(obj)) { AddressRange *ar=AddressRange::cast(obj); str << ar->getRangeStart().toString().c_str(); str << " - "; str << ar->getRangeEnd().toString().c_str(); } else if (Firewall::cast(obj)) { QString platform = obj->getStr("platform").c_str(); QString version = obj->getStr("version").c_str(); QString readableVersion = getVersionString(platform,version); QString hostOS = obj->getStr("host_OS").c_str(); QDateTime dt; time_t t; t = obj->getInt("lastModified");dt.setTime_t(t); QString t_modified = (t)? dt.toString():"-"; t = obj->getInt("lastCompiled");dt.setTime_t(t); QString t_compiled = (t)? dt.toString():"-"; t = obj->getInt("lastInstalled");dt.setTime_t(t); QString t_installed = (t)? 
dt.toString():"-"; str << platform << "(" << readableVersion << ") / " << hostOS; } else if (Host::isA(obj)) { const InetAddr *addr = Address::cast(obj)->getAddressPtr(); if (addr) str << addr->toString().c_str(); else str << "(no ip address)"; FWObject *co=obj->getFirstByType("Interface"); if (co!=NULL) { physAddress *paddr=(Interface::cast(co))->getPhysicalAddress(); if (paddr!=NULL) str << " " << paddr->getPhysAddress().c_str(); } } else if (Network::isA(obj)) { Network *n=Network::cast(obj); str << QString("%1/%2") .arg(n->getAddressPtr()->toString().c_str()) .arg(n->getNetmaskPtr()->toString().c_str()); } else if (NetworkIPv6::isA(obj)) { NetworkIPv6 *n=NetworkIPv6::cast(obj); str << QString("%1/%2") .arg(n->getAddressPtr()->toString().c_str()) .arg(n->getNetmaskPtr()->getLength()); } else if (ClusterGroup::cast(obj)!=NULL) { ClusterGroup *g = ClusterGroup::cast(obj); str << QObject::tr("Type: ") << g->getStr("type").c_str() << " "; QStringList members; FWObjectTypedChildIterator j = obj->findByType(FWObjectReference::TYPENAME); for ( ; j!=j.end(); ++j) { FWObject *obj = FWReference::getObject(*j); if (Interface::cast(obj)) { FWObject *fw = obj->getParent(); members.push_back( QString("%1:%2") .arg(fw->getName().c_str()).arg(obj->getName().c_str())); } } if (members.size() != 0) { members.push_front(QObject::tr("Members:")); str << members.join(" "); } } else if (DynamicGroup::cast(obj) != 0) { DynamicGroup *objGroup = DynamicGroup::cast(obj); str << QObject::tr("%1 filters").arg(objGroup->getFilter().size()); } else if (Group::cast(obj)!=NULL) // just any group { Group *g=Group::cast(obj); str << QObject::tr("%1 objects").arg(g->size()); } else if (Firewall::cast(obj)) { } else if (Interface::isA(obj)) { Interface *intf = Interface::cast(obj); QString label = QString::fromUtf8(intf->getLabel().c_str()); if (label != "") str << QObject::tr("Label: %1").arg(label) << " "; QString intf_type = intf->getOptionsObject()->getStr("type").c_str(); if (intf_type != "" 
&& intf_type.toLower() != "ethernet") str << QObject::tr("Type: ") << intf_type << " "; QStringList addr; FWObjectTypedChildIterator j = obj->findByType(IPv4::TYPENAME); for ( ; j!=j.end(); ++j) { addr << getObjectProperties(*j); } if (addr.size() != 0) { if (addr.size() > 1) addr.push_front(QObject::tr("Addresses:")); else addr.push_front(QObject::tr("Address:")); str << addr.join(" "); } } else if (IPService::isA(obj)) { str << QObject::tr("protocol: %1").arg(obj->getStr("protocol_num").c_str()); } else if (ICMPService::isA(obj) || ICMP6Service::isA(obj)) { str << QObject::tr("type: %1").arg(obj->getStr("type").c_str()) << " " << QObject::tr("code: %1").arg(obj->getStr("code").c_str()); } else if (TCPService::isA(obj) || UDPService::isA(obj)) { int sps,spe,dps,dpe; sps=TCPUDPService::cast(obj)->getSrcRangeStart(); spe=TCPUDPService::cast(obj)->getSrcRangeEnd(); dps=TCPUDPService::cast(obj)->getDstRangeStart(); dpe=TCPUDPService::cast(obj)->getDstRangeEnd(); str << sps << ":" << spe << " / "; str << dps << ":" << dpe; } else if (TagService::isA(obj)) { str << QObject::tr("Pattern: \"%1\"").arg(obj->getStr("tagcode").c_str()); } else if (UserService::isA(obj)) { const UserService* user_srv = UserService::constcast(obj); str << QObject::tr("User id: \"%1\"").arg(user_srv->getUserId().c_str()); } else if (Interval::isA(obj)) { } } catch (FWException &ex) { cerr << ex.toString() << endl; } return res; } QString FWObjectPropertiesFactory::stripHTML(const QString &str) { // note that str may contain multiple lines // separated by
and/or '\n' QRegExp htmltag1 = QRegExp("<[^>]+>"); QRegExp htmltag2 = QRegExp("]+>"); QRegExp htmltd = QRegExp("
"); QString res = str; res = res.replace(htmltd,": "); res = res.remove(htmltag1); res = res.remove(htmltag2); return res; } /* * Nicely formatted list of properties, HTML. This one is used for the * tree tooltips. */ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj, bool showPath, bool tooltip, bool accentName, bool richText) { QString str; FWObject *parent_obj = obj->getParent(); QString path = obj->getPath().c_str(); path = path.section('/',2,-1); if (obj->getId() == FWObjectDatabase::ANY_ADDRESS_ID || obj->getId() == FWObjectDatabase::ANY_SERVICE_ID || obj->getId() == FWObjectDatabase::ANY_INTERVAL_ID) { return "to modify this field drag and \ndrop an object from the tree here"; } if (showPath) { str += QObject::tr("Library: "); str += QString::fromUtf8(obj->getLibrary()->getName().c_str()) + "
\n"; if (!tooltip) { str += QObject::tr("Object Id: "); str += QString(FWObjectDatabase::getStringId(obj->getId()).c_str()) + "
\n"; } } if (FWBTree().isSystem(obj)) { QString object_path = obj->getPath(true).c_str(); if (object_path == "Objects") return QObject::tr("This system folder holds objects that represent IPv4 and IPv6 addresses and networks"); if (object_path == "Objects/Addresses") return QObject::tr("This system folder holds objects that represent IPv4 and IPv6 addresses"); if (object_path == "Objects/DNS Names") return QObject::tr("This system folder holds objects that represent DNS A records"); if (object_path == "Objects/Address Tables") return QObject::tr("This system folder holds objects that read IP addresses from external files"); if (object_path == "Objects/Address Ranges") return QObject::tr("This system folder holds objects that represent IPv4 and IPv6 address ranges"); if (object_path == "Objects/Groups") return QObject::tr("This system folder holds objects that represent groups of IPv4 and IPv6 addresses, networks and other groups"); if (object_path == "Objects/Hosts") return QObject::tr("This system folder holds objects that represent hosts or servers that have one or more interfaces"); if (object_path == "Objects/Networks") return QObject::tr("This system folder holds objects that represent IPv4 and IPv6 networks"); if (object_path == "Services") return QObject::tr("This system folder holds objects that represent IP, ICMP, TCP and UDP services"); if (object_path == "Services/Groups") return QObject::tr("This system folder holds objects that represent groups of IP, ICMP, TCP and UDP services"); if (object_path == "Services/Custom") return QObject::tr("This system folder holds objects that represent custom (user-defined) services"); if (object_path == "Services/IP") return QObject::tr("This system folder holds objects that represent IP services"); if (object_path == "Services/ICMP") return QObject::tr("This system folder holds objects that represent ICMP and ICMPv6 services"); if (object_path == "Services/TCP") return QObject::tr("This system folder holds objects 
that represent TCP services"); if (object_path == "Services/UDP") return QObject::tr("This system folder holds objects that represent UDP services"); if (object_path == "Services/Users") return QObject::tr("This system folder holds objects that represent user names"); if (object_path == "Services/TagServices") return QObject::tr("This system folder holds objects that represent tags"); if (object_path == "Firewalls") return QObject::tr("This system folder holds objects that represent firewalls"); if (object_path == "Clusters") return QObject::tr("This system folder holds objects that represent firewall clusters"); if (object_path == "Time") return QObject::tr("This system folder holds objects that represent time intervals"); } if (Library::isA(obj)) { switch (obj->getId()) { case FWObjectDatabase::STANDARD_LIB_ID: return QObject::tr("A library of predefined read-only address and service objects that come with the program"); ; case FWObjectDatabase::DELETED_OBJECTS_ID: return QObject::tr("This library holds objects that have been deleted. You can undelete them by clicking right mouse button and using menu item 'Move to ...' to move them back to another library"); ; default: return QObject::tr("A library of user-defined objects; this is where you create your objects"); } } str += QObject::tr("Object Type: "); string d = Resources::global_res->getObjResourceStr(obj,"description"); str += QString(d.c_str()) + "
\n"; str += QObject::tr("Object Name: "); if (accentName) str += ""; str += QString::fromUtf8(obj->getName().c_str()); if (accentName) str += ""; str += "
\n"; try { if (IPv4::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; str += IPv4::cast(obj)->getAddressPtr()->toString().c_str(); if (parent_obj && Interface::isA(parent_obj)) { str += "/"; str += IPv4::cast(obj)->getNetmaskPtr()->toString().c_str(); } } else if (IPv6::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; str += IPv6::cast(obj)->getAddressPtr()->toString().c_str(); if (parent_obj && Interface::isA(parent_obj)) { str += "/"; str += QString("%1").arg(IPv6::cast(obj)->getNetmaskPtr()->getLength()); } } else if (physAddress::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; str += physAddress::cast(obj)->getPhysAddress().c_str(); } else if (DNSName::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; str += QObject::tr("DNS record:"); str += MultiAddress::cast(obj)->getSourceName().c_str(); str += "
\n"; str += (MultiAddress::cast(obj)->isRunTime())?QObject::tr("Run-time"):QObject::tr("Compile-time"); } else if (AddressTable::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; str += QObject::tr("Table file:"); str += MultiAddress::cast(obj)->getSourceName().c_str(); str += "
\n"; str += (MultiAddress::cast(obj)->isRunTime())?QObject::tr("Run-time"):QObject::tr("Compile-time"); } else if (AddressRange::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; AddressRange *ar=AddressRange::cast(obj); str += ar->getRangeStart().toString().c_str(); str += " - "; str += ar->getRangeEnd().toString().c_str(); } else if (Host::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; FWObjectTypedChildIterator j = obj->findByType( Interface::TYPENAME); for ( ; j!=j.end(); ++j) { str += (*j)->getName().c_str(); str += ": "; str += getObjectProperties(*j); str += "
"; } } else if (Network::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; Network *n=Network::cast(obj); str += n->getAddressPtr()->toString().c_str(); str += "/"; str += n->getNetmaskPtr()->toString().c_str(); } else if (NetworkIPv6::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; NetworkIPv6 *n=NetworkIPv6::cast(obj); str += n->getAddressPtr()->toString().c_str(); str += "/"; str += QString("%1").arg(n->getNetmaskPtr()->getLength()); } else if (ClusterGroup::cast(obj)!=NULL) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; ClusterGroup *g = ClusterGroup::cast(obj); str += QObject::tr("type: %1
").arg(g->getStr("type").c_str()); FWObjectTypedChildIterator j = obj->findByType(FWObjectReference::TYPENAME); for ( ; j!=j.end(); ++j) { FWObject *obj = FWReference::getObject(*j); if (Interface::cast(obj)) { FWObject *fw = obj->getParent(); str += QObject::tr("Group member %1:%2
"). arg(fw->getName().c_str()).arg(obj->getName().c_str()); } } } else if (DynamicGroup::cast(obj) != 0) { DynamicGroup *objGroup = DynamicGroup::cast(obj); str += QObject::tr("%1 filters
\n").arg(objGroup->getFilter().size()); } else if (Group::cast(obj)!=NULL) // just any group { if (showPath && !tooltip) str += "Path: " + path + "
\n"; Group *g = Group::cast(obj); str += QObject::tr("%1 objects
\n").arg(g->size()); int n = 0; list ll = *g; ll.sort(FWObjectNameCmpPredicate()); for (FWObject::iterator i=ll.begin(); i!=ll.end(); ++i,++n) { if (n>20) // arbitrary number { str += "       . . . "; break; } else { FWObject *o1=*i; if (FWReference::cast(o1)!=NULL) o1=FWReference::cast(o1)->getPointer(); str += QString(o1->getTypeName().c_str()) + " " + QString::fromUtf8(o1->getName().c_str()) + "
\n"; } } } else if (Firewall::cast(obj)) { // Note: Firewall::cast(obj) matched Firewall and Cluster QString platform = obj->getStr("platform").c_str(); QString version = obj->getStr("version").c_str(); QString readableVersion = getVersionString(platform,version); QString hostOS = obj->getStr("host_OS").c_str(); QDateTime dt; time_t lm=obj->getInt("lastModified"); time_t lc=obj->getInt("lastCompiled"); time_t li=obj->getInt("lastInstalled"); dt.setTime_t(lm); QString t_modified = (lm)? dt.toString():"-"; if (lm>lc && lm>li) t_modified=QString("")+t_modified+""; dt.setTime_t(lc); QString t_compiled = (lc)? dt.toString():"-"; if (lc>lm && lc>li) t_compiled=QString("")+t_compiled+""; dt.setTime_t(li); QString t_installed = (li)? dt.toString():"-"; if (li>lc && li>lm) t_installed=QString("")+t_installed+""; if (showPath && !tooltip) str += "Path: " + path + "
\n"; str += ""; str += QString("\n"; str += QString("\n"; str += QString("\n"; str += QString("\n"; str += QString("\n"; str += QString("\n"; str += "
Platform:") + platform + "
Version:") + readableVersion + "
Host OS:") + hostOS + "
Modified:") + t_modified + "
Compiled:") + t_compiled + "
Installed:") + t_installed + "
"; } else if (Interface::isA(obj)) { FWObject *parent_host = obj; QStringList short_path; //short_path.push_front(QString::fromUtf8(obj->getName().c_str())); do { parent_host = parent_host->getParent(); if (parent_host == NULL) break; short_path.push_front(QString::fromUtf8(parent_host->getName().c_str())); } while (Host::cast(parent_host) == NULL); str += QString("Parent: %1
\n").arg(short_path.join("/")); Interface *intf = Interface::cast(obj); str += "Label: "; str += QString::fromUtf8(intf->getLabel().c_str()); str += "
"; FWObjectTypedChildIterator j = obj->findByType(IPv4::TYPENAME); for ( ; j!=j.end(); ++j) { str += getObjectProperties(*j); str += "
"; } string intf_type = intf->getOptionsObject()->getStr("type"); if (!intf_type.empty()) { str += "Interface Type: "; str += intf_type.c_str(); if (intf_type == "8021q") { int vlan_id = intf->getOptionsObject()->getInt("vlan_id"); str += QString(" VLAN ID=%1").arg(vlan_id); } str += "
"; } physAddress *paddr = intf->getPhysicalAddress(); if (paddr!=NULL) { str += "MAC: "; str += paddr->getPhysAddress().c_str() ; str += "
"; } QString q; if (intf->isDyn()) q=" dyn"; if (intf->isUnnumbered()) q=" unnum"; if (intf->isBridgePort()) q=" bridge port"; FWObject *p=obj; while (p!=NULL && !Firewall::cast(p)) p=p->getParent(); if (p!=NULL && (p->getStr("platform")=="pix" || p->getStr("platform")=="fwsm")) { int sl = intf->getSecurityLevel(); q=q+QString("sec.level %1").arg(sl); } if (intf->isUnprotected()) q=q+" unp"; if (q!="") str += " (" + q + ")"; str += "
\n"; if (showPath && !tooltip) str += "Path: " + path + "
\n"; } else if (CustomService::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; CustomService *s = dynamic_cast(obj); bool first=true; map platforms = Resources::getPlatforms(); for (map::iterator i=platforms.begin(); i!=platforms.end(); i++) { string c=s->getCodeForPlatform( (*i).first ); if ( c!="" ) { if (first) { str += ""; first=false; } str += QString("\n") .arg((*i).second.c_str()).arg(c.c_str()); } } if (!first) str += "
%1%2
"; } else if (IPService::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; str += QObject::tr("protocol ") + obj->getStr("protocol_num").c_str(); } else if (ICMPService::isA(obj) || ICMP6Service::isA(obj)) { if (showPath && !tooltip) str += "Path: " + path + "
\n"; str += QObject::tr("type: ") + obj->getStr("type").c_str() + " " + QObject::tr("code: ") + obj->getStr("code").c_str(); } else if (TCPService::isA(obj) || UDPService::isA(obj)) { int sps,spe,dps,dpe; sps=TCPUDPService::cast(obj)->getSrcRangeStart(); spe=TCPUDPService::cast(obj)->getSrcRangeEnd(); dps=TCPUDPService::cast(obj)->getDstRangeStart(); dpe=TCPUDPService::cast(obj)->getDstRangeEnd(); if (showPath && !tooltip) str += "Path: " + path + "
\n"; str += ""; str += QString("\n") .arg(sps).arg(spe); str += QString("\n") .arg(dps).arg(dpe); str += "
source port range%1:%2
destination port range%1:%2
"; } else if (TagService::isA(obj)) { str += QObject::tr("Pattern: \"%1\"").arg(obj->getStr("tagcode").c_str()); } else if (UserService::isA(obj)) { const UserService* user_srv = UserService::constcast(obj); str += QObject::tr("User id: \"%1\"").arg(user_srv->getUserId().c_str()); } else if (Interval::isA(obj)) { } } catch (FWException &ex) { cerr << ex.toString() << endl; } if (richText) return str; return FWObjectPropertiesFactory::stripHTML(str); } /* * Do not translate literals 'pipe', 'queue', 'divert' below, these refer * to actual ipfw parameters and should not be localized. */ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule) { QString par = ""; if (rule!=NULL) { QString act = getRuleAction(rule); FWObject *o = rule; while (o!=NULL && Firewall::cast(o)==NULL) o=o->getParent(); if (o==NULL) return ""; Firewall *f=Firewall::cast(o); string platform=f->getStr("platform"); FWOptions *ropt = rule->getOptionsObject(); string editor = DialogFactory::getActionDialogPageName(f, rule); if (editor == "None") return ""; if (PolicyRule::isA(rule)) { switch (PolicyRule::cast(rule)->getAction()) { case PolicyRule::Reject: par = ropt->getStr("action_on_reject").c_str(); break; case PolicyRule::Accounting : par = ropt->getStr("rule_name_accounting").c_str(); break; case PolicyRule::Custom: par = ropt->getStr("custom_str").c_str(); break; case PolicyRule::Branch: { FWObject *branch_ruleset = rule->getBranch(); if (branch_ruleset) par = branch_ruleset->getName().c_str(); // ropt->getStr("branch_name").c_str(); break; } case PolicyRule::Pipe : if (platform=="ipfw") { par = QString("divert ") + ropt->getStr("ipfw_pipe_port_num").c_str(); } break; default : {} } } if (NATRule::isA(rule)) { switch (NATRule::cast(rule)->getAction()) { case NATRule::Translate: break; case NATRule::Branch: FWObject *branch_ruleset = rule->getBranch(); if (branch_ruleset) par = branch_ruleset->getName().c_str(); break; } } } return par; } QString 
FWObjectPropertiesFactory::getRuleActionPropertiesRich(Rule *rule) { FWObject *p=rule; while (p!=NULL && !Firewall::cast(p)) p=p->getParent(); if (p==NULL) { qDebug() << "FWObjectPropertiesFactory::getRuleActionPropertiesRich(): " << "Can not locate parent firewall for the rule:"; rule->dump(false, true); return ""; } string platform=p->getStr("platform"); QString act = getActionNameForPlatform(Firewall::cast(p), rule); QString par = getRuleActionProperties(rule); QString res = QObject::tr("Action : %1
").arg(act); if (!par.isEmpty()) { res += QObject::tr("Parameter: %1").arg(par); } return res; } QString FWObjectPropertiesFactory::getPolicyRuleOptions(Rule *rule) { if (rule == NULL) return ""; QList > options; PolicyRule *prule = PolicyRule::cast(rule); FWObject *o = rule; while (o!=NULL && Firewall::cast(o)==NULL) o = o->getParent(); assert(o!=NULL); Firewall *f = Firewall::cast(o); string platform = f->getStr("platform"); FWOptions *ropt = rule->getOptionsObject(); if (platform!="iosacl" && platform!="procurve_acl") { if (ropt->getBool("stateless")) { options << qMakePair(QObject::tr("Stateless"), QString("")); } else { options << qMakePair(QObject::tr("Stateful"), QString("")); } } if (platform=="iptables") { if (prule) { if (prule->getTagging()) { options << qMakePair(QObject::tr("tag:"), QString(prule->getTagValue().c_str())); } if (prule->getClassification()) { options << qMakePair(QObject::tr("class:"), QString(ropt->getStr("classify_str").c_str())); } } if (!ropt->getStr("log_prefix").empty()) { options << qMakePair(QObject::tr("Log prefix:"), QString(ropt->getStr("log_prefix").c_str())); } if (!ropt->getStr("log_level").empty()) { options << qMakePair( QObject::tr("Log Level:"), QString(getScreenName(ropt->getStr("log_level").c_str(), getLogLevels(platform.c_str())))); } if (ropt->getInt("ulog_nlgroup")>1) { options << qMakePair( QObject::tr("Netlink group:"), QString(ropt->getStr("ulog_nlgroup").c_str())); } if (ropt->getInt("limit_value")>0) { QString arg; if (ropt->getBool("limit_value_not")) arg = " ! 
"; arg += QString(ropt->getStr("limit_value").c_str()); if (!ropt->getStr("limit_suffix").empty()) { arg += getScreenName(ropt->getStr("limit_suffix").c_str(), getLimitSuffixes(platform.c_str())); } options << qMakePair(QString("Limit value:"), arg); } if (ropt->getInt("limit_burst")>0) { options << qMakePair(QString("Limit burst:"), QString(ropt->getStr("limit_burst").c_str())); } if (ropt->getInt("connlimit_value")>0) { QString arg; if (ropt->getBool("connlimit_above_not")) arg = " ! "; arg += QString(ropt->getStr("connlimit_value").c_str()); options << qMakePair(QObject::tr("connlimit value:"), arg); } if (ropt->getInt("hashlimit_value")>0) { QString arg; if (ropt->getBool("hashlimit_value_not")) arg = " ! "; arg += QString(ropt->getStr("hashlimit_value").c_str()); if (!ropt->getStr("hashlimit_suffix").empty()) { arg += getScreenName(ropt->getStr("limit_suffix").c_str(), getLimitSuffixes(platform.c_str())); } options << qMakePair( QString("hashlimit name:"), QString(ropt->getStr("hashlimit_name").c_str())); options << qMakePair(QString("hashlimit value:"), arg); if (ropt->getInt("hashlimit_burst")>0) { options << qMakePair( QString("haslimit burst:"), QString(ropt->getStr("hashlimit_burst").c_str())); } } if (ropt->getBool("firewall_is_part_of_any_and_networks")) { options << qMakePair(QObject::tr("Part of Any"), QString("")); } } else if (platform=="ipf") { if (!ropt->getStr("ipf_log_facility").empty()) { options << qMakePair( QObject::tr("Log facility:"), QString(getScreenName(ropt->getStr("ipf_log_facility").c_str(), getLogFacilities(platform.c_str())))); } if (!ropt->getStr("log_level").empty()) { options << qMakePair( QObject::tr("Log level:"), QString(getScreenName(ropt->getStr("log_level").c_str(), getLogLevels(platform.c_str())))); } if (ropt->getBool("ipf_return_icmp_as_dest")) { options << qMakePair( QObject::tr("Send 'unreachable'"), QString("")); } if (ropt->getBool("ipf_keep_frags")) { options << qMakePair( QObject::tr("Keep information on 
fragmented packets"), QString("")); } }else if (platform=="pf") { if (prule) { if (prule->getTagging()) { options << qMakePair(QObject::tr("tag:"), QString(prule->getTagValue().c_str())); } if (prule->getClassification()) { options << qMakePair(QObject::tr("queue:"), QString(ropt->getStr("pf_classify_str").c_str())); } } if (!ropt->getStr("log_prefix").empty()) { options << qMakePair(QObject::tr("Log prefix:"), QString(ropt->getStr("log_prefix").c_str())); } if (ropt->getInt("pf_rule_max_state")>0) { options << qMakePair( QObject::tr("Max state:"), QString(ropt->getStr("pf_rule_max_state").c_str())); } if (ropt->getBool("pf_keep_state")) { options << qMakePair( QObject::tr("Force 'keep-state'"), QString("")); } if (ropt->getBool("pf_no_sync")) { options << qMakePair(QString("no-sync"), QString("")); } if (ropt->getBool("pf_pflow")) { options << qMakePair(QString("pflow"), QString("")); } if (ropt->getBool("pf_sloppy_tracker")) { options << qMakePair(QString("sloppy-tracker"), QString("")); } if (ropt->getBool("pf_source_tracking")) { options << qMakePair( QObject::tr("Source tracking"), QString("")); options << qMakePair( QObject::tr("Max src nodes:"), QString(ropt->getStr("pf_max_src_nodes").c_str())); options << qMakePair( QObject::tr("Max src states:"), QString(ropt->getStr("pf_max_src_states").c_str())); } if (ropt->getBool("pf_synproxy")) { options << qMakePair(QString("synproxy"), QString("")); } if (ropt->getBool("pf_modulate_state")) { options << qMakePair(QString("modulate_state"), QString("")); } }else if (platform=="ipfw") { ; }else if (platform == "iosacl" || platform == "procurve_acl") { if (ropt->getBool("iosacl_add_mirror_rule")) { options << qMakePair( QObject::tr("Add mirrored rule"), QString("")); } }else if (platform=="pix" || platform=="fwsm") { string vers = "version_"+f->getStr("version"); options << qMakePair(QObject::tr("Version:"), QString(vers.c_str())); if ( Resources::platform_res[platform]->getResourceBool( 
"/FWBuilderResources/Target/options/"+vers+"/pix_rule_syslog_settings")) { if (!ropt->getStr("log_level").empty()) { options << qMakePair( QObject::tr("Log level:"), QString(getScreenName(ropt->getStr("log_level").c_str(), getLogLevels(platform.c_str())))); } if (ropt->getInt("log_interval")>0) { options << qMakePair( QObject::tr("Log interval:"), QString(ropt->getStr("log_interval").c_str())); } if (ropt->getBool("disable_logging_for_this_rule")) { options << qMakePair( QObject::tr("Disable logging for this rule"), QString("")); } } } if (prule) options << qMakePair( QObject::tr("Logging: "), (prule->getLogging()) ? QObject::tr("on") : QObject::tr("off")); QStringList res; res << ""; QList >::iterator it; for (it=options.begin(); it!=options.end(); ++it) { QPair p = *it; res << ""; } res << "
" + p.first + "" + p.second + "
"; QString html = res.join("\n"); if (fwbdebug) qDebug() << html; return html; } QString FWObjectPropertiesFactory::getNATRuleOptions(Rule *rule) { QString res; if (rule!=NULL) { res=""; FWObject *o = rule; while (o!=NULL && Firewall::cast(o)==NULL) o=o->getParent(); assert(o!=NULL); Firewall *f=Firewall::cast(o); string platform=f->getStr("platform"); FWOptions *ropt = rule->getOptionsObject(); if (fwbdebug) qDebug() << "getNATRuleOptions: platform: " << platform.c_str(); if (platform=="iptables") { if (ropt->getBool("ipt_use_snat_instead_of_masq")) res += QObject::tr("use SNAT instead of MASQ
"); if (ropt->getBool("ipt_nat_random")) res += QObject::tr("random
"); if (ropt->getBool("ipt_nat_persistent")) res += QObject::tr("persistent
"); } if (platform=="pf") { if (ropt->getBool("pf_bitmask")) res+=QObject::tr("bitmask
"); if (ropt->getBool("pf_random")) res+=QObject::tr("random
"); if (ropt->getBool("pf_source_hash")) res+=QObject::tr("source-hash
"); if (ropt->getBool("pf_round_robin")) res+=QObject::tr("round-robin
"); if (!res.isEmpty()) res += ","; if (ropt->getBool("pf_static_port")) res+=QObject::tr("static-port
"); } } return res; } QString FWObjectPropertiesFactory::getInterfaceNameExamplesForHostOS(const QString &host_os) { Resources *os_resources = Resources::os_res[host_os.toStdString()]; if (os_resources == NULL) return ""; string os_family = os_resources-> getResourceStr("/FWBuilderResources/Target/family"); if (os_family == "linux24" || os_family == "ipcop" || os_family == "openwrt" || os_family == "dd-wrt-nvram" || os_family == "dd-wrt-jffs" || os_family == "sveasoft") return "eth0, eth0.100, vlan100, br0, etc"; if (os_family == "openbsd" || os_family == "freebsd" || os_family == "macosx") return "en0, fxp0, vlan100, etc"; if (os_family == "ios" || os_family == "pix_os") return "FastEthernet0/0, etc"; if (os_family == "procurve") return "vlan 10, a1, b1, etc"; return ""; } fwbuilder-5.3.7/src/libgui/FWObjectPropertiesFactory.h000066400000000000000000000040561303637203600230040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWOBJECTPROPERTIESFACTORY_H #define __FWOBJECTPROPERTIESFACTORY_H #include namespace libfwbuilder { class FWObject; class PolicyRule; class Rule; } class FWObjectPropertiesFactory { public: /** * returns a one line property of the object for the second column of * the tree view */ static QString getObjectPropertiesBrief(libfwbuilder::FWObject *obj); static QString getObjectProperties(libfwbuilder::FWObject *obj); static QString getObjectPropertiesDetailed(libfwbuilder::FWObject *obj, bool showPath=false, bool tooltip=false, bool accentName=true, bool richText=true); static QString getRuleActionProperties(libfwbuilder::Rule *rule); static QString getRuleActionPropertiesRich(libfwbuilder::Rule *rule); static QString getPolicyRuleOptions(libfwbuilder::Rule *rule); static QString getNATRuleOptions(libfwbuilder::Rule *rule); static QString stripHTML(const QString &str); static QString getInterfaceNameExamplesForHostOS(const QString &host_os); }; #endif fwbuilder-5.3.7/src/libgui/FWObjectSelectionModel.cpp000077500000000000000000000027511303637203600225640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "FWObjectSelectionModel.h" #include "fwbuilder/Firewall.h" using namespace libfwbuilder; FWObjectSelectionModel::FWObjectSelectionModel() { selectedObject = 0; selectedObjectOld = 0; } void FWObjectSelectionModel::setSelected(FWObject * so, const QModelIndex &index) { save(); this->selectedObject = so; this->index = index; } void FWObjectSelectionModel::save() { indexOld = index; selectedObjectOld = selectedObject; } void FWObjectSelectionModel::restore() { index = indexOld; selectedObject = selectedObjectOld; } void FWObjectSelectionModel::reset() { QModelIndex index; setSelected(NULL, index); } fwbuilder-5.3.7/src/libgui/FWObjectSelectionModel.h000077500000000000000000000025301303637203600222240ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWOBJECTSELECTIONMODEL_H #define FWOBJECTSELECTIONMODEL_H #include namespace libfwbuilder { class FWObject; } class FWObjectSelectionModel { public: libfwbuilder::FWObject *selectedObject; libfwbuilder::FWObject *selectedObjectOld; QModelIndex index; QModelIndex indexOld; FWObjectSelectionModel(); void setSelected(libfwbuilder::FWObject *, const QModelIndex &index); void reset(); void save(); void restore(); }; #endif // FWOBJECTSELECTIONMODEL_H fwbuilder-5.3.7/src/libgui/FWWIndow_single_rule_compile.cpp000066400000000000000000000036661303637203600240410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com refactoring and bugfixes: vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "events.h" #include #include "FWWindow.h" #include "fwbuilder/Rule.h" using namespace Ui; using namespace libfwbuilder; using namespace std; void FWWindow::singleRuleCompile(Rule *rule) { if (activeProject()) { attachEditorToProjectPanel(activeProject()); QString title_txt; QPixmap title_icon; buildEditorTitleAndIcon( rule, ObjectEditor::optNone, &title_txt, &title_icon, m_mainWindow->m_space->subWindowList(QMdiArea::StackingOrder).size() > 1); m_mainWindow->editorDockWidget->setWindowTitle(title_txt); m_mainWindow->output_box->show(); m_mainWindow->editorPanelTabWidget->setCurrentIndex( EDITOR_PANEL_OUTPUT_TAB); m_mainWindow->editorDockWidget->show(); m_mainWindow->output_box->loadFWObject(rule); QCoreApplication::postEvent( activeProject(), new makeCurrentRuleVisibleInRulesetEvent(activeProject()->getFileName())); } } fwbuilder-5.3.7/src/libgui/FWWindow.cpp000066400000000000000000001556511303637203600200030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003, 2006 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "check_update_url.h" #include "../../VERSION.h" #include "utils.h" #include "utils_no_qt.h" #include #include #include "FWBApplication.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectManipulator.h" #include "FWObjectClipboard.h" #include "FWBTree.h" #include "FWBSettings.h" #include "FWObjectPropertiesFactory.h" #include "upgradePredicate.h" #include "ObjConflictResolutionDialog.h" #include "ObjectTreeViewItem.h" #include "RuleSetView.h" #include "ObjectEditor.h" #include "PrefsDialog.h" #include "LibExportDialog.h" #include "findDialog.h" #include "FindObjectWidget.h" #include "FindWhereUsedWidget.h" #include "CompilerOutputPanel.h" #include "longTextDialog.h" #include "Help.h" #include "TutorialDialog.h" #include "MDIEventFilter.h" #include "FWBAboutDialog.h" #include "debugDialog.h" #include "filePropDialog.h" #include "instConf.h" #include "instDialog.h" #include "HttpGet.h" #include "StartTipDialog.h" #include "events.h" #include "importAddressListWizard/ImportAddressListWizard.h" #include "snmpNetworkDiscoveryWizard/SNMPNetworkDiscoveryWizard.h" #include "importFirewallConfigurationWizard/ImportFirewallConfigurationWizard.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Tools.h" #include "fwbuilder/dns.h" //#include "fwbuilder/crypto.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Management.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/IPv4.h" #include 
"fwbuilder/AddressRange.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/Interface.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/FWObject.h" #include "BackgroundCompileInfoWidget.h" #include #include #include #include #include #include #include #include #include #ifndef _WIN32 # include // for access(2) #else # undef index #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "temporarydir.h" extern bool regCheck(); using namespace libfwbuilder; using namespace std; using namespace Ui; FWWindow::FWWindow() : QMainWindow(), // QMainWindow(NULL, Qt::Desktop), m_space(0), previous_subwindow(0), instd(0), editorOwner(0), printer(0), searchObject(0), replaceObject(0), auto_load_from_rcs_head_revision(0), oe(0), findObjectWidget(0), findWhereUsedWidget(0), undoGroup(0) { instd = new instDialog(this); m_mainWindow = new Ui::FWBMainWindow_q(); m_mainWindow->setupUi(dynamic_cast(this)); this->setupGlobalToolbar(); //setCentralWidget(m_space); psd = NULL; prepareFileOpenRecentMenu(); setCompileAndInstallActionsEnabled(false); // ProjectPanel *proj = newProjectPanel(); // showSub(proj); #ifdef Q_OS_MACX m_mainWindow->m_space->setViewMode(QMdiArea::TabbedView); #endif findObjectWidget = new FindObjectWidget( m_mainWindow->find_panel, NULL, "findObjectWidget"); findObjectWidget->setFocusPolicy( Qt::NoFocus ); m_mainWindow->find_panel->layout()->addWidget( findObjectWidget ); findObjectWidget->show(); findWhereUsedWidget = new FindWhereUsedWidget( m_mainWindow->find_panel, NULL, "findWhereUsedWidget"); findWhereUsedWidget->setFocusPolicy( 
Qt::NoFocus ); m_mainWindow->find_panel->layout()->addWidget( findWhereUsedWidget ); findWhereUsedWidget->hide(); // compiler_output = new CompilerOutputPanel(m_mainWindow->output_panel); // m_mainWindow->output_panel->layout()->addWidget(compiler_output); // compiler_output->show(); // Designer adds editorDockWidget to the child widget of the main // window and I can't seem to be able to get rid of this // intermediatery child widget (named "widget"). Reparent editor // dock panel. m_mainWindow->editorDockWidget->setParent(this); addDockWidget(Qt::BottomDockWidgetArea, m_mainWindow->editorDockWidget); m_mainWindow->editorDockWidget->hide(); oe = new ObjectEditor((QWidget*)m_mainWindow->objectEditorStack); m_mainWindow->editorDockWidget->setupEditor(oe); m_mainWindow->editorDockWidget->hide(); undoGroup = new QUndoGroup(this); undoAction = undoGroup->createUndoAction(this); undoAction->setShortcut(tr("Ctrl+Z")); m_mainWindow->undoView->setGroup(undoGroup); if (st->getShowUndoPanel()) m_mainWindow->undoDockWidget->show(); else m_mainWindow->undoDockWidget->hide(); connect(m_mainWindow->undoDockWidget, SIGNAL(visibilityChanged(bool)), this, SLOT(undoViewVisibilityChanged(bool))); redoAction = undoGroup->createRedoAction(this); QList redoShortcuts; redoShortcuts << tr("Ctrl+Y") << tr("Shift+Ctrl+Z"); redoAction->setShortcuts(redoShortcuts); m_mainWindow->editMenu->insertAction(m_mainWindow->editMenu->actions().at(0), undoAction); m_mainWindow->editMenu->insertAction(undoAction, redoAction); printer = new QPrinter(QPrinter::HighResolution); current_version_http_getter = new HttpGet(); connect(current_version_http_getter, SIGNAL(done(const QString&)), this, SLOT(checkForUpgrade(const QString&))); connect( m_mainWindow->findAction, SIGNAL( triggered() ), this, SLOT(search()) ); connect( m_mainWindow->editMenu, SIGNAL (aboutToShow() ), this, SLOT( prepareEditMenu() )); connect( m_mainWindow->viewMenu, SIGNAL (aboutToShow() ), this, SLOT( prepareViewMenu() )); connect( 
m_mainWindow->ObjectMenu, SIGNAL (aboutToShow() ), this, SLOT( prepareObjectMenu() )); connect( m_mainWindow->fileMenu, SIGNAL (aboutToShow() ), this, SLOT( prepareFileMenu() )); connect( m_mainWindow->toolsMenu, SIGNAL (aboutToShow() ), this, SLOT( prepareToolsMenu() )); connect( m_mainWindow->menuWindow, SIGNAL (aboutToShow() ), this, SLOT( prepareWindowsMenu() )); connect( m_mainWindow->RulesMenu, SIGNAL (aboutToShow()), this, SLOT(prepareRulesMenu())); connect( m_mainWindow->m_space, SIGNAL(subWindowActivated(QMdiSubWindow*)), this, SLOT(subWindowActivated(QMdiSubWindow*))); ruleStaticActions = m_mainWindow->RulesMenu->actions(); m_mainWindow->RulesMenu->actions().clear(); disableActions(false); ProjectPanel *proj = newProjectPanel(); showSub(proj); proj->setActive(); setSafeMode(false); // findObject->setMinimumSize( QSize( 0, 0 ) ); QWidget *tabbar= m_mainWindow->m_space->findChild(); if (tabbar) tabbar->installEventFilter(new MDIEventFilter()); m_temporaryDir = new TemporaryDir(QDir::tempPath().append("/fwbuilder-tempdir-")); } FWWindow::~FWWindow() { delete m_temporaryDir; QList subwindows = m_mainWindow->m_space->subWindowList( QMdiArea::StackingOrder); foreach (QMdiSubWindow* sw, subwindows) { //ProjectPanel *pp = dynamic_cast(sw->widget()); sw->close(); delete sw; } delete m_mainWindow; } void FWWindow::prepareFileOpenRecentMenu() { for (int i = 0; i < MAXRECENTFILES; ++i) { recentFileActs[i] = new QAction(this); recentFileActs[i]->setVisible(false); connect(recentFileActs[i], SIGNAL(triggered()), this, SLOT(openRecentFile())); m_mainWindow->menuOpen_Recent->addAction(recentFileActs[i]); } openRecentSeparatorAct = m_mainWindow->menuOpen_Recent->addSeparator(); m_mainWindow->menuOpen_Recent->addAction(m_mainWindow->actionClearRecentFiles); updateRecentFileActions(); } void FWWindow::clearRecentFilesMenu() { QStringList empty_list; st->setRecentFiles(empty_list); updateRecentFileActions(); } void FWWindow::updateRecentFileActions() { QStringList files = 
st->getRecentFiles(); QMap file_name_counters; int numRecentFiles = qMin(files.size(), (int)MAXRECENTFILES); for (int i = 0; i < numRecentFiles; ++i) { QString file_name = QFileInfo(files[i]).fileName(); int c = file_name_counters[file_name]; // default constructed value is 0 file_name_counters[file_name] = c + 1; } for (int i = 0; i < numRecentFiles; ++i) { QString file_name = QFileInfo(files[i]).fileName(); int c = file_name_counters[file_name]; // if c > 1, we have two files with the same name but different path QString text = (c > 1) ? files[i] : file_name; recentFileActs[i]->setText(text); recentFileActs[i]->setData(files[i]); recentFileActs[i]->setVisible(true); } for (int j = numRecentFiles; j < MAXRECENTFILES; ++j) recentFileActs[j]->setVisible(false); openRecentSeparatorAct->setVisible(numRecentFiles > 0); } /* * Add file name to the "File/Open Recent" menu. */ void FWWindow::updateOpenRecentMenu(const QString &fileName) { QStringList files = st->getRecentFiles(); files.removeAll(fileName); files.prepend(fileName); while (files.size() > MAXRECENTFILES) files.removeLast(); st->setRecentFiles(files); updateRecentFileActions(); } void FWWindow::openRecentFile() { QAction *action = qobject_cast(sender()); if (action) { QString file_path = action->data().toString(); if (fwbdebug) qDebug() << "Open recently opened file " << file_path; QMdiSubWindow* sw = alreadyOpened(file_path); if (sw != NULL) { // activate window with this file m_mainWindow->m_space->setActiveSubWindow(sw); return; } loadFile(file_path, false); QCoreApplication::postEvent(this, new updateSubWindowTitlesEvent()); } } void FWWindow::registerAutoOpenDocFile(const QString &filename, bool load_from_rcs_head) { openDocFiles.append(filename); auto_load_from_rcs_head_revision = load_from_rcs_head; } ProjectPanel *FWWindow::newProjectPanel() { ProjectPanel *projectW = new ProjectPanel(m_mainWindow->m_space); projectW->initMain(this); return projectW; } void FWWindow::showSub(ProjectPanel *pp) { QList 
subwindows = m_mainWindow->m_space->subWindowList( QMdiArea::StackingOrder); bool windows_maximized = (subwindows.size()>0) ? subwindows[0]->isMaximized() : st->getInt("Window/maximized"); if (fwbdebug) qDebug() << "FWWindow::showSub" << "subwindows=" << subwindows << "current window maximized: " << int((subwindows.size()>0) ? subwindows[0]->isMaximized() : 0) << "settings: " << st->getInt("Window/maximized"); QMdiSubWindow *sub = new QMdiSubWindow; pp->mdiWindow = sub; sub->setWidget(pp); sub->setAttribute(Qt::WA_DeleteOnClose); m_mainWindow->m_space->addSubWindow(sub); connect( sub, SIGNAL(aboutToActivate()), pp, SLOT(aboutToActivate())); if (fwbdebug) qDebug() << "Show subwindow maximized: " << windows_maximized; if (windows_maximized) pp->setWindowState(Qt::WindowMaximized); else pp->setWindowState(Qt::WindowNoState); sub->show(); /* * for reasons I do not understand, QMdiArea does not send signal * subWindowActivated when the very first subwindow comes up. I * think it should, but at least QT 4.4.1 on Mac does not do * it. Calling the slot manually so that editor panel can be * attached to the current project panel. 
*/ attachEditorToProjectPanel(pp); if (isEditorVisible()) oe->open(pp->getSelectedObject()); } ProjectPanel* FWWindow::activeProject() { QList subwindows = m_mainWindow->m_space->subWindowList( QMdiArea::StackingOrder); if (subwindows.size() == 0) return NULL; QMdiSubWindow *w = subwindows.last(); // last item is the topmost window // QMdiSubWindow *w = m_mainWindow->m_space->currentSubWindow(); // if (w) return dynamic_cast(w->widget()); // if (fwbdebug) // qDebug() << "FWWindow::activeProject(): currentSubWindow() returns NULL, trying activeSubWindow()"; // w = m_mainWindow->m_space->activeSubWindow(); if (w) return dynamic_cast(w->widget()); return NULL; } void FWWindow::updateWindowTitle() { if (activeProject()) { setWindowTitle("Firewall Builder " + activeProject()->getFileName()); } else { setWindowTitle("Firewall Builder"); } } void FWWindow::startupLoad() { if (st->getCheckUpdates()) { QString update_url = CHECK_UPDATE_URL; // Use env variable FWBUILDER_CHECK_UPDATE_URL to override url to test // e.g. 
export FWBUILDER_CHECK_UPDATE_URL="file://$(pwd)/update_%1" // char* update_check_override_url = getenv("FWBUILDER_CHECK_UPDATE_URL"); if (update_check_override_url != NULL) update_url = QString(update_check_override_url); // start http query to get latest version from the web site QString url = QString(update_url).arg(VERSION).arg(st->getAppGUID()); if (!current_version_http_getter->get(QUrl(url)) && fwbdebug) { qDebug() << "HttpGet error: " << current_version_http_getter->getLastError(); qDebug() << "Url: " << url; } } if (activeProject()) { activeProject()->loadStandardObjects(); activeProject()->readyStatus(true); activeProject()->loadState(true); } foreach (QString file, openDocFiles) { loadFile(file, auto_load_from_rcs_head_revision); updateOpenRecentMenu(file); } QCoreApplication::postEvent(this, new updateSubWindowTitlesEvent()); showIntroDialog(); QCoreApplication::postEvent(mw, new updateGUIStateEvent()); } void FWWindow::showIntroDialog() { if (st->isIntroDialogEnabled()) { // Show dialog inviting user to look at the "Quick start" // guide on the web site. QMessageBox msg_box; msg_box.setText("" "

Welcome to Firewall Builder

" "

Quick Start Guide

" "

" "There is a short online guide that provides basic information " "to help new users save time when first learning " "to use Firewall Builder." "

" "

" "In this guide you will learn:" "

" "

" "

    " "
  • Layout of the application windows
  • " "
  • Location of frequently used command buttons
  • " "
  • How to create and edit objects
  • " "
  • Where to find predefined system objects
  • " "
" "

" "" ); QPixmap pm; pm.load(":/Images/fwbuilder3-128x128.png"); msg_box.setWindowModality(Qt::ApplicationModal); #if QT_VERSION >= 0x040500 msg_box.setWindowFlags( Qt::Window | Qt::WindowTitleHint | Qt::CustomizeWindowHint | Qt::WindowCloseButtonHint | Qt::WindowSystemMenuHint); #else msg_box.setWindowFlags( Qt::Window | Qt::WindowTitleHint | Qt::CustomizeWindowHint | Qt::WindowSystemMenuHint); #endif msg_box.setWindowTitle(tr("Welcome to Firewall Builder")); msg_box.setIconPixmap(pm); msg_box.setInformativeText(tr("The guide will open in the web browser")); QCheckBox cb(tr("Do not show this again"), &msg_box); msg_box.addButton(&cb, QMessageBox::ResetRole); // is this role right ? QPushButton *watch_button = msg_box.addButton(tr("Watch the guide"), QMessageBox::AcceptRole); msg_box.addButton(QMessageBox::Close); /* Hack alert! Disconnect signals from the checkbox so that QMessageBox doesn't know when it gets clicked. We check it directly ourselves to see what state it's in when the user clicks "close" or "watch". */ cb.disconnect(); msg_box.setDefaultButton(watch_button); msg_box.exec(); if (cb.isChecked()) { st->setIntroDialogEnabled(false); } if (msg_box.clickedButton() == watch_button) { int ab_group = st->getABTestingGroup(); QString url("http://www.fwbuilder.org/4.0/quick_start_guide_%1.html"); QDesktopServices::openUrl(QUrl(url.arg(ab_group), QUrl::StrictMode)); } return; } if (!st->getBool("UI/NoStartTip")) { StartTipDialog *stdlg = new StartTipDialog(this); stdlg->run(); } } void FWWindow::helpAbout() { FWBAboutDialog ad(this); ad.exec(); } void FWWindow::debug() { debugDialog dd(this); dd.exec(); } void FWWindow::fileNew() { // if the only project panel window that we have shows default // object tree (i.e. its filename is empty) and has no unsaved // changes, then load file into. Otherwise create new project // window. 
ProjectPanel *proj = activeProject(); if (proj && proj->getFileName().isEmpty() && !proj->db()->isDirty()) { activeProject()->fileNew(); } else { std::auto_ptr proj(newProjectPanel()); if (proj->fileNew()) { showSub(proj.get()); QCoreApplication::postEvent(mw, new updateGUIStateEvent()); //prepareFileMenu(); //updateGlobalToolbar(); //prepareRulesMenu(); proj.release(); } } } void FWWindow::fileOpen() { QString dir; QMdiSubWindow *last_active_window = m_mainWindow->m_space->activeSubWindow(); QString file_name = QFileDialog::getOpenFileName( this, tr("Open File"), st->getOpenFileDir(mw->getCurrentFileName()), "FWB files (*.fwb *.fwl *.xml);;All Files (*)"); if (file_name.isEmpty()) { m_mainWindow->m_space->setActiveSubWindow(last_active_window); return; } st->setOpenFileDir(file_name); // Using absoluteFilePath(), see #1334 QFileInfo fi(file_name); QString file_path = fi.absoluteFilePath(); if (fwbdebug) qDebug() << "FWWindow::fileOpen():" << "File name: " << file_name << "Absolute file path: " << file_path; QMdiSubWindow* sw = alreadyOpened(file_name); if (sw != NULL) { if (fwbdebug) qDebug() << "This file is already opened"; // activate window with this file m_mainWindow->m_space->setActiveSubWindow(sw); return; } QFileInfo file_path_info(file_path); if (!file_path_info.exists() || !file_path_info.isReadable()) { QMessageBox::warning( this,"Firewall Builder", tr("File '%1' does not exist or is not readable").arg(file_path)); return; } if (loadFile(file_path, false)) { updateOpenRecentMenu(file_name); // reset actions, including Save() which should now // be inactive QCoreApplication::postEvent(mw, new updateGUIStateEvent()); //prepareFileMenu(); //prepareRulesMenu(); //updateGlobalToolbar(); QCoreApplication::postEvent(this, new updateSubWindowTitlesEvent()); } else m_mainWindow->m_space->setActiveSubWindow(last_active_window); } QMdiSubWindow* FWWindow::alreadyOpened(const QString &file_name) { QFileInfo fi(file_name); QString file_path = fi.absoluteFilePath(); 
if (fwbdebug) qDebug() << "FWWindow::alreadyOpened():" << "File name: " << file_name << "Absolute file path: " << file_path; foreach(QMdiSubWindow* sw, m_mainWindow->m_space->subWindowList()) { ProjectPanel * pp = dynamic_cast(sw->widget()); if (pp!=NULL) { if (fwbdebug) qDebug() << "Opened file" << pp->getFileName(); if (pp->getFileName() == file_path) return sw; } } return NULL; } bool FWWindow::loadFile(const QString &file_name, bool load_rcs_head) { /* We always create new project panel, deleting the old one if it's the default (standard objects) one with no changes. Otherwise we leave behind traces of the old project panel. */ ProjectPanel *oldProj = activeProject(); ProjectPanel *proj = newProjectPanel(); if (proj->loadFile(file_name, load_rcs_head)) { if (oldProj != 0 && oldProj->getFileName().isEmpty() && (oldProj->db() == NULL || !oldProj->db()->isDirty())) { oldProj->fileClose(); } showSub(proj); } else { delete proj; return false; } proj->readyStatus(true); proj->loadState(true); if (st->getBool("/Diff/AutoCompile")) autoCompile(); return true; } void FWWindow::fileClose() { if (fwbdebug) qDebug("FWWindow::fileClose()"); if (activeProject()) { ProjectPanel * project = activeProject(); if (!project->saveIfModified()) return; // abort operation project->saveState(); project->fileClose(); // reset actions, including Save() which should now // be inactive QCoreApplication::postEvent(mw, new updateGUIStateEvent()); //prepareFileMenu(); //prepareRulesMenu(); //updateGlobalToolbar(); } if (fwbdebug) qDebug("subWindowList().size()=%d", m_mainWindow->m_space->subWindowList().size()); } void FWWindow::fileExit() { if (fwbdebug) qDebug() << "FWWindow::fileExit()"; bool window_maximized_state = false; if (activeProject()) { QList subWindowList = m_mainWindow->m_space->subWindowList(); for (int i = 0 ; i < subWindowList.size(); i++) { window_maximized_state = subWindowList[i]->isMaximized(); ProjectPanel * project = dynamic_cast(subWindowList[i]->widget()); if 
(project!=NULL) { if (!project->saveIfModified() || !project->checkin(true)) return; // aborted //if (!project->saveIfModified()) return; // abort operation project->saveState(); project->fileClose(); } } } st->setInt("Window/maximized", window_maximized_state); app->quit(); } void FWWindow::toolsImportAddressesFromFile() { if (activeProject()) { ImportAddressListWizard wiz(this); wiz.exec(); } } void FWWindow::toolsSNMPDiscovery() { if (activeProject()) { SNMPNetworkDiscoveryWizard wiz(this); wiz.exec(); } } void FWWindow::importPolicy() { if (activeProject()) { if (!activeProject()->m_panel->om->isObjectAllowed(Firewall::TYPENAME)) return; ImportFirewallConfigurationWizard wiz(this, db()); wiz.exec(); } } void FWWindow::showEvent(QShowEvent *ev) { st->restoreGeometry(this, QRect(100,100,1000,600) ); QMainWindow::showEvent(ev); } void FWWindow::hideEvent(QHideEvent *ev) { st->saveGeometry(this); QMainWindow::hideEvent(ev); } void FWWindow::prepareEditMenu() { if (!activeProject()) { m_mainWindow->editCopyAction->setEnabled(false); m_mainWindow->editDeleteAction->setEnabled(false); m_mainWindow->editCutAction->setEnabled(false); m_mainWindow->editPasteAction->setEnabled(false); return; } bool dupMenuItem=true; bool moveMenuItem=true; bool copyMenuItem=true; bool pasteMenuItem=true; bool delMenuItem=true; bool newMenuItem=true; bool inDeletedObjects = false; activeProject()->m_panel->om->getMenuState( false, dupMenuItem, moveMenuItem, copyMenuItem, pasteMenuItem, delMenuItem, newMenuItem, inDeletedObjects ); m_mainWindow->editCopyAction->setEnabled(copyMenuItem); m_mainWindow->editDeleteAction->setEnabled(delMenuItem); m_mainWindow->editCutAction->setEnabled(delMenuItem); m_mainWindow->editPasteAction->setEnabled(pasteMenuItem); } void FWWindow::prepareViewMenu() { if (!activeProject()) { m_mainWindow->actionObject_Tree->setEnabled(false); m_mainWindow->actionEditor_panel->setEnabled(false); return; } m_mainWindow->actionObject_Tree->setEnabled(true); 
    // Remainder of FWWindow::prepareViewMenu(); its head is above.
    m_mainWindow->actionEditor_panel->setEnabled(true);
    m_mainWindow->actionObject_Tree->setChecked(
        activeProject()->m_panel->treePanelFrame->isVisible());
    m_mainWindow->actionEditor_panel->setChecked(
        m_mainWindow->editorDockWidget->isVisible());
    m_mainWindow->actionUndo_view->setChecked(
        m_mainWindow->undoDockWidget->isVisible());
}

/*
 * Enable/disable Object menu actions.
 *
 * NOTE(review): newObjectAction and findAction are disabled when there is
 * no project but are not re-enabled here when there is one -- presumably
 * handled elsewhere; verify.
 */
void FWWindow::prepareObjectMenu()
{
    if (!activeProject())
    {
        m_mainWindow->newObjectAction->setEnabled(false);
        m_mainWindow->findAction->setEnabled(false);
        m_mainWindow->ObjectLockAction->setEnabled(false);
        m_mainWindow->ObjectUnlockAction->setEnabled(false);
        return;
    }
    m_mainWindow->ObjectUnlockAction->setEnabled(
        activeProject()->m_panel->om->isCurrentObjectUnlockable());
    m_mainWindow->ObjectLockAction->setEnabled(
        activeProject()->m_panel->om->isCurrentObjectLockable());
}

/*
 * Enable/disable File menu actions from three facts about the active
 * project: whether it is backed by a real file, whether that file is
 * checked out of RCS, and whether the database has unsaved changes.
 * Library/policy import is additionally refused for the template
 * library, the "deleted objects" library and read-only libraries.
 */
void FWWindow::prepareFileMenu()
{
    if (!activeProject())
    {
        m_mainWindow->fileCloseAction->setEnabled(false);
        m_mainWindow->fileSaveAction->setEnabled(false);
        m_mainWindow->fileSaveAsAction->setEnabled(false);
        m_mainWindow->addToRCSAction->setEnabled(false);
        m_mainWindow->fileCommitAction->setEnabled(false);
        m_mainWindow->fileDiscardAction->setEnabled(false);
        m_mainWindow->filePropAction->setEnabled(false);
        m_mainWindow->libExportAction->setEnabled(false);
        m_mainWindow->libImportAction->setEnabled(false);
        m_mainWindow->policyImportAction->setEnabled(false);
        return;
    }

    bool real_file_opened = (activeProject()->getFileName() != "");
    bool in_rcs = (activeProject()->getRCS() != NULL &&
                   activeProject()->getRCS()->isCheckedOut());
    // db() may be NULL, hence the guard.
    bool needs_saving = (db() && db()->isDirty());

    m_mainWindow->fileSaveAction->setEnabled(real_file_opened && needs_saving);
    m_mainWindow->fileCloseAction->setEnabled(real_file_opened);
    m_mainWindow->filePropAction->setEnabled(real_file_opened);
    m_mainWindow->filePrintAction->setEnabled(real_file_opened);
    m_mainWindow->libExportAction->setEnabled(real_file_opened);

    FWObject *lib = activeProject()->getCurrentLib();
    // f == true means "no new objects may be created in this library"
    bool f = ( lib == NULL ||
               lib->getId()==FWObjectDatabase::TEMPLATE_LIB_ID ||
               lib->getId()==FWObjectDatabase::DELETED_OBJECTS_ID ||
               lib->isReadOnly() );
    bool new_object_op_possible = !f;

    m_mainWindow->libImportAction->setEnabled(new_object_op_possible);
    m_mainWindow->policyImportAction->setEnabled(new_object_op_possible);

    m_mainWindow->addToRCSAction->setEnabled(real_file_opened && !in_rcs);
    m_mainWindow->fileCommitAction->setEnabled(
        real_file_opened && in_rcs && needs_saving);
    m_mainWindow->fileDiscardAction->setEnabled(
        real_file_opened && in_rcs && needs_saving);

    m_mainWindow->fileNewAction->setEnabled(true);
    m_mainWindow->fileOpenAction->setEnabled(true);
    m_mainWindow->fileSaveAsAction->setEnabled(true);
}

/* SNMP discovery is only offered when built with net-snmp support. */
void FWWindow::prepareToolsMenu()
{
#ifdef HAVE_LIBSNMP
    m_mainWindow->SNMPDiscoveryAction->setEnabled(true);
#else
    m_mainWindow->SNMPDiscoveryAction->setEnabled(false);
#endif
}

/*
 * Rebuild the "Window" menu from scratch: fixed MDI actions first, then
 * one checkable entry per open project subwindow. The parallel vectors
 * windowsPainters / windowsTitles are refilled here and consumed by
 * selectActiveSubWindow(). The head is visible; the body continues below.
 */
void FWWindow::prepareWindowsMenu()
{
    windowsPainters.clear();
    windowsTitles.clear();
    m_mainWindow->menuWindow->clear();

    QAction *close = m_mainWindow->menuWindow->addAction("Close");
    QAction *closeAll = m_mainWindow->menuWindow->addAction("Close All");
    QAction *tile = m_mainWindow->menuWindow->addAction("Tile");
    QAction *cascade = m_mainWindow->menuWindow->addAction("Cascade");
    QAction *next = m_mainWindow->menuWindow->addAction("Next");
    QAction *previous = m_mainWindow->menuWindow->addAction("Previous");
    QAction *minimize = m_mainWindow->menuWindow->addAction("Minimize");
    QAction *maximize = m_mainWindow->menuWindow->addAction("Maximize");
    m_mainWindow->menuWindow->addSeparator();

    // Minimize/Maximize go through this class (they also persist the
    // "Window/maximized" setting); the rest go straight to the QMdiArea.
    connect(minimize, SIGNAL(triggered()), this, SLOT(minimize()));
    connect(maximize, SIGNAL(triggered()), this, SLOT(maximize()));
    connect(close, SIGNAL(triggered()),
            m_mainWindow->m_space, SLOT(closeActiveSubWindow()));
    connect(closeAll, SIGNAL(triggered()),
            m_mainWindow->m_space, SLOT(closeAllSubWindows()));
    connect(tile, SIGNAL(triggered()),
            m_mainWindow->m_space, SLOT(tileSubWindows()));
    connect(cascade, SIGNAL(triggered()),
            m_mainWindow->m_space, SLOT(cascadeSubWindows()));
    connect(next, SIGNAL(triggered()),
            m_mainWindow->m_space, SLOT(activateNextSubWindow()));
    connect(previous, SIGNAL(triggered()),
            m_mainWindow->m_space, SLOT(activatePreviousSubWindow()));

    QList subWindowList = m_mainWindow->m_space->subWindowList();

    minimize->setEnabled(subWindowList.size() > 0);
    maximize->setEnabled(subWindowList.size() > 0);
    close->setEnabled(subWindowList.size() > 0);
    closeAll->setEnabled(subWindowList.size() > 0);
    tile->setEnabled(subWindowList.size() > 0);
    cascade->setEnabled(subWindowList.size() > 0);
    next->setEnabled(subWindowList.size() > 0);
    previous->setEnabled(subWindowList.size() > 0);

    // Exclusive group so exactly one window entry shows as checked.
    QActionGroup * ag = new QActionGroup(this);
    ag->setExclusive(true);

    for (int i = 0 ; i < subWindowList.size(); i++)
    {
        // NOTE(review): windowsPainters gets an entry for every subwindow,
        // windowsTitles only for those hosting a ProjectPanel, yet
        // selectActiveSubWindow() indexes both with the same i. That is
        // only consistent while every subwindow hosts a ProjectPanel.
        windowsPainters.push_back(subWindowList[i]);
        ProjectPanel * pp = dynamic_cast( subWindowList[i]->widget());
        if (pp!=NULL)
        {
            if (fwbdebug)
                qDebug("FWWindow::prepareWindowsMenu() pp=%p", pp);
            //if (pp->isClosing()) continue ;
            QString text = subWindowList[i]->windowTitle();
            windowsTitles.push_back(text);
            QAction * act = m_mainWindow->menuWindow->addAction(text);
            ag->addAction(act);
            act->setCheckable( true );
            if (subWindowList[i] == m_mainWindow->m_space->activeSubWindow())
                act->setChecked(true);
            connect(act, SIGNAL(triggered()),
                    this, SLOT(selectActiveSubWindow()));
        }
    }
}

/*
 * returns list of file names (full canonical path) of the data files
 * currently opened in the program
 *
 * @return one entry per subwindow that hosts a ProjectPanel, in
 *         subWindowList() order; panels without a file contribute an
 *         empty string (nothing filters them here).
 */
QStringList FWWindow::getListOfOpenedFiles()
{
    QStringList res;
    QList subWindowList = m_mainWindow->m_space->subWindowList();
    for (int i = 0 ; i < subWindowList.size(); i++)
    {
        ProjectPanel * pp = dynamic_cast(subWindowList[i]->widget());
        if (pp!=NULL)
        {
            res.push_back(pp->getFileName());  // full path
        }
    }
    return res;
}

/*
 * Re-activate the subwindow remembered in previous_subwindow (set by
 * subWindowActivated()). Passes it through even if it is NULL.
 */
void FWWindow::activatePreviousSubWindow()
{
    if (fwbdebug) qDebug() << "FWWindow::activatePreviousSubWindow()";
    m_mainWindow->m_space->setActiveSubWindow(previous_subwindow);
}

/**
 * QMdiArea emits this signal after window has been activated. When
 * window is 0, QMdiArea has just deactivated its last active window,
 * and there are no active windows on the workspace.
 *
 * During the call to this method @subwindow is already current (equal
 * to the pointer returned by m_mainWindow->m_space->currentSubWindow())
 *
 * Re-activation of the same window is a no-op. For a ProjectPanel the
 * GUI state refresh is posted as an event, the panel is marked active
 * and, if the editor is open, it is pointed at the panel's selection.
 */
void FWWindow::subWindowActivated(QMdiSubWindow *subwindow)
{
    if (subwindow==NULL) return;

    if (fwbdebug)
        qDebug() << "FWWindow::subWindowActivated"
                 << "subwindow=" << subwindow
                 << "(" << subwindow->windowTitle() << ")"
                 << "previous_subwindow=" << previous_subwindow
                 << "(" << QString((previous_subwindow) ?
                                   previous_subwindow->windowTitle() : "")
                 << ")"
                 << "isMaximized()=" << subwindow->isMaximized();

    if (previous_subwindow == subwindow) return;
    previous_subwindow = subwindow;

    ProjectPanel *pp = dynamic_cast(subwindow->widget());
    if (pp)
    {
        QCoreApplication::postEvent(mw, new updateGUIStateEvent());
        pp->setActive();
        if (isEditorVisible()) openEditor(pp->getSelectedObject());
    }
}

/* Point the find, "where used" and object editor widgets at panel @pp. */
void FWWindow::attachEditorToProjectPanel(ProjectPanel *pp)
{
    findObjectWidget->attachToProjectWindow(pp);
    findWhereUsedWidget->attachToProjectWindow(pp);
    oe->attachToProjectWindow(pp);
}

/* Show the modal preferences dialog. */
void FWWindow::editPrefs()
{
    PrefsDialog pd(this);
    pd.exec();
}

/* Intentionally empty slot (kept for the menu/signal wiring). */
void FWWindow::editFind()
{
}

/* Intentionally empty slot. */
void FWWindow::helpContents()
{
}

/* Intentionally empty slot. */
void FWWindow::helpContentsAction()
{
}

/* Intentionally empty slot. */
void FWWindow::helpIndex()
{
}

/* Accessor for the shared printer object owned by this window. */
QPrinter* FWWindow::getPrinter()
{
    return printer;
}

/*
 * Main window close: remember the maximized state of the active panel,
 * then offer to save every project panel. The first panel whose save
 * prompt is declined vetoes the close (ev->ignore()).
 * Note the difference from fileExit(): no RCS checkin is attempted here.
 */
void FWWindow::closeEvent(QCloseEvent* ev)
{
    if (fwbdebug) qDebug("FWWindow::closeEvent");

    if (activeProject())
        st->setInt("Window/maximized",
                   activeProject()->mdiWindow->isMaximized());

    QList subWindowList = m_mainWindow->m_space->subWindowList();
    for (int i = 0 ; i < subWindowList.size();i++)
    {
        ProjectPanel * pp = dynamic_cast( subWindowList[i]->widget());
        if (pp!=NULL)
        {
            if (!pp->saveIfModified())
            {
                ev->ignore();
                return;
            }
            pp->saveState();
            pp->fileClose();
        }
    }
}

/*
 * Application-level event dispatcher. Custom events (type >= QEvent::User)
 * are handled here and/or forwarded to every subwindow widget; all other
 * events go to QMainWindow. The body continues below this listing.
 *
 * @return true when a custom event was consumed here, otherwise whatever
 *         QMainWindow::event() returns.
 */
bool FWWindow::event(QEvent *event)
{
    if (event->type() >= QEvent::User)
    {
        // NOTE(review): every user-type event is cast to fwbUpdateEvent and
        // dereferenced without a NULL check; this is only safe if no other
        // QEvent::User-derived event ever reaches this window -- verify.
        fwbUpdateEvent *ev = dynamic_cast(event);
        int obj_id = ev->getObjectId();

        /*
         * TODO:
         *
         * db() returns pointer to the FWObjectDatabase object that
         * belongs to the current active project panel. If the event
         * was sent for an object that does not belong to the active
         * panel, the object @obj won't be found in this
         * database. Event has project file name as another parameter,
         * need to use that to localte right project panel instead of
         * just calling activeProject().
         *
         * This happens when two data files are open and object tree
         * panels are detached. User can try to open an object from
         * file A by double clicking in the tree, while active panel
         * shows file B. See ticket #1804 "With 2 files open and
         * object trees undocked you cannot open objects from both
         * object trees"
         */
        // NOTE(review): db() is guarded against NULL in prepareFileMenu()
        // but not here -- confirm it cannot be NULL on this path.
        FWObject *obj = db()->findInIndex(obj_id);
        ProjectPanel *pp = activeProject();

        if (fwbdebug)
            qDebug() << this
                     << "event:" << ev->getEventName()
                     << "object:"
                     << ((obj!=NULL) ?
                         QString::fromUtf8(obj->getName().c_str()) : "");

        switch (event->type() - QEvent::User)
        {
        case UPDATE_GUI_STATE_EVENT:
            prepareFileMenu();
            prepareEditMenu();
            updateGlobalToolbar();
            // do not return, let ProjectPanel process the same event as well
            break;

        case OPEN_OBJECT_IN_EDITOR_EVENT:
        {
            if (pp && obj)
            {
                openEditor(obj);
                // pp->editObject(obj);
                pp->mdiWindow->update();
            }
            ev->accept();
            return true;
        }

        case OPEN_OPT_OBJECT_IN_EDITOR_EVENT:
        {
            if (pp && obj)
            {
                // opt_code lives on the more specific event subclass.
                openOptEditor(
                    obj, dynamic_cast(event)->opt_code);
                // pp->editObject(obj);
                pp->mdiWindow->update();
            }
            ev->accept();
            return true;
        }

        case UPDATE_SUBWINDOW_TITLES_EVENT:
        {
            // Count how many open files share a bare file name, then use
            // long (path-qualified) titles only for the ambiguous ones.
            QMap short_name_counters;
            QMap short_titles;
            QMap long_titles;
            foreach(QMdiSubWindow* sw, m_mainWindow->m_space->subWindowList())
            {
                // This pp shadows the outer one on purpose; it is per-window.
                ProjectPanel * pp = dynamic_cast(sw->widget());
                if (pp!=NULL)
                {
                    // string returned by getPageTitle() may also
                    // include RCS revision number.
                    // Compare only file name, without the path and rev
                    // number to make sure we show long paths for two
                    // subwindows where file names are identical,
                    // regardless of the RCS revision number.
                    QString file_name = pp->getFileName();  // full path
                    QFileInfo fi(file_name);
                    QString short_name = fi.fileName();
                    int c = short_name_counters[short_name];
                    short_name_counters[short_name] = c + 1;
                    short_titles[sw] = pp->getPageTitle(false);
                    long_titles[sw] = pp->getPageTitle(true);
                    if (fwbdebug)
                        qDebug() << "Subwindow " << sw
                                 << "file_name " << file_name
                                 << "short_name " << short_name
                                 << "short_name_counter " << c
                                 << "short_title " << short_titles[sw]
                                 << "long_title " << long_titles[sw];
                }
            }

            foreach(QMdiSubWindow* sw, m_mainWindow->m_space->subWindowList())
            {
                // NOTE(review): the counter map above is keyed by
                // fi.fileName(), but it is looked up here with the short
                // page title. The two only agree when getPageTitle(false)
                // returns exactly the bare file name -- verify.
                QString short_name = short_titles[sw];
                if (short_name_counters[short_name] > 1)
                    sw->setWindowTitle(long_titles[sw]);
                else
                    sw->setWindowTitle(short_titles[sw]);
            }
            ev->accept();
            return true;
        }

        case CLOSE_EDITOR_PANEL_EVENT:
        {
            hideEditor();
            ev->accept();
            return true;
        }

        case CLEAR_EDITOR_PANEL_EVENT:
        {
            clearEditorAndSearchPanels();
            ev->accept();
            return true;
        }
        }

        // dispatch event to all projectpanel windows
        foreach(QMdiSubWindow* sw, m_mainWindow->m_space->subWindowList())
            QCoreApplication::sendEvent(sw->widget(), event);

        event->accept();
        return true;
    }

    //if (fwbdebug) qDebug() << this << "event:" << event;

    return QMainWindow::event(event);
}

/*
 * Slot for the per-window entries built by prepareWindowsMenu(): look
 * the triggering action's text up in windowsTitles and activate the
 * subwindow stored at the same index in windowsPainters.
 *
 * NOTE(review): sender() is C-style cast to QAction* with no check, and
 * every window whose title matches is activated in turn (the last match
 * wins) -- both presumably fine for menu-only use.
 */
void FWWindow::selectActiveSubWindow(/*const QString & text*/)
{
    QObject * sender_ = sender();
    QAction * act = (QAction*) sender_ ;
    QString text = act->text();
    // Untitled panels are listed as "[Noname]" but stored with "".
    if (text=="[Noname]") text="";

    if (fwbdebug)
        qDebug() << "FWWindow::selectActiveSubWindow()"
                 << "text=" << text;

    for (int i = 0 ; i < windowsTitles.size();i++)
    {
        if (windowsTitles[i]==text)
        {
            m_mainWindow->m_space->setActiveSubWindow(windowsPainters[i]);
        }
    }
}

/*
 * Minimize the active subwindow, record "not maximized" in settings and
 * ask every project panel to reload its (non-maximized) layout state.
 */
void FWWindow::minimize()
{
    if (fwbdebug) qDebug("FWWindow::minimize");
    if (m_mainWindow->m_space->activeSubWindow())
    {
        m_mainWindow->m_space->activeSubWindow()->showMinimized();
        st->setInt("Window/maximized", 0);
        QList subWindowList = m_mainWindow->m_space->subWindowList();
        for (int i = 0 ; i < subWindowList.size();i++)
        {
            ProjectPanel * pp = dynamic_cast( subWindowList[i]->widget());
            if (pp!=NULL)
            {
                pp->loadState(false);
            }
        }
    }
}

/* Maximize the active subwindow and record "maximized" in settings. */
void FWWindow::maximize()
{
    if (fwbdebug) qDebug("FWWindow::maximize");
    if (m_mainWindow->m_space->activeSubWindow())
    {
        m_mainWindow->m_space->activeSubWindow()->showMaximized();
        st->setInt("Window/maximized", 1);
    }
}

/* Apply the configured tree font to every object tree of every panel. */
void FWWindow::updateTreeFont()
{
    QFont font = st->getTreeFont();
    QList subWindowList = m_mainWindow->m_space->subWindowList();
    for (int i = 0 ; i < subWindowList.size();i++)
    {
        ProjectPanel * pp = dynamic_cast(subWindowList[i]->widget());
        if (pp!=NULL)
        {
            std::vector trees = pp->m_panel->om->getTreeWidgets();
            for (unsigned int o = 0 ; o < trees.size(); o++)
            {
                trees[o]->setFont(font);
            }
        }
    }
}

/*
 * Slot connected to current_version_http_getter's done() signal: evaluate
 * the text returned by the update server.
 *
 * @param server_response body of the HTTP response (trimmed before use)
 *
 * Behaviour: the exact string "update = 1" raises an "update available"
 * warning at most once per 24h; otherwise a line "announcement = URL"
 * opens that URL in the Help window the first time it is seen.
 *
 * NOTE(review): the response is the untrusted output of a network request
 * and the announcement URL is passed to the Help viewer without any
 * scheme/host validation; restricting it to the expected origin would be
 * a cheap hardening. The HttpGet transport is not visible here.
 */
void FWWindow::checkForUpgrade(const QString& server_response)
{
    if (fwbdebug)
        qDebug() << "FWWindow::checkForUpgrade server_response: "
                 << server_response
                 << " http_getter_status: "
                 << current_version_http_getter->getStatus();

    // One-shot: detach so a later done() does not re-enter this slot.
    disconnect(current_version_http_getter, SIGNAL(done(const QString&)),
               this, SLOT(checkForUpgrade(const QString&)));

    /*
     * getStatus() returns error status if server esponded with 302 or
     * 301 redirect. Only "200" is considered success.
     */
    if (current_version_http_getter->getStatus())
    {
        /*
         * server response may be some html or other data in case
         * connection goes via proxy, esp. with captive portals. We
         * should not interpret that as "new version is available"
         */
        // NOTE(review): unsigned subtraction -- if the stored timestamp is
        // ever ahead of "now" the difference wraps and the warning fires.
        uint now = QDateTime::currentDateTime().toTime_t();
        uint last_update_available_warning_time =
            st->getTimeOfLastUpdateAvailableWarning();
        bool update_available = (server_response.trimmed() == "update = 1");

        if (update_available &&
            (now - last_update_available_warning_time > 24*3600) )
        {
            QMessageBox::warning(
                this,"Firewall Builder",
                tr("A new version of Firewall Builder is available at"
                   " http://www.fwbuilder.org"));
            st->setTimeOfLastUpdateAvailableWarning(now);
        } else
        {
            // format of the announcement string is very simple: it is just
            // announcement = URL
            // All on one line.
            QRegExp announcement_re = QRegExp("announcement\\s*=\\s*(\\S+)");
            if (announcement_re.indexIn(server_response.trimmed()) != -1)
            {
                QStringList list = announcement_re.capturedTexts();
                if (list.size() > 1)
                {
                    QString announcement_url = list[1];
                    uint last_annluncement_time =
                        st->getTimeOfLastAnnouncement(announcement_url);
                    if (fwbdebug)
                        qDebug() << "announcement_url=" << announcement_url
                                 << "last_annluncement_time="
                                 << last_annluncement_time;
                    if (last_annluncement_time == 0)
                    {
                        // We have an announcement to make and this user
                        // has not seen it yet.
                        st->setTimeOfLastAnnouncement(announcement_url, now);
                        Help *h = Help::getHelpWindow(this);
                        h->setSource(QUrl(announcement_url));
                    }
                }
            }
        }
    } else
    {
        if (fwbdebug)
            qDebug("Update check error: %s",
                   current_version_http_getter->getLastError().
                   toLatin1().constData());
    }
}

/*
 * This slot is called after one of the mdi windows is closed. This
 * is where the decision is made as to wether we should terminate the
 * program when the last MDI window is closed. Bug #2144114 "fwbuilder
 * exits if the last object file is closed" requests for the program
 * to continue after the last window is closed.
 */
void FWWindow::projectWindowClosed()
{
    // Body intentionally empty: the program keeps running after the last
    // window closes (see the comment above).
    // if (m_space->subWindowList().size() == 0) QCoreApplication::exit(0);
}

/* Open the Help window on the main help page. */
void FWWindow::help()
{
    Help *h = Help::getHelpWindow(this);
    h->setSource(QUrl("main.html"));
    h->raise();
    h->show();
}

/*
 * Show the release notes matching the compiled-in VERSION macro
 * (major.minor.micro only, build/qualifier suffix stripped). When no such
 * file ships, fall back to the directory located through
 * release_notes_5.3.0.html and show the newest notes available.
 *
 * NOTE(review): assert() is compiled out with NDEBUG, after which
 * version_components[2] is indexed unchecked; VERSION is a build-time
 * constant so the risk is low, but a runtime check would be safer.
 */
void FWWindow::showReleaseNotes()
{
    QStringList version_components = QString(VERSION).split(".");
    assert(version_components.size() >= 3);
    QString version_no_build = QString("%1.%2.%3")
        .arg(version_components[0])
        .arg(version_components[1])
        .arg(version_components[2]);
    QString file_name =
        QString("release_notes_%1.html").arg(version_no_build);

    // Show "release notes" dialog only if corresponding file exists.
    QString contents;  // unused
    Help *h = Help::getHelpWindow(this);
    h->setName("Firewall Builder Release Notes");
    if (h->findHelpFile(file_name).isEmpty())
    {
        // the file does not exist - find the latest release note
        // use release_notes_5.3.0 to find the release notes directory
        h->showAllReleaseNotes(
            h->findHelpFile(QString("release_notes_5.3.0.html")));
        h->raise();
        h->show();
        // use the generated list of release notes and select the first one
        h->showReleaseNotesSelected();
    } else
    {
        h->showAllReleaseNotes(h->findHelpFile(file_name));
        // I do not know why, but url "file://file_name" does not seem to work.
        // But "file:file_name" works.
        h->setSource(QUrl("file:" + file_name));
        h->raise();
        h->show();
        //h->exec();
        // Class Help uses attribute Qt::WA_DeleteOnClose which
        // means the system will delete the object on close. No
        // need to delete it explicitly if it was shown.
    }
}

/* Enable the "Back" toolbar action. */
void FWWindow::enableBackAction()
{
    m_mainWindow->backAction->setEnabled(true);
}

/*
 * Jump to rule number @rule of rule set @setname in firewall @fwname.
 *
 * @param project panel whose object tree is searched
 * @param fwname  firewall name, matched exactly (first Firewall hit wins)
 * @param setname rule set name inside that firewall
 * @param rule    rule number as understood by RuleSet::getRuleByNum()
 *
 * Silently returns when the firewall, rule set or rule is not found.
 * The rule set is opened and the rule's Action column selected through
 * two posted events, so the UI updates asynchronously.
 */
void FWWindow::activateRule(ProjectPanel* project, QString fwname,
                            QString setname, int rule)
{
    // Find firewall object tree item
    FWObject* firewall = NULL;
    foreach(QTreeWidgetItem* item,
            project->getCurrentObjectTree()->findItems(
                fwname, Qt::MatchExactly | Qt::MatchRecursive, 0))
    {
        // Tree items are expected to be ObjectTreeViewItem-like wrappers
        // exposing getFWObject(); the cast target was lost in extraction.
        if (Firewall::cast(dynamic_cast(item)->getFWObject())!=NULL)
        {
            firewall = dynamic_cast(item)->getFWObject();
            break;
        }
    }
    if (firewall == NULL) return;

    FWObject::const_iterator i =
        find_if(firewall->begin(), firewall->end(),
                FWObjectNameEQPredicate(string(setname.toUtf8().constData())));
    if (i==firewall->end()) return;
    RuleSet *set = RuleSet::cast(*i);
    if (set == NULL) return;

    QCoreApplication::postEvent(
        mw, new openRulesetImmediatelyEvent(project->getFileName(),
                                            set->getId()));

    FWObject *ruleObject = set->getRuleByNum(rule);
    if (ruleObject == NULL) return;
    QCoreApplication::postEvent(
        mw, new selectRuleElementEvent(project->getFileName(),
                                       ruleObject->getId(),
                                       ColDesc::Action));
}

/*
 * Persist the undo panel visibility, but only while the main window is
 * itself visible (avoids storing the hidden state during shutdown).
 */
void FWWindow::undoViewVisibilityChanged(bool visible)
{
    if(mw->isVisible()) st->setShowUndoPanel(visible);
}

/*
 * Enable compile/install/inspect only when the active project holds at
 * least one firewall; disabled without a project. db() is NULL-checked
 * before the firewall search.
 */
void FWWindow::updateGlobalToolbar()
{
    ProjectPanel* pp = activeProject();
    if (pp)
    {
        list fws;
        if (pp->db() != NULL) pp->findAllFirewalls(fws);
        setCompileAndInstallActionsEnabled(fws.size() != 0);
    } else
        setCompileAndInstallActionsEnabled(false);
}

/*
 * Apply the "/UI/IconWithText" setting to the toolbar button style. The
 * unified-title toggle around it is presumably needed for the macOS
 * toolbar to pick up the change -- not verifiable here.
 */
void FWWindow::setupGlobalToolbar()
{
    setUnifiedTitleAndToolBarOnMac(false);
    if (st->getBool("/UI/IconWithText"))
        m_mainWindow->toolBar->setToolButtonStyle(Qt::ToolButtonTextUnderIcon);
    else
        m_mainWindow->toolBar->setToolButtonStyle(Qt::ToolButtonIconOnly);
    setUnifiedTitleAndToolBarOnMac(true);
}

/*
 * This method constructs main menu "Rules" and enables or disables items
 * as appropriate.
 */
void FWWindow::prepareRulesMenu()
{
    if (fwbdebug) qDebug() << "FWWindow::prepareRulesMenu()";

    cleanRulesMenu();

    ProjectPanel* pp = activeProject();
    if (pp)
    {
        RuleSetView* rsv = activeProject()->getCurrentRuleSetView();
        if (fwbdebug) qDebug() << "FWWindow::prepareRulesMenu() rsv=" << rsv;
        if(rsv)
        {
            // Generic items when nothing is selected, row items otherwise.
            if (rsv->selectedRulesCount() == 0)
                rsv->addGenericMenuItemsToContextMenu(m_mainWindow->RulesMenu);
            else
                rsv->addRowMenuItemsToMenu(m_mainWindow->RulesMenu);
        }
        m_mainWindow->RulesMenu->addSeparator();
        m_mainWindow->RulesMenu->addActions(ruleStaticActions);

        // NOTE(review): unlike updateGlobalToolbar(), no pp->db() NULL
        // check precedes findAllFirewalls() here -- confirm it is safe.
        list fws;
        pp->findAllFirewalls(fws);
        setCompileAndInstallActionsEnabled(fws.size() != 0);
    }
}

/*
 * Empty the "Rules" menu before it is rebuilt.
 * NOTE(review): actions() returns a copy, so clear() on it is a no-op;
 * the following clear() on the menu itself is what does the work.
 */
void FWWindow::cleanRulesMenu()
{
    if (fwbdebug) qDebug() << "FWWindow::cleanRulesMenu()";
    m_mainWindow->RulesMenu->actions().clear();
    m_mainWindow->RulesMenu->clear();
}

/*
 * Show @txt on the status bar for about one second.
 * The processEvents() call pumps the event loop (user input excluded, up
 * to 100 ms) so the message is painted even from a busy caller.
 */
void FWWindow::showStatusBarMessage(const QString &txt)
{
    statusBar()->showMessage(txt);
    // Keep status bar message little longer so user can read it. See #272
    QTimer::singleShot( 1000, statusBar(), SLOT(clearMessage()));
    QApplication::processEvents(QEventLoop::ExcludeUserInputEvents, 100);
}

/* Enable or disable compile, install and inspect together. */
void FWWindow::setCompileAndInstallActionsEnabled(bool en)
{
    if (fwbdebug)
        qDebug() << "FWWindow::setCompileAndInstallActionsEnabled en=" << en;
    m_mainWindow->compileAction->setEnabled(en );
    m_mainWindow->installAction->setEnabled(en );
    m_mainWindow->inspectAction->setEnabled(en );
}

/* Unconditionally re-enable compile/install/inspect (used after RF). */
void FWWindow::setEnabledAfterRF()
{
    if (fwbdebug) qDebug() << "FWWindow::setEnabledAfterRF()";
    m_mainWindow->compileAction->setEnabled( true );
    m_mainWindow->installAction->setEnabled( true );
    m_mainWindow->inspectAction->setEnabled( true );
}

/*
 * Enable compile/install/inspect and forward the "select rules" request
 * to the active project, if any.
 */
void FWWindow::selectRules()
{
    if (fwbdebug) qDebug() << "FWWindow::selectRules()";
    m_mainWindow->compileAction->setEnabled( true );
    m_mainWindow->installAction->setEnabled( true );
    m_mainWindow->inspectAction->setEnabled( true );
    if (activeProject()) activeProject()->selectRules();
}

/*
 * Set compile/install/inspect to @havePolicies. Despite its name this
 * enables as well as disables.
 */
void FWWindow::disableActions(bool havePolicies)
{
    if (fwbdebug) qDebug() << "FWWindow::disableActions()";
    m_mainWindow->compileAction->setEnabled(havePolicies);
    m_mainWindow->installAction->setEnabled(havePolicies);
    m_mainWindow->inspectAction->setEnabled(havePolicies);
}

/*
 * Save the active project and open the compile dialog for all firewalls
 * (no preselection). Each of the compile/install/inspect entry points
 * below follows the same save-then-check-dirty pattern.
 *
 * NOTE(review): activeProject()->db() is dereferenced without the NULL
 * check that prepareFileMenu() and updateGlobalToolbar() apply -- confirm
 * a project with a NULL db cannot be active here.
 */
void FWWindow::compile()
{
    if (activeProject())
    {
        activeProject()->save();
        // if there is no file name associated with the project yet,
        // user is offered a chance to choose the file. If they hit
        // Cancel in the dialog where they choose the file name,
        // operation should be cancelled. We do not get direct
        // information whether they hit Cancel so the only way to
        // check is to verify that the file has been saved at this
        // point.
        if (activeProject()->db()->isDirty()) return;
        std::set emp;
        instd->show(this->activeProject(), false, false, emp);
    }
}

/* Save, then open the install dialog for all firewalls. */
void FWWindow::install()
{
    if (activeProject())
    {
        activeProject()->save();
        // see comment in FWWindow::compile()
        if (activeProject()->db()->isDirty()) return;
        std::set emp;
        instd->show(this->activeProject(), true, false, emp);
    }
}

/* Save, then open the compile dialog with firewalls @vf preselected. */
void FWWindow::compile(set vf)
{
    if (fwbdebug)
        qDebug("FWWindow::compile preselected %d firewalls", int(vf.size()));
    if (activeProject())
    {
        activeProject()->save();
        // see comment in FWWindow::compile()
        if (activeProject()->db()->isDirty()) return;
        instd->show(this->activeProject(), false, true, vf);
    }
}

/* Save, then open the install dialog with firewalls @vf preselected. */
void FWWindow::install(set vf)
{
    if (activeProject())
    {
        activeProject()->save();
        // see comment in FWWindow::compile()
        if (activeProject()->db()->isDirty()) return;
        instd->show(this->activeProject(), true, true, vf);
    }
}

/* Save, then inspect all firewalls of the active project. */
void FWWindow::inspect()
{
    if (activeProject())
    {
        activeProject()->save();
        // see comment in FWWindow::compile()
        if (activeProject()->db()->isDirty()) return;
        this->activeProject()->inspectAll();
    }
}

/*
 * Background compile of a clean active project. Unlike the entry points
 * above this never saves; it simply does nothing for a dirty database.
 * The instDialog is heap-allocated here; its lifetime/ownership is not
 * visible in this listing (presumably parented to this window).
 */
void FWWindow::autoCompile()
{
    if (activeProject() && !activeProject()->db()->isDirty())
    {
        instDialog *idlg = new instDialog(this);
        new BackgroundCompileInfoWidget(this, idlg, this);
        idlg->autoCompile(this->activeProject());
    }
}

/*
 * Replace the drop-down menu of the "new object" action with @m,
 * deleting the previous menu first.
 */
void FWWindow::addNewObjectMenu(QMenu *m)
{
    QMenu *old_menu = m_mainWindow->newObjectAction->menu();
    if (old_menu) delete old_menu;
    m_mainWindow->newObjectAction->setMenu( m );
}

/* Pop the "new object" menu up at the current cursor position. */
void FWWindow::showNewObjectMenu()
{
    m_mainWindow->newObjectAction->menu()->popup(QCursor::pos());
}

/*
 * Path of the per-session temporary directory, or an empty QString when
 * it could not be created (isValid() false).
 */
QString FWWindow::getTemporaryDirPath() const
{
    if (m_temporaryDir->isValid())
        return m_temporaryDir->path();
    return QString();
}
fwbuilder-5.3.7/src/libgui/FWWindow.h000066400000000000000000000251341303637203600174400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FWWINDOW_H_ #define __FWWINDOW_H_ //#include //#include #include "RCS.h" #include "HttpGet.h" #include "printerStream.h" #include "ObjectEditor.h" #include "instDialog.h" #include #include #include #include #include #include #include class ObjectManipulator; class ObjectTreeView; class ProjectPanel; class QMdiArea; class QMdiSubWindow; class QPrinter; class QTabWidget; class QTextEdit; class QTimer; class QTreeWidgetItem; class QDockWidget; class QUndoGroup; class RuleSetView; class findDialog; class FindObjectWidget; class FindWhereUsedWidget; class CompilerOutputPanel; class TemporaryDir; namespace Ui { class FWBMainWindow_q; class pageSetupDialog_q; }; namespace libfwbuilder { class FWObjectDatabase; class Firewall; class PolicyRule; class RuleSet; class Rule; class FWObject; class FWReference; }; #define MAXRECENTFILES 5 #define EDITOR_PANEL_EDITOR_TAB 2 #define EDITOR_PANEL_SEARCH_TAB 1 #define EDITOR_PANEL_OUTPUT_TAB 0 class FWWindow : public QMainWindow { Q_OBJECT; Ui::pageSetupDialog_q *psd; QMdiArea *m_space; QMdiSubWindow *previous_subwindow; instDialog *instd; HttpGet *current_version_http_getter; QString noFirewalls; QWidget *editorOwner; QPrinter *printer; libfwbuilder::FWObject *searchObject; libfwbuilder::FWObject *replaceObject; //int lastFirewallIdx; QStringList openDocFiles; bool auto_load_from_rcs_head_revision; QAction *recentFileActs[MAXRECENTFILES]; QAction *openRecentSeparatorAct; QAction *undoAction; QAction *redoAction; void clearFirewallTabs(); ProjectPanel *newProjectPanel(); void showSub(ProjectPanel *projectW); void attachEditorToProjectPanel(ProjectPanel *pp); QList ruleStaticActions; TemporaryDir *m_temporaryDir; public: QVector windowsTitles; QVector windowsPainters; // Passwords are cached to this map if user enables remember password. 
// Key is QPair // and value is QPair QMap, QPair > passwords; ObjectEditor *oe; FindObjectWidget *findObjectWidget; FindWhereUsedWidget *findWhereUsedWidget; QUndoGroup *undoGroup; ProjectPanel* activeProject(); void updateWindowTitle(); void updateTreeFont(); void updateRecentFileActions(); void updateOpenRecentMenu(const QString &fileName); void updateGlobalToolbar(); void setupGlobalToolbar(); void enableBackAction(); public slots: void selectActiveSubWindow (/*const QString & text*/); void subWindowActivated(QMdiSubWindow*); void editorPanelTabChanged(int); void minimize(); void maximize(); virtual void search(); virtual void restoreRuleSetTab(); virtual void editFind(); virtual void toggleViewObjectTree(); virtual void toggleViewEditor(); virtual void toggleViewUndo(); virtual void helpContents(); virtual void helpContentsAction(); virtual void helpIndex(); virtual void help(); virtual void showReleaseNotes(); virtual void fileNew(); virtual void fileOpen(); virtual void openRecentFile(); virtual void clearRecentFilesMenu(); virtual void fileClose(); virtual void fileSave(); virtual void fileSaveAs(); virtual void fileDiscard(); virtual void fileCommit(); virtual void fileImport(); virtual void fileExport(); virtual void filePrint(); virtual void fileExit(); virtual void fileProp(); virtual void fileAddToRCS(); virtual void fileCompare(); virtual void editCopy(); virtual void editCut(); virtual void editDelete(); virtual void editPaste(); virtual void editPrefs(); virtual void importPolicy(); virtual void startupLoad(); virtual void helpAbout(); virtual void debug(); virtual void compile(std::set vf); virtual void compile(); virtual void install(std::set vf); virtual void install(); virtual void inspect(); virtual void autoCompile(); virtual void insertRule(); virtual void addRuleAfterCurrent(); virtual void moveRule(); virtual void moveRuleUp(); virtual void moveRuleDown(); virtual void removeRule(); virtual void copyRule(); virtual void cutRule(); virtual 
void pasteRuleAbove(); virtual void pasteRuleBelow(); virtual void newObject(); virtual void lockObject(); virtual void unlockObject(); virtual void prepareEditMenu(); virtual void prepareViewMenu(); virtual void prepareObjectMenu(); virtual void prepareFileMenu(); virtual void prepareToolsMenu(); virtual void prepareWindowsMenu(); virtual void prepareFileOpenRecentMenu(); virtual void prepareRulesMenu(); virtual void cleanRulesMenu(); virtual void toolsImportAddressesFromFile(); virtual void toolsSNMPDiscovery(); virtual void checkForUpgrade(const QString&); virtual void projectWindowClosed(); void tableResolutionSettingChanged(int ); void activateRule(ProjectPanel*, QString, QString, int); void undoViewVisibilityChanged(bool); public: Ui::FWBMainWindow_q *m_mainWindow; FWWindow(); ~FWWindow(); RCS * getRCS(); void registerAutoOpenDocFile(const QString &file_name, bool load_from_rcs_head); void load(QWidget *dialogs_parent,RCS *rcs); void load(QWidget *dialogs_parent); void loadLibrary(const std::string &libfpath); bool loadFile(const QString &filename, bool load_rcs_head); void save(); bool checkin(bool unlock); int findFirewallInList(libfwbuilder::FWObject *f); QStringList getListOfOpenedFiles(); QMdiSubWindow* alreadyOpened(const QString &file_path); bool editingLibrary(); QString chooseNewFileName(const QString &fname, const QString &title); void setFileName(const QString &fname); bool saveIfModified(); /** * selects whatever is current in rules */ void selectRules(); void disableActions(bool havePolicies); void setCompileAndInstallActionsEnabled(bool en); void setEnabledAfterRF(); QString getCurrentFileName(); void setupAutoSave(); void findObject(libfwbuilder::FWObject *); void findWhereUsed(libfwbuilder::FWObject *obj, ProjectPanel *pp); bool exportLibraryTest(std::list &selectedLibs); void exportLibraryTo(QString fname,std::list &selectedLibs, bool rof); void findExternalRefs(libfwbuilder::FWObject *lib, libfwbuilder::FWObject *root, std::list &extRefs); 
void setSafeMode(bool f); void setStartupFileName(const QString &fn); libfwbuilder::FWObject* getCurrentLib(); libfwbuilder::FWObject* createObject(const QString &objType, const QString &objName, libfwbuilder::FWObject *copyFrom=NULL); libfwbuilder::FWObject* createObject(libfwbuilder::FWObject *parent, const QString &objType, const QString &objName, libfwbuilder::FWObject *copyFrom=NULL); void moveObject(libfwbuilder::FWObject *target, libfwbuilder::FWObject *obj); void moveObject(const QString &targetLibName, libfwbuilder::FWObject *obj); ObjectTreeView* getCurrentObjectTree(); void findAllFirewalls (std::list &fws); void showDeletedObjects(bool f); // void select(); // void unselect(); QPrinter* getPrinter(); libfwbuilder::FWObjectDatabase* db(); QString printHeader(); static void printFirewallFromFile(QString fileName, QString firewallName, QString outputFileName); /** * show text string on status bar for 1 sec */ void showStatusBarMessage(const QString &txt); //wrapers for some Object Editor functions bool isEditorVisible(); void showEditor(); void hideEditor(); void closeEditor(); void clearEditorAndSearchPanels(); void openEditor(libfwbuilder::FWObject *o); void openOptEditor(libfwbuilder::FWObject *, ObjectEditor::OptType t); void blankEditor(); libfwbuilder::FWObject* getOpenedEditor(); ObjectEditor::OptType getOpenedOptEditor(); virtual void closeEditorPanel(); virtual void openEditorPanel(); bool requestEditorOwnership(QWidget *w, libfwbuilder::FWObject *o, ObjectEditor::OptType otype, bool validate = true); void singleRuleCompile(libfwbuilder::Rule *rule); void buildEditorTitleAndIcon(libfwbuilder::FWObject *obj, ObjectEditor::OptType t, QString *title_txt, QPixmap *pm, bool include_file_name); void showIntroDialog(); void addNewObjectMenu(QMenu*); void showNewObjectMenu(); QString getTemporaryDirPath() const; protected: virtual void showEvent(QShowEvent *ev); virtual void hideEvent(QHideEvent *ev); virtual void closeEvent(QCloseEvent *ev); virtual bool 
event(QEvent *event); protected slots: void activatePreviousSubWindow(); }; #endif fwbuilder-5.3.7/src/libgui/FWWindowPrint.cpp000066400000000000000000000254141303637203600210110ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "platforms.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "PrintingProgressDialog.h" #include "PrintingController.h" #include "ProjectPanel.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Constants.h" #include #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace std; void FWWindow::filePrint() { if (!activeProject()) { if (fwbdebug) qDebug() << "There isn't any selected subwindow"; return; } int pageWidth = 0; int pageHeight = 0; bool fullPage = false; float margin = 0; float table_scaling = 1.0; bool print_header = true; bool print_legend = true; bool print_objects = true; bool newPageForSection = false; int tableResolution = 100; FWObject *firewall_to_print = NULL; FWObject *current_ruleset = activeProject()->getCurrentRuleSet(); if (current_ruleset) firewall_to_print = 
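current_ruleset->getParent();
    else
    {
        // no ruleset is open in the right panel
        firewall_to_print = activeProject()->getSelectedObject();
    }

    // Need error dialog
    if (!Firewall::cast(firewall_to_print)) return;

    if (!st->getStr("PrintSetup/newPageForSection").isEmpty())
        newPageForSection = st->getBool("PrintSetup/newPageForSection");

    if (!st->getStr("PrintSetup/printHeader").isEmpty())
        print_header = st->getBool("PrintSetup/printHeader");

    if (!st->getStr("PrintSetup/printLegend").isEmpty())
        print_legend = st->getBool("PrintSetup/printLegend");

    if (!st->getStr("PrintSetup/printObjects").isEmpty())
        print_objects = st->getBool("PrintSetup/printObjects");

    if (!st->getStr("PrintSetup/tableResolution").isEmpty())
    {
        tableResolution = st->getInt("PrintSetup/tableResolution");
        // for backwards compatibility, convert resolution from an index
        // in a table to a percentage.
        // Previously values were from the following list:
        // 50%, 75%, 100%, 150%, 200%, default 100%
        //
        // The settings file is editable by the user, so the lower bound
        // is checked as well: a negative value must never be used as an
        // index into old_res.
        int old_res[] = {50, 75, 100, 150, 200 };
        if (tableResolution >= 0 && tableResolution <= 4)
            tableResolution = old_res[tableResolution];
    }

    QDialog dlg;
    psd = new Ui::pageSetupDialog_q();
    psd->setupUi(&dlg);

    connect(psd->tableResolution, SIGNAL(valueChanged(int)),
            this, SLOT(tableResolutionSettingChanged(int)));

    psd->newPageForSection->setChecked(newPageForSection);
    psd->printHeader->setChecked(print_header);
    psd->printLegend->setChecked(print_legend);
    psd->printObjects->setChecked(print_objects);
    psd->tableResolution->setValue(tableResolution);

    if ( dlg.exec() == QDialog::Accepted )
    {
        newPageForSection = psd->newPageForSection->isChecked();
        print_header = psd->printHeader->isChecked();
        print_legend = psd->printLegend->isChecked();
        print_objects = psd->printObjects->isChecked();
        tableResolution = psd->tableResolution->value();

        st->setBool("PrintSetup/newPageForSection", newPageForSection);
        st->setBool("PrintSetup/printHeader", print_header);
        st->setBool("PrintSetup/printLegend", print_legend);
        st->setBool("PrintSetup/printObjects", print_objects);
        st->setInt("PrintSetup/tableResolution", tableResolution);

        st->getPrinterOptions(printer, pageWidth, pageHeight);

        table_scaling = float(tableResolution) / 100;

        //printer->setResolution(resolution);
        printer->setFullPage(fullPage);

        if (fwbdebug) qDebug() << "Running QPrintDialog";

        QPrintDialog pdialog(printer, this);
        pdialog.setWindowTitle(tr("Print configuration of %1")
                               .arg(firewall_to_print->getName().c_str()));
#ifndef Q_OS_MACX
        pdialog.addEnabledOption(QAbstractPrintDialog::PrintPageRange);
        pdialog.setMinMax(1,9999);
        pdialog.setPrintRange(QAbstractPrintDialog::AllPages);
#endif

        if (pdialog.exec() == QDialog::Accepted)
        {
            if (fwbdebug) qDebug() << "QPrintDialog finished";

            // a page number of 0 means "no range selected": print all
            int fromPage = printer->fromPage();
            int toPage = printer->toPage();
            if (fromPage==0) fromPage = 1;
            if (toPage==0) toPage = 9999;

            showStatusBarMessage(tr("Printing..." ));

            PrintingProgressDialog *ppd =
                new PrintingProgressDialog(this, printer, 0, false);

            QString headerText = mw->printHeader();

#if defined(Q_OS_MACX)
            printerStream pr(printer, table_scaling, margin,
                             print_header, headerText, NULL);
#else
            printerStream pr(printer, table_scaling, margin,
                             print_header, headerText, ppd);
            ppd->show();
#endif
            pr.setFromTo(fromPage, toPage);

            if (fwbdebug)
                qDebug() << "Printer resolution (dpi):" << printer->resolution();

            if ( !pr.begin())
            {
                // This early return used to skip the "delete psd" at the
                // bottom of the function, leaking the page setup UI object
                // on every failed begin().
                ppd->hide();
                delete ppd;
                delete psd;
                psd = NULL;
                return;
            }

            PrintingController prcontr(&pr);

            prcontr.printFirewall(firewall_to_print, activeProject());

            if (print_legend) prcontr.printLegend(newPageForSection);
            if (print_objects)
                prcontr.printObjects(firewall_to_print, newPageForSection);

            ppd->hide();
            delete ppd;

            pr.end();

            if (printer->printerState() == QPrinter::Aborted)
            {
                showStatusBarMessage(tr("Printing aborted"));
                QMessageBox::information(
                    this,"Firewall Builder",
                    tr("Printing aborted"),
                    tr("&Continue"), QString::null,QString::null,
                    0, 1 );
            } else
                showStatusBarMessage(tr("Printing completed"));

        } else
        {
            if (fwbdebug) qDebug() << "QPrintDialog cancelled";
            showStatusBarMessage(tr("Printing cancelled"));
        }

        st->setPrinterOptions(printer,pageWidth,pageHeight);
    }

    delete psd;
    psd = NULL;
}

/*
 * Slot connected to the resolution spin box of the page setup dialog;
 * mirrors its value into the "NN %" label next to it.
 */
void FWWindow::tableResolutionSettingChanged(int )
{
    // psd is only non-NULL while filePrint() has the dialog open
    if (psd)
    {
        QString res_lbl = QString("%1 %").arg(psd->tableResolution->value());
        psd->tableResolutionLabel->setText(res_lbl);
    }
}

/*
 * Upgrade predicate used when printing from the command line: data
 * files in an old format are never converted here, the user is told to
 * do that in the GUI.
 */
class UpgradePredicate: public XMLTools::UpgradePredicate
{
    public:
    virtual bool operator()(const string&) const
    {
        cout << "Data file has been created in the old version of Firewall Builder. Use fwbuilder GUI to convert it." << endl;
        return false;
    }
};

/*
 * "PrintSetup/tableResolution" used to store an index into the list
 * 50%, 75%, 100%, 150%, 200% instead of the percentage itself.
 * FWWindow::filePrint() applies the same conversion inline and writes
 * the percentage back, but a settings file that has never been through
 * the print dialog may still hold the old index form, which would give
 * a table scaling of 0.00 .. 0.04 if used as a percentage.
 *
 * Returns the percentage; values outside 0..4 are passed through.
 */
static int legacyTableResolutionToPercent(int tableResolution)
{
    static const int old_res[] = {50, 75, 100, 150, 200 };
    if (tableResolution >= 0 && tableResolution <= 4)
        return old_res[tableResolution];
    return tableResolution;
}

/*
 * Prints firewall firewallName from data file fileName to the PDF file
 * outputFileName (default "print.pdf") without any GUI interaction.
 * Page setup options are taken from the saved settings, like in
 * filePrint(). Errors are reported via qDebug() only.
 */
void FWWindow::printFirewallFromFile(QString fileName,
                                     QString firewallName,
                                     QString outputFileName)
{
    if (outputFileName=="") outputFileName = "print.pdf";
    if (firewallName=="") return;
    if (fileName=="") return;

    if (!QFile::exists(fileName))
    {
        qDebug() << "Input file does not exist";
        return;
    }

    // objdb owns the whole object tree, including the firewall we
    // print, and must be released on every exit path (it used to leak,
    // as did the QPrinter which is now a local object).
    FWObjectDatabase *objdb = new FWObjectDatabase();
    UpgradePredicate up;

    try
    {
        objdb->load(fileName.toLatin1().constData(), &up,
                    Constants::getDTDDirectory());
    } catch (...)
    {
        qDebug() << "Could not read input file";
        delete objdb;
        return;
    }

#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    FWObject* obj = objdb->findObjectByName(Firewall::TYPENAME,
                                            firewallName.toAscii().data());
#else
    FWObject* obj = objdb->findObjectByName(Firewall::TYPENAME,
                                            firewallName.toLatin1().data());
#endif

    if (obj==NULL)
    {
        qDebug() << "Error: can't find firewall " << firewallName;
        delete objdb;
        return;
    }

    int pageWidth = 0;
    int pageHeight = 0;
    bool fullPage = false;
    float margin = 0;
    float table_scaling = 1.0;
    bool print_header = true;
    bool print_legend = true;
    bool print_objects = true;
    bool newPageForSection = false;
    int tableResolution = 100;

    if (!st->getStr("PrintSetup/newPageForSection").isEmpty())
        newPageForSection = st->getBool("PrintSetup/newPageForSection");

    if (!st->getStr("PrintSetup/printHeader").isEmpty())
        print_header = st->getBool("PrintSetup/printHeader");

    if (!st->getStr("PrintSetup/printLegend").isEmpty())
        print_legend = st->getBool("PrintSetup/printLegend");

    if (!st->getStr("PrintSetup/printObjects").isEmpty())
        print_objects = st->getBool("PrintSetup/printObjects");

    if (!st->getStr("PrintSetup/tableResolution").isEmpty())
        tableResolution = legacyTableResolutionToPercent(
            st->getInt("PrintSetup/tableResolution"));

    table_scaling = float(tableResolution) / 100;

    // declared before the printerStream below so that it outlives it
    QPrinter printer(QPrinter::HighResolution);
    st->getPrinterOptions(&printer,pageWidth,pageHeight);

    //printer->setResolution(resolution);
    printer.setFullPage(fullPage);
    printer.setOutputFileName (outputFileName);

    int fromPage = 1;
    int toPage = 9999;

    QString headerText = fileName; //mw->printHeader();

    {
        printerStream pr(&printer, table_scaling, margin,
                         print_header, headerText, NULL);
        pr.setFromTo(fromPage,toPage);

        if (pr.begin())
        {
            PrintingController prcontr(&pr);

            prcontr.printFirewall(obj, NULL);

            if (print_legend) prcontr.printLegend(newPageForSection);
            if (print_objects) prcontr.printObjects(obj, newPageForSection);

            // filePrint() ends the stream explicitly after printing;
            // do the same here so the output is finalized before the
            // printer and the database go away
            pr.end();
        }
    }

    delete objdb;
}
fwbuilder-5.3.7/src/libgui/FWWindow_editor.cpp000066400000000000000000000277231303637203600213470ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2003, 2006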
NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "events.h" #include #include "FWBTree.h" #include "FWWindow.h" #include "FindObjectWidget.h" #include "FindWhereUsedWidget.h" #include "RuleSetModel.h" #include "RuleSetView.h" #include "platforms.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Policy.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Library.h" #include #include #include #include #include using namespace libfwbuilder; /* * when ProjectPanel is created, it sends bunch of stateChange events * which lead to calls to ProjectPanel::changeEvent() method. This * method checks if editor is visible and contains modified data. Since * we create default ProjectPanel object in the constructor of * FWWindow, the first call to ProjectPanel::changeEvent() comes when * object editor has not been create yet. This is why we need to check * for oe != NULL here and below. 
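 */
bool FWWindow::isEditorVisible()
{
    // oe is NULL until the object editor has been created (see the
    // comment above), so this has to be safe to call that early
    return oe != NULL &&
        m_mainWindow->editorDockWidget->isVisible() &&
        m_mainWindow->editorPanelTabWidget->currentIndex() == EDITOR_PANEL_EDITOR_TAB;
}

/*
 * Slot for the editor panel tab widget: when the user switches to the
 * editor tab, (re)load the object currently selected in the active
 * project into the editor.
 */
void FWWindow::editorPanelTabChanged(int idx)
{
    if (idx != EDITOR_PANEL_EDITOR_TAB) return;
    // same early-startup situation as in isEditorVisible()
    if (oe == NULL) return;

    ProjectPanel *pp = activeProject();
    if (pp) oe->open(pp->getSelectedObject());
}

/*****************************************************************
 * there are too many functions that open, close and hide editor panel.
 * TODO: need to get rid of redundant ones
 */
void FWWindow::showEditor()
{
    m_mainWindow->objectEditorStack->setCurrentIndex(oe->getCurrentDialogIndex());
    m_mainWindow->editorPanelTabWidget->setCurrentIndex(EDITOR_PANEL_EDITOR_TAB);
    m_mainWindow->editorDockWidget->show(); // editor
}

void FWWindow::hideEditor()
{
    closeEditorPanel();
}

void FWWindow::closeEditor()
{
    m_mainWindow->editorDockWidget->close(); // editor
}

void FWWindow::closeEditorPanel()
{
    m_mainWindow->editorDockWidget->hide(); // editor
}

void FWWindow::clearEditorAndSearchPanels()
{
    findWhereUsedWidget->clear();
    findObjectWidget->clear();
    if (oe != NULL) oe->blank();
}

void FWWindow::openEditorPanel()
{
}

/*
 * Opens obj in the object editor panel, switching the panel to the
 * editor tab and, if obj belongs to a different firewall than the
 * ruleset currently shown, switching the ruleset view to that
 * firewall as well. System objects are never opened.
 */
void FWWindow::openEditor(FWObject *obj)
{
    // obj is dereferenced below; system objects are not editable
    if (obj == NULL || FWBTree().isSystem(obj)) return;

    ProjectPanel *pp = activeProject();
    attachEditorToProjectPanel(pp);

    /*
     * See #1060 when user finished editing one of the input fields
     * (QLineEdit) in the object editor and hit Tab, focus moved to
     * the next field but its contents did not get highlighted as
     * usual, but instead cursor was positioned after the last
     * character. This happened because FWCmdChange::notify() reloaded
     * contents of the editor. We can't avoid doing this because we
     * have to update the editor when user cycles through undo/redo
     * operations. It is hard to detect when redo() is called for the
     * first time when user just finished editing something (and even
     * if that was possible, what if they execute undo or redo some
     * time later while looking at the same object in the
     * editor). Will detect situation when editor is reloaded with the
     * same object and restore focus on the same input field. If this
     * field is QLineEdit, will also select contents to emulate
     * correct behavior when user moves between input fields using
     * Tab.
     */
    QWidget *current_focus_widget = QApplication::focusWidget();
    bool reopen = (getOpenedEditor() == obj &&
                   current_focus_widget &&
                   m_mainWindow->editorDockWidget->isAncestorOf(current_focus_widget));
    QLineEdit *line_edit = dynamic_cast<QLineEdit*>(current_focus_widget);
    bool restore_line_edit_selection =
        line_edit != NULL && line_edit->hasSelectedText();

    if (fwbdebug)
    {
        qDebug() << "FWWindow::openEditor "
                 << " obj: " << " " << obj->getName().c_str()
                 << " " << obj->getTypeName().c_str()
                 << " reopening in the editor: " << reopen
                 << " current_focus_widget=" << current_focus_widget;
    }

    QString title_txt;
    QPixmap title_icon;
    buildEditorTitleAndIcon(
        obj, ObjectEditor::optNone,
        &title_txt, &title_icon,
        m_mainWindow->m_space->subWindowList(QMdiArea::StackingOrder).size() > 1);

    // keep the editor stack from jumping in size when a new dialog is shown
    QSize old_size = m_mainWindow->objectEditorStack->size();

    m_mainWindow->editorPanelTabWidget->setCurrentIndex(EDITOR_PANEL_EDITOR_TAB);
    m_mainWindow->editorDockWidget->setWindowTitle(title_txt);
    m_mainWindow->objectTypeIcon->setPixmap(title_icon);
    m_mainWindow->editorDockWidget->show(); // editor

    oe->open(obj);

    m_mainWindow->objectEditorStack->resize(old_size);

    // #2465 If the object we are about to open in the editor is a
    // firewall and if a ruleset visible in RuleSetView belongs to
    // another firewall, switch ruleset to the ruleset of the new
    // firewall which we looked at last time.
    //
    FWObject *parent_fw = Host::getParentHost(obj);

    if (fwbdebug)
        qDebug() << "parent firewall:" << parent_fw
                 << QString((parent_fw)? parent_fw->getName().c_str() : "");

    // pp was checked for NULL above: attachEditorToProjectPanel()
    // accepts it either way, but the ruleset lookup needs a panel
    if (parent_fw != NULL && pp != NULL) // this includes Cluster
    {
        RuleSetView* rsv = pp->getCurrentRuleSetView();
        if (rsv)
        {
            RuleSetModel* md = (RuleSetModel*)rsv->model();
            RuleSet* current_ruleset = md->getRuleSet();

            // only switch when a ruleset of another firewall is shown;
            // a view whose model has no ruleset yet is left alone
            // instead of being dereferenced
            if (current_ruleset != NULL &&
                parent_fw != current_ruleset->getParent())
            {
                FWObject *old_rs =
                    pp->m_panel->om->findRuleSetInHistoryByParentFw(parent_fw);
                if (old_rs == NULL)
                    old_rs = parent_fw->getFirstByType(Policy::TYPENAME);
                if (old_rs != NULL)
                    QCoreApplication::postEvent(
                        pp,
                        new openRulesetImmediatelyEvent(pp->getFileName(),
                                                        old_rs->getId()));
            }
        }
    }

    if (reopen)
    {
        if (fwbdebug)
        {
            qDebug() << "FWWindow::openEditor "
                     << "New widget about to get focus:" << current_focus_widget;
        }
        if (current_focus_widget)
        {
            current_focus_widget->setFocus(Qt::TabFocusReason);
            if (restore_line_edit_selection) line_edit->selectAll();
        }
    }
}

/*
 * Opens one of the option pages (t) of obj in the editor panel.
 */
void FWWindow::openOptEditor(FWObject *obj, ObjectEditor::OptType t)
{
    attachEditorToProjectPanel(activeProject());

    if (fwbdebug)
        qDebug() << "FWWindow::openOptEditor "
                 << " obj: " << " " << obj->getName().c_str()
                 << " " << obj->getTypeName().c_str()
                 << " option: " << t;

    QString title_txt;
    QPixmap title_icon;
    buildEditorTitleAndIcon(
        obj, t,
        &title_txt, &title_icon,
        m_mainWindow->m_space->subWindowList(QMdiArea::StackingOrder).size() > 1);

    QSize old_size = m_mainWindow->objectEditorStack->size();

    m_mainWindow->editorPanelTabWidget->setCurrentIndex(EDITOR_PANEL_EDITOR_TAB);
    m_mainWindow->editorDockWidget->setWindowTitle(title_txt);
    //m_mainWindow->editorDockWidget->setWindowIcon(title_icon);
    m_mainWindow->objectTypeIcon->setPixmap(title_icon);
    m_mainWindow->editorDockWidget->show(); // editor

    oe->openOpt(obj, t);

    m_mainWindow->objectEditorStack->resize(old_size);

    if (fwbdebug) qDebug() << "FWWindow::openOptEditor done";
}

/*
 * Builds the editor panel title ("[file] / lib / ... / object") and the
 * big icon for obj. Rules are shown as "rule #N"; the icon is taken
 * from the enclosing ruleset when there is one, or from the rule action
 * when the action option page (t == optAction) is being opened.
 *
 * title_txt receives the title; pm, if not NULL, receives the icon.
 * include_file_name adds the file name of the topmost project window.
 */
void FWWindow::buildEditorTitleAndIcon(libfwbuilder::FWObject *obj,
                                       ObjectEditor::OptType t,
                                       QString *title_txt,
                                       QPixmap *pm,
                                       bool include_file_name)
{
    QList<QMdiSubWindow*> subwindows =
        m_mainWindow->m_space->subWindowList(QMdiArea::StackingOrder);

    // last item is the topmost window; the list can be empty, in which
    // case there is no file name to show
    ProjectPanel *top_pp = NULL;
    if (!subwindows.isEmpty())
    {
        QMdiSubWindow *top_subw = subwindows.last();
        top_pp = dynamic_cast<ProjectPanel*>(top_subw->widget());
    }

    QStringList editor_title;
    Rule *rule = NULL;
    FWObject *ruleset = NULL;

    for (FWObject *o = obj; o; o = o->getParent())
    {
        if (Rule::cast(o))
        {
            rule = Rule::cast(o);
            editor_title.push_front(QString("rule #%1").arg(rule->getPosition()));
        } else
            editor_title.push_front(QString::fromUtf8(o->getName().c_str()));

        if (Library::cast(o)) break;
        if (RuleSet::cast(o)) ruleset = o;
    }

    if (include_file_name && top_pp != NULL)
        editor_title.push_front(QString("[%1]").arg(top_pp->getFileName()));
    else
        editor_title.push_front(" "); // to force '/' in front of object path

    *title_txt = editor_title.join(" / ");

    if (pm)
    {
        FWObject *obj_for_icon = (ruleset) ? ruleset : obj;
        if (rule && t == ObjectEditor::optAction)
        {
            QString icn = ":/Icons/" + getRuleAction(rule) + "/icon-big";
            LoadPixmap(icn, *pm); // in utils.cpp
        } else
            doSetObjectIcon(obj_for_icon, pm, 2); // big icon
    }
}

void FWWindow::blankEditor()
{
    m_mainWindow->editorDockWidget->setWindowTitle("");
    oe->blank();
}

FWObject* FWWindow::getOpenedEditor()
{
    return oe->getOpened();
}

ObjectEditor::OptType FWWindow::getOpenedOptEditor()
{
    return oe->getOpenedOpt();
}

/*
 * Shows the search tab of the editor panel with a search for o
 * already started.
 */
void FWWindow::findObject(FWObject *o)
{
    ProjectPanel *pp = activeProject();
    if (pp == NULL) return;

    attachEditorToProjectPanel(pp);
    findWhereUsedWidget->hide();
    findObjectWidget->findObject(o);
    m_mainWindow->editorPanelTabWidget->setCurrentIndex(EDITOR_PANEL_SEARCH_TAB); // search tab
    findObjectWidget->show();
    m_mainWindow->editorDockWidget->show();
}

/*
 * Shows the (empty) search tab of the editor panel.
 */
void FWWindow::search()
{
    ProjectPanel *pp = activeProject();
    if (pp == NULL) return;

    attachEditorToProjectPanel(pp);
    m_mainWindow->actionEditor_panel->setChecked(true);
    findWhereUsedWidget->hide();
    m_mainWindow->editorPanelTabWidget->setCurrentIndex(EDITOR_PANEL_SEARCH_TAB); // search tab
    findObjectWidget->show();
    m_mainWindow->editorDockWidget->show();
}

/*
 * Shows the "where used" widget in the search tab for obj, attached
 * to project panel pp.
 */
void FWWindow::findWhereUsed(FWObject * obj, ProjectPanel *pp)
{
    if (fwbdebug)
        qDebug() << "FWWindow::findWhereUsed findWhereUsedWidget="
                 << findWhereUsedWidget
                 << " project panel: " << pp;

    attachEditorToProjectPanel(pp);
    findObjectWidget->hide();
    m_mainWindow->editorPanelTabWidget->setCurrentIndex(EDITOR_PANEL_SEARCH_TAB); // search tab
    findWhereUsedWidget->show();
    findWhereUsedWidget->find(obj);
    m_mainWindow->editorDockWidget->show();
}

/*
 * TODO: deprecate this
 */
bool FWWindow::requestEditorOwnership(QWidget*,
                                      FWObject*,
                                      ObjectEditor::OptType,
                                      bool)
{
    return isEditorVisible();
}
fwbuilder-5.3.7/src/libgui/FWWindow_wrappers.cpp000066400000000000000000000301421303637203600217110ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2003, 2006 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.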
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectManipulator.h" #include "FWObjectClipboard.h" #include "FWBTree.h" #include "FWBSettings.h" #include "RuleSetView.h" #include "FindObjectWidget.h" #include "FindWhereUsedWidget.h" #include "events.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/Tools.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObject.h" #include /* * Methods in this module are just wrappers and call the same method * in the topmost object of the ProjectPanel class (MDI subwindow). * * TODO: see if most of these methods can be called directly using * pointer to the ProjectPanel object. Remove most, if not all, * wrappers in the FWWindow class. 
*/ using namespace libfwbuilder; using namespace std; using namespace Ui; /*************************************************************************/ bool FWWindow::saveIfModified() { if (activeProject()) return activeProject()->saveIfModified(); return false; } QString FWWindow::chooseNewFileName(const QString &fname, const QString &title) { if (activeProject()) return activeProject()->chooseNewFileName(fname,title); return ""; } void FWWindow::setFileName(const QString &fname) { if (activeProject()) activeProject()->setFileName(fname); } void FWWindow::fileProp() { if (activeProject()) activeProject()->fileProp(); } void FWWindow::fileSave() { if (activeProject()) { activeProject()->fileSave(); QCoreApplication::postEvent(this, new updateGUIStateEvent()); //prepareFileMenu(); } } void FWWindow::fileSaveAs() { if (activeProject()) { activeProject()->fileSaveAs(); QCoreApplication::postEvent(this, new updateGUIStateEvent()); //prepareFileMenu(); } } void FWWindow::fileCommit() { if (activeProject()) { activeProject()->fileCommit(); // reset actions, including Save() which should now // be inactive QCoreApplication::postEvent(this, new updateGUIStateEvent()); //prepareFileMenu(); } } /* * discard changes done to the file and check out clean copy of the * head revision from RCS */ void FWWindow::fileDiscard() { if (activeProject()) { activeProject()->fileDiscard(); QCoreApplication::postEvent(this, new updateGUIStateEvent()); //prepareFileMenu(); //prepareRulesMenu(); //updateGlobalToolbar(); } } void FWWindow::fileAddToRCS() { if (activeProject()) { activeProject()->fileAddToRCS(); QCoreApplication::postEvent(this, new updateGUIStateEvent()); //prepareFileMenu(); } } void FWWindow::load(QWidget*) { if (activeProject()) activeProject()->loadStandardObjects(); } void FWWindow::load(QWidget*, RCS *_rcs) { if (activeProject()) activeProject()->loadFromRCS(_rcs); } void FWWindow::save() { if (activeProject()) activeProject()->save(); } void FWWindow::loadLibrary(const 
string &libfpath) { if (activeProject()) activeProject()->loadLibrary(libfpath); } void FWWindow::fileImport() { if (activeProject()) { activeProject()->fileImport(); QCoreApplication::postEvent(this, new updateGUIStateEvent()); //prepareFileMenu(); //prepareRulesMenu(); //updateGlobalToolbar(); } } void FWWindow::fileCompare() { if (activeProject()) activeProject()->fileCompare(); } void FWWindow::findExternalRefs(FWObject *lib, FWObject *root, list &extRefs) { if (activeProject()) activeProject()->findExternalRefs(lib, root, extRefs); } bool FWWindow::checkin(bool unlock) { if (activeProject()) return activeProject()->checkin(unlock); return false; } void FWWindow::setSafeMode(bool f) { if (activeProject()) activeProject()->setSafeMode(f); } bool FWWindow::exportLibraryTest(list &selectedLibs) { /* VERY IMPORTANT: External library file must be self-contained, * otherwise it can not be exported. * * check if selected libraries have references to objects in other * libraries (not exported to the same file). Exporting such libraries * pulls in other ones because of these references. This is confusing * because it means we end up with multiple copies of such objects (in * exported library file and in user's data file). When user imports * this library and opens their file, it is impossible to say which * library an object belongs to. * * This is prohibited. We check if exported set of libraries has such * references and refuse to export it. The user is supposed to clean * it up by either moving objects into the library they are trying to * export, or by rearranging objects. The only exception for this is * library "Standard", which is assumed to be always present so we can * have references to objects in it. 
*/ if (activeProject()) return activeProject()->exportLibraryTest(selectedLibs); return false; } void FWWindow::exportLibraryTo(QString fname,list &selectedLibs, bool rof) { if (activeProject()) activeProject()->exportLibraryTo(fname,selectedLibs, rof); } void FWWindow::fileExport() { if (activeProject()) activeProject()->fileExport(); } int FWWindow::findFirewallInList(FWObject *f) { if (activeProject()) return activeProject()->findFirewallInList(f); return -1; } /* * There is a problem with using QTextBrowser widget or QTextEdit in * read-only mode in that QT for some reason disables Ctrl-C and other * basic copy/paste keyboard shortcuts when these widgets are * read-only. When user hits Ctrl-C when one of such widgets is * active, the program tries to copy object instead of expected effect * of copying text from the QTextEdit. */ void FWWindow::editCopy() { QWidget *w = QApplication::focusWidget(); if (fwbdebug) qDebug() << "FWWindow::editCopy" << w; if (w->inherits("QTextEdit")) { dynamic_cast(w)->copy(); return; } if (activeProject()) { activeProject()->editCopy(); } } void FWWindow::editCut() { if (activeProject()) { activeProject()->editCut(); } } void FWWindow::editDelete() { if (activeProject()) { activeProject()->editDelete(); } } void FWWindow::editPaste() { if (activeProject()) { activeProject()->editPaste(); } } void FWWindow::toggleViewObjectTree() { if (activeProject()) { activeProject()->toggleViewTree(m_mainWindow->actionObject_Tree->isChecked()); } } void FWWindow::toggleViewEditor() { if (m_mainWindow->actionEditor_panel->isChecked()) { if (activeProject()) openEditor(activeProject()->m_panel->om->getSelectedObject()); else m_mainWindow->editorDockWidget->show(); } else m_mainWindow->editorDockWidget->hide(); } void FWWindow::toggleViewUndo() { if (m_mainWindow->actionUndo_view->isChecked()) m_mainWindow->undoDockWidget->show(); else m_mainWindow->undoDockWidget->hide(); } void FWWindow::insertRule() { if (activeProject()) 
activeProject()->insertRule(); } void FWWindow::addRuleAfterCurrent() { if (activeProject()) activeProject()->addRuleAfterCurrent(); } void FWWindow::removeRule() { if (activeProject()) activeProject()->removeRule(); } void FWWindow::moveRule() { if (activeProject()) activeProject()->moveRule(); } void FWWindow::moveRuleUp() { if (activeProject()) activeProject()->moveRuleUp(); } void FWWindow::moveRuleDown() { if (activeProject()) activeProject()->moveRuleDown(); } void FWWindow::copyRule() { if (activeProject()) activeProject()->copyRule(); } void FWWindow::cutRule() { if (activeProject()) activeProject()->cutRule(); } void FWWindow::pasteRuleAbove() { if (activeProject()) activeProject()->pasteRuleAbove(); } void FWWindow::pasteRuleBelow() { if (activeProject()) activeProject()->pasteRuleBelow(); } void FWWindow::newObject() { if (activeProject()) { activeProject()->newObject(); } } // ObjectManipulator::lockObject calls // mw->reloadAllWindowsWithFile(activeProject()) to update // other windows void FWWindow::lockObject() { if (activeProject()) activeProject()->lockObject(); } // ObjectManipulator::unlockObject calls // mw->reloadAllWindowsWithFile(activeProject()) to update // other windows void FWWindow::unlockObject() { if (activeProject()) activeProject()->unlockObject(); } void FWWindow::setupAutoSave() { if (activeProject()) activeProject()->setupAutoSave(); } QString FWWindow::getCurrentFileName() { if (activeProject()) return activeProject()->getFileName(); return ""; } RCS * FWWindow::getRCS() { if (activeProject()) return activeProject()->getRCS(); return 0; } /* * reset tab via callback because calling setCurrentPage from * ruleSetTabChanged causes recursive call to ruleSetTabChanged */ void FWWindow::restoreRuleSetTab() { if (activeProject()) activeProject()->restoreRuleSetTab(); } FWObject* FWWindow::getCurrentLib() { if (activeProject()) return activeProject()->getCurrentLib(); return 0; } FWObject* FWWindow::createObject(const QString &objType, 
const QString &objName, FWObject *copyFrom) { /* Returns NULL when no project is open. */ FWObject *res = NULL; if (activeProject()) { res = activeProject()->createObject(objType, objName, copyFrom); } return res; } FWObject* FWWindow::createObject(FWObject *parent, const QString &objType, const QString &objName, FWObject *copyFrom) { FWObject *res = NULL; if (activeProject()) { res = activeProject()->createObject(parent, objType, objName, copyFrom); } return res; } void FWWindow::moveObject(FWObject *target, FWObject *obj) { if (activeProject()) { activeProject()->moveObject(target, obj); } } void FWWindow::moveObject(const QString &targetLibName, FWObject *obj) { if (activeProject()) { activeProject()->moveObject(targetLibName, obj); } } ObjectTreeView* FWWindow::getCurrentObjectTree() { if (activeProject()) return activeProject()->getCurrentObjectTree(); return 0; } void FWWindow::findAllFirewalls (std::list &fws) { if (activeProject()) activeProject()->findAllFirewalls (fws); } void FWWindow::showDeletedObjects(bool f) { if (activeProject()) activeProject()->showDeletedObjects(f); } /* void FWWindow::select() { if (activeProject()) activeProject()->select(); } void FWWindow::unselect() { if (activeProject()) activeProject()->unselect(); } */ /* db() returns NULL and printHeader() an empty string when no project is open. */ FWObjectDatabase* FWWindow::db() { if (activeProject()) return activeProject()->db(); return NULL; } QString FWWindow::printHeader() { if (activeProject()) return activeProject()->printHeader(); return ""; } bool FWWindow::editingLibrary() { if (activeProject()) return activeProject()->editingLibrary(); return false; } /* NOTE(review): the text that follows is a tar member header left by extraction; FilterDialog.cpp begins at the license block. */ fwbuilder-5.3.7/src/libgui/FilterDialog.cpp000066400000000000000000000345531303637203600206370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "VERSION.h" #include "FilterDialog.h" #include "ObjectManipulator.h" #include "ObjectDescriptor.h" #include "FWBSettings.h" #include "fwbuilder/Library.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/XMLTools.h" /* NOTE(review): the system header names in the includes below were lost in extraction (angle-bracket text stripped). */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; /* Dialog that edits a Filter (a list of name/address patterns). m_dialog owns the generated Ui form and is freed in the destructor. */ FilterDialog::FilterDialog(QWidget *parent) : QDialog(parent) { m_dialog = new Ui::FilterDialog_q; m_dialog->setupUi(this); } FilterDialog::~FilterDialog() { delete m_dialog; } /* setFilter(): stores the caller's Filter pointer; update() writes the edited filter back through it. The commented-out block is the old single-pattern initialisation. */ void FilterDialog::setFilter(Filter * f) { flt=f; /* QString p_n; QString p_a; int f_a,f_n,f_w,f_c; f_w=flt->isWildcard(); f_c=flt->isCaseSens(); f_a=flt->flt_addr; f_n=flt->flt_name; p_a=flt->getAddrPattern(); p_n=flt->getNamePattern(); init(f_w,f_c,f_a,f_n,p_a,p_n); */ //table->setColumnStretchable(2,true); } /* apply(): commits the row being edited, then requires every row to compile into a valid QRegExp (validate()) before the filter is stored and the dialog accepted; otherwise an error box is shown and the dialog stays open. */ void FilterDialog::apply() { updateData(); if (validate()) { update(); accept(); } else { QMessageBox::critical(this,tr("Filter error"),tr("Invalid RegExp.") ); } } /* save(): writes the table to a small XML file (root FWB_FILTER with one FWB_FILTER_ITEM child per row). The file name comes from a save dialog, defaulting to the last loaded file's directory. Pattern text and the path are converted with toLatin1(), so non-Latin-1 characters are not preserved. */ void FilterDialog::save() { QString dir = LastFile; if (dir.isEmpty()) dir = st->getOpenFileDir(); QString s = 
QFileDialog::getSaveFileName( this, "Save file dialog", dir, "FWBuilder filter files (*.fwf)"); if (s.isEmpty()) return; st->setOpenFileDir(s); if (!s.endsWith(".fwf")) s += ".fwf"; xmlDocPtr doc; xmlNodePtr node; //xmlNodePtr tree; doc = xmlNewDoc(TOXMLCAST("1.0")); doc->children = xmlNewDocNode(doc, NULL, TOXMLCAST("FWB_FILTER"), NULL); xmlSetProp(doc->children, TOXMLCAST("version"), TOXMLCAST( VERSION )); xmlSetProp(doc->children, TOXMLCAST("CaseSensitive"), TOXMLCAST( ((m_dialog->case_sensitive->isChecked())?"1":"0") )); xmlSetProp(doc->children, TOXMLCAST("Match"), TOXMLCAST( QString("%1").arg(m_dialog->combo->currentIndex()).toLatin1().constData() )); QString buf; int n=m_dialog->table->rowCount(); /* NOTE(review): the loop header and the statement that assigns node were lost in extraction; the text here is not complete code. Each row becomes an FWB_FILTER_ITEM with Target, Type and Pattern attributes. */ for (int i=0;ichildren, NULL, TOXMLCAST("FWB_FILTER_ITEM"), NULL); buf=QString("%1").arg(((QComboBox*)m_dialog->table->cellWidget(i,0))->currentIndex()); xmlSetProp(node,(const xmlChar*) "Target", TOXMLCAST(buf.toLatin1().constData()) ); buf=QString("%1").arg(((QComboBox*)m_dialog->table->cellWidget(i,1))->currentIndex()); xmlSetProp(node, (const xmlChar*) "Type", TOXMLCAST(buf.toLatin1().constData()) ); xmlSetProp(node, (const xmlChar*) "Pattern", TOXMLCAST(m_dialog->table->item(i,2)->text().toLatin1().constData())); } /* NOTE(review): xmlSaveFile() returns -1 on failure but its result is discarded, so a write error (unwritable directory, full disk) is silent to the user. */ xmlSaveFile(s.toLatin1().constData(),doc); xmlFreeDoc(doc); } /* load(): parses a user-chosen .fwf file and rebuilds the table from it; attribute values are used as they appear in the file. NOTE(review): xmlParseFile() is called with default parser options on a user-supplied document; xmlReadFile() with XML_PARSE_NONET would keep a crafted file from making the parser fetch external resources (confirm against the libxml2 version in use). Note also the early-return paths below: the root-element check frees the document, the parse-failure path has nothing to free. */ void FilterDialog::load() { QString s = QFileDialog::getOpenFileName( this, "Open file dialog", st->getOpenFileDir(), "FWBuilder filter files (*.fwf)"); if (s.isEmpty()) return; st->setOpenFileDir(s); xmlDocPtr doc=xmlParseFile(s.toLatin1().constData()); //TODO: use local codepage if (doc == NULL) { qDebug("Document not parsed successfully."); return; } xmlNodePtr node= xmlDocGetRootElement(doc); if (node == NULL) { qDebug("empty document"); xmlFreeDoc(doc); return; } if (xmlStrcmp(node->name,(const xmlChar*) "FWB_FILTER")) { qDebug("document of the wrong type. 
(FWB_FILTER)"); xmlFreeDoc(doc); return; } xmlChar *xmlbuf; QString qbuf; xmlbuf=xmlGetProp(node,(const xmlChar*) "CaseSensitive"); qbuf=FROMXMLCAST(xmlbuf); FREEXMLBUFF(xmlbuf); m_dialog->case_sensitive->setChecked(qbuf.toInt()); xmlbuf=xmlGetProp(node,(const xmlChar*) "Match"); qbuf=FROMXMLCAST(xmlbuf); FREEXMLBUFF(xmlbuf); m_dialog->combo->setCurrentIndex(qbuf.toInt()); node=node->xmlChildrenNode; while (node != NULL) { if (xmlStrcmp(node->name,(const xmlChar*) "FWB_FILTER_ITEM")) { qDebug("document of the wrong type. (FWB_FILTER_ITEM)"); xmlFreeDoc(doc); return; } addPattern(); int n=m_dialog->table->rowCount()-1; xmlbuf=xmlGetProp(node,(const xmlChar*) "Target"); qbuf=FROMXMLCAST(xmlbuf); FREEXMLBUFF(xmlbuf); ((QComboBox*)m_dialog->table->cellWidget(n,0))->setCurrentIndex( qbuf.toInt()); xmlbuf=xmlGetProp(node,(const xmlChar*) "Type"); qbuf=FROMXMLCAST(xmlbuf); FREEXMLBUFF(xmlbuf); ((QComboBox*)m_dialog->table->cellWidget(n,1))->setCurrentIndex( qbuf.toInt()); xmlbuf=xmlGetProp(node,(const xmlChar*) "Pattern"); qbuf=FROMXMLCAST(xmlbuf); FREEXMLBUFF(xmlbuf); m_dialog->table->item(n,2)->setText(qbuf); node=node->next; } LastFile=s; } void FilterDialog::update() { QRegExp r; Filter newflt; newflt.setMatchAny(m_dialog->combo->currentIndex()); newflt.setCaseSens(m_dialog->case_sensitive->isChecked()); newflt.clear(); int n=m_dialog->table->rowCount(); for(int i=0; itable->cellWidget(i,0))->currentIndex()) { case FWF_ADDRESS: { newflt.addAddrRegExp(r); break; } case FWF_NAME: { newflt.addNameRegExp(r); break; } default : { } } } if (newflt.isValid()) { *flt=newflt; } /* bool res=false; Filter newflt; newflt.setAddrPattern( addresspattern->text()); newflt.setNamePattern( namepattern->text()); newflt.setWildcard( radioButton1->isChecked()); newflt.setCaseSens( casesens->isChecked()); newflt.flt_name = name_checkbox->isChecked(); newflt.flt_addr = addr_checkbox->isChecked(); if (newflt.isValid()) { *flt=newflt; res=true; } return res; */ } bool FilterDialog::validate() 
{ /* validate(): constructs each row's QRegExp and selects the first row whose pattern is not valid (loop header lost in extraction). */ bool res=true; QRegExp r; int n=m_dialog->table->rowCount(); for(int i=0; itable->selectRow(i); return res; } } return res; } /* constructRegExp(): builds the QRegExp for table row p from the type combo (column 1) and the pattern cell (column 2). "Contains" and "Matches Wildcard" use wildcard syntax; the others are regexps, anchored with ^ and/or $ for equal/starts/ends. Case sensitivity follows the dialog checkbox. NOTE(review): for "Is equal to", "Starts with" and "Ends with" the user text is inserted into the regexp unescaped, so regexp metacharacters in it are interpreted rather than matched literally; QRegExp::escape() would give literal semantics if that is what the labels promise. The text also goes through toLatin1(), which loses non-Latin-1 characters. */ QRegExp FilterDialog::constructRegExp(int p) { QRegExp r; QString buf; r.setCaseSensitivity((m_dialog->case_sensitive->isChecked())? Qt::CaseSensitive:Qt::CaseInsensitive); switch(((QComboBox*)m_dialog->table->cellWidget(p,1))->currentIndex()) { case FWF_CONTAINS: { r.setPatternSyntax(QRegExp::Wildcard); buf=m_dialog->table->item(p,2)->text().toLatin1().constData(); break; } case FWF_IS_EQUAL_TO: { r.setPatternSyntax(QRegExp::RegExp); buf="^"; buf+=m_dialog->table->item(p,2)->text().toLatin1().constData(); buf+="$"; break; } case FWF_STARTS_WITH: { r.setPatternSyntax(QRegExp::RegExp); buf="^"; buf+=m_dialog->table->item(p,2)->text().toLatin1().constData(); break; } case FWF_ENDS_WITH: { r.setPatternSyntax(QRegExp::RegExp); buf=m_dialog->table->item(p,2)->text().toLatin1().constData(); buf+="$"; break; } case FWF_MATCHES_WILDCARD: { r.setPatternSyntax(QRegExp::Wildcard); buf=m_dialog->table->item(p,2)->text().toLatin1().constData(); break; } case FWF_MATCHES_REGEXP: { r.setPatternSyntax(QRegExp::RegExp); buf=m_dialog->table->item(p,2)->text().toLatin1().constData(); break; } default : { } } r.setPattern(buf); return r; } /* addPattern(): appends an empty row. Column 0 gets a target combo (Name, Address — same order as FWF_NAME/FWF_ADDRESS), column 1 a type combo in FWF_CONTAINS..FWF_MATCHES_REGEXP order, column 2 an editable pattern cell. updateData() is called first to commit the row being edited. */ void FilterDialog::addPattern() { updateData(); QStringList trg; trg+=tr("Name"); trg+=tr("Address"); QStringList tp; tp+=tr("Contains"); tp+=tr("Is equal to"); tp+=tr("Starts with"); tp+=tr("Ends with"); tp+=tr("Matches Wildcard"); tp+=tr("Matches RegExp"); int n=m_dialog->table->rowCount(); m_dialog->table->setRowCount(n+1); QComboBox *cb = new QComboBox(m_dialog->table); cb->addItems(trg); m_dialog->table->setCellWidget(n,0,cb); cb = new QComboBox(m_dialog->table); cb->addItems(tp); m_dialog->table->setCellWidget(n,1,cb); QTableWidgetItem *itm = new QTableWidgetItem; itm->setFlags(itm->flags() | Qt::ItemIsEditable); m_dialog->table->setItem(n,2,itm); /*m_dialog->table->setItem(n,0,new 
QTableWidgetItem(m_dialog->table,trg)); m_dialog->table->setItem(n,1,new QTableWidgetItem(m_dialog->table,tp)); //table->setItem(n,2,new QTableWidgetItem(table,QTableWidgetItem::Always)); m_dialog->table->setItem(n,2,new QTableWidgetItem(m_dialog->table,QTableWidgetItem::WhenCurrent,""));*/ } /* removePattern(): removes the current row. NOTE(review): currentRow() is -1 when nothing is selected; removeRow(-1) is presumably ignored by QTableWidget — confirm that is the intended behaviour. */ void FilterDialog::removePattern() { int r=m_dialog->table->currentRow(); m_dialog->table->removeRow(r); } void FilterDialog::clearPatterns() { m_dialog->table->setRowCount(0); // for (int i=table->rowCount()-1;i>0;i--) // table->removeRow(i); } /* updateData(): meant to commit an in-progress cell widget for column 2 of the current row. NOTE(review): addPattern() only installs cell widgets in columns 0 and 1, so cellWidget(row,2) is NULL and the body never runs; if it did, item(row,2) can be NULL when row is -1. */ void FilterDialog::updateData() { int row=m_dialog->table->currentRow(); QTableWidgetItem * item=m_dialog->table->item(row,2); QWidget * w =m_dialog->table->cellWidget (row,2 ); if (w) item->setText ( ((QComboBox*)w)->currentText() ); } //------------------------------------------------------------------ /* Filter: two lists of QRegExp (name patterns, address patterns) plus the CaseSensitive and MatchAny flags; declared in FilterDialog.h. */ bool Filter::isCaseSens() { return CaseSensitive; } void Filter::addNameRegExp(const QRegExp &r) { name_patterns.push_back(r); } void Filter::addAddrRegExp(const QRegExp &r) { addr_patterns.push_back(r); } /* NOTE(review): the indexed accessors below do not range-check p. */ QString Filter::getNamePatternString(int p) { return name_patterns[p].pattern(); } QString Filter::getAddrPatternString(int p) { return addr_patterns[p].pattern(); } int Filter::getNamePatternsNumber() { return name_patterns.size(); } int Filter::getAddrPatternsNumber() { return addr_patterns.size(); } bool Filter::isNameWildcard(int p) { return name_patterns[p].patternSyntax() == QRegExp::Wildcard; } bool Filter::isAddrWildcard(int p) { return addr_patterns[p].patternSyntax() == QRegExp::Wildcard; } /* Member-wise copy of both pattern lists and both flags. */ Filter & Filter::operator=(const Filter& f) { addr_patterns=f.addr_patterns; name_patterns=f.name_patterns; CaseSensitive=f.CaseSensitive; MatchAny=f.MatchAny; return *this; } /* void FilterDialog::closeEvent(QCloseEvent *e) { if (fwbdebug) qDebug("FilterDialog::closeEvent got close event: %p",e); hide(); } */ /* Defaults: case-sensitive, match-any (OR of the address and name tests in test()). */ Filter::Filter() { CaseSensitive=true; MatchAny=true; } Filter::~Filter() { } void Filter::addNamePattern(const QString &s,bool 
wc) { /* NOTE(review): addNamePattern/addAddrPattern always build a case-sensitive QRegExp, ignoring the CaseSensitive flag; FilterDialog::update() uses addNameRegExp/addAddrRegExp with a prebuilt QRegExp instead, so the flag is honoured on that path only. */ name_patterns.push_back(QRegExp(s,Qt::CaseSensitive,wc?QRegExp::Wildcard:QRegExp::RegExp)); } void Filter::addAddrPattern(const QString &s,bool wc) { addr_patterns.push_back(QRegExp(s,Qt::CaseSensitive,wc?QRegExp::Wildcard:QRegExp::RegExp)); } void Filter::clear() { name_patterns.clear(); addr_patterns.clear(); } void Filter::setCaseSens(bool b) { CaseSensitive=b; } void Filter::setMatchAny(bool b) { MatchAny=b; } bool Filter::isMatchAny () { return MatchAny; } /* testName()/testAddr(): with no patterns of this kind the result depends only on whether the other list is empty and on MatchAny. Otherwise each pattern is tried in turn and the loop short-circuits: under MatchAny the first hit returns true, otherwise the first miss returns false; falling off the end returns !MatchAny. (Loop headers were lost in extraction.) */ bool Filter::testName(const QString &s) { int cmp; if (name_patterns.isEmpty()) { return addr_patterns.isEmpty() || !MatchAny; } for (int i=0;i=0) return true; } else { if(cmp<0) return false; } } return !MatchAny; } bool Filter::testAddr(const QString &s) { int cmp; if (addr_patterns.isEmpty()) { return (name_patterns.isEmpty() || !MatchAny); } for (int i=0;i=0) return true; } else { if(cmp<0) return false; } } return !MatchAny; } /* test(): OR of the address and name tests when MatchAny, AND otherwise. */ bool Filter::test(const ObjectDescriptor &od) { QString name=od.sysname.c_str(); QString addr=od.addr.toString().c_str(); return (MatchAny)? testAddr(addr) || testName(name): testAddr(addr) && testName(name); } /* NOTE(review): isValid() always returns true (the TODO below is unresolved), so FilterDialog::update() never rejects a filter here; pattern validation happens in FilterDialog::validate(). */ bool Filter::isValid() { bool res=true; //TODO: Filter validity test return res; } /* NOTE(review): tar member header follows; FilterDialog.h begins at the license block. */ fwbuilder-5.3.7/src/libgui/FilterDialog.h000066400000000000000000000054251303637203600203020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FILTERDIALOG_H_ #define __FILTERDIALOG_H_ #include "config.h" #include #include "fwbuilder/FWObject.h" #include "fwbuilder/Resources.h" #include #include class QRegExp; class ObjectDescriptor; /* Combo box indexes used by FilterDialog: match mode, pattern target (table column 0) and pattern type (column 1); constructRegExp() switches on the last, update() on the target. */ enum {FWF_ANY = 0, FWF_ALL = 1}; enum {FWF_NAME = 0,FWF_ADDRESS = 1}; enum {FWF_CONTAINS = 0, FWF_IS_EQUAL_TO = 1, FWF_STARTS_WITH = 2, FWF_ENDS_WITH =3, FWF_MATCHES_WILDCARD = 4, FWF_MATCHES_REGEXP = 5}; /* Filter: two pattern lists (name, address) and the CaseSensitive / MatchAny flags; implemented in FilterDialog.cpp. NOTE(review): the QVector element type was lost in extraction; the accessors treat the elements as QRegExp. */ class Filter { private: bool CaseSensitive; bool MatchAny; QVector addr_patterns; QVector name_patterns; public: Filter(); ~Filter(); void addNamePattern(const QString &s,bool wc); void addNameRegExp(const QRegExp &r); void addAddrPattern(const QString &s,bool wc); void addAddrRegExp(const QRegExp &r); void setCaseSens(bool b); bool isCaseSens (); void setMatchAny(bool b); bool isMatchAny (); bool testName(const QString &s); bool testAddr(const QString &s); bool test(const ObjectDescriptor &od); bool isValid(); void clear(); int getNamePatternsNumber(); int getAddrPatternsNumber(); QString getNamePatternString(int p); QString getAddrPatternString(int p); bool isNameWildcard(int p); bool isAddrWildcard(int p); Filter& operator=(const Filter& f); }; /* Editor dialog for a Filter. flt points at the caller's Filter and is written by update(); LastFile remembers the last loaded .fwf path. NOTE(review): the private update() hides QWidget::update(); a call intended to repaint the dialog resolves to this method instead. */ class FilterDialog : public QDialog { Q_OBJECT private: Filter * flt; Ui::FilterDialog_q *m_dialog; bool validate(); void update(); QString LastFile; QRegExp constructRegExp(int p); public: FilterDialog(QWidget *parent); ~FilterDialog(); void setFilter(Filter *); public slots: virtual void apply(); virtual void save(); virtual void load(); virtual void addPattern(); virtual void removePattern(); virtual void clearPatterns(); virtual void updateData(); }; #endif /* NOTE(review): tar member header follows; FilterLineEdit.cpp begins at the Trolltech header. */ fwbuilder-5.3.7/src/libgui/FilterLineEdit.cpp000066400000000000000000000034721303637203600211330ustar00rootroot00000000000000/**************************************************************************** ** ** 
Copyright (c) 2007 Trolltech ASA ** ** Use, modification and distribution is allowed without limitation, ** warranty, liability or support of any kind. ** ****************************************************************************/ #include "FilterLineEdit.h" #include #include /* QLineEdit with an embedded clear button (icon ":/Icons/neg2") that is visible only while the text is non-empty. The style sheet adds right padding and the minimum size is raised so the button never overlaps the text. */ FilterLineEdit::FilterLineEdit(QWidget *parent) : QLineEdit(parent) { clearButton = new QToolButton(this); QPixmap pixmap(":/Icons/neg2"); clearButton->setIcon(QIcon(pixmap)); clearButton->setIconSize(pixmap.size()); clearButton->setCursor(Qt::ArrowCursor); clearButton->setStyleSheet("QToolButton { border: none; padding: 0px; }"); clearButton->hide(); connect(clearButton, SIGNAL(clicked()), this, SLOT(clear())); connect(this, SIGNAL(textChanged(const QString&)), this, SLOT(updateCloseButton(const QString&))); int frameWidth = style()->pixelMetric(QStyle::PM_DefaultFrameWidth); setStyleSheet(QString("QLineEdit { padding-right: %1px; } ").arg(clearButton->sizeHint().width() + frameWidth + 1)); QSize msz = minimumSizeHint(); setMinimumSize(qMax(msz.width(), clearButton->sizeHint().height() + frameWidth * 2 + 2), qMax(msz.height(), clearButton->sizeHint().height() + frameWidth * 2 + 2)); } /* Keeps the clear button at the right edge of the field, vertically centred. */ void FilterLineEdit::resizeEvent(QResizeEvent *) { QSize sz = clearButton->sizeHint(); int frameWidth = style()->pixelMetric(QStyle::PM_DefaultFrameWidth); clearButton->move(rect().right() - frameWidth - sz.width(), (rect().bottom() + 1 - sz.height())/2); } /* Slot for textChanged(): show the button only when there is text to clear. */ void FilterLineEdit::updateCloseButton(const QString& text) { clearButton->setVisible(!text.isEmpty()); } /* NOTE(review): tar member header follows; FilterLineEdit.h begins at the Trolltech header. */ fwbuilder-5.3.7/src/libgui/FilterLineEdit.h000066400000000000000000000013271303637203600205750ustar00rootroot00000000000000/**************************************************************************** ** ** Copyright (c) 2007 Trolltech ASA ** ** Use, modification and distribution is allowed without limitation, ** warranty, liability or support of any kind. 
** ****************************************************************************/ #ifndef FilterLineEdit_h #define FilterLineEdit_h #include class QToolButton; /* Declaration for FilterLineEdit.cpp: a QLineEdit owning a QToolButton used as a clear control; updateCloseButton() is the textChanged() slot. */ class FilterLineEdit : public QLineEdit { Q_OBJECT public: FilterLineEdit(QWidget *parent = 0); protected: void resizeEvent(QResizeEvent *); private slots: void updateCloseButton(const QString &text); private: QToolButton *clearButton; }; #endif /* FilterLineEdit_h */ /* NOTE(review): tar member header follows; FindObjectWidget.cpp begins at the license block. */ fwbuilder-5.3.7/src/libgui/FindObjectWidget.cpp000066400000000000000000000566301303637203600214470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "definitions.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "FindObjectWidget.h" #include "FWWindow.h" #include "FWObjectDropArea.h" #include "FWBTree.h" #include "FWBSettings.h" #include "ObjectTreeView.h" #include "RuleSetView.h" #include "ObjectEditor.h" #include "ProjectPanel.h" #include "FWCmdChange.h" #include "events.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/MultiAddress.h" #include "fwbuilder/Interface.h" #include "fwbuilder/AddressRange.h" /* NOTE(review): the system header names in the includes below were lost in extraction. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; /* Upper bound on the number of remembered search strings kept in the findAttr combo box. */ #define MAX_SEARCH_ITEMS_COUNT 10 /* Thrown by _replaceCurrent() when the user chooses Stop on a read-only parent; replaceAll() catches it to end the batch. */ class FindAndReplaceError : public FWException { public: FindAndReplaceError(const string &err) : FWException(err) {} }; /* Search / replace panel. Restores the saved scope index from settings, starts with the replace buttons disabled and wires the "find" drop area's objectDeleted() signal to the objectDeleted() slot. */ FindObjectWidget::FindObjectWidget(QWidget*p, ProjectPanel *pp, const char * n, Qt::WindowFlags f) : QWidget(p,f) { project_panel = pp; m_widget = new Ui::findObjectWidget_q; m_widget->setupUi(this); setObjectName(n); replaceDisable(); m_widget->srScope->setCurrentIndex( st->getInt(SETTINGS_PATH_PREFIX"/Search/Scope")); m_widget->findDropArea->setHelperText( tr("Drop object you want to find here")); m_widget->replaceDropArea->setHelperText( tr("Drop object to replace with here")); connect(m_widget->findDropArea, SIGNAL(objectDeleted()), this, SLOT(objectDeleted())); } /* Enter / Return in the panel runs find(); other keys are not handled here. */ void FindObjectWidget::keyPressEvent( QKeyEvent* ev ) { if (ev->key()==Qt::Key_Enter || ev->key()==Qt::Key_Return) { if (fwbdebug) qDebug() << 
"FindObjectWidget::keyPressEvent Qt::Key_Enter"; ev->accept(); find(); return; } } void FindObjectWidget::findObject(FWObject *o) { if (fwbdebug) qDebug("FindObjectWidget::findObject"); show(); m_widget->findDropArea->insertObject(o); } void FindObjectWidget::enableAll() { m_widget->useRegexp->setEnabled (true); m_widget->findAttr->setEnabled (true); m_widget->attribute->setEnabled (true); } void FindObjectWidget::disableAll() { m_widget->useRegexp->setEnabled (false); m_widget->findAttr->setEnabled (false); m_widget->attribute->setEnabled (false); } void FindObjectWidget::objectInserted() { FWObject *o = m_widget->findDropArea->getObject(); if (o == NULL) return; // disableAll(); // see #1757 QString n = QString::fromUtf8(o->getName().c_str()); m_widget->findAttr->blockSignals(true); if (m_widget->findAttr->count()>=MAX_SEARCH_ITEMS_COUNT) m_widget->findAttr->removeItem(MAX_SEARCH_ITEMS_COUNT-1); m_widget->findAttr->lineEdit()->setText(n); m_widget->findAttr->blockSignals(false); reset(); } void FindObjectWidget::reset() { lastFound = NULL; lastAttrSearch = ""; found_objects.clear(); } void FindObjectWidget::clear() { m_widget->findDropArea->deleteObject(); m_widget->replaceDropArea->deleteObject(); lastFound = NULL; lastAttrSearch = ""; found_objects.clear(); } /** * This slot is called when user deletes an object from the "find" * drop area. 
See #1785 */ void FindObjectWidget::objectDeleted() { m_widget->findAttr->blockSignals(true); m_widget->findAttr->lineEdit()->setText(""); m_widget->findAttr->blockSignals(false); } /** * This slot is called when @attribute or @findAttr fields change * (that is, whenever user changes attribute they want to match or type * in the input field to change the value) */ void FindObjectWidget::findAttrChanged(const QString &ns) { if (ns!=lastAttrSearch) reset(); lastAttrSearch = ns; m_widget->findDropArea->blockSignals(true); m_widget->findDropArea->deleteObject(); // for #1757 m_widget->findDropArea->blockSignals(false); } /* find(): pushes a new search string onto the findAttr history (capped at MAX_SEARCH_ITEMS_COUNT), then delegates to findNext(). Does nothing when both the text and the drop area are empty. */ void FindObjectWidget::find() { if (m_widget->findAttr->currentText().isEmpty() && m_widget->findDropArea->isEmpty()) return; if (m_widget->findAttr->currentText() != m_widget->findAttr->itemText(0)) { if (m_widget->findAttr->count()>=MAX_SEARCH_ITEMS_COUNT) m_widget->findAttr->removeItem(MAX_SEARCH_ITEMS_COUNT-1); m_widget->findAttr->insertItem(0, m_widget->findAttr->lineEdit()->text()); if (fwbdebug) qDebug("FindObjectWidget::find() : m_widget->findAttr->text(0)=%s", m_widget->findAttr->itemText(0).toLatin1().constData()); } findNext(); } /* matchID(): true when no object was dropped, otherwise compares ids with the dropped object. */ bool FindObjectWidget::matchID(int id) { if (m_widget->findDropArea->isEmpty()) return true; int s_id = m_widget->findDropArea->getObject()->getId(); return s_id==id; } /* matchAttr(): attribute search driven by the attribute combo (0 name or interface label, 1 address, 2 port, 3 protocol number, 4 icmp type); a dropped object makes this a pass-through so matchID() decides. NOTE(review): in regexp mode the user string is compiled into a QRegExp on every call, i.e. once per object visited by _findAll(); building it once per search would avoid the repeated compile. */ bool FindObjectWidget::matchAttr(FWObject *obj) { if (!m_widget->findDropArea->isEmpty()) return true; QString s = m_widget->findAttr->currentText(); if (s.isEmpty()) return true; bool res = false; int attrN = m_widget->attribute->currentIndex(); switch (attrN) { case 0: // Name or label { QString name = QString::fromUtf8( obj->getName().c_str() ); QString label; if (Interface::isA(obj)) label = QString::fromUtf8( Interface::cast(obj)->getLabel().c_str() ); if (m_widget->useRegexp->isChecked()) { res = (name.indexOf( QRegExp(s) )!=-1 || (!label.isEmpty() && label.indexOf( QRegExp(s) )!=-1)); } else { res = (name == s || (!label.isEmpty() && label == 
s)); } //res= ( name == s ); break; } /* Address: in exact mode an AddressRange matches when the typed address equals either end or lies strictly between them; input containing "/" skips the range check. The break inside that branch leaves the switch, so the plain Address comparison below is not reached for ranges. NOTE(review): InetAddr(af, s.toStdString()) is built from raw user input with no try/catch here; if it throws on an unparsable address the exception propagates out of find() — confirm the constructor's behaviour. */ case 1: // Address { if ( ! m_widget->useRegexp->isChecked()) { AddressRange *ar = AddressRange::cast(obj); if (ar) { const InetAddr &inet_addr_start = ar->getRangeStart(); const InetAddr &inet_addr_end = ar->getRangeEnd(); // if address entered by the user has /NN perfix length or // /255.255.255.0 netmask, do not match it to address ranges if ( ! s.contains("/")) { int af = AF_INET; if (s.contains(':')) af = AF_INET6; InetAddr addr = InetAddr(af, s.toStdString()); res = (inet_addr_start == addr || inet_addr_end == addr || (inet_addr_start < addr && addr < inet_addr_end)); break; } } } Address *a = Address::cast(obj); if (a!=NULL) { const InetAddr *inet_addr = a->getAddressPtr(); if (inet_addr) { QString addr = inet_addr->toString().c_str(); if (m_widget->useRegexp->isChecked()) res = ( addr.indexOf( QRegExp(s) )!=-1 ); else res= ( addr == s ); } //res= ( addr == s ); } break; } /* Port: TCP/UDP services match when any of the four range ends matches; exact mode requires the text to parse as an int. */ case 2: // port if (TCPService::cast(obj)!=NULL || UDPService::cast(obj)!=NULL) { if (m_widget->useRegexp->isChecked()) { QString port; port.setNum(TCPUDPService::cast(obj)->getSrcRangeStart()); res |= ( port.indexOf( QRegExp(s) )!=-1 ); port.setNum(TCPUDPService::cast(obj)->getSrcRangeEnd()); res |= ( port.indexOf( QRegExp(s) )!=-1 ); port.setNum(TCPUDPService::cast(obj)->getDstRangeStart()); res |= ( port.indexOf( QRegExp(s) )!=-1 ); port.setNum(TCPUDPService::cast(obj)->getDstRangeEnd()); res |= ( port.indexOf( QRegExp(s) )!=-1 ); } else { bool conversion_status = false; int port = s.toInt(&conversion_status); res |= (conversion_status && (port == TCPUDPService::cast(obj)->getSrcRangeStart())); res |= (conversion_status && (port == TCPUDPService::cast(obj)->getSrcRangeEnd())); res |= (conversion_status && (port == TCPUDPService::cast(obj)->getDstRangeStart())); res |= (conversion_status && (port == TCPUDPService::cast(obj)->getDstRangeEnd())); } break; } break; case 3: // protocol num. 
if (IPService::cast(obj)!=NULL) { if (m_widget->useRegexp->isChecked()) { QString proto; proto.setNum(obj->getInt("protocol_num")); res |= ( proto.indexOf( QRegExp(s) )!=-1 ); } else { bool conversion_status = false; int proto = s.toInt(&conversion_status); res |= (conversion_status && (proto == obj->getInt("protocol_num"))); } break; } break; /* ICMP type: same shape as the protocol case, on the "type" attribute. */ case 4: // icmp type if (ICMPService::cast(obj)!=NULL) { if (m_widget->useRegexp->isChecked()) { QString icmptype; icmptype.setNum(obj->getInt("type")); res |= ( icmptype.indexOf( QRegExp(s) )!=-1 ); } else { bool conversion_status = false; int icmptype = s.toInt(&conversion_status); res |= (conversion_status && (icmptype == obj->getInt("type"))); } break; } break; } return res; } /* * Walks the whole tree and fills found_objects list */ /* _findAll(): one pass over project_panel->db(), filtered by the scope combo: 0 = tree only, 1 = tree and all rules, 2 = rules only, 3 = rules of the selected firewall. References are resolved for matching, but the reference itself is what gets stored so a hit inside a rule can be located later. */ void FindObjectWidget::_findAll() { treeSeeker = project_panel->db()->tree_begin(); for (; treeSeeker != project_panel->db()->tree_end(); ++treeSeeker) { FWObject *o = *treeSeeker; if( RuleElement::cast(o->getParent())!=NULL) { if (m_widget->srScope->currentIndex()==3) // scope == selected firewalls { if ( !inSelectedFirewall(RuleElement::cast(o->getParent())) ) { continue; } } else if (m_widget->srScope->currentIndex()==0) continue ; // scope == tree only } else { /* if not in rules, then in the tree. */ if (m_widget->srScope->currentIndex()>1) continue; // scope in (firewalls only , selected firewalls) } FWObject *obj = o; if (FWReference::cast(o)!=NULL) { FWReference *r = FWReference::cast(o); obj = r->getPointer(); } if (matchAttr(obj) && matchID(obj->getId())) { // If object we have found belongs to the deleted objects lib // but this library is hidden, don't show it. 
if (obj->getLibrary()->getId() == FWObjectDatabase::DELETED_OBJECTS_ID && !st->getBool("UI/ShowDeletedObjects")) continue; // Note that if o is a reference, we should add reference // to found_objects found_objects.push_back(o); } } } /* * Group::duplicateForUndo(), which is used in FWCmdChange::redo() and * undo() breaks FWObject::tree_iterator because it adds or removes * objects to groups. To work around this problem, we fill list * found_objects on the first call to findNext() and then just iterate * over items in this list later. */ /* findNext(): shows the next cached hit. selectedFirewall is derived from the currently open rule set on every call (scope 3 needs it). An empty cache triggers _findAll() under a wait cursor; reaching the end asks the user whether to wrap, and "Continue at top" re-enters at the loop label. NOTE(review): with zero matches the wrap path re-runs _findAll() each time the user chooses to continue. */ void FindObjectWidget::findNext() { if (fwbdebug) qDebug("FindObjectWidget::findNext"); if ( m_widget->findAttr->currentText().isEmpty() && m_widget->findDropArea->isEmpty()) return; if (m_widget->findAttr->count()>MAX_SEARCH_ITEMS_COUNT) m_widget->findAttr->removeItem(0); FWObject *o = NULL; // if scope is "policies of opened firewall" then we need to get // pointer to the currently opened firewall object RuleSet* current_rule_set = project_panel->getCurrentRuleSet(); if (current_rule_set) selectedFirewall = Firewall::cast(current_rule_set->getParent()); else selectedFirewall = NULL; if (fwbdebug) qDebug() << "selectedFirewall: " << selectedFirewall; loop: if (found_objects.size() == 0) { QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) ); _findAll(); QApplication::restoreOverrideCursor(); found_objects_iter = found_objects.begin(); } if (found_objects_iter == found_objects.end()) { reset(); if (m_widget->srScope->currentIndex()==3) // scope ==selected firewalls { if ( QMessageBox::warning( this,"Firewall Builder", tr("Search hit the end of the policy rules."), tr("&Continue at top"), tr("&Stop"), QString::null, 0, 1 )==0 ) goto loop; } else { if (fwbdebug) qDebug("widget that has focus: %p",mw->focusWidget()); bool r= ( QMessageBox::warning( this,"Firewall Builder", tr("Search hit the end of the object tree."), tr("&Continue at top"), tr("&Stop"), QString::null, 0, 1 )==0); if (fwbdebug) qDebug("widget that has focus: 
%p",mw->focusWidget()); if (r) goto loop; } return; } o = *found_objects_iter; ++found_objects_iter; assert(o!=NULL); lastFound = o; if (fwbdebug) { qDebug() << "Found object: o=" << o << "id=" << FWObjectDatabase::getStringId(o->getId()).c_str() << "name=" << o->getName().c_str() << "type=" << o->getTypeName().c_str(); } showObject(o); } bool FindObjectWidget::validateReplaceObject() { if (m_widget->findDropArea->isEmpty()) { QMessageBox::warning( this, "Firewall Builder", tr("Search object is missing.")); return false; } if (m_widget->replaceDropArea->isEmpty()) { QMessageBox::warning( this, "Firewall Builder", tr("Replace object is missing.")); return false; } FWObject* findObj = m_widget->findDropArea->getObject(); FWObject* replObj = m_widget->replaceDropArea->getObject(); if (findObj==replObj || findObj->getId() == replObj->getId()) { QMessageBox::warning( this,"Firewall Builder", tr("Cannot replace object with itself.")); return false; } bool obj_1_address = Address::cast(findObj)!=NULL || MultiAddress::cast(findObj)!=NULL || ObjectGroup::cast(findObj)!=NULL; bool obj_2_address = Address::cast(replObj)!=NULL || MultiAddress::cast(replObj)!=NULL || ObjectGroup::cast(replObj)!=NULL; bool obj_1_service = Service::cast(findObj)!=NULL || ServiceGroup::cast(findObj); bool obj_2_service = Service::cast(replObj)!=NULL || ServiceGroup::cast(replObj); if ((obj_1_address && obj_2_address) || (obj_1_service && obj_2_service)) return true; QMessageBox::warning( this,"Firewall Builder", tr("Search and Replace objects are incompatible.")); return false; } void FindObjectWidget::replace() { if (!validateReplaceObject()) return; if (lastFound==NULL) { find(); return; } if (lastFound->isReadOnly()) { QMessageBox::critical(this, "Firewall Builder", tr("Can not modify read-only object %1") .arg(lastFound->getPath().c_str())); return; } _replaceCurrent(); } void FindObjectWidget::replaceAll() { if (!validateReplaceObject()) return; reset(); /* * replaceAll() may potentially make 
many replacements. Check read-only * condition early if possible to avoid popping many error dialogs. */ if (m_widget->srScope->currentIndex()==3) // scope == selected firewalls { RuleSet* current_rule_set = project_panel->getCurrentRuleSet(); if (current_rule_set) selectedFirewall = Firewall::cast(current_rule_set->getParent()); else selectedFirewall = NULL; if (selectedFirewall == NULL) { QMessageBox::critical(this, "Firewall Builder", tr("Please select a firewall object")); return; } if (selectedFirewall->isReadOnly()) { QMessageBox::critical(this, "Firewall Builder", tr("Can not modify read-only object %1") .arg(selectedFirewall->getPath().c_str())); return; } } /* findNext() populates found_objects and shows the first hit; the loop then restarts from begin(), so that hit is revisited and nothing is skipped. NOTE(review): count is incremented for every element, including those where _replaceCurrent() returned early (non-reference, read-only parent with Continue, replacement already present), so the "Replaced %1 objects" figure can overstate the number of actual replacements. */ findNext(); // fill found_objects and position to the first found one int count = 0; try { for (found_objects_iter=found_objects.begin(); found_objects_iter!=found_objects.end(); ++found_objects_iter) { lastFound = *found_objects_iter; _replaceCurrent(); count++; } } catch (FindAndReplaceError &ex) { } QMessageBox::information( this, "Firewall Builder", tr("Replaced %1 objects.").arg(count)); } /* _replaceCurrent(): replaces the reference lastFound inside its parent group or rule element via an undoable FWCmdChange. A read-only parent prompts Continue/Stop; Stop throws FindAndReplaceError, which replaceAll() catches to end the batch. NOTE(review): lastFound->getParent() is dereferenced before the o==NULL test on the next line, so that test cannot protect against a null lastFound; callers currently guarantee non-null. */ void FindObjectWidget::_replaceCurrent() { FWObject *o = lastFound; FWObject *p = lastFound->getParent(); if (p==NULL || o==NULL) return; if (FWReference::cast(o)==NULL) return; if (p->isReadOnly()) { QMessageBox msg_box; msg_box.setWindowModality(Qt::ApplicationModal); msg_box.setWindowTitle("Find and Replace Error"); msg_box.setText(tr("Can not modify read-only object %1") .arg(p->getPath().c_str())); QPushButton *btn_continue = msg_box.addButton( QObject::tr("Continue"), QMessageBox::AcceptRole); Q_UNUSED(btn_continue); QPushButton *btn_stop = msg_box.addButton( QObject::tr("Stop"), QMessageBox::RejectRole); msg_box.setDefaultButton(btn_stop); msg_box.show(); msg_box.raise(); msg_box.exec(); if (msg_box.clickedButton() == btn_stop) { // interrupt "replace all" operation throw FindAndReplaceError("Attempt to modify read-only object"); } return; } FWObject *replace_object = 
m_widget->replaceDropArea->getObject(); std::auto_ptr cmd( new FWCmdChange(project_panel, p, QObject::tr("Replace object"))); FWObject *new_state = cmd->getNewState(); new_state->removeRef(FWReference::cast(o)->getPointer()); // check for duplicates -------- if (RuleElement::cast(new_state)==NULL || !RuleElement::cast(new_state)->isAny()) { // avoid duplicates int cp_id = replace_object->getId(); FWObject *oo; FWReference *ref; list::iterator j; for(j=new_state->begin(); j!=new_state->end(); ++j) { oo = *j; if (cp_id==oo->getId() || ((ref=FWReference::cast(oo))!=NULL && cp_id==ref->getPointerId())) { // replacement object is already a member of this // group or rule element. Do not insert it again to // avoid duplicates. Also check if new_state is // different from old_state. It can be the same if // original object was not a member of the group so // the call to removeRef() above did nothing. This // happens when user hits Replace, then hits it // again without finding next. if (!cmd->getOldState()->cmp(new_state, true)) project_panel->undoStack->push(cmd.release()); return; } } } new_state->addRef(replace_object); if (!cmd->getOldState()->cmp(new_state, true)) project_panel->undoStack->push(cmd.release()); } bool FindObjectWidget::inSelectedFirewall( RuleElement* r) { FWObject *f=r; while (f!=NULL && Firewall::cast(f)==NULL) f=f->getParent(); if (f==NULL) return false; return selectedFirewall==(Firewall::cast(f)); } void FindObjectWidget::replaceEnable() { m_widget->replaceButton->setEnabled (true); m_widget->repNextButton->setEnabled (true); m_widget->replaceAllButton->setEnabled(true); } void FindObjectWidget::replaceDisable() { m_widget->replaceButton->setEnabled (false); m_widget->repNextButton->setEnabled (false); m_widget->replaceAllButton->setEnabled(false); } /** * Show object that we have found in the tree or in rules but retain focus * so that user can find next one by just hitting Return on the keyboard. 
*/ void FindObjectWidget::showObject(FWObject* o) { if (fwbdebug) qDebug("FindObjectWidget::showObject o: %s parent: %s", o->getName().c_str(), o->getParent()->getName().c_str()); FWReference* ref = FWReference::cast(o); if (ref!=NULL && RuleElement::cast(o->getParent())!=NULL) { // found object in rules QCoreApplication::sendEvent( project_panel, new showObjectInRulesetEvent( project_panel->getFileName(), ref->getId())); return; } if (!FWBTree().isStandardFolder(o) && Group::cast(o->getParent())!=NULL && !FWBTree().isStandardFolder(o->getParent())) { QCoreApplication::sendEvent( mw, new showObjectInTreeEvent(project_panel->getFileName(), o->getParent()->getId())); return; } QCoreApplication::sendEvent( mw, new showObjectInTreeEvent(project_panel->getFileName(), o->getId())); } void FindObjectWidget::init() { m_widget->findDropArea->deleteObject(); m_widget->replaceDropArea->deleteObject(); } void FindObjectWidget::firewallOpened(Firewall *f) { if (f==NULL) return; selectedFirewall = f; m_widget->srScope->setItemText( 3, tr("Policy of firewall '")+f->getName().c_str()+"'" ); } void FindObjectWidget::findPrev() { } void FindObjectWidget::replaceNext() { replace(); findNext(); } void FindObjectWidget::scopeChanged() { st->setValue(SETTINGS_PATH_PREFIX"/Search/Scope", m_widget->srScope->currentIndex ()); } fwbuilder-5.3.7/src/libgui/FindObjectWidget.h000066400000000000000000000054261303637203600211110ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FINDOBJECTWIDGET_H_ #define __FINDOBJECTWIDGET_H_ #include "config.h" #include #include "ProjectPanel.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Firewall.h" class QRegExp; class ObjectDescriptor; class QWidget; class FindObjectWidget : public QWidget { Q_OBJECT; private: QString lastAttrSearch; libfwbuilder::FWObject *lastFound; libfwbuilder::FWObject::tree_iterator treeSeeker; std::list found_objects; std::list::iterator found_objects_iter; libfwbuilder::Firewall* selectedFirewall; ProjectPanel *project_panel; void _findAll(); void _replaceCurrent(); bool matchName(const QString &name); bool matchID(int id); bool matchAttr(libfwbuilder::FWObject* obj); bool validateReplaceObject(); bool inSelectedFirewall( libfwbuilder::RuleElement* r); virtual void keyPressEvent( QKeyEvent* ev ); public: Ui::findObjectWidget_q *m_widget; FindObjectWidget(QWidget*p, ProjectPanel *pp, const char * n = 0, Qt::WindowFlags f = 0); ~FindObjectWidget() { delete m_widget; }; void findObject (libfwbuilder::FWObject *o); void attachToProjectWindow(ProjectPanel *pp) { project_panel = pp; } public slots: virtual void enableAll(); virtual void disableAll(); virtual void objectInserted(); virtual void find(); virtual void findNext(); virtual void reset(); virtual void findAttrChanged(const QString&); virtual void findPrev(); virtual void replaceNext(); virtual void replace(); virtual void replaceAll(); virtual void replaceEnable(); virtual void replaceDisable(); void showObject(libfwbuilder::FWObject* o); void init(); void clear(); void firewallOpened(libfwbuilder::Firewall *f); void scopeChanged(); void objectDeleted(); signals: void close(); }; #endif 
fwbuilder-5.3.7/src/libgui/FindWhereUsedWidget.cpp000066400000000000000000000246251303637203600221330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "definitions.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "platforms.h" #include "events.h" #include "FindWhereUsedWidget.h" #include "FWWindow.h" #include "FWObjectDropArea.h" #include "ObjectManipulator.h" #include "FWBTree.h" #include "FWBSettings.h" #include "ObjectTreeView.h" #include "RuleSetView.h" #include "ProjectPanel.h" #include "ColDesc.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Library.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; 
FindWhereUsedWidget::FindWhereUsedWidget(QWidget *p, ProjectPanel *pp, const char * n, Qt::WindowFlags f, bool f_mini) : QWidget(p) { project_panel = pp; m_widget = new Ui::findWhereUsedWidget_q; m_widget->setupUi(this); setObjectName(n); setWindowFlags(f); flShowObject=true; if (f_mini) { m_widget->pushButton2->hide(); m_widget->dropBox->hide(); } else { connect(m_widget->dropArea,SIGNAL(objectDeleted()),this,SLOT(init())); } } FindWhereUsedWidget::~FindWhereUsedWidget() { delete m_widget; } void FindWhereUsedWidget::setShowObject(bool fl) { flShowObject=fl; } /** * This signal is emitted when the user activates an item by single- * or double-clicking (depending on the platform, i.e. on the * QStyle::SH_ItemView_ActivateItemOnSingleClick style hint) or * pressing a special key (e.g., Enter). */ void FindWhereUsedWidget::itemActivated(QTreeWidgetItem* item, int) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) FWObject *container = (FWObject*)(qVariantValue(item->data(1, Qt::UserRole))); #else FWObject *container = (FWObject*)(item->data(1, Qt::UserRole).value()); #endif if (flShowObject && container!=NULL) { showObject(container); } } /** * This signal is emitted when the user clicks inside the widget. * * The specified item is the item that was clicked, or 0 if no item * was clicked. The column is the item's column that was clicked. If * no item was clicked, no signal will be emitted. 
* */ void FindWhereUsedWidget::itemClicked(QTreeWidgetItem* item, int) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) FWObject *container = (FWObject*)(qVariantValue(item->data(1, Qt::UserRole))); #else FWObject *container = (FWObject*)(item->data(1, Qt::UserRole).value()); #endif if (flShowObject && container!=NULL) { showObject(container); } } void FindWhereUsedWidget::find() { findFromDrop(); } void FindWhereUsedWidget::find(FWObject *obj) { m_widget->dropArea->insertObject(obj); find(); } void FindWhereUsedWidget::_find(FWObject *obj) { object = obj; m_widget->resListView->clear(); resset.clear(); if (fwbdebug) qDebug() << "FindWhereUsedWidget " << this << ": initiate search for " << obj->getName().c_str() << " project_panel " << project_panel; if (project_panel==NULL) return; FWObjectDatabase *db = obj->getRoot(); map > reference_holders; UsageResolver().findAllReferenceHolders(obj, db, reference_holders); // rearrange reference holder object we just found to be able to sort them QMap widget_items; map >::iterator it; for (it=reference_holders.begin(); it!=reference_holders.end(); ++it) { FWObject *c_obj = db->findInIndex(it->first); if (!m_widget->includeChildren->isChecked() && c_obj != obj) continue; foreach(FWObject *container, it->second) { QTreeWidgetItem *item = createQTWidgetItem(c_obj, container); if (item==NULL) continue; QStringList item_str; item_str << item->text(0) << item->text(1) << item->text(2); widget_items[item_str.join("/")] = item; } } // TODO: This is not ideal because lines are sorted alphabetically. // Rules should be sorted by their numbers numerically. 
QStringList keys = widget_items.keys(); qSort(keys); foreach(QString k, keys) { QTreeWidgetItem *item = widget_items[k]; m_widget->resListView->addTopLevelItem(item); } m_widget->resListView->resizeColumnToContents(0); m_widget->resListView->resizeColumnToContents(1); show(); } void FindWhereUsedWidget::init() { object = NULL; m_widget->resListView->clear(); resset.clear(); } void FindWhereUsedWidget::clear() { m_widget->dropArea->deleteObject(); // this emits signal that calls init() } void FindWhereUsedWidget::findFromDrop() { _find(m_widget->dropArea->getObject()); } void FindWhereUsedWidget::showObject(FWObject* o) { if (fwbdebug) qDebug("FindWhereUsedWidget::showObject o=%s (%s)", o->getName().c_str(), o->getTypeName().c_str()); if (object==NULL || o==NULL) return; if (RuleElement::cast(o)!=NULL || RuleElement::cast(o->getParent())!=NULL) { QCoreApplication::postEvent( project_panel, new showObjectInRulesetEvent(project_panel->getFileName(), o->getId())); return; } if (Rule::cast(o)!=NULL) { QCoreApplication::postEvent( project_panel, new openRulesetImmediatelyEvent(project_panel->getFileName(), o->getParent()->getId())); QCoreApplication::postEvent( project_panel, new selectRuleElementEvent(project_panel->getFileName(), o->getId(), ColDesc::Action)); return; } project_panel->unselectRules(); if (Group::cast(o)!=NULL) { QCoreApplication::postEvent( project_panel, new showObjectInTreeEvent(project_panel->getFileName(), o->getId())); project_panel->unselectRules(); } else { QCoreApplication::postEvent( project_panel, new showObjectInTreeEvent(project_panel->getFileName(), o->getId())); project_panel->unselectRules(); } } QTreeWidgetItem* FindWhereUsedWidget::createQTWidgetItem(FWObject *o, FWObject *container) { if (fwbdebug) qDebug() << "FindWhereUsedWidget::createQTWidgetItem" << "container:" << container->getName().c_str() << "(" << container->getTypeName().c_str() << ")"; QString c1, c2; FWObject *fw = NULL; Rule *r = NULL; RuleSet *rs = NULL; QPixmap 
object_icon; QPixmap parent_icon; FWBTree tree_format; if (tree_format.isSystem(container) || Library::cast(container)) return NULL; // container can be a Rule if user searched for an object used in action if (RuleElement::cast(container)!=NULL || Rule::cast(container)!=NULL) { fw = container; while (fw!=NULL && Firewall::cast(fw)==NULL) // Firewall::cast matches also Cluster { if (Rule::cast(fw)) r = Rule::cast(fw); if (RuleSet::cast(fw)) rs = RuleSet::cast(fw); fw = fw->getParent(); } if (fw==NULL || r==NULL || rs==NULL) return NULL; c1 = QString::fromUtf8(fw->getName().c_str()); QString ruleset_kind; if (NAT::isA(rs)) { ruleset_kind = tr("NAT rule set"); } else if (Policy::isA(rs)) { ruleset_kind = tr("Policy rule set"); } else if (Routing::isA(rs)) { ruleset_kind = tr("Routing rule set"); } else { ruleset_kind = tr("Rule set of unknown type"); } QString rule_element_name; if (RuleElement::cast(container)!=NULL) rule_element_name = getReadableRuleElementName( fw->getStr("platform"), container->getParent()->getTypeName()); if (Rule::cast(container)!=NULL) rule_element_name = "Action"; c2 += tr("%1 \"%2\" / Rule %3 / %4"). arg(ruleset_kind). arg(rs->getName().c_str()). arg(Rule::cast(r)->getPosition()). 
arg(rule_element_name); loadIcon(parent_icon, fw); } else { c1 = QString::fromUtf8(container->getName().c_str()); c2 = tr("Type: ")+QString::fromUtf8(container->getTypeName().c_str()); loadIcon(parent_icon, container); } loadIcon(object_icon, o); QStringList qsl; qsl << QString::fromUtf8(o->getName().c_str()) << c1 << c2; QTreeWidgetItem* item = new QTreeWidgetItem(qsl); item->setIcon(1, QIcon(parent_icon)); item->setIcon(0, QIcon(object_icon)); item->setData(1, Qt::UserRole, qVariantFromValue((void*)container)); return item; } fwbuilder-5.3.7/src/libgui/FindWhereUsedWidget.h000066400000000000000000000044121303637203600215700ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FINDWHEREUSEDWIDGET_H_ #define __FINDWHEREUSEDWIDGET_H_ #include "config.h" #include #include "ProjectPanel.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Firewall.h" #include #include class QRegExp; class ObjectDescriptor; class QWidget; namespace libfwbuilder { class FWReference; } class FindWhereUsedWidget : public QWidget { Q_OBJECT private: ProjectPanel *project_panel; bool flShowObject; libfwbuilder::FWObject* object; std::set resset; Ui::findWhereUsedWidget_q *m_widget; void showObject(libfwbuilder::FWObject*); void _find(libfwbuilder::FWObject *obj); public: FindWhereUsedWidget(QWidget*p, ProjectPanel* pp, const char * n = 0, Qt::WindowFlags f = 0, bool f_mini=false); ~FindWhereUsedWidget(); void setShowObject(bool fl); void attachToProjectWindow(ProjectPanel *pp) { project_panel = pp; } static QTreeWidgetItem* createQTWidgetItem(libfwbuilder::FWObject* obj, libfwbuilder::FWObject* container); public slots: virtual void find(); virtual void find(libfwbuilder::FWObject *obj); void init(); void clear(); void itemActivated(QTreeWidgetItem*, int); void itemClicked(QTreeWidgetItem*, int); void findFromDrop(); signals: void close(); }; #endif fwbuilder-5.3.7/src/libgui/FirewallCodeViewer.cpp000066400000000000000000000130161303637203600220050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "FirewallCodeViewer.h" #include "ui_FirewallCodeViewer.h" #include #include #include #include "QFileInfo" #include "global.h" #include "FWBSettings.h" #include "QProcess" #include "QMessageBox" #include "PrefsDialog.h" #include "ProjectPanel.h" #include #include #include FirewallCodeViewer::FirewallCodeViewer(QStringList files, QString name, ProjectPanel *project, QWidget *parent) : QDialog(parent), ui(new Ui::FirewallCodeViewer_q), m_project(project) { ui->setupUi(this); this->files = files; foreach(QString file, files) ui->fileSelector->addItem(file.split("/").last()); fileSelected(0); ui->path->setText(name); QMenu *menu = new QMenu(); QAction *showDiff = new QAction(tr("Show diff"), this); QAction *showDiffSelectFile = new QAction(tr("Show diff with custom file..."), this); menu->addAction(showDiff); menu->addAction(showDiffSelectFile); ui->diffBtn->setMenu(menu); ui->diffBtn->setDefaultAction(showDiff); connect(showDiff, SIGNAL(triggered()), this, SLOT(showDiff())); connect(showDiffSelectFile, SIGNAL(triggered()), this, SLOT(showDiffSelectFile())); } FirewallCodeViewer::~FirewallCodeViewer() { delete ui; } void FirewallCodeViewer::changeEvent(QEvent *e) { QDialog::changeEvent(e); switch (e->type()) { case QEvent::LanguageChange: ui->retranslateUi(this); break; default: break; } } void FirewallCodeViewer::showDiff(const QString &sourceFileName, const QString &destinationFileName) { if (st->getDiffPath().isEmpty()) { int ret = QMessageBox::warning(this, tr("Could not start diff program"), tr("You have not configured an external diff program yet.\n" "Do you want to do it 
now?"), QMessageBox::Yes, QMessageBox::No ); if (ret == QMessageBox::Yes) { PrefsDialog pd(this); pd.selectTab("Diff"); pd.exec(); } return; } if (!QFileInfo(destinationFileName).isFile()) return; QStringList args; if (!QFileInfo(sourceFileName).isFile()) { QString newSourceFileName = QFileDialog::getOpenFileName( this, tr("Select source file for diff..."), st->getOpenFileDir()); if (!QFileInfo(newSourceFileName).isFile()) return; args << newSourceFileName; } else { args << sourceFileName; } args << destinationFileName; QProcess *process = new QProcess(); connect(process, SIGNAL(finished(int)), process, SLOT(deleteLater())); connect(process, SIGNAL(error(QProcess::ProcessError)), this, SLOT(processError(QProcess::ProcessError))); process->start(st->getDiffPath(), args); } void FirewallCodeViewer::fileSelected(int idx) { if (pages.contains(idx)) { ui->pages->setCurrentIndex(pages[idx]); } else { QFile f(this->files.at(idx)); f.open(QFile::ReadOnly); QTextBrowser *browser = new QTextBrowser(ui->pages); browser->setPlainText(f.readAll()); ui->pages->addWidget(browser); pages.insert(idx, ui->pages->indexOf(browser)); ui->pages->setCurrentWidget(browser); } } void FirewallCodeViewer::processError(QProcess::ProcessError error) { if (error == QProcess::FailedToStart) { int ret = QMessageBox::warning(this, tr("Could not start diff program"), tr("Could not start the configured diff program.\n" "Do you want to check the preferences?"), QMessageBox::Yes, QMessageBox::No ); if (ret == QMessageBox::Yes) { PrefsDialog pd(this); pd.selectTab("Diff"); pd.exec(); } } } void FirewallCodeViewer::hideCloseButton() { ui->closeButton->hide(); } void FirewallCodeViewer::showDiff() { QString fileName = this->files.at(ui->fileSelector->currentIndex()); QString autoCompiledFileName; QDir tempDir(m_project->getTemporaryDirPath()); if (tempDir.exists()) autoCompiledFileName = QString(tempDir.absolutePath()).append("/").append(fileName.split("/").last()); showDiff(autoCompiledFileName, 
fileName); } void FirewallCodeViewer::showDiffSelectFile() { showDiff(this->files.at(ui->fileSelector->currentIndex()), ""); } fwbuilder-5.3.7/src/libgui/FirewallCodeViewer.h000066400000000000000000000037561303637203600214640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FIREWALLCODEVIEWER_H #define FIREWALLCODEVIEWER_H #include #include #include #include namespace Ui { class FirewallCodeViewer_q; } class ProjectPanel; #include class FirewallCodeViewer : public QDialog { Q_OBJECT QStringList files; QMap pages; public: FirewallCodeViewer(QStringList files, QString path, ProjectPanel *project, QWidget *parent = 0); ~FirewallCodeViewer(); protected: void changeEvent(QEvent *e); private: Ui::FirewallCodeViewer_q *ui; ProjectPanel *m_project; void showDiff(const QString &destinationFileName, const QString &sourceFileName); public slots: void fileSelected(int); void processError(QProcess::ProcessError); void hideCloseButton(); void keyPressEvent(QKeyEvent *event) { if (dynamic_cast(this->parent()) == NULL) return QDialog::keyPressEvent(event); event->setAccepted(false); } void showDiff(); void showDiffSelectFile(); }; #endif // FIREWALLCODEVIEWER_H 
fwbuilder-5.3.7/src/libgui/FirewallCodeViewer.ui000066400000000000000000000113631303637203600216430ustar00rootroot00000000000000 FirewallCodeViewer_q 0 0 673 510 Firewall code viewer 14 75 true Firewall / ruleset Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter 0 0 File: 0 0 Qt::Horizontal 40 20 16777215 16777215 0 0 Show diff QToolButton::MenuButtonPopup 0 0 0 0 0 Qt::Horizontal 40 20 Close Qt::Horizontal 289 20 pushButton clicked() FirewallCodeViewer_q reject() 374 500 447 408 fileSelector currentIndexChanged(int) FirewallCodeViewer_q fileSelected(int) 90 53 4 78 fileSelected(int) fwbuilder-5.3.7/src/libgui/FirewallDialog.cpp000066400000000000000000000320011303637203600211430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "ProjectPanel.h" #include "FWBTree.h" #include "FirewallDialog.h" #include "DialogFactory.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; FirewallDialog::~FirewallDialog() { delete m_dialog; } FirewallDialog::FirewallDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::FirewallDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } void FirewallDialog::loadFWObject(FWObject *o) { try { obj = o; Firewall *s = dynamic_cast(obj); assert(s!=NULL); init = true; QString platform = obj->getStr("platform").c_str(); /* fill in platform */ setPlatform(m_dialog->platform, platform); fillVersion(); /* fill in host OS */ setHostOS(m_dialog->hostOS, platform, obj->getStr("host_OS").c_str()); /* ---------------- */ updateTimeStamps(); Management *mgmt=s->getManagementObject(); assert(mgmt!=NULL); // FWOptions *opt =s->getOptionsObject(); m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); m_dialog->inactive->setChecked(s->getInactive()); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->platform->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->platform); m_dialog->version->setEnabled(!o->isReadOnly()); 
setDisabledPalette(m_dialog->version); m_dialog->hostOS->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->hostOS); m_dialog->fwAdvanced->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->fwAdvanced); m_dialog->osAdvanced->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->osAdvanced); // snmpCommunity->setEnabled(!o->isReadOnly()); // setDisabledPalette(snmpCommunity); m_dialog->inactive->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->inactive); } catch (FWException &ex) { qDebug() << "Caught FWException:" << ex.toString().c_str(); } init=false; } void FirewallDialog::updateTimeStamps() { QDateTime dt; time_t t; t = obj->getInt("lastModified"); dt.setTime_t(t); m_dialog->last_modified->setText((t)? dt.toString():"-"); t = obj->getInt("lastCompiled"); dt.setTime_t(t); m_dialog->last_compiled->setText((t)? dt.toString():"-"); t = obj->getInt("lastInstalled"); dt.setTime_t(t); m_dialog->last_installed->setText((t)? dt.toString():"-"); } /* fill in version */ void FirewallDialog::fillVersion() { m_dialog->version->clear(); list vl; getVersionsForPlatform(readPlatform(m_dialog->platform), vl); QString v = obj->getStr("version").c_str(); bool found_version = false; int cp = 0; for (list::iterator i1=vl.begin(); i1!=vl.end(); i1++,cp++) { if (fwbdebug) qDebug() << "Adding version " << i1->second; m_dialog->version->addItem( i1->second ); if ( v == i1->first ) { found_version = true; m_dialog->version->setCurrentIndex( cp ); } } if (!found_version && !obj->isReadOnly()) { // version configured in the object does not match any valid // version for this platform. 
obj->setStr("version", vl.front().first.toStdString()); fillVersion(); } } void FirewallDialog::saveVersion(FWObject *o) { QString pl = readPlatform(m_dialog->platform); list vl; getVersionsForPlatform( pl.toLatin1().constData(), vl); QString v = m_dialog->version->currentText(); list::iterator li = std::find_if(vl.begin(),vl.end(),findSecondInQStringPair(v)); if (li!=vl.end()) o->setStr("version", li->first.toLatin1().constData() ); } void FirewallDialog::platformChanged() { if (fwbdebug) qDebug() << "FirewallDialog::platformChanged()"; fillVersion(); QString platform = readPlatform(m_dialog->platform); setHostOS( m_dialog->hostOS, platform, ""); QString pl = readPlatform(m_dialog->platform); m_dialog->fwAdvanced->setEnabled( pl!="unknown" ); //changed(); } void FirewallDialog::hostOSChanged() { if (fwbdebug) qDebug() << "FirewallDialog::hostOSChanged()"; QString ho = readHostOS(m_dialog->hostOS); m_dialog->osAdvanced->setEnabled( ho!="unknown_os" ); //changed(); } void FirewallDialog::validate(bool *res) { *res = true; if (!validateName(this, obj, m_dialog->obj_name->text())) { *res = false; return; } // see #2011 - do not allow "/" in firewall object name if (m_dialog->obj_name->text().contains("/")) { *res = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical( this,"Firewall Builder", tr("Character \"/\" is not allowed in firewall object name"), tr("&Continue"), QString::null,QString::null, 0, 1 ); blockSignals(false); } return; } } void FirewallDialog::applyChanges() { if (fwbdebug) qDebug() << "FirewallDialog::applyChanges()"; bool autorename_chidren = false; QString dialog_txt = tr( "The name of the object '%1' has changed. The program can also " "rename IP address objects that belong to this object, " "using standard naming scheme 'host_name:interface_name:ip'. " "This makes it easier to distinguish what host or a firewall " "given IP address object belongs to when it is used in " "the policy or NAT rule. 
The program also renames MAC address " "objects using scheme 'host_name:interface_name:mac'. " "Do you want to rename child IP and MAC address objects now? " "(If you click 'No', names of all address objects that belong to " "%2 will stay the same.)") .arg(QString::fromUtf8(obj->getName().c_str())) .arg(QString::fromUtf8(obj->getName().c_str())); if (obj->getName() != m_dialog->obj_name->text().toUtf8().constData()) { /* * when we open this warning dialog, FirewallDialog class * loses focus and obj_name lineEdit widget sends signal * "editingfinished" again. To the user this looks like the * warning dialog popped up twice (in fact two copies of the * same warning dialog appear at the same time, one exactly on * top of another). To avoid this, block signals for the * duration while we show the dialog. Note that documentation * does not mention that QObject::blockSignals() affects not * only the widget but all its children, but it seems to work * that way. Tested with Qt 4.6.1. See #1171 */ blockSignals(true); autorename_chidren = (QMessageBox::warning( this,"Firewall Builder", dialog_txt, tr("&Yes"), tr("&No"), QString::null, 0, 1 )==0 ); blockSignals(false); } if (fwbdebug) qDebug() << "Sending FWCmdChange autorename_chidren=" << autorename_chidren; std::auto_ptr cmd( new FWCmdChange(m_project, obj, "", autorename_chidren)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); Firewall *s = dynamic_cast(new_state); Management *mgmt = s->getManagementObject(); assert(mgmt!=NULL); string old_name = obj->getName(); string new_name = string(m_dialog->obj_name->text().toUtf8().constData()); string old_platform = obj->getStr("platform"); string old_host_os = obj->getStr("host_OS"); string old_version = obj->getStr("version"); new_state->setName(new_name); m_dialog->commentKeywords->applyChanges(new_state); s->setInactive(m_dialog->inactive->isChecked()); saveVersion(new_state); string new_version = new_state->getStr("version"); string 
new_platform = readPlatform(m_dialog->platform).toLatin1().constData(); if (new_platform.empty()) new_platform = "unknown"; new_state->setStr("platform", new_platform ); if (old_platform!=new_platform) { if (fwbdebug) qDebug() << "FirewallDialog::applyChanges() platform has changed" << old_platform.c_str() << "->" << new_platform.c_str() << "clearing option 'compiler'"; platformChanged(); FWOptions *opt =s->getOptionsObject(); opt->setStr("compiler", ""); // Set default options for the new platform Resources::setDefaultTargetOptions(new_platform, s); } string new_host_os = readHostOS(m_dialog->hostOS).toLatin1().constData(); if (new_host_os.empty()) new_host_os = "unknown_os"; new_state->setStr("host_OS", new_host_os); if (old_host_os!=new_host_os) { if (fwbdebug) qDebug() << "FirewallDialog::applyChanges() host_OS has changed" << old_host_os.c_str() << "->" << new_host_os.c_str(); hostOSChanged(); // Set default options for the new host os Resources::setDefaultTargetOptions(new_host_os, s); } if (new_platform.empty()) { QMessageBox::critical( this, "Firewall Builder", tr("Platform setting can not be empty"), tr("&Continue"), 0, 0, 0 ); return; } if (new_host_os.empty()) { QMessageBox::critical( this, "Firewall Builder", tr("Host OS setting can not be empty"), tr("&Continue"), 0, 0, 0 ); return; } if (old_platform!=new_platform || old_host_os!=new_host_os || old_name!=new_name || old_version!=new_version) { if (fwbdebug) qDebug("FirewallDialog::applyChanges() scheduling call " "to reopenFirewall()"); m_project->registerRuleSetRedrawRequest(); } if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } updateTimeStamps(); } void FirewallDialog::openFWDialog() { try { QWidget *w = DialogFactory::createFWDialog(mw, obj); if (w==NULL) return; // some dialogs may not be implemented yet QDialog *d=dynamic_cast(w); assert(d!=NULL); d->setWindowModality(Qt::WindowModal); // d->open(); d->exec(); delete d; } 
catch (FWException &ex) { QMessageBox::critical( this,"Firewall Builder", tr("FWBuilder API error: %1").arg(ex.toString().c_str()), tr("&Continue"), QString::null,QString::null, 0, 1 ); return; } } void FirewallDialog::openOSDialog() { try { QWidget *w = DialogFactory::createOSDialog(mw, obj); if (w==NULL) return; // some dialogs may not be implemented yet QDialog *d=dynamic_cast(w); assert(d!=NULL); d->exec(); delete d; } catch (FWException &ex) { QMessageBox::critical( this,"Firewall Builder", tr("FWBuilder API error: %1").arg(ex.toString().c_str()), tr("&Continue"), QString::null,QString::null, 0, 1 ); return; } } fwbuilder-5.3.7/src/libgui/FirewallDialog.h000066400000000000000000000032051303637203600206140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FIREWALLDIALOG_H_ #define __FIREWALLDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class FirewallDialog : public BaseObjectDialog { Q_OBJECT; Ui::FirewallDialog_q *m_dialog; void fillVersion(); void saveVersion(libfwbuilder::FWObject *o); void updateTimeStamps(); public: FirewallDialog(QWidget *parent); ~FirewallDialog(); public slots: virtual void applyChanges(); virtual void platformChanged(); virtual void hostOSChanged(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void openFWDialog(); virtual void openOSDialog(); }; #endif // FIREWALLDIALOG_H fwbuilder-5.3.7/src/libgui/FirewallInstaller.cpp000066400000000000000000000701441303637203600217130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "CompilerDriver.h" #include "Configlet.h" #include "FWBSettings.h" #include "FWWindow.h" #include "FirewallInstaller.h" #include "SSHSession.h" #include "SSHUnx.h" #include "instDialog.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include #include #include #include #include #include #include #include #include #ifndef _WIN32 # include // for access(2) and getdomainname #endif #include #include using namespace std; using namespace libfwbuilder; bool FirewallInstaller::parseManifestLine(const QString &line, QString *local_file_name, QString *remote_file_name, bool *main_script) { // generated IOS and PIX scripts use '!' 
as a comment which places // manifest marker at offset of 1 char from the beginning of the // line if (line.indexOf(MANIFEST_MARKER) == -1) return false; if (fwbdebug) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("Manifest line: '%s'", line.toAscii().constData()); #else qDebug("Manifest line: '%s'", line.toLatin1().constData()); #endif QString workline = line.split(MANIFEST_MARKER)[1].trimmed(); if (workline.startsWith("*")) { *main_script = true; workline = workline.remove(0, 1).trimmed(); } QString local, remote; int i = 0; for(i=0; itoAscii().constData() #else << local_file_name->toLatin1().constData() #endif << "remote_name:" #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) << remote_file_name->toAscii().constData() #else << remote_file_name->toLatin1().constData() #endif << "main_script:" << *main_script; return true; } /* * FirewallInstaller::readManifest reads manifest from the generated * script and applies logic to decide the path and name of all files * that will be copied to the firewall. Manifest format: # files: * local_file_name remote_file_name the '*' is optional and marks the "main" script, that is, the script that should be executed on the firewall to activate policy. The part '# files:' is manifest marker and must be reproduced just so. Parts are separated by one or more spaces. Remote name is optional, if it is missing, it is assumed to be equal to the local name. This provides for backwards compatibility with previous versions where manifest did not include remote name. Manifest can consit of multiple lines to describe multiple files, although only one line can have '*'. 
Installation is controlled by several variables that the user can change in the "advanced" dialog for the firewall platform:

Tab "Compiler":
  - output file name
  - script name on the firewall
  - for PF and ipfilter, additionally the .conf file name on the firewall

Tab "Installer":
  - directory on the firewall where the script should be installed
  - command that the installer should execute on the firewall

These variables have default values that apply when the input fields are left blank in the dialog:

output file name: the name of the firewall object plus the extension ".fw". For PF two files are generated: .fw and .conf; for ipfilter the files .fw, -ipf.conf and -nat.conf are generated.

script name on the firewall: the same as the output file name

directory on the firewall: "/etc"

command that the installer executes to activate the policy: the installer runs script .fw

If the user enters an alternative name in "script name on the firewall", that name is used when the generated script is copied to the firewall. The dialogs for PF and ipf have two input fields where the user can enter alternative names for the .fw script and the .conf file. The name can be a relative or an absolute path. If it is a relative path or just a file name, it is treated as a file name inside the directory given by the "directory on the firewall" input field in the "Installer" tab. If the name is an absolute path, the directory entered in the "directory on the firewall..." input field is ignored.

If the user entered an alternative name for the script on the firewall, the command that the installer should execute to activate it must be entered as well. If the alternative name was entered as an absolute path, the activation command should take this into account and use the same absolute path. The command can start with "sudo " if the user account used to copy and activate the policy is not root.
*/ bool FirewallInstaller::readManifest(const QString &script, QMap *all_files) { if (fwbdebug) qDebug("FirewallInstaller::readManifest"); // Read generated config file (cnf->script), find manifest // and schedule copying of all files listed there. QFile cf(script); if (cf.open(QIODevice::ReadOnly )) { QTextStream stream(&cf); QString line; do { line = stream.readLine(); if (line.isNull()) break; QString local_name; QString remote_name; bool main_script = false; if (parseManifestLine(line, &local_name, &remote_name, &main_script)) { QFileInfo loc_file_info(local_name); if (!loc_file_info.isAbsolute()) { QFileInfo cnf_file_info(cnf->script); if (cnf_file_info.isAbsolute()) local_name = cnf_file_info.dir().path() + "/" + local_name; } if (remote_name.isEmpty()) { QFileInfo loc_file_info(local_name); remote_name = cnf->fwdir + "/" + loc_file_info.fileName(); } // This is the manifest line with "*", it marks the main script // we should run. if (main_script) { // Override directory variable if remote file name // is an absolute path. 
This is used later to // replace %FWDIR% macro // Override fwbscript as well // This is used later to replace %FWSCRIPT% macro // getDestinationDir() returns corrected directory // depending on the user (root/regular) and temp install // flag setting QFileInfo rem_file_info(remote_name); if (rem_file_info.isAbsolute()) { cnf->fwdir = rem_file_info.dir().path(); cnf->remote_script = getDestinationDir(cnf->fwdir) + rem_file_info.fileName(); } else { cnf->remote_script = getDestinationDir(cnf->fwdir) + remote_name; } } (*all_files)[local_name] = remote_name; } } while (!line.isNull()); cf.close(); if (cnf->remote_script.isEmpty()) { // manifest did not include line with '*' cnf->remote_script = getDestinationDir(cnf->fwdir) + cnf->script; } // Now that we have found the main script and know its // location (in case user provided absolute path for the // remote file name variable) we can update remote path for // all files QMap::iterator it; for (it=all_files->begin(); it!=all_files->end(); ++it) { QString local_name = it.key(); QString remote_name = it.value(); QFileInfo rem_file_info(remote_name); if (rem_file_info.isAbsolute()) (*all_files)[local_name] = getDestinationDir(rem_file_info.dir().path()) + rem_file_info.fileName(); else (*all_files)[local_name] = getDestinationDir(cnf->fwdir) + remote_name; } // make sure remote_name has '/' as a separator. 
If the program // runs on windows, QFileInfo may return path with native // separators '\' cnf->remote_script = QDir::fromNativeSeparators(cnf->remote_script); for (it=all_files->begin(); it!=all_files->end(); ++it) { QString local_name = it.key(); (*all_files)[local_name] = QDir::fromNativeSeparators(it.value()); } return true; } else { QMessageBox::critical( inst_dlg, "Firewall Builder", tr("Generated script file %1 not found.").arg(script), tr("&Continue") ); return false; } } bool FirewallInstaller::packInstallJobsList(Firewall*) { return false; } void FirewallInstaller::packSSHArgs(QStringList &args) { QString ssh = st->getSSHPath(); QStringList ssh_argv; parseCommandLine(ssh, ssh_argv); #ifdef _WIN32 args += ssh_argv; /* * putty ignores protocol and port specified in the session file if * command line option -ssh is given. * * On the other hand,the sign of session usage is an empty user name, * so we can check for that. If user name is empty, then putty will * use current Windows account name to log in to the firewall and this * is unlikely to work anyway. This seems to be a decent workaround. 
*/ if (ssh.contains("plink.exe", Qt::CaseInsensitive)) { args.push_back("-ssh"); args.push_back("-t"); if (cnf->putty_session.isEmpty()) { args.push_back("-load"); args.push_back("fwb_session_with_keepalive"); } if (!cnf->pwd.isEmpty()) { args.push_back("-pw"); args.push_back(cnf->pwd); } } #else args.push_back(argv0.c_str()); args.push_back("-X"); // fwbuilder works as ssh wrapper args += ssh_argv; args.push_back("-o"); args.push_back(QString("ServerAliveInterval=%1").arg(st->getSSHTimeout())); args.push_back("-t"); args.push_back("-t"); #endif if (!cnf->sshArgs.isEmpty()) args += cnf->sshArgs.split(" ", QString::SkipEmptyParts); if (cnf->verbose) args.push_back("-v"); if (!cnf->user.isEmpty()) { args.push_back("-l"); args.push_back(cnf->user); } if (!cnf->putty_session.isEmpty()) { args.push_back(cnf->putty_session); } else { args.push_back(cnf->maddr); } } void FirewallInstaller::packSCPArgs(const QString &local_name, const QString &remote_name, QStringList &args) { if (fwbdebug) qDebug() << "packSCPArgs" << "local_name=" << local_name << "remote_name=" << remote_name; QString file_with_path = getFullPath(local_name); QString scp = st->getSCPPath(); QStringList scp_argv; parseCommandLine(scp, scp_argv); QString mgmt_addr = cnf->maddr; /* * bug #2618686 "built-in installer can not handle ipv6 management * address". If cnf->maddr is ipv6 address, it needs to be placed in * [ ] for scp (otherwise scp interprets ':' as a separator between * host name and port number). * Note that this is only necessary for scp; ssh takes ipv6 addresses * without [ ] just fine. 
*/ try { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) InetAddr addr(AF_INET6, cnf->maddr.toAscii().constData()); #else InetAddr addr(AF_INET6, cnf->maddr.toLatin1().constData()); #endif if (fwbdebug) qDebug("SCP will talk to the firewall using address %s ( %s )", #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) cnf->maddr.toAscii().constData(), #else cnf->maddr.toLatin1().constData(), #endif addr.toString().c_str()); /* * It looks like if cnf->maddr is a host name, then InetAddr * does not fail but just creates address '::'. * InetAddr throws exception if it is given ipv4 address. * Only add [ ] if this is legitimate ipv6 address (not '::') */ if (!addr.isAny()) mgmt_addr = '[' + cnf->maddr + ']'; } catch(FWException &ex) { // Assume cnf->maddr is ipv4 or host name ; } #ifdef _WIN32 args += scp_argv; /* * See #1832. plink.exe and pscp.exe do not try to interpret target * host name as session name if they see "-load session_name" on the * command line. This means if user wants to use session, we can not * load session fwb_session_with_keepalive. */ if (scp.contains("pscp.exe", Qt::CaseInsensitive)) { if (cnf->putty_session.isEmpty()) { args.push_back("-load"); args.push_back("fwb_session_with_keepalive"); } if (!cnf->pwd.isEmpty()) { args.push_back("-pw"); args.push_back(cnf->pwd); } } #else args.push_back(argv0.c_str()); args.push_back("-Y"); // fwbuilder works as scp wrapper args += scp_argv; args.push_back("-o"); // "3" here is the default value of ServerAliveCountMax parameter // This way, overall timeout will be the same for ssh and scp args.push_back(QString("ConnectTimeout=%1").arg(st->getSSHTimeout() * 3)); #endif if (!cnf->scpArgs.isEmpty()) args += cnf->scpArgs.split(" ", QString::SkipEmptyParts); args.push_back("-q"); args.push_back(file_with_path); /* * bug #2618772: "test install" option does not work. To fix, I * put macro for the temp directory in in res/os/host_os.xml XML * elements root/test/copy reg_user/test/copy. 
That macro * is read and processed by getDestinationDir() * * Also note that pscp.exe supports "-l user" command line arg, * but unix scp does not. Both support user@target format though * and it works with sessions for pscp.exe */ QString user_spec; if (!cnf->user.isEmpty()) user_spec = cnf->user + "@"; QString target; if (!cnf->putty_session.isEmpty()) target = QString("%1%2:%3").arg(user_spec) .arg(cnf->putty_session) .arg(fwcompiler::CompilerDriver::escapeFileName(remote_name)); else target = QString("%1%2:%3").arg(user_spec) .arg(mgmt_addr) .arg(fwcompiler::CompilerDriver::escapeFileName(remote_name)); args.push_back(target); if (fwbdebug) qDebug() << "args=" << args; } /* * take next job from job_list and execute it. * * Note that this slot is called when SSHSession emits signal * sessionFinished. This happens outside of control of the * instDialog. If user clicked Cancel or Finish button (even though * Finish should not be active, but still), runJobs() should not * continue. Check for this condition using instDialog::isFinished() * */ void FirewallInstaller::runJobs() { if (fwbdebug) qDebug("FirewallInstaller::runJobs"); if (inst_dlg->isFinished()) return; if (job_list.size()==0) { if (fwbdebug) qDebug("FirewallInstaller::runJobs: job list is empty"); QTimer::singleShot( 1000, inst_dlg, SLOT(mainLoopInstall())); return; } instJob current_job = job_list.front(); job_list.pop_front(); switch (current_job.job) { case COPY_FILE: copyFile(current_job.argument1, current_job.argument2); break; case EXECUTE_COMMAND: executeCommand(current_job.argument1); break; case ACTIVATE_POLICY: activatePolicy(current_job.argument1, current_job.argument2); break; case RUN_EXTERNAL_SCRIPT: executeExternalInstallScript(current_job.argument1, current_job.argument2); break; } } /* * copyFile starts background process and returns. Process object * emits signal finished() which will be connected to slot * commandFinished(). 
This slot checks termination status of the process * and if it was successfull, it schedules call to runJobs() */ void FirewallInstaller::copyFile(const QString &local_name, const QString &remote_name) { //QString platform = cnf->fwobj->getStr("platform").c_str(); // QTextCodec::setCodecForCStrings(QTextCodec::codecForName("latin1")); QStringList args; packSCPArgs(local_name, remote_name, args); inst_dlg->addToLog( tr("Copying %1 -> %2:%3\n") #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) .arg(QString::fromUtf8(local_name.toAscii().constData())) #else .arg(QString::fromUtf8(local_name.toLatin1().constData())) #endif .arg(cnf->maddr) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) .arg(QString::fromUtf8(remote_name.toAscii().constData()))); #else .arg(QString::fromUtf8(remote_name.toLatin1().constData()))); #endif if (cnf->verbose) inst_dlg->displayCommand(args); qApp->processEvents(); // Need session for scp copy because we need to enter password runSSHSession( new SSHUnx(inst_dlg, cnf->fwobj->getName().c_str(), args, cnf->pwd, "", list()), true ); } void FirewallInstaller::executeExternalInstallScript(const QString &command, const QString &script_args) { FWObjectDatabase *db = cnf->fwobj->getRoot(); assert(db); QString wdir = getFileDir( mw->getRCS()->getFileName() ); QStringList args; //args.push_back(command.trimmed()); args.push_back("-f"); args.push_back(db->getFileName().c_str()); if (wdir!="") { args.push_back("-d"); args.push_back(wdir); } args += script_args.trimmed().split(" ", QString::SkipEmptyParts); args.push_back(cnf->fwobj->getName().c_str()); if (cnf->verbose) inst_dlg->displayCommand(args); qApp->processEvents(); inst_dlg->setUpProcessToInstall(); if (!inst_dlg->executeCommand(command.trimmed(), args)) QTimer::singleShot( 0, inst_dlg, SLOT(mainLoopInstall())); } void FirewallInstaller::executeCommand(const QString &cmd) { QStringList args; packSSHArgs(args); args.push_back( cmd ); if (cnf->verbose) inst_dlg->displayCommand(args); qApp->processEvents(); 
QString path = args.at(0); args.pop_front(); inst_dlg->setUpProcessToInstall(); if (!inst_dlg->executeCommand(path, args)) QTimer::singleShot( 0, inst_dlg, SLOT(mainLoopInstall())); } // ************************************************************************ void FirewallInstaller::activatePolicy(const QString&, const QString&) { QTimer::singleShot( 0, this, SLOT(runJobs())); } /* * parameter intermediate: if true, then this session is part of the * set required to complete install on single firewall, such as when * we need to copy several files and then activate policy. If this * parameter is false, the session is final and installer terminates * when it finishes. This only applies to when session finishes * successfully. If session finishes with an error, we always * terminate installer. */ void FirewallInstaller::runSSHSession(SSHSession *s, bool intermediate) { if (fwbdebug) qDebug("FirewallInstaller::runSSHSession()"); session = s; session->setOptions(cnf); session->setFWBPrompt(fwb_prompt); connect(session,SIGNAL(printStdout_sign(const QString&)), inst_dlg, SLOT(addToLog(const QString&))); if (intermediate) connect(session,SIGNAL(sessionFinished_sign()), this, SLOT(runJobs())); else connect(session,SIGNAL(sessionFinished_sign()), inst_dlg, SLOT(installerSuccess())); connect(session,SIGNAL(sessionFatalError_sign()), inst_dlg, SLOT(installerError())); connect(session,SIGNAL(updateProgressBar_sign(int,bool)), inst_dlg, SLOT(updateProgressBar(int,bool))); session->startSession(); } QString FirewallInstaller::getFullPath(const QString &file ) { if (QDir::isRelativePath(file)) return cnf->wdir + "/" + file; else return file; } /* * This method builds and returns activation command * This method is used for all firewall platforms but PIX */ QString FirewallInstaller::getActivationCmd() { if (!cnf->activationCmd.isEmpty()) { return cnf->activationCmd; } FWOptions *fwopt = cnf->fwobj->getOptionsObject(); QString configlet_name = "installer_commands_"; if 
(cnf->user=="root") configlet_name += "root"; else configlet_name += "reg_user"; string host_os = cnf->fwobj->getStr("host_OS"); string os_family = Resources::os_res[host_os]-> getResourceStr("/FWBuilderResources/Target/family"); // installer configlets should be different for each OS, but if // some OS can use the same script, it will be placed in the file // under os_family name. For example: // for linksys/sveasoft configlet is in src/res/configlets/sveasoft // but since linux24 and openwrt can use the same script, it is // located in src/res/configlets/linux24 (openwrt.xml file defines // family as "linux24") Configlet configlet(host_os, os_family, configlet_name); configlet.removeComments(); configlet.collapseEmptyStrings(true); // test run and rollback were deprecated in 4.2.0. On Linux, BSD // and PIX rollback was implemented by rebooting firewall which is // too heavy-handed and it did not work on BSD at all. configlet.setVariable("test", false); configlet.setVariable("run", true); configlet.setVariable("with_rollback", false); configlet.setVariable("no_rollback", true); configlet.setVariable("firewall_name", QString::fromUtf8(cnf->fwobj->getName().c_str())); configlet.setVariable("with_compression", cnf->compressScript); configlet.setVariable("no_compression", ! cnf->compressScript); // On FreeBSD where we can generate either shell script or rc.conf // file, installation commands differ. // // TODO: find more generic way to do this so that GUI installer does not // have to be aware of the differences in generated file format. configlet.setVariable("rc_conf_format", fwopt->getBool("generate_rc_conf_file")); configlet.setVariable("shell_script_format", ! 
fwopt->getBool("generate_rc_conf_file")); replaceMacrosInCommand(&configlet); return configlet.expand().trimmed(); } void FirewallInstaller::replaceMacrosInCommand(Configlet *conf) { /* replace macros in activation commands: * * {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in * {{$fwdir}} -- directory on the firewall * {{$fwscript}} -- script name on the firewall * {{$rbtimeout}} -- rollbak timeout */ /* * TODO: it does not make sense to split remote_script and then * reassemble it again from the file name and cnf.fwdir. We should set * variable $remote_script and use it in the configlets instead, but * keep $fwbscript and $fwdir for backwards compatibility */ /* * remote_script is a full path, which in case of Cisco can be * something like "flash:file.fw". This means we have a problem with * QFileInfo that interprets it as path:filename on Window or just * file name with no directory path on Unix. As the result, fwbscript * becomes just "file.fw" on Windows and stays "flash:file.fw" on * Unix. */ /* * TODO: there must be a better place to fill cnd.fwscript than * this. 
All I need to do is fill it before calling summary() and * before launching installer that uses it in * FirewallInstaller::replaceMacrosInCommand() */ QString fwscript = fwcompiler::CompilerDriver::escapeFileName( QFileInfo(cnf->remote_script).fileName()); if (fwscript.indexOf(":")!=-1) fwscript = fwscript.section(':', 1, 1); cnf->fwscript = fwscript; if (fwbdebug) { qDebug() << "Macro substitutions:"; qDebug() << " $fwdir=" << cnf->fwdir; qDebug() << " cnf->script=" << cnf->script; qDebug() << " cnf->remote_script=" << cnf->remote_script; qDebug() << " $fwscript=" << cnf->fwscript; qDebug() << " $firewall_name=" << QString::fromUtf8( cnf->fwobj->getName().c_str()); } conf->setVariable("fwbprompt", fwb_prompt); conf->setVariable("fwdir", cnf->fwdir); conf->setVariable("fwscript", cnf->fwscript); conf->setVariable("firewall_name", QString::fromUtf8(cnf->fwobj->getName().c_str())); } /* * Returned directory path always ends with separator ("/") */ QString FirewallInstaller::getDestinationDir(const QString &fwdir) { QString dir = fwdir; if (fwbdebug) qDebug() << "FirewallInstaller::getDestinationDir: " << "destination directory=" << dir << "cnf->fwdir=" << cnf->fwdir; if (!dir.endsWith(QDir::separator())) return dir + "/"; return dir; } QString FirewallInstaller::getGeneratedFileFullPath(Firewall *fw) { /* bug #1617501: "Install fails after compile". The "output file" * setting that user enters in the "Compiler" tab of fw advanced * dialog can be either local or absolute path. 
*/ QString generated_file = getGeneratedFileName(fw); QFileInfo gen_file_info(generated_file); if (!gen_file_info.isAbsolute()) { QFileInfo fwb_file_info = QFileInfo(mw->getRCS()->getFileName()); generated_file = fwb_file_info.dir().path() + "/" + generated_file; } return QDir::toNativeSeparators(generated_file); } QString FirewallInstaller::getGeneratedFileName(Firewall *fw) { FWOptions *fwopt = fw->getOptionsObject(); QString generated_file; QString ofname = QString::fromUtf8(fwopt->getStr("output_file").c_str()).trimmed(); if (!ofname.isEmpty()) { generated_file = ofname; } else generated_file = QString::fromUtf8(fw->getName().c_str()) + ".fw"; return generated_file; } void FirewallInstaller::terminate() { if (session != NULL) { session->terminate(); } } fwbuilder-5.3.7/src/libgui/FirewallInstaller.h000066400000000000000000000064531303637203600213620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FIREWALLINSTALLER_H_ #define __FIREWALLINSTALLER_H_ #include "config.h" #include "instConf.h" #include "instDialog.h" #include "Configlet.h" #include #include #include #include #include #include #include #include class SSHSession; class instDialog; namespace libfwbuilder { class Firewall; } enum instJobType {COPY_FILE, EXECUTE_COMMAND, ACTIVATE_POLICY, RUN_EXTERNAL_SCRIPT}; class instJob { public: instJobType job; QString argument1; QString argument2; instJob(instJobType jt, const QString &a1, const QString &a2) { job = jt; argument1 = a1; argument2 = a2; } }; class FirewallInstaller : public QObject { Q_OBJECT protected: instDialog *inst_dlg; instConf *cnf; QProcess proc; // session is used when we run built-in installer SSHSession *session; std::list job_list; QString fwb_prompt; void runSSHSession(SSHSession *s, bool intermediate=false); QString getFullPath(const QString &file ); bool parseManifestLine(const QString &line, QString *local_file_name, QString *remote_file_name, bool *main_script); void executeExternalInstallScript(const QString &script, const QString &script_args); public: FirewallInstaller(instDialog *_dlg, instConf *_cnf, const QString &prompt) { inst_dlg = _dlg; cnf = _cnf; fwb_prompt = prompt; session = NULL; } void packSSHArgs(QStringList &args); void packSCPArgs(const QString &local_name, const QString &remote_name, QStringList &args); QString getActivationCmd(); void replaceMacrosInCommand(Configlet *configlet); virtual QString getDestinationDir(const QString &dir); void terminate(); virtual bool packInstallJobsList(libfwbuilder::Firewall*); virtual void copyFile(const QString &local_name, const QString &remote_name); virtual void executeCommand(const QString &cmd); virtual void activatePolicy(const QString &script, const QString &args); static QString 
getGeneratedFileFullPath(libfwbuilder::Firewall *fw); static QString getGeneratedFileName(libfwbuilder::Firewall *fw); virtual bool readManifest(const QString &conffie, QMap *all_files); public slots: void runJobs(); }; #endif fwbuilder-5.3.7/src/libgui/FirewallInstallerCisco.cpp000066400000000000000000000251251303637203600226730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "FirewallInstallerCisco.h" #include "instDialog.h" #include "SSHPIX.h" #include "SSHIOS.h" #include "SSHNXOS.h" #include "Configlet.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/XMLTools.h" #include #include #include #include using namespace std; using namespace libfwbuilder; FirewallInstallerCisco::FirewallInstallerCisco(instDialog *_dlg, instConf *_cnf, const QString &_p): FirewallInstaller(_dlg, _cnf, _p) { // string platform = cnf->fwobj->getStr("platform"); // if (cnf->fwdir.isEmpty()) // { // if (platform=="nxosacl") cnf->fwdir = "volatile:"; // else cnf->fwdir = "flash:"; // } } 
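// Builds the job queue for a Cisco target. Returns false (after showing
// an error) when the generated script cannot be read. An external
// install script configured on the Management object short-circuits
// everything else.
bool FirewallInstallerCisco::packInstallJobsList(Firewall*)
{
    if (fwbdebug)
        qDebug("FirewallInstallerCisco::packInstallJobList script=%s",
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
               cnf->script.toAscii().constData());
#else
               cnf->script.toLatin1().constData());
#endif

    job_list.clear();
    // config_lines is a member: clear it as well, otherwise a second
    // call would send the generated configuration twice.
    config_lines.clear();

    Management *mgmt = cnf->fwobj->getManagementObject();
    assert(mgmt!=NULL);
    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
    if (pis->getCommand()!="")
    {
        // Security note: the command and its arguments are read from the
        // firewall's Management object, i.e. from the .fwb data file, so
        // they are only as trustworthy as that file.
        QString cmd = pis->getCommand().c_str();
        QString args = pis->getArguments().c_str();
        job_list.push_back(instJob(RUN_EXTERNAL_SCRIPT, cmd, args));
        inst_dlg->addToLog(QString("Run script %1 %2\n").arg(cmd).arg(args));
        return true;
    }

    // Load the generated script early so we can abort the installation
    // if it is not accessible.
    //
    // Note about the PIX option "install only acl, icmp, telnet, ssh,
    // nat, global and static": it used to read the generated config here
    // and cut everything before the magic comment "!################"
    // (keeping only object-group, access-list, access-group, nat, static
    // and global). That is hard to do now that the config may be copied
    // with scp, so the same function moved to the compiler: the checkbox
    // lives on the "script" tab of the PIX advanced settings dialog and
    // the compiler emits the reduced script. Not supported on IOS at all.
    QString ff;
    QFileInfo script_info(cnf->script);
    if (script_info.isAbsolute()) ff = cnf->script;
    else ff = cnf->wdir + "/" + cnf->script;

    QFile data(ff);
    if (!data.open(QFile::ReadOnly))
    {
        QMessageBox::critical(
            inst_dlg, "Firewall Builder",
            tr("Can not read generated script %1").arg(ff),
            tr("&Continue"), QString::null,QString::null,
            0, 1 );
        return false;
    }
    QTextStream strm(&data);
    while (!strm.atEnd())
        config_lines.push_back(strm.readLine().trimmed());

    if (cnf->useSCPForRouter)
    {
        // Copy the script to the device file system first, then run the
        // activation command that loads it from there.
        QMap all_files;
        // readManifest() modifies cnf (assigns cnf->remote_script) !
        if (readManifest(cnf->script, &all_files))
        {
            QMap::iterator it;
            for (it=all_files.begin(); it!=all_files.end(); ++it)
                job_list.push_back(instJob(COPY_FILE, it.key(), it.value()));
        }
        job_list.push_back(instJob(ACTIVATE_POLICY, getActivationCmd(), ""));
    } else
    {
        // Without scp the configuration lines are typed into the ssh
        // session by activatePolicy(), which ignores its arguments; the
        // script path here is informational only.
        job_list.push_back(instJob(ACTIVATE_POLICY, cnf->script, ""));
    }
    return true;
}

// Sets the flags shared by the pre- and post-config installer configlets.
// "test"/"run"/rollback values are fixed: the test run and rollback
// features were deprecated in 4.2.0 (on Linux, BSD and PIX rollback was
// implemented by rebooting the firewall, which is too heavy-handed, and
// it did not work on BSD at all).
static void setCiscoInstallerFlags(Configlet *configlet,
                                   bool save_standby,
                                   bool version_lt_124,
                                   bool version_ge_124)
{
    configlet->removeComments();
    configlet->setVariable("test", false);
    configlet->setVariable("run", true);
    configlet->setVariable("schedule_rollback", false);
    configlet->setVariable("cancel_rollback", false);
    configlet->setVariable("save_standby", save_standby);
    configlet->setVariable("version_lt_124", version_lt_124);
    configlet->setVariable("version_ge_124", version_ge_124);
}

// Opens the ssh session to the device and feeds it the pre-config,
// activation and post-config command lists expanded from the installer
// configlets. Both parameters are ignored: everything needed is taken
// from cnf and from config_lines filled by packInstallJobsList().
void FirewallInstallerCisco::activatePolicy(const QString&, const QString&)
{
    QStringList args;
    packSSHArgs(args);

    if (cnf->verbose) inst_dlg->displayCommand(args);

    // Pick the session driver by platform. All three receive the login
    // password and the enable password from the installer settings.
    string platform = cnf->fwobj->getStr("platform");
    SSHCisco *ssh_object = NULL;
    if (platform=="pix" || platform=="fwsm")
    {
        ssh_object = new SSHPIX(inst_dlg,
                                cnf->fwobj->getName().c_str(),
                                args,
                                cnf->pwd,
                                cnf->epwd,
                                list());
    } else if (platform=="nxosacl")
    {
        ssh_object = new SSHNXOS(inst_dlg,
                                 cnf->fwobj->getName().c_str(),
                                 args,
                                 cnf->pwd,
                                 cnf->epwd,
                                 list());
    } else // ios
    {
        ssh_object = new SSHIOS(inst_dlg,
                                cnf->fwobj->getName().c_str(),
                                args,
                                cnf->pwd,
                                cnf->epwd,
                                list());
    }

    /*
     * TODO:
     * the structure of scriptlets (command templates) for PIX and
     * IOS is nice and generic, it uses generalized "pre_config"
     * and "post_config" hooks in SSHPIX / SSHIOS classes. Need to
     * do the same for Unix firewalls.
     */

    string version = cnf->fwobj->getStr("version");
    bool version_lt_124 = XMLTools::version_compare(version, "12.4") < 0;
    bool version_ge_124 = XMLTools::version_compare(version, "12.4") >= 0;

    string host_os = cnf->fwobj->getStr("host_OS");
    string os_family = Resources::os_res[host_os]->
        getResourceStr("/FWBuilderResources/Target/family");

    // installer configlets should be different for each OS, but if
    // some OS can use the same script, it will be placed in the file
    // under os_family name. For example:
    // for PIX configlet is in src/res/configlets/pix_os
    // but since fwsm and pix can use the same script and fwsm_os.xml
    // declares family as "pix_os", it uses the same configlet.
    Configlet pre_config(host_os, os_family, "installer_commands_pre_config");
    setCiscoInstallerFlags(&pre_config, cnf->saveStandby,
                           version_lt_124, version_ge_124);
    replaceMacrosInCommand(&pre_config);

    Configlet post_config(host_os, os_family, "installer_commands_post_config");
    setCiscoInstallerFlags(&post_config, cnf->saveStandby,
                           version_lt_124, version_ge_124);
    replaceMacrosInCommand(&post_config);

    ssh_object->loadPreConfigCommands(
        pre_config.expand().split("\n", QString::SkipEmptyParts) );
    ssh_object->loadPostConfigCommands(
        post_config.expand().split("\n", QString::SkipEmptyParts) );

    Configlet activation(host_os, os_family, "installer_commands_reg_user");
    activation.removeComments();
    replaceMacrosInCommand(&activation);
    activation.setVariable("using_scp", cnf->useSCPForRouter);
    activation.setVariable("not_using_scp", ! cnf->useSCPForRouter);
    activation.setVariable("using_nxos_session", cnf->useNXOSSession);
    activation.setVariable("not_using_nxos_session", ! cnf->useNXOSSession);

    // Without scp the whole generated configuration is embedded in the
    // activation commands and typed over the session.
    if ( ! cnf->useSCPForRouter)
    {
        activation.setVariable("fwbuilder_generated_configuration_lines",
                               config_lines.join("\n"));
    }

    ssh_object->loadActivationCommands(
        activation.expand().split("\n", QString::SkipEmptyParts) );

    runSSHSession(ssh_object);
    return;
}

// Cisco targets have no manifest: the only file to copy is the generated
// script itself, which goes into cnf->fwdir on the device. Also records
// the remote path in cnf->remote_script. Always returns true.
bool FirewallInstallerCisco::readManifest(const QString &script,
                                          QMap *all_files)
{
    if (fwbdebug) qDebug("FirewallInstallerCisco::readManifest");

    // path returned by getDestinationDir always ends with separator
    // in case of IOS, it is ":"
    QString dest_dir = getDestinationDir(cnf->fwdir);
    QFileInfo file_base(script);
    QString remote_file = dest_dir + file_base.fileName();
    // This used to print unconditionally; keep it behind the debug flag
    // like every other diagnostic in this file.
    if (fwbdebug) qDebug() << "001 REMOTE FILE:" << remote_file;

    cnf->remote_script = remote_file;
    (*all_files)[script] = remote_file;
    return true;
}

// IOS file system names end with ":" (e.g. "flash:"), so the separator
// is appended when missing. An empty fwdir yields ":".
QString FirewallInstallerCisco::getDestinationDir(const QString &fwdir)
{
    if (fwbdebug)
        qDebug() << "FirewallInstallerCisco::getDestinationDir: "
                 << "fwdir=" << fwdir;

    QString dir = fwdir;
    if (!dir.endsWith(":")) return dir + ":";
    return dir;
}
fwbuilder-5.3.7/src/libgui/FirewallInstallerCisco.h000066400000000000000000000032331303637203600223340ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2008 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.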
To get a copy of the GNU General Public License, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef __FIREWALLINSTALLERCISCO_H_
#define __FIREWALLINSTALLERCISCO_H_

#include "config.h"
#include "FirewallInstaller.h"

#include
#include
#include
#include
#include

namespace libfwbuilder { class Firewall; }

// Installer for Cisco targets (PIX/FWSM, IOS, NX-OS). The generated
// script is either copied with scp and loaded by an activation command,
// or typed line by line into the ssh session when scp is disabled.
class FirewallInstallerCisco : public FirewallInstaller
{
    Q_OBJECT;

protected:
    // Trimmed lines of the generated script, filled by
    // packInstallJobsList() and embedded in the activation configlet
    // when scp is not used.
    QStringList config_lines;

    // Appends ":" to dir when missing (IOS file system name, e.g. "flash:").
    virtual QString getDestinationDir(const QString &dir);
    // Maps the script to its remote path in cnf->fwdir and stores that
    // path in cnf->remote_script.
    virtual bool readManifest(const QString &conffie, QMap *all_files);

public:
    FirewallInstallerCisco(instDialog *_dlg, instConf *_cnf, const QString &_p);

    virtual bool packInstallJobsList(libfwbuilder::Firewall*);
    // Both arguments are ignored; the session is driven from cnf and
    // config_lines.
    virtual void activatePolicy(const QString &script, const QString &args);
};

#endif
fwbuilder-5.3.7/src/libgui/FirewallInstallerJuniper.cpp000066400000000000000000000213721303637203600232470ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2008 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
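To get a copy of the GNU General Public License, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "config.h"
#include "global.h"
#include "utils.h"
#include "utils_no_qt.h"

#include "FirewallInstallerJuniper.h"
#include "instDialog.h"
#include "SSHJUNOS.h"
#include "Configlet.h"

#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/XMLTools.h"

#include
#include
#include
#include

using namespace std;
using namespace libfwbuilder;

// Nothing to initialise beyond the base class. The commented-out code
// was copied from the Cisco installer and never applied to Junos.
FirewallInstallerJuniper::FirewallInstallerJuniper(instDialog *_dlg,
                                                   instConf *_cnf,
                                                   const QString &_p):
    FirewallInstaller(_dlg, _cnf, _p)
{
    // string platform = cnf->fwobj->getStr("platform");
    // if (cnf->fwdir.isEmpty())
    // {
    //     if (platform=="nxosacl") cnf->fwdir = "volatile:";
    //     else cnf->fwdir = "flash:";
    // }
}

// Builds the job queue for a Junos target: copy the generated script
// with scp, then run the activation command. Returns false (after
// showing an error) when the generated script cannot be read. An
// external install script configured on the Management object
// short-circuits everything else.
bool FirewallInstallerJuniper::packInstallJobsList(Firewall*)
{
    if (fwbdebug)
        qDebug("FirewallInstallerJuniper::packInstallJobList script=%s",
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
               cnf->script.toAscii().constData());
#else
               cnf->script.toLatin1().constData());
#endif

    job_list.clear();
    // config_lines is a member: clear it as well so a repeated call does
    // not accumulate the script twice.
    config_lines.clear();

    Management *mgmt = cnf->fwobj->getManagementObject();
    assert(mgmt!=NULL);
    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
    if (pis->getCommand()!="")
    {
        // Security note: the command and its arguments are read from the
        // firewall's Management object, i.e. from the .fwb data file, so
        // they are only as trustworthy as that file.
        QString cmd = pis->getCommand().c_str();
        QString args = pis->getArguments().c_str();
        job_list.push_back(instJob(RUN_EXTERNAL_SCRIPT, cmd, args));
        inst_dlg->addToLog(QString("Run script %1 %2\n").arg(cmd).arg(args));
        return true;
    }

    // Load the generated script early so we can abort the installation
    // if it is not accessible. (The lines are only used by
    // activatePolicy() when scp is off, which never happens here, but
    // the readability check is still the earliest failure point.)
    QString ff;
    QFileInfo script_info(cnf->script);
    if (script_info.isAbsolute()) ff = cnf->script;
    else ff = cnf->wdir + "/" + cnf->script;

    QFile data(ff);
    if (!data.open(QFile::ReadOnly))
    {
        QMessageBox::critical(
            inst_dlg, "Firewall Builder",
            tr("Can not read generated script %1").arg(ff),
            tr("&Continue"), QString::null,QString::null,
            0, 1 );
        return false;
    }
    QTextStream strm(&data);
    while (!strm.atEnd())
        config_lines.push_back(strm.readLine().trimmed());

    // Currently we only support scp for Junos. The flag is forced here
    // because activatePolicy() reads it again from cnf.
    cnf->useSCPForRouter = true;

    QMap all_files;
    // readManifest() modifies cnf (assigns cnf->remote_script) !
    if (readManifest(cnf->script, &all_files))
    {
        QMap::iterator it;
        for (it=all_files.begin(); it!=all_files.end(); ++it)
            job_list.push_back(instJob(COPY_FILE, it.key(), it.value()));
    }
    job_list.push_back(instJob(ACTIVATE_POLICY, getActivationCmd(), ""));
    return true;
}

// Strips template comments and sets the flags shared by the pre- and
// post-config installer configlets. Previously only post_config got
// these; pre_config was expanded with its comments and without the
// flags, unlike every other installer in this directory.
static void setJunosInstallerFlags(Configlet *configlet)
{
    configlet->removeComments();
    configlet->setVariable("test", false);
    configlet->setVariable("run", true);
    configlet->setVariable("schedule_rollback", false);
    configlet->setVariable("cancel_rollback", false);
}

// Opens the ssh session to the device and feeds it the pre-config,
// activation and post-config command lists expanded from the installer
// configlets. Both parameters are ignored: everything needed comes from
// cnf and from config_lines filled by packInstallJobsList().
void FirewallInstallerJuniper::activatePolicy(const QString&, const QString&)
{
    QStringList args;
    packSSHArgs(args);

    if (cnf->verbose) inst_dlg->displayCommand(args);

    // The session gets the login password and the enable password from
    // the installer settings, as the Cisco sessions do.
    SSHJunos *ssh_object = new SSHJunos(inst_dlg,
                                        cnf->fwobj->getName().c_str(),
                                        args,
                                        cnf->pwd,
                                        cnf->epwd,
                                        list());

    /*
     * TODO:
     * the structure of scriptlets (command templates) for PIX and
     * IOS is nice and generic, it uses generalized "pre_config"
     * and "post_config" hooks in SSHPIX / SSHIOS classes. Need to
     * do the same for Unix firewalls.
     */

    string host_os = cnf->fwobj->getStr("host_OS");
    string os_family = Resources::os_res[host_os]->
        getResourceStr("/FWBuilderResources/Target/family");

    // installer configlets should be different for each OS, but if
    // some OS can use the same script, it will be placed in the file
    // under os_family name. For example:
    // for PIX configlet is in src/res/configlets/pix_os
    // but since fwsm and pix can use the same script and fwsm_os.xml
    // declares family as "pix_os", it uses the same configlet.
    Configlet pre_config(host_os, os_family, "installer_commands_pre_config");
    setJunosInstallerFlags(&pre_config);
    replaceMacrosInCommand(&pre_config);

    Configlet post_config(host_os, os_family, "installer_commands_post_config");
    setJunosInstallerFlags(&post_config);
    replaceMacrosInCommand(&post_config);

    ssh_object->loadPreConfigCommands(
        pre_config.expand().split("\n", QString::SkipEmptyParts) );
    ssh_object->loadPostConfigCommands(
        post_config.expand().split("\n", QString::SkipEmptyParts) );

    Configlet activation(host_os, os_family, "installer_commands_reg_user");
    activation.removeComments();
    replaceMacrosInCommand(&activation);
    activation.setVariable("using_scp", cnf->useSCPForRouter);
    activation.setVariable("not_using_scp", ! cnf->useSCPForRouter);

    // Kept for symmetry with the other installers; packInstallJobsList()
    // forces useSCPForRouter on, so this branch is not taken today.
    if ( ! cnf->useSCPForRouter)
    {
        activation.setVariable("fwbuilder_generated_configuration_lines",
                               config_lines.join("\n"));
    }

    ssh_object->loadActivationCommands(
        activation.expand().split("\n", QString::SkipEmptyParts) );

    runSSHSession(ssh_object);
    return;
}

// Junos targets have no manifest: the only file to copy is the generated
// script itself, placed in cnf->fwdir on the device. Also records the
// remote path in cnf->remote_script. Always returns true.
bool FirewallInstallerJuniper::readManifest(const QString &script,
                                            QMap *all_files)
{
    if (fwbdebug) qDebug("FirewallInstallerJuniper::readManifest");

    // path returned by getDestinationDir always ends with separator,
    // which is "/" on Junos
    QString dest_dir = getDestinationDir(cnf->fwdir);
    QFileInfo file_base(script);
    QString remote_file = dest_dir + file_base.fileName();
    // This used to print unconditionally; keep it behind the debug flag
    // like every other diagnostic in this file.
    if (fwbdebug) qDebug() << "001 REMOTE FILE:" << remote_file;

    cnf->remote_script = remote_file;
    (*all_files)[script] = remote_file;
    return true;
}

// Junos paths are ordinary Unix paths: append "/" when missing. An
// empty fwdir yields "/", i.e. the root directory.
QString FirewallInstallerJuniper::getDestinationDir(const QString &fwdir)
{
    if (fwbdebug)
        qDebug() << "FirewallInstallerJuniper::getDestinationDir: "
                 << "fwdir=" << fwdir;

    QString dir = fwdir;
    if (!dir.endsWith("/")) return dir + "/";
    return dir;
}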
fwbuilder-5.3.7/src/libgui/FirewallInstallerJuniper.h000066400000000000000000000032431303637203600227110ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2008 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free
  Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#ifndef __FIREWALLINSTALLERJUNIPER_H_
#define __FIREWALLINSTALLERJUNIPER_H_

#include "config.h"
#include "FirewallInstaller.h"

#include
#include
#include
#include
#include

namespace libfwbuilder { class Firewall; }

// Installer for Junos targets. The generated script is always copied
// with scp (packInstallJobsList() forces cnf->useSCPForRouter on) and
// then loaded by an activation command run over ssh.
class FirewallInstallerJuniper : public FirewallInstaller
{
    Q_OBJECT;

protected:
    // Trimmed lines of the generated script, filled by
    // packInstallJobsList(); only embedded in the activation configlet
    // when scp is off, which does not happen for Junos.
    QStringList config_lines;

    // Appends "/" to dir when missing.
    virtual QString getDestinationDir(const QString &dir);
    // Maps the script to its remote path in cnf->fwdir and stores that
    // path in cnf->remote_script.
    virtual bool readManifest(const QString &conffie, QMap *all_files);

public:
    FirewallInstallerJuniper(instDialog *_dlg, instConf *_cnf, const QString &_p);

    virtual bool packInstallJobsList(libfwbuilder::Firewall*);
    // Both arguments are ignored; the session is driven from cnf.
    virtual void activatePolicy(const QString &script, const QString &args);
};

#endif
fwbuilder-5.3.7/src/libgui/FirewallInstallerProcurve.cpp000066400000000000000000000164271303637203600234430ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2010 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.
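You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free
  Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "config.h"
#include "global.h"
#include "utils.h"
#include "utils_no_qt.h"

#include "FirewallInstallerProcurve.h"
#include "instDialog.h"
#include "SSHPIX.h"
#include "SSHIOS.h"
#include "SSHProcurve.h"
#include "Configlet.h"

#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/XMLTools.h"

#include
#include
#include
#include

using namespace std;
using namespace libfwbuilder;

FirewallInstallerProcurve::FirewallInstallerProcurve(instDialog *_dlg,
                                                     instConf *_cnf,
                                                     const QString &_p):
    FirewallInstallerCisco(_dlg, _cnf, _p)
{
}

// Builds the job queue for a ProCurve target. scp is not supported
// (unless SCP_SUPPORT_FOR_PROCURVE is defined), so the normal plan is a
// single ACTIVATE_POLICY job and the configuration is typed into the
// ssh session by activatePolicy(). Returns false (after showing an
// error) when the generated script cannot be read. An external install
// script configured on the Management object short-circuits everything
// else.
bool FirewallInstallerProcurve::packInstallJobsList(Firewall*)
{
    if (fwbdebug)
        qDebug("FirewallInstallerProcurve::packInstallJobList script=%s",
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
               cnf->script.toAscii().constData());
#else
               cnf->script.toLatin1().constData());
#endif

    job_list.clear();
    // config_lines is an inherited member: clear it as well so a
    // repeated call does not send the configuration twice.
    config_lines.clear();

    Management *mgmt = cnf->fwobj->getManagementObject();
    assert(mgmt!=NULL);
    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
    if (pis->getCommand()!="")
    {
        // Security note: the command and its arguments are read from the
        // firewall's Management object, i.e. from the .fwb data file, so
        // they are only as trustworthy as that file.
        QString cmd = pis->getCommand().c_str();
        QString args = pis->getArguments().c_str();
        job_list.push_back(instJob(RUN_EXTERNAL_SCRIPT, cmd, args));
        inst_dlg->addToLog(QString("Run script %1 %2\n").arg(cmd).arg(args));
        return true;
    }

    // Load configuration file early so we can abort installation if
    // it is not accessible
    QString ff;
    QFileInfo script_info(cnf->script);
    if (script_info.isAbsolute()) ff = cnf->script;
    else ff = cnf->wdir + "/" + cnf->script;

    QFile data(ff);
    if (!data.open(QFile::ReadOnly))
    {
        QMessageBox::critical(
            inst_dlg, "Firewall Builder",
            tr("Can not read generated script %1").arg(ff),
            tr("&Continue"), QString::null,QString::null,
            0, 1 );
        return false;
    }
    QTextStream strm(&data);
    while (!strm.atEnd())
        config_lines.push_back(strm.readLine().trimmed());

#ifdef SCP_SUPPORT_FOR_PROCURVE
    if (cnf->useSCPForRouter)
    {
        QMap all_files;
        // readManifest() modifies cnf (assigns cnf->remote_script) !
        if (readManifest(cnf->script, &all_files))
        {
            QMap::iterator it;
            for (it=all_files.begin(); it!=all_files.end(); ++it)
                job_list.push_back(instJob(COPY_FILE, it.key(), it.value()));
        }
        job_list.push_back(instJob(ACTIVATE_POLICY, getActivationCmd(), ""));
        // Return here: the old code fell through and queued a second
        // ACTIVATE_POLICY job, which would have activated the policy twice.
        return true;
    }
#endif

    // No scp: activatePolicy() ignores its arguments and types
    // config_lines over the session, so the script path is informational.
    job_list.push_back(instJob(ACTIVATE_POLICY, cnf->script, ""));
    return true;
}

// Sets the flags shared by the pre- and post-config installer configlets.
// "test"/"run"/rollback values are fixed: the test run and rollback
// features were deprecated in 4.2.0 (on Linux, BSD and PIX rollback was
// implemented by rebooting the firewall, which is too heavy-handed, and
// it did not work on BSD at all).
static void setProcurveInstallerFlags(Configlet *configlet, bool save_standby)
{
    configlet->removeComments();
    configlet->setVariable("test", false);
    configlet->setVariable("run", true);
    configlet->setVariable("schedule_rollback", false);
    configlet->setVariable("cancel_rollback", false);
    configlet->setVariable("save_standby", save_standby);
}

// Opens the ssh session to the switch and feeds it the pre-config,
// activation and post-config command lists expanded from the installer
// configlets. Both parameters are ignored: everything needed comes from
// cnf and from config_lines filled by packInstallJobsList().
void FirewallInstallerProcurve::activatePolicy(const QString&, const QString&)
{
    QStringList args;
    packSSHArgs(args);

    if (cnf->verbose) inst_dlg->displayCommand(args);

    // The session gets the login password and the enable password from
    // the installer settings.
    SSHProcurve *ssh_object = new SSHProcurve(inst_dlg,
                                              cnf->fwobj->getName().c_str(),
                                              args,
                                              cnf->pwd,
                                              cnf->epwd,
                                              list());

    /*
     * TODO:
     * the structure of scriptlets (command templates) for PIX and
     * IOS is nice and generic, it uses generalized "pre_config"
     * and "post_config" hooks in SSHPIX / SSHIOS classes. Need to
     * do the same for Unix firewalls.
     */

    string host_os = cnf->fwobj->getStr("host_OS");
    string os_family = Resources::os_res[host_os]->
        getResourceStr("/FWBuilderResources/Target/family");

    // installer configlets should be different for each OS, but if
    // some OS can use the same script, it will be placed in the file
    // under os_family name. For example:
    // for PIX configlet is in src/res/configlets/pix_os
    // but since fwsm and pix can use the same script and fwsm_os.xml
    // declares family as "pix_os", it uses the same configlet.
    Configlet pre_config(host_os, os_family, "installer_commands_pre_config");
    setProcurveInstallerFlags(&pre_config, cnf->saveStandby);
    replaceMacrosInCommand(&pre_config);

    Configlet post_config(host_os, os_family, "installer_commands_post_config");
    setProcurveInstallerFlags(&post_config, cnf->saveStandby);
    replaceMacrosInCommand(&post_config);

    ssh_object->loadPreConfigCommands(
        pre_config.expand().split("\n", QString::SkipEmptyParts) );
    ssh_object->loadPostConfigCommands(
        post_config.expand().split("\n", QString::SkipEmptyParts) );

    Configlet activation(host_os, os_family, "installer_commands_reg_user");
    activation.removeComments();
    replaceMacrosInCommand(&activation);

    // Decide "using scp" the same way packInstallJobsList() does. The old
    // code told the configlet that scp was off but only embedded the
    // configuration lines when cnf->useSCPForRouter was also off, so a
    // ticked scp option produced an activation with no configuration.
#ifdef SCP_SUPPORT_FOR_PROCURVE
    bool using_scp = cnf->useSCPForRouter;
#else
    bool using_scp = false;   // no COPY_FILE job is ever queued
#endif
    activation.setVariable("using_scp", using_scp);
    activation.setVariable("not_using_scp", ! using_scp);

    if ( ! using_scp)
    {
        activation.setVariable("fwbuilder_generated_configuration_lines",
                               config_lines.join("\n"));
    }

    ssh_object->loadActivationCommands(
        activation.expand().split("\n", QString::SkipEmptyParts) );

    runSSHSession(ssh_object);
    return;
}
fwbuilder-5.3.7/src/libgui/FirewallInstallerProcurve.h000066400000000000000000000027171303637203600231070ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2010 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.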
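To get a copy of the GNU General Public License, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef __FIREWALLINSTALLERPROCURVE_H_
#define __FIREWALLINSTALLERPROCURVE_H_

#include "config.h"
#include "FirewallInstallerCisco.h"

#include
#include
#include
#include
#include

namespace libfwbuilder { class Firewall; }

// Installer for HP ProCurve switches. Reuses the Cisco installer's
// config_lines / readManifest / getDestinationDir and overrides only the
// job planning and the ssh session driver.
class FirewallInstallerProcurve : public FirewallInstallerCisco
{
    Q_OBJECT;

public:
    FirewallInstallerProcurve(instDialog *_dlg, instConf *_cnf, const QString &_p);

    virtual bool packInstallJobsList(libfwbuilder::Firewall*);
    // Both arguments are ignored; the session is driven from cnf and
    // config_lines.
    virtual void activatePolicy(const QString &script, const QString &args);
};

#endif
fwbuilder-5.3.7/src/libgui/FirewallInstallerUnx.cpp000066400000000000000000000141671303637203600224070ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2008 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free
  Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include "config.h"
#include "global.h"
#include "utils.h"
#include "utils_no_qt.h"

#include "FirewallInstallerUnx.h"
#include "instDialog.h"
#include "SSHUnx.h"
#include "FWWindow.h"

#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"

#include
#include
#include

#ifndef _WIN32
# include   // for access(2) and getdomainname
#endif

#include
#include
#include
#include
#include
#include
#include
#include
#include

using namespace std;
using namespace libfwbuilder;

// Builds the job queue for a Unix target from the manifest embedded in
// the generated .fw script: one COPY_FILE per manifest entry, optionally
// a copy of the .fwb data file, then the activation command. Returns
// false after reporting an error when the manifest cannot be read or
// lists no files. An external install script configured on the
// Management object short-circuits everything else.
bool FirewallInstallerUnx::packInstallJobsList(Firewall* fw)
{
    if (fwbdebug)
    {
        qDebug() << "FirewallInstallerUnx::packInstallJobList";
        qDebug() << "cnf->user=" << cnf->user;
    }

    job_list.clear();
    inst_dlg->addToLog(QString("Installation plan:\n"));

    Management *mgmt = cnf->fwobj->getManagementObject();
    assert(mgmt!=NULL);
    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
    if (pis->getCommand()!="")
    {
        // Security note: the command and its arguments are read from the
        // firewall's Management object, i.e. from the .fwb data file, so
        // they are only as trustworthy as that file.
        QString cmd = pis->getCommand().c_str();
        QString args = pis->getArguments().c_str();
        job_list.push_back(instJob(RUN_EXTERNAL_SCRIPT, cmd, args));
        inst_dlg->addToLog(QString("Run script %1 %2\n").arg(cmd).arg(args));
        return true;
    }

    /* read manifest from the conf file */
    if (fwbdebug)
        qDebug("FirewallInstaller::packInstallJobsList read manifest from %s",
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
               cnf->script.toAscii().constData());
#else
               cnf->script.toLatin1().constData());
#endif

    /*
     * Note that if output file is specified in firewall settings dialog,
     * it can be an absolute path. In this case compiler puts additional
     * generated files (if any) in the same directory. The manifest in the
     * .fw file does not specify directory path so that the .fw file and
     * all additional files can be moved together someplace else. We take
     * dir path from the .fw file and if it is not empty, assume that all
     * other files are located there as well.
     */

    // compilers always write file names into manifest in Utf8.
    // NOTE: setCodecForLocale() is process-wide and is never restored.
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8"));
#endif
    QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8"));

    //key: local_file_name val: remote_file_name
    QMap all_files;
    // readManifest() modifies cnf !
    if (!readManifest(cnf->script, &all_files))
    {
        inst_dlg->opError(fw);
        return false;
    }

    QMap::iterator it;
    for (it=all_files.begin(); it!=all_files.end(); ++it)
    {
        job_list.push_back(instJob(COPY_FILE, it.key(), it.value()));
        // Log the QString directly. The old toLatin1()/const char* round
        // trip (Qt 5 build) mangled non-Latin1 file names, although the
        // comment above says manifest names are UTF-8.
        inst_dlg->addToLog(QString("Copy file: %1 --> %2\n")
                           .arg(it.key()).arg(it.value()));
    }

    if (job_list.empty())
    {
        QMessageBox::critical(
            inst_dlg, "Firewall Builder",
            tr("Incorrect manifest format in generated script. "
               "Line with \"*\" is missing, can not find any files "
               "to copy to the firewall.\n%1").arg(cnf->script),
            tr("&Continue"), QString::null,QString::null,
            0, 1 );
        return false;
    }

    if (cnf->copyFWB)
    {
        // Optionally ship the .fwb data file. Security note: the data
        // file holds the configuration of every firewall managed from
        // it, not just this one, so this puts all of it on the target.
        // The local name is the bare file name; presumably copyFile()
        // resolves it via getFullPath() — verify before relying on it.
        QString dest_dir = getDestinationDir(cnf->fwdir);
        QFileInfo fwbfile_base(cnf->fwbfile);
        job_list.push_back(instJob(COPY_FILE, fwbfile_base.fileName(), dest_dir));
        inst_dlg->addToLog(QString("Copy data file: %1 --> %2\n")
                           .arg(fwbfile_base.fileName()).arg(dest_dir));
    }

    QString cmd = getActivationCmd();
    job_list.push_back(instJob(ACTIVATE_POLICY, cmd, ""));
    inst_dlg->addToLog(QString("Run script %1\n").arg(cmd));
    inst_dlg->addToLog(QString("\n"));
    return true;
}

// ************************************************************************

// The activation command is run over ssh; the second argument is unused.
void FirewallInstallerUnx::activatePolicy(const QString &cmd, const QString&)
{
    executeSession(cmd);
}

// Runs one command on the firewall over ssh. The command is appended as
// a single ssh argument, so the remote login shell parses it; in this
// file it is the string produced by getActivationCmd(). The session
// gets the login password only (the enable-password slot used by the
// Cisco sessions is left empty) and is not marked as intermediate.
void FirewallInstallerUnx::executeSession(const QString &cmd)
{
    QStringList args;
    packSSHArgs(args);
    args.push_back( cmd );

    if (cnf->verbose) inst_dlg->displayCommand(args);

    inst_dlg->enableStopButton();
    qApp->processEvents();

    runSSHSession(
        new SSHUnx(inst_dlg,
                   cnf->fwobj->getName().c_str(),
                   args,
                   cnf->pwd,
                   "",
                   list()),
        false );
}
fwbuilder-5.3.7/src/libgui/FirewallInstallerUnx.h000066400000000000000000000027341303637203600220530ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2008 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.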
See the GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free
  Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef __FIREWALLINSTALLERUNX_H_
#define __FIREWALLINSTALLERUNX_H_

#include "config.h"
#include "FirewallInstaller.h"

#include
#include
#include

namespace libfwbuilder { class Firewall; }

// Installer for Unix-like targets (iptables, PF, ...). Files listed in
// the manifest of the generated script are copied with scp and the
// policy is then activated by running a command over ssh.
class FirewallInstallerUnx : public FirewallInstaller
{
    Q_OBJECT

    // Runs cmd on the firewall in a new SSHUnx session.
    void executeSession(const QString &cmd);

public:
    FirewallInstallerUnx(instDialog *_dlg, instConf *_cnf, const QString &_p) :
        FirewallInstaller(_dlg, _cnf, _p) {}

    virtual bool packInstallJobsList(libfwbuilder::Firewall*);
    // Runs script (the activation command) over ssh; args is unused.
    virtual void activatePolicy(const QString &script, const QString &args);
};

#endif
fwbuilder-5.3.7/src/libgui/FirewallSelectorWidget.cpp000066400000000000000000000203101303637203600226700ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Roman Bovsunivskiy     a2k0001@gmail.com

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "FirewallSelectorWidget.h" #include using namespace std; using namespace libfwbuilder; FirewallSelectorWidget::FirewallSelectorWidget(QWidget *parent): QTableWidget(parent) { // this->setHorizontalHeaderLabels(QStringList() << tr("Title") << tr("Use") << tr("Master")); } FirewallSelectorWidget::~FirewallSelectorWidget() { clear(); } void FirewallSelectorWidget::setFirewallList(list firewalls, bool select) { QSet nonuniq; foreach (Firewall* fw1, firewalls) { foreach (Firewall* fw2, firewalls) { if (fw1 != fw2 && fw1->getName() == fw2->getName() && fw2->getLibraryName() != fw1->getLibraryName()) { nonuniq.insert(fw1); nonuniq.insert(fw2); } } } this->clear(); Firewall *fw; for (list::iterator it = firewalls.begin(); it != firewalls.end(); it++) { fw = *it; QTableWidgetItem *title = new QTableWidgetItem(QIcon(":/Icons/Firewall/icon"), QString::fromUtf8(fw->getName().c_str())); if (nonuniq.contains(fw)) title->setText((fw->getLibraryName() + " / " + fw->getName()).c_str()); title->setFlags(Qt::ItemIsEnabled); QCheckBox *box = new QCheckBox(this); connect(box, SIGNAL(toggled(bool)), this, SLOT(usageChanged(bool))); QRadioButton *radio = new QRadioButton(this); radio->setEnabled(false); TableRow rw; rw.firewall = fw; rw.master = radio; rw.title = title; rw.use = box; int rowNumber = this->rowCount(); boxrow[box] = rowNumber; radiorow[radio] = rowNumber; this->insertRow(rowNumber); rows[rowNumber] = rw; this->setItem(rowNumber, 0, title); this->setCellWidget(rowNumber, 1, box); this->setCellWidget(rowNumber, 2, radio); if (select) box->setChecked(true); } this->sortItems(0, Qt::AscendingOrder); } void FirewallSelectorWidget::usageChanged(bool st) { int row = this->boxrow[dynamic_cast(sender())]; if (!st) rows[row].master->setChecked(st); rows[row].master->setEnabled(st); bool isMaster = false, isSelected = false; 
foreach(TableRow row, this->rows.values()) { if (row.use->isChecked()) isSelected = true; if (row.master->isChecked() && row.use->isChecked()) isMaster = true; } if (isSelected && !isMaster) { foreach(TableRow row, this->rows.values()) { if (row.use->isChecked()) { row.master->setChecked(true); break; } } } } QList > FirewallSelectorWidget::getSelectedFirewalls() { QList > res; foreach(TableRow row, this->rows.values()) { if (row.use->isChecked()) res.append(qMakePair(row.firewall, row.master->isChecked())); } return res; } bool FirewallSelectorWidget::isValid() { QString host_os, platform, version; QList > fws = this->getSelectedFirewalls(); if (fws.count() == 0) { QMessageBox::critical( this, "Firewall Builder", tr("You should select at least one firewall to use " "with the cluster"), "&Continue", QString::null, QString::null, 0, 1); return false; } for ( int i = 0; i < fws.count(); i++) { if (host_os.isEmpty()) host_os = fws.at(i).first->getStr("host_OS").c_str(); else if (host_os != fws.at(i).first->getStr("host_OS").c_str()) { QMessageBox::critical( this, "Firewall Builder", tr("Host operation systems of chosen firewalls are different"), "&Continue", QString::null, QString::null, 0, 1); return false; } if (platform.isEmpty()) platform = fws.at(i).first->getStr("platform").c_str(); else if (platform != fws.at(i).first->getStr("platform").c_str()) { QMessageBox::critical( this, "Firewall Builder", tr("Platforms of chosen firewalls are different"), "&Continue", QString::null, QString::null, 0, 1); return false; } #ifdef COMPARE_MEMBER_VERSIONS_FOR_CLUSTER if (version.isEmpty()) version = fws.at(i).first->getStr("version").c_str(); else if (version != fws.at(i).first->getStr("version").c_str()) { QMessageBox::critical( this, "Firewall Builder", tr("Versions of chosen firewalls are different"), "&Continue", QString::null, QString::null, 0, 1); return false; } #endif } int ok = false; // check for at least one same interface in all firwalls if ( fws.count() ) { 
FWObjectTypedChildIterator intrs = fws.first().first->findByType(Interface::TYPENAME); for ( ; intrs!=intrs.end(); ++intrs ) { //if (Interface::cast(*intrs)->isLoopback()) continue; string name = Interface::cast(*intrs)->getName(); int got = 0; for ( int j = 0; j < fws.count(); j++) { FWObjectTypedChildIterator intrs2 = fws.at(j).first->findByType(Interface::TYPENAME); for ( ; intrs2!=intrs2.end(); ++intrs2 ) { if (Interface::cast(*intrs2)->getName() == name) { got ++; break; } } } if (got == fws.count()) { ok = true; break; } } }/* foreach ( string name, interfaces ) { int used = 0; foreach ( Firewall* fw, firewalls ) { FWObjectTypedChildIterator iter = fw->findByType(Interface::TYPENAME); for ( ; iter != iter.end(); ++iter ) { Interface *interface = Interface::cast(*iter); if (interface->getName() == name ) { used++; break; } } } if ( used == firewalls.count() ) usedInterfaces.insert(name); }*/ if (!ok) { QMessageBox::critical( this, "Firewall Builder", tr("Cluster firewalls should have at least one common inteface"), "&Continue", QString::null, QString::null, 0, 1); } return ok; } void FirewallSelectorWidget::clear() { //QTableWidget::clear(); for (int i =0; i < this->rows.keys().count(); i++) { this->removeRow(i); boxrow.remove(rows[i].use); radiorow.remove(rows[i].master); delete this->rows[i].master; delete this->rows[i].use; } boxrow.clear(); radiorow.clear(); rows.clear(); this->setRowCount(0); // QTableWidget::clear(); } void FirewallSelectorWidget::resizeEvent(QResizeEvent*) { int total = this->viewport()->width(); if (total < 100) total = int(this->width() * 0.95); int controls; if ( total/3 > 100 ) controls = 100; else controls = total/3; this->setColumnWidth(0, total - controls*2); this->setColumnWidth(1, controls); this->setColumnWidth(2, controls); } fwbuilder-5.3.7/src/libgui/FirewallSelectorWidget.h000066400000000000000000000035461303637203600223510ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman 
Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FIREWALLSELECTORWIDGET_H #define FIREWALLSELECTORWIDGET_H #include #include #include #include #include #include #include #include struct TableRow { libfwbuilder::Firewall* firewall; QTableWidgetItem* title; QCheckBox* use; QRadioButton* master; }; class FirewallSelectorWidget : public QTableWidget { Q_OBJECT public: FirewallSelectorWidget(QWidget *parent = NULL); ~FirewallSelectorWidget(); void setFirewallList(std::list, bool select = false); // pointer to firewall , master QList > getSelectedFirewalls(); bool isValid(); virtual void resizeEvent (QResizeEvent*); private: QMap boxrow; QMap radiorow; QMap rows; public slots: void usageChanged(bool); void clear(); }; #endif // FIREWALLSELECTORWIDGET_H fwbuilder-5.3.7/src/libgui/GroupObjectDialog.cpp000066400000000000000000000605121303637203600216310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "events.h" #include "ProjectPanel.h" #include "FWBTree.h" #include "FWBSettings.h" #include "FWObjectPropertiesFactory.h" #include "GroupObjectDialog.h" #include "FWObjectDrag.h" #include "FWObjectClipboard.h" #include "ObjectTreeView.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/Group.h" #include "fwbuilder/Resources.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/FWObjectReference.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/FWIntervalReference.h" #include "fwbuilder/Service.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; bool compare_addrs(const InetAddr *one, const InetAddr *two) { if (one->isV4() + two->isV4() == 1) return one->isV4(); QString oneip; QString twoip; QList onenumbers; QList twonumbers; if (one->isV4()) { oneip = one->toString().c_str(); foreach (QString part, oneip.split(".")) onenumbers.append(part.toInt()); twoip = two->toString().c_str(); foreach (QString part, twoip.split(".")) twonumbers.append(part.toInt()); } else { bool ok; oneip = one->toString().c_str(); foreach (QString part, oneip.split(":")) onenumbers.append(part.toInt(&ok, 16)); twoip = 
two->toString().c_str(); foreach (QString part, twoip.split(":")) twonumbers.append(part.toInt(&ok, 16)); } for (int i=0; i < onenumbers.count(); i++) { if (onenumbers.at(i) != twonumbers.at(i)) return onenumbers.at(i) < twonumbers.at(i); } return false; } class GroupObjectWidgetItem: public QTreeWidgetItem { FWObjectDatabase * db; public: GroupObjectWidgetItem(QTreeWidget *parent, FWObjectDatabase *db): QTreeWidgetItem(parent) { this->db = db; } bool operator<( const QTreeWidgetItem & other ) const { int col = this->treeWidget()->sortColumn(); if ( col != 1) return this->text(col) < other.text(col); FWObject *otherobj = db->findInIndex(other.data(0, Qt::UserRole).toInt()); FWObject *thisobj = db->findInIndex(this->data(0, Qt::UserRole).toInt()); if (otherobj->getTypeName() != thisobj->getTypeName()) return thisobj->getTypeName() < otherobj->getTypeName(); if (IPv4::isA(thisobj) || IPv6::isA(thisobj)) { return compare_addrs(Address::cast(thisobj)->getAddressPtr(), Address::cast(otherobj)->getAddressPtr()); } if (Service::isA(thisobj)) { return Service::cast(thisobj)->getProtocolNumber() < Service::cast(otherobj)->getProtocolNumber(); } if(AddressRange::isA(thisobj)) { return compare_addrs(&AddressRange::cast(thisobj)->getRangeStart(), &AddressRange::cast(otherobj)->getRangeStart()); } if (Host::isA(thisobj)) { return compare_addrs(Host::cast(thisobj)->getAddressPtr(), Host::cast(otherobj)->getAddressPtr()); } return this->text(col) < other.text(col); } }; enum GroupObjectDialog::viewType GroupObjectDialog::vt = GroupObjectDialog::Icon; #define LIST_VIEW_MODE "list" #define ICON_VIEW_MODE "icon" GroupObjectDialog::GroupObjectDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::GroupObjectDialog_q; m_dialog->setupUi(this); obj = NULL; selectedObject = NULL; new_object_menu = NULL; listView = new ObjectListView( m_dialog->objectViewsStack, "listView" ); QStringList sl; sl << "Name" << "Properties"; listView->setHeaderLabels (sl); 
listView->setAcceptDrops( true ); listView->setDragDropMode( QAbstractItemView::DragDrop ); listView->setContextMenuPolicy ( Qt::CustomContextMenu ); iconView = new ObjectIconView( m_dialog->objectViewsStack, "iconView" ); iconView->setContextMenuPolicy ( Qt::CustomContextMenu ); m_dialog->objectViewsStack->addWidget(iconView); m_dialog->objectViewsStack->addWidget(listView); if (st->getGroupViewMode() == ICON_VIEW_MODE) m_dialog->objectViewsStack->setCurrentWidget(iconView); else m_dialog->objectViewsStack->setCurrentWidget(listView); listView->setSelectionMode(QAbstractItemView::ExtendedSelection); iconView->setSelectionMode(QAbstractItemView::ExtendedSelection); m_dialog->iconViewBtn->setCheckable(true); m_dialog->listViewBtn->setCheckable(true); //listView->hide(); //iconView->show(); m_dialog->iconViewBtn->setAutoRaise(false); m_dialog->listViewBtn->setAutoRaise(false); connect( iconView, SIGNAL( currentItemChanged(QListWidgetItem*,QListWidgetItem*) ), this, SLOT( iconViewCurrentChanged(QListWidgetItem*) ) ); connect( iconView, SIGNAL (itemSelectionChanged()), this, SLOT (iconViewSelectionChanged())); connect( iconView, SIGNAL( dropped(QDropEvent*) ), this, SLOT( dropped(QDropEvent*) ) ); connect( iconView, SIGNAL( customContextMenuRequested(const QPoint&) ), this, SLOT( iconContextMenu(const QPoint&) ) ); connect( iconView, SIGNAL( delObject_sign() ), this, SLOT( deleteObj() ) ); connect( iconView, SIGNAL(itemDoubleClicked(QListWidgetItem*)), this, SLOT(itemDoubleClicked(QListWidgetItem*))); connect( listView, SIGNAL( currentItemChanged(QTreeWidgetItem*,QTreeWidgetItem*) ), this, SLOT( listViewCurrentChanged(QTreeWidgetItem*) ) ); connect( listView, SIGNAL (itemSelectionChanged()), this, SLOT (listViewSelectionChanged())); connect( listView, SIGNAL( dropped(QDropEvent*) ), this, SLOT( dropped(QDropEvent*) ) ); connect( listView, SIGNAL( customContextMenuRequested(const QPoint&) ), this, SLOT( listContextMenu(const QPoint&) ) ); connect( listView, SIGNAL( 
delObject_sign() ), this, SLOT( deleteObj() ) ); connect( listView, SIGNAL(itemDoubleClicked(QTreeWidgetItem*,int)), this, SLOT(itemDoubleClicked(QTreeWidgetItem*, int))); QString s = st->getGroupViewColumns(); int col0 = s.section(',',0,0).toInt(); int col1 = s.section(',',1,1).toInt(); if (col0 == 0) col0 = listView->width()/2; listView->setColumnWidth(0,col0); listView->setColumnWidth(1,col1); QString mode = st->getGroupViewMode(); if (mode==ICON_VIEW_MODE) switchToIconView(); else switchToListView(); connectSignalsOfAllWidgetsToSlotChange(); } GroupObjectDialog::~GroupObjectDialog() { delete m_dialog; } void GroupObjectDialog::iconViewSelectionChanged() { if (fwbdebug) qDebug("GroupObjectDialog::iconViewSelectionChanged()"); selectedObjects.clear(); for (int it=0; itcount(); ++it) { QListWidgetItem *itm = iconView->item(it); if (itm->isSelected()) { int obj_id = itm->data(Qt::UserRole).toInt(); if (fwbdebug) qDebug("obj_id=%d", obj_id); selectedObjects.push_back(obj_id); } } } void GroupObjectDialog::listViewSelectionChanged() { if (fwbdebug) qDebug("GroupObjectDialog::listViewSelectionChanged()"); selectedObjects.clear(); for (int it=0; ittopLevelItemCount(); ++it) { QTreeWidgetItem *itm = listView->topLevelItem(it); if (itm->isSelected()) { int obj_id = itm->data(0, Qt::UserRole).toInt(); if (fwbdebug) qDebug("obj_id=%d", obj_id); selectedObjects.push_back(obj_id); } } } void GroupObjectDialog::iconViewCurrentChanged(QListWidgetItem *itm) { if (itm==NULL) { selectedObject=NULL; return; } int obj_id = itm->data(Qt::UserRole).toInt(); FWObject *o = m_project->db()->findInIndex(obj_id); selectedObject = o; } void GroupObjectDialog::listViewCurrentChanged(QTreeWidgetItem *itm) { if (itm==NULL) { selectedObject=NULL; return; } int obj_id = itm->data(0, Qt::UserRole).toInt(); FWObject *o = m_project->db()->findInIndex(obj_id); selectedObject = o; } /* * used to add an object for paste and drop operations */ void GroupObjectDialog::insertObject(FWObject *o) { 
assert(o!=NULL); Group *g = dynamic_cast(obj); assert(g!=NULL); if ( ! g->validateChild(o) || g->isReadOnly() ) return; // see #1976 do not allow pasting object that has been deleted // note that we call insertObject() from dropEvent(), not only from paste() if (o->getLibrary()->getId() == FWObjectDatabase::DELETED_OBJECTS_ID) return; if (fwbdebug) qDebug("Adding object %s to the group %s", o->getName().c_str(), g->getName().c_str()); /* avoid duplicates */ int cp_id = o->getId(); for (int it=0; ittopLevelItemCount(); ++it) { QTreeWidgetItem *itm = listView->topLevelItem(it); int obj_id = itm->data(0, Qt::UserRole).toInt(); if(obj_id==cp_id) return; } addIcon(o, ! FWBTree().isSystem(obj) ); changed(); } void GroupObjectDialog::addIcon(FWObject *fwo) { FWObject *o=fwo; bool ref=false; if (FWReference::cast(o)!=NULL) { o=FWReference::cast(o)->getPointer(); ref=true; } addIcon(o,ref); } void GroupObjectDialog::addIcon(FWObject *o, bool ref) { if (Resources::global_res->getResourceBool( string("/FWBuilderResources/Type/") + o->getTypeName() + "/hidden") ) return; QString obj_name=QString::fromUtf8(o->getName().c_str()); QString icn_filename = (":/Icons/"+o->getTypeName()+((ref)?"/icon-ref":"/icon")).c_str(); QPixmap pm; if ( ! 
QPixmapCache::find( icn_filename, pm) ) { pm.load( icn_filename ); QPixmapCache::insert( icn_filename, pm); } QListWidgetItem *list_item = new QListWidgetItem(QIcon(pm), obj_name, iconView); list_item->setData(Qt::UserRole, QVariant(o->getId())); iconView->addItem(list_item); GroupObjectWidgetItem *tree_item = new GroupObjectWidgetItem(listView, m_project->db()); tree_item->setText(0, obj_name); tree_item->setText(1, FWObjectPropertiesFactory::getObjectProperties(o) ); tree_item->setIcon(0, QIcon(pm) ); tree_item->setData(0, Qt::UserRole, QVariant(o->getId())); listView->addTopLevelItem(tree_item); } void GroupObjectDialog::loadFWObject(FWObject *o) { obj = o; Group *g = Group::cast(obj); assert(g!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(g->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); m_dialog->obj_name->setEnabled( !FWBTree().isSystem(obj) ); listView->clear(); iconView->clear(); listView->setDB(o->getRoot()); iconView->setDB(o->getRoot()); iconView->setResizeMode( QListWidget::Adjust ); iconView->setGridSize( QSize(50, 40) ); switch (vt) { case Icon: if ( ! m_dialog->iconViewBtn->isChecked() ) m_dialog->iconViewBtn->toggle(); iconView->raise(); break; case List: if ( ! 
m_dialog->listViewBtn->isChecked() ) m_dialog->listViewBtn->toggle(); listView->raise(); break; } for (FWObject::iterator i=g->begin(); i!=g->end(); i++) addIcon( *i ); listView->header()->resizeSections(QHeaderView::ResizeToContents); //apply->setEnabled( false ); m_dialog->obj_name->setEnabled(!o->isReadOnly() && !FWBTree().isSystem(o)); setDisabledPalette(m_dialog->obj_name); m_dialog->newButton->setEnabled(!o->isReadOnly()); // listView->setEnabled(!o->isReadOnly()); setDisabledPalette(listView); // iconView->setEnabled(!o->isReadOnly()); setDisabledPalette(iconView); init=false; if (FWBTree().isSystem(g)) { m_dialog->newButton->hide(); return; } if (new_object_menu) { new_object_menu->clear(); m_dialog->newButton->setMenu(NULL); delete new_object_menu; } new_object_menu = new QMenu(this); new_object_menu->setObjectName("GroupObjectDialog_newObjectMenu"); int add_to_group_id = g->getId(); list types_list; g->getAllowedTypesOfChildren(types_list); foreach(string tn, types_list) { if (tn == FWObjectReference::TYPENAME || tn == FWServiceReference::TYPENAME || tn == FWIntervalReference::TYPENAME) continue; if (fwbdebug) qDebug() << "Adding type" << tn.c_str() << "to the new object menu"; m_project->m_panel->om->addNewObjectMenuItem( new_object_menu, tn.c_str(), "", add_to_group_id); } m_dialog->newButton->setMenu( new_object_menu ); m_dialog->newButton->show(); } void GroupObjectDialog::validate(bool *res) { *res=true; if (!validateName(this, obj, m_dialog->obj_name->text())) { *res=false; return; } } void GroupObjectDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); string oldname = obj->getName(); string newname = string(m_dialog->obj_name->text().toUtf8().constData()); if (oldname != newname) { if (fwbdebug) qDebug() << "oldname=" << oldname.c_str() << "newname=" << newname.c_str(); new_state->setName(newname); } m_dialog->commentKeywords->applyChanges(new_state); set oldobj; set newobj; for 
(int it=0; ittopLevelItemCount(); ++it) { QTreeWidgetItem *itm = listView->topLevelItem(it); int obj_id = itm->data(0, Qt::UserRole).toInt(); newobj.insert(obj_id); } for (FWObject::iterator j=obj->begin(); j!=obj->end(); ++j) { FWObject *o = *j; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); oldobj.insert(o->getId()); } set diff; set_difference( oldobj.begin(), oldobj.end(), newobj.begin(), newobj.end(), inserter(diff,diff.begin())); /* diff contains objects present in oldobj but not in newobj - these objects were deleted from the group */ for (set::iterator k=diff.begin(); k!=diff.end(); ++k) { FWObject *o = m_project->db()->findInIndex(*k); // Note: FWBTree::isSystem() would not work for new_state because // it is not part of the tree and isSystem() relies on the tree path if (FWBTree().isSystem(obj)) { m_project->m_panel->om->deleteObject(o); } else { new_state->removeRef(o); } } diff.clear(); set_difference( newobj.begin(), newobj.end(), oldobj.begin(), oldobj.end(), inserter(diff,diff.begin())); /* diff contains objects present in newobj but not in oldobj - these objects were added to the group */ for (set::iterator k1=diff.begin(); k1!=diff.end(); ++k1) { FWObject *o = m_project->db()->findInIndex(*k1); if (FWBTree().isSystem(obj)) { m_project->pasteTo(new_state, o); } else { new_state->addRef(o); } } saveColumnWidths(); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } void GroupObjectDialog::switchToIconView() { //if (vt == Icon) return; vt = Icon; if ( ! m_dialog->iconViewBtn->isChecked() ) m_dialog->iconViewBtn->toggle(); m_dialog->objectViewsStack->setCurrentWidget(iconView); st->setGroupViewMode(ICON_VIEW_MODE); } void GroupObjectDialog::switchToListView() { //if (vt == List) return; vt = List; if ( ! 
m_dialog->listViewBtn->isChecked() ) m_dialog->listViewBtn->toggle(); m_dialog->objectViewsStack->setCurrentWidget(listView); st->setGroupViewMode(LIST_VIEW_MODE); } // This method is attached to the context menu item "Edit" void GroupObjectDialog::openObject() { if (selectedObject!=NULL) { QCoreApplication::postEvent( m_project, new showObjectInTreeEvent(selectedObject->getRoot()->getFileName().c_str(), selectedObject->getId())); QCoreApplication::postEvent( mw, new openObjectInEditorEvent(selectedObject->getRoot()->getFileName().c_str(), selectedObject->getId())); } } void GroupObjectDialog::dropped(QDropEvent *ev) { if (fwbdebug) qDebug("GroupObjectDialog::dropped"); list ol; if (FWObjectDrag::decode(ev, ol)) { if (ol.size()==0) return; for (list::iterator i=ol.begin(); i!=ol.end(); ++i) insertObject( *i ); if (fwbdebug) qDebug("GroupObjectDialog::dropped ev->acceptAction()"); ev->setAccepted(true); // see comment in ObjectTreeView.cpp explaining the purpose of // flag process_mouse_release_event ObjectTreeView *otv = m_project->getCurrentObjectTree(); otv->ignoreNextMouseReleaseEvent(); } if (fwbdebug) qDebug("GroupObjectDialog::dropped done"); } void GroupObjectDialog::iconContextMenu(const QPoint & pos) { FWObject *o = NULL; QListWidgetItem *itm = iconView->itemAt(pos); if (itm) { int obj_id = itm->data(Qt::UserRole).toInt(); o = m_project->db()->findInIndex(obj_id); selectedObject = o; } setupPopupMenu(iconView->mapToGlobal(pos)); } void GroupObjectDialog::listContextMenu(const QPoint & pos) { FWObject *o=NULL; QTreeWidgetItem *itm = listView->itemAt(pos); if (itm) { int obj_id = itm->data(0, Qt::UserRole).toInt(); o = m_project->db()->findInIndex(obj_id); selectedObject = o; } setupPopupMenu(listView->viewport()->mapToGlobal(pos)); } void GroupObjectDialog::setupPopupMenu(const QPoint &pos) { QMenu *popup = new QMenu(this); if (selectedObject!=NULL) { if (selectedObject->isReadOnly() ) popup->addAction(tr("Open"), this, SLOT(openObject())); else 
popup->addAction(tr("Edit"), this, SLOT(openObject())); } QAction *copyID = popup->addAction(tr("Copy"), this, SLOT(copyObj())); QAction *cutID = popup->addAction(tr("Cut"), this, SLOT(cutObj())); QAction *pasteID = popup->addAction(tr("Paste"), this, SLOT(pasteObj())); QAction *delID = popup->addAction(tr("Delete"),this, SLOT(deleteObj())); copyID->setEnabled(selectedObject!=NULL && ! FWBTree().isSystem(selectedObject) ); cutID->setEnabled(selectedObject!=NULL && ! FWBTree().isSystem(obj) && ! obj->isReadOnly() ); // see #1976 do not allow pasting object that has been deleted FWObject *obj_in_clipboard = FWObjectClipboard::obj_clipboard->getObject(); bool obj_deleted = (obj_in_clipboard && obj_in_clipboard->getParent()->getId() == FWObjectDatabase::DELETED_OBJECTS_ID); pasteID->setEnabled(! FWBTree().isSystem(obj) && ! obj->isReadOnly() && ! obj_deleted); delID->setEnabled(selectedObject!=NULL && ! FWBTree().isSystem(obj) && ! obj->isReadOnly() ); popup->exec( pos ); } void GroupObjectDialog::copyObj() { FWObjectClipboard::obj_clipboard->clear(); for(vector::iterator it=selectedObjects.begin(); it!=selectedObjects.end(); ++it) { FWObject* selectedObject = m_project->db()->findInIndex(*it); if (selectedObject!=NULL && ! 
FWBTree().isSystem(selectedObject) ) { FWObjectClipboard::obj_clipboard->add(selectedObject, this->m_project ); } } } void GroupObjectDialog::cutObj() { copyObj(); deleteObj(); } void GroupObjectDialog::pasteObj() { vector >::iterator i; for (i= FWObjectClipboard::obj_clipboard->begin(); i!=FWObjectClipboard::obj_clipboard->end(); ++i) { insertObject( m_project->db()->findInIndex(i->first) ); } } void GroupObjectDialog::deleteObj() { // make a copy of the list of selected objects because selection // changes when we delete items vector tv; copy(selectedObjects.begin(),selectedObjects.end(),inserter(tv,tv.begin())); for(vector::iterator it=tv.begin(); it!=tv.end(); ++it) { if (fwbdebug) qDebug("GroupObjectDialog::deleteObj() (*it)=%d", (*it)); FWObject* selectedObject = m_project->db()->findInIndex(*it); // Bugfix: Do not delete an object in locked group with the Delete key set res_tmp; m_project->db()->getRoot()->findWhereObjectIsUsed(selectedObject, m_project->db()->getRoot(), res_tmp); foreach(FWObject* o, res_tmp) { if (FWObjectReference::cast(o)) if (Group::cast(o->getParent())) if (o->isReadOnly()) return; } int o_id = selectedObject->getId(); for (int it=0; ittopLevelItemCount(); ++it) { QTreeWidgetItem *itm = listView->topLevelItem(it); if (o_id == itm->data(0, Qt::UserRole).toInt()) { listView->takeTopLevelItem(it); break; } } for (int it=0; itcount(); ++it) { QListWidgetItem *itm = iconView->item(it); if (o_id == itm->data(Qt::UserRole).toInt()) { iconView->takeItem(it); break; } } } changed(); } void GroupObjectDialog::saveColumnWidths() { if (fwbdebug) qDebug("GroupObjectDialog::saveColumnWidths()"); QString s = QString("%1,%2") .arg(listView->columnWidth(0)) .arg(listView->columnWidth(1)); st->setGroupViewColumns(s); } void GroupObjectDialog::selectObject(FWObject *o) { int o_id = o->getId(); for (int it=0; ittopLevelItemCount(); ++it) { QTreeWidgetItem *itm = listView->topLevelItem(it); if (o_id == itm->data(0, Qt::UserRole).toInt()) { 
listView->setCurrentItem(itm); break; } } for (int it=0; itcount(); ++it) { QListWidgetItem *itm = iconView->item(it); if (o_id == itm->data(Qt::UserRole).toInt()) { iconView->setCurrentItem(itm); break; } } } void GroupObjectDialog::newObject() { m_dialog->newButton->showMenu(); } void GroupObjectDialog::itemDoubleClicked(QListWidgetItem*) { openObject(); } void GroupObjectDialog::itemDoubleClicked(QTreeWidgetItem*, int) { openObject(); } fwbuilder-5.3.7/src/libgui/GroupObjectDialog.h000066400000000000000000000054671303637203600213060ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __GROUPOBJECTDIALOG_H_ #define __GROUPOBJECTDIALOG_H_ #include "config.h" #include #include #include #include "fwbuilder/FWObject.h" #include "ObjectListView.h" #include "ObjectIconView.h" #include "BaseObjectDialog.h" #include class ObjectIconViewItem; class ObjectListViewItem; class QMenu; class ProjectPanel; class GroupObjectDialog : public BaseObjectDialog { Q_OBJECT; Ui::GroupObjectDialog_q *m_dialog; ObjectIconView *iconView; ObjectListView *listView; QMenu *new_object_menu; std::vector selectedObjects; libfwbuilder::FWObject *selectedObject; void addIcon(libfwbuilder::FWObject *o); void addIcon(libfwbuilder::FWObject *o, bool ref); void setupPopupMenu(const QPoint&); void saveColumnWidths(); public: GroupObjectDialog(QWidget *parent); ~GroupObjectDialog(); enum viewType { Icon, List }; // making insertObject() public so we can use it in unit tests void insertObject(libfwbuilder::FWObject *o); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void switchToIconView(); virtual void switchToListView(); virtual void openObject(); virtual void dropped(QDropEvent *ev); virtual void iconContextMenu(const QPoint & pos); virtual void listContextMenu(const QPoint & pos); void copyObj(); void cutObj(); void pasteObj(); void deleteObj(); void iconViewCurrentChanged(QListWidgetItem *itm); void listViewCurrentChanged(QTreeWidgetItem *itm); void iconViewSelectionChanged(); void listViewSelectionChanged(); void selectObject(libfwbuilder::FWObject *o); void newObject(); void itemDoubleClicked(QListWidgetItem*); void itemDoubleClicked(QTreeWidgetItem*, int); private: static enum viewType vt; public: }; #endif // GROUPOBJECTDIALOG_H 
fwbuilder-5.3.7/src/libgui/Help.cpp000066400000000000000000000133011303637203600171500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "fwbuilder/Constants.h" #include "Help.h" #include "FWWindow.h" #include #include #include #include using namespace std; using namespace libfwbuilder; Help* Help::help_window = NULL; Help::Help(QWidget *, const QString &title, bool _load_links_in_browser) : QDialog(NULL) { load_links_in_browser = _load_links_in_browser; m_dialog = new Ui::HelpView_q; m_dialog->setupUi(this); setWindowTitle("Firewall Builder Help"); setWindowFlags( windowFlags() | Qt::WindowStaysOnTopHint); delayed_open = false; http_getter = new HttpGet(); connect(http_getter, SIGNAL(done(const QString&)), this, SLOT(downloadComplete(const QString&))); connect(m_dialog->comboBox, SIGNAL(currentIndexChanged(int)), this, SLOT(showReleaseNotesSelected())); QString locale = QLocale::system().name(); //"en_US"; // Set up path to help qtextBrowser find contents, such as files for paths.append(QString(Constants::getResourcesDirectory().c_str()) + "/help/" + locale); paths.append(QString(Constants::getResourcesDirectory().c_str()) + "/help/" + "en_US"); 
m_dialog->textview->setSearchPaths(paths); m_dialog->textview->setOpenLinks(true); m_dialog->textview->setOpenExternalLinks(true); setName(title); resize(600, 700); //raise(); flags = windowFlags()| Qt::WindowMinimizeButtonHint; m_dialog->comboBox->hide(); }; Help::~Help() { delete m_dialog; } Help* Help::getHelpWindow(QWidget* w) { if (help_window == NULL) { help_window = new Help(w, "Firewall Builder"); help_window->setWindowFlags(Qt::Window | Qt::WindowTitleHint | Qt::CustomizeWindowHint | Qt::WindowMinimizeButtonHint); #if QT_VERSION >= 0x040500 help_window->setWindowFlags(help_window->windowFlags() | Qt::WindowCloseButtonHint); #endif } return help_window; } void Help::setName(const QString &name) { m_dialog->objectname->setText(name); } void Help::setSource(const QUrl &url) { if (url.toString().startsWith("http:")) { delayed_open = true; if (!http_getter->get(QUrl(url)) && fwbdebug) { qDebug() << "HttpGet error: " << http_getter->getLastError(); qDebug() << "Url: " << url; } } else { delayed_open = false; m_dialog->textview->setSource(url); } } void Help::downloadComplete(const QString& server_response) { if (fwbdebug) qDebug() << "Help::downloadComplete" << "status=" << http_getter->getStatus(); /* * getStatus() returns error status if server esponded with 302 or * 301 redirect. Only "200" is considered success. */ if (http_getter->getStatus()) { m_dialog->textview->setHtml(server_response); /* here is additional layer of protection: if I make a mistake * and feed empty page as an announcement, do not show it to * the user. If the user is behind captive portal or dns * intercept that feeds them fancy page that consists of only * a chunk of javascript and empty body, do not show it * either. 
One example of such case is dnsadvantage.com */ QString c = m_dialog->textview->toPlainText(); if (fwbdebug) qDebug() << "Announcement in plain text:" << c; if (!c.isEmpty() && delayed_open) { raise(); show(); } } } QString Help::findHelpFile(const QString &file_base_name) { QString locale = QLocale::system().name(); //"en_US"; QFile f; foreach(QString p, paths) { QString try_file_path = p + "/" + file_base_name; if (fwbdebug) qDebug("Checking help file %s", try_file_path.toLatin1().constData()); if (QFile::exists(try_file_path)) return try_file_path; } return ""; } void Help::showAllReleaseNotes(const QString &path) { m_dialog->comboBox->show(); QStringList filters; filters << "release_notes_*.html"; QDir dir; dir.setPath(QFileInfo(path).path()); m_dialog->comboBox->addItems(dir.entryList(filters, QDir::NoFilter, QDir::Name | QDir::Reversed)); } void Help::showReleaseNotesSelected() { if (!m_dialog->comboBox->isVisible()) return; QString file_name = m_dialog->comboBox->currentText(); setSource(QUrl("file:" + file_name)); } void Help::closeEvent(QCloseEvent *event) { m_dialog->comboBox->hide(); window_geometry = QWidget::saveGeometry(); QDialog::closeEvent(event); } void Help::hideEvent(QHideEvent *event) { restoreGeometry(window_geometry); QDialog::hideEvent(event); } void Help::showEvent(QShowEvent *event) { restoreGeometry(window_geometry); QDialog::showEvent(event); } void Help::show() { Help::showNormal(); } fwbuilder-5.3.7/src/libgui/Help.h000066400000000000000000000037241303637203600166250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __HELP_H_ #define __HELP_H_ #include "config.h" #include "ui_helpview_q.h" #include "HttpGet.h" #include "global.h" #include "FWWindow.h" #include #include #include #include #include #include class Help : public QDialog { Q_OBJECT; QStringList paths; QByteArray window_geometry; Qt::WindowFlags flags; bool load_links_in_browser; HttpGet *http_getter; bool delayed_open; public: Ui::HelpView_q *m_dialog; Help(QWidget *parent, const QString &title, bool load_links_in_browser=true); virtual ~Help(); void setSource(const QUrl &url); QString findHelpFile(const QString &file_base_name); void showAllReleaseNotes(const QString &path); void setName(const QString &name); virtual void closeEvent(QCloseEvent *event); virtual void hideEvent(QHideEvent *event); virtual void showEvent(QShowEvent *event); static Help* getHelpWindow(QWidget *parent); static Help* help_window; public slots: void downloadComplete(const QString&); void show(); void showReleaseNotesSelected(); }; #endif fwbuilder-5.3.7/src/libgui/HostDialog.cpp000066400000000000000000000113341303637203600203210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBTree.h" #include "HostDialog.h" #include "ProjectPanel.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/Host.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/FWException.h" #include #include #include #include #include #include #include #include #include #include "FWWindow.h" using namespace std; using namespace libfwbuilder; HostDialog::HostDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::HostDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } HostDialog::~HostDialog() { delete m_dialog; } void HostDialog::loadFWObject(FWObject *o) { obj=o; Host *s = dynamic_cast(obj); assert(s!=NULL); init = true; Management *mgmt=s->getManagementObject(); assert(mgmt!=NULL); FWOptions *opt =s->getOptionsObject(); m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); // snmpCommunity->setText( mgmt->getSNMPManagement()->getReadCommunity().c_str() ); m_dialog->MACmatching->setChecked( opt->getBool("use_mac_addr_filter") ); m_dialog->commentKeywords->loadFWObject(o); //apply->setEnabled( false ); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); // snmpCommunity->setEnabled(!o->isReadOnly()); // setDisabledPalette(snmpCommunity); m_dialog->MACmatching->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->MACmatching); init=false; } void HostDialog::validate(bool *res) { *res = true; if (!validateName(this,obj,m_dialog->obj_name->text())) { 
*res=false; return; } } void HostDialog::applyChanges() { bool autorename_chidren = false; QString dialog_txt = tr( "The name of the object '%1' has changed. The program can also " "rename IP address objects that belong to this object, " "using standard naming scheme 'host_name:interface_name:ip'. " "This makes it easier to distinguish what host or a firewall " "given IP address object belongs to when it is used in " "the policy or NAT rule. The program also renames MAC address " "objects using scheme 'host_name:interface_name:mac'. " "Do you want to rename child IP and MAC address objects now? " "(If you click 'No', names of all address objects that belong to " "%2 will stay the same.)") .arg(QString::fromUtf8(obj->getName().c_str())) .arg(QString::fromUtf8(obj->getName().c_str())); if (obj->getName() != m_dialog->obj_name->text().toUtf8().constData()) { /* see comment about this in FirewallDialog */ blockSignals(true); autorename_chidren = (QMessageBox::warning( this,"Firewall Builder", dialog_txt, tr("&Yes"), tr("&No"), QString::null, 0, 1 )==0 ); blockSignals(false); } std::auto_ptr cmd( new FWCmdChange(m_project, obj, "", autorename_chidren)); FWObject* new_state = cmd->getNewState(); Host *s = dynamic_cast(new_state); assert(s!=NULL); Management *mgmt = s->getManagementObject(); assert(mgmt!=NULL); FWOptions *opt =s->getOptionsObject(); string oldname=obj->getName(); new_state->setName(string(m_dialog->obj_name->text().toUtf8().constData())); m_dialog->commentKeywords->applyChanges(new_state); opt->setBool("use_mac_addr_filter", m_dialog->MACmatching->isChecked()); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/HostDialog.h000066400000000000000000000025511303637203600177670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under 
the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __HOSTDIALOG_H_ #define __HOSTDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class HostDialog : public BaseObjectDialog { Q_OBJECT; Ui::HostDialog_q *m_dialog; public: HostDialog(QWidget *parent); ~HostDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // HOSTDIALOG_H fwbuilder-5.3.7/src/libgui/HttpGet.cpp000066400000000000000000000106171303637203600176460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "HttpGet.h" #include #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) #include "config.h" #include "global.h" #include #include #include #include #include "FWBSettings.h" using namespace std; extern int getRegistrationStatus(); HttpGet::HttpGet(QObject *parent) : QObject(parent), strm(&contents) { last_error = ""; status = true; connect(&http, SIGNAL(requestFinished(int, bool)), this, SLOT(httpDone(int, bool))); } bool HttpGet::get(const QUrl &_url) { url = _url; QTextStream err(&last_error, QIODevice::WriteOnly); if (strm.isOpen()) { contents.clear(); strm.reset(); } if (!url.isValid()) { err << "Error: Invalid URL"; status = false; return false; } if (url.scheme() != "http" && url.scheme() != "file") { err << "Error: URL must start with 'http:' or 'file:'"; status = false; return false; } if (url.scheme() == "http" && url.path().isEmpty()) { err << "Error: URL has no path"; status = false; return false; } if (url.scheme() == "file") { QTimer::singleShot(0, this, SLOT(fileDone())); return true; } QString proxy = st->getCheckUpdatesProxy(); if (!proxy.isEmpty()) { QStringList parsed_proxy = proxy.split(':'); QString proxy_host = parsed_proxy[0]; QString proxy_port = "80"; if (parsed_proxy.size()>1) proxy_port = parsed_proxy[1]; if (proxy_port.isEmpty()) proxy_port = "80"; http.setProxy(proxy_host, proxy_port.toInt()); } http.setHost(url.host(), url.port(80)); QHttpRequestHeader hdr(QLatin1String("GET"), url.toString()); hdr.setValue("Host", url.host()); QString locale = QLocale::system().name();//"en_US";// QString os; #if defined(Q_WS_MAC) os = "MacOSX"; #else #if defined(Q_WS_WIN) os= "Windows"; #else os = QString("%1; %2").arg(OS).arg(DISTRO); #endif #endif QString agent = QString("fwbuilder/%1 (%2; %3; b:999999; s:%5; u)") .arg(VERSION).arg(os).arg(locale).arg(sig); hdr.setValue("User-Agent", agent); 
request_id = http.request(hdr, NULL, &strm); return true; } void HttpGet::fileDone() { QString file_path = url.path(); QFileInfo fi(file_path); if (fi.exists() && fi.isReadable()) { QFile data(file_path); if (data.open(QFile::ReadOnly)) { QTextStream strm(&data); QString line = strm.readAll(); status = true; emit done(line); return; } } status = false; QTextStream err(&last_error, QIODevice::WriteOnly); err << "Error: can not read file '" << file_path << "' (url=" << url.toString() << ")"; emit done(""); } void HttpGet::httpDone(int id, bool error) { if (request_id == id) { status = true; last_error = ""; QHttpResponseHeader resp = http.lastResponse(); QTextStream err(&last_error, QIODevice::WriteOnly); if (error) { err << "Error: " << qPrintable(http.errorString()); status = false; } if (resp.isValid() && resp.statusCode()!=200) { err << "Error: " << resp.reasonPhrase(); status = false; } emit done(toString()); } } void HttpGet::abort() { http.abort(); } #else // QT_VERSION 5.0.0+ HttpGet::HttpGet(QObject *parent) : QObject(parent) {} #endif // QT_VERSION < QT_VERSION_CHECK(5, 0, 0) fwbuilder-5.3.7/src/libgui/HttpGet.h000066400000000000000000000042531303637203600173120ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef HTTPGET_H #define HTTPGET_H #include #include #include #include #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) #include #include #include class HttpGet : public QObject { Q_OBJECT; private: QHttp http; QUrl url; QBuffer strm; bool status; QString last_error; QByteArray contents; int request_id; public: HttpGet(QObject *parent = 0); bool get(const QUrl &url); QString getLastError() { return last_error; } bool getStatus() { return status; } QString toString() { return QString(contents); } void abort(); signals: void done(const QString &res); private slots: void httpDone(int id, bool error); void fileDone(); }; #else // QT_VERSION = 5.0.0+ class HttpGet : public QObject { Q_OBJECT; public: HttpGet(QObject *parent = 0); bool get(const QUrl &url) { Q_UNUSED(url) return false; } QString getLastError() { return QString("HttpGet is disabled when compiled with Qt 5"); } bool getStatus() { return false; } QString toString() { return QString(); } void abort() {} signals: void done(const QString &res); private slots: void httpDone(int id, bool error) { Q_UNUSED(id) Q_UNUSED(error) } void fileDone() {} }; #endif // QT_VERSION < QT_VERSION_CHECK(5, 0, 0) #endif fwbuilder-5.3.7/src/libgui/ICMPServiceDialog.cpp000066400000000000000000000070061303637203600214560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "ProjectPanel.h" #include "FWBTree.h" #include "ICMPServiceDialog.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include #include #include #include #include #include #include #include #include #include "FWWindow.h" using namespace std; using namespace libfwbuilder; ICMPServiceDialog::ICMPServiceDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::ICMPServiceDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } ICMPServiceDialog::~ICMPServiceDialog() { delete m_dialog; } void ICMPServiceDialog::loadFWObject(FWObject *o) { obj=o; ICMPService *s = dynamic_cast(obj); assert(s!=NULL); // if (ICMP6Service::isA(o)) // { // m_dialog->editorTitle->setText("ICMP6 Service"); // m_dialog->editorLabel->setPixmap( // QPixmap(QString::fromUtf8(":/Icons/ICMP6Service/icon"))); // } else // { // m_dialog->editorTitle->setText("ICMP Service"); // m_dialog->editorLabel->setPixmap( // QPixmap(QString::fromUtf8(":/Icons/ICMPService/icon"))); // } init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->icmpType->setValue( s->getInt("type") ); m_dialog->icmpCode->setValue( s->getInt("code") ); m_dialog->commentKeywords->loadFWObject(o); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->icmpType->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->icmpType); m_dialog->icmpCode->setEnabled(!o->isReadOnly()); 
setDisabledPalette(m_dialog->icmpCode); init=false; } void ICMPServiceDialog::validate(bool *res) { *res=true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; } } void ICMPServiceDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); string oldname = obj->getName(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); new_state->setInt("type", m_dialog->icmpType->value() ); new_state->setInt("code", m_dialog->icmpCode->value() ); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/ICMPServiceDialog.h000066400000000000000000000026471303637203600211310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ICMPSERVICEDIALOG_H_ #define __ICMPSERVICEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class ICMPServiceDialog : public BaseObjectDialog { Q_OBJECT; Ui::ICMPServiceDialog_q *m_dialog; public: ICMPServiceDialog(QWidget *parent); ~ICMPServiceDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // ICMPSERVICEDIALOG_H fwbuilder-5.3.7/src/libgui/IPServiceDialog.cpp000066400000000000000000000177011303637203600212410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBTree.h" #include "IPServiceDialog.h" #include "ProjectPanel.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ServiceGroup.h" #include #include #include #include #include #include #include #include #include #include "FWWindow.h" using namespace libfwbuilder; using namespace std; IPServiceDialog::IPServiceDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::IPServiceDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } IPServiceDialog::~IPServiceDialog() { delete m_dialog; } void IPServiceDialog::setCodeLabel() { if (m_dialog->use_dscp->isChecked()) { m_dialog->code_label->setText( tr("DSCP code or class:")); } else { m_dialog->code_label->setText( tr("TOS code (numeric):")); } } void IPServiceDialog::loadFWObject(FWObject *o) { obj=o; IPService *s = dynamic_cast(obj); assert(s!=NULL); init = true; //apply->setEnabled( false ); // See #893 No need to show object attributes if the object is "Any" if (obj->getId() == FWObjectDatabase::ANY_SERVICE_ID) { m_dialog->object_attributes_1->hide(); m_dialog->object_attributes_2->hide(); m_dialog->object_attributes_3->hide(); m_dialog->commentKeywords->setReadOnlyComment( QObject::tr( "When used in the Service field of a rule, " "the Any object will match all " "IP, ICMP, TCP or UDP services. 
To update your rule to " "match only specific " "service, drag-and-drop an object from " "the Object tree into the field in the rule.")); //m_dialog->comment->setReadOnly(true); //setDisabledPalette(m_dialog->comment); } else { m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->protocolNum->setValue( s->getProtocolNumber() ); m_dialog->any_opt->setChecked( s->getBool("any_opt") ); m_dialog->lsrr->setChecked( s->getBool("lsrr") ); m_dialog->ssrr->setChecked( s->getBool("ssrr") ); m_dialog->rr->setChecked( s->getBool("rr") ); m_dialog->timestamp->setChecked( s->getBool("ts") ); m_dialog->all_fragments->setChecked( s->getBool("fragm") ); m_dialog->short_fragments->setChecked( s->getBool("short_fragm") ); m_dialog->router_alert->setChecked( s->getBool("rtralt") ); string tos = s->getTOSCode(); string dscp = s->getDSCPCode(); if (!dscp.empty()) { m_dialog->use_dscp->setChecked(true); m_dialog->code->setText(dscp.c_str()); } else { m_dialog->use_tos->setChecked(true); m_dialog->code->setText(tos.c_str()); } setCodeLabel(); anyOptionsStateChanged(); m_dialog->commentKeywords->loadFWObject(o); m_dialog->object_attributes_1->show(); m_dialog->object_attributes_2->show(); m_dialog->object_attributes_3->show(); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->protocolNum->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->protocolNum); m_dialog->any_opt->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->any_opt); m_dialog->lsrr->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->lsrr); m_dialog->ssrr->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->ssrr); m_dialog->rr->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->rr); m_dialog->timestamp->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->timestamp); m_dialog->router_alert->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->router_alert); 
m_dialog->all_fragments->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->all_fragments); m_dialog->short_fragments->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->short_fragments); m_dialog->use_tos->setEnabled(!o->isReadOnly()); m_dialog->use_dscp->setEnabled(!o->isReadOnly()); m_dialog->code->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->code); //anyOptionsStateChanged(); } init = false; } void IPServiceDialog::changed() { if (fwbdebug) qDebug() << "IPServiceDialog::changed()"; setCodeLabel(); BaseObjectDialog::changed(); } void IPServiceDialog::anyOptionsStateChanged() { bool any_opt_state = m_dialog->any_opt->isChecked(); if (any_opt_state) { m_dialog->lsrr->setChecked(false); m_dialog->ssrr->setChecked(false); m_dialog->rr->setChecked(false); m_dialog->timestamp->setChecked(false); m_dialog->router_alert->setChecked(false); } m_dialog->lsrr->setEnabled(!any_opt_state); m_dialog->ssrr->setEnabled(!any_opt_state); m_dialog->rr->setEnabled(!any_opt_state); m_dialog->timestamp->setEnabled(!any_opt_state); m_dialog->router_alert->setEnabled(!any_opt_state); changed(); } void IPServiceDialog::validate(bool *res) { *res=true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; } } void IPServiceDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); string oldname=obj->getName(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); new_state->setInt("protocol_num", m_dialog->protocolNum->value() ); new_state->setBool("any_opt", m_dialog->any_opt->isChecked() ); new_state->setBool("lsrr", m_dialog->lsrr->isChecked() ); new_state->setBool("ssrr", m_dialog->ssrr->isChecked() ); new_state->setBool("rr", m_dialog->rr->isChecked() ); new_state->setBool("ts", m_dialog->timestamp->isChecked() ); new_state->setBool("fragm", m_dialog->all_fragments->isChecked() ); 
new_state->setBool("short_fragm", m_dialog->short_fragments->isChecked() ); // router-alert IP option has only one defined value - "0". All other // values are reserved atm. RFC 2113 new_state->setBool("rtralt", m_dialog->router_alert->isChecked() ); if (m_dialog->router_alert->isChecked()) new_state->setInt("rtralt_value", 0); IPService *ip = IPService::cast(new_state); if (m_dialog->use_dscp->isChecked()) { ip->setDSCPCode(m_dialog->code->text().toUtf8().constData()); ip->setTOSCode(""); } else { ip->setTOSCode(m_dialog->code->text().toUtf8().constData()); ip->setDSCPCode(""); } if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/IPServiceDialog.h000066400000000000000000000027631303637203600207100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPSERVICEDIALOG_H_ #define __IPSERVICEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class IPServiceDialog : public BaseObjectDialog { Q_OBJECT; Ui::IPServiceDialog_q *m_dialog; void setCodeLabel(); public: IPServiceDialog(QWidget *parent); ~IPServiceDialog(); public slots: virtual void changed(); virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void anyOptionsStateChanged(); }; #endif // IPSERVICEDIALOG_H fwbuilder-5.3.7/src/libgui/IPv4Dialog.cpp000066400000000000000000000205141303637203600201660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "IPv4Dialog.h" #include "ProjectPanel.h" #include "fwbuilder/Library.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; IPv4Dialog::IPv4Dialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::IPv4Dialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } IPv4Dialog::~IPv4Dialog() { delete m_dialog; } void IPv4Dialog::loadFWObject(FWObject *o) { obj=o; IPv4 *s = dynamic_cast(obj); assert(s!=NULL); dnsBusy=false; init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); /* * if this is an address that belongs to an interface, we can't move * it from library to library just like that. Only IPv4 objects that * belong to the standard group "Addresses" can be moved. 
*/ if ( Interface::isA( obj->getParent() ) ) { showNetmask=true; m_dialog->netmaskLabel->show(); m_dialog->netmask->show(); } else { showNetmask=false; m_dialog->netmaskLabel->hide(); m_dialog->netmask->hide(); } /* catch exceptions separately so even if we have a bad address, we * still can show netmask */ try { m_dialog->address->setText( s->getAddressPtr()->toString().c_str() ); } catch (FWException &ex) {} try { if ( Interface::isA( obj->getParent() ) ) m_dialog->netmask->setText( s->getNetmaskPtr()->toString().c_str() ); } catch (FWException &ex) {} //apply->setEnabled( false ); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->address->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->address); m_dialog->netmask->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->netmask); m_dialog->dnsLookup->setEnabled(!o->isReadOnly()); init=false; } void IPv4Dialog::validate(bool *result) { if (fwbdebug) qDebug() << "IPv4Dialog::validate()"; *result=true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *result=false; return; } IPv4 *s = dynamic_cast(obj); assert(s!=NULL); try { InetAddr( m_dialog->address->text().trimmed().toLatin1().constData() ); } catch (FWException &ex) { *result = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical( this, "Firewall Builder", tr("Illegal IP address '%1'").arg(m_dialog->address->text()), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } } if (showNetmask) { try { InetAddr nm( m_dialog->netmask->text().trimmed().toLatin1().constData() ); if (!nm.isValidV4Netmask()) { *result = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); // Do not allow netmask with zeroes inside. 
QMessageBox::critical( this, "Firewall Builder", tr("Netmasks with zeroes in the middle are not supported"), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } return; } } catch (FWException &ex) { *result = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical( this, "Firewall Builder", tr("Illegal netmask '%1'").arg(m_dialog->netmask->text()), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } } } } void IPv4Dialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); IPv4 *s = dynamic_cast(new_state); assert(s!=NULL); new_state->setName(m_dialog->obj_name->text().toUtf8().constData()); m_dialog->commentKeywords->applyChanges(new_state); try { s->setAddress( InetAddr(m_dialog->address->text().trimmed().toLatin1().constData()) ); } catch (FWException &ex) { } if ( showNetmask ) { try { s->setNetmask( InetAddr(m_dialog->netmask->text().trimmed().toLatin1().constData()) ); } catch (FWException &ex) { } } else s->setNetmask(InetAddr()); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } void IPv4Dialog::DNSlookup() { if (fwbdebug) qDebug("IPv4Dialog::DNSlookup() dnsBusy=%d", dnsBusy); if (!dnsBusy) { QString name = m_dialog->obj_name->text().trimmed(); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("IPv4Dialog::DNSlookup() name=%s", name.toAscii().constData()); #else if (fwbdebug) qDebug("IPv4Dialog::DNSlookup() name=%s", name.toLatin1().constData()); #endif dnsBusy=true; QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) ); QString addr = getAddrByName(name, AF_INET); QApplication::restoreOverrideCursor(); dnsBusy=false; if (fwbdebug) qDebug("IPv4Dialog::DNSlookup() done"); if (! 
addr.isEmpty()) { m_dialog->address->setText( addr ); changed(); return; } if ( Interface::isA(obj->getParent()) ) { FWObject *host = obj->getParent()->getParent(); assert(host!=NULL); name = host->getName().c_str(); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("IPv4Dialog::DNSlookup() name=%s", name.toAscii().constData()); #else if (fwbdebug) qDebug("IPv4Dialog::DNSlookup() name=%s", name.toLatin1().constData()); #endif dnsBusy=true; QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) ); QString addr = getAddrByName(name, AF_INET); QApplication::restoreOverrideCursor(); dnsBusy=false; if (fwbdebug) qDebug("IPv4Dialog::DNSlookup() done"); if ( ! addr.isEmpty()) { m_dialog->address->setText( addr ); changed(); return; } QMessageBox::warning( this,"Firewall Builder", tr("DNS lookup failed for both names of the address object '%1' and the name of the host '%2'.") .arg(m_dialog->obj_name->text()).arg(name), "&Continue", QString::null,QString::null, 0, 1 ); return; } QMessageBox::warning( this,"Firewall Builder", tr("DNS lookup failed for name of the address object '%1'.") .arg(name), "&Continue", QString::null,QString::null, 0, 1 ); return; } } fwbuilder-5.3.7/src/libgui/IPv4Dialog.h000066400000000000000000000027471303637203600176430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPV4DIALOG_H_ #define __IPV4DIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class QDns; class ProjectPanel; class IPv4Dialog : public BaseObjectDialog { Q_OBJECT; bool showNetmask; bool dnsBusy; //QDns *lookup; Ui::IPv4Dialog_q *m_dialog; public: IPv4Dialog(QWidget *parent); ~IPv4Dialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void DNSlookup(); }; #endif // IPV4DIALOG_H fwbuilder-5.3.7/src/libgui/IPv6Dialog.cpp000066400000000000000000000205021303637203600201650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "IPv6Dialog.h" #include "ProjectPanel.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" using namespace std; using namespace libfwbuilder; IPv6Dialog::IPv6Dialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::IPv6Dialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } IPv6Dialog::~IPv6Dialog() { delete m_dialog; } void IPv6Dialog::loadFWObject(FWObject *o) { obj=o; IPv6 *s = dynamic_cast(obj); assert(s!=NULL); dnsBusy=false; init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); /* * if this is an address that belongs to an interface, we can't move * it from library to library just like that. Only IPv4 objects that * belong to the standard group "Addresses" can be moved. 
*/ if ( Interface::isA( obj->getParent() ) ) { showNetmask=true; m_dialog->netmaskLabel->show(); m_dialog->netmask->show(); } else { showNetmask=false; m_dialog->netmaskLabel->hide(); m_dialog->netmask->hide(); } /* catch exceptions separately so even if we have a bad address, we * still can show netmask */ try { m_dialog->address->setText(InetAddr(AF_INET6, 0).toString().c_str() ); const InetAddr *inet_addr = s->getAddressPtr(); m_dialog->address->setText( inet_addr->toString().c_str()); } catch (FWException &ex) {} try { if ( Interface::isA( obj->getParent() ) ) m_dialog->netmask->setText( QString("%1").arg( s->getNetmaskPtr()->getLength()) ); } catch (FWException &ex) {} //apply->setEnabled( false ); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->address->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->address); m_dialog->netmask->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->netmask); init=false; } void IPv6Dialog::validate(bool *res) { *res=true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; } IPv6 *s = dynamic_cast(obj); assert(s!=NULL); try { InetAddr(AF_INET6, m_dialog->address->text().trimmed().toLatin1().constData() ); } catch (FWException &ex) { *res = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical(this, "Firewall Builder", tr("Illegal IP address '%1'").arg(m_dialog->address->text()), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } } if ( showNetmask ) { try { bool ok = false; InetAddr(AF_INET6, m_dialog->netmask->text().trimmed().toInt(&ok)); if (!ok) throw FWException(""); } catch (FWException &ex) { *res = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical(this, "Firewall Builder", tr("Illegal netmask '%1'").arg(m_dialog->netmask->text()), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } } } } void IPv6Dialog::applyChanges() { std::auto_ptr cmd( new 
FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); IPv6 *s = dynamic_cast(new_state); assert(s!=NULL); string oldname=obj->getName(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); try { s->setAddress( InetAddr(AF_INET6, m_dialog->address->text().trimmed().toLatin1().constData()) ); } catch (FWException &ex) { } if ( showNetmask ) { try { bool ok = false; s->setNetmask( InetAddr(AF_INET6, m_dialog->netmask->text().trimmed().toInt(&ok)) ); if (!ok) throw FWException(""); } catch (FWException &ex) { } } else s->setNetmask(InetAddr(AF_INET6, 0)); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } void IPv6Dialog::DNSlookup() { if (fwbdebug) qDebug("IPv6Dialog::DNSlookup() dnsBusy=%d", dnsBusy); if (!dnsBusy) { QString name = m_dialog->obj_name->text().trimmed(); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("IPv6Dialog::DNSlookup() name=%s", name.toAscii().constData()); #else if (fwbdebug) qDebug("IPv6Dialog::DNSlookup() name=%s", name.toLatin1().constData()); #endif dnsBusy=true; QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) ); QString addr = getAddrByName(name, AF_INET6); QApplication::restoreOverrideCursor(); dnsBusy=false; if (fwbdebug) qDebug("IPv6Dialog::DNSlookup() done"); if (! 
addr.isEmpty()) { m_dialog->address->setText( addr ); changed(); return; } if ( Interface::isA(obj->getParent()) ) { FWObject *host = obj->getParent()->getParent(); assert(host!=NULL); name = host->getName().c_str(); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("IPv6Dialog::DNSlookup() name=%s", name.toAscii().constData()); #else if (fwbdebug) qDebug("IPv6Dialog::DNSlookup() name=%s", name.toLatin1().constData()); #endif dnsBusy=true; QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) ); QString addr = getAddrByName(name, AF_INET6); QApplication::restoreOverrideCursor(); dnsBusy=false; if (fwbdebug) qDebug("IPv6Dialog::DNSlookup() done"); if ( ! addr.isEmpty()) { m_dialog->address->setText( addr ); changed(); return; } QMessageBox::warning( this,"Firewall Builder", tr("DNS lookup failed for both names of the address object '%1' and the name of the host '%2'.") .arg(m_dialog->obj_name->text()).arg(name), "&Continue", QString::null,QString::null, 0, 1 ); return; } QMessageBox::warning( this,"Firewall Builder", tr("DNS lookup failed for name of the address object '%1'.") .arg(name), "&Continue", QString::null,QString::null, 0, 1 ); return; } } fwbuilder-5.3.7/src/libgui/IPv6Dialog.h000066400000000000000000000027471303637203600176450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPV6DIALOG_H_ #define __IPV6DIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class QDns; class ProjectPanel; class IPv6Dialog : public BaseObjectDialog { Q_OBJECT; bool showNetmask; bool dnsBusy; //QDns *lookup; Ui::IPv6Dialog_q *m_dialog; public: IPv6Dialog(QWidget *parent); ~IPv6Dialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void DNSlookup(); }; #endif // IPV6DIALOG_H fwbuilder-5.3.7/src/libgui/IconSetter.cpp000066400000000000000000000030251303637203600203410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "IconSetter.h" #include "FWBTree.h" #include "utils.h" void IconSetter::setObjectIcon(libfwbuilder::FWObject *obj, QPixmap *pm, int icon_size) { QString icn_alias; QString icn_sfx; switch (icon_size) { case 0: icn_sfx = "icon-tree"; break; case 2: icn_sfx = "icon-big"; break; default: icn_sfx = "icon"; break; } if (obj->getRO()) icn_alias = ":/Icons/lock"; else { if (FWBTree().isSystem(obj)) icn_alias = ":/Icons/SystemGroup/" + icn_sfx; else icn_alias = QString(":/Icons/") + obj->getTypeName().c_str() + "/" + icn_sfx; } LoadPixmap(icn_alias, *pm); } fwbuilder-5.3.7/src/libgui/IconSetter.h000066400000000000000000000021551303637203600200110ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef ICONSETTER_H #define ICONSETTER_H #include "config.h" #include "global.h" #include "fwbuilder/FWObject.h" #include class IconSetter { public: static void setObjectIcon(libfwbuilder::FWObject *obj, QPixmap *pm, int icon_size); }; #endif // ICONSETTER_H fwbuilder-5.3.7/src/libgui/Icons/000077500000000000000000000000001303637203600166315ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/Icons/accept_16.png000066400000000000000000000016461303637203600211130ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<HIDATxlS[hTW]щIJꌯ1mJSAOQ,~(ҟDT*je -6ҏ4PTj &<ܹ{{Ɵ88X4?467[Rptoraq^_W_,ƞn_ׇiVĸs]+P|-kfa'@h\EM RzlOʕ~$I< )\ْKSFYr{{"ɠ 7 ϣw۸e BR8C.4E^/rF[ѐtm r:;Ѿc fCT|$ 9|Ö%IHQw˸]ےבɜP)%߱TOEs@emdF:*fp89qbf,3ML!Hr=My^be6jB状Vyp_֍Al%&l%m.(~8G 0U<IENDB`fwbuilder-5.3.7/src/libgui/Icons/accept_25.png000066400000000000000000000035021303637203600211040ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڌVklWΝ7^~$6qhQPBmLi>"- -BP@"?ȟ>~Q)JU@.AIZUmNym]{wggIQ;:=wW zܮ""כbsWT o_**@̓9U !B Eje|)R XZ,} 'Oyw=a֏զ LcPp 7 RMeB " /Pj U֎ W݃đ@PĚ5Yd{ž@C7 ^ۗ=' X#V ðҊ% 𩕴螺uY8U$ 7xTQJQ ]DoHН3Y]-m(rt]C[[zσK5Jc]ی#۵U "Z*I%%%$RG@r}֪Nu+TE3̌΂' 3č8yS;>"J.ٖmiv7DYNg3::0@ؔ܌[lƅn TZC| (́Xƶv^{gȺiaSx"J둩ʼnn`$U!+Bkj3:7IRyC>ɓ'ۅ~,qEرɓH90 & ܄npd4'JnX^sSsNdYhoz8R6݁>Dl%OTQ bq̏sr!5S(مwZ.=?n\c)tuuaddloߎKW1X g-ĩMڊ!f*36k+6DZ)H,P)U=˗/cd2OGLJQ40:tm ɋ\K9qP/Pl,R )˗h|irۑP΁?nR%5h·GUk1__Ւ";N$ tfБPǁ```TO=4޼ځmNXHU4|Q~cps_EV>4_;!T e_'2e^QgD2?7x+YH#V&~R9}pdt8]װv{өJe?Go@4['d@V * Õ'<2ѠEuV*3#?e&XF&8iMGӢ+Z{NF{|]ˎdֳx#(({-Usڽ4G:S Q(Mq s_?^?h,lz-kO3+`E o:' JsnIOOu|y骾_o$FNO1 Y(P &i_f7D7֐+Cw_XVh\Md{o_ w/pIENDB`fwbuilder-5.3.7/src/libgui/Icons/accept_64.png000066400000000000000000000170741303637203600211200ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx{ \yw{Wu]-B ;.p@xp 
gsbgbN!L0-c;`$#0Z[KյWe.p&]{z߾{KaOphi$̖WOm]*yZivZ<^|3i;1b#dM_߲f؇ [?ҟ  #|/:#+^}9 8BBJA5Cĝb4Hpy%BHAjK}Rƿ.׽zkL(!CmM&ԩ?Pϻo6:&Nٳwd7xz!e5g"̙0ͩŇ+/Ѿkމt6ǀ~) HЀ44[A>-7Oi>T+?6u|b.ܼNܻNT'!,{'y8}&wƂzPW~Aa(n~x-Uc緧ېΤdyDF`v| "f/Auƶ?Gͻ?3Z[݂SS (ej )9NqdKSlVM5ASDrHX2ߖӇ6S:]- "7"l hƼPBمXf5s`eS{y="Er|τA!εĄ LEuZ8 ʝs))8*BQaU?-~8.% a?ckPUIpΥCSLR"AH(e i'Isi;AqƫVO,1MoBae>aS!!Z06[,9G0e@6ކ3&׾ёQHmXH.ux BLH<7hLkff:[Ҫz2 *nZn)jSj[+o|S b'l$グbo$JX*.YD<%WPZ!$l\8)5 ,i }R (G[ ƃdZX -d&b0/v16n7=fva82ЇcCH'lrƋ%kqCƂl.NxSʡg섯LMkuk]Qj'\Bѵ[b>3JV1󍰺RP!2?s2xMjQa0kvߎK)0C 0.\.LFam;j`1 [#kZtt`&T`Sf*J9< uQ CD%w:evݎF 'GzIRC˺vcě;&qġRګ9'\DetcPRZ(kKsjaEB7Ga9F0K 7S«/HT( X{8|C4n * (_gEP鄬r]d\4NVZ0z4 @[bZaL;/q Θz\~~`=6l3@y'/i?]b |M%R][86ٳTnhRpѴeTsJ8"25\kKwNWDmj,õeo%.A`/33 Zs;,S~Ft-1m=gشiv[ , ahdp3\c&4a>  }az)Ue͚w|-`♗LG^uM~pEcgW*xzOPM .٩n<yH>{N2omـ;FGM o5-PQD0ȴ"b 3Y]9: ~lh4=zj޽[u3Fּg>':>c42nϞ|!k~CsmXDT*e?SCr}GoHDHsN זB*r0ͥz?*. O} Zz6aCm}ttBnϾ_W'&jmM P"YNӧak/9F錀ׂ6' i7úN[Tq’ڒ :\ .b&M9΃MjlP}~w7vmR]u<3`1\ϠT+bs;N(Xv<< x+ Ib97~GqPriՖMZ% HĐ%"{}5 .V#[v-JiZ=AErJ^ˣϢ.#NwxmzܾCExb:{FSLJ&٠+Q O%ؚ&DYLok^]} D!0z:SuKVL(qH°Ke|Gʆuqz|Gs jZ-R 0s26t)[(w.zfr**ET2JAc1U䕥3yŤ=kgICۜZ+Z؟(F?RgV, U%2 6@df*8o%v݃sg]RoYɃ|NT"7eSe( <~FQ [w`{ù<' ~D^El`81/ N[P xW5=jg5Wb<}Ow~tO1| QH@HХ,+,J^iQcF)7oގ#;Oʝa8n$bSgۄN?4 y^ۮ>Euuc¤Xi PKTKyWY|rrrq^}jd{AW/7|`WDX_o2jxG(kvx[weMի`6\,^cw(5kF{L[_ h!Y_8ݶTk,s[Kꔒ*ybeAE+ycJ1|;l/O .-A"UBDZܹRuU s5Gej#INUۄFLOKB[1]O ~ֵgF9ni42[~"P,_0-S(T=bplڰb}ՠƒ\iS.c}HbwV7]ºscɉ'@_/k!:=IJ$# ˓QWƃ-ڐf̀> xWT`H= =C d}7'/>@xniQnQ] i];i@5֝h)c5Uro?iPs][)CnIWb .8F=6a7]LUuWMjaD589}Ξww?#kPn2w:jE±d+ǤYufX!lXwU7_肚 uΙv]Q>Fgd,"$gCp193G=UFO AI :oűX/S:{]gZ8W?b^_\}hυ%T =DLڻhVچh.ݙj b0]TkHMt8Y"zĺmC>B~dRз³@wL۞{>huȢusi#r\OI*q@ iy^"&׮4,8vLl,^aAц~vN Z1b-/+@mԽwd< X[6֚~Zh+""2|27? VdF-5 д,7-1U>}Zw/J Z*ka{~~ǫӗU͹Ry=I)eangJDWpL_@*KcHT:s8bWׁ ZK"i{Bj9HI FaԚ]%)[LfD].Pl{pW[?`^? 
sKfQH̕gu?f."\r蚵Zn y "|^HO\/󂈟Xo~o{ZP?H-72W#|$1G";] eqۺsNK94U54UjYny8}ƎT7WFQ ڒm߽+[7dح@lY b\"\ۭ(/ "6nK[qx*8:3gs2{sb/n8Na11C})avtugq_qucIkc Ox4\˱4/_lu ?#\/g%r%ڦQhL&4tdi, UMGG+mV}΢Wec@GqT^ѳ zU_}r&yVQu=r 01A DJLLi1ߌmJI6DU%XrQ(S!u^*W/pXOg1_ZRn?M:_F+6%RTgNHQd]$2 aC" xD~8߼ Y!(__7"$92DejKڳ@j w:Rn VqX >/?v7/99_/IOmm3IQ8%C?#hVo O*iAIENDB`fwbuilder-5.3.7/src/libgui/Icons/accounting_16.png000066400000000000000000000013341303637203600220000ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<~IDATxڄSMkQ=w2OM5U+~P1mAD*.]ݹR*t[ q!Y+VF+!I;$3&Q{}{y#%+shFTυ9wG X}㷗~~qiH@p󄓿48 =L TJE-zF. S~WO16xU( U|-M̞2} t~ 9 $5wN_tu(gF,n.gr)`DG5zu]ѝPa&-JZQ2 +ɔl$+hׄ+qIq{~ef@ ֧ W"3B<5*@߀q_}IޛLk1S'LMWԣozj[~G1=FIENDB`fwbuilder-5.3.7/src/libgui/Icons/accounting_64.png000066400000000000000000000057051303637203600220110ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< gIDATx[ݏG;9NBHHNQ8`ER@+" ! "B!"`H@ xIJs'ޯfnw=8+n~U9-G]\~ؾ+bXeӀh@b{Z@#Sm`<*:JeC>σ\}x<~<|Onc؅h-y O@w#ؼ ЛdA,ڡϝk>n;ϖKU岖@HK3p&D %Jnن~ "!? 6 &@tQ[my#KϒO1#ݧD hphHMv,yl$Qw&5 @ 6PB=(EF0j1aQaF9:mI!Up) ʧ418eocZ-|q3d9/%Ƴ~S }3d(#؞9ddԞ|&5? 
tާ/^] R7bݤ"~M¿Μs|1tWٝs &.}S3Ifp/M¿W^α=HO] fTU/Ao'^;3 vR67_Ys߸1ߚ9 dn+ +;I X%*RC?ln>b5l VuK˯L1I:B ֫s.}tY:#!ĮNv> v~NDAO",*b;ţ}[$ VMN*{?q_޽SIˮhK݃hCw!cRUܙ4fd;WGg/Is$&O'A> !G (D݃gRZO% VWW촜`>&xt~&Gi\MZd=xWkSQ@?(CtxkU%*T?gCsIɏ<}d 2HarI7j ~&|AIr995Px1 "<^SgR{]X~[wTۜ] G%p^mUR0TLLj܏z iiU Ǿp̎iwN'(a?]3U~U7֊zc5jG%J3F}]4Xœ:xSixX>];>37>0ԘgZӈG>fňL&%1eKTNL!~(eE'Tycjq$оw7&9~sÔ22F_ LlT2j2tH@k4uڲAqmhf>%p<;@|U,:SmHOh0;ejLS\%M2*)n"JH m6f4q#6UBŸ%{<#=R,h)})B3I$PZ~D*izmʨM'&J]/(E*Uц(MRs3n+jުAQNAi *c*+pUc.S0I"n&hO3H,L 67̷93(# n 3d ضsU0e$u?í%d a~\p)h M&'-*o %mQE.>؆S3 `Nxb%ӭ<ٚ <T#rSl/Kr.JZ# <5^&hrT|5Q_غmI8:NpzpIjJ hEZS Fhk֜5Az7M~9ӝ!Җݖu+=+KkDlIENDB`fwbuilder-5.3.7/src/libgui/Icons/add.png000066400000000000000000000011151303637203600200650ustar00rootroot00000000000000PNG  IHDR00WtEXtSoftwareAdobe ImageReadyqe<IDATxZJ@-Im-Z*oћބ_CsEOB(A1m mfݘB۔hI ۝7;)afrAkKkݖ9T?9mv!?:wo1eCHE(ej,̢J#!4bc@#7!T B, d4b.ϸ!ĂFxH0\&/~ cg FbɄBjJ \u-W }+_&~: 2&^>!wc:/5W |//GX'qDXs9حTyT՚9@3T`m~` >ZV6_0LѴ >c gah=It̼ܩN<SK>NjHIENDB`fwbuilder-5.3.7/src/libgui/Icons/address-neg_16.png000066400000000000000000000011551303637203600220430ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڌOAǿoGwKеTb7œ9x o#/ē18@I<QPX@l֥ü}Cs \wgr:r҇/S$qkmԻ_~FfıvdUh% kGY IbWRxS'ش\\~`jȜޯ,X^ҵ&')0MOdMcl~N½zJ b")h6T}uma_"kCt `l0%\W͜wP5>ͱ k^(4w"HR;tnvpD=bɾBrOuǺ2߯/x%r :+? @oIENDB`fwbuilder-5.3.7/src/libgui/Icons/address-neg_25.png000066400000000000000000000017261303637203600220470ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<xIDATxڼT]HQ~Zj+)u#WWVt]]?L F^BLljD l͵USfھ}so6z~{~{>Fe 6f|ប%cjhsڳ?@M̬|{bk4W'&/e>f1msb:F>8*[e.N  X8Fqsxx‘WGXP1P~ɷaY|EH&/(Ä;C .+nǹ|wƨ9H3 P}[o( $ebE*+& zLǁ3B mٜۮv``l./!,WޔCs5vWW)߁z"D7)ܔ G; m@H},&$i1D/fsQ,Y5;LHY&j]xz*lr5#@yaæ(`S)$I1aW>v=I51u|GCF!F*W*-i&z&j5twwCoo0kZ.hnnFñPW5z ;b=7<h4J6LPXX@W3qee s8ؚr---Akk+\.  
<]ѥ:}]{8:htM b@ii)x^Z& H ؋H2kjkknCKK˪&###`6iw_kK{q͇;/[V_6eF#l6:R,fy'p1noIENDB`fwbuilder-5.3.7/src/libgui/Icons/address-ref_25.png000066400000000000000000000017171303637203600220520ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<qIDATxڼUMLA~;SE0T-CFBxEH⁃ Op0Ƌ Q/hS-b[(]g@)ėLf{{(@l`bey/6# 9V<{7(Pشe=opgaLd1 wT׮dkpuӯYeQ>g!O @TdͺH0 si<6ֽ>ͅ˜SDAZo5q4~)cMӶ}[oxcj`z9l#*Dz9I\$BP|<%Z:6&mlx B.a6p*l8^(ɋk,~0"ͩ{K+RH&Z"'/Hʔph Ou8{IU0'q&a9$=$7)^OOAlz>q >X÷EBRD§EB"q-ny<EZqwh`}"EBĄE`hF$`JMw8BabHd"5XxB$Ҋ@e1Fp:vydYZwx=Š4:L{^"F㽌 Ń+Fgg'x<IHI}>TVVi!. TTT ʖfb(.dffBcc#CaQ;Gx :KCUUC^mL&SK"VC~"]Q 77WZt:0P[[+4 iiHϩdO#.Z ]]]Rڠ~cY\4qpΥ9A*+H"%ZZZ yyy/ܧ284,% 4=VTT$fddMMMDŃ)D mH)IENDB`fwbuilder-5.3.7/src/libgui/Icons/address6-neg_16.png000066400000000000000000000012021303637203600221220ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<$IDATxڔRKa~o~Q"_СB([d'^=D E"(E<+ݙܝyoY ~|3`Maɥx#| {@q0fiS7 _F 8wv&Z_.\$) ~Ld=c  dq$kH56"2})r MfYݼ:Wo01T'x-\h99p]HAYBy g13`;yW#XyDm(ܕ XS[;8$n 3&6?P@H ௘:yolZ=7]( OT(=`2gPj pQqt3hڅ jU$NYѼ wUsնSoz7Kե%B ?mX,?0Vsݪ8wh\ $Z܃c @̍TɃ`9LR<U X H69D,K1 0qj IENDB`fwbuilder-5.3.7/src/libgui/Icons/address6-neg_25.png000066400000000000000000000020711303637203600221270ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڬTmh[U~Hod-n:j6?"ꟵMm ?ůAGQJePZ4t]72q`Ef6ۊ$^9kX\u/{ϛWI{-u7t U@es5KOl,Kbh >Շ>>h,R,("V J[׀Y_\=DӞιR QQGͧ6/Lfds@8k;KH*U~" ^ߖ&gbI|gScU};%.&f"BL 2 )Y22<}'@S )2P[*;vwza?BuU8SiJQRR 9d,ʎlfT_f5 &Y(!SL܍ Q\7%v̚]Mg(&f-|9LjC"d]aǏZ(8` &Rt&o\Ė - ӻ4haLtL!d6F N@_Xz1Fzh5~ۍ ~/ȼ!Ɋ!bǞ2 cFѼD'Ȟ%p9^LH.s,ĊQ &׌Kddi=|ې$jmihEL,vN+dT$YJX(̽+ `{boIgǛ*IENDB`fwbuilder-5.3.7/src/libgui/Icons/address6_16.png000066400000000000000000000012411303637203600213560ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<CIDATxڤKSaǿϹr64h$FEeQPB7qA^U·QQ \6H*z"ETܴ]ZӚGu5^nnw Hj=F7 3ԧ 0ZQQ hN'rj٭*ʢX*=B +䜬o/09UΜk%4p JVE ӫElmgPt `R)FclۙFPr+g*w-RA}Dj:#0X, 4N Q "bZ SC0z {_z~}]e>v^VG9_n=4}vذǕ kyy,{:`9iS//Ȑ4ru5 $ o 72vJ 3dd-ş*7px?w?j*XE5kVAG׍W$CI"~ 
A1A)! _;n,pӐ,&=GOGnEqK|\hxJ:$b&M wG?~@[rM"/ @|Hpo ^ n wJ<^ 2|rŴw澷aY[$IoH;AcA( @ @:"cL^6Qy]+ph7~܃û`^?>{2; 1C$MQ$04$ @ eU `Aay=ȼ yݍIO$i4,P 284Im"N t"ۿIJJl6Oĩg̞VEJr `=sP;Z6^;2nJϲe;n4h/܌g qjj^),QMmhpϝ/?.Xl`^q1Eh3y/={:_F{dcm0іXZ  IVܱگ)^VO{`|x"{1|'ۖ,Y7޿17mu#gC {ɼoޱcnz;2P&]9/8ptk WZ9Kmj/+Nz'wa9z%ɾ&SoG_n'] n ^"?sLnr{QO,Kx 28&|ˌmWd))} GK8Vot}蚞8( Fg5==5z}j 5 QL熣4vRLV+%L5*Q܃J7)`a4h, 0tgƩGio1,g~+Lu '[inA6KAC ,l_:P :ZPTVsVM&:p-&MΝ(}kO Hi8-fH=ykr"]~y޶kzzjxz+-|[9-&z69m|ro^}޼a׬]~wFGʷ :ynu3հY>wżEW9Ɯ b3D!$\&םw+Y M ֜ua}8W7+~~( ]:]]h6v+^E IW_SE|%gȑ7* #sPt:v0H .x+oߴizȰ~w`@֘(i>i>$/LVXP32Ewރ#n˘1ƴxiȮS#F :9Z,fp[]rr;{6|S9j !b6_3x+\'&[5?5޹6v9}l .,v`?2涶 t9&-[vlCғoq 4W l)ُ)vLcѣ榢"O_$VvD >([45LdL*kU[vgENv={ ݴ4F5860J=xBǰUE>jwAY4v؇` t1UM0*/4Ģb|U;d'ɢs۠NP}ۯ V-į]=ҒKҔ~(= <Cް۔M',sΝ;?g`L=Mt~x[o[wƥ!~/۰aöoƮU'T1P I!Tɚ'N,+v\ⲥKtJ CĤb6By^yf'|fZ,S8F^Z:q;"ͻsT(ʫ iB3ė5pG^h%0o@7X,Smzѡ){ ^`O K!} nXþ+AԽ!Pw -b\bSPU xS^gXw\~mNu4CHwE0ގȺ**y3=92_y-v7@H*qNX{(?#0&k-H ^i* 7p-]"+1-ˎJclՍ 6F:L2C2MѕڭI%hl̟MsəM W Zd IENDB`fwbuilder-5.3.7/src/libgui/Icons/address_25.png000066400000000000000000000014571303637203600213010ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxTMLA~3 BA 1BBb 05nꦶ:2zu16\}[-r(e_+(%@)@dzIG iWOt.wEB ( ǐ7n 67.H˝9y{=a$I\fe2A"RUfг ^%~7ՁZu / T h2} $Ba­&fߎ €lc']oZfT _cWjS ?(ע  xdkg 6SLs_L&U6%o4R' ,X@Bdcx"th?Pkhd+ϼ>޻8=Զ `0>}tף<>>!wDJVQFU+ dM NwJ-)m\Xn'w9D."HtBC?(--XR촤 ,D;I٭֋j퐠`Wީ:A!c S ?wBrrc8_Xh̊HLd{I5@BͫN|2#$Xz91s<nC0:AtxӶlْz}1рD%NRd;w絒Iqls$ ٹϿ5%%enttrӊ勳o]ZS8 jL6m$-{EnHf|Mc@rgJWR5˲ݝ'˛%G^TTT*++ʔԣ@==zʡTgt:%0]gl [sXL o?$ĠyI ?B$obe[qN$ea}X b8sH@O% IrͰ{Q>D.ƹjFb&`(pc2' mj=rHE+_},ZՓ ) uygc<>a„.{޽_呑7Su.z.|D̨jNp@L%srr6m+~X]K2<``"h$B*8Z"5`@`f\!Npy|4`l)^n1ًpmY `4.! E3#I2.!aRE0d<c }Ubӵ]5+_t/}A'[^eݐO v8VJ.sMJoǭ=w\۪Uӈ+]ssOtuu9#UA111$ ?3MJ붋.{K$]=ILLAkL@-,6ׄe;vS'I11P.By\kfe<TpsU^HC5iY>//߳`pN4ގ(w'TO-Vk0[߂R/=f_4H<@ƍY 凂/epkY6`< 7SVػw/}>? 
CG8q"\։o֕,d]B6o޼ѣĮZy@`kiiyj>yO8+Aj Kgpr۷?c9p566mX~^NV^jwLk=YOĿO5fϿbgkkW8f͚gy6”`Gc)))TSVV c u_a:}Tqq1T}x?R%T52FA&'\ԓQo/`ǫ!ʬj*<ˤXqWU{~{PNB9)-5 m`c]\A9IENDB`fwbuilder-5.3.7/src/libgui/Icons/addresstable-neg_16.png000066400000000000000000000010571303637203600230540ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxb?%D^Dt?#3#3#VN9?}i ԺwF D/RaÍ  102gbbϧo>z 003s0pry$xx9O}%PBa]BJ'0 ;ԏQWUoǷ>ccPq ^/$@eXncdPaqjBl@Q Y2|kW_2) 0prd2\Ԅ f9Y>>| # Sr+„€ \|0bn###\Z0$$6#k8ࣲ r' }sj 0ȆG`s.P1̲ llp1&l6#{G@+|B,(b,aI( z/޿b))m$IENDB`fwbuilder-5.3.7/src/libgui/Icons/addresstable-neg_25.png000066400000000000000000000016361303637203600230570ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<@IDATxڼVKSQν é+e9bRB~4IbPE}}P |!2BЭHȗݞs{w'ۜR8;4,W&'C4"3ʄ/.G^I2@] R%, QAQ0P zr2:z}9Dږ ͂VKG|_}ͤROWh#RsJpFh4̫vY*Lm6<88l߿/&J\a+ %%%0Ɖ z 9l a?0$ SSSPWWX Z[[!0eMo4/)i-]ysJURxHPiKARmb5ݾS/B}ps|?eDQm q{ P)fn%ei+.q[d2099(fwZԾaCcؾtB:ʈj-ndW9& t62+*jH8,,>ɏk-33< pIENDB`fwbuilder-5.3.7/src/libgui/Icons/addresstable_16.png000066400000000000000000000011331303637203600223000ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxb?%D^Dt?#3#3#VN9?}i ԺwF D/RaÍ  102gbbϧo>z 003s0pry$xx9O}%PBa]BJ'0 ;ԏQWUoǷ>ccPq ^/$@eXncdPaqjBl@Q Y2|kW_2) 0prd2\Ԅ f9Y>>| # Sr+0\ ٹ2 6gc,@P.|ngff~~]/_s32|F$by> }sj *-wձ@9Geeܽj\ htuL0XDXQ1 _ оG# }9IENDB`fwbuilder-5.3.7/src/libgui/Icons/addresstable_25.png000066400000000000000000000014171303637203600223050ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڼV[kA>3{IK VK', ·҂oV)ETV4JJQh@Ԧݠd33nmι7g.˄ۍpDl7g , }2,Z/T2F'N;ĠoaGF "2XYw1M,ZNT[L&q A)nM':;Fo%pYpW88S'k:dM 0wL?@]&!n/ K_-$pLh|p[~DS5Yc ai0J=TN{ݵZnj}N0֬tfx:Ij)M_^<Jhi5{N.˗n jo7s_;ı;,x 2N8{cxmx=I9@w:˽D#oێIn8'TJ1&UL!EGf$/+ˬ}nv43Zթ%Y7.mIHH&% 8я!AOM_I98IENDB`fwbuilder-5.3.7/src/libgui/Icons/addresstable_64.png000066400000000000000000000062201303637203600223050ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< 2IDATx[{pT}n6MH 
Xk0#TuFmKQCVgԩiJ+NjhuS0G8wRFk@P(;VL0V7UmLU˂CƠR҅3aC]]PBD4x\45NoF QXp]{0_bqVĴިQ0\5l AMu$*!8:P D1UM #мRfsWͽ[P l\PAYu3(UgPuԨ8`6!hB]4@D].6=W946n73F0mԏ 5][ Sa)jXGSr$eX4et+YY=ؕ7?B¬cXPc&(ɴFk+oZn{f . k5|Xbx ~ v_GJ:\adBi lp^\Bkz?_,5c :ȑ}4w;=TW@9I߀ݲ(" 4NOP^Q,Ș319ZdumV 95 8Z'RqR<)H[TZ#:Lѓ)xh0Բ UV406q }ʗGJ IiH.w&Z,}zD fG]F01 ĈY.Uh GV,*FlqW1@/Dqhccr`;W-v2AIh:/ZLN֯}f̻7 {܈T/؋j1 ,\ε X+6 M\m8At $Ǟٍ+aaΥW}ꙋ7 Z,uwj%X#`Gv㼵N!Ύ]=KlP\(OÆ%gk0=.@0\YvPf\qp؀y%M P ;2tA@J1?.Y :O*|=06_, +0Y`*A_d>6OsRt3-SL&WŐed C*JWj4-`R( "P툍nf Ӷ.6`03 dpHh|91޻R[l>\.iPb?..:Xߡ6sWٟٚIDh :<׌c> "v& /tBooc"]2OŋD00.r i`|יdVv>cmT3h>iS=9cj3lϪ M}㱴>kh$5i)/hw7 IwN:Pa<誮>[ɔ"6VC c{n`aMU;Ỷd] +QNƄ'^Gâv]W99vHx(o7$4VVs ]5]veZR;].`*[{}W|-?LuK=p"<^\8@mbk)e p˿ P̄jQh?^T2R.V9~ݚ@-;=ſ5E{" C{f˕7q~] Wx] ~|ϪoDZfxmaÚʼn -&P4F IֶwLC9=ho+{,x) ;z |Fv 84_?s+X_][oQϱZL3[z?J@$(1C,x%D:z@[ "!g>qPɮ߽0Y6UEQ|''E]cD]"М1z?I>,'ooy; aElWҡi&imZBkJ|}tszu9ksy.G%/Nnc?hIA#.G}_muœ@v_rh=!ͽfXPEZ0wW?(]`%n88SS>3a;C󟺒q/\OY+w?w 8|Vf .3|Փ~i7*r9"KSSqAu:U-E>R}On2{ڔ` Ƙ+AEQ@v|V#RN\Snq|&e+>V@@܊ū`gVLK0eIENDB`fwbuilder-5.3.7/src/libgui/Icons/apply.png000066400000000000000000000007041303637203600204650ustar00rootroot00000000000000PNG  IHDR bKGDiBըIDATxc`DP1l =0)6S Wn_Aqjx5óIsŢWL/A7Bg1 ]@Ɗ%pCʼVMH a@@T!5_c#cM Ãkg0a!=x]:+;+a@ZYaC]G,ٚ7e(5 frTI EzTXtSoftwarexsPMLOMLLV033Q7070TH.,.t(-H,L/J|jx3zTXtSignaturex3O104K411HH2532H33N140NI6NKw/oAIENDB`fwbuilder-5.3.7/src/libgui/Icons/back_16.png000066400000000000000000000007411303637203600205470ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڤSJ`=7iQR]8n}_s_@_@\G(*J)UIRhB_2ܛs'7$W.Is "o'=So +9A.8?ÀkÐAw!Rvg+.HcL$Y&w=3LW&j|F$99`R2+_^k$ kmu910:c )HRyX;(rTqc~O")C}P^ͧ(-Y zrq@${[Dfxp /UOV6\SY'HĝU_ǵS}v~r@ IsWy#g]b9IENDB`fwbuilder-5.3.7/src/libgui/Icons/back_25.png000066400000000000000000000014431303637203600205470ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴV;hTA=3﷫F%`?hJ1U(&Xhao+EP APEVHa,I6&{o3n&ͼ;{|Vh<6ެu1ߪlqwH<[g?v]Aj"0@sn8h[(pa:G S=u@_(B4ύs&3n\ qIp512B4Gh Jej$8Lv82"z^M 
PŲFyPq̲¦G%:2uHGf}_@b'T^cz677oHع` SEb\ ٖ`V,D~J %s&I>(o?*U;#sTr4<[xVˈ0?Qt)"3X(6kaaAq ՗Lj8(EKJӯno8OYm Ri3^Vk~{/e!≆|e%%&hjE#Gм{C%v!NRQ+Zfxldz9m)[cg;=Y'x#V/K"/Ǐ2;VHfЦkQ~K{DiD65o&eF\/\Tψ_Z $ 0 4,IENDB`fwbuilder-5.3.7/src/libgui/Icons/back_32.png000066400000000000000000000013221303637203600205410ustar00rootroot00000000000000PNG  IHDR DgAMA7tEXtSoftwareAdobe ImageReadyqe<`PLTETÈE9d˳s{Wݖifûk z)v!~7hp}.m`y&q~0z-nz tRNS\\IDATxb',@H 2AVRRL6@aQ* bB` PBU͇gQ PyBR-*!YFFHBU^ |e9Y!daa㕖 <~;D98$y9="*V`ned`/(@iQnI!F<@aj~a~.In 1~~ [x8$! { pM P  SHIENDB`fwbuilder-5.3.7/src/libgui/Icons/big-down-arrow.png000066400000000000000000000007001303637203600221720ustar00rootroot00000000000000PNG  IHDRw=gAMA1_wIDATx픽nA]'Mx GHxހ:-eZ$%o!!D !d zR8 ) sfճ.EQhZ1mW%劃GYNcfa1rrxӷhA6 ńWBrRrvWlk{hp]Zp]o#CB"լ7j{KHDBdIdz^͢uԈIВzngǨf:؄@tHPL'S޼V,1FfSNJlmGy% ;m=hJv^08-IENDB`fwbuilder-5.3.7/src/libgui/Icons/big-left-arrow.png000066400000000000000000000010661303637203600221630ustar00rootroot00000000000000PNG  IHDR++]bKGDiBը[IDATxԻKQ񯯯%//v]"rl jk#ۃ ZjpsbD^2k<>AWWe!>e[mTdek_k_| L)­[EzTXtSoftwarexsPMLOMLLV033Q7070TH.,.t(-H,L/J|jx3zTXtSignaturex3JLN427NLNM4IN41KK6I24365I2LJN p IENDB`fwbuilder-5.3.7/src/libgui/Icons/big-right-arrow.png000066400000000000000000000010471303637203600223450ustar00rootroot00000000000000PNG  IHDRw=bKGDiBըLIDATxӹNA.v6* i|} -l,(l!$@.{,F%S̑' ,#Ʒ"mv[?M@J)Mېvmp(L@AASSH)J`L|bh&Q}̽csm6( d2P,f'<}Vu giqyL( %4(@D!n ,ۦ׿SX DGP!C1vlv1&wz\Pq}bX&^sq0p"yo{8m2_'*G6*u' 'NVEX^0"EzTXtSoftwarexsPMLOMLLV033Q7070TH.,.t(-H,L/J|jx3zTXtSignaturex3050M2KH36HN444N5KM6L26INJ5L_WvIENDB`fwbuilder-5.3.7/src/libgui/Icons/big-up-arrow.png000066400000000000000000000006001303637203600216460ustar00rootroot00000000000000PNG  IHDRw=gAMA1_7IDATx=N1Fߌ^6 wq~B6% g*?{z(@,yt{ˆ%K>aDz={xNZoP!$MeٺCr>p|OYdM9cDD >cӪ |.0 <',1FT'z+VdDq1+3-Xh"򖥬_`a+F8UDfV.hk0}瑔uJxQHu C {hc>3L?GI3,ڝ@, J03y3a RF2 e8>(/F b N߼K.??W~|4ÿ ?d/X`z_? @Իm3| 3{ϯ? 
30߯`.F =n3079Y~%f 0o3{] _@},*Ga|ENĢc@x+7s0:]P rƄ'Xo`@'/_`Cb믟 a b@{g ƪ ?^ ߙ!N  qg ]wA@'&CL ~p>삿_0?bZx,_[0J䓤G't70볧i34@t?Bf>CfX @&,@, A]P@A9ЇwHi;|@fglEFm0IENDB`fwbuilder-5.3.7/src/libgui/Icons/both_16.png000066400000000000000000000012511303637203600206000ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<KIDATxڌk@ǿ3df--HPCo ^x{aZk+N=N~_,` Zi0ΐ| qpri!G,0gY+G'Z*4f>#mJx@'RBRP evkl!E$@JŸT('a桯lP^C(ݖvbK?f Y}so1N1piD$0K{}{#z!Y /UlA'q(F,L0oԣMj ,+T$[Yn^b~) bPե Eh"4MJ Xa^],cXel>" a` 5p d=;M{H͛^_;2:^6^[$` פxpѹ8ąkuxq-}=Xmh[95DEyʀp H(F hÜQ``$t+ϛh;pXi=Ym[!ؾ?Z%HL/IENDB`fwbuilder-5.3.7/src/libgui/Icons/both_25.png000066400000000000000000000021121303637203600205750ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڤV]lUt?P)%t bLD >H '|>MI'O11B4AʏԐRJHC*;;3lV;&'w;3LJZFsY^$*!FfhQN03qrs+2, %HXwܩ^ o; #w煄_}G,esЯHy:vZ|>,%} )0v;C8Kdhm% sM]ǺU($'8k kt.Q (؝%x03|cHUΧGHpptp\ySǫ04Q] XлR8w>NL*_!jL>xϯŎ{5OZ 0E$PyIENDB`fwbuilder-5.3.7/src/libgui/Icons/both_64.png000066400000000000000000000065071303637203600206140ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< IDATx[kl}^ǎ_W'@bC PDJUQ ZRGUTjE҇h>@ TTPQ[;%!@_3{fvvDJdzgss8azu.uY7ٟ(W'+d-d>3W{A]Fη*Gd_.kJӧE"U'o``}F_X)%?ay1oPVقj5s;X5"G{r, j2Y4vjGOWnٕ_Ds_yqu:"+!+v߳3] 7':QWWŧssZpbkvf)՗jm7UcWg=x̜ή6*1˖G] $„D9y<ٽ}lsbq%1:cLǛX/rCgI/t4Q γ?Ӂ{zj{Km}x"<>ǩgQH9Ew⨒*҈DC[#z}^zI~SRM%893ɦ@h[kiT>L.BmHz_cQFuY >寚ǻPS3 h8=Ta3e|dqr'U?K\7Q;뜗H) :9{?t~525zٶD2vEE|BG*1=ɏA! 
s* BǞ=Zk|㜴QGLakY)\ Ѫw%7=RBsY)K ]X>!iF0s4(#Ih-P^*K1 Kp.&t!6(%:1(I Z(߅^(aø:( AJ0nK#홈8D#AE)dJeOkVwDHtLEcVX?h?̊/3 7bkUYxiWq9F͌JUW,ERdva8{5%)6,B Oj\ >`bjݼ/B3|3a#BU[{~B1W1E"AT)~)}iWg@1!]j`6i񊗙 .1Pͣ0bFޡiO_V,<ldeblAA,[^)$WΊD LqnokW}W-+tJ8}p1ywd(5*Ƃc߈+&J=2QNO\Ma6V*2E`EP>K8s/VP>W$9Aܲe\J]@V<|ֵ@BdB(cDHo W UBU`}bn~at@D}{(ayXʄŲ\$oGer-TJ=-w1y*.=,ILgH 8ڜꑘIdbË5ӌĬ:,u lEЅ0RE+:MkӁa@Z!3pM)D;/͑=sЇaB7,l5PCI喜LgmpK&^8}kǞ^?ޅ49"d?7ػO46iTt|lh4 RTiJVwѱ.4?9cOdsIU\~3sݪ„P5pOcX WQ$k)4Ƨ sED ayd 0r6oeQV-@41 ~z04cn@)b*JLJ0,HX̿HΟp5o^e@z3hA}_zwR@(T ;]™A!iN@@T{{oNxjgC:вQc[FjJ0`a Vu7Wn'Mr#}6Wz>̏z| 09%bZx.s GlWy^SJ_j<୷g06rU;<ұ6`d y1K1dlW k\^_38u.G@`տA3ݞS$#s9 ?szx D/J\_u^<&g|TpuslON%ŏG8ǘɶm `e0/50p {܁5T<bK ɍi|S'iH _F00KrAJd+/>j5ny.2&v%e@ UQAKxemg {ؖF6~ƇqLLXY/sވ =J|5@5^u\t6Fbv9F=utLxer.h'IENDB`fwbuilder-5.3.7/src/libgui/Icons/branch_16.png000066400000000000000000000011371303637203600211040ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڌRMkQ=L;DBT`E PR;Q.nݸj BA*UYVi@ژƤ3M;=ߌM1z{νB#YC2؀hf =Yܻozu0Dp'k8(Xxu6_5A(H˽@s7-!| Ow>A)x˟QUn,QWimyּ^[!x;D 0{u2RLJJ0݆*HrE+!=)>hm0CW;ʽRu`++1vP Fme .܅R͍UCMN{Ȃ]ۓqEI{׆%"p$|mџ+' 2fq )0%'H+AZy 0nNqVUBl>1a%Mg,q]\-!P}~81ma-حx^yBPBKb(қ};Krd`gd4%IENDB`fwbuilder-5.3.7/src/libgui/Icons/branch_25.png000066400000000000000000000024711303637203600211060ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڔV[lUNwJ6) rABRJ$LAKBMPI"Ky Rۥ{3uۓ{fϙ?3L#< ibb̘Nd,ATt ~jJ>ɋD7 \cǫv H'8F_RXFSs%lXoA"X,LÙyLLY&fD:f`1'gF,c3ʋk-b{fN,i N%ecXToR@p 9qկEwEQsjh$"4uP E ;H' S0w;RZuK? n~MR,AYEVՄGhzDRVc,UXunNˈ~M^D&mt JgD)Y…INێsuM)-^T(D%ǗljJ9! deXBɘʂ UKT(:&Fy< 8ÈK׆G1\m)K ,u$=׊3?§ű}P w鑜 SwSca1Vöup-gN-{,U4\A`)p>5IENDB`fwbuilder-5.3.7/src/libgui/Icons/branch_64.png000066400000000000000000000101461303637203600211070ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[[]G]U>~n;1qH gda0)Ȍ R猘O!!vb;hWo穚v{mm[\9]kvUYYk;dVrz_xQK"/S'F^= vcO,GL$Ef`F?n;۞_Ԋ{9@թѭP Ű@q9bP+S{~ud8Je1пH Aw}Bc "'Q8.\xIhSW'y? 
GK!⥥AUsM1|?-RMuΐG('.MF ϑQj:@*56Jp6}egVŅI_=k >ONq@o bPPDдoۤpk f]r_RA1>,9!GPHwJwRSUP'c h f H4ɿY5ؽgSoԾ![&={Mc>zRdcRpœ5߽W(k}e~o?D_L11>JHh|-8g88AQ+Ŀģ[ w5ǻw4 ŻkmD̽nH 8ILs> &,6~nmQ  ZEżFJ2~r^.#z"ٞH( tmd]p%!CN8DH_AXp`hp(nT.!`>Zu sլ&H(˾@ZS%7,fjSs7f IKTj9!ı O3VzW6o9 N9T2R"c=CAo\?h1ٌZBS@gh?C3޺B`MI#۫<ON0f'O^lNp0b$n8es-3):P:'uB tџ._B~k"c@=G=_1.BF!U(8"zΝye:&'g^&T}V|=`Us<G &"D\l-!i'n3* 3iޢB/9aOc}H{NMNv.{ovS~Ipyh%asu;Yw]sL $&U6rluc* =~8a6Fǥ@I:[( ][#J%@HjOQ]2-g &{Ն I9Ws697^"[Am)Oq쳆pcTD FO-àB0Vz WD'Nܫ9.4!Y}ˇKhEʶ {l1ZA՚Wʂ l@AX?a+<ܦ :E J#Mߋ൬BԾmһxL!!!M2IB1~ӕ$;q?P-wE[aZx>D⴦m}bh%dc75Z˷LG,d$kR{(?H,:)"F ʵһ6:BKН7. wf3^[Xnv@ō(=̈́_pL[ Id!s }W~8{߱QrW{ qi6Mn|ye!ZpA( {}db%_gh,5Lo?mƬ9RzA;sOsr`/+ѽۓ<S.}e_V!vi;fd3IJ[*~PJ[*,?D@ܮ:AL\vi}чʠCjߑKv!q'$Uù! 9!Sxk8GH|ԗߏ:Їu## C 4fU[h.8uHVB :H0t j>@ϭ'!vaL{eh8;ۋ&dCq/\dtf ZVc=Y"V9ʷu" R(&raO?I"rLNB"_ilA 8JeCw_p+018ҋ;jrMQYzsb:O9A݊  ikQx R"g)5_4ul.t/e1Եsݳ1d>!EmRiYաNOP?cjqu.r^)dukK뱡 2(d,úa">^ M3Ieh09מLB6! + V6̑1LS?sh7m _^_!\!XINc9աm/ IH\̜!l1?{%V>+'+cn‚0Tވm`sV'|0>|̞}L sc'F>lـbq gI1^K[T{ڛp.1<֯_jUC }F@ 3;gg$%l|8;=0/6Wuᗟn㎥hpԇ<%D3vI/IENDB`fwbuilder-5.3.7/src/libgui/Icons/cancel.png000066400000000000000000000007061303637203600205670ustar00rootroot00000000000000PNG  IHDR bKGDiBըIDATx=0_q2ݑܼw q+[@Llt 4Hi\%WOmqM3d'8{i1uQbXnѶ HХW>J= V8r JFk\@-6WkU3Ljjvpyk@Dh];R a^`>蓀d-|.Zfm؅EzTXtSoftwarexsPMLOMLLV033Q7070TH.,.t(-H,L/J|jx3zTXtSignaturex3HL1643H233J43JK447H57J66H42H$Q;IENDB`fwbuilder-5.3.7/src/libgui/Icons/cert_druid_logo.png000066400000000000000000000146501303637203600225110ustar00rootroot00000000000000PNG  IHDR@@iqgAMA|Q cHRMz%u0`:o3IDATxb?.L@Aـ٠b,Hjaz pz@8 O<K1?sA1/1'$@XP*Ȁmy[x.@< XJ @p0 *Ķ@C迈 N9E@5 Ď@, @,Ă e Ux beʖ+{f_VASgfbY,1 4 N @ XP]caao5;?|W?s'_Ι_Ww=翁aV;@ DEHvh 0a jxȮԌ%Wm?@;^~ݟǥ,'=.1@R0Z  ( F$ x_sW yw 3}iiyJʇv b-HA Xv()7 ɆO];_~x'w?Rm|Muq&61@R(H& ( &(V{_'/;a+v;84e 04M?Ʒ Ngg9)4@)Te FVR6?5`w͓?{/^!`$}µg?]paKs݁ #vUDl~ JVLTW馿~_y]o7L||`@qm;`-M?ooirHXE -HXV +`(6^k0EW9g ^O~Ҷ&_ PRxoӀsi?9kn.~c3@GH*@Y|&*`#@QM3#6=<%muTS~7_7io?ĥw:֩Hg?g+{?72 9W0@:W~@l~ RcZjܖPc`5LΕž :ryʗA |N}_ 
4ڧ}_lEr^r?HK_pb}HZQDj<A$ V}.A=sUZX}=Ma``X韁N e,WyDaa20@ T͏DJz{ А,?&=IcSu܏5 ]3? 韀'0`:g|W6PeH,}>q43@P T-ZX X̃5_Rc[` }vO7E-/m{){3?AȆaPtqqMoXV PPj2X"d%-WTx `#@ P[ 0O,~;/(Mc3%PWp #cP ,ET}Ln TS@f1Fу%wohM_@|0@ʠɀV0b#@LySn` wp[% )8@)AT;8٠ *@v]Ua^) dηϯ<7㿚,E|h (@6?1NyG (`k+0@)]_7'Ab0 o*?gN4/vLy?ʏ39$fXPHx{D3[@ԓ؟ 8H* :@$9x/ ?$.)׸z;0Su_khXK m{ d\Y 6x )`"@wЈx34P@eD30:[P禦-x u D,ڠ) ɥ`9}ۄ m fO࿴&qTI h@DLp@ 'a%&CԔI=8U@t=h &wA u,tGn-J) k;Yh.A48i Ǟ@2ZC5 1F@ jj{;5_!)y0= C<] Abc-R 2A]'/ k]-0=ZAY̺_\Lس@\Fj  b AXQo= 9PL7AGu`4 0O⢑ *`pS(uOyv&@gT1@Zx H MM=ρ1a!(34@&"RǑ=oBm#E ٵ; _keҒn2( #D@*> L/}zx-Ԑc&( G8L 8C(`)!aa(_߼?'x4^V 8L/֗S?qD7A=e7y Z {~  Y8++B0 N@i`@\qZK @YԘ&!abW `ovz`mY`01 2PCHZcDLcEB\Ymr#ː 4hl zJѠyʢlGx2`;0Ҳ#@>4@-A]@ fh!VNac_}/HV4!|f V<* A0u5Pσǵh )Ym"s~ b :AfT6G[p-%yhW<S-kU 5eQ- 9@vКK y8 P6]~ `X = ,0:@ x:4U kr9%wq62 z ȩ8lE?BE54Z%uHHȅ"( Y J %t`]6 l6ՏDL2vR@'0 &1@M&x` H%C`êxS@ |XAU!,"`3c |h ja`) BKRp_YD=π44g1l>Kȅ!( RQjPzn؇%PFr6cՏDL `$-aA @d1ikW9_%uW1>!D\PRe55Ȭ0(KAoɀh&G1 @y Ը::-bz -Zk'B"@ 05,=/%m*,bul (V]@lQk P_҅=4 @-1P ((0qpWPpoeW?8lKLag;r --|A q :h Pg@ȩEjbд4luD\)3Q@|/y#`vgX(06Dc u@\ATF 0 >"Dl l, )ÃR(v@S>PAcd`/h$tZ`?ٿOq ,鯃z P;`+G>ƒ9l~ Rf`* A#/BR)U #h P-y}յ|O^|ɲw/ ; Uh (߇1@ a#hê=F H l4T*Aj0 jH !P3􁑁7h FFF *1| tDZ ( X ,CN R0ԁBAA"Vh *@1 */@hxkdzD]<(%<=V͏Di` X@,j"gPT'"A=A4hy6؊qXǹ^ȵzary*A@ud Zz@ 1ePi j:E"T96R4Ȱ @.8AV6yVJVAyY,;F "ԠyMĠ4(p@I?͏4 ,pCil=ɛ #IENDB`fwbuilder-5.3.7/src/libgui/Icons/check.png000066400000000000000000000003361303637203600204160ustar00rootroot00000000000000PNG  IHDRH-bKGD pHYs  ~tIME *rtkIDATxQ CYG|HM1BҴ5cPȨ`fߴ%{%֎Yt ?$SԒ90r [O]}zՉ UIENDB`fwbuilder-5.3.7/src/libgui/Icons/classify_16.png000066400000000000000000000011321303637203600214570ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڔSkAk+)OJAh/*bzA^zѿ%7DH "4&ٝĭI>v޾y%bsy W2]FCIONj$aɠ5ە2@ƂhV\|rNyGZ0Bԡ+?E0t*5v+cھ{4P{Cg$mg,?߇Zb sfq)O.EɊ4U4k߰G<aQf:cKg6*Y#ڈ'd X)^T_DUY 97|.6H1z7]%Dq#Lߦ ŲJ,"R[u0 ise ,+!}}_ǣ@H]@bM9s' K.Ks%#S9:Hkޥ=M(7ń\𻃾w^ 
0?U)IENDB`fwbuilder-5.3.7/src/libgui/Icons/classify_25.png000066400000000000000000000030201303637203600214550ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڜVilTUfii-Eei˖R)DAm /$.D" ~-A`(""T X6N;yfSK|;e2EcL0s-Uy&$'LCЋA<I?LJNL#|W;foU&l# ' .~v;Bq "=ƉϿE/" >d/CmdfR?X'R$ LZ XbwNxU&*֟}܅%KySVfޖRq0˽Z&Ib7e\SNºE _^ZH/qn-o7(־):ϑm6 ҂ŰA7Ǡ􌕘`<(secC%{ P(Z45@^۬LسG##Bv3T'P\-wyŞysK='.2'̉%rƣ*5X/juHڅ#ECS߿5F0Nm6!iN{\?{䳕[<[ łNdJ ;^8|nNaS#]HQ0 hЀLI6?뛡:&$<&e " -$:Zg+MdA  P9Bt?t"[(X V,Ed!MԠiMa @DIDBSj6AGHYK":d3O!Vr~# FE 4>)'4&q_ z' aD bIO0HsS_&[75PSN-m_^]I$ \52}?*}UKG| z߱'n8/mzc6uҙѲs٧ԑ`$G=tfm>u>@{69D"E冦5ۚf!7xvF~.m~ ]O_;17@)=YW?wg_ͯzZ9""~@͙.E֖ 8%7"!{ bwZscqӽ"MapT45Q?衎1bǐ=IyQu5p _X-!#E@$ag]wE "cL A ԯr쩌:%V.$'hQ)A nQK m=RaTS,Po8rH%,YCω*v0Z7r-٪=Ƃf~:SY=uMWPեǭO:&?vRy$a^|;TO|G/))J kK`Vi|e򸫜ԧROr2'2'EWܰ>1-Uۥ  IENDB`fwbuilder-5.3.7/src/libgui/Icons/classify_64.png000066400000000000000000000071221303637203600214670ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< IDATx[{p\Uν&mg6N R"ce|"8 DqQQ!fԶGڴiνmMR83ww*}XKe'el.Ac!5n6ӈbepe@j9D"dtBn 8/pWw6u""7r{C!е1]Y wR[;HyxC[;Md+U[ ]peP<S)?n2cG#tyk7`mO@w{7xHp`dyY^Iqso$|e$$w׿]u>pؼs]hZG2AlZ"2A _л_|ږ^/>hd?O#&'["<|뤻}98q ;d#DM&l+jket)j[[+Gs_l]iBɓ={ :{ xR+>k'KɊ-@~@b.D ~}7C/O+p3jQ8lE2brMk:ѱh^k1c(ycH, *v' R) t媦վv ' ";<'t g"a暦&f @nLU;=z}5P.Q?Dai' m{T=7(zT˽/%vP23teYmvt#72PHs K w 4f#{ryH94˰eft5waYS\3!F4DC669r9K LLZn8m S@!j i3;C#E܍#CGʂ?Xٵ,No&ol5{7n@Kw7@(}#/iQ4D,su*$B dUg>~XnG12G()C|-%8U{#W-G ^< xlE$6 rR&VN[ʕ p9UHȍ'w+k3½Qnlٵ͍ %pr~$< EM;=d`.֠|t#MB%yYY^Yr4PD@kخԀz,;Rw| ^" Q/ȃEӬA[zsÊOL tU*|jՇtt$A $IJq 9r(u$jȦZ,E$r{`m}:SAP5j.@fAe)uʃnN!FFe:|YhZMa b9>x"Lj7(|P|%.0wوn 6\^3TۧǙr>JL_Jzֹ1u,($YWh@^d[ff#zߟn .=s/>CL܋$\5ǖXʝ@ Wbĩ樂2Ne̕B@fVZiB?T˒YH@id$K_*f;Ykɴ?Ii` _ޓwQ>GϖT k.|ucD'h gh|ߕW8GŠ '08'f4+T3WBi <櫣tSRFsׄ )HOie;k Kς|:O=5Ht;O& :K?#4Mrӫ5;d\|U?¥F=b "pՂi؟H57su,8 T7_}s_U  aW=Hʺ⺨_ټD`а}usv=Y@F\R6 R{mgzJuۿjxv:}j|sֶr}YzaP`j-h]wɳ`<ʙE0v[OC;}m dH6H8Hi>Wge~0b3;[`S\S)S)$v[._W5 a0۱3]6.tO; Z&gMcF$Hk߃[qƃo/,p|\䮯mFjZB5R{^u HL7mfd&X~[nXQ HcDR:_"5r9׺ZmR2 
z^XHB$D]$L!w1y4aY6chY0ZB:q^>C,.V`p꺓PrN|@'t08!Vk}b&B=cU 59|H4.[$AU Cƒ1}6Z(TOy$l52}C"p,3{'R4tNcU{KV婔 } AΊU 1IټI+XH`|)il[~0$K`thɬgM R,)#hWG0Oy' `\㏿1Q"u~ yr9Ztp6HҖE/of^|5b %*/-哘w m?k\3]+ %e~M ##:,7XO.eMm ^c SX 诅ĄKDZCԏQ4Ͼ,I(]T=2 Q Q Ν=YW.¼\ɓx 1*-7UlZT1f!`_`ٻIENDB`fwbuilder-5.3.7/src/libgui/Icons/clock-group-neg_16.png000066400000000000000000000015671303637203600226520ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxt]HQuUiˬADeHb" * CL%dᅔhYA%eUkʯ\p}wᅭ;CBsxNJ"Y~yYeZa C^=|>3$HӘ"7 jd!uql1]Rkɨ8y-pX`U~A [2dW"l* &&&TaC;@[q/ uH)+&p8\ J\ '^:m]R#4u J'bp\%X6DB(B0ˉ<*rp}}==0O; -C*Ch^KpdFKK3FII)=I)!n|@4D pdv8{YDX٥ 0)e0X Khα18(w.VUŊeiiȩ*ϕ` ~xlF9儚cerjM/@I(dl λ?|R4F`l_|⧬N e2\ M*ah0|^غ_ؼ4ӼׯbY2k}y{1=8Œs:!If&!,O!# exLCeu&Sr U\})>-d t:DHT45 :UX[OQJgtC/`*q4% DQ8$rkTش2 k!3,uUWq'Ac{x./* V ͛4زdHtڙqx|y1i[\3I _"C%0xg'FRŃiD#adY 2R͛"G-6ݒL!2LW .ZTTq#fL&,ZM`Ĺ(dObQ.uZ:+ǀ3!S1bUU ]T!䝩QPZ= |E+(ҷ 1NbIPLɷlUq;04oN&)k#&aBڵg nZh(/X g{IsF>i oV5ec]cc9ETfq5`N) &$5~0c!T)z$(y{ BjP5;Ng#\x51zX;bD3F8F8EnzkWRf cLRa~()qyM/&q,@h! ܇ڊ?Ϝ]pAQ ٪(O0? tԮ4<{#ҬY}XBbRd|wHp_rw&>v\#.ƲTM'qeӦǥot[:3 &THrEʽx$! ,!($vWt!EFˤٵsxQSo;J[]2Doy˖+pk !#+}?sKIɰRc+MVro E{ +z(rLEP7RYC:of}Ȋ9H. 
;X ]ycQ_/+ye;b›ňYw~c,*]iǢO֥.Z30"aAEᰰ \%wcG,SF/Y6"EFFd3 EVT(x$s#áW]O'?;ۄo*9^<σS<8 I:.@\ɿcM]{ W^z/='exD+p8˅X,Ffpuhxӊ2|@',|=/0t%'i Xe"F0D < zmGK( xQli_SENcGbH2$Ip/-cm C00&@e2#L '!J e)!ʏqnp<xP4 9E PaPKsiQ[C0>Fϯ+ȉp" ٌ ALK?iz2 =[൧O^Q_z/rMdN |v^M]]423䋋5G6~V…/4(o`MC@ϸa1`N%2ȲѱT|).rXL1A.!@r&"DƁqL߈IvCtE!X{ѠXug;QQ|xttt[|҉E ()Ys-Wo EQDmm-wŔ4HEȔg=zq蒳c{vvbee###Agggiaa!ipSTWn~iITTTmmmohh4ׇ'm76ڳiX4^jʴThybzzN݄((Ձqm0L.ߕѱ7HkqqQ{Qyyy|տb`Z]gdD[Vpb̲[ӄ5IMM2335gSS{a&l+Eڿ 64dقIENDB`fwbuilder-5.3.7/src/libgui/Icons/clock-group_16.png000066400000000000000000000015431303637203600220750ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxtILQ3f:mŘF.nT\Ƹƣ4(bśA&`B@+ՈRV%]Nqʁ)_./{QbX0x&$gDQJ" |ɡnmXƶl`PVCK7W!|5"k+YZƇ۫hU3N?Wo"nϺMRm:E= %feE@8]+ 9gc"ahȋX<[N*,9fFNS1iXU &|>?8BIśz۷TZV(v0 QbJCMǛԄ=e.ҫ_)׵@PȆ'gcXkž$!c8sa!H.6V0B<;ҩ4n7"&, Uv#Q<}/9'ko_j9KyE)ՄEWIP4 e3#8GW_oR(cHXL`YIF^a/N\w#c2y1&AvދsgMDxp: v3b` C¬x!R\veu+`s,D]]5F~ 0(azZveAnkvrzKi,^Ha,v@ADF9 ( .Q4ӳUdɿRŚs} 4?NF qIENDB`fwbuilder-5.3.7/src/libgui/Icons/clock-group_25.png000066400000000000000000000023671303637203600221020ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴhu~ݏ~5wM7ݚIiH"pL[!abAL!hj`dRQa,H I#E-r7vw<X^aC;/#yW4_5U9&pNq2[Ŧ:pø1>Gc2,8`€- By\MWJw4΀&z)ǾlTiCNigҴ d*vGO~N_C$1*r;* i:;;X; JCGKYS9GɥdP#Lm ;3<ۢK}[(*1QB L}\lyJ`vp"M!#)o^LX,_`mJt\IENDB`fwbuilder-5.3.7/src/libgui/Icons/clock-group_64.png000066400000000000000000000126431303637203600221030ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<EIDATx[y\qw͹3{+t+@9J؎ 6)TQ?LىM$P)e q:v+1_ߛ .)fgg믻V??̃e#!jho>YcNSH%ihD턕r5S[ epz?MځF~ӻ+gLKfM:6zVyaHnHCvw58ov3_7i˄VҤ(f% "C'`pxV}+~HQWټ'nYzA뀓yy^ԚXTB'+ +J[ m {kW*.%Kh+vke*y++ִY飲)-IZd4x`'LJ ([ƝrHt섂Cnёغ~շ*?~%wxѱs{:Ӳy=?`[y.{sy%iL@A7?|0(A ϽZ~g+/|ˏʯlM:R2UV <"@w"2L,?АHJY{Hc5NJ?8#+;a|W2^3 9ظ]()4&iH{xFE;ANF֤0iM 弌$HH+>R S}CY2'zҨQwsA^~ڴiuwЂ *op1AȤIl b6 Q݁/K{2zoa5{Dds7`EDLa8<cD_1D;b- D#2k|' >7s١3G uKK̦LҡrA/;rrJrGci.?D fikYڲ&b@H\9.)ΟRp7ٴ!lo6YOWF&hD|蛕>II4 /".fq6<$0R<-\/?|%e(Bu=9h~9Ә1{h"͝Yv#Mn*y؎11TNqp;DC%qGr 
%R9s?9aidAܹzȶ梊$;稈8LW!Hڑ!~tsY{>]/" Bam1)WtjIu@g=1@DyRm^=b f0@o+P'S `(!&G^;IWm֢ވ~BZH8ӎE]."LO*tZy>.aJO[UO]1Z*~ m#DεQ@qd `1_C vabPuOmCb1mUQ I2֎1' %'k34%w2ƳL<nMoAZ_ovpU]5D٪ `C7G=v7b>t vPԘȹQirXRңJNze.Y4rۨ#}T9ßiRQiA aEd[ʬHb3>JΩǷ~<% Ru+Vr $*F>; N?@39(qp2hƛl`FØ`7q Hիe=i'MqKGrOu˗?PantRr#+т 'Glv.Leb8"=#~3uဧzRZ}eԚ7h`рCCPp=^})}o~yawMxP 2QR R Fdg&+˸/ͭ9ŜZ](Sưu'56:đdVoN}}}TJ pFwDsSˆJ]fX2 `ȈO zM:ꨥiÆnm۶˅#8 6ڨed.6QTbn'E]Lj7~y-feomU$̮F~D?S̵W-K{>e83GrS 2,)F\pSfb:ћTO34bk Xxo_/]f ͞=W^viz =)s:P&߅G{R>JշZz(M@?w `Eɶ|\/d^pЃb |m_1 T9_^{ۧid?hxFnK4)9{O` j6&&DZ4;^t۽.%G̲ChF|sȈ*l@ wF&(9F {]XVr!ftYq< VC')ӠF} 7 Nf|0}+:jvx{ BNR2V}*w}!^cN@irJp>qރTkD8 1f'B闙Oʜ7575*?J΋tԆd(L_N㕋U9FJ-k} r |R&:;vDW 𚂼*9HSՆsqk OA H-#أㅣJpկ9}&gZAN-cn:*#Jh!p‰aE1Qrhw|)4P8Pm>>AxRzFqƍE]Gm=hq]'qLc>#݊ ³IU=Qj.$ZT#KQP@ǵ.9*&8._')UrGtZGoE~&}:XK 0Eqr9ۚWRZ٘e%#&Tr6(Zx?֭R08#PXÁ ^{iq~+8q`ժSrN&Υ{ڀ1JK24-6|La%L֡q%nb4UH[oӻiKFFcst֍oF}QXH6m@ʕtw7.^?70Z ^Ft[Wm~'zR3'^&ήN~)%箻k_.Ϝ`&YN) MG+'z `pR5f{Zu㓜kpNϙ.㋙t9gwE3gB^.";G|֎4ePO%0uvɺ+9>=T.TS#׼NDf6iވɯFJ@Zث1ucҕIugw @(A2j@~Ƅz ǜ0%gi55FWr8 : h|CL?f蕋C5*WTt4VziKn qTWJmRIw;=5iN c.UPFcc F*IZkr#-8덾q+9+%xTX@s>JΤ;[KOuBoWc!߸w=Z}&'Fjqk B;F9t-7Dz.^'(9x&(9Q{$2{LlwnAMco ؘ o]n~ 'mV?8 %B>>7( +l(Gu%/["c#jPr쏦.q)Cd&0R҉ } z7iu0ok4_+Zuv$y gL3eq[{>LO0XZ@ 8aALdJ'[Go^g_i|RW8_saH1S^ %g]co#ncfYveJ*f폥oV좴˟?Ǣ%tVH6.ZJLJDXGha*uYFUŦ\enP(005$ynl<78<$o<%s@u@l ]y!@46DF|_gwfE·}t{m0u-|-/afo;S9x\*mڑVBɵ fOTa y@5̩n'Y|IENDB`fwbuilder-5.3.7/src/libgui/Icons/clock-neg_16.png000066400000000000000000000015151303637203600215110ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATx|KhQ#3I&M+Ƣ_WHB\M\;Aq!J}"Ph*TqR҇MNNf&3s6TQp/wΙbU12'·s!qLAZzg(tN"vK\B>"b0+@7)tB|fjZ{heswV:.ӆHZETϢ"dA]"ގxC0kx=5hLj=# -rؾ勈E%4%8G–4m u|IJ4]؋tS!i Nq/BX[< 6,Bo%ض2亮'bBuoO!>H~?ΝBTBDA5A@˰eY@4| ,AE( 9z kHYA!B@U\SfYEA/`Xc#n/.@^\ؙLs, y JT^yn:#@Vi2KGGб;eJ2 SDq``d==x7jo ,~r@ņߋ\A$rK'HeK% b|x? 
y6Fڴ?R?c+leԡԬuQm<).M"aѻwb*#oah (wI ITjg2 I+.wu4M bBM(ʤ8 ah8q8*Պ46t"#ԕ='D]aXZd]"`D$ ۗ_mZ2}=E2J$"3AdN5MF)iAq ؖ%3ee塈c8y_!J}riLM* SRTiE6\rJK5MRpk59ҍ_`)B(i߲q144$AӧOܹsr t .Le)U_NeO#7P@Z=ѮJ>޽N={nDSK^^~0K! C ^y~OzlbbBv$yŋ8p$YȥӤu`Jt&qӤФ I.D`||7oFZšCP,$ CΒtRC-2;am[(o"i(N(`$Md8p^CpFz 5XIJwƆgxmC B.P-BO0+栱NFmA 0J6'-\qnˁF-e70ޛGsɞ]U>ox(}p<Ԥ=ssxUAj1̌S$~Δq꼁`mu0=19>aшou,l7 ,/౹At@ ]tQps 1<"Y.ԦZB m|LޙzrOWMLd/jD0[`Yc~} ,+̼P& wg`*CSId yZ,RrRQLz=)EBu.t'/4166tD\!]G^p(h8g f+-enś ҾM͒ HON r۲0X PU.#s$T2>ȱ:HAq0 R6II`eaxxXDf"DTN@0*0 "u(5+|>v lڔj4#8(< 鎮575AeS ARm)"jdRV6shl2sVI"p"ࠚP,bH\M T@Ȯi (~iۇ|>˞h*8XS/Ŏڲ.UQ;`AK\%^n7ޱb2C46s\+8G⡡ aB(A244T*[klZA>^"ͭT3λzL hi ྀXDS>lݺUcǎaؾ}T$=0?&Q(o*5-aTR ' Çc͢/n_6.\K(MHPɡg!Hp^:;=-YD4݌"x<Bo'DKɬ % :m hPG!8 Rىn56$ʿҬ>}d@1I%c,ڹpo7VӻbxpAYgD2|~W6?%b1<"::: K.hwX$R+[sh۟_SRO ҃ʵ5|FQ|ʽGh7IENDB`fwbuilder-5.3.7/src/libgui/Icons/clock_16.png000066400000000000000000000016571303637203600207510ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<QIDATxTSOƯ7MlҘT[M[׭',"RRD=^O"PA$*"He"lw[VtM6d6y}Ib|}c^>kLzJJ1t v w< xe%_LD#[w !I2w iY!Vubf$~C'ݓw]7| C(nFjA'N̥kgF\>x6/KCUP2&xRmMlC=O52GRB8);}@3U)Hk ~ʵJNSMyr:qNHa7Db^76]zv ^IENDB`fwbuilder-5.3.7/src/libgui/Icons/clock_25.png000066400000000000000000000033551303637203600207460ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڄV]lW=sٝݙ{ko Ѻ$ROH x$J@} T¨0>6^$_Ao2C{p JNb5nCsAs|f6l3Ȗ/T2BZ>ve:P_V n/ VZ׎NwLflv,$J=- pZID4"]CQkqcnocCB_oP'3.&| YK@O zַ\^֍E ~ՅgjUot}]>{2| AbtD^gJ2&-vy;(E?hqgScy8?ت6^ֶ@Dw\'YQIu  uD ň NO>e"1N0J bu+ZBU pZ/}DN%&Ezx^}W+8 9'|ouv/2H'NyRbζ!w} *3~{(48EgZGԲ)ByL}T%c6LC$D^`mm !kDa marxH!l0Ȋ6y#(1p( vjhlm !8\Cl VCIҥ .HQn!'X8<6P% .H`tW8GԥJ&_$5f$4Z,3{.։@ 8~)$c\R۔QDZMn6Vh>AW6,B2ϣYUm0bBzl.E7b ֆpqcrEfhIT&&Oҋ/qNfdD"*uS-5٪98g $"NxS/$e3gv˥r37\0\3!ꨧrش#ܞ^A>Dn bIDFwA:GC6Z ?CH&9T%*luzrH푾NQ:w>"1ThQ+aED~N+^pDehpwwժ>SWAUdaA Mds=yd0 !%#QFnG|/mX4q~;ըɩ5#|U;ARk$+FV졄Q. d1ҁha aOdܢ!wC))YMOYO)T. 
Xĩ޹D~ ?{.DP ]脩F~/֔-ߦC)`wӶ^Qȳ5 L_L_xQjр:L cX'#F o*ģ>w5|N 0nFsck ?s8%L$| uGiu^asQ''<|'x#b0Lߓ5IT]As#ݫ[Ąt:D}*YRbQy ZTʳ{hEˣ{Btʄ"jBb8pfjO B3FBVw^7@4*!֍bb4]F fLzBwx"9;H,Q*j g0 vq;rsCoΌ!iutū??oVr=Sz^]8B8(1@E,2KzIS,j%wZFAqb Y&) %~3 N E zHi NEAH[8'e Q(4~"I oWlvU +<ݘepwvQ`%Em@tTq(Ԅn4 0eSwLOFJfeCЕ% c!Tx L$K18asߜڬI"K$uco<4j_vߧ+*S&m[w^X`!\o񽰼t2,2.sc%x=b wg> ?@QPCYz}poTCZJ׏#-n;ũKL"25F[CKJ`RXc%lvgNdG vQ3Elyʅ~”9#˜$b+=߇|嫰r8Yn6<Ó5+6S5S$x4*||ZrD"$й¨B]I iHq;Γ*h͚>QY‹;ztf< s+:iJ1\y>\r%p-߄KΝ;U?1HSi'|bWh AJdKԆH>f_p6HMXfu2lLvUTrgȉ-T>y~ѢEpͷ>aFÝw ~;Oa:ԵT)yRtCWaV%nXjsϽpꩧž=KWžB8(5OC+ ?sA8P  uny{I}rKH>e"=@4<gԆI^r<-MvDw%b(q 0-Xj?.rٶܯ%2ڟֆj .L'Eg8BY7mmL 9SNL+ ~LvÆ `, PU0wB$*'8QB(oժo'<\m 1>F^Pp}M -uv[_9FZA2 B06hs>عܻ+2Y! _IIҖ{<M$dJ4ܛjvP"܃?\N ڻlv-ye!3S%Z+g-veN0n!~5Wg-\6b[n3TMC23~eT[;>,^~yo/}";kG6N&t6CMA%pg:Š7m7oR0Y1Kl_mnc)}L|^z R6]xڃ*)Z[C4J>DÓAb{5*2Tby$Jk?|!cvI-f;36[Zo޺u'Xm lG__> /wvC!$]m7]:v+N`%+o =ɖT!Fͭ5@^Rܶ(3ށ/< <zann63I)0r0nKLWl얧n8UADFLm؅+Ҝjj &<80ޫ0]-h9jX% .n~H CB(-# mB `l,0ƛ'l!\GxP'S:6)n(`% ?宣wRUƗkèg0) H`n{̤ &'T‘$m^R'}ϏN+`e;8G_[6;+S@O߃D~(zڮNY2lUZh ]fW*7uq~S#9:%-܋krn"NFK M(Uq %c㚞Y Pa  l]+֣`|cǼ굪<'| mEW뉆եgySD|:3sɟ?z30? %(\3Q~TB[ :((;6#xB? 
0.4w IENDB`fwbuilder-5.3.7/src/libgui/Icons/close.png000066400000000000000000000003151303637203600204430ustar00rootroot00000000000000PNG  IHDRw=bKGD pHYs  ~tIME +gZIDATx; CY'S`17F IHhtf,hHϡ7L*+ NC `E|Io45IENDB`fwbuilder-5.3.7/src/libgui/Icons/cluster-neg_16.png000066400000000000000000000016661303637203600221060ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<XIDATxlS[lE]lfCQ(r3-!QM[F#&bI+EX%`Vm^ .qғ̜&Ľ#!Qt@|\eUƬX4]ʃm*uT+VY)W[Ҙ`BS .ٞ1LYQp #, QeJüriL8 ODQ;-+(],0W=SޕJd[\[i,N-R[wBMO`smpo'B(Tg~5\SEgg?ZOlmuՉ= {ɓVԄ QAS/:\Ov+ҦގdQ4}s.*zΕf })mms3i80MMۿwn@hj:M P]N觗1x!}ܲ-.bEu5DH W *|)#rueٷE~l s4Bbts{̝}և9YP^@^ >2t"{]/]B]nFj# (_O.3WDa|uص aLžA'q1|EE(:aΑyK$rta,d2Xf v:mmm0J!=Z;Y["uǃY-Z[[01.Jwh}뽽ǭme$ݝ┖hl|wrMfmɵx}Nyjg%cK ?OKqnNw~lIENDB`fwbuilder-5.3.7/src/libgui/Icons/cluster-neg_25.png000066400000000000000000000027531303637203600221040ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڤ lE3wAP@Z1E "F@01i@jD&V"F `b)"mxH$G`zl-Ĺ|{o{OBq2UeSASa]~ N6lh&BSبX =lA  k { )0:#ӡ`„i s;Tx_0uEV$#aܱ )Lv`KCB8@ZtBЇhE:AFi !#ISLF߃väL7t g0(˶!J6L;-3ZEGAP0LI5S[+G"ț?pP:[hknjKˁ{\k,8fpʑA' $EMB}Sw/l}8Fmӓ A]6?u #Yh]?nPߎAC0X]h -m-݋Kȑalϙ3 7Ia59w]:Hu)Pえ 6\? Cw~ޫ!=;Rf TR)j ƻڤ4 o RRpϵv7'K$^.&فptئYս`qe&wɧS3Yz IHI01! 麹ȑik#) `˾f]m-3h~YBv'u:';D{6ҹ>H˪8\ c?\;`Rba tn3ȹ[zۏ{4~jy&':ܤ0E{C`GASclL<1EDgYde@GklsFne \  HOnhV;l=6ۅ YOqսƽpLVtEHB$9 :;/ny&]٘c:VESLz`ii +++ԖwhKcMw:2m߈xyٳu:ƒ!Üa1JP3ײdvvǏfqq^WC\_},Cv') Jy [Ꚙ@Phaddf4::d2/V]<@iϭGɯ]ojuy9!AE `MOO[Ο?9VmܶsT0eHh6I{*EfMNN"ayyIǥb r_:b0g槬FMQ*0<58b`-v&YI(m\b0:I*x2&8&{=$3bkoXbk1 x%=K9+\XZ"E-I! 
o"z1=2|dr I} 2:#DY/۴mɇ$tҡ2c(0Z%ˌnqcQ&ؖEV{zd3-?Y7(E,n-J?Bؾ]6N@8p~ŵf+M# DɩW :\L%'.]6㧭(>؊y{5}v`LuJlZ9[?mդVȡ'Og}68sr^Fg?{z{BUˍ~!vv}0+t v7t7Nĺ<0l,zy=p96-fFKNW({՜b}i-x3|5]/NU 3[F7¯w( |m:SP)Idfk&"ppU#:fv}X:Rw:9(P'(!`XlkD+Y;bG kb9D-aceR8">V=Ga8}xƥp;[YDm+N\㥽`iw#[ LWÍK6+j7W2Q}isw"umc ,q OgS,ALV\LNvAs=6jWc\X=Yu/p#9^iEg]:lagT:#ίMʬs\PlF|7v*zo$k|&j13$-ƁfvI4xA &t_+I.h/d6k”v3tcٽҌ ˚ЈW T.~=>J{6 Qd l mF$S1x\,oY֯ӞNEX8VM<@IENDB`fwbuilder-5.3.7/src/libgui/Icons/cluster_64.png000066400000000000000000000131341303637203600213330ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[k$U>VU?3;w^{#!R ?(B@ JODDď $# ![&N^x׻ytO}UkFm][U{wsΝ#/i?L4"V$yVv!'"-liQȲRT}pUŜ(Zp[6|0 ny`xrP2\O8.oG1q!pߗ g yXkE>D|_PRF3"-|V߿οı3jCj  <8 n$ u"{Fޭ5cdfU1f̷XD +fƫ"]# Noge\[>#cU@䅈2- {r*\x \Cd@(ʌCX`Idl*v1c 84 '%fa1"qa,\q!wy3|F,hcqC| yS݂lKHqLѲ* \Bʮ,zEkW0W7DNnj( G([Mp<{ǔȉ\7]"XҸ^jf,+1ʉJ0\+3^Z72 *Z$;Ibrs,cVox]"d}srk6)/ǹ)YU1gE$F+,MXs4#=6i197jy=wW+I3m'RIh$ۣaE3x+ 1Rw4[u*D㓝SU7W0VGickUc) kJQY,,Hfj =qR+-]otUG)ril+t>w.74(& Q׮!+Moϕp3ad ž2W/\ʠU_f}Zg_="nhU0Y_Z,4ȁ2炊ș inJ E D&$ 4D^}+B.oLw3gΙM%b -,BGhLn>-Jb_6!~pEA(Y6HLV ߩQ́vTW[J"W MAzz>\N7$zc"V!:\S T^ElX{At#0ˎc)oX.=1LLf$&Wv*Oqץ5qJ~ ǟnD/[[s1ZypTW0š G^nls 2lY!LLZߪG`QId~-eIkMAp:7y튳Z{SC2II)~$?qe /ٟTϱ 9C ؽ~j]R~Z KM|QE./lR-+%lɓ|p=%#@mzEl=u CjU75V,bFM$n-Ctʻ8j-UqEҵ*Z5E q)mGDRViu(a`! ܞJ^pi+gvL2\,?L]VTհȥ5$A9FЀ x'H.C+fY=.2B_>aG*".8e@0~)'\@="㗌M[~/bUx {۴Km*yRw=1c2&}2cW-o$-Y M9G|g|ʰJN Jږ|cS`*R2RNZzZ(Ɩo;~ZBLKK]ᇮe ݊eh uNTLh6U|ҭY ǣH 7%*«*0Q !h-uSY3;)ȶW0VUN›琖.zhWT;P:F-VݹCKrQ$0]Qps#Uwz KM 8 +dL W\B;+)@)_l(BBW[[՜:Wpg mtVܗWc\.ׅ7Pdv?U7zީȖe=sMVvyͿ0D.#p5X)(2Z! 
ѮJ}U-ft-̰ΆSP9Ⳬ>v%<ɨʱzޯɻ[]FQlҕ؃`=ӤXmRPC1Lm@J)Fqfk2ُvpfYv<>T .~뀕8t~AN$*bk<U+Ռ~cjw"#Nrh)]Z\ m#7MkRIjpMr 5-+UWFYHطK0kc}͵ЌTR ;:$?e?hvBtWW&Y-g2r@ S|z~Ĺ~^ձ͝TfB.g8Uk ,ʋ-w%|lZN:0ev=Mv{sQC3Q«]*`vqż۱]7ֳAvzTٿ{u*#Nˠ K]x䷮$ z*ISo9u>Qwi.o} \iSqPlQ1S߁(& ]j{IM IVgHw k\>ᏽSk–xw|~cNUS/@n6b_߼KpBNIENDB`fwbuilder-5.3.7/src/libgui/Icons/compile_16.png000066400000000000000000000012441303637203600212760ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<FIDATxbfdddaae"~~?h-P+, ?CCĔM2rr >Ͻ@  `ddT_S/'g-mBWϺCG1032bea}_+# &;;o@Ђp2df|^Kjgbf`bac` \{O6AA/stT˂,_zsΟٳE3fL[d[l\s^8sW6C8%(mI&hne_^|wwfcF7٩_ϼl@/3׿p/ed5biXɕAa1̧wHH@G1oo8]kO3,_=xCc Gs͘6$o[AFVbR#n6h e]"&4S]?А,~(`f#7gfC4͂ir2z%A|Q гbIENDB`fwbuilder-5.3.7/src/libgui/Icons/compile_25.png000066400000000000000000000021121303637203600212710ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxbd x *P#d yK[;R-]? yg<}U; ٖ03'&LQVUSp+oܾqϟ; @ 33sJjLEeU#Ǐ1abbrHHJ` `x^r-`zGNSUWW=pãGdr\԰ʺZGO_dGX2(( ɵJ z_r j N R/]ao$[{36v>|~@_??crsw;wÇlPs]SШֶUU)PJC}p?xt")v0}bgh4W?P;˞>~F)4,dj[g$۷oַWkZf{l M^1($p݇{7y- 7~g-PS!;{EPݺsodu-,a$1:{NDX^?C!ƽԠk=k k{3+692\hWAL n\"}kp-{?ê͎ <}-z)~z_{~G>G@Ϳ,gEL'!+n ]`=~agnFS) 0]8zsТ `^ 'OH~L,k)e8s= 1}s+Ek0On-E[x%ߓ FE>z Ƶ\AD% pDLi = 6R?dI{ؾniPBRG/2v>;\ ^MbIENDB`fwbuilder-5.3.7/src/libgui/Icons/continue_16.png000066400000000000000000000013771303637203600215010ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxTS=oAݳYGVX*) - A_$SPX &QX%MD"i(REAٱ}gߝ}ٳiΛI\4R;'8;k6_o$vvvJlv38&?h2h4n?j wR|Z\\0MS1aRF ㈮~_Qq "\.C\.Ga而{)tʤjJM_\oQ:'1+d $5pP qjGGGAt Ԕ9j&@L%>WWHb/,꩹,A*`?%eB U I-c$%IO X,+(aQkt@HTVp"~\M=|1,\ϣ}@T`L+z~x<>ZVJjڬU)I kZYd53Q~Fx`B!Z86/3lM&y33[eZ+L&3j2(fD8} Nz^.Pq%+M0^K^1mmmƠBX<& ωxS~FFѾ0Tz '"ױbi0IENDB`fwbuilder-5.3.7/src/libgui/Icons/continue_25.png000066400000000000000000000024701303637203600214740ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڌV;lUެ׿ )!HJiQ@AAAGEȦt [ ŲS" RDА873ޛJ 뽞ٷsϹY/"9r߿k}&N*JVv7`?c{ d}}RCp|J+%JkQSnv$jEN ol D9 b!,qT590ښdxxH 
&<}VKNV@WlR.3I !<aJ>www*kkk~%E!Wq &Jo)JҒNIX : Kȅqd"4 ##G(ls{S~J|aucz||"K5DkEdӱ#*@\*=4@@a&<A2(ҰeUP(H>;j6')׫Dd :ĉgыu{eh'U=qptD!N,0⊀r 胁yA3!I.D= GhA;tE gz*O%y,5sd|dxLa%x }~A2dMP6T,}0)h FDsȈu|1({wT,`>Q]̷RtW;yK@pri Ðבah7W^ Ipr^-;eC-9j6MDiM ((t< 2T󆃐MZjdJKs`͇f=G \.WA|혐o$|u{̂F/]SKKKwAt,$W|Qs_ۄǞeWva KfqqqGF⏇G'SQ>0Iktjx~ř#\)aҍoCr}ӈK8d?T֗;<(|dtt02hoͷ}ҖQD@,}:77wgh|!?Y,>!ٌa`oȷ`¤59@^K333WkO4~Ow3].aIM7sZ--~O2 +h#>߄_XXuUIENDB`fwbuilder-5.3.7/src/libgui/Icons/continue_64.png000066400000000000000000000126221303637203600214770ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<4IDATx[{q?ܻ{]z했P"*/*23=J0sE yjCh+AӿSTxĀxw,< 1&tB#$]$7Q7FX!BRPoC3c${o );y;:: .|^bYpF@qd`m`|Aj"#6:.$?%^aĉpsFȣm`}`1L-S]ȡYbJ/|;UxMׁ'9<"rq[h)fpxފ!(}/y^hӠ6 z%"8,X˅g|rL da8Ҽ!HJxIqD\5@x½YS:DlpF/ٳgo]H@4v7+Պ1V}2k2BEkJ88'YU@$<w߿B @ۉ6$8hl$:N> *JQ.ol+ ,ġx/#=5WbcP` /;8#e'DMO4Y>$ۛ$bV D-'?je Pvg۷ά[ݻw_TՑ@{/Z ]qo[ (4,)%0Pq> ј,\pG3-?P&k_4R`M"WH\ 0} >wkBCp/ͭ>S@ޤ`㦕.(3SXy J:8(`b(SQA )nL+HZsqk9I2@B0AsID2wwgKz-O>[}c=Z^&E 9>jM$'6.| veBS\ do?j`y,UȠ=" *WAQEs`ڴ|S+DݱyQi",fC 3Py%`זaP]E{rQ(TFHVCfncS-e6 :HΦ Q5Y/R0hAqO{{xR͡ŭzXI:2BeC$Y&Lg=Sj/֧ܙ229bt2cf@ &ұ ز ] k`3TUe~^u S7\zq2 B=},+aO-j߁DiUd0TTCPfq7lUJ{Zc!4l,blEי! B( 7Y ;Fɋ;:zp}Չru^%:+@J{`*EXՃEMK}zb#04#7qjDXڄvQ:(3%|8 J T\FZ c̃ﬔ.iκ,jDz0 DʼnP( B*K+ [ʙ5' E~/$q/\l8G𠼅2*ڰ 6P()`XNյ*32 詞êh<ϳ,5M 4Z>Nq rN!F lB&(  jN.WbsRqTдУ1&76JUANkF YrV6V)_ 3" c xp=X"l-RQGP^8T7V=)X{YO|ߊ XQ&F6qv*~D$AXC"b86EZt#hHs_4}FWuFu z'2YדՖ\>U-G8 Rc UMhT.㶖F="*BfBOs.Oi6(!"ВDi)nv0jk;QXb@iiyW DX:VgeL?GuߡBkn2GTݜͦIf !K7=sS|ڼR 8Džn k^L"z4hT1%³k&m NiDD^ %DD?F u]\?PE bAexeAYzCzF$[4DO՟&c7K6Aި!%(c`N i-8\Tw vuƿa .(W@UTjx r%cyhJj%,O*J.o9nx98xhT{̙Y3.Fkoo6pUW+J@@8sfX+1ny0Yvd1V2 F(3) ^Q:b0NfS <֭[_/ _G}x p|< !9ociJ${|#6ӜIPI0u1(C+$'X7J1OMLC)n } L Huڕ`)|6IQAj,w%E9<0eTpjIJ Ah}F@dhhu8+hi(TV婕.Ԍ}V԰d-u(H:&M+* 4wl`#vzw"Pe~(|uOOF`>kC<ɿySY. 
I{JEXaik|?4AY<øKh܎:K)hV>K[Գqf^ŋJYŒUR h]vd6\T2IS[!%=BAk> BǭuޫnY#XJ˫'fxd.U- գ8-27^##!C7%8mpMR>97(z^x~Ԅ$8H$]h ֥.R"QB;|}]]]_[Β &\s$cc|`e]V8q] [4c,nv=:O 6#gquQT(7/M.?GhG$d5 \ܨf>2fR{4i_P4v%V5gΜ /+xsb [y.> ǿA4YDMzlؽed.psRN.C ~r+Wл?s{>IxQ|R޾>p>+!J5ބ\YDIFRSH0c&'Ay|ggw} w<@/%{{'QgmXkTESUMwjY5{ggc3y|h݅yqO"@ q  yۏc\Wf+ Vg*[c׆c]mY(bՁw=xDVt6 D`܁y;mgtJ%Rckn<~H tKz*D><7_ I[߬b~|6bCd?M:ZןA Vz1Z"#/f=^~.hBK${/edl4…KbMLz2lM~ -(7ASi;vRw_E}G PF#a2>>^]3u;uN车cd@p)i^h,c,Ѡ "\O\:j(}^`{4n>3mvw@4JKKwՔJ ocG:ޟתVAk0B" Pr_;>oN5p\n6mXC]젷k]O§خCg ңRZﰖob,yװ>[+{.Z^e%YfuR,mZx`tւ{46NwNH45wբByrXk\;6P2f\S!Ӯ77'8IlqneZ(BZQw.U,J5&H 3'luBP4J絪Wj;N(vFG^$YOHʍk볃vuu?.qǵVA"hߵkמ-MMMu~ ឞay'm’*3;Udt#:פScF;%iW⌑09GJҳR5ߵ$ wBd9߰VX$ @$ @$ @$ @Xf׿ ˼qIENDB`fwbuilder-5.3.7/src/libgui/Icons/del.png000066400000000000000000000032641303637203600201100ustar00rootroot00000000000000PNG  IHDR00WtEXtSoftwareAdobe ImageReadyqe<VIDATxoU3gf{ink K@C ^0lLmbbl}ĘhjA}HA @lwnw.efpLfg~9dYI<=楳7p9pkK$=me{^k"-+WqdcXj=Lta(SI{3'c=1JWGH?t*!Fe EbqY4}jy}i_#q*R,-"bц wQ4RnU,rAPG /Whd(TZ1im *T|E0a?$p=MFH$ OZr*h.-?]#T(݆_ KY{^z:S?5%Bu3*%Z 4 #U7_ KDјxP!bdābdKUKk'T/WPG[7$Pcȹ χN~~E3:4=.KTd<'HCQf*qsT./¤ڄoH6c[iU+~`l$QT͜hPq,5J)~?)Ts pV_حBcWNo~GH+Jq_O:4sLzzFLn뫠 0f&ӵ.!hI~Z Z\-$P^Qj.lMyѯɋ(e%<_X%|ȝ* 8i$1gkz<. Y K8 <eL&Js. 
(UtLaSN_{78 `:B^N)I6K’e2|!~W ;14ӬD8ۋ9qjk,k-CBvrx6&Ãc Jo@@&$bdz,m)a2S !!Pջ$dY0_ sv9s$`yf؀w:I,u fpDKszi) ҋ鴐 s:>-g71k[ؘE]$xu;:C#5 #Śu/<\."^K[zL 0<0j!a(fmi10ɸ̿y}g ;kZzJ]UW;Oq)|sg8jz=I~!4 Rg0«ٴi^N9 ɕKɦ )uUqt!UeS)Y~MvȖ 4QƧ YE ~̨YT@oY`-RW Jvr*ȟ 0:Dڄ *$}Ҭh?;#=|Tr fu*Ɛ4+!)I9,7'Jʄv|y($yAr,@wDU-2=F ,+epItbK%Z"Q'"4J+ڇ8)J4:nrR_AQ,@x%̺H 'O?;ZV=vX%6gЅ"> S??08tÄ֫g7z X%KkEbNc7?F*}FA1:}Wm^9v$7L_IENDB`fwbuilder-5.3.7/src/libgui/Icons/deny_25.png000066400000000000000000000027441303637203600206130ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڌVKUSU=3DQ1Ұ1!AQN#e%ܸR•q pQT$qbHt羪n qy^9jaxjgM=Ez+vQ?9V;Z_ _ٵYjbgF[8&616uZMZרJ} }L|&-+9B!Oq'D> PiQZ2-۽UAN~PPJ~٦ S`] 76^s&aRDBJ⽩6H&F`{Ʊv0ؘ"MR (M"4jV6q Thh R)@!4i@jZm66~_{{̚87< X5}>g曙ofQZ8  2nӖo^=TqWos~|~D9(ʠ/(Q\gPY)E V Cہ6*#Jx#)~aV=pEWk՟}d_?F(`8 YޒCoQl^,n0㾋[}h᱃4TlFe܋gG \||w] ZqUV@zVUx צ&{x|T _{Wn@hu:o:>G͉Şŷ_E d_ٝ;.x^CVG?P9J^(u#xOC(\YQʀCnZ73x*P@H6KٻJX*s~,D@2AQ)(8lڨ+v!*M/W\nv P'<o?.5j9c &?{p+B“Aֹ _]aPp%Tt`/Ǝ!"~f݁֞á|cwot%>+ЬTaHHJg,[]xVytxk3zS5HF᷷j3}՗:N$;n_㩧*O6`|l4GXV"e.AI8| H%+:4X@tmr D2H-.۳r*5<מ+|`L4 {].n9UL?CP~ESؔOZ>p܉| 3DJc3܎Zgh߰1 1]9wlGK!9\0QU7SIs@'/vr)Ac@2RNb-t O\lթ01> cSFGο/ &W~&|Q Xiedsյw_ٝ.LN&^#!KO8eL*uTx3BDh'd]]2ۨj+o>v PcW ɹ+ ǀmP. 
Y1 J6{>͎kq *'񀕦pL*H0dA%,F37x‰SQƻbW1%3/MW*!?*c,D%zKFB<%VI M Jft"4RrVbE%|n0;Rտ~^y|Dos"V|{(N)ArQXY-4$צs2*Z2+A.Q99YZ7o٬T>~IWgH sS: _G' PWqkL8hY o%'rjCV8 t6 DI#Sfb+ L TJ(R6Z%phĬR T)+u ' A-`%YmZ87fq|+DiU*?!.68NHRAaVXިd9E%)w9 A?ϤE/^6 1Yz3 (#0>v x,e(8(T)9^NJ[,zS2Lwe ‹58P8 CJW>(ыtsq9][?5F!gƨP**W{Foz,:OٟC3/t|Q#wEIU!!|YJۇJւQ"@ZXUf% ܇䲁`QJxߡ0If`qq,YPM~auAw@%&Ǵ|0.Yj$J 74ioItdc2 kp_ n3=X)#IIΙO(Ol\% m*uT\JcZ$NC `e2)𣷮<#e<@  Ka$8ZĊzgBOI)XMWIUt1r\iq b "*w0'}{WOY8Ӡ;0`=/8zX"{6:ā,I o8+ԁ+~V|i2^QNu$*`ZFJiA\;u4?\^8V AQͣϖ8s@iHDCN<`X!`J ]LGh~45`߂W`d,A"/%ma i0c F:*T\b Ь!C ]Hδ]]Pp3aAx+4-|`aUyz+nr]-S|@g9yPI褿m%..U25>2I~Q<*&79amRoH6M &>B>P\Kq}}T@'_;:cde&b@ DA @yHt&sv=91'B!6~hEK> 75CƸnrp?oE#;D!ګ%` 2zzN -a V42Jw1AIYx!M’ 7YJ׾ۤ4`'p,x8+76ǨFR36TH msx_Qʓ%T0l8*8VL}CYm\,BXa|1f:F}be#ed䩡9&Lgg؂w>VheI>JQcVd~-9lɏW|Ղ=o2Dʣ^dcZۆt(e,7jH'2RRP. KS ?K1Տm1rIK\IP HawOh`7wG8r\47n"SL2p}uˆ68uM::dH(ΡAtjb9"4J mN?@aV*MveZ@R QF[v01mO@duc{QJwz@52P>WY7{etr~ ]]T@KW[ *o&8tP C#D#ƀwoA>fPh\AwәMpub_Fg腩~kr_Ifżhm~7 Ahʭ~1G[Mӌ,q0 deEP65=L9Z^_lCh(4ـ/ۇ9+Vlط-I /o.R!1[4V ;fH{yQ^&\JC -8BKS4NMyGkt]W?-P%23]CL2`+JY{vR~  YlxJ KZFjLv(kX+?H!O]hu0i90s;!H3=CwOui$`|C7-B%FP 鍡YSO섀Nq# C!(pfz4(!i5a (RH24a -$/o'M`n.)I]@C>Y|Mڍd֘~vҥ_|"(ܻ as"~QHQdڏT:TR i]%޾Gzg((dyS28G׬Rrboߟ"bDB}Jƒ'D ~cbg&텚z<%m:4 &'@낙U"~$R`D\q}z&9F"M&4OV'MMt7Y-邛eBzbq&k BA ; C?{_W+D,~x7-?CR㖷44S + n8Mrp?[|]'_k\G!Lzk؁bLoX>Ct;OP<<bC|=ߗ>ٴ ⹀ )8CS3SC>Z'ᣛHCK6w][\;K\v?@뿎ⱪɒ >%yZ9ن8'Y *B Aӣ0A~5PlE:*W_xѝx(MI?ݰi/M# vQ룼>wA+D@v|_K]P" s Zg"|o'x./-^o}dm/w! 
} /~Fi QӘ0;nF O%V1( 8mD!M] :^AAz`w>o>ZɱWv(dw&Dza#)aYAYȔ u{:&< ]$ _p(4o ˔G ?B.OL\[h96 Gؐ_ #2R21Kx>I 9??gq v$;Q67;sPX=:˾+ȣv* tZz&q@g^q=QƆNT\=6o njwI/;kN]wDxnOE|o|KVte0a)k:R8r P ΟwO2&i/=ףOa5K{~է.onX<_a!oyIÑY N&Pn BR1!4/Hsy~l`wnTo]=udoׯ?J㞶J˰[d:,_L v:;ޏ%՞מ-䒝!t=նm#7,뛵+õ($l"%[3SsTK}f#H N4M0fIAy~^dhJX^y 3Doӹ?=<`yBf\tuU` ) Og'"-l6YbcpwDX O0@OvdnQ(jp}{i hc$9t)8ˡh,J}FqJCgY:ej5ض=$1^P TUS k;[r"]TIy_,kTRB}pd 񬉇ZŵD8:#((XX뷗#Xi)H"שOIENDB`fwbuilder-5.3.7/src/libgui/Icons/domainname-neg_25.png000066400000000000000000000021071303637203600225240ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڬVIOdUkjWY`LGCD;`X7 ,Z6&uaDtB}/`E(M{^Uu5tz|; Ox " !I҄!I%MOO( Bt]?k"" N6>>.ġ/?DvD2.!k45)q7|Sɥ SW*&m99ڧh}&_&7%hjƄ)H-&1 tlLڈԪig) <A ct!r%śh؀.J:Hemd= Y,\*@' kГs*9}@+¥hFC嵧| ?쯟ܻɨ) X@zֆm$ ttt`ooo_WZ""gfh $kkk)z{{.PQ6+UCHNjJ*$154TI52d}MM 'I]}BxbIPTV\5G1c nlvy۴%o2?R{z?5^Z@/b+ d'&<yjimӉ߅p,c5uqwA8ˊQ΢}}}8::B$ ϓn|PYrf3eǪ=OE5 />㿰L܌3FWIENDB`fwbuilder-5.3.7/src/libgui/Icons/domainname-ref_25.png000066400000000000000000000020141303637203600225240ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڬU=HdW7;F0m e*! 
AD¦эـl,V+kBXJ  }37盙ΰ9q}qs9JkL,BB$nj q (%i5!E߷G;La "m(R lLtZmjjJ I~0J,56f//+E|O\+mL|\424&(+$~їI̳pAxzLY:g"]&Ww)Q.t y"&Jl%GF@RIi}oJk6‹8p][ W a4L Kg8:9;+𻻻dW šXIc``B㶶6kIn ~sssB///coo===upJM>QjrR&"wvvꉉ 777ZO-$fд+# 3 }jQя5+j[\\D__bX%/s$XbBCZ8 9$ে&<+?UuhhnD|c예E1DFlKEUt1YWJ H`{{XZZ* R dI- $&mD >dp"9888?mmm 2{UrRNVJUU՘TLqTdmm >pT 23lnno{*b5r67Qno۱* .KΎ[[[x9Y43&~fy<%ߨd½@<B 4~MuԈo>ޓ9cΈmllw\E v-9E$mD^n`Nc"i"ma;)E;|>VbhlTI4*w:uTDl6krơs 1ħ0]ZuPqn cF6[R|<a}}=4c4`6XXH"TƬ|Hx;&  cާl*nZOѭcs>9gg֌~R]_hZo77ߺ87CB O[S\IENDB`fwbuilder-5.3.7/src/libgui/Icons/domainname_25.png000066400000000000000000000017311303637203600217570ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<{IDATxڼV;O\W}qAq [)vcvR,8Q(A8I.p{>c23wGv%'#}:3";cb%h0"FM9333XRBuaFejH>iFIR~͛NH1 pm`N$Ys-UMVϤIB4T!?}$i@;njC(Vu4IHU`dEpe8 cDM&A-FS$ݑı:eezDՎm_]Wmҕ_Iu9Ad6go^HrK7+ DIX&q//ߞ*\ou_Z-嫨l=˪z*+:a9)I gTEl piIXY)%DӘ.u鞌dp)ξO2 8~ogg+++w y*eQ.L;#8S6wf"a-looh(Yx><<]7,U*bX3\.>x`z&%9aZ 3ϩ:Ee4XG̙3k +8пR8|HkEDH;ou46hHZMsmyN~3`@ۨ}q[ OC;yitpCxmG]x5<̊RXS5C Ƽ"" 43f3`JB@pA1MIOPϓdHzsB?b. 
g\$F?"4F<@Y0 :Iۉ77E˜5K' ٫u5KD鐒B7e 99'ZV@ xq/Ubb vJ2Ր$E(05NEG]~9 @pBk:Zyz}_BdX` m%H8#lj1K"tRA6IHS4qo~8} 3gc#gbC+FA^hU|$*jkTl'=BOg$kb:9Mwzz4B_}ǹ$* 1ZAFۚ:ܰb,`yls'y9T" X!_RZR!1—ô'NȸgϞ}e}.5v^zZ&zy~ 8ݻ'-۷ŋrk.iqFq]j(x|;$>|ݻ"߿o>uVLxvlQdzfQcG+k˕s )G+ U2a(@+ N|嗓JՃ`J=zb۠v!v]eP 2Uh!- )͟;wlx'89L .Ti^1V" ZE3- ƍ++"] /H]> cU9=G>?W;@z "<>.hfS,dբ}~\/^{_uO/YuM,<|}мYiDh2cXi|?-o=gK p-8zwN&QK;^k{lHmH5QsD>cժY]KgU~࣏ ٮ~*3*yRfͳ'JO/;>GDmPEpV/fEp>wpfAEp> H_o3YYJ۸؝!, 6`{;R@RϺP+q4ix0԰H"DR7Eł+iֿ1jwj7G!8wwz<wfCl W0:ryJR u8i *bqVv'Kz`MY|"s(_ٞʪ9$w%E9<07\Rnn]ӕgk"͛ ?԰&~zϞ=t!ڽ{t:99>>|HW\ϟ+c@ OLL Wz5u%bYqӠ/_.;wH_v@*0={Fyh+bhPy9k8di˖- &+իWsW0&Ze5]aQkڰa޾}?~G,Vׯ?ajǚWmۄ:c㾙jǎ3sq]5^緐wU aL3 o,xM"Ed!ab7B^,?8:՟{9H-cǎ#GlT]MUUsn\00Uw&f*eB `ĥKkg@qaa\ODsۇ|Byʮ zuIENDB`fwbuilder-5.3.7/src/libgui/Icons/down-arrow.png000066400000000000000000000006641303637203600214440ustar00rootroot00000000000000PNG  IHDR r|gAMA abKGD pHYs  tIME3ܧ1IDATxmn0?7H$$6+Re ЂʃЅw`(-(&w$K=Wǟn yTUwU:{y{*Vk-V-V 0!Pu9 \W7_#iN4MNSaݲZ8NEqc:i & f3Z]fI(M!@$,EtJ#nԳSFYFr6z=?xZ,DQDE.Aw]'D쵯gnz_ƻ8NHT!7+xJ> IENDB`fwbuilder-5.3.7/src/libgui/Icons/drag_object.png000066400000000000000000000014421303637203600216030ustar00rootroot00000000000000PNG  IHDR$0yGbKGD pHYs  ~tIME +agIDATxՙ@ǿ)RۃV0 rlX78g 4ŕr.X+! ),sUՙD F?}?3(E!iUE fC L T|5@.0DѠ\  @iӬy| ֑9L0 b2~9 $&u aț2q0S4M,Œe"0e̹RJBT#+J:($=523~<σeMS1ŸU|>CG^EȬBT4U8|8,WJ,yߥ8$P pwQ4d2F][V x!') I땴-vt^ݮ. kgԔ&Ufz0tF1lӬssP`}}}Q4@6{$ö\{$!e uGl1d{(;=Tvt;E/!45'T(Y}$9sS, IDATxtRMHTQ}wf+-Lk-4J%"*A"h.BM J" 4H-J"rF{v3Fw}= PC lBًT\A "/]ϫ ۉTͦ(尢:$hgW[P9 iK؟M+pMDCyspTslX͟]żd'_P)]Nd?-.'E%rI72*= LgKeu>>Љ!ca<<[bO"f9ݢz6X kO=,:MȌL@3h gQvj%F*CӿI0EW̲)ƞͷ& uj2 wo_#G]}%D; IDATxڔilTUoMg)tK Z HAvCBR`1ۈ!1`4~JL0j0| 64hE0EieOg}) %'͝{u;Nye$RB. 50p_ɷ# O0n"yd?I2v4~*RG܊ wCS I>E2b]k-7}[6Y}Ic?ew,VXPKz yQrp@p[5= 7Vl d3.obͥ7`hh.AQ :^˗o\B FU:i@%o866 >$ÐR#D@Nq,,W 'rBJEK1m $KcIg*0 Hh*3͵5q C =MJR&}}dQHݩjkܖe.B4qQeq~gpXCH! 
Nbٺ 9S٠4[QKQ}@(r * {Gan1ӧ A9&/歰_^13=xi#i}&jgfjlPH,ѴLt##;lspr =kx7-2<ɊS4으NY\ɧC$.FyȌ*jx/!$tcnM"?|4F©T%Bqw,}N^u&r vͩnX48]ǒXɣ86xsɭuLz)[&/b-i!7/ yWlܡRRf(1Z_g{%8+$+!>"ٓbs$b5HɣBx)i;+#clkɕ@!+/?`4CM/MA} >0׾-n`޿立)1G5:F yi-H"/ZoLw 8񵵵hll1%I±cА4@qoPH˂哎=pY]=Hlܢbsހ GÇQQQ1 7ﶇCW\df8 ϑ {&"rqmBc ٳ&k0C܌{U&> T7D3 `#p&dٲ\IU㴮׋V`hh۶mCGGaߚ́!19MD) ϺÛ n w'a;mg OT#\n_UU1g:LɌ,{6n7o;{Q_SSJuuuF 34Dßi&uG]DȡG~ o>߿ LסBO> 〤A387Ojwn IDATxڔilTUo737fPbi-L&,M?h!11'Ř(4>(K(l$P"KN҅.t0{zޛtZyws9ql$kH% q|pX}o-;)1B:I)2<2O}޷_-s'4bc7N=R/*d/2 x ĺ+MW쾵+l r8Í8`?`{A$Tഠnu'6۬*20ZGNcMGQ(FC ,(^iYqudHC4ASI*gpXChmY 6BTd,JrvB񚈳:jwJC(('$ oxB2/v&C )+qqDh!Qp-64O1Q1IISt6A  HzToNg#xZ >w)T>+NR8<&p*x!$)0Is-y1KZVL+RA[Ǵ0K/̈E!/BK=)GѲXV,r̨]m?≯LyٲE䙅 [2 Fr>1U@z8oB?*˄̌dFIYj|ai`*(;V쿤HUWRTlW9dq_$Bɐb&Q·o2>c#em/l=wdi~Qu3ˀSyx.rr!!NX4(NænrxѶ擎,yB^Ġkb!7T:!кr#TuϋmKyhHk=2iF0RСC)s$>*<0G ,9&$ ;7<1]3ogqi]]݂~^-WJOB(qW.=\\P[[Sd8 y"f!3 paπqiX? vBggVTVVe}罔g)ȴg!"&9u9p555&0sgnܻ'ӣ8۞<%p{@4N }}}"IPPP`Yq(;*^hz6Qw&kFk Ց9oXN)5eЕ544۷oN MIDATx\SkWLI&Ƥcmiۺ@RhT*BE[PWGX.mַYҮ#ɾlIɔ ;0;s۶d%PLЎmڱyߟ^Qd?QlfD _{^j@ɥT pXR5Mp$E؈kGm>Ι(-9t҅GR ; $va{#ځd[;ue2T`B/Yu RtbP"v3,A|>T9M3cbtvxZs12^+H=XF4wLbzw*3'5/^f^r IDATxڄ[lUgn;nҖZ "B"hx0DQ0cFbL@D(M,U"MRʽ ۽{73 X`g2=w=\?pHcI^IieY@IGIIcҦp_Qo- ߐ+;U`qtКä =l {1cWǿ2~9%Plтt#fpUݍ][]~,Ԃ T_;^2X(ݿNzM2zk@@2F`JRpB}C&PXCFTSĕ$OZZI&. V q8XBU X-[aloU\@ JPEɲcL$6, _ d{1yS`A /zR!PEo3ӕiǃĐgI-H)<Beȸ|2fN_GxAmqʃ ͡LJZbW[sGM, ~ɩLx;hoYMf`k`Ic!fls_PHҊF\bULP#ÂɴFdiŨiOhut^3\WieՀɑJ'9w"C1Ac4}K7vB~;Ñ_?@ HQ-VTO s Eh.AΔSgsd{o_?6H;w:nPno)r}8p8$n"/ r1t !]ɋS_mq8û5yfH_ݸ5˓MX&ʂaNY;QJh#G;:0tOTH{ }'#!($Uǂ3d<Z^ts?IENDB`fwbuilder-5.3.7/src/libgui/Icons/dynamic-group_64.png000066400000000000000000000211641303637203600224320ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< @iTXtXML:com.adobe.xmp IDATx[ \u=Ui$$,8$`CS2E) &T⥜)Lb1$ 2Kd   vfYz͌zF;{}/|?mjj';:KZg%v=~1s6Lm^3.65Uv t+e}^]6z籿ix:J-eKnV=E` nMm. 
3\xHSXN _ }I8w]Wo5< I(Uףc&@+JW(uj$]6eEh3ѳAF߬/DHF"(IC%\G!P&*{toM$<~6P,B=ڵ_"wFŭh ,hXb1.!65~WT| |8x%"P9XgCYEKVQ| rbgDѵhMt107% *=z!|R(B"!/GW!< G0E"3!!$mXl^NC+|*&Acw:,"+x@_w4ux?A /E!B +.c.M$mH^@  ,.*kO|^Yp9b0(w)Hq #\h<*fQ ;H O0+>/ ;y/ D/.gNdcӕӸP4h TMoL%`kR/k ~:mVz<`cCdD5}=9(D(k ܡɎyWž{'8=2A-Rp@i_ ,*i+I=@o]; XJ/ pD ìB R_9/+4yܞХن9PǺ׊D&'jeW iP#"˜W&M+߯F  ,QQ *zrem? 12\BTe𵇕YD9װoi=/qEM>TPΌ*RRr$x'kWuky!Z _`vaux!KSi5-XLE 9;(h;qkI?+^ HwТڋDB"ahqg]Ֆ AoV" R$GYX?(t)5LHu:Ƈs-cll2;5kūNhb\]p`sU+k=|'G:OYLCb ߾c/oN<$X!I[MS HX57J}{z 鄰N̍I7v{:$ȴZ(Zz+20ҵVGw#7<߇#:5g|' xyFH0R:Mu(76#n>w cU"uL30~*G'~1v_Z(OLqTIp%{(.4D FAdU Mm&Ը}E_.DZ@W *ХA&P;?_$,k+h ͈E-+Ubz靭[W!Z߃IzHmp .D!~ۈo"vAUӧfsk%W-܅AG0z%jĠ®il 7t&5ܵ'?2 hv6$ށqįȟbdBIV I̘n=8rJ!Cbڰ%\-5_Bc=YzU}0z.#$^szMЋ+\j9EГ#jjOBRݧZWچNL,? N(X[nCyŗ1pkJogZH@xAX07BB}ٓ!Myn-y\X"kO~Ǥm"? ㆛1acR0 ~/%VF0h/P &% 2Ub7dH- ;h c(4E%}0$q O$dl 1F ̚ QμN;AnK ]4H (](T[b-h7!CqW$g]~䝣&\C6Cl|T-df xԮd x A*`BMJѰ-V؟g'?J߬5đL>ӂ+ @X#B1i8W$%j\ΆA5" 2Լ|,n\4{ŝqz}+Vjd} rF \HBr< aH+ABoCE;3oˆelHE+HHF0?Ձ8yW~*x?'fC-w9@"X@B'$ &N4$݉Ba jqa"DIi"-h!9ݔ0 ĎIJ8DB/B>YS&ƚJF05.ΊXt$X^?2 (yg^ٔ n[]_ :ۮ=n?[ R3!l mS#'_\SUJ =Vɱ ҺEҁ> -?{.,%bsE5&ZT65Lڠ qKeO]0=S9#ѯ>m | &1$vx$J8F! pY/yVযXt < f 3 ޣq8~Ey"T{W/w( >~(K"^ nEAUxC(Fp#%[{o{GQy Oxj[h15'Hrqv$!!`h,+y9e7e}7xOq5%9qgF9y)lyjL?&?\B+; }]gz_o"mۀO6=z7(4* ˑLMyJ? ~rO^e*$1a+u)7 H@Y9qXxt!"׃,YBmp}k&QWVYuꯟ{L'|X_X/1* { a'*ao:V8TŴ_[TRV##-ԚiEnPH*2s, Ş]/ `h]_6#'$SǷ'8>G(c .ϔ?pOZdO2 gU7|SśRIAcz=80"{ʞM9ٰw'(WMMnwQ "Lxpj'79e.MsT1cO(k7FM*4??ߋ}84rفFv1" ,2>8.v?F V|iT.Ϯ$L B u~d2C"m:ۢ;)wA=;Deya(ŷP@y~1ϖ?;?.{1z!շo?3Y{_笠RB\$T߯ShBT+''7B@&Iȉx*ͼ9G5ΣŇNCbzA3%IOA㍩W`62!yߗ.':zgu=5f\7exCEzeyHdP{[\O A= Js2H ' d<=>3D=u?67Kij%nu>FeL(wOiu5@>H'D)}O୑&?IFg8P n[//kn/|Ov.Q7QjqWq+Tg1XTׇ[F+;g[Ubij DLJsYiF$QSv<egE'(0^/Ć?uZO!jbms\F':(k'{B8Գ4,d+>ZA+9?3&`CV7GbTG["Bp!#ԂtyW|`"3HĿA[AdMr ! 
) 0x)U IENDB`fwbuilder-5.3.7/src/libgui/Icons/error.png000066400000000000000000000037141303637203600204750ustar00rootroot00000000000000PNG  IHDR00WgAMA abKGD pHYs  ~tIME AIIDATxϋdW?d0D% Lѕ" Y•?@0 1+q EC Qdh2aLtWwU=.ޫWݓ#޻={=ککɣ\kg8AK#%3خj+Kޘ/Ћ{ ,gF^ԔzE`'XmC@ , ^DMplDWƲ/LMํƵfnP[!`,#uUZIeKBpv̫nlyb\z?DK\^T̂QAO)Dg"α0c2M67h*qy:<۱zƸǭ(Z-W XWyF$86q)lxO%nUCIEB#7rx̐땑uj􀾍FJHCE:[12OGGIۥQ|gC7Ls)AUJ]XBQ"08[\x8q5]׋ `o/#[Q)eF"cE3cPHhKWf)wP)<#͟CT;u&;߱IZod2h䣑wQ[ܽR;@||1$w*{ChyDLꚛ +?$KXA۫N䡩G~;d%bnMuD_ 6&MbʴqDmPb-*fG&,)=T}6r8%Ul>6 ԑSU kk$B{iJ4tbV>b-+ysDۅk\t^[hr;|D[ED%"6-7Pq(l^; Ӧ~Hc" >li4ժt O^ !Wxs?R5N)DKzN W Uוm^IUf5e(t&"лC2Qj3ڸ/#%daUVv FcvP3MFXXƝW鉛J<=ٷ/>Vd H;/h:e,rz&ȼ .cso^dDgWP^ɄwI 5Pc2x}.d?n| +Vl_?{zNdEC4Y&&,-0++n- PVō]sag^#Xt{Uſ&)o<8=+;u]>ElDkNEɇw rS;S;S QNʱbIENDB`fwbuilder-5.3.7/src/libgui/Icons/failover-cluster-group-neg_16.png000066400000000000000000000014331303637203600250350ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڤS]HSa~6g2K]+\d2] QXxSN%A "Յ$xQ5b?ks^xyy?!A-dyy#S8<%.Hc}#‘o J?M*9i+Z7EntSeXxܤB>hQvyn$q#f܋]R36& q˯R@d-ư "XY%(ȫyT Iʹ90Bfb1NGF¡xs<3 l, 2UK!#Χ80²H{j5]x?ߵGSygA(Ɗ F(lndxX.f2=D5Zt idU R" Z5Z#~$d^ A8h8]< ?Pނoh+*zΆJS`y /CLL&'[f3h~ :;0Xs8p♝-@x%d,!Bxf(ʪ|paqh4|.64ޝo==H3@ Eqى}YR:4D&vH}?y.vJ Yi*lIZs_ KCx6IENDB`fwbuilder-5.3.7/src/libgui/Icons/failover-cluster-group-neg_25.png000066400000000000000000000030161303637203600250340ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴkLTGw߻]]yCPQ#VmK#`&JUci5jcE%IMcVZ,4E ], .>)/ss93朙9gS~SHZ)+R"":"_j6hBm1|> ;@4d,cd[''VF J>C*@vEH. K,A>9>=g^`]}È?rxO =`3{\BS:tr'A>Mp@:"jFHhih,t½N8bbL} z"%=`R"_)[x-y#r%{kWQc#HSڒ {wΥIENDB`fwbuilder-5.3.7/src/libgui/Icons/failover-cluster-group-ref_25.png000066400000000000000000000026511303637203600250430ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<KIDATxڴU[lEvmY[K+ iA$i(DQk!%# >( `I ЄCn~t->hӜ:gfw.m9/}{cBօ'EŤ! }Aa kt:Dd%eLكn '_Ċ0hI:DR@ێ6TTâ?֡[TSb*P--Mj)Сt. 
vK0}(41{J(W$(EJXGlw!)"EsI` .u]Gqq1^p"g `aaL0qt̗߄m[DU7S)* S6spe"B!j|#Mt>Q[e"`7ŀmYENFP`D1eYe3&~rZipYb ŵt'qEmm-ϨgΜ`'#|vݹI%+ p &~At6[Ϧ84x`'&LMM99Fgg'[0e^<CjlMW_0p}#, ߖhllD__N8}_i+}ݛmc8sq)__]w*A^&LOOc8p z+,*[!zC ?TTp%.cћ/YcF 7j:,zQ*g4IENDB`fwbuilder-5.3.7/src/libgui/Icons/failover-cluster-group_16.png000066400000000000000000000012001303637203600242560ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<"IDATxڤSAhA};hkF(*TDQ,m/bO<)B%z(xADb661h[jf7 4 "80|{cEZM{r9-W&GN-i USc? ܃#ZOZkgi)BEi6ɽS`gHܟbJQ(x- wV{k Vߙ_V s[0a0n;ŏҞ@vb"$3=B |X'V52b pdc뛸^M6OXE 7hGo08!C (DڍGQNas{0 .o8T(C3A)(A%++ZPY! n0S$Å-oF2/e8JsMl}!ͨ>[8WKWKڲꧤ|yLәb`O99loHKmfcG}{u__1[|9=IENDB`fwbuilder-5.3.7/src/libgui/Icons/failover-cluster-group_25.png000066400000000000000000000025641303637203600242740ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴUklUNvmYZaV@` " j&DDb1ĄT$  CҖn󞹞;V1A;9sgNwss.֌ ݒd99PpLVG&k~gWw׶?u[ "|M8]D!3M zES1qO? 'dB̆Lh&d2=O,i!HK֮ 7p`,߂p8Y`%\0I5IShat M\ d#Z[pOvؼ9ȥ,ѻ/x0&q0zw]uuuؤ3s({Xp?wmfp_>z].e#MqXD&cl:OѠqgo6,REl+~&V39 ",b42YS oU@G 1r " 2!YVCytN! 
[LIۂ9(Q6ʨ_UC@ I4mdu==gaZU`Zu &$'7gCm`UX"*~ ?}G3 xad9+a]<EA~> c`.\Dę¢UQP3hZd]l3/&Ì+ҩN9Kf.ņ$KQn U3kc"x>GØQіU!56Ѿ( a#yLI዗@߆OEuEG@C5>.G"V)7om Ȑcx\tXvF:" ܓ^5V-dHCQU>Ղ;'$yhkc6rHb<ޅ?Й(iFh_0Hw_9sH7{dY~ C$c1(qJBB!4KJ0@v&>]ύ|+^#cuzl;a batZjzZ }gHtȒrѤTf%!wQg8ݥ/Z5JTA~9qfL&ieIނqվh߽\:yZ uo-*޷KژE<}ܭ6<A84ɍ  +>"zzhLMʱ %u3 67lܿo6󮻣8r*-Kh{;vgV?u3 s⤐N)/M35~+oI ܿQ׀LRL3Iwoi]sv?5$;IENDB`fwbuilder-5.3.7/src/libgui/Icons/failover-cluster-group_64.png000066400000000000000000000120501303637203600242660ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[y]U?w}3vfqҸ4,!aQihPEV*A * "*4 4IcMڮ3vdy{wlg!{G޽~|w ]_S6`01FMcT0Vx;z;Ʈd.%00.G,|]O<?6-ZX\.йW^G>`^l5=j{U*U<;K"A:`VQ j-,,P!F;+,WXV:SZss=-d&Wi~jl6)zsmXs >~d>j #2M,Ӓn<r9>AvsXpP1W}WPi0 (2 ̅lxP] @108%2 j}kehr 9C\3DQD1~)R?s>s؝U(,;H)40"Ff,Tb+0 p|?Ր)ʻ&eL^0idzwl @b>c| ӡ\&߉ mdM `4ujm QaZ7Tcd- M9NEcfNH>@u]J\tބ,o®RB:@7 OR)[ ;C/,96-cyAϓ|ծ)i`t5s 5D"΃th!'4Vh4FvA ::<].@I Of8G'ו K0+ID@#u <Uā.o}q`.D2GN Б6} DDäQUF$=Zv[E#{Q(Fl&Kr8iR RdB߀OȮKliWYJGiJqFaC*!Q ϩ`UBBhz"@ L|xv@j6tJ؍|{lm@0^|S7]x6*E}B|P.9W ӑ=f9 g)+K15_뷌'w}8ul\wχ2B9t3̰: 뤚KXW2gi}nz)Y@6x}RpԺϮltA33K ՘kө3*>yE(c7`$aQ9@]TGԾ(6oY7vHxa'_=It?9gBX|]'0GS>CFԚ#~":`a-w7M8|8#)nr,-/jB` f/~8޳t/=Dt[p ݠDxc0}+tai& qGy8ü_ Y%Lm4<4, $͎@ ,"uZ+f4 f ̿G>GT;^DLԁԈ;f0(B$Bsl"֎w:AcsqJ-W6~ dZVȘ+/! #u-s/{yR+ǁ !1q}c_=HL<-~)J2fУހ" T! 
BRa/zG>]4C2M 4<f `\Gr ؙ;}?A;vSgOѿ?Y8:@b^ڇ  c>0\ =I^{>WdCҼ󉻸ۣ`=< /ϣ>^ipl kαmzϿ@Ko;?aghS0ޢEΓ nMoS;h xC2#T pKZX9=4Ԧ{CrV[49P1-*}Dͭڐ2lX[tX94N_MqCGiDC;d.QR%!I훺߷zN~#@I;%2ˠm7DT!&wfZɵF3:i&+Oo.hD"hBPgd"jUhеT7+e~mr4weK5ft`G =0 0a\hnB[YKqW47  M]%2~Cz!#tpC"8Ne)0Yj?pNX8XmkV_T Z6s%APhHSЬOL> 0@6u&(L\X뭠%Ҷ7%g@IS=rN` .;(\Q1Єy%> 47?9t6Ox"1-ۖugaJL+C1˵rbȡRDm|tr5pCAQ5st7%(&{M-IL=[-Wʸצu§fv{:V"@l`aY,2_igP`^xI(i7@QBڬJX^^e(55TxcKuLQk;)s[yޯk Lv}gZA[Pr-uϙ/h$tIF VK5lq9xvNkއ?\iC[V'Et{8& @_ OUgd ,:3gIM}q"D/vb|xXUi;ʅ7Xau5֮ bue)//Y^Wn[\StLx75AmAȁy`JZj!A #>:BL~[k%k6wE74kL)K&\!j[~pS pe:@J08q3 [/pHxW@ROd D1+Xʊ¡Xۦ 퍮I}nzƚ}^<3ak$Wg ssle 0^1RѠ_.ܹJR'nv5;Dl9z 6  M:‹4ahřm @痋g0<~B*~vkd9]Ϊn0y1y1r3&;xY5{,xnXZ"S̿/ ntT!<՚·n:N4'@0jW17<ЃXrn◱Q[4RyX0~]B̬͉Pzsor'?NKsBYj/WԹK|qe3&q괮F& Gy6Hq^Æ.9k,:MwȟL=GHT= .bAYdD9{E wH{ ;F1, BΏ[#Q)]v՟qGz1E\AgK`ó@2 Lʍ5rKݰYDVPFR K*!  |{L7$I>s7 PlV! xeX xVM@x8't hcT9I#=0f",4Wqɵzr$9?9Y8M>7 *ߟV}r9Q~{OԸ4KiP"cp-/'a^kHn=¸e"E%N_V`~ۍw_䳐HWCvͻxÈz>,7̄^0RpQ?c^K^Z1gߏQh }x,]0vI#3Xhx(8L4_9$ k|ݬ\*S 늻*>  }fL 0~Ґ]Fid twoȝT[^ZIvo{*cwݮ 2v3,y5f6ꦰwct|%_Hmnp 6o]'0IzS|`AM?BOeZf+IENDB`fwbuilder-5.3.7/src/libgui/Icons/firewall-neg_16.png000066400000000000000000000011401303637203600222150ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڤ;oAN!$!D @4H j~gBM*&HH< [<g^grƐPL"1ǽߞ{vWT3 ZZ,U=60n "iN"{լpްegXŕsd3LrL]0(4-Ժ`!f-%59]lg۱ɭn2xx.]Vȳߐȹ\ȧ4BPٝjoƜ)L:b% W@b \Mb=5" ;q0>.`bCp"p^\p (b9^l}荼Q1F{y1cnQ|sE YP-]PrGW+xmqeC[X"J?=5"o .>xd{Ee {n[V UvW?Z[ɝuty8k7>R3ϼ=82`Q?J.:dAIENDB`fwbuilder-5.3.7/src/libgui/Icons/firewall-neg_25.png000066400000000000000000000023651303637203600222270ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڼVO\U D5ac7Fvâ W `%?41,hK4&ՠ@yYNν|}gJ)ߗp=E_5$jKOPr.) 
K?+zJ'gp-\ۈnq!4oQ~C%C(IrYᓫ p$@ځk>jQ!KANgvU9QZC$Mv A/(qÍ=(gS 2ەK_yh"5W) lt%psb*@`wՑގa)"@1x"PH?ԁm!%9*D̴HV qF%Hр u(iY"CYqFN1_ie֝s4PK/XH9n{)&iej7 z@X9Rgn t3c1`cԂg *b@r G8LH ڮ02y]M{)T <_h8B7Uި> -[-H50x$IT9a5tA9re)7rfbW~> $cmӃ/)lp^cpzSa4zD'tm1 |+*gC߰MNaJ0akGz`9J*{ 477G4Eoo/- Ƣ:WT(DWfS >(ݘDgg'ׇd2i̧\Zޤ59Uh;e)T)j P(4 T2m* p{f&.Qy&CM…De Q-hWܞ9IGGֆ`qqр|>= JFFFv 4Š?P s%>g.fkܜRSSS‚ OG&'ۘ1<< u$'d#O018>{W,#Y@7Iw&(%;VP<)Cj5̜q֎D Byn'-NlmmaaazDZh?k{xNxS)ZSA6A177I]fT_#!Px6Qk"QIL-82OLL`ww7 ER1FGGfnUI=o%6)V_z^c%0em^YYIDg1C|"ᩩ)TU4 ,--'wǗJ%!L???'vwaN.jԯZMIENDB`fwbuilder-5.3.7/src/libgui/Icons/firewall_16.png000066400000000000000000000011701303637203600214510ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxS=oAq8!!")P"H jJ*h@M@HDDba"l}hE iwOUy9}!O9߯EE2r3=#c%GĠ A4}<]wJ& S&pM XsMr#j9`D0krIǑ;!xxe7Z5dD:F5+$~h%Rl֘CF(' f\$u/^'*YXIc(kK}P` o%vL",M\dCXQXț>;ܞyҋNKDӄv=uW 2&_O: ˔Mم[.^=@,gGٰX,3,K y~vt5 ?5Fs=5 }7`Ch6IENDB`fwbuilder-5.3.7/src/libgui/Icons/firewall_25.png000066400000000000000000000016511303637203600214550ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<KIDATxVnG={cpX H@By,mF_E| 6l@vHH$ cGcyvl"FDϩsϩjm_vuNl8Ufi%)M;b;g##%&@;QcZYH)bq@)A ӹ$΢8TF)B0HC1W~~ IF'^ߝB@5eߙJ"i8[yF䣊`$X)_GIam}> Jӷ뻃u)0vPv:XP\Ù@HT7ImԘ`d9ĊՓY(D'ɗ COز ̉ NIrK團 L=Ed\jQ 0NjHC`d~q6i)Fx$~kyM@=eJgy_/@ E""t''6c<|:'oX9|R8Dd@m[H\Y[ZCl;CЀ5Kֶ`R<]w :I.sE'-a{9ooE%ӗ-B3x$@X82 ۻk{gݗsggg1ALjU]]}{{30` 1c ٞ{@En\jbҔcJ"Mmző|xha@Dg^kz @qLqY7 T z(IQj>ƣ+gQEMDK[ L-O?Kh_BڈSDO[>mthۓ*0__c $vϣ}Yc&#=\{qA@X&Ao\qn)&5m\;zV \#@9ԝN}v0c\IfBZZB[vp&)͡uM^COxJ/Me~pוQ&|=rKj-?_JNHC>QOD^x d; #([q/)3(3ɛ Zp(yL,RJZ)\' 1<)݃]uٶMT]hJuc]AB3YzQoJ`M E\y?@;Bn4 =I\mۢ@۵b\t)ck!$ aB0)}|azL`ge> sx`eo09qs*:Rtd@@xK$:]S!\ Ր{%L U0(z,Nd R:h:4$4HP$uML`yT1nێUןw Lt9bzZ./ư^i-z'<ȑc!k)mJ;̄F dŠ3?=DxQx.V/l 'G0D=!6&dIp5t}/x%m쵦Vu6hK>TQDai-Ԫ( MYpq ӫ_Utz" Elngi8#3w?6TcʌaEX 39 hP,][_'tJRz_ @fWqxhU .}5Zmߝޖj\J 9h7!$8)sB7of CM`.Ɲ^1gG si9*jGM6Kt8Ѽ:vY@ 7trBV*B:N`Z YRQ 65(.isF{}xE⹨a7I_6EL.Z #lQVr&!a¿b)[2?bj091$(/0 U%Y}1  k}UUYY})oEKOa+3t#|!j84Fj2h* 
Ulrn>{YX@`Bx_.34]%:2a:wU5cV8}l ܸ+3Gs xfh d,܀*i_A4g%V4'Y)sPdJ)%qHs$kh3c{ɘaTuQ!:xm Mg'mAH|sE  Scfj]+`$]7P[Sm os "$L\>Jr LJyl;OXrabTJz»275CShӸmAxfۀzqDL=@E,I< O8e9?9W1pB!ʹrk5 05d$dyԃ;JHHǃ0TW_t^mybYFC Ueq7+e{OԜpAݞԘ;k{'>m/$X2~-|m-G&~{S(P@Z8YVIr. ŬQU$jN\޽XȕP&5RN|@.q< a6=܂]2Ij8soPSQa綘~u^ȚͻD`GYTy#厝 P\J76^^%{>K#eq9\qq\ƅ0D$ oϝdrp)Õ~qPѾe3xfZ | y7& ZOلGbg- [təbG4(XSo&C4Ex~o2< j FB#A.{^l*=n쏄ͬ|kIBK|;Bm﷭cY;JI#ckآv?⽪9T0MBx[Odˌ xdG2NSq{} m \fZU @_#b&0s>6Rvz8`'q!B>2Π6<׃ՂP,B;e*}l=? thanB>ߔЖr&ÍזY) KnW>XSz_Dʥlj jN-2穼"PjPxCW^mY4C"J{k"IgdSA>kJj#T9 ~w ڳ׎&+8"s,aMuW'&CF(Tc%uԑ`Iy9p~\T ? ?(ödޮv4`>Bzی͋} ?"x:]U:}KD^{*5Ϋ84޽ ۶pN`)e\Ⱥ"v )3V.9'w?\v7 0[V!/,=` 1c0G~f\cKIENDB`fwbuilder-5.3.7/src/libgui/Icons/firewall_64.xpm000066400000000000000000001024551303637203600215040ustar00rootroot00000000000000/* XPM */ static char *firewall_64[] = { /* width height ncolors chars_per_pixel */ "64 64 1595 2", /* colors */ " c #000000", " . c #B1B1B1", " X c #D2C2B7", " o c #653114", " O c #ECE5E1", " + c #376099", " @ c #5272A3", " # c #983F0E", " $ c #6A6868", " % c #3A5271", " & c #AFAFAF", " * c #365E98", " = c #C54E0C", " - c #1A4C8D", " ; c #9E9D9B", " : c #355E97", " > c #973D0D", " , c #903E10", " < c #6581AF", " 1 c #C44C0B", " 2 c #ADADAD", " 3 c #903C10", " 4 c #C5AB9D", " 5 c #496FA4", " 6 c #916349", " 7 c #7F93B8", " 8 c #184A8B", " 9 c #BC4B0D", " 0 c #302F2F", " q c #ABABAB", " w c #BB4B0C", " e c #873B11", " r c #BB490C", " t c #7F858D", " y c #803A14", " u c #A7846F", " i c #863910", " p c #A9A9A9", " a c #793B17", " s c #7E3A12", " d c #7F3813", " f c #607BAA", " g c #B2480D", " h c #295795", " j c #A7A7A7", " k c #929499", " l c #B2460D", " z c #7D3811", " x c #753913", " c c #BDA595", " v c #42679D", " b c #215497", " n c #265592", " m c #996D54", " M c #A9450E", " N c #734832", " B c #B2907D", " V c #743512", " C c #40659B", " Z c #77492C", " A c #A3A3A3", " S c #A7430C", " D c #446495", " F c #878F98", " G c #A0420F", " H c #6B3413", " J c #A1A1A1", " K c #9F420E", " L c #6E86B1", " P c 
#A34308", " I c #6D86B0", " U c #6B778D", " Y c #9F9F9F", " T c #974110", " R c #8E8D8B", " E c #6B84AE", " W c #963F0F", " Q c #9D9D9D", " ! c #963D0F", " ~ c #5F5153", " ^ c #4E70A2", " / c #174C8D", " ( c #285CA1", " ) c #335C98", " _ c #C24C0C", " ` c #9B9B9B", " ' c #325C97", " ] c #315C96", " [ c #C14A0B", " { c #8C3C0F", " } c #BFBEBB", " | c #685E69", ". c #999999", ".. c #7F3C16", ".X c #843D11", ".o c #853B12", ".O c #8B3A0E", ".+ c #2F5A94", ".@ c #B9490D", ".# c #B8490C", ".$ c #CDCCCC", ".% c #979797", ".& c #B8470C", ".* c #798FB5", ".= c #124688", ".- c #6C717A", ".; c #4369A1", ".: c #82390F", ".> c #833710", "., c #004594", ".< c #ABA8A4", ".1 c #5D7BAA", ".2 c #959595", ".3 c #0B346A", ".4 c #7B3812", ".5 c #8F5C40", ".6 c #AF460D", ".7 c #643623", ".8 c #96A0B7", ".9 c #7A3611", ".0 c #939393", ".q c #5B77A8", ".w c #BAC3D7", ".e c #596A85", ".r c #723713", ".t c #A6450E", ".y c #235392", ".u c #723513", ".i c #A6430E", ".p c #814725", ".a c #713512", ".s c #919191", ".d c #A5430D", ".f c #B8C1D5", ".g c #C6C6C5", ".h c #693614", ".j c #215190", ".k c #3C639A", ".l c #E1D6CF", ".z c #8C9BB7", ".x c #AFB3B5", ".c c #20518F", ".v c #8F8F8F", ".b c #898E93", ".n c #9BABC9", ".m c #8698BB", ".M c #6084BA", ".N c #9C400E", ".B c #8D8D8D", ".V c #4B4049", ".C c #704328", ".Z c #335E9B", ".A c #8C8B8C", ".S c #C84D0B", ".D c #8E3E14", ".F c #8B8B8B", ".G c #943D10", ".H c #6882AE", ".J c #B0AEAC", ".K c #983E0A", ".L c #6782AD", ".P c #415F8B", ".I c #97A7C5", ".U c #B0ACAC", ".Y c #7C93BB", ".T c #793F1D", ".R c #898989", ".E c #BF4C0C", ".W c #724020", ".Q c #6680AC", ".! c #913B0D", ".~ c #4A6EA1", ".^ c #BF4A0C", "./ c #95A5C3", ".( c #893C0F", ".) c #8A3A10", "._ c #878787", ".` c #BE480B", ".' c #BCBCBB", ".] c #823B12", ".[ c #804E31", ".{ c #536C96", ".} c #B6490D", ".| c #823912", "X c #858585", "X. 
c #B6470D", "XX c #104689", "Xo c #494F54", "XO c #B29483", "X+ c #803910", "X@ c #9AA3B4", "X# c #838383", "X$ c #758DB4", "X% c #CAB7AB", "X& c #783812", "X* c #758BB4", "X= c #AC460D", "X- c #AD440E", "X; c #783612", "X: c #5979A9", "X> c #A57F69", "X, c #818181", "X< c #773611", "X1 c #4B4C4C", "X2 c #A3B0CA", "X3 c #64575E", "X4 c #495475", "X5 c #889CC0", "X6 c #6F3513", "X7 c #A1AEC8", "X8 c #A4A2A0", "X9 c #7187B0", "X0 c #CBD2E4", "Xq c #6E3312", "Xw c #A3A29F", "Xe c #A2410D", "Xr c #9B4210", "Xt c #97684E", "Xy c #1E4F90", "Xu c #A2A09E", "Xi c #39619A", "Xp c #5473A4", "Xa c #1D4F8F", "Xs c #B4BDD4", "Xd c #A1A09D", "Xf c #9A400F", "Xg c #1C4F8E", "Xh c #9F7963", "Xj c #7B7B7B", "Xk c #ECE4E0", "Xl c #A09E9C", "Xz c #375F98", "Xx c #8296BA", "Xc c #1B4D8D", "Xv c #7A4121", "Xb c #9F9E9B", "Xn c #B79C8B", "Xm c #8196B9", "XM c #C64D0C", "XN c #1A4D8C", "XB c #9C3F07", "XV c #C54D0B", "XC c #D0BFB4", "XZ c #E4E3E2", "XA c #AEAEAD", "XS c #9E9C9A", "XD c #926449", "XF c #C54B0B", "XG c #194B8B", "XH c #AB8772", "XJ c #8A3C13", "XK c #98999E", "XL c #777777", "XP c #2D5A98", "XI c #BC4A0C", "XU c #11488D", "XY c #667284", "XT c #7B3C18", "XR c #757575", "XE c #9B9897", "XW c #3F4040", "XQ c #627EAB", "X! c #DCCDC3", "X~ c #873A10", "X^ c #71819C", "X/ c #456A9F", "X( c #737373", "X) c #824D2C", "X_ c #90A1C1", "X` c #B3470D", "X' c #838386", "X] c #8C5E43", "X[ c #7E3711", "X{ c #763A13", "X} c #43689D", "X| c #717171", "o c #7D3710", "o. 
c #0C4488", "oX c #275692", "oo c #A6A6A5", "oO c #763813", "o+ c #AA460E", "o@ c #A3B0CD", "o# c #757F8C", "o$ c #7F8182", "o% c #885C3F", "o& c #753612", "o* c #5F5D5C", "o= c #A9440D", "o- c #A4A4A3", "o; c #6D3714", "o: c #A9420D", "o> c #65789A", "o, c #6D6D6D", "o< c #A1430F", "o1 c #A0430E", "o2 c #6F87B1", "o3 c #A1410F", "o4 c #A6420A", "o5 c #6C3313", "o6 c #5375A6", "o7 c #A0410E", "o8 c #6B6B6B", "o9 c #6C85AE", "o0 c #8296BD", "oq c #9CAAC6", "ow c #6F7986", "oe c #97400F", "or c #696969", "ot c #5171A4", "oy c #5071A3", "ou c #5E6572", "oi c #676767", "op c #183C6C", "oa c #C34D0C", "os c #C4CCE0", "od c #335D97", "of c #174B8C", "og c #8E3D10", "oh c #DDCFC7", "oj c #ADB9D0", "ok c #883C14", "ol c #9B9A9A", "oz c #325B96", "ox c #DCCFC6", "oc c #7D92B8", "ov c #16498B", "ob c #A1A8B7", "on c #9A9A99", "om c #7C92B7", "oM c #ACB7CF", "oN c #C1AA9B", "oB c #BA4A0D", "oV c #8B3B0D", "oC c #15478A", "oZ c #B94A0C", "oA c #DACDC4", "oS c #7B90B6", "oD c #144789", "oF c #CECDCC", "oG c #8A7365", "oH c #B9480C", "oJ c #395B89", "oK c #BFA899", "oL c #B8460B", "oP c #703B1A", "oI c #CCCBCA", "oU c #B0470D", "oY c #7C3712", "oT c #5D7AA9", "oR c #0B448A", "oE c #4D6896", "oW c #B0450D", "oQ c #7B3711", "o! c #8C9FC0", "o~ c #743814", "o^ c #949493", "o/ c #5C78A8", "o( c #733813", "o) c #5B78A7", "o_ c #7D492A", "o` c #8B9DBF", "o' c #5D5D5D", "o] c #A7440E", "o[ c #723612", "o{ c #3F649C", "o} c #713611", "o| c #235291", "O c #723412", "O. 
c #225290", "OX c #12407D", "Oo c #713411", "OO c #5B5B5B", "O+ c #889BBC", "O@ c #A5420C", "O# c #E1D5CE", "O$ c #9E410F", "O% c #AD8D7A", "O& c #693313", "O* c #E0D5CD", "O= c #9D410E", "O- c #9E9EA0", "O; c #8D8C8C", "O: c #575757", "O> c #C94E0B", "O, c #735641", "O< c #6983AE", "O1 c #C3AEA0", "O2 c #754122", "O3 c #555555", "O4 c #734120", "O5 c #6781AC", "O6 c #8C3D11", "O7 c #76849D", "O8 c #C04B0C", "O9 c #96A6C3", "O0 c #9D745D", "Oq c #4B6DA1", "Ow c #8A3D0F", "Oe c #8B3B10", "Or c #BEBDBC", "Ot c #4A6DA0", "Oy c #BF490B", "Ou c #98989A", "Oi c #703F1D", "Op c #8E3C09", "Oa c #B74A0D", "Os c #2E5995", "Od c #515151", "Of c #2D5994", "Og c #693E20", "Oh c #B7480D", "Oj c #6F3D1C", "Ok c #804D30", "Ol c #114789", "Oz c #82726A", "Ox c #2C5993", "Oc c #B6480C", "Ov c #7C3915", "Ob c #753A18", "On c #BBB9B9", "Om c #473A3A", "OM c #4F4F4F", "ON c #778EB5", "OB c #BCC6DB", "OV c #7A828D", "OC c #9A9592", "OZ c #E5DBD5", "OA c #838282", "OS c #793712", "OD c #758CB3", "OF c #AD450D", "OG c #AFB3C1", "OH c #783711", "OJ c #713814", "OK c #4A4654", "OL c #723615", "OP c #783511", "OI c #5978A8", "OU c #AC430C", "OY c #956C55", "OT c #18417C", "OR c #703613", "OE c #5876A7", "OW c #484452", "OQ c #703413", "O! c #A4420E", "O~ c #7F4625", "O^ c #6F3412", "O/ c #7F7E7E", "O( c #5676A5", "O) c #9CACCC", "O_ c #948F8C", "O` c #673514", "O' c #A3A19E", "O] c #3A629A", "O[ c #73330C", "O{ c #456291", "O} c #B5BED4", "O| c #A17A64", "+ c #5D6977", "+. 
c #573022", "+X c #474747", "+o c #9A3F0E", "+O c #7B7A7A", "++ c #454545", "+@ c #98A8C8", "+# c #94654A", "+$ c #C64E0B", "+% c #923E10", "+& c #C64C0B", "+* c #79401F", "+= c #9D7660", "+- c #B69B89", "+; c #434343", "+: c #913C0F", "+> c #926348", "+, c #ADADAB", "+< c #88888A", "+1 c #BD4B0C", "+2 c #414141", "+3 c #647FAC", "+4 c #BCBDBD", "+5 c #795236", "+6 c #637FAB", "+7 c #CDBCB0", "+8 c #93A4C3", "+9 c #883B10", "+0 c #BC490B", "+q c #883910", "+w c #476BA0", "+e c #643B28", "+r c #3F3F3F", "+t c #627DAA", "+y c #803A12", "+u c #778EB8", "+i c #91A2C1", "+p c #B4480D", "+a c #46699F", "+s c #453A3B", "+d c #45699E", "+f c #3D3D3D", "+g c #7F3811", "+h c #0E4589", "+j c #90A0C0", "+k c #EEEEEE", "+l c #B3460C", "+z c #7E3810", "+x c #6E7E98", "+c c #56372E", "+v c #773913", "+b c #295593", "+n c #07448C", "+m c #0D4388", "+M c #285592", "+N c #773713", "+B c #717070", "+V c #7A4B2D", "+C c #ECECEC", "+Z c #AB450E", "+A c #763712", "+S c #97A0B3", "+D c #AB430E", "+F c #A5A5A3", "+G c #4D362F", "+H c #909095", "+J c #753511", "+K c #4C5670", "+L c #393939", "+P c #EAEAEA", "+I c #8E9093", "+U c #5576A7", "+Y c #A1440E", "+T c #7088B1", "+R c #A2420F", "+E c #BAA190", "+W c #6D6C6C", "+Q c #D4C4BA", "+! c #9FADC8", "+~ c #E8E8E8", "+^ c #A9AFBE", "+/ c #653515", "+( c #A1400E", "+) c #3E5276", "+_ c #6C3212", "+` c #653315", "+' c #A0400D", "+] c #9EABC7", "+[ c #814320", "+{ c #353535", "+} c #9F400C", "+| c #8D99B3", "@ c #734526", "@. 
c #5272A4", "@X c #919AAD", "@o c #983F0F", "@O c #5172A3", "@+ c #696868", "@@ c #E4E4E4", "@# c #1A4C8E", "@$ c #9E9D9C", "@% c #355E98", "@& c #973D0E", "@* c #5070A2", "@= c #65432C", "@- c #903E11", "@; c #9D9D9B", "@: c #345E97", "@> c #888A8D", "@, c #4A6FA6", "@< c #78787A", "@1 c #7F95B9", "@2 c #C44C0C", "@3 c #95A6C8", "@4 c #AFBAD1", "@5 c #8F3E10", "@6 c #313131", "@7 c #C34C0B", "@8 c #E2E2E2", "@9 c #8F3C10", "@0 c #9C9B9A", "@q c #823E17", "@w c #174A8B", "@e c #7D93B7", "@r c #164A8A", "@t c #863D11", "@y c #E0E0E0", "@u c #3D3A4A", "@i c #6D3D20", "@p c #2D2D2D", "@a c #853910", "@s c #713C1A", "@d c #5F7BAA", "@f c #A4B3D0", "@g c #B1480D", "@h c #5E7BA9", "@j c #DCDCDC", "@k c #7C3811", "@l c #8DA0C0", "@z c #B0460C", "@x c #42679E", "@c c #7B3810", "@v c #7C3611", "@b c #8D9EC0", "@n c #743913", "@m c #41679D", "@M c #784B2E", "@N c #5F5E5E", "@B c #292929", "@V c #0A4388", "@C c #8C9EBF", "@Z c #DADADA", "@A c #255592", "@S c #743713", "@D c #A8450E", "@F c #733712", "@G c #40659C", "@H c #79360E", "@J c #A8430E", "@K c #C8C8C5", "@L c #76492C", "@P c #5D5C5C", "@I c #D8D8D8", "@U c #235390", "@Y c #723511", "@T c #899CBC", "@R c #6B3614", "@E c #3E639A", "@W c #6B3414", "@Q c #9F420F", "@! c #6A3413", "@~ c #D6D6D6", "@^ c #8B8E93", "@/ c #9F400F", "@( c #E0D4CC", "@) c #3F5370", "@_ c #D4D4D4", "@` c #898C91", "@' c #755742", "@] c #9D3E0D", "@[ c #9AA9C6", "@{ c #C3C0C0", "@} c #888A90", "@| c #DED2CA", "# c #A3ABBB", "#. 
c #D2D2D2", "#X c #AEBAD3", "#o c #6C7685", "#O c #943D0E", "#+ c #993E09", "#@ c #754021", "## c #D8DEEF", "#$ c #933D0D", "#% c #8B8989", "#& c #4D6EA2", "#* c #555454", "#= c #C14C0C", "#- c #873D15", "#; c #164A8D", "#: c #D0D0D0", "#> c #8C3C10", "#, c #BFBEBC", "#< c #913D0B", "#1 c #7B93B8", "#2 c #793D1B", "#3 c #AEACA8", "#4 c #834E32", "#5 c #14488B", "#6 c #8A94A9", "#7 c #2F5A95", "#8 c #7E3C16", "#9 c #525251", "#0 c #843B12", "#q c #8A3A0E", "#w c #B8490D", "#e c #B7490C", "#r c #515050", "#t c #798FB6", "#y c #833911", "#u c #124689", "#i c #CCCCCC", "#p c #B7470C", "#a c #788FB5", "#s c #6F3C1B", "#d c #A8B4CD", "#f c #7B838D", "#g c #8D3907", "#h c #778DB4", "#j c #516A92", "#k c #86380A", "#l c #CACACA", "#z c #5C4A47", "#x c #04448F", "#c c #8B9EC1", "#v c #E4DAD3", "#b c #793611", "#n c #03428E", "#m c #C8C8C8", "#M c #7B4A2A", "#N c #AC440B", "#B c #5977A7", "#V c #919192", "#C c #E2D8D1", "#Z c #5877A6", "#A c #C6C6C6", "#S c #5C697F", "#D c #703512", "#F c #693615", "#G c #A5410E", "#H c #703312", "#J c #3C639B", "#K c #683614", "#L c #205190", "#P c #5675A4", "#I c #A3410C", "#U c #A43F0D", "#Y c #6F7A8B", "#T c #C4C4C4", "#R c #747B86", "#E c #3B619A", "#W c #484847", "#Q c #81573D", "#! c #0E4E9C", "#~ c #9C400F", "#^ c #8598BB", "#/ c #673213", "#( c #1E4F8E", "#) c #4F72A7", "#_ c #7F97BF", "#` c #5E7598", "#' c #C2C2C2", "#] c #7B7B79", "#[ c #6882AF", "#{ c #C74D0B", "#} c #C0C0C0", "#| c #8A8B8B", "$ c #734222", "$. 
c #6782AE", "$X c #8F8A86", "$o c #6682AD", "$O c #8C3C13", "$+ c #BEBEBE", "$@ c #7C5138", "$# c #4B3D40", "$$ c #6580AC", "$% c #95A5C4", "$& c #5A6F94", "$* c #ADACAA", "$= c #BE4A0C", "$- c #7D8592", "$; c #8F3B0C", "$: c #943C07", "$> c #7B4F37", "$, c #893A10", "$< c #BCBCBC", "$1 c #81868C", "$2 c #486CA0", "$3 c #813D12", "$4 c #943A07", "$5 c #A8B6D0", "$6 c #96979A", "$7 c #476A9F", "$8 c #813912", "$9 c #BABABA", "$0 c #2B5894", "$q c #B5470D", "$w c #466A9E", "$e c #803911", "$r c #0F4689", "$t c #CBB9AD", "$y c #B9BAB9", "$u c #2A5893", "$i c #9BA3B6", "$p c #85380C", "$a c #295692", "$s c #7B4C2D", "$d c #AC440E", "$f c #A7A4A4", "$g c #773612", "$h c #A3B0CB", "$j c #AB440D", "$k c #B6B6B6", "$l c #3D659F", "$z c #6F3714", "$x c #79482B", "$c c #879CC0", "$v c #7289B2", "$b c #6E3713", "$n c #7189B1", "$m c #6E3513", "$M c #B4B4B4", "$N c #74340F", "$B c #6E3313", "$V c #7087B0", "$C c #A2410E", "$Z c #8D8F91", "$A c #B2B2B2", "$S c #9A4210", "$D c #928E8C", "$F c #5473A5", "$G c #D3C3B8", "$H c #5373A4", "$J c #8B8D8F", "$K c #B89E8D", "$L c #99400F", "$P c #5273A3", "$I c #B2BDD3", "$U c #B0B0B0", "$Y c #375F99", "$T c #9E3F0A", "$R c #1B4D8E", "$E c #365F98", "$W c #983E0E", "$Q c #8196BA", "$! c #C6CEE0", "$~ c #C54D0C", "$^ c #B0BBD1", "$/ c #AEAEAE", "$( c #C44D0B", "$) c #903D10", "$_ c #7F94B8", "$` c #ACACAC", "$' c #873E11", "$] c #426DA7", "$[ c #823B16", "${ c #BB4A0C", "$} c #4F6175", "$| c #A1A6B5", "% c #AAAAAA", "%. 
c #863A10", "%X c #913A07", "%o c #834D2E", "%O c #607CAA", "%+ c #A8A8A8", "%@ c #5F7CA9", "%# c #BFC6D9", "%$ c #B2470D", "%% c #7D3911", "%& c #B2450D", "%* c #014492", "%= c #43689E", "%- c #A6A6A6", "%; c #B1450C", "%: c #564C47", "%> c #656F7A", "%, c #B0450B", "%< c #BDA495", "%1 c #004291", "%2 c #4D3731", "%3 c #BCA494", "%4 c #753613", "%5 c #41669C", "%6 c #255491", "%7 c #A4A4A4", "%8 c #743612", "%9 c #40669B", "%0 c #A8440D", "%q c #733611", "%w c #6C3714", "%e c #6C3514", "%r c #A2A2A2", "%t c #262625", "%y c #6B3513", "%u c #735949", "%i c #A0410F", "%p c #A5420A", "%a c #9F410E", "%s c #818B9C", "%d c #A0A0A0", "%f c #58433F", "%g c #9CAAC7", "%h c #6B85AE", "%j c #9BAAC6", "%k c #9E9E9E", "%l c #714426", "%z c #6B83AE", "%x c #194D8F", "%c c #888B8F", "%v c #AFBBD3", "%b c #903D13", "%n c #A89C94", "%m c #224D84", "%M c #9C9C9C", "%N c #4E6FA2", "%B c #C24D0C", "%V c #D1D1D0", "%C c #C3AC9E", "%Z c #9B9C9B", "%A c #4D6FA1", "%S c #325B97", "%D c #DCCFC7", "%F c #9E745C", "%G c #8D3B10", "%H c #9A9A9A", "%J c #7D5235", "%K c #305B95", "%L c #853C12", "%P c #14498A", "%I c #C0AA9B", "%U c #AAB7CE", "%Y c #989898", "%T c #B84A0C", "%R c #843A11", "%E c #B8480C", "%W c #5F7CAC", "%Q c #833A10", "%! c #124788", "%~ c #B7480B", "%^ c #314B6B", "%/ c #82380F", "%( c #997057", "%) c #8D3806", "%_ c #AF470D", "%` c #BAB9B6", "%' c #1A569D", "%] c #AF450D", "%[ c #7A808B", "%{ c #7A3711", "%} c #69361E", "%| c #C9C9C8", "& c #858FA3", "&. 
c #B1917F", "&X c #5B78A8", "&o c #723813", "&O c #AFB3BF", "&+ c #5A78A7", "&@ c #929292", "&# c #754A2D", "&$ c #4C4B4A", "&% c #A6440E", "&& c #A6420E", "&* c #8C8F96", "&= c #713412", "&- c #3D649B", "&; c #889BBD", "&: c #215290", "&> c #703411", "&, c #879BBC", "&< c #C7B2A5", "&1 c #B5B3B1", "&2 c #163F78", "&3 c #8799BC", "&4 c #20508F", "&5 c #926A50", "&6 c #8699BB", "&7 c #C4C3C3", "&8 c #A14209", "&9 c #2F60A1", "&0 c #683113", "&q c #9C3F0E", "&w c #C2C1C1", "&e c #944010", "&r c #8C8C8C", "&t c #233C67", "&y c #933E0F", "&u c #4D6FA4", "&i c #744122", "&p c #C0BFBF", "&a c #85898F", "&s c #8A8A8A", "&d c #6781AD", "&f c #973D09", "&g c #96A6C4", "&h c #8B3D11", "&j c #BF4B0C", "&k c #888888", "&l c #4A6DA1", "&z c #8A3B10", "&x c #4C5257", "&c c #496DA0", "&v c #B59786", "&b c #94A4C2", "&n c #8A3910", "&m c #E8DFD9", "&M c #22599E", "&N c #BCBBBB", "&B c #2D5995", "&V c #868686", "&C c #505151", "&Z c #2C5994", "&A c #433941", "&S c #B6480D", "&D c #6E3D1C", "&F c #B5480C", "&G c #004497", "&H c #813811", "&J c #104589", "&K c #2B5793", "&L c #848484", "&P c #B5460C", "&I c #768EB5", "&U c #CBB8AC", "&Y c #A5B3CC", "&T c #783912", "&R c #793713", "&E c #7C4B2D", "&W c #3D3B3B", "&Q c #758CB4", "&! c #A6806A", "&~ c #828282", "&^ c #A4B1CB", "&/ c #AC450D", "&( c #493733", "&) c #703814", "&_ c #773511", "&` c #873603", "&' c #808080", "&] c #6F3613", "&[ c #B5B5B4", "&{ c #10407F", "&} c #6F3413", "&| c #5676A6", "* c #7188B0", "*. 
c #CBD3E4", "*X c #808BA1", "*o c #7E7E7E", "*O c #CBB1A2", "*+ c #5574A5", "*@ c #663514", "*# c #7C7C7C", "*$ c #39609A", "*% c #386099", "*& c #9A3F0F", "** c #1C4E8E", "*= c #7E563C", "*- c #376098", "*; c #81411E", "*: c #993F0E", "*> c #D2C0B6", "*, c #C0C1C2", "*< c #924011", "*1 c #7A7A7A", "*2 c #D1C0B5", "*3 c #7B879C", "*4 c #1B4C8D", "*5 c #AFAFAE", "*6 c #9F9D9B", "*7 c #93654A", "*8 c #C54E0B", "*9 c #8195B9", "*0 c #1A4C8C", "*q c #913E10", "*w c #EAE3DE", "*e c #8095B8", "*r c #8B3D14", "*t c #E4E2E2", "*y c #AEADAD", "*u c #605150", "*i c #787878", "*p c #CFBEB3", "*a c #903C0F", "*s c #8F3C0E", "*d c #82878F", "*f c #767676", "*g c #637FAC", "*h c #883B11", "*j c #637DAC", "*k c #563F2F", "*l c #627DAB", "*z c #747474", "*x c #617DAA", "*c c #91A2C2", "*v c #383E43", "*b c #803813", "*n c #B3480D", "*m c #44699E", "*M c #727272", "*N c #7E3811", "*B c #DDDCDB", "*V c #B2460C", "*C c #8EA0BF", "*Z c #B1460B", "*A c #43679D", "*S c #0C4388", "*D c #275592", "*F c #A6A5A5", "*G c #707070", "*H c #794B2D", "*J c #AA450E", "*K c #F1EBE8", "*L c #A5A5A4", "*P c #784B2C", "*I c #F0EBE7", "*U c #7A7F87", "*Y c #656C79", "*T c #6D3814", "*R c #743511", "*E c #6E6E6E", "*W c #A8430C", "*Q c #6D3614", "*! c #72370F", "*~ c #76492A", "*^ c #87593E", "*/ c #2F5386", "*( c #23446D", "*) c #78340B", "*_ c #A1420F", "*` c #39629D", "*' c #6C6C6C", "*] c #A0420E", "*[ c #8C8E92", "*{ c #744728", "*} c #6E86B0", "*| c #B3BED6", "= c #9EABC8", "=. 
c #6B3212", "=X c #6D86AF", "=o c #252323", "=O c #6A6A6A", "=+ c #724526", "=@ c #734327", "=# c #973F0F", "=$ c #724326", "=% c #885435", "=& c #686868", "=* c #5070A3", "== c #9D9D9C", "=- c #91654B", "=; c #4F70A2", "=: c #7484A2", "=> c #7D3F1D", "=, c #4E70A1", "=< c #C34C0C", "=1 c #865233", "=2 c #335C97", "=3 c #174A8C", "=4 c #D1D0CF", "=5 c #8E3C10", "=6 c #9B9B9A", "=7 c #325C96", "=8 c #6E4122", "=9 c #ADB8D0", "=0 c #315C95", "=q c #7C8496", "=w c #863D12", "=e c #AAABAC", "=r c #747677", "=t c #BA4B0D", "=y c #7C91B7", "=u c #7B91B6", "=i c #723E1C", "=p c #C0A99A", "=a c #8C6146", "=s c #B9490C", "=d c #989797", "=f c #626262", "=g c #5F7BAB", "=h c #6E7E9C", "=j c #537BB3", "=k c #698CC2", "=l c #7C3A12", "=z c #5E7BAA", "=x c #3D68A4", "=c c #969595", "=v c #606060", "=b c #7C3812", "=n c #CBCAC9", "=m c #B0460D", "=M c #05448E", "=N c #5D79A9", "=B c #8690A3", "=V c #8C3704", "=C c #5C79A8", "=Z c #80370C", "=A c #733913", "=S c #8F9298", "=D c #7A3610", "=F c #094388", "=G c #4B6794", "=H c #A7450E", "=J c #3F659C", "=K c #A7430E", "=L c #235391", "=P c #C8C6C6", "=I c #723512", "=U c #3E659B", "=Y c #929191", "=T c #02408B", "=R c #713511", "=E c #3E639B", "=W c #5B3323", "=Q c #6A3614", "=! c #3D639A", "=~ c #908F8F", "=^ c #E1D6CE", "=/ c #5A5A5A", "=( c #C5C4C3", "=) c #8F8F8E", "=_ c #9E400F", "=` c #A3410A", "=' c #9D400E", "=] c #C4AFA1", "=[ c #953F10", "={ c #99A9C6", "=} c #7C411F", "=| c #943F0F", "- c #989AA4", "-. 
c #8C8B8B", "-X c #565656", "-o c #6982AE", "-O c #8E3E13", "-+ c #943D0F", "-@ c #8C3E11", "-# c #74787A", "-$ c #C04C0C", "-% c #8C3C11", "-& c #8D634A", "-* c #5C4F52", "-= c #4B6EA1", "-- c #72401F", "-; c #71401E", "-: c #9FA7B8", "-> c #8B3A10", "-, c #2F5A96", "-< c #7E3C17", "-1 c #4A6CA0", "-2 c #525252", "-3 c #8A3A0F", "-4 c #703E1D", "-5 c #833B12", "-6 c #814E31", "-7 c #893A0E", "-8 c #B7490D", "-9 c #2E5895", "-0 c #2D5894", "-q c #868585", "-w c #B7470D", "-e c #505050", "-r c #7F4E2F", "-t c #788FB6", "-y c #823911", "-u c #114689", "-i c #BBBAB9", "-p c #2C5893", "-a c #B6470C", "-s c #E6DCD6", "-d c #844B2A", "-f c #4E4E4E", "-g c #768DB4", "-h c #BBC5DA", "-j c #6B7C9C", "-k c #8B3706", "-l c #CAB7AA", "-z c #AD460D", "-x c #AE440E", "-c c #AC440C", "-v c #A7A4A2", "-b c #4D688F", "-n c #5877A7", "-m c #486594", "-M c #703513", "-N c #4A4A4A", "-B c #A4430E", "-V c #6C7993", "-C c #B5B4B3", "-Z c #A4410E", "-A c #8B7D76", "-S c #5675A5", "-D c #673614", "-F c #B3B2B1", "-G c #3A619A", "-H c #1E4F8F", "-J c #9B400F", "-K c #8498BB", "-L c #1D4F8E", "-P c #B1B0AF", "-I c #1C4D8D", "-U c #A09E9B", "-Y c #81401D", "-T c #8296B9", "-R c #C74D0C", "-E c #7D553A", "-W c #80401C", "-Q c #444444", "-! c #C64D0B", "-~ c #D1BFB4", "-^ c #8C3E14", "-/ c #D0BFB3", "-( c #A5AAB7", "-) c #913D0F", "-_ c #EAE2DD", "-` c #89898B", "-' c #8B654B", "-] c #BEBEBF", "-[ c #7E3E1A", "-{ c #424242", "-} c #893E11", "-| c #9C3B06", "; c #777776", ";. 
c #833D15", ";X c #6480AC", ";o c #ACACAA", ";O c #BD4A0C", ";+ c #A9B6D2", ";@ c #7F5032", ";# c #404040", ";$ c #637EAB", ";% c #883A10", ";& c #8F6045", ";* c #92A3C2", ";= c #AAAAA8", ";- c #803B12", ";; c #949799", ";: c #B4490D", ";> c #95959A", ";, c #466A9F", ";< c #3E3E3E", ";1 c #91A1C1", ";2 c #EFEFEF", ";3 c #2A5894", ";4 c #A9A8A7", ";5 c #949599", ";6 c #B4470D", ";7 c #85380D", ";8 c #B3470C", ";9 c #773A13", ";0 c #44689D", ";q c #0D4488", ";w c #EDEDED", ";e c #285692", ";r c #A7A6A5", ";t c #773813", ";y c #763612", ";u c #EBEBEB", ";i c #AA440D", ";p c #B5B6B6", ";a c #DBD9D8", ";s c #A5A4A3", ";d c #753611", ";f c #784A2B", ";g c #6E3714", ";h c #A9440C", ";j c #503828", ";k c #B6C1D8", ";l c #383838", ";z c #7089B1", ";x c #A0AEC9", ";c c #E9E9E9", ";v c #A1430E", ";b c #7087B1", ";n c #1E5192", ";m c #EEE8E4", ";M c #5A453F", ";N c #A1410E", ";B c #57697E", ";V c #6C3312", ";C c #D8D5D5", ";Z c #363636", ";A c #48648D", ";S c #744627", ";D c #5373A5", ";F c #1C4F90", ";G c #5273A4", ";H c #624533", ";J c #98400F", ";K c #5271A4", ";L c #343434", ";P c #E5E5E5", ";I c #983E0F", ";U c #263C65", ";Y c #898B8E", ";T c #5071A2", ";R c #784121", ";E c #7E401D", ";W c #355D98", ";Q c #323232", ";! c #C44D0C", ";~ c #5A7198", ";^ c #E3E3E3", ";/ c #5A80B9", ";( c #345D97", ";) c #C34D0B", ";_ c #7F94B9", ";` c #184B8C", ";' c #8F3D10", ";] c #865132", ";[ c #8E3D0F", ";{ c #9C9A9A", ";} c #303030", ";| c #873E12", ": c #7E92B8", ":. 
c #7D92B7", ":X c #C2CADD", ":o c #16498A", ":O c #473D40", ":+ c #863C11", ":@ c #00367B", ":# c #CFCFCC", ":$ c #913C08", ":% c #BA4A0C", ":& c #2E2E2E", ":* c #BA480C", ":= c #556D93", ":- c #CECDCB", ":; c #B9480B", ":: c #7D3B12", ":> c #4A3A39", ":, c #D9CBC2", ":< c #2C2C2C", ":1 c #DDDDDD", ":2 c #B1490D", ":3 c #A7A8A8", ":4 c #CCCBC9", ":5 c #B1470D", ":6 c #B1450D", ":7 c #7C3711", ":8 c #5D7AA8", ":9 c #8D9FC0", ":0 c #82360D", ":q c #DBDBDB", ":w c #909398", ":e c #7B3710", ":r c #743813", ":t c #AF450B", ":y c #5C78A7", ":u c #8C9DBF", ":i c #255492", ":p c #282828", ":a c #7189B5", ":s c #8B9DBE", ":d c #A8440E", ":f c #D9D9D9", ":g c #245491", ":h c #8E9196", ":j c #99918D", ":k c #6F89B3", ":l c #A7420D", ":z c #8D8F95", ":x c #723411", ":c c #262626", ":v c #D7D7D7", ":b c #A1A2A2", ":n c #9F430F", ":m c #878C99", ":M c #9F410F", ":N c #7A4526", ":B c #002E67", ":V c #8298BF", ":C c #9FA0A0", ":Z c #9BAAC7", ":A c #DFD3CB", ":S c #222222", ":D c #D3D3D3", ":F c #C4AEA0", ":G c #953E0F", ":H c #99A8C5", ":J c #DDD1C9", ":K c #A98975", ":L c #D1D1D1", ":P c #86898E", ":I c #4D6FA2", ":U c #555554", ":Y c #C14B0C", ":T c #646566", ":R c #1E1E1E", ":E c #8C3B10", ":W c #305B96", ":Q c #747579", ":! c #7F3D17", ":~ c #7A3A1C", ":^ c #B4B9C5", ":/ c #2F5995", ":( c #454A62", ":) c #843A12", ":_ c #13478A", ":` c #CDCDCD", ":' c #2E5994", ":] c #B8480D", ":[ c #8FA1C5", ":{ c #798EB6", ":} c #A8B5CD", ":| c #ABA9A5", "> c #CBCBCB", ">. 
c #004495", ">X c #B6460B", ">o c #AF470E", ">O c #365788", ">+ c #A6B3CB", ">@ c #AE470D", "># c #C9C9C9", ">$ c #5F6C82", ">% c #793711", ">& c #A0B0CF", ">* c #CAB6A9", ">= c #723814", ">- c #AD450C", ">; c #E4D9D3", ">: c #5A78A8", ">> c #5978A7", ">, c #0E3064", ">< c #AC430B", ">1 c #919292", ">2 c #939DB5", ">3 c #B6B5B3", ">4 c #713413", ">5 c #3D649C", ">6 c #A5420E", ">7 c #AA4309", ">8 c #3763A0", ">9 c #703412", ">0 c #807E7E", ">q c #5776A5", ">w c #A4420D", ">e c #C5C5C5", ">r c #683514", ">t c #A4A19E", ">y c #3B629A", ">u c #002C6A", ">i c #A3400C", ">p c #A84107", ">a c #1F508F", ">s c #3A6299", ">d c #8E8E8F", ">f c #9C410F", ">g c #1E508E", ">h c #C3C3C3", ">j c #6A85B1", ">k c #736964", ">l c #9B3F0E", ">z c #865538", ">x c #8497BA", ">c c #828A97", ">v c #944011", ">b c #C84E0C", ">n c #C74E0B", ">m c #933E10", ">M c #703E29", ">N c #2C3C5D", ">B c #8A8A8B", ">V c #3A506E", ">C c #BFBFBF", ">Z c #AEADAB", ">A c #6581AC", ">S c #783E1D", ">D c #7C5038", ">F c #BE4B0C", ">G c #BDBDBD", ">H c #82878D", ">J c #403A49", ">K c #777675", ">L c #BE490C", ">P c #94A4C3", ">I c #BD490B", ">U c #643D27", ">Y c #868687", ">T c #BBBBBB", ">R c #476B9F", ">E c #87390E", ">W c #2B5994", ">Q c #B5480D", ">! c #7E4D30", ">~ c #91A2C0", ">^ c #B4480C", ">/ c #B5460D", ">( c #803811", ">) c #0F4589", ">_ c #B9B9B9", ">` c #2A5793", ">' c #295792", ">] c #8E939C", ">[ c #B3460B", ">{ c #783913", ">} c #7C4B2E", ">| c #AC470E", ", c #0E4388", ",. 
c #8E919C", ",X c #07448B", ",o c #748CB4", ",O c #B7B7B7", ",+ c #773712", ",@ c #ECECEB", ",# c #AB450D", ",$ c #B14409", ",% c #7A492C", ",& c #6F3814", ",* c #AB430D", ",= c #763511", ",- c #79492B", ",; c #728AB2", ",: c #B7C2D8", ",> c #7F4827", ",, c #B5B5B5", ",< c #15529C", ",1 c #718AB1", ",2 c #A8430A", ",3 c #BBA190", ",4 c #B3B3B3", ",5 c #8E8E92", ",6 c #6D6C6B", ",7 c #764728", ",8 c #A1420D", ",9 c #6D3212", ",0 c #EEE7E3", ",q c #5C6978", ",w c None", /* pixels */ ",w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w@Z$9>C#' .*EX(X(*M+{@6;Q@p:S:p:<@B:R.2,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w#.#m> #T.0X#&~X =&-Q+f-{:c:<+L;Z@6;e#A$+$k . 2 j A%r%r Y `%H%H `. %Y%H `%H%H%H%H%H p-2&L,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w,w,w-Qo'%Y%d%k%k%r% $A$<>#:D:v:1;P+C,w+C@@@8:q:D#i>e>C>_$M & q%+%7%r%d Y Q%M%H%H. . . . . %--X.R,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w,w.R@6-Q%H$<$k$k>_#':`@~@j;^+~,w,w,w,w,w+P@y:v#:>##'>G,O$A$/% j A J Y%k%M `%H%H. . . . . %--X&s,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w$MX1;<:&.F$9$A$A,,$+#m:L@I@y;P;u,w,w,w,w;c@y:v#:#l>e>C>_$M & q:3*F;4*L;sX8XwXdO'>tXuol. . j-X&L,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,wo,#W&$%tX >T$A$A,,$+>#@_:q;^;u,w,w,w,w,w,w,@XZ*B=nOr%`&1.J#3:|.*Y+ $},q+I@0. %7or*',w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w+O#r#*=oOA>T$A,4$y.g%|=(oI=4oF:-:#:4 }:bOu#V*[.b$1*U#Row#oXY>$#S.e#j-b;A.PoJ>O*/%m%^:P@;. J*foi+C,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w=c@P@N 0&s>G,4XAO-$6;;$Z+HXK:w>],.:m>c& *X*3O7X^=h-jo>#`;~.{=GO{ D@,.;$l*`.ZXP h b*(>H ;. JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w$M@+ $++*#$U$koo,5- &O-($|obX@.8>2+|.z+@@3:[X5o0.Y+u:a>j <%WX:o6&uX/ C#E *%K&K%6;nop t*6. JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w,wX|+Bo'=v%M$9o-;5:^##X0osOB;k%v$5o@.n+8o!&3*9=y-gX9%z;X@d#B;G=,>R v#J$Y 'Ox n&:;F.3#f-U. JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w,w=/>K>0OM.F>Go-;>OG*.%#.f$I=9>+;x@[&b*C&;XxocON,1o9.Q f&+Xp%N&c*A@E*%%S-9;e.j#(%x:BOVXl. 
JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w$k&r@po* R:U&k>G;s k+^$!.wXsoj#dX7:Z$%X_@T>x: #t,; I&d*x=C*+=;-1*m=UXiodOs$a=L-HXN#;>uo#Xb. JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w@~@p;};}&W#%=f.F>G+F=S# :XO}@4:}X2oq&g;1o`#^;_#tX**}.H;$:8>q@OOq+a%9O] :-,;3%6>aXc@rOl:@;Bo^=6 JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w-Q+;+;XWon,6O;>G*L:h-:-h$^%U&^+].I;*@C&6*e=uX$+T-o+3%@#Z$P%A>R v.k$Eoz-p:i#L-I 8%!+m#n>V+<@$ JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w*zOOo'-{$*XE=c,,;r:z$i,:oM&Y+!:H>P@lO+Xm@e&I$n E.Q%O>>Xp%N$2X}=!*-=7-0*D&:-L;`oC+m@V=T@)>B== JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w%Y*M*z-N#,@{-.%r;=&*+S*|#dX7%j./+jO+>x:..*,; I$.+t:y*+@*Ot*mo{*$od:'+bo|Xa*0#5+h@V@V=T@)>B== JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w$A&~&ko8On;C.v.%+,@^@X#X$h%gO9;1:s-K 7:{OD L.H*j=N&|otOq+d@G-G;W#7>`.yXy@#ov-u=F@V@V=T@)>B== JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w:f&V. %k.B,w&@X,-P@}#6;+= .I*c:u.m@1=u&Q$VO<*g=zOE$H:I+w@x#J$Y ]>W@A.c$R=3#uo.@V@V@V=T@)>B== JXLor,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w.v$A+4 J*t=~>Y-F%c=B@f={+8:9&,$Q#1&I;z%h>A=g>:;D ^&cX}&- + '&BoX&:-Lof:_;q@V@V@V@V=T@)>B==%rXR=O,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w 2>h#.$f;a=)&k-C@>%s>&$%+jO+>xoc-t,; I.L*lo/-S=*&l*m=J-G;(:/$a@U#( -#5$r@V@V@V@V@V=T@)>B==%-=/*i,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w p>h:D Q> . 
&@&[-`=qO)+io`-K 7:{,o*}.H;$oT&|;KOq$w%5>y@%:W>`=L>a*4:o&J@V@V@V@V@V@V=T@)>B==%-=/&~,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w,4$+:L.s&N.U;{*5>1$->~@b.m$_oS&Qo2-o+6@h-n@.#&$7@m#JXz=0$0:i&4-I@w#uo.@V@V@V@V@V@V=T@)>B==%-O:.R,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w>T &#}.F;p*y-q J;o*d=:#c-Tom#h* E.Q%Oo)$F=;-1;0=E*%=2Os+M&:XgXGoD, @V@V@V@V@V@V@V=T@)>B==%-O:.R,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w$`%r$U&'$`@K#]&k>3&a+x$c@e#a,; I$o+t&X#P;T.~+d@G>s@:.+>'@U>gXN%P>)=F@V@V@V@V@V@V@V=T@)>B==%-O:&s,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w#'.s YXR%7%V; *o-i@`-V:V#t,o*}#[XQ:8O( @-=;,%5>y@%%K$u:g>aXc@rXX@V@V@V@V@V@V@V@V@V=T@)>B== j#9X',w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w,w*1&s=& Q.$*f*o.'$J U#_&Q;b-o*g.1-n@.:I+w@m.kXz ]&Z n#L** 8.=*S@V@V@V@V@V@V@V@V,X%1 %;Y:C=eXo:j,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w,w*zXjo'=d=P*iX,&p%Z#Y=X$v E$$@dOI$F ^&c%=>5*% )Of;eO.-L /XUoR+n=M=M#x%*%*.,>.&GOX>,ou$XO_OC%:oGX!XC XX%XOXH B@|,w,w,w", ",w,w,w,w,w,w+Wo,&C=Y&wO/#|&7>Z%[$&:kO5+t.q+U#) 5$]=x>8&9 (&M%',<#!XUOT&{&2;U&t>N>J@u&AOm+s+c+. N>D$>$@@i#@=%;]=1%o#2&R+*&v,w,w,w", ",w,w,w,w,w,w:T=v-Q>d-].Ao$.x*, F:==k.M;/=joyoE-m+KX4+):(OKOW.V$#:O:>%2&(+G=W.7%}oY.|;7Op#+*)@H+},2o4%p;h+Z M M M M*J&%;. 
m,w,w,w", ",w,w,w,w,w,w*G&x*v=r-v$D>k-A%nOz*u |X3 ~-*#z;M%f>U+e>M:~ d*b:0#g$::$.K P&8=`>7,2-c%,@z>^;O%/$g>^-!@7@7oaoa=<=<=<=<@2XI-O+#,w,w,w", ",w,w,w*> 4*O%u*k;j;H@'O,@=.C-6;ROP>(=Z&`=V%)$4XB*!O[>p,$:t:t>-;6:*%E$=+$XVXVoaoa=< _ _#= =-7.9oU#=>F>F>F>F>F>F>F>F&j.#-%>z,w,w,w", ",w,w,w.[-<$[>($poV#k-k%X#<&f-|$TO@><#N;8%E%EOy.S=A#H&S$~ _ _ _#=-$-$.E>F>F>F>F>F>F>F>F>F _#q#D>@ _>F>F>F>F>F>F>F>F&j=s.G&i,w,w,w", ",w,w,w*T:G%0o=%&OhOh:Y#{-!XV$($(;) _ _#=-$-$.EO8o~&0:5#=>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F#= >>ro+ _>F>F>F>F>F>F>F>F&j${@/O4,w,w,w", ",w,w,woP&q-$;!#=-$-$&j>F>F>F>F>F>F>F>F>F>F>F>FO8 z ooU#=>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F#=#U*Q M _>F>F>F>F>F>F>F>F&j${:M--,w,w,w", ",w,w,w#4$):%&j>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F&j e#/.6#=>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F#=>i$b%i$=&j>F>F>F>F>F>F>F>F+1o]-4=^,w,w", ",w,w,w.5@-:%&j>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F&j*hO&&&>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F-$*Z&o=[ r#=-$-$-$-$-$#=#=#=oa=t&D:A,w,w", ",w,w,w+>.o.#&j>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F&j+%#D#~${&j>F>F>F&j&j&j&j&j&j&j-$-$-$#=#=&jXV;9>m&F#w&S&S&S&S+p%_oUoUX`*J#s+Q,w,w", ",w,w,w:K#8.#&j>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>FO8*&.a-J${O8O8O8O8&jXIXI${.#.##e+p+p+p@g@gOF$C.r-y&y#>;%$,$,->-y%8$g$g+N a#M,3,w,w", ",w,w,wXn:!.#&j>F>F>F>F&j&j&j&j&j&j&j&j&j&jXIXIXI=#>9=5:5Oa>Q*n;:&/o7O$$L {:E$,+A$g$g+/*@>r#K&=&]o;,&@So&;yOH>%%%+zo OLX]>*#v,w,w", ",w,w,w$KOb.}O8>F>F;O;OXI${${${:%oZoZ#w#w&S*_+R=_$e;g.a#b:7;d%y.h@R@Ro;;gOR=R#D.aOQ>4o[=DX+.: ,$W@&&&-x+DOh;! _ _;!oB.D%(,w,w,w,w", ",w,w,w$GOj gXI w+l:l>6.N-)+:.)*N@kX&-D.h=Q%wo;;g.a=Ro&@Y:x&_@v#yOe.!@]$d#G.>$8oW#p#=#=#=#=#=-$-$-$&j&j&j&j>F>F>F-$Oh$O m,w,w,w,w", ",w,w,woA=i;y$zo;o;o;o;o;$mOQ-MO^o5o5o5@WX6$;*:@J@JOUXI&j>F>F>F>F>F>F>F-$+p+q%R$(>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F-$.#;[+V,w,w,w,w", ",w,w,w O=-o_@s%e@W@! 
H,+&H.)#O='o:%;${>fOJ-$+1>F>F>F>F>F>F>F>F>F>F>F>F-$Oc+9X{XV>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F&j${#~*H,w,w,w,w", ",w,w,w,w*7..*s@/#GX`.@%T:%${${XI;O>F${#~&).&>F>F>F>F>F>F>F>F>F>F>F>F>F&j r=[ xXV>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F&j${#~;f,w,w,w,w", ",w,w,w,w 6Ov%$;O;O>F&j&j&j&j>F>F>F>F$=,*;gX->F>F>F>F>F>F>F>F>F>F>F>F>F&j r=[@n [>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F&jXI+';S>;,w,w,w", ",w,w,w,w+--W>Q-$>F>F>F>F>F>F>F>F>F>FO8:5o;X->F>F>F>F>F>F>F>F>F>F>F>F>F&j;O='&) l&j>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>FO8%_=+O#,w,w,w", ",w,w,w,w%3-Y>Q-$>F>F>F>F>F>F>F>F>F>F-$ g@Ro7>F>F>F>F>F>F>F>F>F>F>F>F>F>F#=@D$z:6&j>F>F>F>F>F>F>F>F>F.E-$-$#= _ _ _>n#e=$%D,w,w,w", ",w,w,w,woNO4 g-$>F>F>F>F>F>F>F>F>F>F-$+p%4;I>F>F>F>F>F>F>F>F>F>F>F>F>F>Foa>|%w$j%B#=oaoaoaXVXV-!#{O>Oy&P>/%]>w-Z@/*qO6.WoK,w,w,w", ",w,w,w,w:,%l@g#=>F>F>F>F>F>F>F>F>F>F-$>Q:7;I>F>F-$-$-$%Boaoa$(XVXV#{.SXF.`-B#D+o-w:6O!O!*_=[=|og.X$3::>{+vo(&]O Xq#/,9O2-~,w,w,w", ",w,w,w,w.l=+.6O8>F>F>F>F>F>F>F>F&j-$oaoB@k@9#{#{-wX.-w;i=K.i>foe=|-@;|=w;-;t;V>=>{oOOQ+J*R&>&}XqOoOH*N i&z&e+Yo1;v%a%G,-,w,w,w,w", ",w,w,w,w>;;S$C;O-$-$%Boa$(XV-!+&>L$q l$C zX<$'$' s-5;- VO o[+_+_=.=.o}%q>%-3>EOwXr$S>f K*] !.uX[Xe@z*V>X:;.^XV;!$~#=:M;f,w,w,w,w", ",w,w,w,w,w*~:M 1;OoHoW:d*_Xf>v-@:+ s.4,=*R$N-5-5+y#F&T=5 W;J #>l.N,8*W S-coL>[%~-!XVXV;!$~&j@k%.-8XM#=-$-$.E>F>F&jXI+(*{&m,w,w,w", ",w,w,w,w,w$s%L T-}.]:7oQ@c:e=b=l#0&h*< W-J#IoHoH-aOJ@o>IXVXV$~$~$~;!oaoa%B-$#=#=>F>F>F>F>F+$%%OS%_ _>F>F>F>F>F>F>F&jOF=+@(,w,w,w", ",w,w,w,w,w&5-'Og@F@t@5 WO=.dOF;6:* [#{-!XV;!-$-$-R=A-JXI&j>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F$~@k=I-z _>F>F>F>F>F>F>F#=:2%l:A,w,w,w", ",w,w,w,w,w:J*I#Q.O+0O>XV;!;!%B-$-$.E>F>F>F>F>F>F=<:r*a.#.E>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F;!$e$B+Z _>F>F>F>F>F>F>F-$@g$ &U,w,w,w", ",w,w,w,w,w,w,wOY i%$#=>F>F>F>F>F>F>F>F>F>F>F>F>F _ z$,>Q-$>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F>F;!X~+`=H*8-$#= _ _ _ _=<$~Oh>S+E,w,w,w", ",w,w,w,w,w,w,w&!ok%$#=>F>F>F>F>F>F>F>F>F>F>F>F>F _+9Oe>Q-$>F>F>F>F>F>F>F>F&j&j.E-$-$-$#=#=>b:EO`@Q:];6=mX=-zX=@D.t=H:n.T+-,w,w,w", ",w,w,w,w,w,w,w 
u@q%_#=>F>F>F>F>F>F>F>F>F>F>F>F>F _.(%Q+p#=&j-$-$-$-$#=#=&j:%${=s&S&S+p:5:5X`@a@R+gXJ-^ y=}-d,> Z+5*=-E=a:F,w,w,w", ",w,w,w,w,w,w,w%F&j&j&j&j&j&j-$-$-$-$-$&j>F#$%{,#oB-8>Q g g@g>@>o M@oXf-+X~*r#-=>.p:N$x;@-&XhX>O|Xn*p-l-/#C;m,0,w,w,w,w,w", ",w,w,w,w,w,w,w$tX),#=<$=XIXI${oZ=s.#.}.}.}*n*nOF G&nX;@5 3%G:)-[+[Xv=@&#@L@M%J%J*^O0%F&.O1=]*2*w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w,w,w+7>}o< 9OF;No3-J;'%bXJXT*;;E=8=+@ ,7,%&E*P>!Ok;&O%oN%I-/-_OZXk,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w,w", ",w,w,w,w,w,w,w-so%@ROjOj-;O4Oi-rXtXD+==p c&Qł"z)I3OdDB`XpB }KcËS · a-+QU`2 )v)8v_RIENDB`fwbuilder-5.3.7/src/libgui/Icons/folder-neg_25.png000066400000000000000000000023661303637203600216760ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڼLSW}ﵴ*8)cd1#09Yb E!3#d.\K3$F" Y7P"zXhl}s9>B)qcw8~M( yu\w,8力lȬ!l`KO,qk T%#qI*(`" ]K9Ѳ 3B VܟБ_bEَ{S>5}e@R 5B: d K"TȄzgQ:74~tZwC'?BY@r1[s ڱ ة>RoQ&)aשN  _Wfhŝ8~\X[Nqq}r+jVž=@dO(mz Jj(SP"hU/_{{{۝KyPyC.Bk*VWئ!qOu4ggȘ=0>Jx1*Y৚v \61@%@koT/&=~eb#V{'cgJT_/Ur!tb q5SU_nJxj˖ؠY!~-SBp7hH#?74<଴Jw)qi8[ww5۹s߬fg[S? BZ)F&cr`*Ё䇐&~C޽1-#s\g[cuuFeÇK =L~j~g9ï" yd#GbP6a "\gdIENDB`fwbuilder-5.3.7/src/libgui/Icons/folder-ref_25.png000066400000000000000000000017011303637203600216710ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<cIDATxVMLQl[JZ 7c™Ą $ě7cOk8Q 'bjx($%$Gt罷B@kofvv7[@Vo+~$!'Bm׺Kjoh1FII[mzqP:MVӨSdCYqZyR;96^̼}{40~,AИqKmJ#Mެ#Y?w7ҢLyy#2P%}J+dӕfjw딍;*MiEHRl)  PH98^Jx̃6.C-Ttl]tm2$gd^kbZ pW5pQ`d"?S :-IJ{X(1 dCj~ގQyˎɱ잻=ίU`W?ߎ0P}wBŭE'V d fn$'}9'`>mHm;J)hdd+Y3@άv@ɏ# xR,..p5C˃I,L459u͚ubhx O arrVVVIᰬDI"I p[Kl@  0:: BH,--ɤzE<~ةU U!IDt?$ zKT `nn)>dtNuʭK`Ay{aaHGGJ%lvvVnzz(j[ޢz1c  #`2DLG8 H^ xZ; O?L""IENDB`fwbuilder-5.3.7/src/libgui/Icons/folder1.png000066400000000000000000000007611303637203600206770ustar00rootroot00000000000000PNG  IHDRagAMA7tEXtSoftwareAdobe ImageReadyqe<IDATxb?% (c{bH6`E]z[ON/?!"ÈW.ONY3p31 F66fU2 . 
C@axo@ LQȀ_!W0 @ Zo?2l?!>~g`d$!™T/P@ 4ϧ LL ?@ k  ?|g'X?4@auȹ׻oX] @.##ÿl3?`x|7_A\@`v7s FJ3@^QfIENDB`fwbuilder-5.3.7/src/libgui/Icons/folder_16.png000066400000000000000000000010061303637203600211150ustar00rootroot00000000000000PNG  IHDRa pHYs  IDAT8JQ-MB Q$/؉be#`hؤX(nd̜AȲ33?gw"2?ar WOk݃&/OkŃ=..? @)Ҹ7+͙^&wPߜva[ZJ؅2/N}PT?Y(U ?(B&ul 7jRZ2&{IK<82: rAVid6DFyhN|q$¤q~7_=3߾,+~ 0H=DIENDB`fwbuilder-5.3.7/src/libgui/Icons/folder_25_.png000066400000000000000000000015301303637203600212560ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxVMhQ&$U*TV "GA(x`O͛(xG<+!PXشIMv3yKR*"n27g7f7HDp; [)ݾvlO>dsԃNL"{FT:`@VTKaB)23ӤSt}>+ 7φ>g^*ƾMh~Huܝ9n=cf^W!yBБ>H!\.Tg XϥےUۇ%{Q-HntPQ#]%ސQUZQ~j0zqDu;5k>+ܙjYN0j50PafMF*RfT ?b`n DxZ w ȆrJS<8ẠovDZʫgǗ5<-]gHR.UdFU:(k) a)H8QD X"@'<  @(`V8eNٝr~.}ѴNuk QppX؜o`6$)F{؝M>ru_utMfY/,6>ZI=A5\&|%'`^zz!_lgz @*eRP9 sY gdn{3}ғ}u ϜĤn5w}̍@^$ pO;a6俿ccK|i bsa򧞽-5kLuT5Gׁ /6,{_ׇ&wI2( c )M耟yսGC:#4G4k e|\̕Lx}x-J}OUf" e{O9C" xhFMz4z|11 *x}ZX"[> z̸5=屆D5DQH!;܅g?so}'IaCwAߛq3Tf2YgPvIoCoq1`sꣿ x*j^4U0+Phı܀S'3~UX`oȭ/~a=,Go)Xg*xWS^jTʊ{'@~u0ѿ?b92ltQoq/eXݿ dO;/_b"J4&n *Fn .6!V#!Z?f*Xwʯk9v?);q|BfwOِ:0yC"߃*#Ol?VhKU:Gvk4Fm5·`A}| |&T?˱-ͽX1}_0>퀙NU OjIUO/?1t_|T{[g8LQYSK/Ʒ^d"4/_nK_"(Itڸg>Y+ocv?{S 54 BgL9лdMۭwd4] gil)O5lWXަ,opjjIa&П͆H *mdzKiv >D i>bWƑF9oDdnr6l>g/ dj8f!LlR bVŊLԴ1GڦƘôɠn4{ V_ OBHHXΠS:{Q^*M7XE {6p5܉v+Ѿ{6,8mˌ PyQa6hJGMUi"13(GH墍R6\vZ>aq {)-A3- ؝Bx6-(AG "tk (ቊ-O6ϑplHI{H$% ǘ <}3R C(ˬ$mr 6d)IPl~}bU5:.'yìu5p/zm=0pA!j khp\zzۍ|eF 6 o\̽ FQ4Xr7h<"0Z@,83I]G-+vWfp".Z@6ܤa.KˆTXh)q_Q+[KTJk AzNXfb^h)Y;a9YfRP nxdm$mE0"zMRfМʌ3R)qqBH kX`)c%X1];lANM m؀yU,CkEcjg=û^KzMTY4- [_UȞ/sj3ꭰ@\i|;glD: h>A|ĔC֪nzT’ raA%:lؠ+pj}]E1UNA"VрպE:uSodBŖ"]b-!FO!*`VCR2_LJ}HM15/ꃝ^<<]qP۱|i#1?u*fMmΥAb~hEe^֍-2[2㝛tqa'UԷ,7 Ry $)uTJTRSJ`0IΖ1>V eMj@ewm7CԌȮY%h.8VY.t`Ulۘa 9h/uF<[<@ɞ0c. 
)ap2a ))D 0~%Vr-[_)xfYl ~ZZ ̖>nЌLɔfP}uVMEۙN6Tx,Cnrj4-M_,P9Yd~>0AD"V(yWS`Tb/H||i#FUl>\NE7a;T S.<Şdn^|lt95ApkLz/XF'$ Ju$c'ֵr&FYl.mC\c[JT2 6 r6,ȵsOÄ jT@&Ǭ2[-]֗yjk%WrN`ŊWg6v< .*ڄDJA 2nf|pu&t2*k%;|yA]Hhs}8 ,W28j  I Qm%n7\j3@YGk7GΐC= .d^c~i1YX:յ#3R:>KB$3JE{o3L('jЪ4kfmzgܺ3/ ֏Zd>ÉM[!sx;fDy`5:?{ X\ `[Gz$ƌ}82h[f2..C19l!P@I%SQ%AAK$YĤ*{sYw.\f9v[ }鹫3Fp!37іG<4G?(6 ^5]i֚-kg* /jiTG]2CC#c{tCeWK|:+$Tf2˽[0cܽ.\+[Ҳ!mM{Rź>c~o`L.81kw6nJ>vW'-AC$7WA=+l1t}Egqn-S%>Ha0F+m3v/N.wierIENDB`fwbuilder-5.3.7/src/libgui/Icons/forward_25.png000066400000000000000000000014711303637203600213140ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴVAkA~3;MkbШh/ڃXEу^jE=yЋVO < "xE"zR4fwf7لjcM}̼7{޼7#ZT]iDXAWpW=XovAo;u4@vqE{Mgl+bB=6;b)X3&}7|NW=ēѫSWy{@ݝ$ H}ݺczS984ŻviGޡάtJ%ź@4P nCf LsEU "͢f2Y;nWdC-M/8Y_"FNm)wԋs6GhG,fXC-iZvR@˫W4]Ms_r=mQ.,(My4MʤRV655`%Opy"Kߧ{ѳ*Xv8AقTbpq3o|/9fE @al!>'GykNUxsddEBp4ٞaY|\K&I: :OD NMkźcX:ut f}3U>QTEqe2InIoNmcce MsWKk.-cLRR%5@&L?ȍ^N 9@3@AO[lF-w`)::;(zIENDB`fwbuilder-5.3.7/src/libgui/Icons/generic.png000066400000000000000000000015501303637203600207540ustar00rootroot00000000000000PNG  IHDR$0yGbKGD pHYs  ~tIME +3.ɝIDATxn ى]U}^uݮ4tr2!`9L56Ih|NbD3`j C-#r{1EeZq[O0. UD;h`2h!%"PI̼BRJAʊ]> T0$].ŹEY5IO*yi, L` eKだtQ8v{,ܔfc{m%2ٷuk=0ƌX%^_FDI/Ӛ \;jl^Jz.b Զ. 
,#BJE< -ܗzbPsZ8Z65h|x5GcheMS~e-ݪ~8n"~܂:- `3ek"4Zi3.k&Yln2@$T H/R9ncn%sh1LVU9sZkAow2.A ,Pi+UVnqYKTU6A/Qpr%Tz:wO 8mU,G!N.Љl~ 5ǠTM$,=_GV7e"J̟QZX:NsYk@aY&`{_iu hbhZ+wXkP۶xyж<z'] \iq> CwKy%2ݓnE ~N}bWIENDB`fwbuilder-5.3.7/src/libgui/Icons/host-neg_16.png000066400000000000000000000011151303637203600213670ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڜSKn0RImE)H7^{S۬2D#XNdQ"G M <={pB b%la=VJ 94cl_P۶( Zk/9d2l7`k5x eaM]J4M$DȾm }.Jj5 EF!Bp[WHk-U9*#g!oH CmHB *X*0B 2LFR~$Kd~Jj~9QMP XtHTdkDWY’-%$N`)?f'g~AɋpSI"l,[AZ뛞.!ekGP Qod4vvM8?S9A6% J3BMxiYlX}=2fKf˲ T2oՖОN'@u ]( RbWRnD({_2,Ν E)la!2dik,ǂ}D+KjBW t$I *~C]J+isgbZ*|Yb΋tNZDhƊ+so*'Wf#(C< NVjLQѥ=*1@6+!25Tk^ej# ,_Dh(K^dbdY-JJ|Pb)Y͟k 2{yzx2L|3(Ta% 5P͘(4M'_ ݄j(rrϹ1Hm bffWWWc~jj }oDtSգRW"d^MVׇQ,--7of$*ɅBޞޤA-u+8h%&ۃBA>!°ymvs9S_:lH<=7-`iwg IENDB`fwbuilder-5.3.7/src/libgui/Icons/host-ref_25.png000066400000000000000000000021451303637203600213760ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڔV;H$YUUWw2`i2,; "&̀.n"줂" N0bm{tN{P﹟kLUWHlP&>怣!&0X,RP ˲H4M}jy^Ɔ$ ^}F)x-2A~}$Mij1912i+ bqo/(j8JE(#)&"tEL⸏$?5c'z)[y! v.igEzQ)db$^fBm1m J혺qQR(=t=,a_ Aڒ.O#bOYh˿)9@b3 {$)kV гc4ߑ2CRYFm_O΢z$賧_L ۘȆ LP/|h)E}o~l_qY! 
XK48(ovwwl~Ͳ-DZc%"$p?4)3(1 OեmeupjbsCx(#~ZFH{{{wlԃRg,.}0 u~trrB?|I UE>,yZie+7DVWW) 8onn^(<n]yO}[0g쬵mMOOe}.//SG(FCLAMNN}]̇h>fy8>u%̶@333TV䳞ZBReBz#111k :ល4??ăDG.O | @IENDB`fwbuilder-5.3.7/src/libgui/Icons/host_16.png000066400000000000000000000011211303637203600206150ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڜSKn0}HA A.SNW^@骻ujXlYEvHKf0"(r޼a9[\ yM"ߞ^q(P%<c>1J)TUsLSsO_" cnZ@]k Tշw.D?)Yh:Vڢ@8ҌJMy@ĉ$>Pi!qGxE bq$ 2!P& W@ ^ZDhGQc\L uF%ktm!W¦b4DyC 6F,uˌ )w#bSQVbgJnPe:!or2eH){`o;uP{BAi?>=#Ij^&auMӀћ'TX,,;Uc >{g {l= ׳^X5>n 謶qb8ql6Sq/_""`IENDB`fwbuilder-5.3.7/src/libgui/Icons/host_64.png000066400000000000000000000065661303637203600206420ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< IDATx[MUu/  (bd2l?4Y% #4?P" D쾷NUvg?gQ?m֩S>C=9x_|3ħ~JxE?>?o& X/Y7,Y~60o99r9@I*QgyjCXgE2u&)0İJA e `=_,פ@ $9Є$",{ڼrmȃ)? 8iMg=yNX\U`K㰑9;t_pc>ru=H]q08<7RUv0zQ֍@U%8J$^>RPԸQ2'IJ) S:u Lbj{XFR+aq^AX.X$YW00`i%lǀ!X1\X;\M꽬Ⱥ*,ZA,/ =)N dVۖ"m'ґ#YjmA<6luXѾ'D! 7svc!{`xX)G9rXg3Q ѨYN H`f ؾ pP}.B|³qP#Ǽhn`B'fip N5UZvfvf8+a|pV6yc>8(h,eλ1g4E%D=@61X<}0/Yc?Қ.+98r+<niæL *v]"ǖk6g3E,)bHkq4C"X XVG:h:F#rQʂI0taY !f)*0иJՋ)[@A.GC?p#D(pöXsI|0,,(aG "@sNi,W waHԝ5Q>Sd7} +HT(`Ca"i >uR l7(,Dlb?(׀[A]>DT#5p08* +lViq)vA(/#bxai[+ǖg[WmT Lӑ@u۔C L;H,xϽ8G EnB 08g\ McB)dAq g3ݱ4OtתPрjWk+FҙۓQ b!Qg NH;(c˖ |(t@]B.09[y{K]m!thd=x8eAG0y^CNz>J55MZAZ&L;A xo|SU۵m&xxz_oCQ ֖shQG:' g}gManvk=p~ ]%.O @6v8(`vp0PdO2<t moapZ]4 ;S,k їxlKTd]Qkࢃc^!&Xe!F}Fpd-k&]䥬 Y[ Gxl4>"&MJU\Cպ/W~i yGuZ쭴6_>TsW~X |$>"5`L"x p;~M?v .EpQx}1u=g,]()xcR/v QOIF6!WC,rFX9?w(aX|B\mRI-A`ku%J{0UUE@ ОɌknbO7&no>O=S#Tٸ ݱ8m(K[ex"!ٯiRo$V.@l+ %;G++s]@(|IL#im`5)5@DL(bWleS&( G7w87շx2-9@O0!z^ n|${сe$Ta{\9>?R/>wn {42K?rX ӗG֣kVHCцϖoCSt_xᅵ}n~zxw:۷͛7/B)A ?x`"c!_,R_=ױ{=x<`>?v @Je@l=9N7:(FTuw}^d^}/7|3LS/P6-+Ml`̟9={ҥKʕ+.߽{W.wnŋᥗ^RClq~)ܻw/ܿ??}][oexTs"zd-"9F#ۉ0"@oXk'xz Kc? 
+\YC)pފ a8aXx- ;[%/^{wyB|]l_|Yiɨ_ 'o/ޠ9b$!J nݺG_2<іeL"GN3 NZ+?97n`8*J"Ln?01h:[:V1I𫯾'x|h[>>j}`hѵ1IENDB`fwbuilder-5.3.7/src/libgui/Icons/host_64.xpm000066400000000000000000000373301303637203600206530ustar00rootroot00000000000000/* XPM */ static char *host_64[] = { /* width height ncolors chars_per_pixel */ "64 64 470 2", /* colors */ " c #B1B1B1", " . c #878B95", " X c #506380", " o c #C7CDE1", " O c #AFAFAF", " + c #325573", " @ c #BFBFC2", " # c #787879", " $ c #ADADAD", " % c #ABABAB", " & c #6F737A", " * c #A9A9A9", " = c #A7A7A7", " - c #B8B7BB", " ; c #A5A5A5", " : c #DBD8DA", " > c #3369A2", " , c #879BC3", " < c #6E6E6F", " 1 c #164875", " 2 c #4F77AD", " 3 c #A3A3A3", " 4 c #B4B3B7", " 5 c #6A87B7", " 6 c #6C6C6D", " 7 c #A1A1A1", " 8 c #B2BCD6", " 9 c #9F9F9F", " 0 c #4A6287", " q c #26649F", " w c #9D9D9D", " e c #9B9B9B", " r c #656666", " t c #C1C9DE", " y c #999999", " u c #AAA9AD", " i c #6F737D", " p c #3E6EA6", " a c #A9A9AC", " s c #3D6EA5", " d c #989798", " f c #758EBB", " g c #979797", " h c #2B2D2D", " j c #748EBA", " k c #175D9A", " l c #165D99", " z c #DBDADD", " x c #949394", " c c #939393", " v c #A0ADCE", " b c #5C5C5D", " n c #919191", " m c #395876", " M c #8F8F8F", " N c #114673", " B c #8B8B8B", " V c #21629D", " C c #898989", " Z c #878787", " A c #505051", " S c #858585", " D c #396CA4", " F c #838383", " G c #547AAE", " H c #BAC3DA", " J c #C8C6CA", " K c #818181", " L c #4A4A4B", " P c #7F7F7F", " I c #7D7D7D", " U c #7B7B7B", " Y c #9DA8C4", " T c #7A797A", " R c #C0BEC2", " E c #797979", " W c #6081B3", " Q c #777777", " ! c #295173", " ~ c #1D609C", " ^ c #757575", " / c #737373", " ( c #EEEDEF", " ) c #727172", " _ c #6C7076", " ` c #717171", " ' c #888FA2", " ] c #899CC4", " [ c #346AA2", " { c #889CC3", " } c #393A3A", " | c #5078AD", ". c #7F7F82", ".. 
c #6B88B7", ".X c #6D6D6D", ".o c #6B6B6B", ".O c #E6E5E7", ".+ c #27659F", ".@ c #696969", ".# c #676767", ".$ c #72767F", ".% c #767779", ".& c #C3CADF", ".* c #656565", ".= c #AAAAAC", ".- c #2E2E2F", ".; c #737576", ".: c #636363", ".> c #636E84", "., c #616161", ".< c #5F5F5F", ".1 c #A5A4A7", ".2 c #A4A4A6", ".3 c #6D6F70", ".4 c #5D5D5D", ".5 c #A3A2A5", ".6 c #5B5B5B", ".7 c #A1A0A3", ".8 c #6786B6", ".9 c #595959", ".0 c #575757", ".q c #AFB9D5", ".w c #23639E", ".e c #555555", ".r c #556476", ".t c #9B9A9D", ".y c #535353", ".u c #90A1C7", ".i c #245E95", ".p c #969698", ".a c #4F4F4F", ".s c #959497", ".d c #949496", ".f c #435C78", ".g c #4D4D4D", ".h c #939295", ".j c #4B4B4B", ".k c #909092", ".l c #494949", ".z c #9CAACC", ".x c #C4C3C5", ".c c #8E8E90", ".v c #474747", ".b c #C3C1C4", ".n c #5B6775", ".m c #454545", ".M c #F6F6F6", ".N c #4672A9", ".B c #434343", ".V c #BDBDBE", ".C c #414141", ".Z c #F2F2F2", ".A c #A9B5D2", ".S c #3F3F3F", ".D c #B9B9BA", ".F c #8990A2", ".G c #366BA3", ".H c #8A9DC4", ".J c #EDECED", ".K c #3B3B3B", ".L c #818083", ".P c #6D89B8", ".I c #6C89B7", ".U c #EAEAEA", ".Y c #E8E8E8", ".T c #353535", ".R c #AFAFB0", ".E c #333333", ".W c #CBCEDC", ".Q c #315573", ".! c #96A6C9", ".~ c #ADADAE", ".^ c #E2E2E2", "./ c #C4CBDF", ".( c #6D7483", ".) c #4170A7", "._ c #ABABAC", ".` c #2F2F2F", ".' c #7890BC", ".] c #DFDEDF", ".[ c #2D2D2D", ".{ c #2B2B2B", ".} c #DCDCDC", ".| c #818286", "X c #292929", "X. 
c #D8D8D8", "XX c #536787", "Xo c #8499C1", "XO c #A1A1A2", "X+ c #6C778F", "X@ c #9F9FA0", "X# c #25649F", "X$ c #D2D2D2", "X% c #77787C", "X& c #666668", "X* c #9B9B9C", "X= c #CFCECF", "X- c #636465", "X; c #526372", "X: c #CECECE", "X> c #5E6E8B", "X, c #CCCCCC", "X< c #587CB0", "X1 c #959596", "X2 c #CACACA", "X3 c #5E5E60", "X4 c #C8C8C8", "X5 c #C6C6C6", "X6 c #908F91", "X7 c #2E67A1", "X8 c #C4C4C4", "X9 c #D5D4D8", "X0 c #8E8D8F", "Xq c #C2C2C2", "Xw c #565858", "Xe c #4773A9", "Xr c #8C8B8D", "Xt c #6383B4", "Xy c #C0C0C0", "Xu c #D1D0D4", "Xi c #8A898B", "Xp c #BEBEBE", "Xa c #ABB6D3", "Xs c #888789", "Xd c #878788", "Xf c #BCBCBC", "Xg c #868587", "Xh c #858586", "Xj c #BABABA", "Xk c #8B9EC4", "Xl c #B8B8B8", "Xz c #828383", "Xx c #537AAE", "Xc c #6E8AB8", "Xv c #B6B6B6", "Xb c #4A4C4C", "Xn c #B8C1D9", "Xm c #6A6E72", "XM c #B5B4B5", "XN c #B4B4B4", "XB c #7E7D7F", "XV c #B2B2B2", "XC c #888C96", "XZ c #7B7B7C", "XA c #B0B0B0", "XS c #444646", "XD c #98A7CA", "XF c #56729D", "XG c #74787F", "XH c #586674", "XJ c #AEAEAE", "XK c #424444", "XL c #4371A8", "XP c #5F81B3", "XI c #787779", "XU c #7A91BD", "XY c #135186", "XT c #ACACAC", "XR c #404242", "XE c #677286", "XW c #757576", "XQ c #AAAAAA", "X! c #BABABD", "X~ c #747375", "X^ c #A6B2D1", "X/ c #A8A8A8", "X( c #A5B2D0", "X) c #A6A6A6", "X_ c #A4A4A4", "X` c #A4A2A4", "X' c #A2A2A2", "X] c #6C6D6D", "X[ c #7C7D80", "X{ c #6B6B6C", "X} c #B3BDD7", "X| c #A0A0A0", "o c #B1B0B4", "o. 
c #9F9E9F", "oX c #9E9E9E", "oo c #676768", "oO c #9C9C9C", "o+ c #ADACB0", "o@ c #9A9A9A", "o# c #989898", "o$ c #5A7DB1", "o% c #597DB0", "o& c #969696", "o* c #949494", "o= c #DAD9DC", "o- c #D0D5E6", "o; c #929292", "o: c #2F68A1", "o> c #909090", "o, c #7C88A4", "o< c #5F6977", "o1 c #4A74AB", "o2 c #8E8E8E", "o3 c #9F9EA2", "o4 c #8196C0", "o5 c #4974AA", "o6 c #9E9EA1", "o7 c #6484B4", "o8 c #575758", "o9 c #8C8C8C", "o0 c #5A6772", "oq c #8A8A8A", "ow c #ACB7D3", "oe c #888888", "or c #868686", "ot c #8D9FC5", "oy c #CBC9CD", "ou c #848484", "oi c #386BA3", "op c #708BB9", "oa c #636D7E", "os c #828282", "od c #818081", "of c #808080", "og c #C6C5C8", "oh c #506689", "oj c #7E7E7E", "ok c #7C7C7C", "ol c #99A8CA", "oz c #767980", "ox c #7A7A7A", "oc c #787878", "ov c #7B92BD", "ob c #767676", "on c #BCBBBE", "om c #F1F0F2", "oM c #747474", "oN c #A7B3D1", "oB c #727272", "oV c #707070", "oC c #B6B5B8", "oZ c #3E5A77", "oA c #6E6E6E", "oS c #6D6C6D", "oD c #B5BED8", "oF c #6C6C6C", "oG c #B1B1B3", "oH c #6A6A6A", "oJ c #B0AFB2", "oK c #E5E4E6", "oL c #797A7C", "oP c #686868", "oI c #E3E2E4", "oU c #666666", "oY c #94A4C8", "oT c #646464", "oR c #5B7EB1", "oE c #636263", "oW c #646F85", "oQ c #626262", "o! c #A8A7AA", "o~ c #415C7D", "o^ c #185D9A", "o/ c #606060", "o( c #D2D6E7", "o) c #5E5E5E", "o_ c #5C5C5C", "o` c #D7D6D8", "o' c #5A5A5A", "o] c #4B75AB", "o[ c #A09FA2", "o{ c #8297C0", "o} c #585858", "o| c #9D9D9F", "O c #AFBAD5", "O. 
c #565656", "OX c #545454", "Oo c #526373", "OO c #525252", "O+ c #98979A", "O@ c #727478", "O# c #577CB0", "O$ c #3A6CA4", "O% c #4E4E4E", "O& c #718CB9", "O* c #FFFFFF", "O= c #6D7073", "O- c #4C4C4C", "O; c #194973", "O: c #7389B1", "O> c #FCFBFC", "O, c #8B8E97", "O< c #C5C4C6", "O1 c #9BA9CB", "O2 c #CAD0E2", "O3 c #F7F7F7", "O4 c #444444", "O5 c #7C93BD", "O6 c #BEBEBF", "O7 c #878789", "O8 c #404040", "O9 c #BCBABD", "O0 c #A8B4D1", "Oq c #BBBABC", "Ow c #EFEFEF", "Oe c #3C3C3C", "Or c #898FA2", "Ot c #807F82", "Oy c #B4B4B5", "Ou c #383838", "Oi c #B6BFD8", "Op c #E7E7E7", "Oa c #E5E5E5", "Os c #323232", "Od c #C5CCE0", "Of c #303030", "Og c #5D7FB2", "Oh c #5C7FB1", "Oj c #1A5E9B", "Ok c #A8A8A9", "Ol c #DCDBDC", "Oz c #D3D7E7", "Ox c #A3B0CF", "Oc c #DBDBDB", "Ov c #D9D9D9", "Ob c #A3A2A4", "On c #859AC2", "Om c #787C87", "OM c #D7D7D7", "ON c #4D76AC", "OB c #838B9F", "OV c #4C76AB", "OC c #6886B6", "OZ c #D3D3D3", "OA c #24639E", "OS c #9A9A9B", "OD c #CFCFCF", "OF c #506E9B", "OG c #CDCDCD", "OH c #3B6DA4", "OJ c #BEC6DC", "OK c #CBCBCB", "OL c #959496", "OP c #5F5F61", "OI c #949495", "OU c #939294", "OY c #385880", "OT c #C7C7C7", "OR c #5B5D5D", "OE c #CDD3E4", "OW c #909091", "OQ c #C5C5C5", "O! c #8F8E90", "O~ c #8C8C8D", "O^ c #565758", "O/ c #C1C1C1", "O( c #7E94BE", "O) c #BFBFBF", "O_ c #D0CFD3", "O` c #20619D", "O' c #496FA1", "O] c #BDBDBD", "O[ c #BBBBBB", "O{ c #848485", "O} c #214D73", "O| c #B9B9B9", "+ c #7A808F", "+. 
c #B7B7B7", "+X c #C8C7CB", "+o c #818082", "+O c #808081", "++ c #B5B5B5", "+@ c #48494A", "+# c #B3B3B3", "+$ c #2A66A0", "+% c None", /* pixels */ "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+% P P PoV.o.o.o.o.j.C+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+% P P P P.oob /oBO%.,o)o_oUor S FosXTXT % % %XTXTXTXT g+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+% PoFoVoVoVo/oFoFoMoM+%XvXlO|.YO3.UOaOcOMOGX2X5O/O]XlXv+# OXJXTXT % % %XTXTXTXTXT P+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%XKO/O/O/O/O/O/OMOMOpOpOw.Z.MO3O3O3.UOaOcOMOGX2X5O/O]XlXv+# OXJXTXT % % %XTXTXTXTXT P+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%XS hO/O/O/O/O/O/OMOMOpOpOw.Z.MO3O3O3.UOaOcOMOGX2X5O/O]XlXv+# OXJXTXT % % %XTXTXTXTXT.*+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%X]XwXR wO/O/O/O/O/OMOMOpOpOw.Z.MO3O3O3.UOaOcOMOGX2X5O/O]XlXv+# OXJXTXQX)X)X) 3XQXTXTXT.o+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%XbOROR nO/O/O/O/O/OMOMOpOpOw.Z.MO3O3O3.UOaOcOZXyXpXj $XQX/ 7o9oc ^O=o<.n.noZ mokX'XTXTXT.o+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%X-.3.3oPO/O/O/O/O/ODOTOZX:X8OQOTXA coqocO@.$ i iXEoW.>XXoh 0OFo$ONo]XLO$oi.+ qoB 7XTXTXT.o+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%Xz.;.; rO/O/O/o#.%.|X%O,XC ..FOrOB YX^olXD.u.H {O5ovO&..OCoRoR |o]XeO$O$+$ q VOo wXTXTXT.o+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%.c.c qX#Oj k k l l l l l l l l l l l.Qo#XTXT K+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%.*.*oE R R #O/XfokO:XU.P..XtoRo$OVo].)O$.G.+ q ~ k k l l l l l l l l l l l l.Qo#XTXT K+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%OXOXo8 4 
4X~O/O/X|X>op...8oRoR 2o].NO$ D+$ qO` k k l l l l l l l l l l l l l.Qo#XTXTob+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%.K.K L 4 4X&O/O/XAoa.. 5OhoRXxo]o5OHO$X7 q.wo^ k l l l l l l l l lXY N !.QX;Xmo#XTXTO.+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%.EOs.- u uOt++O/O) _..XPoRO#o]o] sO$ > qX#Oj k k l lXY N !.QX;o0oB So#o@ wX|X' =XTXTO.+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%o9X u u.s nO/OD SXFoRo%OVo].)O$.G.+.i 1O} +X;o0oB So# e 9 3X_X/X/XT % % %XTXTXTXT.6+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+% u u.XO/OMX_ XoRO'OYo~.f.rXHoBoko#oO ; % OXN++XlXv+# OXJXTXT g nou =XTXTXT.o+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+% u u+OO/OMXNXGoBoko#oXXAXfX4ODX$OcOMOGX2X5O/O]XlXv+# OXJXTXTo2o* ;XT g KO..*+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+% FOeXB.c bO/OMODXyX:Ov.Z.MO3O3O3.UOaOcOMOGX2X5O/O]XlXv+# OXJXT K.oo)o'.0.@ S+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%.*.EO8Xh.6O/OMOMOpOpOw.Z.MO3O3O3.UOaOcOMOGX2X5O/O]XlXQoroQ.4.:O.oBo#o#+% SoBo9+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%oB.EOfO^+@O/OMOMOpOpOw.Z.MO3O3O3.UOaOcOMOGX_ok I.X*o|OL.7oCoGoGOy.= a a+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%.*o#o# Fo;o#o#o#o#o#o#o#o#o#o# ; ;o9OWOIXO.5+XX9Oom (oKoI zo=X9X9XhO-oo T.koJo+ u u a a+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%o9o#o#XpOPo6 u u.b :.JO*O*O*O>om (oKoI zo=X9X9XuX9ogogon -o u u a a+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%o#XpO7 a u u.b :.JO*O*O*O>om (oKoI zo=X9X9X9X9ogOU Pod.h u u a a+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%o9o#XpO7 a u u.b :.JO*O*O*O>.Oo`X=oI zo=X9X9X9X9Oq. 
;+#+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%oV a u+%X0+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%", "+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%" }; fwbuilder-5.3.7/src/libgui/Icons/import_64_1.png000066400000000000000000000147031303637203600214070ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< @iTXtXML:com.adobe.xmp  IDATx[iX{w]b؀q+& "D(B@?(B H  pX7 Gb;`i{뙝{{gzT={nxpKE+>-6vGK:`s/R^ni)IuZ!p}& םYu^| *_Dh#mW&z?Wם+ MXw@O+BXLh] W?(įCcCY h|pCl0kL,YT(m|ʂHDE|U=<.mNЫw7_<ւt=ԣ+bqG(_w> ;#޿'.*&7UW8Q[-?}/QŜzo-ӣp R ]sG̮N 7?r5zO9fRY4~G +UrR;}m2$].cCF޸N/;FV#WΒ~ծ^ 8_4P|.`8T.P jY B M+R'Vbq8MrQڳLSYQI 'O"ZMos[Y4lQBlW ۺ!9وmR>>0Ucs0  15>k񡬴8n/ O.`8fr[4RR]w>Fqc2LwKTɧφ!p-S @Qד.(8BʢaƬBI![ʶπFm}sa2`L CHI%2ň1njbZSCT%rQ kp"wd ⌒}=)%&.Z/^tO^gba#c1,XlE8NoWJ^ڤՇ8)+`$.#LEA|) C>/Ki0]ڇ&P ;d@0{}pa*., 6$LN ~Td1 $ R&7 h--.AQQD8~S2R*d_ySvڜ [-v'8С%@NȒI C- ~W֍)kS*AfCj- }LňGy\v\x\!O8PV E`s+θ?qDb dBs'FpRI1b ߽5#3F-- 7Ci+>>p'l93Z@GTwm|I~yξMpG_Tj7Jrm G1G2}?)7v<7pק )6_=/+qW&|j_JtKZb24h %ɽ}L[c5(*)8R:<߃ӗc#+cILJ[ #}_ye #F'Ѡ Z  cܴ RD :G/ ,GŇ-X,m&U0,rPaVYS}iz2O9}Z|'X]c Lcx { VSBB=ƤR* >jf͉vw#wb[ Nc6) kRk“~<ϛ^f8hS ؅-b7YG߈C 3 d0\+@u!W`A|<{Kx +NK!k{ʻ^{Uw9aTVLx^ tQ<|AG~a礅r޵\6ݷbSLk:}JGQ؂RgbF0}.ݖ勏ǕgNI2m!;Ū=*r ;.: v!Jv?];`?b*ׂSٴ6o|Il[CicbǏW-tc{eS:`>E%_،&.zKR=٨H:?"Iߺ'e۾|oq=o$X61zFG 
}%xYOnKB"*Ǭw_<^5L `Y{ >>ov^|cce?:y`Or7~ IENDB`fwbuilder-5.3.7/src/libgui/Icons/inbound_16.png000066400000000000000000000006501303637203600213040ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<JIDATxڤJ@$V Л*,}@|A ޴z*Ŋ$6KζJ75s$2`]gn2m`ke1 @uxOIіQ0i BJ ܷY2@ER#p i$V"S0E 4T[!e%CT+5PYC p%E=Ȁ/|KȊn;X =ƐR5Z\Z#LȂ5qPl^Asw`]rQq%IENDB`fwbuilder-5.3.7/src/libgui/Icons/inbound_25.png000066400000000000000000000012251303637203600213030ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<7IDATxVKQ>wfWt\Y(%#|b{-譈^5z4ނ(%_=B%X‚-wFw2wtǗǝ;s~;9wƈmv36L[kĬ̎cB.\8Ds/bُQj UDee&⍅6AJV’z_%l51w)nB5⁸SJK@gGIu4bEh$PRM(Iv&Ah|bUrƫ Zd$FR͐0W 7=p’m{TF6B|`}j-Acp^}v:~b5!e;,vj>]yj<>WoL"FN⚺ @š:wQ{?|Z;̩A_3:5i=q2V0&pnۗ[YO)7 T YIENDB`fwbuilder-5.3.7/src/libgui/Icons/inbound_64.png000066400000000000000000000033221303637203600213060ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<tIDATx[k\E?3G6-!o->OO >}oB(> KHui6P(F1iGwٽ3ݍ&fw;wo3gv֚s:t@ȉnls~Yԅ̏:'OQlVcg_" ")HHi~蓨暰n-@+jWWےAxlKex)]#t@x5Ӄ ,m $g+M\4V H /xA-փ`V{hy!#h:_J-G"e]#zMXLP!mAMA &:Jhݚ~x ゜G$ւ C]"Qگ@A1T)`쪳44=vվ<΄ZAY FiEY`7Cbc3 r P@Qv 7PG R@)7AJU <5OQ0V;@6f7iAgV{e@>'w{Nȉ/yoak)1&7^ų.o1GN^ioѼ٘ ϵ}1H+IztGR"۸ه[M# v>Cf%+]kGfq,>IAI݂1 N ȗvBKg 2]o&BuaJ4WU> wAosqE X.h *feG\ )d7Aԓ`[ 𥵧 kkKs΂v43{сtat!a}֯}h#{?nN_lv 9Qҹ46!&y\='[-i] hӊH?mE5'r_RWuVgrRi*d R=y"ȉ[@H,)wktf+?{j/ЪCKC{y廈K1I@?W5Jtv%P+OwyUvڬ19G!o+sK]O?ՎT)Ǐ_C U1S+Fwd:to`{#aB`|&z=T1 < מ)fWpeD8*gnHv%O@FQͻXsI!ښD@e$7]=S}ۻ{!MM6B{aM,K$ J-a`Ӥ{O\Ǥ:5f/U9rC)Heőv޳ VQ&b̿KIfpPEO0t*B7 ;*Q%6f~-x}+6n^RaS0uD΋UǥJӼP}* i$#BKu0`:Np8^tnR A316C+fur.QXD5 /ju^zE71 j2(1QD##ɣIe|85Pm5᧫Ƶ;M^:I[T1uk||- Ps֩w;<{e5&0&K$,MS - EeҌ%r5I<[4 9ms)8/?Լt*Db K6X< [qvF I(B $9?5( L:‚LAnېaY(yD@,p vG"\!㐻΂ Ǚ0^}~5 sBzw ׁ92tM"&n2BܜI<7Hcs;{JlHM@u]p<(ϩiŗ1Ñ8ۑM8X3T*zTV2i{]q65)0G0< W[ Еc?,Jѧ!$;ǵؙ-{UH/T! {TAa53Lkia.۾/20 liF)&DJ#A/!L('k|wM~p&Re!+L dsYnUw"#! 
a_EBuE G> )xyNB]E89†-09\%܀ fy,1DAT4zNG(RR$(jԀ c/7w{B􂂒9fIM(4Fk۶UM ˝ˇI8 H=[ [LہMRě5h)!KIrhtL;hZ0-Nf[uLoG 7eF%F$1bO%$C|Fx9g8,#B!X-QCbm=rnM< b)$sI9ư; 8 ŕ^!>Zs-H.Y9i)7ofKF])4d``555hkk " ҂_?@ @ߏ2Z { *rZe[Epi hmmzijfFz A"( yF{"~rيI 766cccP$h̭'a]MTgӑÇq7T*#2d}}8~8J׷L:Mcι/^{m%Q)IlubKDQ144$H$jpႠ{n{\'rsxB~W$###*hjjj=11$$~Bp@x%W2(:;;D]]]䞲'\F}A;]Zɭn 0:U"IENDB`fwbuilder-5.3.7/src/libgui/Icons/interface-ref_25.png000066400000000000000000000023451303637203600223630ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴV]Hde~8;̪Mf(v xtQdEvuA7 Q˺$J:̙}̬clds;>~g$۶q>6KՇ3<:AaJo}g9gw3꺎LF$)S9EM*ߊM ! **RU5F0K!Z5īg KP ͢@-Ta{MXC$DM(ꐟ>R DH4rl77ak'*aKަ$y3ΓDI @81;๡;`&{-z!hB3LDE4eqn$h&^rg!FkTRJִI6ek9yF.Jы *SDlg3$hGhi.|.1֟DEPD&o\RԊ ԑ#Ojv$E!@FdHBiG6뇢@LEX yCCy yIAfȰclGnC>OI4敼H$x=ã0vvvNe杚x2,RwR8S~"0L\`$`ss_-.*l߇+! >n]5>NgMNB$e K0\~I-1.p ObBq'c>Wׯ_x/̀]9R.ڰD]iKN3>V]B*166V\[\\@ GY"uBEḖ!SCJ:,JAVVVK΢bX[ QqF{ߑϼ0٢'''YP0Y,CA狪igQW[]Wdy("@ *c #(ˋXZZ: "4bCt9RĄnhhSSSDɣ}18(HUU G%@KK 122Rƫw/H(m2D<===>.8L$9OhtHZ -d W1 IENDB`fwbuilder-5.3.7/src/libgui/Icons/interface-sub-neg_16.png000066400000000000000000000017121303637203600231440ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<lIDATx\Le_}fAJ@L46fMZl53W6kjO":tMk5GRL3 BwYlg>>Ad]2 I$ŒO$n'_!=t9ngքWsf>6t/<(5 phVf^ b ީJf=v uUXii}&F4ʼn JHduŨ}A[1c_bVX UixewӱTx^Z ho! ҘxH(-7 yŜ N% )Qmdr.㛽#^94m6\n?E <T͠QazpP./3LJYھiP#:X -p*ȴXxQRxgg/p{p{=HuumKx1^<~5ɋNǺ:,fonndJ3$zIdYVFz~>ˆeWT|Y,뛚(޵ IVy9EEE-ND"$Fym}DOhhzB>.`-0k#IENDB`fwbuilder-5.3.7/src/libgui/Icons/interface-sub-neg_25.png000066400000000000000000000033311303637203600231430ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<{IDATxڄU PU9RE l_eJcVMū*bLͳ)4K1g>+$фBqF0E{x?{9υ7[w{Z{'1JӲOt۴ mG})!sEsI6Xπg[O=fQ=^^+3eg;Әi]2vLG0q)o$~p܏SAϰ{cd/~ߍ?'X3+OkF^o@V6|"`xo=eKhI@l)*O)X؂{D*,"DZwcQY:È!xćg! 
08S*,Lf E 7$  $֨,q˄V=.\ ߇];\Bű]ލq_ ~?|>ܸt dPQz`aYQ{(yݺynT}:Z+{v 鼁vsx===R ;._8'V?sY[; kr,W,R |Hoݍ_u 42!-GgȹI8q}ҥTw"aي:.qߌ=+8.n۱{nGP#nPE|ٖTSy]T&e/"I2-hv]EہX0Eql6撒 -|X Xٛuc+WⓝQ7pv*pH_ ?󥥓-DCxha @vkqzL=^JNC)` N"TɄƦ&txNU'~z$*E:Kxs }_t1@ܯ{">^)F%Ɔ$Ulɻ}vxdrYߌ;]utVٛXI$N~)h3OQDɣm頽h 4s%@id=jNwi&҅is2% ӱMY˪% 1YPT "o1Y,ρH4C+v@ru t4C*T/e!KE%j@X%.QIf ': C.wچ Pr5^=]$Ô :Up!/mTQ[.A -Lh+jeBn(y J'ܘ˭Z:6c>=#Oy!$N&Y&v[#Oֹm dT@8 JJGӀJ(rPoˋ$$*ftD<\^&/h)7+M/:ɽ2ŰL.'<sh-1 (KX[!g/.*eT2ZiKjRg:@Ӱ/ Iv/+%tk<-Ad ˳՟?<*+4ʼgѻ3ҍ+#i,_Bm^ua݊b21({pWyO`bbh$OO`09H/BӐ1E[֓0=2`n) Ep#PQP ---غuÐŃaQxBSĤQ\D(KXɞ={n7*++q)|>466*4r# —ŕ}6 q?1o-kd||Qf't@kk+dy!m=ׯC$G zl"^[mw7ᖸPT7oCU 1@Mq0 QH9c%@y3+++so۶[|Df#sR("S,"8T?y,|](t w_HR^x+IIENDB`fwbuilder-5.3.7/src/libgui/Icons/interface-sub_16.png000066400000000000000000000015171303637203600224000ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڜ]hg1 i$ JTc*JJz޴ B"--X0*XhZ5ڊ(1d]m|=+};ys͠BFpBpKj'Ÿw~Ple&%R|ߩbE7Xlrt(@_C  _ok[]-&E `٫7^xe"5*SV>-5:A35Mbp\i߳.ZP@՘e&.3s.mMk=,VaJZ><Wyغ`t|voHӌM*_m1!s{ViH ݌b]_X2ԝwizK?l k[Rgyh |tp35o@ak/Eh &G=y_5P1O(S;}TMj Vpfʲ)礟kc0mc쑃5L4Mopp>&cwNxh '8|s-b;ܺ ?sV@ G6cn9NK1t\|7^$y?ן,o⥚=ϛ^@Ke"@^dfFpafi=QlkGOvd憱i,T08~-;:oE6v 'HeYLT1V z84SnV,rbkav".o+LDďBRMA HxS#<ׄ]`LRU 5 ޵jzh!ʕL-H0E{#B.2Ή=H+yDSzc6Z +E\y#Cc=ZJ0gY_ %#CQޞJ!}" $C9ALKxcWAzx{ PTPa-THB|p0ԻDe}2ynAA!=NQ;H%9BljD"`]R'&Zƛ1,"( CDǤ:u]]! Y:9mFpHK<'NiQotKq/XS "칯 ×׌׿/RQIi\9XrNIENDB`fwbuilder-5.3.7/src/libgui/Icons/interface_16.png000066400000000000000000000007401303637203600216060ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڤS=KP=iĤ]D"?@TpQC_[*bpG%1ib4y&-1{=]^@wK̞Q2MòPW=NCv i EQWLN?1! u tM8xMYu:@*D;ԛTMi(o 9Ӡ/Y0`p>ѨiVrH݅9lRoGe+"wT EQy-7:MmaN1!D^[CrzIENDB`fwbuilder-5.3.7/src/libgui/Icons/interface_25.png000066400000000000000000000022451303637203600216100ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<GIDATxڴVKlE}=;_^oloDD"|'A" qA!P9!η{]rʦW5==SUU(ЛqդKꀤ[ $u ,IdKy%ɖaY6?/< q\XuL墧&N>B.! 
SaK R1;3I(Q@dt)+~D\p%B(!K1Ia( 2)b|`*xu}{?~87G$>"DyEBw$""0aD4lVPw΋ 'נ*w7s,o!%Q BiAX10b!BO_DTUxp-.펭>%/dQ,blQ W:Zw$2IO0Iyp(Cv[F>0ej{U'p%{gtŤ}UԚ5 nN u(8󈲖U8{דp\>A{h7a{H=ДulY% ?My6Brcij<6c\b{{>w8&FYGZ >NC)lPX)P.{bcc`Sp8&Byke XFg灵y_HH% jIIFH !5{b,8 Q4p)<-b,SԌ;B4H^Fǻ@2R RgbJJrAL[q9M[AY8Y[م3.^%  >D/d:T*7Gb#Y@V:"a ӆ˦ƞb;2Lxl +f$i4>2@U#-y+ss;]q.t!KF"''zki,{s *k&R!A.7066\.AݟҥX^^>9b] ,,h)m:7/TDO+{ [ӎ(DVl3'THIENDB`fwbuilder-5.3.7/src/libgui/Icons/interface_64.png000066400000000000000000000073041303637203600216140ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<fIDATx[I\G{,gbۃ$1 &DRS q""q!A)YXqbb;3سUU=Ƕ1=u߿UϒRqI蟅fz[_ t߂0DW[[Q !6[p4%lض>5loEly"z'= l.mQPԜׅN $p^O!id;m|Zf._BKŰ )ި7 t`qiQ#隭 ѕVk,ffgQ5[HlZ˲j*#YJ @t `G[AR{mpl*`8=߼TD8\(C>-0Zچ@@>K`N psܗ%**%|FJ!d"P]x![} Nჲd PEQ"c"c:Cc>Lz}y<&+cg껴$-;Dk.A8{ƜkBm: Ŭ ;r6,0\xV@|3|,@j3Pc@nk"ILk@ۄn؅9j#wJ cĠ .r8dSb=1UPN'w$|~ZWxdPm+C|O#߳0z7TeXn.ùٳpfcMIHƄ$k-2۾?Aq2 qb(0}9;>8:F0Rv?cqx{0SFVh{:jlPKL S:/7ɍ6y'ʈ ]?8qصxr(.*ș>#|'w/|:F%4Qàָ,!AE;[ ?a4kx(.Y`]8:@!9TD=߇>7kbpdK}5kzje!nF)2_F ۋ8` w/ޝH 8G8hM@F< f v 5}]I< N=[ts`iȑT>@ cmu5w Dj /DbQsKlpo*؊/P 5ᖌc~Cc0mqDq$;EEť%^A4̏l X!Oށ#?|`ߨ 3Mo8oa gc/P:EPRL]0:2a%{$LŎPJ<|_6 8 WxA=@Jw>]߃< [RKbM0RB$tza$э73C-@4m,$z 2b]xp}(Çܰ (?ć\>h-/;gPPVCϢ@ G{(~3^Ayom0 ZE TSSpE_yq$P 'O‰ޯ vN;@yEk >Nҏ|&-ot  ~jl6@O@"T^kQJW!Ēht>6: 97.d6cQ :<);)4/F PIa[BLҨ:Ar@etD?fWD9,-P6"֏P|Qx7j#0*k{*BNO#>'q}~޸Q66cāNX,nN D4@:%WyT0ExQHQ\s@|Mta`:itmD{=wtTsB"%s5HKDGSN"qoRdĘ%hL$hoQ9['U ~k6+GX X{Rc'Uf̲4H~;Y@n̠8!u P(p!w~ޔA !EM:֜OjF@g ae|eYt&uoD Ԙw\ȽL<Rj NMSD}C>ymW}{]{Z+H˹iH` da{-&$沶܏MWh ZUc|S=țR_Sg}ƀ3y",ʸ(OZAOb=ҏxw^XTƭZ<|~8ҵ? %e.zaDVB&l bQ[X#"6}x}G1eff.MM=+!moQDŽTѣGWL%^<:غ.Whˢw|y86߯Ǝ:|Sj4Vo 0@AL3d}֪8FGG(M2]RFdhhaD.kFg%$&Ѕ>n>vm@dDxi&Jp̚nm8yWpTY]6|z[+ğ޽*ʚb*M9oQctuORaL1G+#.RaS'?䪌7]ZXNORLUz5)ZP. 
͑hUF7 vGz/K<$)&FjIֺpworZ k[N[knq1R׫轡^QΦAX;"o1aIENDB`fwbuilder-5.3.7/src/libgui/Icons/key.png000066400000000000000000000004461303637203600201330ustar00rootroot00000000000000PNG  IHDRabKGD pHYs  ~tIME|IDATxc`)'Ϟ22p2RlET.&h#L4eN%II@ba`pÆ k=]gOQ P.fx u{#  !.C1^Yi;[{~\^ss"(x:ME鬻X ``@8 :=BXIENDB`fwbuilder-5.3.7/src/libgui/Icons/left-arrow.png000066400000000000000000000006671303637203600214320ustar00rootroot00000000000000PNG  IHDR r|gAMA abKGD pHYs  tIMEO4IDATx1n1EЅ Prp1F d@$Zj xS.,Y|?t:a"D"R>DbQ?)^4IA =Y2& ,QsuFvf36OyGSU-+_/|V\.:zJ!Ԓk%뭽fu@$s5ɩCK^=OYOf41iZP-ڳ_vt;dٚB10Q4L~Ƹ>HDx$xUū puoʤaIENDB`fwbuilder-5.3.7/src/libgui/Icons/library-neg_16.png000066400000000000000000000016611303637203600220640ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<SIDATx\SkHQ~oVnKmŰabZ?*aw+)fԟa䚙 GEQaQifhZkJtu]vy>yqFl!+& 0t'@-oŌ\/>﹢$X䂚P: "JURtz }֟{OZ}aꉈXA:.9( xH 9_iX+y]~!mym\*19԰gRIE?)lLf(I7j~uO%@@`٩#=P]\usyccE -]aj b S;#@ ×zãĵŷND,.V ;EE[Rv*B5 4 `=#"p=RVklTmpvCVL1dJ͋Xyq}fox>I7C_AHAxQԙ SO~^[w5͡*EZ$ł d+ɋ(~sawgD{6]'|uXCRK ﯋ևdAg!;xVffڞp27bNЄgS4Zhcp~79;-.m j+!i *hy=svVrDj\l;t5H^N8tZGU|m0! n1aծz<8u*C6#"CsH6*+Փ'12;RzH v*Y~ N;y3m^궕wy9"1| rD^j) B*ٚ t ?@6W8xKFEM p-!@I',6򼅚:% ?KZ';8!ZȻA@HP`ܬ@c {[9cBh!fpEt$S:ND~Xn9nQD+ɠ)mۭYe3gKRbz17Jz @=c٫W мRK̢I={3>ap<UUe}3r{LYB% GRpTùtz+A7+aFiІ(N̐~<:9í&xK.-q_Ec {eW_~blZn;~ )pl<˔VͫGPy?t&LL㎢"XY"WzAaLGO*:ؙ؄2BYQ7#ɉ˗YcPs^i^u5DL\xbrX0Q\CmMg`L6^'E9;g( nOuRd.6{ghףG"d[V*~~}_ (X,&IENDB`fwbuilder-5.3.7/src/libgui/Icons/library-ref_25.png000066400000000000000000000026061303637203600220670ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<(IDATxڴVmLSg>- Vݒ¨hYl,d d[\0X22g %.lιe&N%)KmJ2YBcX}=}sι%a!A2Qhh.lxlBTs(2'ˇah768 'l؞nmm/ƈ>J:2g~訬~rR߃NAon4=#wK|q$^,"i+c1<}7\l1h;.IB7\n,=叺S]{=ZxA&j!zȷ _?溜}W+ԇxLء) YbjᝢȀEf"XM` P!y~/kX [gtE⼭Vi C@P൛K_g'UmsbKJYP$8~vS۳'-]= zʼHD={*#MKtv,taр9qVc?9!n$vp8*ZreU40mzૼa:}*'xٶKn6|? 
1"EIENDB`fwbuilder-5.3.7/src/libgui/Icons/library_16.png000066400000000000000000000014701303637203600213130ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxlS]HTA>3^u]w1Ӱ5,z )"BABߤ #|Hy!^%$,д2 t5Wl+uu4WRܵ3;3 J)G%"aCuu;7Zh6*Ӻw}w+zhWIdSs=Uf \gնIS ߿Q,*))q%ZF2nn4x+Yq.=zas:?2~U=\eqxӜf)fn݋{Sr,wOE o v DtKT_^V6;M#q.I#'vqE@"1, s-EB EgF"Er( 1( )y$kJ= >`J2Gi)$jl(Ohq[ @uZVE*tty?RQ[1@p%Uՠ03M "5pEe\C1 +~钄*!ˁ@\7boo,c"/_ۙT[oO̍~/ u1T" al wٮB9l8{}%xv 0m"c@>IENDB`fwbuilder-5.3.7/src/libgui/Icons/library_25.png000066400000000000000000000025561303637203600213210ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴVklTE{}Kb[B%HƄG$(Q+&ĄD*ƨI-P6RX /K߻{{3ݤNrrgwΜ~|sb9D{E VVrfScIOχmpQBMpm!5qۉ_xE(1YC.uW6?vVI;fԢB#}9p?W~ ")*EJDfpa?׼z(J9R{}t(EDw!4 kY\weY!G׬Yc}8}aJbrB]lvV|WBu^dު=ֶ6 <*򲍛7BjmP~ݥnx(ӿd$6_'8D"Kt]o)j\.ohX 'ٳgO%`tkѵ-I^]>^,R4o`t,%HC!mu|T3wT>_#B!sww~艃ZH JXto,$R,"K% xAFw)"9*8L*:l.g+]˓R&kEwռ" xlݺugo %k./^5ZC8MӸqFo~rPw?Z@^/VGW||TJZ|p#Wo[ jnީz l`aq@0nR$]JZ\$ɮ`047z Gp&ҁo{UB/5.OufDB&&'o9i O;^qX}sY`-?RC$*5 '!dE>@TUF u*F'{#sǓYSJi$r?\8_jZ AL6k |JxdVa >mfi|VxwW?PP5;j]6?Ex[+u2@qk__"9nBMm]sMDE}~ EaYzzjJf{ ';kۑ3&AUV L"`AC~c_]^3[I/wv<{xTNa(,W)\:_v3T2q2XS$pe2p*}yI]kg `İ'RD"Obu˻?31_1==mVȹm?x[f'X߻eZ(w?6@Dc:ɮ~M/=~_;nȆɩH^5Ru?p˱Y-<'Kxpbg]D6FTÿ|=ύ36IڧoZ=n &R^ ^H,&D©qDzC'jvc*c[ [[ْ׽ `u82EϽHLn}򱎑Ʌ2> *jhjׇ'X$jO`U mcBb ;wQG\yx{gcIIvBh{0Fwz~Foؔ:1 W-i{<76-!8)]! F*U-_-_6Z\_@;>=JA\ W1TVN!SH|d]f Fw:_Οj3.h=T!}iN!U $GmNTs Pnï2-,jqcDk"F:::6zv<զ/HU;ƧJl5klf^'$ b٤D-THppmL}tQ^q߁C]胞FJة/w6 Uue+Q JM ;јc8?1H|PSSؙ@_'(XQ1]h衺[7rntwDy7b7K .X#X6lLB! 0oRϧ+.FP&ePt!+PFtTWa߰ϼH"HӏPk9|eU/km U.Ǽcm\hT&%8B,h,"Fj1Ꜹt"dT)/^V ۂ7\xg;ϬdwUtlXaDTNio[`D# 485 q 8˓DV6^/F"/y'LN_ϼgkH,v@wOc>x'#o.3$ quQ &󽳫>-A9 zHHQ~$7`rgN@G. njz" s) 鴈O!uԵյp*>mX3FAOǑN8GTƅC"x߯8@ѹax ?nuSŅy[0f\FPN{Nt~3Ra.`T7BgT\yh $}; xٲJKm0F ws u42=9%B~e\t]Wn  JoThM2 `(%*`kQ[ l˂`5-D ]9CtnSc4Lew%5Hl! zKu?G)x#@V`7X$`n0fA2@9ߓ]DnK8tq"^/g5Fh)c'F)R޵2Yr[>R*F`"O[ZUXDԋlp"O1[l}OŸ1y OfBj*x" N3*1(}Eq?loؚMevt r \1RZĐW]6Vx^=L/[:246C7M'ۼ4EdL <;ȓDh4r. 
I5(TKW)*BED[|h)Zxሥ}==ݲc=pTm6YxN?ں"3%bqK&Bn. (O)R51&3A(>*p{2D\v8>YL:?{`pxruKwwEbVA0|@4$ ~/,M+vw0@xATYщbb3 Gk<%sz@iƚeCm.Wi_;4n8帆_,g*aٯء@d4)`&׹لǐ`< ,]N@Ph@sYn9tg>SwwOF¶ʍթoM4 &C㯤*xj,b7/HFgg ` 2 (` 3Ev]? 0= |\S𫡠bוQ+bU]COFV*85kj24[ UsAo @)17)epS,7 @3F  Dk Ou@"BH{#xe(o+K:|`"y;4 K\EڧYPhHuK#iV~RZ("f@n=f %"R PjsD^(BP,'f< \M644}xU *Nu8㯹*"tJay#D< 'OPg";N㡵ubYÏ (;S9'VM7U 6I[H&!0^TG cȊȫ6Vbg?8F'/Һm/˟q@}}y?wi{K&~CcM_9xצoϺp̓?r.HفQM=yWMC!73_]45|W1:) N/K&Ry اZ49>=lCK獟*w >p~2G4 ۯ3v[Z<<gpOx-?:P9gF&ujΔ\`̟ eοYrhvAm&q+v`a0\<:\>}[!gaseODB. ?c>{*koݾ앀ObɌNA{|ō?O_/0,q9`˄MͫFz卞2x IxHiGefH = Z ey×#o? >|zIENDB`fwbuilder-5.3.7/src/libgui/Icons/lock.png000066400000000000000000000011301303637203600202620ustar00rootroot00000000000000PNG  IHDRagAMA abKGDkk;(0 pHYs  tIME *8` 2IDATxujQ;II@u#R7A][ NBUĕ ҅+HK3I;ML2^N3sw_h\8fS k8Rq}}>N3f樦b!~>?LOao@ Ju s!0 cLdi&2U]}pYnq|\e,o la3[\\Hl!e Ft)٩H[P,cm1,0"+| [͝RZ!!ù\ϻɓkkt:g1,A4o`Y_O{<|Ihآ87"c,ǰ筳S @co?G9UKmlq 7* x{MDkՒ.^07ӯVuR!?FIQj<ULKIENDB`fwbuilder-5.3.7/src/libgui/Icons/log.png000066400000000000000000000024721303637203600201250ustar00rootroot00000000000000PNG  IHDRcgAMA|Q cHRMz%u0`:oIDATxb?2O)F7 Ys0 B 5S:th7_0Dw^{o; 1DADot @ @$5,YT=$[^`^懼FU!3/BDafP ;03 "1 "8Ed @ɒQ!PP}HT),pgOBHw#>Lpw%H&!&& JD"w |lɃ߾}X,b,XWZ54(d +\"ɒׯ(h@Ar'?CI+}Ap ,(N^… O< +V;}⌲d.@gϞ8A) d e˖_&@d{,” _ d.@͛7?N] y&tRE YJK%s~  @۷ŋ>Xr:0Z },niA 8yKDH(n660orۗ*PB RA °e&PgO50ؔ.yvp<ؠ9Nm A(_W(%d8ȀǓ%;`< j۶nAAR   B@ݥac0S 6 30@ P,YD@n oRIENDB`fwbuilder-5.3.7/src/libgui/Icons/log_16.png000066400000000000000000000013211303637203600204230ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<sIDATxڌKHqǿq"P6#KJ"B)(P+˓x:DA)p:>mtoaKֺݙٙ鿳*?=eaz|2a8h/X>]׭ǐm߯ #~@튎Eq (rs`;`+_с3/ JO166Gb1XSd``)+WR q;G^z`޾?M)RZV|Kz6$X A$" Bk'4H- \ ((D h|8"rn$hHpXq@7 0!(D;Nή A9- f*}xʯ?v)x{Q{Y ;W&rA0+~};cX[(Ԟqh(N z&U\?*PuvgNp=*{jk/vӎ'qGIRT\?Ϗ?++iM!%Vv64AmWxd*xs<j@lDΎ4 }}P,V G&WFF.3DeKנ@ ZkF@#2O’.K^7/&'nYb%Ln455!77߹PE8'|iYS *rLKfNs[OU 4oupE q~*9:^N|©LlR@ ede)DӝNOL:]fK?hK- ɟL-r1 
Yu3ftODIENDB`fwbuilder-5.3.7/src/libgui/Icons/log_64.png000066400000000000000000000073251303637203600204400ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<wIDATx[iT랞}afąDEJR.XUV,#&F("X1ravg^νo{EU{ιgι4M6/肞p}'ȯ;9uuX!}rxr5t~~zMOބ;`,`]W rrXǰ򹆇hѻo^>FD <}-*!ʠwE _okB2F) ib\pṸP7~lFÏ݂-'t٨8(9k> xwծ5h Hs.Vx>-GgV0nep9h5<߰9Y0y,s!~a5=n.@#WYg ޒ30WRIӑSI7 }d(//uL*eu+ː onxY8]$%>On>LZ9u|v.`WD_FMS/n%DNK|Q'A+[_.EB,jvb:Cdz=? (|\YA~Yguqz%b !% KHxZPF|#'G겛PP7;/ 3\VQWTQɷ_=bP2@jibK2()m皒W\/gv#_# ᷀Ռj.0Ey}x-赡P4$6J/f8x|H-`ժUD"ON:8}}~M}g{9:޸q[;Zbx"\UD6RŇ%3U^Yun Oӿ܊zbᅧPI=TR$yfƄ~kcgS50젊& [yCl7+|>PIRx\Sͩy\&tK1v)7;"7m3rŔ*zE!T$e9ǢtLG鉅[\ 5Camī;9؂lRxyg=)a93m^=܎SOÙN$RlVLdK;"a'C>(h&Z>,`Ng诽g$ڎcRLwd0ۂ E'VGЉeȼ<V=NjNꆳ}>v!Qw ?`;yI\: f XP@Rs(,_Ņ>Uk]sTWcwJUi[S=)=5/; MJ0;jFbxh.e-T7v ЍsnlKKv4[?~s\t@<Z;kw&v jcE4yQZ LjC7~$tAQXUZTT=b5$!phО,#\US?`%MM—ihmN $|hj C'W*#zͿ`vd 0>R Eƅ?y `#vXJZUƐݨ,({V`ܜ /^ ƶI#[f[SԄR]nm ^Ew2[@_S]+:އwSO@nr*J(HH>ak?LYb QKL)]1aOK&lT#n\=9wFX_X+eJ( נ >%Wjxi[DžRJp"4h4*:::m"ޕS-[B8W  [eZs5 Ziʕ+{֜1['(7ڎB͖s!/m DrV>BTGGY Y|BWh6E'\jMFDBV{h@j}? mۑxe#%(XAڃ5p@q7GŎG8۟gҬ3A:4Rr0Xe=q;;נbx3SUJ>&b-;J/#[ū)6Pa,mzTn@%umiYe XY!vt ء.!|N.C4,-+!ៃV1n;HʧtSwXv;['ߵc`Eyǃ8l.LsZ4=K0t;"12ٙ<c&6S$%OvjH\O‡pL .֧|6+l2x*SiMUxauTᅥ9(uxkƮ&!r=x)o׎SMIilb̾r9fJdz,}.62 n [H50փ$|D|?ZW@L=̼#g(9 me7P&t{"݆v.|97D( -yl1)1_  f20Y/I?$2+gZpD^`R7lAk/d)0Inp ϝ;*i)>nK+? K_'~W8 ڜ6h{TPV_@RYT¶+ըC^y63fR4aE|S0g80BiҺ^{=umnMl_jj)!-!gfp`EtY? 
2l (S4H,c&ㄑl6}JpLz;R0{cln5|ue˴99,D5\7TFP=YyLQ."Mt֪#yk#z|naHehe4A.=J%c{|.fvhc)o kڬCYp =V )9ԜVqIT,Q}^kG웵'%=b[Ag 6HWZ(#L3XF SK=CGTU,PV&'ۿ𙟟-:L[[b>V1v5M=q6Pb1Am͉ɓ'\ O%PfM]q :[dEEEtuc'_;XNuv!ɶ/ "zǾ=[6xjۀ-5oJ*8xSq)yOL#:?B ;{cz/IENDB`fwbuilder-5.3.7/src/libgui/Icons/nat_16.png000066400000000000000000000004721303637203600204320ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxb?%H- ɤ'0$J32L,f5d9V3p2yʓ 1 ÿ=@f)s;Qۿ|ct/qш n&0 ^ /7( #ÒBF ~F_ T^'\ z20\ t@X8U"L H\,8 `NKIENDB`fwbuilder-5.3.7/src/libgui/Icons/nat_25.png000066400000000000000000000021141303637203600204250ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڬME]=5ٹ*Y"(<^b.Aɋxh"A xQX%he'fv̬3z٧_gpχy_ܲ1HshNB@! v.M *hw7=j  [.`hޢT,8be` v[&!HأdU6&4 ڊA90*Tt1a|9N.6('ۨ eY( Ek oe \x2ASĥH qa9t<z磕z4n c؈LB4ܴ5RAKUc8l&Y\Xi\\4.>GR׵sXzq D4Vxg(D<\Z1*!VMi"QT *Ehxg#?nb %d$&~?=G䰸MTǍ ϾasC eN?B(gx}\lY #MFO须I{4Ы~&ok%8qL_鿅_>^͚?, CȯmERz~3' S=6 cO\. -%6nNft=iY+I'DA#*+C΄m 18znu 8"Iܛ>NvO7 )hR 8(.£cj +Kp .Ј!AC&'XĹrJwG Wz=#MS/Y{+N.2rޅ<͐9Qrif̕X7-;½l5i-qZeD/[t@Ѭ< ǕŸկC Uݗ? 03ְIENDB`fwbuilder-5.3.7/src/libgui/Icons/nat_64.png000066400000000000000000000062341303637203600204370ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< >IDATx[M%G>{3q&Yh00[DDQ*qQt"č":D F,F%lL@D Ĉ Λ޽uW}73}5U]U]9;T?$";{T-L) /H)ϾIm_h>̱{ěx߫.7^cjЫᮗ,S<)BY26ԗ$;G}]O-=߷:CË2Fe^z{`߂\P\%P/^zjiZ)p k EmJʿQ~?Rg>S9a%mStEE.LJwrMe$.t/߭t\Bk*-}U yY#Q< eȶ=H]^8YMet=$Pj^S3qMNLm).ycLv_sUX2v3] is6֐1-t5NtgyVԁTI-Ea(Gw*bD`HYW, M15%@ʆ˝u'%<0IF8PKB3<9f,f/[g-`tGјP sҝ* gT&9L8'H테gc]mDMڎ =Gb{)]۫ժ{ǼL~c[5D~w5)e .`ZbrQ=Sd2:o8R,U ߦV82ϭv6}f:,>bt}69 ." e5b[K8~7M}: ȶQ[i~q_`e@GF@:3b(a8 Fx60 S4HmH%VJJan? 
H$̽6&'\@FHiԣĆUM /: lC\=ćC]0ҠHR!0 LH | fXoL`)@{(ӌFp S&S6v9}@h$Uw'Q&+,+Vf `&4ᳪ@׾'88888=)y\K&{qܟBCc$ffiFNHL,0n3Qqc=M&Qqm $~K:b_ xwӗ#/% [Wg![樷S٩z>qK]꤄oT؟ !O@\QG*Y }M;^HGɐ,sA$jiBKa0€rsǏB[!VpIImCUMD`IK '#[6(ܞ8<`!1;=G' aLa`Xrao>H|B%L]]⤙iK X%d "t]@_Z8!CD(P!kGcoS0⺹l@A)Sf8Bu1̍c>k.L0k3h 6?dYi?Խt6S<F=_^XSMjZ a6YZ;q3UTrR?u5+I9"> {:< Sr_2Wm' r|l0ݠS0gª`P)P؉rMDhd 5nAoO˧?=-6D9u(ꂫC|.jZ@E'J/Tx\~so8=ŧg]Ϋ=EK}x" fQT1ϼ+cͻ.&F~~}XG ˥;1!ҾB[Ak{7>o/B~7>+Y6xpn$6S(#"pXBlN(3̓Z̞jAc7cvw@mH||QɮH:֊W99(KH7gZKbP`ӄ!8ƒuN6[ I'9÷ 'ȕP$ٜ`|=5|9\\"Z6îk,%|5YZgd 0Jv*EpW=J'@t Haxs2sK@474mۈ88;"$dbO!6|+8~ i^;1ĵm;3~s'OgĒ%8"G|ǐ5yWC| `Gh+6q{׃W* jΘ.땊3\v[(`γ"Z?1f>z!YtLS{Nq)8 61: `Q4V1 %m4Fu#AH@&JmG%yqHAHqwNibMv oc"$:Qs(Dmi̗4N-Nq~S^p=؊dk? ]#d91tM\59843O:gl@5cۑAXD+i:; o(,bz[wk?acߪk흊!`~naInGk(@Y'(am(u v㿉@`rɳ,f6tݤzX\ԓSb1rg8 .ǒ<X; SLnl\uWtkK,5*ԍI[nd{[|/DB`6wJۀ}:Uf,g~7fy؜^|OFqQߔ$=6qK_[4#gZ yu |sh\&yήp:1M)* ,E΂&Ws϶yKʨ*VS kyrS\%}fqp,84.0]FuYƮj0%Yxlh-zQxN- 5 K'FTt7] ̺n:IDATxڴVKKQKnTJQJuՍ 1nW.ĕRBѬ;Aĝ+C%&6i&3s{$əǝ| ]ic;ŵeY-sGXSu|_n۝o04ּO+Z)Y(Tm8z9+e:Hd6Upk5U(rTr,]ee#_!|#0S7\BfsbAR)7K Еm@$O@5#aټ ҅e:-e rE;:ʖDh 2= ZPl{QT;Aƀ@Dwu %KJ'05Ar%T 1FLQ *Ȗuj&57o9 x!gB\jQ3Alll&iꪷ}{-uCܟ q]]^NłdHT@L򷅾]4;c`vv9liԂsMt2&JcXL$ILZ*aT?,$H$40>>Ϸ@/// Q>PSRt:- no==ҝYl6 MD~Bw~:aA?IENDB`fwbuilder-5.3.7/src/libgui/Icons/network-ref_25.png000066400000000000000000000020231303637203600221050ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڬVKIgzf4aͮ mA< ^ {nwfųEH^<{X7G5,`r z踓ўY[q4TOWo !Y[[ٶ 9cg|GTkjr? kX{3o fgg5|/^&VarU2Y?qŸh8p19[SR"!2(RI(c|"<(Z:R&? 
f΀A PV@!PmR7l :zHP|uuU ]'bR rYe+M4 g#g A$0… !5E1a~ ?.L*(ĸ4\2mAZ[*R]J/ sᓭ JpI[IENDB`fwbuilder-5.3.7/src/libgui/Icons/network6-neg_16.png000066400000000000000000000010161303637203600221710ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڔSJ@=S'mS)sӝZk?}UKREݻA)n(U$7iH/\nf93'7L 2GɝETu1`6Z.򛝎|>X,Wk۲.PEZaDF}_Qjª&I[3IWȴL(iȞBN8 3DvYX1bijo 9/DU%""n([acFaZ%#B*<9`HGxNw4ʴ,,rw~a;e7G8mn$;kq&<ز%0ܓg1!\NV.vB&]A;; zBOs?& ATT+vսz`5"6IENDB`fwbuilder-5.3.7/src/libgui/Icons/network6-neg_25.png000066400000000000000000000024061303637203600221750ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڜV[HeU܏&5;Ì3R8S4M63hLЃMTJ8Z BD̀=HШCSD=s:s˾z̼wk__ko1#,oxx8*$I_NL&1>nl!%B1ESSDj_W$ <ٴic+e#i"a `ӚJQAA3@iYbAY iH@ ^yHA:"[n,3C\:TEa1$ qB4-!nK0). >E>=>mPCś_t["QKƖ\T(P,J-Ri5&s.jx]fff؈1a||(  D & iRc(v܎9CgY@O~pΜ}9 c acccp8 EQ I0,k1%Bzzzlxx$TP" TFGGi({$h4X,&&23ųנ$6C`-iCHHVo&dppX * h>ADt"#mؕg "W@ AVGUsR[ۧ!Kd %C J $94KH C Te M뎊]Y(&cP2!e{Y(NQ9^RO:C^HzsEU2R7H1; ɬ:ՠ젫릐IgT@W<$Ϗ4R'Lw>N]vvvBCSc~DjlllAL >sxde$'~Wϓ%uּ7Z# hIENDB`fwbuilder-5.3.7/src/libgui/Icons/network6_16.png000066400000000000000000000011511303637203600214220ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe< IDATxڌSMhA&NݸɆB[%jBSDċCN^PD{Q(śQzPkVBؑofJ}x72(l2%z뺰m1 AJvna-R-jݢVڮtL=5Ӆ$dþp }?&'LN<jv@΢j5oB'=a4poF711OdW.y7 5Y"t)P%""yԛ j d‘me_ <OR.L;W v'q r&׾~#GqMߩԿ¹U^VUfq1'Xxh4"L J%./\0pOV1q7VZUze !`Yx1~Q"s f084ʡ Hi|x$yKzXbი66Lj`{jwu.6dhRs^E dIENDB`fwbuilder-5.3.7/src/libgui/Icons/network6_25.png000066400000000000000000000021551303637203600214270ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڬVMlE};NjDZ_ZZHZ8q'N \"TrA !~rhBVqvn3bk3{}c&gaa88`A fS]!GQI|Ž|ccc/cfffW 0 ؾ09Sr Yl%XT*#9 CN E)ű $H*YL0An.) 
`ijNHqR9yn ")D-\&5x (u0MN"JVMhP}7r&@bT7a) 9ᘭAE&&&v5oqq%II"pɌja w64u[j25](3Tʲz&Mx$O%P"v6C#l9HMF`-Ł~i*Ek^ͩ.bjjn#!Z";S''_W~WkTU\..UhJ)n]kS~m)[7O[@]tK믾s[#VǷ@%"5WԑrɾL&:KWCO9~u-) *1ub7quRlѠoȱ-2Ul`B1g;~qkLԳûϬ%s .,6N"}:4ŕ+ӝҷ<ܡl!dAqZmWLׇOgowWG+::/񽨦,x$er@7FӺR6mk(ݕɲ8yxIxO~mR6ț 5]# '!S8dIuyM@hb<\a3&6kl 0 B~/:H0fȃ=8Owȶ 2 };>ݚMCy.6*k:&<Ё0p: M- "GC Z4#@?WqX$jehA[F]_feu=(g^@DYQgYtl3w @zG8SҰ9Dق{+,HJT$}{ɛ@-%!f DEEԧ<{;A Qq:;85\S(,9``wg !pTRpTA4!MK .G:9 e 774nЅqAYRDS]B |dY dpFԚ{ޕ [sbSzPZ37 r֩䭫)”ɼO. !  #)#B};3x쬄, p,"ħ' E sܸl4ߗDp-\ h#ZY c0:7gnɕ4kݣ Wz MKfWDJ"4xFo;dJ٠H0reh3#ܽH/rO 0`LNXoeeb"Hg[5 A}{ U0 aLBm0hP+^oܠtbp&MyA=@|VzF#*WK\2Y[E"x_G2-At-hz@gD@;c= LyiWs|2>h x䂀rJ Rd9wX2y'C3 B_..Gޒ 2f5=Q! K}Þm`Qe5wD)VV@ʏI/C] 1VUAQ )XG1_H§kGrj7hh=υ (IzXJP|o l8IkqKԃA&\pܽr=WoIV{acX X &gdpK n]A#x gD@{eWN´׃¨X5A(,>&)a3 Ù5j'Y=1ɕYknW/\7jJ23qwSOcijK>Oƛ!Dej݇yG!|^ 5g.O\}%0,Ԙh9D'f31Tp__8p`_M|U;ݝ&ݙNN<72&&&d?"HВ%KD>f(+8pdȣsRP& wzZ㑶T\ q#<}YQ_m%|QP=h5F*bfbR)Ӂ۹\gtb E\2[O?ڵk?n^> B&y^w_R[dV@.ƍxbjii[%ΩaLNNJ@ضMPH "W-Zth4ʑ3G!!|>(4y`PwCCE"Zz5577;.xݱSt 4 NRbHOx+CTkںmcݷ!`kQp+̅]/P' {6|ǎdL֫Od_7:_M_o_Q'3" 6<=Vѥ=qfStϭm7E, G7w啕fsدY]ח(拌|;@So^!c [.s׹-w]/y璻*C:(WG7>GG]XDi;{N޹䳶fnܸ<b١v=o٣Ї`>7ڊ6Md;VN^ |2+#:)_?31_UR]n߲%@cRSzˑе*us3g ݴiS/q:9/ o?wfblQe(|y0K fy7YP ˱^+N8n6l-[ 4wrTk)<kna_!u;6{#FVZ5Շ}qHػwנm5zJ)ԟҬ', Y "U04'>>>|DzFɅ.Mъ܁0M zQ 4B7u'*Oj8k~el>Kqw,C 뱱&%aamF۷oĬߌu/!DuLQ`jK<4LWAD`dÕ Tj$))Ьk*nWS 6`%Q9~vt-Z|-x_'ɉ.ZG[m3o]u =@lg-Kj%H+tCetнPH&I9Mf' R.I߼tԩniL{r.`yW/L~ճ<8@J\ث޶x#_ʉ.{ĘLӃ0͛sV2hz LJݩ?c֭[f:\O S؊PblPbh]"HR<7<65lFHf:s~Oh0J+ִPz̀~dRtQGӚVjkt;G)'[;1 1 @ wM[BS)5, 0h(q+Nk(SN4H=WTye b&)Wȑc2M>~92.,T ؊ ֕X*=B*EU1&ְꊣ@Q(T~γsA0ˌUC NI :eŴdx9E%2֭k`NJ+pIENDB`fwbuilder-5.3.7/src/libgui/Icons/network_16.png000066400000000000000000000007771303637203600213510ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڌNAƿEX=Dcx2j&RJ  @aovD ;,QD\rr9%0a2vRJ *9Wvh6`0`0@EH7B>7J!&8D tܻ VaɒXK{YVHo ^JE"b |)7r?9;[rM 
u+Y5{!."0IENDB`fwbuilder-5.3.7/src/libgui/Icons/network_64.png000066400000000000000000000047571303637203600213560ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< IDATx[MoYGy80(HD0b@bC$Ď_ ,†Q,"e"DlXDAƞYFL_U @EW^nꎭJ9{Oܼy Ny`ф;1v{# ƍ8|_$S#ݞqLa˳H?K ]n[m!WDak)< KZosdI7I$6 ( }cFPhL@F+G%c(8_I/%!šHГ*sh}O#|( (\c` -N0C q1*(V:R<Y=+̩Ey>ǽjU_@OfuP  5e@JѪ9F; %%qkϼE [~ ✂crg\Q6;eؘ$"-iud8A_I2W*J}Scb^3s  AyKü{ڒ=s0  h*!YoܩF{MQlces 06< RMYJ5IfDʁ% +%gf `0*V)IH#Aq,H62nNQ %PO׮)$dN0JC (ڻ'n << z[tf54ϸm$ > 0W8[20ٴڟmdTv\8u8ґ$ _Xy'/ڻ,y8*{x Ee#4k{ 6wʸ{(7<0x*W=W 3P:gB&f&)i|׎Kչfm6۲z>!B ?sH/ڻWJI鵵!pd5&Gij]%eMЍ4?OxZzIْ a{2j(԰=f39U$06׌aYic0c\㝈]@ybUV v}x(t}@bdPwl4enɔVj(6@CQG8L>(kH][ ZQ%R@=^̧@dY 8g;?X7|~W(+;j|dCbJd Ib4U A }eG˶9h~O=3%h*Te>eO $!2#Hʺ&fO,x+u7c,x'U;ek%"P>$ ԻRo/E6y6YZkG< u IZ \ 8;_JE Ի^/6ZGlg^d} =G,u@WBr/xpNNPw* d{+rd5HB\S}H@tJIF {=%&f͕_ww|// ۓywߘcZ|{lK?<J 1QK k߿hմ=g'vi9D||LYxmXYs9j?/(ժ-xw~w[ZZޭ[ٳ??}0 ?(_Js :`c΁r[\"W?T*rԩ Hpaa87+(`}e}_dhS'U1l;E}tykò+|Ocޏ$S:17M$7^6̻N+ڵk= @e`R 96q @AdRP9AA<@10330X@^ 2@Y0DD 2@!V> bDP Pe@X!2L6MDD !1XHCT @2`6\id d%ǕIENDB`fwbuilder-5.3.7/src/libgui/Icons/newobject_16.png000066400000000000000000000013161303637203600216260ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<pIDATxڄSKQ?w쇳ήEBZ@T'_ BD>؃HAP/=`lFVkd:ۙIW5̽ιs1.St'ZUs7 s0F:877| K_ >,}r@lkoY+E=ůq9X KOJkxN}3=m33Lyu9m/! @fYskkW'&hwOϾz.AN/yYjrbj= $J`3M0Q5vbcR66V-:.Sԃ11@?Xf@m܃yHlSmccn#e(`ӸGpZgx\b d] ^by mQDC嬛\άf cL!΅4H2R#OG ˋ\9KO][U-z4,'s޿ ЗR&%q]}A=h@:0 #Uf'jvATDd 8c(Gܶo7o3`\xoV#b IENDB`fwbuilder-5.3.7/src/libgui/Icons/newobject_25.png000066400000000000000000000022461303637203600216310ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<HIDATx̖]h\Es/7_`6D &)QHӴT)VTA,'"X_,"h M"$MTLLMi̶~d;{wnM837sΙ˄1KrQ`5f{>žJ 7I1++^%yJ9)ꬻ3pYxEGb~LO,]7xJڑT8m+n_Vs߰m脑OqC/0BlgII^"'SUjs7lz"&kLjCn-\y]$Ӳ*jt仏f:Z;:: }FVǾl[h'zN|! 
V*.=D37<#g"}Wj{/|lY>>К/& J7 bI?<0 xۻz:NF-uG?Y4Q!9*pSHEVS3퓨g#O +z ǏAΩRUW!^By\ qe  Kn/ "O8$L+A΁n#m@ZBP<9v0KD&Ybr i-/XoklxP38Ό{7a<'p}C`%.~^$u 6 LuqB([ R+Wh %ضp} < O8ǵɩ µ -]0E>` a*S&h tc=%M5)PԂsVR Vrwl7Ԅ\"2 ݵy>p9r ־PysY#$Qڵ|aF;(2<tjQ=Q5j`s֖LrJ&6W~ s\s6 JXa(U+<м0/"oNczj1=Ist+ht3Rq+eեXc/J3S{B,H?_".O{@V*qfYA $0p-ld_!{$koƖIENDB`fwbuilder-5.3.7/src/libgui/Icons/newobject_32.png000066400000000000000000000014331303637203600216240ustar00rootroot00000000000000PNG  IHDR DgAMA7tEXtSoftwareAdobe ImageReadyqe<`PLTEfƵDDD_q딮9o$TuٌӠ *f#ܸ{; tRNS\\IDATxb'`( VF11A`q .))".T) ĸA`i1AqI4Q/*.)+ @ $88  dedYQTXDd7A@GBI@H<4GFEVVP L@KBgcc>> tDXI@M ?yyAv ) n B@ + `\JJ]T! T7$GH77TPBHZ @ 䤤$$$xQpr HPXJRS<@@Hb*+$ r?7Щ@WHKHH(;; 7!k [W*p(  In Ap@|)@P(Jd$! A Da@I@10 CR@ X\@10cp@(0IIENDB`fwbuilder-5.3.7/src/libgui/Icons/no.png000066400000000000000000000014041303637203600177520ustar00rootroot00000000000000PNG  IHDRw=bKGD pHYs  ~tIME ,$"ڝIDATxAOAvhb[ z0hA+jHb0K[ڡl˴z( [xd{o&wP jsn肋įHZC`^mC" ELew]wsifl;s.?Μ9B (GgbSJX6el埙ŎM/ >34'N+Q/q ¹JGcqv&'T TTErc:ր<#I>vn F 1VP_E4 )[v"qnyהA_HL7ƶA,F5@,dL X~dʌV}aDJw/:+Gd͉9+Y`!sorјia 0x#4ئ8x1FTo#Rg`ZEF5$*hL޲}[(xg;4{Pu5+j,~3aaK$ .Ʌ FYod< T)Z %NUr+6t785ߊܻqZ_iWVRWs&‘SUKPw48I,/soZֹ*jY+d}/X1-$b_(IENDB`fwbuilder-5.3.7/src/libgui/Icons/object-group-neg_25.png000066400000000000000000000026671303637203600230270ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<YIDATxڴVmlSU~(֮* Da4nHgj&d00A(! B`#! 
"ְe ls|mA!x{s~Kc7i&+.=):VO;זxd"(z@v BR!5L$,T O^~?͵ɠ 2bMmEO3x"ۧm<5g 縞ܽj`3(o&۱Fq2݆߳\,  A4 i[,vkFq(e aNB <Kr$RfhNp3 ɌS0VH< c`"p 4B_(ڏN˛E%f<(S,$,6a& 5]x;Q7}`u tPN_g1D^>(i9{lt@PFbM]iv@5tɤ |M%E| HXj>A+v% |f Æ  ~?444@uuut:Y1aLad^7cmm-$ C1'z۷oO]N!!4%Z Ddz%!GJJJXoo/- 65&nJ^/_O[||J؆+c6r\g|044d8QyxQW>QLJ}RyO555pظq#477>jiiCkᥢُ{4>}`ppv@;LqiH4GXx3؝IENDB`fwbuilder-5.3.7/src/libgui/Icons/object-group-ref_25.png000066400000000000000000000027061303637203600230240ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<hIDATxڜVkLW>3]^[" FE5Ӛ-CI&5iZĤ&jZiFښ6`\aQ,˲;˖]$_Νs7c d})"ٿu$cfԾwUыF&雤|jxkE5/j8(Le꺝]&J;Or W~Zf$UFp V$p|@A}{50U ,+sB/8~"8<%^9kj~vSBE(8ڐǢ`-(rO&5pԸuL^@Smk较U W`IZLMLO8E>*%"TI0 j1b'@`дJ(D B@G4AMN- I ]Sf(̑|9 $Xو©@NൺCZ1g),DkTm܅ns*WB.}I !Z;pW0C^ E/fx3S޿L T{pXp(|)ơ=\7c`q-<9( <[ Ad,DԪwH?Q5$Ea*Hio\;ts*9@ FH7$8ٞڽ90C, :9M>M0HpIcfAJH}{*%+c?yxadK"FN-|`@J̮ Q1zXSԘ)q-=H_I Ϛ_b'NHwD`K,ijdk=1dN~i1Ot>v),P3.\:8p~f3a}`1v"[( #IΝ; ҳx?(xeI(42.gaF CS zhVI<eܽ};t&C1Xt9.B [aajzH#Z,*9úϮs2[gI6[4Q|32vH.H:.'Zd-qK VnCKWj9=l,nхh="G[hB0\PI:;qeV Tl2T?|Y;vڍ]͍\^>L'^ı<ʣ'hƫeWkH8|4i) PYչZ0FP}G{I?,rj;>/s}t}ZR b 4D!1`!&$ "Hb"?L  D"eˣ- n>vY8ɗ{sw\9ygsl|_Y{;#ѺuiglS+wtl9|6oیL?7E\V+Il8-Lp|[77w t~+Ը#l+, h'ˡ)8>Qz*jv_3kgՀTUYZwh0SE@dղLGo ݯ%2V + ũ?F4#S`2Jl$elm~%;xl˂=ǡwҗk XtoU?S>=nZOP̱؆ΦEpW*YR[ =t(jˮ*욊+տ;y]867 !($XP] _MCU=|B9hj fl1mnyߦb)(EټEBmGlsH1r6C1`/& As$܁Kh 53$L 'NJ#xi:E1T(Ez7jK.LA 0=F0|O1 xuߒ t zRfZlj}DT$IprA@7L\ʉV][EܰЛ`Ծ ؝B*V ԸΌt{A!8R3(' ܩt!I~BW>ŝÖ8IW㇚֍(M[j2ыB4ލTH{n/8G(K{ZvOb ~ Truقc'䣮[ܡȮL^8DKXR\:퉱58-bL3eB7*']k"j%ynQɫ8]y{#spATa<2W+6(21WfTtFe˪iȁTB8~B8O3kM41Fd[_[eS O͂^ǁE:IEX@tջt$Gc^k")#ȾJS$ͼT-I?ZJڔƳ*&$Q Dȵ㭇!)X.UwzZ\ҙ^gCM(v_,MD1.Qcs&"{($!WIt؋IENDB`fwbuilder-5.3.7/src/libgui/Icons/object-group_64.png000066400000000000000000000126311303637203600222530ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<;IDATx[y]U}w-z[gkBSVTB $DY$PEJ?t j BA"Em'S7vbg{wߛyo<O2Ngz9s,?u>=.?{߮oVcfl+wxK\cF~ 0(nz .}?_уRuUBrrݸO2zrmM.o rgG\o8T~K=Kz).) 
ˇ˶ /r,mH"#:_64u[q6z@<8Ok lU93卨h K3?,\?KKR,1$H\<zҞ0XY[/c@ 򙈐0ڽy,ᏝgS4Do%|o{[o&b @i,P[gݤS'L0y^8eBio+y\21O2)t( lήavKĘ7S vc_!:x%zCݲ-_ I!Mi4ehoŠzd"Mŝ * Z*L;ܺ:A8w.psCS":ss 4Zިĉ?O]ٳ- m! 0 iJ]T5Jj8CoU_BY+*;`vIJ1}+TEmpZH_q {+[ Ĵ\aiYZH8+rYS*7|mNe{ʰoAWN'ٷO^@nȺM\xqFɠWъBڈU}cW-"M˸JVeК(D &Eʛ\A@T#שrGR&+`o>.#8iIsqlJ?gVRX+ rlW[H/lp7u{)0amjfElW:g͘;@ys#MJ|zX.KBɲmSrR$a>k2khl_vX>b<'a Yy"j1~W1zK(% M~Jr.3eN o7c9>jy P@ Ȥ] Qr >_t5]d`寔ؓ0/'\f`ZMa 0AJyev=<#dVefiX=҃k W!AQ;s-eaNQK6e@Jy.ɯR6tL!H< 5I!#h m2@P l&?a~WR: ϤT>҆`iH],C1X?D;󂭔C>WіV bitRͶ$zHzm.9_=niRϰ noٞIO1R*WT]2DMz_n$&dEOToP.?=>VSllSO5K-{212-1Ā8ͫ0 ОO|Gc˘uaE>ärmj Dgz2dlܣaE^Om= '>=4 rZTذK M|[?'"δáQ-2c]AQ8c̦\ Ä<8e3_Q_-_vpXYJ9s=G;njo@z O.= d+ghZ:W)I8: sˁe긯x6][!NO07d(nG\κj"%[< ;l.z˶D^^Nb7+oh7UvBRt i98@+mk3[0)_}#c<%D^9*п LX ښ \ BL`F/ܿH}cT%Z+P \!xɩTt(Hw'Ѡr h9Ws-ìZhV^R)sJo4Y((bst[w;wr3, zi\i Bec_-_X" -Uavǐ̷6#}]I@t ذ%Vt .@bd9gǗ4)`Vࣁ" z0*!.ﻜ0tli$&h}/-A,keHKgW]vR`cmp؅-MpIZSUSpMrGH"tcTL0})L;U fθz]$(>͓k[^˜j.U}xeJ&tHKb G]WϸK"쀄g4Aibf$vS WlM_|C HU=;cMtP..K3K/!>U1btX#A/h5 ZvS O)tK8]e2l(17Z jIeh9[je鋱Y'1a&p1jژ盨ZF]T]+gsF*Ir{ ð%Eٴm>aKLRL2BY;^˕;һ&OExt8}NHwa+W: z`\+@*Ms-rWR!s>W;u#3c^VhK5J˄۔Jz}p@1x%_F`޾M14As@%* ֋LTγWxlO?HΘ]N?=]o-!x Ǹ~f ^os=xw} ~QP=Hߥe*FעG!Ezq`;1_IENDB`fwbuilder-5.3.7/src/libgui/Icons/ok.png000066400000000000000000000012541303637203600177520ustar00rootroot00000000000000PNG  IHDRw=bKGD pHYs  ~tIME ,5o9IDATxk`?K)[*x!7!@+xP8ۆ1az'du+f bҚui%fⲶHC~ᅄ V8tM ;Ng߀i x8@é!vm3w_2G),am|ϥ)ح8~l?Ve {.DEբ6s=Ib +TQ$VGdҩѓSU& kJ0"BHaqPiM^#3uLuM &&{*A@r>g1 ύ3|Ws[]SiE,,tuL]a,YL5l;j$'=1h~4.~PQ2T05?Sqqڝc%wn4zkxp^j0.Qwܽr|ϥP.`f|/mQ{VB.^č[Wi?0+%2Y^iiy56-}Kהdҩ@ה:։~>]IIENDB`fwbuilder-5.3.7/src/libgui/Icons/openfile_16.png000066400000000000000000000014241303637203600214470ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڌSKq~~wӹ.R!bbARшҫ覲$". 
L Rhnms6w{?~Y8y9!R\T뱾^1>25RLXKkB0Pdf'rkSpbZ&c;ɃDpt }'ΐCCgxʺ0ۢ pߨOw ne wOX2Ή Rb@_54txv5!Y^t'_<ޗ*7{N#Uî3f WGcpNCрg.5W!q޽| 8͟Y됭_Pd˟5Tb||5zK^2{A|" AB֏ML^Dq \ g@$mZõ`((8ygid#}mO,~#&ތ<:'PaƏ!g:6heoI4(}.mҰ֮a`LMK4G C8nԘC֛"&$mQMȖN5-O |T6@WB ,&p A6Bj= (u+Uw')t!KYn5jA->Nv#$tq `CvE@?%.!HW!`-AZZGc9`Q@0"쵥< ˨IENDB`fwbuilder-5.3.7/src/libgui/Icons/options_25.png000066400000000000000000000022621303637203600213420ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<TIDATxڤV[hUΙ33;[bmk+(%D)"EQ E|/퓈⋾bA6HAԇS(D/nQZJϙ]qB_B\ደә_3xq)DyXa3F~/s0\sǘpZpH-;5k:nuWw{|/]-peD"xr.MFvĝ=\ZÄ ~Lbۭ: ΋6Dws/Z;Xq<2=nH`C;"\&}j.41 Mz n8KrV F+9J{kza]J,s1^r?TMyr^Y@܀ZDq;6zhqer2guˆ"+㣊{pk`6Ýu5V?VIo#*aVޡeYp׊'#er<g[VU2@/FD9aı rHzr,* ʉLX(HEbqAF1,TDۥkbIԪx g;]JYg+]#6 )J I ̢χ'Rr _s)Ū+1/$,;/t׫Jn[+]̀ST嶬eof*WLw9R"QU+5U\TuzU$2$k7 A!$i'Z=QTVh$ήHK"kZ#ZʾchURO+ƊGiG} ]NF9>T^d0ò8? ر_ 2֧IENDB`fwbuilder-5.3.7/src/libgui/Icons/options_64.png000066400000000000000000000100171303637203600213420ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[kUsf{>ܲ˶Zbb!B&$~` "5Q>ZE(y@-v{9sD{2~ˤHoon/ ! 
3hn W9IKk@̛7q=WhŸƋ$ Լ Ra+Wsg灚Hc`yh49q dE{h-qv8d[p{sުQE %?mژ1^+7- $;Hq{C67 _4YAςplՀ T`,J?cgKpn2_*+2GS'Ojb0,\Zͳ'bϕ40cN!ɗ|w|r~{)q49xO܏]Xc,&XLr-ʳ'VɴQ59bx 0lb(+0$`y9lQ`"̙?>ӯcW*hjϾW(W( MKѤ ol@&5F cs-?[G68y: r?*Z^zzh#)IV(J1ůN"C &!(uC~y+8agnc%˫[|(b^ AY| L2]|oB6 sWv;#{161LıEkE\[|ؔ"H*0-IJ$vD=%b}(68~Sܵc;z7LiS ࢮ">^s 4zɏZ:Aݝ>{<za,87JcӸdXҁn;Rm݆yN#3Wwvbc/3|Nq}PEr%OZi>&D׃ωۮScwϢwcJM˿cT0a>^d•CY3Ϭ9g 0j;}$Z빹hKW&u.F߃;v܉eWU 4~+6c-G;e?fJ49az' J '8>m{.1%ݏSoX q^j/OFRf>ϝ]zd ؿ/…m*k2$ L28*Zj ȾKJM% Ck~h*t.Pu7egFHǵ y;wd8LѳbT@:baTxI2dIZڵ ۿ| GӁ^ /ƚ)gcEӖ ߡ.i$6)t[I'6޽KVѐC}VձqwH`Xؿñve_@"KZ;K8bDp\IG*Uf`"%CSZ֧[j2c@Ex (x2.Xەu2289xP,АHCe-JuAKVO6-hw`8e->:z'bHVΧd:O@ >mM^H*}qC64"jJE G$xw@ /OFsgypIKWC$9 z"fIpեy)Ψ+9S7l FXH &hddX2A*#ΣBkW<m|<& ~"y *ѰƮ8rbXE2MQZb.|r4^p ^JB %ʜ r_ ΏCg쥚g.ža;ngS'%RQm pB/ Vtr!4% "[wd؟BdF}7*8?0a!hOCw.́5O;:5>q2IHUxx-su#e3(!Z֖ ^\B ^1F6'Ƒ+ٹvR)j_BcJGy:Hln<HRf5Q ]MO9vkhkBBB`d <ݙܕf Pqpbt d>>kӝ{qo`x/wIENDB`fwbuilder-5.3.7/src/libgui/Icons/outbound_16.png000066400000000000000000000006131303637203600215040ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<-IDATxb?%cxm`!99J L312212!M @4Y|4~8/4{1X3|G 1yXro >y5_XY}|1j3:r1ra-W(zr(q-rwG;N].8wٱ5@kAװ`ݰVfj1~mȅ]qQZGذ` ҇HF/SƭJɉɑޣpX06N8_Ԧ+(;A6ՖQ94?6u03KIENDB`fwbuilder-5.3.7/src/libgui/Icons/outbound_64.png000066400000000000000000000032531303637203600215120ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<MIDATx[[k\U%sIf6I4@Hی$m jWAA> > ^@ T|E/Pz 6\e[3uf&M:s2;,>3g&o&|V::뀮0/hk}۴ ~pqvJe++KCLÄ+'N{>,zǦ0:Sn3Dx@1퀮91zx?/kݴ/cFeNzb߄',H:giogũЗ(kTPX. ׋Ўu>}&HcIgSaU*w0t7!կH-0 Nf(1g'g120הv pc 7Qr ҔD3B<0<3a)^Q߭`-vi^E4Ƿa$}W"(W؁Id¼ySnQv%&7ÏB6sw ٓԉ)0 C]Pq(T%+Q:( zLTCtާMJޟ9rrG~Mէ-TAA{6ZgYm'WmFӻ޿k?v^躦KS EWƾw`t)~0g"R$=~X(8% Vk >xLCf?\UR%#|NS؞ٮ<>_#eĹL8Lu3X`뽄++z mO_;Co2x|4[^ "c"#GH&Cy D39C:˼Sx^rWf^^z s?9gRY7mbWU'ԏL"oV)+W2vU ԡSΨh@ ltV]_)U D՟Id2xXk^8G_n}"H~C9qޠnN6Ow2 <~Dj>^)IR/'`|DP 0(thh>V w4sm+hQ/ =*@@VR Sa3J૯/E*;1e~3o<Z}## |b@;ߔ]OEbi -(S,7 JeEC^,X9hEKVbBk*lj>>~ws󾀈@Ҵ  +t@B2 6~sb=96}! FV~ުa*yz!E#!u#xx n%~L}JH4?FLС [! 
::{zR[P>|![?&&TVYq?l]G3+Bbw_t xj*\ꚛx2L50pjmp!fT< H nbOfd@ZMs\[ִgo(|98C LNJ}tK4G $89wo(^@HχA- f3*} ds܋D$l1-\%w*$_u:4̈Vhj9H"rMa R 23sEEZqb⅂N R) wqUV`c/+33)7Etvwn0K3\ @T דIENDB`fwbuilder-5.3.7/src/libgui/Icons/physaddress-neg_25.png000066400000000000000000000020131303637203600227410ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴU[HTQ3:SFOFhjjbPһB1?"d SIH%c&c +#$~T :)%Ng̽Ӆ5>k+!~֎Yu*y.@$Ρmj'Xp%GN&3dҹ΁mͱ!Q~#hWw* BqE1NwY&KɌdQ†p$V|,Q;Þ1h,l>i'\/XoȥY㮌ak!c|)2nPl P\=+ ᚚ>8S T)j$%21_OIi`Acy<̟{EF<~>J(`8H?zs0THV^F2[Y +[^d|Mq%KwЏq󗦿7oXz+n)qX[PKRN'acm-yßET$ Dyy' >0h4 }>8qfb%ȑ ~$*dKݒ|-\9T[8kSiMW}֙l:`h;R.(Q2T'UV\EC@}QM\5!LT\I:-ϒɹ9xua *2GLIx~%8Qۧ+U*#<P%mŠ>}zgގ;xD8Z?h(u=FZ[ڣ*:4Q}J%bB>1$-Eq\M]6ZjG Gvz{] ~s\̫}J>bl[P *`-<\O{_? )J> >IENDB`fwbuilder-5.3.7/src/libgui/Icons/physaddress-ref_25.png000066400000000000000000000013211303637203600227450ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<sIDATxڼUkQ!5`.'KXL!cPiғ`Nz& VckoJ.PDHbS(fҤv7ہٷ3.AD8hiRjdTds痰Dz|Ce@3Q 3 6Z>x'fHe%n7Z(H:ȿ݁:뤓}"? 
M3K zƞh I_Lݽ ⃌JVV qXyæ=g,{ OoCCqBz8qoq{Y_vM_UYa+EiM@*XO:6gkqrГ= |8ǂ\]A^K:''ߒi@f1ꝍ\$IRmb:+ 'D#j!NC(b̐j0E`Rp8n[`"t+(FZYJ7سr z9z̡BNSU.a,FJ$ |P.Έ3aD @bcl!)77rAÔd2eh0bK~4#<(`m[OIENDB`fwbuilder-5.3.7/src/libgui/Icons/physaddress_16.png000066400000000000000000000010611303637203600221740ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڔK(DaϽ3lPJfʚBc yЈX EQlG!%y6i{f\ʿ}sw"enP3Sdmj_~BZXY G`۷۬u}쁝I8:l%x,~` ,% M zD.P`nQ9~`R |zCM3Vʼ]S5x^+2Sf68TL#;t{[+BL]}$%ƤR~q'-(h}ͭ,ZP}H%t~67}!|7v,H%5\U1vV}<_"4&{by:@AIeI0۸ 0`6^WXȘ4cGx=2[gvCm&DBԧ/_V~IENDB`fwbuilder-5.3.7/src/libgui/Icons/physaddress_25.png000066400000000000000000000010601303637203600221730ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxb?璬[Y'd S0dߒ dg⣫AZS/,\mlGA>B+њa "rX-xdyL{ԃ l`+B2읍G]lzg0w|$#8ad5q-n31FXfOQǛ^ιɈK.Ex3b 8 ?w^`ħY{skc:|id@4'IXT0zLuob-#]slg'`\r <3.0g0@ N<8NVޛ ,/>9bK{CNs ć|rdryd+";,r&`Ug%G%669r #P҆TȊxR=#=]IGNiIENDB`fwbuilder-5.3.7/src/libgui/Icons/physaddress_64.png000066400000000000000000000055671303637203600222160ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< IDATxZ pTl^$bj0Hc):ig,X;0-ڎPGk; L3#SHGPQ<,T@bx$$!$Yf7M6~{ߛM ̓U3sc ō=DI&86C:y"mHY&g-_)[^=W"6Uz).WumQwD 2 tb=6UdF X ʝjk8Nxr#|Ν;WlsQA%tAkPC+٠SعP}0tzn렍Ao^0w]DA ?-x)-;n|Tދp?mh9` QMQS 'x)ԙ^mh5$VaKm? ^̼ؽ{ǒ1d~4_h ^ J&?f,<Ń_=RVV#xƩ 6Pw2 8bx+QdZB׿.Y=F >{#}MٳCzi% >  m< /:?Xǽw9`9 \{fcńL}jކ({f=Nm 6A ;"m6t0pXYMMM2bM^c9cؠ($ ϋΖ.%q $botJ]^86`WTcإ݀}A-IPIh겟BTl2u/DE鑵ЌqE]*_k&+ l<8)(#%yE$Z *EhucE(^k>yFE;B-`/F_rwoߠS$& r bnI@_Cz[K5`\kO4nTdQo=-`]g0Cs+ENY'Wm}^t08EoxBYi^07H˟Akʢ~Zn>4 V^R=J ,@Oڡa kaZƜ"&>|”yDQ]zoZ[o8Xx$*M'Y+>͠1xF-XjlmG^v7&,UL8\wZ>LY&>*y233DPQJg ՠ<fuDQrmvTze! ͎&.ƆGSQ~"Dݞ.X[t%6 F_)>4s3+Xgas=5HѓWǩ# YڿDm)x?Zד8^Qk=&{!/9#JN^CJ0\5 |'K4?iݱcGmޡGcQ6o{r F}&lpBx}-Z=i!ɳqL<̖8mo2 RMP"l6?^PPp7,>sG}͛?Iy?8 Io=u`eđwN;pyD! 
~%QsF]xFܒZtV|"Q4aƦZh d̃3܅ >'gz?Z[yB4׫II): ׺C5L .Z"u㜛֐ēUd sA-&,vIx7Rߥֹ@:2\xXYD >LB^~ͨu1E6lsk ܏!< $gR)͋BU7Cd4`S,6SLgr#`xm=UZ܅Ye|o<V\[;;;(]L4wсc___o*jxO?|J[.@*OW6H)zқMC%RhP32ӥhO.yIF$@]^TdR5C舦Sdp=XNƁ']P~IJjG}o C|67SxēŔ@=f=؄hzCjZtp@PSu[e1E bJJ<0,wZ6x`RSRI*SmBJ<1z=']GcbYL.eJPW OZԊ)IxUSʓlYH1r%.IENDB`fwbuilder-5.3.7/src/libgui/Icons/pipe_16.png000066400000000000000000000012651303637203600206060ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<WIDATxڤSKhQ=͛dM۱F1,nZ\ .7ŵ.v/B]QEi]DI&I5I3#(\8\{yG\E;up)? $iɲkSSw`_߬,Q]rk6; # `$D!BxMytIi_4Τ^)t"Pal0c f*ٷ#Н˿ ^rr77)Uu\z8k(UKP`0Om. JSJbƎuw`(.Z/`:5,i|cHHնdqqQBx_~`4(!6lXXy̗amBS Q6 aL9WA^s5FMhR`6C!I(%AfjA\,bԪq8mH(WڤXQWLԺir[j$8bݮlI}d.MMqδ\V+݆QR|$8 [vךKExFdӑ|>N">ó.P[onm)ˑߠ]IENDB`fwbuilder-5.3.7/src/libgui/Icons/pipe_25.png000066400000000000000000000021621303637203600206030ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxV[hU\_l tR/!>XE$ Dk|)}S,T M%jLlnIv;{ٝ3m, 3|3{., !F,kᖇY 퉼;=n˵t8: Z_} o ]eyi{~42 w,/ܽkHO(ߏZMb"+;&]]wRffg-kw`(3<:0 ʂ܄rjrp-of"ϝ-l,x . /cCY&Ȣkot| w!9(,PM@W5SCx ?JJd'~|B!/#;P[UUmtȲMѩpuRXB"+?(5 8>_Ht:S(q^EQD.GWw .Pl/4Xr&ټtכwV!4*RYjK=-Gx)D"\. Ypf 哘`, pRa6E+T d2i^dYuVQ!kJ$M}?,}oA$ӈ&&2&=ӽ2qv,)LrbxN}s_HvbU ڪzIZ.S5_ha޽!hpŢɩfL*+%D"x<#71=3%Jm Fk\MmCu0Lds Εl 8 1TN׳Yh)|LmZl\-RMUP^#d-m ՎU= oð YBF_Gu+`W-z7)y1#Lb4 B=!z~q,K5U!:psn?#fױj,Vfk,R JmvËR BX$ F x“-x1gdI;81D:2vu*hoo2L&iDÑT:>Տ4UqI:I8]0 y'> 10,q}]M,#ʪ*WA@౦VZW(p$"G6ȷPhĒ/Cme(B !bAQE|1Z|>؎UQ;֋;Ӄo &XE$ Dk|)}S,T M%jLlnIv;{ٝ3m, 3|3{., !F,kᖇY 퉼;=n˵t8: Z_} o ]eyi{~42 w,/ܽkHO(ߏZMb"+;&]]wRffg-kw`(3<:0 ʂ܄rjrp-of"ϝ-l,x . /cCY&Ȣkot| w!9(,PM@W5SCx ?JJd'~|B!/#;P[UUmtȲMѩpuRXB"+?(5 8>_Ht:S(q^EQD.GWw .Pl/4Xr&ټtכwV!4*RYjK=-Gx)D"\. 
Ypf 哘`, pRa6E+T d2i^dYuVQ!kJ$M}?,}oA$ӈ&&2&=ӽ2qv,|x!Ɔ W_mf2QY^RFs41MstƍUqB @)2iSJ\>QL&C^sSɅ& 2RJ|gV=;Te.haqx]*x=tK.Cq?NeB/i4$I蟈'q<>Ps楀vñm./h4H$<=~!Bg7SܢOM]BaCڝ6dVC2S|wpv=P24j$\a,s~m=b:^Ur N+~z1G'"q,HGa)AuY<&H}* ~A&1zf~By0oBx\X3՝r!?8+3 sBC!y TƉ^?EipblLuc8"עY=/O A)vHƬ}kW}5Q׮>coV!tP*}\0o.~pj0N~ jˈʙI#*ljf`V]7VwD q\76\:Zవrnnvh\gb4$@ hnqZ~!p1KLƚX̛倠,a r@soAb(XI&cQ-$bk0BC"lcj<8 >ui 6 Ej>BK6mMؓzԙU`BsBN<dAF6ctzM6`޼NҏS1aH]}بTҞq ,X` puIENDB`fwbuilder-5.3.7/src/libgui/Icons/protect_net.png000066400000000000000000000034761303637203600216770ustar00rootroot00000000000000PNG  IHDR@@iqgAMA abKGD pHYs  ~tIME;6IDATxMo/K$T$D׈ &u|o@ɗ'@:G|r{(  +oTuٙa)z%reaggf<3 \ h/ a3 lf&@L  Cupp֭jRާRT !"P-{aW~b6w޽{MyxKKKhQJcD"<~R ,@./Xd2òZF\ Fib͛ @R )eP.D rZ3 Z'x e8m4֚R.377^n(B DkB2+++DQ*䝁(TWat]cp-ӧ#cFT O4Njct=?@iKKDx@zr3NjyÇd Ky I˛謋xhl]w{‘ ۲h;AA, b1 `GRW^&hlihivlZk;ጛZk f3q|!9w]L-a[ fsj/0^]J޷3HEvr0-}::>Z[[ܠip\ߵ;<bZ˗/r(o| >R )%ss3U*v힊{O*27ibqZxU,y=pevw0w(G v:-W%:d)zcGI1@'l4!,vql++u1Ž#Q~qtAMilPM]B-$fd5zR eBi԰H>*2Yb}~o#[yD+ż#VxQE8uz:@mm_+Ʊg g,;g =& ]$6׍5SoS\?ۀ qA6cMvvIx]L%@cOO 6\u~ce^6N׍ɾMyZY;YhHyUsI_{w~9&L]ggme`.m+w0_,qA!.ȦeDTˤ\va`9"(,Zs\8v';VB="L%@3>hlv\^a>cv5]'I a _YaLƢ4k!prmqyPq9i'`P3riklWmN*$x\rL Dѱgl>4ߛXNO2 l&Tn4a$X.p=w"&0 kϭ{N*i_= CWk,lfm@ۀ a3 lZ7IENDB`fwbuilder-5.3.7/src/libgui/Icons/protect_net_and_dmz.png000066400000000000000000000034711303637203600233660ustar00rootroot00000000000000PNG  IHDR@@iqgAMA abKGD pHYs  ~tIME&%IDATxMo/K$ĪhkR`OQ_5 dh^|R C~" -l@E|].wwvfrX,r%aggf<3 Zx/ Q3 jf*@DT 8͛Z6d2sJ~E!</w޲a+W|j6w-yxG\\.F)9ɓs16b|J.5 *bxN///vgg/68ጇ{Cx"FW^R(Pqqo9^ɹ& * RJff|gjl=:Te.hc_8d2^\\m^t-?/}qB-nwb6t)kI1DܧlmmPXz8eIR<<~!BG7gJc[-]h HyU=zS\ojMXg:kW_g+WT 8oܶ™Y8"|v/#.'Z&33\wD \׿qp@O<~^F>gQ*tI Q֗}8/'wgsÐ\Ժoɤ3gaET Q5S6 jDm@OʫKIENDB`fwbuilder-5.3.7/src/libgui/Icons/question.png000066400000000000000000000024261303637203600212120ustar00rootroot00000000000000PNG  IHDR00WgAMA aIDATx]lU3tnhY-)m4@$)IE ԏuӐQ_,$в7&$Axа$R)H%E)Zch-vfBav9ܹsϜC9C&qڿ^6{^hƾJf$sy?(|yG+fLl |EJ*'-QFN+<؂=@5@7ϰzbq`mQOmRC&MMMLc(Jܾ}`݊dEH.,,>W½.b 
%1ё1ڠ mQQ[  o^,ނ9ĕ.hIc:S6nj!/8q+ Ͼ+4o3ȃEϟy"纮n3O!ܢ<qT}۾lN&,y}7~r_#]Ʉ%Oh_`"Fvs 3W*h%%%ZMM A :%Kgt(꿬`{LMBbDgB([{һ30Һ#,UZBeA75666{"KpItʰm۶6+&&?!GN_?IENDB`fwbuilder-5.3.7/src/libgui/Icons/queue_16.png000066400000000000000000000006061303637203600207730ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<(IDATxڜJ@Y[m6P}\sԻM}<AҤ:M {ڝfIJ=!/%%%P j699<\uWkfQu `k樆6ЀfCT-g)<{)u|-w~)y"'z,eN[hS̔$MmNjQmd:k&D6@ѷFH_S4>z\)~ư@fIENDB`fwbuilder-5.3.7/src/libgui/Icons/queue_25.png000066400000000000000000000006241303637203600207730ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<6IDATxb?ȳDYys܊ `d#To~Cv:D\,@ y[&fQ^`61En@|8qENA$-dm z')@@EA$KDpQD| >vY\ "Pj %PE/20VF $Dd?`bc3@OQ06̥ W\ wL bĒ0˥`3pat4Bֈb0yN(IENDB`fwbuilder-5.3.7/src/libgui/Icons/rangeaddress-neg_25.png000066400000000000000000000011411303637203600230530ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴVKBQ>Mt piih]J%%hH4†ӻ=w}~p|/6a>c|^cT^{ɭ u7YlSlۆA;@ލsX0,j!n$ofYܼ8<+|Or vT,(x3gCO$wMMErِ&wAkM.# ~kx ڣ=07o;:}`b.`ojFh'O.8d2T**-t:P(`\D2S& dYHRH$ CVffX3~[:BE;h44VU|ғX}M~?u"hL50bDv1A٤kz"F%N!i X,FRI^L| 1^O@,]p8, I3ĘNacb_ ]3LGGIENDB`fwbuilder-5.3.7/src/libgui/Icons/rangeaddress-ref_25.png000066400000000000000000000011371303637203600230630ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴVAKQY7Ov"%7^^CG2#Jl< .*ءH<-v|յ`؝~o7+nvp ۰UBvZeW9}?R#bNL`[$dogR{#Z{.U`;6gԉ1?H3qkB#$ibA7IVC?>悧@?9"VjØ/EdYHZ~!ZH}iv񌳃Τ\-W.Au߉eEJRҳ:s0|͐m* )N/D2oRF\Zf |>dkdօ.|=Z 2 iShx&X :v! "TUx<Lf1I0aj6TT(`00DW ؤDQ46Gq˝QFfτ͈bd.ɏIENDB`fwbuilder-5.3.7/src/libgui/Icons/rangeaddress_16.png000066400000000000000000000004541303637203600223120ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxb$D&0.RM@pa& sÃJ0Ćb8)N%tx80aH ?`BF(al$VFV0aXqm#yi"N9Dty:fA| `a|r`&mP # ,ǜ (%G@\aJn\0 388n 0? 
0 GFFE آ%vũ ;_23'#O \+#+( `w`=7 u/dafAGtˌbB9WIAQ*eA@O{XyvL$̈A̒x8$9"v@jp3IENDB`fwbuilder-5.3.7/src/libgui/Icons/rangeaddress_64.png000066400000000000000000000035071303637203600223170ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[mlSU~n?}aQ&?Ƈ8㏅!?h1Q4, 1H%QcpQ $ D+l&]vk׮=-w-r7}s1NF*֐-$%#8n"F)q̄)3# xٛd[a;;0r  4Np]c{K^ ~r\XXx<҂1WC0P~:o l sY噂MT+8TޛPa obz` <dT| G.qyR @sn &Yc<;GN JybJW_7,r*g4󫃓荭D58]*m"[EL18~pR2Yj Ds[IҌ_cǎ;*d0Ӓb?ow*H Vڷ2ٛ|䪀*<5r[n^97"`4'R g{@䦧gdzi^ŜM@q`NNUWWHYbMG < 6V'Mn{eΝd2&T<֔D™)$a YS}dCdd7P |\7l뎆Epwg<y -Y`r(![`⤢OVIKfEzV[AI0L/= ~ār拔It|{J|it c}0·%p@ :}xLQC@]{nO~4}}o ف/nO?/^B;(s#M80E'#-ܴ y_|O/LU@nD҂ 䤑8rn´ 9.vߵVc0R)kxO/՚Ԛ@ކ| $F|#CVc cvݝ ^yᚵT3:Zu6 q q{|K8/\_~M3:Z1w5[%+9Ɲ/M益#iRf:ߨ_a.+C&9?~u> $!fѪU= :EB*:0[+iZzJ=@>] bd'pDsVEEE/Gv{Wmmmݻl:3M4˦=IՙR&|dmaPܱO#gQdI],B.fҌ/۠reuhfj0&LV sũx̀ILeZi:`Zi:@/\XYܥAs'fڬ7ݻJLS1&:Ka]<:K1r6v8qjEE.VMbcdWN1;p:hwS1SDi:Yf wYtZL(VSf? v^A574Nu߄ة0nk J>߰d{[Nk™z7r:A x>cNJ'A9362IVq!G+H긍bFV"5$u&)-c;Z?v$U 6Tv8F%RqpUw(^6/}~ÔR_9 MT0U uo=f\7[nr?f?ѓzP"\[&XmM^*kw& ?\8MfNK. .:RB*~'>wfk,Ӹ|flDAS͓Çx"voAbx(>2uB:ה_=~| ABkyE\!jk݉g[GɟpQ[|-uaUL᝷d'6n=n;QB誴xsl0?+aU1RȿY*m;byIk=tSa+ adϾj+Vd8^.Qр|h }'_;ޤ& F!5!Nr6D 9ڋ'RT1 5)9i]X5BzZ S[F-kGimqƓO$gaf_LѵM 0hEIENDB`fwbuilder-5.3.7/src/libgui/Icons/reject_25.png000066400000000000000000000031551303637203600211250ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڌilTUϽmwtNhS@$$ ~!/"1HHH$. %DF4aTAmfZf6t:[! 
C%7͛;w9wt\TS]2U]B( `~>==ar >33c[̱J3kژ˽Q bgLySS`@Ost5>zƳɇBz׽R[ -n XR /@Ls90&'c| [ۦt7lqboFr x@)N0u{Ҁi (ϻ ~d}W6wD""Gq  a~d0f0(te5݁v]iڢ74>mm)>VRruW,%c5ƵFZAUE" 8j]3avm=!@qa5B.ߢEhJ,ߒP{`*NUhK jL?g̕gd   EuX݊=ZsWiЈJy@5[8`5S*nn)mwlw;wT`4qpR$B,%\r0؉I,)BIXl(Qen80m[+ֶv:EP"Au0H$\Z$GŒ /^jڴŎHDEOI7*\V(jaTpx!Uj/kk=]dHF6dL rk[ 6( )-#H\b3yȮ!ګ`e` p@ap3;Z._pMKk46;ȤZvOp03 ?n޻kĔ FQCUИ8cm8=DJ(11; #bRO濩h0nZDQc_L1#OINǢ ]@eF:J3G*76#S1<e6J20&3.fY_Q71z"Ł(AHЁJhbl :2+ "¡QPȥHӑǮk;;*F{I D3A3x?)Vћ aTg ywѩo>S RӟBUUz@U@AlHUb 54S`t׼+=g2n:U'(Ps2xV:EsFw%*_(m9ǵ܉Bx= ӏ:M(Kk430IENDB`fwbuilder-5.3.7/src/libgui/Icons/reject_64.png000066400000000000000000000141071303637203600211270ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[yly\(!,#Yd[R3qZ#jhm 'MѢ@9?qRNRv hb ;v-;֖|P(ޢ%ޝy;ܵ(En 9vwv6@}.PR?-f@@'Ac#BR^&D[#!֖z;{-uvwQK{Eq"ǡR6מ]^nOͧ6...r~q2q^=\^!`m8|tok$]Gk{}ۡSNs41@BE|)O1wOnP4 voemYT!Wzʨ:AHYGR]{=q&S'l}<" ԉg}Fo>Iddymʹq  ^NkG1<=.Swк7߹!2 {{@BȻݯ Q;A?zko=ӷ!g/ /?Ǣݸ{mX-ְSY2Ssٟwڰ7|30oBw{X j҄WU1!aUBL *@aRBp{( Wo~ ݯCV×J62ȧ`јvT0ojp1{jr|ˠƄn͏nl{s"P WF/=Bb]/Qk+p 60Zy M̰!Zc}--W#bfal-'JAU5Z] }^Ok׽l MC?. 'Yq&e\/>74|MwF}ng8<~hO|k qB2rRQ׈NW)@&l&c ;?|a2,:yu%[JU׌7K6GpRɢ|@\a[`G8cT6@0< K{xk'dx\ÎŪ>VmX3\;wlt}Tf)6"mmǩN]((?9IYr3i2J% [E1X`p I3z֭[7|vw]]}‹L>cL},kI:o"3%#T}elu|跴{IJ;F˧NRn|S]LQ\8>o /kPscoQ:7}+ۦ†s:@"R[?h$y BgYSk:iSj߰^@ڶ\D1wޡG(s8K iED+*]j{=Ofa0S51Ӝ(]YO~2Yqj3OSnzckNCJВ-w0E5hmgh3 @#Xχ uw4 tҮU"m * ܓ?ԔRHPp 4?@ٖ6Zv$ag4m31w>чz=*ّ̼(e A3*AH:!gh_Bgϒc_ C)mCC4xG}%)Kjzzwmfݸ @ݶ{NqEUJ˜O[wj FL쳭/4[dͳ&ٿv;eE Kg KxfU*;WL]wc_<^9N]Vt<ʵC" |; !1u8 ˥XwBU@9PT r/_? 
ڢ>TP@رSÖpD8}=xnS=r 8rF W"!hCY,<3P…Ձ M(yʣ.ݶl GA u㶭UL18KBGu`I?<6tK@_)DB"v*I/tV+~ų/pȼi<NUTY6Yxf9BE_*[[rz-vF,({B5(KX8jHo/Y~=u<3,- H3ce 0\\vC|S%*@ܡJ;X 2VªIaX̻4*=\dr `kggGYbb 0X3EXTy^ $+m.]e-!Jw`l&ʳ0f m4_@;v---dquugblh!6q6ˆEy5>0oTߘ, 5G)ʵJd5}uaפ\CEeXs 2Bb̖$YsHc]!6stzbtcNz e̙hL{GDD2'T==U<̦)shs!I  X[ $4hzPŖm9X Ȁ>8زD!G"#3sn~J| Vlm ]w+#f(Rnb2*:^%V9&m{wh{vbazF=k/ɚWṞV Ѱ4,yg̤/l@ZU،{oR|JTUm+nV_xj(!BQan!Q) K8QJBxZ,M++V(D"ƛ4ߞrd꺼q2INs"](FBi&$̩sT^X^M?dQH-2>Bh2-a>GdH=KO=ILG=aԬBK:TLD*MK{3 zse5)ul^}+B 2ZSVUc~C -ML矣$$pH}GL K+>k~6.t<,Gm(FDI_|iB+AAݺ5FCYBH;GEԊXY_=u,(c|8ehVh]=% .aLww#}LM@ccLqL,iTX7Dh+9F2N(I8٭_7a׾^+IU;e C-lYƕUEͪmO9o_,CoO9K6.,R S%kqL9{WH^ܰYg"u)]p w]E^ j_i_QHiTYH΄UL%S`EŅ͎܁U wmDFCw(PTjHXN}*\SIޢSZvb `+ToK{ɂƻcc bSwEYm(Щ4||"ϸ}<}rhw$bRg "O0Y|uZgMq!jJx!-«,$,PDvC2Lkx'1ZlzxVع\]4tIvqpep%?z)y3P;f}-ø)%-󔟙"lkoZ j`3 |kP+@|zfXF;Dr|xl~!oeThN^˃;]k(9roB <8=s(pJss t]|55eIk<0]>=Fc/HYv=B7;viViR M.٘gOXlQJ;H m!5ؔF'_(,(['0. r9r~F;Txl}k;d7#ʚ@^gJ2 4-"oC(rEaR'32877yP UO;yl'y}7/FF eEpXRZ :3jht75pfZpYuE8߿䓔wZM\o1}nfA:1P8Siz?T(p{/\ܺ+-z!TSz}-W~Wu+\5_$_ض2_.'2tWvnL ~ɆNFe⨂%t{P:5M/}4?s_L@/Y#3iO\|Ы~CC?*3;7XdQN2[_&V=xY~uG3 N][ǻ(KU6}SF*l\"Խ4pL]tY|WskuU^촦 s**tIʻ*T Ox@su߂k5B7G$J çʵ / ፈ8~5:se#x%ly1tVC9tܱ5tGV 5Ku/`BS:g^%"];q

 S1fQ`|TDCi.$1I`!ق# 1Z8 ̩"B z o0\ ӯ(K&X-HH/ Hy73p g? @{.3\yF\0ڭmml3` 2 ⢠ 1DDB4!Fb9bb$ E8Qc]\}?(f/yis9߹|2x3"ʾsFά[f3LG C/yY'!ţ9hOct<)\R s88(UC<` A@Cy 4|^g0 BB_naaoWW+ȍW1ߞF?yϪ{8w(J 2r"EISh-<׎W{ /-;n<1{HR`Wngk9=8ub0if0s1o-!!HJ;f }iN!8x'̄26ו#[Ͱ:\Z f$fsm6 ǠuTP*dHnHM;t;U0b3E77!`TUÐA@jTTf` ^ ?‹y`C$|m"|y3jIjWZѪQA-Sa{I8R|lvo?a]whw8>j10P-ĪPR2 bEAǃ[v;foalo5Y R$ %엓bjuy.7zrTq0LCqO =Aǎ僵W۪m뻪d ܊8%1d%2x=6xܤvzGܪ>p"\[RudL*AU/Y(3 Ek#unW9+*`%ɡ_DǯbD9C@pj߿nܠ˚h"%]af4PY՝eۼ?.фn?̥(ücX<~;hcsu TZL a`?ttkQ8RvE|Dg|i7k_ ȋ^ ;(uR,.lT]j脥R8a 8LtN Η"BGq[M:>OpXȪtT㺌jFĜQ=g^7/KyώT0%bZYk)x?`t6^v0u]|O, "3xR‹PB$?5hTBu-䴺h]u3>i80$p@$d(9;{|;;d0, \L,< NwСab[ 5XO+7W*[ɡ_&O.ר-)Ni+y>8DapU7V="?MVk|81d. %|p$FAmCA>`?_;K׆zy< \ʏy?Q`8Epϣ^w9pzp 9KG?륰3 fxfא:Oc%e WtEv8-ѨQ?T>bYk2dioUzufQљR0ӭ`P({~3AV3Fm k R5<=iZ*Z4Sk}U-"ݩ6,/RKlI B>Äiw );hO/:uԱ]wљxXqV'K(ni(0?pf+&݁Vn nX&- U_@QJSQ/EvcAAJM|)1f*EPl`@6'5pWW6 ggmVkV!|Cu<]W8遨O`)Kq!x&S٬LRit5P&{wT0ɠlx˜#R{]vM`7 -HD2x:R{C;\¦n;ᇧ.:=~!&b1ŎZge3TI$DOGw r"(6L Z5*]#'@pJcI7Afoy|&cx1ᅀ_@p%Pw]e!,4+{X,a5mq/W,jfJ0p gX&I]wq07a{탻*/wjc!)ЦXAy:}282' &}5PG όybV9O?_>sj~jVXcq~gR8N/Ec5]03FQQ#gPRw싒QQ㰔XcRɘ)$0_#ٟpzIENDB`fwbuilder-5.3.7/src/libgui/Icons/routing_25.png000066400000000000000000000017771303637203600213500ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڼVmLQ~Ν;_۲5P?+RZ|%E-6%÷ڲb*k0̰f{3:;9Q@_α۷b ʼnUf'j `00ơw*ޙGK 0#akd =}D6  6 *e\qlj5 jQ̩r:PqN2'"/xg## B40P8-Sr3G1V/D[76B]MoDAIePqbW5LO,#$So7xr[}A4~ ,Z2M:OC&h g/DEH7ohض%%P:qaKf=P5*ِv1n+L;e+u>pХV̗b#W{aftzU@~())ߪP]6!ISfXwNVoG|˞vs؉:hS I4+>b)'<,n#7h%vp3ŽE8 &T~uu[.h郌Ʊۈdq8s9Zj"B=O8(MEfDT.hQ,::)GmCt=w>5՛JrNIENDB`fwbuilder-5.3.7/src/libgui/Icons/routing_64.png000066400000000000000000000073671303637203600213540ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[ tE{\H AC$Ȣx uDET4xe]TQdAVň (AH $0IꩭL$f~թj]W]q[eJV^WŬ‹O6rAJ9px^1wr ƀÊz&EbچJ:/K[_X򵦋ʊXlT 6mW~Ox*ӟ1>nd(ƇDxj?DDC%I6vE5VDZBHLb(k'@*Q" cJW1B:mf}~Y0IJ%i+GÄR"jh%H{?؍7jxG)|w6ؒIv%F$ 5`{ σ |Iv 4e1L.j$ĉjѐ+@AAvx? 
!,5W*WRi?;D41ّTiZˣML2@>[ĽCMDo'qe0wށiAQ=x6k^lzmd۽a4~%ZŖ%`c~ک({7 8ɌW#AMBGT΀@ i:==O4U rФԮ($<o_̀s$$ ZCbfd3HRyw S6tNJxYIA7zA\f|]v+#DNoGzz,)rtGu.4{"V/Ej"zĂW0 >B~Pll۳ KV${\p̂BwakD$b9ظ5gy]e!c"Slz21q a1lgY=1FЫ>>)=McIs&9a_[ }ڕC,.68ODI,T0QUU{J2Aմ D_ &}6Qp4 D8'b 뫠oP4Ft5]C@-3NϴdE^ZN>nsλGL[b.y}}qbG|~o¯ѣG#kpW< zz[mfdv q/qSqAYjƚP窇g;q!WEF<I$TTWg;1x=)hn3) oKqZ0ן09L >+<]< Y4xcCbXYsn8s^3)51axyʫैqUAxΞ+^ӑ/ވƌrf4I<% 9R,ސ DzO0I¢[_3-Lh?`(̘0RpK&-ׯ&a ;o m4Fw:'hE(lVVmE~vO ?IA V|1| , DB5p&1Pɋ1_cE"\R Vp+L+'RHQ8!0l'=Ejܜƴ?c'w$1ܜt糁؃8d2q- LZ) c,__۟w\5 y۷ >/d"4X̲b 1aބh[JW9IMl^L*N-< 5xp0xRXTK| x>:][_v{`8VVlTO,~h ]6h𸰯q݄<v(pFp|XB5s: )sknIX{PW2nd@`3N{YYލP۸EC guXe@H" `RDPjPJG) (_ԟscÎ\42~@(,:bNj:o2L?Mkq IcPfA hp`Kѿuк*sXdz St܄C$7WHZfK +[fJ>M̾r6 \+^, ~MMM"BGoycy9rdD;"p`Ș> f?\gP)gMItss לpK6l`ZE{];V= Y6X[q=wI jq}Co¯cyT㰃bta+װOP2fe!0ﯪ/5W*G^i1'7-3tn)-VXB7}2 z@Şr2e N텝iK#V $\$D reAS<+J2!.JŘU?F1R }E"\ t#hvT G \G9z|TáRYJVä.hfTw޾ͱ63Y"VaWoe+z;A = GukQCwbZ˟+brgoG`\[*& !Ɇ )! ?وOĖ<晫ir䧒pPe]xdfKv53gķ͉[vbQU~nvg.dߍ (8;?wuZ;  nݺa֬YGq77Ɵ>^oZUJVU ^g½{:LR QZZޠ̈߮\9 (>9SĽy҄tO#WW3q0}Xa-AXB)UHU@nHK$ؼGlڂW ƐcOڍj!YA0+ ہl@{, 6giشa5/ ߘШF …n1&Xwi"RsS\}f15)fa\a(o%t:ho/+p l˂MTֈ4Z +L8U*dz x#Ђ_O3J~FU Ѿ1fm'(C xUzOC>@h 8N xټ:u*&0܄@4W$y(zyO9s~[Z飇@bL(AQ/b$^1TP^Xiԝ`3AUT }dKpΔئRC8@c֭EpQmd8C6VS9e*^8:)G#D2?3!2@ʅG̈́ >Ěʰ/kU%2C$X[_owŀ?;Y?•~{] ;€$V23u IENDB`fwbuilder-5.3.7/src/libgui/Icons/rules_druid_logo.png000066400000000000000000000124761303637203600227120ustar00rootroot00000000000000PNG  IHDR@@iqbKGDC pHYs  d_tIME !NtIDATx͛oٵ?ުd")J4CIoClx0Jbxav0@&ψ'(?]UVuEJC\X]s-*|gy}<@U#"8FEAeF{?8sW1[n1RU~!*Z޽'|BUUyν{(`@/'@e\t,PUB|eaaAUO~B]קKOʏcȲ c {{{xY\\DU󜵵5VVVlnnr ,{P%eY{O]xi 10]D1c??.FѫG?.]{nc(vt]>~OeEAeyy(]bTUEYTUEUUuM]8禀??jZ93?k65/k-^zEQtչIyN]OlVÂl;h]Lg?|'OG={sn~2`Z;_{IZk !`<Çh (DCN"=cmiEp^ٳ}94z e8s?YeUR~t-+,-t1=:;Kn/1pn({;t:y֓ǀ"F>0sC&㒪*qBYVTR{cr)(#>RȰ,LJ|cyЅ`h-W\Ν;cXX\0l5[[۔UMD+^dr#6_\\PB"!R$!]v5 U%mHO@Űv)"c(ly*nB g8Ra>U.]xR}c0.%Hn2+IXu8] # !P@]GJW'z%d1D| LJ%D8|;ڵklnnctxujOY$d@C">l|Q)I0/:c"찳3evApg8qp0`4b<)LJ&eIYVLX ".$p!]x>C5@ gC`Bܺuy"'4D(@PMZt> 
OM@(4'0|LBƼ] x ;KA Z\P2s|Ǽ{Ӱ`4!&|+pAטk4k40|c >&ڸ@^_Γ}wt:ׯsiC`y fljj&OZM0qV>C@DBPBl)D؜.qg\]..>Y[]o ,1"hԩIuP_' iXnغǜ+cG%y@n șHx7Si ۬r~6n"D[o'BC\B+uTqRa/_ܹs?ׯ]`}}eF#TM}^P-I6 )"姮ؚ~B_8[oEeo~\} άaJ|q32ڐ Eo'"r&+++\X_drm4\&#ƜCSCs'9Mh@ ,?2߿l5EqU?_ Dnȭ }3Ns]ǖ! ZkP\Sқ~󏵀~s#rqm~K]t{Da !L"VrQ 4ęMsܗ=cp´FeIxLdym^ש~Z 5!ew7q ymE|lmm1 0dïZ;oAZpNQk@VαP_:7ٜ*9@ (R~NeA+΅mcǧB'dRV*.=b}F9ƻP[vz'`RxWs0N5,1gE۸mGmlIJՄ.q2DC !挢T>%~alcԳYq,cmr|BEY`d.sO }>A%G0DI:%n&SmyM\|$31JSf? 1Fw-2U n= ,30tDAc{Mo대e#,y᎞e'M+|B-Q*LzgΏ\GV 5;MG=)C#zɾ쾢(/iq0]Vcs,.-}!'^lY*b7{h+ u:;. {E81ʸl&E1*@nZ!s>4"w,ɅE9.:O?5p ^(yS0/2#ƣgg:FRyW0D L_d$aK {VmRqmpZX QdJBFPE4WaT~`]"DTa9I/ 5S8=XX=Ϸ_)k+_SjᛘihaWQ8);`^k6F,LJD:F),ZX.*cC4;Q4yׇBBe9:E/TbKҐ$Uu9r-g}H\' y ^H=D#?ȱ9V7^[q]BU=ҷJ(}YX4J&-}>$V h<'à``_+ D % [`fJrO٤܂PT(I Hk03siFtP|pU{ 2~5#-جXP6^d!S t$M0k #XmejQx'',)佊!$7s;2ӯ_u:)23a$iɞJīJRr*PtXCT~I͵B4<gUF!xj^t GOT׿@4ך9tKYAF`P+Sa?=Gƻ>6E_#D37q9LK!BRvȎmԀpRVGafA&-5%a6*^R@.V/^ dd&F+@AR3L+0vVGj&AQ]UiC.q*b?dұJ!$@?AD!6<_|XaD:a)S^9j+]Q- $>G`@-(b 58W(6Vi`OJâU{tmFoa4TuIͷ1\̶$ U52&Q\hN!ax,6pZMnm'7JGRKJ 6FYrJӪ^ ʌ%ǟ}k7_ @n- BHR#"`+G) H.ЕNѠ_\+_{'1KB[yL>޵ 䞋ycy&oWʠ1)tMch~+Mmx$t56Q' kDs?=v,o|p~};G%'{W縇TQ:g825(GM0 掿dY9fpM9_29IIIװ6oKrxRFAesrj¹R6I rfǔqleH Ɔ:,/BgE. n.Nh}Qvx\+Q%2&!vm $wj!ec%v96Xp(q፷xOpՄc&@׎,o`;isxұ>h50L|"{$κؼH)01) yWcUe~arK7k_&`q4TkmqR+SA]ɲ,sCȌ0X^[__7|k[`3 vR.]  %U6._xEn|?8_EQV.\aŗ=/_@Vt(ʹ WXk~TC6IENDB`fwbuilder-5.3.7/src/libgui/Icons/ruleset_16.png000066400000000000000000000004621303637203600213320ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxb?%[@i O`s@.Z>&t300^/o?@؀y?8V^ǁcd €k6ftu0/pㅹA?~edA^@$z!R/ oX, { Xp_L(Ja4b,HNfb4;&k~CaIENDB`fwbuilder-5.3.7/src/libgui/Icons/ruleset_25.png000066400000000000000000000013761303637203600213370ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڼVkAۻ{ 6ZYZڛ@+ ~2Q ((D1F$D 1"bPK}3ݻ{Ipav7P''a,?C bY#UE /cX1^>A,"$4MA"ɫU9f+RG0KYTpjr&<МI|Py&GS׺Jx]ƻ"uiv:CLB? 
qa ǹ\9P Ƃko5g\aksODseHJ wg%krXYZkc&R:d6p{Ub騹hCRw9v⚧tыH*πYmSTnj*W!ڏwXDwH`tbwN0wٜb졝ykw~c ?\"㭪I.mR9YIsLw9WO0}sU|~ [h"+>|Tu2ZxeX55::oH {Zt<ţ.#zC%67O ΁? =&iIENDB`fwbuilder-5.3.7/src/libgui/Icons/ruleset_64.png000066400000000000000000000035251303637203600213400ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[E3#XhҿA +?S+ *X(! $1ZQ "RPy&9̞{v~߻{M&Lfv>Qյ}v;ZmV3d/^wQrj3w&x'ōJ/OnMoSh[}\qۮ[#U;(CEu]4v?*(ֺvbkd.1H$8/v(}Q&';eoy,8;Hc,DŽH(;4G]`;-Mh3L"M(P\Ŝ&6OC,ZE@Hpn  )UHٜԹӧT*I?f3?ԍp/q:r=2 cK$Pk0^<^9o^l;yHpjs%We] #'7qі> &LlB,niE0(w/g#6,x<8Ğ!..&%^ \p/y *$hy+~BSD}5 rƧe@Aʫp^pU`i`n!.;;U$Th_D9OUTByV P^U1tt,PL$GIlXnK/gTuM'9E(UAq~(ujab'B]?{dM v;Uq$PEﺒ\h!#X;fJ$4b>.#SBLX Yya< }^MTx\[8AzվGiab!1v0_M$PHV/X9CR*@^ìi*Ŭڰ#"Cdu~.v"*ݧ;%0L%O]tפ C3UpX ]E[Jq3j[ýHOλ1ψ.Osr+@wy:Q?x"l^ׅaD#3z~1H-&_-+_.)`SZ[ծ L ]'НCaT{_w|"ay&Q&uq^7guvs ze2au~#j+?x_cx9pcFүFZz95`X_N Qt,'&#@'s,4g"Q_o{>3@9'v:8AR]D?\Lq %$k( ^i4/}xLQ!#;!ESQYL$GvJSQ<2_Ui$ P2(, ʔD A|U[`XU .j+Bdk;>v0z8\{%5k KX&f!_ac(~hH"J|!]JHVEOe3U=y`QGE5`ʝFp}npɂR+!yP -}듡Hrvq8Ɛ(N-YZo } % ƃET`vGoq7}'߱ #//ZE 0 fheIENDB`fwbuilder-5.3.7/src/libgui/Icons/save_16.png000066400000000000000000000012501303637203600206010ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<JIDATxtSAoAfwvYP ⡑zf< `*ُ:(A^P&6}`gaրg%^#qW@H$юZ,/ .$QvK4 $8I:dvLL@2UY܊ -ek7u#F'ON ՊfW_o}k0s|.otm]gs;~a06; +a0Fn}ԽqApe_BoƋGou+[ƬIENDB`fwbuilder-5.3.7/src/libgui/Icons/save_25.png000066400000000000000000000024021303637203600206010ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڬVOU?g<K` ]ՄW&ָ[?@V4B\TncQSK}{ssgP?cs~sƇ7˖k1#cڕ<ctPVOJB455E暟N;;>ysRcffhdBBō 5ަCmczBu<88HKKK"C!bͱe³wA <|==sႰ=!.έ:6XG *K%ݥB48$"lL"mnnRoE5<=$ZP !!" 
Sv#M6'c|H0֦iPi#|<`pHps.Oz}cT)SGiJ#d8PI >&Mږ]Yu.-8#KY{< \>襥,t,?0ऑBRe57$F)AdB7ۈZa $k/D p"BL474r 亷K?~őz1^z}՜L~Qzۋ1,E_גkqsO#o[Ol:KDAYTOU@ 8&sNKKtKcRu 'y&/c$÷WT@<$& 2Y"XķD5KPS;3X1䡉lH޷^|Rb )00A)d[] ԏP[d5nCd+K&L8eUER.aV8V]LFs)HیȕXYJҙZO@ĤR rPP DwyrvT8#c-Y_.ZDgGҀ$J_*z"P rY*}n߱ 9xYLlt/Hwv, !/iɻغQV+i!8$h:z>A~ڽ\n4x`|%uC&K &I z `J'{a}YK87f5U?::w:[yk!S9U'#&&H-gy=(cμno.YޒrˌA}V.ׂ}u,~DFiu>l>Q >i' C%~ߍ1A)(%p@ EGWv\՘` &b ,mC@uh*hSVD1W Vjx8h|@mRq w^p[#"Eqc['Z<6Y~ G\Ҳ'Ou|+3"'ԽBxbx`P a G_; !Ɯ'EmI dnb2BcˉL]~r3p{cBdF%gT6_#` CUuY:>V(_B#%wTa:ڨ⩝ɡ'/k 0.YrBѬIENDB`fwbuilder-5.3.7/src/libgui/Icons/search_25.png000066400000000000000000000036051303637203600211160ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<'IDATxTVil\=ov;cg `RPPUVT*!G?QP"&JX%uT)M)lڐ"xq/̼=ko>sϹk}|_N[6gOĔ{X,ۍض$Eol( ^;˲7xqEx؎Aq]<eM{p\=sD}.QS5Gȓ < M  b%zy>=bbcR3iU߆Tu(&d)( oK_ޅZحi<,@5xe% G7m;^u ˓lö#eadK+f/47mivbKR$}s]'e>?h(,3c 9e<8^KgP\RN8x LA}l6'5v'Q4Tu]a`J@f u.WD:yKVy!guƠoj@€iI6IAazΦ3W F7?Kgoc4UYܱxsrf" nr4'!$Lʆ%0"dUUAG"B"Egf&u%%0yFm ]J^""rh + TQ|awDٞ/snT(ja;q "rSD,8 UQQo(Tx:;QX:")S ]]!3<5B A CҾ@Ƀ ~E("dsPɮjFzO >%EtiS9DXZIMVEBEB)-KXa\ЎXt::;ѣc؞X ;{!*!PKyY]jKn uNb!vwlolU5iD7BY?{ͫC8}HdTEr,6F)9 Mwd;zc;9ڕ+(hrxLunoߦ[V=chk;ALN:N]zA6sY\#wlgi>=ee3?pڲ4)?xQ !9YAK 1XQYUS*{>H]-)AiEoU[B]Ļ[y?#V|"ՕQvSD-fv6ew㙝nVM!W>aCGih3珮\!5z J/**D.}vJ[ 65ٻLHP߂^O1Ԋ]S+,Zi2\GMzÿǾ5R7nv r7?#$W׎(T}*Qƺ9xԾиEC?>oG??ۋU%u}VH_51 b}=Xn3YaCM .&oa/ n`.?TX~#\M(kHs3ry0~54-*_ ˆq\8w}1<+hi_n\> 0~88OIENDB`fwbuilder-5.3.7/src/libgui/Icons/self-neg_16.png000066400000000000000000000014771303637203600213560ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxڤS]HQ=wfֵuM]\15DGIT BzQ‚ P}+{ @\`)K"ADJWCP4]rWuwgvg"J90|3߹~\B)\½SZnJX-L|2vYS8 1`[sFsD PۯDpXCk 'XҨpVШHaz pa['\R)JC# /E N1@aL!?3K+2r[G@Ipӯh^C*y% V^8/SvnHlX}M} .mw,\n]r3?jL7ï*҂O $J:fWH-/<&t>5VoE<:L:yVw3>6>>ž>󭭈ܙDPL:! 
a'A\§3Á==hz77e, `\ |sENTx (\ss 1E8} 9K?DyXhK8& A0\Y RS2d*aO>Z,IB}4A T3GߨoYY0fgcnjla}9 _$f5oKf3Vʝ?Ov].a?~tx<IENDB`fwbuilder-5.3.7/src/libgui/Icons/self-neg_25.png000066400000000000000000000023061303637203600213460ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<hIDATxڴVmL[e~Ba|̀dpΡ ѿd,F1A 1 QLdDP挆1AM@"J)zΥe@iMH<ɓ=_ecTk !}$HxV'EB ڀ=ڣ0J@>W@O{AȻuBWPtjZ9Y N+{ҳthLHZ%./J !_zѪIJl `DXg#0>}֗^<#W# ->AhSb8eedR3qŒ?ͪh~ 8{ w\J U\POV7"Y~siƆ~Ł=cJXWGj>Tr2f{Hu?XPv/`_ScpfX=/fkHJ䵔1Ik;Vay뱰Wxr|' i/HԍIaIJ ?Qۄi" 9:<Α9>_+|Ϛ]bt=55aT Zayg@??|01S,j=>+$߫.3^1,xzDSNpU M UnMr3pRCD-~xqKD8?> 3#@ݱB\7wԅHFxSuVS5ҲٳQ|؃+12erX$<8YLZ]1Fg]syY%\ lGT;x 1 cO^2L}UDҺYdu#':pD3_4PiOlI`** [c=rich$8zgwUU)ӧNݮ5wvnOnTןZ$ȱX8%ѻ`UP#FP+7Ke3j[4˼Fsc7~H킺MkHgŞZ!"cnz$Xk/ -A{hKBIENDB`fwbuilder-5.3.7/src/libgui/Icons/self-ref_25.png000066400000000000000000000020461303637203600213520ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴVoE}3^{"YA(rA9p)ܢTSrP JnP]CT:ÛٵcH0Ռw[({M|xCcd$q`x/WmH8>b8 +%k d,VlD.$ 1(~K#H- 9Grq;Dw_!J^jB~OhF]r5ij2IK/ޒ|r>u-ڗ¹2bW>7>y4-}\5bo~k,Ӹ!هKCrv:fKNGD NN3%7^Wbx M R٩M y^x5'Qp٬@3$!t[\%LZZ&cV!L_$o+Ax>L/sDSLk_=z///cff\YMحeLz077վu; HQ{GZU*ϫzAK* L$F ϣn?Vfx_c$+q066cmm46YATX4ҔJ%VVVԔ}L<)mzzrzKKKmL3aE湰Bpf0y<=">IENDB`fwbuilder-5.3.7/src/libgui/Icons/self_16.png000066400000000000000000000011401303637203600205720ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxSnA=wvWv%h A@!OihCBC DqLl<8")X޽s=w-%4Ʈ _mIX "ƁZT %$ճ{`'w{̈́ 5bxBLZYM=FMEKeSnLôȺxO7.4^ % %?^t83ю@6d}ЉAiaJ伂QjEGJj(}ŰߩǛn,(Õ/a9,<wD$Y2sJq J| vJnSeŮ}9a[ܿnhи0NP'` C_LpaI=sṼn= 'W#qHk&9?LIENDB`fwbuilder-5.3.7/src/libgui/Icons/self_25.png000066400000000000000000000016431303637203600206020ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<EIDATxVkTWνofޛ$ԤG$+!4`K7v@]m n\tQP,SHL$QѠq8&NJa@) 'û;y/B^aHA]k9L1RcV5XmU`$\1 ; D[Aj!3޻P JS:OA K  n .We*P]_J: ݞPxKTãW&oE~Kyi*9Vꡚ`fb6OZyʬ 8Huᱼx\Q5;ǩCՒ>iC:Y!mYxT#1==tJbēFKvsm#/̪)$T[e0![ʇj P\Zhhl;둨tqrpxaz[N,϶VfKH&E6SQW|4xur};"Jɿ>6a [̉Q.Q;@UJu8RYV 
xq3S*B9]aLa={Aˑ䡃uUpwuo03)I͔i_L׎*250X'{ɗkV(o]xގUrO+v,$7BOiupeܹ2Vޘa)%&s"0I%12~U@{#6qZ%-/evA?Z uu`FPIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-custom-neg_16.png000066400000000000000000000015531303637203600233700ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe< IDATx|KhSAϙ;][5 *hDJhXōPu!B7 F.7(bJ3iMLڤI87=ps>9g 10|Gf{>xZgu^Wg@({3vY6_nþeր9{дDl#(dTM A zN0*lJ-v<͖`f_@־cZ&(gT?Yҽd_U "}) sL|٣b:A+̐$~>&/8wi wiOo9Et4rA;͇z\jE"o>H}gu}תrapکWI _" 5OͼɓogG%1%6R+ oݢqUzk͉A%sFfsտ'0: l+8enU!BavVK$̜Va/@ h",^bN8R-vD,$eG4f R%\ZB`NЦ%6"bQT5fQ k(V'byb3ԷK% 3еJvtrBKI*@.7.p<ֱѥ(Ȧȱj $wN mCQ9?{IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-custom-neg_25.png000066400000000000000000000031021303637203600233600ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڤV{lSeGn6)["LP2#&a &ƄG hTCCL&d.$[\L!cű=ڱ}{{繷Ion{w~;w-ck5qڏ?Z~nE<l6[,9cц騈Z>j 8vr'h LN]t,1&31UA$f1 =ǿ ҷ4NV0FQh?ˬ*I"cAhģs$zvƥܨj&HXw~<^ݺP d*Y쇽/8} kTkNv "]~}K|Xlǃ\FU.Ɣ`J^* Z]pMx5om҃GI\O~p?ZF$" -L #qrij{"wuN}#gv6S@zN߈6c/Fˎ01]=$=Mns{1n` ٧"TR rڠ gR!]Rjo*WrHm} 4gKyDvN6M:̓ץoTx[S'&Z;rjO\Q|i4ӅX:` Z'6|at 9xQ@|GXm(-\WFS5v5GdE~g3JJcjV0o!1O|Zl'8KFҐ#L&)$3TB"`vć6rk>AdQHXD}#.R+85S|`⼁r)y 0~TJUg Qos^h0v>jtؔnW.gFڽhk6y]Emz%A]ُmVnRzn7N]]rRiСChhhHA)WS6BHNn(ɔ%&b ѩb8p˱{n,_|]1*^3#I e^L6lOZi\"0Kj TYQwSF_cvk׮I^*yEbKT`2rdKuPԈ")Fr4)*Rt,"hM&NVx<TWW=5j߾Zo+ T2 (eLB8`֧Wgjq:l۶ UUUӤ]mmmBxIų֏$aBu;PꝜ$O  /C3~Ǿ}b =zK,ÇקBqwߴ<[ɵ m*4dN6*GD@`I B$zM~?Q[[_.)Du"$g53dRڍMK [ StKt?}N.{}KR:à9kaj윍:vVG"69[pnɐIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-custom-ref_25.png000066400000000000000000000026741303637203600234000ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<^IDATxڤVmle]ޮѮ[1 mA$fB˘A$j0&? 
QL0&d: ,F奃Fe]ۻ^]_f7< EQ@먲\U;a,3?mL&~pJ6yck*bfkUQ)(Yؿ.ӇQ-'#3 ct蜦H%2fVͨAs^ĽHR<Y13'@Z4B=OΔJ$uɫ%*.*y!eJrbB-~tvh 낚x ObϹ8!^;A~sLbwW+2zvaXӣf*2]zj&8$.tyR~ /Dz>=U@6~ N_0}B_f!ʞ UnZ WېW)tZbڞ=0W@djY_*IƄؕ*J A*$0 ʴ4/46J %/ ma,LRސpN]X#1^=jZIu>O&\X ]:wsOV[љLy9# 8 rTu ޳`@ A+`n}R(*\`̹!2ޢIyZˑtUHx Zp7CaevPw ;ÓFu:y$d^% i պ`xPH`iqc.8,]bj.tuu-&h[YڶMVz/m/Ab׮]  Y }Z5V mrZ)/ ʇhf)T4 }>ۇQ/țqPP(ѱy"yXE6O& T2557E|}Vӎ̙3;h;<2#mdT7J^<ɉLiJꥣm]w?De-(w{Zx,b}7ӈu BS!M#7ǏI^)P$yPA!^)v+MЍٳ7?C^ą187AXN͹b|0(heqYzWjOGqt"ELӇLQZ*Q"ˏ0RQY.q[Q/H W9ˣg7ltOȡy$ ɅG2{r`@g^-icLH!y}OdTՠpyC2 rRWͶty¤u^fhu,ڣJZdžw}<wBT.}Hn3OF&G g/{&E`]2[kJKZ8? fNPk)bqx=He&U[Ez0uIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-custom_25.png000066400000000000000000000030401303637203600226120ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڤVile~9v]Eo)B)Zci@ В51C%?BDh01$ *&D&H!P6iKñ- =3;;7e|so=_qS GF+<4[eePsá t:7pv4mDEp.)&hg#MI>̌ݝ˖<㩩,CKr֯ ,X߆O#8ϧ4 iq ¼5Φ5XꜥT$3`g㦾fO;)xsmGɒyD2vJ(7//\Ԙoao]Ǩ{`m6cqӫ]( HL 0 =RX꽘9 RM*!k70֊yB So4 ?ndW`xGRQ)&Ǥ_^h\L G"bFHB}>y9fp ;);٬=| #OeD+/RZ %SJq\&8ٟ0L48/>8?ҲX6xoԟC̝gx$*BbT  C*c4\nJKBC4nǭ-;!bp(qQ@ bvG1A }k]ω9M6dԇnfc \K܊tu*Uq!++Zii-#c'쩑:A5Z׈׭E(3o)a:f]jVR#E>([=YK͖uTwɥ2h@t }C(ԨPDk2j 2!:Q4'^$q_r~G%!&Ӝf1"q;\DsAAW2K,#͉NUЙJj"˗/zV۔ę|&03D/*h<,#<DA m,d\$2dQT)~@#zxi1j+OdR T)]I~S.d:QVtb;jsR&N[EsBhtEG]<^!kix*85O\Lb-ĺ][YTqD+BMw;9Ib2X2 |&纻ZGZTs_JLF|:JE냡kgEocXYziYʆ օ54bՏ[V1G,gjy有%ET0[o pd@wW!ZU/oA&\"5IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-custom_64.png000066400000000000000000000146671303637203600226360ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<YIDATx[ Tՙjz[DQ$*j{0FKǸcsK2$f$ce&QtLp  2(ɪlM{uuuoi'r$VKUzo{u#+@ ] #PThFBv!xc?st(F=F8}9Xq`|dma1qEab<#u9Z+1>qbqγŵxXǘ؂`|Ǻr>{l*tIMdU^^rUBx,.n궩oȦҰBs&4mm?B(*7̳j5#P4(h :6Vp8±z(-Ȳݥwp0Pk ڴqiUVVl;z΃KVg(oI;&js.{ Svx`<9*PޒYJdXߦvug"de.È| }/f.L;daS- r&a.]6G_T*uզf9g(R{!9#ؖ뱷'\J%6cQO| @w峇T'stul~L( Қ(#[wlJ1M&>HpQUOkhJЌѝhzϞ` Лa1ꜽ{v Xъ8kx1JyF--?|t04X(㓳 zG_NO/h(A҈{\8C˗Z~$['QqXbڄ2{pQuo\Zr_9ǠU 9pi ;ʜshz\u>D+ℨGsTBwySЇQ 
8x+yg`t-[e3~Syw,O>,V-s߾Okн8r'>zgǜE&1C9ƍ'yj>JC;3:gB{xqwG֮]G<󻺺n|_W2چ\j)tI*um{i?tɒ%OƑI0ܘ-\h{t$M,<[c8ˇxdΝ}O[o8( o޼[db֭뮟E0\nmmmRޞL~C#%E(Rb+4s9✡[J-0^X9?%QKxu~ڱl59A P\5>aЂ/Rmd*ޙ( 3jkڏ3(fXTCr5#DW#J+א@t$?K='_ɧIDݭ1ez[󮢖sy tIZm (bx͂@mfWQ4y+;z^}#|/]LCPr+㎊(q)k{OSk'Om7z,JørD7sFߚޱ[wr*7 o 'JhۊTW+ضkBb uDA9E;O$ ]FfuQD h72b>οS6>f, z"2j*}T3+(Ы8-蚧 Q!a&PS4 A*<!Xrd,bp\zqw6(Z@Thb/&a[*U ,Uir)&CG!QA( e,RNt`y`=BþΞPu(sJc%TṔ:ԷcB<5evyuUJ1KzJAB++wʻY 7Иj9hmD ϙ.^F) Ǵ$NɥN@ēޖ[\tRКЬ#Ÿ| V贴&`=/x;؋tYYiJ~0tG{7!f(4fjSƄǔX e ՞C(5R5Ӓ}(GQ\#.󳫞ePz?! tA~sUS_Ɂqz\m9 %:gG|d=wK+X vb=Kj< )  vZGIPwS_qԕKzء89bq-uv%^ ns @2$.du h\u}`%hP0@&?(~ӛ(bo=t*H_TЌ/`'(mxPD{5&0Aq5UD㦡($緁G 3D g$Qbxk3%h )!DTCς+TYAsҀGi^BV®?z00]ΧK(*\Jz.FciMh}OXa`|k)L=0ބJHaeq0P`)XeiV1 ""GyJɓR/N{xQF"lV'U?^*PPV<ڒ,% \1]ȋ@hoƒVk85(1NPNtP?m,7?EyCo,D;M IJpui ҄Xy?Qwؠr;^ 9qP.7bbN_rEKt:xeBm9`_%*Əq~B#T"J(&Y^K m6S4z۬+16 l)ھq YHT1Qݝ״T4E60 [@7 ƛކXg^P.h22OPj+gtmY4k483aؘ$aPx8$\ǫgk c˟wl(8+;Pͬof0C21>7Q V*m]9]\_1,8ݶCUF]754VAicӡ=ߓ(D(fzEO , <{ ,y)T:+u<p!`YpðVse).cNXrYcnmFs^4ui Ti9 tI- r QbGљ`s54@ϡ+4xi-n^ynYjvd9t& .Sބ[p=`ÕT-7>GfŠLw2f@#q98yq)՝[IrAdJ"vNwkyC OўUc~5oa(RPVLU{=ށ=.=T1FZR %,Q9tU^y#OO}st/ k5e [e傐v r<R@p ݥДa|iXj9yKz̖/EH᜞J`6 Iq(ַЬ&51ܞr}'k,s,ƕ n7+٢1^Vp]ς3\1` `?4{`y=Kwtl2!=XUP RUl:79eS▅K̾!FsWi!)OՀ %0Ǽny}ߑTw[XzgF <0 s{(2c0SQ ٓ4C+5W*f!OlUf6Ա`>J:2 ;NGN%7WlOxALeSZͪfba6Z@e)4fAe Bܡa;`<,3;9 t'-0^2ڠF#VL Bf /e`O){lj 0s5 bsVCxԈ z ͖kfK'iQ;f~VP|v8S_V{NX<jpsm!^,i@iy(0?nIPlPք-J˗OU2cy")&> ;\q\+zqm:D::7xʂS/殐%)!JD<$&Id̗N(&8u@<-eMJ !%#MkTQ8vXrpp)TBbɍ \!3-[ ~/<63RXNa\x}>/#^ # Z1M W|\<%nXCh+WD6pI,jz%V0}`_;< dդ[JRۢb'ޛ֯/Cg!};%%HT*C;1 )ː!`li.yP$_&ozqV/sqC#E~WC;KVq:EN9d8gFaRlE}6= 4WEI̫8IR^\V")>r* /PZFJ0 1RWxtܙTl%_.C5'!ՙ#,PP`ٯjTf 8Q$^oԫ: @iSvWOAnG"י=U +c`Iz8/( q,br2Disl1>0`!C5u;;'֥C6 %%'z*9QVCm4jwYDے NJ|1"kRݞg )S:6v;x-HK vyvk ˚Oluڟt*B;Oj(,%e *>jkOBSVqOu\뻃FFw;+J}M"j[&KfVO:K"-}`{o4qٲ߁z*Fn@%t8Y%OGA+>v< 2cHb @SSN5WC"么V-a;Qg ?kʮ~ T8e^ZN˪B}ȗ`xYXs_W"=I:i d+9: Pԯzγ&ei9unxq 2YQ?~!J\?GͯϣUוQ6Pc}2={CbNeJ'R(Xp8bPgk(V0V>r9̀1\l tN#OYJMSkDJ"T PYUjQE* 
V/PWcJP06*._3B#E5AeO]GtMkc`2,B3X/RˠynM]X2A%1^'*ƝIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-group-neg_16.png000066400000000000000000000014321303637203600232060ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxtR[HTQ]3gMVT((,#诏",?DgO+,g3w::؂a^}$xto8?!\WDoNKX n'rH.sIMqIX-Rf'Q\*?1W:$*ʊ]Xʩ8b2a$0IĨb90BVClt0 DtH5ZZ\8,A`'յS4W ߧھRf5ڸVJO}3ʪꫩM[2~>ӋddټW`n&1 r3=g6_"mg |>ѸK|֎!^z rh&J.h߃wAU5: \"Ui!wBM3 %(٨_ֽRq': gPc,"95c/, |g.2܀d$tƀ⥓zb8;O>g8o$5"W3#-^}l;wX{aU&8$L} τ+&Ek_IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-group-neg_25.png000066400000000000000000000032321303637203600232060ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<7?E(cH!N;69=o\@7_,YrGɜsa y\+!qR2,2 0lw[Su$C_+%7=={A$wMDeߒ:&VBYQm/0ȧB9`BNG@<] 4g`sT?B%xس@m?fPRF6$Ov᝵Rq]iǖ=.'_. KTV8""$WHm⊨oZm[&o R"ӡӆoIT+$Μ}v)s67Jfk$n#A.PJs-\ CW|dLvn_ѿ3R z,DـSS 4G]*<- 1|WG&ǐ/i p|)9;Zf(DSbVB PDZ)M,ZӉy?tiNO8y^?Wyblr(/`7)Ir ]"Zg95\X!;2LfFd(Yfw?R{ ?Tt'%_ꚓXu Cg FWtatj:t}}}*uFooT>S<Ul+E*HveΚցU,mD ^8|0qAl޼>蛶@Owv:U]~<50:HB*tt, }W7]۷#@jjjpqر甖-2"t/g$ٖ,K # SdJ3}axkЀAb1tttEc/j?QmC$ Z /|˿}mzǃNj۷Qa sOX>gBPPܔLL*V惒| C%@e8qׯѣG̮plxUn+N6Mـ_'>=dAM-40@FΝ;k.7\ RF)ܲIP}"DJrZfw_?{Mb_Nė/W䒏#2܂KzZe4V,taIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-group-ref_25.png000066400000000000000000000027701303637203600232170ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴU]LSg~OiKilhR ƌ?8Ldzel1&,fqWX]y5llA/Ƃ8AL4v@Rj9޶ӌ#I;<}mg;HͫPWSrX\Yc.=$z/}7m~tx1Py34L* Qd-kU~ܭDqՎ\Hw)?jF5 kC} 5HsNZʼGS-$ K&stjv)P,مvM58Jv0fWb[6nDYhdVA *NiLY.0Pqdk!iD Qjދ5 Ϗs!' 
<;Q_R2oy3O@H}<*mZT]dX`Ohh붩bn+\ z#؃$@0?$#MY G$Pr(dk|56Ds3\.;v ny~477KtlC SCSYBXA Ra Aa#MgPt!Ioo/>L&|o7Z2TL%DUh SҜW҉C1'u`rrG$ף9A|sY2[D%1di4H^R~ǪySnzzzp8N]Ꝯ́%)JHr?Cgbd@lHi$$k.444d,*x\I*%Դ+E# 4t zٌlѣG$(Tdo0bY#&hA^bKѡr_mtxw:GSxpےP@S z'un6i\ҙla86@I5ç+1gxb byɂ ?vw⭏T~QK@k[xC5V_̌O2Ax=<"7zu%݈N ^LA-!f‚>5]蒧6x]3%_ ,-BnKLZANAL~a;:#}zލљz H+3率B4lAN#,q[$+A{~σ㈤G|X1 +No[Gt| 0\2{N1WWr,OLGUKnWҭN\ tOS-3>`G;#TCg`e4YF'0}^^`Vk*IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-group_25.png000066400000000000000000000031431303637203600224400ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴmlSe}KuVҕ a:Q? F%&81T0|EcP^#@P&6غ9umח{{&%$6y&}LzL v[T^tI)o* IQy9!DQ4Ҩk8k;u3JL9 C<DH Fs ;,!#hco)`NDg{U} m?9HBt0ݫ%f$Q^=M[N0:(  1颲2ԯXV"Acf2P=ǯ gwCz9D-'!Dp3s?%<@0{Gq&_&3,Ht^'U'$Ҧ!]m^y9\9:N.2o]6 *9ڥQew_~zV0›HU! x*‹ c*8G:T-uHd};PkVfjܒ,,2a: -TN+py\0|+I7(3n5$Z?]NBh!Ky-xȮ%^{ngGgf.WTG2P0-.WQ|LB)N!z7CK^Fyz#<)+yN[׽ o:Kc~=9}T.89Y^qA!54|! )"&k~_;6h( 3n]*)&O_mؚcЩNgUNRن0%2+$S JǺN"A%E1MlAxJXc=ky3r'(Lg&w%QUyecǤʡe<:>V A?"4XfRydd-BS=F J}D+k<*L ȧ餥@@mY$Զe!\v\PO 0BM^|)-+mC-A^{7Y@?RhɴRQD;j^h+jr"6'LH5E?:S#yasanOLa\ړK \[NCz'*e 2NZ1'W7mfΘJpLdBt6CHuܩvh#Pz!$7bi)LS3wg=Gr5 O#Q ū*Mld*;D}:k=?ůwD]~⛬T}f4̄.%j)M+7Xq^>qޢy u'%g8iw0gQZ= n7| օ@<5$H^@-e.omZe_)8Bd=z]xvΪFh~E)x֍S3IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-group_64.png000066400000000000000000000161661303637203600224540ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx{ ]u^{%!! a,#^F/`L{&$LRS=T8q l2.v*,BBKKo;߹6$cgܪwsw_ye1KKyj*`X@}hs6{3zwUjc̈B~JPB+y0yع 4\#sw95\, 36s0(+K6O/@ 3{d(w]q &&b50zHg'u <<-gQ`c 4¡P9o+j4pU,?v}\AE$,?<W$G:3 ju;ӥl OVFx.[_=jA<\^ `ӀG0HЎΏozmҰBtB7:!32]@)-`5nYbu9+s,ᚡaZD־tx#=H6%`:BtJh4(7IS'JOWvT%xqn+|p2A'25Ihsy-$#A&Kl0MN_r? 
r(VΎڞ.j28D|9@w- ; L %5"%.rS {]c,,쳂P*ع-6 @eOӐNr4&L)_bl`fw( f%vYQ>!B轨\ZbλXR+Z"\*\7{$& ~75蘚0< jqS!mQ-hM=߬: sXW;4d%+.G^Mdd=xk]W1ke?BR*{_rWb!FYG}N ӌO z7ܺ7׎E4BgBW/xtdXe#+na Sg~am tΆ{{8/ p&Uoh|~W"u{WT $=Zs p:UG _;424j]RyeaTh<9D*Gc) @!UeTrH(|WƉ4DH-H*ҥE _D£E:X@BLw FVRā]DȠZ[h4 ' фv+DM2#A] (Ak\P#Ǩ5j'3+[j–&W ^_E9{<ϷՄy""{SQR:K|_i{~F8Vz6V޳N+k#+Nֽf>gDo\;h42'']XvXh a}aE9 CbC$Qm4x,:gk:V!f:^|f|X=ʇ jFIާ|kL+ݠ҇xUP12,]2YKugѯ]=Jg,VLk0Ǒ{9~rL- :Bf) A ]"4t$$&.sEཿmˏVLp?xeE&#cJa#XwzWsS3LFtwNC5Rj/{{mO4N-h(G}!Sٻ{sڴy moNG Vs@%AK-D:]̕UHxY{y"tDNI4*sebqF(>;0=CF~dtN2?S1+r%5mוzx.TiXXZ%HR|uiW%\K~ ^+P~aXҍT0xҋg smvc,Ee5eer~ͯ"7S@t>_…gwa$[C$pPTXш?1a4A {w0`&e/1V$e$bzjA!15nՠ?'q'&H2uoZk Na_J-|S?1ӻM!rIoCkb:C]S!52eHP-9j# QkGb4J7(2u~~&Ofn~ ߟYD0ٺP,364{}^70C12xGpvGlno?(m: _4˘RyQo*Q(SbY7d,+Erkת|. #z_L~ͻn_Rc:mI$$^wxGʕ,: 2&>d#6`Gذ?~x/t?0WK~de\JE:1 Nb/.j q#*W͌Y3F=p@Ds+eޛ2/vWf; ;̎m㻯~e\h$9+ԙ!Vλ#]Ёp.3 :]adIˌ5/!S=ޅ*aZPRs+ơӣ\sLZgsƧ'=;~a r{̄$ =f4]ڔ}Տ{^a4"#i>±2=4 ðX]%]ȞEWh4]Uk^qu7vYTѐ ɋv[Оk VT/!iMՄCuF7U5[oNQf9zE1p #r:ZYqp<5"!RѰ+逘I<%SעScsT1={F9Gտ}|=f/<8GUz ΢xG+c`՝j7nΪ˙i@@'lC(]p/3i~b43Nnd5|v!ք(RY %AlCefutqn`Sƣ3bPc͠yi:l ˫hQVL u)ӂFŸn$GnCKb?jzZmWNzuU3F tDla ~"59 ML6| #[PP~^X\*YP!Dkhi2UF9D/Ϊbr.6ᥰךƺޓ:~ikN:?P&$Y>ћqyQ#@0 ^1$Ԩn=VybQ( Uk*{"a@P?30>\޺zc7QNXpD*K#b3sPl@?I#˸ \R1 Û,A,\] /)a[AO16#)={)E-GS $3Oց ?_~s mkYU@` m(o9 Vl̅÷ʹgo} Qu wQžQE9ۍtߺƞ3LJћbs*ʢD7Asj }HV=а*-‡LUnރ5`{.%}Js=@78q<]?vEGM-9ţ~#u4`c]6)ҰG'+h>|$K/. CSs{QP ޼sCF**,xAzW{1|2\$GSgj\OL!M ,dtzE^q|$wtW"_2&pDMe 5KXZ \'Uq~4cّX5YyIEͫw˜DV`!_bn;TtyB<ѓ,Q$?u7瀗yQ;ZNEt Z:*kzj-i F"h~JM+7%D=~K+H8Q\Wuu?(>]s_3M[oHfsg/ZK #Yjظ|)07IP<']9`hI%0ZYKol>x(-+h2(l\5c\RϟaY,w|ĈtLD;m&>D %76ZHRe`PBv䁡Y_a!buXD.J Xw, )̜2z.(X"˧xXc| E,R J-K#/M"t7:,#HL=QU4 _W]٬>ӯ^EцȌ~l򲇹Juy^XyH$(#_]SV5_|L]ZbumC/O~PArj("74AEoLo̹|\5FGNJgيܬ7 d(]:bo"EYk 3xFţz7")-s004JnWvPuPpu'$NtUn Wx"EˡdV̯DZꆋO`72Q=VT_ \ffu~Gn-HD{tVGʐ$(ΓR]ۮO҈fFVP! 
1"\/6\=8O67I(t\-} :zlJ:K%[JҘ&N=h Q)r8^-XjhQoO]Bz Z4Ŏ d'Kh.}#CRjGPŭ KwahNi[j'# --d +Ms:}34(Lj5M1|rI# C*6Vnj҉‰gњ|3FhgrI$=Nhv\~N3:#bɺH:G_ -ÉRa_s>"39@1R1u6yK!KszI48h?&W8 0dβg̩P ;2c4ޕFVFmOQ8XAmnٻ\Ula# M<'.&5_Ѭ F S+jbﬠN`FWێ.}~C?䋯΄m='ca~ն9 j-;Y(,M lk442nRʇj~"""NAؼvxzXʿ mic zbp@Z>Q|I>_Tj;+ S;)5$H7٣zie@5 ˨W:`%ԪpuUI=^X}Jͱ?ړMڿSoFϭtAz~>n{i&U2*ktH5L-0?}圔GAC:c Po"7 gy3cU\ _r@nnZ} GuO &q&>IBoX~c 8~|u37h..u:BK?YM/ $'yNԢj1G0װBz|& [jSqb.*.&k _t;.O:3]鞶[ Hٮy y_ԣ-d+w2eRjr'[CFZ066ψ;&is$w='_s}O?=A>[f۞e侫޿>/sT{ ˠR?}!= -L jdϰJw]?x`VSdJpJ'olϢGX,pF`FBOZoiBSK 2 NTYɣq^ `2+{ZWl=1x[) >^~QşqcMb3b>LЅs Q* 42i3}I=)D-!8~/.=I¦u^7 ;1RY?$qT;r*Bť)E2#d.їA%g¨GC<.Q7y\ h7aگh+iu zD#yfFEOKh>sFLJP`ҧ=hE#kJ7к1D[`4رm9$w )uJ),0thV(ud04E=\z}tOcb~- ;]삉ucnd_~>.(U<-? kA]IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-icmp-neg_16.png000066400000000000000000000016721303637203600230100ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<\IDATxtRmLSW~ν;2sj:s(ct[Ga1 F?,Ye41p,s&j  ~m)mjⓜ<'>{' G8:3آl!nh t:5{w1Ii0j#hg1+^Wn.݂&NITU@f~?zh0XBg+\;z7u ̝K q\b-+,c5a3>6j0c^c5ZeW(`Qbt ?~an`PLw`׼NI6r ,Hdq%<>֮ͫ6U8K:?>FM< Dlԃ@ Dgo<<e&cCR,_q𛩜żh.߶5bs}Hz@HXp\8MW)|gGV1JN6A!r.ScP(Q.e"0\פ T@RIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-icmp-neg_25.png000066400000000000000000000037641303637203600230140ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڌU pT{wo}&$ &C:E0VieP+mmh F8RE(!j"kIv7}s 3?;|$uj~i6imUϒ;9+bc Y! 
殑NY~ԓeF> Iyw^m2y9HMFiJO^o|?wtG 2^(gU2"XBS㪫kh'PQG$Ey<镞YMsF5 <*V|<kq*/=%+Z,DiLue@02-L:Sv jIS@FNjV>ٻ]9 7Bב8;u:GW.}~VQ|OӐb@ 4F ,{"$ƏWLg,M(FY٭FgnnG֓(N-DÝ:TuStҝ[{ğNB"9Oȩ)mF,*^wfӶll+x0 ʦԘ T 3 me_h?X_NG&Rv8~]sCDZ¶Ψ⫑& auةΔ]$]N%!Oƒ >콽l'j.LqǪ%8 'ґF[{DWiwﶲ4o M׿?[u~oL5Zɔ?XlmҵYXf] z`U<=Wo|yY( 3>ųtViKȺ)lAG{tts*)·GF9Gh<_DGaoș1P10|EFf)%6~f\_ n T]ݡqK8sf i68CgptZ+Y7}LQiq.wU%F=:!/".s+G&;|}@F!&zP@A$0u$>qR]alaúwRBCW#AJԪDߤA-Cl˥(u4 Xx_/Bt,Fzc'DxChyܶE_ (vA0`4f~!~L`B*J?8ꅩ*w /->m a߅pONr>jWQ ,BՎŗ`h[BӨ"jχ^1 -arbR8|tCiÇٳZQN'OR{ƢL"8@jEx=eBM`MwKV@, -[#GtСCXf4F#B3F3PaW8GI@&9g3)^1R]af7oV@^i^2` 0O)!rt4nGF 4 FXRnMs2sL\pv˗/G}}rěU9UnrHBiIJ&}6\B4q,,}fGii)n&ywx vcL*$^j#dWCdj;>,es?94&(TTT`ڵ8}Z$5+nO^5gh!Ri]H= n"ad"Q8¹se\.lݺ;9OX Tj+Y Jٓ[qeϮ};ܡq})9^CʿsH\a1'~fx??+Td@ Mf%~ԸM7UW@T 15 xe(rҗ~!2z}3?g-/knX|r3ӗ~񝹭 [9?=BUIUqG{$ئXvBU Oױ޼Â&tm&]v:D,TElx;^tya3 #ř;6IQ؛$sN/cn(T#~pN#2اU+QAom,{;A"Iyݟn`BC/].+yb1.#Lo-1ehZ?P$(@bC .=w"n$UdS8;C}2  fT#rO7]f7" :88X&#@טFw+޴34EbLr̦$eUpߔd $tZ\l*-1P(sW۪篃ݺ :jk}ǩڧY,c3͗(@Y x(/]z45$;o>E=g`A٭8:/dՓ{]X\l[SĖҷ ~8rϟ'sm)4ADcdyg)_m9XL&yގca1hK~NVKeCrYg^{+_HRy9^gߟb#}l|`v9Q L ~/nٷ(2:MwwJ(ܷek)X XDI%iZKINUkccs0+f38-*>C-:W,.Hκ 76&' HJPs3--dl2ںCN|(nv/ q9 wggC`r2EKrϝ#I|É((O-Sª ŨZ) 1%%$cip#G>{`luoT镕rVO"9\`7v'mޟIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-icmp6-neg_25.png000066400000000000000000000035111303637203600230700ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATx|V PTs,, ,!!oATB6%֎c(MHt|!cӴhBL^44!V_ !6S *"a޻G 7sg?2_eԳrhC$VYådxEG@/@|Fk]"%)1w`%v SE<õu\ g;tXL8yP= A:5v\3X~-\͇m;7/5ńF3`(oA$vs34D 3Ӷikk߬D& Qs@r iiɝ!=)TOKq8u:$«* j̏KH@la6] ~tكԸ xbx0XXIbDXB eH쏵9mkUx3aQ`#|ek1%ij3^`r>zAuh4!ܭL" s`)"TC(+V\=tC"7HխRW+fk0;s9^ֿG2E2,LH5:xDBNմ{czo8&6>)2ފD[˫QQXQsxfnG~i _Cܵߨ h=c(n?JdnIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-icmp6-ref_25.png000066400000000000000000000035521303637203600231000ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe< IDATxڔU{lS]߇&O'aS*cZEUJekK(BN`VcCjccUTieA` 1I8O;ع R>=|w~scFӴφ glMfMlhؼBWT]强h5xDLUtVVh Oͪ_B%Ng h;V@K`͠+$e>ۆg435l`O'W_^͇Ix,X[qtੇ-Nl 
N`<'?ߗ1u./oF2pl QMh¿Œ%/lYMjB{Lv\ b*N3cusG"1ށ,yk$?h:+ o<8KE(bz3:}.dw3?|& A3ۂe3K\:#闱$69rWnm;S&vܿ<~?߶f'*eْ*Չ vA27n LN@QRg,¿PYbo'Iر1=E ![ٍX^a(4g^ccc~LO&(CA͹HĪ QEbŘ$ф2=er"02V+*#91e4j.Ȑ ߵQYMbeOQ]:`:I5DLŲ U!\eoQ{ tZgb#V1r#m0> #dQ'2st| (zU|tLDk(b!ZCK>JYlIMu džٛ|s $/mPvhWŽZGQ%2*Z3Yd6<06h)oC'&]M-LߘgڳD%7kHp` (yWo?nuq` `Z(Sm_ׯ6gW؆S/:&|룛8}Uw𩰂ymy 7i΂tQH=ff6fZ/-{3*Ud!ʥ&qo8w#op ՘ѦyHrE>\Mi+gjn'ɹ tpFÀjxJ p: }OzNk[nN#:}HΥe2^ N?h&H:@Y(zS9)ʸ,'#7n#㬬 sd!JyP!=xUrt%|--M±ކ^݁eRIX&`RzxIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-icmp6_25.png000066400000000000000000000037401303637203600223250ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڔU{pTg{{#dؐ첄%4Ph;"2ʔ>P::Vgh;-XMCmblZޔ&aC llv{ߞ gwreUw\q',eM{+ɱN^9 2\%A`fx5 TO"YU2 %#}22GO=BP%xRBF͠~*&۝vO6:"%v=>+bBH[Qu4=RIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-icmp6_64.png000066400000000000000000000174541303637203600223370ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx{ UՕ:Ý(0Cl[饣A>k/D55Ơmi1vcH'Fe*[UwL_g[*(}߽}k׿>%YE8$aݯKǸX1h nN jA_-1{mwcPhW{,[v%h㴠E5ھQ'kFM'ӣ&}1ڵǘ7}mڷfKw1*HGZXIZ4wN~|AV zV+e?8QsA]sKtnWQr?z:aOyeR2/nHܷ;x/'+i?Ǐ雼[~}|k5bA "hqnxvU X!7fa3i|L޹[n ZOf߷.A9h)L&bci[kG7>xǒe{ cM`Pڢ.hkȂf4}tV-C&z=n1`B(kTH;V'ƧzkV fPII$] Q1 P bx.O%K1CAk 2\sͤ!Za~`S4g +RS˩Aa_<Xw" 3 A'L[ْxٲe9;uXSA~H@g]4| c~dІm;E󋿄A=1NL^u*8V:|mQN!gӾ3f|7_^pwy ,8ְ%eR'@ʕ+OEǴ~SOX^\\v/n.q;t[c <)syf$YN)!<.Нw;&Mv>oB/X䥺rV.#WI}[ous~lV. 
_T"fuؓ#4 Es+FVh0ƧXlqܫq TZ\> -h~',ӆqPP{-[lYuN1WH򭾮K=rYg4@Q(je0 ~λu;Bm i,'U35Js\lu(G}C"p:ct|oloLIʷcc]Cg,lGu|y'اR# _Vh3^#`5׸(+6J O>WvOE/m8QzN!EȪ?o?ؐJ>/=}b=ԱlVq,COѵ^{=8}(YEr8)@zAv̪ o)8`^HY g5n|z>ewu5*6:Vf_|B߈ xn_pdh @~|Br&cx/7O(3wtAutUG Pd~ٟ]OE܁9; \__Ϟ^l3,șB?.Mr<````  5d8Jqۼ:#;PpMaUMANۅvl%\[ΨW(?^Ƞwq3j_?am#cL~СC;(#knnn>c0(}C8"oyxc.]1[qٝ],]bokԗy竴~0lG}8L>󹦦4 Sk9MF.l0?R&í?muJ|su] {%'G;D&; Ώ@.L9 @}uZ4Abv4\իW3ax8Gyb MRebcݓPce__r:9Bn ϟmWp|qnl2)^%@]lL={{ˍ=mN:ɳa/bWx< 8_v{΂3bl(g5kxն^ݽ`pp0}7]P݀sP?sF -7EY/q-7+9x(|N{A!\2wV)o¨cfh+W@Iނsa,Xpi*U7߲3ƱE_'otMEkx2SdJMzZkiƓYtHs(tu4 Iѝa| &A{5 _@fl%uQNq$_e䌠KVYCRˡ=/*ǸOp&· k z^HlGU.hdhkFC{kwEEK 0ߴ(E{b$)$5n^HY{MU%X=)KLBGVwOm'LVҚP=(vi>TjM/pNWTIG]+EROP=F.OTZtRdTM2P (` a4<|pANKTU)/`7j+C dPXfj e,}X: Lҁ:BG6(>g1i:wS2q2%rgSQ\*6}Ms0IXiHM  aA!` $*Bp.So!s|=IW`x"/P?JO*m %S+CEea a$ pŤ]rYmY$ k.[lS-AQS,S?U7=O3nRsоA*Wc6PTh!pjDLno[1pL{08(?FVWB.<<,h/f|/g oj:OO/ 5#z-eG/Y_mNP7 L059X;[Ev'm@/5M{(C#Cr Kַ^~LKLڡ}5vмXg+!N- g%(e( %xiHVD8ps$ž#<і(Yϑ g=j4ipC-iZ )dMThnSlwn F75E̯@*aXSTYIUi #﵇Bdla$~@ )xJ;.8DFoDΑ&RW^H*}ȥΥ{4+Eҙ졦Cc;/X * sFUv@z:D!czL#U~f]p@@?E! UU4Ds >;#"^iO b/Y%243ӣѫޱ1C/)n)K"?ȯX΂GdJ g&i^BQ})q_4{ ”z* CL/ ˨ T#-9!в#sG#IbC$Odż"~iIg9RbN@+ju f?6ys5x9@;1E³ ?ㄢ[im:k&0IRf|`tLXVnˮhu %;%J9{=NngY)^L}WXU4^~NI@"B}IZBrVz+ݔ; ٻX?%@Es]/l0Fx!:>ї -a]X4O'Wy;7% ~J[ >Ay_1O7prKa`W6+f%VgR[ 8vc˲/+N s1b 4ѕ$es#WS_+ozMr'ю{Mi 2͊tܱ5}*I'jIjMqN6]CUc"N@6RYh߫6UV>ߔ?ضS2Hß j[XՓE)W;[UAYK{M7f酟ultv\-rb* ! JfզJsݧxu@F%r;)e ]_yڷ*X lJ ɊR"PH d'MXE5UMgmT5@_ ˖Cq J uD={d_ āEA}A`G+1[!szݼ2ro6@VHE:@|` Dcx[J`ASd69w[i]Ԣ6cMYpf^l'qކYB`~iܠ0 ("63d-c^lVF9jщJdI%)x c^.1gsdwYXQBOr3geQO2nREnPd FY_e*M>{ ^d"f ,5U`M: ոz`"L)xer^\1lYW%geZ,V[8(%o9.&umt2iΕ [tB$(f;v> tNt9lQU vĊ@C ݽNG˙v M@\R `);WcpFxkHI Sb=&ݎ5ˢDsFymhUoJTX,|de% k{!Pi1z삛Vt%4 ɤ#LC߾ae͘Tȁ *2hHE%'Tؽn0[ $&>ީ ExE"+; K#:NAaD22 JSӉU!##JH EaL]" {Hb4p@|jɱ$N]I6Siq pŷfb'Jp*.;5|se%nӟj]& {W9vg:X~1ق-mp>1qxKt!p< Vi)n12^˹ LXV=7AtFsېll8f)?{WW8#!op@!p[I,w ^I**WFFaewWBƹ;Sf(2~g㙫-'=t\3@jK֎sf]O#%ʁ1ˮ) =BES?С'S>۾hj/`U. 
F$mp9 bR&UBde9L9Tn8wdaWFðLC0L9%Qgu+z/R^"XiJI90˴榁y!oJG5gj?:w@{] 4WA]1M8GRZơHeGx8=7\')㜯P}&}i RɓIQ"]~Tĺ2;%MxhKvw\*Nk5;6ހs)W:I @w;֑ٝR!hjtAy_FMJrmPIP#d0qkU>`_>$ C%vtLkAZ):;d;{60f|Yj/;r5+e/Tm5'w۪Ѽ"md5%IEd2U+_vo$et"z+)j}bk6j

SfG|=ۿ:`z^n6v+&S΃=jBR޻ej|yvFkv>!:íZ4Xh ,aNZ,(LWK `g]Ď"xi$UHHHP=zHR\k'ħVvyXPօ6˧ "*TtԶ"q"44QƦlٲ0 ֽ-*Ƌv\Փwr -rQإe Gš2؜!h02< iPlhj2Lƭ񞙖 @"Jo[ "oF%GMg]0}@lKC]"W+Ԋݼ[w݌W}! )Aeouu.x'zgv§b qzaU#Us&3lxV8Gn~Zr表3mXުr\8 CwI))~a1=ZqFcPnPs2?7^ry,k+2uRH]P?{AgxoXL #[uy5o@]X&i( 9G..6=?w z{m{t!a8",8wfEqX6^CxƳWSS2yqL-qP0mt( 2x| 0E |9 b%@٭@ՌڔɸKߙ6yG*:kھS Q3'ݸ _-qq)*ujr{c'{Ԇ[iiYC{w\i\ŧ"_M2ӷޮsZIwAGלpj5kS, #VCjv 6 3oȻBgQ33pΎڴk5Y j^< _PpܠKd]'[YYi>™O+i*;i ,|{Q lӯw;f=?P{ b߼۠Q_r폍S$|f,X[\j]\iQF ,GXhjceQր>`dA%Fq6AR=i?aJ"Vm}% #i:9[_o4oYeÚpxÂaZ_+VԵs%60uf/jg'Шb|u9\鏵b0n5SJMPǣV<"ts׭R,-CPmt#`ã Dk%6AЃm E؁/jšZιW]OP@_)LFSլ?-`ʱƭzH;s+ K4}G0ɘ7")ѫvʀ n *rR4ϻBS"p%1()+JX&0Z3pv[|̀E)+dhP*LB X364#Uo`S ~ JF iGN,I# V3U Kƭc"VSp ŀ[ZVح V Z5\ 5R(nSʌVc{/Vk쭃S@.` R(*٭BXṶⴱ51T)(XX1 Z"V #2e8ۃ'`MY0#1&bTE+J &n%I IQ>^Y>%E[80n-zfQWLMbRA$ Ǝ@*#^@ JXqݎqn4ֈ+HLJ ,2)# xb2EFtg(tIDATƭAϼ@0'T#HGKbؔ@@J ᑱѽ0٤ $B%Ų582UI/PrXXƭf(qh~ꬔ*;ϛ#.ei!} `ǔ`0V?]ukIENDB`fwbuilder-5.3.7/src/libgui/InstallFirewallViewItem.cpp000066400000000000000000000021511303637203600230270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "InstallFirewallViewItem.h" using namespace std; using namespace libfwbuilder; InstallFirewallViewItem::InstallFirewallViewItem(QTreeWidget* parent, const QString& st, bool slt ): QTreeWidgetItem(parent, QStringList(st)) { showLastTimes = slt; } fwbuilder-5.3.7/src/libgui/InstallFirewallViewItem.h000066400000000000000000000023231303637203600224750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INSTALLFIREWALLVIEWITEM_H #define INSTALLFIREWALLVIEWITEM_H #include #include #include namespace libfwbuilder { class FWObject; } class InstallFirewallViewItem : public QTreeWidgetItem { public: InstallFirewallViewItem(QTreeWidget * parent, const QString & text, bool slt ); bool showLastTimes; }; #endif fwbuilder-5.3.7/src/libgui/InterfaceDialog.cpp000066400000000000000000000453621303637203600213140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "InterfaceDialog.h" #include "DialogFactory.h" #include "ProjectPanel.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "fwbuilder/Library.h" #include "fwbuilder/Interface.h" #include "fwbuilder/InterfaceData.h" #include "fwbuilder/Management.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Host.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Resources.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; InterfaceDialog::InterfaceDialog(QWidget *parent) : BaseObjectDialog(parent) { netzone_manager = new NetworkZoneManager(); m_dialog = new Ui::InterfaceDialog_q; m_dialog->setupUi(this); /* seclevel->hide(); seclevelLabel->hide(); netzone->hide(); netzoneLabel->hide(); */ obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } InterfaceDialog::~InterfaceDialog() { delete netzone_manager; delete m_dialog; } void InterfaceDialog::loadFWObject(FWObject *o) { obj=o; Interface *s = dynamic_cast(obj); assert(s!=NULL); init = true; if 
(st->getBool("Objects/Interface/autoconfigureInterfaces")) { /* * guessSubInterfaceTypeAndAttributes() changes some attributes of * the object (mostly compensating for missing functions in * auto-upgrade scripts but also makes some guesses based on the * interface name, such as sets its vlan ID if its name looks like * it might be a vlan interface). Since we make changes in the * object here, do it before loading it into the dialog so that it * does not look like it has changed in applyChanges() even if the * user hasn't touched it, which causes new undo command to be * created out of nowhere. * * TODO: better way of course is to call * guessSubInterfaceTypeAndAttributes in places where user changes * something relevant in the interface to complement their changes * and right after the interface has been created. */ FWObject *parent_host = Host::getParentHost(s); if (parent_host) { // parent_host may be NULL if interface object is located // in the Deleted Objects library interfaceProperties *int_prop = interfacePropertiesObjectFactory::getInterfacePropertiesObject( parent_host); int_prop->guessSubInterfaceTypeAndAttributes(s); delete int_prop; } } m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->label->setText( QString::fromUtf8(s->getLabel().c_str()) ); m_dialog->regular->setChecked(! s->isDyn() && ! s->isUnnumbered() && ! 
s->isBridgePort() ); m_dialog->dynamic->setChecked( s->isDyn() ); m_dialog->unnumbered->setChecked( s->isUnnumbered() ); m_dialog->dedicated_failover->setChecked( s->isDedicatedFailover() ); m_dialog->management->setChecked( s->isManagement() ); m_dialog->commentKeywords->loadFWObject(s); if (s->isBridgePort()) { m_dialog->regular->hide(); m_dialog->dynamic->hide(); m_dialog->unnumbered->hide(); m_dialog->management->hide(); m_dialog->unprotected->hide(); m_dialog->dedicated_failover->hide(); m_dialog->bridge_port_label->show(); } else { m_dialog->regular->show(); m_dialog->dynamic->show(); m_dialog->unnumbered->show(); m_dialog->management->show(); m_dialog->unprotected->show(); m_dialog->dedicated_failover->show(); m_dialog->bridge_port_label->hide(); } FWObject *f = Host::getParentHost(s); if (f) { m_dialog->advancedconfig->setEnabled(true); /* if parent is a host, hide firewall related settings */ if (Host::isA(f)) { m_dialog->management->setEnabled(false); m_dialog->unprotected->setEnabled(false); m_dialog->dedicated_failover->setEnabled(false); m_dialog->seclevel->setEnabled(false); m_dialog->seclevelLabel->setEnabled(false); m_dialog->netzone->setEnabled(false); m_dialog->netzoneLabel->setEnabled(false); // Can;t let user try to open "advanced interface settings" // dialog because Host does not have "platform" and "host_OS" // attributes but that dialog depends on them. 
m_dialog->advancedconfig->setEnabled(false); } bool supports_security_levels = false; bool supports_network_zones = false; bool supports_unprotected = false; bool supports_advanced_ifaces = false; try { // platform specific supports_security_levels = Resources::getTargetCapabilityBool( f->getStr("platform"), "security_levels"); supports_network_zones = Resources::getTargetCapabilityBool( f->getStr("platform"), "network_zones"); supports_unprotected = Resources::getTargetCapabilityBool( f->getStr("platform"), "unprotected_interfaces"); // OS specific supports_advanced_ifaces = Resources::getTargetCapabilityBool( f->getStr("host_OS"), "supports_advanced_interface_options"); // disable advanced options dialog if this is main interface of a cluster if (Cluster::isA(s->getParent())) supports_advanced_ifaces = false; } catch (FWException &ex) { } if (fwbdebug) qDebug() << "parent=" << f->getName().c_str() << "Firewall::isA(f)=" << Firewall::isA(f) << "host_OS=" << f->getStr("host_OS").c_str() << "supports_advanced_ifaces=" << supports_advanced_ifaces; /* if parent is a firewall or a fw cluster, it is more complex ... */ if (Firewall::isA(f) || Cluster::isA(f)) { if (supports_security_levels) { m_dialog->seclevel->setEnabled(true); m_dialog->seclevelLabel->setEnabled(true); m_dialog->seclevel->setValue( obj->getInt("security_level") ); } else { m_dialog->seclevel->setEnabled(false); m_dialog->seclevelLabel->setEnabled(false); m_dialog->seclevel->setValue(0); } if (supports_unprotected) { m_dialog->unprotected->setEnabled(true); m_dialog->unprotected->setChecked( obj->getBool("unprotected") ); } else { m_dialog->unprotected->setEnabled(false); } if (supports_advanced_ifaces) { m_dialog->advancedconfig->setEnabled(!o->isReadOnly()); } else { m_dialog->advancedconfig->setEnabled(false); } // disable interface options group if this is main interface // of a cluster. This applies to subinterfaces as // well. 
Current implementation can not generate configuration // code for interfaces and subinterfaces of member firewalls // from cluster interface or subinterface objects m_dialog->interfaceOptionsGroup->setEnabled(!Cluster::isA(f)); if (supports_network_zones) { m_dialog->netzone->setEnabled(true); m_dialog->netzoneLabel->setEnabled(true); netzone_manager->load(m_project->db()); int id = FWObjectDatabase::getIntId(obj->getStr("network_zone")); if (id==-1) id = 0; netzone_manager->packComboBox(m_dialog->netzone, id); } else { m_dialog->netzone->setEnabled(false); m_dialog->netzoneLabel->setEnabled(false); m_dialog->netzone->clear(); } } } m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->label->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->label); m_dialog->regular->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->regular); m_dialog->dynamic->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->dynamic); m_dialog->unnumbered->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->unnumbered); m_dialog->management->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->management); m_dialog->unprotected->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->unprotected); m_dialog->dedicated_failover->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->dedicated_failover); m_dialog->seclevel->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->seclevel); m_dialog->netzone->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->netzone); //apply->setEnabled( false ); init = false; } void InterfaceDialog::validate(bool *res) { *res = true; QString obj_name = m_dialog->obj_name->text(); // validateName checks for name duplicates if (!validateName(this, obj, obj_name)) { *res = false; return; } FWObject *parent_host = Host::getParentHost(obj); interfaceProperties *int_prop = interfacePropertiesObjectFactory::getInterfacePropertiesObject( parent_host); QString err; /* * 
TODO: * See if basicValidateInterfaceName() can be rolled into * validateInterface() */ if ( ! int_prop->basicValidateInterfaceName( Interface::cast(obj), obj_name, err)) { *res = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical( this,"Firewall Builder", err, tr("&Continue"), QString::null,QString::null, 0, 1 ); blockSignals(false); } return; } // validateInterface() checks validity of vlan inetrface name if (st->getBool("Objects/Interface/autoconfigureInterfaces") && ! int_prop->validateInterface(obj->getParent(), obj_name, err)) { /* * Here is the annoying part: if user entered interface name * that does not pass checks in interfaceProperties, this * dialog will pop warning dialog to tell them this every time * the dialog loses focus even if they did not change * anything. This happens when they click on any other part of * the GUI or even switch to another application. For example * this happens when user adds subinterface to an interface * with intention to make the subint a vlan. The new interface * object is created with default name, when they change the * name to, say, eth0 (and the parent is eth0), this causes * the error message to appear when they switch the focus. If * they switch to another application while cursor was in the * object name field, the pop-up appears as well. 
*/ *res = false; // show warning dialog only if app has focus if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical( this,"Firewall Builder", err, tr("&Continue"), QString::null,QString::null, 0, 1 ); blockSignals(false); } } delete int_prop; } void InterfaceDialog::applyChanges() { bool autorename_children = false; list subinterfaces = obj->getByType(Interface::TYPENAME); if (obj->getName() != m_dialog->obj_name->text().toUtf8().constData() && ( obj->getByType(IPv4::TYPENAME).size() || obj->getByType(IPv6::TYPENAME).size() || obj->getByType(physAddress::TYPENAME).size() || subinterfaces.size() ) ) { QString dialog_txt = tr( "The name of the interface '%1' has changed. The program can also " "rename IP address objects that belong to this interface, " "using standard naming scheme 'host_name:interface_name:ip'. " "This makes it easier to distinguish what host or a firewall " "given IP address object belongs to when it is used in " "the policy or NAT rule. The program also renames MAC address " "objects using scheme 'host_name:interface_name:mac'. " "Do you want to rename child IP and MAC address objects now? 
" "(If you click 'No', names of all address objects that belong to " "interface '%2' will stay the same.)") .arg(QString::fromUtf8(obj->getName().c_str())) .arg(QString::fromUtf8(obj->getName().c_str())); /* see comment about this in FirewallDialog */ blockSignals(true); autorename_children = (QMessageBox::warning( this, "Firewall Builder", dialog_txt, tr("&Yes"), tr("&No"), QString::null, 0, 1 )==0 ); blockSignals(false); } std::auto_ptr cmd( new FWCmdChange(m_project, obj, "", autorename_children)); FWObject* new_state = cmd->getNewState(); Interface *intf = Interface::cast(new_state); assert(intf!=NULL); string oldname = obj->getName(); string oldlabel = intf->getLabel(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); intf->setLabel( string(m_dialog->label->text().toUtf8().constData()) ); intf->setDyn( m_dialog->dynamic->isChecked() ); intf->setUnnumbered( m_dialog->unnumbered->isChecked() ); intf->setDedicatedFailover( m_dialog->dedicated_failover->isChecked() ); // NOTE: new_state is a copy of the interface but it is not attached to // the tree and therefore has no parent. Need to use original object obj // to get the pointer to the parent firewall. 
FWObject *f = Host::getParentHost(obj); //FWObject *f = Interface::cast(obj)->getParentHost(); bool supports_security_levels = false; bool supports_network_zones = false; bool supports_unprotected = false; try { supports_security_levels= Resources::getTargetCapabilityBool(f->getStr("platform"), "security_levels"); supports_network_zones= Resources::getTargetCapabilityBool(f->getStr("platform"), "network_zones"); supports_unprotected = Resources::getTargetCapabilityBool(f->getStr("platform"), "unprotected_interfaces"); } catch (FWException &ex) { } if (Firewall::isA( f ) || Cluster::isA( f )) { if (supports_security_levels) new_state->setInt("security_level", m_dialog->seclevel->value() ); if (supports_unprotected) new_state->setBool("unprotected", m_dialog->unprotected->isChecked() ); if (supports_network_zones) { new_state->setStr("network_zone", FWObjectDatabase::getStringId( m_dialog->netzone->itemData( m_dialog->netzone->currentIndex(), Qt::UserRole).toInt())); // new_state->setStr("network_zone", // FWObjectDatabase::getStringId( // netzone_manager->getNetzoneIdByListIndex( // m_dialog->netzone->currentIndex() ) // ) // ); } intf->setManagement( m_dialog->management->isChecked() ); } if (!cmd->getOldState()->cmp(new_state, true)) { // Complement changes made by the user with our guesses, but // do this only if user changed something. 
if (st->getBool("Objects/Interface/autoconfigureInterfaces")) { // ticket #328: automatically assign vlan id to interface based on // interface name FWObject *parent_host = Host::getParentHost(obj); interfaceProperties *int_prop = interfacePropertiesObjectFactory::getInterfacePropertiesObject( parent_host); int_prop->setPerformVlanChecks(true); int_prop->guessSubInterfaceTypeAndAttributes(intf); delete int_prop; } if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } void InterfaceDialog::openIfaceDialog() { try { QWidget *w = DialogFactory::createIfaceDialog(this, obj); if (w==NULL) return; // some dialogs may not be implemented yet QDialog *d=dynamic_cast(w); assert(d!=NULL); d->exec(); delete w; } catch (FWException &ex) { QMessageBox::critical( this,"Firewall Builder", tr("FWBuilder API error: %1").arg(ex.toString().c_str()), tr("&Continue"), QString::null,QString::null, 0, 1 ); return; } } fwbuilder-5.3.7/src/libgui/InterfaceDialog.h000066400000000000000000000030501303637203600207450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __INTERFACEDIALOG_H_ #define __INTERFACEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include "networkZoneManager.h" #include #include "fwbuilder/FWObject.h" #include #include class ProjectPanel; class InterfaceDialog : public BaseObjectDialog { Q_OBJECT; NetworkZoneManager *netzone_manager; Ui::InterfaceDialog_q *m_dialog; public: InterfaceDialog(QWidget *parent); ~InterfaceDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void openIfaceDialog(); }; #endif // INTERFACEDIALOG_H fwbuilder-5.3.7/src/libgui/InterfaceEditorWidget.cpp000066400000000000000000000407201303637203600225000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "InterfaceEditorWidget.h" #include "ui_InterfaceEditorWidget.h" #include "FWObjectPropertiesFactory.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include #include #include using namespace libfwbuilder; using namespace std; InterfaceEditorWidget::InterfaceEditorWidget(QWidget *parent) : QWidget(parent), m_ui(new Ui::InterfaceEditorWidget) { tabw = dynamic_cast(parent); this->interfacep = NULL; m_ui->setupUi(this); setClusterMode(false); this->m_ui->name->setText(""); // blank interface name this->m_ui->label->clear(); this->m_ui->comment->clear(); // addNewAddress(); } InterfaceEditorWidget::InterfaceEditorWidget(QWidget *parent, Interface *iface) : QWidget(parent), m_ui(new Ui::InterfaceEditorWidget) { tabw = dynamic_cast(parent); this->interfacep = iface; m_ui->setupUi(this); setClusterMode(false); this->m_ui->name->setText(interfacep->getName().c_str()); this->m_ui->label->setText(interfacep->getLabel().c_str()); // if (iface->getPhysicalAddress() != NULL) // m_ui->mac->setText(iface->getPhysicalAddress()->getPhysAddress().c_str()); this->m_ui->comment->setPlainText(iface->getComment().c_str()); if ( this->interfacep->isDyn() ) this->m_ui->type->setCurrentIndex(1); if ( this->interfacep->isUnnumbered() ) this->m_ui->type->setCurrentIndex(2); FWObjectTypedChildIterator adriter = iface->findByType(IPv4::TYPENAME); for ( ; adriter != adriter.end(); ++adriter ) { Address *addr = Address::cast(*adriter); int row = addNewAddress(addr->getAddressPtr()->toString().c_str(), addr->getNetmaskPtr()->toString().c_str(), addr->getAddressPtr()->isV4()); fwaddrs[row] = addr; } FWObjectTypedChildIterator adriter2 = iface->findByType(IPv6::TYPENAME); for ( ; adriter2 != adriter2.end(); ++adriter2 ) { Address *addr = Address::cast(*adriter2); int row = addNewAddress(addr->getAddressPtr()->toString().c_str(), 
addr->getNetmaskPtr()->toString().c_str(), addr->getAddressPtr()->isV4()); fwaddrs[row] = addr; } } InterfaceEditorWidget::InterfaceEditorWidget(QWidget *parent, ClusterInterfaceData data) : QWidget(parent), m_ui(new Ui::InterfaceEditorWidget) { clusterMode = true; tabw = dynamic_cast(parent); m_ui->setupUi(this); this->interfacep = NULL; this->m_ui->name->setText(data.name); this->m_ui->label->setText(data.label); this->m_ui->comment->setText(data.comment); setHostOS(data.os); list types; getFailoverTypesForOS(os, types); QStringList typenames; QString lastProtocol = st->getNewClusterFailoverProtocol(); int toSelect = 0; foreach(QStringPair pair, types) { typenames << pair.second; if (pair.second == lastProtocol) toSelect = typenames.count() - 1; } this->m_ui->protocol->clear(); this->m_ui->protocol->insertItems(0, typenames); this->m_ui->protocol->setCurrentIndex(toSelect); this->protocolChanged(this->m_ui->protocol->currentText()); } void InterfaceEditorWidget::setData(InterfaceData *data) { this->m_ui->name->setText(data->name.c_str()); this->m_ui->label->setText(data->label.c_str()); // this->m_ui->mac->setText(data->mac_addr.c_str()); this->m_ui->comment->clear(); if ( data->isDyn ) this->m_ui->type->setCurrentIndex(1); else if ( data->isUnnumbered ) this->m_ui->type->setCurrentIndex(2); else this->m_ui->type->setCurrentIndex(0); foreach(QPushButton *btn, this->buttons.keys()) btn->click(); if ( !data->isDyn && !data->isUnnumbered ) { foreach( InetAddrMask* addr, data->addr_mask ) { addNewAddress(addr->getAddressPtr()->toString().c_str(), addr->getNetmaskPtr()->toString().c_str(), !addr->getAddressPtr()->isV6()); } } } void InterfaceEditorWidget::deleteAddress() { QPushButton *button = dynamic_cast(sender()); QPair items = buttons[button]; buttons.remove(button); int row = items.first->row(); this->m_ui->addresses->removeRow(row); delete types[row]; // shift elements up in these maps int idx = row; for (; idx < (rows.size() - 1); idx++) { types[row] = 
types[row+1]; rows[row] = rows[row+1]; fwaddrs[row] = fwaddrs[row+1]; } types.remove(idx); rows.remove(idx); fwaddrs.remove(idx); this->addressChanged(-1, -1); } InterfaceEditorWidget::~InterfaceEditorWidget() { delete m_ui; foreach(QPushButton* btn, buttons.keys()) delete btn; foreach(QComboBox* box, types.values()) delete box; } int InterfaceEditorWidget::addNewAddress() { int row = this->m_ui->addresses->rowCount(); fwaddrs[row] = NULL; this->m_ui->addresses->insertRow(row); QTableWidgetItem *addrItem = new QTableWidgetItem(); QTableWidgetItem *netItem = new QTableWidgetItem(); this->m_ui->addresses->setItem(row, 0, addrItem); this->m_ui->addresses->setItem(row, 1, netItem); QPushButton *button = new QPushButton(this->m_ui->addresses); button->setText(tr("Remove")); connect(button, SIGNAL(clicked()), this, SLOT(deleteAddress())); this->m_ui->addresses->setCellWidget(row, 3, button); QComboBox *box = new QComboBox(); box->addItem("IPv4"); box->addItem("IPv6"); this->m_ui->addresses->setCellWidget(row, 2, box); buttons[button] = qMakePair(addrItem, netItem); rows[row] = qMakePair(addrItem, netItem); types[row] = box; return row; } int InterfaceEditorWidget::addNewAddress(QString address, QString netmask, bool ipv4) { int row = addNewAddress(); types[row]->setCurrentIndex(!ipv4); rows[row].first->setText(address); rows[row].second->setText(netmask); return row; } void InterfaceEditorWidget::changeEvent(QEvent *e) { QWidget::changeEvent(e); switch (e->type()) { case QEvent::LanguageChange: m_ui->retranslateUi(this); break; default: break; } } void InterfaceEditorWidget::nameEdited(QString newname) { tabw->setTabText(tabw->indexOf(this), newname); } Interface* InterfaceEditorWidget::getInterface() { return this->interfacep; } EditedInterfaceData InterfaceEditorWidget::getInterfaceData() { EditedInterfaceData res; res.name = this->m_ui->name->text(); res.label = this->m_ui->label->text(); res.comment = this->m_ui->comment->toPlainText(); res.type = 
this->m_ui->type->currentIndex(); res.protocol = this->m_ui->protocol->currentText(); // res.mac = this->m_ui->mac->text(); bool noAddrs = false; // if (clusterMode) // noAddrs = Resources::os_res[os.toStdString()]->getResourceBool( // "/FWBuilderResources/Target/protocols/" // + this->m_ui->protocol->currentText().toLower().toStdString() + "/no_ip_ok"); if (this->m_ui->protocol->currentText() == "None") noAddrs = true; if (!noAddrs) for ( int i = 0; i < this->m_ui->addresses->rowCount(); i++ ) { AddressInfo info; if (rows[i].first == NULL) continue; // deleted row info.address = rows[i].first->text(); info.netmask = rows[i].second->text(); info.ipv4 = types[i]->currentIndex() == 0; res.addresses.insert(fwaddrs[i], info); } return res; } void InterfaceEditorWidget::typeChanged(int type) { if (clusterMode) return; if (type != 0) { while ( this->m_ui->addresses->rowCount() > 0 ) this->m_ui->addresses->removeRow(0); foreach ( QPushButton* btn, buttons.keys() ) delete btn; foreach ( QComboBox* box, types.values() ) delete box; types.clear(); buttons.clear(); fwaddrs.clear(); rows.clear(); this->m_ui->addresses->setEnabled(false); this->m_ui->addAddress->setEnabled(false); } else { this->m_ui->addresses->setEnabled(true); this->m_ui->addAddress->setEnabled(true); } } bool InterfaceEditorWidget::isValid() { #if 0 // do not do this check in the wizard because there are too many // combinations: most protocols can work with and without an // address on the cluster interfaces and only one (VRRP) requires // it. Unfortunately attribute in the OS resource file only tells // when it is ok to have no address, but does not tell when it must // be there. And we do this check in the compiler anyway. 
Tcikets // #1180, #1172 bool no_addr_ok = true; if (clusterMode) { no_addr_ok = Resources::os_res[os.toStdString()]->getResourceBool( "/FWBuilderResources/Target/protocols/" + this->m_ui->protocol->currentText().toLower().toStdString() + "/no_ip_ok") || this->m_ui->protocol->currentText() == "None"; } if (clusterMode && no_addr_ok && this->m_ui->addresses->rowCount() != 0) { QMessageBox::warning( this, "Firewall Builder", tr("Failover protocol %1 does not require IP address for interface %2") .arg(this->m_ui->protocol->currentText()) .arg(this->m_ui->name->text()), "&Continue", QString::null, QString::null, 0, 1 ); return false; } if (!no_addr_ok && this->m_ui->addresses->rowCount() == 0) { if ( (this->m_ui->type->currentIndex() == 0) && (this->m_ui->addresses->rowCount() == 0) ) { QMessageBox::warning( this, "Firewall Builder", tr("Failover protocol %1 requires an IP address for interface %2") .arg(this->m_ui->protocol->currentText()) .arg(this->m_ui->name->text()), "&Continue", QString::null, QString::null, 0, 1 ); return false; } } #endif if (this->m_ui->name->text().isEmpty()) { setError("Firewall Builder", tr("Interface name can not be blank." "
" "
" "Interface name must match the name of the physical interface, " "such as 'eth0', 'fxp0', 'ethernet0', etc")); return false; } for (int i = 0; i < this->m_ui->addresses->rowCount(); i++) { if (types[i] == NULL) continue; // deleted row QString address = this->m_ui->addresses->item(i, 0)->text(); QString netmask = this->m_ui->addresses->item(i, 1)->text(); if ( !validateAddress( address, netmask, this->m_ui->type->currentIndex() == 0, types[i]->currentIndex() == 1) ) { return false; } } return true; } bool InterfaceEditorWidget::validateAddress(const QString &addr, const QString &netm, bool regular, bool ipv6) { if ( regular && ( addr.isEmpty() || netm.isEmpty() ) ) { setError("Firewall Builder", tr("Empty address or netmask field")); return false; } try { if (ipv6) InetAddr(AF_INET6, addr.toLatin1().constData()); else InetAddr(addr.toLatin1().constData()); } catch (FWException &ex) { setError("Firewall Builder", tr("Invalid address '%1/%2'").arg(addr).arg(netm)); return false; } try { bool ok = false ; int ilen = netm.toInt (&ok); if (ok) { if (ilen < 0 || (ipv6 && ilen > 128) || (!ipv6 && ilen > 32)) { setError("Firewall Builder", tr("Invalid netmask '%1/%2'").arg(addr).arg(netm)); return false; } } else { if (ipv6) InetAddr(AF_INET6, netm.toLatin1().constData()); else InetAddr(netm.toLatin1().constData()); } } catch (FWException &ex) { setError("Firewall Builder", tr("Invalid netmask '%1/%2'").arg(addr).arg(netm)); return false; } return true; } void InterfaceEditorWidget::resizeEvent ( QResizeEvent * ) { int total = this->m_ui->addresses->viewport()->width(); if (total < 100) total = int(this->m_ui->addresses->width() * 0.95); int controls; if ( total/4 > 130 ) controls = 130; else controls = total/4; this->m_ui->addresses->setColumnWidth(0, (total - controls*2)/2); this->m_ui->addresses->setColumnWidth(1, (total - controls*2)/2); this->m_ui->addresses->setColumnWidth(2, controls); this->m_ui->addresses->setColumnWidth(3, controls); } void 
InterfaceEditorWidget::addressChanged(int row, int col) { // if (m_ui->addresses->rowCount() >= 1) // m_ui->addAddress->setText(tr("Add another address")); // else m_ui->addAddress->setText(tr("Add address")); if ( row < 0 || col < 0 || rows.isEmpty() || row > m_ui->addresses->rowCount() || col > 1 ) return; if (!rows.keys().contains(row)) return; QString address = this->rows[row].first->text(); QString netmask = this->rows[row].second->text(); if ( address.isEmpty() || netmask.isEmpty() ) return; bool regular = this->m_ui->type->currentIndex() == 0; bool ipv6 = this->types[row]->currentIndex() == 1; if (!validateAddress(address, netmask, regular, ipv6)) this->m_ui->addresses->editItem(this->m_ui->addresses->item(row, col)); } void InterfaceEditorWidget::setClusterMode(bool st) { clusterMode = st; this->m_ui->name->setEnabled(!st); this->m_ui->protocol->setVisible(st); this->m_ui->protocolLabel->setVisible(st); // this->m_ui->mac->setVisible(!st); // this->m_ui->macLabel->setVisible(!st); this->m_ui->type->setVisible(!st); this->m_ui->typeLabel->setVisible(!st); } void InterfaceEditorWidget::protocolChanged(QString name) { if (clusterMode) { bool noaddr = (name == "None"); if (noaddr) while ( this->m_ui->addresses->rowCount() ) this->m_ui->addresses->removeRow(0); this->m_ui->addresses->setEnabled(!noaddr); this->m_ui->addAddress->setEnabled(!noaddr); st->setNewClusterFailoverProtocol(name); } } void InterfaceEditorWidget::setExplanation(const QString& text) { this->m_ui->explanation->setText(text); this->m_ui->explanation->setFont(QApplication::font()); } void InterfaceEditorWidget::setProtocolIndex(int idx) { this->m_ui->protocol->setCurrentIndex(idx); } void InterfaceEditorWidget::setHostOS(const QString &s) { os = s; QString name_prompt = FWObjectPropertiesFactory::getInterfaceNameExamplesForHostOS(os); if (fwbdebug) qDebug() << "Interface name prompt:" << name_prompt; #if (QT_VERSION >= 0x040700) this->m_ui->name->setPlaceholderText(name_prompt); 
this->m_ui->label->setPlaceholderText("outside, inside, etc (optional)"); #endif this->m_ui->name->setToolTip(name_prompt); this->m_ui->label->setToolTip("outside, inside, etc (optional)"); } void InterfaceEditorWidget::setError(const QString &title, const QString &text) { errorTitle = title; errorText = text; } void InterfaceEditorWidget::showError() { QMessageBox::warning(this, errorTitle, errorText, "&Continue", QString::null, QString::null, 0, 1); } fwbuilder-5.3.7/src/libgui/InterfaceEditorWidget.h000066400000000000000000000066041303637203600221500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INTERFACEEDITORWIDGET_H #define INTERFACEEDITORWIDGET_H #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "platforms.h" #include "InterfacesTabWidget.h" #include "FWBSettings.h" #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) # include # include # include #else # include # include # include #endif #include #include #include #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/Interface.h" #include "fwbuilder/StateSyncClusterGroup.h" namespace Ui { class InterfaceEditorWidget; } struct EditedInterfaceData; struct ClusterInterfaceData; struct AddressInfo { bool ipv4; QString address; QString netmask; }; class InterfaceEditorWidget : public QWidget { Q_OBJECT; public: InterfaceEditorWidget(QWidget *parent, libfwbuilder::InterfaceData* data); InterfaceEditorWidget(QWidget *parent, libfwbuilder::Interface *iface); InterfaceEditorWidget(QWidget *parent, ClusterInterfaceData data); InterfaceEditorWidget(QWidget *parent); ~InterfaceEditorWidget(); void setData(libfwbuilder::InterfaceData *data); libfwbuilder::Interface* getInterface(); EditedInterfaceData getInterfaceData(); bool isValid(); void updateColumnsSizes(); void setClusterMode(bool); void setProtocolIndex(int); void setHostOS(const QString &s); private: QTabWidget *tabw; QToolButton *addAddr, *delAddr; libfwbuilder::Interface *interfacep; Ui::InterfaceEditorWidget *m_ui; QMap > buttons; QMap > rows; QMap types; QMap fwaddrs; bool validateAddress(const QString &addr, const QString &netm, bool regular, bool ipv4); bool clusterMode; QString os, errorTitle, errorText; void setError(const QString &title, const QString &text); public slots: int addNewAddress(); int addNewAddress(QString address, QString netmask, bool ipv4 = true); void deleteAddress(); void nameEdited(QString); void typeChanged(int); void 
addressChanged(int, int); void protocolChanged(QString); void setExplanation(const QString&); void showError(); protected: void changeEvent(QEvent *e); void resizeEvent ( QResizeEvent * ); }; #endif // INTERFACEEDITORWIDGET_H fwbuilder-5.3.7/src/libgui/InterfaceEditorWidget.ui000066400000000000000000000221471303637203600223360ustar00rootroot00000000000000 InterfaceEditorWidget 0 0 434 359 Form Name: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 0 25 Label: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 0 25 Type: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 0 0 Static IP address Dynamic IP address Unnumbered interface Qt::Horizontal QSizePolicy::Minimum 48 20 0 0 Add address Qt::Horizontal 228 23 50 IP Address Netmask Type Remove explanation text true 0 0 Failover protocol: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 0 0 Qt::Horizontal 298 20 0 0 Comment: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 0 0 0 40 16777215 70 name label type comment protocol addresses name textEdited(QString) InterfaceEditorWidget nameEdited(QString) 140 31 6 69 addAddress clicked() InterfaceEditorWidget addNewAddress() 289 456 289 238 type currentIndexChanged(int) InterfaceEditorWidget typeChanged(int) 139 123 4 168 addresses cellChanged(int,int) InterfaceEditorWidget addressChanged(int,int) 53 430 3 314 protocol currentIndexChanged(QString) InterfaceEditorWidget protocolChanged(QString) 102 309 5 278 nameEdited(QString) closeTab(int) addNewAddress() typeChanged(int) addressChanged(int,int) addressChanged(int,int,int,int) protocolChanged(QString) fwbuilder-5.3.7/src/libgui/InterfacesTabWidget.cpp000066400000000000000000000161541303637203600221470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "InterfacesTabWidget.h" #include "ui_InterfacesTabWidget.h" using namespace libfwbuilder; InterfacesTabWidget::InterfacesTabWidget(QWidget *parent) : QTabWidget(parent), m_ui(new Ui::InterfacesTabWidget) { m_ui->setupUi(this); clusterMode = false; clear(); connect(&newInterface, SIGNAL(clicked()), this, SLOT(addNewInterface())); connect(&delInterface, SIGNAL(clicked()), this, SLOT(closeTab())); newInterface.setIcon(QIcon(":/Icons/add.png")); delInterface.setIcon(QIcon(":/Icons/del.png")); newInterface.setToolTip(tr("Add new interface")); delInterface.setToolTip(tr("Delete current interface")); this->setCornerWidget(&delInterface, Qt::TopRightCorner); this->setCornerWidget(&newInterface, Qt::TopLeftCorner); this->cornerWidget(Qt::TopRightCorner)->show(); this->cornerWidget(Qt::TopLeftCorner)->show(); noTabs = true; } InterfacesTabWidget::~InterfacesTabWidget() { delete m_ui; } void InterfacesTabWidget::changeEvent(QEvent *e) { QTabWidget::changeEvent(e); switch (e->type()) { case QEvent::LanguageChange: m_ui->retranslateUi(this); break; default: break; } } QMap InterfacesTabWidget::getData() { QMap res; for ( int i = 0; i < this->count(); i++ ) { InterfaceEditorWidget *w = dynamic_cast( this->widget(i)); if (w == NULL || w->getInterface() == NULL) continue; InterfaceEditorWidget *intEditor = dynamic_cast( this->widget(i)); if (intEditor != NULL) res[intEditor->getInterface()] = 
intEditor->getInterfaceData(); } return res; } QList InterfacesTabWidget::getNewData() { QList res; for ( int i = 0; i < this->count(); i++ ) { InterfaceEditorWidget *w = dynamic_cast( this->widget(i)); if ( w != NULL && w->getInterface() == NULL) res.append(w->getInterfaceData()); } return res; } QList InterfacesTabWidget::getDeletedInterfaces() { return deleted; } void InterfacesTabWidget::addInterface(Interface *iface) { if (noTabs) { this->removeTab(0); noTabs = false; this->delInterface.setEnabled(true); } InterfaceEditorWidget *w = new InterfaceEditorWidget(this, iface); w->setClusterMode(clusterMode); this->addTab(w, iface->getName().c_str()); } void InterfacesTabWidget::addNewInterface() { if (noTabs) { this->removeTab(0); noTabs = false; this->delInterface.setEnabled(true); } InterfaceEditorWidget *w = new InterfaceEditorWidget(this); w->setClusterMode(clusterMode); w->setHostOS(host_OS); addTab(w, ""); // deliberately create new interface with blank name setCurrentIndex(count() - 1); } void InterfacesTabWidget::setTemplate(FWObject* obj) { currentTemplate = obj; } void InterfacesTabWidget::clear() { while ( this->count() ) this->removeTab(0); this->addNewInterface(); } void InterfacesTabWidget::closeTab() { if (noTabs) return; int idx = this->currentIndex(); QWidget *w = this->widget(idx); Interface *iface = dynamic_cast(w)->getInterface() ; if ( iface != NULL ) deleted.append( iface ); this->removeTab(idx); delete w; if (this->count() == 0) { noTabs = true; QString text; if (!this->clusterMode) text = tr("This firewall has no interfaces. Add interface using button ."); else text = tr("This cluster has no interfaces. 
Add interface using button ."); QLabel *label = new QLabel(text, this); label->setAlignment(Qt::AlignCenter); this->addTab(label, tr("No interfaces")); this->delInterface.setEnabled(false); } } bool InterfacesTabWidget::isValid() { for (int i = 0; i< this->count(); i++) { InterfaceEditorWidget* w = dynamic_cast( this->widget(i)); if (w == NULL) continue; if (!w->isValid()) { this->setCurrentWidget(w); w->showError(); return false; } } return true; } void InterfacesTabWidget::setCornerWidgetsVisible(bool st) { this->cornerWidget(Qt::TopRightCorner)->setVisible(st); this->cornerWidget(Qt::TopLeftCorner)->setVisible(st); } void InterfacesTabWidget::addInterfaceFromData(InterfaceData* idata) { InterfaceEditorWidget *w = new InterfaceEditorWidget(this); w->setData(idata); addTab(w, idata->name.c_str()); } void InterfacesTabWidget::addTab(QWidget* widget, const QString& title) { if ( dynamic_cast(widget) != NULL || (noTabs && dynamic_cast(widget) != NULL)) { widget->setObjectName(title+"_widget"); if (!noTabs) dynamic_cast(widget)->setExplanation(explanation); QTabWidget::addTab(widget, title); } } void InterfacesTabWidget::setClusterMode(bool st) { clusterMode = st; for ( int i = 0; i < this->count() ; i++ ) { InterfaceEditorWidget *w = dynamic_cast( this->widget(i)); if (w!=NULL) w->setClusterMode(st); } newInterface.setVisible(!st); delInterface.setVisible(!st); } void InterfacesTabWidget::addClusterInterface(ClusterInterfaceData data) { InterfaceEditorWidget *w = new InterfaceEditorWidget(this, data); w->setClusterMode(true); this->addTab(w, data.name); } void InterfacesTabWidget::setExplanation(const QString& text) { explanation = text; for( int i = 0; i < this->count(); i++ ) { InterfaceEditorWidget* w = dynamic_cast( this->widget(i)); if (w!=NULL) w->setExplanation(text); } } void InterfacesTabWidget::setHostOS(const QString &s) { host_OS = s; for ( int i = 0; i < this->count(); i++ ) { InterfaceEditorWidget *w = dynamic_cast( this->widget(i)); if (w != NULL) 
w->setHostOS(host_OS); } } fwbuilder-5.3.7/src/libgui/InterfacesTabWidget.h000066400000000000000000000057621303637203600216170ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INTERFACESTABWIDGET_H #define INTERFACESTABWIDGET_H #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "platforms.h" #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) # include # include # include #else # include # include # include #endif #include "fwbuilder/Interface.h" #include "fwbuilder/InterfaceData.h" #include "fwbuilder/FWObjectDatabase.h" #include "InterfaceEditorWidget.h" #include "ClusterInterfaceWidget.h" namespace Ui { class InterfacesTabWidget; } struct AddressInfo; struct EditedInterfaceData { QString name; QString label; QString comment; QString mac; int type; // 0 - regular, 1 - dynamic, 2 - unnumbered QString protocol; QMultiMap addresses; }; class InterfacesTabWidget : public QTabWidget { Q_OBJECT; public: InterfacesTabWidget(QWidget *parent = 0); ~InterfacesTabWidget(); QMap getData(); QList getNewData(); QList getDeletedInterfaces(); bool isValid(); void setCornerWidgetsVisible(bool); void setClusterMode(bool); void setHostOS(const QString &s); protected: void changeEvent(QEvent *e); private: 
Ui::InterfacesTabWidget *m_ui; QToolButton newInterface; QToolButton delInterface; QWidget newInterfaceWidget; QHBoxLayout newInterfaceLayout; libfwbuilder::FWObject *currentTemplate; QList deleted; bool clusterMode; QString explanation; bool noTabs; QString host_OS; public slots: void addInterface(libfwbuilder::Interface*); void clear(); void addNewInterface(); void setTemplate(libfwbuilder::FWObject*); void closeTab(); void addInterfaceFromData(libfwbuilder::InterfaceData*); void addClusterInterface(ClusterInterfaceData); void setExplanation(const QString&); virtual void addTab(QWidget*, const QString&); }; #endif // INTERFACESTABWIDGET_H fwbuilder-5.3.7/src/libgui/InterfacesTabWidget.ui000066400000000000000000000013011303637203600217660ustar00rootroot00000000000000 InterfacesTabWidget 0 0 400 300 TabWidget Tab 1 Tab 2 closeTab(int) fwbuilder-5.3.7/src/libgui/KeywordsDialog.cpp000066400000000000000000000103601303637203600212110ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Theron Tock This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "KeywordsDialog.h" #include "utils.h" #include "fwbuilder/FWObject.h" #include #include using namespace std; using namespace libfwbuilder; KeywordsDialog::KeywordsDialog(FWObject *obj, QWidget *parent) : QDialog(parent), m_obj(obj) { m_ui.setupUi(this); m_ui.newKeywordButton->setDefault(true); connect(m_ui.addKeywordButton, SIGNAL(clicked()), this, SLOT(gotAddClick())); connect(m_ui.removeKeywordButton, SIGNAL(clicked()), this, SLOT(gotRemoveClick())); connect(m_ui.newKeywordButton, SIGNAL(clicked()), this, SLOT(gotNewKeywordClick())); connect(m_ui.allKeywordsListView, SIGNAL(doubleClicked(const QModelIndex &)), this, SLOT(gotAllKeywordsDoubleClick(const QModelIndex &))); const set &keywords = m_obj->getKeywords(); const set &allKeywords = m_obj->getAllKeywords(); set::const_iterator iter; for (iter = keywords.begin(); iter != keywords.end(); ++iter) { m_currKeywords.insert(QString::fromUtf8((*iter).c_str())); } for (iter = allKeywords.begin(); iter != allKeywords.end(); ++iter) { m_allKeywords.insert(QString::fromUtf8((*iter).c_str())); } m_allModel = new QStringListModel(sortStrings(m_allKeywords.toList())); m_ui.allKeywordsListView->setModel(m_allModel); m_currModel = new QStringListModel(sortStrings(m_currKeywords.toList())); m_ui.currKeywordsListView->setModel(m_currModel); } KeywordsDialog::~KeywordsDialog() { delete m_allModel; delete m_currModel; } QStringList KeywordsDialog::getKeywords() { return m_currModel->stringList(); } void KeywordsDialog::gotAddClick() { QStringList all = m_allModel->stringList(); QItemSelection selection = m_ui.allKeywordsListView->selectionModel()->selection(); foreach (QItemSelectionRange range, selection) { for (int ii = range.top(); ii <= range.bottom(); ii++) { m_currKeywords.insert(all.at(ii)); } } m_currModel->setStringList(sortStrings(m_currKeywords.toList())); } 
void KeywordsDialog::gotRemoveClick() { QStringList curr = m_currModel->stringList(); QItemSelection selection = m_ui.currKeywordsListView->selectionModel()->selection(); foreach (QItemSelectionRange range, selection) { for (int ii = range.top(); ii <= range.bottom(); ii++) { m_currKeywords.remove(curr.at(ii)); } } m_currModel->setStringList(sortStrings(m_currKeywords.toList())); } void KeywordsDialog::gotAllKeywordsDoubleClick(const QModelIndex &) { gotAddClick(); } void KeywordsDialog::gotNewKeywordClick() { QString newKeyword = m_ui.newKeywordLineEdit->text().simplified(); if (!validateKeyword(this, newKeyword)) return; m_currKeywords.insert(newKeyword); m_allKeywords.insert(newKeyword); m_currModel->setStringList(sortStrings(m_currKeywords.toList())); m_allModel->setStringList(sortStrings(m_allKeywords.toList())); m_ui.newKeywordLineEdit->clear(); } bool KeywordsDialog::validateKeyword(QWidget *parent, const QString &keyword) { if (keyword.isEmpty()) return false; if (keyword.contains(',')) { QMessageBox::warning(parent, "Firewall Builder", tr("Keyword cannot contain a comma"), "&OK", QString::null, QString::null, 0, 1); return false; } return true; } fwbuilder-5.3.7/src/libgui/KeywordsDialog.h000066400000000000000000000032061303637203600206570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Theron Tock This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __KeywordsDialog_h_ #define __KeywordsDialog_h_ #include "fwbuilder/FWObject.h" #include #include class QStringListModel; class KeywordsDialog : public QDialog { private: Q_OBJECT; Ui_KeywordsDialog_q m_ui; libfwbuilder::FWObject *m_obj; QStringListModel *m_allModel; QStringListModel *m_currModel; QSet m_allKeywords; QSet m_currKeywords; public: KeywordsDialog(libfwbuilder::FWObject *obj, QWidget *parent = 0); ~KeywordsDialog(); QStringList getKeywords(); public slots: void gotAddClick(); void gotRemoveClick(); void gotAllKeywordsDoubleClick(const QModelIndex &); void gotNewKeywordClick(); public: static bool validateKeyword(QWidget *parent, const QString &keyword); }; #endif /* KeywordsDialog_h_ */ fwbuilder-5.3.7/src/libgui/LibExportDialog.cpp000066400000000000000000000060671303637203600213230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWWindow.h" #include "LibExportDialog.h" #include "FWBSettings.h" #include "longTextDialog.h" #include "ProjectPanel.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include #include #include #include #include #include #include #include #include #include #ifndef _WIN32 # include // for access(2) #endif #include #include using namespace std; using namespace libfwbuilder; LibExportDialog::~LibExportDialog() { delete m_dialog; } LibExportDialog::LibExportDialog( QWidget* parent, const char* name, bool ) : QDialog(parent) { setWindowTitle(name); m_dialog = new Ui::LibExport_q; m_dialog->setupUi(this); init(); } void LibExportDialog::init() { // resize( QSize(500, 450) ); m_dialog->exportRO->setChecked(true); m_dialog->libs->clear(); list ll = mw->activeProject()->db()->getByType(Library::TYPENAME); int n=0; string libicn; for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++,n++) { /*if (libicn.empty()) libicn=Resources::global_res->getObjResourceStr(*i,"icon-tree").c_str();*/ mapOfLibs[n]= (*i); QPixmap pm; QString icn = (":/Icons/" + (*i)->getTypeName() + "/icon-tree").c_str(); //QString icn = libicn.c_str(); if ( ! 
QPixmapCache::find( icn, pm) ) { pm.load( icn ); QPixmapCache::insert( icn, pm); } QListWidgetItem *item = new QListWidgetItem(QString::fromUtf8((*i)->getName().c_str())); item->setIcon(QIcon(pm)); /*m_dialog->libs->addItem(QIcon(pm), QString::fromUtf8((*i)->getName().c_str()), n);*/ m_dialog->libs->addItem(item); } } fwbuilder-5.3.7/src/libgui/LibExportDialog.h000066400000000000000000000025741303637203600207670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __LIBEXPORTDIALOG_H_ #define __LIBEXPORTDIALOG_H_ #include #include #include #include class RCSFilePreview; namespace libfwbuilder { class FWObject; class FWReference; }; class LibExportDialog : public QDialog{ Q_OBJECT void init(); public: std::map mapOfLibs; LibExportDialog(QWidget* parent=0, const char* name=0, bool modal = false ); ~LibExportDialog(); Ui::LibExport_q *m_dialog; protected slots: }; #endif fwbuilder-5.3.7/src/libgui/LibraryDialog.cpp000066400000000000000000000100121303637203600210000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "ProjectPanel.h" #include "FWBTree.h" #include "LibraryDialog.h" #include "FWBSettings.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; LibraryDialog::LibraryDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::LibraryDialog_q; m_dialog->setupUi(this); obj=NULL; //layout()->setSizeConstraint(QLayout::SetFixedSize); Qt::WindowFlags flags = windowFlags(); flags &= ~Qt::WindowMaximizeButtonHint; flags &= ~Qt::WindowMinimizeButtonHint; setWindowFlags(flags); connectSignalsOfAllWidgetsToSlotChange(); } LibraryDialog::~LibraryDialog() { delete m_dialog; } void LibraryDialog::loadFWObject(FWObject *o) { obj=o; Library *s = dynamic_cast(obj); assert(s!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); m_dialog->obj_name->setEnabled( obj->getId() != FWObjectDatabase::STANDARD_LIB_ID); // apply->setEnabled( obj->getId() != "syslib000" ); // comment->setEnabled( !m_project->isSystem(obj) ); color=obj->getStr("color").c_str(); if (color=="") color="#FFFFFF"; // white is the default fillColor(); //apply->setEnabled( false ); 
m_dialog->obj_name->setEnabled(!o->isReadOnly()); m_dialog->colorButton->setEnabled(!o->isReadOnly()); init=false; } void LibraryDialog::changeIds(FWObject *root) { if (FWBTree().isStandardId(root)) root->setId(FWObjectDatabase::generateUniqueId()); for (FWObject::iterator i=root->begin(); i!=root->end(); i++) changeIds( *i ); } void LibraryDialog::applyChanges() { if (FWBTree().isSystem(obj)) return; std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); QString oldcolor = new_state->getStr("color").c_str(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); new_state->setStr("color", color.toLatin1().constData()); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } void LibraryDialog::validate(bool *res) { *res=true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; } } void LibraryDialog::changeColor() { if (!isTreeReadWrite(this,obj)) return; QColor clr = QColorDialog::getColor( QColor(color), this ); if (!clr.isValid()) return; color = clr.name(); fillColor(); emit changed(); } void LibraryDialog::fillColor() { QPixmap pm(40,14); pm.fill( QColor(color) ); QPainter p( &pm ); p.drawRect( pm.rect() ); m_dialog->colorButton->setIcon(QIcon(pm)); } fwbuilder-5.3.7/src/libgui/LibraryDialog.h000066400000000000000000000030741303637203600204570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __LIBRARYDIALOG_H_ #define __LIBRARYDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class LibraryDialog : public BaseObjectDialog { Q_OBJECT; libfwbuilder::FWObject *obj; bool init; QString color; void fillColor(); void changeIds(libfwbuilder::FWObject *root); public: Ui::LibraryDialog_q *m_dialog; LibraryDialog(QWidget *parent); ~LibraryDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void changeColor(); }; #endif // LIBRARYDIALOG_H fwbuilder-5.3.7/src/libgui/MDIEventFilter.cpp000066400000000000000000000005331303637203600210440ustar00rootroot00000000000000#include "MDIEventFilter.h" #include #include #include #include bool MDIEventFilter::eventFilter(QObject *obj, QEvent *event) { if (event->type() == QEvent::Wheel) { event->accept(); return true; } else { return QObject::eventFilter(obj, event); } } fwbuilder-5.3.7/src/libgui/MDIEventFilter.h000066400000000000000000000003471303637203600205140ustar00rootroot00000000000000#ifndef MDIEVENTFILTER_H #define MDIEVENTFILTER_H #include #include class MDIEventFilter : public QObject { Q_OBJECT protected: bool eventFilter(QObject *obj, QEvent *event); }; #endif // MDIEVENTFILTER_H fwbuilder-5.3.7/src/libgui/MainRes.qrc000066400000000000000000000606471303637203600176400ustar00rootroot00000000000000 Icons/back_25.png Icons/forward_25.png Images/fwbuilder3-256x256-fade.png Images/fwbuilder3-256x256.png Images/fwbuilder3-72x72.png Images/network_zone_dialog.png 
Images/logo1.png Images/library_switch_screenshot.png Icons/import_64_1.png Icons/inspect.png Icons/tutorial_64.png Icons/tutorial_64_1.png Icons/accept_25.png Icons/accept_64.png Icons/accept_16.png Icons/accounting_25.png Icons/accounting_64.png Icons/accounting_16.png Icons/rangeaddress_25.png Icons/rangeaddress_64.png Icons/rangeaddress-neg_25.png Icons/rangeaddress-neg_16.png Icons/rangeaddress-ref_25.png Icons/rangeaddress_16.png Icons/addresstable_25.png Icons/addresstable_64.png Icons/addresstable-neg_25.png Icons/addresstable-neg_16.png Icons/addresstable-ref_25.png Icons/addresstable_16.png Icons/network_25.png Icons/network_64.png Icons/network-neg_25.png Icons/network-neg_16.png Icons/network-ref_25.png Icons/network_16.png Icons/blank.png Icons/blank.png Icons/both_25.png Icons/both_64.png Icons/both_16.png Icons/branch_25.png Icons/branch_64.png Icons/branch_16.png Icons/classify_25.png Icons/classify_64.png Icons/classify_16.png Icons/cluster_25.png Icons/cluster_64.png Icons/cluster-neg_25.png Icons/cluster-neg_16.png Icons/cluster-ref_25.png Icons/cluster_16.png Icons/user_25.png Icons/user_64.png Icons/user-neg_25.png Icons/user-ref_25.png Icons/user_16.png Icons/compile_25.png Icons/continue_25.png Icons/continue_64.png Icons/continue_16.png Icons/custom_25.png Icons/custom_64.png Icons/custom_16.png Icons/service-custom_25.png Icons/service-custom_64.png Icons/service-custom-neg_25.png Icons/service-custom-neg_16.png Icons/service-custom-ref_25.png Icons/service-custom_16.png Icons/domainname_25.png Icons/domainname_64.png Icons/domainname-neg_25.png Icons/domainname-neg_16.png Icons/domainname-ref_25.png Icons/domainname_16.png Icons/deny_25.png Icons/deny_64.png Icons/deny_16.png Icons/failover-cluster-group_25.png Icons/failover-cluster-group_64.png Icons/failover-cluster-group-neg_25.png Icons/failover-cluster-group-neg_16.png Icons/failover-cluster-group-ref_25.png Icons/failover-cluster-group_16.png Icons/firewall_25.png 
Icons/firewall_64.png Icons/firewall-neg_25.png Icons/firewall-neg_16.png Icons/firewall-ref_25.png Icons/firewall_16.png Icons/host_25.png Icons/host_64.png Icons/host-neg_25.png Icons/host-neg_16.png Icons/host-ref_25.png Icons/host_16.png Icons/service-icmp6_25.png Icons/service-icmp6_64.png Icons/service-icmp6-neg_25.png Icons/service-icmp6-neg_16.png Icons/service-icmp6-ref_25.png Icons/service-icmp6_16.png Icons/service-icmp_25.png Icons/service-icmp_64.png Icons/service-icmp-neg_25.png Icons/service-icmp-neg_16.png Icons/service-icmp-ref_25.png Icons/service-icmp_16.png Icons/service-ip_25.png Icons/service-ip_64.png Icons/service-ip-neg_25.png Icons/service-ip-neg_16.png Icons/service-ip-ref_25.png Icons/service-ip_16.png Icons/address_25.png Icons/address_64.png Icons/address-neg_25.png Icons/address-neg_16.png Icons/address-ref_25.png Icons/address_16.png Icons/address6_25.png Icons/address6_64.png Icons/address6-neg_25.png Icons/address6-neg_16.png Icons/address6-ref_25.png Icons/address6_16.png Icons/inbound_25.png Icons/inbound_64.png Icons/inbound_16.png Icons/install_25.png Icons/interface_25.png Icons/interface_64.png Icons/interface-neg_25.png Icons/interface-neg_16.png Icons/interface-ref_25.png Icons/interface_16.png Icons/clock_25.png Icons/clock_64.png Icons/clock-neg_25.png Icons/clock-neg_16.png Icons/clock-ref_25.png Icons/clock_16.png Icons/clock-group_25.png Icons/clock-group_64.png Icons/clock-group-neg_25.png Icons/clock-group-neg_16.png Icons/clock-group-ref_25.png Icons/clock-group_16.png Icons/library_25.png Icons/library_64.png Icons/library-neg_25.png Icons/library-neg_16.png Icons/library-ref_25.png Icons/library_16.png Icons/log_25.png Icons/log_64.png Icons/log_16.png Icons/nat_25.png Icons/nat_64.png Icons/nat_16.png Icons/branch_25.png Icons/branch_64.png Icons/branch_16.png Icons/network_25.png Icons/network_64.png Icons/network-neg_25.png Icons/network-neg_16.png Icons/network-ref_25.png Icons/network_16.png 
Icons/network6_25.png Icons/network6_64.png Icons/network6-neg_25.png Icons/network6-neg_16.png Icons/network6-ref_25.png Icons/network6_16.png Icons/object-group_25.png Icons/object-group_64.png Icons/object-group-neg_25.png Icons/object-group-neg_16.png Icons/object-group-ref_25.png Icons/object-group_16.png Icons/dynamic-group_25.png Icons/dynamic-group_64.png Icons/dynamic-group-neg_25.png Icons/dynamic-group-neg_16.png Icons/dynamic-group-ref_25.png Icons/dynamic-group_16.png Icons/options_25.png Icons/options_64.png Icons/options_16.png Icons/outbound_25.png Icons/outbound_64.png Icons/outbound_16.png Icons/pipe_25.png Icons/pipe_64.png Icons/pipe_16.png Icons/ruleset_25.png Icons/ruleset_64.png Icons/ruleset_16.png Icons/reject_25.png Icons/reject_64.png Icons/reject_16.png Icons/back_25.png Icons/route_25.png Icons/route_64.png Icons/route_16.png Icons/routing_25.png Icons/routing_64.png Icons/routing_16.png Icons/service-group_25.png Icons/service-group_64.png Icons/service-group-neg_25.png Icons/service-group-neg_16.png Icons/service-group-ref_25.png Icons/service-group_16.png Icons/state-sync-cluster-group_25.png Icons/state-sync-cluster-group_64.png Icons/state-sync-cluster-group-neg_25.png Icons/state-sync-cluster-group-neg_16.png Icons/state-sync-cluster-group-ref_25.png Icons/state-sync-cluster-group_16.png Icons/folder_25.png Icons/folder_64.png Icons/folder_16.png Icons/service-tcp_25.png Icons/service-tcp_64.png Icons/service-tcp-neg_25.png Icons/service-tcp-neg_16.png Icons/service-tcp-ref_25.png Icons/service-tcp_16.png Icons/tag_25.png Icons/tag_64.png Icons/tag_16.png Icons/service-tag_25.png Icons/service-tag_64.png Icons/service-tag-neg_25.png Icons/service-tag-neg_16.png Icons/service-tag-ref_25.png Icons/service-tag_16.png Icons/translate_25.png Icons/translate_16.png Icons/service-udp_25.png Icons/service-udp_64.png Icons/service-udp-neg_25.png Icons/service-udp-neg_16.png Icons/service-udp-ref_25.png Icons/service-udp_16.png 
Icons/user_25.png Icons/user_64.png Icons/user-neg_25.png Icons/user-neg_16.png Icons/user-ref_25.png Icons/user_16.png Icons/lock.png Icons/neg.png Icons/neg2.png Icons/physaddress_25.png Icons/physaddress_64.png Icons/physaddress-neg_25.png Icons/physaddress-ref_25.png Icons/physaddress_16.png Icons/add.png Icons/apply.png Icons/back_32.png Icons/big-down-arrow.png Icons/big-left-arrow.png Icons/big-right-arrow.png Icons/big-up-arrow.png Icons/blank_2x16.png Icons/books1.png Icons/cancel.png Icons/close.png Icons/del.png Icons/down-arrow.png Icons/drag_object.png Icons/error.png Icons/firewall_64.png Icons/firewall_64.xpm Icons/floppy.png Icons/folder1.png Icons/generic.png Icons/host_64.png Icons/host_64.xpm Icons/info_16.png Icons/info_25.png Icons/key.png Icons/left-arrow.png Icons/newfile_25.png Icons/newobject_25.png Icons/newobject_32.png Icons/no.png Icons/ok.png Icons/openfile_25.png Icons/protect_host.png Icons/protect_net.png Icons/protect_net_and_dmz.png Icons/question.png Icons/redo.png Icons/ref.png Icons/right-arrow.png Icons/rules_druid_logo.png Icons/save_25.png Icons/search_25.png Icons/stop.png Icons/uncheck.png Icons/undo.png Icons/up-arrow.png Icons/warning.png Icons/yes.png Images/fwbuilder3-128x128.png Images/fwbuilder3.png Tutorial/getting_started/html/page0.html Tutorial/getting_started/html/page1.html Tutorial/getting_started/html/page2.html Tutorial/getting_started/html/page3.html Tutorial/getting_started/html/page4.html Tutorial/getting_started/html/page5.html Tutorial/getting_started/html/page6.html Tutorial/getting_started/html/page7.html Tutorial/getting_started/html/page8.html Tutorial/getting_started/html/page9.html Tutorial/getting_started/html/page10.html Tutorial/getting_started/html/page11.html Tutorial/getting_started/html/page12.html Tutorial/getting_started/html/page13.html Tutorial/getting_started/html/page14.html Tutorial/getting_started/html/page15.html Tutorial/getting_started/html/page16.html 
Tutorial/getting_started/html/page17.html Tutorial/getting_started/html/page18.html Tutorial/getting_started/html/page19.html Tutorial/getting_started/html/page20.html Tutorial/getting_started/html/page21.html Tutorial/getting_started/html/page22.html Tutorial/getting_started/html/page23.html Tutorial/getting_started/html/page24.html Tutorial/getting_started/html/page25.html Tutorial/getting_started/html/page26.html Tutorial/getting_started/html/page27.html Tutorial/getting_started/html/page28.html Tutorial/getting_started/html/page29.html Tutorial/getting_started/html/page30.html Tutorial/getting_started/html/page31.html Tutorial/getting_started/html/page32.html Tutorial/getting_started/images/0.png Tutorial/getting_started/images/1.png Tutorial/getting_started/images/2.png Tutorial/getting_started/images/3.png Tutorial/getting_started/images/4.png Tutorial/getting_started/images/5.png Tutorial/getting_started/images/6.png Tutorial/getting_started/images/7.png Tutorial/getting_started/images/8.png Tutorial/getting_started/images/9-1.png Tutorial/getting_started/images/9-2.png Tutorial/getting_started/images/10.png Tutorial/getting_started/images/11.png Tutorial/getting_started/images/12.png Tutorial/getting_started/images/13.png Tutorial/getting_started/images/14.png Tutorial/getting_started/images/15.png Tutorial/getting_started/images/16.png Tutorial/getting_started/images/17.png Tutorial/getting_started/images/18.png Tutorial/getting_started/images/19.png Tutorial/getting_started/images/20.png Tutorial/getting_started/images/21.png Tutorial/getting_started/images/22.png Tutorial/getting_started/images/23.png Tutorial/getting_started/images/24.png Tutorial/getting_started/images/25.png Tutorial/getting_started/images/26.png Tutorial/getting_started/images/27.png Tutorial/getting_started/images/28.png Tutorial/getting_started/images/29.png Tutorial/getting_started/images/30.png Tutorial/getting_started/images/32.png Tutorial/getting_started/images/new_button.png 
Tutorial/getting_started/stylesheets/style.css fwbuilder-5.3.7/src/libgui/MetricEditorPanel.cpp000066400000000000000000000050641303637203600216410ustar00rootroot00000000000000/* Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
*/ #include "config.h" #include "global.h" #include "MetricEditorPanel.h" #include "FWBSettings.h" #include "ObjectManipulator.h" #include "FWWindow.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; MetricEditorPanel::~MetricEditorPanel() { delete m_widget; } MetricEditorPanel::MetricEditorPanel(QWidget *p) : BaseObjectDialog(p) { m_widget = new Ui::MetricEditorPanel_q; m_widget->setupUi(this); //spin_box->setMinValue( minValue); //spin_box->setMaxValue( maxValue); //spin_box->setValue( value); } int MetricEditorPanel::value() { return m_widget->spin_box->value(); } void MetricEditorPanel::changed() { emit changed_sign(); } void MetricEditorPanel::applyChanges() { rule->setMetric( value() ); } void MetricEditorPanel::loadFWObject(libfwbuilder::FWObject *obj) { RoutingRule *r=RoutingRule::cast(obj); if (r==NULL) return; rule=r; FWObject *o = r; while (o!=NULL && Firewall::cast(o)==NULL) o=o->getParent(); assert(o!=NULL); m_widget->spin_box->setMinimum( 0); m_widget->spin_box->setMaximum( 255); m_widget->spin_box->setValue( r->getMetric()); } void MetricEditorPanel::validate(bool* b ) { *b=true; } void MetricEditorPanel::closeEvent(QCloseEvent *) { } fwbuilder-5.3.7/src/libgui/MetricEditorPanel.h000066400000000000000000000036321303637203600213050ustar00rootroot00000000000000/* Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #ifndef __METRICEDITORPANEL_H__ #define __METRICEDITORPANEL_H__ #include "config.h" #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Firewall.h" class MetricEditorPanel : public BaseObjectDialog { Q_OBJECT; libfwbuilder::RoutingRule *rule; Ui::MetricEditorPanel_q *m_widget; public: MetricEditorPanel(QWidget* p); ~MetricEditorPanel(); int value(); public slots: virtual void changed(); virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void closeEvent(QCloseEvent *e); }; #endif fwbuilder-5.3.7/src/libgui/NATRuleOptionsDialog.cpp000066400000000000000000000142671303637203600222420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "NATRuleOptionsDialog.h" #include "RuleSetView.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "FWCmdRule.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Rule.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Resources.h" #include "../cisco_lib/ASA8TwiceNatLogic.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace std; NATRuleOptionsDialog::~NATRuleOptionsDialog() { delete m_dialog; } NATRuleOptionsDialog::NATRuleOptionsDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::NATRuleOptionsDialog_q; m_dialog->setupUi(this); init=false; } void NATRuleOptionsDialog::loadFWObject(FWObject *o) { obj = o; FWObject *p = obj; while ( !Firewall::cast(p) ) p = p->getParent(); platform = p->getStr("platform").c_str(); string version = p->getStr("version"); Rule *rule = dynamic_cast(o); FWOptions *ropt = rule->getOptionsObject(); // m_dialog->editorTitle->setText(QString("%1 / %2 / %3 ") // .arg(QString::fromUtf8(p->getName().c_str())) // .arg(rule->getTypeName().c_str()) // .arg(rule->getPosition())); int wid = 0; if (platform=="ipf") wid=0; if (platform=="ipfw") wid=0; if (platform=="pix" || platform=="fwsm") wid = 3; if (platform=="iptables") wid=1; if (platform=="pf") wid=2; m_dialog->widgetStack->setCurrentIndex(wid); m_dialog->widgetStack->widget(wid)->raise(); data.clear(); if (platform=="iptables") { data.registerOption(m_dialog->ipt_use_snat_instead_of_masq, ropt, "ipt_use_snat_instead_of_masq"); data.registerOption(m_dialog->ipt_nat_random, ropt, "ipt_nat_random"); data.registerOption(m_dialog->ipt_nat_persistent, ropt, "ipt_nat_persistent"); } if (platform=="pf") { data.registerOption(m_dialog->pf_pool_type_none, ropt, 
"pf_pool_type_none"); data.registerOption(m_dialog->pf_bitmask, ropt, "pf_bitmask"); data.registerOption(m_dialog->pf_random, ropt, "pf_random"); data.registerOption(m_dialog->pf_source_hash, ropt, "pf_source_hash"); data.registerOption(m_dialog->pf_round_robin, ropt, "pf_round_robin"); data.registerOption(m_dialog->pf_static_port, ropt, "pf_static_port"); } if (platform=="pix" || platform=="fwsm") { if (libfwbuilder::XMLTools::version_compare(version,"8.3")>=0) { m_dialog->asa8_nat_dns->setEnabled(true); m_dialog->asa8_nat_auto->setEnabled(true); m_dialog->asa8_nat_dynamic->setEnabled(true); m_dialog->asa8_nat_static->setEnabled(true); data.registerOption(m_dialog->asa8_nat_dns, ropt, "asa8_nat_dns"); NATRule *nat_rule = NATRule::cast(rule); ASA8TwiceNatStaticLogic twice_nat_logic(nat_rule); // set asa8_nat_auto to True if none of these are set yet if (!ropt->getBool("asa8_nat_dynamic") && !ropt->getBool("asa8_nat_static")) { ropt->setBool("asa8_nat_auto", true); } data.registerOption(m_dialog->asa8_nat_auto, ropt, "asa8_nat_auto"); data.registerOption(m_dialog->asa8_nat_dynamic, ropt, "asa8_nat_dynamic"); data.registerOption(m_dialog->asa8_nat_static, ropt, "asa8_nat_static"); // update text label of radio button asa8_nat_auto QString rule_state_auto; switch (twice_nat_logic.getAutomaticType()) { case ASA8TwiceNatStaticLogic::STATIC: rule_state_auto = "static"; break; case ASA8TwiceNatStaticLogic::DYNAMIC: rule_state_auto = "dynamic"; break; } QString button_txt = tr( "Automatically detect NAT type \"static\" or \"dynamic\". 
" "This rule is currently set to type \"%1\""); m_dialog->asa8_nat_auto->setText(button_txt.arg(rule_state_auto)); } else { m_dialog->asa8_nat_dns->setEnabled(false); m_dialog->asa8_nat_auto->setEnabled(false); m_dialog->asa8_nat_dynamic->setEnabled(false); m_dialog->asa8_nat_static->setEnabled(false); } } init = true; data.loadAll(); //apply->setEnabled( false ); init=false; } void NATRuleOptionsDialog::validate(bool *res) { *res = true; } void NATRuleOptionsDialog::applyChanges() { std::auto_ptr cmd( new FWCmdRuleChangeOptions(m_project, obj)); // new_state is a copy of the rule object FWObject* new_state = cmd->getNewState(); FWOptions* new_rule_options = Rule::cast(new_state)->getOptionsObject(); init = true; data.saveAll(new_rule_options); init = false; if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/NATRuleOptionsDialog.h000066400000000000000000000031131303637203600216730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NATRULEOPTIONSDIALOG_H_ #define __NATRULEOPTIONSDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "DialogData.h" #include "fwbuilder/FWObject.h" class RuleSetView; class ProjectPanel; class NATRuleOptionsDialog : public BaseObjectDialog { Q_OBJECT; DialogData data; QString platform; RuleSetView *rsv; Ui::NATRuleOptionsDialog_q *m_dialog; public: NATRuleOptionsDialog(QWidget *parent); ~NATRuleOptionsDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // __NATRULEOPTIONSDIALOG_H fwbuilder-5.3.7/src/libgui/NetworkDialog.cpp000066400000000000000000000217701303637203600210420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBTree.h" #include "NetworkDialog.h" #include "ProjectPanel.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Inet6AddrMask.h" #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; NetworkDialog::NetworkDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::NetworkDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } NetworkDialog::~NetworkDialog() { delete m_dialog; } void NetworkDialog::loadFWObject(FWObject *o) { obj = o; Network *s = dynamic_cast(obj); assert(s!=NULL); init = true; // See #893 No need to show address and mask 0.0.0.0 to the user // if the object is "Any", especially because the same object is // used as "any" for both ipv4 and ipv6 rules. It can be confusing // if they see address "0.0.0.0" while they want to find object // "any" for ipv6. // see also #2454, trying to do even more handholding for users // who do not understand what "any" means in a rule. if (obj->getId() == FWObjectDatabase::ANY_ADDRESS_ID) { m_dialog->object_attributes->hide(); m_dialog->commentKeywords->setReadOnlyComment( QObject::tr( "When used in the Source or Destination field of a rule, " "the Any object will match all " "IP addresses. 
To update your rule to match only specific " "IP addresses, drag-and-drop an object from " "the Object tree into the field in the rule.")); } else { m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->address->setText( s->getAddressPtr()->toString().c_str() ); m_dialog->netmask->setText( s->getNetmaskPtr()->toString().c_str() ); m_dialog->commentKeywords->loadFWObject(o); m_dialog->object_attributes->show(); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->address->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->address); m_dialog->netmask->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->netmask); } init = false; } void NetworkDialog::validate(bool *result) { if (fwbdebug) qDebug() << "NetworkDialog::validate"; *result = true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *result = false; return; } Network *s = dynamic_cast(obj); assert(s!=NULL); try { InetAddr( m_dialog->address->text().toStdString() ); } catch (FWException &ex) { *result = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical( this, "Firewall Builder", tr("Illegal IP address '%1'").arg(m_dialog->address->text()), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } return; } InetAddr addr(m_dialog->address->text().toStdString()); try { QString len = m_dialog->netmask->text() ; bool ok = false ; int ilen = len.toInt(&ok); if (ok) { // permit netmask 0.0.0.0 if the address is also 0.0.0.0 if (addr.isAny() && ilen == 0) return; if (ilen>0 && ilen < 32) { return ; } else { *result = false; QMessageBox::critical( this, "Firewall Builder", tr("Illegal netmask '%1'").arg( m_dialog->netmask->text() ), tr("&Continue"), 0, 0, 0 ); return; } } InetAddr nm( m_dialog->netmask->text().toStdString() ); if (nm.isAny()) { // permit netmask 0.0.0.0 if the address is also 0.0.0.0 if (addr.isAny()) return; else { *result = false; if (QApplication::focusWidget() != 
NULL) { blockSignals(true); // Do not allow netmask of 0 bits See #251 QMessageBox::critical( this, "Firewall Builder", tr("Network object should not have netmask '0.0.0.0'"), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } return; } } if (!nm.isValidV4Netmask()) { *result = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); // Do not allow netmask with zeroes inside. QMessageBox::critical( this, "Firewall Builder", tr("Netmasks with zeroes in the middle are not supported"), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } return; } } catch (FWException &ex) { *result = false; if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical( this, "Firewall Builder", tr("Illegal netmask '%1'").arg( m_dialog->netmask->text() ), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } } } void NetworkDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); Network *s = dynamic_cast(new_state); assert(s!=NULL); string oldname = obj->getName(); new_state->setName(string(m_dialog->obj_name->text().toUtf8().constData())); m_dialog->commentKeywords->applyChanges(new_state); try { s->setAddress(InetAddr(m_dialog->address->text().toStdString())); } catch (FWException &ex) { // exception thrown if user types illegal m_dialog->address or // m_dialog->netmask } try { QString len = m_dialog->netmask->text() ; bool ok = false ; int ilen = len.toInt (&ok); if (ok) { s->setNetmask(InetAddr(ilen)); } else { s->setNetmask(InetAddr(m_dialog->netmask->text().toStdString())); } } catch (FWException &ex) { // exception thrown if user types illegal m_dialog->address or // m_dialog->netmask // bool ok = false ; } if (!cmd->getOldState()->cmp(new_state, true)) { if (fwbdebug) qDebug() << "Pushing FWCmdChange to undo stack"; if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } void NetworkDialog::addressEntered() { try { QString addr = m_dialog->address->text(); 
InetAddrMask address_and_mask(string(addr.toStdString())); if (addr.contains('/')) { m_dialog->address->setText( address_and_mask.getAddressPtr()->toString().c_str()); m_dialog->netmask->setText( address_and_mask.getNetmaskPtr()->toString().c_str()); } } catch (FWException &ex) { // exception thrown if user types illegal m_dialog->address do // not show error dialog. This method is called by // editingFinished signal and therefore is invoked when user // switches focus from the address input widget to some other // widget or even when user switches to another application to // look up the address. Error dialog interrupts the workflow // in the latter case which is annoying. } } fwbuilder-5.3.7/src/libgui/NetworkDialog.h000066400000000000000000000026441303637203600205060ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NETWORKDIALOG_H_ #define __NETWORKDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class NetworkDialog : public BaseObjectDialog { Q_OBJECT; Ui::NetworkDialog_q *m_dialog; public: NetworkDialog(QWidget *parent); ~NetworkDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void addressEntered(); }; #endif // NETWORKDIALOG_H fwbuilder-5.3.7/src/libgui/NetworkDialogIPv6.cpp000066400000000000000000000132711303637203600215440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBTree.h" #include "NetworkDialogIPv6.h" #include "ProjectPanel.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Inet6AddrMask.h" #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; NetworkDialogIPv6::NetworkDialogIPv6(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::NetworkDialogIPv6_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } NetworkDialogIPv6::~NetworkDialogIPv6() { delete m_dialog; } void NetworkDialogIPv6::loadFWObject(FWObject *o) { obj=o; NetworkIPv6 *s = dynamic_cast(obj); assert(s!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->address->setText( s->getAddressPtr()->toString().c_str() ); m_dialog->netmask->setText( QString("%1").arg( s->getNetmaskPtr()->getLength()) ); m_dialog->commentKeywords->loadFWObject(o); //apply->setEnabled( false ); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->address->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->address); m_dialog->netmask->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->netmask); init=false; } void NetworkDialogIPv6::changed() { //apply->setEnabled( true ); emit changed_sign(); } void NetworkDialogIPv6::validate(bool *res) { *res = true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *res = false; return; } NetworkIPv6 *s = dynamic_cast(obj); assert(s != NULL); try { InetAddr(AF_INET6, m_dialog->address->text().toStdString() ); } 
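catch (FWException &ex) {
    *res = false;
    if (QApplication::focusWidget() != NULL) {
        blockSignals(true);
        QMessageBox::critical(this, "Firewall Builder",
                              tr("Illegal IPv6 address '%1'").arg(
                                  m_dialog->address->text()),
                              tr("&Continue"), 0, 0, 0 );
        blockSignals(false);
    }
    // Stop after the first failure, as NetworkDialog::validate does;
    // previously control fell through to the netmask check below and
    // could raise a second error dialog for the same input.
    return;
}

bool ok = false;
int range = m_dialog->netmask->text().toInt(&ok);
// Do not allow netmask of 0 bits. See #251
// (the upper bound also rejects /128; kept as the author wrote it)
if (ok && range > 0 && range < 128) {
    return;
} else {
    *res = false;
    if (QApplication::focusWidget() != NULL) {
        blockSignals(true);
        QMessageBox::critical(this, "Firewall Builder",
                              tr("Illegal netmask '%1'").arg(
                                  m_dialog->netmask->text() ),
                              tr("&Continue"), 0, 0, 0 );
        blockSignals(false);
    }
}
}

/*
 * Apply the dialog's fields to obj as an undoable FWCmdChange.
 *
 * Name and comment/keywords are copied unconditionally. Address and
 * prefix length are parsed inside one try block; an FWException from
 * either parser is swallowed and the affected field keeps the value it
 * had on the new state. The command is pushed onto the undo stack only
 * when the new state differs from the old one and obj is writable.
 */
void NetworkDialogIPv6::applyChanges()
{
    // std::auto_ptr is what this code base uses (deprecated in C++11,
    // removed in C++17); kept for consistency with the sibling dialogs.
    std::auto_ptr<FWCmdChange> cmd( new FWCmdChange(m_project, obj));
    FWObject* new_state = cmd->getNewState();
    NetworkIPv6 *s = dynamic_cast<NetworkIPv6*>(new_state);
    assert(s!=NULL);

    new_state->setName(
        string(m_dialog->obj_name->text().toUtf8().constData()) );
    m_dialog->commentKeywords->applyChanges(new_state);

    try
    {
        s->setAddress(
            InetAddr(AF_INET6, m_dialog->address->text().toStdString()) );

        // Parse the prefix length *before* touching the object. toInt()
        // yields 0 when it fails, and the previous order passed that 0 to
        // setNetmask() and only then checked 'ok' -- so an unparsable
        // netmask could leave new_state with a /0 (match-everything)
        // prefix that the swallowed exception below did not undo, and the
        // cmp() check at the end would then commit it.
        bool ok = false;
        int prefix_len = m_dialog->netmask->text().toInt(&ok);
        if (!ok) throw FWException("");
        s->setNetmask( InetAddr(AF_INET6, prefix_len) );
    } catch (FWException &ex)
    {
        /* exception thrown if user types illegal m_dialog->address or
         * m_dialog->netmask; that field keeps whatever new_state held */
    }

    if (!cmd->getOldState()->cmp(new_state, true))
    {
        if (obj->isReadOnly()) return;
        m_project->undoStack->push(cmd.release());
    }
}

/*
 * Slot, presumably wired to the address field's editingFinished signal
 * like NetworkDialog::addressEntered (confirm in the .ui / connect code).
 * If the user typed "address/len", split it into the address and netmask
 * widgets. Parse errors are deliberately silent here.
 */
void NetworkDialogIPv6::addressEntered()
{
    try
    {
        QString addr = m_dialog->address->text();
        Inet6AddrMask address_and_mask(string(addr.toStdString()));
        if (addr.contains('/'))
        {
            m_dialog->address->setText(
                address_and_mask.getAddressPtr()->toString().c_str());
            m_dialog->netmask->setText(
                QString().setNum(
                    address_and_mask.getNetmaskPtr()->getLength()));
        }
    } catch (FWException &ex)
    {
        // exception thrown if user types illegal m_dialog->address
    }
}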
fwbuilder-5.3.7/src/libgui/NetworkDialogIPv6.h000066400000000000000000000027341303637203600212130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NETWORKDIALOGIPV6_H_ #define __NETWORKDIALOGIPV6_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class NetworkDialogIPv6 : public BaseObjectDialog { Q_OBJECT; Ui::NetworkDialogIPv6_q *m_dialog; public: NetworkDialogIPv6(QWidget *parent); ~NetworkDialogIPv6(); public slots: virtual void changed(); virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void addressEntered(); }; #endif // NETWORKDIALOG_H fwbuilder-5.3.7/src/libgui/ObjConflictResolutionDialog.cpp000066400000000000000000000412271303637203600236700ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Resources.h" #include "ObjConflictResolutionDialog.h" #include "FWObjectPropertiesFactory.h" #include "FWBSettings.h" #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; ObjConflictResolutionDialog::ObjConflictResolutionDialog(QWidget *parent): QDialog(parent) { m_dialog = new Ui::ObjConflictResolutionDialog_q; m_dialog->setupUi(this); setObjectName("ObjConflictResolutionDialog"); alwaysCurrent=false; alwaysNew =false; m_dialog->dlgIcon->setPixmap( QMessageBox::standardIcon( QMessageBox::Warning ) ); defaultLeftButtonText = tr("Keep current object"); defaultRightButtonText = tr("Replace with this object"); if (st->haveGeometry(this)) st->restoreGeometry(this); richText = true; } ObjConflictResolutionDialog::~ObjConflictResolutionDialog() { saveGeometry(); } QString ObjConflictResolutionDialog::makeBold(const QString &str) { QString bold = (richText)?QString(""):""; QString unbold = (richText)?QString(""):""; return QString("%1%2%3").arg(bold).arg(str).arg(unbold); } int ObjConflictResolutionDialog::run(FWObject *o1, FWObject *o2) { // some simple cases where we don't have to ask the user and can make // decision automatically. 
// CustomService object, if one of the objects adds code string // for a platform which was absent in another if (CustomService::isA(o1) && CustomService::isA(o2)) { bool o1_adds_code_string = false; bool o2_adds_code_string = false; bool code_changes = false; map platforms = Resources::getPlatforms(); for (map::iterator i=platforms.begin(); i!=platforms.end(); i++) { string c1 = CustomService::cast(o1)->getCodeForPlatform( (*i).first ); string c2 = CustomService::cast(o2)->getCodeForPlatform( (*i).first ); if (c1 != c2 && !c1.empty() && !c2.empty()) code_changes = true; if (c1 != c2 && c1.empty()) o2_adds_code_string = true; if (c1 != c2 && c2.empty()) o1_adds_code_string = true; } if (fwbdebug) { qDebug() << "Comparing to CustomService objects:"; qDebug() << "o1=" << o1->getName().c_str() << "o2=" << o2->getName().c_str(); qDebug() << "code_changes=" << code_changes << "o1_adds_code_string=" << o1_adds_code_string << "o2_adds_code_string=" << o2_adds_code_string; } if (!code_changes && o1_adds_code_string) return QDialog::Rejected; } // fill in dialogs even though the user might have // checked checkbox that makes decision without // them having to click a button. This is so that // classes that inherit from ObjConflictResolutionDialog // can use data collected in this method. Particularly // CompareObjectsDialog::run needs it QString leftBtnTxt, rightBtnTxt; bool leftCB, rightCB, leftBtn, rightBtn; leftBtnTxt = defaultLeftButtonText; rightBtnTxt = defaultRightButtonText; leftCB=rightCB=leftBtn=rightBtn=true; QString p1, p2; FWObject *delObjLib1 = o1->getRoot()->getById( FWObjectDatabase::DELETED_OBJECTS_ID ); FWObject *delObjLib2 = o2->getRoot()->getById( FWObjectDatabase::DELETED_OBJECTS_ID ); if (delObjLib1!=NULL && o1->isChildOf(delObjLib1)) { /* This is the case when an object present in the file we are * trying to load has been deleted in the tree. 
We can not * just ignore deleted object in the tree and load a copy from * the file because it will create a conflict (two objects * with the same ID). I am not sur eI can delete object from * here either. It is unclear how to solve this problem * correctly. Defer to the user. */ p1=tr("Object '%1' has been deleted").arg(makeBold(o1->getName().c_str())); rightBtnTxt = tr("Delete"); leftCB = rightCB = leftBtn = false; } else p1= FWObjectPropertiesFactory::getObjectPropertiesDetailed(o1, true, false, false); if (delObjLib2!=NULL && o2->isChildOf(delObjLib2)) { /* This is the case where object o2 has been deleted in the * file we are trying to load but is present in the tree. One * situation when this occurs is when we preloaded bunch of * libraries and this object is in one of them but has been * deleted in the file. We should ignore deleted objects in * the file and use copy present in the tree. */ cerr << "Deleted object found: o2 " << o2->getId() << " " << o2->getName() << endl; return QDialog::Rejected; p2=tr("Object '%1' has been deleted").arg(makeBold(o2->getName().c_str())); leftBtnTxt = tr("Delete"); leftCB = rightCB = rightBtn = false; } else p2= FWObjectPropertiesFactory::getObjectPropertiesDetailed(o2, true, false, false); m_dialog->useCurrentObj->setText(leftBtnTxt); m_dialog->useNewObj->setText(rightBtnTxt); m_dialog->useNewObj->setEnabled(rightBtn); m_dialog->newAll->setEnabled(rightCB); m_dialog->useCurrentObj->setEnabled(leftBtn); m_dialog->currentAll->setEnabled(leftCB); if (leftBtn) m_dialog->useCurrentObj->setFocus(); else m_dialog->useNewObj->setFocus(); QString f1= FWObjectDatabase::cast(o1->getRoot())->getFileName().c_str(); QString f2= FWObjectDatabase::cast(o2->getRoot())->getFileName().c_str(); current_filename = f1; new_filename = f2; current_objname = o1->getName().c_str(); new_objname = o2->getName().c_str(); current_properties = p1; new_properties = p2; if (f1.isEmpty()) f1=tr("Object '%1' in the objects 
tree").arg(makeBold(o1->getName().c_str())); else f1=tr("Object '%1' in file %2").arg(makeBold(o1->getName().c_str())).arg(f1); f2=tr("Object '%1' in file %2").arg(makeBold(o2->getName().c_str())).arg(f2); m_dialog->currentObjLbl->setText(f1); m_dialog->newObjLbl->setText(f2); m_dialog->currentObj->clear(); m_dialog->newObj->clear(); QString s; s="
\n"; s+=p1; s+="


"; s+=o1->getComment().c_str(); m_dialog->currentObj->moveCursor(QTextCursor::Start); m_dialog->currentObj->append( s ); m_dialog->currentObj->scrollToAnchor("top"); s="\n"; s+=p2; s+="
"; s+=o2->getComment().c_str(); m_dialog->newObj->moveCursor( QTextCursor::Start ); m_dialog->newObj->append( s ); m_dialog->newObj->scrollToAnchor("top"); if (alwaysCurrent) return QDialog::Rejected; if (alwaysNew) return QDialog::Accepted; return QDialog::exec(); } void ObjConflictResolutionDialog::saveGeometry() { st->saveGeometry(this); } /* * Important * * normally close event is sent when user clicks "close window" button * on the window titlebar. When this event is processed in this method, * the window is still visible so it is safe to retrieve and use its * geometry (it is bad to get geometry of the window when it is hidden * because at that time window manager decorations do not exist * anymore, so window's position on the screen is shiften up and to * the left). * * It seems under certain window manager (at this time it is unknown * which one) in Gnome "close event" is generated after the window is * closed by clicking one of the buttons at the bottom (choosing which * objects to keep). We call saveGeometry from accept and reject to * get size and position when user clicks those buttons. Window is * then closed and (it seems) window manager sends "close" event to * it. By the time when we get control in this method, the window is * already closed and geometry returned for it would be incorrect. * * Finally, I decided to make it so the user can not close conflict * resolution dialog using titlebar button. The user is suppposed to * make a decision, and although closing dialog was equivalent to * clicking one of the choice buttons, it wasn't obvious. So it is * better to disable this completely and make it obvious for the user * that they must make a choice. 
*/ void ObjConflictResolutionDialog::closeEvent(QCloseEvent *e) { if (fwbdebug) qDebug("ObjConflictResolutionDialog::closeEvent"); e->ignore(); } void ObjConflictResolutionDialog::setFlags() { alwaysCurrent = m_dialog->currentAll->isChecked(); alwaysNew = m_dialog->newAll->isChecked(); } void ObjConflictResolutionDialog::accept() { if (fwbdebug) qDebug("ObjConflictResolutionDialog::accept(): isVisible=%d", isVisible()); QDialog::accept(); } void ObjConflictResolutionDialog::reject() { if (fwbdebug) qDebug("ObjConflictResolutionDialog::reject(): isVisible=%d", isVisible()); QDialog::reject(); } // ################################################################ CompareObjectsDialog::CompareObjectsDialog(QWidget *p) : ObjConflictResolutionDialog(p) { richText = false; num_conflicts = 0; column_width[0] = 30; column_width[1] = 30; column_width[2] = 30; column_width[3] = 30; m_dialog->currentAll->hide(); m_dialog->useCurrentObj->hide(); defaultLeftButtonText = ""; defaultRightButtonText = tr("Next"); m_dialog->dialogHeading->setText( tr("The following two objects have the same internal ID but different attributes:") ); m_dialog->newAll->setText( tr("Skip the rest but build report") ); clearReport(); // Note : these keys match strings generated by // FWObjectPropertyFactory::getObjectPropertiesDetailed // That is, getObjectPropertiesDetailed generates text like this: // // Library: TestLibrary // Object Id: id3F3D04676 // Object Type: Firewall // Object Name: guardian // // Keys in report_attributes must match strings before ':' exactly report_attributes.push_back("Name"); report_attributes.push_back("Library"); report_attributes.push_back("Object Id"); report_attributes.push_back("Object Type"); report_attributes.push_back("Object Name"); report_attributes.push_back("Path"); } void CompareObjectsDialog::writeColumn(ostringstream &sstr, int column_num, const QString &txt) { int col_width = column_width[column_num]; sstr << txt.toLatin1().constData() << 
setw(col_width-txt.length()) << setfill(' ') << ' '; } int CompareObjectsDialog::run(FWObject *o1,FWObject *o2) { ostringstream str; int res = ObjConflictResolutionDialog::run(o1,o2); /* currentObj->setTextFormat(Qt::PlainText); QString l_text = currentObj->text(0); // QTextEdit returns whole paragraph as one line // Since we enforce PlainText, all html formatting // is lost and individual lines are glued together // with some character that prints as '?' // Could be chr(0) ? if (fwbdebug) qDebug("%s",l_text.ascii()); newObj->setTextFormat(Qt::PlainText); QString r_text = newObj->text(0); if (fwbdebug) qDebug("%s",r_text.ascii()); str << l_text << endl; str << r_text << endl; str << endl; */ num_conflicts++; QString prop1 = FWObjectPropertiesFactory::stripHTML(current_properties); QString prop2 = FWObjectPropertiesFactory::stripHTML(new_properties); QStringList proplist1 = prop1.split("\n"); QStringList proplist2 = prop2.split("\n"); QMap propdict1; QMap propdict2; int n = 0; QStringList::Iterator i1 = proplist1.begin(); for ( ; i1!=proplist1.end(); ++i1,++n) { ostringstream tstr; tstr << "key_" << n; QString k = (*i1).section(':',0,0).trimmed(); QString v = (*i1).section(':',1).trimmed(); if (v=="") { v = k; k = tstr.str().c_str(); } if (fwbdebug) qDebug() << QString("proplist1: k='%1' v='%2'") .arg(k).arg(v); propdict1[k] = v; } n = 0; QStringList::Iterator i2 = proplist2.begin(); for ( ; i2!=proplist2.end(); ++i2,++n) { ostringstream tstr; tstr << "key_" << n; QString k = (*i2).section(':',0,0).trimmed(); QString v = (*i2).section(':',1).trimmed(); if (v=="") { v = k; k = tstr.str().c_str(); } if (fwbdebug) qDebug() << QString("proplist2: k='%1' v='%2'") .arg(k).arg(v); propdict2[k] = v; } QStringList::Iterator i3 = report_attributes.begin(); for ( ; i3!=report_attributes.end(); ++i3) { QString attr = *i3; if (fwbdebug) qDebug() << "report_attributes: attr=" << attr; if (!propdict1.contains(attr) || !propdict2.contains(attr)) continue; writeColumn(str, 1, attr); 
writeColumn(str, 2, propdict1[attr]); writeColumn(str, 3, propdict2[attr]); str << endl; propdict1[attr] = ""; propdict2[attr] = ""; } QMap::Iterator mi1 = propdict1.begin(); for ( ; mi1!=propdict1.end(); ++mi1) { QString key = mi1.key(); QString val = mi1.value(); if (fwbdebug) qDebug() << QString("propdict1: key=%1 val=%2") .arg(key).arg(val); if (val=="") continue; if (key.startsWith("key_")) writeColumn(str, 1, " "); else writeColumn(str, 1, key); if (propdict1.contains(key)) writeColumn(str, 2, propdict1[key]); else writeColumn(str, 2, " "); if (propdict2.contains(key)) writeColumn(str, 3, propdict2[key]); else writeColumn(str, 3, " "); str << endl; propdict1[key] = ""; propdict2[key] = ""; } QMap::Iterator mi2 = propdict2.begin(); for ( ; mi2!=propdict2.end(); ++mi2) { QString key = mi2.key(); QString val = mi2.value(); if (fwbdebug) qDebug() << QString("propdict2: key=%1 val=%2") .arg(key).arg(val); if (val=="") continue; if (key.startsWith("key_")) writeColumn(str, 1, " "); else writeColumn(str, 1, key); if (propdict1.contains(key)) writeColumn(str, 2, propdict1[key]); else writeColumn(str, 2, " "); if (propdict2.contains(key)) writeColumn(str, 3, propdict2[key]); else writeColumn(str, 3, " "); str << endl; } str << setw(78) << setfill('-') << '-' << endl; report.push_back( QString(str.str().c_str()) ); return res; } void CompareObjectsDialog::clearReport() { report.clear(); } list CompareObjectsDialog::getReport() { ostringstream str; str << "File 1: " << current_filename.toLatin1().constData() << endl; str << "File 2: " << new_filename.toLatin1().constData() << endl; str << setw(78) << setfill('-') << '-' << endl; report.push_front( QString(str.str().c_str()) ); return report; } fwbuilder-5.3.7/src/libgui/ObjConflictResolutionDialog.h000066400000000000000000000062141303637203600233320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we 
release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJCONFLICTRESOLUTIONDIALOG_H_ #define __OBJCONFLICTRESOLUTIONDIALOG_H_ #include #include "fwbuilder/FWObjectDatabase.h" #include namespace libfwbuilder { class FWObject; }; class ObjConflictResolutionDialog : public QDialog { Q_OBJECT bool alwaysCurrent; bool alwaysNew; protected: QString current_filename; QString new_filename; QString current_objname; QString new_objname; QString current_properties; QString new_properties; QString defaultLeftButtonText; QString defaultRightButtonText; bool richText; void saveGeometry(); QString makeBold(const QString &str); public: Ui::ObjConflictResolutionDialog_q *m_dialog; ObjConflictResolutionDialog(QWidget *parent); virtual ~ObjConflictResolutionDialog(); virtual int run( libfwbuilder::FWObject *o1, libfwbuilder::FWObject *o2); public slots: virtual void closeEvent(QCloseEvent *e); void setFlags(); protected slots: virtual void accept(); virtual void reject(); }; class MergeConflictRes : public libfwbuilder::FWObjectDatabase::ConflictResolutionPredicate, ObjConflictResolutionDialog { public: MergeConflictRes(QWidget *p) : ObjConflictResolutionDialog(p) {} virtual bool askUser(libfwbuilder::FWObject *o1,libfwbuilder::FWObject *o2) { int res=run(o1,o2); return (res==QDialog::Accepted); } }; class CompareObjectsDialog : public libfwbuilder::FWObjectDatabase::ConflictResolutionPredicate, 
ObjConflictResolutionDialog { std::list report; QStringList report_attributes; int num_conflicts; int column_width[4]; void writeColumn(std::ostringstream &sstr, int column_num, const QString &txt); public: CompareObjectsDialog(QWidget *p); virtual int run( libfwbuilder::FWObject *o1, libfwbuilder::FWObject *o2); void clearReport(); std::list getReport(); int getNumberOfConflicts() { return num_conflicts; } virtual bool askUser(libfwbuilder::FWObject *o1,libfwbuilder::FWObject *o2) { run(o1,o2); return QDialog::Accepted; } }; #endif fwbuilder-5.3.7/src/libgui/ObjectDescriptor.cpp000066400000000000000000000052061303637203600215320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "ObjectDescriptor.h" // #include snmp.h only after all Qt headers; see #2185 #include "fwbuilder/snmp.h" using namespace std; using namespace libfwbuilder; ObjectDescriptor::ObjectDescriptor() {} ObjectDescriptor::ObjectDescriptor(const ObjectDescriptor& od) { have_snmpd = od.have_snmpd; descr = od.descr; contact = od.contact; location = od.location; sysname = od.sysname; interfaces = od.interfaces; MAC_addr = od.MAC_addr; dns_info.name = od.dns_info.name; dns_info.aliases = od.dns_info.aliases; addr = od.addr; type = od.type; isSelected = od.isSelected; netmask = od.netmask; } #ifdef HAVE_LIBSNMP ObjectDescriptor::ObjectDescriptor(const libfwbuilder::CrawlerFind *cf) { have_snmpd = cf->have_snmpd; descr = cf->descr; contact = cf->contact; location = cf->location; sysname = cf->sysname; interfaces = cf->interfaces; MAC_addr = cf->found_phys_addr; dns_info.name = cf->name; dns_info.aliases = cf->aliases; } #endif ObjectDescriptor::~ObjectDescriptor() {}; ObjectDescriptor& ObjectDescriptor::operator=(const ObjectDescriptor& od) { have_snmpd = od.have_snmpd; descr = od.descr; contact = od.contact; location = od.location; sysname = od.sysname; interfaces = od.interfaces; MAC_addr = od.MAC_addr; dns_info.name = od.dns_info.name; dns_info.aliases = od.dns_info.aliases; addr = od.addr; type = od.type; isSelected = od.isSelected; netmask = od.netmask; return *this; } fwbuilder-5.3.7/src/libgui/ObjectDescriptor.h000066400000000000000000000041041303637203600211730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTDESCRIPTOR_H_ #define __OBJECTDESCRIPTOR_H_ #include #include "fwbuilder/InterfaceData.h" #include "fwbuilder/dns.h" #include #include // avoid #include "snmp.h" since it conflicts with Qt, see #2185 namespace libfwbuilder { class CrawlerFind; }; class ObjectDescriptor { public: bool have_snmpd ; std::string descr, contact, location, sysname ; std::string type; bool isSelected; std::map interfaces ; std::string MAC_addr ; libfwbuilder::HostEnt dns_info ; libfwbuilder::InetAddr addr ; libfwbuilder::InetAddr netmask ; ObjectDescriptor(); ObjectDescriptor(const ObjectDescriptor& od); std::string toString() { std::ostringstream ost; ost << sysname; //if(interfaces.size()>1) // ost <<" [" < ObjectDescriptorList; #endif fwbuilder-5.3.7/src/libgui/ObjectEditor.cpp000066400000000000000000000312711303637203600206430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "ObjectEditor.h" #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "BaseObjectDialog.h" #include "FirewallDialog.h" #include "InterfaceDialog.h" #include "DialogFactory.h" #include "FWBTree.h" #include "ProjectPanel.h" #include "FWBSettings.h" #include "GroupObjectDialog.h" #include "ActionsDialog.h" #include "MetricEditorPanel.h" #include "CommentEditorPanel.h" #include "ObjectManipulator.h" #include "Help.h" #include "events.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Host.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/DynamicGroup.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/Interface.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Rule.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/ServiceGroup.h" #include 
"fwbuilder/TagService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" #include using namespace std; using namespace libfwbuilder; #define OBJTREEVIEW_WIDGET_NAME "ObjTreeView" ObjectEditor::ObjectEditor( QWidget *parent): QObject(parent), opened(0), current_dialog_idx(-1), current_dialog_name(""), editorStack(dynamic_cast(parent)), m_project(0), openedOpt(optNone) { /* * To add a dialog for the new object type: * * - In Designer: * - create new dialog, inherit from QWidget, e.g. class FooDialog * - add new page to objectEditorStack in FWBMainWindow_q * - drop QWidget into this page * - promote this widget to class FooDialog, include file FooDialog.h * - set name of this widget to "w_FooDialog" * - add grid layout to the stack page, set all margins to 0 * - Add call to registerObjectDialog() here using name "w_FooDialog" */ registerObjectDialog(editorStack, Firewall::TYPENAME, "w_FirewallDialog"); registerObjectDialog(editorStack, Interface::TYPENAME, "w_InterfaceDialog"); registerObjectDialog(editorStack, UserService::TYPENAME, "w_UserDialog"); registerObjectDialog(editorStack, Policy::TYPENAME, "w_PolicyDialog"); registerObjectDialog(editorStack, NAT::TYPENAME, "w_NATDialog"); registerObjectDialog(editorStack, Routing::TYPENAME, "w_RoutingDialog"); registerObjectDialog(editorStack, Library::TYPENAME, "w_LibraryDialog"); registerObjectDialog(editorStack, IPv4::TYPENAME, "w_IPv4Dialog"); registerObjectDialog(editorStack, IPv6::TYPENAME, "w_IPv6Dialog"); registerObjectDialog(editorStack, physAddress::TYPENAME, "w_PhysicalAddressDialog"); registerObjectDialog(editorStack, AddressRange::TYPENAME, "w_AddressRangeDialog"); registerObjectDialog(editorStack, Cluster::TYPENAME, "w_ClusterDialog"); registerObjectDialog(editorStack, FailoverClusterGroup::TYPENAME, "w_FailoverClusterGroupDialog"); registerObjectDialog(editorStack, StateSyncClusterGroup::TYPENAME, "w_StateSyncClusterGroupDialog"); 
registerObjectDialog(editorStack, Host::TYPENAME, "w_HostDialog"); registerObjectDialog(editorStack, AttachedNetworks::TYPENAME, "w_AttachedNetworksDialog"); registerObjectDialog(editorStack, Network::TYPENAME, "w_NetworkDialog"); registerObjectDialog(editorStack, NetworkIPv6::TYPENAME, "w_NetworkDialogIPv6"); registerObjectDialog(editorStack, CustomService::TYPENAME, "w_CustomServiceDialog"); registerObjectDialog(editorStack, IPService::TYPENAME, "w_IPServiceDialog"); registerObjectDialog(editorStack, ICMPService::TYPENAME, "w_ICMPServiceDialog"); registerObjectDialog(editorStack, ICMP6Service::TYPENAME, "w_ICMP6ServiceDialog"); registerObjectDialog(editorStack, TCPService::TYPENAME, "w_TCPServiceDialog"); registerObjectDialog(editorStack, UDPService::TYPENAME, "w_UDPServiceDialog"); registerObjectDialog(editorStack, TagService::TYPENAME, "w_TagServiceDialog"); registerObjectDialog(editorStack, ServiceGroup::TYPENAME, "w_ServiceGroupDialog"); registerObjectDialog(editorStack, ObjectGroup::TYPENAME, "w_ObjectGroupDialog"); registerObjectDialog(editorStack, DynamicGroup::TYPENAME, "w_DynamicGroupDialog"); registerObjectDialog(editorStack, IntervalGroup::TYPENAME, "w_IntervalGroupDialog"); registerObjectDialog(editorStack, Interval::TYPENAME, "w_TimeDialog"); registerObjectDialog(editorStack, RoutingRule::TYPENAME, "w_RoutingRuleOptionsDialog"); registerObjectDialog(editorStack, PolicyRule::TYPENAME, "w_RuleOptionsDialog"); registerObjectDialog(editorStack, NATRule::TYPENAME, "w_NATRuleOptionsDialog"); registerObjectDialog(editorStack, AddressTable::TYPENAME, "w_AddressTableDialog"); registerObjectDialog(editorStack, DNSName::TYPENAME, "w_DNSNameDialog"); registerOptDialog(editorStack, optAction, "w_ActionsDialog"); registerOptDialog(editorStack, optComment, "w_CommentEditorPanel"); registerOptDialog(editorStack, optMetric, "w_MetricEditorPanel"); //registerOptDialog(editorStack, optRuleCompile, "w_CompilerOutputPanel"); registerObjectDialog(editorStack, "BLANK", 
"w_BlankDialog"); // BaseObjectDialog *w = new BaseObjectDialog(parent); // stackIds["BLANK"] = editorStack->addWidget(w); // dialogs[stackIds["BLANK"]] = w; } void ObjectEditor::registerObjectDialog(QStackedWidget *stack, const QString &obj_type, const QString &dialog_name) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) BaseObjectDialog *w = qFindChild(stack, dialog_name); #else BaseObjectDialog *w = stack->findChild(dialog_name); #endif if (w==NULL) { qDebug() << "Dialog widget missing for the object type " << obj_type << " Expected the following name for the dialog object: " << dialog_name; } assert(w); int dlg_id = stack->indexOf(w->parentWidget()); stackIds[obj_type] = dlg_id; dialogs[dlg_id] = w; } void ObjectEditor::registerOptDialog(QStackedWidget *stack, ObjectEditor::OptType opt_type, const QString &dialog_name) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) BaseObjectDialog *w = qFindChild(stack, dialog_name); #else BaseObjectDialog *w = stack->findChild(dialog_name); #endif if (w==NULL) { qDebug() << "Dialog widget missing for the option " << opt_type << " Expected the following name for the dialog object: " << dialog_name; } assert(w); int dlg_id = stack->indexOf(w->parentWidget()); stackIds[getOptDialogName(opt_type)] = dlg_id; dialogs[dlg_id] = w; } void ObjectEditor::attachToProjectWindow(ProjectPanel *pp) { if (fwbdebug) qDebug() << "ObjectEditor::attachToProjectWindow pp=" << pp; m_project = pp; QMapIterator it(dialogs); while (it.hasNext()) { it.next(); it.value()->attachToProjectWindow(pp); } } QWidget* ObjectEditor::getCurrentObjectDialog() { if (current_dialog_idx >= 0) return dialogs[current_dialog_idx]; else return NULL; } QString ObjectEditor::getOptDialogName(OptType t) { return QString("OptionDialog_%1").arg(t); } void ObjectEditor::activateDialog(const QString &dialog_name, FWObject *obj, enum OptType opt) { disconnectSignals(); current_dialog_name = dialog_name; current_dialog_idx = stackIds[current_dialog_name]; 
editorStack->setCurrentIndex(current_dialog_idx); connect(this, SIGNAL(loadObject_sign(libfwbuilder::FWObject*)), dialogs[ current_dialog_idx ], SLOT(loadFWObject(libfwbuilder::FWObject*))); opened = obj; openedOpt = opt; load(); //show(); connect(this, SIGNAL(validate_sign(bool*)), dialogs[ current_dialog_idx ], SLOT(validate(bool*))); connect(this, SIGNAL(applyChanges_sign()), dialogs[ current_dialog_idx ], SLOT(applyChanges())); connect(dialogs[ current_dialog_idx ], SIGNAL(changed_sign()), this, SLOT(changed())); } void ObjectEditor::open(FWObject *obj) { if (stackIds.count(obj->getTypeName().c_str())!=0) { if (fwbdebug) qDebug() << "ObjectEditor::open obj=" << obj << QString((obj)?obj->getName().c_str():"") << QString((obj)?obj->getTypeName().c_str():""); activateDialog(obj->getTypeName().c_str(), obj, optNone); } else blank(); } void ObjectEditor::openOpt(FWObject *obj, OptType t) { if (stackIds.count(getOptDialogName(t))!=0) { if (fwbdebug) qDebug() << "ObjectEditor::openOpt obj=" << obj << QString((obj)?obj->getName().c_str():"") << QString((obj)?obj->getTypeName().c_str():"") << "t=" << t; if (Rule::cast(obj)==NULL) return; activateDialog(getOptDialogName(t), obj, t); } else blank(); } void ObjectEditor::disconnectSignals() { disconnect( SIGNAL(loadObject_sign(libfwbuilder::FWObject*)) ); disconnect( SIGNAL(validate_sign(bool*)) ); disconnect( SIGNAL(applyChanges_sign()) ); if (current_dialog_idx>=0) dialogs[current_dialog_idx]->disconnect( this ); } void ObjectEditor::purge() { if (fwbdebug) qDebug("ObjectEditor::purge"); activateDialog("BLANK", NULL, optNone); openedOpt = optNone; } void ObjectEditor::load() { emit loadObject_sign(opened); } void ObjectEditor::changed() { QWidget *s = dynamic_cast(sender()); if (fwbdebug) qDebug() << "ObjectEditor::changed() from " << s << "isVisible()=" << s->isVisible(); if (!validate()) { // change is not good, reload data into the editor to clear and reset it. 
load(); return; } emit applyChanges_sign(); if (!s->isVisible()) { /* * Pass focus to the ProjectPanel that is active at the moment * to avoid switch described in #2335. Do this only if editor * panel is invisible because we get changed() signal in other * cases too, such as when user uses Tab to switch between * input fields or clicks outside the editor. */ ProjectPanel *pp = mw->activeProject(); if (fwbdebug) qDebug() << "ObjectEditor::changed() pass focus to active ProjectPanel" << "pp=" << pp; if (pp) pp->setFocus(Qt::OtherFocusReason); } if (fwbdebug) qDebug() << "ObjectEditor::changed() done "; } bool ObjectEditor::validate() { if (fwbdebug) qDebug() << "ObjectEditor::validate()" << "isVisible()=" << getCurrentObjectDialog()->isVisible(); bool isgood = true; emit validate_sign( &isgood ); return isgood; } void ObjectEditor::blank() { if (fwbdebug) qDebug() << "ObjectEditor::blank()"; purge(); } fwbuilder-5.3.7/src/libgui/ObjectEditor.h000066400000000000000000000064571303637203600203200ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTEDITOR_H_ #define __OBJECTEDITOR_H_ #include "config.h" #include "global.h" #include "qdialog.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include #include class ObjectTreeViewItem; class QComboBox; class QMenu; class QStackedWidget; class ProjectPanel; class BaseObjectDialog; class ObjectEditor : public QObject { Q_OBJECT; QMap stackIds; QMap dialogs; libfwbuilder::FWObject *opened; int current_dialog_idx; QString current_dialog_name; QStackedWidget *editorStack; ProjectPanel *m_project; void disconnectSignals(); public: enum OptType{optAction, optComment, optMetric, optNone}; private: OptType openedOpt; void registerObjectDialog(QStackedWidget *stack, const QString &obj_type, const QString &dialog_name); void registerOptDialog(QStackedWidget *stack, ObjectEditor::OptType opt_type, const QString &dialog_name); void activateDialog(const QString &dialog_name, libfwbuilder::FWObject *obj, enum OptType opt); public: ObjectEditor(QWidget *parent); virtual ~ObjectEditor() {} void attachToProjectWindow(ProjectPanel *pp); QString getOptDialogName(OptType t); void open(libfwbuilder::FWObject *o); void openOpt(libfwbuilder::FWObject *, OptType t); libfwbuilder::FWObject* getOpened() { return opened; }; OptType getOpenedOpt() {return openedOpt;}; void load(); void purge(); bool validate(); int getCurrentDialogIndex() { return current_dialog_idx; }; QWidget* getCurrentObjectDialog(); public slots: void changed(); void blank(); signals: /** * the dialog class should have a slot that can load object's data * into dialog elements when ObjectEditor emits this signal */ void loadObject_sign(libfwbuilder::FWObject *); /** * the dialog class should have a slot that can verify data entered by * user in the dialog elements when ObjectEditor emits this * signal. 
The validation result is returned in variable "bool *res" */ void validate_sign(bool *res); /** * the dialog class should have a slot that applies changes made by * the user and saves data in the object. */ void applyChanges_sign(); }; #endif fwbuilder-5.3.7/src/libgui/ObjectEditorDockWidget.cpp000066400000000000000000000041721303637203600226100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "ObjectEditorDockWidget.h" #include "ObjectEditor.h" #include #include ObjectEditorDockWidget::ObjectEditorDockWidget(const QString &title, QWidget *parent, Qt::WindowFlags flags) : QDockWidget(title, parent, flags) { editor = NULL; connect(this, SIGNAL(topLevelChanged(bool)), this, SLOT(topLevelChanged(bool))); } ObjectEditorDockWidget::ObjectEditorDockWidget(QWidget *parent, Qt::WindowFlags flags) : QDockWidget(parent, flags) { editor = NULL; connect(this, SIGNAL(topLevelChanged(bool)), this, SLOT(topLevelChanged(bool))); } void ObjectEditorDockWidget::setupEditor(ObjectEditor *ed) { editor = ed; } void ObjectEditorDockWidget::closeEvent(QCloseEvent *event) { if (fwbdebug) qDebug() << "ObjectEditorDockWidget::closeEvent()"; if (!editor->validate()) { editor->load(); // bad changes in the editor, reset event->ignore(); return; 
} event->accept(); if (fwbdebug) qDebug() << "ObjectEditorDockWidget::closeEvent() done"; } void ObjectEditorDockWidget::topLevelChanged(bool topLevel) { if (topLevel) adjustSize(); } fwbuilder-5.3.7/src/libgui/ObjectEditorDockWidget.h000066400000000000000000000030151303637203600222500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTEDITORDOCKWIDGET_H_ #define __OBJECTEDITORDOCKWIDGET_H_ #include "config.h" #include #include class ObjectEditor; class ObjectEditorDockWidget : public QDockWidget { Q_OBJECT ; ObjectEditor *editor; public: ObjectEditorDockWidget(const QString &title, QWidget *parent = 0, Qt::WindowFlags flags = 0); ObjectEditorDockWidget(QWidget *parent = 0, Qt::WindowFlags flags = 0); void setupEditor(ObjectEditor *ed); virtual void closeEvent(QCloseEvent *event); public slots: void topLevelChanged(bool topLevel); }; #endif fwbuilder-5.3.7/src/libgui/ObjectIconView.cpp000066400000000000000000000142221303637203600211350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "FWBTree.h" #include "ProjectPanel.h" #include "ObjectIconView.h" #include "ObjectIconViewItem.h" #include "FWObjectDrag.h" #include "FWBSettings.h" #include "FWObjectPropertiesFactory.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Resources.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; /**************************************************************************** * * class ObjectIconView * ****************************************************************************/ ObjectIconView::ObjectIconView(QWidget* parent, const char*, Qt::WindowFlags) : QListWidget(parent) { db = NULL; //setWindowFlags(f); setDragEnabled(true); setViewMode(QListView::IconMode); setSpacing(10); setAcceptDrops(true); //startingDrag = false; } bool ObjectIconView::event(QEvent *event) { if (event->type() == QEvent::ToolTip) { QHelpEvent *he = (QHelpEvent*) event; QPoint pos = he->pos(); if (st->getObjTooltips()) { int cx = pos.x(), cy = pos.y(); //viewportToContents(pos.x(),pos.y(),cx,cy); FWObject *obj = NULL; QRect cr; QListWidgetItem *itm = itemAt( QPoint(cx,cy) ); QModelIndex ind = indexAt( QPoint(cx,cy) ); if (itm==NULL) return false; int obj_id = itm->data(Qt::UserRole).toInt(); obj = db->findInIndex(obj_id); if (obj==NULL) return false; cr = rectForIndex(ind); cr = 
QRect( cr.left() - horizontalOffset(), cr.top() - verticalOffset(), cr.width(), cr.height()); QRect global = QRect( viewport()->mapToGlobal(cr.topLeft()), viewport()->mapToGlobal(cr.bottomRight())); QToolTip::showText(mapToGlobal( he->pos() ), FWObjectPropertiesFactory::getObjectPropertiesDetailed( obj, true, true), this, global); } return true; } return QListWidget::event(event); } QDrag* ObjectIconView::dragObject() { QListWidgetItem *ivi = currentItem(); // currentItem returns NULL if the list is empty if (ivi==NULL) return NULL; int obj_id = ivi->data(Qt::UserRole).toInt(); FWObject *obj = db->findInIndex(obj_id); QString icn = Resources::global_res->getObjResourceStr(obj, "icon-ref").c_str(); list dragobj; dragobj.push_back(obj); FWObjectDrag *drag = new FWObjectDrag(dragobj, this); //QPixmap pm = QPixmap::fromMimeSource( icn_filename ); QPixmap pm; if ( ! QPixmapCache::find( icn, pm) ) { pm.load( icn ); QPixmapCache::insert( icn, pm); } drag->setPixmap( pm ); drag->setHotSpot(QPoint( pm.rect().width() / 2, pm.rect().height() / 2 )); return drag; } void ObjectIconView::dragEnterEvent( QDragEnterEvent *ev) { if (fwbdebug) qDebug("ObjectIconView::dragEnterEvent"); // ev->setAccepted( ev->mimeData()->hasFormat(FWObjectDrag::FWB_MIME_TYPE) ); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QWidget *fromWidget = ev->source(); #else QWidget *fromWidget = qobject_cast(ev->source()); #endif // The source of DnD object must be the same instance of fwbuilder if (!fromWidget) { ev->setAccepted(false); return; } if (!ev->mimeData()->hasFormat(FWObjectDrag::FWB_MIME_TYPE)) { ev->setAccepted(false); return; } list dragol; if (!FWObjectDrag::decode(ev, dragol)) ev->setAccepted(false); for (list::iterator i=dragol.begin();i!=dragol.end(); ++i) { FWObject *dragobj = *i; assert(dragobj!=NULL); if (FWBTree().isSystem(dragobj)) { // can not drop system folder anywhere ev->setAccepted(false); return; } // see #1976 do not allow pasting object that has been deleted if 
(dragobj->getLibrary()->getId() == FWObjectDatabase::DELETED_OBJECTS_ID) { ev->setAccepted(false); return; } } ev->setAccepted(true); } void ObjectIconView::dragMoveEvent( QDragMoveEvent *ev) { if (fwbdebug) qDebug("ObjectIconView::dragMoveEvent"); ev->setAccepted( ev->mimeData()->hasFormat(FWObjectDrag::FWB_MIME_TYPE) ); } void ObjectIconView::dropEvent(QDropEvent *ev) { if (fwbdebug) qDebug("ObjectIconView::dropEvent"); // QListWidget::dropEvent(ev); emit dropped(ev); } void ObjectIconView::keyPressEvent( QKeyEvent* ev ) { if (ev->key()==Qt::Key_Delete) { emit delObject_sign(); } QListWidget::keyPressEvent(ev); } void ObjectIconView::mousePressEvent ( QMouseEvent * event ) { if (fwbdebug) qDebug("ObjectIconView::mousePressEvent"); startingDrag = true; QListWidget::mousePressEvent(event); } void ObjectIconView::mouseMoveEvent ( QMouseEvent * event ) { if (startingDrag) { startingDrag = false; QDrag *dr = dragObject(); if (dr) dr->start(); } QListWidget::mouseMoveEvent(event); } fwbuilder-5.3.7/src/libgui/ObjectIconView.h000066400000000000000000000034321303637203600206030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTICONVIEW_H_ #define __OBJECTICONVIEW_H_ #include #include namespace libfwbuilder { class FWObject; class FWObjectDatabase; }; class ObjectIconView : public QListWidget { Q_OBJECT ; libfwbuilder::FWObjectDatabase *db; bool startingDrag; protected: virtual QDrag* dragObject(); virtual void dragEnterEvent( QDragEnterEvent *ev); virtual void dropEvent(QDropEvent *ev); virtual void dragMoveEvent( QDragMoveEvent *ev); virtual void keyPressEvent( QKeyEvent* ev ); void mousePressEvent ( QMouseEvent * event ); void mouseMoveEvent ( QMouseEvent * event ); bool event ( QEvent * event ); public: ObjectIconView(QWidget* parent, const char * name = 0, Qt::WindowFlags f = 0); void setDB(libfwbuilder::FWObjectDatabase *_db) { db = _db; } signals: void delObject_sign(); void dropped(QDropEvent *ev); }; #endif fwbuilder-5.3.7/src/libgui/ObjectIconViewItem.h000066400000000000000000000037341303637203600214270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTICONVIEWITEM_H #define __OBJECTICONVIEWITEM_H #include #include #include #include namespace libfwbuilder { class FWObject; } class ObjectIconViewItem : public QListWidgetItem { libfwbuilder::FWObjectDatabase *db; QMap props; int ID; public: ObjectIconViewItem(QListWidget *parent) : QListWidgetItem(parent) { db = NULL; ID=-1; } ObjectIconViewItem(QListWidget *parent, const QString &text, const QPixmap &icon ) : QListWidgetItem(parent) { db = NULL; setText(text); setIcon(QIcon(icon)); ID=-1; } libfwbuilder::FWObject *getFWObject() { if (ID > -1) return db->getById(ID, true); else return NULL; } int getFWObjectID() {return ID; } void setFWObject(libfwbuilder::FWObject *obj) { db = obj->getRoot(); ID = obj->getId(); } QString getProperty(const QString &name) { return props[name]; } void setProperty(const QString &name,const QString &val) { props[name]=val; } }; #endif fwbuilder-5.3.7/src/libgui/ObjectListView.cpp000066400000000000000000000154031303637203600211620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "FWBTree.h" #include "ProjectPanel.h" #include "ObjectListView.h" #include "ObjectListViewItem.h" #include "FWObjectDrag.h" #include "FWBSettings.h" #include "FWObjectPropertiesFactory.h" #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; /**************************************************************************** * * class ObjectListView * ****************************************************************************/ ObjectListView::ObjectListView(QWidget* parent, const char*, Qt::WindowFlags f) : QTreeWidget(parent) { db = NULL; setWindowFlags(f); /*setColumnWidthMode(0, QTreeWidget::Maximum); setColumnWidthMode(1, QTreeWidget::Maximum); setItemMargin( 2 );*/ setFocusPolicy( Qt::StrongFocus ); setFocus(); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) header()->setClickable(true); header()->setMovable(false); #else header()->setSectionsClickable(true); header()->setSectionsMovable(false); #endif setSortingEnabled(true); sortByColumn ( 0, Qt::AscendingOrder ); connect(header(), SIGNAL(sectionClicked (int)), this, SLOT(sectionClicked (int))); } bool ObjectListView::event(QEvent *event) { if (event->type() == QEvent::ToolTip) { QHelpEvent *he = (QHelpEvent*) event; QPoint pos = he->pos(); if (st->getObjTooltips()) { int cx = pos.x(), cy = pos.y(); //viewportToContents(pos.x(),pos.y(),cx,cy); FWObject *obj=NULL; QRect cr; QTreeWidgetItem *itm = itemAt(QPoint(cx,cy - header()->height())); if (itm==NULL) return false; int obj_id = itm->data(0, Qt::UserRole).toInt(); obj = db->findInIndex(obj_id); if (obj==NULL) return false; cr = visualItemRect(itm); QRect global = QRect( viewport()->mapToGlobal(cr.topLeft()), 
viewport()->mapToGlobal(cr.bottomRight())); //finally stretch rect up to component's width and even more //(it fixes bug with horizontal scroll) global.setWidth(width() + horizontalOffset()); QToolTip::showText(mapToGlobal( he->pos() ), FWObjectPropertiesFactory::getObjectPropertiesDetailed(obj, true, true), this, global); } return true; } return QTreeWidget::event(event); } QDrag* ObjectListView::dragObject() { QTreeWidgetItem *ovi = currentItem(); // currentItem returns NULL if the list is empty if (ovi==NULL) return NULL; int obj_id = ovi->data(0, Qt::UserRole).toInt(); FWObject *obj = db->findInIndex(obj_id); QString icn = (":/Icons/"+obj->getTypeName()+"/icon-ref").c_str(); //Resources::global_res->getObjResourceStr(obj, "icon-ref").c_str(); list dragobj; dragobj.push_back(obj); FWObjectDrag *drag = new FWObjectDrag(dragobj, this); //QPixmap pm = QPixmap::fromMimeSource( icn_filename ); QPixmap pm; if ( ! QPixmapCache::find( icn, pm) ) { pm.load( icn ); QPixmapCache::insert( icn, pm); } drag->setPixmap( pm ); drag->setHotSpot( QPoint( pm.rect().width() / 2, pm.rect().height() / 2 ) ); return drag; } void ObjectListView::dragMoveEvent( QDragMoveEvent *ev) { if (fwbdebug) qDebug("ObjectListView::dragMoveEvent"); ev->setAccepted( ev->mimeData()->hasFormat(FWObjectDrag::FWB_MIME_TYPE) ); } void ObjectListView::dragEnterEvent( QDragEnterEvent *ev) { if (fwbdebug) qDebug("ObjectListView::dragEnterEvent"); //ev->setAccepted( ev->mimeData()->hasFormat(FWObjectDrag::FWB_MIME_TYPE) ); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QWidget *fromWidget = ev->source(); #else QWidget *fromWidget = qobject_cast(ev->source()); #endif // The source of DnD object must be the same instance of fwbuilder if (!fromWidget) { ev->setAccepted(false); return; } if (!ev->mimeData()->hasFormat(FWObjectDrag::FWB_MIME_TYPE)) { ev->setAccepted(false); return; } list dragol; if (!FWObjectDrag::decode(ev, dragol)) ev->setAccepted(false); for (list::iterator i=dragol.begin();i!=dragol.end(); ++i) 
{ FWObject *dragobj = *i; assert(dragobj!=NULL); if (FWBTree().isSystem(dragobj)) { // can not drop system folder anywhere ev->setAccepted(false); return; } // see #1976 do not allow pasting object that has been deleted if (dragobj->getLibrary()->getId() == FWObjectDatabase::DELETED_OBJECTS_ID) { ev->setAccepted(false); return; } } ev->setAccepted(true); } void ObjectListView::dropEvent(QDropEvent *ev) { if (fwbdebug) qDebug("ObjectListView::dropEvent"); emit dropped(ev); } void ObjectListView::keyPressEvent(QKeyEvent *ev) { if (ev->key()==Qt::Key_Delete) { emit delObject_sign(); } QTreeWidget::keyPressEvent(ev); } void ObjectListView::mousePressEvent(QMouseEvent *event) { startingDrag = true; QTreeWidget::mousePressEvent(event); } void ObjectListView::mouseMoveEvent(QMouseEvent *event) { if (startingDrag) { QDrag *dr = dragObject(); if (dr) dr->start(); startingDrag = false; } QTreeWidget::mouseMoveEvent(event); } void ObjectListView::sectionClicked ( int logicalIndex ) { sortByColumn ( logicalIndex, Qt::AscendingOrder ); } fwbuilder-5.3.7/src/libgui/ObjectListView.h000066400000000000000000000035111303637203600206240ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTLISTVIEW_H_ #define __OBJECTLISTVIEW_H_ #include #include namespace libfwbuilder { class FWObject; class FWObjectDatabase; }; class ObjectListView : public QTreeWidget { Q_OBJECT ; libfwbuilder::FWObjectDatabase *db; bool startingDrag; protected: virtual QDrag* dragObject(); virtual void dragEnterEvent( QDragEnterEvent *ev); virtual void dragMoveEvent( QDragMoveEvent *ev); virtual void dropEvent(QDropEvent *ev); virtual void keyPressEvent( QKeyEvent* ev ); void mousePressEvent ( QMouseEvent * event ); void mouseMoveEvent ( QMouseEvent * event ); bool event ( QEvent * event ); public: ObjectListView(QWidget* parent, const char * name = 0, Qt::WindowFlags f = 0); void setDB(libfwbuilder::FWObjectDatabase *_db) { db = _db; } public slots: void sectionClicked ( int logicalIndex ) ; signals: void delObject_sign(); void dropped(QDropEvent *ev); }; #endif fwbuilder-5.3.7/src/libgui/ObjectListViewItem.cpp000066400000000000000000000053511303637203600220020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ObjectListViewItem.h" #include "fwbuilder/TCPUDPService.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include using namespace libfwbuilder; bool ObjectListViewItem::operator< ( const QTreeWidgetItem & other ) const { QTreeWidget * widget = treeWidget() ; if (widget==NULL) return false; int col = widget->sortColumn (); if (col==1) { FWObject *right = ((ObjectListViewItem*)(&other))->getFWObject(); FWObject *left = this->getFWObject(); TCPUDPService * rtcpudp = TCPUDPService::cast(right); TCPUDPService * ltcpudp = TCPUDPService::cast(left); IPService * rip = IPService::cast(right); IPService * lip = IPService::cast(left); ICMPService * ricmp = ICMPService::cast(right); ICMPService * licmp = ICMPService::cast(left); if (rtcpudp != NULL && ltcpudp != NULL) { int ls = ltcpudp->getDstRangeStart(); int rs = rtcpudp->getDstRangeStart(); if (lsgetDstRangeEnd(); int re = rtcpudp->getDstRangeEnd(); if (legetProtocolNumber(); int rpn = rip->getProtocolNumber(); return (lpn < rpn); } if (ricmp != NULL && licmp != NULL) { int lpn = licmp->getInt("code"); int rpn = ricmp->getInt("code"); return (lpn < rpn); } } return QTreeWidgetItem::operator < (other); } fwbuilder-5.3.7/src/libgui/ObjectListViewItem.h000066400000000000000000000042321303637203600214440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OBJECTLISTVIEWITEM_H #define OBJECTLISTVIEWITEM_H #include "global.h" #include #include "FWWindow.h" #include "fwbuilder/FWObjectDatabase.h" #include #include namespace libfwbuilder { class FWObject; } class ObjectTreeView; class ObjectListViewItem : public QTreeWidgetItem { libfwbuilder::FWObjectDatabase *db; QMap props; QString lib; int ID; public: ObjectListViewItem(QTreeWidget *parent) : QTreeWidgetItem(parent) { db = NULL; ID = -1; } ObjectListViewItem(QTreeWidgetItem *parent) : QTreeWidgetItem(parent) { db = NULL; ID = -1; } libfwbuilder::FWObject *getFWObject() const { if (ID > -1) return db->getById(ID, true); else return NULL; } int getFWObjectID() {return ID; } void setFWObject(libfwbuilder::FWObject *obj) { db = obj->getRoot(); ID = obj->getId(); } ObjectTreeView* getTree(); QString getLib() { return lib; } void setLib(const QString &l) { lib=l; } QString getProperty(const QString &name) { return props[name]; } void setProperty(const QString &name,const QString &val) { props[name]=val; } virtual bool operator< ( const QTreeWidgetItem & other ) const; }; #endif fwbuilder-5.3.7/src/libgui/ObjectManipulator.cpp000066400000000000000000001651661303637203600217230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils_no_qt.h" #include "platforms.h" #include "events.h" #include "listOfLibrariesModel.h" #include "ProjectPanel.h" #include "ObjectManipulator.h" #include "ObjectEditor.h" #include "ObjectTreeViewItem.h" #include "ObjectTreeView.h" #include "FWObjectClipboard.h" #include "FWObjectPropertiesFactory.h" #include "FWBSettings.h" #include "findDialog.h" #include "newGroupDialog.h" #include "FindObjectWidget.h" #include "AskLibForCopyDialog.h" #include "FindWhereUsedWidget.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "FWBTree.h" #include "FWWindow.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/DynamicGroup.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Host.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/TCPService.h" #include 
"fwbuilder/UDPService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Routing.h" #include "fwbuilder/TagService.h" #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; HistoryItem::~HistoryItem() {} ObjectManipulator::~ObjectManipulator() { delete m_objectManipulator; delete libs_model; } ObjectManipulator::ObjectManipulator(QWidget *parent): QWidget(parent), current_tree_view(0) { m_objectManipulator = new Ui::ObjectManipulator_q; m_objectManipulator->setupUi(this); setObjectName(tr("Object Manipulator")); libs_model = new ListOfLibrariesModel(); m_objectManipulator->libs->setModel(libs_model); m_project = NULL; treeWidth = -1; treeHeight = -1; active = false; current_tree_view=NULL; previous_lib_index = -1; // used in duplicateWithDependencies() dedup_marker_global_counter = time(NULL); popup_menu = NULL; // buildNewObjectMenu(); } void ObjectManipulator::setupProject(ProjectPanel *project) { m_project = project; } vector ObjectManipulator::getTreeWidgets() { vector res; for (int i=0; irowCount(); ++i) { QTreeWidget *objTreeView = libs_model->getTreeWidget(i); if (objTreeView == NULL) continue; res.push_back(objTreeView); } return res; } void ObjectManipulator::showDeletedObjects(bool f) { try { FWObject *dobj = m_project->db()->findInIndex( FWObjectDatabase::DELETED_OBJECTS_ID); if (fwbdebug) qDebug("ObjectManipulator::showDeletedObjects f=%d dobj=%p", f, dobj); if (dobj==NULL) { dobj = m_project->db()->create(Library::TYPENAME); dobj->setId(FWObjectDatabase::DELETED_OBJECTS_ID); dobj->setName("Deleted Objects"); dobj->setReadOnly(false); m_project->db()->add(dobj); } QModelIndex idx = libs_model->getIdxForLib(dobj); if (fwbdebug) qDebug("ObjectManipulator::showDeletedObjects idx.row()=%d", idx.row()); if (f) { if (idx.isValid()) return; addLib( dobj ); openLib( dobj ); } else { if (!idx.isValid()) return; QTreeWidget 
*otv = libs_model->getTreeWidget(idx); if (fwbdebug) qDebug("ObjectManipulator::showDeletedObjects otv=%p", otv); assert(otv!=NULL); m_objectManipulator->widgetStack->removeWidget( otv ); removeLib(idx.row()); } } catch(FWException &ex) { /* we get exception if file is opened read-only and there is no "deleted * objects" library yet */ } } QString ObjectManipulator::getStandardName(FWObject *parent, const string&, const string &namesuffix) { QStringList names; FWObject *po = parent; while (po!=NULL) { names.push_front(QString::fromUtf8(po->getName().c_str())); if (Host::cast(po)) break; po = po->getParent(); } // names.push_back(QString::fromUtf8(parent->getName().c_str())); names.push_back(namesuffix.c_str()); return names.join(":"); } void ObjectManipulator::currentTreePageChanged(int i) { QWidget *w = m_objectManipulator->widgetStack->widget(i); switchingTrees(w); } void ObjectManipulator::switchingTrees(QWidget* w) { ObjectTreeView *new_otv = dynamic_cast(w); if (!new_otv) return;//assert(new_otv) if (current_tree_view!=NULL) current_tree_view->becomingHidden(); new_otv->becomingVisible(); current_tree_view = new_otv; } /* * Make the name of the object @obj unique across all children of the * given @target object. If this object is an interface, use pattern * and increment the number until the name becomes * unique. For all other types use pattern - * * This method has ugly side-effect: if @obj is an Interface, this * method needs to check its type. To do that, it calls * Interface::getOptionsObject() which creates options object if it * does not exits. To do initial options configuration, it needs * access to the parent. We call Interface::getOptionsObject() in copt * and startDrag methods to make sure interfaces have options objects * before copy or drag operation starts to avoid this problem here. 
* * In case of copy/paste or d&d of an interface, the naming * conventions are dictated by the platform of the new parent firewall * rather than the old one, which in this case is either or * its parent. So we'll use @target to get proper interfaceProperties * object which will do checks for us. */ void ObjectManipulator::makeNameUnique(FWObject *target, FWObject *obj) { Interface *intf = Interface::cast(obj); if (intf) { // check if this is vlan subinterface. We should not change // names of those if (intf->getOptionsObject()->getStr("type") == "8021q") return; // one of the typical usage patterns is to create vlan // interface "eth0.101" and then immediately try to copy/paste // it to under br0 to make it bridge port. In this case // interface eth0.101 won't have type "8021q" just yet because // the user did not open interface "advanced" settings dialog // to set its type and VLAN ID. Users assume that if its name // is "eth0.101", then it must be vlan interface. We should // follow this assumption too. Also, check for names "vlanNNN" // as well. 
// QString obj_name = QString::fromUtf8(obj->getName().c_str()); FWObject *fw = target; while (fw && !Firewall::cast(fw)) fw = fw->getParent(); std::auto_ptr int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject(fw)); if (int_prop->looksLikeVlanInterface(obj_name)) return; } QString newname = makeNameUnique(target, QString::fromUtf8(obj->getName().c_str()), obj->getTypeName().c_str()); obj->setName(string(newname.toUtf8())); } QString ObjectManipulator::makeNameUnique(FWObject* parent, const QString &obj_name, const QString &obj_type) { int suffix = 1; QString basename = obj_name; QString newname = basename; if (fwbdebug) qDebug("ObjectManipulator::makeNameUnique parent=%s obj_name=%s", parent->getName().c_str(), obj_name.toStdString().c_str()); if (obj_type == Interface::TYPENAME) { QRegExp rx("([a-zA-Z-]+)(\\d{1,})"); if (rx.indexIn(obj_name) != -1) { basename = rx.cap(1); suffix = rx.cap(2).toInt(); } } /* * Check if there is another object with the same name. Note that * FWObject::findObjectByName() searches in depth, but we only need to * scan child objects of the first level. 
*/ while (true) { if (fwbdebug) qDebug("ObjectManipulator::makeNameUnique newname=%s basename=%s suffix=%d", newname.toStdString().c_str(), basename.toStdString().c_str(), suffix); FWObject::const_iterator i = find_if( parent->begin(), parent->end(), FWObjectNameEQPredicate(newname.toStdString())); if (i==parent->end()) break; if (obj_type == Interface::TYPENAME) newname = QString("%1%2").arg(basename).arg(suffix); else newname = QString("%1-%2").arg(basename).arg(suffix); suffix++; } return newname; } static void addKeywordsMenu(ObjectManipulator *om, QMenu *menu) { QMenu *keywordsMenu = menu->addMenu(om->tr("Keywords")); QMenu *addKeywords = keywordsMenu->addMenu(om->tr("Add")); addKeywords->addAction(om->tr("New Keyword..."), om, SLOT(addNewKeywordSlot())); addKeywords->addSeparator(); QStringList addList; const set &allKeywords = om->getSelectedObject()->getAllKeywords(); set::const_iterator iterz; for (iterz = allKeywords.begin(); iterz != allKeywords.end(); ++iterz) { addList.append(QString::fromUtf8((*iterz).c_str())); } addList = sortStrings(addList); QStringList data; data << "add" << ""; foreach (QString add, addList) { QAction *act = addKeywords->addAction(add, om, SLOT(processKeywordSlot())); data[1] = add; act->setData(data); } bool allLocked = true; QMenu *removeKeywords = keywordsMenu->addMenu(om->tr("Remove")); QSet toRemove; foreach (FWObject *obj, om->getCurrentObjectTree()->getSelectedObjects()) { if (obj->isReadOnly()) continue; allLocked = false; const set &keywords = obj->getKeywords(); set::const_iterator iter; for (iter = keywords.begin(); iter != keywords.end(); ++iter) { toRemove.insert(QString::fromUtf8((*iter).c_str())); } } if (toRemove.isEmpty()) { removeKeywords->setDisabled(true); } else { data[0] = "remove"; foreach (QString str, sortStrings(toRemove.toList())) { QAction *act = removeKeywords->addAction(str, om, SLOT(processKeywordSlot())); data[1] = str; act->setData(data); } } if (allLocked) { keywordsMenu->setDisabled(true); } } 
void ObjectManipulator::addSubfolderActions(QList &AddObjectActions, FWObject *currentObj, ObjectTreeViewItem *item, bool &addSubfolder) { addSubfolder = item != 0; string path; if (currentObj == NULL) { path = item->getUserFolderParent()->getPath(true); } else { path = currentObj->getPath(true); } //Do not allow to create subfolders on real objects if(item==0 && (currentObj!=NULL &&!Firewall::isA(currentObj) &&!Cluster::isA(currentObj) &&!IPv4::isA(currentObj) &&!IPv6::isA(currentObj) &&!DNSName::isA(currentObj) &&!AddressTable::isA(currentObj) &&!AddressRange::isA(currentObj) &&!Host::isA(currentObj) &&!Network::isA(currentObj) &&!NetworkIPv6::isA(currentObj) &&!DynamicGroup::isA(currentObj) &&!CustomService::isA(currentObj) &&!IPService::isA(currentObj) &&!ICMPService::isA(currentObj) &&!ICMP6Service::isA(currentObj) &&!TCPService::isA(currentObj) &&!UDPService::isA(currentObj) &&!TagService::isA(currentObj) &&!ServiceGroup::isA(currentObj) &&!UserService::isA(currentObj) &&!Interval::isA(currentObj) )) { addSubfolder = true; } if (path.find("Firewalls") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, Firewall::TYPENAME)); } if (path.find("Clusters") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, Cluster::TYPENAME)); } if (path.find("Objects/Addresses") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, IPv4::TYPENAME)); AddObjectActions.append( addNewObjectMenuItem(popup_menu, IPv6::TYPENAME)); } if (path.find("Objects/DNS Names") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, DNSName::TYPENAME)); } if (path.find("Objects/Address Tables") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, AddressTable::TYPENAME)); } if (path.find("Objects/Address Ranges") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, AddressRange::TYPENAME)); } if (path.find("Objects/Hosts") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, Host::TYPENAME)); } if 
(path.find("Objects/Networks") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, Network::TYPENAME)); AddObjectActions.append( addNewObjectMenuItem(popup_menu, NetworkIPv6::TYPENAME)); } if (path.find("Objects/Groups") == 0) { //We don't want to add subfolders to groups of objects. //Unfortunately the main folders are objectgroups themselves. //This is a temporary workaround if(path!="Objects/Groups") { addSubfolder = false; } AddObjectActions.append( addNewObjectMenuItem(popup_menu, ObjectGroup::TYPENAME)); AddObjectActions.append( addNewObjectMenuItem(popup_menu, DynamicGroup::TYPENAME)); } if (path.find("Services/Custom") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, CustomService::TYPENAME)); } if (path.find("Services/IP") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, IPService::TYPENAME)); } if (path.find("Services/ICMP") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, ICMPService::TYPENAME)); AddObjectActions.append( addNewObjectMenuItem(popup_menu, ICMP6Service::TYPENAME)); } if (path.find("Services/TCP") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, TCPService::TYPENAME)); } if (path.find("Services/UDP") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, UDPService::TYPENAME)); } if (path.find("Services/TagServices") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, TagService::TYPENAME)); } if (path.find("Services/Groups") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, ServiceGroup::TYPENAME)); } if (path.find("Services/Users") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, UserService::TYPENAME)); } if (path.find("Time") == 0) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, Interval::TYPENAME)); } } void ObjectManipulator::contextMenuRequested(const QPoint &pos) { QList::iterator iter; QList AddObjectActions; bool addSubfolder = false; if (popup_menu == NULL) { popup_menu = new 
QMenu(this); popup_menu->setObjectName("objectTreeContextMenu"); } else popup_menu->clear(); /* in extended selection mode there may be several selected items */ ObjectTreeView *objTreeView = getCurrentObjectTree(); if (objTreeView == NULL) return; QTreeWidgetItem *item = objTreeView->itemAt(pos);//clicked item if (fwbdebug) qDebug("ObjectManipulator::contextMenu selectedObjects.size=%d", getCurrentObjectTree()->getNumSelected()); ObjectTreeViewItem *otvi=dynamic_cast(item); if (otvi==NULL) return; // happens when user clicks outside an item lastClickedItem = otvi; FWObject *obj = otvi->getFWObject(); if (obj == 0) { assert(otvi->getUserFolderParent() != 0); QAction *action = popup_menu->addAction(tr("Delete"), this, SLOT(removeUserFolder())); /* The user-defined folder doesn't get counted as a selected obj */ if (objTreeView->getNumSelected() > 0) { action->setEnabled(false); } addSubfolderActions(AddObjectActions, NULL, otvi, addSubfolder); for (iter=AddObjectActions.begin(); iter!=AddObjectActions.end(); iter++) (*iter)->setEnabled(true); popup_menu->exec(QCursor::pos()); return; } if (!getCurrentObjectTree()->isSelected(otvi->getFWObject())) openObjectInTree( otvi, true ); //if (currentObj==NULL) currentObj=otvi->getFWObject(); FWObject *currentObj = getSelectedObject(); if (item->childCount() > 0) { if (item->isExpanded()) popup_menu->addAction(tr("Collapse"), this, SLOT(collapseCurrentTreeNode())); else popup_menu->addAction(tr("Expand"), this, SLOT(expandCurrentTreeNode())); popup_menu->addSeparator(); } QAction *edtID; if (currentObj->isReadOnly()) edtID = popup_menu->addAction(tr("Inspect"), this, SLOT( editSelectedObject())); else edtID = popup_menu->addAction(tr("Edit"), this, SLOT( editSelectedObject())); if (RuleSet::cast(currentObj)) popup_menu->addAction(tr("Open"), this, SLOT( openSelectedRuleSet())); QMenu *duptargets = NULL; QAction *dupID = NULL; QMenu *movetargets = NULL; int moveTargetsCounter = 0; if (!Interface::isA(currentObj) && 
!physAddress::isA(currentObj) && RuleSet::cast(currentObj)==NULL && !Library::isA(currentObj) && !FWBTree().isStandardFolder(currentObj)) { duptargets = popup_menu->addMenu( tr("Duplicate ...") ); movetargets = popup_menu->addMenu( tr("Move ...") ); connect ( duptargets, SIGNAL ( triggered(QAction*) ), this, SLOT( duplicateObj(QAction*) ) ); connect ( movetargets, SIGNAL ( triggered(QAction*) ), this, SLOT( moveObj(QAction*) ) ); /* we add " ... to library ..." submenu to the "Move " menu item only * if user did not select a library, or if they selected several * objects. Method moveObj knows that library should not be moved * into another library. */ bool libSelected = (getCurrentObjectTree()->getNumSelected()==1 && Library::isA(getCurrentObjectTree()->getSelectedObjects().front())); FWObject *cl = getCurrentLib(); vector::iterator i; int N = libs_model->rowCount(); for (int row=0 ; rowindex(row, 0); FWObject *lib = libs_model->getLibrary(idx); if (lib == NULL) continue; if ( lib->getId()==FWObjectDatabase::STANDARD_LIB_ID || lib->getId()==FWObjectDatabase::DELETED_OBJECTS_ID || lib->isReadOnly()) continue; dupID = duptargets->addAction( tr("place in library %1").arg( QString::fromUtf8(lib->getName().c_str()))); dupID->setData(row); // can't move to the same library if (lib == cl) continue; // skip current library if (!libSelected) { moveTargetsCounter++; QAction* mact = movetargets->addAction( tr("to library %1").arg( QString::fromUtf8(lib->getName().c_str()))); mact->setData(row); } } } if (Library::isA(currentObj) && currentObj->getParent()->getId()==FWObjectDatabase::DELETED_OBJECTS_ID) { popup_menu->addAction( tr("Undelete"), this, SLOT(undeleteLibrary())); } popup_menu->addSeparator(); QAction *copyID = popup_menu->addAction(tr("Copy"), this, SLOT(copyObj())); QAction *cutID = popup_menu->addAction(tr("Cut"), this, SLOT(cutObj())); QAction *pasteID = popup_menu->addAction(tr("Paste"), this, SLOT(pasteObj())); popup_menu->addSeparator(); QAction * delID = 
popup_menu->addAction( tr("Delete"), this, SLOT( delObj() ) ); popup_menu->addSeparator(); if (getCurrentObjectTree()->getNumSelected()==1) { if ( (Firewall::isA(currentObj) || Host::isA(currentObj)) && ! currentObj->isReadOnly() ) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, Interface::TYPENAME)); } if ((Firewall::isA(currentObj) || Cluster::isA(currentObj)) && ! currentObj->isReadOnly()) { AddObjectActions.append( addNewObjectMenuItem(popup_menu, Policy::TYPENAME)); AddObjectActions.append( addNewObjectMenuItem(popup_menu, NAT::TYPENAME)); } if (Interface::isA(currentObj) && ! currentObj->isReadOnly()) { Interface *iface = Interface::cast(currentObj); FWObject *h = Host::getParentHost(iface); //FWObject *h = iface->getParentHost(); bool supports_advanced_ifaces = false; try { /* * ignore raised exception; this just means that the host_OS * option is undefined for this target (e.g. for a host). */ supports_advanced_ifaces = Resources::getTargetCapabilityBool (h->getStr("host_OS"), "supports_subinterfaces"); } catch (FWException &ex) { } /* * check if this interface can have subinterfaces. Show "Add Interface" * menu item only if host_os has attribute "supports_subinterfaces" * and if parent interface (currentObj) has the type that can have * subinterfaces. Also, cluster interfaces can't have subinterfaces * and only one level of subinterfaces is allowed. 
*/ if (supports_advanced_ifaces && Firewall::isA(currentObj->getParent())) { list subint_types; getSubInterfaceTypes(iface, subint_types); if (subint_types.size()) addNewObjectMenuItem(popup_menu, Interface::TYPENAME); // popup_menu->addAction( // tr("Add Interface"), this, SLOT( newInterface() ) ); } AddObjectActions.append( addNewObjectMenuItem(popup_menu, IPv4::TYPENAME)); AddObjectActions.append( addNewObjectMenuItem(popup_menu, IPv6::TYPENAME)); AddObjectActions.append( addNewObjectMenuItem(popup_menu, physAddress::TYPENAME)); /* * Add menu item to let user add AttachedNetworks object * to an interface, but only if this object does not exist yet. * * Actions added to AddObjectActions are * enabled and disabled all together based on the decision * made in getMenuState() (argument newMenuItem). But we * should always allow the user to add AttachedNetworks * object to an interface. */ FWObject *att = currentObj->getFirstByType(AttachedNetworks::TYPENAME); if (att == NULL) addNewObjectMenuItem(popup_menu, AttachedNetworks::TYPENAME); // Check if we should add menu item that creates failover // group. if parent is a cluster, allow one vrrp type // FailoverClusterGroup per Interface only FWObject *parent = NULL; parent = currentObj->getParent(); if (parent != NULL && Cluster::isA(parent)) { QAction *failover_menu_id = addNewObjectMenuItem( popup_menu, FailoverClusterGroup::TYPENAME); // QAction *failover_menu_id = popup_menu->addAction( // tr("Add Failover Group"), this, // SLOT( newFailoverClusterGroup() ) ); failover_menu_id->setEnabled( currentObj->getFirstByType( FailoverClusterGroup::TYPENAME) == NULL); } } if (Cluster::isA(currentObj) && ! currentObj->isReadOnly()) { AddObjectActions.append( addNewObjectMenuItem( popup_menu, Interface::TYPENAME, "Add cluster interface")); // allow multiple state syncing groups per cluster // Rationale: these groups may represent different state syncing // protocols that can synchronize different things. 
AddObjectActions.append( addNewObjectMenuItem( popup_menu, StateSyncClusterGroup::TYPENAME)); } addSubfolderActions(AddObjectActions, currentObj, NULL, addSubfolder); if (addSubfolder) { QAction *action = popup_menu->addAction(QIcon(":/Icons/SystemGroup/icon-tree"), tr("New Subfolder"), this, SLOT(addSubfolderSlot())); action->setData(currentObj->getId()); AddObjectActions.append(action); } popup_menu->addSeparator(); QAction *findID = popup_menu->addAction( tr("Find"), this, SLOT( findObject())); QAction *whereUsedID = popup_menu->addAction( tr("Where used"), this, SLOT( findWhereUsedSlot())); findID->setEnabled( !FWBTree().isStandardFolder(currentObj)); whereUsedID->setEnabled( !FWBTree().isStandardFolder(currentObj)); } popup_menu->addSeparator(); popup_menu->addAction( tr("Group"), this, SLOT( groupObjects() ) ) ->setDisabled(getCurrentObjectTree()->getNumSelected()==1); addKeywordsMenu(this, popup_menu); if (Firewall::cast(currentObj)!=NULL || (ObjectGroup::cast(currentObj)!=NULL && currentObj->getName()=="Firewalls")) { bool canCreateCluster = true; if (getCurrentObjectTree()->getNumSelected() > 1) { foreach( FWObject *obj, getCurrentObjectTree()->getSelectedObjects()) { if (!Firewall::isA(obj)) { canCreateCluster = false; break; } } } else canCreateCluster = false; popup_menu->addAction( tr("New cluster from selected firewalls"), this, SLOT( newClusterFromSelected() ) )->setEnabled(canCreateCluster); popup_menu->addSeparator(); popup_menu->addAction( tr("Compile"), this, SLOT( compile())); popup_menu->addAction( tr("Install"), this, SLOT( install())); popup_menu->addAction( tr("Inspect"), this, SLOT( inspect())); } if (Interface::cast(currentObj)!=NULL) { popup_menu->addSeparator(); FWObject *h = Host::getParentHost(currentObj); if (h != NULL) { list top_level_interfaces = h->getByType(Interface::TYPENAME); top_level_interfaces.sort(FWObjectNameCmpPredicate()); addSubinterfaceSubmenu(popup_menu, top_level_interfaces); } } popup_menu->addSeparator(); QAction* 
lckID = popup_menu->addAction(tr("Lock"), this, SLOT(lockObject())); QAction* unlckID = popup_menu->addAction(tr("Unlock"), this, SLOT(unlockObject())); lckID->setEnabled(isCurrentObjectLockable()); unlckID->setEnabled(isCurrentObjectUnlockable()); if (fwbdebug) { /* keep this for debugging */ popup_menu->addSeparator(); popup_menu->addAction( tr("dump"), this, SLOT( dumpObj())); } if (getCurrentObjectTree()->getNumSelected()==1) { edtID->setEnabled( !FWBTree().isStandardFolder(currentObj)); } else edtID->setEnabled(false); bool dupMenuItem = true; bool moveMenuItem = true; bool copyMenuItem = true; bool pasteMenuItem = true; bool delMenuItem = true; bool newMenuItem = true; bool inDeletedObjects = false; getMenuState( (moveTargetsCounter>0), dupMenuItem, moveMenuItem, copyMenuItem, pasteMenuItem, delMenuItem, newMenuItem, inDeletedObjects); if (dupID) dupID->setEnabled(dupMenuItem); copyID->setEnabled(copyMenuItem); pasteID->setEnabled(pasteMenuItem); cutID->setEnabled(delMenuItem); delID->setEnabled(delMenuItem); // can not move object if can not delete it if (movetargets) movetargets->setEnabled(delMenuItem); // if (inDeletedObjects) movID->setText( tr("Undelete...") ); for (iter=AddObjectActions.begin(); iter!=AddObjectActions.end(); iter++) (*iter)->setEnabled(newMenuItem); popup_menu->exec(QCursor::pos()); } /* * Add menu item "Make subinterface of ..." and submenu with list of * top level interfaces. 
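*/
void ObjectManipulator::addSubinterfaceSubmenu(
    QMenu *menu, const list &top_level_interfaces)
{
    QMenu *submenu = menu->addMenu( tr("Make subinterface of..."));
    int submenu_items_counter = 0;

    // Connect the submenu's triggered() signal exactly once. The
    // connect() call used to sit inside the loop below, so with N
    // items in the submenu the makeSubinterface slot fired N times
    // for a single click (Qt does not deduplicate connections by
    // default).
    connect( submenu, SIGNAL(triggered(QAction*)),
             this, SLOT(makeSubinterface(QAction*)));

    list::const_iterator it;
    for (it=top_level_interfaces.begin(); it!=top_level_interfaces.end(); ++it)
    {
        Interface *intf = Interface::cast(*it);
        bool skip_interface = false;

        // A candidate parent is skipped when it is itself among the
        // selected objects, or when it can not hold one of them as a
        // child.
        foreach(FWObject *obj, getCurrentObjectTree()->getSelectedObjects())
        {
            if (obj == intf) { skip_interface = true; break; }
            if (!intf->validateChild(obj)) { skip_interface = true; break; }
        }
        if (skip_interface) continue;
        if (intf->isLoopback()) continue;

        // can not add interfaces to a read-only parent interface
        if (intf->isReadOnly()) continue;

        QString itf_name = QString::fromUtf8(intf->getName().c_str());
        FWObject *parent_fw = Host::getParentHost(intf);
        std::auto_ptr int_prop(
            interfacePropertiesObjectFactory::getInterfacePropertiesObject(
                parent_fw));

        // interfaces whose name looks like a vlan interface are not
        // offered as parents
        if (int_prop->looksLikeVlanInterface(itf_name)) continue;

        QAction *a = submenu->addAction(
            QIcon(":/Icons/Interface/icon-tree"), itf_name);
        a->setData(intf->getId());
        submenu_items_counter++;
    }

    submenu->setEnabled(submenu_items_counter != 0);
}

/*
 * Whether obj may be deleted from the menu. Read-only objects and
 * objects the tree reports as undeletable for their path can not be
 * deleted; neither can the last rule set of a given type in a
 * firewall.
 */
bool ObjectManipulator::getDeleteMenuState(FWObject *obj)
{
    if (obj->isReadOnly()) return false;

    QString objPath = obj->getPath(true).c_str();
    bool del_menu_item_state = FWBTree().getDeleteMenuState(objPath);

    // can't delete last policy, nat and routing child objects
    // also can't delete "top" policy ruleset
    if (del_menu_item_state && RuleSet::cast(obj))
    {
        Firewall *fw = Firewall::cast(obj->getParent());
        // fw can be NULL if this ruleset is in the Deleted objects
        // library
        if (fw==NULL) return del_menu_item_state;
        list child_objects = fw->getByType(obj->getTypeName());
        if (child_objects.size()==1) del_menu_item_state = false;
    }
    return del_menu_item_state;
}

void ObjectManipulator::getMenuState(bool haveMoveTargets, bool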
&dupMenuItem, bool &moveMenuItem, bool ©MenuItem, bool &pasteMenuItem, bool &delMenuItem, bool &newMenuItem, bool &inDeletedObjects) { inDeletedObjects = false; if (m_project->db() == NULL) { dupMenuItem = false; moveMenuItem = false; copyMenuItem = false; pasteMenuItem = false; delMenuItem = false; newMenuItem = false; return; } dupMenuItem = true; moveMenuItem = true; copyMenuItem = true; pasteMenuItem = true; delMenuItem = true; newMenuItem = true; FWObject *del_obj_library = m_project->db()->findInIndex( FWObjectDatabase::DELETED_OBJECTS_ID); FWObject *current_library = getCurrentLib(); if (getCurrentObjectTree()==NULL) return; // delete, cut and copy menu items will be enabled only if all // selected objects have the same parent (so user can not select // an interface and one but not all of its addresses for deletion, // see #1676) FWObject *parent = NULL; vector so = getCurrentObjectTree()->getSelectedObjects(); for (vector::iterator i=so.begin(); i!=so.end(); ++i) { FWObject *obj= *i; QString object_path = obj->getPath(true).c_str(); if (parent == NULL) parent = obj->getParent(); else { if (parent != obj->getParent()) { delMenuItem = false; copyMenuItem = false; } } if (AttachedNetworks::isA(obj)) { dupMenuItem = false; moveMenuItem = false; copyMenuItem = false; pasteMenuItem = false; newMenuItem = false; continue; } copyMenuItem = copyMenuItem && FWBTree().getCopyMenuState(object_path); pasteMenuItem = pasteMenuItem && FWBTree().getPasteMenuState(object_path) && FWObjectClipboard::obj_clipboard && (FWObjectClipboard::obj_clipboard->size()!=0); delMenuItem = delMenuItem && getDeleteMenuState(obj); delMenuItem = delMenuItem && current_library != NULL && current_library->getId() != FWObjectDatabase::STANDARD_LIB_ID; #if DISABLE_PASTE_MENU_ITEM_IF_PASTE_IS_ILLEGAL if (pasteMenuItem) { /* * We used to enable Paste menu item only if object can be * pasted. The problem with this is that there was no * indication why Paste operation was not allowed. 
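Since
 * we call validateForPaste during actual Paste operation
 * anyway, it is more user friendly to let them try and
 * actually see the error if it fails.
 */
            vector >::iterator i;
            for (i= FWObjectClipboard::obj_clipboard->begin();
                 i!=FWObjectClipboard::obj_clipboard->end(); ++i)
            {
                FWObject *co= m_project->db()->findInIndex(i->first);
                if (co==NULL)
                {
                    continue ;
                    //QString s2 = obj->getTypeName().c_str();
                }
                QString s3 = obj->getTypeName().c_str();
                QString err;
                bool validated = FWBTree().validateForInsertion(obj, co, err);
                pasteMenuItem = pasteMenuItem && validated;
            }
        }
#endif

        // Duplicate is never offered for system folders or libraries,
        // nor for anything already inside the Deleted Objects library.
        dupMenuItem= (dupMenuItem &&
                      ! FWBTree().isStandardFolder(obj) &&
                      ! Library::isA(obj) );

        inDeletedObjects = (del_obj_library!=NULL &&
                            obj->isChildOf(del_obj_library));

        dupMenuItem = dupMenuItem && !inDeletedObjects;

        // can't move system objects or libraries
        moveMenuItem = moveMenuItem &&
            ! FWBTree().isStandardFolder(obj) && ! Library::isA(obj);

        // can't move interfaces unless parent host object is also selected
        if ( Interface::isA(obj) &&
             std::find(so.begin(),so.end(),obj->getParent())==so.end())
            moveMenuItem = false;

        // can't move ip addresses if parent is interface.
        // An object is either IPv4 or IPv6, never both, so the two type
        // checks are combined with OR; the previous AND could never be
        // true and this rule silently never applied.
        if ((IPv4::isA(obj) || IPv6::isA(obj)) &&
            Interface::isA(obj->getParent()))
            moveMenuItem = false;

        // can't move physAddress objects
        moveMenuItem = moveMenuItem && ! physAddress::isA(obj);

        // can't move read-only objects
        moveMenuItem = moveMenuItem && ! obj->isReadOnly();

        // can't move libraries unless in deleted objects
        if (Library::isA(obj) && ! inDeletedObjects) moveMenuItem = false;

        // can't move if there is only one user-defined library in the tree
        // but we dont care about number of libraries if this will become
        // 'undelete' operation
        if (!haveMoveTargets && ! inDeletedObjects) moveMenuItem = false;

        newMenuItem= (newMenuItem && !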
obj->isReadOnly() ); Interface *intf = Interface::cast(obj); if (intf && (intf->isDyn() || intf->isUnnumbered() || intf->isBridgePort()) ) newMenuItem = false; } } bool ObjectManipulator::isCurrentObjectLockable() { FWObject *currentObj = getSelectedObject(); return (currentObj && !currentObj->getParent()->isReadOnly() && !currentObj->getRO()); } bool ObjectManipulator::isCurrentObjectUnlockable() { FWObject *currentObj = getSelectedObject(); return (currentObj && !currentObj->getParent()->isReadOnly() && currentObj->getRO()); } void ObjectManipulator::filterFirewallsFromSelection(vector &so, set &fo) { Firewall *fw; ObjectGroup *gr; Cluster *cl; for (vector::iterator i=so.begin(); i!=so.end(); ++i) { cl = Cluster::cast(*i); if (cl != NULL) { list members; cl->getMembersList(members); // display warning if no firewalls could be extracted for a cluster if (members.size() == 0) { QMessageBox::warning(this, "Firewall Builder", QObject::tr("No firewalls assigned to cluster '%1'"). arg(cl->getName().c_str()), "&Continue", QString::null, QString::null, 0, 1 ); continue; } fo.insert(cl); continue; } fw = Firewall::cast(*i); if (fw!=NULL) { fo.insert(fw); continue; } gr = ObjectGroup::cast(*i); if (gr!=NULL) { extractFirewallsFromGroup(gr,fo); } } } void ObjectManipulator::extractFirewallsFromGroup(ObjectGroup *gr, set &fo) { set oset; m_project->db()->findObjectsInGroup(gr, oset); set::iterator i; for(i=oset.begin();i!=oset.end();++i) if (Firewall::cast(*i)) fo.insert(Firewall::cast(*i)); } FWObject* ObjectManipulator::prepareForInsertion(FWObject *target, FWObject *obj) { if (fwbdebug) qDebug("prepareForInsertion %s --> %s", obj->getName().c_str(), target->getName().c_str()); FWObject *ta = target; if (IPv4::isA(ta) || IPv6::isA(ta)) ta = ta->getParent(); if (Library::isA(target)) ta = FWBTree().getStandardSlotForObject(target, obj->getTypeName().c_str()); QString err; if (! 
FWBTree().validateForInsertion(ta, obj, err)) { QMessageBox::critical( this,"Firewall Builder", err, "&Continue", QString::null, QString::null, 0, 1 ); return NULL; } return ta; } void ObjectManipulator::editSelectedObject() { if (fwbdebug) qDebug("ObjectManipulator::editSelectedObject"); ObjectTreeView *objTreeView = getCurrentObjectTree(); if (objTreeView == NULL) return; if (objTreeView->getNumSelected()==0) return; FWObject *obj = getCurrentObjectTree()->getSelectedObjects().front(); if (obj==NULL) return; // do not edit system folders (#1729) if (FWBTree().isSystem(obj)) return; if (RuleSet::cast(obj)!=NULL) { // Open rule set object in the editor if it is already opened // in RuleSetView. If we just opened it in RuleSetView, check // if the editor is visible and if yes, open the object in the // editor right away. See #1331 if (m_project->getCurrentRuleSet() == obj) { QCoreApplication::postEvent( mw, new openObjectInEditorEvent( m_project->getFileName(), obj->getId())); } else { QCoreApplication::postEvent( m_project, new openRulesetEvent( m_project->getFileName(), obj->getId())); if (mw->isEditorVisible()) QCoreApplication::postEvent( mw, new openObjectInEditorEvent( m_project->getFileName(), obj->getId())); } } else QCoreApplication::postEvent( mw, new openObjectInEditorEvent( m_project->getFileName(), obj->getId())); } void ObjectManipulator::openSelectedRuleSet() { if (getCurrentObjectTree()->getNumSelected()==0) return; FWObject *obj = getCurrentObjectTree()->getSelectedObjects().front(); if (obj==NULL) return; if (RuleSet::cast(obj)!=NULL && m_project->getCurrentRuleSet()!=obj) QCoreApplication::postEvent( m_project, new openRulesetEvent(m_project->getFileName(), obj->getId())); } bool ObjectManipulator::editObject(FWObject *obj) { if (fwbdebug) qDebug("ObjectManipulator::editObject"); if (!mw->isEditorVisible()) mw->showEditor(); return switchObjectInEditor(obj); } bool ObjectManipulator::switchObjectInEditor(FWObject *obj) { if (fwbdebug) 
qDebug("ObjectManipulator::switchObjectInEditor"); if (obj && fwbdebug) { qDebug("obj: %s", obj->getName().c_str()); FWObject *edt_obj = mw->getOpenedEditor(); if (edt_obj) qDebug("in editor: %s", edt_obj->getName().c_str()); } if (RuleSet::cast(obj)!=NULL) { if (obj!=m_project->getCurrentRuleSet()) { m_project->openRuleSet(obj); } } if (!mw->isEditorVisible()) return false; if (!mw->requestEditorOwnership(this, obj, ObjectEditor::optNone, true)) { if (fwbdebug) qDebug("Can not get editor panel ownership"); return false; } if (fwbdebug) qDebug("Open object in editor"); mw->openEditor(obj); // opens object in the editor //currentObj = obj; active = true; if (fwbdebug) qDebug("ObjectManipulator::switchObjectInEditor done"); return true; // successfully (re)opened obj in the editor } void ObjectManipulator::closeObject() { //currentObj = NULL; if (mw->isEditorVisible()) mw->hideEditor(); } void ObjectManipulator::selectionChanged(QTreeWidgetItem *cur) { if (fwbdebug) qDebug("ObjectManipulator::selectionChanged"); QTreeWidget *qlv = getCurrentObjectTree(); if (qlv==NULL) return; ObjectTreeViewItem* otvi = dynamic_cast(cur); if (otvi==NULL) return; FWObject *obj = otvi->getFWObject(); if (obj==NULL) return; if (fwbdebug) qDebug("ObjectManipulator::selectionChanged obj=%s", obj->getName().c_str()); FWObject *o = obj; //if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); if (history.empty() || otvi != getCurrentHistoryItem() ) { mw->enableBackAction(); addObjectToHistory(otvi, o); } //currentObj = obj; active = true; update(); if (fwbdebug) qDebug("ObjectManipulator::selectionChanged done"); } void ObjectManipulator::openObjectInTree(ObjectTreeViewItem *otvi, bool register_in_history) { openObjectInTree(otvi->getFWObject(), register_in_history); } /* * I could use default value for the parameter register_in_history, * but that caused problems when this method was used as a slot */ void ObjectManipulator::openObjectInTree(QTreeWidgetItem *item) { 
ObjectTreeViewItem *otvi = dynamic_cast(item); openObjectInTree(otvi, true); } void ObjectManipulator::openObjectInTree(FWObject *obj) { openObjectInTree(obj,true); } /* This method is called from the GroupObjectDialog when user double * clicks on the object in a group, so first we should check if this * object is shown in the tree and if not, find and open it. */ void ObjectManipulator::openObjectInTree(FWObject *obj, bool /*register_in_history*/) { if (fwbdebug) qDebug() << "ObjectManipulator::openObjectInTree" << "obj:" << ((obj)?obj->getName().c_str():"NULL") << "id:" << ((obj)?obj->getId():0); if (obj==NULL) return; openLibForObject(obj); //raise(); FWObject *o=obj; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); ObjectTreeViewItem *otvi = allItems[o]; // this changes selection and thus calls slot slectionChanged showObjectInTree(otvi); if (fwbdebug) qDebug() << "ObjectManipulator::openObjectInTree" << "libs->currentIndex=" << m_objectManipulator->libs->currentIndex(); updateCreateObjectMenu(obj->getLibrary()); if (fwbdebug) qDebug() << "ObjectManipulator::openObjectInTree: done"; } void ObjectManipulator::openLibForObject(FWObject *obj) { // if obj is Library, its getLibrary() method returns itself. If // this library has been deleted and is now in the Deleted Objects // library, getIdxForLib() is not going to find it. if (FWObjectDatabase::isA(obj->getParent())) m_objectManipulator->libs->setCurrentIndex( libs_model->getIdxForLib(obj->getLibrary()).row()); else { FWObject *parent = obj->getParent(); FWObject *lib = parent->getLibrary(); // see #2648 if a library was deleted with all of its // contents, then it is possible that variable lib may point // to such deleted library, which is located inside of the // "Deleted Objects" library. 
if (lib->getParent()->getId() == FWObjectDatabase::DELETED_OBJECTS_ID) lib = m_project->db()->findInIndex( FWObjectDatabase::DELETED_OBJECTS_ID); m_objectManipulator->libs->setCurrentIndex( libs_model->getIdxForLib(lib).row()); } } void ObjectManipulator::showObjectInTree(ObjectTreeViewItem *otvi) { if (fwbdebug) qDebug("ObjectManipulator::showObjectInTree"); if (otvi==NULL) return; ObjectTreeView* otv = otvi->getTree(); if (fwbdebug) qDebug() << "ObjectManipulator::showObjectInTree" << "current_tree_view=" << current_tree_view << "new_otv=" << otv; // otv->raise(); m_objectManipulator->widgetStack->setCurrentWidget(otv); otvi->getTree()->clearSelection(); otvi->getTree()->scrollToItem(otvi); otvi->getTree()->setCurrentItem(otvi); otvi->setSelected(true); // otvi->getTree()->setFocus(Qt::OtherFocusReason); } void ObjectManipulator::libChangedById(int obj_id) { for (int i=0; irowCount(); ++i) { QModelIndex idx = libs_model->index(i, 0); FWObject *l = libs_model->getLibrary(idx); if (l == NULL) continue; if (l->getId() == obj_id) { libChanged(i); m_objectManipulator->libs->setCurrentIndex(i); return; } } } FWObject* ObjectManipulator::getNextUserLib(FWObject *after_this) { QString sid2 = "syslib000"; QString sid3 = "syslib001"; FWObject *lib = NULL; if (after_this != NULL) lib = after_this->getLibrary(); for (int i=0; irowCount(); ++i) { QModelIndex idx = libs_model->index(i, 0); FWObject *l = libs_model->getLibrary(idx); if (l == NULL) continue; if (l == lib) continue; QString sid1 = FWObjectDatabase::getStringId(l->getId()).c_str(); if ( sid1 == sid2 || sid1 == sid3) continue; return l; } return NULL; } void ObjectManipulator::libChanged(int list_row) { if (fwbdebug) qDebug() << "ObjectManipulator::libChanged list_row=" << list_row; previous_lib_index = list_row; QTreeWidget *objTreeView = libs_model->getTreeWidget(list_row); if (objTreeView == NULL) { if (fwbdebug) { qDebug() << "There is no object tree widget associated with this row"; qDebug() << "Scanning all 
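rows:";
            for (int i=0; irowCount(); ++i)
            {
                qDebug() << "Row" << i;
                QTreeWidget *objTreeView = libs_model->getTreeWidget(i);
                FWObject *lib = libs_model->getLibrary(i);
                qDebug() << "lib=" << lib << "objTreeView=" << objTreeView;
            }
        }
        return;
    }

    ObjectTreeViewItem *otvi =
        dynamic_cast(objTreeView->currentItem());
    if (otvi == NULL)
    {
        // No current item: fall back to the first top-level item. With
        // assertions compiled out an empty tree leaves otvi NULL, which
        // showObjectInTree() tolerates by returning early.
        if (objTreeView->invisibleRootItem()->childCount() > 0)
            otvi = dynamic_cast(
                objTreeView->invisibleRootItem()->child(0));
        else
            assert(false);
    }

    showObjectInTree( otvi );
    QCoreApplication::postEvent(mw, new updateGUIStateEvent());
    return;
}

/*
 * Enable or disable "new object" operations for the given library.
 * Nothing can be created when no library is given, in the template
 * library, in the Deleted Objects library, or in a read-only library.
 */
void ObjectManipulator::updateCreateObjectMenu(FWObject* lib)
{
    bool f = ( lib == NULL ||
               lib->getId()==FWObjectDatabase::TEMPLATE_LIB_ID ||
               lib->getId()==FWObjectDatabase::DELETED_OBJECTS_ID ||
               lib->isReadOnly() );
    bool new_object_op_possible = !f;

    emit libraryAccessChanged(new_object_op_possible);

    // m_objectManipulator->newButton->setEnabled(new_object_op_possible);

    // findChild() returns NULL when the main window has no child with
    // that name; guard the call rather than dereferencing unconditionally.
    QAction *noa = (QAction*)(mw->findChild("newObjectAction"));
    if (noa != NULL) noa->setEnabled(new_object_op_possible);
}

/* Library currently shown in the tree, or NULL if none is selected. */
FWObject* ObjectManipulator::getCurrentLib()
{
    int idx = m_objectManipulator->libs->currentIndex();
    if (idx == -1 ) return NULL;
    FWObject *lib = libs_model->getLibrary(idx);
    return lib;
}

/* Tree widget for the library selected in the libs combo box. */
ObjectTreeView* ObjectManipulator::getCurrentObjectTree()
{
    return libs_model->getTreeWidget(m_objectManipulator->libs->currentIndex());
    // return current_tree_view;
}

void ObjectManipulator::openLib(FWObject *obj)
{
    openObjectInTree(obj->getLibrary(), false);
}

void ObjectManipulator::newObject()
{
    // m_objectManipulator->newButton->showMenu();
    buildNewObjectMenu();
}

/*
 * Re-select whatever object is current in the tree, switching the
 * libs combo box to that object's library first.
 */
void ObjectManipulator::select()
{
    FWObject *currentObj = getSelectedObject();

    if (fwbdebug)
        qDebug() << "ObjectManipulator::select()"
                 << "currentObj=" << currentObj
                 << ((currentObj)?currentObj->getName().c_str():" [unknown] ");

    if (currentObj==NULL) return;

    m_objectManipulator->libs->setCurrentIndex(
        libs_model->getIdxForLib(currentObj->getLibrary()).row());

    // TODO: I forget why do we need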
flag "active", check this. ObjectTreeViewItem *otvi = allItems[currentObj]; if (otvi) { active = true; } if (fwbdebug) qDebug("ObjectManipulator::select() done"); } void ObjectManipulator::unselect() { FWObject *currentObj = getSelectedObject(); if (currentObj==NULL) return; for (int i=0; irowCount(); ++i) { QTreeWidget *otv = libs_model->getTreeWidget(i); if (otv == NULL) continue; otv->clearSelection(); } active=false; } list ObjectManipulator::findClustersUsingFirewall(FWObject *fw) { list res; list all_clusters; findAllClusters(all_clusters); list::iterator it; for (it=all_clusters.begin(); it!=all_clusters.end(); ++it) { Cluster *cl = *it; list members; cl->getMembersList(members); if (std::find(members.begin(), members.end(), Firewall::cast(fw)) != members.end()) res.push_back(cl); } return res; } void ObjectManipulator::findAllFirewalls(list &fws) { if (fwbdebug) qDebug("ObjectManipulator::findAllFirewalls"); list fwlist; findByObjectType(m_project->db(), Firewall::TYPENAME, fwlist); for (list::iterator m=fwlist.begin(); m!=fwlist.end(); m++) fws.push_back(Firewall::cast(*m)); } void ObjectManipulator::findAllClusters(list &clusters) { list cllist; findByObjectType(m_project->db(), Cluster::TYPENAME, cllist); for (list::iterator m=cllist.begin(); m!=cllist.end(); m++) clusters.push_back(Cluster::cast(*m)); } void ObjectManipulator::simulateInstall() { if (fwbdebug) qDebug("ObjectManipulator::simulateInstall"); if (getCurrentObjectTree()->getNumSelected()==0) return; Firewall *fw; vector so = getCurrentObjectTree()->getSimplifiedSelection(); for (vector::iterator i=so.begin(); i!=so.end(); ++i) { fw= Firewall::cast( *i ); if (fw!=NULL) { fw->updateLastCompiledTimestamp(); fw->updateLastInstalledTimestamp(); } } } FWObject* ObjectManipulator::getSelectedObject() { QTreeWidgetItem *cur = getCurrentObjectTree()->currentItem(); if (cur) { ObjectTreeViewItem* otvi = dynamic_cast(cur); return otvi->getFWObject(); } return NULL; } void 
ObjectManipulator::reopenCurrentItemParent() { QTreeWidgetItem *itm = getCurrentObjectTree()->currentItem(); if (itm) itm = itm->parent(); if (!itm) return; itm->parent()->setExpanded(false); itm->parent()->setExpanded(true); getCurrentObjectTree()->scrollToItem(itm, QAbstractItemView::EnsureVisible); getCurrentObjectTree()->update(); } void ObjectManipulator::loadSectionSizes() { for (int i=0; irowCount(); ++i) { QTreeWidget *objTreeView = libs_model->getTreeWidget(i); FWObject *lib = libs_model->getLibrary(i); if (lib == NULL || objTreeView == NULL) continue; objTreeView->header()->resizeSection( 0, st->getTreeSectionSize( m_project->getFileName(), lib->getName().c_str(), 0)); objTreeView->header()->resizeSection( 1, st->getTreeSectionSize( m_project->getFileName(), lib->getName().c_str(), 1)); } } void ObjectManipulator::saveSectionSizes() { for (int i=0; irowCount(); ++i) { QTreeWidget *objTreeView = libs_model->getTreeWidget(i); FWObject *lib = libs_model->getLibrary(i); if (lib == NULL || objTreeView == NULL) continue; st->setTreeSectionSize( m_project->getFileName(), lib->getName().c_str(), 0, objTreeView->header()->sectionSize(0)); st->setTreeSectionSize( m_project->getFileName(), lib->getName().c_str(), 1, objTreeView->header()->sectionSize(1)); } } void ObjectManipulator::loadExpandedTreeItems() { if (fwbdebug) qDebug() << "ObjectManipulator::loadExpandedTreeItems()"; for (int i=0; irowCount(); ++i) { if (fwbdebug) qDebug() << "i=" << i; ObjectTreeView *objTreeView = libs_model->getTreeWidget(i); FWObject *lib = libs_model->getLibrary(i); if (lib == NULL || objTreeView == NULL) continue; set expanded_objects; st->getExpandedObjectIds(m_project->getFileName(), lib->getName().c_str(), expanded_objects); objTreeView->ExpandTreeItems(expanded_objects); // there is no need to resize columns because call to //loadExpandedTreeItems is usually followed by the call to loadSectionSizes //objTreeView->header()->resizeSections(QHeaderView::ResizeToContents); } } void 
ObjectManipulator::saveExpandedTreeItems() { for (int i=0; irowCount(); ++i) { ObjectTreeView *objTreeView = libs_model->getTreeWidget(i); FWObject *lib = libs_model->getLibrary(i); if (lib == NULL || objTreeView == NULL) continue; st->setExpandedObjectIds(m_project->getFileName(), lib->getName().c_str(), objTreeView->getListOfExpandedObjectIds()); } } void ObjectManipulator::setAttributesColumnEnabled(bool) { for (int i=0; irowCount(); ++i) { ObjectTreeView *objTreeView = libs_model->getTreeWidget(i); if (objTreeView == NULL) continue; objTreeView->showOrHideAttributesColumn(); } } void ObjectManipulator::findWhereUsedRecursively(FWObject *obj, FWObject *top, set &resset) { UsageResolver().findWhereUsedRecursively(obj, top, resset, this->m_project->db()); } list ObjectManipulator::findFirewallsForObject(FWObject *o) { return UsageResolver().findFirewallsForObject(o, this->m_project->db()); } fwbuilder-5.3.7/src/libgui/ObjectManipulator.h000066400000000000000000000405441303637203600213600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTMANIPULATOR_H_ #define __OBJECTMANIPULATOR_H_ #include "config.h" #include "global.h" #include "utils.h" #include #include #include #include #include #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/ObjectGroup.h" #include "UsageResolver.h" #include class ObjectTreeView; class ObjectTreeViewItem; class QComboBox; class QPixmap; class QUndoCommand; class ListOfLibrariesModel; class ProjectPanel; namespace libfwbuilder { class Firewall; class Cluster; class Library; } class HistoryItem { ObjectTreeViewItem *itm; int objId; public: HistoryItem(ObjectTreeViewItem *oi, int id) { itm=oi; objId=id; } ~HistoryItem(); ObjectTreeViewItem* item() { return itm; } int id() const { return objId; } }; class FindHistoryItemByObjectId { int id; public: FindHistoryItemByObjectId(int i) { id = i; } bool operator()(const HistoryItem &itm); }; class ObjectManipulator : public QWidget { Q_OBJECT; ListOfLibrariesModel *libs_model; // std::vector idxToLibs; // std::vector idxToTrees; int previous_lib_index; QSet ids ; /* * this is where we keep information about user's object browsing * history. Even though latest versions of the GUI do not offer * buttons "Back" and "Forward", history is still used to * determine which rule set object to open when user double clicks * on a firewall. We want to open the rule set they looked at * last. This whole browsing history infrastructure might be an * overkill for the simple purpose like that, but I'll keep it * around beause I do not want to make drastic changes so close to * the release date and it may become useful again in the * future. Otherwise, we can get rid of it later. 
--vk 07/22/2011 */ std::list history; std::list::iterator current_history_item; int cacheHits; //libfwbuilder::FWObject *currentObj; ObjectTreeView *current_tree_view; int treeWidth; int treeHeight; bool active; QMenu *popup_menu; ObjectTreeViewItem *lastClickedItem; /* this is a reverse idex of all objects in all trees. We use it to * quickly locate given object in the tree and open it */ std::map allItems; ProjectPanel *m_project; int dedup_marker_global_counter; void buildNewObjectMenu(); ObjectTreeViewItem* insertObject(ObjectTreeViewItem *itm, libfwbuilder::FWObject *obj); void insertSubtree( ObjectTreeViewItem *itm,libfwbuilder::FWObject *obj ); QString getTreeLabel(libfwbuilder::FWObject *obj, int col); void showObjectInTree(ObjectTreeViewItem *otvi); void setObjectIcon(libfwbuilder::FWObject *obj, QPixmap *pm); void removeLib(int idx); void makeNameUnique(libfwbuilder::FWObject* p,libfwbuilder::FWObject* obj); void expandOrCollapseCurrentTreeNode(QTreeWidgetItem*, bool); /* find the name of the interface that was created last */ QString findNewestInterfaceName(libfwbuilder::FWObject *parent); libfwbuilder::FWObject* actuallyCreateObject( libfwbuilder::FWObject *parent, const QString &objType, const QString &objName, libfwbuilder::FWObject *copyFrom=NULL, QUndoCommand* macro = 0); void extractFirewallsFromGroup(libfwbuilder::ObjectGroup *gr, std::set &fo); libfwbuilder::FWObject* actuallyPasteTo(libfwbuilder::FWObject *target, libfwbuilder::FWObject *obj, std::map &map_ids); void actuallyDeleteObject(libfwbuilder::FWObject *obj, QUndoCommand* macro = 0); void findWhereUsedRecursively(libfwbuilder::FWObject *obj, libfwbuilder::FWObject *top, std::set &resset); void refreshSubtree(QTreeWidgetItem *parent, QTreeWidgetItem *itm); libfwbuilder::FWObject* newLibrary(QUndoCommand* macro); libfwbuilder::FWObject* newHost(QUndoCommand* macro); libfwbuilder::FWObject* newInterface(QUndoCommand* macro); libfwbuilder::FWObject* newFirewall(QUndoCommand* macro); 
libfwbuilder::FWObject* newCluster(QUndoCommand* macro, bool fromSelected = false); libfwbuilder::FWObject* newClusterIface(QUndoCommand* macro); libfwbuilder::FWObject* newStateSyncClusterGroup(QUndoCommand* macro); libfwbuilder::FWObject* newFailoverClusterGroup(QUndoCommand* macro); libfwbuilder::FWObject* newInterfaceAddress(QUndoCommand* macro); libfwbuilder::FWObject* newInterfaceAddressIPv6(QUndoCommand* macro); libfwbuilder::FWObject* newPhysicalAddress(QUndoCommand* macro); libfwbuilder::FWObject* newPolicyRuleSet (QUndoCommand* macro); libfwbuilder::FWObject* newNATRuleSet (QUndoCommand* macro); libfwbuilder::FWObject* newAttachedNetworks(QUndoCommand* macro); public slots: virtual void libChanged(int l); virtual void switchingTrees(QWidget* w); virtual void currentTreePageChanged(int i); void expandCurrentTreeNode(); void collapseCurrentTreeNode(); void newClusterFromSelected(); void selectionChanged(QTreeWidgetItem *cur); void removeUserFolder(); void moveItems(ObjectTreeViewItem *dest, const std::list &items); /** * open object obj in the editor. Does not open editor panel * if it is closed. Asks FWWindow permission to own editor. */ bool switchObjectInEditor(libfwbuilder::FWObject *obj); /** * same as above but opens editor panel if it is closed. This is * an entry point for menu items 'edit', all 'new object' as well * as doubleclick */ bool editObject(libfwbuilder::FWObject *obj); /* * forget about currently opened object; close editor panel if it is open */ void closeObject(); void editSelectedObject(); void openSelectedRuleSet(); void contextMenuRequested(const QPoint &pos); /* * Internal: this method is used in actuallyPasteTo(). This * method checks if the target object is appropriate and replaces * it with parent if needed. Also does validation and shows error * dialogs if validation fails. Returns new parent or NULL if * validation fails. 
*/ libfwbuilder::FWObject* prepareForInsertion(libfwbuilder::FWObject *target, libfwbuilder::FWObject *obj); libfwbuilder::FWObject* createObject(const QString &objType, const QString &objName, libfwbuilder::FWObject *copyFrom=NULL, QUndoCommand* macro = 0); libfwbuilder::FWObject* createObject(libfwbuilder::FWObject *parent, const QString &objType, const QString &objName, libfwbuilder::FWObject *copyFrom=NULL, QUndoCommand* macro = 0); void newObject(); void createNewObject(); void newFirewallSlot(); void copyObj(); void cutObj(); void pasteObj(); void delObj(QUndoCommand* macro = 0); void dumpObj(); void compile(); void install(); void inspect(); void duplicateObj(QAction*); void moveObj(QAction*); void undeleteLibrary(); void groupObjects(); void openObjectInTree(QTreeWidgetItem *otvi); void openObjectInTree(libfwbuilder::FWObject *obj); void find(); void findObject(); virtual void lockObject(); virtual void unlockObject(); virtual void simulateInstall(); virtual void findWhereUsedSlot(); void addSubfolderSlot(); void addNewKeywordSlot(); void processKeywordSlot(); void makeSubinterface(QAction*); public: Ui::ObjectManipulator_q *m_objectManipulator; ObjectManipulator(QWidget *parent); ~ObjectManipulator(); void setupProject(ProjectPanel *project); void libChangedById(int id); libfwbuilder::FWObject* getNextUserLib(libfwbuilder::FWObject *after_this=NULL); std::vector getTreeWidgets(); void filterFirewallsFromSelection( std::vector &so, std::set &fo); QString getStandardName(libfwbuilder::FWObject *parent, const std::string &objtype, const std::string &namesuffix); QString makeNameUnique(libfwbuilder::FWObject* parent, const QString &obj_name, const QString &obj_type); void autorename(libfwbuilder::FWObject *obj); void autorename(std::list &obj_list, const std::string &objtype, const std::string &namesuffix); void autorenameVlans(std::list &obj_list); std::string getFolderNameString(libfwbuilder::FWObject *obj); void reload(); void loadObjects(); void 
clearObjects(); /* Add/remove user folder from tree */ void addUserFolderToTree(libfwbuilder::FWObject *obj, const QString &folder); void removeUserFolderFromTree(libfwbuilder::FWObject *obj, const QString &folder); void moveToFromUserFolderInTree(libfwbuilder::FWObject *parent, libfwbuilder::FWObject *objToMove, const QString &oldFolder, const QString &newFolder); void reopenCurrentItemParent(); void insertSubtree(libfwbuilder::FWObject *parent, libfwbuilder::FWObject *obj); void removeObjectFromTreeView(libfwbuilder::FWObject *obj ); void addLib(libfwbuilder::FWObject *lib); void removeLib(libfwbuilder::FWObject *lib); void openLibForObject(libfwbuilder::FWObject *obj); void openObjectInTree(libfwbuilder::FWObject *obj, bool register_in_history); void openObjectInTree(ObjectTreeViewItem *otvi, bool register_in_history); void removeObjectFromHistory(libfwbuilder::FWObject *obj); void addObjectToHistory(ObjectTreeViewItem* otvi, libfwbuilder::FWObject *obj); ObjectTreeViewItem* getCurrentHistoryItem(); /* * searches history trying to find an object that has given * parent. Used to find which rule set of the firewall user * looked at last. */ libfwbuilder::FWObject* findRuleSetInHistoryByParentFw( libfwbuilder::FWObject* parent); void expandObjectInTree(libfwbuilder::FWObject *obj); libfwbuilder::FWObject* duplicateObject(libfwbuilder::FWObject *target, libfwbuilder::FWObject *obj); void moveObject(libfwbuilder::FWObject *target, libfwbuilder::FWObject *obj); void moveObject(const QString &targetLibName, libfwbuilder::FWObject *obj); // This method is called toprocess event objectMovedEvent. 
this event is // posted by FWCmdMoveObject after the object is moved from one // part of the tree to another, including when an object moves to the // Deleted Objects library void objectMoved(libfwbuilder::FWObject *obj); libfwbuilder::FWObject* pasteTo(libfwbuilder::FWObject *target, libfwbuilder::FWObject *obj); void updateLibColor(libfwbuilder::FWObject *lib); void updateLibName(libfwbuilder::FWObject *lib); void autoRenameChildren(libfwbuilder::FWObject *obj, const QString &oldName); void updateObjectInTree(libfwbuilder::FWObject *obj, bool subtree=false); void updateCreateObjectMenu(libfwbuilder::FWObject* lib); ObjectTreeView* getCurrentObjectTree(); libfwbuilder::FWObject* getSelectedObject(); /** * this method opens given library in the tree */ void openLib(libfwbuilder::FWObject *lib); /** * returns pointer at a library that is currently opened in the tree */ libfwbuilder::FWObject* getCurrentLib(); /** * this method makes sure the system library is NOT opened in the * tree. If it is, it switches to the 'User' library. If one of * the user's libraries is already opened, it does nothing. */ void closeSystemLib(); void deleteObject(libfwbuilder::FWObject *obj, QUndoCommand* macro = 0); /** * select whatever object is current in the tree (used to restore * selected state of the tree item after it was unselected) */ void select(); /** * unselect whatever object is currently selected */ void unselect(); /** * controls whether "Deleted Objects" library is shown */ void showDeletedObjects(bool f); /** * checks if currently selected object can be locked. Note that * if its parent or any object all the way up to the library is * read-only, then the state of the current object can not be * changed which makes it not lockable. */ bool isCurrentObjectLockable(); bool isCurrentObjectUnlockable(); /** * get boolean flags that describe state of the menu items. * Can be used for both pop-up context menu and the main menu. 
*/ void getMenuState(bool haveMoveTargets, bool &dupMenuItem, bool &moveMenuItem, bool ©MenuItem, bool &pasteMenuItem, bool &delMenuItem, bool &newMenuItem, bool &inDeletedObjects); bool getDeleteMenuState(libfwbuilder::FWObject *obj); void updateLastInstalledTimestamp(libfwbuilder::FWObject *o); void updateLastCompiledTimestamp(libfwbuilder::FWObject *o); std::list findFirewallsForObject( libfwbuilder::FWObject *o); void findAllFirewalls(std::list &fws); std::list findClustersUsingFirewall(libfwbuilder::FWObject *fw); void findAllClusters(std::list &fws); void loadExpandedTreeItems(); void saveExpandedTreeItems(); void loadSectionSizes(); void saveSectionSizes(); void setAttributesColumnEnabled(bool f); QAction* addNewObjectMenuItem(QMenu *menu, const char* type_name, const QString &text=QString(), int add_to_group_id=-1); void addSubinterfaceSubmenu( QMenu *menu, const std::list &top_level_interfaces); bool isObjectAllowed(const QString &type_name); bool isObjectAllowed(libfwbuilder::FWObject *target, libfwbuilder::FWObject *obj); void reminderAboutStandardLib(); void addSubfolderActions(QList &AddObjectActions, libfwbuilder::FWObject *currentObj, ObjectTreeViewItem *item, bool &addSubfolder); signals: void libraryAccessChanged(bool writable); }; #endif fwbuilder-5.3.7/src/libgui/ObjectManipulator_create_new.cpp000066400000000000000000000704301303637203600241040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "events.h" #include "listOfLibrariesModel.h" #include "ObjectManipulator.h" #include "ObjectTreeView.h" #include "newFirewallDialog.h" #include "newClusterDialog.h" #include "newHostDialog.h" #include "newGroupDialog.h" #include "FWCmdChange.h" #include "FWCmdAddObject.h" #include "FWBTree.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Host.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" #include "fwbuilder/Library.h" #include "fwbuilder/Management.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Routing.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/UserService.h" #include #include #include #include using namespace std; using namespace libfwbuilder; void ObjectManipulator::buildNewObjectMenu() { QMenu* newObjectPopup = new QMenu( mw ); 
newObjectPopup->setObjectName("newObjectPopup"); addNewObjectMenuItem(newObjectPopup, Library::TYPENAME, tr( "New &Library")); newObjectPopup->addSeparator(); foreach (const char *type, FWBTree::getObjectTypes()) { addNewObjectMenuItem(newObjectPopup, type); } newObjectPopup->addSeparator(); foreach (const char *type, FWBTree::getServiceTypes()) { addNewObjectMenuItem(newObjectPopup, type); } newObjectPopup->addSeparator(); addNewObjectMenuItem(newObjectPopup, Interval::TYPENAME); mw->addNewObjectMenu(newObjectPopup); mw->showNewObjectMenu(); } QAction* ObjectManipulator::addNewObjectMenuItem(QMenu *menu, const char* type_name, const QString &text, int add_to_group_id) { QString icon_path=":/Icons/"; QAction *act; QString menu_item_text = text; if (menu_item_text.isEmpty()) menu_item_text = FWBTree().getTranslatableNewObjectMenuText(type_name); act = menu->addAction(QIcon(icon_path + QString(type_name) + "/icon-tree"), menu_item_text, this, SLOT( createNewObject() )); act->setObjectName(QString("newObject_") + type_name); QMap d; d["type_name"] = QVariant(QString(type_name)); d["add_to_group"] = QVariant(add_to_group_id); act->setData(QVariant(d)); return act; } void ObjectManipulator::createNewObject() { const QAction *action = dynamic_cast(sender()); assert(action!=NULL); QVariant v = action->data(); if (!v.isValid()) return; QMap d = v.value >(); QVariant v1 = d["type_name"]; QString type_name = v1.value(); QVariant v2 = d["add_to_group"]; int add_to_group_id = v2.value(); if (fwbdebug) qDebug() << "ObjectManipulator::createNewObject()" << "type:" << type_name << "add_to_group_id:" << add_to_group_id; FWObject *new_obj = NULL; if (!isObjectAllowed(type_name)) return; QString descr = FWBTree().getTranslatableObjectTypeName(type_name); // FWCmdMacro should be used for commands grouping FWCmdMacro* macro = 0; if (add_to_group_id == -1) macro = new FWCmdMacro( FWBTree().getTranslatableNewObjectMenuText(type_name)); else macro = new FWCmdMacro(tr("Create and add to 
group")); if (type_name == Firewall::TYPENAME || type_name == Cluster::TYPENAME || type_name == Host::TYPENAME) { // These three functions call separate modal dialogs that can // be cancelled by the user if (type_name == Firewall::TYPENAME) new_obj = newFirewall(macro); if (type_name == Cluster::TYPENAME) new_obj = newCluster(macro); if (type_name == Host::TYPENAME) new_obj = newHost(macro); if (new_obj == NULL) { delete macro; return; } } if (type_name == Library::TYPENAME) new_obj = newLibrary(macro); if (type_name == Interface::TYPENAME) new_obj = newInterface(macro); if (type_name == IPv4::TYPENAME) new_obj = newInterfaceAddress(macro); if (type_name == IPv6::TYPENAME) new_obj = newInterfaceAddressIPv6(macro); if (type_name == physAddress::TYPENAME) new_obj = newPhysicalAddress(macro); if (type_name == FailoverClusterGroup::TYPENAME) new_obj = newFailoverClusterGroup(macro); if (type_name == StateSyncClusterGroup::TYPENAME) new_obj = newStateSyncClusterGroup(macro); if (type_name == Policy::TYPENAME) new_obj = newPolicyRuleSet(macro); if (type_name == NAT::TYPENAME) new_obj = newNATRuleSet(macro); //if (type_name == Routing::TYPENAME) new_obj = newRoutingRuleSet(); if (type_name == AttachedNetworks::TYPENAME) new_obj = newAttachedNetworks(macro); if (new_obj == NULL) new_obj = createObject(type_name, descr, NULL, macro); if (new_obj == NULL) { delete macro; return; } if (add_to_group_id != -1) { FWObject *grp = m_project->db()->findInIndex(add_to_group_id); if (fwbdebug) qDebug() << "ObjectManipulator::createNewObject()" << "Adding to group grp=" << grp; if (grp) { FWCmdChange *cmd = new FWCmdChange( m_project, grp, QObject::tr("Add object to group"), false, macro); FWObject *new_state = cmd->getNewState(); new_state->addRef(new_obj); // if we add new object to a group, we should still open // the object in the editor rather than the group. Command // that adds it to the group opens the group though. Send // event to open the object. 
QCoreApplication::postEvent( mw, new openObjectInEditorEvent( m_project->getFileName(), new_obj->getId())); } } QCoreApplication::postEvent( m_project, new expandObjectInTreeEvent( m_project->getFileName(), new_obj->getId())); if (Firewall::cast(new_obj)!=NULL) // Cluster too { FWObject *ruleset = new_obj->getFirstByType(Policy::TYPENAME); if (ruleset) QCoreApplication::postEvent( m_project, new openRulesetEvent( m_project->getFileName(), ruleset->getId())); } //directly move object to it's subfolder list newObjs; newObjs.push_back(new_obj); moveItems(lastClickedItem, newObjs); lastClickedItem = NULL; m_project->undoStack->push(macro); } void ObjectManipulator::newFirewallSlot() { QString descr = FWBTree().getTranslatableObjectTypeName(Firewall::TYPENAME); // FWCmdMacro should be used for commands grouping FWCmdMacro* macro = 0; macro = new FWCmdMacro( FWBTree().getTranslatableNewObjectMenuText(Firewall::TYPENAME)); FWObject *new_obj = newFirewall(macro); if (new_obj == NULL) { delete macro; return; } QCoreApplication::postEvent( m_project, new expandObjectInTreeEvent( m_project->getFileName(), new_obj->getId())); FWObject *ruleset = new_obj->getFirstByType(Policy::TYPENAME); if (ruleset) QCoreApplication::postEvent( m_project, new openRulesetEvent( m_project->getFileName(), ruleset->getId())); m_project->undoStack->push(macro); } FWObject* ObjectManipulator::createObject(const QString &objType, const QString &objName, FWObject *copyFrom, QUndoCommand* macro) { if (fwbdebug) qDebug("ObjectManipulator::createObject check 1"); FWObject *lib = getCurrentLib(); int i = 0; if (fwbdebug) { qDebug("lib: %s %s", lib->getName().c_str(), FWObjectDatabase::getStringId(lib->getId()).c_str()); qDebug("libs->count()=%d", m_objectManipulator->libs->count() ); } while ( lib->getId()==FWObjectDatabase::STANDARD_LIB_ID || lib->getId()==FWObjectDatabase::TEMPLATE_LIB_ID || lib->getId()==FWObjectDatabase::DELETED_OBJECTS_ID || lib->isReadOnly() ) { if 
(i>=m_objectManipulator->libs->count()) { // if (fwbdebug) // qDebug("ObjectManipulator::createObject return NULL"); // return NULL; lib = getCurrentLib(); break; } // lib = idxToLibs[i]; lib = libs_model->getLibrary(i); if (fwbdebug) { qDebug("i=%d",i); qDebug("lib: %s %s", lib->getName().c_str(), FWObjectDatabase::getStringId(lib->getId()).c_str()); } i++; } FWObject *parent = FWBTree().getStandardSlotForObject(lib, objType); if (parent==NULL) { QMessageBox::warning(this,"Firewall Builder", QObject::tr( "Type '%1': new object can not be created because\n" "corresponding branch is missing in the object tree.\n" "Please repair the tree using command 'fwbedit checktree -f file.fwb'.") .arg(objType), "&Continue", QString::null, QString::null, 0, 1 ); return NULL; } return actuallyCreateObject(parent, objType, objName, copyFrom, macro); } FWObject* ObjectManipulator::createObject(FWObject *parent, const QString &objType, const QString &objName, FWObject *copyFrom, QUndoCommand* macro) { FWObject *lib = getCurrentLib(); int i = 0; assert(parent!=NULL); if (fwbdebug) { qDebug("ObjectManipulator::createObject 2: parent=%s", parent->getName().c_str()); qDebug("ObjectManipulator::createObject 2: objType=%s objName=%s", objType.toLatin1().constData(), objName.toLatin1().constData()); } while ( lib->getId()==FWObjectDatabase::STANDARD_LIB_ID || lib->getId()==FWObjectDatabase::TEMPLATE_LIB_ID || lib->getId()==FWObjectDatabase::DELETED_OBJECTS_ID || lib->isReadOnly() ) { if (i >= m_objectManipulator->libs->count()) { lib=getCurrentLib(); break; } // lib = idxToLibs[i]; lib = libs_model->getLibrary(i); i++; } if (parent==NULL) parent=lib; return actuallyCreateObject(parent, objType, objName, copyFrom, macro); } FWObject* ObjectManipulator::actuallyCreateObject(FWObject *parent, const QString &objType, const QString &objName, FWObject *copyFrom, QUndoCommand* macro) { FWObject *nobj=NULL; if (!isTreeReadWrite(this, parent)) return NULL; nobj = 
m_project->db()->create(objType.toLatin1().constData()); assert(nobj!=NULL); if (copyFrom!=NULL) nobj->duplicate(copyFrom, true); if (nobj->isReadOnly()) nobj->setReadOnly(false); QString new_name = makeNameUnique(parent, objName, objType); nobj->setName( string(new_name.toUtf8().constData()) ); if (objType == DNSName::TYPENAME) { if (st->getBool("Objects/DNSName/useCompileTimeForNewObjects")) DNSName::cast(nobj)->setRunTime(false); else DNSName::cast(nobj)->setRunTime(true); if (st->getBool("Objects/DNSName/useNameForDNSRecord")) DNSName::cast(nobj)->setSourceName(nobj->getName()); } if (objType == AddressTable::TYPENAME) { if (st->getBool("Objects/AddressTable/useCompileTimeForNewObjects")) AddressTable::cast(nobj)->setRunTime(false); else AddressTable::cast(nobj)->setRunTime(true); } FWCmdAddObject *cmd = new FWCmdAddObject( m_project, parent, nobj, QObject::tr("Create new %1").arg(objType), macro); FWObject *new_state = cmd->getNewState(); new_state->add(nobj); if (!macro) m_project->undoStack->push(cmd); m_project->db()->setDirty(true); if (objType == IPService::TYPENAME || objType == ICMPService::TYPENAME || objType == UDPService::TYPENAME || objType == TCPService::TYPENAME) reminderAboutStandardLib(); return nobj; } FWObject* ObjectManipulator::newLibrary(QUndoCommand* macro) { FWObject *nlib = FWBTree().createNewLibrary(m_project->db()); // m_project->createNewLibrary(m_project->db()); // At this point new library is already inserted into the object tree // but it has not been added to the QTreeWidget yet. 
FWCmdAddLibrary *cmd = new FWCmdAddLibrary( m_project, m_project->db(), NULL, QObject::tr("Create library"), macro); FWObject *new_state = cmd->getNewState(); m_project->db()->remove(nlib, false); new_state->add(nlib); // m_project->undoStack->push(cmd); m_project->db()->setDirty(true); return nlib; } FWObject* ObjectManipulator::newPolicyRuleSet(QUndoCommand* macro) { FWObject *currentObj = getSelectedObject(); if ( currentObj->isReadOnly() ) return NULL; QString name = "Policy"; Firewall * fw = Firewall::cast(currentObj); if (fw!=NULL) { int count = 0; for (FWObjectTypedChildIterator it = fw->findByType(Policy::TYPENAME);it != it.end(); ++it) count++; if (count>0) { name+="_"; name+=QString().setNum(count); } } FWObject *o = createObject(currentObj, Policy::TYPENAME, name, NULL, macro); this->getCurrentObjectTree()->sortItems(0, Qt::AscendingOrder); return o; } FWObject* ObjectManipulator::newNATRuleSet(QUndoCommand* macro) { FWObject *currentObj = getSelectedObject(); if ( currentObj->isReadOnly() ) return NULL; QString name = "NAT"; Firewall * fw = Firewall::cast(currentObj); if (fw!=NULL) { int count = 0; for (FWObjectTypedChildIterator it = fw->findByType(NAT::TYPENAME); it != it.end(); ++it) count++; if (count>0) { name += "_"; name += QString().setNum(count); } } FWObject *o = createObject(currentObj, NAT::TYPENAME, name, NULL, macro); this->getCurrentObjectTree()->sortItems(0, Qt::AscendingOrder); return o; } FWObject* ObjectManipulator::newFirewall(QUndoCommand* macro) { FWObject *parent = FWBTree().getStandardSlotForObject(getCurrentLib(), Firewall::TYPENAME); assert(parent); ObjectTreeViewItem* parent_item = allItems[parent]; assert(parent_item); newFirewallDialog *nfd = new newFirewallDialog(this, parent); if (mw->isEditorVisible()) mw->hideEditor(); nfd->setWindowModality(Qt::WindowModal); nfd->setWindowFlags(Qt::Window); nfd->exec(); FWObject *nfw = nfd->getNewFirewall(); delete nfd; if (nfw!=NULL) { FWCmdAddObject *cmd = new FWCmdAddObject( 
m_project, parent, NULL, QObject::tr("Create new Firewall"), macro); FWObject *new_state = cmd->getNewState(); parent->remove(nfw, false); new_state->add(nfw); } return nfw; } FWObject* ObjectManipulator::newCluster(QUndoCommand* macro, bool fromSelected) { FWObject *parent = FWBTree().getStandardSlotForObject(getCurrentLib(), Cluster::TYPENAME); assert(parent); ObjectTreeViewItem* parent_item = allItems[parent]; assert(parent_item); newClusterDialog *ncd = new newClusterDialog(this, parent); if (mw->isEditorVisible()) mw->hideEditor(); if (fromSelected) { if (fwbdebug) qDebug() << "ObjectManipulator::newCluster: creating cluster from selected firewalls"; ncd->setFirewallList(getCurrentObjectTree()->getSelectedObjects(), true); } else { list fwlist; mw->findAllFirewalls(fwlist); vector fwvector; foreach(Firewall* fw, fwlist) fwvector.push_back(FWObject::cast(fw)); ncd->setFirewallList(fwvector); } if ( ncd->exec() != QDialog::Accepted) return NULL; FWObject *ncl = ncd->getNewCluster(); delete ncd; if (ncl) { if (fwbdebug) qDebug() << "ObjectManipulator::newCluster checkpoint 1"; FWCmdAddObject *cmd = new FWCmdAddObject( m_project, parent, NULL, QObject::tr("Create new Cluster"), macro); // newCluster dialog may create backup copies of member firewalls, // to see them in the tree need to reload it. 
cmd->setNeedTreeReload(true); FWObject *new_state = cmd->getNewState(); parent->remove(ncl, false); new_state->add(ncl); // if (macro) // m_project->undoStack->push(cmd); } return ncl; } void ObjectManipulator::newClusterFromSelected() { FWCmdMacro* macro = new FWCmdMacro( FWBTree().getTranslatableNewObjectMenuText(Cluster::TYPENAME)); FWObject *ncl = newCluster(macro, true); if (ncl == NULL) { delete macro; return; } m_project->undoStack->push(macro); } FWObject* ObjectManipulator::newClusterIface(QUndoCommand* macro) { FWObject *currentObj = getSelectedObject(); if ( currentObj->isReadOnly() ) return NULL; QString new_name = makeNameUnique(currentObj, findNewestInterfaceName(currentObj), Interface::TYPENAME); return createObject(currentObj, Interface::TYPENAME, new_name, NULL, macro); } /* * Creates new state sync group; this method is called by context menu item * associated with Cluster object. * By default assume conntrack protocol and set group type accordingly. */ FWObject* ObjectManipulator::newStateSyncClusterGroup(QUndoCommand* macro) { FWObject *currentObj = getSelectedObject(); if ( currentObj->isReadOnly() ) return NULL; FWObject *o = NULL; FWObject *cluster = currentObj; while (cluster && !Cluster::isA(cluster)) cluster = cluster->getParent(); assert(cluster != NULL); QString host_os = cluster->getStr("host_OS").c_str(); list lst; getStateSyncTypesForOS(host_os, lst); if (lst.size() == 0) { // No state sync. 
protocols for this host OS QMessageBox::warning( this,"Firewall Builder", tr("Cluster host OS %1 does not support state synchronization").arg(host_os), "&Continue", QString::null, QString::null, 0, 1 ); return NULL; } QString group_type = lst.front().first; o = createObject(currentObj, StateSyncClusterGroup::TYPENAME, tr("State Sync Group"), NULL, macro); o->setStr("type", group_type.toStdString()); return o; } /* * Creates new failover group; this method is called by context menu item * associated with Interface object if its parent is a Cluster object * By default assume VRRP protocol and set group type accordingly. */ FWObject* ObjectManipulator::newFailoverClusterGroup(QUndoCommand* macro) { FWObject *currentObj = getSelectedObject(); if ( currentObj->isReadOnly() ) return NULL; FWObject *o = NULL; QString group_type; if (Interface::isA(currentObj)) { group_type = "vrrp"; } else { qWarning("newClusterGroup: invalid currentObj"); return NULL; } o = createObject(currentObj, FailoverClusterGroup::TYPENAME, tr("Failover group"), NULL, macro); o->setStr("type", group_type.toStdString()); return o; } /* * Creates new AttachedNetworks object; this method is called by * context menu item associated with Interface object */ FWObject* ObjectManipulator::newAttachedNetworks(QUndoCommand* macro) { FWObject *currentObj = getSelectedObject(); if ( currentObj->isReadOnly() ) return NULL; if (Interface::isA(currentObj)) { FWObject *no = createObject(currentObj, AttachedNetworks::TYPENAME, tr("Attached Networks"), NULL, macro); FWObject *parent_host = Host::getParentHost(currentObj); string name = parent_host->getName() + ":" + currentObj->getName() + ":attached"; no->setName(name); return no; } else { qWarning("newAttachedNetworks: invalid currentObj"); return NULL; } } FWObject* ObjectManipulator::newHost(QUndoCommand* macro) { FWObject *parent = FWBTree().getStandardSlotForObject(getCurrentLib(), Host::TYPENAME); assert(parent); newHostDialog *nhd = new newHostDialog(this, 
parent); if (mw->isEditorVisible()) mw->hideEditor(); nhd->exec(); FWObject *o = nhd->getNewHost(); delete nhd; if (o!=NULL) { FWCmdAddObject *cmd = new FWCmdAddObject( m_project, parent, NULL, QObject::tr("Create new Host"), macro); FWObject *new_state = cmd->getNewState(); parent->remove(o, false); new_state->add(o); } return o; } QString ObjectManipulator::findNewestInterfaceName(FWObject *parent) { time_t newest_interface = 0; QString newest_interface_name = "Interface"; // look for interfaces on the same level (do not use getByTypeDeep() because // it also finds subinterfaces) // find interface that was created last and use its name as a prototype for (FWObjectTypedChildIterator it = parent->findByType(Interface::TYPENAME); it != it.end(); ++it) { if (newest_interface < (*it)->getCreationTime()) { newest_interface = (*it)->getCreationTime(); newest_interface_name = (*it)->getName().c_str(); } } return newest_interface_name; } FWObject* ObjectManipulator::newInterface(QUndoCommand* macro) { FWObject *currentObj = getSelectedObject(); if ( currentObj->isReadOnly() ) return NULL; Interface *new_interface = NULL; FWObject *parent = NULL; // Note that Firewall::cast matches Firewall and Cluster if (Host::isA(currentObj) || Firewall::cast(currentObj)) parent = currentObj; if (Interface::isA(currentObj)) { FWObject *h = Host::getParentHost(currentObj); //FWObject *h = Interface::cast(currentObj)->getParentHost(); bool supports_advanced_ifaces = false; supports_advanced_ifaces = Resources::getTargetCapabilityBool(h->getStr("host_OS"), "supports_subinterfaces"); if (supports_advanced_ifaces) { parent = currentObj; } else { parent = h; } } if (parent == NULL) { // since we can;t find quitable parent for the new interface, // we can't create it. 
return NULL; } QString new_name = makeNameUnique(parent, findNewestInterfaceName(parent), Interface::TYPENAME); new_interface = Interface::cast( createObject(parent, Interface::TYPENAME, new_name, NULL, macro)); if (new_interface == NULL) return NULL; if (Interface::isA(parent)) { FWObject *parent_host = Host::getParentHost(parent); interfaceProperties *int_prop = interfacePropertiesObjectFactory::getInterfacePropertiesObject( parent_host); int_prop->guessSubInterfaceTypeAndAttributes(new_interface); delete int_prop; //guessSubInterfaceTypeAndAttributes(new_interface); } else new_interface->getOptionsObject()->setStr("type", "ethernet"); return new_interface; } FWObject* ObjectManipulator::newInterfaceAddress(QUndoCommand* macro) { FWObject *currentObj = getSelectedObject(); if ( currentObj->isReadOnly() ) return NULL; if (Interface::isA(currentObj)) { Interface *intf = Interface::cast(currentObj); if (intf && (intf->isDyn() || intf->isUnnumbered() || intf->isBridgePort()) ) return NULL; QString iname = getStandardName(currentObj, IPv4::TYPENAME, "ip"); iname = makeNameUnique(currentObj, iname, IPv4::TYPENAME); return createObject(currentObj, IPv4::TYPENAME, iname, NULL, macro); } // if current object is not interface, create address in the standard folder return createObject(IPv4::TYPENAME, FWBTree().getTranslatableObjectTypeName(IPv4::TYPENAME), NULL, macro); } FWObject* ObjectManipulator::newInterfaceAddressIPv6(QUndoCommand* macro) { FWObject *currentObj = getSelectedObject(); if ( currentObj->isReadOnly() ) return NULL; if (Interface::isA(currentObj)) { Interface *intf = Interface::cast(currentObj); if (intf && (intf->isDyn() || intf->isUnnumbered() || intf->isBridgePort()) ) return NULL; QString iname = getStandardName(currentObj, IPv4::TYPENAME, "ipv6"); iname = makeNameUnique(currentObj, iname, IPv4::TYPENAME); return createObject(currentObj, IPv6::TYPENAME, iname, NULL, macro); } // if current object is not interface, create address in the standard folder 
return createObject(IPv6::TYPENAME, FWBTree().getTranslatableObjectTypeName(IPv6::TYPENAME), NULL, macro); } FWObject* ObjectManipulator::newPhysicalAddress(QUndoCommand* macro) { FWObject *currentObj = getSelectedObject(); if ( currentObj->isReadOnly() ) return NULL; if (Interface::isA(currentObj)) { Interface *intf = Interface::cast(currentObj); if (intf->getByType(physAddress::TYPENAME).empty()) { QString iname=QString("%1:%2:mac") .arg(QString::fromUtf8(currentObj->getParent()->getName().c_str())) .arg(QString::fromUtf8(currentObj->getName().c_str())); return createObject(currentObj, physAddress::TYPENAME, iname, NULL, macro); } } return NULL; } void ObjectManipulator::reminderAboutStandardLib() { if (st->isReminderAboutStandardLibSuppressed()) return; st->suppressReminderAboutStandardLib(true); QMessageBox::information( this,"Firewall Builder", QObject::tr( "" "Did you know that Firewall Builder comes with over a hunderd " "standard address and service objects that represent " "often used protocols and services? You can " "find them in the object library \"Standard\"." "
" "
" "
" "" "" )); } fwbuilder-5.3.7/src/libgui/ObjectManipulator_new_object_checks.cpp000066400000000000000000000022711303637203600254250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id: ObjectManipulator_create_new.cpp 2747 2010-03-20 20:57:09Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "ObjectManipulator.h" using namespace std; using namespace libfwbuilder; bool ObjectManipulator::isObjectAllowed(const QString&) { return true; } bool ObjectManipulator::isObjectAllowed(FWObject*, FWObject*) { return true; } fwbuilder-5.3.7/src/libgui/ObjectManipulator_ops.cpp000066400000000000000000000717521303637203600226010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "events.h" #include "ObjectManipulator.h" #include "ObjectEditor.h" #include "ObjectTreeViewItem.h" #include "ObjectTreeView.h" #include "newGroupDialog.h" #include "FWObjectClipboard.h" #include "FindObjectWidget.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "FWCmdChange.h" #include "FWCmdAddObject.h" #include "FWCmdDeleteObject.h" #include "FWCmdMoveObject.h" #include "FWBTree.h" #include "FWWindow.h" #include "KeywordsDialog.h" #include "ProjectPanel.h" #include "ConfirmDeleteObjectDialog.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Library.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/StateSyncClusterGroup.h" #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; /* * this method initiates automatic renaming of children objects if necessary */ void ObjectManipulator::autoRenameChildren(FWObject *obj, const QString &oldName) { if (fwbdebug) qDebug() << "ObjectManipulator::autoRenameChildren changing name " << oldName.toLatin1() << "->" << QString::fromUtf8(obj->getName().c_str()); if (oldName == QString::fromUtf8(obj->getName().c_str())) return; QTreeWidgetItem *itm = allItems[obj]; assert(itm!=NULL); if ((QString::fromUtf8(obj->getName().c_str())!=oldName) && (Host::isA(obj) || Firewall::cast(obj)!=NULL || Interface::isA(obj))) { autorename(obj); } } void ObjectManipulator::autorename(FWObject *obj) { if (fwbdebug) qDebug() << "ObjectManipulator::autorename obj=" << 
obj->getName().c_str(); if (Host::isA(obj) || Firewall::cast(obj)!=NULL || Cluster::isA(obj)) { list il = obj->getByType(Interface::TYPENAME); for (list::iterator i=il.begin(); i!=il.end(); ++i) autorename(*i); list obj_list = obj->getByType(StateSyncClusterGroup::TYPENAME); for (list::iterator i=il.begin(); i!=il.end(); ++i) autorename(obj_list, StateSyncClusterGroup::TYPENAME, "members"); } if (Interface::isA(obj)) { list subinterfaces = obj->getByType(Interface::TYPENAME); list ipv4_list = obj->getByType(IPv4::TYPENAME); list ipv6_list = obj->getByType(IPv6::TYPENAME); list pa_list = obj->getByType(physAddress::TYPENAME); list failover_list = obj->getByType(FailoverClusterGroup::TYPENAME); list attached_list = obj->getByType(AttachedNetworks::TYPENAME); if (ipv4_list.size() || ipv6_list.size() || pa_list.size() || failover_list.size() || subinterfaces.size() || attached_list.size()) { list vlans; for (list::iterator j=subinterfaces.begin(); j!=subinterfaces.end(); ++j) { Interface *intf = Interface::cast(*j); if (intf->getOptionsObject()->getStr("type") == "8021q") vlans.push_back(intf); } if (vlans.size()) autorenameVlans(vlans); for (list::iterator j=subinterfaces.begin(); j!=subinterfaces.end(); ++j) autorename(*j); autorename(ipv4_list, IPv4::TYPENAME, "ip"); autorename(ipv6_list, IPv6::TYPENAME, "ip6"); autorename(pa_list, physAddress::TYPENAME, "mac"); autorename(failover_list, FailoverClusterGroup::TYPENAME, "members"); autorename(attached_list, AttachedNetworks::TYPENAME, "attached"); } } } void ObjectManipulator::autorename(list &obj_list, const string &objtype, const string &namesuffix) { for (list::iterator j=obj_list.begin(); j!=obj_list.end(); ++j) { FWObject *obj = *j; QString old_name = obj->getName().c_str(); FWObject *parent = obj->getParent(); QString name = getStandardName(parent, objtype, namesuffix); name = makeNameUnique(parent, name, objtype.c_str()); if (name != old_name) { FWCmdChange* cmd = new FWCmdChangeName(m_project, obj); FWObject* 
new_state = cmd->getNewState(); new_state->setName(string(name.toUtf8())); m_project->undoStack->push(cmd); } } } void ObjectManipulator::autorenameVlans(list &obj_list) { for (list::iterator j=obj_list.begin(); j!=obj_list.end(); ++j) { FWObject *obj = *j; FWObject *parent = obj->getParent(); FWObject *fw = parent; while (fw && Firewall::cast(fw)==NULL) fw = fw->getParent(); assert(fw); QString obj_name = QString::fromUtf8(obj->getName().c_str()); std::auto_ptr int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject(fw)); if (int_prop->looksLikeVlanInterface(obj_name)) { // even though we only call this function if the type of // this interface is 8021q, need to check its naming // schema as well. We can't automatically rename // interfaces that do not follow known naming convention. QString base_name; int vlan_id; int_prop->parseVlan(obj_name, &base_name, &vlan_id); if (base_name != "vlan") { QString new_name = QString("%1.%2") .arg(QString::fromUtf8( parent->getName().c_str())) .arg(vlan_id); if (new_name != QString::fromUtf8(obj->getName().c_str())) { FWCmdChange* cmd = new FWCmdChangeName(m_project, obj); FWObject* new_state = cmd->getNewState(); new_state->setName(string(new_name.toUtf8())); m_project->undoStack->push(cmd); } } } } } FWObject* ObjectManipulator::duplicateObject(FWObject *targetLib, FWObject *obj) { if (!isTreeReadWrite(this, targetLib)) return NULL; // we disable copy/cut/paste/duplicate menu items for objects that // can't be copied or duplicated in // ObjectManipulator::getMenuState() but will check here just in // case if (AttachedNetworks::isA(obj)) return NULL; openLib(targetLib); FWObject *new_parent = FWBTree().getStandardSlotForObject( targetLib, obj->getTypeName().c_str()); if (new_parent == NULL) new_parent = obj->getParent(); QString newName = makeNameUnique(new_parent, QString::fromUtf8(obj->getName().c_str()), obj->getTypeName().c_str()); if (!isObjectAllowed(new_parent, obj)) return NULL; return 
createObject(obj->getTypeName().c_str(), newName, obj); } void ObjectManipulator::moveObject(FWObject *targetLib, FWObject *obj) { FWObject *cl=getCurrentLib(); if (cl==targetLib) return; FWObject *grp = NULL; if (FWObjectDatabase::isA(targetLib)) grp = targetLib; else { grp = FWBTree().getStandardSlotForObject( targetLib, obj->getTypeName().c_str()); } if (grp==NULL) grp=targetLib; if (!grp->isReadOnly()) { map > reference_holders; FWCmdMoveObject *cmd = new FWCmdMoveObject(m_project, obj->getParent(), grp, obj, reference_holders, "Move object"); m_project->undoStack->push(cmd); } if (fwbdebug) qDebug("ObjectManipulator::moveObject all done"); } /* * targetLibName is the name of the target library in Unicode */ void ObjectManipulator::moveObject(const QString &targetLibName, FWObject *obj) { list ll = m_project->db()->getByType( Library::TYPENAME ); for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { FWObject *lib=*i; if (targetLibName==QString::fromUtf8(lib->getName().c_str())) { if (fwbdebug) qDebug("ObjectManipulator::moveObject found lib %s", lib->getName().c_str() ); moveObject(lib,obj); } } } FWObject* ObjectManipulator::pasteTo(FWObject *target, FWObject *obj) { map map_ids; return actuallyPasteTo(target, obj, map_ids); } FWObject* ObjectManipulator::actuallyPasteTo(FWObject *target, FWObject *obj, std::map &map_ids) { //FWObject *res = NULL; FWObject *ta = prepareForInsertion(target, obj); if (ta == NULL) return NULL; if (!isObjectAllowed(ta, obj)) return NULL; // we disable copy/cut/paste/duplicate menu items for objects that // can't be copied or duplicated in // ObjectManipulator::getMenuState() but will check here just in // case if (AttachedNetworks::isA(obj)) return NULL; if (fwbdebug) qDebug() << "ObjectManipulator::actuallyPasteTo" << "target=" << target->getPath().c_str() << "ta=" << ta->getPath().c_str(); QString new_name = makeNameUnique( ta, obj->getName().c_str(), obj->getTypeName().c_str()); try { /* clipboard holds a copy of the object 
*/ if (obj->getRoot() != ta->getRoot()) { if (fwbdebug) qDebug("Copy object %s (%d) to a different object tree", obj->getName().c_str(), obj->getId()); FWCmdAddObject *cmd = new FWCmdAddObject(m_project, target, NULL, QObject::tr("Paste object")); FWObject *new_state = cmd->getNewState(); cmd->setNeedTreeReload(true); // recursivelyCopySubtree() needs access to the target tree root // when it copies subtree, so have to copy into the actual target // tree. FWObject *nobj = m_project->db()->recursivelyCopySubtree(target, obj, map_ids); if (new_name != nobj->getName().c_str()) nobj->setName(string(new_name.toUtf8())); target->remove(nobj, false); new_state->add(nobj); m_project->undoStack->push(cmd); return nobj; } Group *grp = Group::cast(ta); if (grp!=NULL && !FWBTree().isSystem(ta)) { if (fwbdebug) qDebug("Copy object %s (%d) to a regular group", obj->getName().c_str(), obj->getId()); /* check for duplicates. We just won't add an object if it is already there */ int cp_id = obj->getId(); list::iterator j; for (j=grp->begin(); j!=grp->end(); ++j) { FWObject *o1=*j; if(cp_id==o1->getId()) return o1; FWReference *ref; if( (ref=FWReference::cast(o1))!=NULL && cp_id==ref->getPointerId()) return o1; } FWCmdChange *cmd = new FWCmdChange( m_project, grp, QObject::tr("Paste object")); //cmd->setNeedTreeReload(false); FWObject *new_state = cmd->getNewState(); new_state->addRef(obj); m_project->undoStack->push(cmd); return obj; } else { /* add a copy of the object to system group , or * add ruleset object to a firewall. 
*/ if (fwbdebug) qDebug("Copy object %s (%d) to a system group, " "a ruleset to a firewall or an address to an interface", obj->getName().c_str(), obj->getId()); FWObject *nobj = m_project->db()->create(obj->getTypeName()); assert(nobj!=NULL); //nobj->ref(); nobj->duplicate(obj, true); if (new_name != nobj->getName().c_str()) nobj->setName(string(new_name.toUtf8())); // If we paste interface, reset the type of the copy // See #299 if (Interface::isA(obj) && Interface::isA(ta)) { Interface *new_intf = Interface::cast(nobj); new_intf->getOptionsObject()->setStr("type", "ethernet"); // see #391 : need to reset "mamagement" flag in the copy // to make sure we do not end up with two management interfaces new_intf->setManagement(false); } FWCmdChange *cmd = new FWCmdAddObject(m_project, ta, nobj, QObject::tr("Paste object")); FWObject *new_state = cmd->getNewState(); // adding object to new_state is reduntant but // FWCmdAddObject supports this for consistency new_state->add(nobj); m_project->undoStack->push(cmd); return nobj; } } catch(FWException &ex) { QMessageBox::warning( this,"Firewall Builder", ex.toString().c_str(), "&Continue", QString::null,QString::null, 0, 1 ); } return NULL; } void ObjectManipulator::lockObject() { if (fwbdebug) qDebug() << "ObjectManipulator::lockObject selected:" << getCurrentObjectTree()->getNumSelected(); if (getCurrentObjectTree()->getNumSelected()==0) return; try { FWObject *obj; vector so = getCurrentObjectTree()->getSimplifiedSelection(); for (vector::iterator i=so.begin(); i!=so.end(); ++i) { obj= *i; FWObject *lib = obj->getLibrary(); // these lbraries are locked anyway, do not let the user // lock objects inside because they won't be able to unlock them. 
if (lib->getId()!=FWObjectDatabase::STANDARD_LIB_ID) { std::auto_ptr cmd( new FWCmdLockObject(m_project, obj, tr("Lock object ") + QString::fromUtf8(obj->getName().c_str()))); FWObject* new_state = cmd->getNewState(); new_state->setReadOnly(true); if (!cmd->getOldState()->cmp(new_state, true)) m_project->undoStack->push(cmd.release()); } } // Arguably, locking an object should not change lastModified timestamp // because none of the attributes that affect generated policy change. //QCoreApplication::postEvent( // mw, new dataModifiedEvent(m_project->getFileName(), 0)); } catch (FWException &ex) { qDebug() << ex.toString().c_str(); } } void ObjectManipulator::unlockObject() { if (fwbdebug) qDebug() << "ObjectManipulator::unlockObject selected:" << getCurrentObjectTree()->getNumSelected(); if (getCurrentObjectTree()->getNumSelected()==0) return; try { FWObject *obj; vector so = getCurrentObjectTree()->getSimplifiedSelection(); for (vector::iterator i=so.begin(); i!=so.end(); ++i) { obj= *i; FWObject *lib = obj->getLibrary(); if (lib->getId()!=FWObjectDatabase::STANDARD_LIB_ID) { std::auto_ptr cmd( new FWCmdLockObject(m_project, obj, tr("Unlock object ") + QString::fromUtf8(obj->getName().c_str()))); FWObject* new_state = cmd->getNewState(); new_state->setReadOnly(false); if (!cmd->getOldState()->cmp(new_state, true)) m_project->undoStack->push(cmd.release()); } } } catch (FWException &ex) { qDebug() << ex.toString().c_str(); } } void ObjectManipulator::deleteObject(FWObject *obj, QUndoCommand* macro) { bool firstAction = true ; Q_UNUSED(firstAction); if (fwbdebug) qDebug() << "ObjectManipulator::deleteObject" << "obj=" << obj << "name=" << obj->getName().c_str(); FWObject *object_library = obj->getLibrary(); FWObject *parent = obj->getParent(); Q_UNUSED(parent); FWObject *deleted_objects_lib = m_project->db()->findInIndex( FWObjectDatabase::DELETED_OBJECTS_ID ); if (deleted_objects_lib == NULL) { FWObject *dobj = m_project->db()->createLibrary(); 
dobj->setId(FWObjectDatabase::DELETED_OBJECTS_ID); dobj->setName("Deleted Objects"); dobj->setReadOnly(false); m_project->db()->add(dobj); deleted_objects_lib = dobj; } if (object_library->getId() == FWObjectDatabase::STANDARD_LIB_ID) return; if (obj->isReadOnly()) return; if (obj->getId() == FWObjectDatabase::STANDARD_LIB_ID || obj->getId() == FWObjectDatabase::DELETED_OBJECTS_ID) return; bool is_library = Library::isA(obj); bool is_firewall = Firewall::cast(obj) != NULL; // includes Cluster too bool is_deleted_object = (deleted_objects_lib!=NULL && obj->isChildOf(deleted_objects_lib)); // ruleset_visible == true if 1) we delete firewall object and one of its // rulesets is visible in the project panel, or 2) we delete ruleset object // which is visible in the project panel bool ruleset_visible = ( (is_firewall && m_project->getCurrentRuleSet()->isChildOf(obj)) || (m_project->getCurrentRuleSet() == obj)); mw->findObjectWidget->reset(); QCoreApplication::postEvent( mw, new closeObjectEvent(m_project->getFileName(), obj->getId())); #if 0 // Remove object we are about to delete from the clipboard. 
// Sequence "delete then paste" is risky if the object is pasted into // a group or rule where only reference is added FWObjectClipboard::obj_clipboard->remove(obj); #endif try { if (fwbdebug) qDebug() << "ObjectManipulator::deleteObject" << "is_library=" << is_library << "is_firewall= " << is_firewall << "ruleset_visible=" << ruleset_visible << "is_deleted_object="<< is_deleted_object; if (is_deleted_object) { unselect(); FWCmdDeleteObject *cmd = new FWCmdDeleteObject( m_project, obj, QString("Delete object"), macro); if (macro==0) m_project->undoStack->push(cmd); return; } if (is_library && obj->isReadOnly()) obj->setReadOnly(false); if (is_library) parent = m_project->db()->getFirstByType(Library::TYPENAME); actuallyDeleteObject(obj, macro); if (ruleset_visible) m_project->closeRuleSetPanel(); } catch (FWException &ex) { if (fwbdebug) qDebug() << "ObjectManipulator::deleteObject:" << "catch: restoreOverrideCursor"; QApplication::restoreOverrideCursor(); QMessageBox::warning( this,"Firewall Builder", ex.toString().c_str(), "&Continue", QString::null,QString::null, 0, 1 ); throw(ex); } if (fwbdebug) qDebug("ObjectManipulator::deleteObject done"); firstAction = false ; } /* * Here we build set of dependencies for @obj, create command to * delete it and push it to the undo stack. 
*/ void ObjectManipulator::actuallyDeleteObject(FWObject *obj, QUndoCommand* macro) { map > reference_holders; UsageResolver().findAllReferenceHolders(obj, m_project->db(), reference_holders); FWObject *deleted_objects_lib = m_project->db()->findInIndex( FWObjectDatabase::DELETED_OBJECTS_ID); FWCmdMoveObject *cmd = new FWCmdMoveObject( m_project, obj->getParent(), deleted_objects_lib, obj, reference_holders, QString("Delete object"), macro); if (macro == 0) m_project->undoStack->push(cmd); } void ObjectManipulator::objectMoved(FWObject* obj) { openLibForObject(obj); } void ObjectManipulator::groupObjects() { if (getCurrentObjectTree()->getNumSelected()==0) return; FWObject *co = getCurrentObjectTree()->getSelectedObjects().front(); newGroupDialog ngd(this, m_project->db()); if (ngd.exec()==QDialog::Accepted) { QString objName = ngd.m_dialog->obj_name->text(); QString libName = ngd.m_dialog->libs->currentText(); QString type = ObjectGroup::TYPENAME; if (Service::cast(co)!=NULL) type=ServiceGroup::TYPENAME; if (Interval::cast(co)!=NULL) type=IntervalGroup::TYPENAME; FWObject *parent = NULL; FWObject *newgrp = NULL; list ll = m_project->db()->getByType( Library::TYPENAME ); for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { FWObject *lib=*i; if (libName==QString::fromUtf8(lib->getName().c_str())) { /* TODO: need to show a dialog and say that chosen library is * read-only. 
this is not critical though since newGroupDialog fills * the pull-down only with names of read-write libraries */ if (lib->isReadOnly()) return; parent = FWBTree().getStandardSlotForObject(lib,type); if (parent==NULL) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("ObjectManipulator::groupObjects(): could not find standard slot for object of type %s in library %s", type.toAscii().constData(),lib->getName().c_str()); #else if (fwbdebug) qDebug("ObjectManipulator::groupObjects(): could not find standard slot for object of type %s in library %s", type.toLatin1().constData(),lib->getName().c_str()); #endif return; } newgrp = m_project->db()->create(type.toStdString()); newgrp->setName(string(objName.toUtf8().constData())); break; } } if (newgrp==NULL) return; FWCmdAddObject *cmd = new FWCmdAddObject( m_project, parent, newgrp, QObject::tr("Create new group")); FWObject *new_state = cmd->getNewState(); new_state->add(newgrp); vector so = getCurrentObjectTree()->getSimplifiedSelection(); for (vector::iterator i=so.begin(); i!=so.end(); ++i) newgrp->addRef(*i); m_project->undoStack->push(cmd); } } static void doKeyword(vector objs, bool doAdd, const string &keyword, ProjectPanel *project) { vector::const_iterator iter; for (iter = objs.begin(); iter != objs.end(); ++iter) { FWObject *obj = *iter; FWCmdChange *cmd = new FWCmdChange(project, obj); FWObject *newObj = cmd->getNewState(); if (doAdd) { newObj->addKeyword(keyword); } else { newObj->removeKeyword(keyword); } if (!obj->cmp(newObj)) { project->undoStack->push(cmd); } else { delete cmd; } } } void ObjectManipulator::addNewKeywordSlot() { QString keyword = QInputDialog::getText(0, tr("Add New Keyword"), tr("Enter new keyword to add to selected objects")); keyword = keyword.simplified(); if (fwbdebug) { qDebug() << "ObjectManipulator::addNewKeyword: " << keyword; } if (!KeywordsDialog::validateKeyword(0, keyword)) return; doKeyword(getCurrentObjectTree()->getSelectedObjects(), true, 
keyword.toUtf8().constData(), m_project); } void ObjectManipulator::processKeywordSlot() { const QObject *qObj = sender(); if (qObj == 0) return; const QAction *qAct = dynamic_cast(qObj); QStringList list = qAct->data().toStringList(); if (list.size() != 2) return; if (fwbdebug) { qDebug() << "ObjectManipulator::processKeyword:" << list; } doKeyword(getCurrentObjectTree()->getSelectedObjects(), (list[0] == "add"), list[1].toUtf8().constData(), m_project); } void ObjectManipulator::addSubfolderSlot() { const QAction *qAct = dynamic_cast(sender()); if (qAct == 0) return; FWObject *obj = getCurrentObjectTree()->getCurrentObject(); assert(obj->getId() == qAct->data().toInt()); QString folder = QInputDialog::getText(0, tr("Add Subfolder"), tr("Enter new subfolder name")); folder = folder.simplified(); if (folder.isEmpty()) return; if (folder.contains(',')) { QMessageBox::warning(this, "Firewall Builder", tr("Subfolder cannot contain a comma"), "&OK", QString::null, QString::null, 0, 1); return; } /* See if the subfolder already exists */ string folderStr = folder.toUtf8().constData(); set folders = stringToSet(obj->getStr("subfolders")); if (folders.find(folderStr) != folders.end()) return; folders.insert(folderStr); if (fwbdebug) { qDebug() << "ObjectManipulator::addSubfolder: " << folder; } FWCmdAddUserFolder *cmd = new FWCmdAddUserFolder(m_project, obj, folder, tr("Add subfolder")); FWObject *newObj = cmd->getNewState(); newObj->setStr("subfolders", setToString(folders)); m_project->undoStack->push(cmd); } void ObjectManipulator::removeUserFolder() { ObjectTreeViewItem *item = dynamic_cast (getCurrentObjectTree()->currentItem()); if (item == 0 || item->getUserFolderParent() == 0) return; ObjectTreeViewItem *parent = dynamic_cast (item->parent()); assert(parent != 0); vector objs; for (int ii = 0; ii < item->childCount(); ii++) { ObjectTreeViewItem *child = dynamic_cast (item->child(ii)); FWObject *obj = child->getFWObject(); if (obj->getRO()) { 
QMessageBox::critical(this, "Firewall Builder", tr("Folder with locked object " "cannot be deleted")); return; } objs.push_back(obj); } if (objs.size() > 0) { QApplication::setOverrideCursor(QCursor(Qt::WaitCursor)); ConfirmDeleteObjectDialog confirm(this); confirm.load(objs); QApplication::restoreOverrideCursor(); if (confirm.exec() == QDialog::Rejected) return; } FWCmdMacro *macro = new FWCmdMacro(tr("Delete user folder")); QList children = item->takeChildren(); while (!children.isEmpty()) { ObjectTreeViewItem *child = dynamic_cast (children.takeFirst()); assert(child != 0); FWObject *obj = child->getFWObject(); if (mw->isEditorVisible() && mw->getOpenedEditor() == obj) { mw->hideEditor(); } deleteObject(obj, macro); } FWCmdRemoveUserFolder *cmd = new FWCmdRemoveUserFolder(m_project, parent->getFWObject(), item->getUserFolderName(), "", macro); FWObject *newObj = cmd->getNewState(); set folders = stringToSet(newObj->getStr("subfolders")); folders.erase(item->getUserFolderName().toUtf8().constData()); newObj->setStr("subfolders", setToString(folders)); m_project->undoStack->push(macro); } fwbuilder-5.3.7/src/libgui/ObjectManipulator_slots.cpp000066400000000000000000000352771303637203600231460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "events.h" #include "listOfLibrariesModel.h" #include "ObjectManipulator.h" #include "ObjectEditor.h" #include "ObjectTreeViewItem.h" #include "ObjectTreeView.h" #include "newGroupDialog.h" #include "FWObjectClipboard.h" #include "FindObjectWidget.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "FWCmdChange.h" #include "FWCmdAddObject.h" #include "FWBTree.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "ConfirmDeleteObjectDialog.h" #include "FWCmdMoveObject.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Library.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; void ObjectManipulator::undeleteLibrary() { if (getCurrentObjectTree()->getNumSelected()==0) return; FWObject *obj = getCurrentObjectTree()->getSelectedObjects().front(); if (obj==NULL) return; // check that obj is in Deleted objects library. 
We do not show menu item // "Undelete" if it isnt, but will double check anyway if (Library::isA(obj) && obj->getParent()->getId()==FWObjectDatabase::DELETED_OBJECTS_ID) { map > reference_holders; FWCmdMoveObject *cmd = new FWCmdMoveObject( m_project, obj->getParent(), obj->getRoot(), obj, reference_holders, QString("Undelete library object"), 0); m_project->undoStack->push(cmd); } } /* * moveObj is a slot called from the context menu */ void ObjectManipulator::moveObj(QAction* action) { int libid = action->data().toInt(); if (getCurrentObjectTree()->getNumSelected()==0) return; ObjectTreeView* ot=getCurrentObjectTree(); ot->freezeSelection(true); FWObject *obj; FWObject *targetLib = libs_model->getLibrary(libid); vector so = getCurrentObjectTree()->getSimplifiedSelection(); for (vector::iterator i=so.begin(); i!=so.end(); ++i) { obj= *i; if (fwbdebug) { qDebug("ObjectManipulator::moveObj obj=%p obj: %s", obj, obj->getName().c_str() ); } if (Library::isA(obj)) { /* We can only move library to the root of the tree. This case only * happens when user tries to undelete a library. */ moveObject(m_project->db(),obj); } else { if (obj->isChildOf(targetLib)) continue; if ( FWBTree().isSystem(obj) || Interface::isA(obj) || Interface::isA(obj->getParent())) continue; moveObject(targetLib, obj); } QCoreApplication::postEvent( mw, new dataModifiedEvent(m_project->getFileName(), obj->getId())); } ot->freezeSelection(false); } void ObjectManipulator::copyObj() { if (getCurrentObjectTree()->getNumSelected()==0) return; FWObject *obj; FWObjectClipboard::obj_clipboard->clear(); vector so = getCurrentObjectTree()->getSimplifiedSelection(); for (vector::iterator i=so.begin(); i!=so.end(); ++i) { obj = *i; if ( ! FWBTree().isSystem(obj) ) { // while obj is still part of the tree, do some clean up // to avoid problems in the future. Create // InterfaceOptions objects for interfaces because we'll // need them for various validations during paste // operation. 
Interface *intf = Interface::cast(obj); if (intf) intf->getOptionsObject(); FWObjectClipboard::obj_clipboard->add(obj, m_project); mw->showStatusBarMessage( tr("Copy object '%1' to clipboard'").arg( QString::fromUtf8(obj->getName().c_str()))); } } } void ObjectManipulator::cutObj() { // Start macro to hide the name of the undo command created in // delObj. Normally its name is "Delete object". FWCmdMacro* macro = new FWCmdMacro(tr("Cut object")); copyObj(); delObj(macro); // works with the list getCurrentObjectTree()->getSelectedObjects() m_project->undoStack->push(macro); } void ObjectManipulator::pasteObj() { if (getCurrentObjectTree()->getNumSelected()==0) return; FWObject *target_object = getCurrentObjectTree()->getSelectedObjects().front(); if (target_object==NULL) return; vector >::iterator i; int idx = 0; FWObject *last_object = NULL; Q_UNUSED(last_object); map map_ids; if (fwbdebug) { qDebug() << "**************** pasteObj loop starts"; qDebug() << "Target object: " << target_object->getPath().c_str(); } // If we copy many objects in the following loop, and some of them // are groups that refer other objects in the same batch, then it // is possible that an object would be copied by // FWObjectDatabase::recursivelyCopySubtree() by the way of a // reference from a group, and then the same object is found in // the list of objects to be copied AGAIN. Since this object is // already present in the target object tree by the time it needs // to be copied again, actuallyPasteTo() chooses the path for // copying of objects inside the same tree and creates a copy. To // avoid this, prepare a list of objects to be copied before copy // operation starts. 
list copy_objects; for (i= FWObjectClipboard::obj_clipboard->begin(); i!=FWObjectClipboard::obj_clipboard->end(); ++i) { FWObject *co = FWObjectClipboard::obj_clipboard->getObjectByIdx(idx); copy_objects.push_back(co); idx++; } for (list::iterator i=copy_objects.begin(); i!=copy_objects.end(); ++i) { FWObject *co = *i; if (fwbdebug) qDebug("Copy object %s (id=%d, root=%p)", co->getName().c_str(), co->getId(), co->getRoot()); if (map_ids.count(co->getId()) > 0) continue; // Check if we have already copied the same object before QString buff; buff.sprintf(".copy_of_%p", co->getRoot()); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) string dedup_attribute = buff.toAscii().constData(); #else string dedup_attribute = buff.toLatin1().constData(); #endif buff.sprintf("%d", co->getId()); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QByteArray bytes = buff.toAscii(); #else QByteArray bytes = buff.toLatin1(); #endif FWObject *n_obj = target_object->getRoot()->findObjectByAttribute(dedup_attribute, bytes.constData()); if (n_obj) continue; last_object = actuallyPasteTo(target_object, co, map_ids); } if (fwbdebug) qDebug("**************** pasteObj loop done"); } void ObjectManipulator::duplicateObj(QAction *action) { int libid = action->data().toInt(); if (getCurrentObjectTree()->getNumSelected()==0) return; ObjectTreeView* ot=getCurrentObjectTree(); ot->freezeSelection(true); FWObject *obj; FWObject *nobj = NULL; vector so = getCurrentObjectTree()->getSimplifiedSelection(); for (vector::iterator i=so.begin(); i!=so.end(); ++i) { obj= *i; if ( FWBTree().isSystem(obj) || Interface::isA(obj) ) continue; FWObject *cl = libs_model->getLibrary(libid); nobj = duplicateObject(cl, obj); } if (nobj) editObject(nobj); ot->freezeSelection(false); } /* * Note: this slot gets controlwhen user presses "Delete" key in * addition to menu items activation */ void ObjectManipulator::delObj(QUndoCommand* macro) { if (fwbdebug) qDebug("ObjectManipulator::delObj selected %d objects ", 
getCurrentObjectTree()->getNumSelected()); if (getCurrentObjectTree()->getNumSelected()==0) return; FWObject *current_library = getCurrentLib(); if (current_library->getId() == FWObjectDatabase::STANDARD_LIB_ID) return; FWObject *obj; vector so = getCurrentObjectTree()->getSimplifiedSelection(); vector so2; for (vector::iterator i=so.begin(); i!=so.end(); ++i) { bool del_obj_status = getDeleteMenuState(*i); if (fwbdebug) qDebug("ObjectManipulator::delObj object: %s del_obj_status=%d", (*i)->getName().c_str(), del_obj_status); if (del_obj_status) so2.push_back(*i); } if (so2.size()==0) return; if (so2.size() > 1 || ! Library::isA(so2.front())) { QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) ); ConfirmDeleteObjectDialog * dlg = new ConfirmDeleteObjectDialog(this); dlg->load(so2); QApplication::restoreOverrideCursor(); if(dlg->exec()==QDialog::Rejected ) return; } /* need to work with a copy of the list of selected objects because * some of the methods we call below clear list * getCurrentObjectTree()->getSelectedObjects() */ try { for (vector::iterator i=so2.begin(); i!=so2.end(); ++i) { obj= *i; if ( ! 
FWBTree().isSystem(obj) ) { if (Library::isA(obj)) { list ll=m_project->db()->getByType(Library::TYPENAME); if (ll.size()==1) return; if (QMessageBox::warning( this,"Firewall Builder", tr( "When you delete a library, all objects that belong to it\n" "disappear from the tree and all groups and rules that reference them.\n" "Do you still want to delete library %1?") .arg(QString::fromUtf8(obj->getName().c_str())), tr("&Yes"), tr("&No"), QString::null, 0, 1 )!=0 ) continue; } if (mw->isEditorVisible() && mw->getOpenedEditor()==obj) mw->hideEditor(); deleteObject(obj, macro); } } } catch(FWException &ex) { } } void ObjectManipulator::dumpObj() { if (getCurrentObjectTree()->getNumSelected()==0) return; FWObject *obj=getCurrentObjectTree()->getSelectedObjects().front(); if (obj==NULL) return; obj->dump(true,false); } void ObjectManipulator::compile() { if (getCurrentObjectTree()->getNumSelected()==0) return; vector so = getCurrentObjectTree()->getSimplifiedSelection(); set fo; filterFirewallsFromSelection(so, fo); if (fwbdebug) qDebug("ObjectManipulator::compile filtered %d firewalls", int(fo.size())); m_project->compile(fo); } void ObjectManipulator::install() { if (getCurrentObjectTree()->getNumSelected()==0) return; vector so = getCurrentObjectTree()->getSimplifiedSelection(); set fo; filterFirewallsFromSelection(so,fo); m_project->install(fo); } void ObjectManipulator::inspect() { if (getCurrentObjectTree()->getNumSelected()==0) return; vector so = getCurrentObjectTree()->getSimplifiedSelection(); set fws; filterFirewallsFromSelection(so,fws); set fwset; foreach(Firewall *fw, fws) if (Cluster::isA(fw)) { std::list cfws; Cluster::cast(fw)->getMembersList(cfws); foreach(Firewall *f, cfws) fwset.insert(f); } else { fwset.insert(fw); } m_project->inspect(fwset); } void ObjectManipulator::find() { if (getCurrentObjectTree()->getNumSelected()==0) return; FWObject *obj=getCurrentObjectTree()->getSelectedObjects().front(); if (obj==NULL) return; m_project->setFDObject(obj); 
} void ObjectManipulator::findObject() { if (getCurrentObjectTree()->getNumSelected()==0) return; FWObject *obj=getCurrentObjectTree()->getSelectedObjects().front(); if (obj==NULL) return; mw->findObject( obj ); } void ObjectManipulator::findWhereUsedSlot() { if (getCurrentObjectTree()->getNumSelected()==0) return; FWObject *obj = getCurrentObjectTree()->getSelectedObjects().front(); if (obj==NULL) return; mw->findWhereUsed(obj, m_project); } void ObjectManipulator::makeSubinterface(QAction *act) { int intf_id = act->data().toInt(); FWObject *new_parent_interface = m_project->db()->findInIndex(intf_id); assert(new_parent_interface!=NULL); if (getCurrentObjectTree()->getNumSelected()==0) return; ObjectTreeView* ot = getCurrentObjectTree(); ot->freezeSelection(true); FWObject *obj; vector so = getCurrentObjectTree()->getSimplifiedSelection(); for (vector::iterator i=so.begin(); i!=so.end(); ++i) { obj = *i; if (obj->getParent() == new_parent_interface) continue; if (fwbdebug) qDebug() << "ObjectManipulator::makeSubinterface" << "obj=" << obj << obj->getName().c_str() << "new parent:" << new_parent_interface->getName().c_str(); // new_parent_interface->reparent(obj); map > reference_holders; FWCmdMoveObject *cmd = new FWCmdMoveObject( m_project, obj->getParent(), new_parent_interface, obj, reference_holders, QString("Make an interface a subinterface"), 0); m_project->undoStack->push(cmd); } ot->freezeSelection(false); } fwbuilder-5.3.7/src/libgui/ObjectManipulator_tree_ops.cpp000066400000000000000000000653101303637203600236110ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "platforms.h" #include "listOfLibrariesModel.h" #include "ObjectManipulator.h" #include "ObjectEditor.h" #include "ObjectTreeViewItem.h" #include "ObjectTreeView.h" #include "FWObjectClipboard.h" #include "FWObjectPropertiesFactory.h" #include "FWBSettings.h" #include "newFirewallDialog.h" #include "newClusterDialog.h" #include "newHostDialog.h" #include "findDialog.h" #include "newGroupDialog.h" #include "FindObjectWidget.h" #include "AskLibForCopyDialog.h" #include "FindWhereUsedWidget.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "events.h" #include "FWCmdChange.h" #include "FWCmdAddObject.h" #include "FWCmdMoveObject.h" #include "IconSetter.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "DialogFactory.h" #include "FWBTree.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "ConfirmDeleteObjectDialog.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Host.h" #include "fwbuilder/AttachedNetworks.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/DNSName.h" 
#include "fwbuilder/AddressTable.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/Interface.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" #include "fwbuilder/Management.h" #include #include #include #include using namespace std; using namespace libfwbuilder; #define OBJTREEVIEW_WIDGET_NAME "ObjTreeView" /* * This method decides what should be shown in the columns 0 and 1 of * the tree for the given object */ QString ObjectManipulator::getTreeLabel(FWObject *obj, int col) { switch (col) { case 0: { QString name = QString::fromUtf8(obj->getName().c_str()); if (Interface::isA(obj)) { Interface *intf = Interface::cast(obj); QString label = QString::fromUtf8(intf->getLabel().c_str()); if (label.isEmpty()) return name; else return QString("%1 (%2)").arg(name).arg(label); } else return name; break; } case 1: return FWObjectPropertiesFactory::getObjectPropertiesBrief(obj); } return ""; } void ObjectManipulator::expandObjectInTree(FWObject *obj) { FWObject *o = FWReference::getObject(obj); if (fwbdebug) qDebug() << "ObjectManipulator::expandObjectInTree" << "o=" << QString::fromUtf8(o->getName().c_str()); //if (FWReference::cast(o)!=NULL) o = FWReference::cast(o)->getPointer(); QTreeWidgetItem *it = allItems[o]; if (it==NULL) { if (fwbdebug) qDebug() << "#### Tree node not found"; return; } expandOrCollapseCurrentTreeNode(it, true); } void 
ObjectManipulator::expandOrCollapseCurrentTreeNode(QTreeWidgetItem *item, bool expand) { QTreeWidgetItem *parent = item->parent(); if (expand && parent != NULL && ! parent->isExpanded()) parent->setExpanded(true); item->setExpanded(expand); for (int i=0; ichildCount(); ++i) expandOrCollapseCurrentTreeNode(item->child(i), expand); } void ObjectManipulator::expandCurrentTreeNode() { if (getCurrentObjectTree()->getNumSelected()==0) return; QTreeWidgetItem *item = getCurrentObjectTree()->currentItem(); expandOrCollapseCurrentTreeNode(item, true); } void ObjectManipulator::collapseCurrentTreeNode() { if (getCurrentObjectTree()->getNumSelected()==0) return; QTreeWidgetItem *item = getCurrentObjectTree()->currentItem(); expandOrCollapseCurrentTreeNode(item, false); } static ObjectTreeViewItem *findUserFolder(ObjectTreeViewItem *parent, const QString &folder) { if (folder.isEmpty()) return parent; ObjectTreeViewItem *otvi = 0; int childNo = 0; while(parent->child(childNo) != NULL && otvi == 0) { ObjectTreeViewItem *sub = dynamic_cast(parent->child(childNo)); if (sub != 0 && sub->getUserFolderParent() != 0 && sub->getUserFolderName() == folder) { otvi = sub; return otvi; break; } else { otvi = findUserFolder(sub, folder); } childNo++; } // for (int ii = 0; ii < parent->childCount(); ii++) { // while(parent->childCount() > 0) { // ObjectTreeViewItem *sub = // dynamic_cast(parent->child(ii)); // if (sub != 0 && // sub->getUserFolderParent() != 0 && // sub->getUserFolderName() == folder) { // return sub; // } // parent = sub; // } // } return otvi; } ObjectTreeViewItem* ObjectManipulator::insertObject(ObjectTreeViewItem *itm, FWObject *obj) { if (FWReference::cast(obj)!=NULL) return NULL; if (Resources::global_res->getObjResourceBool(obj,"hidden") ) return NULL; if (Resources::global_res->getResourceBool( string("/FWBuilderResources/Type/") + obj->getTypeName() + "/hidden")) return NULL; ObjectTreeViewItem *item = itm; if (!obj->getStr("folder").empty()) { item = 
findUserFolder(itm, obj->getStr("folder").c_str()); /* If we can't find the user folder, put it under the system folder and get rid of the folder attribute */ if (item == 0) { item = itm; obj->setStr("folder", ""); } } ObjectTreeViewItem *nitm = new ObjectTreeViewItem(item); nitm->setLib(""); nitm->setText( 0, getTreeLabel(obj, 0) ); nitm->setText( 1, getTreeLabel(obj, 1) ); QPixmap pm; doSetObjectIcon(obj, &pm, 0); nitm->setIcon( 0, QIcon(pm) ); // nitm->setIcon( 1, QIcon(pm) ); if (FWBTree().isSystem(obj)) { nitm->setFlags(nitm->flags() & ~Qt::ItemIsDragEnabled); } else { nitm->setFlags(nitm->flags() | Qt::ItemIsDragEnabled); } nitm->setProperty("type", obj->getTypeName().c_str() ); nitm->setFWObject( obj ); allItems[obj] = nitm; // itm->sortChildren(0, Qt::AscendingOrder); return nitm; } void ObjectManipulator::insertSubtree(FWObject *parent, FWObject *obj) { ObjectTreeViewItem* parent_item = allItems[parent]; insertSubtree(parent_item, obj); QTreeWidgetItem *itm = allItems[parent]; if (itm==NULL) return; refreshSubtree(itm, NULL); } void ObjectManipulator::insertSubtree(ObjectTreeViewItem *itm, FWObject *obj) { this->m_objectManipulator->filter->clear(); ObjectTreeViewItem *nitm = insertObject(itm, obj); if (nitm==NULL) return; if (FWBTree().isStandardFolder(obj)) nitm->setExpanded( st->getExpandTree()); set subfolders = stringToSet(obj->getStr("subfolders")); set::const_iterator iter; for (iter = subfolders.begin(); iter != subfolders.end(); ++iter) { ObjectTreeViewItem *sub = new ObjectTreeViewItem(nitm); sub->setUserFolderParent(obj); // FWObject* newFolder = obj->getRoot()->create("ObjectGroup"); // newFolder->setParent(obj); // sub->setFWObject(newFolder); QString name = QString::fromUtf8((*iter).c_str()); sub->setUserFolderName(name); sub->setText(0, name); sub->setIcon(0, QIcon(LoadPixmap(":/Icons/SystemGroup/icon-tree"))); } if (Cluster::isA(obj)) { for (FWObjectTypedChildIterator it = obj->findByType(StateSyncClusterGroup::TYPENAME); it != it.end(); 
++it) insertSubtree( nitm, *it ); } if (Cluster::isA(obj) || Firewall::isA(obj)) { for (FWObjectTypedChildIterator it = obj->findByType(Policy::TYPENAME); it != it.end(); ++it) insertSubtree( nitm, *it ); for (FWObjectTypedChildIterator it = obj->findByType(NAT::TYPENAME); it != it.end(); ++it) insertSubtree( nitm, *it ); for (FWObjectTypedChildIterator it = obj->findByType(Routing::TYPENAME); it != it.end(); ++it) insertSubtree( nitm, *it ); for (FWObjectTypedChildIterator it = obj->findByType(Interface::TYPENAME); it != it.end(); ++it) insertSubtree( nitm, *it ); return ; } if (Interface::isA(obj)) { for (FWObjectTypedChildIterator it = obj->findByType(Interface::TYPENAME); it != it.end(); ++it) insertSubtree( nitm, *it ); for (FWObjectTypedChildIterator it = obj->findByType(IPv4::TYPENAME); it != it.end(); ++it) insertSubtree( nitm, *it ); for (FWObjectTypedChildIterator it = obj->findByType(IPv6::TYPENAME); it != it.end(); ++it) insertSubtree( nitm, *it ); for (FWObjectTypedChildIterator it = obj->findByType(physAddress::TYPENAME); it != it.end(); ++it) insertSubtree( nitm, *it ); for (FWObjectTypedChildIterator it = obj->findByType(FailoverClusterGroup::TYPENAME); it != it.end(); ++it) insertSubtree( nitm, *it ); for (FWObjectTypedChildIterator it = obj->findByType(AttachedNetworks::TYPENAME); it != it.end(); ++it) insertSubtree( nitm, *it ); return; } for (list::iterator m=obj->begin(); m!=obj->end(); m++) { FWObject *o1=*m; if (FWReference::cast(o1)!=NULL) continue; insertSubtree(nitm, o1); } } void ObjectManipulator::removeObjectFromTreeView(FWObject *obj) { removeObjectFromHistory(obj); int current_lib_idx = m_objectManipulator->libs->currentIndex(); ObjectTreeView *objTreeView = libs_model->getTreeWidget(current_lib_idx); assert(objTreeView); objTreeView->clearLastSelected(); ObjectTreeViewItem *itm = allItems[obj]; allItems[obj] = NULL; if (itm && itm->parent()) { itm->parent()->takeChild(itm->parent()->indexOfChild(itm)); delete itm; } if 
(Library::isA(obj)) { removeLib(obj); } } bool FindHistoryItemByObjectId::operator()(const HistoryItem &itm) { return (itm.id() == id); } FWObject* ObjectManipulator::findRuleSetInHistoryByParentFw(FWObject* parent) { list::reverse_iterator it = history.rbegin(); for (; it!=history.rend(); ++it) { FWObject *obj = mw->activeProject()->db()->findInIndex(it->id()); if (RuleSet::cast(obj)) { FWObject *parent_fw = Host::getParentHost(obj); if (parent_fw != NULL && parent_fw == parent) return obj; } } return NULL; } void ObjectManipulator::removeObjectFromHistory(FWObject *obj) { if (fwbdebug) qDebug() << "ObjectManipulator::removeObjectFromHistory" << "obj:" << obj->getName().c_str() << "id=" << obj->getId() << "history.size()=" << history.size(); history.remove_if(FindHistoryItemByObjectId(obj->getId())); if (fwbdebug) qDebug() << "ObjectManipulator::removeObjectFromHistory" << "history.size()=" << history.size(); if (history.empty()) mw->enableBackAction(); } void ObjectManipulator::addObjectToHistory(ObjectTreeViewItem* otvi, FWObject *obj) { history.push_back( HistoryItem(otvi, obj->getId()) ); current_history_item = history.end(); current_history_item--; } ObjectTreeViewItem* ObjectManipulator::getCurrentHistoryItem() { return current_history_item->item(); } void ObjectManipulator::updateLibColor(FWObject *lib) { QString clr = lib->getStr("color").c_str(); QModelIndex index = libs_model->getIdxForLib(lib); if (index.isValid()) { QTreeWidget *objTreeView = libs_model->getTreeWidget(index); if (clr=="" || clr=="#000000" || clr=="black") clr="#FFFFFF"; QPalette palette = objTreeView->palette(); palette.setColor(QPalette::Active, QPalette::Base, QColor( clr )); palette.setColor(QPalette::Inactive, QPalette::Base, QColor( clr )); objTreeView->setPalette(palette); } } void ObjectManipulator::updateLibName(FWObject *lib) { QModelIndex index = libs_model->getIdxForLib(lib); if (index.isValid()) { QString newlibname = QString::fromUtf8(lib->getName().c_str()); 
libs_model->setName(index, newlibname); libs_model->sort(0, Qt::AscendingOrder); QModelIndex lib_idx = libs_model->getIdxForLib(lib); m_objectManipulator->libs->setCurrentIndex(lib_idx.row()); } } /* * Update tree item for the given object, including its name and brief summary * of properties. If @subtree=true, do the same for all its children as well. */ void ObjectManipulator::updateObjectInTree(FWObject *obj, bool subtree) { if (fwbdebug) qDebug() << "ObjectManipulator::updateObjectInTree" << "obj=" << obj->getName().c_str() << "subtree=" << subtree; QTreeWidgetItem *itm = allItems[obj]; if (itm==NULL) return; // first, update tree item that represents @obj. Its name or label // (second column) might have changed QString old_itm_text = itm->text(0); itm->setText( 0, getTreeLabel(obj, 0) ); itm->setText( 1, getTreeLabel(obj, 1) ); QPixmap pm_obj; IconSetter::setObjectIcon(obj, &pm_obj, 0); itm->setIcon(0, pm_obj ); //getCurrentObjectTree()->updateTreeIcons(); if (itm->parent()) refreshSubtree(itm->parent(), itm); // now if we need to update subtree, call refreshSubtree() if (subtree) refreshSubtree(itm, NULL); } void ObjectManipulator::clearObjects() { if (fwbdebug) qDebug("ObjectManipulator::clearObjects %p start",this); while (history.size()!=0) history.pop_back(); int N = libs_model->rowCount(); for (int i=N-1; i>=0; i--) { QTreeWidget *objTreeView = libs_model->getTreeWidget(i); if (objTreeView == NULL) continue; m_objectManipulator->widgetStack->removeWidget(objTreeView); // delete otv; removeLib(i); } libs_model->removeRows(0, libs_model->rowCount()); libs_model->addStaticItems(); current_tree_view = NULL; if (fwbdebug) qDebug("ObjectManipulator::clearObjects done"); } void ObjectManipulator::reload() { FWObject *current_lib = getCurrentLib(); FWObject *currentObj = getSelectedObject(); saveExpandedTreeItems(); saveSectionSizes(); loadObjects(); openLib(current_lib); loadExpandedTreeItems(); loadSectionSizes(); if (currentObj) openObjectInTree(currentObj); 
} void ObjectManipulator::loadObjects() { if (fwbdebug) qDebug("ObjectManipulator::loadObjects %p start", this); clearObjects(); FWObject *firstUserLib = NULL; list ll = m_project->db()->getByType( Library::TYPENAME ); for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { FWObject *lib = (*i); if (fwbdebug) qDebug("ObjectManipulator::loadObjects %p lib %p %s %s", this, lib, FWObjectDatabase::getStringId(lib->getId()).c_str(), lib->getName().c_str() ); if ( lib->getId()==FWObjectDatabase::DELETED_OBJECTS_ID && ! st->getBool("UI/ShowDeletedObjects")) continue; if ( lib->getId()!=FWObjectDatabase::STANDARD_LIB_ID && lib->getId()!=FWObjectDatabase::TEMPLATE_LIB_ID && firstUserLib==NULL) firstUserLib = *i; addLib( lib ); if (fwbdebug) qDebug() << "ObjectManipulator::loadObjects" << this << "added lib" << lib->getName().c_str(); } if (firstUserLib==NULL) firstUserLib = ll.front(); openLib( firstUserLib ); if (fwbdebug) qDebug() << "ObjectManipulator::loadObjects done" << this; } void ObjectManipulator::addLib(FWObject *lib) { if (fwbdebug) qDebug() << "Object Manipulator::addLib lib: " << lib->getName().c_str(); ObjectTreeView *objTreeView = new ObjectTreeView( m_project, m_objectManipulator->widgetStack, OBJTREEVIEW_WIDGET_NAME ); QString newlibname = QString::fromUtf8(lib->getName().c_str()); int idx = libs_model->rowCount(); if (fwbdebug) qDebug() << "Adding at idx=" << idx; QPixmap pm; doSetObjectIcon(lib, &pm, 0); libs_model->insertRows(idx, 1); QModelIndex model_idx = libs_model->index(idx, 0); libs_model->setData(model_idx, newlibname, lib, objTreeView); libs_model->sort(0, Qt::AscendingOrder); // after sorting the row of the new library may be different from where we added it QModelIndex lib_idx = libs_model->getIdxForLib(lib); m_objectManipulator->libs->setCurrentIndex(lib_idx.row()); QSizePolicy policy(QSizePolicy::Expanding, QSizePolicy::Expanding); policy.setHorizontalStretch(0); policy.setVerticalStretch(0); 
policy.setHeightForWidth(objTreeView->sizePolicy().hasHeightForWidth()); objTreeView->setSizePolicy(policy); m_objectManipulator->widgetStack->addWidget( objTreeView ); m_objectManipulator->widgetStack->show(); objTreeView->show(); updateLibColor( lib ); connect(m_objectManipulator->widgetStack, SIGNAL( currentChanged(int) ), this, SLOT( currentTreePageChanged(int) ) ); connect(objTreeView, SIGNAL( editCurrentObject_sign() ), this, SLOT( editSelectedObject()) ); connect(objTreeView, SIGNAL( switchObjectInEditor_sign(libfwbuilder::FWObject*) ), this, SLOT( switchObjectInEditor(libfwbuilder::FWObject*)) ); connect(objTreeView, SIGNAL( deleteObject_sign(libfwbuilder::FWObject*) ), this, SLOT( delObj() ) ); connect(objTreeView, SIGNAL( objectDropped_sign(libfwbuilder::FWObject*) ), this, SLOT( openObjectInTree(libfwbuilder::FWObject*) ) ); connect(objTreeView, SIGNAL( contextMenuRequested_sign(const QPoint&) ), this, SLOT( contextMenuRequested(const QPoint&) ) ); connect(objTreeView, SIGNAL(currentItemChanged(QTreeWidgetItem*,QTreeWidgetItem*) ), this, SLOT(selectionChanged(QTreeWidgetItem*))); connect(objTreeView, SIGNAL(moveItems_sign(ObjectTreeViewItem *, const std::list &)), this, SLOT(moveItems(ObjectTreeViewItem *, const std::list &))); ObjectTreeViewItem *itm1=new ObjectTreeViewItem( objTreeView ); itm1->setLib(""); itm1->setExpanded(true); itm1->setFlags(itm1->flags() & ~Qt::ItemIsDragEnabled); itm1->setText( 0, getTreeLabel(lib, 0) ); itm1->setText( 1, getTreeLabel(lib, 1) ); itm1->setIcon( 0, pm); itm1->setProperty("type", lib->getTypeName().c_str() ); itm1->setFWObject( lib ); allItems[lib] = itm1; for (list::iterator m=lib->begin(); m!=lib->end(); m++) insertSubtree( itm1, (*m) ); objTreeView->updateTreeIcons(); // apparently sortByColumn does not work in QT 4.5, use sortItems objTreeView->sortItems(0, Qt::AscendingOrder); objTreeView->header()->resizeSections(QHeaderView::ResizeToContents); m_objectManipulator->filter->connect(m_objectManipulator->filter, 
SIGNAL(textChanged(QString)), objTreeView, SLOT(setFilter(QString))); } void ObjectManipulator::removeLib(FWObject* lib) { if (fwbdebug) qDebug() << "ObjectManipulator::removeLib lib=" << lib; QModelIndex idx = libs_model->getIdxForLib(lib); if (idx.isValid()) removeLib( idx.row() ); } void ObjectManipulator::removeLib(int row) { if (fwbdebug) qDebug() << "ObjectManipulator::removeLib row=" << row; libs_model->removeRows(row, 1); m_objectManipulator->libs->setCurrentIndex(libs_model->rowCount() - 1); //libs_model->reset(); } void ObjectManipulator::refreshSubtree(QTreeWidgetItem *parent, QTreeWidgetItem *itm) { if (fwbdebug) qDebug() << "ObjectManipulator::refreshSubtree parent:" << parent->text(0) << "itm:" << QString((itm)?itm->text(0):""); QScrollBar* scrollbar = getCurrentObjectTree()->verticalScrollBar(); // remember current scrolling position int y_pos = scrollbar->value(); /* * re-sorting parent tree item causes havoc. If I do not * collapse/expand it, I get strange glitches in display. */ parent->sortChildren(0, Qt::AscendingOrder);//(); if (fwbdebug) qDebug("ObjectManipulator::refreshSubtree expand/collapse parent"); /* * workaround for QT4 bug * http://www.qtsoftware.com/developer/task-tracker/index_html?method=entry&id=233975 * Affects QT 4.4.1 * * This has a side effect in that the tree loses its scrollong * position and scrolls all the way to the top. If the object * being edited was in the middle or close to the bottom, it disappears * from view. Call to scrollToItem() fixes this. 
*/ parent->setExpanded(false); parent->setExpanded(true); if (itm) getCurrentObjectTree()->scrollToItem(itm, QAbstractItemView::EnsureVisible); scrollbar->setValue(y_pos); getCurrentObjectTree()->update(); } void ObjectManipulator::moveItems(ObjectTreeViewItem *dest, const list &items) { string folder; if (dest->getUserFolderParent() != 0) { folder = dest->getUserFolderName().toUtf8().constData(); } else { folder = dest->getFWObject()->getStr("folder"); } FWCmdMacro *macro = new FWCmdMacro(tr("Move objects")); list::const_iterator iter; for (iter = items.begin(); iter != items.end(); ++iter) { FWObject *obj = *iter; FWCmdMoveToFromUserFolder *cmd = new FWCmdMoveToFromUserFolder (m_project, obj->getParent(), obj, obj->getStr("folder").c_str(), folder.c_str(), "", macro); FWObject *newObj = cmd->getNewState(); newObj->setStr("folder", folder); } m_project->undoStack->push(macro); } void ObjectManipulator::addUserFolderToTree(FWObject *obj, const QString &folder) { ObjectTreeViewItem *item = allItems[obj]; if (item == 0) return; ObjectTreeViewItem *sub = new ObjectTreeViewItem(item); FWObject* newFolder = obj->getRoot()->create(ObjectGroup::TYPENAME); newFolder->setParent(obj); newFolder->setName(folder.toUtf8().constData() ); sub->setFWObject(newFolder); allItems[newFolder] = sub; obj->setStr("folder", folder.toUtf8().constData()); newFolder->setStr("folder", getFolderNameString(newFolder)); sub->setUserFolderParent(obj); sub->setUserFolderName(folder); sub->setText(0, folder); sub->setIcon(0, QIcon(LoadPixmap(":/Icons/SystemGroup/icon-tree"))); refreshSubtree(item, sub); } std::string ObjectManipulator::getFolderNameString(libfwbuilder::FWObject *obj) { std::string result = ""; FWObject *parent = obj->getParent(); while(parent != NULL) { result = parent->getName() + "/" + result; parent = parent->getParent(); } result = result + obj->getName(); return result; } void ObjectManipulator::removeUserFolderFromTree(FWObject *obj, const QString &folder) { 
ObjectTreeViewItem *item = allItems[obj]; if (item == 0) return; ObjectTreeViewItem *sub = findUserFolder(item, folder); if (sub == 0) return; QList children = sub->takeChildren(); while (!children.isEmpty()) { ObjectTreeViewItem *child = dynamic_cast (children.takeFirst()); assert(child != 0); FWObject *obj = child->getFWObject(); if (mw->isEditorVisible() && mw->getOpenedEditor() == obj) { mw->hideEditor(); } delete child; } item->removeChild(sub); delete sub; refreshSubtree(item, 0); } void ObjectManipulator::moveToFromUserFolderInTree(FWObject *obj, FWObject *objToMove, const QString &oldFolder, const QString &newFolder) { ObjectTreeViewItem *parent = allItems[obj]; ObjectTreeViewItem *toMove = allItems[objToMove]; if (parent == 0 || toMove == 0) return; ObjectTreeViewItem *oldItem = findUserFolder(parent, oldFolder); ObjectTreeViewItem *newItem = findUserFolder(parent, newFolder); oldItem->removeChild(toMove); newItem->addChild(toMove); refreshSubtree(newItem, 0); } fwbuilder-5.3.7/src/libgui/ObjectSelectorWidget.cpp000066400000000000000000000103431303637203600223360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "ObjectSelectorWidget.h" #include "ObjectDescriptor.h" #include "FilterDialog.h" #include #include #include #include using namespace std; using namespace libfwbuilder; ObjectSelectorWidget::ObjectSelectorWidget(QWidget *parent) : QWidget(parent) { m_dialog = new Ui::ObjectSelectorWidget_q; m_dialog->setupUi(this); flt_obj = new Filter(); flt_obj_d = new FilterDialog(this); flt_obj_d->setFilter(flt_obj); } ObjectSelectorWidget::~ObjectSelectorWidget() { delete flt_obj; delete flt_obj_d; } void ObjectSelectorWidget::init(const QList &objects) { this->objects = objects; fillListOfObjects(); } void ObjectSelectorWidget::updateObjectsToUse() { objects_to_use.clear(); QListWidgetItem* item = m_dialog->objectList->item(0); while (item != NULL) { QString name = item->text().split(" ")[0]; QString addr = item->data(Qt::UserRole).toString(); objects_to_use << name << addr; item = m_dialog->objectList->item(m_dialog->objectList->row(item)+1); } } void ObjectSelectorWidget::fillListOfObjects() { m_dialog->objectResultList->clear(); foreach(ObjectDescriptor od, objects) { QString addr = od.addr.toString().c_str(); QString name = QString::fromUtf8(od.sysname.c_str()); if ( flt_obj->test(od) ) { QString item_text("%1 %2"); QListWidgetItem *itm = new QListWidgetItem(item_text.arg(name).arg(addr)); itm->setData(Qt::UserRole, QVariant(addr)); m_dialog->objectResultList->addItem(itm); } } updateObjectsToUse(); emit selectionChanged(); } void ObjectSelectorWidget::addFilter() { flt_obj_d->exec(); fillListOfObjects(); } void ObjectSelectorWidget::removeFilter() { flt_obj->clear(); fillListOfObjects(); } void ObjectSelectorWidget::selectAllResults() { m_dialog->objectResultList->selectAll(); } void ObjectSelectorWidget::unselectAllResults() { m_dialog->objectResultList->clearSelection(); } 
void ObjectSelectorWidget::selectAllUsed() { m_dialog->objectList->selectAll(); } void ObjectSelectorWidget::unselectAllUsed() { m_dialog->objectList->clearSelection(); } void ObjectSelectorWidget::addObject() { QListWidgetItem* item = (QListWidgetItem*)m_dialog->objectResultList->item(0); int i = 0; while (item) { if (item->isSelected() && m_dialog->objectList->findItems( item->text(), Qt::MatchExactly).size() == 0) { QString addr = item->data(Qt::UserRole).toString(); QListWidgetItem *item2 = new QListWidgetItem(item->text()); item2->setData(Qt::UserRole, QVariant(addr)); m_dialog->objectList->addItem(item2); } i++; item = (QListWidgetItem*)m_dialog->objectResultList->item(i); } updateObjectsToUse(); emit selectionChanged(); } void ObjectSelectorWidget::removeObject() { QListWidgetItem* item1 = m_dialog->objectList->item(0); QListWidgetItem* item2; while (item1!=0) { item2 = m_dialog->objectList->item(m_dialog->objectList->row(item1)+1); if (item1->isSelected()) { delete item1; } item1 = item2; } updateObjectsToUse(); emit selectionChanged(); } fwbuilder-5.3.7/src/libgui/ObjectSelectorWidget.h000066400000000000000000000043101303637203600220000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTSELECTORWIDGET_H_ #define __OBJECTSELECTORWIDGET_H_ #include "ui_objectselectorwidget_q.h" #include "ObjectDescriptor.h" #include "fwbuilder/InetAddr.h" #include class Filter; class FilterDialog; class ObjectSelectorWidget : public QWidget { Q_OBJECT; Ui::ObjectSelectorWidget_q *m_dialog; Filter * flt_obj; FilterDialog * flt_obj_d; QList objects; QStringList objects_to_use; // configure this as a proprty so it can be accessed as a field after // registering with registerField(). Now it can be accessed from // other pages of the wizard Q_PROPERTY(QStringList objectsToUse READ getObjectsToUse WRITE setObjectsToUse); public: ObjectSelectorWidget(QWidget *parent); virtual ~ObjectSelectorWidget(); void init(const QList &objects); int count() { return objects_to_use.count(); } void fillListOfObjects(); void updateObjectsToUse(); QStringList getObjectsToUse() { return objects_to_use; } void setObjectsToUse(const QStringList &lst) { objects_to_use = lst; } public slots: void addFilter(); void removeFilter(); void selectAllResults(); void unselectAllResults(); void selectAllUsed(); void unselectAllUsed(); void addObject(); void removeObject(); signals: void selectionChanged(); }; #endif fwbuilder-5.3.7/src/libgui/ObjectTreeView.cpp000066400000000000000000001040031303637203600211410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBSettings.h" #include "FWBTree.h" #include "FWObjectDrag.h" #include "FWObjectPropertiesFactory.h" #include "FWWindow.h" #include "IconSetter.h" #include "ObjectManipulator.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ProjectPanel.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Group.h" #include "fwbuilder/Interface.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/TCPUDPService.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/FWServiceReference.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Network.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; /**************************************************************************** * * class ObjectTreeView * ****************************************************************************/ ObjectTreeView::ObjectTreeView(ProjectPanel* project, QWidget* parent, const char * name, #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) Qt::WFlags f) : #else Qt::WindowFlags f) : #endif QTreeWidget(parent), m_project(project) { setObjectName(name); this->setParent(parent, f); setFont(st->getTreeFont()); QPalette updated_palette = palette(); updated_palette.setColor( QPalette::Inactive, QPalette::Highlight, QColor("silver")); // 
palette().color(QPalette::Highlight).lighter(300)); setPalette(updated_palette); setExpandsOnDoubleClick(false); setDragEnabled(true); item_before_drag_started=NULL; lastSelected = NULL; second_click = false; selectionFrozen = false; expandOrCollapse = false; Lockable = false; Unlockable = false; visible = false; /* * note about process_mouse_release_event * * we use mouseReleaseEvent event to switch object opened in the * editor panel (i.e. we open new object when mouse button is * released rather than when it is pressed). This allows us to * start drag without switching object in the editor. The problem * is that mouseReleaseEvent is received in this widget after the * d&d ends with a drop somewhere else, which triggers call to * mouseReleaseEvent which switches object in the * editor. This is undesired when the editor shows a group and we * try to drag and drop an object into that group. Flag * process_mouse_release_event is used to suppress object * switching when mouseReleaseEvent is called after * successfull drop. 
*/ process_mouse_release_event = true; connect(this, SIGNAL(currentItemChanged(QTreeWidgetItem*,QTreeWidgetItem*)), this, SLOT(currentItemChanged(QTreeWidgetItem*))); connect(this, SIGNAL(itemSelectionChanged()), this, SLOT(itemSelectionChanged())); connect(this, SIGNAL(itemCollapsed(QTreeWidgetItem*)), this, SLOT(itemCollapsed(QTreeWidgetItem*))); connect(this, SIGNAL(itemExpanded(QTreeWidgetItem*)), this, SLOT(itemExpanded(QTreeWidgetItem*))); QStringList qsl; qsl.push_back(tr("Object")); qsl.push_back(tr("Attributes")); setHeaderLabels(qsl); //header()->hide(); header()->setDefaultAlignment(Qt::AlignLeft); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) header()->setResizeMode(QHeaderView::Interactive); #else header()->setSectionResizeMode(QHeaderView::Interactive); #endif showOrHideAttributesColumn(); setMinimumSize( QSize( 100, 0 ) ); setAutoScroll(true); setAutoScrollMargin(50); setAllColumnsShowFocus( true ); setSelectionMode( ExtendedSelection ); setAcceptDrops( true ); setDragDropMode( QAbstractItemView::DragDrop ); setRootIsDecorated( true ); setFocusPolicy(Qt::StrongFocus); connect(this, SIGNAL(itemChanged(QTreeWidgetItem*,int)), this, SLOT(updateFilter())); // disable sorting, otherwise gui crashes when built with // QT 4.3.4 (discovered on Ubuntu Hardy). Crash happened when // second object was added to any branch of the tree. 
// // This causes crash with Qt 4.6 as well // // setSortingEnabled(true); } void ObjectTreeView::paintEvent(QPaintEvent *ev) { QTreeWidget::paintEvent(ev); } void ObjectTreeView::drawRow(QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index ) const { // qDebug() << "ObjectTreeView::drawRow" // << "QStyleOptionViewItem.state=" << int(option.state) // << "hasFocus()=" << hasFocus() // << "isActiveWindow()=" << isActiveWindow(); // QWidget *fw = QApplication::focusWidget(); // qDebug() << "Currently has focus:" << fw; // this is a patch for #2475 // Looks like the state remains State_Active even when the tree view widget // loses focus (as long as parent window is active). QStyleOptionViewItem new_opt = option; if ( ! hasFocus()) new_opt.state &= ~QStyle::State_Active; QTreeWidget::drawRow(painter, new_opt, index); } bool ObjectTreeView::event( QEvent *event ) { if (event->type() == QEvent::ToolTip) { QHelpEvent *he = (QHelpEvent*) event; QPoint pos = he->pos(); if (st->getObjTooltips()) { int cx = pos.x(), cy = pos.y(); FWObject *obj=NULL; QRect cr; QTreeWidgetItem *itm = itemAt(QPoint(cx, cy - header()->height())); if (itm==NULL) return false; ObjectTreeViewItem *oivi = dynamic_cast(itm); assert(oivi!=NULL); obj = oivi->getFWObject(); if (obj==NULL) return false; if (obj->getId() == FWObjectDatabase::ANY_ADDRESS_ID || obj->getId() == FWObjectDatabase::ANY_SERVICE_ID || obj->getId() == FWObjectDatabase::ANY_INTERVAL_ID || obj->getId() == FWObjectDatabase::DUMMY_ADDRESS_ID || obj->getId() == FWObjectDatabase::DUMMY_SERVICE_ID || obj->getId() == FWObjectDatabase::DUMMY_INTERFACE_ID) return false; cr = visualItemRect(itm); QRect global = QRect( viewport()->mapToGlobal(cr.topLeft()), viewport()->mapToGlobal(cr.bottomRight())); //finally stretch rect up to component's width and even more //(it fixes bug with horizontal scroll) global.setWidth(width() + horizontalOffset()); QToolTip::showText(mapToGlobal( he->pos() ), 
FWObjectPropertiesFactory::getObjectPropertiesDetailed(obj, true, true), this, global); } return true; } return QTreeWidget::event(event); } void ObjectTreeView::currentItemChanged(QTreeWidgetItem*) { expandOrCollapse = false; } void ObjectTreeView::itemCollapsed(QTreeWidgetItem* itm) { expandOrCollapse = true; ObjectTreeViewItem *otvi = dynamic_cast(itm); assert(otvi!=NULL); FWObject *o = otvi->getFWObject(); if (o) { int id = o->getId(); expanded_objects.erase(id); } } void ObjectTreeView::itemExpanded(QTreeWidgetItem* itm) { expandOrCollapse = true; ObjectTreeViewItem *otvi=dynamic_cast(itm); assert(otvi!=NULL); FWObject *o = otvi->getFWObject(); if (o) { int id = o->getId(); expanded_objects.insert(id); } } /* * This method makes list selectedObjects flat. If user selects * several objects in the tree, and some of them have children, QT * puts all the children in the selected objects list even if * corresponding subtrees are collapsed. This method eliminates these * selected children objects. 
* */ std::vector ObjectTreeView::getSimplifiedSelection() { vector so = selectedObjects; vector so2 = selectedObjects; for (vector::iterator i=so2.begin(); i!=so2.end(); ++i) { for (vector::iterator j=i; j!=so2.end(); ++j) { vector::iterator k=std::find(so.begin(),so.end(),*j); if ( (*j)->isChildOf( *i ) && k!=so.end()) so.erase( k ); } } return so; } FWObject* ObjectTreeView::getCurrentObject() { QTreeWidgetItem *ovi = currentItem(); ObjectTreeViewItem *otvi=dynamic_cast(ovi); if (otvi==NULL) return NULL; return otvi->getFWObject(); } void ObjectTreeView::focusInEvent(QFocusEvent* ev) { QTreeWidget::focusInEvent(ev); QTreeWidgetItem *ci = currentItem(); if (ci) repaint(); } void ObjectTreeView::focusOutEvent(QFocusEvent* ev) { QTreeWidget::focusOutEvent(ev); QTreeWidgetItem *ci = currentItem(); if (ci) repaint(); } void ObjectTreeView::updateTreeIcons() { QTreeWidgetItemIterator it(this); for ( ; *it; ++it) { QTreeWidgetItem *itm = *it; ObjectTreeViewItem *otvi = dynamic_cast(itm); FWObject *obj = otvi->getFWObject(); /* We can have obj==0 if it's a user-create subfolder */ if (obj == 0) continue; QPixmap pm_obj; IconSetter::setObjectIcon(obj, &pm_obj, 0); itm->setIcon(0, pm_obj ); } update(); } void ObjectTreeView::startDrag(Qt::DropActions supportedActions) { QTreeWidgetItem *ovi = currentItem(); if (ovi==NULL) return; FWObject *current_obj = getCurrentObject(); /* User-defined folders can't be dragged */ if (current_obj == 0) return; if (fwbdebug) qDebug("ObjectTreeView::startDrag: this: %p current_obj: %s", this, current_obj->getName().c_str()); /* can't drag system folders in fact, I have to allow to drag system folders because otherwise QListView triggers highlighting of objects in the tree when user drags mouse cursor across them. This is weird behavior and there does not seem to be any way to turn it off. 
It happens close to the end of void QListView::mouseMoveEvent( QMouseEvent * e) (See code after they decided that they do not need to call startDrag()) if (FWBTree().isSystem(obj)) return NULL; */ if ((current_obj->getId() == FWObjectDatabase::DUMMY_ADDRESS_ID) || (current_obj->getId() == FWObjectDatabase::DUMMY_INTERFACE_ID) || (current_obj->getId() == FWObjectDatabase::DUMMY_SERVICE_ID)) return; QString icn = (":/Icons/"+current_obj->getTypeName()+"/icon-ref").c_str(); vector so = getSimplifiedSelection(); list dragobj; for (vector::iterator v=so.begin(); v!=so.end(); v++) { //m_project->check4Depends(*v, dragobj); if (fwbdebug) qDebug("ObjectTreeView::startDrag: adding object to drag list: %s", (*v)->getName().c_str()); // while obj is still part of the tree, do some clean up // to avoid problems in the future. Create // InterfaceOptions objects for interfaces because we'll // need them for various validations during paste/drop // operation. Interface *intf = Interface::cast(*v); if (intf) intf->getOptionsObject(); dragobj.push_back( *v ); } FWObjectDrag *drag = new FWObjectDrag(dragobj, this); QPixmap pm; if ( ! QPixmapCache::find( icn, pm) ) { pm.load( icn ); QPixmapCache::insert( icn, pm); } if (dragobj.size()>1) { QPixmap npm(32,32); QPainter p( &npm ); p.fillRect( 0,0,32,32, QBrush( QColor("white"),Qt::SolidPattern ) ); p.setBackgroundMode( Qt::TransparentMode ); p.drawPixmap( 0, 32-pm.rect().height(), pm); p.setPen( QColor("red") ); p.setBrush( QBrush( QColor("red"),Qt::SolidPattern ) ); p.drawPie( 16, 0, 16,16, 0, 5760 ); QString txt; txt.setNum(dragobj.size()); QRect br=p.boundingRect(0, 0, 1000, 1000, Qt::AlignLeft|Qt::AlignVCenter, txt ); p.setPen( QColor("white") ); p.drawText( 24-br.width()/2 , 4+br.height()/2, txt ); p.end(); npm.setMask( npm.createHeuristicMask() ); drag->setPixmap( npm ); } else drag->setPixmap( pm ); /* * This fragment returns selection in the tree back to the object that * was selected before drag operation has started. 
This help in the * following case: * * - open a group for editing (group is selected in the tree) * - left-click on another object in the tree, start dragging it * * at this point selection in the tree returns to the group, so when * user finishes d&d operation, the selection in the tree is consisten * with object currently opened in the editor panel. * * There is a problem with this however. If user wants to put an * object from a different library into the group, they have to switch * to that library before doing d&d. When they switch, ObjectTree * shown in the left panel becomes different from the tree in which * the group is located. When d&d finishes, the ObjectTree object * receives mouseReleaseEvent event. Since it is not the right * tree object, it can not properly restore selection and choses an * object that was previously opened in that tree, which in turn * changes the object opened in the editor panel. To make things * worse, this event is only delivered to the tree object on Mac OS X. 
* * */ if (fwbdebug) qDebug("ObjectTreeView::dragObject() this=%p visible=%d", this,visible); drag->start(supportedActions); } void ObjectTreeView::dragEnterEvent( QDragEnterEvent *ev) { ev->setAccepted(ev->mimeData()->hasFormat(FWObjectDrag::FWB_MIME_TYPE) ); ev->setDropAction(Qt::MoveAction); } static bool isValidDropTarget(QTreeWidgetItem *item, list &objs) { ObjectTreeViewItem *dest = dynamic_cast(item); if (dest == 0) return false; bool dragIsNoop = true; list::const_iterator iter; for (iter = objs.begin(); iter != objs.end(); ++iter) { FWObject *dragobj = *iter; assert(dragobj != 0); if (Interface::cast(dragobj) != 0 || Interface::cast(dragobj->getParent()) != 0 || Policy::cast(dragobj) != 0 || NAT::cast(dragobj) != 0 || Routing::cast(dragobj) != 0) return false; /* See if destination is a user folder */ if (dest->getUserFolderParent() != 0) { /* Dragged object has to match parent of user folder */ if (dest->getUserFolderParent() != dragobj->getParent()) { return false; } /* Are we dragging within the same user folder? */ if (dest->getUserFolderName() != QString::fromUtf8(dragobj->getStr("folder").c_str())) { dragIsNoop = false; } } else { /* OK to drag onto parent itself, or object that shares parent */ if (dragobj->getParent() != dest->getFWObject() && dragobj->getParent() != dest->getFWObject()->getParent()) { return false; } /* Are we dragging to a new place? 
*/ if ((FWBTree().isSystem(dest->getFWObject()) && dragobj->getStr("folder") != "") || (dest->getFWObject()->getStr("folder") != dragobj->getStr("folder"))) { dragIsNoop = false; } } } return !dragIsNoop; } void ObjectTreeView::dragMoveEvent(QDragMoveEvent *ev) { /* Call the parent so that auto-scrolling works properly */ QTreeWidget::dragMoveEvent(ev); list objs; if (ev->source() != this || !FWObjectDrag::decode(ev, objs) || !isValidDropTarget(itemAt(ev->pos()), objs)) { ev->setAccepted(false); return; } ev->setDropAction(Qt::MoveAction); ev->setAccepted(true); } void ObjectTreeView::dropEvent(QDropEvent *ev) { // only accept drops from the same instance of fwbuilder if (ev->source() == NULL) return; ObjectTreeViewItem *dest = dynamic_cast(itemAt(ev->pos())); if (dest == 0) { notWanted: ev->setAccepted(false); return; } list objs; if (!FWObjectDrag::decode(ev, objs)) goto notWanted; /* Make sure the drop event is on an object that can handle it */ if (ev->source() != this || !isValidDropTarget(dest, objs)) goto notWanted; emit moveItems_sign(dest, objs); ev->setAccepted(true); } void ObjectTreeView::dragLeaveEvent( QDragLeaveEvent *ev) { QTreeWidget::dragLeaveEvent(ev); clearSelection(); } void ObjectTreeView::mouseMoveEvent( QMouseEvent * e ) { /* This stops highlighting of stuff in the tree when the user clicks and tries to drag something non-draggable. 
*/ if (state() == DragSelectingState) return; QTreeWidget::mouseMoveEvent(e); if (e==NULL) return; } void ObjectTreeView::mousePressEvent( QMouseEvent *e ) { if (fwbdebug) qDebug("ObjectTreeView::mousePressEvent"); second_click = false; process_mouse_release_event = true; if (fwbdebug) { qDebug() << "ObjectTreeView::mousePressEvent :: currentItem=" << ((currentItem())?currentItem()->text(0):"nil"); qDebug() << "ObjectTreeView::mousePressEvent :: lastSelected=" << ((lastSelected)?lastSelected->text(0):"nil"); } lastSelected = currentItem(); QTreeWidget::mousePressEvent(e); if (e->button() == Qt::LeftButton) { startingDrag = true; } if (e->button() == Qt::RightButton) emit contextMenuRequested_sign(e->pos()); } /* * Two modes of operation of this widget: * * 1. this widget can intercept single mouse click and return * selection back to the object that was current before it. If user * double ckicks mouse button, then this reset is not done and new * object is selected. This is done using timer. * * 2. this widget can act as usual QListView does, that is, select an object * on a single click. * * uncomment the line that starts timer for mode #1. * * * we use mouseReleaseEvent event to switch object opened in the * editor panel (i.e. we open new object when mouse button is released * rather than when it is pressed). This allows us to start drag * without switching object in the editor. The problem is that * mouseReleaseEvent is received in this widget after the d&d ends * with a drop somewhere else, which triggers call to * mouseReleaseEvent which switches object in the editor. This * is undesired when the editor shows a group and we try to drag and * drop an object into that group. Flag process_mouse_release_event is * used to suppress object switching when mouseReleaseEvent is * called after successfull drop. 
* */ void ObjectTreeView::mouseReleaseEvent( QMouseEvent *e ) { if (fwbdebug) qDebug("ObjectTreeView::mouseReleaseEvent 1 this=%p process_mouse_release_event=%d", this,process_mouse_release_event); QTreeWidget::mouseReleaseEvent(e); if (!process_mouse_release_event) { // just do not switch object in the editor, otherwise // process this event as usual process_mouse_release_event = true; return; } if (fwbdebug) qDebug("ObjectTreeView::mouseReleaseEvent 2 selectedObjects.size()=%d getCurrentObject()=%p current object %s", int(selectedObjects.size()), getCurrentObject(), (getCurrentObject()!=NULL)?getCurrentObject()->getName().c_str():"nil"); if (expandOrCollapse) return; // user expanded or collapsed subtree, // no need to change object in the editor // Experiment: single click on the object in the tree should not open // it in the editor #if 0 if (selectedObjects.size()==1) emit switchObjectInEditor_sign( getCurrentObject() ); else { // user selected multiple objects // do not let them if editor has unsaved changes // if (mw->isEditorVisible() && mw->isEditorModified()) emit switchObjectInEditor_sign( getCurrentObject() ); else mw->blankEditor(); } #endif } /* * normally QAbstractItemView::edit starts in-place editing. 
We use * double click to open object in a separate editor panel */ bool ObjectTreeView::edit(const QModelIndex &index, EditTrigger trigger, QEvent *event) { if (fwbdebug) qDebug("ObjectTreeView::edit"); if (trigger==QAbstractItemView::DoubleClicked) editCurrentObject(); return QTreeWidget::edit(index, trigger, event); } /* * sends signal that should be connected to a slot in * ObjectManipulator which opens editor panel if it is closed and then * opens current object in it */ void ObjectTreeView::editCurrentObject() { if (fwbdebug) qDebug("ObjectTreeView::editCurrentObject"); emit editCurrentObject_sign(); if (fwbdebug) qDebug("ObjectTreeView::editCurrentObject done"); } void ObjectTreeView::keyPressEvent( QKeyEvent* ev ) { FWObject *obj = getCurrentObject(); if (obj) { if (ev->key()==Qt::Key_Enter || ev->key()==Qt::Key_Return) { if (fwbdebug) qDebug() << "ObjectTreeView::keyPressEvent Qt::Key_Enter"; editCurrentObject(); ev->accept(); return; } if (ev->key()==Qt::Key_Delete) { emit deleteObject_sign(obj); ev->accept(); return; } } QTreeWidget::keyPressEvent(ev); } void ObjectTreeView::keyReleaseEvent( QKeyEvent* ev ) { QTreeWidget::keyReleaseEvent(ev); } void ObjectTreeView::itemOpened () { if (fwbdebug) qDebug("ObjectTreeView::itemOpened"); editCurrentObject(); } void ObjectTreeView::clearLastSelected() { lastSelected = NULL; } void ObjectTreeView::resetSelection() { if (lastSelected) { if (fwbdebug) qDebug() << "ObjectTreeView::resetSelection :: lastSelected=" << lastSelected->text(0); setCurrentItem(lastSelected); lastSelected->setSelected(true); } } void ObjectTreeView::itemSelectionChanged() { if (fwbdebug) qDebug("ObjectTreeView::itemSelectionChanged selectionFrozen=%d", selectionFrozen); if (selectionFrozen) return; /* in extended selection mode there may be several selected items */ selectedObjects.clear(); QList selected = selectedItems(); QList::Iterator it; for (it=selected.begin(); it!=selected.end(); it++) { QTreeWidgetItem *itm = (*it); 
ObjectTreeViewItem *otvi = dynamic_cast(itm); FWObject *obj = otvi->getFWObject(); if (obj == 0) continue; selectedObjects.push_back(otvi->getFWObject()); if (fwbdebug) qDebug( "ObjectTreeView::selectionChanged: selected otvi=%p object %s", otvi, otvi->getFWObject()->getName().c_str()); } if (fwbdebug) qDebug("ObjectTreeView::itemSelectionChanged completed"); /* now list selectedObjects holds all selected items */ } bool ObjectTreeView::isSelected(FWObject* obj) { for (vector::iterator i=selectedObjects.begin(); i!=selectedObjects.end(); ++i) { if ( (*i)==obj) return true; } return false; } int ObjectTreeView::getNumSelected() { return selectedObjects.size(); } void ObjectTreeView::updateAfterPrefEdit() { setFont(st->getTreeFont()); } void ObjectTreeView::ExpandTreeItems(const set &ids) { if (fwbdebug) qDebug() << "ObjectTreeView::ExpandTreeItems()"; QTreeWidgetItemIterator it(this); for ( ; *it; ++it) { QTreeWidgetItem *itm = *it; ObjectTreeViewItem *otvi=dynamic_cast(itm); FWObject *obj = otvi->getFWObject(); if (obj == 0) continue; if (ids.count(obj->getId())) itm->setExpanded(true); } } void ObjectTreeView::showOrHideAttributesColumn() { if (st->getBool("UI/ShowObjectsAttributesInTree")) setColumnCount(2); else setColumnCount(1); } QSet ObjectTreeView::resolveChildren(QTreeWidgetItem *parent) { QSet children; children.insert(parent); if (parent->childCount() == 0) return children; for (int i=0; ichildCount(); i++) children.unite(resolveChildren(parent->child(i))); return children; } QSet ObjectTreeView::resolveParents(QTreeWidgetItem *child) { QSet parents; parents.insert(child); if (child->parent() == NULL) return parents; parents.unite(resolveParents(child->parent())); return parents; } void ObjectTreeView::updateFilter() { if (filter.isEmpty()) return; setFilter(filter); } static bool filterMatchesPortRange(const QStringList &args, FWObject *obj) { if (!obj) return false; // We traverse the service group. 
If the children are references // they may be pointing to ports if (obj->getTypeName() == ServiceGroup::TYPENAME) { for (list::const_iterator it=obj->begin(); it!=obj->end(); ++it) { FWServiceReference *ref = FWServiceReference::cast(*it); if (ref && filterMatchesPortRange(args, ref->getPointer())) return true; } } TCPUDPService *service = dynamic_cast(obj); if (!service) return false; QRegExp rx("\\s*([><]?)\\s*(\\d*)(?:-(\\d*))?"); foreach (const QString &arg, args) { if (!rx.exactMatch(arg)) continue; int lowerBound = rx.cap(2).toInt(), upperBound = lowerBound; if (rx.pos(3) != -1) { upperBound = rx.cap(3).toInt(); } if (rx.pos(1) != -1) { if (rx.pos(3) != -1) // [><] cannot be combined with range continue; if (rx.cap(1) == ">") { upperBound = 65535; ++lowerBound; // Adjust for using >= below } else {// "<" lowerBound = 1; --upperBound; // Adjust for using <= below } } if (lowerBound > upperBound) continue; int ds = service->getDstRangeStart(), de = service->getDstRangeEnd(), ss = service->getSrcRangeStart(), se = service->getSrcRangeEnd(); if (ds && de && (lowerBound <= ds) && (de <= upperBound)) return true; if (ss && se && (lowerBound <= ss) && (se <= upperBound)) return true; } // End foreach return false; } static bool filterMatchesIpAddress(const QStringList &args, FWObject *obj) { if (!obj) return false; // We traverse the object group. If the children are references // they may be pointing to adresses if (obj->getTypeName() == ObjectGroup::TYPENAME) { for (list::const_iterator it=obj->begin(); it!=obj->end(); ++it) { FWObjectReference *ref = FWObjectReference::cast(*it); if (ref && filterMatchesIpAddress(args, ref->getPointer())) return true; } } Address *addr = dynamic_cast(obj); if (!addr) return false; QRegExp rx("\\s*([.:0-9a-fA-F]+)(?:/([.:0-9a-fA-F]+))?"); InetAddrMask searchAddrAndMask; foreach (const QString &arg, args) { if (!rx.exactMatch(arg)) continue; try { std::string netmask = rx.cap(2).isEmpty() ? 
"32" : rx.cap(2).toStdString(); InetAddr ipv4addr(rx.cap(1).toStdString()); InetAddr ipv4mask(netmask); searchAddrAndMask = InetAddrMask(ipv4addr, ipv4mask); } catch (const FWException) { // Could not create IPv4 object. Trying IPv6. try { int netmask = rx.cap(2).isEmpty() ? 128 : rx.cap(2).toInt(); InetAddr ipv6addr(AF_INET6, rx.cap(1).toStdString()); InetAddr ipv6mask(AF_INET6, netmask); searchAddrAndMask = InetAddrMask(ipv6addr, ipv6mask); } catch (const FWException) { // Could not create IPv6 object. // User did not submit a valid IP address return false; } } const InetAddr *searchAddr = searchAddrAndMask.getAddressPtr(); if (addr->getTypeName() == AddressRange::TYPENAME) { AddressRange *addrRange = dynamic_cast(obj); if (addrRange && (searchAddr->addressFamily() == addrRange->getRangeStart().addressFamily()) ) { if ( !(searchAddr->opLT(addrRange->getRangeStart())) && !(searchAddr->opGT(addrRange->getRangeEnd())) ) return true; } continue; // Next argument } const InetAddr *inetAddr = addr->getAddressPtr(); if ( inetAddr && (inetAddr->addressFamily() == searchAddr->addressFamily()) ) { if (addr->getTypeName() == Network::TYPENAME) { if (addr->belongs(*searchAddr)) return true; } if (searchAddrAndMask.belongs(*inetAddr)) return true; } } // End foreach return false; } static bool filterMatchesCommand(const QString &text, ObjectTreeViewItem *item) { QRegExp rx("(?:(port)|(ip)):(.*)", Qt::CaseInsensitive); if (!rx.exactMatch(text)) return false; QStringList args = rx.cap(3).split(",", QString::SkipEmptyParts); if (rx.pos(1) != -1) return (filterMatchesPortRange(args, item->getFWObject())); else return (filterMatchesIpAddress(args, item->getFWObject())); } static bool filterMatches(const QString &text, ObjectTreeViewItem *item) { if (text.isEmpty()) return true; if (item->text(0).contains(text, Qt::CaseInsensitive)) return true; // Support for port and ip search if (filterMatchesCommand(text, item)) return true; if (item->getUserFolderParent() != 0) return false; 
FWObject *obj = item->getFWObject(); QByteArray utf8 = text.toUtf8(); set keys = obj->getKeywords(); set::const_iterator iter; for (iter = keys.begin(); iter != keys.end(); ++iter) { QString keyword = QString::fromUtf8((*iter).c_str()); if (keyword.contains(text, Qt::CaseInsensitive)) return true; } return false; } static uint qHash(const QStringList &list) { uint ret = 0; for (int ii = 0; ii < list.size(); ii++) { ret += qHash(list.at(ii)); } return ret; } void ObjectTreeView::doExpandedState(bool save, QStringList &list, QTreeWidgetItem *item) { list.append(item->text(0)); if (save) { if (item->isExpanded()) expandedState.insert(list); } else { if (expandedState.contains(list)) item->setExpanded(true); } for (int ii = 0; ii < item->childCount(); ii++) { doExpandedState(save, list, item->child(ii)); } list.removeLast(); } void ObjectTreeView::setFilter(QString text) { if (filter.isEmpty() && !text.isEmpty()) { QStringList list; for (int ii = 0; ii < topLevelItemCount(); ii++) { doExpandedState(true, list, topLevelItem(ii)); } } else if (text.isEmpty() && !filter.isEmpty()) { QStringList list; for (int ii = 0; ii < topLevelItemCount(); ii++) { doExpandedState(false, list, topLevelItem(ii)); } expandedState.clear(); } filter = text; if (fwbdebug) qDebug() << "ObjectTreeView::setFilter " << text; list expand; for (QTreeWidgetItemIterator wit(this); *wit; ++wit) { ObjectTreeViewItem *otvi = dynamic_cast(*wit); if (filterMatches(text, otvi)) { (*wit)->setHidden(false); if (Firewall::cast(otvi->getFWObject()) != 0) { expand.push_back(otvi); } QTreeWidgetItem *parent = (*wit)->parent(); while (parent != 0) { parent->setHidden(false); parent = parent->parent(); } } else { (*wit)->setHidden(true); } } list::const_iterator iter; for (iter = expand.begin(); iter != expand.end(); ++iter) { QTreeWidgetItem *item = *iter; item->setHidden(false); for (int ii = 0; ii < item->childCount(); ii++) { expand.push_back(item->child(ii)); } } if (!text.isEmpty()) this->expandAll(); } 
fwbuilder-5.3.7/src/libgui/ObjectTreeView.h000066400000000000000000000124441303637203600206150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OBJECTTREEVIEW_H_ #define __OBJECTTREEVIEW_H_ #include #include #include #include #include #include #include #include #include #include #include #include #include namespace libfwbuilder { class FWObject; }; class ProjectPanel; class ObjectTreeViewItem; class ObjectTreeView : public QTreeWidget { Q_OBJECT; QTreeWidgetItem *item_before_drag_started; QTreeWidgetItem *lastSelected; QItemSelection lastSelection; bool second_click; bool selectionFrozen; bool expandOrCollapse; bool Lockable; bool Unlockable; bool startingDrag; bool visible; bool process_mouse_release_event; std::set expanded_objects; std::vector selectedObjects; ProjectPanel* m_project; QSet resolveChildren(QTreeWidgetItem*); QSet resolveParents(QTreeWidgetItem*); QString filter; QSet expandedState; void doExpandedState(bool save, QStringList &list, QTreeWidgetItem *item); protected: bool event( QEvent *event ); virtual void dragEnterEvent( QDragEnterEvent *ev); virtual void dragMoveEvent( QDragMoveEvent *ev); virtual void dropEvent(QDropEvent *ev); virtual void dragLeaveEvent( QDragLeaveEvent *ev); virtual void 
keyPressEvent( QKeyEvent* ev ); virtual void mousePressEvent( QMouseEvent *e ); virtual void mouseReleaseEvent( QMouseEvent *e ); //virtual void mouseDoubleClickEvent( QMouseEvent *e ); virtual void mouseMoveEvent( QMouseEvent *e ); virtual void keyReleaseEvent( QKeyEvent* ev ); virtual void focusInEvent(QFocusEvent*); virtual void focusOutEvent(QFocusEvent*); virtual bool edit(const QModelIndex &index, EditTrigger trigger, QEvent *event); void startDrag(Qt::DropActions supportedActions); virtual void paintEvent(QPaintEvent *ev); void drawRow(QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index ) const; public: ObjectTreeView(ProjectPanel* project, QWidget* parent = 0, const char * name = 0, #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) Qt::WFlags f = 0); #else Qt::WindowFlags f = 0); #endif void freezeSelection(bool f) { selectionFrozen = f; } std::vector& getSelectedObjects() { return selectedObjects; } bool isSelected(libfwbuilder::FWObject* obj); int getNumSelected(); libfwbuilder::FWObject* getCurrentObject(); void editCurrentObject(); void clearLastSelected(); void becomingVisible() { visible=true; } void becomingHidden() { visible=false; } void updateAfterPrefEdit(); /* Under some circumstances, user may select several host or fw * objects so that their children objects are selected as well * (e.g. when shift-click is used). "Delete objects" or "group * objects" operations will work on all children objects, which leads * to unexpected results since it is not obvious to the user that * children objects were selected (since they are invisible). We need * to remove them from the list before we delete or perform other * actions. 
*/ std::vector getSimplifiedSelection(); void ignoreNextMouseReleaseEvent() { process_mouse_release_event = false; } void ExpandTreeItems(const std::set &ids); const std::set& getListOfExpandedObjectIds() { return expanded_objects; } void showOrHideAttributesColumn(); public slots: void itemSelectionChanged(); void resetSelection(); void currentItemChanged(QTreeWidgetItem *cur); void itemCollapsed(QTreeWidgetItem *itm); void itemExpanded(QTreeWidgetItem *itm); void itemOpened (); virtual void updateTreeIcons(); void setFilter(QString); void updateFilter(); signals: // void showObjectInfo_sign(libfwbuilder::FWObject *); void editCurrentObject_sign(); void switchObjectInEditor_sign(libfwbuilder::FWObject*); void objectDropped_sign(libfwbuilder::FWObject *); void deleteObject_sign(libfwbuilder::FWObject *); void contextMenuRequested_sign(const QPoint&); void moveItems_sign(ObjectTreeViewItem *dest, const std::list &items); }; #endif fwbuilder-5.3.7/src/libgui/ObjectTreeViewItem.cpp000066400000000000000000000053701303637203600217670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "ObjectTreeViewItem.h" #include "ObjectTreeView.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include #include #include using namespace std; using namespace libfwbuilder; ObjectTreeView* ObjectTreeViewItem::getTree() { return dynamic_cast(treeWidget()); } QVariant ObjectTreeViewItem::data(int column, int role) const { if (column == 0 && role == Qt::FontRole) { QFont item_font = QTreeWidgetItem::data(column, role).value(); FWObject *obj = getFWObject(); Firewall *o = NULL; if (obj!=NULL && ( getProperty("type")==Firewall::TYPENAME || getProperty("type")==Cluster::TYPENAME)) { o = Firewall::cast( obj ); } if (o!=NULL) { bool mf = !o->getInactive() && (o->needsCompile()) ; item_font.setBold (mf); item_font.setStrikeOut(o->getInactive()); return QVariant(item_font); } else return QVariant(item_font); } return QTreeWidgetItem::data(column, role); } static int getRank(FWObject *obj) { /* User-defined folders are first */ if (obj == 0) return 0; if (Interface::cast(obj) != 0) return 5; if (Policy::cast(obj) != 0) return 2; if (NAT::cast(obj) != 0) return 3; if (Routing::cast(obj) != 0) return 4; return 1; } bool ObjectTreeViewItem::operator<(const QTreeWidgetItem &other) const { const ObjectTreeViewItem *otvi = dynamic_cast(&other); int rank1 = getRank(otvi->objptr); int rank2 = getRank(objptr); if (rank1 == rank2) return text(0).toLower() < otvi->text(0).toLower(); return rank1 > rank2; } fwbuilder-5.3.7/src/libgui/ObjectTreeViewItem.h000066400000000000000000000046141303637203600214340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we 
release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OBJECTTREEVIEWITEM_H #define OBJECTTREEVIEWITEM_H #include #include #include #include namespace libfwbuilder { class FWObject; } class ObjectTreeView; class ObjectTreeViewItem : public QTreeWidgetItem { libfwbuilder::FWObject *objptr; libfwbuilder::FWObject *userFolderParent; QString userFolderName; QMap props; QString lib; public: ObjectTreeViewItem(QTreeWidget *parent) : QTreeWidgetItem(parent), objptr(0), userFolderParent(0) {} ObjectTreeViewItem(QTreeWidgetItem *parent) : QTreeWidgetItem(parent), objptr(0), userFolderParent(0) {} libfwbuilder::FWObject *getFWObject() const { return objptr; } libfwbuilder::FWObject *getUserFolderParent() { return userFolderParent; } void setFWObject(libfwbuilder::FWObject *obj) { objptr=obj; } void setUserFolderParent(libfwbuilder::FWObject *obj) { userFolderParent = obj; } void setUserFolderName(const QString &name) { userFolderName = name; } const QString &getUserFolderName() { return userFolderName; } ObjectTreeView* getTree(); QString getLib() { return lib; } void setLib(const QString &l) { lib=l; } QString getProperty(const QString &name) const { return props[name]; } void setProperty(const QString &name, const QString &val) { props[name]=val; } QVariant data (int column, int role) const; virtual bool operator< ( const QTreeWidgetItem & other ) const; }; #endif 
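/* ==== fwbuilder-5.3.7/src/libgui/PhysicalAddressDialog.cpp ==== */
/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "config.h"
#include "global.h"
#include "utils.h"

#include "FWBTree.h"
#include "PhysicalAddressDialog.h"
#include "ProjectPanel.h"
#include "FWCmdChange.h"

#include "fwbuilder/Library.h"
#include "fwbuilder/physAddress.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/FWException.h"

#include <QLineEdit>
#include <QMessageBox>
#include <QRegExp>
#include <QString>
#include <QUndoStack>

#include <cassert>
#include <memory>
#include <string>

using namespace std;
using namespace libfwbuilder;

/*
 * Character-set check for the physical address field: hexadecimal
 * digits and the ':', '-' and '.' separators used by the common
 * hardware-address notations. The empty string passes so an address
 * can be cleared.
 *
 * NOTE(review): this is deliberately lenient. Tighten it to an exact
 * syntax once the formats libfwbuilder accepts in physAddress are
 * confirmed; the page does not show that contract.
 */
static bool isPlausiblePhysAddress(const QString &text)
{
    QRegExp allowed("[0-9A-Fa-f:\\.\\-]*");
    return allowed.exactMatch(text);
}

PhysicalAddressDialog::PhysicalAddressDialog(QWidget *parent) :
    BaseObjectDialog(parent)
{
    m_dialog = new Ui::PhysAddressDialog_q;
    m_dialog->setupUi(this);
    obj = NULL;
    connectSignalsOfAllWidgetsToSlotChange();
}

PhysicalAddressDialog::~PhysicalAddressDialog()
{
    delete m_dialog;
}

/*
 * Load a physAddress object into the widgets. The `init` flag is set
 * while the widgets are being filled so change-slots do not treat the
 * programmatic updates as user edits. Read-only objects get their
 * inputs disabled.
 */
void PhysicalAddressDialog::loadFWObject(FWObject *o)
{
    obj = o;
    physAddress *s = dynamic_cast<physAddress*>(obj);
    assert(s != NULL);

    init = true;

    m_dialog->obj_name->setText(QString::fromUtf8(s->getName().c_str()));
    m_dialog->pAddress->setText(s->getPhysAddress().c_str());
    m_dialog->commentKeywords->loadFWObject(o);

    //apply->setEnabled( false );

    m_dialog->obj_name->setEnabled(!o->isReadOnly());
    setDisabledPalette(m_dialog->obj_name);

    m_dialog->pAddress->setEnabled(!o->isReadOnly());
    setDisabledPalette(m_dialog->pAddress);

    init = false;
}

/*
 * Validation hook called before applyChanges(). Sets *res to false
 * when the name is rejected by validateName() or when the address text
 * contains characters that cannot occur in a hardware address.
 *
 * The original accepted any text for the address; since the value is
 * stored verbatim on the object (and presumably reaches generated
 * configurations from there), rejecting it here is the cheapest place
 * to stop garbage from being committed.
 */
void PhysicalAddressDialog::validate(bool *res)
{
    *res = true;

    if (!validateName(this, obj, m_dialog->obj_name->text()))
    {
        *res = false;
        return;
    }

    QString addr = m_dialog->pAddress->text().trimmed();
    if (!isPlausiblePhysAddress(addr))
    {
        QMessageBox::critical(
            this, "Firewall Builder",
            tr("Illegal physical address '%1': expected hexadecimal digits "
               "separated by ':', '-' or '.'").arg(addr));
        *res = false;
    }
}

/*
 * Build a new object state from the widgets and push it on the undo
 * stack when it differs from the current state. Read-only objects are
 * never modified.
 *
 * std::auto_ptr is kept for compatibility with the rest of the code
 * base; it is removed in C++17, so this should become std::unique_ptr
 * when the project moves to a newer standard.
 */
void PhysicalAddressDialog::applyChanges()
{
    std::auto_ptr<FWCmdChange> cmd(new FWCmdChange(m_project, obj));
    FWObject *new_state = cmd->getNewState();
    physAddress *s = dynamic_cast<physAddress*>(new_state);
    assert(s != NULL);

    new_state->setName(string(m_dialog->obj_name->text().toUtf8().constData()));
    m_dialog->commentKeywords->applyChanges(new_state);
    s->setPhysAddress(m_dialog->pAddress->text().trimmed().toLatin1().constData());

    if (!cmd->getOldState()->cmp(new_state, true))
    {
        if (obj->isReadOnly()) return;
        m_project->undoStack->push(cmd.release());
    }
}

/* ==== fwbuilder-5.3.7/src/libgui/PhysicalAddressDialog.h ==== */
/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef __PHYSICALADDRESSDIALOG_H_
#define __PHYSICALADDRESSDIALOG_H_

#include "config.h"
#include <ui_physaddressdialog_q.h>
#include "BaseObjectDialog.h"
#include <QWidget>
#include "fwbuilder/FWObject.h"

class ProjectPanel;

/*
 * Editor dialog for physAddress objects (name, hardware address,
 * comment/keywords). Follows the BaseObjectDialog protocol:
 * loadFWObject() fills the widgets, validate() vets the input and
 * applyChanges() commits via the undo stack.
 */
class PhysicalAddressDialog : public BaseObjectDialog
{
    Q_OBJECT

    bool showNetmask;
    Ui::PhysAddressDialog_q *m_dialog;

public:
    PhysicalAddressDialog(QWidget *parent);
    ~PhysicalAddressDialog();

public slots:
    virtual void applyChanges();
    virtual void loadFWObject(libfwbuilder::FWObject *obj);
    virtual void validate(bool*);
};

#endif // __PHYSICALADDRESSDIALOG_H_

/* ==== fwbuilder-5.3.7/src/libgui/PixmapFactory.cpp ==== */
/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

  This class is a simple wrapper for QPixmapCache, it automatically
  creates pixmap if it is not found in the cache

*/

#include "config.h"
#include "global.h"
#include "utils.h"

#include "PixmapFactory.h"

#include <QPixmap>
#include <QPixmapCache>
#include <QtDebug>

using namespace std;

/*
 * Return the pixmap for `icn_filename`, loading it on first use. The
 * file name doubles as the cache key. A failed load() still inserts
 * the (null) pixmap, so a missing file is not retried until the cache
 * evicts the entry; the debug line reports isNull for that case.
 */
QPixmap PixmapFactory::getPixmap(const std::string &icn_filename)
{
    QPixmap pm;
    const QString key(icn_filename.c_str());

    if (!QPixmapCache::find(key, &pm))
    {
        pm.load(key);
        QPixmapCache::insert(key, pm);

        if (fwbdebug)
            qDebug("Created new pixmap from file %s: isNull=%d w=%d h=%d hasAlpha=%d",
                   icn_filename.c_str(),
                   pm.isNull(), pm.width(), pm.height(), pm.hasAlpha());
    }
    return pm;
}

/* ==== fwbuilder-5.3.7/src/libgui/PixmapFactory.h ==== */
/*

                          Firewall Builder

                 Copyright (C) 2006 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

/* Include guard added: the original header had none, so including it
   twice in one translation unit redefined the class. */
#ifndef PIXMAPFACTORY_H
#define PIXMAPFACTORY_H

#include <QPixmap>
#include <string>

/*
 * Thin cache-aware accessor for icon pixmaps (see PixmapFactory.cpp).
 */
class PixmapFactory
{
public:
    PixmapFactory() {}
    static QPixmap getPixmap(const std::string &icn_name);
};

#endif // PIXMAPFACTORY_H

/* ==== fwbuilder-5.3.7/src/libgui/PrefsDialog.cpp ==== */
/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

                 Copyright (C) 2013 UNINETT AS

  Author:  Sirius Bakke

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.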
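This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "config.h"
#include "global.h"
#include "check_update_url.h"
#include "../../VERSION.h"
#include "utils.h"
#include "platforms.h"

#include "PrefsDialog.h"
#include "FWBSettings.h"
#include "FWWindow.h"
#include "ProjectPanel.h"
#include "HttpGet.h"
#include "RuleSetView.h"

#include "fwbuilder/Resources.h"

#include <QCheckBox>
#include <QColor>
#include <QColorDialog>
#include <QComboBox>
#include <QDir>
#include <QFileDialog>
#include <QFileInfo>
#include <QFont>
#include <QFontDialog>
#include <QHeaderView>
#include <QIcon>
#include <QLineEdit>
#include <QMap>
#include <QMessageBox>
#include <QPainter>
#include <QPixmap>
#include <QPushButton>
#include <QRadioButton>
#include <QSpinBox>
#include <QTabWidget>
#include <QTableWidget>
#include <QTableWidgetItem>
#include <QUrl>

/*
 * A block of Qt 3 / platform-specific includes (with an _WIN32 branch)
 * was commented out here in the original; dropped as dead text.
 */

#include <sstream>
#include <string>

using namespace std;

/*
 * Populate a one-column target table (platforms or host OS) from a map
 * of internal name -> readable name. Each row is a checkable item whose
 * state comes from the user's saved status for that target, defaulting
 * to the "status" string of the target's resource file; only the value
 * "disabled" unchecks a row. The internal name is stored under
 * Qt::UserRole so accept() can map rows back to targets after sorting.
 *
 * `res` is Resources::platform_res or Resources::os_res. The original
 * indexed it unconditionally (a NULL entry would have been
 * dereferenced); a missing or NULL entry now yields an empty default
 * status instead.
 */
template <class ResourceMap>
static void fillTargetTable(QTableWidget *tbl,
                            const QMap<QString, QString> &targets,
                            ResourceMap &res)
{
    tbl->setRowCount(targets.size());
    tbl->setColumnCount(1);

    int row = 0;
    QMap<QString, QString>::const_iterator it;
    for (it = targets.begin(); it != targets.end(); ++it, ++row)
    {
        const QString name = it.key();
        const QString readable_name = it.value();

        QTableWidgetItem *cb = new QTableWidgetItem(readable_name);
        tbl->setItem(row, 0, cb);

        QString res_status;
        const std::string key = name.toStdString();
        if (res.count(key) != 0 && res[key] != NULL)
            res_status = res[key]->getResourceStr(
                "/FWBuilderResources/Target/status/").c_str();

        QString prefs_status = st->getTargetStatus(name, res_status);
        cb->setCheckState((prefs_status == "disabled") ? Qt::Unchecked : Qt::Checked);
        cb->setData(Qt::UserRole, name);
    }

    tbl->horizontalHeader()->setStretchLastSection(true);
    tbl->sortItems(0);
    tbl->update();
}

/*
 * Persist the checked state of every row of a target table filled by
 * fillTargetTable(). QTableWidget::item() returns NULL for an empty
 * cell; the original dereferenced the item before its NULL check, so
 * the check is now done first and empty cells are skipped.
 */
static void saveTargetTable(QTableWidget *tbl)
{
    for (int row = 0; row < tbl->rowCount(); ++row)
    {
        QTableWidgetItem *itm = tbl->item(row, 0);
        if (itm == NULL) continue;

        st->setTargetStatus(itm->data(Qt::UserRole).toString(),
                            (itm->checkState() == Qt::Unchecked) ? "disabled" : "active");
    }
}

/*
 * Paint a 40x14 swatch of `colorCode` (anything QColor(QString)
 * understands) with a thin outline and use it as the button's icon.
 */
void PrefsDialog::setButtonColor(QPushButton *btn, const QString &colorCode)
{
    QPixmap pm(40, 14);
    pm.fill(QColor(colorCode));
    QPainter p(&pm);
    p.drawRect(pm.rect());
    btn->setIcon(QIcon(pm));
}

PrefsDialog::~PrefsDialog()
{
    // The original source had this address-of operator mangled as
    // "&curren;" by the extraction; it is the update-check signal.
    disconnect(&current_version_http_getter, SIGNAL(done(const QString&)),
               this, SLOT(checkForUpgrade(const QString&)));
    delete m_dialog;
}

/*
 * Build the preferences dialog and load every widget from the global
 * settings object `st`. Nothing is written back until accept().
 */
PrefsDialog::PrefsDialog(QWidget *parent) : QDialog(parent)
{
    m_dialog = new Ui::prefsDialog_q;
    m_dialog->setupUi(this);
    m_dialog->tabWidget->setCurrentIndex(0);

    // --- General: directories and tooltips
    m_dialog->wDir->setText(st->getWDir());
    m_dialog->dataDir->setText(st->getDataDir());

    m_dialog->objTooltips->setChecked(st->getObjTooltips());
    m_dialog->advTooltipMode->setChecked(st->getBool("UI/AdvancedTooltips"));
    m_dialog->advTooltipMode->setEnabled(st->getObjTooltips());
    // m_dialog->tooltipDelay->setValue( st->getTooltipDelay() );

    m_dialog->enableCustomTemplates->setChecked(st->customTemplatesEnabled());
    m_dialog->deletedObj->setChecked(st->getBool("UI/ShowDeletedObjects"));
    m_dialog->attributesInTree->setChecked(st->getBool("UI/ShowObjectsAttributesInTree"));

    // --- Objects: defaults for new DNSName / AddressTable objects
    m_dialog->new_dns_name_compile_tm->setChecked(
        st->getBool("Objects/DNSName/useCompileTimeForNewObjects"));
    m_dialog->new_dns_name_run_tm->setChecked(
        !st->getBool("Objects/DNSName/useCompileTimeForNewObjects"));
    m_dialog->use_name_for_dns_record->setChecked(
        st->getBool("Objects/DNSName/useNameForDNSRecord"));

    m_dialog->new_addr_tbl_compile_tm->setChecked(
        st->getBool("Objects/AddressTable/useCompileTimeForNewObjects"));
    m_dialog->new_addr_tbl_run_tm->setChecked(
        !st->getBool("Objects/AddressTable/useCompileTimeForNewObjects"));

    // --- Data file handling
    m_dialog->toolbarIconsText->setChecked(st->getIconsWithText());
    m_dialog->emptyRCSLog->setChecked(st->getRCSLogState());
    m_dialog->autosaveFile->setChecked(st->getBool("Environment/autoSaveFile"));
    m_dialog->autosaveInterval->setValue(st->getInt("Environment/autoSaveFilePeriod"));
    m_dialog->dataFileCompression->setChecked(st->getCompression());
    // dontSaveStdLib->setChecked( st->getDontSaveStdLib() );

    // --- Installer: external tools and credentials
    // NOTE(review): these are paths to executables the installer will
    // run later; how they are launched is not visible here. Prefer
    // absolute paths so a writable directory on PATH cannot substitute
    // the binary.
    m_dialog->sshPath->setText(st->getSSHPath());
    m_dialog->scpPath->setText(st->getSCPPath());
    m_dialog->sshTimeout->setValue(st->getSSHTimeout());
    // NOTE(review): this only toggles the flag; where the remembered
    // SSH password is stored and whether it is protected at rest is
    // decided by the installer code, not here -- confirm before
    // relying on it.
    m_dialog->rememberSshPass->setChecked(st->getBool("Environment/RememberSshPassEnabled"));

    m_dialog->autoCompileChk->setChecked(st->getBool("/Diff/AutoCompile"));
    m_dialog->diffPath->setText(st->getDiffPath());

    m_dialog->showTips->setChecked(st->getBool("UI/NoStartTip"));

    // --- Defaults for new policy rules
    m_dialog->rulesLoggingOn->setChecked(st->getBool("Objects/PolicyRule/defaultLoggingState"));
    m_dialog->rulesDefaultStateful->setChecked(st->getBool("Objects/PolicyRule/defaultStateful"));
    m_dialog->rulesDefaultAction->setCurrentIndex(st->getInt("Objects/PolicyRule/defaultAction"));
    m_dialog->rulesDefaultDirection->setCurrentIndex(st->getInt("Objects/PolicyRule/defaultDirection"));
    m_dialog->rulesDefaultSource->setCurrentIndex(st->getInt("Objects/PolicyRule/defaultSource"));
    m_dialog->rulesDefaultDestination->setCurrentIndex(st->getInt("Objects/PolicyRule/defaultDestination"));
    m_dialog->rulesDefaultService->setCurrentIndex(st->getInt("Objects/PolicyRule/defaultService"));
    m_dialog->rulesDefaultInterface->setCurrentIndex(st->getInt("Objects/PolicyRule/defaultInterface"));

    m_dialog->autoconfigure_interfaces->setChecked(
        st->getBool("Objects/Interface/autoconfigureInterfaces"));

    // --- Label colors and their captions
    colors[FWBSettings::RED] = st->getLabelColor(FWBSettings::RED);
    setButtonColor(m_dialog->redBtn, colors[FWBSettings::RED]);
    m_dialog->redText->setText(st->getLabelText(FWBSettings::RED));

    colors[FWBSettings::ORANGE] = st->getLabelColor(FWBSettings::ORANGE);
    setButtonColor(m_dialog->orangeBtn, colors[FWBSettings::ORANGE]);
    m_dialog->orangeText->setText(st->getLabelText(FWBSettings::ORANGE));

    colors[FWBSettings::YELLOW] = st->getLabelColor(FWBSettings::YELLOW);
    setButtonColor(m_dialog->yellowBtn, colors[FWBSettings::YELLOW]);
    m_dialog->yellowText->setText(st->getLabelText(FWBSettings::YELLOW));

    colors[FWBSettings::GREEN] = st->getLabelColor(FWBSettings::GREEN);
    setButtonColor(m_dialog->greenBtn, colors[FWBSettings::GREEN]);
    m_dialog->greenText->setText(st->getLabelText(FWBSettings::GREEN));

    colors[FWBSettings::BLUE] = st->getLabelColor(FWBSettings::BLUE);
    setButtonColor(m_dialog->blueBtn, colors[FWBSettings::BLUE]);
    m_dialog->blueText->setText(st->getLabelText(FWBSettings::BLUE));

    colors[FWBSettings::PURPLE] = st->getLabelColor(FWBSettings::PURPLE);
    setButtonColor(m_dialog->purpleBtn, colors[FWBSettings::PURPLE]);
    m_dialog->purpleText->setText(st->getLabelText(FWBSettings::PURPLE));

    colors[FWBSettings::GRAY] = st->getLabelColor(FWBSettings::GRAY);
    setButtonColor(m_dialog->grayBtn, colors[FWBSettings::GRAY]);
    m_dialog->grayText->setText(st->getLabelText(FWBSettings::GRAY));

    // --- Rule set appearance
    m_dialog->chShowIcons->setChecked(st->getShowIconsInRules());
    m_dialog->showDirectionText->setChecked(st->getShowDirectionText());

    if (FWBSettings::SIZE25X25 == st->getIconsInRulesSize())
        m_dialog->rb25->setChecked(true);
    else
        m_dialog->rb16->setChecked(true);

    changeShowIcons();

    rulesFont = st->getRulesFont();
    treeFont = st->getTreeFont();
    uiFont = st->getUiFont();
    compilerOutputFont = st->getCompilerOutputFont();

    m_dialog->rulesFontDescr->setText(getFontDescription(rulesFont));
    m_dialog->treeFontDescr->setText(getFontDescription(treeFont));
    m_dialog->compilerOutputFontDescr->setText(getFontDescription(compilerOutputFont));

    m_dialog->chClipComment->setChecked(st->getClipComment());
    m_dialog->checkUpdates->setChecked(st->getCheckUpdates());
    m_dialog->checkUpdatesProxy->setText(st->getCheckUpdatesProxy());

#if !defined(Q_OS_WIN32)
    m_dialog->plink_hint->hide();
#endif

    // --- Diff viewer
    colors[FWBSettings::ADD_COLOR] = st->getDiffColor(FWBSettings::ADD_COLOR);
    setButtonColor(m_dialog->addColorBtn, colors[FWBSettings::ADD_COLOR]);

    colors[FWBSettings::EDIT_COLOR] = st->getDiffColor(FWBSettings::EDIT_COLOR);
    setButtonColor(m_dialog->editColorBtn, colors[FWBSettings::EDIT_COLOR]);

    colors[FWBSettings::MOVE_COLOR] = st->getDiffColor(FWBSettings::MOVE_COLOR);
    setButtonColor(m_dialog->moveColorBtn, colors[FWBSettings::MOVE_COLOR]);

    colors[FWBSettings::REMOVE_COLOR] = st->getDiffColor(FWBSettings::REMOVE_COLOR);
    setButtonColor(m_dialog->removeColorBtn, colors[FWBSettings::REMOVE_COLOR]);

    m_dialog->displayUnmodifiedRulesChk->setChecked(st->getDisplayUnmodifiedRules());

    // --- Enabled platforms and host OS
    fillTargetTable(m_dialog->enabled_platforms, getAllPlatforms(false),
                    Resources::platform_res);
    fillTargetTable(m_dialog->enabled_os, getAllOS(false),
                    Resources::os_res);
}

/* "<family> <point size>" label shown next to the font buttons. */
QString PrefsDialog::getFontDescription(const QFont &font)
{
    ostringstream str;
    str << font.family().toLatin1().constData() << " " << font.pointSize();
    return QString(str.str().c_str());
}

/*
 * Let the user pick a new color for `colorCode`; a cancelled dialog
 * (invalid color) leaves the current value alone.
 */
void PrefsDialog::changeColor(QPushButton *btn, FWBSettings::LabelColors colorCode)
{
    QColor clr = QColorDialog::getColor(QColor(colors[colorCode]), this);
    if (!clr.isValid()) return;
    colors[colorCode] = clr.name();
    setButtonColor(btn, colors[colorCode]);
}

void PrefsDialog::changeRedColor()    { changeColor(m_dialog->redBtn,    FWBSettings::RED); }
void PrefsDialog::changeOrangeColor() { changeColor(m_dialog->orangeBtn, FWBSettings::ORANGE); }
void PrefsDialog::changeYellowColor() { changeColor(m_dialog->yellowBtn, FWBSettings::YELLOW); }
void PrefsDialog::changeGreenColor()  { changeColor(m_dialog->greenBtn,  FWBSettings::GREEN); }
void PrefsDialog::changeBlueColor()   { changeColor(m_dialog->blueBtn,   FWBSettings::BLUE); }
void PrefsDialog::changePurpleColor() { changeColor(m_dialog->purpleBtn, FWBSettings::PURPLE); }
void PrefsDialog::changeGrayColor()   { changeColor(m_dialog->grayBtn,   FWBSettings::GRAY); }

void PrefsDialog::changeAddColor()    { changeColor(m_dialog->addColorBtn,    FWBSettings::ADD_COLOR); }
void PrefsDialog::changeEditColor()   { changeColor(m_dialog->editColorBtn,   FWBSettings::EDIT_COLOR); }
void PrefsDialog::changeMoveColor()   { changeColor(m_dialog->moveColorBtn,   FWBSettings::MOVE_COLOR); }
void PrefsDialog::changeRemoveColor() { changeColor(m_dialog->removeColorBtn, FWBSettings::REMOVE_COLOR); }

/* Icon size is only committed in accept(); these slots are intentionally empty. */
void PrefsDialog::changeIconSize25()
{
    //st->setIconsInRulesSize(FWBSettings::SIZE25X25);
}

void PrefsDialog::changeIconSize16()
{
    //st->setIconsInRulesSize(FWBSettings::SIZE16X16);
}

/* The size radio buttons only make sense while icons are shown at all. */
void PrefsDialog::changeShowIcons()
{
    bool areShown = m_dialog->chShowIcons->isChecked();
    m_dialog->rb16->setEnabled(areShown);
    m_dialog->rb25->setEnabled(areShown);
}

void PrefsDialog::changeRulesFont()
{
    changeFont(rulesFont);
    m_dialog->rulesFontDescr->setText(getFontDescription(rulesFont));
}

void PrefsDialog::changeTreeFont()
{
    changeFont(treeFont);
    m_dialog->treeFontDescr->setText(getFontDescription(treeFont));
}

void PrefsDialog::changeCompilerOutputFont()
{
    changeFont(compilerOutputFont);
    m_dialog->compilerOutputFontDescr->setText(getFontDescription(compilerOutputFont));
}

/* Replace `font` with the user's choice; a cancelled dialog keeps it. */
void PrefsDialog::changeFont(QFont &font)
{
    bool ok;
    QFont f = QFontDialog::getFont(&ok, font, this);
    if (ok) font = f;
}

/*
 * Directory/file pickers. Each starts from the text in the field,
 * then the saved setting, then the last "open file" directory, and
 * records the chosen location as the new "open file" directory.
 */
void PrefsDialog::findWDir()
{
    QString wd = m_dialog->wDir->text();
    if (wd.isEmpty()) wd = st->getWDir();
    if (wd.isEmpty()) wd = st->getOpenFileDir();

    QString dir = QFileDialog::getExistingDirectory(
        this, tr("Find working directory"), wd, QFileDialog::ShowDirsOnly);
    if (dir.isEmpty()) return;

    st->setOpenFileDir(dir);
    m_dialog->wDir->setText(dir);
}

void PrefsDialog::findDataDir()
{
    QString dataDir = m_dialog->dataDir->text();
    if (dataDir.isEmpty()) dataDir = st->getDataDir();
    if (dataDir.isEmpty()) dataDir = st->getOpenFileDir();

    QString dir = QFileDialog::getExistingDirectory(
        this, tr("Find data directory"), dataDir, QFileDialog::ShowDirsOnly);
    if (dir.isEmpty()) return;

    st->setOpenFileDir(dir);
    m_dialog->dataDir->setText(dir);
}

void PrefsDialog::findSSH()
{
    QString sshPath = m_dialog->sshPath->text();
    if (!QFileInfo(sshPath).isFile()) sshPath = st->getSSHPath();
    if (!QFileInfo(sshPath).isFile()) sshPath = st->getOpenFileDir();

    QString fp = QFileDialog::getOpenFileName(
        this, tr("Find Secure Shell utility"), sshPath);
    if (fp.isEmpty()) return;

    st->setOpenFileDir(fp);
    m_dialog->sshPath->setText(fp);
}

void PrefsDialog::findSCP()
{
    QString scpPath = m_dialog->scpPath->text();
    if (!QFileInfo(scpPath).isFile()) scpPath = st->getSCPPath();
    if (!QFileInfo(scpPath).isFile()) scpPath = st->getOpenFileDir();

    QString fp = QFileDialog::getOpenFileName(
        this, tr("Find SCP utility"), scpPath);
    if (fp.isEmpty()) return;

    st->setOpenFileDir(fp);
    m_dialog->scpPath->setText(fp);
}

void PrefsDialog::findDiff()
{
    QString diffPath = m_dialog->diffPath->text();
    if (!QFileInfo(diffPath).isFile()) diffPath = st->getDiffPath();
    if (!QFileInfo(diffPath).isFile()) diffPath = st->getOpenFileDir();

    QString fp = QFileDialog::getOpenFileName(
        this, tr("Find Diff utility"), diffPath);
    if (fp.isEmpty()) return;

    st->setOpenFileDir(fp);
    m_dialog->diffPath->setText(fp);
}

/*
 * OK button: write every widget back to `st`, apply the settings that
 * take effect immediately (tree attributes column, auto-save, fonts,
 * toolbar) and close. The working directory is created if it does not
 * exist yet (QDir::mkdir, relative to the current directory when the
 * path is relative).
 */
void PrefsDialog::accept()
{
    QString wd = m_dialog->wDir->text();

    st->setWDir(wd);
    st->setDataDir(m_dialog->dataDir->text());

    st->setObjTooltips(m_dialog->objTooltips->isChecked());
    st->setBool("UI/AdvancedTooltips", m_dialog->advTooltipMode->isChecked());
    st->setCustomTemplatesEnabled(m_dialog->enableCustomTemplates->isChecked());
    // st->setTooltipDelay( m_dialog->tooltipDelay->value() );
    // QToolTip::setWakeUpDelay( st->getTooltipDelay()*1000 );

    st->setBool("UI/ShowDeletedObjects", m_dialog->deletedObj->isChecked());
    st->setBool("UI/ShowObjectsAttributesInTree", m_dialog->attributesInTree->isChecked());
    st->setIconsWithText(m_dialog->toolbarIconsText->isChecked());

    ProjectPanel *pp = mw->activeProject();
    if (pp)
    {
        pp->m_panel->om->setAttributesColumnEnabled(m_dialog->attributesInTree->isChecked());
        if (m_dialog->attributesInTree->isChecked())
            pp->m_panel->om->loadSectionSizes();
    }

    st->setBool("Objects/DNSName/useCompileTimeForNewObjects",
                m_dialog->new_dns_name_compile_tm->isChecked());
    st->setBool("Objects/DNSName/useNameForDNSRecord",
                m_dialog->use_name_for_dns_record->isChecked());
    st->setBool("Objects/AddressTable/useCompileTimeForNewObjects",
                m_dialog->new_addr_tbl_compile_tm->isChecked());

    st->setBool("Objects/PolicyRule/defaultLoggingState", m_dialog->rulesLoggingOn->isChecked());
    st->setBool("Objects/PolicyRule/defaultStateful", m_dialog->rulesDefaultStateful->isChecked());
    st->setInt("Objects/PolicyRule/defaultAction", m_dialog->rulesDefaultAction->currentIndex());
    st->setInt("Objects/PolicyRule/defaultDirection", m_dialog->rulesDefaultDirection->currentIndex());
    st->setInt("Objects/PolicyRule/defaultSource", m_dialog->rulesDefaultSource->currentIndex());
    st->setInt("Objects/PolicyRule/defaultDestination", m_dialog->rulesDefaultDestination->currentIndex());
    st->setInt("Objects/PolicyRule/defaultService", m_dialog->rulesDefaultService->currentIndex());
    st->setInt("Objects/PolicyRule/defaultInterface", m_dialog->rulesDefaultInterface->currentIndex());

    st->setBool("Objects/Interface/autoconfigureInterfaces",
                m_dialog->autoconfigure_interfaces->isChecked());

    st->setRCSLogState(m_dialog->emptyRCSLog->isChecked());
    st->setBool("Environment/autoSaveFile", m_dialog->autosaveFile->isChecked());
    st->setInt("Environment/autoSaveFilePeriod", m_dialog->autosaveInterval->value());
    st->setCompression(m_dialog->dataFileCompression->isChecked());
    // st->setDontSaveStdLib( dontSaveStdLib->isChecked() );

    st->setLabelColor(FWBSettings::RED,    colors[FWBSettings::RED]);
    st->setLabelColor(FWBSettings::ORANGE, colors[FWBSettings::ORANGE]);
    st->setLabelColor(FWBSettings::YELLOW, colors[FWBSettings::YELLOW]);
    st->setLabelColor(FWBSettings::GREEN,  colors[FWBSettings::GREEN]);
    st->setLabelColor(FWBSettings::BLUE,   colors[FWBSettings::BLUE]);
    st->setLabelColor(FWBSettings::PURPLE, colors[FWBSettings::PURPLE]);
    st->setLabelColor(FWBSettings::GRAY,   colors[FWBSettings::GRAY]);

    st->setLabelText(FWBSettings::RED,    m_dialog->redText->text());
    st->setLabelText(FWBSettings::ORANGE, m_dialog->orangeText->text());
    st->setLabelText(FWBSettings::YELLOW, m_dialog->yellowText->text());
    st->setLabelText(FWBSettings::GREEN,  m_dialog->greenText->text());
    st->setLabelText(FWBSettings::BLUE,   m_dialog->blueText->text());
    st->setLabelText(FWBSettings::PURPLE, m_dialog->purpleText->text());
    st->setLabelText(FWBSettings::GRAY,   m_dialog->grayText->text());

    st->setShowIconsInRules(m_dialog->chShowIcons->isChecked());
    st->setShowDirectionText(m_dialog->showDirectionText->isChecked());

    FWBSettings::IconSize sz = m_dialog->rb25->isChecked() ?
        FWBSettings::SIZE25X25 : FWBSettings::SIZE16X16;
    st->setIconsInRulesSize(sz);

    st->setRulesFont(rulesFont);
    st->setTreeFont(treeFont);
    st->setUiFont(uiFont);
    st->setCompilerOutputFont(compilerOutputFont);

    st->setClipComment(m_dialog->chClipComment->isChecked());
    st->setCheckUpdatesProxy(m_dialog->checkUpdatesProxy->text());

    // annoyingly, widget showTips has the name opposite to its meaning.
    // When it is checked, we do not show tip of the day.
    st->setBool("UI/NoStartTip", m_dialog->showTips->isChecked());

    st->setSSHPath(m_dialog->sshPath->text());
    st->setSCPPath(m_dialog->scpPath->text());
    st->setSSHTimeout(m_dialog->sshTimeout->value());

    st->setBool("/Diff/AutoCompile", m_dialog->autoCompileChk->isChecked());
    st->setDiffPath(m_dialog->diffPath->text());

    st->setBool("Environment/RememberSshPassEnabled", m_dialog->rememberSshPass->isChecked());
    st->setCheckUpdates(m_dialog->checkUpdates->isChecked());

    st->setDiffColor(FWBSettings::ADD_COLOR,    colors[FWBSettings::ADD_COLOR]);
    st->setDiffColor(FWBSettings::EDIT_COLOR,   colors[FWBSettings::EDIT_COLOR]);
    st->setDiffColor(FWBSettings::MOVE_COLOR,   colors[FWBSettings::MOVE_COLOR]);
    st->setDiffColor(FWBSettings::REMOVE_COLOR, colors[FWBSettings::REMOVE_COLOR]);

    st->setDisplayUnmodifiedRules(m_dialog->displayUnmodifiedRulesChk->isChecked());

    saveTargetTable(m_dialog->enabled_platforms);
    saveTargetTable(m_dialog->enabled_os);

    if (!wd.isEmpty())
    {
        QDir d;
        d.mkdir(wd);
    }

    if (pp)
    {
        RuleSetView *rsv = pp->getCurrentRuleSetView();
        if (rsv) rsv->updateAll();
    }

    mw->setupAutoSave();
    mw->showDeletedObjects(st->getBool("UI/ShowDeletedObjects"));
    mw->updateTreeFont();
    mw->setupGlobalToolbar();
    // app->setFont(st->getTreeFont());

    QDialog::accept();
}

/*
 * Start an asynchronous "is a newer version available" request. The
 * request URL (template in check_update_url.h; its scheme is not
 * visible here) carries the running VERSION and the per-installation
 * GUID from st->getAppGUID(), i.e. it identifies this installation to
 * the update server.
 *
 * Qt::UniqueConnection keeps repeated clicks from stacking duplicate
 * connections; the original connected on every call, so each extra
 * click before the reply arrived would have produced an extra
 * message box.
 */
void PrefsDialog::checkSwUpdates()
{
    st->setCheckUpdatesProxy(m_dialog->checkUpdatesProxy->text());

    connect(&current_version_http_getter, SIGNAL(done(const QString&)),
            this, SLOT(checkForUpgrade(const QString&)),
            Qt::UniqueConnection);

    QString url = QString(CHECK_UPDATE_URL).arg(VERSION).arg(st->getAppGUID());
    current_version_http_getter.get(QUrl(url));
}

/*
 * Slot for the update reply. Only the exact body "update = 1" means
 * "newer version available"; anything else (including HTML injected by
 * a captive portal or proxy) is reported as up to date. Nothing is
 * downloaded or executed as a result of this check, so someone who can
 * tamper with the reply can at most show a misleading "new version"
 * message that points at the project web site.
 */
void PrefsDialog::checkForUpgrade(const QString &server_response)
{
    disconnect(&current_version_http_getter, SIGNAL(done(const QString&)),
               this, SLOT(checkForUpgrade(const QString&)));

    if (!current_version_http_getter.getStatus())
    {
        QMessageBox::critical(
            this, "Firewall Builder",
            tr("Error checking for software updates:\n%1")
                .arg(current_version_http_getter.getLastError()));
        return;
    }

    if (server_response.trimmed() == "update = 1")
    {
        QMessageBox::warning(
            this, "Firewall Builder",
            tr("A new version of Firewall Builder is available at"
               " http://www.fwbuilder.org"));
    }
    else
    {
        QMessageBox::information(
            this, "Firewall Builder",
            tr("Your version of Firewall Builder is up to date."));
    }
}

/* Advanced tooltips require object tooltips; clear and disable otherwise. */
void PrefsDialog::objTooltipsEnabled(bool enabled)
{
    if (!enabled && m_dialog->advTooltipMode->isChecked())
        m_dialog->advTooltipMode->setChecked(false);
    m_dialog->advTooltipMode->setEnabled(enabled);
}

/*
 * Switch to the tab whose title equals `name`; no-op when absent.
 * The original started the scan at index count(), one past the last
 * tab (Qt tolerates it, but it is still out of range).
 */
void PrefsDialog::selectTab(const QString &name)
{
    for (int i = m_dialog->tabWidget->count() - 1; i >= 0; --i)
    {
        if (m_dialog->tabWidget->tabText(i) == name)
        {
            m_dialog->tabWidget->setCurrentIndex(i);
            return;
        }
    }
}

/* ==== fwbuilder-5.3.7/src/libgui/PrefsDialog.h ==== */
/*

                          Firewall Builder

                 Copyright (C) 2004 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.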
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PREFSDIALOG_H_ #define __PREFSDIALOG_H_ #include "config.h" #include #include "FWBSettings.h" #include "HttpGet.h" #include #include #include #include #include class QPushButton; class QTreeWidgetItem; class PrefsDialog : public QDialog { Q_OBJECT void setButtonColor(QPushButton *btn,const QString &colorCode); void changeColor(QPushButton *btn,FWBSettings::LabelColors colorCode); std::map colors; Ui::prefsDialog_q *m_dialog; HttpGet current_version_http_getter; QFont rulesFont; QFont treeFont; QFont uiFont; QFont compilerOutputFont; void changeFont(QFont &font); public: PrefsDialog(QWidget *parent); ~PrefsDialog(); QString getFontDescription(const QFont &font); public slots: virtual void accept(); virtual void findWDir(); virtual void findDataDir(); virtual void findSSH(); virtual void findSCP(); virtual void findDiff(); virtual void changeRedColor(); virtual void changeOrangeColor(); virtual void changeYellowColor(); virtual void changeGreenColor(); virtual void changeBlueColor(); virtual void changePurpleColor(); virtual void changeGrayColor(); virtual void changeAddColor(); virtual void changeEditColor(); virtual void changeMoveColor(); virtual void changeRemoveColor(); virtual void changeIconSize25(); virtual void changeIconSize16(); virtual void changeShowIcons(); virtual void changeRulesFont(); virtual void changeTreeFont(); virtual void changeCompilerOutputFont(); virtual void checkSwUpdates(); virtual void checkForUpgrade(const QString&); virtual void objTooltipsEnabled(bool); void selectTab(const QString &name); }; #endif // __PREFSDIALOG_H fwbuilder-5.3.7/src/libgui/PrintingController.cpp000066400000000000000000000443431303637203600221300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software 
which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "RuleSetView.h" #include "FWBSettings.h" #include "FWObjectPropertiesFactory.h" #include "ProjectPanel.h" #include "PrintingController.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/Interface.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" #include "fwbuilder/RuleElement.h" #include #include #include #include using namespace libfwbuilder; using namespace std; QString legendList[] = { Firewall::TYPENAME, QObject::tr("Firewall"), Host::TYPENAME, QObject::tr("Host"), IPv4::TYPENAME, QObject::tr("Address"), IPv6::TYPENAME, QObject::tr("Address"), 
AddressRange::TYPENAME, QObject::tr("Addres Range"), Interface::TYPENAME, QObject::tr("Interface"), Network::TYPENAME, QObject::tr("Network"), ObjectGroup::TYPENAME, QObject::tr("Group of objects"), CustomService::TYPENAME, QObject::tr("Custom Service"), IPService::TYPENAME, QObject::tr("IP Service"), ICMPService::TYPENAME, QObject::tr("ICMP Service"), ICMP6Service::TYPENAME, QObject::tr("ICMP Service"), TCPService::TYPENAME, QObject::tr("TCP Service"), UDPService::TYPENAME, QObject::tr("UDP Service"), ServiceGroup::TYPENAME, QObject::tr("Group of services"), Interval::TYPENAME, QObject::tr("Time Interval"), "", "" }; class pixmapOrText { public: QString text; QPixmap pixmap; pixmapOrText(const QString &t,const QPixmap &w); }; pixmapOrText::pixmapOrText(const QString &t,const QPixmap &w) : text(t), pixmap(w) { } list PrintingController::findAllUsedByType(list &result, FWObject *obj, const string &type_name) { if (RuleElement::cast(obj)!=NULL) { for (list::iterator m=obj->begin(); m!=obj->end(); m++) { FWObject *o=*m; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); if (o->getTypeName()==type_name) result.push_back(o); } } if (RuleSet::cast(obj)!=NULL) { for (list::iterator m=obj->begin(); m!=obj->end(); m++) { if (Rule::cast(*m)!=NULL) { for (list::iterator n=(*m)->begin(); n!=(*m)->end(); n++) { if (RuleElement::cast(*n)!=NULL) { findAllUsedByType(result,*n,type_name); } } } } } if (Firewall::cast(obj)) // cast matches Firewall and Cluster { FWObject *ruleSet; const char* const child_types[] = {Policy::TYPENAME, NAT::TYPENAME, Routing::TYPENAME, NULL}; for (const char* const *cptr = child_types; *cptr; ++cptr) { for (FWObjectTypedChildIterator it = obj->findByType(*cptr); it != it.end(); ++it) { ruleSet = *it; findAllUsedByType(result, ruleSet, type_name); } } result.sort(); result.unique(); } return result; } int PrintingController::addObjectsToTable(list &objects, QTableWidget *tbl, int &row, int &col) { int added =0; string 
icon_path="/FWBuilderResources/Type/"; QPixmap bfr(32,32); QPainter bfrp(&bfr); for (list::iterator i=objects.begin(); i!=objects.end(); ++i) { if (Address::cast(*i)!=NULL && Address::cast(*i)->isAny()) continue; if (Service::cast(*i)!=NULL && Service::cast(*i)->isAny()) continue; if (Interval::cast(*i)!=NULL && Interval::cast(*i)->isAny()) continue; if (col>=tbl->columnCount()) { col = 0; row++; tbl->insertRow(row); } string type_name = (*i)->getTypeName(); QString icn = (":/Icons/"+type_name+"/icon").c_str(); QPixmap pm; if ( ! QPixmapCache::find( icn, pm) ) { pm.load( icn ); QPixmapCache::insert( icn, pm); } bfrp.fillRect(0,0,32,32,QColor("white")); bfrp.drawPixmap(4,4,pm); tbl->setItem(row,col, new QTableWidgetItem(QIcon(bfr), QString::fromUtf8((*i)->getName().c_str()))); QString descr = FWObjectPropertiesFactory::getObjectProperties(*i); QString comment = QString::fromUtf8((*i)->getComment().c_str()); // collapse paragraphs //comment.replace("\n\n", " "); //comment.replace("\n", ""); //comment.replace(" ", "\n"); tbl->setItem(row,col+1, new QTableWidgetItem(descr)); tbl->setItem(row,col+2, new QTableWidgetItem(comment)); //tbl->item(row,col+2)->setWordWrap(true); added++; if (fwbdebug) qDebug("objTbl: row=%d col=%d '%s'", row, col, (*i)->getName().c_str()); col = col+3; } return added; } bool PrintingController::addObjectsByTypeToTable(FWObject *parent, const string &type_name, QTableWidget *tbl, int &row, int &col) { list objects; findAllUsedByType(objects, parent, type_name); int added = addObjectsToTable(objects, tbl, row, col); if (fwbdebug) qDebug("Objects table: type %s, added %d", type_name.c_str(), added); if (added) { if (col!=0) { row++; col=0; tbl->insertRow(row); } return true; } return false; } void PrintingController::findAllGroups(list &objects, list &groups) { if (fwbdebug) qDebug("findAllGroups: arg1 size %d", int(objects.size())); for (FWObject::iterator obj=objects.begin(); obj!=objects.end(); ++obj) { if (fwbdebug) qDebug(" 
%s",(*obj)->getName().c_str()); FWObject *o = *obj; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); if (Group::cast(o)!=NULL && std::find(groups.begin(),groups.end(),o)==groups.end()) { groups.push_back(o); if (fwbdebug) qDebug("Add group %s to groups",o->getName().c_str()); findAllGroups(*o,groups); } } } void PrintingController::printRuleSet(FWObject *fw, const string &ruleset_type_name, ProjectPanel *project) { FWObjectTypedChildIterator j =fw->findByType(ruleset_type_name); for ( ; j!=j.end(); ++j ) { RuleSet * ruleset = RuleSet::cast(*j) ; QString name = QObject::tr("Policy: "); name += ruleset->getName().c_str(); pr->printText("\n"); pr->printText(name); RuleSetView *ruleView = RuleSetView::getRuleSetViewByType( project, ruleset, NULL); ruleView->setSizePolicy( QSizePolicy( (QSizePolicy::Policy)7, (QSizePolicy::Policy)7) ); ruleView->setHorizontalScrollBarPolicy(Qt::ScrollBarAlwaysOff); ruleView->setVerticalScrollBarPolicy(Qt::ScrollBarAlwaysOff); ruleView->setMaximumHeight(pr->getPageHeight()); ruleView->restoreCollapsedGroups(); if (fwbdebug) qDebug("Viewport: %dx%d", ruleView->viewport()->width(),ruleView->viewport()->height()); if (fwbdebug) qDebug("Size: %dx%d",ruleView->width(),ruleView->height()); pr->printRuleSetView(ruleView); delete ruleView; } } void PrintingController::printFirewall(FWObject *fw, ProjectPanel *project) { if (Firewall::cast(fw)==NULL) return ; string platform = fw->getStr("platform"); string version = fw->getStr("version"); string hostOS = fw->getStr("host_OS"); QString readableVersion = getVersionString(QString(platform.c_str()), QString(version.c_str())); pr->beginPage(); // resets yPos pr->printText(QObject::tr("Firewall name: %1").arg( QString::fromUtf8(fw->getName().c_str()))); pr->printText(QObject::tr("Platform: ") + platform.c_str()); pr->printText(QObject::tr("Version: ") + readableVersion); pr->printText(QObject::tr("Host OS: ") + hostOS.c_str()); const char* const child_types[] = {Policy::TYPENAME, 
NAT::TYPENAME, Routing::TYPENAME, NULL}; for (const char* const *cptr = child_types; *cptr; ++cptr) { if (fwbdebug) qDebug("******** %s", *cptr); printRuleSet(fw, *cptr, project); } } void PrintingController::printLegend(bool newPageForSection) { if (fwbdebug) qDebug("******** Legend"); if (newPageForSection) { pr->flushPage(); pr->beginPage(); // resets yPos } else pr->printText("\n"); pr->printText(QObject::tr("Legend")); pr->printText(" "); QTableWidget *legendTbl = new QTableWidget(1,2); configureQTableForPrint(legendTbl); string icon_path="/FWBuilderResources/Type/"; int row = 0; int col = 0; QPixmap pm; QPixmap bfr(32,32); QPainter bfrp(&bfr); for (int i=0; !legendList[i].isEmpty(); ++i,++i) { if (row >= legendTbl->rowCount()) legendTbl->insertRow(row); QString type_name = legendList[i]; QString objName = legendList[i+1]; if (type_name==CustomService::TYPENAME) { col++; row=0; } #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("Legend table: row=%d col=%d %s %s", row, col, type_name.toAscii().constData(), objName.toAscii().constData()); #else if (fwbdebug) qDebug("Legend table: row=%d col=%d %s %s", row, col, type_name.toLatin1().constData(), objName.toLatin1().constData()); #endif QString icn = ":/Icons/"+type_name+"/icon"; QPixmap pm; if ( ! 
QPixmapCache::find( icn, pm) ) { pm.load( icn ); QPixmapCache::insert( icn, pm); } bfrp.fillRect(0,0,32,32,QColor(Qt::white)); bfrp.drawPixmap(4,4,pm); QTableWidgetItem *itm = new QTableWidgetItem; itm->setIcon(QIcon(bfr)); itm->setText(objName); legendTbl->setItem(row, col, itm); row++; } legendTbl->resizeColumnToContents(0); legendTbl->resizeColumnToContents(1); for (int i=0; irowCount(); ++i) legendTbl->resizeRowToContents(i); QSize sh = legendTbl->sizeHint(); legendTbl->resize(sh.width(),sh.height()); if (fwbdebug) qDebug("legendTbl size: %dx%d", legendTbl->width(),legendTbl->height()); pr->printQTable(legendTbl, false, false); } void PrintingController::printObjects(FWObject *firewall_to_print, bool newPageForSection) { if (fwbdebug) qDebug("******** Objects"); if (newPageForSection) { pr->flushPage(); pr->beginPage(); // resets yPos } else pr->printText("\n"); pr->printText(QObject::tr("Objects")); pr->printText(" "); bool haveObjGroups = false; bool haveSrvGroups = false; QTableWidget *fwObjTbl = new QTableWidget(1,3); configureQTableForPrint(fwObjTbl); QString descr; int row = 0; int col = 0; addObjectsByTypeToTable(firewall_to_print, Firewall::TYPENAME, fwObjTbl, row, col); for (int i=0; icolumnCount(); ++i) fwObjTbl->resizeColumnToContents(i); for (int i=0; irowCount(); ++i) fwObjTbl->resizeRowToContents(i); QSize sh = fwObjTbl->sizeHint(); fwObjTbl->resize(sh.width(), sh.height()); pr->printQTable(fwObjTbl, false, false); pr->printText(" "); QTableWidget *objTbl = new QTableWidget(1,6); configureQTableForPrint(objTbl); row = 0; col = 0; addObjectsByTypeToTable(firewall_to_print, Host::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, Network::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, NetworkIPv6::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, IPv4::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, IPv6::TYPENAME, objTbl, row, col); 
addObjectsByTypeToTable(firewall_to_print, AddressRange::TYPENAME, objTbl, row, col); haveObjGroups = addObjectsByTypeToTable( firewall_to_print, ObjectGroup::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, IPService::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, ICMPService::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, ICMP6Service::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, TCPService::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, UDPService::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, CustomService::TYPENAME, objTbl, row, col); haveSrvGroups = addObjectsByTypeToTable( firewall_to_print, ServiceGroup::TYPENAME, objTbl, row, col); addObjectsByTypeToTable(firewall_to_print, Interval::TYPENAME, objTbl, row, col); for (int i=0; icolumnCount(); ++i) objTbl->resizeColumnToContents(i); for (int i=0; irowCount(); ++i) objTbl->resizeRowToContents(i); sh = objTbl->sizeHint(); objTbl->resize(sh.width(), sh.height()); pr->printQTable(objTbl, false, false); if (haveObjGroups || haveSrvGroups) { if (fwbdebug) qDebug("******** Groups"); pr->printText("\n"); pr->printText(QObject::tr("Groups")); pr->printText(" "); list groups; list objects; findAllUsedByType(objects, firewall_to_print, ObjectGroup::TYPENAME); findAllGroups(objects,groups); objects.clear(); findAllUsedByType(objects, firewall_to_print, ServiceGroup::TYPENAME); findAllGroups(objects,groups); for (FWObject::iterator obj=groups.begin(); obj!=groups.end(); ++obj) { QTableWidget *objTbl = new QTableWidget(1,6); configureQTableForPrint(objTbl); row = 0; col = 0; list groupMembers; for (FWObject::iterator j=(*obj)->begin(); j!=(*obj)->end(); ++j) { FWObject *o = *j; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); groupMembers.push_back(o); } int added = addObjectsToTable( groupMembers, objTbl, row, col); if (fwbdebug) qDebug("Group %s: 
added %d group members", (*obj)->getName().c_str(),added); if (added == 0) { objTbl->setItem(row, col, new QTableWidgetItem(QObject::tr("EMPTY")) ); } for (int i=0; icolumnCount(); ++i) objTbl->resizeColumnToContents(i); for (int i=0; irowCount(); ++i) objTbl->resizeRowToContents(i); pr->printText((*obj)->getName().c_str()); pr->printQTable(objTbl, false, false); pr->printText("\n"); } } } void PrintingController::configureQTableForPrint(QTableWidget *tbl) { tbl->resize(pr->getWorkspaceWidth(), pr->getWorkspaceHeight()); tbl->setSizePolicy( QSizePolicy( (QSizePolicy::Policy)7, (QSizePolicy::Policy)7) ); tbl->setShowGrid(false); tbl->setFrameStyle(QFrame::NoFrame | QFrame::Plain); tbl->horizontalHeader()->hide(); tbl->verticalHeader()->hide(); tbl->setHorizontalScrollBarPolicy(Qt::ScrollBarAlwaysOff); tbl->setVerticalScrollBarPolicy(Qt::ScrollBarAlwaysOff); } fwbuilder-5.3.7/src/libgui/PrintingController.h000066400000000000000000000043451303637203600215730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PRINTINGCONTROLLER_HH_ #define __PRINTINGCONTROLLER_HH_ #include "fwbuilder/FWObject.h" #include "printerStream.h" #include "ProjectPanel.h" #include #include class PrintingController { printerStream *pr; public: PrintingController(printerStream *_pr) { pr = _pr; } std::list findAllUsedByType( std::list &result, libfwbuilder::FWObject *obj, const std::string &type_name); int addObjectsToTable(std::list &objects, QTableWidget *tbl, int &row, int &col); bool addObjectsByTypeToTable(libfwbuilder::FWObject *parent, const std::string &type_name, QTableWidget *tbl, int &row, int &col); void findAllGroups(std::list &objects, std::list &groups); void printRuleSet(libfwbuilder::FWObject *fw, const std::string &ruleset_type_name, ProjectPanel *project); void printFirewall(libfwbuilder::FWObject *fw, ProjectPanel *project); void printLegend(bool newPageForSection); void printObjects(libfwbuilder::FWObject *firewall_to_print, bool newPageForSection); void configureQTableForPrint(QTableWidget *tbl); }; #endif fwbuilder-5.3.7/src/libgui/PrintingProgressDialog.cpp000066400000000000000000000050461303637203600227260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PrintingProgressDialog.h" #include #include #include #include #include #include PrintingProgressDialog::PrintingProgressDialog(QWidget *parent,QPrinter *p,int nPages,bool disableCancel) : QDialog(parent) { m_dialog = new Ui::printingProgressDialog_q; m_dialog->setupUi(this); connect( m_dialog->Cancel, SIGNAL( clicked() ), this, SLOT( abortPrinting() ) ); printer=p; setNPages(nPages); m_dialog->text->setText(""); if (disableCancel) m_dialog->Cancel->hide(); } PrintingProgressDialog::~PrintingProgressDialog() { delete m_dialog; } void PrintingProgressDialog::setCurrentPageNo(int n) { if (totalPages) m_dialog->text->setText(tr( "Printing (page %1/%2)" ).arg(n).arg(totalPages)); else m_dialog->text->setText(tr( "Printing page %1" ).arg(n) ); m_dialog->progressBar->setValue(n); QApplication::processEvents(QEventLoop::AllEvents,50); } void PrintingProgressDialog::genericProgressIndicator(int n,const QString &txt) { m_dialog->text->setText(txt); m_dialog->progressBar->setValue(n); QApplication::processEvents(QEventLoop::ExcludeUserInputEvents,10); } void PrintingProgressDialog::abortPrinting() { if (printer->abort()) m_dialog->text->setText( tr("Aborting print operation") ); else m_dialog->text->setText( tr("Cannot abort printing") ); } void PrintingProgressDialog::setNPages(int n) { totalPages=n; m_dialog->progressBar->setMinimum(0); m_dialog->progressBar->setMaximum(totalPages); m_dialog->progressBar->reset(); //m_dialog->progressBar->setTotalSteps(totalPages); } fwbuilder-5.3.7/src/libgui/PrintingProgressDialog.h000066400000000000000000000027571303637203600224010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PRINTINGPROGRESSDIALOG_H_ #define __PRINTINGPROGRESSDIALOG_H_ #include #include #include #include #include class PrintingProgressDialog : public QDialog { Q_OBJECT QPrinter *printer; int totalPages; Ui::printingProgressDialog_q *m_dialog; public: PrintingProgressDialog(QWidget *parent,QPrinter *p,int nPages,bool disableCancel); ~PrintingProgressDialog(); void setCurrentPageNo(int n); void genericProgressIndicator(int n,const QString &txt); void setNPages(int n); public slots: void abortPrinting(); }; #endif fwbuilder-5.3.7/src/libgui/ProjectPanel.cpp000066400000000000000000001015711303637203600206550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com refactoring and bugfixes: vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include #include #include #include #include #include #include "fwbuilder/RuleSet.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "FWBSettings.h" #include "FWBTree.h" #include "FWObjectPropertiesFactory.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "RCS.h" #include "RuleSetView.h" #include "findDialog.h" #include "events.h" #include "ObjectTreeView.h" #include "FWObjectClipboard.h" #include "WorkflowIcons.h" #include "FirewallCodeViewer.h" #include "RuleSetDiffDialog.h" #include "temporarydir.h" #include #include #include #include #include #include #include #include #include #include #include #include using namespace Ui; using namespace libfwbuilder; using namespace std; void ProjectPanel::initMain(FWWindow *main) { mainW = main; mdiWindow = NULL; treeReloadPending = false; // mdiWindow changes state several times right after it is opened, // but we call saveState to store splitter position and its geometry // when state changes. Flag "ready" is false after ProjectPanel is created // and until FWWindow decides that ProjectPanel is ready for operation. // Do not load or save state if flag ready is false. 
ready = false; int total_width = DEFAULT_H_SPLITTER_POSITION; //int total_height = DEFAULT_V_SPLITTER_POSITION; //UNUSED if (mainW) { total_width = mainW->width(); //total_height = mainW->height(); //UNUSED } setMainSplitterPosition(DEFAULT_H_SPLITTER_POSITION, total_width - DEFAULT_H_SPLITTER_POSITION); loading_state = false; oldState=-1; main->undoGroup->addStack(undoStack); fd = new findDialog(this, this); fd->hide(); m_panel->icons->setUpSignals(this); } void ProjectPanel::reset() { undoStack->clear(); delete rcs; rcs = NULL; firewalls.clear(); visibleFirewall = NULL; visibleRuleSet = NULL; clearFirewallTabs(); clearObjects(); FWObjectClipboard::obj_clipboard->clear(); } ProjectPanel::ProjectPanel(QWidget *parent): QWidget(parent), // , Qt::WindowSystemMenuHint|Qt::Window), mainW(0), rcs(0), systemFile(true), safeMode(false), editingStandardLib(false), editingTemplateLib(false), ruleSetRedrawPending(false), objdb(0), origObjdb(0), fd(0), autosaveTimer(new QTimer(static_cast(this))), ruleSetTabIndex(0), visibleFirewall(0), visibleRuleSet(0), lastFirewallIdx(-2), changingTabs(false), noFirewalls(tr("No firewalls defined")), m_panel(0), undoStack(0) { if (fwbdebug) qDebug("ProjectPanel constructor"); m_panel = new Ui::ProjectPanel_q(); m_panel->setupUi(this); m_panel->om->setupProject(this); m_panel->toolbar->hide(); undoStack = new QUndoStack(this); setWindowTitle(getPageTitle()); if (fwbdebug) qDebug("New ProjectPanel %p", this); connect(m_panel->topSplitter, SIGNAL(splitterMoved(int,int)), this, SLOT(splitterPositionChanged(int,int))); m_diffLog = QHash(); m_renamedGroups = QHash(); m_statistics = QHash, int>(); } ProjectPanel::~ProjectPanel() { if (fwbdebug) qDebug() << "ProjectPanel::~ProjectPanel()"; undoStack->clear(); if (rcs) delete rcs; if (objdb) delete objdb; if (origObjdb) delete origObjdb; delete m_panel; if (fwbdebug) qDebug() << "ProjectPanel::~ProjectPanel() done"; } QString ProjectPanel::getPageTitle(bool file_path) { QString default_caption = 
tr("Untitled"); if (rcs) { QString caption; if (file_path) caption = rcs->getFileName(); // full path else { QFileInfo fi(rcs->getFileName()); caption = fi.fileName(); } if (rcs->isInRCS()) caption= caption + ", rev " + rcs->getSelectedRev(); if (rcs->isRO()) caption = caption + " " + tr("(read-only)"); if (caption.isEmpty()) return default_caption; return caption; } else return default_caption; } void ProjectPanel::restoreRuleSetTab() { if (fwbdebug) qDebug("ProjectPanel::()"); m_panel->ruleSets->setCurrentIndex(ruleSetTabIndex); m_panel->toolbar->show(); } void ProjectPanel::loadObjects() { m_panel->om->loadObjects(); } void ProjectPanel::loadObjects(FWObjectDatabase*) { m_panel->om->loadObjects(); } void ProjectPanel::clearObjects() { m_panel->om->clearObjects(); } const QString ProjectPanel::getTemporaryDirPath() const { if (mainW->getTemporaryDirPath() != QString()) { if (!rcs->getFileName().isEmpty()) { QFileInfo fi(rcs->getFileName()); return QString(mainW->getTemporaryDirPath()) .append("/").append(fi.baseName()); } return mainW->getTemporaryDirPath(); } return QString(); } void ProjectPanel::clearFirewallTabs() { if (fwbdebug) qDebug() << "ProjectPanel::clearFirewallTabs"; m_panel->ruleSets->hide(); while (m_panel->ruleSets->count()!=0) { QWidget *p = m_panel->ruleSets->widget(0); m_panel->ruleSets->removeWidget( m_panel->ruleSets->widget(m_panel->ruleSets->indexOf(p))); delete p; } m_panel->rulesetname->setText(""); m_panel->ruleSets->show(); ruleSetViews.clear(); } void ProjectPanel::closeRuleSetPanel() { if (fwbdebug) qDebug() << "ProjectPanel::closeRuleSetPanel"; clearFirewallTabs(); visibleRuleSet = NULL; } void ProjectPanel::ensureObjectVisibleInRules(FWReference *obj) { if (fwbdebug) qDebug() << "ProjectPanel::ensureObjectVisibleInRules"; FWObject *p=obj; while (p && RuleSet::cast(p)==NULL ) p=p->getParent(); if (p==NULL) return; // something is broken // p is a pointer to RuleSet object @obj belongs to if (p != getCurrentRuleSet()) openRuleSet(p); 
getCurrentRuleSetView()->setFocus(); getCurrentRuleSetView()->selectRE( obj ); } RuleSetView * ProjectPanel::getCurrentRuleSetView() { return dynamic_cast(m_panel->ruleSets->currentWidget()); } void ProjectPanel::reopenFirewall() { if (fwbdebug) qDebug("ProjectPanel::reopenFirewall()"); time_t last_modified = db()->getTimeLastModified(); if (fwbdebug) qDebug("ProjectPanel::reopenFirewall(): checkpoint 1: " "dirty=%d last_modified=%s", db()->isDirty(), ctime(&last_modified)); if (ruleSetRedrawPending) return; int currentPage = m_panel->ruleSets->currentIndex(); SelectionMemento memento; RuleSetView* rv = dynamic_cast(m_panel->ruleSets->currentWidget()); if (rv) rv->saveCurrentRowColumn(memento); last_modified = db()->getTimeLastModified(); if (fwbdebug) qDebug("ProjectPanel::reopenFirewall(): checkpoint 2: " "dirty=%d last_modified=%s", db()->isDirty(), ctime(&last_modified)); // since reopenFirewall deletes and recreates all RuleSetView // widgets, it causes significant amount of repaint and // flicker. Disable updates for the duration of operation to avoid // that. 
m_panel->ruleSets->setUpdatesEnabled(false); changingTabs = true; clearFirewallTabs(); last_modified = db()->getTimeLastModified(); if (fwbdebug) qDebug("ProjectPanel::reopenFirewall(): checkpoint 3: " "dirty=%d last_modified=%s", db()->isDirty(), ctime(&last_modified)); if (visibleRuleSet==NULL) return ; for (int i =0 ; i < m_panel->ruleSets->count (); i++) m_panel->ruleSets->removeWidget(m_panel->ruleSets->widget(i)); m_panel->rulesetname->setTextFormat(Qt::RichText); updateFirewallName(); last_modified = db()->getTimeLastModified(); if (fwbdebug) qDebug("ProjectPanel::reopenFirewall(): checkpoint 4: " "dirty=%d last_modified=%s", db()->isDirty(), ctime(&last_modified)); RuleSetView* rulesetview = RuleSetView::getRuleSetViewByType(this, visibleRuleSet, NULL); if (rulesetview) { m_panel->ruleSets->addWidget(rulesetview); last_modified = db()->getTimeLastModified(); if (fwbdebug) qDebug("ProjectPanel::reopenFirewall(): checkpoint 5: " "dirty=%d last_modified=%s", db()->isDirty(), ctime(&last_modified)); m_panel->ruleSets->setCurrentIndex(currentPage); m_panel->toolbar->show(); rv = dynamic_cast(m_panel->ruleSets->currentWidget()); rv->restoreCurrentRowColumn(memento); changingTabs = false; mainW->updateGlobalToolbar(); m_panel->ruleSets->setUpdatesEnabled(true); m_panel->ruleSets->show(); } } int ProjectPanel::findFirewallInList(FWObject *f) { vector::iterator i; int n=0; for (i=firewalls.begin(); i!=firewalls.end(); i++,n++) { if ( (*i)->getId()==f->getId() ) return n; } return -1; } void ProjectPanel::updateFirewallName() { if (visibleRuleSet==NULL) return ; QString name; // mw->buildEditorTitleAndIcon(visibleRuleSet, ObjectEditor::optNone, // &name, NULL, false); // name = "" + name + ""; FWObject *fw = visibleRuleSet->getParent(); name = QString("%1 / %2") .arg(QString::fromUtf8(fw->getName().c_str())) .arg(QString::fromUtf8(visibleRuleSet->getName().c_str())); m_panel->rulesetname->setText(name ); } void ProjectPanel::openRuleSet(FWObject * obj, bool 
immediately) { //mw->blankEditor(); visibleRuleSet = RuleSet::cast(obj); if (immediately) redrawRuleSets(); else registerRuleSetRedrawRequest(); } void ProjectPanel::selectRules() { // `unselect(); RuleSetView* rv = dynamic_cast( m_panel->ruleSets->currentWidget()); if (rv) rv->setFocus(); } void ProjectPanel::unselectRules() { bool havePolicies = (m_panel->ruleSets->count()!=0); /* commented this out so that when I hit "Edit" in the object's pop-down * menu in a rule, ruleset wont lose focus when object editor is opened. * If rule set loses focus, the object's background turns from "selected" color * to white and user loses context (which object is shown in the object editor) */ if (havePolicies) { RuleSetView* rv=dynamic_cast(m_panel->ruleSets->currentWidget()); if (rv && rv->getSelectedObject()!=getSelectedObject()) { rv->clearFocus(); } } mainW->disableActions(havePolicies); } void ProjectPanel::editCopy() { if (fwbdebug) qDebug() << "ProjectPanel::editCopy() isManipulatorSelected()=" << isManipulatorSelected(); if (isManipulatorSelected()) copyObj(); else { if (m_panel->ruleSets->count()!=0) { RuleSetView *rsv = dynamic_cast(m_panel->ruleSets->currentWidget()); if (rsv) rsv->copySelectedObject(); } } } void ProjectPanel::editCut() { if (fwbdebug) qDebug() << "ProjectPanel::editCut() isManipulatorSelected()=" << isManipulatorSelected(); if (isManipulatorSelected()) cutObj(); else { if (m_panel->ruleSets->count()!=0) { RuleSetView *rsv = dynamic_cast(m_panel->ruleSets->currentWidget()); if (rsv) rsv->cutSelectedObject(); } } } void ProjectPanel::editDelete() { if (fwbdebug) qDebug() << "ProjectPanel::editDelete() isManipulatorSelected()=" << isManipulatorSelected(); if (isManipulatorSelected()) deleteObj(); } void ProjectPanel::editPaste() { if (fwbdebug) qDebug() << "ProjectPanel::editPaste() isManipulatorSelected()=" << isManipulatorSelected(); if (isManipulatorSelected()) pasteObj(); else { if (m_panel->ruleSets->count()!=0) { RuleSetView *rsv = 
dynamic_cast(m_panel->ruleSets->currentWidget()); if (rsv) rsv->pasteObject(); } } } void ProjectPanel::setFileName(const QString &fname) { systemFile = false; rcs->setFileName(fname); db()->setFileName(fname.toLatin1().constData()); //setWindowTitle(getPageTitle()); QCoreApplication::postEvent(mw, new updateSubWindowTitlesEvent()); } //wrapers for some ObjectManipulator functions FWObject* ProjectPanel::getCurrentLib() { return m_panel->om->getCurrentLib(); } void ProjectPanel::updateObjectInTree(FWObject *obj, bool subtree) { m_panel->om->updateObjectInTree(obj, subtree); } FWObject* ProjectPanel::createObject(const QString &objType, const QString &objName, FWObject *copyFrom) { return m_panel->om->createObject(objType, objName, copyFrom); } FWObject* ProjectPanel::createObject(FWObject *parent, const QString &objType, const QString &objName, FWObject *copyFrom) { return m_panel->om->createObject(parent, objType, objName, copyFrom); } void ProjectPanel::moveObject(FWObject *target, FWObject *obj) { m_panel->om->moveObject(target, obj); } void ProjectPanel::moveObject(const QString &targetLibName, FWObject *obj) { m_panel->om->moveObject(targetLibName, obj); } FWObject* ProjectPanel::pasteTo(FWObject *target, FWObject *obj) { return m_panel->om->pasteTo(target, obj); } ObjectTreeView* ProjectPanel::getCurrentObjectTree() { return m_panel->om->getCurrentObjectTree(); } void ProjectPanel::findAllFirewalls (std::list &fws) { m_panel->om->findAllFirewalls(fws); } void ProjectPanel::showDeletedObjects(bool f) { m_panel->om->showDeletedObjects(f); } void ProjectPanel::select() { m_panel->om->select(); } void ProjectPanel::unselect() { m_panel->om->unselect(); } void ProjectPanel::clearManipulatorFocus() { m_panel->om->clearFocus(); } void ProjectPanel::copyObj() { m_panel->om->copyObj(); } bool ProjectPanel::isManipulatorSelected() { return m_panel->om->getCurrentObjectTree()->hasFocus(); } void ProjectPanel::cutObj() { m_panel->om->cutObj(); } void 
ProjectPanel::pasteObj() { m_panel->om->pasteObj(); } void ProjectPanel::newObject() { m_panel->om->newObject(); } void ProjectPanel::deleteObj() { m_panel->om->delObj(); } FWObject* ProjectPanel::getSelectedObject() { return m_panel->om->getSelectedObject(); } void ProjectPanel::reopenCurrentItemParent() { m_panel->om->reopenCurrentItemParent(); } void ProjectPanel::lockObject() { m_panel->om->lockObject(); } void ProjectPanel::unlockObject() { m_panel->om->unlockObject(); } void ProjectPanel::setFDObject(FWObject *o) { fd->setObject(o); fd->show(); } void ProjectPanel::resetFD() { fd->reset(); } void ProjectPanel::insertRule() { if (visibleRuleSet==NULL || m_panel->ruleSets->count()==0) return; getCurrentRuleSetView()->insertRule(); } void ProjectPanel::addRuleAfterCurrent() { if (visibleRuleSet==NULL || m_panel->ruleSets->count()==0) return; getCurrentRuleSetView()->addRuleAfterCurrent(); } void ProjectPanel::removeRule() { if (visibleRuleSet==NULL || m_panel->ruleSets->count()==0) return; getCurrentRuleSetView()->removeRule(); } void ProjectPanel::moveRule() { if (visibleRuleSet==NULL || m_panel->ruleSets->count()==0) return; getCurrentRuleSetView()->moveRule(); } void ProjectPanel::moveRuleUp() { if (visibleRuleSet==NULL || m_panel->ruleSets->count()==0) return; getCurrentRuleSetView()->moveRuleUp(); } void ProjectPanel::moveRuleDown() { if (visibleRuleSet==NULL || m_panel->ruleSets->count()==0) return; getCurrentRuleSetView()->moveRuleDown(); } void ProjectPanel::copyRule() { if (visibleRuleSet==NULL || m_panel->ruleSets->count()==0) return; getCurrentRuleSetView()->copyRule(); } void ProjectPanel::cutRule() { if (visibleRuleSet==NULL || m_panel->ruleSets->count()==0) return; getCurrentRuleSetView()->cutRule(); } void ProjectPanel::pasteRuleAbove() { if (visibleRuleSet==NULL || m_panel->ruleSets->count()==0) return; getCurrentRuleSetView()->pasteRuleAbove(); } void ProjectPanel::pasteRuleBelow() { if (visibleRuleSet==NULL || m_panel->ruleSets->count()==0) 
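return; getCurrentRuleSetView()->pasteRuleBelow(); }

// True when the open data file is an object library (.fwl) rather than a
// full .fwb project file.
bool ProjectPanel::editingLibrary()
{
    return (rcs!=NULL && ( rcs->getFileName().endsWith(".fwl")) );
}

// Create the RCS wrapper for @filename.  The panel is treated as editing a
// "system" file until setFileName() is called.
// NOTE(review): an RCS object already held in `rcs` is not released here;
// confirm callers invoke this only once per panel.
void ProjectPanel::createRCS(const QString &filename)
{
    rcs = new RCS(filename);
    systemFile = true;
}

RCS * ProjectPanel::getRCS()
{
    return rcs;
}

/*
 * This slot is connected to the "add rule" button in the mini-toolbar
 * at the top of the rule set view
 */
void ProjectPanel::addRule()
{
    if (visibleRuleSet==NULL || getCurrentRuleSetView()==NULL) return ;
    getCurrentRuleSetView()->insertRule();
}

/*
 * This slot is connected to the "diff rule" button in the mini-toolbar
 * at the top of the rule set view
 */
void ProjectPanel::diffThis()
{
    RuleSetDiffDialog rdd(this);
    rdd.exec();
}

// Save, then compile only the firewall that owns the visible rule set.
// If the database is still dirty after save() (presumably the user
// declined or the save failed) nothing is compiled, so the generated
// script never gets ahead of what is on disk.
void ProjectPanel::compileThis()
{
    if (visibleRuleSet==NULL) return ;
    save();  // see comment in FWWindow::compile()
    if (db()->isDirty()) return;
    set<Firewall*> fw;
    Firewall *f = Firewall::cast(visibleRuleSet->getParent());
    if (f)
    {
        fw.insert(f);
        mainW->compile(fw);
    }
}

// Same as compileThis(), but runs the installer for the owning firewall.
void ProjectPanel::installThis()
{
    if (visibleRuleSet==NULL) return ;
    save();  // see comment in FWWindow::compile()
    if (db()->isDirty()) return;
    set<Firewall*> fw;
    Firewall *f = Firewall::cast(visibleRuleSet->getParent());
    if (f)
    {
        fw.insert(f);
        mainW->install(fw);
    }
}

// Open the generated files of the firewall owning the visible rule set in
// the code viewer.  A cluster is expanded to its member firewalls.
void ProjectPanel::inspectThis()
{
    if (visibleRuleSet==NULL) return;
    save();  // see comment in FWWindow::compile()
    if (db()->isDirty()) return;
    Firewall *f = Firewall::cast(visibleRuleSet->getParent());
    // The parent of a rule set is not necessarily a Firewall.
    // compileThis()/installThis() already guard this; without the check a
    // NULL entry ends up in the set and inspect() dereferences it.
    if (f == NULL) return;
    set<Firewall*> fwlist;
    if (Cluster::isA(f))
    {
        std::list<Firewall*> cfws;
        Cluster::cast(f)->getMembersList(cfws);
        foreach(Firewall *fw, cfws) fwlist.insert(fw);
    }
    else
    {
        fwlist.insert(f);
    }
    this->inspect(fwlist);
}

// Open the generated files of every firewall in the tree, expanding
// clusters to their members.
void ProjectPanel::inspectAll()
{
    list<Firewall*> fws;
    // Use the panel's own wrapper instead of re-discovering the
    // ObjectManipulator with findChild(), which may return NULL.
    findAllFirewalls(fws);
    set<Firewall*> fwset;
    foreach(Firewall *fw, fws)
    {
        if (Cluster::isA(fw))
        {
            std::list<Firewall*> cfws;
            Cluster::cast(fw)->getMembersList(cfws);
            foreach(Firewall *f, cfws) fwset.insert(f);
        }
        else
        {
            fwset.insert(fw);
        }
    }
    this->inspect(fwset);
}

void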
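ProjectPanel::compile()
{
    // Give the object editor a chance to commit or reject pending edits
    // before the data file is saved and compiled.
    if (mw->isEditorVisible() &&
        !mw->requestEditorOwnership(NULL,NULL,ObjectEditor::optNone,true))
        return;
    save();  // see comment in FWWindow::compile()
    if (db()->isDirty()) return;
    //fileSave();
    mainW->compile();
}

void ProjectPanel::compile(set<Firewall*> vf)
{
    if (mw->isEditorVisible() &&
        !mw->requestEditorOwnership(NULL, NULL, ObjectEditor::optNone, true))
        return;
    save();  // see comment in FWWindow::compile()
    if (db()->isDirty()) return;
    //fileSave();
    mainW->compile(vf);
}

// NOTE(review): unlike compile(), install() does not ask the object editor
// to release ownership first; confirm whether that asymmetry is intended.
void ProjectPanel::install(set<Firewall*> vf)
{
    save();  // see comment in FWWindow::compile()
    if (db()->isDirty()) return;
    mainW->install(vf);
}

void ProjectPanel::install()
{
    save();  // see comment in FWWindow::compile()
    if (db()->isDirty()) return;
    mainW->install();
}

/*
 * Show the generated configuration files of @fws in a FirewallCodeViewer.
 *
 * Firewalls whose objects changed since the last compile, or whose
 * generated files cannot be found on disk, are reported in a message box
 * that offers to compile them instead; nothing is shown in that case.
 */
void ProjectPanel::inspect(set<Firewall*> fws)
{
    if (fws.empty()) return;

    QMessageBox messageBox(this);
    messageBox.addButton(tr("Cancel"), QMessageBox::RejectRole);
    // Keep the button pointer: for custom buttons QMessageBox::result()
    // is the button's index, which only matched QDialog::Accepted by
    // coincidence of insertion order.
    QPushButton *compileButton =
        messageBox.addButton(tr("Compile and Inspect files"),
                             QMessageBox::AcceptRole);
    messageBox.setIcon(QMessageBox::Critical);

    set<Firewall*> needCompile;
    foreach(Firewall *fw, fws)
        if (fw->needsCompile()) needCompile.insert(fw);

    if (!needCompile.empty())
    {
        QString text;
        QStringList names;
        foreach(Firewall *fw, needCompile)
            names.append(fw->getName().c_str());

        if (needCompile.size() > 1 && needCompile.size() < 5)
        {
            QString last = names.last();
            names.pop_back();
            QString firewalls = "\"" + names.join("\", \"") + "\" " +
                tr("and") + " \"" + last + "\"";
            text = tr("Firewall objects %1 have been modified and need to be recompiled.").arg(firewalls);
        }
        else if (needCompile.size() == 1)
            text = tr("Firewall object \"%1\" has been modified and needs to be recompiled.").arg(names.first());
        else
        {
            text = tr("%1 firewall objects have been modified and need to be recompiled.").arg(needCompile.size());
        }

        messageBox.setText(text);
        messageBox.exec();
        if (messageBox.clickedButton() == compileButton)
        {
            this->compile(needCompile);
        }
        return;
    }

    QStringList files;
    QSet<Firewall*> filesMissing;
    Firewall *first_fw = NULL;

    foreach(Firewall *fw, fws)
    {
        if (first_fw == NULL) first_fw = fw;

        /*
         * get full path to the generated file. The path is built from
         * the file name returned by
         * FirewallInstaller::getGeneratedFileName() and directory
         * path from the .fwb file. Note that we use the same
         * algorithm when GUI launches policy compiler, except there
         * the path is passed to it via "-d" command line option.
         */
        QString mainFile = FirewallInstaller::getGeneratedFileFullPath(fw);
        // QString mainFile = FirewallInstaller::getGeneratedFileName(fw);

        if (QFile::exists(mainFile))
        {
            instConf cnf;
            cnf.fwobj = fw;
            cnf.script = mainFile;
            QMap res;
            // NOTE(review): the manifest is parsed out of the generated
            // script on disk and every path it names is opened in the
            // viewer as-is; nothing here confines those paths to the
            // output directory.  Acceptable only if the directory is
            // trusted — confirm.
            FirewallInstaller(NULL, &cnf, "").readManifest(mainFile, &res);
            QStringList current_files = res.keys();
            foreach(QString file, current_files)
            {
                if (!QFile::exists(file)) filesMissing.insert(fw);
                else files.append(file);
            }
        }
        else
            filesMissing.insert(fw);
    }

    if (!filesMissing.isEmpty())
    {
        QString text;
        QStringList names;
        foreach(Firewall *fw, filesMissing)
            names.append(fw->getName().c_str());

        if (filesMissing.size() > 1 && filesMissing.size() < 5)
        {
            QString last = names.last();
            names.pop_back();
            QString firewalls = "\"" + names.join("\", \"") + "\" " +
                tr("and") + " \"" + last + "\"";
            text = tr("Can not read generated files for the firewall objects %1. You need to compile them to create the files.").arg(firewalls);
        }
        else if (filesMissing.size() == 1)
            text = tr("Can not read generated files for the firewall objects %1. You need to compile it to create the files.").arg(names.first());
        else
        {
            text = tr("Can not read generated files for the %1 firewall objects. You need to compile then to create the files.").arg(filesMissing.size());
        }

        messageBox.setText(text);
        messageBox.exec();
        if (messageBox.clickedButton() == compileButton)
        {
            this->compile(fws);
        }
        return;
    }

    if (files.empty()) return;

    QString viewer_title;
    if (fws.size() > 1) viewer_title = tr("Multiple firewalls");
    else viewer_title = QString("%1").arg(first_fw->getName().c_str());

    FirewallCodeViewer *viewer =
        new FirewallCodeViewer(files, viewer_title, this, this);
    viewer->show();
}

// Header line for printed output: base name of the data file plus the
// selected RCS revision when the file is under revision control.
QString ProjectPanel::printHeader()
{
    // getFileName() tolerates rcs==NULL; rcs->getFileName() would not.
    QString headerText = getFileName().section("/",-1,-1);
    if (rcs!=NULL && rcs->isInRCS())
        headerText = headerText + ", rev " + rcs->getSelectedRev();
    return headerText;
}

// Coalesce repeated redraw requests into a single deferred redrawRuleSets().
void ProjectPanel::registerRuleSetRedrawRequest()
{
    if (!ruleSetRedrawPending)
    {
        ruleSetRedrawPending = true;
        //redrawRuleSets();
        QTimer::singleShot( 0, this, SLOT(redrawRuleSets()) );
    }
}

void ProjectPanel::redrawRuleSets()
{
    ruleSetRedrawPending = false;
    reopenFirewall();
}

void ProjectPanel::aboutToActivate()
{
    if (fwbdebug) qDebug() << "ProjectPanel::aboutToActivate " << this;
}

void ProjectPanel::showEvent(QShowEvent *ev)
{
    // mdiWindow is NULL until the panel is attached to an MDI sub-window
    // (see event()), so do not dereference it in the debug trace.
    if (fwbdebug)
        qDebug() << "ProjectPanel::showEvent " << this
                 << "title "
                 << (mdiWindow ? mdiWindow->windowTitle() : QString());
    QWidget::showEvent(ev);
    // we get this event when MDI window is maximized or restored
    // loadState();
    // visibilityChangedForTreePanel(true);
}

void ProjectPanel::hideEvent(QHideEvent *ev)
{
    if (fwbdebug)
        qDebug() << "ProjectPanel::hideEvent " << this
                 << "title "
                 << (mdiWindow ? mdiWindow->windowTitle() : QString());
    QWidget::hideEvent(ev);
}

// Closing the panel: offer to save, check the file back into RCS, and only
// then tear down.  Either step can veto the close.
void ProjectPanel::closeEvent(QCloseEvent * ev)
{
    if (fwbdebug)
        qDebug() << "ProjectPanel::closeEvent " << this
                 << "title "
                 << (mdiWindow ? mdiWindow->windowTitle() : QString());

    if (!saveIfModified() || !checkin(true))
    {
        ev->ignore();
        return;
    }

    saveState();
    fileClose();
    mw->updateWindowTitle();
    //QCoreApplication::postEvent(mw, new closeEditorPanelEvent());
    QCoreApplication::postEvent(mw, new clearEditorPanelEvent());
    QTimer::singleShot( 0, mw, SLOT(projectWindowClosed()) );
}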
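QString ProjectPanel::getFileName()
{
    if (rcs!=NULL) return rcs->getFileName();
    else return "";
}

void ProjectPanel::splitterMoved(int , int)
{
}

void ProjectPanel::resizeEvent(QResizeEvent*)
{
}

// Coalesce tree reload requests into one deferred reloadTree().
void ProjectPanel::registerTreeReloadRequest()
{
    treeReloadPending = true;
    QTimer::singleShot(0, this, SLOT(reloadTree()));
}

void ProjectPanel::reloadTree()
{
    if (treeReloadPending)
    {
        m_panel->om->reload();
        treeReloadPending = false;
    }
}

// Queue @o (and optionally its subtree) for a tree update on the next
// event-loop pass.  Only the object id is kept, see updateObjectInTree().
void ProjectPanel::registerObjectToUpdateInTree(FWObject *o, bool update_subtree)
{
    if (fwbdebug)
        qDebug() << "ProjectPanel::registerObjectToUpdateInTree()"
                 << "o=" << o->getName().c_str()
                 << "update_subtree=" << update_subtree
                 << "updateObjectsInTreePool.size()=" << updateObjectsInTreePool.size();

    if (updateObjectsInTreePool.find(o->getId()) == updateObjectsInTreePool.end())
    {
        updateObjectsInTreePool[o->getId()] = update_subtree;
        QTimer::singleShot(0, this, SLOT(updateObjectInTree()));
    }
}

// Drain the queue filled by registerObjectToUpdateInTree().
void ProjectPanel::updateObjectInTree()
{
    if (fwbdebug)
        qDebug() << "ProjectPanel::updateObjectInTree()"
                 << "updateObjectsInTreePool.size()=" << updateObjectsInTreePool.size();

    while (updateObjectsInTreePool.size() > 0)
    {
        map<int, bool>::iterator it = updateObjectsInTreePool.begin();
        FWObject *obj = db()->findInIndex(it->first);
        // The object may have been deleted between registration and this
        // deferred call; findInIndex() then returns NULL (event() relies on
        // the same behaviour).
        if (obj != NULL) m_panel->om->updateObjectInTree(obj, it->second);
        updateObjectsInTreePool.erase(it);
    }

    mdiWindow->update();
}

// Record that @o changed so that the "last modified" timestamp of every
// firewall using it can be refreshed (deferred, see
// updateLastModifiedTimestampForAllFirewalls()).
void ProjectPanel::registerModifiedObject(FWObject *o)
{
    if (fwbdebug)
        qDebug() << "ProjectPanel::registerModifiedObject "
                 << "lastModifiedTimestampChangePool.size()="
                 << lastModifiedTimestampChangePool.size()
                 << "o=" << o->getName().c_str()
                 << "(" << o->getTypeName().c_str() << ")"
                 << "id=" << o->getId();

    FWObject *modified_object = o;

    /*
     * a bit of optimization: the purpose of registering modified
     * object here is to update "last modified" timestamp in the
     * firewall object it belongs to. One of the frequent cases is
     * when @o is rule element because user made some change to
     * it. Massive find and replace operations can cause waves of
     * registrations of rule elements, all of which belong to the
     * same rule set. If I register rule set instead, there will be
     * just one object to register.
     */
    if (RuleElement::cast(o))
    {
        while (modified_object != NULL && RuleSet::cast(modified_object) == NULL)
            modified_object = modified_object->getParent();
        // A rule element with no RuleSet ancestor (detached copy) would
        // otherwise walk off the top of the tree; fall back to @o itself.
        if (modified_object == NULL) modified_object = o;
    }

    if (lastModifiedTimestampChangePool.find(modified_object->getId()) ==
        lastModifiedTimestampChangePool.end())
    {
        if (fwbdebug)
            qDebug() << "ProjectPanel::registerModifiedObject "
                     << "Add object" << modified_object->getName().c_str()
                     << "id=" << modified_object->getId();

        lastModifiedTimestampChangePool.insert(modified_object->getId());
        QTimer::singleShot( 0, this,
                            SLOT(updateLastModifiedTimestampForAllFirewalls()));
    }
}

// Deferred worker for registerModifiedObject(): find every firewall (and
// cluster using such a firewall) that references a registered object and
// bump its "last modified" timestamp.  Read-only objects are skipped.
void ProjectPanel::updateLastModifiedTimestampForAllFirewalls()
{
    if (fwbdebug)
        qDebug() << "ProjectPanel::updateLastModifiedTimestampForAllFirewalls"
                 << "lastModifiedTimestampChangePool.size()="
                 << lastModifiedTimestampChangePool.size();

    if (lastModifiedTimestampChangePool.size() == 0) return;

    mw->showStatusBarMessage(
        tr("Searching for firewalls affected by the change..."));
    //QApplication::processEvents(QEventLoop::ExcludeUserInputEvents,100);
    QApplication::setOverrideCursor(QCursor( Qt::WaitCursor));

    set<Firewall*> firewalls_to_update;

    while (lastModifiedTimestampChangePool.size() > 0)
    {
        set<int>::iterator it = lastModifiedTimestampChangePool.begin();
        FWObject *obj = db()->findInIndex(*it);
        lastModifiedTimestampChangePool.erase(it);

        // Registered object may have been deleted before this deferred
        // call ran; skip it instead of dereferencing NULL below.
        if (obj == NULL) continue;

        if (fwbdebug) qDebug() << "Modified object: " << obj->getName().c_str();

        if (FWBTree().isSystem(obj)) continue;

        list<Firewall*> fws = m_panel->om->findFirewallsForObject(obj);
        if (fws.size())
        {
            Firewall *f;
            for (list<Firewall*>::iterator i=fws.begin(); i!=fws.end(); ++i)
            {
                f = *i;
                if (f==obj) continue;
                firewalls_to_update.insert(f);
            }
        }
    }

    if (fwbdebug)
        qDebug() << "Will update " << firewalls_to_update.size() << " firewalls";

    for (set<Firewall*>::iterator it=firewalls_to_update.begin();
         it!=firewalls_to_update.end(); ++it)
    {
        Firewall *f = *it;
        // when user locks firewall object, this code tries to
        // update last_modified timestamp in it because it
        // depends on itself. Dont.
        if (f->isReadOnly()) continue;
        f->updateLastModifiedTimestamp();
        QCoreApplication::postEvent(
            mw, new updateObjectInTreeEvent(getFileName(), f->getId()));

        list<Cluster*> clusters = m_panel->om->findClustersUsingFirewall(f);
        if (clusters.size() != 0)
        {
            list<Cluster*>::iterator it;
            for (it=clusters.begin(); it!=clusters.end(); ++it)
            {
                Cluster *cl = *it;
                if (cl->isReadOnly()) continue;
                cl->updateLastModifiedTimestamp();
                QCoreApplication::postEvent(
                    mw, new updateObjectInTreeEvent(getFileName(), cl->getId()));
            }
        }
    }

    QApplication::restoreOverrideCursor();
}

void ProjectPanel::toggleViewTree(bool f)
{
    if (f) m_panel->treePanelFrame->show();
    else m_panel->treePanelFrame->hide();
}

// Make this panel's undo stack the active one in the shared undo group.
void ProjectPanel::setActive()
{
    undoStack->setActive(true);
}

void ProjectPanel::splitterPositionChanged(int,int)
{
    saveMainSplitter();
}
fwbuilder-5.3.7/src/libgui/ProjectPanel.h000066400000000000000000000247721303637203600203270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.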
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef PROJECTPANEL_H
#define PROJECTPANEL_H

#include "ui_projectpanel_q.h"
#include
#include

namespace libfwbuilder {
    class FWObjectDatabase;
    class Firewall;
    class PolicyRule;
    class RuleSet;
    class Rule;
    class RuleElement;
    class FWObject;
    class FWReference;
};

class QWidget;
class QMdiSubWindow;
class QTextEdit;
class QUndoStack;
class ObjectTreeView;
class ObjectManipulator;
class findDialog;
class FWWindow;
class RuleSetView;
class RCS;
class FWBTree;

#define DEFAULT_H_SPLITTER_POSITION 250
#define DEFAULT_V_SPLITTER_POSITION 450

// Kind of change recorded per object id by the file-compare feature.
namespace DiffType { enum Type { None, Add, Remove, Edit, Move }; }

/*
 * One open data file (.fwb project or .fwl library) inside the main
 * window: owns the object database and its RCS wrapper, the object tree
 * (ObjectManipulator) and the rule set views, and routes the application's
 * custom events (see ProjectPanel::event) to those widgets.
 */
class ProjectPanel: public QWidget
{
    Q_OBJECT;

    FWWindow *mainW;
    RCS *rcs;               // revision-control wrapper for the data file; may be NULL
    bool systemFile;        // true while editing a built-in file (set by createRCS)
    bool safeMode;
    bool editingStandardLib;
    bool editingTemplateLib;
    bool ruleSetRedrawPending;   // a deferred redrawRuleSets() is already queued
    bool ready;
    libfwbuilder::FWObjectDatabase *objdb, *origObjdb;
    findDialog *fd;
    QTimer *autosaveTimer;
    std::map ruleSetViews;
    int ruleSetTabIndex;
    libfwbuilder::FWObject *visibleFirewall;
    libfwbuilder::RuleSet *visibleRuleSet ;   // NULL when no rule set is open
    std::vector firewalls;
    int lastFirewallIdx;
    bool changingTabs;
    QString noFirewalls;
    bool loading_state;

    // set of object IDs for objects that have been modified recently.
    // Method updateLastModifiedTimestampForAllFirewalls() uses this
    // to update lastModified timestamp of all firewalls using these objects.
    std::set lastModifiedTimestampChangePool;

    // IDs of objects that need to be updated in the tree. Method
    // updateObjectInTree() processes them. The key in the map is object ID,
    // value is a boolean flag, true means need to update the object and
    // subtree under it.
    std::map updateObjectsInTreePool;

    bool treeReloadPending;      // a deferred reloadTree() is already queued

    // File-compare state: per-object diff kind, renamed groups, and
    // per-(rule set, diff kind) counters.
    QHash m_diffLog;
    QHash m_renamedGroups;
    QHash, int> m_statistics;

public:
    QMdiSubWindow *mdiWindow;    // NULL until attached to an MDI sub-window
    Ui::ProjectPanel_q *m_panel;
    QSet copySet;
    QUndoStack *undoStack;

    void readyStatus(bool f) { ready=f; }

    libfwbuilder::RuleSet* getCurrentRuleSet () {return visibleRuleSet;};
    RuleSetView* getCurrentRuleSetView() ;
    void openRuleSet(libfwbuilder::FWObject *obj, bool immediately=false);
    // Forget @obj as the visible rule set if it is the one currently shown.
    void closeRuleSet(libfwbuilder::FWObject *obj)
    { if ((libfwbuilder::FWObject*)(visibleRuleSet)==obj) visibleRuleSet=NULL;};

    ProjectPanel(QWidget *parent);
    ~ProjectPanel();

    void initMain(FWWindow *main);
    void reset();

    void loadObjects();
    void loadObjects(libfwbuilder::FWObjectDatabase *db);
    void clearObjects();

    libfwbuilder::FWObjectDatabase* db() { return objdb; };
    libfwbuilder::FWObjectDatabase* origDb() { return origObjdb; }
    bool hasObject(libfwbuilder::FWObject* obj) { return objdb->findInIndex(obj->getId()); };

    void setDiffType(int id, enum DiffType::Type type) { m_diffLog.insert(id, type); }
    int getDiffType(int id) { return m_diffLog.value(id, DiffType::None); }
    const QHash& getDiffLog() { return m_diffLog; }
    QHash& getRenamedGroups() { return m_renamedGroups; }
    QHash, int>& getStatistics() { return m_statistics; }
    int getStatistics(int ruleSetId, DiffType::Type diffType)
    { return m_statistics.value(QPair(ruleSetId, diffType), 0); }

    const QString getTemporaryDirPath() const;

    // libfwbuilder::RuleElement* getRE(libfwbuilder::Rule* r, int col );

    //wrappers for some ObjectManipulator functions
    libfwbuilder::FWObject* getCurrentLib();
    libfwbuilder::FWObject* createObject(const QString &objType,
                                         const QString &objName,
                                         libfwbuilder::FWObject *copyFrom=NULL);
    libfwbuilder::FWObject* createObject(libfwbuilder::FWObject *parent,
                                         const QString &objType,
                                         const QString &objName,
                                         libfwbuilder::FWObject *copyFrom=NULL);
    void updateObjectInTree(libfwbuilder::FWObject *obj, bool subtree=false);
    FWWindow* getWindow (){ return mainW;}
    void moveObject(libfwbuilder::FWObject *target, libfwbuilder::FWObject *obj);
    void moveObject(const QString &targetLibName, libfwbuilder::FWObject *obj);

    // Deferred-update registration; the work happens on the next
    // event-loop pass in the matching slot below.
    void registerModifiedObject(libfwbuilder::FWObject *o);
    void registerObjectToUpdateInTree(libfwbuilder::FWObject *o, bool update_subtree);
    void registerTreeReloadRequest();
    void registerRuleSetRedrawRequest();

    libfwbuilder::FWObject* pasteTo(libfwbuilder::FWObject *target, libfwbuilder::FWObject *obj);
    ObjectTreeView* getCurrentObjectTree();
    void findAllFirewalls(std::list &fws);
    void showDeletedObjects(bool f);
    void select();
    void unselect();
    void copyObj();
    bool isManipulatorSelected();
    void cutObj();
    void pasteObj();
    void deleteObj();
    libfwbuilder::FWObject* getSelectedObject();
    void reopenCurrentItemParent();
    void setManipulatorFocus();
    void clearManipulatorFocus();

    //find dialog functions wrappers
    void setFDObject(libfwbuilder::FWObject *o);
    void resetFD();

    void clearFirewallTabs();
    void closeRuleSetPanel();
    void ensureObjectVisibleInRules(libfwbuilder::FWReference *obj);
    libfwbuilder::FWObject* getVisibleFirewall() { return visibleFirewall; }
    RuleSetView* getRuleSetViews(libfwbuilder::FWObject *o) {return ruleSetViews[o];};
    int findFirewallInList(libfwbuilder::FWObject *f);
    void updateFirewallName();
    void selectRules();
    void unselectRules();
    void editCopy();
    void editCut();
    void editDelete();
    void editPaste();

    // Returns false when the user cancels; true when saved, discarded, or
    // nothing was dirty.
    bool saveIfModified(bool include_discard_button=true);
    QString chooseNewFileName(const QString &fname, const QString &title);
    void setFileName(const QString &fname);
    void restoreDepends(libfwbuilder::FWObject *obj_old,
                        libfwbuilder::FWObject *nobj,
                        const std::map &objByIds);
    QString getPageTitle(bool file_path=false);
    void setActive();

private:

public slots:
    void newObject();
    virtual void lockObject();
    virtual void unlockObject();
    virtual void insertRule();
    virtual void addRuleAfterCurrent();
    virtual void moveRule();
    virtual void moveRuleUp();
    virtual void moveRuleDown();
    virtual void removeRule();
    virtual void copyRule();
    virtual void cutRule();
    virtual void pasteRuleAbove();
    virtual void pasteRuleBelow();
    virtual void reopenFirewall();
    virtual void redrawRuleSets();
    virtual void restoreRuleSetTab();
    virtual void fileProp();
    virtual bool fileNew();
    virtual void fileClose();
    virtual void fileSave();
    virtual void fileSaveAs();
    virtual void fileCommit();
    virtual void fileDiscard();
    virtual void fileAddToRCS();
    virtual void fileImport();
    virtual void fileCompare();
    virtual void fileExport();
    // Save first; the action is skipped if the database is still dirty.
    virtual void compile(std::set vf);
    virtual void compile();
    virtual void install(std::set vf);
    virtual void install();
    virtual void inspect(std::set vf);
    void splitterMoved ( int pos, int index );
    virtual void autoSave();
    virtual void compileThis();
    virtual void installThis();
    virtual void inspectThis();
    virtual void inspectAll();
    virtual void addRule();
    virtual void diffThis();
    void updateLastModifiedTimestampForAllFirewalls();
    void updateObjectInTree();
    void reloadTree();
    void aboutToActivate();
    void splitterPositionChanged(int, int);

public:
    QString getFileName();           // "" when no RCS wrapper exists
    bool editingLibrary();
    void createRCS( const QString &filename);
    bool loadFromRCS(RCS *rcs);
    void loadStandardObjects();
    bool loadFile(const QString &fileName, bool load_rcs_head);
    void save();
    void saveState();
    void loadState(bool open_objects=true);
    void saveMainSplitter();
    void loadMainSplitter();
    void loadOpenedRuleSet();
    void saveOpenedRuleSet();
    void saveLastOpenedLib();
    void loadLastOpenedLib();
    void loadFirstNonStandardLib();
    bool checkin(bool unlock);
    libfwbuilder::FWObject* loadLibrary(const std::string &libfpath);
    bool exportLibraryTest(std::list &selectedLibs);
    void exportLibraryTo(QString fname, std::list &selectedLibs, bool rof);
    void findExternalRefs(libfwbuilder::FWObject *lib,
                          libfwbuilder::FWObject *root,
                          std::list &extRefs);
    void setSafeMode(bool f) { safeMode=f; }
    void setupAutoSave();
    RCS * getRCS();
    QString printHeader();
    void toggleViewTree(bool f);

protected:
    int oldState ;

    virtual void showEvent(QShowEvent *ev);
    virtual void hideEvent(QHideEvent *ev);
    virtual void closeEvent(QCloseEvent *ev);
    virtual void resizeEvent(QResizeEvent *ev);
    // Dispatcher for application events in the QEvent::User range.
    virtual bool event(QEvent *ev);

    void setMainSplitterPosition(int w1, int w2);
    void collapseTree();
    void collapseRules();
};

#endif
fwbuilder-5.3.7/src/libgui/ProjectPanel_events.cpp000066400000000000000000000400761303637203600222430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
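To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "config.h"
#include "global.h"

#include
#include
#include
#include
#include
#include
#include

#include "fwbuilder/RuleSet.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"

#include "ProjectPanel.h"
#include "events.h"
#include "FWBTree.h"
#include "FWWindow.h"
#include "RCS.h"
#include "RuleSetView.h"
#include "RuleSetModel.h"
#include "ColDesc.h"

#include
#include
#include

using namespace Ui;
using namespace libfwbuilder;
using namespace std;

/*
 * Dispatch application events (QEvent::User and above).
 *
 * Every such event must be an fwbUpdateEvent carrying the data file name
 * and the id of the object it concerns.  Events for another file are
 * ignored (return false); UPDATE_GUI_STATE_EVENT is handled regardless of
 * file.  Handlers are grouped in three stages: those that need no object,
 * those that need the object to still exist in the database, and those
 * that additionally need the panel to be attached to an MDI window.
 */
bool ProjectPanel::event(QEvent *event)
{
    if (event->type() >= QEvent::User)
    {
        // Anything in the user range that is not one of our events must
        // not be dereferenced as one; hand it to QWidget instead.
        fwbUpdateEvent *ev = dynamic_cast<fwbUpdateEvent*>(event);
        if (ev == NULL) return QWidget::event(event);

        int event_code = event->type() - QEvent::User;
        QString data_file = ev->getFileName();
        int obj_id = ev->getObjectId();
        FWObject *obj = db()->findInIndex(obj_id);   // NULL if unknown/deleted

        if (fwbdebug)
            qDebug() << this
                     << "rcs:" << rcs
                     << "rcs->getFileName():"
                     << QString((rcs!=NULL) ? rcs->getFileName() : "")
                     << "file:" << data_file
                     << "event:" << ev->getEventName()
                     << "object:"
                     << ((obj!=NULL) ? QString::fromUtf8(obj->getName().c_str()) : "")
                     << "(" << ((obj!=NULL) ? obj->getTypeName().c_str() : "") << ")"
                     << "id=" << ((obj!=NULL) ? obj->getId() : -1);

        if (event_code == UPDATE_GUI_STATE_EVENT && mdiWindow != NULL)
        {
            m_panel->om->updateCreateObjectMenu(getCurrentLib());
            ev->accept();
            return true;
        }

        if ((rcs && rcs->getFileName() == data_file) ||
            (!rcs && data_file.isEmpty()))
        {
            // Stage 1: events that do not refer to a particular object.
            switch (event_code)
            {
            case RELOAD_OBJECT_TREE_EVENT:
                registerTreeReloadRequest();
                ev->accept();
                return true;

            case RELOAD_OBJECT_TREE_IMMEDIATELY_EVENT:
                m_panel->om->reload();
                ev->accept();
                return true;

            case RELOAD_RULESET_EVENT:
                registerRuleSetRedrawRequest();
                // update rule set title as well
                //updateFirewallName();
                ev->accept();
                return true;

            case MAKE_CURRENT_RULE_VISIBLE_IN_RULESET_EVENT:
            {
                RuleSetView* rsv = getCurrentRuleSetView();
                if (rsv) rsv->makeCurrentRuleVisible();
                ev->accept();
                return true;
            }

            case RELOAD_RULESET_IMMEDIATELY_EVENT:
                redrawRuleSets();
                //reopenFirewall();
                // update rule set title as well
                //updateFirewallName();
                ev->accept();
                return true;
            }

            if (obj == NULL) return false;

            // Stage 2: events that need the object but no MDI window.
            switch (event_code)
            {
            case DATA_MODIFIED_EVENT:
            {
                // This event does not trigger any updates in the UI,
                // this purely data structure update event.
                FWObject *p = obj;
                while (p && Firewall::cast(p)==NULL) p = p->getParent();
                Firewall *f = Firewall::cast(p);
                // when user locks firewall object, this code tries to
                // update last_modified timestamp in it because it
                // depends on itself. Dont.
                if (f && !f->isReadOnly())
                {
                    f->updateLastModifiedTimestamp();
                    QCoreApplication::postEvent(
                        mw, new updateObjectInTreeEvent(data_file, f->getId()));
                }
                registerModifiedObject(obj);
                QCoreApplication::postEvent(mw, new updateGUIStateEvent());
                ev->accept();
                return true;
            }

            case UPDATE_OBJECT_EVERYWHERE_EVENT:
            {
                Rule *rule = NULL;
                RuleSet* current_ruleset = NULL;
                RuleSetView* rsv = getCurrentRuleSetView();
                RuleSetModel* md = NULL;
                if (rsv)
                {
                    md = (RuleSetModel*)rsv->model();
                    current_ruleset = md->getRuleSet();
                }

                if (RuleElement::cast(obj)) rule = Rule::cast(obj->getParent());
                if (Rule::cast(obj)) rule = Rule::cast(obj);

                // A rule in the open rule set: refresh just its row.
                if (rule && current_ruleset && md && rule->isChildOf(current_ruleset))
                {
                    md->rowChanged(md->index(rule, 0));
                    ev->accept();
                    return true;
                }

                // A rule elsewhere: bring its rule set up first.
                if (rule)
                {
                    QCoreApplication::postEvent(
                        this, new showObjectInRulesetEvent(data_file, obj_id));
                    ev->accept();
                    return true;
                }

                if (rsv) rsv->updateObject(obj);

                if (Library::cast(obj))
                {
                    m_panel->om->updateLibName(obj);
                    m_panel->om->updateLibColor(obj);
                }

                QCoreApplication::postEvent(
                    mw, new updateObjectInTreeEvent(data_file, obj_id));
                // QCoreApplication::postEvent(
                //     this, new reloadRulesetEvent(data_file));
                ev->accept();
                return true;
            }

            case OBJECT_NAME_CHANGED_EVENT:
            {
                objectNameChangedEvent *name_change_event =
                    dynamic_cast<objectNameChangedEvent*>(event);
                m_panel->om->updateObjectInTree(obj);
                if (name_change_event && name_change_event->rename_children)
                {
                    // This performs automatic renaming of child objects if necessary
                    m_panel->om->autoRenameChildren(obj, name_change_event->old_name);
                }
                ev->accept();
                return true;
            }

            case UPDATE_LAST_COMPILED_TIMESTAMP_EVENT:
                // Only touch the timestamp when both the file and the
                // firewall object are writable.
                if (rcs && !rcs->isRO() && Firewall::cast(obj) && !obj->isReadOnly())
                {
                    Firewall::cast(obj)->updateLastCompiledTimestamp();
                    QCoreApplication::postEvent(
                        mw, new updateObjectInTreeEvent(data_file, obj_id));
                    ev->accept();
                    return true;
                }
                break;

            case UPDATE_LAST_INSTALLED_TIMESTAMP_EVENT:
                if (rcs && !rcs->isRO() && Firewall::cast(obj) && !obj->isReadOnly())
                {
                    Firewall::cast(obj)->updateLastInstalledTimestamp();
                    QCoreApplication::postEvent(
                        mw, new updateObjectInTreeEvent(data_file, obj_id));
                    ev->accept();
                    return true;
                }
                break;
            }

            // Events below this should only be processed if
            // ProjectPanel has been attached to an MDI window. There
            // is no MDI window right after project panel is created
            // but some operations may already be performed. See
            // FWWindow::fileOpen where ProjectPanel is created and
            // file is opened before MDI window is attached. So the UI
            // update events below will only be processed if MDI
            // window exists.
            if (mdiWindow == NULL) return false;

            // Stage 3: UI updates that need the MDI window.
            switch (event_code)
            {
            case INSERT_OBJECT_IN_TREE_EVENT:
            {
                // NOTE(review): parent may be NULL if it was deleted
                // before this event ran; confirm insertSubtree() copes.
                FWObject *parent = db()->findInIndex(
                    dynamic_cast(event)->parent_id);
                m_panel->om->insertSubtree(parent, obj);
                ev->accept();
                return true;
            }

            case REMOVE_OBJECT_FROM_TREE_EVENT:
            {
                m_panel->om->removeObjectFromTreeView(obj);
                ev->accept();
                return true;
            }

            case ADD_TREE_PAGE_EVENT:
                m_panel->om->addLib(obj);
                ev->accept();
                return true;

            case REMOVE_TREE_PAGE_EVENT:
                m_panel->om->removeLib(obj);
                ev->accept();
                return true;

            case UPDATE_OBJECT_IN_TREE_EVENT:
                registerObjectToUpdateInTree(obj, false);
                ev->accept();
                return true;

            case UPDATE_OBJECT_AND_SUBTREE_IN_TREE_EVENT:
                registerObjectToUpdateInTree(obj, true);
                ev->accept();
                return true;

            case UPDATE_OBJECT_AND_SUBTREE_IMMEDIATELY_EVENT:
                m_panel->om->updateObjectInTree(obj, true);
                ev->accept();
                return true;

            case OPEN_RULESET_EVENT:
                openRuleSet(obj);
                // update rule set title as well
                //updateFirewallName();
                ev->accept();
                return true;

            case OPEN_RULESET_IMMEDIATELY_EVENT:
                openRuleSet(obj, true);
                // update rule set title as well
                //updateFirewallName();
                ev->accept();
                return true;

            case SELECT_RULE_ELEMENT_EVENT:
            {
                // No rule set view may be open yet; every other handler
                // checks rsv before use, this one did not.
                RuleSetView* rsv = getCurrentRuleSetView();
                if (rsv)
                {
                    rsv->selectRE(Rule::cast(obj),
                                  dynamic_cast(event)->column_type);
                    rsv->setFocus(Qt::OtherFocusReason);
                }
                ev->accept();
                return true;
            }

            case SHOW_OBJECT_IN_RULESET_EVENT:
            {
                // if obj is child of RuleElement (i.e. a reference object)
                FWReference *ref = FWReference::cast(obj);
                if (ref)
                {
                    RuleSet* current_ruleset = NULL;
                    RuleSetView* rsv = getCurrentRuleSetView();
                    RuleSetModel* md = NULL;
                    if (rsv)
                    {
                        md = (RuleSetModel*)rsv->model();
                        current_ruleset = md->getRuleSet();
                    }

                    if (current_ruleset && obj->isChildOf(current_ruleset))
                    {
                        clearManipulatorFocus();
                        rsv->selectRE(ref);
                        rsv->setFocus(Qt::OtherFocusReason);
                    }
                    else
                    {
                        FWObject *rs = obj;
                        while (rs && RuleSet::cast(rs)==NULL) rs = rs->getParent();
                        if (rs)
                        {
                            // reopen rule set right now, before we post event
                            // to show the object in it.
                            openRuleSet(rs);
                            QCoreApplication::postEvent(
                                this, new showObjectInRulesetEvent(data_file, obj_id));
                        }
                    }
                    ev->accept();
                    return true;
                }

                // if obj is RuleElement - select its first element
                RuleElement *re = RuleElement::cast(obj);
                if (re && re->size() > 0)
                {
                    QCoreApplication::postEvent(
                        this, new showObjectInRulesetEvent(data_file,
                                                           obj->front()->getId()));
                    ev->accept();
                    return true;
                }

                // if obj is Rule - select its comment (the only common rule element)
                Rule *rule = Rule::cast(obj);
                if (rule)
                {
                    RuleSet* current_ruleset = NULL;
                    RuleSetView* rsv = getCurrentRuleSetView();
                    RuleSetModel* md = NULL;
                    if (rsv)
                    {
                        md = (RuleSetModel*)rsv->model();
                        current_ruleset = md->getRuleSet();
                    }

                    if (current_ruleset && rule->isChildOf(current_ruleset))
                    {
                        rsv->selectRE(rule, ColDesc::Comment);
                        rsv->setFocus(Qt::OtherFocusReason);
                        ev->accept();
                        return true;
                    }
                    else
                    {
                        // this rule does not belong to the current ruleset
                        // reopen rule set right now, before we post event
                        // to show the object in it.
                        openRuleSet(rule->getParent(), true);
                        QCoreApplication::postEvent(
                            this, new showObjectInRulesetEvent(data_file, obj->getId()));
                    }
                    ev->accept();
                    return true;
                }

                ev->accept();
                return true;
            }

            case SHOW_OBJECT_IN_TREE_EVENT:
                //m_panel->om->setFocus();
                m_panel->om->openObjectInTree(obj);
                ev->accept();
                return true;

            case EXPAND_OBJECT_IN_TREE:
                m_panel->om->expandObjectInTree(obj);
                ev->accept();
                return true;

            case OPEN_LIBRARY_FOR_OBJECT_EVENT:
                m_panel->om->openLibForObject(obj);
                ev->accept();
                return true;

            case CLOSE_OBJECT_EVENT:
                if (RuleSet::cast(obj))
                {
                    if (visibleRuleSet == obj)
                    {
                        clearFirewallTabs();
                        closeRuleSet(obj);
                    }
                }
                else
                {
                    m_panel->om->closeObject();
                    mdiWindow->update();
                }
                ev->accept();
                return true;

            case ADD_USER_FOLDER_EVENT:
                m_panel->om->addUserFolderToTree(
                    obj, dynamic_cast(event)->m_userFolder);
                ev->accept();
                return true;

            case REMOVE_USER_FOLDER_EVENT:
                m_panel->om->removeUserFolderFromTree(
                    obj, dynamic_cast(event)->m_userFolder);
                ev->accept();
                return true;

            case MOVE_TOFROM_USER_FOLDER_EVENT:
            {
                moveToFromUserFolderEvent *moveEvent =
                    dynamic_cast<moveToFromUserFolderEvent*>(event);
                if (moveEvent)
                {
                    m_panel->om->moveToFromUserFolderInTree(
                        obj,
                        db()->findInIndex(moveEvent->m_objIdToMove),
                        moveEvent->m_oldFolder,
                        moveEvent->m_newFolder);
                }
                ev->accept();
                return true;
            }
            }
        }
        return false;
    }

    //if (fwbdebug) qDebug() << this << "event:" << event;
    return QWidget::event(event);
}
fwbuilder-5.3.7/src/libgui/ProjectPanel_file_ops.cpp000066400000000000000000001421661303637203600225400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com refactoring and bugfixes: vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.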
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "events.h" #include #include #include #include #include #include #include #include "fwbuilder/Constants.h" #include "ProjectPanel.h" #include #include "FWWindow.h" #include "RCS.h" #include "filePropDialog.h" #include "FWBSettings.h" #include "RCSFilePreview.h" #include "FindObjectWidget.h" #include "FWObjectClipboard.h" #include "upgradePredicate.h" #include "ObjConflictResolutionDialog.h" #include "LibExportDialog.h" #include "longTextDialog.h" #include "FWBTree.h" #include "ObjectTreeView.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include "memcheck.h" #define LONG_ERROR_CUTOFF 1024 using namespace Ui; using namespace libfwbuilder; using namespace std; bool ProjectPanel::saveIfModified(bool include_discard_button) { if (fwbdebug) qDebug() << "ProjectPanel::saveIfModified()"; if (db() && db()->isDirty()) // if (db() && db()->isDirty() && rcs && !rcs->getFileName().isEmpty()) { QString message = "Some objects have been modified but not saved.\n"; message += "Do you want to save "; message += rcs->getFileName(); message += " changes now ?"; if (include_discard_button) { switch (QMessageBox::information(this, "Firewall Builder", message, tr("&Save"), tr("&Discard"), tr("&Cancel"), 0, // Enter = button 0 2 ) ) // Escape == button 2 { case 0: save(); break; case 1: // discard db()->setDirty(false); break; case 2: // cancel return false; } } else { switch (QMessageBox::information(this, "Firewall Builder", message, 
tr("&Save"),tr("&Cancel"), 0, // Enter = button 0 1 ) ) // Escape == button 1 { case 0: save(); break; case 1: // cancel return false; } } } return true; } QString ProjectPanel::chooseNewFileName(const QString &fname, const QString &title) { // when file open dialog is created using static function // QFileDialog::getSaveFileName, its behavior is different on // Linux and Mac (did not check on windows) // Native dialog usd by Qt on Mac automatically adds .fwb suffix // to the file name user enters if it does not have any suffix. It // checks for the conflicts with exitsing files _after_ the suffix // has been added. On Linux dialog created by the static function // QFileDialog::getSaveFileName does not add suffix and checks for // conflicts using the name without one. Since I used to add // suffix here but did not check for the conflict again after // that, it was possible for the user to enter name with no suffix // and that way overwrite old file without warning. Will avoid // static fucntion and instead build dialog manually and use // setDefaultSuffix() to enforce suffix. 
QFileDialog fd(this); fd.setFileMode(QFileDialog::AnyFile); fd.setDefaultSuffix("fwb"); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) fd.setFilter(tr( "FWB Files (*.fwb);;All Files (*)" ) ); #else fd.setNameFilter(tr( "FWB Files (*.fwb);;All Files (*)" ) ); #endif fd.setWindowTitle(title); fd.setDirectory(st->getOpenFileDir(fname)); fd.setAcceptMode(QFileDialog::AcceptSave); QString fn; if (fd.exec()) { QStringList fileNames = fd.selectedFiles(); fn = fileNames.front(); QFileInfo finfo(fn); if (finfo.suffix().isEmpty()) fn += ".fwb"; st->setOpenFileDir(fn); } return fn; } void ProjectPanel::fileProp() { if (rcs!=NULL) { filePropDialog fpd(this,rcs); fpd.setPrinter(mainW->getPrinter()); fpd.exec(); } } bool ProjectPanel::fileNew() { if (fwbdebug) qDebug("ProjectPanel::fileNew()"); QString nfn = chooseNewFileName( st->getWDir(), tr("Choose name and location for the new file")); if ( !nfn.isEmpty() ) { //if (!saveIfModified() || !checkin(true)) return; if (!systemFile && rcs!=NULL) fileClose(); // fileClose calls load(this) else loadStandardObjects(); visibleFirewall = NULL; setFileName(nfn); save(); setupAutoSave(); loadFirstNonStandardLib(); QCoreApplication::postEvent(mw, new updateSubWindowTitlesEvent()); } #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("ProjectPanel::fileNew() rcs=%p rcs->getFileName()='%s'", rcs, rcs == 0 ? "" : rcs->getFileName().toAscii().constData()); #else if (fwbdebug) qDebug("ProjectPanel::fileNew() rcs=%p rcs->getFileName()='%s'", rcs, rcs == 0 ? "" : rcs->getFileName().toLatin1().constData()); #endif return (rcs!=NULL); } bool ProjectPanel::loadFile(const QString &fileName, bool load_rcs_head) { if (fwbdebug) qDebug() << "ProjectPanel::loadFile fileName=" << fileName.toLocal8Bit() << "load_rcs_head=" << load_rcs_head; RCSFilePreview fp(this); bool hasRCS = fp.showFileRLog(fileName); // class RCS automatically selected head revision when it opens // file and reads RCS log. 
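User can choose different revision
    // using RCSFilePreview. If they do, RCSFilePreview::getSelectedRev()
    // returns selected revision. However if they do not choose, or
    // dialog is never executed, getSelectedRev() returns head.
    // if load_rcs_head == true, we do not run RCSFilePreview dialog
    // which means it will return head revision automatically.
    int dlg_res = QDialog::Accepted;
    if (hasRCS && !load_rcs_head) dlg_res = fp.exec();
    if (dlg_res!=QDialog::Accepted) return false;

    // Offer to save (and check in) whatever is open right now before it
    // gets replaced; either refusal aborts the load.
    if (!saveIfModified() || !checkin(true)) return false;

    if (!systemFile && rcs!=NULL)
    {
        if (mw->isEditorVisible()) mw->hideEditor();
        reset();
    }

    //try to get simple rcs instance from RCS preview
    RCS *new_rcs = fp.getSelectedRev();

    //if preview cannot give RCS,
    //get a new RCS from file dialog
    if (new_rcs==NULL) new_rcs = new RCS(fileName);
    if (new_rcs==NULL) return false;

    try
    {
        new_rcs->co();
        if (loadFromRCS(new_rcs))
        {
            // When the RCS object checked the revision out into a temporary
            // file (isTemp()), that file has been read into memory by now and
            // is removed here so it does not linger on disk.
            if (new_rcs->isTemp())
                unlink(new_rcs->getFileName().toLocal8Bit().constData());
            st->setOpenFileDir(getFileDir(fileName));

            // For Diff Viewer
            if (origObjdb) delete origObjdb;
            origObjdb = new FWObjectDatabase(*objdb);
            origObjdb->reIndex();
            return true;
        }
    } catch (FWException &ex)
    {
        // loadFromRCS() reports its own failures with a dialog; this catch
        // is reached when the checkout itself (or the copy above) throws.
        // The exception used to be swallowed silently, leaving the user with
        // a file that did not open and no explanation. Report it the way the
        // other load paths in this file do, truncating very long messages.
        QString error_txt = QString::fromUtf8(ex.toString().c_str());
        if (error_txt.length() > LONG_ERROR_CUTOFF)
        {
            error_txt.truncate(LONG_ERROR_CUTOFF);
            error_txt += "\n\n" + tr("(Long error message was truncated)");
        }
        QMessageBox::critical(
            this,"Firewall Builder",
            tr("Error loading file %1:\n%2").arg(fileName).arg(error_txt),
            tr("&Continue"), QString::null,QString::null, 0, 1 );
        // NOTE(review): ownership of new_rcs on this path is not obvious from
        // here (it may come from RCSFilePreview); it is left alone on purpose.
        return false;
    }
    return false;
}

/*
 * Close the data file that is currently open in this panel: offer to
 * save and check it in, then reset the panel state, close its MDI
 * window and disable the compile/install actions.
 */
void ProjectPanel::fileClose()
{
    if (fwbdebug) qDebug("ProjectPanel::fileClose(): start");

    if (mw->isEditorVisible()) mw->hideEditor();

    // either refusal to save or a failed/cancelled checkin keeps the file open
    if (!saveIfModified() || !checkin(true)) return;

    reset();
    mdiWindow->close();
    mw->setCompileAndInstallActionsEnabled(false);

    if (fwbdebug) qDebug("ProjectPanel::fileClose(): done");
}

/*
 * slot that is called by a timer if user turned on auto-save feature
 * using controls in the Preferences dialog. Need to save only if data
 * was modified (flag "dirty" is set).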
*/ void ProjectPanel::autoSave() { if (db() && db()->isDirty() && rcs && !rcs->getFileName().isEmpty()) fileSave(); } void ProjectPanel::fileSave() { save(); } void ProjectPanel::fileSaveAs() { if (mw->isEditorVisible()) mw->hideEditor(); /* we need to save data into the current file before we save it into a * new file, provided we do have current file if (!systemFile && rcs && !rcs->isRO() && !rcs->isTemp() && !rcs->getFileName().isEmpty() && (!saveIfModified() || !checkin(true)) ) return; */ /* need to close the file without asking and saving, then reopen it again */ QString oldFileName = rcs->getFileName(); QString newFileName = chooseNewFileName( oldFileName, tr("Choose name and location for the file")); if (!newFileName.isEmpty()) { db()->setDirty(false); // so it wont ask if user wants to save rcs->abandon(); if (rcs!=NULL) delete rcs; rcs = new RCS(""); setFileName(newFileName); save(); mw->updateOpenRecentMenu(newFileName); } } void ProjectPanel::fileCommit() { save(); if (!checkin(true)) return; rcs->co(); } /* * discard changes done to the file and check out clean copy of the * head revision from RCS */ void ProjectPanel::fileDiscard() { if (QMessageBox::warning(this, "Firewall Builder", tr("This operation discards all changes that have been saved " "into the file so far, closes it and replaces it with a clean " "copy of its head revision from RCS." 
"\n" "All changes will be lost if you do this.\n"), tr("&Discard changes"), tr("&Cancel"), QString::null, 1 )==0 ) { /* need to close the file without asking and saving, then * reopen it again */ QString fname = rcs->getFileName(); db()->setDirty(false); // so it wont ask if user wants to save rcs->abandon(); /* do everything fileClose() does except do not close mdiWindow * because we'll need it again to reopen the file into */ if (mw->isEditorVisible()) mw->hideEditor(); if (rcs) delete rcs; rcs=NULL; FWObjectClipboard::obj_clipboard->clear(); firewalls.clear(); visibleFirewall = NULL; visibleRuleSet = NULL; clearFirewallTabs(); clearObjects(); /* loadFile calls fileClose, but only if file is currently * open, which it isn't because we reset rcs to NULL */ loadFile(fname, false); } } void ProjectPanel::fileAddToRCS() { if (!saveIfModified()) return; if (rcs && rcs->isCheckedOut()) return; try { if (!rcs->isInRCS() && !rcs->isRO()) { rcs->add(); rcs->co(); QMessageBox::information( this,"Firewall Builder", tr("File %1 has been added to RCS.").arg(rcs->getFileName()), tr("&Continue"), QString::null,QString::null, 0, 1 ); } } catch (FWException &ex) { QMessageBox::critical( this,"Firewall Builder", tr("Error adding file to RCS:\n%1").arg(ex.toString().c_str()), tr("&Continue"), QString::null,QString::null, 0, 1 ); } QCoreApplication::postEvent(mw, new updateSubWindowTitlesEvent()); } void ProjectPanel::fileImport() { resetFD(); QString fname = QFileDialog::getOpenFileName( mainW, tr("Choose a file to import"), st->getWDir(), "FWB library files (*.fwl);;FWB Files (*.fwb);;All Files (*)"); if (fname.isEmpty()) return; // Cancel - keep working with old file FWObject *new_lib = loadLibrary( fname.toLocal8Bit().constData() ); loadObjects(); m_panel->om->openLib(new_lib); } void ProjectPanel::fileCompare() { resetFD(); QMessageBox initial_question( QMessageBox::Information, "Firewall Builder", tr("This operation inspects two data files (either .fwb or .fwl) and finds 
conflicting objects. Conflicting objects have the same internal ID but different attributes. Two data files can not be merged, or one imported into another, if they contain such objects. This operation also helps identify changes made to objects in two copies of the same data file.

This operation does not find objects present in one file but not in the other, such objects present no problem for merge or import operations.

This operation works with two external files, neither of which needs to be opened in the program. Currently opened data file is not affected by this operation and objects in the tree do not change.

Do you want to proceed ?"), QMessageBox::Yes | QMessageBox::No); initial_question.setTextFormat( Qt::RichText ); if (initial_question.exec() != QMessageBox::Yes) return; QString fname1 = QFileDialog::getOpenFileName( mainW, tr("Choose the first file"), st->getOpenFileDir(), "FWB files (*.fwb);;FWB Library Files (*.fwl);;All Files (*)"); if (fname1.isEmpty()) return; // Cancel st->setOpenFileDir(fname1); QString fname2 = QFileDialog::getOpenFileName( mainW, tr("Choose the second file"), st->getOpenFileDir(), "FWB files (*.fwb);;FWB Library Files (*.fwl);;All Files (*)"); if (fname2.isEmpty()) return; // Cancel st->setOpenFileDir(fname2); MessageBoxUpgradePredicate upgrade_predicate(mainW); FWObjectDatabase *db1; FWObjectDatabase *db2; FWObject *dobj; try { db1 = new FWObjectDatabase(); db1->load(fname1.toLocal8Bit().constData(), &upgrade_predicate, Constants::getDTDDirectory()); dobj = db1->findInIndex(FWObjectDatabase::DELETED_OBJECTS_ID); if (dobj) db1->remove(dobj, false); } catch(FWException &ex) { QMessageBox::critical( this,"Firewall Builder", tr("Error loading file %1:\n%2"). arg(fname1).arg(ex.toString().c_str()), tr("&Continue"), QString::null,QString::null, 0, 1 ); return; } try { db2 = new FWObjectDatabase(); db2->load(fname2.toLocal8Bit().constData(), &upgrade_predicate, Constants::getDTDDirectory()); dobj = db2->findInIndex(FWObjectDatabase::DELETED_OBJECTS_ID); if (dobj) db2->remove(dobj, false); } catch(FWException &ex) { QMessageBox::critical( this,"Firewall Builder", tr("Error loading file %1:\n%2"). 
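arg(fname2).arg(ex.toString().c_str()),
            tr("&Continue"), QString::null,QString::null, 0, 1 );
        // The first file was loaded successfully above; release it before
        // bailing out so a bad second file does not leak the first database.
        delete db1;
        return;
    }

    // Both databases have to go away on every path out of the block below,
    // including the exception path into the catch clause at the end of this
    // function, so their lifetime is tied to a small guard object instead of
    // a pair of explicit deletes that an exception (or an early return)
    // would skip.
    struct DbGuard
    {
        FWObjectDatabase *first;
        FWObjectDatabase *second;
        ~DbGuard() { delete first; delete second; }
    } db_guard = { db1, db2 };

    try
    {
        // CompareObjectsDialog is just like ObjConflictResolutionDialog
        // except it always returns 'accepted' and keeps record
        // of all object differences so we can print report in the end
        CompareObjectsDialog cod(this);
        db1->merge(db2, &cod);
        list<QString> report = cod.getReport();

        ostringstream str;
        str << cod.getNumberOfConflicts();

        QMessageBox mb(
            QMessageBox::Information, "Firewall Builder",
            tr("Total number of conflicting objects: %1.\nDo you want to generate report?").arg(str.str().c_str()),
            QMessageBox::Yes | QMessageBox::No);

        if (mb.exec() == QMessageBox::Yes)
        {
            // save report to a file
            QString fn = QFileDialog::getSaveFileName(
                this, tr("Choose name and location for the report file"),
                st->getOpenFileDir(fname1),
                tr( "TXT Files (*.txt);;All Files (*)" ));
            if (fn.isEmpty()) return; // Cancel
            st->setOpenFileDir(fn);

            if (!fn.endsWith(".txt"))
            {
                // The file dialog only warned about an existing file under
                // the name the user typed. Appending the suffix afterwards
                // changes the target, so check again and ask before
                // overwriting -- the same problem chooseNewFileName()
                // describes, handled with the same prompt fileExport() uses.
                fn += ".txt";
                if (QFile::exists(fn) &&
                    QMessageBox::warning(
                        this,"Firewall Builder",
                        tr("The file %1 already exists.\nDo you want to overwrite it ?")
                        .arg(fn),
                        tr("&Yes"), tr("&No"), QString::null,
                        0, 1 )==1 ) return;
            }

            if (fwbdebug)
                qDebug() << QString("Saving report to %1").arg(fn);

            QFile report_file(fn);
            if (report_file.open(QIODevice::WriteOnly))
            {
                QTextStream report_stream(&report_file);
                for (list<QString>::iterator i=report.begin(); i!=report.end(); ++i)
                {
                    report_stream << *i;
                }
                report_file.close();
            } else
            {
                QMessageBox::critical(
                    this,"Firewall Builder",
                    tr("Can not open report file for writing. File '%1'").arg(fn),
                    tr("&Continue"), QString::null,QString::null, 0, 1 );
            }
        }
    } catch(FWException &ex)
    {
        QMessageBox::critical(
            this,"Firewall Builder",
            tr("Unexpected error comparing files %1 and %2:\n%3").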
arg(fname1).arg(fname2).arg(ex.toString().c_str()), tr("&Continue"), QString::null,QString::null, 0, 1 ); } } void ProjectPanel::fileExport() { LibExportDialog ed; list selectedLibs; map::iterator i; int lib_idx = -1; do { if (ed.exec()!=QDialog::Accepted) return; QList selitems = ed.m_dialog->libs->selectedItems(); for (i=ed.mapOfLibs.begin(); i!=ed.mapOfLibs.end(); i++) if (selitems.contains(ed.m_dialog->libs->item(i->first))) selectedLibs.push_back(i->second); lib_idx=ed.m_dialog->libs->currentRow (); if (lib_idx<0 || selectedLibs.size()==0) { QMessageBox::critical( this,"Firewall Builder", tr("Please select a library you want to export."), "&Continue", QString::null,QString::null, 0, 1 ); return; } } while (!exportLibraryTest(selectedLibs)); FWObject *selLib = ed.mapOfLibs[ lib_idx ]; QString path = st->getOpenFileDir() + QString::fromUtf8(selLib->getName().c_str()) + ".fwl"; resetFD(); QString fname = QFileDialog::getSaveFileName( this, "Choose a filename to save under", path, "Firewall Builder library files (*.fwl)"); if (fname.isEmpty()) return; if (QFile::exists(fname) && QMessageBox::warning( this,"Firewall Builder", tr("The file %1 already exists.\nDo you want to overwrite it ?") .arg(fname), tr("&Yes"), tr("&No"), QString::null, 0, 1 )==1 ) return; st->setOpenFileDir(path); exportLibraryTo(fname,selectedLibs,ed.m_dialog->exportRO->isChecked()); } bool ProjectPanel::exportLibraryTest(list &selectedLibs) { /* VERY IMPORTANT: External library file must be self-contained, * otherwise it can not be exported. * * check if selected libraries have references to objects in other * libraries (not exported to the same file). Exporting such libraries * pulls in other ones because of these references. This is confusing * because it means we end up with multiple copies of such objects (in * exported library file and in user's data file). When user imports * this library and opens their file, it is impossible to say which * library an object belongs to. 
* * This is prohibited. We check if exported set of libraries has such * references and refuse to export it. The user is supposed to clean * it up by either moving objects into the library they are trying to * export, or by rearranging objects. The only exception for this is * library "Standard", which is assumed to be always present so we can * have references to objects in it. */ QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) ); list externalRefs; for (list::iterator i=selectedLibs.begin(); i!=selectedLibs.end(); ++i) findExternalRefs( *i, *i, externalRefs); QApplication::restoreOverrideCursor(); if (fwbdebug) qDebug("LibExportDialog::accept externalRefs.size()=%d", int(externalRefs.size()) ); /* * if externalRefs.size()!=0, then there were some references pointing * outside of the libraries we export. Some of these references may * point at other libraries we export, lets find these. */ list externalRefs2; for (list::iterator i=externalRefs.begin(); i!=externalRefs.end(); ++i) { FWObject *tgt = (*i)->getPointer(); FWObject *tgtlib = tgt->getLibrary(); if (std::find(selectedLibs.begin(),selectedLibs.end(),tgtlib)!=selectedLibs.end()) continue; externalRefs2.push_back(*i); } if (externalRefs2.size()!=0) { QString objlist = ""; QString s = ""; for (list::iterator i=externalRefs2.begin(); i!=externalRefs2.end(); ++i) { FWReference *robj = *i; FWObject *selLib = robj->getLibrary(); FWObject *pp = robj->getParent(); FWObject *tgt = robj->getPointer(); FWObject *tgtlib = tgt->getLibrary(); if (fwbdebug) { qDebug("LibExportDialog::accept tgt: %s pp_type: %s lib: %s", tgt->getName().c_str(), pp->getTypeName().c_str(), tgtlib->getName().c_str()); } if (std::find(selectedLibs.begin(),selectedLibs.end(),tgtlib)!=selectedLibs.end()) continue; if (RuleElement::cast(pp)!=NULL) { FWObject *fw = pp; FWObject *rule = pp; FWObject *ruleset = pp; FWObject *iface = pp; while (rule!=NULL && Rule::cast(rule)==NULL) rule=rule->getParent(); while (ruleset!=NULL && 
RuleSet::cast(ruleset)==NULL) ruleset=ruleset->getParent(); while (iface!=NULL && Interface::cast(iface)==NULL) iface=iface->getParent(); while (fw!=NULL && Firewall::cast(fw)==NULL) fw=fw->getParent(); s = QObject::tr("Library %1: Firewall '%2' (%3 rule #%4) uses " "object '%5' from library '%6'") .arg(selLib->getName().c_str()) .arg(fw->getName().c_str()) .arg(ruleset->getTypeName().c_str()) .arg(Rule::cast(rule)->getPosition()) .arg(tgt->getName().c_str()) .arg(tgtlib->getName().c_str()); } else { s = QObject::tr("Library %1: Group '%2' uses object '%3' from library '%4'") .arg(selLib->getName().c_str()) .arg(pp->getName().c_str()) .arg(tgt->getName().c_str()) .arg(tgtlib->getName().c_str()); } s = s + "\n"; if (fwbdebug) qDebug() << s; objlist = objlist + s; } longTextDialog ltd( this, tr("A library that you are trying to export contains references\n" "to objects in the other libraries and can not be exported.\n" "The following objects need to be moved outside of it or\n" "objects that they refer to moved in it:"), objlist ); ltd.exec(); return false; } return true; } void ProjectPanel::exportLibraryTo(QString fname,list &selectedLibs, bool rof) { QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) ); FWObjectDatabase *ndb = db()->exportSubtree( selectedLibs ); QApplication::restoreOverrideCursor(); if (rof) { for (list::iterator i=selectedLibs.begin(); i!=selectedLibs.end(); ++i) { FWObject *nlib= ndb->findInIndex( (*i)->getId() ); if (nlib && nlib->getId()!=FWObjectDatabase::DELETED_OBJECTS_ID) nlib->setReadOnly( true ); } } try { xmlSetCompressMode(st->getCompression() ? 9 : 0); ndb->saveFile( fname.toLocal8Bit().constData() ); } catch (FWException &ex) { /* error saving the file. 
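Since XMLTools does not return any useful
         * error message in the exception, let's check for obvious problems here */
        QString err;
        // errno is read right after access(), before anything else can clobber it
        if (access( fname.toLocal8Bit().constData(), W_OK)!=0 && errno==EACCES)
            err=QObject::tr("File is read-only");
        QMessageBox::critical(
            this,"Firewall Builder",
            QObject::tr("Error saving file %1: %2")
            .arg(fname).arg(err),
            "&Continue", QString::null, QString::null, 0, 1 );
    }
    // exportSubtree() hands back a freshly allocated database (save() deletes
    // its copy the same way); release it on the success and the error path.
    delete ndb;
}

/*
 * (Re)arm the auto-save timer from the current preferences. Runs after a
 * file is created, opened or loaded, so it may be called many times for
 * the same panel. Auto-save is only armed when it is enabled in the
 * preferences and a named file is open; otherwise the timer is stopped.
 */
void ProjectPanel::setupAutoSave()
{
    if ( st->getBool("Environment/autoSaveFile") &&
         rcs!=NULL && rcs->getFileName()!="")
    {
        int p = st->getInt("Environment/autoSaveFilePeriod");   // minutes
        autosaveTimer->start( p*1000*60 );
        // Qt allows duplicate signal/slot connections by default; since this
        // method is called on every fileNew()/loadFromRCS()/
        // loadStandardObjects(), a plain connect() would stack one more
        // timeout->autoSave() connection each time and the file would be
        // saved several times per tick. UniqueConnection (Qt >= 4.6) makes
        // the call idempotent.
        connect( autosaveTimer, SIGNAL(timeout()), this, SLOT(autoSave()),
                 Qt::UniqueConnection );
    } else
        autosaveTimer->stop();
}

/*
 * Walk the subtree under 'root' and collect every FWReference whose
 * target lives outside library 'lib'. References into the Standard
 * library and into "Deleted Objects" are ignored, because those are
 * assumed to be present in every data file (see exportLibraryTest()).
 *
 *   lib     - library being exported; references into it are not external
 *   root    - object to start from (initially the library itself)
 *   extRefs - receives the external references found, in tree order
 */
void ProjectPanel::findExternalRefs(FWObject *lib,
                                    FWObject *root,
                                    list<FWReference*> &extRefs)
{
    FWReference *ref=FWReference::cast(root);
    if (ref!=NULL)
    {
        FWObject *target = ref->getPointer();
        // Defensive: a reference whose target can not be resolved (stale
        // id) has no library to compare against; skip it instead of
        // dereferencing NULL. NOTE(review): whether such references can
        // occur in practice is not visible from here.
        if (target==NULL) return;
        FWObject *plib = target->getLibrary();
        if ( plib!=NULL &&
             plib->getId()!=FWObjectDatabase::STANDARD_LIB_ID &&
             plib->getId()!=FWObjectDatabase::DELETED_OBJECTS_ID &&
             plib!=lib )
            extRefs.push_back(ref);
        return;
    } else
    {
        for (FWObject::iterator i=root->begin(); i!=root->end(); i++)
            findExternalRefs(lib, *i, extRefs);
    }
}

/**
 * Load library or several libraries from an external file. Return
 * pointer to the last new imported library.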
*/ FWObject* ProjectPanel::loadLibrary(const string &libfpath) { MessageBoxUpgradePredicate upgrade_predicate(mainW); FWObject *last_new_lib = NULL; try { FWObjectDatabase *ndb = new FWObjectDatabase(); ndb->load(libfpath, &upgrade_predicate, Constants::getDTDDirectory()); FWObject *dobj = ndb->findInIndex(FWObjectDatabase::DELETED_OBJECTS_ID); if (dobj) ndb->remove(dobj, false); set duplicate_ids; db()->findDuplicateIds(ndb, duplicate_ids); map id_mapping; for (set::iterator it=duplicate_ids.begin(); it!=duplicate_ids.end(); ++it) { FWObject *obj = ndb->findInIndex(*it); assert(obj!=NULL); int new_id = FWObjectDatabase::generateUniqueId(); obj->setId(new_id); id_mapping[*it] = new_id; // cerr << "Duplicate ID: " << *it // << " " << FWObjectDatabase::getStringId(*it) // << obj->getPath() // << endl; } ndb->fixReferences(ndb, id_mapping); int new_lib_id = -1; // check for duplicate library names FWObjectTypedChildIterator it2 = ndb->findByType(Library::TYPENAME); for (; it2!=it2.end(); ++it2) { QString new_name = m_panel->om->makeNameUnique( db(), QString::fromUtf8((*it2)->getName().c_str()), Library::TYPENAME); (*it2)->setName(string(new_name.toUtf8())); if ((*it2)->getId() != FWObjectDatabase::STANDARD_LIB_ID) new_lib_id = (*it2)->getId(); } MergeConflictRes mcr(this); db()->merge(ndb, &mcr); delete ndb; last_new_lib = db()->findInIndex(new_lib_id); } catch(FWException &ex) { QString error_txt = ex.toString().c_str(); if (error_txt.length() > LONG_ERROR_CUTOFF) { error_txt.truncate(LONG_ERROR_CUTOFF); error_txt += "\n\n" + tr("(Long error message was truncated)"); } QMessageBox::critical( this,"Firewall Builder", tr("The program encountered error trying to load file %1.\n" "The file has not been loaded. Error:\n%2"). 
arg(libfpath.c_str()).arg(error_txt), tr("&Continue"), QString::null,QString::null, 0, 1 ); } return last_new_lib; } /* * Load standard library objects */ void ProjectPanel::loadStandardObjects() { if (fwbdebug) qDebug("ProjectPanel::load(): start"); editingStandardLib = false; editingTemplateLib = false; MessageBoxUpgradePredicate upgrade_predicate(mainW); resetFD(); try { // need to drop read-only flag on the database before I load new objects if (objdb) { objdb->destroyChildren(); delete objdb; } objdb = new FWObjectDatabase(); objdb->setReadOnly( false ); mw->showStatusBarMessage(tr("Loading system objects...")); // always load system objects if (fwbdebug) qDebug("ProjectPanel::load(): sysfname = %s", Constants::getStandardObjectsFilePath().c_str()); objdb->load( Constants::getStandardObjectsFilePath(), &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(""); if (fwbdebug) qDebug("ProjectPanel::load(): create User library"); FWObject *userLib = FWBTree().createNewLibrary(objdb); userLib->setName("User"); userLib->setStr("color","#d2ffd0"); objdb->setDirty(false); objdb->setFileName(""); createRCS(""); //setWindowTitle(getPageTitle()); QCoreApplication::postEvent(mw, new updateSubWindowTitlesEvent()); loadObjects(); setupAutoSave(); time_t last_modified = objdb->getTimeLastModified(); if (fwbdebug) qDebug("ProjectPanel::load(): done last_modified=%s dirty=%d", ctime(&last_modified), objdb->isDirty()); // For Diff Viewer if (origObjdb) delete origObjdb; origObjdb = new FWObjectDatabase(*objdb); origObjdb->reIndex(); } catch(FWException &ex) { QMessageBox::critical( this,"Firewall Builder", tr("Error loading file:\n%1").arg(ex.toString().c_str()), tr("&Continue"), QString::null,QString::null, 0, 1 ); } } bool ProjectPanel::loadFromRCS(RCS *_rcs) { resetFD(); editingStandardLib = false; editingTemplateLib = false; bool forceSave=false; // use this flag to force 'save' operation if file should be renamed MessageBoxUpgradePredicate 
upgrade_predicate(mainW); assert(_rcs!=NULL); rcs = _rcs; try { /* load the data file */ systemFile = false; clearObjects(); if (objdb) { objdb->destroyChildren(); delete objdb; } objdb = new FWObjectDatabase(); // need to drop read-only flag on the database before I load new objects objdb->setReadOnly( false ); // always loading system objects mw->showStatusBarMessage(tr("Loading system objects...") ); objdb->load( Constants::getStandardObjectsFilePath(), &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(""); // objects from a data file are in database ndb mw->showStatusBarMessage(tr("Reading and parsing data file...")); FWObjectDatabase *ndb = new FWObjectDatabase(); ndb->load(rcs->getFileName().toLocal8Bit().constData(), &upgrade_predicate,Constants::getDTDDirectory()); time_t oldtimestamp = ndb->getTimeLastModified(); /* loadingLib is true if user wants to open a library or master library file */ bool loadingLib = editingLibrary(); if (fwbdebug) { list ll = ndb->getByType(Library::TYPENAME); for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { qDebug("* Found library %s %s in the data file", FWObjectDatabase::getStringId((*i)->getId()).c_str(), (*i)->getName().c_str() ); } } /* if user opens library file, clear read-only flag so they can edit it */ if (loadingLib) { list ll = ndb->getByType(Library::TYPENAME); for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { if ((*i)->getId()==FWObjectDatabase::STANDARD_LIB_ID) editingStandardLib=true; if ((*i)->getId()==FWObjectDatabase::TEMPLATE_LIB_ID) editingTemplateLib=true; (*i)->setReadOnly( false ); } } mw->showStatusBarMessage(tr("Merging with system objects...") ); MergeConflictRes mcr(mainW); objdb->merge(ndb, &mcr); ndb->destroyChildren(); delete ndb; objdb->setFileName(rcs->getFileName().toLocal8Bit().constData()); objdb->resetTimeLastModified(oldtimestamp); objdb->setDirty(false); if (fwbdebug) { qDebug("* Merge is done"); list ll = db()->getByType(Library::TYPENAME); for 
(FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { qDebug("* Library %s %s in the data file", FWObjectDatabase::getStringId((*i)->getId()).c_str(), (*i)->getName().c_str() ); } } /* this is a hack: 'Standard' library should be read-only. I * have too many files I already converted to the new API/DTD * and I am too lazy to convert them again, so I patch it up * here. * * However, if I am editing standard library, it should not be * read-only. */ FWObject *slib = objdb->findInIndex(FWObjectDatabase::STANDARD_LIB_ID); if (slib!=NULL ) { if (fwbdebug) qDebug("standard library read-only status: %d, " "editingStandardLib: %d", slib->isReadOnly(), editingStandardLib); slib->setReadOnly(! editingStandardLib); } /* if the file name has an old extension .xml, change it to .fwb and * warn the user */ QString fn = rcs->getFileName(); QFileInfo ofinfo(fn); if ( ofinfo.suffix()=="xml") { if (fwbdebug) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("Need to rename file: %s", fn.toAscii().constData()); qDebug(" dirPath: %s", ofinfo.dir().absolutePath().toAscii().constData()); qDebug(" filePath: %s", ofinfo.absoluteFilePath().toAscii().constData()); #else qDebug("Need to rename file: %s", fn.toLatin1().constData()); qDebug(" dirPath: %s", ofinfo.dir().absolutePath().toLatin1().constData()); qDebug(" filePath: %s", ofinfo.absoluteFilePath().toLatin1().constData()); #endif } QString newFileName = ofinfo.dir().absolutePath() + "/" + ofinfo.completeBaseName() + ".fwb"; bool needToRename = true; /* need these dances with symlinks to fix bug #1008956: * "Existing .fwb file gets overwritten if has wrong * extension" */ QFileInfo nfinfo(newFileName); if (nfinfo.exists() && ofinfo.isSymLink() && ofinfo.readLink()==newFileName) { // .xml file is a symlink pointing at .fwb file // no need to rename needToRename = false; } if (needToRename) { if (nfinfo.exists()) { /* .fwb file exists but .xml is not a symlink * .fwb is a separate file with the same name. 
* * tell the user we need to rename old file but * the new file exists, then ask them to choose a * new name. If the user chooses the same name and * agrees to overwrite the file, just use this * name. If the user hits cancel, tell them they * need to choose a new name and open "file save" * dialog again. * * Show the first dialog only once. If user hits * Cancel, they see shorted version of the dialog * and will be presented with "save file" dialog * again. */ QMessageBox::warning( this,"Firewall Builder", tr("Firewall Builder uses file extension '.fwb' and\n" "needs to rename old data file '%1' to '%2',\n" "but file '%3' already exists.\n" "Choose a different name for the new file.") .arg(fn).arg(newFileName).arg(newFileName), tr("&Continue"), QString::null,QString::null, 0, 1 ); newFileName = chooseNewFileName( fn, tr("Choose name and location for the new file")); if (newFileName.isEmpty()) { QString oldFileName = ofinfo.absoluteFilePath() + ".bak"; rename(oldFileName.toLocal8Bit().constData(), fn.toLocal8Bit().constData()); QMessageBox::warning( this,"Firewall Builder", tr("Load operation cancelled and data file reverted" "to original version."), tr("&Continue"), QString::null,QString::null, 0, 1 ); loadStandardObjects(); return false; } nfinfo.setFile(newFileName); } rename(fn.toLocal8Bit().constData(), newFileName.toLocal8Bit().constData()); QMessageBox::warning( this,"Firewall Builder", tr("Firewall Builder uses file extension '.fwb'. 
Your data" "file '%1' \nhas been renamed '%2'") .arg(fn).arg(newFileName), tr("&Continue"), QString::null,QString::null, 0, 1 ); } fn = newFileName; } rcs->setFileName(fn); db()->setFileName(fn.toLocal8Bit().constData()); //setWindowTitle(getPageTitle()); //QCoreApplication::postEvent(mw, new updateSubWindowTitlesEvent()); mainW->disableActions(m_panel->ruleSets->count()!=0); time_t last_modified = db()->getTimeLastModified(); if (fwbdebug) qDebug("ProjectPanel::load(): load complete dirty=%d " "last_modified=%s", db()->isDirty(), ctime(&last_modified)); } catch(FWException &ex) { QString trans = ex.getProperties()["failed_transformation"].c_str(); QString elem = ex.getProperties()["failed_element"].c_str(); if(!trans.isEmpty() || !elem.isEmpty()) { QString msg = tr("Exception: %1").arg(ex.toString().c_str()); if (!trans.isEmpty()) { trans.truncate(LONG_ERROR_CUTOFF); msg+="\n"+tr("Failed transformation : %1").arg(trans); } if (!elem.isEmpty()) { elem.truncate(LONG_ERROR_CUTOFF); msg+="\n"+tr("XML element : %1").arg(elem); } QMessageBox::critical( this,"Firewall Builder", tr("The program encountered error trying to load data file.\n" "The file has not been loaded. Error:\n%1").arg(msg), tr("&Continue"), QString::null,QString::null, 0, 1 ); } else { // this was not XML error, perhaps permissions or other // filesystem problem QString error_txt = QString::fromUtf8(ex.toString().c_str()); if (error_txt.length() > LONG_ERROR_CUTOFF) { error_txt.truncate(LONG_ERROR_CUTOFF); error_txt += "\n\n" + tr("(Long error message was truncated)"); } QMessageBox::critical( this,"Firewall Builder", tr("The program encountered error trying to load data file.\n" "The file has not been loaded. 
Error:\n%1").arg( error_txt), tr("&Continue"), QString::null,QString::null, 0, 1 ); } // load standard objects so the window does not remain empty loadStandardObjects(); return false; } db()->setReadOnly( rcs->isRO() || rcs->isTemp() ); // clear dirty flag for all objects, recursively if (!forceSave) db()->setDirty(false); mw->showStatusBarMessage(tr("Building object tree...")); QCoreApplication::processEvents(QEventLoop::ExcludeUserInputEvents, 100); loadObjects(); QCoreApplication::processEvents(QEventLoop::ExcludeUserInputEvents, 100); mw->showStatusBarMessage(tr("Indexing...") ); db()->reIndex(); setupAutoSave(); time_t last_modified = db()->getTimeLastModified(); if (fwbdebug) qDebug("ProjectPanel::load(): all done: " "dirty=%d last_modified=%s", db()->isDirty(), ctime(&last_modified)); return true; } bool ProjectPanel::checkin(bool unlock) { /* doing checkin only if we did checkout so rcs!=NULL */ QString rlog=""; if (systemFile || rcs==NULL || !rcs->isCheckedOut() || rcs->isTemp()) return true; if (rcs->isDiff()) { // if the file hasn't changed, do not need to ask for the comment if ( ! 
st->getRCSLogState()) { RCSFileSaveDialog_q fsd; QDialog *fsd_dialog = new QDialog(this); fsd.setupUi(fsd_dialog); fsd.checkinDialogTitle->setText( QString("") + tr("Checking file %1 in RCS").arg(rcs->getFileName()) + QString("") ); if ( fsd_dialog->exec()== QDialog::Rejected ) { if (fwbdebug) qDebug() << "RCSFileSaveDialog_q user hit Cancel"; delete fsd_dialog; return false; } bool empty_rcslog = fsd.nolog->isChecked(); if (empty_rcslog) { rlog = ""; st->setRCSLogState(true); } else rlog = fsd.rcslog->toPlainText(); delete fsd_dialog; } } /***********************************************************************/ try { if (fwbdebug) qDebug("about to check the file in"); rcs->ci(rlog,unlock); if (fwbdebug) qDebug("done"); } catch (FWException &ex) { QMessageBox::critical( this,"Firewall Builder", tr("Error checking in file %1:\n%2") .arg(rcs->getFileName()).arg(ex.toString().c_str()), tr("&Continue"), QString::null, QString::null, 0, 1 ); } /***********************************************************************/ return true; } void ProjectPanel::save() { if (fwbdebug) qDebug("ProjectPanel::save: rcs=%p rcs->isRO=%d " "rcs->isTemp=%d rcs->getFileName=%s", rcs, rcs->isRO(), rcs->isTemp(), rcs->getFileName().toLocal8Bit().constData()); //undoStack->clear(); if (!rcs->isRO() && !rcs->isTemp()) { try { if (rcs->getFileName().isEmpty()) fileSaveAs(); // eventually calls this method again else { /* editingLibfile is true if user edits a library or master library file */ mw->showStatusBarMessage( tr("Saving data to file %1").arg(rcs->getFileName())); bool editingLibfile = editingLibrary(); /* **************************************************************** * * REMOVE THIS * * or may be not. 
The savings of not storing standard objects in each file * are minimal but this code seems to be leaking too * ****************************************************************** */ //if (st->getDontSaveStdLib()) // this is now default if (false) { list userLibs; list ll = db()->getByType(Library::TYPENAME); for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { if (fwbdebug) qDebug("ProjectPanel::save() lib %s", (*i)->getName().c_str() ); /* skip standard and template libraries unless we edit them */ int id = (*i)->getId(); if (id==FWObjectDatabase::STANDARD_LIB_ID && !editingStandardLib) continue; if (id==FWObjectDatabase::TEMPLATE_LIB_ID && !editingTemplateLib) continue; if (fwbdebug) qDebug(" add"); userLibs.push_back( *i ); } QApplication::setOverrideCursor(QCursor( Qt::WaitCursor)); FWObjectDatabase *ndb = db()->exportSubtree(userLibs); if (editingLibfile) { /* exported libraries are always read-only */ list ll = ndb->getByType(Library::TYPENAME); for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { if ((*i)->getId()!=FWObjectDatabase::STANDARD_LIB_ID && (*i)->getId()!=FWObjectDatabase::DELETED_OBJECTS_ID) (*i)->setReadOnly( true ); } } ndb->resetTimeLastModified( db()->getTimeLastModified() ); xmlSetCompressMode(st->getCompression() ? 9 : 0); ndb->saveFile( rcs->getFileName().toLocal8Bit().constData()); delete ndb; QApplication::restoreOverrideCursor(); // reset "dirty" flag only after we actually save the data // fixes #389 db()->setDirty(false); // and reset actions, including Save() which should now // be inactive QCoreApplication::postEvent(mw, new updateGUIStateEvent()); //mw->prepareFileMenu(); } else { QApplication::setOverrideCursor(QCursor( Qt::WaitCursor)); xmlSetCompressMode(st->getCompression() ? 9 : 0); db()->saveFile( rcs->getFileName().toLocal8Bit().constData()); QApplication::restoreOverrideCursor(); } } } catch (FWException &ex) { QApplication::restoreOverrideCursor(); /* error saving the file. 
Since XMLTools does not return any useful * error message in the exception, let's check for obvious problems here */ QString err; if (access( rcs->getFileName().toLocal8Bit().constData(), W_OK)!=0 && errno==EACCES) err=tr("File is read-only"); else err=ex.toString().c_str(); QMessageBox::critical( this,"Firewall Builder", tr("Error saving file %1: %2") .arg(rcs->getFileName()).arg(err), tr("&Continue"), QString::null, QString::null, 0, 1 ); } } } fwbuilder-5.3.7/src/libgui/ProjectPanel_state_ops.cpp000066400000000000000000000243451303637203600227410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com refactoring and bugfixes: vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "ProjectPanel.h" #include "FWBSettings.h" #include "RCS.h" #include "RuleSetView.h" #include "ObjectTreeView.h" #include #include #include #include "fwbuilder/Library.h" #include "fwbuilder/RuleSet.h" using namespace Ui; using namespace libfwbuilder; using namespace std; void ProjectPanel::saveState() { QString file_name ; if (rcs!=NULL) file_name = rcs->getFileName(); if (fwbdebug) qDebug( ) << "ProjectPanel::saveState " << this << "title " << mdiWindow->windowTitle() << "file_name=" << file_name << "ready=" << ready; if (!ready) return; st->setInt("Window/" + file_name + "/x", mdiWindow->x()); st->setInt("Window/" + file_name + "/y", mdiWindow->y()); st->setInt("Window/" + file_name + "/width", mdiWindow->width ()); st->setInt("Window/" + file_name + "/height", mdiWindow->height ()); saveMainSplitter(); m_panel->om->saveExpandedTreeItems(); m_panel->om->saveSectionSizes(); if (fwbdebug) qDebug() << "ProjectPanel::saveState " << "rcs=" << rcs << "getCurrentRuleSetView()=" << getCurrentRuleSetView(); saveLastOpenedLib(); if (getCurrentRuleSetView()) saveOpenedRuleSet(); if (fwbdebug) qDebug("ProjectPanel::saveState() done"); } void ProjectPanel::loadState(bool) { if (rcs==NULL) return; QString filename = rcs->getFileName(); // This function can end up being called recursively because some // of the operations it performs trigger various events such as // "visibility changed" or "show". 
if (loading_state) return; loading_state = true; if (fwbdebug) { qDebug() << QString("ProjectPanel::loadState filename=%1 isMaximized=%2") .arg(filename).arg(mdiWindow->isMaximized()); qDebug() << "mdiWindow=" << mdiWindow; qDebug() << QString("ready=%1").arg(ready); } if (!ready) return; if (!mdiWindow->isMaximized() && mdiWindow) { if (fwbdebug) qDebug("ProjectPanel::loadState show normal"); setWindowState(0); int x = st->getInt("Window/"+filename+"/x"); int y = st->getInt("Window/"+filename+"/y"); int width = st->getInt("Window/"+filename+"/width"); int height = st->getInt("Window/"+filename+"/height"); if (width==0 || height==0) { x = 10; y = 10; width = 600; height= 600; } if (fwbdebug) qDebug("ProjectPanel::loadState set geometry: %d %d %d %d", x,y,width,height); mdiWindow->setGeometry(x,y,width,height); } loadMainSplitter(); m_panel->om->loadExpandedTreeItems(); m_panel->om->loadSectionSizes(); loadLastOpenedLib(); loadOpenedRuleSet(); time_t last_modified = db()->getTimeLastModified(); if (fwbdebug) qDebug() << QString("ProjectPanel::loadState filename=%1 DONE dirty=%2 last_modified=%3") .arg(filename).arg(db()->isDirty()).arg(ctime(&last_modified)); loading_state = false; } void ProjectPanel::saveMainSplitter() { QString fileName ; if (rcs!=NULL) fileName = rcs->getFileName(); #ifdef TREE_IS_DOCKABLE // Save position of splitters regardless of the window state // Do not save if one of tree panel is floating if (!m_panel->treeDockWidget->isWindow()) { QList sl = m_panel->topSplitter->sizes(); QString arg = QString("%1,%2").arg(sl[0]).arg(sl[1]); if (sl[0] || sl[1]) st->setStr("Window/" + fileName + "/MainWindowSplitter", arg ); if (fwbdebug) { QString out1 = " save Window/" + fileName + "/MainWindowSplitter"; out1+= " " + arg; qDebug() << out1; } } #else QList sl = m_panel->topSplitter->sizes(); QString arg = QString("%1,%2").arg(sl[0]).arg(sl[1]); if (sl[0] || sl[1]) st->setStr("Window/" + fileName + "/MainWindowSplitter", arg ); if (fwbdebug) { QString 
out1 = " save Window/" + fileName + "/MainWindowSplitter"; out1+= " " + arg; qDebug() << out1; } #endif } void ProjectPanel::loadMainSplitter() { QString fileName ; if (rcs!=NULL) fileName = rcs->getFileName(); if (fwbdebug) qDebug() << QString("ProjectPanel::loadMainSplitter() filename=%1") .arg(fileName); QString h_splitter_setting = "Window/" + fileName + "/MainWindowSplitter"; QString val = st->getStr(h_splitter_setting); int w1 = 0; int w2 = 0; QStringList ws = val.split(','); bool ok = false; w1 = ws[0].toInt(&ok, 10); if (!ok || w1 == 0) w1 = DEFAULT_H_SPLITTER_POSITION; if (ws.size() > 1) { w2 = ws[1].toInt(&ok, 10); if (!ok || w2 == 0) w2 = mdiWindow->width() - w1; } else w2 = mdiWindow->width() - w1; if (fwbdebug) qDebug() << h_splitter_setting << ":" << w1 << "x" << w2; setMainSplitterPosition(w1, w2); } void ProjectPanel::setMainSplitterPosition(int w1, int w2) { if (w1 && w2) { QList sl; sl.push_back(w1); sl.push_back(w2); if (fwbdebug) qDebug("Setting main splitter position: %d,%d", w1, w2); m_panel->topSplitter->setSizes( sl ); } } void ProjectPanel::collapseTree() { QList sl; sl.push_back(0); sl.push_back(mdiWindow->width()); m_panel->topSplitter->setSizes( sl ); } void ProjectPanel::collapseRules() { QList sl; sl.push_back(mdiWindow->width()); sl.push_back(0); m_panel->topSplitter->setSizes( sl ); } void ProjectPanel::loadOpenedRuleSet() { if (rcs==NULL) return; QString filename = rcs->getFileName(); if (m_panel->om->getCurrentLib() == NULL) return; int id = st->getVisibleRuleSetId( filename, m_panel->om->getCurrentLib()->getName().c_str()); if (id > 0) { FWObject *obj = db()->getById(id, true); if (obj) { m_panel->om->openObjectInTree(obj); time_t last_modified = db()->getTimeLastModified(); if (fwbdebug) qDebug("ProjectPanel::loadOpenedRuleSet(): checkpoint 1: " "dirty=%d last_modified=%s", db()->isDirty(), ctime(&last_modified)); openRuleSet(obj); last_modified = db()->getTimeLastModified(); if (fwbdebug) 
qDebug("ProjectPanel::loadOpenedRuleSet(): checkpoint 2: " "dirty=%d last_modified=%s", db()->isDirty(), ctime(&last_modified)); } } } void ProjectPanel::saveOpenedRuleSet() { if (rcs==NULL) return; QString filename = rcs->getFileName(); if (visibleRuleSet!=NULL) { st->setVisibleRuleSet(filename, visibleRuleSet->getLibrary()->getName().c_str(), visibleRuleSet); getCurrentRuleSetView()->saveCollapsedGroups(); } } void ProjectPanel::saveLastOpenedLib() { QString filename = ""; if (rcs!=NULL) filename = rcs->getFileName(); FWObject* obj = m_panel->om->getCurrentLib(); if (obj!=NULL) { std::string sid = FWObjectDatabase::getStringId(obj->getId()); st->setStr("Window/" + filename + "/LastLib", sid.c_str() ); } } void ProjectPanel::loadLastOpenedLib() { if (fwbdebug) qDebug("ProjectPanel::loadLastOpenedLib()"); QString filename = ""; if (rcs!=NULL) filename = rcs->getFileName(); QString sid = st->getStr("Window/" + filename + "/LastLib"); if (filename!="" && sid!="") { if (fwbdebug) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("ProjectPanel::loadLastOpenedLib(): filename=%s " "opening lib id=%s", filename.toAscii().constData(), sid.toAscii().constData()); #else qDebug("ProjectPanel::loadLastOpenedLib(): filename=%s " "opening lib id=%s", filename.toLatin1().constData(), sid.toLatin1().constData()); #endif int last_lib_id = FWObjectDatabase::getIntId(sid.toStdString()); if (last_lib_id > 0 && last_lib_id != FWObjectDatabase::DELETED_OBJECTS_ID) { m_panel->om->libChangedById(last_lib_id); m_panel->om->getCurrentObjectTree()->setFocus(Qt::OtherFocusReason); return; } } loadFirstNonStandardLib(); m_panel->om->getCurrentObjectTree()->setFocus(Qt::OtherFocusReason); } void ProjectPanel::loadFirstNonStandardLib() { list all_libs = db()->getByType(Library::TYPENAME); FWObject *first_non_system_lib = NULL; for (list::iterator i=all_libs.begin(); i!=all_libs.end(); ++i) { int lib_id = (*i)->getId(); if (lib_id == FWObjectDatabase::DELETED_OBJECTS_ID) continue; if (lib_id == 
FWObjectDatabase::STANDARD_LIB_ID) continue; if (lib_id == FWObjectDatabase::TEMPLATE_LIB_ID) continue; if (first_non_system_lib==NULL) first_non_system_lib = (*i); if ((*i)->getName()=="User") { first_non_system_lib = *i; break; } } if (first_non_system_lib) m_panel->om->libChangedById(first_non_system_lib->getId()); } fwbuilder-5.3.7/src/libgui/PrototypeDialogClass.cpp000066400000000000000000000043261303637203600224020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "PrototypeDialog.h" #include "ObjectManipulator.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/Prototype.h" // should be an include file for the object type #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace std; void PrototypeDialog::loadFWObject(FWObject *o) { obj=o; Prototype *s = dynamic_cast(obj); assert(s!=NULL); init=true; fillLibraries(libs,obj); obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); comment->setText( QString::fromUtf8(s->getComment().c_str()) ); apply->setEnabled( false ); init=false; } void PrototypeDialog::changed() { apply->setEnabled( true ); } void PrototypeDialog::validate(bool *res) { *res=true; } void PrototypeDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); new_state->setName( string(obj_name->text().utf8()) ); new_state->setComment( string(comment->text().utf8()) ); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/PrototypeDialogClass.h000066400000000000000000000026331303637203600220460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PROTOTYPEDIALOG_H_ #define __PROTOTYPEDIALOG_H_ #include "config.h" #include #include "fwbuilder/FWObject.h" class PrototypeDialog : public PrototypeDialog_q { Q_OBJECT libfwbuilder::FWObject *obj; bool init; public: PrototypeDialog() : PrototypeDialog_q() { obj=NULL; } public slots: virtual void changed(); virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void closeEvent(QCloseEvent *e); }; #endif // __PROTOTYPEDIALOG_H fwbuilder-5.3.7/src/libgui/QThreadLogger.cpp000066400000000000000000000034501303637203600207540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "QThreadLogger.h" #include #include #include using namespace std; using namespace libfwbuilder; QThreadLogger::QThreadLogger() : Logger() {} Logger& QThreadLogger::operator<< (char c) { emit lineReady(QString(c)); return *this; } Logger& QThreadLogger::operator<< (char *str) { emit lineReady(QString(str)); return *this; } Logger& QThreadLogger::operator<< (const char *str) { emit lineReady(QString(str)); return *this; } Logger& QThreadLogger::operator<< (const std::string &str) { emit lineReady(QString(str.c_str())); return *this; } Logger& QThreadLogger::operator<< (int i ) { QString s; s.setNum(i); emit lineReady(s); return *this; } Logger& QThreadLogger::operator<< (long l ) { QString s; s.setNum(l); emit lineReady(s); return *this; } Logger& QThreadLogger::operator<< (std::ostringstream &sstr) { emit lineReady(QString(sstr.str().c_str())); return *this; } fwbuilder-5.3.7/src/libgui/QThreadLogger.h000066400000000000000000000027621303637203600204260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _QTHREAD_LOGGER_H_ #define _QTHREAD_LOGGER_H_ #include "fwbuilder/Logger.h" #include class QThreadLogger : public QObject, public libfwbuilder::Logger { Q_OBJECT; public: QThreadLogger(); virtual Logger& operator<< (char c) ; virtual Logger& operator<< (char *str) ; virtual Logger& operator<< (const char *str) ; virtual Logger& operator<< (const std::string &str) ; virtual Logger& operator<< (int i ) ; virtual Logger& operator<< (long l ) ; virtual Logger& operator<< (std::ostringstream &sstr); signals: void lineReady(const QString &txt); }; #endif fwbuilder-5.3.7/src/libgui/RCS.cpp000066400000000000000000001012771303637203600167210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "FWBApplication.h" #include "RCS.h" // need this for FS_SEPARATOR #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Tools.h" //#include "FWWindow.h" #include #include #include #include #include #include #include #include #if defined(_WIN32) # include # include # include # include # include #else # include # include # include # if defined(TM_IN_SYS_TIME) # include # else # include # endif #endif #include using namespace std; using namespace libfwbuilder; QString RCS::rcs_file_name = ""; QString RCS::rlog_file_name = ""; QString RCS::rcsdiff_file_name = ""; QString RCS::ci_file_name = ""; QString RCS::co_file_name = ""; RCSEnvFix* RCS::rcsenvfix = NULL; bool RCS::rcs_available = false; /*********************************************************************** * * class Revision * ***********************************************************************/ Revision::Revision() { } Revision::Revision(const QString &file, const QString &r) { filename = file; rev = r; } Revision::Revision(const Revision &r) { filename = r.filename ; rev = r.rev ; date = r.date ; author = r.author ; locked_by = r.locked_by; log = r.log ; } void Revision::operator=(const Revision &r) { filename = r.filename ; rev = r.rev ; date = r.date ; author = r.author ; locked_by = r.locked_by; log = r.log ; } bool Revision::operator<(const Revision &r) const { for(int i=1; ; i++) { QString v1= rev.section(".",i,i); QString v2=r.rev.section(".",i,i); if (v1=="" && v2=="") return false; if (v1==v2) continue; if (v1=="" && v2!="") return true; if (v1!="" && v2=="") return false; if (v1.toInt()>v2.toInt()) return false; if (v1.toInt()tm_gmtoff/60; if (tzoffset<0) { tzoffset = -1*tzoffset; tzsign = "-"; } else { tzsign = "+"; } #else // global variable 
timezone has seconds West of GMT (positive in // timezones west of GMT) tzoffset = ((ltm->tm_isdst>0)?timezone-3600:timezone)/60; if (tzoffset<0) { tzoffset = -1*tzoffset; tzsign = "+"; } else { tzsign = "-"; } #endif TZOffset.sprintf("%02d:%02d",tzoffset/60,tzoffset%60); TZOffset = tzsign + TZOffset; if (fwbdebug) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("tzoffset: %d TZOffset: '%s'",tzoffset,TZOffset.toAscii().constData()); #else qDebug("tzoffset: %d TZOffset: '%s'",tzoffset,TZOffset.toLatin1().constData()); #endif #ifdef _WIN32 /* need this crap because Windows does not set environment variable TZ * by default, but rcs absolutely requires it. Even though I am using * option "-z" with all RCS commands, stupid RCS on windows does not * work if env var TZ is not set */ env.push_back( QString("TZ=GMT")+TZOffset ); /* * NB: need to prepend installation directory in front of PATH on * windows, otherwise ci fails when GUI is launched by windows * explorer through file extension association. When the program is * launched from menu "Start", its working directory is the dir. where * it is installed. Since windows implies a '.' in front of PATH, * everything works. When the program is started with some other * directory as current dir, RCS tools fail without any error message. 
*/ env.push_back( QString("PATH=%1;%2").arg(getPathToBinary("").c_str()).arg(getenv("PATH")) ); #endif /* also need to set env variable USER for rcs tools, but if the user name * contains spaces, replace them with underscores (like "John Smith") * * global variable QString user_name is set in common/init.cpp */ QString uname = user_name; env.push_back( QString("USER=") + uname); env.push_back( QString("LOGNAME=") + uname); if (getenv("TMP") != NULL) env.push_back( QString("TMP=") + getenv("TMP")); if (getenv("TEMP")!=NULL) env.push_back( QString("TEMP=") + getenv("TEMP")); } QStringList* RCSEnvFix::getEnv() { if (env.empty()) return NULL; return &env; } /*********************************************************************** * * class RCS * ***********************************************************************/ void RCS::init() { if (rcs_file_name=="") { #ifdef _WIN32 string ts; ts = getPathToBinary(RCS_FILE_NAME); rcs_file_name = ts.c_str(); ts = getPathToBinary(RLOG_FILE_NAME); rlog_file_name = ts.c_str(); ts = getPathToBinary(RCSDIFF_FILE_NAME); rcsdiff_file_name = ts.c_str(); ts = getPathToBinary(CI_FILE_NAME); ci_file_name = ts.c_str(); ts = getPathToBinary(CO_FILE_NAME); co_file_name = ts.c_str(); #else rcs_file_name = RCS_FILE_NAME ; rlog_file_name = RLOG_FILE_NAME ; rcsdiff_file_name = RCSDIFF_FILE_NAME ; ci_file_name = CI_FILE_NAME ; co_file_name = CO_FILE_NAME ; #endif } // now check if rcs tools are available. 
To test, try to run rlog // with no arguments QStringList arglist; QProcess rcs_proc; rcs_proc.start( rlog_file_name, arglist ); rcs_proc.waitForStarted(); if (rcs_proc.state() != QProcess::Running) { rcs_proc.close(); // rlog (and probably other RCS tools) are unavailable if (fwbdebug) qDebug() << "RCS tools unavailable"; rcs_available = false; return; } rcs_proc.waitForFinished(); rcs_proc.close(); rcs_available = true; } RCS::RCS(const QString &file) { if (rcsenvfix==NULL) rcsenvfix = new RCSEnvFix(); if (fwbdebug) qDebug() << "RCS::RCS(" << file << ")"; // Using absoluteFilePath() rather than canonicalFilePath, see #1334 QFileInfo fi(file); if (fi.exists()) filename = fi.absoluteFilePath(); else filename = file; if (fwbdebug) qDebug() << "filename=" << filename; checked_out = false; locked = false; inrcs = false; tracking_file = false; ro = false; temp = false; ciproc = new QProcess(); proc = new QProcess(); connect(proc, SIGNAL(readyReadStandardOutput()), this, SLOT(readFromStdout() ) ); connect(proc, SIGNAL(readyReadStandardError()), this, SLOT(readFromStderr() ) ); if (!fi.exists()) { inrcs = false; tracking_file = true; return; } try { QString rcspath = filename.left( filename.lastIndexOf("/") ); QDir rcsdir; rcsdir.cd(rcspath); /* * rlog is started with environment defined by RCSEnvFix, which does * not have env. 
var LANG so it always runs in english */ QString rl = rlog(); QStringList split_log = rl.split(QRegExp("------|======")); QString head_section = split_log[0]; QRegExp head_rx("head:\\s+([0-9\\.]+)\\s*\\n"); int pos = head_rx.indexIn( head_section ); if (pos>-1) head = head_rx.cap(1); QStringList::iterator i; for (i=split_log.begin(),++i; i!=split_log.end(); ++i) { QString section = *i; if (section.length()==0) continue; int match = -1; Revision r(filename); r.rev = ""; r.log = ""; QRegExp rev_rx("revision\\s+([0-9\\.]+)"); match = rev_rx.indexIn( section ); if (match>-1) { r.rev = rev_rx.cap(1); } QRegExp lock_rx("revision\\s+([0-9\\.]+)\\s+locked by:\\s+(\\S+);"); lock_rx.setMinimal(true); match = lock_rx.indexIn( section ); if (match>-1) { r.locked_by = lock_rx.cap(2); locked = true; locked_by = lock_rx.cap(2); locked_rev = r.rev; } // older implementation copied revision and "locked by" to r.log // we'll do the same here to maintain compatibility QRegExp rev2_rx("(revision.+)\\n"); rev2_rx.setMinimal(true); match = rev2_rx.indexIn( section ); if (match>-1) { r.log += rev2_rx.cap(1) + "\n"; } QRegExp date_rx("date:\\s+([^;]+);\\s+author:\\s+(\\S+);"); date_rx.setMinimal(true); match = date_rx.indexIn( section ); if (match>-1) { r.date = date_rx.cap(1); r.author = date_rx.cap(2); } QRegExp log_rx("date:.*\\n(.*)$"); log_rx.setMinimal(true); match = log_rx.indexIn( section ); if (match>-1) r.log += log_rx.cap(1); r.log.replace('\r',""); if (r.rev != "") { revisions.push_back(r); if (fwbdebug) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("revision %s: '%s'", r.rev.toAscii().constData(), r.log.toAscii().constData()); #else qDebug("revision %s: '%s'", r.rev.toLatin1().constData(), r.log.toLatin1().constData()); #endif } } // sort list revisions; its defined like this: // QList revisions qSort(revisions); inrcs = true; tracking_file = true; selectedRev = head; } catch (FWException &ex) { inrcs = false; tracking_file = true; } } RCS::~RCS() { delete ciproc; delete 
proc; } QStringList* RCS::getEnv() { if (rcsenvfix==NULL) rcsenvfix = new RCSEnvFix(); return rcsenvfix->getEnv(); } RCSEnvFix* RCS::getRCSEnvFix() { if (rcsenvfix==NULL) rcsenvfix = new RCSEnvFix(); return rcsenvfix; } void RCS::readFromStdout() { QString s = QString(proc->readAllStandardOutput()); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) //qDebug("RCS::readFromStdout() reads: %s",s.toAscii().constData()); #else //qDebug("RCS::readFromStdout() reads: %s",s.toLatin1().constData()); #endif stdoutBuffer=stdoutBuffer + s; } void RCS::readFromStderr() { QString s = QString(proc->readAllStandardError()); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) //qDebug("RCS::readFromStderr() reads: %s", s.toAscii().constData()); #else //qDebug("RCS::readFromStderr() reads: %s", s.toLatin1().constData()); #endif stderrBuffer=stderrBuffer + s; } void RCS::setFileName(const QString &fn) { QFileInfo fi(fn); if (fi.exists()) filename = fi.absoluteFilePath(); else filename = fn; if (fwbdebug) qDebug() << "RCS::setFileName fn =" << fn << "filename =" << filename; } /********************************************************************* * trivial RCS integration */ void RCS::abandon() { if (!isInRCS() || !rcs_available) return; /* check out head revision and unlock it */ QStringList arglist; arglist << "-q" << "-f" << QString("-z") + rcsenvfix->getTZOffset() << QString("-u") << filename ; stdoutBuffer=""; stderrBuffer=""; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("starting co with environment '%s'", rcsenvfix->getEnv()->join(" ").toAscii().constData()); if (fwbdebug) qDebug("executing command '%s %s'", co_file_name.toAscii().constData(), arglist.join(" ").toAscii().constData()); #else if (fwbdebug) qDebug("starting co with environment '%s'", rcsenvfix->getEnv()->join(" ").toLatin1().constData()); if (fwbdebug) qDebug("executing command '%s %s'", co_file_name.toLatin1().constData(), arglist.join(" ").toLatin1().constData()); #endif 
proc->setEnvironment(*rcsenvfix->getEnv()); proc->start( co_file_name, arglist ); proc->waitForStarted(); if (fwbdebug) qDebug("running co"); if (proc->state() == QProcess::Running) { proc->waitForFinished(); if (proc->exitCode() == 0 && proc->state() == QProcess::NotRunning) { if (fwbdebug) qDebug("finished successfully"); checked_out = false; locked = false; selectedRev = head; return; } } /* error. */ selectedRev = ""; checked_out=false; QString err = tr("Error checking file out: %1").arg(stderrBuffer); QMessageBox::critical(app->activeWindow(), "Firewall Builder", err, tr("&Continue") ); throw(FWException(err.toLatin1().constData())); } /** * initial RCS checkin */ void RCS::add() throw(libfwbuilder::FWException) { int i = filename.lastIndexOf("/"); QString rcspath = filename.left(i); QDir rcsdir; if (!rcs_available) { QString err = QObject::tr("RCS tools are unavailable"); if (fwbdebug) qDebug() << err; throw(FWException(err.toStdString())); } if (fwbdebug) qDebug() << "RCS::add() will run " << rcs_file_name; rcsdir.cd(rcspath); if (!rcsdir.exists("RCS")) rcsdir.mkdir("RCS"); QStringList arglist; arglist << "-q" << "-i" << "-kb" << QString("-z") + rcsenvfix->getTZOffset() << "-t-\"Initial checkin\"" << filename; stdoutBuffer=""; stderrBuffer=""; proc->setEnvironment(*rcsenvfix->getEnv()); proc->start( rcs_file_name, arglist ); proc->waitForStarted(); if (proc->state() == QProcess::Running) { proc->waitForFinished(); if (proc->state() == QProcess::NotRunning && proc->exitCode()==0) { arglist.clear(); arglist << "-q" << "-u" << QString("-z") + rcsenvfix->getTZOffset() << filename; stdoutBuffer=""; stderrBuffer=""; proc->setEnvironment(*rcsenvfix->getEnv()); proc->start( ci_file_name, arglist ); proc->waitForStarted(); if (proc->state() == QProcess::Running) { proc->waitForFinished(); if (proc->state() == QProcess::NotRunning && proc->exitCode()==0) { inrcs = true; selectedRev = "1.1"; head = "1.1"; return; } } } } QByteArray outp = proc->readAllStandardOutput(); 
QString msg = QObject::tr("Fatal error during initial RCS checkin of file %1 :\n %2\nExit status %3") .arg(filename).arg(outp.data()).arg(proc->exitCode()); throw(FWException( msg.toLatin1().constData() )); } bool RCS::isInRCS() { if (!rcs_available) return false; if (tracking_file) return inrcs; QStringList arglist; arglist << QString("-z") + rcsenvfix->getTZOffset() << "-R" << filename; stdoutBuffer=""; stderrBuffer=""; proc->setEnvironment(*rcsenvfix->getEnv()); proc->start( rlog_file_name, arglist ); proc->waitForStarted(); if (proc->state() != QProcess::Running) throw(FWException("Fatal error running rlog ")); while (proc->state() == QProcess::Running) ; // cxx_sleep(1); if (proc->state() == QProcess::NotRunning && proc->exitCode()==1) { /* exist status '1' means the file is not in RCS */ inrcs=false; if (fwbdebug) { QByteArray outp = proc->readAllStandardOutput(); qDebug("Error running rlog: %s",outp.data()); } return false; } inrcs=true; return true; } bool RCS::co(bool force) throw(libfwbuilder::FWException) { return co(selectedRev,force); } /** * RCS checkout * * possible situations: * * 1. file is not in RCS - do nothing, return false * * 2. need to open file read-only * * 2.1 requested revision is emty or the head: no need to * checkout, just return true * * 2.2 need to open read-only, older revision: do checkout of that * revision into temporary file without locking, change file name, * set flag 'temp' * * 3. need to open read-write, but file is locked * * 3.1 file is locked by the same user: offer user a choice * open read-only or continue editing or cancel * * 3.2 file is locked by another user: offer a choice open read-only * or cancel * * 4. 
need to open read-write, any revision: do normal checkout and * lock * */ bool RCS::co(const QString &rev,bool force) throw(libfwbuilder::FWException) { /* first check if filename is already in RCS */ if (!rcs_available || !isInRCS()) return false; if (ro) { if (rev==head || rev=="") return true; /* check out requested revision to stdout * * TODO: right now it loads the whole file into memory, then writes it * to the temp file. It should be more efficient to read and write in * chunks. * */ QStringList arglist; arglist << QString("-q") << QString("-kb") << QString("-z") + rcsenvfix->getTZOffset() << QString("-p")+rev << filename; stdoutBuffer=""; stderrBuffer=""; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("starting co with environment '%s'", rcsenvfix->getEnv()->join("\n").toAscii().constData()); if (fwbdebug) qDebug("executing command '%s %s'", co_file_name.toAscii().constData(), arglist.join(" ").toAscii().constData()); #else if (fwbdebug) qDebug("starting co with environment '%s'", rcsenvfix->getEnv()->join("\n").toLatin1().constData()); if (fwbdebug) qDebug("executing command '%s %s'", co_file_name.toLatin1().constData(), arglist.join(" ").toLatin1().constData()); #endif proc->setEnvironment(*rcsenvfix->getEnv()); proc->start( co_file_name, arglist ); proc->waitForStarted(); if (fwbdebug) qDebug("running co"); if (proc->state() == QProcess::Running) { proc->waitForFinished(); if (proc->state() == QProcess::NotRunning && proc->exitCode()==0) { if (fwbdebug) qDebug("finished successfully"); #ifdef _WIN32 char tname[1024]; strncpy(tname, filename.left(filename.lastIndexOf("/")+1).toLatin1().constData(),sizeof(tname)-20); strcat(tname,"tmpXXXXXX"); _mktemp(tname); int fd = _open(tname, _O_RDWR|_O_CREAT|_O_EXCL|_O_BINARY , _S_IREAD|_S_IWRITE ); #else char tname[PATH_MAX]; strncpy(tname, filename.toLatin1().constData(), sizeof(tname)-20 ); strcat(tname,"_temp_XXXXXX"); int fd = mkstemp(tname); #endif if (fd<0) { QString err = tr("Error creating 
temporary file ")+tname+QString(" :\n")+strerror(errno); QMessageBox::critical(app->activeWindow(), "Firewall Builder", err, tr("&Continue") ); throw(FWException(err.toLatin1().constData())); } #ifdef _WIN32 if (_write(fd,stdoutBuffer.toLatin1().constData(),stdoutBuffer.length() )<0) { _close(fd); #else if ( write(fd,stdoutBuffer.toLatin1().constData(),stdoutBuffer.length() )<0) { close(fd); #endif QString err = tr("Error writing to temporary file ")+tname+QString(" :\n")+strerror(errno); QMessageBox::critical(app->activeWindow(), "Firewall Builder", err, tr("&Continue") ); throw(FWException(err.toLatin1().constData())); } close(fd); filename = tname; temp = true; checked_out = false; locked = false; selectedRev = rev; return true; } } selectedRev = head; QString err = tr("Error checking file out: %1").arg(stderrBuffer); QMessageBox::critical(app->activeWindow(), "Firewall Builder", err, tr("&Continue") ); throw(FWException(err.toLatin1().constData())); } else { /* global variable QString user_name is set in common/init.cpp */ QString me = user_name; if (locked) { /* the file is already locked, can not just check it out like that */ if (me!=locked_by) { switch (QMessageBox::warning( app->activeWindow(),"Firewall Builder", tr("File is opened and locked by %1.\nYou can only open it read-only.") .arg(locked_by), "Open &read-only", "&Cancel", QString::null, 0, 1 ) ) { case 0: ro=true; return false; case 1: throw(FWException("cancel opening file")); break; } } if (force) goto checkout; switch ( QMessageBox::warning(app->activeWindow(), "Firewall Builder", tr("Revision %1 of this file has been checked out and locked by you earlier.\n\ The file may be opened in another copy of Firewall Builder or was left opened\n\ after the program crashed.").arg(locked_rev), tr("Open &read-only"), tr("&Open and continue editing"), tr("&Cancel"), 0, 2 ) ) { case 0: ro=true; return false; case 1: /* continue working with the file */ checked_out = true; locked = true; selectedRev = 
locked_rev; return true; case 2: throw(FWException("cancel opening file")); break; } } /* if the user wanted specific revision and it should be opened * read-only, we need to check it out into a temporary file without * locking */ checkout: /* check out and lock */ QStringList arglist; arglist.clear(); arglist << "-q"; if (force) arglist << "-f"; arglist << QString("-l")+rev << QString("-z") + rcsenvfix->getTZOffset() << filename; stdoutBuffer=""; stderrBuffer=""; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("starting co with environment '%s'", rcsenvfix->getEnv()->join("\n").toAscii().constData()); if (fwbdebug) qDebug("executing command '%s %s'", co_file_name.toAscii().constData(), arglist.join(" ").toAscii().constData()); #else if (fwbdebug) qDebug("starting co with environment '%s'", rcsenvfix->getEnv()->join("\n").toLatin1().constData()); if (fwbdebug) qDebug("executing command '%s %s'", co_file_name.toLatin1().constData(), arglist.join(" ").toLatin1().constData()); #endif proc->setEnvironment(*rcsenvfix->getEnv()); proc->start( co_file_name, arglist ); proc->waitForStarted(); if (fwbdebug) qDebug("running co"); if (proc->state() == QProcess::Running) { proc->waitForFinished(); if (proc->state() == QProcess::NotRunning && proc->exitCode()==0) { if (fwbdebug) qDebug("finished successfully"); checked_out = true; locked = true; selectedRev = rev; return true; } } /* error. 
*/ selectedRev = head; QString err = tr("Error checking file out: %1").arg(stderrBuffer); QMessageBox::critical(app->activeWindow(), "Firewall Builder", err, tr("&Continue") ); throw(FWException(err.toLatin1().constData())); } return false; } bool RCS::ci( const QString &_lm, bool unlock) throw(libfwbuilder::FWException) { /* first check if filename is already in RCS */ if (!rcs_available || !isInRCS()) return false; QString logmsg = _lm; if (logmsg.isEmpty()) logmsg="_"; // otherwise ci adds "*** empty log message ***" if (fwbdebug) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("RCS::ci log message (%d characters): '%s'", logmsg.length(), logmsg.toAscii().constData()); #else qDebug("RCS::ci log message (%d characters): '%s'", logmsg.length(), logmsg.toLatin1().constData()); #endif QStringList arglist; if (unlock) arglist << "-u"; else arglist << "-l"; arglist << QString("-z") + rcsenvfix->getTZOffset(); arglist << filename; stdoutBuffer=""; stderrBuffer=""; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("starting ci with environment '%s'", rcsenvfix->getEnv()->join("\n").toAscii().constData()); #else if (fwbdebug) qDebug("starting ci with environment '%s'", rcsenvfix->getEnv()->join("\n").toLatin1().constData()); #endif QByteArray rcslog = logmsg.toUtf8(); QString obuf; /* * under some circumstances, ci may exit immediately (e.g. when there * were no changes done to the file and it won't expect any rcs log * record on stdin). In this case slot completeCI is called * immediately, even before we have a chance to enter event loop. We * need to make sure we do not enter event loop if this happens. We * use flag ciRunning to check for that. * * Also it seems on windows all data is sent to the process and slot * is called while we still are inside launch, so that once we exit * from it, all is done and there is no need to enter event loop. 
*/ ciRunning=true; ciproc->setEnvironment(*rcsenvfix->getEnv()); ciproc->start( ci_file_name, arglist ); ciproc->waitForStarted(); if (ciproc->state() != QProcess::Running) {//if not started if (fwbdebug) qDebug("Checkin error: file=%s error=%s", filename.toLatin1().constData(),obuf.toLatin1().constData()); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) throw( FWException( (obuf+"\n"+ arglist.join(" ")+"\n"+ rcsenvfix->getEnv()->join("\n")).toAscii().constData() ) ); #else throw( FWException( (obuf+"\n"+ arglist.join(" ")+"\n"+ rcsenvfix->getEnv()->join("\n")).toLatin1().constData() ) ); #endif } /* make a copy, omitting trailing '\0' so it won't get sent to ci */ QByteArray rcslogCopy; rcslogCopy = rcslog; ciproc->write((const char*)rcslogCopy, rcslog.length()); QByteArray arr; arr = "\n.\n"; ciproc->write((const char*)(arr),arr.length()); if (fwbdebug) qDebug("all data sent to ci"); ciproc->waitForFinished(); if (fwbdebug) qDebug("ci exited"); if (ciproc->state() == QProcess::NotRunning && ciproc->exitCode()==0) { if (fwbdebug) qDebug("ci exited normally"); if (unlock) { checked_out = false; locked = false; } return true; } return true; } /** * rlog - run rlog in the background and collect RCS log * * As it turns out, we can not trust rlog option "-zLT" to properly * convert timezone information on Windows. This might be abug in the * ported rlog. When timezone is east of GMT, ci properly converts * when file is checked in, but rlog uses wrong sing and substracts * offset instead of adding it. Suppose we are in Japan time zone * (GMT+9), and file is checked in at 15:00 local time. Ci properly * writes checkin time as 6:00 GMT, but rlog reports it as 21:00 on a * previous day (it does -9 hours instead of +9 hours ). 
Option * "-z+09:00" works properly * */ QString RCS::rlog() throw(libfwbuilder::FWException) { if (!rcs_available) throw(FWException(QObject::tr("RCS tools are unavailable").toStdString())); QStringList arglist; arglist << QString("-z") + rcsenvfix->getTZOffset() << filename; // proc->addArgument( "-zLT" ); if (fwbdebug) qDebug("Running rlog: %s %s", rlog_file_name.toLocal8Bit().constData(), arglist.join(" ").toLocal8Bit().constData()); stdoutBuffer = ""; stderrBuffer = ""; //proc->setEnvironment(*rcsenvfix->getEnv()); proc->start( rlog_file_name, arglist ); proc->waitForStarted(); if (proc->state() != QProcess::Running) { proc->close(); throw(FWException("Fatal error running rlog ")); } if (fwbdebug) qDebug("Running rlog"); proc->waitForFinished(); if (fwbdebug) qDebug("Running rlog: finished reading"); // Note: we convert rlog comments to Utf8. Local8Bit does not seem // to work on windows, produces '????' #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QString rlogTxt = QString::fromUtf8(stdoutBuffer.toAscii().constData()); #else QString rlogTxt = QString::fromUtf8(stdoutBuffer.toLatin1().constData()); #endif if (proc->state() == QProcess::NotRunning && proc->exitCode()==0) return rlogTxt; QString msg=QObject::tr("Fatal error running rlog for %1").arg(filename); throw( FWException( msg.toLatin1().constData() ) ); } QStringList RCS::rcsdiff(const QString&) throw(libfwbuilder::FWException) { isDiff(); QString temp = stdoutBuffer; return temp.split("\n"); } bool RCS::isDiff(const QString &rev) throw(libfwbuilder::FWException) { if (!rcs_available) throw(FWException(QObject::tr("RCS tools are unavailable").toStdString())); QStringList arglist; arglist << "-q"; if (rev!="") arglist << QString("-r")+rev; else { if (selectedRev!="") arglist << QString("-r")+selectedRev; } arglist << QString("-z") + rcsenvfix->getTZOffset() << filename; stdoutBuffer=""; stderrBuffer=""; proc->setEnvironment(*rcsenvfix->getEnv()); proc->start( rcsdiff_file_name, arglist ); 
proc->waitForStarted(); if (proc->state() == QProcess::Running) { proc->waitForFinished(); /*while (proc->state() == QProcess::Running) { QByteArray ba = proc->readAllStandardOutput(); if (ba.size()!=0) stdoutBuffer=stdoutBuffer + QString(ba); }*/ } else throw(FWException("Fatal error running rcsdiff ")); // while (proc->state() == QProcess::Running) ; // cxx_sleep(1); if (proc->state() == QProcess::NotRunning) return (proc->exitCode()!=0); QString msg = QObject::tr( "Fatal error running rcsdiff for file %1").arg(filename); throw( FWException( msg.toLatin1().constData() ) ); } QString RCS::getHead() { if (isInRCS()) return head; return ""; } QString RCS::getSelectedRev() { if (isInRCS()) return selectedRev; return ""; } fwbuilder-5.3.7/src/libgui/RCS.h000066400000000000000000000141251303637203600163610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __RCS_H_FLAG__ #define __RCS_H_FLAG__ #include "config.h" #include #include #include #include "fwbuilder/FWException.h" class RCS; class RCSFilePreview; class Revision { friend class RCS; public: QString filename; QString rev; QString date; QString author; QString locked_by; QString log; Revision(); Revision(const Revision &r); Revision(const QString &file, const QString &rev=""); bool operator<(const Revision &r) const; bool operator==(const Revision &r) const; bool operator!=(const Revision &r) const; void operator=(const Revision &r); }; /* * this class just sets environment variable TZ on Windows if it is not set */ class RCSEnvFix { QStringList env; QString TZOffset; public: RCSEnvFix(); QStringList* getEnv(); QString getTZOffset() { return TZOffset; } }; class RCS : public QObject { friend class RCSFilePreview; Q_OBJECT; /* * RCSEnvFix object should be initialized in constructor of RCS so * it is created _after_ we complete initialization and assign * appRootDir because it needs appRootDir to set up PATH on * Windows. */ static RCSEnvFix *rcsenvfix; static QString rcs_file_name; static QString rcsdiff_file_name; static QString rlog_file_name; static QString ci_file_name; static QString co_file_name; static bool rcs_available; QString stdoutBuffer; QString stderrBuffer; QProcess *proc; QProcess *ciproc; bool ciRunning;; bool tracking_file; bool inrcs; bool checked_out; bool locked; QString locked_by; QString locked_rev; QString head; // head revision QString selectedRev; // selected revision bool ro; // if file is to be opened read-only QString filename; bool temp; // if filename is a temporary file QList revisions; /** * Retrieves RCS log. 
*/ QString rlog() throw(libfwbuilder::FWException); public: RCS( const QString &filename ); virtual ~RCS(); static void init(); /** * returns head revision of the file */ QString getFileName() { return filename; } void setFileName(const QString &fn); QList::iterator begin() { return revisions.begin(); } QList::iterator end() { return revisions.end(); } void add() throw(libfwbuilder::FWException); /** * this makes RCS object "forget" about the file */ void abandon(); /** * tells whether the file associated with RCS object is in RCS */ bool isInRCS(); /** * RCS checkout. Returns true if successfull and false if file is * not in RCS. In case of error throws exception */ bool co(const QString &rev,bool force=false) throw(libfwbuilder::FWException); /** * checks out currently selected revision (set using setSelectedRev) */ bool co(bool force=false) throw(libfwbuilder::FWException); /** * RCS checkin. Returns true if successfull and false if file is * not in RCS. In case of error throws exception */ bool ci(const QString &logmsg =" ", bool unlock=false) throw(libfwbuilder::FWException); /** * Retrieves RCS diff. */ QStringList rcsdiff(const QString &rev="") throw(libfwbuilder::FWException); /** * checks if the working copy of the file is different from RCS * revision 'rev'. If rev is empty string, selected revision is * used. If no revision has been selected, the latest revision of * the default branch is used. * * This is essentially just a code returned by rcsdiff with all * its output ignored. 
*/ bool isDiff(const QString &rev="") throw(libfwbuilder::FWException); /** * these two methods just return status */ bool isCheckedOut() { return checked_out; } bool isLocked() { return locked; } QString getLockedBy() { return locked_by; } /** * class RCS helps carry flag 'read-only' together with the rest * of the file info */ void setRO(bool f) { ro=f; } bool isRO() { return ro; } /** * flag 'temp' indicates checkout has been done into temporary file */ bool isTemp() { return temp; } /** * returns head revision of the file */ QString getHead(); /** * returns selected revision of the file. If the file has been * checked out, this is the revision that was chosen for checkout; * if the file is not in RCS, this method returns an empty string; * if file was not checked out, or a head revision was checked * out, this method returns the head. */ QString getSelectedRev(); void setSelectedRev(const QString &rev) { selectedRev=rev; } static QStringList* getEnv(); static RCSEnvFix* getRCSEnvFix(); public slots: virtual void readFromStdout(); virtual void readFromStderr(); }; #endif fwbuilder-5.3.7/src/libgui/RCSFilePreview.cpp000066400000000000000000000206041303637203600210550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "RCS.h" #include "RCSFilePreview.h" #include "FWBSettings.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWException.h" #include "fwbuilder/XMLTools.h" #include #include #include // #include #include #include using namespace std; using namespace libfwbuilder; bool RCSViewItem::operator<(const QTreeWidgetItem &other) const { int col = treeWidget()->sortColumn(); QString col_txt_1 = text(col); QString col_txt_2 = other.text(col); if (col==0) // column 0 is revision number return (XMLTools::version_compare( col_txt_1.toStdString(), col_txt_2.toStdString()) < 0); return (col_txt_1 < col_txt_2); } RCSFilePreview::RCSFilePreview(QWidget *parent): QDialog(parent) { if (fwbdebug) qDebug("RCSFilePreview: constructor"); m_widget = new Ui::RCSFilePreview_q; m_widget->setupUi(this); connect( m_widget->cancelButton, SIGNAL( clicked() ), this, SLOT( reject() ) ); connect( m_widget->RCSTreeView, SIGNAL( itemActivated( QTreeWidgetItem*, int ) ), this, SLOT( accept() ) ); if (st->getRCSFilePreviewStyle()==1) m_widget->list_view->setChecked(true); else m_widget->tree_view->setChecked(true); m_widget->RCSTreeView->setAllColumnsShowFocus( true ); m_widget->RCSTreeView->setSelectionMode(QAbstractItemView::SingleSelection ); m_widget->RCSTreeView->setRootIsDecorated( false ); // m_widget->RCSTreeView->sortByColumn( 0, Qt::AscendingOrder ); if (fwbdebug) qDebug("RCSFilePreview: constructor done"); rcs = NULL; RO = false; } RCSFilePreview::~RCSFilePreview() { if (fwbdebug) qDebug("~RCSFilePreview() rcs=%p", rcs); // if (rcs!=NULL) delete rcs; st->setRCSFilePreviewSortColumn(m_widget->RCSTreeView->sortColumn()); } void RCSFilePreview::openReadOnly() { if (rcs!=NULL) rcs->setRO(true); RO = true; accept(); } void RCSFilePreview::openFile() { accept(); } void 
RCSFilePreview::selectedRevision(QTreeWidgetItem *itm) { if (itm == m_widget->RCSTreeView->topLevelItem(0)) return; QString rev = itm->text(0); assert(rcs!=NULL); rcs->setSelectedRev(rev); m_widget->comment->setText( rcsComments[rev] ); if (fwbdebug) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("RCSFilePreview::selectedRevision : %s", rev.toAscii().constData()); #else qDebug("RCSFilePreview::selectedRevision : %s", rev.toLatin1().constData()); #endif } bool RCSFilePreview::showFileRLog( const QString &filename ) { if (fwbdebug) qDebug("RCSFilePreview::showFileRLog filename=%s rcs=%p", filename.toLocal8Bit().constData(),rcs); current_file = filename; m_widget->RCSTreeView->disconnect( SIGNAL(currentItemChanged(QTreeWidgetItem*, QTreeWidgetItem*))); m_widget->RCSTreeView->clear(); if (rcs!=NULL) delete rcs; rcs = new RCS(filename); if (rcs->revisions.size()==0) { QTreeWidgetItem *itm = new QTreeWidgetItem(m_widget->RCSTreeView); itm->setText( 0, tr("File is not in RCS") ); // addToRCS->setEnabled(true); m_widget->comment->setText(""); return false; } // addToRCS->setEnabled(false); QTreeWidgetItem *rootItm = new QTreeWidgetItem( m_widget->RCSTreeView ); rootItm->setText( 0, filename.right( filename.length()-filename.lastIndexOf("/")-1 ) ); rootItm->setExpanded(true); rcsComments.clear(); QList::iterator i; QList itemList; QList::iterator ili; RCSViewItem* latest_revision_item = NULL; RCSViewItem* latest_date_item = NULL; string latest_revision = "1.0"; QString latest_date = ""; for (i=rcs->revisions.begin(); i!=rcs->revisions.end(); ++i) { rcsComments[(*i).rev] = (*i).log; RCSViewItem *itm = NULL; if (st->getRCSFilePreviewStyle()==1) { // List style itm = addRevision(*i, rootItm); itemList.push_back(itm); } else { // tree style if ((*i).rev.indexOf(QRegExp("^[0-9]+\\.[0-9]+$"))!=-1) { itm = addRevision(*i, rootItm); itemList.push_back(itm); } if ((*i).rev.indexOf(QRegExp("^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"))!=-1) { QString branch_root = 
(*i).rev.section(".",0,1); for (ili=itemList.begin(); ili!=itemList.end(); ++ili) { if ((*ili)->text(0) == branch_root) { QTreeWidgetItem *br = *ili; if (br!=NULL) itm = addRevision((*i), br); } } } } string itm_revision = (*i).rev.toStdString(); if (XMLTools::version_compare(itm_revision, latest_revision) > 0) { latest_revision = itm_revision; latest_revision_item = itm; } // This relies on the date string in the rcslog output // being in sortable format. This is so for the "C" or "en_US" // locale, but I am not sure about other locales. if ((*i).date > latest_date) { latest_date = (*i).date; latest_date_item = itm; } } m_widget->RCSTreeView->expandAll(); m_widget->RCSTreeView->sortByColumn(st->getRCSFilePreviewSortColumn(), Qt::AscendingOrder); // connect signal before setting current item so that // selectedRevision gets control and updates rcs log panel connect( m_widget->RCSTreeView, SIGNAL(currentItemChanged(QTreeWidgetItem*, QTreeWidgetItem*)), this, SLOT(selectedRevision(QTreeWidgetItem*))); RCSViewItem* show_item = NULL; if (m_widget->RCSTreeView->sortColumn()==0 && latest_revision_item) show_item = latest_revision_item; if (m_widget->RCSTreeView->sortColumn()==1 && latest_date_item) show_item = latest_date_item; if (show_item) { show_item->setSelected(true); m_widget->RCSTreeView->expandItem(show_item->parent()); m_widget->RCSTreeView->setCurrentItem(show_item); m_widget->RCSTreeView->scrollToItem(show_item); } // resize after parent of the current item was expanded m_widget->RCSTreeView->resizeColumnToContents ( 0 ); m_widget->RCSTreeView->resizeColumnToContents ( 1 ); return true; } RCSViewItem* RCSFilePreview::addRevision(Revision &rev, QTreeWidgetItem *parent_item) { RCSViewItem *itm = new RCSViewItem(parent_item); itm->setText(0, rev.rev); itm->setText(1, rev.date); itm->setText(2, rev.author); itm->setText(3, QString(" ") + rev.locked_by); return itm; } void RCSFilePreview::switchToTreeView() { st->setRCSFilePreviewStyle(0); // 0 for backward 
compatibility if (!current_file.isEmpty()) showFileRLog(current_file); } void RCSFilePreview::switchToListView() { st->setRCSFilePreviewStyle(1); if (!current_file.isEmpty()) showFileRLog(current_file); } RCS* RCSFilePreview::getSelectedRev() { if (fwbdebug) qDebug("RCSFilePreview::getSelectedRev rcs=%p",rcs); return rcs; } void RCSFilePreview::closeEvent(QCloseEvent *event) { if (fwbdebug) qDebug("RCSFilePreview::closeEvent"); st->setRCSFilePreviewSortColumn(m_widget->RCSTreeView->sortColumn()); QDialog::closeEvent(event); } fwbuilder-5.3.7/src/libgui/RCSFilePreview.h000066400000000000000000000040011303637203600205130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __RCSFILEPREVIEW_H_ #define __RCSFILEPREVIEW_H_ #include #include "RCS.h" #include #include #include class RCSViewItem : public QTreeWidgetItem { public: RCSViewItem(QTreeWidget *parent) : QTreeWidgetItem(parent) {} RCSViewItem(QTreeWidgetItem *parent) : QTreeWidgetItem(parent) {} virtual bool operator<(const QTreeWidgetItem &other) const; }; class RCSFilePreview : public QDialog { Q_OBJECT Ui::RCSFilePreview_q *m_widget; RCS *rcs; QString current_file; std::map rcsComments; bool RO; RCSViewItem* addRevision(Revision &rev, QTreeWidgetItem *parent_item); public: RCSFilePreview(QWidget *parent); ~RCSFilePreview(); RCS* getSelectedRev(); bool showFileRLog( const QString &filename ); public slots: virtual void openReadOnly(); virtual void selectedRevision(QTreeWidgetItem *itm); virtual void openFile(); virtual void switchToTreeView(); virtual void switchToListView(); virtual void closeEvent(QCloseEvent *event); }; #endif fwbuilder-5.3.7/src/libgui/RoutingRuleOptionsDialog.cpp000066400000000000000000000065671303637203600232530ustar00rootroot00000000000000/* Copyright (C) 2005 Compal GmbH, Germany Author: Roman Hoog Antink Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #include "config.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "ProjectPanel.h" #include "RoutingRuleOptionsDialog.h" #include "RuleSetView.h" #include "FWWindow.h" #include "FWCmdRule.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Rule.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace std; RoutingRuleOptionsDialog::~RoutingRuleOptionsDialog() { delete m_dialog; } RoutingRuleOptionsDialog::RoutingRuleOptionsDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::RoutingRuleOptionsDialog_q; m_dialog->setupUi(this); } void RoutingRuleOptionsDialog::loadFWObject(FWObject *o) { obj=o; FWObject *p = obj; while ( !Firewall::cast(p) ) p = p->getParent(); platform = p->getStr("platform").c_str(); Rule *rule = dynamic_cast(o); FWOptions *ropt = rule->getOptionsObject(); int wid = 0; if (platform=="iptables") wid = 0; else wid = 1; /* if (platform=="ipf") wid = 1; if (platform=="pf") wid = 2; if (platform=="ipfw") wid = 3; */ m_dialog->wStack->setCurrentIndex( wid ); m_dialog->wStack->widget(wid)->raise(); data.clear(); if (platform=="iptables") { data.registerOption(m_dialog->routing_non_critical_rule, ropt, "no_fail"); } init = true; data.loadAll(); init = false; } void RoutingRuleOptionsDialog::validate(bool *res) { *res=true; } void RoutingRuleOptionsDialog::applyChanges() { std::auto_ptr cmd( new 
FWCmdRuleChangeOptions(m_project, obj)); // new_state is a copy of the rule object FWObject* new_state = cmd->getNewState(); FWOptions* new_rule_options = Rule::cast(new_state)->getOptionsObject(); init=true; data.saveAll(new_rule_options); init=false; if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/RoutingRuleOptionsDialog.h000066400000000000000000000037021303637203600227040ustar00rootroot00000000000000/* Copyright (C) 2005 Compal GmbH, Germany Author: Roman Hoog Antink Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
*/ #ifndef __ROUTINGRULEOPTIONSDIALOG_H_ #define __ROUTINGRULEOPTIONSDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "DialogData.h" #include "fwbuilder/FWObject.h" class RuleSetView; class ProjectPanel; class RoutingRuleOptionsDialog : public BaseObjectDialog { Q_OBJECT; DialogData data; QString platform; RuleSetView *rsv; Ui::RoutingRuleOptionsDialog_q *m_dialog; public: RoutingRuleOptionsDialog(QWidget *parent); ~RoutingRuleOptionsDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // __ROUTINGRULEOPTIONSDIALOG_H fwbuilder-5.3.7/src/libgui/RuleGroupPanel.cpp000066400000000000000000000032161303637203600211700ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RuleGroupPanel.h" #include "RuleSetView.h" RuleGroupPanel::RuleGroupPanel(QWidget * parent, RuleSetView * rsv, int row) : QFrame(parent) { this->row = row; this->rsv = rsv; this->setupUi(this); setContentsMargins(3,3,3,3); showHideRuleGroupButton->hide(); connect(showHideRuleGroupButton, SIGNAL(pressed()), this,SLOT(showHideRuleGroup())); } void RuleGroupPanel::mousePressEvent( QMouseEvent * event ) { if (event->buttons() == Qt::RightButton) { rsv->firstSelectedRow = row; rsv->contextMenu(row,0,event->globalPos ()); } } void RuleGroupPanel::mouseDoubleClickEvent( QMouseEvent * event ) { rsv->firstSelectedRow = row ; rsv->renameGroup(); } void RuleGroupPanel::showHideRuleGroup() { rsv->showHideRuleGroup(this); } fwbuilder-5.3.7/src/libgui/RuleGroupPanel.h000066400000000000000000000024061303637203600206350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include class RuleSetView ; class RuleGroupPanel : public QFrame, public Ui::RuleGroupPanel { Q_OBJECT public: int row ; RuleSetView * rsv ; RuleGroupPanel (QWidget * parent,RuleSetView * rsv, int row) ; public slots: void showHideRuleGroup(); public: virtual void mousePressEvent ( QMouseEvent * event ); virtual void mouseDoubleClickEvent ( QMouseEvent * event) ; }; fwbuilder-5.3.7/src/libgui/RuleNode.cpp000066400000000000000000000054631303637203600200070ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RuleNode.h" RuleNode::RuleNode(Type type, const QString &str ) { this->type = type; this->name = str; parent = 0; } RuleNode::~RuleNode() { qDeleteAll(children); } void RuleNode::add(RuleNode * node) { children << node; node->parent = this; } void RuleNode::prepend(RuleNode * node) { children.prepend(node); node->parent = this; } void RuleNode::insert(int pos, RuleNode* node) { children.insert(pos, node); node->parent = this; } bool RuleNode::isInGroup() { if (parent == 0) return false; return !parent->isRoot(); } bool RuleNode::isRoot() { return type == RuleNode::Root; } QString RuleNode::groupName() { if (isInGroup()) return parent->name; return QString(); } QString RuleNode::nameOfSuccessorGroup() { if (parent == 0 || isInGroup()) return QString(); int idx = parent->children.indexOf(this); if (idx < (parent->children.size() - 1) && parent->children[idx + 1]->type == Group) { return parent->children[idx + 1]->name; } return QString(); } QString RuleNode::nameOfPredecessorGroup() { if (parent == 0 || isInGroup()) return QString(); int idx = parent->children.indexOf(this); if (idx > 0 && parent->children[idx - 1]->type == Group) { return parent->children[idx - 1]->name; } return QString(); } bool RuleNode::isOutermost() { if (type != RuleNode::Rule) return false; return this == this->parent->children.first() || this == this->parent->children.last(); } bool RuleNode::operator==(const RuleNode &rn) const { if (rn.type != this->type) return false; if (this->type == Group) { return this->name == rn.name; } else { return this->rule == rn.rule; } } void RuleNode::resetSizes() { for(int i=0;iresetAllSizes(); } } fwbuilder-5.3.7/src/libgui/RuleNode.h000066400000000000000000000033001303637203600174400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This 
program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef RULENODE_H #define RULENODE_H #include #include #define MAX_COLUMNS 20 namespace libfwbuilder { class Rule; } class RuleNode : public QObject { public: enum Type { Root, Group, Rule }; RuleNode(Type type, const QString &str = ""); ~RuleNode(); Type type; QString name; //TODO This field is unused in real application RuleNode *parent; QList children; libfwbuilder::Rule* rule; QSize sizes[MAX_COLUMNS]; void prepend(RuleNode * node); void add(RuleNode* ); void insert(int pos, RuleNode* node); bool isInGroup(); bool isRoot(); bool isOutermost(); QString groupName(); QString nameOfSuccessorGroup(); QString nameOfPredecessorGroup(); void resetSizes(); void resetAllSizes(); bool operator==(const RuleNode &rn) const; }; #endif // RULENODE_H fwbuilder-5.3.7/src/libgui/RuleOptionsDialog.cpp000066400000000000000000000505341303637203600216740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "definitions.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "ProjectPanel.h" #include "RuleOptionsDialog.h" #include "RuleSetView.h" #include "FWWindow.h" #include "FWCmdRule.h" #include "FWObjectDropArea.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Rule.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Resources.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace std; RuleOptionsDialog::~RuleOptionsDialog() { delete m_dialog; } RuleOptionsDialog::RuleOptionsDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::RuleOptionsDialog_q; m_dialog->setupUi(this); m_dialog->pfTagDropArea->addAcceptedTypes("TagService"); m_dialog->iptTagDropArea->addAcceptedTypes("TagService"); connectSignalsOfAllWidgetsToSlotChange(); firewall = NULL; init=false; } void RuleOptionsDialog::loadFWObject(FWObject *o) { obj = o; firewall = o; // use Firewall::cast to match both Firewall and Cluster while (!Firewall::cast(firewall)) firewall = firewall->getParent(); platform = firewall->getStr("platform").c_str(); string version = firewall->getStr("version"); // build a map for combobox so visible combobox items can be localized QStringList route_options = getRouteOptions_pf_ipf(platform); QStringList route_load_options = getRouteLoadOptions_pf(platform); QStringList classify_options_ipfw = 
getClassifyOptions_ipfw(platform); Rule *rule = dynamic_cast(o); FWOptions *ropt = rule->getOptionsObject(); PolicyRule *policy_rule = PolicyRule::cast(rule); int wid=0; if (platform=="iptables") wid=1; if (platform=="ipf") wid=2; if (platform=="pf") wid=3; if (platform=="ipfw") wid=4; if (platform=="pix" || platform=="fwsm") wid=5; if (platform=="iosacl" || platform=="procurve_acl") wid=6; if (platform=="junosacl") wid=7; m_dialog->wStack->widget(wid)->raise(); m_dialog->wStack->setCurrentWidget(m_dialog->wStack->widget(wid)); QStringList logLevels=getLogLevels( obj->getStr("platform").c_str() ); m_dialog->ipt_logLevel->clear(); m_dialog->ipt_logLevel->addItems(getScreenNames(logLevels)); m_dialog->ipf_logLevel->clear(); m_dialog->ipf_logLevel->addItems(getScreenNames(logLevels)); m_dialog->pix_logLevel->clear(); m_dialog->pix_logLevel->addItems(getScreenNames(logLevels)); QStringList logFacilities=getLogFacilities( obj->getStr("platform").c_str()); m_dialog->ipf_logFacility->clear(); m_dialog->ipf_logFacility->addItems(getScreenNames(logFacilities)); QStringList limitSuffixes=getLimitSuffixes( obj->getStr("platform").c_str()); m_dialog->ipt_limitSuffix->clear(); m_dialog->ipt_limitSuffix->addItems(getScreenNames(limitSuffixes)); m_dialog->ipt_hashlimit_suffix->clear(); m_dialog->ipt_hashlimit_suffix->addItems(getScreenNames(limitSuffixes)); fillInterfaces(m_dialog->ipt_iif); fillInterfaces(m_dialog->ipt_oif); fillInterfaces(m_dialog->ipf_route_opt_if); fillInterfaces(m_dialog->pf_route_opt_if); data.clear(); if (platform=="iptables") { data.registerOption(m_dialog->ipt_logPrefix, ropt, "log_prefix"); data.registerOption(m_dialog->ipt_logLevel, ropt, "log_level", logLevels); data.registerOption(m_dialog->ipt_nlgroup, ropt, "ulog_nlgroup"); data.registerOption(m_dialog->ipt_limit, ropt, "limit_value"); data.registerOption(m_dialog->ipt_limitSuffix, ropt, "limit_suffix", limitSuffixes); data.registerOption(m_dialog->ipt_limit_not, ropt, "limit_value_not"); 
data.registerOption(m_dialog->ipt_burst, ropt, "limit_burst"); data.registerOption(m_dialog->ipt_connlimit, ropt, "connlimit_value"); data.registerOption(m_dialog->ipt_connlimit_above_not, ropt, "connlimit_above_not"); data.registerOption(m_dialog->ipt_connlimit_masklen, ropt, "connlimit_masklen"); data.registerOption(m_dialog->ipt_hashlimit, ropt, "hashlimit_value"); data.registerOption(m_dialog->ipt_hashlimit_suffix, ropt, "hashlimit_suffix"); data.registerOption(m_dialog->ipt_hashlimit_burst, ropt, "hashlimit_burst"); data.registerOption(m_dialog->cb_srcip, ropt, "hashlimit_mode_srcip"); data.registerOption(m_dialog->cb_dstip, ropt, "hashlimit_mode_dstip"); data.registerOption(m_dialog->cb_srcport, ropt, "hashlimit_mode_srcport"); data.registerOption(m_dialog->cb_dstport, ropt, "hashlimit_mode_dstport"); data.registerOption(m_dialog->ipt_hashlimit_dstlimit, ropt, "hashlimit_dstlimit"); data.registerOption(m_dialog->ipt_hashlimit_name, ropt, "hashlimit_name"); data.registerOption(m_dialog->ipt_hashlimit_size, ropt, "hashlimit_size"); data.registerOption(m_dialog->ipt_hashlimit_max, ropt, "hashlimit_max"); data.registerOption(m_dialog->ipt_hashlimit_expire, ropt, "hashlimit_expire"); data.registerOption(m_dialog->ipt_hashlimit_gcinterval, ropt, "hashlimit_gcinterval"); // in v3.0 attribute "assume fw is part of any" used to be a // checkbox and therefore stored as boolean in the rule // options. Old "on" maps to the new "on", which means old "True" // maps to "1". Old "off" maps to "use global" though. 
string old_val = ropt->getStr("firewall_is_part_of_any_and_networks"); if (old_val == "True") ropt->setStr("firewall_is_part_of_any_and_networks", "1"); if (old_val == "False") ropt->setStr("firewall_is_part_of_any_and_networks", ""); QStringList threeStateMapping; threeStateMapping.push_back(QObject::tr("Follow global setting")); threeStateMapping.push_back(""); threeStateMapping.push_back(QObject::tr("On")); threeStateMapping.push_back("1"); threeStateMapping.push_back(QObject::tr("Off")); threeStateMapping.push_back("0"); data.registerOption(m_dialog->ipt_assume_fw_is_part_of_any, ropt, "firewall_is_part_of_any_and_networks", threeStateMapping); data.registerOption(m_dialog->ipt_stateless, ropt, "stateless"); data.registerOption(m_dialog->ipt_mark_connections, ropt, "ipt_mark_connections"); data.registerOption(m_dialog->classify_str, ropt, "classify_str"); // Route data.registerOption(m_dialog->ipt_iif, ropt, "ipt_iif" ); data.registerOption(m_dialog->ipt_oif, ropt, "ipt_oif" ); data.registerOption(m_dialog->ipt_gw, ropt, "ipt_gw" ); data.registerOption(m_dialog->ipt_continue, ropt, "ipt_continue" ); data.registerOption(m_dialog->ipt_tee, ropt, "ipt_tee"); FWObject *o = policy_rule->getTagObject(); m_dialog->iptTagDropArea->setObject(o); m_dialog->iptTagDropArea->update(); } if (platform=="ipf") { data.registerOption(m_dialog->ipf_logFacility, ropt, "ipf_log_facility", logFacilities); data.registerOption(m_dialog->ipf_logLevel, ropt, "log_level", logLevels); data.registerOption(m_dialog->ipf_masq_icmp, ropt, "ipf_return_icmp_as_dest"); data.registerOption(m_dialog->ipf_stateless, ropt, "stateless"); data.registerOption(m_dialog->ipf_keep_frags, ropt, "ipf_keep_frags"); // Route data.registerOption(m_dialog->ipf_route_option, ropt, "ipf_route_option", route_options); data.registerOption(m_dialog->ipf_route_opt_if, ropt, "ipf_route_opt_if"); data.registerOption(m_dialog->ipf_route_opt_addr, ropt, "ipf_route_opt_addr"); } if (platform=="pf") { bool ge_4_5 = 
XMLTools::version_compare(version, "4.5")>=0; m_dialog->pf_no_sync->setEnabled(ge_4_5); m_dialog->pf_pflow->setEnabled(ge_4_5); data.registerOption(m_dialog->pf_logPrefix, ropt, "log_prefix"); data.registerOption(m_dialog->pf_stateless, ropt, "stateless"); data.registerOption(m_dialog->pf_keep_state, ropt, "pf_keep_state"); data.registerOption(m_dialog->pf_no_sync, ropt, "pf_no_sync"); data.registerOption(m_dialog->pf_pflow, ropt, "pf_pflow"); data.registerOption(m_dialog->pf_sloppy_tracker, ropt, "pf_sloppy_tracker"); data.registerOption(m_dialog->pf_rule_max_state, ropt, "pf_rule_max_state"); data.registerOption(m_dialog->pf_source_tracking, ropt, "pf_source_tracking"); data.registerOption(m_dialog->pf_max_src_nodes, ropt, "pf_max_src_nodes"); data.registerOption(m_dialog->pf_max_src_states, ropt, "pf_max_src_states"); data.registerOption(m_dialog->pf_max_src_conn, ropt, "pf_max_src_conn"); data.registerOption(m_dialog->pf_overload_table, ropt, "pf_max_src_conn_overload_table"); data.registerOption(m_dialog->pf_flush, ropt, "pf_max_src_conn_flush"); data.registerOption(m_dialog->pf_global, ropt, "pf_max_src_conn_global"); data.registerOption(m_dialog->pf_max_src_conn_rate_num, ropt, "pf_max_src_conn_rate_num"); data.registerOption(m_dialog->pf_max_src_conn_rate_seconds, ropt, "pf_max_src_conn_rate_seconds"); data.registerOption(m_dialog->pf_modulate, ropt, "pf_modulate_state"); data.registerOption(m_dialog->pf_synproxy, ropt, "pf_synproxy"); // Tag FWObject *o = policy_rule->getTagObject(); m_dialog->pfTagDropArea->setObject(o); m_dialog->pfTagDropArea->update(); // Classify data.registerOption(m_dialog->pf_classify_str, ropt, "pf_classify_str"); // Route data.registerOption(m_dialog->pf_fastroute, ropt, "pf_fastroute"); data.registerOption(m_dialog->pf_route_load_option, ropt, "pf_route_load_option", route_load_options); data.registerOption(m_dialog->pf_route_option, ropt, "pf_route_option", route_options); data.registerOption(m_dialog->pf_route_opt_if, ropt, 
"pf_route_opt_if"); data.registerOption(m_dialog->pf_route_opt_addr, ropt, "pf_route_opt_addr"); } if (platform=="ipfw") { data.registerOption(m_dialog->ipfw_stateless, ropt, "stateless"); /* #2367 */ // Classify data.registerOption(m_dialog->ipfw_classify_method, ropt, "ipfw_classify_method", classify_options_ipfw); data.registerOption(m_dialog->usePortNum, ropt, "ipfw_pipe_queue_num"); } if (platform=="iosacl" || platform=="procurve_acl") { data.registerOption(m_dialog->iosacl_add_mirror_rule, ropt, "iosacl_add_mirror_rule"); } if (platform=="pix" || platform=="fwsm") { string vers = "version_" + version; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (Resources::platform_res[platform.toAscii().constData()]->getResourceBool( "/FWBuilderResources/Target/options/" + vers + "/pix_rule_syslog_settings")) #else if (Resources::platform_res[platform.toLatin1().constData()]->getResourceBool( "/FWBuilderResources/Target/options/" + vers + "/pix_rule_syslog_settings")) #endif { m_dialog->pix_disable_rule_log->setEnabled(true); m_dialog->pix_logLevel->setEnabled(true); m_dialog->pix_log_interval->setEnabled(true); data.registerOption(m_dialog->pix_disable_rule_log, ropt, "disable_logging_for_this_rule"); data.registerOption(m_dialog->pix_logLevel, ropt, "log_level",logLevels); data.registerOption(m_dialog->pix_log_interval, ropt, "log_interval"); } else { m_dialog->pix_disable_rule_log->setEnabled(false); m_dialog->pix_logLevel->setEnabled(false); m_dialog->pix_log_interval->setEnabled(false); } } if (platform=="junosacl") { data.registerOption(m_dialog->counterLineEdit, ropt, "counter_name"); } init = true; data.loadAll(); m_dialog->pf_max_src_nodes->setEnabled( m_dialog->pf_source_tracking->isChecked()); m_dialog->pf_max_src_states->setEnabled( m_dialog->pf_source_tracking->isChecked()); connlimitAboveLabelChange(); limitLabelChange(); //apply->setEnabled(false); init=false; } void RuleOptionsDialog::changed() { //apply->setEnabled(true); 
m_dialog->pf_max_src_nodes->setEnabled( m_dialog->pf_source_tracking->isChecked()); m_dialog->pf_max_src_states->setEnabled( m_dialog->pf_source_tracking->isChecked()); bool enable_overload_options = ( m_dialog->pf_max_src_conn->value()>0 || ( m_dialog->pf_max_src_conn_rate_num->value()>0 && m_dialog->pf_max_src_conn_rate_seconds->value()>0) ); m_dialog->pf_overload_table->setEnabled(enable_overload_options); m_dialog->pf_flush->setEnabled(enable_overload_options); m_dialog->pf_global->setEnabled(enable_overload_options); iptRouteContinueToggled(); // #2367 BaseObjectDialog::changed(); } void RuleOptionsDialog::validate(bool *res) { *res=true; } void RuleOptionsDialog::applyChanges() { std::auto_ptr cmd( new FWCmdRuleChangeOptions(m_project, obj)); // new_state is a copy of the rule object FWObject* new_state = cmd->getNewState(); FWOptions* new_rule_options = Rule::cast(new_state)->getOptionsObject(); init = true; data.saveAll(new_rule_options); init = false; /* #2367 */ PolicyRule *policy_rule = PolicyRule::cast(new_state); if (policy_rule) { FWOptions *ropt = policy_rule->getOptionsObject(); if (platform=="iptables") { FWObject *tag_object = m_dialog->iptTagDropArea->getObject(); // if tag_object==NULL, setTagObject clears setting in the rule policy_rule->setTagging(tag_object != NULL); policy_rule->setTagObject(tag_object); policy_rule->setClassification( ! ropt->getStr("classify_str").empty()); policy_rule->setRouting( ! ropt->getStr("ipt_iif").empty() || ! ropt->getStr("ipt_oif").empty() || ! ropt->getStr("ipt_gw").empty()); } if (platform=="pf") { FWObject *tag_object = m_dialog->pfTagDropArea->getObject(); // if tag_object==NULL, setTagObject clears setting in the rule policy_rule->setTagging(tag_object != NULL); policy_rule->setTagObject(tag_object); policy_rule->setClassification( ! new_rule_options->getStr("pf_classify_str").empty()); policy_rule->setRouting( ! 
new_rule_options->getStr("pf_route_option").empty() && new_rule_options->getStr("pf_route_option") != "none"); } if (platform=="ipf") { policy_rule->setRouting( ! new_rule_options->getStr("ipf_route_option").empty() && new_rule_options->getStr("ipf_route_option") != "none"); } if (platform=="ipfw") { policy_rule->setClassification( new_rule_options->getInt("ipfw_classify_method") > -1); } } if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } void RuleOptionsDialog::cancelChanges() { //apply->setEnabled(false); close(); } void RuleOptionsDialog::connlimitAboveLabelChange() { if (m_dialog->ipt_connlimit_above_not->isChecked()) m_dialog->ipt_connlimit_above_label->setText( "Match if the number of existing connections is below this " "(translates into option ! --connlimit-above)"); else m_dialog->ipt_connlimit_above_label->setText( "Match if the number of existing connections is above this " "(translates into option --connlimit-above)"); changed(); } void RuleOptionsDialog::limitLabelChange() { if (m_dialog->ipt_limit_not->isChecked()) m_dialog->ipt_limit_label->setText( "Maximum average matching rate (negated) " "(translates into option ! --limit rate)"); else m_dialog->ipt_limit_label->setText( "Maximum average matching rate " "(translates into option --limit rate)"); changed(); } void RuleOptionsDialog::iptRouteContinueToggled() { if (m_dialog->ipt_continue->isChecked()) { m_dialog->ipt_iif->setCurrentIndex(0); m_dialog->ipt_tee->setChecked(false); } m_dialog->ipt_iif->setEnabled( ! m_dialog->ipt_continue->isChecked() ); m_dialog->ipt_tee->setEnabled( ! 
m_dialog->ipt_continue->isChecked() ); } void RuleOptionsDialog::fillInterfaces(QComboBox* cb) { QSet deduplicated_interface_names; list interfaces = firewall->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=interfaces.begin(); i!=interfaces.end(); ++i) { Interface *iface = Interface::cast(*i); assert(iface); if (iface->isLoopback()) continue; deduplicated_interface_names.insert(iface->getName().c_str()); if (Cluster::isA(firewall)) { FailoverClusterGroup *failover_group = FailoverClusterGroup::cast( iface->getFirstByType(FailoverClusterGroup::TYPENAME)); if (failover_group) { for (FWObject::iterator it=failover_group->begin(); it!=failover_group->end(); ++it) { FWObject *mi = FWReference::getObject(*it); if (Interface::isA(mi) && ! iface->isLoopback()) { deduplicated_interface_names.insert(mi->getName().c_str()); } } } } } QStringList sorted_interfaces; QSetIterator it(deduplicated_interface_names); while (it.hasNext()) { sorted_interfaces << it.next(); } sorted_interfaces.sort(); cb->clear(); cb->addItem(""); cb->addItems(sorted_interfaces); } fwbuilder-5.3.7/src/libgui/RuleOptionsDialog.h000066400000000000000000000035271303637203600213410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __RULEOPTIONSDIALOG_H_ #define __RULEOPTIONSDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "DialogData.h" #include "fwbuilder/FWObject.h" class RuleSetView; class ProjectPanel; class RuleOptionsDialog : public BaseObjectDialog { Q_OBJECT; DialogData data; QString platform; RuleSetView *rsv; Ui::RuleOptionsDialog_q*m_dialog; libfwbuilder::FWObject *firewall; public: RuleOptionsDialog(QWidget *parent); ~RuleOptionsDialog(); void fillInterfaces(QComboBox *); // #2367 public slots: virtual void changed(); virtual void applyChanges(); virtual void cancelChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void connlimitAboveLabelChange(); virtual void limitLabelChange(); virtual void iptRouteContinueToggled(); // #2367 }; #endif // __RULEOPTIONSDIALOG_H fwbuilder-5.3.7/src/libgui/RuleSetDialog.cpp000066400000000000000000000172711303637203600207750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBTree.h" #include "RuleSetDialog.h" #include "ProjectPanel.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/Host.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/FWException.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Policy.h" #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; RuleSetDialog::RuleSetDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::RuleSetDialog_q; m_dialog->setupUi(this); obj = NULL; platform = ""; connectSignalsOfAllWidgetsToSlotChange(); } RuleSetDialog::~RuleSetDialog() { delete m_dialog; } void RuleSetDialog::loadFWObject(FWObject *o) { obj = o; this->setEnabled(!o->isReadOnly()); RuleSet *s = dynamic_cast(obj); assert(s!=NULL); init = true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); // ipv4_6_rule_set QComboBox: // 0 - ipv4 // 1 - ipv6 // 2 - dual int idx = 0; if (s->isV4()) idx = 0; if (s->isV6()) idx = 1; if (s->isDual()) idx = 2; m_dialog->ipv4_6_rule_set->setCurrentIndex(idx); m_dialog->top_rule_set->setChecked(s->isTop()); FWObject *fw = o; while (fw && (!Firewall::isA(fw) && !Cluster::isA(fw))) fw = fw->getParent(); // if rule set object is in DeletedObjects library, it does not have parent // firewall if (fw!=NULL) { platform = fw->getStr("platform"); fwopt = Firewall::cast(fw)->getOptionsObject(); FWOptions *rulesetopt = s->getOptionsObject(); if (platform == "iptables") { m_dialog->top_rule_set->setToolTip( QApplication::translate("RuleSetDialog_q", "On iptables \"top\" rule set goes into \n" 
"the built-in chains INPUT, OUTPUT,\n" "FORWARD; if this flag is unchecked,\n" "rules go into user-defined chain \n" "with the name the same as the name of \n" "the rule set.", #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) 0, QApplication::UnicodeUTF8)); #else 0)); #endif if (Policy::isA(obj)) { // if this attribute is absent, we consider it False, so for // backwards compatibility the rule set is considered // filter+mangle rather than mangle only. m_dialog->iptables_only->show(); bool f = rulesetopt->getBool("mangle_only_rule_set"); m_dialog->ipt_filter_table->setChecked(!f); m_dialog->ipt_mangle_table->setChecked(f); } else m_dialog->iptables_only->hide(); } else { m_dialog->iptables_only->hide(); } if (platform == "pf") m_dialog->top_rule_set->setToolTip( QApplication::translate("RuleSetDialog_q", "If this flag is unchecked, rules go \n" "into anchor with the name the same as\n" "the name of the rule set.", #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) 0, QApplication::UnicodeUTF8)); #else 0)); #endif if (platform == "iosacl" || platform == "pix" || platform=="fwsm") m_dialog->top_rule_set->setToolTip( QApplication::translate("RuleSetDialog_q", "If this flag is unchecked, generated\n" "access list will not be assigned to\n" "interfaces with \"ip access-group\"\n" "command. 
The name of the rule set will\n" "be used as a prefix for names of\n" "access access lists generated for it.", #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) 0, QApplication::UnicodeUTF8)); #else 0)); #endif if (platform == "ipf" || platform == "ipfw") m_dialog->top_rule_set->hide(); else m_dialog->top_rule_set->show(); } init=false; } void RuleSetDialog::validate(bool *res) { *res = true; if (!validateName(this, obj, m_dialog->obj_name->text())) { *res = false; return; } // Do not allow ':' in the rule set names because this character is // used as a separator in error and warning messages QString pattern("([a-zA-Z0-9_-+=@%^]+)"); // branch (anchor) names for PF may end with "/*" if (platform == "pf") pattern = "([a-zA-Z0-9_-+=@%^]+)(/\\*)?"; QRegExp rx(pattern); if (!rx.exactMatch(m_dialog->obj_name->text())) { *res = false ; if (QApplication::focusWidget() != NULL) { blockSignals(true); QMessageBox::critical( this, "Firewall Builder", tr("Rule set name '%1' is invalid. Only '[a-z][A-Z][0-9]_-+=@%^' characters are allowed.").arg( m_dialog->obj_name->text() ), tr("&Continue"), 0, 0, 0 ); blockSignals(false); } return ; } } void RuleSetDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); RuleSet *s = dynamic_cast(new_state); assert(s!=NULL); FWOptions *rulesetopt = s->getOptionsObject(); string oldname = obj->getName(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); switch (m_dialog->ipv4_6_rule_set->currentIndex()) { case 1: s->setV6(); break; case 2: s->setDual(); break; default: s->setV4(); break; } s->setTop(m_dialog->top_rule_set->isChecked()); if (platform == "iptables" && Policy::isA(s)) { rulesetopt->setBool("mangle_only_rule_set", m_dialog->ipt_mangle_table->isChecked()); } if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } 
fwbuilder-5.3.7/src/libgui/RuleSetDialog.h000066400000000000000000000027161303637203600204400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __RULESETDIALOG_H_ #define __RULESETDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" #include "fwbuilder/FWOptions.h" class ProjectPanel; class RuleSetDialog : public BaseObjectDialog { Q_OBJECT; std::string platform; libfwbuilder::FWOptions *fwopt; Ui::RuleSetDialog_q *m_dialog; public: RuleSetDialog(QWidget *parent); ~RuleSetDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // RULESETDIALOG_H fwbuilder-5.3.7/src/libgui/RuleSetDiffDelegate.cpp000066400000000000000000000047151303637203600221000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RuleSetDiffDelegate.h" #include #include "config.h" #include "global.h" #include "utils.h" #include "FWBSettings.h" #include "fwbuilder/Rule.h" #include "RuleSetDiffDialog.h" using namespace libfwbuilder; using namespace std; RuleSetDiffDelegate::RuleSetDiffDelegate(QObject *parent, FWObjectSelectionModel *selectionModel, QAbstractProxyModel *model, ProjectPanel *project) : RuleSetViewDelegate(parent, selectionModel), m_model(model), m_project(project) {} void RuleSetDiffDelegate::paint(QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index) const { RuleSetViewDelegate::paint(painter, option, m_model->mapToSource(index)); } QSize RuleSetDiffDelegate::sizeHint(const QStyleOptionViewItem &option, const QModelIndex &index) const { return RuleSetViewDelegate::sizeHint(option, m_model->mapToSource(index)); } QString RuleSetDiffDelegate::getRuleColor(RuleNode *node) const { int changeType = m_project->getDiffType(node->rule->getId()); switch (changeType) { case DiffType::Add: return QString(st->getDiffColor(FWBSettings::ADD_COLOR)); case DiffType::Edit: return QString(st->getDiffColor(FWBSettings::EDIT_COLOR)); case DiffType::Move: return QString(st->getDiffColor(FWBSettings::MOVE_COLOR)); case DiffType::Remove: return QString(st->getDiffColor(FWBSettings::REMOVE_COLOR)); default: break; } return QString(); } fwbuilder-5.3.7/src/libgui/RuleSetDiffDelegate.h000066400000000000000000000030161303637203600215360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the 
GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef RULESETDIFFDELEGATE_H #define RULESETDIFFDELEGATE_H #include "RuleSetViewDelegate.h" #include "ProjectPanel.h" #include class RuleSetDiffDelegate : public RuleSetViewDelegate { Q_OBJECT public: RuleSetDiffDelegate(QObject *parent, FWObjectSelectionModel *selectionModel, QAbstractProxyModel *model, ProjectPanel *project); void paint (QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index) const; QSize sizeHint (const QStyleOptionViewItem &, const QModelIndex &) const; private: QAbstractProxyModel *m_model; ProjectPanel *m_project; virtual QString getRuleColor(RuleNode *node) const; }; #endif // RULESETDIFFDELEGATE_H fwbuilder-5.3.7/src/libgui/RuleSetDiffDialog.cpp000066400000000000000000000343101303637203600215570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RuleSetDiffDialog.h" #include "RuleSetDiffModel.h" #include #include #include #include #include "RuleSetView.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/Library.h" #include "RuleSetDiffDelegate.h" #include "FWObjectSelectionModel.h" #include "FWCmdRule.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/RuleElement.h" #include "RuleSetModel.h" #include "FWBSettings.h" #include "global.h" using namespace libfwbuilder; using namespace std; static bool sortByName(const FWObject *a, const FWObject *b) { return a->getName() < b->getName(); } RuleSetDiffDialog::RuleSetDiffDialog(ProjectPanel *project, QWidget *parent) : QDialog(parent), ui(new Ui::RuleSetDiffDialog_q), m_project(project) { ui->setupUi(this); connect(ui->firewall, SIGNAL(currentIndexChanged(int)), this, SLOT(updateRuleSetList())); connect(ui->ruleset, SIGNAL(currentIndexChanged(int)), this, SLOT(updateRuleSetView())); connect(ui->originalRuleSetView->horizontalScrollBar(), SIGNAL(valueChanged(int)), this, SLOT(horizontalScrollBarValueChanged(int))); connect(ui->currentRuleSetView->horizontalScrollBar(), SIGNAL(valueChanged(int)), this, SLOT(horizontalScrollBarValueChanged(int))); connect(ui->originalRuleSetView, SIGNAL(clicked(QModelIndex)), this, SLOT(itemClicked(QModelIndex))); connect(ui->currentRuleSetView, SIGNAL(clicked(QModelIndex)), this, SLOT(itemClicked(QModelIndex))); connect(ui->originalRuleSetView, SIGNAL(doubleClicked(QModelIndex)), this, SLOT(itemDoubleClicked(QModelIndex))); connect(ui->currentRuleSetView, SIGNAL(doubleClicked(QModelIndex)), this, SLOT(itemDoubleClicked(QModelIndex))); connect(ui->originalRuleSetView, SIGNAL(expanded(QModelIndex)), this, 
SLOT(itemExpanded(QModelIndex))); connect(ui->currentRuleSetView, SIGNAL(expanded(QModelIndex)), this, SLOT(itemExpanded(QModelIndex))); connect(ui->originalRuleSetView, SIGNAL(collapsed(QModelIndex)), this, SLOT(itemCollapsed(QModelIndex))); connect(ui->currentRuleSetView, SIGNAL(collapsed(QModelIndex)), this, SLOT(itemCollapsed(QModelIndex))); ui->displayUnmodifiedRulesBtn->setChecked(st->getDisplayUnmodifiedRules()); connect(ui->displayUnmodifiedRulesBtn, SIGNAL(clicked()), this, SLOT(displayUnmodifiedRules())); m_currentObjdb = m_project->db(); if (m_currentObjdb) m_currentUserLibrary = findUserLibrary(m_currentObjdb); m_originalObjdb = m_project->origDb(); if (m_originalObjdb) m_originalUserLibrary = findUserLibrary(m_originalObjdb); updateFirewallList(); showMaximized(); } Library* RuleSetDiffDialog::findUserLibrary(FWObjectDatabase *db) { Library *lib = NULL; foreach (FWObject *obj, db->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } RuleSetDiffDialog::~RuleSetDiffDialog() { delete ui; } void RuleSetDiffDialog::updateFirewallList() { if (!m_currentUserLibrary) return; list clusters = m_currentUserLibrary->getByTypeDeep(Cluster::TYPENAME); clusters.sort(sortByName); foreach (FWObject *cluster, clusters) if (m_originalUserLibrary->getById(cluster->getId(), true)) ui->firewall->addItem(QString::fromStdString((cluster->getName())), QVariant(cluster->getId())); list firewalls = m_currentUserLibrary->getByTypeDeep(Firewall::TYPENAME); firewalls.sort(sortByName); foreach(FWObject *firewall, firewalls) if (m_originalUserLibrary->getById(firewall->getId(), true)) ui->firewall->addItem(QString::fromStdString(firewall->getName()), QVariant(firewall->getId())); } void RuleSetDiffDialog::updateRuleSetList() { ui->ruleset->clear(); if (!m_currentUserLibrary) return; FWObject *currentFirewall = m_currentUserLibrary->getById( ui->firewall->itemData(ui->firewall->currentIndex()).toInt(), true); FWObject 
*originalFirewall = m_originalUserLibrary->getById( ui->firewall->itemData(ui->firewall->currentIndex()).toInt(), true); if (!currentFirewall || !originalFirewall) return; foreach (FWObject *ruleset, static_cast >(*currentFirewall)) { if ((ruleset->getTypeName() == Policy::TYPENAME) || (ruleset->getTypeName() == NAT::TYPENAME) || (ruleset->getTypeName() == Routing::TYPENAME)) if (originalFirewall->getById(ruleset->getId())) ui->ruleset->addItem(QString::fromStdString(ruleset->getName()), QVariant(ruleset->getId())); } } void RuleSetDiffDialog::updateRuleSetView() { if (!m_currentUserLibrary || !m_originalUserLibrary || !ui->ruleset->count()) return; FWObject *currentRuleSet = m_currentUserLibrary->getById( ui->ruleset->itemData(ui->ruleset->currentIndex()).toInt(), true); FWObject *originalRuleSet = m_originalUserLibrary->getById(currentRuleSet->getId(), true); if (!currentRuleSet || !originalRuleSet) return; RuleSetModel *currentRuleSetModel, *originalRuleSetModel; if (Policy::isA(currentRuleSet)) { currentRuleSetModel = new PolicyModel(Policy::cast(currentRuleSet), this); originalRuleSetModel = new PolicyModel(Policy::cast(originalRuleSet), this); } if (NAT::isA(currentRuleSet)) { currentRuleSetModel = new NatModel(NAT::cast(currentRuleSet), this); originalRuleSetModel = new NatModel(NAT::cast(originalRuleSet), this); } if (Routing::isA(currentRuleSet)) { currentRuleSetModel = new RoutingModel(Routing::cast(currentRuleSet), this); originalRuleSetModel = new RoutingModel(Routing::cast(originalRuleSet), this); } RuleSetDiffModel *originalDiffModel = new RuleSetDiffModel(this, originalRuleSetModel, m_project); RuleSetDiffDelegate *originalDelegate = new RuleSetDiffDelegate(originalDiffModel, new FWObjectSelectionModel(), originalDiffModel, m_project); ui->originalRuleSetView->setModel(originalDiffModel); ui->originalRuleSetView->setItemDelegate(originalDelegate); originalDiffModel->displayUnmodifiedRules(ui->displayUnmodifiedRulesBtn->isChecked()); 
ui->originalRuleSetView->expandAll(); RuleSetDiffModel *currentDiffModel = new RuleSetDiffModel(this, currentRuleSetModel, m_project); RuleSetDiffDelegate *currentDelegate = new RuleSetDiffDelegate(currentDiffModel, new FWObjectSelectionModel(), currentDiffModel, m_project); ui->currentRuleSetView->setModel(currentDiffModel); ui->currentRuleSetView->setItemDelegate(currentDelegate); currentDiffModel->displayUnmodifiedRules(ui->displayUnmodifiedRulesBtn->isChecked()); ui->currentRuleSetView->expandAll(); setLabelColor(ui->addColorLbl, st->getDiffColor(FWBSettings::ADD_COLOR)); ui->addTextLbl->setText(QString(tr("Add (%1)")) .arg(QString::number(m_project->getStatistics(currentRuleSet->getId(), DiffType::Add)))); setLabelColor(ui->editColorLbl, st->getDiffColor(FWBSettings::EDIT_COLOR)); ui->editTextLbl->setText(QString(tr("Edit (%1)")) .arg(QString::number(m_project->getStatistics(currentRuleSet->getId(), DiffType::Edit)))); setLabelColor(ui->moveColorLbl, st->getDiffColor(FWBSettings::MOVE_COLOR)); ui->moveTextLbl->setText(QString(tr("Move (%1)")) .arg(QString::number(m_project->getStatistics(currentRuleSet->getId(), DiffType::Move)))); setLabelColor(ui->removeColorLbl, st->getDiffColor(FWBSettings::REMOVE_COLOR)); ui->removeTextLbl->setText(QString(tr("Remove (%1)")) .arg(QString::number(m_project->getStatistics(currentRuleSet->getId(), DiffType::Remove)))); } void RuleSetDiffDialog::setLabelColor(QLabel *label, const QString &color) { QPalette palette; palette.setColor(QPalette::Window, QColor(color)); label->setAutoFillBackground(true); label->setPalette(palette); } void RuleSetDiffDialog::horizontalScrollBarValueChanged(int val) { ui->originalRuleSetView->horizontalScrollBar()->setValue(val); ui->currentRuleSetView->horizontalScrollBar()->setValue(val); } void RuleSetDiffDialog::itemClicked(const QModelIndex &index) { if (sender() == ui->currentRuleSetView) selectItem(index, true); else if (sender() == ui->originalRuleSetView) selectItem(index, false); } void 
RuleSetDiffDialog::itemDoubleClicked(const QModelIndex &index) { if (sender() == ui->currentRuleSetView) selectItem(index, true, true); else if (sender() == ui->originalRuleSetView) selectItem(index, false, true); } void RuleSetDiffDialog::selectItem(const QModelIndex &index, bool sourceIsCurrentRuleSetView, bool doubleClick) { RuleSetDiffModel *srcProxyModel, *dstProxyModel; RuleSetModel *ruleSetModel; QTreeView *view; if (sourceIsCurrentRuleSetView) { srcProxyModel = static_cast(ui->currentRuleSetView->model()); dstProxyModel = static_cast(ui->originalRuleSetView->model()); ruleSetModel = static_cast(dstProxyModel->sourceModel()); view = ui->originalRuleSetView; } else { srcProxyModel = static_cast(ui->originalRuleSetView->model()); dstProxyModel = static_cast(ui->currentRuleSetView->model()); ruleSetModel = static_cast(dstProxyModel->sourceModel()); view = ui->currentRuleSetView; } RuleNode *node = static_cast(srcProxyModel->mapToSource(index).internalPointer()); if (node->type == RuleNode::Rule) { Rule *rule = Rule::cast(ruleSetModel->getRuleSet()->getById(node->rule->getId(), true)); if (rule) { view->setCurrentIndex(dstProxyModel->mapFromSource( ruleSetModel->indexForPosition( rule->getPosition()))); if (doubleClick) { ui->originalRuleSetView->scrollTo(ui->originalRuleSetView->currentIndex(), QAbstractItemView::PositionAtCenter); ui->currentRuleSetView->scrollTo(ui->currentRuleSetView->currentIndex(), QAbstractItemView::PositionAtCenter); } return; } } if (node->type == RuleNode::Group) { if (sourceIsCurrentRuleSetView) { view->setCurrentIndex(dstProxyModel->mapFromSource( ruleSetModel->index( m_project->getRenamedGroups().key(node->name, node->name)))); } else { view->setCurrentIndex(dstProxyModel->mapFromSource( ruleSetModel->index( m_project->getRenamedGroups().value(node->name, node->name)))); } if (doubleClick) { ui->originalRuleSetView->scrollTo(ui->originalRuleSetView->currentIndex(), QAbstractItemView::PositionAtCenter); 
ui->currentRuleSetView->scrollTo(ui->currentRuleSetView->currentIndex(), QAbstractItemView::PositionAtCenter); } return; } view->clearSelection(); } void RuleSetDiffDialog::itemExpanded(const QModelIndex &index) { expandCollapseItem(index, true); } void RuleSetDiffDialog::itemCollapsed(const QModelIndex &index) { expandCollapseItem(index); } void RuleSetDiffDialog::expandCollapseItem(const QModelIndex &index, bool expand) { RuleSetDiffModel *srcProxyModel, *dstProxyModel; RuleSetModel *ruleSetModel; QTreeView *view; if (sender() == ui->currentRuleSetView) { srcProxyModel = static_cast(ui->currentRuleSetView->model()); dstProxyModel = static_cast(ui->originalRuleSetView->model()); ruleSetModel = static_cast(dstProxyModel->sourceModel()); view = ui->originalRuleSetView; } else if (sender() == ui->currentRuleSetView) { srcProxyModel = static_cast(ui->originalRuleSetView->model()); dstProxyModel = static_cast(ui->currentRuleSetView->model()); ruleSetModel = static_cast(dstProxyModel->sourceModel()); view = ui->currentRuleSetView; } else { return; } RuleNode *node = static_cast(srcProxyModel->mapToSource(index).internalPointer()); if (node->type == RuleNode::Group) { if (expand) { view->expand(dstProxyModel->mapFromSource(ruleSetModel->index(node->name))); } else { view->collapse(dstProxyModel->mapFromSource(ruleSetModel->index(node->name))); } } } void RuleSetDiffDialog::displayUnmodifiedRules() { RuleSetDiffModel *originalDiffModel = static_cast(ui->originalRuleSetView->model()); RuleSetDiffModel *currentDiffModel = static_cast(ui->currentRuleSetView->model()); if (!originalDiffModel || !currentDiffModel) return; originalDiffModel->displayUnmodifiedRules(ui->displayUnmodifiedRulesBtn->isChecked()); ui->originalRuleSetView->expandAll(); currentDiffModel->displayUnmodifiedRules(ui->displayUnmodifiedRulesBtn->isChecked()); ui->currentRuleSetView->expandAll(); } 
fwbuilder-5.3.7/src/libgui/RuleSetDiffDialog.h000066400000000000000000000044411303637203600212260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef RULESETDIFFDIALOG_H #define RULESETDIFFDIALOG_H #include #include #include namespace libfwbuilder { class FWObject; class FWObjectDatabase; class Library; } class ProjectPanel; class RuleSetModel; namespace Ui { class RuleSetDiffDialog_q; } class RuleSetDiffDialog : public QDialog { Q_OBJECT public: explicit RuleSetDiffDialog(ProjectPanel *project, QWidget *parent = 0); ~RuleSetDiffDialog(); public slots: void updateFirewallList(); void updateRuleSetList(); void updateRuleSetView(); void horizontalScrollBarValueChanged(int val); void itemClicked(const QModelIndex &index); void itemDoubleClicked(const QModelIndex &index); void selectItem(const QModelIndex &index, bool sourceIsCurrentRuleSetView, bool doubleClick = false); void itemExpanded(const QModelIndex &index); void itemCollapsed(const QModelIndex &index); void expandCollapseItem(const QModelIndex &index, bool expand = false); void displayUnmodifiedRules(); private: Ui::RuleSetDiffDialog_q *ui; ProjectPanel *m_project; libfwbuilder::FWObjectDatabase *m_currentObjdb; libfwbuilder::FWObjectDatabase *m_originalObjdb; libfwbuilder::Library 
*m_currentUserLibrary; libfwbuilder::Library *m_originalUserLibrary; libfwbuilder::Library* findUserLibrary(libfwbuilder::FWObjectDatabase *db); void setLabelColor(QLabel *label, const QString& color); }; #endif // RULESETDIFFDIALOG_H fwbuilder-5.3.7/src/libgui/RuleSetDiffModel.cpp000066400000000000000000000035051303637203600214220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RuleSetDiffModel.h" #include "RuleNode.h" #include "fwbuilder/Rule.h" using namespace libfwbuilder; RuleSetDiffModel::RuleSetDiffModel(QObject *parent, RuleSetModel *model, ProjectPanel *project) : QSortFilterProxyModel(parent), m_project(project), m_displayUnmodifiedRules(false) { setSourceModel(model); } void RuleSetDiffModel::displayUnmodifiedRules(bool val) { beginResetModel(); m_displayUnmodifiedRules = val; endResetModel(); } bool RuleSetDiffModel::filterAcceptsRow(int source_row, const QModelIndex &source_parent) const { if (m_displayUnmodifiedRules) return true; QModelIndex index = sourceModel()->index(source_row, 0, source_parent); if (index.isValid()) { RuleNode *node = static_cast(index.internalPointer()); if (!node) return false; if (RuleNode::Rule != node->type) return true; if (m_project->getDiffType(node->rule->getId()) != DiffType::None) return true; } return 
false; } fwbuilder-5.3.7/src/libgui/RuleSetDiffModel.h000066400000000000000000000026231303637203600210670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2013 UNINETT AS Author: Sirius Bakke This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef RULESETDIFFMODEL_H #define RULESETDIFFMODEL_H #include #include "ProjectPanel.h" #include "RuleSetModel.h" class RuleSetDiffModel : public QSortFilterProxyModel { Q_OBJECT public: explicit RuleSetDiffModel(QObject *parent, RuleSetModel *model, ProjectPanel *project); void displayUnmodifiedRules(bool val); protected: bool filterAcceptsRow(int source_row, const QModelIndex &source_parent) const; private: ProjectPanel* m_project; bool m_displayUnmodifiedRules; signals: public slots: }; #endif // RULESETDIFFMODEL_H fwbuilder-5.3.7/src/libgui/RuleSetModel.cpp000066400000000000000000001420661303637203600206370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "definitions.h" #include "global.h" #include "utils.h" #include "platforms.h" #include #include #include #include #include #include #include #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Interface.h" #include "FWBSettings.h" #include "RuleSetModel.h" #include "FWObjectPropertiesFactory.h" using namespace libfwbuilder; using namespace std; //////////////////////////////////////////////////////////////////////// // RuleSetModelIterator //////////////////////////////////////////////////////////////////////// RuleSetModelIterator::RuleSetModelIterator() { row = 0; model = 0; } bool RuleSetModelIterator::isValid() { return model != 0 && row>=0 && model->rowCount(parent) > row; } bool RuleSetModelIterator::hasNext() { if (model->rowCount(parent) - 1 > row) return true; return (parent.isValid()) ? (model->rowCount() - 1 > parent.row()) : false; } bool RuleSetModelIterator::hasPrev() { if (row > 0) return true; return (parent.isValid()) ? 
(parent.row() > 0) : false; } RuleSetModelIterator& RuleSetModelIterator::operator= (const RuleSetModelIterator& it) { model = it.model; parent = it.parent; row = it.row; return *this; } RuleSetModelIterator& RuleSetModelIterator::operator++ () { QModelIndex index = this->index(); if (model->hasChildren(index)) { parent = index; row = 0; } else { row++; if (row >= model->rowCount(parent)) { if (parent.isValid()) { row = parent.row() + 1; parent = parent.parent(); } } } return *this; } RuleSetModelIterator& RuleSetModelIterator::operator-- () { row--; if (row < 0) { if (parent.isValid()) { row = parent.row(); parent = parent.parent(); } } else { QModelIndex index = this->index(); if (model->hasChildren(index)) { parent = index; row = model->rowCount(parent) - 1; } } return *this; } bool RuleSetModelIterator::operator== ( RuleSetModelIterator& it) { return (parent == it.parent) && (row == it.row); } bool RuleSetModelIterator::operator!= ( RuleSetModelIterator& it ) { return !this->operator==(it); } QModelIndex RuleSetModelIterator::index() { // qDebug() << "RuleSetModelIterator::index() row:" << row; return model->index(row, 0,parent); } //////////////////////////////////////////////////////////////////////// // RuleSetModel //////////////////////////////////////////////////////////////////////// RuleSetModel::RuleSetModel(RuleSet *ruleset, QObject *parent) : QAbstractItemModel(parent) { root = 0; this->ruleset = ruleset; initModel(); } void RuleSetModel::initModel() { //if (fwbdebug) qDebug() << "RuleSetModel::initModel"; if (root) delete root; root = new RuleNode(RuleNode::Root,"root"); int row = 1; QHash groups; RuleNode* node; RuleNode* group; QTime t; t.start(); for (FWObject::iterator i=ruleset->begin(); i!=ruleset->end(); i++, row++) { Rule *r = Rule::cast( *i ); if (r == NULL) continue; // skip RuleSetOptions // rulesByPosition[r->getPosition()] = r; node = new RuleNode(RuleNode::Rule, QString()); node->rule = r; if (r->getRuleGroupName().empty()) { 
root->add(node); } else { //Add rule to group QString groupName = QString::fromUtf8(r->getRuleGroupName().c_str()); if (!groups.contains(groupName)) { group = new RuleNode(RuleNode::Group, groupName); groups.insert(groupName, group); root->add(group); } else { group = groups.value(groupName); } group->add(node); } } //if (fwbdebug) qDebug("Model init: %d ms", t.elapsed()); } int RuleSetModel::rowCount(const QModelIndex &parent) const { if (parent.column() > 0) return 0; RuleNode *parentNode = nodeFromIndex(parent); if (!parentNode) return 0; return parentNode->children.count(); } int RuleSetModel::columnCount(const QModelIndex &parent) const { Q_UNUSED (parent) return header.size()+1; } QVariant RuleSetModel::data(const QModelIndex &index, int role) const { switch (role) { case Qt::DisplayRole: return getDataForDisplayRole(index); case Qt::UserRole: return getColumnDesc(index); case Qt::DecorationRole: return getDecoration(index); default: return QVariant(); } } QVariant RuleSetModel::getDecoration(const QModelIndex &index) const { if (!index.isValid()) return QVariant(); if (index.column() != 0) return QVariant(); RuleNode *node = nodeFromIndex(index); if (!node || node->type != RuleNode::Rule) return QVariant(); if (node->rule && !node->rule->isDisabled()) return QVariant(); QVariant res; QString icn_file = ":/Icons/neg"; QPixmap pm; LoadPixmap(":/Icons/neg", pm); res.setValue( QIcon(pm) ); return res; } QVariant RuleSetModel::getColumnDesc(const QModelIndex &index) const { //if (fwbdebug) qDebug() << "RuleSetModel::getColumnDesc "<< index.column(); QVariant res; if (index.column()>0 && index.column()<=header.size()) { res.setValue(header.at(index.column()-1)); } return res; } QVariant RuleSetModel::getDataForDisplayRole(const QModelIndex &index) const { //if (fwbdebug) qDebug() << "RuleSetModel::getDataForDisplayRole"; RuleNode *node = nodeFromIndex(index); if (!node) return QVariant(); if (node->type == RuleNode::Group) { return 
getGroupDataForDisplayRole(index,node); } else if (node->type == RuleNode::Rule) { return getRuleDataForDisplayRole(index,node); } return QVariant(); } QVariant RuleSetModel::getGroupDataForDisplayRole(const QModelIndex &index, RuleNode* node) const { //if (fwbdebug) qDebug() << "RuleSetModel::getGroupDataForDisplayRole"; int first = node->children.first()->rule->getPosition(); int last = node->children.last()->rule->getPosition(); return (index.column() == 0)? QString("%1 (%2 - %3)") .arg(node->name) .arg(first) .arg(last) :QVariant(); } QVariant RuleSetModel::headerData(int section, Qt::Orientation orientation, int role) const { //if (fwbdebug) qDebug() << "RuleSetModel::headerData"; // too chatty if (orientation == Qt::Vertical) return QVariant(); if (role != Qt::DisplayRole) return QVariant(); if (section>0 && section <= header.size()) return header[section-1].name; return QVariant(); } Rule * RuleSetModel::findRuleForPosition(int position) const { for (FWObject::iterator i=ruleset->begin(); i!=ruleset->end(); i++) { Rule *r = Rule::cast( *i ); if (r == 0) { continue; } if (r->getPosition() == position) { return r; } } return 0; } Rule * RuleSetModel::getRule(QModelIndex index) const { if (!index.isValid()) return 0; RuleNode* node = nodeFromIndex(index); if (RuleNode::Rule != node->type) return 0; return node->rule; } QModelIndex RuleSetModel::indexForPosition(int position) const { Rule * res = findRuleForPosition(position); return (res == 0)?QModelIndex():index(res, 0); } QModelIndex RuleSetModel::index(int row, int column, const QModelIndex &parent) const { // if (fwbdebug) // qDebug() << "RuleSetModel::index(int row, int column, const QModelIndex &parent)" // << "row=" << row // << "column=" << column; if (row < 0 || column < 0) return QModelIndex(); RuleNode *parentNode = nodeFromIndex(parent); RuleNode *childNode = parentNode->children.value(row); if (!childNode) return QModelIndex(); return createIndex(row, column, childNode); } QModelIndex 
RuleSetModel::index(QString groupName) const { if (!groupName.isEmpty()) { int row = 0; foreach(RuleNode *node, root->children) { if (node->type == RuleNode::Group && node->name == groupName) { return createIndex(row, 0, node); } row++; } } return QModelIndex(); } QModelIndex RuleSetModel::index(int row, int column, QString groupName) const { // if (fwbdebug) // qDebug() << " RuleSetModel::index(int row, int column, QString groupName)"; QModelIndex parent = index(groupName); return (parent.isValid()) ? index(row, column, parent) : QModelIndex(); } QModelIndex RuleSetModel::index(Rule *rule, libfwbuilder::RuleElement *re) const { // if (fwbdebug) // qDebug() << "RuleSetModel::index(libfwbuilder::Rule *rule, int col)"; int col = columnForRuleElementType(re->getTypeName().c_str()); return index(rule, col); } QModelIndex RuleSetModel::index(Rule *rule, int col) const { // if (fwbdebug) // qDebug() << "RuleSetModel::index(libfwbuilder::Rule *rule, int col) " << col; if (col < 0 || rule == 0) return QModelIndex(); QModelIndex parent; QString groupName = QString::fromUtf8(rule->getRuleGroupName().c_str()); if (!groupName.isEmpty()) { QList topLevel = root->children; int row = 0; foreach (RuleNode * node, topLevel) { if (node->type == RuleNode::Group && node->name == groupName) { parent = createIndex(row, 0, node); break; } row++; } } RuleNode *parentNode = nodeFromIndex(parent); int row = 0; RuleNode* child = NULL; foreach(RuleNode *node, parentNode->children) { if (node->type == RuleNode::Rule && node->rule == rule) { child = node; break; } row++; } if (child == NULL) return QModelIndex(); return createIndex(row, col, child); } int RuleSetModel::columnForRuleElementType(QString typeName) const { // if (fwbdebug) // qDebug() << "RuleSetModel::columnForRuleElementType(QString typeName)"; int col = 1; foreach (ColDesc cd, header) { if (cd.origin == typeName) break; col++; } return col; } int RuleSetModel::columnByType(ColDesc::ColumnType type) { // if (fwbdebug) // qDebug() 
<< "RuleSetModel::columnByType(ColDesc::ColumnType type)"; int col = 1; foreach (ColDesc cd, header) { if (cd.type == type) break; col++; } return col; } RuleNode* RuleSetModel::nodeFromIndex(const QModelIndex &index) const { if (index.isValid()) { return static_cast(index.internalPointer()); } else { return root; } } QModelIndex RuleSetModel::parent(const QModelIndex &child) const { RuleNode *node = nodeFromIndex(child); if (!node) return QModelIndex(); RuleNode *parentNode = node->parent; if (!parentNode) return QModelIndex(); RuleNode *grandparentNode = parentNode->parent; if (!grandparentNode) return QModelIndex(); int row = grandparentNode->children.indexOf(parentNode); return createIndex(row, 0, parentNode); } RuleElement * RuleSetModel::getRuleElementByRole(Rule* r, string roleName) const { return RuleElement::cast( r->getFirstByType(roleName) ); } bool RuleSetModel::isEmpty() { return root->children.size() == 0; } Firewall* RuleSetModel::getFirewall() const { FWObject *f=ruleset; while (f!=NULL && (!Firewall::isA(f) && !Cluster::isA(f))) f=f->getParent(); // f can be NULL if user is looking at deleted ruleset which is a child // of the library DeletedObjects return Firewall::cast(f); } void RuleSetModel::insertRuleToModel(Rule *rule, QModelIndex &index, bool isAfter) { QModelIndex parent = index.parent(); RuleNode *newNode = new RuleNode(RuleNode::Rule, QString()); newNode->rule = rule; if (index.isValid()) { RuleNode *node = nodeFromIndex(index); int idx = node->parent->children.indexOf(node); if (isAfter) idx++; emit beginInsertRows(parent, idx, idx); node->parent->children.insert(idx, newNode); newNode->parent = node->parent; emit endInsertRows(); } else { emit beginInsertRows(parent, 0, 0); root->children.prepend(newNode); newNode->parent = root; emit endInsertRows(); } QModelIndex newIndex = this->index(rule); rowChanged(newIndex); } Rule* RuleSetModel::insertNewRule() { Rule *newrule = getRuleSet()->insertRuleAtTop(); initRule(newrule); QModelIndex 
index; insertRuleToModel(newrule, index); return newrule; } Rule* RuleSetModel::insertNewRule(QModelIndex &index, bool isAfter) { if (!index.isValid()) return insertNewRule(); RuleNode *node = nodeFromIndex(index); int pos = node->rule->getPosition(); Rule *newrule = isAfter?ruleset->appendRuleAfter(pos):ruleset->insertRuleBefore(pos); initRule(newrule); string groupName = node->rule->getRuleGroupName(); newrule->setRuleGroupName(groupName); insertRuleToModel(newrule, index, isAfter); return newrule; } Rule* RuleSetModel::insertRule(Rule *rule, QModelIndex &index, bool isAfter) { Rule *newrule = 0; if (index.isValid()) { RuleNode *node = nodeFromIndex(index); int pos = node->rule->getPosition(); newrule = isAfter?ruleset->appendRuleAfter(pos):ruleset->insertRuleBefore(pos); initRule(newrule, rule); string groupName = node->rule->getRuleGroupName(); newrule->setRuleGroupName(groupName); insertRuleToModel(newrule, index, isAfter); } else { newrule = getRuleSet()->insertRuleAtTop(); initRule(newrule, rule); QModelIndex index; insertRuleToModel(newrule, index); } return newrule; } void RuleSetModel::insertRule(Rule *rule) { Rule * targetRule = ruleset->getRuleByNum(rule->getPosition()); if (targetRule==NULL) { ruleset->add(rule); if (isEmpty()) { QModelIndex index; insertRuleToModel(rule, index); } else { RuleSetModelIterator it = end(); --it; QModelIndex index = it.index(); insertRuleToModel(rule, index, true); } } else { QModelIndex index = this->index(targetRule); /* * Bugfix: when inserting a new rule abow a group, doing undo and then redo * we need to check which group the rule really belongs to */ if (targetRule->getStr("group") != rule->getStr("group")) { // The new rule at the index we are about to re-insert // are not in the same group as the old rule was // We'll get the group name from the rule above the current index targetRule = ruleset->getRuleByNum(rule->getPosition() - 1); if (targetRule) { index = this->index(targetRule); 
ruleset->insert_after(targetRule,rule); insertRuleToModel(rule, index, true); } else { // We are inserting on the top and there's no rule above // the current index. Let's just insert the rule at the top then, // and not put it into the group below rule->setParent(ruleset); ruleset->insert_before(ruleset->getRuleByNum(0), rule); index = QModelIndex(); insertRuleToModel(rule, index); } } else { ruleset->insert_before(targetRule,rule); insertRuleToModel(rule, index, false); } } ruleset->renumberRules(); } void RuleSetModel::restoreRule(Rule *) { } void RuleSetModel::restoreRules(QList rules, bool topLevel) { // qDebug() << "RuleSetModel::restoreRules(QList rules)"; int pos = rules.first()->getPosition()-1; int last = 0; Rule* pivotRule = 0; QModelIndex pivotIndex; //The very top rule should be inserted BEFORE others if (pos < 0) { Rule* rule = rules.first(); pivotRule = ruleset->getRuleByNum(0); ruleset->insert_before(pivotRule, rule); pivotIndex = index(pivotRule, 0); if (topLevel && pivotIndex.parent().isValid()) { pivotIndex = pivotIndex.parent(); } insertRuleToModel(rule, pivotIndex, false); pivotRule = rule; last++; } else { pivotRule = ruleset->getRuleByNum(pos); } pivotIndex = index(pivotRule, 0); // We need a toplevel index if (topLevel && pivotIndex.parent().isValid()) { pivotIndex = pivotIndex.parent(); } for (int i=rules.size()-1; i>=last; i--) { Rule* rule = rules.at(i); ruleset->insert_after(pivotRule, rule); insertRuleToModel(rule, pivotIndex, true); } ruleset->renumberRules(); } void RuleSetModel::removeRow(int row,const QModelIndex &parent) { removeRows(row,1,parent); } bool RuleSetModel::removeRows(int row, int count, const QModelIndex &parent) { //if (fwbdebug) qDebug() << "RuleSetModel::removeRows " << row << " , " << count ; if (count < 1 || row < 0 || (row + count > rowCount(parent))) return false; RuleNode *parentNode = nodeFromIndex(parent); int lastRow = row + count - 1; beginRemoveRows(parent,row,lastRow); for (int i = 0; ichildren.at(row); 
if (oldNode->type == RuleNode::Group || ruleset->deleteRule(oldNode->rule) ) { parentNode->children.removeAt(row); delete oldNode; } else { //TODO: May be we need some othe action in this case qWarning() << "Failed to remove rule"; break; } } endRemoveRows(); return true; } void RuleSetModel::moveRuleUp(const QModelIndex &group, int first, int last) { RuleNode *groupNode = nodeFromIndex(group); if (groupNode->isRoot()) { if (first == 0) return; if (root->children.at(first - 1)->type == RuleNode::Group) { addToGroupAbove(first, last); return; } } else { if (first == 0) { removeFromGroup(group, first, last); return; } } int pos = first - 1; QList list; removeToList(list, group, first, last); for(int i = 0; i< list.size(); i++) { ruleset->moveRuleUp(list.at(i)->rule->getPosition()); } insertFromList(list, group, pos); } void RuleSetModel::moveRuleDown(const QModelIndex &group, int first, int last) { RuleNode *groupNode = nodeFromIndex(group); int childrens = groupNode->children.size(); if (groupNode->isRoot()) { if (last == childrens - 1) return; if (root->children.at(last + 1)->type == RuleNode::Group) { addToGroupBelow(first, last); return; } } else { if (last == childrens - 1) { removeFromGroup(group, first, last); return; } } int pos = first + 1; QList list; removeToList(list, group, first, last); for(int i = list.size() - 1; i>=0 ; i--) { ruleset->moveRuleDown(list.at(i)->rule->getPosition()); } insertFromList(list, group, pos); } void RuleSetModel::removeToList(QList &list, const QModelIndex &group, int first, int last) { emit beginRemoveRows(group, first, last); int count = last - first + 1; RuleNode *parent = nodeFromIndex(group); for (int i=0; ichildren.at(first); parent->children.removeAt(first); } emit endRemoveRows(); } void RuleSetModel::insertFromList(const QList &list, const QModelIndex &group, int position) { int first = position; int last = position + list.size() - 1; emit beginInsertRows(group, first, last); RuleNode *parent = nodeFromIndex(group); 
for (int i=list.size()-1; i>=0; i--) { parent->children.insert(position, list.at(i)); } emit endInsertRows(); } bool RuleSetModel::isIndexRule(const QModelIndex index) { if (!index.isValid()) return false; RuleNode* node = static_cast(index.internalPointer()); if (node == 0) return false; return node->type == RuleNode::Rule; } void RuleSetModel::changeRuleColor(const QList &indexes, const QString &c) { QModelIndex i1 = index(indexes.first().row(), 0, indexes.first().parent()); QModelIndex i2 = index(indexes.last().row(), header.size() - 1, indexes.last().parent()); foreach(QModelIndex index, indexes) { if (!index.isValid()) return; RuleNode* node = nodeFromIndex(index); if (node->rule==0) return; FWOptions *ropt = node->rule->getOptionsObject(); ropt->setStr("color", c.toLatin1().constData()); } emit dataChanged(i1, i2); } void RuleSetModel::changeGroupColor(const QModelIndex index, const QString &c) { if (!index.isValid()) return; RuleNode* group = nodeFromIndex(index); if (group->type != RuleNode::Group) return; foreach (RuleNode* node, group->children) { if (node->rule==0) continue; FWOptions *ropt = node->rule->getOptionsObject(); ropt->setStr("color", c.toLatin1().constData()); } groupChanged(index); } void RuleSetModel::renameGroup(QModelIndex group, const QString &newName) { QString newGroupName = findUniqueNameForGroup(newName); RuleNode* groupNode = nodeFromIndex(group); //Set new group name for all children of this node. 
foreach (RuleNode* node, groupNode->children) { node->rule->setRuleGroupName(newGroupName.toUtf8().data()); } groupNode->name = newGroupName; rowChanged(group); } void RuleSetModel::rowChanged(const QModelIndex &index) { nodeFromIndex(index)->resetSizes(); emit dataChanged(createIndex(index.row(), 0, index.internalPointer()), createIndex(index.row(), header.size()-1,index.internalPointer())); } void RuleSetModel::groupChanged(const QModelIndex &group) { RuleNode* groupNode = nodeFromIndex(group); QModelIndex i1 = index(0,0,group); QModelIndex i2 = index(groupNode->children.size() - 1, header.size()-1, group); emit dataChanged(i1, i2); } QString RuleSetModel::findUniqueNameForGroup(const QString &groupName) { int count = 0; bool exactNameExists = false; QRegExp rx("^(.*)-(\\d+)$"); foreach (RuleNode *node, root->children) { if (node->type != RuleNode::Group) continue; QString name = node->name; exactNameExists = exactNameExists || (name == groupName); if (rx.exactMatch(name)) { QString nameSection = rx.capturedTexts().at(1); QString countSection = rx.capturedTexts().at(2); int curCnt = countSection.toInt(); if (nameSection == groupName && curCnt>count) count = curCnt; } } QString uniqueGroupName = (exactNameExists)? 
groupName + "-" + QString::number(++count):groupName; //if (fwbdebug) qDebug() << "uniqueGroupName" << uniqueGroupName ; return uniqueGroupName; } QModelIndex RuleSetModel::createNewGroup(QString groupName, int first, int last) { //if (fwbdebug) qDebug() << "RuleSetModel::createNewGroup" << groupName << first << last; QString uniqueGroupName = findUniqueNameForGroup(groupName); RuleNode *group = new RuleNode(RuleNode::Group, uniqueGroupName); // remove selected rules emit beginRemoveRows(QModelIndex(), first, last); int count = last - first + 1; for(int i=0; ichildren.at(first); group->add(node); root->children.removeAt(first); node->rule->setRuleGroupName(uniqueGroupName.toUtf8().data()); } emit endRemoveRows(); // Add new group after the selected rules int groupPos = first; emit beginInsertRows(QModelIndex(), groupPos, groupPos); root->insert(groupPos, group); emit endInsertRows(); return index(groupPos, 0, QModelIndex()); } void RuleSetModel::removeFromGroup(QModelIndex group, int first, int last) { if (!group.isValid()) return; RuleNode *groupNode = nodeFromIndex(group); if (groupNode->type != RuleNode::Group) return; //if (fwbdebug) qDebug() << "RuleSetModel::removeFromGroup " << groupNode->name << first << "-" << last; /* if items touch bottom of the group or we are going to move all items from the group then we will insert them after the group node one level up, Else we will insert them before\ the group node. 
*/ int count = last-first+1; bool moveAllItems = count == groupNode->children.size(); bool insertBefore = first == 0; int insertPosition = (insertBefore || moveAllItems)?group.row():(group.row()+1); // Remove nodes from the tree emit beginRemoveRows(group, first, last); QList moving; for(int i = first; i<= last; i++) { RuleNode *node = groupNode->children.at(first); node->rule->setRuleGroupName(""); moving << node;; groupNode->children.removeAt(first); } emit endRemoveRows(); QModelIndex rootIndex = group.parent(); // if all Items were moved from the group then group should be removed as well if (moveAllItems) { emit beginRemoveRows(rootIndex, group.row(), group.row()); root->children.removeAt(group.row()); delete groupNode; emit endRemoveRows(); } emit beginInsertRows(rootIndex, insertPosition, insertPosition + count -1); // Insert rows to calculated position. int pos = insertPosition; for(int i=0; iinsert(pos++,moving.at(i)); } emit endInsertRows(); } QString RuleSetModel::addToGroupAbove(int first, int last) { RuleNode *targetGroup = root->children.at(first - 1); moveToGroup(targetGroup, first, last); return targetGroup->name; } QString RuleSetModel::addToGroupBelow(int first, int last) { RuleNode *targetGroup = root->children.at(last + 1); moveToGroup(targetGroup, first, last, false); return targetGroup->name; } void RuleSetModel::moveToGroup(RuleNode *targetGroup, int first, int last, bool append) { //if (fwbdebug) qDebug() << "RuleSetModel::moveToGroup " << targetGroup->name << first << last << append; // Remove nodes from the tree QList rules; emit beginRemoveRows(QModelIndex(), first, last); int count = last - first + 1; for(int i=0; ichildren.at(first); rules << node; root->children.removeAt(first); node->rule->setRuleGroupName(targetGroup->name.toUtf8().data()); } emit endRemoveRows(); // Add rules to the group int row = (append)?first - 1:first; QModelIndex targetGroupIndex = createIndex(row, 0, targetGroup);; emit beginInsertRows(targetGroupIndex, 
(append)?targetGroup->children.size():0, (append)?(targetGroup->children.size()+count-1):(count-1) ); for(int i=0; iadd(rules.at(i)); else targetGroup->prepend(rules.at(count - i - 1)); } emit endInsertRows(); } void RuleSetModel::setEnabled(const QModelIndex &index, bool flag) { if (!index.isValid()) return; RuleNode *node = nodeFromIndex(index); if (node->type != RuleNode::Rule) return; //if (fwbdebug) qDebug() << "RuleSetModel::setEnabled " << index.row() << "->" << flag; if (flag) node->rule->enable(); else node->rule->disable(); rowChanged(index); } void RuleSetModel::deleteObject(QModelIndex &index, FWObject* obj) { RuleElement *re = (RuleElement *)index.data(Qt::DisplayRole).value(); if (re==NULL || re->isAny()) return; // int id = obj->getId(); // if (fwbdebug) // { // qDebug("RuleSetView::deleteObject row=%d col=%d id=%s", // index.row(), index.column(), FWObjectDatabase::getStringId(id).c_str()); // qDebug("obj = %p",re->getRoot()->findInIndex(id)); // int rc = obj->ref()-1; obj->unref(); // qDebug("obj->ref_counter=%d",rc); // } re->removeRef(obj); if (re->isAny()) re->setNeg(false); rowChanged(index); // if (fwbdebug) // { // qDebug("RuleSetView::deleteObject re->size()=%d", int(re->size())); // qDebug("obj = %p",re->getRoot()->findInIndex(id)); // int rc = obj->ref()-1; obj->unref(); // qDebug("obj->ref_counter=%d",rc); // } } bool RuleSetModel::insertObject(QModelIndex &index, FWObject *obj) { // if (fwbdebug) qDebug("RuleSetModel::insertObject -- insert object %s", // obj->getName().c_str()); ColDesc colDesc = index.data(Qt::UserRole).value(); if (colDesc.type != ColDesc::Object && colDesc.type != ColDesc::Time) return false; RuleElement *re = (RuleElement *)index.data(Qt::DisplayRole).value(); assert (re!=NULL); if (! 
re->validateChild(obj) ) { if (RuleElementRItf::cast(re)) { QMessageBox::information( NULL , "Firewall Builder", QObject::tr( "A single interface belonging to " "this firewall is expected in this field."), QString::null,QString::null); } else if (RuleElementRGtw::cast(re)) { QMessageBox::information( NULL , "Firewall Builder", QObject::tr( "A single ip address is expected " "here. You may also insert a host " "or a network adapter leading to " "a single ip adress."), QString::null,QString::null); } return false; } if (re->getAnyElementId()==obj->getId()) return false; if ( !re->isAny()) { /* avoid duplicates */ int cp_id = obj->getId(); list::iterator j; for(j=re->begin(); j!=re->end(); ++j) { FWObject *o=*j; if(cp_id==o->getId()) return false; FWReference *ref; if( (ref=FWReference::cast(o))!=NULL && cp_id==ref->getPointerId()) return false; } } re->addRef(obj); rowChanged(index); return true; } void RuleSetModel::getGroups(QList &list) { list.clear(); int row = 0; foreach(RuleNode *node, root->children) { if (node->type == RuleNode::Group) { list.append(createIndex(row, 0, node)); } row++; } } RuleSetModelIterator RuleSetModel::begin() { RuleSetModelIterator it; if (root->children.isEmpty()) return it; it.model = this; it.row = 0; return it; } RuleSetModelIterator RuleSetModel::end() { RuleSetModelIterator it; if (root->children.isEmpty()) return it; it.model = this; it.row = root->children.size(); return it; } bool RuleSetModel::isGroup(const QModelIndex &index) const { RuleNode* node = nodeFromIndex(index); return node != NULL && node->type == RuleNode::Group; } void RuleSetModel::resetAllSizes() { emit layoutAboutToBeChanged (); root->resetAllSizes(); emit layoutChanged (); } QString RuleSetModel::getPositionAsString(RuleNode *node) const { return QString::number(node->rule->getPosition()); } ActionDesc RuleSetModel::getRuleActionDesc(Rule* r) const { ActionDesc res; res.name = getRuleAction(r); Firewall *f = getFirewall(); if (f) { res.displayName = 
getActionNameForPlatform(f, r); res.tooltip = FWObjectPropertiesFactory::getRuleActionPropertiesRich(r); } else { res.displayName = res.name; res.tooltip = ""; } res.argument = FWObjectPropertiesFactory::getRuleActionProperties(r); return res; } int RuleSetModel::getRulePosition(QModelIndex index) { Rule* rule = 0; if (index.isValid()) { rule = nodeFromIndex(index)->rule; } return (rule == 0)?0:rule->getPosition(); } void RuleSetModel::objectChanged(FWObject* object) { Q_UNUSED(object) /* * See #2373 * * Signal dataChanged() is connected to the slot * RuleSetView::updateAllColumnsSize() that just calls resizeColumns() * and does not do anything different depending on the model * index. Can just call it once using different signal. QModelIndexList relatedIndexes = findObject(object); if (fwbdebug) qDebug() << "RuleSetModel::objectChanged" << "object=" << object->getName().c_str() << "relatedIndexes.size()=" << relatedIndexes.size(); foreach(QModelIndex index, relatedIndexes) { emit dataChanged(index, index); } */ emit layoutChanged(); } QModelIndexList RuleSetModel::findObject(FWObject* object) { QModelIndexList list; RuleSetModelIterator it = begin(); RuleSetModelIterator end = this->end(); while (it != end) { QModelIndex index = it.index(); RuleNode* node = nodeFromIndex(index); if (node->type == RuleNode::Group) { ++it; continue; } Rule* rule = node->rule; // iterate through columns int column = 0; foreach(ColDesc colDesc, header) { column++; if (colDesc.type == ColDesc::Object || colDesc.type == ColDesc::Time) { // try to find the object RuleElement* re = getRuleElementByRole( rule, colDesc.origin.toStdString()); if (re->isAny()) continue; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *obj= *i; if (FWReference::cast(obj)!=NULL) obj=FWReference::cast(obj)->getPointer(); if (obj==NULL) continue ; if (object == obj) { list.append(this->index(rule, re)); break; } } } else if (colDesc.type == ColDesc::Action) { PolicyRule * pr = 
PolicyRule::cast(rule); if (pr != 0) { if (pr->getAction() == PolicyRule::Branch) { if (pr->getBranch() == object) { list.append(this->index(rule, column)); } } else if (pr->getTagging()) { if (pr->getTagObject() == object) { list.append(this->index(rule, column)); } } } } } ++it; } return list; } void RuleSetModel::copyRuleWithoutId(Rule* fromRule, Rule* toRule) { if (fromRule!=NULL && toRule!=NULL) { int oldPos = toRule->getPosition(); toRule->duplicate(fromRule); toRule->setPosition(oldPos); } } //////////////////////////////////////////////////////////////////////// // PolicyModel //////////////////////////////////////////////////////////////////////// void PolicyModel::configure() { supports_logging = false; supports_rule_options = false; supports_time = false; string platform; if (getFirewall()) { platform = getFirewall()->getStr("platform"); try { supports_logging = Resources::getTargetCapabilityBool( platform, "logging_in_policy"); supports_rule_options = Resources::getTargetCapabilityBool( platform, "options_in_policy"); supports_time = Resources::getTargetCapabilityBool( platform, "supports_time"); } catch(FWException &ex) { } } header << ColDesc(platform, RuleElementSrc::TYPENAME, ColDesc::Object) // 1 << ColDesc(platform, RuleElementDst::TYPENAME, ColDesc::Object) // 2 << ColDesc(platform, RuleElementSrv::TYPENAME, ColDesc::Object) // 3 << ColDesc(platform, RuleElementItf::TYPENAME, ColDesc::Object) // 4 << ColDesc(platform, "Direction", ColDesc::Direction) // 5 << ColDesc(platform, "Action", ColDesc::Action); // 6 if (supports_time) header << ColDesc(platform, RuleElementInterval::TYPENAME, ColDesc::Time); // 7 if (supports_logging && supports_rule_options) header << ColDesc(platform, "Options", ColDesc::Options); header << ColDesc(platform, "Comment", ColDesc::Comment); } QVariant PolicyModel::getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const { QVariant res; QTime t; if (index.column() == 0) { 
res.setValue(getPositionAsString(node)); } else if (index.column() <= header.size()) { int idx = index.column()-1; switch (header[idx].type) { case ColDesc::Action : res.setValue(getRuleActionDesc(node->rule)); break; case ColDesc::Direction : res.setValue(getRuleDirection(node->rule)); break; case ColDesc::Options : res.setValue(getRuleOptions(node->rule)); break; case ColDesc::Comment : res.setValue(QString::fromUtf8(node->rule->getComment().c_str())); break; default : res.setValue(getRuleElementByRole(node->rule, header[idx].origin.toStdString())); } } return res; } QString PolicyModel::getRuleDirection(Rule* r) const { PolicyRule *policyRule = PolicyRule::cast( r ); QString dir = policyRule->getDirectionAsString().c_str(); if (dir.isEmpty() || dir == "Undefined") dir = "Both"; return dir; } QStringList PolicyModel::getRuleOptions(Rule* r) const { QStringList res; PolicyRule *policyRule = PolicyRule::cast( r ); FWOptions *ropt = policyRule->getOptionsObject(); if (policyRule->getLogging()) res << "Log"; if (!policyRule->getOptionsObject()->getStr("counter_name").empty()) res << "Accounting"; if ( ! isDefaultPolicyRuleOptions(r->getOptionsObject())) res << "Options"; FWObject *firewall = r; // use Firewall::cast to match both Firewall and Cluster while (!Firewall::cast(firewall)) firewall = firewall->getParent(); string platform = firewall->getStr("platform"); if (policyRule->getTagging()) { FWObject *tobj = PolicyRule::cast(policyRule)->getTagObject(); if (tobj) { if (platform=="iptables") { res << tr("Tag %1%2") .arg(QString::fromUtf8(tobj->getName().c_str())) .arg( QString( (ropt->getBool("ipt_mark_connections"))?" 
(conn)":"")); } else res << tr("Tag %1").arg( QString::fromUtf8(tobj->getName().c_str())); } } if (policyRule->getClassification()) { QString par; if (platform=="iptables") par = ropt->getStr("classify_str").c_str(); if (platform=="pf") par = ropt->getStr("pf_classify_str").c_str(); if (platform=="ipfw") { if (ropt->getInt("ipfw_classify_method") == DUMMYNETPIPE) { par = "pipe"; } else { par = "queue"; } par = par + " " + ropt->getStr("ipfw_pipe_queue_num").c_str(); } if (!par.isEmpty()) res << tr("Classify %1").arg(par); } if (policyRule->getRouting()) { res << "Route"; } return res; } void PolicyModel::initRule(Rule *new_rule, Rule *old_rule) { //if (fwbdebug) qDebug() << "PolicyModel::initRule"; PolicyRule *newrule_as_policy_rule = PolicyRule::cast(new_rule); if (newrule_as_policy_rule) { FWOptions *ruleopt = newrule_as_policy_rule->getOptionsObject(); newrule_as_policy_rule->setLogging(supports_logging && st->getBool("Objects/PolicyRule/defaultLoggingState")); switch (st->getInt("Objects/PolicyRule/defaultAction")) { case 1: newrule_as_policy_rule->setAction(PolicyRule::Accept); break; default: newrule_as_policy_rule->setAction(PolicyRule::Deny); break; } switch (st->getInt("Objects/PolicyRule/defaultDirection")) { case 0: newrule_as_policy_rule->setDirection(PolicyRule::Both); break; case 1: newrule_as_policy_rule->setDirection(PolicyRule::Inbound); break; case 2: newrule_as_policy_rule->setDirection(PolicyRule::Outbound); break; } if (st->getInt("Objects/PolicyRule/defaultSource")) newrule_as_policy_rule->setDummySource(); if (st->getInt("Objects/PolicyRule/defaultDestination")) newrule_as_policy_rule->setDummyDestination(); if (st->getInt("Objects/PolicyRule/defaultService")) newrule_as_policy_rule->setDummyService(); if (st->getInt("Objects/PolicyRule/defaultInterface")) newrule_as_policy_rule->setDummyInterface(); ruleopt->setBool("stateless", ! 
st->getBool("Objects/PolicyRule/defaultStateful") || getStatelessFlagForAction(newrule_as_policy_rule));
    }
    copyRuleWithoutId(old_rule, new_rule);
}

// Accept only PolicyRule objects for this model. The check compares the
// type-name string, the same way NatModel and RoutingModel do below.
bool PolicyModel::checkRuleType(libfwbuilder::Rule *rule)
{
    return rule->getTypeName() == PolicyRule::TYPENAME;
}

////////////////////////////////////////////////////////////////////////
// NatModel
////////////////////////////////////////////////////////////////////////

/*
 * Build the column layout (the public "header" list) for a NAT rule set.
 *
 * The six RuleElement columns (OSrc, ODst, OSrv, TSrc, TDst, TSrv) are
 * always present. The inbound-interface, outbound-interface and Action
 * columns are only added when the target platform declares the matching
 * capability ("inbound_interface_in_nat", "outbound_interface_in_nat",
 * "actions_in_nat"). Options and Comment columns come last.
 *
 * All three capability flags default to false and stay false when the
 * model has no firewall (getFirewall() returns NULL) or when
 * Resources::getTargetCapabilityBool() throws FWException.
 *
 * NOTE(review): the FWException is swallowed silently, and because the
 * three lookups run in one try block a partially initialized flag set is
 * possible if a later lookup throws after an earlier one succeeded. A
 * qDebug() under fwbdebug would make that visible.
 */
void NatModel::configure()
{
    supports_actions = false;
    supports_inbound_interface = false;
    supports_outbound_interface = false;

    string platform;

    if (getFirewall())
    {
        platform = getFirewall()->getStr("platform");
        try
        {
            supports_actions = Resources::getTargetCapabilityBool(
                platform, "actions_in_nat");
            supports_inbound_interface = Resources::getTargetCapabilityBool(
                platform, "inbound_interface_in_nat");
            supports_outbound_interface = Resources::getTargetCapabilityBool(
                platform, "outbound_interface_in_nat");
        } catch(FWException &ex) { }  // capability lookup failed: keep the false defaults
    }

    // The numbers in the trailing comments are the positions of the
    // mandatory columns; "7" and "8" only hold when none of the optional
    // interface/action columns were inserted in between.
    header << ColDesc(platform, RuleElementOSrc::TYPENAME, ColDesc::Object)  // 1
           << ColDesc(platform, RuleElementODst::TYPENAME, ColDesc::Object)  // 2
           << ColDesc(platform, RuleElementOSrv::TYPENAME, ColDesc::Object)  // 3
           << ColDesc(platform, RuleElementTSrc::TYPENAME, ColDesc::Object)  // 4
           << ColDesc(platform, RuleElementTDst::TYPENAME, ColDesc::Object)  // 5
           << ColDesc(platform, RuleElementTSrv::TYPENAME, ColDesc::Object); // 6

    if (supports_inbound_interface)
        header << ColDesc(platform, RuleElementItfInb::TYPENAME, ColDesc::Object);

    if (supports_outbound_interface)
        header << ColDesc(platform, RuleElementItfOutb::TYPENAME, ColDesc::Object);

    if (supports_actions)
        header << ColDesc(platform, "Action", ColDesc::Action);

    header << ColDesc(platform, "Options", ColDesc::Options)  // 7
           << ColDesc(platform, "Comment", ColDesc::Comment); // 8
}

/*
 * Display-role data for one NAT rule cell.
 *
 * Column 0 is the rule position string. Column N (1 <= N <= header.size())
 * is described by header[N-1]: Action, Options and Comment columns yield
 * an ActionDesc, a QStringList and a QString respectively; every other
 * column is resolved to a RuleElement by the role name kept in the
 * column's "origin" (presumably the TYPENAME passed to ColDesc in
 * configure() — confirm against ColDesc). A column outside the header
 * yields an invalid (default-constructed) QVariant.
 */
QVariant NatModel::getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const
{
    //if (fwbdebug) qDebug() << "NatModel::getRuleDataForDisplayRole";
    QVariant res;

    if (index.column() == 0)
    {
        res.setValue(getPositionAsString(node));
    } else if (index.column() <= header.size())
    {
        int idx = index.column()-1;
        switch (header[idx].type)
        {
            case ColDesc::Action :
                res.setValue(getRuleActionDesc(node->rule));
                break;
            case ColDesc::Options :
                res.setValue(getRuleOptions(node->rule));
                break;
            case ColDesc::Comment :
                res.setValue(QString::fromUtf8(node->rule->getComment().c_str()));
                break;
            default :
                res.setValue(getRuleElementByRole(node->rule, header[idx].origin.toStdString()));
        }
    }
    return res;
}

// Content of the Options column: the single entry "Options" when the rule's
// option object differs from the NAT defaults, otherwise an empty list.
QStringList NatModel::getRuleOptions(Rule* r) const
{
    QStringList res;
    if (!isDefaultNATRuleOptions(r->getOptionsObject())) res << "Options";
    return res;
}

// Initialize a freshly created NAT rule: the action defaults to Translate
// (only when new_rule really is a NATRule), then everything but the id is
// copied from old_rule. old_rule defaults to NULL in the declaration;
// whether copyRuleWithoutId() tolerates NULL is not visible here.
void NatModel::initRule(Rule *new_rule, Rule *old_rule)
{
    //if (fwbdebug) qDebug() << "NatModel::initRule";
    NATRule *natRule = NATRule::cast(new_rule);
    if (natRule) natRule->setAction(NATRule::Translate);
    copyRuleWithoutId(old_rule, new_rule);
}

// Accept only NATRule objects for this model.
bool NatModel::checkRuleType(libfwbuilder::Rule *rule)
{
    return rule->getTypeName() == NATRule::TYPENAME;
}

////////////////////////////////////////////////////////////////////////
// RoutingModel
////////////////////////////////////////////////////////////////////////

/*
 * Build the column layout for a Routing rule set.
 *
 * Destination and Gateway columns are always present. The routing
 * interface and Metric columns depend on capabilities of the firewall's
 * host OS ("supports_routing_itf", "supports_metric") — note that, unlike
 * NatModel::configure(), the lookup key here is host_OS, not platform;
 * platform is still recorded in every ColDesc. Options and Comment
 * columns come last.
 *
 * Both flags default to false and stay false without a firewall or when
 * Resources::getTargetCapabilityBool() throws FWException (the exception
 * is swallowed silently, as in NatModel::configure()).
 */
void RoutingModel::configure()
{
    //if (fwbdebug) qDebug() << "RoutingModel::configure";
    supports_routing_itf = false;
    supports_metric = false;

    string platform;
    string host_os;

    if (getFirewall())
    {
        platform = getFirewall()->getStr("platform");
        host_os = getFirewall()->getStr("host_OS");
        try
        {
            supports_routing_itf = Resources::getTargetCapabilityBool(
                host_os, "supports_routing_itf");
            supports_metric = Resources::getTargetCapabilityBool(
                host_os, "supports_metric");
        } catch(FWException &ex) { }  // capability lookup failed: keep the false defaults
    }

    header << ColDesc(platform, RuleElementRDst::TYPENAME, ColDesc::Object)  // 1
           << ColDesc(platform, RuleElementRGtw::TYPENAME, ColDesc::Object); // 2

    if (supports_routing_itf)
        header << ColDesc(platform, RuleElementRItf::TYPENAME, ColDesc::Object);

    if (supports_metric)
        header << ColDesc(platform, "Metric", ColDesc::Metric);

    header << ColDesc(platform, "Options", ColDesc::Options)
           << ColDesc(platform, "Comment", ColDesc::Comment);
}

/*
 * Display-role data for one routing rule cell; same column scheme as
 * NatModel::getRuleDataForDisplayRole(), with a Metric column instead of
 * an Action column.
 *
 * NOTE(review): the Metric branch dereferences RoutingRule::cast(node->rule)
 * without a NULL check. This is safe only as long as every rule in the
 * model passed checkRuleType(); if cast() can return NULL for a foreign
 * rule, a guard (or an assert) would be prudent.
 */
QVariant RoutingModel::getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const
{
    //if (fwbdebug) qDebug() << "RoutingModel::getRuleDataForDisplayRole";
    QVariant res;

    if (index.column() == 0)
    {
        res.setValue(getPositionAsString(node));
    } else if (index.column() <= header.size())
    {
        int idx = index.column()-1;
        switch (header[idx].type)
        {
            case ColDesc::Metric :
                res.setValue(QString::fromUtf8(RoutingRule::cast(node->rule)->getMetricAsString().c_str()));
                break;
            case ColDesc::Options :
                res.setValue(getRuleOptions(node->rule));
                break;
            case ColDesc::Comment :
                res.setValue(QString::fromUtf8(node->rule->getComment().c_str()));
                break;
            default :
                res.setValue(getRuleElementByRole(node->rule, header[idx].origin.toStdString()));
        }
    }
    return res;
}

// Content of the Options column: "Options" when the rule's option object
// differs from the routing defaults, otherwise an empty list.
QStringList RoutingModel::getRuleOptions(Rule* r) const
{
    QStringList res;
    if (!isDefaultRoutingRuleOptions(r->getOptionsObject())) res << "Options";
    return res;
}

// Initialize a freshly created routing rule: no routing-specific defaults,
// just copy everything but the id from old_rule (NULL by default).
void RoutingModel::initRule(Rule *new_rule, Rule *old_rule)
{
    //if (fwbdebug) qDebug() << "RoutingModel::initRule";
    copyRuleWithoutId(old_rule, new_rule);
}

// Accept only RoutingRule objects for this model.
bool RoutingModel::checkRuleType(libfwbuilder::Rule *rule)
{
    return rule->getTypeName() == RoutingRule::TYPENAME;
}
fwbuilder-5.3.7/src/libgui/RuleSetModel.h000066400000000000000000000220211303637203600202700ustar00rootroot00000000000000
/*

    Firewall Builder

    Copyright (C) 2009 NetCitadel, LLC

    Author: Illiya Yalovoy

    $Id$

    This program is free software which we release under the GNU General Public
    License. You may redistribute and/or modify this program under the terms
    of that license as published by the Free Software Foundation; either
    version 2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.

    To get a copy of the GNU General Public License, write to the Free
    Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
    02111-1307 USA
*/

#ifndef RULESETMODEL_H
#define RULESETMODEL_H

// NOTE(review): five angle-bracket system/Qt header names appear to have
// been lost in extraction; the original presumably listed the Qt headers
// for QAbstractItemModel, QModelIndex, QList, QStringList and QVariant.
#include #include #include #include #include
#include "RuleNode.h"
#include "ColDesc.h"

namespace libfwbuilder
{
    class Firewall;
    class RuleSet;
    class RuleElement;
    class Rule;
    class FWObject;
}

class RuleSetModel;

////////////////////////////////////////////////////////////////////////
// RuleSetModelIterator
////////////////////////////////////////////////////////////////////////

/*
 * Forward/backward cursor over the rows of a RuleSetModel, positioned by
 * (model, parent index, row). RuleSetModel is a friend so begin()/end()
 * can fill in the private fields directly.
 *
 * NOTE(review): operator== and operator!= take non-const references, so an
 * iterator cannot be compared against a temporary (e.g. model.end()
 * inline); const& would be the conventional signature.
 */
class RuleSetModelIterator
{
    friend class RuleSetModel;

public:
    RuleSetModelIterator();

    bool isValid();
    bool hasNext();
    bool hasPrev();

    RuleSetModelIterator& operator= (const RuleSetModelIterator&);
    RuleSetModelIterator& operator++ ();
    RuleSetModelIterator& operator-- ();
    bool operator== ( RuleSetModelIterator& );
    bool operator!= ( RuleSetModelIterator& );

    QModelIndex index();

private:
    QAbstractItemModel *model;  // model being walked (not owned)
    int row;                    // current row under "parent"
    QModelIndex parent;         // group (or invalid index for top level)
};

////////////////////////////////////////////////////////////////////////
// ActionDesc
////////////////////////////////////////////////////////////////////////

/*
 * Plain value describing a rule action as shown in the Action column.
 * Registered with Q_DECLARE_METATYPE so it can be carried in a QVariant
 * (RuleSetModel::getRuleActionDesc() returns one through the display role).
 */
class ActionDesc
{
public:
    QString name;         // canonical action name
    QString displayName;  // label shown in the cell
    QString tooltip;
    QString argument;     // extra action parameter, if any
};

Q_DECLARE_METATYPE(ActionDesc)

////////////////////////////////////////////////////////////////////////
// RuleSetModel
////////////////////////////////////////////////////////////////////////

/*
 * QAbstractItemModel over one libfwbuilder::RuleSet, arranged as a tree of
 * RuleNode objects rooted at "root": top-level rules and groups, with the
 * rules of a group as children. The column layout is the public "header"
 * list, filled in by the subclass (PolicyModel, NatModel, RoutingModel)
 * in its configure().
 *
 * Ownership: the model owns the RuleNode tree (deleted in the destructor)
 * but not the RuleSet or Firewall it describes.
 *
 * Subclasses must provide initRule(), checkRuleType() and
 * getRuleDataForDisplayRole(); everything else (group handling, moving,
 * coloring, object insertion/deletion, undo-support helpers such as
 * restoreRules()) is shared.
 */
class RuleSetModel : public QAbstractItemModel
{
    Q_OBJECT

public:
    // Column descriptors, in display order; column 0 (rule position) is
    // not listed here, so header[i] describes view column i+1.
    // NOTE(review): the template argument appears to have been lost in
    // extraction — this is presumably QList<ColDesc>.
    QList header;

    RuleSetModel(libfwbuilder::RuleSet* ruleset, QObject *parent = 0);
    ~RuleSetModel() {delete root;}

    // QAbstractItemModel interface
    int rowCount(const QModelIndex &parent) const;
    int columnCount(const QModelIndex &parent) const;
    QVariant data(const QModelIndex &index, int role) const;
    QVariant headerData(int section, Qt::Orientation orientation, int role) const;
    QModelIndex index(int row, int column, const QModelIndex &parent) const;

    // Convenience index lookups by group name, rule, rule element or
    // absolute rule position.
    QModelIndex index(int row, int column, QString groupName) const;
    QModelIndex index(libfwbuilder::Rule *rule, int col=0) const;
    QModelIndex index(libfwbuilder::Rule *rule, libfwbuilder::RuleElement *re) const;
    QModelIndex index(QString groupName) const;
    QModelIndex indexForPosition(int position) const;

    QModelIndex parent(const QModelIndex &child) const;

    bool isEmpty();
    bool isGroup(const QModelIndex &index) const;

    libfwbuilder::RuleSet* getRuleSet() {return ruleset;}
    libfwbuilder::Firewall* getFirewall() const;

    // Rule creation: new rules are passed through the subclass's initRule().
    libfwbuilder::Rule* insertNewRule();
    libfwbuilder::Rule* insertNewRule(QModelIndex &index, bool isAfter = false);
    libfwbuilder::Rule* insertRule(libfwbuilder::Rule *rule, QModelIndex &index, bool isAfter = false);
    void insertRule(libfwbuilder::Rule *rule);
    virtual void initRule(libfwbuilder::Rule *new_rule, libfwbuilder::Rule *old_rule = NULL) = 0;

    void removeRow(int row,const QModelIndex &parent);
    bool removeRows(int row, int count, const QModelIndex &parent);

    // Group management; "first"/"last" are row ranges.
    void renameGroup(QModelIndex group, const QString &newName);
    void removeFromGroup(QModelIndex group, int first, int last);
    QModelIndex createNewGroup(QString groupName, int first, int last);
    QString addToGroupAbove(int first, int last);
    QString addToGroupBelow(int first, int last);

    void moveRuleUp(const QModelIndex &group, int first, int last);
    void moveRuleDown(const QModelIndex &group, int first, int last);

    // NOTE(review): presumably QList<QModelIndex>; template argument lost.
    void changeRuleColor(const QList &indexes, const QString &c);
    void changeGroupColor(const QModelIndex index, const QString &c);

    bool isIndexRule(const QModelIndex index);
    RuleNode *nodeFromIndex(const QModelIndex &index) const;
    int getRulePosition(QModelIndex index);
    libfwbuilder::Rule * findRuleForPosition(int position) const;
    libfwbuilder::Rule * getRule(QModelIndex index) const;

    void setEnabled(const QModelIndex &index, bool flag);

    // Subclass decides which Rule subtype the model accepts.
    virtual bool checkRuleType(libfwbuilder::Rule *rule) = 0;

    // Object (rule element member) editing in a cell.
    void deleteObject(QModelIndex &index, libfwbuilder::FWObject* obj);
    bool insertObject(QModelIndex &index, libfwbuilder::FWObject *obj);

    int columnByType(ColDesc::ColumnType type);

    // Change notification helpers for the view.
    void rowChanged(const QModelIndex &index);
    void groupChanged(const QModelIndex &index);

    // NOTE(review): presumably QList<QModelIndex>; template argument lost.
    void getGroups(QList &list);

    RuleSetModelIterator begin();
    RuleSetModelIterator end();

    void resetAllSizes();

    QString findUniqueNameForGroup(const QString &groupName);

    // Re-insert rules (e.g. after an undo); presumably QList<libfwbuilder::Rule*>.
    void restoreRules(QList rules, bool topLevel = true);
    void restoreRule(libfwbuilder::Rule* rule);

    void objectChanged(libfwbuilder::FWObject* object);

protected:
    // Resolve a column's role name (see ColDesc) to the rule's RuleElement.
    libfwbuilder::RuleElement *getRuleElementByRole(libfwbuilder::Rule* r, std::string roleName) const;
    void insertRuleToModel(libfwbuilder::Rule *rule, QModelIndex &index, bool isAfter = false);
    int columnForRuleElementType(QString) const;
    QString getPositionAsString(RuleNode *node) const;
    ActionDesc getRuleActionDesc(libfwbuilder::Rule* r) const;
    // Copy rule contents from fromRule to toRule, keeping toRule's id.
    void copyRuleWithoutId(libfwbuilder::Rule* fromRule, libfwbuilder::Rule* toRule);

private:
    libfwbuilder::RuleSet *ruleset;  // not owned
    RuleNode *root;                  // owned; see destructor
    // QHash rulesByPosition;

    void initModel();

    QVariant getDecoration(const QModelIndex &index) const;
    QVariant getDataForDisplayRole(const QModelIndex &index) const;
    QVariant getGroupDataForDisplayRole(const QModelIndex &index, RuleNode* node) const;
    virtual QVariant getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const = 0;
    QVariant getColumnDesc(const QModelIndex &index) const;

    void moveToGroup(RuleNode *targetGroup, int first, int last, bool append=true);
    void removeToList(QList &list, const QModelIndex &group, int first, int last);
    void insertFromList(const QList &list, const QModelIndex &parent, int position);

    QModelIndexList findObject (libfwbuilder::FWObject* object);
};

////////////////////////////////////////////////////////////////////////
// PolicyModel
////////////////////////////////////////////////////////////////////////

// Model for a Policy rule set; the layout depends on whether the platform
// supports time, logging and per-rule options (see configure()).
class PolicyModel : public RuleSetModel
{
public:
    PolicyModel(libfwbuilder::RuleSet* ruleset, QObject *parent = 0) : RuleSetModel(ruleset, parent) {configure();}

    void initRule(libfwbuilder::Rule *new_rule, libfwbuilder::Rule *old_rule = NULL);
    bool checkRuleType(libfwbuilder::Rule *rule);

private:
    bool supports_time;
    bool supports_logging;
    bool supports_rule_options;

    QVariant getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const;
    QString getRuleDirection(libfwbuilder::Rule* r) const;
    QStringList getRuleOptions(libfwbuilder::Rule* r) const;

    void configure();
};

////////////////////////////////////////////////////////////////////////
// NatModel
////////////////////////////////////////////////////////////////////////

// Model for a NAT rule set; optional Action and interface columns are
// driven by the platform capabilities looked up in configure().
class NatModel : public RuleSetModel
{
public:
    NatModel(libfwbuilder::RuleSet* ruleset, QObject *parent = 0) : RuleSetModel(ruleset, parent) {configure();}

    void initRule(libfwbuilder::Rule *new_rule, libfwbuilder::Rule *old_rule = NULL);
    bool checkRuleType(libfwbuilder::Rule *rule);

private:
    bool supports_actions;
    bool supports_inbound_interface;
    bool supports_outbound_interface;

    QVariant getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const;
    QStringList getRuleOptions(libfwbuilder::Rule* r) const;

    void configure();
};

////////////////////////////////////////////////////////////////////////
// RoutingModel
////////////////////////////////////////////////////////////////////////

// Model for a Routing rule set; the interface and Metric columns depend on
// host-OS capabilities looked up in configure().
class RoutingModel : public RuleSetModel
{
public:
    RoutingModel(libfwbuilder::RuleSet* ruleset, QObject *parent = 0) : RuleSetModel(ruleset, parent) {configure();}

    void initRule(libfwbuilder::Rule *new_rule, libfwbuilder::Rule *old_rule = NULL);
    bool checkRuleType(libfwbuilder::Rule *rule);

private:
    bool supports_routing_itf;
    bool supports_metric;

    QVariant getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const;
    QStringList getRuleOptions(libfwbuilder::Rule* r) const;

    void configure();
};

#endif // RULESETMODEL_H
fwbuilder-5.3.7/src/libgui/RuleSetView.cpp000066400000000000000000003144461303637203600205120ustar00rootroot00000000000000
/*
Firewall Builder

    Copyright (C) 2003-2009 NetCitadel, LLC

    Author: Illiya Yalovoy

    Copyright (C) 2013 UNINETT AS

    Author: Sirius Bakke

    $Id$

    This program is free software which we release under the GNU General Public
    License. You may redistribute and/or modify this program under the terms
    of that license as published by the Free Software Foundation; either
    version 2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    See the GNU General Public License for more details.

    To get a copy of the GNU General Public License, write to the Free
    Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
    02111-1307 USA

    This module has been completely rewritten by yalovoy@gmail.com in 2009
*/

#include "config.h"
#include "global.h"
#include "utils.h"
#include "platforms.h"

#include "RuleSetView.h"
#include "RuleSetModel.h"
#include "ColDesc.h"
#include "FWObjectSelectionModel.h"
#include "RuleSetViewDelegate.h"
#include "FWBSettings.h"
#include "FWObjectClipboard.h"
#include "FWObjectPropertiesFactory.h"
#include "FWObjectDrag.h"
#include "FWWindow.h"
#include "FWBTree.h"
#include "FWCmdRule.h"
#include "ProjectPanel.h"
#include "FindObjectWidget.h"
#include "events.h"
#include "DialogFactory.h"

#include "fwbuilder/Firewall.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/Network.h"

// NOTE(review): eight angle-bracket header names (Qt / standard library)
// appear to have been lost in extraction.
#include #include #include #include #include #include #include #include

using namespace libfwbuilder;
using namespace std;

/*
 * Tree view showing one rule set (Policy, NAT or Routing).
 *
 * The constructor only wires up the widget: contiguous row selection,
 * drag and drop in both directions, an interactive but non-movable
 * header, the context-menu / double-click / collapse / expand hooks, the
 * QActions (initActions()) and a persistent popup QMenu (see the comment
 * above showContextMenu() for why it is persistent). Group and column
 * setup happens later, in init().
 */
RuleSetView::RuleSetView(ProjectPanel *project, QWidget *parent):QTreeView(parent)
{
    if (fwbdebug) qDebug("RuleSetView::RuleSetView");

    this->project = project;

    // Tracks the object / cell the user selected inside a rule. Created
    // without a parent and released explicitly in the destructor.
    fwosm = new FWObjectSelectionModel();

    setContextMenuPolicy(Qt::CustomContextMenu);
    setSelectionMode(QAbstractItemView::ContiguousSelection);
    setSelectionBehavior(QAbstractItemView::SelectRows);
    setAllColumnsShowFocus(false);

    setDragEnabled(true);
    setAcceptDrops(true);
    setDragDropMode(QAbstractItemView::DragDrop);

    // QHeaderView API renamed between Qt 4 and Qt 5.
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    header()->setResizeMode(QHeaderView::Interactive);
    header()->setMovable(false);
#else
    header()->setSectionResizeMode(QHeaderView::Interactive);
    header()->setSectionsMovable(false);
#endif

    connect (this, SIGNAL (customContextMenuRequested(const QPoint&)),
             this, SLOT (showContextMenu(const QPoint&)));

    connect (this, SIGNAL( doubleClicked(const QModelIndex&) ),
             this, SLOT( itemDoubleClicked(const QModelIndex&) ) );

    // Group collapse/expand state is persisted and column widths are
    // recomputed on every change.
    connect (this, SIGNAL (collapsed(QModelIndex)),
             this, SLOT (saveCollapsedGroups()));
    connect (this, SIGNAL (expanded(QModelIndex)),
             this, SLOT (saveCollapsedGroups()));

    connect (this, SIGNAL (collapsed(QModelIndex)),
             this, SLOT (updateAllColumnsSize()));
    connect (this, SIGNAL (expanded(QModelIndex)),
             this, SLOT (updateAllColumnsSize()));

    initActions();

    popup_menu = new QMenu(this);

    this->setHorizontalScrollMode(QAbstractItemView::ScrollPerPixel);
    this->setVerticalScrollMode(QAbstractItemView::ScrollPerPixel);
    this->header()->setStretchLastSection(false);
}

/*
 * Release the selection model and every QAction created in initActions().
 * The actions are created with this view as their QObject parent (see
 * createAction()), so the explicit deletes are redundant but should be
 * safe: a QObject detaches from its parent when destroyed.
 */
RuleSetView::~RuleSetView()
{
    if (fwbdebug) qDebug("RuleSetView::~RuleSetView");
    delete fwosm;
    delete compileRuleAction;
    delete moveRuleUpAction;
    delete moveRuleDownAction;
    delete removeFromGroupAction;
    delete newGroupAction;
    delete insertRuleAction;
    delete addRuleAfterCurrentAction;
    delete addToGroupAboveAction;
    delete addToGroupBelowAction;
    delete removeRuleAction;
    delete copyRuleAction;
    delete cutRuleAction;
    delete pasteRuleAboveAction;
    delete pasteRuleBelowAction;
    delete disableRuleAction;
    delete enableRuleAction;
    delete setColorEmptyAction;
    delete setColorRedAction;
    delete setColorBlueAction;
    delete setColorOrangeAction;
    delete setColorPurpleAction;
    delete setColorGrayAction;
    delete setColorYellowAction;
    delete setColorGreenAction;
}

/*
 * Second-stage setup, run once the model is attached: adjust the palette,
 * mark group rows, restore the saved collapsed state and size the
 * columns. Repaints are suspended for the duration; the elapsed time of
 * each step is reported under fwbdebug.
 */
void RuleSetView::init()
{
    if (fwbdebug) qDebug("RuleSetView::init");

    /*
     * #2474 : I want standard Qt classes to paint column 0 and area
     * to the left of the clumn 0 because that is where [+] and [-]
     * appear when we have rule groups. However I want to avoid using
     * the same standard color used to highlight currently selected
     * object in rules. To do that, I reset QPalette::Highlight color
     * in the palette used to draw everything in the rules. I am going
     * to have to reset palette back to the standard color in
     * RuleSetViewDelegate when I paint individual cells.
     */
    QPalette updated_palette = palette();
    updated_palette.setColor(QPalette::Highlight, QColor("silver"));
    setPalette(updated_palette);

    setUpdatesEnabled(false);

    QTime t;
    t.start();

    configureGroups();
    if (fwbdebug) qDebug("RuleSetView configureGroups: %d ms", t.restart());

    restoreCollapsedGroups();
    if (fwbdebug) qDebug("RuleSetView restoreCollapsedGroups: %d ms", t.restart());

    resizeColumns();
    if (fwbdebug) qDebug("RuleSetView resizeColumns: %d ms", t.restart());

    setUpdatesEnabled(true);
}

// Make every group row span all columns (groups are top-level rows, hence
// the invalid parent index), so the group header paints across the width.
void RuleSetView::configureGroups()
{
    RuleSetModel* md = ((RuleSetModel*)model());
    // NOTE(review): presumably QList<QModelIndex>; template argument lost.
    QList list;
    md->getGroups(list);
    QModelIndex parent;
    foreach(QModelIndex index, list)
    {
        setFirstColumnSpanned(index.row(), parent, true);
    }
}

/*
 * Create all context-menu / keyboard actions. Every action comes back from
 * createAction() disabled and hidden; only the ones that are always
 * meaningful (compile, the color actions) are switched on here, the rest
 * are enabled by the menu-building code when a suitable cell is hit.
 * Only the compile/move actions are added to the widget itself so their
 * shortcuts work outside the popup menu.
 *
 * NOTE(review): disableRuleAction is labelled "Enable Rule" and wired to
 * disableRule(), while enableRuleAction is labelled "Disable Rule" and
 * wired to enableRule(). The slots are not visible here; if this is not an
 * intentional inversion (e.g. the slot name describes the rule's current
 * state rather than the action), the two labels look swapped.
 */
void RuleSetView::initActions()
{
    // Compile rule
    compileRuleAction = createAction(tr("Compile Rule"),
                                     SLOT(compileCurrentRule()),
                                     QKeySequence(Qt::Key_X));
    addAction(compileRuleAction );
    compileRuleAction->setVisible(true);
    compileRuleAction->setEnabled(true);

    // Move rule up
    moveRuleUpAction = createAction(tr("Move Rule Up"),
                                    SLOT( moveRuleUp()),
                                    QKeySequence(Qt::CTRL + Qt::Key_PageUp));
    addAction(moveRuleUpAction );

    // Move rule down
    moveRuleDownAction = createAction(tr("Move Rule Down"),
                                      SLOT( moveRuleDown()),
                                      QKeySequence(Qt::CTRL + Qt::Key_PageDown));
    addAction(moveRuleDownAction );

    // Remove rules from group
    removeFromGroupAction = createAction(tr("Remove From the Group"),
                                         SLOT( removeFromGroup()));

    // New group
    newGroupAction = createAction(tr("New Group"), SLOT( newGroup()));

    // Insert Rule
    insertRuleAction = createAction( tr("Insert New Rule"), SLOT( insertRule() ) );

    addRuleAfterCurrentAction = createAction(tr("Add New Rule Below"),
                                             SLOT( addRuleAfterCurrent() ));

    // Labels for these two are assigned later by the menu code; the
    // placeholder text is the variable name.
    addToGroupAboveAction = createAction("addToGroupAboveAction",
                                         SLOT( addToGroupAbove() ));

    addToGroupBelowAction = createAction("addToGroupBelowAction",
                                         SLOT( addToGroupBelow() ));

    // Remove rule
    removeRuleAction = createAction(tr("Remove Rule"), SLOT( removeRule()));

    // Clipboard operations
    copyRuleAction = createAction(tr("Copy Rule"), SLOT( copyRule() ));
    cutRuleAction = createAction(tr("Cut Rule"), SLOT( cutRule() ));
    pasteRuleAboveAction = createAction(tr("Paste Rule Above"),
                                        SLOT( pasteRuleAbove() ));
    pasteRuleBelowAction = createAction(tr("Paste Rule Below"),
                                        SLOT( pasteRuleBelow() ));

    //Disable or Enable rules
    disableRuleAction = createAction(tr("Enable Rule"), SLOT( disableRule() ));
    enableRuleAction = createAction(tr("Disable Rule"), SLOT( enableRule() ));

    //Change color actions
    // One 16x16 pixmap is refilled with each label color and used as icon.
    QPixmap pcolor(16,16);

    setColorEmptyAction = createAction(tr("No Color"), SLOT( setColorEmpty() ));
    pcolor.fill(QColor(255,255,255));
    setColorEmptyAction->setIcon(QIcon(pcolor));
    setColorEmptyAction->setVisible(true);

    setColorRedAction = createAction(st->getLabelText(FWBSettings::RED),
                                     SLOT( setColorRed() ));
    pcolor.fill(st->getLabelColor(FWBSettings::RED));
    setColorRedAction->setIcon(QIcon(pcolor));
    setColorRedAction->setVisible(true);

    setColorBlueAction = createAction(st->getLabelText(FWBSettings::BLUE),
                                      SLOT( setColorBlue() ));
    pcolor.fill(st->getLabelColor(FWBSettings::BLUE));
    setColorBlueAction->setIcon(QIcon(pcolor));
    setColorBlueAction->setVisible(true);

    setColorOrangeAction = createAction(st->getLabelText(FWBSettings::ORANGE),
                                        SLOT( setColorOrange() ));
    pcolor.fill(st->getLabelColor(FWBSettings::ORANGE));
    setColorOrangeAction->setIcon(QIcon(pcolor));
    setColorOrangeAction->setVisible(true);

    setColorPurpleAction = createAction(st->getLabelText(FWBSettings::PURPLE),
                                        SLOT( setColorPurple() ));
    pcolor.fill(st->getLabelColor(FWBSettings::PURPLE));
    setColorPurpleAction->setIcon(QIcon(pcolor));
    setColorPurpleAction->setVisible(true);

    setColorGrayAction = createAction(st->getLabelText(FWBSettings::GRAY),
                                      SLOT( setColorGray() ));
    pcolor.fill(st->getLabelColor(FWBSettings::GRAY));
    setColorGrayAction->setIcon(QIcon(pcolor));
    setColorGrayAction->setVisible(true);

    setColorYellowAction = createAction(st->getLabelText(FWBSettings::YELLOW),
                                        SLOT( setColorYellow() ));
    pcolor.fill(st->getLabelColor(FWBSettings::YELLOW));
    setColorYellowAction->setIcon(QIcon(pcolor));
    setColorYellowAction->setVisible(true);

    setColorGreenAction = createAction(st->getLabelText(FWBSettings::GREEN),
                                       SLOT( setColorGreen() ));
    pcolor.fill(st->getLabelColor(FWBSettings::GREEN));
    setColorGreenAction->setIcon(QIcon(pcolor));
    setColorGreenAction->setVisible(true);
}

/*
 * Build one QAction owned by this view, connected to the given slot and
 * carrying the given shortcut. The action starts disabled and hidden so
 * nothing is reachable until the caller decides it should be.
 *
 * label    - menu text
 * member   - SLOT(...) signature on this view
 * shortcut - key sequence (default from the declaration; empty means none)
 */
QAction* RuleSetView::createAction(QString label,
                                   const char* member,
                                   const QKeySequence &shortcut)
{
    QAction* action = new QAction(label, this);
    action->setShortcut(shortcut);
    connect (action, SIGNAL(triggered()), this, member);
    action->setEnabled(false);
    action->setVisible(false);
    return action;
}

// Factory: pick the view subclass matching the rule set's concrete type.
// Returns NULL for a rule set that is none of Policy, NAT or Routing.
RuleSetView* RuleSetView::getRuleSetViewByType(ProjectPanel *project,
                                               RuleSet *ruleset,
                                               QWidget *parent)
{
    if (fwbdebug) qDebug("RuleSetView::getRuleSetViewByType");
    if (Policy::isA(ruleset))
        return new PolicyView(project, Policy::cast(ruleset), parent);
    if (NAT::isA(ruleset))
        return new NATView(project, NAT::cast(ruleset), parent);
    if (Routing::isA(ruleset))
        return new RoutingView(project, Routing::cast(ruleset), parent);
    return NULL;
}

void RuleSetView::makeCurrentRuleVisible()
{
    scrollTo( currentIndex(), QAbstractItemView::PositionAtCenter);
}

// Select a cell by index. A no-op when the index is already the selected
// one; otherwise the object selection is cleared, the index becomes current
// and the view scrolls to center it.
void RuleSetView::selectRE(QModelIndex index)
{
    if (fwbdebug) qDebug() << "RuleSetView::selectRE(QModelIndex index)" << index;

    if (fwosm->index != index)
    {
        fwosm->selectedObject = NULL;
        fwosm->index = index;
        setCurrentIndex(index);
        scrollTo( index, QAbstractItemView::PositionAtCenter);
    }
}

// Select the rule element cell that contains the referenced object and
// highlight that object in it.
//
// NOTE(review): the cast result is only checked by assert(); in a build
// with NDEBUG the assert compiles out and a reference whose parent is not
// a RuleElement reaches the overload below with re == NULL.
void RuleSetView::selectRE(libfwbuilder::FWReference *ref)
{
    if (fwbdebug) qDebug() << "RuleSetView::selectRE(libfwbuilder::FWReference *ref)";

    /* need to find row and column this object is in and show it */
    RuleElement *re = RuleElement::cast(ref->getParent());
    assert(re);
    selectRE(re, ref->getPointer());
}

// Select a rule by row and column number.
void RuleSetView::selectRE(libfwbuilder::Rule *rule, int col)
{
    if (fwbdebug) qDebug() << "RuleSetView::selectRE(libfwbuilder::Rule *rule, int col)";
    RuleSetModel* md = ((RuleSetModel*)model());
    selectRE(md->index(rule, col));
}

// Select a rule by row and column type (resolved through the model's
// column table).
void RuleSetView::selectRE(libfwbuilder::Rule *rule, ColDesc::ColumnType type)
{
    if (fwbdebug) qDebug() << "RuleSetView::selectRE(libfwbuilder::Rule *rule, ColDesc::ColumnType type)";
    RuleSetModel* md = ((RuleSetModel*)model());
    int col = md->columnByType(type);
    selectRE(rule, col);
}

// Select the cell for rule element re and mark obj as the selected object
// within it. The same NDEBUG caveat as for the FWReference overload applies
// to the assert on the parent rule.
void RuleSetView::selectRE(libfwbuilder::RuleElement *re, libfwbuilder::FWObject *obj)
{
    if (fwbdebug) qDebug() << "RuleSetView::selectRE(libfwbuilder::RuleElement *re, libfwbuilder::FWObject *obj)";
    Rule *rule = Rule::cast(re->getParent());
    assert(rule!=NULL);

    RuleSetModel* md = ((RuleSetModel*)model());
    QModelIndex index = md->index(rule, re);

    selectRE(index);
    setCurrentIndex(index);
    fwosm->setSelected(obj, index);
}

int RuleSetView::getColByType(ColDesc::ColumnType type) const
{
    RuleSetModel* md = ((RuleSetModel*)model());
    return md->columnByType(type);
}

/*
 * Mouse press: let QTreeView update the current index, then record which
 * object (if any) under the cursor is selected. Column 0 (rule position)
 * never carries an object. A press on the already-selected object arms a
 * drag, which mouseMoveEvent() starts.
 *
 * Note that the cell is taken from currentIndex(), not from indexAt(pos),
 * as the TODO and the commented-out alternative below indicate.
 */
void RuleSetView::mousePressEvent( QMouseEvent* ev )
{
    //TODO: provide custom implementation of QTreeView::mousePressEvent( ev ); for column != 0
    QTreeView::mousePressEvent( ev );

    const QModelIndex index = currentIndex();//indexAt (ev->pos());

    if (index.column() == 0)
    {
        fwosm->setSelected(NULL, index);
        return;
    }

    FWObject *object = getObject(ev->pos(), index);

    // if (fwbdebug) qDebug("RuleSetView::contentsMousePressEvent "
    //                      "obj=%s row=%d col=%d",
    //                      (object)?object->getName().c_str():"NULL", index.row(), index.column());

    if (object)
    {
        selectObject(object, index);
        startingDrag = (fwosm->index.row()==index.row() &&
                        fwosm->index.column()==index.column() &&
                        fwosm->selectedObject==object);
    } else
    {
        fwosm->setSelected(NULL, index);
    }
}

// Mouse release: accept the event for any non-position column of a
// non-empty rule set (the editor-switching variant is kept commented out).
void RuleSetView::mouseReleaseEvent( QMouseEvent* ev )
{
    //if (fwbdebug) qDebug() << "RuleSetView::mouseReleaseEvent";

    QTreeView::mouseReleaseEvent(ev);

    const QModelIndex index = indexAt (ev->pos());
    if (index.column() == 0) return;

    RuleSetModel* md = ((RuleSetModel*)model());

    if (md->getRuleSet()->size()!=0)
    {
        ev->accept();
    };

    // if (md->getRuleSet()->size()!=0 &&
    //     mw->isEditorVisible() && !switchObjectInEditor( currentIndex()) )
    // {
    //     ev->accept();
    // };
}

/*
 * Why using persistent QMenu object for the popup menu:
 *
 * If user hits Cmd-Q on Mac while popup menu is open, we get a
 * crash. The problem is that when close event propagates and
 * eventually closes the popup menu, RuleSetView::showContextMenu()
 * tries to delete QMenu object and we get the following error and
 * crash: "QObject: Do not delete object, 'qt_scrollarea_viewport',
 * during its event handler!". Instead of making sure we do not delete
 * the object in some circumstances, or find a way to delete it
 * safely, it is much easier to just avoid having to delete it at all.
 */
// Populate the persistent popup menu for the cell under pos and run it
// modally: group rows, rule rows (column 0 → row items, other columns →
// column-specific items, then the common items) and empty space each get
// their own item set. Compilation of a single rule is offered only when
// the rule is not disabled.
void RuleSetView::showContextMenu(const QPoint& pos)
{
    popup_menu->clear();

    const QModelIndex index = indexAt ( pos);

    if (index.isValid())
    {
        int column = index.column();
        // NOTE(review): template argument lost in extraction; presumably
        // static_cast<RuleNode*>, relying on the model storing RuleNode*
        // as the index's internal pointer.
        RuleNode* node = static_cast(index.internalPointer());

        if (node->type == RuleNode::Group)
        {
            addGroupMenuItemsToContextMenu(popup_menu);
        }
        else
        {
            compileRuleAction->setEnabled(!node->rule->isDisabled());

            if (column < 1)
            {
                addRowMenuItemsToMenu(popup_menu);
            }
            else
            {
                addColumnRelatedMenu(popup_menu, index, node, pos);
            }
            addCommonRowItemsToContextMenu(popup_menu);
        }
    }
    else
    {
        addGenericMenuItemsToContextMenu(popup_menu);
    }

    popup_menu->exec(mapToGlobal(pos));
    // delete menu;
}

// Items appended to every rule-row menu after the row/column specific ones.
void RuleSetView::addCommonRowItemsToContextMenu(QMenu *menu) const
{
    menu->addSeparator();
    menu->addAction(compileRuleAction);
}

// Start the drag armed by mousePressEvent(); otherwise default handling.
// NOTE(review): QDrag::start() is the obsolete pre-exec() API; QDrag::exec()
// is the documented replacement with the same Qt::DropActions argument.
void RuleSetView::mouseMoveEvent( QMouseEvent* ev )
{
    if (startingDrag)
    {
        QDrag* drag = dragObject();
        if (drag) drag->start(Qt::CopyAction | Qt::MoveAction); //just start dragging
        startingDrag = false;
        return;
    }
    QTreeView::mouseMoveEvent(ev);
}

// Build a drag carrying the currently selected object, with the object's
// type icon as drag pixmap. Returns NULL when no object is selected. The
// icon path is built from the internal type name, not from user input.
QDrag* RuleSetView::dragObject()
{
    FWObject *obj = fwosm->selectedObject;

    if (obj==NULL) return NULL;

    // TODO: use FWBTree::setObjectIcon()
    QString icn = (":/Icons/" + obj->getTypeName() + "/icon").c_str();

    // NOTE(review): presumably std::list<FWObject*>; template argument lost.
    list dragobj;
    dragobj.push_back(obj);
    FWObjectDrag *drag = new FWObjectDrag(dragobj, this, NULL);

    QPixmap pm = LoadPixmap(icn);
    drag->setPixmap( pm );

    return drag;
}

// Column-specific context-menu items. The body continues past the end of
// this chunk.
void RuleSetView::addColumnRelatedMenu(QMenu *menu, const QModelIndex &index,
                                       RuleNode* node, const QPoint& pos)
{
    RuleSetModel* md = ((RuleSetModel*)model());
    ColDesc colDesc = index.data(Qt::UserRole).value();

    switch (colDesc.type)
    {
        case ColDesc::Action:
        {
            Firewall *f = md->getFirewall();
            if (f == NULL) break;
            string platform = f->getStr("platform");
            QString action_name;

            if (NATRule::isA(node->rule))
            {
                if (Resources::isTargetActionSupported(platform,"Translate"))
                {
                    action_name = getActionNameForPlatform(
                        f, NATRule::getActionAsString(NATRule::Translate));
                    menu->addAction(
QIcon(LoadPixmap(":/Icons/Continue/icon")), action_name, this, SLOT( changeActionToTranslate() )); } if (Resources::isTargetActionSupported(platform,"Branch")) { action_name = getActionNameForPlatform( f, NATRule::getActionAsString(NATRule::Branch)); menu->addAction( QIcon(LoadPixmap(":/Icons/NATBranch/icon")), action_name, this, SLOT( changeActionToNATBranch() )); } } else { if (Resources::isTargetActionSupported(platform,"Accept")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Accept)); menu->addAction( QIcon(LoadPixmap(":/Icons/Accept/icon")), action_name, this, SLOT( changeActionToAccept() )); } if (Resources::isTargetActionSupported(platform,"Deny")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Deny)); menu->addAction( QIcon(LoadPixmap(":/Icons/Deny/icon")), action_name, this, SLOT( changeActionToDeny() )); } if (Resources::isTargetActionSupported(platform,"Reject")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Reject)); menu->addAction( QIcon(LoadPixmap(":/Icons/Reject/icon")), action_name, this, SLOT( changeActionToReject() )); } if (Resources::isTargetActionSupported(platform,"Accounting")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Accounting)); menu->addAction( QIcon(LoadPixmap(":/Icons/Accounting/icon")), action_name, this, SLOT( changeActionToAccounting() )); } if (Resources::isTargetActionSupported(platform,"Pipe")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Pipe)); menu->addAction( QIcon(LoadPixmap(":/Icons/Pipe/icon")), action_name, this, SLOT( changeActionToPipe() )); } /* * #2367 if (Resources::isTargetActionSupported(platform,"Tag")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Tag)); menu->addAction( QIcon(LoadPixmap(":/Icons/Tag/icon")), action_name, this, SLOT( changeActionToTag() )); } if 
(Resources::isTargetActionSupported(platform,"Classify")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Classify)); menu->addAction( QIcon(LoadPixmap(":/Icons/Classify/icon")), action_name, this, SLOT( changeActionToClassify() )); } if (Resources::isTargetActionSupported(platform,"Route")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Route)); menu->addAction( QIcon(LoadPixmap(":/Icons/Route/icon")), action_name, this, SLOT( changeActionToRoute() )); } */ if (Resources::isTargetActionSupported(platform,"Custom")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Custom)); menu->addAction( QIcon(LoadPixmap(":/Icons/Custom/icon")), action_name, this, SLOT( changeActionToCustom() )); } if (Resources::isTargetActionSupported(platform,"Branch")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Branch)); menu->addAction( QIcon(LoadPixmap(":/Icons/Branch/icon")), action_name, this, SLOT( changeActionToBranch() )); } if (Resources::isTargetActionSupported(platform,"Continue")) { action_name = getActionNameForPlatform( f, PolicyRule::getActionAsString(PolicyRule::Continue)); menu->addAction( QIcon(LoadPixmap(":/Icons/Continue/icon")), action_name, this, SLOT( changeActionToContinue() )); } } menu->addSeparator (); QAction *paramID; paramID = menu->addAction( tr("Parameters"), this, SLOT( editSelected() )); PolicyRule *rule = PolicyRule::cast( node->rule ); if (rule!=NULL) { string act = rule->getActionAsString(); if (Resources::getActionEditor(platform,act)=="None") paramID->setEnabled(false); } break; } case ColDesc::Direction: menu->addAction( QIcon(LoadPixmap(":/Icons/Inbound/icon")), tr("Inbound"), this, SLOT( changeDirectionToIn() )); menu->addAction( QIcon(LoadPixmap(":/Icons/Outbound/icon")), tr("Outbound"), this, SLOT( changeDirectionToOut() )); menu->addAction( QIcon(LoadPixmap(":/Icons/Both/icon")), 
tr("Both"), this, SLOT( changeDirectionToBoth() )); break; case ColDesc::Comment: menu->addAction( tr("Edit") , this , SLOT( editSelected() ) ); break; case ColDesc::Metric: menu->addAction( tr("Edit") , this , SLOT( editSelected() ) ); break; case ColDesc::Options: menu->addAction( QIcon(LoadPixmap(":/Icons/Options/icon")), tr("Rule Options"), this, SLOT( editSelected() )); if (md->getRuleSet()->getTypeName() == Policy::TYPENAME) { menu->addAction( QIcon(LoadPixmap(":/Icons/Log/icon")), tr("Logging On"), this, SLOT( changeLogToOn() )); menu->addAction( QIcon(LoadPixmap(":/Icons/Blank/icon")), tr("Logging Off"), this, SLOT( changeLogToOff() )); } break; case ColDesc::Object: case ColDesc::Time: { RuleElement *re = getRE(index); if (re==NULL) return; FWObject *object = getObject(pos, index); QAction *editID = menu->addAction( tr("Edit") , this , SLOT( editSelected() ) ); menu->addSeparator(); QAction *copyID = menu->addAction( tr("Copy") , this , SLOT( copySelectedObject() ) ); QAction *cutID = menu->addAction( tr("Cut") , this , SLOT( cutSelectedObject() ) ); QAction *pasteID = menu->addAction( tr("Paste") , this , SLOT( pasteObject() ) ); QAction *delID =menu->addAction( tr("Delete") , this , SLOT( deleteSelectedObject() ) ); menu->addSeparator(); QAction *fndID = menu->addAction( tr("Where used") , this , SLOT( findWhereUsedSlot())); QAction *revID = menu->addAction( tr("Reveal in tree") ,this , SLOT( revealObjectInTree() ) ); menu->addSeparator(); if (re->isDummy()) { if (isDummy(re, getObjectNumber(fwosm->selectedObject, index))) menu->addAction( tr("Convert to Any"), this, SLOT ( convertToAny() ) ); } QAction *negID = menu->addAction( tr("Negate") , this , SLOT( negateRE() ) ); if (object == NULL || re->isAny()) editID->setEnabled(false); copyID->setEnabled(!re->isAny()); cutID->setEnabled(!re->isAny()); delID->setEnabled(!re->isAny()); // see #1976 do not allow pasting object that has been deleted // also disable "Paste" if object in the clipboard is a rule 
FWObject *obj_in_clipboard = FWObjectClipboard::obj_clipboard->getObject(); pasteID->setEnabled(true); if (obj_in_clipboard == NULL) pasteID->setEnabled(false); else { if (Rule::cast(obj_in_clipboard) != NULL) pasteID->setEnabled(false); FWObject *lib = obj_in_clipboard->getLibrary(); if (lib != NULL && lib->getId() == FWObjectDatabase::DELETED_OBJECTS_ID) pasteID->setEnabled(false); } string cap_name; if (Policy::cast(md->getRuleSet())!=NULL) cap_name="negation_in_policy"; if (NAT::cast(md->getRuleSet())!=NULL) cap_name="negation_in_nat"; Firewall *f = md->getFirewall(); if (f == NULL) break; bool supports_neg=false; try { supports_neg = Resources::getTargetCapabilityBool( f->getStr("platform"), cap_name); } catch (FWException &ex) { QMessageBox::critical( NULL , "Firewall Builder", ex.toString().c_str(), QString::null,QString::null); } negID->setEnabled(supports_neg && !re->isAny()); fndID->setEnabled(!re->isAny()); revID->setEnabled(!re->isAny()); break; } default : menu->addAction( tr("Edit") , this , SLOT( editRE() ) ); } } void RuleSetView::addGenericMenuItemsToContextMenu(QMenu *menu) const { if (((RuleSetModel*)model())->isEmpty()) menu->addAction(tr("Insert New Rule"), this, SLOT( insertRule() )); else { menu->addAction(tr("Add New Rule on Top"), this, SLOT( insertNewRuleOnTop())); menu->addAction(tr("Add New Rule at the Bottom"), this, SLOT( insertNewRuleAtBottom())); } menu->addSeparator(); menu->addAction(tr("Paste Rule"), this, SLOT( pasteRuleBelow())); } void RuleSetView::addGroupMenuItemsToContextMenu(QMenu *menu) const { menu->addAction( tr("Rename group"), this, SLOT( renameGroup() )); menu->addSeparator(); addChangeColorSubmenu(menu); } void RuleSetView::addChangeColorSubmenu(QMenu *menu) const { QMenu *subcolor = menu->addMenu(tr("Change color") ); subcolor->addAction(setColorEmptyAction); subcolor->addAction(setColorRedAction); subcolor->addAction(setColorOrangeAction); subcolor->addAction(setColorYellowAction); 
subcolor->addAction(setColorGreenAction); subcolor->addAction(setColorBlueAction); subcolor->addAction(setColorPurpleAction); subcolor->addAction(setColorGrayAction); } void RuleSetView::addRowMenuItemsToMenu(QMenu *menu) const { if (fwbdebug) qDebug() << "RuleSetView::addRowMenuItemsToMenu menu=" << menu; menu->addAction(removeFromGroupAction); menu->addAction(newGroupAction); menu->addAction(addToGroupAboveAction); menu->addAction(addToGroupBelowAction); menu->addSeparator(); addChangeColorSubmenu(menu); menu->addSeparator(); menu->addAction( insertRuleAction ); menu->addAction( addRuleAfterCurrentAction ); menu->addAction( removeRuleAction ); menu->addSeparator(); menu->addAction( moveRuleUpAction); menu->addAction( moveRuleDownAction); menu->addSeparator(); menu->addAction(copyRuleAction); menu->addAction(cutRuleAction); menu->addAction(pasteRuleAboveAction); menu->addAction(pasteRuleBelowAction); menu->addSeparator(); menu->addAction(enableRuleAction); menu->addAction(disableRuleAction); } void RuleSetView::itemDoubleClicked(const QModelIndex& index) { if (!index.isValid()) return; if (index.row() < 0) return; if (index.column() == 0) return; // double click on rule number does nothing // ColDesc colDesc = index.data(Qt::UserRole).value(); // if (fwosm->selectedObject!=NULL) // { // QCoreApplication::postEvent( // mw, // new showObjectInTreeEvent( // project->getFileName(), fwosm->selectedObject->getId())); // } editSelected(index); } void RuleSetView::editSelected(const QModelIndex& index) { ColDesc colDesc = index.data(Qt::UserRole).value(); FWObject *obj = fwosm->selectedObject; // see #2454 -- we do not want to switch object tree view to the standard // objects library when user double clicks on object "any" if (obj != NULL && (obj->getId() != FWObjectDatabase::ANY_ADDRESS_ID && obj->getId() != FWObjectDatabase::ANY_SERVICE_ID && obj->getId() != FWObjectDatabase::ANY_INTERVAL_ID)) { QCoreApplication::postEvent( mw, new showObjectInTreeEvent( 
project->getFileName(), fwosm->selectedObject->getId())); } if (!mw->isEditorVisible()) mw->showEditor(); switchObjectInEditor(index); } void RuleSetView::editSelected() { editSelected(currentIndex()); } bool RuleSetView::switchObjectInEditor(const QModelIndex& index, bool validate) { RuleSetModel* md = ((RuleSetModel*)model()); if (!isTreeReadWrite(this,md->getRuleSet())) return false; if ( index.column()<=0 || index.row()==-1 ) return false; FWObject *object = NULL; ObjectEditor::OptType operation = ObjectEditor::optNone; /* * We need to know WHAT we are going to edit 1. Object 2. OptType * Object == null, OptType = optNone => blank * Object == Rule, OptType = optNone => Rule Options * Object == Rule, OptType != optNone => Virtual Object (Action, Comment ...) * Object != Rule, OptType = optNone => Regular Object Editor Then we compare our object 'obj' and OptType with what we already have in ObjectEditor/ If they are the same, then we do nothing, otherwise we open obj in the Object Editor */ ColDesc colDesc = index.data(Qt::UserRole).value(); RuleNode *node = md->nodeFromIndex(index); if (node->type != RuleNode::Rule) return false; Rule *rule = node->rule; switch (colDesc.type) { case ColDesc::Comment: object = rule; operation = ObjectEditor::optComment; break; case ColDesc::Metric: object = rule; operation = ObjectEditor::optMetric; break; case ColDesc::Direction: break; case ColDesc::Action: { //PolicyRule *prule = PolicyRule::cast( rule ); object = rule; operation = ObjectEditor::optAction; break; } case ColDesc::Options: { /* both policy and routing rules have options. so cast to * Rule here. 
*/ assert(rule); object = rule; operation = ObjectEditor::optNone; break; } default: { if ( fwosm->selectedObject!=NULL) { object = fwosm->selectedObject; break; } } } if (!mw->isEditorVisible()) mw->showEditor(); if (!mw->requestEditorOwnership(this, object, operation, validate)) return false; if (object==mw->getOpenedEditor() && operation==mw->getOpenedOptEditor()) { if (fwbdebug) qDebug("RuleSetView::switchObjectInEditor same object is already opened in the editor"); return true; } if (object == NULL) { QCoreApplication::postEvent(mw, new clearEditorPanelEvent()); //mw->blankEditor(); } else if (operation==ObjectEditor::optNone) { QCoreApplication::postEvent( mw, new openObjectInEditorEvent( mw->activeProject()->getFileName(), object->getId())); //mw->openEditor(object); } else if(Rule::cast(object)!=NULL) { QCoreApplication::postEvent( mw, new openOptObjectInEditorEvent(project->getFileName(), object->getId(), operation)); //mw->openOptEditor(object, operation); } return true; } QModelIndexList RuleSetView::getSelectedRows() const { QModelIndexList selection = selectedIndexes(); QModelIndexList res; for (QList::iterator i = selection.begin(); i != selection.end(); ++i) { if(!(*i).column()) { res.append(*i); } } return res; } void RuleSetView::setSelectedRows(const QModelIndex firstIndex, const QModelIndex lastIndex) { fwosm->reset(); selectionModel()->clear(); setCurrentIndex(firstIndex); selectionModel()->select(QItemSelection(firstIndex, lastIndex), QItemSelectionModel::Rows | QItemSelectionModel::Select); fwosm->setSelected(0, firstIndex); } void RuleSetView::removeRule() { RuleSetModel* md = ((RuleSetModel*)model()); if (!canChange(md)) return; mw->findObjectWidget->reset(); QModelIndexList selection = getSelectedRows(); if (!selection.isEmpty()) { QMap > itemsInGroups; QList rulesToDelete; // Sort rules to the corresponding groups foreach (QModelIndex index, selection) { if (!index.isValid() || !md->isIndexRule(index)) continue; if (mw->isEditorVisible() 
&& mw->getOpenedEditor()==md->nodeFromIndex(index)->rule) mw->closeEditor(); QModelIndex parent = index.parent(); if (parent.isValid()) { itemsInGroups[parent] << index.row(); } RuleNode* node = md->nodeFromIndex(index); if (node->type == RuleNode::Rule) rulesToDelete << node->rule; } //Special case - all rows are inside one group (excluding the //first item of the group) if (itemsInGroups.size() == 1 && itemsInGroups[itemsInGroups.keys().first()].size() == rulesToDelete.size()) { bool containsFirstRow = false; foreach(int row, itemsInGroups[itemsInGroups.keys().first()]) { if (0 == row) { containsFirstRow = true; break; } } if (!containsFirstRow) { FWCmdRuleDeleteFromGroup* cmd = new FWCmdRuleDeleteFromGroup(project, md->getRuleSet(), rulesToDelete); project->undoStack->push(cmd); return; } } FWCmdMacro* macro = new FWCmdMacro("delete rules"); // Remove items from groups QList groups = itemsInGroups.keys(); if (!groups.isEmpty()) { foreach(QModelIndex group, groups) { qSort(itemsInGroups[group]); Rule* first = md->nodeFromIndex(md->index(itemsInGroups[group].at(0), 0, group))->rule; Rule* last = md->nodeFromIndex(md->index(itemsInGroups[group].at(itemsInGroups[group].size() - 1), 0, group))->rule; QString groupName = md->nodeFromIndex(group)->name; FWCmdRuleRemoveFromGroup* cmd = new FWCmdRuleRemoveFromGroup(project, md->getRuleSet(), first, last, groupName, macro); Q_UNUSED(cmd); } } // Remove rows if (!rulesToDelete.isEmpty()) { FWCmdRuleDelete* cmd = new FWCmdRuleDelete(project, md->getRuleSet(), rulesToDelete, macro); Q_UNUSED(cmd); } project->undoStack->push(macro); } } void RuleSetView::renameGroup() { RuleSetModel* md = ((RuleSetModel*)model()); if(!isTreeReadWrite(this,md->getRuleSet())) return; QModelIndexList selection = getSelectedRows(); foreach(QModelIndex index, selection) { if (!index.isValid()) continue; RuleNode *group = md->nodeFromIndex(index); // Process only groups. Skip all rules. 
if(group->type != RuleNode::Group) continue; QString oldGroupName = group->name; bool ok = false; QString newGroupName = QInputDialog::getText( this, "Rename group", tr("Enter group name:"), QLineEdit::Normal, oldGroupName, &ok); if (ok && !newGroupName.isEmpty() && newGroupName != oldGroupName) { project->undoStack->push(new FWCmdRuleRenameGroup(project, md->getRuleSet(), oldGroupName, newGroupName)); } } } void RuleSetView::setRuleColor(const QString &c) { RuleSetModel* md = ((RuleSetModel*)model()); if (!canChange(md)) return; QModelIndexList selection = getSelectedRows(); // Current behaviour is following: // if we have only groups selected then recolor groups // if there are rules in selection then selected groups will be ignored and only selected rules will be recolored QList rules; QList groups; foreach (QModelIndex index, selection) { if (md->isIndexRule(index)) { rules << index; } else { groups << index; } } QList ruleList; if (rules.isEmpty()) { // Let's recolor groups - there are no rules in the selection foreach(QModelIndex grpIndex, groups) { foreach(RuleNode* node, md->nodeFromIndex(grpIndex)->children) { ruleList.append(node->rule); } } } else { // There are rules in selection, so recolor them foreach (QModelIndex index, rules) { ruleList.append(md->nodeFromIndex(index)->rule); } } project->undoStack->push(new FWCmdRuleColor(project, md->getRuleSet(), ruleList, c)); } void RuleSetView::setColorEmpty() { setRuleColor(""); } void RuleSetView::setColorRed() { setRuleColor(st->getLabelColor(FWBSettings::RED)); } void RuleSetView::setColorBlue() { setRuleColor(st->getLabelColor(FWBSettings::BLUE)); } void RuleSetView::setColorOrange() { setRuleColor(st->getLabelColor(FWBSettings::ORANGE)); } void RuleSetView::setColorPurple() { setRuleColor(st->getLabelColor(FWBSettings::PURPLE)); } void RuleSetView::setColorGray() { setRuleColor(st->getLabelColor(FWBSettings::GRAY)); } void RuleSetView::setColorYellow() { 
setRuleColor(st->getLabelColor(FWBSettings::YELLOW)); } void RuleSetView::setColorGreen() { setRuleColor(st->getLabelColor(FWBSettings::GREEN)); } void RuleSetView::enableRule() { setEnabledRow(true); } void RuleSetView::disableRule() { setEnabledRow(false); } void RuleSetView::setEnabledRow(bool flag) { RuleSetModel* md = ((RuleSetModel*)model()); if(!isTreeReadWrite(this,md->getRuleSet())) return; QModelIndexList selection = getSelectedRows(); if (!selection.isEmpty()) { foreach (QModelIndex index, selection) { if (!index.isValid()) continue; RuleNode *node = md->nodeFromIndex(index); if (node->type != RuleNode::Rule) continue; Rule* rule = node->rule; if (!rule->isDisabled() == flag) continue; FWCmdRuleChange* cmd = new FWCmdRuleChange( project, md->getRuleSet(), rule, (flag)?tr("Enable rule"):tr("Disable rule")); Rule* newState = Rule::cast(cmd->getNewState()); if (flag) newState->enable(); else newState->disable(); project->undoStack->push(cmd); } } updateSelectionSensitiveActions(); } void RuleSetView::newGroup() { RuleSetModel* md = ((RuleSetModel*)model()); if(!isTreeReadWrite(this,md->getRuleSet())) return; QModelIndexList selection = getSelectedRows(); // we cannot perform this action if the selection contains groups or rules assigned to groups if (!selection.isEmpty() && isOnlyTopLevelRules(selection)) { bool ok; QString newGroupName = QInputDialog::getText( this, "Rename group", tr("Enter group name:"), QLineEdit::Normal, tr("New Group"), &ok); if (ok && !newGroupName.isEmpty()) { FWCmdRuleNewGroup* cmd = new FWCmdRuleNewGroup( project, md->getRuleSet(), md->nodeFromIndex(selection.first())->rule, md->nodeFromIndex(selection.last())->rule, newGroupName); project->undoStack->push(cmd); } } } void RuleSetView::addToGroupAbove() { addToGroup(true); } void RuleSetView::addToGroupBelow() { addToGroup(false); } void RuleSetView::addToGroup(bool isAbove) { RuleSetModel* md = ((RuleSetModel*)model()); if(!isTreeReadWrite(this,md->getRuleSet())) return; 
QModelIndexList selection = getSelectedRows(); // we cannot perform this action if the selection contains groups or rules assigned to groups if (!selection.isEmpty() && isOnlyTopLevelRules(selection)) { FWCmdRuleAddToGroup* cmd = new FWCmdRuleAddToGroup( project, md->getRuleSet(), md->nodeFromIndex(selection.first())->rule, md->nodeFromIndex(selection.last())->rule, isAbove); project->undoStack->push(cmd); } } void RuleSetView::moveRuleUp() { RuleSetModel* md = ((RuleSetModel*)model()); if(!isTreeReadWrite(this,md->getRuleSet())) return; QModelIndexList selection = getSelectedRows(); // we cannot perform this action if the selection contains groups or rules assigned to groups if (!selection.isEmpty() && isOneLevelRules(selection)) { RuleSetModelIterator it = md->begin(); QModelIndex top = it.index(); if (top.parent() == selection.first().parent() && top.row() == selection.first().row()) return; FWCmdRuleMove* cmd = new FWCmdRuleMove(project, md->getRuleSet(), md->nodeFromIndex(selection.first())->rule->getId(), md->nodeFromIndex(selection.last())->rule->getId()); project->undoStack->push(cmd); } } void RuleSetView::moveRuleDown() { RuleSetModel* md = ((RuleSetModel*)model()); if(!isTreeReadWrite(this,md->getRuleSet())) return; QModelIndexList selection = getSelectedRows(); // we cannot perform this action if the selection contains groups or rules assigned to groups if (!selection.isEmpty() && isOneLevelRules(selection)) { RuleSetModelIterator it = md->end(); --it; QModelIndex bottom = it.index(); if (bottom.parent() == selection.last().parent() && bottom.row() == selection.last().row()) return; FWCmdRuleMove* cmd = new FWCmdRuleMove(project, md->getRuleSet(), md->nodeFromIndex(selection.first())->rule->getId(), md->nodeFromIndex(selection.last())->rule->getId(), false); project->undoStack->push(cmd); } } bool RuleSetView::isOnlyTopLevelRules(const QModelIndexList &list) const { foreach (QModelIndex index, list) { if (!index.isValid()) return false; RuleNode* node = 
static_cast(index.internalPointer()); if (node==0 || node->type != RuleNode::Rule || node->parent->type != RuleNode::Root) return false; } return true; } bool RuleSetView::isOneLevelRules(const QModelIndexList &list) { RuleNode *parent = 0; foreach (QModelIndex index, list) { if (!index.isValid()) return false; RuleNode* node = static_cast(index.internalPointer()); if (node==0 || node->type != RuleNode::Rule) return false; if (parent == 0) parent = node->parent; else if (parent != node->parent) return false; } return true; } void RuleSetView::copyRule() { RuleSetModel* md = ((RuleSetModel*)model()); QModelIndexList selection = getSelectedRows(); if ( !selection.isEmpty() ) { FWObjectClipboard::obj_clipboard->clear(); foreach (QModelIndex index, selection) { RuleNode *node = md->nodeFromIndex(index); if (node->type != RuleNode::Rule) continue; FWObject *rule = node->rule; if (rule) FWObjectClipboard::obj_clipboard->add( rule, project ); } } } void RuleSetView::cutRule() { copyRule(); removeRule(); } void RuleSetView::pasteRuleAbove() { RuleSetModel* md = ((RuleSetModel*)model()); if (!canChange(md)) return; QModelIndexList selection = getSelectedRows(); QModelIndex index = currentIndex(); vector >::iterator i; for (i= FWObjectClipboard::obj_clipboard->begin(); i!=FWObjectClipboard::obj_clipboard->end(); ++i) { Rule *rule = Rule::cast(createInsertTemplate(i->second, i->first)); if (!rule || !md->checkRuleType(rule)) continue; project->undoStack->push( new FWCmdRuleInsert( project, md->getRuleSet(), md->getRulePosition(index), false, rule)); } } void RuleSetView::pasteRuleBelow() { RuleSetModel* md = ((RuleSetModel*)model()); if (!canChange(md)) return; QModelIndex index = currentIndex(); vector >::reverse_iterator i; for (i= FWObjectClipboard::obj_clipboard->rbegin(); i!=FWObjectClipboard::obj_clipboard->rend(); ++i) { Rule *rule = Rule::cast(createInsertTemplate(i->second, i->first)); if (!rule || !md->checkRuleType(rule)) continue; project->undoStack->push( new 
FWCmdRuleInsert( project, md->getRuleSet(), md->getRulePosition(index), true, rule)); } } FWObject* RuleSetView::createInsertTemplate(ProjectPanel* proj_p, int id) { RuleSetModel* md = ((RuleSetModel*)model()); FWObject* co = proj_p->db()->findInIndex(id); FWObject* t = 0; if (!Rule::cast(co)) return 0; if (proj_p!=project) { // rule is being copied from another project file map map_ids; t = project->db()->recursivelyCopySubtree(md->getRuleSet(), co, map_ids); // Note that FWObjectDatabase::recursivelyCopySubtree adds // a copy it creates to the end of the list of children of // the object passed as its first arg., which is in this // case ruleset. This works only if we paste rule at the // bottom of ruleset, otherwise need to move them to the // proper location. t->ref(); md->getRuleSet()->remove(t); project->m_panel->om->reload(); } else { t = proj_p->db()->create(co->getTypeName()); t->duplicate(co); } if (fwbdebug) { cerr << "rulesrt->getRoot()=" << md->getRuleSet()->getRoot() << " " << "proj_p->db()=" << proj_p->db() << " " << "proj_p file=" << proj_p->getFileName().toStdString() << " " << "id=" << id << " " << "co=" << co << " " << "co->getRoot()=" << co->getRoot() << endl; cerr << "Validating database index" << endl; proj_p->db()->getRoot()->validateIndex(); } return t; } bool RuleSetView::canChange(RuleSetModel* md) { if(!isTreeReadWrite(this,md->getRuleSet())) return false; if (md->getFirewall()==NULL) return false; return true; } void RuleSetView::insertRule(QModelIndex index, bool isAfter) { RuleSetModel* md = ((RuleSetModel*)model()); if (!canChange(md)) return; project->undoStack->push( new FWCmdRuleInsert( project, md->getRuleSet(), md->getRulePosition(index), isAfter)); } void RuleSetView::insertRule() { RuleSetModel* md = ((RuleSetModel*)model()); if (!canChange(md)) return; QModelIndexList selection = getSelectedRows(); QModelIndex index; if (!selection.isEmpty()) { index = selection.first(); } insertRule(index); } void 
RuleSetView::addRuleAfterCurrent() { RuleSetModel* md = ((RuleSetModel*)model()); if (!canChange(md)) return; QModelIndexList selection = getSelectedRows(); if (selection.isEmpty()) { insertRule(QModelIndex()); } else { QModelIndex lastSelectedIndex = selection.last(); insertRule(lastSelectedIndex, true); } } void RuleSetView::insertNewRuleOnTop() { insertRule(QModelIndex()); } void RuleSetView::insertNewRuleAtBottom() { RuleSetModel* md = ((RuleSetModel*)model()); if (!canChange(md)) return; RuleSetModelIterator it = md->end(); --it; Rule* posRule = md->nodeFromIndex(it.index())->rule; project->undoStack->push( new FWCmdRuleInsert( project, md->getRuleSet(), posRule->getPosition(), true)); } void RuleSetView::removeFromGroup() { RuleSetModel* md = ((RuleSetModel*)model()); if(!isTreeReadWrite(this,md->getRuleSet())) return; if (md->getFirewall()==NULL) return; QModelIndexList selection = getSelectedRows(); QMap > itemsInGroups; // Get all rules sorted by groups foreach (QModelIndex index, selection) { if (!index.isValid() || !md->isIndexRule(index)) continue; QModelIndex parent = index.parent(); if (parent.isValid()) { itemsInGroups[parent] << index.row(); } } // Remove groups from the end to the begin QList groups = itemsInGroups.keys(); qSort(groups); QListIterator i(groups); i.toBack(); while (i.hasPrevious()) { QModelIndex group = i.previous(); qSort(itemsInGroups[group]); QModelIndex first = md->index(itemsInGroups[group].first(), 0, group); QModelIndex last = md->index(itemsInGroups[group].last(), 0, group); FWCmdRuleRemoveFromGroup *cmd = new FWCmdRuleRemoveFromGroup(project, md->getRuleSet(), md->nodeFromIndex(first)->rule, md->nodeFromIndex(last)->rule, md->nodeFromIndex(group)->name); project->undoStack->push(cmd); // md->removeFromGroup(group, itemsInGroups[group].first(), itemsInGroups[group].last()); } // QCoreApplication::postEvent( // mw, new dataModifiedEvent(project->getFileName(), md->getRuleSet()->getId())); } FWObject 
*RuleSetView::getObject(const QPoint &pos, const QModelIndex &index) { if (!index.isValid() || index.column() == 0) return 0; RuleNode* node = static_cast(index.internalPointer()); if (node->type == RuleNode::Group) return 0; QRect vrect = visualRect(index); if (!vrect.isValid()) return 0; const int relativeY = pos.y() - vrect.top(); if (relativeY < 0 || relativeY > vrect.height()) return 0; const int itemHeight = RuleSetViewDelegate::getItemHeight(); RuleElement *re = getRE(index); if (re==NULL) return 0; int oy=0; FWObject *o1=NULL; FWObject *obj=NULL; FWObject *prev=NULL; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { o1= *i; if (FWReference::cast(o1)!=NULL) o1=FWReference::cast(o1)->getPointer(); if (relativeY>oy && relativeY(index.internalPointer()); if (node->type == RuleNode::Group) return 0; RuleElement *re = getRE(index); if (re==NULL) return 0; int n=1; FWObject *o1=NULL; FWObject *obj=NULL; FWObject *prev=NULL; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { o1= *i; if (FWReference::cast(o1)!=NULL) o1=FWReference::cast(o1)->getPointer(); if (n == number) { obj=o1; break; } n++; prev=o1; } if (obj==NULL) obj=prev; return obj; } int RuleSetView::getObjectNumber(FWObject *object, const QModelIndex &index) { if (!index.isValid() || index.column() == 0) return 0; RuleNode* node = static_cast(index.internalPointer()); if (node->type == RuleNode::Group) return 0; RuleElement *re = getRE(index); if (re==NULL) return 0; int n=1; FWObject *o1=NULL; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { o1= *i; if (FWReference::cast(o1)!=NULL) o1=FWReference::cast(o1)->getPointer(); if (object == o1) break; n++; } return n; } void RuleSetView::selectObject(int position, int column, int number) { RuleSetModel* md = ((RuleSetModel*)model()); QModelIndex index = md->indexForPosition(position); if (index.isValid()) { index = md->index(index.row(), column, index.parent()); FWObject* obj = getObject(number, index); selectObject(obj, index); 
} else { unselect(); } } void RuleSetView::selectObject(FWObject *object, const QModelIndex &index) { fwosm->setSelected(object, index); setCurrentIndex(index); viewport()->update((viewport()->rect())); } void RuleSetView::changeDirectionToIn() { changeDitection( PolicyRule::Inbound ); } void RuleSetView::changeDirectionToOut() { changeDitection( PolicyRule::Outbound ); } void RuleSetView::changeDirectionToBoth() { changeDitection( PolicyRule::Both ); } void RuleSetView::changeDitection(PolicyRule::Direction dir) { RuleSetModel* md = ((RuleSetModel*)model()); if(!isTreeReadWrite(this,md->getRuleSet())) return; if (md->getFirewall()==NULL) return; QModelIndex index = currentIndex(); if (!index.isValid()) return; RuleNode *node = md->nodeFromIndex(index); if (node->type != RuleNode::Rule) return; PolicyRule *rule = PolicyRule::cast( node->rule ); PolicyRule::Direction old_dir=rule->getDirection(); if (dir!=old_dir) { FWCmdRuleChange* cmd = new FWCmdRuleChange( project, md->getRuleSet(), rule, tr("Change direction")); PolicyRule* newState = PolicyRule::cast(cmd->getNewState()); newState->setDirection( dir ); project->undoStack->push(cmd); } } void RuleSetView::changeAction(int act) { if (fwbdebug) qDebug() << "RuleSetView::changeAction act=" << act; RuleSetModel* md = ((RuleSetModel*)model()); if(!isTreeReadWrite(this,md->getRuleSet())) return; if (md->getFirewall()==NULL) return; QModelIndex index = currentIndex(); if (!index.isValid()) return; RuleNode *node = md->nodeFromIndex(index); if (node->type != RuleNode::Rule) return; std::auto_ptr cmd( new FWCmdRuleChange(project, md->getRuleSet(), node->rule, tr("Change action"))); Rule* newRule = dynamic_cast(cmd->getNewState()); if (PolicyRule::isA(newRule)) { PolicyRule *rule = PolicyRule::cast( newRule ); FWOptions *ruleopt = rule->getOptionsObject(); PolicyRule::Action old_act=rule->getAction(); if (fwbdebug) qDebug() << "PolicyRule old_action=" << old_act; if (act!=old_act) { 
rule->setAction(PolicyRule::Action(act)); ruleopt->setBool("stateless", getStatelessFlagForAction(rule)); project->undoStack->push(cmd.release()); } } else if (NATRule::isA(newRule)) { NATRule *rule = NATRule::cast( newRule ); NATRule::NATAction old_act = rule->getAction(); if (fwbdebug) qDebug() << "NATRule old_action=" << old_act << "NATRule::Translate=" << NATRule::Translate << "NATRule::Branch=" << NATRule::Branch; if (act!=old_act) { rule->setAction(NATRule::NATAction(act)); project->undoStack->push(cmd.release()); } } // See #957. It makes sense to open action in the edtor only // if this action has some parameters to edit. FWObject *fw = node->rule; while (fw && Firewall::cast(fw)==NULL) fw = fw->getParent(); if (fw) { QString editor = DialogFactory::getActionDialogPageName( Firewall::cast(fw), node->rule).c_str(); editor = editor.toLower(); // open action in the editor if the editor is already visible // or if it is not, only if there is something to edit in this // action if (mw->isEditorVisible() || (!editor.isEmpty() && editor != "none")) QCoreApplication::postEvent( mw, new openOptObjectInEditorEvent( project->getFileName(), node->rule->getId(), ObjectEditor::optAction)); } } void RuleSetView::changeActionToAccept() { changeAction( PolicyRule::Accept ); } void RuleSetView::changeActionToDeny() { changeAction( PolicyRule::Deny ); } void RuleSetView::changeActionToReject() { changeAction( PolicyRule::Reject ); } void RuleSetView::changeActionToAccounting() { changeAction( PolicyRule::Accounting ); } void RuleSetView::changeActionToPipe() { changeAction( PolicyRule::Pipe ); } void RuleSetView::changeActionToCustom() { changeAction( PolicyRule::Custom ); } void RuleSetView::changeActionToContinue() { changeAction( PolicyRule::Continue ); } void RuleSetView::changeActionToBranch() { changeAction( PolicyRule::Branch ); } void RuleSetView::changeActionToTranslate() { changeAction( NATRule::Translate ); } void RuleSetView::changeActionToNATBranch() { 
changeAction( NATRule::Branch ); }

void RuleSetView::changeLogToOn() { changeLogging(true); }

void RuleSetView::changeLogToOff() { changeLogging(false); }

/*
 * Sets the logging flag of the current rule to @flag as an undoable
 * FWCmdRuleChange. Does nothing when the rule set cannot be changed,
 * nothing is selected, the current node is not a rule, or the flag
 * already has the requested value (no empty undo entries).
 */
void RuleSetView::changeLogging(bool flag)
{
    RuleSetModel* md = ((RuleSetModel*)model());
    if (!canChange(md)) return;
    QModelIndex index = currentIndex();
    if (!index.isValid()) return;
    RuleNode *node = md->nodeFromIndex(index);
    if (node->type != RuleNode::Rule) return;
    // NOTE(review): no NULL check after the cast; this assumes the slot is
    // only reachable for policy rules (logging is a PolicyRule attribute).
    // Confirm the action is wired up in PolicyView only.
    PolicyRule *rule = PolicyRule::cast( node->rule );
    if (rule->getLogging() == flag) return;
    FWCmdRuleChange* cmd = new FWCmdRuleChange(
        project, md->getRuleSet(), rule, tr("Change logging"));
    // The edit goes into the command's copy of the rule; the undo stack
    // owns the command once it is pushed.
    PolicyRule* newState = PolicyRule::cast(cmd->getNewState());
    newState->setLogging( flag );
    project->undoStack->push(cmd);
}

/*
 * Toggles negation of the rule element in the current cell through an
 * undoable FWCmdRuleNegateRE. Cells that hold no rule element (rule
 * number, action, comment, ...) are ignored.
 */
void RuleSetView::negateRE()
{
    RuleSetModel* md = ((RuleSetModel*)model());
    if (!canChange(md)) return;
    QModelIndex index = currentIndex();
    if (!index.isValid()) return;
    RuleNode *node = md->nodeFromIndex(index);
    if (node->type != RuleNode::Rule) return;
    RuleElement *re = getRE(index);
    if (re==NULL) return;
    int position = Rule::cast(re->getParent())->getPosition();
    int column = index.column();
    project->undoStack->push(
        new FWCmdRuleNegateRE(project, md->getRuleSet(), re, position, column));
}

/*
 * Asks the main window (via a posted event) to show the currently
 * selected object in the object tree of the file it belongs to.
 */
void RuleSetView::revealObjectInTree()
{
    FWObject* selectedObject = fwosm->selectedObject;
    if (selectedObject!=NULL)
        QCoreApplication::postEvent(
            mw,
            new showObjectInTreeEvent(selectedObject->getRoot()->getFileName().c_str(),
                                      selectedObject->getId()));
}

/* Runs "where used" for the selected object within this project. */
void RuleSetView::findWhereUsedSlot()
{
    if ( fwosm->selectedObject!=NULL)
        mw->findWhereUsed(fwosm->selectedObject, project);
}

/*
 * Removes the selected object from the current cell (bound to the Delete
 * key in keyPressEvent()).
 * NOTE(review): the object comes from fwosm while the cell comes from
 * currentIndex(); deleteObject() looks the object up in that cell, so the
 * two are assumed to be kept in sync by the selection code.
 */
void RuleSetView::deleteSelectedObject()
{
    RuleSetModel* md = ((RuleSetModel*)model());
    if (!canChange(md)) return;
    QModelIndex index = currentIndex();
    if (!index.isValid()) return;
    if ( fwosm->selectedObject!=NULL)
    {
        deleteObject(index, fwosm->selectedObject,
                     tr("delete ")+QString::fromUtf8(fwosm->selectedObject->getName().c_str()));
    }
}

void RuleSetView::copySelectedObject()
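{
    // Copying replaces the clipboard contents with this single object.
    if ( fwosm->selectedObject!=NULL)
    {
        FWObjectClipboard::obj_clipboard->clear();
        FWObject *obj = fwosm->selectedObject;
        FWObjectClipboard::obj_clipboard->add(obj, project );
        mw->showStatusBarMessage(
            tr("Copy object '%1' to clipboard'").arg(
                QString::fromUtf8(obj->getName().c_str())));
    }
}

/*
 * Copies the selected object to the clipboard and then removes it from
 * the current cell as an undoable "cut ..." command.
 * NOTE(review): this checks isTreeReadWrite() where the sibling slots use
 * canChange(md); whether the two are equivalent is not visible here.
 */
void RuleSetView::cutSelectedObject()
{
    RuleSetModel* md = ((RuleSetModel*)model());
    if(!isTreeReadWrite(this,md->getRuleSet())) return;
    if ( fwosm->selectedObject!=NULL)
    {
        QModelIndex index = currentIndex();
        FWObjectClipboard::obj_clipboard->clear();
        FWObjectClipboard::obj_clipboard->add( fwosm->selectedObject, project );
        deleteObject(index, fwosm->selectedObject,
                     tr("cut ") + QString::fromUtf8(fwosm->selectedObject->getName().c_str()));
    }
}

/*
 * Pastes every clipboard entry: rules go above the current rule, any other
 * object is inserted into the current cell (copied across files if needed).
 * The clipboard holds (object id, ProjectPanel) pairs, not objects, so each
 * id is resolved against its own project's index first.
 */
void RuleSetView::pasteObject()
{
    RuleSetModel* md = ((RuleSetModel*)model());
    if (!canChange(md)) return;
    vector >::iterator i;
    for (i= FWObjectClipboard::obj_clipboard->begin();
         i!=FWObjectClipboard::obj_clipboard->end(); ++i)
    {
        ProjectPanel *proj_p = i->second;
        FWObject *co= proj_p->db()->findInIndex(i->first);
        // Skip ids that no longer resolve (presumably the object was deleted
        // after it was copied) instead of handing NULL to the insert path.
        if (co == NULL) continue;
        if (Rule::cast(co)!=NULL) pasteRuleAbove();
        else
        {
            // object in the clipboard is not a rule
            QModelIndex index = currentIndex();
            if (index.isValid())
            {
                RuleNode *node = md->nodeFromIndex(index);
                if (node->type != RuleNode::Rule) return;
                copyAndInsertObject(index, co);
            }
        }
    }
}

/*
 * Removes the selected object from the current cell so that the element
 * falls back to "any" (an undoable FWCmdRuleChangeRe). Unlike
 * deleteObject() no placeholder object is re-inserted: "any" is the goal.
 */
void RuleSetView::convertToAny()
{
    RuleSetModel* md = ((RuleSetModel*)model());
    if (!canChange(md)) return;
    QModelIndex index = currentIndex();
    if (!index.isValid()) return;
    FWObject *obj = fwosm->selectedObject;
    if (obj!=NULL)
    {
        // Same guard as deleteObject(): the current cell may not hold a
        // rule element at all (rule number, action, comment, ...).
        RuleElement *re = getRE(index);
        if (re==NULL) return;
        QString text = tr("convert to Any from ")+QString::fromUtf8(obj->getName().c_str());
        int position = Rule::cast(re->getParent())->getPosition();
        int column = index.column();
        int number = getObjectNumber(obj, index);
        FWCmdRuleChangeRe* cmd = new FWCmdRuleChangeRe(
            project, md->getRuleSet(), re, position, column, number, text, 0);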
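RuleElement *newRe = RuleElement::cast(cmd->getNewState());
        newRe->removeRef(obj);
        // An element with nothing left in it is "any"; a negated "any"
        // makes no sense, so clear the flag as deleteObject() does.
        if (newRe->isAny()) newRe->setNeg(false);
        project->undoStack->push(cmd);
    }
}

/* Accept the drag only if it carries fwbuilder's own MIME type. */
void RuleSetView::dragEnterEvent( QDragEnterEvent *ev)
{
    ev->setAccepted( ev->mimeData()->hasFormat(FWObjectDrag::FWB_MIME_TYPE) );
}

/*
 * Handles a drop onto a rule cell. Objects coming from the tree or from
 * another file are copied into the cell; objects dragged from another
 * cell of this view are moved (copied when Ctrl is held). Every object is
 * run through validateForInsertion() before it touches the rule set.
 */
void RuleSetView::dropEvent(QDropEvent *ev)
{
    // only accept drops from the same instance of fwbuilder: source() is
    // NULL when the drag did not start in this process, so this also keeps
    // foreign payloads that merely carry our MIME type out of the model.
    if (ev->source() == NULL) return;
    RuleSetModel* md = ((RuleSetModel*)model());
    if (!canChange(md)) return;
    QModelIndex index = indexAt (ev->pos());
    if (!index.isValid()) return;
    list dragol;
    if (!FWObjectDrag::decode(ev, dragol)) return;
    for (list::iterator i=dragol.begin(); i!=dragol.end(); ++i)
    {
        FWObject *dragobj = *i;
        // dragMoveEvent() tolerates NULL entries from decode(); do the same
        // here instead of relying on assert(), which is compiled out with
        // NDEBUG and would leave dragobj->getName() below dereferencing NULL.
        if (dragobj == NULL) continue;
        if (fwbdebug)
            qDebug("RuleSetView::dropEvent dragobj=%s", dragobj->getName().c_str());
        if (!validateForInsertion(index, dragobj)) continue;
        if (ev->source()!=this)
        {
            // since ev->source()!=this, this is d&d of an object from
            // the tree into rule or from another file.
            copyAndInsertObject(index, dragobj);
        } else
        {
            // since ev->source()==this, this is d&d of an object from
            // one rule to another.
            clearSelection();
            if (ev->keyboardModifiers() & Qt::ControlModifier)
            {
                insertObject(
                    index, dragobj,
                    "copy-drop "+QString::fromUtf8(dragobj->getName().c_str()));
            } else //move
            {
                QModelIndex srcIndex = fwosm->index;
                // When object is dragged (moved) from one RE to
                // another, this should appear as single undo
                // command. Also, we should delete it first and insert
                // later so that we leave rule set view with the row
                // where it was inserted selected.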
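FWCmdMacro* macro = new FWCmdMacro(tr("Move object"));
                deleteObject(
                    srcIndex, dragobj,
                    "move-delete "+QString::fromUtf8(dragobj->getName().c_str()),
                    macro);
                insertObject(
                    index, dragobj,
                    "move-drop "+QString::fromUtf8(dragobj->getName().c_str()),
                    macro);
                project->undoStack->push(macro);
            }
        }
    }
    QCoreApplication::postEvent(
        mw, new dataModifiedEvent(project->getFileName(), md->getRuleSet()->getId()));
    setCurrentIndex(index);
    ev->accept();
}

/*
 * Whether the column this element belongs to is configured (settings
 * "Objects/PolicyRule/default*") to show a placeholder ("dummy") object
 * instead of an empty cell. Only Src/Dst/Srv/Itf have such a setting.
 */
bool RuleSetView::useDummy(RuleElement *re) const
{
    if (re->getTypeName() == "Src")
        return (st->getInt("Objects/PolicyRule/defaultSource"));
    if (re->getTypeName() == "Dst")
        return (st->getInt("Objects/PolicyRule/defaultDestination"));
    if (re->getTypeName() == "Srv")
        return (st->getInt("Objects/PolicyRule/defaultService"));
    if (re->getTypeName() == "Itf")
        return (st->getInt("Objects/PolicyRule/defaultInterface"));
    return false;
}

/* Adds a reference to the element's placeholder object, if it has one. */
void RuleSetView::setDummy(RuleElement *re)
{
    if (re->getDummyElementId() > 0)
        re->addRef(re->getRoot()->findInIndex(re->getDummyElementId()));
}

/*
 * True if the @child-th (1-based) entry of @re is a reference to the
 * element's placeholder object. Returns false for a NULL or empty element,
 * for a non-positive @child and for a @child past the end of the element.
 */
bool RuleSetView::isDummy(RuleElement *re, int child) const
{
    child--; //Convert from 1-index based to 0-index based
    if (child < 0) return false;
    if (!re) return false;
    FWObject::const_iterator i1 = re->begin();
    if (i1 == re->end()) return false;
    // Advance first, test after. The previous post-increment test
    // (i1++ == end) left i1 equal to end() when child == size()+1, which is
    // exactly what getObjectNumber() returns for an object that is not in
    // the element, and then dereferenced it below.
    for (; child > 0; --child)
    {
        ++i1;
        if (i1 == re->end()) return false;
    }
    if (FWReference *ref = FWReference::cast(*i1))
        if (ref->getPointerId() == re->getDummyElementId()) return true;
    return false;
}

/*
 * Removes @obj from the rule element in cell @index as an undoable
 * FWCmdRuleChangeRe. With @macro the command is attached to that macro and
 * the caller pushes the macro; otherwise it is pushed here. Columns
 * configured for a placeholder get it back when they become empty, and the
 * placeholder itself cannot be deleted.
 */
void RuleSetView::deleteObject(QModelIndex index, libfwbuilder::FWObject *obj,
                               QString text, QUndoCommand* macro)
{
    RuleElement *re = getRE(index);
    //if (re==NULL || re->isAny()) return;
    if (re==NULL) return;
    if (re->isAny() && !useDummy(re)) return;
    int position = Rule::cast(re->getParent())->getPosition();
    int column = index.column();
    int number = getObjectNumber(obj, index);
    if (isDummy(re, number) && useDummy(re)) return;
    FWCmdRuleChangeRe* cmd = new FWCmdRuleChangeRe(
        project,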
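((RuleSetModel*)model())->getRuleSet(), re, position, column, number, text, macro);
    RuleElement *newRe = RuleElement::cast(cmd->getNewState());
    newRe->removeRef(obj);
    // A now-empty element is "any"; negating "any" is meaningless.
    if (newRe->isAny()) newRe->setNeg(false);
    // Put the placeholder back for columns configured to show one.
    if (newRe->isAny() && useDummy(newRe)) setDummy(newRe);
    // With a macro the command belongs to it and the caller pushes the macro.
    if (macro == 0) project->undoStack->push(cmd);
}

/*
 * Adds a reference to @obj to the rule element in cell @index as an
 * undoable FWCmdRuleChangeRe (pushed here unless @macro is given, in which
 * case the caller pushes the macro). The element's placeholder object, if
 * any, is dropped at the same time.
 * Returns false if the cell holds no rule element, true otherwise.
 * Callers are expected to run validateForInsertion() first.
 */
bool RuleSetView::insertObject(QModelIndex index, FWObject *obj, QString text,
                               QUndoCommand* macro)
{
    RuleElement *re = getRE(index);
    // Non-object cells (rule number, action, ...) carry no rule element.
    // assert() alone is compiled out with NDEBUG, so refuse explicitly.
    if (re==NULL) return false;
    int position = Rule::cast(re->getParent())->getPosition();
    int column = index.column();
    int number = getObjectNumber(obj, index);
    FWCmdRuleChangeRe* cmd = new FWCmdRuleChangeRe(
        project, ((RuleSetModel*)model())->getRuleSet(),
        re, position, column, number, text, macro);
    RuleElement *newRe = RuleElement::cast(cmd->getNewState());
    newRe->addRef(obj);
    // Same guard as setDummy(): only resolve the placeholder when the
    // element actually has one, rather than passing whatever findInIndex()
    // returns for an invalid id to removeRef().
    if (newRe->getDummyElementId() > 0)
        newRe->removeRef(newRe->getRoot()->findInIndex(newRe->getDummyElementId()));
    if (macro == 0) project->undoStack->push(cmd);
    return true;
}

/* RuleElementItf::validateChild() accepts any Interface object. We
 * should apply additional restriction though: only interface of the
 * same firewall should be allowed. It turns out to be very hard to
 * implement this restriction in RuleElementItf::validateChild()
 * because when the operation is performed via redo(), the
 * RuleElementItf object we have to use is not part of the tree and
 * therefore does not have any parent firewall to compare with.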
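*/
bool RuleSetView::validateForInsertionToInterfaceRE(RuleElementItf *re, FWObject *obj)
{
    return re->validateChild(obj) && re->checkItfChildOfThisFw(obj);
}

/*
 * Cell-level check: @obj may go into the cell at @index only if the column
 * holds objects or time intervals and the element-level check passes.
 */
bool RuleSetView::validateForInsertion(QModelIndex index, FWObject *obj)
{
    ColDesc colDesc = index.data(Qt::UserRole).value();
    if (colDesc.type != ColDesc::Object && colDesc.type != ColDesc::Time) return false;
    RuleElement *re = getRE(index);
    // Not expected for Object/Time columns, but assert() is a no-op with
    // NDEBUG; refuse rather than dereference NULL.
    if (re==NULL) return false;
    return validateForInsertion(re, obj);
}

/*
 * Element-level check: may @obj be inserted into @re?
 * Rejects NULL, rule sets, objects in the "Deleted Objects" library,
 * objects the element type does not accept (with a message box unless
 * @quiet), the element's own "any"/placeholder objects, duplicates, and,
 * for interface elements, interfaces of another firewall.
 */
bool RuleSetView::validateForInsertion(RuleElement *re, FWObject *obj, bool quiet)
{
    // Everything below dereferences obj (getLibrary(), getId()); reject a
    // NULL object up front instead of relying on validateChild() to do it.
    if (obj == NULL) return false;
    if (RuleSet::cast(obj)!=NULL) return false;
    // see #1976 do not allow pasting object that has been deleted
    if (obj->getLibrary()->getId() == FWObjectDatabase::DELETED_OBJECTS_ID) return false;
    if (! re->validateChild(obj) )
    {
        if (!quiet)
        {
            if (RuleElementRItf::cast(re))
            {
                QMessageBox::information(
                    NULL , "Firewall Builder",
                    QObject::tr(
                        "A single interface belonging to this firewall is "
                        "expected in this field."),
                    QString::null,QString::null);
            } else if (RuleElementRGtw::cast(re))
            {
                QMessageBox::information(
                    NULL , "Firewall Builder",
                    QObject::tr(
                        "A single ip adress is expected here. You may also "
                        "insert a host or a network adapter leading to a single "
                        "ip adress."),
                    QString::null,QString::null);
            }
        }
        return false;
    }
    if (re->getAnyElementId()==obj->getId()) return false;
    if (re->getDummyElementId()==obj->getId()) return false;
    if ( !re->isAny())
    {
        /* avoid duplicates */
        int cp_id = obj->getId();
        list::iterator j;
        for(j=re->begin(); j!=re->end(); ++j)
        {
            FWObject *o=*j;
            if(cp_id==o->getId()) return false;
            FWReference *ref;
            if( (ref=FWReference::cast(o))!=NULL && cp_id==ref->getPointerId()) return false;
        }
    }
    // This includes RuleElementItfInb and RuleElementItfOutb of nat rules
    // NOTE(review): a RuleElementRItf is handed to RuleElementItf::cast();
    // this assumes RItf derives from Itf, otherwise the callee gets NULL.
    if (RuleElementItf::cast(re) || RuleElementRItf::cast(re))
        return validateForInsertionToInterfaceRE(RuleElementItf::cast(re), obj);
    return true;
}

/* Call validateForInsertion() before calling this function to make
 * sure @object can be inserted in the RE the @index points to. */
void RuleSetView::copyAndInsertObject(QModelIndex &index, FWObject *object)
{
    if (!validateForInsertion(index, object)) return;
    RuleSetModel* md = ((RuleSetModel*)model());
    bool need_to_reload_tree = false;
    if (md->getRuleSet()->getRoot()!=object->getRoot())
    {
        // object is being copied from another project file: copy the
        // subtree into this rule set's library and insert the copy, so the
        // rule never references an object of the other file.
        FWObject *target = FWBTree().getStandardSlotForObject(
            md->getRuleSet()->getLibrary(), object->getTypeName().c_str());
        map map_ids;
        object = project->db()->recursivelyCopySubtree(target, object, map_ids);
        need_to_reload_tree = true;
    }
    insertObject(
        index, object, "insert "+QString::fromUtf8(object->getName().c_str()));
    if (need_to_reload_tree)
    {
        project->m_panel->om->reload();
        project->m_panel->om->openObjectInTree(object);
        // but still need to reopen this ruleset
        project->m_panel->om->openObjectInTree(md->getRuleSet());
    }
}

/*
 * Decides during the drag whether a drop at the cursor would be accepted:
 * same-process drag, our MIME type, writable rule set, an object/time
 * column holding a rule element, and every dragged object valid for that
 * element (checked quietly, without message boxes).
 */
void RuleSetView::dragMoveEvent( QDragMoveEvent *ev)
{
    RuleSetModel* md = ((RuleSetModel*)model());
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    QWidget *fromWidget = ev->source();
#else
    QWidget *fromWidget = qobject_cast(ev->source());
#endif
    // The source of DnD object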
// must be the same instance of fwbuilder
    if (fromWidget)
    {
        if (ev->mimeData()->hasFormat(FWObjectDrag::FWB_MIME_TYPE) &&
            !md->getRuleSet()->isReadOnly())
        {
            // Ctrl turns the default move into a copy (mirrors dropEvent()).
            if (ev->keyboardModifiers() & Qt::ControlModifier)
                ev->setDropAction(Qt::CopyAction);
            else
                ev->setDropAction(Qt::MoveAction);
            QModelIndex index = indexAt (ev->pos());
            ColDesc colDesc = index.data(Qt::UserRole).value();
            // Only object and time-interval columns take drops.
            if (index.column()<0 ||
                ( colDesc.type != ColDesc::Object && colDesc.type != ColDesc::Time) )
            {
                ev->setAccepted(false);
                return;
            }
            RuleElement *re = getRE(index);
            if (re==NULL)
            {
                ev->setAccepted(false);
                return;
            }
            bool acceptE = true;
            list dragol;
            if (FWObjectDrag::decode(ev, dragol))
            {
                for (list::iterator i=dragol.begin(); i!=dragol.end(); ++i)
                {
                    FWObject *dragobj = NULL;
                    dragobj = dynamic_cast(*i);
                    if(dragobj!=NULL)
                    {
                        // quiet=true: no message boxes while the cursor moves
                        acceptE &= validateForInsertion(re, dragobj, true);
                    }
                }
                ev->setAccepted( acceptE );
                return;
            }
        }
    }
    ev->setAccepted(false);
}

/* Clears the view selection, the current index and the tracked object. */
void RuleSetView::unselect()
{
    clearSelection();
    setCurrentIndex(QModelIndex());
    fwosm->setSelected(NULL, QModelIndex());
}

FWObject* RuleSetView::getSelectedObject()
{
    return fwosm->selectedObject;
}

/*
 * Records the current rule (by id) and column in @memento so the position
 * can be re-selected later; both fields are -1 when nothing is current.
 */
void RuleSetView::saveCurrentRowColumn(SelectionMemento &memento)
{
    RuleSetModel* md = ((RuleSetModel*)model());
    QModelIndex index = fwosm->index;
    if (index.isValid())
    {
        RuleNode* node = md->nodeFromIndex(index);
        if (node && node->rule)
        {
            memento.column = index.column();
            // The inner NULL test is redundant (node->rule was checked above);
            // kept as-is.
            FWObject *rule = node->rule;
            if (rule) memento.rule_id = node->rule->getId();
            else memento.rule_id = -1;
            return;
        }
    }
    memento.column = -1;
    memento.rule_id = -1;
}

/*
 * Re-selects the rule/column saved by saveCurrentRowColumn().
 * NOTE(review): the rule is looked up by id without a NULL check; if it no
 * longer exists (e.g. removed by undo) md->index() receives NULL. Whether
 * that yields an invalid index is not visible here -- confirm.
 */
void RuleSetView::restoreCurrentRowColumn(SelectionMemento &memento)
{
    if (memento.rule_id != -1)
    {
        RuleSetModel* md = ((RuleSetModel*)model());
        Rule *rule = Rule::cast(project->db()->findInIndex(memento.rule_id));
        QModelIndex index = md->index(rule, memento.column);
        selectRE(index);
    }
}

/* Tells the model the current row changed and re-fits its column width. */
void RuleSetView::updateCurrentCell()
{
    RuleSetModel* md = ((RuleSetModel*)model());
    md->rowChanged(fwosm->index);
    updateColumnSizeForIndex(fwosm->index);
}
/* * looks like this method can be called when we print from the command * line. Variable project==NULL at that time. */ void RuleSetView::saveCollapsedGroups() { if (project) { QStringList collapsed_groups; QString filename = project->getRCS()->getFileName(); RuleSetModel* md = ((RuleSetModel*)model()); QList groups; md->getGroups(groups); foreach (QModelIndex index, groups) { if (!isExpanded(index)) { RuleNode* node = static_cast(index.internalPointer()); collapsed_groups.push_back(node->name); } } Firewall *f = md->getFirewall(); if (f) st->setCollapsedRuleGroups( filename, f->getName().c_str(), md->getRuleSet()->getName().c_str(), collapsed_groups); } } /* * looks like this method can be called when we print from the command * line. Variable project==NULL at that time. */ void RuleSetView::restoreCollapsedGroups() { if (project) { QTime t; t.start(); RuleSetModel* md = ((RuleSetModel*)model()); QStringList collapsed_groups; QString filename; filename = project->getRCS()->getFileName(); if (fwbdebug) qDebug("restoreCollapsedGroups begin: %d ms", t.restart()); Firewall *f = md->getFirewall(); if (f) st->getCollapsedRuleGroups( filename, f->getName().c_str(), md->getRuleSet()->getName().c_str(), collapsed_groups); if (fwbdebug) qDebug("restoreCollapsedGroups getCollapsedRuleGroups: %d ms", t.restart()); QList groups; md->getGroups(groups); if (fwbdebug) { qDebug("restoreCollapsedGroups getGroups: %d ms", t.restart()); qDebug() << "Groups:" << groups.size(); } foreach (QModelIndex index, groups) { RuleNode* node = static_cast(index.internalPointer()); setExpanded(index, !collapsed_groups.contains(node->name) ); } if (fwbdebug) qDebug("restoreCollapsedGroups foreach setExpanded: %d ms", t.restart()); } } int RuleSetView::rowHeight(const QModelIndex& index) const { return QTreeView::rowHeight(index); } void RuleSetView::updateWidget() { updateGeometries(); } bool RuleSetView::showToolTip(QEvent *event) { if (!st->getObjTooltips()) return true; QHelpEvent *he = 
(QHelpEvent*) event; QPoint pos = viewport()->mapFromGlobal(he->globalPos()); QString toolTip=""; QModelIndex index = indexAt(pos); if (!index.isValid()) { if (st->getBool("UI/AdvancedTooltips")) return false; toolTip = QObject::tr( "" "Policy, NAT and routing rules are shown here. " "
  • Rules use objects, if you want " "to use an object like IP address in a rule, " "you need to first create it in the object tree
  • " "
  • Drag and drop objects from the tree to " "the desired field (source, destination, etc.) in " "the rule.
  • " "
  • To add a rule, click the '+' button at " "the top of the window
  • " "
  • To open menu of operations such as " "'add rule', 'remove rule' etc, click right mouse button
  • " "
"); QToolTip::showText(mapToGlobal( he->pos() ), toolTip, this); return true; } RuleSetModel* md = ((RuleSetModel*)model()); RuleNode *node = md->nodeFromIndex(index); int column = index.column(); if (node->type == RuleNode::Rule) { QVariant v = index.data(Qt::DisplayRole); ColDesc colDesc = index.data(Qt::UserRole).value(); if (column == 0) { if (st->getBool("UI/AdvancedTooltips")) return false; // rule number column toolTip = QObject::tr( "" "To open menu of operations such as 'add rule', " "'remove rule' etc, click right mouse button.
" "To compile the rule and see generated firewall " "configuration, first select it by clicking inside of it " "and then hit 'X' on keyboard html>"); QToolTip::showText(mapToGlobal( he->pos() ), toolTip, this); return true; } else { switch (colDesc.type) { case ColDesc::Comment: if (!st->getClipComment()) return false; toolTip = v.value(); break; case ColDesc::Options: { Rule* rule = node->rule; if (PolicyRule::cast(rule)!=NULL ) { // if (!isDefaultPolicyRuleOptions(rule->getOptionsObject())) toolTip = FWObjectPropertiesFactory::getPolicyRuleOptions(rule); } if (NATRule::cast(rule)!=NULL ) { // if (!isDefaultNATRuleOptions( rule->getOptionsObject())) toolTip = FWObjectPropertiesFactory::getNATRuleOptions(rule); } } break; case ColDesc::Direction: if (st->getBool("UI/AdvancedTooltips")) { toolTip = QObject::tr("Direction: %1
") .arg(v.value()); } else { toolTip = QObject::tr("Direction: %1
" "To change the direction, " "click right mouse button to open " "the list of possible settings") .arg(v.value()); } break; case ColDesc::Action: if (st->getBool("UI/AdvancedTooltips")) { toolTip = v.value().tooltip; } else { toolTip = QObject::tr("%1 To change the action, " "click right mouse button to open " "the list of possible settings") .arg(v.value().tooltip); } break; default: FWObject *object = getObject(pos, index); if (object == 0) return true; toolTip = FWObjectPropertiesFactory::getObjectPropertiesDetailed( object, true, true); if (st->getBool("UI/AdvancedTooltips")) { if (object->getId() == FWObjectDatabase::ANY_ADDRESS_ID || object->getId() == FWObjectDatabase::ANY_SERVICE_ID || object->getId() == FWObjectDatabase::ANY_INTERVAL_ID) return false; } } } } else { toolTip = node->name; } if (toolTip.isEmpty()) { QToolTip::hideText(); return true; } if (fwbdebug) qDebug() << "Toolip: " << toolTip; QRect cr = visualRect(index); cr = QRect(cr.left() - horizontalOffset() - 2, cr.top() - verticalOffset() - 2, cr.width() + 4, cr.height() + 4); QRect global = QRect( viewport()->mapToGlobal(cr.topLeft()), viewport()->mapToGlobal(cr.bottomRight())); QToolTip::showText(mapToGlobal( he->pos() ), toolTip, this, global); return true; } bool RuleSetView::event( QEvent * event ) { if (event->type() == QEvent::ToolTip) { return showToolTip(event); } return QTreeView::event(event); } void RuleSetView::resizeColumns() { header()->resizeSections(QHeaderView::ResizeToContents); } void RuleSetView::updateAllColumnsSize() { resizeColumns(); } void RuleSetView::updateColumnSizeForIndex(QModelIndex index) { ((RuleSetModel*)model())->nodeFromIndex(index)->resetSizes(); //TODO: update only corresponding column resizeColumns(); } void RuleSetView::updateSectionSizesForIndex(QModelIndex idx1, QModelIndex idx2) { Q_UNUSED(idx1) Q_UNUSED(idx2) updateAllColumnsSize(); } void RuleSetView::setModel(QAbstractItemModel *model) { connect (model, SIGNAL 
(dataChanged(QModelIndex,QModelIndex)), this, SLOT (updateSectionSizesForIndex(QModelIndex,QModelIndex))); connect (model, SIGNAL (layoutChanged()), this, SLOT (updateAllColumnsSize())); QTreeView::setModel(model); connect (selectionModel(), SIGNAL(selectionChanged(QItemSelection,QItemSelection)), this, SLOT(updateSelectionSensitiveActions())); } void RuleSetView::repaintSelection() { QModelIndex index = currentIndex(); fwosm->setSelected(project->getSelectedObject(), index); viewport()->update((viewport()->rect())); } void RuleSetView::updateAll() { // May be it needs to invalidate all precalculated sizes. ((RuleSetModel*)model())->resetAllSizes(); viewport()->update((viewport()->rect())); updateAllColumnsSize(); } RuleElement* RuleSetView::getRE(QModelIndex index) { return (RuleElement *)index.data(Qt::DisplayRole).value(); } void RuleSetView::keyPressEvent( QKeyEvent* ev ) { RuleSetModel* md = ((RuleSetModel*)model()); if (md->getFirewall()==NULL) return; project->selectRules(); RuleElement *re; QModelIndex oldIndex = fwosm->index; int objno = getObjectNumber(fwosm->selectedObject, oldIndex); if (ev->key()==Qt::Key_Left || ev->key()==Qt::Key_Right) { int shift= (ev->key()==Qt::Key_Left) ? 
-1 : 1; int newColumn = oldIndex.column() + shift; if ((newColumn <= 0) || (newColumn > md->header.size())) return; /* keyboard 'Left' or 'Right', switch to the object with the same * number in the cell to the left or to the right */ QModelIndex newIndex = md->index(oldIndex.row(), newColumn, oldIndex.parent()); re = getRE(newIndex); if (re==NULL) { fwosm->setSelected(NULL, newIndex); setCurrentIndex(newIndex); return; } FWObject *newObj = getObject(objno, newIndex); selectObject(newObj, newIndex); return; } if (ev->key()==Qt::Key_PageDown || ev->key()==Qt::Key_PageUp || ev->key()==Qt::Key_End || ev->key()==Qt::Key_Home) { QTreeView::keyPressEvent(ev); QModelIndex newIndex = md->index(currentIndex().row(), oldIndex.column(), currentIndex().parent()); re = getRE(newIndex); FWObject *object = NULL; if (re != NULL) { object = FWReference::getObject(re->front()); selectObject(object, newIndex); } else { fwosm->setSelected(NULL, newIndex); setCurrentIndex(newIndex); } return; } if (ev->key()==Qt::Key_Down || ev->key()==Qt::Key_Up) { re = getRE(oldIndex); FWObject *object = md->getFirewall(); QModelIndex newIndex = oldIndex; FWObject::iterator i; if (re == NULL && !md->isGroup(oldIndex)) { // Non-object column. 
Just move focus up or down; QTreeView::keyPressEvent(ev); newIndex = md->index(currentIndex().row(), oldIndex.column(), currentIndex().parent()); if (!md->isGroup(newIndex)) { selectionModel()->select( newIndex, QItemSelectionModel::Rows | QItemSelectionModel::Select); setCurrentIndex(newIndex); fwosm->setSelected(NULL, newIndex); ev->accept(); } return; } else { if (md->isGroup(oldIndex)) { object = NULL; } else { FWObject *prev = NULL; for (i=re->begin(); i!=re->end(); ++i) { object = FWReference::getObject(*i); if (ev->key()==Qt::Key_Up && object==fwosm->selectedObject) break; if (ev->key()==Qt::Key_Down && prev==fwosm->selectedObject) break; prev = object; } if (ev->key()==Qt::Key_Up) object = prev; if (ev->key()==Qt::Key_Down && i == re->end()) object = NULL; } if (object == NULL) { // It needs to move to another row QTreeView::keyPressEvent(ev); newIndex = md->index(currentIndex().row(), oldIndex.column(), currentIndex().parent()); selectionModel()->select( newIndex, QItemSelectionModel::Rows | QItemSelectionModel::Select); if (oldIndex.row() == newIndex.row()) { // we are stuck! It's very first or last row. 
object = fwosm->selectedObject; } else { re = getRE(newIndex); if (re != NULL) { // NOT a group if (ev->key()==Qt::Key_Up) { i = re->end(); --i; } else { i = re->begin(); } object = FWReference::getObject(*i); } else { if (!md->isGroup(newIndex)) { setCurrentIndex(newIndex); fwosm->setSelected(NULL, newIndex); ev->accept(); return; } object = md->getFirewall(); } } } else { // select other object in current cell } } selectObject(object, newIndex); ev->accept(); return; } if (ev->key()==Qt::Key_Delete) { deleteSelectedObject(); } if (ev->key()==Qt::Key_Enter || ev->key()==Qt::Key_Return) { editSelected(); } QTreeView::keyPressEvent(ev); } void RuleSetView::compileCurrentRule() { RuleSetModel* md = ((RuleSetModel*)model()); //if (!isTreeReadWrite(this, md->getRuleSet())) return; if (md->getFirewall()==NULL) return; QModelIndex index = currentIndex(); if (!index.isValid()) return; RuleNode* node = static_cast(index.internalPointer()); if (node == 0 || node->type != RuleNode::Rule || node->rule == 0) return; mw->singleRuleCompile(node->rule); } void RuleSetView::updateSelectionSensitiveActions() { // qDebug() << "RuleSetView::updateSelectionSensitiveActions(QItemSelection selected,QItemSelection deselected)"; RuleSetModel* md = ((RuleSetModel*)model()); QModelIndexList selectedIndexes = getSelectedRows(); bool compileRuleActionEnabled = false; int selectionSize = selectedIndexes.size(); if (selectionSize==1) { QModelIndex index = selectedIndexes.at(0); if (index.isValid()) { RuleNode* node = md->nodeFromIndex(index); if (node!=0 && node->type == RuleNode::Rule && node->rule != 0) { compileRuleActionEnabled = !node->rule->isDisabled(); } } } compileRuleAction->setEnabled(compileRuleActionEnabled); if (selectionSize == 0) { setActionState(removeFromGroupAction, false); setActionState(newGroupAction, false); setActionState(moveRuleUpAction, false); setActionState(moveRuleDownAction, false); setActionState(addToGroupAboveAction, false); 
setActionState(addToGroupBelowAction, false); setActionState(insertRuleAction, false); setActionState(addRuleAfterCurrentAction, false); setActionState(removeRuleAction, false); setActionState(disableRuleAction, false); setActionState(enableRuleAction, false); setActionState(copyRuleAction, false); setActionState(cutRuleAction, false); setActionState(pasteRuleAboveAction, false); setActionState(pasteRuleBelowAction, false); setColorEmptyAction->setEnabled(false); setColorRedAction->setEnabled(false); setColorBlueAction->setEnabled(false); setColorOrangeAction->setEnabled(false); setColorPurpleAction->setEnabled(false); setColorGrayAction->setEnabled(false); setColorYellowAction->setEnabled(false); setColorGreenAction->setEnabled(false); } else { bool inGroup = true; bool outermost = false; bool topLevelOnly = true; int disabled = 0; int enabled = 0; foreach(QModelIndex index, selectedIndexes) { if (index.isValid()) { RuleNode* node = md->nodeFromIndex(index); topLevelOnly = topLevelOnly && (node->type == RuleNode::Rule); if (node!=0 && node->type == RuleNode::Rule && node->rule != 0) { bool isInGroup = node->isInGroup(); inGroup = inGroup && isInGroup; topLevelOnly = topLevelOnly && !isInGroup; outermost = outermost || (node->isOutermost() && isInGroup); Rule *r = node->rule; if (r->isDisabled()) disabled++; else enabled++; } } } setActionState(disableRuleAction, enabled > 0); setActionState(enableRuleAction, disabled > 0); enableRuleAction->setText( (disabled==1)?tr("Enable Rule"):tr("Enable Rules")); disableRuleAction->setText( (enabled==1)?tr("Disable Rule"):tr("Disable Rules")); if (selectionSize > 1) { copyRuleAction->setText(tr("Copy Rules")); cutRuleAction->setText(tr("Cut Rules")); moveRuleUpAction->setText(tr("Move Rules Up")); moveRuleDownAction->setText(tr("Move Rules Down")); removeRuleAction->setText(tr("Remove Rules")); } else { copyRuleAction->setText(tr("Copy Rule")); cutRuleAction->setText(tr("Cut Rule")); moveRuleUpAction->setText(tr("Move Rule 
Up")); moveRuleDownAction->setText(tr("Move Rule Down")); removeRuleAction->setText(tr("Remove Rule")); } if (topLevelOnly) { QString addToGroupLabel = tr("Add To the Group "); QString nn; nn = md->nodeFromIndex(selectedIndexes.first())->nameOfPredecessorGroup(); if (!nn.isEmpty()) { addToGroupAboveAction->setText(addToGroupLabel + nn); setActionState(addToGroupAboveAction, true); } else { setActionState(addToGroupAboveAction, false); } nn = md->nodeFromIndex(selectedIndexes.last())->nameOfSuccessorGroup(); if (!nn.isEmpty()) { addToGroupBelowAction->setText(addToGroupLabel + nn); setActionState(addToGroupBelowAction, true); } else { setActionState(addToGroupBelowAction, false); } } else { setActionState(addToGroupAboveAction, false); setActionState(addToGroupBelowAction, false); } setActionState(removeFromGroupAction, outermost); setActionState(newGroupAction, topLevelOnly); setActionState(moveRuleUpAction, true); setActionState(moveRuleDownAction, true); setActionState(insertRuleAction, true); setActionState(addRuleAfterCurrentAction, true); setActionState(removeRuleAction, true); setActionState(copyRuleAction, true); setActionState(cutRuleAction, true); setActionState(pasteRuleAboveAction, true); setActionState(pasteRuleBelowAction, true); setColorEmptyAction->setEnabled(true); setColorRedAction->setEnabled(true); setColorBlueAction->setEnabled(true); setColorOrangeAction->setEnabled(true); setColorPurpleAction->setEnabled(true); setColorGrayAction->setEnabled(true); setColorYellowAction->setEnabled(true); setColorGreenAction->setEnabled(true); } } void RuleSetView::updateObject(FWObject* object) { RuleSetModel* md = ((RuleSetModel*)model()); md->objectChanged(object); } void RuleSetView::setActionState(QAction *action, bool state) { action->setEnabled(state); action->setVisible(state); } //////////////////////////////////////////////////////////////////////////// // PolicyView //////////////////////////////////////////////////////////////////////////// 
/*
 * View for a Policy rule set. Installs a PolicyModel, replaces the default
 * item delegate with RuleSetViewDelegate and runs the shared init().
 *
 * The selection model created by the QTreeView base is kept in a local and
 * deleted only after setModel() has installed the replacement; deleting it
 * earlier would leave the view pointing at freed memory, and not deleting
 * it at all would (presumably) leak it until the view itself goes away.
 */
PolicyView::PolicyView(ProjectPanel *project, Policy *p, QWidget *parent)
    : RuleSetView(project, parent)
{
    QItemSelectionModel *staleSelection = QTreeView::selectionModel();
    RuleSetModel *rulesModel = new PolicyModel(p, this);
    setModel(rulesModel);
    delete staleSelection;

    // The delegate gets fwosm (a RuleSetView member) so it can tell which
    // object inside a cell is the selected one when painting.
    RuleSetViewDelegate *cellDelegate = new RuleSetViewDelegate(this, fwosm);
    cellDelegate->setStandardHighlightColor(palette().color(QPalette::Highlight));
    setItemDelegate(cellDelegate);

    init();
}

////////////////////////////////////////////////////////////////////////////
// NATView
////////////////////////////////////////////////////////////////////////////

/*
 * View for a NAT rule set. Same construction sequence as PolicyView, with a
 * NatModel as the backing model.
 */
NATView::NATView(ProjectPanel *project, NAT *p, QWidget *parent)
    : RuleSetView(project, parent)
{
    QItemSelectionModel *staleSelection = QTreeView::selectionModel();
    RuleSetModel *rulesModel = new NatModel(p, this);
    setModel(rulesModel);
    delete staleSelection;

    RuleSetViewDelegate *cellDelegate = new RuleSetViewDelegate(this, fwosm);
    cellDelegate->setStandardHighlightColor(palette().color(QPalette::Highlight));
    setItemDelegate(cellDelegate);

    init();
}

////////////////////////////////////////////////////////////////////////////
// RoutingView
////////////////////////////////////////////////////////////////////////////

/*
 * View for a Routing rule set. Same construction sequence as PolicyView,
 * with a RoutingModel as the backing model.
 */
RoutingView::RoutingView(ProjectPanel *project, Routing *p, QWidget *parent)
    : RuleSetView(project, parent)
{
    QItemSelectionModel *staleSelection = QTreeView::selectionModel();
    RuleSetModel *rulesModel = new RoutingModel(p, this);
    setModel(rulesModel);
    delete staleSelection;

    RuleSetViewDelegate *cellDelegate = new RuleSetViewDelegate(this, fwosm);
    cellDelegate->setStandardHighlightColor(palette().color(QPalette::Highlight));
    setItemDelegate(cellDelegate);

    init();
}
fwbuilder-5.3.7/src/libgui/RuleSetView.h000066400000000000000000000234711303637203600201540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003-2009 NetCitadel, LLC Author: Illiya Yalovoy Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License.
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef RULESETVIEW_H
#define RULESETVIEW_H

// NOTE(review): the targets of the angle-bracket #include directives below
// were lost when this file was extracted and cannot be recovered from here.
#include
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
# include
#else
# include
#endif
#include
#include "fwbuilder/Rule.h"
#include "ColDesc.h"

using namespace std;

namespace libfwbuilder {
    class FWObject;
    class Firewall;
    class FWReference;
    class RuleElement;
    class RuleSet;
    class Policy;
    class NAT;
    class Routing;
    class RuleElement;
    class RuleElementItf;
    class NATRule;
    class RoutingRule;
}

class ProjectPanel;
class FWObjectSelectionModel;
class RuleNode;
class RuleSetModel;

/*
 * Snapshot of the current cell (rule id + column), written by
 * RuleSetView::saveCurrentRowColumn() and read back by
 * restoreCurrentRowColumn(). Both fields start at -1, presumably meaning
 * "nothing saved yet".
 */
class SelectionMemento
{
public:
    SelectionMemento() { rule_id = -1; column = -1; }
    int rule_id;
    int column;
};

/*
 * Tree view for one rule set of a firewall. The subclasses at the end of
 * this file (PolicyView, NATView, RoutingView) install the matching
 * RuleSetModel and a RuleSetViewDelegate that paints the cells; this class
 * carries the selection handling, the context-menu actions, drag & drop and
 * the editing slots shared by all three.
 */
class RuleSetView : public QTreeView
{
    Q_OBJECT;

public:
    RuleSetView(ProjectPanel *project, QWidget *parent);
    ~RuleSetView();

    // Static factory: creates the view for 'ruleset' (judging from the name,
    // chosen by the rule set's type).
    static RuleSetView* getRuleSetViewByType(ProjectPanel *project,
                                             libfwbuilder::RuleSet *ruleset,
                                             QWidget *parent);

    virtual void init();
    virtual void initActions();

    // The selectRE() overloads make a rule element current, addressed by
    // model index, by a reference contained in it, by rule + column number,
    // by rule + column type, or by rule element + the object to select in it.
    void selectRE(QModelIndex index);
    /**
     * selects rule element a reference 'ref' belongs to
     */
    void selectRE(libfwbuilder::FWReference *ref);
    /**
     * makes specified column of a rule current.
     */
    void selectRE(libfwbuilder::Rule *rule, int col);
    void selectRE(libfwbuilder::Rule *rule, ColDesc::ColumnType type);
    /**
     * makes specified rule element current and selects object in it.
     */
    void selectRE(libfwbuilder::RuleElement *re, libfwbuilder::FWObject *obj);

    void makeCurrentRuleVisible();
    void selectObject(int position, int column, int number);
    void repaintSelection();
    void updateAll();
    void updateCurrentCell();
    void saveCurrentRowColumn(SelectionMemento &memento);
    void restoreCurrentRowColumn(SelectionMemento &memento);
    void unselect();
    libfwbuilder::FWObject* getSelectedObject();

    // Intentionally empty. According to the original comment this method is
    // called from ProjectPanel.cpp (around line 944), so it is kept for that
    // caller.
    void moveRule() {}

    void restoreCollapsedGroups();
    int getColByType(ColDesc::ColumnType) const;
    virtual int rowHeight(const QModelIndex&) const;
    void updateWidget();
    void setModel(QAbstractItemModel *model);
    void addToGroup(bool isAbove);
    void addRowMenuItemsToMenu(QMenu *menu) const;
    void addGenericMenuItemsToContextMenu(QMenu *menu) const;

    // Number of selected rows, as reported by getSelectedRows().
    int selectedRulesCount() const { return getSelectedRows().size(); }

public slots:
    // Context menu and rule-level editing (insert/move/remove/enable/
    // clipboard/grouping/colour). These apparently back the QAction members
    // declared under "private:" below.
    void showContextMenu(const QPoint&);
    void insertRule();
    void insertNewRuleOnTop();
    void insertNewRuleAtBottom();
    void addRuleAfterCurrent();
    void moveRuleUp();
    void moveRuleDown();
    void removeRule();
    void disableRule();
    void enableRule();
    void copyRule();
    void cutRule();
    void pasteRuleAbove();
    void pasteRuleBelow();
    void renameGroup();
    void removeFromGroup();
    void newGroup();
    void addToGroupAbove();
    void addToGroupBelow();
    void setColorEmpty();
    void setColorRed();
    void setColorBlue();
    void setColorOrange();
    void setColorPurple();
    void setColorGray();
    void setColorYellow();
    void setColorGreen();
    void setRuleColor(const QString &c);
    void itemDoubleClicked(const QModelIndex& index);
    void editSelected();

    // Cell-level edits: direction, action, logging and negation of the
    // current rule element, plus clipboard operations on the object in it.
    void changeDirectionToIn();
    void changeDirectionToOut();
    void changeDirectionToBoth();
    void changeActionToAccept();
    void changeActionToDeny();
    void changeActionToReject();
    void changeActionToAccounting();
    void changeActionToPipe();
    void changeActionToCustom();
    void changeActionToBranch();
    void changeActionToContinue();
    void changeActionToTranslate();
    void changeActionToNATBranch();
    void changeLogToOn();
    void changeLogToOff();
    void negateRE();
    void revealObjectInTree();
    void findWhereUsedSlot();
    void deleteSelectedObject();
    void copySelectedObject();
    void cutSelectedObject();
    void pasteObject();
    void convertToAny();
    void saveCollapsedGroups();
    void updateAllColumnsSize();
    void updateColumnSizeForIndex(QModelIndex);
    void updateSectionSizesForIndex(QModelIndex, QModelIndex);
    void updateObject(libfwbuilder::FWObject* object);
    void compileCurrentRule();
    void updateSelectionSensitiveActions();
    void setSelectedRows(const QModelIndex firstIndex, const QModelIndex lastIndex);

protected:
    // Object selection model shared with the delegate. The PolicyView/
    // NATView/RoutingView constructors hand it to RuleSetViewDelegate, so it
    // must already be valid when the base constructor returns (presumably it
    // is created there; not visible in this file).
    FWObjectSelectionModel *fwosm;

    // Qt event overrides: mouse, drag & drop and keyboard handling.
    virtual void mousePressEvent( QMouseEvent* ev );
    virtual void mouseReleaseEvent( QMouseEvent* ev );
    virtual void mouseMoveEvent( QMouseEvent* ev );
    virtual void dragEnterEvent( QDragEnterEvent *ev);
    virtual void dropEvent( QDropEvent *ev);
    virtual void dragMoveEvent( QDragMoveEvent *ev);
    virtual QDrag* dragObject();
    virtual bool event( QEvent * event );
    virtual void keyPressEvent( QKeyEvent* ev );

    // Insertion/removal of objects into rule elements. 'makro', when given,
    // is presumably a parent QUndoCommand used to group several edits into
    // one undoable step; the 'quiet' flag looks like it suppresses the
    // user-facing error on a failed validation (confirm in RuleSetView.cpp).
    bool validateForInsertion(QModelIndex index, libfwbuilder::FWObject *obj);
    void deleteObject(QModelIndex index, libfwbuilder::FWObject *obj, QString text, QUndoCommand* makro = 0);
    bool insertObject(QModelIndex index, libfwbuilder::FWObject *obj, QString text, QUndoCommand* makro = 0);
    bool validateForInsertion(libfwbuilder::RuleElement *re, libfwbuilder::FWObject *obj, bool quiet=false);
    bool validateForInsertionToInterfaceRE(libfwbuilder::RuleElementItf *re, libfwbuilder::FWObject *obj);

    // 'member' is the slot to connect the new action to (a SLOT() string).
    QAction* createAction(QString label, const char* member, const QKeySequence &shortcut = 0);

private:
    // This flag is needed to start a drag when the user moves the mouse,
    // but not when he merely clicks the selected record.
    bool startingDrag;

    // Actions shown in the context menu. Their enabled/visible state is
    // driven by updateSelectionSensitiveActions() via setActionState().
    QAction *compileRuleAction;
    QAction *removeFromGroupAction;
    QAction *newGroupAction;
    QAction *moveRuleUpAction;
    QAction *moveRuleDownAction;
    QAction *insertRuleAction;
    QAction *addRuleAfterCurrentAction;
    QAction *addToGroupAboveAction;
    QAction *addToGroupBelowAction;
    QAction *removeRuleAction;
    QAction *copyRuleAction;
    QAction *cutRuleAction;
    QAction *pasteRuleAboveAction;
    QAction *pasteRuleBelowAction;
    QAction *disableRuleAction;
    QAction *enableRuleAction;
    QAction *setColorEmptyAction;
    QAction *setColorRedAction;
    QAction *setColorBlueAction;
    QAction *setColorOrangeAction;
    QAction *setColorPurpleAction;
    QAction *setColorGrayAction;
    QAction *setColorYellowAction;
    QAction *setColorGreenAction;

    QMenu *popup_menu;

    libfwbuilder::FWObject *getObject(const QPoint &pos, const QModelIndex &index);
    libfwbuilder::FWObject *getObject(int number, const QModelIndex &index);
    int getObjectNumber(libfwbuilder::FWObject *object, const QModelIndex &index);
    void selectObject(libfwbuilder::FWObject *object, const QModelIndex &index);

    ProjectPanel* project;

    void addGroupMenuItemsToContextMenu(QMenu *menu) const;
    void addChangeColorSubmenu(QMenu *menu) const;
    void addCommonRowItemsToContextMenu(QMenu *menu) const;
    void setEnabledRow(bool flag);
    QModelIndexList getSelectedRows() const;
    bool isOnlyTopLevelRules(const QModelIndexList &list) const;
    bool isOneLevelRules(const QModelIndexList &list);
    void editSelected(const QModelIndex &index);
    bool switchObjectInEditor(const QModelIndex &index, bool validate=true);
    void addColumnRelatedMenu(QMenu *menu,const QModelIndex &index, RuleNode *node, const QPoint& pos);
    // (sic: "Direction". Renaming would touch RuleSetView.cpp, so left as is.)
    void changeDitection(libfwbuilder::PolicyRule::Direction dir);
    void changeAction(int act);
    void changeLogging(bool flag);
    void configureGroups();
    bool showToolTip(QEvent *event);
    void resizeColumns();
    void copyAndInsertObject(QModelIndex &index, libfwbuilder::FWObject *object);
    libfwbuilder::RuleElement* getRE(QModelIndex index);
    bool canChange(RuleSetModel* md);
    void insertRule(QModelIndex index, bool isAfter = false);
    libfwbuilder::FWObject* createInsertTemplate(ProjectPanel* proj_p, int id);
    // Enables/disables an action and hides it while disabled
    // (see RuleSetView.cpp).
    void setActionState(QAction *action, bool state);
    bool useDummy(libfwbuilder::RuleElement* re) const;
    void setDummy(libfwbuilder::RuleElement* re);
    bool isDummy(libfwbuilder::RuleElement* re, int child) const;
};

// The three concrete views differ only in the model they install in their
// constructor (PolicyModel, NatModel, RoutingModel; see RuleSetView.cpp).
class PolicyView : public RuleSetView
{
public:
    PolicyView(ProjectPanel *project, libfwbuilder::Policy *p, QWidget *parent);
    virtual ~PolicyView() {}
private:
};

class NATView : public RuleSetView
{
public:
    NATView(ProjectPanel *project, libfwbuilder::NAT *p, QWidget *parent);
    virtual ~NATView(){}
};

class RoutingView : public RuleSetView
{
public:
    RoutingView(ProjectPanel *project, libfwbuilder::Routing *p, QWidget *parent);
    virtual ~RoutingView() {}
};

#endif // RULESETVIEW_H
fwbuilder-5.3.7/src/libgui/RuleSetViewDelegate.cpp000066400000000000000000000532701303637203600221400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBSettings.h" #include "RuleSetViewDelegate.h" #include "RuleNode.h" #include "ColDesc.h" #include "FWObjectSelectionModel.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Interface.h" #include #include #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) # include #else # include #endif #include using namespace libfwbuilder; using namespace std; //////////////////////////////////////////////////////////////////////////// // RuleSetViewDelegate //////////////////////////////////////////////////////////////////////////// RuleSetViewDelegate::RuleSetViewDelegate(QObject *parent, FWObjectSelectionModel *selectionModel) : QItemDelegate(parent) { //if (fwbdebug) qDebug() << "RuleSetViewDelegate::RuleSetViewDelegate"; this->sectionModel = selectionModel; } void RuleSetViewDelegate::paint(QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index) const { //if (fwbdebug) qDebug() << "RuleSetViewDelegate::paint"; QStyleOptionViewItem newOpt = option; QFont font = st->getRulesFont(); newOpt.font = font; RuleNode * node; if (index.isValid()) { node = static_cast(index.internalPointer()); } else { QItemDelegate::paint(painter, newOpt, index); return; } painter->save(); painter->setFont(font); if (node->type == RuleNode::Group) { paintGroup(painter, newOpt, index, node); } else if (index.column() == 0) { paintRowHeader(painter, newOpt, index, node); } else { paintRule(painter, newOpt, index, node); } painter->restore(); } /* * This paints the leftmost column in the rule set view (where rule * number appears) */ void RuleSetViewDelegate::paintRowHeader(QPainter *painter, const 
QStyleOptionViewItem &option, const QModelIndex &index, RuleNode * node) const { Q_UNUSED(node); QStyleOptionViewItem newOpt = option; newOpt.displayAlignment = Qt::AlignRight; QItemDelegate::paint(painter, newOpt, index); painter->setPen( QColor("lightgray") ); painter->drawRect(option.rect); } void RuleSetViewDelegate::paintGroup(QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index, RuleNode * node) const { Q_UNUSED(node); //if (fwbdebug) qDebug() << "RuleSetViewDelegate::paintGroup"; painter->fillRect(option.rect,QColor("lightgray")); QItemDelegate::paint(painter, option, index); } void RuleSetViewDelegate::drawIcons(QPainter *painter, QRect rect, const QStringList &icons) const { int x = rect.left(); int y = rect.top(); int iconWidth = 0; for (int i=0; idrawPixmap(x, y, pm); iconWidth = pm.width(); x += iconWidth + ICON_TEXT_GAP; } } void RuleSetViewDelegate::drawIconAndText(QPainter *painter, QRect rect, QString icon, QString text, bool negation) const { int x = rect.left(); int y = rect.top(); int iconWidth = 0; if (st->getShowIconsInRules()) { if (!icon.isEmpty()) { QPixmap pm; LoadPixmap(calculateIconName(icon, negation), pm); painter->drawPixmap(x,y,pm); iconWidth = pm.width(); } else { if (FWBSettings::SIZE25X25 == st->getIconsInRulesSize()) iconWidth = 25; else iconWidth = 16; } x += iconWidth + ICON_TEXT_GAP; } if (!text.isEmpty()) { painter->drawText(x, y, rect.width() - iconWidth - ICON_TEXT_GAP, rect.height(), Qt::AlignLeft|Qt::AlignVCenter, text ); } } void RuleSetViewDelegate::drawSelectedFocus(QPainter *painter, const QStyleOptionViewItem &option, QRect &rect) const { if (option.state & QStyle::State_HasFocus) { painter->fillRect(rect, option.palette.brush( QPalette::Highlight )); painter->setPen( option.palette.highlightedText().color() ); } else { painter->setPen( option.palette.text().color() ); } } void RuleSetViewDelegate::paintRule(QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index, 
RuleNode * node) const { QVariant v = index.data(Qt::DisplayRole); if (!v.isValid()) return; if (node != 0) { QString color = getRuleColor(node); if (!color.isEmpty()) { painter->fillRect(option.rect, QColor(color)); } else { if (option.state & QStyle::State_Selected) { painter->fillRect(option.rect, option.palette.color(QPalette::Highlight)); } } } QStyleOptionViewItem new_opt = option; new_opt.palette.setColor(QPalette::Highlight, standard_highlight); ColDesc colDesc = index.data(Qt::UserRole).value(); switch (colDesc.type) { case ColDesc::Object : paintObject(painter, new_opt, v); break; case ColDesc::Direction : paintDirection(painter, new_opt, v); break; case ColDesc::Action : paintAction(painter, new_opt, v); break; case ColDesc::Time : paintObject(painter, new_opt, v); break; case ColDesc::Options : paintOptions(painter, new_opt, v); break; case ColDesc::Comment : paintComment(painter, new_opt, v); break; case ColDesc::Metric : paintMetric(painter, new_opt, v); break; default: QItemDelegate::paint(painter, new_opt, index); } painter->setPen( QColor("lightgray") ); painter->drawRect(new_opt.rect); } void RuleSetViewDelegate::paintDirection( QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const { //if (fwbdebug) qDebug() << "RuleSetViewDelegate::paintDirection"; DrawingContext ctx = initContext(option.rect, true); // useEnireSpace=true QString dir = v.value(); if (option.state & QStyle::State_Selected) drawSelectedFocus(painter, option, ctx.objectRect); QString text = (st->getShowDirectionText())?dir:""; ctx = initContext(option.rect, false); // useEnireSpace=false drawIconAndText(painter, ctx.drawRect, dir, text); } void RuleSetViewDelegate::paintAction( QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const { //if (fwbdebug) qDebug() << "RuleSetViewDelegate::paintAction"; DrawingContext ctx = initContext(option.rect, true); // useEnireSpace=true ActionDesc actionDesc = v.value(); if (option.state & 
QStyle::State_Selected) drawSelectedFocus(painter, option, ctx.objectRect); QString text = constructActionText(actionDesc); ctx = initContext(option.rect, false); // useEnireSpace=false drawIconAndText(painter, ctx.drawRect, actionDesc.name, text); } void RuleSetViewDelegate::paintOptions( QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const { DrawingContext ctx = initContext(option.rect, true); // useEnireSpace=true if (option.state & QStyle::State_Selected) drawSelectedFocus(painter, option, ctx.objectRect); QStringList icons = v.value(); // draw option icons vertically instead of horizontally #2367 // for options "Tag", "Classify" and "Route" the "icon name" actually // consists of the name of the icon, plus space and parameter int y = ctx.objectRect.top(); foreach(QString icon, icons) { QRect itemRect = QRect(ctx.objectRect.left(), y, ctx.objectRect.width(), ctx.itemHeight); QString parameter = icon.section(" ", 1); if (icon.contains("Log")) parameter = tr("log"); if (icon.contains("Options")) parameter = tr("(options)"); if (icon.contains("Accounting")) parameter = tr("(counter)"); drawIconAndText(painter, itemRect.adjusted( HORIZONTAL_MARGIN, VERTICAL_MARGIN, -HORIZONTAL_MARGIN, -VERTICAL_MARGIN), icon, parameter, false); y += ctx.itemHeight; } } void RuleSetViewDelegate::paintComment( QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const { //if (fwbdebug) qDebug() << "RuleSetViewDelegate::paintComment"; DrawingContext ctx = initContext(option.rect, true); QString comment = v.value(); if (option.state & QStyle::State_Selected) drawSelectedFocus(painter, option, ctx.objectRect); painter->drawText( ctx.drawRect, Qt::AlignLeft|Qt::AlignTop, comment); } void RuleSetViewDelegate::paintMetric( QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const { //if (fwbdebug) qDebug() << "RuleSetViewDelegate::paintMetric"; DrawingContext ctx = initContext(option.rect, true); QString metric = 
v.value(); if (option.state & QStyle::State_Selected) drawSelectedFocus(painter, option, ctx.objectRect); ctx = initContext(option.rect, false); // useEnireSpace=false drawIconAndText(painter, ctx.drawRect, QString(), metric); } void RuleSetViewDelegate::paintObject( QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const { //if (fwbdebug) qDebug() << "RuleSetViewDelegate::paintObject"; RuleElement *re = (RuleElement *)v.value(); if (re==NULL) return; DrawingContext ctx = initContext(option.rect, true); int y = ctx.objectRect.top(); for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o1 = FWReference::getObject(*i); if (o1==NULL) continue ; QRect itemRect = QRect(ctx.objectRect.left(), y, ctx.objectRect.width(), ctx.itemHeight); if (sectionModel->selectedObject == o1) { drawSelectedFocus(painter, option, itemRect); } else { painter->setPen( option.palette.text().color() ); } QString icon; if (!re->isAny() && !re->isDummy()) icon = QString(o1->getTypeName().c_str()); // + "/icon"; QString text = objectText(re, o1); if (re->isDummy()) painter->setPen( QColor("darkred") ); drawIconAndText(painter, itemRect.adjusted(HORIZONTAL_MARGIN, VERTICAL_MARGIN, -HORIZONTAL_MARGIN, -VERTICAL_MARGIN), icon, text, re->getNeg()); if ((sectionModel->selectedObject == o1) && !(option.state & QStyle::State_HasFocus) && !re->isAny() && !re->isDummy()) { painter->setPen( QColor("red") ); painter->drawRect(itemRect.left()+1, itemRect.top()+1, itemRect.width()-2, itemRect.height()-2); } y += ctx.itemHeight; } } QSize RuleSetViewDelegate::drawIconInRule( QPainter *p, int x, int y, QString name, bool neg) const { if (!st->getShowIconsInRules()) return QSize(); QPixmap pm; if (FWBSettings::SIZE16X16 == st->getIconsInRulesSize()) { if (!neg) { pm = getPixmap(name, Tree); } else { pm = getPixmap(name, NegTree); } } if (FWBSettings::SIZE25X25 == st->getIconsInRulesSize()) { if (!neg) { pm = getPixmap(name, Normal); } else { pm = getPixmap(name, Neg); } } 
p->drawPixmap( x, y + RULE_ITEM_GAP/2, pm ); return pm.size(); } QPixmap RuleSetViewDelegate::getPixmap(QString name, PixmapAttr pmattr) const { string icn = "icon"; if (pmattr == Neg) icn="icon-neg"; if (pmattr == Ref) icn="icon-ref"; if (pmattr == Tree) icn="icon-tree"; if (pmattr == NegTree) icn="icon-neg-tree"; QString icn_file = ":/Icons/" + name + "/" + icn.c_str(); QPixmap pm; LoadPixmap(icn_file, pm); return pm; } QSize RuleSetViewDelegate::sizeHint(const QStyleOptionViewItem & option, const QModelIndex & index) const { QStyleOptionViewItem newOpt = option; QFont font = st->getRulesFont(); newOpt.font = font; QSize res; RuleNode * node; if (index.isValid()) { node = static_cast(index.internalPointer()); } else { return QItemDelegate::sizeHint(newOpt, index); } if (node->type == RuleNode::Rule) { if (node->sizes[index.column()].isValid()) { return node->sizes[index.column()]; } res = calculateCellSizeForRule(newOpt, index, node) + QSize(1,1); node->sizes[index.column()] = res; // make sure cell height is equal to max height of all cells // in the same row. 
See #2665 QSize tallest_cell = QSize(0, 0); for (int c=0; c<=index.column(); ++c) { QSize cell_size = node->sizes[c]; if (cell_size.isValid()) { int max_height = qMax(tallest_cell.height(), cell_size.height()); tallest_cell.setHeight(max_height); node->sizes[c].setHeight(max_height); } } return res; } //Fix for older Qt versions where width of spanned column is taken into accoun res = QItemDelegate::sizeHint(newOpt, index); res.setWidth(20); return res; } int RuleSetViewDelegate::getItemHeight(QString s, int flag, bool text) { QSize iconSize = getIconSize(); QSize textSize = text?getTextSize(s,flag):QSize(0,0); return qMax(iconSize.height(), textSize.height()) + 2*VERTICAL_MARGIN; } QSize RuleSetViewDelegate::getIconSize() { if (st->getShowIconsInRules()) { if (FWBSettings::SIZE16X16 == st->getIconsInRulesSize()) return QSize(16,16); if (FWBSettings::SIZE25X25 == st->getIconsInRulesSize()) return QSize(25,25); } return QSize(); } QSize RuleSetViewDelegate::getTextSize(QString s, int flag) { QFontMetrics fontMetrics(st->getRulesFont()); return fontMetrics.size(flag,s); } QSize RuleSetViewDelegate::calculateCellSizeForRule( const QStyleOptionViewItem & option, const QModelIndex & index, RuleNode * node ) const { Q_UNUSED(option); Q_UNUSED(node); QSize iconSize = getIconSize(); Q_UNUSED(iconSize); int itemHeight = getItemHeight(); QSize result = QSize(50,itemHeight); ColDesc colDesc = index.data(Qt::UserRole).value(); QSize calculated; switch (colDesc.type) { case ColDesc::Object : calculated = calculateCellSizeForObject(index); break; case ColDesc::Time : calculated = calculateCellSizeForObject(index); break; case ColDesc::Comment : calculated = calculateCellSizeForComment(index); break; case ColDesc::Action : calculated = calculateCellSizeForIconAndText(index); break; case ColDesc::Direction : calculated = calculateCellSizeForIconAndText(index); break; case ColDesc::Options : calculated = calculateCellSizeForOptions(index); break; default : calculated = QSize(0,0); 
} result = result.expandedTo(calculated); return result; } QSize RuleSetViewDelegate::calculateCellSizeForComment(const QModelIndex & index) const { QString text = index.data(Qt::DisplayRole).value(); if (text.isNull() && text.isEmpty()) return QSize(0,0); QSize res = getTextSize(text, 0); if (st->getClipComment()) res.setHeight(0); return res + QSize(10, 0); } QSize RuleSetViewDelegate::calculateCellSizeForObject(const QModelIndex & index) const { RuleElement *re = (RuleElement *)index.data(Qt::DisplayRole).value(); if (re == 0) return QSize(0,0); int itemHeight = getItemHeight(); QSize iconSize = getIconSize(); int h = 0; int w = 0; for (FWObject::iterator j=re->begin(); j!=re->end(); j++) { FWObject *o1= *j; FWObject *o2 = o1; string o1ref = ""; if (FWReference::cast(o1)!=NULL) { o1ref = FWReference::cast(o1)->getPointerId(); o2=FWReference::cast(o1)->getPointer(); } if (o2!=NULL) { QString ot = objectText(re,o2); QSize size = getTextSize(ot,Qt::TextSingleLine); h += itemHeight; w = qMax(w,iconSize.width() + size.width()+ICON_TEXT_GAP); } } QSize res = QSize(w+HORIZONTAL_MARGIN*2,h); // QModelIndex idx = index; // Unused return res; } QString RuleSetViewDelegate::constructActionText(ActionDesc &actionDesc) const { QString text; if (st->getShowDirectionText()) { text = actionDesc.displayName + (actionDesc.argument.isEmpty()?"":(":"+actionDesc.argument)); } else if (!actionDesc.argument.isEmpty()) { text = actionDesc.argument; } if (text.length() > 20) text = text.left(17) + "..."; return text; } QSize RuleSetViewDelegate::calculateCellSizeForIconAndText( const QModelIndex & index) const { QVariant v = index.data(Qt::DisplayRole); ActionDesc actionDesc = v.value(); QString text = constructActionText(actionDesc); if (text == "Undefined") text = "Both"; QSize iconSize = getIconSize(); QSize textSize = getTextSize(text,Qt::TextSingleLine); int h = qMax(iconSize.height(), textSize.height()); int w = iconSize.width() + ICON_TEXT_GAP + textSize.width() + 
HORIZONTAL_MARGIN*2; return QSize(w, h); } QSize RuleSetViewDelegate::calculateCellSizeForOptions( const QModelIndex & index) const { QVariant v = index.data(Qt::DisplayRole); QStringList icons = v.value(); // for options "Tag", "Classify" and "Route" the "icon name" actually // consists of the name of the icon, plus space and parameter int itemHeight = getItemHeight(); QSize iconSize = getIconSize(); int h = 0; int w = 0; foreach(QString icon, icons) { QString parameter = icon.section(" ", 1); QSize size = getTextSize(parameter, Qt::TextSingleLine); h += itemHeight; w = qMax(w, iconSize.width() + size.width() + ICON_TEXT_GAP); } return QSize(w+HORIZONTAL_MARGIN*2, h); } QString RuleSetViewDelegate::objectText(RuleElement *re,FWObject *obj) const { QString any_object_name = QString(tr("Any")); if (re->isAny()) { if (RuleElementTSrc::isA(re) || RuleElementTDst::isA(re) || RuleElementTSrv::isA(re)) return QString(tr("Original")); if (RuleElementRDst::isA(re)) return QString(tr("Default")); if (RuleElementRGtw::isA(re) || RuleElementRItf::isA(re)) return QString(""); if (RuleElementItfInb::isA(re)) return QString(tr("Auto")); if (RuleElementItfOutb::isA(re)) return QString(tr("Auto")); return any_object_name; } if (Interface::isA(obj)) { QString lbl= Interface::cast(obj)->getLabel().c_str(); if ( !lbl.isEmpty() ) return lbl; } if (obj->getName() == "Any") return any_object_name; else return QString::fromUtf8(obj->getName().c_str()); } DrawingContext RuleSetViewDelegate::initContext( QRect rect, bool useEnireSpace) const { DrawingContext ctx; ctx.iconSize = getIconSize(); ctx.itemHeight = getItemHeight(); ctx.objectRect = QRect(rect.left()+1, rect.top()+1, rect.width()-1, useEnireSpace?rect.height()-1:ctx.itemHeight); ctx.drawRect = ctx.objectRect.adjusted(HORIZONTAL_MARGIN, VERTICAL_MARGIN, -HORIZONTAL_MARGIN, -VERTICAL_MARGIN); return ctx; } QString RuleSetViewDelegate::getRuleColor(RuleNode *node) const { FWOptions *ropt = node->rule->getOptionsObject(); return 
QString(ropt->getStr("color").c_str()); }
fwbuilder-5.3.7/src/libgui/RuleSetViewDelegate.h000066400000000000000000000106161303637203600216040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Illiya Yalovoy This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef RULESETVIEWDELEGATE_H
#define RULESETVIEWDELEGATE_H

// NOTE(review): the target of the angle-bracket #include below was lost when
// this file was extracted and cannot be recovered from here.
#include
#include "RuleSetModel.h"

class RuleNode;
class FWObjectSelectionModel;

namespace libfwbuilder {
    class RuleElement;
    class FWObject;
}

////////////////////////////////////////////////////////////////////////////
// RuleSetViewDelegate
////////////////////////////////////////////////////////////////////////////

/*
 * Geometry handed around by the delegate's paint and size helpers, filled
 * in by RuleSetViewDelegate::initContext():
 *   objectRect - the cell rect inset by one pixel at top/left, either the
 *                full cell height or a single item row high;
 *   drawRect   - objectRect shrunk by HORIZONTAL_MARGIN/VERTICAL_MARGIN;
 *   itemHeight - height of one icon+text row (getItemHeight());
 *   iconSize   - icon size in effect (getIconSize()).
 */
class DrawingContext
{
public:
    QRect objectRect;
    QRect drawRect;
    int itemHeight;
    QSize iconSize;
};

/*
 * Item delegate for RuleSetView. paint() draws group rows, the row-number
 * column and the typed rule cells (objects, direction, action, options,
 * comment, metric); sizeHint() computes a cell's size, caches it in
 * RuleNode::sizes and levels the cached heights across the row. Both are
 * implemented in RuleSetViewDelegate.cpp.
 */
class RuleSetViewDelegate : public QItemDelegate
{
    Q_OBJECT;

    // Highlight colour of the view's palette, set by the view right after
    // construction (setStandardHighlightColor) and re-applied to the palette
    // in paintRule() so selected cells keep the standard highlight.
    QColor standard_highlight;

public:
    RuleSetViewDelegate(QObject *parent, FWObjectSelectionModel *selectionModel);

    void paint (QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index) const;
    QSize sizeHint (const QStyleOptionViewItem &, const QModelIndex & ) const;

    void setStandardHighlightColor(const QColor &c) { standard_highlight = c; }

    // Layout constants in pixels: half of RULE_ITEM_GAP is added to the y of
    // an icon drawn by drawIconInRule(); the margins are subtracted from a
    // cell to get its draw area; ICON_TEXT_GAP separates an icon from its
    // text.
    static const int RULE_ITEM_GAP = 4;
    static const int VERTICAL_MARGIN = 2;
    static const int HORIZONTAL_MARGIN = 2;
    static const int ICON_TEXT_GAP = 2;

    // Icon size chosen in FWBSettings (16x16 or 25x25), or a null QSize when
    // icons in rules are switched off.
    static QSize getIconSize();
    // Bounding size of 's' in the rules font, with Qt text flags 'flag'.
    static QSize getTextSize(QString, int flag);
    // Height of one icon+text row: max(icon height, height of 's') plus the
    // two vertical margins; with text == false only the icon counts. The
    // default sample string presumably has both ascenders and descenders so
    // that the measured height covers a full text line.
    static int getItemHeight(QString s = "AiqyW", int flag = Qt::TextSingleLine, bool text = true);

private:
    // Icon variant selected by getPixmap(): plain, negated, reference, and
    // the small "tree" versions of plain and negated.
    enum PixmapAttr { Normal, Neg, Ref, Tree, NegTree };

    // The selection model passed to the constructor (the field name looks
    // like a typo for "selectionModel"). paintObject() reads its
    // selectedObject to draw the focus frame around one object in a cell.
    FWObjectSelectionModel *sectionModel;

    // Display text for an object inside rule element 're': "Any"/"Original"/
    // "Default"/"Auto" for any-elements depending on the element type, the
    // interface label when 'obj' is an Interface, else the object name.
    QString objectText(libfwbuilder::RuleElement *re,libfwbuilder::FWObject *obj) const;
    // Loads ":/Icons/<name>/<variant>" from the resource bundle.
    QPixmap getPixmap(QString name, PixmapAttr pmattr = Normal) const;
    // (sic: "useEntireSpace".) Builds the DrawingContext for 'rect'.
    DrawingContext initContext(QRect rect, bool useEnireSpace = false) const;

    // Size computation per column type; calculateCellSizeForRule() dispatches
    // on the ColDesc stored in the index and never returns less than 50 x
    // itemHeight.
    QSize calculateCellSizeForRule(const QStyleOptionViewItem & option, const QModelIndex & index, RuleNode * node ) const;
    QSize calculateCellSizeForObject(const QModelIndex & index) const;
    QSize calculateCellSizeForComment(const QModelIndex & index) const;
    QSize calculateCellSizeForIconAndText(const QModelIndex & index) const;
    QSize calculateCellSizeForOptions(const QModelIndex & index) const;

    // Low-level drawing helpers.
    QSize drawIconInRule(QPainter *p, int x, int y, QString name, bool neg) const;
    void drawIconAndText(QPainter *painter, QRect rect, QString icon, QString text, bool negation = false) const;
    void drawIcons(QPainter *painter, QRect rect, const QStringList &icons) const;
    // Fills 'rect' with the highlight brush when the item has focus and sets
    // the pen to the matching text colour.
    void drawSelectedFocus(QPainter *painter, const QStyleOptionViewItem &option,QRect &rect) const;

    // Row kinds dispatched from paint(): group header, rule cell, and the
    // leftmost rule-number column.
    void paintGroup (QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index, RuleNode * node) const;
    void paintRule (QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index, RuleNode * node) const;
    void paintRowHeader (QPainter *painter, const QStyleOptionViewItem &option, const QModelIndex &index, RuleNode * node) const;

    // Cell painters per column type, dispatched from paintRule(); 'v' is the
    // cell's DisplayRole value.
    void paintObject(QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const;
    void paintDirection(QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const;
    void paintAction(QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const;
    void paintOptions(QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const;
    void paintComment(QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const;
    void paintMetric(QPainter *painter, const QStyleOptionViewItem &option, const QVariant &v) const;

    // Text for the action cell; longer than 20 characters is cut to 17 plus
    // "...". (Takes a non-const reference although it only reads; could be
    // const ActionDesc&.)
    QString constructActionText(ActionDesc &actionDesc)const;

    // The rule's "color" option string, possibly empty; virtual so a
    // subclass may choose colours differently.
    virtual QString getRuleColor(RuleNode * node ) const;
};

#endif // RULESETVIEWDELEGATE_H
fwbuilder-5.3.7/src/libgui/SSHCisco.cpp000066400000000000000000000357501303637203600177100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "SSHCisco.h" #include #include #include #include #include #include #include #include #include #include #ifndef errno extern int errno; #endif using namespace std; SSHCisco::SSHCisco(QWidget *_par, const QString &_h, const QStringList &args, const QString &_p, const QString &_ep, const std::list &_in) : SSHSession(_par,_h,args,_p,_ep,_in) { normal_prompt="> $"; fwb_prompt="--**--**--"; enable_prompt="# $|# *Access Rules Download Complete"; config_prompt="\\(config(|-.*)\\)#"; pwd_prompt_1="'s password: $"; pwd_prompt_2="'s password: $"; epwd_prompt="Password: "; ssh_pwd_prompt="'s password: "; ssoft_config_prompt="> "; putty_pwd_prompt="Password: "; passphrase_prompt="Enter passphrase for key "; errorsInit.push_back("Permission denied"); errorsInit.push_back("Invalid password"); errorsInit.push_back("Access denied"); errorsInit.push_back("Unable to authenticate"); errorsInit.push_back("Too many authentication failures"); errorsLoggedin.push_back("Invalid password"); errorsLoggedin.push_back("ERROR: "); errorsLoggedin.push_back("Not enough arguments"); errorsLoggedin.push_back("cannot find"); errorsEnabledState.push_back("ERROR: "); errorsEnabledState.push_back("Type help"); errorsEnabledState.push_back("Not enough arguments"); errorsEnabledState.push_back("Invalid"); errorsEnabledState.push_back("invalid"); errorsEnabledState.push_back("cannot find"); errorsEnabledState.push_back( "An object-group with the same id but different type"); errorsEnabledState.push_back("cannot add route entry"); local_event_loop = new QEventLoop(); comment_symbol = '!'; } void SSHCisco::loadPreConfigCommands(const QStringList &cl) { pre_config_commands = cl; } void SSHCisco::loadPostConfigCommands(const QStringList &cl) { post_config_commands = cl; } void 
SSHCisco::loadActivationCommands(const QStringList &cl) { activation_commands = cl; foreach(QString line, activation_commands) { /* * store names of access-lists and object-groups * actually used in the config */ if (line.indexOf("access-list ")==0) newAcls.push_back(line.section(' ',1,1)); if (line.indexOf("object-group ")==0) newObjectGroups.push_back(line.section(' ',1,1)); } emit updateProgressBar_sign(activation_commands.size(), true); } SSHCisco::~SSHCisco() { } QString SSHCisco::cmd(QProcess*, const QString &cmd) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("Command '%s'", cmd.toAscii().constData()); #else if (fwbdebug) qDebug("Command '%s'", cmd.toLatin1().constData()); #endif sendCommand(cmd); //stdoutBuffer = ""; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) //proc->write( (cmd + "\n").toAscii() ); #else //proc->write( (cmd + "\n").toLatin1() ); #endif state = EXECUTING_COMMAND; local_event_loop->exec(); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("Command '%s' completed", cmd.toAscii().constData()); #else if (fwbdebug) qDebug("Command '%s' completed", cmd.toLatin1().constData()); #endif return stdoutBuffer; } bool SSHCisco::checkForErrors() { QStringList *errptr; switch (state) { case LOGGEDIN: case WAITING_FOR_ENABLE: errptr = &errorsLoggedin; break; case ENABLE: errptr = &errorsEnabledState; break; default: errptr = &errorsInit; break; } for (QStringList::const_iterator i=errptr->begin(); i!=errptr->end(); ++i) { QString line = *i; if ( stdoutBuffer.lastIndexOf(line, -1)!=-1 ) { if (fwbdebug) qDebug() << "Got known error message: " << line; emit printStdout_sign( tr("\n*** Fatal error :") ); emit printStdout_sign( line + "\n" ); stdoutBuffer=""; // terminate(); sessionComplete(true); // finish with error status return true; } } return false; } void SSHCisco::stateMachine() { if (checkForErrors()) return; if (fwbdebug) qDebug() << "SSHCisco::stateMachine() state=" << state << "(ENABLE=" << ENABLE << ")" << 
"(PUSHING_CONFIG=" << PUSHING_CONFIG << ")" << " stdoutBuffer=" << stdoutBuffer; switch (state) { case NONE: { if ( cmpPrompt(stdoutBuffer,QRegExp(pwd_prompt_1)) || cmpPrompt(stdoutBuffer,QRegExp(pwd_prompt_2)) ) { stdoutBuffer=""; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) proc->write( (pwd + "\n").toAscii() ); #else proc->write( (pwd + "\n").toLatin1() ); #endif break; } /* we may get to LOGGEDIN state directly from NONE, for example when * password is supplied on command line to plink.exe */ if (cmpPrompt(stdoutBuffer, QRegExp(normal_prompt)) ) { stdoutBuffer=""; state=LOGGEDIN; emit printStdout_sign( "\n"); emit printStdout_sign( tr("Logged in") + "\n" ); emit printStdout_sign( tr("Switching to enable mode...") + "\n"); stdoutBuffer=""; proc->write( "enable\n" ); } /* we may even get straight to the enable prompt, e.g. if * user account is configured with "privilege 15" */ if ( cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)) ) { state=WAITING_FOR_ENABLE; stateMachine(); break; } QString fingerprint; //int n1,n2; if (stdoutBuffer.indexOf(newKeyOpenSSH)!=-1 || stdoutBuffer.indexOf(newKeyPlink)!=-1 || stdoutBuffer.indexOf(newKeySSHComm)!=-1) { /* new key */ bool unix_y_n = (stdoutBuffer.indexOf(newKeyOpenSSH)!=-1 || stdoutBuffer.indexOf(newKeySSHComm)!=-1); if (fwbdebug) qDebug("New host key message detected"); fingerprint = findKeyFingerprint(stdoutBuffer); QString msg = newKeyMsg.arg(host).arg(fingerprint).arg(host); stopHeartBeat(); int res = QMessageBox::warning( parent, tr("New RSA key"), msg, tr("Yes"), tr("No"), 0, 0, -1 ); if (fwbdebug) qDebug("User said: res=%d", res); startHeartBeat(); stdoutBuffer=""; if (res==0) { if (unix_y_n) proc->write( "yes\n" ); else proc->write( "y\n" ); break; } else { sessionComplete(true); // finish with error status return; // state=EXIT; // goto entry; } } } break; case LOGGEDIN: if ( cmpPrompt(stdoutBuffer,QRegExp(epwd_prompt)) ) { stdoutBuffer=""; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (!epwd.isEmpty()) 
proc->write( (epwd + "\n").toAscii() ); #else if (!epwd.isEmpty()) proc->write( (epwd + "\n").toLatin1() ); #endif else proc->write( "\n" ); state=WAITING_FOR_ENABLE; } break; case WAITING_FOR_ENABLE: if ( cmpPrompt(stdoutBuffer,QRegExp(epwd_prompt)) ) { stdoutBuffer=""; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (!epwd.isEmpty()) proc->write( (epwd + "\n").toAscii() ); #else if (!epwd.isEmpty()) proc->write( (epwd + "\n").toLatin1() ); #endif else proc->write( "\n" ); state=WAITING_FOR_ENABLE; break; } if ( cmpPrompt(stdoutBuffer,QRegExp(enable_prompt)) ) { emit printStdout_sign( tr("In enable mode.")); emit printStdout_sign( "\n"); state=ENABLE; // and go to ENABLE target in switch /* give classes derived from SSHCisco a chance to do * something before we switch to config mode. If is * SSHCisco class, the stateMachine method will simply call * itself and will fall through to the ENABLE state. */ stateMachine(); break; } case ENABLE: if ( cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)) ) { if (pre_config_commands.size()>0) { stdoutBuffer=""; QString cmd = pre_config_commands.front(); pre_config_commands.pop_front(); if (cmd.indexOf("reload in")!=-1) state = SCHEDULE_RELOAD_DIALOG; sendCommand(cmd); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) //proc->write( (cmd + "\n").toAscii() ); #else //proc->write( (cmd + "\n").toLatin1() ); #endif break; } stdoutBuffer=""; if (backup) { /* the problem is that QProcess uses select and thus * is tightly integrated into event loop. QT uses * internal private flag inside QProcess to * specifically prevent recursive calls to * readyReadStdout (look for d->socketReadCalled in * kernel/qprocess_unix.cpp ). So, I _must_ exit this * callback before I can send commands to the process * and collect the output. 
*/ QTimer::singleShot( 0, this, SLOT(PIXbackup()) ); break; } state = WAITING_FOR_CONFIG_PROMPT; // kick it so we get some output from the router and // continue the state machine proc->write("\n"); } break; case SCHEDULE_RELOAD_DIALOG: if ( cmpPrompt(stdoutBuffer, QRegExp("System config.* modified\\. Save?")) ) { stdoutBuffer=""; proc->write( "n" ); // no \n needed break; } if ( cmpPrompt(stdoutBuffer, QRegExp("Proceed with reload?")) ) { stdoutBuffer=""; proc->write( "y" ); // no \n needed break; } if ( cmpPrompt(stdoutBuffer, QRegExp("SHUTDOWN")) ) { stdoutBuffer=""; proc->write( "\n" ); state = ENABLE; break; } if ( cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)) ) { // reload did not ask for confirmation stdoutBuffer=""; proc->write( "\n" ); state = ENABLE; break; } break; case EXECUTING_COMMAND: if ( cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)) ) { //QCoreApplication::exit(); state = COMMAND_DONE; if (fwbdebug) qDebug("Switching to COMMAND_DONE state; state=%d", state); if (local_event_loop->isRunning()) local_event_loop->exit(); } break; case WAITING_FOR_CONFIG_PROMPT: if ( cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)) ) { /* install full policy */ state = PUSHING_CONFIG; // and drop to PUSHING_CONFIG case if (!dry_run) emit printStdout_sign(tr("Pushing firewall configuration")); emit printStdout_sign( "\n"); stdoutBuffer = ""; proc->write("\n"); ncmd=0; } break; case PUSHING_CONFIG: if ( cmpPrompt(stdoutBuffer, QRegExp(enable_prompt))) // config_prompt)) ) { // see SF bug 2973136 , fwbuilder bug #1347 // looks like if user hits Cancel to cancel install at just right // moment, the process can get killed when control is already // inside this block. Adding test for proc != NULL to be sure. 
if ( activation_commands.size() != 0 && proc != NULL) { QString s; do { s = activation_commands.front(); activation_commands.pop_front(); emit updateProgressBar_sign(activation_commands.size(),false); s.replace('\"','\''); if (!quiet) { QString rl=""; if (s.indexOf(QString("%1 Rule ").arg(comment_symbol)) != -1) rl = s.mid(7); if ( !rl.isEmpty()) { emit printStdout_sign( tr("Rule %1").arg(rl) + "\n" ); } } } while (stripComments && s[0] == comment_symbol); sendCommand(s); } else { /* activation_commands.size()==0 */ state = EXIT_FROM_CONFIG; emit printStdout_sign( tr("End") + "\n" ); // kick it so we get some output from the router and // continue the state machine if (proc) proc->write("\n"); } } break; case EXIT_FROM_CONFIG: if ( cmpPrompt(stdoutBuffer,QRegExp(enable_prompt)) ) { /* * Execute post_config_commands */ if (post_config_commands.size()>0) { stdoutBuffer = ""; QString cmd = post_config_commands.front(); post_config_commands.pop_front(); sendCommand(cmd); break; } stdoutBuffer=""; state = EXIT; proc->write( "exit\n"); } break; case EXIT: // emit printStdout_sign( tr("Terminating session\n") ); // terminate(); // state=FINISH; break; case FINISH: break; default: break; } } fwbuilder-5.3.7/src/libgui/SSHCisco.h000066400000000000000000000040121303637203600173420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SSHCISCO_H_ #define __SSHCISCO_H_ #include "config.h" #include "global.h" #include "SSHSession.h" #include #include #include #include class QEventLoop; class SSHCisco : public SSHSession { Q_OBJECT; int nLines; int ncmd; protected: QEventLoop *local_event_loop; QStringList newAcls; QStringList currentAcls; QStringList newObjectGroups; QStringList currentObjectGroups; QStringList pre_config_commands; QStringList post_config_commands; QStringList activation_commands; char comment_symbol; public: SSHCisco(QWidget *parent, const QString &host, const QStringList &args, const QString &pwd, const QString &epwd, const std::list &in); virtual ~SSHCisco(); virtual bool checkForErrors(); virtual void stateMachine(); QString cmd(QProcess *proc,const QString &cmd); void loadPreConfigCommands(const QStringList &cl); void loadPostConfigCommands(const QStringList &cl); void loadActivationCommands(const QStringList &cl); }; #endif fwbuilder-5.3.7/src/libgui/SSHIOS.cpp000066400000000000000000000064641303637203600173040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "SSHIOS.h" #include using namespace std; SSHIOS::SSHIOS(QWidget *_par, const QString &_h, const QStringList &args, const QString &_p, const QString &_ep, const std::list &_in) : SSHCisco(_par,_h,args,_p,_ep,_in) { normal_prompt=">$"; fwb_prompt="--**--**--"; enable_prompt="#$"; pwd_prompt_1="'s password: $"; pwd_prompt_2="Password: "; epwd_prompt="Password: "; ssh_pwd_prompt="'s password: "; ssoft_config_prompt="> "; putty_pwd_prompt="Password: "; passphrase_prompt="Enter passphrase for key "; errorsInit.clear(); errorsInit.push_back("Permission denied"); errorsInit.push_back("Invalid password"); errorsInit.push_back("Access denied"); errorsInit.push_back("Unable to authenticate"); errorsInit.push_back("Too many authentication failures"); errorsLoggedin.clear(); errorsLoggedin.push_back("Invalid password"); errorsLoggedin.push_back("ERROR: "); errorsLoggedin.push_back("Not enough arguments"); errorsLoggedin.push_back("cannot find"); errorsEnabledState.clear(); errorsEnabledState.push_back("ERROR: "); errorsEnabledState.push_back("Type help"); errorsEnabledState.push_back("Not enough arguments"); errorsEnabledState.push_back("invalid input detected"); errorsEnabledState.push_back("Invalid"); errorsEnabledState.push_back("cannot find"); } SSHIOS::~SSHIOS() { } // IOS state machine needs to be able to deal with // "reload in ... " command void SSHIOS::stateMachine() { if (checkForErrors()) return; switch (state) { case SCHEDULE_RELOAD_DIALOG: if ( cmpPrompt(stdoutBuffer, QRegExp("System config.* modified\\. 
Save?")) ) { stdoutBuffer=""; proc->write( "no\n" ); break; } if ( cmpPrompt(stdoutBuffer,QRegExp("Proceed with reload?")) ) { stdoutBuffer=""; proc->write( "y\n" ); state = ENABLE; break; } break; case PUSHING_CONFIG: if ( cmpPrompt(stdoutBuffer, QRegExp("Destination filename [.*]?")) ) { stdoutBuffer=""; proc->write("\n"); // accept default file name } else SSHCisco::stateMachine(); break; default: SSHCisco::stateMachine(); break; } } fwbuilder-5.3.7/src/libgui/SSHIOS.h000066400000000000000000000024461303637203600167450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SSHIOS_H_ #define __SSHIOS_H_ #include "config.h" #include "global.h" #include "SSHCisco.h" #include class SSHIOS : public SSHCisco { Q_OBJECT; public: SSHIOS(QWidget *parent, const QString &host, const QStringList &args, const QString &pwd, const QString &epwd, const std::list &in); virtual ~SSHIOS(); virtual void stateMachine(); }; #endif fwbuilder-5.3.7/src/libgui/SSHJUNOS.cpp000066400000000000000000000307731303637203600175500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "SSHJUNOS.h" #include #include #include #include #include #include #include #include #include #include #ifndef errno extern int errno; #endif using namespace std; SSHJunos::SSHJunos(QWidget *_par, const QString &_h, const QStringList &args, const QString &_p, const QString &_ep, const std::list &_in) : SSHSession(_par,_h,args,_p,_ep,_in) { normal_prompt="% $"; // shell fwb_prompt="--**--**--"; enable_prompt="> $"; // operational prompt config_prompt="# $"; // configuration prompt pwd_prompt_1="'s password: $"; /* * TODO * Do not change pwd_prompt_2 without extensive testing * This must be tested on actual hardware/os * Will prevent login on wrong regex, with silent error - timeout */ #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wunknown-escape-sequence" pwd_prompt_2="Password:\w?"; #pragma GCC diagnostic pop epwd_prompt="Password: "; ssh_pwd_prompt="'s password: "; ssoft_config_prompt="> "; putty_pwd_prompt="Password: "; passphrase_prompt="Enter passphrase for key "; errorsInit.clear(); errorsInit.push_back("Permission denied"); errorsInit.push_back("Invalid password"); errorsInit.push_back("Access denied"); errorsInit.push_back("Unable to authenticate"); errorsInit.push_back("Too many authentication failures"); errorsLoggedin.clear(); errorsLoggedin.push_back("Invalid password"); 
errorsLoggedin.push_back("ERROR: "); errorsLoggedin.push_back("Not enough arguments"); errorsLoggedin.push_back("cannot find"); errorsEnabledState.clear(); errorsEnabledState.push_back("ERROR: "); errorsEnabledState.push_back("Type help"); errorsEnabledState.push_back("Not enough arguments"); errorsEnabledState.push_back("invalid input detected"); errorsEnabledState.push_back("Invalid"); errorsEnabledState.push_back("cannot find"); errorsEnabledState.push_back("error: configuration database modified"); errorsEnabledState.push_back("error: configuration database locked by:"); errorsConfigState.clear(); errorsConfigState.push_back("error: configuration check-out failed"); errorsConfigState.push_back("syntax error"); } SSHJunos::~SSHJunos() { } void SSHJunos::loadPreConfigCommands(const QStringList &cl) { pre_config_commands = cl; } void SSHJunos::loadPostConfigCommands(const QStringList &cl) { post_config_commands = cl; } void SSHJunos::loadActivationCommands(const QStringList &cl) { activation_commands = cl; foreach(QString line, activation_commands) { /* * store names of access-lists and object-groups * actually used in the config */ if (line.indexOf("access-list ")==0) newAcls.push_back(line.section(' ',1,1)); if (line.indexOf("object-group ")==0) newObjectGroups.push_back(line.section(' ',1,1)); } emit updateProgressBar_sign(activation_commands.size(), true); } bool SSHJunos::checkForErrors() { QStringList *errptr; switch(state) { case LOGGEDIN: errptr = &errorsLoggedin; break; case ENABLE: case WAITING_FOR_CONFIG_PROMPT: errptr = &errorsEnabledState; break; case CONFIG: case PUSHING_CONFIG: errptr = &errorsConfigState; break; default: errptr = &errorsInit; break; } for (QStringList::const_iterator i=errptr->begin(); i!=errptr->end(); ++i) { QString line = *i; if (stdoutBuffer.lastIndexOf(line, -1) != -1) { error = true; if (fwbdebug) qDebug() << "Got known error message: " << line; emit printStdout_sign(tr("\n*** Fatal error :")); emit printStdout_sign(line + 
"\n"); stdoutBuffer=""; if (state == CONFIG || state == PUSHING_CONFIG) { emit printStdout_sign(tr("\n*** Doing a rollback")); sendCommand("rollback 0"); } if (state == WAITING_FOR_CONFIG_PROMPT) { state = EXIT_FROM_CONFIG; return true; } sessionComplete(true); // finish with error status terminate(); return true; } } return false; } void SSHJunos::stateMachine() { if (checkForErrors()) return; if (fwbdebug) qDebug() << "SSHJunos::stateMachine() state=" << state << "(ENABLE=" << ENABLE << ")" << "(CONFIG=" << CONFIG << ")" << "(PUSHING_CONFIG=" << PUSHING_CONFIG << ")" << " stdoutBuffer=" << stdoutBuffer; switch (state) { case NONE: { if ( cmpPrompt(stdoutBuffer, QRegExp(pwd_prompt_1)) || cmpPrompt(stdoutBuffer, QRegExp(pwd_prompt_2)) ) { stdoutBuffer=""; #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) proc->write( (pwd + "\n").toAscii() ); #else proc->write( (pwd + "\n").toLatin1() ); #endif break; } /* we may get to LOGGEDIN state directly from NONE, for example when * password is supplied on command line to plink.exe. 
* This only happens with the root user */ if (cmpPrompt(stdoutBuffer, QRegExp(normal_prompt))) { stdoutBuffer=""; state=LOGGEDIN; emit printStdout_sign("\n"); emit printStdout_sign( tr("Logged in") + "\n"); emit printStdout_sign( tr("Switching to operational promt...") + "\n"); stdoutBuffer=""; proc->write("cli\n"); } /* we get straight to operational prompt as a normal user */ if (cmpPrompt(stdoutBuffer, QRegExp(enable_prompt))) { state = WAITING_FOR_ENABLE; stateMachine(); break; } QString fingerprint; if (stdoutBuffer.indexOf(newKeyOpenSSH) != -1 || stdoutBuffer.indexOf(newKeyPlink) != -1 || stdoutBuffer.indexOf(newKeySSHComm) != -1) { /* new key */ bool unix_y_n = (stdoutBuffer.indexOf(newKeyOpenSSH) != -1 || stdoutBuffer.indexOf(newKeySSHComm) != -1); if (fwbdebug) qDebug("New host key message detected"); fingerprint = findKeyFingerprint(stdoutBuffer); QString msg = newKeyMsg.arg(host).arg(fingerprint).arg(host); stopHeartBeat(); int res = QMessageBox::warning(parent, tr("New RSA key"), msg, tr("Yes"), tr("No"), 0, 0, -1); if (fwbdebug) qDebug("User said: red=%d", res); startHeartBeat(); stdoutBuffer=""; if (res==0) { if (unix_y_n) proc->write("yes\n"); else proc->write("y\n"); break; } else { sessionComplete(true); // finish with error status return; } } if (stdoutBuffer.indexOf("Terminal type?") != -1) { stdoutBuffer=""; proc->write("ansi\n"); return; } } break; case LOGGEDIN: if (cmpPrompt(stdoutBuffer, QRegExp(normal_prompt))) { stdoutBuffer=""; proc->write("cli\n"); state=WAITING_FOR_ENABLE; stdoutBuffer=""; break; } case WAITING_FOR_ENABLE: if (cmpPrompt(stdoutBuffer,QRegExp(enable_prompt))) { emit printStdout_sign( tr("In operational prompt.")); emit printStdout_sign("\n"); state=ENABLE; stateMachine(); break; } case ENABLE: if (cmpPrompt(stdoutBuffer, QRegExp(enable_prompt))) { if (pre_config_commands.size() > 0) { stdoutBuffer=""; QString cmd = pre_config_commands.front(); pre_config_commands.pop_front(); sendCommand(cmd); break; } stdoutBuffer=""; 
state = WAITING_FOR_CONFIG_PROMPT; // Trying to get exclusive configuration prompt proc->write("configure exclusive\n"); // kick it so we get some output from the router and // continue the state machine proc->write("\n"); } break; case WAITING_FOR_CONFIG_PROMPT: if (cmpPrompt(stdoutBuffer, QRegExp(config_prompt))) { /* install full policy */ state = PUSHING_CONFIG; if (!dry_run) emit printStdout_sign(tr("Pushing firewall configuration")); emit printStdout_sign("\n"); stdoutBuffer=""; proc->write("\n"); ncmd=0; } break; case PUSHING_CONFIG: if (cmpPrompt(stdoutBuffer, QRegExp(config_prompt))) { // see SF bug 2973136 , fwbuilder bug #1347 // looks like if user hits Cancel to cancel install at just right // moment, the process can get killed when control is already // inside this block. Adding test for proc != NULL to be sure. if (activation_commands.size() != 0 && proc != NULL) { QString s; do { s = activation_commands.front(); activation_commands.pop_front(); emit updateProgressBar_sign(activation_commands.size(), false); s.replace('\"', '\''); if (!quiet) { QString rl=""; if (s.indexOf(QString("%1 Rule ").arg(comment_symbol)) != -1) rl = s.mid(7); if ( !rl.isEmpty()) { emit printStdout_sign( tr("Rule %1").arg(rl) + "\n"); } } } while (stripComments && s[0] == comment_symbol); sendCommand(s); } else { /* activation_commands.size() == 0 */ proc->write("exit\n"); state = EXIT_FROM_CONFIG; emit printStdout_sign( tr("End") + "\n"); // kick it so we get some output from the router and // continue the state machine if (proc) proc->write("\n"); } } break; case EXIT_FROM_CONFIG: if (cmpPrompt(stdoutBuffer, QRegExp(enable_prompt))) { /* * Execute post_config_commands */ if (post_config_commands.size() > 0) { stdoutBuffer=""; QString cmd = post_config_commands.front(); post_config_commands.pop_front(); sendCommand(cmd); break; } stdoutBuffer=""; state = EXIT; proc->write("\n"); } break; case EXIT: if (cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)) || cmpPrompt(stdoutBuffer, 
QRegExp(normal_prompt)) ) { stdoutBuffer=""; proc->write("exit\n"); if (error) { sessionComplete(true); // finish with error status terminate(); } } break; case FINISH: break; default: break; } } fwbuilder-5.3.7/src/libgui/SSHJUNOS.h000066400000000000000000000037661303637203600172170ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SSHJUNOS_H_ #define __SSHJUNOS_H_ #include "config.h" #include "global.h" #include "SSHSession.h" #include #include #include class QEventLoop; class SSHJunos : public SSHSession { Q_OBJECT; int nLines; int ncmd; protected: QEventLoop *local_event_loop; QStringList newAcls; QStringList currentAcls; QStringList newObjectGroups; QStringList currentObjectGroups; QStringList pre_config_commands; QStringList post_config_commands; QStringList activation_commands; QStringList errorsConfigState; char comment_symbol; public: SSHJunos(QWidget *parent, const QString &host, const QStringList &args, const QString &pwd, const QString &epwd, const std::list &in); virtual ~SSHJunos(); virtual bool checkForErrors(); virtual void stateMachine(); QString cmd(QProcess *proc, const QString &cmd); void loadPreConfigCommands(const QStringList &cl); void loadPostConfigCommands(const QStringList &cl); void 
    loadActivationCommands(const QStringList &cl);
};

#endif
fwbuilder-5.3.7/src/libgui/SSHNXOS.cpp000066400000000000000000000070641303637203600174360ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

#include "config.h"
#include "global.h"

#include "SSHNXOS.h"

#include

using namespace std;

/*
 * Interactive ssh session driver for Cisco NX-OS devices.
 *
 * The constructor only overrides the prompt patterns and the error
 * strings inherited from SSHCisco; the session logic lives in
 * stateMachine() below and in SSHCisco::stateMachine() (not shown here).
 *
 * The errors* lists are plain substrings of device/ssh output. Presumably
 * the inherited checkForErrors() scans the output buffer for them --
 * errorsInit while still authenticating, errorsLoggedin after login,
 * errorsEnabledState once in enable mode. A failure message that is not
 * listed here will not be recognized as an error, so keep the lists in
 * sync with the messages the device actually prints.
 */
SSHNXOS::SSHNXOS(QWidget *_par, const QString &_h, const QStringList &args,
                 const QString &_p, const QString &_ep,
                 const std::list &_in) : SSHCisco(_par,_h,args,_p,_ep,_in)
{
    // Prompt patterns (regular expressions, see QRegExp use in stateMachine())
    normal_prompt=">$";
    fwb_prompt="--**--**--";
    enable_prompt="# $";
    pwd_prompt_1="'s password: $";
    pwd_prompt_2="Password: ";
    epwd_prompt="Password: ";
    ssh_pwd_prompt="'s password: ";
    ssoft_config_prompt="> ";
    putty_pwd_prompt="Password: ";
    passphrase_prompt="Enter passphrase for key ";

    // Authentication-phase failures reported by the ssh client or device
    errorsInit.clear();
    errorsInit.push_back("Permission denied");
    errorsInit.push_back("Invalid password");
    errorsInit.push_back("Access denied");
    errorsInit.push_back("Unable to authenticate");
    errorsInit.push_back("Too many authentication failures");

    // Failures after login but before enable mode
    errorsLoggedin.clear();
    errorsLoggedin.push_back("Invalid password");
    errorsLoggedin.push_back("ERROR: ");
    errorsLoggedin.push_back("Not enough arguments");
    errorsLoggedin.push_back("cannot find");

    // Failures while in enable / config mode
    errorsEnabledState.clear();
    errorsEnabledState.push_back("ERROR: ");
    errorsEnabledState.push_back("Type help");
    errorsEnabledState.push_back("Not enough arguments");
    errorsEnabledState.push_back("invalid input detected");
    errorsEnabledState.push_back("Invalid");
    errorsEnabledState.push_back("cannot find");
}

SSHNXOS::~SSHNXOS()
{
}

// NXOS state machine needs to be able to deal with
// "reload in ... " command
//
// Invoked as output arrives from the ssh client. Only the prompts that
// are specific to NX-OS are handled here; every other state is delegated
// to SSHCisco::stateMachine().
void SSHNXOS::stateMachine()
{
    if (checkForErrors()) return;

    // We need too delete files when doing scp with session
    //
    // This confirmation is answered "yes" unconditionally and in every
    // state: whatever file the device asks about is removed without the
    // question ever reaching the user.
    if ( cmpPrompt(stdoutBuffer,
                   QRegExp("Do you want to delete .* \\(yes/no/abort\\) \\[y\\] ")) )
    {
        stdoutBuffer="";
        proc->write( "yes\n" );
    }

    switch (state)
    {
    case SCHEDULE_RELOAD_DIALOG:
        // Dialog that follows a scheduled "reload in ..." command:
        // decline saving the modified config, then confirm the reload
        // and return to the ENABLE state.
        //
        // NOTE(review): in these QRegExp patterns the unescaped '?' makes
        // the preceding character optional instead of matching a literal
        // '?', so "Save?" also matches "Sav" and "Proceed with reload?"
        // matches "Proceed with reload". Harmless as a prefix match, but
        // "\\?" is presumably what was intended.
        if ( cmpPrompt(stdoutBuffer, QRegExp("System config.* modified\\. Save?")) )
        {
            stdoutBuffer="";
            proc->write( "no\n" );
            break;
        }
        if ( cmpPrompt(stdoutBuffer,QRegExp("Proceed with reload?")) )
        {
            stdoutBuffer="";
            proc->write( "y\n" );
            state = ENABLE;
            break;
        }
        break;

    case PUSHING_CONFIG:
        // NOTE(review): "[.*]?" is a character class ('.' or '*') with a
        // '?' quantifier, not a literal "[...]?"; the pattern therefore
        // matches any buffer containing "Destination filename ". The
        // intended pattern is presumably "Destination filename \\[.*\\]\\?"
        // -- verify against the real device prompt before tightening it.
        if ( cmpPrompt(stdoutBuffer, QRegExp("Destination filename [.*]?")) )
        {
            stdoutBuffer="";
            proc->write("\n"); // accept default file name
        } else
            SSHCisco::stateMachine();
        break;

    default:
        SSHCisco::stateMachine();
        break;
    }
}
fwbuilder-5.3.7/src/libgui/SSHNXOS.h000066400000000000000000000024531303637203600171000ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

#ifndef __SSHNXOS_H_
#define __SSHNXOS_H_

#include "config.h"
#include "global.h"

#include "SSHCisco.h"

#include

/*
 * Session driver for Cisco NX-OS devices. Only the prompt and error
 * tables (set in the constructor) and the NX-OS specific prompt handling
 * in stateMachine() differ from SSHCisco.
 */
class SSHNXOS : public SSHCisco
{
    Q_OBJECT;

public:

    // parent: owning widget; host: device to connect to; args: argv of the
    // external ssh client (program name first); pwd / epwd: login and (by
    // its name) enable password, stored by SSHSession; in: lines to send
    // to the device (element type of std::list not visible in this listing)
    SSHNXOS(QWidget *parent,
            const QString &host,
            const QStringList &args,
            const QString &pwd,
            const QString &epwd,
            const std::list &in);
    virtual ~SSHNXOS();

    // Handles NX-OS specific prompts, delegates the rest to SSHCisco
    virtual void stateMachine();
};

#endif
fwbuilder-5.3.7/src/libgui/SSHPIX.cpp000066400000000000000000000215201303637203600173000ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

#include "config.h"
#include "global.h"
#include "utils.h"

#include "SSHPIX.h"

#include
#include
#include
#include
#include
#include
#include
#include

using namespace std;

/*
 * Interactive ssh session driver for Cisco PIX / ASA style devices.
 *
 * Prompt patterns and error tables are inherited unchanged from
 * SSHCisco; this class adds the PIX specific workflow: optional backup
 * of the running config, discovery of existing access lists and object
 * groups, and removal of the ones the new configuration no longer uses.
 */
SSHPIX::SSHPIX(QWidget *_par, const QString &_h, const QStringList &args,
               const QString &_p, const QString &_ep,
               const std::list &_in) : SSHCisco(_par,_h,args,_p,_ep,_in)
{
}

SSHPIX::~SSHPIX()
{
}

/*
 * Driven by incoming output. Several states schedule their work through
 * QTimer::singleShot() into the slots below instead of doing it inline;
 * the reason is explained in the ENABLE case. States not listed here are
 * delegated to SSHCisco::stateMachine().
 */
void SSHPIX::stateMachine()
{
    if (checkForErrors()) return;

    if (fwbdebug)
        qDebug() << "SSHPIX::stateMachine() state=" << state
                 << "(ENABLE=" << ENABLE << ")"
                 << "(PUSHING_CONFIG=" << PUSHING_CONFIG << ")"
                 << " stdoutBuffer=" << stdoutBuffer;

    switch (state)
    {
    case ENABLE:
        if ( cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)) )
        {
            // Send pre-config commands one per pass; a "reload in" command
            // switches to the state that answers the reload dialog.
            if (pre_config_commands.size()>0)
            {
                stdoutBuffer="";
                QString cmd = pre_config_commands.front();
                pre_config_commands.pop_front();
                if (cmd.indexOf("reload in")!=-1) state = SCHEDULE_RELOAD_DIALOG;
                sendCommand(cmd);
                break;
            }

            stdoutBuffer="";

            if (backup)
            {
                /* the problem is that QProcess uses select and thus
                 * is tightly integrated into event loop. QT uses
                 * internal private flag inside QProcess to
                 * specifically prevent recursive calls to
                 * readyReadStdout (look for d->socketReadCalled in
                 * kernel/qprocess_unix.cpp ). So, I _must_ exit this
                 * callback before I can send commands to the process
                 * and collect the output.
                 */
                QTimer::singleShot( 0, this, SLOT(PIXbackup()) );
                break;
            }

            state = WAITING_FOR_CONFIG_PROMPT;
            // kick it so we get some output from the router and
            // continue the state machine
            proc->write("\n");
        }
        break;

    case EXECUTING_COMMAND:
        // A command sent via cmd() has completed once the enable prompt
        // is back; leave the nested event loop cmd() is waiting in.
        if ( cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)) )
        {
            //QCoreApplication::exit();
            state = COMMAND_DONE;
            if (fwbdebug)
                qDebug("Switching to COMMAND_DONE state; state=%d", state);
            if (local_event_loop->isRunning()) local_event_loop->exit();
        }
        break;

    case GET_ACLS:
        if ( cmpPrompt(stdoutBuffer,QRegExp(enable_prompt)) )
        {
            QTimer::singleShot( 0, this, SLOT(getACLs()) );
        }
        break;

    case GET_OG:
        if ( cmpPrompt(stdoutBuffer,QRegExp(enable_prompt)) )
        {
            QTimer::singleShot( 0, this, SLOT(getObjectGroups()) );
        }
        break;

    case CLEAR_ACLS:
        if ( cmpPrompt(stdoutBuffer,QRegExp(enable_prompt)) )
        {
            QTimer::singleShot( 0, this, SLOT(clearACLs()) );
        }
        break;

    case CLEAR_OG:
        if ( cmpPrompt(stdoutBuffer,QRegExp(enable_prompt)) )
        {
            QTimer::singleShot( 0, this, SLOT(clearObjectGroups()) );
        }
        break;

    case EXIT:
        break;

    case FINISH:
        break;

    default:
        SSHCisco::stateMachine();
        break;
    }
}

/*
 * Slot scheduled from the ENABLE state when a backup was requested.
 * Runs "show run" with paging disabled and writes the output to
 * backupFile, then returns the state machine to ENABLE.
 *
 * The saved running configuration is sensitive: on these devices it
 * typically carries password hashes, community strings and keys. The
 * file is created with std::ofstream using the process umask, so nothing
 * here restricts its permissions -- callers that care should place
 * backupFile in a directory that is not world readable.
 *
 * NOTE(review): if the "terminal pager 0" step ends in FINISH, the early
 * return skips "verbose = sv" and leaves verbose switched off; harmless
 * because the session is over at that point, but worth knowing.
 */
void SSHPIX::PIXbackup()
{
    if (fwbdebug) qDebug("SSHPIX::PIXbackup ");

    bool sv = verbose;
    verbose = false;

    emit printStdout_sign( tr("Making backup copy of the firewall configuration"));
    emit printStdout_sign( "\n");

    cmd(proc, "terminal pager 0");
    if (state==FINISH) return;

    if (fwbdebug) qDebug("terminal pager 0 done");

    QString cfg = cmd(proc, "show run");

    if (fwbdebug) qDebug("show run done");

    verbose = sv;

    if (fwbdebug) qDebug("state=%d", state);

    /* if state changed to FINISH, there was an error and ssh terminated */
    if (state==FINISH) return;

    if (state==COMMAND_DONE)
    {
        // backupFile is used as a byte string; non-Latin-1 characters in
        // the path are not representable here
        ofstream ofs(backupFile.toLatin1().constData());
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        ofs << cfg.toAscii().constData();
#else
        ofs << cfg.toLatin1().constData();
#endif
        ofs.close();
        backup = false; // backup is done
        state = ENABLE;
    }

    proc->write( "\n" );
}

/*
 * Slot scheduled from the GET_ACLS state. Runs "show access-list" with
 * output suppressed and collects the names of existing access lists into
 * currentAcls (skipping continuation lines containing ';' and the
 * "cached" pseudo entry), then advances to GET_OG.
 */
void SSHPIX::getACLs()
{
    if (fwbdebug) qDebug("SSHPIX::getACLs ");

    bool sv=verbose;
    bool sq=quiet;
    verbose=false;
    quiet=true;

    QString sa = cmd(proc,"show access-list");
    QStringList showAcls;
    showAcls=sa.split("\n");

    verbose=sv;
    quiet=sq;

    /* if state changed to FINISH, there was an error and ssh terminated */
    if (state==FINISH) return;

    if (state==COMMAND_DONE)
    {
        for (QStringList::iterator i=showAcls.begin(); i!=showAcls.end(); i++)
        {
            // if (fwbdebug) qDebug("%s",(*i).ascii());
            if ((*i).indexOf("access-list ")==0 && (*i).indexOf(";")==-1)
            {
                // second whitespace separated word is the ACL name
                QString an=(*i).section(' ',1,1);
                if (an!="cached" && currentAcls.indexOf(an)==-1)
                    currentAcls.push_back(an);
            }
        }
        state=GET_OG;
    }

    proc->write( "\n" );
}

/*
 * Slot scheduled from the CLEAR_ACLS state. Sends "clear access-list"
 * for every name in currentAcls that is absent from newAcls, i.e. every
 * list the new configuration does not reference. The names come from the
 * device's own "show access-list" output (see getACLs()), not from user
 * input. Advances to CLEAR_OG afterwards.
 */
void SSHPIX::clearACLs()
{
    if (fwbdebug) qDebug("SSHPIX::clearACLs ");

    emit printStdout_sign( "\n");
    emit printStdout_sign(tr("*** Clearing unused access lists"));
    emit printStdout_sign( "\n");

    QString ca;
    while (currentAcls.size()!=0)
    {
        ca=currentAcls.front();
        currentAcls.pop_front();
        if (newAcls.indexOf(ca)==-1)//newAcls.end())
        {
            if (fwbdebug)
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
                qDebug("clear access-list %s",ca.toAscii().constData());
#else
                qDebug("clear access-list %s",ca.toLatin1().constData());
#endif
            cmd(proc,QString("clear access-list %1").arg(ca));
            /* if state changed to FINISH, there was an error and ssh terminated */
            if (state==FINISH) return;
        }
    }
    state=CLEAR_OG;

    proc->write( "\n" );
}

/*
 * Slot scheduled from the GET_OG state. Runs "show object-group" with
 * output suppressed and collects the names of existing object groups
 * into currentObjectGroups, then advances to CLEAR_ACLS.
 */
void SSHPIX::getObjectGroups()
{
    if (fwbdebug) qDebug("SSHPIX::getObjectGroups ");

    bool sv=verbose;
    bool sq=quiet;
    verbose=false;
    quiet=true;

    QString sog = cmd(proc,"show object-group");
    QStringList showOG;
    showOG=sog.split("\n");

    verbose=sv;
    quiet=sq;

    /* if state changed to FINISH, there was an error and ssh terminated */
    if (state==FINISH) return;

    if (state==COMMAND_DONE)
    {
        for (QStringList::iterator i=showOG.begin(); i!=showOG.end(); i++)
        {
            // if (fwbdebug) qDebug("%s",(*i).ascii());
            if ((*i).indexOf("object-group ")==0)
            {
                // second whitespace separated word is the group name
                QString ogn=(*i).section(' ',1,1);
                if (currentObjectGroups.indexOf(ogn)==-1)//currentObjectGroups.end())
                    currentObjectGroups.push_back(ogn);
            }
        }
        state=CLEAR_ACLS;
    }

    proc->write( "\n" );
}

/*
 * Slot scheduled from the CLEAR_OG state. Sends "clear object-group" for
 * every name in currentObjectGroups that is absent from newObjectGroups,
 * then leaves config mode with "exit" and moves to EXIT_FROM_CONFIG.
 * Group names originate from the device output collected by
 * getObjectGroups().
 */
void SSHPIX::clearObjectGroups()
{
    if (fwbdebug) qDebug("SSHPIX::clearObjectGroups ");

    emit printStdout_sign( "\n");
    emit printStdout_sign(tr("*** Clearing unused object groups"));
    emit printStdout_sign( "\n");

    QString ca;
    while (currentObjectGroups.size()!=0)
    {
        ca=currentObjectGroups.front();
        currentObjectGroups.pop_front();
        if (newObjectGroups.indexOf(ca)==-1)//==newObjectGroups.end())
        {
            if (fwbdebug)
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
                qDebug("clear object-group %s",ca.toAscii().constData());
#else
                qDebug("clear object-group %s",ca.toLatin1().constData());
#endif
            cmd(proc, QString("clear object-group %1").arg(ca));
            /* if state changed to FINISH, there was an error and ssh terminated */
            if (state==FINISH) return;
        }
    }

    state = EXIT_FROM_CONFIG;

    emit printStdout_sign( tr("*** End ") + "\n" );

    proc->write( "exit\n" );
}
fwbuilder-5.3.7/src/libgui/SSHPIX.h000066400000000000000000000027631303637203600167530ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

#ifndef __SSHPIX_H_
#define __SSHPIX_H_

#include "config.h"
#include "global.h"

#include "SSHCisco.h"

#include
#include
#include
#include

/*
 * Session driver for Cisco PIX / ASA style devices. Adds to SSHCisco an
 * optional backup of the running config and a clean-up pass that removes
 * access lists and object groups the new configuration no longer uses.
 */
class SSHPIX : public SSHCisco
{
    Q_OBJECT;

public:

    // parent: owning widget; host: device to connect to; args: argv of the
    // external ssh client (program name first); pwd / epwd: login and (by
    // its name) enable password, stored by SSHSession; in: lines to send
    // to the device (element type of std::list not visible in this listing)
    SSHPIX(QWidget *parent,
           const QString &host,
           const QStringList &args,
           const QString &pwd,
           const QString &epwd,
           const std::list &in);
    virtual ~SSHPIX();

    virtual void stateMachine();

public slots:
    // The slots below are scheduled from stateMachine() via
    // QTimer::singleShot(0, ...) so they run outside the readyRead callback.
    void PIXbackup();        // "show run" -> backupFile
    void getACLs();          // fill currentAcls from "show access-list"
    void clearACLs();        // "clear access-list" for lists not in newAcls
    void getObjectGroups();  // fill currentObjectGroups from "show object-group"
    void clearObjectGroups();// "clear object-group" for groups not in newObjectGroups
};

#endif
fwbuilder-5.3.7/src/libgui/SSHProcurve.cpp000066400000000000000000000121701303637203600204460ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2010 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

#include "config.h"
#include "global.h"

#include "SSHProcurve.h"

#include

using namespace std;

/*
 * HP "normal" prompt looks something like this:
 *
 * ProCurve Switch 3500-24> [
 *
 * Enable password prompt also uses ansi codes:
 * Password: [?25h[?25h[?25l
 *
 * once in enable mode, the prompt looks like this:
 *
 * ProCurve Switch 3500-24# ^[[24;1H^[[24;26H^[[24;1H^[[?25h^[[24;26H
 *
 * but we clear all ANSI sequences in SSHSession::readFromStdout()
 */

/*
 * Interactive ssh session driver for HP ProCurve switches. Reuses the
 * SSHCisco machinery with ProCurve prompt patterns; the ';' comment
 * symbol and the "Press any key to continue" greeting are the main
 * differences.
 */
SSHProcurve::SSHProcurve(QWidget *_par, const QString &_h,
                         const QStringList &args, const QString &_p,
                         const QString &_ep, const std::list &_in) :
    SSHCisco(_par,_h,args,_p,_ep,_in)
{
    normal_prompt = "> *$";
    enable_prompt = "# *$";     // matches config prompt too
    epwd_prompt = "Password: *$";
    hp_greeting_prompt = "Press any key to continue *$";
    pwd_prompt_1 = "'s password: $";
    pwd_prompt_2 = "Password: ";

    comment_symbol = ';';

    // Appended to the inherited list; presumably scanned by checkForErrors()
    errorsLoggedin.push_back("Unable to verify password");
}

SSHProcurve::~SSHProcurve()
{
}

// Procurve state machine needs to be able to deal with
// "reload after ... " command
//
// Handles the ProCurve specific prompts (greeting page, scheduled reboot
// dialog, copy destination, logout confirmation); all other states go to
// SSHCisco::stateMachine().
//
// NOTE(review): several QRegExp patterns below contain unescaped '[y/n]?'
// and '?'. In a regular expression "[y/n]?" is an optional character class,
// so the patterns effectively match the text before it as a prefix. They
// work, but "\\[y/n\\]\\?" is presumably what was intended.
void SSHProcurve::stateMachine()
{
    if (checkForErrors()) return;

    switch (state)
    {
    case NONE:
        /*
         * Procurve prints a full page greeting right after it accepts user password
         * and provides prompt "Press any key to continue". Press "any key" to
         * proceed.
         */
        if (cmpPrompt(stdoutBuffer, QRegExp(hp_greeting_prompt)))
        {
            stdoutBuffer="";
            proc->write("\n");
            break;
        } else
            SSHCisco::stateMachine();
        break;

    case SCHEDULE_RELOAD_DIALOG:
        // Dialog after a scheduled reboot command: do not save the current
        // configuration, then confirm the reboot and go back to ENABLE.
        if ( cmpPrompt(stdoutBuffer,
                       QRegExp("Do you want to save current configuration [y/n]?")) )
        {
            stdoutBuffer="";
            proc->write( "no\n" );
            break;
        }
        if ( cmpPrompt(
                 stdoutBuffer,
                 QRegExp("System will be rebooted at the scheduled time .*Do you want to continue [y/n]? ")) )
        {
            stdoutBuffer="";
            proc->write( "y\n" );
            state = ENABLE;
            break;
        }
        break;

    case PUSHING_CONFIG:
        // NOTE(review): "[.*]?" is an optional character class, not a
        // literal "[...]?"; see the same pattern in SSHNXOS::stateMachine().
        if ( cmpPrompt(stdoutBuffer, QRegExp("Destination filename [.*]?")) )
        {
            stdoutBuffer="";
            proc->write("\n"); // accept default file name
        } else
            SSHCisco::stateMachine();
        break;

    case EXIT_FROM_CONFIG:
        if ( cmpPrompt(stdoutBuffer,QRegExp(enable_prompt)) )
        {
            /*
             * Execute post_config_commands
             */
            if (post_config_commands.size()>0)
            {
                stdoutBuffer = "";
                QString cmd = post_config_commands.front();
                post_config_commands.pop_front();
                sendCommand(cmd);
                break;
            }

            stdoutBuffer="";
            state = EXIT;
            // Use command "logout" to log out from enable mode
            // instead of exit, which exits to normal mode.
            proc->write( "logout\n");
        }
        break;

    case EXIT:
        if ( cmpPrompt(stdoutBuffer,QRegExp("Do you want to log out [y/n]?")) )
        {
            stdoutBuffer="";
            proc->write("y\n"); // confirm the logout prompt
            state = FINISH;
        }
        break;

    default:
        SSHCisco::stateMachine();
        break;
    }
}

/*
 * for some reason ssh session to a ProCurve always finishes with
 * return code 255
 *
 * Slot connected to QProcess::finished(). Releases the process object,
 * reports the exit code and signals completion.
 *
 * Because 255 is accepted as success here, the exit code alone cannot
 * distinguish a normal ProCurve logout from an ssh client that failed on
 * its own -- OpenSSH's ssh(1) also exits with 255 when it could not
 * connect or authenticate. Presumably checkForErrors() and the errors*
 * tables catch those cases earlier in the session; verify that before
 * relying on the "OK" status reported by this slot.
 *
 * NOTE(review): exitStatus is computed but never used; the message
 * reports the raw retcode.
 */
void SSHProcurve::finished(int retcode)
{
    if (fwbdebug)
        qDebug("SSHProcurve::processExited proc=%p retcode=%d", proc, retcode);

    // background process has exited now, we do not need proc object anymore
    cleanUp();

    QString exitStatus = (retcode)?QObject::tr("ERROR"):QObject::tr("OK");
    emit printStdout_sign(tr("SSH session terminated, exit status: %1").
                          arg(retcode) + "\n");

    // Consider return code 0 and 255 a success, this is different from SSHSession
    //
    sessionComplete(retcode!=0 && retcode!=255);

    if (fwbdebug)
        qDebug("SSHProcurve::processExited done");
}
fwbuilder-5.3.7/src/libgui/SSHProcurve.h000066400000000000000000000026331303637203600201160ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2010 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.
  You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

#ifndef __SSHPROCURVE_H_
#define __SSHPROCURVE_H_

#include "config.h"
#include "global.h"

#include "SSHCisco.h"

#include

/*
 * Session driver for HP ProCurve switches, built on SSHCisco. Overrides
 * the prompt tables, the state machine (greeting page, reboot dialog,
 * logout confirmation) and the finished() handler, which treats exit code
 * 255 as success because ProCurve sessions end that way.
 */
class SSHProcurve : public SSHCisco
{
    Q_OBJECT;

    // Pattern for the "Press any key to continue" page shown after login
    QString hp_greeting_prompt;

public:

    // parent: owning widget; host: device to connect to; args: argv of the
    // external ssh client (program name first); pwd / epwd: login and (by
    // its name) enable password, stored by SSHSession; in: lines to send
    // to the device (element type of std::list not visible in this listing)
    SSHProcurve(QWidget *parent,
                const QString &host,
                const QStringList &args,
                const QString &pwd,
                const QString &epwd,
                const std::list &in);
    virtual ~SSHProcurve();

    virtual void stateMachine();

public slots:
    // Connected to QProcess::finished(); code is the client's exit code
    virtual void finished( int code );
};

#endif
fwbuilder-5.3.7/src/libgui/SSHSession.cpp000066400000000000000000000610521303637203600202670ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

#include "config.h"
#include "global.h"
#include "utils.h"

#include "SSHSession.h"
#include "instConf.h"

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#ifdef _WIN32
#  include
#endif

//#define STATE_MACHINE_DEBUG 1

using namespace std;

// Substrings of ssh client output that announce an unknown host key.
// Each client phrases the trust-on-first-use question differently.
const char *SSHSession::newKeyOpenSSH ="Are you sure you want to continue connecting (yes/no)?";
const char *SSHSession::newKeyPlink   ="Store key in cache? (y/n)";
const char *SSHSession::newKeyVsh     ="Accept and save? (y/n)";
const char *SSHSession::newKeySSHComm ="You can get a public key's fingerprint by running";
// Text preceding the host key fingerprint in that output (see
// findKeyFingerprint())
const char *SSHSession::fingerprintPrompt1="key fingerprint is";
const char *SSHSession::fingerprintPrompt2="Key fingerprint:";

/*
 * Base class for interactive ssh sessions driven by an external ssh
 * client running in a QProcess. Subclasses supply checkForErrors() and
 * stateMachine().
 *
 * _args is the argv of the external client (program first); _p and _ep
 * are kept in memory as pwd / epwd for the lifetime of the session;
 * _in holds the lines to be sent to the device.
 */
SSHSession::SSHSession(QWidget *_par,
                       const QString &_h,
                       const QStringList &_args,
                       const QString &_p,
                       const QString &_ep,
                       const list &_in)
{
    parent = _par;
    host = _h;
    args = _args;
    pwd = _p;
    epwd = _ep;
    input = _in;
    quiet = false;
    verbose = false;
    closeStdin = false;
    error = false;
    endOfCopy = false;
    send_keepalive = false;
    session_completed = false;
    proc = NULL;
    retcode = 0;

    heartBeatTimer = new QTimer(this);
    connect(heartBeatTimer, SIGNAL(timeout()), this, SLOT(heartBeat()) );

    // Shown to the user on first connection. The fingerprint substituted
    // for %2 is whatever findKeyFingerprint() extracted from the ssh
    // client's output; the user's comparison against an out-of-band copy
    // is the only verification of the host key that happens here.
    newKeyMsg = tr("You are connecting to the firewall '%1' for the first time. It has provided you its identification in a form of its host public key. The fingerprint of the host public key is: \"%2\" You can save the host key to the local database by pressing YES, or you can cancel connection by pressing NO. You should press YES only if you are sure you are really connected to the firewall '%3'.");

    fwb_prompt="";
    quiet=false;
    verbose=false;
    backup=false;
    incremental=false;
    dry_run=false;
    stripComments = false;
    wdir="";
    script="";
    backupFile="";
    save_diff="";
    diff_pgm="";
    diff_file="";
}

/*
 * Extracts the host key fingerprint from ssh client output.
 *
 * Looks for fingerprintPrompt1, then fingerprintPrompt2; returns "" if
 * neither is present. The fingerprint is taken to start one character
 * after the prompt text (skipping the separator) and to end at the next
 * newline searched from four characters further on. If no newline follows,
 * n2 is -1 and QString::mid() is given a negative length, which yields the
 * rest of the buffer.
 */
QString SSHSession::findKeyFingerprint(QString &buffer)
{
    const char *fp = fingerprintPrompt1;
    int n1,n2;
    if ( (n1=buffer.indexOf(fp))==-1)
    {
        fp = fingerprintPrompt2;
        if ( (n1=buffer.indexOf(fp))==-1) return QString("");
    }
    n1 += strlen(fp)+1;
    n2 = buffer.indexOf("\n", n1+4);
    return buffer.mid(n1,n2-n1);
}

/*
 * Launches the external ssh client.
 *
 * args[0] is the program, the rest its arguments. The child gets an
 * explicitly assembled environment rather than the parent's full one:
 * only the variables listed below are passed through. Note that PATH is
 * inherited (so a non-absolute program is resolved through the user's
 * PATH) and that SSH_AUTH_SOCK and KRB5CCNAME are forwarded, which makes
 * the user's ssh agent and Kerberos credential cache reachable by the
 * client.
 *
 * On failure to start, a message is emitted and the function returns
 * with proc still allocated and the heart beat timer already running.
 *
 * NOTE(review): assert() is compiled out under NDEBUG, in which case an
 * empty args list reaches "*i" unchecked. The local "cmd" string is
 * appended to without separators and is only used by the commented-out
 * log line.
 */
void SSHSession::startSession()
{
    proc = new QProcess();
    retcode = -1;

    startHeartBeat();

    if (fwbdebug)
        qDebug("SSHSession::startSession this=%p proc=%p heartBeatTimer=%p",
               this, proc, heartBeatTimer);

    connect(proc,SIGNAL(readyReadStandardOutput()),
            this, SLOT(readFromStdout() ) );
    connect(proc,SIGNAL(readyReadStandardError()),
            this, SLOT(readFromStderr() ) );
    connect(proc,SIGNAL(finished( int, QProcess::ExitStatus )),
            this, SLOT(finished( int ) ) );

#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    QTextCodec::setCodecForCStrings(QTextCodec::codecForName("latin1"));
#endif

    assert(args.size() > 0);

    QStringList arguments;
    QStringList::const_iterator i=args.begin();
    QString program = *i;
    ++i;
    for ( ; i!=args.end(); ++i)
    {
        arguments << *i;
        //proc->addArgument( *i );
        cmd += *i;
    }

    QStringList env;
#ifdef _WIN32
    env.push_back( QString("APPDATA=")+getenv("APPDATA") );
    env.push_back( QString("HOMEPATH=")+getenv("HOMEPATH") );
    env.push_back( QString("HOMEDRIVE=")+getenv("HOMEDRIVE") );
    env.push_back( QString("ProgramFiles=")+getenv("ProgramFiles") );
    /* NB: putty absolutely needs SystemRoot env. var. */
    env.push_back( QString("SystemRoot=")+getenv("SystemRoot") );
    env.push_back( QString("TEMP=")+getenv("TEMP") );
    env.push_back( QString("USERNAME=")+getenv("USERNAME") );
    env.push_back( QString("USERPROFILE=")+getenv("USERPROFILE") );
    env.push_back( QString("HOME=")+getenv("HOMEPATH") );
    env.push_back( QString("USER=")+getenv("USERNAME") );
#else
    env.push_back( QString("HOME=")+getenv("HOME") );
    env.push_back( QString("USER=")+getenv("USER") );
#endif
    env.push_back( QString("TMP=")+getenv("TMP") );
    env.push_back( QString("PATH=")+getenv("PATH") );
    env.push_back( QString("KRB5CCNAME=")+getenv("KRB5CCNAME") );
    env.push_back( QString("SSH_AUTH_SOCK=")+getenv("SSH_AUTH_SOCK") );

    // emit printStdout_sign( tr("Running command %1\n").arg(cmd) );

    proc->setEnvironment(env);

    // Debug trace of the full command line: any secret passed as an
    // argument to the client would be echoed here when fwbdebug is set.
    if (fwbdebug)
    {
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        qDebug("Launch external ssh client %s", program.toAscii().constData());
#else
        qDebug("Launch external ssh client %s", program.toLatin1().constData());
#endif
        qDebug("Arguments:");
        QStringList::const_iterator i;
        for (i=arguments.begin(); i!=arguments.end(); ++i)
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
            qDebug("    %s", (*i).toAscii().constData());
#else
            qDebug("    %s", (*i).toLatin1().constData());
#endif
    }

    proc->start(program, arguments);
    if ( !proc->waitForStarted() )
    {
        emit printStdout_sign( tr("Failed to start ssh") + "\n" );
        return;
    }

    if (fwbdebug) qDebug("SSHSession::startSession started child process");

    logged_in = false;
    enable = false;
    configure = false;
    state = NONE;
}

// Stops the child process (if any) via terminate() before the object
// goes away.
SSHSession::~SSHSession()
{
    if (fwbdebug) qDebug("SSHSession::destructor");
    terminate();
    if (fwbdebug) qDebug("SSHSession::destructor done");
}

/*
 * this is redundant and wrong. Should just copy a pointer to instConf
 * object and use that instead of making local copy of each flag.
 */
// Copies the installer options from cnf into this session's flags.
// Note the unconditional "stripComments = true" at the end, which
// overrides the value just copied from cnf->stripComments.
void SSHSession::setOptions(instConf *cnf)
{
    setQuiet(cnf->quiet);
    setVerbose(cnf->verbose);
    setBackup(cnf->backup);
    setBackupFile(cnf->backup_file);
    //setIncr(cnf->incremental);
    setDryRun(cnf->dry_run);
    setSaveStandby(cnf->saveStandby);
    setStripComments(cnf->stripComments);
    setWDir(cnf->wdir);
    setScript(cnf->script);
    setSaveDiff(cnf->save_diff);
    setDiffPgm(cnf->diff_pgm);
    setDiffFile(cnf->diff_file);

    // do not send comments to cisco and procurve devices
    // We used to provide an option for this on instOptions dialog but
    // it has been disabled. Possibly we'll re-enable it in the future, but
    // it seems wasteful to send comments to devices. Besides, Procurve
    // does not like it anyway.
    stripComments = true;
}

/*
 * Stops the heart beat timer and shuts down the external ssh client.
 *
 * Sequence when proc is still running: give QProcess a short chance to
 * deliver a pending finished() signal; send terminate() (kill() on
 * Windows, see the comment inside); poll for up to time_to_wait seconds,
 * forwarding the client's remaining stdout to the log unless quiet;
 * disconnect the signals; kill() if it is still alive. proc may become
 * NULL at several points because SSHSession::finished() deletes it while
 * events are being processed -- that is why it is re-checked so often.
 * Finally proc is deleted and retcode reset to -1.
 */
void SSHSession::terminate()
{
    if (fwbdebug)
        qDebug() << "SSHSession::terminate this=" << this
                 << "proc=" << proc
                 << "heartBeatTimer=" << heartBeatTimer;

    // Ticket #1426, SF bug 2990333. If installation process generates
    // a lot of output and keeps the GUI busy updating buffers and
    // progress log display, it becomes possible for the user to hit
    // Cancel and place corresponding event in the queue after the
    // process has actually finished but before its signal "finished"
    // could be processed by the slot SSHSession::terminated(). This
    // causes problems because we disconnect this signal here so we
    // never process it anymore. Also, it looks like QProcess does not
    // change its own state to indicate it is no longer running if its
    // signal processExited has not been processed. This means that
    // even though the background process has finished and exited,
    // QProcess still thinks it is running. We try to send terminate
    // and then kill signals to it in this function, to no avail. In
    // the end, the program crashes trying to destroy QProcess object
    // which still thinks it is running.
    //qApp->processEvents();

    stopHeartBeat();

    if (proc != NULL)
    {
        if (proc->state() == QProcess::Running)
        {
            if (fwbdebug)
                qDebug() << "SSHSession::terminate "
                         << "waiting for pending signal 'finished()', if any";

            // this processes events and lets QProcess send signal finished()
            // in case user hit Cancel at just right time when background process
            // already exited but QProcess has not noticed this yet.
            if (proc != NULL) proc->waitForFinished(100);
        }

        // If QProcess sent signal finished() while we were waiting in
        // waitForFinished(), the signal has been processed in
        // SSHSession::finished and proc has already been deleted.
        if (proc == NULL)
        {
            if (fwbdebug) qDebug("SSHSession::terminate proc==NULL");
            return;
        }

#ifdef _WIN32
        if (proc->pid() != NULL)
#else
        if (proc->pid() != -1)
#endif
        {
            if (proc->state() == QProcess::Running)
            {
                Q_PID pid = proc->pid();
                if (fwbdebug)
                    qDebug() << "SSHSession::terminate "
                             << "terminating child process pid=" << pid;

                emit printStdout_sign(tr("Stopping background process"));

                /*
                 * on windows proc->terminate() posts a WM_CLOSE
                 * message to all toplevel windows of the child
                 * process. However, since our child process is a
                 * console app (ssh client), this does nothing. Need
                 * to use proc->kill() on windows right away to avoid
                 * timeout.
                 */
#ifdef _WIN32
                proc->kill();
#else
                proc->terminate();
#endif
                if (fwbdebug)
                    qDebug() << "SSHSession::terminate terminate signal sent,"
                             << "waiting for it to finish";

                int time_to_wait = 20;
                for (int timeout = 0;
                     proc != NULL && proc->state() == QProcess::Running && timeout < time_to_wait;
                     timeout++)
                {
                    // print countdown only if we've been waiting more than 3 sec
                    if (timeout > 3)
                        emit printStdout_sign(
                            tr("Background process is still running. "
                               "Will wait %1 sec").arg(time_to_wait - timeout));

                    QString s = QString(proc->readAllStandardOutput());
                    if (!quiet)
                    {
                        s.replace('\r',"");
                        emit printStdout_sign(s);
                    }

                    QApplication::processEvents(
                        QEventLoop::ExcludeUserInputEvents,1);
                    // check if proc is still running after we processed events
                    if (proc != NULL) proc->waitForFinished(1000);
                }

                // proc can be NULL at this point if it had sent signal finished()
                // which we processed in the call to waitForFinished() above
                if (proc == NULL)
                {
                    if (fwbdebug) qDebug("SSHSession::terminate proc==NULL");
                    return;
                }

                if (fwbdebug)
                    qDebug() << "SSHSession::terminate "
                             << "Reading last output buffers";

                QString s = QString(proc->readAllStandardOutput());
                if (!quiet)
                {
                    s.replace('\r',"");
                    emit printStdout_sign(s);
                }

                if (fwbdebug)
                    qDebug() << "SSHSession::terminate done reading I/O buffers. Disconnecting signals";

                disconnect(proc, SIGNAL(readyReadStandardOutput()),
                           this, SLOT(readFromStdout() ) );
                disconnect(proc, SIGNAL(readyReadStandardError()),
                           this, SLOT(readFromStderr() ) );
                disconnect(proc, SIGNAL(finished(int, QProcess::ExitStatus)),
                           this, SLOT(finished(int) ) );

                if (proc->state() == QProcess::Running)
                {
                    if (fwbdebug)
                        qDebug() << "SSHSession::terminate Still running, killing";
                    proc->kill();
                }
            }
            delete proc;
            proc = NULL;
            retcode = -1;
        }
    }
    if (fwbdebug) qDebug("SSHSession::terminate done");
}

// Base implementation: always reports an error. Subclasses use the
// pattern "if (checkForErrors()) return;" at the top of stateMachine(),
// so a subclass that does not override this never processes any output.
bool SSHSession::checkForErrors()
{
    return true;
}

// Base implementation does nothing; subclasses drive the session here.
void SSHSession::stateMachine()
{
}

/*
 * signal wroteToStdin is connected to slot readyToSend. Can not send
 * next line in this slot because on win32 it emits the signal and
 * thus calls the same slot recursively, without exiting first. On
 * Linux and Mac it seems to exit and then emit the signal and call
 * slot on the next pass of the even loop. Since on win32 this does
 * not happen, need to schedule sending next line via single shot
 * timer instead of calling it directly.
*/ void SSHSession::readyToSend() { QTimer::singleShot( 0, this, SLOT(sendLine()) ); } void SSHSession::sendLine() { int n=0; while (input.size()!=0 && n<10) { string s = input.front(); s = s + "\n"; #if STATE_MACHINE_DEBUG if (fwbdebug) qDebug("SSHSession::sendLine : %d lines to go -- %s", int(input.size()), s.c_str()); #endif input.pop_front(); stdoutBuffer=""; /* it is important that we use writeToStdin(QByteArray &) rather than * writeToStdin(QString &) because the latter performs implicit * conversion into local locale assuming the string is in Unicode. The * string in our case is actually in whatever encoding the firewall * script is written to the local filesystem, which may or may not be * UTF-8 but is definitely not Unicode. The conversion not only breaks * comments that were entered in UTF-8, it makes QProcess miscalculate * number of characters in comment lines using UTF-8 which in turns * breaks the script even worse because it glues consequitive lines * together. Apparently this has been fixed in latest versions of QT * 3.x but this is still broken in QT 3.1 which is shipping with * RedHat 9 and some other still popular distributions. Since we need * to support old QT 3.x, the code must work around this problem. 
*/ QByteArray buf; buf = s.c_str(); proc->write/*ToStdin*/(buf); n++; } emit updateProgressBar_sign(input.size(),false); if (input.size()==0) { if (fwbdebug) qDebug("SSHUnx::sendLine - entire file sent, closeStdin=%d", closeStdin); endOfCopy = true; } } void SSHSession::allDataSent() { if (fwbdebug) qDebug("SSHSession::allDataSent closing stdin"); disconnect(proc,SIGNAL(bytesWritten(qint64)),this,SLOT(readyToSend())); #ifdef _WIN32 Sleep(2000); #endif proc->closeWriteChannel(); #ifdef _WIN32 Sleep(1000); #endif readFromStdout(); } void SSHSession::startHeartBeat() { if (fwbdebug) qDebug() << "SSHSession::startHeartBeat" << QTime::currentTime().toString(); heartBeatTimer->start(100); } void SSHSession::stopHeartBeat() { if (fwbdebug) qDebug() << "SSHSession::stopHeartBeat" << QTime::currentTime().toString(); heartBeatTimer->stop(); send_keepalive = false; } void SSHSession::heartBeat() { // if (fwbdebug) // qDebug() << "SSHSession::heartBeat begin" << QTime::currentTime().toString(); if (send_keepalive) proc->write("\n"); readFromStderr(); readFromStdout(); if (endOfCopy && closeStdin) { allDataSent(); endOfCopy = false; } // if (fwbdebug) // qDebug() << "SSHSession::heartBeat end " << QTime::currentTime().toString(); } void SSHSession::readFromStdout() { if (fwbdebug) qDebug() << "SSHSession::readFromStdout" << QTime::currentTime().toString() << "################ proc=" << proc; if (proc) { QByteArray ba = proc->readAllStandardOutput(); int basize = ba.size(); if (basize==0) return; QString buf(ba); /* regex to match minimal set of ANSI terminal codes used by HP Procurve * and Linux if shell prompt is configured to show colors. * * Matches ESC [ n ; m H (move cursor to position), ESC ? 25 l and ESC ? 
25 h * (hide and show cursor) and a few others */ QRegExp suppress_ansi_codes( "\x1B\\[((\\d*A)|(\\d*B)|(\\d*C)|(\\d*D)|(\\d*G)|(\\?\\d+l)|(\\d*J)|(2K)|(\\d*;\\d*[fHmr])|(\\?25h)|(\\?25l))"); QRegExp cursor_next_line("\x1B\\d*E"); while (buf.indexOf(suppress_ansi_codes) != -1) buf.replace(suppress_ansi_codes, ""); buf.replace(cursor_next_line, "\n"); stdoutBuffer.append(buf); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug() << buf.toAscii().constData() << "\n"; #else if (fwbdebug) qDebug() << buf.toLatin1().constData() << "\n"; #endif bool endsWithLF = buf.endsWith("\n"); QString lastLine = ""; // split on LF QStringList bufLines = buf.split("\n", QString::KeepEmptyParts); // if buf ends with a LF character, the last element in the list is // an empty string if (endsWithLF && bufLines.last().isEmpty()) bufLines.pop_back(); // if buf does not end with LF, last element in the list is // incomplete line of text if (!endsWithLF) { lastLine = bufLines.last(); bufLines.pop_back(); } if (bufLines.size() > 0) { /* * elements that are left in the list are all complete * lines of text. * * IMPORTANT: QT processes events when we emit signal * here. This means SSHSession::readFromStdout() (this * method) gets called recursively. If we print log lines * one by one, more log lines will be printed after the * first and they end up appearing in a strange order. 
* * See bug #465 */ QString s = pendingLogLine + bufLines.join("\n"); pendingLogLine = ""; if (!quiet) { s.replace('\r', ""); emit printStdout_sign(s); } } pendingLogLine += lastLine; if (fwbdebug) qDebug() << "SSHSession::readFromStdout" << QTime::currentTime().toString() << "calling stateMachine()"; stateMachine(); } if (fwbdebug) qDebug() << "SSHSession::readFromStdout" << QTime::currentTime().toString() << "---------------- end"; } /* * note: we set qprocess channel mode to "merged" but despite that * QProcess does not seem to merge stdout and stderr on Windows * (QT 4.4.0) * Will merge them here */ void SSHSession::readFromStderr() { if (proc) { QByteArray ba = proc->readAllStandardError(); if (ba.size()!=0) { QString s=QString(ba); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (fwbdebug) qDebug("SSHSession::readFromStderr buf=%s", s.toAscii().constData()); #else if (fwbdebug) qDebug("SSHSession::readFromStderr buf=%s", s.toLatin1().constData()); #endif emit printStdout_sign(s); stdoutBuffer.append(s); stateMachine(); } } } /* * See #1699: * * on windows, when ssh session fails because of an authentication * failure or other error, we get two calls to this function: first * with parameter err=true when an error line has been detected * somewhere in the state machine by function checkForErrors() and * then one more time when ssh client process terminates and * SSHSession::finished() calls sessionComplete(). On Windows using * plink and pscp while talking to Cisco ssh client terminates with * return code 0 even when authentication fails. The first call to * sessionComplete() sets session status to "Failure", but since * return code from ssh client was 0, the second call to this function * resets status to "Success". Using flag session_completed to avoid * this reset and use the status set by the first call. 
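 *
 */
void SSHSession::sessionComplete(bool err)
{
    if (fwbdebug)
        qDebug("SSHSession::sessionComplete err=%d", err);

    // No more keepalive "\n" writes or buffer polling once the session is over.
    heartBeatTimer->disconnect(SIGNAL(timeout()));

    if (session_completed)
    {
        // Second call (see the #1699 note above): keep the verdict recorded
        // by the first call. A "Failure" raised by checkForErrors() from the
        // client's output must not be downgraded to "Success" merely because
        // the ssh client later exited with code 0.
        if (fwbdebug)
            qDebug("SSHSession::sessionComplete session is already completed");
    }
    else
    {
        error = err;
        if (error) emit sessionFatalError_sign();
        else emit sessionFinished_sign();
    }

    if (fwbdebug)
        qDebug("SSHSession::sessionComplete done");

    session_completed = true;
}

/*
 * Detach from the ssh client process object and release it.
 *
 * Called from finished(), i.e. from inside a slot connected to proc's own
 * finished() signal. Deleting a QObject synchronously from a slot connected
 * to one of its signals is discouraged in Qt; the deletion is therefore
 * deferred to the event loop with deleteLater(). proc is set to NULL right
 * away, so terminate(), the destructor and the read slots (which all test
 * proc for NULL) never touch the object again.
 */
void SSHSession::cleanUp()
{
    // Already released by terminate() or by an earlier cleanUp().
    if (proc == NULL) return;

    disconnect(proc, SIGNAL(readyReadStandardOutput()),
               this, SLOT(readFromStdout()));
    disconnect(proc, SIGNAL(readyReadStandardError()),
               this, SLOT(readFromStderr()));
    disconnect(proc, SIGNAL(finished(int, QProcess::ExitStatus)),
               this, SLOT(finished(int)));

    proc->deleteLater();
    proc = NULL;
}

/*
 * Slot for QProcess::finished(int, QProcess::ExitStatus). 'code' is the
 * exit code of the ssh client. It is passed to sessionComplete() as the
 * success/failure verdict, but only the first verdict counts (see
 * sessionComplete()): if the state machine already flagged a fatal error
 * from the client's output, a zero exit code here does not override it.
 * Exit code 0 alone is not proof that the login or the install succeeded
 * (see the plink note above).
 */
void SSHSession::finished(int code)
{
    if (fwbdebug)
        qDebug("SSHSession::processExited proc=%p retcode=%d", proc, code);

    // background process has exited now, we do not need proc object anymore
    cleanUp();

    //QString exitStatus = (retcode)?QObject::tr("ERROR"):QObject::tr("OK");
    emit printStdout_sign(tr("SSH session terminated, exit status: %1")
                          .arg(code) + "\n");

    sessionComplete( code!=0 );

    if (fwbdebug)
        qDebug("SSHSession::processExited done");
}

/*
 * Return true if 'prompt' occurs anywhere in 'str' (or in 'str' with
 * surrounding whitespace trimmed). The match is not anchored to the end of
 * the buffer, so any output that merely contains the prompt text counts.
 *
 * Security note: the state machines use this to decide when to write the
 * password to the ssh client's stdin. Whatever is on the far end of the
 * channel can elicit that write by printing a prompt-like string; the ssh
 * client's host-key verification is what binds the far end to the
 * intended host.
 */
bool SSHSession::cmpPrompt(const QString &str, const QString &prompt)
{
#if STATE_MACHINE_DEBUG
    if (fwbdebug)
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        qDebug("SSHSession::cmpPrompt: str='%s' prompt='%s'",
               str.toAscii().constData(),prompt.toAscii().constData());
#else
        qDebug("SSHSession::cmpPrompt: str='%s' prompt='%s'",
               str.toLatin1().constData(),prompt.toLatin1().constData());
#endif // QT_VERSION
#endif

    bool res = false;
    if (!str.isEmpty())
    {
        res = (str.lastIndexOf(prompt,-1) != -1);
        if (!res)
        {
            QString s = str.trimmed();
            res = (s.lastIndexOf(prompt,-1) != -1);
        }
    }

#if STATE_MACHINE_DEBUG
    if (fwbdebug)
        qDebug("SSHSession::cmpPrompt: res=%d",res);
#endif
    return res;
}

/*
 * Regular-expression variant of cmpPrompt(): true if 'prompt' matches
 * anywhere in 'str'. An empty 'str' never matches. The same caveat as for
 * the string variant applies: the match is driven by remote output.
 */
bool SSHSession::cmpPrompt(const QString &str,const QRegExp &prompt)
{
#if STATE_MACHINE_DEBUG
    if (fwbdebug)
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        qDebug("SSHSession::cmpPrompt: str='%s' prompt='%s' (regexp)",
               str.toAscii().constData(),prompt.pattern().toAscii().constData());
#else
        qDebug("SSHSession::cmpPrompt: str='%s' prompt='%s' (regexp)",
               str.toLatin1().constData(),prompt.pattern().toLatin1().constData());
#endif // QT_VERSION
#endif

    if (str.isEmpty()) return false;

    bool res=(str.lastIndexOf(prompt,-1)!=-1);

#if STATE_MACHINE_DEBUG
    if (fwbdebug)
        qDebug("SSHSession::cmpPrompt: res=%d",res);
#endif
    return res;
}

/*
 * Send one command line to the ssh client's stdin and reset stdoutBuffer
 * so the state machine only sees output produced after the command.
 *
 * In dry-run mode the command is echoed to the progress log as
 * "[DRY RUN] <cmd>" instead of being executed, and only a newline is sent.
 * Do not route secrets (passwords, enable passwords) through this method:
 * they are written to proc directly by the state machines precisely so
 * that they never reach the log.
 *
 * The command is converted with toLatin1() (toAscii() on Qt 4); characters
 * outside that range are not preserved.
 */
void SSHSession::sendCommand(const QString &cmd)
{
    stdoutBuffer = "";

    if (!dry_run)
    {
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        proc->write((cmd + "\n").toAscii());
#else
        proc->write((cmd + "\n").toLatin1());
#endif
    }
    else
    {
        emit printStdout_sign(QString("[DRY RUN] %1\n").arg(cmd));
        proc->write("\n");
    }
}
fwbuilder-5.3.7/src/libgui/SSHSession.h000066400000000000000000000132051303637203600177310ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.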
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SSHSESSION_H_ #define __SSHSESSION_H_ #include "config.h" #include "global.h" #include #include #include #include #include #include #include #include class QTimer; class instConf; class QWidget; class SSHSession : public QObject { Q_OBJECT protected: QWidget *parent; QProcess *proc; int retcode; QTimer *heartBeatTimer; QString stdoutBuffer; QString stderrBuffer; QString ssh; QString cmd; QStringList args; std::list input; bool closeStdin; bool logged_in; bool enable; bool configure; bool endOfCopy; bool send_keepalive; bool session_completed; enum State { NONE, LOGGEDIN, WAITING_FOR_ENABLE, PRE_CONFIG_COMMANDS, SCHEDULE_RELOAD_DIALOG, ENABLE, CONFIG, COMMAND_SENT, WAITING_FOR_SHOW_RUN, WAITING_FOR_CONFIG_PROMPT, CLEAR_CONFIG, PUSHING_CONFIG, GET_ACLS, CLEAR_ACLS, GET_OG, CLEAR_OG, EXIT_FROM_CONFIG, SAVE_CONFIG, SAVE_STANDBY, RUN_SCRIPT, EXIT, FINISH, EXECUTING_COMMAND, COMMAND_DONE }; enum State state; int phase; bool verbose; bool quiet; bool error; bool backup; bool incremental; bool dry_run; bool saveStandby; bool stripComments; QString wdir; QString script; QString backupFile; QString diff_pgm; bool save_diff; QString diff_file; QString normal_prompt; QString fwb_prompt; QString enable_prompt; QString config_prompt; QString pwd_prompt_1; QString pwd_prompt_2; QString putty_pwd_prompt; QString ssh_pwd_prompt; QString thinkfinger_pwd_prompt; QString ssoft_prompt1; QString ssoft_prompt2; QString ssoft_config_prompt; QString sudo_pwd_prompt_1; QString sudo_pwd_prompt_2; QString passphrase_prompt; QString epwd_prompt; QStringList errorsInit; QStringList errorsLoggedin; QStringList errorsEnabledState; QString pendingLogLine; QString pwd; QString epwd; QString host; static const char* newKeyOpenSSH; static const char* newKeyPlink; static const char* newKeyVsh; static const char* newKeySSHComm; static const 
char* fingerprintPrompt1; static const char* fingerprintPrompt2; QString newKeyMsg; bool cmpPrompt(const QString &str,const QString &prompt); bool cmpPrompt(const QString &str,const QRegExp &prompt); void startHeartBeat(); void stopHeartBeat(); protected: virtual void sendCommand(const QString &cmd); void cleanUp(); public: SSHSession(QWidget *parent, const QString &host, const QStringList &args, const QString &pwd, const QString &epwd, const std::list &in); virtual ~SSHSession(); virtual bool checkForErrors(); virtual void stateMachine(); void startSession(); void terminate(); void setOptions(instConf *cnf); void setCloseStdin(bool f) { closeStdin=f; } void setFWBPrompt(const QString &p) { fwb_prompt=p; } void setQuiet(bool f) { quiet=f; } void setVerbose(bool f) { verbose=f; } void setBackup(bool f) { backup=f; } void setIncr(bool f) { incremental=f; } void setDryRun(bool f) { dry_run=f; } void setSaveStandby(bool f) { saveStandby=f; } void setStripComments(bool f) { stripComments=f; } void setWDir(const QString &wd) { wdir=wd; } void setScript(const QString &cf) { script=cf; } void setBackupFile(const QString &cf) { backupFile=cf; } void setSaveDiff(bool f) { save_diff=f; } void setDiffPgm(const QString &v) { diff_pgm=v; } void setDiffFile(const QString &v) { diff_file=v; } bool getErrorStatus() { return error; } void sessionComplete(bool err); QString findKeyFingerprint(QString &buffer); public slots: virtual void readFromStdout(); virtual void readFromStderr(); virtual void finished( int code ); void readyToSend(); void sendLine(); void allDataSent(); void heartBeat(); signals: void printStdout_sign(const QString &line); void sessionFinished_sign(); void sessionFatalError_sign(); void updateProgressBar_sign(int n,bool setsize); }; #endif fwbuilder-5.3.7/src/libgui/SSHUnx.cpp000066400000000000000000000247171303637203600174250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This 
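program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "config.h"
#include "global.h"
#include "utils.h"
#include "SSHUnx.h"

// NOTE(review): the names of the system/Qt headers below were lost when
// this copy of the file was extracted; the original lines are kept as-is.
#include
#include
#include
#include
#include
#include
#include
#include

using namespace std;

/*
 * SSHUnx drives an interactive ssh session to a Unix-like firewall
 * (iptables, pf, ...) through an external ssh client (openssh, plink,
 * vsh, ssh.com; the "new host key" strings for each live in SSHSession).
 *
 * The constructor only fills in the prompt strings the state machine
 * reacts to and the lists of output patterns that are treated as fatal
 * errors. Every entry of the error lists is compiled as a QRegExp by
 * checkForErrors(), so regex metacharacters in them are significant.
 *
 * _in is the script to push, one line per list element (sendLine() pops
 * std::string entries from it).
 */
SSHUnx::SSHUnx(QWidget *_par,
               const QString &_h,
               const QStringList &args,
               const QString &_p,
               const QString &_ep,
               const list<string> &_in) : SSHSession(_par,_h,args,_p,_ep,_in)
{
    normal_prompt = "> ";
    enable_prompt = "# ";

    // Prompts that trigger writing the password to the client's stdin.
    // "Password:" is deliberately short, so any output containing it
    // (a login banner, for instance) is answered with the password.
    pwd_prompt_1 = "'s password: ";
    pwd_prompt_2 = "'s password: ";
    thinkfinger_pwd_prompt = "Password or swipe finger:";
    epwd_prompt = "Password: ";
    ssh_pwd_prompt = "'s password: ";
    ssoft_config_prompt = "> ";
    sudo_pwd_prompt_1 = "Password:";
    sudo_pwd_prompt_2 = "[sudo] password for ";
    putty_pwd_prompt = "Password: ";
    passphrase_prompt = "Enter passphrase for key ";

    // Fatal before login (checked in every state except LOGGEDIN).
    errorsInit << "Permission denied";
    errorsInit << "Invalid password";
    errorsInit << "Unable to authenticate";
    errorsInit << "Sorry, try again";
    errorsInit << "Too many authentication failures";

    // Host key mismatch. OpenSSH refuses to connect and prints the first
    // two lines; PuTTY/plink prints the third and then asks whether to
    // update the cached key. Flagging these as fatal reports a possible
    // man-in-the-middle to the user explicitly instead of relying on the
    // ssh client's exit code (plink may exit 0, see the #1699 note in
    // SSHSession::sessionComplete()), and guarantees the session stops
    // before any password is written. The exact text of the "new key"
    // prompts (newKeyPlink etc.) is defined elsewhere and is not
    // affected by this.
    errorsInit << "REMOTE HOST IDENTIFICATION HAS CHANGED";
    errorsInit << "Host key verification failed";
    errorsInit << "POTENTIAL SECURITY BREACH";

    errorsLoggedin << "No such file or directory";
    errorsLoggedin << "Cannot allocate memory";

    shell_errors << "Syntax error:";
    shell_errors << "No command .* found";
    shell_errors << "Command not found";
    shell_errors << "[fF]ile .* does not exist";

    // some ifconfig errors
    shell_errors << "[iI]nterface .* does not exist";
    shell_errors << "ifconfig: .*: Device busy";
    shell_errors << "permission denied";
    shell_errors << "interface name too long";
    shell_errors << "cloning name too long";
    shell_errors << "error in parsing address";
    shell_errors << "can't set";
    shell_errors << ".* malformed";
    shell_errors << ".* failed";
    shell_errors << ".* not allowed for the AF";
    shell_errors << "internal error";
    shell_errors << "unable to allocate .*";
    shell_errors << "unable to get .*";
    shell_errors << "unknown .* protocol";
    shell_errors << "[iI]nvalid .* protocol";
    shell_errors << "Can't assign requested address";

    // some /sbin/ip errors
    shell_errors << "Object .* is unknown, try \"ip help\"";
    shell_errors << "Cannot find device";
    shell_errors << "Error: an inet prefix is expected rather than";

    iptables_errors << "'iptables --help' for more information.";
    iptables_errors << "'iptables-restore --help' for more information.";
    iptables_errors << "iptables-restore: line .* failed";

    pfctl_errors << "pfctl: Syntax error in config file:";
    pfctl_errors << "Syntax error in config file:";
    pfctl_errors << "skipping rule due to errors";
    pfctl_errors << "errors in queue definition";
    // NOTE(review): "(s)" is a regex group here, so this pattern matches
    // "...interfaces", not the literal "...interface(s)" — confirm against
    // what pfctl actually prints.
    pfctl_errors << "error setting skip interface(s)";
    pfctl_errors << "errors in altq config";

    route_add_errors << "Error: Routing rule .* couldn't be activated";
}

SSHUnx::~SSHUnx()
{
}

/*
 * Scan stdoutBuffer for any pattern of *errptr (each compiled as a
 * QRegExp). On the first match the buffer is written to the progress log
 * after a "*** Fatal error :" line, cleared, and the session is finished
 * with error status (sessionComplete(true)). Returns true if an error was
 * found, false otherwise.
 */
bool SSHUnx::checkForErrors(QStringList *errptr)
{
#if STATE_MACHINE_DEBUG
    if (fwbdebug)
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        qDebug(
            QString("SSHUnx::stateMachine: Checking for errors. Buffer='%1'").
            arg(stdoutBuffer).toAscii().constData());
#else
        qDebug(
            QString("SSHUnx::stateMachine: Checking for errors. Buffer='%1'").
            arg(stdoutBuffer).toLatin1().constData());
#endif // QT_VERSION
#endif

    foreach (QString err, *errptr)
    {
        if (stdoutBuffer.lastIndexOf(QRegExp(err), -1) != -1)
        {
            if (fwbdebug)
                qDebug("SSHUnx::stateMachine: MATCH. Error detected.");
            emit printStdout_sign( tr("\n*** Fatal error :") );
            emit printStdout_sign( stdoutBuffer + "\n" );
            stdoutBuffer = "";
            sessionComplete(true);  // finish with error status
            return true;
        }
    }
    return false;
}

/*
 * Run all error lists against the current output buffer. errorsLoggedin
 * applies only in the LOGGEDIN state, errorsInit in every other state;
 * the tool-specific lists apply everywhere. Returns true if the session
 * has been aborted because of an error.
 */
bool SSHUnx::checkForErrors()
{
    switch (state)
    {
    case LOGGEDIN:
        if (checkForErrors(&errorsLoggedin)) return true;
        break;
    default:
        if (checkForErrors(&errorsInit)) return true;
        break;
    }

    if (checkForErrors(&iptables_errors)) return true;
    if (checkForErrors(&pfctl_errors)) return true;
    if (checkForErrors(&route_add_errors)) return true;
    if (checkForErrors(&shell_errors)) return true;

    return false;
}

/*
 * State machine, run every time new output arrives (see
 * SSHSession::readFromStdout()/readFromStderr()).
 *
 *  NONE           - not logged in yet: answer password/passphrase prompts,
 *                   handle the "new host key" question, detect the shell
 *                   prompt and move to PUSHING_CONFIG.
 *  PUSHING_CONFIG - answer a sudo password prompt if one appears, then
 *                   start streaming the script lines to the client.
 *  FINISH         - reached when a previous ssh/scp command terminated
 *                   (no visible code sets this state; kept for callers
 *                   or subclasses that might).
 *
 * Security notes:
 *  - The password is written whenever the output contains one of the
 *    prompt strings (cmpPrompt() matches anywhere in the buffer). It goes
 *    to whatever is at the far end of the ssh channel; the ssh client's
 *    host-key verification plus the user's answer to the new-key dialog
 *    are what bind that end to 'host'.
 *  - The fingerprint shown in the new-key dialog is taken from the ssh
 *    client's own output (findKeyFingerprint()); the user is expected to
 *    compare it out of band before accepting.
 *  - In the code visible here readFromStderr() appends to stdoutBuffer,
 *    so the cmpPrompt(stderrBuffer, ...) checks below look redundant;
 *    they are kept unchanged.
 */
void SSHUnx::stateMachine()
{
    if (checkForErrors()) return;

#if STATE_MACHINE_DEBUG
    if (fwbdebug)
        qDebug("SSHUnx::stateMachine: state=%d",state);
#endif

//entry:
    switch (state)
    {
    case NONE:
    {
        if ( cmpPrompt(stdoutBuffer, ssh_pwd_prompt) ||
             cmpPrompt(stdoutBuffer, putty_pwd_prompt) ||
             cmpPrompt(stdoutBuffer, thinkfinger_pwd_prompt) ||
             stdoutBuffer.lastIndexOf(passphrase_prompt, -1)!=-1 ||
             cmpPrompt(stdoutBuffer, sudo_pwd_prompt_1) ||
             cmpPrompt(stderrBuffer, sudo_pwd_prompt_1) ||
             cmpPrompt(stdoutBuffer, sudo_pwd_prompt_2) ||
             cmpPrompt(stderrBuffer, sudo_pwd_prompt_2) )
        {
            // Clear the buffer first so the same prompt is not answered
            // twice. toLatin1()/toAscii() drops characters outside that
            // range — presumably passwords are expected to be ASCII; verify.
            stdoutBuffer="";
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
            proc->write( pwd.toAscii() );
#else
            proc->write( pwd.toLatin1() );
#endif
            proc->write( "\n" );
            break;
        }

        // we may get to LOGGEDIN state directly from NONE, for
        // example when password is supplied on command line to
        // plink.exe
        if (cmpPrompt(stdoutBuffer,normal_prompt) ||
            cmpPrompt(stdoutBuffer,fwb_prompt))
        {
            state = PUSHING_CONFIG;

            // start sending keepalive chars (just "\n", done in
            // SSHSession::heartBeat()) to keep session alive and to
            // force firewall to restore session state after policy
            // has been reloaded and state possibly purged.
            //
            // Disabled for SF bug 3020381
            // We should really use ssh keepalives instead. See
            // FirewallInstaller::packSSHArgs() where we add command line
            // options to activate ssh keepalive. This does not work
            // on Windows with plink.exe that does not support these
            // command line options !
            //
#ifdef _WIN32
            send_keepalive = true;
#endif
            if (!quiet) emit printStdout_sign( tr("Logged in") + "\n" );
            if (fwbdebug) qDebug("SSHUnx::stateMachine logged in");
            goto push_files;
        }

        if (fwbdebug) qDebug() << stdoutBuffer;

        QString fingerprint;
        //int n1,n2;
        if (stdoutBuffer.indexOf(newKeyOpenSSH)!=-1 ||
            stdoutBuffer.indexOf(newKeyPlink)!=-1 ||
            stdoutBuffer.indexOf(newKeyVsh)!=-1 ||
            stdoutBuffer.indexOf(newKeySSHComm)!=-1)
        {
            /* new key: ask the user before the client caches it */
            bool unix_y_n = (stdoutBuffer.indexOf(newKeyOpenSSH)!=-1 ||
                             stdoutBuffer.indexOf(newKeySSHComm)!=-1);
            fingerprint = findKeyFingerprint(stdoutBuffer);

            // Multi-argument arg(): with chained .arg() calls a '%n'
            // sequence inside 'host' or the fingerprint text would be
            // substituted by the following call.
            QString msg = newKeyMsg.arg(host, fingerprint, host);

            stopHeartBeat();
            // "No" (button 1) is the default and the Escape button, so
            // an accidental Enter or Esc never accepts an unverified key.
            int res = QMessageBox::warning( parent, tr("New RSA key"), msg,
                                            tr("Yes"), tr("No"), 0, 1, 1 );
            if (fwbdebug) qDebug("User said: res=%d", res);
            startHeartBeat();
            stdoutBuffer="";

            if (res==0)
            {
                if (unix_y_n) proc->write( "yes\n" );
                else proc->write( "y\n" );
                break;
            }
            else
            {
                sessionComplete(true);  // finish with error status
                return;
                // state=EXIT;
                // goto entry;
            }
        }
    }
    break;

    /* in this state we may need to enter sudo password */
    case PUSHING_CONFIG:
    push_files:
        if ( cmpPrompt(stdoutBuffer, sudo_pwd_prompt_1) ||
             cmpPrompt(stderrBuffer, sudo_pwd_prompt_1) ||
             cmpPrompt(stdoutBuffer, sudo_pwd_prompt_2) ||
             cmpPrompt(stderrBuffer, sudo_pwd_prompt_2) )
        {
            stdoutBuffer="";
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
            proc->write( pwd.toAscii() );
#else
            proc->write( pwd.toLatin1() );
#endif
            proc->write( "\n" );
            break;
        }

        /*
        if (!quiet && !verbose)
        {
            emit printStdout_sign( stdoutBuffer );
        }
        */
        stdoutBuffer="";

        if (input.size()!=0)
        {
            if (fwbdebug) qDebug("SSHUnx::stateMachine - sending a file");
            emit updateProgressBar_sign(input.size(),true);
            // readyToSend() re-arms sendLine() after each write completes.
            connect(proc,SIGNAL(bytesWritten(qint64)),this,SLOT(readyToSend()));
            sendLine();
            break;
        }
        break;

    /* we get to this state when previous ssh or scp command terminates */
    case FINISH:
        if ( (proc->state()==QProcess::NotRunning) &&
             (proc->exitStatus()==QProcess::NormalExit))
        {
            emit printStdout_sign( "\n");
            emit printStdout_sign( tr("Done") );
            emit printStdout_sign( "\n");
            delete proc;
            proc=NULL;
            state=NONE;
            // sessionFinished_sign means success (see
            // SSHSession::sessionComplete()); emit it only on this path.
            // Previously it was emitted after the error branch below, i.e.
            // a fatal error was followed by a "finished" (success) signal.
            emit sessionFinished_sign();
        }
        else
        {
            emit printStdout_sign( "\n");
            emit printStdout_sign( tr("Error in SSH") );
            emit printStdout_sign( "\n");
            // terminate();
            sessionComplete(true);  // finish with error status
            // NOTE(review): proc is dropped here without delete; whether
            // it has a Qt parent that frees it is not visible in this file.
            proc=NULL;
        }
        break;

    default:
        break;
    }
}
fwbuilder-5.3.7/src/libgui/SSHUnx.h000066400000000000000000000030411303637203600170570ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.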
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SSHUNX_H_ #define __SSHUNX_H_ #include "config.h" #include "global.h" #include "SSHSession.h" #include #include class SSHUnx : public SSHSession { Q_OBJECT; QStringList shell_errors; QStringList iptables_errors; QStringList pfctl_errors; QStringList route_add_errors; public: SSHUnx(QWidget *parent, const QString &host, const QStringList &args, const QString &pwd, const QString &epwd, const std::list &in); virtual ~SSHUnx(); virtual bool checkForErrors(); virtual void stateMachine(); bool checkForErrors(QStringList *errptr); }; #endif fwbuilder-5.3.7/src/libgui/SimpleIntEditor.cpp000066400000000000000000000035751303637203600213470ustar00rootroot00000000000000/* Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
*/ #include "config.h" #include "global.h" #include "SimpleIntEditor.h" #include "FWBSettings.h" #include #include #include #include using namespace std; SimpleIntEditor::SimpleIntEditor(int minValue, int maxValue, int value, const QString &title): QDialog() { m_dialog = new Ui::SimpleIntEditor_q; m_dialog->setupUi(static_cast(this)); if (!title.isEmpty()) setWindowTitle(title); m_dialog->spin_box->setMinimum( minValue); m_dialog->spin_box->setMaximum( maxValue); m_dialog->spin_box->setValue( value); } int SimpleIntEditor::value() { return m_dialog->spin_box->value(); } fwbuilder-5.3.7/src/libgui/SimpleIntEditor.h000066400000000000000000000032111303637203600207770ustar00rootroot00000000000000/* Firewall Builder Routing add-on Copyright (C) 2004 Compal GmbH, Germany Author: Tidei Maurizio Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
*/ #ifndef __SIMPLEINTEDITOR_H__ #define __SIMPLEINTEDITOR_H__ #include "config.h" #include class SimpleIntEditor : public QDialog { Q_OBJECT public: Ui::SimpleIntEditor_q *m_dialog; SimpleIntEditor(int minValue, int maxValue, int value, const QString &title); ~SimpleIntEditor() { delete m_dialog; }; int value(); //public slots: // virtual void loadFromFile(); }; #endif fwbuilder-5.3.7/src/libgui/SimpleTextEditor.cpp000066400000000000000000000054461303637203600215400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "SimpleTextEditor.h" #include "FWBSettings.h" #include #include #include #include #include using namespace std; SimpleTextEditor::SimpleTextEditor(QWidget *parent, const QString &txt, bool enableLoadFromFile, const QString &title) : QDialog(parent) { m_dialog = new Ui::SimpleTextEditor_q; m_dialog->setupUi(static_cast(this)); if (enableLoadFromFile) m_dialog->inputFromFileButton->show(); else m_dialog->inputFromFileButton->hide(); if (!title.isEmpty()) setWindowTitle(title); //editor->setTextFormat(QTextEdit::PlainText); m_dialog->editor->setPlainText(txt); } SimpleTextEditor::~SimpleTextEditor() { delete m_dialog; } QString SimpleTextEditor::text() { return m_dialog->editor->toPlainText(); } void SimpleTextEditor::loadFromFile() { if (QMessageBox::warning(this, tr("Firewall Builder"), tr("Warning: loading from file discards " "current contents of the script."), "&Load", "&Cancel", QString::null, 0, 1 ) != 0) { return; } QString filename = QFileDialog::getOpenFileName(this, tr("Choose file"), st->getOpenFileDir()); if (filename.isEmpty()) return; st->setOpenFileDir(filename); ifstream ifile(filename.toLatin1().constData()); if (!ifile) { QMessageBox::warning( this,"Firewall Builder", tr("Could not open file %1").arg(filename), "&Continue", QString::null, QString::null, 0, 1 ); return; } m_dialog->editor->clear(); char buf[1024]; while (ifile.getline(buf,1024)) { m_dialog->editor->append( buf ); } } fwbuilder-5.3.7/src/libgui/SimpleTextEditor.h000066400000000000000000000025251303637203600212000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SIMPLETEXTEDITOR_H__ #define __SIMPLETEXTEDITOR_H__ #include "config.h" #include class SimpleTextEditor : public QDialog { Q_OBJECT public: Ui::SimpleTextEditor_q *m_dialog; SimpleTextEditor(QWidget *parent, const QString &txt, bool enableLoadFromFile=true, const QString &title=""); ~SimpleTextEditor(); QString text(); public slots: virtual void loadFromFile(); }; #endif fwbuilder-5.3.7/src/libgui/SimpleTextView.cpp000066400000000000000000000025501303637203600212150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2005 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "SimpleTextView.h" #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; void SimpleTextView::setText(QString s) { m_dialog->textview->setText(s); } void SimpleTextView::setName(QString s) { m_dialog->objectname->setText(s); } fwbuilder-5.3.7/src/libgui/SimpleTextView.h000066400000000000000000000026211303637203600206610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2005 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SIMPLETEXTVIEW_H_ #define __SIMPLETEXTVIEW_H_ #include "config.h" #include #include class SimpleTextView : public QDialog { Q_OBJECT private: public: Ui::SimpleTextView_q *m_dialog; SimpleTextView(QWidget *parent) : QDialog(parent) { m_dialog = new Ui::SimpleTextView_q; m_dialog->setupUi(this); }; virtual ~SimpleTextView() { delete m_dialog; }; virtual void setText(QString s); virtual void setName(QString s); public slots: signals: }; #endif fwbuilder-5.3.7/src/libgui/StartTipDialog.cpp000066400000000000000000000141051303637203600211550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "StartTipDialog.h" #include "startup_tip_url.h" #include "FWBSettings.h" #include "FWWindow.h" #include "Help.h" #include "fwbuilder/Constants.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; StartTipDialog::StartTipDialog(QWidget *parent): QDialog(parent) { setAttribute(Qt::WA_DeleteOnClose); setModal(false); http_getter = new HttpGet(); connect(http_getter, SIGNAL(done(const QString&)), this, SLOT(downloadComplete(const QString&))); m_dialog = new Ui::StartTipDialog_q; m_dialog->setupUi(this); QString pgm = m_dialog->program_name->text(); m_dialog->program_name->setText(pgm.arg(GENERATION)); m_dialog->program_version->setText(VERSION); QString locale = QLocale::system().name(); //"en_US"; QStringList paths; paths.append(QString(Constants::getResourcesDirectory().c_str()) + "/help/" + locale); paths.append(QString(Constants::getResourcesDirectory().c_str()) + "/help/" + "en_US"); m_dialog->textview->setSearchPaths(paths); m_dialog->textview->setOpenLinks(true); m_dialog->textview->setOpenExternalLinks(true); current_tip = -1; // preload tips that come with the package // we use separate Help() object for the tip of the day becayse it should // have different size and should not be persistent Help *h = new Help(NULL, ""); int tip_no = 1; while (true) { QString tip_file; tip_file.sprintf("tip%02d.html", tip_no); QString contents; if (fwbdebug) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("Trying tip file %s", tip_file.toAscii().constData()); #else qDebug("Trying tip file %s", tip_file.toLatin1().constData()); #endif QString help_file = h->findHelpFile(tip_file); if (!help_file.isEmpty()) { tips.append("file:" + tip_file); tip_no++; } else break; } delete h; current_tip = tips.size() - 1; if 
(fwbdebug) qDebug("Have %d tips", tips.size()); first_run = st->getBool("UI/FirstRun"); } StartTipDialog::~StartTipDialog() { delete m_dialog; delete http_getter; }; /* * disconnect signal in case dialog is closed before http query completes. * This does happen in unit tests and might happen on slow machines or * slow internet connections */ void StartTipDialog::closeEvent(QCloseEvent*) { disconnect(http_getter, SIGNAL(done(const QString&)), this, SLOT(downloadComplete(const QString&))); } /* * Returns file name for a random tip */ QString StartTipDialog::getRandomTip() { if (tips.size()) { int n = rand() % tips.size(); if (fwbdebug) qDebug("Showing tip %d", n); return tips[n]; } return ""; } void StartTipDialog::run() { if (first_run) { showTip(0); st->setBool("UI/FirstRun", false); } else { if (http_getter->get(QUrl(STARTUP_TIP_URL))) { start_time = time(NULL); } else { if (fwbdebug) qDebug("Can not connect to the url %s", STARTUP_TIP_URL); showTip(getRandomTip(), false); } } } void StartTipDialog::downloadComplete(const QString &txt) { // Do not show dialog if download took too long (time out occurred) if (time(NULL) - start_time < 15) { QString tip; if (http_getter->getStatus()) { showTip(txt); } else { if (fwbdebug) { qDebug() << "Error connecting to the url " << STARTUP_TIP_URL; qDebug() << http_getter->getLastError(); } showTip(getRandomTip(), false); } } else { if (fwbdebug) qDebug("Suppressing startup tip dialog because download took too long"); } } void StartTipDialog::showTip(const QString &txt, bool new_tip) { if (fwbdebug) qDebug("Show tip %s", txt.toStdString().c_str()); if (new_tip) { tips.append(txt); current_tip = tips.size() - 1; } QUrl url(txt); if (url.isValid() && (url.scheme() == "file" || url.scheme() == "http")) m_dialog->textview->setSource(url); else m_dialog->textview->setText(txt); show(); raise(); } void StartTipDialog::showTip(int tip_idx) { if (fwbdebug) qDebug("Show tip #%d", tip_idx); showTip(tips[tip_idx], false); } void 
StartTipDialog::close() { if (m_dialog->donotshow->isChecked()) st->setBool("UI/NoStartTip", true); QDialog::close(); } void StartTipDialog::nextTip() { if (current_tip < (tips.size() - 1)) { current_tip++; showTip(current_tip); } else run(); // gets next tip, caches it and shows it } void StartTipDialog::prevTip() { current_tip--; if (current_tip < 0) current_tip = 0; showTip(current_tip); } void StartTipDialog::showGettingStartedTutorial() { int ab_group = st->getABTestingGroup(); QString url("http://www.fwbuilder.org/4.0/quick_start_guide_%1.html"); QDesktopServices::openUrl(QUrl(url.arg(ab_group), QUrl::StrictMode)); } fwbuilder-5.3.7/src/libgui/StartTipDialog.h000066400000000000000000000033001303637203600206150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __STARTTIPDIALOG_H_ #define __STARTTIPDIALOG_H_ #include "config.h" #include "ui_starttipdialog_q.h" #include "HttpGet.h" #include #include #include #include class StartTipDialog : public QDialog { Q_OBJECT; HttpGet *http_getter; QStringList tips; int current_tip; time_t start_time; bool first_run; void showTip(const QString &txt, bool new_tip=true); void showTip(int tip_idx); QString getRandomTip(); virtual void closeEvent(QCloseEvent *event); public: Ui::StartTipDialog_q *m_dialog; StartTipDialog(QWidget *parent = NULL); virtual ~StartTipDialog(); void run(); public slots: void downloadComplete(const QString&); void nextTip(); void prevTip(); void showGettingStartedTutorial(); virtual void close(); }; #endif fwbuilder-5.3.7/src/libgui/TCPServiceDialog.cpp000066400000000000000000000206061303637203600213550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBTree.h" #include "TCPServiceDialog.h" #include "FWCmdChange.h" #include "ProjectPanel.h" #include "fwbuilder/Library.h" #include "fwbuilder/TCPService.h" #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; TCPServiceDialog::TCPServiceDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::TCPServiceDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } TCPServiceDialog::~TCPServiceDialog() { delete m_dialog; } void TCPServiceDialog::loadFWObject(FWObject *o) { obj=o; TCPService *s = dynamic_cast(obj); assert(s!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->ss->setValue( TCPUDPService::cast(s)->getSrcRangeStart() ); m_dialog->se->setValue( TCPUDPService::cast(s)->getSrcRangeEnd() ); m_dialog->ds->setValue( TCPUDPService::cast(s)->getDstRangeStart() ); m_dialog->de->setValue( TCPUDPService::cast(s)->getDstRangeEnd() ); m_dialog->urg_m->setChecked( s->getBool("urg_flag_mask") ); m_dialog->ack_m->setChecked( s->getBool("ack_flag_mask") ); m_dialog->psh_m->setChecked( s->getBool("psh_flag_mask") ); m_dialog->rst_m->setChecked( s->getBool("rst_flag_mask") ); m_dialog->syn_m->setChecked( s->getBool("syn_flag_mask") ); m_dialog->fin_m->setChecked( s->getBool("fin_flag_mask") ); m_dialog->urg_s->setChecked( s->getBool("urg_flag") ); m_dialog->ack_s->setChecked( s->getBool("ack_flag") ); m_dialog->psh_s->setChecked( s->getBool("psh_flag") ); m_dialog->rst_s->setChecked( s->getBool("rst_flag") ); m_dialog->syn_s->setChecked( s->getBool("syn_flag") ); m_dialog->fin_s->setChecked( s->getBool("fin_flag") ); m_dialog->established->setChecked( s->getBool("established") ); 
m_dialog->commentKeywords->loadFWObject(o); toggleEstablished(); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->ss->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->ss); m_dialog->se->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->se); m_dialog->ds->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->ds); m_dialog->de->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->de); m_dialog->urg_m->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->urg_m); m_dialog->ack_m->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->ack_m); m_dialog->psh_m->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->psh_m); m_dialog->rst_m->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->rst_m); m_dialog->syn_m->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->syn_m); m_dialog->fin_m->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->fin_m); m_dialog->urg_s->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->urg_s); m_dialog->ack_s->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->ack_s); m_dialog->psh_s->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->psh_s); m_dialog->rst_s->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->rst_s); m_dialog->syn_s->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->syn_s); m_dialog->fin_s->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->fin_s); m_dialog->established->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->established); init=false; } void TCPServiceDialog::validate(bool *res) { *res = true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *res = false; return; } } void TCPServiceDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); string oldname = obj->getName(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); 
m_dialog->commentKeywords->applyChanges(new_state); // check port ranges (bug #1695481, range start must be <= range end) // See #981 Do this check in applyChanges() rather than validate so we // can update end of range input fields instead of signalling invalid // configuration. int sps = m_dialog->ss->value(); int spe = m_dialog->se->value(); int dps = m_dialog->ds->value(); int dpe = m_dialog->de->value(); if (sps > spe) m_dialog->se->setValue( m_dialog->ss->value() ); if (dps > dpe) m_dialog->de->setValue( m_dialog->ds->value() ); spe = m_dialog->se->value(); dpe = m_dialog->de->value(); TCPUDPService::cast(new_state)->setSrcRangeStart(m_dialog->ss->value()); TCPUDPService::cast(new_state)->setSrcRangeEnd(m_dialog->se->value()); TCPUDPService::cast(new_state)->setDstRangeStart(m_dialog->ds->value()); TCPUDPService::cast(new_state)->setDstRangeEnd(m_dialog->de->value()); new_state->setBool("urg_flag_mask", m_dialog->urg_m->isChecked() ); new_state->setBool("ack_flag_mask", m_dialog->ack_m->isChecked() ); new_state->setBool("psh_flag_mask", m_dialog->psh_m->isChecked() ); new_state->setBool("rst_flag_mask", m_dialog->rst_m->isChecked() ); new_state->setBool("syn_flag_mask", m_dialog->syn_m->isChecked() ); new_state->setBool("fin_flag_mask", m_dialog->fin_m->isChecked() ); new_state->setBool("urg_flag", m_dialog->urg_s->isChecked() ); new_state->setBool("ack_flag", m_dialog->ack_s->isChecked() ); new_state->setBool("psh_flag", m_dialog->psh_s->isChecked() ); new_state->setBool("rst_flag", m_dialog->rst_s->isChecked() ); new_state->setBool("syn_flag", m_dialog->syn_s->isChecked() ); new_state->setBool("fin_flag", m_dialog->fin_s->isChecked() ); new_state->setBool("established", m_dialog->established->isChecked()); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } void TCPServiceDialog::toggleEstablished() { bool using_established = m_dialog->established->isChecked(); 
m_dialog->urg_m->setEnabled( !using_established ); m_dialog->ack_m->setEnabled( !using_established ); m_dialog->psh_m->setEnabled( !using_established ); m_dialog->rst_m->setEnabled( !using_established ); m_dialog->syn_m->setEnabled( !using_established ); m_dialog->fin_m->setEnabled( !using_established ); m_dialog->urg_s->setEnabled( !using_established ); m_dialog->ack_s->setEnabled( !using_established ); m_dialog->psh_s->setEnabled( !using_established ); m_dialog->rst_s->setEnabled( !using_established ); m_dialog->syn_s->setEnabled( !using_established ); m_dialog->fin_s->setEnabled( !using_established ); m_dialog->flags_lbl_1->setEnabled( !using_established ); m_dialog->flags_lbl_2->setEnabled( !using_established ); m_dialog->flags_lbl_3->setEnabled( !using_established ); m_dialog->flags_lbl_u->setEnabled( !using_established ); m_dialog->flags_lbl_a->setEnabled( !using_established ); m_dialog->flags_lbl_p->setEnabled( !using_established ); m_dialog->flags_lbl_r->setEnabled( !using_established ); m_dialog->flags_lbl_s->setEnabled( !using_established ); m_dialog->flags_lbl_f->setEnabled( !using_established ); } fwbuilder-5.3.7/src/libgui/TCPServiceDialog.h000066400000000000000000000026771303637203600210320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __TCPSERVICEDIALOG_H_ #define __TCPSERVICEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class TCPServiceDialog : public BaseObjectDialog { Q_OBJECT; Ui::TCPServiceDialog_q *m_dialog; public: TCPServiceDialog(QWidget *parent); ~TCPServiceDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); virtual void toggleEstablished(); }; #endif // TCPSERVICEDIALOG_H fwbuilder-5.3.7/src/libgui/TagServiceDialog.cpp000066400000000000000000000062371303637203600214460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "TagServiceDialog.h" #include "ProjectPanel.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/TagService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; TagServiceDialog::~TagServiceDialog() { delete m_dialog; } TagServiceDialog::TagServiceDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::TagServiceDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } void TagServiceDialog::loadFWObject(FWObject *o) { obj=o; TagService *s = dynamic_cast(obj); assert(s!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); m_dialog->tagcode->setText( s->getCode().c_str() ); //apply->setEnabled( false ); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->tagcode->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->tagcode); init=false; } void TagServiceDialog::validate(bool *res) { *res=true; TagService *s = dynamic_cast(obj); assert(s!=NULL); if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; } } void TagServiceDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); TagService *s = dynamic_cast(new_state); assert(s!=NULL); string oldname = obj->getName(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); s->setCode( m_dialog->tagcode->text().toLatin1().constData() ); if 
(!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/TagServiceDialog.h000066400000000000000000000026011303637203600211020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __TAGSERVICEDIALOG_H_ #define __TAGSERVICEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class TagServiceDialog : public BaseObjectDialog { Q_OBJECT; Ui::TagServiceDialog_q *m_dialog; public: ~TagServiceDialog(); TagServiceDialog(QWidget *parent); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif fwbuilder-5.3.7/src/libgui/TextEditWidget.cpp000066400000000000000000000051271303637203600211650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "TextEditWidget.h" #include #include TextEditWidget::TextEditWidget(QWidget *parent) : QTextEdit(parent) { modified = false; showingDefault = false; connect(this, SIGNAL(undoAvailable(bool)), this, SLOT(dirty(bool))); } void TextEditWidget::dirty(bool f) { modified = f; // if undo is available, the widget has some changed text. } void TextEditWidget::focusInEvent(QFocusEvent * event) { hasFocus = true; QTextEdit::focusInEvent(event); if (showingDefault && !isReadOnly()) { clear(); showingDefault = false; } } void TextEditWidget::focusOutEvent(QFocusEvent * event) { hasFocus = false; QTextEdit::focusOutEvent(event); if (modified) emit textChanged(); // newTextAvailable(); if (toPlainText().isEmpty()) { showingDefault = true; setText(defaultText); } } void TextEditWidget::setTextDefault(const QString &text, const QString &theDefault) { /* Sometimes the text area gets left in italics mode. */ setFontItalic(false); defaultText = theDefault; if (text.isEmpty() && !hasFocus) { setText(theDefault); showingDefault = true; } else { /* We can get a setTextDefault call when the object is being reloaded, but after focus has been set on the text edit field. If it's the same text we're setting (which it should be), we skip setting it so that we don't lose the proper place where the user clicked. 
*/ if (!hasFocus || getText() != text) { setText(text); } showingDefault = false; } } QString TextEditWidget::getText() { if (!modified && showingDefault) return ""; return toPlainText(); } fwbuilder-5.3.7/src/libgui/TextEditWidget.h000066400000000000000000000026561303637203600206360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __TEXTEDITWIDGET_H__ #define __TEXTEDITWIDGET_H__ #include class QFocusEvent; class QKeyEvent; class TextEditWidget : public QTextEdit { Q_OBJECT; bool modified; bool showingDefault; bool hasFocus; QString defaultText; signals: void textChanged(); public slots: void dirty(bool); public: TextEditWidget(QWidget *parent); virtual void focusInEvent(QFocusEvent *event); virtual void focusOutEvent(QFocusEvent* event); void setTextDefault(const QString &text, const QString &theDefault); QString getText(); }; #endif fwbuilder-5.3.7/src/libgui/TextFileEditor.cpp000066400000000000000000000125261303637203600211630ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "TextFileEditor.h" #include "FWBSettings.h" #include #include #include #include #include #include #include #include using namespace std; TextFileEditor::TextFileEditor(QWidget *parent, const QString &file_name, const QString &title) : QDialog(parent) { this->file_name = file_name; m_dialog = new Ui::TextFileEditor_q; m_dialog->setupUi(static_cast(this)); if (!title.isEmpty()) setWindowTitle(title); } bool TextFileEditor::load() { QFile rf(file_name); if ( ! rf.exists()) { if (QMessageBox::warning( this, "Firewall Builder", tr("The file %1 does not exist but it will be created " "when you save your changes.").arg(file_name), tr("&Open the file"), tr("&Cancel"), QString::null, 0, 1 ) == 1) return false; return true; } QFileInfo fi(file_name); if ( ! 
fi.isWritable()) { switch ( QMessageBox::critical( this, "Firewall Builder", tr("The file is read-only, you can't save the changes."), tr("&View the file"), tr("&Cancel"), QString::null, 0, 1 )) { case 0: // open read-only m_dialog->editor->setReadOnly(true); m_dialog->ok_button->hide(); m_dialog->cancel_button->setText(tr("Close")); break; default: // cancel return false; } } if (rf.open(QIODevice::ReadOnly)) { original_data = rf.readAll(); m_dialog->editor->setPlainText(original_data); rf.close(); } else { m_dialog->editor->setPlainText(rf.errorString()); } return true; } TextFileEditor::~TextFileEditor() { delete m_dialog; } void TextFileEditor::save() { QFile owf(file_name); if ( ! owf.exists()) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (owf.open(QIODevice::WriteOnly) && owf.write(m_dialog->editor->toPlainText().toAscii().constData()) >= 0) #else if (owf.open(QIODevice::WriteOnly) && owf.write(m_dialog->editor->toPlainText().toLatin1().constData()) >= 0) #endif { owf.close(); QDialog::accept(); return; } else QMessageBox::critical( this,"Firewall Builder", tr("Error saving data to file '%1': %2") .arg(file_name).arg(owf.errorString()), "&Continue", QString::null, QString::null, 0, 1 ); return; } QString tmp_file_name = file_name + ".tmp"; QFile wf(tmp_file_name); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if (wf.open(QIODevice::WriteOnly) && wf.write(m_dialog->editor->toPlainText().toAscii().constData()) >= 0) #else if (wf.open(QIODevice::WriteOnly) && wf.write(m_dialog->editor->toPlainText().toLatin1().constData()) >= 0) #endif { wf.close(); QFile old_file(file_name); if (old_file.remove() && wf.rename(tmp_file_name, file_name)) { QDialog::accept(); return; } else QMessageBox::critical( this,"Firewall Builder", tr("Can not rename file %1 to %2: %3") .arg(tmp_file_name).arg(file_name).arg(wf.errorString()), "&Continue", QString::null, QString::null, 0, 1 ); } else QMessageBox::critical( this,"Firewall Builder", tr("Error saving data to a temporary file 
'%1': %2") .arg(tmp_file_name).arg(wf.errorString()), "&Continue", QString::null, QString::null, 0, 1 ); } void TextFileEditor::closeEvent(QCloseEvent* ev) { if (m_dialog->editor->toPlainText() != original_data) { switch ( QMessageBox::critical( this, "Firewall Builder", tr("Dialog contains modified data. Do you want to save it?"), tr("&Save"), tr("&Discard"), tr("&Cancel"), 0, // enter: button 0 2 )) // escape: button 2 { case 0: save(); QDialog::closeEvent(ev); break; case 1: QDialog::closeEvent(ev); break; case 2: ev->ignore(); return; } } QDialog::closeEvent(ev); } fwbuilder-5.3.7/src/libgui/TextFileEditor.h000066400000000000000000000026611303637203600206270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
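 To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

// The include guard used to be __ADDRESSTABLEEDITOR_H__, a copy-paste
// leftover that names a different header; a guard shared with another
// file silently drops whichever of the two is included second.
#ifndef __TEXTFILEEDITOR_H__
#define __TEXTFILEEDITOR_H__

#include "config.h"
// (header name lost in extraction; the Qt dialog / ui header goes here)
#include

/*
 * Modal editor for a plain text file (used for files that Firewall Builder
 * generates or references on disk).
 *
 * load() reads the file into the editor and remembers the bytes read so
 * closeEvent() can tell whether the text was modified; save() writes the
 * editor contents back to the same path.
 */
class TextFileEditor : public QDialog
{
    Q_OBJECT;

    QString file_name;      // path being edited, fixed at construction
    QString original_data;  // bytes read by load(); baseline for the "modified?" check

public:
    Ui::TextFileEditor_q *m_dialog;

    TextFileEditor(QWidget *parent,
                   const QString &file_name,
                   const QString &title="");
    ~TextFileEditor();

    // load data, return true if successful
    bool load();

protected:
    // asks to Save / Discard / Cancel when the text differs from original_data
    virtual void closeEvent(QCloseEvent *ev);

public slots:
    // writes the editor contents to file_name; accept()s the dialog on success
    virtual void save();
};

#endif
fwbuilder-5.3.7/src/libgui/TimeDialog.cpp000066400000000000000000000216571303637203600203070ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.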
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBTree.h" #include "TimeDialog.h" #include "ProjectPanel.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/Interval.h" #include #include #include #include #include #include #include #include #include #include #include #include #include "FWBSettings.h" using namespace libfwbuilder; using namespace std; TimeDialog::TimeDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::TimeDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } TimeDialog::~TimeDialog() { delete m_dialog; } void TimeDialog::loadFWObject(FWObject *o) { obj=o; Interval *s = dynamic_cast(obj); assert(s!=NULL); init = true; // See #893 No need to show object attributes if the object is "Any" if (obj->getId() == FWObjectDatabase::ANY_INTERVAL_ID) { m_dialog->object_attributes_1->hide(); m_dialog->object_attributes_2->hide(); m_dialog->commentKeywords->setReadOnlyComment( QObject::tr( "When used in the Time Interval field of a rule, " "the Any object will match any time of the day or day " "of the week. 
To update your rule to " "match only specific " "service, drag-and-drop an object from " "the Object tree into the field in the rule.")); } else { m_dialog->cbStart1_2->setCheckState(Qt::Unchecked); m_dialog->cbStart2_2->setCheckState(Qt::Unchecked); m_dialog->cbStart3_2->setCheckState(Qt::Unchecked); m_dialog->cbStart4_2->setCheckState(Qt::Unchecked); m_dialog->cbStart5_2->setCheckState(Qt::Unchecked); m_dialog->cbStart6_2->setCheckState(Qt::Unchecked); m_dialog->cbStart7_2->setCheckState(Qt::Unchecked); m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->commentKeywords->loadFWObject(o); int fromH = obj->getInt("from_hour"); int fromM = obj->getInt("from_minute"); if (fromH<0) fromH=0; if (fromM<0) fromM=0; m_dialog->startTime->setTime( QTime( fromH, fromM ) ); int y=obj->getInt("from_year"); int m=obj->getInt("from_month"); int d=obj->getInt("from_day"); bool using_start_date = (y>0 && m>0 && d>0); m_dialog->startDate->setDate( (using_start_date)?QDate( y, m, d ):QDate() ); m_dialog->useStartDate->setChecked(using_start_date); // from_weekday is -1 for "All days" // m_dialog->startDOW->setCurrentIndex( obj->getInt("from_weekday") + 1 ); QString sFromWeekday = s->getDaysOfWeek().c_str(); if (sFromWeekday=="-1") sFromWeekday="0,1,2,3,4,5,6"; // Sunday is cbStart7 if (sFromWeekday.contains('0')) m_dialog->cbStart7_2->setCheckState(Qt::Checked); if (sFromWeekday.contains('1')) m_dialog->cbStart1_2->setCheckState(Qt::Checked); if (sFromWeekday.contains('2')) m_dialog->cbStart2_2->setCheckState(Qt::Checked); if (sFromWeekday.contains('3')) m_dialog->cbStart3_2->setCheckState(Qt::Checked); if (sFromWeekday.contains('4')) m_dialog->cbStart4_2->setCheckState(Qt::Checked); if (sFromWeekday.contains('5')) m_dialog->cbStart5_2->setCheckState(Qt::Checked); if (sFromWeekday.contains('6')) m_dialog->cbStart6_2->setCheckState(Qt::Checked); int toH = obj->getInt("to_hour"); int toM = obj->getInt("to_minute"); if (toH<0) toH=0; if (toM<0) toM=0; 
m_dialog->endTime->setTime( QTime( toH, toM ) ); y=obj->getInt("to_year"); m=obj->getInt("to_month"); d=obj->getInt("to_day"); bool using_end_date = (y>0 && m>0 && d>0); m_dialog->endDate->setDate( (using_end_date)?QDate( y, m, d ):QDate() ); m_dialog->useEndDate->setChecked(using_end_date); m_dialog->object_attributes_1->show(); m_dialog->object_attributes_2->show(); setDisabledPalette(m_dialog->obj_name); //setDisabledPalette(m_dialog->comment); setDisabledPalette(m_dialog->startTime); setDisabledPalette(m_dialog->useStartDate); setDisabledPalette(m_dialog->startDate); //setDisabledPalette(startDOW); setDisabledPalette(m_dialog->endTime); setDisabledPalette(m_dialog->useEndDate); setDisabledPalette(m_dialog->endDate); //setDisabledPalette(endDOW); enableAllWidgets(); //apply->setEnabled( false ); } init = false; } void TimeDialog::enableAllWidgets() { m_dialog->obj_name->setEnabled(!obj->isReadOnly()); m_dialog->startTime->setEnabled(!obj->isReadOnly()); m_dialog->useStartDate->setEnabled(!obj->isReadOnly()); m_dialog->startDate->setEnabled(!obj->isReadOnly() && m_dialog->useStartDate->isChecked()); m_dialog->endTime->setEnabled(!obj->isReadOnly()); m_dialog->useEndDate->setEnabled(!obj->isReadOnly()); m_dialog->endDate->setEnabled(!obj->isReadOnly() && m_dialog->useEndDate->isChecked()); } void TimeDialog::useStartOrEndDate() { enableAllWidgets(); changed(); } void TimeDialog::validate(bool *res) { *res=true; } void TimeDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); Interval *interval = dynamic_cast(new_state); assert(interval!=NULL); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); if (m_dialog->useStartDate->isChecked()) { new_state->setInt( "from_day" , m_dialog->startDate->date().day() ); new_state->setInt( "from_month" , m_dialog->startDate->date().month() ); new_state->setInt( "from_year" , 
m_dialog->startDate->date().year() ); } else { new_state->setInt( "from_day" , -1 ); new_state->setInt( "from_month" , -1 ); new_state->setInt( "from_year" , -1 ); } new_state->setInt( "from_minute" , m_dialog->startTime->time().minute()); new_state->setInt( "from_hour" , m_dialog->startTime->time().hour() ); if (m_dialog->useEndDate->isChecked()) { new_state->setInt( "to_day" , m_dialog->endDate->date().day() ); new_state->setInt( "to_month" , m_dialog->endDate->date().month() ); new_state->setInt( "to_year" , m_dialog->endDate->date().year() ); } else { new_state->setInt( "to_day" , -1 ); new_state->setInt( "to_month" , -1 ); new_state->setInt( "to_year" , -1 ); } new_state->setInt( "to_minute" , m_dialog->endTime->time().minute() ); new_state->setInt( "to_hour" , m_dialog->endTime->time().hour() ); QStringList weekDays ; if (m_dialog->cbStart7_2->checkState ()==Qt::Checked) weekDays.append("0"); if (m_dialog->cbStart1_2->checkState ()==Qt::Checked) weekDays.append("1"); if (m_dialog->cbStart2_2->checkState ()==Qt::Checked) weekDays.append("2"); if (m_dialog->cbStart3_2->checkState ()==Qt::Checked) weekDays.append("3"); if (m_dialog->cbStart4_2->checkState ()==Qt::Checked) weekDays.append("4"); if (m_dialog->cbStart5_2->checkState ()==Qt::Checked) weekDays.append("5"); if (m_dialog->cbStart6_2->checkState ()==Qt::Checked) weekDays.append("6"); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) interval->setDaysOfWeek(weekDays.join(",").toAscii().data()); #else interval->setDaysOfWeek(weekDays.join(",").toLatin1().data()); #endif if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/TimeDialog.h000066400000000000000000000026631303637203600177540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __TIMEDIALOG_H_ #define __TIMEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class TimeDialog : public BaseObjectDialog { Q_OBJECT; Ui::TimeDialog_q *m_dialog; void enableAllWidgets(); public: TimeDialog(QWidget *parent); ~TimeDialog(); public slots: virtual void applyChanges(); virtual void useStartOrEndDate(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // __TIMEDIALOG_H fwbuilder-5.3.7/src/libgui/Tutorial/000077500000000000000000000000001303637203600173615ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/000077500000000000000000000000001303637203600225505ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/000077500000000000000000000000001303637203600235145ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page0.html000066400000000000000000000021621303637203600253770ustar00rootroot00000000000000
Getting Started Page 0

This tutorial introduces you to the Firewall Builder program. It walks you through using the tool, from starting it to building and installing simple firewall configuration. This tutorial is also available online on our web site.

You can keep this tutorial open and move along from one step to the next while you perform the steps it describes.

Let's create our first firewall object. To do this, we'll use the object creation menu, accessed by clicking this icon above the object tree: . Choose New Firewall from the menu that appears and then click "Next".

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page1.html000066400000000000000000000026731303637203600254070ustar00rootroot00000000000000
Getting Started Page 1

The first page of the New Firewall wizard appears. In this page of the wizard we can enter the name for the new firewall object (here it is "guardian"), its platform ("iptables") and its host OS ("Linux 2.4/2.6").

The name of the new firewall object can be anything you want. However, if you want to use SNMP to populate the interface objects, or if you want to use DNS lookups to populate IP address objects, you must name the firewall object the same name as the actual firewall machine.

There are three ways a new firewall can be created: you can use a pre-configured template firewall object, create it from scratch, or use SNMP to create a firewall object with interfaces but an empty policy. This tutorial demonstrates the first method, using a template object.

We are going to use one of the standard templates distributed with Firewall Builder, so we'll leave the standard template library path and name in the Template file input field. Click Next to move on to the next page of the tutorial.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page10.html000066400000000000000000000014051303637203600254570ustar00rootroot00000000000000
Getting Started Page 10

The tree and editor panels in Firewall Builder 4.0 are detachable and can "float". You can rearrange them on the screen to keep them away when you do not need them but still within reach so you can quickly find objects and change their properties. Use main menu "View" to open and close panels; the tree panel can be opened and closed using keyboard shortcut Ctrl+T.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page11.html000066400000000000000000000006021303637203600254560ustar00rootroot00000000000000
Getting Started Page 11

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page12.html000066400000000000000000000007641303637203600254700ustar00rootroot00000000000000
Getting Started Page 12

You can right-click on the object in the tree to open a pop-up menu. Choose Edit to edit the object.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page13.html000066400000000000000000000024071303637203600254650ustar00rootroot00000000000000
Getting Started Page 13

Every object in Firewall Builder has basic attributes such as Name and Comment. Other attributes depend on the object type.

Attributes of the firewall object include Platform (can be iptables, pf, ipfilter, etc.), Version (platform-dependent) and Host OS. Buttons Host OS Settings and Firewall Settings open dialogs with many additional attributes that depend on the firewall platform and host OS. More on these later.

Object dialogs in Firewall Builder 4.0 do not have button "Apply". When you make changes in the editor, object attributes are updated immediately as soon as you click on another GUI element or hit Tab or Enter.

Tip

Firewall Builder 4.0 has full Undo/Redo functions of unlimited depth. You can monitor undo stack if you open it using main menu "View / Undo stack".

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page14.html000066400000000000000000000016261303637203600254700ustar00rootroot00000000000000
Getting Started Page 14

Drop-down list "Platforms" switches between supported firewall platforms "iptables", "ipfilter", "pf", "ipfw", "Cisco IOS ACL" and "Cisco ASA (PIX)". The choice of the host OS depends on chosen firewall platform. For example, for "iptables" the program offers "Linux 2.4/2.6", "OpenWRT", "Sveasoft" and "IPCOP". Host OS choices for the firewall platform "PF" are "OpenBSD" and "FreeBSD" and so on.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page15.html000066400000000000000000000014331303637203600254650ustar00rootroot00000000000000
Getting Started Page 15

Objects located below the Firewall object in the tree represent interfaces of the firewall. We refer to them as "children" of the firewall object. Screenshot below shows properties of interface eth0. To open it in the editor, double-click it in the tree.

IP and MAC addresses of interfaces are represented by child objects in the tree located below the corresponding interface.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page16.html000066400000000000000000000013571303637203600254730ustar00rootroot00000000000000
Getting Started Page 16

An interface object has several attributes that define its function, such as "Management interface", "external", and so on.

Detailed explanation of the attributes of the Interface object and other objects is available in the online version of the tutorial

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page17.html000066400000000000000000000016701303637203600254720ustar00rootroot00000000000000
Getting Started Page 17

Screenshot below shows IP address of interface eth0. The address and netmask are attributes of the child object of the type "IPv4 address". Here the address is "192.0.2.1" and netmask "255.255.255.0". (Netmask can also be specified using slash notation, such as 24, without the actual slash.) Button DNS Lookup can be used to determine IP address using DNS. The program runs DNS query for the "A" record for the name of the parent firewall object. (This only works if the firewall object has the same name as the actual firewall machine.)

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page18.html000066400000000000000000000012011303637203600254610ustar00rootroot00000000000000
Getting Started Page 18

Let's inspect the properties of the firewall object. Double-click on the firewall "guardian" in the tree to open it in the editor panel, then click the Firewall Settings button in the editor. This opens a new dialog that looks like this:

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page19.html000066400000000000000000000013501303637203600254670ustar00rootroot00000000000000
Getting Started Page 19

The next few pages show other tabs of the advanced settings dialog. You can find detailed explanations of all parameters in the online help and Firewall Builder Users Guide.

This page defines various parameters for the built-in policy installer. The installer uses an SSH client (pscp.exe and plink.exe on Windows) to transfer the generated script to the firewall machine and activate it there.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page2.html000066400000000000000000000024061303637203600254020ustar00rootroot00000000000000
Getting Started Page 2

This page of the wizard shows template objects and their configuration. Standard template objects represent firewalls with two or three interfaces, a host with one interface, a web server or a Cisco router. We'll choose "fw template 3", a firewall with three interfaces, for this example. Click Next to create a new firewall object using the chosen template.

Note that the template firewall object comes completely configured, including addresses and netmasks for its interfaces and some basic policy and NAT rules. This configuration is intended as a starting point only. You should reconfigure addresses of interfaces to match those used on your network. We'll see how this is done later on.

Clicking "Next" brings us to the next page of the wizard where we can change configuration of the interfaces of the template firewall.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page20.html000066400000000000000000000011561303637203600254630ustar00rootroot00000000000000
Getting Started Page 20

You can define shell commands that will be included in the generated script at the beginning and at the end of it. These commands can do anything you want, such as configure some subsystems, set up routing, and so on.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page21.html000066400000000000000000000007151303637203600254640ustar00rootroot00000000000000
Getting Started Page 21

This tab provides controls for various parameters for logging.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page22.html000066400000000000000000000013631303637203600254650ustar00rootroot00000000000000
Getting Started Page 22

Screenshot below shows options for the script generation. Notice that Firewall Builder can produce the iptables script in two formats: 1) as a shell script that calls the iptables utility to add each rule one by one, or 2) it can use iptables-restore script to activate the whole policy at once. Other parameters are explained in the online help.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page23.html000066400000000000000000000012001303637203600254540ustar00rootroot00000000000000
Getting Started Page 23

Starting with v3.0, Firewall Builder can generate both IPv4 and IPv6 policies. This tab controls the order in which they are added to the script if you have defined rules for both address families in the Policy objects of the firewall.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page24.html000066400000000000000000000031001303637203600254560ustar00rootroot00000000000000
Getting Started Page 24

Let's take a look at the policy of the template firewall shown below. These rules are intended as an example, a starting point to help you create your own policy. Most likely you will want to modify the rules to suit your requirements. The explanations of the rules given here are brief because the goal of Getting Started is only to demonstrate how to use Firewall Builder.

  • Rule 0: This is an anti-spoofing rule. It blocks incoming packets on the external interface that have source addresses that belong to the firewall or your internal or DMZ networks. The rule is associated with outside interface and has Direction set to "Inbound".
  • Rule 1: This rule permits any packets on the loopback interface. This is necessary because many services on the firewall machine communicate back to the same machine via loopback.
  • Rule 2: Permit ssh access from internal network to the firewall machine. Notice service object "ssh" in the column Service. (This object can be found in the Standard objects library in the Services/TCP folder.)

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page25.html000066400000000000000000000016541303637203600254730ustar00rootroot00000000000000
Getting Started Page 25

Firewall Builder 4.0 allows you to compile a single policy or NAT rule and see the generated firewall configuration right there in the GUI. To do this, select any object in the rule you want to process, or highlight its leftmost element where the rule number is shown, then click the right mouse button to open the context menu. Click "Compile rule" (keyboard shortcut "X") to see the result in the panel at the bottom of the main window. This is a great way to experiment with rules and see what is generated in response to your changes.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page26.html000066400000000000000000000007411303637203600254700ustar00rootroot00000000000000
Getting Started Page 26

Generated iptables script appears in the panel at the bottom of the main window:

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page27.html000066400000000000000000000034131303637203600254700ustar00rootroot00000000000000
Getting Started Page 27

Access policy rules belong to the object "Policy", which is a child object of the firewall and can be found in the tree below it. As with any other object in Firewall Builder, the Policy object has some attributes that you can edit if you double-click on it in the tree.

  • Policy can be IPv4, IPv6, or combined IPv4 and IPv6. In the last case you can use a mix of IPv4 and IPv6 address objects in the same policy (in different rules), and Firewall Builder will automatically figure out which one is which and sort them out.
  • Policy can translate into only the mangle table (used for modifying packets) or a combination of the filter table (used for allowing/blocking packets) and the mangle table. In the latter case, the policy compiler decides which table to use based on the rule action and service object. Some actions, such as "Tag" (which translates into iptables target MARK), go into mangle table.
  • The "Top rule set" is the one the compiler will use to populate iptables built-in chains INPUT/OUTPUT/FORWARD. (If you have only one rule set, then mark it as the top rule set.) If a policy is not marked as "top rule set", generated rules will go into a user-defined chain with the same name as the policy object.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page28.html000066400000000000000000000022111303637203600254640ustar00rootroot00000000000000
Getting Started Page 28

Here are the pre-configured NAT rules:

  • Rule 0: Tells the firewall that no address translation should be done for packets traveling from network 192.168.2.0 to 192.168.1.0 (because Translated Source, Translated Destination and Translated Service are left empty).
  • Rule 1: Packets coming into the firewall from internal and DMZ networks are translated so that their source address will change to that of the outside interface on the firewall.
  • Rule 2: Packets coming from the Internet to the interface "outside" will be translated and forwarded to the internal server on DMZ represented by the host object "server on dmz".

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page29.html000066400000000000000000000026411303637203600254740ustar00rootroot00000000000000
Getting Started Page 29

Now we can compile the policy of the firewall "guardian" and generate the iptables script. To do so, use the toolbar button located right above the panel that shows policy and NAT rules. This button compiles the rules of the firewall that is currently open; the compiler processes Policy, NAT and Routing rules even though the panel shows only one kind of rule at a time. Another button with the same icon, located in the main toolbar under the main menu bar, compiles all firewall objects defined in the object tree. Of course there is no difference if you only have one firewall object.

A new dialog appears that allows you to choose which firewalls you want to compile. The program keeps track of the changes and automatically selects firewalls that require recompile because some object they depend on has changed recently. Obviously this is only useful if you have several firewalls in the object tree. Since the checkbox next to the "guardian" firewall is already checked, click Next to proceed.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page3.html000066400000000000000000000021271303637203600254030ustar00rootroot00000000000000
Getting Started Page 3

Clicking "Next" brings us to the next page of the wizard, where we can change the configuration of the interfaces of the template firewall. The template object is preconfigured with generic IP addresses that most likely do not match the addressing scheme you use on your network. This page of the wizard allows you to change the addresses to match your setup.

Here each tab represents an interface of the firewall (eth0, eth1, eth2 and lo). You can change interface name, label, its type and edit, add or remove IP addresses. You can manage both IPv4 and IPv6 addresses on this page of the wizard.

After you adjust IP addresses of all interfaces, click Finish button to create firewall object.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page30.html000066400000000000000000000007731303637203600254700ustar00rootroot00000000000000
Getting Started Page 30

Firewall Builder calls the appropriate policy compiler. The dialog displays compiler progress and results.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page31.html000066400000000000000000000021741303637203600254660ustar00rootroot00000000000000
Getting Started Page 31

Tip

If the compiler finds problems with the configuration and issues any warning or error messages, the program highlights them using different colors (blue for warnings and red for errors). Click on a warning or error message and the GUI will switch to the firewall object, open the corresponding rule set and highlight the rule that caused the message.

The compiler generates an iptables script in a ".fw" file with the same name as the firewall object (guardian.fw). The file is placed in the same directory as the .fwb data file. The generated iptables script supports the standard startup script parameters "start", "stop", "status" and "reload" and can be used in place of the standard system firewall script in the /etc/init.d/ directory.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page32.html000066400000000000000000000036061303637203600254700ustar00rootroot00000000000000
Getting Started Page 32

Firewall Builder can also transfer the generated script to the firewall and activate it there. It uses ssh to do this (PuTTY on Windows). To use the installer, click the "Install" toolbar button located above the firewall policy panel or in the main toolbar. Firewall Builder will compile the policy (if it is not compiled already) and then open a dialog where you can configure the parameters of the installer. Here you need to enter a password to authenticate to the firewall. Section 8.7 of the Users Guide has detailed instructions for setting up and using the installer.

Firewall Builder 4.0 can cache the password you entered so you don't have to enter it again and again if you need to reinstall the firewall policy several times. Firewall Builder never writes the password to disk; it is only held in the memory of the running fwbuilder process and discarded when you quit the program, so you will need to enter it again the next time you start it. (As with any in-memory secret, anything that can read the process's memory — a debugger, a core dump, or swapped-out pages — could still expose it.) This feature really helps speed up policy updates if you need to do several in a row. To activate it, turn it on in the "Installer" tab of the global preferences dialog (menu Edit / Preferences) and then turn on the "Remember passwords" checkbox in the installer dialog. Passwords are kept in a dictionary indexed by the firewall name and the user name configured in the "Installer" tab of the firewall object dialog, which means you can have different passwords for different firewall objects.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page4.html000066400000000000000000000015721303637203600254070ustar00rootroot00000000000000
Getting Started Page 4

The newly created firewall object is shown below. Its name is "guardian", and it appears in the object tree on the left-hand side of the main window in the folder "Firewalls". Double-clicking the object in the tree opens it in the editor panel at the bottom of the main window. The editor for the firewall object allows you to change its name, platform and host OS, and also provides buttons that open dialogs for "advanced" settings for the firewall platform and host OS.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page5.html000066400000000000000000000007651303637203600254130ustar00rootroot00000000000000
Getting Started Page 5

Now would be a good time to save the data to a disk file. To do so use main menu File/Save As.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page6.html000066400000000000000000000012421303637203600254030ustar00rootroot00000000000000
Getting Started Page 6

Firewall Builder uses file extension ".fwb" for the data files. Pick location and name for the new data file, then click Save.

Note that once the firewall data is saved to a file, its name appears in the main window title. Here it is "test.fwb"

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page7.html000066400000000000000000000016011303637203600254030ustar00rootroot00000000000000
Getting Started Page 7

Let's take a little tour of the network and service objects that come standard with the program. You can use these pre-configured objects to build access Policy, NAT, and Routing rules for your firewall.

Objects in the tree are organized in libraries. You can switch between libraries using the drop-down menu above the tree. Firewall Builder comes with a collection of address, service and time interval objects in the library called "Standard". Let's take a look at them.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page8.html000066400000000000000000000012311303637203600254030ustar00rootroot00000000000000
Getting Started Page 8

Folder Objects/Hosts contains a few host objects used in standard firewall templates. Folder Objects/Network contains network objects that represent various standard address ranges and blocks, such as multicast, net 127/8, networks defined in RFC1918 and so on.

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/html/page9.html000066400000000000000000000012541303637203600254110ustar00rootroot00000000000000
Getting Started Page 9

Firewall Builder also comes with an extensive collection of service objects. The following screenshots show some TCP and UDP objects (not all of them fit in the screenshot).

fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/000077500000000000000000000000001303637203600240155ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/0.png000066400000000000000000001017231303637203600246660ustar00rootroot00000000000000PNG  IHDR@iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx |E>\Ư;$̈́˙`7d#&\* , (*A.^&"KDLBALTw}&3@5 uy뭧~ǿvaN MPg0UjE0#oPmG2`D["~)*JPApWO4NU*İ!>Bӓ؈"D;Jᐘ+ƩʵFtRޕ5 [CiVG$2™l@;D2|jTb0>l;v]%1 vpck-`*1$D1D[u[3NDMH$k4C!4]{[אلz" Bc F4`0\5V9v{7M3|ԵI;oKVDe?dkb%<, MJ&O=o!!d+kxN dԤ"=o| 1^uU.}$ T/ /5-Jȩj߆Ha t1sX}xHY|RRQ 2=!JRƧ_WNX]:,׮ %š򪚀_-Mvi$.|q' !ksuUx&k;գ@ }VYHC:x u=!|4)AEDU}ԹZ',?Kr]xzmYasQm:ze1r]Yc&V⛽--*mq@~K=cl TCkWcO[~+Jcdl8 -jV9T>.Ӕ9R4Zf6f jL5*|\r l?PǨ5&uԗ o|資ᑵ[Dyv4G]2 h~ ܵVءO3<uZ=$K-|wV<[ ;o6פ:Yw&ˑJ sP8v _~`+N|^05mгؘ3< h䟚\ɧ;ib'1觏F)P9IIA߅-g-iIx G uS B;sDZz=P׈VhpݙʗMfB_%zdN؆^_r#3R_8eRJ}x;vN.hU".Z[^:5RRRxLCfy+ŐuBg x˅kpUNcől*(/8V)fnhy9Iyu>sd*,傳h{]iw3Iq;9ԁOݢ]#^<`B5-+w?-ǎbڇk%wsPʽg;G|:;xKT혪?bJ25P#.uZ_]֭4ӺfOݤD"]<k2d>4\xuXVO&<)ꤎ|tm A~^ĊA<SJzi]5v:Rzr\1wX{)&[? uifzM{%t8E>n\]jO$-EWo=tE}):"u `T-f~qD!s]`\g=Hin %o-SY9IWm.\˥TI)ahQ50NËNNPE e G*}a^oStn#2hУ"UQeFY|Ilҡ9nj=7Xz-GLq ǝFTQAH,xIg0(':QR©JphK*|hG4&X*uI;ʽy,@@xX(\phyydSKhNRWK)LΆe-Huma-T,u,O6 O}vCFP/%S_ﴉcWo׻ܕfWyB\(Oyc;w$΍A^XݨCN#XU=T-Œ1\=oj_bFd6::%t1+c{# ˩KE"%pΘ}G{>kuGxܙ6Ly5_}Cn )j.24BJY@[z%3E0QK6,?.jU d߱ ! !g2]cw3`,I pUGAj޻wOj4v/y0Vf!A}{zyyyϿkƷa2#TP@ws*j\P9< I:+ R4 orإ ;Um$Db y3,m9j /^>̬et8Z$U gVB7myg*c`3_{fI~;"[w 0y Nl0{FnNXkGlڠfl$.գy.u S­%X5*fϝ2'iHt9K#SsaȨ s/OV! 
?XY 50vJJ)9A  h,Oyds^nrʇޓS 9oN%C %:n['_hvH *ϖ77m?œUwu_߻~!WKL WغYCK6 ˟}BkH 0pԙqH%H1PGWOxWFLKRW k˖ͿK +Zo-yyws7_w߫^sU￷?l1SYxjucǎeef/¸1*ʾCR8MW᱿>%Gz=*{E7SoNͩ-야-f5Aieepax1H*?l`%]0޽hgz7RE}oK *wܴiȦ-su}[{>D.]=9_pz|4!i]^h~.B;ːam}gӫD70_ZG^/_$QۿW ɾ+ZI'2fLNާ!wuĻxTbqÓ2}հ^ܣaCSDʇkטNW0xssz {y!fTL Kf<5Ϝ3nbT4eXiiRKK sE֥ LY%e?ܳo'^~c{G_ ~O-/vTZyi%^xTIj\|*_ 81 ;~EySosnxu^uߒ3W 5Hk&{&M,ڒl6tXJ%E7U IꋥBШ0{S۵SڂǛS[+[% x wyaO٫ޛ{ ` z{i1B "Ac/uw:yr|T^r?xw cJ6T7(GͥH Oq-V=vYCe[-w\{S<*wƊ|'.=kT{W\C/ 08Ν;`JE>ꋥ=*{χJHvԥczssz {6¬JIIIJJV\jxXvĕO=.n9iwRnjkhCyq]:[*|~cηUU}gRxx{k]u׮zcGѣFz=936~\~ts=Fԛ8n㫟xĦXa-b*ޔ׽[1oN]ͩ-야ߒ4]{͇ȝ6}3ʃ,>lxh]߲w/GńC2%Ϟ1grtu7掙/ܩszk]VZ::qGTgzg= t4t3ᕏ<5j$~TƑyh;̞Rܛzg{uSn rc>awز>?yְ̙xSoEKVzBr`sb:u+NeQ╊¢ ngbJ! o77uV۵S}ssz mV+VR}oV˦lM|Yl_]X+1cF bO 7 oҐٛ\nHÐFdpm2S!e\μ$jmvcɞuJ.'bBUlx|)j"PC9!Pq2CWlxfF1Q_I#6R/%^[oQĻZNpu"95Bթw^~g:o,=W2t1aln٨5TYW_03"ɐVk@U份%pA~GQnhCr ǃϫBc0 >/% @{FW{:L7C+B #|un WFJ:-`0&H3% h"/6k 2 @`>2EWde !jUDos Fؚcu1Z _%ݍlZYE @Fa ʘ`|Z,+wû1l/S SԤĄZqD0rwnvX,'Aue9 5[a^;@MX6@ 4⽔os=+ =Ga.0kuZJ>X,%0IL8T;9djyIۈ8j={N皤XXX9so":._/mP'W9M e6m) ֫GYÌX|!>$=0K[ TåS_+ xK*N|BlBlEazl}q-:w,h:E3ow76*DÕ[v4b$|j|h-!lc:d!?fO wquAVQjnX@"H {%JI'23$=uy4𣤼 52-z ZyjQut#c4*?<xu DfIu9(wrXWjGi(]c^`.SwmPJx|2hݳK2XTvsoa _"e39GEl*j,?uiIȞ{ptwe ΣGcӠV![跽r+v:,1Tw>UKZ3ȋDD^[)s}*5F{QP $jF}tjB2oZkܜqa}hxc#`P*q:bČR$OSe.2}2+N/'?)mHpj$G|-UjS(srF6!О<[/ B b7] tD #%zO5 {ڑ ࠞvPVdZ1 #z<咓^Dsd=. cz(i 3Lπ#XZ*Jͮ f0/wu +Ċ%rPBs?) IDATJhH!>|WD刑Nb.]O-1sڏam`{ @jg,呄%VF*,S,"7j$HCԺ4I`b pZ-|Q‘'W¸*v+ '(sI<Z#jH?E $02@dX-B%d܀tdRӪU{yr1^K;M$VKZW˅42 ~08Ej{?#]u`bJ^5p/}"{lw`f!H[ٻ$`.饆p$wHs0\:j5>Կ } Jxd Z4uANd@ ` FMHԗ$uxEt8S !7tB铒D ݍ%0qrQR1 tu8]ʍ\t]}':t#anW ]tώoO:Ez3ہE^h#||]2=]0[Бk&`D^O&u:P.x p^&MїHe @:GCiM8rAtzBaޓ_vON)Fˡu:IJK:8L-jf7v$fi`F[C_BgHL_cjN. 
:p&ԡO,k 1̅defI8!.ۃ+8Xn@`!/E#fj;1 ϘIdvK0aҙ`|C{#_tbܠ:t[,+뀲|3vJ ȆTcͺ6%ׅI))zCE'NKi> :Rvި6KH3tQGHNxGZD*5Zǟ; }PCTRCRH35|'~JjmOjc^]|ٙstAA|gz#/"ZUh,|̥"v6QtC%uHtqXg/qL"a eݥ2g.@ EHu9^J of񲲒B3GHrqhNlGu%$iuk2*~S~2'+Cc:a9qZ3)#) BomXW7v 4s aWkH&>=o'ԧ)SwpM`Eh#FLc cnxOKzE ş ')LZ最[eN ,lIAKvlRi@V!^+LI*},>q ma%_sWvHqD0Z/pϽEZ;bb6 7-V=i-|=^CZ0Weĉ_iaH}OI'fH}^SÃڂ3ZA'N5j9b-]]ՊC""r)RpNq[5QS݌5J&J=vxd||AG >,|LDaca Oa8Y ;Ekat_,!"Fݔ I̦d3.N9s-e.q Yi>0OF *4f-[ZA+uh(/ob /Rb*O?) 7e~vyNO);_%s jCuDRM;ʁq".T`!<^N^LϞ.2Z\ ̬m/ø^ܫb),L͊H/}ESy\ȑ-ܑXJ 'q{`',Cf?Iل< Y8J-Xm J[kT+ 1€/ s-6/9v®6f.Y!.Z\TWLlT11,r'@vMw3/_ %GɹR:.9̥7"T&!_䅜A66p(R@d|1~hd0Kڨ\ni\7QK:.@AD?ec0F%Wߢc[3$D)ܴ֯jE  h`0`0"m,*- `0&HmkeX C PKר $`0jCY @0 ;V!hCy!jC t|^`%  Pz 2}Pzr_ۤ+4X)@dIdGM* BktM2l.0WU)2}vɫM* DUyyyE^rbt(JP/9([aZHz7FGwkC$L Y.Wܾ݁cWxL# mJY{ lV+Ec~V悥fs;nby1d4 !եS5,JV%VH 4(y7e,sXh(%~jUOP'ɥuvUަ@ %7`1"Cc0(1 #% VIq(PulgQQc :݇_l:40c`*Jb.JR@KRAt@C֟ymU~$uvGf|ρ$a h*l.b 14!6(,VUO=T0;>Oj$7zg[D%m1q3N6]oF^?Rp״XiC?VqͿAgD-5PzWLb1$ [TfߢIMNNyX#ng7[qn>c:`10{r)I77\ =IGPZwq|[RmSy5Y$Gf[06zj,!-k1>v4vllw5cGm-u!:;OI6/+^D^KƘ:5'TB DFDfyE^&!NL}MK ʚ)1!5yrHr'4ѽ:UO4b.4rY!:P?v`ɞ7 uK(͞L*5>JK5C[wy\6 Q.,r<ּ+`p9ʾźs$uD"c2ۨWEXVC="|~ YSgcsz/s-Dt/I ;"6j# էt̷ڢȎ<뒙dlb/{בJ jvCWe-FqBO_S'"bYWcQ(s &X< ͺOΏ1pDipQq 3*5U\x6F^cr2:]&>FҬ^j-x6> (>x"c^וhu;$Zkx+j @hGSY07;}"өgS3W5" .|ࣸ~(j3'4D^nkHVAё-V`\`i!imذȞО6:4ZlAPKq'_8Y6>vNQC-fᙼd4qr$d2;wϼۘ=mPǛ߃Sz\%=HELh#HzN:~$4䙼`s1j)%"WےD;gF/:ɒ5ܛ%R %st~pn±#\3yLC!Zq&u'&_.`zo#zU%" /`D b# G`^^uaIJ.km?wwNulrkG~@k P%oٔa mRR{00?cC N1[kҴܝ[ЈV^UM* 튅%C++(S:;[ŖZ^`g1M*F^n*)5eNԕYHv(gehy ud@#ߎcșBRSF'݇r7x77pj]XASga֧G,s7JIp{A`tB!/t*7ߓ|7~2qt׽0P&Z>s?#A\\/^t!D}O}Cr J/m='Suzp?%g̺>_1Bŋ6PZ_fz(%:7L&q#sww(yIkGEӎ%aD"RSE* 5c]KNw` zq”C%/=(DyXf%}]4JR.'߯{;sh\4q(T֊sV^$cǧѣV>/i&cdْ'~"̳Ͼ镜J^[X| k׬]|bY`ަj}U׬nvP T_5^KHAO@oqqL%s-YE) 5s4DMް]dCĞds t L= x4$*&3\wڱF觗\])(kUKk钥8-q ,^y2;. 
y=hh{oDs)0mϋ Ub먎D1!J氹D WOce ;qv2ʲ籒?."6SuxЅ9+u4"߉|㽦^ڽ'hN$Q5{v+o[.z8tgN7IXcfh`5ӭ) u ]o$h0mr Ҁ7mL*Wr]$uRODRT'Zƒ~ Jg9y%rŽ |UED)kv¯$OX37#5hBTCA$o9ӼRĞ^F%d9"^Z$|b#} ]=ozSE"\ (X!vKtkuMb3ZM^Xhz6 6#uH/Ł>K;HuX%XmŞqμzDJ(r\hn` MR3<`m3WvޕV@gS"*o_{L&JsO=Դۦߕq cw#9?{'oG oV‚Wȑ#;J:# 'ӱZa1'Rc8Q7! #~V+.)$ b(>$fzL;W )}4RGeSK #3p~ $*WOw1b;"E/yVts>>3f54Ư)1~9|G-MY"Y7`N IDATE%@G ,#"yIAA<jFKO ix6I|#gۼg$]C?ՉΤ=|ȼ3Siz3!х,; N0@RUXNzj ^z06Qxp&ᄳG޲ֽz:PZ$ 3tk#|hyA>sIÄ.+ឆC3Hѧm{qBtD\Ғx-KAvPnvzzTt.:$`\Dj(Y Sl[ܒu?C lс@n ,/":$y.6. 3=bɌmSL(pxkF3 ;iY-YX? Yyt/\`.|o٦OyF^ia|{!sM=-(^;L9?%<v@K ?YjeEt=Ie8o)L'`tazi eH.[~P%6Gi֮Y-))D@\.3Z¡YC?o;g[aR_۶owT3oy8p}sϺgw׼W>RbX!"Y Wݙf?b)Kj~}z&_qךC]ج .eO">}ho(>J6)NOOo*p@`rD˧|Q 9s/T{)=4z] I;z(p_W]El nrJ)TBF0dY9:w{i-5ּf֜Y`[E @n"_ЩW dy‹WB5`+Z=J&,&:lq=E[qjӫ^ (E/`[JmDCׂO?bWV\ٳgQ>?OyЁnӑy]fTTԺ@&O).ХWW57w3YYk \wSUo7gf-{|%e ȀɇOH%E88-N5d[ggߕ4 W?Z6u'WRq᳗2aF܊ѣn]Ī2RY 83nǂ8ȑw̾cϛX vvK_/q?#3 edf I +R /^lI[L۶~S\>ub[oS٦1$:6HyU 7gaaM㤪sU Θ3#=# 6\NHC//;n}s6ˆQJ:Ce#cu6Ol8{b/<*yH2@J9cԩ ǹyCƆohBlͤp#ͮ6d]vmXFۅ޽hn[| )~k@˪WǘyFܺ|΍9 ojOu rIM.$dBC%RpڊO@47A`澏|4lȰ{{.M=o$h0&>AUt蟇^˃*2 _aNqbTeFkJr m;vqp6@^e-XWߩO>MXǎػwoɊdGR&sx:,fl|!3K1$Pp&rQӛ~yCI84ۓ.xYVڣ4p־- Ll_neryHtŹKyBA]==<&H<WGi2Z{?9g5{??9MҲzXi?tT ˟vĕO=ޥ oGWxE.rOJ5NQuү6=Eܛ֬ˣ,RgΙtGri+0FU /ZD^g̙;U`Nf,c﫯c=j;B;Kf@AC@.}ƪ(O%gc DJ^/%F dRTsA_Ɇ CNaWbOQ ߙbZE-ol|PRBmP)e@`$xuY9 J.sU >*J2uu"t[t_~=\j ܜmHim(EX~h{ױ*Х3C^E؈Oc}C%e֜=K\c)Ӛ *|̖ټ!TtƧWe sR[+.~GZIV C xڞ`gAm`v@ 9/3yBR4I92۶Oִ#=ce Ny0ݲGɜx[b`{rmKvP}u]|SS&Ua=Y#|tU891U5@G2).r[Ƣ764u7Vp6pH|yWg8/EL UxBElH܁σf<Í׽qjb>ٵO_y.zxYp{a+^¦Iu18Ymb fV>E;}^xm_ ?Bn@uD2w(., \*\nK^dO^l{溮jZSfHp“ @|^ H!r&0†|^a v%Y*$q-<]&K o JbƎ{/Ay]2s5C HqÈA.[BX<666%)y"hcnȫjh] P՚{"[[\m$"'/*luZZemPT% Xꈭb:@Vh R2a)_}v@Fe-XܪTo w:}W6IZwpo,&ªX+yXB;ڃӁ.,Ύ!5s.M 'Wy'Sҩq;":XP+%>ɥk,{(R[$a2srHx!+t(!_\>et ?~iD.׃Llu:,݅C+neµ ;X^ lRnX.Ll/|'yS;f\AS>[A,:"H5hѤLlf!B u DzlbYYSN- X aTL-  `yHuMumk>Ϙ`cݷosx.vN`Z/uGX}/v()<;wC3C-{Ov&!_byٛG;|FJy{ N}߰:1eJ G{{'௵Ҍ b!r Jm+\uVHl\n җ=!鐷Rѐ9<b"akf]3aVn>KcJ9-:T4u-Fw^WɃHw;9QfBN_by+96q?x~m 6 s6񝽼X{y^C+a%} ϚfQNVp9ࢹ|ݿ2O(M5k!gCKJ( 5eF+ko} 
ɲOGdUmo٘5a:PYaf!3MR'mc% hF)9Om\./kL#-$WM:y`n|mR[ݵtRm㹅YjM?M1{>GW7.P+#(9 ˖{Q=9y ="G)MM|t%Ulȳ. S"-tF8/@t:eCg~^sO&=-`̩KNn|14Tv I[*}]/L9Zrtţ+rJ.q`pK| kf+}]Q=pu<'g R*X C"Cyy{`G3O~kPBRuҰc:l1K;haYFgҜWe i M[yNC^m۲MEc\VXky`Ԍԗ7XUA!JA90tмO&qK3&֊,NI ί˖|J𨞒 ;.>/8ꟴ-Gk(t^*,`H懓>6:Ӏ}IvhdLQ=Kv1 &O[j%ii+\AC%\Iݰj snQzbUuJ)%hޢ^_w 'ʗ=t*z>$A{gTE$R8)q]:aC4SG:u|jbczInȣ! aՁJ*)0v2Ot1E!^ak.~áJ^NDi[ij]6j7iyG-maԎٳfGN>?>%/+xi|b 4+`0,C!!/fyy,!VUq.tZ fCuP(vBtH]l7ʪ`C4h v4 9Āt u@B+׬fw;=>ד{ι~Nwϻ|^RuG"/о9#6nZn&قH`8py!ucz!h IDAT8_8l  |xhm/ iiԱo=C1[ZZtRZz3:.v,aH}roJٶFq]l;+mhe=r{@VէA$p.sփm\‹.f1R!?VQXu9x[uo7@Vv_N{Y +8/=h[/+R"#HU ܀~bvCb?h woTD%m\-8AcM0K$wyu/c_!(ȣ}(k!1@=Xv*fQY?R*wN.͟D+ۺW!#6Ј mkwԪ!-)SK^kF'έa`h-5[:/tgd2dH بyX̆E!ҨSM$8/}K:)m <6ZE^6)  lּ& +8/F^Vr q^N Xpy1 8$bpzXH;΋|H!w#/j$@Vq^$@ y9V#"σLWP(;mmpĽF[G>z4h@py!RAvRl 8aA0nj>pyvC-DZ` Zl 9#q2(pm%$@qH5/j=\ZX&鞤,v-WZBbvlGMSBSId:ZWllEÛ;K?BUh,h4RbBBH-hp@DZɐ*fi7b K8/FSI#aW}*"q4v..|JgAx4Pra[hnm͙re!SPS~@py]y]jI_GED^"+(i3ICnyP#'N|Rǥ{`afV& +m:ɱ]u-d(v?{xo@dx@|:TzMV"-4mT(bzw=2k }lf6,Θ>kʔG-UྡƧP((fW>.N&#oqpۅ_ZBSݖ=! .Ej?"  Dy)HLP t,IDyvmjr/ĔS6 -(9eaa74h X6j4IH)wF#e= yiS@H 8/F^ې hq^)I$ w#HmH48/F^$;΋W$s6$@(Tv]$@$pElvR}Es$ЮTةbBrk0uY9(:/줪ͦbBH9.cUR6Tv>a5F$);+buo)gLπ[oe_gI Dy*n[~AT̾ R2ͽG4W[/}tY}EzW|ܦ2O@2T $hbS1J"zBlh>XUޑzɾ3/Ol)y왐27~ڊ Ys^ i'U? 7D7/(,@#G:;:eggL4H DyɝTJ )R2T̖P1]VȜdю;a]c׎EEb鳧hˡwA{ %%mT^RTq/Q^##[׆o!^jc&}P;C[ZZR1[a_2,TaH}rn;\oZC-opNnWVhCqir:u*a'VzE;M(A1N Jh$F y W[$7?3Tv['ڱ6^tܹF +Z\P UkVAri̒@Re]vg~Y6*Vuy *f| 3j䠪տR1}սb;KU*=X`Ѣ{n|SݽW'~3FɁ`v:9 j}9UxI߱%ӦZ,{V<mg5lb7v.6赠t}R\ԔTd_TH{w׾M:7ZW@jRPP77/+;]JWT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx \Ue8dEr.So %5qRS&EGM,k,5&IScaTd~)_9BHVrBI+韌T!.OEe)T~h}RQ>k-?UFU$2$p牲ņCV٘RiӮY*bө}_W P)pˉ{@mHx%ls;9OtTlfAXQՔ YJ,x)XAjz Ԣk%(8^鄩}MU!f]^{Ey5" #-*B=Ȟ]Hy#-vRBog0UkO2$|:$ 9 7ndҫBL g琒L&. 4nxw?g9MxL{6t#/gm#2Rԃ1V oٵMƒ0TV[WK$ʕkA_Gěh۷N8u:8R}xDetH!2pstI\bDHLwm*oyijp7nLɃ#Mw0<%pAT}B} V;b߲k҃:*yPBoZ /kpIyR{!~c=WMyX-ZkS+ }띾%:AKզ7.TԆt9XU8G*={ yO o,x2(=,)`N9/ ~0ྑ VA-PG)B:UiGlNU4Gyhz, 3$rA"ԗl5I%KxxXKDWClSo?>Yp<"~W}r=a SоF|PEJ6T b֯k_~D7zj27z0X'}\#%O w!]A/N|.֑Q} fhE=.QC]LO ;tIb;Sșuf!IQ>w oT={W/WJ`zH?5F]hY9>ph/o_gjԗ د;ODW*k̃ :S}nbvAf[EZ%e{?Ɗfz5] lk~vA4\#P\GQ @5PG=ߚ țApCCԭG[egF[{xE9 I/&KnjL޸cW:}te(U}wAEF[:9"VIOgHUD\XwtBcg^RZ]3rQ+"<ț Vؼ#'gf -\m5I0 ?VUх|qܙ5Yzto<^ Dc-IcjdgW}&ʼn{\WVG#=p6 z֐|j=UW&]~hA]]l2m\Ug;C6TPM{87w`?A@U.)}T& :=f-S7JQhOj; @@߿1ٟU {C`UyPf%*cUTA㸴 @o iV14$&k[/h'| ~W=,A@ ؿsC?  k(\z@@ؿsS? 
Y 󤪫 ` wvkT "֜ Cx&Qʤe3) k7$!@M A@ InQx,&{lH@@}L/kqb x,G^aWzU}<  LWփ uw!@te{ dTߍ  &@ȫ?1>@$@KhOIH @@ o   x>_  .#kw.cA@']x+   yRs {   #gd@   :,   !f9   $#,ɕ1v%pTyyyM ;ݳG#y;/܁`)<2ʃ Oԉ|Je{Пe& [!QA k!18w5IO5$w5h@@Z@^ЖKJ1ɤ4p^b6w77hQ08܉p:+;kႅ%EEp>@Ip(N-Is x w4KsA;B׶12Li˶muqp|t8&ppmҙnrAC+Iax"Z o:=xиBO~8(;ȥw[Z4b#{vwVz5]z Dѳ4wط(syT ?}7<džlrhᶰ<#3z@HUZS+FNMbQq#+*,yQdC iHwXގ7t)Y@9 947G~oB}85)="oF܏DM~9]}k5.0[jT0%u_}2`۞{"QώwwDנa.;;P#@+gZc_ܲ=<5 m*rΨ蝟Zv|?HAYc(η|Ίj}Ι5y¼swf}6RPT}# 0k6oL9  ~SN嫗i*fwx֊a{,@{kSgIϒ}x?7o»0Aq\js@s㓽W^!Pq 5b~uk~o@ڤ(~jwݗ/]|sؑcīsfZͩoc܆ ~ ;|_1Ξ?w.$@kc#`ǭ;O;˯a1ߖpTxgdYҴYfU Aq RW}1O;CbBN.tƌs?g,9P) -N9{SP\_߈gˁ޾yyRȈgJ¡:żgWS)0sF@j'H=YJ*۾J壟 CK;J?-&?;!oĄ^+vgy> /&>mhyTGO;d\L\C$:55%Ł4|  b$S}sخ{yysfω #tZڷܻ溞;vddP:vtQjR˽' a7nx|Ұ,uQL;K{8.;ve]Ve 5܉b~OXYTVߧ$yRwߡڛE*t}犊 VnN?k#ΊK Lj)A( C<1vH_u z6xxFVhYA[ k{2k]Ll E34fuV#lsՔaj=3lifǪiX/maE3qG*č̲NGzm}m+%cqżyVQ%p.˄gțzuVZǺ#4 *INK8&~"Y2 {9)i*=7IJth*fogjYuBNJڳGw)zD<*^}/j;oŽ KS&9*<:Zሿ<<ֿ} LMn#ƍ2j=F8Z:~9sǟ۫=4fQ#F]rsRt 5bdē znEɋۛF)Y+cp\)/o*j) z2z_PeA*ƍE7ADD{GǍƨmeww\t.ܔ$;Cw$@@wqv+\dK[8˶;PL|!as ~G9{xR{(@swnBVP.$xzlx ΓZɆB  k< M  x׎ NyDA[GN?GX[C6hU7-+&*}bu!>TTwlx< DYupA3m~#Ah5ZM@@Mk "9VC]l   M<{#{p'xΝbi+N*/oax$pg HzٝDl `M`G?;Zِ*?8OR %Nΐ^Y}O=]BTg?oGO$OrɦǠ  9%~wIϝ%gcX| .Q٤#Z ۂ_>O51 JʌykGnRY2WdPkpB9)׎S6~qe-}?|' vC!'?-~,a=cڅwE&~'-msg˿ttYgimt!EⶑV@@@]DmܹcּOu'^*/N{qԙWVV7ݤ&ݪ#w4#䘨5T$} tګ + PiDr$G^Zlkdorx2ӗm|c,9WFŕ~PC!fX)+W4YtUqU4hH1̆O9&Av²Љ(37PRRRw |ڬLV 1~`zU² IDAT4[gZJN@Tū&~w:Bhkwn۶0׮~([dv/UW/ʠUfG'VPSOpظUKَB9h֪w>+Pǘ1+W# sRSSc0>WQ,+fowV\jOSKY:(esTPLMj 4흻,Vf'ZuFN~Y)}C֯\OسGIISyKRGk֪'*<. 4p0QZh]源]ͳLZҾ OPSKY:(esTPLMj -اQK;Ձt.刿hw:?sB`_oߞeOJ?14rdyڄ j5mP'ԤQBS$S}&rne \)/o*j)"SgmOJS.E3X@ 4tL><Ь{1Gm+s=OR Jp74Q-6i7 a9v±a8=3dԈjv +zWjvɩw~kf.IKB!&^>?hybER- ݵ$m  EIZt6 ڱ}Gh]@o};X.MuGppدA'A F)N>'`Im @>#E‡  $@p  `$3 &9&\E5.|   @x΁0 ,~4\@mo"II/U%ݣ3 9I: 3gVWbVETg?oGO$OjUSpηcM?&&UR|6:fHCp[ Z*3s>{X) dm\YR$g 9׮? 
p$[6,L|d(7aDя~d謗fuf\)-on9\O>丱z>&lw/ӻjyn@ o5كmZY=]pz[o7y~9!WZغyK!Q&/olN?|x^$kolfvE_'MK U >2:jC&Ka.&ty^*K]W/^SgIbP${n[Kwdi1uάc۽k5볥jq5Q(nkC6}mw/re.p%PXNj f1yuđ<;G2i׏rS=Q4~iKU\8{7hMj~sqxc舰E V7ȭt& tTdjؾ7դ:(_$S΢V:G8nLiCSfС-N9{Pt5:Ls){R-Γ:x5kVQ0ׯ_cVguU+R# 9tډF1)=+}#").z剧JgȷuHyI0kR O{;vݵ; > '?rűJRLVD& (:$TK9\Nב&qW[Z2ke#YGkeWvu骪˃5+/v>R|~$:]r&PrF~Z]ot V|YTnсyhIbF ׍^fo߰sF '{z0a3qUljY/&LM5 7dcI鉇|󱕫ī8loеǯzIE1Mr RJ/> ?3yf9~!/F ]!i@ǽ4*%gBzX.,NZw,wt;v XY"CH ~ռw K !s۵wdy"Vk%(IQq zQؗ}]=q<` q_擆j~46 1o9DS+}ms@}YzH)nki^jDj`XVʴ\^p1YŅ=֭\;I;.kE"#^lZJ/p5wy_̞5wiTY./6p| nM棉AV!kwˮJmV_]K_r[(l:jZ !^^AZMO0w \PSOsظUKCt&!&Nںm[^$2IiO1ju#=H0k';YqosQۻ_Cf1CcVZG5'z1voZ4흻>Yfۚ6I62ٮgn'&Ek Buzu%)E-\ W6qL.ZЃ&JiЈ$駟~ c<;9ԑ^lD"|bfC$cg,.;O͛^ofMͭG y~Μ|mQd;$V>Y)yd\ƌ'g?U)?P5߻t zkk^.O*?7?عdk9s>}+\O8&~"]Ҿ-'IhDQ9Yك333m/Xh]溗~Cp0aַhAU[6fw}M8WⶖvQ$Rʡ l79܂E V-]Eu})M5CXv̈́q .Wx/9k$4\)VgQ~sSŧy2e?4FбH~/[hL7W#ehZwJpc4=L?)I73fv}똑͸1# 4T؋hEWrсpSˮ)% i  `29(!I@H.TLX@@@;AivlYNA.&zRTk<ΨIJT;_O>\@^>Q\1d'@Ug|\<7$xs@@]&˖@  I  B5]@MpI%j@Mr-8@@P0@@܅X@@@ < 6B0_   `' ]@@B5)X@@se6ā.  @H`4p@džo  IXQ_c7%Inix$H@ܖjn G569%䶛@MMA@m &A`  qP(Z嵒"m2o mAYIg5XC=68C 6O!RA1{T^e5C>HY2Wd|hd*S7޹ja#%ԙ2XL/^Z?}b  ͭD*=#+HZ܄ aI)&e6NJrx$dvNHT%oc;CUNC>Hjn!C$“E7n>S=scߟ۷#!g}9܃XuKs;^܁on9 4'{s\ߔSuueZ> *޹e{gxj@ڊUgWl蝽M[~5QT[s\!4ۂkoxXZJoٜf<~捛)A2Ҹs5`Yǎ+8{nkgYa0?.Ln)2}->K׫Y_N%=)#i D dP P;tw x$ɤLA5^#ꀀtʼOJ,~>>i="VSf}tKEjjC$C3̜Č>_!GԹx&Sm [ +e-)I 5zY;֨Nt$cF[3 eX{w ;0Ąē4a(KM_p훗'*) = :#H4d A w2X"@:<ۢũLYYjAR|^v\ao}$/N>rq3q 7hR@@!"oJe5Wywn|x+e>}Y|~99!0\Chn[r,+;QLa0?M U+Ge/Ç~wSI3BY@ZM6lp?I Q '%;W\(-,PFJ`} ]OOM]rOH!sۥ#W*T^2} Ee5W;ܸs`G4ț J#+Kw[+K[/I* XVW&i6!'Fz=[~&<7E˭m5m c'0KzAGMMuBM cW-e{^gdc񟌜l_uuFVưa-kj43nB4z\J>W4;fN(Bn|!oEnt j4_Y/ڱÝ,7IJR:5ᚚA1^=8< Y-ZCf1CcVZGE-B1 E8d?@ nB@2!QJKϓ'L4eH[c%2?ӳc&̣r?@eLI]H4.^޳G[jb4pfBJHGKf3&0]BTKo;_ -v yם ;/z.t){]s7ݖgVO h5ip^74AC 6 $5W~#. 
>H,@~.cPp \)/g\mg]|?mFv  ",\0p"$'…kf@Mj.8}=5&G@w0pkv֛G@M͍dA@ ~[o E+_Qɂ s$H@ܜjo  D5Ƀ66R7'@M򠍍TA@ xy|S垐)rhB[ xԤ5+H/1-Fhp5S')(KI.tD %̀A4 ?-Pp?Is;@@ & l   I-פPmi,)>3DYj_W pN?D5iZG5o4ZEm{Ivm&9qֆ%EE伕"g`Q,m5jzpAM]%l(* U&gD^CY}(?͍[zt`ޤËgxf";Өp>nR\$ 5{$ڕʭ[-'9Os#㊸Z磝k׭wO mmaX< j"񭛷Dhizmy}ƍ ?ly<2WW\)xmCݗg #TV_^0b@HCdN bܝ#Q  ?;?p{IDAT?`Ģ5(O'ZMu+Ke4g ͩo\~5KjD&ju?vc'V +,-\x^iic!K$jc⚪]#ώݷ|gG?;vܘώ~w7+f Z69ƨeiPGVS Cm-]FȡzAIÚtό/h ݈S󮔗wghSL>Ï=iڒ4ҝBmmI=l&n8?믳.Kߥ~'sinMR;:I:.WR .| #W[}FflZq<{z.4i;`ejA.+mXڢi'HaΈVٸROiCAtK 4{q!8KrbUQ`wV;H ?4("aܟqW6tvQ܎ wUmԶ0fKfvf]3}t!NnCthRTzn:f={t񗱃o?3!뙰,uѺu!}C'%N%Kޚ0)qLD^-~<ݷo_~w=լP?14o|!O׵K@Ҵ6\iҞw$!';'uqj@Q#FF<0Ԇ/{ܟGv?vF4)eJDFFդKrS qT^?{jK2yQ"c?իwߧbf!~||>Qk]vh#CآE2fylj[Vgڳ'Lg&LYũ GQ< M7tO)bZf˫ƪ{kwpV**Oa!޳KC=\e4ӬAU67NW;6YrĸmӍg\W.\υ%6[[8I r 6JX?4\-0Pz,7LےR‹3oV.k찮IIx&gpϬ>32D  i:v]okŨ  1l`ᦒrNљ!@ xO:pwg.xݍKC ) >%6;RGg mZcO "࢚D{܅Zmq4`8Nvv' g m!?|[_1=YD_͏aK1 @5Nl;K y4'ԱÝOFK)+WPL%%|V?wk Xwwx|,`=0Oښ9۸1l㉷[ EVWWڹw[pD   JgI4/aJdq{|.U',_uY40*{c&5k I{ׇ4 (JlZ;MشE2.BƀNRy!#aӽ'}P7nx|ҐZ*V,;5u>!{)~,_8QUmM;|jtHcwK B))vp7ޜsV3֚Bkh^;K8]#]$Ck [eU-_,\+ GuCdފũ HpYcz| ^]/#[^(U}Ӵu?HHK2*E2ZCƬ\w>iۂN 76n᪥dSvlqsߵJ1`li% HH[bGzR9Fi0TTWۗ ̒tFN6\ӏZw ZlxYb "&ckrtQ-|Kl;>M /%44|dh4%͉KCbiEGdgeGEgdfG?,[)'NHԤt{;.CK(NA&;BJ;OJ?g.Zn/s .?<sJ_;< 3S~ԺKǓEh٣ؿ5`|D͢'{ ypY@f s˫ƪ{7 ƻ슟Pg~}wP6̛6ׅXm-\OC| :ܨmeww\t.ܔ$,h3~STJ͏έ3gp]MrfVƲ;Ɔ@:Y.sCwBl>ȶ VthEjpW8kEc!]x!V!@C &yk,@x6B=eI-uq^R1P4]PPЎ;kscuIÚ4 >-04I5hɡ3ĶaF%.K3i `ZǰeF(z&QX#VA뉸ـFۦ@6d7p<$3G& @@O5L@@6IqC/: .cG<h  IN  6@M8jS) Pl.  N!p   `$ S&9+@5h  IN  6@M8jS) Pl.  N!p   `$ S&9+@5h  IN  6@M8jS) Pl.  N!p   `$ S&9+@5h  IN  6@M8jS) Pl.  N!p   `$ S&9+@5h  IN  6@M8jS) Pl.  N!p   `$ S&9+@5h  IN  6@M8jS) Pl.  N!p   `$ S&9+@5h  IN  6@M8jS) Pl.  
N!p   `$ SaOIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/10.png000066400000000000000000000251521303637203600247500ustar00rootroot00000000000000PNG  IHDReV_?iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs  PIDATx] PWM Pf,"hbPP4@HTĨ!("Dχ /`<2 yDX52x"^6@V3aaf鮦9{Nwz3n'ef}w>fR,T,%aJ;넗#7>}"Ldz`*8R+ @?XOuҺyݫ._+KKKYbrbO켉`Ϛ8T|S.S9<[pwssKJ\0߾]=)i)̘]wk!ׯ_~-"S[S[ҒG'(y9gkWTpJRNgN{/_,oy|g%Fq7;³Nr/zχ[ly&Xw~0D~Oxs켉תRVݝr@EvB WTTׂ(Zn#tڿժ\T NeWAvʉy?ƶQU"BLt`U5 eE0 ʈH⑌;t!ڄܳimfgg/&UeKix&wx*ׁ5g͚őyp~x{0*Yi׼݅Ièɓ&w=bI&vS qC'u6ȩ"H ?7GU%^ZSg223&f{Jv^6n*8W<׹g2S9YDz)B8FfNߪbyf]^RQzZ qPo4iI?8s 9iEN!Ck8\YD,ެ?8 qWuqL;PH[4W\hpsݭ^:9%f755%$&^rLO] E=9e1,4(d&8 v(Fm JӘ1+h2_'D Ih3MhWdsM9);:{ťb_|apj6!'3;\Oݧ[hrćy)  W[oav̙E>|{" LǩfOGR ";kt_kK"BB9"(2 ꌙ37l#!C1Yň53(d&LqǕ+V8&=!R9G{^DE47>)sj(Fl MLMyuǵ4\g&I"^|;ҟJx+:Zg8Ǜ9x11oԴ:<ך('$6jcq5nV1 M(P%>n})6c>Zdz6Lf5Q+xK O{-^%f#!!uKndY,-IGZtǂy-i.;7S:0iзs%hN!  8;;z RHNq[~:k΀xd=<2\23MBs_ȇ17((ɢ2ȯ)?NQ TMoJKOvrqM0 tkL ]=BQӮ}ƳN[Czxy@XI!=UE'?9s=.v !v`"yʛIs,"A6n7b׾X 8'7$^BNai؍fv, O\v(?Fe{$b! {? ؕZObQ;9 )zouLȊP:S H@w0) `]=2~C]Oav_>Q 3x.6Emb~G*<|oFZ*a2x&}5!9uhS~vR9Lе/ ܍vk˴^8::MJf` >xQzo`""8j"(4q3XxTTوpuHdܮGo\4reҢFǘ^ ob9[z_t+ sJC ‚3j^i գyd$`xL} 9#z|(5p~zC⋃(Zo?êW:ۙMɖ=pw&pUV2'$mjG^43'^Cd33^ D@J>LD#3G@%OSD{y6OjP{Pd8_JOP9~jJQǏw^NC9 #`#[S ~ʰ > o͆޶IDxΗ^:E&_ʊJ 5,앱2J-(k~h$L5c k" ^KX](z0/}Jy-=39)=/] >3\8!/'4JF&U+Wᎋ=@Ҫ7W7pOD"=2 >)-_WAzzz%V ϝ=`sO ӯ.}Z}L:?Ƶ4Αp.F;->c?ephX3lIz،3~i'wF%#P_S#oa'%&M֑TJϑI<Ԛvy&#)1@0_cIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/11.png000066400000000000000000005130501303637203600247500ustar00rootroot00000000000000PNG  IHDR/iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx}`ŵYzoV$rm0 = %BOL7`\MdIVo3ߎZVn^Wfܙg;37AzAq9ݥэl(G!l۫ m|mU_*mwlcϥWAigo\{裬 - "JOB%"{rڙy3gR}M~~h~_1ؿy9up3?&kI+]xxy;m\^ -}b";Ce=ĝfoUQU t-EDʤ2 |!1 a_rEV}:tR"hix p E# {ys =>ԽO<+i-'J@R*GGxh/$6!"(U&>у$1xpR}GiٛHfc5oe۟yR@8]PejGv<l:gm;|ј0x_WvP7kd+ZBeKn89v 9M;/QZq[l'm|xAu4 r A\ŃꆴM轪ۆk쀿ETL 9b MÂ8a/B~lU#a q{0*1<<|QC4w*X   L:@ + )ѕWTP$T=[EeϾLA&8a`yyAvmD!kc'ޔ4Zgh~ Qn=R9nĖO {w~H, L{/z vNn]^3R[{{{ ygLf컓k'$SBQu b[_]ûZO͈j5:'mijhgd eZT %ģwJ|dg=04\Bq@ h 9>iCiڌ4a(q6Tؽl ը$STcښ؄-5>DY83ه8j0Ԏ鋅7ć <~).o:kqF.>&0}Pӊ*0Ibi= 4oRK'-hm|^BKKaLٕ͆4݅5-t|zi̱zb:V7!*‹**/] n׍g':th}&plj0?^~!xhފF¸k0}L<1gÖC 24J^|%JJW6̮qix¤1}\++1#.|5?1Y qQxh|j2> \s4l'm#GBm&+1 /mDNAR`2ZYtXu-8}|>vSsۗMG^zn}a6% oD^xs5>\W]Xg4zָ)oDN}2k9 OmXOmpqX: ёᘽ }NGi.=l6Y8UX߽d Yfݖ 5qLkQX݈Ҙ<϶Fޘ47^ +Z,M1l+&f#_-,EfNókh@872d<GMBjME)HYܛDeگnp9r cYvKiԓ$NE")cFҢm0`0ң&ӱu %eۅt`7A8w~;Ji\-* v'K+{5`0%rQU6Eaq9V/4/9}jk*O sX~*N{r=6+2 a(r1:E}rQHjÏG5hnN9Q|Q,]ZkN/nn" o7 UO~7z #eLK)'d9Z{^F"n`j*+kZ~xmZnp9rIc3x(4S-Ǚ4i06hYT0 a& kOKy9)BэxuY:y-&H*vcSz3qqaZB [mH*p+1q@*Mu1p,ܐ 
i995$;wa$f&LiDmuM&J!4ctIM~3yKg6/=3FQSbRDi>![Cg/SCL6qS[e?^]<%^L3jV%kib5ؖ&ZmȊ ǎ&0!\6MC/w½{n4prˎb|}147\G m hjQUl)mfCoJQ@9@XZێ,۸__[WWOByM>\2.Ew+c#-l*,g>σ.Deu~\} >F)MiA,QLV@V$N+b(lcikwŸ ]G(#QB!h/ #[|S4OHeSh"Hٶc;\NG%  h+tIù8<ی囊PTR(&70:/DS.+;;1&rnڎ \\DMq*`9٨5ɏ UZS?Qu8qt|4{WDYEwrQ]|s[ykHx-YiD;F(^_ZPRMA9㇅`%MFaXTjxilE1*17'yVnUTTe4娬(ł凌ۋ&Z6o 'Hj^Ρ6#]^$_v?x X)cauxbw;䀊nA4>G3zo@L|P k.8{*>>2IC=,@t]QNX %9c ;+>j6Ǭhk눷JhuRyD9hDe&"˚R3(((h^٢%ꕊD09V,i ֲm"PW>ԶFчS =S~+/P]˛R-Im4֝x±yVT4ckY.:\>ВǬ舆 *kqakI#z.ø$Q|lvjD&:.[8& qSI #P#p:|/w%Zvrg5CctXy| llQE%bgC,$W=C#ivnDR[)Q+^8ɟW3X`ڊ, oB]%ش Vtca ȥ4HIM'Mƀx|xp_GS\q| YFBx%%*pL뇺Jj_or#I1sR=ñs6,^#F9637EALWsu!:>²9 vvL¹'ֶO,,VQ#Բ+@tEP.+|XOM( t?%' X;`WI!>A]k#q^b#۱QQS%@Fjo X]5tmi `ok&E}M[F8cFŐJ.z+ƖV:E|L99uWJ1"K ѿwox7^}z;81 '凡B`J1Q_*iN%~8`3 \8ᄐz isQ[Q@H^^Ԃ-!-X\euƄ /fz4x06og\Q5;ܗCn@5׎k璑&U,i Г]:]2a(&Ϥy R[8fZ.(vˋBy0hn[Zak#&s p *nt,L*aWjU8_xA d%M LHCd;3$D^/nbDyPQC,ܼm\B.VI|Ђ>leZ-.Hrן@ 49ji jVZ+S? *4cEѨ&Zv(I/F㣩F>&z1. #8GF%_qdq[Z(ԴGT槥u'Ӗ(T0tP3IZ11s||+Hgel,":jxzGqf݂V֧ZT I(diE%T}Ds5N+'f87aI=["bG7rqt=U9AvN-ng>>h .Dp-Gkk #)j 87e`^4@y32e 2m& 4S":iS//SVEǤQS~Z 3hQs3Q=WqU[-3qz:ӱ mpa٩;ٔUx:/E ,DEGaǟpK&DsE3ռ8n7x-WPR mxY3K\uSxkĭS#t n`p>9c @381ڌKhK/r'KDqO#=466 ôeY]]-iyV5w䁹\]F|Latˆvc,Wmmqƈ \^MZ"LhAM\y& &VUwVIKդM:C}KK,iy -i5uMQ*ɫP|,S3 0T.Z%*ᵟv kz\w^pڰצ${HꈥZxعvF38n_j:ȑcc7Qg^z%kY?i94B'x<7Z"ra{ iW78Z8L4qtlhHpKJe@D Zx.a!% K>jX<- zV LV]-!*paxhQщIM^UG0OK3FZI$xBZ^H$$:hA?tDjTjDh8"/k )JdGpRv)vr.!-d-A*^'2$ٛLږwk'1&Z-o OwuB"e(d7ko%K[oM#ky6FNM&NnMD=Vw*Fԟ4X ynngݜrt#rLg',*;ؼAQMT ^Y]ZFF%9F^!JKw!ZP)˹=Z 4@VYYIͨŢ J+&3Xt H[ZRVf&F#WT_vv6b n+7/fIIЊ'gdH5H̵j,$ 0//Mpjzƥ JTآL$%&999FU4p%-i,@7->&dJ*&$p6zd6%:J_^+ZUU5kCM IDATE@(7&|ש) ML\Ĉ^0ǰC!!~n鲏qn#:\w5ؾc ?${? N <*N:Q yG՚g]-koش^@mΜ9,s*}o[u1cDU m۷0 UGSW?`AH^g]Se zfrߟ;싶ˁ́2SeFwxk=v0[PesOMS 7fLЬP O *BbW<.x_;wML'2fGgkיyHs9fc (4L#!l5'CmSl_At&;ٶ2QK?~X5>ԨgTGK733E?yMl9M?O#y}L:D* `,DRr"O¡pzA*B /dW @^V˗ILnGW&'ol(,FV=5sˁ#-:ȎImD9xcl 2+jn0VGSJpHЖV2CF dv%-iN4Ҕ*mNRO5RU Ҋm4s*҈]s)X*Uґ)`b,+-G0iAnMڎM#h)e-). 
4_C0266hnKD^zDIkk1XjP&Dh\Gpn<)!+%:|yM-J 4o5͸BZox]C#5Y2 (xu5AvI!|sT6uOI7p'ض?e< CNVo@-5ziɔSlܸ7k֬BAk0%xuXJ yY9 (5iFuǜj5g1A1~g4AGjC(/iqV%M_5XN+M`şJ[<|^~%cV{h~Ѐx x EWp8oPaH׏<0H a{I+ (gA:2c |1:^~e-qv 8woj5<&}i Awdio`xP? kUoWjGLGf_Y`R]C+jOGa4FSUޢv5y UoFN)S/{<ܙut֙g0pz~̴YxqఞZ9ƪI'p+vLW]u%.MX/)'\)-Yq~ ^~,6Qc.//vrECڭ<*G;eaiNoM6o61<*E'MyL!|݇@/t~SjS2&8n}P [?mnPþԌ{LZ"o?ӵ@eaJ nP~2]rE8`0%m7Bˍ0-!M\@1v(.'g1bw5DtMsvM37ඕ_@u\C6bA>mUѥANgf|O=ɲukA}MTӧŘ l䨶;H\E`GP/vv:S,_}eu0h<>Qdszao@|qHs2MgepS>u)T*Z 6G hK .H#<)_lVǿFIM;8ZrkPyPEj9IAز^Ꞝ5&Fg@F`9 ӥ4smzcG h 4doEi.5sN<O>#}i4y⤓&am3N7@ƹhiˋ.A+7Osg_y<Ғ srrC #pcrZOI<͑ޕx)Nk!sxt90m$|yqq^_ dl -5Dg]z_ɧ_ >Y%˗r~v,G rPpyصYSy\,u7{;ԥsXa#{1'?`3礏}F3Q_K۰``D$gJ+X&uoTVγ*rϝyT N,[>e}oAආNI֬19B-)8(ٝ)X,K!T>3Bmy G̒`H=hi.\!00$|-}OEc_q_4UܛS{lWGWcxO&б o:\y͵xwf_УIc@E@:˱l40/VȪkL^<>:.CҾ@ydDD{۟qOU{߸@wh_ Z}hX A/D荢)1M{G7:14g6U4o_[o6`)\$]yT<8Kb.\d6`Z F eVJdN$ M#_8N1O>r,=85a<憅v^^ <ЂU>),fKS (nox(:jSm4TV́S7 Fq9r@jHN[ !_s\PF0ґc)gv9Af&E{c-Țx>:1./'(v^[gxj;KPV_ѹyP$Kន\Ь YX?L@Rf;aj(yoMy?m/"yTSgg̩iCPZKv9rr`PJ-E0 `hneX`YS u#Ѽ}%"m,Ac٧h;aۡ )hҙx14=xc相~Hw> /= Zxn?:0i:M'8oL/քc3q^J Rt`]AsAzQvNI[8[-1^i.¦\K{$ M`J1GDx#uk vS8Gk7\m۶c"=PQY^;q1pUV^ӌC'3_yh|X\쑩z& /wټk,e:Vdc_yÅ-43 Rɥ)W4%TJFuM5L0-54V Pۇ'-41.ЏSfqxFZ_fD ST+@xcR'kG*C9\uKq:)n*kʱF[*_3Wq>0!KL"bL&4owcKN$dKpkL3נEzŤkPV=) h΄VNb6SgIC QgߛEݤD|r*&+ < tt=b:[kK= \7p9rs`PEiiB弜dDzm>EC!- UZ+lCtL? YF:M7!3ktio'rI&JP!d=$EDszӌɔo w .({r ' 3}V PsKԋz^˹&77k׭ŶͽL>!9lW 7m4_p抣{R{Sq]p9p`7(c{σN-}rˁ́}GGH, ;g %riNW~\IU{.\ B # '}֮S&p`w~V]99v.\B;&mpLݶm+O*V(yh(6~1薛5=ʛ^"E7pĈ \*dR8HִcpCdWեĀQW1U\G;<܂[hB\l1@m.0@ Iiá  sFvhK3sv!{Z>NL2oWT`ͺ nMŽb1P(g[JfRi ;u RRRF_jg \]w <}S7E<{`PkΐF)+ubt;{mv;v (LwS&||.\ o' IDATt f,f/޾iZM6 7''0@%hjVg!+S|&d\〃T:QgqSqifaQ+MGT&:d['6i hz8A,Uqc1?/oY($&'N]8Am N8㑔hUtt4{} 8}(? 1E'zR<X" mc[x֢1j7@&+A7b:4ʗԁ9z22^ 8?cfR_ G:X9g[ K]d rI8Ӎ7o$'#`XJᶂmƍKDUm58tyЙb ѷo_ι<#p+";;h..vrpO^ }q nÏ!Ǝ6n"k*Q}|0|0Zy'6qnkk]w.\tt Ir;s59+P &!M~F#p|(ى_'g=O׮5Z`n<奦0y4u)jc֓a!t. zL˩Q t %s>^#`K9lP[JKpyJ}>^1t4hL:iwZn! 
RfW7]PH2B`1ޞ'qrww*G[ヒW#-_O; /̚Sr} A_7Wq]kcc{~WO5W_5FP6cydi:K =|0qG'Ƿߎo}~dzi)6gz>PC44?ʒ]@:tj|1"AH[C\=>24+d"cmL(5[9p9}[7UTVъUy±_nms)>8Sp qm'&wM,K@QUm7# o3n&X+=ytn@NcYYݙ^%0|F J)휼ѝʧ)z}Yrmp<$&:ƔAS#6ѕeG%OD[S8]Mp6Gעߛرs{ `L322L;X1 (h,"YD_UN*(ʪ*W^e9|G5+fo~x1g)?8@ 4˶SFzgyle_imV>j/oB@)הze4{qܗq-슟Og*B d#NĕW~fӑZhI[!aşS9C5~8NY깴E É69 EKQZyilc &''ql#xt⒥K H)Li/7;'is ̌QZjg݆O/1BwԈϥJ[@ց֛-ͱ~oXn-V-Yj)gil]w眃W]? ĤPG3ktیƣߓءP9}g@DM=ˆC?ŘoRXg ^i[ CAҦy֣O.$<٬7nI)8}p-w/3+Q0mDf}!~i~y{s4*\vyxWj[\7CcBOB5l5d G`_ls|8."y̭؆a`%6rb@A~ѽ3ϘO 5/3]s; 껂iSPF[o#E xՌpOD&5^y|1>TwڛnBuu| StKJ˨T_!iԯσ4IJHH4KO=}j&A?~{ ( ?4L2΁JcT&"dJ\bo~븃?O&Zt+HfԴT1|4J?4h̙ckiFf &E{}ww7O=08 ,] <9XP*|o?Oiwhvx 0qE*dn_K k9@5rcy%njg?[u o|{qe>\9?yO,}tZierh4m۶:q.u1ӾҾ~8iƑԓOԓtmp!4#l۶ /+7ˁ9 4G&gsm5Բ""ͽ$e ?Yp\p]r 9N=s-[;Feɝ?C:æ[)La5+߁~s6L6292USsXMmN/_VWB؀s1B@BhAhr0z8$$$ ҮlfxݦM 3|P{6Js;5Tj,(_A_̸<,;?=:\T✋.¤ [Ca)ÿ~6|$M)'O!&\'@5Xh:܌Hs;%s4g=4ON0K->cޔF^mJ LIJ9/Vb91N`I+K=~xpb+鉧l]<ؘ[<|2}-`vRiy8*uf>KeRaGN㌉[)iL۟: * '3Meno-՘jrt=cM0̘^c#kC"( @kCS3͏`q.>up0 U_i r[iFA,}m _MMFA| ׮J8cviΛ'3`@F84DD9@6yp0ʣXͭ"?3iE]*8ӴIKPURjI=^yu6 g?6qْ-WlbA*EW|zq3zL3ӳL\ X)Q4ħVz*'SyiFso=s^]Z=z||tznoͫWͫ|\ 78XK@Bb<.*d_ʤVAD#;o}k3E-0o>N>iF9?1~ߚtw'Ʃ$$з@?L}"9OF(Pbmy"ź[0yYT@~7GpTnH`I Sz'S8 |ShL0عØ2̏h(ǪD?ϒM!M }@'>7_駟 ^ FϤ-(HhIp-m~g[Ak ۸陽W:݋ ;lWq;pZ3-'A/}p@B?7|"8qIp^Cc~TQ$B?,P~ i7N&"VXSӏ NU:s͘)0t>^qg /}cߢkZ}f򏥥!aG ]Q6J*H@?|o w2k,UvY,ԅ9XځuS?mo\7qOs6- BŦ +i싏6QZ%e v寍g\}n =P\[//TNqPj=/6vFӷρ=@A~Cmڑ27dxn&}}+"zy4Eù`*u}҄(*7#Ą|B.%؂Wj%a 8q-?x(LmeeԷl@) 4?c}ݕqx6^σ4uOӶt- -xm f.Ew GT/(J`j`mtzfuxyp:ZSоBWtl}fZդɓABY7iAvh@AhoI imu:Ea"6Jt>.>SrfU;yY<ޙQj,x!."S*_u'c|2O:@ȼtr-SзGz~O+'}͘:y*b6'yy623 v1f'xnC1q a8OvOHLoE\Z 4 :2GƵOg=t%ݫ{$@. 
IDAT1p-%N\̛$38yϟ73q^IL$qcc6 꽷+}:wKG"KXw9g]^{Z{dݚuVoWB ^ x1ƀ*ːgRkUne̝wߥ 5x&|i4΍у:}%SSR`_8tU" \#MAnajV+v4{ŀ^ ?٣ŻCPmwyh%z)hC:(JG'okZ5iۤI㤹"R2 X?#=c~s6{x^(/b?0q|5!YbR{e$|)¾ڱ{`^ vj5@mnʞʒ}c1x7#FA[v y1'E&иOĘ+@$^8(ڏ.dNXgX4Ľ>j':gW-~=Far"i Uɬż:.2,،n1,קnm [-Vp``~[86F-cf X!|)Ogʮ("jyߵkEJ/D96Rԋzeh?7ƮD9`=1QыQw%p7;>pI'-[uqIO ܤa@ܜq1rh.<-!cS1 gю Xn!R_fUDMHȕwO8A'7(P9i!bm&=r5-*<<{f>pa40`*᧾mX3Ri/^I|3,?p<7CYk&Zx97G?[.N`4~}ܹ!iVۮupg=:YrxC`=4]TP(l(oKb1pI֑C#ȃ6@TڋB' v5ߺEZ iCӯS,kh{ I 炏5]A Zj׈!bu xt:e=RZ^" &Au36)"C(V~e^-N[&JxL`Ib/$^u%ه<£%r1'յuz$A񆓹=1C~o/{{z}O?NFxGZf[0L{zv 4QnԈqPa(TgpOcѥ>x ITى#PHv<8-=7@~%j?B)-3.w]vݥq$ -.oxQ.֨vCcN@VYT)gG\4PD 8\""ax9oMs); .3BJFHJ@(ɰ81/Qyձi?w9c|^Gp^*ɞlu* W-t"HN{ě/.3`&??F:)1#,X0?UK8q:,ݕEτ ;>cc n.┸$ ­΀>wW12cliǟ>ǣ.±4 } ;F;Bа+e"B2$==$YٳRU^%qWd#bcY=G~L`9R&uuJwo-% jʰAl)2n8=j!|D%fiW04 3 &?32?}0 ίu$4,0xcC" /CGD̙3sUQd|iQsa8 :ͽ|Yt~9i:fX"oV "{ !Z+ϯ:rИvHnf4WL\WUK~~eDnƕQx|Ġ8d\3' |g1)e޽ȣZgv: \s´@eS˾fж BWF3}?^Ǝcq`wA }]S\ McjNw7F nZº)!b q@Æ =<zXQ ٤cWn{k/|8FT,9's`ײA"HviI813)L+%!*X$?ܜ{vph=\qRq`7~<*Ͱs yK2,а<{pazf5/끃dΝ2"3SΞ;')޳쎥*>~y/H?y ?6)S%^SSS1N&-\'u`?2bHxUf|Qj:żI,,m }oB`w߁۰PSy衕 rv+m?pօ, >t %h38e3_gYesrB@~z7 pzs@1&qGa>muoʲHW/t2x?gMX.{v 'f{e-_pQB7b /䜬7Hq%K m۷I\\j_t;qg >M־a<+_Wdpx³cGȣ,8] u @wWU}űxI,DsL?B2 IbE_X9 0  Za4&4JS}8rX.J5H$!_B1M%#%"&L00,-l8F}^ٵe 5K6XN?%Itp'˔SP_47тn j 頻ǞLՈ)K1ZZJEE;eYO>ŽCnϺ e֏%/+P~[ܙ ^@2QXT$ f}r;vI#&hl,7W>Ŏzĥ ؍Su/s/KRR&r)lش]"CPW[7OYō;8$(?r臅neelܸEja}2k4. aCeJP="u5 e]rQINę>Ѳe|m;󁥤cf =Ԭ~|݅zU/y.P.@<$ywݹ\? G竖eKH7[nx.))-SgF `K~5-_"9 ~g-|SJQ'f"'Ɖ xi\t! v,ps_~RXP)Fn_嗗Wh?&&򻖃8+M Yq,z9kL6 .ϐܳ.6Ni=|j_h%99S3>Xl =Bk0V.\E&Yx!D^1XM1MO׾L6qλCp$_jSsK=~("'[gt[?1QZd=Ɲ*X}60TEEǢf` S\rgc9scǎɐtɇr^N:-ɑ UaQ,]zcӁna|S 8"AqL81VORH<HTbc@~4uJ}OqghhƹAHĄc'uF iPšM7zh,@Yl/N:qmL_4].Ê#('3$iPX( c'_wc-hZQp+ƃδC|/cV \Mrk$5-MDo.`CCC4 kC(!*=vcA6qi$%Y淤\⫯7UR*7ID'@@ qpT1]*E {I&NAi1)%$UNZ`QY>dB4ݒY "F3K2saK] F?$F1RϴFr1BXN6U|!rty qH dĨ*r07K'JaBrI$8> ak` csW%ʯ6m県T%j! 8 N9/q8 I㮶J.<6n*mbv3ym R\^.w|,y?c \3 3O9z$pwTeY ϴ[n!  
ĉc +8TY<%r6 d+IGFhDȤI?M>[;b쏿Ac$,js|„: JHumCvYrD~߭&/G؁[cs%q 򙡊/aHDD5P{v`/i Ur,f-X$gȜs9Z8V=f [Ɋc8_USqNRٵcu\Fe`"j366V[$buEŶ6Vab'~o4I;j-`U{aa>ql XuJSOp ķYWS6(' xz~뉯>)-PQ~W5g`6%!EBt0#AjqmPqBPck hWgGLj@[͠ u,X9{^GJpt:j'W3$@8HM]Fk1PcX ћ3ԉSuP&|85΅i~F 0?Dr/]¢- XXQOiLw#C B攈A1+d1a&{ۑ: EEFLT@{e* MtU! hosf1q:83@4m(p>#NT^Y7ay M hwDr:!$6$Mf` Œt~^Lt*VP}þb{ۋj~yE9 iC%)ez퐨Q^菝8&'LDѣGǖ/,Cy)h >˱2s.>Òs<,鑳RTT"w> )A[2ci0$(DrTbw;8NW eXm(5rn{r'LEc$o~\#B_)<(caP`5AK nbƩj9SRU9i`}44;872Xl9C$vXJ  %-RIˮi5gEx 3aB>E 4qD@}/!.p|o .hdB} r{@B=-?bj{5k?OB^E=ޛ"f!&8 Ѳ|5J x_)ƮNEcG6w|f lTU;gzj*M&i#{Y,e޺t *oEyne1V Z ׂ;ډ Q@ Mey 3&=a8K15WV=$Y% |+a=#aZ&]_;k|CٿGzIp@n?<3 au88ָʟ ?8=PfnV~  ^ wDceHA`|@Dݔ`0 ?* h+[3}鍼@A1 A瞈n ,0 qH ubg.XˏQq 3pP)=vkŪք&X &/[,(#ϔkQjC;r oP'muOVmSG +Ҍ?>#lq(CKkcZP?.^2e1F&$(ӗc[le&\a\L `:L3/Cߎ;G  mL}Sk&D6ռ7hwVwEayb77b"Xp7}re9L뫱Agڥpv@;GĤH{e42&W_3;q8tg)>JbB^q_Fdi!x{2,{ IDATM~xç)0!z1&/m@8?0L.qYq4`7qz۟<==xwXLBJ.g=||qKe c G(avcL>si{yeQĭ88e;8-M]{9lw{sݕ(&$3sW{|g`ᵧw=ZZ xSw*!d_ܨByoz1oYУIWeԟ<'GwwסmR;z.p% >r {9TT5qD#Ez>D| 'Ryه *¼qsb%*w ' ϧ&Uس7 ~aSe;cS9-w-Z}E\o/Dظ7k!'DJ1 Q7!ƇMHE2 rD=F)N [F90h+)I@HϜC#*# |O - k wH}O~iIiQ} z=LeF稇PTT\[>ӽ[rwHL ƁRV\uTݰ-,ZwaCp:_*+n(O Nj8 1*]r!'UPnBb7h=&O {jϖW]Pzڴ}y1Fʩ& @:pWBӗ cǰ/kG}PI #"#|VJt,XE2R d9bKˢ *RH)0?Rûط;ȶ6~Md}$3͔2qRXWJ8K*+ME DQrhW$epUt;w=84TKZPQ9 3pbͼD[`A 4}gȉq7;rpBOU& JMpBBHkf bz}ܫTMc~@g{B!ׅ , iu FHxdr\[0h"O`pڥuƸ -8b5`6 p)/ٳ M=%O#(DISac<;qOU\VR&njZ綸y^w@gn@ ~ ȭJK@ysu cxPj ZI Y9B'$ (|qo_)4GI+T%/G|/YB\ . 
4_2--N{w8+t) Eq>RX0r%BCg0YR/Z*+5Z;S⢔GKvМo~r&֚`@?TEDnL;C*rrOSeN%H1=6]-ݍ7t|U$M\3)SBu02l1iͳ㯅z4oB+8żK/F;g^wϳ̎}pcV8)vF=Z7ǖJU M`c]:l>gb`bpQI Eyɻ/-%0SR*3ab)Y8sxl1]L3Qv)q0 xQB!`]_K&͚$[ z'y$=3]Õ( *;/rbhx!!Ğ y?Pq}-d֧oC~͎vb{&18>(\IS|~{ZH=x/?4*hxU'L:srr=X0bdfvWĔ$&)iWg.lt03rp6B~3u -˔c Ƽ3ux<ߛt{eݦ~[q^͛xCP8!EVosg·+KAȴJ:43=Be}/Ǡ/L'.*Y=~Hq}rKnܸHD5}IsxTc+% f`saf/!XB}a;u79ӄ &/L<2.5ILz^#c@-і@ssYvuuTY' *|f0p:̳_eZh _H\w$w`J4AjP$iޗpyƲKJJRAz``2{>{|=WWZ));ZRB/Pi)Wiܸ CY]؆5> 9(̘AMm <0洜a 0.H-E]8Dh1&Oh+bph*b"c4-{\Nۂ]Ox ?*xHxw?dfuO/\ qT;)^TVz[Yg/=9\Lq~gycD"@u3aƏ*~ 'B*Xk,0p'{61M~q pDL s!Jc4G8̈́n\JiХh/iFH|8Xm6?'Wʖ[,B6F"AN'*L3oؿX,\1XUg1#Qc3w$e*y̳{<$x|P<%7 \ (˻JOK߿L8Q.#=&?.If7< \\?dljPhV;L%w/w;hz۱*߸$i'uˈ%3$qd_Fg6Y?J ` %+~X(vc’%KT}vIKKE ĦIwzVD=ϯk5(MWM9uL,{*2j7hf`5IO+Gvi_4 7?~ bіyKrz3ڿ}GԶ'_C Q4HNS|O}i߿`?rtiFsSV -NW_\/hRUBrYYYZƬٳW+uW^}&k< 7oެYήw)g͙uz.Ν;+kw? :B8e3u=V,>[E㊈_tOx$"aXHK"f7\My=Sm S9 jw_&:1tR.id= )$`tC%l[nHXbn L6QE{v֪;ڄ%f.qm'ƌ`bڐ(\wH$\ȟ6 *#Q1ַB )l@LQp\{+d.~ IXB?QG3VЗ,6MgA]qc{i4] Ή\́c8ˊ% Rd>rtHt/ /¤YυҀ7qdz'$! \L< cGzbhP_?BU288P _]32F+.^} ΂^CHG1u (-Oiig57rh=rZjፖM`ZTt>qJ[`0^^OP: %dfc$6uu5[4~b Ϡ YwO+Dq_Hq:Ze wV'$W$F/݇|K :TfQIhW@1 ŻgQџ .jTN\48#<$&4qq!z>Z*OS)i82__.L<#=y0ХRti ᴣێ8ȎF qbL)k<71"Sә٘{-Ւ{Q3@ [l [pb\p 9&7F LsK= c1}9s>tn'q7wO~U6w֚6#0vx}1s>ly6o$ iʁA )y2ylL_0|'h-J>.}"VF4(<ǎ#$MWMPb$( -p?TJ 8.7ޔp?=hA$<" z5\p:9^^~HҒerp, _d8&|x!`$8983~v\lw덅hY*>-_u$9c{kT //JYd $yw"=&Μ-减/ܖ9/$QW ~%:[%=;9WcD.*:ޠܱ}K%Øzp,IK+0?B*zJ=h9{Nuhrm*]#P :II2{4ɁƸxU@6%źFQ2j(3f!C*\cK+(zTIOOp19LqAc$7jdRJ8" gF} HYrYS%?(;I4$C˹[MDJJK9 +2#>⥋2eTX`: CqfPTĕWIp "?(+$w]/Vl뇝>"]M3B6 2aYr)LLBTUIZf{}ben\@UbA{U pS;ΘBcIw\lKr-pxl'=W*frwd8#Oܭ+\d}A]Ek˷1=v{w2*ȅ&蔈bVAC: Ә&}Oq,LSQёoiή{_uP}"lE?CIXD`1s־2TIiO;wn3-0?9t{YNK Q⸢(<] eT*&5A`95pÅ6G:qܒМZankzo j8@ {T^e钟^{*0cM> GF(#HWڻeݻ<@ lY3{O=<&jNjgۯ qZmZ[Wvt M~#0%0=87,О<{13:ȶٕdL/c08v62e3y6eeG\Ɲ`ObL>~$Upw ‚͈?הg ^.jx %Lo<4ohx$'nW,C$29T^@Č;ʥ &@ k3AH $5WՊ#BW7eJ$kmoDf$Z) 9Ys^_]M^G˥s<,?>(@!7x%I%?MR1rHYbl`HrJ*$p H#%-#M+ߛ2}$!1A~%}%eH 6H} :HhZ2U \뭍Uݚ w76%zLr9Y0x.C&u&(Iab jAQ$#ki=`EkG8?B+` NXW` 3t;8}na8bɀCCeZ$&Rvf䉀g) 
VmjIiGd4/߳=LMx1ĹaVF#YD7:p_$Ff|1ˏ qq2aBsdX5S_,cp욃γ夁NFX7zPQy) a )-'ɩ0vPͅ0< %E}8A)/fy=I8eyA8<ϗ0 'Om۶>5u4^ |0FIOtGN"&'BaO47JCm:e&C_2'41_ X! \07D P/?#iQ>RY(6 D,AwpDz[x0 `  bZ #mLAx ☬.RExpH ? <ˏ5xN<7O-׷`ˍvYzw,^W f&˦ͧN?/. V-n H]UM:xT"(ŢV_YI5ԏ`y#>oI{#:/b'" aOGxw]?%%KLZ^YtoY6/ς{KwHUu8Fˑ+I<-oZ,?*]J7!k!._rW™)x+' 6:[H]}n>#-0 NHL դrKޫ^ +9aUI8׺bwAy? !9|\n|;u$L4ƄpN=M?PU7JuW-ͥP&p G& =73).?f>R#er *Dw 0~;$u0,XDrrR?p{{J0tt5IYę o퐘8_Ր?@ymz~܍xD('B|@7pbLSC'!d*nt% VV:`c+N+.9Ό}T֝%KO|ݽ,ŀ^ t!dDT9&#q A @m SU{(;ś`!=$gxxS(A|˨r.LK9x@I5mrpAp8 \53 g9ctkn~j.I{ M?lDf X_lX#%w½2x8}~7Wb/, t!/ozv6Ǟn z_p9-CY@ r[pF0{8#Ȣ"%n0_@ --MlpD Fm?4g-vL}ƞC2bq l;q9@Z@|XC%6(V /p?ȩx φErIߴtL=Ŋf߀uɉc8~0Ww^bXR<8)%/@WBϘHtō^A-XJNKRX 15%&@K!]]}"04):ؠhAr_5O'XY])e#eI$sU5U5[&9Vhh .NȆ ֬m0Y SȪ0S8/HxT]')Ufe&MN@>OMݎ~r?bԠ{BOƣ]2xx,PB#C%tą}g=ޠE}dX;X@>zX;I $c(ѱr)%o/{ŀ^ XMk,zO<*pk?ԕVɱ3y8$aa*tB3 674/4HА/15ƄHLS6YE)di8^'mh_yf/#'Ƹkeܩ)rE+%~P-dR## ' p0((XzwWux0gE?x >c,=9d3ި(uS=x/bAkf (E1@dQ2fwXe P Z8`~L#Cya6(h8I?#H{L8[,E;(~V5ğ ZhTUTu>&9F9ѐ#]uJiA)/7ҽz8޽{l,TZZ,' kd:ƺ :h^ x1 8wXu.0 )%hɾ e$"9B CJCN̖Q-_si[ R"/XM ¿ånp F30D6YJ[JE`P )R_$k׼'{6̱J(o1۠߯$jr!5% X?zo~-￷!QduVM=zeܸqq/:1TGi!' 
j) dU!dTD~6o֦V9uGH| ,VIPl}hPTT_&oV bpSfH X E lc3T[4c\&?`zfr!p,G5V~͹FIbb]\[Hr>e|d%Yp{VHV0^Ь&H8ccc;>oV)$1o{n!mXFnu%6_jNI:{e4 09Ba:hE Yp0_8kO4p2%1$!KMLE )C Z(_6ÃpxxL0I9AhJQ<ȍB G \A]gcZ: I/]/a{QHo@֢KTу4,C2mC[Ne''M"; v( LiVD&n"Z^gYaz319@c)i{\6̣m-|wZ5R5w${`YO޿W@.0(dSB'ʿU +.N` ;=Yaw˅辣"#ƍIS'ɖ%.ɔ &}}Id-q9s ꎖ ٳeMYriL`Nߛ%|n* ,K/ʾ{^$ /\eVKRʼe2Y##d܌*>-+-AIZND1.s{D#mxXYh¹yKYzqiVݭ  Y2__I_Tw\tP>kܱĈbk֭W BS77Z뢂Zq0YKȟQ&/9lEC׼&ֺ`Z%\IJșSLP~ee)h>)>(r<61Hθ>-_YKcm6 K3m6uB#lmp\LI"H$"9A-C5H&B\Y'}B  R&5[&͚$GA1_'gvj \4S/'o!.0=sQΔ9s풠 Yt"`_).(NTub}WKiQDFDݏ#eew) "mL=E&Μ(ZRȒ%slocGʲоRUW["A>A9!C 61Ve6B3Td҉'GTlKtA~ KBhTR,V'r~_Gc0vqޤ\;2pgDNۦd#~l{>oڽI6y~z`NNB p1qf4Wѯ_^Sz{kΝjiMM=9'kGҒ`1%HװPK L5@Z?aggyW͏VA!{(ڦır;G *rr|._xޛS6(fYv)dd>*bzQ ' e 8C޷bilt\KBXE{ ӣ^ h2(IzRu,?(!R㪒re;SJUH+U_0dB G ޵ZG_u|WZFE-{0B d/;onx0aZy>w?3sISic"H`,`E欣^}jc +--UO5q!B?SkMzĕ\ 5F#CJ.](^P!};Oi @*kKh:6{cnR^X&IdUSŚY)_ȏ9]vǍA#ɬZ7jQ|zT [a YB{HXx7R9:ֽDi;lh}J]T>xX\Le)m'zoX6.])_;aߝ:uiN0w;KO,12KeOe^iر}睅ϕP.ZJ:ΡW|*˖-xDGՈdm33N9rX>CYx1 t>@RK p9 w6ɾe gɾ:EI).Y*Awy̿qe͚5:%ʢErKʶb/A۶i-\}ph^.QQ2)xI`S䤝.Z^cyYZ gn?^o+-zO֮]N|}%''GN$;UU4qIb?嘿g?E6aޣeرjz b  $H(~2QnQ>_ 1G+p ڦZ\(x*I\k-*N։CrAM ߇r?Ht̔+ilX!g{uTb 9=j|+a5M~4몸qc 9NPch7w;戗wIьdx_XG&{W ;u* 3DECLP3ib՝OޕCdРrwNLB^~lڼB,#)Gte׮Ū2p}GG7oҾjٵk_r 瘄$ k(y'"Ec7|oꤩrjn۪Gx 0n"+SOɐCu\rO!+>^ >Ӷʴi$!.}A~$""Bb{$vO>?_ΖQ-姏˷:? O,Nɦ @[l#GȪի$*:J"[ oZ[eĉ.D*k*DB}3]R߉/N̅TZxlYțo)ÆS7jAYy5FL%Ke狭[`d@syrW[bڗsHQ|A9| W .Û @wl=oˁ`{ɡej;%˟3j͇Z "TO%rO]-e"IBxlcذ#»f5IS7z5 4Ml,3qDELB{iCRut~Z6S1Tf|FiB}B@cd鰸ZӞGXD̿}֛ "o_;,ǶCZ=H<o,tr`?>1qhu``$NO'NgE[| EhߑV @aim}h;_ _o_}I쇿ȕ^7˝͘s52k86(pu43o$ܦ͒={w ! 
7(rvivr1_$HEjAAA 3FHx4(?PƏ34Jٹs3F :c|C뿤J~ >丬P/ M2cJo3dz:cNТ%RA+ M+MCG$ǷL:U8?u S6!./U(S-T$O8$f䄜ZVqYn̒#)0 ?pOwusg 9UU&Օ?YggHeglr"HXN#?W$2 'w].S%_ ~Z(ʠ>biu7/7,68A`ٙ٪BQr4g#W` 3 /ݼZz8P;&=ׁ2T2?">=WKJkq.\,RSp&XNpy@P@u*?GoDp5_KCiQ۾}6Kd=ُ~D>"K+ptKJD/^Q6 a7xv>F6z쑁MtΑ8ZvSB svFt Ȥ$}kظa$SڈA(vL>xOϟxRNUV3J"}d jp[#'bdj)sJݙ"O?+J: 6peu.|颍<1hڏ&Zes 4WYD| qgA5np!xȑnuH sz$o_GkY܋x{Vi}wb-ϧ.]/Fߑ)/-ܓy'eނyyf]M3Q\u]gr{u+xƈeeN\շi*BJdT)o?u1?L1W%؏{\$nVQyi!Bg1Ğ-y&c{Eh}0 c_S\s3fR6{  +X&7olte:ؑXfgl1XjqupU):b3)(Ҙ+3e]8/Iې6|M&NEwP?aEC,v{ %kVQ5u,{+5<|M<>[푠oJӠY-}f&u1\zo>}6%g.z9 bp^ޒ8yb>L`MF1>ķ~f45GHѶ h3*9v ]% O W/rQG+JcTAVB͎"ut㕚'^U223$ 8@}UZa^W@BzaٳeZ Ҿֳ;ߠva;L_~21-w7^ھ.v=ك{[Ocߟ ;i!?v5jMʄ.gt771t:cyڇW)4ewfޙ6:&EAgoO  j+Mʊ$+]؄3:?=3(&ֿFH +2#Tfރ@ 6z@s+BLA 0+4<:AOJܿy$b~Ծy ?ryZ` пfnp]>B>y0s;=π"E>tuv:xCs `MUY̾/J@wD2Il?#U a=-%' r)P=e$iǒyod{dM8(ƎRqk޽TIp/l1LUC:_7L&R-[~]3ܬ]cq!ԇc{T]\{zgӜ!xBԗ@ͶtK/QqM2oc!PcؾJo9~fpA\Nhxd1oΆVY)r'nu2ÝpH ٫}Pn0T.j\yO?.YX4-MGa7:En~f7xxxH&̊so燌 җ`8glN]'%蘔T n^~gz]IoJ34m0WkM^Z/@W/npOu=3q7WXK/ҷ|%9ʨQL+ꥨ_=SM/+7R%6#9Ssʤg *mjQ E@FOO2 <\ `J780Xg~(Z[uR\X"aQa@!$5{F1H0pDUyD|0PwQ3Q6}+7Fj F/#w&y< 0ܔaޙ{^J gTsLgKkz)fM05WC #dO6P7 a >]i}1"aj5OcҚrLԳh<7d2y\_MYp=P"O -a-"}Xmcy:$1Xxτ9=JN%Y-%Rk8Sf[ޒ]vOu3þϬ}y6m0K%{f36ڒAr6JzE`iW_QO(bRZ0.mtBٵ~␩A[[#aK_+~ԡKA666y&(2)wm6(; hR,O}:]`jaC!<%ڇJrH08N; |T=`smb{hFIA '"yH_aggL߀<|6̳yoK+<ʹ՞uLymVBo4Qbs;RM䡾KKVK+q}ɰa}\+W[[p=]h?#DGG'"fOj{ b:Ia08B6h~c =τ788X31s|}%e)Kkc;VM12N[SKdɎr;td4.@C1ѰBvu6MX[o|)yo3e4aKQ4D(aD axƠ7l?5oԎ-`'x{Ye=7걆iOw_/Æ SSiqE/e4@#|HH(|Uب =o cZ+C!-VT[Ptuv`\<~n&Cmmʋjd{IFzF{ސiqrc >-;rx=vm+D\DXD$rt+'f<jwEEEV.Y6l!,0^ ?i+b,W)^-aA2)j`$U)I}%N@{UMoly l l';.)9=n0PV &'R`9^>pz!g^<&en\eI>͛hr;';G_ʹZ 8*0t O'"e7{/\/x`+oɓa%(:F.EMX& \r* KJM8LǑk46l/Z2H;];w \9M9ԛiaigi{t9BXӍYw ):8\^.X{3fbێ"NyA~+(PVǶ.lX"YrH%^mUGJJKa-N`Nsb cQrlP*B5hLذJ>:E{BYTK:L 3ծq N%fkf`hރTZOoGxpZis_"Hÿ|.<ȺW-%?kD{Pcm4}fL:8-y1Z_t)Rٓ?פnrV T KrNآu}&':FR=RE+`C)@bߪٖ[nB5BbtP̜ݱt9oiS(7w.B`y0xNVU0w\w|NZ!E-BfN,7Q*?8cazi)&Nt]ϝG{+z\7p;!K/Լokewn= Oڷ_zϺ/.R屿3~t'鿜%,yrϫž<,X*8kdD?lcU[dfb AQ%9yaZf"pџG)),1IɃ9NIt{c>μ;+ƇHn,]&>Y}~7H~"˪_W 
p0o_25r,lXC0ߐu0 mrNOc&$|N.r%gMWM<}%2r͌@[.!wLQJcMyP 5Wư3阖?$dHEi,ʊJ["IѸQ }ytiHڙVHg<RUY·yjbj@wYYR^UaC.?wSzZ:,fG} (rXrOGTr 8u%_VT- NHB.%2 vrk!F8*qQvOFoxc'a8F£`iG/oԣ'4LNhqr]Ie8zۭB:;3胝 я>A;& x{\4i\ Ɂ VcPzap 7L SҜ0e_+afל:Fup泃D5'ہ $M]tE*3Ԥb_ Hk"3rJ%?.c m!!{_0/w/uC4"]*pZ?tR k39ħ Dž  m0POo4DuB ?5Au aUr=[7Zn(7'"'<)q%6:FJ>&́.}IrG/7U)ER ˆtVpq|S21=1Q.8Wi89O>P"`39*OWݾiY ?D 7SA$z~EP {[8fsm4ݴ?/;nƀ˥{@F(rYmpHb2M4' g?pk"c-\aC=tD ̇a?)9z]ڣl@1-V HP3kd{"ǚo}5?n? GUEIIjν{n̿$Dxٴb$XpJLjLUN>2sUt9qL3}>P5ޱ["#Ѿywϗ>-E'GMV~Jz9' g/ӥLzH2yw+S*yḉj^w\0"bR,./8W9tPL8IWOVB”"KKNgu? om?͈> `"A'LZ}h6;zHXl Xς x5bI@DmN&#Fϛgl Y=r[3ס-H$ePp6l\"-9Ծxf F,c xtL&a^ Ȿko8uFI9Uksv9R>\OBJ"ƾ6m0굁vf2oٽO {j.w^s(lq0a"@tt^liǏq b[:=X t%X2"dnH'rÔ{͂=}<$ Wikڠjޟni?~03nMwk> 9c^dw`Ƀ&˰a粿*.q- ܡ#RZdK쿉̣C잵L8Q@Ѷ7"A:=Dɓ,x2CA^?*F%7\|]!FԾc(:bIB$c2ٮ: hT>Ï-x Տ (G!-O, >.5 v@uD(|]zJtB탣r4ͽBr @0&DWEi=Di#XРPX9_v %^)&h-IH>G2yxF;iاwS姴wL,^ZBh[_X"i~SJ srDFb^v!ǯj ɬ}7w98޼3W+PǟSl_ߙ1vxw؋v5ZLIwm߂M>ޛ]Msڗmtf>6[&LںitnGָZw3Ll_OU3y=[(}1Su~="m)29Q&B܂8zd@7F70 VNWPOW;H$ >] .I˜HeYl\ܔqk%R ~{J4,P@1}"E˥rۏ&ϮxNX9$h`,S{V}Jf^?e%NP(Tۡax:|H &b$DdeJjrnW.E~,&sN>v8<{BLB<_ aZR@Y*H=?9^=|ݶAvpr3{J4i:u>&FP(9\f9a pď*OMoLs & F̛Zzf?^)Hjp&2oH<4F'Uĝ$MF4ᬚ|.i&q)J$Dg@8᪽3>SMEL?Zh)SQ.+SOOJiu#b 8؆&hw\MŻ6@C BDa`-qA}W {歹/|Zऒ?c=nYgCG{KQ8̃m&2لc/:Rq|weΏuY Aue /( v?%{A)UJ̯jlR*2B?'`]8:{p-LhՖF?hA}_|)#Ś>R;c|sB:%-򛷊VWʡA? [<%qȁ_Dӟ;/X%21>vgOS?%!CZ]лwHdp'7ϦM^S1s5I.u {sN3X3 TЁ@|DN2 C"CZXl p`r 6\?" +b,+8ܶаHnϤey:kIcͯ-ԫCviX1sΫ8mHЄٮM \~uKPX7`ۯHnևX$07h?ĶY'C0yoޙga }= c&5Oxq;tM;iE;+q=9rA~yP= ZlĎFekv8?lqlowȇߚ0;Ew@}Y_s{qcf>7Uzᘊ;m ڬe9 7ϫWֳ g)W'%G6繫C Q8;8M$9V噱pSO>={a& |6`jQŵeD&sՆ{vnwiIUb/׫Q7]aJ,X nxoἈ@'^2.RR,T#ѐVb%UC[8^7qfJ6? 
ߎf99b¸ 㸲p"DiX>}ִ7)qUNVFu_V(IyǢS -A-9,X< >s̔,Nخ6Y%۶{Z3wnm2ij<[cǍoRX y\|EҒ:p ̮fxqPuQ#ڻw> Ax,Unv-]QY)ۊv@g_k)O^)+3&?uSYYYow gf̚ofO9~x/LK4 .yxB''>oActLkU ʉ oaadہ.J*e3MOިNcKܽy 1@"pcDSN=W}:GۊXTy7@au:=;]N+&X%#Ghh艃Nhɓ5/ZFh-_HqibL#_;ֹeaUG^x+WvTyu}d͆VP~E[/3ɛ6mA~XH+4I%xļ lurxa=B~)) Ku?=y_} /ȯ\Qyy 0jn@U|.TXU77c} /Ms/NɊ/vlx 7qe7oVp>MA@O1 IDATr  B:{%"DI''*vMCzR?Pv VqX^^N(Q%e t#&5믃#Upՠe^VҲݯ[j+:L\k,J?%>J]C ڝ$XY(IXE*0H}=Dn￿HH `:F9^iʱ R+/Ѝ?eRZ"MRR(Yp.i0W Yf(#?ڟO~5޹믪vjrozӖMj=oڌ}ŋ˘c0oD_Jb$nJ|RbC"ԀiSfIm!6!@"BRCa.B!#!o^o}SyhÜc?K* 9iI~eGRɆ`l 6 og5ePc\8 >.^RSR-P.Q]{,pΰc8DEAԤ58"ZR 4h;r\yOٳ(;e NI=̄H1 HI pϣ>s-kcm l9`>p\%i#0Lg:0vjRd֑+TO2}9Vdi8@ADlqQ|>{yIP0|* H<|0Y]^}b7KLL|Y\qPJKB kcp'APJoLynݽ%a1ٱ2\~`4>)sb A#@$p+.*˾yURrƠ҃}5co*]8M핞obL(JyOewFȇ/I3vrtiJ>?cў cƌi /@ 0pEJs׿b@uJemf3k !=-C y3{pg\/-,>yAϸUÈ4W5HxQm3:O~V6Y\(A#B&~i℅rYrr-iudž8/W/c^]"w|Neڕ&7ׯt?W*>5[*_(xB;~H?a .}RUjGHAD@D"7q1?UqJs$Mu~3'%'R\5(,bYa<` &Ejf`^m>JeLSVQ uVDh4m$]5<`\b`{25eTIE #Seu޲`58y4cA66+O EDx'8GmA8;a1uY4.9RArW< Ah{! uEcDX밧cXٹيi$(ضG$ Wt|\J a:TԹ!8E73<أ:Dωwc89 )g7Xx@ȫXXeBǻ^~IAn}dg|LR*+-|)'.莎B$ʉU[[#,~Q5.E+ W/76Yb"ĐypmѢw$33X'l8m9p@v4LFf8[o%~AwɒeRYS$95'JQ߸^rr ak%hQ9 CrhH‡rJBG\ p=r8Wg]%ťzSYiʓQ1s"6E“xIM!"^ =e{ Ryͨ/ H)*:pgᛱXϜaj:! `h; QcFJjz!1-ړUTc4طeIGFyCt4͸h=H^/s 9~xO[꿐FͷxTN͗%K%E~5yqivHov FI➔@ ^E^>be/[.'hSoo߈YWG &#eԸJ! qg W5)CNx3%0 oK&N<4ҕrIr1J-|Ѭy6e_M޼4|3}q'3@Βew6|ܻ՟;"uJB^M~A ع rRi9 9+E˅9ol!8 W3#_3 9n'wd7Jjq /gJg#9y{{I &@DZR^! pc:B#l]AYH|瓵 Ԋ-̕_~RjYʈJ(3onWQnc3A%(8 "l@#$'Ⱦ p1PvPy8=@г׆t9J ؂F`=#ᤤzLZjJ;U`[Oɔ[%8!Hʛ';il詣e+Qr&¿ 9zv_kfR;iP7'p|Cs=[K4XͫYϖiXFwg_Y4npܜ d 0%Cc?}a{!ȖG5pȀy^M0)ϖ1%;5}H=:oDY Pt^qk78ڇ5ij:"$By୲^\=f EX֔Vm[ZµxZoҐ ck!_#,G8eAX UBA P'`g'iR`e!;qi(MP_:VWWGj 1oF̟:4Q cpa2G p"TVЄ)MwJ^]IY¾1q}Uۿgci#,G (;eؗu=z#Mf_Lgnf}nY'GH7pL455xa\zo3a 4hLIqSh)z+Dd.#6k_/}6@<̪ g'! 
'h usELk&=6%a|`7?]8NWw_{}ٞ kg˷'3wgJYxga-K|φRvų3z{^"fMvi'Ú޳!(ΐ 8ȃl߻WŝDzpDk"Ms@kU=t/DFdq/&XjktTfۮEvzqR̓㭅e.f4}L ugdjokghm}V8xޏ.fxCDt$S'Pk}l"BS_myJ ;BGD~ AޤE ARPƆ$:S G} Έh jl3󰞯RZ Zun3'o½:*PӍ"0T.pÝQY pA1־g~ z~*ggs u;x{`53p".Tp rR7E[9 Ŕ_ðgWxǛHDY"OonlVh~BUvzɎr-MrxoolF;2 k:Pk kG\ >sй9ɡԿ }<*N/ִG"A{HNN)FQDܿ,G &5y%0u[yX"s"8t}]"C.r\Ιzq]b#zZKD!j;JF%J4Cs$ڀs`rl!/7:0ZylY# `g _\5'M޻zk0 z >!\/yɠX8u 78L\w%qJB܊ d{Vhccsb -uso1!5P鲈X \C:%IK∸ǴT!7g'gʣPes%Φ {".֏> 2})rvV&%wr{֛X I;dҕufTKsCz)8s ST,QK˟0C[]h &hمTךL&Wk]+zsdh&̾,)}y2ITmҢJ5Uci lkyN%\l"qcƋi5OYߛwZF 3}E=9wh'ˤ@cv4-|B$A7ވM4}0>6M\|BS= ^Ӛ<© +'J$UmYR*(uv4EG3R#YjXT(Ώ\RVL<ó04ƾKV\#[ ~وh]0 e2}TǙA8ф]\Yˆjk%XFDE@BMN^I핞**Gݟv9}emqF5qweh?gg[ 9̤ukҽ|${`"ΐ0~:>y6城 0Mې<σ퓝Ζ֚žP0"rP\MMź<.'`ZOڹsi'"miG$y{َ Ҵ4DD}CLn BD#R7Xzp-H`utd~͞ef.?3}qW+?پ&ٮ& ܗoj\᥂"KX/ʵJ)6րVW5K3V~yO!^%tNl%IO]٦t8lZIJ$)+YgGo.~$񖼶DӲ?i꭬L2fJ΃e-U|RVT&u݇buV*'z0M>_޴K/@ ~8;m6y$'3G:)YHm\ *trj#zȍ 41mx\5Hq)sgrtrh)q(S"Ik`nz;ITX)yEzR<"Y6E(%֍y1%3Խcl2qe>`kz%bIkar5-hZpM`"B.F._N$Yx lRr(?JۨfS0D= ӂoRJQ`>8/g8iy~1D:m/հ;"LϘ ѰxrsdHP8 2boX&-(exp5\*,]J*EnF)(+?^+Ske䄑!YYh?| 1=?4@?G~n[dYiB_9,|“Zy\k2e``)yp݃pP;udv];$~X 1a#aE٣fHQ[tt4{`JK^ٵkݻr2uTY %''G_\l,]\<)"m姞y &&J y ;'\.5hnN.$ ,P/x:uݴya{҉3/jC7Y9/cѧbd /3\Spnx73?<|萬YI%&Jd0dNnŗ_Q8Ƚ zؾ9U~,SAl::BƭeRQ? |WKD%♧QCU~[RRR7^p9vq;ճUW]л x&Nx6}ce_ iYps"}Ӎf;,.2`QsFyz6MSWK z`%t[T̊.!'AWj1y{w(~ܲz/`s:c& (3577EřM@;nn /|f*z1O^7aXtLϲ] 6f^ޭ{eJ8PAs͒52S;^$u}T*qq03F&ICQ6TaM9[nvQ*I⸉'aQ F8W_}̚5K'+"sfS hƎ P(Ep"[䪫Qیȼ6^q\B#;@.wX`oXزg1eÆڎm۷ɰ.Ju]H\f@N[)ᄼ$132Hٹ'#4Z_,[Lœk}.ws/~WmX͛ fdQ%$8?hœiɔFl-ʗcҜ w\ ۊa9O(:y*lB{ 9c]e =]rrŸ OIIc>;w! 
U`O*x}xXrv?E V!7+WSwhvpWOxpO$Bs&i'ɎusHwi@0~$u-~}O%#%a=.q}YxۺM Z͗ܬ\E|DTCūȫyU'MGhLUQ~%ڐ,#YFH Eo-Pd4dt Hs.~y|ǩ%% p(Kv1JG~L3ML# nP$`,9 S 8uX"|CFd7$5PԲ*ɂTC@I" 8H{bp/ڵk(&_@x1O|lr$lhy |Va?X}BBC:K8R f 7hD6YaaaG)ɨ5ӱ x4% [wrD԰6ߩ Y ]{NXOj$t%C}jNAvH #供ôf@rL7/KHTRD#AL׻Wo9USYy 2t(dKݾvPҜw IDATK LgfH0莋=J"ABҁ$[²A C9D=:&c=j!`X{ԛ%[V%7cSBO0 I^:BCh b W۲,͒sG:\W`lsΞ=;3?Hhjϊ1i5sg2xqVP6iS^Cg;#A%I4ASV-7 O7[Oq3JX!SpVKA~ Ɉ #;&OP( =x%A,蚡Ijr>ᓺGgH%q+Ap_rUJ:fuü Wz1 lf8^{ǵ>c`TzehCWjħ;[?H*?U_XѠL:M!Lz~O?4VXy>r<#pvb 3$/6?{o$Yr4 zSV䄋G(T=XmݥK(=3$'#Lp0 +'+թy`!`Pa`G_IıgÆ چ,R&=sN9 ۍJlckCҘ{ <'wuy2I3۱chJB.g!2 &3{qcvJH]̠ƕɡC* q!B'l]Pn_U,ȥKfFLepm&hkɄqX]Ra(+-j{\!ahDBllTaa!|3=;e8uyY̋︢Ub'ۑW=f>ˢy,>gjdInI"i &_޺?K/T=];l)" *THf({jhgH3g\qRۖ s􅨶Ƨ'`O7B̃pLR ٞsr8p Qn|$v[,JL,+WGleFzUAo JMtUtz)I":aBF?I('׏;/l=g t_.,CL8Ii8(+Aޓ69&L:%0jhD 1+{9I(-.-`HeOK%HKw {]dĉ*)a; GW3Mcj±pFfiuL'ovnAI/oKZ%aȕ8G7L]y7LZ aTuQ)d8Q؅_TU𘭄5cVCj~0p+2R^V5dnPe;Od>x?;++fm/?g+[kp+)v!vv_ek>W!n0!!1ɠ9˖bc p=p6qoKtcI{Pڼ]Ww8d>c҃SUw>\%X5Enp~.[Ynw` "kN8dt[-,m[s+WcyYnðE҄mXl8r 1۾/(آ`lsFVF8T;.YD'KSYQ#_xT'bĮ^BAֻF;О W[PG&ae燳/u ߥ89Iy7Vz3"̞`ތC_Hٕ8kn<&ğaN(ݞO|MǛai]EwhiWpB?ЪWB+YEissg#witk4p̸|&P*q]w)t9ug"n)QZvþ46sj!59T>Z'5|afG<وfq-7hs|נ+Ē rL8ݧ6jx0Y9yu㳁S=ۧH\jqm+&خ;ylTZBP#aCR h@{ןR vHJVrHԜBKRNQ1=#pem^|b.Gjx c#J bW|-׵tvGzShnaVfڷow?X&;O 0g ?W+4Iunt;pkCsSڻtd?">AZ{q=;#ךĝok޹t3Iny6C@EO~78訷G%EraA}~p2-P62r/nžVP r̒4镜 .YOr\g5|6;+aC ICN NSL@xپG̗Ծ>as(0Ճ{ 8r =eNu4jd3uu 0. 
4sv$[̗QQxHwc!qj3 z z+nWRPkrJmNߑpS%DҲ*ӞyFh9Rɏ]|ٻ{D$DH$NH|#8MFF+dWg(S : l)r2>`&eVa<(OE9̑TӽWj{8VXOtu[k'H7h5WB}oH)l+.0ߧ#ܝsSR%7Tk`G*ljۋgdp#ؖlWjQs+w4Kz[>X;2 $0?Et^?EjתB[DFE֡<|o6aP(煏WB[]i݀f֯ZL }r;\!:K.*}{hoaR,zL#dZ?mWv pű/ʕf]9O,-k*v/MA,4{Mrf WtΣW2>S+ǹpr%ZE;HFw_GQG}EˆgZAQkü3ӳvGjWvF˯C)RgࣿBa"Ϝ0<4D&aV~K3,L.0ƀ3/m+\)M+\%)%I*K+%GZsP`7gZ4mz*wpTqB~zOk.N@=8_™ی6n(v]bm^_~A~HʕpСCncw'0?xpV'c0Vo84BІUXw9n WHӧӥ1]XOn`H{3Tg!$EV@<޵[>CݽgܹS P2 c.{+>J!+O\p ̻PxLaakX/xD+}~IN*+?hnlҸIrn~8QF1V~mts;eQ+}fc^ +'_)'ׁ V&8D5/9Uj[j,ag j:DG)ͺ@#dj75;nYi@{ժU~ڴiSΣ=?[&-vcW'eHb\$|xF_:o/i"9A餸G} l޼yBi9vZVrя&ĺk(F=ݗ#o%Vo.}eRQ+k_Ik&\\8 1oqIܽS-A曐/[7T5nMX7x{G-}:azhF_ꗲj4< #ѳby쨍 ASh![ 70nMszqz|ث_u:'B2Bo6)Zj;™)j-\K8@xt^"[(_ j+v>W])ˠ v42l v;B,B OE-HFܜR$V10ǦVPZ=VQؠ8ZQ=`r}UWSnpUW]_c{ g)-[6obe"<̔*|nL]'߹tjlx5M~to~#Qr}!Ǵ8Tb3+rb_R]؉޽$ 5bMr2 IǚȾ H߈[6)*&C$OnHՂS.ȬMÓn!.T/2~k_]p 0VMQ[Ěny2zPl^`Vpm4[Ȇ֋.ñ]wܥn7RɤJwvJij򱬶IA!oԾ'HdzChiqO'~[K$袋.zH_VS%/Qfgq.1 a~ I5~;|[-6h)jݺe}-|{%#@'q`l>([d {A)Ğaょ{NZ8U!$|}醓*ЕCp+k֭D999nYojdZKLA&m#鍁'~z 8>b‹4$TBt}r%nwb5r0 J"-<&EڶE Koxoʷ)E"#pa gXAjCWKT!Sj611Q>=Njt2E: $Sbx_̝~M݀.ivneEqZ{OR |},I. 
]a2$-p- ң1}Bufp֏| uHAvK6jL] -cDX0UE?"Q[w3[qK>J `{23~;3d1ځ,M VN I6hqJ EUL -Ǟ{I[R}H[/ ҃i 0kiOJ ""rX&ڄ!<2bх ap]NLO*pdϬ?fZE0s0}bNy 틍 n $5Ib) lyT)6P6 (IYLh́ ftŇpz`:l ?6"gvyA T{/dWLO`|wAǐϯ)Z| 22gX_Gl6׺ND*G!<@g_ IDAT8W/< 8Rdҽ]Mx~:[_]}l/cY/3NU2!_:p8F55Dr/;h* ǣss3<[;}9,--m̰sB23zh3{.&9pC{qO n< Z[ӤqҼ +~b8tJg3iuW۠}0 ;cpQbay(8C[x~^[/ ;ٲZ6 fyiS|=Dq5;- Wʊ{m6I뚦hm98(뗯Wc8y&_X"apYx2y;e䄑sI,ibު*K J g#:J=uGT=3Wb"#Ǐ}{ ~AkA`ş.yZΒnYpčdPe;SGZcp Z6ܠ(w}dsfPB]½;j.^* uFnai=M{X2r:$îڶiOZaFt{h/;܂sV^KëЋV3m2R6317FY v)c ZQHX"^.wP%aŢ0@+P  2FjRj*tݳm$ddˇH'} ctjJYt$tJ]B2Ίppտ~{@VʦUd͂5HMf3K86?xæu en}^iQTUKjzL ջdvT?IqVC]bĦ՛9?GW_]}`$Nj1YGTݻ[:j:<.g gݹtrjt1Wfq0c+ŽꔓbC*CqlrX s=-VۊpN?wgٞHQr<$@$A9ǻ2v/`cDIp.Âe Whn]4דx/2&RUN-6rΐQM&Jr+̏@mV*Sj W4&hIɑI*=5]u KJMZ;>H wfted>C&*a#wXv =| X%"*Xϕm7\90"w]~0HC, cɇr8R"9پGB`o1d2ұSoH.Ĉ))29:#ںKdݲuLg͗CMkB/\MKDљq2} LqQqQ8) -/-ͿzCBu),+4ZzսD̯Wb"6`q#d7KͮԎP M4mǢEPFiZ~?<0a ڬ @ 젬x~J}ܠCC>;;x-92zpGöVܡ}T J ?iOz# =pb¿'6_`8g5 8^'gWL]&+-j(ƪG ](Ƥ"rht]qr+%4"b$=+]6'}u(m!BΘ+۷`&ĝ[dU U\&KQ;zGʊ䊛IA=eȸCmDZ N SÓr,cR}Y2NswV8 8_3m`ktNnʪ]˥_tT֗9(K خćO7_IZQK/P/$b:W_QR|ٮep4I q/g1Jnx'<{IDzLHg蕌0_AqbnLNyPƏKW++ޅ%~.1]*XAj~$_וA9h#YPDC{`=ڢ|F{5@)̒>GsM=Y%O68fa0<<7g,]&}5YkH`jڷ99 P\'`n@GrL]R\>ӖH3Vɉg!ǺsUg;A3dUewe岻n4ɐX'2'ɕWe"{gL0Ӹqc*Oa4 @ :v;<5s7ɁR^W"Y#kZ%w@| ]upٍzJOhC KJJQ)x~|`#x6<̑BxpnXwx!nZk!jIpfWN ±Q/Ňvʀaq k }/?Ce"YFS|fpo:jzž={3q:p5fH+<N{ذ ܟ&Z< l MFjv2l4D9xT|Myٝdao57%D/?$IM&q]E&Tp9_N}D}_^EPaܷW2sLYvTG '_nfP Ǝ'1!Q.r1LI 8HlxK^/cyG{ `Xt+a M. ?pڗo~G]NJR'CKGZ;$͇Hέ;o6wTGJv8>ai;ҹp\i:Ti֮^,ZdԘ6nc$5`{vcv5V75'55U.?,cKZ.w.YD~c`۩^-8ӧ؟`ws|xpV4 -] E/H-=@xޕ׿UųM?xDX2(1Q맞yJ:%vxMz$ _yE [h5&IqܬF;MdDGDd.555M3j3_ V,kAo5kbL cǠ>H >?%rǔ;ehX R:5~{Vy`!z_.xnP&yȖ{dے=McVj"ڀA\?lϱc[p{+6Vi@` m!Tfs2)JcN htj"K- lumqk9+_.{h-]Ne󵓯NGQ;_~Փak۾5L/`v=E5Ǭw 'yם2IW+8o˯R `4wqZdZzkʭ(*--, ߽- KBI$)! <~I0QGMgփoFtJ?n6YrAL())I׿~."@yxq:h Wb٣t yW{6?_-$r"?˯Kl'|R'Vޛ&ׁovA 7x*q i(Oja7qL,*Iޟ&ysZ,#W> ELJHHEZdn޲~i$A/g{}Zrj샤iw6ͷތp3SL *7vnݬ ۼc= X~2 ~@WIi2gbC2%d?M jgLW_YK +,*ڿ[p!fm:Kw!~МG[HezF$W=×?  
6=C}䝱a%aQar{P{obFy8xP465 X%b_c+Ʋ𣖯AOPBt8; Ɛi& (3dⱑ.%33tvT=j̄^`kĈUV,ĖIpJc5xm` ѺFppFF{zDU#j6VwS2G E~,\SO<w!kRX\p: _ZFB{Ԫ?Ixh< Xr5B8Fu"xGZCmSZG $U?= ䷡0w6MPo"Y+.=9,;eI+UWVŲoK(Dcaf]EWn+e<h&RL5}R\D|| `u*;wPܕýCg \ѱ*uc8'[#pp C\U $8UΐG3ϗ^zI=Rɹ f;!?J-ymOhhVLLX2O4@^1t1g֌Y),>jDqX7&>y{%7.6ٛ [INz:-*,V<{c걤%ʑҨޔ!Ec&8)>ȱ' ݎB i횵yN Z,'i{o?ZeXϜ'd`T_!Ea&';n n3ښqܐ@zؙH~LQāD^ٮ1 yt6뫤# *U،{ftXj=pL(t Kd=``Y,dKMQIfxU "v׺k@|͒$L^Ӱ< ^" (R,ɝSBݒ=+;V;Ȕr 0-;& ҿ#q.U]7Ţ# !βvZX̌L5p  ]:wс6^y,.x5`uݻ0PUc vxe4hGno͗3gQPX}q+H5*¼^\reO*Zy`Z+"eD41W}]n٪RL.bǮY]e7^:\Kš۶?q H[{<=TJ\$Hw' #pԔX/fˌ:5"ct')(YY&oI||OmXe&dgD G`؎d)iʖ>2vi,Ž +[q rxN>6':cEP+-/^7LY&#lq@VV;\pҝaF8P.b쬒EHrS1yOl\ɹ2?΃3r3?+_|Wѽi&=7fX3Ү]!֕ޝ{Nū$[tM6g\SCrb2B?z7Lx8x4p=@vND&M:] vwGt-c{Nᄋ|;RZ^Nťp_aLw{yg9BN?ƟɲKXl~'Ivj6F'M_in*<9~vʾδ\|ϙرc[^mǹ V0YCX Y|1Aw fpMxDžv O l_'#GHaq.9*8AM[ ջ.8&̘ X:M/7dNwoK 4_elm-@B۾z5~Iv.G.iiR<7-]2M헅->J״Bn2w{ 1P)3_P=yx>YQXg8zjXXyJc߶xyý߹GJ~gZzؽ&t}~z-#- ;ŷ-l_vQT$2h,wt_0w;ƕݐ=by}ˮ ~~gq( HgJ*c=?uBґ:|lS 썣22(BD^.!u6I+2D -T.##+C&O$*,JsUJJƌ%84HlgYzݽLM6mюv ri%nQݞmٶ{\;'hc89 |mS7Y'J*8qc1:㙃3󍕣T0m(J:vo4xXB][t+='RvEvD EP}بty0]/+<9Z"qQK!nSI5x @kq̌,DT-Y'w@kڗf8.Rl0nuv8%^gY۪ZAylVb6TU<z!o΅wO(a Q><|i̎WWqd`n~w wsߓP8i/e%}< W.R%IU`@ԏIPLO,2,{ݮ˽ՙw%f\j靔+oU&I6lek#Gzwm/r;w;rV^Z1z06@BS==ղQң֌CkT㕓c[ 4YXJ z\3xD.^`Z˧rhy62ٷk jҝWm8Y6D!L?afx$('b5>SIz^, *^ 4fQ haF o0]! W֓>|s8X6ttme|}q>So*c8iqYf - :1QFñ #8kK 467W[߮?k%niwtz,ݱ^{,ݯܾ\f@3Ndbexp.$FwTw n b[ ]w˛W2iSo{{VeF]Chy̿d[dHf  ɲd܍knTϕEVdjlEGVA9?gE,6`#854 qD!_Dp'XGr>t$%T7GɯI lPZLeYI`OwͱX@ܼ&zv̛`b,{>^Yqb|6wϖήGKciaձ$G$KJKTfjt1 rOJhK,fzte`V6l樯Ƹ|o[KVy6f];ݹl>yQ0Z^#Űf@ _SSiH7cp n\?nz%^x;x학{>QgdXp .ҒZ/OʟX tUWU.~dEqc)fw5!Pڵezeڽ{YW &ٱW2v' IP oP g=#3uxT"[O+` ;+"/E] K'>̛1Ovp6p =r T&{4gGܒ~ ܋\n, ųZ{%_% K8 nyVOĞ?G>V ][ۆ[H;23Z!͐mFӁρJˌ1Fyyyj~,8>_}Bkc@]5N_~exKXy5,##CM4U<]k#_v!SpDTUU^һ˒eMzL =x{JM7^C:&tRt*~o{p1{V,%Kuؒv8 SN킫g݄GDvn.vxA2C%"ּ-$~,`. 
#[7c?G`Gm۶e45 Fz47+.(`_ ܩTpK ;}v)+$G:_P,SusC :G󤨰H^ye0]ti=tN 8'[W'B)n.4ɐP>6ٷ@B"eOGyg"[D'%jt>ϧq޹[%p˗-g~(ز(оG}/W+x"3~iBNt1k+$ S=<,ⶪCSQq7+) ڠ$5&\S MNR㮺PH"1ՋWKU)ƹs稸Fh~c']*#>}"C}/{rh#T%~ F k֮r $$dݚuhڥ$'ʤImɭ7*4M ?v83ū:uG;My$oe[QL"˷=DPsUt̎yg{> qw4GuR)4R2uP:JYPd@g5a0ncR_v4{ %?l3;Y~`d8(Bi'd 3i!ovuAx+jNhLOM\UU]!YӘ W.)7]/LhcR`%*AZ8߅EFD.]HQ? qqhW[!'Cܮl= lb'uwTo 'wsj&Rd}A ҘX X+ga::3L4xC"Q,Z)bbc[f4ewwB.p<< R._{x P"E5{/d~&p)|1NDËҰ^EpTBGLl<7>}}c}WA:1rdtUUek| 3޳wwYbg]v.[W$]#!;("N⸮m]fzn*U0۟+g~t(=zTB|Ԕ;i;c~F.yYS?CJw5{H$s&^n=$G ė-q 0{_nNF-/NP={bLD߀~:[ 'Sn]'{+WI#xV??_O$>੾EPByD#ekWKeOB䦡RP[Fb|yT0cӌ3c Fzvz?4Dٴj ;X6 | _^]@'Y-K+(2>82c{s)[{1sG/ m}^-,S0y0"`1 nLC?9s@fyX\ͱNc L[|$1NB| ̃d7HŨ\Z=&CENC2mg\$/wqܨB*ECSiꤋ*w9(8`+kS޳o\v٥:zRg9/|aUU UdΝq@>fx(DBqB2;֞o}{Cg,Bό{ߘc|!Zkf_##dB  .:`JN$??zVL`)-29'&$2H"ġIv6vt|Ձؠ ̃΀i埁ÞtxR}O_|1ooIYed~x6|`EG֋M| o?㩫9W}A,IDt#=DZBOoa)zFu܌}@tBZ DL3ⴃH|Ϙ"}Xqr =:+qN{RZۅ̃gn\vؕ-%C{~l;.0B ow+xkL8E{t%~Y1xBo*'v@N8PQa»rl=ab\v.I8D;+KO}G?i=vo8N}q d4b;)wpu`VeoZ3Ҹpz-`4,'q!"(8ΡpKt]Y-:U!0+р7띯8^y~|Fv%N|ҍ+֩ixq¼o0w⦅5;|Т/y q :YVw>tbގ7f햆Ww\wgtX}I㜄(വȨeݻ}W^wޚE;fÝ,ŸcV'w-7X~]6wPBV\@ClM,͹v=b`e}-f7"Eg8Kl{W!qEѶGBrG3FbZ1*@tݖyOz\<w;⿂"9ŵɗyG|jEf:u;G{jgJtiCox;gDPP^N{"| ‰c \ 5 ~Bl+Wx_Kx p F#St)ocÒq׀> W&6`볇Z>/Pm62h&&':!7tFD9mC%B:NKY^mTC[vT@qe IDATIbg%m`$=TCaptA$&/Lsf|@e%r{`zXd{>ztEs.-.]_0˖.Sy9=s#Q*IH z{j05Idw&?&dvqLczITC`@{gNs̙i^WAyy'$svz3ӥ%95Y _'{Չ؄ֹU_>tA6I, \h+_,|nb\Se(TھU;BXj¿}%,4cTBh64niw3~R\ͤi W7<\u7mhig7S$_wsZڶW\sfئcN0nP %­ L4,7(E=mWDʾ*Br6(b&5ķpcƏʨ)N`R7O K.OUu@zi+eV28M*%qusdz>|~J¹a=YK@:>nrֆ A Ho:K; Ig ?ezzPDW'}ljݞinZI%a%|drG/V+_?'ys/|gC-X*''dg&q[ؖDb:.vM;ƂgY(i$M$G&ʴ呤GeBI]{ wЎeb]nЏXL8W-T"NO4Q=nSp98_}U/7gt^ K/vuN|~g}D̲/^H6nbRjc۳Aye2'!\z|!$:ߛz?_F1ZPHi +S-GAİT;ſ]/ý21qDgNЋP¢/i]XA]qNItR :\uߩ@V~"^'KW^ "J>]'i\HZ?Yp!ԕ翏Xa(?N1! 
e=HFE,K6C& }g_vujXݻO&-ikagt3}&鬬.v%LTmF5 !47CW'0A-.&sRdÕWIT3el3iӦEƩ,*y~#U>zY7wܥnܼA~_*dITq?<TZUp,̤ ܊_ɭp.8wv,˫3q Kk]3&IFBϩ̓bWT/ӦN@%ýޫxMYT&/Eu2Tk+^E>R_,UKxYLNdJĮZ0 @me Yw*>PFR{_} #̞/-U~D5̃^6l_VG悀 y(e^Q[q$*a$?o_>UJsu/ș 9t៑42եb%)(Ē5IrS}]|'_ 7+408POˊe+taAҐ$߭_w_Hl$Ho^0‰;S8.)M1}VQ1c \.vo-GOJ?WzEZ'ٳ4 D+lBݵ^Y]),wͽK wdqI@6I2mў w2Mc=lk*åOv>䎓yRNJ7ߑׯU K0ฦKZջ/_%9%^N;OdUeBFy^; Bw iX9Křf8Dz/˗,ɌჇs=j@KN='Q>f%f9PcuóCxW ].Y*\eׯ1b$ ӿH*qNvW-fg.?b6>%1ߓ…v%=C?ٹjd1G&P2]èK ۶o>}NNdu~ @i @g;ɓ&.رPHmOcj:d! '%\~%~zHOOWѣ{9iti9-3p,N_˃Hܮr2CP-W=S*᷒]0o`1 N8ΉbLOCݫ<97-4f]I " RoFbdGkcHV`aρR kACӿtUuJUr}cac rUcֹΕ>pӧO_Z\J V0S#V\X#摈&θ-r5ӾĂr`Bvx9v\209Ch}eL%գd,;q$xa`B#=:*Z #0.qhk@7vb> xG\&_/Z"ސs܁1ao'<|'p`sC.;Ns3&;GC= XhYN C1 prtw@LNa/% dA7x>c̟4, ?$iUgȑ~[XkQ(>?h- ϝ\ff܏vh;P)@QVI2ze:, f>`|N4˖/md $8(0!QҕT#}?S͛cxsu?^z4]xBL">AO)6ovM%ZܬE[Q)o5L Z5,)Pʓ,FȈ#*Hpn: by:SZ,c$0Bf@ىsCoGO#̸\l#1sdf<ԓ2O۶Pc;A8)ɱ$#םd;,"T:}O^ai ŋ$s-8,'uOC1'n=_)68C.ѵ22 %cF(;JX|ꮚLY8INpw)NLOg ,CE\pKpq4ޭ[i 30p!czgڵzVHj X9v@z1 {|'\k#,n&4;󰻷wSV5 #iH0_&7^77nMv3LUUwcIfbo?,O'ԫy6UNJ"Sk,.0nhXFi-ͅ^FW;l\ JQM+y Őv/ ) &xĎ./WV^ D ռA;:d<:saud$!64Imib1T4gO *3%wn)v.ߪ@W !Jy|k k`1L=\3qx&5)&øci Ǐ0.qHÓDֽ :Om/:݁G c+v$p*i1y~sZ%~M8?eɏC gSDLnnOw{:td?:QedfgB 9~ ZXZδǸO?W7'6fwk 7a40BtxRwa;[ۇKPxA\ΗH_zMSJ8 A!NKyaRLv *vpb:DKWsHR{JzMN8j=jugH(@HY^i wMBSP}ղiހw*l.}1>On2緫[x7. 
uhp{ol*MnK&]I̱"x5-Xk.Dtdht\a[˻a2yt8u-ՔB_!61?;?7ay›0|2]#Hw1{{HyhZe# jMP*}*\n<ʭI(u@aMZk r@ws3 "5%SS*`͚YXy5n]L$W'l h_y Dsى^ :o<.CWvQ9'sN$HǚSpOwQ)JQڒYE`w $j(K쟈_4bر7x Ux`[N&ϙ"1?)gr[}KJkgHQm^n<{2wP)Þ{k6KR$0|,]TpFM%nl7Wf 1d˞oޯM)n\4\ynh1 htb_cN T9MQۛId9u(SwY3 JhZ:܉ FLWRsa`Yb9?چkx~GeIHоz 4RL#&Oz_1)`WCAv|2bHJM{>BJ!Qw^7}vջ-dVu7ҦY9dÑ "+Sd{f0HO*E:ABÚUꛕ;-Fu!!6h-FIuI@*|EKҫJ wK@X*A)I E1q7H"̗5]tqMH&$H0wQnQ]/EQa_`q4C:tJ&Tq}yȱddܩ$ zz.\(Y$6Ry#x,YX.ĩμ>5@ܺJq(y{{LJq|2\5 ɣ;Hک4cf--,F -½;7Z`NmRd234ʬ_0_!H~]0^J$v$/7wW ޸'pxҒRCm+YyAvU9+)zɕJDX/ÂC=ȴ'vwA]mh.*4Ѿ gKL\J4;c,b>aN71pcܷ@`~lgɰҿPW9pye}rlT1*/S)/m7wdy4khEr#]o@>[<Q+Ej w/73'UbG[k#ح <( YroeO&$K.H˺GxJ|LI[X[(6LWjjT~FJtMn]!\׷_:!ȃiU!s73L9jB֮Z:uoZăE;WRHC+40M1j*F DC9xy*MT4fyo/[ڕ2ztMo^vmUm ѩn*uW2X)Ru=T.ЛW6`%g|ԇ[AHtl1MQ̴LOLgN%#KYə#su^>=N^w X4gw{liXBdZ-įC\As*/[sH9 `1 _yY;C71f~d԰ݺU&2fYÝW71pz /SC|7mZGc0J7$Vdt.EG-?ph0n l|=['R ;BGeR.c0T-Ji&g7t[~2(=p`EY[ddfIxJjӢuڷ*7Tii \BR+aG+Y#WH&BahƱIxF5UA5md{egK% xsS|*R%rI*Tcrjbv4(H(aS8&'%R6$$zƢݹ@=|谜ʿcԢ &cwP¸5!$L1$U\0kE@A6,.9 X&5@ZhP M$`Oȕ#mQ6p0;5 -WU+g|5q7M n  C֥i֎ ['iRN< .Hî$: Nh!@XwF1PJq5qqXsaqc;j7Wjk040T: f4gQNx#1?$ ofgRvT?#;Dci& 7Tj`c6< $!/ I"ijmt[j? Qz# k•"]㦙0!ul4'&{H\vI "{Cϋyg~08`ꦃpg%FO'i0 cZ;٧M 6ϖ%G{D5WKLTlYEsX,H%ҠWAԕ` vRJh/I#?/ ]ȩP] gAJtI#A֮Zz`wj,{@\r-$ޒ)#{h a㇩֜m[U62` gy\ X8l(I57qԯT$~'`u k^SeY`;㻫ɋk w$1`n.7J9en @]\zTS+%9%rlq9*d a INwT'xnC& 껖u#1ԥ_VmZ/%e, _X :G^_@:"=-FGP2jmbݒ-}Cl"HK8rM7ҷ[B`ZtP+" FJ2'&v%Jq ;HB/؝ÓD&4ͻ&,fM֛ݞ3 bͧY0nrXme6dֶxԓDcUBd TXo0QsAOš9**#Xz*֬[&>Y-ȪϖK%AȉRV} .5G:w,Q1QsINI}D򉰂E2zyzQ)).z6˖[SN`,vTl TV~\Qz x5V΋ .Vlob3A뜞jY]lA)8\|:ԔFyT.NT2]}ϹAx;zUPTWLA_菣h-7. 
h]Ȏcb39.e \94IILx]6H[-m*׼k)GվWP(g XcZ!5 =Tis!i^:5Z kijY-'$JR$xQ D)؞{G~g:Dw};ICH$$C)@(9{dDi+yzbUqQ+H iq1Uu:&1@ɉnj]+ z`4 38p280sױ>k6IصؑcZPj8[G`8wua>B v֗+)j6[Y6y[ B+JmM["C ]뎩j(wZ#}6@LqTg0 l,^]vg`t}peR WmЈHVȸ$?X#o@zޯJR6;νȶCE[7u 6pae/䳷Ja}G2 hIC'=`@V˸ia7b5^qkq6m&=.dHh=( X3)P"iϦpABXp@ڴmӬ2xxэ$"| sLDkD lG_{8z@yu\p3 *,]vAA`\C_7"/q=>da7WYsajsG@vyoeqX(|a%Ϫ ~$>F R  LL)ΞzJjTMҥ|*C TLe͝+n=dA ASU[ ܨNs%`sגE q27F C?u;nݺ D˸"S!ʂ 5 <kp4&xf1M.gfO"?4 kOh|GMH<;M9/;wפaO¤& Ӝ=o{:tw[|9R֮]+'OoKBJQi`9a›F糕+WM^gQ7ngC~ gv)ZTqE@9 GeHa&-oL;̷)Nt>fa6uu7#5*#mL^]l9wף/0NQvTZ钆3E^L|^(-{$ ˗ɩd*e~C޽K8)Çdg}d-7Lr/[H|CdPh-pr1ar'˺f5kT(; 12au[fcQ)'Np, M IW̙,^cǎɦ͛09ʤIRʗY ۂ5a„FYG}$ IwZ@,#GƮ kMt-ZϪ>\PB5fpsjL@0ǒtF@}{Om6IY!DI?&[6oqel/z:[+s9R~2 ^nE1E333eu$D><(&̛7O>3Xf(rUd[n"L#@LvBbo'M5?s]=zCyNx%_㕍 mΝRZT*AYHI`p@я3g哏>Plna@q~zIKOSB] =\9z]x65n5U9:mܸQ֯_&8ɫ=j9.NTɬx, ;PVȑ;dԈQZwlۺUQ^xAkG\PnڴINddj.^礮KEA&,>}qYS)m,u)V~GP7~<,w)+-Sœ2\7႒{OJٲi[gʲMʌzmby붭n@y 4e:q2J. \Z! M#7K$[#Ӣ=%3@naiY) ;1OM?c:'| . j/!8/3geБߡ ͵|M]3hO\N$BJ g䎶y2>(O8#g`],X VT7%Du_h(?>6 W$w Ry+@ޑ+TJ?N$Tw??KhOy6*b+pG'3e㦍njl! 
Lݝew*Y㞏8C1AM;4+=/~!?~藲~ٱ;^L0'-xo#(voKUa6pI/ W*t8\s۹PVȖO]!qBBZaдu\;Ѿ>jڝ7aF/EFsT4O(.2D^EYR\uy/oiFt*Ytq٧Ip$OOO?Whh,\P9$$O>DOgE< e YND ̣0W|?I"FjAj a|p{6HiR;j9B!K/A* /11/RY~9s+ly+fLx?gDa}V:!KH o*'2J[,i;Wȉy}Qt3qd!$evyq@fs=`]0BppG:"TEw^Zq`&t.8C[&;,ᘑcesdaB 8tgݘ9?w༉pV&Aۦ&R90]0,HezypӟX&@g'׏ٺu~I,y;WQd="U;6Bp_ oU1UB$0Oe>V,6ֆb|E#3g(miⱏp3/_dDK: 0G~X婧;B48':QMX28YBؔ/9Z+FV.q_slcBchQQRڦȢՋb|NV|Ƨ3MR`QcvrTOTuw1u@QB*r0@u L|  T"wu[B5x):O:U$w N9wƥT/ ѣ{ؑSwZ!% B!B 09 .J<n믿.}䆻J,YЇIlxmg %"eMH΍g#[y dbSdI\'\t <]"<yUd?@֕aY52=a cv r2,w̟e5Me,7E'cl .^z%X-vIi].7TEn&wS'eaXdzy],/B>`A s ka"c_(3A3F15O[ μ؟]}^ <nVpv<5 c.̇pz~Ŋ3NgO4e0LY6|_Khs-4:S0e(Cֻ3ŁOLB81ݽ1]vv^Q@G-=^CH`^&K) cH87Z7ն.86.pdmY3,.ӢO3a(wUC_ODd Y8Ć`HYʙ +ECQmR.{ZQ I=cLdʖhhXn+T p}0T^/ 4җFxf0OzW?[8⩟KZ}by6egǓDZpgOӄ'(g6\I:!fr6tN/X[ԭ\w&~hʽ)7k~|\xd6Gwמc̳>暐--3h'v8_ˇt qXǝ:2 +Xu4Gq1 g>s, %0θpE1Y'3L2l/xVg6,ZQS>5[#]LVu$m7.ˉyPI8xqHh +hf.2 #~|<&]`s@ulw{+iӉ ofnj}NWڇLZW8Ή8vR)ߏ x܃9}X Y@yS.Ty}z{*tzo_Um "*}ݫ@B%ee( -45^%Ҧ\DOT$5rg2͆*erusdzw3L {W$p.Cc fs}ɁCI4]%OgYq91wx:p{#\"5*ƶ14mMF.Vi`1&諾iu#U۩47xaj&^ZǏ~\IcCVT{> k'"dZ`2$yqﳲjr+7T){ʪt.S,3FM~t1t7adďqsǟ۝u4r:3zނ} .B< K,Vap'B#$w#41KPZQ'eCHSzm b8Ws(+J <'N0]$.Z VsτՈW瞓{De:LrӤ!rxq }fȟwujXݻW 隳)5˜OWqw}= +V0^=iejQk+`5d2櫦|}' A ĉ RUg^C')ŕ3(z!-,ƍS.,:;;HBud֯aÆ{p^nFBYFkahKTFEwݾPFqUqm?= ҧF3Y'l9΍LX~<W}jdRNˮ%B]1|*4"ȴ[^*GGFRX%CVD)>S"UJhv9)]{_^ZHIIֱ Ƴ7lo;5{J%Zh=iJx̞#+$@.5<ȣЗ{H}UtqL0мCA>v4hB(L n \ 駟ʗKUdNm 8g(] ~d3*4$L>ƄcGUiڵ_$!)Ao'¢D OmRTPW+`&+;%^UUbE$0  BS}+EE!{N̸-Vv< _SXDW_U] 1…4X%!<gϞ`4X YXxByv5]%?#)e]CWZg~%}Po."w='%%ܻ*ȢZ Ŵ> BID!$q;hS'KכovfK4Z;pG)|/Zҫ_衰R^+#*h-!`\G k׬ 9y M|tV|lBel L(ND|H-`6}1II,9X:uZe3f<ܳt Xu\էJ~ ݥ;Ŵ&0Æ!ίtE^ۄ} Ie=KzFt#!߶@; ʢb 0N]%"h#}e0AõM]mⷦ{b/J>ˈ.dvA_+/|?q33Mwnߜg3ӷᷛ nh0yA7Sp}MwdѣGOt:/O|U7nwr]?lM^nŧCxLi~S80i1ݤaws k\4ОpiƄ= eokՆݝi ٺ0^Sr JTjL rU7C)Il7ք;*{f{Rȃڦ+!qrӳMdž }FWPVRYj?}rVSitA+owW08fXW 7!tŘch4(bĻFa\4ܱ?p2c)h5庒Umrѧ 0qZL\`TЧc֘aqoD}G^3_#}^S`ݠM &փifoan 8qFY'n֊;BQF_ԼCA.#sOVcݞ!wHdFz*\ 70:ʚW4 nBw(v$wrtR0H4Z-8=YF]=g+[C/?T@ZVz*Lt F7ԝ/VmJLz|=jh17hf:D^I2U|sGG+i*?{0r?[!H}k4!Z)L P3XJs#ks+.Mij5,97 :ܞ❀]UdvִG?f_柉8}~oS 
-upr?0!+'>$Q`IFdKɬٲ*ZF͔<3,koYZ׸2M–~sZh\͠$̠;:R95g~SnK %ti} uy`MUDzH r9+/ÇbiZNe9ڗnhR2nΈzzŜr/[PE4xK]wJğ,~[Sg6@gbr5Lw,fQƸ1 ðu6&Xi}Cno7n Xh+W?X gn9~CN4UnnIh w';ڸKOKWkZbey#M(.$&:&sjdNLU2GsO ݻwI'>>@Qد⋰Mi#BTwcxA觮L |R:x֞3'JGoII/ٵK 8*%M8##ڼy`#>e_4==]ԦCi[S ?]>fA-Q j.4"(;諾0`<ɿkLӟT%T{O@=ZQ%anя[ǜؿZچ0>tUݦGXPFDI0,Ah?w,0Vo~I<*$ptEl%ԖIPP^bTTQ(m0ELaE3sme鲥J`{Y5xۥPP_ uxzR={@` j|&.h)48!MUggJlL\PmX?n lPmTjM Bsޭ?zZɷ&}Gbcc%Yw*Jiy{`xnܸNq"׮*Spwpw9rǝw(ZZwf>-6m!'3Ot_K竕J?P!C)?8"_<,eG#wQmn%KT(WKc=&Bg.-{Q[P=F}w? zMk˒lУZ<}! S]UHݱ"W/X%*=7==Mq:k+#a~J)SӅ@Opx^ድ/{쒴ciw t/tgh>O7n| pP13gV#q12a$+ټpkD\m}?g0n1ȥ@qYvw`l%X;}R3wf?ʸ3g;v3 㕍͝'PBko7N~`W_mS6ȟ^ o[* 6 IDATqI!HITwda1l{~zVm^rԁznL9'?ȶq&e95A*r\ T@%SOS #j*@;cn_eM< YwV#Lqcc(uFus1p`|mVʹXAy|(SRueI7&RKHHIJ/N [懸[k }Qkxw ~#bNinΛz)XYcV937Ms=s!⯓dγEMǓCwOGk=!)xw64:"q`5HK/Bq}|bG]B+>!N86ŏ+*$t RJP %v g0|ae~2ƎhOlSYjM̔mi;b"R:i#%;a~^] ٭Opfqف//p7qa'8$ 7m2{Zw\f̜nEos](J8C0&3v}L[1$!Bz@;:?&"e&a` { iz~[o*yiΤ3텊;/WY= ֶ;0Ѻud0ZMƻ9ӏm#FS(2jRufJ]KໟIT֡L.\}FP^s=~֥09 t3B 0[ 3)$D!t,:`S&,XwH#CV?4D&ʯ`9$9h\pp[: +9x˕-ci$ƌ0qAA:&z}0< Wp p Bb0h-ֽz]/Ћckmi蔔j\ec}#GR|KQ˜ y? q;;:O&V|`@"s~f-`iYwyF g±f1b )gˉgW>0α_)Ҿa%#1c`Y4J3` <Bl+.~xL\(hŴv%Sz";o31c`Lc@aUOn 1#=oۻ]#^# bX&35^xO{|:xT%V9pvrAo\G0~=;KB}k w}0Sj5FZ2˜!c `oXG yC[jF3CKٔbvkL2^[Sc:'['8~f;Z]czߩJK0!:]]~xMu5xcSc۬#kj-KvaK đAu)Ɣ|UVα:;a KW=TCC*c #֪|Z;.}kkKteN4]VR2ɦLT^~UTU4>c,1lgL3fͲ܂GYiJi֥dRԥ@V.):7G738][>b(SMɓnid\շpbMS0ܜ\Oe^0R4NW['n`}?)ɸ˕4ġp7w3pG;;dܕ]i S}qg] St *W2wjp7&].e0LCnOf)/JMTmyjƞ4~;7t ڦ]3&͞b=Z,/1*{R̶>Xf$-LKXf1ݝU5`HV*a&~+h8Wq[ 鉶qMMK#pb25=u,aKL.cr%՗zT|,:Kyg ]_|NA5ĨHW!@@Ta=(y|%S8!`By=`h!^rQ 8ɰ<=Vr}C8^CԗHqGY/SkQ0t#>!\|?]d"oca1c `߆?շ ^D 2Q}raHaP?p'0sğO"c+R5a\pTJgӞ* !i>Ux'P߁x,>շD']#w) 87 @P]@wh!8/ KJX~uK'[,NG:IVlY28hpfeӭS QSҩ|ޭdW,pY)_,E'.Y:Hcuvڳeq&CY yVMbƬO".M4ؤSVTX:| y*TkcҚXA$+*+btbYHNɶ}WW"˺Fm 0Εd)UYFZQIq$X9Y*t`~,SZtߪ  &:NeY(;ŀ5V}Uf1. 
y"Mu,* p MtZJרM$v/VE8?uq֍2 \7lLT$>BU\xLJ6x,BVq=DY|Mƍî\ϛo#i,ˮ^Җ,ۙ=*t(^n^$׭_o?j]k׾& c7^W֛n7xK֯6KVo-X>PEeF3~7mf|R;w3!S_(jj8ؽk=,6mGbo]~e6Y_ΟL]I'4xlbr{'|[o_|եvb" / ~"z|ǟE ھ{]3e&ì*,StG t!&*OE3`(YGՠȀ3!/ssZP'AVi)--.IXnL~}=Cy6A#g`K tR1^bu092IbF0Ōruatu:pi*iy$b 94$K~5Ԣri$ks't#f](f\6Qߘ$R>46;,\-IMKv\x׹*/T-p-J*"\-OQD\gHݐB(Gju$Huzi?X 3 :nlHs:X~ub}wNZڳk, ;\5lՊxbv^~=d"]?]* hNM\}߷g(u[}j{lsv-7;DJ=afl۷=-Om=-[̮[62[8%P[ ]md,iU̘[޿vwblEEΈZ%92Y" Q|+/]S-\uhcn͕]jn'RZNv- [*ٷzO?l_vm۱2Ŭ.J^Ph%C֚^cHҠ<|$v+f| %HԬ/SƠ֡6E{Ҳa֧VU ![x5)Rp%UXRiP^YJs\X3 aj|Ħ6(uR).ϟ732y;/N7k1lVo[{UVVJϳs87umdo[\XoyN{SӢ"ț@ZZD{e&Lwi ObF1{Ab %$CWx饨#1h)PY: uf1{xi̝}kM.yծ]F APY2逕+<:0a?`(HEjtw̬l+P|e0&\G K|0H[F`p`Kit9D,)\HRdO$e7| MR3(guG?\KŵGp'q-$"Kx12+SkNzq9n0khkV?\Nm41Ir\Kuf j7)mi35@ ڊAPw~W>͐Zy$N]Ye[lvi*Iڐ>[d3{,O3hǕpIKm| RrO/ ס\N\-GҀ?+kc-"<:q9&>^sMZ$:jWԵW_cTLAwki/Ĉ ^YT|[$a߀1ALU!R&c#}4I*u`$BbjյV)Q&yՊURO2^9mZMćpQ?uiv%^ݴyw PNoM.d͙=ۗXG=;jct2yʛTp#RZ ㉇Hex")D(7J '@ƏE G8(2;a?g9{9x-1(a )ctEHi|'_~7x33@z1b 1'ZCUl3JqE!{aNR`5rG`\ 06w&l(qI<$1Jx!n.҇1L8#M}+ A3nj 5y@C,M{Ӷ8WE"~<%ƹl-~c{ 9~>Qd1W=i%_gZ/>%=f13납b)2cv(_qw1(i0rW+`/&o3SoTL86]vlsLˆlָRCaL;vj9~c€`FfAݱB{GUgױ$ǏهYcBϮ.Ȱ+._jYM /22cXo^?f[mylɒK}9 ']X5)Gܴi۷,XxiYF4SАMʸ<čUߊ-Sj(~q1p`v^(W#d֊DYU_$*q 30FHpy KV$(_zz군PHMM0U_73&H!?a|aiJz tp~^`Zcfx~Z 4664mBnn/C9e}&B`Lk`4}B:)+EG!mC@-}|bq@uzN't؈4Ek2`ؾ~ʫ2n1[xrmڼَ9b׭^m.1&=jӦM |JJ=4j+..֭[:o<˗GZ}}Ǜu=X{Gr+oۦ6}1ǻ;cǎ6{G/1d9yf{o#؟?j+8 ع232;u^j7;xd1>^ [<:&G?Ĺ ]vaζ[r0':JV]g464WU wp9-4sNȲ '!#] ?}sf7 /!i<~FfYy_9s1"!N:ㇼ*w>@TF002ʴ[oեRj=sL?W_[^^o ~2Y9SʗޣoW]uUҥK=Ē!Xh0OF(MzViLB1kFG8YĀB0VA: |WeZSWcWeNׅte'khqƇ4B)Sko x 뇢q@C΄Q&R qފ޾f؋bJsdzUHc'O. +>> ;~r&B=蒚<<ÇF"b#IMd6?14BYٵӥvYte 74 Co3I;ݘH-UFZ7҉Eké.fp~h9X4$;ti*X! KF7ͷ{vۺߖJr431* (Z}ڴ _ ,3<~*+sX1-ԩi: gc a-{q1pa!&ZE[˸c ClT=18ňQcp5aͨ9a=׊?!erV|Kv,ɰu ON䐜7k5O9L1`m־>NDJ\pF4׸E^ `dlaDWG}_1vЦ\'80&ԭ{G|Vӿ:LIHݘw 6Ӱ^JC{DF~]8;7ݙu֦)'yЂgxr[cb \w]vL)s-p/ޚ%P1ʀ5'L? $zG*9|/ q2whOB::>wP[YR#ZMMT,Rﶶ6.dZ=0{C[rn)ۥ=8hkOMRk-wBhˊ%fn]T. 8`f_b3h]*G䕕eʒjyg HI~I;tǎ+-0;iD5N4OqXmwjuj9B$ӌGtĀj#`! t#g$iRY6meUl=vٲc9neemy^۷mtMÉG{[lSdyqO;^|}y{瞱 ے.;YT/W _z. 
ѣGl.%7ߴ1er^|6<{' FH {HPǍ1p0@cA<'f "yzr+,SsT+Aw`q\C~5ػK>leԬdxړ&(l9RD)]R3NH)mv@ύļB>ݸFsrcɤ{[߳}svpޮ^iEyEƚv戥vح7Vw~?FIEyvR>*ΰ"m5Sy؄<;>p koP_99ϵ{gl klΌYV[`)YV!x &N~<(WD=xVuU4r".w{b'tDy L0ra=g݀@|]^k()bzwC\NwO%!m[iv;=+*5۶4yV x1l80 Kĝ0L&j!f}'askJx>G d۲y5:jŗZCbR|rݤs8ٌ ۻ]8GGtş}S* aʳHH2-W. 󬽭69_k׽}ntD[&mM:mfLj_n7wpj۸q-KFQܻWh͛?Gw?}z`# [˔w0`%ح(j&.OFГr'heN~ ݐXScec<*Jtp.LJRpX%3@י{d$֡Ne6[xǏ^H7XQQQ*Es&no&k9"7Mo&?*?d]|K]~mgp aH}mm}[F 4[nrO&wͱ]RGB$5JuyTLKLN};u=}o_oT6!76n`:<1uv@ˮR*z_vb/ IfUW}_ߕ+Y԰EO-wY\*4Y58wKxLOzҴؘn{7?Z=FĢ'?7߹xfg=ɹ QFeb`K.ܡ_zjk+5v阥2]D]&t1AtѤy*2>H~s'W=Z* ,֛zNG>iIZ/xmYw .~^y;n-::Q*: :7 0S?n}!B; ^c}u (WQ~ 2kߠl5_j8kj84Ϙ}GZvEm/}Ts[أxl "lH]LFMz= udT'tYNsONee҈4uwG}ꡇVjz1B3R3էt3{4 ;zYVКwcW_36}߷n k=K/d*i,=;V\svtѤjMy3VQY9Rk ejs6jq(|[җhS9.| g6 bڈʉw,B322H60HJۿmXY!qd}hᏥtEFfܰKk9v;zՑ $D.oD_/KMg1L1K܇ٖw;Po~%wSٵW_mU"u7#-X8O~-npouW/m @:iS[}}iꫮ{ǥxۦOnknZcݹ+K'iuuSη2ۢz#k/ &Z1E*;5IUs-\H4&: ^qhKCKZ&I!6lVj,EKK}uXHa"J~0;DW'S&OIƨO?vq1\2}׽>e56_vΑT7s:9lӄ:+|4!ߌ9p9cnUA_ ZbI,c SW$3B/phF}1Ŗ-U,F: bbRʐkOkyciR)GM1;>ymLDĶlm LbnI+ݩjlTAFX&:L,M5!˲$҅u鍢]/]ӷ 6XqD#5gٿ5SLy'93Klk &Ks,LX*v}$VM`z% |L'2~Bj/~awm:j5Ȓb+*:AG?y̮QYWݲ̞cwT+ 6}F͕M[z2۵sT?vJuLMw9%c>m@ نz:u葱24w8eGԍg=Jg#Ih˼vḠ<˟P[׌,Ka̬dOB)Wa~U5psy_ ]3KEDS%- 6@s7}IQEy4IW͠1QVQ7~Ҫ]Y (g|7oLs' !mr,O&NL2 M3d42eī\'87=bPLP:xux]|> &Eظik;iD Sk^:$λR-渳FfpG 1aD=?4s];#z"RqefŪ*eV8A-M)[{4ѓu#~+TNY=_9V5lR]nT]vZ̯&KOzmڸٞ{I[u*+-bPHRgv$| QUd¤O4&:>'+F-7gu 4uyEmL|e=M]&Xp;I./ݡ[<& ]cB7\O v{L{57_ݳ =$W\lޣc{[.;]36`h 2j$;$vͭ6A'>@D@LIngĉCKa=jo>}3mb0\~42[Nj899[$)eWJ0Ic7liZXM>Lra)VUV:lZ-7jWLɮ]7Yv&x/jkj\Ț`daf]`o]+I )~uR-ln㦭L68B{vJ핢whyejܫzb5h5]]a&(ݩu/YZɏ8@dA,#D㿧ƀ8 Zs7$ڥ__׾MlѣN>ꍝ6*SysYmM׀3g}m(~>,7mY:f>/9CIqW3k_=M<W쎻Fgv}DIqiaI^&xQWH {V)V| ULʫVquڥK/YXtJ{7ؑZmkAӦvξ/~G3nEOg\}Hڲ&kS1jRYmڼEfZ\ G <cdO{4HRD{i1p%R*l%thg>2OF NHF*oomV,u,Y7A5JЍ)p~І@/Z0WPdRigk!4C[0wTnM6ovҸmו&rgSk b}HeYk_ݯ9 \)/zaƟ'_ErC5 m;e;*66|s}'݋^֘ÚƬV}MɷkW2bź-uX7F7=m6C9=ja|{VR:Y: a$Ex!v jg /D%jցSa7Zld#c8 m&h-<0@=GFžxt>9}?_& JȲmXՌJ;(_~YO*䒀.#ȋ#u$wp8Y,75D_.|Oth.XhmiT?W4kE3xf 0C7| א*.\2io\[rmmKL| uWT\0@(hiB IDATZܣH_TO6 w$`YcįDtңu`W7I8`{ȄCR*}hn0 Đ 
Z0p008;54f Š`lL{GO5{4Qeʧ*%#[ymv9q`2bh4QzyiB{dK%It![^R vjQ0F$(F)Zʢ9jVo 'pOD >9 X͠ :&1Ԗh<FrC(Ie{ha?#xY#\+>4?l%3rў.;% FՆGCGk\4{OjA[DFH  ow("}2*|ejߝ T?@Jfݍ푁{xa;^y$xmh2Mnp$o2 dXiw5e`eC`s-L1>Ckݲ֓iƵFyZX.Èø7`G~Hy择b<#R`NښyTa fce_$16$} m.Oԉ Ak21"?#Ml׬L_W_}h>r #mv#% 6 N?Ka8}7~&~_%?FSr\ ̢#~xD* ۳giߜy=iuxX1N֏*F7KђաlX%&:ȧ|>ۚSf6>rt@4ֈ1K 'm0 SY1GmirV-|I* B s Ck}t!1{"I}"~~QG$zso ׾LY3a9!h_]l'Jdg=~t{4ئ{qKʎxѢSLGl,I 15'ÆyZ֩==?X0ZZ&>1Eq#ޓH=6C8+e -% 93F-Lo8ܩ_ +3?FgzY8Y1TDsΖf;;Zڴ (@LvkjjXY0G5WqnK91Gj& ǔnJx<*P *PgN1c5i2^@:6cjmr4Li-R8kٕ8?`{DնPnL:`|y\]Mg׮]nd|vBӓ.v33Hh'aA.~ I~I>i籏hl1st0/_hHzłkSN=5p 0+xÙ!jR {8"0> ot\Z'1[4WD Mbic:QkPmrF;#ˏmmM`9Mix54&Oom29:gNi`k @ُ`hpqwSBMpGĄз2 iz/4CKP߭^6ןLiLR\'7"4y@~/S}Rac ]+nHQHJ5_F&1"mBdu^_n_{ge:ĶlβQHXW׮;Rmft~[V9cUtT ʗbG%uN6cxmy@SYeғ S<f`TOZΑpK ;Q-Z2#0eLS>{W#!-`đNRa\0O;x\~7p̐z mV_/ȷʪ*?+y^3)oI$wSsZ9'9MX DjA: Љ(H|ް'UHȸ8D,T?_}Iѻ #2yP"[5əwLj$ l1sO!pի8A*,o/F.%yם"C6w\h6KNqoHu-ԍmԧzWݴf?fU9ܼfw4${sI}efHը֛Zm͙=zAUБclW===Vm#_脉zmҥ_}k?Mn%l{oUgrj_\;!Bv Zј&MA}h5,̛<W\qM29`qq; j??zH`_ioP+jnTFFӦ?® 5-_n}>/J,ޢ|uL:\UkykOxb|UسO?%v}=֠e]b첥~s۷k-ZHųUg`ˠ %T$;ڹԞ0FgbIP40$`|1A7聣GSfSU&FDGϾ `7B6 Tgϱ1a 99zG l  ad9:"}{ڂYeŵ[=iԁST,DB k˯2:0Kz /m[geŁF{aϸ45nqN烻TgB,]q\`\~M;qޙ_qQk׶||ۼy{>~C{wrL;pp>x~ȦH]n]_YrQyx&.ɟTrTLԎmV]Sokf?9e7o\XwiB{qN vO0pExd5&XH~ 3#(["'tEk?ק0.u)3M&ktI^T6GT(u*@ DLm`pHw088']1*瑚>,OZ"FΧɲOo8^cq;%VGd^ 8G 7 Z&/B EH!.OtvF ŗ^~lnwΆ>JXk\}YX7Y,diSZ'J v-Ym?Vssךލa=z%زI ~#Z×P}x]`TG&m h :3 WNw^ιs1M5WJzC}#ubKZO,@! 5]nl01)^B,t*f(5s}[߁1٧E44hnႅ]" -8X@h(K{F+У? 
-e-)%,!]?hczYioסq̓V6"Iqi:vo'p])끥= 0LǮ*2GTr?wrnTp%";MIIL,yR8Y%}rBn,89 9Rez噄fuLB/c` d ) .I4^ 9E#pw GM &5U4-gL`Bu%S۷osM;ߚomZS;UYAz0r&LfIg0;gLzC!= .J)rq o[N)%b*`2C]j؉ý0AѰuD̆SÏ @ㄒIZ+Nz~J:>0#AY4N}K@4`ʤ`ޤ#xc pL͕i.s91(fBx3Xvi‰K]' Ϗ|ȃqMRN li/B$ :)?^FI 'ls1K Hj {ɎŐ # T)4[JU'Ww> Wh*ZI1B*j\1.AMv!vדca_$U;g2ؑ}`4G#n%꓿oVq,+Q]7f ўm ;P)DyEujb8!IUg8Bs))!y8C7~%i%VڔF P w)SuĎُcR)HzN0C AD¾ Eu+Zŧq;`҅je}V][5y>yW9S[IX͘:#n Hb;wlF)]2axùGK**-|߉+i=ӧ9hݧÐ`|0H`|A#Q/)K>2  C4 qK:#x<`R5UP]HD#Le\ILوK&_@Y%O?U\ɳ8O`wGh3%ņ5ti{nҥ,I=Z@txGj#;|Ng)6Y8Gi&,%8qP%1<9}x~z?& H/~ҷ~YqXL0c-ˁ".']LPL/aәฬ 7_ &3y,-(G[)eJn f@_Di٠+`":Dp9;qz3!@/P x)`> •Ml/8P'G:X'c-ecCt0/s)Ot?T> ܡL\ctAڙf jRC$Y":vMp{٫7m3)DI)ǟHgmU pbvUEC6Al@X2JGz7i};ҥf/_crLa1eL$&N;=Cj(K.wvoߠ@;U@3~9KiA=^$ŧ IDATy:U͑Ĺ83? Up̾M*ty$S$X?Ym6YhQ͞5ۉ06ntl0gțDaoSP`DGmM~X>|B(K@*K::REpҥ<:DGQ6hZ&!J`c?`XYcÅ)F`^NUߺ-`fy>֓lYlu& ¤#O߲pAZ⊃>DNآH %WSAHHmz6'C~{ L^oW.GA^+R c|@wLB|F=,7K^2WG.ɻr]'r _U$!}uu^gk_[= oveW3?7DLMuPST&鲖6؋ne,jHВ{HF$rU&nu \9=q& r"eR\󺱱 nllphlyu7++=_0Xkiۘ=a'܌(y0d%'_ g%ջhY<B=x2r]3J{|R`&./u' 3O?!F:mZ}G\-v2ɥ3;?Ց2t~q.M*ޙrO5M>SE̞LM_ҙviR.щYb9:8K\ }.#kW۷ߙOdÀqDLgu87j8a:nˤe șP̠ZVib0- T0,ƓhM1JJu c)*9_> D{H X*sT<?MIk~[u Vsrv%)FC;_-^}5?Z8Dy]r[m0I[V 뗾y֭_oO?{m_&? \ՁC쇢j*GbFݤs 8,5EzTI0.]Ğyqis̳ɓtLRvղ$ujtci ԷLؔRL0kWۖ65׬io';kք|ALRa $BSO}P;X}ODs6YVX'4SvcDž/HG:kM b>[KNr~rLsGv>00;Y"mO4YQֆ ~ |P]'0mC=9&)!^ەR$CjV*hɜˡ#bF$Ex lex6E)@ cmbmK)4cpqIeJ)iٛ%A7G9t^PG5c) \!{#Rx8 [nhgeLmke?r,QMco9ҪUV~]ܰ~c=rτފ{ɟrD?v8CwNfg<ƌE;;p``)wc^8N^Ff5mJ+@ Q`-Bbȩqԅ;*sy,Y8X͊|f%%8[6lQ [0۵8VNuqsxG?qkX(bbz%=9N-{bs5,J֥S=sAjZJi"(9?sũe'Y+iTG,/\^Xx`еcX)ٟ,7y%x=rt֎OUMa|^{_fheSݒB-.?Ԥ|a>CRױ{rי:_cSh#eL#i.ե%60`uR'䘵^D0\};*U?8aB^ZiqYK6 H_Bƍ)!Z7bj]֖s@/:gQ?dـLo9> ҼM k84UA!MK3uB9h58shRJAX*i9 4*){iDNE3˘Abk8%`K6JdehMSOa1t'jq1[*CWٝOYދzx ѼLIfG"Z?i4hF2RFWinFH|u=\' ^q|c,BFK"uzdY3'hګ&rs:YiIS`M(/I>/ 46d '.5"ZDR,/X@#@1xWXoynTArBhoYA?0f-۶ecР [K'w]eڿgy핼tn#k%9\oa*s-u/ejoV')ERv Giuv B[ k\wfiݻ i'M/>^,h%1b<P&M/᧏?*wTaٞZ{ sC\sGCmuu =%H", b`"T~~İB棆Nn(穊#'1sf ǪB07 )Mq_,uaƂ#lcYI-)LogK߯4=u=wYzƁs6GqbP?*F=A>QWjԾ#%j:}h. 
vm-GfWhu4CQ1b}_kzi@~f:֘M<1OCL0E RahIh(Pb%pnzHvEOI[Y6֐"DP zV#v.z\vByYȡOxrKV:(6UG1JIKeKT<|y9 Kr'8Hub3\xnԀyZ ɵZ8fդm? 3dS]u e♟=VZvԸXaGE.Gٖղ WqZ]^QVZ);%l dl @iwŕiݭa۳e.qk B>Eg5h1ayǟ˖-Fժ2-T|zߴ{z|;o-Y ?vH#.,Q8`d|aҡa9^H6O@+&#umRwfy5K)&ի'htqbqkC6X8J3b2su`M Iw1UFʐs2pȌאg|$Uk CU?;m2hw1ɰ F\%QdBڵRNpKXdqU7<,<_˸Mf\wu&!><}`2N?Bf_1C{nq z1W{m۷ 0gI2lZ~{Pn7Nbe׻F.J;{Q`"H R dM__w폒x?T/H ]:Ȩ:1ያSOG$ -rqP5wOud)ޜ9* ;\xT,lԉ|(Wd+|_!RAhT:@%n`s?/fȘhAԆC|pdl'b;1/8LoIB*1Zec% WeXMBՉ}xIlIjK/kdc(<(#=lJN#:Us|Hs]tH֤1Q7: PQ[,>U<k@ѥ/rŵm$Kˮ(0 Uu-$%ƟEc?XKre:IS{eˤ,+f=S$RV*YL˭4v;n1>(O'Ċ?VI8fVdɀoA굫32ul[eeX6o@g":Ϟicst Z{.S(t2+u˾\nj@:TއwȘ3x? $^(HHc~ͣXEOسgWhN+|eZL!`PjUs( ]㗿 7cî='T@ZmF}ցak*veZ=ݺ\){ůe k0-s ^&Mp@ԟ6<%OO( $ ,9bh8֮L]'J+ֹ|i?V.$گ9_G?l̙|7[/y#귿 sO๰ծMwa (mߪ:ƑG?\Uu߹k9]rurټ'G^I$UK3\H^߰[ @M6.O2kH'ESZt"`#]&;@@,!rIr5=Ϳu5/4HظIrtqzw` 1WIev*w"Y8 4$[LuO :܀pԦH,}ʭ=0X()},6(}Tz &P>nT TlƵ:-VOJI{Q:QN۲#gǚ _3<(_n@XȲtS+zܚ5kÌ_ )7[Hk7}pЋ/LԾN& QD`Pyy=>Xޑz)g87^qp&Y{6Ni=HKt|g Ry lXֻܷO߰~z >ޯo?@ػwog>$⦅iƍCm\C<NTVG4=#?+Wm¸ LT8U P/.[p`eQ6XPƂ\+(ŝD+^&,-H8l! gQ@v,i?@.Q2Ao00o,XC؛ojE5u)y>L^yi|ƬЩxňEu*Or@{e+MJ2h}稪:FO)eִǖ:dFA"d5Or);8tV ?Ws@>'M?觱 |qZGK(\F<~GьnG0)\_}HklX8!B(ӌ@heHѰK@, 0 f ( Ðq@2prR3BHaÇ _]~f\TBW/*nT7kk]UY|5IgB=fTX~-mC{m2i}>*>,+5 gtDhYZ;X.8psAv6#'K'|4=Bq<~:/7},PލbIQQ<08! 
ʠqtHKOk@|ё}{]ªv 0d*IDATNZ?`j˘17T_ctqB.uK]g3PGGJ 1 מK,CLJ}.)Z'_@|%B'q@zPles- `6Ͳ l~S Ze=Zo9<)D9o0M9G>!"2`+Q?أGge"~LiRCD=Ehxb[*^(9{03y,ե J1ט VRbMt&k5WiHi*o2g4x5Afd8𹊑sG./Y|τEN<_eZAP+CX P@VSfSY8qy`>πO[<=Si8e.PLQʋ\q@>[O7J\ VxpʋbD=z^Aq-.6ZǏWY:ο.#w*~$>9'qRz 91@Ɓ˛%SgY0qIBӒORˮ5Eؔ/3c+(Ysr'T0bY嵳y'`"cȜt,MPzt 4s+i1@Ɓq@FIZT~9ha wNR+ӈN)U"?BBB^jQE g m5gLشsOtVa.LFh ɁT %hZ!q!󇅆5#+CG,{qZrUr$4I L0vLdf:+—_}U.M7E YH.%udqPD݌gVxB_E4FC2K@lXz1̒ -.m4[”S:XPa}iZғmN3YY1G4$A/|,v29܂G8R7?OސrҁC!i^{σ2ҁ'kx_Q= K Յ:]9q{〭XlA2UņP['weEcŁKe׺4l>'] 2U~<%d\'@HCӒ3O?mu|2c[si}0g_a@l 1;@s\KלP I1[c=dS=;{ʈcO1]rI`n}mݶ͌t= z@^Zo+ab,Ç۞Ih=/n&xc89ZGi/i| }z%wTfJ8#%7)w;Bׯ3ƃeFӓ\ c#=K=U26“AdWh+4X.C|\'^𑀷qbG>D(wp8P_"P5/g[u$Ӏ Vh]]Sb,1I_Dtv8fPRgu?ƃ-*:Ίs#30eC&^eʕ_ d!F{6٪Ŷ(sBd5ly,XµI"T{IB$G,i +9R Tfpۜ?ETgYd9rO{"u"`y\‰( @^~Cz.h@ ]$Κ5\Iqڻt2k?7-~޼ya<w #wbj}D`|t^207MSr}e+&v5Oh`e%Kşwg~07|swY#|- '}͗_a2ǘ6 X%=:p r1B3tTXAzF"b5 _2$㠧|&;w֗XJÊU_ ;%#_, @ oO( wXeӆMwAÿ{s sK$  ٲyKyG2D.193 W?2# 9|'?;ǎ,jBrIpWoM?[ho5;L<9X<տzF~)Z;ܹp~߿_3 T 0zVHHKڛd|@Ks`w=p(5IlzhUc<>[.kWd>zeuV 78;Vpԩ 2$e`ܛ9zϾ«ɼ!{RơK/愙î>}<*OX'TH!cƁZ##Ɍ=2``C!i ((G9R9f4tĝfYIu}MOP+5b0?:mԬoc1Prs~ԫO/ z]źOijGnij㮓iHdBKX^)ۻo<.TmIo7E5ɮb;Mn+:w,ѬG󲭢OƁ Rupn='~OHO{C[ #qdQ_nLDmk.ꉡU%)YkIVY 0`jD%s1%^yeg 5&]vgbp ^ǎ4j.zgQq5+ n@ɓ|U>Ϟ6QMtKΩR gȑ#Bi4ڶ-xcޭ[6/4s{Eyy&Җk.I8RuCԫ2Rց#*'dq!FO?%Gsr44L0$:Ye>D : x$mޟ;7 t@FsA ɓj5;0Hд }_>ƇA-oÙr$+`'3ZvLa?)-+- JūzqBp@ 49!=hX멍H-PΨuI|3Hd%zR-4R@a$6'@ʚȟu&T blQacoaR}="u\0=sJɤBg)D} <žo[&\pIN˗-]{52?6h`yxMu~oe94p3Fa dZR Bh$Ԁ7Wφh :"A"oe+څzoР} 7N`5lڴQj*,ޚ/j)J PQQn^SX5m(F-aU4*2I̍vDR٬Yۦ}?gN%#7ȡ; ,8zU2-j;!tJ{ke׀,heJ_嗶XfkM.hϧ%@'yp. 
X  (oX JIڂTz].y G=BׅygαZeH80C&0Y0v8[,\p5yG{o&ߢ0+<4q@ Ѐzo@a0id#v:RPzhNwF.K-Z`"(VmV44^%^{E;E0:U E1HqH1={4CjBJ=t萁`PIr;XJW%f701XJ{{a \)vM&QQ/+طc>f-Z>nV_}G@ (//7}.>.1d } xhP 6hPP((NeV+VIp-I`İԙun Y0sV UqU*& [vVVW,sM:ejLFe2~,wK{'R2sZJ^FD=93#WOڐ.iR$tn$@K{ rh},ϥ&2\ZPGD}{~Xunm^<$e77~rohQWc/֡T7 z l[NoP۹z=ׅ/2 0O>#LV ԉŒ4bMubq7*6V_]}$NiI gD^sd&R qg"]kTG}"@ dV f;wy#Ff3fw5)'~r͏ T} tl; ӓG8aͳ9T@tAEݞ8Zt&rF~s@6i'rツx)t{te!@|,)nMP*Ǹ X&ONk TeaM+ |@{ߋ J[-o.P!-Zcoɯ4}v}.lTϯ=7i8̓O^;]]4MBiuQePhFR ^RYb=zl ͓"AM5i|ܴeyX`8[$ cM%S6ƥ,-@Ɓ4K;Xߢ4`P"~P,"Vóg @7#a67C=emaot'8EKXU:dzcƁMq]iD{)L4pKLX.AsJݍȝE`j/K-+v&Brr{-B4*+kg/]#Cد`~8*?dym6]&Tؿ߀p[xFG/{xn<>cY+ ?{pw2vC2Fб;jS`$,d8pq29) wlCC! 4%*`I\P/"^ՒzE t#TM* ge9#e! arKuI)J<+ʭTpS H#ah 6d4چ)7<:Ԝp,d8ppFݾVh#0Pae\J!֊ LȭIOP]WxɯaI e3 `\8!d;wAЯwY0jW`|0¼ 쐽WrHc/\?t7(o xdާ]r bu*wIsvLӴuƁ?n_ߵa.|PsI ce[qbJIZ#S44VN GsxзGI q19[>(1Y4zhJxR@jhOȽH|!BC PqkrUxzӍ7`icj}G {B u'.9z#}ǍknBkcHM*Kvqq-R-AE~3[j#2#~9_!Dbjթ9:YVT~.srd~E4]̸iUe{PhUL"{ևАe]w[NT 촍4䆯=./ʠu-;mZ̧20)9l`1vf2\#^rM]|*1?I.'CI LIyJb HD6lXoĥ8@S'0`ȱF1Gi7<'6YkeysB2~Cq|Ncٟ24pO]{;IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/12.png000066400000000000000000001307641303637203600247600ustar00rootroot00000000000000PNG  IHDRmAkiCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx \~wVlwEcFybTI b Z *FJL bT|ĊZyIjQI4Am$;/?awf}.p&s}}gw۩ #w7 dFD};fo%@!@DM l&n6@>"6@j [ V @@m4[ @ղ3iѐLJ>BRS&p0 @DE"iM!rSn8" XU@U@O cu|hj|Y)^YF*G>> 4HAl@@H1?HȥVgAA|A(A4ÀOBGxUī &Q-$CQeCm  Ѡaa`J:4@B0STFtD[_+BPDѠ'Ax[m{LIMXU?T [T`$߿8!}:Γ?,h唆 Bٸ`nBt^:T ye 础hP:Γ P-pOr8NUEu%J 5%í~A}@l+dʃIyy9ՁHf?H~A :) {L=?‘ ( լMql1 I g LbD@!"t(@ˇ5RJ È#A`*" Ї)T$BjB"o##A߾?:DhB٪  ol"4!lՄEFʷ@@jB"o#l[ M [5!D@C&"X`8wln:@ |f0iV&GEσ"Gr@b$VR{ riuTׂ:"xd+"r8d>p 3șY۶يRռą.a@ᣇ'??Yf[3M3¢6[\zKFo!6cb'2:Hy A@|eI jAKT2+r\lC?%b/+vaWim鑩GZdLD=\.W3le'iHiUrYV %?%׈&sl6xtjIDھ^]U==>-OWUcͬQtRQ >lXtFy| ػy|aGA~x_`S{\5x!Ԭ(7 bŞ,wxjCƇd]v{c4f4oCƿB+"@Y{l 8bLv#Q d QHQS,|M#! 
= XnҠ&] EΒ#[}潌 w OZr^ӓ!43@**c@8~xn jAr{U3'_G17+rq5n5d07_^hhz7Gt>d6Z&]H4*2.JC^B\?Y\UN{u˿ֽ׼YOOu˾#M?F?;:uy ߆|mvV+K/Zk4#^c!3gUE0ZèBdž<ܜvmݠznLJET1 'hRi9%VЖOj!Uw9)35ȉ=ӅYC4"\|ekF]}9ڷ'䫫y1]M232-\D +XrAFc:^ /(P>9 0w{U|[;,!u_CW=n8 xmaq8\\%=dz1ͅF"zxU)5D3~pF}a626PDtJ0Բ@`OnN֒WL*^;+Bcp#"lNjO:N+3Ҭ!D=!㭦߅nI ev}$XyȀZE`YFgs?yC0oußLӅ8VTE(GWJ.aKfBf$:[ nVG3C1k?]PSk T@0UH eb@@~ͿG5 [A^šN ^G}m-U_vp Ȍa0F#VKYF*#FD8دLP8:ce2Eړ.bLCFI+*oϾOJ{RDB5fX$8b [H>&@G&t;.p3uVa".rW D@ l%%A#l{-@9`+:|$WN6AD~Su9Q1F<@~КkV C :DP:TI.DEjٙ gD <>$aW $LB@ఠ d(U-ze-L;JOX>VFtØ@#py eo|4m **a[i&!O Њ*YbG\#m7=mˤ3: +wÎԂ"@U㶅VDH޼=z2]N/{E3%zв}ͥK 6s"-=9^,@v\-;w;#vμ9ONߘ*D*%E/zy-;kǾ#M&ѣS$T6riΜq{jYeUFD 4MqFQzJPtk@]U іC٭e9)C}{|s5%䫫sP@Dl%ʓ82[>14,)N.a+SF dIn0T'|$yGxx A^Yzy_aK9FXHQNC Q ," -7ش;, +j^A7qe0(gqUka>D{̙UVmV:2^Y8vbw3<>%YPMd$(L t\Qq4fJT5UzPY|uh.gK%@21csO/͌ #А[?lhV 3fEN?1cltgFń[5DGYf;.̲66p~ !ٔ_k%|2_x}^V'a@|X]f+w @AJjM/8.(E:,FLeY4!"F|¶aȃwc(D**jdp]|P^:"(Ar[.r_,w?u,TE+7(l!&]V"Dj;FDgw>{ka"Y-[/}}" !0iyOslVJ_D@a~F__J޲3)rRWyo) [nà0kW27-y1ԼngnD˓f[^wr꟧Oll^r|˃F/[4XE_]3oؔf抔E%+w9l΄Ҿ߆•ˎDAx=hld劰vJ ۷kyI@⌄& ږ 8Y#{vI+mƼ@TIro5X -h4RZ@[=po+y9 VƎk6ݺJ}%71Sv= >*y%U}|p>ZSUC /8($;*}iJB|–|ѱ?ҋ@[EJ;@ַVIiE8NlT"HUu8q"Ў Nݮ}[RmrD.l-LωPz⭑zlgxx3'OpM{!Y?Ihܟ VO3Q⼕hc]"<Vc9D@IGZ=[@)y#6߸yLg"l;;ݿWv`u@B~?޲~&V!Bl5'* H{r9~ؼj,c'd_K|. {LX|s8{57-!QFD!:[UMX:[e+._ jL̹GO-~,[gW@Z o>=[#nWzjʟK97`S?'|l\Tugg>=sLpԡS:Εd9n1IKJwTY{SO ިDM! `lS^?"02Rv?dtT=r n+=uNƧ_7>τe9xP`h)_Zh3jfTHZScJw}wSaHz!vUe~}"h`QuUbH҆|~[0d?MCaӧS-/2.NɈq#M¢%L]e*L0"> O@߲k?=q^??J˳seOGU@CuʕTf>{7 5~*ݲv&+ec^DXx(aâƚ[ LW[h_rND^boB=Qeġ_~w켕Z"@C@Qrhǻ5cDhB#AZ|7~-Z:a̬g#!Y0g'>\f3PfV:ۑ췗[tΰkn͟*h ;([ɴU}25J&HC60* !^ǰ-nmTz(Ờoԗk<:-iڈgDVZ咊# v̅3unms{be+!J ohQ |*|bℤIMղt" .|~!VKf- >1% ܀l%ӶnW @;=T,KU构Bpؐ5J> NYNj<)#h}Q#V[jQ'y:8؟g^. P'`o9q@|hteg~Ҳ;tg* M?0iJɩS%@9|!v(6 En!X@&a!. 
IDATB0ӕXvԱNG?QxBLc?b6U*nhl6QYtR*"o[EG\+<{Ko(1[oSPt|i@;x`[  k(;doe3@JYUX퇀5ƌe|WҀn7Mz!IhQMevQcwmOX5e| Ό2 srQ7˩S7nd(jnǚ.'<^c/ LDB($Z]ߙ̣jKjSBɡ^c>fs<7|׾)y^0%6eꬩ_\)ݷG,ځFPVojBPa b K{S©+Qн'c8A]иQq'{!+V3E'S%Nyݍ SS~7źM݅:v ;!yLNsBi ҆Db(н'؜j)y@K6p+)S@Xvlۚm__pQ;{co,}Җߢ@ߙ`%l= +tw4aQP=N(f]g?= h4uyzG6Xо ŧ"mYQ/"qroP;v|gD13lmewjװQöJILبKLDq`=k(ƙkn9ܼSjV"$B܊g U-9[Xdm|A?!#d9q$?rÒ CB-XyfB]9}_T6d Ql9=ywzAɎ,[**k١?[nJzaԤ %| E9@ a#,PÐ6*ਃ2W_21n i~ݛY?zslJXSv:l{z9͈z0pffD6hVD@yDl~ e;ub~,y%2__'At*ei&ͅQʷ}y*":(b8" ޽?~O|:dΕG|}b;kԩݻwt +a턘|%"#AQT4UmX[B" ':}$3@mkTgRCL}LW/YAdaޖcigh1a+ }Q:#_/~j-AM% 1$URPoz[me(2!7]S+z`H,}& a{%V>b[qKowSLq敥L8ƺe w} *v,J['n7 Ztrq odŲ5kOm`)t┓\=UTk;+r"l#ßfjGHkYuDn9,n0[&~,8clڴa'WXv,DE% C[3enMTcB1QmG)A-kEe/:p\|YqDʇl+e&̽7%6Y橻Lo18,1xt _}&VMT"ѓw.[E>,T[ʷԲxIZǏYvac DXE|7"lC;J <7ag Yj%|Dý$$?MDS`O |s螎~#mDP,1dCJj3j"aFa_+";"l;u[+ߥ*7tGAz\3i${,XUP⨨2ih˯s b_ S]_(PүJ;`DZE@|靠a)ʲG>3}lLO&?{D;Җ y+DO@+~$sA}6=vF-ppBsW }3Wo!bǟXe٩Sk^ @㿝(̲_hE]Yv[s&;+5kcV|)KS`)rR䊔yMXeyIi/B5U56m!Ԡ'{}Xs7Ͳnw02ѩSagY^ wNfEl+;]L_vo"\>a҄SNZER\-Y[᩺ռܼ?Ȕ [2([Ff嫹ނ;Rvofxp[oXj)S EERGYt&@WOjfo:01Κ(Ej*ωJՂv%29D'6^6 tj{v:ݻwүWUjii[o_ߟ$gƎk+֬o_쐢mN +to_L?+T4}PzݝZⷛob۱ixcÇ uw#fLgF"'JX555txU(FS%/X`Б`[̓ EPl`["(UmiΖ*pexk .|~'nQ"J}鞜=> ݻl=Kg aG@AA3LI{= `] ?9l(8y'kR र !2pe+v:JU7Gϡ o61ø%,iJ9C9\;:N'xrD]MC%w KKaU} p3s57&pA;ai ,EJ4]ׁ~* A]aEF)$QG LDS]ƿ;g7{jtA-:v(ȧq=6OrWpe+fw^W*3*NW8~TP ^'7\'o}=l܆6[¶4ǎC`4ZE gJM;)4h .Y*z-3߮ӯҌ*" 슾SkPUPچT$u}++d |${3^x%糜+ ly8 W@Xr$+/a/Yo#@KگmEH|ag'$ ajIQy7=DSt(@;}NʜQqmKIJZJ3eY:(DEJy+K c~R \iז:Xj H?E&k*+D5) 0*TT["Ю1yJ[ѝl;A Oq$eͫd յWVQ0 . ([)k[9J̅CȬllM;z”`jYCz1j Ikaq͊[vfBz@z]o]@;D@QR̶uUo. d{Xh-G4 s(_+NV$eg IgI[ľ2kzp]X5]oŧ:8uKOPLPCbFD@1w5sq_`*Puj _2؏o[6+wE;|ψ2#kʾ-ۓvj0x+ߡӶ!nsv ʪn߈flˈ3ɴ9!4SҼO i)+v8Cx\`XFK^ -ph9tFܔcG?5eQlE{F5/qFUU RSNcU.ͼBR 8o;1q HU< (C6z+Nd^̍mvoQ۵R[@Lkwo@Q~sŮO0.O8(lvG&@ުWfPSw E+ݥj 4LμFU EqEPn[ljÇm],4SyMM pZ|DZ .Ln`lWꕟ5|,O4}s&|oKBs͗]-[t!#K37C`܄q|/&-kyV @<lUvY~f*"Q%ia/_/O$aORaL#'#3#}G0V2;Aآ"44p&rGΟӼ{3w=`,E@Q;E߶NK\W~@*~ az^ &? L} &V~dp Xѱ_FxEG^*ϕz5N9G #F=bd4Zkԣs޸\S. 
IDATyCj=ŒZyVյ;f5߯!9rDP>-l,+#=;PS+[/DwBJٮ}W ;Og,$Y񂏪XjWe mPxEG`xJU7Dϡ o61ø%,iJڜ9C9\;:tXжj˷YRptՒkfʱߧG 3K-:owжjSJ2R'R:VC-xŲb@,mʃ@m+0svo3rB>azUz$,!Fxжp5ѐؐ\9#cB.pԔY3>s8̀/e+܊2]%O<9zQ-chWQxPPz;L/3_!KS9ooL..oKhD;BD(V80)Vo~f=AhǚfY "4"([)c[e=[S[ZQ{lhm#$08p)R(G:2Nmw?(|E3!z~Ԣ&rvIC"б@۪c="vP?[Z5ûQOpO|riN0PEJ#[UmK%sf >4 UW}1o5EC@Qz 2H!8,*OяhZzX{G@Qz{ccg?AўP0pE1+weEe._z? d@OTn+L^wV; la8nYF&,`>[ٶD$,{ᏖE RJDJՊ nE@ё2TՈl=aw?nY?R!cتd.81pf.t· vGlyE1GP>d =ehL J0 !$WV^? Qpnj̓ՎM;nUrȅV-ʨS*vнakȷ [gXG1xEGVo;!Ydl(T I} [o8{+CGݸWҚٳzۺWsGfF{͛_ZB|bNlؼSvB2n «@ NzXj +NJHC|Xd22٪R_ jt /(-[WCBBrh :T?v؅);!b&2p:#ege4 !(VVmv Qv2\=N`h-G4 #~ul+dEhFjFttthگSD>b,YcO ++ C]]ݵ|;~Mu^2~U']0?h0jrSWDl%Nzj+?ou~MHfuڏ kevDZyV2~It-tG{+3e|ɬxGKޙMዢÞS1f SO (["޺RCyMܐ R%Yٜ>s-~GlYEH+-_rF`%>u*C]K4W t^.%GW-fxʑӣwg5޷x @@N<ɑR~qPo`m]5֮_ -s.]#G6x EZ[I][f6Sℭymo1E˨hۅ"Âа,ʢ/\fW/6r+^J0Z-e( tJKJk 3vbl倝7WynW=:'{*Drc܍VyvEI&O 6Y#[\~)k<5Ю]`Ax B@Qݡ9 7vXza7bP#CxaѬISw(:&[ĸ`_BC ._ ( |!|ײ4S!+`p;+6+=W޲yFh4͈pb?*貌ѳwPe\;D'Q[UWF j.S`JUyԚ"1y%NYm^mu8LW~4~kY^YEYԶj::YtuE: 0BȡaDmuܤ.L 嚸bLDa5Iaf-S3RA3[gM7Α^mGXgv1 H(VVmv sKauLs?b0̭[#~u8Y藣A!$x׳_xZc+GL? 
'i$Cn8_z X;"#([)f[**^Ϲ;v.1PWWw-Y2",a VB+4cy1 lmeukw۬FM,̶KW> +k ܹgPa#Msh|9 ftJV7ߨrCA cҋvbU*X:uTX`X"*C6=w{y_'2/&G3콼h"߾y,{'~r!_[{ڶVkpm4,yllB "m}V2 &:uVogv7WrNl8W`[IڪrG9" EGޚ?r^yu Fׅ<~ɏ|Bz.Hq̠mH?r?% bŤVSU+Vܨv`>l+K @\AmVГo[AAGUp ߛu Ng:7w~s},:ȯ 1k>}U#F}:.fUFP9\+?ou~MHf{hZb2xvRP*s* m%1#AWzeוz-䶅nճ]huDS3?s,Z5* Oo\qL_+G7VZE:(9 Wu(%2|]Wnxcu/fMSlʹ_Gv@¤#Av{o+:Ot!j ]YrlŒt{AVAj[I][f6SNb,c"ЈV< Զ 3nW]V?s('{*DÎV.@_GaDGm+ W 1 ͕316šBGM:h4: l[W޲$i#'?Zo?*ڿqLmt("`@m:^r⵻;JYt" ?U۔x:1fiGZhߡ B!,DF;by+ 7l,~TkvĽg$(A:5aU5 >ڏJ8eT#v -j?*Ukd\$>(mՑ>hK(V^bz҃mE|EJ#[̽UmKP N#V"mCD$J:$toxp~S @G@@Q+2d'Y^¢uH[z{zNVRiIi*nVE@Q U^NkL bNݻ|X4Cw“%ࢅ#ڜ6,|^[6"|D6ݭ(V8nըΊewYk23RRedW |5P(NQnG>5rkVbZN Vᯯ]RS6[ZDpv/eO9qhiR"٘dXpFFE&N¾y$ٲ*7`;>hÇO'+|Qo"я[ɹ02NaNBvܪ4~ [P${3ERϟTNGY[.Iݿwp4oH@.( Uxq :m괊e Bzo[9=\cC Y!Æ rU/O9x#^ `S:ZHW%OFe>לW̌yę8p7R}wWr>Duu5)*്"([W`J]E#7Hx$Y`Lgh0v֧+Fo܄ B;I $EOkUϑ*J:0ta;XE72|/K@5Uɗ%C .Gw3JI|X:dї;7h< sgIJuǑ&/"c_MF+O0TB [U0 a`X`hxӱ[揜ޡz@N-HNut`wdba]qe>LE|EGN4GU\7\Kee+Xx^%;q3Jֈu! #([9j oc9"(V޲qU/>a"FpLCv[ز'l6We۪жv@{@@Q U]r޲->ouț,jG>7r ;aOBrfHZ=;t פW$E|m&Vj))h)k;H)pR 2zBȀDPx -ȹzD=4PٝlLҺ#G*n/8ϳ]v v ae"m% txӈϘgO3/0+Tm~l^~z[wxc'p ??ẙ1DD@QrƑl[Jsc- ]!?#bl_GL|'6Lu^m+*P<~68apRm^ӛC! ݫ<>:y5¾аt 48&,*6P2wC~7u) 8JRt -t^ni[ qtCW[-nWP#i*xHB=q'.I^Z,Y;ٱҼI<{ȿ4ˑV"@*ANSM 5@`s}G~4~vtTdx+#&F IDATZ/;`f*oyoe\$udƤ?)"e˄f{\޺pa`?/q /z/1btt8#nʱ; kalLl l.Ӣal;+, ubtwԈp:١HW F "([9aض Cэ- `?iW37m77-*`/̌E)^VtO_o{5 [TAl2OjAa~e=C0̝=w݆u<[m JU ܃{}yDQ  LB5uP SaJF'zYf>~sx׻w>/k~kMH $I)%?䓵+*ȋ<}CosY`6kXO.hG39coS ǦXC;Z=5q]2w˷޹Rd>cHv'!]jN+-wc.\dTFQa /\ه3yS,0nJ17 oГyޜGʏlm[Ѻ}A"5o'"@c+%pRnJb&hPBUvN=<'LKy.e[TS.CL  t$*)9o+ٹ%oysf)R'cO<ھמ[Og03vMYZm#N\J 1b*͟(u2#e<$޿:"W3ˮ;c`[.|q/{p<;︓?U Ef=lUe͘={g]; _>G.D_=,ݘϵ.9ۯ!">3Җ~UQ\\|_n :~ԇVqAzA]/_3Y*b5sLUZLqkCSc+ѕ]|@`J(\iS}ScʛC:-i>BQd&-ya>w܄1 I߄![Wz6jl;E[xy lS 17@#uog!C.Ga(y@ *G'Vl݊)Ė@`E;0@AD'Va'-ff_l܅BH~^ NvpKv." 
Uvz&H7!@xnV2DpL'֭𶰟h/*.ނW _ѭJJ?z}Ӧ;4!~Ez ayB[[eYfIa,CEML&[@LkJ8ꟲ0>B`\ͽ*ߛHePtD182YT]KO֜'8"~DlZ/Cт(H 68xlSKRM۬br%h>qУƌzlcQzk ZE?)M[hY挌 -{UwV}e歸c?cbRHżo"͵"3^5UHl?qGanOԺQk~ n/3SMǽww| C'lXCSAlƝ@٫yKH\/'vWy y|趇&D2}RNg$^xgx_8AO w[ W3N\ Xfdَr`3@A8tݻM,9V'lo>$T({pEgnZ@]zX@v Sl+@>ꏪ_/{`[wnسeϩE! RP={?qQ7RlbZYD^<5wa:Xhgfd 'B}B5.doۅAFgmw8e_Z}eg.V6ki;. 7&̚3+yg~;5vtTSL Eȕ{+$L?*y_>a~7 "D*CurdOg=8d2S1BR1-`rmD jo:~yq{L?fQ[gr"*Өh}.;'1~xiuɢ|j6xpOo:;{vJZ԰LpKDŽΎEsY@rv^[^Rr_~][zKejf{U&e%4_s5v8"Wszk0**{a/fi#(|#R~@%tu|p[rKW+*M{b>Aœ#+$׬M.oZ*~7E oDJc F[! B'߾SYh0b=*՟F/Mίl?#!Vole~6&wݬ;1hF' NB<nV:VZPhCgnC !H [α7B 8nV4A"V胫c: pLsC{ ;QʉH! ZoemCf[__6<<=~^$ӽzn: EʃCW= 2AfAͫ_fNd6!@[I/jckءPk7r%6>i{տ `0(ކA\Ђe--FKa/75 ;`an3;^pnvux7,[g.3 $U5#苫^/^9٩J A!g8}3;֟7cR'Om?:^u>5 '7;/plZG]MAVR#,j('zCnR~”[͖wU=WE^nwقD\gC*=vא41'gN.Yhv =GS^͔ Z]M[N!~&(x&v(< KhSw_3JVZqAq6juC)7%ݤDTKI$[!^(?gζ4_2jH@6y2gg&G/G3AEuP#CN{ARW[o=z1i"g "Vosl3;oCq3Xd^\rع%K~u7}bɊD"p3nVVnF!Sx(y'X е㤩 JXx"p3[jNȈHdgZZ$1  Vo{zEr7t 4DJ Ck~vD k^֕WN?a=F%EbV,.7$0EMV5@Fs-<S-[i5D|BVpUCтA)F Eb'n-'Z_Z,Mt\T+㚨!@0su-mQQFuBp~ނϒ'@e4T0 !/\ T+EN(E8,HnFKu}@ޏz+YHoVliپX! Vq\f鍻mvZTwkBC!+$eȑ3}vң=_|[$5K oXJS>L8YF*6198c m+91ysK&,Q0tTŸ;bUEՌ{.Z Bd9\c`R|.LD @r)}1O[ǞQvĸpdz|TQ'>=Ĵ,rZ:ڳSAB]JZ N|أ}rÜ6yUY a$BVO! {,\p1w>O!1=vC~c3ixD˘Bd9rhG-?qݝ~3Ϯ̘a9xߢ¼lT o/paoGhy۾cz! h-,,-+e9PuL0P.æ?mJ'''oNsVKiP;ӍXhWG,㞽{ర^ \t666=]\- @Kc@wnܴ*)1 0B8v~欙5gٖg>ZEVٹ%oysf):T6|3t܍Ys a!3Cb%n'SONC@Of>w`B @ oM|@"@*@/jkmy&]8[\Rj2e>)E%E DG44bY#8<$? }@ &؇:>.8u(ar}VS\Ri6M:Uy+YQ1b#t K̀"Q3| k'i(ϷK)KW:$oG" o_#kjk0㽒O2rYކ"tZ`JY\^.@4![CА'pXaIv Re#zH\;K*+2 *{(WL^.X\hB*{1 eLΨ**.NňiS57bƏLII)(,//c 諣 M&GgWUNLB3tVQGO^0C7^ )S$᪰!̐15/7'Qsp䭜/RM}/bKKOEݖFȊ'"[9 HRC.Fʉdt[yvkT1QVq B V!D B; oׁ  oBt Vq B V!D B; oׁ  oBt Vq &HZ[ (T]v1m!:P|SD?87IDATD8z;n,"zu-im[Tߙ0qQ2b2[9O-ktܸFoRkFD9>b2LRs=o y+7MB[BI&bՈ~BV0]?N5s"ݻ&]b)z[[UuB- Td! 4##CQR=F, Ŕʿ!*("_ll,M]y[pE[1<m5 2Ԏ⠔[SNΪZ+%P?(oA UbLU1= [[plm jvYEY7f!@C>H <y+O_j !@Ci)ji}B`V3䭴.K]5ˠ%ń!T[9NRF.Cˠ%ń!T[9NRF.Cˠ%ń!T[9NRf)plЋy+HCr.փ҃? 
-y~qGǙ8㙏Kq]jQ:90U@\wЃnj>\tڕKWCs!@ʏ.vW^ʛ=7kҔ )YCk׿`r]2> *6198#{&#h<|mխdvm$>l2Iy1?9T;us?;Q|;XŇ_]V~s3bRq]+Wbǫ0RCչ#_Ulۢ"!`VgϰX)yd8cŒ(rE˖Gv Yċ~˚WQr:ÈoJa(Ha"!`Ze Ԙijn :67q/Fÿ/tMת07Miwu3Ƃ(]- &_3f fܗaۑȈH320"V>Gguh>oǴ  ĝx˯l->ToXGGӥKb=x'wc.F^8V_c^DݲSϸuj6Ez,8k(k^VNn΄Rt5 aT{&w#}Rz\3g̈́Ysfmip6DJӢ;}.o@Ppc@鹚$6:FP#a(JSf> Q!tTUWyǤ̿XF(-:0^vV_J./qY"&M-(4'.\{DsI&@ Hbnoc in0 | ;ު\3lWLE?MB!@8niwUCdPR-R-Z&N$!@Hhz+kϿۮUS<;TɠQ hz+l҇T R%x@HvԢ5\4bADF)֭hMNG@[ T' 6nh^j)JbB"^TiB |) *{lk7l7![g/je3YR?<̲_4،Dl2UsRc^ϙ;UUňIV.{0%s23#=iYX #sI]2F:s q!\r]Kٛ`!/]{ZE .;z,Je+CBuufdZ^2#^)2?hll@G{A/W EumJa! !QUDTVtC#b*_' N @o\' [=@y+߸Nd%!@3A߸49t~@b Jz+[ <<ov.B_"=nQw8 DC.ф!nQ q8 ܌i B7|O&B䗀@F NH د{&Aq甇ⰃEC~hB 0 3A7Oy+ez`ގkB@ OPߝxLэy: wBAm2,b G@e&A @{ -ai]&\y+cL-3 o }TG6gRHH]mw۸qc Wt~ (PHVF{oݶ܏}Ef+6O}y];PUQc>ܳeDn@@&J*YprXEfhᛅ(Jge?ͭ/((Xrݎm;RnIL"!@mP{]CMMW3671Z[r?!OI4!6[ jk(2"yLY---#"-[|ѯw*W2DCviwnm֯BY<SQl;ӆ[6n`n+(MBr_SW64HWp3-Wؘ5/+'7g $=-Efnݶi=QLv9>$tfdL&\@AA7onRK?: pj xzڤyg5؜(\~b׎pUx I@ # wy+L2,@ !>%B ?$WE!@xh+Emc@GOAgpV BQ[9g oܩUBpǽ=tc'g ืrF Gpx}G[!yB sV~;La-G!@EGȾCCT%=U?xٯ/#I2^@DxDsKF| 0V| 6|G4LJryުNj7_|tU1%P2r`8ԖUAؔ55&SkaPʭ)BkU}%}缩C ¤Fr+XQ||%Btp[IM^<=nSf2x4 4<}j}ZM&DaĢĄDSLkLqXAyVٖƣeO0Y[)#wLHJ:gJ!*{1wºc+  rop.lIIEE^Lu'%%>u7՞-(K;,\c@y;}Ӌ^m6oG#p 60\2 0DLMXKRηB|jmVwrU{?}Vb miMλC0Sn܍(Eid0ry E*9,D{+ɜwOLJV?m}F bx(<>>^!qbl6+ㆌ`b-|xNkkҔOs&@?ZipD`y˂+Ws]mظh/J`!8HDp#nd-]l)X֤ȇW?~,U4&$b=0tMIP'KN4虠IFld|ǽZ F4lsԜ]b(pաCGF\!yOE|C9 ;^:||o3SY'3K x )kZH <@j"ĺ1;+G&RQZPjeVWx[?*N~ !BUBA9#!BzkW^b Zmݜ }°{|Ls=4E+$/f,OcUCbQS_" ǽ B]͘1'1H<J8jTO(‘}tNqYjEX],ф!8D^hŶ~,ӟ2w&}[\˻y#(^_2M o9Jѝ4_vJX,n /gsfGJx|Xˋ r]'r쟕K(]uAEG"P_sFbxeM:\)i#e=>sM L:ċo檒RzmdpR,*b sU08&:WUaPQd,ۅP^1Ja;y@oފ㍣XG0= xs[r.Ub [o^)I_#7;ei%'p[a%T{8̆b'УMih$3]sUUxACbJڅs["Q5T bȿCp/\~u"FlMi2`B0onEIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/13.png000066400000000000000000000775761303637203600247740ustar00rootroot00000000000000PNG  IHDR4iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # 
iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx \TǷΟA9 hEoxPˈ 5RDrS! #e^JKA6^QҒT´7яo5=rygg=YZ;^{,*F DlȄ"@ < D"@L%@qȮEyq$t20 _g LFNřD֖Rh$4&64.1qSY&`? %j5$8 :@ 씠F&@qC# D4cyTu"@ LFN"@h(nh_U"@@#SqD"@1GU'-kxKK=8F^ @qC@ɯOieI_ICE,mC]gYj,m59oUdo*xIC4@gBoe:7Z9t{3Z* ?_\NR|ʆߘ21l BdљvFmiMO׈!#Ld6gLt0cRVV&ϸ1}Õa+**ʙw{>nA`bZߛ~=&o߹u2~СPZZhY(%tpTr3LtF~$8/ncbܕ)~5W6}lO<@kb D?Gl{i'EH#z`v&"yUK/blC#{;D^̔>:T-岔vnVpZ֡h{,trs`y옪_;|!Κ晗:ݯgPJn[~<;+s'{IER6R%qcS7nS9>>jBSra/tpqDh\g? 9sȍ^cXpA9sWԞlzJm7iG<g[,F6P ^7BO呋zVNr4a3:Eƻԓ%LqvCGmҭm`\zd.:^اNӭyv—rİ<N\s~yU3ڸH L4$#hp:Rz*M򺵧Nrc0[ׯ؇]v p`ѕl~ &Y@9\ 7>!텠RymS fm Z54]Źe#U7Vp[4rk B~~t5:ɏ,Ѩ3ߞn1H Ѩ- AD%C z(c7a?;Ȉ*:޲M|YMcjfF҅>!3~, 3Ȟ|-Y$har B

nL_?)BH}}|;Zǹaa/ /]XnEkۓ@ Rc'h0Sܚ}{m>ƢX;~ ڻ,": P:wj5hEwozZyJҊPSTٙ#y"D4)]t?cFc&U7 hv}eTa"@ |l`"@ ͎ + "@xl(nxl`"@ ͎ + "@xlĢp*"@hV-mD"@ט  DVH7/L D(n#8F D~d"@ u$@qCQ6"@  K&"@#"@h(nh_:5"@@ PPGp"@@+$@qC+ҩD"@H:lD"@Z!ZNM&D"PGO\*'I&D"@@ƌ#>L2 D"@8ݸJj~"@ Dp4 "@ 5D"@'@qGA D"PjD DN"@ D7"@   D"@@ $o0f4DDLq4K᭓@-$[YB&:,'% -@{|6Pӈ D'@D"@ Z$"@P"BǍw0g㪦GqC# D(Q7-'w_hCnuG(nxԩL"@h7ϝ־}{F,&.y;CwY3'xL'< .̙$gVTL4 ʰQYhB:nɄ["@h~N;rdS?Hgb/Inv*Զ 'Np \pDnt'"nE2}t;wg[e)R9s65rԊp[> jPKΉ D9}5>0ؖ/ 9}-YbB>u{'/~[P+_ D-`^`Α5zoϩ׺1Dԩ% D:߹uG2tVRf͆­kՈ$=qnUMok.zhjEըQkʅ?STyՔIu#F@P thQAD84'7{TQ,tɦM5lzdo&߹Y-7q#b Ꝕt""A)*Y<7| n#Sv"+|ꘊM&q﮽;Nc`!Ct}B|4V]3]F,xg? D"@z?!["2n_8%K*3'DK}TL}<j lmmYOk#%?;zh<\kZ 4^#,dI D"H&nlm3&{į[q}\f!cdؔXJf;leoq [,RԿh!?2 }`z>ɩS/,+)?˙')U&2D"@i07mtdXb|P~/zLm=v4"yl,-K4)T%%sC7oz{7i.ֺf&$"@h4''ra+8}Sܧr=X$:|w_3vuVrF:YBxdJݶ{8 vB7?LǠCGKټes@`@QRs&wЁ,af$D"h]+ dZ^)twstR#|%Th:h]]PM@!`&$3V#",x4S23"D" P`[٧_g{O|)#D" fQhm5{ms= DJ↖R@"p6LQ5MTH@P tdbD D8SӷFdd@ZQbIR`iJN>giFq{g~%[y@&ju&)ւ;w5CDڳ#Ô'*1.fCKrHqYeʉ@ DVFާhe_85"r9ֆ#{"@F\n) M74/B D&Q@K! \'4AZ>1eA$`)481c=hwZUx nӦͣGc<~-~L0%bLq_.>-Hn|gk.b5CWCSm{Ѯ@)EsS0Gglϊ6>r5˿u?^T: MYLlGdUgO>e@ .eƸgLiCd>\-Y`듙YiU@`!ڷo?|ش u< ilcZ(gǁaaB?Nt܀ hڂMZ+c3vd77<mhlXݻweν1;NIel*ëbLB[WuǴwTUԴo?3{b$qpXyAy Io,V(OAsx 1nb=P22jeTAAF//1ش_uTeeJr rTI')j&;sNQcG\ w?7WyBK̿mڼgm, q"|8|8 :33|gO{?Mp[k] hB=@YVOy}UG+=cʝ[N*Io7V, _x.H D^ٹ_ Aˑd,bYRVg !ސPv Gui$uH'&c=d#f;>+Գs{ Y.ZmK#YvoOU>YֶW._ѯ!%i@K!Pc1(Ve uVrͺ~ںkLNv_-[ԹS;wJqaFѩSg͢;E?م i)Hf *]^u ?&\`ǥp! 
ͷ627J^-xg:ڶm[rĦMJZQ#I ;iΜU `> Ǎֹsٻe{w{酫`v9s YLTӽ$k#IoP+vHJjrԺU5UUdOH\%hyeMSֺʐ9 J`'\6̶ bM`FMRuut鍒N6Y~^}V fx*22/i!J&84^{"9`P+!vS/PȈY'[`kPRJ/4Fpl>+\l>'s—!ă1ZHTg~)R< a}}`i?xuj O&(]!l͑ )P|hNKKK- utBxKO.0%KAlL\(%v|Zݳw0 b0xɬ<&9w9s&>qY?htu;KB_A Jh %IIEYSJ }GǹL+E_;da+ E4:wj[xH43}gnܔ'+NE9vHcsU$շJR>1{Wo WOEˮS%$o&X.D{㒒YRQ@Ok27hd i | >o :l7KnFھYrKc?ahE&1uB<׀q!HN[ gMV׳Td]Sd)VLſ#}bX NkOڶ!]u .> M_D[s ؈k:D)f ;Ϸ߻MvIy8 uHLM^͔^3}}+)>L]&Iی?xഩ; (//_FF̼gxۿlr+۴7{_'5V͗@JNo+JSxC#Y&\HаC谗!kۂA}6Iomni ./UڌEěbϞSg9z׊nG32o݆3}r<CGnxv:LTW^ {5ǧB<$t9eh,d㦍}In¨'5<1 olcs*fdveW21 Q}JJXc{U.V}ru5\ ~{wO*Yb <5ΟIx\E ~oPi,nN>7rX/8}7zLqeLf;}rKs'$%,_ ruyK/. ޘеÿw~}q(@VxV$χU{>u<)*;7rqKqK]Q|P24aJ񠁥EfЈ~4jswU+Ix1 yVDalx PM'Q:B ncYq5ըMJ"uxx0>EFQV|ho9!T8XJsba3׳R]L %5woÊѣFjA IDATGbf(ko\yq'\YYO-JVE aשݣ 4rfxX}K=sASGɓ=n8/Uln[\%K*3f e6Ni4ÔćK+IDS;?CW> ծڌg7JTŏ6 A_Ӏœ&FK.Sݦuծ1ZSW׭1 r}\f!cdtw70k"Ӊ _ )!M?:M|5Nk_PP~ŋz}$[X"PB;Վ\r L4{Se-gކZز5n KO|zPs" gT/o<`#Y2nnݐ5V%CSRe7%har vr6Ƃn蕪fh8iE-=MHsO 9>k;]z^@= 3S%b8i#D0gYb>+cd8?ЄUdv^^W[ow~(w/"@ OY4O})aJƭ7.Jyy,wHxNeut' qzkH_=7@3 F? Eƶ q̀UPf sΞ>;kjяE:jT ׍Y%h}t6AX ?߭ @U%pIƴ/0QR:WCUADl>:@:)Id-M\]vWwF)"x.e ڗdJL`EfRD}!TL@XX.oE<7G݈' @s7:3< X,jS:Zh3c ֆД@a[iѱPZYYaI79<~<3c{7+ @)! :p3~ӷ`,T KKVn%kˋOq D"@X>>0}R`@`Ͳ[zZY9"vu\r,B|PbUV#Ù~Gwi bb_:?_YSuD/XeGDG,~+GsGCX͹{)** ז@vn8k` K0}=Vc! &ٵYJxX zrTl6b%z&؇cJ,UȗV)zjR+? NMx mt+Q-)AK4ID0>V45 g. 
]w2OPpU#ax!O5DKǭ\Rܩ3@S_dmڵa+^VӋnh"C75{hxo-  D@T漏|,=x6ų /j D66̆b=A|~Vn n]&:9,,,`sN qJٸߧ݋vY&Lph7sj!*3wN^Ғ \OhBӰ*D 4\%=;G v/Cǎ = ꡥ$*'[ykjZjǿZ<p ]LV5~Ԣ {+M_THTLacukcDz;sNLZΏVDؼsJX5y,3p3Vo& DlDN3PNڊVFû":kΑ:%gϚ[9kl棓M-!o WbȈ<$6aӹF  t,>;?g%Z!f25.)Nxqʤ8$%2)N&_Vǔ\Å98*aPv̢6:ykxE2@Y؞J*qҖ^){fdߴyP6C຦Pq=knx^y^3_8aiDg~H,8p qꐔJXLL-]Mv]5,럸X 7T0?q\kz<L,5mù 禸NfSi`,}cUǛiCWCSh'Q Ɋ;w+%2l7Xٳb}M+u"qMSzl',+Uޫw/eDtDW{4`H!>dɂVUӽGD=(OTuIϬP|2e:+}Q񚇟CI3?@1ǮSB:JSŕp 9KꏗT'2whLxhjPJexT.WWhʣY.xrXVTX}hG ,۴<&(,pܫGm6}Ξz4!k~"3m:tfW8=̿4Yߒ C\ZCq4Z0徽Oۿ}*nԘ=|{qt4=x6ߦ'2:pLv;?މnddlڈfOZ$@9t @Sr'<*\x>@v!୫Yg+OuXկg/uhDuppPF4HYl+>L')xR5vb >}pXyAy oqsP珩S/ܗP*?iG/T@fMA 1 f---Eg[>F:yҐgnPO4̬̫\U'\KL?ɫxߍ ЄIh,d:b93-TpC[Wvvx5/X᭫'N@Y㖸&WWF:w>!5y.'Y kSд sp{˿`B<+ V(ܻ 1@rs9YxaF=7`TODc 14}^)B4Qx#ħ!O=tqvYŦ-¢j@S PeøIA{eVVCYĤm$4.,6b{jK /پ C=#o]Uei,?ߏw;JOI]^+C!?o{akk<P)h'sӧܧOvp1fl?Ѩolã6i9t$wޡC14asz (sU>?x+;Lpz*jgbfBL,ը~ 2$4dOȟaIKvǎ7x*har ,WQQ0tj=sA c4%ɧPRJ;{[Uo/cHշ V;w0-Mz 6o x0x:)MnVDбdII:JbY?7Tg+ډ@&SVW}%uuEst5\`w/IMEeR!s,snC}n詄(Ɍ7hB-C9Ro`|o ra V{lBdR))|+V$$5Zxݦmԕlo M~%I|G/ ~#h 4PCK.xocFAaM f>7hY~"8H"Du:i*Vm0Kq'. Voz&Q`V 14J[[dO8=;PRpLpx6"@;4 z|Zp.n4տM?ϧڳ#LqC D'`ƞ:BV=Mt"@92ȞwP Y_@7d"P9Y/ڙs31d#ҷc+-']QQx-۷@ukaziȸ)߸i#fbN?Lb7ǡɘkǤMoBhP,B> ł[mi˗-U]jN| XHI9 'iβW'Pάc}+01Q1׊x鳧Ǭ^~w2CT4OO8a@$<2<>!"VG 17":fuP04ўEXK@rȞ{rTlu:Qbqj碟aK۷ 츉M9Қ7Ja/#6AlS-o)Q iWճT,7漷`U*ۭ֮ "o[nmm/nS qdkxOvW. @&踆\Ty E0Hl~,}Z G8ZtSb `#<3p]UIV5ztrI&4G߾ㆇuecƻ/=!/@&3~Խ칮nl}w`$oI3!LnID2*q ̉'×4Y]܌wcD݋vЈm4~쩳[o4CG $qx(׮_WO}ULZENXUJNqla*T;[X9D*Կy+lf`JUtR <԰\\l/Y릓K2Y4:ک[3V$}phyoG'/Cb| 8z [$L@,YSC4jA\z[?:Yc;Zu ]j6̘>C虳g*GCizzxڶ}۷}㍒D@CL"'h|gw~ɍܳEE` ҠAx:uk`YB,HSO!X=;hn^,踪Us7^g=0ؖ/ 9}5VĆ' !ސPv}H޺U4kzu:6yIi)%~ B־ .Mwaeeeq=dhx i)iZ-Caْ:6H:q9t)GGG(M񃱻8S;Gq6a:(IzJAg[v/ӧK. 
0vҵݱC@n-\4I9J٦]7==_d~$ Y@3`6򆇆wСmw;vl3&riN*:N$F3AE^ ӸH}ti$E65D`=l:cH#3ɦ3雰zCBWEi843 klk~7*Cfr۾s{|7ZOʒ$JJܘHЀUG2q/FРsR3}_й>oC*KeԚ(l=xH D4^25.)N?U IDATx qʤ8$Q&\z @tV}C;yvtcpـ~YÄ\JE;13.TKo/x%y}3 WsYkZwóݣIɫ.ZXw!NB.~:m [>,KrK'=sXK vVƴ"@ km#-.ed=nH2#Cnl񫢙gT/o̟?"b{q'G' c8I&ΈUe1tФwVgU9dZHIFT:XxxNJ^a}U%&&KA %> {J5fu]T%A]Gɓ)-^zȂK gyV |d b/}sTϩw+пC0+(z'.]i eQtw$|at<;88aL)8[~}rIŧ,@)L3bNV$H_7.I}$@"D7ԹM6#⺉/bX^lxaGsߜU6]v   Tt(ea Ak\sqyD\#)980``YdsII D@ :@I(+2d^}l½ e"+ʩSk y+;7fGy$gbH h_c6`@j"@Zi.s4ZɳI)0CG@" ׃h*ֶڣ!74ڷP۵\_"3L"`2:\ž]ʼ2 :hVOEO5xv6oٻg6CT-V2;Sro IJB}8Klt,8xe9<~F2  bh$" f7æAnH/`&5O%xA\0_R'1Q1׊x՟Ƭ1&vu\r0[bU*n8Xg~B׹Xnr篙Y߭8!9":6]W_ܣ,!>dIT k2󕺦{OC>S<؛s]+^|s)**R+Ou&gyV(7׵Bp&-)a+bʚ)2t V5Wo5VAHk;us۷oT*@ʶ-d,otV\3dnܩr40`吠w6E;VjGU<;DoG Kzj+Q037o/AIC;$YT8b"o-4)T%%Bgy-V1XZI 6HvgOB 2  D4i9s6G"v5_Piy9٪zZnOw:y߄h9>,ڵw?fwXm/ZglK:m)Th}/ܾര@ʡ_Q\rF CiQ8D[!]tlw@B- |ܸӧK.b_xk -֛"ql/C8q9b$wޡC1aVh"aNQ6x'+X%d/M1na;og}-{nI D\Hԋk^EҒcm2ED@j3X.h䤋Q9Ԡ'Z5˲ULQXgeќ/ |{5W=y|9md.]4#|fN9/Ϛ ?^3_78F8pk%xXgacAVR2φUrɘ4sFCGA l$oMBΓn߾f9VO͒6 Uʶ-dL`U(G,puu-+~TY2cq=6UTGZByYFg^70JI DvbATEڌK>;Z+ܓՑ0t>dpU+^@яEO PE" !':6E7Nqt"@Z=xﯶ8O+{z1|kkc n|jVBxC*lf`y 9ѱQtQhʪDAqqt"@Z5N"t()-ǿ,0ZƀK<)R%{\^&{ꩧEHA3};F  d:y =;hi\`Z$Y7q$CAq$4R"@8q䈑h"aNQ6xfW\^qK~ Y@<0^JزGE>}t,ۦP:tn#-F:K77v! 4Q"@ qЁI@r\dlJ֚.&D"P¾Pj D$@qC%D"@ZZJ!D"Ѐ(nh@"@@ #B.][Ss Dԍ@_or"@@S p1KY fj}J4sܠVE:8acUfoءxMmd"@ M@Hh&}Ԩj}Rs 7J+-;x`c6"D"Ќ\8wa,zh7gܐ!}\Ww7a'd}^AP-E;4H&DF#p]ٓVy 2gp"ؑ$A<{oHrSmHW>>qO'rק>>qq+?ٕoS7nz!cG/_ڿsp\)Y%$ DI`?E{fl`6x VVVXA-OCX* 0v|!MI={0Oq6oBq(tӐ?rQ:r1ʴӄGult,clt,kܪ[f7ܿU־S{q| ;+da!-_r ?dqu' )SqOyv<;ja#E͑{@ĹhD" &0{zTLԣTyܣWr]}fqDtD_+uW*ƈ=Y_~w2r<۷oD{<)?Ow&>HO8 UGV8sXve7%Ck%elX *ƛHɸC'U.0sqA)\^I޾k%# -rDKm۶%KM74M6Z.] (*WFCQG*_J􆨥Ʈ Y8|138O\wfM'$/:f,QiHD`xȆZCo84'7UE糇MgdJl:Ԙ!N6=ge^g=lz=ʮ~t$DVB sOWG¢wme>m[f4^f zC EhB 嵱ܥ2Qs3 <֡s_eG G7mڴ1++ ],Rw2Y \ƹ%ݩV&!))r\J2?.] 
e1#jJ"`X%FVU`؃8;T+I&D"| >op&LVVtQ0Ya{3EE? fk~ӊ%7tPqanީĭ~e+ v{qݰw{W$ko\cr?7suءٽfxۿl?3od,q\UVrd{'eQ"@ \{c ZG!xfzo/UAHso,jJN"tsw`P|!y +TP~E^\*3~LIU8S:MKF)y#'_y@ ٻύq#=\o###\=gxb8B/Z-gO.qq=[|.sՐ';v[ېK?&oܘ).[~ΝBBDhV,!)])x`a}Tx|VC7L@-PP XdH _w% Z.w7K/5tAB;i Ds04KI1WIȒI#VjR[XuIfPC•U’⌣ǍZ\Sr |k.fjko%DF h\W_/Yp2dA~AYIYGOwCܣ:ZG7g0ࡃG40Y|rGyBQ+ 5D=Q[O.D_+uW*:7dP<ŠWqMLlLX 5Kbr7øP[{( kQ2HkElFOjX? 7cm>/)Q =oܴ̒on߾=djɿٚb.T1=K*Oj*J*QsiVQ:+.P* Q z7hkSXP;b"@@C`J}M .;Z+ ٚՒL ZD6JJұ)iW)*, +,*&*bI9Ɋ"@@&lV/jEO+Яz5B U+)YIcr1#N81wЅ9c`fҌ8f'8Tu6:,Z8J8\Cŵב7op7a+**5Gb⢠t8>,d"@ F- “gy3KCV1&14҈=S<@.BQ+m%I!4TF!&,2LAz;7lS}}|Q+bWzF̟vމmӿxJ@6>J~Aydfkmjd˗ܥ:m)0ԍ~vvVOv?e(; DB`䰑ݶxE 9 sRRiMOyoZ4u7ovvv-Ypͺ5ΟSя*!K :@|VSJ>k>QyIvպv{ٶGlڒ<SUu|\%uϪUU豣SҦVe1C:ȍYR@V/ԋAy@@@/zRXƎ{"VTr,MnO[;ƖJa_@Hygh-9#K%~|'|d,) 2kHkvD@` ʂ:xNH`W8thg>t8LQ@'~)&CZ!zA?!OܳkQ>b%Yo  }6n-yKBNSQ*k %e%a>8l;P:_w^"?|םұom a n_2+[5KJJF5Eܠ@q8abx*`yA؂>A+!KЃ=JWCqYyE4ƕH8w{ @<.rQ@@g*_4F% nSȝfz 0 a c bs5 7DF@bS!6Q# qC4jA@ 6bs5 7DF@bS!6Q#  aMA@ wiGpn @ o;B J W [F  F  n022@ n0Z@0qy疑! `qѢ y; @=@+@`޹ed -@`(! `^-#C@hEi@ 7wn F 7-J{ Ws@0ZhQC@ [F /)IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/14.png000066400000000000000000000457471303637203600247700ustar00rootroot00000000000000PNG  IHDRk9ViCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx] \Gd?_$zlLBV(h@A (xBPrx_PQDê$LTШQhKVs, ^٨C EOOL6_z^zo߳^V :!?u*EB @B;dA$'^$,B0A1&yBhZQQ^Y:Yp0!@ @DJY1 .&ȂA B0  fE„!Y8(Af!@,H tyD'G7V`I* eA4FCÌkA MoC"hD% B Ȃ "@(If @ H DBIB0 fE! B,J>Z-Mtɩ2cig[qk *f>|t֤! 
棏csqPO #sSI B &$B0YP!@D,IKʪT^BPƂ88: CIIȔHBL@@ knϾsSkGZ=L sعL7*fϏt⊡ݻw ) 8ק|1vzq)?ժJO6d(G-U0CA!((fA[#ǩ+H`Xq>ys{eeJ8QrbƴÅÇ >Vt4m]ZV1̭~]s[U)ɼx=UUUmڴ\T>'Ǿ;M6VVc޽5H]BU!A!\-o=24z_ZZA4.Yt}o('Y_U= (:^ΉZ= _kfGb!CѺWҒJAbq;w\)rKG l&,Oޕm\g*X<׬Z}c5jW'd,VkDO_S8ωA4.JA4=yB<6.vRjysy/?'CBUi sv?Y/acy-!ѧKN9MLO0Qտ\ vFmcjVkտJ"FF@i ROjJ޳*kKk\81aW7V@ ˫XLjog VKZB_H#=+h͊TV$Q')52Ԉ/!O}4a;wEQ 'Փez=)$hD tYb~~# =l^{.^Aqvgi/"&AVZ\L.O!(cAW4SW%pO,9oQޜ $ȁ'Kvffy~D+*ѱ6Nvҽ0`[چ4,^v4h ^ݦ͛BBC~g:us- 0":2]vL 7 1zDj)I4"V׫b`El\"ܓȷ/]9ᄉQS Gt|*nHa̘ JHa}Yil_{]>Kx ˄xӰ[f۩Մ@!@cÚj"4Q,\B§[;#B`dAdIHh9v35ɚ(k:%Z bN5uȂh1i1:JdATRIYTSsSG"@b"GPHkB%I(|g;r?JM^Ι|FIcM\ӺGKK@J {vd b QB!Pcx!4 B̍|YD]SR?HEP!B #zX 6W?5KwlpaC (cA0``רHbՋ\%_.}/bA_.ZC|IabMf1lۑzŚEKmFF4Z_t6c7V*C|])JJ"H/jy73By_o+nv|N2ĭ\GenMe |U%gޗ{0))VQCT~8y/|J3\\U?3#}CLO>q퀐֭q1w| mm"]HpCFߵYLǎ#6"`Ba$Jd` C&Kb6*Zf;CFH\ W KՍ0RFmd0];q1NJK/&Mp_kڦUV[W.x{j &}2m yUH7oc!P{ݢ_8rdMͯ[k Bμٶ>5Rn1tx̾fJR7*ҪGXƋ&5+rBtl-l붭 b0~ҔICqjH+SXD/1D+cA io޽z{o܃=|=_;W=tcTlTª0$sXg`H 3u6&r#ߗ}߭[EKqy"EV!$I|ݏGF4F!@<<oei RY!~M9%,t(}=+4b@D #j{ >1K$Bi"\:lL9 5ɳ5KX&J_dAuP)ZUC&41 Ȇ B@#sk!zhVT{r?[dɂh#b/`!`i9E2\#(ɸf#QB @cͩ-悧E rr"9 G^ +)mzP˦wNE@FA->h!7:yo677V&!`(`A pս>8c.ꬔ (0y9J'N_rx~Cmm) nYP*:dXvZ14=mcfxuww7t ES?L;t4eȑcTZpeq R7gE`uv]z0k_hk&ABhQ/{t s^{%8ܺwڕ8Z"2<2fE%0:__a':qk-Y&*(?),Ie#А+ӧNޜ93$w|JfGGsaV` `V9s|/BaRP}Ɨx=05pÆ$hxdaXpoëTzCW1%i߾=&P[QɫV`$ zeڦKKF_ZFυ/d6FD+kژK,aNڔnޞ=.6nӖ3Xfַ #<~Q[(Iܡ~-憭SY kĔ3zˎɓ0&"*@F`n`XKcDM$%kbYJ??6 ӧO{u+6 ({6P$}c1*QDf\; #*aMm[TGTiZ8e]'{9#hC:TP9F\ZfAFHCO񟒐5i]!KXFB.mNV)EG_vEţTQknSj"*@AeCf^ )\(&kIuY7\nmJ3,c%B"kL2ծeɋ }p.(%˭EX)x/kru čԱ킑f؜0NKAƮttv DDKYyRխkg\dɓ!`9(9^׽\5!E1Ƀ9#!d&ElʛH9?,tH #B+J_dA:9z;w^xD&ha@kɂp`dٸ:h&T^ !CL9 5˳5KX&J_dAu@Q/-~V#jilH 1EԻ(LrbW<K#H)!PP˜^#@:E 3u위EV>D̪%v=-=]R!`  Y a+WrqǨ0ш L1laGFPNڜ?11;$7lNcb%'C fm۶uqsMM EM& `R@CXCa+]28JJ.**x[xzq{_ۋl $H2 Ϟ5o֐3jgH9|W^^3Ed|dt$%gRP̂O^* 4[7G֭L aybg]$mȰQSR2J$!0atVGo֪]eq:Tm^T0ϝ?E詸QF 97g Efca0ai(l%]8ybϸ1^ N6wo9#١ n ؙU\tʰHCଝŀݎ!̘6r &#91`8<Ɉ_OD,Cїc/^g릴iSs~vuQo,l%֡&,|v,%X9!Mqvr]?.k< ;;𿄸ٯϦKSVڳkٚeRk\x32k,ZRPP$dsϽe!׮ os% by ).zb_ aZ<dsE@ǺYXT(ATVbma 
$0]faUҦSW$LJĚkUU%vHN dA!3 $oܪH^^}EVR64Qr|ƕ~S*ORץnO߈#h p&!9a^<OK?{n re|?vY#z0O2wˁ][B-}c1̸ps v?)W.잳ߖaڤE dC$O㬘KnzmgΉo+}qfۚmְ V5K۶>"i]ZĬP۶m |EKW.R"gGr8չ}$JSO͝nPϱ²J)Bǚ9 ѿюZ.%d^U <)$zcHs ϙ`JXIU*Z3)[M5O$NHH\jI3mG V\G,LY847̤{biŮQ_xD4KN7.$G'dnbcn,WE{vUVVݽyw$$#-ru5/6VF{v'$&&Z&wp?[9z9!Z,F,&3=Rӑ =An$ ]4HБhlђo5g1^T_AcfbØ:#ZT6|1iY~͟j*m>gr1 Ak\Bw1&=GT8u; GLQE$cIcaeeͺw|YN"`Qz-+G2v?zEp?׭T#Y@(cAf+u+|p?9LA(L}O<ڽg;Uٻ lkz%yQ=/> mlRg:9{anݡR(fAfNټe3ls$J;b#o<#snC gEBr*^\0 1'Ϛf? 1.dzugvuݗ+pn+*9%eƋK"$e8sS6R?1m3r'9L'd}1yk}ImOdծ pW ͐7gO?mp$FtKC@Fkh(fAtߴ-۶Xm ha5N}gۂY"FfG"b_L06>dF05 neKN9"U#ٳtWA])0IX">߶wQ/UY1mk^I*զ̟.J*>akSx: \q;[to{Պtnژ@&߈;V3"=r+řIDAT&vqvxк7{݅;*qnjڰU5lJiAf\O=U_YgS/H!p]<:cx.07z |E^LX)V02 :M3`۹0ݔdLUuo> 롪uk@8; N 1ٴEc>NHOazl{$w,V _s2sƤ%[E1DB%°r :5bț+4ޕh8e ) 5fr%U>do+GkgHfm?9A!y>ɭ w2aC%xwdaztBmK>@AkS}p>/>럺/XbDb,*&x)P]2qj{{GIwww᫪?sb|ft ¹sVZ1> -;ga.ф@#"soc%qVUfc(XL ~ 88FDEL㡚hۀٻ9B) Iژ6mQ={,YT=b0 ٿ/gh'>w0o̻vl)]ȊC,oMa e8_K ~ "IJ½`(#$0+;uj׮]tvK :ժDw|M&}}|d}U]P. FA@ RT\1HHP"@֍i |hں=ǭp-9h2)2"B 20{V}3$aq dk6j6|GUΜ>3ryh:#Lb-_@*k LP._Ьbe1& G@ M/송H1;'cȈ4!@":`Q@҈fPh 6Ǒqrm.UAdtk!@PƂ8;9ͅbzb`Ylmestw6$ 2[1D7Pq|ANJ$=bB32ϩw Ovv"GVP*XAd E|B`(cA~Cx:9._쭡o Ezh2)Ӿ]`mDF/Os1`Q/F Rp^+CC@YL u(tnhzj:-6SBM -H}OaPԒx=<"=ѣcǎ6agλ$F" =fnAL$m9{/^Y*ݻ?UD,؟|qbf<`ӏ/BһZ_r$+;_c8[ePï~ L,p=G aYA >t0B#!8A6fxev{ f)N!7߬U٥[᳙~HѽG6kW~xblcЬ FG,)./t 0k"l0=`U*Lp443i/꒪zJ⛺dܞ>[X. YaETL|}{ rѽ=qvvfNQ̛CބCfL@j5Z'X{aւ2@@LTQ"dALX+WceɅ~z]ʺп2!d^޳f2U`;ƍUbg/"h8)8߷-|V\398Cӌ ߫;BC?&1XR64|:fCsi2T-{駹%!<.6.kWVcYsYaq!d6oSYq A\o3 ΙQ6N=̳vB,k/2I!Ј4b.@*,]  '\yjI 84PAf#ۿ}JE*@2ޚG BI#5Q`a_.ޟ.90`" `|$rFN]&(JLBlƭ2x%XS#cfLY\Tu]}#~?0,t8=_2%P7 cI sB=+x_`+nbTqcGpf}UjEb`RhCԙ1DU/XN#[8j%iʴM[RRSUXx}-"^pOir 7]mҿ=G1$ddͲrEΏ\#)3w|żP (Ba3 d ba(3REe$m"isЂ}'ƒ|w폷j݆7N>dЛ.]7iM[r4d&ACƦ Mg1׿T*bbP#6C? 
y 'Xy㓿e,ٙQCPE>qI^LI;v7P2nZPEGﻵ˕h%Ǝ+CNr3O8w'("m䈑Wœ'k4hpamo׮223->zo.])rESTC|aYFt/+z+0(\ləoΔbxuƔBT%N"- ̞?Ν;ӀEL^$z5EPpYSFHBFDKx)+veg~+o\E[vnܚ&,O88>]><)](a?3<R%'KY,Q 5W|_"QfRa(5/+dr(x.u@|YW+Xw6|qo3e0O<]qKzgYƞ7IR!e1_7*bZؖs[6!i2mkX B㙳5pkk yAFi3R[[2p)B$C@@YL}dwoJ/X_MEp& Yo4,e<RR#̃0*GsTܦiʸQ _'.\h+ Eu$HD % uA56:vђEۮyRlx|5^p)36HUw9 5glaj\ ǘF\6)`R*ǒ*Sb Q]T uù޽;8?!H!`(#$x..c7+5^1p`j M3\jߟ.'!%1 %Nvڵk% #mR^| Ͽ3aJ A!#@++܌beKi"@+MPfb YU'9A' [[|ȂK 'l3)joo>4P7%M[ä& *2  - ^˵ <@]nO/S @NLeAD_dTJ!BeAnI If!@b̂ B@ :pP B,Yp0!@ @DJY1 .&ȂA B0  fE„!@ SNS B@NZ! 31uڜO27FE*rIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/15.png000066400000000000000000001121741303637203600247560ustar00rootroot00000000000000PNG  IHDRf$iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx}\cW&jWsM+TWh"h_a雮MJQLS"-c]w8avfe8y9yw>{sw1`C!`?̞OEx鳔C!por\+|~ܰ¢B6Yp%}y1q5`m"p\Y2Ɇ+9]-e05.c".C zAضՕ\Yx AXV{3}Lؘp?,b0 `>4C!pC+wËLb0!P7V>vG{>?:U1qGk46+wt4R}F2Z-s\j9 ڰzf}Q 9BEeVܡ\y_)C=uv( M̭ɋ2x?0&Vαʝ{{a \i+uK/U/pWsMw׿ǟ@`_FXyܚw? wj9#Ql2uvt6clDm;mccO<DD\T$K/ٺmu?'A#ٱUSoO~+W.k?x}۝%XE0-;y{p|Blr{s:vT_v:ΊegGo޼ &.F<.~4)A`]/ELH w"CZ4EE^ /4{׏gk>(}Ш[r9zs}PXx֢Ħ/HY"zh+#|F19{cdٵZ_gM(AJrôw26ewާ}AB`@m]m8AZd+6݀X6=EL@ uV;.Ope;:t<Zhp|,|F#g`wKʃ6W{KN1׽Z'.ّ446kCiފy)f-?_}O;=RVTWbO%5IKnB𫴸tႅ:6tYJceueo!ZO:6Z_Zfg!ܘ?sx?u rQJBh$?h{G|0QJ]J} y?qm h<պٸr)F9__2?!#`gmΦmyG-rrd&Ϝ<b,9?-zc=?ױC9aaŸώ &vFF ~ňv洺\T%?hK.=rȐ"F<~T^VccX|6׽rմ=H|!xke7_}Ti֢->w0Y4mxc W+?=br[\)p,`07IQ6صp۫.^j+GmFo&k !>4аA@d5ׁڤ`&uZ,V".3$C!м`y__;CE P'b,7p8dE@ZG,g&zVWǿzj޽ec8>#>&`:BUVW7 [~^*fm4NIXc]0C!`A:+W}WY@sv:g;bٻ*H 2&C!`4r<$=TݻK[N4~GC1Oqd5k&C!`XuŹŅEBN9"+ߛ?p_ 7Eӳu\_yҷ7s~2>s`_z+! V\CI2E2`0Z&~|삱KW+kyyд;L]g'>oCqqc;oK8 Cno{b ]]y}:{sq!GO6Џ?eؔOE>kv򧐠AIIXH017lˉx"$sEa0EW>5xWA| hUL_'7"n\1޸jzX1kEt|+yi + ;w\<{!HAmJD^"3L`0Mz},4x֭*t}w<~l, ur,zh]'.%0swL5g؅^5I @C@١3Z?yEx+×tp%mu:S{Ny[~[WNҨZfҶlߒE׫^@4wzPn=(C!ΦK1Q_Rx Cy" ;+vжdE![ӊkݶqmnñzyy"b5??+pf3of~%lFn][Yv {tA݋/ͯfX.+ْYLݤ J~Bns=ġ6C!his׮2ݼAi4}B>>6xpoŕ.|x`B[w-و 7n`np FAq=kXgXET٫ys{c &@ʛD[,nb/=x3F@ WHf Ƽ gM3 p-ϱo^[\p-Fkokf F!\EN[cy!~[ƩȵŻպ\\g~Ǻr՗:_/.ՠ_ړxnzO+EZrfqSre|ؼz92>:l<|4f9b)&C@ WvVq՗ JAAH V˰7gڼi^/zo#ܪS~ gd];v=42|j@•zߕ;8Ovt $E>xis[bDhBXjqò eW.%zn4>8HHHW~ x! 
~egk9KįˑV Yh)3z _~=.$հ /_ٔ>2W"ȄςݪȸaSlGEϔp'X+JMwLnLJ` SJ6?q8ZtETHbď7+=z qYWM4x.FXG>P6D"=HW|L0G/3, QU["B) $&lU_d_)+u;k֌鋥#n5itprc.+7  +oӾ_FI OtQâ?K)_HtE}tg/ԨDhV4!8I?.ߙr_r r|" 7zI EIX6Vט=#reGGݝkBӺ\{o1rݬ^on >n^Sm 5^8 @@<-g6k@ҋEV~*{z=@Й[wYe4v0\XhUꄑHlXfz̞~({}#+W\9 Xf-fC1"fO8oLC!h!hU[⬛ Ch{N7)d0 \YHbsBnxrt0nh$3m`m/M2L۞j`i,Bu Ѕa2ec@=ʋs F:s >}F B)YD8qDž 3ڹìa:s/qS(~|삱Kާ!x!(iZaԋlԡ+@rV|V;EȶA:I!LI,X653Q>=F_-4.*n]X4oncia[$aiLEFDR7۽ގ8EH‹_du-$3 \-jsVը;e,ːknC%Y|9n_>ᮦ'gB+}]Ԩ0яdfAC!5j^?{tA~d;BH7"RP(A`Y(p:`c˯EfȐ,Buֶ5swuun!JG~S ,V55Y;-.\w/__f7/<5o!uwoIݢO>3g[F,BVj,Bl(ZkTpv2r\B–"$ԦLKff#ôJ>o7W= r^?<\ EgYZo7b!;EH}rYkFap\;8DmU+KݢN=ŲKAeVMb]7eG\fAҖ !cO4c[p`FϧHDn!84#ʐ>B!1Eُver!i,:-") 5F66JE?k,B"X#ߐkUȲ5:E^O`VX3 C! |˥=7sSd0-! >C3/uּUّ[a Ci!01녫f 4G 6C!rUY7Xʺ B}[&fa nWˊvҢ֖64UV|VMJ%FXK`^"#͵Oɬܰ0o$V=ޘ{9Wՙ+g|@#!p=o;z)4ukWy_7^&y.%ݹ#;ۧPaC}^gH^ኋ+?)zkU>TjyoC g7b%]|*ob6U:WHatA͸7߸T<-zFo.! (;>jm L( KW\F|WFkCQXXvq8plm^_Bca"bH`*8E J#7̈*rJxKa#i6WaZF_j.*Q$]۞7p3__opFճ5;[!S~`GV0j+Hؑ5k 8o4{7ׯ.(ՕQ68[HT'8="-z2{]}= c;F<]R.s|BV^ԊA}a~zm|N2`.n{a/[1$0|t+IU"+11^aVfp:DfO }KWϭ >8?^"RPTS4nΜjy.tLvw@ލF4酐ƲBdrʄX"pЮR(Nz:&yXVI~966M+wY0=NVtعm|?0t"0cĬJT%un K91Yyyo#SlEYǠ6~AlFh@zHC#hp` 0X~mAѼ^t c5e5ciѻ'~˖|P萏E|ZE&i,=Ee;mʚiOͺyDm0bH}?)[;)[xSsW0A~Q@gQ|ZcI GtԏCk:(܅ap]̿z׽<}WK/Eo![3G8vy-W% fdÜB(MVY?!T-)DX.gcr6џ?Ԍ2<$jTvG1Y: Xt 'ѹKgL\1wwqh?B)UÇKޕKi4HI]gd@>fs/ɢg IcvJ/ǏxzBI1[a21c ]mp®7`"x: @~\Mf$v DWov=&'oUp3VqxALsO+;+Ǭp?D[eNܻ!|~5…SM7DpWOJSTo_jZ9RzJDإVT lr $Xee5N#350rP@/ DgUk--nVr_o|y( ?~F+ݟS(,S|o>[2ď] D41u>D@ΞmHtE -FY~{fA➶mup5X֦h Oorb#~ jij3R)^ȖzC^5mo[cj#k2<|p?Q@N>g "[l_ZvOڽ-ɜb5ɬ1 u\GԯFkjߪ{+aVo\~1ru&p%ި )CYȎZ\~ʛŬ\Nq3߭ )&0 {PfTAe`I`aGC!p&α"C!`'I/Ihy[l^yGM7zQ5Ahi.~8 -\9fxs D X PQWU/R':m8w&(O߱롑uV2!`" ^K?;=Wٚid QZb! 
T}lcGBANCSA]fM)XJ>>0sL^AXuc(ԠAf^n00 4=uaS00e[ǧg-5>5{PHMw SGˆq^ﵜe "6=xǬdq:1z<]2r30ݖ>]Wn]ϲ^λ.>퍥FpeF-6ypbe%DrrJB|k+uyrzF0!EEXyC3k2<~93NáԻٖDUwJM> VB_ M6&ڥ?'i߮ZK< ꍕ*(>&mY"$HLݷwlxs\ʹ4jh0`^+27(WArzZnQFLլd  _4K~kjt:т=*Ҟ {Ϫb{txWO9 pO^W-xB͒QCx%cؓuqRQiia6"to/H~#9#9K.L# k`rZg0"U WnW> 껪] d0Z +wzZ%0ni)09oꠚ=}gR&`0B@ Wٱ#7K$7kbl~_>3r8tyXٺ֧%g;hnට\ ׹;Ү}<>ӵi=b6{K-T@PBAEgFSV"= n:Si鐔㋚h:Ydr+BfrǺu癵Y St!BPS|xn\D5rihf=ďCϟ )`stjOIU$kP5IO$}91(Ik.+AbXlx.Ӕ5v.]ǤMISB#GSH#PO 9 z|]q:sԕSS=δSLhtӎSr]RW(43g~o~W"훒̒d4FZr&S%('جkHü恽V3HFS!+ /a ިKCCT ge#J#+&&|Z|/r?ʐihF/aZ]jB=и7A8kɯM&lYt}t[?N{5z${ebç7OooД)-A8Ko*:p&mrǚo#[Ӵi"7uV%LN $Yży K\.´"ā1#Kr44TL*/$rوi{&/jp[A/O\ڲ (Gc0BژnR5`PT-ѳA0ljQ*mm&􆰜&Je'͎$5jpidYF*}9w8r ]z%[\q-ˍx(8*3Z" "ы̎mAԬ\\ 7/ǃta$Ci?r\(w^htӮg6U~),\:v>8 Y9ag4 Ó? j9ZXfC!hr,0= 3!`A C"fM1 n{j$:]CEUU h Wfv`L#0۰ZLAhVo{ 9u}^g{L!@ Sܪ|~U۶8#а+հZw5״h[ԡK0C!F@6~?jK]tOk[ٚf+w$mM B2YRSM TMzGkab-,V/iK³f趧6o]ZE*‰&N xpHEݹ|’ QD*Żq:R1^SB@2YҊY+^CZ DK$9DuY! BYIZ36N""BAT[[;lNQYuhshH&K& K -F\Jkriԏ%BVlh5\HظWǺ2 |&11'{;YnUYٕ:VJfձVdTD@"woIݢOבY94OǒP[22VFlmy^<[9X:<#7CMZq[H1rJA@R!aI'N才%!JV=5췍3k2<~93NáԻD.&i̪ccc4;t3r8tX>DrIZ6+g}<>ӵ>~:6#fʃϊti.6TtdM3mOuU?UDѮ:ޏc3N1%>StWw;GKZ=R_㫁2fD ֥rD${Q]Yy^3~ҜIDUQ^?:wk >8fIW;/V$uBzG/=rH0ƴN:z^ɢ."r:br2h7.*n]rӊD\/lXxV~YaMh6+ g7˫oZM w\zyr/Wer/?.[Wp񁧟y6+8]B^$aw7~qh!RqƏ:㯆bCL~霥 7! 
r7aytRwǞo(4`l@/ۡSԺd)^]$fNUWWa&C2 i%D' LPנ X D<9$QgoffДҋD?.hL7,B1:T-A $ S;(H 9Xa3YܼX,{āĀYέ'f$\a :@T~~R٤<[{b+u<ɾCBj*:||`悙X;zF=p#UW_ENZWQbZ5rʕS28S ]r*ζ##G`vf`x{eTbyey%JzNd0~:xxdZn0hj&^QI@ f996Eckc^C o{xMWK¼^ORUFwYҬ$50&`w@QNUwӧN /,0eHD>A79>+=z ւ¾hOk1pGڵ X \ťjOO*|6iأ8l?"Es8]K# +̉YPFN5CD&|BʱccCg`Mi!qqaSx}n$]C SE@auV&Ģ]Md~]6c`[Zɵ쯲!NbZ"h :ҭ U*T)Vt[n EKELP_nFAa{MiG\B=ea'rcjďLu%>Lg¥XHP.>[<7t.fgA pxrzRB.I VCyNL70螣hZQ*d>d|}G}~ 4'ЭMZ;w\I%1cWƚM`g;uާE)vJxVnVnA H]::|k@QNC?º >tYu&+ǧj_'b0lEwʥ/ur6y>g\g|%Ҿ)9juiOPW!G2cy㦎m.zt#IjH:jkS+^/2~ ,{MHS G#eڳm'蝛vFA^:j*kyČă%6X#Q TK:s:}F.yceJaEIz̀5VHbLC!B<4hcm@]0ֶG)ra[Ic:j6jjY!`8n{j-`Y]dig;a"A\+˥/L =-[H[aDs@@E Hnd(ɛ!g֥JQ|)ܘϊf+*.oRﴙ G%;W\Xr!u>HY {n\7~ 怀EϢHI\雯p-Hfw&D潾j![AEK3p9n_>ހNvԽee,+(S)o@*XE@S2HD|OODި㇏rw ^=|k_[5] htSXyMWcǺ2 |/ GL̉|[Ue$"|񺱜f)o$! w #%P| 7u68.G ڼHr|{UϮȆ?lY;OUflB3f|;l6ۚ=\xfM/Fvi8zאt?;_u|V."%v%i(ߙ" whN2/_. 1EwN2Rf|anP*Èf@He+ ZS[yt{ l{T(1 B~Db2Ery$rssrz԰(nմ8kr%7O4-v|?f5Y/b[mcQ3; Z2Le7ʶݎR‹ nɰ"C.0"ˋdbL"jV.]1wH] +2 #È;ݫW1 dr! {[;P؇ۇf0nܮ1rUNS`0EH} UmW" :fOog' `ri0ffmH%37}f֯=׹eM{4X @3Sdz:]O(i=b6{H1#b\wDIAK忿y$+ *Liծ$^NҸ/܏4;#jdhsB۠Ҹ]'wV O"ۜ%#j%pu=iW}ݛ7&x}yO.=|{齹*{qga̵/-MӬE"Lvm3g[sfZ9KeZ3l˹i8iPLޙ̣+?}~ǮFF6' c !g' B :Ejls-mOq\QGU_M冓}㎹m7 >^]$fU]]FjP~!H"C?{ iQ.  8&s_.oUKmPg!⩈3^,K9hE.kmHHTWV# TSzMnyY>3c2>#aw.ywxtq>>0sL E9'>wH_뷓QM8~5zT">\i׮z朮ĴjFɕ+wep^'R|U&(HSr9epbyeyOSN~N̂j*BOO`Z+k(K爐>G=1f-E2M(+d/??WzA P'c¹˝>uz`xf~!9gٯFmT?u%q];zxpHU[oƫ==bzlH"SoE2C4@0%Z=Ip4W?9ZB[aBXɞ2-dݖ$wͧ(+0U79?h.Z;|Ynx9B$E$QNrMU#STt[n rBd'.^l>X5'r|vScd2ʥ֩&~g$+/. s M9eE@/]NE=^EZ=dR ʝRHCB`!N>hO]vºM.:]Ihru~Z; S Z@>-<+g'd|]q,>p/Qcd&1Z Wn שđvI]̜MW_c>Nfʌ_F'|}Y;Z|59KZn{wvUѦ]3 k LlH.C;{S69Ĥ%Xr9ehEB Wjk΢R?UHc+ Us+* mtY;*ZtζKקI_O:qű(*i %$pK)ggRlX߻)sSp3q.죰GԄxiqGfǎXM)srW`\k&!-? !GyDl HHҵ9XA)#R>}tTqo܌gf$"jd fk[7:jh_&Lpr|r,a-mOE10{Зq׊x)m M_ߨW) 4uSDXx(8*XYm`+wUk͵/UN@!E$ kɧ.8H8~0PL +&fm 6U~)|Thk$t1|p8;{{{߳rŒh'LZnn{j`q23 @A@`aO4:`\۞-ڳ3 +oNW!hhʵy:]CmRϡ$ 6+dr3iC! 
m¢B!pΜBWX5E)GX3`Můrg%*_"1 •n:ݠ4m_>W~3D5fv%.W!K]AVb0hʵ5hYR=|!LH6(f+߱z'*XOɑniJϺ]v[ ҒQBJ;^ iaϙIM'\ݺ'&d梯O"&֢#rP\Y9{IqߤOl|W)xYm62U2_;w\<{!H& %mJ4g|8q}DF zt^:z=ncR/Jɰ; @4 (4kU޷u}_tߴ\t:0e/ •k:+}bclDE&2'2wL9ٜܝi;H懘Qp咭 AI=XP$C}l]V$4ބH0)vypTK:'dDBؕ[u.n7E{y')"+tVΙս|H <֕*&ƃI,4rVU]롃B:qUHЃ|.+gDQZF yhZ>m\2eW(C;趧r@$7bh+'{9gq8qJ[۪\dfI)e5Im(c']DwRgL$t}t0)٣ vV@'Y3䩁tku]$r~3[q.JiЗBSW6>jmw{bZ"oxU|.7Fp+ҥTkSӅ5'X(urTy~w)jGͦF79]بoѯ&k=rUVVƌg(S.aCՕ) )yu1'͙D5$%u_c{owv9n$RcڂUO=`Pk9n\TܮPa6 cS k9 GM'XCT?u.꛿Ve]'i;qKUˏ;k#Y ņ̣zo9KJbL#yʹL-깨6lΐ}>zw̚[;URH /$gSPTE,—A 0lˉx"$sAxZ"*=; OEu 4KYBb fi`"k*dM@,ž5|?$+$ V ´Ek+`9WqɖՌ8uzс4,G\T6i$+تr]h;ɾCpPaMH灏\0Kbdw\趧sp]k3!PEiՌU+WN5jO)t SH.'L:Rٙ2eP‹_dCsd,8nQIJzjR?<M&@5 |LȑDdMRP&k`ciڼn3\䈐>=1d-7k,N!b=ǫ_TTTM0GCeﳤYIk,`L;UZ =|LAMO;<J= $/Zw3\ߑvk!7WqӾ f& vIQQenf9.dG! W#˚DXhX0dZH\x\0ev;m7lQ^Q"pt4meZlB,QD4 WTZɵ쯲yIiULLHLrK.5(jKXl@Eg&ʌ!C/3/Cr|IvsXܔҎ"b ׉@8.+wkd5A(%.O?J=H?tYu&+ǧjl+o$DD? mO;fNEővI]̜MW_oJZ]|4yp B8}޸p |%]-HRZE*ԊI^ҩ#Q_YVN_wj&ч_Fi϶wnra^>{yꨩ;?3[ͮ^VKXchp':'кܿ=rk^]:w@ !\cˋ `{< Xg-m% [ᄑ7eÛWުLK8O˞kxV\ޮqRP/$ka'#YU$idMZt=&qڄ"`;RENWTT2 m|%LKm^GfqpoM:ɤ]{{-vQ D-_QzuwHkQ$.*tſ )sSpq^ވˊĨG>ɱ"Ȭ\G.MO8墤ף#_<%Vo$g$gte✉s ]!LyGHy9nT%E&/jp@I_e7PuI 1E zft*sEIS7>8 2t۱fz-]M~ d9=CG Mx/ZgҺ_mru3xB͒QCǢD w힛%%χ*8}s2D"i7`X%/R.,-A:<>1lOX\q-Wu<}aC= v]Y E%~}Ӭ\b\ 7,"!xn3d G .5\$ρgk^J˿->(:ٱkGvM 3>C@O ikA8h"`0"\`fv,'ja07*L9C!-\fǮjW`0ටG-݈5{D{M, ,eXgF[ ņM  •cvlWUX)څߒZAy-TrlX ".@V߃s=uz'{HO~ Rb^o"^~Q ኻUMRߑaDr2IXV/~/1$T{{ߝg]2<hh©EZ̎Uۯ$؀v?? 
%<,ͯAz_r SzakжZ'/w'N\:>IDAT|^b%[,W?`,d+mR>#\p8 䵆( fIu,N?eB&a2[aGI Bd<^KvNض{S|#9wϐ =]ȗc'.G@Z,H1-= 8ž5F0ZbcMFA"SNVH{nO̚Nc)TvitUwv厒R`9dgV f6c-k^7flZK K[S9N36wE@Z PvQ.Ry r԰(Xl!zm)Tvi0bbN+wl #"h>CP| 8us ?eI8| ɿv"3 Pu@m$.$"ܒOCa [T+f@#rJINۈH`"NR8ѪH~(#K, !C%b`0~3w-`sizE@2IZKfAR0^."ʼnOsOo H4mS8٘"mOeFE!'XtN,`okQqDlqsr:~sw ,$26WO9 SZeAP.44hh˗/w}{ ~\DN";[xQEn1+wIŮv۞x?I +mz_Bt/z%{"Ф MxβJmW Į"8n kȅ7 =V!r•5;v"vU0Vh1`Qh0!ҭKҦ$e1v!`h]]]흵cwi*gul7⸝mO1d aD{gBU:~!`AEۻ(tTQ7rW &517&z% c(H5!@%3Ȩ#qܘG#f-u"=uIy =MtOϣ{k8?9s8)eD5+w< 4gG5H-rvwwu"CP"@mo󢷸8ǧf.}(0/B.'pE ,ߛqN˅3Q"0.']ڡgJ nzR> trCрY@#,BF=ijzo:>㘝7~ce0#gT6<;}ԙ  >I5Z1 D< a\UP%O?s sJHā keĬoP]ɞ9 @XB&=~W" ]W)ڏc-rVcY.d.OɧȭܒIаqD-)  aHQ%u!F=I+8HRRW84iN[[ą9/,ڣ'Esyͻ]0Rrx'r-ڳ9ۉ,BΎ@%1A)!!8_O<@ֵ[ˊeaZ z=[{oWөt 5Bo95DLSa牃E%Y%j@u+ KIaߡ1g*!FF==I=(ۺ, AG򸠴)Au`>L}:'H#GbqHpHwK- d6bq lWnuC;BM#P#{W$gW={냝* [IpQ"]+*`A!}uE!{ MX 6`s`!Y6^+"cOʕC0e%ˆ"Z8X[n,Bۏ5""xTU9zdĠ׻յt~h;I|@h1bU2DD @nπ4@@_8؏BPM1!M!MQW!!D@:5zN_!V.Y4~4[_.8E+w,4?o`;ilҊ+N-DA?7BydfP2\b*NI|yC@3|p (\!k6 c."`TEH豧.vgY#OtZ}VDKWz(/8w,۝Ҵ2&[ֽ֌2F',Mz鋤f+~̊<5<_9UB@_2ݍ,B*U pjyכC©-l* غl U cb22b%'-Yڋs>k_mm?pJ↕,WzLwCZu\1#۾>]}R*N]'4MהאR뗭*:|R}H8/U`SYӚo!X-G,0~vmFS3r2U!ޚE*dR4zN7UBد7ſN}&. 
{Z=O&;vVWp:4\TWpUq葒t" /Jwz{93\!5BR7 &Yvךג,a{zcg){z67!?L'w@FUB@ |nByR_n_?0mvS"\P?C@+oi(+R^Yqq\YJCFp2PH MMˌό7إ;_Ff=}61-44tuuI\ڳi<ל4&dYcI,,,ILxk[~$J R_2MK 1=,BnJXgW^R;Y`-V0j5 koTkй~"fWdE 8)9yrvhW2_831C{D@W>"s:Y,d }%/%j]iEHOf%O8 @s{ƧekSfab _ kdhc=uEбD@|!R @@FW;h" Ⱨgt>W>E+"U`a7RF=``7l7 7buGawĹw]P^pXjaPeU~ocٗANt~l8є I#MT6qdkwGU!j:.WaxW>y$'OZʒȻ]L=ooaejq{<>=Rp5ohAvJ~T'/A8"?d~k5A(9TÝ"ֺk+x!~A@U9xŦn' ~*qbq DwosOMOo@Gbw=;5 j?}f'yЬG@gȊ|4E_\:wvب;VdMOBL4 =TcA\4 XV[-GA,%5%oM5Ka+T1~X ['Aݸ,w@ħ'f'+ONp)J.@VCeiK֎>S~#0eYAc=a)@=䶹n Gm0GwuغtfBp?pS!bJHY|GSr 7wf,p:ipXTsPvu\~^zٯ۝3`xi1T%b/H\ >haG88rQ#W!'?:>ƌG:.1Kp{L\gaE])\aTx@|N[xv )SJ.Wo_X8E,)C`oJ1K%p|}&\%Kb}aHN υG|7 \}N)Q\)yOV y SN3 <}[~=aɇN 84~[Hw6^VdΩ!4mw85}WB>+(5M(Q,\oJ9O~5nl9T oAJ`,v_9!aM={v=c9g6bqxwR8((1K {lT_zr1(PQT㝛^r0*RK1@Dh.>F/+?6GHQD3C"@̇n'*D{pXzѠcO>J`Jt?.[iX" ~+WE)\a"0@>z|EFL;X/X 5l" SUy@ "#qU" _96{m6<9 XlJh1+?!%D(spR+Te*#X_ءpQ'>:icB$[/`q#!Tm<)hԤbV+:=zԠTG5Ϯ 8om{mpJ NI\]li*]RZu*mF󌊀*S9 VɈc,dz$sƪ=?^>FU%'#EH`-F@@YtdS3X"BS"4p'-b*W*OpD%o@!ixm`r#l "-rr#"_qU#. _9,B4ho}ԦTtj,BU[q~-rr:?6xl}hv@@Gr+lb {UԪ/0ZX*0H ع2J#Izٸ`2ZLJW尯lە4q*}?ܗ }P0G_|Y);Y1Ն928΢ 6ȣ/gˈ6V6tQc_x.8fآk#ﶟHCZZ \L"4G,^Īom4.[V|FNR\oȥ~8:unq,s! 8%ZLW嶮N76)R._9>;#+B! P !3jKT..y[E=޹9[XS",B; ,V!rP ,x}G/D`#,B}afߡ@!# m ,*U""`xp*7|cDTn>"] D#S[ Grw16@Ncl!"GaYIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/16.png000066400000000000000000000706721303637203600247650ustar00rootroot00000000000000PNG  IHDR iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx\Tu?^!}5/ZPBdk@ڢ ,+5EK/\c5M@3̤Mp72>>|Ǚs0yyygf||>*@@@@3ҙ@I>   6@`&( igY46{MwA] >F } ||@ -` FM0|{@'(ܞpcA@@O ih@@\;f@@>FA@@ ipcA 2x%ߜOrH;uO 4<,جO*vl5Mm?2MuIzT(8]FsæM^ߣ` `|[>>\gl,T~r'mTv\55,6Ż,oz(8=KYYg..% KWeãp_lyOBGOŌc<$$hx& qԝ?=ީW8SS=/>v1t)IBBWolm519]:8c,O׵֬}&fVabou#5JT$S5K+WMJ~.Yf4 {%_racڴ9=5}bu\%`6eq)[aElEx]qA:ʚ0kydG?yiR-Q6-2~L@h|FuLKA"&ICue:k^h? SMlɚyɋ ~}p5_⽅y@{hjI6:9ɺHrпuu$BRZ¹++/{ߨm$|I)֔?nJ}s*e}33{攵);V[_XOL]yu]X$ zwrH6q8?֜߅ g-oh~Uė7=hg$/BN~y+:t)>%^.n!"$.y-!|+ 47s?1VDbM^EiCr7M5Fལo^ҲQsm߱zêYŖ;dz̏~xy[aO ӑ+'̌6-\+X2;o؈N2kvj>@%,>>U'a<(&G,Zlokሿo'ALFLC'$vK_vS3cRէLKMyɦMd@{enKV[l4h|Wuo_MOTBP/ :Nc I)֑Hŵ .̶e rf찌*՚[]=%嶤Ģ|z4$21.w%, 48 *x q;O,9zHHzh/]X-B]gdK[=ⓜͻ$Mߥ!h͈ѣwT{iFVl-_SW7~.׌|*2k{etsU옧#^瘴hϽָ۪1[6// nͺдD'&NݕB'MT*ҢѨ ׳w1d\SiQ+cet!}1lݶ3ѥiO5YQCsJnʢ먧vVS6-ě F'> OO)  %?xjT* c1vItblDe&ݱL7#$k4˅ MsN rN mVpp?"48ʡAƌ; 1i#c +x`ʹh1^W! 
&Nlt)yqJYQs-nD@X>:љG-%@=AKcU84Sm~{3>l!a?IZC92bc,=:̂@/@ HDMF7*y戝P @{gA@' >|33[n?Nw+z zlgMhч4   4xG   `;$ &x4خG@   wNX/P&0@r|:    0:B{ i@!=4C u@@@ iA@@H졆:   4xAG   `$ PC@H<#d{x $ x2C`U?`OU$B@ᬀw$`NhQRB ӀM4؄ J   H0A @@@I>   6@`&( ig@@@&4ȩcH92lLM^XPs}' E;n2f̱Qj J$>o)i 6^U '@} N})opc@@@ ipC@@ܞ@c~UaӦO D3Ċ !kW I;)pNT{%D N^HjUU~c6o|զaSC ;f1].3K虈xggM8oƋglT#ym7dX3BVfHκ4!pɈ'IzwRh9UWyS3"R?:aʏO<1u}.jT9VV[_Hf>1u-dSIM!Zɖ/Mz[~aCtjf9~%x:e|~윳_vem}{@w 2x(7\24 cƩpp7Di+ә []r9/E>QG :Ze"Ŏ._$t.@1h'L\r4L TF)Zsäe !ʑc/Jȅ94Ĥ iԚ'BmŽoӢvfeYG>lؙE=Lܘ->e'42oou 2g& 4 e AA cI"Sug(^--h"f0yqWs=Mӣi; ՍO$}x`Q4_i]#E\ *LL|$!=6L BƠ@Cw9&ixyB]3rՄBB,K3L>ǶAʒjK߄71l [oRu6Yy߸=6z&utGdr8d'@ONZY$|nrR ,8&iP{i2׬ZśIJK]87tEyc-7e E5N m퓚Ok M gMnL;+0#~ON~4:&iI=<ޜqS:m =ME ~Oў۟t.WSW1mڜI 4dn,*>Ƌ>|=?o}"5*•ka/@诊_beTQ{]\f`y-9#L7s7(Ѵ<|=Fy]#oOhiy3VؾrĤr 4GӢ&Xxj/-}iҔISCy}.6'W{t q-^~ y: ](-8iM;r%skeXG\o[r0WVN8nv=Z$pLN]ԬEݮ6M6<a{FD/6I= ֗≞hhxtsZ | U,ZlR@Bc)ܸa#YT&`+6R7㎔QvUNoS鴨?rf~`"w:_cK{Q]mIXzع>w ^O§%=V+YoC]]Uk( e3,Bo%[‚?*=]h{=(N?.m4͡  u%('P'eK M[s#>>83$ |t9ZTו>|gfn 83O7 i*g@Yт4؍A@@ ihA@@nΛaDEp qU_YSvWPXZ׼*iii XB=/ٻL-znѫ^e_[ lu3w֝p_^^Un\<{[pϠZr 7nޝ}[bf7@A{]'cHBm1%T&5vnkkx2AFiۤ'[7Zhx|– ̂dʪРP U #9%}VnC'$Y$.{ږjkj}s 򙼨p_<^>P/lݥ.{.MlRzgҜ7^v~w7_~Gm퓚Ok M gM n7N]W 7pʯ*HU7fIeѾǸS w<\@rp"vB'whDd]P I:观5Qi,9P5%CkNzݢbIJLH=Se?J_zŤDP^Nv09eq}e؅}U2swhX  A.貆z,svYf30tY˩*i㦟?mWn{Al$?O륮:UM Po/&8K[r Eޔ9|A:񏹿Cqc ({؀ҊR@h?5 ڪ`&uPQAzz" aedBR0BKTTTP\ԋ0.=HBqP]K3{ن9/3;͠Aםn=P*$( [\N!SB77vnhf$z5dJ{6l+n:80soy6-Ӧ_?O҃܁6wF| IDAT8Z( ETX4-4(XSkW ,oH&BB5Umi~.?KI㡄ӺQGK)!9 nHx>-ֱ0wӟ 3r@8ZW|S@:r )B v ś T"u%BUԻ`QZZ"ѴT[^mOe`mZ"*StHm7Th!i:JB4xF' l4\GAnXcɁ ?2V6mҐiQx{''7#$MbmzambǼ o/QIC AT3 O<o,}eGDZ(H_|ff?~ šCUkF-<a䥥/M2)tj(U}.6ױ }BCO|@ ]iݧQ)jSQNXyMKQ=r<@Opä!(0Hѯ^OM1'Al'IOwɳCM4B :   ] ? 
ӚV (ǒ{=Ԣ-A iC@LgBI͏m[˶T*[:z!AJnn.ENB ieh@n޴yZ[M+G}nnaa[6G+ 4H@zj^;muzR{9{ykVgH gXNjjӫed`‚Τ*e*UK )v͐3UN |e:`]_wQqT$c !s]!Ǐf5//k5?3ػ^mT7=vPHG[ ?1[nve]{޸~ߺn(?0{uڄ-G䂥#e} )IbQiHz0샀41Њһ-ϖt2z+5*sOG?`s,}_;\|@rrs^~i-2,j,~/x3/ 7ٮ̗V)դ"ͫ34Ig>~$M0%ٜI^w]s8$%jzgj;2;229Hs{ o[mq~!W|p-,c6ٱ 17`%}& >H>\ÝVU gK)raPM,Gdkhi3eqeI?-ܝΎ떦?aE)U0nQ1+T ӣgV[6n–QepD>ϝ37)%' tBVpv-OIUH'Ts~T~ M&䂕<  i!0 Gzo,} %cںd2d(z#wz19/tTb.?@6-An+ݍZر9uģu%]QeDXhG=`Y.ؿ/!e}/ktJ˔Pi}pɓCt#Z GF^b`'Z*X{+V{X4-4(:ie)|`wb#T9*gΜ3>`% o"}%/Eٴ `%Jp!l--B-j68֚B E@l0Q@d\hc娭,p!wWΡ#%MLbdn҂Ƌ2ݳ`!nYrq^H^՜iD$zz4m]bVns{\,+y z"߰K@z=U NaI TnyM I}_Els%٪ BJV\-綵[[KkMle!Pr@ȵ [KMI]Vjth^ F o}c_&*C M?*!>N?%R7&<3~vE4._xH1^3nhdn}qc顐>h|ChQ^WW@# )02`Mթꢒ}%R]3~ԗzS'Dи 5ZoE64_5^;)SE2b}3$' 2\67M!Fu .1tWE>yzebO)o 8]{:xy*.L2O: N= Ի0?xbZ5hߺ:C1:&f\b>S5>AԨiA!s}_!fۧ6\7Gɡ `&+4OUViè ZzBC}}[E슜*׬cx:S! b5l 6ݼkXM+j25^hTP1ؠEox `; 'Tݽ򷽮-44w[B@s8%PIyhwt'c.K+J~4[k6:H:CuMzL5͐Mwu Ф4#Q+Ae]~cT iv??Uե¢0Ttie-˨A  Y4Fn]kVi.77arj궊r)ضG'hH(z΂i<49IfVXCu`PL4$xEҗML6ik]NYlM\Px[߬!$?:A,oɹ~Pn? IIr6+$Dqʶ஽tjE{;WDsLײf7Ŗi*Y2 !/=q]crIؚ,2t KU,j&,Hg(PpL 'eU=؛Th} '&Б͝%5WC@s I@7pCt[s*"IwTIA@@$ !n(f3%:A2 J}w=B Jl@nzc GI3xdz~0-U~XN٢@Hlxy9YEnviќk2.]lY @95@a?Czl4Ҕ10zns2i.5P=Uz\7;tRZ4܈z(ؙsU!ͫ8Oģ iÍ`{\{C-d?1D5=%ytM#7й)L_ǧ{G_=egnuF}F C(cRG?گ_2IH^yJiFy:=_eiVdw(RjE}KICG hݕ`Üg~^K8>5)o 6 2#&>v3i'ސIwL6g0E,6Ixᥕ&L K\3gO4wxۻ@PVV:#fք.j@:l/s5JL Zr^r(i%@IC`A@hc+[^LZyF9;h߃c ~}p5f6nJ}sm)l&.{ږ͕k1u-n^>/3MXԒsH{W;@`;+h8`aBWBzhd^FzSS$PT-HYZqyDSRMI-*ꯡĄēSRߔ,dlvf~윳_B,4|&5&:teB^%)!`:%>SE( ӕ;ǍgYoa#IN{o.(kW ?pϻ~R1jp h/a.tɗ5c gntng#$tr>S=&´NK6}lEpz1m&T`N4ܺLW6l޻Ct#ZkG87P @|K+-M kw =eDT&/"Bl`Yo)>n> R聅kc@h8=5ӢgfR{_5) &N2KEmXcɁ ?2Vb‚9r>+4 Uı;w33,a_ipt{,|z܂O{% Wy' lM'guA2vflj˻f[=1C陝$(ll'-MˡlԇH:/M&2B{ًUT{b@ ^Ex0?o 1GMX%ܦ 4F-J_8H1IZ 8^e2ݵ.-zɐ+;VVPD'W:VFD:yl@hfՍ);Z&/$hԚңt?5ijdoSBBZ9_!j6P__Lmٴ^ՙ3,4pL!? @@A0yB< 57Z!h\=uvLB/O7|y .4j 6mmm_8/XҘ,$'kdT%-G73 ל&z:Jml23B8f`  c30!u[P{UMwRR~0 ц&h?S^: 肞,An +rL] A d[jIJƅEoP)rA@@82i 4+>$ M|pWxWQG^5@7ֿLAMw=6F=Kh;[ $Њ3'>>¨=UQUI'KAHv̚MX4Mp =hU՞piTp"v9;\m4$oI|}+ޯOE3ѾDŽG:|Ay-&Q3jh1סl&8  ۍ3;r^.   
@PFVt)F$c{tQ`m~AԗS]}oݚ ;Ag/z󮱖-_QVQjզWW}cCf\ w li}Tj5ﭥZ°*F A-,k{Шtl Բq mChtFKS 8(c{ vP} >|}]3n*sĭ nF3Bc,`F æM' 7djb^|섉3bf2MIa'vf׮^ZjPjwɲ4~FcڴT bE!dZBAJ/R_Wf<5&s@.vAp!VY|yoHt¦?j? fs`MBaѳV{̂Cbof+~}syY9թjPy|F,,[ſ;}pwgV]:Ii ƞ(||}f+4l-nω[9ʏOL}b[.H J꼘op? ^%+\~ͩ'vOEL]7#ذIDAT oE:v-U&T0.XH<A/ 4^1-?k5om.]>틳4I"""L蟏/M׶-MU䤰<%ԙ#җ"|tg$eqjǙ|&sÆ֤/S]:P51!'PvBDJOI9s~YvɅ@۔ G3->|sfI: ;U_r!’FsfϹ-sg9nYp4KR\8Hj^Ƙ |Keo]^7$9p@& AD*\2\6¼./(if蝽_tLy:~u[ݕ{O-[21XNQWT.گFvfMt@.vj spq r>[yfғ v>"60ޑj5Q.G?Hsɏԍ[.PWsVYPF09LږWL 22Ǩ,)dj._ii_MDD0XU^ٖSե !.υ0a\^f됤Di  4c+fwpɻ{2|lx8ݭh#nvӜ+ܝx됤Q @:P7ǎ(E.`^*bs׎#1#(xG4=h.ۿ'6x =H觨wv/dO$zSO<K'lxq SpSda\A@=A DӂkoiDk!$  @͏/)o{+f7-M `^ۮRe;wZ*DjQW߻KcKAI8^Qz;+> e:YZZӞ=mHP;B,!8# ND@lX7A񢥱Gإe&-gaZnۢ"ࠞ?g&@lwiQlB(cx6$$Py|Fӡ⽅֐DN5I ^W`yA.\[d%ZIi ƞ(||}f3 ?ݱw˯~ ˹ pT@pFhcRWo4)(3^Nݍs~Yϕ\aCtdg9~%iV#UwdE(_T. PрtܳkW O!:T(S(w2FFrR|iAԣ@'Oabxu;(8?GݞpH!7Zy[E{}}W\ qYy}ù6o77BW|ΈmfXKMvfE>v͍ܲNI)We9iOr.xc\[ 6[ZZ4Z[q͘#7l"b7M4" [TX4'0Zo^[žؤ~P`IKNǻ-O7/oVv;sfόPqsꕔsr%Ͻp/6Vj;7s[_K“‚$괿% rjɋS6m͜='iq+ŵl,',H?,rm)XۘzF] /<wSNXzعvWh@z=e )*gj4V .D2@ى}:M#|cM]| cW1U1bh'YBp6|gRQ--:"]Rh#@h'!/|n٬VO} g#B? E4u^QcJVh܌7;\e ~c;Bt075<=և ipKX&/@8  nMI[^  #q,a @@ܚ>@@GIX5$ n}x8DZ%pkH"8p$ c K   `[^NOLM^wz7ᠧ t *|@gaHy>/ǐdMc؆Ip$q%4`L#?U  ngX] = ]%}08 4Ys?@ozRW['zE' 7zzz2' wwO{gY` ipw@[\(k{VxfW0h.kOR|٩3g~bݜrW7[ rp? 
`" M"C*d׮Vj[%ܞp#x@}֬;~׊r瞦O[f2 O^z{!o®ԶvHM@zSgٳg;;ڴaӄ aSè+teLez:\rʵ4 $eh~.+9cByuorsZX脒wUKkW]]IH mB;%3ĬkŨR,"k>LIM6bɴZmHxĮ?(M$ ]|L>ycDG*rz~\{ȼ˘+_[t:ZGe^=wW?_~S"`j:jz\ʳ#HI -<ӕ+7j۫:*թӧX\QԈ33yA^;cW/]e¢7 jU00';ɭ=1GJM?\лPhSkj?%5mʢZr1v)灁2녁(Xn$ݳbS@/yKL/[i[86O#pڵ[TxEeht׺ep"={B]L|i[5^Si)^`MMq&!{ C:;<Ŗ,٢\- 5\] Jt#|seZ13sLg~OJI 6=0&WDҸ0~Al'זd]&K>  (d2mݴ)ȹgŦظd1AaOtvFɺOT§%y(!71sPBT.KS;^ᶩϳ>cƄG #y];dp@<@Nn醉ݞxrꓞEdnO"_O:]u3lxxBz\>0}dAB $ M(0 !`WA*nO>s  .I= .y4__ߢ¢'G8 T~XNW7А4 j '(G?ǎ7 P1C1$ w1!o;P0/@00  MI{_D  #a(a@@ܛ>@@FIP7$ }|8M4?va p:]c` P7'@u$ }|\r~Γn~@`6яiϘUp"Oɾ]r"~Ws ?\p2d@G~@d@G~@d@G~@d0O9/pN:gq~8+sA:с_   D0\g&|'"\g&|'"\g&|'"\g&|'"\g&|'"\g&|'"\g&|'"\g&|'"\g&0Ιo   NB2IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/17.png000066400000000000000000000627611303637203600247660ustar00rootroot00000000000000PNG  IHDR0B5*iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx \SW7Q ʿWڊ-Vg@ ZET;(VXp*E>ZUkiqcQ|+SZVřZr}M?@O\g^{B>NE @@@#3q i@@@%H\#Kaa™%^F> xI6m o`@7]u;z> m :74Ї~2 S @EG] GaँN/   y{q} x@`' Dy?"  OiPB@7ೂ*@@Z9$ t72&)ToL~_E*uzB\i0l@@Z )hfi®."ި ̫Oq-Wsء#G鈃[U;rL-jBE;o|9u2faa:5(Pnj3]JΜ;u{Z:Z_Z*E+>Բ}x-_W@@,G 7.7ŹS+Op~A2g e OwS|cŸcN"$AhuE>sؐ熸b)\,05qJ k2:&vL,CF1ٓb瑽7J_L`ϊmkJdN$= ז-Kq_dn)6yL?t̨?~ ^\$mCnFs:MtM9p m8{BΪ&?U 45"v52Ym\9 }= > ,p[Ԙޱ=cRv^o캤~uY5+Pׂ76[8Wdj~g[D> 67Ksw|AAٕWsYYaח?gy@GP5{tPK_\"˓'K:SgJHTv$$/L9y#E%~md)twx\TX_˾,."+; I];{lY{WNKپ%:j,a.V]7O Յ7W(U%\*J3F `#:],?оS'RiSui`5ix3B\ :-> ;_CbFSKe61󑕢9Yۄo%&:UtTlɊ8ِ@aI{z><5_[[^v"=SwȨ'm`ΜP-W2aijU$) ɦvGNhF $~J?? Oc >o9l*xP[dq(BuXu`G$5Sl#캅K\$0<̘I ʾ<~ b~'/\涭~}$o '6{YLV fvH Hae֍l۲칳Lϓ.wo*kUwXIٌ:ښ(5Ix1? &[iT>^9/.}Տ_;nOwnUhSRl36a!d d,|KNB7wkuGJ_ks!KX3LEJҜOt=;ir萁iӣEn~{ i7#5/]>tPYLjfӨ؁U߿??"cbo^#EΘܯoo'U6;NҜN#~aXc4`ʜ#:bH)sS܊\-'͘3)qLX/O [::0Rg>iVP9s^$Hݕl @Zi㛛»׍oe[j4K&yA'>H^rb[QUFoq]'BWdoϚ3s֒nmǺOJ5Jw Nΰ7N1' <裣^Aܐ8f}|c@@BC   cH| Ձ@@gq i1pT  JOOМ*@@@IC#F#D    @K(c0ݘJK\z'2Iu{p/i; IpiJ>Ձ(׬kQ/ 2ߟ%  ~@)= 3'! Q_@A@_@Ap $Y_.I=@@\%~g5@ܨ@yyˇ0 N g4|$d{   E3I;Hhnߞ(0 B:&J,    4"}5j?e Sh}nRjp@@@U' r [ cܖ`VRI[YZF1hT* ~sy-\CْŌD  @Ʀ{>ackZ2TNYԔ6;mZ 7.*2sc'z@|{Niɵ\vܣT NWc1&0DhE4HɔnR#/ゃ\A۠nY,t7% Typ;T\aPe \u %M351au94rOK-[hQWQpE ,YdKS&NצS`m>0>'KMm!c>G3g6eU&4}zѯܽ둒/#D.J:ٖ&% 5E[y1+ vl,c^~` Y3 `M(i Njupjµj7BQ-#ϊ1,Ĥ8O誛%ztYo J (N!] ck $hÆ:D =`>v~nO "ė~U6hJ`#>♆C;g"223ͼ[S-LXm [GP`AueqնOL'LU&UK銸,dP' vWPjko>(!a!' %T`iAՇ)t4tX,ܥ[\% f3j9K%F0*rv>1o欘~mDdok]]q!g1 Yc6}K/^4NV$ 2P.|g鯡g41 @Z@-cW',Y)//{440kOt岷g5:oL?}Yo(jzܝ{2w((c= =s||,xu.Zƃ4P\پVr4?l1m;sfN7>^_.އܺ ~N95q^ȧG^̈́Sg2\hFƻrv9*:&vLPZKrғO] 4Fn'|I^q7+ܩJS6PE94H/{m &=JBj$O*\cyZ1s A?"pϏ (Y?v ui-=3ԘcRN>#ScF ؘY^eW._R\^eejKپv2o  z ٯ$ 3Vv )\aoI+ܮ6WEـV5 Pk PnA} tX? 
iE-P^Wb xpJYc;\T z h[ pQfF2B;$I'}7_6 bP4M+&`4v%+P㑔 oՆsd#_Lixu\{  _w15 7U]B$5`S!Bx+T'{.3{g)ײZ}%$#I2+oURdT.c*ZnzM4j©h&:2@ ~G`P#Njd a!:kCd͚vpǁ?'#I%4rL 3o?Hpk4jvK2qAۃ0T]VI-8 ^%6'y] u,VbrƱ#mܺm֍HMNܰVNh%t^KH[uc-KHeq^6]\/r!0&gv g,Y@*k22Yn-\T]B B;zbl~ӽ"f͜%2wκ-Y#_Q덠M'3R>O<1+U$͘3)q:PZg Rk4fYE\;W4N>]sEb:b)XzoGm u:.*3 ӽj^^bɒ]Gz( B Hl Xb)v.@!$ \]C'PFoJ;˿%31Oj>* bz$ d cwb;_@]J%pd 5yR]>&A`vl6V۔l|]vnVjnxepL(crl# hƹww!i4*0 BD_~.ڨkA蝆Φ{c f쐏g"dn[^"7}@@I==!*xRAhg[ʵdjUgjZKccD@twvO]T씮kBxTiuTUw*t]Յa4CH*T6m~'7E*qQp;i[ kH׷O!ZߌwUQ \o/ܳ]Tװ>]x!<_zfe E_dZ@\%A+A ]E]hPR4I-F7sLd%!XLd;' 4gCZ CGf@\7-&KJߤtJ'{+5h%!›b {͉~hPXCJ+޳1Cg"$/G%fmE7뺄CCC[yg}p>Z?̟9(2Μ=o&D-{jWΡ#GQqVP+ŒԱcGZju{v.T.=<7;vFfbDU Ǟx`-GN:ݼU>7 ʒDK C'wAju=P-H]P rtiw*+|Å S^Ma>!rO} L#2.hKud\43l fNrHQɧE){38[z6wgNI1&8}i1#elr?(r9j.+;oa]ꛆ׾vFc0~uWݩ25wk_cEΞ?Յ>U}v2n9gΛaNuBd om~L}XթcW!^zXB70ϲ ZDn!Yɤ˗.U*~d@@qgރOHJ+DFjE<lŲ) 7R>SZNXO?jzwVEXP=!(UsnLȮ DI!ƍw𣃃 irrl c' C^;BGr^+S6kbR9m˽:#my,]pبt CQ`\:kN]49H'%LA];琼놺b\Son_usÍDPv!fp @|K{.YI]Z Jvdm.x(+-?att68Giuzekm5i04f?*rP$LE,~fI^rVNbfVqzzdڋ lb-{-N҈70mrB憵m^Ac!} 8}OK`b %7+7?O{R2AWg3D>s:ys-3s'. 
H?o>@/XHAO}t&NXA lc2fU 64dBjp(fH̏?꟩#"962#Y2@$ܤnR'oRz'/w@e/E5ѝ,Wx{"gI׷7ӻ( LOU,]>tP zɌFRoAװ42`?ՓNΡ?!E??yV{MMKmOmb>?A aʘGV}mkҔ)"ӗ?d/b?_\s@/_96bix IDATj Q=xtR 4RE k4~\uAa]M ȠC tV\9/&u|LuJj9!ә<R`7e˸f?ܞ17@!iiJ/d;4f V/Yꫧi @p?iV5sllzgMD8#{x%{%#ͽfFsgkAeK}B99$㺥nsR攕 JFIIy%c`k#=}5է"t 'KhBCEy44}5I.6_k/ԤCC@T$?_!}E4C26^i%UZhva/[-^hIٷe4'qݒf3[xEܯI{nIJ"YCn۱漟0afOJ,kêi1۴={:Úek=O꩖ٛ\ !B#17Tg/r֬ٓCX3պdOQv?4wo>)KqNkJ0yЀ ЗϾO},T-C@XI5XL3Ңre,ӧq#$ [°۲}/]WffƊ@.α izޢ%h&om&}TeŞU%sS;ғl% ZW޲i ;*{Jڳ`V;j=ӈ_%rL,n#]岡v֕-foX玴N&qPe\njqɚuTƽ@@Y}'8IrU]+Ҋ7n=?QKqYb=&(+[حXWh1[Gzf-\ʆ'& gz]d1ĭsdϷNne`qwɭ4YNhB5ZuH0N#- .T kZ* 6TT uc@J,ʂ$oD'{VB0;vH3zz?;h`ɞ`VѺ$~Uh1[Gzr+^gέ܊n.+{w2搟N(9g(Q0r2ng8YC?/Ky{T|)kvRn/u#j %eO.vA@ Pp+++g%$F-iaTVKwi '{ 4Z$NGU bnV̺ux$JvNbv]q-C4P]'-W%ӮsjQA3\[KE}Ӗjug S\Q/EեgZG rc,I,w;iG, +YzuIʊCuTl>Iv+<٘ uHs<-#MGD5Z'ˎVv*I |@]¿0weW<䰴Ju"|||E[BIv+<٘°Ie+z)ٳ]7kNl# 9T6B;jLW7/nԏlq8.ҳ9uFs Krk?7قTDP"eܷT]})pu3FuaMBG:pd BIjƎtҘ1-WnRO] YR|g 5*נ}]I.[(2dYY`  >cpmK >[TAZƒ+@LJ[$cpwe`_-~U*Urqe2XlCU5N _TȾ`__BT4fJQAK}[E}RbA@@2ۓ;/BjTWYBޞkJ?gUI+W&9nS`V_A˻X5F~ 풧_q*̼Sl   ]` n vo5AF)X+_pDoUwWm {:GFQ[w\`%lѪ,o7^r`*AOpMPC7p5q\w-SFð^ŨAfSLw{|1`I)%~f&VJO)~] ]_uV \骮q3}׸rv9ѦpUb_GWi iZf\+M9MRRpG[KI)VW hpk"ZWK :wa:(f6[CLXmuj+UO_Kv3,ٸISbTspᜩd mG5!2Lf)*;rכ+1h4JH<!cy~CX0ߜ{IOKxүS .`Y=!S}BC\[ǁZLU&gLꩡh K'.qW^|o1i9SbMp_b9uxPe ǕH P KCTdT]-;=A-04xR] 1\E 6J\K邎F$ L Vh)QA@@ 4%iφҵz9<`~HzQXzK_'k)#1   &A'MOp?i ѓw@ĀHz{?Jk 8&ZR6qFbǎC߰*>ZLPZeª5Ȁ7>4o p?i5-u=TPW'eEA%~@WݭN?$x#KݼLCtR7o}!w9xp,ڶesgOb„*+o ۷nǮ]=x=L KMR#$<#6ƹG"дɝ !w0LJG1u3LN|)%iMMۭQHH`MrgYۭhO84[ 1^꓏?#YV)[7FAűJ S~R_7)Bt ebǐg# @= dW!o1GO 4'yYMndQ:3A69!sZ!0\Ħ{P}32u~b.\'?RT\d1㑂 =R:Xi fl\JA%ФhD;[Z8=,4PYqځK[akQ{ay&$LٳkLj_H̑}Ҍ%#O餙L)YI C L[~⯤NerAmC \nCO{l+:%'Ȍ29 O͝ ף'g$N"C s>"G?^ǿ8ı{Fčdf_.g4J&;?̔-Ч\*uDNiˉ p@&Ǎ8v frAUH    XO?.>3#V%wI#g@p;iޙ6|劕>c PFݟN@EA@@4i v\JZ @   MJ5(Z   I\P~E-E@ĶT|@Z0P W1P7!<;ϓ&p;i.՜SM@@@I>5@@@MxzM`0=n@@BZ~!   >$n %57+QC?->Z'#3C +ivA@44{P3W._٭ AٕWsYY})?' 
мgsw3zlRZʉsv|~j̈a3i3'O9ӢޏuߔM/^jWϟ.ݑ7W~܅W._pb$' P}U~k[LI#؆| @ ,l  )' e_~$繨vSRnGrJ:7hĀ.YYKf&No>9o_D>\[5)sP}*w0jW/f> ٞ3aVGq,z}jZ;t'O9j*zgMu u?ȶJhԆ-G %iαg΂87o}!A1xUbY7 ޽_?ors r9hp?m۲칳L~1as۽Nxa"Mx4N:b}úIwsv渨gf3(8Rc&GaCOpIZ97roH[o{nE{ri#,YdႅQGP x oLV^ǟ vΜ3C1877Q_򻔂mQS2 |FPv!fp LB3ͷo84  :4|X@/TC馽y&p k+oICi,p(s-S4"2͆Z-? FTr%8%+7ӡ0o?RT\$T`=g(=)OzT$cuH/fͬk# @O՞qIqKpᡙ(oOې8m:9L)YI f̙8.5+7vv > 20mqRx]>ox'gd'iΖ2? Ŝ&LyiJ٥2ݣW^)8ҳ$/{!y^rKV@hsB0"ndsD[h|@ܨ8 [Q"SSXRy-Ĵe9N?JƎ.4K= 1e 7 1J2nL2x   j ih  ipA@@@jO=  pi {.a >!.,> j ;2$ ^ ^#ɯD_^A P |[>D&@_> A4C   B4xT   FIC1   -DICĀ ՂZҐT]Ȩ @@@%x iҴMtyCK@   "G.nH~T8f}ix2@@Ҁ ?@@\!T@'9;5Vuv;rxTmA   6<ӰnKx9$۲٦>$ rMh-Ѡw?+|2h $ 6   PHGg[[yHQ Ņf@%+@^a ;r?x iڪSKYd=a;    %!"RʥF,hE<4HhnUty   NYcXGH:   !ЬAX2Y%]Pܞ@ƠZ  :&X$    MOXZeA+@@@d x_(A@@F= $h @@@I8'ひҳ i]lZj֍#*    &rw^2Ko\CqA@@@IÃy a`@@@ x iU\53׭p 0sM vrg͘|x1cS02勥***6 N7 NIזKJβ5_槾֚@ ؞ՊУJ9HBlǐJƤfu &NK<7IC h֘l dPf% @VY+${f\BIDAT@@OC$  @= p3#jgz>qޙVM0~rV~Y?:?zJVzu2Loߎ СK<7=qFcgm$kGƲsWᢣwoh_Fr)QQQbcD.άļh΋pm62& @c%f.J-88lW,,\lrwR_?aԯ{g2@F `C@V/zmQ¯Ǝ^z{ 0\IjZjhPPDL܈;eGju }.^$p엫#}ѣF#ub$:lhtzKL9L(YH<˳y^O />}Nq**seK?e}̵zᐭ+?1^ܦ]#=!.:W/[>1a"ooU6eWVZ "9oJ X ?95zn"znl|{ٰvutL񣳷mQG?>8'h[x tW;߉-ӧ/sN0(%h@H%@[DV+ ʻΝChc}Sy!%yԤYEGDy*KJC/ k?r؞@Ƽi.4ܒׇjo#=ݳ;ᅱ=uH-\+뼮n ,Hu>}Ǖtu>G v}suF}ZeE8%56n!}7mHEK+o;kCGz2{og933qfJMd]"[:[S `զC9o@ CfRmn }ѢœLІ^LؼeU&(mo,b05`}8&{nݸf2#vGz2SwMl5O64?L"n$ hcֶ!1c>229x(g q*];#D=r vkCmR¤L?ytTL`6?#Z@@@ iS(|vm=xlc@M^n^#/?78 $ |b5-}.*S:$ J?^k_Zhp   p   #Ay-@p   #Ay-@p   #Ay-@p   #Ay-@p   #Ay-@p   #Ay-@p   #Ay-@p   #Ay-@p   #ߚtBEEExt:]TdCJa~kkxޞEONp% ǐJJm3qZyH$"xhm0q@@HIC5Xms<ݞ6=1T   844   Dz~{s˞])I-j#IZSћgM   'w'ݻ*ff?$F4# ]qPOY4   _ޞ`y__UUO: ص{Wt.}*"w 5@ˤXoX&j4]eb0kFhԿ_O bH 9boW NP.,L A~B?OvޯXBº>U%> Rq&V;/)E\kQqdok .S9nTOCe I@XHqQ`_& wh0Ȕ)/yxc[c0Rc&{ސK+7oKAZ6^+8>j% 9KS dWxt߁+WcYB#Go/\ыzc R _CT\(8R`6U5_6s: 0[1t9' OOnO[uGL0 j@Txp@z&94   T~44~T h+ z9)%k w g5QhJxgOᬀ2* =KcOzx2Z~4QlDs>c  W0i+>- |l1@@$ x[Xo |w W@k>?f}"jlA@Z3J 邪SBfWYFA@@a+i X[Ea04@@@10ObN%  %|@@CIbN%  %|@@CIbN%  %|@@CIbN%  %|@@CIbN%  %|@@CIbN% 
 %ӵ'h#E{yM   >Mu_BC@@@ܩn    ӠӈF i>c   A@}ƨ@@AI"N#  'Q(EF4@@OIP$ 8hx3F   Hq>$ g@@@@4(4   }H5" iPiD#@@@4x1jE@ҠӈF i>c   A@}ƨ@@AI"N#  'Q(EF4@@OIPJfIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/18.png000066400000000000000000002114421303637203600247570ustar00rootroot00000000000000PNG  IHDR9,daiCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx \Ue8/6v|IMEc3:9b/9i#8ZH^󖆔aLg8vA;ʄIf28*2gxuߵZZ{gxm^׳Ϗ.Ztbb++=J HG< F@@7>ݱŰb޽bYY?dY@{+h['10(t/hpQt!&q+v6k[z777SFn ӎڼ[{lݑoNCZZ,?`uE_445x%FA#85݆63_!;%5!*44{RsxCUP^C&]g+cmn iyHƱ-#g}TC`D꥔dEz[}ޡ:8ºyu4z.^ cb"#ChUY?Qӓz'׸d*mPׁˢǣG SAve ['z`~,&lg*;ZKG5_ڝ=0rRlT-Gk>B!hbjgإ|v-(hI6  й$y(3!hP9 j3Aq #F=aQlgcm]mQ;v/7^܏FYYg)urw!r2PG2;Ꮬw扄k%pcN~Hy 6[Xl>Ь-Ֆ_<95W=yfk.[!tѳ kT7hJz~eޓ5>96^'5Xx.*>PIxPC?7>,ߵaʧ}Z,zœgviTإ)Ssȹ>ߘ#D+B,tzeOqԇ vv-8ҠaN}l;A1 ]C@v=Ԏ5qFC1K:d(.(93>t3iji=22{~zGEEYMh!f(j&t("CGOO|A'}B:8]CBu-VΤ~ywHRzzH~̃v @j S4[C躃?IG7Hzh>~4if-Պ{",͉/%K*+ Ua21F|I\rtwKAPz^1Y/v|8;Q"Nt,TDtlc: CgR˝w@,t K<-?fPN~$yګW_Ɲ9W_o˂CBװiԧFJ6hڻYE}ۿ~N~yOx(em GX/!g"mZ_pNf>Dm>V7wHi)2@}cOFߡonfuA{Cc;FGY{w8[=s=v%65b %CR͋^zc'cPv'[hcp(tM^6$  ai# ĤV5;ˢ ,1~QGZSm4jCzamm~麭W͍۬au' JuN1l[z5Kk {z\ۻ.Qȶ!Ϳ?Q͙D>xS߬U% =6 {N+tUG)3sG oT-,)0[*Y\iew zh;UeञcNY0epsiU1/5sX"*4D1qKեf֯Kϯ.($j~l/oLS>[=kOJǕ)Lnoo+Iu*wRӓon~ǎcʑv<\o9^gҺ*kqB =cie}i}D>]GYC}UA]I=j{eh@/v\Ѷ& ʥ ̇;i瘁6txv[he 51 &E8)h*K,-%VkdOD\#8p`x]gYR9jcc`4@'e'N_n=V7mHC=Ikּ82j(/>zDI: 4ӕS9SRr~ѽ|-G>?aU|>Sb#n$nsS¸xFZwR%j5P%:* "7?K'?a +Q^mMߩ os]j1Љ./oY,{J_JnQnSد+tk[{ IҺ:CLT7Gb4:l4)C96ommQV[-B@ ;HG􍪿Jb|kiU$)VɊM} h mݭW=b7mX&b;i Y3֚M Pz9 M@,IV,/h5&_@NҬj7MVM k<.iHWe1;9=a mEmƇ]r╋ o|=X~xbHFTwKukkX%jo\i$A?@io} IJ~y5{ҤR2tzڻB "ST\Ck0y˦\|kdvH%}׮{򉤩M*ae,o%/mpVe.h[D2^a k>2NV:-o093@71u%# y^pATAfjIT+HRC|m5Uo@0P)y^›[ywϻ褳 ]Js놯[,Qnc'tγrX[jKFXt6̈́ET]JeV2܆@!JMϼBU*UUF憁WO3zpK?Ҷe_5$ZЩNnw!rjpy } \97:T [k-mh'NP~bfdV›Zq/:G.Q^V<˫~8TYf# |媚2UY5 3>K(5'5p.F=fGH+Û)_}TEk6mnRRUZDeL45犎b HZhէj ! 0_EG)L푖۟/YGw,E\mʊ-O'2gD1*/(-&$UQ $|@Zx yq?>Y{alT.]]N=‚& |A ܏BPFDޱݚpgXX5Ɗ-(/hp"܏B僷9!_OeU%~^ OQ>yG    %"P~i=:$r{f(MA@@|jx.  
@@@7 < pK0@@|o @@@7 < pK0@@|o @@@7tV.hՍDF [IGNj+{ hbaHF#ils1jCݒQc(L9Y~4C_i[mE"E8  E[?I"Wa7 >훞JijDŽ}Ϥ<)09^) 5)ѯڔBP]lqRi9Z=[ًYܫ~Cy)v|H`Q8> Tt 5:]}9Ν=o᷇Ԕ݄n+*f?SΌ M$o=n2d F)CZGV7~!crG{`J33ouzb¢e\B9$ߧLka24v)SVÆ89uxj.FdϬ@ez;xa ͘Kly¤aI$dْf Q#G xPQg豣Lhe+k?*H'@+PD˱+ !a€FE%[7.g]Ń #@lZ*?/̠,N5:TX]0_9nw5A+FSK\̮kC yNoߔ? I ^.Ye zetjx/ϞM z,_ڳd=7g#tr)jFJ6v=s}Py^zSUfPw{?- +/Uv{u] L[hhpcaåewErXAO@iPQޝ{C2;nOǏ SQ-@vd]ktںʐVX&KrPwOm Wjj6m>҅Kގio̩U2!rsI^`C,1#ܵĔ1~رG֋4pB  D֣g5ydnSZOl \w\+Е'&B: }챫׮r\#/-I#BO~ƶMj%j=dkiR= 4b -4}N;HŨqJ61/c)>{,O.] 6ܡCh>c)/gȥ' g5lOFLX -6\s^<ъ.ZWMqIsUz~^pw>V.O5vTak,vr:/EnK<~x#LΩ8ehfE/-\0A\l:,^!Cy@VJ;~XQ hmp*ʎ_ٗOluGV_mTbzJ^ʲ g6+8?sJ6FjYֵ-N1q=κr.#=1(8#/*?3ۏ侑}4q*Hv.l;$s**1(;T51`<&5{yiç=5}Ѓfd̎ҲG5 yjX[Wrn@l}w͞~j__z7&LrJjגrNz$Ar@Om ٨_>0PD[!󜲮g]2(2em:-WWd |N\f=Ծ}p]}'i{}~I;&wC\hOOK/$:2*g}cR~6iG'Om?f"o2tdkOdۉ'U*6 NYWFy8P뿳.IAl>`O1s3۾{+k_t$yxȫ+_ß^F)I_ڬv'̛tNU6i=m ?5婕kV7\`ĈvUͿ IDATY|hXXFW $];t暆+u{f?W<|?rsMLzz_=gН>fw3u]9GͭT \kw蹳;!Fw^ڼӞtp`K) &~+K[ g,x8}-ʹXcc'MTp|\1Ԣn(ޱmkz.K.Tx'F=uك=J+u+j1&xDwv8$/6 wcLnjmO|tЌ YiAk]*&mtߺTKzR%bIbS=hуTN ]Bg]FHJ4g4=N4l N깤PjG^yL!.{ e* Н ^ib 0zg_ΓWx3W]q ?gp@@ `i!<[vC(u|Wnv@X1YVD6JC@L`8x"t*#;qL\Q0M՜s*i#D{s@@@4$rӨ   GiHQA@@| <M $rߛx   aL  'jkk&\ G_`uCD"x\BbphAS8RNv6~!;D.t.NY<6&6F )f&r\#$rpV,bb:"nvE!oC< "mIA.B]lqRi9GueC3ҺM\]=هbڻsO+W裏?]w@@"D(]G h֬1cS-XGzݝ59I fZ߿tԄq)է~tpLLy׸Il%}J wsQmI qU--L4Qc ley-:@"߹>Dc#M:TFAÕ{+**+J=*%-sާm**VbUU{liÕ녛y佪oݾPYRPnꫳ۷Tx3TA f@E] .u@tNg(-|1WP뤉nX=sT8ޮ*l۷;;+ s2r ,$뼊 Bf{0#"A Ѕzl(3Fk|7'}kS:2/Mwi{}&yg A@ } >C_WDn.΢?ʪ; ӞNzŁY:E֮mQ/,/@@@tCq  K7 ef nu7Fc(@n]ADEE8R}_@ l}{3<%j6&Gۍ_GA7 Pg/1u҄* F (@ t \p׺IP_$ ?@@@)In>93p @@L֌1 "   09/ ]l@[~xAX ]A Fg۳R~&@S .tcD&n'L a@@@ 3/@ bbfZ1o>=j8O)=F420AB<(&C^~Emn "D>uuK-NJ35#G[%INiÙsMU6r5%?{<;?Xpgyq/,!FF -f @@t۵{oyE͚6fljxx8eѯ^keMNnҰDuz:ۿtԄq)tG?9.~pԙԝ פ/,Z?,1>!qnւFf]fŮFj '}O:uY,mKVjiޟ>Gn3krV1>"=ux"oC^J ]I?!}'PW.p3zM9D cRr.>).<~xM_:$]:Vԃ2]:v؈G3WFAÕ{+**+J=*%-sާm**VpJl̙?XVQY^_>OUۋKHGxek/\pzҽAnpa %U}sv¬BUU9C.c4-ҳv@Է˞c%N *Cʫ:}KI畢p%u yKW.1m.<~xxCi| ~MKkv5Gt.ϞMgxy~O{ N8?n3۳uA-XCoLL2Wv>8 zŅڶ۝e1's'z 
8pO@iNJ-z_^"fge 32iC-R7 ڽYdf77i6rcص / ѳZ4_H&Gk@Y Gv=5t3@/LmCV D!Rm׾ĄvuhADNJ=R_[_ #~ kq` K'WtnC>)\Km,x <4;w!kl9xL8}#{ҭp͔ ="{zcvpqt2Gc 57蕱})1~7 zBBz}r],_|ه|,c*7P2}Rp]2׌+@@72orjnתs }u$QvWPdZBVmիHI~, T#PXV[I 6=M+oA$et ۳ǭuK60У5J- }3P$sHUNJT7h)+sshifip%i)^ UxFf7-=_TfG'EoyxI1{|kޜ;$O>w7{%r7 3#};41oNF1c5yPC=5}Ѓfd̦_ZHVހ9Ln3ݻKI>itm0У5J-I<?$&pCRr' fLcL9~l޽@\RUPՌQhw?߻Fg JݞY!R0zj<彉|Ǧ)ޛPhrJH/22Ms5 j"w߿]A~P!|&DA@yx٠@@!D@@?8 .G*x Ӎ^bf‡ xbcΣ @,^b܃0 x&@ =F{s@@@4$rӨ   GiHQA@@| <M $rߛx   FA=AȫN'I:UU˴a!h[T TkW V]HxSe-N;#@dx`FSfL!F$"ۘJ.E*0//?o.@RƱڙJ'8:sBa$n^E庺K?*ԝu萛o[Ϝk적C;MH%*?Cȵ9t̯U΅U-xtQ'N $mITT]9>ȣ,5zܐI7n1%[\q偮17>w]GN{k͘6fLjh@7)bUX?^*l}=&g}M;ϩEep&8)Y1d媖f>h&3u3ukX/,Z,<$$ZS({m 1SMKw?:8I>}}¡i/x,˪*%k\CWw[TcR4PMTEeVj %nDCS>Yy":$gT!(՛t '%'zM˚ܤaG$Hk9@*)g V8̥E2zӧ^Pca,4 ʴ vDrT hE@@-NeÉ>80a |ՁGY^)Ipy:LH߂W}+رc#C*5-2[Egq9jv/mrpsjXgbZ^7gnQ~,j)(,]bOUۋK?;:a+^YǺf/Ȝ9ye|HEeEIqQGeME4|a+rV01NV#RuT8P,QbQ2PLO<;7c@RǤ1!XY쥲C L^j݈>k<XeɦSgQEAy:?Sv%&PFAÕ{+J#ZU_ݾJޢ-hѪ҃Otzӫ^"*ihZl]J@%yEgHUIZ ÉN7-H901ׯChfTnHI7F# 3Ǖ*4?z%_v5GH׮][̔gT83C\ٶowvV&yHs2rHdvS&ٺ}]}z5=-gVݫG$4qҍgNه4-Ǹ} "ow-]nٛ ';t?F s푩 J=zE.ٽY1|u &pl?ėT (ȡ6|aF&(*iAJR>EUX 4QJ@%pmE'>SU4ྰSNIkp }zHjL Rxa`B꒙JUC 9]gSTѣ {ɆPZg݅'& lz͋rVxQLzV͎G&Mۍ9} "߷mykv&T1 n@@k @6/z?[8a> |qF+HC+LT?*=XjAh*IKzJvTOܠk׭!]zӻ5/zK˩p8:3 RKW4G|9Nԫ%14G/(k?~o=!sړӹZrD[C,̺Tt#N}Y*mzU\N:ԓԶ/|i cL2T+cif)|nԅ-.>z{iOzJctG 8=g'>nt{e~𱨊}#]}#{F+'iVf^{1JXA8VbUgC*6깤4nwsr5,vpܦ͛|^N-еɀCǩyrR Pp-nH=.@gMW~*w;~K{<;}淶M T|f63t}'ir=n.0j)WsrRF8;k6.<5yªu+~7cyjZtŪW׋]fR̨RhZ་ R\ݿ߽u{\4LcX31rai .}p4}RtgUTc/Ox"eenZ~hXkJzWJz%VB,GJ@Jc'8^t64vEKz.ur\Їm:T5z Թv8p7Of&+1(W&W~*w{q?;8*@Ubɢ>߉ >㡘铦M=&'I}^Z:4?k6.L{jȘMw,;$cyw%r7 3#}6y+v)cXZN)|.ZJ.h^RE7r`3#Sy(3+;~HL^ܵ^H޻Nч\^ZZ1 *=dDnW= Ά2-z.2fzzሤdR2bx2v8p0~y(=Lɸנ&W~*ҡ347\3%LN h) -hs3画>Ҡ ,8&@g8j|VM.V^YC? 
`^6pUc/ 1@ecO vMBwok |?41 X6D`^Qe=]V   `WȥI5&.^?d\Wm,kte.o_/1_` VI   'h7Yrvu{穚S0@YsNW]/^6슲tAlkB[5~k^+ICT[2= ù9|a!hOѥ.ŧ=!pa?rZZo'~FeUoqo`N^ks\$r   5_[c"p@@@GU@I&uA@@dUP@"WA@@M\5l6:_8Yy֯\ bc<+gyB=>Gđrrʳ@sq1]@`/zۛ=q<0D  $ȃd&@`@"yET  AB IDATWD  $ȃd&@`@"yET  AB!qU--ͬ>_N||C]w*m+׳/_aahIg%z?4I[nZ䬢tl;i@ SM5r\wݴn,pw $so: Cd҃3V4XJS땓GʜMHkrrYP!1LEGs!! } XXɽj%2xI2M?: BT֛V&Lk{$IWH'0nNWtNuFJXD"}?~DQ|TlI[zbд&Q!y$mf P4-*m$I]ͤ|;p[gf+6c!TU94sSJ"?١QO佪oݾPYRPX%+Tu@ꫳ۷T\ s)TS#[KgpsqÕeKnGEewI,d-^ܜSga]->{.]Ex#*"sdZNR`()CQ!>Pqԙ7 \ܻ.^HU>DjYt8Zb>0s!.ew[TʼKt!CNW&yZZ~5{4Sr%E凎9c6ha+rV!zʥsJCpDRi(T``KѢ*&Yja&miC͉Nvu#u9 c:X= |0%J*l(C'j G6mtrja i5p5Fxk^,dv/J@U=3LRi&m7ߢ7&5tƞHEPCf>8+^YZ6}[7GePHc{jUVdZߍwI &囚VKJFWֺPr uƜ>\,ʝJtZm`)+sshf+ME+)SIqT^@=23)cC2/|ճhf.T |TCxJaUOCC^ath0z6P \:ƪ zmIo Y&flzJ%eR7yLry*ͣ(cP6/ v9]TVb6tjf.Yw*4TrFNKΖO_z/~voL}FlZ{I{8/ِGY~j_>6mFiii7'cͫǤ8,mFZrWI<}_ܵgӝVcLiQAMӔyiv%+4(K}##:3oN ǧdT!RCWϢPMܜjoWR9I/LF OIKdܜVcKXA^KXxS~;Y>,{e-6=U*1mդ-b\cSAoEb]Ά }uhšNͬy%ϝ%0X~t%.:sMC}}Õ=:݇_1F}ڛUxTz$鹚s'L2y[5wXYzzeiNP0cD  tG`G/vs  @[gҍ9P-us m@N?J֠YIǕn4+NJej`RFL-mƴz[w4w4F!*' NmPvQf|թܨ^\eJQl-{scA`S*F&5HԦzmݭ{1286`'3ׅ鑝  L+P|`*hw6RWo/m[ޚD~Ro4kRԺJ3,F۠͘Won=fƨg`EE1~RyEy/ɖz  >K[x#j}df ݧ=MvYw4@@ˌi zi~^C*RUg]ZvzZA@Kxkix#j N|wo'%ޯMkfYSZpG D̘۠Won==! rjolggɽ o%r5mѽ;u̶0$fFl%YtwI^o1!lwXoѶc^ZHVq;\#1c6荸JS@۟y#Cۇ_;t{n໰sm=CD{cn}{6PN]2LOKoFnl  #~d5[܏|nss~܀A}%#uug~~3\ƂMpX{0-?4z~A~ʰ<@@-/v}N$@h4މa @E[d O : @@!o0@@@'D>Ch.#Dea@@'D>Ch.#Dea@@'D>Ch.#rSGt}='+O_@TTTlLg=@ , ='SH7SHԥ~8zۛ=q<   ȃvnkth0PxA+&D5#%=oc^+Օ$! y0 'm9j¸1I#_Xdi X2Μk적C nv #awSWHڜt՗ᄑ)`S0o4t0 pFȳ[s2(@xxxBRFoZdNӓwi]w;nj᧧T{t7>!qM*ME3cJ35_|| k|%Y E^|BiSO':o.*&iZZEM˚ܤaG-u5@X4 2vCT%*HXgquux sZzY DՅ*@")1Ʈzu}Munٿ߻}{.]čU}uvϕ+⣪jv/mrps1ubz[7Sώ{t؊W1mdΜzİ9+֒9Kn* Z %qTFAÕ{+nBF$¡*Tϐ!mW@5.]}X9QuU<@y@N6ww>^YLt NW٘#<6뼹\ŒL:wU^ȞMv3S&Iٺ}]9Jvҏ}vkXbv$?i!VϜ߶owv]mƜy@~m'KC̸!F"aG*NUd}a!a*'U* WP}P  _pܿ3RLNfnǂ7m TUJVTVA*j ͮrV{'-睩9CZiLH b݅'&01Y/_V(-HqCER=q]$?(=jw3&/^rj4g A@! 
sόCxȾ ϡ.L} ,|i cC- 'j'eP%@վ=;zS+f7̘1?ȧVkXM7Z7 2 IK9/jns eQc O͡+j)'=I{*!&jM[tQV[Iynb/+$!'+1ZqCτخ硡0:u4 5z :7Q'D3s~>htgf777y)J޻Nc59yLjDҔzzH4mSb%r7 3#}6dz?O{jȘMw,;$ys#<>чZqCτخ'1._HJ&ÓgMuA9t5 W̊6$C :0zj6xSLqlxӊ|- Ҧ)'Ld{朁8;],oqF   `"@"#v$@@Ƚ A@@=ro҅nCQQQ'GW? .@;%Y?=@ Q v =K̃i'U Nh<^L?,n[[Up @@@@@^0@@@wuߙ x  N@"w@"'   4$raˍlgB=K!O'NȇH x@}]#FAǠ @@ޜ"" "DDPA@y)""HA4@@  ޜ"" "DDPA@y)""HA4@@  ޜ"" "DDPA@y)""HA4@@  ޜ"" "DDPA@y)""HA4@@  ޜ"" "DDPA@@H$FTs_-~?Z-U3d]| B' .݅@DNY|Al{yƼWrc %:M8{AS,+]w/;,QUYw;6\^4#zRFAÕ{+J2CSa[:.l~[-O͘z F (9\jͽ?c2@X̘#kĈT&VQ{\Jmi#>/|1WP뤉nX=s ٶowvVfxp˘CRUƅz8UE<_Vv*ٺ}@wSzZώ1U&ȞM҃ >84#2p@~e\0uO_)|NlL\5!ؤqx@Dr._ʼn,uIAع굫m1Tޱgm}cLU#ۗܥRͬ+PXȳX}w! l yc U]yTOܠ_||Pz w_|5Sl :Y2?0Mug$I҃ /]1"&,}PUY*,6} -YxED="Sb2Ue'j i#S vK _GgrN㪔jȲKiQsO]'nqW.Sv6?#WΘ>َ]E֙?YzL-l;SnZ-Mm|{wR"_QYqX}jUVRZ"IL8"Їm:F5z 4455YP>zuTAJ> _>ؘ2:)={Z}-1i^ILjeB~&⢹` mA3rQ9QWesS0͛F<>"鑇2=ޛv56Xhuś{[߹OaJquSI`FlZ'[6z$HJ#'$%2%/ِKJLڥ4T2?W)RanڌIӦӽk椯y y|*KJU]Ipk{@_և\P_pn,?VJ7}~M6iM{v7 'Nѯ{t].#x}!\9Yi[5wXYz9:ic$c,^/mDr  Ѕ<ӏwahEoT|0V^p@'r`H'uu&@:@pܵi8a@@:y5(nG/B(<8#<ְ  'DqP  GXxǑB!t$c K   qHG   y;5, {)@@"<ְ  'DqP  GXx@ocZs_S/g1"raZ]u:cIW;aN84@J 9e_0&1u$rcD{&nm}%7v@rM@@ z%+;,6>ԭ08E.:|vil IH9eˢpv`([CUp~rF$,uen\c?Ezf'ddt ]/lDzQiib!w,!7hµ7 f K c%G,:8=mz6a,BmVjNٱ=.#I)g΀s461ڌ%6|s\~P{2I\qggvDIZ;  מBFJ`zƴ[3U,Jۼ`W_}:M9 M w~=Ϭj^o`wv! "K"`9r6=/{qщ{N=YU2n؎ gB3M JG70]7W+MYYN\%qcG7h"t0RBGR͹1HˌE@?x!w7jvwv4VVJJLr>vpōsG. @jC}۾^u֧K|ghZAC1.ݔ _Uo-W7_׻ю2ssǵ;;33}}|~Øo_>\K'\&LX`4uv]}s#_o?& ޠC.Lp{+ P)cH5xz^ښZٚ4CWWRQ*mڶ\zRr` h7$4@K*vtۭFkϗ ` 1v@00dnW"R`0"f\eXR 'Mz׃չڍ~#*<:(l)Իs8$g/\euuywΑԿ^c΋ ɪ׿n&RsJo\lt\EEZA\RcJ)mi~FGU~\k JH5xz /Ք^s2glܜvgηHc --+zWJ]|JT$m5d52P%l)Tl->^ =4'Mb9yYĄ7* @oCG24N?Z1n̘''L|ŗ~Q1.=J\=aSd,iDBQzf-XO=k-6H 1KZl<MgO,>aC$B11 ,6TV{vB2!E=tІ5CL"ISvzpw$u_{znj,~m~;U?(/JԈͥC. * q;H>թ)@δxFh.AHtQK!> Ņ_dooE= \yJ"?OnJD᭼A>=3MѣUX}POl[g{-JrPL3:I$*ll2!>p⽚rx号$z`ݕF>SiTsں,/:_zWm .OO۶Iѣ֊eAa8.?*dc#_࿠Flr)~z:ڜXSX9ϗ=7n z 9?_{sؑ|wZJC8u"0fJ)>ܵJoOY8P{. 
59eط/‘K W++7BCvܾyx^T WRDDGE|ڟSW/ jFD!ѐ`\:thmh^3uH=Kq?t\r]؉Ԍ{wΞNbY4xlmm[_'Z^"~p#4Ee9m VQy:_Ah+ڐ u20W'!Xh$*qq0qƬ X9nu^ F&9zٵ#KbmKk'W.@]o@hom鷑!䰨hxB$KٕFfP`OG*mIつEeq-b[mX 8\p ^wu瞮);G?mvwF릌WsF m9K( 4R]NR|Xl샳;*e0!g Ի&%6Fh6n[>"0 qE]'sE|!F"n.j̚g r6=/{qщ{`wR~d}=VpqQp 73WTߦaR F뫓>w߉&aK]{z0(-+ussWZ*)1} ?pqx_Kv{wm!a>>> Z9s[(8@rr`+FD+~^)ن 8+l-qm9 C\jʕ!X Xd?XC}{^uէL^UU =C8Ԃ ЃwSVfg{'\P6iUel"9uލv= =|:1DXOjoݣy܆bhO8q" @ʃŚ5coELjͺJR B@ ]P+.'|2Z)ᜥ<z9=;.p*8B./SIѡ$,Xh2{.)nRY~?ҹ YZ*J6m+ q%h-r80V}GS5fG*vtۭFkϗy` 1v@00dnWn& $ bWjc I"ަ>=?%uv  [ Gqك`Nlb\^[;-ܲO@P[_pٶu#mN 7*HG+ƌ3>GPͩkwf|$7Ca֊mi~FGU~\-h,V\L3ec/y68.')>ܵJy+b %/Z1ńdՍ"ں`čP?N#{v C!aӶW&"1ÍklܔٝN+XVzRP)pEs$;+"vegȸ$zsXV F'C^5FWlk፛ͅC]Y!\NV88d &_Q WJ5?6fmY?n;ruS6X@Hd Xx"/QQ7Ň!$ Xn4vg}&r_ $̙&rs= $&r_ $̙&rs= $&r_ $̙&rs= $&r_ $̙Cs;@H &ЁV @H l%a!3].,//#  hDsS&P ëPBUqRz1pJ;CЮ4 X$Eل.lnNXQ@ziGDQA;G9"$`a0: Po_bU}2x޼}fu'>eM g*m\6*r^Qc߾XS[;R!翬+Vzeύ[2HnX&Ād)WqR(\_񨥆K,X$k E7wuAl\}34yeScqwPŝ#$,&rCgs86j*>Ύ+*U*(cC,5z*NVP=+pm;OTbC Xq+⩟c'R3ݕ;{;Q*-Q%'h-m gPcVmm '5XJfԕ:KC'fRK9L!rW)5R`Iه#f::ЗUڎn.ؘp5@ ! [m5-mԝ;I\Ʀ솦;?MTKk g:Om̈́?.Яrvl{@KmmRr3X'p瞮^*`qsi5d R*&Q 8TtD;3Mݚ[ IDAT,Jۼ`W_}:UЅȝ#  188gtۯG3MҟKJgfNnh%o 88Nl+*smV^>}ဪ.A'G'jO=P)W>hkppt_fDB7UNX XM +JIN%կ`RC`ô ZA>*f}RTN9cw.Tb Q!9~zƇ6*i9H!H|GԮwe9ji8 Ws]zefg3H2ssRWk/ճצKT(p9UnEv*p怜̭7(ml4zt6/Qܻ,C26[|zށ-۸qco\S$.&2|<^**gXY*`RMX K 5rW)5RIR F-5_WgGDg5{7CA3gk%́^;Aw _l9rIn.JwqSb{b{{?CwtG(t#$`~u_W}rgEwvn>LAf/M.Ѯ׷#}\=#2!6C:D2  [%p"(r <(6]՛klڲwj_$`iw !qkw}$As7}  u_+n{7h? ]K}_*ݍ~F&C! ' u7? {_Y^R7h:y܋_wmBdﳗ_BM^s>}>8ow|̍NQF&a-Wܙ!6VA&H@n~{_1J_۠JL~*>m"#s㑺Z7 -;Bbåz  jvtG XUϽ]m,R~{/>xnV)%7EU 9 H` X~"aQ}c8盛q꽍Z }887O(ދ:noHC| +#>mv#&khAޞOok=ܔuBVJr?4_7֢L&r LX+oRwl:Cnmn_")cx ^v H4 ViF:xV6`g X̞Ogqۂ֦“4.L=+G}Ŀ'C*a<.$M>{UlXK҄5|1{i7ڿ{mLxrfYgNA׭LViVZF(oC ߢ wzI%$&/+6=N+]q/`^ʡ_.*9RΝzE0&dCyX fXq?}^wNn+2X,'ruQQrr{z3+)雠H\ ~<9u洵wE wH~9jgCd 6JvR%Cn p{;w*rvf%XFư]w7w;g.i6$`r4UE``CBumrRr;eb6G PpR ? 
;8DP@V@$s4UE``C꯾ _SIWAO:"U䕽CerՓma Y&)] ,"$Dn2 76p #EQ֪GY%W:]+ˤ 5CW#/!E\Y8l{^%J9` $`%07R7 _/SI!/<_WA#GPE~ENwr."R} -JnTޡ Fohlȍ_Y^.6 ) OsE[/?*mJ;Tp#D%@HzX[DH@H[$@H A M@H L6#@H #`"7"$05MmF0$@FDn,4EH $`j0ڌ`xn6uvq@C]_vm蠨`Th@CN9dSە`Sڀޕ%ks@H Xx"@Rm9yYĄ  !ߓ,8d@O ͋GakvΰFH $`b7dggSج+9:?`LޣHLs3~=wӷPAj etY|IV!L<+}*(2?O=b[).h.lnN>"h@[Iqt&+ 1W$05PӺo_Z6uOe'>R}VU炥 tw۾d.1I !*?맷sX(#$D.9t;WS%`ND8YJTU,_U۩RW&9(5|Ssh@C +*-Q%&=s_vmUvS^wV*mϜw ՠ=4_z!WUBښsXDH N)yQ'ʛz'ᑙI}2sz՝`@z7x LD>[4_׻g5{}l RեT*lJm!@Ht`" zN'oۺQҴ".6a\^p_1pC5BN{~Zx| \zcѻpmom\ogͩkwftvs W$0A>";Z[;n7_J&xӇKLp0 ڨzVW80 w$&*] =@H <@6]՛klڲ Q<-l _ޕ}^wNn+;pCû@K$0kK=C5?E]Ι  w;wH $`,Y<.lnN >"h@2 =wӷоR{⇼Rl!~ R[0x]bo.D74hE;+9:?`L31;R3H;B $0`VaN}w;"F{555ļ`ݕGT*\Г<ù\3/4~w >^mIG59eط/λpVXSX9ϗ=7n UUN9DtćGמN{r;noQY 5R3! ${khyq؋N4ҲR77݁eGz̜` H3^;޴ ZSSן:yZɪիܧπ9wqENwq GHigT+g؝ ՠ: ZZI.g҉xu̞SiՖu(Ԍ cF+)V(fܨdO:V×|cxՁp7kMpmZI鱷cehp`Z&]݈~Øk@#ewSV&~K3-QW .CsWWRQ*!mNz=@ٙH3}HՋ^ښ>}f m%/:76 Ǘ'9EF[L1JH⣰$`gHfܨP@H B*vtۭFkϗ4T^oQ@׽s‘|wz)@k@IiBฐCCs%@H`XUCE $01MlB0$@Dn -EH $`b0؄`8H $!Zh@H`"7 p@H C1 $Dnb $0&rch-@H #&AH $` LB[$@&FM@HȍH $L&r  $1,gL.<x\o㯚Z,DY|E;+]LLIM'Sق_aZsn J#ע7@H ";r}s7}KlwyE,etY|IGO=:5+9:?`L^??O=<ݔ}Fޮg, \Qբh$׉+0!l"=3DJW"*[}ur05)rÃ/j?AU` ٶ!S^ ɨiH\z>Q@H 0Lzh:yćG.5翬+Vzeύ[2HzOn'PMi,>PX4E4(>R}VUQ{ 5ygJy̍C]m wI=9. DX^>jw0JA;"XY&_Śyb;36HA(ܨnQ>h]H <58a4KE߯B3=^9eo vD2g27/PR?b2{ @N RP%.J17**[ $/ _ofq9&zGJRM*ClΩHfto4_]j˺T |>}6N~7c+iNf R xb>Q rP +',_o= E}&ߔ EnMɠuMlfI$/08z;O"rbZ'H@ju>X|ryg{lEsuy]}9Ve!nkTEH `"׳Vz<)F?"x>Pڇ.<{z!6VfS lGtDG-e/VVL϶q횿|9B_tyǜUn.Y[7e!ΥkTz@H 꿮zΊHhm||dyp3\ozRVBQoɇW8Px cN[kjJH~w;kR^! ! 
$,Q|M^ IDATެh_cn֖6fG F@+7:"_WͮnC{ZZaFz$YD_>Q- 5w\8lj`-vz)gvy{ & ?pEH > OC2pCQ!hhr\j82AoH #Yޜ∐@H`"ơ"$Dnys#BH +"܊&@G) $&r+l*@H XL78"$"ȭhqH $`y0[ޜ∐@H`"ơ"$Dnys#BH +"܊&@G) $&r+l*@H X ӦƦ~-?mS\ ouJu-?pGjjKE;3BQ8 U<?~DY|E;ve;|\k˨NY2{ yE+F7q5 ±Zx"\?Yl71aQJeߡBfOZs-/L'6mmm[`9~:U@ꑫ, aYmU|N\G!i -.*zIL WH괻#G9G8r4.&H 2H5!z-- 3ԆQ;땣[f(,T`Ɲm<)VY'R+ B<6ԧqBCސhR?(/p}Z*)1} خynYtİ#w 88:Q=@SNM-'v['RSן:y1)yꑫwrw~w RlKݘ*WGqDٓ4cv<8 Hz/p$R ((JFfީ fto4_]j˺TA-[V+!I,2YR64cH C4 ?(v$@եT*lJxoM۶u=, 7PU el"o׮n(R{!\(wOw `B.lܾ#m%#W7A~+*s|1@olV0EY;t^xdЀmŕT26\UNe]Udy˸B!^2q0RfbT̂)Zޯ I4\VRq; 46 x0KgO_*a9uάn.1ӞZA1`o?Gn%.(}z%9/&$\\;n&׮q3+$:EVR=rq=O<YWT  [ި[80O?c"YJqqH52逐yqң̼CRVLǿN_K1Vº5)pT̂)Zq޿h\VzRq; 26 x~u_W}rgEwvn>l|@p'\oFDj!ڨ߫!ocFkgf44snP|u^ lbNyhݢ7$F|զzҢ}MMY[1~G3=C6XONC{P=tD{99 [yD_ߣn^+"!NO9G G8׽s‘;DH # O8%{\|J670oz $`b7>  $&rk_8~$0kz0x$vȭ}@H `"7@H `"GH &ܬGH k'W $̚&r>  $&rk_8~$0kz0x$vȭ}@H `"7@H `"GH &`?ctۯgh37ᷥW)Z$@b!H|G^ >m*TpA>*evU $XA"'5v91o[Re]SSS#!D[g>=s sՠ'mLyy;vvv^swLm>`A&*zbC$b7>M޲eQ~vvvQ 8eV[Iqtw"9 (1V~l~B.KB/W}T赅3]DD6_N͊3=iplk/TC :}WoLm D{Ya`QQ( $pD'\seo~]6&)!"8bUeGS~vuN_|BM^s>}>8ow^|<7fnfuu'>ޮ6;;~]N];QJOkjp@~2hqНņKLm4<@8YAae @@lmO?DƖTW ջr81b=re6( $pD-"uٮ;T5%ߌ]Ḵ۬ۨ%f"C.-aُR{H Y7ۯo "*&⋟UϻIRLA >*O]{=WoZ$D*7W+ W^zep\朂 i-\RGd^(R[&4< NK=&Lx*b*'0/w'z}Q6]k%5@ $@9ZBt̾}eݿt_MmZ^ӥ JR Wj7\́K+0,t a-ج_'[shy~:bs|Cw} ޠ:7AT~@J`FzFt=7erQ@#|Ppx9o^v}#kIͩkwf|$'Geo}Ik=?%un\TdM T~8a䖝XT£–‰|r[\lt\EF|XqKoO=_A;S0 $`~u_W}rgEwvn>lŁA6Q g}"$6]՛klڲw=ꐧ'l  $D_ߣnCH pa3$``"g`@H`"7x@H 0030PDH $`n0یaH $("$07m0^$@ L @H L6c/@H &rH $̍&rs1 $CࡣG"H $9xh횵/Ɗ@H 0Rtw3E@H s"qs. 
$F+ݯRSco?<7YbOjR[_yպԖZ!E$`V(," we;\/'@?ddI=skiw5*3cǾ}עw^7Itm(,+ c;"pt$pMs/Rml~Bי.K""5(3O h- 𷳳 '#l*Z/j?_BiUWތ]^I3J k[+{x;$Opq'>U(k,aRqJmw'zh @k>Z _gϛS.qTz( Xo$$|EHAov=AapYߨv~n@c"C.VUVT9OoWCoOY80E4(>R}VU\Yʿzw+N|xRQmuŚOyqKit<_{b*99eط/λpsWx.|/ba6cTT+#XY vܾyx}>8owL̍4**p2>x1dHP@Hxϑp_tY0sdN;O]i =v,5c]gN!*-Q%'9(cϞRʳCm.SWXM=i^qB">7$> ~nUJkkk,:Ǐw\J&\%uE.3앶Ugr8_?5A ؇T%UZcq+&b S'2k`U|pb#,Aw~.馌 O P s~πfwo=5[C߶NnhjZЁ} OdjC@ZdKR[Z[ O*ڂX]€WTu)˥ٱ=.#IɺkѹJA3=^oB3~q -mt P.4'~dր*MdlN nxRL؆ǐ&E$FFgn"44l5 kV^>},:MaDtG^* ޯ=W8N\;TrAHVq%9S G*fLn:WNM]iJg8SiՖub~q[ 4Z qAIAF YoD{$C{߰m(-,t a-եT*lJHi۶!A LDrdpkϕzefhSwvfwbjK +egfvcˇ˾ RSRx5c]}JCZz|[LqHwSV&H7bF'="A]ur.L9|o}:%c]Ι G>MccNO9ݢ Xz3 Z"!0YUYFLޣ.zs"㴪f3xn@H $̕&rs9 $D $DnƓ#$Dk $DnƓ#$Dk $DnƓ#$Dk $DnƓ#$Dk $DnƓ#$Dk $DnƓ#$m.f9`665? 9)yVJM7"cz OW$#?L"wAM?BX 2 _k.c8)f ?b8 ܣHLs3ͺF<12?O=[).QBxV#(%!K닗.n?U=6$B7 a_%sE4(>R}VUc߾XS[;RA[ HzOn훰7(hŘUUN9&@5o(.hAϲ6Pk3oܣ;tXeŚ~ܳ>M[L[:m# 2C =%_wm~˺bMa<_ܸ%VU23b Y࿠vDN82dhˣ"Gٻ@hxЦ"p֊5I@ÍP̸|hb{1%jOexTܩsA<%!Є OH(& 4$ŠD|džD [JO *> RC%;;؄&=C,mmm[`ٻLjNlgi;OwOubCJXe܊xbUJE Mh (ک 6뿷rM}PBS h|HG8vj#4%xe@,*Q;P'SWfjiHP7;v1|F;"wmp[24.3앶Ugr8Q?5A )V1jC89~3݉|X̥$prqwiRЌD@XU{d=Yٵ#KbUKk'O*CFhd?.7蛮/PR?b2{~FCElUؔp;ھV\TJoԳX 7Y&j/w8S>Ѐ~ܘ1qd (G8.*zIL WHS!{"NQށ2Ԍ%/3#[m |qcb+C 82*rg{^s4Dz7C <(rɡNe"6 pKI`|rqwiRЌD@[?M_~d}ˆxp֯prtBJO ˜ 8M#ѩr!FIl݌ éNe5Nؘ`j$3 BT.nڽ/g޹w=vhp`Z&0*ލ4A{⽧b6}4迌B%1o΄"BWWRQ*!Qm?(wSV&DbUJE MXb>ĉ H!Ž8jkkW~&Թ'<;g`(0kG`e@\!$aPI-ẅsX0Mך`.JJ#0 |Ie #2<0r|>@Z~>B./SIѡ޹@EqxgDs]2$L FyQ(LW4H" A4ƈ``^$cGk(bs"_S)]jv}ۻztɋ(B4ǩQw"9]GzMJ@3 _ņq*~Ki307$t Səaݚ?x?bظ12SL3~! 
)t/#MǤg޺FRBԥ=k 0V&kl\#{GpxhBrJȈL<{f͝4kƠA$9W(AEuFR7㶍FjQEqF<Jw۴FI]'Cwt霊ͅQ[;DLްqW?nJܹ/lmawS1bhI|wA'-"TL3.y } J^6j:+CϢAIY@v.lq-_?7>GhӇӄmғKڳ;_U[ [&@{nґN,K{MC /1>:(nz,p ȹ W@!wUt'/I] \(figދZ'B8CX,t,NoٳB4Lf5{~|"rop/Ƚl.">9@kjέz&;#HOe?H$jegOt͘Q.y!'7g횵Y?hϖzi؞ сWͅZsc,>4qsmߎ}:4Wq O[yg~lСAd_̗dV*e㧛­F l32ڌ>8BI-1}Zc=>wjD~AϭG<:sk4TQ=a LUf3 M3^^agʴw0s{ #'Xq{K*5\i\fm؄Yvhi+]eF٤p;(׏a[-Yّ"9-++;3ltąN8?>nHR5Rp.*7( %qAx|Nh.;tdy%/?Q&JisTWS>Wl3QF]D6Rx)w_zYNKyׯ^:v.]Dl?W*_'mLeFX֢M0IHmu$M]  )/ID/HOӯ.N+{駱ѢC!ZSu|Pkꗈl?lz5KjH֤S|ϓ&Rmyjh ԜUW Ϯ\kׯ釆 ǃמVMN}-͆Ɔwk]ohƔ# :P-7np"y`HPmNfT٪m "dc7v:^z<<<\ _}X#UW-_(u: tR(KgesT$>tjnt+Y'S$nڶ _G[Mog >|2Լ,&g1 ]uP%S";1Sr3-shp/8}&R)nY"@kJ-A Bn;:4br,z},~! )t#լ7gۑ#8<4!9%dpaݚ?x?bظ1c5/ͤ3#nY3 $Y8ѳip3_+~&RE1@ Fuua&nxjEôMwWia+(gOR ItgT]59JwoΎ[ E~ 79f;`襪Ҧv[GZ*> =H@qɼ=Õo_v͡Y8*Yf-Qco'nvB   EGۼ@PPP?d)ZZ~/Z*?(IKJ (ΠD`d3w_}?KлsFC{ &@QIuӂ"w5r?D  P}| }&BA@| O  PȽ{=@! A@~x@  .&<ƃF w~!8i   >EO9q~!wn|>5H@@5rĠ  D܃Q(FA@@<  BPȍ>xr   F %} (4@@@!7J   AP=h0 %BnA@@{` 0JM1Kk/Ԟ_]>Nk JGGҫYPz%'cy.>`=0j]&ϡ-̾¯:0zlBg@!ihI<|5%U<nܰat BnH~g}w9}3Y3$a;R$$++֬ 6.bIf>;4%S&JDž;T2%OE2mdյqOAadUn㦶ViВ)ԵkώCQVc4Q;MIW۬]XXR˄6cDz #ф2i>K/FE樨(jD6jVPQa=Ԯ>{8Zt(8ATO}t#CG8iռc85gu7xڛ |&#$%cYF':!)<^֧_??iedWzʌIm97qclf +$S+;b[7/\JԱg3y_$U+j,gx 4ﱎrJ =E׵HXfWdH4BFwnx̯ocޙ7ntBASV5Z;Mf_6'vXDLh&71"9)ߌ Í+$&kVtkMׂúN>z|iJ235*۶['7mʾS}_3WgB-}<٭]:1/LZ#Qr =1*+m}a{˯ˀhcPAj73=Vj[_;P`V;Qzn нpC ɤ_)׋RCc˗pC }uCΰ I>KSZ J"dZo]E4sc~ v|uo9"ḧvi*W5Y[M,"&2{[S6ߌ Í+d !&'e)>V['n?4) ECaѣv$*ի/[1rSYRPc~Axkɧv/&9~]I.#xiS_i5OqyWrz( evBnH\!؟>*J""S"}++қ `w[RR?19w?f=aF#&YPGW;MKWmb1I$Wd!0xBA:g<[VI$Οc>5gǔiSH2evDoߦ緳.XtAagOzv"8>˵|onɊ#?7vӶ;Y#;rGvǎ;FrU1zr"ܐBn`jaLT"/ Fj r ::"΢"vP-17JrE"h 5M< khtD~a ܬIL#"3!0xBTM͌SkraĨ0:M¨ԎqQms;CSBF e!t #ǏIK ߑu3ddFO'ڗ BF$НgDw<'~wsC xQJJL~=3N5cРA)PDW'NY8ѳiUgG^(5ζH 4C~g<C5][ZkO}UD;sa)sC^RC#M) ]XfEL.NHcX)H ф* `uua&nxjE]WhK_\RIO.Վg|Tm5gm=:( C3 9eio!*^ ድmVY{kzPIkFNNuZSB: NJ_?D0=Ft$'&lˍH# &/#;t`=$hHnKcM iJ]h2qD:i!M&/5vG`L@NGgo>V}$A@K>']|vg: .4d_;|`$5nwC/jpS0B2(7%#pCΚ  1\֧_??qsY#uhF>εrP0]ι߯rRNql <^XⴲNrJMӧwZ&x,cY٧e'cD~ܸB2MpϦgXG%RP27$P-je~4̞s7VVϟo 
ˊU.(Qjrw""dZO3$cYZ|铑"UOxݹ1FXgIXZq{Ø}=3GQ44Z;M,RF](rWkP6 _{%ݿ{r m{ zi+.}=OW23׿ֻlkZj#Gq! 698|~i^ C Fm FdR_`1pq6M!,0f+ +dv6hs(5 "jMI"ҷB(r P ƯJGڳO+I"e+qWc9"hx}T(UgAf g(|u:U%Vh٬ˬ]7--YcI---?ymz~;׎Z0V$nڶQ_G4:B.n!Yè͘Y9Y sh5ܸB\D8vz,JVMRhJdu3DQ٨~;ҜuˈhDr5֜SM!S&OٺmI$wG>^S-/y/w(AVúFLG0 Y]\ڎZ_n֓&/C9~LZzFXxhN쭛%GI s{)7gۑ#8<4!9%dp(z_2"$!5_>#r|H7[G0&t QK'08z4<`02SW( '%&qs'͚1h W(JW(Gm+5GgtH_GO6sCNE4 " #Fhr51:sAk-]P Lqg" dP\6$ 0!o"%k;6vGn:x rH@   aPE~Xb6  LFN@@J䅜~G}|#RKS9o,YPV+HkǑ==9R߉=2r /jiS'>2S[N]9E%'N\Jh듒_TZv2I IVX@@| 9= Ŏȇ$L7nLĕk.j*sd=ɘVnHٚUlfo"¥)߬sv{evz'RW}kMפxOfաB  `>&?|MAԠ貀rsvw=~[z) r$,UP<WT30\91я4@@LOG6Xzu{}>\7qCk  P}} &BÇA@|   PȽz<@!A@ Wu(>?W@!C  Ngj(^=|@@ @  ^Mܫ:r_@@ {!x_'(   MbE: Qd<) a@@@ATť:ߎBNɇQ7&~F4A@@{ܐ O\?+h@!!A@   ~V#BqC@@@@?r   G~ L}x_-"N'yguuu惠|<}.R?QrBnJ,@2$uܙ"%>b r:7nV2˅/? ) бxғKM+=?`v!ۡk?;2gWW#Js&x>XnG@@Gwu2ZnY c1S.d uWË5?,kHyus,f#,@@t5@]j֯kGZ௿q+,`@}+ey^ʖD+?6oZT{|1~fԄx= ;ݻboIX^Y9YFa8|~ƑkT[svwĩ[k piW e}r MK롒#^Rz|Iwfvv____{̟[Z৒9Ι l+[җ=$t|];xd~e4S.x8+?^y^aÇ=rP_lECaTq.in3*4eoM62x^ܼj%}8 VzQb.[LMaG M(Gv ±?2W@^n^r>vX;/_ߙϱ/tBF:ujir JBǙd=2d\imO)DEFqL)ϼd_ݳ,gNzPU&l B[Zy$]tF?NM{ 9]#?y`_gTodg/uijٻelkd,ˠV扷wsaQ ^MZ5گSզkLrk׬v0&F*/CGC0@$/N~j\2WgJhA܂u/y6YҴi z15+;W_sz'| jX+43&;x7M5k{>M 2^;nWP'`;F߯sR"jׯ?Ǯ߰m}PbcoU(8~ir TwҢlINߴ|\i=.8|>fR^W/7HKxHo$ n'й?tb alISsWԴ͛6=9Wl$}ʫdXmaVZlyzev5= BuG+,zʖ.D4gש[$"? @ݗ cƮݶFҩnM2SFV^Lߠ_"B6hLHNسA) SF~1ީiV^OINٻws[kW_+EbX4nz~#mb I YWn}agfْl5bREG.[̷~LIMwwIO]>s[eڣ %.E;hw?fȦ`BJ}0Aۓ?54o?dBK _vK ąR2ޱtKkRܸ$))[fj!HR^ B"q&Wo`.vEG@AQa& ڛy0hh[ձE?&6K[w>x]#oۻME-Z.mgMrl|Ok\mzӲlvT P٦0{@%Gͺ+xl Of;`襪Ҧ 7>πՔiA" p]{EryA@Y~qgQuӣA =I@M:r{>|y5r>&! 
Uq$4@g z7YtjK'q '#r>HA@@++ A)aTA r z(g !SKd  P}pБ2yg, vBTA H@@kmBNR6g*XS Q=䐪IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/19.png000066400000000000000000001374361303637203600247720ustar00rootroot00000000000000PNG  IHDR!T6iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx XT5އ!Ex (CSL4Rb\?Rj"~ⷦ4-#?P+4H%1Lne:^o:朽Ϝf5ϰ:kou?]++ ^b@h-J`@H 4CM YPLZ ;)#$hB-"\>.'ve+FH $ \=?rn9.Pmj@H vudv,kFƖ]7ǫS!$+hx]p '^(rRmź,V\+3I^="% ~LOW\ޫ  $\@+xh8B[k-s;q*= ?N]mط*7I#r-^=IwZT@Hyhx]p g^rp;SRRnvt5/ɋ+yOU6)AfY5q8G$Fu<4G{u-W Y36DhwtBU!|!!j&yQT4hr䯱kXCW9%՜ztCY $t^\Cy5s:fC-oEHn m h2ߖ<q^\sex+g|6vn&OUN j J=:Ʀ6 $Z6_wyT^^^T~/f8>60ݯk2}c:d>5ŤCr0GVH/|^ '>mhX U، ȕw3S Y+;뇮x^yzwo,Ͼ}ο]lD;\O3¹P4.>P>׫'o>  CAv;ɹVug, ޽Z:QzL^)8/Ίe5L3ր3а^xIHe$jQ  x`M쓕 9ZS@$w6Geew3+oߖoO,hY߬/Fn']($7\c|DH3w-}sʐECƾskόJ.U&;_~>M"7+w]D}< RZC/d\mj"|GH9Tua +(`_^.<3XC E=hDѹJ  mL<<駺>/Lu_:@f~ z-fÇlY8l}t)}v躊C'eMG˯&X|<O'%lI>+op J;  ߍ<^? (@bL0K%rz$Sx D, NKn*7t 3$"8z*M[5:%ʊkxm!J|^t#D( $:hE )ĹX)s/ ҲLC>Vwh4x{{<rh.M׳aPYn嘾6;5+Lr,8Z}pTsے'X\g>iچpB`Z{]$ck)s89:Y>!ceu1cѯz?/L%ԮZAN@;w5Bw:unv_j'f0xMwnW@r 5:%J1.kx&@ PNYVVAqQ@H0R.IH]PysU< \a2[%&z=@"W m/ݑLpA;I[۔U]Ʈ]+߮TѶX@Q{ζS%?3$™zU?JkeIv^nOO:_CO3}LQ34[Nũ8>S¾@sTkL!`)r٦Ơ)hz mnFlH 4e]&50,}8V[%Axe}18Rᶛ0oJ-pP~xMx>xNZb <&:D^|4[;uN˽Pk%ڕBL3<3ax$%C|sDQtrYW9vqy3!LGxWv|)Iy,ˡ<(ven]h. {-#FVlQ5pGGaCh9ݤu!JLBH Xn7rIU /K]AyлF ZQkԑHeP땚vO\._/֭g/ತnKwg?9!l'{ա3r霁3*a-8S2UC)hr~W{ }}D#Mǯw)w24ÀG˯W^Wj ؄gw{0f({ >=-:Yw \Qkrj.:Qb䚋O\@#!iWbv둬YzA 9@!,J_`r _!!!r&rVui")R-?8n_L.ypѲvq4rj+'TNW+>No&j~4-^d Bc8N֮]e6 *(]+h޸Z A!sWKT&T;\$mCukK_| sb>=˹txzL<>˯57ȖP}AU]MTɾjMRdԭr+Ug$NE3 WQ傗\ȥ 7Otk$/;3_swAjjbR\$ eβ[Q;k~K=:j 9+CLvqK!(QIߑpw;IF+5.Xv7M:'l8n !0c{`Z\jjn{=tPevqd0Up?VxI¬ȉFgxRi5P"u nP>b?s^ a ӿjR$XU4+aRy%&pְ2ߗznlt7ޑ3~}~[hwh( $". v7onPVjd*~C<~ǰLU8YUUSaCԏW\YE3/<ժ zQidYJ. 
v *vPW8R@-텲kuPh:VoZ~WA5phZk2=d܌WU]sjqxv_u֒"/ݫ]%l| NCU5Ps'-/$м 4.A{ʁ)H<;*ȿx]"k2SS ^qWyif(l315w ^r3?wSQVgS9_{㺅@HN 3 jjUҋXn hp%v|Yx*N{.*`ZR/P ͺ.<^ᢛ vӵi}&0uy x8~bFڬ7[i^WOU7u.d?ܜKJ~/)tDQ4^R혋FZ jmFj"EEmkײ9.حDʄ˨̢Y&c 8p2sY5t >xѹ՝Q|ʒ"\Uص:TmICH)SO|59OoM;ƿc2j5bc٬70 VӨ%"#^SbƔ{@ScшSkCO -^CCleq0p'qIFeR\%;?Q5:U?KBWQ2I=[;c-gE 4r9rsn%YThH&-f!-p.S]EM3%vd$~ɧOp#SrM5=@q=zSafm}l7fIx^2w^S;^}\n}طSCmzilٖ cnZ zoJ+ pRyԴԓ''OfqV&+Ŕ@q1%О|:߻wEsmTkS?3G@BmF́]fmwzu |g=Cc?X텽 u%O-M^kijr ?~ÆmfϽorR^ d;m"BJYӉ Ma' \z%PEwEٙ[>~KW! O[7e;(Iw"fIcONSEqo w0HiiԲ ۶ 9i_,~4܄yI'N 6Js(200v06) 44.6ۣ9XckJP|Q%aACv8(63ߧ ʟ͈ݟl'JȖ`PZxfM^nw!sx6T{3s7{x/Zڈ:?b\Z)^'rͿ'OFFDrm7W\؟ W]E$,csdAƦ y1rKYQa]s??lsj@훳x|74jPt(F/ _{ Qxv+}%&0Ľ۳w35ĞdݺҎ{,Q]?7.}ZPX@ AĂh\d oW(X7Iߝ:=2"lTm6G!4BÆYښuSgÇ_dIմ:f|r)7Ⱥ"'k@1-9'wY\kQwlz%}vzG z޻m=|pjj# R9zUݺ)*$JLHZC8! 註;w\xj8ͩv| u.ѳTSq8H x-%:U m-Olupp9/xV%FZ#I~;Ohjhb/2`0yɅ#_8Q3Y=o< '%^j\2&DO;z65˒BB 9:('}f~c6qncعC.@WAo~۷#o.7[h\^/jhߡun9+ޞ7϶".ʵ695 Cݭi TVz<5a-\8OJZ/Ԗs͝=kvxpWWmo\΢&T_oDP \p[y- Vc@Îy䱆Y>?GcK9{)`)~d}m/)EC֝<]=EFsݞ#[lO'36lUMF:U@_˭TrI;hnԨ(uz>ʯ}U+>7*V}B:S) Թ+zԷYl*_/Ipl2G-f0H)zKƌZfx?S~,cUKt|w};%]B X(4ߣGWҶTUVZd }-["n*fV, 4 " a6 p=56cp> ٦i2ܭ}+[GѬA4Njժp;J $`{ϱrjrTީ} / ɽ8`ڔJ`Ѧ~fn]v`ȻQcF-[ >.T꯷s#OH !y Dب<9Y\pCAcvFMlqSC{[7BX;% oE-2}jJY31]n])4:7+B4Ң)qAzSqVx˘n柟>!kVުaMXw&mc {eWMRGEOT _G?N{oۿ@V㓺2_rUI++a#ab7^`_ۘRIpBL 'y'. dV]_*tn T' Fіb W֊E1:"u :A?q4r;}{ujClR,?ӹy %ۂQ)qAYҫV^Vtq{W^7|~$ĎM{7mL3%.I6Iv;N?nCo  IDAT5w۶u0.zܲIDFF^#é>}$UKpy]D Ly`fL k Bl:""ٷeϓFs.8n`YvK^Ec7]g~(JI 8M/Ӯ}9_asp+++ws}j@H ڌeը `͘I .R5BOz4jDhϠ&_*6Tj S x Ӷׯߘ _xhXٰB̈r&b`j== $C 3?grX^ywEٙ[>~KWѰU\O{­2Ν L?iLsÉ ~3"$hZ'ٓxݻ֦1eަEs@=椐ân Uqu1A z\(MIM9_zk\o~yˣ<0UNFG $N~prrk$3~BhV&MPtaQ§+ d[kVZR6wٳf@ Amo5ɐH $Ayqo8pDq;wLrwA-UnZlW YwI$F=W$PUUe0Huƍ|ͲW`S~ k*$hI>[7nwnxzJ?GЛ /]jwƫS|mʘQ' F="'#OHRs'H^( HZ!yڸ9D7VM 'EGH $n߾hQwJv38?-Z`\;EH $hWɒ⋥ёKZs럿z7|_H $@%ߗ7[n8@H W!F+ƅSAH $`3EhhNtr,"E52"R^!Iׯ'Nzu߮mQVg%lOd_҂sRsMݬuǺ":G/"\#GHMIyE$w,~V=kSRO:!3h%dImpm`mStA71yСd&:sX⳶nߪaC/%Mݲ TuVͰi>A^\<=b&K?PZ"W$- ~r&AZY?EE? 
mdeΜ zng5["dRqvAFXK*&N ypPScP$4 ~Vy ޳izŻϭ[76s{ɳ'iZ"JxEDXwmp!vWKng5sLhbRB6lW4E$Z}yNToAThC^Es p+/oRn/S?l17?253ck,$iqokIZ4=nQ7,"VY J^b[@W7J./=_񵄅$I!4VH&u?Hߘa=+UMum +s S-*v掾-jht|[7IG[>ͫj㛻e7׃OjB{~4 ?I<[|v")^:(Zٴ(MN3{|#gȦMǿ k;oYÃCnK jPmz[D_=ˮܠ\KP$LyusڀhA'rz$j'?J/oLs`cj7f5ȗZ˖Q/Y.W1++uw0tmZTle岔(59 0G) FMH/ӫS6 64x !NBAr7&oyV5*,(7j@=f{pT#U՞n ڴTQ ɐC*eh@>[mB!^dS kC׃NH 435Ӯ[= Xlf޶Ə㦆 81o3)G8rxǎ-ʉQ'fNz#= 2IOt2GTڀhDً"?!p!2b4?˭pن &Nlg^á’.rDcѷW|Bbh ɫWMB]ۘCyk73Ʋmh7(됕E҅:Ux>ѱ{by8 ֝g@̸A%4z{{kUH xN9ϤFcōSJ wW D٪o_jԴ0<޹NwA}7_,;al_~]G pMpc.UbEmKZs럿忛"nc_W,,@8Ѿo(V[]1ȜOމ H֬.OwfY/$$]j ܲv2K HF:yDX0ƴE犎}u u+AIy+ ?]sߝl'`crmO- w]̹3?g6gE^xe;>ڱol""k..5" hEG:|rP(3 kEH@xY C{E2gL8` Nc#.Otlg;>jyDaAv$"$l'uqO5sSxR*$ zSPE$rz {Ш(&_*%C;> @I;m 纄  0Ni '1` X7ᩙKzrPF /N $_~%Xޒ}AN!ZvL~/i*zO,ܺ)@IN;=?mO}*/7.uɶYLr?a`s sWMPFHQ |S_'#QVD;h~hvdO-YlP@H _/N,ŧm\:f@H8sZdۢuH $\rCm~R'ɶS7eh%s9'J~&>ضuՒ$'C'K&h a7~9pe0IlMr2?;?Dݤ.LzkჹaL|'׉%0?ǃ1cr<  M@? 2(dSo$q8yspH $: 8|9>9k$@"Q$@H h4$Q@H (Y!@H W$f(W sBH $8@H W%UGBH $r} $h?Zw0/$@H:6Omr HZ+M{[Z}E?]؟=uiisH #QÅm[I=VMwEٙ[ɇٻZ~0:;~ ZTm2?\jaiXPX53óݻbg'ceqڥ+7D]hSҳ2+n=(+A%2`7ki3g)jt_a R%ѳ>ȼ%yatډFďUb&vF'{ d s{;wqQ1[֭! eO{[ClLɯOֹBDs,52~DM];tPDJdrM~ɮ%F\ =3(8$!Q#3gDSȎ3 s-8W9y<<@.:WztP@Hpq97l2u?Hߘa=kp|ˣ%UPX֕\(MIM9_zb]Ol`^52!6u x?CQA9lI-AeژRµz%kj3g+ ,r{dGt݆~Bw[f59|ŦgL'RɇC F~_o2z^*% (2mş}|sleΞ5;<8MAJO&I ߦ^b$DC6iAm,(gFnC5]%ʙSD->~,`)koAC1|P@ F=ZmΌy^(['U,]fܘq$˖M=6qcF-_4 `;V?z2@Bn[kC6-UPY6 B_1xȀ`I,KY 1EvH4zmEnGϯN0x`h8xk68(haܜpT.IM0<`X*闲+#7z~'W ġ HOy6$oxp8qrJO&K·MN9Y. aSfN[CsʷG*^1cOp9-v#eE=,/YBh`aۊLцGScHQ 'zrP4CLф+ڋdдȈ0!{E|D!P@ #kkVhQw-̑ #B FG/$% x;BK%E>v"]%KJ/^Fn.zjaέ4W1 $@cp DH $: qyw5@H X[XbO@HupZ-߾7/ هY:e{ wO >\!|(j6А IDATYa>H 8M":kĸmSfW i`e4v:z|4{Nɢ=@B9?;}hUZ3O & d;a=I D&KCBou>=z;~ܪ% $(6N8*c_MVv(1 Ǿ.h  J93]qNTxP@H X%5?*ΩZ<׵?GzGJ37^4=s+ћ@-8y7E,㖩 gd->jQbEzf4pE! 
kn&65*i[j/.95H 7ъFMq42BYp`m[W-+;=s DMy{9^,3V g2܈7uDG)Y{=AY{ S'K=L@>db&{=gKM]᝴h eg='3O2ݩ^'@]d%(bz/aKmʓkU"@-|Q޷q|]C <0IlM/U/m37߱sFjڄ;8] (sF[lSU^?32:ODgߡC-skU{-ќu+IBHHoS\c >}[+9pj )7% BN6uO}qദTYÅ֬֓e{i S5܃XvXGӹW ȶ_*\DHeh˝s\V[ư4a/ɿϯ5Cv]q.@#ZP7p:5܃ݡҰ)1(@@k+0ک4{!k]9k $HܷF EH $ `-o]FH EkyN @H BX[c@HEZޢ;@V8e$hQ $@+$:v $Z-j83H $ \-nap.Ew@z7sg"$\7=6"~ų4PnIpnI}A ά?39ŦQD'xsǢ(C }vf†Ӛ 8عc=;w#$h 3ߞzk(//3 GdedF pji0#4SV5"gI/׍o_/H]YYI;BJR} d` AmJD?ߜpX%%y|_F[ -ݓVM "MED"Ȯ+x'=Z- 4dUU䝎bQԐZأH$ ׅmaOJߘLĀ !x3LhrsG u-4˦2@MNi<{O߿I| ۷~XӅ;z4ڤ ۶|[H4egnD-](Ύ4&T^n].=(to9t`]w`m 9(]‚GN 4$&~汓G36e@#-] nZōWaw"bY7n΂j/+BMXxO,ܺ)[F E52'!OU~{sݸF ձ':h Rn-AD:G pN-??42 2hĄxiĺ"=!Dzxxo9JooE -WI#j܆BhM8$!Q,fΈ#z4i(Hm9ڊ" 3\DH 5q<n箝7o νfNH<΀IIkneMɅҔԔ TV1-???ˏ;\z=Yԙ^jH#r2]EX./H!6u?Hߘa=C!WI#j܆BhMXR<:ۀbn4ZnԌhK «0E$fMk\I!R !̘X>a>[jY특Ξ5;<8Z{P>k_ޔjKO (ק+FRAhAD(ǗuEԀl xkjKII?;\%~7 v@Int k EufÓuKiHDX:,Dxf@p9r0Ƞ=/Rw׸1Yl/oU` oX:jBA!?*v @ A- =dе)kSؕR¢OX+jȀצ=UOGDe V^^^I5RU)u/fr^yrd Edek!1Yn(#iiv>YŪ7n΢-ADjP4@HQ 8o*z5bTǻ?b1cO7Ў7'M-N[W$-ܐ!wةݟBQ㖭Y6i\] AQCzX0r=ðᐬe5sZC ۘAAmD^ R7$^AJ҅:Ux>ѱ{1pB\13)G8rxǎIzOaꍛhKP0 hThQwT~z6ѣz $ mvEӺ]Ӯ䋥ёKZs럿v8˵{khH! o>! AZ kÑC$8 ypP0g@K!n?k!~ $p X]b0 $@vh6Юv4KQ @]h *(Zm!ޡ=CU;~ E~krlw@H*V3nUǶ7M0kQ}}4 ֬p=@H RN#Gi~\D A&v=L 4ў2uY{OUON 3]-' ƪނI٠|7 0U`ީkkӦô4!AsS%?O \c#Gt %h*ziS( $Ъ8]\T )֋֭ .*=EON;{T{VfM̺b؉~{ǝ%Z$ܺ~˳C\pVp'֘T[TXs09ͮR,%XX3ʹ{[8&yrh.koKFIE9YW(#$J8-8W|sxy)U^ܶ& ,ڽ9K/nuUЪj *dxT#|h3d}yFkU<50hC"pm4t\;6tf]@+!羅tϯN0x`z(*&NV.l9E~4z'%?(];Iiˇ BVW,B1gdf̘ł V/_L_\ܵst$@I9Xu/=dz >+9# 4 ";6m(YcNq؟y4w/$@Ii-͐䟜>\7]g4sZf&TWqEs?k)ΝH $B /'>T&*(pܢIG_"{Rƴ#驪k#=KS89?gШaAcG}7=N\~4~Cg$̮k~^j9G =@A+nhnsKhI>AP0jܸ4BȄq.\Dւ{v >N( n0!f^)T'䃟Q? Fd,y["JAfת j[Ҡl8QiԺH 8=cI6S~?{{sݸFlMquz*,Ҷ[33=+܃9? 
iPc*Ξ/6Y3a^?up릌s{Cn\3o 0.Gr= RZzp!{֒o 1 =7[!VU,Z&?>=c`w,dЈA2A~9sP4 %F*n=iP( $S: FMjρCK={5̜G Li~-x(KpD>Qwu]<&۳w3@ؘؓ_͓)&DGClVX[퍬0ބ >*~鏻 i9X[&7%R䓵 %ƶU&zPB @I)iܵ歛ugbw=0sj"ޏ7[ԀV(dPzzYɅҔԔa@nprokUeSՅH\Wn꩹>Sׯx^zNX3^~@<4U"l# \bl[m' + $&K{/cDnjufL,9^bTF_T B{ށysgϚp=8wmlZ[Ck{#k xkjuRn?n{-[Ee[4z EC|cAv zFA /{ }\csLQz " 6"YNd' Q[#$jP˷(h?B3)/ IDATG8rxǎڙbzxaCâCW$-ܐ!wةݟbiq^ 6ocL?k& 9gD^ R7$^AlEqǏP#Fmn ( u}c'A3 ׯ=.0 :l-S'>"HVICH ?]LZYa4V(;%@;EQd FRQ@H hWIAҋVͥ^]-̹~;rH$@H;&BH $X˝C"$p @H 8sjyIQ1<ݎAQQuqV\鹂YS"r`;>+­+Cao@VhHNWC @.K9z;,\]~h x#9rC=@MI9n!MQMG#*oYԫϑcy7$| 8x,*fVϯPU?S!Eˊi~vG' E &h1Ϩ WKX\)D1Q4dX8 ҉3^`62̒6cpMQfnk~ŗ߽>ϗ:>ngHC@sٰ=mbMi}ÆQsڒ6ĉ>¥4 ZEgҢx57H'ATŝwGRCdu"+LS)nJ !KaH˘7˪*?5Z]!VSsa8YMӠ "/$\yC#9VZ_O~4XGشyUZ;0Co-3NJWӈ-*Qh/ղ۴uo~i2YiCdȠ.V7=#y>tMʪOO}??_J OTkӡ|P@<8ypN6@0rҪ!Rh4r%p%:Tu 7\ib7LAL'`N.7wx\\YWѕ@s1;Q?zTud먳dv\ң5P \n.qoua@E\./8}sZ:ٴ<%oWSEmhͬ Z Q4,'.>( 7ɐPUyXlOԏUBQN4rCʐw&(CUR(.aL{r L҂N6۫Se:CDSlf@_ QBf9뮳K//v§T*j I'qږ2n8.Rb<3^+ZNv>2)`@ ˥9 :Z% HXNx4: ԓ֩YK~1A=Q?^J[]PrdNږ2T-.Rbb/S8Nv>=Hv1,l/$`3\yd4S'[7_M}|=s1bH٬P1N=i:Np[T*㥴\B]p=նMlv{-΋kVsԊ)Qt:!iax-r9/M/81xznODmfqvIUx[?˵kWY.5Rٞ/U+ض+'#\SeVL1bi|2< %`5viiIN6wPtA|vR*R[Қ͊ڭ'mWҽVvJ]]_./oAKKjWIdQ`-bpZ1|:o/.  L҂ӜVl 5lw;߭;ȁ*9WAZYQ|ڸBsW-_CxLzQ1]R[_Ө%j k N%k`-bb|jSGR> ˷iN\|Q zzȰމE(nwWcL[8wP'-$ě ǠT'MTA/7>X` >M+oLOOA s.AtIe] %˽d! 
y4;s:W071   6Rۡo9';n G;@L0]cxvِ~&vh:nw %ç\ZVZ n]ƁݧgupOf)C|P[.GnO?嵦)) DNE ngfzsr$@},r9LJ(ӡ8S/\ZNUBJ83_i% (6.>!ywu eG_+!ir13]6oR&JX̭wSz7U^S\06~ɠM _{ctUMB$/RSZ\;!uJl\̌Y1OL3c3mUNUW^W,_"jwpRZ\6R8ҷ*Ԛҽ:_\Zui4x!?gc殹qb=gZr;'j7ʬjB'쁹5ϒ_K~9{  Kr9.a@r @W\˟]Ve[9@ \zzo@ZS@@ b|q&=?|x(xȅ#>*]_c>}@@9I\VkY;; W~:ÒˡC<@@ɹ墥UGξF/8w/ 9\̾bh*ZL*va@@9\)֪.Q.uh&sȔUYf-T:,bž S   +kUYjש|C G߂aF   ],D5wAV;O|~"8l   GSRޭv~7 Q4okk &5N-3rJc0!v}ˣGro?2@@ ^vޞˇHjK#EVtZ.hj:5a>C  =ۅ֦n7 9z,+hjlt#A@uf-l22^]TJlj↛EwG&`f.ߺme;miDJ˭  0-CMN eMqQl\|Bk,Ϻau,IOd&!}NH;2fygZY .+OvuujS[-'$tF}cĸSzafMKּnpUOJƮb\YE'JW]vUny-ZG5uعHM:nFPBD Y|D1tҒѡB 6#U>Ę;Frb4 Fk]LsΚ3h'ͨyk\u_c3vM^+~[~ݻi2vՋXܜ?k8P7g(jcU-_]]u]9x )9Y=T$']Uǧu)X>!_[-T8'O:jҚKG/Zjެn>RDtb V<𙏏6Vo+qd+bL14zIWD@ sS7OLLɦ&vm?+smZA˨'{{>dEkߵfȰ[AG?<=+mA[e3<A#MK+fg=(خ妣S:/Jmݳ3?^œ}TáN |t/ΡfA:nKt+<<NcctEUyG tRdQ֡AsXDdbD#. ÉA蹌[K3OKa;qHKca@ ?㉜DM-NvJңe]]ť|ڹÀI C$M8,b]Fwwj Z/K}xc)K:}nc펎ȣ9d8"3[&h?FIK| *7&*-7EX`{{,7/(|4@8r;~D:W)o=Y CjM8iӇŌnZ!cNfڬlWЁNA&"5^(\dÐ1s2 {`ԇ7f|=ӧ:;d펎ȣ9d8"f9 +Nv'warǠrnqQK8rSMxxTN^~Ҋ %k_PUl:qHKca@ONtRrk.wt\ؾk~>RM$Aڙh*  )f y t 'A,I_W>zZ?qjk77/7    FnP   `rȐ iN%prK@@L'`ƳbL4_:~5׳@ M!=s%0FhkK+˽`!JQܭD -c8GFW~   ˽s] @@\>$&F:v[~D "Q+EMM&L" }Fs]ZZvAiYiFG;@\'`f.!#cՕiwOEؾ~Z7 IDATLOqkO)n:~@@ ˷nۺrYm[~KJ˭ h  `i:mrZhh(}Wu˚ظ?:ehgYuqbX06~ɠMC흐:%vďϴ :]V;64,զ[*6'$OH/0茸ƈq13f'><&̀Ny p]3Ų&N.v: [Ck(߱sS瑶$t܌j$Lڍb%C:lXG }1yw2eG%*F  hL5;kf ONQN ^ſۻmmg0/Ww&yɚ}dױ9s\_pnY_Q7Z>f{꾻sXuUe#R2r>8zrS% HNxO릣S:/-|P-CmK['j7 Z+zqN6uդ5%l_ԼYSg7#| ljԍxz3mTYWV9Ębi|EThA9NN|<11p'&&M- }!7~V.ں}bںgs9!a!AAi_4][j jߚyã_mS2/5kQ6sqsa4bڴ+"n6#Zn::r4=;ze/A5j GGZyn0T& Dh#ϓN7?ңThA9}۶}ۥKCb{omמDl"2pCqw ߓ6(^Innm$jk%$auF䉊F$q P+6ND׬cHu~{6^@"yWv3`4PMSިXz{pn^AHa|dHK&:KA{G1\ؽtơ~IwEFD^8ޭBڹ1@ 1@˓/Y$wqntMnj/n;:d8"RE ʝ""^%?&vTnMN *4Fe|eZOlxw{X ۉ@_\2q)U6@e/&DNM-NvJңe]]ť\V;wv[9Ia\]ZLZ-AV+QzoL}ka n^"?iwHHz.7~ *7&*-7E؄Gǎ)P^Ŧ4袱T  P~r]s]O_I?U;ô4u;Z]ZAAp|PvF5`$}]tidꫭ>߸/|ܜ؍weɯx2uUOPELu&'    nbfi7&|m1OzP:~?ޅ?GwNtA|#f=C34J?`Œg1z71 %Hc rX ;A@@+ {2@8Mit  ^A+"@@@iNCG ^   hmiE.wzW\NOB^1?o"@yusӦν ࡇ?->X(Zs##SoT|}ޮ.~+&xr|3 %`N.gՆVK隗֖o Ȧ=;rBB s, 
ᛅNOkR3dP˭̣֠̌4Zppp%: x>?Ow]o{k֢l>b=q>2jv  ~F#%ⶶ6iig2(>RV^iXBV}:=xjo \oԿgz466_[]쫶^^_+Bo+9Bѹv +B=b܁;q+ Dh&DEE $ 3  vm?Ӷ%y*EDֽ^DOdŹGЩ-}3z`cFn-9Ӕ W=uGFFpCE=.pg2ԇX)Ph'NܞȝHY_(nL|(Xjnm@mzOgNO-ZOSSZ-AV+ݒVz^G7i6me?Xo+;742]X]Rut]eKSSB pp#ʏ֮wyM{g2d(u߶yys2fͦKaN~}xpJ6ZaWO~rz߻'=6.+#S*n8x?1s\|}h}t} q\ԗ8/{%@-IoJp4A@K@?K65:znjk77/w5v@@@ ^j-^BNvѡ#徵dP   JJ""\[   $\$m-徵^P   JJ""\[   $\$m-徵^P   JJ""\[   $\$m-徵^P   JJ""|HLc" l}ef)qM[750y[B%圈n.v2pEkW7WoqB+:1;\,+@zW`/sr9g߄Wtuu⻛s;AuYG^ãc + Ivu".AufG:C8 nn1>-1@ 3kmxyEYů,%~<Jx?NJ˭.Mmmm.@g DEE 1qr9C9&nYr.OF'I=.--߱{ҝ5?{iO-|B]1gs֞ NƺU+7jg_C^Z{ɍKO_/͟8q;-clh\\Zv#g4 >lT͂h_}sَM5&fI=\!akA_~tvM6 )+k^Zۃ3*.)S B3,hg*&;E:9P֑^VseՖ;ǍWtIPPR a ՃrMxpp(Tߧss |A"ekVf֢lW46Q5۬AAUoTѮ33؝c'NTU[U}Ջ^:5xpyܨ :(rzgﰼܜg ^YSx^_QBWPG&O,X_ԼYdoo#"*kAZ(BggHq*~[u-VKŢh5{m)JE*|YA-o~W-CPɯחW?llzP.۠ .}Sk67&v kۗ8r\_[>T;Ԯ l= ' :ߣiSrl݃Ӛhb;.{y^dR3dP˭V:3#GMid,X%9D@!vAԯz/kjhutҏuNh6nKEju:@ь=;: ;Ʋ{ 8D\N';yW 3g;.85=ϼyz6˪*?5]{FPdInW~Yc>}jWtaM-t=?vl<=.IYPGJlOYF!&:KYćUDžwԬ Æ^FfKEtrW>Iy< 裗:{Rv'`5vV1Nٻ?a>%2"{r7U_AG^Yg >q,,\.n,Y$wqnt^N_twYS'RǓz?Tbx=`']{ݥ^-öX:X:'=ZnRZJvah`|""^FvqQ@˥R&ۮqwu.-M5>W+6syTVUmk渃|uQ{{ݒf}d}@mzo [VKJ^idY^ .*]&-b@霸n6K˸X7iI5k)Qљ)?szjѺ쯜3mEy Z+g- 8(i$4pmjΘ9{bNfgHg8d$<<*'/?vtLiņ/s2fu %` ƗG֘VLnӓ&N ㎬8 yb'NU˗9gT()jt@O$$ `:ՖH5k)QGЙ)?ka vd '(A@@ONtRrk.wt\ؾkY:?;vnOD;iôTδ:WGn%A '03\i&B3,ywznD6NpqbwKt~ϒӭ#ک|ο|r:/w}{D4:;\"O73:vR>HtpƅQWBԗN[#" mL>ݠ88Wsd@@wO.w,MNٽ[@|_]cfpWr~ӓi:y*!y8ZnZUiujVڑn@\[̤ΥKK^,aWR47"T*UBuM.  
~I\n0A=g1Ȋ7}x=Pn   8nk0?= b  vI9g S Y3k?Tsz:Y鴗|S1'1",NHOOФg*:ҳZ^};ە{olRn E)A?gҧTײ~B:}޻Z'LB`-:S\!o  PL5Y=}d,UW~z3mTYWb@1&/ p.jҊTſRn* ~Ιꦀ+s\_pnAg|te, qB' @@ ˥ĥܙ:յ\:(5hѤuJ_kMVnc9F-1oyV~i*,]+Bo+9Ȓҽy^[F4 dSҲ+龠Gk[|5iTSB% [`2!x1#ˇbb8ňinxk卪깙s?cj>?ur  N\jB}WAtڂys(ݾ4]d* ]f+ ^)IRu¥T\ܥhܬ/C6Uv#$,ĖΟ^`*UIa?D^t.s0@TT 9  H상CYMhl0 ھxYqLԛ,QiNe:+W,v$`N./??cI!!!/|ݲ$al?P?)#cf̝~.\xvYAظEy]]]l[}7F **"[Ө?ӌflqM"~k׮J"is[$Ĭ).b|؈*-())}5UBM(”iܱsc?@Ft9pR[*6ۄ7W$6A@ˏ~|4$+~[~ݻik2vՋX{Zo l8&_p.j)#dI>jIDATAbH .1đj+Xg>>X毸f( ~򋖚7>,TDRߨj }oWwzhC0y4  UݝBB j/ΧuY8}𰈠 kڴ+"n6ۮ-5C j o0$0@@t<-8l@Wg4~WBFgYΈJ(n^{]˭nnm l= A{2Þ8+̞%ٔS{ F+:q^^_+Bo+wNp¸-aTR|28S @,x^ꦥ@wƱwX2"}\oYtI#>=F?fdDJްȺ׫ ATBӉ#H |e4pŻߓFGR2H*U\)ELC0 0{NW_L7=]jV~c4vkui1mzQwwj Z&"%H]}S֭,Bnt *IINa}~NRK'zPj!1uA-u?XRgGS-FI>\*4ѡ@{鴻;S'&ļT1(Y 3CJ:~ DB %`0;֤&?9}X(f9 v+NPp $ĄqGVF9ifSNԒ𨜼1J־ ፎZ:yLfA$17s}LN>~;SVLuw7NJ.3w厎w͏֗EI?V;-Nl&0 IW it'A,I߸>zZ?bꫭ>߸/|ܜrOD|偳֘)@.uv7.`&BHD@@@ @@L$`γbL0'up=Kg ?`߫B.{/1  MܷA@@6r^?r   }{@@q o@.zp.PuP艇oiSH&x!Tx~$W-71 \#@@|roԃr9m徽~P  8@@@ A= &\   \c@@|roԃr9m徽~P  8@@@ A= &\   \c@@|roԃr9m徽~P  8@@@ A= &\   \c@@|roԃr9m徽~P  8@@@ "A:DF.a  MܷA@@6r^?r   }{@@?48*"tIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/2.png000066400000000000000000002363471303637203600247030ustar00rootroot00000000000000PNG  IHDR.$WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx} xEvL6IP | nwAQH@`- Y$.!r" , "/A䪁ȒLD $Y өI]{nytչN?YcrUw}eޙ۷e.N=CELI buokTQYp_BE b 8p-EN*|V+*p-6>~dP1 M*ϊʋxBJ KQpq6NN3ٻ@(*BXKA|܎x@Ѿr[zOܧh%\ .&m@0-b 3~)5ɯ8ۼΘby(.[fs))6x->Ǽqj͟^,{jQGc׸}18W[XrRHP[׍Ϗeځ3/|~baՁ.xrjƒ3B&2%'hY\Rx!G6y*$@1 9F=AM  7H+xUq(q\/ԤNMPRRK9MvyT %kW:v*\gKb&LǷ%UGz~|3yGi!q=$ 1wΌ[ ˡ9ccw7#qtPgĖ_<dɀq PX/TkM"EF8FEE_8; GjMr/U1Ob2kIo϶#99p^żvqu);_wjԳEG.U@݇j?iKl\GH Pg S,vdc񫶟38 ?P\pR`KQnOEz%ߟ|6lAAj0#jl5HOY KQXח&I^_t67O?stRTT^ЩCnw:ӝJ5Wfucxb # r TPt'|%ې@ !ƿd$ώo&ei;?AV, q:T 5JHLJbGU8=-s9#ϗh܁"[b矖͓"#5 ֞ xX)v8#cArևjQ͐$)u?Xb 7TPF^z8H01 Z.b~?fi⑍e$y`ȼk1UZ,Ql(pST-+/ߊrC}gIUrêmv|q|]}/[||6s8'?дāR9g7$UPo|g"d*է: & ޸ wNMv;!^Fq b \p{X4wz<, 5')x#Y:+u8oqVԬY:&ir,-NMLbOEO5M<{N_5}IKp[9Eg-/}7KC,\yJb;a!`т ?&-s'8-A Mb QpB[g+RgʃH4dYucX-F_&[k"/?V[UEg#ĐV>lRTيЫ+|Us *9~;~8 R~Gt`}rC ~W6wDUCWE"b6{Xtķ2nIWr"J*b Q,+fuy٩M]ʉ{T >2ȅ1c⭃QYV }jmTQ-~Ꮕ TgKqipWE^7[ݺTz ihB ZxMx'8MWe腕 Vq lHLtԉ'^L֝D9bֺ>i1`?I> _"(-F" `[0x~,ςc^U@/b b zZRжG b YVS;󧬉b Zg, 1@ ZjS1@ Xb j)ҁbh) $1@ Rh)Oi1< R! 
Rt3zݨ%5I<Ν;ҪŠ_ؾCA~TGڏ?:h@pafSi.+sv&o)~%8nSr>`Ϯ]ʕStHz[\\ =aThXt-0;ɑb4ADjsїFQ^40d0+᮪{U]C(r۵Wﭙ:kI6n R3{/-Z, 2a}Q`Fhv&A[%h9Pdž5O>*}ڭKYP n!W#K#\_uٛVg0k sߖ^}x_z 6x?9x|U'N)_f?lߴyQmr]6O~DaruWY3ƎwU+Wnf͟}f;w^-Zf5ogg0Hn˗B-!F(1`9y}=t}m嫗xt DcN&6J*G_JGJQ8h˜4~D̞eڱG5fgBdcΞe#eo΁}%}A5?,h۴99 _+yMhv3)WR }?~fN/&cS^^7?68-$RTz1X3'Hǣ)k&Y2n{QQQ9Fqz'Od˜<|̓cw݃a I&׫8'\ ®wqLض~Sʹ3qӃ1@AsޮLEc1<A:jC MJ: (HQ8rJa6J=[dSkn3_ʊeۛ6m֦eXx ݨ-e c Õ RR: Ž"sKc03WsҘ˳M6|aj"9G`ު#!3QhQ{ |Vh̃r k6@VpXҗz+ĩAڷ#g„!6Kas .YtiXFwQ j !bQVjaSD1 RT"3E"4፵}/7I [ktƈA#$1`CV_5* 7~!~~/Lf" &R}Ct(†OVa/y9SKkKj`5 jE8)m>٭`n |a 0E l0s7:qr7=018wҳLZd8+->hP`V``T5yP*6uh+L, 2vQuvz9ywg;u򦵯{2_[8-5Mpf,IG_,JEJjR̚|a(4[I[Y$e<;c9SL:eS~Wõ~ͼ%-ݺvbhRAAs beyU g']n`Rg{)oa'Gu3}.7$i䈸[oܧ'ovd X{vNҶŒ{)h?6f$Y{cv Q`3<ʧ}Mzq@=bc*3-^i S1c&wk.}zկ_a3 `ᤣec8`Ladh-UgT+2??כ -pRQkՠuR us b]nG'M)AݐuC^6mibaK ne7& A  wy(}z"A i"5Qq&\:Y4j $pQ~[ dDE  o:p ^޻۷-$*9GϘ G@0*&6\*.$B,?(nEA{uȁ(h —%CrX`a,Hl3H A Āǜ'9b ŠZ\pYQXM8J PdΊBq31@ 3N^<[ܝ/,i) b x!F] C`bGh) Qb)h) "1@ #RN1@ pXb ‘ZqT)'b BZBj,1@ -E81@ !-E!5\ pdpUʉ b.K @82@KQ8*D @H1K!qԩzYRnr KVtP!@`Ҧ͘Z\\,"U#-AO*.3O[ZW?ik0jZzuZ}%Kop~i~%@6!Q&b%5I'鞬=Y-++ ;__ ۄaӥ|Ų-ʕStHKIM5E<ܹk)Z :,|ˉ!K m9gl@վ[o)ffj=7)"2POQmkVFދ`& msbPR[ 2~0#|xǎ+PV˕%cQUN 뒦 ]RsDžQ|L|zg?3`9 90)~)FjCtcF53~tD gE w~ dhTh;>:~7 tKO¾eKӑ2#-EnS#_{]?1zmZmYKޗ^M!šW7mhW/ό:`?ݤ /޴zO?PYs_\:^@G;9t7qؿgwC[f`"g6a54oC `)Hy I?n{>ֵ{~j*nf͟ BO:'|u+W8,~b 5 1`+&dRWf'#]XX.X;8`KmySSTs[ߎ5z`o?"т}<0`.t@pt+&t(`pWjĮ:jIjm;m i]{uYz łǞwAee&MlY0oG72:dhOkqY|IZ1HwzUzL;;KѯZ4A" s^}0T`SWO^^b R (@:{+?koAqp|xzjN d1b0 a " ab,[,zai\v[K–11.caSjaaص1c};wܽkӫج61.O1/ ;#o4 ib:+#"2>ksnMt|Go.1c{& k  .XsVMbsO_uQ!ht\/Uԡ_ ҝWCG} з ̺ؑKAʃERHX X`P |K_ZחXws32ގ+)&.RE ,b" m>8b\v&K96 8&HmͲf0e 3/]/'Ymphs ~S  GABoi/]/u񼅋RZ*} &>~9`(`Yp,aȀ{̇^-L׿k-_+^8A[8J3;3,--u8H_\`ޔ:LtiEU5x@/<|0,["b +,))]Xh*??O\+ڍ۽sG-߮f^ Od,G,/\h˃;&:ёGggL^0gviw{OO}VIHGlݻugI iN1X4W10= oO}z[oMìiS>c`Zh#uGU~}i.nڶc#F6V:Ĭ1"skP5>25lH fsv3ȣVf!opb,fn߮؉SڶX|yϛٍ;1Uc:kb lrr 00RΥ<ѱc'? 
s+Km`M6MPpns^ҿ pL:a41_4 nc`{ܶQZˏ7L z@-d-MRƔm ޞa²"µDt:e1@ :(̤PJ*"\K,-/ԮnW61@ g "b#tΏkb [ Tv nk[K 0ZdiU D*ʫk*0I_AP+DVTR˳eC.XM>-pV ǕU 1M!}Ukyn]ȸ-X:VN#R[H 6lCGn׫\\f6KV%^a`dNh:R(PyFKINad]lMS=miI.Yi٬RNheN2z0̥)R0lJ{0զϖ"1+i رLJ:Q-[%\vxU1( +*pHV8P271]( y X)ᘭ:)p֙Hm򦗗ZeΗsߐ /,`.n^9kɛ־RIۺ}'ԨdUN >V^St[ZJ޻2x?e<^M^ŀfyԐq̅K>U0l99Zf@k["!=rBp΀GϘ<7Eabå/~w8O Ph):r`oǞ:5OB#ȉ"bu]xKsgOګwMq[Sq=XX^Xxf'ue$0]]Mm˹-eiKNB`M w" ,a8V5'6j)UFlTHw) lg^c۷r8f4?у*\LPTW0"2 |*k{ C*NIMk߭ /|i \kDLSM5EN$d}{4d \ˆN}ҪŠϻJ=YT8mVb2c>Њ)x7WCM3gҢ8̳T_9g.*o !#5'>=1`\E2@(#HS:3m/EX 2Z K"EbI+͘٩1z4%IMV0rtsUĤ@6S? ͛RA͜4J0R[]sڜ} ` BUS:31q,SQG-CcR`yH+`b4=B̹vCij7iK9Cjvs,eEt C V1"s8Y{e1`\ڹC5N̔6bJؘ:R0: Dta}-[4ccuVyc:lq&˵^4uBb K-??o丱dk=S$ ԓ?մy3*k0r{_mWdq,IBHY.-]{NĀV!7Cns$!L x| ?ҧWiyivzGy1P 'FK^1k^argܯoxӢ~b cOO_Η9~b b!awFKڝ6B(*N…0!yʆP] ({L?'~!&să_EKV,=yR^h&X,RKQ16LYxvV-L zo`ج}K@,e!JesC^[>te ubF[ l.1DiFÀ`։ݺ}߆2er L&4{æ(+ws\^⠆TMx55|U1l2siUuՐ>}{sP h7eOyPAQ/DTcϪr&`֑49\EDd+SٿaT:!*lՌ\bW"xtṀԹ\ +nePb$H>ec>bpC}#K5_oj1(3 0X;p , R=}곳g36en4pߠMoo2+`- {V5mZۜS|xs4;Enei MQ/DTc2,+7Q:v#t8ac&wLhM2S7 )Nn::cĠRS`Yo޲k7MiQղ#-;VMϪ$7o6y~~/Lѹ[k`Doz!&+ʙc֑bɺSU9usb` / sa[>[æie+P-AZ{p[YV1s_t! ~]K:v#t8I3kiYov?/UfH bARUʞ/Eڍڋ3g:y]mݾsSC(zdY8Lߙp}WYy~haoF0H[2|LĠ\Ƣs V+]֝"Y<&XXXtHP^6-cgb&:(+Hة |d5R֦NaR0QIqc"\vyxp _Z6zC2`t[nm-Yܭg7hֵۼC (Hk`DX,_C-LĠ\Ƣp}iM urȗ0Z)bpx,H#1e+ir' `]R+ÕxA5եzQ)e!b;n3K#Ŕ˼a8czAKEE,׶nz֍Fn+ت"KKN;Ccz % Vdi kbXtC/9V"Y|1[+Z <Ei2l%MlK*KR(ۚB`R)pA?sCW"9ټa8canRprSΡ =ɅtࠐPejm 8p>jPO 3P Jն=5p͔ Tmۃm!B1@ 7YT cR:AaYx(8zB#R[@2 A=2aq .)6PQ1xK6ԧ1t\@B{3O[Bi΂u'II REDvCn9)h47yRLætܡ]"ҽ4h3S)#n254ApTMnXݍ KV)4vKPi" nKŀEUbBHy<ت{d. N|.bSQTDmzཙ'Vl90Q0g!eH`+Ũ8BsD+nIq`H9v1+ 0 )Mfާ Q ~gok; 1IK( (80<(2 Q o[[,Mi ]b.iE EoҤ0!̻- D0`}nP Ĝ 鎏`M)lh7ĭ"Zl/En+9z\ZJUOF!R2V#iIEEeTVF|b@C+aBK 1l ;+JP$-`þ5'Fr R aS80i Y%(/$b'眹ۛ }{j1h<ig!5<]r1ƹ"){cƉM>vf+&r&Ex`+O꠬>KqxH X/'(ּ7@#b쁂bТD<9q;qۥ+Y,"ya'd0+E95̹jz 4A G0<. 
%UJ3b [v0Tܡ4Hq+%+*8jfr8~ؙxL*m[T R HNkg%Mn|rb0aD秂wya@ EV;8 6\ (ƀ97W ᱸ {AP$(G0<a%M9/LiQ"ذ8?9Q]B ֡KKwpslPQcKpLVOu|`C1ïƦuF{,Ȓ?_1Rbt1Yκ00oVq-o:HjnSa0stb+M/AP)l3aE06Og tX!Х;9VP# E95̹jz ,AQd l*ZZ\~@RHSh%5 hhs)9V@\D*[d^Eq ~QJʾ&5Cb\&K6l 7Mo"u+`cb\Z5LZ=g2AT `jl#2Fqtѳ4]~aQ0T7i p.%ǀӊkHeKӷH9S9-[4YIWuxҴ[Hd)MsQ" 7W߼ ~֖s[9nƼwQcz6o4!kj7v9QvVAW,++q%˖v e;jVryp}N欷]vSwӫSNp(T2q*urQs!1@ @`)1@ ʀwСswJ -<]Q7u[ C<YXpBv\gdf(loF*l,]2uTn a 4kf):}_-+`06+r QBBtԍVQ!𽰃L n kgERŰnMĪZ L>Epڜ wH7{?i,Dmu~x-nnbАp=ì>@y.mj+RūT6h7pe-?hzqT\`.(]sXӤnu0`s <_l_@W3@NU N3̘C`ɕABp@C`Jwmnz B@8NizP+˘Y"쓃/^Ez`8xjLȑXuCZIO1` di,cq?n{>ֵ{~j~-ìJAy'F:~}V@B&̡E ٦ttl5R K@ f̃-X0" O+YU7VR1`XJBHV61VʥuCG<;ܖPaO̡8IJFGsXbT?i;p00R8z&K"D \5XڴS.4kjٖs*۾@'-̰҃‰@ŪX%CX, Xc061Vʥ`>y;|k(dV pfsQdqy ?WA:EQ?=/Lc tD Mdi h.C1Dzya`y)B[N4k *wTT\UD.c8g]̆AkKHV0XU7J*J'7XܹAR`mbK|jʪvn c1,> H簨 v0  ;#\bPeR|Ͻ M YV]̆e+oqX&O|€? W3M>AH'4Ͷ?枿1 }ji9" 79>݊r-ѡim ~Uʴ8sW rFiWzs{ 9!] )X1@ 5@^.((1@ @2`Kщb ZoL)#b BZBl.1@ -E71@ !-E!6` cSʈ c0K @1@KQ)eD @1@KQ %b (Ɣ2"b (1~ R~cJ1b RbFpb?h) 1b1h) #1@ ߘRF1@ ؀\b ZoL)#b BZBl.1@ -E71@ !-E!6` cSʈ c .+rv}\`׊o!~fRǎ˓vQ#1@ -[$[no)bP&1 Ӵj֡I}|Ā8{|Y_-Ep>?/^rD X``#[aeT!X60i @BBb֞֗"(P#Cqb j~):v-WƚRqAb'.xynλ5Uﴛosk|ąMg-xqA:E 1 xuVt퇼-F9Z+]᝶:}tv֡ 9_ X-H 0f%7oZ% hZIuʮ^׼:7*(4T b 8j)^,ɹX]K`?ZdaޞIsڐ{cсg8K2heg mZg.SV&@ o_pQ5ih1e !h߸̡cm`^y,P[F'O4,1<zϐdž_+ap$1@ Hj)j|[tLR N෢_~|l(ڿl沜wWx*mE:fpDcG͂+3&M`+ @h(Vd_u8sG>ݷm6~ӽn t ڡ#>ѓ/-Z3aАa#G<{,orW9Mv[0 i b@d5wtluNNKNDbܤ]Ƀ;7ii.ݑ#G@a;5GԎ];@>rHVеays׋>y\gT5g"=2Nk9ǎq323n g>?o {?۲UKp'LsTS#1@ c_i~WA JbZ' ?#ݦ;ޜB]hm)ܰN~8W%|-wZS+AoQ`hp{vtD9Rۥٻ;d¶)vO_g }|ٓg71aKA@.#BJ ~(3DGtm 6G vP;y垟N5}9Iuj6-]6|rRpD2/?נ\ZZ ?A/L:L1@ "Z挈>] T[Xr٩/EIuk2 u+554{ rCf=:-=Զ-Kv l@6m֞,EKQmeʑ@<2>x}a~?Qnf   URlX*ĕI ji L` 'ٯ}u^RKHvrm spF9|JC+K&AߚwK.$_8,<1)|+2?8gh«O'K&덯fZIsCGEr1]'O ` ̙]'2N Ϟ>m:dh=~ w= cJa] Bߠ)g | V]:93ɔ`QQQ .\+opBچw29ﵞ&7UWWǡ:+-Վ\*IY+cU\+'[6C咴D(Zjc׾,qQc mfBL=/j*!׸DM.cx=Wc¿AӮ4[~ mV#n-( 4*hr - ҇=-^]K.wsg$T>=]$GAK|@(:WgEUqF_ kq8L7SqE1Yz/"4~S5<쇵4mt5g~f>׵_:'Qy,;D'Pj)*lŵ`Ău-Z eJH x̀N?x3 }I6o Bp`7hPMxD?Z1?lr+k`5WMUoJS՘ 
簔]+=c*CZ灭kgriߋ.$~bGȋ`ӏ3]MwhU}fbIG ҺEiݺU)29'+wk\{}{a-Yo|5m c@ư6J7YƄimvCiZ}bi/Ld|/7%WO^FŃߍ"V-JzB"x@weW7\dn~̄/#=c_vqִYPuk6-CpEKn5Wxƪ԰j̰+vr pاFzu{=sBOT?'׬Zc*84Ĩaz27TqT ,/e*P.'XKmWq}q֫ :{ 7Op!/Ol];|hIYFb/ I_z4WGsāW訊bgf|w|ȓJ61 xQWd<;.HiW؋߱"b=^VrOU\L^1@q"N 5@pV"1@ >^=mA>UqB1@ Vy vsB*K @h3@KQh'b  7,>vp>+  cp7&N<ŇGkv|#5zQc\XOZr)<0;Mx"9OZ'7+X#r;OC??9<5]D*>[żX"vZa5Ob-@/pGj6}tq򋓇믷z<{<ܳv FJAz:~O+<[{F tHOz>9 F1v: +4֟g<-8mj슗F.(:|ݬ1{->dࠡPBŧżXj)j}/I'*4 sw2~Vj]:j\Vj%o7 Y[)*:rV\6(@ox'`BTnO̓ WB'/,*Xʵo.&|1\ămїEYX@;|;//}ßC oiqZ; xg3ln(57sr2p3zj{u w7`mݥ߰w9K/iԅA! +<뼯>im[x<2%VJ7~xDRx5?\ o yoxnyꕊ - EE\tOsP_o"v_|;kO~z_ǮX܉(фϙ|oD[j됐ak[6弿_ i{ZYU]Zo~XQ?ޱ*s~K%~EV庡-̏2فϪ&*L xeePle &>=9T<'(uw;{}-xX* ehqzvu S3K|z[7k5q?Qߕj器giy)iU_^Yˠ>:(',+d7jf9f;3ộòd86#Tjج.j =d] 4N*5W;K \ 쌪ZY.$<`~HIIڥ=olJ#yÃ灾CuJ(ZuQA|[jflk۶mQ?zjS)UyU]U°aX{?³!e4; 򢴘{YozzQ(T;*۴wXp<:YeāTyePR46qu?Y Q:ivYuu \ X;(pW\VLlva)6W3pBHE套~"{(,A) Cp'qY3ѲV(\)Kiޛ[m,[Ml2Cz{y m+{tD5 CD$˜1"<`ߊ ~֨v_ߊEF72|]Zz֧R/[oaE xK"p-,..ŃY{tͫpsq7# ˢlQ:܌ocrDjNVr !60S5j 8\P'j ~Lycܵ(CWJqM+(V:xGi)Ջ 5,K7?+F{S_ .yz?OwW82=g=y޾\2~=7#Y;0n}yQESG9kԟCO?Z<K.p!)Mq_+ ꔔ9ؚ[Ӵi3R?u&~Z(ȯWG>b (jJ׊W¸" n*+q^b j8>o:+R.b 0oE ":8!1@ >af"v}t''1 xrߺMJ?['1`M[ Ȗvj(Y!|1@ d"*?e  AdB Ā xrG=ܜwWkΫ/i7c&.:5.z~ւtةƑb )^_=]!/>BѮ;nʯk?|wx4_gO:, =VeF1@ -^-E<qZZC+T+1>Q^z?a,4<{,q0P b l1R^,ɹX]K`?ZdaޞIsڐ{cсg8W@^7oFw]Zڌi3>=бCGP$}2A "viFU,hv̄/Z4Jl%2k@;@:umTjx"y|( gcCCkJa^bQZo)?\ᷢ_~|l(ڿl沜wWx*mE:GGٶtg1 ^p'}ydOzb)_ʶ|qI@CcG:Җ3&M`+ @h%Vd_JsG>ݷmg?鶭MOJ9',|iђEܜ gOMj2n !m1Z xA  i ѩqZZh 7ieWx ~$}͙='x"cL'ssԍeڣ.\.V ~|GKkk8Nc<ҹC;ܰq9tё'O^߸Yȅ|x>g^e"3W&nge&K2ڰy!oi٪%'LsTS#1@ €WwНlEp2T{*uh p2tr h?RSFx .$$J '4HuKtq7qv[RL$pqW?{_^E{&:lCP$"EdlcHFQPðl,*E|.Qp@eEb   |>uoR]շ9TS~7~K/$߻sewa)}Y|$zb7ʆ:ܧw_LMظM`Go#5" [j|\!L_0_6CH6ENT%evu4mܴ/(,hи)+ަM+W@Cf4oM#ݸic͑ooM|1F?j6g4ZoC<8g=VcTif5D!x7Dk$@bϨ=`ϩ !5ASiхR|Romxgr62ݕl.+dWa1C<56s8/`.yx afoSgASڳw_k!ȇFN2 b19 m/RVVGPX0ydr7eB) EFJSKXW\z E-4^cĸDd:&O\WkIV~aI̱lՙM-8h t9gU_XV]781Yc}N]{vҶCO2]R~qɋfJJNg:󳁹\I B 6_ҘҊc{w},<_|/b'FX΀Eu0ŵJO $p԰0aq [+0!?`hO3kߤ{VUֹ(&N_T}s#%?8ߕRǸykei$B"Uvb[M)B B@@pϊ6) 4;WJ!`AB B,"7F!`AB 
B,_kk=SgFosJ#طV`DPv㏠BQhY\y3x;ڊ35V@D вFf,b{ьC8 s B O쳸:Ś$B YHX\Y 1'5 0~뫐a%u>]}ڪu vɕDuIMYTa$b$!P*J^W2A=\ȱ0/p,&ׁfԡÇlrФU2*IZE$!P*Z@ 5QӧwVJ H| ZVMkʜgpN<%=?CVeՔ&J3E%EFia E`qV`~N_0IrKL<:ܤs$y]a_~pfug[{Ymd8OC^xq9R۱DXsAғ//5zҋ -3FZ|~f;,J|枌{խ7ёLAI13 Y{KiTbREuHjS) !G׿̀A`MK~,-/ە'ѸHaخ^JډPGfmн'a]sgcROfS/'}>/gy|p_Ec9PW +8[q@{[71I(-3A ֢ Pd?`ApNӔfɐ9+ '3눂U_r)[[UWߑi1gLh쿹͕)OV.tz-5%wGd}[w$;nnM#;6v7mNx!_ku(k;Ǐq"{L00(1f+7hۨ`3r+|ghhT/+ԞO!Zߩ`Of|A߂`ʞBԟ/.>LAVK"I0YױKG)ƍ [6޲s χ糭xYMBn~LPaO~37xdTēq/GJ߱W\TTς5#7fC?]Sn>/Z\beBD@}_}_{wJv{UVm/b:`*UX+'I׻Hu?W&c\un oa}bq}\e~02 yB"VװACŗ <+N_o@ERf')qR p~3B‹Gx9fR<=s63dc8yvdqߓސtϠ;tM7)EZ^=kfn%yO~ch ;4Kҹܹs' M2~mon۳{zJ~v<|y+ع>Q֪B\nоNE e 3S=.8qK O5Lj{ne'ON1z=(R!` zCaL<ɷtcOfXBcqT>*f ƙ-V?,hHLXWa'JjsyB  Y\O{xٵgזmF_JVMJΜvoz_&"ިI9A|/A,kC6s?g5lBUuw$?AY\OO Fij֎Rr-`ۏ%/yN~yY(yS`˳ l(N!P3j,El({'mdJ6oCt917Y`e`>ڳw_g;m@>dŪjnOsvWՊW oȯ3bYc)1+ ({uO+?v:wFY 3b b &|78 FDH #ڱ7&V )/&جSƏ7((mBk2%V7L| } D׋5S0fZMjr;6 MԨ )#%oLL];w6sݠ{'MnNjcP0ccctb7rԆʈ98 "aţ̰dϴpO9 GxewKٮC(X2(&.~]mzQ˨3?BU.+HB,);uA`kJ떇5cz']QZR͑pO~WS>]ݼ5o @@hPa~ Ad I*XS"1_~Rs֭Zo܅s8y, 0/zxWɪz=;\I,Jv0XvlÇ wnyұlxvO Gw:۵&ߒOL%B 43Ef[}=N6myXU3(F%)&W!TD Y1mE(YОΚ1 RMTY l5I19@l yƟg3/ >1@9r/όKvO̘3|1n.r Qa jB|"@T>-W3x2G$Xw|+ :Á<,.Q+[ N=l^yU, ; S3O1lL# OY;6s?M*]R6hܔ5}tÖ-_߲䆿bFB8}iN0ioUH,Vz%ڴ`rU>d]>W}Pa ِ;yk|T#!AqoJ=! 
"Ixl NeY5,1(g{i<:l 7D&$w18=^aoooD ]4,tލS^{]K{5%;9l;rvرU I^*q9z7o<{lv<'Lw曺,14/H!y79z=+P[EEq/Q[Ll=$hj`nĀETn.6>-4^`|Z`l8|^?-6,݆2ar;z T؛{~cxdUZ4)&jEM)<=~{o A]gBgEOgfstT`j݁e~&d t/_teu9x,n°6F[󛈊/T)!f,fuzp|yde+i:˭ m!l͎zxg\;EmGkgXY=.%Fwts}woMI۠=Sɓ':O2Aik~ҭKYy{Ŕ_Yʴ'&.\dr~{G$%kH\/u֍^uvR8wA>yd._̼?(?GpۛEq%7bnH&€@HN!`p[z_ECn f|›ؚ:I?ss aZ<[!l^oI(`dFZ#fqs .1L)bWfN٪U2S}[5^oQ5G "*/[860~C#sElX`8#3a @[Gu!ugNph␧R7}M7a㰘&A ]X\6%vsU>`l]rޜ;w4Ӭm-~’Y)ɳNH,8/9b/b2'&yw4EnU@P3k(3cqW̲?~{h!5aV2_~{qbt5d!<ܚ3`xq zf:5243232M_oketn`F&:'( A^6/o.ۿlL: o@^i 0q,\pvn`mۡ-a))˚9w\fk c+ˍľygc Cpc"q<$!X7y~doiWz_}!q,g@!PS*66# ~4z͡ȞzGI#oC~[qbc_ۺykzHUӧT23N}XL85<.'E7ʋZup/+//,$l\xx:;s+qQbGQ|Q3(!䈥5M$ @M@ Pa$V\.ō^H'WQ?=^>}Q/Ʈ~sֲGAlk ;[4ڏ>aBj+_Yٷ_{c8 5 nƇ7\QOKΞ6oNUё0k=<R@X%p05 M0#qg;iC^K L EƒS?Jn}GAЀwܰ ٖ|hbLM,>O]̳@fvRnи幢" Hj'$Tn^[tt5j%W¸tQ0g|3{C_U+jUO"Z Wtt5 BQ,MĪۺ zt{ ʺBn7>1>w2kջX 2%5h̕Z̷+)+SHSߟ Xf~oF=ܯ30BXGL|Q~V.xsmA2!_~e`q5 y%KڽsbnU cM68ٳ"6G7eҔqc%7K.WK^.7)Ļ=oCQge>"*;0~œvfP'O3]z׼!Pc~9,p3{ꁟ7V1/Ln4hx; 25q:w.swf+5&"dy_-]ZӢûꔀC<hsmel; |KyR>z|n#}B"T(sk>~e?3&8RG-#!ikKlָI$l9Y)Pp}a#n>,`YD 6xQQD&^A~6>O>~y[G޶;^q&ade"S)Bq@PJOۤ#†7NqR3?/,89<@M6nb̭2Ϭjmڴyqȋfqro37>db]ATQaXbAU9c V._Ss|5%]q`}f>2í|ջbX67~(3xE\`*x~G:6~5[=mƎ&ΰf+t p}IMψJ| 鼙?޻Wo=' BX\(*3@Av&eo[ދG.[7һ@ց3%7m8`6os3/ssMk6\מ][>po>W`={ܼl?t,sK:[I YXXظz2LMͭY %q (ڲq˙BS],kf>蓏?y;2!GJ߱W\TTς5#<;t}~E~W[D%aŕF`fLŵ %n1.)Ѽ9]̖6I:QpF93ҩFjr҉BΠtX}0 rKk,7ȊV5cbl6[ȇ7&_gR bֳwM9[Zxk#@.DY 3\UsjG8xE{j&'x9i/;%۪e6m*% B *f nផyuA "!ٰ/ k3ށH Z&QM4,:W"rMA~CGԾ.뢙/dx)]>W`eil:vXiYpg6iҤLQ&UFXW=~eƽtFұqC_,kfkK{wqhdB3+-@;wJ1Sp()7J.9~s̙c_ {un:en_[ewJ,yC,y'3!@2[4YJP/g'th!`uDs51?`ىq W\Ʃ}J@d˻/G5ٙ)(Uxt7iZ@t O6Y,89CS|˒&K26[oАs̑>e.X ֲ\<=kkC 4znӉ\ j&k&F!P*`qܨVޟJ1c) PJc5ƽ͍Q-MLDf`ѥsSĠ c5ڶgk;%%vfJJNš:vڳ[֯WҔ.+0Ʋɒ`źzy^2j׹^~tDkYE¦q*j!={V=]rv'B PǝKM#Bz @zyI@#@(;F@@BQhs.`1~] :v2wJd BX\ޕ+JZ?JZ=iBG7X:k,`IJ+;wD,kڍEmn:˗r_ǂoA"bqva,mϸ⊍sPNuYm"X\Txn+ޟYRT+'0 EˇX\=dח?ОC[p7E,~E¹d!Ȕn_ jVd:w۰q=A"'W2OhL`%N57+Y\}_LN*agVX\0wN5@Z;n!V E*J18Mźt,Xڊ>}V U{~]Պ[ z' M<ʍ}4M Ai3ك43˼<>%Ejvi+6{$K`U}|A 
ʢ''7{H̚0*pa\(%X\qkKoΞ*:۸A8$,Kų`ԥH"0W!U?kK94kl_^B+SRR錤cƌ38XJ|WͬSӠC-l@,XVXP:M)_wə׼{$k/g὇lڽe~VvqR2|$X*u[9}ȿjҢ23`OnСhn uD(.ۖK,VבX\SVWAQdC3p5>{,?&fqY$%^+O2d0=v℉))tFa,J7lX\ͷaq϶C:b>#9os#i:iT'k&9 &~=~G~yCx8`qX0$W×hTG&]^%eNY\02<,#OYY\)9cp5WFVWe>/˒&K2zSX&S|=a, ̢Eu-\$$5'I'nHvtwL SRݕzJ6tU '$]C\UL9w SqO4L|$XjTD,"TRIW\ɢuQTv(CZuXΔ.ݮZ9gTIˎT~֦!c IDAT9t$@PX\EvW \ƓMy)|:!0?ϯ|cUL,6TS1rc0kEOGW/m-MqS\`UՍTeWG]~U-J"PbW,[aȮڍ|4CG!"bq d B@cQQ!.R{V)/#_qKU%5J!@8GBsH B ,P( d B9cE!@aABQX`%!@P+$B +%Bp"X&!kvuqY|Mi/৶؞9K9?e8^Od M^惙{ņL| -Du6E5꽭m 2sjdH 6{Սf$$$x'Nac+F?:>7/w e^Ri1fF?"܏?BȘQu5p.>:1).+mLݾwб񟕵Z󪫋wVڱy붭@~!Wn  '}q ,a!hիX3%ڌi3Zl /4l""ϗ}QXp`cE6jnl˰G@9uuUo?9qy@XpAo>FEqЉB?_~U ]hDvnZc"d6`ֺʹlܳmK*ڑTdjJmoÎs._r,D'f*eT/FEի[B)8yy[oԢaGD-[Mmb23KBw2!4eC|u(U$ 55qݸxF?2z٫g:n )p_;v񁀤Lhn޺{zwn˙2坯:Zؼ=I__ Eվ )O):S8=S4|uӳg}5aݳ6|[xDt}{ "VH6a^u}}[:UĹ&M0^a+C`lt+>71YQt"5#3=ܹs߻pηKf0=ē:vߜ5M7jPkRSi&6|j5Ë B BCJ B !@^M!r(R2H! E"mB #@(䐒AB wP(ri!@ E! !@CB;H B P( 9d BEڄ!@!GBQ!%!@P/&B9B)$Bp"wx6!@@ CJ 0"0Z'ӄ@P%j@ErGj4A>l2!@#(9B ‡aK B !@LD!>([L! E`"%B !@(|ؒeB GP(r)!@ EÖ,!@8BB#H B |P( d BDJ!@CBQ%˄!@P&R"B‡-Y&Bp"G0!@@P>l2!@#(9B ‡aK B !@LD!>([L! E`"%B !@(|ؒeB GP(r)!@ EÖ,!@8BB#H B |P( d BDJ!@CBQ%˄!@P&R"B‡-Y&Bp"G0!@@P>l2!@#(9B ‡aK B !@LD!>([L! E`"%B !P+E9G>rIٶ7Ce'I'*SS=SR%z;9*MJ B b?ONwgC͡Џ w. vDT)!@D @B8fhɂ‚JJj@AQE€X}x\.0V 0r !H(.S7ls'1Ր! dz/!@h֬ɓ'\vp ucV@E[9f1x'f%\9#5B f53A7%wH(-a ruo;?*/ AߌF1q5 *CKnVq2S\#d@z%!|S- ' B x̹!2Fm߱ߞor4!7x;$> F@Y/t:& χxձgOG]_ ,3q!1*fc~qMmRizlQJΙ˚qYjT$KBZPDʩp!CB衣mni#e~г"(U}(L#D(2BgX2+=2H9slvV>zwTd}?juN@| x(%.B[9bQK­~LA@<vAiB*C wFalCF\;D{}eT B"@Ȋ !@D E*#B"@Ȋ !@D E*#B"z]ξVCC!@0»šV-H]B!P3h-܍0B&S:B  ;EH$e!@D  EB!B @H e!@D  EB!B @H e!@D p ;Miq bAenAgS5%]1M۷w8 w%;L W|8;0joJKMI7~\Einz[7ZFq`Q-RQ$̒s%Rպ9:k[ǫSGY-3`ehJKR)ec3M|9em+im2zrv@x$51s̜֩>豃9=!2KBVڔǧo.mʾ@Aew Jxm*RN+(X0|]cYVkYszQo9^i&Oh~p7 hQ9brCў={|qn~LxbԤG}'O|wf{ٿG:nuÇlr|ťܺykW 󞛇wޛBљS'#̇F?2:\Ik6tr(uj}^(q. 
5m%/.>1tӡNpo-+`m2˛ )YLEԏ??SǑ8eY|x-voٹuWk>N)%ԕe:{'yV#VXոME2p Zvٵentq O;;h%S~:k|K/ڰ~ϪQFb6ϟg9)xrv۽NDk""]>:|[ZCްq?bي7~w!}l춭&cP`I U6+@j;i/+q}cU":KH, )&NڥEF[jRi _Ҏ(=mSSupV4u+ baD .є#֥l,bA1_iC!j2Y#X@Sd/UH &mGsA(8Eaխ[ڵk_M2ګmlk^=0o<߯Scl|CNũ›o._ͺ߻.3on OJ.lr}8:4~9Xu+V`uuIڑ/,_j x䢧+|=HᲨ1 f.QCDg B u^{ge^_%o]-{@g B "B (wUO!@B (#@(@!@P(k B D.^QG 1+;g;%]uV*7J1޺v1xG.`R?+>ܜX>;i&A^oAMLJT_4dGeR?%hU+tU%U5Cھc{ PIhqJ6v1\wb;SZ@Y0$+BAv6noJk߮=>>0`O $qYD yY޷x:K(eg ƲW~tA.X,:A+# *3u*-v ۦʙ.%7,ϗLi m{tĊ*(%@X)ALuQ̑dAYIiÞsIlRke5VS6ᥬB}6o}SS!(p7gE_]@e=5u IZ/ƿ^Ţ%dNs$A.Y2k73T;s\1缨 3ְ|(D:Aҿ*3u[,sYA$ܔܬ!Neum Q/>ְ 56P.|ܔE(/.ֹkR3sIY]*JB.; DLZ꥿Y)已G$;< /(;B7tgr5ǖ#5C 炲gA}a5?p/^]JbJ[BWKE6E!QOPGYulJFe.,[ܔV5;|mt"]8NJ\_$3 [|T"l"Qkڰg\RZT߮bU*.&m#I24h*ff 8p:dWĉܳ9~{k2DV pɦM]8tn[^^L9ʞ /,x.^8qDL8lҬ.xv_BV^T]&A[d`ge$LI b-)'𲁵ZtFZUqe]eNWlpz2OJe/A`Gd',𤮥Jy)fIYV;A6uK,Z'*3Y*E/2l<?bK Cۍ9f0G~lM>VWmdFؐ\AJ@u^^gQzA^ vq\YxPŮ0* 8uRձ *0F` IDAT ,::~FW9:|:t t]AV=kk۴ii-Bq%:LI :dJĪ%Sؼcy ]ɓd 㑏f(<#Vy~vF-錜T|F%:$@PJyeJx9ʞ,X’&ŇW* :LGRѡэt|GPEjJA%2#0nM{Cd6mk5rAD QS`DU?o-U=W,˓\`gŤeҥSꟌdJ92kӼnpYx>n̕dega/(r7 +A0t傲gaa?6tMWz+ Wl*:]5()H܎5ԥS~y@]RD`Q _=@qQ-!wue!"@;Ǐ8<G,!CZ\K=u  Eα"MB *`/VI WDT B0(E@!e(EzB "W/E *b͏ѹi Ɠ𝊛6iSZw1P' 5 t'T/6өX@ *gf/[:[bp+(ע5DZ*/e"ʌbաjBM#u&@@ܩM8vŔX E1 9CGH9Bl:R%`彏-!HZYd)3np|3(+)+wjܶIm){>/'ۺ#yAߕzβ/)'}UUyJ@QoٺseIPF$tխT5ߙr wDߊV>A!Z24E#^)$5eG:"J(t>@_jb$( HI':;6}MFY~++ڗ{|$)$b6`^Y]q ϴq`$A·:PR;l 9nue]X)!@8C%B@7tx.V(nwͨHƨc/ti(:L{7f=*Z<8+&/^:HΦaNzVWYXs?b U" :e@e)3EXt@'mebeO>vfӊ>7"*n V#94^yp#rbT{Iòh+V8ű.XMm #RM L2&9Q= YnX4mܴJ3WcUt|P|B.žFnAkqҳzͲ5&岮C!VOz8h'NPqL'?(;&6E=9S]_aؘe~/QWTM(R1K9 Xf;CG%: VY簲l-+{V*WY)u jR[K :e@e)3Eu:LE;l&,umqէ8`dSsp[;)DyYW݊R/Fɳ"%T'gEuT|ҳRӓc9ՔJ7x-$vHۣX*`0ᛒ4D$W<=qX#ɍ8MrC2UTUJeQ^JtPHUOe߹5[^gI=O.o'Qڕ:*ѮLJ#UmZIʶ>|I))nlm: ʬՔ eaS,!YQ!@.ݺmz1YbqjX\Cٱ4;J4!=f>Op׸4*q]N &B Pk=B!PPT㺜L@!@H##aG*Mܐ4ٹ}96A W!#{zP)XUĚ?=\Wk\Iʮ #ddhb7LYEtco@s$xtѳ}n8DVj{a8q=&IiFYV攲N|P.u>1MX&q>F WD=a#0׼D{v/,`؜ V EP_>O%Ѥ21m(+y,V fӮa()QDI4%YmT j+CQj45=\Mi (IMZ@(hfkRx U0SԘ14cY.*,j߮=ytU:TsA ,>ڹ4XAAI5uu](}` M@E;v^_5>(+ 3dxxRkgumqB cf4nOo{؜OM(zez^>CJIe+Bc# 
cd*DrJFܚh;ΊJ;7g/͜:DiCkAcJW"LA+,*u…j>e50/0ߋ,U;6ϱ:)6߮R̼..X FDZCJiDm ԃv7Im؜:aߙ&C%Ư~|lX%Ѥ2MQwVژVGhS:?u'DFl)ArFfSTߤ5i|$ߑ^vl㦍͛7gtR Ohݧw#g߻?~w{\i@+X-N|5{OXms{E[Z ]&_JIe+Bc#GDb~tB($A秤7ӷwߩgn`Sڳw_f-_РԹ*wJ:nOX’&.7 R3|XKA^W̚$Wm.ob&{͛V.}y$6'Wɯv`@6 Lzs:vLٜ%`FLq 6u_|AkEqZ\}LMAb]781Ycn &'~jYnNoV5gP*N~RÑ41֥]vcU1[_.xҷ._ S C"P#Zm!rcںG5xYD늊:,kw?Nq(P@䯨K rF\҄@ Aa[,[^V\4%rE1ٲb.JMZ Eej\ o~\^mTTK 첅v6N!P(N&!PPT'B W("HA8׌5{EͯW/(UE5}] W(p+ [c_?2T!6U:%Ȋ Rqe$x //QQCs_X "z .Dre2@!Pd3Q8;|BR"s2WDyJ C ^H*A"X}` ?1%(+dbe2ɍC^-ZN9}-^O-zz_Wqxa2a0#'  \5oW a EJA%ۣfTD2G{HzGfQ *Ŋl(,ƕ6ExEW N]u=5mٳ惏sN8dDTXXyeE[$,=6t4>HĔAj2uLRlڛy_&zY<l̸lx> L#5U(qf>H(YAm_3;xWF?JrrΙc{$7 A$sTڱ6!HKԔ2yRI ֔b-6hcS˼i,ɀJI~1!=8,A~`SzX)ݕ5GR)b"R-LMgn'fsIgbvh{A,ͿsJru2==|LElHN,xY JJkb~ZTW]U :a{vi"mu5+i^RY4nCa066Ūm䀫MlQꌈZ")'JTsI5R-<4b/hV3 8)d4hT -LEMVҴYBIim_Kl2t6;a{T2vi";],*),WDN).W,J9Nq啤sRR%uHN|9XEKIW[;+K_'jN>I JXfH~NE:ݶ_gdž&-#s͢+),WDڔ7ESjQFƎ)!{7:'RI2_O%&V=6RL&~}ImlЌY3xY{&Sq/WSI_;+jE:Gmٱ ͢+(,"F6%Mє(;ZԷu=cJp; 鬄I.CR jsu!XE\3RVcƏIHHزiK&YQV?G&S @{!$}m_ETkT`J Bg5{F@\" E! A!@ E!L!@`У!@!@BQ@$!@ (΂A;lYhEgBE7)] B oWE^5b02~{C~eN4 (iwGHt -G&A!*s\ָi7a~~j3RS)Ǖd:|&+ټo ۵~?ed73񁀤h:\s: b>rts|xui.{ۮ'{n[bBܔ'|I@x$XB(:g9sP mXJJ5ͬAHQ%(/ BhD1 O^A"* *&A%%!3: b+X>]}ު[UջgΩ:uoU`>ww>|UOsغ0Z5&qٌ;zdN|xL1c-^([[n?e/TmuٵmztԯjW)utC;Owe󛛡!9|iOHl` AyOt -jQ_0zC%zŗ^T@_}=kW߬0TD(.)ƫۗz$*=R+*du֞=zNTUbVC?[\)eHPA,i4+h}mUT ʌqS[ªhxv#CkS }rd],_ʀ+#WNsgUu!zMd0 G)Ck~=iX䴆$t!)o]JAyOtczFd29 5^/R: Hu oK5k݉/WkR _mJVO!*1i wlVPqA%O>e8Yt ŋS7wPn^3EFIr%qzD ҩuJ Ï>o S:9ͻ[7wyS\5@e9+X &!GWZ@\޻;nԏHҽǫ/H…0cX;) 7>?>v46?%ߺwV%eT˕Y}>4U`wfRĝ6PqsH8(JIO:DC:#&6 z:r5F18T$NS|1A:+HNfq6N+cqJ–`9zuSqQ3x@0ZBڽ-H~\rG{ȴgY[e >W\;?pޯV<5Q媻g(/H /W; oa۵гOOah򼵅Uby {›&n1/hHRbQ<(0b _2Pz&W nsU|JG<3$VA:ΝU(P`u(\+Rӆ~oX+VA2JΉq#^R?i*7d"&q)|u/Nl2?&ޣ.h%Tkh^|g0֖5==.K媻gv+J2>qeMʏ?pGA")8Xԛ#<"KKn,cJFjSYF@T_;F5ڽ+m|}㘻Ǭzj 2pU]ͻ0; LY)Ǝڻo򁀡Vn)VO]kf IDAT19|o5^7nw5n8rd,20%} "4L')d\N+h2P+ Kep)@Ȁ'H0Cr \Y {NX\ksF@nI[̞9+ۭj:\7n2q;U8sDDK_Jo!x7/r>_&Px&.Ԣ|v:}pUu. 
9N8V>qE.n$ك@ A= H 5lE5A@2A@ad+ 􂀎1u9}کU3([ ӄ@m~եb4`H` $zz MFerdz͐(?:D> ɠE_S` =fQA#b9#6 A @.UP7&W0 Fj3SŠ6.,Ʌ#B ي0y4Le:(fe%>.wԙsgֿwڱs[-X@7H-GaL>qbwt)Q qgJ J.Y<+5SxPz({-VKJ;;m ndIs/1#!D.R2Aɥ۝4쌱VF]VNI?kjLS%Ygb<ȸ ^nƨ z2leEdz.lk7U/ѐk^(+ lK5E=RSP-Un (wni%e!X; "ރ. g5fmBjGbTD\^R2+'>]yujN`nj2Zu96[GpJ5;JU Â;@{O/]Lt\(A~1dȠۆAoe?#+N VEqNYN+V?2urUqz s%ƎkZ5rHG oqԝe,Q&GF}^4LP)g,na#w= )謯/2 4MBWGeT(\oËL|BuNXUUgN_L3᪡3RʆS@.$`q &/y9=rruOkUSj%Y-W皍[0Ն%fT3Qo~ W_CP(WSDn2JR2,spx5c*qj!Ac5۷f4*ur/FzKC8#'5 xY]"\:UdL@P,IȞͫϝ8QL\VJ=.S"J6ѐs-2bBݻP)Y`Ǣ.'9uBmEzx-p6V@ )/ 'z>W鍘qr߅z+07^xq= YÇt IOljhfIP4?0RX(Ƥ@J"/^oF u/ iEQ#j#(%{DԕrΊTpL 3%#6&$Sx&cTNk"W!5\qbJ:JDaq\U~Kq(#WnyP= |>IOnE)(ӈ292J\3AZ (ӍL65! Fb@ ѢtnlVF]UTsr VNU\w .Knu;u ~^U__ Xw _N Vrsz#/W|Ȑ!pUqzY`k1XVG^-ڱkƍr۶m' n,B$ajw4LB%GZ R2(ts]8(.D!~@pȞ3Q6VWG9qaeɇ,^9CnktT 0!N쀀NU̱`Bk\^t ?N+VUuG:4ч֪h3Z JJ5s)-piG)u_]6\=+eH,R>t2I-),W:@yۉ d`w͞bsRيϱeH,A@Hl!UsXV+m  =V=s%  V+m  =j+ʠJd$x2#Ju|wmV>MnL]aѣF^y4[ U[?S䚌7j  ÊW̙9'h-I9?S I!ӪKVd 25sfD\J_/^ty~}g4XhߖAzJ ʼ/ /0 BX~~(uȸmG] }abq(`I9lF`p37;ZEyy]P^qCRZB/JlZ1hgEQ=$g#RsE[g}ߠZ r6>h ]ջjVd ϕvܦiA7: Y.^[6-h[{>SvmڷgLei5 cȶmçT$B,A}X9.6mIAΩR* 3{^.? Ea0lw,C l|}#?~xm@a?7{洖-cD\[~T#xV5& "d>ePemGůS50OϾknh=Wڞ0/mkyS4Nb#,YRmAFJ72'_i]fY!18/jbRWٵ'6pgonc(HMy]笎VD֩ՙj![Q(C G\CG҈w[ֿ [֗a~ϘZ09lw,'M\x)E.ZV4n809F V/OwC;t>|gDև\@+LAꁍ/رcU/pTya c?f/(,8TR=qcz@# r\(5ȋZvP:2"_;_;?ƺ)Drgnո+D,h86C<4~Xʈ[>yuK]F1_덂!կ表tK(tgճ޺e/"+*Oҳ@F+`iQrBg-C!G@JdԦz;M&ERLꁱ6K԰Ǫ׎~i @QE`]\15pwRu_chqyZ9&ije gd m})WrԻE:K^NznjkH@{gѷve}ؑ:i#kO6ۨaFٓ5[~冞7tebt8/oT;;ϫjVyzC?`(=CueIK</|HӸqcD!! 
~i|reeAZ`ʹmoxnۡ k@# :V^З*8}SO/3;`]aל9sj#/#%Oak)SY+npYӣby h[jU\R<`}y=|]#|xIztoWIqY˜.~d>\}XjɠI&jX~AٸQC6 \;S+RCq\e< ƍ5pQ?3r,2ưm?MJGz\kZň01z ( ?C9ͬrbuTJ|yɭm`0wtg?$e>瘅Nnjk!""]f(G5f\CGR g PdOۼCȗGmJnq( T[4+?%:VЬ|D=o܊SU˵Od*ꡂ @4WovGY_Q$5lY]eC,ʈg Kh v(ÅjsC2U-PaL2 V%AP/yY: 3 a+tW0?N@X)GqIܨs֣Ld|%/,Lz;C>7yց,GR@b}Fĉ\nެի,pC?J!P^EpR Iq >r8sR@zɧt2* Vœ'  V(] Vœc~owk0?<iN| 2&!RS6"%ZdV$ 1gbA ]X ;bG {&Țޡ+=17Emڸ!riwT ^]Q`HhM)sfb2H$&wh8 6na3ZӓŚ:ʀ}Ji1QTT颍f+ {G9wfKc玡 Zt9֭[Wo7QGØXi5fF1u— ucU"A DaN+]gb>Umw3k,u{] w˞&u iD66Ұ1"AG"GKs'A"/(!@³H0 x(Ws4Kt!Vyge KYk4nBYsqMСR@\LݦJ-<\8DQz=/L)K׭*jR#4eH}/v EzVھ?xlEJ:ޠ ´:9 :QJzS;8tt:M1oȏ:n^Du#GIis: [џ߀KC"qx˟PS&B͆*ɟE/ʟ CCd׮ݻ`ӧ:dhݭ}Yk&/ DGVo uz#UϵO/ި3aw=_f]lc ] LtgYwc¢=zrsָK1EV^F̌zj+J-{GyzCkRs4quȅCE¥1$x\z9yk(. 3Y.]ވK+ʀ۴xXnG ;~MF|Ca%j@&%BZV5eA:9">UϵoMjOXwJ:b4hujEՇ:b] SMy7qu/l8s q8)pZ̨Yԍ\wV=5^.-&,#^FXY_$:nH. <ׅ5a숩7up7k-A$&(:k7wa\sW^:{vۡS7?Lfq׭*MJdT66fd#Uϵ(8a4[t Lа^X=<;<26i)3c{18u/sZݕ&l1atӐ!o&3E:1VNƗ_u/nϝ.r詌Ąjըj֬66f Fk?;5rXe4[t [a`r,qW>ԮS;#}ݨ{FVԍ֤2ah$ uOGC /ykLNiJ2&ndыsu]B<&7k}{>wΏ xe(їjjhHn}qԃp2׾5Q<31}4[Q玝{ttMk_\ʴ\kݱ5mp츱:#ob*/\hާ;.?unԥHΔyOi_+nEjdzЪ^Hi)UI4uZR7*}g@0I8d(Ͱ!/ uG skmAŌFr T@t|t/h!G@o#`p"~w8ĀaRͰ鵗"}!H !Ѻ"Osyϖ-gr}>kVPKjR!' 
#2>_jjI']Bٖ-XkMi FT #؊ j =sFmz4.nlO.J`` >o/[\iWR Fm\ #ѺjZղopr۶mͬ27}V_(s[BJ.uvJ́p{/wb<;uIIo|eW6,΋fcRB4H+W4+ (=Q=tG5`q P"w.y2O:JC6@1 u9,f2˛֡$HR=}Aٯo[6Ynݲ-0${7}Ȇ> [?8· ŕ-K*ΎU#p 3P傍xWċha^T +ЍlL7~h~WkA@~5P:A!wE 1iWA bd+P ' ي"& # [QĀJ8A@V1A@ي1TK[aiK(q8; 'SC2b>7QuVTKK[?WJ-j!32R?S}LC#ri=;uMGEW}%YLT6l\¦h!3BeebBՐ HE%*f.DN/"9%H6A@DpVD Q<+AUaefΫ?YjH[\kPY F>-;@{J@ //TEEE3Uq\WH(vdCWx <+A.ϾA*}㐍r5hQD=oc2p7Rǎiϒ*8fei-_ ;P^܂g^_ImǪj=Tkŵy"@?g%cf!WC4(9jH>A5 ++u]rtEŋS7wT5:j-2#B@;u9٧.dCe!eW1ۆ p;2Z\ZT!c%].N#`Q4#uzY&NtR\hquQ4$qRX:l1qGk(y+>V%-Qj37Sx[̪[ř0yhmeq3ZѲad!$G z|]q"u>#G#ȸ\"lLa>- Qe VЮP^F_:&doUrY`!UI!PJiD upu _cHDE'ARGg=B!= d@2`UXnYepBazsXzazv-ޙ;" 6cf*bhQCr5.Ez|>q#H9r-}{S,k(ϔ"ps#nX@J.u~JCbei8ȁf[e&-]0/Zhx'jdܲ6J>P܂y+>VыGH?i%Av"ÌHg2#B04 X#9~u%#8'TqK5a=Nk/0{AFT̄aO`J~`B2|ܫ22@Iҝ:V%Jh 2V!B_;5WrYy!p$6R k]\䥊KBAI9=LmǪD@#84Zpϊ;613Z}Jop5Z#%,\8yygP.)p%BN }@Ǫ^** 1 e3\\[V2Pb_RX9 .su6e,n=,&NZtIqGaAV)i]\F1qG.9=.-)pVd b_ Bil4!@߷ >/o\H|:yjA~AZ*&ǰut$}%!\Ŏ˷ cF@I,Q1|վ!*Pc8. jX*-uRcȁF$8㐵qn~Jm AV)U\eɕmõ==P y!VXT! R .=+6 +#NJ3G4xo6h$F({СCCW)jB /iڄN\7kjԴيBU M\-T҅@Cb D# ȍA@H9bI  F g Fݽc7'U) q]j nቂ"D#LPm[v8H@݊&>2wU3{,}'~$-G_]BڏLNj1m4{cd~NX][Qګ%R#z pAIqzE>03f @ "-?)~k^ޱMG=+E.jV|yK). S /_L#B%K]geaLtz9"'vvh{viպ ӕ"glEH$$hcfvE uBVa6uGqtr*QU r@%XUdL;qLG(K@MӾ@4?QZi%uek%-3F׬[[oUEBv±ᢧ/?TnTC_ ߰>d_i4̌[ x]wuN~~[ADv"؊A Uϱ(:$T(MN]׍v'Ϟ>Uq'C=# q㶣MKDJ1 vË3^'AL2ך|R/5/ .Y6vX|?߀r6 ;\?S’%Gn&r#ɝuIUa9<@ݡn8VP귒5a6Nuc- wȎ{jw<[lK<) 3 &[ڡ* IPzk|(USֵAʑ 3vËxe F5tQ3 U׆:/AE 'G/$FeW'ʞ߿ ʞ[rA޳AxUps\dAFw|^n:-@i]#镭*G| hA@f.|*T5/uʴo־va׬=y$~=7\X7pz3uCCw,'WM:_k]pN79f+ 𻇏kā_(/`]~eM(U}Wy^tqdйgKK r  C?uy-pN79HV1AѪ 0!A6L0WR^}ϝ#?0G* .c\Em_…oNYF% ߪpzL\kVJ#5|n#gͩZeuصQFr۶m'M@[xΡAJ2vm8qTeۊ/[>g֜ 8pPǶY@玝{t?Lqŀ;uCoԴYC|zӍ7)fѽS=(.˛}-ioK1ԍ\Iݺu@7ܭwuNG4jK__p`ߎ]7pz$sʄ)- ׶.Q5pF\j+VM b!u_}CO?=' 1wxzӆ2[xȡAJ; y瞝O Ջ@@ͳbۏ[F Rėjd ! ,2j —Z[f:LiEbKuVd:9}A, D@^8D[rE@~UGA (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A (&TA (L*A  T?/%Ƃ  M~p[Qv9'KA@چ!_lT^LiWA@<Jܚ'V$eJE 2d+e.  yVys"  PM+@! 
[Q͉T$@-C@Z6Ү lE7'R  يjلK deޜHE 2d+e.  yVys"  PM+@! [Q͉T$@-C@Z6Ү @8̫_*zrA&-g5 C"e+JAOEn#)k:\3pUΊN<A@"A@Ί"Q$w& ~E/4rͪXUnjG#b&l_zlE!h3Hg]-%/3%G48q< r1­Fg|يє#~+ .j'߰qCRyj]t}zPcļqZ6ѣF_{I\LdN:i嫖/{wӧO6c͟3rM8()LdFbnzyϭ{Z _u/7JV Q^|eeeC I]=}Az.K‘gLcRq 8vb̈F\̪lEоl!fAjm[M4e&M[Ye]:vlq܄qب"[l =o{DzK{S߲ uU9yvlMT+̜=/mт71dh9"@G $,6/Ol~3'A`FJoܰ 0˼%}~/:\eO,5f̓x.Ȼn؁\1o۷‡d#lY+[5; Uλu?f묙۷nowG7'+ګfƌ}ηvnݼe.,ZūW߾UWζ{~zό1pu n,c"(:ư5xbJ%G[^x˗-~ĩ/͛ oڼ 24xEEx_v`$zX@8mKUFy*k԰WI^fvX)f^oWڶu^t򳙣}:KOPw} }rɷܾu[׳OϹs*w2.5)tQ@(rWIAjU=VV}73xJsA:7K5]?qRlCYɓ%W{W2B֭R\bzg_~iU ' u)SzKdh/uϬ&{^܌5kר ,oJm?2>d+]۶zgTL8:yB0,8I(\Q#Θ|;ej2/% B9o  x_2aÅ|P{tS{:tg֖`ܕ˟f߾K_G} ׁWG6>d%{C{"33g<~ݷZ]]i)?h[WW. ^|~ZٮgϞ G[ $*RcŌ>[3<ۂbTڜsC;7nTw{)HC|aoVTP*rYoIwe-G:˕?V3+-AdiSO۶m7_ߠջ/F,2vC' |u@m|;[WuRt-wu7Z\YUlкb Bq9xz(Br< ?u;d_x[.]g׭m֬Ҝ>}ڻVSn]H8xpтWhreu[䚗^~ٵ-` 2Նt XlZ+QG,

~4S}?زszׯ=vn%TU1$!#PGN8%aS[1<b(V's2p=7؃k2VD8[/xUܘgIH7Hev3uɴFi؝>18&"BA09RD+ U^ AGp}( I 5XbtАcla7`X 24gp!ieHhq" @2sIP4$@ReȢn^*{d)g)5i)5[cɮ|_dzl@}L/ 9pPJ*YAÚm`Q-? BxZ0폲x W͸V]\\QTBC(NBAH:;2(ARRj !זWX e2IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-icmp_25.png000066400000000000000000000037511303637203600222410ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڔU{PTݻw.vqdQ1>":I*NMLdlI&VkڦIgɌ68iljX*A .Pvz_o{91m#pNK(x3[nRLBdZ $bY8>TXT]ÝO"A,ɁY߂@X{Z ]:}F~tv;66c'/C| tҺOfٗ5Pp O,6 N@~loRP*4В6͇\6ms ,YU}k-81mp0*`}9PSb O:\X 'Sn/ Q8vق})4-ށ)T l7:.9aF*J2_~D $;w*T>r{cяK J xnme2VkEΎnAe5- 7>wC8L _tbr5IyϽg_\Xz~[O1 <5d4 6 y!O$|3m{PSjVnI>zc&IA!4x 7pu@n!"!] 5-2H5>vn`0!9fGDY`^;$׊BT>%=Y!H@MD`zP@@"26NL!{;v g0:%u2 |Ik6ͅR)VDB9>)ie@` (IF74%<d1D`Z|>m:O$Ū xN:^𓓘fZ1F:cUN=V?? soNX p6Pd9HB&P :]XhYa@ 4T!SAuV~>Oq]!VbKTaA78""􏓄EaC:4Ē8^Xnl:C( Zx^ˆR(ť bb7QrPjP 9BXHz(I:Tf律u L둘Gr. %z?y @('!ߴPpgot"y7 fa(gb(Ȣ B }gzV |Ttd:6dSb$D̟N}qVY.je? [ZPb's|+P56Ϲw["I%X<(NɌS(|㈶Fr됶&o]/Oፋual;íڔ}lqĀ8=fw;5=%?=@hƀ]Gg3KWv5l}Ʃg[[-+,Z(3q>UX}m*5lS3mSUCnk7ʵ"cFL2nx@`e(O^P. ƟN8L_9ySVf`6Yv|B 'Xby*pob֦-~e+|ͧw}>oD{hF @*Ǚᢙivc#+j "IV+ѮOsx/c{|6$RqX8jG{M===;^xA>3y`2KjǍ16իWdbi4o@9{˖-bXDnCd"OWி&kkj#Og,82vq`,x]E;8q"&P"3?[v}> '?Tl¦xBnㄵkk@ OV8Kw-=*AL{>OEǵqƉ]e ;ÉC .…C'2PJ s⟾v}%讚k)Z. A]XXXL&%ӷɑJ̺Kk2eOڇp^o!C@@-!/-@w'S+Z-mGIN) ?\-^{c/uh]ˎW6!/p+:#mYfΜyʆuZt?dX;'L'~\7UV^pEX̽M1cƌSsJ`3MusҤge6~Gٱ"ػwoSAABvԇkd饯P^^>z bmӺ˛a{:؏@Ξr>n?uW'ͽȢyx7&NGZ 60qe2gc,n*+JK>IccH$! 
~PYsܨ`f?l51+mףh4֭[HdMJa,9!-o\A<)l\SO=&ZNu \# >bwRy0 Pv@&gnKI?'q74 ]]]m~Azzx}zX/tCqμm1|t:]CXmjyʎꆿ[zhh>LA!nLGȿ[pX3ʏ]X7Y) 4"ŔeUE& `T2o@0ك4/$Oҭ=v򹶼ܘ,XìͿ>dER!D}=sO U~"evl۶mPTfhbjMphɬM->slN]cXQsàrX| {K;XĘ0g}!s{X XDŦ7djI3d6  `>w1I?<8a{@};_؅F:Ba>;BF8a6hR.Xs{W3DCx@/V SKffxg_uU=g10  +Jf!ªši{{v.łʅמ?AAiݱzՇvڐY:B,S#gw]4n^CS2A0Y__U6u o}xmjOڈŊ]Ny *]dqP2x:F' l.WWW5aQh_6}dSKf8sXrJz~Fyq [ܛ[8yib}HC!e+g&2n6'lٚVyK旟 0ї?g=[{ά\; gW>vt~~ՕXbT$ǖOVVG\mmn3X- ɞ_ѨdOeoWݯ4_s' *[;?*u#42gAZ]}SyY#'''>E^϶yCNE# / M5c"[?JX2~3p?9pl , vŽչӰd_>gpSSSy?Ⴒw`\TۆآS{Ǐ~y˿ۼo8v}(jjjqu| ҇.Ny%ϛ97_|s`oLS!s[ny$|7R>bݻҝ˗/{yøO76bٲeW)3|>;.ys%T^oZ^5o:K.DvZ?-3eB36\ƎX lQپQc,7*WȘgAfr{4gpxMy3ȱm mp%aMM|t)ʕZL"Gmf?2*Ph`r8#k++zLòGBX0ۼZR_ ˰1nLty*ʱ̿֞; "VOPO/e2døO>͇]Z>1o%Jg~RgٹQY*"UQ3:kL%"o? aYkiف|{+ 8Nd)>+ 7H2+BcLJވD tmE݌H`%>nC/z=C\s5 EKbLA4&?QT6pZzYH*!1HFk &I7~Qi(ʝ;ʆ {"Ԃբ+C+ͅJQa*6ɴ}3rnZ! $6&:ԗ fu8`C(8i;csͨ<&m"A5]`+_J$(@:B@!1$CND':-H0y0y~Ts쉮o$^l q.(J|hVw07\ל<# Q ;'Ξ$kS_:m*ZV2 Wp5TTNaRѐcq%ĴJJvi =}dSʴ]0-I%sXelavE%|ᵳ,%xc\~POgT:3΂E!\J\r#!a]O{SMŕTOds4?c[# @X%\/p 5G{F1b&x1hfUŵUW)T,,lRTS[0 wE wa(=h1VbڬbT_J+kkFԯ@fI{`ӄq1&DO kӀHBN =bXsgp (pu q:??EX"ЁUx#̺LjyRrx 7gTꩭHi$E^r$>>?jׁ933KIjB0x")tRXA/0="*iN*iӃ@&1DHz %-U9IsG7v+쑖Qh8S $pa8τlPO"M01QѦ,}5wyE.(ɢ峋VKKC+q/#Ɩ,'^5k\O|ɽv#"8-!.NLiQ6d_9=U+7keLB64߮=4z%Y%e1Q˵JRǢt}LŴ3 IChU I`^9aBӪ.Ɨͦ_ҠӪH`B /<ٶi䞎ӓm+p-E0na2<hsgG#rW`=$)&ֆsL;Xw+嗌ZDpiiNSfUtZ=/qn>*N,І٬Ҧ.(:l{tRӭ(O)]oiP0/ydY+ XuDe;ܟ I,8ʘ~ ~K"R^ (*O5#+9At#6!fEIӋQ߫WYǶXKAҠ8DYޣlࣚU3Lg̰ ' FU$v*rDQ 9gujS^x1P5 p26ɬJg*5 UC6ҽ|~ '.ϡ+8 YEd&;`@6BA^ǔD!O0A豜gw &*lI-t#d2I)In.; XG ue׉<ǁ yh0»!ٷXFস =:čŋ8f?W64CJTz,oo!Kz8P˭,g 7녎-/<_C-<sNM!?뼏 _\_ j"(O6@רY2Q ]\ !9֫.&[bبRLLC1j#֭(A>NZ3@Xe h..e$8D#QZF4-(F&[bY~#вwQ Tĵ+ Ilp׻:ӕ 0aX](Id$WoB{%+˦BV&uWPd RtO+~c̭ڴ1]!b1_4"#F(9o@Rޟ4_wߢ__BfXKM;}1 ž3h^ lX y~%^ [V 'Fh8WdYQpRU s~HQ}%uxA>CI9GcbeqQBњ%奉7H8HCOS1K# ~cf!rtψP=bLKhlXq]~ZTFBUU5@Lve̪tPKs `* @2ft5MŽWE<heTnJQw15)R!i##vUΪ[Q5cn}=^0RPFfXrLCEbԲn4[=#IGԮp0/G8UX/9>04YzyEf)2p)L&GdT車M&2@ %7|?""kaZv/٠8l~, vSbEnrk@4ח{YS~Էdٔx[Kv  z`~aȗp4VYL@, "Ë0xw £v{#H:g<֏ffyt3M#n şC&pZXlԄ"}w֬ʑV 
ez/.+1LwbUo#[ǣ(x`umGqSȘ7b||dZ-ErVC(NcߎcP8 ~}kNt5'Q4-c4jҷܞUpOeAn8"h5#$.eIz>,֠s T#}4ZƸ>{u1uP]NE ' '):oIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-ip-neg_16.png000066400000000000000000000012031303637203600224560ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<%IDATxڌ;lA;9eFS`: A  C@A $I(BD0$)1XFaΒ}<ǝ'Ͻ{υeA )uОlWSh57Dhb2^{aTp |,c56}U+C/8AYٚցS6 " 6= dFd4 NϓBBMu);$Ldo%ӼC К@;vD8*qEj/|pi޳ @IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-ip-neg_25.png000066400000000000000000000017261303637203600224700ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<xIDATxڼT]HQ~Zj+)u#WWVt]]?L F^BLljD l͵USfھ}so6z~{~{>Fe 6f|ប%cjhsڳ?@M̬|{bk4W'&/e>f1msb:F>8*[e.N  X8Fqsxx‘WGXP1P~ɷaY|EH&/(Ä;C .+nǹ|wƨ9H3 P}[o( $ebE*+& zLǁ3B mٜۮv``l./!,WޔCs5vWW)߁z"D7)ܔ G; m@H},&$i1D/fsQ,Y5;LHY&j]xz*lr5#@yaæ(`S)$I1aW>v=I51u|GCF!F*W*-i&z&j5twwCoo0kZ.hnnFñPW5z ;b=7<h4J6LPXX@W3qee s8ؚr---Akk+\.  <]ѥ:}]{8:htM b@ii)x^Z& H ؋H2kjkknCKK˪&###`6iw_kK{q͇;/[V_6eF#l6:R,fy'p1noIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-ip-ref_25.png000066400000000000000000000027741303637203600224770ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڌVklURZ@+m D D aDQ,1PTEHaaĀDfA)PhEJ Ֆ].۝}Ύζ7;w99Νr5k!9z:kgt. 
bnjc]"!rP}Is8t&hl&[*zGRMuړ sedx<.u?D4^NA`>B`+"/(^t -*c^l?9͂ZssBO7( J~)OgpP/!O<F#':[I4Ky !vnē㟮'(.Q\+\Wܻ 1Vbk+2k`$g 1ȵ ,6c=?=q0ro fi2X6BrX^iɏx(w Sj48 8Ǡ?yRMJgc/|Ve}=D}ҴE3ZKՄX3K.ح@A&MOg8<4_Ʋ`mѓ&GVwmVu]%&FX3rh R׾M@zI$2֪E3B-ةM9.tirS-{ M<rQ9i{&M7v }%&aC(vRϯgDֽ6[(yY_%羁!C",u{9=E,ɡo((P#M6XKBt=` d `_xeM˚G$IYI:T?(H,yyak gXvD`Mс[EŰm۶£0D 6%.X ok:4$עii GWW!SɊݔBNMHeHBM`':]#mE^y賣UUUhnnNtN~Bݴs2, xTFn'"'PxsN$ibܸq#}9O;,"$TT1HIqT EPຣCCCшEUTT6Mhv`bFOSQ"?oOͫ1<<0gmmmhhh@YYN>~Ȯ$HM!$I넑0: J# PYY ߯XŬҥL_@%::PO7T`l+W2bdd%%%q׮]V Iq`YFl )l=g%{|38\K#Zсp~Ur!D3K2 JaIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-ip_16.png000066400000000000000000000015171303637203600217170ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxlIhAI2N▸!FE*QsR"DMDD IED\f!&@Hde23eߥރȹk7Vu> em>O(Br7b7'ΕR\!~)o1LT`uyV0%d?/PU !%`ʽt̿o~(`EEcinŌ?CǓtDjOB\ _rF$=-nc݉DƇp۷PP奿eX??-w=}G;ҳ/2@2DGO7<Dlb'jאb摘'EPt7bL/n?>Ӄt4(ܾ&<h68;3,l% CFʊ}[a|NؒݠZ-wm9?WWnbʃVƨk͎ :ŅL̅%Pd@))+_w: KYGDO?5 ل& آH5J0K,09[xq @@>䛘#F,ZQDnٽRYjAVD.!IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-ip_25.png000066400000000000000000000026301303637203600217140ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<:IDATxڌVmlSU~֖1(c :6  CG$5&CŠ!"? ?0!!( 0vV잾}>ڎ 끑:z,mdXާ8tU~좋09$F_n3a+v5o8/M9Mwtev ojDD;ceh"JrKjkw  YZl{T$(G+O>ٮw7Qc:K:%:{EH_0x4,#=P1@x+}Ul{LrR$|kygA J!x9={$ 99Up1;u\Սs׶8qR. 
E(\6dKɑ)ȵ>~>9s"<|Q*SJ<ĒɈ|hb&TE D8 21pƏ1=M 8%G.m\Me*E"`۟-}ws/ Իiaqɏ4\vu> RXER%U.s޳ڄ+^ {)bU+dL|X/06̋`T: \r6tO'˫QUCz'i h`g:琪ܥL.wIC< H˞D+i$>e;ri-pa_oчi.ll];71mj,Z y'#W3v2no.M̞n` h gBr:I wCOVⷀ1v7pN^%LXyLc@;J TU)Ϝ!B:nG?կ9p-JZA&ϽRKgA]`%sߘ.rCMrPH#Vч6@ϗ$NDn6$d \CtkGr2NDnka-d2r;45́4/܆EDLGJ=$ىCJY0*Iih^j3c@[\yBdT|Air A {gq}j`$goZM-8(H&ݰ=ВÏ`͋å;hݶY`XU iz@pe@FB@4½bhv\a+^Gf$;Ha˙m S߽RD]67NԎa\cʋIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-ip_64.png000066400000000000000000000124131303637203600217170ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[ pev{zNXC1& łC8%a!R""f콛b=Xc1) cmc| eId]f4tGe|$WLKmOcg$ ItA{OeW~7h?Zi纳wqVߦ1I$W뚺w~KG+AHPH5r7t:G]tq 6tJ2lg߲Fִapg4HRA -VI8)Fp# ӳ\vS\[[5k\]__: zvygKN=Ǟ,Ν.ix`r,g$aTV'vaUhqJ2gl=cOӾ,Hd_CCCh˱رC}ȑ#OXm2p2A+(PJ V@'97ؕ#§~ʹZZZQۣ e|{b45`@uT<1 `O XNbٝ9e9`:+21V:{03T* i':>). wσ;C>N{-邌ey"JB)t΃ʄH"=`dVd~iS"%9oMb9SzTtc5ڣ)/&.I$sO/uG@҇I_>MsxAbMUl>-1,V}|ڴұe4f1 >]ZMGi759$n@ym_З/N&bzS o.bpo~s96n.Ʊ8w3>u~ki }B *x2rOĶN,{ӁlǝsH'~nXwo ?޶m NZ\@ c-5^v7??'c",]CCEwWl߱i0_8YjKss׮]_ᖝ>,h {DZ2`$J%p&=6m!˞|S&\^RY,dfԘTϛ\'96FxWeԬ"X.I":W} mC/< K 2fGGsv|^Z^E;-P, g6L|}9e W}?[a@O{tp0kTAy9W7s:w>t T> >{O8v 6A% ^! -{tk#8y>V7%^TAR>cz8͍Ymo^':B_ȶD ѽ@4$ě8mBk2pkR(3䑤j>2 W3ճ 5KQVZ ]gXbRhi L{УKf r`/Dp>Tқ[ǣ܁ 8ʐ* !&),5-m0@QiBd$-(,I ' Hz@{qͧ^ u_n`zΛ+q#$Yi~ ܪ T XB.<ȝYw ĴBb͐7{Єm" YR,E+~]cӟYlZRUXujT-G:WkT4! ǴP#3$:y H*dۃZ(gN@}C2)D@^?tѼ}0;J~n+*'<psw{M @aS(nz?)JJ:IUFR*C#o(dl7GGa_99NK g繎砀3B%*˺QW)[$kzg 0s|̡P.],(˻0UR˾Rߠ7!c )B/͟S9Da"׭L_L:(3 <]BD=~/H)zE,vs) z hGGGXӴf_Z{zzy䑗xg=Bh4Zli|, 75*`n 3grξXnIkZnU1嘴`֛{%t{ Wᤶrr(^ؖ zul222(#x e,Q'Hx7-B,yv<bzJ?]fUubhX4P@,Aaˈ4~L&)zI& 1 k%>ҧ ` >CItNqE@w.[Y`ҶgADuʗS]fwg4Z6yRM&aRy$MΨ ՌXJ+MKb eBǢ(e'9#8ϻ(Z+1)pMucc*HvK'b>7bY`+`60+$0qB?_uٓ<^  (QLJ JjB&fwL|޿&*XAB)!а-7+«k{(w0ͼVe'yIj*X1ŤA{29A#c95<6^zcKPF4>it5KI*:/K0CQ-X$P2^uKPdRܣ0M;mťp(CW3-'^Q/3nΒPfJ06 E AU+%$&IM"K`ϱIijYI*.mfdCP^|@/Մ}trO>Xh"[ p=u;1,18A*hK - ^s3 (HvƎRK\d#c g"W dV8>%bYXmK jr'SVPٜ{r14fujP2%$b7zT,9TH.pl E YVs/)fv%L7i$K. 
yolwy疧( _EgwOCO\r,JBKV peE3βt]xCI)xsh"4%d4TD( Pq?Wz j Կ 0q+OP pnv a9Kbf{@tZ!P+ HI()qOӌaU%w؉滈,R1ՙagqbHhu-!t%L ۜb.#%ileu::fN8rYPEPT)#mΘK|RթNqk"^\3E@@J5z)ruU Ug"E+*>#O ԰b( qJD-eIHEau­Ҙp> _Km܌FpE_% 8:|fCESJ=YtZ,@؟ HuD߯+ݞ8wD$SرhmCد8Sz@"/7C>bHv.4R?J\"54H:Z߫[Wa,*JGe4~'c*Ê9߉dl3B kQ]>GEFA*&+C.Z<TW/&Ӱ%+Q-AKG8XPQBi%ʧ`?Tu:mPѻV,3@3KEc|M>š:Q 4?PI>:#sQQR C;zEۀLbQJeq餉' 0(_H IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-ipv6-neg_16.png000066400000000000000000000017341303637203600227430ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<~IDATxlS]Le~iRjǨu[MuEp7tdQ/1d,Q WcsKʀh2N$ckv2W eJY[J;~ '9yO=yޗi|}oǿñ4<<<{=zNIW0>~x +vڙ,ҖiVoKڒiEPOh X8L#Ϭ334v,eEuղvW_3'٧QIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-ipv6-neg_25.png000066400000000000000000000031031303637203600227330ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڌU PTU޻첰( !5ƱmK3MMC ehqmQ,uL)%"0A޹=.k"3{=sS^@Ƭ\ j! '>98c5t X$+Ɂv<`ɜ ]tګkst[*Inm L&%\V&S\$RXLGUw v\Kn=1b`W.z$t &8lx+yJ)g'cECmh3H\CvcE n\.ҡ}ie Oi%nƦ3V8&0\#YɽN=~r#ĿEUcy֭ã5r* 0-- <߉lxiM5@grFȗ*qUI/w 0؏XPD@h>T=@`aPpv >ewUv={ZEWM 4>z~(Fi扡PzJӍCE Bnc/$L=ϟǘ>Xv[c ((BX'{66eQ 1F2!233zr11܀P܈&`%eJ~7ڇ7k4萳ݻi3yae8XaE5]C5$EjNOOĤ}:=czRŋֈc SfL7/C#Vp[X,nnF,tPosZl୕mS 5IEv86Z١ǩzRX 1z+ rf!% JXKmKP"bGV =ϩ+љRJRMڂhdw uLU~`v&oB_} %?Z)(ַ7).X D2jYφzi=Um DF"b]~ti&/ "LY:a$!|96+n(D<UR+IUAuXJ}MC &3Y yfÎ1q~ݢu%) KNFAڧԳת Po^]l.9LP^0@H0ds}(A-IRSH U66yF :#1e<# #]5zgRe2XR^ c`?|p: b P L64 ٸ\C-=, z&#fd*@}w'*B.k1f?H;! 
3c+#(ZEPrJП.UP (#$N!0zg#p`ElO(L `:Wnܜqk|' âǩ 08s(@( $QBl2`8VRV)j]ldZMrkԭB"4TEϽSP}MT?7q @Dru!ĥE%h[`O[N,,/ҊTvߖϱ6qd#IDY?(ps>MA84 MEgx 4P[ ,-PkjP7𸨴SbY9yeY#R_Fȱ@)yfk!ᄈJ]gɌh`6++;Ĩ-HhyĔvb MU%}{;6Iw:`"uxsY3=>dIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-ipv6_25.png000066400000000000000000000027061303637203600221740ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<hIDATxڔUklULmo(Z -BGb FPQ+hS !DK!HJ,T}t;;33[_]OrwvΝ99&I˙S2nh~w 7墜 1ҏ1d.WS$ /70h9t}6eb+w#taTFd`\:Kgne+H(StW;U]SRޱI;2YcKWk4Kc#lQ񔕀:={&̔ ܍StF'@|p\ƕ݌䗡 m|ܟ=()T$'c#$z8QV.pl}Ûge6kQ%aDF VEKqhTn7>o.̝;Ӝ+qi%Y!*9" v[=I+؋oc[XǙP4NLq(b}qKH_N}+ʭFѪ@d$8n]sp)Xf;znpyv -n3N>7ul*i=9w*TyeS B70HB4(ۢ2a$<+lh}6Bhw,!aȬsVс|pN|W3od%CX8YEW}kos++ e+ni&IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-neg_16.png000066400000000000000000000020021303637203600220460ustar00rootroot00000000000000PNG  IHDRԯ,tEXtSoftwareAdobe ImageReadyqe<IDATxLkLe}e$&be 1  e cYTLFλ2HEbFf4Ȕ/&wJBo[`<9?{5PT_ʄpwF|kMy$J<$1(mmΙXN֮㙜$,CL#< U+|A-%Hg'#]]Ț74ċM8` RX!먫 BDTZ3Zs^?7qA{z/-aϧlb_D Cr yc%DW--癸x1d M7h^qld{땝eOc6~]Xe;t1Lo/![5( ~噊KT њֺq RTDC"8?W&damsv#֙3VW*ϝc77uwIȞMa-={XtW7-&Yeepǹ(JwqfUUT4Ӊt=d}DYkک$z [)~(WXIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-neg_25.png000066400000000000000000000032101303637203600220500ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<*IDATxڔ{lSUǿ޾nyp2I-/H|gL%<$B%(14 F^_sXvm׮%#s+s~}% Ϧ)+Qv%!Rs@|/cp&ʆ3О_3MfmmiB)9{vckb;+dD"s~/ V 3TIחmJ?Cޙ~OOxt(yrC¼ eiN@(XMj;uCߞ/\s(}ܫ4w@:UU"&M`waZ4k1<2;oOgً|:w !ΛDlV.3`03 bM-6$% MuZ{&pVz\ṿu`ȀGBc!]`\c_)g[ǡ8Fϥ>dzԄU^z7Ȣè0 JH^f0f;e2A$T{v1.ȣrʌ"- F߹ш\h!kJjVQw%+4LF4\YzΝ ,cy@Lv[,sV馊oAS@yzUOAdΈ*Hf$MRvwhѣH{x \#GRk'!;ÆqZg˓d#! 
Dj,q!m[n;"y?lp,F8V|k${hhaALκQav٬\9u^Dc.ۿGOl܈'%#E(cA1)4$fBI EЮUE(`$Ie`N0^)[[8w|sI gkkS^ -TӞ)*"qZ U/iTlav a'zm)1zE͛Q\> Z8mLP@'&A#+7d3}1s bQ pȑ^g3Y^=!QX8#v.F;RMCol2 |X7M5՞~`ʤfVv9.<E[7z/tҞMX ƨ )v-Q;} PPVt2Haֶ`Ԓ;tmƪIz~rq͚J}@ZGgk͐ee:ɀ<i+Ȋ_q5Ɛ滱mOAruuFђ%UT Y+VM b:Ʊ@O_nWE#c:P\IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-ref_25.png000066400000000000000000000032311303637203600220560ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<;IDATxڔ}lwǿ{b;NyivI[VJI0-c @[@H+Ce`6Q^D4 XKZ!* :A6ٚ';ώ}}3K=}c3uq73,dk_ٙ{}dqI;"K/Ͼ,$W5ճg؃/\(/mtj8w 8ks|W%Jw0PB@АxafeV&U'?x|IApDaE8߄U@3_KSSZH Ts0lpXԴ}7@L|݊ ף큯2׋~qk?YC.3/}G|ZS#)Ȓ*8n|s^]G%F U\ˠ?.@8xcM*2CĢb`❜]k@(νR's_BME̜}=*s%ۢm0$eOYCh=Җd&!΅]_[I4v(W+7^>[D -8.]CMo[ _X}7sQ T5PI˦!>rӦٔViDl:l>𠙿,e8Fɳ#WE^k 6ɂzv>7D̂_hP]ŻP*6[y}:Ʊq0}n_/>'N͛gϞf`ި= Ղ+4\۩*C`gf3=z###7?4MTC4̓7p uj"cn{ٽ{7͟! N:]v|ڑ}?4Q9XUK0Khp+w7C|2Mۿ?;F?)#I*Nzz]ѕkhU8rhnn yذa?hfю|EfҮZ)%/LT+r׺;ċ, l===۷ ]f6Jݢ(m[4?z>7餺~zMǟyL@kWnWۃIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-tag-neg_16.png000066400000000000000000000014501303637203600226250ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATx|R[Ha~61OaMkE.*#* ,,( - nn kh@tN u}})/{^lܿUU*"ou·Q ,b lg(:!^o͗~".)9}_m'[Ca+Mͭ.cNfrq hrSms=`\+^gfxq P*;".C)W kv$~RO8ۼ Tzj ),@ @/a8,]b怔p~pG:q 3"AXZ1~wzǢ(`{<dHM9Q`5h LFs Ю+ caDکW25#fV..hkQ@AU4FT@DH iYdKΡY!&Cc}"&1T[ЍB$HXQa6\#/R,vIA])+&ؽ﹋iF{fwrWp'Iq q$8ω󰌯"]]J(J_!mhC =k;7d&J949?_J[e2Ѳihp}.iPisWo-0+49]}݀?c& yU^NMYsVG^u6 x, AG}.,EO%< ݎ۽pv1Tt t;feқBh޶eOk K_rse䢷d>4zRa[\Xы@= s*A43klYv}pt1Pi1Q ֺT\m7[PgWt@V,L(}ncxlEk0p9)Jt%1e &Jѷ׵[^Dø_(ҋoZLPq !wًc] A*rUCr06dUC>PNN/o#wMN!aB\¾дC:> AxZdԾ/Q}k6LJp֟'~h]WΠffuS?T:iTMy6 #ndpdOJY$ff< P(jŪUo>磶eeew@ gKOLj3.Hpe3I͛7#HլV@v;N>(O={|' * 4.)@"c+z0Jg9 l444 33(--ESSS;c M4"C&-VC@^*7BGo]b: 000u_UUUԢhLxG䖏 ok(UF5X&b/BauuuL3gΰ 0 ztyJv=mP}.dQfjƖ_}%Lfq"~/˅zlٲ}}} ?=*gvpKBPw?zb>;QߙR'͝)Ъ&GobʷJel)eIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-tag-ref_25.png000066400000000000000000000031731303637203600226340ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe 
ImageReadyqe<IDATxڜUiLTW޼7˛e6)⊲ԭt6Vk1DԥXSS%iZh+ƖJ)+jAA 0°lAmp79ɛs=z'HAdf6=0rGLj7TRXzXW{r,{z[% [b!>{3->ZN 8OIXMS溯c$Il]!.G2 DCNgXg|y3CV a-6$ S5GdĄ2jZނs?C0)f'*wn'DggVpT7+Dv@&ua85?:P0J5D˄> Yߔ@)it-@X^ah'BRS5A 8kAW];5! !9תв}ATNp^'cתG^S| guKRXZ|GUsd&WWB wql k~A'lgV% ^-^>v}zS "f|eCCOC8ڍ'x wjEE0yaPV ´UxTE :sB pHLމަ&/F۩Z)IІ@;]BWbhsdg" ͮ{RDM /}U<.if#x5⊾YWP4u?hh:^p>B) 0ɠY>1LlURH5YMFkP3Mw"J.(b 5R BhcpOnP dGJDDnŨ¡Av'}_`9]I=nĺhp AH,񵵵(..F]]ݽPA;% TŠ+dh{'`K zl455) =zZ `u,b!)~F$ 5>aSj(//53$2e`LP`':H$[q;L[7f>&z+iӦ!==As}akˉHTd LJWYO] Q2t=@+$wl=3`oXhscISJ.Ȯ޲@j{:g31T1V2 X\+<嘧 >m=w賈Q`X `N^-M&p'&c ]L־-0B,CO~\"fh_+PRG?ʼ4PR cY 4S@^t꼉TR 8ي7?8(ZW6*ʹJ F XJuBww԰y~$6ȷ™(M+$|JE]]p4Gdeo>bb,EiyTA\9ti +Fi_0~Q3NZ0b R L:Rg:V(䂷b8 OsUXn)>!2*idSq5I\q擯ʶގt9hU HCuC!6.w|d`0CNo}k49e5GLsVw 鞇S pҶj|H)B 叇ۄfQf9>Z/P R iOO2y<_Ɍ$nUJ~?)GZYRk}}l+q0Q0Mdu8,j@2Mh~G5zDҵeА^xVyrm,fҍ ܼZ59ƨG6vbeئ@3"^ vjTL# `.TDg}HIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-tag_25.png000066400000000000000000000032351303637203600220610ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<?IDATxڜUyle_+slcc 䘌CrAMpA$1hШ(!JTKntca@7vnmѭڮPqO޶{{U-bǐɜdc搵GvM^mo {JEJXeLޘ%Pu/Bo m K~IY!!:;';{69UՃG|WG8]@ L\uGy@rrZ1q+E s3+x oE,xeZo.^zDa<4wn/Z?>)5ڦo;,F9z͖35yF1*}`:V@ Uzܵ輰,p  l`NK xv;_@7lMo) 6wfӸ%eH2Z F˭:M uj**!ӚLa2~}+|Be@';x,@ݮ  OC ese/Bc@(Oyh23~ʤY*'1p@ٽZm(41q~s$.d084,`N@Ly7yfg-uJk!p*mo7`9 TU(Jz%Y\p O d /,hN.FFpH hx%Q+GPdd} 6 oFf򷑾4AQA&E t^u ShpNrCB]"8oٶS#)'潚CģI^ N`cu7lkF #Ŕ\5\~MKqecUl*=onIp 1ʙ'rRGv+:X];݀^FM^Ƒ?VmATܚkș`p"mDs7CPʄ[!gA3&Ԕ1@~o%p$wBgHf E^ˬ2oHM7At8[3pMODs oi>Jm;*B)}W~NM @2"xEӘ7J5_g7Sf tQ1=AA8FФ4 M<uVXyZ-Emb2&d\uҥj)ʪX6‘X"ZmϯRj~>C% -t ]/][N "b~OPe5LBk|wkhFS&)g%(+AܿV/caC-&.x )>=5%Ih[&E&;QRiBߞ' 93OR*`1QN'e?STRڄDEA6j 6q 8ƠO -~4ٵXGeqy=ώ׶-W$xqK%ZeUT·;K5ڪNr/(m8+IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-tag_64.png000066400000000000000000000153371303637203600220720ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[xe~gN?9'''QB MVt*q~kuu]]k/,"z -=$9INeLBX\<{y sL} m8KBIclYhG]iXdrF!`| o"Q֋9\h.t 
B\ْ2R6[182&Qђd4e)K11o[2QTI '] 8%uF:Yi?(C)GR&PaUdh%q'W.AKN}2d9C2x5e<2ʧ^g{8A#('Ps9[hTMX c5p+_[G P|ѥ9q 25.Wq083ĂR^sd @WŞs`¼3{Hw$̙& *s;lFH`*>6gV6 Fg]2Zy- (SN ǩ: sH55Q}H ,H;jUm/C`ksÎi"/tƏ˭%#y/ގUüW 'RAϖ2],Nϣ<ұD/bM93NFBQ!_vO` e@I}"E)pّ/VPxDH) %ǮьE;f {u΢)#^!T U6V~ /_ @xF.(]Uգ`JuSm/ި+߯#pK`/9+]j י2ܗ͹U'2'M6Td4rdiD)1g0 +XޟɏEΑӐ:T-Ch 8T1YJdᐢCmل&A'IPM*/~))w-0r 8zg0lzwMܷUՃL+-JcTK)&>FH)+ӼyHG_1-#~Hz~P:3~ -UJso>wd|)ÇG9 sq*^]XJCG-Kgݤ>4A_ o[^4<[-$|FQع 5{ =/ᄰ.<58Q3thP5ry?d/!c|15n&߹Zn+»Ag-n pc aXyA}#2#vRT Eqk [Rܿ=Xȷ#HM8Hr$˵ZHVȐ̓qJWD6`z٧]d$23`R_op`$ Uyw2Rm(9w@0/ut߄JR2qs{A;A@ dV!dEM~N`ss) " > qJ[2-$MV/tV 5/ 7qaˆ|3}Wz~3.}Xr =^\T-{}zh<Ԝ5qsIS6Sq;FdB%qj/291ˏZ\ߵhR_&8۵]Ās~?1|a4o솯F,)KKD""ԌSաg 7??E>*m.\ZbTl`͑%zב0_ǃԎNs:[bSCsҀf 6GXSG˞4F Zۀ+jqѩCpLunw{?yξ?zr/cfA:;߽Uu|Sy6)|o)LHzb\yT0D}(jjA:7'H`*.1uFPgK;wy⌃»'] e U}_802O^7&gD޺ ki5A/?|\G ƅ O:tOh5#5pѦQFH$0(O2 ҨH.'Ê[~TXg|AUon>}%Ǐ'h죯oúX|䤚B~vT1LRRk۰aw'\8Nc߽z[iW\= L3ʵҽBD+@eqM!Em@(,vy1]kFf _DkV)#_v?%0zeg}xn)}?ކ^َS' =M&WY w%{]_ ";]w(3+Ti/,6DŽUb4B!d䔑R Þ!,ںԵc >-=#ShaG]!7VwOk.3V"DX&qM00n?x[Q*Z2gkF)*y?+z!T<`.,3+02ﻥ4ma(g̊믯mk7wod[Cأ+Ha2=]^Xu^JGFB*W<(F#T8Д4 ~@cXEIJݵlІ }8#pާh{;m~C`rje\y*b TЉG;قqӱNnGIW^wo"e! 1gEjAꬋZX_` .UepgJ[k鰈!fFBhXMC`kBht$-}M>A{a-dň%=ȫ_#Dh #C3+`5(&?blv/lOiðug*9Oc5 /2,HickJ#UH(wQqLۃUgEIFڝyteHM#+oJ eGw?4\2Tz) fDVw|Z%*I\ۃd؋Bذ"~\V;"7UQgs/.CCˋv0F7XͮO4o<4PAnK"ΐD pH(,! GK;!uK-hNgsa,Gi>s6 ^Pه`>՟]k਋,BG1ܶV[fCu' =jawæ͎U9Ƒ':rnRPJ7hf# g0WM0%-{eC6C`p&rm!v6'ĺ[]`3~,@u׷ӠG;ߊ F,n$LkBaɫDۆ"nDʄ9T-FLWRMfd PG6H㲡_@GD3i2k (.g芶XtcA?yɧ0CEiO)Syz%h\1\nD뚍mb=§ /!W0>}47PozO: 6Ǯ(w\A*ӇcGXm+Z]E,\pE_`бM6N\{$| KI%uwgll7 wOx׽}w ;DIcݛ D'f+bTK =xWLa:UYHzjFSffa͋« .H;R(*p.b -ʤjzHɰ\/]ximb6H9-mmwu Y0 u[ѵmA/J/یb gY[Us9C#]"dr٠)oH#2W4i3 9J#y߬Odoi1MRj7EN۽]݈b7*]U߭ޓ~1i/lc/!n`eKތdhēŧlp]ϜRI|A"%&dUBzg Lz|Qb_y4s?0g_E|S \4[³C%i_iJOw xT/#i/ے;x(I#]Ygsx%V>}+L@4:vۥ)n PPB~X"*2+!"4UJr6l~$wXP>/=_B )A(!=h!F#2kT^!?N:PW 6 ]Z_*AR4 O:iF2QKdL /&Gnv~r9Z^V\%=. 
)"7`?x0j>~lћ+TDvOݏ7앑jy/Olk$A4BOR+}Kd @ɖ d4sI30:Z[b`[Ӌ;1+nDMb=X#BMYKޭ>Xk;Dxl6(#Q5Iv2:,wƜGN&Sv i6SBy,[lsGqf-la45cјmD7$5t55 0A#a5 n1(C\閊SqFG=izwMM9EJ %:iDGHv#'Ѓa!A7/@H+BS u  3-S*-LAg_L>.v=Akm qK'7Q*`C3[:x)]e dg16&."!;j3L*ʀ"ji1Sаx7J mu /nq'#:QA϶"aTZRmfiULPɔGR"@mۅHLIp+xy_ktZ0$vI=>kn[d+)oT6p_c'lwޫH#~B H< k}fuXxiKV7+^8;E,5 qIAF݆OSrQSRwz,ѕ Vef7. VԱ<68%ilbFm?yMfkbOEWF>5[ n 4Z:v0:C4ӅWLih6?!LXv3@>%sogّ`X e pR~:f4@*><$U"JR· n`1ZQr7IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-tcp-neg_16.png000066400000000000000000000016651303637203600226500ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<WIDATx\SmlSU~νmm7 SDȖ0`03"!?N1YH@ lF-vZn{{ɒ›9yO<='h}pGߧmF{CN\?p"Ŏ ]7~)D0k 8r+p`Ur$:&ѳZYcm5?]m!p2[h>`5Yp`ɇj8R +o $P̝5ϗe͜h(iAk6TC_ G8w% LhXIx<;ӧ1ck9r߶; F[a"o2DzaGzԹ=:FPveX71q-VJ1{R0oh5_k|lxj_ZvLhά:NMM7x".f޸ԛ LEb~Gi6 'O%v10lkjV-_G,osɕUܲW&̣AWp 56nb-G:Q<0i?'Cvf\<*VN J}mt}z"Q)HB#(PbQ&v-h]A9B0ekO>֞̍W?)~io6UJw]$AS1Dh㌦AEp[vODEtۏ$2({yERDpx8&?\F5#,1 ٔ\vim('E1b8rqZPQ)v62_NIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-tcp-neg_25.png000066400000000000000000000037451303637203600226510ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڌU PT{ ȲWJQi*$UFmm}hZiMj2vH'V:D M2R`b-TEAM& ݻʄf;s{wr -IH&74tZ{:w5[jOQOJL %O8+c[v{Ɏ;,VUb(k\}P32њcHҍ-ʨK|DvvbMZp:`5}x=S"w\O[]9`ldn>|PcL!`6:&gGC雦˸:?}!4WJ LSNt2&:ƃv\^ tKIl3fZ3}jznR,#7=wZRxnҼwW= hwi;^:O@W_popL*] L:S#tQ ě-$ɛ<&9ul[qTx?OYbf'Y/G,I2P@%/)SOVd_ƚԭPH%g婻gjd_Q$$@n8bTG֔@5*K'3 pM&*!Ml+r|NjP7jQ5Q]ղRwsOEac"!P4+יr7jMqL(1_Æm>ya ܟil{044+$NϟƍUWSNS.7JEu=@O" Ĕ&ؒ$55UUUp\zǵkTob-@k06zhۢdQrdض:DV~uMGƼqT]V{Ann.:;;mRZMM v>izrq BK0A *2f5IP]Xy:tWFee%-[Ǐ5:q℺c OV_cD2 ^T~ܽ@b Dyy<;w6mB{{;6o %e5F"h{GDT^+{_r)|O4y2Gs"u!3ԇ3nc#1iٮ aVܨ 75,IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-tcp-ref_25.png000066400000000000000000000035421303637203600226470ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڔUmPT~eeX&bi$mbTbSRBbM&A͘N5Ll1MDaҌD"b3UѕVXXeaYv]~sF-ޙw}99"g\'`QUiLnw]⸌Ig9(/9IJW4EwF֘*l=bS٣8>dKU$=VW\ua~?ϯh&S6lMa/VԂU?8/'kDZvidu6b"<^!WK? 
lo^#;/,+^ǖn+KK5/>T_NJ2TkuAV% |Hͻ`SX+Wg=S9rv'\µsxݍ>QP{Z-hSwԁOFNZv *:i U Z6c9PX@҆&9́tT}V&&'N@ H}Ct /rȴYMyvӫN1:ë(|ȧy߈S_*o7è[0E1L@g ҇Ͱؚ`(OJ8LMM[lI^$̓#%IVN'౑,TtjdV0%`V[v;ߟb`߾}07#(?-!H,祚ql:U{{;v؁H$!17ׯ_OL gQ̸!DN9jDUh%XO ma%ER^^ɏRD^^QQQZ[[cB6 ;_LE-J&v9MT<3 şqi":kkkC}}=l6:::${KA':OjS$1QJ-ԛ@nKtݺuXln$ceUYOzp:l9#qptЦ8%iOğL\.XVɸsҍrWsh*Fn|ޗ?_A >MKDp>U_3荘1U0 WLDӒojIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-tcp_16.png000066400000000000000000000020231303637203600220660ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxdklSeƟ\ӝ-]:vA.:tqu:LEe 11&"Qb0 BFt"&0̍1lJu[uii{^OQ?&'up,bkvL819 G~#dz۠$5˷WQ~?}Wmy_7>=,/r/:19{:4I\ۊ/٭o5)~}Wcux^TnQ/lT4i2(Mʪ]kRL47i@Vc&Ϛˑ@N1L (uB$Vm܌`+4awxǕwּqK6%wO×M(6de.bŅsZo5ϟMvPcѴ HO"?_}gS}XEwa 25It $2aρVTIF G6i Dk3!e-e<IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-tcp_25.png000066400000000000000000000037251303637203600221000ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<wIDATxڔV PTݻOvY`y-*<&4QƦҨZiکMG'4u6SMg|e* X`waB:i;{~}]mUtL呦OG2myjb{ցX9o%ҵd~7y㿮1Mi(FC<'ޡX_06S?]W*Xu{fG+36/}za-?a-xfl N |Ҽ*Oj蚴 *dr +mY?&׎4mWf 0Y(8ڪ{2y'RjNt%M˶ErJ9GkF}X"|NҾG>y"5[ރ׼hs*Q!upa޴PYKZI+"gMəOPDvZ=A3r2r](dR=rb7] =6 48 D7%b Xa~J"}ӈ979m;TؒBs1~P|2 jە#o|Y R @AA.6GE6o#O-;SSB$ 0 كgΜ}k/Җaj"=e&q slOHJ8гz?O앫-Jֶyҵ(ww[NTq" '9Vf701f7n40~s%vuTįZD֕~3[:8tLItr,|u1cAQ1*[O >DK}R$96ܼ'QXy-M+4uMnUF``BX/xARoXD: AԴ) 3a>W)pEq!Rk $F0OĮwO UFkkH*1HT0(1S/S)I #וKr2!BAN]"523,JHFR, 1GRJ^ K"ƀ4=U8Bʟ.5 *{(ijKIi R  ]޿MVWn2}?صRwsv pTY~/yMu3Z +eEHMb((D Q*-WI_fE.,lYqb S;4D5~҇fw4Q v%_<.qRHN@AЧ"/FO~:r(3m忎kc<.oQR%&F.֒L%2Z!A>j uR7P<"6 &u\ fTڻP ~bmA#=KᲕ@o|*YF)f}~% :xIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-tcp_64.png000066400000000000000000000157401303637203600221030ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx{ UՙwΝy A(Bzb+JƐ&jҾtLh۾NԘNH&@b"ADP%U E pkUwoAUI/Gzs9?کii8 <5jg^%~ $ۋ#Zɖ=o_d3TLG&B:BSFjx͏a/Șͮ/|mV 5~hID0d:[~ թT ;^ogEsv#J3x,wYYYgX1G x4tԢ hTb"9wQ󾋫w @t뿆u[ A񧢢H"GMuDQ*xk+On|k97zh;vh7o^,L_1'#ʰpj}^7{̘1pВA~*Ga"\1V7ns.Ns??*{i:{ɂ;f 
ٓrњP"&,Ē27Ўgaj46쾷_EH$"IN6ﯶ?1٫׬Y3ֳhyR=[^±ݿuZݹ]MMRoz]t1`ZZ??{iӦ}=!ד{|MMMX8Ԏ@Iw6ms1ٯ/sz>j'N\N%ۙ -Zd g@Ǝjl ;s?Hw3uע8\ESv{i2k.]z  ^1[| ̯|A5]7i Ns ^>+ >г08dI7P 3D p߀}5< 7 -w+=w߭/{9r_{cxJ`!>,3vzW 鰜¡)n=#YO'($9CN+_K\ =''&6X""n\ӵ]/) oIsr-_]%H[aR4whH3QR089~z-%׹n񑓰(:F`T(iNVǶ?L{{j0t=+_w>:<tP'3v˰㓧K ERLG?uе|ᣭ;vݻ0gm`'Ym_>d;805˯\0 &:!0~aggr;.x.e{Z}'k]bOx brCzG`g#>IJC.=~nN,X@ #E[{?+W>͕~I$a\\[(ށ^B.Lƒ8 FCϾ`u]lբ yimn̶iŞ в?=Gyt†kg"ه(<`ڷ6.۹obiD'R&y;6|tvveēhSkIv__ >3:>6Fһ|а>+#eCË<s1'R (@$ nk]{o]zw;|E:6R=t&>jNfմtxoY@k|4f} ǔȫb>9J/ ߂ !$S?Dw:]E7~cs,gNEqe®nSԂj*C+ʄLRaqhh*XDQd3`e"_%-SDwm8/jiX`TVORp7'bhdpJ-PARuB!q"xW^/"y kFm'niir?ƥJ^"y/7qǓu"嵣8L3Lr{=G ^Dɠ AO(ӑny*4LЋS9ڸTKӒ᷵ 8_< 8q464snleQ!3KX%c ºfr\7T:݃Y1N-7R "I:,Oi *Ss^fl8=RDI<"N}K3PLqP蠛ӲbJQy\' J-Ty&XG~]݀+a,`ҭ\Y[K@&^Djh=!"8}|/&Л>%"  "8\.G2ΒJy5s;C_w"Xy @ZT֖#mFQœ`g,AVp6 J"9X~lzLpNcx*A[<͂0P(V<\aE5gcЃނ]"$=IJz+/>w{ĺJ`47ǵuHaAObЏyDoV}&`&T| )NEnR`=B y-)! cI8v"+I ǎJxaipX5Bf6^am"DOQD|yR/ Kw@{).Ӑ?QZ|HRa#S)Q*ʚ$f<XN~͌qj8P@ l^"]EAP$}i!k+C/6 #+ 3(**298m?_59'x<&^Q2h Zd|/O,LZ/[c`7,k9{.ôl([bicw}f0L*7kV3!!+q"WdPI +e:L%t s:c5T: HChM N`S^WYhݒKt/  | ]J^BY4*ƗDhY(P(L O+_QQ$_?P!gd`BM;c称A`G8OnT;MYe6͸>™giWi i:l{LR2ӭ(N]' GVFUs?ߎĪTW!))Nu_h8k1@>.CӰcwhx(6 iE {uD&.POR .Ors&"g7Ca+f+OSE.AGIo:7J I1vX;{6K ,X' c!Kf8Pm=cLb:"ľ|QF*yr}$]+$ :2,J=IjUt) RArw'SDwH5Fc.dxǭݓ0r:C#OC@p>L|[FK]([%~]NbGl*~4]&b)FHIv{OIAMnKYΉ2UdL{PVUh)+Jos!wRb^P6N[dy,S 1p҈BOlЂf_R{x wJ*8‹;K:LyF(~M6rED%RB͟?ګb^]Q6KC 2z۞c@va0Fn[bEǑD"(@ $Z?3YQTlэBElSWޟ61t4ʲl`>|NSňH&TA~\?-7_O5ND#,"##7D(lnkIñ9'@R:zN`Fu="`-Q-u ;ڷ^r#L/Dv D#s<<9+CYQp;2s~HR}MrU6~hTRgx\,n|"%cM4 )v)*E*c6o"C"3#o㺟𨀢 7ns t1L2bj$/ je];wYCJH(ސ m@,eX:u,D,HT6.O\U?v<WEJH\ZvxM'P>2yXA {O㽚ݾH[x5C/ pmy3BHl*#jWf#9*,̗\ ,CŴÞ_a=hT![h m54Nʸ~KeV'p1=l$xD =;.'?]qߛkMC8$Kȍl":wS5}N ,a j*ק& hi Cw)TV:Mgx37e w1p02˚5 7oB՜,xJ!v|@d&UL0#Ki!Ճ@f \WEĠi];ۚslPb|, MUhCfrk@4}i/)-H@ t5ZUT. o^ԍ?p >h ; Ѥڿ`gg 08O /tV*,3 ; x I/& N s@wSׯz:uh.g,7? 
ԙ IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-udp-neg_16.png000066400000000000000000000016601303637203600226450ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<RIDATxtQhe~.w]m1W--`S:JkWP:"2EUh!"LXS6nII&5w\"L||~˙)C<>׾?R53K"ljtdFPOvAd=紋$6E$Gz ?^R8Sq| 7C݈DEAxۉI n 7fm6<6sWpĦݫP}25{:TL7Y*xh1sGNlz//y?t}xPnGKv2Wygs6^.39t]h3@4kGa:Ye4U:xhSӵ$ee eJ#ѵN^]$ůOC+JYHXQ9GM<L`'aU m4,qz t3U"w{ܩ̮R acY;KDBȿڻEB7sټWO#[L}"Ԋ(_uzFw*yȂ/lRxU^qm/^2J }=3j3 0۹6>)."gV`D/vAA-.-dXҟ s)ǍQ  B%0!`_IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-udp-neg_25.png000066400000000000000000000036451303637203600226520ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<GIDATxڌU lfwgg^)5V؄@R(T PF)P 9HF%"Jr(CI@ vZ]=fggofUՑ|3OEasĻ;>,)X֫W7 |ܗ [K4T9#źӠ်pj5g+_m#@o@o@7)a@UѮ}gzI"\{}$ 4/W6݌ ;x0 ޱIqk(?O =ՎG%Y,v/qsW뗷 j3-|kBR[DӐMk%0P;818屐:w˿8SL }@u&0*Cб+Mv>T >` z?7-lfCVZCcJ/bZeO1 MP:˕~ !6}HV.OpO1w^ /s裷'\uY>I}zg0ߒ ~E0EIEWۺlHhmNLļ]!)eH \X\e?~yüy6BA(w`Ow@uj.o~3/U7:}ax7tGmAAn9ᵟaf'dX'0u!&_hhzܜFOܾ[ \?m0`tQ[nth]QTJĘM-%)>gRƮ ,2>,2O:X:AbP2pIfekRp R{1㤺!`N :u*K+Jج?İbDg#0FLR+v]ޠb1/AQ0<9ៀq-ۃ,WktTn=nNŌO>y[1b2x Y}I[/Mg^ =Jn`Y^hn?[ln e:g%0]`W o>(11s2JN<nr)zTwhkBb?=oR>>/=IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-udp-ref_25.png000066400000000000000000000034361303637203600226530ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڔUklfwvg:GpqҤA M4@iCi 4UQS* RCXHiDk $ 6q^{=yL ?+;{{{w0^ m ATU?jd_G2+ l9η5ku~0̅|,BiaًoqҧaY[XQ96mfˏRCV141}`0Xp+šcf6s\]R_KƏ Io߃ka$C+{ R_>C)IX8Mw4m4WL-O^Ƭc1+xA"Ҫ֢mPG)yd6/G' iVHe'<loP+EOp აB\.Fy&{a/ֿjC/@wR+W o\7N MNs_k ur[΍߁ZC@D,bFK'dDzUo?jXc~õɨܝ )jȍώ*P[x=|ӳ1(!x8NDtjx+X M1ݕ%19ãhnz:_//rQw'btׁ> ~NC 9Y6|x#j`}oK>z 8B,Bzya3*݅ W1pƑ+0m@c+0 U?4#&%$}DY*/R 9ag2?#_MVc IرcHӋl7` N ;iyʀNNAN]v|َ3 vuc>NN1cή }o0%Eeh`pIWuh4YtwwcΝ2]b(+[E))rZM_,s[tRsbގH8xmPr槁ڻm e̗RXFW7ltuuaϞ=r0dMoo%͓bv=K$ ʒzWhTe,= ciU]---FMMQ}}=:;;cҭ'Z[9Z)T H&]hG=o|e95\] 
R$lIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-udp_16.png000066400000000000000000000020211303637203600220660ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxdmL[uƟ}뽽/m.d d-B&&Q"a&.K\4}1h @l7aي2$+(}-m߻Ϟ|;wה! NxO^XTf/G,}]MЩ! Ԭ2/Z@bͭ]wJ5e sofKYƦD^l2x8yWگ*;>;e,HeTjsHeVO_ #]"A$UC%,appC!Ϧ΂ty " f\2)x*fq)9ͤ%MOaZY5b"pۜYbǵ1;/3Is7CPTTwƲfB뾰_昑 jA:tW[ՅQ,|s.tgJ?5X{K3f&-~r=p-lɝX_x^ +* JU82aPɶcLjR{8p\ Z Ai"NY~X(ƀaN2z&\s{fQX䪐rs.9cO~EsΪdYWLH&@Th\c"9P[–O,uϦ%@0fomOٜFo`8Pzx&QQR'\{a}lNTA 6Q0ZX橢Fff(&Nn9{1ZԠ(RZw *r`+x5N/,MzG§ImjwMSc8_sx1bIKYgjp/$Ix!5J)}i7u#r ' gF7?]SIENDB`fwbuilder-5.3.7/src/libgui/Icons/service-udp_25.png000066400000000000000000000036241303637203600221000ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<6IDATxڔU lf=^k]& "  JɁ6(Ns%6JQsUV %Bې` 6^zYn'7c;EWչͨ3.χpg?^]ڡbZ[Ձ懄)s?E }u,NSXSZ~Y1&i @bĜʤXS2v^k8 㧟>qݗ_‡_fCdjG>Y$I,˼JG:{-6-yx2"FbrxU12wLо׿P<:[at/J-dZD="9Zs`FtyGi*e- xB  DwK$Z3[pulP 7hzT(B~;Zwᳯ- BAw ;jmȅBQh- qͮ7XSW ҽ\7F ΀8ɜGSe3^)̨G#P}(*67^ <{7 69u_H)'J69^45O Fx-xSGmO_P@2{zp?ylXȉEND9 e{_lHCz>~6m(٠̊(]''2 DNɜ92۫cv'0OD&VA17Tz >=XRj <:[(`.!ɮO`Irܺw$E`#o'y8GЅKrym'̥0 {1<^W.ܐw_l☞c,IKS8s$ *Fc̰zK_N*4,V檹'އ' o^M޻Dd3UT2b~ ΖvYtl  8WJytcLiaeU@K5Idcְ$BQvPA*I W+qT5jFDžol$$bdz.SVX߮E&i*4.AXSl&rvk??%*m JjJH\8Z=âZstul[Dd TpK?B$w+t)~xrFV%sz֐(z%Pڊ>•}RKq"*|H}_"S޸pO[J;<ݪs}XwR!KsTkyV8@&5(GJj B߆TtzQV/ڎݟ},V/^ދ%6D)3Yʋ%<`Qșܵ w!s-Ĉ)FkG(؉ȱHa9iHU~ۋX&vW$v>i|dX;3V3ٵsR)tV&o66GA 4IENDB`fwbuilder-5.3.7/src/libgui/Icons/service-udp_64.png000066400000000000000000000157061303637203600221070ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<hIDATx[ xT9O2@ KmWZ R֭^˥Zں WՂ-mL2d~?MBAϽ333HxN$inY.o Zlcw1Zk1ncKa]1G1L eɴfR8i|ᇟ~ꩧbƩw57~sէͣ˾ӂ"bP,Dfސ8Vg9lwiblcmYTg 09lIjSYڥ7owinxd}E3FCIYYYn| bH'k;MTL__#=vGwww> &=Xz9|Zy2hF'pEQǺ)"!RgȈ,"+H8]y$cG}X4W]J?޸㿦Nj;KK~{oy7k 4#qiȑցbC%J&:_%Մ>O[:mX|`rxoG־}J5jO:9ZCnj>BQVyeVz,˽TdϴZ%DO|YE> !zeT_6?CUUU.]T7@93iO{8xN7Pnn.gI0> ^F&38ʞZߨ I?~MWYFڴiSOGvсL&ӥ|ˋ_K~q\߻piI"51Jr9o!#ɑIl$O u8 2eJ+'}6_>Α _q5|WT_`}B~/I`.e=13cÉ y"-JIRFe9TQQq 
b]=spĀ Hykh_Z lQz=f0[LHE $ M!*PȆ9H*;"l sQ3[~;=s}IPqASvئr kL F&AT쑒̲/́2ʕ4`^՞{*iUy_^P}!mݺu/0+״Ut<~Q'sl$́x]ޭ1ÒI?np>v4^9~*#g_3ܣq{q}x^Ns&=}_h6\*}4  ?ixk;p|>v{qmS賿_ 08X M(<{<]~Z1bPQDe1хI1>* iSSS{CCC>g]Cctb(Yeødd0=Z{=bX3ԠE7w^uhZkK.B1FFH]nӂh΂F؇' 󰮤G 9Dsc-[ny,JkWyo˲4w/1B9aʠj;];L( P9!sxD_»jze֧3.g u][b@zpy睏O?Xw-f;!qc=~繎wc+JG>Bc'w;2!@~7|#4XXc]#1OӑVsyx*,+k/O3h<'W * Ҍx#'xcPPsSQ:Ctp-#[d@Rr$N/bѡ5T#mT #R)n@md"AMg]J$܂KrB -D3 W%"$i@[zwOf?MoS^k4fB VAFxs_!tJRT7K";P)/s,X`*^ fTIR*TW#uOE&bawۭR^̰JIpe#Q `, Iu)A(T~1 /NTpX!gBliH)Á(DB2INj]Rc$D*ÚJԗLi>;2&(mD7L%QAT{HMaGΎonZ*rvւ .kyO$}fXdy- ).b7a5*N) n~wCNDCz^Ņ1V0zEU+ڥN機k0YsN\ CrgXi.}Z+Ҷ3BƇ|7sì?G arBΒ e' Aqx; nՁ֍I$%4/%9DrY&ܴѰY"N$8v4f(+;t`d,r^|unT]BGK00Tjezf4I{ &z}Lr\1I6@ڥC4Fq}'WӼ *jᱶ(ʊ#0e}Guv(gﱝ Y6A,ra!8"2q~oEa(7b2G4&Ө`PmHդm[FC$y$ap~@7;I=PhBJ(S 'UpQԒfU݃s@ "o7܄T3S 66e/WфN`=b8ř7s' M-[Fӧ륭`BL # D vSÜ*J}x@C9e<1^[%,̆FQI1\k=IDл%D$`쳆ѭw\g\Ǹ̍/&Z= G:p&wŔ: +3!|FA"}4 @Y^l8YjK ,xu vyh&WγrC2X^ayU40w?\$e݁2~ً3ўa]4 cD,/E۶"mPչ坊_ >PâխD<-*I9B٪S!y#Hq-r(P8( 6.0HW8PWt6dwЀ]~-^!>oGӌBmTTT #hAYTBO,r+^-v 0T`S GL.h܏ H8kFmgp̡{C6̡b*RȲA?8eBqs^77 m?7,!$ R|^U+lsFf[kMի Q@tlQ a.!ײJdXW1͉ǭ*-I]_p`6qfYeUTTJ0%i/DA,!҉d 3lFg,YEPXOdp =ޏ #9 X1 |sc>Ot+ѓ\#(d46]sqaǼPYm[taE_Ĩ@C-DЎ4»J07ǩ B'pǨ;{GӉ6;fyq40 Œ0rאPCa9Y3@xA$ܷ۟qk"B#d ?,6!rgaQ%UT5 iѷ7ٰtA '$YR ^1?3,mLs 7JjGE4̴λwsr9lFvB10Y@?f*h]-[rL!!&56 mi1Fר~tYayPJ%*:]l|ĺe]7m0%b،Fqb&!Bb,08#b_*pơj':^DAғp9Upr4tF8E2hp>j2tSM9HI O[A Ef۪Q$H: r>Bu-s‚x~N^RVN\6)> -s#Ton:I"^aՂ #xS<:,I ф TT^"E"M @*¤;;Cc5Rk6`qr#tpgVd͒]I.dD[o`n>?8O :XQ '5)W/T(Z\CߐTsJSK?or՝oP,ډf(:B 6~xuW3+{Kˈƭ .87 gzɺYTF-m њ/KGHg(6f7C!42ca-#$2@!,4|L̂zsi4~F],Ԏ8{3Qfy U `L@j(l<*B)1)Q]6[W!_H~IaQ.!Ewelѡ{F3|#GCvE)MT w5bx-sQM= !"9 +)vPRz}tg/_ 7Pዺ#SMs#6Rn9hxFhF[H evHz%Xy5Frώń9oq=O<Q-?|n:/A9 !;P-\6ڍq%ogWɾ+V3$4J-p*l"<<۠ w[lu : ,a m5uP1`Jv`?'QZ>HQ]&*~  UMqs1o u`vF4%z|;y*uF`AހxPL~yxOD= Z0 r.@ŏ%ЛchX%Cs9<TW{:54UI(<{f')}rG4jַȟ@Jk!HneI镭RteoF & 043-huQj*B)9ں*E^uw{B _'J  d~&? 
!;IENDB`fwbuilder-5.3.7/src/libgui/Icons/service_16.png000066400000000000000000000016731303637203600213140ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<]IDATx\S[hUΜfY4ӴD)F RTE K# RAZ`_DHQ}VZ Inٝ9=R8xp_\+?7uC^C'ln?V}UoM˚BpUtBC} *н_o Y@s]{ Y7~I8Җ׿gg(ɏ{r#< A%8U I}cW%#Yq. Bg< $1Pn)4!/Ψg_INd``_z iwUXw\PMQgdmi2@([C3Ip_ӁCbs6¿@tFڟW٨kUx[8Rywm<5ws8D'#I'hКriá L ȡIENDB`fwbuilder-5.3.7/src/libgui/Icons/service_25.png000066400000000000000000000033651303637203600213140ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڔV}u~~_wkwkVjbJՐ@%&DMK4`$[b$I8TiBzז뵽Wvwcfwfw|g7^jC lv~yywV]+<qEd> n,{'K_~˯JMiOO)=2/ԋwK}3 ԰<%|bƘDԡ^<_tu|S{m7c dL||x_}КMpRhK\>Us׋ R2Kǯ R/XsOM]Xg7CK M8&j dG~h)qO<䮭`'Ԑ-eA@n'ksdJu  HgM!2)Qp$Xkh([ 쑆Bg%Y =J;=p CI MOc3vhOXw;BPM>@)QA#.|C`@ )F !^@KvbtOdx+.ȼYk=wDM"PKS՞DCD_XD$A`ǡiM7}k$ӻATl~$ѠA`_8 *<6g l . Ź-0HNc]02$t$0(]w?FJ.후"*[$>e AH/#ڈGBoVz%}V d^DLГH̥elغ]rW|=櫗9zKȵ%`VzZmG6u] ,m(%ajZaA&W$d ՖHn.2I@U09 EQi%uĽϓq!%. y&\zsm[Hh pl'RiZ22c`VUL]FKm èhY>U/t͹jg\ydyiGTj'0grB"> p| H @܊`vƉ}Jm?ƂC%ߝW-q ryNi[=KtR( U VÂU5+/saih|wrG{Er\dO[+,.W^4Ʀ_qk0Jđ|Ο~}]a/,I1= m8X+d2c2ze_K_ IjFb~xO5kc& 0y @dgO/!E2JQG7m9y W/z9UgC~z B婛5%$,0B[:IOKxI:@+2a_Ndp9Z5^x9n98c6v-/xs|[q:N>wEb\Gc{I}=n8SE9>'^=T˯;PHcVwmƒyщk[Ƒ߯z',ws\ !7?w׏:#`Q\4wEPJkKS\y2❇ hF݀|+duO:[5fX^6JQss)8[v/&OOՍxx_(1+No$^+ 3B;ĴNv:bGWLH(lGƪ}݂E hylٙ^J^xHg,_!әŪc;;1ǕZ愱,.L =kށ#:fwH:q~u>d:?]iR_8':%dB%u ]F%zL'E!1OGUTѐEfy9'uh(xe!ŬdoRba)$*>:VFLٓxݒe/TUIL9Q!砂}#Ed'˕t|V*=l" WwrW~-MؑcU491d+5_)I]4I/#IS]8&G`tSͭy&`n7aI3>~A ͌>+v-DΩ1O:@Ho-xI59Q fc fBr AGAc-`Hhk+f#U00~JK)r ^|"K+s8q5tII *ͨ!<ě =5.. 
{q*RMSE*2:$J#bj}:I9ĕDCT?ɓ?e/PD9O?<B6.'?YyV>va7fLg6>$Fu"T^/1;pT~s?^#s.3 %ؖ4?d0 j=!$Lߣ6$%xIxS.Μ'?7Ϝ7=&.nN2DaX?yUx?Y]mʼn86 Đi[};{n`ޯ :uD;JhhR'؆GuΦYlF j<;.|B|dz@nR!w54sU O^cW+!D^* OOԍ*(]4H iQ}#ۊ}v}z U/c{o>hM}YXb8+ @mVݢ82>4KQPI]7RVe< += פ=j-ѐ[kuj7*pTzaVH24/JlMʚȊΞP >O4v\ J@a5Fs V GitPas,<揮&/5 .w6k4c$KNz7(D\3m8sFW҇Eڒ0;\U/T:$DEn֭ZVnp,p 0)P $㌂y@\Wv~K%4q@ϳ\Ay(DN % < Vj_~3fas@0yړ&8I 74武^9j'9LzL3J`欎̓='Q)45\@5Φn,]¼hto%?a;A"0.y0yvS sMLg' pWe>O RP視<<$MǭvƶQ $\GX,rPrUo qLV`қ 01 Ze윃 }ZoGT$qDdz;<&M-nުI `͆v-/,EAyH~ yH|7va009B4b&14~ӎN6ږIWoB. rtG?#ԏPi.a|@LkKyrDb/a̽㼹Yc+8 mx-7u~G{19, ",1('D N('hR3~9>_6ۦVMUIz6jPeN$  "y8GL©;F ~>5gƦo;`~ԝ[V#j9!wk^jUH+8ҜA3ʣ =SaE"-pVG]tJLkk{fnςni.sU8iiXPYjOj1Om}A˯^OsSJp'CyqXJGeغߋFI-+AA1-U%ʹy)@14\QNJJ mf!A~Yr0$)e!doKdgr?uD[!/wEhA4!!>cA0$}cq_]c FHQ.ʳE)IwC ]&%7:٬=J' {{.Tx*EvtO-j3Yw[pDmnuI_"y,M7:gIzSD7B΋FrAR9,:YNGES&e(c&Pg(83{ߏL Z`W>7m"]mcS NWFG/tpF h0[tګU >.(^HR5/\]k3xDgixQ%lGŒYS:Rf `{_8&a5^hB,v[D:8]ixI@Z{D^F22K>'!I!$vh~ h9 Xffu~pw SrD9()7H{H8&Nk~\{AcrSϦE3eV 71fex1B ҳ\?bf ;=l-?Ž}An%6>v j&C4o\~h|oi B,=89aS RKN5/gI)xPP ͡M]/yDTJh9ؔ(ǗGtjj4:[i+dU=&XUӓH"MIك^'AŜ\$^.ʯxuJT.*#*tQT|*dmIO.<'D@gM"#v[12W`h+ʟ0_܊ N{>@ūquey),1= q+hkYd&1JH,{zǞzK}WXGWg4R3P[Gaڰ L|vuH!$4g\ zOV.CpҌ Zҫ'n/JTO|,Nu7ݥ|9(j ꉷ߶!B QFK4,~ PTs\(.sH-VqAdĜ(?2 %Rm,ao0b^U 5|tp2}&2ɖZzb= l[om R2lʨ+ U'bckQDs4 Y5aD_a p{hK@n%A\ڍm!]jꔺvmZE=T~{ st$7!zF :ӗYwbNNyE_;0IENDB`fwbuilder-5.3.7/src/libgui/Icons/state-sync-cluster-group-neg_16.png000066400000000000000000000017221303637203600253210ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<tIDATxtLU?y{W,#E$`ƀ+h[6-mV\aVy]_nn$.]2Pq\?99y}yRjY:UkJPc%EsI,-ud2!À`L.4&0 $exMǭMzP|̹1Dî[НAS Ch1j3L==Ċi7!-k*H3&-Lwz_ř)eז]SG׭DvⴤX"l}}P0J;01gGI-ϯwpjתvp9a3gHB8n2vD,WV-=Cwwyu/r +`e~pp豧ȑUs&'kpm|E-|yU64T#U}ñJy3*MKf%l6Yn̢1gǎ5{_JY 0:cs:logrgIKᓹ5DuS#?ŵ1wwap+W?K܈ת RKT UVw?:D`d|]-ecǨ,4/sd&j.׉zVfgIͥaØw7<̂RVdgh6HT늋,-GEK **]'ONJ;/HY"]?JRƋ{{hKrIYO75h0(E^MlBV~XgSϩ 
0czIENDB`fwbuilder-5.3.7/src/libgui/Icons/state-sync-cluster-group-neg_25.png000066400000000000000000000026751303637203600253310ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<_IDATxڴV}LUes\\.a$~Z1Ypt)rԈJcc!47H0Td~1k DWA ~q/ܷ9K[}yy>ϑe%*$%&p~|A+22eȐU xC e##,b'+$c vN6j ,1z$X%kHL+ݥ'$~" rtjiўuHà5QqgWYUԓl!)t3( (Q\HbJx\-\}ːIGJհ`7j|`uR0eYpU|N2ݵ.aMO)8EXx.R}P"`LEU"X{dnPڅāڪ ) r_·:,mmtqWvě8NY`Sa5Mƙ-[9VС; 5[w |P(8s?"E4? n fCM\#lʤf#+߲r(E7ok%/ܾ/ġȚ'@ďKuRS;ri-iSfI3-W6u9Ġ%ET>!N)Q }Ƨw vWW/r O<ҥj}~L:l 9$ $mߋ*(guNږu`1{/k߰JܒS# _Jq}|`RټMUwA zmye9;v`#<>X>w2&!> $;79/ KTVYa68]Z:.@Fqq -צ$k6gMω3fCc!$bqVT),[Y,{PBYY%AKnWSсГYbR_݂yDGx|>򽚓"c|,S!D:"0LشukQLr2$I2ߏ**j.u_ڳ`\g$|gp0:rLIENDB`fwbuilder-5.3.7/src/libgui/Icons/state-sync-cluster-group-ref_25.png000066400000000000000000000025331303637203600253250ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴV_HdUs8踺Fb+ 3(!d)a Lz1쩗_зLl#!m[]55uu;sg3P ]~9Ȅ]\>%yO":iE2Kr9@Ӽ\GKۀa x$-dzx T=K`t5KY2"mW|&y H#ϜƖ=e q@xVި7x5<ԿƱk0ɮW OiM*Lj eF}2V z eI0Ite"ʞ* gpD.ك==^9lgT$,mc mG"gę~ QrŒNC^"C aIg tp}ZJ,c" ؚ! i-OC%aV,߇@y\AOThjB,Xꡖ J=rs"9%[.Mp`jՕAjϕ߭$q2 Ұmjfl]K~ܩFKywi1:GCE}DSҙP{v$Wil6=JMJn◕)Ԧl|f8k1|hV ys5C-BQ[z.Rl{(6Yn3q-,T}8[h/( %IA^]\IhkkCIIɾuѦj\lSڪo^ұ]Nptq*Bgg٘ۥYSB,4]̹x2@6 brr@b=Znoͭrs,HK`P÷,zzzP0NLL ]XAZ4VFNd 0OFxEKQtuu!<cffZЍU'DdÎ-*o0 ^껮-R$D 3?7 )CzxԦ,[D"ɦUAA~e?%&YfuVZp3Gs:Cuץpkk+1>>Cn2͹֓*ϔ[}֗bPJeUkww7jjjbf޽ª˜6+g/.ɳ$,/ώPd܀col eIENDB`fwbuilder-5.3.7/src/libgui/Icons/state-sync-cluster-group_16.png000066400000000000000000000015501303637203600245510ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe< IDATx|SKh\U޹LM'5NRʹ ִĔ ,t]w.qP+ >؅PqBqպ"`fdƹs}Jݤν}wG1$f2@3AU | `C |B;[qnLB*pw B aVIĥmt pv]THb鿜-X|f)0?+RDuZ[^(jktleRqZjA7Lv!HmP /I%Y xFe4w;*~l +5'Sq1خ1$Q"$-q&0ooLN)K{Z"ônof V70t9FdБ ;e. u:=XSMLxWH#Y;@GFG0XVXB-߫(-n"=]cBC<cq[vJ^waY.<"3HX/h[,< v=lF+_qtQ,1kΘЉx9\&F&v -棍o~&X" JNЂ.ll#;^iOK-uW8wK ;rCW>e1zo>SW]}# ❻(L. 
跄g ˤSiQf]rlqmY 0u[bIENDB`fwbuilder-5.3.7/src/libgui/Icons/state-sync-cluster-group_25.png000066400000000000000000000023371303637203600245550ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڴVoEfv?ֱMATRPS*7NP)\ *!!@ "¥T)jMDZ^{gofבU.n#=z~oy7A>sla4B/lW?.~7#) P^ڠO=6ʶ7pj3D% !ܷ8B9ZcomG|A.I.'%?ܮBBA2(=AG7ݍcsuDGOHRQ$- j>duD 5sH]el5xMP*ӽR߬#HHS (OKXz Dr/H'5D5JNB)JV6!O8(2,^I Bl@.X 8f/$''=Jr~@%8]92GY&](áվTVvJOKd{ȵ 5p.!ňBtOIF:* k%_;btBUHc~d'{]k5W4x+=JnX #daN#=I-Ȭ)sJ5~ILܭYbsj, <'7 ?ss/μB+-⡝M>#%8ME}d5A_UBLdR;2Xɡgo3;fmG#hmkE*}{/ 22[s&Qgּ|Sz9^.n֮gD~v] GK2Gٺ? ;ӗ6IENDB`fwbuilder-5.3.7/src/libgui/Icons/state-sync-cluster-group_64.png000066400000000000000000000123451303637203600245600ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[i$y~:ϙebwYY`lˑXc'$R#Br#Q"琅E "9Dq~D@ w!vcYvwξ_UuW.{z޷z#=~GXаbB.GW!ԛ]Gm?p؜86L8 ,@@"DNLXPGW Q~<[k($fˉ>+\`@}de9I B8bq,J߼A;R<&bG3*z7c( 7KU7KѼ*D( #N= 9-bCorǹۅlw(|MAw&9;G3;SrФ=T'%꥕`v1&9ݵpO@kNAxG9f}zͅQ.|3kS + ?Ek`% |w)t?F ϋ5@%gN*h^U7\X3-gz7Ru pw-'wZ ?f/jɌ3}S(ʳ\B-(Cm<,@ꎢ\4z2Xj+aWd<3ŷ|K-ѨVY3 .qLu`TR^mj9l "8l {b;j g+pE6^o9n3}VEMwVp5lK +-,wYSxo(@#qt s̈́_ra%_kPx=fZ͞\V4 HdJ=#B yvEd1OG8ѯ+Y,t51hxyqqCç . In w,ʢyѐ"V&P0qkz6 UV1ԌsgMdj }\|*MkAY)'f),xL ,弇div }Ћa˵[VWZB gQ1hwuƭ9i]VffYgi<4ya ,m5NQFHL#z 0V-(̊',nYGyGJ|{KY$:(;u*7+ϔ$wA*sɡLaJx-2]ML2[?z%'?౳bwuKynY^t7es~ȃi3] Rӻ=H>E M'cQaq#(5NTbCm禮uyFs7"=>-Z>y[3_PJ[IFm$dֶƻAxh>M:ۿяge8m 6Ŕ]xб6rdC`=|Ԛ`?JY^cL㲎pt%67*bĶV哼h[IߩЃ`a5g`es̵hU?'Q9 ?W-7Z'eڡvVy@kTZ*2 fRn1Гd+gʍK3x#&A GmRt q:«=qot3:^sg60<X {/,x'ts/Mjs^gbِYu^)wHhn+/u|-%ED?CvH xuc'be]+g:4,afԌ1·$Mhs&:CvlLeZk/2.^e_& \q:f]SjƜ O?_H[s,fQA#h{A?GM˶iQ)OFf~WzOZ|6m!(>FsMl8/unWOH4;B달F'm@>^T\H} _1 1f4Ɉhy=u9t$'fb̟g` N+Lٺ.-Q0ssQnRb#xj36ZaH>eTe/ ȯ;iUjR* Fт8X X&1Qe 1!SͿLW ꎝ;τ[3]F(㖎ݞ A|ͫcqtJ&ыMac5a۰\󁰑\EWT-@h;&e EK R-Fkq@LxQ}ݯ!˹tp6i9(7L0`\cYWxݺeI ʼg;ot%[ <%PBk Y_7JL[&F0D獪b;Y נmg\`XOa ?OT*_[ q__JP!'`a=aw7ESOS)nUr< 1ȳ( .1 Zn\A;!Gy*!h-@,&YcZ]gQ=)*l€8Z/Bs"6Px.rqp~Ui`iCM,.?@,ŤԤ0C){CkQx+|!d2raPq%tiQYE z@ r?8JWxU콱˯VU驋pX*FXg $1i1? 
`@'`s..N©m4W;=4ʍr D񧃅m>cvGj1eX-'Adǵ/ Bt45%k=eM>nK^ Sw2\-:bT@zQcLSwHcŎݤFPhDFB?Kjp_tdt /8_ euTA`j oMk&zBĐ$"NNo~ u3n {Y!#w^/ꜹp:HP7_;KkWR~% #~=5ԪJ%~lw^xQǏѩ?yfBnM~]3uGxAWdtdZRW-AZZ6Q GJիdfp6&P-yWhp}ٍ͢g]R)J@ތ^ly~>]+S?}IENDB`fwbuilder-5.3.7/src/libgui/Icons/tag_16.png000066400000000000000000000014051303637203600204200ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATx|{HSqǿwwBԉ0fKe"$hD$a aIQ R_0{ъP#0 2-HpM3h)91׹9w:aI8DD茫uBYkt-gd 1 TTӳ#r 28ze)99ʫ,>d+7̱KSNb|8Q UwscϯA+~zOvhwX]նz_IXW_Ѷ AFX0N' N-xjJsj8/97 vKRW_D"[Cu9\ xH3CgN Vu@Gg{q2X:{jd/gEqXF,=>&2m$X .F0fYBH9쁌UcWD ]u`v}9 t?' Ǻ=Y1`ʟRE KYh8#pC:\qR4vk'ob$Fma~&7]O#9$@EGbVZS$E"U]!#GK,ALhbߌis`.,$75,SN_=hT$j&BAf@, ЬY<V܀X3 E+Vx/c!&ȵa0Bu)$QKp>p؞~fG9R$&3O7Q}cШ(Lr I(=H}y 5 mm0+GC0]ΆZ \&>oo[ˮ!7^P X7݄2bWRƗ/R*v8ۄ!sfMp 6ܮl""rkOZ~#_GW>y/J7;bv& ZnTat0Hɸ B]| Ðuq(zGΟuPFFU[UHZ> *vp!Z?L%DTT *y;[>֛NT\-eD(d#1M:= ~ʹv*h ПA^Fc){rwT{H>y'U S [Q6_ RDUG7?ҫҗ<0w|2Ff`[EMjB)v!w(%P3`{tw?E$9Ư>51"LP}8D twB$W~볏0w?~,Kjo)ar+Ir5Ys9sz| aqzG:+wsR W}õܽ$/=`$N ォ(9\v,u;M_H k7\䌗(y̼wwww#L#T%(XIIENDB`fwbuilder-5.3.7/src/libgui/Icons/tag_64.png000066400000000000000000000120231303637203600204210ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[xTU~dfɄ $$B"e TTXD`T_WW]]+VUE*T슔 %Ld~ߝ;73Bx<ϗ{ۉvr)5 ]TLC&sV8-n=Y-ul\':tӀ]Y-J\A!@IEHeAv}I.wBs g'p AaݍO8&q ] $&hڪ!B0R@`c*VN.NPwM't5ywb`w%Hڲ..[S\fK媩̥҉iRP'x HkieD$2ezы<@#x"=oxt'9zgc/.e@9ʜ"=V"a1DiQ_DއOpl[PY+@&P{Ep*vc2#:WAf!BH {u!}a"Vv[+ #ƺN5\1罗Q3WTb=$V7#mmàGޒT>j%"9\-Sm0izmE 075ȯ yvqk3F!򆹐I/q|frU!4IE45=j%VK)tOJҡ0 䙰 &Ȓ0ȷ ١ !ɩP'&웯7((vjIH^%x*zbL~$ӑx4~|G#("^FTL QEYW CĘd=G+μ417N&\^Hшc#|˴1ͻ*(u*z7Q"v@~7,8*kAK:ntTa>=-w޵rD,HIo#Ы ׈s\ֵ~7҇LO%a#ru aZ~h#5ݥ[Ss 5} $"("d5)Eh<9` b<$?H$θ΁DA(ݴcEPT!FTG~V,7u()oD K>D`I$6r(&IP۔*V/9[HLxZ%o݇B }!)![5z ?iEWb|!:Ucg"Ka *  p4^6|QU\Z3q"n@Hjw'Tڟ 6H6m*t(BljuԊ55ޙ  ,hλ#G̞'/ac례5|c="AѬoqӞ^m*T0b4jD'.8X5'\MWJjUdLoOm͆_BC^S)9r4k]pM>dPyGbZ.oiW|zƫ2ez%e]9J_sⒸrp{ċz#si eV7R.#m{A9}Q=hҵG;bk9NgN&Q L+"q?~^kq3YKC9,iP .`9f.k@+xHe/6`2`Dv8?}7TK]e3 &) \ H"xx_>§qq8fN q_.\k*:cn`y s([Ԡ$t^ta!÷)H`oh 
4;='r5߾, GfIc{C Uۖ N,6%demzVlFYECN'VGyRSFkK9 Á z/\ǏPҡCGumcz`ga&×}҅ksh8ƼRXwHOO>=糸1c(W;[\O% ?~x p%' 't AܣnGĐS|/~:/U^?QAS4d"hdo"6G&68HXh`D;R1w̅D2mbI s^Wmď0YmXnaYCkSBİmzG8WՂK(MhkvQ .Z=n=[7e&*Aaad[svGuIbsmb3S#!2E|bs7$=ELt=mJ0[ uB ,;jx@U5ŏ澸d$T w8o2YK{uOp}éS0 q;PvD% 3nbGojS"_ Oh@?n@|y/Lf;IÒh0ِkVVcB(ws:t&L犑<`dL' :>!26A"Rţӧtr]: X|X0bmunf|zaq؜ uC# '|7>تNK _$X%q w,6'יk@;S zHBĀd]B 9Ezۚ'_yc '%KnOX DVx,g } .#i'Q_)4>#x_M_'67u?( jd2B yG'aDH9EF1G8~e dn_>Fތ1g\: fRmLl9%,Q[ E(!(,* (A$[®8WPw? ͉`8{=*H͂5W)d/ \o䠇DݼdqvYmZ6N!᫃ek@wo{DŽ5oICd=֚ZgMyK~~+ wZq\)HUZ:O^9 5!(۽NUsL.?!<8Wճ8;zV}- R@#>NviJ*_x՜J?x",MME"x B9B]- Kqؐ-Q>"o ?\I w(#Z ' G+7HDXF?8tsț37ғe46y_U9U9 rbγO7ﻊRڼ^~s'#LH$B Q""B!A:%N(zn}j.4}gw΁  N6 oHUݷpDx[ 9 -SojyuCž:.yJ/PH?P%ͨ$L֮~x {Er}.6|5W:ڼWx1B64$c_JqP ]čP>Չ=Cxm~> !=s W) lx)c I@ iA8Rs!4Yo_H#nH}{cǢt/M~;L]5`*FXs> n̺.GB<|OIM!ћKxwXo#fso>7H2|&EdΖ|6!8|~MRJ)6nd (Z=d(k#ej64gx/0y)hh&7t{b[s[HLYr5!!ބ?5v2fDJQ3P?(E<8-6: *;Ssa-8a|֔I#ah@(NHrE8|0#f 4!-ƲjX לx:GNvwR(qmhˉ v&w#I; 6ӟB#q/gIo^.%ܣm+|cbiZW)B#BThH&וrmedo^c <6iE37_Q_77Q.#!F1蹪C~ewˬݹ^(HM<9jTDw&@$(r>BR%9ߜ> R;A}G n}Rw;d蟧3:Q]\'B!@q|<{"W.Q;T<{-M_wGݨ !IENDB`fwbuilder-5.3.7/src/libgui/Icons/translate_16.png000066400000000000000000000013771303637203600216520ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxTS=oAݳYGVX*) - A_$SPX &QX%MD"i(REAٱ}gߝ}ٳiΛI\4R;'8;k6_o$vvvJlv38&?h2h4n?j wR|Z\\0MS1aRF ㈮~_Qq "\.C\.Ga而{)tʤjJM_\oQ:'1+d $5pP qjGGGAt Ԕ9j&@L%>WWHb/,꩹,A*`?%eB U I-c$%IO X,+(aQkt@HTVp"~\M=|1,\ϣ}@T`L+z~x<>ZVJjڬU)I kZYd53Q~Fx`B!Z86/3lM&y33[eZ+L&3j2(fD8} Nz^.Pq%+M0^K^1mmmƠBX<& ωxS~FFѾ0Tz '"ױbi0IENDB`fwbuilder-5.3.7/src/libgui/Icons/translate_25.png000066400000000000000000000024701303637203600216450ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڌV;lUެ׿ )!HJiQ@AAAGEȦt [ ŲS" RDА873ޛJ 뽞ٷsϹY/"9r߿k}&N*JVv7`?c{ d}}RCp|J+%JkQSnv$jEN ol D9 b!,qT590ښdxxH &<}VKNV@WlR.3I !<aJ>www*kkk~%E!Wq &Jo)JҒNIX : Kȅqd"4 ##G(ls{S~J|aucz||"K5DkEdӱ#*@\*=4@@a&<A2(ҰeUP(H>;j6')׫Dd :ĉgыu{eh'U=qptD!N,0⊀r 胁yA3!I.D= GhA;tE 
gz*O%y,5sd|dxLa%x }~A2dMP6T,}0)h FDsȈu|1({wT,`>Q]̷RtW;yK@pri Ðבah7W^ Ipr^-;eC-9j6MDiM ((t< 2T󆃐MZjdJKs`͇f=G \.WA|혐o$|u{̂F/]SKKKwAt,$W|Qs_ۄǞeWva KfqqqGF⏇G'SQ>0Iktjx~ř#\)aҍoCr}ӈK8d?T֗;<(|dtt02hoͷ}ҖQD@,}:77wgh|!?Y,>!ٌa`oȷ`¤59@^K333WkO4~Ow3].aIM7sZ--~O2 +h#>߄_XXuUIENDB`fwbuilder-5.3.7/src/libgui/Icons/tutorial_64.png000066400000000000000000000150061303637203600215150ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe< @iTXtXML:com.adobe.xmp  \IDATx[wl|66=GgM J*HhBDD QB5 E;Gy4c\waqn39ϲ7{>lxc}ٝ~ՙ9(53}W~+/;>O\wa;FB0^E3:'T| @Iih;/t1h(ьbU (9nm8jޒ~%Sfʈ&[~~D ,tͤҵ'L&veҼFq6V!0I?{^ѴWعIPiMӿ^@_DkH(wF&s)/- _"{QsYҊRQ\CƼ5P%k0&=@us !›шm\f3Rg2${K|M5#,ߑj',U;t8(7)`#YyYXG !z rsȧE,.*TpQۡ2ѳgOС5oޜ5kFm6:vg=?=rl.#]~=eggӵkɓKQ9 nܸabe'&U`n׮]fθקI&ٳgiРA4p(Fmذ.]D'NP=zВ%KxSNg/w}Ǎ rgzbb ֭߿nʯx. pڸq#-\E1r(/_V":ijgQ=z?ӨQr FXd @FPa`:S뺠0cp5^qӧOs ڌrq'#%@E#>F|\߾}y1m4(l@4 իW.o :  1t6Ǐպuk>K.Upd@tZh1cQVP$IIQER.:u.z~myYfQjxj*l8qmg!만 AwW&:Ziٲet-ڳgn`eȐ!Çz9CQ5@0!C׈є)SW^~a=l=8}$O3$BƍG_?}޿ϳ A ZjG|޼y\a׭+Mn#:F&O_n$,^~nn.fܐl6H$ \o҄ \f^RRRw… 9H`Vd(W\xݻ7ݿ01{s9// իiȑTPPɼS $NJJdi-wq޽0.!a@{x^zсf͚\BRenI)#M'b! 
>Qa%n=luD)6ZF3FHE_s{ڋ(CMDLMf l0/ֿvwq;]С l49`hh;8JdISDoR,]k` T E9L{.6aAM8`vtޝ/l޼*7iUq )ɤYx:}r =Oga::ŃF䣞[4Gx~#mZѣ4|X3uTsΥ7ov7}t\D_#=Nq~OI#;GZ0 rrrˇMy,cɬnݺ|uh]Jؗ d@u2_<ظh틟n.UZV0k&Ly9-7&cGk 5 *Kvbǘ;O H !movuͱJfkuՙ:cX'njҢE  >jX3bf馂9o.1oT_QĘP>nRl2S h7c fJ^^Rb<zY>9DFF._~ƌD3Kh  ZIDATx[PYF.ɩk:K 虯9`Y29g,*S\3g,P1 }Phh(5i҄rss͛7,?UR^~MݣHJOO/S؞@}I˜WNcǎCңGܹsC6RѱcG aÆ˗㔓S`I>0tRJJJEы/ &|.^ȌCJ&L@c ,H`ps>Ӛ5kô`uL+`{%ZN>M .^zɮNn![ f;@6y.]hܹ]vѴi(((H$h XlzAӓVXA'Ogϖ Dg ܸq.]DӧO(`â!C۾}.p!ݻ+*T@(fD] jCT2؀GmiAݠE۷gS| ׮]UR``f4I`l@BXX)fI,-~qW h, ut}q§G͛7w`F> BÆ 9,D)d8܁G&7b, }}}2A4= H9cA |2pfkF@PW$\->;1+B\ƍׯs\^o=rԵkWݻ7jv!ޢU W ^Gz-&Ȝ:uCd)ZOhڴ)ߟuFϞ=c7[F ~& !$]eIG6hqH"L06mڨǏ~ɣ8gb9r$˖-T+`d1-ZW^)*`Ah+z)=*iHA.գKFц &9@AO6ZK0H5w(J^lP/Ĭ uֱ3yQJ؋Ƚ!Ѫ*ZD dYJZ%;qODҠAaDoGѣGs\3fklb.xfff͛791b-_]Fo߾ڵkd:hM`Em DGG?v+$-0`(y{UF 3)),: ޶m۸`>"U咊6|w8 XBx0Ø%e~'?88jsart•,LIfH""6p|qcQIԩ`PL0{H 0` ܸq#jk: \ 13yd6be̙3YW;vgD7\(~իW (&W7qD~ZeY J;իFEAD SLh b W\ٕ^'^GQ۳wlI1,ԪU $BiO4k,B2Zפ`mLi ikXұ4 f %)庼5~}/pv m5A^!9aEW_O$!!o>^C@)p4Bm'l h4p u~,i[rP3)pEZ%!<|Se- i|԰0>z-R˵vy8G  ܹZl1Q#KY߹ ͈PH,&$;^-vj]WCUv [>}mY(swIVy@( u,v {r2>0F2QjsY mrr𑞜DD^+SAnn]gW+b8hu& eYR%I(ԁ$a{q598N7, sMpсNssiJ,>pS6/sC&&CuU&$ foEYcD{ju^7s>K"B$@(DR@YTd IENDB`fwbuilder-5.3.7/src/libgui/Icons/user-neg_16.png000066400000000000000000000014051303637203600213720ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATx|R]HSa~vgi94&%$a BPRQWuUvVE7V䍄X$-Kݏahk3>x}ލ;b^wgTAx/,7Es_L<@{[S,ƦTr5S= &H<=h ݻn'uЭcqrYc'];Pjb3wKcP}()c 2il lK\!|Mx 9 jˍ'AZ@@qr_@xD~U|ӌPIÔP^]n@^> CV'eWx2Jf$LN]+6A"{-F1:wNGER$ӳ!hh W;y%"!VPb9pD^3"pl\PPo.B%AKj0w+J+>`xIENDB`fwbuilder-5.3.7/src/libgui/Icons/user-neg_25.png000066400000000000000000000030131303637203600213670ustar00rootroot00000000000000PNG  IHDRctEXtSoftwareAdobe ImageReadyqe<IDATxڌUiLTW{2 ̰ h*uT[PiuMc 4&G6Fbm쒂uKڈj`ZF@d}f{8=y{99s/L &Y8*y,#S7Y/JP<Bxcij*r#R͘N@!J{0l_t*ֹ"v>7GZB~BrߙJ-wt6,]=NS2ye'T t 8N;޴57ӧ9W(( Ir5R ptCחc<l%2 hNETBk{.M<)00dW>A,sI8oKU?K1 8$`(͠zN+ڬ[X|bPZg"X-ȘG1QA ] (ҝw/#"CW}j:Oȷ$xEX`1u$F[KկnaSPXM~aQAbfFJջue͐q/p 
SJFPj(,nF&nWyBtl'ݣ -FzկpcD=dхl}j_@8џXD~'ҰarFT(NLp=|ؔq WmHS -IENDB`fwbuilder-5.3.7/src/libgui/Icons/user_16.png000066400000000000000000000015271303637203600206300ustar00rootroot00000000000000PNG  IHDRatEXtSoftwareAdobe ImageReadyqe<IDATxlS[HTaѽg]L-oli"B&E]$nDCoQ>DeFDef)IFmu/} 0|3!h|PL[{Y-wnM ;3!߷;gh9'OcY *j(tQH4"YwexKB+}ˋ`8Dt^YQ_9 6CɺZB'4&Gv`q#z5֤H7@` +cai!$'%C<(C< B+bzmezM A D2:A0KQ2œ>>24|T1do4:@!NL9&ڛmϣDQș!gr?ۗJ@ɲ{kYX)tR"%(]R˗"%.xŸF1O;qoo$BsB>qy',L&Rty5k>ʪ8s󕽓gygJ2%\<8g ŦbՐH+wRD@8 ?OZ{K)'d- Kx-özjVQZYYfêA;X J^T9e"5ڪ.yK_뗹pXDۮ˨-f|DޣyHz"ɅP ö KbUc!Mu/y2'Di21ABp &صhߛBϗF4&"P4"#0xFb">Hcys]|CjֶF500?PT5_ GQ꙯$@fVYܟβMf褏Jc:-t:p,[}rp_ gW)`IENDB`fwbuilder-5.3.7/src/libgui/Icons/user_64.png000066400000000000000000000123361303637203600206330ustar00rootroot00000000000000PNG  IHDR@@iqtEXtSoftwareAdobe ImageReadyqe<IDATx[ ]e~_Iw6a 0:*23Z#Ze25LA2N9$I$ ٺ~oEqơ}ᄏ;|qj˴\yjivcݎxجn}3??Gt2Ƥ4>@eovX -S[q]GD [U 8y"lL>}מ*xo( b q=By]P\na} ~Nu P!~[d-9[&ʅ@qJ~ xMQ42'g̟uޝiZ㔱c"ιÐ @J !jL' #8fۍΥ(\M&Wv6$Li,?T*qs^B~cZ k3@x Pt2Gj}t6peu$֋@?ODt}i,yA榱OSi|SH@Td 5W<Q!i/!0N4(jE;X- 2o,(ZJQ!UT(Mt ~x^ѓwŔoRj0r DzaJ˾S"rLIaHM8kxB I3Y1$84=/q^j. 
Ҵ>-2l}+\?G(V&v^ C̖Rx'A@&OԔۥ2qʥz:E*O/`;7J;&EZ;fqfqcVU$>NQJѦ*O1D$ FG@SSV6ub@Lq(L_'&K|jz V*<8abьz5+$jV/8A#b$S" ޝG z.R(j/c qt) Deaz~GM|ĽH{3H>!xc{P<]-ήO78d%-f Y!ǿfrN Zbl6Ty]=Nߵ_仗 w|XL+(C뗓Hv&F0me'DTf]`Gy!?؍eC(-8ќ(*>htD/@GQEuTw=gw~`\$Xz!Sw.uo}Go,;ɬ ]}ŷ<d+0XK>҈r=nʛ?SF8$rr;\Zf2xs΅t}=V5ݍfK} {뙸bCGp}㛱7#c.24H hǸ<,D\7+Ng{ٷ6H.5 ‚RK]펎m؎EۼܜA,}=-*?cO,b^igts * tEK84DV XmY=%NOZްGolYrM6{ŢqKq| f.*e Txq?(b˳Chtn'k:xjE {D$Ͽ<=oyx(_ӏU+rҒp3^BL#&LΖߚh#Fch>w̱:h}QVWe,\J\_G7c@NIxPuRiyz$Ŏ[aZ>)mƴ O; h靥*tܮ5U, bLԦ>~UFhܦpgڟ'#<Z>T y = h#}snFjNw"9c ˮ^'`ɫV]pdq!<ܵnx^ =3aYcO;S @<2O6h (/Ȣԓt-v__XޢT#53_Kluyi.pCqzj!n$qz B0% YvSb֓NP:ʒ  E tMQ`+ͱhڽb2.YSi$<z:.V/x=3/Lak 08A?-t1uZg4TQ %k`א, .){t+4h9$Er_r$Œ cއЃx/t![z(g5V@^AWdc4IOEuU(mg4ueŷeHB9TqbbCUM8vg(Tdo<-,Ks{1A[/ } Z)c~_tDLS F2ib2[;VeQ'3jKFnjJ_ƴ\7\t cހsr(XuzJ]M0 'N$t\ 4P8a.z౩ie,*8nC9%&,he?.;.0R}Uf IPe38^>z [a('x^v'j7ƫYd@yE2e͟st{2jFtC9_T"[DD!ҎHy^1|xqӃ #麦bs(S!st Ia7(̱ꪫGRrpdz~<4_GS2Ly•֚C+j:)3u͹M57tRfa2` Sp$fjgV6Lx|PcvpvULf,g QMnb`%p3Kw: 6]s5f& A_88~1̼x5oQ_uf6PU8X}+=-X+LVOqb.dk 5XH$jXO92m*X0*Pd[ 1 ?^3:p/o s ʷ՚掗3WaV0;rð;tSqVFhCcǐlmd$| hY$ 9z!|/*B0RӹJIi 0 P\:%w3!zWc"(F/UP)ƒR sG)7+6HUAh7nSY*XE1"Jq<|ݟL?#g(n1U)QZ"hV D,pmn(KE)n"曏d4d-,ڞʪnyg/ Kg.1Eg£v18UdtJydv|C~̭i=7?5P .G>j `f:*HQ]Yb N:f?֊.Zgpv g_iumïef-aK-igFϴ{NiSX8-F_3w#`2뙢>K)2Y,% ϯH_/jIH:'c뙢J:>=I)F(MVhp)fuhZkhUhZ&i t514F6*W4n=J3d&6<~X\%" vSVt<"YPa)gkJVA@UJAeꪫ?bAIENDB`fwbuilder-5.3.7/src/libgui/Icons/yes.png000066400000000000000000000013751303637203600201450ustar00rootroot00000000000000PNG  IHDRw=bKGD pHYs  ~tIME / 1IDATxMOa-vn[XdCMLD|IGW?' 
zxAD58;땩XY\DDF2~v3Oll`;_H: k脭@Q䘾04Z$ {z .I]az9EΣfd N i:U0 s-t@EX=; JUQa4H _Cͭ5K}oui$0ǣY֧SlWخlUݨYQ-I +؝Yk(UJm[)S*&MÓ_Wc`/;/p)6P{-ˤtAle̴DUz^(گ)aP^s!bqO `ia ggFsq+Z I%W a7sG(h1ʴ$d$Ch@(P(?Ro~ݥMn{b҃q+9x".ޢN'7qADa }48_voA =IENDB`fwbuilder-5.3.7/src/libgui/Images/000077500000000000000000000000001303637203600167635ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/Images/fwbuilder3-128x128.png000066400000000000000000000544061303637203600225030ustar00rootroot00000000000000PNG  IHDR>asRGBbKGD pHYs.#.#x?vX7IDATxwd}y8zrY`E `EAA*2-e\w:骮|%,ɲ|$:H $"n^l;~9߾ (L,,,|>Iq a~Sm7)!"lp&{ Aub76Vaeeʐ$ ??'XYYA,C__N I߀8  "AVۑ>1A۶^yoU*b @> 蘆,N qA8T+,뺮lڷ lۆm(L84M,<σyTpخ%]#5,1 /<@v([eko=&PFIn*|e'011gH.&kn$QB,v3ډNRowc#:?֯-ck~k|?$KH$[`"V]{wGr^##egG]J"I2@D}G*bv ˲( HS翛< - x{kߋ4M>|`uR #n{%Ij?Qޭ]3-a}@Q%N111QT4C4D'潛M{L3;8pv߳ 3͏{FNnQTZ) <(܍߽$88G}ϝ@ 7d,ۆc4 ӓ7I Zts9qFLb}tm84%trpwץm{ss#=ח3.} ( Μ9s! 0d8zV9Io mߍH q=p.@ 㚾_EU&[-qG9u$IvSsنx<ϋḊ9U]eY-m{q@Z6|Ew8xı xܙ tnYS9UU%Aiۏ <"@L@ն᏶Qlw6߭5MdYDQeYeYN0 hfS9͛.LtQjbN22t]Ԅ/"ZwG gqUUNv ߽9ʎ\2u+ ewau]>cLwň O$ޞiێuDžiY0M eos&2b(8huͣZB-ewnC0A>(]m]>qW$e< }+god; Oq;]M,!@(PQMEO*A`tÀN.VW&\!I+%v7vayuTQKu'Z\(;Nݸ*Q˲?8Si @jnOqzzRf*z3kx7h4`&5,!Y?D"eYh4(ʎ7.բ 8[}DӴo_~qA ˲'}+{Nx<noD KKػw7*N;Q -73L"H@$0MT zďIᴵ b8މ{vzMMMtRכh6[p]uP[gOXPRѫ*N:Z֭{Ԗoa9rJFQȲ>j5uVA+qe8z2S}YD"P# eY'\RO,E2@,EjHꆁFZJE "u]E\~jBeV8]y7s;2͡7-Y%l6H$a&&t]G$!FsÚ"L J ,U m'췢tH$UUY+ -OAq]u]Os=9Q!J"DAݩ(2 Y9rEJ%\|Z 1+&Q %qPUA,Ş={\nܱ;AUUD{^UVQTnJiKYB^k&4"F@N$I!IEacAO?X4@8O6{<ϓi|8ڝ{e}}PU c~a'X,$%:h UFYcrrܶm8{cM߇> czz G$(h(䋐dV W^eD'[6Ow~UUH`umؿ?dYޑZnJ]$P$iTDִypNL&;]K^<kT*05CD h4]渭щՅa:׻ کfسgc8z(CeǿJ&0uTq$I$IR)J% c||1vo] DYشtR'OX!RzzzXUp3HnF臺pȣnL1#) xFc)8W/1CeT*|u`Z.\T*H$n1}$ H$bD"H$H$e`Ma[a?\@ZӍJlߔB2GLBm{tQ!ofSTJ(T焱jPl6a6|t:9k׮AuָBVMe0Y2%f'[0 bfz/zo`k~^VWWa6p1u]:umnt}痗144((*r\7t((sfN| /2+žtM|O/|?oLOb0) !)bz "D066Q\r:ai#_x9FE F7bh4}%144ݻw#3#h!3dj>usx^0g466)FL&Yis"8vM뺸~: 58~h "onw㸾sSI2OT*!={Ǐ,˨+tP6iʥ2.]OS/+={SSf)3d033Ü"EQ`&ɶP(h4`6 m[ E'? 
ڵk5 M!r8Ӣ6J:6Di* II0TU.9w:acdAwJڅOm_gSH8r"'Ou¶m VWWuMai{ :9Pw&E$IߎbbbtšCQV144{!‡A+"1a(yyy|["~w*s>-E GJ!8WӴ-eYuflfVg^o0qt]gh$x2(UUopN PJ>crr Sdɩ[^^F2d m#3ܰTPS.Q*r}att_?( 'į/CT,- cdd1;ql@7}hw˲̀:%j9O8pp] d"F\d)caҔp)Ò!`% b1 ###ؿ?.ATZ΀yr`vf48pr8Nq _~~ O|I,- D臱^`_"n#ܩU>AGG޶Fhیe2 ø^` ~NB&>+(Bh%19R7t4s Lall {*C(Lflu8zp.{ AYZZbaȲG}DF8Noo?~_Rvģ*YV[ְr#Gŋwf医r :=X,VH0pNy3]ov8]Ev 4*)leV ,3M@I%W`V 'OD@OO|$&''fߏFT*Q˲zktTr\g&aXI"b088cǎP(`}}}wEQ|SSz__RɦY؈'zqf_XX˗Q*~ m=<I?%Ęm7ހeYfxec}]aAOO`Iߤ0w8!Dؘ\.|>rt:{bdd1"3aS#X&67|mE$0p\HAI2)tK4[^x?x'Ӄo|ln?"2I0 ,78v[8v:͠7#T*AEZ-fNC!djuNR,Q-SSS8q2<5UC$~R F[m;d|MdYƷ˗/#`sssQ5XkYTUŁ000P<3M@`VC`Y֖(QYF8QyqJ%SY$d2z&ڶ%I9۱nB'p]\$pfpLҮwdUu7B K%|4Mb:4MC6eqpZImdd1E:׌OIl6٦-'y#üt:W^y,cbb4:+A#ʲ,Zm>N%i4 J/_*EߏgyA__/+ =σaɔeI4Z5TULNNnD˜]˴'nŋ8<2:~{+W[xL|1eY(JH0Md(Hba9BS5lFsC wPAm+++4 /vj+I[p`8`MӺ;e``9;"]`&E~rH$œAbJLdv6StV"Zg&.\_~Ľދ^{ Kj__WU#Yf̧i;RX,Be`rrT ®T*h v/,+m0TUEZJ&''{n իxnڕnZϟGRߏD"RT8A:Sa$2nQĵ1ӱ/xiB("TyBp%avvW_}, O?)6 qIGUҗBO\5 0X(jۋ{BBh4=fv ɠlcnn a!Nc.j5ccc8~8 K wdE{==='?I>}?<\CjBRmrˆ!(!uKq򑏠Zbcc.۶?ro!@QĢqZb~~T <`Y I(vݖ |W$dJK/AE4 DQ1Ϝc+(tn8Nf9 k(H!$B4١FfjZ j"L`ubT w݋l6 ˲J w~Q|uC.nCHxBξcvvcccLyv^ i?008LNN¶mdYFZ"lfڏ;2s*~mlnn7:ke'iR[X I$SCA{el)9s9XСClNpD\FfT"zNTԉJ,dt#׀Hz>]3P,qe4 v1 F{@L@$*ϣØepČ"#I:m~";w( NeBf 4vjII:f" 2={`mm9 kkkL:u@fP"&!xTW*r$Ib%dTB$ LB;M8Ct n҆m'uz% ;Xkll _G^G.c`U $^k_MmA*dL& MN!U׷$oDQd*""&TUePuZ4Mih4SNرcc[t9 uyČ伆H\t]GfpSK)+IN C, C{zzX=uVj5IHh:X"`0 q˲xWo6ë8s]W$8,2)j6!$F W|@x _ zڠ`hRbqqqNE^g:V ܫftZQl6177ҽA4m0pCN7@Ѻo RիaAhPNkpA|ũS}zֳAPUUh$cBFȃ'IwRXE_V112@CQE R8h4X'.ƒ) U`QxčʠZ^YYa/Xt݀]3b3c6Mб4hmm D"8 cssi'$r~|㥗^oۭ[6v?,/Fjgvø/B.aZ,!b NAi5kEOS$ Aa0;4,1֩Sp%ضY<3˗t:<߃(8rx?zn,!(AOO, rv N`\~ztGN!q._|GߖZ&Slp$ @:"3mbb"bΝ;ǐE* 'fh6D"[T01CȮbey _ЕNbfib8xh?&Po4D22\HG(|ǥK8x<2XD6+`6;>я"h`uq y{뿉N { 2W?o}Ї>R] piptäbk#us4֭j1h@R8xJBu,--!T*PGŧ?i .s:U$Ig~d2B,@ZǙ3yA&b+űc0::v|>)Ln32V۶hC!L矇$IX^^gz8o+?9LP4kzY%ؚn*NOOߒ;xo;|+<tR$a(<څ4PwRPAMX&iBjLꩂ%2)˸~: vލM;w<>!H@ullllq": A>jMJonl6{nݻxϞ=d2p (NFRZ:}Q *N ߇PpxU*Qw6i)c-8n<?~SSSx 
/`ee,FGG^Sm92i4MeYH$mBޑNLH>JgNjM,--\.chhY/>jk< Hx<|#xWp›8qr H 8ko >u^ۅE9|4<0k.LLL`xxLp"w'.iYZYkX^G?677Jx TU`k|'J.3%5wsHNQˊX766PTH$p.]eYh``u#kfD^8D""NjaeeVtiqr]uPR2NQ]BKP^MH`Y"vcATfggqAm`ii ׯ_8,NӃX,|X,+]N'SB t Uv5V+:j\Ifq1\pؽ{7VWWwNĦ % 7oRm 666$gy,3$,(]iZsR)LLM"qUΣw #(oQW~m ,`t*ke$zPr>rd=zǎu*_t]gq99TU;55o~0 #O`ff7Eil&=l6(dk.id\$zɉА9#g7&裏b߾}}bسg, "(r\ "mop (['Fq` p<x9Eai>*>܆M%+x񅗶OS_{fazzV FxUPf*('Oմ$T>l0Ba1??4111~eYV(J,PN>Dx1iPUZ{`zzd׮]c>\^}_9vQ5zyV0ȃ3X+:i2ҙ^$2zz{ ZDC)[(DE ͈N4,5Gm'88jrs9w`4,21TN=#ab(d;SBϢX,ȑ#Ğ={Xm?1 a9}KPABBs*GGGaY Gi\İiQpudRqģ2 ,^pn3""drX )#30vhb|4e[  Q,p_ypM;jБh@"yR90 ]OV6vAg؀iiRͤV/2(&''qQx^xzׯ_gfs,(*guM2E Mf! xQDhB%}`?μ8\SkՃHB$7hnt}*ؾx8- x ٳqpVqmlB*=*x$L] J)Ir^yr9?~'OdK\"Me"666Dpb߾}evê[l~B8A__%50kW{j_y,N {aAQ(>DjKL6/b. RO_cvv=Ŷ$[4: r>@йjAI;%IsLdMEΝ(>ϳȂ/|dߠ0pUEGZؕ&{}d2֓VESp:ga]! NO`<8ǹ΀WDO" Ccp|^A+%(o֐' gf3( >O^ooѣGY>4" s&[@V[aF o00NarXYYFFF}CCC;^=wAFN rjƧ>) l7d!jI FMi*U#;w1:;QT`4۸(+P"jDGmV®*ס % .x,w,2n_Jl @mlll`ll +Bk׮7ą L&166 dn9 IuK>o$s r666ɠ w&vg넛G $_AT*i,@w4̊"S y+m 8MUX\ac.S7?5-p +*kw#N>+ Bۼv,jdΌ[Y7OO#j677Y6?Rz9;k* J `R44Mj5T*J%tr333fHH,VT>߀jٳX[[C:ƣ>A|߆eYXXXbHÉ#6Mu訪q0[vP-5d σx$\r2DdOAFj".!Q>&zLFikYpNAH###Ū$mV0<<c<1 MNQ,P*u6mCDvz~~ppE/uk[ѥ!}}}ؿ?^D"'N0VyFH}|ZE.__`ttg122¦pIa>ijllgz_q`::$ЛL³z[xc`b/Q=9 z/x ШpPհ>+lqPdiUURd(OMY(:^Ea;-,õ}ILNOz?QVǮ߿?F3IIƏ lzBW"eYT*?ĉxNn\@l[hZm%4??۶Yk42("H l6'N%ǏC2iZz*gLxV4ݳ]בNCKaT"6׆oloOb"F~7L륅f֬:`:L7xE6/7?i\r%'2̓y]V< ))b&b(-KCV2ʫ&L:\A%0SrfLy$QFnUBP9X^menNsz159ڢu4FT0o7 !>S9ổ˫^Qh_ P6a6ZN`X-p5W/Xkֆx8fѽq@u뺘?11jC>RTN <{,F( h6|_  Sv,cG^2ă&#+0M0ڍUd;b||KLv IeN@ Μ9K/p+j-V/[ߋ2bcR/׹WeE r:S=/> mw wmâSUU-ٞ s{L~> =R7i(p\M)B>ĊT<8$ip*b(ԃ.S\pu ׄ`r/]kW!MAB~3˲bǷ a[㻝GΫW_}+++/ueE4: պ;\l?/&Ny-,huKl {G&ܻsiTu\4qȢM'Oh4s^r>@!Dx7n2q. 
@@mknA׎[.85<츶pmZ3׮]Ñ#G022|>\.]144e.,ao?e n8!V$yvgHN07ejHaY26?@vClh=8&.D GNc8>Xx 9,[0)*Ű8=cHir-(oӧOURy,g/ئB X9e󻌲Hkim < B|yy DZEXC,aov{bªNfpk&+ilNP\f\vX\GY`HTx,$R@3'jeh>b7b,D4kT4P=H/ GAEvbo~3g|lF: *Y[r<$N]]]E=܃q3ɓl";Tz{(Ép6R0@5Qp NaC*ʥ2tq191WV5HRYsFG:9V3sw|1˗PW A@@cd_R H>bٳ߹vWt<&hcA:.^J) alluRI `#qb).#_kAD 04|E j7a:="&Qla`zvz ߾tҳm z  dndA٭jK.!cxxlCCC I(XYYa-ytd,)jX^^fL}(7^ס:P[ƽ:6/"Hpltҽk\.@ƞ}X!^@!:J"&\DR,D123fĵ70vx|o8sKxS\ @ 8n*7t xtMX8210e:Mtv~ ;?q\$|pwJxZMX#i,EL'|>#x{i8 K)#RRv m x< h B ΢mhv hT,C>,,.± $"(lTE4!` ZޘC"BE T dB{{=K{M2+W&柺h:(jcʬ(5y<ׇ/9J1 Uخ5 #k-ؾq! C޴]2QHťȦ1:Їy m@4Aw-YHf@$"9 l%Ph#x_@c*~ǝ|xO<J;=@χ+uåǤ]<U#:ШTPm cT ĸ*"l( M46( B uQGd{`VkKU8f#ؼ\Guko`hoAaj9%-H4|i!abnv'f'^AfK<8^D@шXCU"pu_?!kf"pڐW$+pG{>hؘ/$1j2vA/HGapSG?7|e> N`GwwzAw!ȎgQ-Q+Uc5 b`pm&D9AxVE*"Ё{ GdTKu7>Fq2 4uh=dE{ 7$X&\W'x0-  \}DY FSQLךF26! *}ى,οt !I&zzq!2DY'DP\-Vl@Hg{_`hzlv+v{wc>$h5"`xvcr =}ȌfЬjVP-"LA$酬&WAD!@aZ =7yhZCGZI^_o6߫V?]iNtHw[^?j!v0@D%96+|zSG$!R`UXyu %CZ^Bˠ栺bt -,G$VO0o Sظv QV $^ѿ [-bWyQ*2>ITiSg B w8g r/o"#א0Eم]p *5l-c%BEm\@x ɾ ٮl"ho ۅAoϻBGM!e (F:ARQA8"lD "|< ` B(,?#=CLA#juD5 jL`64,z^D{~zq.^!"8]m6kMWt jLBj2 DG$ 06h5mbLD~TD~Zwq]F(qHd`dddwR*1Y^{25^`~%fKzf L&VlVۯ+W}7(p"8>ʍqn_` Yn jb`W5\B'+Ӝ.܊!)s۞,Royz A;7Jm}8$8ʽ/Ut$}@dLI=8Ám`kɓcasy[ۭ~bTcvnl^1ub^gCL[3Ĝn0e6n6v?N  mX~ ^YLH1%tEXtdate:create2013-06-19T15:09:20+02:00X%tEXtdate:modify2013-06-19T15:09:20+02:00aD2IENDB`fwbuilder-5.3.7/src/libgui/Images/fwbuilder3-256x256-fade.png000066400000000000000000001114071303637203600233770ustar00rootroot00000000000000PNG  IHDR\rfiCCPICC ProfilexڍkYܠ ^ YH$4">IlmD Hvw[qƥ0{p…+(|!{EܨtWyV_ιs-.t ) s~d\VNNMH.2t0,A&>>xOs` ] *S 4>s@@z&@ڌ;C nD nXNV53 u9@' uV#MJ@?XJjxz7 fDF/9u&g򇚞"Β8xdI?Q_2`9R{OWǏlա|3k.ų0F8GFG2JM!/yo($GYm9H~l_ٯ/f=̂9Q@aZlsߥ M\k01ib1vr/S[D>fPbG Q &[ڽv=jlZ[-n%+$Fŀ؁{^[ SNLq!r[%~ksWsʂ=Oߌɩitnvk[`֚Ŷ]oA[Kps[7Mk˺'WFrmoA^YZRBiT̼*l]V_m4>]i4\p[E?ObKGD pHYs  tIMEB¢ IDATxkeiZs/]i F F qdٲ! 
(?b"M(@33%t73=twUuU:gcwճ>S{I:׽>zZݵޞkw}i-nK/g~ƍt:;x\^[ 8_~y 1-?,?`gh"ƍ/zd3t}_Vk{ޥ1?]|7\v ^۽;^kly}xkQu?Z tnFAc̨JݵZW^y%~73X(LB)8bު ]k7Uݞ:lrmd[!nqcjQOq7nwyw]c~tJOkmw}M{^hI h4_~yp[7n+vץpGGGR嗃 *jdAYF)A Z6"g=_g2]~XqUUe1)>.ʲ1+o{;9NK@!)EQs۷g;9u޽=c ی1FM^8< a9mdҁ@aAPܼyI;sݻyʕ/ eYoq ab0,j{"Z#~joooe<?m#ڵk׿v`rݿ|ppp3IWxWS4<. x<^I1b @CCQȲpygk6ʲĝ;wp8kyY&KI8î7n޼U5^EZ,p=Fݩ]!=<ϗ[Mew=B(p||xn+^,Zcnth $INl&>˼iWDž#/鴖04vx@S+t0 [na>l$q. 9-?ᢲNY\~FUUyKwCs|P]7pܝw Eщyf u A~,F,,HF'#98?׿O`2&}g'l4%U_l/˲x6u+w: d]+<"M$ RA||`0FZ<i#|c̊Qڊ1, Py< e9ӧz366M.kjM_yo%cm3MF/sR$:osz]eYM1n) ^S+VF_JNG`pY8EQ @?yyQ#ŧ}3k_nyޔ&Ѧ2_V[k_k'6ׯZk,a jH[E<;TN6yoym\<}=2?2|S}ꩧ,?i1ﭪF/mo"l.0W}={Z \u6WUkwFFG8p۠ ]a"cXk9F_y]CNwό1f>[=?cYkwEnQ#$v>"$IR;::zG|Zm:^T9s{/ { c~f *Hcp)9$AYȲ +̇yQ+˲,{Docy? @HA 2fz#womSaxXUջǽ{ޒFIR0J>Ro27#|c1{ qg:M[~o2|M]u}SFNz{{{e|9u!ax905|>#Hݻwo/s` Ð__oe::oỢi6iI4hmԮhCtMTUc>^U3i^d][zΌ(0#cs>C|Hkoj5MNqpMM~}}6ȳD{t޳_c쉇m0I! Z wQ8@.PK=?M4#' a8K*6y}.-Z {Ȯ)r(ڽ>h׌1RUߚfXvi&\~4z=i3}Wݪ'jbMV2WnkmXM$k4w#EQ||><,cԾ[1zZpzbvlbϥu:߄Zs2Ip9uẲ X׿֨Mm {A>S4Mâ(d0zϋf3ܹsl~:C~qXƿԦz{q@YG'q2( eB\jRZӶ*K~(O?p˳MkÔ^Vk:~@k47E>Iu+ONӟ?EQk%@dL8z#|>|>ݻwW2G!GQ,,[A[j[_`wHw}37ZWD_Udȕ1-ܶkKDh48͠GBq9$Ipʕzt:ŝ;w .gAM.L2`e|իWaJi)#q̠h;|Rt#Z p[ԕ%lTvAɤ1tb(ܺu둉bzʒϑfoh ~ih4t:)j5յm,&B`vC["ɦ6|`/(6 Zz;Dz1zفkO0|YR^`%@ӛrlۤ?F3 `UU' 5z? (5Іل vi;G/Fy9|MiGƔ񻔂h/Ksf0/~FM<l`S1u4w6nT16"hN Z1ݻ'QHJ]gvpv8<TWZuVyu[n]mۛ֓CS6ѕo)7z6~ڜ~byo  W{Ǐ\NAUUvAiZOڲMJK \Mvނiyq<+NSc"7oެvF s m7%m ^!NQ"áٌ|8]0$ `@>cq\^e(E8.^%? 
Tϔ>YkubzaYUǗt]|;1ʲx<39P鴞J7Iq~リ)DMC'ar꒬36 @lCtݺ^gUL&Ěp8)dvd3d%<ϑ #2*$+GcikאeWʀ,Z4Iq䐯3V` L&LB2h"s.fTM xVeSS 4ut61Qi}^سC(i> rn@;&Uc"D9[5:-R9Oxgy^$KUU?x}E$71Haʟ` n:QC:>4h+*_:;sAJu@>:ʲu޽G*Kd%>MW 9zɊ1Sc P >ό:}Ya>;gy^{h:cS~k-ܹvr(%\"U}g9-3l+-58Ov5:gATH;WFhY޺^1v,QxpR N2 #tqH֥҆،(Dd t=`k$:3򺿿_/VtyBMgE888Da`4"Z37ޅ1^;m%ќN]` ZL2|_.C{x"K&j|N 5q7\I6t:a۷o]?|__(>O/Mg 1rO AINIk"CHq#Ib\8::]Rs͓2/:ߺbRsN6CCiS IDAT0 PJv&8+9,ץ5iE,?M"Leh4|>Cv65!a -Oދ@mg*.k1(V7mH\k1g*tŚrf LXxNz]#J?fXq2DpΝ<>PʁImflfMufbݼC;hLx)?:{jշ)찱j-%ՑiZ"Ý(~v20sܺuk>Frƃ1٬L Eۇkp3;g}h:ՇuMwS6 n@@n6ۢ+ZTWλ (F/p_RL5#)\8CjyM@A]nil7o%^888h4Z,%!S@@uuD{&qؓom6l`9|X?4HD4 n  8Sh!4MfeǸnBqj1IԴi)wfx߳k׮>Mu+"Ibi؝.JEdygv5#룉 n#8\FDpVTG.Q5˿p] Oq9XM)%ʋXަԶ̥n6ڕjX9/j8t/T_~O<>L5A)9G[R9勼u 3.FkLjM4i#$y>Ag-r$ p6Ç@ۑ mX'pl@"}Ew^]fU[)Pi*t[>5J^Un޼Y߃z ^EgH?ˢ(j O93\KWXkrQ'fܤ0EtdsMk1im5 fz8Gx#Ip T4m^eK^פ6?MoBgN ֝J{R[UU+ik<W,Z1%[] @͙ЊNyʕ+p(seY @ltE,C$NcbZpSݼ(dPXizNQ4;+(6g|xv$zK+˕֚N]uW7IV]#NQ~3YBR|U${vp_.z:ce v{tZK!|߷,y5kÌ%-A&,;lBpu)1|#Owד7|4ơ3=NrlD,=S\۶7.~](.tx֐T\R|W%"/-2~W$'{j;Z. 3<$INdR7eYb25s% eYG~]=eԺ]}mNY0B' wAw8>\2h3G?.8 2+:"z=DQErdpkSh#Mq-&Xg*2n+I\-6W篗+&= /B.*].˵իH yO^q~@:'chrM:뢿:[K1~ ⹸_\ 8si31$IV8B1ش! _4\qe<1zynlu!b\kq_ gDZ8hXkkE,Cۍ1Nv888@eNu/oL(y(]^SA n-@=ř ,"FhEP4嗟 8_ke0Cg?mE M;N-%d>יZ(bz}Z=%9*~[Yvq8'.򗿌8XIW^؅%p3H#|d Ƶ9jfGfae2O ڜFөe U鰐$ߛPMNu*ώH?e(Rc_2/+Y'gY+̅3/.aMj6EQM{9mIۨspGڻ͏hEV"864,$n=Ñw*J%0'L1>Q,SvL@Ҽx,VC[MMs]XkpGGGD9;~_˷+B4 $sY%&IY =w񻌾ipjj,di\A^}Uxnח+q\WJ&3[j K&xX{4Lp1ðm攏q\0; !mhMp_^ H,?%h]B-Sׁt Wk!jX(~^0&L$Pp'ӯAӸY:>jOZ2OG{DrO>$]הXu;AmqM^KGu+RXpYyp9FcV`IEB>vXHt6;ݲrM3j.oh뙳Cpe!r? 
mA߯'縮g#Q #%SMho keKZ⬘ÎR<Ӱ9c(7AZk`%r}a`0/Ȫ(MV0uSjjsttT#rh#'M6 8kX\ vybr3 0 /ؑV֎Mڷ, #UlD- 2$71vspRrC׾ ;'x"Wnz,%H w1iEInZYʍ={6g$* N 53EQ&ꫨ nufAwKhFںX:+j@tqퟦ)Awuyܞ3+LZ] L.-ב\5~ày0H4z[ΜIv޷)TڨyW~_W\YAEQΝ;+B^ޝLHtӁG,3CY,|0Vbw4V8ŕ֗^Z_W4 \@+ߕk@G[&-iA(!B1EƥlN%;}i_6I ׿^nvo߮yaooÀ݂㱠3k-= iB^[TgQ[ZM: OO l1Qs8 C_uY/ܓey#E Xf-եrQȲ l39GN nM Okav0ۮi$~=*eB(V gPw3IumjցsLTF/Swo޼Y3pcKgL,k)-1m|%s-r/%go%`_yngyp׸(z+9^.A2Ajw+d/-镮]ѵ@aq -<(=k䒉FysQC]BJ σK<^^$׭7|6}<ص8~'+]*:gK#d(oYr,jḰU,+8~5=*X˥t}GuD/PD]c]\Z;>7 *rF`\~/Ӏ95fZUO~MK@Mt;N"l6[UUf C ڡX}|^ױ^6#$`^S Qg]j{GXg,tn`}!eAeOPUf)Z>[syrYoݪ,;j:֑,K_ևHlp-ђSv]i,N-ԩqW. ^+%qt1hW)dR\%_ywڑnjWz|ON&ZzDQN'8r]v&k$N^iEhRkugǤI$.#p(/(ɤ" &T1$\I4aƵTBfjjMkrh\%kF6N6)tM,F/GMNՖg3,?8ȂVGn^wYBEFdߥKSVe>yLk\k*1;cL%8=c]Ii(φm\kcK: \yD.KGh8 6lB; W5'KXq !Gf>؂wݚmKA{^M޸E6_{(hY"J i#;h@f 2rZ2N8cv0RzMHm8^_/b?yJ;M::ClYj*5i7fZJZRZ0uiNXUrA×WGmiaIU 6\C2 ~B<\Z{RgM+Y>;mV,Vy Eژw泶FjO)"rȇa=&Yso+kb$0ڮ1-?͇G p$j[2~rM&:5d+5A夦). 8kv(HM6Qr>nwZ,)zkJS k%Sh/i-:3Z\7˗ v=5!] -@@$ufD-CN;N}xJ+께zߜ|̀6Y$sKK؋#lPԿc6DKy{uƅo!g|+0DBe4Ե'\s꼯^\ޥ?F)CͲ\4M:puSo%GhLy΃>RstW{i `'8j>X2ppmzsҵIX?ަ8@Xt5J/-qZsiX;M.`+IMt.[ e^W3Hw*lWHc҆$Kj8 a#7zPՇKQP֭jBXvm^imwc[dgf\5}5=x80u&8gҗcr#`A)7;Ez̔UtWexyMt&ɥ޴BK`KR֍ v*<#~ϥŸ]6cb!eNmrvql3~v8șCKrgيd\u\\ ~ājr*&GF 7875m؂kS-g'/<愬#5x_{o;$gÎGԂkjTޯkThfí&' +讏^=qb,;DVׄje^eP/K%rEX=bN]ꃳ ]U.Zb,qtKİ8 Wy\)nSSY_2PunGRgoaXS|s_91ًx#xZ-?ϋgJNEفVJ9)+s4sQ / ?w}wه|ڔt],=Mqy.k!F4ykT]i )bR0QMLRlZFw]"p-jBr?DLXc6]B/Lɳ GoAUUU$peaIۙqu\LGwKxq\*ͯ)~|:?`^xNL ` IDAT(C)#%sM]? s˺:s3k<0Zz֓~y-܅HgAONqq\JVJAy+p):dEIet (zS5W뺶%M-a \~ff0c r?P.@MY3fxN;?4ژRio@^Y ;#LӴx(HozSC)0uUC+-:D7P|]~a/.`OpL!F'] q1z^y"E{ 2u49j+ ID0.}EW,_ ,K(N0>RZZXcux-nsgreYxtZ[l$.ToЛ. לih4M&ˁaLiAњuu- tmb[M>BP#2SBR&ڵk+0@~ovIQktVmf>Pu6Qٜ9Gse~kE0:<47Fjk-ʪ |I'H: CUg3Te0 E>Ni_yaaUU 5KFf۷TOPSijh#\' 5+c.b Ά5O ^t$0҇ ŸHui$52}"*? 
xBpÐT:]8>>CacBj}Nb;8q݈w:D9rv3)ү]JĚ^ly <EgYNpzH`/.AAfgBM-0ps) :sE~nw1HJJ1j1V6LvZ^q:lߟ8t60ՀXTmb2X,OQT"*Xcn2Pd9{Cx(ɞPPd9< "f:M$ISO!2LӕK&+D @ךrD,1[\\Iu/id32tW]2iZ{x(I"}[$Itl ph2R \YG۷o8.q^,e &yK9Kٔtogɫ7dT#U9pAEL ${ ̃{鬸/qb9e!q}tc0\RhpA9#`v׶I?j@׉ e~ΑsqfiRzW!5> aq\g\Brq12W&Μ1:=:+`‹ͷ@W_}9RQqrXӡ-O);@dQ~z$WeY kGCO k,`(A` XQYlȊ4CKyp4G.dDWβ`" \&AܞfrҺT#An 6zj$Ӄnw%]^-b$:v"4tYŸ _߅ 6ۣ!@o"iDHkɧXsbЌUg,X*RoZ]Fd2N,bXjl49pݮgU(ӬR/79!-XQsRJYoOcV%̎|y=عAa'D|ψt诫\Q,Gc٠",zklXlVS3'##L2G~_,}.5i_ >>F888@ 3lVנqc8Gxi))?WFo}}褓c|xRVmZiy8,\VsY]xN^y-i{ט4r_nWLʒhy "όz|SEU -lpIN(KxIYq=eQ*:P)jI٠Q[ǎ7:a`4"rv4ĕh5,LAcp8+!!kv6e#c(AE,a%kl;Kic֊I|I|R\Ư7ZY:1Wz(M15a`V.:~1{(DYUE,Jx~ br\3&MRU.uMiQ 1ִSa'IGGG8w;AZ:_/ԝ^U.uJnti-U\B|i{AYO~^pmDֲq~O*5 FdN[KM4Ω8i:= |*LQn(v<z èT'` ((e+ ^:\3:kd%bf> ",B I6 i{Vt=+8c9rip_Oy僮R15اڴ\Xߐu Imϳbz i{Icʻ 9Ð4rXOcIp?ɉ c*nˆ#0yQIL|TU{Ƙ)^0+{ڛsw6[c6q,_7QS0 1ϐqpp d05G7,k/ikXrM5-2lm<^EgمZztIУ. @rE;z3mKeܤM,Ky 4O!BkQ#ۍ"~!8k2QQX?JOfQp 3tI?&&dƚDI1?ϗ?h;w ϳ]>^9zY\j"kХr&TgcaFa(v\"ZwO;"fNrd:]?3MY1 kgeSyeЂgN3SEףӁ{ ¢,J FC, p1H|tlv_{h!ȕ({K͕ ,F{:4ƞP!J$}G_ $bLmߟkXw/jirWOE+|r=;z_c.I̤dEMX3 ~F\$;`ATc *[-)&XBt"-KP *xH>͟Qk&=B4^yZ'4Eg粽1uZA-LCgM]wыL&|dx<^W!ΛTfs6-i[o*pbW ߜD_a,d+WVhׄe+U]u+c`NAΊҎ+q\`h[YIM1|w*SeQ NEj9(Do0XM}P0|6lY $00 DU--/A/~@gq#}d{7k]6Qޤ?K6д MkK?J\;-QʟF:.. t~_IM&z=+b )3s޶R cW%+RXXTAUO-hK`aa.$o=$Ko ) Z Knl'nm['J]b\h,-ԣLhaL i4W'௓We($wV5j*]d&;~qЧeXcE!yX /&؇? PL*ywD \.тSl=_84G b1$ ~" _]^!/^7wX 1U^z'1p޽ʧP")7%pO3VsET3UЪ2z{égͺb[Zr4B2br EV:kQYęr ;!*EYVOST dY ,feZ.SŤ\d?S* ʲ/@XRŗ! Cq*QǓ{0_Eϒ ]K;%]Jx;0ϝz~wȞt[JB^?TA]<5d:5Cɛf6'%IReК\mofuEBm<\i9CgD:r9Wmٚd{7 BYW֓xG_rEI8\&\l`]ڕdxX5j/2OqjbUZk4M4O5}??s8p#}JM(<8.<5h#_׺._3&K! 
A+]YEY,v "̏)|!"l q b:Y|.NǪ4H:1%V罋gzY.-YvZ`pbTg 3 %u8,I6@6ї WWJ1mZ`O/WtA-ل,AJ/hkZ IiZ3gRMo{ z&u/t|oIG1{ ()g"BQ* " 0/?‚,nMYI-Q^\A JIB5ܲPcY6>s5F+هL-T>OypɺVHXI^yr؛t;چd if%ib/eZ&՝q9]q"&S򌚤]Cj7Bo: 2/K}]IA(N{5y3Тg`q=$dW[Ȁbxa!"Q!e҅B| ,o@g5EYyօo#,7MDZw!gUahïΝ;N4"҇GLq"k.@WWt֭: zԺ ao]2Q8h"m)A# be4 & zFpY V~y!N%GYTLi`* J"q@y.*GEV16BpО|K_(n2)nUwXj,e+lXKy!зIazMXince38):87 TU+W(8&V&YFk\dt:q{N|ӴkNXE>32ن[XеoSv?` Wb7 a( 0|!~ XҢeQ|]ŖR,ԢJYLf9I:n!J)CY&ϋ\+%/}/%sq IDATPOUJ+58B`;pJ@QН#Ӑ&CK4k^El,٥ 1 sQg I~. ^]tM^ OOn`*k*DIE(o|c,Ǫ)|U,z_D}i,PbZ<>t!"25a,QI@[g_ =ϋ!MAm~y`5@[pD􄵑dճv\WOCGK]k5_x8pƫTwFMUGf 6"%l6k SӖw!~4[ŽVb!|[R`B@ʋzJTE k o/@ X:0P}Έ׵gEB#%])Mmaq]5Յpbcy .B$?R }NYf|tgЊvϐ->#uz¶2&jeY6N(Q kĝhZZkXc!0-mU|Z:As/p)Ԯ)]haj!)KsDٿ +:+@8@MlD%$,TgcH+:_̙>:2F1[K)";)">Bߦ7<υrJW}T3bԩcyP׶}%6("^a$ \WmtЮ5sab#8h;-z_-FZUT&r&B[MlS}9 M2FaMF\/K.BrLmU|΃ Q:yJcUm%7VC9+p.+PKhA8k%_U heu]L@\.k"a}܎0 Z~.M}ݬuE1̡ٷ,,SL=ԑ6Z)S~Cjsq|g58jv2:iWƖ2e7Ew9Z[E"man_zN[=,{5hyѷ*HmXW3^sF 0lGJL,h} Hu;999_麴,@Dtw|_h&m>]V򺺒/,-e|cub1,y7g.\oa"p]1ï ̑e4 jx?צ!_ }jF[[6h[~s*1iFX#U t`1a P\ 1ԛi4qZV땼Ɣ6Rbրj-qXYdNR!Yg%uّNQ)Tk? 
>ش-.4 hWSy`R{=:&Sn:U)|}.^㪱W\{V)h Ah#9eb eh%W]gF"r3pB\: T*BcީZ4]߁2aSDRQ ;9a=`Fc,e>>"Bs :mn۟9+~<1ۜ#o dO]obse-ҳ zH; ;.j;J) Eu.2r@R`",:h߃3cFF$J &X/0q+ @CK `qkJZ-=f{-V+m՟a5l rfEvb3IG!g+j߲?Ѓ#-Mv%z2|!88===VRVe+}]:$<įARS5H}6VՔ*ըa^c;*D&g vh,<$VE4z%|M؜lTۍVc-wWP 0Èj5o w^QX:)Jm8~n3*dw׊ORC{]'Fw|5qԼ^Zn?u;sS< +osιc>ISTpn*q'p"V,8JŢX@Ὓ?Pq)F]?QQ甑8PokDDXk@$݀G#1%0 a !12>hoCoR^oj7_ToO`Za^_H[KmD1:O  ?m&XCd"_ 8Wj,@(Qc5*EJ$8^ "j8H/: V+0e83zn?~YKEJlqfƭ[J |X;(Sxo0km=` qwڢyn^lܥ0[W} pj͟JцJK-8 2&y2t%]"-]owҀ5r q&]z03qD2%V 4~!E |>e`lL/5EM ]y;~sEvaaʳhM]@k(^gϗ!/%ʐe1 `#i+{դ˩JMTڊ՘r+Q2G̈aGDPi.KXg`$ )n"VBKxUxs(X)Aȑ-zGՀd( e/EK3a @?s(a@A}]w0wS9elZkt k [(XqLC"-Z(׸;h0 c42MD̰Z a,Tf%>M$LhtnPcDRTVR"XoaAyj#$Ӫ8)Է]=lBs;yz9ZS*JsbV|,@]&tUY )J :@:Mmin& CZSΰek-b;ѭ#[!Q^]f8:Z(566HIV3ݔb ج7p^E6!I}6ۃ:-gUAǛ="ԫ.s#ЭH-p N>D\|mL1!a"+Yl2HC ;8g!'S0Q1Q@i]8aANHus]0cevD諸-cAܠze YA5N)ey#eH9"°݂AJ8Fb c(2S&N]VP(%!1%VXLęF#ňX0Yt]k %sTa[,6SBERLg1PJ{|ts(VA;7h{~OU(iRu-:8 SGa 0Q%9PnFaƂyu8*)0HSC sW>;w>RO!Lc1%,b8Rk1$D7m[=0bˀJ6??+w "4P3n|1i)6CBsC *IwA*mʉw0F(D'K:B XoSB Q; e*Bm{wJF 0we7HD]3 :]# 95[|WO/1zz)L,0RD&K+5u5=1AE/ a"!,̙&Dg@T|TAYl I J3#V 5D5)% !pFqp76Qz(>Ap?Ljp\`vM1B+,RY0 ɜ2$)V0ˣ%`sg#-S}FKL$Ag1P" iIVȈ)A%ǘ0l8ouW2eL"?q6@)7~r+ST`rq0`L /+O`/d*꫔r"hCF.Q9%QnixXl6躮{X҇SvEN$SƟ[U[$a"@D1 8cty8c3oj>8p-6 :?hT nY}81 P!H07jTx 3&L!FD;cD wrE,BC70].4ֈB#b512L)&j 8A("JJvt" &4rLMؔs[a1ZF)!ZI HQ#ˣ%=0 !e)1lG 7ܫb i3(2 kY@D0)HΈ1FDkdANDS:9Yu^p̷^k;D9 bvA{Q;bb,;lVkخCwX6lGa5N*BҪ8BVZ {ι \)#UA9:Yҍ(}]X.>]J(]5w%D}cS;l&3f]Գr>VB!(#ĄR:1R(yv/g/ǷNc'TgY˄@N ZDHΰ9GǸ{.D(TP&Flެ!9~N8BM y݇@U3sZ*5eXIZX h,ou Ŕ&'r,K11 rJ898g  njc\'J_^Az) ._tclh"!!{e< =i4e@_3ymݷfIDAT@nRMRJiKktLV3~[ZtMDu8w (Av]DjJ Zye4֧+$?O,?smFL!j>k_g.0^on9SrB< %U@kQ0ɐr;^RJ68:l[39_Ym 7\hRoը yBQ7;R;[׷3%!\.Nhc{Gr|ЋwD1# UE˨-&콃6B] =Q:W0sJSnL!(9(a; w`Fg{0$Icn-er0aS+hkx﹄|q D1^cwQ:9\'%h[uSZM9x ffW[XE!910O6λ NH M%/4W8DL감~rZ{R[/Ş,XJTJA2k* ~u8^M4@+'-?i$iShsZNU_u~4Qg}[FL( 'ČLQfaDPl 8q(SPV*lbL)9 m a6\&NPG{auVFIRL0Ɩt@1&D`O?3ivb̜538G|g/9Z]Z[H@5e[Gg.}!\b̮c]kcaUZcn^+ńd''A)()z?(;a;b/q`F\L2]P *AHc-laB#*< w-NN _U7Rj~Z#8L)Rm{ܷc~cu9sz~< 
.jFQ"ZV^# k*. |)CQq0!"эrCg`S`[ig۰ RP"2e(1DFTʉrd!?'1w0x Mv/"R9>ܷx(+R+xaW̠{_0o \6(59Wb_Q)@)Y+?m_[ h VH)cʴ ATKXvjp_Ib9, ~Ar"` P2}jff9 Aj+/{WA'7͗sڧO[kZ?VB]U#|qA_f\Wؾ߯ x`᜽WTrkNDN5hʔQ]aBۙ9?4} ',|Yo&'@9a,b9$!"P/:qD+qugRx&@N96҄ߣv8DS`g0w 1t)SJ]׿Z?X,Ikcީ~^{Uce ^2 RJ)2NKzh=+]0)AA}9)ZsXR:cQN]Q8c9ezWDB%yGƈѓ 8B1w l?f>R'{F]mNz_+9-iE0aU :+E΁33/ѫDtOa3>CD|mC1J9~24ik"6|:9[MQZ@ \W$334#/L$`x< X:OДbB]1TV~x_1U}^M'>;` 3cCQoF],h1O+ZVJx{D#3UH+; jv9E{><7U;e.h󞝚[q}zL)uly85lUs=Y*0VC)_!/1+8O569]ש-"Ƿ[H87r+cjOp]]`|yp# rsY+=KjMh1s%ȌU'04kϨ]3p1Cs9č3}~o{a\_`#EEyv<ݤF~ HV8{>7  oWӦV4{8I۰wppMc]{V닜UӗNc33a6fgQ}F\ym#>ck;)v\-~;:׃/y.=wm}C jk5׋infObN~N>! ?F?aĆ=5`5_M'Tq. VJp8dasZHOLn}&wVQygE0  HPEaP@<14r?#{2u$jtbDA{6=Q<("qCA*Oy\V;噹sM^|vWGyz?W15s-_̗)UKuZ17ߟl;=..s7VgjHUO^gc)1&v!.K `m)m$``/]?[xF QT*d4o(/lșmSqens}nk~8X<R5 vz)Ӗ9R,bRPCRR%eKUbvؙn9BħJeRR~NցoEx pHYs   IDATxgUy/ 3 Pfu("bC1 DoUoQc41'ۓk4&`;"E X:齗~93{~3;eYϬYkw}C=ͦY J`Ӕ&۳\J`V$0wUb{Wս/ܶvB]QO~wnc-ϟ6׀6@Wm(SOݶ߿xW<=9u}` Fiө⽧o`Ѷ E*w<Ã_Rz`Jμc{mȝLyD`[6l3M ~z ߑlMwG~O|f}c-f%J`L}GV&ę.!g_|͛vaמtI?Yx#mڮdL; RmS"z^W)gz\ԷrΜ9 8X_]׃sw;=O|}Ytw<妛n6`6J`Z yklǜܯa?X7~ݯ7V e]߼v߲Vî1:_~9^X{ϯ7> [׿;V|zesC9x7^۪ aʭڪ{wױ;kmOzғoS9C׏F#˕?^3 nmR1{ 0%mx8\d7֊m6Tr-ˇ _O[omJswm^.)z#ќ=-}]e qx v;c۪;n-ܲy睛kIi\w_9=?0g=k@O;hxioP{+1/ge3{ʜ|LH@जq#8b-:'uW_ט2\K,iyv}F|]wu8.mߵv#2Z⊆=_xݙggmE,xvu䁞~}EU\o@4+&58x}?s`[vکo:c!@q=ܳu]:o_|q3#ϝ;qB葭ɗ^zikKXcأy9l=T 20+5-[6tI'C9;[7Ǿ |#e]]~ݘd~y`&K^o-Esz9؁)Wq8cuו^Xp'U x[~*g xh0/~1 tۆv9zp5K_= NЃ%mhZU`]{jI_O|ↆ`MNk< Vۆa$[SC~9,կ~`=iؼwAGo~B|ug }H8ŵn%0tx{޳Ws kxXg: ;[Sh}{}u۝g3K|~y?ٝAnBi^mM?Q_o¯ƓNq; >sz}+_iO;QzT;T"|Oxcz` v6m:*2#eԐw[[m,(򕯼acx&@Lc/}KFȨ=HtT3Vtz'|R~!4̖ u"^@Y-U_-Y7pCsuO~&A h e>L_=gl"iP;'4wkۧ>gG}]wäuy!=Ж갰N;!gn@7͎1*e*5E%?CNc~T嗏~ &a{(^-pX W{;>)O rP?ShF.9V ?Jfkx3߾N9tÊ/uU nv38(*: &0al*0z>|}鈺-+L *%>X-_^r%ݕW>Gkr^|]mX?h(Yd% ~})@,ZhٟٟZ ȯ:/Z;ʱi`_0 Ol?H[e 3wП8'^Z[hoELmLjկ~uWu]t"Zg׼ !ýdq\[ïʽ@Я?؟N,z" :AXZL"LŵK`KmzzKힺE[b̌jC>Qݗ{<_uX5]8ӫd䅨U/9=w(YQ9.x<hl iًShɷ!=7w9)CX^?aU:FŘ!]$wx `b{dNn>G$owᇷg=~V:Ug :g58tSy[1 bEk_!̩Gy֎:h#*Է-Oӊ%|>]  3ŠgK,iirU0M?_sh\&-'̦MKSSتя~;묳6?3d>T#32j>r.qkz?c6ca aW3lxp~=t 
1-dD'; J``u/;YY~3U0|V+%u of& ;c 0&O?d Z Y?~/GT{9N'*=QxMc<ڼ*O>vN@,0L63 nV W[c b'[K.Z^w6`RgnĪХ~[l[׃8ѭxp]tQ{AA>ٮW"|4wn"͖bS K鐊wfPxkr8-2ds1 'VW㽠>Ж:8k٫tOGU}d odU#s7>m`̟ZRN&ؙ*W r@l%e #qe^iC>E8㍷ǣI}1N*7} #dB>wN}h{p?>Ã1dXX|̦MKS & csN1M}hɸ$mI}ޯ#A8WCd(W Xp(ם1][?t m:/xA66N R;c_7=跚O&b 麡~vu!)8y`?X;R1;j ܹ[ 7(oaS? ;fn`fr-HlZ#yS9mC^ݮ)mJy,)9>9Ñ&&J,= <է=i+H >;z1y4ņ&i;zSN:sL&L%d LP<ׄ2 "ޠ%@ 2?(|#c'0"W'm8%01%,@90oCpM1paIݿӰCn9 8)zz{;5{JxŴ([ F*s縫Km{c:MG8W7.y&&5bd:X_-ASV7 $iO~Op|U/~=xfI`^_m):;Ck#MՈ#.g2\:}A۝#1x˖?pw޽[%S0TWkWvuu߭ѻg/x"b'J~=Lcdy[޼-#:;ǎ}o~y F=*<ןoo/ZIx纯-?4~X-[~h9Vo`?6:*0,p[k+8\f_\#!H dpf;ꜫo\6cVC~C\0妼rO?JOojW-Ǘ@9%W׶r>8>[ˆ?$ZTm~he>ϼڦ /FdNجzmr"=}"Z٪Vw9mG52v!d447O_>r]_R~OIIʿe_Npm^ev ٶۧ\rIP{یm|{k "TA`^ߑ'L`FYKJ{hcǃ^Q}5MZP(^Rc>^]Peud1N>ez%я~47η^^6~}tmWkc3ɰdz :淿+ 3i7 }秞zJ@oss Ov}daU{r*o_zeѸۀ?|L-Moz_kY8gn?,Ϯ|ȵ77~Q|_:sӻI&-*N(BNt=Q)JkߺvywЧ)8>ɡ_V om7MEFד*wqUlA̸Xv;S~W/| ך1DN*!rkx^y8Pߑ{[uU}vL=`dNhAo>Z?眳w^l-˙W#-;_ Fc+[r#:4xTv}#O6e`Dӱ&992{pߚym=_>ͿϩGŻ<ڿͳcT_Y:z}[;o? m}l׆L3Ǵ_N;ŋ^(ً et+9u _~=mp4^ ̆v'CwfֵN{޶A:k5qvL+[~D;Kww[y]pҥK.%h[kxf$__x;qKnK3AU:TqO=6Fۈ+KoTTNwD,)Guڮnd_]kŖhLYg}~~?1 u@tkwaR_n+>y!Pw 3pVN>M_uԵ#[9w1~iWO&-Ǜ8'?`90DNq|0.c^'N4|~N̟kp]wϨm75[-^!$oH~3i+~=xx6U28宻ڞqz}6J!2ҴŨ |`ZC^z] _J2P~=L/o̿mK`sfn-!ne95OV|f*ZYλ[omL>n\pWnwA~<. qF@knE Q.X2N:vY-iOCIx#~  JJ2S VzNOƑ7} nϷ']qǝO)~ov-ݱ,fAݶ6>#oo-&wq- z vS-\[o|+s 7>LE V0p`>N Ui6nop, g4Rň61x d2E91q x\\$_A< 'W_G^iSS+\YW)Wm-y#aA- EﶱxTꗽw,t"2?>bNa' זG{G3Eڌ21:,&]VC?3`@)ێ@6q B;zS5ôi|J_J|ƱS'WjGGi+ӗˁ/& ?]TzLwr9:IxM,~nzvn=9ϮYw~Goo+Ckļ\{fsn/`FW b !s^f18 GR)A `< ["]Qh/)kSO-ǫk8k"%zhL!:=2Rh@s=msj+ Eb&ޢGu[;n뮿~a}Mv357}2N;Z PIs `l峂k#.ΕcIqqFprc uw22Ƀp$ syHlj'~ƀM udǣ-8{8}4r=Ro #H[#o 0#(-}sF:OyP=GJ(qRөӪ/8}`Ḑ_ƛ3Zp K N,\hQ7Ul$]+r#+VW __kއ\cu@}ѵwͼpǩɑiX}S.v8Gi}9Ts~^uyc{֯N9q[s~-7onP:LvG?cwL{o&i\lpEh<Ξztu1[L3vX>ccpD-)"dҨa,9ā*K \ѣ9pЫ.M6o;Ýϼ Z8_`CWptOZ/;>N_wM7?^ -gϚsU;Vޡ۹wemN~jtq_{uukSmpu731Tz폒p|IַnAM=jPns=3,N_WG}Tv? 
K_v}F BCxDfK^ue3b$NRpQ~cG%kW⍳;?їؾ >_h_/ -{5\p㯽7|K=3Po;vT0P~sWk5\u n$z !{\v#|)Ğwiv\{]wףۻqtή>(sPc_3!i38=z)[Y8ba6Lj0¬Dʴ)!87/BJ @ED:|u_“zP\urD:=e zJ07U]S \t~x$o?owvBJ{{vvxМwWp뀱Y.ٝ7}dz_>- ltʮ]]Jce|A:gB ޥ˝o%BF2 }Ah`%$у۵㓌D P`վO1_ iu-:h߼IhJ}J_Ûڕ;8Ƶ1`D-)Ƕy1тy}N{V_ݪO\Iln,0t:@=έӖUɣU 7`5d#҈VPFq-3 Ƙ\srBu ERv84 v uJ0۵Ӟk}cЎ"Zx}R=LeQ1ǚHx[xsLs{{A<]XSNrN=cW .٘Lٌ[O9àؠvRW&2)'jOdi:]ކE>Ɔ٤cr_0ǁ(C3EpRRǫ`()8&O (88b hsLƣR_ N0kve29Z‹>u pq  3OXy֟ J@szs1y]SxQ,WeYPYEckv2XԕRz?8g2M;xw6a G:#^,ݹQ<=u;o,ʼnC/q\ 6ԍCOՓ2FqMIRxPKIpzXlx\O~1tZcwaq۲Kt'Srlt[K'_Ķ^6LW&1v:&,I@(06lz09d,98 Ц'\oԮL2,Э Lrih2`{'=ϼnӮꪱ>^9#햕o{;Ƈrk,YRd)!&82'sv&[0`]V]~ed=ӞՕ񫃝L?`X\x]!T1A%Bs V N]2N] >0"(#B#2%u83NxkCRLhK̥ $C ]^=2_8“p^b&Ywo{x`뮻6 !y;^6b qdC+5`Jl.pPFJ iG?J O>f&M;x.c1R;8?EHJ\`1J@>#?FO1(nT0Cv߯NNҖ~WBco~UzQiba"XRJ0s="TE(e0˜z]CVal jGdܮe0hKJW_=v;O}S̐VzwhʊEo}+_i;J '{W[oɛ9gӻBo;Hg{DN1`D<;Oټ<5fr³QeDݜs7>۶|3LaLTOU\0-qb%:Jv޹t7[n٨.\MY>qGo5Lgny8e,2/ Nk4+zð~s ƀo^( G9$YOySڋ8C;+#z3Vzgv )g}-rɒy6gI=:'գr;}D}ks$;tO`- \G.u*HeӮ(8-~ p +3??nD0jg {ʂ7("Ay2gޕno+~՝/;򨣻zq1@9r8 ]>tꋁ[una S P;8q50/nwM#G?چdxַkh.%Ǒ0 eל]!}&' d &ϑ69mA:+-cpX?3Vڌ3>.5}avOLi[WGVE*!a/| #8V$L'QΡUx8Z˂{]5~No[*H7Nו/յ/ z~;=Ic=q84PnnFOPA6Vf NOa>5W7~ tLdGK3sy#Lj.袱]Н{I쳤- "5So <ʴ)3')e:4y |8},zkdQhJ7{aoto\?7o_PaE:eECXZABoJH&`BgkP4VJ0kص{S~aY\O+H>EO}Yx_'<9;'db9#]tpHCOxF%ua$J+2+|ڵqvp2q؇1U Ⓙ=/@* ?)u !ϒnsmFf ~Yr~*>iwM. 
6qTvZ]k}VzNѩ et_eux%א:rYzV[y7#.B"D 8q࣏>!(F9LC{ݓrbk{~_Re,n?AcݻG__p֙>3>m_gN1nQ 'ECkf.HYMo.8C^xR2Ď\vW櫟62ǠĈ𭯉.X궐;%6"$!}'S-Hi.u zO>?gN ~ׂyǯޙ`f>u坊%K6?)s~IN[N;0Zk  6 Y9qv:f 0S6M19[׾ztj}x 7VPn9~QO!]#6sx`y|蹵pp(P=[b貢Ӣ#%EŘIx1"Sv9n}X!Na== ?<2_Y[v۷,_~k; /Nlـ8'Ym(e޸eWSl7^•tg>ighnsc93`vmyg2H(!DY:F %a3#&c˭D9kpa<Y._t%U2|J{yVcZ˕oڶs*q(c͏N8~3OVpq/1BS'XptHv@vC>6Z,O1m]%x~wsXi8,ZJNJ ۷-p.;Lr3{ Sl"ƺmڔaG8$Ans?#\CGK{Nc_hڤQS s""Qq>ꃋ3o$W7|pʮ!_nޫ)ZFX)<Z!WbR,GgeA cF#O-<$ȀGt*)GƇ9üSFcv]vX-]zeǟ0莣ӫk2HxH ůk0Xu>}?|2qe>3 )slI;Z,YuV7pt ~seN}3i=mmUbs>00fB0 k\˖Dݛk/x9ppݏ%9Ps(C 4V]$+ov;1^ڶÃ6`K2Bgh\8ɼ$γoyw ƏH~h:F;wYrnqMG2 Y\3r2l(JO}Y{df>76Z(;ww[=K<㯟¯2__1өO;LbSG4%ʋ0,PLK .fn/6l]PcBgeuV710ehVЊ8 /ƣAhY>sCWӮk,oup1[oFdsk%޴J>2&3 +)A1c>cCV1=ߜRp& 2Ω~~T,~|WI}&ӴW> 39D9$r3c ej/nu}/yoN3,t3QѼpMƀ];{2҂[%}Vw_>bn/ {G7̅n5'c[Npc12('S a+j0;}\a+ƍy)j6JJ(5c'Qg |.LesJGR03_2F0 /zH^{MR!N;( xsvby> rpx3`IygRxs1nl~򖷼Uٹ|)'w}s|~*r|Ё; -L.D!`2rH:!zE9'*9Dr'x\PEq, <1TKV1>4\hИm>B6xk K]љ68e 6sĐ? IDAT/vDz]{ #Xwh׿٧?y+}y] ~\o^e[>GY.=B:^$v[ + xM;IT"dr(S0!a!'מLz!nt3^YQN+q8+tX43EgOXEƩ+Dž>ړ$6n2 >,i|5ь82 Ɛu9c&%vv|8|k.{dc,'vm%qlvݜ>oћ^X?h?sw“ow7:d;ӹbz:zazE67A /G;4Dh$ݞCYC+ ݁peQJB' s }\SļCP̡<hz46 Տ4\GAn0д?#<22!K{VAƢY]1\ %o';u'͌յC?͕w*e.}&3é5}ų\Rl9|Gv3TP<\lo|c ,oLvw~G-tU.8#/nc $yuY((u"=d((Ȼ) (Ny !%O N`J?@y.F.0c`RO@8I[ NvG; p- z8q:~ k}yD2P;2D'(]~iڂGZ1 $ }AdF<:`_yœpv^ɵŷE!9IJc{i~e8}Ni~om$sDnAB J+%ЅSQF"`Ř _feH0 0 $C83i0qi)EpdI:#\69|^0;dkԍU \O_UxKnJ+__&Ȓw?>ݒZ9ip$pƙ$]/?ӆ'1Fk88~Ȥ\+AH?'Hޏ7_py2pJ8%;SAH{Kdӳbh4&r<@6yLoW2mFqlj38C!9?=Mx~Ja`$ʤ\9(r6A@]x8"(hP(ka*&3l9.Ǡl9"m^qȊ,]p:!Ms  tKxCڻ~PG-U(50  xEKv0 h]k?4K Ï1hE+D_[9}Mbt@w NS?Znlr#1pHd7Τw;x ^~VvS4rOdI)R@nu\1s|j[I#(EH1R_HoII) ㄌCL N2/`8g-be3\p4s6 FZחj6_x9vvG>:8(91=I -6n<ϋZړ5цNc%MIvIK8{J |d#ٙ%|EK_` ŏVl֟v;xWTsV0'g(p1A WfQd'4-0z8y(u2%>`@攴%'Fd&m̵1p>pEř3Z} vdlWIxr h4?55IB;y'ostʃίm0-eBIٔy>&Ӵ#|Nk׿(Q)RG19` 0DVAA6ƥn`dp>VN.`1BO]qvcI`v 1,"GY dܜO>< OvL n%zuMJnI6 7rC9\pi>pxK`2~{# 闢v[rqˆc|#A2MwRI=8!(ɡ]~,(Oh{+^r}rBfí+_ʶ 0Nԟ#(M#Ĭ1vFP1KGMIQj>(36 08ye4ghDmJF6Jv#(8@;C`&n?3l<ˁ9 yƒ<7syÇ% J V-c+7uxCd<&\/:3Nv6 ଘcP$NO( 
8+g>d&d&dg1~b%tnc>͇~V9'01op)vu"S|'Exo^t>'q#z=vA>8$P=ЋG6"s%x\5ԗ6KH?D9X^;Y9y $IR+N 4r%9* uIxJHٶ1x)*+FQO0 G% Fz`wM}̧ۋ56G@Aek824<2.%|2d|D#n0av; <Ǹ$0da,8hӲ53Te.)x áOɡ1pjth'/cD>ONF4ZL >uIa?7.ȑ)Pف_.bc΍N0Јo6OJ\>e k){~3Y&)d`Z:oF9Dt &P%("Qד+~Qc6TZ"Lñ` Ozfƍ%`ɇb+W@J2C3T 8d{x|تx ~5F><q&8вndIxwm><U)r͛:E.խ I/(D:ۜ `P:& 5kXLqx}zn? ;EA`(3wގ<[o;F^epsږQ2o%S@?l!x b>G4&+ʓf --cdpǷl<;r XĜL;˭952^FƍFzڔA"3"4 Lx&,P雉rxJfl%c $sQ08v|8-q+ ʮ2tI<.).}pvBv'; Wt/)}VaКq%1關'_`^f.M;v! G<%$0(NK(AsB (?</c4B8B!:E$ڬSzxQe4_`1~"o{DZc#|CcP"88Y` d/ Vgpuxd2'(j8$Z#%`6Ƶ~c$c?'@~cX[4 x;#s#Jāq%Ȁ^2Bxj/sKt"ÉN"O%wyû< 6}ђ E~%)؀vɴWLs'!b()JǤvP:X 220טGQ`ճ#p0ΚFWr}/53p01=Ԏk@3 r*s1Hc[ 'GH $S ' /dG>d#CE:\0ze4O)xz1qc\DζVzu7 'B1%zrS$_W%~/" ?ȝN5/X4~%cpfrѦqǕAu4chmI` ]x+Xv#_6(9""g`L( CSr,O8x3pFO26Ac7ZUaنq\BN êO nF$<_m1P}x}JZ]"t9> s25yE& 3z$828\ngub?&_Pҗ}ӟ~؊)W^yEgg__e}M;cYvI>evH>.0G@xɦ__xQGVhC~Rdi͂@Bw?mvRk^8w6~#`C82CI#xƔ@81D? 鐌2tNEhER8sNNS9ftQ d|W,Nn9|h0E蒥vݹ^9ʑ_]u}j~>&LxasVx$r0ֻvp1cdyP2 ;8$F$^0l0pq6sy Z^\lc<(HȪb8 < I)81v8. <3& 8ci+Lf3 trn87|ë nvs/v8u~M/ O'1 ӷɡWۿsmu>پzISOwIO:isT|LdOdF!1z9 /pzV)*}SUߦܭk~vsOhm`ßtr{]͓?MNN=`|;=r;r-B)`?c'$FDUpn x!8%ZYRK;P/e x~mcdN6--JSO@&Ifx -x3!` \WvPd%1Vl:&s W4^2}r9wM|2z[J!'7/_@9G9/@:_U~vO8riÃ'8A,|hr'~.ec_v@eJJvoY=q`mPAc?ϋ+ϟ1^?ld4$ϛCyi aQN;|v[d 9Y"sj0J ]Du8 ^q!chJP@|d>u:+,7.pGV9t#+:» aռq^#IPDQGo^/$͟ӛ4/Få₹ N̝{ExǑl)ю~O1[/ zh#9e`A7 G Ms~旮,٧ O?eὪψ^c't7>.ydQ 67PL,` Ïzf(KX`1_h U捑F`1h pj`ƹ6Ƶ1Vs|F8ιH8 .C3ڍSWʙK`5|x+zbk25''r 5k༴v2Eȵ[ά+O|X^4$~c/կ*G[6:ͷRk~}UsTj_@&NLj_xw6m:FɅy$Sj'O_]Q W4d7;s ]ڍ]m2qan9R^l?%[=!P F(&Ƹ #QvJ v" 0NE'@xYi+ec$BkV+3F=ƢQi]N%U>uJ&3l  ,f -dדּjGUxz=Ӈ/xkDrP;wtF[8cW`c$K|]k|uW65p~;[/Kg827{ 7=jC`V}x\v$m#ZYl}&Ӵ@ƠDU/Kp @-Bt |T Xlp b(l' OA68d!h2z't^΢2q }%3 UkusPF8qpr_ dh>4"?|SV¡9F\'Gvo.7kkxV[1=yOvYO@#<pZJKF2o=}`7▕Nx^/Kk oJnӜ!Ý`'i^=y⍾;4PT66[jL"dt,R( 0O1^0eL@ @;(R(%‰Rxqh8a'"T/gVAk.`GGf,RЯ80)5 1͐2VݼI -{8idν'CF>`OpƨGfʾᖴkMg$RLh$##2{sVx/|dB`Q-vmE vHb@*8tۄ\1<3VX1`J000hvļ{)µmRSycؔ@9  4%ڴ4d;̧#,ÈOQdx\O-(9UC |ު 's̏6!X00+>9 ~%:K9 d~8$ -`]+Va>4'#3"q&s,vb=C$i3'#uv$%:C?x9}t~ŗ9}ǵJO` v9D腃-rc ө]ָ ~#ΆX\s<#'L(_b9E Q 
g&\\pPeL!(5E=B76[9G9s88H2=N͍vxe8|pWx`$hUnRTGp>DJou~Ycq]k9/CV{Ulgwdk^/f2SZ˜Ic_%Lp b̒o┶pIakǘ1MU" i8N% /s-2 NQ'q) #S$xB+HxR'0 sSڃ.uC1X4f^o1="gsBD6[U  ,cLsV|ROkJ2~0lpsK ›\i8/\.$J`-Rx\Z5Dvyp;@] 'e𛇲Ch![6;TE#<;tM^$J?@+CS2C38 JKh(dRWqDG+J ͒:3^>,%J`;X ;8``0/Q.JԵ"%K$[]**J:)'eI%YSvJ\*e[N\K+YV-JE ppc083}?iJl6={|VtD&_CxcJx3]҇'}V~p Mهa 2G* f<p݋aqSO$)߱q -<0fv ^j, ݍ %F̢Ep[+}Ы:tR éތAIk|wPa8K&;4hN rvt$LRJѵJ,A>N]ʹ86srPfLdHdwre 4AuY]/ّ[~ߘ&8_VםËF%:hӥȐ^ح6Й64ѡ2}7ůs}oc&`+S%80\@ic֭PBR x9X,DZaJ5*sp}GqjNhД[im\AQbtcJNV(u͏.1+YzuƇƈ'`8C-i#sr[~4bsi6X65.|jC6K( L% hP%0`!PJJ'lc#q(uǩWgH>phf r8$ڳRa$\E>Aj\8V@ԍ 0040m8$';S{G.㥟q$|p  YvTF6eqnR0ZC#Y1x[DxC%x $3zl9m,U'tD"nՁ?N |,rvlt';/溎+`W"&IBvn, ƋA̪<@2S2a#Ε1I1z0` 60P~!9'x ,c1g84Xx`$ V_B>VO4z6IIgrͪd> ^e ZV&;a_u睾Gs ʹ *X9 /=JJf28 <PG} >B`D)f6`~NaxK?*>e2Z.]fryc.F óxÓ.V/3XSOr]ʌ.FiOpջ=7Ed м|pMoNvI`Nr2E=UI%u @. mFd5>Yi3sޝG>d4~>q#cr/z % 4!^Y^]G_u$09x1.u3Vk< R3Øx2XuJ5MRr ?cD#a< C.%:.ITR\N;6&2!tK0E/KRCʹ{:/ nx4XpM*s|*xK%w{OE>LfK]/,|X4?Fzq$|O_RؤLZ!6 M :=UncRjuAgb&(#H'3~B 0Fwe|oLVpҍX;ԎgJ JQ4Zdcv;5XY@I዁G0ψSc;<G.x2Xrr] K> tvB'z{{nv5rxW?ݠwdd3#ҡK$cK1SxpMw$]BBWJYxpӡ-i9OЂC֦Ug.%t`Q/W'γ*næ %rx$ OIvK8 Y?r&#pzr{jC~`439xn6P|ga]nn%KMC7O<وCiuF&+P.K*@xւ,cG7[5z ԣEz9x0ņND"KFKdKM;`uw{+bt] |>Y-i1p( R;IN6Eb1t"hXYX+ 3bsq ϡe^ i| Np9Z$:B3" 8/`+Q 9 щFKx\x+%vN2--ю7~ \p2FLg0-'uƞ~?Uryv@heZ>B<3s^N{zdz`ENH!&ـMff;x" 7"L2ȍo8x%7O՝ fq|2?N6 6H;~|PO߉?b?pdrrS_\W(WR G&Xc#D?psaS<|08Ѯ5L *%p2Ɓvc2 ,)rЌŲ_#1(W]eFֆ2#C.>}Kя#yЋG.n#ld FKd0" <#¡=Ƥ918=8Y? 
Scy-C!=З ZAiAs}Є6Û`1YK9'tZӮo q.CYS&On6>e(ǗqM<-?#XGv2&;rʹj>ζorSouW\Fk/L>_jG`\KېdYIrf79@^d29=;]M$`w^e/8cǘ`6>lIԞmÖϷ>wzwC7 |tJW?8/ 5{}C|3?cAAf""vA0G'ucNJsxo#@<#SGAsNX%J&8ݟ3kA@0Ѐ>,,rl1۸ x L3&L ^P.vrTJpInX(>@.طlAX )iӇS>69QN'I$_h~,8,ll_/x܁x@l?C >ups\"i!3|Hh_{"FjO&6)d.9;7O5k7X݂2ض64N?זY&ၝc?{6?_뱪P]#r O})YN*Mx ` CSF `RCw.<(XSvmqE~H2`Kp6=8:{"f_BqeKޜp` hR=xNc tCoQuVWՑ#SDf'\~Oz ݂o|vzE <>' !wWGxQ5zt;Ə> Ek.'1z`h9]fȭH u8cf$9sZ}xQ1N?_cOP''Վq&۹RKЊ.}AɆ9W~jÑ[dHqYA3XzFR; o0Nt ^㐍l=>D UKvd.n3|5m+9YJf6$!_`XA32=ܼIĿRޥdW/ 9?[-++/Nl?hgtOLƮ;+O_4Uoeuy˂zJtm=ٞTT}tPioj {#uʥm6P,"L D>cPXD8# IDATRBg`2x6cIJX 8+\hp 7ye+lP$zr 2!c,2# ~xg87fha >e m1F% xr%eI$97[s2c`ch I F&8~.YwSrM3`A&dnK3;79h"#cSI}u% hO"Iƴ@dD>"4 %/Ft*_k7[FP[dmqk;XwQ.;Gemx'oX.js{A'2:#{ʗ{Xbb^]}I ,sg@?X(H?q8\8Sǡz p,89g pJG @9TD -V4C?Y!^`ZJz%b| i~L5v_gg}8+:K2-rFc#u2n#gp* 9 =D,,9|2j;A@F6_M_h B6գ[8;+Av!K4ZIXYɟI^.h7ce2c.k{vz@,01zg k\[fErnrc@.no?f õ2|ye %F#I "ĄpRF-BQ&cbe_4ʭJx6[ܤ ^BCo=vgNu@-%⡶is;ݰݸu[9ł眹%2Nc7C;Cb\97KpJ0p1 9៣e?6r"8c"7}B晑Sg%>$ǜµD M;G^6)ɓ^?ia\z' #$3 'z''GW+I&4n|R2MC.E8~αR&ڮ+ޑ 5l{=ԡ5k5_ 5 X]*?F^K7ׯQת`ECY>c@1(`p0hK0(,d*~ɒ4u|}li\5Qʏ=H'8,X߶n,oL4q 8LJ6)sx̌д3PF.1zF ?J,c9oE lgU7 & niuIv0Y;~8 ]~`G] 9zKKqthS[Aq.'N'$cDOW} 3 [P'/Ή'*}M}C+z+ni.Cdv`rR45SwEL;>,~vKW*:m޶m֞_#8UxH{neuXrEʺ[߶ߴfm}swOO?ku聏ql6gL ٥ Yм7hFO&G Ӳ1>҇d F][=5T%U|]js'Z-72[&?)E7Gɓ?ꍾ6~LL[6P n/UVZ?x_zo.Z3_CmY~WkGFw-wnm.]E U_Qɺñh`{=nňJ׵(X,3YL4AjSNGX! 
T{L''0h_͒gΌZOYsz[{ǰ>O_{C>;3z9{ʌ /f4ֳ\}=}5% 􉲭6Wkxfz`JÅecMϷݏ=cmڦN7Gڞv1hh ̾⇱rvm_ctݯԙ͚6E,f,<\I~dm\r$k81j/;fs)Kfn88cǹFG >A5c[%%[L9 DV>F@~{m  ݸ qѝdIx;?[oko3G[ۉcSzžKۍwN+:wE%mK_ zs8e=)_gWW%aieB3S)3VNpIG𳂞'k/]+'3SuWBgt T`]G#dv1|+p710%2rx)#Etã1Ʌ ڥx7~ p}A=6׊ ACIxns |c kCP#R 9N 3h#n64ԁŗvػֻ.Jg?}=k%u2wzηuEm`h6yvm%j3dZvZQ]sR(`(1 098q4mN)蜼pc¯:pIƆCӶghI z9*Zv%Z9.\`rTNǫq~`xC-3.c )+dphs٠^2.&q4x{k~vp JX ƢIt%> I£?9sj4Z{*==Y[#x6s/4ݘ#t=.%cɎNl;ڙeZszof=om- Jq;;nOKm\V^i7ܴgڱmJ=vy?l)c0\/0@11()BB -Nel0p` qKIŨs^*m{1~eFp+'/8wެ*H%}ůs8$hNvI\NW?8О̵K >%'ƟU.R1:!A2~$;r$gl:҇Lw$fl+)٨A6Rlj@&u.Ei%O6ץ4L]|=?TX`;s~xvZoׇSGh֏Ԧs<}{v-[kT8nk6nKVԷ%Š/:sG ~4nNܝ,S~>WRotq2NˎSHF "Ek7syhXjcTO$px#G@gA8C9 Xc n1|;8 zwGq]oD;\fPdl,upB"kt8G rs8eAXsL8| >I4_1{8Ն^tU;Ƴ ܞit}ë68ݬ;rg=ƨkpeW^2x~OPt.kGjh( S֯o܉dxPBQĵTF` Fap cJ#\BGrcm0iW§㜫ԖcR6$ǒz&1K1"#'808A@_0VId}l v6VC(sp|30ht8sNL .WuDZФMc}F<~{}ud^|mUێV)dl0cZ-8ك`ohlhm1%|uKnm*^\^oK:5w@@^Z~zuh}wm}{;piw_j>@[9΍^ENxKN[/Zl秗<bK> J_gD2k1UA¿nǠHTryh /s,F$;Kfqh lzCSS=1i3K`gЌ^~K_f)AnDx|RƃW{t[ α>wu<|L$cVw)`Sϵ|ތRFIOMcgzƛ1qRНw q;] `2kٚEo~፾[ýGFomلz?oOhʫفѳmzcs}f2@]`R)uFhihf#Fttۘ[($N_R,EHcO+4>2ڝ3`ԥx8YENɹ8V.C[YEtӌ>x%Wh cpܳwΡ<yu8O'8="+modH6[~wKĉ9zhKt$-~N>D3z'I[Т?=?UoDtY5RђͯxoQ獾;덾۞FZFX⺝ynwNէ/Bj?`l׾"^'}/YVo$h۷cC=൬5g/p2ڐ9?G&/^򇥚[Hsp!^)1V6a< I+9rZ)nVpr-uf7xg<7?ԁ}7Rt,/1|-Ƶ,|+We>8IhCrR/vgg\0.9<.wڼ>Kj3N,/ãt/~ ] ?x>Თ`W*)デ}wvPXvٶ=ڈ 7ԃ=%4ח|N%z^Z[F7>w7>ȲƿuK;=ml_},Uɹz-#+֯K:kP t9SaK??\^+L%˞__\K+|c1BIA M/)Kl9lnN;aXF阁0cƥ]uS'` tN?eE#a~ݰ%%cr~/4YOwo0np.AF N|Q"բpj\ l^#1Ç A^уfp^_0ơs\G-'&1O?2£cOWgڥcڎoFnn}ke#FNYpP9RvNqpZdJHad9G\8|803s}ech$8}]jN0ޘ$~yם8I';zР{'#4 +s*ڠA6_\ಷ$ɎCKo||J|>:5X{q|0.Q0Lo|b}gkBo=wDۿs]Co{.#b]PgD}a{;񒺍ty=] o2>.cˡ[[imUM"o}{h*r롱mr,h;l7PMwɼWw|P/zŐ%YD"3u >KN')[. 
oEf9 4mn~ԅc_ӎn.h\s5e>GtOB ~\h32.z\+fw[ P+VACGP2<Ǐ#m_uv珽egʷo׮nC;#zknղY~êYY7j neCWOoy\@O=hWѱ±mm7-n︹-o} " ۙcn꼄@DyLAYy iQTS]:E`s]{nҞz%+ ig1 pY3(_/#VTx8>CC1eN}^Gx$Y} В6Ipf{ـ^ډk-En^չ`#<~%ӏ~xdd&0L\yҐ&7s9x~xr//u}[nYm_OF_uڳ,x[MO׻+w%|Y}/?.O8n=ig\Z\:ЖYjđ~ `x]}6vrhh޶hùPDrgJK"BrL@&cM?wm]\ IDATn3 ZL!(δ SD Rʹ7L96x}adm|3žvɽ홯>S;kayۡvk֧#;kWיzoCNF9d=oN_jk,nM3'{R뷔ǀ׷H_mݶz[A3jeT9 <7gS_q( A!/wZ*وl`mp~qx r;;蘛C_we8 A 99CGftp+7 ]&Y83Onoàm:}}&ux d!@K7mt+ I0fdqF1ծcOJ_2 /+q'$?ZKvt%|}Y>\ZK'Z@ jc tL-[P[_?53]raUYO=pQ[_ :^ {톛ח\zۡ]k_فSAgYêWJ!(E NyG(`\3Z>R ϵegSf6;2' pFsq簒c3 ۖWf'gډE`oھ~5xM4Vn<מkZ'oTC?+|?$PCPJ9x/Q"OR<#,FNYfM9};;'^|_}KFVkvFP%zc+4? lİ0(2F.1>m>aRڪI#Aޅ!kK2z}Cv:duJl$m6n鿳hͪVn`cc%2ЭhY{hTwN`%+x}uV(yOڍV|b;`q~jWbwh35?b;Rm5 Kۏʏ%hoP.{WO,Z=^O7Oemol';jNjV,<;tjVᙱS3:?\ :OMo-f 3uDBy2b\e$讇N 2q" :R@N< 6?Lɰ1cah3VchB{Fd(՝`dmS8  h1z飞FFwس/~/V= TNj]h7̑[iCqCgtЦ] 'ؒsA1Yw ;N6\& d؟shCGQ5{o{͏^ةmy=sr6߱^խH-O}_`EVnV|iݲ[RK]ܡ7Z_ \Ε>-[T'h'&ۚڦ;E &D>rنՇCzn! a)R}xMNܲ{%uX~'ؑ{k94P3I+zD'au[_1"f~cd849'0vwc,vFH) hC`h2f4v} 6xhrRn{^( eՁnJJ:Ѕ'up+%N"c!CviE^ $/R @K ] Y3oK݊[;v}/;5 =m~oh}A9rv?i{d`}qǾ1}m6܅w~'m۽Nʡ~:6v;6W*@<#({xd'2E[0#[v񻽢j_*cR^_JIAhyi(__ǔLʌq*QuiH)_=8X{Or_2zϘҟ\IuNtKk,v)m+^;dlEd`\^K`r/Y LջNO,<#Ckڒ;+YדxQ7ww rSu}^KxGo޾zhr2XϘL;?}yz}mkWy=Id>V׏,_Įrb }jz.|D^?5 @I/Iro`$H>meL}7l ࢤsP 4+cq~F©Cq:t^|qFB/8tKA'' 곷b`] 0C$ΌI jV>=_IeL\{yhsiR dd< (rumpz/l{gB +%u߱ё'Oq|sT|w80~|"tkyd(!AH|NYT=X=znBkFe y+&L=7urbײ.xo}_4qa}sVo.yu>QxT5shM;_{g>v;S_-ze| g]4#6v_:NQe+[Ҹ5ct%CP [O\^:y:ɩVoRiW>(Jy(=Q:M!JcЌбYO~1j1Rx\PчѢI?X2&c_H09yaKks{g{=\6oz^˗.lwƟt+#OS3rυ#mϙ'.u:utz9q %W ++=ńF(JB"H >.NkssZuS(Ti|nnj Q蜃 pɵM8e81If0qc6dN8F'g5 .C9Ɨq*oVA ~~cm▱Y|oяOڸQ_^;Q4-Z}չglAIiUvD.^-0v$Mve8drіGGpj׾/~乷-e&wf*-y9fE_ڪ]xe…Mw.>ܱ-Ϯ11=1ۧSWO%?<Ք @[;nyQpu"@ d[ |`60&)r{"w.)ӿ1)R%nzr<׀/  qpdӀ# fCN8An`dFM.A'P983"o hx$AjAr{˒#fcjGLm[e{k_u_p-Y!s.N;-gn+m}1".|<px?>b"xy]I k۹2OsmdG4dleZ/ /S,TEc]98d+湽wXxCž_;wTfo3Ɍ_6W&]{_ o8ä<ʈ:# !G$]5P%ӷ4Mݴu+[mi?x πcN&SVIH OfFjKԭMel8`ĩ_0s'{0O8R'pVU<.V-\ƟW\{rsw;~_yߊW\6y>Ta%c,hdƇgk=>sW6usV[+cmsϴ nD=VOTzb:[/kf7׌ #[Fڮk{jS+seWO_lv߿lmo'̼>N{~vJҩtfM۲UDN&v>:R/\±zx3 
J񳳟o3sqq.N;#3 :^/n#e5o(kR_A4d6c. #q;bdJ398)AtWI^Nku;}ZЇL[ӒXu8K|0fg0YPGq77.\t =eWg kh=6⍵2}m3ԯToOQJRO ޜw9g:#g<} K]۹#j<娑 /X|$] 8HtpLϔ=\|noֳ[ksmѦzp;h;3eV /V0= IDAT-mi .@]i# 7lngk| mꖠM#B塶n톲o]j+gFAv=gZSc՝ӢuGނ[nEgۏOԗt7`}~fj\6vvע+%>)O;z+Y\/%=m9XKk]3@:kTNZ(šݎߍ,0uQPx\jlY#r~Ye1J+{f>:89DZ疁Sꛀgs'fl. }S2ec3q8++^/@Lo72lXZ}m͋ڲMgQ.\-_˅:'z;jǎnz?}^emxN_ۙk:|_V5^=d[nm݁X?}]omł=msE #/'" 3O~Y36?J4>?(tVW_80sН}2>a EpFoי42ppp0xe-ݰ(:NK%(%ewa@ ))3V $NwxqbmM?x1܂,z:N_6a6ny.Mjgpu?,؉z~O^w ''׵E{[G' YJ{{[zm]r֥KK ښUMu3ծ*М;?ўy<[uCMV# {{T}9~5wO\zP-f`ƗɂȅJ.ksG?яdP;3w;HkjSR_2/7^:m<"7{%PY2LY>a_apҦF_*hKqڔ˩r:ze-l'oj)oڬ#2ES ;?ipduO7Ѝ;fg83DRi-,/'v\ʕCRIJ9\qWRc;llɶdS%r8;7:cY86.w}s=$;^mԯ# =? fĞH[Q_]bo^hX!Ї_'0Hߐ e~qo03 [4pU\Vl ]e%[+\߄|7yC_ CIwDLy­M$V r(Q՜5Ծ 4Q BeɊ5qu{,CI~>zr*)=ʕ "/rMFRYBޟ[{kBzCeSOwӄ麾~a#j@Gbm$ u!im.5eHy1j]Ͷ0BQo'0 c+Kl_ <.%SdmA,Df+WfO!o<4Z?U ĂC-J-y3}X1~yN+wE:vJp(u UP(M|?tI.=q15# P:'CJ~ɡv0u8 Ǯ1h|+W]8j?ƪs 9=EƯmx%⭨?hu5W.$\( mtMHf֫YX /{96>8&,}먠>LhKk!dV`ux>FA(%PdC1c| L(sjlo`DȪTqjǴ}A {\ Mrv6ꂠIRXn_ꅊ|^>ߙ{"{O!w1ÏSd܁D[ɜ#TYC@C@%r\HAbEרhUI@} p=WG}y z_zO_mli|* 8կMkܺ" s_]~>~G"]G~l߹jqG=4t&irsIX!QZTդvd XXj($W* zHMj8 izj/R] =_N04&ҪoݫCk[I׵~=UV;E}jW8Vzw_bpMs]Ӫ. CmwPs`y{Hf]T6G%X;H]dWߺs0'p:]0:r"' M5uD}O\0):Z 3G.qbs~~_|Eam}ޜ3q&olرX[26]U^AB>niGUN7k*izrk*c*!GHAHb^1虪e$$̙3){n~4;p`o u( E](,^H%1鷅O"'| cl&X$ ?6b0{"IG>l l ֑oa6\Z.J@YKrГ6 =ԋ2ȴ5׶Z/6 ȟd? ܳgo6qe>?e?7~mOе^dCRG;2K%JP؋@do#o0>,|Ht-\zϽVFZb hV;B> !~Qp wѹ *j s;y j:%Zw}pص=!5%=ןu1Dz8B/bJ/F[:WPaVqxTьlUr }칏mę\: D ^5vG]OmcՎF^obڂkg/%Yf"T'ϲIWi+-!6DM6H3J#VlYxdi%{X/_>ӝ;4}{ z -;Bd`Je! 
G a#=B:׳ڧ^ӹ[o繀[QKйrU'D&jD 垼N;ޝ@d*2˶akV[X"̔u"L:]l`d@σWk7)mض[[Ӥ}y WY[Yްʊ|;z }MǬD#{o[@i,’P(8\jg%u>nO4담#FF-MV0[>QJ HfJ=Q|uC1쥻~;!{ O@Sn{6&V|n[aZIz Y(OIzܟu\WYy!Utu.'PkU\@/?sc q{i EA8kHVX1j,Q ']);lLoiYk^[bMp%e u6vc/V {~VS]{?=_"-"R211?N];3Oh)n!_ûid!Dv"Z_XufeU' ='};"VX|Nsv=SB :0@Vj!=Ecz5;yk*PП\^չ nTe-շɟ B,;zPm#XRQBG!fDuq2 [> ð8QyR3ioh} K6:2 ]o5hms/fyZj[A+ ļƔ MO.ڥi=]cxXd%\ybҦA<($BҳlnϏgqxqMh]5:@_mBK[馤 &4/~hD#+fVx~",A?<.}@h$ |~ͽS]_ii8c - FE8HS b8 3ݥ|[lc*I|r`:Z6,&%Q 6#(l!@á/~Mk+Z8k6ƶ5e׉n5bJЏAwڕo #'&ّ҆7#(*WZe';-וMBrr*7mi&mN#a@SvKu8(8vvEԛ/.?{qۣvTwODPyR{NvʽSՅA=ۀ DcՆVRWh?)8ɔBTT&e7/N11 "6]/#fYЀ-&&}?xh1[H[9&BBc;1ElX\PM+\YCV$!؆ (O#XRXZ'$+ wj#󭡣_q b`5v$WSY_ObG ~DH`b2ye-wn#?O;˻N˭gymUpq NC1 9\!᠊Z+.׿~r6Ps06(-`{35₵ofԶۥ7/-Z-2&ɉ>@jQ^zyH"T߶aVi]0(SP!˰Ezo@ ND 2x+Xڵܷx4Bh . @b;Ep~>)Gx_HE6;J] 2{Vi2n^|:ě[a؁OXVW5%)0G0)-3Df2ÐRȉlfQ9hm]65,AwKͮڷ{( P@c !P-zN*t5k>QeMl Qĺg=/ s0b dfx?Sgm@L^ Ή ~-^: KOr qoN7K۩B?׬ t܈ ˬ..YcS-%QKzNEZ|FiBB\HH2VYg[h?bWZþ{n"[W{4>B|uTt'Xڹ=8 #F[rrfnp-aGm碫0'aW}P.yETjsu}f'%0\as&@c&`.4H엿/?"ӂP܁γ ıyB"2<ςb \rloZwC`H\h)v_Kv^2 PNK/~u78[Ü+G|^xR^R٭nmn) ^wQsح U۔Fڭ7(:9")6ʹ7w_O>L!l+~*9\Aѯce_ٖ0/]R>.60ߍ&\` n}mO!T@諱kב,`ulU ZK um>y<sN( $Ȫ*Z 5|QKb[v`sTHOHd ClO|o)DyZg__5,M@{~S5n2{=(No|t 'olQM e᠑Si?:XܡQpȽY<'QQdO}i<)XCsM%rß&[hki9F"S BD-u}ohihƮ1@l{]ڎe oXcW9zPsmD8F⑚Z(K'. ^Vh66de(_@ s{O@>ݖ2c-b7Kׇ(?ľ?C¦񃠠/64V~zkʠ6l~wZ ƳE=}pa8H݄"jΘnce.m[<+9Y4m1Vukl ڋv`8*4t4c7gSvC F C0/&K|Bv2RKk%bkdws3^^H'@ď;_iw&ҽ[u] D[yMUֈ\aB ;S&řsalܫ`Sˁ(.|PbeO?4. 
} x)Q'Vsd,,`/jUExrFW;~#Q\/cK H ڀ_ x5D=wʅ'Pضڂs/ʿGF c-}āVaNs˞_gC'x)(*f7uᐳ9+B?8}ȾsmВ D'F:8c8Y'Q"{ #䀽?[)T{ 3}m Pu\RBsW|΍'qsP:G B$Hh  @3UV~v=2_g۲qOW($b>}ϯ#<$*n&q }A\w^t > G6R!4ve]lgѺOdu$*$?ځ Co%0V\߼O*܃%lFUC7vF8ϟC>xm>"+2M9 Z/exAذm@˴  `%g 36~mD#ضǟS=DZ"6t~؆/[ CB)ܣƁ |H2mk:kR;)x]>0"3)WqIy7u [;~s^lcTcǣs3O  K?zh`q7ys;n?KKo'Vۅ tΏ-Clګm'Owv}?gEՅ>hlۍ =޲_e5.F ]gDx&@8 ))Q왱ўAa ch/bmi[`7(C 0f!/cxTް>lt {&#Q/ N4#\S@|ݞu>vokWnک.ͣrcUClZ|Y{]=w TfW+Fܗ'97˞9=4$uxn'<׊[:cF_ NBm?ӧC?ꋀ&i=Џȅu>`ElMjQƱHۂjhePup^( [lQ 5jGy.5|Ma " 8@~/z/}|PuoVb ](l`D3f[K[>V 6hllȬt56L¥5kv뗑`Wه~-ﰵmc^ߵ!ą(UtD^z Sv Q&; qV{V\~Žo2:+ Z",q6; "E'80`܆^hfӞĔO6\\CXRҖwN/S2 ߍC?yxUw]ϱ4!}X]U(>5b^򶊰TA=w%O}}>n_e@2kǛۆ}Q- 6m83J0j'#VV9to&=Q y~W,5t]/Y,4J0Prtq a%HD!-MRu6i?rw]O[7Zu JXˬCG!`DcP,EVp6$DMܷICHdc8*]MmΝM[57EAq/=/@WZ\WOۈK]]ݧO-@u*@y@a`w`Ͻpwj(xmtnn_a.{F኷/@+ڣ(_ ͹riDU0i%੨i=鷟Ov^}yFALmO[f4Vlꄽ7\Ux'WD>^bܔaQ)+8͚GwC5LyYY7ڌY [WYYDHfʵPq |XB+ćbGneKpubia5=!O3ˑ6DUm n8oBS?>cvW 'o܏rzvĞ'`ag"cg虰}u[ZcoC/j0'% y t H xMAw"rr`o+P, m^c-HoB)l@`[{bp ?=;w\m`²FT/͛7' !o%Mf# v Nn~(?}ۨeϞ1Dh\g,AN~#(Ϡg.94Vn_->$|QC=zVM6~΢%q{M +,#:jނJ;s00-Bŷc:v"3y܇PJB7hJ Ř[u"g 3x’7R^>4c5 V!uTn>ږ hjAҼK ܦ'@ّa+X!/D WTB.8 ^/+׽j!(c [>Lk J}ßJM16֐ݸ|gp&SI[FO( 54';b5ݵoؗ[zXǚ"&,,/0i_@_NtM:~)DrEkYىOj, ŐFO6X=){~ ;UM Oa9Ӏ3K !y$oÈ?Lf1 4|n#ԀuHJ $ L,"GNDj IxR_< {tUp6^6q]%V4FeӑjdدQt#x XA5Sekee쭥fIFn,<;nOu>?g xj,cV AK3_eVZxb,E(P-M\F%-  n&&OMX 22Ƕp D*'h I 72Uof)r)}-]Q~h h!D[g{ p @H@XXYK"L c݁ "Wl8ヘ+jP;Gf{Ο%w ~Ꮀ2' @qW{p+}5]I`7K7, |& 5ZkW 6> 9M'8p,S6ʐk՟8#cĺ~biw;\~}ՔU1h.S )?xnYQXgfY))4 v4xniwWaʔ0@N5 DJք@4qvvvсv^ =eJ#!q91m6#DK",,ahe`I`bt!1fuY}i1DQ/*3  .@~--}:)|`w(x R('ڎcЅh́_aa.%GTh$D!77{?ӏ,]~8BPܯ9mC+ފZ@ B ߁9^?ΑT5?^^{ٞ5uk[0RѳБ$8*x֏gEV*;/[Rs>λ}n#ǯN0IJEy&n5DҬ$_?! `-/66u~+eCs}&"ݻB._? 
B*;R\^vsse"LKU 4iDiU 0@W,3^,`{!18}{tL{>~!h"!r.p'zO/eFI|r?ue^kޗ_N@#bEy%VF [1I_-J[$kU#,G{B,74RY}2R=F#9W?=G;Y^}UVw$ סs>7U?}G`u`S>|9* ߭sTVk{OBUpkI[>ܟ~5&Sj͹UuH/3F#T_QzG3`A.qP:9zO>fz˺_&>VȁsM2/+{nׯ|V'~=;Pݝ[C@( SҘ՟B#0`Y/fGsԯ?Ke!H~|OjUVo !5<'nekNOR>-MnΕvd9g}PR; XU>8ùY3xi+ Zoew*H=w3kRS<\6;d:^_={5?8z :ﴚYW?ǁ^ާT*p^/n_@@€y{>ڏ-@\@=LW~=O7/?f<IENDB`fwbuilder-5.3.7/src/libgui/Images/fwbuilder3-72x72.png000066400000000000000000000211541303637203600223310ustar00rootroot00000000000000PNG  IHDRHHUGsRGBbKGD pHYs.#.#x?v!IDATxkpdgy}ԒfFIɞG0^ok(vmK%ETHN Cِ엄T6Jl lgs5]/A:\<68ꚞ> ADž `E{%K|`}4|'4M+2~75.4z?>se ɓC4I$HrkrP|ߏq:ZrL\& 쉉 Hd2x O?$>qXd۶mL& qe!IR2RYYYAplP. t:/vm_8@Qpl*bΝng+l6yhF"{/ʹ3L[Ql $1b? <{Z-ɓuUU{AzϞ=?W0>xuݟt/“O>) yy O~CvܽMJ L';?080{uo @$I/jLӤlyWb(癮%IɲKo&BִmnZFufyޝz?tlU@>='ODuMs0֔^z;TUd$( XLEqq}ӟ0uq }DQ@$UC HR$ZtCc\lzw( T5&]^缑tB& V% DB u-A@"@Q$b&/?>C7>N&d2 LL%tt&e366JsqdYft [U\{5MӘ,6ZvM&Aeljn\ulj" 2 EYd2d2,LM? s6mN(eNl&SUu˅`Crnp멪JRaaav{r%ihc=$I~Uo} lr;[px<Y|$I8R\.yMq}122BR=zb===4Mwap @ݦ`&:JV*VB@P,R8W/֭[f˖a ===,//366ɸ Rh4PNW_9 E˲t:lڴl6K:fqq:sC4M&>?yއeYZ-<cccJ.c||9J҆8JWw(@Zc GF[ ^4ϬVo )<<쳤R)~aDQ̙3^:7ҷmt:DQD$6|h4)r<'x?Ɏ;,YrcYRըT* 6t:evut+M7ٷojEQ" mufffx(c,.[(F״, /( i"IT*45}^<ϋX-dpa`)IR!x4IRl6\r%R(d2b1VVV+"-uGUUx+x׻ɷ M-=ZJi-644{ii IR o]ץhPl64_ c7?ѣT*d2)ٳYn64xUU hR/rTRJ&J%癛xῧ^tP5(J:u/ 3'/P^8}4+++ ~NK^LX2,k퇡$Ia8CR!FFFȑ#ؘ<55aE~IJ l69z(miW\qj5"QV$* v;-T*oeQ׽״AțIOO{aiihN>i\w/硪*ZNU;SV4M60>>N<,"J4- a_(*o6qNFqȲ^6%,_K|dN'ݕ׳3N>$I>}{UU? 
jCQto6ukoy,jys i߿\%\uUQT-IemKacYaa.7t:\~t:}QFGя T6I(RTuT*P*{[nbeL,>a300 &N:,(Jt,i###d2.R*Z[G鉜q3B&^0bxR "dL&C.Cev2L(PQfFf}Eℎu]z{{1MB@a,--ERŢdEQ"08[d)J  @UU<ϋއ7r p t:lێ@iyQo@jQK~.6$Q,VQ"8\DYm椓ɤ b MӢJk' B2 #bD"AZ% GI5rÇiZk(lhZZ-@daaaC!\u#344ڶt:uaV(lu=!@F0 W~Nܲ,^~eZ###\ODlwM7GN:Y Z6CCC (X (Q愺c&wZrޗrOs $Iضm[$ɲ|Rdh1@ry^넱NXkSUvt}LNNt<+ߺjO~|uI&LNNL&YYYhN1 #ZPɓ dvvoU u8p\O@>'&&v(n$QQ9zh뚦eYYld-iR.)JZ(l޼|~-Q{(V1 k}CHDՊ(αc"ӎbd2mۆeY޽;rnx)Fy^C[yơCujraD.6.rL!Ԇ@Kw2b-[JcrrF+ǶgU PHE۶9}4Ǐg||k6p[ ߸K!366 m,//ߡ8bv=@ތ뮻u2'NT*ND" oGQjTYH=p;wdݼFJAqU2d``YY\\֐Z3Ze*IjN]'p-CiJtd@x;RdPmbXɚNc=կrQwG*n _eQբD+V?B_notzGםܚI.cbbzm۔J .!ʚWZN~I[I02MT², yBu#G| ȭ|~R-4#Zڀ{Bٳt:]<, vwnȲL<'JiZF["0"5lj6pj8g' b$T“XN< TKcv$u}ĉ<3ju| f :H!LMMI>ud2>X]]/PDA!ݮwFz*RJ9M.QeTtzNPk1 2(q5WI vHhCOmǁmbwݴVE;PA4P(0<VIDZ*m;*mFFFwzJ\!6B2$#y"'!:9%K[4r)U/7ͿN< ^($¾Pjr9,[nЁ?~!mwœu7|*3<#P!cK+ C)Fex<Ǧ]ij%篁uB /"{4 &-MMMM razZG~65uX̧bX4+1 YvӶ9 Dc;k5dPpݻW@*|rŁVO$|g=Qò,ٶmu4Ml]uF0m?Eszi-}n_%QScz}œ.W3/Z^c@i7^@g%x ց kzR':O)āa-WZe-w] O_\~~q\nUʓot@/7겶Zg(CXF[m8qθڞ{k͗ HRLg%tEXtdate:create2013-06-19T15:09:20+02:00X%tEXtdate:modify2013-06-19T15:09:20+02:00aD2IENDB`fwbuilder-5.3.7/src/libgui/Images/fwbuilder3.png000066400000000000000000000022251303637203600215400ustar00rootroot00000000000000PNG  IHDRשsRGB1PLTEnnn'''222'''aaaxxxvvvuuu)v*#gT 3G%P.O"i L%4u;XN*<G7>:45 0?<7B 5333@@@kkkooo^^^JJJvvv]]]FFF666)))VVVuuuyyy888+++tttɀ:821.'xxx1.(̶www~~~}}}pppsssrrrnnnŰiii:$PdJ{{{___TTTHHH===???1M)E%P/PqDdddQQQAAA;>:C,H)R)P.Q57{2G+X.R*S1Q7AA!E*6Cc9+I!Y1CH)G,4Ep$6b5p4z.pO`KWWW>>>%CO~.6a:w 6|,sf,;tRNS 00UMZTofSa9SffSk_@P׈p}bKGDH pHYs.#.#x?vGIDAT(c`k[&;{fkk$ptr&I(&a ÃY? 
0(6ĖE#4,<"2*:&U $F OHLNEgKIMKGJd$Q% BQ%D *qE+(U!y WJp 2ʥQ%dEɯoGPhljnnhmklRTJ(vOp8i!g̜5,1g : -^,lV%׬]~䒉6oٺm ML h>lu縩%tEXtdate:create2013-06-19T15:09:20+02:00X%tEXtdate:modify2013-06-19T15:09:20+02:00aD2IENDB`fwbuilder-5.3.7/src/libgui/Images/library_switch_screenshot.png000066400000000000000000000706641303637203600247700ustar00rootroot00000000000000PNG  IHDRe uiCCPICC ProfilexՖgT{rfdq90Ca2bfq׀% J\"E0aAe] 큋9V~p br3NH!i ,4sX0?*'6 4p2ةA+PN&aT!|dW9~=1HdIlv< 0r!lN`q!&jbX1rXx_/]3x)ŗeb!5<%{rZf^-ܐeq|ee:}z~2f~˓b~~V`2gd.s~Bp2sb]qne=14oc.x##2n136YCxyL#bL.@abd,\"0cq *l̮' lR08 p t"n!p<0^C( uH2,!;(PTmJR: 5@@]E4 =F) FdXV5`Cv`x5p!kf߀%<(JGYQ~HTڀ*FjP-nT?6JF}Dct4A{Clt:zz]nGoG3 F01xLSŴa.cb1X$VkF`;0v ;dp8[qppx^ owG-r|#<~?O# ~!pMI'DM-1DL /ߒH$)HD $]%>id39EI#R( %IIi\<|0E8"EDEn%:-=-zStZ !, V%%6"6KS~Tj#ui\iZ!mҝlVqe8V\S)$^"~B|P|F&B"T"WJ✄@%!ɔL%yJ'))GXR-Rc[Jaȸ$y"Ց ͑=${YvZN\F-W,wJ<,#(NO%iEIE$2SJt%;D2 J/ GF ǘQWPR><<EU*QR5NLWuFMIG@I:AR=A}zF6IMiMffc-VVmvA!XL'AJ.k{PwXgի';g7Hxl10xefiǰ𫑙QqG4cO-oLtL&U&wL)nM;M_]Њft3mff_--Sj#;,Za6Zhmni}/}dFɕ+cW_9fb˲=j+cE+۳k9:pj&_99ڜ札;\]]]i!OTݚf׹x`<)xWPШІй00AaU2*Zsukkdפ9Vt-khLtXtcg5Ìa;_r8eX؉8۸ҸxS ӉΉ<'%%%/SS4n2/M1-7m+ ҭPLq die5m]!'4t.5;=o"-uuu F;?w7o&nN-[m ]PpDE#lc⏃MS|Ĩ?Tθwڍ}oRji~^ewV~ jv\PyʩZz{A[V8\rӑ#mѨ)?=}?[P+[[R['khhho7e5M5G5p9٢rU$8u/ѿ;u3gmP{^LGB3s˳ۦW_*:'qny /z/_]R;}}._vRcW^uz fm6h>~fPo]rw} w$jDpsAʃ?ؓOk~U`.872:,٣1?2<^|BiadЋU/_^OI֫3950>3z͎2oޭx;?}2?Z~ib>3s/_>^H]XE/Bj8.7uP"@YËВGXg^7aZΪ:IClMM݈",q&ekҳf\4_+#||0Z#xc`sQϿf5tR pHYs   IDATx]|ToK$ "X߳R`{' 숊 łbA@:[ nΙݻ&,3mnv?393sFz[ I$B@0gr+Y!lRP8Kۀ,D!XVX,裏b޽xi'Oƈ#ΙHB'C` AaL",, (\t}h@!K!8w~U+10LXr%bccQ^^>h4:J%Ao4EɮZdۅ<)7m *B@0ؾM&}Ulú1nǸ_0 %tu=&w*S :GTfBZJLTmvJ{ggګpl:יY7{I /po;KQ>|q8w (!p,%֭aZ+"##;v ͚5;Ê~3tb ;~VR(!C'Rb:ZH: (\pT4Z~Uߧ/׭OuFa;8U mwFn4y_?޼;FmƫJݥUh9̶^\7WZRh,XhA-[*8W?ep2r3NI;|K:v숏?{ӧG9sc!HP>v{<¸ <>P:чX@ Xa0> #bܸ!һb o^Ht1Mpcu 1\}ք ضR=K;tE0' AF򫨨@bb"Zh!={"--M8.ٱA'#HeD0a;59i1ش5W߫P{\Ǻ^O']sPkzv Fu_mpAWFMǯ4C?_Q  ב>^dg og]tyWfUUMwzQUn]a˗7Z U<?~0`ۇ +ktMt>M!+Nu/×~ᯬ^`WBGYp~tھcoi9k̂%3~H{;V)YqhZZl)t +YZ:u@8sǶS< _û /Ḥ/ Bk, 
lyUJLhTY֣#jǾ~ݶj^!9qt OڙuUCƵ4԰Bj:M%eKӯތJ[9VbծqͩUhU֦ J)2l$~VACu룫p҃tqu?F\1VX ڼ1 Jhuo9:^6CK6hh3 yyCgm(ӷ%wb;;]Ҫ-}+'O/5iᏠ{p(Ljſ"{TrU[AmʠuO?bm:݄GK}arm[Y"BEY94Tf 3p Q}H6d.5,Eі!C dB#M-76e lڴI~/=qΡ(,,D۶mNà 1:8iaJMLS"PAK *G1aa éCs*W´q2SiNap=mvډ:sKS_|tz*㨺!X*J`8`nvRt@þA| zZ~"m޼YXff۸éKe{vOl'JIFc򕅶Ͽ:7<e$ QTR$ +|@\AGG")6Rì 7> +bfpQY*`+qS~uA׾V:);wQo@dIV#C-0XBYWt7́{g0씸 C/?ft$ށ㧑t8EFBQKm4(3h¡ W(r;:8q :ؙp랙;K\ ~ٟ%F\,PSӜEW;I0!WWp@-KU;ʎ"Qv.ɲXB!E:JZcF*1a&zqf7 r=-g%syG=M{rD2,dѐB2ҍ(1cԇBփyM3J.kcsAVs=+̠}hժKYQטʧ02ݫP[3_+BE$&AK32' w0輇2{*: ]ɵzQdz999nYbvǪ)nљv۞B̀3sMUyd!0a~DxA].ۙItmLS9&t6@N[VMnZ ui^PrJXuNK,3}9yРG5Ӡit#";h$@D bPB B>JqXZ̍}ӦMEx8!0ƚSΕ>LKIs8~u?YiB$TeEx- ML)y{VrN.a-ڣB61X WBbi[I=SzMzQk‚@L3`hCe%)#q#i 1`gI #rH8։;HhmWPR,q!y',eLñWgRH@!pVVVy bi{rU$7nP0< i(!TcW(ݹC2Cc";6Fi\_H@!Z!2)c)GIiI2Q^G]+z M*ux E }1ip]+ᚷ-qyY(<),=H;X-}I_`4YbcL+%hFRDGQPZ!t3Y2%C@rn'p6aSxXd䂶;Xs@^À8m6cĝʝ)[nرc8SW]\ospiSw޽ό:tfv,!̀%@c:׬8k{]G E6?#6D$bJb3ӈ~|,=n;E"!hHl/ˆ IDATe/ |>:*x]:/ǒ%K D^4 8_RoM$ َ'~C|*.q67h}A!Y623F-eb;ÇxK,9(s]j;`,P"&n/>^3uό(AyiohWRMsA LQ]u`3 ,;6N✎‘KǤi18s` k1]/>m"ʓo"44 G&)y+L ݜ"y%c (XIYR 'Ei*dיHC)_4}'fvvz&(:sy2 g %onjyY!053=d<0D J8ʢIB,yrZOwu.}.|1x퇟&qL:$iNwy4oLN;o~QB`Gf: FH: ˍ}D{8uVkRG5e5ZF3 ?E _P'm~.L& =Z~R@!pC*luf'؂oTI^w,·i$ Qg& ~WLc wWxOi!91?0i 6+Sut>jfp-45M7؎Ӟr+doD7a'=l/`uaSΦh/+0|l3['ҌŸ؍ֻԱc%m#..82=r:Jeμ Oב{MA m^y:epk#[>ފ߁߳0lydN_11nȝ;klE{%:KVD^$i&܉ o`C92՟r{1V$bФ)ܤAD q0 Wts8=qݱkO8A/hv$~ 5$@:j@t̽:JMu.^dV?v[Eb n7bMӱֲZ[s~e"6<]WWpR\KK<f|7mf~/KG_Y>tݻb k>ҿ(7i d.o}ȥ V l7$=dĈϡi) viOG}A;nF/ݎ=ZAߴ z$tk5w7wH$;uG7zUh弬9q;YK=2n]kB qЮuLi2-×Ҏ" g\O<L\?  KlY3.:ޛ.]4릧;u Xy܋BkwO],Gצ4z@ͰaޚcA;zk5i?!\IÇapfo =&(Un[C 'MBt4d1Vwe21 !y7* rc聯*L*"zO40v+Vݻ ].|U: FF8~A .޺EI+:4 ő=X:^ƪ9t!e(dѥa-~xgf!p8I ]J wQZ]vZ<<եa>;>x \+aMrp 0v Mu^%@ x|h!Q' 8zʱѰ3BJ;V<^ܟJ,Rm^;X X{Ǎ}iԑCYJ:$\\,2$✓CymUy=N=iFb/{Y2#ÕxÀz+Y UxN/8ivt֡T'5vbGw YAo2Rk=A![KBo^=555t%HYYY^CHهT*}u.K,B#=$g>ug3@Nsn$; DG9d TezD'f/:O"P4"ArC$uy9y} rܚW& *h>bI !dX@!ށݿd=M0 $wh; qwLkT=)&dXD"t|5P?) 
+I$u@WM{pg}~QK$@M:n](g YD" B#4ID J!>!2*IHA+CfbD@"ЈCF\yt@ !؈$CR&[ N@D']RBpB!o$j%  :IDq!!03ҶATEݑG^P=[D!9>]<%2xP^TAZ$UHy+8;1ه>zOLL á'Z{pqv#\ C`fֳñcPQ!xzm#>ѲeK|͢\ ZƐb,03#** s4i!%N:>:N*FZĠ1Hh |D#77&MUZVE#uDa"n@ϲ_Q+/dzoP\n|Ywl dep2D ۽}B~q9y͊O7&m@塸<[paa!x1Fe#߇*Z1FĊv#9FSla6D}{k.E8p"}t:K^NK~9FXM篇EH*51_jZD1R#zτ,h "HmTX4()!w_ (}A6mpi! 4SC`FLOc3_T@ $ IZ@ +X$?P7a<zyyK8TԎq<ݛ?]an!f%]\7zƬۃka~> la}E{ʳ'廳}s+ں&p{-rvAM(Xc"`4lw(R&9wp1ڹ ZJL(Y9d+t0{6xoؼMZ +/}1ptgmj|"muxh[z#UldϞ=v0%\DcĢ95)2,64C=3 EEv"33͚5C.0x>[W{rV#0atœ>DkV?L;&vqIgEW_sIFӉZ#I z+)#L?孔Njӱj/+WTN"PSj8=ٚPZ̾1O+z"^mĉb(RRRбcG,?Pp]Ax msœ% 6⩾WyYr 1bرʀ΂.iVz+-_SI"Pe {_`O<fPy3x'ldś)N"p!Pc A*Z'$YuJEn=1B|!hҋLJћ[?+qD8Ò% VLСC~'I;m۶ۿ?.( 3jWႧSYd,[ \sAx+IB L2e ^}U,Xg^D dMWrg C`4/d @"ua@jVHa9E<ܧ;l UB`Dm VQWI &o%g-ܧyiJ82L1ܔ־,Be;i|2i WLN 54Pd$gpʕޜWD@"Hu+K&j ѣ^.\&f噼A:@cA7o޼ʮ]wya+ݷVxwĉE0if9͚φԣq_Iׯ+6y#Vl$ p4&X${htRa+ϟ2]/R*V~Tol3dBm~d?^Iݹ _M]Vr>ҍxsR ^"`C@ 3bp|NO"p8CbҨ']|bda{EYjs(^k9_ ]Se@!9ߑ#G;= 2lv^AŸdj::|CXHC;7+-ŋ{6x-83SM6sL0+C9:zȰO_Q;[*f/~8od`}$U>f-3NoוvIc\@FQއ@ۯEɧN* F !xeC]?3P;K4qie#oD78#+_[:7Dw-$ |V)KBc؃>ϑn^%g*x=9 pρ{-YzH)!~KGô.8󿩾RP=F2DF@ʵwuΝ9s࣏>B-;`˖-C!iju .=x'塒y![dVU}߫W/"{ ӳWӋ;o+? [DEpu#u'7 ߽3;o!g.%3Nl$C62=@/?_'(#DK$5C@}!K 5gPݑnBB`#(l" jK"pfv]v#=ҭ[LFdk8ҿq"V#^-_{[g )$" ?S&hHШO/.^^{+9$){+CϹc$R" h&gEI?3Uss{᳒Yhm@ qo{C?S_edVn\q&6^Zhm#H6)Q Ć߁ ^E$n^ vyy5 j%Zz6}6] o.VoKڥ%bueu2T5Lb%q(++ÞǶka,X0|L񣮸{^_ 6,_Km4MP۲b2_Y@.-Y;c/k\Y: p£G1ϰ :h3V-8FڻEb}L1$%^ikt  JTtp;;h0% AML#`3 +_Y9֧hӿ²ͷQ!vfj`c@3 _gEM§E*N*cvѣ)f`,R!C1<{R^ W'L(8+Ι0VY#f(+n|.!j"dQ0kXk^ŔÆ]@07N" n< Q+ܴ?+ٖ!*j,J@48̊\9VvCDאBzs̊ C'HcdJ:-ra@JZ;|29dtb/VDc=.\2g=:;4#1Qٓ1C)Ƴ x&X!CDw_zg# %z̰(ʽ6$|2&TRuIZ$u2-2u@B٨ #HjOйsڥ.cK$ * }2*o;__:,[g;A-g\o IDATYx† -hU!ĻBq|P%|! ^BjYvc 0nSF()((\#J C`g:Y "Hkaj026t;f F:DnT vkNlM?`uHk,DO_ПF?mgܱ?eh~gB8{kAKN|Mj89eU=J_R]^o]o|%\QғGcUBu8&L1`v?P=Y3ұ vNv&]"iqUv7:g6So弁a p͹;Nfg68:veUw٧ҏڵGhUSl3eiD\oiN=+! 
p>I0߽-k٧**QV#ecퟏ>"o#}/BBӖvC%(--drM͊N5O 2 ؉'EոGd Y+fX&~|p~+jiH}yahOoҬ\iZ6Omw c`Oq`4K'/j̠:YBͯ[j씓"coی2ZW\fPR~ e$^p[֚p;YIKp(/V6bR k=古;~JmD18^;ܞ9N]qoEIo}~ >?MIAֆS$IZ1@%-0VuFQH,03@Ƕo%''TZ($f%%%`$}Bu85lMe, W!XI7j<])sHÍNzdҰDitD^NA_it+Z1V S&M>/1d(Bct2Ȱ$$°{4PTTTPn2z^8!stLaʢ/s{`}Lr- A9WܓmEgsJڶ;t؋t:-3H:@=#PA< 7"'kᕿ  !03`Iܢo,RɀK&R,*=^_C*Q']usldCa_bOVv!J8uy֎k‹gOl ֙hfDVWICax}Rbti2yYF(DM_W7!$3 s>fYsNMdfW_UFw@y_ cs^"\k $ X f i@l*V$/?@!C~JSZ$*fK{Odv7gJtB&~[6pS'%Z)D~tr(s_\#SާrYyp+ _^u~@ lQ1R*0K >>boKsssaI*7qê'y+8;WB]CL3fcyz-I:B!,_U(/o^>HwZ$M" 4#snhQ}Y`!H+!iHZfCD3`IwZN gߤ]c/Ē[@( 2 Aʳ4KH}S1a#&ثPBp9rp~aJWKJG%D*Dt逝(3>kѦߍ_ڊ{.Gˑ`$lU^;tDAm|?S^ ABF04@blHQ?@Xdr}dK'(BhU7Vs8U/v_ĝcŗOƂ &.iMn=oD!2 4zAy[YV/$^uE@}ڪƈt٪l܍;6c&H&fB͸ #D#r Eg,Y|xm{_7<\k{t2܊vhy ?wDƮq[ ĤWC@ dBuѣxkhI?|톇 aU}NW!4n5N% '<=yB!UJi`ݺuسgOt='}8.Kf#"y{<! aj@8tCOZ VYJ7~ઉ+xj:¨ w M<#_6<B!mv:_GokHF3]"  !\xTI 𗰰0E!"o-Q ǮEmv"Vhg-W&ˣ#Fai[ jG!gB!Kł:?뀟k"!^H'xD d +~:lQ0l.1cYvE toAfjŤ&4:B!D ׀AcIF9mE}ᅿDHОPeII%7RB!X#l p=X Ć3ي9W7qZ$6hY6 Ťj!Baz^Ix]g~dCDTڒ1yi }aթXL,& :,&Ťl1Ɇ]Md1Ml1bҵ.;&U)[@A dBēm (N?6tl]>=M:;̿I`1E\ R#>+n1ޡN[fI I#R-[L+@+kE d&͹.0q4s-" 1XxFI;:eN1ţaMn~#-&#"CQֲ;`'-&2:G`<$(u) QnU" p JEY@`۞RY\s$HJ 8_6ƞa7 zZ"9_b_rOk dž!.yG+`%4(W\̺cjUH"P{B!3hҺ M&F$c ѦvX40 GR BF~ؘ6풠7Ea\ـpS.q4KCN1b`$zbowҨZdY 2 a"" 8p+IqQ@zz:ج]lŸV_$H@ dBy4ބt`x3Rp ɸ(^O*6Ťj!BaH m h4(((ݻ,߿V/K+ ,4oU-]/B! .@ xp 1T`p!EF$''LajK2P '4Whd /kk6)~`Xsm87,+uX@nd2buqm -&5 I ! ޓ]-h9Q9I+uMrW‚0tot[f\3ec>e"@H1Ǝw/>9.R/6#dKa"cޡC.E^ _ZL 2D s?$E!%oH ^"p"RCOiUr?`DD@"@0B bo&64qQͻp-Эzҵ'?֤ꍼ C ڴڴEBⷰWU0ǂWDؓ]QPMr&oZB!p Z3wIeNolRR:Vf/ہob(W4j#P#R !e0ۊ1a M >ECKEFke6g~!-=%e0 M^P#|a-%}R|Ap_݅+]oIw8G?ۨ/Nxll1) u 9qz7 4=J|@HIBX^ S5MЛ l3a6Dm)~vDJ`]`ӓ;Yu3Oy2 m3b'"rc)~X8|"^;pEaPH'2X4a+,팹ӏum|bd @v5|&4XGmcuOǐ!B,99+u5ˬvF:4g;!L4X\[i9{rXYҺO۰m%,|ŮM I/a'}0opZp8+؈CDMJDB"@H1-KFV K`g&3SV c8/_i0\O ~Zw ;YtW9f )ʯ9[\B X @8 //S)% R:gly;>)LcƖHhr|c]iB=VA@h>^DNB35MWFo~^˷eu}g,޽V(2Aupׄº8_i?Ь~ ڹx起0qƽ~$0ӺD?]p\H z}3.0VC~r<SnXΐcJ*_J$!2 AEDz|kԪ/CH$!d!T(" Bm%!@NŤj(gabi@2B dZ S 2 Il>m`ښ٘嵶Tjg MC2*kj&48@H1ۍ_hmϥѡd!5P|U'KFl.I! 
pnVoVbk[z?;+E| O"F [LŤT߫m`.mwQ Vu’#]цGy;0/"9 7ﵧ~h6tZaKH?Ę;ɢҁ*MyE0 $2)|'@H1ČTtl 䉫Y0-&dv::m!fHсӒ=;UY=zwfu[񱰃/Ì_WKkWXq]U@mթ<եxXOa̳I'!$]nh*Fe`m z!wX=m6T22:w獟Ipn_b ap~#[wKESz4bt%SQzHC`Gl1,&vgOWY%ZQ$gGjP=+Tǎ8}\Dz[&iRR$N3/!BeY٭'XН,2 sQ]\/!C]XLiŗOƲfCGF9a<@Nac"@E)_H@ $xzāxk1鴦_ъ sǎ$i1"CbRHT,D!TER1KP"PHP% UuIb%u@&i1nL= -&~k%sB!HIuVdg !;vCDL\ׅ$h܍#T;xq80`|{ĭоӛzau$i@UPhp a[v:2!h޺m@+I|}V"\o<`7M51I+JI=9!d߭QR%8QsqqT˨7@DRJ`)28!d$'T"n yG{@ ETEġ;Ei8-9RE;KfQ@A t5lL Ky9oan/HMZf8p̄vgLYIDATѸ"X B1VƁ|&)ӭ}(Xx$)nTQ4p5Vc qH}*^EfQ@ITB(К0)PG QU(К93 1~(\1 &%oibF(ЊI|{%Wq-]m]VŐ> hgt#&)c`|=ѬO Fg݂|{ ǥQ-2DLJYv<~i4[BF" _6La& M/LT$]GM'QŸMː(7u4:J(7c9x#FAik w^ˈGdM?Iʽ٭ Àr0] 1IH\T{򝾻y߹(H"i~IA|fD?UU{(88"mZQ2:-Y(ivfhk$1^"ٽ2CQ.1veiUhIXD5#cTEAc1'+gpB/˾ ˁ,[(5{7j[䟋zdKcePM*IBL*bM&&E" g^o*1I#~K g#I&_]jwg^Cad1:v.|"lEM]V1)Jk2Eij&.#E?vk&/ݠnk#I\8*RFjP# DL8OPٹt4Rߍ~,R@K ՅUpZd&܃b&4EN?v>o*-c<P@9UI;1Iz ^7PUbQؓӹm=(x7bQ2u3bʔ*PQ@K1)~'𪀖CI^-%y"Ht#&Kh{>n%{CP@;P8fBu~h\&%&,c<iK=.7fZH>Z[P@;, &\Ĥ\iIԣ#rR#AP Qw(P!P Qw(P!P Qw(P!P Qw(P!P Qw(P!P Qw(P!P Qw(P!P Qw(P?f&IENDB`fwbuilder-5.3.7/src/libgui/Images/logo1.png000066400000000000000000000317101303637203600205140ustar00rootroot00000000000000PNG  IHDRHZo'iCCPICC ProfilexkAǿ X"ZOZJLzi"i ֟$6Yg7 zo֋x"^E<$"zAԿPͮ`yo~vbl絫kwԙ9E jL)㲈5E4͝ H0ߊ8'&xw}X K7V?%N"~!}%~&N;fb'WL9bfzM,.ŏ?!`/}?̒wwx87-P xuz;XJYx502ǁ?<08ApGC 0gx?R!{_(:j KJG ߧ $*b٬l8U8ƦfwztV%;4*שd_/Hn%ɦ!yh+X_1Uv»gyfhi7j[wcǹ9xOa̶_:p``:<`}$5tOFb=9n>qxe*FRKq1fҗ ʬC pHYs   IDATx|Ug{I^: I  tD".Vֶ-bY׺]uE׺bٵXEA);CB)W0Hwgss9{ʽ3O4M'GG26ݻ`mz%%%rwN>f; _@e}Vھ};GGGJaBBB>}Æ_ѣǏ؁UvFλ2ѣnwݥN388S`K.*++{?t͙3'""bԩ7tShh̟@_y[:3?EFFv 89`ن޽;pzW*_|K諘7|(d:wygϞ=ݺu lý5wh}(׃%r`~H#[s@#P;//bdeeeffP : Zs AD;<sssds|X#Psk|0#G_~7oi@^ LJ3K9Ї:uA|^zAP;HhCIC\$Jݵ z":Gc5_5:-AH n?6~7'&Ull,>!5ja~PY(}'8| G@=r ɿկf=LAAh*YҡbUUUs6lذ~!CJJiGQ=Bj^R]ZkO[U]<"kA-PXtW;l@_yv^E{B"TZ?P{@`CaiUEd+"wFP8;w,+so!,k^xql 3hZTHۺu+zF\#c`]ko5=\EJVgAogJk*S,ϋ;jKN6.Q&QSN5nh&iZY쟖l-݇/*E;0jO[{xg걔#GZto1=,4T -pBUÑr8rJ@fNtW1L~ߵaZ[CtGyPqTe@.Y&=G+5TjP6и]z1i:v{J+v}`ywȐ&0(/% vDN q=r= 
!|\\ժSsykv6Tl'4KՈvFN^Ò#H;9FJ38wOC^sㅵqZcDcYt*:A k;є)S@ C;l#aG`Pϸ^Iѻ,wAvغ~Xl10,VkZJaOa r`K vクlْ<""EϞ=M׹sg12?Z~YT NRgx׾e.W~#u3[Nn49_/gR&UNA]O_ZjEX.zIԗSk'.%w)9jꙖ!ӌB4ۻ -}Rx\JDG|\r ]YjOj=P䯛rJD_,rƜ9% (F!&fQ5nL?ޠ$~ٺb2u9:9:WueV[٠[(G=“#kb2:Qg͸z<2 Byħnb Zs mڝ袵{quؐ>]/{nsבY6Jz䦱aA°9O4iرl BȐMX>]iN;-Sڵ6oڜnݺ%WTNfZzBW-<ښ2Ap[ay=ޅʀEX'?yk(Ӷ[VV<$Z6-srx>y(:|'6umBXZIőEju ն*HH簐ycs dD6uwL='UV~\yΨ抱Bm\pP9␰EhS=N`!"C23AA&uW+))T Q-qUN+%;3WGjsXv941G$)Qch[j~C ? arf *A'DC$m+`Iݬ$SԔ38:os]dGIYZq ֺ/?{tDQ[X[RPRc_G:W4<#3wK5 X۽BQ}q:aDQhd6|s̰L`ѦwB./~3f}L5aOoHhD;[Z p>9 ,XqcuK;1;mUV(腿ٸO6[DD8 :̗*oaAksZjS7f7hM !oyR]>:Uv?] Q\U#\x9*mO:촄!zƔxtOwo3}_KAҘ1{_!+Å ;isK~k[BL9rܼ;OP9>>17"kI2(bA  +*$i`7 >4 B!Ҿ}Xyn^K$o=zҲ?B`F#%-bcvmn\mwke\߱ݒ6ׄ6蜺Ly;:~R*{'@5GJV "8]׳}a2ÜޭہkvĉlH Z ۸q 3 NaXic_H̻]"W Q0j? WyлM ģ9wTu ׬ʔ=K;L.N!~uG׃PE5~aKDf,-I7ŞlaV:qG? >`'+1e6~_y>ի{ /$pS4yp"Ɉ7A`ɮǒ>4 7x`X%$Dh $YH _^Q=qd>` rKEq -E@um7 /=cWBdQ2IyN~uR],2![}((m*ѫ`odؾY[`9)6~F5Z@:h弿6}\\  0̆7~b),Օ;/KoMB|f`+`^kr3^qO Q_I=wPlM7ä~ףap[NH3&+ݺwyg姞~w"8-8c GfA4 ҥKQh&::*1172a{>KZ0#]ߴi"14y睳xyݷWvp{:E#TP"XQúNOGYo2x@sVj Gx<:`I-39Wr4Gգ;][ 6glR\/1O[< vҘS55NVטӴy 62h4n&744%w5y BxKQ%udH@&|bʡ P7_K^MEl<?Utb QA'O. ?@lX%1:kٲe|KGhPl2rHfzBj5زe A32/ $$ZF;Q-4 >Bw0E?PkhFA,.S t4+--N4@rLP#$W mlYTPs׮а3<K`J!ٜM#HgH9! C ,ZW9u!f@ N)Ĝ\h`B DNx[񏀌@ c pA1aC;5?Z bl_dkH-D)$D]D/D#lͷ@lvnDD4}:b7@%`v.}9)!MwlQ?Qh5BAe0luIK#[`@+B3 T'q&^`0o}4|:5D~YA=F'+T$hޛn*;3 D~~9`F:o? m@͛Pcdc; j ՁSAQ`t!Dq)oX3 @?lFH1,:pHۦM;"oj:H<(R8#9: 3(=rh"H*ν@1!O0ؠsmqO9F!Rll9@4nRF #>M~݈wZEjQ㎀8"A`. 
zDQ* en"1+!fؙa˜cIsIN!@ |Yn<;vp ,@$Z`C*x<~pďė v5+!a Ȝ @-  1G8 ȋTIČQXAϛQ}i& 6`n$_1D?$s;.3S|M)gĮ*›o~4K22 1O|0l>UɫɫRi)X)[n2<Xf[nu9V8{wK l@6d~LD&^B1fdzAe3A $ Ao 42QK 9Xf$aB ݃ȁPϵ =B ڕ_f w5 pdf,\kJ:XL7>*f /0m4n׶ !-D yD *YP~ėSx@/H$jQfE n0=z䣏?e?LAp;jb>,!)acm8R| nF N8=zh3S#EbJ6ٸD!R%@c32|ߜ];|~!1vO>O'E]gI[ң>J|e„ `O C7kB/U~̙4]L+%bV\> üdn @t}(9qbJxH9%d8 ⎠0y1xXw( B{=k|v܃p̘10ṊG37bs>S{̉[vonFB_ zDe@#u 7`/a!\{{xS p;IDATdBy]w6y'!oo=S6-S'0 ˉnɋr`8k;%sǘF}`]s5>c |Z {ذa(B&{Tc 'T`xP(H!,40S@ \s Xz̚ {ay( !t3G7Q\CW.ro{Y?t>k_F@OFY]-Ua3{ VCЄԹxU::8 n 2VpEuqb.UGɪap LZW-w"GGBQ<'Jc@O "aE K=% "lP\y$ qTڝ9ΐfxģG_P[nꪐ`]%!$sw3`l``2+< 'Cl\8obơf܈4\J~:4ZA,Ac# |YSTP"o0:Z1A7O#7 8`(%xbX  ((jS fPpHGtZ^klAjGKsi <YU <w l&hC&9 ƐZ$Q (Y 1$C9_y.:#P"%%"JƐZTb}̼K jl@ ..>G 4RzU2]s{Q10ɃCڥb-}Tn,plTј2RY)q,Fq5?s!5Y*NAD4I M&uH0x#/yL2\% /*(|Ajۼq7™nբB˳ögth6G@oVE_'iD4n K!t=1 O?'f4Rh"|DB>D%Z0Hܓ# j# n yʃP_rkKS  wwE"]PfWe`5Cc^.-RrbFߊ#BH?ҋ#( ,ŠI)lho#`63CȔoɀ o@ӰX*6{ʃ5B@eP^>aⲅ-0$*jb ڂ^kxo}SVW#pGBęo3CM(IlUۂC"vTZYUZX]Q=^u<bͼmBX<{u| 6evk.QV\b jíbǙZ>nkly*N:&W#FFČ} 'L0_<~|} شv 8]mq^RS)+J`,}M%7GJ/a\}@#`cuz\ v+/& a4L,(3d$CMA@OhXZO9&њGऌ@=@AXh`m8\:Ibb96%(sDqΘ$0k3|FNsFu*t^2Al#` D5_8 ӁtJIENDB`fwbuilder-5.3.7/src/libgui/Images/network_zone_dialog.png000066400000000000000000001015131303637203600235350ustar00rootroot00000000000000PNG  IHDR\ %iCCPICC ProfilexkAǿ U,jMC 6&=I44dfvf7&5C z^īDD"?Q(PfI<4x|7} &8n77os_4 {Z$3'Ғ}LX3D K1w/ -نIXz@x ͘8H$^3--gqz?<8M#^}l0."29pvo[Yt-ՙ JI[lNaxp{ 0<#!c}>T:9|Ȣt<}TF 4VvCF>=D.'GCrCm~`Q5ۜnUdwի4/5]?h%:dܒ< U-^Kc\F1-w!FwY'_zޯHۚMksۭIh` 0#GR{2._ X.!@]hije45Y]o9 pHYs   IDATxgv^"K. 
EwQŊ""@"H"H{ݙs9ewoon;&f2Kf/a,X8`q ZԉNqD[%-:+bZ¸/[ke h ;9~^xCֿp8\39%W.7֯Ǜ\3Կ5>w3S hq̑M4RVϛ ZZκUW׻|۲qxN.]J+9}$: d6ΝAӛ.֤לVb8e=ľq_S&f{(_MJMQ;ҩ#cW"&-)"M[cfG o٭‡izj!wh)k}޵x-.|Q=?C_%aBC=㗭#JLjHR=c='q-wg\5I6կf~9%S3e2JGIiܸQXh@YY3W]92a,?k8غ 8~A#oGq%:GڮT>gm GCkBY:]U]Ud.IԺʽr[ xhȣv\f_JD;eu>?Kk u,GTN9Κ;Z`Zj/F?|uhF-4v=5 >n ڄqF"[i&OqvmlH߷[5t:%aG}6O3Xg]"SsOAX.h˗8wcӒ_|i=qi ;C+}Gڒ\ SxyQ+?~sI=_#}6-^"63y]h3{oF;?9fN+ p4w+n֭[F5Gؑ#7:m.w͵UצOF~|EwŃ}o T!ãAܑ?׎x0{œOR|E_mxG\ ζ:^;\9@;K_xPM"[ILQ+otauK %beG(vZalЏ1+7 *z Ii2h%[~3Ō0P-lMZDa4WPMR9s++ )3 ,rƑCƖ")|E#Ǽ}VB9&Mhhyʘ1Y s>efc~咏Dl?9}S eNa2 ^CMUUU?{hObjRfsus5(# mS標B,%i2moYX'1V}-SyU˔jdW( G/޿-щnqR`a\ *թg8sJg&VːAN])S*Ͽ`8sZ@ΆSV]OuD]%J\E>lbjl"Sj"~ply!h<{֯}ѿd3ݸvmֻZM31gL=,(2Gcb*%QsiZ?K%YYS%jĈ_8j6J!" BZx*T1&*Zo1Q?It}e*ʚM-\ )$Kg M[1'>9rWN>}%>1gR޳>CB%-3]ߕ`'ЪT69XL=;)3O,^>c^2WOr[CJ)es;;4UmrX#G*-tꓦb uΆlio)7\V(X*J"Ξ1U c+:ݰsYąMY?"[:q1@aZQ 3e,PK(SD._ryQ(+ٰ&Z.ǎ{04u%0&Rl􎲅L+!-[_ָ5qjb o\'r=,r۽$:!*-*g::J\} 粈ce ;iXA& No S ?ZDQnP  3AI fʢMg6!*y;e xM)ׯ*yw]=-LMGN v(O&|xY)>8``"?|@IZ͖5ubJ_HB]s^i'!%jH)[j%X -Ԋ(R歹8/xpLD=CtE7&b$[zUK-aUm/,b;OZZA#@Ϙl!=-_fGO)~֫3&$4c@DD"Q_ʣ4&7^QBqpPA {C$jZO[Βy  P:?˸sXpW$-Q;x\vj5++܀<65S [14[7 pfH!Kd' ZUra ܬڕ8cԮ,_u `},GΧ kV 1 P g t+/hsf ԕ{\{NiGO( ? OQ6zw..+ Ț\+"N5+nJr+5V%h1B+ GyqHyGҚ= l)̱W,SfSyGXGfXsZYV*a?aoߔ k-m.ͺH@88X{lGnիF\!#[uJЧJA;%dk4ai,b=gHˇ``I `zE ~ME@zE$*BI /zR#,E"uѰ]eDVO$7:=H̒|4BOh3bhpR:_kIA};HO$s%K@l~`HeێuIۇ_(Ľ 1C-ft칔VyNaY)i*W/y%L lZ\8g?A-Y LDhp0*[6,#.&lWSoHs[aqW!HZ+<\U`VRq \)o- {vf|Us1 c^JFC!l/7[ٲX Kb![E 3iD\B|D 0Wl`PzŝڵO؇@ް|ea1[#]pԣU<̞otPRfĤ|KT!PFE@3fNx0;ONJ % @z ,B $Nl_žn?i+Ї_Vȥ,c0iuݝɁؒ5֚7'OtikcfkJ$jZu̸t~3 R:+?^@Of"o{ttV+(GaJj1'^x_&%"Ti:uWU]Oc{g 5DsʃhثV:X7cڅD7[Ӫb׬e{/1{ +rجIb>6^3X‎klIA,N=Z0!-$nj|'"Ǝ (k`{ ?|B+b&R|hWf@J' :}oODagG7EG-811WCy3e]5O٫W\Oe\S;Kة.x"Ť&v EtwŨK唱O7m( . :"Vzd9YOǏ/1O#}wY2)B򿔕38XI;bF;$ֻ/sP-qhէOX|c VZ= ްxx3)|{v/1#E"U7ZIĨ (yĒMKKbԯ$I-w>>ZD0k+(׮g--Xi;'+6"m _hXe Up-{. 
y+,kP\[cAONEbo;|X/an=mEU*sAtYl?fBHX|| ٱO6 ZxLrt!-kr3^p :`i}Gʲ ukg;ρzՔcۏM[2;D ;wC>NV q$JֱViv`/aߧ:]DfDpMG~b,_b6X5I׫Vܓ ie+چ%gn̲GKg\%hUꍎNј?b_ﭽA>uD}zǠj>fyWSzwa]Zzc.)Q=4V4@+,g`Bڧ -SF}< "yC\e+E؀ v4- ?uo?J[VƁ({oEIX@T"0H%x/ǎdaJLq rdީovw[{Ǡ*텹$ c}9{F8)yQl *]sn @[x-]$EI U@*&:QhQC߶Q<-bp`B7[ai6;B-)ptE* I8'X1 DD(x"i T ܳ:.vjsq 6pkBί͛mV$ ,<W2J TBxŠ* Vm(!aY j ]fz Khl2QP*5+h'E^r Y-7*QVg@qLG L:g檇X?iYVk!QvXJM(핪Jwja% fp;Ŧ[RTcLXPdD0Rnj0Tdͮ&H`9^2l }Vǚ<#bD|hť[7YV]la) b]3CoP4,`to=#o~xVYJy4OjjFji۾hV3 :c/f-Uy>N485ˇ>s̹snܸ!E3g2edۃ__[X]QAMRy) դI%A6 5ubP ?+s}lZ^E*Z`ޥvL&?ȿΞnd+7G~=، tїWIsݧQ"5gncNYq#U<Lfv@g|f E >k׻Q:AO>[lYbE =Bm}Ia9#hpus߾}s]|mېyM>} &MlwAڞ={ŋZX*U<ccԠM@640{놵b00zlAab FA6t8-q\٭+lXS7RcjmP,D (!;2Ql+L3}wb(Д_t2. &@8[lXJsq.B bς%4;ka`Aɓ'k׎7-W\o0=pO,W3&wYdO‰'vN8[nJʘ1#_Ss1X$S~;2= x*ߑn8pʋrsJrTIPxvV]p5OW{ </jqݗY OP1Q` _Gd9`T*_ W 7W(?`L\M>wgBmF j֬9a$%uɞ={֭:D͛7tO?3o-Xʼyݛ(Q"y#nbbp) ,o6n'ԪU!m4Y)СC/e۷oVaX80" /d.U2Kɒ(]9t@x}f#%O;&F?@tA EUM!< f^`N7NF[lg%N<٪Ue˖ڵkiҤɑ#bz?pȐ!-Zwp !9y)j) (eԨYP04i;ʗ2 ~Z|мv\lO=Y >GRP[[z%KT ^?deoI680>@!X9}BR͒ȏVѩS'kn2Ļ>=lڵyhAſ{dpHڳgҰnݺ f͚!k(ԘҊ)EvX7oe/T IDATaI`ezRiSdqn9sN 0by\ΘmΓ'%c ?G|̙3}t J0De|,sYcEp D`KH{/qq Gr &)]e4Gd6WB)XcVXm1r;aaML.|)rJ>jƜ`"͚5căqŽ`,jgϞi<~1*z+̈w(ռ1f$u.]1.^`c1Ex]a`⧟~؟7D)6~믿ƦXiӦh' <XU(ڞYN:eʔ#G"vZti;[P?37ۏaʕ+fI0x+[2"$m&z)$ION2W:r)O]I1D2LP@" mH_&Wn2+s䍮[*q 6Vhvþ62CIJ0(GfHuق`fJR0Svwn;1)J)ng4 ,EN|*ΔԸqa`(O]Ç3?Vdlf/jJO$)"S1V_5`KbpeT(Ɯ2qO yBaMq7C $KZ\Uj*UTS)awkTN{B9|}*>B4nc&6w?uЦ] VSpnn;c:gIĉ<޻{K.h׺UFMlHU5O ?ϫfي*+$EGKwt0 N,FN<ޡl˯F 'DYd]}w!~t^uޥ58l03mڴ"EC{WCzX*E V=> ݂ X=ي)@V+5,ƾMkZ|i9-ޜۮ޼}}ފ'\rOmUkcxs#~:td+wQ=! 6ږGdCL [ !fϛ,|9^H,$/܉ N-3Fcّ=x51jo}۸i ,OTQ`$ɓ޾uoVA@ ѻ0W=,Gr_9tS9sW9WtOPQNV9% "2"aS%T&T%U2$6Q'Ur%Sƕ+/"Uu֦3Wŏ8'L88[kǎV+ꢺ^z-}w|_=[JG]{1k7juY2SsFTW(4('z{xMCFmJ۔q'7)X}0ExeeQ勽JM v)k/w04D#m}j:+ѠEAzdZ<më ),kYx͘#G90dB:P:6Q9 J23sΓ%w֝oY)CLԵ6Ĝs.=>Θ=cU^x-"=QoʊܺN'~O %SO uْHϜe &ϫ嘶]hJ Vq+bܽ3VZ2-7Nھ+ ]9MT= l,?9mDm[!ьH6ےLYyA%~6 JٴF4JQd)6O)jOCϟclXg"(N37*CUܹw5يt GBdiV{ no? 
s=_Ogp N}~l>_E&Jx]L93_|m{7N9]b?}CEU&mT4J8H Or9xd'8#|YTaڶ[eI9W~woA6 &CZm1PUh@Dhԋ=|=-$}b}sKVvں[NsʿN)#3/7O=>Vmb\lcqXt< 79bY,(R!Q!mT$,=,ꅋig ^,έ]SZuP8rNiol4- NiUl%RU:^ZLW}`v<.>fR5E9Yeǥ޳qW+~%+V*'Gz"X)R9y𸔭U^%%k߻{#n I ?HE }J\u1GY؇{[W_TJ8#vfW:?DF>Nm6jp2 Tl\݃&H=ʔ#Jʋ©b5kZʭ{Cڧ}طtfc{GR5 լgoްk= "y^ 3?Rek?s4'vΔ%Sl* qrL*g$M"L!]$OQ[RW&o)qӱ'P$ւT]E*܋UjezmAUTZ(.RެUjv ۩e}?Εb!t*(}*ON=J2E*dW'ϕjC1FB.lFG>>"[e>)-)^|Ll/{xס۵~gg%5ߺjsg"[7؀Kb{M>fZiӲO[d/';o^Ѩ>,J+'22֢Ds'u$:.`(ܹ$kZFVjމƨ}ʨm[6w/Tѝ!| lgKqDRgNk<V3o,?3ӪU+0k|IeY!7{ (C1j5EOm7]] OD$^uf/Q UhEK.\RfNmuڰ:P[?st*;_wCgGaAc)l;#&;*06Yz |_A SS~X D`pyG b[v-uOqRL,|[G.?Fa\aAk"A$(΅ i(lZV-?' X^W,@p7;|SqzM2:;?SW/^x"W8Ҍ0@l#[*B3<1c0bo{$I f㊋+N!+'&K\Zw\%}:1d_e]SJ1}CK2μ׿cO5yrtlcc>z#-عM~1k^ %J,/b@ҢE(7n qw-[`?zk"̀U\Y]+EdKEEAD2R%gЧ=-բ%lÿ8o~r+x)N{dtgS$yNQ6FcU-Zwm c|oї-r3 kDKn;u7"gM+Vu>FtkK܍>R`t9Ge/ } KעyهeR=Z;dj֬^@[xqӦMgΜ6o tI"}ݼY8\@̢Ed's>_y P߿ٳBD@sE~ 䛜?Gv]l׮m{ꅐʇ;_aZx%\T\ϓRc'4b385}Iud8XDk9~cD"KiRr;fΜ9eʋo.ϟ϶lO\C`,zڵk98q"H'~i Yfe[oҥcS2#֭[{_bym(Q0;pzIѷr2s8tzn;ntp)K^{lGn\}G^WpԹLi^5/hb715rIbOustu(PFMzS|,XpĈ̒_y#7eȐ>{"Iwʕ *91c0G`8~xoT (G֩S'RB6myPM3tkA/k>ĥ3ٴ- X9W:^HƏ5  ٥3d) ȑy63 ,¡j5|]+I\(֍؏3檈s۷o`Lh;UR%f&qɟ??P'ʂO c={Bj*1/9rRxN2^LR$5d(~3'(׆vGf'M7IIتcl\~°4]?"X5e/f7*bAP{sE:߷ћ ,!YIS 49>8Pf_2?(jNrvwd.m :BL6j+6;ur@{~Y#)A "uL q)BSXzޜϞRx2'O9RM!8:OR[=4꼟q`5pYhN봪j?e/[ o-{-ƲT.uc;!vlNJ%Mx5~s?޾rrdnaDp}2Re=Föy}dI ][Ըxr5+śmRN1S)ͲV$&8iׁLg?_G(~=T=~SݾJhz"S $n׮];< #ݜ8?%q1163g}1rGb4`} NR|SZ$ 4X3w-E ~_돭Lr3NkF yޭV$K VcvP!j6ꥫ[Vmb5o,֚>W(Y@jN{CZ I2``:"0rD/&cmzFL:$+fbJ+'u?//]8o98R_]ixs.ypcϬ]޶uצ!&Z<4˗/w^fdb-9HX\h@&K2fҥK_Qx&bDR=s;wn ]FQBxgfbJH WMܰ&rt8sZbthT.:]k"i t*VI&NzJ8Eްl=+n^f/Wwӧ ,Ș=Ho}P}D帚 [ =gӏ!Um6͞H[~!J7ܹccVʼnl=H [Y>g-QQPqT]Q2|l=$H׶E]B0_N`}jTɑ\qkMlݲ.,h- 3RZˮ vʖ*nWleؤOd lAnwDw$md% I^%a _A:CiqrakY9Bnwo^t~þ-neS\JY&RoО s%J0K:2$>b|ފ<=z(V&6J`g l2H'(0{nj+dl"4ӗ+Z; 2fg*Me[2}!N: F}{wRuRH};K!k,,fltxgĠ=e Gx=qx9LA^]V>}p:tk@Z 믿%ǡOdlaMe9g {Q+g)dHxFss/x*xlht֘Bo7xCV@f-̡SD/D>Ezj68R(&pTWg7-ɓXM 3V|94_ch(2odzZs ;99/9|>3L`1+?815烊-׫2sd|*"[*~G_alg;F&8XSF\>ai+UOSjroS,W\q͵xx/' 7&/'TYdϟw' ̸ٞ=. 
&~G*޽ck"kYщD-13Vr1yfJeJ%<#5Q3 aזGZJ*AUK/^vy+o^hpz/3q#G5UM[&M̜lZpH:5Vf:^-!T<ʐ_([3`٬G f,^N2_ P2e2͈|9y_B /6xFx9 r`vR*0uUH<[9Z*Or(ϫL JPi,%n+Of>q>ޔX-&5(T"f-<,<3ܶ:J*0eO]Kg/#O/7YzTןyfNU2_i)˕VRXH6rp b5 wzҍ`\A nz@J`ɮgs\+?!Ub(9&TK!n-.Z/WȕQ̮yj">nYKXvfgpr+ ["1O(O<c-{z+)|XT!BUv\g:8"ޣKXQMhBpTO]q)09-'?oD,\0;yu GqN <"U58@x3}u'm:~q݊HlfX ksȚrR5lR\Y̏LP+8N`^ee)f$j 0GaWʕG%#gd?˒\*G9CH'`ݹ-9̈0Hf̀[OY qUI0OM R!ώs7_ٍO=Fo4)V-p4yӧx&cIP[elvk>[R&Yqçsΐb| J%t9>xh\ryp9z\?Ŭ&/:2s,=i}tk@ lhgX`6&R 4<"<򡦤Wptg u(TIR =GhIwt:fvUY )IRFA z.DTg^zI:KᆤV#^Jj*eIj֪ ʷxX<tw+7ZM*9eH!H FXVn)<%J@0wwܪStt*]M/rpm u x>mjв*v5ub{  pЄڛ`Bb(7|Af\Ĩ_RGgZLj1`!g .v,^hV  /?w9B|I0̑ _>Zida$E>Ee)#2 X/>jSwځICn|{r2Xk3d),O`y0DC2` ȀPv q\cS& a1Cg&(4fM SN/'1F>Nlnp KĎ#0j#2CwmW;Vhh,ܰbǺmK6iݦ5:#/#Rufː+P U.ZΕ2p,YDG`J(c|k֬y$tFڨhgXMYY|3ov6-auV:8,>HEN|ƪ&_a0n8j@뭴iDJh昄Mk/߱lH"Y}Bܽ}wkNk꭯6zH.1XյZ9<%x8/~"dWT1Ue&Q?hL5Zq8늠a" RE,W\(wbR9#P%3* : \`.ɨK+7ڟV\@ 4b|!c1rM@sg >|x3GW^4͐xSE+G[ɁnLkICk.|l7o|K.B[ҍO! B̓3{leJ3"1O9M,=>B>T+O*Pi ⼽<(>r,[L%̝]es rU`hZt\9WLG jMÎL4qs0KkOWJD: ;nkG(MG] [PPk*^h]4_+xGA=e[#6D9]t=\G@ ^frhR(H*d+r@D!|0ačK.H/HZfY+bq 8G <ĠƢDjdԮ]#903?r"^d+!uELǐHKCu\'",+T HJDFǨO mc VYip3Ǖ0#H!L[_)05Y5'4ڬcb@AR\G餐.E WV+*Y#e+qKW'I"U(9cr pS,4y!jjCk.[i4c`˳FLDpJLJǏ5LL &yWR"A X̓䍴 !*Be+i)b!'#*Q>HYVpKCD*Y)\%HFsM6^Ցx/~J1!+҄SfN1 RKT ax#yR3đJCB9M#0<>=lAmyQw -_&BDpA _0p45VY|S@r&+t. 
g,TdUaq WB'Y)e Q"TR%N9!ʍ΂W@#2Ɍ8C*XAZ fX u=fi0LYDԣGpA#6aE& Xj^"l7 Շ=  X7|1ƍQ$Z1ǎRHXQ :MD-U=$d*<ց*#z$;R l հaCv[.^dm۶i6)f L));D5$vjW!"lE50VO|C 5;c Á.c_0=5gdǎ ={V'qvjI{4SImo]PAMD(#dF(# G=V:P5N'oڴ)J1v 3dkOV/M>v|@ gJk,"igaܸ l1`Re #LQW%ok,EɚXxKƛ[uA!#;l ;P^"3)EX^hQE3bZeSHvW#lh#0eHX6BK,hE xs+[QjM^Tzuw2fgR\s?.D Ŵ ь**]ax1#` 3[WV<p&>q]TH$ݞ={uՓ_x0G\#{qK Nһs-#X1ڲ՟~-6 ܙ+cR0s;`4wku0/5׶窩KUg͚~!'Tpe^K2ϥH*ZLM) (^+,{k|q_ƺ*[\ /7Q+Uak6߭m,\},ue8)*kZxq}mi1WMɕG-S֬1Sx :%Ŷ *E֨[qhGFկ_I'ׂ*UX|>FX8`xvCc; oLY>UVTFGU&Sa/l}Z ӤFG6ғK> w9Fh;8ؘ7[}}*5X `_J(_6P6H t*pa?()(඀V͚5f0JмdE@X~OMn{>*WdooM+MQ˔`E?T *:uJ81B7odѣY$(`޼y_qQ,,4+"O"[7w-l~8 % fI:(D*Ad=UV%L%^AW0`B>H-MIF3eT06[ۋ F$ eoum {dϞ=}za`\JV* GL4 t-[`0Xl8uUBMȾ|9_eb,Sl d?VtO7G̫>&e6C f~+bqX_Z15Zm-xU<>[#LAl^[GdiҤ v4xubq3!Fg{soI*{^t4eARJ" i?ȸ'/} 3Rs=<]>s 0Kt5\͗/_|EA`qXEƝ;zKkԧx~ ޱ!xzj$r N[ńqr1syZlTƄM 8ā8&[Ya^+S@kP~XrK\ni_5e7k`8dr!ĥW=c='3nzwq˥\ؼmcZjƃ=;%Ԋϩ2~%Oͣ ڤ~4n\w(g]E\_4_{,_T™K :ω ci]_|ĩ MΗjǏ>Hx_->H5ΞZAg]۵/?s^عMY?7ؿWh~ֿ79=[( ]׆ ҇^l{ՠ:lAu;x@jFƸZ*۪VWKc]Z5g\lx$Iznd>SitE93llZܦLėfɊW,Wҥ{vΜ1VI6 P;^}ߧ3&n夽R)\̾Az&>?5fNAgW? ~VCu3k |cz֍e"<,17,=8U1n7::dwKlP|Irّ>~ɺH6;}?":JDZ5~7A*wZImnm@AG=ȏMIל9בξ=C:P,S܎}SˆO "OdG 4DՎg q6!i~SoSMꊈdD?Q2sh?Y <űaCq`q h9|JU핪UcM}[`j/TݾPgoVqGjjƆumC?֐Y+7 *ʺ W.^%JD7l93¦&b!i&-e0+H)O՜iH#-1#D"Sv G0yk21gې3KouN%*0s=e_]"*WUZw4V.c 31q2g@x!%lEƈ(UkId,kZ:{vɪOI)>}jW2ZU旙QbKLr O5~Unm2mR( ؁[+ 4KアZq*J9C2Y-ej+1/ \QhRU GSmFIRP DDA~U u*T1&%EUXqqc$zQfS CD IB>b0O_~%G.A|xP>]U{ޘ3Clw.v^}/? 
!!B‡H H04jʁ$[EQ*UR+}5,f̵lKkiJ"ퟎVB#,EwԈb%X+{4&Fcb/Ko551^b;6Qw?o/<.–o7sֳwM+kI34S 9vjLX ST^C$'KXgn(oD:~J~;Lc&Ty@5$>No(|ė#one{ !0-r7Z$=Rys6 {Ix,8Q/I|.ZC<*>)TB案D)4 7##{D#]I`1Z +NY_ 0>nJ=&l#u>}LU; ^"S!08igʻ7/TӦ)Ө0UP5Ł`tRCL4rę i4=WkX1>j 16m?B\%o;ԊUKvYPe#T$<{R>zLV̟Z*SdSg)_(U/kpAt52d5|p_Ɖ{)T PP*(q+b!!nDg]Z SJR@HiW~N@csP\Jbrk~k_lv ށæ++YgY]{~?m ]Oai5I ,I4GJ F(z$ePb$C1aS6 J6Ac}gvs7p&@׮lZV,Oz>=; 3wm t֤Q1>~'9eaj9{[f&3kx*u,9@|d͚fE:/EC滮٠ZP˹ɗ>z_>nY}+".MUq/忭\YV,V(?ӣ3 W JMC222RSSq.>íѓ'O_Ͻ3Xt>%+t5tiii@Wj%zڂM[>_J6Wn\}-G圧K]=g:uݶ`$4~Gcr&騉&A(-|Pq8_SYS_ QNmX-}XUG}E"|EW_+vn]͞<4\e$0 qUEox-Z7(ý9æpYIj9V  >vrj'aAD)S&ܹ^u, eMƍN8TP+=O8C#WxuW\;?Q>@0)bA# ܲIViHo'T! (:{R5NQ h1gT  m׉V\<14&&&~н_]iԊI1;Yʓ{SHȌ({{{z%-A[MW S)5 v"|D)u',2V*+qcTJy8W*U-K R%p+ܻ5#UʸgT5mLH*$ 2<j zH.OR]Ar/AXAB:з&|lzB,<{4CL[ڤNT^ #jb1]{ ۴Sj9p%˪Ix %Z|P0|PIIql61 #A=f%fܾ5j&Y}<ׄGAOZ8B?0_A-d9_x5!!_bO݊ܠ)U~׬bʕLT_I0LIgb.NW# ?UO![wExZr^4AU nxGֈqv`0ZRd"rYa1qd;$(wn7 ͷ 6zWL4fǎ4(=PL$7u) F+#::z]dZ7jfklHf-N&­0:ZQLs)T5U jYQݧ*9_bsSpY9X j+oT:|,Lq~5C1j l/ ,PWVȪ[EP؅w@F+1حX ߼9gz<Ta[l"+L׼@a(mG29g6X 0ZtR9!3dF$/sn: Tr ի%͛"V=vgܰ#lچ=֪PFآ67M~(=T آ^dzv 5w`+uax=$\N 'SJ|ē[v Kk`ۛjKkH_C@dVC7; oV[1X0CD&@~01mii VEY[ ݔt)Wp+k<ܞnITԦ+%&>hdVwdյ֙S%11-))cܻ"C26 eZȡAbSF ؆*nkfzB 1@#(cVs{+*b5XBfu{cG+U>ƭ{خ_ߺhsv jQڦ̅s/_yGyx\ fGfwKd\>L<@:],+W)$ƗCC006=%@SG;֬# ;*_7LK0!(QxϠ*/ZZZ4kY~u=6$BC

9Ne[ oWT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx |Tչ?y&m#*@*RX@"\D E--U `+`xA. P%9b&?}={gIfd;0w߾Y'@ۗ3@ϐy(tH!w0mT@]FO7|pa_T#F%h9k*zv{L( h.$j|spLew~@s6g B"eς(4,zsr{Ҫ:_C g7 XeK:KИUX{5u &Pg[ŅONJ=6֐*džz_QpʪkGJPNiei3[>]~&o%w˾J2F~*dexo_x'r':Cv+ ^7?vO5f{ߡgǜ <)}OU>  O*K Riŧ+TNQ$.5}ˌ _| V *֓G펞Ujv{$@aeU4g#Z${{ ZtC,xx%`fU(I*ot[J=~م,/*.ʽ 瞽eee h".īrluT8U֬u>qk tqkLgXUZzv{eЙ寔Y{ ?}(44Og5ϘTAKs$bw,ʏZndøsd_aSw}_Y"kg fe-E#e/+r6sU~7{DIIi(a۷s.hV~p됛tS !y]$ټG!\nd߮-~ {fa#r[B:{-~P3=_1<++A. 
кWg*=r jZgX'zSQy&}ЙSi@C@)Rvթ6q1QɢKƑ\?]VRlݺu-]aqQҟrvA`_rCȗjI)9|J9[G|~r9(Gr^rnP\:,~ON!NG |ZdxHtr;ؽ0 0$ܰ z呕JOn{xW;($WD!8BY3LƟDJέZL v%!:o[L/+*?UnPv9ΨRˁɒ'oWuV걮 >Uьf\Y?|(7Cv5j;*_سCMuOJ{v 8;xI[#cȇtfR[3 Gpcc@Hῗ?mbP whI ?|}\7x$krz^&w/N|(>U~\; z&lkps®}X!þ[QYY=+zv{!<ڿSU-1 OVAq$.U!t32Ǻ{;m]TSJeWF$\\H`reEctλwCEŏe:Qe9 8y+Y:Lwݙ(#Uß?ԙy*{ ' EqvQ\^?^"=b)M?bot‰ {匑U yN*U97 }=Kԗډccǚ,^s FcUYz<\YKD1PnEyg%͇[g'ǚ-A*`FC?3v?Q6Xu$.I Z9A_a6oD8ijCjBPu9Vˤn~EY5;^QyىO4@\8@b4oQ1eJʂwG5 gN|ٍ)e *qa)+'9eU͌ ×!ƣYfU3c_'NE*;S {+ 62=.#|*'<|MnR>Vvʚ1V2,dlu+;+ív\ѳcږiaO03Tvc7c_>wKLg@&V>Pడ҅Y_"# @P3c @ 91d@?T@HxrY@O?3F@*@ @ό '< @P3c @ 9|krC~`_QQ4ع]tk8 T MumJx{N;w2tkj@R@œj:LFE³=ن.>Zxo;@ OrS͍eMϥ|Ms-&_2.*.^yO62rI/2uJObQYlZC(l*!: bU&Tꐉ{j17F:n՝e6gU'PT{*{ѳPSao͜U^z\EUZ+@ֵQz]u`51J6JJv_aC^rH:Ck1v WfDwQ<Ż_ 4dz,6>Ri˴Yo!yn}# };2]Sös|;U;KBUELr>2 uiO2ڷeJi֏@C>ilfX&ЩK B :"Jb>$vڏl1/䢏>֩a1 JVÅwq5 6(tM:D.1x򕉰%lNlq]3vg{qqiSߴY堪iIj4R㵐UԽEٮ= "0S@u*..^7ޮ/twݳVp }X`ɪ<&])IgJC5K)+W{djq[}]wuYR sRݠkVrLe\:Ozk9g-[እ+^@o>mRޠA1֋FA*.wԵxSɤ_L9Yͳ&uO#*n1dacTCM|Cf^yyfh9>~ޙO>oY륭y7fuhKiW73:fJg!J3gL]n}T ;9fPWN"#>' Q˜4c.Xf]Z:U:0%r^!}Gzp޲liEyߛxY3f-\?~ߏA9ɯҨ?K7q!Íf;,XTW/' Nuڶy、w4zЂ۶ Эs_tzA(K?/[vMڭzG=<.K./ y̟;_6٘eWۉ[2lc@ExkSDŭo՚_EBTV0^{ufdk}aZ~ɛkYM>ڛzϜxLd.Fޤ;&3#:f+Fw@q_acqϿ7x_~6+W,=Ye;q,F=o=ݯiǿƞՏ66ܖ!~ÕXZ-۲ݙ2W+n톂Z JVUc=~A Ή?w>}kRq!cO_F88vؽ޻{_%ʧp?_.ѽr~[}ǶӌKx`L9̼ r洩qY3LU >8o'y#rxmSf*4]nE w^sCR2^n/ T6xe7B+i8n3έ:zM˨.]z͛;OvǍom֮^{k󥭻O?Yza@~B8/*q0Va 2228蹍ϩQ>p^YIـ1}WY^lA!*K_ȻΜQ>~oݺFu]wWjަgxM?MFVYp)^2|QŭjF?G&2'],DOJ=sc7<ߩs'9/\%%Ǖp3[ T{5תE9CnSAY}k447XZ4Ï^Юs>`+Qǯ^WGSR^1䕟x4K}֑#F>30ˣ* ?48''?K̜O#]|8 ٲUStUD=:кu^-KTWƎp$r ̆S3U\Ee TֻURc yfrT+YW̜>cVϫWG X~+c8d 5b}د1;kg%JeN+rFiSEFOM6fqӉKݣWuWp=1)Ǐ N>\~UEk`f5_V/혓7|TG7/0Y*۟s鷿՝z.ʜVƌۧ&,c,x?$+h(x\1lDtbYYIN($殼9mvhnY$lѹȋLuQR5UbE.2w`sŗk=}n]ɗzʗBrekh y`A/39wbY9w300GU owrE+Ao6WC굑 5ʝK?U>?!/5֭_Xf3@㹾erN)Fv9ԫD-*;Kģ]UiQ^^{noͼvüE9_nh8a3OݺmkrwWQu,3>7w9=%y5-l+<ߦ6w\]X\oxKEE$r,C>RY{WTTȷ>S%K^Frh&< -mh=, q30~Bs ΗuFxWs}n]֋V;_Qٓۃ*zEWp{iH|nd_g XgS[R*%K<߯ܠ.'/]\~܇#xQ#%q㽳ǗUn71vyΟ_+KY䧟 :Xv{1G>訜T_E 
;`rKKJJ?/~~\dcpaU]w1.~!==#;\l=[7?hsQثfq>Y'l=Oz,D%hfnӦ͍r@SU!$5|jʉkm$pO*B+ӧW@u :n@su:h3Q+qQ\Ŵ0o/vKPԚF_Rnmpm$c1xHs'c׉ų^g]#jt:@1⍉رIux45yC/:khK[O$`1_\O6!٥ۖ%vd#ie&g4@>i`KZ[7ouM;y/ɓ@@!Zc0T~ssC.B[N&ZH'h|r4e΢~*>q-G=HpS/j!;dRH~*^TT<)N9#UPʁ@" \⣅G\O  *& @$'6 @: :i  Hx"i  @Q,B;= X@hݸQqSn@HIRW>QAu9 G@uZ[ @@bL@~~x $*D 'gG@@bL@~~x $?*ީKWPpx!ZhpVVƷBEկݡқ\{tc79铰?*W,ufl$bmCo>_„Jo,$嫖/]|cLVp@;r n%9n#-F1 N^SVֶXmixX6xU^ 0ꕘrsH [W/ih_WkƀٍqX@ ^I2pHKQ߶maC_eۊ*kW={7w^eeH <ׁIC]NC ).?4JQס Ir9jdURQ6{ᔌt2z(.(Y I5FSJwVzIfL///GqodʩN5dddD=Pٻ5`T%aͺyEf=}#[6<{׎` e.^K??whWbS~|̝}Kh6]/C;mg:bb.͚#=&4;:gݚջw~ӀN~WV?Z(?h&N:v䨽;wӎ_d劚NW]SyYW3f?Ɓu>l6жxA(%\[ fne0y֠>f/ 8(y͡ <ޑ O+x+rocuٶ3V:m!jltS҈<;~=Dy~̢.5;V\fJn4vc3p5Fcs2+##x˨W` fΈO}궗wy׶}ǶffL}nݻ_Au 2w4#6?JӦgNjb.nza3f6N4tL\u]3[,#꿿.(BI,nfϯIOx/o!ٹ[a*̒/Hu3g~;C@ۢ -/n7Ʋ=)NO6T8~Xn#&6I,9UwO165Diݭ.5*Va:n!ֱ+=ZTuܱ{8n~K8Xn6vjW<271uq$ \+UU`Xͨ;^ErL{i.9^3vѲ[.Z(/nݾtC׃sS{t1%ELKmaSZ嘌V .*J~ۢ2+8R(w_ȼӵT9xd_f媕-9}ƬW׺0vFQjcʴW%[[,7{UJvWwk;*sps(eN JZ[]ցukUEUXxl[uʱ:pV36fuܱ{8n~.L77r@kÍn@ʃTƞF#FGӬeN^g݌iumB-sZ;ZR~}^ fvck{c*+oht:]bgD-9D'!@T T Mu @*TyCPq@@S%OOhʘ!@ - ,ĵ)w85 T% y|U\Et$NJ -ڷݹkG\UZf ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ 
T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBB@ŵ`  @ @Bׂ' >@'$ @@ T\ F@|  -Pq-q@*tBBhŋܣG۷u3 v!:]t쥌րs@@ 7u0~W%o) 5ď!@L<;@"{a @ <;@"{a @ <;@"{a @ <;@"{a @ [_xr G IDATd dDomz R)ᓦܙbuI9s\cl@S" G6LySJ:\mz4]nD~a#Nu,pi3520 vB@d,>n$<,ΣdH*0@:1pɉSq9|ܶmaC_eۊXPnjNY%kz{^͝WYK'7=7`NWw˳P͆tӽo2<_u˻LRf#@BGTkPUcƎ+[qf |vVY5OEKT~h@ GvLF@>03=*<"_ɞN%O4xȡÆ>`yҸG>_"bwy94NWVKp33 _96K3V'f5feWƶ*6jҶHpcn9jd,xxْ[cn8fSqY wY7ٻ*+/ǜV9wuٿ0)yƄ'(wԢjY'U=j{CN?C?sW^F֭׵Q5e^5rG:,[Ps_v˜v;~Mbg%JC:jӪY+r`e.:.8֩Vmmv_VFHCvSAVE` 9wrs"8ʕXke/ [c*6bXͨfQjyy7kWfᅃR3<iUKUn*H16ofҮWν>Ѽ3'ooq.Yt%Xܱhyȸ*PQ-kc"q۪7?sI+3勗/x@G\1?ff_a@Qci~0p+τ67ǁN* 7ڲfkײUII# YYM;=\ Si!C˒((җ_~`?y7Q./qˬ_42s(ҭ @}u@ 58mnZtZaDPz`>z\ _~V8aF*q~⽯fꌙݯ|K>d;[:_){ގ:aĘ[n|e?P^kΑZ]M}Bs'mm+ֵv30~Bs\Bt7dz86~섎^ Wn:M6QUx^˅y3pPxϠRXm`-e/TN#rMtZcnp˘[dh9+wc痖~^މʧ}P=6kE]מK8m7mU5(/L^T5PU([_*]y7M)A]¯m{֬[eZz[>*w]s}4 [h[zŧ7<֊.c{ɿ />fon%0~Íֺ(ڒ4 #olK j̭˿L[7;룣n>ZxN=das۟8?>ANUUΛ?/ppGCkG˒MW)_t ESQ!mVGU֥QHM`I|{}_9,iE%cKgۀ)_`0$}teoŶa6) 8.W{X Q 1.|E&$YՉeOW].X&'gDZ!Wr趾UUeg+9~rM޼_;wYy^{ 袵mj-Sd}/{I*{HOC$Lo~?/;L'BI;rv9Z`_L5<\>&D,cw1^.E}\v,4Çtv ڶl1'[(2MTqɿxM@E;!@ X!Ұ|E1u}\'O s*y!)!ief2~TӲD~@ ۅZ!ZׄP<*c{ܼzɩmzָN>&4nMtY(:!n8`z#eO|( TJNU^٦]rQvcY\p^J}Ja?xcL/Rh(m3: Hra~^t9x֓Z7m' Yy=\/VCTc6lO[~\-wu#7Yך6u2Ǽ.XX/;A-zDZb)Lze[*/DDf޽dIM?ib}S`{˛E7&f޻/:hc鱅vs}?;7<(^ybឣo].hOϢ[:cV?!P'yũ]f`=HR&rL1v~iIIϏsZ׷VVvY9ퟶ yw蛺4SD$VY?dJ1' [ā ⩿$RS&Bg%Bcl,x @x C3_T@):/&z/NcGe 49!"[*>0_HDm\H۠#F'^SjB1r?~#x=Sšdr v1$\uB0lcp ΓHGllmU}Qp&b3sN$?Cg &`ϜKo0(O4dMƟ?1^giXղ:^QL:Lg_=i\M?~5tb\^sSxb󆅰r,H*`ɶ%%='p,zeǁUCK aWVVθs0s'xRVcl@Ր$cٌshГi*l]1M0G~pϝ-c̓l>iV:x~UK0=ʮWN}u |޽o¿ߔiL=б,ّH>tӓu7 .Xo;~Lw]?#_֞{c6VW:v xD&PDYyiq#^+wDʑk[VɑnnDݿwFW:'ڹ > wIX96Q*97yKvq~7߯"Y Jm X-9+o4 $''iN/EsZo=t}/&K.k'|R׌ѐIwFQl|Brܵrɿͷ^WwBڶi+*46˯uWwnodF|,_?( Y0цN@ `(~ܳk"kX<5dT! 
ߙ|uWW*5|@@3Bg/<[3A d5!$m۶6]FŜc5ؽg/2TЎm[ك3~͚#=&G1s{֭Y{7 8~WxecMnxp,fOU4 @ % s2+##x˨W`}M3gD>u˻o߱m洙-Zx`;^vw=ʐ;_lsq8~qV͜65?uψiz MKo|} s:>S.թ"W2[tv;zu@U起vKnTڳJC5uѫ lzpK;VcK<T 0R /5eX~`A/6rŲffyMk.dMnZQqsb\aF_¶\s.gBr閌w7w>CiMG@F T|ͷtS&ʽ?m'>Źm͓綕EZtխ׻X_ڽROhqN?яc'tF8tp6/uK&zxczs_Í9,!@ Ӧqxo`Ay+{ZJs;TG˖.[nmT {d#3$ E[%߆{/ZU6b邥]̐da<4!_X!`Ϭ]w5.6h`tKg%3KtJw^f 9m,Uh@V7D nD|闓r\N_1>P6qģ=QՐs2I͇#mU|ϯ=K櫈=ʮWlnݳw+zw߻'O,[a>q[o+ǎEXȇG$衷iSC#+t$)eI?w潟||M^s AaQi@HuF=IĞ$Sr>?xN`}_/Ww_&c:?'y>'_:G̞9{ UWfcs(_#f7. 3ۤ-?*Ь)eyd钜rʗnZ~IDAT!$'6j^!r >4SF][~2DT-ۛڟ^>@hswN, OŴEsI˖N2]vElhM-uZ+,Y-?7@H'\$"['*W{TsjW^yVx} m.?+f[>wW?'ݷ@[>}e1mnwikwdËGxn6,BH*xRMGܓɵm9ucV-[`Unwߌ; ~T8ej蔁ccygq6䓄YϒEDZyŠTIJYOe6mWL6=nK F=|FCeB@2@œaC9nz!ݿ1_Lկ={'u~ͨ 9;tǍote뼦5߻+{EwΈ|M~Ź-vm7:r|W~6ߊ|BOB/?Un j[t\JQo-w?(7c [!KO?ѣ?ixk>0Vݣy3]nĉ4s'П6>رcHxN0A'` s'V'," $?j$ wkfOIp$ gS377knq-3*nJ.k 8w#p*!$@ڪ&W!QL^NC @2x| $hڪ@;wh*(nM'meaHRNX-(YsdӾoBM@[_gR*j3J= >Pk* T#ڌR T<}J!@ 6@COR@H5x(@@@gR*j3J= >Pk* T#ڌR T<}J!@ 6@COR@H5x(@@@gR*j3J= >Pk* T#ڌR T<}J!@ 6@COR@H5x(@@@gR*j3J= >Pk* T#ڌR T<}J!@ 6@COR@H5x(@@@gR*j3J= >Pk* T#ڌR T<}J!@ 6@COR@H5x(@@@gR*j3J= >Pk* T#ڌR T<}J!@ 6@COR@H5x(@@@gR*j3J= >Pk* T#ڌR T<}J!@ 6@COR@H5x(@@@gR*j3J= >Pk* T#ڌR T<}J!@ 6@COR@H5x(@@@gR*j3J= >Pk* T#ڌR T<}J!@ 6@COR@H5x(@@@gR*j3J= >Pk* T#ڌR ^ |m) ۣ @@G@;_[Jo*= Pז @=jtT &oC|m) ۣ @@G@;_[Jo*= Pז @=jtT &oC|m) hix7IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/21.png000066400000000000000000000756051303637203600247620ustar00rootroot00000000000000PNG  IHDRIAґiCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx \T~^@vK ,J!R <^2ԄԗCE /y 03Pe^*E1$3b88o5{gύ8g=yk3^kkjt:]B @@@ }+lG(0   D ~lJ4Rx}C# [Wa,.| s7=qųřvz]xTD@@y,O(>X- b5vSt0'L?mDh'jA@@ ݏBuEG5;=TO]hJUO\1t>D,s\ևES]c]h?XpQ`Rvp9rgS8kRyŜRAy\TRS*QWܜ 1>`Exǽgo xhxnp[T.vDdSɬNw-Q*&aJKH*6Uv.4gxe;Gs@Zy,(l}PN\$][tN7u2twsV( Xr[jr{s${J6Uv-xFA{G,q nxmQR[[ݣ[j.UzYj۞2|Af5 2Wn*l61,& 8g8|tF8+bXE.|mz}]@EE4^kVix @txVRLtdVTOYft3I'*Dtmzr kQz~wNo* />^Q]pK\Y75fg5wt!ͺC՟|#W B2YP]20 e:v%$ql@nwAQ^% JdAZYAٵ*Ԯ;55wFoٺ/ohlhQJVEVa!rRCH**SżڝLIZ}K1CHxs7u{z6>$*]/Fe 9Z;YHOn2BF?3(:WXNՐ]'>C9{? wذU;ZxGT1@MZ)90%krlϏ$/jѺ/kcSs-z])3[U61촘o#g'jꀮUs?>H:O>snPŠd2٧)>B$˾w%reНt 0tɂc >A|C./l{f\G^Qjy΂ʆKl2Ҋ] QcdZaQQQwtǽ=uF\ =XJxvaohڰX5b:\}IG}uCQ0;Yߜ20*! 
ڱ#U?=,5 aro ҡ)壧NeI]wJp/56:BgLZZO3:)s#t7"T ^`29[}`0@*[SHߔB$%ā3vZ:hYPo('sE(x4/4f =keUqF`.Ԃ6'-طȬb TӒb; $W}4`@+twUś8x^{zҍhF:S*"5zѩ(;Q@)|`BUn)ڱvREOMc)\wQcȘOãtGkQWv`aV(=k)aZ).O,t)S%mI|^S3(╸UpD܄Jtс %Ta 8n7p]"y9s-d$*xZ7czDԽ" .ޱ=Q&wR PJY M@6/0'XIZY^EĚJgdY"WMV5T<.(x#UL4&9kޑƇ+U4\n\Wzݭ:u]{\ dΠ=pAo;Vef:4ML=eVy/-a&]ZB &W;Ħ؎uW;\aS̚o Z&k-vaµgT Z­V$.p:d1bJPb&)p* .ޱ=Mf1C j?nαcm|}Yd[2JIGfmZ /Fq ݮfE62ߩ&> G!EE5M- \fl7obTHNM-M(j7dK]SBҕgS7ؽmr.2Ko{#RrHuxٶbaKXUnkPŔaɦB憊WO3"W,h?=IYmqӴt1pM~Wq;p95\nA|ÅͪeqFs}= _o _2L}雺ؤ?E?jjj76|q_l[I]b/rsYpG.avL/Й/\K[Ao }k^Vn(YiZ+ul,~!"|Бh6u1o3.h:O3.Gh"3tіsEUs7lg0IfaB)\/iK+?XpQ`ə{Co<0T$•W^n5X"ޜ6"Sozd{υK  .p?/Us? 1*ze%rgMb  A@,Nm4M6K>`/E\ eM6{Y8&JjQ   ~A`j/<   @wj@~   <dq癡dqx  @wj@~   <dq癡dqx  @wjށ? W Ga' !,h5( [Aq!e"%,})3y{8[}Y;8Զ ŃxP``&!y(L`.yE?SQÃ;}gdM/v>:pQ{ȶd*9W#ni_ }]/LM\[iuø 54s\FAay 3TX2ok)v;3iZ Pq$Ss_˝J7DIʩzsul,:mwE$5ܸ&Mɞ;sq Sא1/'l;A[3E&N6(.枘EK,_-&=Oo*m=|hUU՞]*lM0ђΤI.[U4g͙l4$,l`۠b7)+/15yq]>EBd@e.x)G)Ʃӧ+ss_?tsL VQ()|BcG:o`W"e۵aA[v|TNu(ywcŮo9q oUIpK7ǡhAqE˕_=R8C%!9eU:]I𷙔탍L(9~x)K\}-Z3yN\K{oꔩ I !ȨٳfsՎ"PܣCS`ÇSRduJV_Q^AﺋuiVoG' ˜5)O[0IU'q-} '{~yqeKMI12nN', %APOKL}mo}}P^}Q$NΛP)rcwŮ<GsrMⰼܾ+P!a!!F6͠PKEJ_@7]ek$m~^~?B\H6mQ暼`q&$$d[m嵨<]M0>vX+^ShfhGbi#}H FBHQQ/wO VXN}͍WS̟ T4V抎C\:yÕۣ}*\5gV9w@IgH%ah(6Zy+yAC-;sᯣ}ȴ엹}ÅTا*/#FnڲIHjQy3R+^>P}4^$uq,PhW/ w7H&|UY׳rrxSQ-\Z`ړiV(V0sCֽ#(쵴BTpE˖YwFb̄,"UgW<]}Ne"ϹqVUbDm_^t4WRt䘀}M/S?Hx[ҕg[KTK ,SCTG֠ d` %9WP*\QMnּ_}q)/vR|r}*Rv޺{=$%=`GlǛoΝ<]r=%_. /pYA-W1b{!405^`6mwjB.7$$ )I菌Ur lی+f$9VylN?\_ys^ӻn ѯo?nJRU?GxŢpJ !4#1_gNvl[Epuq^*.XY?{.ٟ6YC&yp֕\ArEĭGu#KTMb5޹L7CO^lDu٣G/[rf0e+ -fFwpiF]ÊIY6-+UxhMkgΙ`)zwm:vV~fXDtOF۶jFd>K5j~l55]# ևR755m*zaKU;ZIE+-]lIZk ޞ*4.S;lZ@.~i"n:4ޝoLlVfV-C{n{+:rE SO%)JBUC[߼@& 6R2/וeTW#>q}/QVt}%~(do `>pDU5o)MM׻3&T7HCө  E6M۔xrxꦊt5LN>o/XK, m(j5y6m&}TS_[31&klX?8~Xtơ}N)&loБ;ZDrx~v^.%Y&9MMb$yMve6C2n-^tWHHΎ䬌ⷊGIMdN̔9YۖS_"gWbv̨1Mr_ B'応wY*OW셐V4Cڏ&:~=jί6Q8}Qjh 2W>淚쏷|\wxA/xkz%Ҽ`;sw IDAT%%C]XUu϶֏3vp`;P()CVGֵ~uu,>i'71U5#MH@;e#!Fg1}?9C-: =F۾!%DrEJ<ѲF=hJop-{+5NajJҟJ AxpuF<ҧ[. 
}4Rîym!c.@?H /pK4s1 &Pqytt- D -" AH S LŃ7K0@"El *dqWɡ:$VGA 8Fߣ Ap[PJ7Yv  `F]#(@k`ncp̥6}BY<@: n1,.042ToOSͫpaep@@0ǡN Kߝ BYU0p{Pfԃk@@.F  AKY{kgq_?YmY2B$$cP[;E (Rxm!X*bٸ8v_@s   BY\v@:q*鉁qq1dqOP 5V.*$G}hZxFKD2?Փf܇#-;ߑ1&\-s^q!/u,RࡃT໶}--u tT?c\uTmQ]V}k#oO%k]F G7]#otKo>)&3?%feT` \ZglTwyS{kW>]nA@Ay7t 'қ  7 -OHK?xWvOBE `Km۷TCkekJRY47 f>˖lI6>BHOy5O?%MH~4O?V^yiOH]x7Ād=fDDFPن`/8Au;>*w:dK*X|[N
ҷ|V*O01';peEGrH(ދN_Z\zg 'Ο-5CS$ m ,kzR`} A/gy䬈:Mw:& $+3+}!όu=7+LR ic׸$hDo.[:zԘXG k -{[0>HΞ^7xf,.{ \Vh.g_R|FӲACvZ~hrG/[?q듞~z 2?DozrG͐إ_$6JLOSR4{ɤ5r?:hEgF=I_ xGHH4za#\- ][q[׺5xٜ˝EdUq5#X[% fMϒtz0b@ Y!k/û%{a>O;P c>h%3k={0:F'n-IQl\9R'қ q-Jˊ  {ӍxW%x(RB^4C)l@[#cqJN{PI~u&Z,N}v/0mƞ={wؽ567aV{c`s>gOv8E򓂛 $6Fttri@~%@ ϡ,~AJ %ڽke~9|i4fKIJI}⫌|+XAs.S'L<8UMoܾ)999W'ܾ}hq5~Y\\_tC}x괃S,4,/FE %N g)[/ $OW7AP Vs8MGhN)~Jץ|)JOyrԆLr{o"+)O;$orJU#$&zĸdMkj//_vAuqZO=%HrSH5[RkI+ֳ̩ډDqi+L 4eon#9%nV\$ޫT,%VMƱ@Ņa?hj$[7]ZE˖YU%;nKI՝zHo ;tTM:A^6O[r X:%٣IVhiM3@(ӏʌo4w+ػcIN{Bg/qRTE4h%W|NX`CU|AY9{vuh}o߾kR#cqNȾ%>xR?vү>WMBq %ְ  mfq]8NkC$"HZt7ͤ N}wVJ4^W@t7U`M-fDq;0)k\ڍvSCmfO>5iӖtaz$%IHA33O;X>9%vjD^]45)ϛd1F%e7Ja@N EQÏUlmeʟvw$9x`TT_FY3(.֢?;q,GͻPS Ƅl9=$I>!ٸœBs]o~go$q&3]zPUÕ_Mn\%TVseIES"4?oQ5~:b!  m_?ӌƯ="ho(9=u7~r8EO|s7L3? 4чn+6Mۦ[K6[txpAv54p2!+ZS@NQ'@@]~)8JQ))pQY!}x="7O;SvP  К=3c1ER{C %φk  %kԝBI*B  '\R ,Βb}ioT  `Oif.$ KV&@ K@@xp/fܻ @@ w":`&,̽@@xp/fܻ @@ w":`&,̽@@xp/fܻ @@ w":`&,̽@@xp/fܻ @@ w":`&,̽@@xp/fܻ @@ w":`&,̽@@xp/fܻ @@ w":`&,̽@@@; LUw'FWUY)b 4T$YRԜYZ>W^}ƠfMGnjҭG%&_7-@  %Yųj'Sʗ.&M~~iB%z{gY*%E ,mƠ  m7t 'қ H7 -OHLzb#inJL9xH0ξIG3R5[ÇM<6:cTCq=kW9W([S:5As,<nu!)MLGP{ّT䛂~ByUUujg{>ͫpQ"+@Nm2mAC}HP G@@MK*\rz]Mߍw3 >z8T !:3LÕV9yqû'~8c{+BeG*|}bs8-$J{Ai޷fDJyDiݠOv3#JnW `l7   .|ٝD,P<+7TбjR"glu[y6-]%J"n }1wfC}HoӞfUsr)9wRba=ϵOVśb78@%;ِ# XB$!*tȜ ,\c$}W1|Y} Nv/ cYDXFW|TեbqcջDu{΄.|NGYi, o%%eC`@@<:`e08em2R&yIXP\_v֤khYFZUc935%5ZF?T,c1#-X2IԞ!1+ ĭjbR}nJf.TE"D۫䶤llC YuNNηuMF*+3+}!όu=4`1wIq,y|Z*2G͋dEט0c^7}-uN^ңIL>mtq3 frߗ5aD"çe*-P6d6A@!A_Xo0_hn;T~ U׳Vm]4ŭ^O%~X{?t;p]:S<0P[!s@$@=[}a^:ⶮuWq/`=)IL: J{KVg2493t[#SNijiJ~4&(,G4_p# y=F@@ -D  bb(@ @ނ   &F  "@7g>SfNttt8~Ҳ/АY!gy@%VĀFp_ª) 4j>656BCԐ]*  CF{8"͍FmϢtƶ6fqAwj[Vb16\[X$@zh1Jw}D"leזgd8]э UA@  Pr{_,mu_lwUb9=Ie/ пCXYkKv0'$[u,T ^2͖fgBYf3էVi(Zw:4f箳ָWcH/֖3_պǡ5S6*+- [+ge[Diى ֌89U+gjmP! 
m[69ԬEGgKtSlE'rR|0p]\hi&=z93R'čΜpV+'O$Fl=#e#pCzS(q IO Us*U>hSō?\9d@l0Y8c=xg{>͍U'Neٶ y3EEFћ ?,QM6vit8$~Seo/ӿXd2ٛ I8[_9}o3'ӧmjSMcccOAU'm߈uѲ½_dJח7qE KŢ5'fh&k%Urnֱ٫ nr6llߦɳ_''0,0HbvRΒysW_{}}wPu}7VOeꄉf(6\'b׆a@&䍛2iT]N&ϛ]${rvH{Q#JWi(6˯1|D"fq8W/hKՖ%W}=}#@+46n9?}29K6!>ϴfgb-8 &J /x]ïL+TrNT! 9YV:mR}WZӶ!;lЦo4h[WΜZ/]1dq[:oy{3J|p>2**ɹX  !4ezihVp5or5usfȩ:e*k?J IDATm᪁VU}lCW$: l͹3FaA/Ѹ٣B^NIF#4]AxKQr4TnbLӖ;3_EfMq]:ҕf _قUUs B%OUbƩ@^jȳfuhi$t^B{:7hVsqv`n-CƫhL!CӛWM)9C7{ LbGvVl鑯 5r谧~uL,!:`ep8em2&yIX V;t-:v +SÞ)(gd7F==aP;Klg6D0Ϩˑ#6GNo|=*!z3d|9E>:B]1˗y~O?\ewHR&g-\V:TX|>06̬eKS K1dg.$wZ+d1;<ŵPaIJL"!^ d~z@:k_݄a810Ro.;kڵefzD ]2*Jΐ ̣4=j\Ŏ9^5@N8 [tMx5&y 5ne_p&32YG P]γ&/0}dIy-^(H6ZƘ$5q§C/͘u3[_-H,{iV/+`43 Q-z yfdY| ׼GMO{`_Jΐ^C?2ͣ76 HYŎ3I>7neɊů@ JV7__4[Ts B}[~XE?A0Ne6郑N-mmt^c.FK8FS7}])")F׮~]F{$j!匧[RABk v :|3%) "ЩSC44%?L %9WP*\Q `% +b8aIs_FǷ%ù[; tKy^d24KFJhE %\2@@ `w1hЩ7o۪xx`M "izXeMwI|,5C!WAQkTfqOE(k1|[OA};x~@>+*܁UaX%oC`S!6h`Qfm4&b Fo=^w`U[ZwdqgA@ o)_y@   ,dqgA@@g ;K   /'8KYYb!,/=?@@@Y{ח3էV=zi:7)OyIz?܋? A3D{'O5gfcc|g8gA@@J8=]m ċ%ʲQy^`Y[iMp3^xu9TUײnaA!Mo.Z2,,,oهiY!Ljkak>y@ ®]僆=PjU3W1d(X@#{H @0g񒷊/uh(ywcŮo9qB6Cl,J 'jrCIY)I9[ WsK7ǡh ;sΔ/=\aXæ؇ oC%y<kI$F${[g5%yĈ&6A s]+/' [T6gkB"^~"Mv۾Xb'a!!F 5\!##fM6m4wF-I :7hV#>oy{ӡUyV>o8OiՍ^{&1<{}HS{ Lb'}ӡD~ ^E˖ȐQ#{WRu,ֈCFDDD57t%R&&n3 ~LIW$OK /͘?L}Ĵ7B֔R5Asi-(\)]R37,d/)"e[FDʲ4Ddywnݻ.~MVB"e+Wƛgɷ-6I80 = @>w}o̟?gz>U^Yti: W;0k jLA*e)%9N򐖊4Wae:*I`ծ5^$sg&4q}եb]a^_bF\e/D,t؈}v:"I&`]O|u!,NH/{D=HQWPKˈg[PRd v{={|uK&dcI8JrMAE:k]ek-,E?RŒRJrѹ\ѡe(@ @ (]R; -Cxw.B/I?y?%CW\2@ q"4/{{:L6.@C6nzv!c%kZC.Z$ܹrx7uhǡ\.m"xzt ?I}+-ht=z}\%q:8ϽEy6D}x6p KC04gNӋm](5A-^P#tsbU25Ff*=KuaP).G{YSD G~#@f?RKW:ZenLJ+=ʚ<[/)+P|[TZ;Jf[J&SGbK6m}BOܜ<:Y-OȖm[a y*d}YŎ͵kߊD"kDKb;*+&渾6_d0L- =6J=@K~g"!å+X3٧w+=>\QdVQ&#/~~xyY-OȖmHa g*\5ײ/ؑ}`[HdhZlGs%,5$ɈGVHGvA!]o# H{ߟJ4?^ݲWzF>痋d'd(nJ@H?|.Ze;$q*XHe(uznb}2*0\d>W+*=uޞpMu{5/(@qӻ"?n^p(k5J'Xs;Z iAদ DV2Kb:]5(nA|ƥŭ P|i,dtU+D)Xk:JQ+ TŹ*02d9rJrTP>TrYe]v$MVRkdAv]+<⛂AÞO1n̴=C~*'/@v*U/Ff:0)5qcf>&OٳoN=1Ceu*Yť6\X}m9p}!1!믿zzwmSӻmiG@d1e^\p:^hߥ0m[Ӈ<3WR,{Bv|߸%+  zL|ߨqJ q*u=9>- 
=7bbǢbl;iC)RY#Z7Tٞ*0G[!;{)ͻSH_uc UG>_2kp?i,4ߤZߙKl붭kK_RJMDJRZ*RiSv}⣍t;:e<=^S+\$p=w_F-xbO3kCnN]2m*&03OwQqikuКO>esSb{~ؚe[J~W; B\{a V:ם+-U{Q!!G\uUUŨwG+\BS8ٴ&f#{ q:=#!\bJdZY* K2}I!D*^zJJr+[.x wMV29"B>6ʝ+-Ua4)P"Ou%FūQ+Qe pB+LIN)*]31YMnSiR^dsa530ooPzܡ.Wth *uw?VZzd%:*eZWʚ 0fɚoN}hv>(m*UYYRtVw7Bvg\J~W;-A \ݦ#+HŇRCbW=64, M|aM隩&{5+i2JdUV;koh#p,N+-_RL}vO+X_j~ֽ;_s.к_&9%<ԐF 69>8dH?mR}+{.*JLV.\VLi3}`:m29,-\ 9&>3XnV\PV_X8]ɛ\_E; m_Q|~zг(hfF]{iKI2i#@+K=bЯxu_E g@ kw,WQU^/KJg~D3Y㳌-EEi5@fqz$S?Cݥr+K=Ev@@#7{$6n+{Q@uC @@@KŽfA@@Ž  { ,̂ {1/@X@:b4  ^",%0   ^',uh@@DYK`a@@Nw`:b5pXMMhzlyx ?A@=UM>uKjk5m:\ck&F\P&ڛ4 7^k T66|LƶMUb'@pu׶UK т'ж8=oG~\Ǩ>Uy.U|IY{h.C%m+Apw]/}? .Nݪ@A?ib]xy {peZޢy>b0Rp ^_on Dh. pFnaAaRDzSAz^7 -OHLzbuxѺlMiR@ҟ5AsZ#m6_AY"Q4iasVUbe]=jt/$g{Ӭ֢[ha#.!F^;`@ ^/yrݎ]w6㒷J7V*'Ϩ߸?ٱyˁz]qIqH+nx!\aR&oXY;ru^9{{I䈑+np;IhSV]5?#E2vtysiNŏD쐽Deh#27DTj8 ##rQ Χ=9̺Äk{cg=<fPVZ%ty3=%CBti8k*<5+nc0F)/?l:Y{TEK6@e.Q/]0DNQAA~.ձvR~%jl=e7j WIYR7B&/|Rpb]&lۺU_ׯ7BdU1[QqQZ*T$Ƀ*6 j}F]w}:u8tHSKS4n?(Wxд D D 8BBB:GIDAT8^7t* -@D cA5ch@@Z@P[[޸acc>;;4 T EYfA@@mn#dqG   6dqYpa@@|DYG,MYm0  >",#h@@&,6B@x4   n@w!  < @@@G}͂F   #>fA@@mn#dqG   6dqYpa@@|DYG,MYm0  >",#h@@&,6B@x4   n@w!  < @@@G}͂F   #>fA@@mn#dqG   6dqYpa@@|DYG,MYm0  >",#h@@&,6B@x4   n@w!  < @@@G}͂F   #>fA@@mn#dqG   6dq :IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/22.png000066400000000000000000001511431303637203600247530ustar00rootroot00000000000000PNG  IHDRMb<iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx XTպwWÐGG#u2:v)"ǏQLMHM\-$3R1?ڱ00LN'kxTsK=kfbZ{||#w][{杽w]kl$)va>< $ ̢q|\B $r Wr~Wĸt(-/CH $(Hg$@Hk޸]ZR#tR>7@@ \'z,-65uARSc$]Ng/'^h@^O \zh-s{*r:}EgDkeRȘ<~ aO%K`~H {4_I" #$op.xٻ/K-t=zi\5w񟬎QOF¶O&ӵK$urT< p.xq:زr[@yb{z\a4^Z{(ׅzI!#B+O[Iz7p,7|*M*1%ڍ-Q)gG!e8I@G \zc:IL =tu}1P[+_RNFm<==4|P[stvJ>p ȧJr j77FVD  @M|Zr_Ā"}C *:.}u2htZ9ҷ]:yAX<%S1T? ?KgoO$ g36QjGlhpK())QvxRɝFHgGLJDCSxAW C@༷-  S8d&[sm$v8T@kw6FOƦƈ"-4(̂^:fu{H[zwЁ[{Baxoܨ)],\^hsJ1Gd:x>6c:xF3@]C@Q=6]Ãf*NyPQ46 `sd/ZFI=|>hDDd4Z5&)z(I !/ᰵEu,N4]뛍ҧut/ .U_E~~w.KC@r4 '{&W0 G}C(:L0KUrxQa1>R7 :8 EHwZB'3-D8|,|Jhn3!$% AEx}!J ;U 3Б^( $=hE !hɱX3c_HAe|,?,-;-zw1O\lכ J l$q(ϬRl'˸-?i6cf-R(hzд2#,W-~ pMO5-/%I^ ڶ[o4&OFczx@*h6XU7 ?G WBaazH硇{lnZWr=6.oF!6P%)QT6"]3tvT4t8uLd-:% :. H tE]F*7Z8 cʞeauC=68Pp yTcFEDFoیm~ |p;,ZJilKuFCpH`jb吝Kͦeout/VXi7w]M=xtF'">:|[65C%8.Dh䰤gu$a9>zJ"K\5"Ȑ3ޔ lӮSIJ%*U<I) ̡  -Ag͇a:+[Hl]-HuWVz6'l8ٜPA{68_׮݄g+'L6O#qH:%lVʝ(c"zciwN^WO1v!u_c(k"u=OMS8vA^a3=v MQsYWYF+S'Ӿy~mzR@ .(5*r4A7W]SMH xvS! 
2)̓x-,h!G۟TnUC  m E/;wL]`tשa^|v?*,<jxil;>~XK8 pP{\uPE+m'8yy8Q `ݥ_Uo24لv+6`O_p8&Og$QR*QERΎR"nmFι&$wVO#j\AaC/&o ,a{f\I'lZed88Oko%X'dJp1BM?[Qlm&R |yG*lU0TqÄ* KEJa#ge0f7j2;1Xt3BFG /!tip#Muԕ(Cݪr(e ;EvuU?ll*;סMl,RQOdG^&O)䵓`ӺK SܑP{oW+ ֺ֑piAkY -7 A}o6B-c\u{53JAj[/֗|]ql9&FD]]q6H`=Pmx;ry$`Hw^]ςrZgmB yyE{@"%Y>#kԉS g!^06]UdKO+$%ij1#z]ϋYb0 onl P9cSBOH $$7xp2yY0Ψc=p;+wdI@!PKC $u<>g#Fp;$*@H ^z:j$@H '7r((k2@H $&`Sc@H W`-wEH $w`H $\!z $@Zs $prWa_$@]OkyF@HX]}@H t=]?@H W`-wEH $`H 5g}!Rkc(!"ܿA&@ щX݌y ^3pD<4hh.b-] ct3W؜a:[Td$B@` ]]82.;B mP7/.~MzcF֝*Ԩ,ڬ.d:zZʜdi$r";7S<BDa߃8`ҷ?(AudI*:V6+CKi1mBm47\nҳ8;Fb2:.&_uu)sRm:*^[#}4!ߴ/K^õOSK59&01u`FE`.9,XuRr&eq@UU+LΥd̸DQ*LC;@4αR1+dha붛IC^`poc/Pq̅(3|@ ~Rv k$g Nݐ@LqQԹ>.7{ r\#|oczA45*9NSkc;\}**:9(zg g˻>v^S jd~6o-7eRı/._qV~[ȡktfk:b λ  âu¢Szpј81۷LTs<M>e);ҋAR%Nz{ذ99 %M)Cmi~!ڨcAє#3N=k:&햮YP˶n0jζE>#58D4{{ =.Y%ßy;REUHRkz8~eyYBvV]ۚwa0Y/|~s-XD[~m.ssM@/ccck=]1$Er'S~b6_h oYzKv@蠵__nr!BmM?(oR~óBnM{&ƅgY0E?̝9OWC6o>m.Αpp$2$ oiY7J=y̠;@!mã!TQT.5( 3-̀7(6G"`U&؋ X=5u^LU?jq`GaCVώN{N`k/ jzPSa'J [~2.]U+TpKki%O6=,7o| Ct!^[g'$qN/ euʔ_ƽCW[hwMnކLԝ֏I"\-BCY[եv#n(ZF c!M%{Cfbw8eɂ‚ 쐉:'BWHNOp𜗳iT,X&"Y& \$gO~ejqptt9 ѐDdܝP#ƭB~Y?oxWB3]{C., {{/}zlLB<>9~0pN%aOTN"_bޫ>\/2{QoT ]Df6w'l lSلbfMH䆍L͙9?>M/\K _>l8ue#tU5kD du}xo x&\%Kcɳ!Ds hH"PPDU:`\g,1=kpo}oϿ?1L _,eٹ%) /i:\Xt.JC)C>w3vlXú-"DYK ۰ h%.-x冟 pQ V6kz Sn\KAukb hlj-\^i0G JW7nmm_tMm3G݉2Eěg>  CێmGC86 [t&N5$zμԹi?4q'Ӈv 0'$葞fv2'mZlrA11?5* |k꿝ۢ"W*=b@H%qWn}䭒om0|*~n-6q[ IDAT^wlty[DzVtG։ɞW8hء]q}s=K.Գ޽'G8 'S[[s ^-jQACs݋BNXY'#.q1*\'\-w}\=_szɓω0ݲ{8=k" Iv=cdcКOZ;_r O vv 0| 84׆H (}q?*j࣏F@>9p]ŵ?tұ] r> Sf'&]x-Ƣk 7|V&;;V֜)H P9|QatvjJ҉rX-oll䯖z?z \9nNj^lP-?[[wO^?\93PNx.9 ׾n#%圜>12$z셵 C@H@@˹ +[qr!y1X˽jF0$8s 030PDH[ `9֙3x{OF J+6!$zëXq7@H @ cq'~7sƘSn޺pkQq }S:v1w9aK7xf\]҇mo4þ{}wߠ՟R[BﱃLIi¨ph$9wߦNso7jMp,-˱wQZ[/!tE<4y0@`r,^;`+@K j9OOsCs\cw >{ÅoR=9@ˣkjԃqU\wz ;ڍǮ((&"zibvH>_ˡ/^:Z%ҥTzX"Ŕ.eegnM\Pb-joH"l%<pr*QF`俚oI!a1(|Qr_5 N /TPџ4ܦɼyGO Hw/._;2>6.~qRدe>IA{` ys L8$)ی4!Qr6#i=[sffʌ!L(0tšrhK㱏M$2sK.8@3"m6ҡy"?$@G~RX|μ9$=bPfQ󍫇Wat_4sUV}T96}-+Ԃ%C/ 
6dRh,0VvgGU^Su2D'ZzN)Vrl*Ce%U??.)53S'JT}1#!f"8B:b5 H @"',w]n_s2h&#KCMWdt9NoRwUpI=á㴩n6y\=!(:(F=(pN٪U6AM9[ .o~  _&r‚  ˬ=1Vyfs{X`֏bf pwvo-7di֊!1V^v6PDp`Sr4`<_Nѡ` XYP9r8"'Ehrn uLz"0l钥cCGN}vɱ=rEczwpX mF> 99?X0`s4`("$[̞slCl-I hamAl:i^DwQyE&stz'O"fztr}$cnw:֬Sm\ 4p\F@hjj/kZ;}"8"*{n6mq4`Hd6H #'[sd@6mmn.J cat\rK~\ Ǡu0ѧ/}m]{CRV"z'LmMT9iRf=M4vc̚ vpR_ M #ffe_iS{G5+Yt[a?р~H !<۰>>[*{ 9unibu8 4'6-} '=O}~kJ 1b['CH|-Z' -?y``H tX7mh3.?#$|c1k?4:  %p+5vimQfAH /A w\Nw t+@H xc|;i#AH $ 'S rWc_$@Ikw F@H@+M+CH $^3A"$P!k*p $Z!"$P!\6!$j/.h4`-I@H  zrD؄@H dgF4$  $ ÆKAH $oZQ#$%x$@J WFH $㞀@H qoF@M Zf@>M]kO!@M@>* `H $7FL $cH $?!>>>@H 0BXxԑ@H L4 2Zӈ#$@ o `H $)%Z^PXb:w nyaʼnwk978ӆv'7ddsAu[h0& +C6tqȏr+zHCɻ0u% !DQZNn-u[( $@!ZN>3)7o]l\|>GKJBʵᅮǮcCGYiٺyǘ*]=5|ܔICgΝt<ȡY:9[sff ~cb5cjObI7Aط|&I|hb֐d V4E"3ZԝϧwG*Z;FBb>!n@[HlLf@iIMMDscD AVڳ} f`u  -Uw |vgY;ik:b?vOǍͯWXZ@MG[9_qؑ8k`Gth8dz ɿ<:o QrgM4 4 MJP*'s|WN D6mo6cY3ެ1&E>5`%~ZN[YRFKeE?@wWCT IEE tT,mHמ@mDzjB_kwU}_\FҤ#ub/>USo*Xl,a -|764dv7o\=t޸ ;menFPYo\zw^vc+n~X: 6' ց:"%CmE-=1SAewR~YW*~ԅ3OGt*0;iȠQs8}>r[_YiIǏKJLԉm%3~5yk%3ur3/X|)׋E&zvVN"(ԇP=t{+{{4!NiLӡ,JΚ}OrLG^jz$ZxvVfh`]̊O&jtzp%vF&9/=cIIHH&|47*[͂v 2,h+764d #,LI[cV(TG^ʖwކӤ-#BcCB?מ=uEcӗK8[ znG-3EcЌFKV ViIm(s[LuQxp`An:?RN}vJяXRv^7mn?g~QPyom-OfM4TUI\V*#p>mO{M11 Ӆ;._џ)*ԛ ][1{?N8R6ox9)VLh [V$/ҳ> لmMaaSKGpwvo-7di֊!_Ջ2,w,. 
uťM+ a-?n;&LHor^aʢ`l:rPQw `AehTPٝ?hiJ咂 %+;4/4wv7,wd޸D~@OMΣwߞG !ѬOI\V*q/_:ʘxX0r佝kLK1nAO7iܚb) P=V(cg6`FwI"J"rֿHOG uWrrVxc[eދ ӎ y13vY*; k,;&e[DưӅ m_Tƕs`H\"&ZfJWewrhFT(UאNm.5ӑ7kˆ-q8Qe//[di8.waÝygiܴ9{zN^`hz$r=+E݌mw@-?8 /|ucm\yf'%+* U{‹tnl8!:BTp^j9g=yw-evQEDYWyɶrezöd6(TֆK,U0pkϕ{JC?`m6n ׳F+s%\Dr̔ЌQ]o/ޔ.nx<xYcG#VN bk+ݩRyK8rOw(5S0w1kTKƟBHHXCury/,7T<}aF= ?}PPJ?eAO .W]ˆ4` ]zHOM#5+ğG 6g(NYYj$HOG uL143+;vXtA >SMKM( eGFMu0-''lRmGVm2R(T֞K/unڀM1}}a2woQ 2>&N܌IHocF'c>oWʜj F%Ql\"c-3쫲;94#*~jo4sƬ|6y|fky}-[EI[RWS{ L,rV`͚W;ʘ5*C0qk7;kubLm ?Noq67̷} Û=õ*%"/X6Q6fM;*]fqƢ-/|HYY`"4?fߝDozL_8dp|7A%o7jMQy UsWz,&E݊@$8Q[yy!E3@"qB +>/zlk{a(StGC#$ZB߈ EDHp|{/ |jg`@Znݷ!;D0vո2{g]m_ @v@Nk٧S^v`O/rXܑnE`c8.QwH Fl/=nR̺%[oizB$Zλ4 o>Օ7&I"'3h+7U_Xf3 Af[>޺?)7Q"m݅Ut+e0DEMCk?ɿVn %$#Zν۴=5"wvʛO-7&ߺ 7m͘'o ?@mА&GRnn>mE -whɢ}I8;=͎(.""hoEqR" <QٝFP+F蒛AƋ`@E([Dzpw0u>JqOyxxNL@vCs]h:}넠q$7iPREzF$ wdBI<.k$1-"h31L#(4s}s.@H 8Gksܰ@H o![f@H $q^H $ro  $s; {!$X˽e&0$@Z7@H[`-8@H 8Gksܰ@H o![f@H $= u|nV:kг{ T'zCH@#P/yQ=ۭwa-WZ! IDATtyC 7OPEH/ |-wnV]R_odyuyʹ:j7i$ $ ; K⻡@H xC !`ltFM4lY+V/ZS5eJΝ4mYzK3||ڍkԞ*AP! Y{(XOPjRfh`]OT8rHlWdSggf,̬8m @w G*?^irImDzj7x-TV !)Br}V(z\*ص;j@..-5gl&"ofowUYi#de;Rw] jF PZ#H 8_vͣSoM(y//~ tlr3S [V$/ҳ>kxYS$';(+5BSŞ m9NfRذEhys-ܼ䝝[ Y"nH Yc66Vώbwa;@ uBs;HPAMNvlw`oxWڳgxe7kHQH}{Y^RY"= @$h(0I %^ =헽l钥cva&kI#o8qãvdErG=Ddz$g_E{/n6mse?HJWT(/ yVWOYq-M7: k4>E!%%N+(47@GD"AKGMtmAlB;FVN Ѻ6QWztnv&QZ]j,Ly&im~lm?"8֞+s Q@ Zn5+ğG 6ghPW>}aF= ?}*eAO .i~yuvˆ:ʠ'1t #=5E!i]_ w("AKiaݟ89~ysQ/ FwDsVn5,zN*uNڴq7\S? $;,xK)unڀM1}}a2w H "ƥ۬7h:0fƌN |z<*:e߂%?hHoctҕ t)N;H x? 
o7jMQyarL) "ZR-h4FZaU6mn0i(HO DE]{U0$}@Ck9z:lk{aQ+"=5 Nw9tEUEH t坃F"Ho7~;섁WDn nGklB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3XlB1$8Xn1a$3A~@H p4\hdSgnIQѝ: HB $"DŸr 8QY+Q6 $s_ˡ NNa hC iS_kwU}_\FYԞ@סN <<ӥ]e~{=U+CtRQqPa6DymYzKn\#~DV^ӧjʶ;- Qg{iBabA_|R8 ;#7q<i@d; ›et`AnԴS9/e ͞1D/?RIP#;#:aC-:a @~,s 3+>9N eAM*+Y2^?$$D6 {΢Ω  p^M$a#"=d8#7q<i~q[(>ϟmYτ\n7w__Fz?`},qjhq u|IL**["͛JY8ސY+^X'%ñN&jY ǡ;&)DH .7nҬY)^^$je//[di8Æ, Nܒr~^ tG։3o22(7ytl#oqN~l3h37:ȧHO%C9rwȃ踉Q{;I55)mCUu:^dӪ'%N+(ח "IwY?ztjfMnZR.5oI$L<-CFt3]jd#FamX9)q4A5MTC"8#7q<،H %Z.>g-Qâ-Ջ\{= ?}Яܭy4$RMKMc.4'c\R 1W:7m@&Θ>v>}" #ffe.(ޒar (JKI_a=k&)+8w(Gny7@Kஈq67̏TA4ft"J.ncK2?с@h@H@|bũSM~!~Wkoyv]=4,DÂpaQaQ}:Qh@Hsh^pa!uѰrH $:orXtG7T"$B]p[fC#$?XoN1#$,Xk1[$?XoN1#$,Xk1[$3ׯ_Zgs $@ZpS #$Zg $@ZpS #$Zg $@ZpS #$chPW2#عVEݲU9\_SbѦΏnP0D.?}m]ʬo:H]= vʼnlBH|C!_Eu4[ ^w{-oy+ikq(nhd2A[ _t&.:1u(ؓabܔICgΝtI c7^0WĎg-5 fWwEWBb?[s( 6Ƭ˔rֱʀm"ܼ f,aK ,B†!] *xA9AwҎQ{ 3#Mi7S&555c%Ѐ\<ϔͲbѲS?( $Qpñys=b#OhcǞ*{ v:^Mv[V7 (uۭ9)*G]ZV#=rͫaTK06,͜;}cUUxMŅy}|ڍkV^ӧjʶ;-1y==7Z8͢W(7&VɝSASD!xHaAk?IsX{"nX:72ڴ|JVWw]  ߄CzC*#{I6ЀGQw:8RYA}+?,aQlԘD>E4 `6f/4IvQ}\;/A=W zDfΔқrqtWWD @%U99l r5P CP`I9,, ֡/'=3J!ЪIRm)xc1%xVf]pw70M.SX;Lh|4YVlF/ܼ䝝[ YſJz2,rȎ{YlXZ\Q"Zh`7"p'HیQݴ]̠6nG׭߶sDŽ _~M9B'tDĔN{C'jp/;{v7(9N4*|EoaA[v{y$}+woڳ_(.)WW.>f˖.Y?8a6zpCZ@։R>ּn**)''gG?V&B~طJeQlԀD>Ѐ`XWpG <$fm' P(Ƴr#mL)sqQvn93{ΉOE%_ ozVśaِ̚>eƵmR#\+RK}d]ޫMWW?NڪI:umqNy&im~"8勰h0+*W Ii $%N.Z8m(6j ""IYWiB7Yot`:/ \xn!>v[S]ݡV>ozLz/K2?Л\NhqWwI( o7jMQy֡TS\lz+c˗ E4c{[aQaQz^V$|w25pp7o!skJ_'ЧO'1}='] h xrqȹV2;,]04>5fH p uP@H `-I@H `-@H `-I@H `-@H `-I@H `-@H `-I@H `-@H `-I@H `-@H `-I@H `-@H `-I@H =O.4} |q͹+u+n^[*򏗻<玆JWv<-};m - @" %/ZGkyւWa[gAa+ĨSNN=YD~O_ۥ,MSf)ƦƕW$$:UC;N 99}hg ^3V])#A:qCDHˋI*vY#"3w.JED幂ʽ2lG78D+ _ }K١644agxvmuj!wB$~6w^1m@N_-ࠢ?=iZ-j%N _]lwGO Hwj8(7eRs5]jrĘظcw}1fKw߷︉ W]f]8Wvth'<uWĎDg-5 fWwE^Bb?[sff  Njlxm"\2}b͗늦 S "?LuzcD Ar#vgipx;:L ȃ*j:=AFHS Ec'̛C}wD EPO>5׉7o\=t޸ ԬK˪>|Gyu#Z%R 5y)zfϘvzW 
+{IGhvF@Y!ggXYq=Ovh]nԴS"y%+[F]8(ECBB7лw*AP+epƎ>W ʏ 9vL>4=W zD:ق3>{6mn?gDιcpcs YPFH{;mtU*zD FGTr~Yd@L',»mrm(\_Etlor3Sv&JK`*>١ªÅ|y+/ܼ䝝[ YŹB^8u.pţ@~b ܰQ>)sHv0!/y9qY IDAT"nv`cvo"I'\8l$\nl/fȩHlspDN:шaNTN2M9`^peU 若\דrNAǒwjglzQVK;s˖.Y?8!a}RD4 G"_7=8qã.onn6E(-5\?0wOtCbmv*АqSHc9wR4TqV o /kC9yF7EιgX5k2@^Bஈq67̏T YqBHϧbZz/7Q%?F $|bEk aZS~?pT^ru( 6j紹i¢¤<4 EH '|;gO>c'Olmo=b4,{g@H :<Nbwěؐ@H'u>DH $X=]"$DX;6@H{*DH $Љw"l $`-Tt@H `-D8@H Z $@'Zމq($@ P%@H N$aPH $<@kK$@Hky'ơ@H xr@EH $:BC7_psu5*:x,S,D͈u.ڕ떭ʹeؽ]TԷ.ce7;sz QG^]Bk9K^Tguj7Z7{"y\PXb!1SQ[ _;uo|?][]uIsI])VEbhJV& _/kX%jBTj0 &>cBK*D<U }ZÁs\̝f >{s\8~Q]Sxqӂ lڪT_vvcFkMpJsD,uEss3k#%'O6R{/8H8)93v[?Me u8SѮGgUΙ12|r쌲RfVH[tϦ<i\}E{)"m,%Y/X77oTs;RhϊIX6gΠ%ֽJ&P tC Ufg陫QWi^HOHM/9+|TtaI& UWM!7.ܶI'}鸢}١mThWZYM9e6:=xQØ73( gU44{ n-?}ǣi(_eCNVmyLɊqg++N]1glv-~[窫~wy/TIPG~ W*5YUE??%3+m ԙ?W߰eehVERZԗrA7kE}.{9cGKqe:.#G>GBu7VvfPK#٢(=QU^GHᾂ\9ъo~˜QٗNCcR;17@ J*891S$pN0B4h )/,OU '((-.4.-6vwUDt*vg2H4ihHQ*M[ҖQ*+ʸwKDĸ3WPZygic,pHPEDznCn}m?ki$ŨE}X;3"sYOC5# ݺ}͉M:u_U̠ >F0 RPeD{/$Ki:jؑMMG 0$;yN0> B@VyL@ ,U{+߯;>+U+W,_9|] j1F;b#+ (U\ pbKmLO_։wH_% 誈DQ6HCJR/ٻ9q#};}(}pn>r}rZ]jFU^ ,2"FʻK' e H)c.яmW7'F]GtX5̴8`ww*U:&k)K)MZhT^G=7.6cF:xnc ---vN5 ^N3ss+͙ٙ1Sb*1O}yGU;W`*q݅wqe,mqtUD(H!%)T1S3sLj*f)SYQc~5{iSp)[eȂ*/U}*fcV&-Yp5cT`P~JM'AʎѩfD2|$la*DcL՜QR.LCnᰑMRW-QӢj 421;\C  `_[6CᒥO uTmxn-Stvs%jicUYY7?^vࡃ/N+9tPl${֠F{wy<,?ZRr /N:}Zpp0UZ߲ik۶͙YQ#A+N*cgD pQ:gFnnޒ162jʤogj\];k?RrxtDݘzwa‚-;o*yzhO> IȬCBB>T<ʃ @i@;g&\5#477mەKL# R-QP(_=7  >{z潜t򱣥|2r3..(:a6jg\3傦oV{P絼@բOH@/k:u"nY?>^%%sog)~XԤukVel]ijR٘bWdHHYC~fp_A?.wV|{[ck?ٳv~KgK[[_ ,MjyEY4^WҟO^z>E o +myJeeC<^>VҔwO~{y{b_O8NM8dj†zd=PF7e ?<Ζ/!5=iY2kT jFKKC!@ENhBVm,- - ^k-%;ϭgDgTl,QTzmw/ђ2-zgtkׯEtw%bRB%"FD8;1C 1^q:|n#vRݪ~Ύܗ+/'A+Rq2`6?qdt+fwڗce>}:N[F4rNF=wo(@-BЁ{TծC˶h3/oװ/\K۶#=Q?a{q~G!eMZ}#]o2hx媕+>U1Ёּq}IO_։wx  gw=%qɞ=tWT qXvcffg:g7fgҡ Yo3f93_#aSU;2Ufl>_DI5.SyixtѷBNHjX43cvl״1+Mp>sGwb" @H pk9]vgL9-"*mONz0iibH3c@tBjސۣN۸a qa/rܘq*KNUӢE4-\nEw?pkH4tHNn%aAyo>n|SڝY;F/H\2!=aa␇7iG1:<;ogM??rҘ]lm+OD4qB4?pK O'{RJt-ݸ)oA0  gY_`SoEʎEN}1VYZN\xVkNnN'4 ̂8rϫkݝAre¸ )rU`N$NJ|O  
`i{A@@@-( % [2mp@@8rXj%A@@@-( % [2mp@@8rXj%A@@@-( % [2mp@@8rXj%A@@@-( % X~Ӻںs1ҫ{TK^zʵ*cO<{6,<ܝX4jjέ\u;jl@k9e˟3NϮ염Z˳wegm>l(]2^zؑ#jB@@ /]&*zR9 >kBN}:ҫ.chN (R6h-l66jo,}zTcjs~m-7+A+HJ@ZRr /N:}Zpp0 Z߲ik۶͙YQ#Av{3]bN12|Eg0rs󖌈QS&xc?S:YÓ~[_жfvcFkME2٧Q6gf~Ф@j.s[*)١Q6;9LLrk"GRW477mەK#gUΙO  >{z潜t򱣥|2r3..(:a6jg+\3傦oV{P絼@բO7(_eCNVmy>>t~J4IԘKgt+\5c >Hג) VVzb؞L+EBъo~kl?ug>{tUɔ  A pkyk}Y,(K[FwZ)ԫW/翨zz-OiWзLvKRJ^RI>p?I(?QuDS>ٮpդ܎86>»zOxXr4G:zۓ%FktIܿ躴T3rzՅL|YZi(InWZK}Iihlskjuљ_7<۩HS4ō8\⺣]I3p lJ}&5ut[7v_B 1~Ύܗ+/'A+Rq<@)Ek#FW_1+vоtg+{$ q0rs2F_~Gjꗟ[*oZ;?v00tuT1#`s媕+> ]1l 1>_ ~i~<=}['] u 5%{mP?4MauOc錉XmnޘI.HNx΃/>L5VTYm#P&$CSb:1& Q_hx;ۑ }S%~---vN2^M>1+0pnc*q{-[ @B pk9]gL9-"*mONz-iibH3c@tB:ݐۣN۸a qa/rܘq*KUӢEI5=:(!ޛϤɝ. C\51ޘ qtjt;v_0qCL4s}UƍJIM3k&n?9iMMW.l ,c9K.%@@!Z='Z9   rw/<<wC}A@@ |Cz   =Os@@@C_y=x  @-w@uuWcCW8>6ڕk5UUƞxlXx7FY^SsnAxk9e˟3ƴ+%]Y[JnXg}95׌9{ @@@_Z~MTs}) deGbT*HQȥl pٌ߲^qҧG:v6#ldla~AۚAڍ7yQ dFٜ$k}an_Yx[Gy܂(56=󱨋4pR|4\i|naYqovè#ot%YէsSf)9dq[O==hiz^mzRz\zڙ?W߰ehzfrA7+J~Zn TQ[jQ'XS'+ܼND UdFi]^a;% u3UgD\FDzl,9M%+Rş8vŐ==/*WP^~,}骢)@,A pkyk}I*(K[FwZ)ԫW/翨zz-OiWзLvKRJ^RI>p?I(?Qt?uv(^@Ԉf8E>bûzOx-9^Bj#_I˒Y~PPP5o?t]Zh28N|[o@9OrxOCM76pzZ*7KzOCcUv[S;Έ\!N}EeϮpUsPAFAA"WMm~ݸJ؞}yB~"ws`@,@mz+߯;[ow`h_378mq9m/t~Ow}BV-RU-۝~d]`@7TP责E +W\|EtMlGagŸ_ ~i <=}['] B{J={ .毺ߧlDOt67oΤCf$Fsfn7dGCwd,ύض}xnj!)1LD?!ڑ$mT(UV5sO7Ys}ZZZv[/>X ͸#:9kV;r7@@-[jZ*=lkq8ld8=Ux zpofTrv[{+5}ʊf^Tѹvqr]*f>4'! N۶͙c#L]ֳI?v-S-*#%'OAų/ ʕVI.%fss*4:w Q_@k7fI̋>9vFYY)Ӕ6)xP =px5>$n+HH~_\6?t-`_ BK!ΚSF1+,h]EY:㴝)+fjvn/j_-]ѳ+%+Rş8vŐ==/G4U.]!XS'+ܼ\6n,}骢ҠKxPJy/6]|h)=._L\S72Rnͪ i @_&'oz&Z^?ԉĉIV~K/oJ|ץWtH2C]~-,CG'-I rvIσW~pjbTd }*?*5ut/7}ál4 A^!NW;|ٱ=v$hEj.YN y[( I s,AuL@|@[=*;r"gEmۑce(絖6|j |pU;W !7 R-UiSN{tK+W\|Et]N R)Wk:bo^m%e<=}['!Y% оbj姜 w^Lߐ&xϾvei 4@@7;S4m>=hЮ/r:K2P;1Od833y_U;W ax7]AA!pj|$laכnGƋJY弪]cyn\lƶMKtS qO݃vA[% aLTKL:p2wfl֎vA@F?tMߝw0=]@k̈kԘ49Ӧ6nX(j L?w㶍 jk0aAyж6]E`0;v_dأCvyUhys{t؂%tiQ㢘BԸQ)ióvfmd% ̎9iibH3c@t1n;w1i`lgA@BǏ4fƦG;?R8!ny5Zr)$! 
_ɣwpc%@Bk枺~.W^W_p9/Nژ>+,Xk9[^n9IO/wu [7w@@P1@@@P˭?x     `mr6rkރj9XjA@@s@@M   Z9  &Zn{@-k@-v=c [;@@P1@@@P˭?x     `mr6rkރj9XjA@@s@@M   Z9  &Zn{@-k@-v=c [;@@P1@@@P˭?x     `mr6rkރj9XjA@@s@@M   Z9  &Zn{@-k@-v=c [;@@P1@@@P˭?x  9.i&Owz/ >U8G`Y啪݅!,EBѻ-L9\:b !1⡀Lw׏o}VYE+yGN#ã'-K]Yէ* 24gӹjS#f0㔼 6yMc& 7s|R_o(nn آ6\W{aGx|,@&0x` ؄e >rĮua~]G\1&kO:eeR~E)9: OC@4 J?,=s5qPۗLa8BΊI3tFe " A8P4rb i@Ig*?jgI?OvsqqHI[+e?H$葲ՔSNq i53fA~k{kN55*߮Ǣc;%I5U7@oM G -x#gS nI|o{)M5jie.7BvPtd6)WY{ЩAv[n^.<₢S~<lc_ZTc{Ɋqg++N]1glˡF~B|!Ee-we^?t wIR׬fgOWzd "ъo~Ex# U4 DѠԢwRԗڗzIrnǎtNADTqEA)jyґP $$YgpW{es[H)g:a@4dMdk5]z rdM]BVGJ(Ug Ox䘄N;ީL!sw:+n⭉; Rk*bbGϚT5f^A),[THY;x :/y|VTzK-델LU }k}g)=X%i)Ы=yiJٻ'fgƩgjG jN HLH|.>0t ]u7}bK۶)6.=}['!Y(iG4gR&[[әʸ h{Q.AJW弨#ʪDҞ##w?_KtCss&sWU9 GW;i E=?J]ͣ& J-a*bb/[Qٌ$q! *":q݅{^ڪLGeYc UMoz~%(,Oyͩqfl/^)`RniЌsS}SM)ԨDfnc93;wrOaekX6}*fcV&CЭt/Qb0bG}UbGrLT1;Yq34>H4tHQU΋:H!Yj_l~AE^NO9 o 6M¥i"LxՔ#S|UZ)摻% X^wR;QELzj&vzM+/֊]Ȃ 4z]+ pQY1Ck9}f/*xo];sҴo, ^KԪiQ㢌3)}άa$.n3aAyQYKZc{i7,|. QFEۙu;0qCL4s}'Ke򍆠B7)!ȝNUIKC 9 CEe "֮͠~"ǍQ%Jh\弨#ʪD١vݶ8u4>;)g7aXt3J+!t g#EyUYv#tH)u5܍. Ja*bbV5Fk_AÇk:ҡ YP!fYaN܍6.[|6C''YjGT_LͿR]J>RgĨ8CTKU &L'g }ʹPwaV;l3ԅtcI!q&@}3]}D991㟰tr|7N]Q= gG5xtG[-M%}LZ徇34k fIOG? 
,>̦@ts۲5nC@@@+^i+0ʇ悉NPq ݭ,M&nv8kOg@@@ xn,~˫:-XLtYQA*K{I[Wn]ff"=3$(=8h0Sb虳2Mt)S_lIB@̧Nzn̒JuQZ- t業\д]b;II04w!.R.# 'FLG;ߩ~hkv&P ;2Y쮊Yp<ܖNof;?9`FM5}cNJ<\=]I6b]fE,%w7[W~]2fN7f{N,{H)jJ3C)a Hsї-Mr:tJg>YsFTVKC;#Bs-kdcQ]T0QYi]~^Id㎎}ɴoºh?>GLݥ1.$H6&ͨ&9y%u;7uUp-՝tl,drY .2[Wt]w6u1 sO]E)%2eJ3ChP tn4ݝ!/dծCDjPqG1N9J`ݥQHHTK8(GD;y5V;qi^j4FQM0oFM5='#ݗ`Wލw .\ .2[Wt]5n̬tÚ{N=vY@@rU$R";43>5i.4j |tw:tfːVMC\h:+)vF!#R/W(r}rZإWsA.7袚.lKnv36cK:_cƃ{vU U ޺ tBҐci}h*RJLjr3"ݟ[&3HgjKH5.wVP,u<4YF`֤QH(ye1ޚsʴ)dg)[MM~(u[5x/I2ī*O\n.dG9mɴYi62*w,H_Z12r*@8X4L_nus@cWu=km{ߴ؛7¶]zvOHd08 ZA¯ciN5޳ }!@<q   e^ ]'?29l7 C փj<(.xиLU{Xvۤ[&OᴣS#zO#ly˖Ǟgz)/uĞשcPn/(;'{5.x$|7 2RG,1>J@MA5]#fq]q-X5'=HINt\Q xi~=> ;|ެ1kvT (bD$p.tE<_s~\`CYq^53@G-z?sը/)@o3 >jPb7hтzCsT GGԲ׹A2{ ;3E}ɈtvMָ8m܍w)O3HISR R'ݬ3<sieL#̂|zp_Ψ<iS@3_oJK4,RIa:$3oX|._}Ԉ#ͼN0L( lr[{.5l(+kffZl=ˆT1ȁ~a(QT5 vFT>'# Iy|V^Rz#M}j13(~fXz2ݸٳ '%=ݬ5J1V>pYwIP9#\nW3oJ*fY5 Q]tt(ܖ]`ur@.}/⃚\{Wjt\ e]xԞO'v=kw=y cdf`4P4F6â>F$44iΊ;s5ҭy/QwrO%B*\ 5ta +怞j7nacpL!]5u@Tʠ. dZ3LN*gs S Pj*o]]:Mqu* }rM{O@yo Zp03eɍc Dg Kҧ=M.|RaРNM򱡏o ]eYcFSn~tXiPPve35])"~fXd~7njWf/{`8iPA@ 4h_/c2|3&'vUH=罤BLiarQP5OEY5fE:UFx/QNEcY嘪 Cevr&75 [Cf]ʬ]wh|ӏ[4fvV ZXcKœm\877*- jqp$1EjgKJNw5<|8%>{04ݬxj/pi8&GW\59Ɉ;7rF9%dJBGB#<GeQxOeT@L W}s9   UTiFh%MBBɂ  D\; K-<rOC^ퟙ]Ya{3h_v(ߐXޮ@H~|cZd,ՌCpktZrT j]'>,ybgK7~RT>8Ei/?;ݘV:# V?Z@@@} hQ.-~UFh{m_ٕK˷ݽ˖ŭ; v$v7nL+͌4X8On@KJwU2r=O͢mإ xrr_HM#YnLB>A@@#<]65qŻtx*Qed_AQoSΔiCb. 
}l/^*S= mLA;kVٚ^sξL mBrT戴 r^s \>m挱c"BךU7tcZ#8o|-n@ CG9%ronH,8kvڇ;,̱Iؑ#sڔ;|s1t5x~r/9   \޿ с@-MZƇ6j+j@@z!5A@@ t0>G=~   =M3A@@=Coi=  @-wz@O@- `|pj{@@z++s1ơ;c5:^SUwIծDE M$`ZN| ~j9ވs;g}?Sd@5vz^ڨW3h^L!Z~{{24SR#RO5桧F u-    a{]n Ő>9vFYY)W./16rƌ֛ o쏚PޜaPag陫]5#ImYfnJߝbb_Hgl_0iJ?ŵ93+j|$=H`aX&^̻wۖ+2ybrͤCg-S-R'm6):< tbvY>SA%$o'[ ryS׬fgOWL@/k:u"n˕wh>ҦP3[5g|dE¸ޮtS$z.vdrů|⸽μ)y/6]|h)=._L|,3Cp.YT "eꝣ^W੓&.s{sbmZQ[JtpIX=\핽]0-@jzٓ{R޹5myZp ';}@qذFxqw3RϹM.LN!ء;+ʸ/Pvi ,se/92۞,노q_+TB-t5BQę`&@fG!ʓK+4?gϘ C/oJ¤w4؞}yB~"uؑ#h_7<9Vrg˝R76y.;'|hlwW9#/,+K\긤x/&44^Sif52WSkhl^qe0hy&FEҪcCOo1ʂF;C fdv,JX3'L)_R3(AP:'Hρ/ z~w:jd1m[I׿u[$(W*{'JuVZb# =wW9#pn\dJHоwWUCHY*zCr `p/׋_[5,k;CuaFء) gy9-5@ ]eZa6n7nm8ur}J̍ضގ>\q,77gfgLa}S%ޱnvݹ缗T)1S):F 3zj]TƬtFCz+ `֮1BǍ3AJȂ4j_l~AEmwi!@`ysl߰%?xOsYӧGͥWT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx |SU{3m!p[б(XZ2҂"* LE0yBy[D@a(PP82DJG:T ^S?Ivvr9yi'v}Z{>:{亚Jp'+14ܳD~   \ yӹrIī3))x)㗴D5FOϣZ.ȥ*nk3Lv^[\L2A   z 8 X BYh c;l$    g,Bc-ORSib ^YΗXv  !O n1ms#[6wąZ}!De,wuwe HͳlT"ѳ.4@@ZB(xYq̵Es+cйXmzV4?T.>w;5|joS6qTMܝ 0ׅP?bHM9I)rbj.[5O QjVB̋zR"jn_X>zVyQ5|j҈]ҩǘ|t-R$cRPh:ׅP?/p!{ܺ "bn lZ Q z eG2.G4X=,fPXc"j>5v+7KS`T[haC@›̗;c|_ 񑑑&SE{T~WYcǐ Xɨ}66WMR') Ei'64 GΙ}XA=(K%A?a`uׄߘ2鈴.Gy?lðD1:ZCAO_m7>fҀNtfQ'M|p۠j $4FrCA'L9K On. HU]t!Ê*<8_|\Ⱥaъ?ɫ%E+"$_=[ȿQaiKRJAJ#?d%(P\]P' n yU|ݳb#F!PWic;HGbEy߼/N.Ft67Pŭ8 ;Ꮬ6=RPjBqk k>6\vĚ7?U0f0H"gn-wf7UwX'OWbн&D7a}F:]X|x %P~37Wt;aݞߚKZՃԸ^CDR6׬'wK+ 'g?]J9ӎ+n0߼ cRB3 3=K,DGuw'or t@F/2,`Si ˙/* t @/~=hyAd2*QT:#b 73M7n `kt| jZAZ94]K`ҡ_hZ?~sJv.{ RkE(BԢr5΍Cmۥ.ך++hhlk41\_U]!F}i}{wd%WUJt=lT:]gCR)/8-.JM^#\o5 S|Ccpd6ҺzEĵ$.?c{q LT1Twe3RSPj0cl4;P]|t-|rꃄn.wZ @M{ EqG)̃zze89T֨c0;%ry޽MgΞ7ХH9}kݶLvg@׃%eicq}|?0$]S?_Pk /Zҕgҩ-4-7OЩW\l8iAU}ɉF\o'nss?èb% 7F.EF+>`7l1nC?n:j -Ԓ҈.[.47ѩ&]j] A$NјFqVTlI<({򤡔t6CU\P aqdJqҦk<;GBτOyT/ĤU7r_θwdp H$♢(Mpl5>5?_(4UF|&}(9Fo)V%B.!}ɧ ?uNlERwtm 7 B@ ;ȱxF} vz1`71~+:!FDZlw+%9jkS~iYk:<Z`@ ())-GR]{`ϡMN yvkרM^uHY5 b]TmrY"Ds2\[}E`_6Ѓ MPN*F0\Hl%AIWXVi"M jRjX!ԋĊ(>"7t%'xYE7oټYKDx5FcsADg$E[KAMV-)dm5pGGG'9 QIZW&z'_f @ob1Ŋ~Uئ'[ofN'|w̃s1qkz`x߀rPx4zsTPosn4`KvM#_X UݢU Z찵!G95RŲ 4'SqEn)w\wևMٶk%gPÕ[n+6JahDt U3_n'W>r^&e~ɺt'cp%1BkƂ "|. >\,ѭB.X+-ɷu7zk~o%b=\(obDL{#evaD  >@! @@@ 4|Ekh(@@ NTVV/]KL $Bd @ HU<#}PdZt Z:#"A!oqCA|'@sq! =z8BzK yM58WH-#֐c0>[֐#?A Rȩ/'>3ṶQ%A[em'&熂mhp$.Z)+!_W8e82VT!u6eٙ#YwUBp gKXNX1G4Yd+7qضBmd497ifM]ѹgV]kyn*>C /&㞚h* xFr )ori\ԊBe \c\.Zcj4T<467V27:h^PHCL_[(ORR:[~g9-?3DZ6D  -@2V[ ] n*%_!2K NIr VX&a/נiA ڤ/A7c: #M*L|ڐ}X ?cty 䞯LcY_|zrƀT]}Rr.*y߉.wba04uh%'ڷ?}YGWGPMߘ'gpÃ+5oFy+&=]9 ~t_v|Wج~N즧˼y{x8Wz&^(,yiɀ{ISڷ`!z5h߾GYci*&Kj6mZVҜ;nվ@ V0d^wgrC[l쳧#_!^+vܷܽwaT׏8V{fȃSuk. 
6>ؐxlҌ\yر:k׭XguM5mmq:/>\'>v| fƃ/.z*=g瞃$?9Sm7ܞ)>\N>\D)3L8~׷Sg{3ΜG)gOriqvKEIǏ'}̧9JAj ^kQv· r=Q_"ŕ?{lK?3m2-ZԩSdd?6Ϟ>fOޜ)HĎ:DÜ9_1O>\u.+z,뱳h2(3)PjfStzE+"'=CgEjؼ9r6)B@Kj |;5˽\M T'Syx!OA4W{..HNM2|ڼ bWGȩӞc}k$A&݆ȬZD3Нx {!Pr9ZBWcEF|؁ycdjޕ ] ŸL)cSkAfڙ&]f- Kw_0#kiRNߗ4Lץu_=)͛ ]o̟#8h5iU$Цc@jYY>Anh䘑 -*AJ\线y(JSM=WEo$ӗs %󊗵.fRVZM88?Off׽oqt^Ӏ(x"(=l9ә3nO*7;RuWhX35AqL^5jk(Ì4uA69fi ៛vA S8T4F1oktژi-_$I'u%sD&=IM+7j=a11teϝ}sN=;LnBW8zw }@{}bkW/^Xr;I{,¦@z;wWqO2umHP@0MJDPEw.Ļ̦_+xyMޭ1G ܱ 5ZjW|ɻjN-bl9 ra2?-u҉OL:|#/-^>&E u5O禌_b1-MM/itPk'&JgjەXzB~|,9ze!}fUN>mݹ+s=B`ֻNMP-$v{k91-ܽ3~~|UH7F`؎qեWkҌfY:mb!c'=xC Xɱ1 uw/R I] 賡$89Mߣ{%a)4~ԧ$Y:U>mcΝgoۅ8FDGGwm}~ޘZ;3T|6$AQ-fQ#"nj`#|!|8>t}XZHj:d IDATls2 A DDM&_B]٪!֐c5A pk=pA4݅MЗ.zMQMM < x/A6 ;֐cG50l9{G}x>ZƧUY=u!?YZBN]C@@@'zNNe1C);jׅ2>#@ZP[o=C* ={*FR#`@@@;(6  @!A@@ p  w   !E<wPȽm)(!5@@#B/h@H@!@0   + oQo1f%YZB3 E(j~eVxsFw-@&oCSHˊ)ɠ/@DW-@<uuuY?Q]?N;2]\?ygJ"j=UPM.!!*hFmF)=-/x7_{tH<4?Mplz@ "ФKp݉c?iP0mڰqɩis.jhvdyI}ӊv^T[D~<8xv:A ws΀+>b&S$}X$ B풬hS.kSp1+ZI LSZ9l$)?}Oť6Z.W;:go]̧6ֿTm]bt"Rr%mMon< \an$*=E)S>Al=lp}S:,ov0$ܒvBF,x+=*jGtTd{`R-K-GcI͛N|`AhSw~+Ss%OO/ZPzOnH|rqݳn)ס.ϳiՑ>SA'ޥkV? 
>8VSN?#0w9]_ tכN+75>KL`)S=Aj.L˓*Nji0НJ^V^PhyܵDߗQomZNHWtLY`OilE̊ 1<0& wǖS_XоQrMnvr+'ФY{>wy"'n~~ M}zRl.FdҳK.)סO`4,sxSAHKJ%6#}iIi:L?o3xΝ;rSsgOJ: gl֣ -hsW?IY[aW3-}js"zus|v_J֤'v0 i3g'O\vuL & jGtTd|'H=j'&+jt uWj7/ellzo}Ƃ>CQS@{P\owײ՟WKԤ>ص%A \ 8+^FlW]ZxoF@ 4 TAW胈CA"*"F׆7&@ %@WpjE}c=s@+-4  D3-TPa-dsiYц,F%;v-@zGw   Hm6xPЁC   B   -[!l |\Fr]#_@@@epfB@tQ@}~ @ݤ*p&W>(Ǥpw!a'a \<-}P.$&PK?$#sXfBܵLAYZ'-hFu4#}tb D4\ Y:Ch8GC-@DESK9S(;WtҪ謁 ~x0m Cdy3@o<T 4Qef$~iӧEفCI}4Ljiii_DMȞ]mb   zݴi6Lϭv 5yYo}kGFzTөc>{џy BکOj   R!MiϞԛ$;r=za)--c%F-˼ ܽ=0h++xH}ˋEzr"kW D̖ۙ5vx@Z w {&<5!555i4g=7-)d{;^G3_xVul>0}{½vjy/N4E*LM8u7ܵr77J{ֹ}A4٥k^ǎJ%a㦍5;guM5%S۰qt)]ѕԋ ?kkkųA, 'DM)Sf GfGm v >/%%3|׎]]{w=4!,;Uf?KR.EfѶǴ?N>IgjfZ,ѩF.ѬG.Ynsg1_}&N]ɾ]Ս3㟑;!WiAvednz\(nz1Kק HY;PtF ZÀ +9Y2z֔K,f ٰC?AF0݂ * 4D(V˕ 1KQv)Y4@QD݀`3 Wxl\1FK'[ҽ%l8tUu`^⎯p ?Gd@h}ydzyZϤɨ f@u&:}t\SFCDHo57PfFK[j N::Ko5NKmR-Fz ,-xǝ 2fKU\@ KUsΟ^wA@ F|jyr~dLʛv!@Z^r x`r~??Ug|7[+2@ [c:;@XyBXFR-@ +f[Y7z%i6 e$} 3e?ZYݖ?N#ZA\ =H X\}EqT-}4βel\ <Ф3t_:Mjѿ4oh];[[=IMɘI䮜ݨHz\(uKG~kʯk{Wfp%6Op*:_io-]=7=-N-+V-Zx+K巛Fڕi’iI}w$my]5!o.]f̴|EZ_G=㣗/Fz$'{%n]9=H0c@|ΑNg!lƳ_h@+&=Oh`z+%BJ+Yq䰉/dLIŵ7vK9ӊhKOFL|4ZusEVmQ-)dbCJ~I0}d1,俤 r?h9O’@FD4Z.o7\W}R\L>uѬoo=?a\J*Ծӊ %ΟS4}W|$3T,=Ѕ_  F[j*vZ`r*Ntj7kTȳ'c/ =?:8iRT[Ƥz|-1 RC=z0tm~Wb yC : <,. ҺWk_בֿ6<7+zF=)PI2h$~[[{Њ=}ċ@> *y߾Ǖ!ߨַWAI (  @ @`d+-/ۮ{?>.][gj|[3P#g*1[z@qh(Op_ΘˉCӞ#&N^Z'"dݪ\vܢoS/͖˦&(*H72)ON [v@K$P^^v_"c\uimQ7qG{DVE $*H@O' aF X0;PCg,I(V!^i  'yB(:"膑D3E  ' 6Hmz$h#hBegZ.N:yғ}ʫ.   MIs|)k޾^\⊗W\ty@   (mZ?n ֞9Sr<~\W7[n=}6tyG~t&HVn<   @ZWfO óUSv4~lϟ=N8s׏? { V^9I?Ԧ3;BM]%-wC4۞\ZrWxaNH幊óͤOg NUsn9r&͛I(̟;9|fK _,Βoϳ宜ݨHz$SG? G4x"j9 mQC3-SX?~ş)9c^fy]SO_K_Ix)O?9C UhEu}|風iz4$E/Ι3oN < KS3O%/WO8iu q'NHU+V~ c+ hKmIw6/].ry:O];vdt]b͝~F+f= 9z2l0f@@%+ƲpR_L@uG%ޕt-S{_7^Pqy2B\\wc$beUbrSY)*s-Y)?җy[   -oem7Iyk^Bk뗾F{\%(7&'cES_wI8;ԝN o?l @і)@9fF.jXmf!6ѳZt QۗfʣE I:$c@@Z.|"`mm-x:@+'fn|໕H@@h3ւC   pWT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx \UO鳋 +(BCKTS5C#oJ ןQZkM oK.e= 3 3gy9y}338x@H $+-iH $@č+S#$@H G&8 $@H`Ć@H $FlBh@H $܄re\VѥGp R @H G&Pi;gnŃraV/AԌ@H {ؠw 5N٣s1vFlRDH $f $@$-i.$@H ؃@ը^{ S(rKU\N[J7[J-+5V)H $pD)+r~LhJJKɽQlE,d}>1ⵙM@H $,g3d_iYdqeo>F+邒K>Ԗ$@H 8MLmuYq1Ld Tbf $pX脲 ]:|d%COsUi5؈ɌR99㧼٦uܭݕsA rͦE|t4D5HY4ѠE@Haf#Xv kްu'FL,L)dgM4S!fCH ^^'OwO 5 5PfM}Z%G:]̵~1p@Ηb8f :h WTVzcqoSTu`'VaAa~Ǧ͛[Z>\| Ыl)oefi?~8׷Y>E;32"dSbdv$d_rn,jӗw*X$\M]NKO@O9{+CzӧSm˶1cඃ:# נo!iֈY+nܼ#|D^'H;[ jպKs/TSy]A|:vl5n}2߿Q"^#Ȕh66ꁿQ_, B=, lww&6TjR}իNG 4XLG4;Y츔}vmk~̊k,+.8m󡝻, H < $#+4mo~殍;Nq仾5fĪmO[A֩eC;V]jл tkڈoT8!釽ɟAu~6_n˶-*/d^I*[ q[S8-If%6n˶̬`swDkDQ ҈ 1C#DkFl'f\<ˌ X;ÁnϜfbfA~HߝvVA[~UnZA7ߝ 7z!ƭcU ܍9h3 >蟣{`Y-]~Nήh1K7_0 '`|F޳[8ʇk׊|0'@L~{swj6eU*^ڞ]vϹ^DK)EB_)]J`HOnvc 8/'ppj좾QyBAZ4˙a'S-T+z]tΜЮ-x?STMZp6ϔqCCkz,:Bp| z|y@* *3\*r?Gn %\XRF`N? q > 9%e ڴn|+gf\qU4\kӮMUYMYU}E@3Y83k:Քswu"[fB)Ic`k`TTA-sd 鰗f3?ڵ|3|C%Ãw ϝgjCɯc( $0'1۝#!%oSA IШ)GK'Z+]}ǯ aij/u}nՏz#~Au>H4' ,~ @Ao&OBoEl’L ؏hStt0Zjs  VWpp'5J.^š  3] V 28b˥`ݧT3Ii3#,URjLHZBfղXe(ί*TܨY3! 
_6-FMyНV>8oWд̎  ~a0z6ñ |hPan3o+tnCMW{pU~C3-&f^݅iж+yۘ* v3&p9#uBRC\X^JTJmu{D4}i6'%Ak+GRB9$n.u8_|_ܬVJ#^CGEoZwxC/ЂjM*W W 7A6 wLwX"4|`w F~H>g|O'~]i0d[0 BUsIJoԵrh SNLNq1;TY,F,2wҹ,(TufB-^TW jUUª\{uٸTJy!`nZT:;ϟ=iF0m-i1 D$\<6:fm-SLED{ܔ EHe((j}Ao߫ _Em}+EyXSU8<^n"S&еIuD_C2ZR+֟q5bͳ8n?!+IGEFB-zqw~2TkOZ1N_cjr|cs [7=w?^wL.TR+rOZT\bMfUk>QafU`>'? nێ] JhF!zIYG'Z^&ʄ`>dJ vzUwz|skP&;?\2T?JC$ ~xx^;f G>NdImo1N6s/HSUap0]/4D]XEv*O&aR%A| {Fa=q[b߱΀e#FES4(/N5HyGO)S~Mf \7lVoZյ(h_1G޽tB^@ʐAXטWyo| 56B!s 1ޘ4|.Fmk7n<Oـ׮[ + ͨ=1OAhUYX\{D$٠W².GG_{(+ . 7wCDgV.FOyhېC3,3 H <"6dd^1pi3# kaP8#64t,My`.zJu{ FR]|OצMtn[ yːCX6+1_9׆vU> X͜{w 7o1zȩ0;P2ќf2h|V]cnjجGZ<ٽsw-&)'l6Ѐl\ٶ$s}VkiVO rV~N0G[k[mtE5ãag {Lj $-#6Pq \ݤ&Q[8LpWFLѓjw @6$` ,۸"쫤1akPV}7xtٵR^Mu 8n䨑J+8GmEe "V/˟[7]5^־R+ʵ\{ ʻʱ?D &$^siȿ?)blKJ/9zh,IEl<6X k >zz :5܊ +.j* lvsc{Iɛt: ~.qбTEe$q̛;sR<>*!OC})Oa+P%< xyy4]y7?zgTBfJa "MG&`힆+:b[08EfGhjk'YeFשCPBJShڴ׊1\:`ʩktMCkc[Qn}W,]ßtD*į]~G~^k2aNIH/YvrdXԑ"7]OHOswsOXWMPbΘ4ߚslΎ\r2KhO^ fB^;4U`J;7i6X=sۯןFO:oLnN#G k1m}"\H^ jMvug/dc?Y3R  㫴Yo>pLXlS(:DλoF6v1$4xVhq3>ifK.ܫG/ůWC?}/hC4]XR&dv <}a e/PL}ui݂ÆMFSea]IEEڤ(/z',XCR2~i3uP>a ☟&v);:) .]`c":M!uAD(ѾsgY;;BOO\@p]Zͺi)>0cAxl&B,=$,Jznf!a/d 6Y6b%YkW.V i}tkQTXD~-hzC7$4q#_HW9J~ܾCx.](J,d\h޼̟ӷW_8n=t-J0,GswƍqF~`Ay3}/uT8G³ChPZaAl]CRO9~8;6b3ᷓc*b7YjSa޽=1!).uWWH^c K \cᯅc{9ZG|T,!zRU*0uu|6ak.X^iK~&x[6W)U,(X6&h7G<JAJ>!0v²%ˊ7?/тEz{\pS ;654%ߦIO|"OgUv+++nrY4X6)=R+hfR}Eo] re%)ߥ 2Ǽd?Lmg/PU!uT#慨_XHʢgdvSkQ 16>yEkdу];wea kǎGS!>MH>N M&RfXAlԲE8}M7L95 ѫ)w ]k7'.y9yϥ{)=RU9\GscGD.X_絛cޠ yTYl`6R^61G7;~k6 #_8ءL50NRV|[׬[堧[n[BJȳ!Twe؈5[WiKk7m]qm+++: 2yUbCbiHѳq?v_Rvj6#ʼw敪J-Ⱉas׾]`+9尴aKI;Vk29#V?qkQmQA+\HeqQQ=BH $U;G& wIL {4bwRnbesXG7VtXìsǾ$"6CzK:̈́륍mu.:ba9.sqXxAK:U5{5u؝l[յu53\0ylg@H $`_ٗ/jGH $@ *\9<JN9~ zi#'f[Įx簎8a.$'#f<6Ԯd_Is`9 lMM.'f[ݎx簎8a.$' 4 avxe @H $8ZdTT<6 d"cV_@^^7 jqRNj|7]_aqX09rr,tfi $@H6c3J̃@u2+ե8݈g^&E|57j nO>XؔgPiޤ Rf*!{4d 4hNL{f1rGcKKشy85w\3,H 81u܉[cU.; ƉΕ9r/)>eSe˃F;;f-k#_Z x.͛ݚ§L}2mF}񾔗hteo7 N,>.AylTΤOJ;DO}3%00|% 
"ܟryCDNC:M4!.EEEEE@ޠVh%2kEb8s<HV!97+~nJJ9NSJH%=N<~Am\&ONy*qЋ)SDʛ?,n8\ΕAɃC+Л4wDe˜FAQqe[9lێ%~uĭҾ?wB*]8wؑ!yc9P@.J 5w/)+1NaJr4 mCm*o{t5\;?;+,!x6{YRU)WƕBhU ?RRmV0\l9hBAryӡ17]}Ib29_,ydM[C{uYeczjN6E.9߃>ثd+|5\MVWLrPW|r|\_?"+Q{o97\S:pe xO/B]vW+ǟ~sjN} '#G',,y[M'yJ.;\΁~HZWy2U9|AAIljisl8owRn6EVRvCG!|]wس f

mOwX(vȽtʉåɥiɹeK<0!j̟;e]Bo,?mw(KW e`ˈIiaכvԐWeѓ=^]Z2:Sw޾ 3;Yc_G<պEY҅5>LIClM@  Vj7W߼ѵD9|/hȇo}bv6ьt}jpBi3E%NU<=bfm _e\%W9DŪ ֦%\gz$K3a*^_k))+FlUT=9Ϗ?_oũ d2!b5Ն>4 35j*+&,_<ť>o5[I9ԕi93+/"g wv0i|ls>F1AhmI!z ]RZ(+ `SɖElֱcl<4z^&V Ǜ|pS."W],?g\xsg341eWsso~X',*0H[YgɕWN?wI &dddHnF`6+–D7.M4dƾ̎,3'~m|h֍Q `@lHY߭Ǝ[y޹z6la)>Ӣ-xE{wɸrRATݰnCS'NV| nğhf3ɴsp)/h(ZDTJ`^B7RiJNw ,!weЧߐ DqqvcSmx1q ~lvWϺe+Dgo=,*0Ϡģ2RVؼp{4 MN!UNu' eb蛎sԍzRgE'"4]@(&͌$ ]z?&ԣ&5^ږmaaaw1xv'/Q;״Ȯz$[ P(4iBe&nDnױR>A-h& z`n)Kl8'=q {y d ~9NMƓSxV*{AOV ߫WH9gްQYs<[lc:I !-ۄ'gyNUhEť!tf5Ф]ywJ)m^)䡛6D H^^+@b1RǏΝɯoF*ޜ;:wpg):*Z7Q ߑ_K ,nWSKG`B'] P1a`[yiҲ M?p~U9'l7sڼ*Z) Ry?'st?<¾a|ٙ\ fPV.0|TmIaj: ^|Nal1>BPLa8RFQ=:9a*tcvN !p)INJ>Rp?nXȹt W.TU`7"6 Zz$\5jl#lڲX75(i˦ QD}K>".!nά9#8\685vjщk?ĒPv6=[ O"u[gOVz?e} f:U zt)8ӫ͓VwP#0 rDwx*z P݅?="7P9?ofwq|VBL`5&?KK(;>CT3?2lܾWPt>5ܱcتȠ!6cӮU(Nꌶ褰d=̌kFEv_QrM<xiѹ ?mH{p#%$oYA_ hz6C4]%xͤ&99J.t~yLVhѼE~ZL=, $džO7%'Ia^ 8Vx"D#'\Oz m2́.;u7W4$MtR')+H`x_xM̻:U7oKՁMg;5sd{YH+x/#0< V=D: ܑb2l?JȽ{++3H?\NUۯwaY9$hH-nßM\*%>NL`S+i 6CxNMCa]QQo"WRGO7mI!uHMD3Dec3y]ORhpn(?p<^y^I}RfdL+DIFGh2`YtM_n ~.e镕0 ΛpK7F xT>\h6c\СRR[x]vtvΎ泵sfvR.{Ş%sΏiigfg_S+T*m(&jVENRlzM ?\tI'/T?^S5rJs -h[aYfV:CUg]F./ګքQ: rF0и_sd0J kbFr o=hd, wV\2yk򼹺kky1q{Hb̊EqiYSe1Q]&$ <=͋_x&_3Q*lj2(}yxiWOmVG}l~՜oHR'JZmX]m>„ӻ܆m:O5m\-[y-[u_/~ɕ(aBۓ%_76~??!؅9d8rH&Ӎ 8)v+p~Ns3Ѵ0qmuR; 96) gyh/ $O*w{ܹv!J;iŤ#VYf]5Ve`6š|<ɹ^0!{@+5A?eX›={d! >'}"z6\㟾M ӛ \ed_wwDJj?@Dm<pp<V=[zx% <>ܰx&۷1\ZS*=}FU,C\Bܜ !Ԇ~~qk讫7gDY)ħh#zv3Q`יcJOrW!lD؆ Ą4(h&) flH $"6&)UtVb FiQW33izͫV=d_1a+V **fS.4St;;'OV)f('a6M(1 ffeq@H $`&k=mƟfVYXaщr(`nBV)Tt!ɆGiPP(m{s;wܸ{3ͼ3cz[e5Tj6{DH $iElf&EH $=<&|%ky(B~t&H $El./)}R0 $@uIٟfЩIn$4kDj! 5µ];ӈ J0 $ CB v xiande\¢q>6 f|@jS& ۛ:x mٺ%88%#t(( qח9}tҖ$OֲuKjkcǎ9١=CY}7S χS)j>]j`UK۳8\cw4 Ah%KFZL9%`6 {m @H Ԓ`AGTNF+[cv4<6mk# Z #a;3[WT@㥡/==v뎀t >X_w5PTgp]E=+J:Oڸa>|74 Jⅾ/@Ȩz0 $%+TE]m>j0?=}W0 M? 
ڨ5i&+"6 GN႓bwR>$\_aqX?#\IμG 3C4F $7"6gWԘ&mDMKIPFH $X90 3H $cxu6@@H $`eW4 ܋@H $`YzU*$@H  Xtf]j@H $l@@΃؜yl6* 18)v'5sm];ua 3pw&9yl<6pG%H $,3#$a9 $#D^Q*.X*S+Uʔ)YwJJ^6\T(?O?DNu୚twh@u@ a݆ϯ꫊MdC jϯaSݜx9s0T;^ͽ+!>!B;#:$:}le!= z# oPj8EZj-6lVJ܈;+fVol)HMK9T]Z lLix)/$UbN$h,b3}IFHPq&4w/)+1wk7Q9 ICK(P Z?~y ?;tsV#:"`٨h֑յf}}֚Pl鰇L#欥eWq9%JFXJ*Jji,CƖGMR*ED/jϤ 5:&h/F)/:z(֣mם_  lC>ul| X̽ǟ#u>bc:'žoXVD \0bS srXN6~[C*K9&{rX˹Afԛ½ ^KՆkq_Jµ윖6-%}:&9BC uC5Jx#d~`%mOzWÇ dya.r5KALLP!V X& j4P,Ao\}G=&Ln': pZ];=pCIgڷlӒAS4]Y[zb\3!xAt 풴0(ѕ{H Z"B7gJ~XvQƞsgͽz*Ę@O*МW<=/^Bw0flDE.fuYArӈ7>wXXԡ D8&--5+fn㖥Xx:=R&Ac!lMmB5ض|8%j 2i B{?Q? bf|6>zF*pbrv HEBn5ge{|afJg3ΞL;w>K`EGL>uzk۴_4OXpN|1|'CQ.}djZRBO8+j*mM41Chv?m2\[i([ZZJem lS5ad EHe\@L I3xr_xJe7=Ɋ{36j4CgCTT:/jDŁay@ɶmPuvv6KK?nTͥSrՂ]vy+ OfO:y7:q̣3EWߴyӄm(0oμyM'Β^HB&.ԢE8Q ť!㬥G1mI}w 3Y6]:FmqAi mg6? 6mV\T /I[6d wffK3kbQ0b7m95;:$ʺْǖ|t8eA@@nah~90p y'-,|hBNw ~p0R}ЯV\_,0~mfeK, ʢWg &L̢$#Ԇe#cc/*Cѐ$ oJN\1.8h "wOX%5 bbCO(K;9]A^ ́e]vFR/*ѶkO T:쭖.T&99J.\F~;zhu ?~w0qJdΈ3rOOi$k\9Jxc8}fSzlK.TK;LjWFdЩi.^O5p]2p&]Q΢j_Tȏ E4(.;`u,؜}[=z1X wY0;fΙ=KhG<س$wn15--ky xF<AXҒtGl2!օ.MC* FKWVV¤(k[-H`p_\7yMٻ=i7L^(Ewp_՝,5nrC붭n)O})ŕ"ub77nߨ$=娡K/.Re~Ws*vaVycB.-q+/'c3H)opM==Jv"n*,,vp 6'w ƕ72-.{zi-ֺTiEALtU:ڊ@H $,>6n~ $p ElF"$@.F{vn5"$@H XL@΃uYL ۩I;V7k29#kg `6ɉc FT@H q},Bҝ;^Fyi'!{!mE9@*e唬YeDS G]HsQ=]ylw@ENOK+~:=qӧ/?>b؏Vx6+] 0rvT,ӑ4|8gbInHq-Oա[Ky Ray kD?4WWi$ù?s[?AN< 8U<؝t)iݾh},bq[m\Kb6ݝ+GϊLJN1fЩƿID+#/ԃD'tL@+}E?\&p6i8KU#?<%u9و>~;:q; ]_'{y{O6S~6g̪=:V#qH8NoL] ARG 5dO і͛r\:u9Rwmmm=aؒ#ɠk-va,t6+ߩ6-2b|]iLVX|W~2"1X ~ZWȟ sPe"fWu6k@ܽHo**+ 'Kf]+4)dr^aM"!D]YNH9G4v̲`ޗ*osPmGA`@7.H5t8Q[X X9`[n-G0TCW5 =SN2nu{EՔXw?dPJ=eia <2O3K@zaGoy"@m.){t]DXAMVP)̓о]{XAh IDAT30{y'H]?\8=mQ U;2O.S|ܗZ畳r5?M{#}r1"(jKYjuwZ:*TVbŎ vkut#W+.uwZ\T$/p$7!a xss{>g}r=)S mYdP0]1YaHfXM}1b5 x+Ip{6OI0 C.7N6)9rd}MXf#LWibli2G  l] $HD=<餖`VC@ws62{`@l@koD|[Ο1qG? 
$ݒsOcpۅ^{uƶjh]x3q6bUx MUp#jǏ*pCa[x Y+q(mxr||E_~ɻˡjcXZQұڟ_ p-]իkr{U*._Y1OEDjB^r3vOۜہömGeKYQ<'DpCM ̊ S͆b!ޮNfJ:MģL$N$V#MU˃F4g7*@ k2FOUpQO$H ;Rj_ ڣPmBy표:eCk?`M,IVX΄'oT; r kNH S=͓ml^z9ocT+YR_ GȂ^d8YY66X{m c߉e֕Oji*qy㙨ŋ⯨dW4Oq#&Lbg-[`kzg!*3B>D$cajP% L1b.aS!8#7$`taMVZHo%! ~.f/UeE=QFdfFgi6<#/>. X=sÔ >2>wIt5ȺݹwL6;EqJX5nTՁtsCu`48#W΢d7b9)gk Jzu\RtKSt|18}v9‡'P{$.ޘm$SqPr-z N緎Nz:jNc'о3Y_Mt*#wǤ؍?LwS'l)`bъ#Gt~F# ˜OG Xb uBذ-|c!Z-2As) ċ)_G4-|s!V/ni.x=y/ RJ{Gv\7][db|N?G'"4ALݭ,,JMŠD b⡚BzVWHb$Y>qtP5߾HP!CYvob ظdf&/]a?8WIe>v" QOTDC"oV~3/zJP[!,/$2Yb4- y.P]HpNa}jp~nɂm# Fg21J|y&VNN޸%q$a$,ȐHI_Y88GX"9B2rbS! &TzzӌхEWljh5 -q iB5jsBͺ8` [G}VȣɩVMNλ??ofįljǎ^ZӋ 2}2;aJS(~hLvl,duWLii k37ji+ÁLy;6.u>+S;?YSbZ {07 9plo^H/ Ʌ_%uwQTNpjO 3&.]ܯLR~$KEu`6GB3c:F0rF[BLe%Z٩D ԍx18EB~TD-[MN-Vh?F]^gzcDTt q6}Wk.5b=tǎneYGWh6Iacs;c Vn=;Ϗõ\ _r9nyK. J+?{״[L3nկ>#=E56ןɴWDLPPi="h|Fd1sr8Ig؏6nZUo8)[AS_zA~j6(IY8;і#9Bm:>+=ڔ- izs.wHrWm/M ?qcX.6l04PJύ{.g?>?%'xf|iR@v0h l˂J&^sp"`\YIQ†gG<|p\FN>Նѻ,=]hɴ/ {BբHxXzt1H":ll#I!Px,Sqyx-O0z=]m\#}.Cc ej+Ư՚S㜡irq.poA볱ꔊ#! ! ! ! ! !*pOck5{E[e]JhI6rIHHHHHx2|6zrQ%$$$$$$$Z${;jZdU@vZ(-T:Wq.o)csG"^yl͊Jw)       h`KM1qQaV6xRFGfY|M i'M+iYwFb)g4c+T'ilױSD8M]~{+UT\qlނ zv2oYLJ,]j"y N]+ 廄z4ƩY|b&&`S7OAKVxA C}S׎Y;B^J5!V:fgwQ;d/Lgr2L[ yG F/[o>eg)$OrZz-u"&Rn!.sM % ˈ%,iL ,lfghkhDZȖSIW`F502۟7Wf)+@JHh=cml{(57UrB!yP;wq~f-L( Bu5RRXj.)B7՘i8h:<ӉĢ[H7RXF,15MR.uGBČ>eԋD-V#:ZF Z;"̸[:?21nRKhcmllf9ugѣ0 @RD2܊2VyQ2o]{YgFXb`9OvOp_*f,;1@ N|k\F搝Y  ?v&S.5a3׭]78bp =4f^̅s4 e{ dSaOB&fJ*C/ i{6OIuל;9sRILϑCG s[Yp%:8JFwIel^r".d! v'$,ѕ?u#Ln[vL Q0W4? ŅW7meYvBm@Lgh7lf7 ϝ?7c⤏6~$Ygʎ nod&sTYoQZH9^.ckWMVw9(msbxҭ% }:4RpX0+!o9FmEJ~ؘxzvel;Lw˖. 7,{ǪzUIo& JR>O.,{:Y+~:8oVlCz !R12ið/+3Y9H)||eyF*Gqa_^>By@; #9uԃᝧoX_:(UyKp}¨w!uh ߭JC}-ڀ##f ڞ}WE((66J&̍x"- $J7(X|Z>TI`e=F:lJ`#XF&nH4/e8yry^jiC{&W8z $_gՐ}ع?. 
XiE+>~) =c!;|d0Q9I[ޝ{dʿ[]mA,:#aUDu`9yMfF&h/MXFNYnGuJzW.])[z:SO>Pt/i#I* O8 H.]1i#M!qS wDpQcGe^Djbʷx>[{"52 6r7;r'N.<eNrǶchy)1(kVGvGɐ IDAT_A<۵s60*~Cɩ+B':Ӽ6/,IWM>6'm?1ZlZjqT61ekr< ls_ȁe{`I/ Ʌ_eڦuwQ[uAC `M,+_By!YYNҁUOSWҌ<0aVÒ5waVɰvMuT|jý}Z̹RBݝs'Cɋm{v~䩓G=Q]ݞz࿸ЏCt%N|R(׶0h7W|^k,)&픤C7f=j(*ۡhxsm߾Me+8{.[ -ݭ/ڏ\?؅sWIq Vp.4Gp5?™*x>>J [-5o07.Xfr펾r.wAN8ˉq 2׽/b0ƽ8.rzRu,m9iܰi7z:S >UpPQ$cߌ]~ɢ%$'m̼S"|h?tGD"[KЗ20h(va[#(0Y']UآhFv^ul~)Sxᅍrn(3i %Vy-BrU1+mwzP8i֬Z{n<`ҵKUJ5vԹ;R&ӡI` Kt,˩wus;u>{av+իlH+e,3>?l&.uDW,gYDϧ_--7=磷pɆFS5CrxT,ݰ "[l=ˏ(tKN +@m[iu!O3 rHZ؇ ebn^:EqquMw̸O\{b,Uڶ0n};=c:̅5v8Xl&MD:~ʝc%3_)6 &^IO'q*Æq|A.e^ڜ&TuGp@nGdpÇG֭hvk`"9z52,@Uݶ 3kytŏgRZƽ2kEX Eڑ ɴn$&L ɹau5֬^SMz Oޞ F,XG=/ny!LԸD֬|?򸘎0 _:#Ǐk"vKSfFagFԬ5( b)| ׿Gώ^l)b²Sl>p1-8Z[b%N|.]5eAs˽(|go߮DB:"ROJ@ذk&66എTC'[>&">}Q҆ B5ׯE['huc0>&?&-۷tΣXsq&W~fɯiw.Ι41f굫_{}F6{kmȯ?i"9oZEкPj4N>>U9ZkǹHN]Mf8 GuܨZޟ;o[;ݭ_fQWԠ]&6A{k+X)p'L8>Ov "FLl-q-Xu9a=C>)]Ӄ#LڽNucZoL7n,&i(%\LS=] vrKmKrQ砷\]t[u 9f$B'.ˀG@cE)=`J 4aDҼD  9(Ys"/BrلG+DV|QrY$\l#֥aQ ! $g3FcMc 0 DRѡNƓz, M30D2kk#?1g yߨSyqu)]ɍWoŅtAODfas+ r.~'rÐ#Xk{F\ Ydd&Gh.8b}$+]Kqxq gVfĹH6 o;bh͂4cta"QJPQEXј_14]YnBwF~G̴,H99kpibk(t5o`P3^39\f_1ݽUeYNM|}^tXVf<3AGs tk׭!!i[6U 0PVFnG^u@8#lV'YimR^UԈSmΖ6ȦF,dSO <:3tf?23+UXiXJ5 "Q'y4y@^xs/FnEhT%랡֕b20\3s`~n/X;~bz qP;˷'3Lݙj+y")E5 .n{܇'%5E[Ԗmn)Hܴ->v[M0MSד?7[ԠTbZԘM_"5؜Z7vfАA81h 06^$ͬO9}xAcۻ+dx)#ADf}n7Q<4VIh<`B :wE9īm'zL fJj̜-mXztm#q`e*ml.8_"&!y]ך >V_Hu{+p5{I]MK=,-r$i%$$$$$$=66HHHHHHH4il]QWB@B@B@B@B@B@Bptr`s)TB@B@B@B@B@B@B@Bm,fvԺW%6jRq jP\yt[ za籹7+*ckܥD$$$$$$$Bmln-1KHHH8B?2mVeb.m:!_[VjBSlzBncGqGwG:DžʔX$$<~qj_yV ԟ9X9L~fڠSkMAbpԵIDZ7?7⭸Eٜ믂^iS<;%[f >OOx8BLxBj]ּEţgG^yŐrA u9N_-k<P F/}4dirq,J8anA^Rs965u z1ň/;(LjB[_GFoKn=Zi:Lwо<~yܔ)u%6  W)qaAb)'e.<ȵ[ ؠ>LWئJYb$f3,m BCBc p"e/0qJ'z2B1mM@vf,tT-?4$pQI듰腆6#wcMJ+5AڔSc;T)erb:V X}s'=&a_Y#5zk7MbM&Gۆ 62 ϏZbmeJّ m,zntmRx  ʤ̿AwH0,РƖ5Ǫb=IBŮ2ɓ/%dsUG )4:%ċ]cw&ωs Ѐ)Oˠ?)mT|8KƯ}޾^l|fnoG|{U@3oSf&0r668V |.Mg-,^ Z!6dy} =hݑ؞ rCI?2S!#0Cl"afc|0^^tҫWVJb!+W,u +yo ۳F]F4ju͋ȠE1WNGR&+W|ufbR"e)PEE/Q᎚ecKK팰c4fiǼL֭OZ޼ΗoGBsVn%^o[MZ6oM Ʀߘ7%z7uG #C 
SSb[>-v0Z򨑣r/^H:m0Z_%pOcX)@YǪJ2,+۬1b.aSgJ ٗOcکcIIqJH Wקpҏ#/:MgP!YY~]tGD,iX5+ӉyN  [Q( %ሽ#HsD;Y.ǭv21]#{ȓF},% [UՁH_Y@Hr,`h 9=yZPkw]lgJ*pE ay7"3d6!8-hy.P]Hp}>4OFFjϴt/O΍9Ѻ93uӧhDhzjtte1;b$FT RAa*噍%ư>=]DuiAG&`-zn铧sAڌGTDVh>pnվJ)gVY/bȊ=#9b$svaŵ `Q9|"My$|d8*Af#-y8xeU66G|L%UR\R9;f3ugwW"+ 0?Zif"I,Z .'6@-<QmliȔ^mIh*//uwQ[uAC ZW]}1!*h*)HVvtD[$B[s=)2w0s50U*\&̗Z`cKg*v_N}~.wݞa& {_ I1,jp2-&Cn5:@pw"N_o߾3P`At5Y6^"Xy p̗T pnHq /2zj`zU5"['׳;iHGP'O! $#aA,-UBhj͊z^QZ$:QjBRwq\_ɻSUTVSG&w.e^z9:@\C 22 F>O>F-Mۏ[6Vm e#Z>hF]gUg,o ܶ"X wz}ks^fkQo;Ν:$Ku1D muC8iF`]bI;7]& j$Ibj~ȇ[x{U#Q=U}1{%l }Cn1o&Et:a˗M݆LtCFDf]ڐC@Bűmܴ$vIC0DW"%Bgc䙿Yq,PVdLMP;2#֍ C;9ۿM>e5֬^SMz Oޞ yy9 =/ny!LԸD֬\n[ӱQ>-Ylua`E -6[G4U:ZS-۷tsp->—\[߷/έ5dgO2'kᠫcǕq4>ktsl[v[Z٩qReK9Bna}DzunצNnŋ-\]4'lUa XNȭ,:<就p4ɄRluhH6 il-FfOH1Y6漶cuťMG1Ug.^zd^=3*I-3 %qv1dPXU79]^|ṁCRI6o^{j_4_?eV(}!Zb:6zm muwKRrx00op`lٱr:Azء#npؘa7f,'4^îfy5d(gcc80/j.?gy a#f4)ǍWL,o2|M7md?0tR ~F*BsD>KaUښVglQz6:4$GOes[Dꋐ?`oopPh4OoB؆m> gFL<ޚȞ se&[E?]654X%d60gΞ|8]n^3mR^U 7'Um,=SZQ: 9:k*I?< <\9]FF;%6ŗC.HY8zhTY5bNh/"K yUA}/k +u'm?qsf)H-')Ȉ\_T<0Nݞ] yv1zٹ/֫WJ\)5LzI;aY3r:UlX-y昋!3:&4il-}[aG۶8HQ+u IDATꆀF4d>7a:SX" Z!j$7Q<4:{6lAgWg؂{1ƧK7CjM/g09As~̪qzltE=9yڼUhOSz4Z{s4WML_8+EjMNFtTy@=pOck{E ]B@B@B@B@B@B@BYpOcllRIR8|6>hJŗhx,fvjck5<@q;R-*vuՔc ⱂ#ZA\/lp<6fEul [4ͭ%f  C JVGqX+^7jz SoiDQUrꓲdn. 
YVeb^4-bK93b,e>U qt B ҉@ OAe ul.$X,8Pt#Z%<b>sՒW~#}KFSԋ|nn^2Ƹ?sGymd,N7yMaG8w+xcK l>;K1db4"Z:(v䢖k 6C_O?=%W <%t>NiK<4Zױ5c$-@2/C4a|>޳T0J_6׃:#M "&E9\ (jahv5Y;Io̻u6Ƌ("A0;BJ %Εt/`fYaK_-4?D|4JҎ!rGMcmޢu#Jؚs)G @3!>Df!$kqiqzWe-VzyVkyyM!x[`8AesW:Vŀeoz}˯:bF5J۽uJp㶒^]PoSĸgHeh;Lyo |]& 2y-@a|EPdK{8U&)$ iL\~;{U_8˘ElrӐF֢aB)e<4PzS3/F_mL/\NK5W0P WGV{<ƟX:Brs,h=fF {n6ݺ͒e?7'}Bc%=a]ÒAoey7fE[[$RۺPQVW&@`Ƌ/L'T7./< 떕{'x܃ ڲ5%uwj8T*}q4ڛEՍ; hꔩ:h": K$ʀ}צ|νQ8,ܱ;:jHľ7\eMh.۫xy [ٜ~qSGq{3n}z^B:_a(7Z+UTq|jMZBDe'v4lilkc)3!v>;?6;{c=k6BΟ?ͷknGNN,.ޘ$nJ\0`wdS i̢/rE%(y rPR^cS Br~+1UO5{Wk 㝈CByseG4EIkq1?s;7L_ L#Z#09|ݹwL6;#Ք8Rl2BO hs@Nicel Q>_Ӧȸ l-=D[6oɺuILa>Nđ#KWS o4K6ߤt)ݽʭb ;Nukfc>?y!B'}Rf(/L{?zX5W8z5-#{ٜZ">ݐ~@Em.H:XDыjX \VV_V0'`Ewu!=Cɹ*@~~~FFя#'F"!~# F ž|ݛ4FC>6=='ckO"+>x?eʃC[JP6~$kO vIi. ay!߈̐ڄ㔷tiAxs9ԇ]BC1ai~iCM SpDJ3(tCt=5:nBn(.5{54AaP~YY.c1mtĀq"̂ҎZ08oH6޳C(UbL88̊}GV#9 +WMb6~xe*olny.~wޅƓS}hZEJ9jZ4AG duB_isrܶ~ /_0?P?iʤ! kl߽<;wɹЩ;i(VL&{ }3vGF% KHTN4 D%xm 1heOS7-b5l(4+5(H.]J  ~b\9o-R89뚟bLn;RgZ|;3fy&~oܸp5Eb<P߿D]=kJQӢ:bp$hC8~2eQ'm6Oymx[r9Je~O(P=1V[mߩsGo~JCNmNͲxb٠kanUw>cȰWGCjy7~>C!ܭGM6$G dmG/rֱـPy]ڐCTՊ3~_!6-ھ{pw>”S֬^-#\[޿ak|#7g/0gO`Ţh3FJYǎc=V4M: r+-Q |`v InQf4]19ll> =5lOӾJEJ*-qC⢅h䡵/ZE&/RSDrj5-*#Qٜ=G/{(jΉ;f:ˆgޜv촮Ӵ 2^LS'OIHTﮙ6\HG/0]tD ~{=vǶq,nI qu|r [S(.Ő#yO령XMDj!tFAz;Js[Ƃ3^`ƍgif}Щ-4,/T &$^ 66XR%w/_ '?5hC+Z|(uװR~pj5-#Qٜ=G/퀧  =~ * O8(VBlyo/;4yNi2z`R)B؏ _fq]Uw^I~-H˹N=b27N4+Pf3)oKyTP#^LwU&W, x3=-/y[בms]ұו7gSb*`-^-dm،rMSZCUMӷ=4GƆršA@p-ŻW5Rb`wÚ> nny&LM6y\gօT U5MyTt+! ! ! ! ! ! !"pOc{ml-%!%$$$$$Z7ilut{{8/M8gB%$$$$$$$FbvoA{E[yln#+EN%O=uWN ]ԺjJX\A8q{:]JDB@B@B@B@B@B@B-V@!v%UyBWn*@1R/*ӎ36%yG킣!=-Iv%-nHr/3(FгU$!P66|xMš~_ʸ!g9wd!KcڱHn#ZgZSooH|Jsבz/rR>KFx.yЮ۹I~qjgZ|çߔ)=x)hi oG0\~H/r1k>ܔ!RpOcu[sPPP3$|=XbLܔ(ilU+I=[n]dZ/sz__?! JG=kJs4_e-FY sP ) - ,lr(mUn4T>ةefc9 lgqO}5&%!P\M{'_r^/ #pтE&S-)? sXFj'ï7VyYgFXb` Lm:?MB]E*!$ iL\~;{U_8˘El=Uj:҇>Q#yh4ai8@M]hHh̼}^.B_ķ1 L:k\ɩMbJ}:}9sm|X$@Z-5rMSk4嬅x u2r.?4$pQe*0"6;|ٗ1:Ŀ͔)>܀_lRh ?iKA? ^r".d! 
v' 74-?f@JBzZWny};)26G+LC_d;L 02*r#^%2lUqŻsgAi3G ttfT V>qZ  f7tM=j#zvq(豣𡷭zqalM[Y1|K{|mx<࠮8tIgP*QF))'/RG Ci1:eC)p%\f>Q+|c>҆a ^=Vf rLS*:66U T*%*oЧC5/uKC >hL5Wq(F׈1*桘 fרYW̍7jbߺQPF&" JP63=0նéSU~U]}KQH'&|/q %DK=޴$ %?]=6L9z[87߾Cg̻'ciS'N_+.~*rc'B\ξG^ξ [^IS iܻUܥwJ  DƆ4ګWOp_'šyO}ϊKM6c?ˁv)+M`>yI6*ҏ[QQWPy\<1D|+)Ivr-"96*3D 6|g.mŽM.+yHikE$\ybȝ4Z2&j $[23uVvmRWiu#~*620l> QYqJR+e ׿+w+~IOݲYJCk"!I0CO ˋ⥋ZXߘ0{+-F',uu#h4/Kر˴_2[QҴlT6kD'P1Bsr"/݌O~#Yg&'$L,X]uhк?ׁ3/0 G'E2"V#G HgPQ5L>%p{\dK:̥RO7϶g.g ajƺBG998rHm+F#@ N$[ BBɸ>?w\Ž\a]t.}Sger7܊@#օ|!;Jn&>,Bjp@43B,CJS~ IDAT6Km9>CfbPeWH}(lWhH(>PFK@F۰v.vGlĤc̬x FGI?T?8K"ϓȳkL22iNJ$)K6KBZy!|`f2Oad ²FW07^? /ȴq,h=b\eAe+.,t&h|T%ly{yu2l0tGv3a2w頻,?; #аO>7,ymɦϯH]A )k 6atS`JUPRx`g]޵SF N8 :XO>)OzWp6~==+A&w4w:?;APw6+DžIJxW.̺@B'J/CY\Eቊbt֋)Ly Le) ;"z:̜b$'1R3vk>x~%//|uUi >^C-3{ƍIk]!!hשL%Ų݉4':z<8wՔF+݁ /Ǖ畟<;c&ߗtTmw11 dXI*L_2͒;hD ^lg29/_-ƻvmWdڃZ.֣s}ا5O'FsF !~4hK7m^dY3Bj~ƼBLLt̘wt q04a\7=A0 F&h "$qv Hswɓ_v˯̸ʝ{d|V$R5+y% >"2X%[x2q^YPMM f-c W$iB 2ף'F6h{7yt\f 4f~8Yf<͜8aOh3;sZCG#?8O5* 0${w6w6302ݝ)3O`P~3b,}kqi̶zkpwN(rJ_01Q~33/W_6S)>fPv= ]k#ԉJñ`xÖSC~!&kL!}vܳbi#F6NW˖7E&[y5+qwġa6IFȀLph-kǦlbUDëQ>лU<=r87lY{B]4)*sGEzjS]uy% >" 2ewR j{D1L{drGkO8w}C,X'v%q_aف9?$8dlq]4Cj̰+bs37]0+SŎ kv@fc@p GBʟ?y46u~7ĝ7Dºy9No[}͎Ҹӓ0[h_EgQSil>`۶ [L3kI؃} gx/Qɤ<%jd 7CiwVʉ,|n{9RrB1>1s_sbF{wN]4EG4fNSh9`K sHf:9.YՋ2Ͳeriu0۽.U Z9çor'*Bi 5G^;nmVeh ا5:,.kWVš$8 ZƆ 3v㄂+FզaoyR#SJq^7;"eHZYuR>k^*R.mdyZp V.Xت 5P`hsB֒m3pWP.:t502)ƠYu6ൃ-yd9jXF>eml%Y=v)|VjCU5rs(t{8{{Ze٬q$umXeu吀Z=y`$p%^P66!xĥ5]jh- ..?9㫴e[8"F/}+\FlΧ9#+}Pg;)I>nF=GlNO#D3M#0Ѹ걈/^qR@^{;-p^i')=vk$kg/~*'jCK ;\# /ۜ^ez55ɫ{MVV{=r2x oKfLt3ۀ-HfW-ȣ썾>اZэ[7."&tyJEE5DaQAJX;)Pvv ̪$U[PJ0wS=Ӿ#zw VݒFKa?mo+j kQ #^Fǡ]|X,tu P̝#u:ZQ]AcC…9{+$"ֿwl3] Hf1g;F>mld߀* }x)##8(j`VVtllF꯳ώ;aQ6x1Ϗ&74GD-Y>A#FQE)? 
1&%k0TePA0*-J4es%0+AQ)MJcT<=qiK<"Vx~TR@,Z=hrMŲF6Ti"#oRG*D*9 = hn[90^YlѲoT_aY;`| +bOO :4fh'  &Ņ`A7/Jn ԒеBIEOK,IwRMf#RcP!񯙨il.nc۾yE%9H(!ZB5%Q(aم7aF6C׼~[?T~v˼˦U[XYpԉS׊J\rI|ƽ/;vzl- Dچ{w]*;pReqSS"cCG'_8DSW\R<%nʴSO?Y'OYlJK[aSѮ$DtHJ?nGE_CU@G rHM󭘻.'yh@JhHѦbY#u>326ٺgFٳf,ZkE$\ybȝ4Z2#R>3d 6X+$kGAAN#;P]gGHx˪čSz_@/km%utW._[!KztR*@X H.^xS&B *<آl DOq4k}xy(-T(fOf24څҼ$1C+j޺1=Ʈܣ`{~ԙ)PHC1.(E"}\a.zy?w\5-Wa&'-#e䱥F)_L!) QZT𡰃/HVrD׽Q.U$fZMhyQB,v]5~SZxj()-B\^\CfbPeWH}(WhH(PFvb~iZIG%32gƣ#-,,PS$,_f5LYS7fa1s׼T*g'R ;AZLv}QQG?{]3x`-q=MU=;K0D۫o_qzz?*–45` eN Ci2ܹ .!k'UVZŻ2w90 &UqijEW0;Th=?Pq. MR*$PPqKtPW}xXq:x+"nJ~/S\Gs $Ƴb'hr5peSUYe :{wfk>x~%<^* `Wn}.Yb| ׍7&yw&W#SJ4eyh9] L[׵ZߏZ{ڸAq'/L{3GU")!8YJ"%֯26,]3- #ēFGQ-,F4qf#Lqig.QD<E"7 1 <98W+<<1||syG4S m 1s?6%Cu/++ZLYyYgPy{q-C1k;>! >.eʬ5;j/RL7ѳ8Ԍv&a&ڸ^佳hr#GԪRN?*QL$ CR,Y;4n64Z73ml4Q˖W QTʬ:Iѱ{TTT?σTVHLjۆ gS qMv8vSg(g]ac'n܁[$o)G6f妞J()!L;f{x/r-[h"Q݈`4fr*LS< $q8Lmcs8'WX6慸bbc3R,W`5@y½b 8š4Ƌ׬2}G&ΞO5Ǣðޝz@>*Tc Bdq% MR>؍x۾]'~RUAJʋxeGq%FC  4hs>1tUאA_>6 +Z?ï⮪('ñꚍ>0;owP5ǜN4w굫_~eU4U; S(d$0PSA֚JztRydYxM.Y.7d nW G{jHL(mh6)+R,Ӕi*bffcc\q:Ҙ;ZaiV,}c:e$\i ,J[mv`OԸ(a,Gl6ƥya N0i3?-/0 0_hLC ͚⋊$O4vd*/0 Hl b~DchC̶XJS%涞K}\u]᡺ܺuS뎥M]Ad]jTH#Y439jlhohu&~b05*"ؘ+9-]̮X.,.b!3uRBr 578{Jmndd\3ltR63L 26f'6$DZ>Ț` ikz00Ǯ 1ŰA>.7GtLp;CJ^a[Rی^K^=Ol 0ʖby4?-jMYoͭVy;wireH("|2%Ojf &OY1έ;7JfL71ĕً@MQK2"&`7VS]USI*o$yJKϑO@jͪd,"n\]n$g^ζVxcw?4.來;v> s٧'k!м>f!fM$umBΦ9`eJMI)q[YL.N%b PZQ[j0 C!p5ؘ`0  }+8T+#C!`0!!3PC!`0 5طѵmk?6bAmcO\FvҹlA\y: IDATV0۟vP Nfߨ(Y" C!`0B66f̏'2<=< %*eKv 8cM"V:%kcFuf9BM*@4zMΕjk9V,C@468o8wE}f3[ q˶-HtSB]` :XBtz$Z:iv@WH^9.~!s3[:JGH^K>}44w;QJk9>Mqk97;C]"`-|>Q `z ];OŃ$!}"05]'5d7\HhRŽm ,l8j! kɶ8+[ 뿔ScЬ:|~ī(]| ~/|}Jۜs\rÔVCՀ3gϠ!Dpξ`ި\ HVɃvr1cNFا Kb.B P*I%堮Zɧ[[UΞ> }?(wx@ۑs& fE kW!A Tl=ާ6|ZfܫV2~"쏲!ăEK-[K0iq(`ѥW? 1&DD&/L*{vHNZf oLnov* &WtrXGV!SkED̈'YM9Me@|c!ZύT(Ϊ)])9#ӆ K^/D۰~ ,Tx(pco=M1ͷ }&<@DO䮵e3v{6WZR|zF:M0}].+0;uX`cc&&if8//|@WoTk`wĄfLr&ڠ9IY_) !=ԀzMjkF&zRp`jR\ Qn^_|!j%XJ*zZSIOB,;  t%4_mM$ĵD2.6E0]恹&_K/_(`|SS^67q.?:?j|E d{$s%il.kc;w:,"PLw8{iM)T^*UW?e. 
Ct!1~[?T~v˼&{ F :qZ1tSi^W^9y$}^reNO45Hېvν __]zNg6_,yQ+ Ҵ?j_=y N4%nʴSO?Y'OYlJ~y'M$n )\ru{%;my~nMSK׸dx99>66ɢI!]HjQ!yW};>Ivr-b1 %1azǩ?mܼ`@68+EE޵cو2{lvm̾QdUr># b ?p.XƖ D% D!N#;P]gGHx˪čSzo ׿+w+$=%; |g.KV(xJcVhk"KoDSHߜ.|QFvQ:yrVoL=6OXq\.6Oeڃd.6֣e@r/6BsrʄJf ]b p]c\Q.Ef\1.lKyf֞{*4ajGWx*T}||('"Gl Q"WHF<V d*i`W`EɸI@&+OP+枙=YSpnݶ5jtZGyWx^MB@X()QK^Kba@x0Aۉ-iy5' ɅI}xnxphJºum{?n](Χ B6J3}]jM@5@<5)X슻~-<5G3TbmO\^\CfbPWH}(WhH(PFvub~iZIG%32SXXPS$,yGSE3X@ շx8~==H0%.MM hM߽C`h c=)Ý RfNqR[]`_G&M/ zlT]yρCl6 |Z婂5&zGAOW=-uh=jXP~<{;vCFZ1*p8|o-Y A*/塚;}Ï%yIUr"ɋtśٌ[-4)Ms h'NH:e._'t2w頻²;?0k/|uUi >^.X{ƍIk]!#W)X:ub#-!Ci^_VWkO74.2f}i}eD$K^[i:$-2z}7JVx t77Nb]B=?zۊ,i.FL{"ZŖzlr/6},d1M/OCͷd8s _b2Ř`;N ^ ̜B 4w3fkNXFFH|%4iaiN˝[;c裏[kĉXd?cG65vJ,;P˓t7o2 ffiCѢ`|@ ;JaO*( {6*tOF)6uGS>[XG e[S8&dT.jbdF XF50FMn4#JA +ϸ5=Ǹ*UN+]!j2# jN eH-]ݑч##\L>s3g7kId M K {3*5Ok]66Y̠;E # "܄4Z9[1ʑ#S~ #<2PB\*3F_rAhuZQ_2i:BڏRIB\ 111c71pMV Ϙ0kN tgm4_ll8;qe [9G2ӑόj9Sv1%ܽrkcnjuV }SJFwgo)}06$̻ꤍ[r!SV׽Oy,3`1286fӯ_? fI6&8)Z]Č3h:riA!5ո=Wz/tB*HU)Qyou4"% `ߛ,S&/φQ:v0/J'WQy"CGhA/ŠVkj>I`Ky8~vn[Z_`_|7|_C~̹}qIsǯ^Wf\NÍ{dVϬq+!QL^"~/G^$0}~K,KʮH/fLWHE%̇˴!L.գ7~llb[af~Di\} yqI>{lYZZtu5QשG46(miR2:6N{n$v5 Dх,On`NskrC:2fHwKɨdRYB´`'s 2pGN߂9PV [81|{u OlpL+[H>`yKei\ړY%jp T!#wm󽂭li[z6眑KXm+J@瀕1+q66QΖɥB"RNckt`0 C"`状 `3 C!h46c6k C!`0pR646:MX`KeC!`0 6D <%,٧E`0 COccؚ&X "s%;Ui_L_VT~qՑ凋r Y8kל5K!`؁@-I{/-7aaa8Z<,47ݽs쏲G y~ vaGhƆ $$qM,S_0>Ɛ# g(pd=&jLѥ9 N7L-ЋsMaSil& F3\ݯZroR4諹7}TuP0{tAΕ dc078dGK:q+w+¦mHwޅ.S '!//|Y\r;z%o-߶e[$sp8ie($~& B1O1YqI)fL=}g9pގ`=N<{@{Bs_'kBR[UuyE>9i IDATk:pvOZcc C! 
}&& e@B'J/CY\Eቊbt֋)Im /Bݻv:} ##=}Hʉaekؘ!`0Occd AZ7x)RI`ܽJ<}#GƆo<<<}}/~ `W7W{95`0il֞ꞕ#Pk< !݈ZnwenCHU*%*/O 1nFD_-egf̖S!xj/g C"`}6"Ɣ6)`CS)>fRAY#njڦ'pi<9kfϚ BXN} ȡG L}a+mI0 %ilL]D0\pT|\G@G ^a舛xV ' ׄ ]T֜XH[7q^"n CeEaΣW׆*Ȱ2 W%g*شD֒`0$?(aerqX+"5%^1qQ~m\."˷%~{P9ܱLΒY2|ZKTu̳U ˯!bI)+R}u]4?iX˕%VI{/ZDMA}|Zk.;rXie-;GIjuO5ܧfm𔸶]֖I㹛A ^nEټ+/RiS=@K8->9)pP 5Mp r \vh;)ؔ@5uMjΧ9qR]u>Xډxz.$1QMm[ {ۮ?W[ &Q•s,njC f8H0%E۷a .Dq:B3mAT^~%+V}utLgxOkR}?5q^/[OMU^u\ҷ+nǒGg$VJ ɲ{6%|-j6CGA]S0@%I̬;\~>A %_ LcQp`w,ZE `cٯ%e+:ҀR?:V)#BiJ=jNj*ϫ1\Q<>B:xCx#x1Bɫk3\y~+|aTK}Ww+>d)y]SITJwm L1Oh,`.1v-\'o`Ogtل8K0'iuɍY Hv`@XdyO Q|BBpq.(9kgl/iDۉzy*{6nJG XDm$ ͝?WS`DҳY}ej^]3@UO%6zPmD7b*?ӊ=V$\Yb7zS_Lxq?4H+{I~^ ?F8nsr'bh!AC}ҀNĶzs#okE'.4.5W% 郃3:ml^n،J[^?HK[͛< ^ׅ[n;[\\R|Es$ӄ*/|/|#;-;;rXdb#aeIm7N:s 7OL85]:ɪCj ?ìڈ_&6*vӱEGjI)E" m9PW5'sPx @k 6LhH?J=ЧsɁl|+\-޴y;ѣF77>=+W.[,Յg8^ =ɋeWjD~>LN}PT?d.iؠiu5,{PghM#6bT׌ablJvqxB{G>7RP:ܹKr5wCƆo@!߆CpBE$yw|pxIfd v`Cgv!g^JMlqqCR]Nxz5oN5lɳMZC(/AS^67q.?<GC^&털(Hf D 9>O*}ؠdȼMun~#AK(&̌j5?/-cada82lx}TSsԢ0R9x`q9߻har R8a2 Nt !ₐ0*؅w=_/6{l-%7el<!#vF]"hɊVybȝ40G b ?0-CؒA{ iܻUܥwJDX_l7ǀjU۸f$j8OZR%?@5֠56az_-KV-,5_s,ܰo`[֤mH{aa֌z)nKsxqxS]XRUgދ"|!rc [L ]2HĦ.ӐN2L=!a}RWAxw_|nL-o_]6 4wRV ֍鹇5v/ X O~#BS^FPTsNcuFG4%@G{JT~W0cKz5 AF@\h (2aOWGi.MNz-I`\̸@i)/s vSU: ;F ~u?\]x-nѓ143 #Hi_$EuJ"ASStoA,RJBhSQ?N6 q˝[i^;‰1PEahqAxe" v`Qc ܽ hݙ^)8%ז 1EKi#n11Z,#޺J&`$J-ja҃?-k]HzGs"QK H:X0lXso9Ħ_E BJ~ wUn NSܹ;*J)ZY6_BΫSWkW`>cʛ_t{!]8*U"Z ~GAnd^FllQX3RdĦ.<|^K!`l{1tUאA&(I,YdK,Q$#:a{'+LhnqW}dI`¿y8@]g;kVh+VSw_QI/j~0|WAu A]swWvR*E~QOL!Fo֦e2:ibvY61_* Yx__Uw!&yFLEDa0Y(`͓TELc hH:. 
$05HH?3`@s@)^m0j~6Ջɳډ8!հC0uZ4P[Bl6c;Cp `س㞅ԚuzB`6[o#Y۷-$ӄQsW=l0("H}o->ʟyf0ْ/5jgG!:VMsi v[`\UIaa f~֛oc??m$oV}B%Db;QO\{@ܱ!$Ofv?;>3wg4S ==b)Dl_2KNՓ^lل"AoPĭ#?ؔPڠ 7 s#;vݫwObIdf|eJd6XI C+:$Q]^iPEMl4$L+xL>ݺh'*5 *xZtgϚ B 3_ _aف@26f$C%eؒAi&oB3|salYhl[.ϝ*d2@=9NaeQJZ% f6 l_A1w7!%ȤÂZ4ac3̀Bђ%Ѷ+/k.J1;8mEQ :e9Y ZdmNYPx֊6/C!`0 G>Zn#C!`0 OcssE(9`0 C `b]y`0 C!`7V4VMf7L,Cv(mTlk}ݔe ⲂD"^Xpb?6FE<6a0 C!`Nٕw3glTt⏹ZlG‹c1!`4袎=p.I[徶FɹSp@W w# \Gk4bF(1 T|DFcL<'Dπ!($+5@\J\O偉55߫qs㾞m33C:ꪯU|Uu7T]<pH5M >6esCBVŹNYZ,˦e1w%a<@Hzk&tStm-_徣׏Oubޯ]5$Pzg5ґpbs 5j5~Zr#ǎisKu:Wj`AOWs?c5_/@§'@j tfSzn5[`qs 劊G G5b49O+C Ê9{.)Y"O4>}r7'!@%{sKK&kb x#ޫ!A/-6Iw[X-=`y%JH 7P@K^c#k\fOix?|M}\T cmU0 ď*7"n-j2z4,ItvPۋ?IcPjwCMD$TzfH(Z?c !/U Wr\3º\36*pȱǴAڨ(6)9%^UPJj@1";Sfw5M>>b; >GDN5ހPq6 h3lc3Bv.aI/Ip-Zoa`>e_-Uj4ށ˗.?q3y -Y 6\>TCƂ n!,^X+"'ףGkԙ-ȴdIIy88FtcIDATixQrj;lOgW @ ÷_Z,&2) l6ϔ)x+rc# X"ܴ./==k56ȅ 'U-C~U^1`%p[̺`?HBPW0F供Gr*$&Sɏd;^"|)W@ydƇF s>PQ平Fy98fg3J. f(5M>AUTV=ST3yJlz,M2bɦ$yy:xU7&OM6_2]^x#UdyO^svSҊG8_ڷ8s,+W&o޲l  e s: hN̚l6ny 6%AI>]Am'sBƝ&UuL+B~4Ao4.THgko>]98K$z Lm21ݵ~^3(]ďe}`ʕ+W{ņ[ z3;U~6ܑ|DmS '^NS2/cޒw>}޾|$rHq7S}q/,pMIڴGNo&$NYc7ǏCΙ|X!f`Lު|QO" z=󃂲}{e. *^`aq;wL`hg|&L%){2l7vr@uF?Ϝqz>h"h9"A-̜wr"8@Ы!kBATfpe.|+ @y p*,D$CQ = b[Amly﵁ S-!e!ۄW$m!σ|jW|T*l/T;¡z/8+vHfH舏ۀ\ב P!?{Bql"ڡÇhh ¦Z% ˋ?o׍5' 2Er޺&cӐCƾ0:D gϝ=sZ֢pa ŰJWZaNz-fM tYNGo۱N##,ۨlް~v.4? 
NQj;vyׂ3SBqe`km _rXzvZfFKlu::K߽JzY; hbfb,~vڷnjj/˭GI۾ax%V0nAhN^T#EA%&I'1!ȒTi9;>qƽL3ǏBA6a(ۛ.br  WUd;S&9f1BvFap-xw36,G)*3iJ BY{^w*f晓vPMء|S 2D OMW.܊U CGpȐPu4m/xт'T<ƽՠנ{*  JM}lCD(*(nv'싏ۭ[~62pL)];K/Rp ^!遐%]/" m&9 զoܩ(x1[ 9%;/nQEr4 "M5C~KfAЊ-Y?N~?~W.\r+zvH;ٮ9irsưx|_اwښZ' `bl`\aP͓W@j~Y:f&<|p1BvV e/QVU>*^;{[gNA~2n> pVGn7իVFfKW,S>cJH?[7ڒUjUkV~cZ9{+{@<`iM-kOq!ec>*I5N&.=k[2{`$-YˡzW܂4(9TVEU{(mB[V [ \p73FO{=1b@Ȃ__&*)ILN' wάi!+WIv,Hqަ[^Hxȿsh-ORϢ"Oz^ϼt*/)ƹlV97_ph^~ռ Ba@)tbLvR_Gw^m8Q{#^&n:b5(YIZv䞣-`u!ԟHL7R6.sDCXS/4~;PcueZqR5Wiee3RhTשAs]ؽ V`78B_HG7:nO](al7q&r@Z`RGz+%ǿ&I,aYl}[FZ)܄p)oެB]5Zrُi5Uxތ3&Nyr7T LVzhĿ"ߍub>6ڝhQj\Pھb j ԖMZk5UqZڈ@ukwt?k$@H k[WT"$@HpbC@H $F{(cu7V@H _ ŵ;|ylvzq;]D5}Tn:6D9 |cݒڪ(cs w, $@.pͥ13@H I[DqCW>8I \6/47Ԩ}FkP@H >KfIoI[ F8}P.rfxh#}eFx6 yTTA 4~98oa;s?3J* =|lǏj3S!Zi/J _uHJNJ޷Sưa%/7QrjJ W @ ÷_Z,&2) l}lV {.^ҥKYɊeb YB`}Wg<p"#䂑 ÕFj4xRf @y*&B0k!== KOK[$X 4aj7&k,/\yު\<~O;(b[ss'4"?h>Ok[hN:w͜Ys@vӧU7&OM6$eegm(@l,X wM@G}BCƝ&UuL5h !JbXp|nBM] Br.^8rH*؃~ܾEnG륭SǶO-V/XQQ<'4Me/BBpHsx[g܈v.͏!>60z@& z=󃂲}{e '8meI kvv6n5Ea g"6C^I|T&ؕx(G;6M/CH=QP~3SIA5+h qC`s/C~z9p*9 tL+T5/ ssS%UMGq8Tgq:\6]]qqC Z96WwP1-m^α#*l$U{f]|[EB[}޹љrxDj&1'Ki;Ҷ;m׸Oqž.dfm Ľ -[VUQᚏ LM~aT (SRARm;v6i#,h@Opŷږ ) ׁ_h"HQpbw{(ve݋H q޵̔PX%ĴﬡJߞv_Zك~uQir[.FkskTpbz\'N_[[˵C톎r!H :MmK9mdrk3?m&m蘱 :|R _8ܠp!$aаtC ͦ7V]~oU2䝯b{ Y6~4rϾ/ܪh@r&,p*t̨1a4FR^aENᑈKb]^ٻP\/cgn5 鵤իV ,]N>-9g\i3 ?XVj=} lY8֋a֒?21}mn[fڕ8ϐ6'mYb*kհѾNW S'0k[+W%#TN,w-|lA\ $$em߶}Y"޾öR 8GR0q^DγrcNa݈E7-?3@,QCN>>,>S̷2'#uffme8sͯ'cc8[/F05Ґk]XHԠY 7?3̈?Ĉ! 2L|i&trd%6nܰ?N|{t&|0UB#,}<5l!fM[F]'?xKTǟ~ݥ`q^FγrcN?O7B¢n~6ISHk>0t HQ S%k^R[v^To?oT6:n4aEVtsòWı T_{<{O_/Xkpi\6{TҚW&J.%cw v')huѝ?2~Wi3kH+%D1ogNٵF75LYH/aY i44*Xvd5pŃeWT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx} Tww(p k\0FŸ5L ѣ? [ܹK_ρGqTkS'~ŋB9r'NwG(3~O֭:|`A뭷ۻ|@9!G ӵfL?px&qU9:м:8p`MT O |7&O|{ @\|R'=H'|H 1?oCq~S97#XX899*]NxΝ;hoI'9JG0:kiG￙qŋ\#hs[p:0,tQ(}Lhek)yeA8uVϭk+k7W7.&BByyb_-/7~{qd#qޡ'8'>;SA0Th-aڭk^ U 6U"\䡄OVp{MLęDlݺw(3S'G|AOpS_Ꟃuא^Uڭ4L=w{B9Hඨ+s+BZxψvb~&CLD[]:$2!\_G ]w*1HK h)Cǜ&Te)p%d qA[Ac  8_k^O[;tѣFx{䫩#1=H:Gg+xzw5FA0qĽq{-1}r /?^[m>ݝg9ɡ"/Zի^ܒ Y IZP9x̥{JaT^uԢӬŨ |o8:9+YO6r.Q [CV!7]b&׫:DLK%R/7^0" Lni/ =_sk"Q:Qn+Hځb5ԛ0P5&çOaWnQ+e]r!"k@UHqj"ƥ5FR?_3'P"A!s~L2չy8jJAb ӤoZfQق fr`]EX~[:/4avo;) \[СS$#6}1MbThc&)C}h9R<>HybbBg9cYIY@7 3M**5 k%M]{cȈ7Fณpb{'hު w1u$_K%^/=p=)'`;ppKɤ:0uSwOY$1GdH>ֲg/ªW^6uDrQ)OjͭVe]_w `u3H+n:& Ikﭽu 't>TPcӧMIL/WW8}}\v̽s,8}|,+I853H.dtCس-B_h19XgٵrYôuF2TR_> IrRG|2jCM-B 9o `bYݺzp8rl Cy 0F7\Z#ut0ZT1_!CBTFFƹgu:q,sn7ф`ǴidZr"cuT)@Ij,ia`@F&1A3Z^5xOGxPQږݼ*q'&$Hu-D[*. 
Pھ-jZvKW=gˋ{N,iߓKS࿽tW+ʦ#]zjeexVv$#ʃsg^{Lxcptҕ%˖pžݺ!玝4yƣ$_3R^k;k\Beoi@2 'cAa<> "Ǡk#j,.]~̻c]d q\]mWAPLRt"dB*vsVQK.2 '=J*8&.&LHws@>MZ0# %1Buz|ݕwK~DO ɕ_4&&n21$6S'.]nwy;eoB^V6o[-JIUrM}GM'LPGigwa#͉^&>gUf\F%Rpe;FhdAZO&˗ CZй 3<隂l(]:b<pEWM4TmՁ!QdԂTg%}G=DL[.&C\Yp&ZK²@4#܂a_nބqM􏖎䀦ωo>#-_} @BuQ VB#lIU2y>S" ǿs.) ‚vJ_5|[Z(_Qb^Ӄ"`ABUb665&cY;|=~2V+LJ`pT R`2 R]VMaAũLՙ2(EP(ԥ!o#͝;wD@G.[enPc Ҕ'ӸϴzE"s5 V"E)E"@ ЮYyB6fX^0p!׮]Y5GZ3w{O}vRYs6\Z]1MUOdEjS5MBܹ3{`T:iu5-6.js5.]և߽?NI? MP{޻Ť6Ʋɓ-N9!@[;2waB7#]48sA\O}CU?/ ]$k/Rɨw}C _ . @ n=%wjP*!@ ΰMK I" 0wl\'b{^j)˂Tɪk88-[o߶Qv%yh<$o˯B9_Up:3pYN{C, R*hǥZ 0j[uWݲ%-xB6/ 6i-u)Z]^É+s .6Aǀ*h8T^5:nڱW&صfCE}B5BMWJF>a6fer"[?/p>}}vmOI.Jv2!xNjq{$k+ȨmUX6Zv.S&L/QZb_ܿ{Oz-H|v&p_ gܸr)Ǎ~z`AYf'\LԱSgc׊QUF 8*1 LҪogN3!>x!7'0+FSD O3X:orK`x-GU@uQZt.5iHѷ"wpq8ǐ*#FxqkV0 w}o?A1E則5|[/SQ!?Q/ڶm~ú^Ə,UؓNXB~Tb' Np~v!@|G'K8Rd#Y N] d$>\t8 j5 h$DjB|i%XW(Jaٚ8+r ĺ$Lqv&N/ m$s/:/i1FA1 aLH]XQ] EԾki؄?8]bmU^# UUGAZPJ.붵[rr n_!6DXSpݶDl(87|47nŲ IDAT/ɨÿR"R|GFZ <*ɖv좣{ R. *.uN.aUԁFD A @C \jKCZ Yǭ[qhLNɗ}^R¶ c|wͱ~mkBf;~ 7 $o@x`&ctu{j>\߈jٲe.TX6CCtN~L2 شqۡ}w+C@DQfHk7V_{nj:u'^VHwȬCZRt#껵01osJԗ~1o>XV,֑B/C |SR(ud[&Wqע5iFE"@X ]* ԢZRj (R mr7m}-L;=CMhJ5Q,v *nZv츸V$zc7  mr7m}-N;:FhrK)E) @ aSEE"@@QE-M`lFSR+(ud[&Wqע\GxĘt 3jbJ!:"QuiK B6N]!m&.|74#E"@P*]F8ّcFIH6XQ`Saʥ7 :X(*/2ƭF@SR(E3ЬP( Sd8Q~KUec޽fJdf"XChaTDT̮>gtR3AAQv>آݓJi`ïXpS?вBrNPzQ#[6-RqdsPG!v?{IA؀-_g3LK69rYKMXr)Ӣ[=r8<уQ*S̝;@ٿڢbUF֢ :{9?͹1{5f?ÊUe\W&}֖A2k6 Y*z!0lR$%(M$RHȢ"MK(w"Vq=n'[fk\b%-ԊQJu@/8rrr6(ōܓ'v x \˸sN/^8p)z;e̠?K@rTj^_k~ᮯw98:`zB`wĜ%,[b?U x܉B"DŲ*C6\qꙜ*VC=ˀ9$?x&-tvtڱ I h;=F`C[O"0[2&Zr7XjpCm0 ܪΊkp/ ]T'M-|-5# *A8)WQnz,W8=l^CFU^)ywze8 4]Fd&B1(A0˲*5x{ RPALN[I#XY#ٶIM3Μ5gVVzt<}Opw`KRCқ)Fq`5Q1q`Z11QH/:f9eɰO-I04>"s}jgZsI MʿZ˴MC7)Ɉ 777"ǽ|%Ïtb ݪwȼ]ٰN^N&H[ζ%%HOؤ5Ui@u aB!ӷEsUub XʸX35Nekl0~^:@, .a"d/_۰V6-=4yivQic?.o;43 vAm+n^o7o͆`ظacE03vZ^^^Ā\z !&7 ƏW¥H>*$X A^@˹8t/.YRBc  {Ƀ'?'&%%^ȸ-ϑ+ a@ $-.!'rMM/iǫGI[<־BJ]Lp1tZ|)go(~60$7ݵ3{²٦YABx!Aq.M*XzpΤﮕ]aզޝѡG(9Ь-fKy²%Z>[ p޲Y N長5ȋmuk989$~$&,_cga3[mH$vm̷3ߝ#9N%ct^#`7w߽i`Ǚs;ѭ_Nq7 gcb&]BQ>dcf 
~nՐCܽޞԱÂD'cM/KN:#_yVGV~9tv$@R&W]gP.cwr#V-Q#d8#g'iK#j`0[n B@ .i`0s#{JgO|-;`+GW*1`ZW~Տ!|OiI'04\ ǿ9Iy'D7o RE;5:;%qJK55l+kZ;]Ory:Ja5*u5SpO9B׍W8xb[{`-Ǐ=5`A?z7Z#=;1x` k ~Vhd\|׻RW92HVRieWdk-~yp%.GC:Evu2и@`-uh"V]yA.o87ls2/{&Z!laEMUDD4uĉE'S.aZ'ߪNia2P(E@!Y[T2E"@hTB6j5)EkGX_5@R(@" RQNP(@35 JZU|Y[$KWY_SE"`5M#O4-6Uz33Z"P(@! Z:BV!B5[Æ'ԮAmmP+|햋E"@4BKu\+E'l|Nl%H/E# v%.`a% q~e8JEkR O1- YԱkG\wlA/'N̅/]̐(>QRh&pf 7v#8&p:'d2>C 'r 'pJS( B@!l! p[.Yq&s50%)咕ssW?vZm$F_>yfeg]Mچ, nִYfe:}tJJ VhAlްu0 [ O~W.tN XJS(KA@!x Ds% jzF#,&Q؁};:;=6!Q?+k'ۭ_LO[(@ۏ m~׫eEDDE,Y` ;%Gz Db#s颥w!YjD?ÊUe28@+sEk-#q|7Ѷh↶ACЦ!\_ȏxbi.u7 zR|悴qnRI:W@(tB+d|wN R0{ d/^82W˄&P(XC=BCF踀p9bC'NLxm yw]qvm̅H֮X{X:}m[1(l|E:F.sOO.\=`ĉ~+pF* t (ԓH^EP~cHkΟ#)ӁӄZKlaZ/O IHH !-hi^[?B̏޽ɉngKMƒݯ |+op Y )-h E"@0s <_Т{G >vm Z\eZr4xHԉ'777(ٓgs=HS0FرKNJ3#3s'd.kP(恀خQ9;x6>u[]v/v/0(Xdɭ=P#XepF9sD2!`]@RΞ;ŧ-sc]ׯ;z$&N0=ucڱ@Xd0j[߀UJ!i&%b= 'o@C(#\Ч<)EkGUEP(@2VҪ-j(TOQ/)MP(My »CMTEP(:5P;Db۵B6 rE:@F/)E)! ZGnPE,glB[ 0\RCؔ8Յ"@G@dK5J\0bK>m &L- Jykc9ٴPNH~ؘ~QȢ];clk=/'N̅/]|_ҡJ( lmq,l8 n')CdQQ@E2kG. @E%Epigř@”A䒕ssKx%>{AaWbwFϟu5*ckHx\S'XYfMu')))xgg|I0-W.tN j >7BP=ª. v;8AݕkTGaAynڿ(8Cpva#lڰI$Cdxy *lsX:i]v]\E /p<7m+O־ 8Ev6^,r ('POf>JS(E@!t&֜?Gz>18- l!`_{͑'g$}ZF?0~K?ZڻW֭,l-vZѻ899Íl  Vw·N_8o!dvPAV!m!dB)#`'u]c1ضY5~Pu)'OcPs/a A$ ~ CɳYW|rX1 vұ"3#3s'd.EBh.cΟ#lשӽ~^{~,fU 0_gom8G$ 5* *칳_|y2G8v޵y[AkфA8ktxX X,2F-oO1N{gKzN ЗP(Gx&#. 
,.`5/t IDATC`_ۓrts[D>|(3 c k옱/|}ߩ tU 9ӧCK Ogx '޹cK""I:RLГˇ ASE"`/KL~0ŴKG0k@ amu`tu,E~ B6U4m}-T͗Z>oc"@41BK5_m` :5)峢4E"@Xb թjtE"\f6 S(qBK֨qh,E"@4[¦7Fl*NP(|.0>FSfL)MP(KA@dj=BXGh)brZZ" { ZKB5JA P(F<P(q-_Xbe}pPR(ӞÞr2)9M#/m2P(@Զ.l#qzK!mP-8y"b䓒'RkL{r[tR0DV-4L@"}C߸NE0+n4DUDZ&^5q) IPmYXU\ B; [Jqwƾ+e=k'([E *_=4xGdQIeFvHWNhTdBTuЩkvk>n> qϣkvfx +r`jHѹc@ %)7p\&ڭ ϓ}c}kjgBR *8VƲ7Sh|7p 5~}zJx⨴t颥w!#ANS{V-gᅥc)NSvʪˇ:CJv#wrQT)~.@$` BQQP#PSB6 _(6 p3g͇>%%ȏx%|/$i"F,OPvCkx>E"O~<_|.qbC{%ʅEϣ"çΞ?w~֝Y]]6飶Eoݸ,0oNy>o~8v~eIljZg}e>FmUO%H LP*PPPS!{\'-*Fl_2$;w<|sjr*,M:]X$rj8 ض#V8a5;Ի{ 3D .wǷiF `{vThh8 -..4t8Ӳ7q!\ΡQ8 58>k4~;i96$ 0 @}q`a'g*H4IÝVɫyGnݳO`#@@n'?i4/oᙠgR1bOw^b˖,;}d}y'tߨE 5Y0ډ%IM[H sYsfegcѡ}(=㑄 0($4u۷}ʼl xMxsBJjJ^=P{6p;gh\Z6]A[yi_uCBK#??kQV_~NBš|u%նH<( raO=yĤkw0 _ͿZ10 d*iaqFW%0\za z`̲˴"n0)#|v`be#Gv .g_@-`r,I.L@;ѥ[mHS9L0Ӻ=g;C3&M aӆYsK Z@?DSn@pk.1!{ؠ0&/]^[0|m֮sprxI^HM;3t>mߖӇ ~8JRdmҖ14)nJFkc4]BQ>^O]85PQ]E3J{#{5!-La`SkmDz+``!^oOaAȂ1Mk#l0lI'M?HjV,jAO` 7ǃQ5W}j:9kuv"`ŔV<k} ơvj?4Y3㾍15KE3kjx?V4LEa7d =|We*/ۂOYCw(XtXy^jBKJ 뵷!h 5 ]tr <}!@a/d,ݾgTK,SnAr+n%K]!CB||^{2 d_]\`F05>F(ʪj>*7 {|1R Y( Ά,T,C5.kg B)E" 6C6E"@h5#lHP!bOO@c)E"`,SѦ<̥emBY(* ikډc&{"@P:YI}`1[$HQ'[x) B Vl"K<1`Tq0(WO ضblMa>-_p‚BTߊO{;"u9:w:ºkzɗwn[l=aȵղo-~^?1lHC(V;3zL#93{[}:G7ee|ܲuRkrl#qw*b R!>`CE!`kǙ] h8ݿ3Z4G3Q0!覂W?}'FnpO>/)~S"#0>bF:BR?R"UZ/3'*t Yk{];pVn$DGW"^ԼyVzHي@JJʑOge?;yuɞѳg3g]Wl͙X>%'fb! {WFS0jVTB;j[;<_|.'6~ \J=U-*F,82$;w<|sjr*,M:]XYn 9 o.xƭg8` 0JYw{60Jʕ IWSӋ$JXBV$(qVP_NlꫯDlی$LXi3pn޴9p~^R/ l.R"фgd%}uIw}N{™QF@ܾ8Pku65k7u2 0)׮X{XRuPqpb ! (A4:'!gDD[3YH$)̒\DZCD޳{K #4ɗp@.T; QG̞0S;S|͕gHN&.]EȎxj ؿ"Փc|%4s! 7_csNN urtz Q}`D[\m5L aEEEca2(ΪJ[ّF@\PĄ``^ޜңWԞM(܎ (cVmĈwȼ]ِ H*#1B#%(掀ZOq$}#;"fGx+;j Qc$C)QiQ袜9a@ X A+Kݯ_?'!M@>a Pc̗وUTU.ݺ ~S6nSI\jmcJ ͘41x̆Mf Hg/+hME3OJ) u&CAk/l*2hDuZ|B)A0sdRɱ*RKQ;+&wyPlν51,ϣjBwuƌ3{f@G';ႁ$K|;ݙ: ϙoue^ [ _?`li _no-[_v]vp-`(H/{]$rqpk~ @3J{#{b˸[h0Sx]]ڧ_,!{y=c!  
л_o;[˵fY'^s_@ 8JP]\J{!jY%\}?[|IzPLJBGQgW+*|>9L)B_@nZy#|Q+ZGߎog;.+bo+D뎁5`uRPRi |˙w=,/LoOtk,H6t@p㚃׹pfpq@HtEn?errw&m:EMLuxzqC^">"䎐!!CΕe{{p]\iX<'R #E'o\z%@D]1iЏIIV۶nAed,Tݸ[ԛ|ؾc{QIgȏii K{яysΐq{t@@%6o_'O$ѮLCG<N!`p5.`KIAxſ¥̤mO !2\_5nn4*fE;b TH}O' +78vqk;Y ///}W f8??@%R?{ĵߜ'/DZQA ZbR˩(XEV.ZR__z@=VޯxǪ JU""+s CI0g{{̚/ki_0o#p9+ a"WZFȂ2{K)7Æc(g>/0yBz{.O1Ow]}~٨,WSd/-SbЛ*GH0_Ah!_~P' 6^z+Huv$ڡuʅdxh #Mt4}۪iJF2n+r`g~rBX@@@@@@@"TmZ5Sbn3Ep$V͚ta\gҸIE0͘cVcVܳݧgN14>wLh6oXt9nmظ&mܰ|%CAF[ IDATU?ڷI7#0|T} !܄hCcJٮww{uUC5#ٌO/JDFĠ..K$ScjzdMb+efCx4Zi6jA֪ZNҖPoQr欙gNyb1a)}^zYYw{u-=-fD΁Ǒ- "aZlhKaބf4aXVXm]ԫroP(2y"".#{E6 4--Ittt  ǒH[jւ# HjH_AZk)XNFMRa3,:yU? 4L:p7a5f6-9㸩UIGJ,omil]D![=AdgkƪpDrbBl@P1jPC_YQWgG-WI!W)Ԋe)><>B(O@@@"ptu&;3nvLnӤ\V,zhUxR/iTK;(tj^.-]G}MMt^W k,dh %M-I`md}7$+P!c7oov~~$QE72=#gFJӧp埥QJvش\\<ʃZQ hK,xQ̧(aw赌b쩳çs`р|<'!* i_J1o0A֒ܜDvL#߇1w{9A_p}|dg;tiQɭ[G`QZ[\klfJ52aY;ɈTCTPEòT{^cn܂,9AI +hœPEhI7vFGm^>aj>W aSg?MG,{烀 >)нp4W&I ffBkMWv,k'(&Ib[v$6nݴnӞ:~%KY;h8`2\MJaS¤RgjJYP$bܯh/j Rգ4oum )i%g5dY(8E/c lL8;?<̢L賘s|xFԟ( 6/n>ɹ:B_Hjjcg$vq-w)Ver2";K{O{Tocm˥I0cIRXu_>56l[D37/_꾜9_ꑍF0]&lBmF%xa A0Cnܼˈ ݷ7Bvkr ej僧^YsNP"I+ޖ1.E9r${r$]6dN"׽gk.k{;ZSD?ﶝ>sN;!k\mEQAАl"W_aLv.PkM@ RIpYFZylJf~[~Ծ;#豣x!# !cC1k @CѣGQb@[zօ mb8_xyhn>9oˋƑw%Dc[vm2L$]Xb\&Oć(c5[B@@@@P1aV " Qֹ3 ={B__pthxm:z(=$U5#6[J$#qHCQhժ/D_|)+P EƋ.>zQ, cѸJKJR9NWk.%`ٓd酄H%Ha@"7>"d.g0ٸzaʝc +f1(U|gbG?$*MZᎆPTQY0= ϢfE]R A6\PTЈk|}EtݗK?b۩v&tR6FԞ/aZiqnFa4>κ<ABT@@@XbV>}h,ZJ9#G/jH\Syh4NxzR^9IxK7vD։84Hމ0bR+2qr~L .bjK[0+qI "zob+| xb %3Z]|%>/;^X/Eޣ= cWZsɲ%>5A79`_UE~O|cQ֬:c=*'m!?&&pFwլ 2h?=4F_A(ho%7?jԬb`?`a\Q b 5rP{koBIߑIﴅc]@GcOc_ZLr7Oؖ!|,-#]&"[^aҚ~!uGV'"T?+4k-Z4$tw赗IĆb$"J&}I ib xg !D)XM͛ģħO~.^a{*Ƣ2r)2"q^]P0Efc 595y&VzE>c=h%1]54.?=r[MV~~o>sgLgyg2 OJr;׾4Yr5DǥƨFzwsߩS>OD-0}x߭ Ubέ[~JR9oP CC^#=Ur XKoEc 0zx4Fg(;4jF})sz3keʳ6:qi{d<+W#ܲcG2HEk~ˡsIpd'Ot ;o?9QXjUhKbVŀ˙J}q fմ$W;Аm[~lj0Aa7LH d: A U#x#Ɗy^KI0x+Y95Z+<;f7\V۶o+(;#2ҫ$e}1X[lݲ+ `a ͹3מ?Φ3^vyϋk%9ࡃ؉lEZAZF&@k'X2˓VGGN?w,fn/tkz֐H 31E l>h d]Cܹc'kjG倌;MDgΝ]0+zׯ^ + 8,-S0U4>nƅ3uWHhjxp A83fhxݲM+{!S`LLU?{Qzc ha=5vBQXI5jA Bl;ԅj[꒱qizּk;4j^ ֻO4@ 
uhkʃhdzqM_CPn" Ok :BbL(H@@@A+6?da c s|5* ƥ`mqjqk)7lՌԐ'X/cnj]*emۢQW VS+9k%D@S( 3squ`"E֮9&zaBhXu  | ^;.?kڕCC̣fݚo^>#ܻybܝ1s Y@-*!BP%s> Y&D? vtte W|4' "jVz!R1J@NV[}(khSN߾sY"o'M֨!큹pv XQY^퇻UcyojӐ۱Ф+IyQMQOF0bTcܲy!z dzfHZ/i{ AT%a*wt!ksz|6  d`XΤ Gc_AhshJ=7R.;1 @okY)ۯjdW LfXVn2"Ÿh9\rRm F֍["~-Aq9Y )՞f•uXd~ܤڙdټeM*#W a=4")WSR)Js;@BW|qcRBdžoU0Ԡ _l % ornz 4B3xj Դ^1 a&@@@N G{1`cy"};3TO7ۯ_uy+u_;wq/SӁFjq=ڳwǎzj,'Atɲ% F y''gUv(#!G+ *7HTO'/gdz_bnn^m[o^whTX5h>%܀ÙӦٻ J:Y,7* _; g ;dqq3枝';ثg7Έ(ۢop?7X%]'+4EFR%OQOĕC,{LZB'$ u$Jk`)֡l;ll}(4MDOl,ĖHCfc$Olnl$L}Rg9B+VƢ:sWVĿ5U"UzbsO|}ߠ _(n2!bk^Ln>+qը w^,BL#ue~X߫6ц1WN+Uc)PX!|joT2S8nox.W+blG-xԱZhCcJٮww{u|a!eԻ[TxẐg_|_o~JsʹͱʡMԌ!MTq۷%$%P :hyr YlExc] 2(06)l b}J(hFK,;ԥx5Jum%w{u|F;7~ZJV._ f"f{3CK{$e}k)lD6V|2~8x 9" W}f׿B#.]x-1S~BX@@@@@@@RXL#Co勗.&O[غlb]^2K?&ܱSbHgh 93eEдq!]3.̄Ev{6= KšCr#>kIu2N "?-D’x}F7,)3軷ϞK"Jծ?gSiAG98'}fo>mM_- +<lxUÉULXMdՊ9r hMּQxvAiɏl,m"r~|N=,+*`Ab`9 k5Im"LՋJd5 xdP@W)eH$cz/x-.19|bpy3 %/4c׭J;f|BgfKh!ѫ+Fa9s}vt˰03/ GN3n8n.( `ΥKzN21߻&=zkfR![F:9y_V&%tdmVlqMJLR`U#z +(=QR&UY5sg'șp57bD8#v uy͜A>VkG$gIӌ=vpz{Qc~#5;4jsܒN.E&ƐI8 ҹ\lQ( H`&QRX3eE WZcT"ŪԸ_47km۾C{e}%bf9XS;v|7M7ʏRM:~ՂA9t4KKm1r|N(_(wZSOQZx{R1 q(Z+^}\K%ϋb/ֱ>g͌8ub]k+1^@ p?a3+;4OnP\Srs\ )%2d٦|AQ7@BWCbKNה)R4lJApZ/OD"&V+p(9B ܒV/|]5dYN8E/C8Г2Z ܟo>}Bd|劈Ų3q?Y6F} 1{+vcs΁dQ(|aGXk!E@Y" !9b\fI;pQ5P\QDRwjT퓰3fcӆL_1NgAk s,4u5`K 4"Y|%FGO*?LEE;pbז,&ʪ9._8 umB D~ -١tNPdZgZESgT6Z%Aey$Ez#k =:v3n]:&P5&\f]ҏI5)L[!""6]訾::-_4wO'yUJZ׶][pwƭFkي.Zzx>65Wrs쪙W@c!p2HJr1Rp}Ntqi&b$vvâv~K:6Ckm-d!Ug^WZR202nu|_2{p))# ٥1eǫf[Ǫw>zhv+waQ.=Ps_Ie2L(J`ϋ&Wɱԋ樿FSDR%]֥ee3rQ~[8tԱPa3M>+ xըQ\DE"PnON)kQD*"%G3=btbh8~%?LZeSM͹7oyrau2Fr%V@C'@soy'plVM/3(JbvT'0wɋ?3{@,UYnCWAQ%o00DUz}I:g?R; ZmJ 9 Q_);]튃,T(.8oeo~u{I<(sp=^r:@>/q/m3k{{lǮ^p.YQ6ݲOsv}GiͫJ( R D Jŭ[NdebH3wSGL^%;Q.Л"l~ ֮MD 4B܅@E@&a,~IZk2Eބ=4#t˗.w;|<:Ŀe2~<#op? 
Xq'|JA 3MݳwAbsU/ax5$գԛ{v |{^=lQ8>)>,RC|l1s'% HD{tt"mȇyP,?`f 6bWЀ=;:;j_?l5(Z?'ra RW,JV@\|\WMѶ /<"3v25{yS 6cL2VQj-\ZA{]':ቈ(ϊ;kj TkL}Eg-|~޵'ڈoM)%XM:6H깟5Il T҅,\BZKE9erFlHI*)-#9׉ F J-&U)kc6"z-;?MMZf$jvDZ0KcllP!ae Yo)9Q4 4ZK!@WW3?#>I|RKI,c)Wf]Jx\ d+xQ3w-fkgщ#zdPf%鐡CbV,/_A(hY@59٣YFbKc{1_1{4bahr 4q ·A#4DT:G%MovᮀU#W U?fySXl xLab ,+)a-O nZY6zQh"~b @cJٮww{u|aF=-e5x9<¬!.+Z= SAJX 1^Q49'ϝ4JƖk>PU}%5Z(28;8{†aŒ;UF#k@֨o<[h (9)yʼg?K~tbu nmRjM-ckENV[}(kXOcM'NniSl;ӛ9u6kq!x5^Iu!x%|wqP J7(ɃX]bqΣYYlU嘀#>,f5/ӷ纯O޸v;F{˫8Bo.xy5T+{\0G{7;.[[PKQvR;pߩR U\sZS.n2_P#aj4P`jPC_8WgG/W.0#J;Z,eчG$X}u.kx,ŋ-yĤDv v8P=e*(o^|&m~Fݶ=9fnh\"& ##᠒M572hn)ᚎ7r=Mt"!М84 r9M:9+([ʌ9+{O-ʥB86"%jKB^Ҍ=X<0Ol)O.#]㾦s:HJJ&=٣[}] rG.5#PΠlAb@{ 9:}1}Ab6! XcV3WC\ej@#h:gcf|׫83πu6b јuk ЯH77ƱUcwrLKɿ%۬ 蛔 \%REWKhuHvL,UYϵPsg'ș"whF\b|e>[b|^x@21-;{,xe-D4ँ_AhF<0qDCNW R;ACF<۷Etr!cB$X|KzN21@2,<̻7x-^27 ~#7[kvC>`ä3f0Rk 1A%RL~kg$o-з}kw{]$nv6Rksje2ò:wwi"0֍["Zx$?`9!M !v-^-˜'2m>WZFwQww&*"KW,MMKr @p3s&ӹ"*7r ~~~ S3Μ:3"$+  wSӲ<2x!W6P5psV[o7|(z)rD a;kQ\F&Аvplap w@oWׁf%ػÇ m{ ԃAC&#-!_axyr[R2%bHQkpfz$-d3hP>>x@NFix6)aR)|4YH"&V+p(Z=JCf6gnxZ rO+OrNӹ>!pX'd$n%hpg5||j aC vZcw勷.tYԫW;3&t^z$߆Y2K}Q#GgwrY1爺TfI;pQ߆"qEIA.&zRF}բ>.9t&N*WWs0Ò.yжef/f2?ǘD ij&aבmrhN5|*%_A(ֻCBƎzjf_ eUxB1=YogFF703bTUC/ WY'GJ<"{'B m݁eDYV_U/蘼zIc1L</ѣҍgT|%>/;^X/#6,پk{{,[([Pͧ÷M8'/U{?dTd5ΘxIAw8l=QZvnӣ|< 4tlF%_A(hB@@VDcxؿVzk7>gwk$; aKZ\?-ڛP4"wdR;BCu;\r"}>lEQ{O /ӦlvjGQy(-(Sb nXg_^=*Dٌ5A;O:T Cx*RgnĞE$B [1a`}gϠA{twtvdM,?`fcs 4-.J1&HޭSXNp M.FU{ /<"3%d;k$(q$ء򋉲|vsM)>%͇i :!ש ODD~VԤ4f[ 5v6gZKHk  #S $cQv`zw~MC,0B!"&VzE>QaO_OtאR ͼaL@@݁ k7<#>I|RKI,4 l .^&wQJx\jZFzwsߩS>OD-0}xߛ&;؀ U X z`Nhۯf: 9.Zm aiLo:Gl|F@ V 2PQq 7j5Y 4X想R^kl_AXFi!>Gݻgo7E_-lVdccuZPjz£Z+eHK%5ZiZ!Z^.]*lhP<<[m؂oKHJT4tbtKV~?⋊~mkr7 s d4|EKR'xd8_ǥh{܄ IDAT3UwGʹhBۃ@bfB"G=kP!`ϑ OKڵºGlm5^ݙͅ%?XR,οK^Mh[ .]taTB|\/rFduVppFs-%}ȱ3#ts箝Lapǒm۾ nW9y1`#G>z+p#n. 3% ԩdSZ?o5t)f,щy'lIV56hjx_,o5нՇV|:ʦOm$6vvP JLo* ZjJX-X$@Nr/\Aqƽ.^EddNbk_@:~~\?~uq"PIFfZa^H|K=l^yef`ءOHrلN9C/_[ &9o.`-ׇOF 5c jPC_W:;I)Ͽ. X=e)þtSߑ,Î(%ժs@MaëӃ_vT? 
Kx eKP"58ݒ$4WTt3uU1@HM& ,h^!# aƎtvY''ϒ?y_FIlU+3Pfܢ\ FI!`!R.WB m`185-t5ĥK~}MMnϏ=F6:Vhl7Z~Դ!{tgfV ~yzf% a\'ԩ.}&%ñ]MTrBJsFv*tNNޗIb >0D;{[}R3<[PɈ?mԎjE 4*W>;<;ybGQ hK,xQ̇v -ۆPvgO>l4p+z(1B}&×Ռ0Ӑ'=mr Ur׫8Ϗ(KLLy]uqLk}R7ZZ2Q4{e'bV  B#ԇ8dLȁaaݽgx-^27 }Zóf吏KD,M_jꔩ\J=b\|KzN21ߛ+ ԣd.x`[>w 'zL.pm$o8<րX}CFgWw7iC;bfɹޑr5e.|2 z=JOK1w?D(U8pel >@ -z5T6%L E4a0 I6__j%PGiL斴3tphȲ\q.^>é G߀9̢L4ө8ni*ȩ?Q;pלOrSNӹ>!pX d?V\$b?U[z5BvCJہB9u&5-#c MFEdi8_>"dDVfjj4U>AE,)<>Gr4\OC {/\{%0vB[gdf\t%a>E q(9sKaKS~ mWb7*iԧ_-#IgRru^rؑܜ1cOw#6,d̒@ֱW6fnݻ}yqX4󁽻wFDF&"<aÀ4wŮt%% )7PP&(bs=>beXqmqap!tO'55ȱ3C9fb!ZPe.\Fd'ȹLGvml)OD4eKTJvS}-%;ϟ=gM4-O<Գe^NR&-B[#Pt(nF6&>\d2 &q.!>tD$uQy;f^5AߨG-"wI)YS!SJ2;c1]eC&$rw4/|1x`aR4ѣG1m۶~ԣ]ۧZ9 2})hzz:kũ dlݴF[϶ hHpvf6 gw+"dFKke)( e() &*i ]7Ӿ;2s1>>G h}/̵.tWhk;<)g޿pCv_^4K(`[vm2L@z#Ҩr)ߙ렮\n-`YYY4WuRPDhKR"3}Y!GkD3)fD!* &>sށ1osػ@k|kP(Dܞ!R`T˒J{_w:u$"f=0+ loB.~(lƂB4$af8(۟~*d>G?$*MZP,KђK^fl<uz:K`\n7r٧XYTL}~P#FHڹkgL'nctAֹr3>ƹ FS- B#4@M 4Xb} 'P-l d'-xF703BKD։84HމP-v6[-+xT+0:&ޱzj`@`Ҙzw'Z2Kp=nԗnr>yl!"WY5u{UN ڼC~LMf1NR(kOFvKPYЅ"Y_,b欙AgQ'w5L^.L">PMP$E5r E{h*'!G&U#UGOt;\r2_op?hr{a} J{O 9mꞽ{h U/aŽ2(Ơڱc?A4Xޫg7XЎ(1(Qw]g*^aOETۍӴ{BDHYdUy+݀><uّhnw FX)bX M.FU{ /<"3-d;k$(q$ء򋉲|vh, S>|譝ƠrDDgӝs`jӐݡ^&ٻXnPd *$EIjR”kn)h XNk-!2 vq^a{*d,*#.,8YDC,`S]:D$>Jo۾'TA+麯!l!y5B^Eԗ(--Y| t5dM0wfgyg2 OJr;ienWɝ|S%b<.5G}5k供N}"j^#ބ08G^1ͯ -z+dvl>X 㹮 c 0zx4κf8nwhTX5jG"( +Q#l 0 <4W BA#l=@h[j-Rh@c^ X)k,r5Zc ZWrf29tnB~FGb/F.<R_RnШ0Gȯיfii;A@@@QFب*0쎦@ZY BU؝=u<{ztL"} jO?'Ϙӧ-XNJV :~d'NAb{|s'¬bP ͥ ,T \8ui:T/J~&1 {E9Q޸ic>l"Oi>`plLdj΃3Τ"#0Ns/7r9~A8P뗮\CfYh䗒nO֒ܜDvL#c@QI潜[v4?KUX>2xI:VꭉB6l`=߮Z)RMLuXVn2"Tx,!՞OpudiM Z)X^A*B{HA@Gm^>aj>WZF0bĈ$_H~`JھS('ۍBQ\.|%a\}||d ͋gÇ gxA(e3\YnrG9wFyl4/k6k۴̗/,8heYG4DE-_M4xRU%k[lH/xX,6rcp•8:E_9p"pfI fBkHkMWv,k'(&I`4eҦM\m'z+ח.YϠ#00eH"JæIhՔ-~EwQdB3a[JR;iȲPq.^~ʳVԽU>.PeeB-N=ǍwOkTANdɀ|s5`;9KOgd8]d4fOW9sp\;.XÇ vY>\:IS" [ >|aa?!kdlܽ~zջ޿o^|[7hT)L!FJ=aL"|F*& 9IqY8)xRퟜDjĠ(ispz䈑wl'ru @vfA@U'KJXZF.O]5|"]LjJ6!⥋\ o̊žAtp>jsY[if|% )7PP&(bs=:XX^,&k7-.,uμf}ҕ;ϟ=gMܾoK8+?=aa *1 8"jQB Wq ?ĸ/ .HW^~F$PƀQAtaDa|i 
qfO?=N:u>}odOFo_ʻt6ǛoV?z.,|GP[ȻQ3"oKhOߴ?Wgdd_:;;S3a#{c'KYEJB"7Wη9=rݛ|RuV1HѬE W |'5VA,Z(uWRl!XTTusC_/^.h`TB㕂jr:gN*2}ga08*2  Wsgo^ ʌX/K.INUDh *'(zydxĕ{lHIe%$6]XTwVU) x{1AһuO]]yx!ҋ׮Oa81Gɰ^V8Y*_qҵX)zAJ{NٙKe2dFn0؍2RNh|[kB,(WeDfcos$S}u]ʔGܯϿ/VSK*kvwm PɈdz:'"ER|(ufr0!߀$'2#0h}r3u՚Eo{s#39gFu).G%04>}=tAS zA;ųcǍ6D7֏  0 z5__0ߖaPS FAnߔQO b6Mc0p8! (sS7؁$'*/\?WϞZ|9VwV5t=U)~/ȓ6ūc6(ox 9k8 ]g.IϜ=SpMpoZ|)&-&S쭬6n@ts_C7Uxްe}!Zk1t{.ܲ6D  P \'=tUkH;[11.*}˄bߦ+8B|iieʠR52K`FC3rݧwyQ#>/=*)75'ꍧOP/ 88(Xh[D|%(fIz.XfX)à $:x_~*~kc|=ֳ8 k 9\1`Z&O0nEru7{.-ŭz[r}3y;6qvz=*{)ayAN;FSBC-ujǙ qj߁}ϝIF )qAнk2>Hׯ7FVU IDAT䌇?'G7Gp2~S%. 5؁ @=KaťΪQe_ N}H'RT-w$5ixu[E 1AfW˖.S9 IN:~ٲ*;l۶5RϮ% =x`k7w&|ӯ%* ,W/ _$tISOݰ~\׬]Iʷ8IE/)L33flZQ@cO>FRmƢD@! GE" 5 @ FZ4eOH$cNLk62o=  Z /6/k K+~x×aq9s],+㜻J}(N6Bg?"@ȍs#0m``G{[=#;q^ozExĔ>.b["bКF RBW-Dt_GhcpaeE\ck+WTY7Ds;'^̻VWWua#"PB1  5zŪij"֎N=6+p,X S`%/ mNuǾ+(dw&_XVqckQ5oI  |m{?P`ӺwMw\mN]/%fWPQv0-@rK9[npꕌCFB]Xp/RۭW+ ?*|YG>,X_7ϠAʗ+gg֭^I8;o7{I~(AiXwʪ8%6ok!h>6UxI.]cűoAW0 K$1rU$Ȭn71N"|jŧ(8*Iг-npdJUPTlʥv}FLH6&l_AwDQ!.rn#jy? ?ь-ѪPpQ%I)“ɫ##")S9NEe\z3DFDN3ӿ&975_k#VBbӅYSml}FL~ &%Ua 321@GVq Wg/;n$9&꽱 2  0 z5[!iA wrJ:rHv֏3thW65$8_z "pDl!k_i/#>|D*Ȗ;:D9cҡ4ċܹ{;{6Ҷa| )S /=*)75'ꍧOk1 "B-F%;S1b`k_1Hȓ ^X5z!RIð [ ©!7 ؕ9H#߮Q #4 V 8g*=ۮioX/(qtuv"Cɠ zR=Y~D׎"F`. 
"wp,ZԂ`Sl|!BD= 'DQKĢ}iHqp@Pڊwr\ѩ+.]8s.@d6ʒ;͟QcY&4S_O4n % &FN]8(?#?T>k l*`/Cz#L_aIV®e)֮„;镳:"KGzK<\g8|Ⓟ]'a , i*1k"ĎbvAچv=hؗ-}v*Y:J _oNu'}i<ݺuu'nx NOUy9@8x®hh9 lsUaH@*NV(d†1zo'4OىkNdmr`_ VGP 7؈k|a}- vmɹ3?ދ _>sm8G䭾ݺv [5l|Fd`lO/ϣǎ]* ;9_(W9jŪև "L01yG2oamxi^ 8=v Z8S,^N-Z(!>ٖmc0B9bۤƘG]ٶ}R;*ȟ2踚eǻugbb=񇛰C_#%z|]kju &u?uUkX+?<}4==9F3 *d&zk4KF[5_GO6w15"qGbЂ ~"C#fӳz=L; Duiiޣ l8ÜS9\*zs#@-[e,P%IShq1\~L gϝy&Q#"#uRt;l[ByRiyk'Y8ܹ!Jx(v' G Рz2Ü5땩lm,NfTt,dJ^PݶƁ4޽{L22#7B{Cy)G 4'F>V.(w(x_^tܻM 夼SZZJZUUFe[oAʈYMC5ߪ:BwjŋnjnXT͎߫~sBɿѓN@N?8/R9;%q|JLۓү _c2-5%;G=+nOܮQ f`m_/ bQOʞ0SIm_X[^-4.>nI8n0XA|]:S WVoB:5_e,va{nhH膨52i4ilbmu  B\X|_cL;*`Bk̊ؼa iή3(/)s}zI5ֈgbɞR1+[xˇO2BBw܋ӦN9¥J?y_ ~(- > .[02/̽p@@ٙV-Hj_OKFe)i\,~w4ܕ7\|-pA0 fkY0ϊzkr 0]&H58 R.ľp*,MM(-/7JqV<ЭCͫ/D^Rv"d!;BVҾN{wԻTSg{6܊dS<[5_GhcB;{nF2xzeʄG*i'?c;ݭoqAO<éGB6ԃ^Y%2e}5}'R;cqc0XNo߶E32@|7#+KSuS@<G#x- K/i1 2l kAOoȫoY0_F܁Q+ErO4S7 fHR}iq)_s%-@G-aav _elkRFl frlI*}elм :zRt˨ROi|F^^^c{0@OO, hȵ0Oyܰ9r/|zPx;"0k`|!Ž.uy jNqj` 4CGOpٝ{9*|8w*L$c*Hl}c0OOІچinR=ye˥Kw6^eKv HҌ3U/)u,)D aw6nf !F2% ?CRl\,\Ϟ>=Յ|2H_ Cbӧ۵h5p鍘M1AKi\ڜyC.3f {CĞv2IIſGFE5k(h|P {u^xZ:%.ٴyӄ 큌8~pO羌}5k,m[eQN8mÕQsNx av7/7 ڶf6}hVoa֊ם#|(:]=95ǟ| /KoJX35qׄ!mPgZYjˏb_xv츑O1Q <=8ogOckc }k{pO/u&ȡ<%"L4pМsUky.D@Y藿̐C-h"3щ_nY /wȾɔe+h\}{A.ym#B^*'Ө4ʊDGn:#}r8ya~;}@/rPBY|Qf?3 ;Ox;xuA_\+ RA q(1{҇ƦKsaߪ:B#5ξ_|1tXB D,"Sc, pߪ:Bu? u9q[ND@A#lWr%w42H ")|'˘{fzalD IDAT@ fb,0}w0V/xE6ڲk[#YY궬#Ĉe,Q@] 'DQ>zm4}HPe^ix.Ȯvߕ;;o|gO #B}5ԋ /Rp[ zQlf [;ZXNjHmYx XZ.j$@^#_Ҫ,C/;:D~co 6tpq{ˉ0b_GuⓄCD@ONlgpԓ~=5S_ 4n % &FN]84qKÏ ? K׭r` 8B9aw_G.saUA.vicJn|!F* #p󶶶ml欅 m_0On]|}ޅTٜ < r96F)aTM"opV(d†8^[3ى-}vdm}6|mC(Ʈs giN ptB(l\>q4i{Ly;Cd$Z>,[]B o=Ʌ;ٞ(:\hm} ?u׳;LB`!ֵbϵdbM7|rЬ#BX6|RX[:#psM7e9ZK$.& Y\H &];͙myyy~SXSZ -^lK[Ё]T lsu5AI1_mL=q ʀ2,~{PwjmL\ò?pbH.@HRm;N^]C5[#&c ,L/K..%T+9Ӂ m @M|ܙs7x͢=V;Ÿ !0鿔wl7/߬~0>! 
_GH#\&H ;u:үf"(J=q&]"PO npKSHs~w4ab]8owc|6bbD"&󚜼*0]&H ; ~B :/\J:;s5vڳ['OfU 0yB7I:3+ V= mDkܩ3TJfLNεr=OF|:B#}8,^vxH?y|T\|^$`ae4+OvAZ@FVK* |z/Z%!q%-i6ݶ⌞ b>WyXcC :-ˈ;ȓHғf:}dU2׬]Iʷ/-Vu!|h,YJ~:{ƃnM ~nʿ缠e=2c-D{9c&TJZ!Zll|P#3h^ a}^=)[eJ4l@̜҈_Ghj͡ O<éGB> w/ýWV5| "*v3{Jݽg S%X1Ž,~kن7U%?&?=!BvkI1*%N?8 pw6^eKv HҌ3U/$ [O! j)|k(L[W8.ӧm0;68(3  4%]s Q\E ҕO*e&9ȡ;n+D!fڽz~S&N0/ i틗r}P8\\ #VLݿT{ ]O2흉a=Y/7%pff4Y_^G.Jݕ}$};E᫗R z7}/L]uV{;kc$^94 l?u=)_w@@Ɓb{A Ȅ ’6+Q:JԆM.#c5-_Ghc0en_xv츑O1QDEF9\O ࠰i 8/c_sz\0}AsVY7w D'><ט)l16VRWR'}A(퐫~/-˱moyE|r/p1di…o(jυÚy(Q 5V-(]_3GFiX("  Qsh'" Qn,@D 0צ}T@0/E(w0V/xI6ڲk[mne|b? ߡ5Qmdl 5Dziv!FR" f"B37 "[wQLmi6ժv)ʥE57o(jšQg9~? *֯ :ٽlغyxm6VDt/gPQEZ *.zKu-BT > |X~ B]o°lO/Xu]  ;8Y{jA+}|!]̃ @[U IFဠ(x ! u#ĈP6D~ څafjaCXNjHmYx XZ.j$@^#_LYqAȊQ(p猲GKvut,L%Ustۧϻq]G+H1"TF iD,HݝhrFٜm&d d/x`֓XOe|OZn|*5Zz6BOjL{=_. M*v}ݮ(3Mfv7n&$xӢW#Ĉ g >tOY(cm@[[9;m_0On]^SSgs2pqƮ\f9 nA tUaH@`yZ @P0FX/扣";L{FsK6|-UiqRo)7؈k|a}o^!%Ψ*XXnq#}o`y`1".Y gyysls^^6~ūéE%'p2, tGvCoZ6)*a&5|g<ʶBQA0~{PwjlL\ò?pbH.EKHNm;BP^ :jRWMS![:me~xi*=9F3 *d&zk4SF[5_G!9kL8#%nxiqJIgVᖖ:ʅiyk'CrRh? } Ȍ>yA!4W"Kن%^V8Y*XqҵX)zAu3z3%6:dȌ a"c3e6Мdl X <ܡ}ymr6)*Pr{Li9j)jUUHߗ e[oAʈYM/`׈;QK5~_=vRhE`xC j*/}]ĺ}U,={++*a 9:'Hjچ38 [i\|ܒ%p7laX/(t ­ޖtj jůY{DixǻwnZCm.999QѩAP6.f\^ ąy[ZԱZ $PȼȬZ VH:S2w;}ݧw˨F<[u+!WU.^a$vI<$!a!\xҕK<\>pFx\SGyC^VȵcK{NR%I F؏?bDjXtLtSw|=0  uCFe Eg[Bv t Ί<|y+ZBjَW #$Bv_(ڊbCiz u 1װN%#٪ۑ#Tk' Ξ{.o[mg/_$R]{n`/!:=RԔ=x4|J=q;ͫXy0he%W>z߫v&SIIzIpN8x `A.#&@FVK* |.^xKBKZjӶm6m=|ӯ%*Ɔ@t[+̗wkaHғf:}dU2׬]Iʷ/-.Tr?%!6=̎a``\ -yV>|MPL1_/[ |)I"/K=ɧU#Ga_ܶ^]O[p럿 ŋ>+BRt;DGc C+{OòcGŧHۼsuut Mcޛ3kX㴈'suA6WCz~ }zl󱁪ţ";esT[{v0UӫO/)J*Hl}c0OOІچinR=o.\.]ڽ.[C o@f $t䘑 GIQosfI! e]V֌!"d؈Uag@K?ŒrOu! 
x|׭c}ƶX>BAvB`rAAA`q-< w~3I ^cnwMgy8  K_n!xV$)e?p $FJZFi6P@›=r=nnnB>6pE#agF=v`B)$t0Y;(iETC6pbOqZݸ-q;TѠ^XwJs%3lxqŠ)"ByA)Ԣ1*uyUr)'fv?jrUYlŒKFz nൕ[doΜptܷ"B9!`#'P8QI-k'G3N>͹Up.7/HRasw$G?ijMtmPi B @Fqq_7C" GSؗ ,i"3 H+e{_}1^1UgnG] "nxzaL~lƟ?sLz _~)dk$eIr eG%9s^<_ΩgKp;1lߴ g=<<䏫322 Une/계>OՇo16VRWR'}+"4QWI[<Wl PNg/ȿUPm٦؏uF_gQ﷽-*/g^\BpPشiЉJ#K~՜s*z5/cu*)~ QQ=&>:X('ܢ-a_V1 Aߟ\g 0a->| 5w"׏ AVrc6pHX]IT/ӯ L1}#_Bpմ:;VңqSsxTG&T.l̦`( ))ÿ!7S eLkNF܈1#" !.(V@Dul"֕҈"`}+if֖]_snنuͭ 3".R'Xkb/-V @D2" :BX1D@># "X,-bD@ J( "`#KCD:B>( " "?;_fD@ :BE ".Ě֏.uFXB$⵸աrT @{C]8BzQ!\* (XxdD! dTʥ+3ߗx}$4r(= W4ƣ pf{*NLY!@`{f'1$A|O~~)Րm%|J@F9B sg=۷W۶ҳ×/ ]w`Ϯ=7n&^H RSsB+4ƣ"mOJ~Ϫ0[zZ̞T{oNCHBFa^n]fU"6DP~e^T-Dlڑ#-np3r%V" .^H/w)H:"#4^C+ً ӰQ}A=@- sZC]VZ~qmu/ɥk@Ҡ0ZD"j e#`eNHX{=<2"8 O}v~C;ؙ$ׄKV1|{Ax&޳MF~ݪ»YUԓ !ܻ-;!b2i7JZ ĉc'bv1o[#ױ@ #]ܲjrZlŒKFz m4 F/9. G؉;ܷ"B9!`#'"q$sy[2s%l ZY3 *a=8*aǎ /ԃکl҈"X$kT1 #1lؼ;_JKK,g\xKe>fΘ SO!#_pn/r a4nQI<@ٓ*i1;>m\\9|Tlg'L=M9S0D`ED~6nlSN GIDAT:w4/(p~{Qآ_z%2¦LNTY s*z5/cu*)~ QQ=ѮSAY yj榛/)v߼u3bА->|@~DHҌ#=l2fHyoLܦ #ңqSsxTG)^ 0XqX"s`*o t^(*D6#NFیfDD0Z "t D@, tvA:" CaBiD@ C]P" @@G:P@D0\bacu,˫h'#[L;iXMD@vv,@DT@Gh*W@D0 ; "`*#4+v "tF ED0Jp+dn"ֆ4̂ %!!:KjXD@ڀG؆Z)gituVѩfDT.:,o0BW^dұ D@;B'v $XV=_q;4Dq0gtD@kT-]6u/²+_:w\lzb⥒a$$,D&q#-={7cI=n"R@pM'(AA{ gRIR&jE!@D@vOtE.I.ɻTgמoPO̝=7/7/\n^ݷnʿѓNV^3S"-5%;G=+nOܮ"T" @{tUVrPBPb>2]+Aas0dzhK? ؋ 4,SE >%6o\$O"@D@v1FR ;;{f;ؙ$ׄKV1|$=۵ԲJh9861:88TITU=(T|6x ׭*[gؒfRFDЂ@3wh-9T֑,a^*pL, _͙s@Xb%#=GBDq{Q_XQQa')CDט=M>r;k+G$U\H "4@;STT-PGHRZZJ=;WWW0@ aglwKpT;I)k9c /yipnosz7}/*m4$eif.#" h!;ҊX[[lxp0ދҳW-q؍mAYNer r4uM01tA(ǧD@ ̟SUQֳgy'%$&DEFDNC*mЬ" dԜ7>6Q9^M1Az-#zE %5%|u }z5#@hG]D@ Ʌj""hFf\ "N@GN.4V@D@35\D@v:vr" @G""+W4_<<tHT !P }1E" v 9=&9Eox_z)^|oĽ{| $09H#"`^X}|]-?w2㚕#ҿi뤏WAѱW>tI!Nn) /P@Lˏ7nx~gy?rkѡٻgq8@@nO/["))2(tԘ(&o ޑYSL.ߛ>ߦ썔϶|#:0JgrE\ܼJΝ PQsGٓ&8?Yw)RmU&Z {ONNQG@?_/4Q.iD@LӧMʘM1kLmmckY$l~I]ӧm/TWX}7D0 ,?"4`t#[Z4@"`eBC ڪʌL\EN}ubDM>tQ2ZBBHͺ":A @{FFoki,)=uFDt!P/FDk`, 4 m a֨Zj!!0MGS6 q@ i#'˴8̆s5bF܄ 6H!ѱ6&d9m؜GvɽPV@Dd#"tƾX>" Q@GhTpD@c#WGD0* ? 
"`l `" FEQD@:Bc_,@D#4*X8" Y-IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/26.png000066400000000000000000002457551303637203600247740ustar00rootroot00000000000000PNG  IHDR7FiCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx XWߟVN58NLT4#jG1nx8/ͨhqMhи:qIzFB=jni{޺˹nuթSă_@z\2̧!L weaúl$q.p+< !8\O7nqhO_ȴ{OѧAXD|ա/ūƒ‹1 *i./J'W[(j=!5X ki啕]\ciGz}^DC@@ pp`Mc /![V~kZ# [xVD@@ % ,ʘt?Ę4_X{ wזXC.Y`+@yPVuq}ϪQ`U՟jO ,9+WX&;tb5UH@@ T('44Gzx3B[{d;]pZ -U+cu.IdWU6\jXQI*Q@@ PQ`c1eʺ%֬U/ch嶯%9J|WUUk” 0H!E8Z&_-((0ED F`u:.Ōnwbm3Z%9f%Q&9f$YRm^ʺ#psl,?yyRP*X,. 
UKݐ fcقe3~LuX^s/(7YƼx+>I.pjwrRjldPm ,jegԙ@l(ţBћ^M&b mA4KqGlye0?ZV:(* }o(BZֻWb+9cIy 9&0Bzms R"{Il޳N@qneV-Xp(n Ƽnuq~>C/lR Fe lȀ3*ӱ mfXyY`s."kli[[FL D74Ƶ4-HVₛ)D"9^E|L,Te%Y#B&eYeܩ6۔1q{Rg˫ S_B`` bG"0(|$JۙڣyhGEB^0|H8x@Y|ڷk2JĘrXjT8欸$.G؉++ tZv 7@9 {]jyNyΝKLJs?,\>tU󽔭歚c2_5 lu- [JAg$.&&r]?o #DjGS^FJnRM?MCJIӤ"@/GMqXNnjyzrTdQtZ6MLD'HX`(oۜcGK'G[RVVsG/k͊JZI'2ʼn*cab̍J++|0 ;wCcdܿwߜ"wTU>;u'N~+箠}^Z.|(eLRVGdPEYKJЖxlelvYhIyO[1q<e2z$-LTsFEܱs(嗶'U~Xo52+Έqr,Ld`9R(^%U*yD-[UA(]~pCq/#dcqy|yJcDZ;* 5@U<꘿1yf"ozpIrx/1kL|}{ݳk-Z mCrc)|T|.8o K++aOm)G]Un!#*"@tH4 U8'3OJn 29sfLy{ Z:f:Mٸ_ΖEa͜5xw{hlS7*flD+b=ڶIN6DN"I\nBsxq<%jMvAM*2m0UIU؟_C?Dz0\S&O1Ke:cquyYqee|W#$9CbFH<d*٫o-*I# ϔ'4+Н͂oSǏH#VKbL-/+ՠ*b%VVd.UV[M'iɉmV.QA(pC,۰j|mȓDgDOfZtO##Z?@U/m8!8C0C [PG$.mrF.=̔WflR|\r'OùWqFriF=O!=E[O#rY> d̳"fX &BP/s>#AU\NOcR Yj_JM2_ucנs6zW|OX^e|+p˦-5s}Y!V )5 M=-*D@VISuqIEB?_16gF(**/凼I; k40m4$K@/J Usn]]4塃t ,x+Iz\2(*d,\x҂IFK+V[q.9`Gܼ8/6ޓp!_LGHk%+ZBׅ1}6oRUclJxrJBlQh\+lp`:S-fĘ{&{]@5TK5 luV!!lت]>3aʼnO"<,(,տV5 \ YĘogqT -/36+BErV$^؉L+5jXzR>ͯjdSS Sp@@ ATBI gUW*˺%^l>"GVu\%-mHY[e&Wnā 1Ctm5(kyx'Pm+FU)+geR`A6(>IK-=/;V%¤cxYʾCc:g3O,@c:DP>6O^Ze5G੧σG& ;xk/Ţq`|zu+u7W =i uj5d1<.duur)n[XF-nʘ j"ъ$TIǜRj1c|r-Cp`֏b^<^ Cp `I[`G{s]9D$._<$I@xX)ZĚuR"H k }yd%6? 
I$X#{rch ܧ' } r Ԩ(嫍dE!A!0,M"PBzAXbdsY86zmF-jy=?m%W#ழ,O C!_:~j)L/+ ƽ'(ЄVWi3qx`Vˉ\RE+?oEAm=ցKhYxȗ,KAǮ-e%Tim}F^ގYqWVz8@l R`rf]?qF2Ynͨ%=$}?}DOW {1r8>O5Ĝ`!Ryt=ϙ=NK=eKb\EJ=Xr56nǎm&sRZ˙}8~ B Ux+Y^MJ*?otFB@kAp@R1{l,[ cW76U,IFȗΎ~ XyF(**B>c9oΡO-Z c+"kYZ5E2mqC@,d%ç}LXQT.JW[s<-Xb*zTXJRѓJG{trQnB銫XA}?( % Y8v4EXƏ7|58(\)מeݻpq|yK)kҸw;4Ch|~.DJgEnu(GgZ @3rpvRQm/12"@V㳘sg(NRZ<>0mN%AHo_SbGkONU2ZjZUG_Ǽm0#ecgKVSd~C@@O'r)k*X_ߞ;##eC]+dE%TJ- pd}rU~EeFILLCn<4"Roq /+qe=g3J,?=3KNuQ2L:[5Gv?e\L-\Q?eS7}jRnu'9E٦\CgWu*y{s&RN5'}6 'qyy_8xM@mhӦMZ!LiH`nW`J~#, hVVs⍅w]:\| _7%+$-q)M?FG\-ɣ=БG;)b'M>uDcuΫpEܷmR'˄q5iB)txor/0Yh r^V1n _~YgUߊ-]׳k"U/L0we8zRKPS6}_0+Y"f& 덩`5#ѯEcŒ~/gUŚk;xOWwI;!-[}eJ{ͤ.uٲ+qmk2?dx@\:J[V@xi 01G|K3YQ:v:u$]/,pQ3 st91vzEKJ#]zqkeճAn?`g:֡ v @z /O ~x{C@m^Ci 2N!͕r5+*SO v\5‚S~嵭љ,66] Xب#C>#^'r{?#%3DWs5,\^V+&HIܦryܸ kVٮ7$K;ms r5hI"i3~jʚv߳ƒK~"C)JF_w; KV,ASXQ"zӶ(,(p?)HڶM:{nC I +T|ICV!pTS![[iFVBN|XڙᮬkoH:g<$Y`-l'~HnJdbza:Z$ms0lqҺ gcDOF6RʟDFZ:W],̋fr%Yؗ9OKyYbIwĨ4l:XeeV9k5rJlŕԀa?YV "QF!qA"_NȬi7vN?Mǎd+t IDATcF_V>KOD.5l$,]NR5d?N7sBi5U>bQm*ʤvuJ 31ce7b?,_@3njRY7> h9Rf3o-Ty0 0%066~ A̰]hrHZ 6lƂecK؏].XeExڜil1vX _d-r-^^Nȸ/%%'hFֈg;&ZѠFc&eN9V\SnrOѥm2ۡCp7EH[8-k0B7IC{~a0'o23s@?|H5V*Qќl |{yBlٴFڄwm[-Po/#~O vSw*Z!`\lNη5&9p^5 F}AJ62<20}/=Mr|ϥ<:(ؑ7/m=% .__{2ݧ sKȓ}"d/UU~qC"VX-nDUXsk(+CGn\xV!E()͞G֪Jil}Nk9{f,w/iy勿a@ hY\zsӛ{'13>e( ׺p")-_uiUiًŘ2@ i[< AYK"[=pVYeܸr#fHn ]Q\]mܗ|`]ŀ)BY]_zI=Yh zs`GrD DKVW:bW܈&g\4 \Ha>M1*&ՋX鱦TjRU~ QɊwp'Zr7r FZiObV^=5lȮL\<}Oé-Y$ki*kR;]}7&_v+>hEULme }q򑝸L}ˆjX$=s_7z\@0K |.7h ;JF}_b{C[Ҝ$w؉HJH9_iًI&ۯrG\;SZ3?C4OKcV]{*T 4t<̿[avR"B"*9QvvtzA-)rLrg̴}'BD5@.\'HX`+,ʘG|Rچ\M T3-j&wW~FL rx=>wu4&J*elθ_nǥKWʛ; GLdDV e! KWn"vJbd6Q_n!$s>1GGb٬eͣ;.˳}70jʡk3.ڸ~ۄEk$$.a!L@ Fu" bn\G'V<\t` Pg:9m9?δkLŝǷm׶$d9c<>Fr"Ȼ-ݦ#g&ŗ,ðp5))T*wDŸ́ptQNŮ?W'v⪎̢@@ jոZXnd~Ue)LMjErAce9s~z\r1֥6C?ZE&iqp;ܣbō{m4ǜ{<9KX`3f@@ oG-֘@UZv%c~;݌9OjHYV"+LW]c捛I ᣗ?2"R|Rygt[MEiW+W5)SںsȾ-Y+5'X4G"voDhʘt?Ę4_VD27Jh'HXz"^" $ĭ)Iڼ6>XӦ1Ӑ}gE4e<@3s I$0[ K^I\1c|r+F֏b^j7\Ơ4DUZ8mJG:ބ!5AXA@@ P#b'.GE-XV^ьGfZIu$J"9Teu'RV?VKa>C A{ZjySi-zƒ&U}ԈDU}VUɤX8m&29&n\#? 
ÿ ӂ?!r}VkpZv %[Q9Ui 8ȷsoc\37^GlMNoz vӿح@PEX IqH.~6fOi=йSMO}Wn'OhО?O=-b(f]f@BIMrI+sUG\ÖW iFwZJI hǮDAW Q`d68j/mH:)p4Zi# u"I\d\Q]*ewOnLFvWR^)W r9@uOUvX$|ݐ')12H1Pȧ- )d*Hjc(~ 0$zmMcݒ N;S(H]f[8LjO ܇''qV9{mq{[a:7Gp }>| %bR^9Ǵ"x3 Kl3<6Hc-Fa}:@+ET56?-ו:/+j= ";͂?GXt lT|<$7GHe^'sLXEJETy-=fɢ%ޭ;K<#0vX|EjR7"xsm$,Z,+ W0=Dd!a6e96i"\rqtF?zi`АKLpvv̡ݣ[Z!UDORV PD,E5(Y}R@Zc Hy-&[sڒ]oA4nOвM*[/.nz\d+/Cmii]e~c[{,eESXv9v[nZaTh >Y ƌS-^,,".,%(=7pe}8ŧQ|2{g6{c]=Syh.Bv(--ʸ\M1cCK MݜK9}y2o埶3,A<4H,f_# 0i4ҁ_ ͘1oCH%ŶZ4iEF~xF %\C9.a]o#7lZ9jUuɼ:W#`.saYIFU+GCwQ'd?4>p>?8mnF}`ϧo5輾bXzYUKWa˦O52'<9 &WK ?m+i``DϽTI2`LaV^y,y!d|~у?+^'r%X)q_R")D<A<ӈύJ/+;~ŎC9|xEK/_Jc͚sδ92\4\ofBօ,S1d~44ļ VҜW~q!+@nLfjR\GVؙ-s0\Q(}yƸ|#rZE:Z~;~̬>Z&J_p2OzvHp5i'Lkems F-=j4ܛH5 -OC˸X"\y5qXY*NO_>@v( W._)gYYǍԍ*7RSK_LYi_|~m\at@.){~IW?| YcyU*۩c'ګ;V]])R7y?"<, ZZV"__!H%9s{[W| VyYUs+e]Ŷ/"X|˄Ih8TF!嶩6XMVZiOZF$$.O(}`ewka VM2*?;ihgE0sedi] XبIJ=ÂFz[ZZp8(*~pB|{[OZ I%q! i{m:Ÿo01**f{+Icgle\ <֒q(zWmr{إ9*Ɯ kǑq6olmH$,YObG>Rge i/=I;>;˯BJcwkM&Jo P?! 6OU(k ~-5 "OkYWCÆM:}.쏨Wz )JթӧJC7%zKKOSu:iVsH۶ Sgu_mT;Ԇ6©%ׁc)̠xllf4d7C!+JE,Eu7!I\&dSJll VKwHUhZW fswBk 6ײ2u7e%6Jj@,+LQF!qA"_N?Y ١6%=W˕X6U]ᯬ+b^/hk`0*״^!_Ox1^ڱs6m)uJ1/IuEVvIZnݰK?Zk+L\~|_xT3>uw1< ^4Ir?gVbGUu1zh|"r"+ KX9ͥ^Xח^&XKjP-ʫ ~u 9?PRv(9𨘾FUX~;QQHK49'r\杹3û :=114DN<9Kv$p'p?ͺ!1m\@Α2yH{2[aO mIGhRh?Yم fX .LSVN)/u¦ $%5#VZEz$k\*iSIJ)5|>->oc굈IhS7y >̔y V[hE9)+MdEU6'}0 V¿~aݚf-c}[r'rgu7@~=<q:Zk=j8nx6 &Y\uM{|{v1∫̘8xҭ^79FTг RROI\m+Ƥ??|/EIZI5hϵ|I'$?tg_F,qfLlIdZ*lM]jVٓ-`YVMx\C's_&IZ%cYN+*0 gP:{d3dXv!P*y1ĬζWa()Ʈ]86c? 
=K)O؊3 -d}IXN;1i) 1E$NVYR!`/\%r_Ns9֚;%7nqh&)ObWWh S}JWk/F4_ȴWf@ 5嗚q_x雪DwWq/B-Z 4{}odÖo ǙglAdùZdђEVEwҰ@cmcth4쥅`#CIqt}R`]*YSWν2*HuX8# 6F$kZ ){͔d]d:~|q }#޶]oRxcĘ9"+\Q'sNLxrWmY`ebQ~ZK:)-msʋGl$^Y伴mi/j=^ PmtHi̅BRXǨj2Kk/R` k_2d6 mXIi-W\u@t$;c!JH9mֱ #I\Z`kX5+;44]{tE)DR7BAUKN ;Sd]~ o/ v⢯4~[0ϦF-gZqqzw# uy{5aY}B佟aRRi?n\abF`['9^'ɭoż$6Wb`"<| GmZ`}׈}mkx=lam3xȝiaEѕDQTʖLFc<k\fEƥ pWZgKM><3~}pYUb̩P$8<$&0&(oKMYU 3-sEXk?lM #"$(j&"_vq~m$YyFŴHysѿZaE+"H), IDATi|y!PI\JI UYx)W2 +q+u<ݞ+2:E@{nuq}ϪQ`cğœq-WOK]xrѿEתV`A{hVm)=ٞe1 @Q`=iDUij*E#\ [` @@FU/ =!ˉ=!H x ܁<Qتds5_ף}+w'jX[8-k0B7IO\lÇ֯-מur WmxWHe{_Z cFW\[>YuQͱH ºNO`ݫAX;GWNJ˚W*V^;ʸ*#!TjU~,m@!0A4%UπRפk0${ kƚy&rw;v&>ɍrLQ-~)ZgJQ zPEj (Z$=?M=}וX7R/jP?  *\O>܁Am5 l9@JT5 |sOt-WcZ[((eƮ.Ͻ. ylRzˎt|{PX`xl-O@vnRZ#-)@iRnE@V]U #ObWO/Y`O>EП5wRbGkO0fpApBr.D\8 pܺmNQm/^*ZF.Ͻ?ʵ2㓳r~>O_b;V^ +@T( j72$KŚBL0g~Th挚C\]╹9; B&=X1ӼMS8g&wОn)ٙ+7boQ($%ܺ"ˡeVц\BON% . ˩N!00#c>WMۙڣyhGE\d3zJvMכ.OC[EWݿH_%3 #q\9Od:$dNM˥ N:[5񎐬Oʸ\M1cC#vT=˦nN5NJg)Yk%O_yU}VتFu'S[4z|4Ji YeLD.Y2.d`q)뒝ҕfqÑy=72Ѣ3HYH(ҕH9OKI,c׶t?ɜ&9=:f-Snݑ7/%y5dUٰ¨VT\qq BOO% ٯrXlۜcGKF >,y!d|~у?fRafW%¤_ dV@*d\ G) Go:zQ7,e0 [k@I,4ʥ6Ck~ +fCLE|Vי64[UM}rVMvP[i6?Yqˍ+1eI)ˋP=t&K+Obb+ObW+?KS"|t=s*K{s{tOX.D  _{͚5tO&%q!!{׵]o}VتFu"!t-̯в{z+s^{՟4UV钉WҼq1ȼ)}v?v]6}̫dUjSр++E>vPUv]*VI؉}_z7Q$}"#e}^]@[lW9dՑ2kU3%vhKHVW"[M.~BL.JjܔS"I 7 dKwHcV|!/er:Wx]ϵ} F- "zzu4 Q^/й-O6|V)IWR`׆]/9dӐYX]>gxR;R4+CsJWrBV,ܨ@ӟ9~9Rfz~ rȍ X #g@J-06MOVv! 
MD+Ki&鞪+!aN2tc|=5L3˷v38܎|OMpbR+m2⌺?wgksUʖ^j/&)biĎ)#ɷ6C#ѮC;4PXf3 E$& v=ڙ4k֠gHO r2n8ٛڴ੬ e}]v{3QļIJ+b}6SzMv"$+e;E$.iA}–M[0j(@-۶XͳA[a`/2"~SO`B ]G&/U>OK&~{me0{(W] * [Z] %ؕ p]o ;t-C\xPI\dK@tE p#&NBB`YDQ:/łKZ%"'?!!t8u`meQabPJay3GWم_c֜5;+=oMqB*R^؉zC4 BݱuN1Kݐ&APP@@ygl#%Uד'{Ⱥjo#qhT %Ag)g-Ϭ{ɚ{[͛s(jg|[_a؊+J+[a#s柅KMo<._N{\Swo7q7[SW'dnIŚրCAu1uc~ j2-Ĝ;CQtg=0mN%VCX0h|׹jX٢W!$N;d:3ȿ'Jys0Iy-20w\A PkDJr-ewq[C{JYyI\!-Bemd= G[\\A;MOFX0䑕$9l V._in5lQy95eh"^3モ>?ywxf_??&{1o P-1-<2I'MSHu!Xw ;%M@4n ?}2<>&̆t%} R9U)2Ӫ/rB>;zo&[Umt>.dHu[sh)_$P"P;qB1&߮M38ӦLRMvP,mI9L,PbXp\S&Oʫ C1*M T+e8AKZ}_IմBr5jʚv߳-"C<4*Z]+l Z8zTBvXOwmg A <9KVV-DS˱$%xPRBOJg=|*T{COXl .طbyDVΥUBh@ YaCi )s{2< ^4OſQqeI5yԸQxw}%[g|{DVYxՃZ!7]"Q(ձp*ScQOʷopk/@|> F.=LrivС8QI?hEQΣ1(hܶt fp?W졉ԑ Э)ϒ@:hZۀ JKK%WA~9OiR'lڰIRby㢄9 Ķa#3Kw^5!qufќbI\NI- o%Oܪ jUWs~Myc_ec^Fȑj^2~o +;I ZF@ŤJޑK Z@{&bZF]X`Ew[`]Ǔ{+C_s2DɛڙV" vAݽk7ܹ#W>clV)`>CG)]F!U+֓GɅ⬼jɅ@ZD lWyԕ[>WK``nCk~ D4Д䡫a.ֹ+=:=ztS#, Z`]_3k )us ‚h,zV0|_ۿ L>V@;q^"-*uʯq0>K ?ۋag'W:[J#ڤk0$ XXUT\J>P^C@@wCR@Z7ZЄ.A@@5.jV^y-_uiU)ɿ\,FoCАE~ K+Ֆ\UW!pu@3Fu'30U~ Qi7? _E}–ӌIAA#8:8rtnsaN)mGW9z; IDATv!u{IL|3wvX~Y^2:u=9,B3M9AԹmX͙8cNG'NA!mo[7jGQf |م ?x G #bJjc-w6jۧ/߿R*ht#3Lg(L.& y=(MHj툨3{u:_Q^Fqν[(9R6^ 먬d>)))))wH@"Je_Ee-8;RM*2a!b [Q"MgӝvB1e\~)d Q 8&}יruJ_UnPݢ(YeƵvf_Wd",(su/% % % :]5w#Q|[ͧ7}D{l'3q2 x"k'obkHEQد[ڧ%k2ea=5/٬"qaȘJa559خzX  .+i ̧ռpԀORΖN}üN%W0#LܟEƾS;8NMrQ` s,6S;p >SfWGQ1m9TK`ܧATllw=QTLnji҄IJP>"R|׸Pp/7#46~+HK\<:"}&wI&uՖ>]j(ެ{Kr/qol-vw83R" DXWf:}t̟4_֭ؕWC-_XLKq% >lLgY)* xվbm_Uݠ,{8GUVy(J%|r H>O J; ͧ34؅H@QA. 27I`q3%8FSʼ'bPH><>FMꋋйig$[ham#XvN"4"Zs/u[:}ܘggs V׽}]!\/p4V߬_ԗcZKqF Cf߂gv>L=w{>L];'NmGooܴ4w?cVq"?Y[Qd#ؾu8 !1O=T /%˛K@=K|zV\J(\ gN"XDzsn]~},* SŢ~&Q|q?;bZCDXjkg#d/uT! 
1s 4/30;}nߔ)bƣu&f/u2`Y?yY۲Щ%Z|tJZezx* o ZWh @; SȆ|*퍹LJQS{MbM+T+<=YkXoA8m g2;$}`'S m֬M!\k0"~H1lڒ= &,l2xlܘqb9yQPcJZH@])`A +/ab%WMƍ |uOe8A|#fRR3gbS\(_eNzCUKYpt"5p\ǩ}ΣP_ q88|u@I2هs1=79=C8YzafL62XG b+[fz]TENWh`4K'a?H&n+f3tKA{P-vڈ }p)榏Ɯj-+٦͛,Tx[1(ގpz{U; wzzV;j֯:tO$]C/^5l(Q p<~k̊YBlzhP&`قy"yђE0Q(J~{ oe;W2`Ƕ'9y ֒ khi ̀enB~zf4)j7"8+aKZϞ=՝^Aގpz};+1rH-ZdVePqyŒ0I8M8IQಌv՝L-ǒsqSXdM=+"W)ټys0|谭a"6핝{@GFw35璘¼wTVdo>\D2: s\ш+L@bœ.cJxaʴQ;7"3iXVD8OQ i <&]h+,8h f=.O8Wi#?2a_e)nKDɐn#:KwxQZ?L+괝ZT t !61p[:Āv+@H8iSF2kl1w!C Ea1N,WrBvL~*$iesq}uYP"eSathH#Sؙ6i:kޙon?qqWhal2y 0rRzd_WVro2Yf%B +4xg FPѤ5~J9{V?-C5[.q޽z ~#tK>k%] ~\z6jȩƼ:c_ WU<&O,vЮ;0*ͤ ^! ĸ&cǞ/\e'>vƾ:GYdp2F;+E}򙮑2[bigc/E'y%t5byx'ޘr<4ֳ~#`u?;&|a6qpպ=<ˊHmn1bX)i lQq\9K?\Ĭn55Z!¨euCOXlJ_K@}miDbeH50 $.<m_ €4lB]*~'ŕKXUm=LlVf޲ώ|5:Ba+OюD/ ;#n0)בC i[Ebo߸h5BK.H$YQeR|^;?؉M7 Sg#}JQ(fB~/bbSOPMG`%cҥKRyu@=l`|krZLFVUUJ6@;14Nc/ok)9GF= ʫLԶjP`J(Vԛ 1ȅ׈ he|f*J&Q';:N t|L=ڸ|#. KHx;B[OgF4hh 1|ھjUgEͬꑀ'qtXw0%=NaWSutfVH/de;T$.I\$rT5 W)FXOmZP.iUonД}6o 8~A*H4:i4F  ך4PZϠQ65b>&/EGȸj#amn ]|[$k0lV U/S5 !dj2IBmVZl |2+I(&j/{vx;^}Xyh*+7Fk=w捙kgDAF\%Xv)))) 8XKoC`-^K2r͊PZvjvvJN|c/mw uTŹ>ɋ1{"D6x9*vK H H FULo[GP-%RZNd'vP~ V<ڡ#bH(_>fv.}?tC^R mY[Wmm'H. 
xzD`kek$5 d5Bo_;JӁAc5tćptL"-_r }RX6^/&=D:)H=_ǩw!Pҭ /,y f:$E\ E?_Ƥ!Ǽ%}k[F&) f=OA(.*FQ19iI&)A@_ƅx0~/VYaͰXAZ2)0K2p6ʾF$i_$S}[-cM\Ok3p]wcq汖aɢ%֢eJbQ%<:&U2F1O⡐0|x}lsHn;riu1p nѩ\N DH~P^ztE>W$<˟XO |ch[bt+ZOWoxDY嵏Ic/|4W4H,_,D&qFtEbV :@k ܫL4SVbEW-Qpz3}'1uy;?7H]/E/[i%xres ~@0 Gf}[H[6+^AÔRV] {qsǘ[zʮjCy G(9 A!xrl{4A5fU' }_#Q`tw\}o^K"XVQoڭhho.^pon[UX+"ՄFJ )%G6o%0(ш#GIy P:!UR3JzU!9U!U@[\ij7" Bbƥ֢C2Cs]HYm.KY }Fu>W=z80ZFjِNOzɆw垒LSƪkݵ{>ԡ}5ýZLk"[Zh0$uVϧёCGL E9,Bl3/M(>Pzʙam[0cHM|Z0?B^SФq}ޘSr2?}>%ToJ>ZjR)IȀeu 0Zީ .cd;ǜۦPYZxOR}g^=Ow5qb^F>w[넍zx*C*=##ӡ1>");wlrɨllmh)?T+<; & ^z<[GvU2$&$:$3Q GJZH@])`Bli!ʋ v\ǩ);; 'g 4VMdmX18|\@R\y = 600PzCXx-Xd٦20/e da&L)?_L~ƺMYtgqKںy+f͙mmp(uVl)S m@x\8q,]}zs?u:S.)G(a~CKϦϞfF( ^\|~b^^AHyn_eaB0i3 6s|EIu߰tQhII8o"|M mX05uo!^M dѯT7:'خ!٧=MPlNߌcvBo3a×j٩H_ Z3a8DV(EiFilVsTNVTdXӻz4ok2 /F_Oķɵ{*A>O.{}0edW u"vP^Ԧ8W.ђrl9b`#ͤ+isW۠s8*allI(lkHB _ŠkOK'>(Ⓘ}k%Gu%%{e;j*{22erCY{)dnB Dṳ~*[+s?h Ásudo>\D2: s\ш+'],BA,F i3"8!nDfN$aGs;R'vP"w8؉`IIfĜ'Ϙl浯6;b@'qZä2O[E@n Hy-C h{?e$sٓ*Ak&?K8vƾ:GYbp21wGwe.ǬYx)%>9iў2:xawӝ;)a b1 l֬ôiVK~e8Y  V3yI=r[OA]_^ ¹i="GyѮyD2^SwX] 4MK5_ٶu[Ѯ;ـSSQ L֦LVӨĖS5 ku*Rܖw VS:wdL^쮳9bȾXx Lk4^+qpލġ{IL8k4l4m`ϥޞVQ_vRV:1g.cVF[O^wC>6Iqk,N x^Uqj>;S[z #L>G6+'jP_YM)+VfR^U|g* \Y0ö=7j@_QӊoT uy`:J' CwҜ-Hm[+prD6/uWe`yo'%e9MI@E{&#iqVz[ 'J\%>2!0+Z2!0g4LC\ Lnjs/q͟EWWЉCRӂN)ر8@4}t̟4iP^] I/MLKS`C,]GN)v!0Z,)Sᘱ1"*DܤiF!.He1Uҭ K_ɉe8GXP%>dq_s_1IgNmM4~B_͍\:- ?95yG)1!PlAC,[- )!Ey)GѸ N4v&bW[oiS%Ԕ?E5D2hGrOjcƄ@"S!w4μ9QZL&4[!yyU$Pw!Q-;+% % %c[lLm(85`gh){:BL $\ Hؚ;RRR.iy Ḃـ ;IR,i+))))o(bcjk}-\3,W S_eLr̫Zǿ&螝{W{xoW/:Ooog#W2er~ʶK H H H !YOWT}msIЧ{hݻajUA`}RITt:qX/'{':tvmժ6@9V^u1pVVIi+G:ؼ4H*$?!1}f]Ҿ ͟^iV._ KǡӞˬcQ\TUؒozM(;VΟk+Id_#H%+Xhmo<;s,mkKaV:*Žrʘ5/XEU2;&~7b WW`鸱J\HnؒJ𭡭2EoRh(Lf!rqM(ޘOd?>)RByqDk ]~kJtbWM"3{ )>4A`s,S2W|xXTS[Q?ݿմ V-3X)'%O셜IY%e7)a}CMϨef=zޢo| sNI"QH۬LCX "`X*"X >Gk (4r""%y-r{vzj;UArG\˨{ѳGthZl\ [0Y#5X EQT43ډ"E+̊{4uQ+:_$PrJ.gw GfN +԰c~JKT)kL> ((*u%exy5Xq=-lBL eQ⼊,S\\q X}4KU#G vH43OIL1 *ujc+lݪ5ex9OCg*ϲ,π4iD8gfC\;N>RiW֟Tw}@Mc2sSN/x6Ax8~ZQxV*x+S.1BXF`frG:<:fJ\oL_rnZ# gH)P;Fo @  k))w4tM 
)jP'4I>+wfL *q"WIS6VbIbT C7n;k<+ګSgq|B* G%"'7Na`^}i0ȹ= ;;46ء#rתM+ac`%`>Y3q8xp\@[W_H^׆g׆} t^=.R.,zPݟ,opP027dY^č=>1.1 XleV3e`;KQ9V"և5lBfظu4V#HёHH42B;j^DBIRΛco=ƏBtG!W6n#l }JK  /,+Zd/}& ý$G5} I-!%-Ch: kayD=E(W()HYPbD` 1#2k3кmk1fukUyJ7fN(#Io|CL*yMdpiI:xFZjR)GHɀeu huq:SX:%U%Q\c@TOYЦxm.{ƨF`qe}j]~?lUx(a;JVn)sS&>dǦYd=zҔl`ђEH &yaтE&6l3n8 y.\`JlÏo!,4L8QYo4>%/?u%;ܺl}Ff%(w_x31d,^جcݚwm.<*ƃecأO_d}B. `Eph0ڗD [o!3 bBS~~4F4U](CEMAN(5z{ J*ũR+?%OѣG/JK쑢'Et ԕ"I J0 ޾ &Klᯅ8Y:`ه8 z qQ/ eu(x/و,{#gGnJ, x)BH>l)r Ոn, ,9JJ#ddoOLJŅ)lRЦA.WAw]G* /?\1q)ܷ/֕F&| =x!0S!H{C30|"CU'UXz6,Y1Ƙ}3uq8g?L $GH*+(nۦ- 5X _GFD0l VΑ8||uG󵥩#+O9V"ևBA^V.&jԞ`v渊(sH_@ֈ]29BQmiJ?u  ]r@;}8l ;}%Xe`- .Ҽ̀QXqAtXq>c D]AmL7~_ E4@æMs^* ?I%]]1#7"<71tBt/wtʪe~dɏ-,ĩXfb5f)l@M#1(&uG]RRhAZ\1vk#dOm2afV[hw Q岟 yHKO3r+bڛΎW6cPs#>ׯ6pȟe\Z4;Qo~n5EY(} LkhcD۵cknPvysISf_ ˲|O2IcQO۸nfF( }ED|~:WlD`-%bVW멎.C*Vecϕ40K) ԖชhX}9NJGYik衖}`Ytnȸ8qMoY7(J͛cMvf'ߊE6-tQ+J9[董%{Wa;LY]g*l %(Jg>5֔rR-h|b$i&Ѳ}KZ$Ң"\Pb~.K8{İ.K+g 2Ni3&L):wlb]y]a=^ 5kV0KNLR QlSxfshۡ`a{-gR^DBym?e} !5J5 ,s^FədHU"9tV(?<+EJKm4Ae>v](C`YD`-%bvkoڎUmS_S0@P R+_j)}%w'֕q)o!is}(q/F-x;aFKR b zq0p܈8( k(x!^,+?p@~{No̠Epdx&~/a)\v0ʋ4kWMIz.zD+q8q_oLq bwu9Fنr}XJ'My}8/,|ʫ3 ln@&=3931cu % ]x µe;5&eׂK4-@ mH8}Z jnΙ&26'L:lr<+O>Hko'7PY3%[& ul+ v-u;3l&WyL8YL;k)ǹJ3i)Ʈ@{m2vUvc'ncM|\A(M-b:1l^ϝfpIJ9Xp1?c,uE4ֳ~#幢~8%i߾=,n&7|V"b35Y:Z +Ez>G rUg>S" IH[IS/d0*,֬ô$ZfF2-=r#OU 4#PٕmsZ_o! 
IDATOX_@e׼A~~)n#:OWc VΑk#2;7m3Oس$tnSO ;Q5NޞUQ_vRV5g+2$\Zu+/`-ohg5+H+FAZ"M/tOъcY2RvCڇЕC'lAIqkcޙe}6Q"Ȑʵ*v_vh^?$PXQ4;9G0r,$}Jf-D6z5SFv}ң+.؅ Gw%X\;mh/ЪE-B)9GF= ʫL>^)$PNeXF`/ =sWs햊k j) y_wa⡼/132x%aI}˾^\N r2»%жv[";WK4~B_O&6Dk[^{XLr_<|V[oiGX18rT׽y~uUP>:!3I 8!:!,UJ@J@J@J(gBUE.[`eڷpj15mSef)lU-yJ H H H H ؓ(pVFIIwU}k [TԖeUWK TUX{}UEPKkXoV^Y`h_{Բ/\.]n~^9>vQ-[V*JD̨ley[dJ@QZ95m$I H H H H xR^Vj}ZoiDb,ڝvвSNlߺn+I¦UL ZI%kefVRJ@J@J@J$5 ;Ϊw4H Zar |rGXw=➮_BcмxM;c_Wbˋ[Q/1pDQ5=j@6/+Z%5 ΪҾM@"+*GN|ܓX7 % Ε}xIR$ X{ґiRR 8{@:56"4 8nܺ]Q-[ݭo1p^ͅwoA:8~ [oGt]zX"x |^Qi4WNǬYHۙVwmڅg",lv^Q"}K HXKk))kB {t3OF!/!($ g]hWxojjlRhh(nܸQ0wQ`TCo;wliv]ǷѲdËY;Yff+'2fg=JɀAw@M@F m0Z-jb;0R zT(g@6G!`5 m!OU^cB+;qetqEXq.t ]ix;_l[ / } +/`mVdK@@J@J&H^@ 1+& IiD)Dcˠ<zh:gP^(:ulY3 K>$Gvq &~#XX.6X*uYRoeY!yQ$ 5ܲR5VZDB[H)/:D Vn 6l+k@v6p;`Z@[f7j(,_=z@wCũ=($C š548量fL+LeÁIaɲ%4e#M9"I xDe%RR,+f3tKA{P-vڈ ۯ^f- uunꄩޢGȧ,\0 >. )RN8aŬ7gA[[+ܬ9i&k>N"qeK! HևK6UJ@J% RӠaHP,P ZҺpC ТX%WM׮GS1w\1 ޙO0eaesz##p+ {*G2훚F%I .>6`RRNK 6Iz#@0m,@L<-.@}k%GuʵJmy4#6D|{[Sݨ_G뺋ONo&oo7N7% X7j))'$@'jn5 @Iye`N !݆5n Z@n 'M~H(t#Z%T!C ,~{tD} $:8A`Bf* H֫C6FJ@J $F;+E}򙮑2[bigcIENd'Ťr *'@&tAh-dI?ڒҕ}5R+JzEqƎ;Kv5Fv[8z5M6q TGu(!'J(Ha~48=!e I~ H@@J@J%Ak Wt"X:Vt&Zs}A+ᒙ[-5%5 #irR^פouw+E_]B@)KXPJ@J36GS\"&kkO&6$4^I*Q`+pV+>ăh=C]:PZk)qP*tGNHSCHʒ5eU*l%&$B hAW55jlNV-w!pPVXyٮ4 {@BCq=ŖM %V*<:ѳ-*I T(V("AJ@J@J@J$5 leNOȮ2c[WV^'2x".XܸzCj?j f1 20_>s!z5%Mzp5zԩĩ}%lYw~;Fz]0p_,SKKKpX/.Uhոv["ܵ+D#SݵUtimO/ 7eݰtS[p^I'ޘK H H  HXG,WS}\Ў&bB:Jj469.nO$39H8 #DIdnȠQ6?یK|3w6ˀoH܋Oȟ'CRݐc^" j[F*O<J*EYuϭ ʢ.%:VXAKu:3]CXx f*&~)0]#(KTHVplBr_.18g1! 
'Ci_E(*+5)*J-̝<lNP7,*q5&v qt$Q?թ/$ m`}odj$xxSi=@̹@P-$Q"T$-JRHq d+9}3x__y4Cj%\՟X?%A`}wxɲ%P샮Gڤ \D* 1ᐍ0IkX4̯|AqU%7~oԝF@> ^yYi#{ 쁡N_2'vuŐ!bF/3S+u" DX'm`Weq֫n1<ː<#;?߉@M Əq hR,J#nBG8Ν?׬] 1ݱ-o xؖ]CCVzۘt7o|#dMlѥV}j`:uTFM"L~/ѹFvjRק+yql;u O)R>ndHYh48{꬐~dmBha yce)z3M`hcжA5xc>eWJ@WlT5IuuSZQ` 4]RYa6(6˴zj }m([!/wFݟ؝w UkڸW*֐)IB\Y &5YY$\ o>2r}sdkf#J i#*g游E|¸705[zCy0c 23aՈ.km.\`-(n#ԕ%17/Ts;,VٺUk|+S}4n9Ҿ%I&q1oos11ufe33ɘ>{,?SIeʬg}qOX+~_`jTV[ g$O)R ;r2h@\%V`R`YqQ&QY[%@5LzG)f eڪ4?|`^}i0ȹ= ;;Ԥ1#бCGUVSeemı_q8ks%[ӵss{ig\]>c]>{lMyd?KZXT-ZPn}omBQUh#}JQ$:51ħuؚPޗQM5"TB>yK<&TP(uglJJ,R>4ܔOuڔN ߎ=iJw6h"L>|/m< h" 9?bܘqMJ{ȸ"i[ ~T_SC97cTѵc;r;4k5{Fc]#yAy䢢>{I3m6kXG`mLR ښ5wߞй[g׀f>,'q)X0SIIyǏ!tg_[cڥ+4ԘPX6~aH#}9ZbUUVst O+x'C{d5ȹKh eR+=r*CsoK.xÇhamU2Τ,@ؗbU_YNYyWЦYbZ\RL:IRԮH;1jJq $a_Nk2Ć~aזO"0p5^\H_cS{h~FvYqepȟBlccns,s.fF( 2ׯ3MQ}&`۳зO_ә"5۬9E PIyՎ\ _ڧWCc)2%?[R%PVoo#^jYKg}E ҹ}Iۍp]d'Fh%GV5?ŔBp-M)֣ؖys5kf/e[Af{Qd'e&b$L5ksϡm9115^s3LϜ6 OF_ISH5ޟJ5GT_0KSߜ%4ky=M}~80,ob\=gP\=[T^h'Rd5I=1Dh;ioFh\IPXJ ʲ2J}>Ky'2,bhӹ ^M~; zddP#)@5hHQVdɏGfu1q#;kb0&ѧƕ {%^3k`s}/ ,zX+sx;Ga#M="+w1/Wu,2ܾU'| xe+xwŻ)V(w# QI(Fw82NC71*dk|'gww!?MGXHzdJʘU5*h3w+UŸ;~\z6j~*4ֳ8޹"_ )aLEӧME-~gӡJ\P +_K:t} \}VŒihag.]ڀlc]^w.XF :x91<}+2^옯[Ӓ)ѯ ;K9jƏ9߬2^lv'yOA݄reRªVhw,ځ֕Ru[4!bF"wu𽜦AxąhЬbFcK\ʹd:&ĔDd#SASOKtZ lk.Hdbg5ڴNWb<Ԥ.jgSUQ|d)2u!cJGszgA?{o_EoKDQ# �a! A,3.1DE<|oTn߾.IMN}>}ԩSUj9g 7m]>Q*94ciF]u)Tw5?1ZxZ^Ua81V70`!C c^:fVc }pԭ{76B)JUxZ9ﴉ|aaE۸ $p!2i[n}3Ӛk$mވyƒ7hҖ(]Cѕi錥rJJiH[QfK& V!f'ΦыFSv-֫&6`݆3A Xx6VPT<+LT2Ο?k@r5Jπ]:!~jlg(ȿv+=\V|ʳexN}-Wl4!d7yf2%?oixg-}g)ĺ7k;NK74O4v+VHWrO=byˁN=!j.b5+Z mp_+yQi%5I+V(M5]ۥhSc;Ji'UJ`=FH˘'G|PVQC7b!t& pel*vЪUw߆E_ CEwWս ʉoXC}aƛ3yRRH#_IMZ7qZ.t IDAT6P<1)>z%_h/З Ej_Xsl$7RF]yi{;=fv/|)#[o;wWu*gŎFqQy5qZjќUsd1lr|7v3~!XbfF`D ,qP+ K:9~/Trb֮ ی"KDu~I&~@<3`+mf$0duՃN~*|cFY7QyQO }>VIF H$\`F(,yNBbl0L]%H(1.xTi_}`LtmH}`A3{H4m@}uBеW40׎&ӏbkפ$7.mKbbAb^L}:]tlCSMZn1u;F D6D@F`#`v!C >R`PZ꣚uѿ](5d*[h;0YzD_ ~0b!k<%Ibz-;$@,h)+,IqǼ?qZMUM2_ Qt6k / ʫt+NIL;L/|D# }`C%_p.+7|Q/㘗>6b 6? 
aqVL Lt;0#16ozgua8+-YD7W*GuY,_uF*#0@H6PlH`a#` iX{V2.ZRŧ_Qc70Ď'GxieJ̞;D,#0@(6l(`Y#@y`ѪG6%)qs).z#l*ϣ^FlLFb֮[K-[(*'N&,Z@#'L$ Af۫ӂy 1_;%M743nTvЗ`DNUT T% !_#m߱]gK9SB΄qCBb(:y$=5).o_Oy{Úf~=?}thGoEK]r(%O2OQG˱B4_ )Vk&0X}EsQ,ǀAeOt]0-y5VnM[mZn?Zи9GX0dZZKbцC(*Fl C|z3vdxa>o׉;_oPsEv|t^*]T;?qVpZ󅶵JSšmxuo4a,)@.[VVڵm筊OE۠т uﬢgd6ydjiL!H(U7,x䩎Uza2!0N*q̝TƦqKM jHPz_Z`0kkW(JbZJ?  fU5~͗iëkh9“yVvO5/>o;AKYJ1?!Pv} IŻ렮4.Oj>,)vA_iKj۱kyy` xWuo+Uʓ*ϳ j>qX"-z>ۍ.]@ԮG0Tpjա]ہy^*4mڔx U-׬w3T'w];UUU{0r.f#y7T^[M?,tLТE#WPmGU{z.y+-?nYy?xc6Z,UYc~FX1e}|4PjSǑ.ONs$㳍: VJFgGPݩ~r;?\5+ƪ? 捙G3;oMSNU,q駩7hۚmTr4ըkQܫ--'b ZF`OƝP %.%w ^UT\1V#UUf7aP yyŧD,Uc`e57r,fqFeb2onD3m4qDg *EV`Wr`uS1`s` T}.Y9Yhʞ8Ȏkn"=ѺeKv 'RVvUt)S&MX>j[d!miv7E7!c8M.<N:Ү EY#0@d 6lXkSoXH >)pb é-h"s-fӖ ڗfMKg,WRPŲI&칳J eͲV\EM9_1/jӥ8f\A 搑A>9uz;?B$H%/\&w7T+c^Qڔ1w>6ƀ TIx?VzYi;5R E4o<Αeӌ2wy'y;ܖIUF]&*\KtOS=lËY3fQrѠG-ZRF^X,ٳw%KЫs:1(!U;s A@D @<˃aO㊈q bY& pG TzzԠiJ~6:ӂ&N6ۄF8K ?~Nߝ;g/ZF`xJ7UU:rȥ]#vuyu\ ÈGВysdn42i4tU9yxGIhSiK@ۈ|_ Y[j3#-x򨢠!,{ª:MO[{]x=:Ho|ZvnX9.c$U9*Sq~u{qs힆zvZ<&TA^s/ڋeKiY#RB/L.uxK}J\8!sFˤl^8׆@z|VgUP#Pb&J :Gֹ;޿XɒA`MԼis~#~aByvHA x^MyUlg奅yi!_z1eKo4bhr`XD6Z"`i:ߐ.P#0#X#Xk\@z SyF`rMG3OS'AywcTAG1M0ǡ沚#0D![JSeF`.geWONжKu҄I~wV=. 
ߍR O 58cԍX 1T5}Uzs@E۴y#ծUڇmϺF`F{*|s:ReoG6^#x?.DssO>eZn-ss#0@1#a\"-v%3ڻP$bkdxF8l"M80#0#Հ7}]5uww}c?VLMlRC/{`#@^_?0ϱCiF`FD%.-<}e4ieC[+@hB0ּDU쁍0?=.ei9q`F`BwkTz#0#DlFڈ#0#s؀-0#0@!l0@vvHb¸s lW}N3#T]UQMs1N eF`"edg3Mi cP#0#0/!QbF`F` ؀5#0#0@$ l$0#0#` 'F`F`"6`#aXGF`F@F 6e(QVig}ـ-C'8w`pC칳gYRHv:B@%cU{Tō/chԮU@H=;3#Rȗ`pgqco ;ԩK:> vh*1']z2IS&I|{[4m515 XHZӋpf|\X0CY EY=/T?NKmhuwkH#z"m߾MV7xnrx6mHOtFD}o!uvGяK!x8f?C&L$x?x`;}_y4k w47ﳎ`ݿfܨD_3;Cg3>ИcbbhP3R3- 4<)˗ɹXVݍ-O\KFӄ k7 XT*ᡮR >kƍmרeVU))_Xe F8qQ.8>ց'Mߩ^TuLBC_FVЉ/2d]Fǿ:M[owRhe)ˌr$~֯YMX{LCU;tk.<ҧ>;%LO?@7M?%(%Um>vkN8c5 mӖ͞UzE@=2Exgq|/Ҡ9y9?N.KK.mVGƠA,L8݌Y9mUo]fSōQ^j9~M^7ko>n8嗸pMLw80|^]94]>=sexztxO>7:dL79Xjx~C9w qΏ4tujǗn𐾷T%w׬K>M,^ԭs7jܨY]~ɮgQ~>03 ?d~cVUMAbծh*bydf%vm=tߪu rCcM=؈ƍH6'>.nָoz{6Yv_D#Zh=CňnZA izלVubx[5iPIovaaE[bц" |*ox`Aeq5Œu<x>8:4ǚ?.t\QF/]8r|F>ZO Թ{|-ڵsr$F[(x`Yv|Xy3i~z ЇøԗԸx<}{A"EϽQOY 33]/\0WUFY>mvm:W#zֿ-_0^!BNFG]0YơahW.I:tSq3Rvc f3nl2洯~5WNe}iرCiг 4~4|@L(˳Rc23>jC+.{/ZCiq^~\ <`gtj[uypṜ:u _a*vG);QoS{Fb'!?FI7<0pa_u;Wkqu.&aE@/!>`UƲvEFeҽ.՟^^4nG7O:ڝon:caZyTm$*lݶ/kEk`eb]4`Q)';۲.]0~|PGS5\vԙ-XJ/'*,xZ5d@?;L@xnCӌ#\WYBwţy'NXfCdf"b OvAqE [%JQRXI^I;w"dx׍N1]C,#u 'F`d۶l{TWlC5Xnk݌۴y#Z̙(wjP4Da>~8cF]‰v2֪Y+:5iZ.Jȷj9s$Z,}:5|%|asbT]RYVތ#0l!a zZgFU֩Kg&k+g8(Q:AT jEIIs)'cF`E bQbA6tj߮=M:F%Šd I I{ YRJLsWhj 1Jj#0#BnkYotKfU+WIOGQ]TyV.7w Xr_7:FZ Q0tm}g-}!?`.2t5zSVĘ14k,Y֚X-Yd}EW/hG]H5k)|Ioxcoegϝڔ~*]cp+^4 jI]l#i&j٢%EEEQLL 9Z<F`Fp@ X/eMɪ/ACQ<%Cgϣ3gP^^͚;R^Ic]FwtÛ ='M[z=״63eЉ/T[n{^zp cW}(y>2og 'ԿO/NRkP^ݵF҃\Zݜ3rn޺/FϧԕgN1#0#X PrVgܛ6o;JOaV&o0%c.ڵjS]NzxTi+z-B?\AU+WJ,zd[s.Sr]j쏪^0fΞҪO W䉓me˖.f=9?Эo_+y̲y+2'2~ԠQgu\EHϥ5LλjwT_}Əty*/дӨZj]5RWyGp0#0 5V:sp?zZV/qչ_P 5V2"]<~> pgll,]~.^%A WY/F`F  hNjeLv>֠P)cToHUԳؚɇ2\e?hhP+~+#0#ɓ/ZM[ޤg4!tTJԺYkڶ}uv+$?;چ*YGmնM[hNH]`F`C y?؛D M_[A1(宆oӥPO>/KH?1eF`">MS'DW( F~!Ee՛hАARܾOClVx&M3ak1F`J3S$OS&_|ߴok'ʣ1tF`2@ AhK93fM'C:DM7"ƍۊǟ~V`@ڵkdF`,vR:EsyuEG/a1]ZΞ./WKc0]M=_J@ßiF`F}`te҃m=^SWa j r:XpI)tǢOKU*WS'*BzzLOs! 
tn]QrR2^ΥwӨ1dPKxgP8Ax_Ĭ ſ_7~Crc>8'jHNA{Q*hwߞ}~}{S'~@whO*칳?sܹsteUUƾwc_v0yF`FXUHY̩Sxƃvvm&a *z]qF̅%<,vu;P H_ι2' ,v%J-">U Ny%EV<( yyy ucS͝=# EEEcGi#)kQ\)2y"ϝNĒjUѲ˨㮗|}յCnj#0@q"%Vf_ʢ~{U_4|;Dr4F|y_GQxsܝq$FhGQZ-)b|Ư7h%+Oӈr gja?mիh=T6~Z| z~!W?䫮!0!<}> gMqy.g$﯎Ndy|-`WFqF` 2V9KUܷJ(pQj̵Gy!]DRb%M/b%ȥB':X@JAt߸NwsrqH,UFl9b[A^*z"\+!~᫮!0'=Rѐi,'pãfVyuaG JX_)؉ ܮ̍J#0̀U/n}V(sW2dУ<*Y W`FEZ4Vm[={"[=֊.gQ=$ qwYbEͷޔoW RNm2+VLѿ66J=ǎKo_u ! vۭ),^tF`F`F f#k/W:4F`F`@zn1 F`F` MvS?^X)fdF`F`!Pl~~HԩM3#0#0XK\7yM{ic`F`F@ XK\fz#>[]'G鄧)YB KbF`@ؗWV $/ZؾRMQɔ<*֐`Fp@H '/'͞AOtz>HƳDPr6i&|+((Yc7\xSԾ]{}8N\2=Qi]]8x:wW|3n խS*DUXlJ?ns`F`}>ߗּ֯@]"̠[YE u!jҸt 5n8RYDYCڵkD!_(Cң˹Oу l7ohJ[u՝Ww~HtsԿW6c,0#0 ^]J_N 1R:bGNKEy!t_QeN2OIIASu,ᮚwI/j#UW!Vi%l{{,U\%1eˤܜ\R M:٭ ,8y[ݺvd1QcF%ۗV}ҹ %$7 tQd\p@vԕ4 +iMEfPAn%WRխ0ө]'J|1;vSe4F`F\*pr,^Xp)qd=cY:ʝk6a{x_^ WлW7zg.,!&C4W\QHu vuu^UGs%J-ݢre#];n">eyTN},Ļ>UлooIJy%Eꑶ:MAG9q!uU{))ۏ@364cOܜ`0P*U豣Q#0#PPF3 6o; }hҸa4h%`p3LJLġօwE`~:EGGK/t .4PvZH, .=JDT:MYB,Rl@&/E2loIS SyD7vIC\nۺgF`F@<+/M26Z=T!H=ȣR\FF|ziKSv2-7a> }5b5kьZm%aۓzvhޛo)wW6%OlU[=֊.gQ=(Ye(E/3.c]F5/9 nF'oN?i$iluM:oXOֹWlڪe_80#0.B6TZ6X#0#0@"Rl3#0#D lFH#0#06`y"0#0#DlFp#0#0l`F`F(؀beF`F`؀90Pq-{c=b 6`i4XF`F(M@4QJeVNE|˗-^ll,%Np}<ނ+kӤuԥ Q{<ۃ+b_}A ҠU1R刭jJY M Y%)#6W^vʕbin޳:wL\Gvc2eT[¹йK]qwwhU66F`.Lص/kgayoIVr|Y]g%P9:Kإ۬t u2BD@u VA}OOztAA-sB/׏zT~\lc7u]IG ЕaNK@y30p\E$7]MsSPT#ozs_#=u)XJ6.Ow~H{i3)bgۢ] ֵ^ȕҠrVBli18iÁf c[b8k|_YſvZ8c#6ZrjqLjղm߱ݨus3V&_\>HmڵsQZ rWi%C/7w+^:2N_*prlۼ e‚]۷Wmzqq)5gV+@ʕ+>UN44hT*6b3 vUfYf2oT :yyy۷V.N,xs R^I1%m Ъ tŕ&5repx/3Odz ) WGNNa3<1*tF,",J*dϠ& ! olq'}A 7~CYtIyyn 3Qjʱ ڔWScz0*է͘5Cz2/xJLs)<4j(:, of EUhɎ1\u`ӻ<ޅ}rf aG$ٰ_+=|6ǧp*ԽNN5+!9RWË}y`#xp$0wT44<wOV|AӸZk7[~F<(}ĸyXaZb ԡʬrJS20OpX6?% )aPTw*vPu1ÊGە;/qёNYi_X/7+o+p)E 0x*8r+*Sqm(9b衿!udEAGx> cCB Z +4%4Vm_+:P8W8A3|6u^Ius= 0ZE#~MS9k_|1}3:v OIZ}go+!:K$1(Tu2H;rbFR1|7/!i#0#0!I)ApBYU;} >0#0a@F)eIJhjln@dZ]fDŅ Kc5l<| 07#0#0#0``!#0#0~!W;0#0#|!R(+ۣF?J2?!à`+?ՆOo\_?>:f[.U@Ygt?X'^i9Fٮ`U1R刭jJYcZC@z9E|r{{,͞;[/{vSN]y >k&-d7{|:zǼ~գzCv꒦뤘h%ծ۴iY$t/,ts%y+v̱ڪGl>=4U{80ނis Y][gŧhVm۴-8~@4hl:`s ?M. 
u<+ծ9Y[&^b:(tVef̒0}{)u6(}WAQOrov 0V [|_C牯Ns]oStqX7^ݓӚl}HݽPӎ-;+H}iX0Y{ y_.^Hm[測SNcG#- fQX°frۿ}~.f_/OSfN o mhoߞ}~g?jDhNM3'#OgIDAT\LihPsӎ%]!'m_<92Odz ) _ONNa3<1*tF,", J*dϠ& !'hsBRqNi8 7gGN?By12Qjʱ1YR M:Y '\u=`N.tc5H >#YKO8gNx| (Brw,O{.8u"Ft몧x`#[nE],,UM= -ݑhG/ zbV[/q;cGyI_ޚ(`%թ]mrsڪ=p݁*{ IjW=+~4_r)W oѪ*ӊNOt*c)m(U}c}Q%h/X/F#mwvv9sv޻=psΙkN}͚ˣ:Dm%=_gܟ ?ꛞW -m>nK}x˽GJ3!ngݪYXVO*h ^{] q:'q}1]b ۟rZQimKM=PxJcڧܱ-ȥjubim+}#P7 ˓s v\+ qH -{8,>G۲狏+tuK~XWYq'uv%'q,Jy=AP׶ulXaOq<8ѱls8,q>W_ҫ-$w:ʰ8Kl|h+c \t[6؟U7u U⯩sePy`V2qZ;toqYNWZ-O']@C_ճW|ϵ\~uULCfw|zam})-/oZ,nX' 臵,]nNSuaPd47Mg7\XjO#oxy<׮aVF׺Aun^댏l&3,~4S$mkVi&i;-o{iV'MU;AMYt_ַpܛ@;h-6!{'ݺ )Ǟ9~!x饗v7\柛 g{ݺO m ϽYKsaQ5}9;Ce)ζ=-Ѵfwvs~uXޱ7xk=lbQ= NuuMZoUޏ+~@}=QǮIu BRt]Ǐq7w{gnr{m[9Sxm?􍥻 k I}$pp+(]:VGy\='|?H ɁwNm-o:t;m^ر^5N^Zft6 >.;S~zTmA.;oҫrҚjhݯu~õz 7>}[yꦩ~;qo}IS]#OWb?f_+*OX_O A0c t;X}ExmiU_Z;ri,8LKnʧOa]]f 綺}jpf[IN*WM~6OumnS?-i[GZ^\u kǾ&Rبq_WeN_ ugu,J臵,]W?׌f:NKٹTśqqWZjfG, ӴU&x۠U}T~_:Vmµ+,]׬:ҷ8^hismfKn#){m~kٝ_:syT•^urGm%=8Nǹ8yiMuܶ&z /|7}\m}t F~ӧ|UrO|uLd3!WmzuS4i+0ki|IG IkiH3[_k)S@ۚlg`ת<'BO  (j@ϳ'  @S*ʯm#  P_6fvv-[T  @? `i|ܯr@@h*P~3A:7m@@HiI#  0vKdZ,!  PWغRC@Xf`3]+G6@@j `?q%T'  @@{  HPk;alS1# h726@@(P`m*@@:3~tyN8@@@3MH   `!  M6"-  0]  4(jLZ@@! 0;$HA@@Z@@(v   c(Z;33^=H5  ,  `|M9wzGGue dG@l]4\#@XQ]QA@$P>KA$@@r%  *ᢱ   `@@V@;" "P>  B@pfU" L3 @@`NӣM_@@ h1o .@C@@V@׵kֺ'O&@@U.P>.w_ b0  P P|uP~4oo,  @]|5 R." 
h7jP  @#u~`УGևp6@@``T+`s^<^YX s+it  *P>#2yw=/9HA{@@h#P=s~6*<@@@2La CrђG@@H`(k`Ӛq]roxۭ]m&s4)  4h7=S]qIK  H$up  :~· B@,%\$t@XIؕ ڂ  05NE@Xvw!pal6|zM  V߳^wEr  @Cv\ <3@@%5"G  ch5n[@@`jg`# ,ԧn@@ `@@`9.>u# 4(rd@@h/.J@   g`?hV@@@v(S   ̸_xmf梏7    `?7{;gkNrƍ_LB9E@@[h">5᯻>S  #y)  0 `'a  0ǚ" !NݞIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/27.png000066400000000000000000000550041303637203600247570ustar00rootroot00000000000000PNG  IHDRtiCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx tU+wgpV `03AC!1c $$73@aMb$0<b d#2<$+͒G;B:wwNwZ:v}{R_]_on _~?0@Rǡ  BI=@v$$u hiiWU3@L ވRF@;0d(a4p0o{~]@@@@RǑ  BI=@v$$u    dG" P@tL 3 j[~SUԻy̠9@Pg3YٶFD=dHxkD[1UkG6FMx+:'cqWbs=+GFJԀ;p$H#/4O:/FI{V$M-ߓ^ X~^{Ϯ_DMdOҞ17j4@Gg;{I&ssi3Fyjްb|Rk zl{~jѦm.O'Mn6[NrEx7)IP=^-Z'u=)WQb/Lu HC켸-4NͺBv7WMh=7{NK Y"444cv_4*gO4f9_m*ZJ=~@e Nժ9=Y%u dy#5@h0 Δϖ sF,^y/?X jǩ pVSZVw>|VXѱOY{,S!ka35|PuߠMe%T)Ȇ)7~4ӮSϋȖ$7clU9sS;+>t֬h^,\*߮P4){WCoV@uCԔԚS'}WAJD$D9N=#\)d@ 8p$Oh |lQOK2k=q}-b /H)LrӺŒܐ\ 7-&kz`Eu[^[v#cbŚi8!y⤏L~x-0O *I.B?LD3S uJ\n+߅ZMCz ;wXI{< \LYG<(^TDzf~Osf󖢇8>mzbQN=j#!޴W>~2[f%kJ6o:ٱI3ӀN׿iM)4MqO>y5S6V!p= &kta8w^969BM/0E~3vܵ,~J Ɇ)etfiOʶ%qZcFցѩaHv ]mZߪ&v溮UFJ6!8 ezZ=zĸ8{mY=?-@kqI6!ڈ1! FG b;5G<[4yV0Q | rFgO}U=WNSwW 7y/e% ,K(S^gA6L}(&zeJTCI?y7'pyK~,ș[nfe=>K͝{D$ԩ%ׂ|(@48¢Ջ(黰d3)L̓˚>M9}JƵy T=TVM>1z M!1Tf eZڴZMVKyd[9 K:?%)p/~*Z;wϚ1p}Sq!WK)IO6ZQsWpy^p 1\Mk iU"WY[TajmHH}^xK+=Z@}2!nlQFѵRNFg&91F).{h+2mGd륫?>^V-t`tYg4~Ln Tϴⵢעeã ;?3#IibΖ5+%cbpUN=/ǢVU=\e$yw/H_/hU"W鰉2.$?;{sf-FpaD9r̙W7E</vKNO-+L"X?e?|e׀9$u[&P g4t[;AlYucV췷0 C1yO@@ 836u%<@CnYlK@Oݍ{@@@0QΛa@@HIݍ0 @@IIݛa@@HIݍ0 @@I 顉+ @@@)e.Cq|y{p+(.e{MP   :g0h4   +\N&/8=Eߑу$wܗp @@ (93  >II'w  -@@@' nS   :E0u Z4-EI=hiy<ۄA%$ uk~緮|  ^!$:|yK&V;5NϬxhS;Kܖ%V[ZZzя9v Ljj2 h  !N=r/jrr3m*ˋWU&#k1?}"@@eI)l6A¨ĩ6uX@@@ ݧ.7KNrA $7e=ub&>`-//4VWs8O\CBahŖfD#$RnO+A@@'t$z`ݦ1ƨ￵ +@@@ 4bl*;tKfTJFnG?*VɧO'NXS%.߿sWẞZMivVT OLX~#eɛ9d nl %a'%$\yW<&I؄86KU~= yK7h~-pr]Vm{W/K1+{~[r6uZaqx{%̇y~;E„eZ_ -6kƴmƍ/$x %If\ϟ&ơyU6rn<@@O]/[up@Oyh,**f$,^b4Y|etf[$Qrۆ33 \ro*S@@@Ǝ[QhDdźYI> ߟaf{7m.RrPUR}&.遂!'OɃ亘(_?-@@O 73+=ym6m^zm6W.%)0jVoVS 6[G-ߩZ:V۫J\<`Dݖ<%/IZneu[&GJ_oEmm54z9,y6&=+LYV% ȂXTqR􄣇 O@4!g.]M(h7a-j6-|p*yQ^he^y A@@%uM(c27э23EJֽ;ܬ$  ^&>uJrau:`wlgh^0KRLsl [=C ,,3`@|:u-;1o^3K*+sV{#!LkBx:[~$,  Sl/7} 75Vi J4]w)D֢}Iݯo'mXǟ=)¶n5 C@aRw ο x}]uQ Tfy3oSvd5/Zm뷟 }.^U{Vn9秿;][o.<נ 
N@{ql11"=4E/[tXNҺE?9W!$lap0`}Kv7:P&>':zc#|"Cx~eWdfd&OYa$e$+XGՙO{w}o{ ^0yZbJ42ÄwJX%čLKԔTz8҇4 X@ 1́--'Y{$MzwK]sMbw;AsMk e6NO1eU:p@VK<ߴ`|JE[, ( чFBR:,\i!w _L~l,ܸeO|^^[ԃ@ 0SFOHQ坪*0bq5u7uc7k(Cc:OЮiOq؄ҹmݢWLoj씢͛4@Մh4cUK=p\`IzE4{qyLXa ymMUiU"Wg>7tWu4n+K ro57$6?|ԐAxhl6w&K=p?j̭)ӾyGJ׊^5bxw@oH1|&f/]7N6T&—G>L_ ZgQ΢!Q'{i{h<8dN5(@P:.P~fէ䍒^z:EcCYr=G2~N׏250ߤ-gUݿZ kč}i,i`Dz g cԐGui~"'޹k見  0S)r "T/,w!i ]~H`Ϯ=/_r~;\ (SFTԮkw'a`kY^Fhh:C(Qts|D51\ﶣ(0tޕ[\?Jtbu-5 W+X[M,#+<ExNs5uviÏ7肺tː1bn۳+ol0bO   O$uI||U>5zQRMüB G"ن*zoUHc(MN)U!nE.(pڝHEFRc:s)W ( ¤Kg)<0;{(P` l7n;sN[B<H(Opa=zws( DVEqo$nvMe 7_]ۻށx@&uhKRz=v   j̤ΈQ 3no^M   n'pp´}v_RӴ;[ҥKB.@`z`!D  NPS3Uss!P5J \͉eGO!WORx!  QJŷ}{YՌafjh@@s|ǭrٙ('gMP  >B@IOG\W&:{ ͢ A 'GR.'uJ/ek:^|R.|84ߍV/wqVQ r/z/s9 =Ssn!II\ `.'uM2wnyЄaCv̴=V#EI?~-c@73a (L>0Лl/<t,0[*X?k:n8:={ؾIUNNkA]FL\rQ  S?N2;Tzt;ԸUxx(V_4 fI^,K"w_^c&/]jY\'OMg6J桹2:ڝ?<-Ӎ ^&5臢ym2.)W&m1(Un޴|]"a,,*;^h@n,nR@ G%uguQg͘usA=vjDު>rP䖍H=w6?(V]Mtj-F 3~3c[qҼeLm_=7.J'wi[MEtI"HvX>n{Uh_є{.i4;jh ]$@$m`N1z&\ @%x:>J҇+W-ީ1th:2= $y'T{{ywĠHQPCZUEع[nz]_Y[ǚ”So\rEG.7S:eאͻtV jIޮ'y, zfl<(sӳy U('񏏡_55dȐW6 %(9cukP2]nZbƵK w45sddpz!C^0ɆcaZz欴YMGE;+ܼg ۇBT[}\ZqcfIԒXbBR զt--;ʛe|(?XT"EAjޫ:e& t94!Ezj mgʕY~ִ)X DN @$ؽ  (Jr?I5z0)PBq%o0A((Jr\&N,XS@Mz*=jQy݆q>>@@w+Wtߠ9t1}2j| @  Bm=uMMvn6}Q]UD 7ADn';::ԝ0Ib~rPFuKϙo]55C*`tU(.7Qnٚ5ݔ9Xe7Pl#QAx <,sືİWGSV*m5   &uyA%G@@@1EuZݺ&ˎ c+{ (Ju@@@A@{ql-5[hPSv2fe껸xZk   jPrvjW`Z& q;%ЦXtSzc~pdTclÆ=&@.{Kc(_ȱ[BRw$tI@iRR1|@fQ"a>dU4i~D @P;4EhLU۫{)Wmj@@g `U\؄xFwFf]a !1QqT_ŚIfOM=ZUV*+WWOtX[nqsi3FyjVo-HH[AQ<}N:W@5hsK7v|۝j&wqޕ毨h+ҞpFz洴YrX`wɯ7ׅGҽI i!=dFMT^Mi]Ah:)!9A" VބWl򍲩Sg YS**A$04rhBetÎ' S xfje.!Z)&@u98V lRg=1!;Q9SSw=uA@IёPPޕqC+PfA:A@@ Խ&A@@@ HjPN$u/@IPT@@@I a@@ U/@Rt5 A:A@@ Խ&A@@@ Iѣcp:A@@'> |^e; Iܓ>?sKבVPoisڍ$~b1KLeP{: A@@KI]T[a@2fr6 TnJꝆ+^]> %y9;?Ņ?-  #r6U9Ycնr*\=@@@5I5j6\?7qHt{z|@k7pOR<`ګWt}S9!y  gʗsh\Ϸ *L   Akf9PgMeL}NSg?cɪ7sm5±^;'zs -Wt[7 8EFFb"Ǹ@T%m¶F0 k: S.~2:fy56j@NoPr{y+$U@2wMmͰi4"59gG~bĐmeQ   ySuMX}??{VL 49B=nt\''<?ǨL5Tp섬f]/o㓒GůX[HrOM= k װY sgOqჺm*+:}~jgEOxbšY=qGC]m?:u<3ېp"s7YVYB$X"ݤ 
s)7|qITrgȡ-C޼Ź}Ci0?g^n퇇%9|Rd5Yr^Xp3m?;dU|wjCzk332~rƬ}a?Pa Zrr0/8H |[g _H*%рU $`|(t:۲tN[L|Fڇ|$6]jwi?ޔlRz֔gX>^|coeJ.Wowd_*.)>we}Jd.9oյ :=n u lI4`@  sGO>{𣡽}&s`4PWw7:nd钅 Ə:];α<=7.(WT ݷ%рU $ H!/] rHj:45b +pگo/̜>`q4MjڴZMVKM]'! Z K-yCg2a4/,.Ly:[aglI`@e@}2]sDߪx4! rS͑OjHϜ6FOd!Cd6W__Zk/}p@/|}{MI{g̴O?;$d>56 һE%q  pǘ}s#Aw%&$+?>x&p"%-.3&7$bXu]MHNеȶrUJvax˵ ݧ~왩't3oSKKsւ܃{ QwN7uMHI XKeU%ݜR>uz:uAň|L 3tzD ӻ[7n>zPe3 %%)@@@B=I%zmk$X5~t{Mo޻OlPes=NjhKxu/Yp7&u@@@dt7˨D7 {:l U   Hޠ   7҆q* t7Ul.#GP   qHG   $uuB+xǑ CI]   'q0  @RW+ {9 :   qHG ~&q7X5^Uc/p1Fúm=@@׷\n3xhh[8GĒ.vǪtG ڪDpN~ 9\ޯOJFUUK]m@UP kM7n={w3=FPF626mt|P&OLy{@GO2x _K}tqi04c'EA5OM<*.湴MMg?7GynͬիE˖?*.~/ u֭/ O'WyI$bm(xȚ7okjH&ZWXhVےi*&uo]Kn#;2Vӵ߲SX㱪ß>TJFnG?*VɧO'NXSZ;{u E7hSY sS;+H~֬^񣡮fv:} BuՎS߹p]Oob6N|ށO!2weU]ڒc@EI[}.͌z)!wU=7MvsX};G ܩ ש@%ؒh*x=٧͊^Vƈ2e6VR.xu}AӖOKa )}aqa)\+8cK  H^[FiG?(?ŝj \%kEEI1 ڡ~왩'7UҜ T Ks]RR=@ ~vF2Kfnѧwn6L}toe3 %%) X @GI},\ĄD^n:Ar=$?;-* !$;0)GF0Yz;%r9@@Rp@@z{D  `l"%$ۡ@@ x G  FI=v(^H9@@Rp@@z{D  `l"%/t9x9IDDȘ؀x%u,oZL#{?@N}eo$3[.UpM]1:4"=Ӱ   |n٠ D؈ @@$t@@v&urBֵX.m B/ܺ@}tA $/rq+W{j|Dy @y ,IS{ rhК54^Lxn>6&n8qDH IDATCi6  L$5rsM}AS'p3#j6'Ol=S  N>k,[ʈAÆ * [th?r =22*S=et**G x&]ol,sA]\IS㠕DU97G "OwV2w'  &5Cf6mF?9Np{իb~-/WQ$I@Sͱ<3|3; Kqw@I]Nj4όs$@@K'~5|TG|@@c|.So1{ >@@N<pڄ@@WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx \TUof\~ n[n`nZiFJeh`撩if>>cbZJjk<<<>%kj47B!r@KY"@ G@)n;{l yNN(, Y xӠ~bȇ"PVl߁WhIqo{F(@oX-Zd /]?$YgJbq /vAqࡃ*ku6 K*R4"@@e[dJש_Go޼ؿqǶyke׉u[`+,t?˷H>r1vj#LW\"(zE Xǐv'lݞ/t{Lz&.3VeLfzʥ[*X>{,LD"3cҽ1iqs?ęmӧ`|м),[i)K]4E|k͵4S ZlWחXRp!QwDp ʜz`+p8yɑ MzDf|&KyM4̏Uα yVLkڼiQR[U0*?OK99irmPZlW@@+DnϋFZ_ ɂd(~`Tok8~>3Ji,X3> K٪ Bj5o ^yQvʮ QۡqfcUBvAcÖYw={ꥩ)^SeCy| CA^:tZm!oٖ5m:rBЧ4J(r<8m~Kw^ѽP=O޽X_DWzk! 57wjM<v^fKe~\<ւ&M=]{._~K܎&;._89|MYVMyԷ ;#lF^w>>Sd?6bA;M2T c/oUA5x/UZR26UV&,Kqޚl'y]s`ȫ,eٻD_+Ξ;/p;YN &O"N{[xd L@wbyzBxg`u6|p 쌝bCO=n˲Ϧhy-G2rIJOhOSxFKՋUCcϤګsfKL(78SgDO}SZ6kv ޝ\GME9ENR߮`7ݹUۋv&T FFc v@ж]KS}ݤzM4-$%Y^JW̶UXC"풂RzJP+󪖾yl>FO3u_&%<  O|ǩ:̻yl!#Km{vل+fbȾY?q{tac6w3u<3h=cSWp퇼G.]}`Wc-ZB~8}K6A8c> N?hx7wߛE.q_M[OIx+̸nጏa{ʂ؇]kxͰ0SV[}#٩S'VBϕm/gqZwPͺ7)٧nRV=Af3oc0הoܼ 11xfǕ4~! z4}ju+],i\.}xVV3] 6.CUZɻg,бIp(&=DJXzfϚmog!oGxNBr ' n@^z|<%9%+z*څxo֩#˹[PGf2"H2?{go4nRP=ЁC;]~2Ĩܿ97'(q鲥8!;LVBC;zmG惥2ҲW@1[zȲ {Ʉgk0֓??<S`d"PT=,s̊萿!%mO8Z>$QՃA03.& GӋah8 טr3iX+#'/.9ծݒ\r;P y>ϰ~:?Wf+}dVr]Ÿj٤qmz]9%(fblo+) &O1䈞8cwԮ`pߐ1b$}nhjº/)zCgNVbo~z :>'/her钍 ;ij%k *`iq O]^bZ*>vǜB/ # 1IՓ!' 
@'Bٴ1l] wUc:7vz ~ނƉӣNjQ+McLOЂvBonӸB=\QWp4u"_)qwƾXBM'6ܽ}=3 5֦D 1(Jbq,ڔ2^af-7SUo!W9d`"@ C4W.3? WsB"mO1s^OmnT2{=Z^{^y!7[ *û4f x*˩- wsD=//MRz7wyk)q.*A۴S(7,29j[ "@W>˔Aۓ3h{3ca֐D^F;ƁJ.㌣{hMMOٿ^ɻtRx}#}Ng^[6ot8&p{!+ot"ǎV$PrT D82SОş2ᓃi{<1/*Puh|랸2[Opk`V<;4zr)%L.Y1g/Fz۶j3`P{+D H,U=TsgLaL-ND׽=6yMطPF=v-k_>4*"@ GU^T2 D"@@(zrS3Ox~rP 鍄Rh4r%D"@(RP5x_ez+R -6RD"@pT=ǩՄ"@ Dh^RD"@pP9hP D"Pzꕞ!@ D%@v U"@ '@^RD"@pPޖqܙ )U"@ DNE73N D"T=⥋ZUuHb* MD+0n"Q/a),,(*A`Ϋ!Ulo`B%~-[I]rƥ0t-V[DS].aQROBZzVX+pJTՐZh\ai¡36ÅC+"v¢44%V,!^dR"@ D DU$D"@@W2n"@ N@@iT*:Xkofw+.a.#+K9]唭"-UT&#XHQHmԤb%% Xǰzr U$`ْu6ڌ`= %D8;g-X+l?f%NDė^6yoc_D6 o6#(fkSP|ܽSo^چ پ}{Ka/]7FzMztvV"IvJ+k+ߛe8*$آʞ\lU>h6%]8韆瞊RBVvyVEnȡ{vO9 \9E'l^/}WC~r*ud@_~;v<Ͽ bH{ev Mr)QWb"ɛzHc[cM.pӆMU| XR\=8}glѲ8zL~ZNp“5;}Ͻ[G!a~'Z%8!~ toܠAX#ZwhFA`5AO>:rO}ؓWzu^,b%8 ֘gU>NP]/Z7:jࡃ-7N } ݊ݓhN{RiQdUaqyyy2dAPb t"5n>B 3W0rCh D5=J753\#^lMM믊aB+yP ~L0Vّ'bjUχ2NT Lu\EWj1_`Vp8!b DQTW)UP\㔶Ԣ FAH%5i.>8 c.sI;w:©6lN9q+=̞N?rȋSRo԰Q_򂌂bpkeyRđ [jͭWwmul#VS0źɄ!^CbҴߛrTu/^@~IC |B4!6Ǒ/q6vOZ !(a1&AkV7!bs3BkVxE8^ݭzl2V+4<ų5PU$ Z?djN%D*x*bNK5K}U5VKsz&E A<*l:o66@/U|{}式G5/[@Y VyqwNp>x|?d#'O?iSq0/wA2˿$  cWdM#/ űԩ;g46Q/ۧMLfR2WƑLp~_㐨?3xGϜ"'PN\Z7GƮr}ko6 }T(ݺih;*bu"H/.+׬5n}XMڊM;GN&^Zͤ'n/ ݾ;qsyr$L捪Ԝs UʱZʫ_H3exW!>!Ç%Q@d;HY&8QZ^| T2j{a HRMk{\4{͜F2ASSc`8Җc˗X93337l0)+a W<c,}:2vsVYY|H,UW-r>e/w6>]h}޿c_ >۴i|kV>B&0 Rc( IDATT<8o85Ң0I3'85XGnۚbo;N4|*6 ' ZLI\uiρ=қnlөJ5iu/i{YYY#KC?h)]:vA<*hNjE7Ԩ]:+eL'Y3bvwz8$[-SggϜ1ǡj&΂h}+Wm·fKkQ[mY-Zacde*!s(V9'85XcB!qWÇ/F| :qDb@d&.a>Jn9.$M%5~5{B¹7i/c#*{#CBYp.Y$f24kݴjy)$4U F}ġ(2/[~}0n,5ƑdU>b#MJ]Wfq!1sLK7]C4!rʑ$nI^ch+a1`M)1fMGRn!4|yseefaeg"OVIq1< %3d'Y66!Xȧ %E񋧪tb:'»8"t:jz)7QFm[6,>ֶe˃G]b~&ERrxcMDYIc_ڰ]^sZg-5w옱ZmW{2 lq#Ǝ|1Rq;0FG-bb1ǴhӿO: 8#c(a9vx"'G,1 b1#& "]p(ڼ2]hGsd:򝑼i'u͢#WRn!>"<] #0>>?b)zޤfӦ"~^T. 
f+xmb׮^]܇~QD84ٌ`)g'ԡ bgE=Or5?'>~O |B *HD%.>Uaz<4]!lE"LOUr &=)p!Uʮ.\6#\qӈBA_hH0M+ޢ哞n&d-I\OsXj<*`!xǨT,ª'4^36MK4;:yh\yLn"':0՛<aOh{MYM vh4g͘u9581q1Sπ>|b0nDLZ3jRTM|X:߼Xgi ]إ,j'~8N'd7y/%_Yمeq1D g˖.cֶiP FM5X[RTP%t2qhA-NMSز-A=/%]Q3a,.%,]㈦8'`*٣' (BLWᳮbbV=fv-}d?YS/;r 7,Z>/, n>Mavm8b |<-f霰NQ_jԘQGY$n 4>!>~büu.^8zhֽbL.HӧRNR)B?v<%Z4m1,iא i9#-[rq'x'\4'rhkCrHg +׸0.bioڹ}yR/K17sBQȅ\8=ODOLdVScM{_w'm[I |9龯c0̰ ?hDCDz o՟O2ˁh'K8_*("@OG O(D2!-"e#0Aa'mI{0$qם& %d׸✀dcFY-aẌn],(~ ncU)++DVL}bQ`%1V ǽ;$66 8ŕ)f>?(vߝXۧ4sg#'_.Wo]6|Y(ܺmkPC:|⸉H|r8\r9Bťs^}=`G5B$K&jL&+L^8w6n='Mh煺РݰrV߹{ǧ5 < H.lXfae\NBZNE`,6KQmkO<QC:KXuKt LZ_-܄1q3=iko_ǺǓ`LY9qOF.xvP͞5;~C|@@T#l)D)ɓ'ط5lRryHfi霰ۋX(9`5G偽wzw:ӊѫg-\peqkJUpbN={M;z\Mp\nmk{hy/S1爱#͙&"ϡg=ͩ= i9u-[؁'>9 h@P<&M5SWTn5qlڋ0ԟMrvzRLVdl'60nFWWSz׫XD4zh{nƝ,ԫnT#9,v:|hϧ~(>6>gvҎ$s= YLϰa0b 1Ƀ-ny)wAqB{3̼9n9@ûF ݉:q=@n۶-yɋ,2yP1xʊG,bf{U-IQR+cyR7wh KgDGpBZNH`,^{VyAOD=ݐUaUlOtxλ:<Z8i%4(aol{BĄ>PlJ,MdP.?((>5ku_ao#j_7:2A  5D]h{,+O<7L=w N Ք^9Ύ=,- `Gd5G3Bp#ǯyʜ6o#w'];w%%hֺΤ$8mY+w lXjmq }񀗠A;e8!-n#e Wn0nL1{2}[3fJxh<ĿZ-X6)h3-׊AzWkS<):Tl {t { ݮ t'BHIyذN$j2!-'eVy< ˸x1:t+ &{"ԇ]I|]ק3ePsT{T7BF;C+}L^zV3oݺbz^Yq[#͙zHYe[!X(px-T5^gzy Os)M'=i4|R8e(8˜ Qە֋6ijuٕkG뒰"_ vc+u8X+`,}xpZW~VZ_R٧깆UEE "iU[ӕ"#8]EBZN]@`mž=6Fnp=k""@ S\\EI D#`GV=~j D"{؊z׵aQ D"\-æU)\=伵5ʼnjN;(b)'!- =+i 8% jHk.+8TD"@elի6и%q5=4HCu:inQN D wddyxkh>x؞K>>U^{'</juwux^ L b-ef̓ȧvq3\'ʕLw|pʰsVی -^<|ϊ0j~O}7_K0 *HD%.>Uex%~{Jh3h{)Gcst6k,V{?}6WV\5~\$F㧵* n䰰F^|mV cFu x5'7AΊyJc&nM8uȱpBHjT%qv_,'!vEI;jAjy.Ǻy&C^eS 8-J X)0i4=Pb*VE'=s}l\TXzNo+nc8maMzA3ª˻t7 /ul;wOAM0MTLf?Fؓyf*aSB箝5{mY3f'[uaNxzz%ܞޞyEC&qtt0I2ܓ5"%(yixΣ o\ʪg leQ(|2sj q~2z>IѳGOL F/"YL[(`?Bf6axY#, :th8R l2VC4smڷQ>SZī9fqQO ZZp>% -1:ńy< +jxS4yxy`Ӟb& iKlR̍]d~rOsv̌_n0@XS,D1]ϺY`۹k?hǓh,^H=vnہAn/Y}*_XmN}??/I:,ڮ G~W\ '8)J h| (֙Ư[5j(ȣF,Ĝm%qKxإL1>$$@mNeelvy1 ~.uq$0.bioڹ}yqǏY󟜋g.=|G CG8|P Gͺ} .wCbӧRNIl>9 hXcco-ϝ㻘@`˶CsN (Oh܃Nr.hi+Rq[ s3Rgds؃{<)Ł&3UW>,g>SLdIYqL@RcGw3lOC?@X"2G{Y&R}_0 ^,1#HZɖvE20L<&dg{t+D$|1_zlL2\0&o1~Bq0¥sK3N#E- ]ݼJ>3#m8oZ@TPx!03s N&ee隵krAvBޖgۖms=I{A)" `CZM6 0FJn +o/ϖhłz̼Tbdc3%?:aeeeLJcӲν;$66 8UVϏ(uֵkW> 
xFNj]ߺXeǢp붭٪ =x&"2C?XA(y)F[1;+-߰ kd"L^8w6נ'MvŜ nAt+4,ݲYBDwtw[;,Ư_ \׹k/i;we΃T0<~e j{谋WN & qjz HTP.lXla2-ێF=qp@!⺭ Tv} {IIDATZhPݔɓ l^MB۲eK<}p{$BBz$/6 Pֻ[ԙV^={-\0ng/3nQȜ, ct -ǂ~AHڑPΡ|qv>3m/^&cj H~ <p¢'D~s<B2A*gN={M;z\cp`RlKb*Q1vļ96uۄlg'-N<'l@21Yh xt{@envMUkYQ\Mj\cTvQ7 1wf^pSLx4N!|m:|hϧ~(>v4>g6.\2A, ZךlްٷqEcӯVYd|{EeB6)KX•+V:yoz‡W hXn]#th,׬wG_/9q5mMS ®Hɦ'8ܺrUↀ%Nڼ#i?aqD{>ܡ5κuCk7)*09{9Zͣ1aԙؼѽKpNyGpծ4k gRr|R%E 6_t](X^17_[}+7g, aG6/[ Y{Rn)Ů)ܓ}[3fBE%kzx Z,ru*& EAzWkS<)ךTeKv7Oe jڗJSL D!`+ݙ\~nY,X@CN"@ D8T=gdf<9 i5BZGMNMat <;[ "@ K>U٭z23iSs9zQ)xjEmC|߱ء9ﰦ"@ }e8Uw;CM%O+*yZ]+CK4R)hxI 6lBV /|xhC?j䤼yUex%0=D%O4Lȇ#a~u @eYgiڋ/۷Zj"_;}#bB<Í6rkOޟ5ą]3]&7VM[NjݪuG;Oisg#'_.Wo][ 莬ZmT=<zMD嫗ÉZŬady)fBD"@@X Xx=^eڛ &nT/ɨ]AJ~fճLP֬ZÜ'SNA0?5lRr[ly)RHbA DT*W5f;6jt^M~5W>zN=j4BI%i;3XB^2Uf£9,]AAÇ/|cp]9v$y^b [p`WqOt2W/nYTEy)wAqB{3̼C DTeaf<<j|'<!<.́i,`rvLJUaz'NXrɓo~={t{mw#[17ASXlPM7ƣyr,(jry!F //KPZTmMVšvZu~Kz6UXW Zrqku?.4:aS,9Z;++ҊWrG81.+u +5 zޥKhOk?i ,ҿrlVM lhj4Y3f5o&DO /9+5m0JTQF怱ZTN _-}/EP XlҀr*Cf1tXa 5 jZW/n s ݖC ng֮^]֣QhY'9sqDf3e4h7G7l'80fK9Pf=Bu|i Pr_(ԨiXdi{4jB|L*0_*O Aw/s1O =çV+pێS Z\ȿ59& z{=/^̪'-x"+ _qyFZCZd{SVqAU i_Bc J;w6qGK]4|LȈ&=lrX5(yⰁ_BAaiKg8EÞ6Y*'%,]㈦8,|Vbn lZ)v*S٪lnը1@aԈQ8RRRv-}dEN\CB @c'ft2~<1 ~.uq~l9.bioڹ} q1 rsţO(턩R9[6<v~<態:uFҋ/=vT)Y*O > Sӵ0Z4m1,i%Ͷ؅aB1&N&|&;cߣ{ǎ8%<9|&xؿfӢ&| f\Z;J3 |¯w,byg869]9.=r`ƣF9g5q̑wxZy6m{m>.SѤIF70 4ɿY"?\f"RॗQKP +ZK;p.re\=G#|\ґ^q@2ڥјl[R(,޻nEM)W^ -[z,%oۥcalQ=L!iGC[d}Yhk\GU zQ/dĚ%_q_^KX*ӚZdq,ɖKeص9jDتGpX5gR!}(vȱAcJFSM,k\qTfhϪǫBNAmz&GN^dShs⡩ogΜtJ:H>7G_ 7w&D3>'kVm~x"gU 7UB#OI2 o'3xѣFϜ%ޏY(f{dƒKn~85[x-;pNj)>h80,GR_&gDK\CoNȀА!!}Cz6}C }34|x8D 1pLW 3'lHoa|ʴR&iK9R|Q&|8%Ekiʠ҉מa[NU?}G 3=>X9Ed{+|^d_pv_~;#8P&w2Oi󦡃BeTCɦ'8ܺrUbWǒv'mޑ_8z< g:ud!Qf}=ƀׂ: ?.X&c>}z憾sYj 3lݪu.;ux`Pǰ76l=!b2A%h_X۵sWRfLJNoJ Sp`-E^<x j[4\֝/9yWbdϾѭaORB|6?hW p{|TRD"@|[}@5 D"@@9 URD"@|U~P  D"PN?!S b#"lIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/29.png000066400000000000000000000714301303637203600247620ustar00rootroot00000000000000PNG  IHDR8iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv 
[HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx tTսӿ mb-M|D! ,| ^DVQATDr@-(Z ZAB!or\!Ij\Μyeg25g}w眙*02Wy  ӲdM0'\!@@D-3@@ry|4z<# ENOccԹdY.#7ݢk@@ Ao T ?TnjVN 2\9*vϖ};_zaJ  @?AENa;+'d0N-O:WlX?ac9 Wvr]9x  @7}GN:r45l:ՅgO0]F{_~aU({Zvd@4h zkh?_CANr=. 
y\etUQy RB UKr:=]Vk q[~= JD@ EO> RxFV}qcx<BN(M wѕatjmҺ/,5_sʕ|wG!.o7yB@h=r?3fggWWWv;[7U=9B"!#q q1wHy|Œ+7N\ŕZwG: {o|?4yml26v?J&*B d~Z懕qY#s[|~!Ͼp}dc`Ң)~{s奥EgsnѸ_Kd6e {憶VT9Ն @^CtN!Dm  F>{^u/lhfexrsq)w;up[jyouHT[rSUU~DmWm8FNtϮi򔜜_n*ͪ{>xsK:+6VDRSVUimZVΠb;䬕U/2wm\!_'+;[x*ob|o4x#NYբ LE` 8?9{X<4cGN}׹ݮKTqZCB߁$aSI&WRfè3X?ȩ[~L+ȩ{Qw쩬2K+;9t|쒼5燐Zdo͖iߍVR[[o`Λ.Uk]}0m2`xsuZ'TU$@H@# z:U ;ھ*`RgEBAZXPXTdr) LXV˭K}zegrߕJg $s7n C\IMHrytܥC4VT7dk1YE*vK -ϧ6v4J!wz/K7\& @ h(ulkQuBAMrI&Qr,T`AǪ)r#d>JJJh1|Tsҕ&3keM["Dͭ8׵ۢ5 mWO2 d߾\yKN)yjlb)#ˌfrd'Uw>:o>^&みVVo`fv@"?oj ښ̛[fox  *~#/| njދt͗BO-GᏜ;zisU[_m݁oO#s:3#^GImA5u%& uUF^"Wn^lY|@nӔG͇xϬƻȗޏ4W.R!{Z¬sT@NmrU)w5O @/>!3)U wGWkcD픓C^Q+58+٫Z%j6 #ΗrhkhCsݱH2KOu޽꼑AC|T=[2elٻ:SB@8 xQn_XǶOCkEs"FNY~{G"urln*+] ]={,*SWߧk S{Hv" @LԽ,mzAo mo9p\qܿZ3Ifcp'{i{Zniy:i =}N:5P@b&ĴegOʯTXЦIo;6v&vâ&@%~!Թvwu\|IB|+M;re؋ h zkhHcۇDN2HԀ Ih zkhc؇Sp@@ tښ#' ^"cH# bi<gQ# Q9E!  P"'N@q) @EyyM$ 6  @8պ M  @9eD2 @HSi@2D)C&a  @L  !DN2 @ @d@@  rʐd  "  dSL$@@9%&@@ C2d" $@)4 "@!0@@ Y h&Hڵk[;m!F]Nӟp҉'Mmr)[UQ^IOH_}՝{:[vU*dCfFM!35+,@С56z&~o26:tP_FYtSsmqKEB n=̊pLFQ 9EA),^Paӥ/}ℼwƲK9}os^|e:f'M  r*u&S`uYSM F5|W{3 ϽOBM)u1QuD* fRyv[ 9ڌП 946ZUivkY w?Onj~G;wzg_E%Cn^~k|ýΝw+//.a~db f/|:^| ǡ#.=1\&267hمS uIl)31et9 NQ#ɱ\mNJWW|kމrru >fG(꯫問?ٴa)vB^sJ\wU*6l"{K:wvG^=.ش靆SNqAR啫_]~ш+Gp%U~ȄR y dSf#h?xo1Іw6| C;7ɷ_Z[?|eSgʹn5Tshߚ7\znQu<7fϙ_[Ȁ}29PE{ͰIM%b+l<)g|f+a>7qgU~s݊gtns$uJijPƭ-\R9m˪_V浗yau&:&<6oZ-V|ZqěOSs<9t~sz8籹/|ڔq#ʇKh.p@0 _UevL vDzuu%/*D6 dգ64ҲeiԩS>rz^zKJbo>R2vZT 倾=;K=*Jo՜~ᄉNwqu GU~b񟖪r+)s'wzI+ſ(Vj*_IB2+vWY,BdP'Z4q`Y6-m2$Nl4g1ٵ{}8#Qy! _*j   rʀId-&f8ȩ  jĜg$|K c:ŦiM?tpB_aL4Y[qu'}$xLvoiE(!u϶I=s]WfʗI S3$-'6}[mOJ,u4im[]+^j^wL(KB·qD_&,3Q7q˿Me3-7̯|DƊ7k_'%H;֥ݔ1W~{lݗ;x7ss;YLU]CGPi(߹SQsp0{)DQHtһwoyWo{%=i>kWݯDVrWW|s?Uny>[\awNݺuQ3껦F=TB Sg5U"BEEfݱŕM+t˽W헞=TMݹ= n흏O&BrHG9t;rEeȭuZÇTfȄ-(Q*ak^V7;t>vQ,iQ\Wrecn#1_3_mIUlUgќR5\UlK>'-{CO&!d"vsJ)mHeد8h蕾JC.r[U0KfKz*O1ڻתCIE7{/2Xd7yr׹䨚h\{-#&c ۾! kolټe&34=xUK)x%! 
UF tp~xF5sB# 'f{[]*@fp)3Q4 ̸ޚmo*?߼zt:9U[l2}$GF ς Oj~upyߍsĎ;:UB6 UBgلj 5 yfiRX #DN)>Atrce-[˷Xg 5 }oahIyy\>UWcpc ]Pޔnv{\V7lKE}v*)1BYVl^49X3_*(c~閉hF`r-lQUɇtDj^7I2F!dVDGb81#K%p6 ?1FW@nOQ~cWsVor^ȍ7rdi N*7IoAD"z!%c̍7Y V:N:w/@r9y>r'U}z;n5>)oW\F/Q߱Ӣ,։ ڈl; }~3t&M47a-YK]Qլ(d4[).@D,G|V8\{ѣА>! G^6GW^}eӖ峕壨N3O9Ygppm./QrE_Avz#TLeܿmXUpRc[K>0Ly /+3#<ٔO 0\/>t7ӈ_eWe뷕~g[[6O'}]ugLt;Ԋ (Ddʝvi_|@%ٛ6T71CKz֭|搵iemT[Z>tG_U9D嶵|Pd P$s?]§k~>P={i;f TFNOG̣3giw;_^=njryiddו rT;wӫWeNfQ=\C,65^Ddv]U @{9IGUGߎ:^ IDATo_Qu:lܸQNj3цFBlGXb$ @ $&rs~Q̈́?U_pBߙ97jK5V~j>W\`ܭFmdyzQ܇}kyxf# ,G`WZ> z:ʑCvTl]v@y7TRl%[bFeI7+|ۺyt^|%y}5.AVN>73O̧++B,yzv6u09[>" ~왞%e˖&0e}~I'4wKU>Ԧ'6m4A3y 8X_ρ}-XFyY_qwr֪X_{.Z|*`%BΈL.5gT>M>[l\e۷*~YT f"5ښ̽;V:T5K._{cUy+aoJ[M3 [[p[1{’D Sy /jH3c\alxϯ0]/Qg댽ĭL?Q3 9WG""'i(V?/k$]99拯}.9+{o'}{w$k::IKNϾ}%Ҫ׊{{J'L~g&ɔ{VN*?{{R<|QVb[O.{g=~k/U5sVN~zOb͇OU+rF]CE2ˇ?P3fZk܍~9Y}}y'YyyyԮg+[2GG}CH@7݂_^:Ô{-̰a?5o;V6x8|!L-BC:beʋ-R`vGQuzXٟSje;FHs~/ ~ .ѧ'lEwMkʴ)4;3fHF1`F^=2xD]쯱q .9G3f殨{zn:kƴ}:kƌ9uip\ZF8jl4\XbKy.`ԑ7 C.K_5_s ps'^ڼ?KcL-2cQyثq{1)p`s$lm!9ۚIw>XblUS:K=WV# RP#E9~-~rSO[-KlŃdS>XГs}]uu\f[Rzz Z0ɇ٭&L؜K_2\6ڵ^gle 0|XH[gۏ"ܝq/e YO5ּsKף?0~ש-It鴨0[a㧪&.\Bg3 3+33 y?(2ԺݵV6HgŽ{WG.9dĆmyZW_0{ϴ7y"PHX"w&Mfa\[7T4p #o|vjTKNHc~N?.8P&!W"t]  @$j]cTOIż3w^a !d#)'In@̫ozbZ9Is-6iiF$"rtMU&eXa k@5؄,}N}؋ 4 95[B@" jsD>ʐ*n4ɋC! jUD uxȩg/B -32i,ZoCxR'# ?YFNÆ$Rxz|w:>'-SIc~m[DUߊWũ ka~;_rqeL@@ ^*?C2˼ݑsDc|WTᶒ_5Y9mPj!ȼ'~WmVe%ƌqܳgמvLU퟾{5ۘp۷lݿ=UF%"G_T_ywCʴ<{F䂉M  ot{_].ל䌼l䪗Y#+}Tf&%0lUD 3 L_Ǟ6O~j^Ƥq5t,K;pʎ窎[.56V^`,5^(53ue6{u*kWUU JDM+~AA+-RfmF*PO]]/?Sז_X¿/zT!9.LTo^}Oɓ[/|5S2a*eTJd@2͈rjiqWo-ھ~S{?<'_}U I5'o=f?T9)-%unƼI>ʗWi);@: @<u:>x-쌂}x;x]h\dg@CO${cth;0pjm# @z 9|[@HS2i@K)" @2O  ^DN5_@)@L}F@ rJ  L"d6 SzE@d 9%S@@ k- $S) %@^Eo@@ DNԧm@H/"/z  rJ>m# @z 9|[@HS2i@K)" @2O  ^DN5_@)@L}F@ rJ  L"d6 SzE@d 9%S?am?HX[4 @ 9eS 6@J)*<)=^#S MFBd@`" C#x B. DNHW)㦔!$H)AЩ SAH "t).T Y=:Z_W" @D9EɬL5@ DNI@OJVd=s.)S@  @8Ժ%@ r@ʬ"vʬd4   rJ(7! 
@Z ޺(;Ż(8 @sr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@( 1IDAT  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@(  rr@K 㬱WjaF@-ko7iwEA+rt[رo@@+ a7}+񊜤IžԈ $K%O  ~DN7g@%@,yE@ rJ9  ,"d. @[Wܻwac@ &^t4ݍ@2R N'qZA! @\J  DN9 @"@V*E@ rieP  "R) dSFN+B@9ŅJ@@ #2rZ E).T )o_ZJdz),,ӻ$d8d" Ɍw#\>/^8PE@ 9٦6H}zv5cW<8rru( @pSD@ 9gSm*!t7@$jwD,ukuSw2 mS( H9''3p_|^!DB;!'t4 @ $;r٤Uqch6/<-  $GNr)gM6}5c횪QA:|l!x/\ldV|fEK#+F@ ~Ӌ/xWbLђ\YnnU G@9mݼSN#GgI'r~zjݳ^|#j2<F2{@XSSΏ]gݛ5KM;s5ݝXvYNg mߑ] @Hed_<6̜|Uy[gT|U HS޾!_P8s=2/<ˏ$d3HUWXU3C!@LHvǗVtգ=bdթQ|?O_1\~$!jWĵ\^&OدC#@,Zxvɳ+///Dp sTu6}+p}S' (& H)3 pc@4̫uɟN~ף-!S\.J8䤛@ պ~oIuZ$Q  )'qU9=B@ :EQ  D"̺N><>Ԋ @$j]aae^08U0b׏sA@ }9m~.!Y (! @Z $3r8$BFimrd" FFEW@@ DNIG@4 rJɢ  d"$O# @ 9dU@HS'@@ h* $Y)@  FDNi4Yt@,@ y@H#8~JqiAW@@V9U6@@j]zE@d 9%S@@ k- $S) %@^Eo@@ DNԧm@H/"/z  rJ>m# @z 9|[@HS2i@K o_;k- D ȉ喇 =  @ p.# @FO  vDNi7et@&@4zF@ rJ)  4"0 SMF@ 󜶖oJZi@@aaa%-r¦Ao  @ lxgM?xj[$g$lI1@@@_[Q={#'sҷ$ 8]+# %@@DNN_@( N rr `  /@oEI@pWG@}"'}+J" ?  
W$ y!g2fc5DNp+m7 AoCΤfc5DNp6H}s5cW<8rbș4rfb%I=  s9f ;}*K"t!GI]rsN1@p0 b%`QϢL0>5c9XTr'4W* 9dN/)1δ"`Ƥ#s~}]lT>a%hȋ.4.R,j&44m,m1␣SrMq:dr,`UfmdW6 /xb{o%6'({c4V(Ə/?9yl6Oh@͘ 6}qCáSO?Ґ6mܞ^9Gc@]FOcU{*]>,13a766n myHOS^)B֜UV92~=+A999k%Whrڵ| X9$;~E ˇ^^z^yGXl[ܱc绺.J"?U@‘-[\ѣ4ĉ@ƲMw M6KW~ Y򨩩ylc|Owޏ<5Ⳋ}.>;SN/ NXUo2&M<֐oی!G<6N[] @l//S[Q;osU# O.G+)$$ok6)9Dxyyҭm*;~3I^!rsrU_kWygvlW◐+gξ{먽˖ll~ -Son|7uJ-sp$3P.X>_¯ݕR*B՟#9mFE[6otyU`%sʌ7o^M|iȣciӦA La wʺx*+YQA>0+_o\o);xrzh{.@ V]{\GT a:H=jX*/V!xѧ{// UC={1VC___ߧ::E1|p9 j^t3$n1ᖊ( ʐqSDv"ڷY+ڱmG-~V(W|n*MwudS1l}JrCt\響&CK$lj%9!;~mj1y*7bsfyof]<{x󫿮Z}RQ?غmoλsN#_鼁1ޝUJcsƲ|,A nk]3/{TsNh4 9bTpY97)W%m5c@ͮ]k'[cb $>d=zKn WO.Õ\%^}KfIO%QEWE6QwX^ 2h*+ n(dNiːU~A+F̝gbejĽ>(alJf<8[>{{Ͻe]:[?t/_ymDZrT1͍Z VsgVKEvUEH{boJ @ yA rM]wn^L#kjK6l1rQ={ؽcꕲYңD([d|c 4H2 oѲLںk%=as©:V||׌F"~%UT-^c+>+sdƦĚrQ.˺rr_<8%OE1|Ӎ7huxƬO}r7SdҸys͛r 7/«F_%?>R\O"pȤnSv~[8{ `ꕃ.pGd8r,Nc1o$=n'ygɓ`˼%Օ {cgR [}zd7B]C&=k^_|%CٕDek_ D娄Km}݇)NkH|CGEyl(vN?.8PsN2l"C7#Os!Ǩzo'Z6RޑkV܆UUJXԦJLt@qrM'D|L䔬]HS淑j/0|\;:M!K'!vEC|4b*=ZRkC%x3}"!_eNYFqp@{QF"ٟ7Mc#JReqEې4r֮DSY)5^!@j >0oi}1,^Cac]UCNy#כ{TV qS\X2O@w/H鷋G^z] 9$}sXS$2\Od8%BF04֛r)Vԃ/ D#Gΐ3xr8jQ$) 4A@ 99t6 D!@  C: @ rC@@DNx Q9E!  P"'N' t&)jhN?.bn  @F %6-a9ɶh  D)C@#"/)uIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/3.png000066400000000000000000001332611303637203600246730ustar00rootroot00000000000000PNG  IHDR.# iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx xUIG ?'5*@H`E *䋠"@N@Dn$D2F gM^B挤gudgjK;~ڵZkvuKjcn\Ix@ \rIy% w   @xk^CUWA@@OyT|:_|@ ԧ"ֿ.]y"ֱ1;7X}f 3}}w~ѭ)V|2yeO%\ 4X7߬`Y} 14 :Ll?.9NՔw8/٣T"lQr iM٩[}ʻn}5i*+sb/Q L0X"@}f ObNT[DulV׵w8ڢQlECrTW:ӕQ[Ug`yeȲCPޚuEa``+L|'>E鷶###+*:ޱ jsM R:dTVd̷K71\ӛ#uƁӱ]n$~̱vT岏؅(f{g?#lЫSlbc#/|r֑GF@BdvFCo fX ZQ;Y; 1ݪ֨o߱V_꼳YECMֶW#5i#ΎZ,;lgAk?'&5㙯ﲽ{N?lߔ?s*Y;}e݉Q6:ȧ{%I=P\#eJu\&Lz(RݒKtPe9jw=8`AD@c+ݸt+ M܂Yj=(ıs2ncpݾ6GXzr:^apn3ygܴm|2dɄq PULT@k];EV\pt-+)-P:jTD}")۞cetJW7!#&dXٮڜ)u t™:%we##Wvk_pD7dZwG*.6/V5[jaXSoQex-A?I%Z} ȦÏ$C/>ۿ,HM,O~܂ԾGQ 9<$0Y uK\|B۫QZGU䙟m;VI6b/˫O 6vE^O!9mj՚dC>DE4JdHtޏQVtD5TYFؚ1 HC\4F8gne6gc#@BzFܳi; "& -h~7q Dho :2|B/2|]hU{W۷~Wh>&U}wfD;zmlv|L 7LS;UhWC֊DR&Svs`Z^XЮ2@zuGNw ܔAļجQ*9mM7D}_09׮Qc?A,U9~s}M4.4m%1DJv,+G>hݲ FiZ0; G0EA՘ɭǍ[D %5g餔-P?ɬdY#f" |(v Ubm7ߑ\CQ1(Œ:'-kEf,@@7+XbOAvce*(Q"N&5 @@ |HG! ;V{'o'gGS_}f C}b ͒EIod߬`}<&Qx@XܵTDyh$#m \LC7lZ1j@*\ hZc  `HE֙ D -RQ x @C:sH@@@*jau Yg. 
PHE-t1l""JN<  !Td@$  B ЉǰA@:3@Z(:6XRu@ %TB'@*\ hZc  `HE֙ D -RQ x @C:sH@@@*jau .Aڥʾ7؝4Ӆ ŋaŶ$gEjz@>W&Acu[jߔv0}9ɽS(`Y]] ۷ǒ%0Lh߸+d0u@- ]Ej0)eIs@LMl3`cdr5]\̭nY\krdJWt(K'vKN+;o}wsJQ)O&8C6bC2Jt<l~Sm/:Pe1Զ7~N`NMo=fVV]:{^zt[a[N ].]`gM9haAnu5Αl۰/z?{Kx;T}nPujHj $ P(vQ4vNѧsqz(NtTg̙S=\y}7'p`󆼢_ ?0=kßϣi{aB -;ju2m͙xa^A6oW:A[=Q_մwY͛eZ:w)z KCRq`vo G,4?yd[̞&:2ҞT־OU33٢S5Uxy`t\/xl eO&;zaZOϝ{0#[+)ˮ-;kN??M-x~ F8RUv@EbL3D;*-ꨊVVѓN~TTTe:n.v^ f>ݮM,m#koU 43|!Ay:LPHL.R2hǫ ;s* ۭ=H͛cZ:wʩ5_4u4$Mwifzk#|7@A땟|tXc?nu&O\մ>ik6Mzr Jhne:$\< g+\Tu$}KB&xFAWt$zT7Z4P좂iƝhG%@U1*UfT׬\[k׭uszuAZ |ZUPG3q:Lnѓ'&wM %}q_q_L .チk܉s4S>F`W).JCRq;,ȩѢgmb;Yڤ̨ꖲ?^]_4o!-$ 6mY6.5zu/_5sӦtJGEd!GOʭ+:"܎+U0͸ӘzQA3xw;^YD?𯼋G*fގtVk~ doo7w^Qv%4ʿ\A*]̦_1~r*=C*]@N=w,' 3reW);&&?!oI}q^:I|g%W̑:E+rHn LnEto˥U>c5E˻ڹ :Yӭm8'/]U UӤO2>ݽRg R#ꈲj{ȎfDGR9..~a+V6nTkRtnɔʯjZůYxV}/TN96oƯ 7T4j@N4NEcnj|馦YSJjRa F>sM}M7Dl¹?Ӕz=; uȨi߾=[₹VJ4>cr;neUߩOe`;h?,j(hdLg;P髊A좑UӤP=V]bU,77o;}a#_={qA+tnɦʯjZJ)fŴnM'*YTV}/TN5ۼ.ܔFPqШI9L6*ԞTUVV]5)d7mֿpZjEA Gؼ=IW=,Ƹ{}TǡM?C~D S!:sH@ з-kH C|5^wf%ͻY¸ j*‘7&/ؼ h^@N>Ag@@KE&Kxw1i쑭 _ẍ́:v,g{*x S@TlKE!]ƏsGSVxŁ l4ޠn>ˁKER4!1~< ֔w@Txoӱe*qу<vz84ot۝+2#>j=0z SVoS\k,\0qԋ۽N. ;v \*B)O#}[e/woKOjKZtEZ5[0 ߂Q5C*U`>5)WNۨrȔ ȪJH4-Ţ"enHZjQ:pR]4ȂWk7|\ڍ+<Ի/_sӀb`a&Y3h++}|<{L-$ts5ɂ; orlQN]B t6 OZṾG-HgȆ@jn7llEUGy0eSpm殢rW̟+\}w k69):".iҦj{rY2S|ͦIE:kn#4vvBk"J;QbjbKWtJn니KȸԦ$qU ٠"ב Ҩ4WP# &hGEt\5͏KLUEImsfh-R z^J;:c︃R,+XR }^D%aXUs / 7TQM#>ur:3*>34f<ݟk_ zEqd40z&eJO=4;CibsԴM.,(xE*- 'CqsHh~QHl@ U*Ga`'-0Ѳe@@IHsgK Z،EiɉC4nc6` љ u\SwVdTc3MLYn/ҙq@G"*"K%S}wK[w!5K 6=[όJǏє*ZM{=jڢ@ttS0c\WlvĻ^+#nDe^/b$S_(x]lFo*-ΰP#TDv4z(Rq'K4zDzC*BŚ(geV WK8>[c. Z^$蕝kt] ,:f5{~i{`ڝºOƠhlV^rFFk/%/-N:Yf b5ZIzZ#tY9 dVZuM~oqBet Db@2YG$>ґ±\S H|1>/^10*Ҵ& ؟dΙ=}S_='?UU )dE*2$UU.* } SԾT'JN2=ml$+9A$GMRm idd_[u*qq67VXچ;,SVbkR5#t^_ORZwTU13F#V]:{^zt_hGi1ɶFq_#j%|>]X*2bzxRF&J }].=HۘziPQ sdE1&+yE,_fQJXe_۵K9+7i_݂YΧGM7cL W*ϒdX-Ӣ Sri1 є.JpMqCofD˼8)x D4Q!=YPhTdf@4ڰyBx >atvNKҧvUb ^TȋJY?yAe_@?JnjQ]u]qX1O䌁>J~e# E`T9HeU*8#Ң8\Gܐ`mIiW. 
~Av#Ա;0SލG,(4 :34(Nh[YefQS~CU*Tiq35!yQČ>"4~Ml܈1սKW0Yg@Kf<A䌁qk]/,Ģ"(8UCSUѐ?"#:\PE|/~cb̪zyD;2)WTʁ$H1q^~g_o-*yt3=;YC.UTR~Coߞ2c_U&Dnm'rd JY&6n@P1b8N>k2 KKK%9k?l ̲BAT%uk^@ _s tC R:RaH0p$eUT>My稌ݓ(NrkWxQ F̌{TE|&<7UFhtkn:F{N;pE$gWV[-RB(Q{YcݔqEh>a u(yЛ?e/^#9ٙ_`} 8(JEP'TD?}W$8"2G ֬ ;٬/!*^^jʊs^j埗]gu)/c\4HJRt @Sc"iUMivڊ0pZx5f4f4Hڸӟ53gb L@EZĸh$7@@"@GT5Q TCb LWVyyb#t.*-M}&M_؉q $5N h-(DqL"iUM* "z-xMQ6q&3lms}=֬Eg:U9kEδd%DZĸhIÁ"%,Ȍs(&h|yT`ƤM Y5Zz+7ox1!Nit,J 2IҌwG wH+)b"A9s\Ej!R5󍵵Ys̘KE* h<~ RfvUhO -TAUEeGSp|5}if̯ӧςY3##쐈} uֽOgo]/̎y'>6yZtnV7~5jhҿ;3V=*Ʃfy|&qªի̆6L~κ= R]eXsZX@۲O޶@Aݖ6PC<Q㑿l۰/z?{KN&UwoBB?׭M흚%yMȔW'}?rѣFWXfʴ| r].ݻD#`(3+RmKKRL7 %B@pI*ںgg,:̧}r@sjF8: ׮QG%򿮩KڃMK~j_v,]KKqЧS`v(_=mE{^`>u0QtYg;ձnm̦$EfvUv- iѭZ /TD'>:ѻ#\rY9U?PְWj{ hU}i>趔/#3f>0q|Ro+0eN 3^EAB@\+jۡboK컲R߲n۬: Wh\ptD^gs˦k*F2t~ y ֬\ޮ]8[y JYS^ V"&ha-ʞ؊3yoo~Ĺm+ΕoAVK?IEc}vifFro|rY6^$G% /-_gGq۶\eͱRyMl[&@;f\;Ϝ-iԇR#Ǝc7QM ,V 9lѲEǤg/Z̴(_JA&}nMy#}ΩvHExX@fF4ґ8ur5/3wӅ289s2; ;vLƸZц46XHIINQm1Ȝ9˰LJ *`:HgG?'ӢsZX._s’ʪK&YqTȷߝ1|DpЌ;gs`'B`,t@ TscsTk!g EA1 ٘[*3$4]@ @arۂ#j ' E-|-IGEG Mn%گĮ-$ X!1en=(@Qݳᣝ}_W,!xoǎ{?kF:  *?*:^|?%CyKRWUNL ?z6$`J~ľ/Aw~NE,L!COQ-N_ۧŇ@( ~@*r=#h|ۂX+mŰ"|R#!?I @@rbʎpjNK  @eyI@@N5őNсGɏ=j ߟ6v""%"v`Dţ%k=P.jX  V&pg–76"Ye'!D8@@  අ4  Eٮ];Kā @@ A>A@AHEIISfLbpԨi EAx:ћfсXAHEĺ w[[|&!{B  _IE ݭ\X9ɽS{Suu5ӡæ}XrcG(p%wK=abřFS6G.Z\[.u<-dfe\KC"dp˻[-}Tk_g/mKo ढVZYF:ZXPqA[n]v 8R|d󆼢_ ?0=kß+i,dj[6S۶(rA+Own/Y¸x"d ѣvt ~|ڬiɓ&dhp"TD}˃ڠk˶ڮSH8a0vmb###koJ=;gdE&̧}rw/-.rnZd)D=o%8"#~q]L&.,r8g<1k2%>Se׬>YvQ0::Q!A\Vخtvн1ҹIxDtNe#mc+1\g{y¬96Ž͜5s)]Q]Iѓ2#Pf:*26ptGt㝯D.ݜO"^  `eA;AǠŏ:lQMMn/7scaa-x^s嶅I'͝\EEVCݹiۦmř JxlrV,XIoF=1Jv]A=*ra>loF/.jŪg~!ä'ٻ#cnj#Lw11]y3SlxܹwLU?35%-NBw.轏=<5%VOJ>r^-  ~j K*+.U요xwHӗ_Zu!7k@@CM vHNs촁4n*1| 3kA@Z0#XR@K TfcK@* 8h 3w8Q?v‡Ӡ0FnY GTO]9E-,Clo0HE~FM)`@N׊A@@*jK  'Tpp  ДRQSX8#C@ fn?#?^|Fa@HW@!*Y a@DC/8*J(l=TkEg  0 SQbRGX<ȸŕ۵kgH X=InH9-|A !4sEv !D ( TJ*xs{$J2czuu5IЏڗ,›m6u]ѸAWm~w ϝoNs'_{C~vv {>ג3n:wq;Nt%̬ڟkUA@j&OϚ0r‚ :rk8^ooեk7n`[6S۶(rr}K /x_}-Ϝ=C3oӔ?Ξ_kGGvT/U]ط}g?k+Own/Y $`Tk˶ڮGgg0=-;"aY=;gdEg>\ \s/.8ť;Q$QQQ*/T^9vE M߭\nKƶl9/{=S\XUPzl'N^5' 
!v72d$\<+?0&;?F Hg+ű@n= jyK_uLˋ{=G~&sg  @^j欙ӧMOҕOR|b.dو6X; onfMCl *UFFFR1(7nHt(٬K:qo;  `eV9AWSSc"vaEd9khgM9 dƌx"JNXq\0 - 8-RM9"l|}#eʋmӶL_uΆ3a.JsI'͝@XC  'QsWX#i|wI?;hpLS3تcuݒfN}(Ubӭ}Mb[?!{$)i)~}M?ꖸv -|׹Θ:{{8[S9'vOOyU@@~j K*+.U요c;wK7h'Dd;  Щz2a#xF(-=q촁F_8tSY̍qHA@Z 82XRр@ $T'Ck@*| h/>>>ء"* (@Z&}f;R?iwIJhi@@ (Y"5_98\+ 8r8hJ),RQ!@SHEMy` @@ A@@*jK  'xr?9 _Qa7+dQ3؆Izj y HȟSKC(O  2zjL Sc@@@ T$   HE  "D`B*JLJ:vfBbv$vKO䊊Eˡ IDAT+itC_i  ZP=W8)J'ufgܾUlxrS}G/|nXT   r;ͷ&Eu,1Çlț4)}АѶl ^zq)_9@@L 8WjJUSeDUUUM-tmG>z{8G=ܗ/BIEnҸIo "ʋ+AiiԘF20+Dʢ\Z\,.B AKEۿ,IEXwl|rbrpOڴR-*CuAKEtg̘f3~,ɍ_l}~:aow~qHQYA2$'Td3Wc'b,,,n.7L-N-Y7mڸoڟ)9PF7vsMܶQ@"T$fcF%]owslkvHS^Y~A#@“U7w76!֕l1..nCʲ@@j,wTd5@@@ 57apC hnHEMA@@*rA@@k!~||CET>15H`io#yˍr$4n@,Lۛ,F"? y0 'kEG  M 5%@* 8r8hJ),RQ!@SHEMy` @@ p3/>V^^g0 @1)HE0TbyhJs&fq| B2""2ij5;+,8gs[ c&kE&aK.lG@sQ ;lݦ R뉒YΖZ`^2Bt FAiN{ˋ-<~@%&%/-.7j s'^A|yd퇿qRN_'OեeMU֓5V8&Tij$.0?]蔅kmk^sΜwuoސƯ\sz6-@"?aH '|ƒŋAj{+eIb|Ƽ }s-mQH "ǎgl\6wjr:~Mٖ,ZBj- GT\`,Rs\wJ[H3'_p9p#$`_$52ak铫Q4fR.4TQlk8>_k}a)"r*z:}7q*c#[٩d_[uڍΖ|jE ܵ97kklxwDZܲicOEQQkrukV|\{nsD4 'hсNܺ|rޱ䛒mn+-q tF=mE{^`!i~L\IRE1o8׽E^pc_v Yn|UO@%TDc*<<0xG<6%{ZvEƭ{vfȊni|*k'-{H#i-//3}Evt[Ed}FAt7ͭkۮΉ{eqWِ71cXn•ʳLفk[oE)yS%E/.<]mv)Q lwlv(m8ePNXK`܅S(--[jeڿ9W7$1-Ε«=9H5{*fֹ壘J&ug/ *"L6YB@彺Wm/[Ҿe#v`$͹bvKsrrYSJX_~lc?5əS%e Hϰ`c|a]0wՊUt9jrdWeqc%5*f˪2&dzǭ#G2tH/*"S{NXRUYYubפ߹#O_5^=NKM'@r4Hx*Ϛ|7 ^(0fΎc{Ɲ2փ@(-=q[Me17Ɲ/}?y(tǿy#>ۃ\: gP'p(H㠣ָ.o)pZoߡCjj<'c=gO}AJiVτW@K#Tg U{(LïcPDo>L_Lq#&LD>̦~Zki1^ i -<7=g[ԫLB @)<|[bŤi g-Iyĭ2s# yhg@pa@,OSA@  c|  `yHE" N(gt~l@@  HE^:&tQn@_ R?g(8ȟFa @K ..@A Sv @@@GH  %TX  #TC@* ,ox@*!A@` 7 鐠@@ @@ttH  XHE o  :HE:$h,7"4RQ`yR @@K( @@@GH  %TX  #TC@* ,ox@*!A@` 7 鐠@@ @@ttH  XHE o  :IEsI/W􉇾(fĤ$ EP@@ !]7~v`1 lț4)}АѶl ^zqi}ؖHBol7qɾ{{y5vTi >Xr&V)gz&Hyc1YEkkԛ-vvHDLL'=p_ik_˭t~><-r#G6o+:ŀӳnԈo4E@/զmji6:[yͱ, W*rLqZjҮRفk#0lE4ۨ @@ݰMHQYa# bM ,&^6 ,ͅO ]VM6۷j12=9ծע9x9lEHny;{ms}Ź;#x q_pK GEtГt{EM͵;&N0:%+sL EBaqk|d:SwwLLHc*\"2  _s’ʪK&%xg߹#O_~!1cr0Bb A'PVZZx@~FQs:GTscA8AQP{HEa? XRg@@* )A@>C@žRQO1 V'TdB|  ~1@:"'TS Y}=b @N3@@ c  `uHEV! aO(@* !>{HEa? 
XRg@@* )A@>C@žRQO1 V'TdB|  ~1@:"'TS Y}=b @N T|NŇT@(IEn+ mm\-oJ{;>Y~n)qYطooa%wK=abř2~,3H=vcK)8"ct8mf}q ZU`.E8K.R6)5%Bv6^I4@Rq'SΆCj444o|0C$MFAՐs^6ټ3eI̐*K/=@"`Te;%ߟڽm{с(-wm.ү Ԙ_ݸ}ͷnjʾܪK7>_:O\ǭ qb뮂 .0ӳ&uNܺ|nJm\e RVSGk_PoGSܩ[t\S'DZ nPu* HWN fxƜO?ś}s{fV= wvv餸7eЅ(mސWtgM=xy H0g!^ۙ d{dϬ4Z(jcAjStޙi4TGiKP rpRмLlݳ3{FVtH{SY>9W̢l@)P{Ts<<$/ؗ=-i >af>wŒlglSd.lK|:;5fg075Ky;ihhӲ\Nݢ㚢@G{+grOɪ_D;IGEEU^p۵=6r$2̎tRieҖ?bk&.qTI 0IVMF &[_i`SY*ZWhSMλZE^dinTZ N"SB͎sOg>:q nu&O\մ>ik6Mzr }ine:$\< g+\Tt$mF!VkuG 5H=u4ޮqܫt\65ms}=W1Y8:5+ukc~5}Ɯ^ݜ7HP}wfG:)$S]wC/׶*.)݀U!0CYئ8}UF q`rEdA\UmzJtTDzHF+1ዞ:rb%F6cW&AA\K*0qtbvYU w&l)) _I6U.x!40E5@4kUӡQ= AZ¦*Zq#ᎼyWc4rsNo3re؞L9ݹWImț2qKj`A9swΡEf{ٶrIĆ=:pъR$XSSc"v/~y[YjPSGq :' It0};UƲ*N$**ʝl5 ǚFѠjEQnsw Y1e]/TQPM TE+jA yUjt1!T4tnAC0 `&}n6|٠0? X7n^RlaV%+``*FZ`huSGÀ2X*XaC(@* Y ϭw 9hJ0tcg^T BNYQrj6ֱ2Jآ'ч͢O&0 QP;)4 si=&JP0q5Zm\Me^VLiPt5E‹ȟ#p+波\ƑЖyQTUa('ES9p=)z5]O B*ѫبک /B# f#/ WCc&9 TD ~HO$X j'``uOS2̞n.v}ؚ((^<M/v.gc`yOiG׏TGo*=_ 8l&r_p4(}|gQ.Hh-3OOᏵ[6C w_&G_|:+Ο#P ZsR쇪EPTLlY03cy1&eP|Ÿ7y`LƠ*MN~7%ԲpOTDTa#N5޻`CEƲ4lMQhb୮R IDATU۹}nPQzTGjs䈑[ɃNjE3"xE/V+@(*%Ǫ50|D{:{ۋ>e/^N%*!V(YhvZ%֒P2V6zd̔x`ܗAPUIdc4Uo.u}p_\֛ۯn,Qkaq4lM/Qhbl\>ިB f%Ցڌ+ƒEi) VL^xK# vrU,ʥd+fg10E gVϘId= ͢肐Te?:H UfTLlYjy0})M"YEUB'o"=K7?UQGֆ2oh= _(GQhy3-wTy ^*~㛔Yٳe3{E ţ-vrU&$פi̊>E#=4bNЩ~ب5LULlYjy0},M"YEUS{^5`25VQ 3k~wn&MxQXSmz6fK;v&u΂FE$Zi&r^{q"w;d4JMY0|hkD?gQ],%!~ب5ULlYjy0},M"YEUSW&k2wOKK)]x4jg6z=oGrATnWiSj;ֳ1c_Q 0 l5fѲEƌFD,{:DHGbavڷoMDN}c3 N+ S:E&N "zE5_Wod pBt՛>@"TP$j@ aK --K @@+ME{pU^ @@O(l@@ 3 ` @@!y( (yE#^*V|J62;p -@RhG,U""mB:0H "U1UU;KHkH=فh/bvTnV# -b A@ T)Z)F,hc@@kA8A**ڡj׌YU7EZ+ELA@;A8*b4h6(Щy(~ '?s|{[]i}G`kGj`.#\)۴>} s*bD(=TJH9V4=b.l6ml4ev|}TDtRaM`_֯8&8֯ftnA@@y 5/_XpK-"(4/]+qؼ=ݝ?|^Mծ״b5Lg% 6zF!,('@x@*㖭[NԮcS4QӢYtǢ1wZN}Tc_0iټe[ު]eĴo+:Lfo2'0hG?==3m#̼E.f9tPTLQbw#ës[4=m֍\^K~a:bF֮[-YxnsG5k$_;h)md᳹]iۦ2!xrZ?Gz,VL-=L׉{+~\SŔiS+A9̀g} ee'hAp}H;G=i{?>_J{Еe%> bT4!>R (>J@( "3% \B H!(`` GZk ՖbUx$kŵIN9=3g33)9PdNg?՞v&,]lLip$~5ё~6*̽M#٬yYӻ&̖ 
޶+G4_ְ^͎;6\Fp-w__K#(Vq[ZnZ铏?ٻkCmhKky'?9W.)4?rȖW=tG{lٰ~ޙ&L?z蓥G,kV,{wСC}bѳsrrpF1J(N'&_mXY&y+繜rnm.=2FWϿ* v6vM]f-Mƹy}:?meNpWe],eghmr$SQӃi[f58_Ǔ{@.,5Fo˛$?yːK̐Fmo~zz^R$WbB3m*+R͙إwm n~G|cl?clDC[t Y=z-C7[M#}3JlStDr_zx!R[I>=Oy@Vd6 0oȐm; -Yhe"휫޹d;ݼ}[M]}KkmC=X!m8}3w8'jX;wPu! ηvN8I6UKl''7.Oi}sиr5~y +2kv=Mʦ,M?iw4#׊II ޽7}7۽V:uJr"(~}z}ؓVXٷOV7PseUDwzg>s:9%9) ޛsbP$ڒ%.[nI NJ%4ͥU7_bș7tP;)eZUUel`ڥtܿ}wr2~U/IHټ9RXiw+\˖.{z; vb10cڌ)ӧWBۄگk33V[~c#[th,z寓?-ĜI.c]&X+V rwS40 n:IEo1s̸t波V8$yhQ9hTᛅ9ȱ9R>o[bjT!{FgqrC R|;'7Ky>|&|H|~aڶ6@E.WNO@Xܱ8BБUQ<@4 Qq & $6qUb @l Dbs%U DI%5'IBDS>vYnkWWkSey>\n3r3UUUS;{n{EmWNmjV1:?3wvIf/Ҋ6m$fY' Q^9)c&U4S9=/ERZMꎱ#׊:cU {CysO䇇?&7gZn'+;b wwKʏ w65HNiplqdƼggUoN)1|+3n0J+{ά9@٘ҦͶ^OjFwdO0B!+m٫̟2?M-(W$yH>gE:JZO I8?߼7kAJrs8U9:%s@j?`ּ¢ŋ,x8b997a~ Xگkw9cc7̶ޒ* #CQҧNQ'2o7fhK!`_^Vq83o;zݱSnc9fKsRjiml6&M6V6xT|VqȇFz0-g^N_S_ŊMkeG(|y+W _}6]nYO>oglr%=c8AJ9=pמ]f) hW~*)Wd0GB?<`%lԵՂ7,19zdƭ؉c>"N>vo{,]`4_헟lY 2H"y&GL}jZl_^O8YۮxuދTvl#oX]oY z7+99eeK-Fn`y~8 Ҿh#]J{p-wf40n:ȼ3 򊅠egg[]/乎-ޑzMqfΒMV.2g[*>'vHczGܬxO8ӏ~q/O2͘Ud9=/o37v< Ͽ7fv½Em\vMX,33S6r4?M?[6.'ZTR2x/̛!_s-3k6~Z>|i#4z\ >h*Tx3-o&}j=n>޻Κ#?>1elcn,k>?~zoĔ1[i͈a#.^J+!= [*_ږפYNT{rܚ zpwZɦGr,3r"x=^m)"`,OfA_oh%[f&Pw}Kw(H}[m&~'Q^JF9<_M5p"a@L D`g0$&juGg(cm hxzb?B2FE(Q0w;CD~*6"HT:bO r6cjVwt M\ 4s(.1&Yan~LE<=޶%M jF6WE$2Q"vmZQq|Do':QS[c~q#\NibH2}X1mGn6`dR)Gnzԉ Ʈ4@".C?3P3PRc4ξyI1Rxk[2\W&{2í927w ZIr'pm*/TʵWrrܼF〕.~#t޶d"]Pu!#/ٷsII\w|2F}.!V|nsA*]FRы/VV^W[cS{W>Wer|tlZu UgW!1;'NJNDH'"a(VQ @HEa@J pQ&kXt zR'j@:w<;΅8I< ~M4O3٭sQ?e5bEӔ/h@)9~4fN΅T$2}kkM5ŋ}ar2|A ̔;ge)l7{gc\N%V~(DD7dcl{fț!٬_h{hʛ6oJQZ{zV*ǎ]cܺ^v"74e#zr얟+l}l)ˎ?VEE5K1a섞{;}6G0) ׊Ta6jݖ[N?3\eҕUU>#LIN񩱳iիxOq'5!ykg`ۘ(-moFV!U?}oޣG ,x=6bro]ӎҹsdu ]FBgը񣇏>J^|ߴ~'d{+*6tS'|b9s̰ ,JHHy{ߒw]MC;bdĶnwyr%+>TԷiSI9ȏ$''sdt6i̦)_>6OT#;^Qz]}Z0oAC.L䔣[7n=qꄹ7p/lnʞ+ ;q\ۻoV&iCR<:+#poA}kkNu]< IhPEѩ|C1Fÿ5Ԕ/,[xNN?I}Z{'.{ny2;Ҩa6Y36mSyRz%͛k l^p{Ut @7UHxۛׯYo۹rrMgxٟoOۤ"H4 ݋olOvz~g=}☱ w-_`uRvzeթSOUKNl{mwNޚ!Q^nIZkk妭zkeFhRڥTK3h՗\埕./˵]rr%՜o|үy +\ sq%:O9!'IGV [_6Sfy[wu/cߵr)MUFiouJ xs|ií4\nT 
!0?dӧM~P}{\ccdXcFbS&O鵬ܭdèұ|erwlٸuGȇ>mh5޽rlhSJ~'M\rpN_ɡTɠ^@<|RٔtګmB׵Uü/ꝲ`֘Y_H&@y;5D5jm>d"1̾N0!DR:moճW !Dy/?;;F^][SqVMm+uM'en9 W:ץ8^#ϦϱoJ_[*gS>^Umv4!cuLc{f.X؜3o+c<~6ǍWk*cǏ5*pr'ǡ+kJ?hz'lQIQMIWvdE7vq}>$N.xٍn']5u5ARK 䕤ڦ9OoϛԩsK 1=&WEn)RVjkťK=61j8il,L]NUwzs?O1zʋxkL3/շO?ւ]3jcՈP差=oiŔSSSZ{omufLjyꯪ3}M_.*ӲqwXղ)$l-xm+aa.ߺ&<3\=5n.ꇩ+(&%g5z}YK\]pxR^y< [zR/jP);X38Sn;rn솧yhw鬱Rp# AF`) ô|>lnʙ{yO=mKsS6GޢE\4v@ky(& LAz) 23fl'I(1kc.Nه&&B*;cV nwmCF)Gz_ٻ߱5F`΅TІ@6nL9ܳ3wH` @Dz'Ǎ!b!%-w6pٻlFuw,͔bjؓgNZ9D --Mݠ<cV2;I1eX]1Ǘ-\ܩY|2;絢VQ@V)XQBR1;q1eGoZϳ{mG.% ՕVQ5=*0\̓PekeԄm Q WRQWT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx\Tq_ ֗QTTH#h%Jiy@ch=t;&_* H=!:63{A |kƵ׳d޿G@@@,-w6Y/eYLVH@@@`8a̶?T<*}aA@@,7%%ٟSij1!aGF٧CAB[i9]30`   F*[BVV$op-j/EsP92P9X2VC lThu??f–s J]д6\hnrڻ1,@@@ 9UuM]F؟_kQ4yx o}Vn?:>)[ iJ)7.p,BfATAaZM_K!s-{P3U9xl9cJ'64ݘ9@4X@@ 3vsU'"Q/6V8rFsj[a Dao-gEO)1ܕ#i~`FeCy`tcSK,3A0ҤcKA#0CRU~nn9VQbb=c4 )-}b4TСiU 9ڶ7wr`1ݘU~şwӌλ+ܝ}[bé;sUZaS jC|)όܱOh~^}N ~*ҮNꏿ>"e.aB$>L!!9+&yܝ,8+ .Qsk]}D׽ limi7Ra9\SHA_:꺝Vds Pޙd7Ѷ}Bp_QݪSGye큯k>2Es}IE=!‘ݺ!T돝}z.]~?񨊪D+%F>+g. ὏*9P9C&`ē8^QpNy`^q[5} _Ȍuhb Vӽ8=;ڥjhR'îV[jTjwm/_PKiO*;V)8$¥], iXx>+ x<6Z*VY4鑘lW4NFqsquw>hiš]Ӯiw:iEz阯Zi+G`9Bʚj*_ 0Ri@2m =8OIbH`DHڙƌԭ|Ĥs¼(39  0|C)A**֋=mNρFZ |Zl;]1 `>ٽؿ-ԶwӾ8yݥ%4^ܦ0owZj4?[VϚe55h,Ee+Wi? [֕6վ4 l3Rr1 yc*I;3@swbT!3    Гw={u^i?+AwUr` +XW'>ͪt8({N<==ʪoktaB=1m9YYتFku}4g;JV_9X]<3M3M#~Xݒ j%)Chʏ]4_b2]#`o=HJ*VЬ &44Z/و?D8 {uA99tVPK vNVÊΈ|]ȩ;SZMh96~; ldQZ/׵ǽfmK:ۻ{=tFT詥+qzŒPSR)-35ݡuB7ު1?h:WZiܧl7nV5j8^{Wnl[g[RX2VC!Q! YTܨkB(Rss@/:4e]uȾ^@@@?+̐CwI&-w(Tu.}*Pi^o @@@`?3]?=(%=8%n/6ӗJꫯ@@VC#sU'4ZJ@@@`ge=[4hFQPi{˖ O kQX,T' 1lʫ醯8@@@@"Peb3sE$@@@@2_ @ X@@@DP`@N,M@   "ND0 XT'& zwq_Fk P}NKo}¸~k_c{B?ރ !F[#ôiFL~dNdN@@@G' `A@@ ʎA@@J4^@@@ ،XK /6#׀1Z '`ĮX  36v2r @@,N,-Bz   0ؚiⅺaõ~ @y+UrEC-/O/iahpBi2}ʀ{C@Mm ٠@Ԑ1JȈ!3" @AajV}M=hքJz1dK&GN?64dnIqT'$iE&gj_|ŊF `–x.]zR[fNN9m&@+#~} g-=wh#2Wl]\|X*M>jkHz OLCr}a&&CM@5Y8TFf;0@@ |Չ4ws>0Lp#ZL&ds@ L0.@iiVK̗*lC$B+%`WsBt&#V6QRA[{gWc􉀘9eRA:_q8bW?"k04#HU߅^INr+~b_6ydÍB1]Uv#`Ś޻Εv޵Q6<>Gdө?%] vԏrȧׂO>n?rsd]۲/o~hE'Ao:5{up]'L^q q43 !-°iAm"ޛ=w^YIiCqkZrDEғԤ{=1wKtF#? 
tXvA%4bOoIZD 2it.#pOKߚ%x:Q -Y6jD Қ /o΅;w4Jk7t6>YIŇ,L.*'ez&& _uBaXrN9i̱/N+ӆ a8o~=|T񷫟tq{KYW*ۭoo>/T\!=)6nX%O=6RJ ׽|U$mtTC;]GO1lußW]~9ϟ9o&~D5&灮(Ջ"iO>d۶SLhM<$΅WACFjN{q~BEw1T PЏpC&BʎVS9M~zxM^YA^^qi4ybTh=ț$GE]c#Z["Aۦ#ڡiimUj~mh}>1_̴]Jҿ Q2/:I{t4fO`C3>=yܿO)Ԇ36Fּ03 |5vRGGсM Tƾ zgGVVp䀽}I ?}RQy$e'Ӽ={v#k"הͭ:97%0#`>,$Mұ)vիy=܂CɸDD1 N>."aC'^ww;s,r ZF9 {4tiiUګsg:ToF: HWNhC8)&hW7dS7W?gNmٹ ~8 $խiɚIps[jϟ:=mb&%LɡM4q"rN_ ܙu'f=lɻqp#/'OLEcOgwId)ᕗ6V*J[ e:ئRj ^"1̙s-j |2 GJ١#$_IZuC|#ggϝ]YZ:sΤxfNZAҿXI*ڬ߾If+3`Bn uhm6r$_ .4=@o-^,pӒQ 6F S4v%t_$_)qg6NNa_"}`pK$-!4^$|/ӼihRzݚҲ2R)!hJ[j{>[:4=+rgRgy[[ӷe=Dz1GoJDG fJ>a],y7kUⓒJb_ivVRsߺ=sBa@s`gΝ&0k<}8X_8'gy36v7ikmbw.fV]hՉHxuSBmS}+Rl&ȺQ[ɭ~whJG}2_.4G+(b3C٫1o)֓"]=4N摬F旯\VUWW^:@Bp ]ߦ[Mߋzt[6~I0$ws4)b2 'g'a5z'*z]M+ɿ߮3ƕ@kWFg3 0}Z"Xv%vo]~Kzj}5Ս g͘E饭~;ZԮ%@RQq Sz5$(MMMJ袣7G,{gX~<%)/ORGЦ _E&^>+ 0wGNtIU:+ZAǖY_HokAu'Y[ 5K>ES5͚3uRċK ;ʹ&?"DW$\f5e/qK,|(Ek?DQzkkFWtkWwf#`D'T0keǭxv% ߻2dAA;ř[2?:;n*oj̡0aVHĠhQFߜ`,ˍIJHOSJ[ 3+oҥЋؚ?B|o֋ &mNZBvvTqH{>aDP0 .wL3pL˙̢/] 3LJ'd3`@Fԙ:I6͓2capݳC2\seUwn.bn!XɛIS2a#MdO6qpcϞ7KCMB |eu+aY3h-#4uL$Fhڒe{V洠i+׬-(VTBI{k;=֐cb>5αK}Q܅,~{X" D{2oYF/"9ZDi(u_ˮ_\Ed@<Llg0j>NσiW./jnv:3/]Tg&0Ua`91ʖ2}Pzz[.9)N% :IOME 9NJF{ͭo7#F<;]0/>ec:D@$ xyz$dߕaN hNA>A#?^ߒD$NTyz ݗljtY!pph~EZ UfN裡 ?? 5pЃiO1X[{?3[31+_B 8B FXt6qϝ&7t pBP>l]&s +w:? _V 'V]  K(Vl&z+*P/ufǢdiIĐg0PDFDh3"@7B$W>c|}*M + 3/ș IDAT|Nމ39 9*aU:cNƐHקjۜmvvt)ndu!E'=Qٌ ə2SJ_҄Ӝ {a6:qu.TY,.}fzp!= 0r%F  ~т}yck^;>O{ׄ Yz@Ь &*'%$@`X{4ӍQXwv4,r'?ヲCSQyECyWOċV+k E:qQ[ݞo<_`[kI)?-p$Уo?(gJ*I;mH/jら54Xn̗׿V7y3bq~2ЀmрٮSI sN%¼Ÿk,>;]J!%svlm#vd^/4QW,?5,/8C5FK֜,fM -ƟO4$F}tI!ЊW0ANzVwQjw2Al#)Ĝ1D5ĖTKӣ>[SZF7iIvR6Q'afo\ەP8@% 9匴'5=g Y,   `Vs'^CJl^*d vCbK}Yœ3A߲OnPMC<_Hto3:q=- v "GКΕWˣ],K>_b\bAsE;tnUR.=nr ׽|UcIФj(?ފʫ:p  &;ٛ0_YxGWc7=( %7^t 76)G+F*bceсM x" N z{{{-Jޤ;  @lzeCgjM]  rkv0I]]Π.yiaWlk &7o99KnAO/a#gۻS^~oLH@jICԝ-N/! 
%~A?l5k" &ZD?{ьWԨ F ƫ3=2Z5 .n&oeLYl1%̕X0ýMMj!cJFŖA%(Xٱ$<hd@>]uV~U5uVY[[oXA%io B:U;\[_JIjrtֺ57G/ Crӟaڴi Ü@Kk;wSto,] @"W4qg-Z8fAy+c9m4قs!aS`ߎY[(&WC9\8J1wS YprvjmmR~O5_u2(~i*;(?B   +Nn҄*ʙ!/dJ\ÁѱTDͦWXSGd9]mÌ.=#}Át@ .ڃ)C$]  v7rSܥG.HF!r!D.҈  3N?YiizOR^Z|/ϟ.=6mo-}2K_@=\>?}괽}nN.h!o6~87nޠn}K?<)UW[Fb]Y弗$,@ubAoR0>qطRSg>mlj/e4Ziز2g-[@bgś6)UR{ءN GƝ oХ`'ozetZqVƮ1G *Y`!U^EF򯯯NtY]]cR`lwqQ=ߖ|U:{89)IOj?=7N |u3ߋd~[ ȼӛ֝jҭ4JdEթP:   aC/kBL쬐GW_{u+g>n]/{nٻȬk^G:$t*ǫmW;9ȴQ=Zu7zޑa'BCW&w dnaN{ @@``u%N7юW;{NZ8)M߿M_@>?ho:]P.yvI[jV&ůÜ Rwlt@ [w9^#jƐ+f@`shKT V+nhCߓ͞ (1B!`t{Y7d   C3aWP@@: `Ϭ悇Nqej4Y PX4@@}Z@mW0&   `5lOd(0 `sJ0&   `jĿo"Ka@FӁC!X{L-@^_-,) wC`T1ўw<}P+uBiRqr&s)PP ; s Ь &Ww;+* vȨk"2|X u}}y*?3.Zܯy }cb3 l$^#fѫ6DDY4gv>ySX̚s3@@v++}6Bj7ow˻fJ=u&L c   0 W '.VQ`"$5\899 P=an{۫fY;_ B>s,bk|g_@`(hooۙ2XIy#e;y`% hɯdQi"4&vv@ ̮ws/FrR'璣%!...:z.)tp`pIiɂ d @ GUSjOþ PvCMm͹ѱ;~lޓaz95a( 9#"4b%ZSHЂ@? > }}%l[VRPfge{<!Ȟ=3iggGS&ɉ4˗<E+, q n|= wJ6'%xLussf6y|&%lJ`zuc=,!%2v~ޞ.\C ;M){R&Dub$]D&|i$W/p~_fj< F_Ud@„B F3=kVV4Nhsp'E+(q  '/O>21"_[b7f N/]6%=5]UċI qBjsrssruhm?2͝~m%.IJM~5.ɀ!͉tlxvm6Ce=[Xž Ð+P׫\\LyCcľ#p$#{Ǒ/L8a'D0E"C^{}F8ozxhYYэ8ʑ0z,8{W>Ǡ/:ǎKbF $f'E }%B/2?@'@ӫ%Muu(hlZAL :f— ، : 6o44>&-#`Wi2+;N}\[q(DսJȜ:q /ǐ[f@@~Tp^tȟ;d$W4B@ؒr ݯ:O7Cl?@L/MhNl>i)puu /{G&@O wNIcg^32| *Z|a/GNCH   |gG `DF   `̝ & mK ܽ:g~dT@?'i%0w"3p0Fϖ3/%Iƺ \=;p;y ;̝ B_,}nCbinKKJKA܉8hHv漴j*WN25zj}ǎ ?&lq4 ܉là89;Kض a :G"45B"_><=Nq6._dzZaIKpQP"n9)c6ZN>$M LOФ^ГA^O|y?ȟGyƿD) `90wb92"@ 55QA䩓Է xLjlԷqvvmޠrv\quBK7VI}ue%Kie"m_rO;E.@UYk8~嚕Vri— ، :2/N}XC1c2 v.$]>nneqyYt,DWdtB_!h,9F$DDub@* 8[2b^~L|sIA04QP)cܛ6DD9 MxF @@f־s'2 M_ܱ@``d#,V=wR{+;XA@@j X }Չ!q0@NhLN P,~'g~dTq@?'i%zX:@vy;Rh؝فc!"BG4 Kn.*t,9Z*% .)-!B"`s'_5}ehlЃX z=PbǎdVya( yb! $; $@sK!VvVCnn; O? /] =;mGBntnN,~0P>6%0==v _Ndy%v @@~V?w"?2DaBdɦ14ʊS_v%ݍ>193|FJDKUN:wYgBFVƍ羮Z5dMd U7od_ZUm 1#=53ABiK ܉@rRR41ע 33UN*vɛاWgn4/@I |şgBiAUf\8eKr-dl^ГA^O|y?ȟGyƿD) `9zfmԖCP"@ik 붗y3?dFJrvvV7U T.K נn`[h*Nݒz/ o)`~ ONL/PҢQLS6χ>/?5DF`-ǾdK_q㫿nbzUsO{G#«+_rO;E.@UYk8~嚕VL#ۏzP^q7W  3K |F1Mq! 
CN/]@ Ml$'Jՠ$%AW}-mէJUx17wrɳKRӨ#-5@ͭt&nNK:XշѶZء'>1Jk LП^?07L q#S&NX@} 룽g,{.~u=в261qcA޾#u#9x9vXd3gP//_/GǸ$AhaX@(岲АPzZ4""#3A:|0epAQB'1.;-iV#f}LZFZeVv$ӷ>nneyYt,DսJȜ:q /ǐ[f@@~VQ3 `^:%NƖc_9676 U?qV=wBSX1k-x;8n~`aV:~kC-1"@WV=wBIo1 @@@X Fube?pH@@z%^@@@@V;7# y~1g~dTq'@?'i%0w"3p0FnG3/%Iƺ \=;p;y@@N꿯pa  0xh~B|H&Rr$$8=OƬJ \RZb(p `Uϝ^*2>BX+;$:vؼ'$dS-4d @ znmSQV?*h@I&9 /qrv"Wt)vs)4ege{ %vp<ѹ9idCLrKؔ?YBJ3|e8=;b % X wSCD**Olj'둟_QYqS5CNY8=L?^5v]k% FƳqZ5+W^USUCxG"oX@@fV?w2Yw.&6%jD\1V) , ѷ7w~ɳKRӨ#-5@ͭt&nNK:XշѶZء'>1Jk LNdp 0< q#S&NX` ށ3=vӺu \HMn.NaK&NHO9xhYY8 o_y;f,]23c\BMINqrqZ0,Wb rYYhH(@@~>wb+?2D@>ä>ri— ، :2/N}XC1c2 v.$Z}Gͭ,.o5N:9!t2e /ǐ[f@@~4wbzBW#F":1M `tJjO1ܯ\ڛo! U?q&**e{F 'WW Z wp/șbL`D [;6 ̝ x0@Nc@@NC   0D `dB?qQW̞`\[ :]p  `>;1[x3mμ$]ugn{'ݶ|@ `@tt'>o}I<ǸhIHp0{ʒB C ; h p7&/[|Uͷ5_^?60}a @@Nt@'@0 /qrwmKA񐇛=N 7H7īU'K/yz{^’9QP"n9)c69L>$M LO%;pƲwZN}nyzi4*P>ZVVƦ=7;rz,8{| opcPcnjKsF E}nNnJrӢaЗBCB [!" !#&|y ͨ@H ѱqtJ6 JՈYV4tICkEi7,/' k#tb )_~92  4Չ8h$SdlɈy9K{3q=$*2w0NDBqoA$/x;8n@d&`N0w" h񅭿@N <‚ `s'X1B   VKs'V!q~dʊ)C@ Wuق~yQkj<=&yJ#m})֐=O+8JگߥxoqʖLh%[2ɞِ'?=5ЉRf@rX܉v'd2Hm`c]__wL:|Lt6I&Y;}pA嬵tD\m%X:uKŪ/TzJ ?;1@!KK{F MO A`a˱/ٶJ=n|7lӫwsvl`oyE9kO;E.@UYk8~嚕VT#ۏzP^q7W  3K }Fqss!.&6 D\1V߆4gzM?tys?-yvIRjCt1=Ȁ͉tɚx}W6C ;T'3c@ Pb d X?!;|qd >O z}weυ.zOwr^Z~w }w"h,?ED!G>crp?|0ӄ/d(t2Ia_ݲԅf5bǤe*.$Z}Gͭ,.gm͢S'`6BG2'N Aw :rl O:gAtJ-1/prio&zycsP; '`s'6ƇVk'D 4^k0B`ț& h񅭿 ` &܉ `   #k;ʎ?,  ܉,@@@d;1 AH<4XϦQ{W̞`\;_ 2܉@mμ$6pmmcx̝LACn"m$Š}- f7#Sy! $̝Hb@` |qF z~^Zc ˩ [Fi@t`D.AxB'g'R̅+=psuGi7 5.nqq~ͥ˗<=VXhۣpwDnsRT7:7'm?s}(In G;KW@ ޞ.\b@'`s'ǴO"&PYUydScr~n~Eeũ/O|WCN;]O忛O $ХMccJbm۷5\usgϟez&ddehq*:5\KD'OP|FlA<Ũ5Q5Pwo,   `0wbo!JN2D ~ߙimq{5 ƅuZq  3;^+310#mμ$15=;p;y GG @An+KOx#?Wz~hIHp0{_?eW \RZr @` Xwo|7@S7UΕ}&qcǏ{2 80jFucy ; KB'g~g ۖ!йY4)FlӮT(;>)DKޞLO+, q 4QP"n9)c69L>$M?{ԵwڕTDVͱ iO;Tm+z4jQ:) TŸr[rHWgZzZt`- -EHmo.xѸ IDAT2vu\׮Ok7 Y{g?~λuLORRZ;ńxetNV S~䷹{O #t mnijwc֯@Rz;K?w'X썲hLτ~{*^&o9n9eTnXY)NEQ}2i$@?)v2_XA uUD&lc?,ktE%Et>$\;Gn|nΫ P)),!{fC j8l>OQ9/|!LS~$.")MR `S }\}@$dC11O< "~. 
䪑k%>`gGh%;ktK[G;;y._s`Fa0?@O`ʯТaDnf͐/ʇpas#zd Zvog͕ibU]L!"\6,Vf1g<7:37oy~bH/^dQ>;Ϊ ~&0N Á4$JPhaÐ+rV#}k^HnHs )TNN]?uB)bi{AWFgR˥*kriS5:C;0c@P| d?k'0LC# [zZܕT'nx6UtgNjzEʊEK;-'زGK9:64 JrLCv4ʜPY$W*&tvhN+ެ7K#kVU"ϴ%'%3?@O`?2Ӂm|Pi7  ֮"5+Xl= STJd[]V6R*|'$s;\ϥ%-KŒϹNܝEn HrM 0% 8ŅY$?I{sW=S"_ <5EFR*37H OQQQ A4fPƍ?cX ~&0ϝ`?0M6_x Dk'Â!0NB   SNC   ve Uel}[sK̞n66WW  #X;XO}zsN*@``d h)؛JM *$4qO4vO4Filj(p  .ʸcǩqG C W-1xZR!VN>єB?5kS) @`w1 ip6J'Kϥ59?RȣtG?W&Q!?wVF3=uX\m$OS,S"&Xsn%dzNnҝl,&+;Ou* 7qOPlGm 0 t[[Znpc֯t pE,sEҙy@UM__L&c7ʆtZZZOA@@`" me-ڴ5 ~#?Uږmn- \3{\]Ҋ*L g̳ Rs_t25*"gtw`[u%0Qk'</_ k}\VK]IcF.cz 4Filjۈ3 \;A_ո8?Wroku˝hTV!um*1!CcPn@߅0_Z0m;3ԥ5JM(9]x|ۗ;tF+ae J, I^X,9Ln?:YBJ_YKw<ɪ@|G`ʯ6w3Lgݖ.qX++][z;˱d2[FCNKKk' ť/,TzTeMdrr2m7jflϰR{eH  ;S~dU| A`0 !!!η}sIQL* ;ذP=7 s_ͧCUNP)),!{fC j8l>OQ9/|!T_;{ #Njx>; 8u܈x_2>08 wddGrE #K$;;BKW.Y`Fa0?@|GN4 '@ jsC nпmKQܐur*yA^:쯟-2y؃d${dOV-_v\/Pc ٳFޫ}{UB7~i]TOY84 0m LKҧ#AGN"cƶJW5}Tw9s02}|=|WSw Ӝ&_&pZd'~M;ܜ##\s9WEԋuᄾ 8um.s?ֿ>I|䳿6;dxBʆN8ݱ yX$z5eawh@`Z@s+:s9>ٙ! m볅͍U,&3,bnrONNv s (ߜ:CR4q oDdZ5@{b?kNa, %) `,0rX!a4ш֧9KUlMT?z iIߚe;sCrt0ӓ`u(s6kO @ {Ka-ٛC&at)jЀLQNCS@: MB*&tvhyv%rB MXCesdXxW?zs]JugSHwfLYIغyLn7џb=qk_틜reH @Ƒ@Ы'\0!$$UGj7ТH="6Z9?$\;6[I1zputpJG J3қA_][.q#ZK&,Ž#Rxx,9'n,Nw80hA@`< |5C¾K MF|8Zdٞ\_*Uut9W>B'L3ʈ]gUKU#qtW <_S]C -lr Bz]fܐ<ڤk{6 dxu{tL?g%87Svv%{@eoГUU]]Z_Y뮢׋FELeo }?d鴴8yP\ZooBKUD--,CM~vk 9+ũX(*oY&0  -xK )u撢T|waQ:|!7DmүW) yU}݁ZRRXB̆9=ǚiy9&f@ƋvvƋ$+J5\U}q8yσ\vgqcsW=>08/e\5rX`$\dguihg7o+"q ( xK;;=%۫WEk67˞AqqǴ?C`M:)Umk% l0YkI?ש߼}X-VbEv"j  ^@v. 
,y8ZؠB/[lGBpCrt0VhClK萻Ԅ,O9t뛶>M_`|>#3 HO[R597u]Fbhcf(  ^١#A Pn*o8Ұh5W5ja]JugSHwfo_߼ [a1ammml#祜{Bcc$(UY3Sp4ʜPY$W*&tvhN+ެ#/HթjDh3mmIm:o@hoPi7  |ca+U]YbcPTJd[]VaZ)AW$-KŒϹNܝEn ooZYm7؃LZ.)Nqaq,OUϬu\VQ@ I`?_$QQQ A4fP Ѐ%0cZ1iC` K6_B 3@    sA/f    1 xiǴ`MY2.%Uel-ǽfO7\ZQ܉W` r_e^?NwU)|MF( AI`Ao Ēlj7Ȥ2Z11>#̛7J:*j| |uOaGԾ@]~aIHXg>ɞӓAǚ?3圏=/AY֏/T_]`SQA?hΞn{1=#_ڄO/eᑜYe#dp咝{{֥WDQ@PX;Akf8cnWeeϨAs';iaXUGWG"W 2F d&\~[bX)NJy֋*2xE (YxE 0K6 "g5ҷuَ7`p:juYT:P'IYr!O[/0R>Dc@'Trrʚ᎛:׮]c1CIONn3 @5~/yE 0# [zZܕT'nx6UtgNܚU)}ⱄͿ7 $?Ɩ=r^ '4&: MR5ӵЄ1T?"QHbT1CuzN_fE!_)]:U }-9) Qy $@| Lݨd%(TPHJI"5+Xl_CzJL.:qR;!3Hߑ4SaJs3wg[f@%0(\S-6؃$&gΒ$1]*_eEAITTTm,9;q4  0i ̰++&m| @6 MW !p(   z=b=;?zVbpG;;@ @aUm6[{K̞n06WW  ^;cL^G[2_/~A"ުdÈ@  YaF le4&i4?V?TihZ臱0@I>Y+` ;t)hTwѧM03FHX; NJIM<Z0mv,r;N,uTpM&C yBc?mܑg3hV;P@T"ސur*yLƚie!KLτ~{*^&o9n9eTnXY)NEQ}2i$@o ݱ b{Ao T"}\RT"ʂ61>(}UO ;Gn| >t^ou KBB=!{NO6kOK(Μs>nnb@@`ژ|opPB`SǍ5?K׈>08 wmdGr}ΎВKv*)(,8m9w?:,Q@5߽{o ̚!a_/͍g}(3XrᎏpRŪ::2BA'EmX`$6b&`7:oJ^Σ^$ttU-U5A@+AY'A<'JPhaÐ+rVe;ߜB,u!Z?]R:|)֧ X`dz&p+ܼ\&~㦵NkX mPғÌ@a5A@+A;A`,M G͟f F-t+SNl̝cdr[[)'И'4 JrLב&,29TeD s7+ HթjDh3mmI2t=- ,l,T,og7 ]w[ҪF֮,cf Zj*B2}]VaZ)9/VIZDks ;2  -/v=%gΒ$o#zf"_ M; ف$***6h̜߸ľ8iE` }o !A@@F!d8hN&:Q |N@}9jվmFwrqoi j܎U ;A`V׋\*k3(F0Nb:L'ѩ6~ҘѰ Dm|5jMcSOGs&$/fh#:MY*7eT oa #$)f4)"msl|4\JQKk2)Qr˝g:̞vXt:yRa6{C)˩w},ų@ۣczNn݁l,&+;Ou*o<%mnijs'|OUEUWwWVWV".?/G{d2TFCNKKk' ť/,TzTeMdrr2m7jflϰReH  @v-1؃ zCHHֵKJdRY=iO/ۅwk ]#!M#7}TWj>A:*;P_XB sz2=>Xs|B<]Gq漜qs 0 !V9>qAvtuPs!!;Myjx> 8u.w ~o~=Mxx/e\5rX`$-\dguihg7o+"q ( xjS,w23$I F5C¾d{Y=_]RSŪEI6,{6b&`7:oJ^Σ^$ttU-U5A&@rR2;>Ί+F%3Qى;2ЃxXp|Mu %(a95]v$7$9OcÓȀ̲_|j mR:|֧ X`dz&/,*yTeMpMkk׮ѱء''7 k Wx 0F# [zZzܕT'nx6UtgNW&y45-ubEQlmmml#祜{Bcc$(UY3]Gv4ʜPY$W*&tvhN+ެ7K#kVU"ϴ?ט H`;1040nba}C=h7j9oF f#R| jd2kאR*$zm:qR;!3HߑOZD)ϹNܝEn %@gMP&ptd'B&Ѐ&W{vgI~zfeEA<$s'_ DEE%ҘC7~ 7v -؂$@/le AnwU㏒z hb<}/#aƻ3NŎ7QD;N#d' 78w2n(@@@`:t~{tAඌm帷4pcs .]P)d'~ ?:}z XV%{m( /q'}B_>!cP17k7kXeD1n1IaaBCkk AnT=wW:ӇzIlb=g=RɓQ~z4eePOMT ß#b,#{d!@0occ᎓%XKSJM(9χ^H+2{zO,\&|<wVvXtٺZjȸ7$yzbJ>0R< =:d ))NZaWFwk L;(&)nKwKS`MX++]\zвxC 
/B>Leo }?d鴴8yP\ZooBKUD--,CM~vk Z8 E"-ˤ@`b ;kOlѱv"d ⡯%E%2,`Ca3%6(1d4\#۵uOaЇΫ ;P_XB sz2=>Xs|B<-P9/|!LBS d? RT]ǩF׼ ΌRULś#]~h߇/eᑜ9,-\dg‚Ӗ?~R,΁A@o `[b5C¾d+#67˞AZH$3QŪ3Yd۰Gtؖ"XMN훷::swe6@@[N%{\RY$ƽY蹬ף?@`N`?_$QQQ͠13g7n@&-LG@`|  >&{/ ;A@@|Lى=x 0D. mUel-ǽfO7\ZQ ; A`V׋\*k3(F0A`St@ P X,δ$]'4𵆆֨5MA׫xzWm gwӣ)+SzjRצROzʟb,@"t)惹$!@@JåUT&SIB%+oyCb/33h]N@T"ސu C%Oǿsc)r4.))Nf-bB2T'Bo ]m؃xB2wӅ;:VUTuuwk~eK^/rgIlD_FCNKKk'ť/,TzTe6drr2m7jflϰRgLIa*@}{ 0 !!!XM撢J861>8J7*x/3s_ͧ0CU]P)),!{fC j8l>OQ9/|܌W aQ" 7p 0L@tmc}qEy_"Gjxx,ܹ|bd;-#~G%+UTSPXpr~tX90h0  -'?m؃xK` ի"g5F|C^A7/]XUGWkEIjX+ d`"XMN훷hGxډ=x   >&ǀ@@@KNsW"߶}U2?U.Wx 0 h+UE.Otw`[d'@1@&@anȩ^˟s'I ֨5M$d'X1$sĄD2N;<єB?5kS) @{d!@0occRsrJSIB%+p]8s7sgfT_>wЦLg2iEX\m$OS,S&Xg\Gt,qDɵtw  S @%[bO t[[Znp]窊c֯t pEB˧zUP!B>Leo }?d鴴8yP\ZooBKUD--,CM~vk 9+ũX(*oY&0  -d'=xJ7xh]D&ѺamW d6o<*$PUy#7}TWj>A:*;P_XB sz2=>Xs|B<]Gq漜qs Exp%@}=NG;/ypBo{ Tڄ 0]U#J}ΎВKv*Yvv(y]"`~ xK 0fHؗl^967˞A ;wBUa(XUGWG"W 2`!0YkI?ש߼}б\$v"j  ^@v. ,y8Z0ȤoM oXHK,aNL& mR:|֧ X`dz&p+ܼ\&~㦵NkX mPғÌ@a5A@+Nc#rSyÑEYBQ dT7<*@3soW-e'*dr[[)'И'4 JrLBPs2Du"Qń9}ś|itTJd"4dxK`` -T,ogF-'(AlB>9-˷U]YbcSTJd[]V6R*|'$s;]I˒09׉Й- @v-1؃d'gΒ$1]*_GeEAvvbv J 13g7n@&-LG@`|  >&{/ ;A@@|Lى=x 0}j_նm帷4pcsuK+  d'^1Lv:}z :XV%{m( FI=PL' k_|nS<_h1Ia Qk?4FNQb"Oo;n,o?yoOLXkS)LiNC0m;Nc\.UNi*5Ѣ08KvYx$WX+ ;;BKW.Yg]:١8͛wH6  @v-1؃X̚!a_=_ ~- 3]_4i~TEIjX+ d`3s훷&{/ ;A@@|Lى=x 0}o4gUelBpۀ=ll:@@H0[2_/rfKw U^A1 %d>8=M RqԤXBKWm1IaTICkԚƦF AI`V8YBU~.UɱB%+po?畽2 |оLg2iE/*jH<7$yzbJ>1R t+!ӥtvdc1!^yU!;Nܑn@e w9j=jJ^R?w\/ Td2/{l!KLτ~{*^&o9n9eTHڨݚ=zJ+( DaI#) #Av 􆐐Ծo.)*ŏໃ { Evgܹݏԋk%wE-W)08 wddGr°;;BKW.Y`Fa0?@@#='Y3$˴WewgA\K,9sI0tU#dtRچJl#az~Sy-oZދ< EBGYR_@D ;%3%TPB \3[l/ߜG%THaߔ)bi#I1 d@z:J%7/ɡiS5:.C;0c@P| d%D 0M G͟f F-+SNl̝~ӗk0\i7jyǩ$&juBO&erB yBT)gt0/4ai 9ϡ*HT'RULlWYoȗFJ׬NUD&HCikKNJf~ ;blmpm*73 7 |WTV5ve5kR*$zm:2J w蓖%QaJs3wg[f@@v h\RY$ƽYrYG xxM ***6h̜߸:xx?"hL&t!1O*L'8A@@`@v2]4   Sg`^^⟹Uږmn- \3{\]Ҋ*@v"J4}z 3U;J: Q@(d'S!iJ"R=6~ҘѰ o Qk6"Lgȧ#zU+Vɻ3MYʪ"M0&dh  0 ;Z Na~+ wgPKk2)Qr/wVF3?âc sY$LQ6~ gBqiq ^{/UYٷo }o*7qڭ3b@f4`~ ;NܑnAo K撢T|waA;zn| |uOчΫ /, 
RRXB̆9=p^|9>!.s^Co M=xJR OM% 8u܈x>08 wddGrE #K$;;BKW.Y`Fa0?@@#='Y3$˴WewgAUutu0Y᪶a@6ۈA,ޤo޾y[+~";zuVT@QND@ L`55!WLFt.7`FdDqw mI*V胮FcZ_ 5CDp   Ӊ]31WnHv2"1h˄0.U* =vp}S qN`dcd1ۻJǰ=u?ĸpuO1nzNf?%Z9z1nw(u#/ w1< sDcU~m5}Bh@@ND@ c!@/k@/r_$]GǏڏwߞ׉}ϖjل=Csn{ O8w0Xh*Ls֭L4\Ed$t^V_t{t_f&7UY+'JM (JN^ɻ~{Hb$ʍ! S8q|oHy?I.GA+F≋sy^.q "G|H!칳Aϗ=23[ʜϖ= = χLKTVYa~J<`6h@M!@M`QJQ3F_^RzD2qʰ2ƏS8W/d^M9<羛}Xl|>}8ǻu<=k䌴3`cBi]]]K$",<+k _qV[%`W{k\ OG<+V0E.! %4Q#s%}uK(G`.iDĒL`oXtm}퍑Q#ۛEWB i1Jh/hW]]}w"Q[<Ո];㸊3ǎgYI7t7三5uMaܠG-,aJ9BMP=xqØԐt !V%şRZ#v14:Pr`.hBHR]$ &Hxz6Ve/gRbǫE Pʎ_8B B^Ow'])KLJs?_$$ ]UkOkhIG?Zr6<@ЁAIi1`N ۅ~P`e-Ԋ i ql ڨDI> :u̻wb6l@) G#u4k‡&m(,(;g.-q\gW4g3G=@iʺb`YN e3;,hw("gзO_Z5`YJYFF9ӓm.Ve!=YtE/ڜHc-T555VriRZY ]BIsBqʵa[MjY6ifϭQOgʲ*[&tMPbCr(C*kVbT>ZrBª65GZ;jt8&oWZuF>b>r`T5JeDJLHt8Ngsa(B.gT#e\ο\tiUJhGܥ%Yhһ]&˲]kZ!!!)Lqkص]g}~scA.Avʎpo3a ME/gWɍ =wdP%;6&[LƮ _O=jѪ)OM,ԕSm+1&E&to E  `$@m'ҍ] Κ@Uȡ|]r>@ ' Œ4+ LD7@H8-<~Ԙ9sIα͟Tݥ W,r$+"pOy=4 r۫"9%nHc??ުSnPz؈"`E TщJfЬɑG-=u6)ߛ{ޜ`pB +y'tщ:V@ УC\pIa4X ಿ,dW)4W/5{hGVZA}4pVOu܉:9V S 8]aG-pӆMqAN>yYRC 4`隆CvЄ~}8֡$()T쁹ί^{aiٙ6mFA$ic]A [Zg'$|.;iz(=_y歛33Rf wjVf>2NzT9{(-(3z ͵L?A[]UrdL,eL@/{)euVa^LRLJ*VTr3du=f:CֵX}WG GͦB fBB4I;BGK9.9)x+x; V b۽Kv]IWv[*W'N/#F̚9+"lca7;?'gֽNҎ?%i_tz-[4s֌I9K3>칳W|A-mݾ5+;KhnwgΟookV۴n$usOJ&´[ i{QyKɒbB­,te r&Ivg^HWػWJ F-Ne#T@ XB.8Ys'NӺ ܾ=]+=6mғo~9)u7}~#;֮C9hHJz;֯c*&jМg?+7I?w^+8q dL`JGݏFf͒2pG(w1Ғ)6I;B֩퉘'b-LЊ&ۛC\ ܞą?uj0 Z2OFL\=oR&NB7[n(:)#Hxc":M:ub]h~ ݍ@~4嗁Z P_qhNH9#$koٺ O)&74 4䔤 +3zdP$$ ~K^Z}#e xapMhTgN8*γɆ#ϑ#c׬^jU"d'Zwӏ?+=I?@Y<ǝ>б'N@{HXY):6TR"@~HY(мl>hqAG}3$;2t7l|O2zr^ XVHHʙ$ٝd9{2Bٻ6 z$滜S#:Q縸U6lkb&O`f_&x5U2'-1 b";+{mpe $LNߨ3geeuozPbt󟟟Ň2-mY.[ 5+s${'a#9(]D mFY53{9B4k ؒr&Iv'Y:=b^ 2dO pInT%D'euϊWo.uт;[@;Q&ɍ洜ߏ-F-gLy{6IKBOr?1*jԀ,_|Syz~"RւɪQE:b_VqdڋiãFzfڀ-4q K qFG3oH%$Zj[!zz(0+#+tpc@rB9$,dRB K{{z~dptK{0 C[[ ]5}1_ZUYWWJ`SP/(;=#6 7X?@ӷNOC :ږj;N ,Udmz}[MiE,l!;|:”f,A i"IN\.&<84X<վDfX(/Y(cdwba2,A&|`βLDիC \4+W'L<4ir8ZsR\~^ z=U5 CX>ײ&&&޾$e*rscaPqFz*kҹù$@Klׯ_7\ _kmoo[1a>z;uz4'=#qB38}W{E?[(@хF\IC-t M2脡p]z@J`p @ y'<@@HщG6;;?|#>n̂=   nK"E&wA=   ' 
:QۈpwNA@@@mmD`;<>lHw{.|{3!`wtv`(Io;A@B+;   &@@@@y5N   &7)I!tuu+F,١+kkk;#ځ zCamo&&vcۛ@@@@= :Ixr͚PhBo7A@@܏@Hpȕ+F'~x   &zj-u   Es'5@@OCGVB!yy@@@@<8^NYx    hW,Vv\``"̝XSp /2@@@=`׉{3W S0j-hp>6وQ BiYQߝZwn3sT,Q̝(@:I00][*n<'dytU u N59\e!A;mS}j.D'AAw&@2O!M]̸M3t VxX|~Cͷy}E')aͫSyq􊨿/[q&l!ѮтmU4qR mgNdΞi7T"$忖/$Lz:|̩rbkRkcVA-fS(Aq)"fϚ]w5:[5;i%dj%[Z \zE Ӓ}||h!8485qtP$+jLTTDTZF^o|z1Qccc+(E;BR2Wg$tټ;[y)J@@{\m^|s%$8$ŬAAgZ5S8B*M_ ?s•~Ph$5Oit7M*-E0sR_Joa޾֣DilĘz[Nmŵ3:D`$37V["ktI#kuďM\L$:iW":cbb Rs.-X,κ*0g)J8칳3$2ұ]Œ3.2V jv\ f:[<#᩺z]C>}5!,浪D~{isCDMȆ'Aӏ=›dhB"ѡ|hҨ30~EsXXpى~ެ˭}EmY_Ro&,ǹ1EfsJw\m<5:A!>}| uq/JkMBHDc՛j4 >d۴k[;vu͉ItȷˌWz}=Hk5믿֨YґtSҮYD])(  C?.#41bjji92PР Z9tm(WkEWqdlD,Cxѯ.sK G+];l*Pԋl<,?~*[GG|&9m 0|wtZ87gL~LR]74\ҝM Mo/6XY}JXBgD୯z5t^Ш2Vr.GGE:4üW$3vC$͆O#z)hN> 7,^'|;[j<9Ȁ ~ :XŧK %\`.Wun~TbhruW)fA!7Ӛ/IhKtx雚IXf6Cw֜9_ iMRV[|d<%q -;Uy^mմ$imeeFSf uuYR^P)MZ*ekjj x k,X!ژ=L-Zhޢ҆z2X{&ke`FSSmعAf&Q(g ,͑޼QmزPMjz,}I+!kJTxv*n@_~Bw`Ԝw?D2QK-{4 t_[W(KSFpԊH Wph8S]Z^x$Yz4!aaׄ~+?LY𡏆 ;5w\AH'$Im=Jin_2rߍ^쟵>)#(G.fZ0WI_ǁrzꉰ9T/(%8[L'ⅵAm.!!N{j$zdJLަ4XMR=+)>|%Z x"Fzi~۰dxgw[]-t[JXBeY"vl<&ֳZV&bgP&80qqG֑{ :Y!A%󏓉&D 88Fa+u%&TkBaВʻSΘuIj{\f3&ݐ pL \VˊqD1P No|[0TJrvtl j$Gdl(Ve#FT3J1pjV!d^_2K!w"4@$@Wn(2l`-Ue/HVǼ/Iu8eRr7N+X'K{>7H@p7^ww겺tMVڻ`ܥQ~եh  *54eY醣5`qϻA@@@@9ʩ&)n7!RUPQVtpώ8 @ǎYmWI>luK0ʎeyB@' DF_lfޙMt!:Q't]%רpYCn8]}']g   JY>_@@@TCc_Uc s'vŪk<` `DM[@@@-   "%'[U7'iNUN98   `+9Xr\Xs͇YN o,@@@ޏPhrS,+$:X"    L4*BtbY&6щ dA@@K$41wQrޱ@;0VC[.$@@@K@24Bv9r 48ϊ5a,,&N@@@@#Bjꑟkǃb;X!`54+Q    [B1Ó|zoH#    MIDATh+>l"ZݾIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/32.png000066400000000000000000001261571303637203600247630ustar00rootroot00000000000000PNG  IHDRh7U0<iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx XTs1d%;ESTP&-D|7fVv|4 H1u8*LWpz~f {630/}q ׽uڳYks勗A9^(8V*x7M[d=r=!Ó)k@@@@So'EQE   )q%RsPZ}tB@P`^@@k *v4ljknT|+\ 5j^ҊZ0#`{LX2PtNdeUujEguOyFz U?D .-F 7]E,Ð6mէԘJ]f+ P>d+A/-9t-YϚ遲& a1%W'NTG_H1Y?ѽz ถ4 2n=آN*F\kL4t! Kw !*_yDWQCqjiCXc@7~~V9EQ]_`.a\W@E2aߠSL[[D5hLryS17- wdaI#CSy/؜"gzҋ<"ӕko^y5c5N%bуxW.64>NliZ:6JR.]} (D?X!SjF!Hw)x%)!ͯ5S5R-z0D5;6=4*IJ|$_A$|/$H$[]Cmvkuu_ktAs_k.cŚW],@KֽM9 vsXL$PN"YJRs˦__*KLDҧԠT#[̿O33yGl4vA@llsEN~ܕA+UKRFOdžtOQxR3Juu 5 <ڲ%lKQre X̵eOҪ26h_jSqXƃZE]GzNm¼kͽhѴV|fy60`Znn4>`|o]Nu[|&=@ѩՈUv+wV]%" }?^)M5$7r$jؿ*`݌di+G*8.._ur䨺x@s*vhԮkP֖&6j*C[;)\姣ƒ @@>]} e m2'Oυq-[TS]5 h#`2:@@ZO[_ 5܏"p)/iBWUTl-`-'Iɒ5H%-ΫsPe.+|ɏ? s~Q?ܡvu \ Ҭ"e!/)YT*Ҫ+ \ aB$NWiU޵;mښƐdM2P,tҌ6;i;Ͷg+`8֯mSa] $Lh:]y ܺ}9-kRWWy. 
Jt&jC16@sr$N7[%+2Klv@3T_}GJ6/_ֶ;K&v,?dbJ dxԘltvd e,=`iTKmu|h`YĹq%bK 5cD0g }9u!s5x`yɕ?\&_ج98y$\gMvRΕ} ksۺc,6z߹!im C- tZ qj%*{ѷSLL}[\SNI3f*-yѲ.+ud߹sY>KS&|[BwW:nEQfz2&)Ԩ&=H7{Ykwmv}$Jb- 6aH-Ŋ(P#*};_{WX2=&/޽zhMG{)=G_W Y[%mN}iOoӽ\ Ri܆ TZ~\j]rH nzm゙ndXޗk\jDiL..7 %\p_?<#/^MGHxp^E+}`; m1.[{JKT(l q*K/7H[2.jRyB }_ryė/-fHGvNr(&5:6\l&m;9H(Hb4 |tkFJ h,qZ]SƍyGɤa1?ⴃ˼\ElYvf{'Vq$N3 mKr:\tBK?])XYTEjM$mRvTmlK b+wE犸/#5Z;t.#'6y۴ i mom56 &0q4򟌱 L=YtӞazcJ-lNʹIcvg8Qq@Hq^vƘlHvɢ[dRSAx衇"zvӁ ם#M?}wHڔۑL4P g{#I 4bS>K/ьI_DEϘ4QuNz`@8P Wk̝tCӠl"ů7d{䏏HɆVT&0d1QP`YqZbF$-l0%:J?i lpMD w~av#7>PQ6N;8yT\鄧٦ޏp0i3|fMo{.8;$r7nDoސ0[AvM 5`if~a~I~3}q_gIN=Wwy?T^wR"k?_#FZ::PE#>9=<7>9'L5{rѥi=z8k'O7P1l ̉tW(HhF[kÂѾSEУAt!;ُ">MFy?G5>M_D]gԜFxM<~TzwӛO0Z؝+-O2FO5e!'dxikjUfO Z^HO|/$. ~Y`11Zns^ $W 0vGE׋sn',պˆ K@zUer&O2j .D.]ӟe@,-5"56ЀvHY@ #>U͵kԳg'"mM.=sH3V)kxEth z.I8ۓ>p;Hn7d@@= q'}   v8n0@{@lOh@@ qݐ!`$ٞ6@t!C  I=m#vCA@ړg{G  nG '$A@܎ hOHIm$N2   О8ۓ>p;Hn7d@@= q'}   v8n0@{@lOh@@ qݐ!`$ٞ6@t!C  I=m#vCA@ړg{G  nG '$A@܎ hOHIm$N2   О8ۓ>p;Hn7d@@= ghk-.  @@l*!fdtD(bN5F(k?HkZ&e͈1:j/?zg;QmgpW%n $ζ },Ν;Zi-t@ qzSW^>m`G 18-*-͠<ˇ ^j^E %ؠ ܩ#nwEJ%'}oҔQÇ'c={[lSQ1\U_odz81agTD 4mzՕ VZ%QCb՜=hN|V0Y^ LVRzOT4L>:$U%Hp!=Lbm8AHMK%czx{op%C%OnCyCdƪ4?f2d; \"q.YΜ*޹5|w,];?(= 鄬Y"nȊ +P IDATJ$J)64~h"/[zICz&M>k/_kV.efͅ Ǐ}}qdgC+.?3 uChFyfɂyRK3*$<3oeh@K$N???-:wZʆdi)}}usg;ʇj+/0UynoXѡ]{vLySi;QǍnySuHʊe7w*1Ϝ9Cf :Grʉ#iU^bzƃ!aTE󣟌f}ڔ|ICLJ+tW};9߂#{ +t@2@@8[ o>;0F  @q   छ|8pi   7,+.ÇrtUop#$pGZF64pK4L{S'iZ%QCbc7 lqѤ)O8|VҐ^ k6?hm4=ppc7^VQ#ڵwFWZʮOLyvvZPLEĊIӦW]`Ub^rU}Wreۄ-Yo$O,<^x;Gn"6RA\gc}YSMx =ܸyӧ.YΜ*޹5|wJʁ1KKJp۰tjvZ/*)%=)7Us:Mpkɷbl9tin#4V!|gOR;̜zߔٶCbzfL*];?(= 鄬 sG\-rJ>fۨs8;qҴ27D;kOX>½:I3O}uO ;-MKURFE >}Js ΒIOB^~nr0-scGOZu ¦7M,".xepKG&K/~jI>pЭ_n1.^xӣ'NE_))#9w~jG|EғpUs VLW.\*5zѕ Ru;̚LELy9i[ퟯ|: ܠCo6 Pk[loL)ٛmd@  "tW-rpDDҌZ)w2( }c:b>s-zw=eN?r'.$ ɾ{PkzcHԉ97{]jfVv52+u1;+̉g֕v[NiUr =x8-tNGwzm#7PĻ~vi$0u#FPG[Agd _ae65Z^Ze=nGɔwz6k]iULjJJ% wKP. 
;j?n6r`p8W/%#=#l`ԙ͑50Hh!@Yb p6$Ng$<;^x\E@@ڔgsO#i#)$6  FFhSHmA@<(  Ц8/x$NOQ@@M q)^84H6@pƳj+.U^ލ><;TJ is3c^;0p#H5{Yʖ7"qR/UUR#z `?g$Nu *8l ůPҒƍe4 @@@nJvECC Ow 2^*+)eACP^;MOc"J/^6ZDdXZZvclg>[xPl=$$$( FQ 8걨 tߌgzgcPPH̀H__R}M_tP?O>*Ή5uJep`(pr˕$H鵌E:#1dch* n8q+-;EJo'MBI4ܲ҈c8 j$tl?L=?H-*_q4[:RYUIr] 56Ee04FK],h*xA1 N\qyܨQ49ceܰ8C>>*adS>[F'L+)ђCSb[XVR!Ek5\0o[?Ux:E4R!PKePU)/VXEzzo o&3Z/#Ͳo!g]/Lk4y7P-+Rvn ___5=}ivV'7KYZTFRmQ1d]U6Q{ FMk".:rt'MDj  *:[DS(T;tt>g>NӓiYcesx '%N{hZ܀<_B,65Y.)N(b$ycUnyಮ ODЗs|amZf?.6?>'7'tye]叕4% vlQe޿Ce_t:IqQw7S& pWTuO4W%Ԋ\me! eOuWp^[xzZͭ+bxW]'NZ^o#0*UvCHтGJ|VPp< )BHp/8mdk* n0@gyn):_SCWĻg  AմSqFHS2,67q66ڂM< 9qpYoe݂.;C˹BiJDȳlgkD>gKJwO5yg.\dcEx/!pOA57hQI[:oo85}VEvI/Zf*T'Ji(۴56~ʺ{S(Q[lV-~sR9]񥛃uƯR.nifZ5W%)  | zq'=:J50[TaU|ܝ-/BS֢uQuS6> 27+FҕK.S Jt.J.s3~ gpFuBwyg6z  `?9 Xt@@@<hVG(Z=P@@ qzݐ  @ⴇx$Nrt@@HC]#uCCz   u8na{ qCuA@ 9:   `$N{.@!GA@!i=:H^70=8  ^G=P@@ qzݐ  28J5@DG:GH" ? ІX֌i6<@щBꜣrg$ΰb1R[Z:PFys\EV)5pj85)kFGNH܈@CwQ84F>~ Osaeyf efuSjHy6D@sݯ.N;o+t1c 88q(wF c+ٰ**:&vS-& z~9ٞ-6)UF&&M?|x% U:EL6J3ֿxIԐjtN|@z~l☪*M0%iH+2뮽%j wme 475LޡˆmP;$Hkr,|5B"9=8"4ees|L5!$Vwқb~T㕆@= 88q9gI&ٻ3ټ}[ܜwU=|{i;˾!ڵ.޳hNڜ<.YΜ*޹5|w*JVDl!^+r)ٳmgW'<9dxi&)/,w7nޤTXZRJa,h|-).!JĊ7VK*o淲jn^?|(߼Nܘ v+4ʿqӫTd£'G [iF Yawьۛ mdcxT(!/G&N0ͅQqq#..d04yKo^y)`2gLKM뫛;;%Qߢs砥i*JV|sǗ[֯pηnfS_RQQO/!9_A8,9J9(+U"`VWvWCuNʼ\3 n^1K˃G^MMG.y\fRqႴhǏ;"'ReWdcni|pJEF쥻|fR3ޢ ;F+5Jx KZ6޳ù>ɣD SON)+t^}MN$pJznA)MLO_y1We˗}礗U9ԲpDD$]RE]O|YEܺ}뉯 INuRPqVD@Z>dͱ+TC#"m{P1w2YꖗjȍmXu(ƣB Fa TK+?g5$X!kj0l(&OH\~%˸UW* 'AifJN﫺feuuu:'UmTĺ̌ #xgW(HA1R" _>سr']dz3dY JhL@Ҩȕ(ߌtSjh骵%,VƬPkQ>%w|8ىf8>$e칁G%~0a7u,uѲL;x@JjZV(Y{M:soI_H>u~}{1QOqIl3Ҩ-DzDGEŠWq&Μ:@YC-#bF yƏMt]iTLN68ᩱt”Z*ZjF U?1k<*ZmU6i-3w['OL>ۿGMӞvvppv^~/mK^N0@}ܗ@;'NZ wRVRJwE qAK-؀=(mNs%$}cn^֪&槚PE'OK|m*dNJ.92dMgO[uMI]qҌqp>.s¸SY4V@ Hɛ$Ǿ5L5,R23e3IYy^/JHe^*Km p،S˯Q#J'I/ J]Ic og˝ f L]w!ĩ(-ʑ0&*VQloN7@  "iQ&lgd VSw,gvJ%IFy9'5ʏr?!~WMDٺU/ 5AC/֕UJL֏z7_bԐj~}We@@ 8 G ~{7m*8KZ~XQGwJ(;$JpLZ~`XQGwJѨwp/=N/DT~K =NG8[ ؂[@taC  EawնW.x ΢ pNo"GEtI6$I߆m5x.ʚM."q:#@m.%k;@@lp   8=wl36 P@@s qzآg  m@ %@ܱE@@ڀg@K%c$6  Ks=hHm.A@<-z 
 8*\x.$N[ @@  qT\H;@@lp   8=wl36 P@@s 8k*J/^Po#UqҰb4zp9vdSg[ñYIWRoUb^8uM'H5{Y[2pTg쩫A.uh*3 dnL_ѯ5߱]}QCboN+VoCJN֕PޥoMjꭠԳ h<(˚3~g u{r𓅟O>?o@@;;JYӦ74uʨQ :#!iƔM۲3f| d={[lSQ1\U_o$ +W+I8&iӫT0EL$%jˋhql0Kآ记f*;]{7!1GpKJe]:ʆA]{?(7G=&8wuIJ镛PIPb%/|YS#o8Ewkr*`i dsܠÍ_t8oee}uf,FpYJCZ|c,m^#=dҰJƢ^ٰ]*-U)ޔ2rg^U6 كȇKd/1<сҐdQnj+t7q|eO搆ΝoZЮ=atA^o̤Rf4I^ڼ4yi\>// k+C2o.B].6K-V"#u~Gŏb꟧Əo4ud g<_M1vz`}*+(q%OQlS5θ߭`#4wҮ;itu#Nl6ne_};myó󛟺$d&REr:VK5vqQp[٘F~U+椃""۴LVa%jz7ъ&И9du"2إz`Hǔ;TJަ4QˏF2vRdAG7 7鑛O!Me3V_3o** ܬٮlZ~}֭_Gu?K_z{es.._*,ۜG*[Rw"Q#ϔgmrmN;uw(ay c]Y|٧|nmᢅ͏E>p{PwQfAAZ?CPsm\wm(m-1[Ε[T|;pUYb6C:ܡm«kbV. Uj56卩dC(X#JҎZ=o0K->p0JI"jழ$Eܺ}뉯 INGYKkK)3gm߱S?hw C `~4t,`UWotkֿb4DlNw4uMP3uuu:Yxkep%h5$!k"l0llQ+37ЮT,x3'0FiVqWVbMOz){[32)Uk5"Re*,{`H=jlH)Gֆ싖m\*zP̒KdEdI/\av)T# ^&QP2S O^Ig'efHAG n}iԢg]:q>4o[~+8EAgN>rԓqq8ZfKV-a | zq$ 9ս˭xuUJ~TAǸX΅hu洙ƆMYFM'pF⤇:9to8>_#wecdhR F+6Px9g$N/GwuZ'C \2pD "79p  #0p  8aG@tJ8H0# q: %x$Noe@@a8@@72  0HC G  @ܫTQz:MzȻCg+m5Cce_.8{ys~wb{mvۚ=JJ羒zHy\h;H5{Y?[2pxTo}Kj_hݛ dnL_O]OH.T[}M?|S]~f4e"۾Տ~v>q2x.ǁa_eMw y-g%APk9=-?o  ;-a8eWUN}~ڎw0+wo=Ob㟊yez>81aMӵ]{?!ٰyzWX!=vH gh:?|xiΖmbLJFbuIEjwҴUW*g*fR/C:`0HKJ3A9wLƨÉIYYigcAV͔[],FzGc*Jd (5^AW&0ox/~i Xb(hv*l? 6Ys $U4rdvTɧ쨱0L*ǛTY6 cF/uE2 Vbl☪*O4'Yi^=&Nn=O|Yq<AwWx4O'dm6%^β?ܬݼ}Sn~+ÇrK83wn>_S ,_e%3xߔٶCbzҳ#z]G5?eڄg ?7qW*] AP7 *=]|z£'G [)qCVlXbe3m/%A!e=^LOxoSEGiIYԏ>bo/ I&1eخ%XiԤnՎ7weT}\%p۰tjTei=&N;izS~w#RS;N=v,w.m$}y\*1 ;-M;ecʝK%Yl~S_82WF5ܫ̤:d)ʓ\r4IPe˶qkθ߭SXXG{)Oj[`` MCퟯ|:١@SKmU&_ߒoz}c;m޲9w~SD${ IeYd`3e;t%Vv"sSfyE9%*V}WWy`L Ч fFQJblߥJc ZQɲ) ӓgd7,nӶ/LfĤ>#Q_JɆ"鑛ŏGMcd,%,uES:jR*Ǜ,pi]KYRx-5V"_uQOrW޻F%;wqTe˶qkN^|xoiS@:uw(W f=Lbf݃:wbzo4+(I/_O>'x - -?o~LD$i(| ->uq{%!BkJ1dԐՊR'*?f9{۹skPM)033%R3%+?{3֥gDǰ^XJ;GÉe} Z|JG' ǛRx0Ȳ~Nழ$Eܺ}뉯 Iàie- R-i_kVSSCkb ֯doN:_AJ7dm^ FFƏ]_IQLO~+wf~*m ZmnU]3݆`f\WW :݌굍fJ4Y}+t3SB6}k?Tʐ7*;@VT-r0LOz){[3J`ff* %E6Y=(f%_H+1'kLzك᡿}g?dxfp|*C=ǛYRRY)<YπAO0>b 0J`^\=qf,]xIoYt'*/b"3_ޣ:!~TB`@@rLV<{f]&_.50u,jKi3{?;K. 
>56sѨ [ ^JRCV+ЖW9t>u;=LP-em_8idFggFy]D%kL$a+8EAgN nGɧҨIx3 CV*+'"+>q$nX<11̡Q:l\=!ÓM[Sܬ:4CnN[ooh~Kz,TtӐkB _O=op j| zqkZʋF  ?Ϗqm#@<3'=֫C :(%@k Co|YZ2;pFtG.6njuZѹiE A6 A@@8A@<'.  pHG  LӓG}p8$N#CO&ɣ8Ñ!'@E@@NH@@ 8{*J/^PHylҲ҅K_ޔ"~KYIWRoUߒ6Y[ٵ]َ8$*Y'&v v Xl/~>)as(9{c~l☪J3S+!=SZUd+5 *F"y}fMRaY:/Rl`Pg C,.8Fzmc٥ n镯"n~+ÇrˇK{Yu1ivK+<67qYSMx =ܸy/] P7^-ؗSsvmdb7~Svq -ΪHc6inn\>X#mWh(إˣbiH<9YhKY)mK?T",BJSrf\8kOs̤:ŋpHޫi9s^% y}Dxdί8?Snj:44ۍ|| )s ?Mzfi]-Uh,_`&/L-V*[EKJέ $JMC tn (-%͚ITVǾKl̰tuUs7qE6n2^)qWG>wnO-(Ku>99M%n,mz7mږ=ɔ˹+&844ۍgu$'/};jT¹s/Z,e1sJL#B]l-a(QPA4 }!f IDATN@.-dCR>7f uy$t $k1{;'MKΟ7?&"6-ri{Pw7n;?f9{۹skRFCL gp_t~#nzB,%6Ԩ^K,5~j9H,@3R휹/ٟݞS}[ֶ?`;uҌ!sYҶ2s ֯AUW* K:Nji@ħGL@WfJ 65f G}NOz){[3dUq=( =.3cD21|ĺJpuA F{7\`TWWPA"m2'p9?>ةg51ISgO2yƏMt]A2~}M;hYZXK_H>u~}{[&i?8z℧Ǝҥ QQ Iͱ|N먲8*c"h:.6qIJpuA F{7\`TWWPA"m2''dxikjUf:*=k+L\}Ydw1\I Ș V3|W"  Q!!JVV1$*0 &e͝C1]%k99>ۧjwUW7?}ʧe*[)n<0ԔTނ@R[mϿY'=>VįUj.@@BBЪ&ŖJ~CU   <Hm@,^6<   `@Pd8-!@@C>'  @2$NX@@@>8Kx  `$N c@O, 8-!@@C>'  @2$NX@@@>8Kx  `$N c@O, 8-!@@C>'  @2$NX@@@>8Kx  `$N c@O, 8-!@@C>'  @2$NX@zb) !36Y9).p2^!a$< [*:q|reksiϞ)$^v^{B `o%N~8=&qL=No,o 5˭kTݷFzfom6!Ff%NNˎ   b,M}-XH#'w\ 㺾PT26T*{*Z__7>cJȄ>mdLjM$@L}rdcOL4&yiNWSP{ueUJ8RjZv N E9@[h佻6܃Hx&.W >1 )uƩ8v K&I7čv;Ε [U SU2S3! 
&jvE),+Z1gw$1LxoB^}'(r}V6q8zt8񚲜gb 0ZwmN<52KXiO#;0nz(YDTU]h C64qV~$k /q^yu}#_,tu>{,U±?쪪iࣱ]&7%=~_RּEQi1j7JY松frq\#^0c>jlY8V0k<:vvBg7Oi 3f+0NL%ͷ BU2ʪ/#z̏l>(<2JǕd橆6^1|MIC럮ĉ>/OWBB25s# c$ _4iJMIY~=" 7B veO;L02P^iljdbTeY8n!hƌL+>;3O81KT3 {C]cS#; rǐ经wsBa?Vl+/[8NhĄQ2mxFk]O hr |6eA -Ctp2_ #MQ#GTTW|qiVJ^JLU˶q\#^PfE+8_' E_YңS#bN' EȁT8Ym AqќheU miJS;;וQIvg]{(ѯJ+,t?Ǖohʕ+H1| R"5kFM1dP@'Hddd2L_W\DVK hiMf *e~nvhHO,37GT{{6l0i'qjQ x\yc tǹy0x.=PoȭC(pYcUzt2wd]duB#鄳NdPYEȁTx1Pe A8#8n-.sq9tsI6]{ᅲ|w'MR;/ iTBIOYsϞçӅo07{ԯR"5{֜w }buAʽ)BIwfMs\ddeə3M$N}>t ĐHț"}>h B^JUe[o*wzcӀ 8&i.x%[K)fם,L{ac&`ĩlEσ.2U[o@@B&[RqpM?*Xn4N CIa<\'iS xX8{r#`6_G]WRVfڢMVslbu|Mb%!Viu&*kLRY6QAVj"G3 O0HI(W.qG ]O]aO6&iXڵQ5^Ek `jWqMɟOY2)_Bg_?W -Rp>)}ge VP,KהͪTծ+)[+QWi'=2:*m\BBU:1 JU-"}D8r@r<wfW#:xd<[N%Ekɔ㚊=pm[h9XBgi=ԂeyT r󴽨EzUtY_ՅWYlD>"+(m֙]Z]f]5*! BU:)"G h s=A~p;+Q:ҳk Y"[NL:X|E:W^suU݅X%HUtY_ՅW_SV"6.~Ͳvʪ0.t U鸦4CXvH1;61 X8eKܙZOTY:)%LXPl;{B Ԩq׶W˞g?N+ک\˝.[T*F7 W«^,\SV"Q[Й]B2e[d!%ܪP^(ԣ T,[ JTYOI:Rr,sD)˲Ekט=r7-/t+YT(,\ϸUBQ65I 6 ו$3k%긬3e6eL@)oPkJmn2=:l&  &q,qg|?+,$[NPEIYqD)ʲEk׸aܹrѝQݻCTOg*N"ȚA_KJڵeR,k.3IA:)-#v,'DqrP~-þ7bj`Ge۬!&|q3釴[˺YZV>ѽw{^=C}rAM|+{?]H9{  xAtNj9 @@@@Lj\   n 7N   8{Y  n qE%%pK-"@/$^([HnA@@z q@ @@@t   KJ   yo;v/7e/c!2a{{kˉU]7!6*<.O& >+UV$NʚK=o֒8Yk֒g#t6p l!p'x/~}5.l`۳4?C'Y֤us@Hl8 6o7A|D+8F`r~˦C|r{AE x8WWVKjLOfL0>cJ}}5l)F{?yJHYJW@H'i9o~m$.[/2mL9}*GY"J ǹ|kLIK޻{Wh?Q{G' E/F2=k E)cMօ9 ʺTEeVe6(ݤSO3ndjv*;ؓ+&;;;O-F cݹljk'4:'|M^H/7Fhvj Ejt٬Sh5 !SGm6Խ@.?&)'(SGהMgwC6VE@FׂK" 'u _R⬭^o:(+/cW^Gk**??%53T|qj׫5؟ZvU4}Ʈ}fۘDx%2 J;phkSHry--^{WWHŲK_GRo:· ](J7zF%:r;/v>i퓖N͛y톡?usy)׬_b+P( ʱc\@;کeƸf^7j* 쒿P@o!ɺƃQ}[>?FT_+n8q$>Qj4L bpU`2T4WG8TQ6 *U0L jYx1t>m.+'?wt&By #EF5vNstS %h~3q&^==>[4jy1#GHJ3$[k鲁ilZ"ALǙ(XYf?Ŏ3ڎ3d].F|WUB=#۸i#ɿUwx_8qgBjl=VRZr$X:{桳1$ب Ir:ؕZ< UN-InReʁPUaBBY;*?L![х[J^H?rYBZ, `xwCmxF5ѩӐ;<}] Wwin }t-BW]BTZP2 J!ؘX1Jya S(cc\erOF|72PM_ #MQ#GTTW|qI˗-ONAg4sF62\ąуy {݃©ōajQP2XB~2cF&W U왧 PT;kFMؑtFt+=|}c:Z+f[U x1h C!ts%J;;J'3#&$벎M6U])/+=%[&L@'qjaJ\鈈4?YY.(':~T©6, *1VU QsՔ~Bm0;\:N{8gϚ3ssmO.H7ryIJʷo|5f͞>{vՓ^3ޝpLo4^Dμ졷:9sƸ 
5tfMs9tsI*T+lQ7R^VIDRSҨciTN̔<]jKQ sfmlpY' pŌu~'S#JUuL"!dS*N8qmÁ'9mq|~yHoʧen}HJ_>d7C P/5%U~$0~7 >\w7Nz-E}HF_[A@ ?}~RSXV$Nz-C0ct&@'ӱqf~Six+g#ypVU<Ǹ%tsq   ~"'P   `OH+$N?Z{@g\ %IDATq ,Ԃؓ= @@DO`@@8Wx  'H~  $G3 ?}r$8%&N`8Y1Ƶ>e ætvk$i@  qVZ:פXe%ήΫ]ƛ콻k8 j$UC:%A<%)9 ?U;' jwP @Tv_p/ŮiWoVsݭ­)!Ȉw9&{ykO 盜 `CV$NʚKbk'N.!7"Wobʣ76zRE<> V$NjC{g~67Mkacn'W\]=g=9Ra"ߪhhM<=A \ X8{78/_؛k**::zLJV59ʷKIK޻{N}})I#fΛuo"1ɫ֭9]sl(ZO)*HUm+Tt^{?yJH6Y;2qӶ┱~;>F*( kkOCo*ڽ-GuzU3'ꘄ3[[O48!>o]O pV@ępWg7js\Iu=Wvo8]U5M|4kkkv|y7DE:X{yuեj;ǚq%n 2-_jMkz:]Z[2!.?{`Ϟ?KUvvM>^QAɓ]Щ@UB]Fn}VSUt ӳr}Աkj)pځ @P'-ϖ:M&ѩbү̥}/72gi. Trt2=<` @P_]#M,uQbկr=5uE;-]7kFMXjl4~[TVJUTRĕvg]{(wsB.-tQڐ>!MOH&1֕QU}@ڿ r%S2~WT\PZ{< &g,Ʈs=J6<ȚMLΜA՜EYbzZgϚCŹzm>?Q%gqgקMӨY 7\nSUEiУWP%t~ɿq]9YYṲBj8(Ze:8p!9mq|CWF#9O˘/ABíf/Ⱥs{B=^Ƚ 3@{S_jwu7+89&}l {=`?xa{z68 >$`E⤇9>T{z^BB}a{s `E4`D@ DG;|Yt~~dG8<$ΐ!=k h >&c...[ɂ{F, %#9H!0}:Xk=r5%!H! 2CXH d!    q!`81@@@$N   H   ` X$N0A,' iDA@@s@@L@4   ĉ9  & qQ@8M( qb H&`A@@81@@@$N   H   ` X$N0A,' iDA@@s@@L@4   ĉ9  & qQ@8M( qb H&`A@@81@@@$N   H   ` X$N0A,' iDA@@s@@L@4   ĉ9  & qQ@8M( qb H&`A@@81@@@$N   H   ` X$N0A,' iDA@@s@@L@4   ĉ9  & qQ@8M( qb H&`A@@81@@@$N   H   `@{ݹ㽏h/uƎg95*6riل@\\\b_9+bX

emUC x[5Vz t53(nex&iDlJN6m|U{iYGǛ)zr b0d_Hlђ.Țl=tgB{{{eYrm;~I֒1)c,c8fAt (@(8͹MMUQCkk+/_eϬvU y=uk]ji;/!$` l/ Vf-̚8ebDzS*Jj?yEũ*TBQ^(giю>!C<|zQN}lcI$%%&-]z]l~|3ۿjc)cSRu5:[dU]WCoMG3$@p>z')]*5ZXTambv+!8 ()-?͜wMm?vخw5i:vmZ^]Y}ꯧvo|k_nt)OTYiW*43$HP#pYEՋ/t+1rh]ؿkx: ًsߙz^OF9dO[7"'q&}L87'7 {}{ 'Xp?Atk7.\]VZ?˄w!fB&$e$N 4ks>2Ⱦ7:oill~ *9_x?PTCs&,^(aGDd}ёm_muƧ7W\qD::*+*Ez%Ng늋֬^CpW.%+7+XVsKO׼ZSڔ§8'4r6>T*TٽG '@-}q3c䔄ME3{U-[F%Pr~Pd˾[gdΘH7 c*G'ӛ7N캜 =mAgDNz+[6U$ΰ 5/Pq8p3)TkD@B@l$8,/2<4݂og.EPaDv [  Hkx%pO/h@KL@Tq  !B3D3A< + @e\S y ]{QH,'=H3X   @HA@Bg gch#z1  $@@@  q^`1@ q>=H3X   @HA@Bg @>vO}WQ`(Er   +qmM(ӧ6@@@8b%~?IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/4.png000066400000000000000000001121741303637203600246740ustar00rootroot00000000000000PNG  IHDRf$iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx}\cW&jWsM+TWh"h_a雮MJQLS"-c]w8avfe8y9yw>{sw1`C!`?̞OEx鳔C!por\+|~ܰ¢B6Yp%}y1q5`m"p\Y2Ɇ+9]-e05.c".C zAضՕ\Yx AXV{3}Lؘp?,b0 `>4C!pC+wËLb0!P7V>vG{>?:U1qGk46+wt4R}F2Z-s\j9 ڰzf}Q 9BEeVܡ\y_)C=uv( M̭ɋ2x?0&Vαʝ{{a \i+uK/U/pWsMw׿ǟ@`_FXyܚw? wj9#Ql2uvt6clDm;mccO<DD\T$K/ٺmu?'A#ٱUSoO~+W.k?x}۝%XE0-;y{p|Blr{s:vT_v:ΊegGo޼ &.F<.~4)A`]/ELH w"CZ4EE^ /4{׏gk>(}Ш[r9zs}PXx֢Ħ/HY"zh+#|F19{cdٵZ_gM(AJrôw26ewާ}AB`@m]m8AZd+6݀X6=EL@ uV;.Ope;:t<Zhp|,|F#g`wKʃ6W{KN1׽Z'.ّ446kCiފy)f-?_}O;=RVTWbO%5IKnB𫴸tႅ:6tYJceueo!ZO:6Z_Zfg!ܘ?sx?u rQJBh$?h{G|0QJ]J} y?qm h<պٸr)F9__2?!#`gmΦmyG-rrd&Ϝ<b,9?-zc=?ױC9aaŸώ &vFF ~ňv洺\T%?hK.=rȐ"F<~T^VccX|6׽rմ=H|!xke7_}Ti֢->w0Y4mxc W+?=br[\)p,`07IQ6صp۫.^j+GmFo&k !>4аA@d5ׁڤ`&uZ,V".3$C!м`y__;CE P'b,7p8dE@ZG,g&zVWǿzj޽ec8>#>&`:BUVW7 [~^*fm4NIXc]0C!`A:+W}WY@sv:g;bٻ*H 2&C!`4r<$=TݻK[N4~GC1Oqd5k&C!`XuŹŅEBN9"+ߛ?p_ 7Eӳu\_yҷ7s~2>s`_z+! V\CI2E2`0Z&~|삱KW+kyyд;L]g'>oCqqc;oK8 Cno{b ]]y}:{sq!GO6Џ?eؔOE>kv򧐠AIIXH017lˉx"$sEa0EW>5xWA| hUL_'7"n\1޸jzX1kEt|+yi + ;w\<{!HAmJD^"3L`0Mz},4x֭*t}w<~l, ur,zh]'.%0swL5g؅^5I @C@١3Z?yEx+×tp%mu:S{Ny[~[WNҨZfҶlߒE׫^@4wzPn=(C!ΦK1Q_Rx Cy" ;+vжdE![ӊkݶqmnñzyy"b5??+pf3of~%lFn][Yv {tA݋/ͯfX.+ْYLݤ J~Bns=ġ6C!his׮2ݼAi4}B>>6xpoŕ.|x`B[w-و 7n`np FAq=kXgXET٫ys{c &@ʛD[,nb/=x3F@ WHf Ƽ gM3 p-ϱo^[\p-Fkokf F!\EN[cy!~[ƩȵŻպ\\g~Ǻr՗:_/.ՠ_ړxnzO+EZrfqSre|ؼz92>:l<|4f9b)&C@ WvVq՗ JAAH V˰7gڼi^/zo#ܪS~ gd];v=42|j@•zߕ;8Ovt $E>xis[bDhBXjqò eW.%zn4>8HHHW~ x! 
~egk9KįˑV Yh)3z _~=.$հ /_ٔ>2W"ȄςݪȸaSlGEϔp'X+JMwLnLJ` SJ6?q8ZtETHbď7+=z qYWM4x.FXG>P6D"=HW|L0G/3, QU["B) $&lU_d_)+u;k֌鋥#n5itprc.+7  +oӾ_FI OtQâ?K)_HtE}tg/ԨDhV4!8I?.ߙr_r r|" 7zI EIX6Vט=#reGGݝkBӺ\{o1rݬ^on >n^Sm 5^8 @@<-g6k@ҋEV~*{z=@Й[wYe4v0\XhUꄑHlXfz̞~({}#+W\9 Xf-fC1"fO8oLC!h!hU[⬛ Ch{N7)d0 \YHbsBnxrt0nh$3m`m/M2L۞j`i,Bu Ѕa2ec@=ʋs F:s >}F B)YD8qDž 3ڹìa:s/qS(~|삱Kާ!x!(iZaԋlԡ+@rV|V;EȶA:I!LI,X653Q>=F_-4.*n]X4oncia[$aiLEFDR7۽ގ8EH‹_du-$3 \-jsVը;e,ːknC%Y|9n_>ᮦ'gB+}]Ԩ0яdfAC!5j^?{tA~d;BH7"RP(A`Y(p:`c˯EfȐ,Buֶ5swuun!JG~S ,V55Y;-.\w/__f7/<5o!uwoIݢO>3g[F,BVj,Bl(ZkTpv2r\B–"$ԦLKff#ôJ>o7W= r^?<\ EgYZo7b!;EH}rYkFap\;8DmU+KݢN=ŲKAeVMb]7eG\fAҖ !cO4c[p`FϧHDn!84#ʐ>B!1Eُver!i,:-") 5F66JE?k,B"X#ߐkUȲ5:E^O`VX3 C! |˥=7sSd0-! >C3/uּUّ[a Ci!01녫f 4G 6C!rUY7Xʺ B}[&fa nWˊvҢ֖64UV|VMJ%FXK`^"#͵Oɬܰ0o$V=ޘ{9Wՙ+g|@#!p=o;z)4ukWy_7^&y.%ݹ#;ۧPaC}^gH^ኋ+?)zkU>TjyoC g7b%]|*ob6U:WHatA͸7߸T<-zFo.! (;>jm L( KW\F|WFkCQXXvq8plm^_Bca"bH`*8E J#7̈*rJxKa#i6WaZF_j.*Q$]۞7p3__opFճ5;[!S~`GV0j+Hؑ5k 8o4{7ׯ.(ՕQ68[HT'8="-z2{]}= c;F<]R.s|BV^ԊA}a~zm|N2`.n{a/[1$0|t+IU"+11^aVfp:DfO }KWϭ >8?^"RPTS4nΜjy.tLvw@ލF4酐ƲBdrʄX"pЮR(Nz:&yXVI~966M+wY0=NVtعm|?0t"0cĬJT%un K91Yyyo#SlEYǠ6~AlFh@zHC#hp` 0X~mAѼ^t c5e5ciѻ'~˖|P萏E|ZE&i,=Ee;mʚiOͺyDm0bH}?)[;)[xSsW0A~Q@gQ|ZcI GtԏCk:(܅ap]̿z׽<}WK/Eo![3G8vy-W% fdÜB(MVY?!T-)DX.gcr6џ?Ԍ2<$jTvG1Y: Xt 'ѹKgL\1wwqh?B)UÇKޕKi4HI]gd@>fs/ɢg IcvJ/ǏxzBI1[a21c ]mp®7`"x: @~\Mf$v DWov=&'oUp3VqxALsO+;+Ǭp?D[eNܻ!|~5…SM7DpWOJSTo_jZ9RzJDإVT lr $Xee5N#350rP@/ DgUk--nVr_o|y( ?~F+ݟS(,S|o>[2ď] D41u>D@ΞmHtE -FY~{fA➶mup5X֦h Oorb#~ jij3R)^ȖzC^5mo[cj#k2<|p?Q@N>g "[l_ZvOڽ-ɜb5ɬ1 u\GԯFkjߪ{+aVo\~1ru&p%ި )CYȎZ\~ʛŬ\Nq3߭ )&0 {PfTAe`I`aGC!p&α"C!`'I/Ihy[l^yGM7zQ5Ahi.~8 -\9fxs D X PQWU/R':m8w&(O߱롑uV2!`" ^K?;=Wٚid QZb! 
T}lcGBANCSA]fM)XJ>>0sL^AXuc(ԠAf^n00 4=uaS00e[ǧg-5>5{PHMw SGˆq^ﵜe "6=xǬdq:1z<]2r30ݖ>]Wn]ϲ^λ.>퍥FpeF-6ypbe%DrrJB|k+uyrzF0!EEXyC3k2<~93NáԻٖDUwJM> VB_ M6&ڥ?'i߮ZK< ꍕ*(>&mY"$HLݷwlxs\ʹ4jh0`^+27(WArzZnQFLլd  _4K~kjt:т=*Ҟ {Ϫb{txWO9 pO^W-xB͒QCx%cؓuqRQiia6"to/H~#9#9K.L# k`rZg0"U WnW> 껪] d0Z +wzZ%0ni)09oꠚ=}gR&`0B@ Wٱ#7K$7kbl~_>3r8tyXٺ֧%g;hnට\ ׹;Ү}<>ӵi=b6{K-T@PBAEgFSV"= n:Si鐔㋚h:Ydr+BfrǺu癵Y St!BPS|xn\D5rihf=ďCϟ )`stjOIU$kP5IO$}91(Ik.+AbXlx.Ӕ5v.]ǤMISB#GSH#PO 9 z|]q:sԕSS=δSLhtӎSr]RW(43g~o~W"훒̒d4FZr&S%('جkHü恽V3HFS!+ /a ިKCCT ge#J#+&&|Z|/r?ʐihF/aZ]jB=и7A8kɯM&lYt}t[?N{5z${ebç7OooД)-A8Ko*:p&mrǚo#[Ӵi"7uV%LN $Yży K\.´"ā1#Kr44TL*/$rوi{&/jp[A/O\ڲ (Gc0BژnR5`PT-ѳA0ljQ*mm&􆰜&Je'͎$5jpidYF*}9w8r ]z%[\q-ˍx(8*3Z" "ы̎mAԬ\\ 7/ǃta$Ci?r\(w^htӮg6U~),\:v>8 Y9ag4 Ó? j9ZXfC!hr,0= 3!`A C"fM1 n{j$:]CEUU h Wfv`L#0۰ZLAhVo{ 9u}^g{L!@ Sܪ|~U۶8#а+հZw5״h[ԡK0C!F@6~?jK]tOk[ٚf+w$mM B2YRSM TMzGkab-,V/iK³f趧6o]ZE*‰&N xpHEݹ|’ QD*Żq:R1^SB@2YҊY+^CZ DK$9DuY! BYIZ36N""BAT[[;lNQYuhshH&K& K -F\Jkriԏ%BVlh5\HظWǺ2 |&11'{;YnUYٕ:VJfձVdTD@"woIݢOבY94OǒP[22VFlmy^<[9X:<#7CMZq[H1rJA@R!aI'N才%!JV=5췍3k2<~93NáԻD.&i̪ccc4;t3r8tX>DrIZ6+g}<>ӵ>~:6#fʃϊti.6TtdM3mOuU?UDѮ:ޏc3N1%>StWw;GKZ=R_㫁2fD ֥rD${Q]Yy^3~ҜIDUQ^?:wk >8fIW;/V$uBzG/=rH0ƴN:z^ɢ."r:br2h7.*n]rӊD\/lXxV~YaMh6+ g7˫oZM w\zyr/Wer/?.[Wp񁧟y6+8]B^$aw7~qh!RqƏ:㯆bCL~霥 7! 
r7aytRwǞo(4`l@/ۡSԺd)^]$fNUWWa&C2 i%D' LPנ X D<9$QgoffДҋD?.hL7,B1:T-A $ S;(H 9Xa3YܼX,{āĀYέ'f$\a :@T~~R٤<[{b+u<ɾCBj*:||`悙X;zF=p#UW_ENZWQbZ5rʕS28S ]r*ζ##G`vf`x{eTbyey%JzNd0~:xxdZn0hj&^QI@ f996Eckc^C o{xMWK¼^ORUFwYҬ$50&`w@QNUwӧN /,0eHD>A79>+=z ւ¾hOk1pGڵ X \ťjOO*|6iأ8l?"Es8]K# +̉YPFN5CD&|BʱccCg`Mi!qqaSx}n$]C SE@auV&Ģ]Md~]6c`[Zɵ쯲!NbZ"h :ҭ U*T)Vt[n EKELP_nFAa{MiG\B=ea'rcjďLu%>Lg¥XHP.>[<7t.fgA pxrzRB.I VCyNL70螣hZQ*d>d|}G}~ 4'ЭMZ;w\I%1cWƚM`g;uާE)vJxVnVnA H]::|k@QNC?º >tYu&+ǧj_'b0lEwʥ/ur6y>g\g|%Ҿ)9juiOPW!G2cy㦎m.zt#IjH:jkS+^/2~ ,{MHS G#eڳm'蝛vFA^:j*kyČă%6X#Q TK:s:}F.yceJaEIz̀5VHbLC!B<4hcm@]0ֶG)ra[Ic:j6jjY!`8n{j-`Y]dig;a"A\+˥/L =-[H[aDs@@E Hnd(ɛ!g֥JQ|)ܘϊf+*.oRﴙ G%;W\Xr!u>HY {n\7~ 怀EϢHI\雯p-Hfw&D潾j![AEK3p9n_>ހNvԽee,+(S)o@*XE@S2HD|OODި㇏rw ^=|k_[5] htSXyMWcǺ2 |/ GL̉|[Ue$"|񺱜f)o$! w #%P| 7u68.G ڼHr|{UϮȆ?lY;OUflB3f|;l6ۚ=\xfM/Fvi8zאt?;_u|V."%v%i(ߙ" whN2/_. 1EwN2Rf|anP*Èf@He+ ZS[yt{ l{T(1 B~Db2Ery$rssrz԰(nմ8kr%7O4-v|?f5Y/b[mcQ3; Z2Le7ʶݎR‹ nɰ"C.0"ˋdbL"jV.]1wH] +2 #È;ݫW1 dr! {[;P؇ۇf0nܮ1rUNS`0EH} UmW" :fOog' `ri0ffmH%37}f֯=׹eM{4X @3Sdz:]O(i=b6{H1#b\wDIAK忿y$+ *Liծ$^NҸ/܏4;#jdhsB۠Ҹ]'wV O"ۜ%#j%pu=iW}ݛ7&x}yO.=|{齹*{qga̵/-MӬE"Lvm3g[sfZ9KeZ3l˹i8iPLޙ̣+?}~ǮFF6' c !g' B :Ejls-mOq\QGU_M冓}㎹m7 >^]$fU]]FjP~!H"C?{ iQ.  8&s_.oUKmPg!⩈3^,K9hE.kmHHTWV# TSzMnyY>3c2>#aw.ywxtq>>0sL E9'>wH_뷓QM8~5zT">\i׮z朮ĴjFɕ+wep^'R|U&(HSr9epbyeyOSN~N̂j*BOO`Z+k(K爐>G=1f-E2M(+d/??WzA P'c¹˝>uz`xf~!9gٯFmT?u%q];zxpHU[oƫ==bzlH"SoE2C4@0%Z=Ip4W?9ZB[aBXɞ2-dݖ$wͧ(+0U79?h.Z;|Ynx9B$E$QNrMU#STt[n rBd'.^l>X5'r|vScd2ʥ֩&~g$+/. s M9eE@/]NE=^EZ=dR ʝRHCB`!N>hO]vºM.:]Ihru~Z; S Z@>-<+g'd|]q,>p/Qcd&1Z Wn שđvI]̜MW_c>Nfʌ_F'|}Y;Z|59KZn{wvUѦ]3 k LlH.C;{S69Ĥ%Xr9ehEB Wjk΢R?UHc+ Us+* mtY;*ZtζKקI_O:qű(*i %$pK)ggRlX߻)sSp3q.죰GԄxiqGfǎXM)srW`\k&!-? !GyDl HHҵ9XA)#R>}tTqo܌gf$"jd fk[7:jh_&Lpr|r,a-mOE10{Зq׊x)m M_ߨW) 4uSDXx(8*XYm`+wUk͵/UN@!E$ kɧ.8H8~0PL +&fm 6U~)|Thk$t1|p8;{{{߳rŒh'LZnn{j`q23 @A@`aO4:`\۞-ڳ3 +oNW!hhʵy:]CmRϡ$ 6+dr3iC! 
m¢B!pΜBWX5E)GX3`Můrg%*_"1 •n:ݠ4m_>W~3D5fv%.W!K]AVb0hʵ5hYR=|!LH6(f+߱z'*XOɑniJϺ]v[ ҒQBJ;^ iaϙIM'\ݺ'&d梯O"&֢#rP\Y9{IqߤOl|W)xYm62U2_;w\<{!H& %mJ4g|8q}DF zt^:z=ncR/Jɰ; @4 (4kU޷u}_tߴ\t:0e/ •k:+}bclDE&2'2wL9ٜܝi;H懘Qp咭 AI=XP$C}l]V$4ބH0)vypTK:'dDBؕ[u.n7E{y')"+tVΙս|H <֕*&ƃI,4rVU]롃B:qUHЃ|.+gDQZF yhZ>m\2eW(C;趧r@$7bh+'{9gq8qJ[۪\dfI)e5Im(c']DwRgL$t}t0)٣ vV@'Y3䩁tku]$r~3[q.JiЗBSW6>jmw{bZ"oxU|.7Fp+ҥTkSӅ5'X(urTy~w)jGͦF79]بoѯ&k=rUVVƌg(S.aCՕ) )yu1'͙D5$%u_c{owv9n$RcڂUO=`Pk9n\TܮPa6 cS k9 GM'XCT?u.꛿Ve]'i;qKUˏ;k#Y ņ̣zo9KJbL#yʹL-깨6lΐ}>zw̚[;URH /$gSPTE,—A 0lˉx"$sAxZ"*=; OEu 4KYBb fi`"k*dM@,ž5|?$+$ V ´Ek+`9WqɖՌ8uzс4,G\T6i$+تr]h;ɾCpPaMH灏\0Kbdw\趧sp]k3!PEiՌU+WN5jO)t SH.'L:Rٙ2eP‹_dCsd,8nQIJzjR?<M&@5 |LȑDdMRP&k`ciڼn3\䈐>=1d-7k,N!b=ǫ_TTTM0GCeﳤYIk,`L;UZ =|LAMO;<J= $/Zw3\ߑvk!7WqӾ f& vIQQenf9.dG! W#˚DXhX0dZH\x\0ev;m7lQ^Q"pt4meZlB,QD4 WTZɵ쯲yIiULLHLrK.5(jKXl@Eg&ʌ!C/3/Cr|IvsXܔҎ"b ׉@8.+wkd5A(%.O?J=H?tYu&+ǧjl+o$DD? mO;fNEővI]̜MW_oJZ]|4yp B8}޸p |%]-HRZE*ԊI^ҩ#Q_YVN_wj&ч_Fi϶wnra^>{yꨩ;?3[ͮ^VKXchp':'кܿ=rk^]:w@ !\cˋ `{< Xg-m% [ᄑ7eÛWުLK8O˞kxV\ޮqRP/$ka'#YU$idMZt=&qڄ"`;RENWTT2 m|%LKm^GfqpoM:ɤ]{{-vQ D-_QzuwHkQ$.*tſ )sSpq^ވˊĨG>ɱ"Ȭ\G.MO8墤ף#_<%Vo$g$gte✉s ]!LyGHy9nT%E&/jp@I_e7PuI 1E zft*sEIS7>8 2t۱fz-]M~ d9=CG Mx/ZgҺ_mru3xB͒QCǢD w힛%%χ*8}s2D"i7`X%/R.,-A:<>1lOX\q-Wu<}aC= v]Y E%~}Ӭ\b\ 7,"!xn3d G .5\$ρgk^J˿->(:ٱkGvM 3>C@O ikA8h"`0"\`fv,'ja07*L9C!-\fǮjW`0ටG-݈5{D{M, ,eXgF[ ņM  •cvlWUX)څߒZAy-TrlX ".@V߃s=uz'{HO~ Rb^o"^~Q ኻUMRߑaDr2IXV/~/1$T{{ߝg]2<hh©EZ̎Uۯ$؀v?? 
%<,ͯAz_r SzakжZ'/w'N\:>IDAT|^b%[,W?`,d+mR>#\p8 䵆( fIu,N?eB&a2[aGI Bd<^KvNض{S|#9wϐ =]ȗc'.G@Z,H1-= 8ž5F0ZbcMFA"SNVH{nO̚Nc)TvitUwv厒R`9dgV f6c-k^7flZK K[S9N36wE@Z PvQ.Ry r԰(Xl!zm)Tvi0bbN+wl #"h>CP| 8us ?eI8| ɿv"3 Pu@m$.$"ܒOCa [T+f@#rJINۈH`"NR8ѪH~(#K, !C%b`0~3w-`sizE@2IZKfAR0^."ʼnOsOo H4mS8٘"mOeFE!'XtN,`okQqDlqsr:~sw ,$26WO9 SZeAP.44hh˗/w}{ ~\DN";[xQEn1+wIŮv۞x?I +mz_Bt/z%{"Ф MxβJmW Į"8n kȅ7 =V!r•5;v"vU0Vh1`Qh0!ҭKҦ$e1v!`h]]]흵cwi*gul7⸝mO1d aD{gBU:~!`AEۻ(tTQ7rW &517&z% c(H5!@%3Ȩ#qܘG#f-u"=uIy =MtOϣ{k8?9s8)eD5+w< 4gG5H-rvwwu"CP"@mo󢷸8ǧf.}(0/B.'pE ,ߛqN˅3Q"0.']ڡgJ nzR> trCрY@#,BF=ijzo:>㘝7~ce0#gT6<;}ԙ  >I5Z1 D< a\UP%O?s sJHā keĬoP]ɞ9 @XB&=~W" ]W)ڏc-rVcY.d.OɧȭܒIаqD-)  aHQ%u!F=I+8HRRW84iN[[ą9/,ڣ'Esyͻ]0Rrx'r-ڳ9ۉ,BΎ@%1A)!!8_O<@ֵ[ˊeaZ z=[{oWөt 5Bo95DLSa牃E%Y%j@u+ KIaߡ1g*!FF==I=(ۺ, AG򸠴)Au`>L}:'H#GbqHpHwK- d6bq lWnuC;BM#P#{W$gW={냝* [IpQ"]+*`A!}uE!{ MX 6`s`!Y6^+"cOʕC0e%ˆ"Z8X[n,Bۏ5""xTU9zdĠ׻յt~h;I|@h1bU2DD @nπ4@@_8؏BPM1!M!MQW!!D@:5zN_!V.Y4~4[_.8E+w,4?o`;ilҊ+N-DA?7BydfP2\b*NI|yC@3|p (\!k6 c."`TEH豧.vgY#OtZ}VDKWz(/8w,۝Ҵ2&[ֽ֌2F',Mz鋤f+~̊<5<_9UB@_2ݍ,B*U pjyכC©-l* غl U cb22b%'-Yڋs>k_mm?pJ↕,WzLwCZu\1#۾>]}R*N]'4MהאR뗭*:|R}H8/U`SYӚo!X-G,0~vmFS3r2U!ޚE*dR4zN7UBد7ſN}&. 
{Z=O&;vVWp:4\TWpUq葒t" /Jwz{93\!5BR7 &Yvךג,a{zcg){z67!?L'w@FUB@ |nByR_n_?0mvS"\P?C@+oi(+R^Yqq\YJCFp2PH MMˌό7إ;_Ff=}61-44tuuI\ڳi<ל4&dYcI,,,ILxk[~$J R_2MK 1=,BnJXgW^R;Y`-V0j5 koTkй~"fWdE 8)9yrvhW2_831C{D@W>"s:Y,d }%/%j]iEHOf%O8 @s{ƧekSfab _ kdhc=uEбD@|!R @@FW;h" Ⱨgt>W>E+"U`a7RF=``7l7 7buGawĹw]P^pXjaPeU~ocٗANt~l8є I#MT6qdkwGU!j:.WaxW>y$'OZʒȻ]L=ooaejq{<>=Rp5ohAvJ~T'/A8"?d~k5A(9TÝ"ֺk+x!~A@U9xŦn' ~*qbq DwosOMOo@Gbw=;5 j?}f'yЬG@gȊ|4E_\:wvب;VdMOBL4 =TcA\4 XV[-GA,%5%oM5Ka+T1~X ['Aݸ,w@ħ'f'+ONp)J.@VCeiK֎>S~#0eYAc=a)@=䶹n Gm0GwuغtfBp?pS!bJHY|GSr 7wf,p:ipXTsPvu\~^zٯ۝3`xi1T%b/H\ >haG88rQ#W!'?:>ƌG:.1Kp{L\gaE])\aTx@|N[xv )SJ.Wo_X8E,)C`oJ1K%p|}&\%Kb}aHN υG|7 \}N)Q\)yOV y SN3 <}[~=aɇN 84~[Hw6^VdΩ!4mw85}WB>+(5M(Q,\oJ9O~5nl9T oAJ`,v_9!aM={v=c9g6bqxwR8((1K {lT_zr1(PQT㝛^r0*RK1@Dh.>F/+?6GHQD3C"@̇n'*D{pXzѠcO>J`Jt?.[iX" ~+WE)\a"0@>z|EFL;X/X 5l" SUy@ "#qU" _96{m6<9 XlJh1+?!%D(spR+Te*#X_ءpQ'>:icB$[/`q#!Tm<)hԤbV+:=zԠTG5Ϯ 8om{mpJ NI\]li*]RZu*mF󌊀*S9 VɈc,dz$sƪ=?^>FU%'#EH`-F@@YtdS3X"BS"4p'-b*W*OpD%o@!ixm`r#l "-rr#"_qU#. _9,B4ho}ԦTtj,BU[q~-rr:?6xl}hv@@Gr+lb {UԪ/0ZX*0H ع2J#Izٸ`2ZLJW尯lە4q*}?ܗ }P0G_|Y);Y1Ն928΢ 6ȣ/gˈ6V6tQc_x.8fآk#ﶟHCZZ \L"4G,^Īom4.[V|FNR\oȥ~8:unq,s! 8%ZLW嶮N76)R._9>;#+B! P !3jKT..y[E=޹9[XS",B; ,V!rP ,x}G/D`#,B}afߡ@!# m ,*U""`xp*7|cDTn>"] D#S[ Grw16@Ncl!"GaYIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/5.png000066400000000000000000001163511303637203600246760ustar00rootroot00000000000000PNG  IHDRjziCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx \T?-?=qL}! !AKPKk)yk^*v xMOLowfϞ=ڟzֳ]{?{~vg8vp\SAsHsupHT2JJCjAP]D8U hT(-UeeaٳZxUV!3lG>5S!xAlGN0 Ay ?S!`hݎYjk*8k*(8C3a,!:נsv5U"}mEqQ2@@h>,_f_׀ܽca%%ɜ"PR"Cw>RX>Co[P* #]*^eE\x5/Zuj[j ̇4ӁhEW|}T+ 2bKF= SJCW5> *a{haB.hʮ *^ iQdD%gm8}s_L!ĜN#ل%6|@LȄ>}ZѤ-I]{W.w1 #:.^s^W琳GdtؾJcm˥V 0]":҇Ʈ|4|eC#y(h{fW+L6ϑlZfAa)XjnJD2m2Aw%k+#zETRUcO8!jnQ%tE.͸tqƛn~;N6:F  })7Nb~"@qXdPYՖI𮁳vNF)CCA븒 Ga@ ::Mʅvxd#mQVkzM.I %$ifA7?JG[N^hi-aiFR0E{6EOC𻾪*Gؾu:~ X(ۂBJ.sB+ZȪkP ztҔW+4 ?v`UycbC ǝo~1w`+hxnO(W)8DHp^ۯ*}h$.%WЙ@K({󏓪M9(›0)Qcs5"UGOW~M>ިq% 1Hd QDIT5!PrzߗLhT7*97ͯn1p> m)m'P_5h9ڌ x,gPpވ>jEZ\߅L;ʆkTOGLcX6+䣴2@!t?Y/)>Y7P}_=gU}_&Vށ׌uOտZʟ!0( Рe]z\_U|G@ɥ($!Թ83"jSk(셐&b#FOa+pq|p$I 1`-Rg-lDEݐq#uҜR#/4&GunZEΝZmCJv$!n`.̄LԵ,pd[PS-;6tp'1J^~zx`6qB[k;uQ  E(*G~W+*&a!S:B` Aa*\4ˋҍѹ_xD!'w لH( ^pSpF)Mj 0M75ob6emA7 ߴV&h' \ M/79Pm̙ 16pA>N̊_hqn>TcuvA8b9hJBWZ} M,R!XM2`Π gU&塘a)d#Tr ^gdFI>glLK 3V"puڪʋ#>0\ fN8&ʖYnSX;ДH~"I6ܮnW0&Ӻ+Wuo5HV^n}c& йGOAEAыg5tCN|y~ҧeXu=#nʉ0xȕSrXZ4ߤQ 8kx*+e08p2Aìl}( U'GTTTHu*x1_8|YkC83Nà()kLMՆjcdh`Ehf<.~Ĭ GWyE@*HNIڢlKѵ`NWl |7[H1K\jP¢e36|Yh%,9~w!9Q>(剣Q|}$_*/4ĪkhocU5c:;J u`4D^9[d᫹ 
0oM:B(k{H 6$.EѥFxo.\5ڻt \iDa[BK|R9]}]vJƴO#PFtiNolcrh''GX|5fwbVI,0! 3Ol/$f񯷑+󳥩o-هl!5 sN? |ݯ^w-_#\>\Ø ¯:E3q^J%8k\1.ҤګP J?-¶4-QwH2@ah W9.Ӄf f>BK67k9BxlX)sfed٬CK܄zC7 &rE*u (VԊ0y!.~7)x-z!NT_hn(]FC MgyXNr67:t{;(ĠS~ut7.k񱜡 ՞qQ=醍"6KaqW+N[$xђ"g¶4m|9&מhEMh]I&{[ %%jEDKQR0[$Pp!lB-<P]M}7:PSƫP(Zl;șAZT5X'KE֜ւK5Хa]刓 aw74pګ5,:t7s!xXSnC!W Wqcr`? :ԁ-<{NMj1C2U4}]ڪavYX_Xoc W#l>}rgA]0fC#|3xdPY  6ʽ<X+ O |v|Ot)`x J~o|Sv A6Qi`xGk+)/;[v5d% 7#Lۑßf2 p Jި~tD&!h-rc捗u)L4r]ʴԴ'yֶ3>M[9>6e{i@#0tP:\12&ẾXGj{nM|2|/NR8z1yj+j]-߼Gvxzvv/^UU3cSvCq2&-c"f/"lyӧErIZ2׮h'eL4sޟ06ݭ9 S >*{cfh3 -E:cX;bP+JTٙ)Pc%K1{+YWX$&7dC_1;"g> ؔp%LX-3f1I۶uN;wUc:xm 0 C6gf?7sr+((8};vBCe" XX4S5(Bxuz!ɂ￟Эod/z] $>3):#,뽝c{"W/V&|uV&a9짥CJގ($1iwݢ&{g&LDPۇ$  f=( ng@[!֌IG'+@ ݭjw|<7M7B!I qk VVpkl(%I-s_rx\ظbF< #N8[?Oy(?(MRGG=񑏉 l ɏ}R,T(NrIxF<6A!o0Ʀ C(18baWHh}TbfT>ɑy/A8>ָ}z9ϰySQ݇ΛSz63߻'ϔ-8I䋪[M^q…lH޸q4#͙ǫ9ccI2:1wmbI==N߹jѼ99Gyr$ᷔOV۹QF͇oJg/t/YC٦siشic$Tމ瞕U0L=2Ŧ Ah(;_qY{9o)zMB{𷜼Os>Ǥӆd` OrIxYYcSFDD XezSV]UFW^L騤7f\~朝:Q}Ŵi^j5ګW H?j)KU=%2\aH1rȱڜ9ôv5\@2iSQ#G|BXR/QK׮D[C%̭Ċ6 cVXk䮽6ZNbt,g#l`Mw49OnX$b)6MOb Xu#rhV K'%uY1 Z7Y8$|x#gicӢΜ48~~1DgguhH1%gL>3XyjE<>N3}nҬi-!uCL:A-'( sO2aD~ `덾J̌˘<==ƌ}bcctBj+cs% | N4@jt,7d9lش~eTgvǒλ$,ӆ N߮cb9 ܒ:vYj6ҽZދ**:V0nhOR hb&۱{`3یs{%0~Ĕ+Z%oK<˛mMy|75{nYN+>d Cs V" m>UŦ-,mwqQSbҢO tƜ,֧q`ʷ\tk] )cXt:NWW;B 7WUgJ/i/qA% E¼%f&19UT(Sʊ N|2;ErQ1ɲEV͇ý+xpuV!!i>G\ywd&!p g40΍:06 ;FoL;cJ7x{sdnbX-Wf `cy[- uXEpV5Y[ʛ rbzhn4󏡴ɜt!pչB*`>U:mHwt8LoFnaPots%&kȿn>'gl.fWW_70?H2O795/ɑE8քL묈!"4#=p+:ʵ<?H"m˄?yNV*l2Tcby|0]T!c! [B1IDsV%Ȏ~tt`p ~ ܶ%!—XNo uMټVC| RL1pBen3! nQbpag-ɚ|zSs_R6f| TVV B](k)_+=J?_khlEx#ϼVZXSS! ڲ:ccCf!bIldtw-wKRY/<! rAdR]i\\H>][V$[DW d9k83sdLLd'ڒ2nC@Һdd!Y̙f<.n|!a؁ƮcM>Ybw`U}__+2HԙtsѕZ?Ȑ dOeYC=k? 0̽9{).|={?0/-P([n(:^3'iEB 434ɖѕuk׮IGW2k|kTr+ ɞR&h=/hÃO^hCCCǧ_MqPVad@C+׮9q$Gx|岕%» .)>C@ 9=I)4uR܀d6_/%&3D>3w{sO};]y=1IÒ:(;`D%ؘ#wr7aΘ2 $J&-%2nC]pޭ;7KԀb,m L߻ /L$8,F0cl웫K>x,)JDWgba8SEq@88[}ZDM '̙=&hXpkɋ+> |r>3' 1géS !Цn>YW1B 79E]󎦰 #'/+>1Lk 9q6?2߼twKg9 #`}a7/s\x25C `|ϦŰaC!ЖJwe,VjbCiCɋ_:`XD m*r3!kl}?@1bb2߼4C!lCٚ C!`}=yBD>X_@4{0"C/DW1Ѳ5D\8! 
}9.}\WE|s IDAT KU؈X`}Bp*{Q\&O0hCN/Y?vlDK|XŸ| 8%AOɘl?Fw/V\Sh*& b!%9GH|R~DRC'/cdbޝ{ N?ВKօm]?yyV[kGS *eۂoH2`9޻xBVNe$"CF|X5Vl1!`K뎵j1~3~9S w ̇;Pfm0f>rXY@!VIT3qʬ Aa9±~40蘹1aGa9Bļ ;ܚy1 y#Dh|Pw^Zǜ DhWIN~QaƔ $xi=I`~ oB9-eC@G`#;ѰcB;+(i9=Z0?X4EÑŋcB_ f!WŋPV`Y%޸h4>.&sּО-U~{ǟ3o{אy-LJz3^=HP"|ȋ_aA̟;ߛϫt׫bʸ6Ap.L|OpA2m4!C|CIښ"JQ?z{Dm6V.=ѡnں 0Q:c;]Y-??8:qYB;~7,!f^m>%;u:#V"sr^_wȴ$_[w*8pfl犍1 b#P~[V8dLV"3l,}m~OU- vE'%fw*&x9 ׮]Ct(2NN +_06mǟ|nI`wUwKM[;4EJD a;؉D[Dt(}a& [xՅ.q >+ qswX:-9]\UcC8߉Ҙ(O! g>HMIQ9ql?8P^} l|z " g><k!~/׾B?@ 66z B惝4"Y NLpX/Y/;]&~p?EN_g(N:ճN=8g۱f/ף=-3޶Ͷyf:.+;\?06 CXU6hCs!Ј@:b#d;Cg4r?N8(xGeޅcJ;ubÝh-lڽܹqqd]J{kA?Mng#e0Pr _WRZRuS(T*U>DoHZ#8~-.)j% BF5du,G*6~sP!ؠTp gwh2Dd*Fv8G&XvcG%`6QmQ_ \/̫ g9h> Qxjq'긇'ӍQCoh0`A. \pn^xP &<KA9ڧ攗0M:{P^YiYTul|,W(M>ފU+q`f00X]lN^ji7QNh~" ^˲='PuY^xx8ႇAC^in&1<%ƥxF3<'Ǖ/*:v.cRFȟB>+//ܸ%vt&MႁXqu!C̈%?@AMHtzcYN1<$(3rH6ʢ"FP %TUGM.626gć#,KTd1 *ɋXv"5%dH8p0G3$Ѡw`0`0SpsHi凕42a!9d"3"ŠVi6 O08j>r1q?z<]` oĕ_RRTUAɰ״tutGRU]NHgr[\`vu y1Sd;RNXHo},|s/p|\S1n\!\ t&L" 7 _'hmV8h$+K|0SHPW|:%W-|YxOj% p $r,Z0[᫉־9qGyyD`ZtdCu}OI PQ'"H.Ep1`5t`J]"*:dqJEG Hw E]ۅ0NAUB`077IbTWW\Šhi60(((0uY಩PA+:\p8Q3g<_k)jσuEZ ,ݒG'vaQ!oi]Ysfldc.A9=?*b*#KzU6A ކ Cm ^D w::8$Q܄XSOa@5hH1Q ))3"[L8|XW>p&V?$Idfs{>/Zd̈ct[@i`" K r2lA{l}h9N NŘVv!`6®!f~̇KF>͊ F_; k`X.ėf1r|΢س1Zil .]Vjƪ+WwR+~/9#bKWw|4x| FLZ_ŋt `0`惝 XY8(Uc"`׆$VI$mm&ݟ:̇?%6>eZF62'K[f:̂FsBoz] .uFB?8~xҎ+tKdOS;:kFBqK3-pKdLLKQOifjؽz^-{#~_x? 
Nq00g$ s?Nä#zú57 iJ̀2sh>#m͇o{; ŝToUonJ >6yݑ9K W&wtΘFmBH;&k$3;1Bdٛ;AYCicׯ-"kƻ6(?!Qm8YT~rK/lޘ,v#]c=r.vQdn0~b?lѰ^ %@~1ac{͗'BB'!;.N2\tL잊zԤ~%%ZGK@jǎ7JL܇D$ 2RӺ 3 7/́XU8y0#b یrׯMe\_c)h㦢 \7UUpԽV"B<35m.@Nt~"ّʏ?LEݕ'{*W4 ~ S @NmXX `e"@h%O8E!MJϙv!hA,Ř'> I{*2|s@g.G0lq'Quɭ6hsi#fr<ͶNΫj:|hg{U2 䢡%Kx{^IF.N6 Ӝ A-(cD;;jy|xpeX(if>c] 2t'N=\+vp; 36bkcSΖfg `8+Mˎ|Ѽ&xN.UuV1u)jB~]l䴝 OKZ-);ujr8fm~RyL!r sneay؄Q!!k|[ppfW:NL/JNe.g>H;es3o :gqeeQձ:7B M_(9^Tq M k׮\+ eTtTx RyI  kdsĤ~ޏ^/l0{s).:lzT%K0mGI`x&C=[^^ mOz0)wXU2X !5u2By^yyIl#]sȁ+MLYU !t  Qϫ.V`i6u\1 8׵ȏ!|+* Y$% [ma$``7` 4 l Rv s5pE[<%.Нd?^m>T`{XE{vX N$N!CYIV WE{̧3`e`YGfq-ςBb/+- K2(;(,*i a]UB z%$$p'#ԁ@ljZ2rytrqiqaQ!V(uTFIiI9x+bذaFBÊ,]);)%ё+1Ah\lbib X!ͳ"\ZFDlp6)8}*"cJN3@a bhX𛦨`i$ͥ]`A/1Eo[b3ɧ6c:P/|H\.US棸橇K5`]O'vhWN҄棁Vq'SK ,߫p&4_6:zĨ2aa|>#P~YΫ:4g0f>a D{>|N°bk` ŋ1vC f>` ;y?$aCIvGF: =_VѶ5;=_|a q78bVL|a* [gnRe3°naOKDd GaqD}5*Hc<~Mw8D,\‹Gтo׃%t&@vo;db U$3m&$Y4Y}Wu8vWE b9s0T{`bh 8uQ]!`dXU+@&7^"8 yQljB"@yN/~@&ʳGo| r9AuIzA" N02^bqFnKF7gX 'ꋰRv9i lgN/_-zZ7R?Ft1?2XΓ3 KK-WL%睭%5%Hs4CM-4 vjhdXjK!V Ȅ) ֚WrDLQXJ@Rٲyh/BY *T"p$Gl) )8Vy1ˆpS`#T]2+$S&,X `xd#:lK^zX0lm 6l)^ܢE~K%#˸ҊLXK}qz-CnCдj8D-mNo! c"Q]hKF{̅ HX*YRdh+G/J5홴 #7F⳴rc  i)dHGX**"獥2<,A!RX'JmtgY[ރCiTydr{:zMM{r3 _D1axd)jlS/uO4%M8 6#஽֏/u'j}7 >Q`:0|gx#}E}s`>:3X_V{aUDdtE 66ݏ;ZN?>uXl딝 0 pC!; `AX5Cv0^YZ~b>'mM2/bI{iEF0܆? G?i|!j/h9nso~n7/mek >yŧƼԁ@u|MK>8ȱ^4T*5\AKNpIiI*g|~}uف^*nC`_ǿY-?u~'ֺ;Qq"yC`8D LUH볲⢢GSRt8S(SLEC;R\Z#~> to ]m|mMONItc9ȩ7K6w\y`vs4~y9:NM{:L=_R7yv+kW DхZt(s0=vR41/yJq| D .݁rH(JDQ^^p34:7=zT~x4,6 fɣF$% ~ATqå~n7z*Tjt74]w?sn;sٶf[SK?^Bruw\b2ڝ3VL7%٥ߕ"|=W? 
Woxx8?ÔkDEx&#㙙%Gl)2X"/ IDATD[4/ u%uɲS H]4M|n&QUV~:#VA u,_3"4ioh[b /C08WؾecQ Ñ=G24L7a~ȞFS_J2EtЫ殞+*14IݽlZmzJ:0e%\UQd D5K"ŭOJN$I:'5- v'EVW?;".qʟ*k eX03[XF{wĂ;u 5E|R>a\u9%.2 9_z'뽿c͎ zԃR\V|+åb=eeQ7 rMs4_D>DHZ %gIsD*AKy@W{$Wb1IN LtPuMIIQW'K3KgY@o^QDm=WZK,I"[s>aޭ#[& {NCM+^$6AVP!Zd;ՋLfNIEAYi",KvR>epfRf??6MyZ*I6iP;sf4Ib|bg(%,t`)Dl+ld9ރC)#]EMOmf^_HR~>1|T9ab0:+3 9hL;&:ޡԼsjTzv^QYYB)qɅtRU^ĕG;Vѳi:,7FX>w2Ԁn4#*GG  .>Y~_ #h E'T0:Gmdaq}bOLHï>ԘD4u~.J$i'vR:G\2Lx$'̚㞻&>4tSNH@ICe[ iv޻x?bV"\ IKBW"4EfJ AܴyRh;Mu)CSߦYVx6M _0E$Uq$9ݐiu7MR^N#=w_~}uXp+ܬ1#n]q&!h-|AV!";.z|C&!VǬ0ցgp+K?K+3v cf؄гM|7?!oc $ݛƅ%ؘI'iͼ54_81!, (*6χ>IN~hrRXc Tf>E36d@8@Ayk;czp2ۘqJ}%cj0oc\xZB;>΃sW$%~"T 6߼#/W@o|o(9T~($V !@BM ^ Wc\̽q^ 6*6vLɜB 6d5y-"(C{_vmjV4%򈔂g*n\`Ν# ikxO$0caAU*.NziM~0MHPVVOpإ$O!EDu =N=A u"g3Ym u6k+['9zp\  pY*H"hIjaSMI[@0 zKfszLCx1~@\ , ⭡p`õ%*$9(M ݔ&bf;0YoWEv$E& ܂:b$i%̗aDe2<;T.rSS"skY FXkgl.] D9ESp U\Я]Gq UΙ0Gx8Ųd>4d .k!fe},4*|92Si=~r/3g5pP9^QZ5ڙO V^$ h]J@HUEF?V\n0_Wi# #Un|`A`C!*l#s:w\RZvfKL') (|X9o^(}b[!)b M9˖-=9ɱ1:uڼdEϛ1*÷f"PX!Y6f'~Q9PA#\陼2dj-Z\\zF[WgY%?l *:7 fARk4S@YR|fZyT!~AbރpZ7sБ^x'BXgi"U&Bf[Dv嫜Сe-|s_8nI/}cr" \kR%aOT_[/.P:]X"Z,uklkELj/l|5ߡX& Z%!{"Zka%% yiQCNtBJ/l!D  'C;D{"LHWAUь{*wúc+uo`$R%QB67ve}[zSSze:VsR.xk6vV-yaodd_vߢWZއ{p Y  `|xÝW{dY~𩇗w)ŖN*5nȨ@6…}t#Ж3x;VN=߼ЖWTVIܻF`vYfx@ ӳr><Z'-& bQR^Aϵ+׊)?B P5sGOd-^Ta C\~7=<*:^Tu O#yC;A7ܼ@o_'=;~O*P+aJ0U]eL@in&1<%YVZMu:H"f>*++EԟN!Cs[Kbh P¯4 Bb Za]0!⥁Ҹz61>ш"icŁG3z&(B,!R[=$DX*"0wq,AN=I7 7D"hB/--xC[䚌BښykI=fNw>c’20OQYERD:UΊU>1 a#O-Ke'eҰ$RӜ9HQ]aQPP`g4*r( ;O^Ãɻe`C@k_ m~q5SLďU LpmbƊo ~Op/i_uM©]w?sn;mͶYKgR^x>t঑PB{bC~Fdtfncm,mMnר(2`Uǘh)#2ۗ}hy,33a.'((H|q|^G}+m|3=̇ӄG7 ?xDDm$L&4; MPޘ5#w1/~qӁ5kD((Udl#ZF@XC+Ү1AGǙD_a)e; 侀gx6YdƙՋWfwN\?{o; w)Zb.dlɒ!lA !#ԥ0)g0;b = '|2}t|6$iu-$nuO>H/%d'O=㙋3CnSVހ%.\<3?\=d(-r(9q%܇|xp'oHB"W|m-rX Pzt롭&]5 q I [ qY3)OF>rZ֌E3* CH}k^^d,1liN:o[E"90v36pY˳<_9/kWԵ=Al@Qkc 9c2~^;G=nz$Ȍ s ;( :y ~S=,񷿺?_^W_̕!9*!ONԍPceN-vJ8d0GFN_BlY{m\CBQX'NEG&dLɭ۶#d-ږ.=ѡnںoڼ Cw*,ݻoo~fL2ŠV ɢJ?555(7zm۱m m۷WE5}%B(ԋ$y^:zԱm{>?J󙟟4}d@7PH{޳x|8ҭˠ~EGVN}n 
j)*PA⛯ijzZ]3BҦ=si3͛3đG>G>9B_[/3MZ%vAm<"Q?<bfl⃠ 2A'RDZ򡔑ݢ'GR$/xˆ7\9*>>wgnލ>7GK!ږ_WX|UoOzaih;7/ټÍ涃dl#5,T\/J^A]LaALdNRW2ENZ 4M}!sD~Νoh/d>Jq=2A/2,sv6Fzv%/{KSHhi$%TLL)iDEO4PSn(g/}a'w= A6|f0{>sp\8۱=F\[EVmqA1tSْG>x3&z03(O6N,ŵk:Ddu#ʴ]2yͤlٴ+~k|D6rn$bH5<Vx + vG%p&OϼEIf&, Q+B9B)<3`ZŜikl |cT#nC`ɽxb@sYp?\%ʗ\b8۪<凇?񆘫dهpq.)`Y+A!Pj.B`Cu͑~F~_=y\6^6a#f 1E-^E3܊}Mí3ĸ6#X-r #3. mXzJjtu)3Fg-:eQıcm*`!d*b޸Q{Eܳ ;|WuK߼r]Oyq y5 =x4迂ҧ _}Vٮ5m3TMطmm9+flPE%W\R$]s;ةVdgeo[mY#[xvh[A@ҩZPPNGu2zc #{d.ϻh 6oGi><+.CKt@kv`y/OP[MLj4RzrJ\J3\^B3b h+Ulxa oC,Ѣݺo=q-^<>L6ﶋ?#><񘼨gM"ԬtqM͋퍲m\N@͇D0.C7n^eN8)dt;0(vo/r81k\:iB6zN/0;nҦ(v=?mɧ O~Uk֭iBQL(sFFF0G>ľ:^::m։'4BQL¤{ɏ-Qk,^Z~:) vsonãq9_tC1Tcy <ʜy(J%I;{ߞ[aA!ٜ>uڒj'U$\꣩"!,Lf>h49D).-%D}}B@Rؚ׳Dd[=@~B IDAT@tU\hlW$ DΚtOҘT/1)__"!!) xI@1*xȼ' ?R%B^KMd̊<<62O \R$eҶ]aoa}n#c c!c1F}v\ ;a* 'G+%oXE/Փg@_J(}= +#X%R%~t-`OUQ14pؿc:h5 Ws7oټzY:@%I7\2z&#Sؾhn;${-s aL{jظ IZ˪Lp`uB}Q~x1w'.!艃&O^ .ώ_7/z6|fU-{>7zkL|u #GkZ+g&Zh5TM=S/J8KtQ1%JΘ!ꀳh˒p"0jhI{aqVLCj.Gu+c$\71L7E]%'B:M_UVVkch0GSǝ-;7zc(d UH 00X髟VJ#pJRmIBQBw5PUUikLjX1\ӑۏdM 9#?(fj7@Q $)"$3zopJPj8TFߘ0ߘ19˾sνfuy{޽}{޽Fȴ}o:hPpQ}bwS>hH)I{+mA_ShoV@ ~}̹_'acǎ[s.z:;υC|BȠ--rCfC_\KXmP@Ōihh˩?KEͩ$_ Щ["?X+.I83rbeک+-E>z<\_7O %j7~aLtOןaqQ{G;.<p[nh9l Xc ЩҤ,9 OLL y ¡Q/p4"tm>)-(xp%/┨舏iJ D'@SW{Uo_[zse*4=夗+V(mB鱏>C=q4vl,^"h>.#K^ 폊 OnQ5P <?1"-.a脒xh#>.I;7l.~T$aӌH5hk'L@jϝvjk10/{u6KQ]SXA!܊@^I2|O_/P/2e Z;p(M>*AH/1Z[ 4[<脎]7iY^4gbs5aXvWd(ͳQV+6яG##Ï{QStym|'!Fx3/b5% Q]]mh5P?RtI `?HpCcMj8A(BVpJωA*1&,$=煐+}Ի`O2 3x`ț#@ $\vwqW`\0JJ(_`&"z49*. 
+ɣ[F_ fSsSc+<)KSLY$b'qQ4I Df?r~=/mw7-]Dt1 bbDtm Y%nCHBCcvaŽ+sAKy%ژ" ԣbV[Q[z2M&N"U50>QUۡva:;B@t $t1|*cXGP5IL8Uy'Y)ut>Pz.\>p*0|f>|Y%J >LRxV&C@Vj"V/ \X*CgiTRGs9 >hӳCd*O&0=?z>>$PgZ߯7f+Z*L{ؾke{7sUSft #C놴߶c (z"9:Nr$NPx'Tx3iϘe^M'7 cL(u'V8\wZ\w92H%jOyb GzҴ4f> S!K/_zCIiW!;n!54!B%;uUSma;W?` 8_%q*9JG쿢i =1zχ{RāΆ W.q^SuB (\zT(g '|5L<q6NJN*&Г 1+jjzmѴ&Ν>9=iNg&:uU[LU&Ppr{(l!u+Vʚ>+wsζ|>DD/_'tOa?k80tPZ }֢EǼ;7-hubo"toА~R 5;0D*)\jIoݲJ#9shIjoj-Y\# bmbrdĩ=#=!t_PvqJ_0jkUZHFB][v@wL}v*Q3sp :({F*gK8bYg964thi[)CB$#(ßiDOU?j Fq7@ePb3qPi!ª?|aA0U_'zC~Za; Q1{Z8#C@@2q@hZdWz}zW3TVD 6δ4[?jH|ٔ/&CJ739='+thK8sY bij7-y;H7K'9~dv`Zr׏2GpAR;-r\ ~].# ډ[`[)xg \2IAv-R*&*8y.7T҆@Xdq ?h 7y=ݫ[jH*6Vvv|$$_^0t"nC Kppp̄&ŶeH\$ϽVN~ \ɱ!qIa#a O]6!Qq-ρI*/T&Gω#>MĠ{n"I18i_w09n/A;ir}r]30 TmaO*yxR:K}x)h+pD{^LRo9X{P}aeZ0b _EO=шY]nk??\y*ɦkeV2R0&31)%0=Nt{~KtDK G۶ NnJhM2/ɤIpnm_rіڽ `)%<=2t˃^-FNпç1be,@$&aMzH$^wp3!#O IDAq(2A@`fB{)V} inx;|mO=tXf~fKkKۛ/:|u9Xa&$TG16wF04[׼%{6Y4uQēl/.0hOO6Z} 2C95iXC`|6bO>`5N%hޮWyTͼG$F"*BnTJXЅk>0 %A`̩0 0)%*e䘑Vӫ]r7{͚jA.tDENS_-҃yR0C! f>dD )B 0!$&`H!;#7aRd<CP̋"[{KHEi "˹1Ce@Ցh:0S뼼޽{))qUsIi5]+΋$/ҜsFF`]wm)B%᭰ ECsDCekƺFD3nWӍi]87,\P=wvHSk* /Q#90Έ۱i)8Ӯ c}qlμ,3;ȈU/,}A0y4&Q 9$ɂ@[He˨.zTp)vKtꪶV! 
u /GN>&\cĥ,A\kRۥs-*>@=# ٷc߸{SqZq܆ CU|F %O hXIZksS'MM"|>Uw Ss6GU W OjAwa SSdA^>EhBk5^?w kࠁ|ךmGjޒ 'ԜT|ڽr1㏩zE򣏕W>qJ"93qe!jծ[fNYAH}CGz!:o֢b8;6Xr@tg@O*"9ctLZK@J5fUGTvß^jڽZOF Tn\.Z#| s_>BUsyAp[L[ɋ޷?Ʋ9wf^WMjI*;~x{(=614t}cvTIEBYCzU{|BWB]$5ioӨ5!Q)O|xdʘ֫1E/ziWz}ze> 21;h%֒y+ac+k2H-/ZVM^M_˵|a 3~7{R[dkh@[[dqRĉVkW_ǧij΋'0 Ckr363C@M|p>,LW`=WYkd2e0|ov^FG`Tc'fҫo !8׫֠'mSy.Tkr` oW+퀒?IK8yMFPQ2XR^Kvl*)7;eZR7v!G@p[*9'vdxί x?W0 ` 2RZ\ZWɉRI/@~(ykMZhqzjS:Q6cJ7FGI07_;"jTE,;ukW VCԕ"q¥% KPv br oAɶ ZXmȘTN q7.*8%ɷpwKlpl1-nV]a y0S&( xFKCA!~Q~A~9{ϷWqE:gsߜ+;PVv^6Smm r Ľ'.'QI[ I]O.tx$nW[_qу6o$W^_zjFu*SxbJ7a :\:/DGnQy)bhrXWpI8Uc.:q]yY}ȉ'zz&P'm-&qQ~@_.k˸0n1= S?#a(-ϟdɊ9grJEſwt^]|#EsmϷ]Gʒ,AH,^z=" Rs,ib"8ik9l|EüP]wΖ~oS&x񨑧#aAe"5 :":/v =xnǭ #hIDATF7}F.ǘ WoXS1Z=8in@W4g!y[H gpɾA5 g wv$L5(dō1^)W̋&q~aZe©%BRuWC$mERUӎS`mhNZ2ZM(& X )1]l^ÃxlS Sa?[Ǝ (z@ :/R.0SLI$NƩTY6]չ/\?l)(-+@f_?I[;Ho-}1$dp鋧/LzS?]8axcff9sf^ݰ0 AOw}hc4_})E1%_1( >z735IO) dNdI\"3CVqc8d v3!L_8wPd=E@IiEy]*Y_R ɞX",9 ࡃ Jw6;c6Jeg^#¹nxfv$ʳeex %͇V2bJA(R*RYV(C`c7y1Xm#7s(5piċ-j76EXV 5# SJ }4hZߺ!o` z*j6n&MlcR RIJhz&!Z;_p*i>\ ;PX~R!G<0cCPɫ`Vmx#BNZQVM:Ր&Vp _~8Һ9l'㚌MU܂%?0`ˀ;a<-!@GSAd9hc7-{ҽrFVE)-Lei܅∄[ZR}pxY!hQۋIZh148e@u*Ax.)ѯMt[ąy/[6oķg۞K?^"QpIp-fε6#mAJJVu 3@WH7(@oi gu˳RJ%":u{VzŦа@Q&6# 窸Q+k-4/j@ 7(aVT{CLС ߥlDhcVWp֏kp-{p=8zya92)zצ]3f Ü?l-b `֩ ZOGK{3gݠ$@dIØBtvFCjUJ~6!CNDuLa(i>܇p#:6, C7P|h`i}FWa-sDy%?Zwc+7RzEy C@=?%IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/6.png000066400000000000000000000425311303637203600246750ustar00rootroot00000000000000PNG  IHDRb~iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx} tŹfjr-˫eΌ-.#KDe[2$;8,7@BaYC8, y6£Xf<Ѿ{zݯV%U93=_Wu׷;-oDHڐ #R(PV+YӡFR76T:I&&݋(T~b] Tle|4 rL{p;sAyp#pFo9/Pѯp;;(G`\Mf΢@(2 C6J${AqYGF` )#hfGm`"B4jj8rؙF).pNL΍krKl]d*޽ v6]Hbj ˥bAYmgGc~F:y>G#K87:mT$b ]5 H/֋츷 ~՘J FPZ5}Vmt"$35e ϱߺ):JpB j^j\!0ĹCdzz|uoު@-͍WFrc)J 茥v݌[ۂy"_n֣ckMS}|'^˪͚hWCf' +(4I%.1B#i4ʆG30-BĦJbM@ "`נ k>4Y[,4k166ϩr6,yh?E5hJn٠ eX<φJ@4Uf/I!0dỵz #0$܉dyS[vV׭5_9/6huaE.l=.kHFPn󺅄ݠcV?uUsl]ԾOvpbJog?7QzG 2>SԺJ^hi`(~j&?vS H,i+b#w_+ NZfxLL&QB2vU:)r [nbZĬx6S<9nkw0D5B vG`40NU}~ss㦍ӧQTEa!@㔂VSq|%rTZV0Z]T M,Khl_cW jpg̬~_hq<Xrku Smg9 kPA^rSdQb"+ *w|o֫'51.6ߩb(ҔmZ[drskaOs`=q\19$@Xk4&q7]A#R(<[si%<'_wدNWָTb7BW}ݲۻ3Z_𱝑9!O)P#cMئ5iAܑj^,zJ#I0C QS^)Af۞&2@uf|=-)~s]gi~Ku .|m?lZm*_0&j!N$ Bfm_{(a7͈ڼ#f66k+iCJV^Nܖ&sɲPfe4FhZFY(IP1*w#rsZjZQ$%F>n,$>GAX*/7zicƮx@eZTTT;ȲD$(b~*A-"LD ? 
F *0&EfO[huso -?rN cUL'GRuY CXP]e K*ͯ}V1k:B 7Өi]D mĮw71iXań iޱyƶ>l(O62"g?|GR\V~ 7apm*1- C/Upns4h`I,)V8\r[Q)]SN~k$JA-H>R7V%akI3mmքF6Ye| k%;i"WS"Bu3H]Sg)F/>Ce!jw†K>\ssm61D 1J"c< 1 y74eLL̜DIc7A6_ΘHs+o]h>4ԓ sOMzR5aAs5&0EyۼP\8rwwpW:MZn퍏c6d,VˑH氯tJijWݡ~g.v2R5Mt:2`RV\>0vJΌ&RYΪڰ8xf&RI޻~3 :}T.*Sg*l h%p.kJX܇G$E %?W^8ϭ⁃]r|#-M:e#j5kp8Y"0*.%Zί\*lZE0G#8EA=O뀛 a8ckp8a}GG`\TOy :G#0nqRPG#p{#?p?皷#8p=[Ь~֖bI+V]&77石J4G#@r?Ih~דXMXљsB*F%7dd In^HϹxgcڽٍWh!ݙ >fL,weNdf'4nla%K|>ڧqWz`Sމ|v*Ϛ5HjOc =24XǪ<RYl1]g~f%sG6@|hɒ d50cZe L\s?ǰC/_꫑iUݺ_ΩQv;ۍr0ǟ{k-[.)sOE7E20<&4@xr=Nuܲ4 tH VsjECOjX5_=!7Na=>H@!;,-Y׶f(sxsbka{q $X4 j͵v.NV̋<#x '3ќ)p&q J5֧5t8xß_l/o޶\J?~~gǔmoٸ= ߦ!`%v21gVUD81[w~f,mD= n|S[?xVa"imhF"y8'ݿm>֍lV ?wÆ)K[{o閽秞Vc] |*v =Znn}2@4.6A5+2{>k~? w/a#3E"l؍wb/NNĹȲ(3k=^»Zqh _r "ܴnKib$ omvwܙTIZ7] G8bnΜy{>o۷rAH7œtV1?cGhF"y8ʖXw';)y֟Q*]̞w_:%ÄELs]*l vMmZC.]mPyM?i~x{ #F )W]q硫w4~=.2-޹:~Mc^V)7FKprjpx4;,]q0,NŬ|tv;aBYl5#fiYq(q_ ]&UϼO>Q]skJ,pD T|S[`|Zo &>_?`b&7j8d=Yf+kUDLڍw̶ aZJND `ڧG6n8j]9VY1~le,Zi?r"a=4"k/=dk6ZgSꘄ5>SB5$9p~cSH4ErV{ bڸP<\>ލ(p;x-qLeoW$fUVl޼ oV a=Y֋<#x%0 ;kp#/NN[ F9fI.xƏԵذxZ*i<҉8[cōvdD3Fu ߈В֛n+ȧ-Ds5p+V7DIs]s=}mU1%㵮v_R.F6r$ˆLG;/^5o \=mt k#35keꥫ\KRce־ҕ/m~v;߯w̍uv79ُ=G6ĭ7-8i3i$%oFMv*71Hw3~Ć;wR/N[/X`@N߮ G;稧\j1 mJ g-_0(|:1NRyOFq ofщgE kb@qvj9Jq!o#mwkg7=v "ҋH)h87#p: c ԣ>3/kXl~I 6ՔLj`D߰R]a(Ug6MucdpG ޟz  eY/0‹S8KӺ||r{..GY84fYE{۸T1y".{ '-8 h~P%Z4{yb(G#C F<7(p8,%8G#HιiE9@p@^#@ھAq8(!ƹuskF#p@j#p8i!iŅ9@Vp >^#@[J{ cpc_X$@ 碤}s))G#8Cn 7p2D Bۈ03'V1, h$'E2j-q6)[nˉ#BڧƜ,AHP_5CjV녅,'2aeO![ ޻JrʦsYq5l&K<|삌NP:UsYA 9XA`=k+7Œ4b.wWp-ÒXiq_;ͭMMVeMjZth IvOqcyd1OR1ob&簢ic]Z_@A-Es(.mBw;K1h TVlpVk_o_g# oODm"{z0n<>".l΃읿A+i{7p$oGTy|5HBAW?좕]!W QV %.VflEJ`Ss:_gxsYzG8LH¹֐B.cX9~PIF*L-Sұnڴ azb%!Jbw:}g,NmLVV5b<^k9 1!B }r`trn=1X4j_Vb"{  wp.2WvӐL2BEFXG1p.vS^~"\V*t*Z[/aZA*zubcni2m@CV̀ٹμ6$}'| uMMb!MF؏x)cD{sGhxF fR`H&6 P5 ?splk7D},1,6浞ˠ(3MDk4<&Du3|+ $Vgc4vMAң 1/q't۲~;wꙓP3ưf%ƤZ4$*q8!Қ@dba:(D'WE,#ʆO:[EU]_ s ҩ-K縤 Cpn ,(}&.հ(rfc&FO$kZ3gT9sբ̩<Ŷ;Xq8 `!dw^84*Q.˲J{IMe`HҨLܬaAg8apW$"_g@6G _A 脮gRvMv62Bg]cAHH;6V1}zYZkd# 
ꗻDf*1GqQ~d3IDAT=)cmG#0Jd8ڄPQEzUet[+qʘתjXp*1^U"@ f< A2i,ڐ,dB V,˘F 䤏i9Fk# f" y$`=fgJҴ@ݕk#3Γ %h;h ͛m8 j5"sC:ԃ?)6q7I87y Dʫ= ID WVDjyb7]̱%Z@iM[OT!󛤡1F|W…{eA@'Kë5v)!CA) h1P' O^Hױ.f/\||yRĀ("Y-P~I}gpe'Zwá)8WSKhDhQUJ]3HNq8C$!Cf-[eңm-" ; fj AO-o7ݍ LB}E*dҭ t+=ة"fi0\G(Hӯ˰X71nF(Y4cvCDֈ%(rQhNc\_@H.靺SY]"3$t s 6)JNpwt29UӅsI87iH{^~xX_g0偸0K'oa"<]zIKl<_wOs()(3͸*(shucΎMYi0/sJЯ[Ņx,"Cnr"!kv5ZP=`>E9 BtER4Y l_KEDB d"-#RB^<]>6A\\#p!sѠ0DX*-wv=^ t/ jwt18E5lӣYG:pgmxm7vyZPt6X{ Xds1}BO0W4% S*E: f\1#+(`^n+μnQԤ=Y UH~ ֿWT"^*tBI`ȬqnzPUJV}z<$pptCti8&Ř pb#s"{hXZ회 mjG~V){~L bB.=AsHea_aӀ\fp $^пuE) nUQZȨRE%K#xNgV݅v-5 p:\[3nmpirWP?+ }`'UHF]VG>bluK"_ Ð=JL8C 2h7m;iIkr@#.I{:5WXa@66SʘHc>i(&x 37 c%JV ӈ}PJHC\U4hwEpuvmY"^{skԴ~X%Krd{_x>Ϲ(7"/xgv!ymbZ#g5i'9k"jQ";y*UJ/̨9YH! FrӅ$FA6.5 ^cCq_*F`^xe:Sx o!!W0ObZ.epw| 2E¿dcOC0b wrZz.}vpq[;(N.ހ`Pf#HT97 q!@};qJm_ynuځ*f}6@}:FTk갩JyX;Go2.Vxt)j{PhCk%/X5Eݵ6N!3ޅ&lxis  /z|3Q\Z:Mf_䖝T0!Y8G#$Ҽ("}~JZO XZɖpq#ISYMCp`>A0xLL (EQ1ڭѿGsx+rL Zچ*y{6%u]6ŷvUh3$tl,ra+軨T;zb6  jz 52qPbT~A 7Lօ?fXgMvmX  %A_ # ]Qi*W8H¹h`b132JlN EE΢=AP,KjyJjlo@Se C\#p"H 2Dw9xE U>Fj65~g#p"Flm!7#<p=y#8-kq--p8'0έ[s,5s80zwž-p8'=!J9qqzy9>IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/7.png000066400000000000000000001165041303637203600247000ustar00rootroot00000000000000PNG  IHDRaiCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx |T>vS`eA@+,"](7+ Z+b[.T(JAW(*A@@*ŶZ:Rn{2gI3I&ә0}{s$osrQ(9rYGPFp E" '˥LE"@6 FC(j#9@!@m:4"@kЍ"@|]?qJ;۽K8JXE'PLJRrl֬zsra&VQHX#DT"PVMY1!J Acߨ"*@*[UɄ[R"sYJ&QXXaʡh q&/*]̭Y8A,’Ic ]aPqIʡhPgXuN.uBZ, @$IR"GRJ ahP4:xV&L*Nɏ%rx?8) k?w>/ 0ԱI DѠhd۰}+,6+v\\Hi۶̚8n L"F0Ijk*c)@A ޙ Fam ;C,8/SAƑ$eŒj_#@ A  bd@+dIb~Xഺ+ nQPj2|Ze/uʉI*a)-V2()%%EOXxo6(p" 6x%ԏ=dJS5]^ ($Yt>#DT"ШcF}i)6#DT"Ш6Q~yG4jhԇv"j#-]ޓ 1bUF`e(-|2nFiGgFlQ޻'(YԠY R,%Ps?"u'k sWd`n\?ݑOwB2}+*zK@GD%/(l+g10̍߀1?15V^qwI]Sʕv izY`wFh8Ԣ'ᝍ`;EZv~jᮮ!1a%r鈽cex` l; ~i]<41Yᑡ}}ܬ%"r%U2%24I~yɊ\%c30ǿ3m~?*T:=FTR3i?)+S2V,ܞ42MM3Ey̽a峎M\>#bpo9Y_Z7e}SWBQl ʝ̅  jHJj_+;/563TXSچDX X YSk*|ogk6GZz7 ftܡ̰į_ڴ |΂?Zg?@jaXP]m|DxW!+﫼-ýQݵ@A9%(#~><ۻʛ/7o}ΌŒ 45dzq\!;eh:0((e.1'r-=q25aC c+~VAx;%L@9k݈[7WS葋S$A,OY>nHR$yErAQ!UzF>5S,0 !CbnU8s)"/ Y]`b>Rzg<0۳>uxTvʆ+PfO'z3cZ'l[%[־_[wa3]bQwՈ&Lӛ&f%Đ0$3&))C'?f){R=4Kmmm O2NAoǦ{7s Gpng ?2 5UO.QK= #$IF}0 3mcwkanpAQx 㸼e J[gO?71aЁ/Í_IJdOw UY@Ml@:.<]sX좥\X3ZJ׏fb昝yEysdݴ \0<^E!Xt w5hMϨLH $}22A}Ur("аs/7okv&B˵VAĥRjGhPw|9 װ͡)Wqx{HÆ Td4Dꙍp5"Q`&/E1"h1oweA=%V\a1siq(Mf«>YdVPC,iyÁN6@"PuLۿ׿={{ 
>U/kn˖-oܸQ*},^ziFF`JH}JrZ>Y8{ҧfa` DmTl#EWgRA*db"_Y~E޲삿g#zv[$_W^u߷p)My޺YA[. @.p86Z`&*BќV ao:޾vm&Z쭕F՟##z=~U p4 pٯ7۞E_/!369tҥ t+'N|Ky3 K~*;w#_~zSAXE7g7MJP aV[jL0> fU[+ I~Dӗo |ǻ٫3{.vR{|vZnݝ ˏ50o+Wڴl>lNBƒ 50(o/Sp\xw$z}{ҹ MKqIh" FRX\檾v򗙏kԍ&π֘wlWc{$Q+l68E,V~Cm۾]+K^9y/)Ʒ6~AT;v@ ޗ@RqR4"@w3jάzc#$ g^mJ6ք 36DJQPȇ>:B{B%)l &$/Nvxw[VL`"v.Ab:4Q*.E4A*630[ixW6_O?eU꫽9#ܴhE s108{lD :n+xV/-4Q*.E@| zmLô|໫޲|JC_=?YO+l}{=Oq&&(fEd䚛nqqCZ7cИџ*Hϱ0lN={%jB#j(MhHFXRuմhޤU۸#r_s]x`+J0Q#?Vz8)ZOm7,xs֎U~WsI6YD&)nUëZ'L;ɨ$քS0бs_Rwʰ̞{>eܩoq7+6 W.j#D`Pa"#G `]t K9B&Mn˜T2VPZ0FI 7~]&#|wzSaV ogܰr7UN';9lN>^Zxl>6<|qoP4"P54.X VsLF6ܶ@bRG'/>v[k}ne2賭E5r&5W }{oBLFHC٧O0a1 !LV|dݓ2ښ)b?1yZ8pfyIWl;b䮙r( ֏0"~hdFG` f%aTs1mߟd=Xؙc &=cnim}5g`?sasc!ʂOuZv]@cnۨ9pÕ2j ܍ګ1l#F/zl۴?[ [mdqKE fbƼw7 {B'y3XiCo#vG/[w+wl(aӐrfaN^'lgCn~M|?W/Tu{QDko`Y8S=|L(o@֢<-f{D󿷭pvj=Dmʿfȫ̿>Š+WA9#53IšNġj;퉃wT-zj{ ~w_\%Sw.@W^J KGP"`AZݛ()K  ?Ÿ⣡C&4p줣翰gq QG> Nj#ŜKY۷20A6+?kaOfAiAz3ᚏ{26^]d[w%!?|ԏAG3!d 'B3ܥ|ѣVh=G_@}A@̄R/s rk"!׎Xa f0#e (>)FCU͔F0ijT"bѐ,[AೃXRfnO( k2 4d@6q `)d:L>I@UWmn5TY  0ǎWTE@oZ]3O0Jwáj#YCgiQ'vᄃp32kXu&?+;7ӖjBR«fLѧvHz,Y3Z60X@DmGgG?:I0um" L=x?›ֽl;'>p Kζw7qCOFpYzowmx4xI,k̪>SY1}ڌq(6q%D7 2Q#~Egǣ-FI0?{𡲟`>!6dlŽY{O;j 2z-p2GGKJJ[ަ'G@_xŽPnA7K &X$o,8sA@LxniIcvg0f}F̟cf'[ق6 Jom AVh#٢y <&3[lӒ-[i. {y0]\O):jRA| d䍢Lܸq_Z࿽c~[s[ ER&) @#tsܔ 7܎}H&LJp&eeԆ2.7z\70\_pB9b+_YlvV&f9!4$vB,tL::<1~[kV $R';n7g"JP#@mv#>tkduY<qre0U])tX7մ_> ~QEPj%S: q}c^ .7>7Cf#yT<4" 2^ T"6te(5,RT" ;?+.y#[D(AH5NL Id6"|X8vI䜦֚G~\(`-aYM$2. {\Ύ/\=fwr*$ R&E"@Fn&bcJC63/~ĭ Gc3,cp-`MPh%?q`x%1A/ {_3̂ j+g܅Y }?$-#soJdP&1b<Ar&jO0! ۇ_(UB3, IDATR1MBxmBC03,khD>"ﳼg{6*,r̃crv֕cP. 
#{S֘b"D:Em{N[Õ`0(rȿ3xd__?-jfd*[:mi|b+iN}HlMz df_fYv]:33gI/%( ^\R +3 8iXMlwYkgo'EXK̳fyyъj5FŊoۘ%yvHۑfj8%nP܌W&׉rKhh:sCMq)WkA3eZ`AL8afxvlɛeCY+fy^p}dߑfT C +R'D(H<1BF GZg<ۜm~_z덌‹`Z»/۸ 4&&}{AmƁ jPj&E)&%y#$v`͡3[11rU|nS_\&Ŕd5Gg,ܔ9)B @FN1Q(G=CorGŜ&Lp?0Mo5 `*'!po;J,q?5y]Vtm:ѤGMt厝;.yg!azagn]oөc|B<_Ehx B{r }z0<`CG bE; DŽ-o hr`wς B.8,>xwZt̿ 8 7.+ؐ?k*;~m4eR(!ɏ5 [^a-dX63 nݴ,E"PԺ =Ӯȡ>i[ ud^c6TyH+4`LGߚtpр(ڵ@G44h( m/1١ݥ5HwasUilI85M5E]Fhae@&b8&V"nIP;uh;vVcOKcD.jbRYIyۺ6yi)&9[>uϥu0v2\IJ)%8)5+ߘ<?j8Bj_XmV?ɾ|2ZD 1-bH,٘Ԍs&&&MwRM)@urve=y&k3d"5Gelݎkۅ d'Qj)5FUM6•D^%:xuxO 8UU/xޓ#',I057aq|".(uv8:I/φTF#~x(cJ;!l|!IBR--l8kQN!W_|Ecq M  a$ 7ZT )QOh&Bte-~ܙRs#"(u=YfbHVe-0+ jŖ_c21SJ͘ >`*+wbv#l."YƀWZTU+ݺutRDtDn{sX,H wD@k{W 신MLHO]\%nTJ.~m'lx}&X%.?yZr*}w3aaK[&FjѼțl^ɪA69tʵ8P =<4kƞRw}wVN\~!4Nd9Sra#ܫȴj|¶j;T("P]sÇ)} IO\0l)i3r &K^OX-mF?( A$\,(?Mj6BtPW'78T ^vs 0Q(m#4 9m#vVF6B8TxZmXŇVQjz"x=gFġVm6"PnۈgΞN o|/q$&ց񁠴η8j/m Ĉ#ƾTl}C%5CֽC9KQԺ K-8T f8T$c`Uxjfj轡 gS| Nd~w^#8? %lg)S+4U5o}&!9R3;}G??JZsWfblIcgg_nױu+.թ4K'ޥriPA+aT"%ۧR2ƣ>}t @ ;Bfhԣ8T5nܨG_Eqɐ8TՖsL%\Qvp7q(ǥơGdVy ,|M>酼 &풵ϜRq2-R70Z1}xy5n|CکؼK2UU9|{4*q]ǡkSecEhݾ޼zsޑ}M[60?py)}'#-L[zj Rޓ#YR#0EZKq.h*#=KJA(qd;C% e5Jh*NPBJ8T2PVcEơjG"P?mٵj@k""@PDYɛzǘG乾UJs(5CTs'—j<E@9j|k,3t_TcPEYՊ_A_[_ETrmWL~ʹ㫮V=WmW"{'q +zu =lkcu42cX S$OZB$1>cziJ +d3H Xl\JI[rz]o9umeJ  اSӐ?eI/7#j}-IVVPa/VZQᓑ|;C6(5Fgo-m!8@Zwߡ~>Ȫ T #`Z4ڭXl3-3d:7'/`͂8LRIM7xJ x?B! VCUC vIG;Vl,HDƇ/.Yw$ؐ" N)SsX@HJkXG'D! zq>M1nq&C"CdGv|D+˝lAFkeş+(W2|SVqFEAV3 [a 9aBH~{8&ۢg 5mFNZ:w]5UbyԊ R!G=m)z JW #.)ZW|5|X+&R+.Hz}'džmܰ9 WAh`R·Y; Q~Cux~4wgJ`dgOs^ u${9N(e!:9zۈ^Fxr.늀ζ@oJҾ~?WjR|q +!~f»4B UUe+$Iro@ Eׯ\#QLh0h94-6s}̄J +{Nք(rTFPήS26bޤyrZD*Ez51Nl}׆۞ N-+)ڈ+1&*,*9!^ JwdypLTXԨg /:gsSM-MA )4D,L=}aX|x4 Y޳=3C.g!RS:FZ/bXjy) qW_`~VW(,-ߚ72?̾Ͳu'~#~3fdy(zyI_9qy§׭Yga/^JkOӖ';ק%e5+/+H\3MR6BW?V4Y7,7,Ets8U')L+Auw3BRZz}GXLU`&o 1 ZKRsKji-olِxq֊Y}4H 4ӏPCAZX48ҳ"ڱpۻfȀ ۭ[K.Ech߭4hkna)+RdA٦ nUDfCn×m\,LL,ҽUM&Q'k:uqVe~:#N='2;2.>J$iF>72eN bڒiѼ嚅*yZ vC"LAҐ$ ~_]vLh-HZ+9p^+tĠacʅl3M `VjН^51oG2b: غ2FHx&f6:'8J&2 iKcK JJǏ>! 
@NܬQ}6x`$I#63g k;nƸCYѨG&$]|cKY(9\cT(Db{D@L1)*T-##>*Aq:tjk oVh-`/xfAYYCkE pqW=ʯ0w)?֨P=h,~zjQQE= ozGH&~[mYV2)]aPKaԏBƈ@hhXh;Oԏh'3EwP?+)G\ܴȡy "cQ=}c!UKz6Q^eng_}3!6/ť3/56\ k*WuRzJ"2g~OVיԫl+!.mʿx#57es\WĴg^uk@}nK;kxժ~2g^6B=ٽp|׫ls)kؽ!,u&"})˗>VQ AR_ډ7<0F{cd*.ӒRn!lnq3aԄTd-d h#6qE*szdq|}W{ْR{-;YKOLz&7s Z^A>g{g!Bo}{J^fĺiSCnRRnٻ*8a2/ٙG3!3kւ=,6IFxuO/j//T\!lfl6 2 ={?/" w? Ņ$._H &,nGޔ5恘6|@F˂J,hhH$b1on e11:Fa 5,:~2:r&$% v$Xu,zPě`Lw^q^uã/zUX +&VL-{޲31Ue7=D:+_R"IcL}>1ulJP3srQ d$ %! Q%/݂{Zb]z\{c>I?3xg;Mc~/EJF;{[?F$S#m\:,ߓ:Rs/zQ66e0,8î݈84By,-4b͝|qHB^I*2UBA IVJ-  1v.dvo="t6ll:ӑG-Kk{T11]hwaYNYzuOI͘K*Vo4Gjc&\ 97Aw* $rHФܐ!J`yXA?!dU[D@K-qD& /Ǡ"ЭN^=󥙒6LXYяnݶu !gO77y])q#GSV ➬ԛ}U7'kgy[ Y)¥\!QҤ9^ *" "bhHݪ.g' 6.Îu;毘Ow}^h*Lc"W.)#hƄeZ8fѪ̕B%0ńFd<Te',!O#T@: \x;>ݽր" IDATEgH(Ψ1P%eA /! b pɑR4$I%qY1wKB,χ{"Yee͚ٙ]lbb0w$o>48kS֚kR?Hw7B EQ+dIz_璦{ԧLc6BF=)~/b P\lbtJ!}7aJ̔{ e-h6242!&_B QHC8qqALA^L RϾ=w+CdҴ$T"$ԒpƋiڻnaگǸ[ z~ u\ʼ1S8:)@h㢻E^jfs 6/ c}aŽH-zVh@}BT,i*%?ݡL\ĤX;w;=J6u4<c& q`#0g#|[0-ҩtɉKěxn7hH p#0WF|&HTѧ[L KʏzROV5MUXG#z*|i!tT)!*gX÷~Cj[T,<_p?RuU{K(", VQNY(@!cew\9K a+øjy) qW_`~1 VVm>eSIy p[K-O?t%7mw鯥ƔɞKҜc }R]!1Wf!0 WnݕQULi;H)SxeDL . 2z0sbJ;dhZX sSJ:@ai!% K~th?$ F617:X耴A[]y=I`/\ "pmҩl\&WAJOdk-olِxq֊Yx+R0X[ ӏ 1"m:aWb;vd2+zb,۸ ҿ/{zCJ<eRAwjU觓>";sR++{'**Tj1.Nʬ$'$# 3 Q t.IVT}UVn~ރ8!6sNct 68 bL,[|غq&A\& .͢m:uOp => Q^~J&ϕ4!;w\BI#P 5 #ؿ J璤_O=Z׆;Ϋzְjm9,(++[{hD&)mk!9N^/kz+8]*8i"Y5(\*?u!؀˕W 9Kd"K^5Vbɶl˞`LUY* MQWpPOM3i 'ul+P33g墸R#A3fdy(zy˅"!+۠l&AFJp˲X׿ &z3I|Wyڢiޯ *vy[p&L~˸e?5v0Ӓ9Q<@HDog Aw*Y*d`y$HVCnȐ`y`AJ"/v?1էnu/͔U3aYg#G?2u--U=yvnuBĹJt7IX`8C$Sf.6zؑkG@RI,_=K0/ɲ)ӗzIY_q~oyAhO] b 8 SU0IL[<{#+p%& 2bBXI3v>i \__ aǺW'\~~BSadA6rIID3&,/r5V%gD*M~`r2w_'+GDuتEGGx zs"t,4zx+i^Iwu`&l7li \ tp /! 
b pɑR͛X̜6ZB,X_$+"2";3YS6sm !@RL۸|ㄿO ڔf lI);tP%9m0Эk>"}+B):hҗԛ|̆SO"nV4gSjk?s SbS(0m!F 1 aBBjƉ bbz퉸[Q"%!%q< ~ ΨGG藐;R楌љ/hZ;n{6jnHKml߱D# T d6-?yIHN$篙*TthNZfBpĪJs4%_iXP&e~bROz |;=J6u4Lǡ"kߤ{Vo\']r"jǛxn7hH 4g/HS-s_G=B'*Q}x_C%1ʧ胀c }zEkP<# kx^,4D, h>QDƳ~ o|ʜn$fO\/$|NO t(\-{{ bD@=; 3q $awI\D^{U٭2E_9KwxOn쑀1_ ,-ߧb# s|zw("P9K} au  ,섉H0xU^'*Q/L]X-_r/J])Id-|,ޓyR*&QVB@+uDak=/$]Ռ8ۇB,C@ӏ 1ݱ m:aG"FKAA)Jt@@+j'IUd-%R0>"}P<=59K]#jz΍;*pIt9ɕٽvpI*k@P)>hMҐT Ge#k)" 41>U$4d-d4gYHk- yȽ3Ŝ!?&"[0kjj`C IJzAe`ewZRVyC~tJ+t%>p * |@YKO"!ˆ1{Γ,/O{,850i{N~i_GpީC5샫ZEE[nAj3 Z+IWgEҶ6+V_,~YW~ꕫEEE-P#@yAvT"@ 4RP? *ʠPDm#WݴL^0mGǏ?N?-@f2d92g,ۍ3}׫Fg  +&VL-{޲31UeJD:+_C"I!3srAd5W:uD w/d5shR=ٽp|׋A)af!| v-G)/'y,z5rW'19g0'>9_j]o!z܄ѺP1vdvo="s6llB zy+IZc:F$ID1;@2ET/R ďPzAgJMdeLD%9r&=f+5jȪUCnP 3)PKBĄIh!Bۅ@W^W|ilϞ<;7nndˤkso{Z;M~ Ho.EƽWmdIؗzIY_qY O[V Aъ,>`1O"*S?}&7#׎(]|B9U4KB-<4Iy*Ih!a4M;@XC^C$¤F ClKɛHgZ߭[K.\I)"_9K>HS/\v|cu( }׺]04WJ$$ĠKF=J%waQVV(͚]7X2-O~QPv"n[cf Uw V걑C7\#g ^Ąxneҗԛ|̆?QȨ'ehElӐQgSjk?AMҳO,Jy/!($ġv` Q /K!A-!B$ҨGmK:.e^ʘ uK.]@ᅎ}&~7 j}ݵwwk!8hA)I% aSq@:0w2A,s-?zc}x7wܝ_(Yp#w>"f|jƘ9==R qY:!Ft\zԓ.91(ӾA#r(I?9Q6ByS-s_G=2Փ$VaFͻ!u%%OPG@⟪YJ>Soh(!v!zҽkJ Ov\h<@;$=A@eΒshK(ugI"@gGĩH{äo b9 %bUUeʔreR\$2)~Asf<1b>X[OF@dI (%zlsi\}SIKS<#4g@8lRv|@'*'LW|8H0h#\+~|22qY"*^ ޑ=}͢:uL0!rk(:<$o@#H_ S>Sc'Hr.((,ƢA_z/&'PJ8CNz_k, Dhr SÞ kr*iK[nXA 5}o.d~PTiiRxe:ɱG &xbM,t"ڽoF.ahD@JRf:(۸o鑏Gt$vt@O?T\\s# / 1WfC¹a[webTq mG 2%qJܠ8NF'!2g|BEipd H_iבuBRS+mqZ2Qjg?Yoe$޳FG0܈QQG 2cOR"d! 4uwZ}Eᛕ1V E˦.C`I"ISi2@P%D y1L2sLٵӏ 1݁&m:1 !ۙELwY)]m3dCI%<h͢Uə+x*JjĴ5|&$-x3Y66Jʜ~D Qwj0\ŹJD(|ȨD%! 9)p8qqs֖$hrbn!J%"^d @"}%N,XKFZ8y>=&-NͺxЛ2>_g1C~sMl a_/Ae`FHx&,tOjۤC#0AE_Cyώ IDATD.!nD!8Z 5+s___!gʨY8T2`N:a"$yVh-/xfAYYCk%24I7 q`#0g }`qY{_aRMG@eΒרѻzjQQQ bCfR?j{kX+Qm,Ev^ ׏](pGxtxrH2C 1(ǞШQY*C#<>S7F?nH ?:MiY8su:H.kЯS%zGχXlegMU1m{Kg ɒdk^]}i#Im{A^ʲAf)gyvm C]mX l E$Vxa#q3¢b N|yc46ƽjTAvq|r-yZrTGw di5eu_} vLϘrZ|}YvRz~Owwڗz-)ܲd^a.Ĥgr30_1 +nHܭ̣#nI|Lf h)CnRRnٻ*X5ZV'.~|OdN;QHHOLүWl]zZ+ 9Kɒ>^esa ˹fB.̌ldd:z*mVEc&qpImdBIq"IE V ZTڍQB H+&E*1WRd4~2/sؗ}=νp]g޽߽7쟳] +zH|$UoO?*ԉ#K3 xЇ0jT6),Iv4lM/-~`S@i! 
n9<[o‡XƝ&OnMwk@ u< j`\xPÉ;LݡR'h|]g5=lhi>_-8sYkHsg.xj㚱pƹStP5Kl<=Iץ!v شz^O\yT(z`>V]q}>hgONI׵+]a'tKuNY*T=vXZvɲjܟ,6)g&xO 0w F0>Rtl]&&ML&n|Wy UPS*)5Upc(;"(1cʒJѸ r*gitH.)x q{z V' V\ :"O~fEyGGzּC6/35.Zհ,pa e$K2D ޭ;Sfޭ%//h[U4'c wKZ''N\o>.a\{on"3]Ƹ \$RKkWo<_q01!:@u7(X)ʓ`}#\z&P$]WVA:;utF5*hjaQLAx/}w*$7,ID_y C ݄b2+aDZ0̓D0ޭy(1A6z1tk.zq$;Lgm&F'!߀~} /5O{/ΐ5R? l,V&>kɷLLUĐ!J8i,Z~f tN qli;K8; tFccF i弚هa36]fY$3DKRXXltgnޭ!s-:( -VMr?UH ऌNAP.:ikI{j61X GTf>*(SRSSTIL´%uljD|ŜMJ>x_':~x.:M/!d>nzK͝54ctnsv"No- FeE/#ũzRQz(]N|G_\i;huAs@g8kɲЛ Fn<ϽRF]]$"YC@ ŏUX~Κ@TV(2;%!Dpףq #zrWÝAźGKgbv'.O̚0 bWe㼄?U&q]c>W n;oAVaA4<,haTԿ.6UV_ZߜXm?6{џ7[ʧ?5|$#ɆF]Kxr)*<`PX5UFvsuK1}sIIszKs Ir%6i8(ʲ{{f;=1!? !C >ѡ)3E%O4ZΣ%/!&񀅄4]iБPKVGgx%q[&Ͳs}.50 ĕroxtvtkr%ŤY6*0ٛ׈C PN[8P.u bN˥%''cy*K,gXd4!K"N5 `_s Vw(D)CɑMBUaS?u֫6j#6vh@D@m͒#52s$h  VP{k^ öQkźt5]0a Ϛ5٫l#}ASS+2ghҍWu/ݶ䶃}33M5=H;CJܯk @A̴  YV[Z0(&hG?6=Voh4=o-m& Q.._('[>xd#d&$d;vE*5#{^{5f}ØbKD7rd7 bSNM"2|].CGgñ:&ղ`ܰ=PԔso8,ywa 1uڭ]JKr$˖ƒc(pkĤ]PCu١# {|_C(T#@WF_,6໚69ƚ%_P,~S h!+s.!Ð{pL4PJ7/sDg)j[ r"/kz.?C X"XCE0Aڎxnњ ު-,sCewPvf[uR,_д \.!)ZWEHHbIz8π%՝p0zWna'UyFi\_?vTaf2?ZtyE\J {b;\ˤpN|KW\i&eތsgΊQԉXqD kKT /譭Ea#r'! /[*5K>Ph6kmk{e_7 8B!Wʒ!wD1<*Y< O+\RH*VXh>V]q䱸O! /FT|ZQ}rSdӥ+.seq/Zɴh#j쌽,5c&*Ʊf3ʬ#\z\z..!\`eKG[_4uK$ٵmpezܔ'R3I[I;$X1)uwn j@䤤%[^T[jɉ W,$N]vV 9VZk$pY ЧƳyCGea}*s?Uj)ND˅n?J~R[Rd:YrgN\ Vhja^V\MtBjd`a} fb{XzwAÊ/*(R9rwE`_7=tnUu^T;n\CN;6ⷳj6{w@֊^mlb*2C22y!y/p5=:}taB0mw@2>C%Pڛ6$dc~?1'w`5bHnUyY%_Y"֎LnwcQGyzʦ>BxԳ=6n̳/|9v؎p'@=48ƄEE {0)--S8,+جYё*{ V(2L,I?5.p|v&fb{Xzh`DZ5 "M ,T~2n}nU,;l*=+lI:} N1Kl1[ Eb+//-Fޏ/C}rF @>] s?cጲbPb_cNm=&Y$@gϞ:b(""o/uDU\ Hɠm5KO{~Ce?q#F>`#Rٹa$ O 0Q:4KY=yI`v2%ksy,\s;G,#R?GxqRUmTX:qWx6KC5^Gp:Wfn#Џ}Gt=t6? 
;itw_wɼ=%.>BĥHU87׃ f(3 ,Tj93 ],KHMHa=NJoW|*K.oR$VF:47 ݆0Ӆs4T$AˀZmg ]ZB6_j8dМwq)JIrg#=OP5Bxӫn5^)&uy9y|("q*m| VC Ǥ>.hJ`r pAx y~`Ce!&S 3겖ˆxn@㉗/w'g8Cis0&C}m!B`!Wߡs@E xWҏl]: ~R5zs@q@@ xFy9 9fv,@@P˼}@@P˼}@@P˼}@@P˼}@@P˼}@@P˼}@@cF5oIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/8.png000066400000000000000000001302611303637203600246750ustar00rootroot00000000000000PNG  IHDRZk.̴iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx x\'3: ?A@@İ*^֫c%(bd1Ą` 1UAdeYd- &Ɛc |Igҳ$i:Nޞ>]U]_z: @<u@H " @DAD;_"@w?D@wD0G[x`opCG v+lGaLS 2fi;`P.lE\J8 .cqY2"@|oѝkIvO76$,X` c@ʈo#Pix*I1DiKX4K ;"wPXXYL ǀw؍&xQDt74V8. 
@4Qv4O5ׄ CPhP_8M 4@eDfZҠĆI|j EU1feNS*Mo%2 ~+1%Z]|2C4 cp/goD^76LOs`oپ3jfL͘ 5JfL`ːAhPK#L]| G#(\jPb ҸbK⹪-0HA@4 /A c)IPo\hP@ 03`_gAeD-;\owXl&zZ(#xL X<[)5sP=v`=)< B# Ì;4 J`:2"еIp([d8A;2"PBXyD@1(#utuc1hiˏG;2"P@wP/?V#@ʈ@FAXyD@1(#u5 ._^2Y#X+ݭkwq ѣƈPFڇ‚(Gv]]x"`~XA "ԑ DjF@:vPs ߳O߻&X"ErP\PwD eD kϮ#G+oz*#;wŵB;ZsNúv; k"U_j-˷/+ Pzx"!}4?'ʦܲvAyd`/L'[?p6NFw8_s.w#9aP9(yERGw{Cy`Ҩx7,zXlP`U3© m^ Pi4%I "PpFsm'?\=eIAHDk7'.nSI};ce/ ^3#Fվ}7 /i_oq}1aG(ɐ=^7v\nݠ_?؎$dtG8@A|Y_I n/9_Uﮆ[%JC~ &wp3uI%G*uz=8MKRHp_$%g(̔f~;!e Wka@W5898 "u|tkg?٢Y67jH߸taFw6^EpBp25';QpCm/c Vl'~Q 7St$:n<{m!i,Bfy^U[6-T?uMWxS7p͟״~PZ+'y"H@~UcV!roZ5 = xc_]$RN8V;a/cPZ\lŲ3ΐ?Iמ]'-{j$iIEZ-]ͩ$II9rtG~a"mQ\b%zU2"ecB`+ "\=N}`B'H*vA)P T* o;;Q*ucW O*I GS?ɯ$;p+W\axRhИG7n](q[Zܐa„6cܩMMj*n}˓?Jpn\n- 5kuG} ˚ҹzm/Si5nuя~`~'5vh>*es|^)x(Z(2Cݐy)h(h =8G:E} A'B@<q/> bJw$@8dP"V"eiJfM,ѷk_[H._o:2TU3ٳUi!jJ5a܄U 98op*ú9H!۞W5Iٓ{iNh@[=E;|]M&[z O@{4 u(M"(c7ӚG,B63=}E~0w挙// |fBzX4J oFJL0kхtpKH^ (=es#p:UZJ#ZXvAA((y9hw!D$y=_q! Rs\ ۏ)2DjeG%8-fڛع#ҵ;hߩ! /.h޴95jq̌LP2jIC_:y\zW4 #;䷂ $t?y y]I97!G}mTzBZ4 F@ѓ'DUM;f,,:y*KҔ#&3!bBתqq)+R:;Yyo)*./boյ;0kY:( N" ;%ȆR(1~d^xbSRZ}tvh7=)#y_H6#-Qt`Ku|Q$ Fh-e("k2IP@|Mxls{\rY цd*g(L=l!݅5,X7z5`젞0W¹]ǵFh/Ed{U@8 .js|crb7d50FbU)~q񷋋7 TR݇Y05C#˴Z,I 0tF匳߰[H)/A}`.C.7`6#M! 8J`|ԀF%ѝL<4"Ppu,}pmݼJy0SDY˲2z3w`Y J<D. }lZN <5k:"BWA_@݁/\,";ˀ@|;]W_(@܇钷 7 tL=o >rv<=f Lw %AYro_rAre.=;W]t=4TfB1ߛ$L+?] )= }btDxTt,%_._Kcl¸1[Ewe_Э3ڊ*|]I-݁Jc,D6#P"b> ]#Ȇ 1"*Z}jX.D'ч;d*@$+I,9AH@ "urss„jK_>9s1B"k?DL=s+fQhXn]}0W{]~4ކlhy ]$# "uǾ3_TzZzcM_~_ЫYZJ #[7o8uH G֤0% "X~jRc()VM_^={e~iF[ll"޿{ޜXuC54 b{1f47&}ʂ̃0 @CuU_ggsk7+ ΂7ߊ U(UzD02fDM@(/n\'SCM#6 XhH6>.IgD\, }xԻQiuґk`6΂5kiDaq ;*qɢb-h -Jd$xA"Oa&s@g$,k`Mi&3&b݊ I1Sg'GKD!I$=u`A͊eU2ri?u,%K bRN f(b9qNQD@ 6U 6_tc1]urD[I9DO|u@ӦBFl!PXXj|E ^n\cWPukԩ+}=aGm}@s/v\74!: o*$%Nć܁X(#5(1 }; f"AL*@͂tG@&D#0fzqsU%U_Dt"#H |ڊ q:v%?R % naf͹j0gk: qC"Pɯl h=xQsX%ɲ6@0 ~IN6]T"ch!B\;A/Pr [VRB@bAD_?0P8@!h YO?8hTf 7c%;Tϵ?2ELp}֭BOxNuk7T0 D8N}Lod ݁_;1wXbǚ Dj? 
A6 4S6>` N eo M;g^dr)7yt~@r-ZF2/ԸϗO=b(M^eǦi$[7_a}VO[Hk5I_]`0?8T%Yf׾]bztLj@`qix*߃ X΂h|RfpϺߝ G||K志ÝTXn۹S+WQw'*))Ƈ ,l! Yf_a1 ;%ΣZ:/UK(_R1ͼ9@y0i4_jgwfF:D0y?f =o6Ȼ 3f1&G#1qtM !z޷4Q6l2hԴ5jt_[T>je.}%D@Iz۳AK,XZ\J=Bii)|8 |Jwv7ff`\$š_<٨MwDFxJ9S'O51H4ѣ7iܖX0D@ ǎOLH~)389jبEK-^uӠ)SJSƣO .e$kҾMw(Y4r#psf},m)C6]_ZSs , >4p _w M2}JOFEFI_ Ŋ3&bk2X(b m:]w%Lf ge E@,eoPHv@g<~{<|PhfAX,2>),|0ʴQi49"s2#L8a1Ʒ3q/mK[[L#!Ev.Ky:rK^BE|߃6')2NX6Dp5\(-V; 2-H:KoG݁]ӛf,("' %U>UՒwmUy`:"ރ;WX0ȋFqd1È"ȷl7,w~2YfiLqeq2bDD8u# ԓs?^ׯ}#lG!AD(rq.\AѽŵC˅8U{cAPuEgAe#C֧+s৐'C^{zv@ 53(r ̔,Δdevn|zQX,"4kךs7-[sWJ""1X ^w?W J-'ڠR '}dh#k S%^t}ϼG X$%;-~qQaS3B[=j9 k`Ĵt.H/LaBʸ!7 0{r0|ב6w0>ߩ}Ϯ f_˥6Y~{{Sskl Kf͠u)ɺw~=geƶZo_@,C@iVtzޫ~bHu20:-8fakw]x?ܰQFMzRxK/7iTdc{tb>NQN\ٝc/mA&,>uH'6n!PlGg!?} >A_Y!(O]p2,(0c+[o}ڢśLL" 2,y2{ *Q͘:4_Bͯy.CӴtԍ}d-eP ; nbQ|לGB2#Uh,eMmn|3gd M9p_m/k fO5ZHx3S,C@;pf* 2=xbc9y|f}}TvyR] |ϠP'8ܑ?rTjR"S|c-:KD548tx=?M6'/Zmz3o̕=(r~26"O2t hbܪl|#;2ej;3˜7 fc ӱJnF?uś:z?Ӝ/;;I^Rr<6X&Z/4~2Fve ,)n~QF %o_k{ntS:2/ߨ-egB pS33A#^w`X28uD@7l"JDgp7 @,@w` *; *J0FJsAB&a$*IEz EJq QF|S%Uěb, y>rF2?>i$D@)v [9ifpP;8iҀ'vPZ]Cxz@a@hV _عz$O $t۟9&JhYɱ3>KwJRVƿwx'J=r^mX;W7NgnuAcr {˹9Mw_x ٪%V$_.X- j{h߶}^ yZool,j<hRZk{u8ȡ(у|؀A?ph(T=c;S>Z a#:B\@7ܴ"!!c# 0 _PPv݁± F oޠ-TJmSJ^{o<ɩ޴jmw@g{vp[.C,">6`bW!q_p;P:`B5=׎6|+db8H du9k6 ,C1/6%.+;&{(lD9X%`Gݻ0(c x:`%tÚz61lzb iw`W@ "xd׶zDg;uPsRC@d$e[G%"m=/)_wQޣ{z2oFU߅`R"`BG[#B-+*{A/jC#iwcJ*!PU5\@R1ԱU$ A;P8vuF8@?xM vTِ M6v [|+i+~[6!`iF@ap$%7\ Oф9|[W[C6!BG&A#wxv{f9WֆqKjiwuh*qv!$f:f87VnV=m:dCrɯ:WϞ:q~u[R͞zk=SXz(mYR0asҜCXu!#O0\(]lH,!{Ȕ iؤf"Eb հ&,>'$6nI5 :)xց#LK{) _RtՄ+*<% .@=/dcC6p"3!1klHV-dCb@ h4 - iLv^;kGV)s4-Th"Z UgJC`Ҹ@qFB&XtAbCtf$Gb.3!.!M*\*-y=M;P8v`Q[@hv~c(5ž`C4k i3@ E 5)Q@;GrSa<W猽Gzy<ՍDLB#~< !8\G 4lHRD0}:5cw >ݳUMsOꖩBS5VEy >3h!YbE`̔H%w|hvuT{;xH <1ldِ$?8 )uo; HSv3/: zX2Ǯn?ȟ'j:84 ը\ ِ|t/v }4x4^6=S IE%iڀlFz #8L:S<ݻwue"P]qAQFw#iw͂#%,(op7/JJ~,35đGxOc=\{5of[^ PAx(lpsTi! 
"Oq |&2æx,jΧ5 ~2gaqtߊw )cE`݊U64GGFM6e =1tN;7\Rb 2SvQsf.Yο=#w NeDcݱY'NBLҸy#G#wOj-@pB۬u=8.5Ɋl*$|xgmشY>^kzhz>oJU}a4[$;#跢3I 2"P#|9 Fv6^&wo`>5g+S^M~7r#_ȁ8V׮f9s#\] rk_ˤ nlցZpM%ցNdHQ+ՄG: W2m;S.00PWV/jj&ppۆm{Ϟ:o=c}L-c4e$)QPxmxBenB;:hVI^ ;|UIVM(Y9Y:qsߝ8q}_1Y뢂Q=B!/̨A%I( <L < nټ:#Gqy1WzV1p"c/8u '|bX)`2ThXO~?vߥ+҈4{YC;4JJD"оmz (enB;EQi_}qg ±L%:S׃GЗjS?\&KJa ?+>a`6&G.? Z|N٤(#ƛV$Ov^cm{zup+@8S `ܟRlՃд{a+*L$Y_zɬK5kl|#;48>rO?saʈ 9:8hǾ1~qQVa3$HJ,v`bWIQnzWѯ#ۀDFzZޟiU U8$w/)EҢ $'a#6 IÈ@E`qBOMh] Gb|de do};CFmp-;.`EfB=0c D<JU9SK 6(,,v g%bÓ<܇,""#{(e7dC f%G3fC DרcϾ.D Ѓ-w= -._Mg!@uO^<~ 4:)~ڤ腉K_͆#~ZȆd +D3lH=+i6$X5^^y-=!QoLY8dOEq*Nc̶!O)Aِ α!)X5I_fp\pfBOUi) EoABLDϊJbx ɷg%< .b6$`L rZN:`&S`B[J#23+,e&2vf"̉݁ʣD!)h8JD6$'0FGAwg%"=m iHtkʎ Y.&& ڬDEC#DޜfC] "PPR!)&6Y?|b.\ vб`s\†T?_xaf0cMt"HUK 8_eJ_0fl)6T9\avxI,m _[3|>SwBpma+A}ď %wC 0y6͟xo 66w Z7lte_1`WzZH,u˓|&PG̜=fJ$uH2 @ru2wD;-Z5i6 jSYWϞ:q~u[ K|og95OSGőI&]}[Ldi"J$?]).lwuEmkpYL[Ѱ ,1MlB<%8MX;v;sfS ER궽zH8g̢&;l PAdII iO2fE6G<.y8UdKi/ӊ])C4͘ D4 -MPJČmr0 }~yr_g&%ve;8}@×툣CCByzd wG=_͂0H=PmSA" N+ĢAd@ -}ş8^h@fgfC)z /]%%5)Q@;Gbz*XH2v|@ i[L%΅ H \ Ns n)%Y&Y0`- -d6slHO۹_)ü{rOf(&7 ,L* ^D5 DDO0e`Ȁdv)14_~t:[ P_z:zfk^|-4[8pV";I^Rrˌ Iu@y6B.Hz$eDع"9ƶ a^_yH{F+-[n_k{F#ctݔg+lH= fx%*u1 `C>tPGʋ""PWЬD1 [.lsQ>/5ڠ"PjuP@ @|J$+lTG@ @<݁3gz OK(WYUyLJⲉW@*ыmPF|/ %*` ҸcR,3j@%tLJp!5a~ldnߣόnZSkqRo@X35.u-Z,*'1hwo0oiJvg>tZ4,؟~Io Dl_b;n?RW&Dt*̘$XV` 癔 ߝo~KX@ҽw_Svs :b.Ht,ɒ,R֪*Xdn \.J1'jy+D(')i)Z A#abkjBVԅ #xVJzw:$:+,0%(XT<4$7+sۓA5yLduճ֨?\<d߾vȔrnqvyMA@IVr :ز6UT9&O͹x]fBf|݇rnR%fP}VJ^W^8njQB)/K  p=$)I"^JTvTVae,b3)?,^+xCFP[4-!5T 4J[ fq O Y#Y%PUtؑ  RY$q`Ҳ>O7 ^O 6*.f1-5=32Q%!٦h@tnz\ߗ.B#߸*)vV=/_n٦e\Ͽ;у{r\,R׽ 1Of*(գ 6n\4wČLsmV^JuXTeLEvsa}X)9K4޺r.mPȆ$Qb),Irzf@k$KJJI4pC^q#O0q C?ec1%(o Tj؝S ƒB-=!>1ksvb@؁ aѢAquI]{fr/dM2(ק&,`egTF$K$$ȂpӾRoh***TTpo/[P3tPjn(]ePp-;=)~~0+[LJ{o<1MV6faL›fkzI:Hd dcf,[ _[̢12>f摝_,e_H]TM|4v`Wi-EK=[GUtDeC9 ^dR-) BuuN!iBC}}ށ+w ( @y҂*`A C R+LJe#e㧚DC¡G%Ǣ Z:. 
r|JF2 Cf%j|@ EDȪ 3D`C׍fU.&xeS5vZa]L7Px)lHءJ;P,¸ ճvbȣpAd)N0pɢ6D8쳝XE`݊U6 FGFM1P'\u5tN;7\^"Tq6$v_`+WΟ:q)78rk\ +l@:ȆDK$HpZ:={깋WLɆG@|'W_N@וi2 0vĭ{lHU$HN'֥HV៥"̻6;7o)SO/pVD(:젧G2 IDAT,! .4ɀ d<(6!ؐ`6$5=Hؐb&ā)K|$d9Z @ԡg7XD"+.=ْzTt7<.(e.ϑ.p; oQc̼.!+nQ pclG$.ݍ 'Cܑ?-+LZ;  $1S .&I\ mހvdB&\[g%I6$q A218=ЃG_I`7ܴ"A_gxG=z(9}s|%حg[*cVE 0ǢL ら|Qِl uk"]<|@h!9 QRP0߫PV:d}:/ᶷV=dCcc5P ΰ!Yp X$G C^Ȇ<,[H}cpKݪ0mvV"65F"A흕XgXqDy }7)v܍ͦũh'*Dȕh<1;DOORvx.Ȇǿe,+5C-<oeҸȆdj߸.\ |j'6!I*Zc0%xX'P'Z XL3;Sm0#lHN^{GP/ Ů!'k-5r`ށJ4*?%yk06Sِcnèa_t`ށu`祃etxbf2 l^x]]^jJ7 dJء&*o)n6$d.u\&e?c?f%{o6PU&L[ ̮u>xi5!C±yC&$4aBfCB"Fy[?`؁J-4n ų&c j¨dD# B;!!srׁ0{HOS|@8#!9[|gؐh|~@!`CP݁]%Pِ$aJAaِĠ(D/f%Vׅ2 .BOf%ju ""(E?f%`A"<=^y\`C"_FJ~,3 D  %*;PUJ"R5f(!JYz(l 4 ,[NR?E/6hNOW`QO{1y*F"bKu+Vؼp5a۹tV; Jr_y\!mA{`߮S=u!MS -ZPPpζoEXt{MHk0?8wzSڲ=wYZH5u;^9"I@iS7o䫭\(l@,!U*Uh61qWj&^/,.+rKV ǃ?b?NbKhȘd j*πe_Jmˣ@N!f h$wf}k =p?ub%ADq1у{z[<]vF4YĔ/tO*M #caa<}svyDO%*[VƵv;ˆ$NJ>{k~BUO7U*0n|4̴\"&E/L\j68o$ 2&ǿζo>/}9BQ;+96$1/ Yٓbe195o?cӇKk'UlHEET -2h77H 87Zp ft|'lg[ |bĹ3y{d5xүBv֚ I$nUZJB|Q[Gv~e-daSe؈^ tV"!!#Xl)ΰ!;$dCR0DVJ\[}g<MjDdCfxz3 -*L\P YյD @!U DuV*"#D;aC|uclHv]3ِj %%JG:ҦtGlHtVY` HblH3FdIgD]#KyYD@ؐ0h3lH})3Rb2B#>6$ %*}; @鈏T3B6`J;IAfyAX?:/R/Ok̤ `qĆ0 iqT rPݭ+4!q rqQ[eCNQ#zUG ` }X2j8} (83p vd錀:QA6óu!D/!Y?3>a<>dmlgg8aCP]c^dC8_$SZ?33-vagQ@,`?ePxX(!KP'l5+ *D"PhY\>@-E C<=hF:.S5P՗?:I_^ T{oKJTv>9ekVX%2C J;^ǘh܈Mo|% |CRPP8Sj5>_EY lex_3sёӡ{慡D<ǘx]9aȀHVAU/IqFੱ3" ^9 |q9C059d PZ0)Y5KaTnDMr)`t`UӿqMBl9bv@ٱu\.Z5zXiӳpdfܲzNz8ы ѳ6եOh#S"5ÒS= D_"[`ۃCyTGbV5i#(<=LSC\cYD\ bT)P?h퀘@ɶ@_ 9;WUDU@4D2Do*0m/6s݇rnRH;訛#kmH}j֑97k' ?\~!q=#ldhxHy/4aN)  ?ҘwOo_\ԴUXd0|[_T<<+qe`?-z_}e<.PTН_1uk~}o~NRGK_G<=xmѫ&6rVrIzSYMQ\7?@k i[5ec'fӀ-uGh@8;ZVmu/"PDOhtḉw /( >!0/lrL=iA<7~V7I">@X3-TPBj5:՗+(C;C<1kVP co r2k[h{#=" J7 )i%T`3n!Pg%JuRIdj-Mp[m-Y_bՁA5aR9ڮ J']wuI ]qyʺSJ21y@G͡mw`\H,3O> (#d$xz(ѓq~&%8 k d;3*8I.Ծm@в}{9 D@w**}UWVfN}!Zʜʜ.;"iR]fF.$!PiT{M+!v^c5K#j;WvcRܮ%~.l9uW?>{Eyyo@ ID53FL*hN·f`:+ӝ^*[g<ࡰ*ܹi#pNW^^[Y0~41~IbCS3-vb8Μ8ؙ% B0hSZR oŕv0cqp!E+̓#"6p͂۠[?gO#C{'3vibD'@-A; yJ{+n-X D&ȕhWT>WgXna ;ȸmjMpvE0 
D:8v`WQޢٗhj膬aA0Qxqߝ7Mӽ%4pV (.W)o4֨?q HpM؊Ҵ&9C[c˟k4FD@J#jsWt1Mk—kēj~lx_3s#^i:+XGgJ % zLnNҶig,)6Ү(;Z05+Ɋya(Ѯzފ+)]Ae9/|P{ Fȑ;d}VY]k`vn0SA=|N}=-=tu Cv%uV\I1T?IvRi!t@cR(7.`x؆/ 8kRȿm3 mk̲s^_9{Ǡwf"J-o%bC^ vo7:M ,p'k[qKД:Egt-)˚_\V~ ]88"xa(a_V\Gu(NH [uLj;goi%mC²K"(*J{@D{rm*#Ll ۰D%" FC<Wʈ@-F[gŗ;ށ|a(Hw1x(# yVəH'pr@yNGO̒ZԺ0ZwU+iwOijčWǎ1ҮZ+O}mW߸.F\ |E-<,:!)~h({(KSYw#@$B.▚ ِh=<󄇺/#79wgJ w? C* ·ܸDUC# 5vGP$ IDATS06$څzKjbo\C%L) ҕŜnDMr)ೊ TM5 EKwԪѸ]`bUCQgcc T8'kø^]@=LSCF,IxL z>dHBv;Bx^_c4"P&3T*AL(dC RIJD藗9;_pW06P7 Q Q5ܐ6ܖnGKS:tۖ׮f9s#rYrɬL0^LJY_=-Ӄpι7dƜ;]vo%5>LeG6DdJhE_cFsˁPhpDM4\B X-(ͩ ԕ˴+mbiTUS-,Zh (tL!Gc$m0ׇ;,7)ǣ0(l&G.? @x`Cc}ٶ5Aph;¸⤀)5!LSE$ĥdJƸdg/b唍ِjm(0F7dbԨIx/Q1.Q@"xc1;몋&񆆠&4&VFQ75^ɉp>={zzgӧުzꮧYi/7CF٢SxOAhWEOd8%ǟle1E|)~W.0G4iܷXQh=-}̷)@r(=iqRbO6]?]HN>m TN a&IE*aCˍg> 6훜,MҤOc>r'R e5I[kCl1L+˅z9Qtxi{ɱE&{ KOt=}-CjĝуUOZZaMw߹-!)9W/|sID1Q.]jNI8;wr8ԣE==i݋"hI W#^܁GV kKs{vw"`tw;>?kJ7=Շ@WuL+SncwmsFwL|o/T%-` ek ȫV%m_eͶp[~.8W;T͈pXElE|7-~F<);:Fww";h5BV:^A25Nv`8 CSc]_Ŝ6Wltw;@b/`z񒗬bT0<)VPMT|_FdVD׾1{_4٣y54,/=)kmijb6%a3~H>{ +aA ɹsE:sDtJ.v忧Zi3#IN5&XоyvIwO(Tp>mуA\3OVH= )9vv+Ț6aC+9|tDc+"HWff,F_lK Qf$MK诮݁V2:#ڈ_KV56ē}s j8zwP[D4QS}=_|HdF۵u;D~e⢢=[%G"0`Yv|Vn~$FmF#`;jmtwĻȈI͉ BuepUJwjDmH1վ_khBGQ'9z[7&W~qd "EʆCǍ ȶDr $=m;i.:ːT1XF^f#TԸ9~NX@ ެ=!blE* /RE%Z6.4;qa.o=/RQ)ܮjn!)ã&M=aЊQϿ,-uX꒔YB^&Gي,GؑRE%)dNW鯸W{1BPuc*CKzŠ91_x5zioN(lbs.>~Q̾H?MlE̛wG/L:Mm}H] &omNm[ ih&<]Yא<z!yw4Ui@jGx G"`twD[:R`y,xB@C@{!οvx @}#Ў݁ށvx G@D1sm)_S-*kӢCR R4\=񍪇|i_H𭥘wm\Ptۣ1xbLG1taxz݁ 1e\Xh‡[[~ͅG 1…%t)M i.ZQ{Ses%#>{cw ?0e]baAͧW3 Km勄Q+*PdP&vmu 6`S0%)n1.ן]Zdwށ'jG=ir丂'vx[NfRH%x7ѣތ89FZuz`o;F˅oKڟ_tV5bCKmuŏ ==ckZc܁b2w/?7LSB"ܽٵגG\8SپcW&Ƃ.~^F]0C/1 [u|VT%{Ǵ#'qIZyH#Wr4.{@0dPFiZ*;qj,}\!)VAJ8FVT%EG5!pYё+rY#dMQqydvO32d$﫽#rc.Q3&+ S'NKI_15s;E5'# դ>08a@v&pEx\>;J'}.$ HKv~f߈ã;p;]QV!n+};DL>&\~>d?O} h60+!cdBnj7$!z()x*.,+B0,#uqVY_`__EzEJve{5zw :wKS*j-8MԜլ%g/R8ܐOkjNYނ9 ml\DG}UeԊH$C 0́qf^QoXϘ/JO_ilHp`Y#I+#f{ z7sVw#ޭ}+^)g'$=}-Chw@p|́K%Qa@]Ujʗ;*[` ;@SΚO @i KrRUM-;jNTAZ/hkDήgZ&g)@}G^Y& wi+WmO|ds&+t .4/ ;TW#% Ta5JHjP&[$ UKe jڳ:F&ȡR/B%IFjUszDA=;E;U6*ѳ@AӳJ [v/n{o4M/ŷEޡ! 
©VCuԨMQ'*,Ka6$2# ?bLT~{A,=;ڦҚ/aC{د}U"Fwlܰd%)2^!R$P¸ HY,IX:Fz?\1'=ܣ34( BulH4>H4O M% :J"Iш~ Q$9,b{ KUܖ-ZtB i^)l, &06$Vՙ*$>eSO $(>q`"qRN1495e|^ψv}\QV2mڢݭ;8,LJĞrH^YB=Ͽ ’tlg1ca눴4u[o,h 3dkK#fˠ6$lH. ؐ '+!Qؐ|U + -ِX[b! ށу5]B[S Us;F",tn6$_g5:zX[Aw@r6$ k\#iwʀِXz^~DOݥ}/);\EETt5|pdFlHcm w"w sA@ ?в$`uc}|Qvpk!ʲ a~`ߵڹm+3XِX:F"^@ ws+=F\V@?1J{t5TEAC;:,=UK9˕[ K| wx d\(g7u!I)X0 XRLL@@@.b̷lH/jG&63c(i+ZyM_`zª%Dg߳/|[n*ٓ&GN`ɳbkwdQdꔐ#^.Itd 82|Zl΂T{7$+7KOizX"d7%>m>x^O?`J8Q^cY.g=SK\l \~B}\w`tw8"ivd eC BH_ X*ܫaq}bƊ*.Q+ޤ˗X#aqۊsOd1v݂eu0G\>Mg]WmOSdC"Gs7{.=5(4.&_bHY/@ok)ߖf hOA"-q1G܁U;;`efeWU hF_N>zlZ̾%%1)͜DyBnj7$UXQ}sĈӴEz2(>w:^ Xb2|)M"EЬ%PC`޼3>rT}aTII)szJĀ'qtpxDmŸ0=-v%i"ŬyCH"R;lH MؐcMl1#bлMGd<#98+1Gِq ;0z*ѳO0"ռf4yRA =Xw+W;+\ 黴N=bvw&2p6$V| gIDAT ;0z*Swi|i_[I ^|uKeX%qDa'l܃4|o{;܁F†t_ ≙}u`=~Dܥ]K YOqQK*UxA8av I><@/bOQ12*5jW!@Z{Lۨcӱnd߳+AgC*>txݾ#.UKA08lgy)Пxˠ\ЏaO+(xL&$g+ڌށ ,  / Y ʆ>ҩhx! q08H ؐ3ƛHِzhi,6 IoYBx_ز~+cOx \N ܇掛sKO N=BlH7" rP!)C iB&6$gH-keC1v4|~ Ԏ}ҨP¥w/b;bm!S*T / [G]7}!=;S&f%&F5Ij{j$&y^h޲}q~kzؐ.Ez?\1'=b"m; r9~Y1㈾CfAd xR*JuW!3+.|*kZhЭ gpס-">9fќaM$ށ*j^ ?˦O#.*٭v\3|IV zaCzoݭ;8,^f|}mQ*"eŏyʥ6cg,[#8r6$wj_պ*2OI( ht~P&<$0V6WOb1"uzRņ\LΆں1Gِ:<{/2wvo H0( p=#?Y0z*sLGה ߄8Ds:`TG>$/;' HY!5 XPt,@L't6&8G{Mwx&2p6$V| ;0z*Swi|i_[IneCb<\%F <Xag\ˆZ8p;`E;:ِX WoaXjCO9w LHVq6 AiF;@*Ά$ހziG@27 ΜEE~8Sc{0*6$,2Y8cؖ&c @*Ȉh㱎%).A[ ;szvCBjJE*X+G(ύ کa!X!Culx {"PM.}S83ށKِ׮nkV-$UQbI#'1NǻdZH=· /:q5Wff,%r񡢜-; \0bԂErRkQk\0 ;`E;p-Z<*cKFDjf^E#E~$aa^DXɚI}f-IKOXa&O ;!*U\%"5cۊsO_O/].#nXclj mZ %qJH->ui) _BD0tngh[L+ОDbμDP <254ۗ[ۥ[ <"gCTlHTʮ(xUt&dNK 6sZ%RGE2"xpL>&\ަ 3ޜTc)xv%j <zL C2RoE_LFՀq 0+cC"b2к'A@A)*()Z<)'g/ňR8獟>sצ NlePYu22/;t5 CP5h.:#ܜ2 :;lHʭFؐcM1#bлMGdbaNِX; (Vw4\#VP3Fm:p;X`A?Y`AIHGt؁PsY+;`ELw@jfp09} Yl#XPΆĊ/{y3Ҿd2L>CzqdړG ߙ>]ʲr@j;f6$c crQm'~@ [pP*t{| R5.ldE?hiG1Q. 
ʔsseEuI@;h'6>ݫ'\ V l .]S)w+!im\r$/,.*jA׻ XKٷn~l_}<5ϘLkPT.{k8hАs'lAZQ nъADx*LɖHBYܴei-h.dL?Wa {Oc-+&1)8d0ZEui{Ie㏦&a 6;`;pRXM ѣތ89FZ ŐcE#5fiSb:ov,ˊ$`џ >>6 s맊A,Ov2<i{Ie9}t^ bJ4DH'L $d=/{^ղ_W&b_|-SKHvƌԬY[ׯU^oڙnڶLa^߲zež^qB{Upd2-z'.\M8@uA,@+;PS+d eC MWaO\h^H߇,38di}?E#f1v4n'C:~:$9bGh*VB0!c_l}P?CN->9$ww+$ lͨ;@b텀]-; 7쿦 դ iaؒ1# m~0I̷Fͬm"5Skq, s2#z,5c܇@=Ξ:I@Bw`T"2 2 AK9\^z>zk5!E#5f$/=n,Hk`_ڲEˀn]Hac#͋20e͜18tAc_]8w cC)ӈ3ʐIGBGZYsmފˈSR$;RcFzqK1}O[WL&"Թo-TȨ.yݪϾ4t܇1Qʢ,OS'K6w㓽];)UlHR4d†_NZWE扷3 e߃oʄg s5s~}dIdUUrd&? w_S`C9b?\V-;5y( G@BGۄlSk2mK\|lHG&۹@ukXHyV$!7;%~Ϋ3Q1\#uls1F@־Ȯ\OFwK3^zje䫶d eC=."IͥK}%4!*ؓH @p7?(Ա͝ǸYbzͤTP.=AQTt[=<6$_="9JyPlI; 4 cԡr0d{ViZajV4v5;w mށ;0a&ro*Uň iƄOY4'!~|ϭTR"DС@pV| pL¿ }:4S.}Bv@ʩ݁g &cC"_QZ Dڤ SA;ƕKm:[rȥ.c͈ FLX7#f];8S+S I4†$k*bL܁w5x,Gsl{ʯT`DWZ7KP0ͣ8nFdN|Hp =@`,m!݁C=4Rc)8\ j0]<AHv`gtwP/)\/+2S_Rwށ!7"ڍRn(CP8:<ʻ@cFwо$ΆdᇼԊmtws ID˽;8;.CBKM~>IēwRC=S&]@#I[=??@>ypr#Ǜq,_ڧɥ6P~?3ҏlV1s_v{CytLYt}ۋF3!S.+^!2 "&N[gήwY ԯ$ R|}Vtѓ JΚ,.*) *%[<EO8$gbvtv.^ C7s'<@ʞ+9s6zYQ}WgU2{݁eɲ5ϲh*{\}C;QzUh`i/+e%{ c'N$˻n*Is!oADrH JFRCd.p^w@;je)V "g*]VWh(xYQ}D_@.쾕XF eEfszQAZȚF[u["/랝6]@`t`OdvNvd^pޕ7'piIwF{MzrH J T EJsR4S潀Sl/+ei@J GiX׳.ދcPO^R-ֵ"\VW#Z:uzN(I1_Pq2^*]Vk҃zYis4efnN:+jUvsbK&=[ZԥF,¢͞˳g5 8C/.+5rw@B,F~Y,g"r}W!½Q\,pe%u*r,;c_E z:s9Bdߜ֋J{GA" PGw + R/mHIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/9-1.png000066400000000000000000001116421303637203600250360ustar00rootroot00000000000000PNG  IHDRiz"iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx tU?O%$ B* HLaB!e" E", ɒd1ϐL8~Z::՝Sr߭ϫޫu5h?DЀ@޳i("DЎ*v D-7@ Z*Ro x/_=Iܮst(*0͂[ PŘ$Yb 0+v $EEV[)=%%S%ffEbP wP~Dԇ ,.q)Raadl̲!Ѡ7 VH=G_RCK@˅;xqDd%9EHhPDFd*D%iR,h.}%Z !n@2*8]1-CXZycOIovۃ3Lzv&l(JbKTC LͲiØ0c2T20M™wj2!*T#d*l!$+&\S; 0  FC6J5zfW%I1qcaw51½ˆ"P5sꆸZ*ځXLJW3{eCy< ?Ɍ~U^#lDo Af}FĠ@"`o!{i-aV H #S;ϱÜCA"9Hc9* DsP<s" T$"yDH $@E;̉0PH #3*-d̉2ѱC'C"Q-<(I  rv 2]NQC" ADSYڬaHL(Crk YU9ΟۺeمrѝC,/1 "0=c0>ngD9o J1)'fKŶ\h~1D"zQPP5ރ6$T,J>DZ[%TbYZEؗFuTs/IGNܽ_^v_/oǶ)4uվxt2lx*E3e =w25l1bBy\ #)47veI!)͟ <g%'Nn(CőRmbm 62!4E(_)mqł!}zj[I gbz"h[bzYK~*iS~1`Hh iz৛7@/:YDMAy025o۴3鿬z]-*h@2Fcsll :}z\Vrg1ׇ^lAJ!ӯo ?޳.Z%Hj=aD5J .8eTTH]bWmVEicD@hg2kv680b~Ea.UF}lI 3h!w+,HX+C$1(L#+5a׀"zI#Wm-K|`1nVاq E=0eϚ+)XYܙUT:VC`y/$lA&$VŋvҺ?u#Ops1Hu'O8l~NQ"6 {)(d])x^%['N]c5 IN]8x'~=5w}i9<8`SBXgm!찫o9ZQr*T,إo=5WZI7RhZ$MDe>ȮCThxUj[½ #QH xɣfklB/EcZfU{sEѯ&)z(DJ`9O)%E7*ADD[hZ#yX"P@E# Pb5"r~fw ۏT+&<].U`dOHC a.茀tjsX"(XPC ՓߟTܮstK=)FgBASN P-$B\,`1\e/DS.j9CCu lhba n;E,E;_"(|B(^0i"Iļ`9*LT$~PPv˪P3so[vmP,(2-D, IAxyb'1;*KERdU?:-???:Z .Ľ.e$לk@@]V۝#Ǥ9q⅋vqQY$9%,zf*6{MNnlll;S Wu޴6n"|'|@KR"L"U#Paj<⢊W֏͟Av4ʅ{ 
4'U83-ٰ܏wovJ|rVǹ]޺q"DЎXѵKdOYnY^9yOizȘ״1)i,01$7Y㰇]q®YN^ڙ*Rvܫ3`q0G(x9gw[u.֋hx` Eo c/,.ڑ2>e\a+L^=M\KS;y*D *,*`bC ʘ7*Q0cv$!ID7F&ctt+$ V{hGO!$0q0(uD5{Qs|$V4/e SH04*+N΁KL97SoըH*AJB0ɻxbiՍ+QXJ7,EcTʯIhXՄ@aΒ!|SX(0ekw K`C}/H^0%3Z t2(Gڄ"P}hkcDt}F3KbkW%D(Tnʋa:+J >/FKCdAHTΝ9_!®#< J~+a|J^{_wo}KS7 o}60Y _XC?EHvIA\Y$G ˺y`2w3SbĨ)h杹٫Ma@۩I@ǥMb1R 6'ϕ"yT f&a, iW/ w7BpWT2+FU|%)T@ ,:20pHa;Ew.ݹsB0>%[F4y\6YXX8.S3VE`̨1ÓB^\nO k o3ӁB0>|J 24cV]>;ӾK1A͞;sh\v9!0Ov\&.LF}C?Z-$mi?k׷߸1k';௎I+V. r%HO#Wee,8~r_SQA$ϙl!O]~TYƗǾ9sOzkRT,tMA CtZ F?T\ɲ?W)7sB굫QMƂnp"Хgn멝 aÇM~;DkvunY$Io]*[J2aҏgBp#HdHW5R$Gblfu4p$k$TZz`%hHS;sz鑓bL"@zHhb_j-gx.w_8j-Z@XñȞWZnkn_$na3]N`+_Dq隋@u h^Ej&ORBӵjs"q E[d@hP$._$Ԍn E%N$1ANK"%FAB `.H[|[z-y%EAһ$Fs$ >A^fw;`P!B!Fb2? p\IRo#"H(񮑨" PRrZ$`tP0P+W&o'`™T`Ӳ%i٫iWN?6W^;SpnQ+<JkWUyU"Eފi>JL+΁ȆkeE'upfMV^>no.^ e4qځw>I`q8wdvK8fύ]Ko[ "d.#W=o6UeIx k$ ,Ot֫vfJL${ؓ]YpsPy+ XYkfO97Ep`00_ **U#j@jڙ?8.lɡt!C4|a"壞8X|;mW)G~IQB,k4Z$\#9KMX!ɑh,u<|K!c`DsQ!|`^ DI^VkB Js]W^E5U*MЩmoÿB50+>dINźS $M!ukl,:)ͱCBI ׯ_E+WӢ$y˗3ժ4y")EWv]#w ̎t~w Ե{Ov.|E ^o[qL[ꏀF"Ħmh}U#w"K]ręME>,! !"e8XWc1nEF:hV$_Yz g{k>/(-Z3k$q\#! 5rz EB"ILPzVB--DB-ޛ `D׏ i@Y?jhV$Nul9륊uYEV"!ww IG㮝ފi<uzC,weĄb!+H "ᮝ! 
(9]e AXFBIoE9҈$;W̄Ԏ}=dpEVV,= B7@ ^3+:H^-O[|.BI!"AsmkWů\3Nw^JUȟۼK넀\1uc kun}MPWi6Z aaێ~ǜl[-;farC&ſD W,`?=4L?=n`$I];?,?BIRqZ] p!k$fs?f깳糿T%=[+מ9}_Kdz›>Xr|Rm]dN7XB$tFX$b\^}KVCޯ IDATa@,~Z*PmE `ӑ.$7o[bzz:hx8 .Kf9zⓒؽ$wf%ٷms6GpW9`#'-Nߊ#Wu蒕CA3ڰ3Ҷ8%`6lD8v]>;5eHp,e1*#D6mؗ{ vZKT<͈B`ť![jERYUPZw.NL)m4S})S) Zf~9K~|P-6g`(ZF4r%`%b҇hH<!hX#h%ZJk?tZ {; .X*t%m }84ej!CfNa}ͼLzUd-nz1YEE{HW1+qM \b[oT]O\{1v/j-MͱQп>4Wsޚv{=)UZZ`U#hH~!kL$}@"?i~ش-H@u &D]4Z$nӝ:m`xBDJ}$8UF@E{=C@E[8-gX`.Dc"Yf%J4Z$7X$][}4V$];I?!ɛ׏kB ɇ޵(dqgY֯;QGtw| [$zך)L2 yyKLuMW/o]"zE -`k,|Ue]/޵(95ߐDZ>r-%F%>p 3s]>9ov?,5}ىz}-*jЬ 6}iQfOFOZ\ʬ C@E{7Z ij=~Py}`١EDpMuuƚwơ3|yޥ+}𑬭3eohV$76]t1tWkR8KK ӳTbsdR=37m\S=@@%!# H?ޟÒO31$ ޵%l]k%v_=LDXDދ~{7USGKcMM޵c.QvHKB+ t^IxD4l>% GL]#} 2'Ma|10!lcPxBR|i"js k޵#ޞv҃vW@+?#%VLm]جwg( c=ʚNpd͚I ""@֭5ka|.x"ݲ2s$:,7q| 7:(_61eܰ 'Lʘ;({v];?eo6w4LYyzCk4Z$vVEyѻV@d@ HnsZ$I4Z$'?<h+/ 9IoE*2ZK^V"9t-ԭi8"]b{@hd#߉"IQEfC-Jzm\TO_̷|tQpD;}媥$d?.(TwP"H#l,)#?^c)#O߃[jA=\rk-Z9y=б[X-/a|ؐfР\caɗz~:#jZ\ZQAOwl%$Y/IyL# = h":I1XH'S{FC|븴:r,44_l\h;tˀoشbn%q_Bפ;#$ĸa)KI$_E{ۭ7ɀx"‰E3[9/jw+˷;}79<YRvm8r\,햗 nLy^U^DDDݛͩu%Y<~og,_,uGʱ5&'ɩn^P0 idpg4g2i\O>neW qiy)gMw5 ;@ټ xmpʸe3K. `e2B\cRB|ILz Ŝ@kHzOwG󪝙+~#`ϻ%)@p(K0&ƥ=9g 4p?_ZfߝqfWU,q 7'Şϑc{!o'> ݓHEoW#v!2".$};Zwa9 t/W6xobvLص+|۸yDZ8hn\ Zz˂h`jbHaMOHo b %u?kR+ qi%e\~w$G_,g1dgMc0BXϑzAf1/װrB)=d_^[,?,՗aY8YvXzO<"謖x H2.UA@E""݂lUX$l[w=v+/zȑ V>QxGs2ΜK6=nb]J/ z+7򢇬x) _Mc9 [tCbT$X 6޻җPٙ,ɂq\6EQKC!+ IfӀQe/:g7BT&M޽g,MYߎ~@slc_2(~"Ωlr+/zJOxȞ;~b? 
Zt xgk=[s|[vuBJlMsɀ}=d䥟,sr`ڡ0l6,H^@F HzV}x:pH`U8 }Ӓ=dx"[c->k-ȰD@|Od"Շ(X֑O{eD'&!k$4jN( Ì_Lf};S;[ i'Q֒qJቮƖv^5FG=HtdvckH1k[t=88urO1;2k>x 8-Ƌ^?a}i E1)w*@IXY*y̠?2|rrEXmgE2ٳ4U%RȹeE"rb,Zc͆GϞ:rH1#2fsh'>AUJXvLDOy/ ^ ya0ݙ*=L#;7 0oXiFlE{ $1\/9hmzđHZPU*%k +fna9Ṙ;+?O13Y뛱!IN[lf7lph?c=L_;=)O~j&#f[ϑayyDשs`ců'Y/ao@=-X>v7`IJt 5ɭ7$絆?i~شjp #@LR&7$]Hm`iu/) W@WqTdf,Ԉ7*qO*H!~9DZKC"EV$-VEK^/BE!|٠ŪEYHc{Ms޼!+9ՉCY;k;,8{xʚnzc2O<Ɂ1٫}98Ѿgls ,H=Ǿ=];p_[$z2!'OHTtrUYT@&h״;='N>J3(x/;sNִ+׊"B_Ҷ / /۬"shs}!ɩ)xA[ `>#H?\i^g)JiIx~@\lĐޭ;tǶ7~>ppM+:x=dYIG,)!4ߢ鲒f$ l"C:@5)&u'|CM_b48#Ԯ[ C#W}o6H0ɏ@z7([y8k*wIK^+Ōz+UQl"  Qh*yCom=fΛ޼! os-μ)!'[FZ12,+n[w0|_Yp=쑰11FiEEVTyE@oE*Jk~< q#1-$_=Jza>hO[|.;u!'7"n""~[\aX8=Yᒌe.*̚q!_nSYlY3?c'e͜F7]Zg0@"wVeKvlX 1һ7ubC]A vyWYp3, 6:r۶2z %߶a9%sk$^D@oErêzI󪝝ĽC ek{x&`=4*[L7 Ҍ$(ɰA[vYNMqd)9s(>O5`ϔg.JCDZr/$ܮS{&^Ƈ9bk68^'tNW oU䝥ybyzBcG̘fؑټaDCX>QBFV>L#c wg:$Dc/߽O-6gj6r뒣 ̷v^R&5"o6"H̖b)I8{Vbzi0 Fh˂=̀}98d0}>3,Zw@`DAkW3RY.1&{y[rBl%t!CfNAaH U]_TWR&"P,Wᦱp$GFchzf,YtV͂ Mp`g"όokqgQSwm^}^r_C !pkͿr䰈0ByT=A0άѲFf[vgҏ#>! =7O:'!n5H=d#ޞv҃v1y@+?#%٣a&D@ -W1d#E.߶ #xidYԶ@M6ϒV) ?hk*ih[{2f)h2$8E,R iU p{3ޣ{4<A,Rӹ]iKBJI}i[~Vo X$l6pUFM$DD !#]mF {-*!GbH%Ԯ)bYвFn= Opؚ n$ÝQV7/aJy- X0hpS}k]IGZ$or|FY}|T+/ 9h==C^ < 쑖];l6xEyCc9(VhHzOUt[}+`ZвFfVEMz! F"9*I kkRǾWo1OHKe"H\XZ3X3 _ g? {t[pk>ƣS%c1kDΊPL- {jkO^SGAp>uRox,p&q[z&BZ,6x-RuYhGb`]g+k`Z$.9WEd3 "h`|ycZ64MhH67|k h9it_er \+Ǥ8Z,6[pWε !i#/a$iGl^Q/ &dDwhځE⾧PW=&sp>&ra&C/aZ9D䱇,l6Hk`C^{F"I:!+Ev!HDYi5Z,6|Nq4CVcjHzOtX(z Df!"`A7=dѫ L-vZ$=dPJ{IJJ_ū &4fwQH~FBY956U[=dʞBą9%p,%"B4eK7N#{,<{;i93Kp跬y-4{޶jJkW)ΊMc"ؒL~-V)l hKK͂:w>O5uӌ5Nfx?{^bv 3Z-₪5늫4ҋIvkGm#Z$. W!kV.cȶ3SE Y=l4b Y5ICveq rG=d?Y"]nzcuSN) ڀE74NJs}Wׯ?"iQ)?~{u CS'F-wVVPk*pOOp[? 
譤mS'Eּ<3w9x}OKk!b޾o.5th![@o 1do-b.1w1d!\-]8ԥ,s8°PHU1zV Q E07ZEJ'/z*L-k$Qx<'/z(v-",RkR41"zO*R4Z,6tySczCVwHN7Iu{:U o ^6,LM^E7ࣇZ5P󮑪CVߡ" %,H JuK$b vZv }I}k;[6h}!ਵ6X$QZ'_y* ǖw>#VSsUvzuvbefqR6KC6U,օ<>hhҜˤC]HUzV Q hHS;9#_/z*L-k$QQtzCV>wX5q^C5I^z1 <o6=I , $:EY ' IފꐗzP?Ո4Z$-2򂇬<G$o %ifcK:6df75+"'OܾdK+m3?u4@O43L}Jufƫ^A-"EhU ~*5Mdewh(JU;,^%>~{LUZ8* " |5vYhZS!(VZ$.t-VYhZS)qu F1dFc:QCk9-zrB-ޛ kő'/z*Lk$|$CCVHHEg- =d B-S;ε*bc`hHzO2x:ESE];HNP{C9aZC-ފeC^!k$.Ly瓾 U3hff=d@ (!H\k! ϴ Ni [[J(1hH^;~b? Zt mƥ%O]xs'Oۭ(/@@ą0EJ YhPڬtS=i޹61拏163]nEyՍZ$.ER;! a "oz$)GQ%KxH\8SvfExCJczE9b-7hIZ#_*L @2+Р9L=M";/nXF-œk$Z3'eFD@EwSk<| S>IƴиF{ji'ozwt*(abRg"qιkXz*`LI艹>VE>ZꕗC@E{j{Z!x#vz+Zp萗zP?Ո1߱l=]h e"׎Wv\>`(>)9sG Yveϔl{Ix٬>_:GlثI34; P0- ]v PȾX9xyBKH3hEW.dٟGPv]ŃCV+$iVǾ}˽mdIDAT:Ak68^'t' SBqZE7ujG9 SNyhV$|%Ϭ.xBXIX(?1;?^ĖW%$Cs>yf0gX(U`y)4 k+.'i\#q .+} ͚9r Kukӽ?ּ-9FLy]NXOC* ÷L(~ sFo6H 5@ R (tCE*bZ1d4 Ő5 3a<2п>4UBI ׯ_E+W3> )[f-B* ǿ^pffIiY!B^;^IQhl M! MN,ppj/zrB-ޛ kő'/z*L\#q 1E|!:Z$.DX3傸 iHzO-|\|W-:)1g!^m`EB٪ӚlPFNZE!jRupT5F izrBhך5"q 'EYq!BsV,E₎"Z=gՄhHƷ<%o_pG;\#-hnlٳON wbmN3 u #G_)Kݴ@߶ \d._vuJ0H5ͮDEZ$GL+zΊH\QvfEla!.-oA#=gYЂZ$.8H!Lm]۬wb]*zrB-RUٯsB YmҢ%xLw&$9qk&fb,g=7310s6!!sV,hH!넼?x:5H@Y'C SN\hFIo "R;HzQpZű'=dLUC+|H\0r)SE{jUz!'hځe!/zp,YHN8S5փl ˍq_ർ-ݲ|1gwG$"J E -ފeC^Emn5¼Ihnq !H\Z3X3\Z$H^]8ur(Đe+$Wǧ'%B=4 \d߱5GpfvILmˁdPğz=;F.%)ǖeW Ir"yCvJƯ;wk֠#G%w {mDLQoZd6\8:N8;w.]3xคdm//8GXaY]Hh~iUtC< 4\K X}W>fl>}i ߜ0 `ĹX}?^3=R&Ѡ}jeshgXgcjg@zCQ$-b#먴 _AXEj\NIg?hHzoU)%Ϭ.yRHM;byg9|!ܥשg,1Y^Ktpk$.8H^9pÕ%kt־2h0@L I)7,J?q c~cE%"q!mͼ! /vikߌ%˗JشAvvr}%A'Z<0NL7,L-Â;-Ė2\q^ 5Z$72p!LIlL.H! H |#Y% -_xᲕ4wTvT-dw[?=[{k=p^&+ 30D? Jb1NTGɹzFб1dQm'/c*^{wT2D *\&cӀH\zILaBR}׉A$2xIOsFKL&K1kG[Wa׫u&Y,EȒZrF>maʗ?I4W]/1t.IǬ鑸TǹF!KZZ '(h]|$vCT<ad_a2I0鑸 -DȒ2CǪ @L&)Vf4`#Il{ ! 
H,9=R dn@ YIε Sib F2T2kI2Yu2KKfDr HvkfV^fc$34`#ځg3$^WeJHvf*Zh /, 9k$~H"dj\ /g9z4 =R.PL"d(1/IսJ,RݼxțؼʦfŴ.LodbpN| $,FXXZKtZȎI@Fˆ%CVK3a|쑴δu ؊:@ܕd(BVZR؊ц2ҀI$7Z%%DI]"do̼D$I5Sodix0DO9=R?BJ`,Ws Iĥ*^o&\L@!鑸:#!M!o\ .gg5=a| ,@֯(4in%,D`+a4Kc).[mlonnbN[Z~Y4_ ?[su+}P{Bh %Ku bz_mZwuT_=!k|W=̺_YT ڞXQr/Jry=//ڰg C7Dy /;ToVժ\82:753e$3GU쑴tq@Ȟ #uz:I{0G %B ?KǍ*K`,Qc̄H\ILB R?UB ?۰!H.IK#qis샏[LP[K3 kLCouU+WVli_yWcy[x*8숡V/~8yċotp }?l/~]XԄ'[P,aw~d6T&ڐ8*V⤘}!;}g1U$5%JI>nUު-qҀ?BvI1QH벳3=͊6$ε 2#>:d=*'H\91ۃ!$Iuذa!eBLBz0X o'L Zkk"\ \"QTuK@Lw݋w0qrv3͙2yi/ZmWmFfX$N%8ٙR$sG u6tJq uv]y](ʚş|ڛMUsxTyR@M ~?u˸ӉaE?l`'YjmHb SzCÑzqo GοLOYsN f7BT{d-ӳc5uQ>И?@mH1?iki#-*>ւT46#oPGNBgpVfx[H(+!p&D Zpׄ{$>7i7A/,`iiiSg(5Dp oKj W*=rhB!z!Z@^lsݓm7f<ĕsO\WF+s3ѡj~GBY{0T㶷}_K(_xᲕ4wTvT-EyLQmG>7^FB@vt5|.6L>)؊6$1^WLs,?A e-ZUB_*"%%ӓdUf ,*LA5hgxgn԰~x ٶ//"oxp],90p#8wasŎ)_O[ZV:*Hnϡ;;:g 7%hV#-ɇ|!`Cn n-m$9)<ц5y&agcCVG^-uAǟx톡\]V"-$ xĀ#^m; K_^ 5=U'a1pGKWoP#;; {AjP(m>hyFo <3_cגL> H_o5y+ˈor)hwu[G䁾~g(ܲ6BiߖԒT + I*5J!q! % $2RD.u>|/e?Fw} gBQ:%1y`4;wwJ,#1R!6H8B62W Px쿉=:8FȊڙ_зOs+c4!%c#6$f׋N;)t<|_sfv֢.hDB mH%&oDR:lZ= &(?3h7FJoYI`+H@16$1^%gY$jT)g)H\\MX 1I*V1rggi9湛3o]^=s7VT{/$? 
ÆIԮ91t¡I`#ڐ̬UDMh,y?=(NJj.YuP2^##ڐ8="TFȂn?)^0͕y`UEF]5oE>qp_8 ɥW^Vi{/2"r+*/A Ls VU@^GRǻobSYY .[P5 `܄@ u&Nx</biP !'dɻouܖ{d.ZH[+^F@`-];,Ԋ}ɵZ KiVPK犕X1ܧs['0ɕ0r:^yV֌IlF:M؊8!r mnߗ۟(oˍ: X7&fh챧v^[jє~-%+6=vŊ: @,XƤC6zA#YbHj1PGJ44-1HZ7zdD~1:ʌʇ1HHlD8^{39lZ|)\0Jˊ_Z"etLykz0D3$eGP1@jm 5<c+0`ObKQ1E\!ݐz ʀ%Gڏ 5xƤ D@AYfHČ(iActy$(SI%-"28$'=Qw6`,4 4T HF2@ǽ1OI[jʉ/ ~GH`FHHm\]n+v<,C~5v zIZJ I\)\OH _Iz0y:!)OSZ#ٓ~n8v1~h zc24un"gu `6_V I%-V1iT^u I7Z-,FҰ a6RaY)i2+b3 N>؃ kI򫙴\L|6$)88( $j1 = 73xo9S7C H5WjiHh(rG \PlݘlԀH V=ȦȺF$(ncOIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/9-2.png000066400000000000000000001102001303637203600250240ustar00rootroot00000000000000PNG  IHDRiqiCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx xU7|^C/, pdP!,36A0"( 2H@V'FD\ 8 #dd1@L3SMW&>S9Թɩ{~u'ko"@JoȎYDnD0e&3E@/D,Efz^YЋ"0z_;*٣kAi*S9ϩ3X ge ;: D!p!~ I4XY.^(5e=UFlƐyWJ4|eyPhЋ] \ o47VV8CAS 4hA AkWr\T2xu*PYeL244`q,*B DlZm =UqFQڍ curn7l<=xcI[+Ay=oڶVJ%uHvnݾs̘1jF̘&uGǬZP#S'lS )OҼ*cb|Gr D.l7iΪJ}lOm@M㦱 03&T㎎AGЛ4G:RсL-W3}5b˃"PK #wu1޼HT#uxFG ̠2f};: A@01 (h/0NXQ"^Cz0E(h;& "aPcEAzQ-vLE ƊZ0ЋA-EA;1a>uqqaz,ugM"BOJbQ@_v JH^wtЅ|!C "BDyE*SL"E<( "P^ 9\#lR((Wд]BD`G$5`V osӝw.p"*s_vTZ1nVۛ %\o%8el IWR6E7J5dlnްnL2dﯖnf3$?NVǏ="ɑj& H/#RQaъU+:/ֳ۲,_|u7necZߋiKfɓ&%TQ+/WWϟ9hf,8U\м}lF#H $D=k\U ]fyb`O)X:tn6.9(l/ۙ"Hq Hmה啖a;Jҷ:>uKNЦ:й|5ç<,d5n{㦌WF 9vw[o]h7׽yցyQ99gr]v2r91J!-b}O(4+p#Ej},q}+ߖW݅T᷊ʕbÿ0I;%`k Hw\W# #!%v6pg:?q0Pk_[۲}GB'?fjs?;t=ayO3Y^\dZ,cJt߼% 0*ʙ`L-rP0j4kE4, {߁Xe2z%w]\aRY}`˿^bXS&?a|O֫qnbMwui+\]W]\x0a/6͌Һl ݓS/`-1Y2VZx*:>^7%u 7fMeM}C(QS^vz&@p+~_u^4},ٖF}$fro!<5HJ$n~\/LC,\p7G"]oɑ7W"]qY=Ɗ\s_;k款uDHn[m3\͊ M5ƢqeW#CSէY"ҀM$%N޳Dd RiH?Q2#ܾ!muQ@vdg1.uW-b}B֫>w+]S}`AOlf0'Ny#jEQS8ꏝt[)Mǎ;~9jtO^a~ly5ʽ"dž@1ܰB?d`^ʿsVGP -ӚzZxEOfÛ_r*q序<0J#o&x=#8Db촉q",+pB4:Iam).뵥S?;6el,Zvn}MyvJ: Y  6{upB-" ` ]7$;OUDI>P$E$nu%n%9hp+5bI3Sbo/cRqlQ0!'4b%:0 +, JgᾣfƓ[䓣@%4hm'G' F@sR^Jr57 뽡vr{%0-02.//y@@^hvx*G@>=穪\.#ݷ2˙܁R>K *|gD4կ* I,Ġ<ȯfu!g~сf!{6#WE]) , ڷLHTxCϋ,>E?؂ ۏ(&:b|ao:G'HDVu!A@5h;" N|{du=о7]^P]"W̮D{|u y~y!s:Eԅ'?%D8y;t_G(.ϙmlr;*BD^{hU).)^2 TNĢ@uA*0` q"?EXe#Nec.+*v @"`~wO‚ݪ@ )ёT襾 S+AU#W?uv9M|%[mj$y^2>eʴ)ǎ[r5U8ElC=2۴ac],zqveߤu{ylw9.JU"L"TwIut'p^ ;Ua.Ĕ( W[ w|^={mxchxD 6NmdR`iƟR>He;93@&pV-"w.)l5K6?v;㭫*qGWk6QJEky(!pVLD#Z4nyS.^l#{} ]vK.)U4ei+ 䌷3:uDW4ga'|f6f%Jw*K)6TL"̄IpءCܦwބ/[j?hgRN/eX(r)pk'NW @Z?,n*ס}Gr ѱQWE"a VN1{faP@^rDf2TVY^X<ERDV,ԉXo&c\ 5Bd ^ilެNx!M%1载ޅ>^,񭎼H] @1xueZE& xzQ=u\MgW\wn߿\D@,COVPy^^D](Mz@gB1G"BBY{=wu 1cO?sw)C/g>B//:(kΟ0 AB_~K ;i#Ap9K@Պ2?MoÖ.XHM/U\o{3`^Y$I2:]{vfI,奕֑"M@+x2{ÔCl6-p¦ .~wq='  _&ܰGnܸ}( 5߯XEsx5씆"DhU]YlZɛ7f @aM >ڽakl0/3ays@sXiL 
Az_a@"(t˝ FXM}q B0xGY9԰{(FZaGO>Yʂy +]aɢ"HEEESAޅJ'ff`ybR$FO_ *v!+<y`S\' :?)?UɵP`Ǝ_f!]8Fb^Ħrp9F<*k"DJPn]nThH&C"Ph*L";:Guw%UD ϋ;n0A} Y^X5ACbCǢ+_@se:`^ Yǎ=bz$y:l Γ4"`r^$tuous@>x2_>x9sl;R}_: M2љӝ3}u;6>ۄb)#;#Y3b,28j6"5ip$4!sf\.Ơ+ E`].;w[&]Ž2>~Pzdxxc!IY#VИQ_I ݣ/w4c$b_fxy' n#39-& wOvMx S/Gr̟2y``6ROf\`UY>k]qy?~绛]UMbUx|9cZbEXyMfDz\j`)Z ORFX~w=[1#-J:?cCfr񔩠5ӔEտbjY:Ju-SU =&}|g} R B.xȹ܎;dp[Kצ$BJ\}zE9iOo+IBɻE Lڱ[<08y$hMJ-Xv[FѥGfA&%ů{陠i0-۵@_5nژU Md,1V#?]sZnq_EGfsrTr擲"e0N -]c> Pgk@~v, e/<ޖ8ub&d/ .&{]fP}p 6EBW8']7J"kbqLqt@`jSx9D`yKSl]ZT/L΋࿫xzcɌTn7wҵ+Xs,Ey&q.g*3z"~GKBr=XDCCvY,??UsGҀ]|5y;:lY/r]5 %"Qcu5RSՔQOtaV&c}cf&/ ו4C4# IDATk`b2 ]]]L^ZʏU0Y eF};f&/x#ו`XH` "3s3y͌7p]]%-ZoO!Bu !R,00љ畎o&u! ^4K D@΋`v Y'n:w'\:+}y5z%n y6}칳=VUg,͵Y%wäYyD\t7ɒ!uj_Gl#{O]e[E>%U|9` {S i76s׬RZ`,ֽRrD hcQ9Wz`#pOȂQ) +yE;%W NTJқWUYZwtc"ܱh }AyEk|93s#A2X|?r3ިAitP5LBE c܆v<*%5.[Sao/kr*f`{֘6qLUp1Y,X4f2SAb]6"H: pR銨XRcZ&;i3;$yϿ>E3P}5:YL#6BlQ@smݱ:$EV4uܿm=*eⰧSʋ=^t=MZ }+r, Ewj<]H*B9U(FyYT}VYe9(6 VԪa΁ L,AT#;2T d#kp5"X]AX$ԋ6h&oiA@,*8˴yAA^e$Ʒ6yO /Nt*/nuq(8!IwLWYI[{ nXm"j-3=ci\9}|:m3N9]ƓzU4g*Ed,zGo,/*<2*Y%xV\g?~׷$uqEoΧxP9cpxs.)~}Qw(~k<ܸؐbE}Tѕ 1*go)mXH$-K4$7ޒ V}wߟ9䲗$K;\-0g,J*w."Hbap_~QǢmƵnB6[1^(,?ev-n1R ơ}+G*>:a`hqТXd 0g,7qtIng%{~F?}LbtJtD Μn~<#YW 'N:u.7-Kp6I_:W9ȯdO"`2 ] kM$ fMfMp:eOBˉVpE-dܬ9{tNxxxI g^x27m ƨ"~GK{ChF$ߣgO.HOcÌ]$+@_{Ysb%*5";׉N8ԓpG7o[6/Y)RZc_~1n# O~eey,.qLFueɿ#e_E6GJ=(]&YҴ,[_h&d} 7o/,4|>qvXaӞ3g"m\΋RZZj& ,3%3 4A*HP]AAc1s*BSXx-SGңf8hѤdy+mѴAHLƢb#ᾮ"/ܺV磨t^}Uw'^]]๔u?&cP/✟h&A49/ߋ I@,w$ ߋ$`_WǃC+ltՋD"B{Q&EB84@@^j" JEƣ̹W\Wh%}[)7- `2gj"1E|w1p4n\T /S c>bWe&l)O1@cQT)\mZ87B's/Yr`3YG-GKal&( %X+G###epZqc62n l&J7[bTHc@sƢp]5o0rDFNl&}W !A+pƢJkZnN!7I;w?o$ _=wSʊ7$CYyߥ4)m&VYEƘXwm[n^<OmTQӝda!w' 7fS&c(ifN4+1{dQknɾ&2Rts]3Ijw^25}M]w[ XD ~Y HVj"D ߑ\׃vGBPȿ{!Zyn&y{޲V۲m|6Hˋ i>GBQZܮ2r']Xۑq^!HҠ )ț.?mzoU&3*>l)BГj0s*qxl9/jf0Z@!09/g ĢX^9?ʫT&EB`~3ȋ\ EP "5uԄR @U`fo&P/_+B@^"E{}]5?ŚJC k ac?e U:I3Hꂀx9Ɯqf@i.ImN>RxX9cQ i3۬z4,S-ޝ.Y9mx|{9 WNT@U&fx .1}bv0ڲ9WWE خ:f4ճ7.y_\WO%?8 ?p%AIN*u 4T͝jצrkg|v<'sVugr$靕Ke7g6|9j4zmЫNX={3HgL`8*yU R;O_l_>f,eSmǞ,ة6hwE )є}9u2k 2oO= 
VlճX9:^J:/;zLki<QO~GJwg+LsZi^jo^Wd_գܿwȃmmp^+VL,`= h6֫wdYjʚq`g'4ԅU\ةv%= [iN[Hw&HiIs[5m:Lf<} #nh {+ƓE!A:bK ,ovmq`&&y.vܝQK8o:gEuMH"G ȼ+^-]Rp9d^+VϞ߅4BWj7)GEG6+p]G*JzŽU(Y!pqN㲹ep\ri1:]4{* `Frvܝ0aE&u4]<*}i_g} qlʨ'lw ңWS#E/6dY^+V̼V,z?g-o+y r]X.亪 yQ\uAߦr>GYr]5a 2X ;~"`f^U bu"ѫ ~ nB&c_]OEkyOe"(C 'x7p\WJ`L 6?3EWM9 U`,2X(+pwIƂ`pf,xj= Dpd bavo0D.pM 5'ؖg/7]Cqew9 7 =R~!4bʥqL&t4Dd,4agj.qqłO/8gg%NG^I(U;#]׽k9'NWl~.H=b1x5P҅t5}GE (TEr%cv]ѹw"Hꂀx W+${E5{ZU)i RJieWjѫ el>/-Ȫ\;R5[dC[x"SIVg%{55uWLY4u-/ ȞL 2 ԣ詥蕝 R%Ten̋E**Ȟ:Ar%U,KJIFQm(v1 ܰ`G4DL,`>hB`,וțL Xx{qdRN5USMC Ŏ}~vv |dt΍6f(T HL/h5ejAM#7jzG ACEK`&^]d!-&/r]̼.! h'uH4"~GKD.'hx߅}t7أ `f^-zG1JuUa:I3H.) /r]CmT=5tȋ\Wյ:I3Hꂀx9"UPb,2d8\Wc(L,H>r]7WuU `&^] >r]57WU `2 }nԉS:fƬ F@,#! %lVkZ..I͋\W3g"m\yT$ԋQy#Uss2fblw몹&H Zey=u5mNE{d,yץ\W/8B&af^ eFpͱb#*zuA:x߅dC fEzG'`MWz몉^((12* \WUk/7UdAL,^g(,]3H5#EW8c&P"metD\C1Aja&{.p]6u*24dlbԓGep:w,") 9u]d .籢F[u x\6eaz4X 3 r 6uY;MyĿ7 \Wy֥KV\ZZj$dZ1b;JzvҴ>i,ҠwSWV0j/͖}.%X`6G; vI]:{g>-Xv[FѥG0v')}7uex&OhT e3p1Vu'~?}ƴ@溊^]ۅLykz]W L" ^VAN󔡒^\WXCkf4Q̋D3#MuU(rTAb# -Xd0Lu5((Nr]b5y. 3&u`b"! 0r]Z靀U>oAc1jq*-p S"<#ՃEIfb>u( X[7cː%㡯jRevGWYNW_ޫW'1"-Tu.(uʴ75L"cxX l5kP%&=`򜺜;[뵓SnlPX$zuw_ ,3F-Gi>d;|*iX $~-}GMM#`2 ]] Z \=]dLl2A._&5fzۈVMÙyqol5BЮ5yƴaSM܃De8S vr* S5^d-g ו&ȡC=0=pjP" }$[iH"ѫ &:Zmwq}3a4Sqs6IJ> -'(Ь)aHU;^ɧH;<=) `f^4Q3{T++-t:YR)ȧeEW8c&||p]Yi}87%:wRɇ PjP"c9X@5¦wrf}wVY8;2w̵'LWx3ڊktep[K*#\}EYiOob$  Wc2v|%o.yޭUJ>sۯ-YhovϽ++Mo!5: ~ߘ kkh䂻#wi\%HMK,o[&j1-c|fLYyLx#?U6X$tuo4k2?o/h"fEW8'Ҥukaϩo5@e`0p^5u#dfE;:1wԋ\W_btoOجaF).dy4ݱw.t0~ ^Wn܌-c㓦#SW.nTP/O4Jk/94a5;wlSl=A:>޸N~u_շꗞ}z{r2z IDATE< 6z,Bճg;}SE X$zu3&hh>/-Ȫ ,M';Mt:f! ,\WZ]~VenIKq] @BL,`>2w亲ufܧK~qn1p`r^$tusLYyuUNxٺԷ_JfOQ)3Z+;&h( op]5*^]d!$&op]sHx,u0fEbxd,yQ]أj#`f^ sBB@^亪0X$zuo>r]U?=u؞EBO /^bJ3D.'ᏪfcTJEsƱ-j3.7&ha* /p][Eu"jþ}]~b騷+ 5 dLN:u.,uk>KRgF,r-{u}~*[A6kb[|.X[7c^.֧U(fZ[0D.p7B/rOlؽ?Ͻ\>[vm]♜-:+I;+|sfgUPD59Ƕίϖr}53Zƕio\y,|߸qmZU4e bd, 'F9}&]$.ב^p!JZwVIr|~?V/~+K-w4 (?v4$l1nP=. 
fΜFWi!ij u[jIQE\:͠ #Ģj9Ғ1.ܿbwtxz,R- )ԣ_գ8|<6Nfg Q u!Mb^4kZ={fX ˩{4I;,[DIl$8.Lݬi+ܾI‰U?͚6۰ga4R S67s7ULBb@C"Q o8\L?j/v@;җ.q/GRU% }EoPUI3VB(qwp]UL>6/lJOIMԧF,ڤuI{rAK^,uJ͸Ysҗ,L F%ARyWoo ИEBW`fM#?]uq},qd:Wk>)!Zv8-G,!n;5e j`9#U "׵^bBf"v z2 3" E^WJ8:af^.r]1&c;:s5Sf 2̋DQ:r֋\WMBAx9cQ@$m  3yuD5fbT bW UEW8c&"xTq0gC1Aja&{.p]Yy󀩚%j40RZRʕ]z2脁r \0l<"zg, G_YKWICḫoMܤ/+JoNz3p4j]q]^K A VzVcf; DjGEr$%UgLByi GOun[֐0MZ9[lؗ_HrBo3 Z..*!]=2DuݰSFAyPIB+gv=~+ 0AJKXQV,Sr]E.'7g8Ҿ;YG$$rf̥R0 \Ǘq]wOMKN$$rf>:pТI?:cBL,.@Lྠ#) o]溪taRp9%U. ȋ\@_

ZwPn r]q]hG猼,dwx3ٮ.]]k[6JVnbsB,#)Лш{i(q]ᖌ~i2ԓp-,z@V?+B F޵V"ST˅+UʻVjcy|^ZR\W&pklDXw),@U˰ 2Z\Nu9?!yCZZZj$de=WYlCJHx߀q \W2kSi!e>QEގ4'7Hb$QMt!U4r]^f@V+l:0.zѴ@>KI;llVu5\kk|˕r]nVb=5k/Q#m$u4]{dAJk#CL,XߔV݄ai9mdrL&MTܾMG~OBˉ/J:SYf*sG>u"k#+|S/;6=x;!/),v؛禭Sx_NKG>9ĉ}pJi!xDc&,^JBJ(Hi0x S͝X}z&\8 E|  TAS!`&^]O.J֫wdGʾflh 8$3גؚX"D7uư*Aގ70F̅@Je`7!\`cd o>ڊ9skg{å\e' pS* R`,҄K99+FsV=NXxQ*څs{v>Dh^#oL,:.n,@P&UaNTx4U |BJ;kh&7iALۑ9+tbr1{kt^c\W/8B)a&^]hu?&EB~([C\W~ߑR>:1wԋ\W_"c8]Wic&d,zGgf~" /r]^u6HgLDWD^Be$FHK$"Ylޓ,%xlM[ TA%nl *FsG{+Wx,X φz: zjUfN<}YǶN]뀡жx$v -kVQEHxg5uڲ{~*hR_.}ٽO< ! !(1˂+>4iӠ8/23,3>"\M+޹=l0 |G޲sٍ^:ڋI@L"y@)x¡CYs6F$# w]=p]@b ,raYϾ0d6)%%Ͼae6|?zV4Gy1t4=k y*ҡ26q36ݖ4 ;}j%70%gXiE!4/##ýF*hR_U6T[=oﲩS2p3]S-Jd༨ p*Nq΋jj&Uf^΃7`ɛ0m$ "-]rq=p[AvC E8/R" \W Zrȅ}]EYr_Wg xuMMKNX@RW) ۿNʄ6fM_>EW~/WPe09/Bz@"7:B"C!Dj"AAu5F3-p^d<.@A5u5n"Z*&EBc/c|Hq-AM!`r^$t /r]=8{(N ո5dZEBjknYHyų^[7h9X 3@q^QDŽ;E6,$FGYɛoIV>{ԻtXrK\6nA7!"=d ^UwWYeL#hQ#RImfV˕#c`qƢ@q]s6$ yrcLɟ1r3Uƚ+.n9ŎgJ77vʴ7_owl?stZnwͽmS8ѫw|̈w"3/9kG6@Lnc߂%3cVRVF)GU}4mvߖ+˩G2Ģj9Ғ1.ܿ;1hD=z;@\W d垓Ry&[**s30,4N3f5 'N)kfz-g#Z..P/✟H|@q]Y<Ѧͼma5316FM3+7ifiuP"Aj Őcw9w̠ܰ8Z/qt7}|Hs;{#$Qs ^Od\Xd<"q,`b[k?n#{tnܴq/^m#zw}ӫĔi&8 YsSZWQf:e2 ]]}AAjlUifJ"=m2 ]]hu?&EB1AsE/p;ߑuN ׵*t ᾮ2؏@#`r^$N:&"UPPb,2e9U]cm# uϛEF?\WO|^|8i8X$P0/`,2Ɯ󷦺qgТXd *g, (׵ '[S)hh 2"iK=ZTV(J.Y9Z jxPJ= ޮXd 6Mb)&j^Y.*I[;>9ٟ[֮vysNczUf_X$iԺl/]+DV[XWøA=6^B$23=*&UW ̈Q=Ѫe)YPJ:]U-1 Z⺆EW#ߣg˹m%b!3v]my}ƿ5"Ru, :#Sbek%jUj=uI,e{}?#}ʴ9k@pzNm^UlUzuUʮcs'ԱR0UHrO42{dQknɾ&2RtL:3Ijw^H-r& 'V 7+Wf=ULl_3@4:p`!ʆRY=޼W0 R_R_̠r٩YrȈxrp۹Wѻ4LViyШQ먉V4[&%>-X`N5zTVM+E9%_+8,7uӇ_gG;EGa@"ԋhAksӀ1ԈqыM*m/TXʺGe佲\T dmȤ.=ֳKGY(S}{vy= \]]sv ȋ\W@Jqۏ~3ع*M@{.[/,iL6غm3mkMZ1yC /Nq齽t~CǔB 4G!um4vtߞQl(g5:~$B:l\ |uPA B@x^$`n9f,wtٔ}c2gueP-0y 5(C@Yg^BzueceMAD *k ^4ȣ^$"hޠB+箪y\" ԋv!@V@^+.E^\W/80"/&Xdr] ӄ"s15SfDΦ9E+C j! ԋy*9zX|zu@Xkꊯ_u oKyM?;: ~#. 
or]8f"Dqzkr_W|RDYyz"9oY q8Otޒ V}w{[.-)sZE*:oiP/ Z {M8d\z(Mj>q3VkA̙2,ںmǴ@ .]RWIsB>ְ ui붭3.P/O}c2gu4N:?%{~k-Q8ٟv~awK%9#:UUvi?n|d xaƵk}aLC;yLGgkaq;9lНWE.7q\,sqVt䝌7H~qs$ ×.nw6Ϳ*(3Ar1psAۏ}[j ; u;Z}xˆZJ&4ǝ;E6,HCu=>?saeu|FG=M.|A :[;SeɶMuJ-GKaRKڒ:Lb,2wV}0 [iPR\y* _h }}:Ά Dh&z hKmziEc9/ u_^cܑ (|IPVjR\GMW0c%X``zB~ ~𓽅z> zf1R&/Yy6&cQH8'MoJ𫒪eSKV4ȩl8TPVpA9d%a#F\ tUD P2["P_ϛycy]S=+lkzm %}O_\Q(GfV㣰]˶Y9,5=w^}ӐS0<3p?褄,I >!hc R\Kj+_eIO\s׵'8:3խcE [ĭ@ʼnrSNZee)S&B<|?Q4^ZW`]5##u9K=?&9BE}4T^uKI@"gXMC"ǀu}p^-q]?ܷ//|f\~q]kjuɁ7ˮoaohMp"u5er"+] jVس8{ ==bڀm%sSqpANu]"cr0`]T50*.]Mn|DF˙Z;e2`5c.LB7 sɡ_h55;/:\\UwxIsˡt] z& pR7m)E[iS iӒ٥ Y"cr`]Z lacX8z$=e7 l4J:9 w֭SvȱeRQe3)pIAiir@=vpMԼYWq;[_f)眉MV\v6-̓*wN _d,:N_+kj*a`cUP7~9v,}dcC" Qc]۩;@Ox*#ڷsw=H?r$_Z`ls/ܦF9&&P-g答b3Cz3g<$HT -$S_w0G5MHLpilzru$XI-Ɔ>UXI9V/m!P|o~/t:-J[iFhOpk_`Y,<bD\$U_zlzi*苢hM7H3.źL]GbHZDU,&@\W:>aD~i.GA,oGMoM2@G\eo `HwJ[쎉x%>t(] FYMS--o/yU5}Oe/X|&" ;]FD^Cvx8y.0 U|/ U5_+6^T|]Yo0cΩ} t](J}gMAV fl^h1Oa'=ppB81lJt Đ&D6fabL<[r-o!5M v7EƢ|/"$ XWH-;^Cv<>;;ֿ5is\2'zM]vmfO}Qdnaq3ReP91l zdaָ]俭{Vh;E <7 c}[db +\ݭiVY |QiɲMfڥkJrb_Y)11tX%He'5Q,y[uk:k{l/Jp;:~Jf?Ia!nR~xpqM!oJaB! [ׄ05<9I0+Ԋ8OM)ڰ&^5%!H+ ?GFUHc]UCP̌Sȣ%Z̋u_d 6u5PS]81ꯥV=W҆ʫAjfiOR,xZ}ԊyQw^uU.(nB'}{q R+j(Yoºe5M#" e&Dk([Ytv>SM /kjq1w=yuH0zӮZ'eL=,un4S7XPn: 1x#ru-5R,Mm"/mNn3!n#n{s﮶!VUWhIZ0a鈎D#䅵UxH"0hZD~,v9/-9gvu(lW_a;˴p-5 ݟ[[@$ඓfdϹJkX2#&&G]cuհEo>6yUSv3X{Bqrs󷥉SkHpqq.p#EuQ=׺֕ h.o#}.JpNR}TWxВo%ԅ`Gw|g>17, L3{TFϾmZ=O 0mٶ _uh0i?Y9" _h> _bF["n+$_TwUx:uj.tÂ"\]04R+|?|~X8;] [\l+g mqGHUr 1J#:, CfK3C1X`ڻgeR}A|,{i:%snPSրJ^c),▥#:p* /[%]ohkغ$Y\nz$q`qo]̓F)qe:S"03/KqKtji96"bViD8b#-t"kaZwi0L̛BQ/%rQm.9FZ~bk)e8GVIjfY%Q q-d6ϏOղU I r:IX˔iX<č˩Xg5^Ugn*^LH#'D F'9[OY9n_?tͦk 3r#Jf=ZfWo _DKPc-yvomJaCᕝRͦeZx! $@Yd2Z| ]2Ȯ,K਽5YJ `(S}X'e!zFX*p }[bJ}a<H12I(V'!"pZ!y F@K XZx y[a$B^s7龕u)ϴN/cE2 E勵-Ԗ>Gif43Z@ՏG'(/dVUtH1P~<[(LYLQk^MmruR(O%*{觇)Uz%tOl:LM.FޤN@u}kEAc-naF 9/zufӆaOǬNZttJ.Sk4fӲbŸR?aEX%zX__ojN{*n"x! aEteIB860 A9N CQzם{DPD*6} \4]hW"U2/C!$ 7! 
(7IENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/images/new_button.png000066400000000000000000000154211303637203600267120ustar00rootroot00000000000000PNG  IHDRXiCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs  IDATH UMlE]:CJӦ *q "%PoP ʅ;('‰HRCh, qNm25(˛7o&.,,#9UNW(TU,9V5;;Ad6P@A0l{U&x:dYFxԄR۳|WxG-CEQ+dA  ڗ#AP&#u^wL $zBbCMB/Ƅ">, b-W϶Ac5J><χ '^(G(?4o}SbGZѩ޳x~5JOZKaeeȃewn@dҎ`ZNIfd?+)X^^Jb!ˏ>d/fG_zTXi^k ν`=^m!oD&1RbW^thj<ʟO OO_<{\ (7-ؖoI5}iz`^;a[2 _/Jn{N m7K'IJƩ~ݪ*ɔ ,w"#P Y<VA|#w"ݫ Ī=eJ=a ^JB#n8 ;X75K]w%O&%]ƻ=vfֻq~P"b^CoM^2s\3kr݇į_w㓓~>+QŭR-*|e/Zwu3ZP'&&H,iB/0䩈LM*}j,}*>sbmϵd-{kT*555o'u]'bF=CjPLֺpttxS $_$RD8L6RX ex,fG- D@15*a4<CX###b :C /{=ƲY~sssa1vLlFW` kIENDB`fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/stylesheets/000077500000000000000000000000001303637203600251245ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/Tutorial/getting_started/stylesheets/style.css000066400000000000000000000005301303637203600267740ustar00rootroot00000000000000 p { font-family: Arial, Helvetica, "Sans Serif", sans-serif; font-size: medium; } .header td { font-family: Arial, Helvetica, "Sans Serif", sans-serif; color: #DDDDDD; } .header th { font-family: Arial, Helvetica, "Sans Serif", sans-serif; color: black; } .tip { margin-left: 20px; } img { margin-top: 10px; } fwbuilder-5.3.7/src/libgui/TutorialDialog.cpp000066400000000000000000000070371303637203600212140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "TutorialDialog.h" #include "ui_TutorialDialog.h" #include #include #include "FWBApplication.h" TutorialDialog * TutorialDialog::dialog = NULL; TutorialDialog::TutorialDialog(QString tutorial, QWidget *parent) : QDialog(NULL), ui(new Ui::TutorialDialog_q) { Q_UNUSED(parent) ui->setupUi(this); setWindowFlags(Qt::Window | Qt::WindowTitleHint | Qt::CustomizeWindowHint | Qt::WindowMinimizeButtonHint); #if QT_VERSION >= 0x040500 setWindowFlags(windowFlags() | Qt::WindowCloseButtonHint); #endif ui->contents->setOpenExternalLinks(true); dialog = this; this->initializeTutorial(tutorial); } void TutorialDialog::showTutorial(QString tutorial) { if (dialog != NULL) { dialog->initializeTutorial(tutorial); dialog->showNormal(); dialog->raise(); } else { (new TutorialDialog(tutorial))->show(); } } void TutorialDialog::initializeTutorial(QString tutorial) { this->tutorial = tutorial; doc = new QTextDocument(this); QString stylefile = QString(":/Tutorial/") + this->tutorial + "/stylesheets/style.css"; QFile f(stylefile); if (f.exists()) { f.open(QFile::ReadOnly); css_stylesheet = f.readAll(); doc->setDefaultStyleSheet(css_stylesheet); //ui->contents->setStyleSheet(stylesheet); } ui->contents->setDocument(doc); currentPage = 0; showPage(currentPage); } TutorialDialog::~TutorialDialog() { delete ui; } void TutorialDialog::changeEvent(QEvent *e) { QDialog::changeEvent(e); switch (e->type()) { case QEvent::LanguageChange: ui->retranslateUi(this); break; default: break; } } void TutorialDialog::next() { currentPage++; showPage(currentPage); } void TutorialDialog::previous() { currentPage--; showPage(currentPage); } void TutorialDialog::reset() { currentPage = 0; showPage(currentPage); } void TutorialDialog::showPage(int page) { QString filename = 
QString(":/Tutorial/") + this->tutorial + "/html/page" + QString::number(page) + ".html"; if (fwbdebug) qDebug() << filename; QFile src(filename); src.open(QFile::ReadOnly); QString text = src.readAll(); doc->setHtml(text); ui->contents->scrollToAnchor("top"); bool nextPageExists = QFile::exists(QString(":/Tutorial/") + this->tutorial + "/html/page" + QString::number(page+1) + ".html"); bool prevPageExists = QFile::exists(QString(":/Tutorial/") + this->tutorial + "/html/page" + QString::number(page-1) + ".html"); ui->next->setEnabled(nextPageExists); ui->prev->setEnabled(prevPageExists); } fwbuilder-5.3.7/src/libgui/TutorialDialog.h000066400000000000000000000033221303637203600206520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef TUTORIALDIALOG_H #define TUTORIALDIALOG_H #include #include namespace Ui { class TutorialDialog_q; } class TutorialDialog : public QDialog { Q_OBJECT; public: TutorialDialog(QString tutorial, QWidget *parent = 0); ~TutorialDialog(); QString tutorial; QString css_stylesheet; QTextDocument *doc; QString getScenarioForPage(int page); QString getUndoForPage(int page); QString getResetForPage(int page); void runScenario(QString scenario); static void showTutorial(QString tutorial); protected: void changeEvent(QEvent *e); private: Ui::TutorialDialog_q *ui; int currentPage; void initializeTutorial(QString tutorial); static TutorialDialog *dialog; public slots: void previous(); void next(); void reset(); void showPage(int page); }; #endif // TUTORIALDIALOG_H fwbuilder-5.3.7/src/libgui/TutorialDialog.ui000066400000000000000000000112231303637203600210370ustar00rootroot00000000000000 TutorialDialog_q 0 0 720 632 Tutorial QLayout::SetMinimumSize Qt::Horizontal 40 20 0 0 100 0 Reset false 0 0 100 0 Previous false 0 0 100 0 Next true 100 0 Close false reset clicked() TutorialDialog_q reset() 340 619 241 271 prev clicked() TutorialDialog_q previous() 242 619 241 271 next clicked() TutorialDialog_q next() 438 619 241 271 pushButton clicked() TutorialDialog_q reject() 507 603 551 609 previous() next() reset() fwbuilder-5.3.7/src/libgui/UDPServiceDialog.cpp000066400000000000000000000077361303637203600213700ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBTree.h" #include "UDPServiceDialog.h" #include "ProjectPanel.h" #include "FWCmdChange.h" #include "fwbuilder/Library.h" #include "fwbuilder/UDPService.h" #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; UDPServiceDialog::UDPServiceDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::UDPServiceDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } UDPServiceDialog::~UDPServiceDialog() { delete m_dialog; } void UDPServiceDialog::loadFWObject(FWObject *o) { obj=o; UDPService *s = dynamic_cast(obj); assert(s!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->ss->setValue( TCPUDPService::cast(s)->getSrcRangeStart() ); m_dialog->se->setValue( TCPUDPService::cast(s)->getSrcRangeEnd() ); m_dialog->ds->setValue( TCPUDPService::cast(s)->getDstRangeStart() ); m_dialog->de->setValue( TCPUDPService::cast(s)->getDstRangeEnd() ); m_dialog->commentKeywords->loadFWObject(o); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->ss->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->ss); m_dialog->se->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->se); m_dialog->ds->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->ds); m_dialog->de->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->de); init=false; } void UDPServiceDialog::validate(bool *res) { *res = true; if 
(!validateName(this,obj,m_dialog->obj_name->text())) { *res = false; return; } } void UDPServiceDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); string oldname = obj->getName(); new_state->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); // check port ranges (bug #1695481, range start must be <= range end) int sps = m_dialog->ss->value(); int spe = m_dialog->se->value(); int dps = m_dialog->ds->value(); int dpe = m_dialog->de->value(); if (sps > spe) m_dialog->se->setValue( m_dialog->ss->value() ); if (dps > dpe) m_dialog->de->setValue( m_dialog->ds->value() ); spe = m_dialog->se->value(); dpe = m_dialog->de->value(); TCPUDPService::cast(new_state)->setSrcRangeStart(m_dialog->ss->value()); TCPUDPService::cast(new_state)->setSrcRangeEnd(m_dialog->se->value()); TCPUDPService::cast(new_state)->setDstRangeStart(m_dialog->ds->value()); TCPUDPService::cast(new_state)->setDstRangeEnd(m_dialog->de->value()); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/UDPServiceDialog.h000066400000000000000000000026311303637203600210220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __UDPSERVICEDIALOG_H_ #define __UDPSERVICEDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class UDPServiceDialog : public BaseObjectDialog { Q_OBJECT; Ui::UDPServiceDialog_q *m_dialog; public: UDPServiceDialog(QWidget *parent); ~UDPServiceDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // UDPSERVICEDIALOG_H fwbuilder-5.3.7/src/libgui/UsageResolver.cpp000066400000000000000000000243411303637203600210540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland Refactoring: Roman Bovsunivskiy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "UsageResolver.h" #include #include #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Management.h" #include "fwbuilder/RuleSet.h" #include using namespace std; using namespace libfwbuilder; int UsageResolver::search_id_seed = 0; UsageResolver::UsageResolver() { search_id = search_id_seed; search_id_seed++; } /* * per bug #2412334, FWObjectDatabase::findWhereObjectIsUsed finds * only "direct" uses of @obj (i.e. it finds group @obj is member of, * but not other groups or rules the group is member of). However here * we need to find all objects that use @obj, including nested groups * and so on. This method is recursive wrapper around * FWObjectDatabase::findWhereObjectIsUsed() that does this. * */ void UsageResolver::findWhereUsedRecursively( FWObject *obj, FWObject *top, set &resset, FWObjectDatabase* db) { if (fwbdebug) qDebug() << "UsageResolver::findWhereUsedRecursively obj=" << obj->getName().c_str() << "(" << obj->getTypeName().c_str() << ")"; set new_obj_set; set resset_tmp_2; /* * findWhereObjectIsUsed() finds references to object 'obj' in a subtree * rooted at object 'top'. 
*/ db->findWhereObjectIsUsed(obj, top, resset_tmp_2); /* * skip objects that are already in resset because they were found on previous * passes (recursive calls) */ set::iterator i = resset.begin(); for ( ; i!=resset.end(); ++i) if (resset_tmp_2.count(*i)) resset_tmp_2.erase(*i); /* * skip objects we have already seen to break recursive loops in rule branches */ for (i=resset_tmp_2.begin(); i!=resset_tmp_2.end(); ++i) { if ((*i)->getInt(".usage_resolver_seach_id") != search_id) { new_obj_set.insert(*i); (*i)->setInt(".usage_resolver_seach_id", search_id); } } resset.insert(new_obj_set.begin(), new_obj_set.end()); for (i = new_obj_set.begin(); i!=new_obj_set.end(); ++i) { FWObject *parent_obj = *i; FWReference *ref = FWReference::cast(parent_obj); if (ref && RuleElement::cast(ref->getParent()) == NULL) { // NB! We need parent of this ref for regular groups There // is no need to repeat search for the parent if it is // RuleElement because rule elements can not be members of // groups parent_obj = ref->getParent(); } if (fwbdebug) qDebug() << "UsageResolver::findWhereUsedRecursively" << "parent_obj=" << parent_obj->getName().c_str() << "(" << parent_obj->getTypeName().c_str() << ")"; // add new results to a separate set to avoid modifying the new_obj_set // in the middle of iteration if (Group::cast(parent_obj) && !RuleElement::cast(parent_obj)) findWhereUsedRecursively(parent_obj, top, resset, db); } } list UsageResolver::findFirewallsForObject(FWObject *o, FWObjectDatabase *db) { if (fwbdebug) qDebug("UsageResolver::findFirewallsForObject"); list fws; set resset; QTime tt; tt.start(); FWObject *f=o; while (f!=NULL && !Firewall::cast(f)) f=f->getParent(); if (f) fws.push_back(Firewall::cast(f)); findWhereUsedRecursively(o, db, resset, db); //FindWhereUsedWidget::humanizeSearchResults(resset); if (fwbdebug) { qDebug() << "UsageResolver::findFirewallsForObject" << "resset.size()=" << resset.size(); set::iterator i = resset.begin(); for ( ;i!=resset.end(); ++i) { 
FWObject *obj = *i; qDebug() << "UsageResolver::findFirewallsForObject" << obj->getName().c_str() << "(" << obj->getTypeName().c_str() << ")"; } } // whenever we find that a rule has been modified by the change in // the object @o, we record rule set it belongs to. We should scan // other rule sets to see if some rule somewhere might be using // one of the rule sets that changed as a branch. However in a // common situation where many rules of the same rule set are // affected, it won't make sense to search for the dependencies on // the same rule set many times. set modified_rule_sets; set::iterator i = resset.begin(); for ( ;i!=resset.end(); ++i) { FWObject *obj = *i; // We only want cluster (to pick up member changes) and rule elements if (Cluster::isA(obj)) fws.push_back(Firewall::cast(obj)); FWReference *ref = FWReference::cast(*i); if (ref && RuleElement::cast(ref->getParent()) != NULL) { obj = ref->getParent(); } Rule *r = Rule::cast(obj); if (r == NULL) r = Rule::cast(obj->getParent()); if (r && !r->isDisabled()) { f = r; while (f!=NULL && Firewall::cast(f) == NULL) f = f->getParent(); if (f && std::find(fws.begin(), fws.end(), f) == fws.end()) { fws.push_back(Firewall::cast(f)); } // check if some rule somewhere may use @ruleset as a // branch RuleSet *ruleset = RuleSet::cast(r->getParent()); assert(ruleset != NULL); modified_rule_sets.insert(ruleset); } } set::iterator i1 = modified_rule_sets.begin(); for ( ;i1!=modified_rule_sets.end(); ++i1) { RuleSet *ruleset = *i1; list other_fws = UsageResolver::findFirewallsForObject(ruleset, db); for (list::iterator fit = other_fws.begin(); fit != other_fws.end(); ++fit) { if (std::find(fws.begin(), fws.end(), *fit) == fws.end()) fws.push_back(*fit); } } if (fwbdebug) { qDebug() << QString("Program spent %1 ms searching for firewalls.") .arg(tt.elapsed()); qDebug() << "UsageResolver::findFirewallsForObject returns"; for (list::iterator i = fws.begin(); i!=fws.end(); ++i) { qDebug() << " " << 
(*i)->getName().c_str(); } } return fws; } /* * another wrapper around FWObjectDatabase::findWhereObjectIsUsed This * method finds all rule elements and groups that have references to * @obj and any of its children. The key in the map @res is object ID * and the value is a set of all Groups or RE that hold references to * it. */ void UsageResolver::findAllReferenceHolders( FWObject *obj, FWObject *root, std::map > &res) { set reference_holders; set res_tmp; root->getRoot()->findWhereObjectIsUsed(obj, root->getRoot(), res_tmp); foreach(FWObject* o, res_tmp) { if (fwbdebug) qDebug() << "UsageResolver::findAllReferenceHolders" << "obj=" << obj->getName().c_str() << "(" << obj->getTypeName().c_str() << ")" << "container=" << o->getName().c_str() << "(" << o->getTypeName().c_str() << ")"; if (FWReference::cast(o)) { FWObject *holder = o->getParent(); reference_holders.insert(holder); } if (Rule::cast(o) || Interface::cast(o)) reference_holders.insert(o); } int obj_id = obj->getId(); foreach(FWObject *o, reference_holders) { res[obj_id].insert(o); } for (FWObject::iterator i=obj->begin(); i!=obj->end(); ++i) { if ((*i)->getId() == -1) continue; if (FWOptions::cast(*i)) continue; if (FWReference::cast(*i)) continue; if (RuleElement::cast(*i)) continue; if (Rule::cast(*i)) continue; UsageResolver::findAllReferenceHolders(*i, root, res); } } /* * This method post-processes the list of objects found by * findFirewallsForObject to make them suitable for presentation. * First, it does deduplication. Event showObjectInRulesetEvent that * finds an object and highlights it in rules requires reference or * object itself as an argument. So, when parent is RuleElement, we * preserve the reference. But for regular groups we find and * highlight the group itself, so in that case replace reference to * the object with the group, which is its parent. 
* */ void UsageResolver::humanizeSearchResults(std::set &resset) { set tmp_res; // set deduplicates items automatically set::iterator i = resset.begin(); for (;i!=resset.end();++i) { FWObject *obj = *i; if (fwbdebug) qDebug() << "humanizeSearchResults:" << obj->getName().c_str() << " (" << obj->getTypeName().c_str() << ")"; FWReference *ref = FWReference::cast(*i); if (ref && RuleElement::cast(ref->getParent()) == NULL) { obj = ref->getParent(); // NB! We need parent of this ref for groups } else obj = *i; tmp_res.insert(obj); } resset.clear(); resset = tmp_res; } fwbuilder-5.3.7/src/libgui/UsageResolver.h000066400000000000000000000042731303637203600205230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland Refactoring: Roman Bovsunivskiy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef USAGERESOLVER_H #define USAGERESOLVER_H #include "global.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include #include class UsageResolver { int search_id; static int search_id_seed; public: UsageResolver(); void findWhereUsedRecursively( libfwbuilder::FWObject *, libfwbuilder::FWObject *, std::set &, libfwbuilder::FWObjectDatabase*); std::list findFirewallsForObject( libfwbuilder::FWObject*, libfwbuilder::FWObjectDatabase*); void findAllReferenceHolders( libfwbuilder::FWObject *obj, libfwbuilder::FWObject *root, std::map > &res); /** * Post-process set of FWObject* returned by * FWObjectDatabase::findWhereObjectIsUsed to make it more * suitable for the user. Since findWhereObjectIsUsed returns * actual reference objects that point at the object we search * for, humanizeSearchResults replaces them with appropriate * parent objects. These can be either groups that hold * references, or rules, which are two levels up. */ void humanizeSearchResults(std::set&); }; #endif // USAGERESOLVER_H fwbuilder-5.3.7/src/libgui/UserDialog.cpp000066400000000000000000000057771303637203600203400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "FWBTree.h" #include "UserDialog.h" #include "FWCmdChange.h" #include "ProjectPanel.h" #include "fwbuilder/Library.h" #include "fwbuilder/UserService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWException.h" #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; UserDialog::UserDialog(QWidget *parent) : BaseObjectDialog(parent) { m_dialog = new Ui::UserDialog_q; m_dialog->setupUi(this); obj=NULL; connectSignalsOfAllWidgetsToSlotChange(); } UserDialog::~UserDialog() { delete m_dialog; } void UserDialog::loadFWObject(FWObject *o) { obj=o; UserService *s = dynamic_cast(obj); assert(s!=NULL); init=true; m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) ); m_dialog->userid->setText( s->getUserId().c_str() ); m_dialog->commentKeywords->loadFWObject(o); //apply->setEnabled( false ); m_dialog->obj_name->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->obj_name); m_dialog->userid->setEnabled(!o->isReadOnly()); setDisabledPalette(m_dialog->userid); init=false; } void UserDialog::validate(bool *res) { *res=true; if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; } UserService *s = dynamic_cast(obj); assert(s!=NULL); } void UserDialog::applyChanges() { std::auto_ptr cmd( new FWCmdChange(m_project, obj)); FWObject* new_state = cmd->getNewState(); UserService *s = dynamic_cast(new_state); assert(s!=NULL); string oldname = obj->getName(); s->setName( string(m_dialog->obj_name->text().toUtf8().constData()) ); s->setUserId( string(m_dialog->userid->text().toUtf8().constData()) ); m_dialog->commentKeywords->applyChanges(new_state); if (!cmd->getOldState()->cmp(new_state, true)) { if (obj->isReadOnly()) return; 
m_project->undoStack->push(cmd.release()); } } fwbuilder-5.3.7/src/libgui/UserDialog.h000066400000000000000000000025051303637203600177670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __USERDIALOG_H_ #define __USERDIALOG_H_ #include "config.h" #include #include "BaseObjectDialog.h" #include #include "fwbuilder/FWObject.h" class UserDialog : public BaseObjectDialog { Q_OBJECT; Ui::UserDialog_q *m_dialog; public: UserDialog(QWidget *parent); ~UserDialog(); public slots: virtual void applyChanges(); virtual void loadFWObject(libfwbuilder::FWObject *obj); virtual void validate(bool*); }; #endif // UserDialog_H fwbuilder-5.3.7/src/libgui/WorkflowIcons.cpp000066400000000000000000000053311303637203600210720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: WorkflowIcons.cpp® 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "ClickableLabel.h" #include "FWWindow.h" #include "ObjectManipulator.h" #include "ProjectPanel.h" #include "WorkflowIcons.h" #include "ui_WorkflowIcons.h" #include #include #include #include WorkflowIcons::WorkflowIcons(QWidget *parent) : QWidget(parent), ui(new Ui::WorkflowIcons_q) { ui->setupUi(this); } void WorkflowIcons::setUpSignals(QWidget *panel) { ObjectManipulator *om = panel->findChild(); connect(ui->newFirewall, SIGNAL(clicked()), om, SLOT(newFirewallSlot())); // global variable mw is null when this is running QObject *mainWindow = dynamic_cast(panel)->getWindow(); QAction *import = mainWindow->findChild("policyImportAction"); connect(ui->importConfig, SIGNAL(clicked()), import, SLOT(trigger())); connect(om, SIGNAL(libraryAccessChanged(bool)), this, SLOT(libraryAccessChanged(bool))); connect(ui->action_getting_started, SIGNAL(clicked()), this, SLOT(openTutorial())); } WorkflowIcons::~WorkflowIcons() { delete ui; } void WorkflowIcons::changeEvent(QEvent *e) { QWidget::changeEvent(e); switch (e->type()) { case QEvent::LanguageChange: ui->retranslateUi(this); break; default: break; } } void WorkflowIcons::libraryAccessChanged(bool writable) { ui->newFirewall->setEnabled(writable); ui->importConfig->setEnabled(writable); } void WorkflowIcons::openTutorial() { // if we want to show tutorial included with the package: // mw->showTutorial("getting_started"); // if we want to open the page with video tutorials in the standard browser QDesktopServices::openUrl(QUrl("http://www.fwbuilder.org/4.0/videos.html", QUrl::StrictMode)); } 
fwbuilder-5.3.7/src/libgui/WorkflowIcons.h000066400000000000000000000025441303637203600205420ustar00rootroot00000000000000 /* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: WorkflowIcons.h 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef WORKFLOWICONS_H #define WORKFLOWICONS_H #include namespace Ui { class WorkflowIcons_q; } class WorkflowIcons : public QWidget { Q_OBJECT public: WorkflowIcons(QWidget *parent = 0); void setUpSignals(QWidget *panel); ~WorkflowIcons(); protected: void changeEvent(QEvent *e); private: Ui::WorkflowIcons_q *ui; public slots: void libraryAccessChanged(bool writable); void openTutorial(); }; #endif // WORKFLOWICONS_H fwbuilder-5.3.7/src/libgui/WorkflowIcons.ui000066400000000000000000000113531303637203600207260ustar00rootroot00000000000000 WorkflowIcons_q 0 0 777 556 Form Qt::Vertical 20 210 20 Qt::Horizontal 40 20 120 120 PointingHandCursor Create new firewall :/Icons/firewall_64.png:/Icons/firewall_64.png 64 64 Qt::ToolButtonTextUnderIcon 120 120 PointingHandCursor Import existing configuration :/Icons/Import-big:/Icons/Import-big 64 64 Qt::ToolButtonTextUnderIcon 120 120 PointingHandCursor Watch "Getting Started" tutorial :/Icons/Tutorial:/Icons/Tutorial 64 64 Qt::ToolButtonTextUnderIcon Qt::Horizontal 40 20 Qt::Vertical 20 210 
fwbuilder-5.3.7/src/libgui/aboutdialog_q.ui000066400000000000000000000417111303637203600207330ustar00rootroot00000000000000 AboutDialog_q true 0 0 419 311 0 0 0 255 255 255 255 255 255 255 255 255 127 127 127 170 170 170 0 0 0 255 255 255 0 0 0 255 255 255 255 255 255 0 0 0 255 255 255 0 0 0 255 255 255 255 255 255 255 255 255 127 127 127 170 170 170 0 0 0 255 255 255 0 0 0 255 255 255 255 255 255 0 0 0 255 255 255 127 127 127 255 255 255 255 255 255 255 255 255 127 127 127 170 170 170 127 127 127 255 255 255 127 127 127 255 255 255 255 255 255 0 0 0 255 255 255 Firewall Builder true 0 0 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" content="1" /><style type="text/css"> p, li { white-space: pre-wrap; } </style></head><body style=" font-family:'Sans Serif'; font-size:9pt; font-weight:400; font-style:normal;"> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-family:'Lucida Grande'; font-size:28pt;">Firewall Builder %1</span></p></body></html> Qt::AlignCenter Revision: Qt::AlignCenter false 0 0 Using libfwbuilder API v Qt::AlignCenter false Qt::Vertical QSizePolicy::Expanding 20 20 0 0 Copyright 2002-2012 NetCitadel, Inc Qt::AlignCenter false 0 0 Copyright 2013-2015 UNINETT AS Qt::AlignCenter false 0 20 32767 20 QFrame::NoFrame QFrame::Plain -3 Qt::ScrollBarAlwaysOff Qt::ScrollBarAlwaysOff true <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" content="1" /><style type="text/css"> p, li { white-space: pre-wrap; } </style></head><body style=" font-family:'Sans Serif'; font-size:9pt; font-weight:400; font-style:normal;"> <p align="center" style=" margin-top:12px; margin-bottom:12px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><a href="https://github.com/fwbuilder"><span style=" 
font-family:'Lucida Grande'; font-size:13pt; text-decoration: underline; color:#0000ff;">https://github.com/fwbuilder</span></a></p></body></html> false 0 0 QFrame::HLine QFrame::Sunken Qt::Horizontal Qt::Horizontal QSizePolicy::Expanding 20 20 &OK true true buttonOk clicked() AboutDialog_q accept() 20 20 20 20 fwbuilder-5.3.7/src/libgui/actionsdialog_q.ui000066400000000000000000000432311303637203600212600ustar00rootroot00000000000000 ActionsDialog_q 0 0 852 229 Actions Dialog QFrame::Box QFrame::Sunken 320 0 QFrame::NoFrame QFrame::Plain 5 12 12 If rule action is 'Reject', this option defines firewall's reaction to the packet matching the rule Qt::AlignVCenter true Qt::Vertical QSizePolicy::MinimumExpanding 20 0 300 0 Qt::Horizontal QSizePolicy::MinimumExpanding 10 20 Qt::Horizontal QSizePolicy::MinimumExpanding 0 20 12 12 This action has no parameters. Qt::AlignCenter true 12 12 Rule name for accounting. (white spaces and special characters are not allowed) Qt::AlignVCenter true Qt::Vertical QSizePolicy::MinimumExpanding 20 0 12 12 Custom string: false Qt::Vertical QSizePolicy::MinimumExpanding 20 0 12 12 Divert socket port number: false Qt::Horizontal QSizePolicy::Expanding 40 20 80 0 999999 Qt::Vertical QSizePolicy::MinimumExpanding 20 0 12 Policy ruleset object: false 0 0 100 80 9 In addition to 'filter', create branching rule in 'mangle' table as well Qt::Horizontal 41 21 Qt::Vertical QSizePolicy::MinimumExpanding 30 20 12 Policy rule set object: false 0 0 100 80 9 Qt::Horizontal 701 64 Qt::Vertical QSizePolicy::MinimumExpanding 20 0 12 NAT Rule set object: 0 0 100 80 100 80 Qt::Horizontal 663 20 Qt::Vertical 20 33 FWObjectDropArea QWidget

FWObjectDropArea.h
1 rejectvalue activated(QString) ActionsDialog_q changed() 178 240 20 20 ipt_branch_in_mangle toggled(bool) ActionsDialog_q changed() 45 250 20 20 divertPortNum valueChanged(int) ActionsDialog_q changed() 225 218 20 20 custom_str editingFinished() ActionsDialog_q changed() 46 233 20 20 accountingvalue_str editingFinished() ActionsDialog_q changed() 46 233 20 20 changed() fwbuilder-5.3.7/src/libgui/addressrangedialog_q.ui000066400000000000000000000121741303637203600222640ustar00rootroot00000000000000 AddressRangeDialog_q true 0 0 730 248 0 0 Address Range QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 Range Start: false 0 0 Range End: false 0 0 Qt::Vertical 20 103 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name rangeStart rangeEnd
fwbuilder-5.3.7/src/libgui/addresstabledialog_q.ui000066400000000000000000000203451303637203600222560ustar00rootroot00000000000000 AddressTableDialog_q 0 0 774 264 500 500 Address Table QFrame::Box QFrame::Sunken 0 0 350 16 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 0 0 Compile Time 0 0 Run Time Qt::Horizontal 40 20 File name: false 0 0 0 0 0 0 Browse Choose File Edit file Qt::Horizontal QSizePolicy::Expanding 10 20 Qt::Vertical QSizePolicy::MinimumExpanding 307 16 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name r_compiletime r_runtime filename BrowseButton editButton BrowseButton clicked() AddressTableDialog_q browse() 20 20 20 20 editButton clicked() AddressTableDialog_q editFile() 20 20 20 20 editFile()
fwbuilder-5.3.7/src/libgui/asklibforcopydialog_q.ui000066400000000000000000000035541303637203600224730ustar00rootroot00000000000000 asklibforcopydialog_q 0 0 221 127 Copying Object will be copied to library: 0 0 Qt::Horizontal QDialogButtonBox::Cancel|QDialogButtonBox::NoButton|QDialogButtonBox::Ok buttonBox accepted() asklibforcopydialog_q accept() 248 254 157 274 buttonBox rejected() asklibforcopydialog_q reject() 316 260 286 274 fwbuilder-5.3.7/src/libgui/askrulenumberdialog_q.ui000066400000000000000000000072561303637203600225060ustar00rootroot00000000000000 askRuleNumberDialog_q 0 0 279 119 Enter New Position For The Rule Enter new position for selected rules: false 10000 Qt::Vertical QSizePolicy::Expanding 80 20 Qt::Vertical QSizePolicy::Expanding 80 20 Qt::Vertical QSizePolicy::Expanding 80 20 &Move Alt+M true true &Cancel Alt+C true true buttonOk clicked() askRuleNumberDialog_q accept() 20 20 20 20 buttonCancel clicked() askRuleNumberDialog_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/attachednetworksdialog_q.ui000066400000000000000000000136021303637203600231710ustar00rootroot00000000000000 AttachedNetworksDialog_q true 0 0 949 258 0 0 Network 0 0 QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 Qt::Vertical QSizePolicy::Expanding 20 5 The list of addresses in this object is updated automatically and represents subnets attached to the parent interface. true Qt::Vertical 20 48 QFrame::StyledPanel QFrame::Raised QFrame::NoFrame QFrame::Plain 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name obj_name editingFinished() AttachedNetworksDialog_q changed() 20 20 20 20
fwbuilder-5.3.7/src/libgui/blankdialog_q.ui000066400000000000000000000013701303637203600207050ustar00rootroot00000000000000 BlankDialog_q 0 0 638 215 QFrame::Box QFrame::Sunken fwbuilder-5.3.7/src/libgui/bsdIfaceOptsDialog.cpp000066400000000000000000000112251303637203600217510ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "bsdIfaceOptsDialog.h" #include "platforms.h" #include "FWCmdChange.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "FWWindow.h" #include "Help.h" #include #include using namespace std; using namespace libfwbuilder; bsdIfaceOptsDialog::bsdIfaceOptsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::bsdIfaceOptsDialog_q; m_dialog->setupUi(this); setWindowModality(Qt::WindowModal); obj = o; FWOptions *ifopt = (Interface::cast(obj))->getOptionsObject(); cluster_interface = (Cluster::cast(obj->getParent()) != NULL); setInterfaceTypes(m_dialog->iface_type, Interface::cast(obj), ifopt->getStr("type").c_str()); // Using "type" control only for subinterfaces // and main interfaces of the firewall objects if (cluster_interface) { m_dialog->iface_type->hide(); 
m_dialog->iface_type_label->hide(); } else { m_dialog->iface_type->show(); m_dialog->iface_type_label->show(); } int mtu = ifopt->getInt("iface_mtu"); if (mtu <=0 ) { mtu = 1500; ifopt->setInt("iface_mtu", mtu); } data.registerOption(m_dialog->vlan_id, ifopt, "vlan_id"); data.registerOption(m_dialog->iface_configure_mtu, ifopt, "iface_configure_mtu"); data.registerOption(m_dialog->iface_mtu, ifopt, "iface_mtu"); data.registerOption(m_dialog->iface_options, ifopt, "iface_options"); data.registerOption(m_dialog->enable_stp, ifopt, "enable_stp"); data.loadAll(); // special actions for different iface types // VLAN (8021q) typeChanged(""); } bsdIfaceOptsDialog::~bsdIfaceOptsDialog() { delete m_dialog; } /* * store all data in the object */ void bsdIfaceOptsDialog::accept() { // validate user input before saving if (!validate()) return; ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the interface object FWObject* new_state = cmd->getNewState(); FWOptions* ifopt = Interface::cast(new_state)->getOptionsObject(); assert(ifopt!=NULL); if (cluster_interface) { ifopt->setStr("type", "cluster_interface"); } else { QString new_type = m_dialog->iface_type->itemData( m_dialog->iface_type->currentIndex()).toString(); ifopt->setStr("type", new_type.toStdString()); } data.saveAll(ifopt); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void bsdIfaceOptsDialog::reject() { QDialog::reject(); } void bsdIfaceOptsDialog::help() { QString tab_title = m_dialog->tabWidget->tabText( m_dialog->tabWidget->currentIndex()); QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower(); Help *h = Help::getHelpWindow(this); h->setName("Interface OpenBSD"); h->setSource(QUrl("bsdIfaceOptsDialog.html#" + anchor)); h->raise(); h->show(); } void bsdIfaceOptsDialog::typeChanged(const QString&) { QString new_type = m_dialog->iface_type->itemData( 
m_dialog->iface_type->currentIndex()).toString(); // enable VLAN ID line edit for type VLAN if (new_type.isEmpty() || new_type == "ethernet") { m_dialog->options_stack->setCurrentIndex(1); return; } if (new_type == "8021q") { m_dialog->options_stack->setCurrentIndex(2); return; } if (new_type == "bridge") { m_dialog->options_stack->setCurrentIndex(3); return; } // page 0 is empty m_dialog->options_stack->setCurrentIndex(0); } bool bsdIfaceOptsDialog::validate() { return true; } fwbuilder-5.3.7/src/libgui/bsdIfaceOptsDialog.h000066400000000000000000000031161303637203600214160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __BSDIFACEOPTSDIALOG_H_ #define __BSDIFACEOPTSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class bsdIfaceOptsDialog : public QDialog { Q_OBJECT; public: bsdIfaceOptsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~bsdIfaceOptsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::bsdIfaceOptsDialog_q *m_dialog; bool cluster_interface; /** validate user input for different interface types */ bool validate(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); void typeChanged(const QString &new_type); }; #endif // __BSDIFACEOPTSDIALOG_H_ fwbuilder-5.3.7/src/libgui/bsdifaceoptsdialog_q.ui000066400000000000000000000240321303637203600222640ustar00rootroot00000000000000 bsdIfaceOptsDialog_q 0 0 376 318 BSD: interface settings Help Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 :/Icons/Options:/Icons/Options Options Qt::Vertical QSizePolicy::Fixed 20 16 Qt::RightToLeft Device Type Qt::Horizontal 40 20 Set MTU to 1 9000 1500 Qt::Horizontal 147 20 Qt::RightToLeft Options additional arguments for ifconfig 0 0 3 true Qt::RightToLeft VLAN ID 4095 Qt::Horizontal 140 20 Qt::Vertical 20 43 Enable STP Qt::Vertical 20 173 Qt::Vertical 20 40 buttonOk buttonCancel tabWidget buttonOk clicked() bsdIfaceOptsDialog_q accept() 316 472 20 20 buttonCancel clicked() bsdIfaceOptsDialog_q reject() 397 472 20 20 buttonHelp clicked() bsdIfaceOptsDialog_q help() 68 464 231 245 iface_type currentIndexChanged(QString) bsdIfaceOptsDialog_q typeChanged(QString) 287 196 286 261 typeChanged(QString) fwbuilder-5.3.7/src/libgui/carpOptionsDialog.cpp000066400000000000000000000053761303637203600217160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland 
vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "carpOptionsDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include #include #include using namespace std; using namespace libfwbuilder; carpOptionsDialog::carpOptionsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::carpOptionsDialog_q; m_dialog->setupUi(this); obj = o; FWOptions *gropt = FWOptions::cast(obj); assert(gropt != NULL); data.registerOption(m_dialog->carp_password, gropt, "carp_password"); data.registerOption(m_dialog->carp_vhid, gropt, "carp_vhid"); data.registerOption(m_dialog->advbase, gropt, "carp_advbase"); data.registerOption(m_dialog->master_advskew, gropt, "carp_master_advskew"); data.registerOption(m_dialog->default_advskew, gropt, "carp_default_advskew"); data.loadAll(); } carpOptionsDialog::~carpOptionsDialog() { delete m_dialog; } /* * store all data in the object */ void carpOptionsDialog::accept() { if (!validate()) return; // the parent of this dialog is InterfaceDialog, not ProjectPanel ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChangeOptionsObject(project, obj)); FWObject* new_state = cmd->getNewState(); 
data.saveAll(new_state); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void carpOptionsDialog::reject() { QDialog::reject(); } bool carpOptionsDialog::validate() { return true; } fwbuilder-5.3.7/src/libgui/carpOptionsDialog.h000066400000000000000000000026361303637203600213570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __CARPOPTIONSDIALOG_H_ #define __CARPOPTIONSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class carpOptionsDialog : public QDialog { Q_OBJECT public: carpOptionsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~carpOptionsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::carpOptionsDialog_q *m_dialog; bool validate(); protected slots: virtual void accept(); virtual void reject(); }; #endif // __CARPOPTIONSDIALOG_H_ fwbuilder-5.3.7/src/libgui/carpoptionsdialog_q.ui000066400000000000000000000216501303637203600221620ustar00rootroot00000000000000 carpOptionsDialog_q 0 0 408 391 CARP protocol settings Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 CARP Parameters :/Icons/Options:/Icons/Options Qt::Vertical QSizePolicy::Minimum 20 
20 true CARP password Qt::RightToLeft CARP password true true Virtual Host ID Qt::RightToLeft VHID 1 255 1 Qt::Horizontal 78 20 Advertisement interval (sec) Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 1 255 1 Qt::Horizontal 78 20 Master advskew Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 254 50 Qt::Horizontal 78 20 Default advskew Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 254 100 Qt::Horizontal 78 20 Qt::Vertical 20 40 buttonOk buttonCancel tabWidget buttonOk clicked() carpOptionsDialog_q accept() 316 472 193 137 buttonCancel clicked() carpOptionsDialog_q reject() 397 472 20 20 fwbuilder-5.3.7/src/libgui/check_update_url.h000066400000000000000000000017671303637203600212430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef CHECK_UPDATE_URL_HH #define CHECK_UPDATE_URL_HH #define CHECK_UPDATE_URL "http://update.fwbuilder.org/update_checks/check.cgi?v=%1&uuid=%2" #endif fwbuilder-5.3.7/src/libgui/clusterMembersDialog.cpp000066400000000000000000000367441303637203600224140ustar00rootroot00000000000000/* * cluster members dialog implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #include "clusterMembersDialog.h" #include "global.h" #include "utils_no_qt.h" #include "FWWindow.h" #include "Help.h" #include "FWCmdChange.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/ClusterGroup.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; typedef std::list t_fwList; clusterMembersDialog::clusterMembersDialog(QWidget *parent, FWObject *o) : QDialog(parent), table_update(false) { m_dialog = new Ui::clusterMembersDialog_q; m_dialog->setupUi(this); setWindowModality(Qt::WindowModal); // assign clustergroup object obj = o; FWObject *parent_host = Host::getParentHost(obj); host_os = parent_host->getStr("host_OS").c_str(); platform = parent_host->getStr("platform").c_str(); // if empty, retry with parent of parent (interface level) if (host_os.isEmpty()) { FWObject *parent = NULL; parent = obj->getParent(); if (parent == NULL) { throw FWException("clusterMembersDialog: parent is NULL!"); } parent = parent->getParent(); if (parent 
== NULL) { throw FWException("clusterMembersDialog: parent is NULL!"); } host_os = parent->getStr("host_OS").c_str(); platform = parent->getStr("platform").c_str(); } string type = obj->getStr("type"); enable_master_column = Resources::os_res[host_os.toStdString()]->getResourceBool( "/FWBuilderResources/Target/protocols/" + type + "/needs_master"); if (!enable_master_column) m_dialog->fwSelectedTable->hideColumn(2); // prepare lists of firewalls (selected, available) getSelectedMembers(); getPossibleMembers(); // init views updateAvailableTree(); updateSelectedTable(); } clusterMembersDialog::~clusterMembersDialog() { // clear member lists for (t_memberList::iterator it = available.begin(); it != available.end(); it++) { delete *it; } available.clear(); for (t_memberList::iterator it = selected.begin(); it != selected.end(); it++) { delete *it; } selected.clear(); delete m_dialog; } void clusterMembersDialog::getSelectedMembers() { // read in master interface id std::string master_iface = obj->getStr("master_iface"); for (FWObjectTypedChildIterator it = obj->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { // get fw and interface pointer from interface reference Interface *iface = NULL; iface = Interface::cast(FWReference::cast((*it))->getPointer()); assert(iface != NULL); Firewall *fw = Firewall::cast(Host::getParentHost(iface)); //Firewall *fw = Firewall::cast(iface->getParentHost()); // determine master std::string iface_id = FWObjectDatabase::getStringId(iface->getId()); bool master = false; if (iface_id == master_iface) { master = true; } // create ClusterMember object ClusterMember *new_member = createMember(fw, iface, master); if (new_member == NULL) { qWarning() << "clusterMembersDialog: could not create new " "cluster member"; return; } // attach to selected list selected.push_back(new_member); } } void clusterMembersDialog::getPossibleMembers() { t_fwList fwlist; mw->findAllFirewalls(fwlist); Firewall *fw; for (t_fwList::iterator it = 
fwlist.begin(); it != fwlist.end(); it++) { // does host_OS and platform match? fw = *it; if (fw->getStr("host_OS").c_str() != host_os || fw->getStr("platform").c_str() != platform) { continue; } // does the firewall provide at least one phys. interface? FWObjectTypedChildIterator iface_i = fw->findByType(Interface::TYPENAME); if (iface_i == iface_i.end()) { continue; } else { // previously selected? skip PredFindFw pred; pred.setSearchString(fw->getName().c_str()); t_memberList::iterator it = find_if(selected.begin(), selected.end(), pred); if (it != selected.end()) { continue; } // valid member, add to member list ClusterMember *new_member = createMember(fw); if (new_member == NULL) { qWarning() << "clusterMembersDialog: could not create new " "cluster member"; return; } available.push_back(new_member); } } fwlist.sort(FWObjectNameCmpPredicate()); } void clusterMembersDialog::updateSelectedTable() { table_update = true; m_dialog->fwSelectedTable->setRowCount(selected.size()); QTableWidgetItem *item = NULL; int row = 0; for (t_memberList::const_iterator it = selected.begin(); it != selected.end(); it++) { // only insert new QTableWidgetItems if none has been set, update text // if selected member text changed. 
item = m_dialog->fwSelectedTable->item(row, 0); const char *new_text = (*it)->fwobj->getName().c_str(); if (item == NULL) { item = new QTableWidgetItem; item->setText(new_text); item->setIcon(QIcon(getIcon((*it)->fwobj))); m_dialog->fwSelectedTable->setItem(row, 0, item); } else if (item->text() != new_text) { item->setText(new_text); } // Column "Interface" item = m_dialog->fwSelectedTable->item(row, 1); new_text = (*it)->iface_cluster->getName().c_str(); if (item == NULL) { item = new QTableWidgetItem; item->setText(new_text); item->setIcon(QIcon(getIcon((*it)->iface_cluster))); m_dialog->fwSelectedTable->setItem(row, 1, item); } else if (item->text() != new_text) { item->setText(new_text); } // Column "Master" item = m_dialog->fwSelectedTable->item(row, 2); Qt::CheckState state = (*it)->is_master ? Qt::Checked : Qt::Unchecked; if (item == NULL) { item = new QTableWidgetItem; item->setCheckState(state); m_dialog->fwSelectedTable->setItem(row, 2, item); } else if (item->checkState() != state) { item->setCheckState(state); } row++; } m_dialog->fwSelectedTable->resizeColumnsToContents(); m_dialog->fwSelectedTable->horizontalHeader()->setStretchLastSection(true); table_update = false; } void clusterMembersDialog::updateAvailableTree() { QTreeWidgetItem *fwitem; m_dialog->fwAvailableTree->clear(); for (t_memberList::const_iterator it = available.begin(); it != available.end(); it++) { ClusterMember *member = *it; fwitem = new QTreeWidgetItem; fwitem->setFlags(Qt::ItemIsEnabled); fwitem->setText(0, member->fwobj->getName().c_str()); fwitem->setIcon(0, QIcon(getIcon(member->fwobj))); // add interfaces for (t_ifaceList::const_iterator it = member->iface_list.begin(); it != member->iface_list.end(); it ++) { QTreeWidgetItem *ifitem; ifitem = new QTreeWidgetItem(fwitem); ifitem->setText(1, (*it)->getName().c_str()); ifitem->setIcon(1, QIcon(getIcon(*it))); // add label (if non empty) string label = (*it)->getLabel(); if (!label.empty()) { ifitem->setText(2, label.c_str()); 
} } m_dialog->fwAvailableTree->insertTopLevelItem(0, fwitem); } m_dialog->fwAvailableTree->resizeColumnToContents(0); m_dialog->fwAvailableTree->sortByColumn(0, Qt::AscendingOrder); m_dialog->fwAvailableTree->expandAll(); } ClusterMember* clusterMembersDialog::createMember(Firewall *fw, Interface *cluster_iface, bool master) { if (fw == NULL) { return NULL; } ClusterMember *new_member = new ClusterMember; new_member->fwobj = fw; new_member->is_master = master; if (cluster_iface != NULL) { new_member->iface_cluster = cluster_iface; } list interfaces = fw->getByTypeDeep(Interface::TYPENAME); interfaces.sort(FWObjectNameCmpPredicate()); list::iterator iface_i; for (iface_i=interfaces.begin(); iface_i != interfaces.end(); ++iface_i) { Interface *iface = Interface::cast(*iface_i); new_member->iface_list.push_back(iface); // init interface mapping table new_member->iface_map[iface->getName().c_str()] = iface; } return new_member; } bool clusterMembersDialog::swap(t_memberList &from, t_memberList &to, const QString fwname, const QString iface, bool master) { // move selected fw from 'from' to 'to' member list PredFindFw pred; pred.setSearchString(fwname); t_memberList::iterator it = find_if(from.begin(), from.end(), pred); if (it == from.end()) { // not found return false; } ClusterMember *member = *it; from.erase(it); member->iface_cluster = member->iface_map[iface]; member->is_master = master; to.push_back(member); return true; } void clusterMembersDialog::setMaster(QString fw, bool checked) { for (t_memberList::const_iterator it = selected.begin(); it != selected.end(); it++) { if (QString((*it)->fwobj->getName().c_str()) == fw) { (*it)->is_master = checked; } else { (*it)->is_master = false; } } updateSelectedTable(); } QPixmap clusterMembersDialog::getIcon(FWObject *o) { QString icn_file = (":/Icons/" + o->getTypeName() + "/icon").c_str(); QPixmap pm; if (!QPixmapCache::find(icn_file, pm)) { pm.load(icn_file); QPixmapCache::insert(icn_file, pm); } return pm; } void 
clusterMembersDialog::invalidate() { // update views updateAvailableTree(); updateSelectedTable(); // disable <--> buttons, user needs to re-select m_dialog->buttonAdd->setEnabled(false); m_dialog->buttonRemove->setEnabled(false); } void clusterMembersDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); FWObject* new_state = cmd->getNewState(); bool master_found = false; t_memberList::const_iterator it = selected.begin(); // remoive all existing references and add new ones list all_refs = new_state->getByType(FWObjectReference::TYPENAME); for (list::iterator it=all_refs.begin(); it!=all_refs.end(); ++it) new_state->remove(*it); // add selected interfaces as objref to cluster member group for (it = selected.begin(); it != selected.end(); it++) { new_state->addRef((*it)->iface_cluster); // set master interface ref id if ((*it)->is_master) { master_found = true; std::string masteriface_id = FWObjectDatabase::getStringId((*it)->iface_cluster->getId()); new_state->setStr("master_iface", masteriface_id); } } if (!master_found) { new_state->remStr("master_iface"); } emit membersChanged(); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void clusterMembersDialog::reject() { QDialog::reject(); } void clusterMembersDialog::help() { QString tab_title = m_dialog->tabWidget->tabText( m_dialog->tabWidget->currentIndex()); QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower(); Help *h = Help::getHelpWindow(this); h->setName("Cluster-Member Management"); h->setSource(QUrl("clusterMembersDialog.html#" + anchor)); h->raise(); h->show(); } void clusterMembersDialog::availableClicked(QTreeWidgetItem *item, int) { // activate addButton if a specific interface has been selected if (item->text(1).isEmpty()) { m_dialog->buttonAdd->setEnabled(false); } else if (!m_dialog->buttonAdd->isEnabled()) { m_dialog->buttonAdd->setEnabled(true); } } void 
clusterMembersDialog::selectedClicked(int row, int column) { if (fwbdebug) { qDebug() << "clusterMembersDialog: selected (" << row << ", " << column << ")"; } // activate removeButton if (!m_dialog->buttonRemove->isEnabled()) { m_dialog->buttonRemove->setEnabled(true); } } void clusterMembersDialog::masterSelected(int row, int column) { if (!table_update) { if (fwbdebug) { qDebug() << "clusterMembersDialog: master is (" << row << ", " << column << ")"; } QList itemlist; itemlist = m_dialog->fwSelectedTable->selectedItems(); if (itemlist[2]->checkState() == Qt::Checked) { setMaster(itemlist[0]->text()); } else { setMaster(itemlist[0]->text(), false); } } } void clusterMembersDialog::firewallAdd() { // get selected firewall / interface QList itemlist; itemlist = m_dialog->fwAvailableTree->selectedItems(); // interface should not be empty if (itemlist[0]->text(1).isEmpty()) { qWarning() << "clusterMembersDialog: iface is empty, not adding"; return; } foreach(QTreeWidgetItem *itm, itemlist) { // move selected fw to selected member list QString fwname = itm->parent()->text(0); QString iface_cluster = itm->text(1); if (!swap(available, selected, fwname, iface_cluster)) { // swap failed, this should not happen! qWarning() << "clusterMembersDialog: swap failed for firewall " << fwname << ", interface: " << iface_cluster; return; } } // invalidate view invalidate(); } void clusterMembersDialog::firewallRemove() { // get selected firewall / interface QList itemlist; itemlist = m_dialog->fwSelectedTable->selectedItems(); // move selected fw to available member list QString fwname = itemlist[0]->text(); if (!swap(selected, available, fwname, "", false)) { // swap failed, this should not happen! 
qWarning() << "clusterMembersDialog: swap failed for firewall " << fwname; return; } // invalidate view invalidate(); } fwbuilder-5.3.7/src/libgui/clusterMembersDialog.h000066400000000000000000000121531303637203600220450ustar00rootroot00000000000000/* * cluster members configuration dialog * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #ifndef __CLUSTERMEMBERDIALOG_H_ #define __CLUSTERMEMBERDIALOG_H_ #include #include "fwbuilder/FWObject.h" namespace libfwbuilder { class Firewall; class Interface; }; typedef std::list t_ifaceList; typedef std::map t_ifaceMap; /** * @class ClusterMember * * @brief Simple helper class to store relevant info about cluster members. * * The ClusterMember class is used to store temporary data for the configuration * of potential cluster members of a specific cluster. 
*/ class ClusterMember { public: /** pointer to firewall object */ libfwbuilder::FWObject *fwobj; /** list of pointers to all interfaces of this firewall */ t_ifaceList iface_list; /** mapping from iface name to interface pointer */ t_ifaceMap iface_map; /** selected as cluster interface */ libfwbuilder::Interface *iface_cluster; /** flag for cluster master */ bool is_master; }; typedef std::list t_memberList; class clusterMembersDialog : public QDialog { Q_OBJECT public: clusterMembersDialog(QWidget *parent, libfwbuilder::FWObject *o); ~clusterMembersDialog(); private: libfwbuilder::FWObject *obj; bool enable_master_column; Ui::clusterMembersDialog_q *m_dialog; /** host OS of current cluster */ QString host_os; /** platform of current cluster */ QString platform; /** list of all still available firewalls */ t_memberList available; /** list of cluster members */ t_memberList selected; /** flag to indicate selected table update */ bool table_update; /** init lists of already selected firewalls */ void getSelectedMembers(); /** * init lists of available firewalls * * For this type of cluster, a valid firewall must fulfill the * following criterias: * 1. host_OS and platform must match cluster settings * 2. the firewall must at least have one interface attached */ void getPossibleMembers(); /** update view of selected members */ void updateSelectedTable(); /** update view of available firewalls */ void updateAvailableTree(); /** * create a new cluster member object from fw pointer * * @param fw pointer to firewall object * @param cluster_iface pointer to selected cluster iface * @param master flag to indicate cluster master * @return pointer to new cluster object */ ClusterMember* createMember(libfwbuilder::Firewall *fw, libfwbuilder::Interface *cluster_iface = NULL, bool master = false); /** * swap firewall cluster member info from one list to another. 
* * @param from list to remove firewall from * @param to list to add firewall * @param fwname firewall name as identifier * @param iface optional interface to set as cluster interface * @param master optional: set master flag * @return true if successfully swapped, false if not */ bool swap(t_memberList &from, t_memberList &to, const QString fwname, const QString iface, bool master = false); /** * set master firewall status in selected list * * @param fw name of firewall to set state * @param checked status to set (checked / unchecked) */ void setMaster(QString fw, bool checked = true); /** * returns fwobject specific pixmap to caller * * @param o object to get pixmap for * @return object's QPixmap */ QPixmap getIcon(libfwbuilder::FWObject *o); /** update all views */ void invalidate(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); void availableClicked(QTreeWidgetItem *item, int); void selectedClicked(int row, int column); void masterSelected(int row, int column); void firewallAdd(); void firewallRemove(); signals: void membersChanged(); }; /** * @class PredFindFw * * @brief Predicate class to find firewalls by name * * PredFindFw can be used e.g. as parameter in find_if() function to compare * ClusterMembers in available and selected lists with a given fwname * specified by setSearchString(). 
*/ class PredFindFw { protected: QString search_string; public: PredFindFw() {}; bool operator()(const ClusterMember *member) const { QString fwname = member->fwobj->getName().c_str(); return (fwname == search_string); } void setSearchString(const QString &string) { search_string = string; } }; #endif /* __SECUWALLCLUSTERCONFDIALOG_H_ */ fwbuilder-5.3.7/src/libgui/clusterdialog_q.ui000066400000000000000000000260321303637203600213010ustar00rootroot00000000000000 ClusterDialog_q true 0 0 917 262 0 0 Cluster 12 QFrame::Box QFrame::Sunken 12 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken 0 0 32767 32767 Name: false 1 0 200 23 0 0 32767 32767 Platform: false 0 0 0 26 Qt::Horizontal 129 20 0 0 32767 32767 Host OS: false 0 0 0 26 Modified: 0 0 TextLabel Compiled: 0 0 TextLabel Installed: 0 0 TextLabel Qt::Vertical 20 34 0 0 215 0 215 16777215 Skip this firewall for batch compile and install operations Inactive cluster 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name platform hostOS inactive platform activated(int) ClusterDialog_q platformChanged() 20 20 20 20 hostOS activated(QString) ClusterDialog_q hostOSChanged() 20 20 20 20 changed() platformChanged() hostOSChanged()
fwbuilder-5.3.7/src/libgui/clustergroupdialog_q.ui000066400000000000000000000274561303637203600223710ustar00rootroot00000000000000 ClusterGroupDialog_q true 0 0 1016 265 0 0 ClusterGroup 0 0 QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken 0 0 32767 32767 Name: false 200 0 0 0 true 0 0 32767 32767 Type: false Qt::Horizontal 135 20 0 0 0 32 Edit Protocol Parameters... Qt::Horizontal 40 20 Qt::Vertical 20 102 0 0 QFrame::NoFrame QFrame::Plain 0 0 0 0 0 300 0 300 100000 List of current members of this cluster. Double click on an entry to load it. false QAbstractItemView::SingleSelection Firewall Interface Master Status 0 0 200 0 32767 32767 Click here to manage member firewalls of this cluster group. Manage Members... Qt::Horizontal 97 20 0 0 CommentKeywords QWidget
CommentKeywords.h
1
manageMembers fwMemberTree itemActivated(QTreeWidgetItem*,int) ClusterGroupDialog_q openObject(QTreeWidgetItem*) 262 112 411 113 editParameters clicked() ClusterGroupDialog_q openParametersEditor() 152 303 450 190 manageMembers clicked() ClusterGroupDialog_q openClusterConfDialog() 20 20 20 20 changed() openParametersEditor()
fwbuilder-5.3.7/src/libgui/clustermembersdialog_q.ui000066400000000000000000000306221303637203600226540ustar00rootroot00000000000000 clusterMembersDialog_q Qt::WindowModal 0 0 859 556 cluster member configuration Help Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 :/Icons/Cluster/icon:/Icons/Cluster/icon Cluster Qt::Vertical QSizePolicy::Fixed 20 16 Manage member firewalls for this Cluster. Firewalls are considered valid members if they have the same host OS and platform as the Cluster object. They also need to have at minimum one physical interface attached. Qt::AlignCenter true Qt::Vertical QSizePolicy::Fixed 20 16 Available Firewalls: Tree of potential cluster members. Select an interface to assign to the cluster. QAbstractItemView::NoEditTriggers false false QAbstractItemView::ExtendedSelection QAbstractItemView::SelectRows Firewall Interface Label QFrame::NoFrame QFrame::Plain false ... :/Icons/big-right-arrow.png:/Icons/big-right-arrow.png false ... :/Icons/big-left-arrow.png:/Icons/big-left-arrow.png Qt::Vertical 20 40 Selected as Cluster-Members: true Table of already selected member firewalls with their assigned cluster interfaces. 
QAbstractItemView::NoEditTriggers false false true QAbstractItemView::SingleSelection QAbstractItemView::SelectRows Qt::ElideMiddle false false Name Interface Master buttonOk buttonCancel tabWidget buttonOk clicked() clusterMembersDialog_q accept() 316 472 20 20 buttonCancel clicked() clusterMembersDialog_q reject() 397 472 20 20 buttonHelp clicked() clusterMembersDialog_q help() 68 464 231 245 fwAvailableTree itemClicked(QTreeWidgetItem*,int) clusterMembersDialog_q availableClicked(QTreeWidgetItem*, int) 514 249 352 237 buttonAdd clicked() clusterMembersDialog_q firewallAdd() 352 179 352 237 buttonRemove clicked() clusterMembersDialog_q firewallRemove() 352 210 352 237 fwSelectedTable cellClicked(int,int) clusterMembersDialog_q selectedClicked(int,int) 191 249 352 237 fwSelectedTable cellChanged(int,int) clusterMembersDialog_q masterSelected(int,int) 191 272 352 237 fwbuilder-5.3.7/src/libgui/colorlabelmenuitem_q.ui000066400000000000000000000151111303637203600223160ustar00rootroot00000000000000 colorLabelMenuItem_q 0 0 124 16 4 4 8 8 true Orange 8 8 true Green 8 8 true Purple 8 8 true Blue 8 8 true Yellow 8 8 true Gray 8 8 true Red 8 8 true No color redBtn clicked() colorLabelMenuItem_q redColorClicked() orangeBtn clicked() colorLabelMenuItem_q orangeColorClicked() yellowBtn clicked() colorLabelMenuItem_q yellowColorClicked() greenBtn clicked() colorLabelMenuItem_q greenColorClicked() blueBtn clicked() colorLabelMenuItem_q blueColorClicked() purpleBtn clicked() colorLabelMenuItem_q purpleColorClicked() grayBtn clicked() colorLabelMenuItem_q grayColorClicked() noneBtn clicked() colorLabelMenuItem_q noneColorClicked() fwbuilder-5.3.7/src/libgui/commenteditorpanel_q.ui000066400000000000000000000024611303637203600223310ustar00rootroot00000000000000 CommentEditorPanel_q true 0 0 643 217 Comment Editor Panel 500 0 TextEditWidget QTextEdit
TextEditWidget.h
editor textChanged() CommentEditorPanel_q changed() 20 20 20 20
fwbuilder-5.3.7/src/libgui/commentkeywords_q.ui000066400000000000000000000042771303637203600217010ustar00rootroot00000000000000 CommentKeywords_q 0 0 400 300 CommentKeywords 0 100 200 0 16777215 16777215 true 0 0 Keywords... true TextEditWidget QTextEdit
TextEditWidget.h
keywordsButton clicked() CommentKeywords_q keywordsClicked() 55 277 199 149
fwbuilder-5.3.7/src/libgui/compileroutputpanel_q.ui000066400000000000000000000015461303637203600225560ustar00rootroot00000000000000 CompilerOutputPanel_q true 0 0 740 262 Script Editor 0 Qt::ScrollBarAlwaysOn fwbuilder-5.3.7/src/libgui/confirmdeleteobjectdialog_q.ui000066400000000000000000000115071303637203600236300ustar00rootroot00000000000000 ConfirmDeleteObjectDialog_q 0 0 527 494 16777215 1522 Firewall Builder 0 0 Groups and firewall policy rules shown in the list below reference objects you are about to delete. If you delete objects, they will be removed from these groups and rules. Qt::AlignVCenter true 0 0 Deleted objects are moved to the "Deleted objects" library. You can recover them later by moving back to the user's library. However if you delete an object already located in the "Deleted objects" library, it is destroyed and can not be restored. Qt::AlignVCenter true 0 0 500 200 16777215 550 QFrame::NoFrame QFrame::Plain true 16777215 500 QAbstractItemView::NoSelection Object Parent Details Delete Cancel objectsView pushButton1 pushButton2 pushButton1 clicked() ConfirmDeleteObjectDialog_q accept() 20 20 20 20 pushButton2 clicked() ConfirmDeleteObjectDialog_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/conntrackOptionsDialog.cpp000066400000000000000000000100011303637203600227300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "conntrackOptionsDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include #include #include using namespace std; using namespace libfwbuilder; conntrackOptionsDialog::conntrackOptionsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::conntrackOptionsDialog_q; m_dialog->setupUi(this); obj = o; FWOptions *gropt = FWOptions::cast(obj); assert(gropt != NULL); FWObject *p = obj; while (p && Cluster::cast(p)==NULL) p = p->getParent(); assert(p != NULL); Cluster *cluster = Cluster::cast(p); Resources *os_res = Resources::os_res[cluster->getStr("host_OS")]; assert(os_res != NULL); string default_address = os_res->getResourceStr("/FWBuilderResources/Target/protocols/conntrack/default_address"); string default_port = os_res->getResourceStr("/FWBuilderResources/Target/protocols/conntrack/default_port"); string addr = gropt->getStr("conntrack_address"); if (addr.empty()) gropt->setStr("conntrack_address", default_address); string port = gropt->getStr("conntrack_port"); if (port.empty()) gropt->setStr("conntrack_port", default_port); data.registerOption(m_dialog->use_unicast, gropt, "conntrack_unicast"); data.registerOption(m_dialog->conntrack_address, gropt, "conntrack_address"); data.registerOption(m_dialog->conntrack_port, gropt, "conntrack_port"); data.loadAll(); toggleUseUnicast(); } conntrackOptionsDialog::~conntrackOptionsDialog() { delete m_dialog; } void conntrackOptionsDialog::accept() { if (!validate()) return; // the parent of this dialog is InterfaceDialog, not ProjectPanel ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChangeOptionsObject(project, obj)); FWObject* new_state = cmd->getNewState(); 
data.saveAll(new_state); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void conntrackOptionsDialog::reject() { QDialog::reject(); } bool conntrackOptionsDialog::validate() { try { InetAddr( m_dialog->conntrack_address->text().toLatin1().constData() ); } catch (FWException &ex) { try { InetAddr(AF_INET6, m_dialog->conntrack_address->text().toLatin1().constData() ); } catch (FWException &ex) { QMessageBox::critical( this, "Firewall Builder", tr("Invalid IP address '%1'").arg(m_dialog->conntrack_address->text()), tr("&Continue"), 0, 0, 0 ); return false; } } return true; } void conntrackOptionsDialog::toggleUseUnicast() { bool onoff = m_dialog->use_unicast->isChecked(); m_dialog->conntrack_address->setEnabled( ! onoff ); m_dialog->conntrack_address_label->setEnabled( ! onoff ); } fwbuilder-5.3.7/src/libgui/conntrackOptionsDialog.h000066400000000000000000000027531303637203600224140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __CONNTRACKOPTIONSDIALOG_H_ #define __CONNTRACKOPTIONSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class conntrackOptionsDialog : public QDialog { Q_OBJECT public: conntrackOptionsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~conntrackOptionsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::conntrackOptionsDialog_q *m_dialog; bool validate(); protected slots: virtual void accept(); virtual void reject(); virtual void toggleUseUnicast(); }; #endif // __CONNTRACKOPTIONSDIALOG_H_ fwbuilder-5.3.7/src/libgui/conntrackoptionsdialog_q.ui000066400000000000000000000123651303637203600232220ustar00rootroot00000000000000 conntrackOptionsDialog_q 0 0 387 276 conntrack protocol settings Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 :/Icons/Options:/Icons/Options conntrack Parameters Use unicast address for conntrackd Address: Port number (udp): 65535 Qt::Horizontal 117 20 Qt::Vertical 20 40 buttonOk buttonCancel tabWidget buttonOk clicked() conntrackOptionsDialog_q accept() 316 472 20 20 buttonCancel clicked() conntrackOptionsDialog_q reject() 397 472 20 20 use_unicast clicked() conntrackOptionsDialog_q toggleUseUnicast() 196 50 193 137 toggleUseUnicast() fwbuilder-5.3.7/src/libgui/customservicedialog_q.ui000066400000000000000000000221611303637203600225120ustar00rootroot00000000000000 CustomServiceDialog_q true 0 0 754 262 Custom Service QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 1 0 0 0 0 0 0 0 Platform: false Custom service object has separate code string for each supported firewall platform. 0 0 Code String: false 0 0 0 0 Custom service object has separate code string for each supported firewall platform. 
Qt::AlignLeading 0 0 Protocol Name: Choose one of the standard protocols from the menu or enter custom protocol string. Policy compilers can use this information to add correct protocol-specific parameters to the generated configuration. For example, iptables compiler is allowed to add "--reject-with tcp-reset" to the target REJECT only if service object belongs to protocol "tcp". true Qt::Horizontal 108 20 Address Family: IPv4 true IPv6 false Qt::Horizontal 40 20 Qt::Vertical 20 53 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name platform code platform activated(int) CustomServiceDialog_q platformChanged() 20 20 20 20 changed()
fwbuilder-5.3.7/src/libgui/debugDialog.cpp000066400000000000000000000117261303637203600204770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "VERSION.h" #include "debugDialog.h" #include "RCS.h" #include "ProjectPanel.h" #include "FWWindow.h" #include #include #include #include #include #include "fwbuilder/Constants.h" #include "fwbuilder/FWObjectDatabase.h" #include using namespace std; using namespace libfwbuilder; debugDialog::debugDialog(QWidget *parent) : QDialog(parent) { m_dialog = new Ui::debugDialog_q; m_dialog->setupUi(this); /* * some variables used for remote debugging (so I can ask the user to * send me a screenshot of the "about" dialog and get the idea about * their environment etc.) 
*/ m_dialog->debugText->append( QString("Path to executable: %1") .arg(argv0.c_str()) ); m_dialog->debugText->append( QString("Path to resources: %1") .arg(Constants::getResourcesDirectory().c_str()) ); m_dialog->debugText->append( QString("Path to locale: %1") .arg(Constants::getLocaleDirectory().c_str()) ); m_dialog->debugText->append( QString("Path to libfwbuilder data directory: %1") .arg(Constants::getDTDDirectory().c_str()) ); m_dialog->debugText->append( QString("appRootDir: %1") .arg(appRootDir.c_str()) ); m_dialog->debugText->append( "\n" ); m_dialog->debugText->append( QString("standard objects library: %1") .arg(Constants::getStandardObjectsFilePath().c_str())); m_dialog->debugText->append( QString("standard templates library: %1") .arg(Constants::getTemplatesObjectsFilePath().c_str())); m_dialog->debugText->append( QString("user name: %1").arg(user_name) ); m_dialog->debugText->append( "\n" ); m_dialog->debugText->append( QString("Path to rcs: %1").arg(RCS_FILE_NAME)); m_dialog->debugText->append( QString("Path to rcsdiff: %1").arg(RCSDIFF_FILE_NAME)); m_dialog->debugText->append( QString("Path to rlog: %1").arg(RLOG_FILE_NAME)); m_dialog->debugText->append( QString("Path to ci: %1").arg(CI_FILE_NAME)); m_dialog->debugText->append( QString("Path to co: %1").arg(CO_FILE_NAME)); m_dialog->debugText->append( "\n" ); m_dialog->debugText->append( "RCS timezone setting:" ); m_dialog->debugText->append( RCS::getRCSEnvFix()->getTZOffset() ); m_dialog->debugText->append( "\n" ); m_dialog->debugText->append( "RCS environment:" ); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) m_dialog->debugText->append( RCS::getEnv()->join("\n").toAscii() ); #else m_dialog->debugText->append( RCS::getEnv()->join("\n").toLatin1() ); #endif m_dialog->debugText->append( "\n" ); m_dialog->debugText->append( QString("Current locale: %1") .arg(QLocale::system().name()) ); m_dialog->debugText->append( "\n" ); m_dialog->debugText->append( QString("Versions:") ); m_dialog->debugText->append( 
QString(" Firewall Builder %1").arg(VERSION)); m_dialog->debugText->append( QString(" Data format version %1") .arg(libfwbuilder::Constants::getDataFormatVersion().c_str() ) ); m_dialog->debugText->append( QString(" Built with QT %1").arg(QT_VERSION_STR)); m_dialog->debugText->append( QString(" Using QT %1").arg( qVersion() ) ); m_dialog->debugText->append( QString(" Built with libxml2 %1") .arg(LIBXML_DOTTED_VERSION) ); #if !defined(Q_OS_MACX) m_dialog->debugText->append( QString(" Using libxml2 %1").arg(xmlParserVersion)); #endif m_dialog->debugText->append( "\n" ); m_dialog->debugText->append( QString("FWObjectDatabase index statistics:")); if (mw->activeProject()) { int s,h,m; mw->activeProject()->db()->getIndexStats(s,h,m); m_dialog->debugText->append( QString(" index size: %1 records").arg(s) ); m_dialog->debugText->append( QString(" hits: %1").arg(h) ); m_dialog->debugText->append( QString(" misses: %1").arg(m) ); m_dialog->debugText->append( "\n" ); } m_dialog->debugText->append( QString("QPixmapCache limit: %1 kb") .arg(QPixmapCache::cacheLimit())); } debugDialog::~debugDialog() { delete m_dialog; } fwbuilder-5.3.7/src/libgui/debugDialog.h000066400000000000000000000022251303637203600201360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __DEBUGDIALOG_H_ #define __DEBUGDIALOG_H_ #include "config.h" #include #include class debugDialog : public QDialog { Q_OBJECT Ui::debugDialog_q *m_dialog; public: debugDialog(QWidget *parent); ~debugDialog(); }; #endif // __DEBUGDIALOG_H fwbuilder-5.3.7/src/libgui/debugdialog_q.ui000066400000000000000000000044121303637203600207040ustar00rootroot00000000000000 debugDialog_q 0 0 494 280 Debugging Info 0 6 20 20 Expanding Horizontal &Close Alt+C true true debugText buttonOk buttonOk clicked() debugDialog_q close() fwbuilder-5.3.7/src/libgui/discoverydruid_q.ui000066400000000000000000002510431303637203600215010ustar00rootroot00000000000000 DiscoveryDruid_q Qt::WindowModal 0 0 660 670 0 0 0 25 Sans Serif 14 75 false true TextLabel Qt::AlignCenter 14 6 40 0 0 0 Choose discovery method used to collect information about network objects from the list below and click 'Next' to continue. Qt::AlignVCenter true Qt::Vertical QSizePolicy::Expanding 20 70 Discovery method: 6 20 6 Read file in hosts format true Import DNS zone Perform network discovery using SNMP Import configuration of a firewall or a router 0 Enter full path and file name below or click "Browse" to find it: Qt::AlignVCenter true Qt::Vertical QSizePolicy::Expanding 20 31 File in hosts format 6 Qt::Vertical QSizePolicy::Expanding 20 20 Browse ... Qt::Vertical QSizePolicy::Expanding 20 41 Qt::Vertical QSizePolicy::Expanding 20 181 0 All objects created during import will be placed in the library currently opened in the tree. Qt::AlignVCenter true Qt::Vertical QSizePolicy::Expanding 20 20 Policy import tries to parse given configuration file and preserve its logic as close as possible. However, very often target firewall configuration allows for more commands, options and their combinations than importer can understand. 
Rules that importer could not parse exactly are colored red in the rule sets it creates. Always inspect firewall policy created by the importer and compare it with the original. Manual changes and corrections may be required. Comments in the rules that could not be parsed show fragments of the original configuration parser did not understand. Qt::AlignVCenter true Platform: false 0 100 textLabel1 Qt::AlignVCenter true Qt::Vertical QSizePolicy::Fixed 20 10 Qt::Vertical QSizePolicy::Fixed 20 10 Firewall name: Import from file: false 0 0 Browse... Cisco Router IOS Cisco PIX, Cisco ASA iptables Qt::Horizontal 40 20 0 This discovery method creates objects for all 'A' records found in DNS domain. You will later have a chance to accept only those objects you wish and ignore others. Please enter the domain name below: Qt::AlignVCenter true Qt::Vertical QSizePolicy::Expanding 20 21 Domain name 6 Qt::Vertical QSizePolicy::Expanding 20 21 Qt::Vertical QSizePolicy::Expanding 20 21 Qt::Vertical QSizePolicy::Expanding 20 20 Objects created using this method may have long or short names. long name consists of the host name and full domain name (this is called <i>Fully Qualified Domain Name</i>). Short name consists of only host name. Check in the box below if you wish to use long name, then click next to continue: Qt::AlignVCenter true Use long names 0 DNS zone information has to be transferred from the name server authoritative for the domain. Pick the name server: Qt::AlignVCenter true Name server 6 choose name server from the list below server name or its IP address here if you wish to use different one: 200 20 false 0 0 32767 20 Qt::Horizontal Qt::Horizontal QSizePolicy::Expanding 50 20 DNS Query options 0 Timeout (sec) false Retries false 1 1 1 2 Qt::Horizontal QSizePolicy::Expanding 160 20 Qt::Horizontal QSizePolicy::Expanding 170 20 Qt::Vertical QSizePolicy::Expanding 20 131 0 This discovery method scans networks looking for hosts or gateways responding to SNMP queries. 
It pulls host's ARP table and uses all the entries found in it to create objects. Scan starts from the host called "seed". Enter "seed" host name or address below: Qt::AlignVCenter true 'Seed' host 6 Qt::Horizontal QSizePolicy::Expanding 211 21 true 0 20 Enter a valid host name or address. false 0 0 32767 20 Qt::Horizontal Qt::Horizontal QSizePolicy::Expanding 40 20 The scanner process can be confined to a certain network, so it won't discover hosts on adjacent networks. If you leave these fields blank, scanner will visit all networks it can find: Qt::AlignVCenter true Confine scan to this network: 6 Qt::Horizontal QSizePolicy::Expanding 271 20 Qt::Horizontal QSizePolicy::Expanding 271 20 Netmask: false Address: false false Qt::Vertical QSizePolicy::Expanding 20 70 0 The scanner process can repeat its algorithm recursively using each new host it finds as a new "seed". This allows it to find as many objects on your network as possible. On the other hand, it takes more time and may find some objects you do not really need. You can turn recursive scanning on below: Qt::AlignVCenter true Run network scan recursively QFrame::HLine QFrame::Sunken Qt::Horizontal The scanner process can find nodes beyond the boundaries of your network by following point-to-point links connecting it to the Internet or other parts of WAN. Qt::AlignVCenter true Follow point-to-point links QFrame::HLine QFrame::Sunken Qt::Horizontal The scanner process normally ignores interfaces that have no IP addresses; checking this option makes it create such interfaces as "Unnumbered" Qt::AlignVCenter true Include interfaces with no ip addresses QFrame::HLine QFrame::Sunken Qt::Horizontal Analysis of ARP table yields IP addresses for hosts on your network. 
In order to determine their names, scanner can run reverse name lookup queries using your name servers (DNS): Qt::AlignVCenter true Run reverse name lookup DNS queries to determine host names false 0 Enter parameters for SNMP and DNS reverse lookup queries below. (If unsure, just leave default values): Qt::AlignVCenter true SNMP query parameters: 6 SNMP 'read' community string: false number of retries: false timeout (sec): false 1 1 1 2 public Qt::Horizontal QSizePolicy::Expanding 190 20 Qt::Horizontal QSizePolicy::Expanding 250 20 Qt::Horizontal QSizePolicy::Expanding 250 20 DNS parameters: 6 Qt::Horizontal QSizePolicy::Expanding 300 20 number of retries: false timeout (sec) : false Number of threads: false 1 1 1 10000 2 1 5 false Qt::Vertical QSizePolicy::Expanding 20 80 0 0 16 75 true Process name false 6 Qt::Horizontal Stop Save scan log to file Qt::Horizontal QSizePolicy::Expanding 141 20 Process log: 0 true 0 These are the networks found by the scanner process. Choose the ones you wish to use from the list below, then click 'Next': Qt::AlignVCenter true 6 6 QAbstractItemView::MultiSelection 6 Select All Filter ... Unselect All Remove Filter 6 -> <- Qt::Vertical QSizePolicy::Expanding 20 300 6 QAbstractItemView::MultiSelection 6 Select All Unselect All 0 Choose objects you wish to use, then click 'Next': Qt::AlignVCenter true 6 6 QAbstractItemView::MultiSelection 6 Remove Filter Select All Filter ... Unselect All 6 -> <- Qt::Vertical QSizePolicy::Expanding 20 240 6 QAbstractItemView::MultiSelection 6 Select All Unselect All 0 Qt::Horizontal QSizePolicy::Expanding 30 20 Unselect All Remove Filter Filter ... Qt::Horizontal QSizePolicy::Expanding 20 20 Select All Change type of selected objects: 6 Address Host Firewall QAbstractItemView::ExtendedSelection true Object Interfaces Type Here you can change type of the objects to be created for each address discovered by the scanner. 
By default, an "Address" object is created for the host with just one interface with single IP address and "Host" object is created for the host with multiple interfaces, however you can change their types on this page. Qt::AlignVCenter true 0 Select target library 6 0 0 Qt::Horizontal QSizePolicy::Expanding 71 20 Qt::Vertical QSizePolicy::Expanding 20 340 0 Adding new objects to library ... Qt::AlignTop true Qt::Horizontal Qt::Vertical QSizePolicy::Expanding 20 241 Firewall Builder uses Network Zones to determine network topology. Each firewall interface must have a Network Zone configured. The Network Zone of an interface represents the set of IP networks that would be the source IP address of traffic arriving inbound on an interface. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true If you do not set the Network Zone now you can update the Network Zone configuration after the firewall has been created by double-clicking on the network interface of the firewall object and then selecting the desired object from the Network Zone dropdown list. 
true :/Images/network_zone_dialog.png Qt::AlignCenter 0 150 QFrame::NoFrame QFrame::Sunken 0 true true Name Label Address Security Level 1 0 400 50 QFrame::StyledPanel QFrame::Raised Qt::Horizontal 40 20 < &Back &Next > false &Finish false &Cancel dm_fromfile filename browseButton domainname uselongname dnsfromlist nameserverlist nameserverline dnscustom dnsretries dnstimeout seedhostname snmpinaddr snmpinmask snmprecursive snmpfollowp2p snmpincludeunnumbered snmpdodns snmpretries snmptimeout snmpcommunity snmpdnsretries snmpdnstimeout snmpdnsthreads discoveryStopButton logSaveButton discoverylog networkresultlist selAllResNetButton netFilterButton pushButton7_2 remNetFilterButton addNetButton remNetButton networklist selAllNetButton pushButton7_2_2 objectresultlist remObjFilterButton selAllResButton objFilterButton unselAllResButton addObjButton remObjButton objectlist selAllObjButton unselAllObjButton unselAllLastButton removeLastFilterButton addLastFilterButton selAllLastButton addresTypeButton hostTypeButton pushButton26 typeChangingList libs addLastFilterButton clicked() DiscoveryDruid_q setLastFilter() 32 67 20 20 addNetButton clicked() DiscoveryDruid_q addNetwork() 32 67 20 20 addObjButton clicked() DiscoveryDruid_q addObject() 32 67 20 20 addresTypeButton clicked() DiscoveryDruid_q typeAddress() 32 67 20 20 browseButton clicked() DiscoveryDruid_q browseHostsFile() 32 67 20 20 stackedWidget currentChanged(int) DiscoveryDruid_q changedSelected(int) 32 67 20 20 discoveryStopButton clicked() DiscoveryDruid_q stopBackgroundProcess() 32 67 20 20 domainname textChanged(QString) DiscoveryDruid_q changedDomainName() 43 312 20 20 filename textChanged(QString) DiscoveryDruid_q changedHostsFileName() 32 67 20 20 hostTypeButton clicked() DiscoveryDruid_q typeHost() 32 67 20 20 import_browse clicked() DiscoveryDruid_q browseForImport() 572 147 20 20 import_platform activated(int) DiscoveryDruid_q importPlatformChanged(int) 244 176 20 20 logSaveButton clicked() 
DiscoveryDruid_q saveScanLog() 32 67 20 20 nameserverline textChanged(QString) DiscoveryDruid_q typedCustomNS() 41 205 20 20 nameserverline textChanged(QString) DiscoveryDruid_q changedNameServer() 41 205 20 20 nameserverlist activated(int) dnsfromlist animateClick() 38 149 39 124 netFilterButton clicked() DiscoveryDruid_q setNetworkFilter() 32 67 20 20 networkresultlist itemDoubleClicked(QListWidgetItem*) DiscoveryDruid_q addNetwork() 32 67 20 20 objectresultlist itemDoubleClicked(QListWidgetItem*) DiscoveryDruid_q addObject() 32 67 20 20 objFilterButton clicked() DiscoveryDruid_q setObjectFilter() 32 67 20 20 pushButton26 clicked() DiscoveryDruid_q typeFirewall() 32 67 20 20 pushButton7_2 clicked() networkresultlist clearSelection() 32 67 32 67 pushButton7_2_2 clicked() networklist clearSelection() 32 67 32 67 remNetButton clicked() DiscoveryDruid_q removeNetwork() 32 67 20 20 remNetFilterButton clicked() DiscoveryDruid_q removeNetworkFilter() 32 67 20 20 remObjButton clicked() DiscoveryDruid_q removeObject() 32 67 20 20 remObjFilterButton clicked() DiscoveryDruid_q removeObjectFilter() 32 67 20 20 removeLastFilterButton clicked() DiscoveryDruid_q removeLastFilter() 32 67 20 20 seedhostname textChanged(QString) DiscoveryDruid_q changedSeedHost() 42 160 20 20 selAllLastButton clicked() DiscoveryDruid_q selectAllLast() 32 67 20 20 selAllNetButton clicked() DiscoveryDruid_q selectAllNets() 32 67 20 20 selAllObjButton clicked() DiscoveryDruid_q selectAllObjs() 32 67 20 20 selAllResButton clicked() DiscoveryDruid_q selectAllResObjs() 32 67 20 20 selAllResNetButton clicked() DiscoveryDruid_q selectAllResNets() 32 67 20 20 snmpcommunity textChanged(QString) DiscoveryDruid_q checkSNMPCommunity() 111 76 20 20 snmpinaddr textChanged(QString) DiscoveryDruid_q changedInclNet() 109 318 20 20 snmpinmask textChanged(QString) DiscoveryDruid_q changedInclNet() 109 350 20 20 unselAllLastButton clicked() DiscoveryDruid_q unselectAllLast() 32 67 20 20 unselAllObjButton clicked() 
objectlist clearSelection() 32 67 32 67 unselAllResButton clicked() objectresultlist clearSelection() 32 67 32 67 obj_name textChanged(QString) DiscoveryDruid_q objNameChanged(QString) 371 103 582 211 import_filename textChanged(QString) DiscoveryDruid_q objNameChanged(QString) 300 124 583 237 objNameChanged(QString) fwbuilder-5.3.7/src/libgui/dnsnamedialog_q.ui000066400000000000000000000125111303637203600212420ustar00rootroot00000000000000 DNSNameDialog_q 0 0 712 239 DNS Name QFrame::Box QFrame::Sunken 0 0 350 16 350 16777215 QFrame::Box QFrame::Sunken Name: false 1 0 0 0 DNS Record: false 0 0 0 0 DNS 'A' record name entered in this input field will be converted to IP address using DNS query during policy compilation if checkbox "Compile time" is turned on, or during firewall policy activation if "Run Time" mode is used. This field can be automatically populated using object name, this is controlled by an option in the global Preferences dialog, tab "Objects" Compile Time Run Time Qt::Vertical 20 66 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name dnsrec r_runtime copyNameToRecord()
fwbuilder-5.3.7/src/libgui/dynamicgroupdialog_q.ui000066400000000000000000000077231303637203600223270ustar00rootroot00000000000000 DynamicGroupDialog_q 0 0 934 269 Form QFrame::StyledPanel QFrame::Raised Name: Match Criteria: Qt::Horizontal 40 20 Add Match Qt::Horizontal 40 20 Matching Objects: 1 0 0 commentKeywords frame CommentKeywords QWidget
CommentKeywords.h
1
ObjectListView QTreeWidget
ObjectListView.h
addButton clicked() DynamicGroupDialog_q addMatchClicked() 159 235 466 134
fwbuilder-5.3.7/src/libgui/events.h000066400000000000000000000343061303637203600172410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWBUILDER_EVENTS_HH #define FWBUILDER_EVENTS_HH #include "global.h" #include "ObjectEditor.h" #include "ColDesc.h" #include #include /* Custom event types. QEvent::registerEventType is only available starting QT 4.4 but we have to support QT 4.3 for Ubuntu Hardy so need to allocate types manually for now. 
Event types are defined as increments above QEvent::User */ enum EVENT_CODES { DATA_MODIFIED_EVENT , UPDATE_OBJECT_IN_TREE_EVENT , UPDATE_OBJECT_AND_SUBTREE_IN_TREE_EVENT , UPDATE_OBJECT_AND_SUBTREE_IMMEDIATELY_EVENT , UPDATE_OBJECT_EVERYWHERE_EVENT , UPDATE_LAST_COMPILED_TIMESTAMP_EVENT , UPDATE_LAST_INSTALLED_TIMESTAMP_EVENT , SHOW_OBJECT_IN_TREE_EVENT , SHOW_OBJECT_IN_RULESET_EVENT , SELECT_RULE_ELEMENT_EVENT, INSERT_OBJECT_IN_TREE_EVENT, REMOVE_OBJECT_FROM_TREE_EVENT, ADD_TREE_PAGE_EVENT, REMOVE_TREE_PAGE_EVENT, RELOAD_OBJECT_TREE_EVENT , RELOAD_OBJECT_TREE_IMMEDIATELY_EVENT , OPEN_RULESET_EVENT , OPEN_RULESET_IMMEDIATELY_EVENT , RELOAD_RULESET_EVENT , RELOAD_RULESET_IMMEDIATELY_EVENT , MAKE_CURRENT_RULE_VISIBLE_IN_RULESET_EVENT, OPEN_OBJECT_IN_EDITOR_EVENT , OPEN_OPT_OBJECT_IN_EDITOR_EVENT , CLOSE_OBJECT_EVENT , OBJECT_NAME_CHANGED_EVENT, OPEN_LIBRARY_FOR_OBJECT_EVENT, UPDATE_SUBWINDOW_TITLES_EVENT, UPDATE_GUI_STATE_EVENT, EXPAND_OBJECT_IN_TREE, CLOSE_EDITOR_PANEL_EVENT , CLEAR_EDITOR_PANEL_EVENT , ADD_USER_FOLDER_EVENT, REMOVE_USER_FOLDER_EVENT, MOVE_TOFROM_USER_FOLDER_EVENT, }; class fwbUpdateEvent : public QEvent { QString data_file_name; int object_id; QString event_name; public: fwbUpdateEvent(const QString &file_name, int obj_id, QEvent::Type event_type, const QString &ev_name) : QEvent(event_type), event_name(ev_name) { data_file_name = file_name; object_id = obj_id; } QString getEventName() { return event_name; } QString getFileName() { return data_file_name; } int getObjectId() { return object_id; } }; class dataModifiedEvent : public fwbUpdateEvent { public: dataModifiedEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + DATA_MODIFIED_EVENT), "dataModifiedEvent") {} }; class updateObjectInTreeEvent : public fwbUpdateEvent { public: updateObjectInTreeEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + UPDATE_OBJECT_IN_TREE_EVENT), 
"updateObjectInTreeEvent") {} }; class updateObjectAndSubtreeInTreeEvent : public fwbUpdateEvent { public: updateObjectAndSubtreeInTreeEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + UPDATE_OBJECT_AND_SUBTREE_IN_TREE_EVENT), "updateObjectAndSubtreeInTreeEvent") {} }; class updateObjectAndSubtreeImmediatelyEvent : public fwbUpdateEvent { public: updateObjectAndSubtreeImmediatelyEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + UPDATE_OBJECT_AND_SUBTREE_IMMEDIATELY_EVENT), "updateObjectAndSubtreeImmediatelyEvent") {} }; class updateObjectEverywhereEvent : public fwbUpdateEvent { public: updateObjectEverywhereEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + UPDATE_OBJECT_EVERYWHERE_EVENT), "updateObjectEverywhereEvent") {} }; class updateLastCompiledTimestampEvent : public fwbUpdateEvent { public: updateLastCompiledTimestampEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + UPDATE_LAST_COMPILED_TIMESTAMP_EVENT), "updateLastCompiledTimestampEvent") {} }; class updateLastInstalledTimestampEvent : public fwbUpdateEvent { public: updateLastInstalledTimestampEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + UPDATE_LAST_INSTALLED_TIMESTAMP_EVENT), "updateLastInstalledTimestampEvent") {} }; class showObjectInTreeEvent : public fwbUpdateEvent { public: showObjectInTreeEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + SHOW_OBJECT_IN_TREE_EVENT), "showObjectInTreeEvent") {} }; class showObjectInRulesetEvent : public fwbUpdateEvent { public: showObjectInRulesetEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + SHOW_OBJECT_IN_RULESET_EVENT), "showObjectInRulesetEvent") {} }; class 
selectRuleElementEvent : public fwbUpdateEvent { public: ColDesc::ColumnType column_type; selectRuleElementEvent(const QString &file_name, int obj_id, ColDesc::ColumnType ct) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + SELECT_RULE_ELEMENT_EVENT), "selectRuleElementEvent") { column_type = ct; } }; class insertObjectInTreeEvent : public fwbUpdateEvent { public: int parent_id; insertObjectInTreeEvent(const QString &file_name, int p_id, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + INSERT_OBJECT_IN_TREE_EVENT), "insertObjectInTreeEvent") { parent_id = p_id; } }; class removeObjectFromTreeEvent : public fwbUpdateEvent { public: removeObjectFromTreeEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + REMOVE_OBJECT_FROM_TREE_EVENT), "removeObjectFromTreeEvent") {} }; class addTreePageEvent : public fwbUpdateEvent { public: addTreePageEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + ADD_TREE_PAGE_EVENT), "addTreePageEvent") {} }; class removeTreePageEvent : public fwbUpdateEvent { public: removeTreePageEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + REMOVE_TREE_PAGE_EVENT), "removeTreePageEvent") {} }; class reloadObjectTreeEvent : public fwbUpdateEvent { public: reloadObjectTreeEvent(const QString &file_name) : fwbUpdateEvent(file_name, -1, QEvent::Type(QEvent::User + RELOAD_OBJECT_TREE_EVENT), "reloadObjectTreeEvent") {} }; class reloadObjectTreeImmediatelyEvent : public fwbUpdateEvent { public: reloadObjectTreeImmediatelyEvent(const QString &file_name) : fwbUpdateEvent(file_name, -1, QEvent::Type(QEvent::User + RELOAD_OBJECT_TREE_IMMEDIATELY_EVENT), "reloadObjectTreeImmediatelyEvent") {} }; class reloadRulesetEvent : public fwbUpdateEvent { public: reloadRulesetEvent(const QString &file_name) : fwbUpdateEvent(file_name, -1, QEvent::Type(QEvent::User 
+ RELOAD_RULESET_EVENT), "reloadRulesetEvent") {} }; class reloadRulesetImmediatelyEvent : public fwbUpdateEvent { public: reloadRulesetImmediatelyEvent(const QString &file_name) : fwbUpdateEvent(file_name, -1, QEvent::Type(QEvent::User + RELOAD_RULESET_IMMEDIATELY_EVENT), "reloadRulesetImmediatelyEvent") {} }; class makeCurrentRuleVisibleInRulesetEvent : public fwbUpdateEvent { public: makeCurrentRuleVisibleInRulesetEvent(const QString &file_name) : fwbUpdateEvent(file_name, -1, QEvent::Type(QEvent::User + MAKE_CURRENT_RULE_VISIBLE_IN_RULESET_EVENT), "makeCurrentRuleVisibleInRulesetEvent") {} }; class openRulesetEvent : public fwbUpdateEvent { public: openRulesetEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + OPEN_RULESET_EVENT), "openRulesetEvent") {} }; class openRulesetImmediatelyEvent : public fwbUpdateEvent { public: openRulesetImmediatelyEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + OPEN_RULESET_IMMEDIATELY_EVENT), "openRulesetImmediatelyEvent") {} }; class openObjectInEditorEvent : public fwbUpdateEvent { public: openObjectInEditorEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + OPEN_OBJECT_IN_EDITOR_EVENT), "openObjectInEditorEvent") {} }; class openOptObjectInEditorEvent : public fwbUpdateEvent { public: ObjectEditor::OptType opt_code; openOptObjectInEditorEvent(const QString &file_name, int obj_id, ObjectEditor::OptType opt) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + OPEN_OPT_OBJECT_IN_EDITOR_EVENT), "openOptObjectInEditorEvent") { opt_code = opt; } }; class closeObjectEvent : public fwbUpdateEvent { public: closeObjectEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + CLOSE_OBJECT_EVENT), "closeObjectEvent") {} }; class objectNameChangedEvent : public fwbUpdateEvent { public: QString old_name; 
QString new_name; bool rename_children; objectNameChangedEvent(const QString &file_name, int obj_id, const QString &_old_name, const QString &_new_name, bool _rename_children) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + OBJECT_NAME_CHANGED_EVENT), "objectNameChangedEvent") { old_name = _old_name; new_name = _new_name; rename_children = _rename_children; } }; class openLibraryForObjectEvent : public fwbUpdateEvent { public: QString old_name; QString new_name; openLibraryForObjectEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + OPEN_LIBRARY_FOR_OBJECT_EVENT), "openLibraryForObjectEvent") {} }; /* * This event is processed by FWWindow class and updates titles of all * ProjectPanel windows. */ class updateSubWindowTitlesEvent : public fwbUpdateEvent { public: updateSubWindowTitlesEvent() : fwbUpdateEvent("", -1, QEvent::Type(QEvent::User + UPDATE_SUBWINDOW_TITLES_EVENT), "updateSubWindowTitlesEvent") {} }; /* * This event is processed by FWWindow class and updates all menus and * toolbar buttins */ class updateGUIStateEvent : public fwbUpdateEvent { public: updateGUIStateEvent() : fwbUpdateEvent("", -1, QEvent::Type(QEvent::User + UPDATE_GUI_STATE_EVENT), "updateGUIStateEvent") {} }; class expandObjectInTreeEvent : public fwbUpdateEvent { public: int parent_id; expandObjectInTreeEvent(const QString &file_name, int obj_id) : fwbUpdateEvent(file_name, obj_id, QEvent::Type(QEvent::User + EXPAND_OBJECT_IN_TREE), "expandObjectInTreeEvent") {} }; class closeEditorPanelEvent : public fwbUpdateEvent { public: closeEditorPanelEvent() : fwbUpdateEvent("", -1, QEvent::Type(QEvent::User + CLOSE_EDITOR_PANEL_EVENT), "closeEditorPanelEvent") {} }; class clearEditorPanelEvent : public fwbUpdateEvent { public: clearEditorPanelEvent() : fwbUpdateEvent("", -1, QEvent::Type(QEvent::User + CLEAR_EDITOR_PANEL_EVENT), "clearEditorPanelEvent") {} }; class addUserFolderEvent : public fwbUpdateEvent { public: 
QString m_userFolder; addUserFolderEvent(const QString &fileName, int objId, const QString &userFolder) : fwbUpdateEvent(fileName, objId, QEvent::Type(QEvent::User + ADD_USER_FOLDER_EVENT), "addUserFolderEvent") { m_userFolder = userFolder; } }; class removeUserFolderEvent : public fwbUpdateEvent { public: QString m_userFolder; removeUserFolderEvent(const QString &fileName, int objId, const QString &userFolder) : fwbUpdateEvent(fileName, objId, QEvent::Type(QEvent::User + REMOVE_USER_FOLDER_EVENT), "removeUserFolderEvent") { m_userFolder = userFolder; } }; class moveToFromUserFolderEvent : public fwbUpdateEvent { public: int m_objIdToMove; QString m_oldFolder; QString m_newFolder; moveToFromUserFolderEvent(const QString &fileName, int objId, int objIdToMove, const QString &oldFolder, const QString &newFolder) : fwbUpdateEvent(fileName, objId, QEvent::Type(QEvent::User+MOVE_TOFROM_USER_FOLDER_EVENT), "removeUserFolderEvent"), m_objIdToMove(objIdToMove), m_oldFolder(oldFolder), m_newFolder(newFolder) {} }; #endif fwbuilder-5.3.7/src/libgui/fakeWizard.cpp000066400000000000000000000116751303637203600203630ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "fakeWizard.h" #include FakeWizard::FakeWizard() { } FakeWizard::~FakeWizard() { } void FakeWizard::setControlWidgets(QWidget *_mainWidget, QStackedWidget *_stackedWidget, QPushButton *_nextButton, QPushButton *_finishButton, QPushButton *_backButton, QPushButton *_cancelButton, QLabel *_titleLabel) { mainWidget = _mainWidget; stackedWidget = _stackedWidget; nextButton = _nextButton; finishButton = _finishButton; backButton =_backButton; titleLabel = _titleLabel; cancelButton = _cancelButton; m_pageCount = stackedWidget->count(); QObject::connect( nextButton, SIGNAL( clicked() ), mainWidget, SLOT( nextClicked() )); QObject::connect( backButton, SIGNAL( clicked() ), mainWidget, SLOT( backClicked() )); QObject::connect( finishButton, SIGNAL( clicked() ), mainWidget, SLOT( finishClicked() )); QObject::connect( cancelButton, SIGNAL( clicked() ), mainWidget, SLOT( cancelClicked() )); for (int i = 0; i < m_pageCount; i++) { appropriates.push_back(true); backEnabled.push_back(true); nextEnabled.push_back(true); finishEnabled.push_back(false); pageTitles.push_back(QString()); } backEnabled[0] = false; nextEnabled[m_pageCount-1] = false; m_currentPage = 0; } void FakeWizard::setAppropriate(const int page, const bool value) { if (page >= m_pageCount) return; appropriates[page] = value; } void FakeWizard::setNextEnabled(const int page, const bool enabled) { if (page >= m_pageCount) return; nextEnabled[page] = enabled; if (page == currentPage()) nextButton->setEnabled(enabled); } void FakeWizard::setBackEnabled(const int page, const bool enabled) { if (page >= m_pageCount) return; backEnabled[page] = enabled; if (page == currentPage()) backButton->setEnabled(enabled); } void FakeWizard::setFinishEnabled(const int page, const bool enabled) { if (page >= m_pageCount) return; finishEnabled[page] = 
enabled; if (page == currentPage()) finishButton->setEnabled(enabled); } void FakeWizard::setTitle(const int page, const QString title) { if (page >= m_pageCount) return; pageTitles[page] = title; if (page == currentPage()) if (titleLabel) titleLabel->setText(title); } int FakeWizard::pageCount() const { return stackedWidget->count(); } int FakeWizard::previousRelevant(const int page) const { if (fwbdebug) qDebug() << "FakeWizard::previousRelevant(" << page << ")"; int prev_p = -1; for (int i = page-1; i >= 0; i--) if (appropriates[i] && appropriate(i)) { prev_p = i; break; } if (fwbdebug) qDebug() << "FakeWizard::previousRelevant: previous page" << prev_p; return prev_p; } int FakeWizard::nextRelevant(const int page) const { if (fwbdebug) qDebug() << "FakeWizard::nextRelevant(" << page << ")"; int next_p = -1; for (int i = page+1; i < m_pageCount; i++) if (appropriates[i] && appropriate(i)) { next_p = i; break; } if (fwbdebug) qDebug() << "FakeWizard::nextRelevant: next page" << next_p; return next_p; } void FakeWizard::showPage(const int page) { if (page >= m_pageCount) return; nextButton->setEnabled(nextEnabled[page] && (nextRelevant(page) > -1) ); backButton->setEnabled(backEnabled[page] && (previousRelevant(page) > -1) ); finishButton->setEnabled(finishEnabled[page]); if (titleLabel) { if (!pageTitles[page].isEmpty()) { titleLabel->setText(pageTitles[page]); titleLabel->show(); } else titleLabel->hide(); } setCurrentPage(page); stackedWidget->setCurrentIndex(page); } int FakeWizard::currentPage() const { return m_currentPage; } void FakeWizard::setCurrentPage(const int page) { m_currentPage = page; } fwbuilder-5.3.7/src/libgui/fakeWizard.h000066400000000000000000000051451303637203600200230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: alek@codeminders.com $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FAKEWIZARD_H__ #define __FAKEWIZARD_H__ #include #include #include #include #include class FakeWizard { protected: QWidget *mainWidget; QStackedWidget *stackedWidget; QPushButton *nextButton; QPushButton *backButton; QPushButton *finishButton; QPushButton *cancelButton; QLabel *titleLabel; int m_currentPage; int m_pageCount; std::vector nextEnabled; std::vector backEnabled; std::vector appropriates; std::vector finishEnabled; std::vector pageTitles; int nextRelevant(const int page) const; int previousRelevant(const int page) const; public : FakeWizard(); virtual ~FakeWizard(); void setControlWidgets(QWidget *_mainWidget, QStackedWidget *_stackedWidget, QPushButton *_nextButton, QPushButton *_finishButton, QPushButton *_backButton, QPushButton *_cancelButton, QLabel *_titleLabel = NULL); int pageCount() const; int currentPage() const; void showPage(const int page); void setCurrentPage(const int page); void setNextEnabled(const int page, const bool enabled); void setBackEnabled(const int page, const bool enabled); void setAppropriate(const int page, const bool value); void setFinishEnabled(const int page, const bool enabled); void setTitle(const int page, const QString title); virtual bool appropriate(const int) const { return true; } /*virtual void backClicked(); virtual void nextClicked();*/ }; #endif 
fwbuilder-5.3.7/src/libgui/filePropDialog.cpp000066400000000000000000000111521303637203600211620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "fwbuilder/FWObjectDatabase.h" #include "filePropDialog.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "PrintingProgressDialog.h" #include "printerStream.h" #include "RCS.h" #include #include #include #include #ifndef _WIN32 # include // for access(2) #endif #include using namespace std; filePropDialog::~filePropDialog() { delete m_dialog; } filePropDialog::filePropDialog(QWidget *parent, RCS *rcs) : QDialog(parent) { m_dialog = new Ui::filePropDialog_q; m_dialog->setupUi(this); // we have to get a reference to the printer // or we can create a new one ... 
m_dialog->fileLocation->setText( rcs->getFileName() ); if (rcs->isRO()) m_dialog->fileRO->setText( tr("Opened read-only") ); else m_dialog->fileRO->setText(""); time_t lm = mw->activeProject()->db()->getTimeLastModified(); QString s = ctime( &lm ); s.truncate( s.length()-1 ); // chop newline m_dialog->lastModified->setText( QString("%1 (%2)").arg(s).arg(lm) ); if (rcs->isInRCS()) { m_dialog->fileRev->setText( rcs->getSelectedRev() ); m_dialog->fileLockedBy->setText( rcs->getLockedBy() ); QList::iterator i; for (i=rcs->begin(); i!=rcs->end(); ++i) { Revision r= *i; m_dialog->fileRevHistory->append( tr("Revision %1").arg(r.rev) ); m_dialog->fileRevHistory->append( r.log ); m_dialog->fileRevHistory->append("\n"); m_dialog->fileRevHistory->moveCursor(QTextCursor::Start); } } else { m_dialog->fileRev->setText(""); m_dialog->fileLockedBy->setText(""); m_dialog->fileRevHistory->setText(""); } } void filePropDialog::setPrinter(QPrinter *p) { printer=p; } void filePropDialog::printRevHistory() { // Revision history printing: // // 1. setup printer properties // 2. create a stream // 3. split text from the QTextBrowser (fileRevHistory) into the lines // 4. 
send lines to the stream // //int pageWidth = 0; //int pageHeight = 0; bool fullPage = false; float margin; #if defined(Q_OS_MACX) || defined(Q_OS_WIN32) margin=1.5; #else margin=0; #endif int resolution = 150; bool printHeader = true; //bool printLegend = true; //bool printObjects = true; //bool newPageForSection = false; //int tableResolution = 2; // 50%, 75%, 100%, 150%, 200%, default 100% QPrintDialog printDialog(printer, this); #if (QT_VERSION > 0x030200) printDialog.addEnabledOption(QAbstractPrintDialog::PrintPageRange); printDialog.setPrintRange(QAbstractPrintDialog::AllPages); printDialog.setMinMax(1,9999); #endif printer->setResolution(resolution); printer->setFullPage(fullPage); if (printDialog.exec() == QDialog::Accepted) { int fromPage = printer->fromPage(); int toPage = printer->toPage(); if (fromPage==0) fromPage=1; if (toPage==0) toPage=9999; PrintingProgressDialog *ppd = new PrintingProgressDialog(this,printer,0,false); QString headerText = "Revision History:"; #if defined(Q_OS_MACX) printerStream pr(printer,1.0,margin,printHeader,headerText,NULL); #else printerStream pr(printer,1.0,margin,printHeader,headerText,ppd); ppd->show(); #endif pr.setFromTo(fromPage,toPage); if ( !pr.begin()) { ppd->hide(); delete ppd; return; } //QSize margins = printer->margins(); pr.beginPage(); // resets yPos QStringList sl; sl=m_dialog->fileRevHistory->toPlainText().split('\n'); for ( QStringList::Iterator it = sl.begin(); it != sl.end(); ++it ) { pr.printText(*it); } ppd->hide(); delete ppd; pr.end(); } } fwbuilder-5.3.7/src/libgui/filePropDialog.h000066400000000000000000000026031303637203600206300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FILEPROPDIALOG_H_ #define __FILEPROPDIALOG_H_ #include #include #include #include "config.h" #include class RCS; class QPrinter; class filePropDialog : public QDialog { Q_OBJECT Ui::filePropDialog_q *m_dialog; public: filePropDialog(QWidget *parent, RCS *rcs); ~filePropDialog(); void setPrinter(QPrinter *printer); private: QPrinter *printer; public slots: virtual void printRevHistory( ); }; #endif // __FILEPROPDIALOG_H fwbuilder-5.3.7/src/libgui/filepropdialog_q.ui000066400000000000000000000151631303637203600214430ustar00rootroot00000000000000 filePropDialog_q Qt::WindowModal 0 0 402 578 File Properties true true Location: false 0 0 location false RO false Time of last modification: false lastModified false QFrame::HLine QFrame::Sunken Qt::Horizontal Revision Control: false Revision: false 0 0 rev false Locked by user: false 0 0 lockedBy false Revision history: false true 100 16777215 Print Qt::Horizontal 40 20 100 16777215 OK true fileRevHistory bt_print bt_OK bt_OK released() filePropDialog_q close() 20 20 20 20 bt_print released() filePropDialog_q printRevHistory() 20 20 20 20 fwbuilder-5.3.7/src/libgui/filterdialog_q.ui000066400000000000000000000201311303637203600210770ustar00rootroot00000000000000 FilterDialog_q 0 0 527 407 Filter 11 6 0 6 Save Load Qt::Horizontal QSizePolicy::Expanding 96 20 Ok true Cancel Match false all any of the following: false Qt::Horizontal 
QSizePolicy::Expanding 51 20 0 6 48 32767 Add a new pattern + 0 6 2 Target Type Pattern Case sensitive Qt::Vertical QSizePolicy::Expanding 20 140 48 32767 Remove a pattern - combo table addButton remButton case_sensitive saveButton loadButton okButton cancelButton okButton clicked() FilterDialog_q apply() 20 20 20 20 cancelButton clicked() FilterDialog_q reject() 20 20 20 20 loadButton clicked() FilterDialog_q load() 20 20 20 20 saveButton clicked() FilterDialog_q save() 20 20 20 20 addButton clicked() FilterDialog_q addPattern() 20 20 20 20 remButton clicked() FilterDialog_q removePattern() 20 20 20 20 fwbuilder-5.3.7/src/libgui/findDialog.cpp000066400000000000000000000243131303637203600203250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "findDialog.h" #include "ProjectPanel.h" #include "FWBTree.h" #include "FWBSettings.h" #include "FWWindow.h" #include "events.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include #include #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace std; #define MAX_SEARCH_ITEMS_COUNT 10 findDialog::findDialog(QWidget *p, ProjectPanel *project) : QDialog(p), treeSeeker(), m_project(project) { m_dialog = new Ui::findDialog_q; m_dialog->setupUi(this); lastFound=NULL; lastTextSearch=""; lastAttrSearch=""; m_dialog->findText->setFocus(); } void findDialog::setObject(FWObject *o) { reset(); m_dialog->findText->lineEdit()->setText( QString::fromUtf8(o->getName().c_str()) ); } void findDialog::reset() { lastFound=NULL; lastTextSearch=""; treeSeeker=m_project->db()->tree_begin(); } void findDialog::findTextChanged(const QString &ns) { if (ns!=lastTextSearch) reset(); lastTextSearch=ns; } void findDialog::findAttrChanged(const QString &ns) { if (ns!=lastAttrSearch) reset(); lastAttrSearch=ns; } void findDialog::find() { if (m_dialog->findText->currentText().isEmpty() && m_dialog->findAttr->currentText().isEmpty()) return; if (m_dialog->findText->currentText() != m_dialog->findText->itemText(0)) { if (m_dialog->findText->count()>=MAX_SEARCH_ITEMS_COUNT) m_dialog->findText->removeItem(MAX_SEARCH_ITEMS_COUNT-1); m_dialog->findText->insertItem( 0, m_dialog->findText->currentText() ); if (fwbdebug) { qDebug("findDialog::find() : 
findText->text(0)=%s", m_dialog->findText->itemText(0).toLatin1().constData()); } } if (m_dialog->findAttr->currentText() != m_dialog->findAttr->itemText(0)) { if (m_dialog->findAttr->count()>=MAX_SEARCH_ITEMS_COUNT) m_dialog->findAttr->removeItem(MAX_SEARCH_ITEMS_COUNT-1); m_dialog->findAttr->insertItem( 0, m_dialog->findAttr->currentText() ); if (fwbdebug) qDebug("findDialog::find() : findAttr->text(0)=%s", m_dialog->findAttr->itemText(0).toLatin1().constData()); } findNext(); } bool findDialog::matchName(const QString &name) { QString s=m_dialog->findText->currentText(); if (s.isEmpty()) return true; bool res=false; if (m_dialog->useRegexp->isChecked()) res= ( name.indexOf( QRegExp(s) )!=-1 ); else res= ( name == s ); return res; } bool findDialog::matchAttr(libfwbuilder::FWObject *obj) { QString s=m_dialog->findAttr->currentText(); if (s.isEmpty()) return true; bool res=false; int attrN = m_dialog->attribute->currentIndex(); switch (attrN) { case 0: // Address { Address *a = Address::cast(obj); if (a!=NULL) { QString addr = a->getAddressPtr()->toString().c_str(); if (m_dialog->useRegexp->isChecked()) res= ( addr.indexOf( QRegExp(s) )!=-1 ); else res= ( addr == s ); } break; } case 1: // port if (TCPService::cast(obj)!=NULL || UDPService::cast(obj)!=NULL) { if (m_dialog->useRegexp->isChecked()) { QString port; port.setNum(TCPUDPService::cast(obj)->getSrcRangeStart()); res |= ( port.indexOf( QRegExp(s) )!=-1 ); port.setNum(TCPUDPService::cast(obj)->getSrcRangeEnd()); res |= ( port.indexOf( QRegExp(s) )!=-1 ); port.setNum(TCPUDPService::cast(obj)->getDstRangeStart()); res |= ( port.indexOf( QRegExp(s) )!=-1 ); port.setNum(TCPUDPService::cast(obj)->getDstRangeEnd()); res |= ( port.indexOf( QRegExp(s) )!=-1 ); } else { int port = s.toInt(); res |= (port == TCPUDPService::cast(obj)->getSrcRangeStart()); res |= (port == TCPUDPService::cast(obj)->getSrcRangeEnd()); res |= (port == TCPUDPService::cast(obj)->getDstRangeStart()); res |= (port == 
TCPUDPService::cast(obj)->getDstRangeEnd()); } break; } case 2: // protocol num. if (IPService::cast(obj)!=NULL) { if (m_dialog->useRegexp->isChecked()) { QString proto; proto.setNum(obj->getInt("protocol_num")); res |= ( proto.indexOf( QRegExp(s) )!=-1 ); } else { int proto = s.toInt(); res |= (proto == obj->getInt("protocol_num")); } break; } case 3: // icmp type if (ICMPService::cast(obj)!=NULL) { if (m_dialog->useRegexp->isChecked()) { QString icmptype; icmptype.setNum(obj->getInt("type")); res |= ( icmptype.indexOf( QRegExp(s) )!=-1 ); } else { int icmptype = s.toInt(); res |= (icmptype == obj->getInt("type")); } break; } } return res; } void findDialog::findNext() { if (m_dialog->findText->currentText().isEmpty() && m_dialog->findAttr->currentText().isEmpty()) return; if (m_dialog->findText->count()>10) m_dialog->findText->removeItem(0); if (m_dialog->findAttr->count()>10) m_dialog->findAttr->removeItem(0); FWObject *o=NULL; loop: QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) ); for (; treeSeeker!=m_project->db()->tree_end(); ++treeSeeker) { o = *treeSeeker; if( RuleElement::cast(o->getParent())!=NULL) { if (! m_dialog->searchInRules->isChecked()) continue; } else { /* if not in rules, then in the tree. */ if (! m_dialog->searchInTree->isChecked()) continue; } if (FWReference::cast(o)!=NULL) { FWReference *r=FWReference::cast(o); if ( matchName( QString::fromUtf8(r->getPointer()->getName().c_str()) ) && matchAttr( r->getPointer() )) break; } else { if (matchName( QString::fromUtf8(o->getName().c_str())) && matchAttr( o )) break; } } QApplication::restoreOverrideCursor(); if (treeSeeker==m_project->db()->tree_end()) { reset(); if ( QMessageBox::warning( this,"Firewall Builder", tr("Search hit the end of the object tree."), tr("&Continue at top"), tr("&Stop"), QString::null, 0, 1 )==0 ) goto loop; return; } assert(o!=NULL); /* found object. 
Shift iterator so it does not return the same object * when user hits 'find next' */ ++treeSeeker; if (FWReference::cast(o)!=NULL && RuleElement::cast(o->getParent())!=NULL) { m_project->ensureObjectVisibleInRules( FWReference::cast(o) ); QTimer::singleShot(200, this, SLOT(makeActive()) ); return; } if (Group::cast(o->getParent())!=NULL && !FWBTree().isSystem(o->getParent())) { QCoreApplication::postEvent( mw, new showObjectInTreeEvent(m_project->getFileName(), o->getParent()->getId())); QCoreApplication::postEvent( mw, new openObjectInEditorEvent(m_project->getFileName(), o->getParent()->getId())); QTimer::singleShot(200, this, SLOT(makeActive()) ); return; } if (fwbdebug) { qDebug("Found object: o=%p id=%s name=%s type=%s", o, FWObjectDatabase::getStringId(o->getId()).c_str(), o->getName().c_str(), o->getTypeName().c_str()); } QCoreApplication::postEvent( mw, new showObjectInTreeEvent(m_project->getFileName(), o->getId())); QCoreApplication::postEvent( mw, new openObjectInEditorEvent(m_project->getFileName(), o->getId())); QTimer::singleShot(200, this, SLOT(makeActive()) ); } void findDialog::makeActive() { activateWindow(); } void findDialog::showEvent( QShowEvent *ev) { st->restoreGeometry(this, QRect(200,100,330,140) ); QDialog::showEvent(ev); m_dialog->useRegexp->setChecked( st->getBool("Search/useRegexp") ); m_dialog->searchInTree->setChecked( st->getBool("Search/findInTree" ) ); m_dialog->searchInRules->setChecked( st->getBool("Search/findInRules") ); m_dialog->findText->setFocus(); } void findDialog::hideEvent( QHideEvent *ev) { st->saveGeometry(this); QDialog::hideEvent(ev); st->setBool("Search/useRegexp", m_dialog->useRegexp->isChecked() ); st->setBool("Search/findInTree", m_dialog->searchInTree->isChecked() ); st->setBool("Search/findInRules", m_dialog->searchInRules->isChecked() ); } fwbuilder-5.3.7/src/libgui/findDialog.h000066400000000000000000000035651303637203600200000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, 
LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FINDDIALOG_H_ #define __FINDDIALOG_H_ #include "config.h" #include #include "fwbuilder/FWObject.h" class ProjectPanel; class findDialog : public QDialog { Q_OBJECT; QString lastTextSearch; QString lastAttrSearch; libfwbuilder::FWObject *lastFound; libfwbuilder::FWObject::tree_iterator treeSeeker; bool matchName(const QString &name); bool matchAttr(libfwbuilder::FWObject* obj); ProjectPanel *m_project; public: Ui::findDialog_q *m_dialog; findDialog(QWidget *p, ProjectPanel *project); void setObject(libfwbuilder::FWObject *o); ~findDialog() { delete m_dialog; }; public slots: virtual void find(); virtual void findNext(); virtual void reset(); virtual void findTextChanged(const QString&); virtual void findAttrChanged(const QString&); void makeActive(); protected: virtual void showEvent( QShowEvent *ev); virtual void hideEvent( QHideEvent *ev); }; #endif // __FINDDIALOG_H fwbuilder-5.3.7/src/libgui/finddialog_q.ui000066400000000000000000000143001303637203600205330ustar00rootroot00000000000000 findDialog_q 0 0 424 196 0 0 Qt::StrongFocus Find Object true QComboBox::InsertAtTop false Text to be found in object names: false Search in policy rules Search in the tree true Qt::Vertical QSizePolicy::Expanding 20 30 Find true QFrame::HLine QFrame::Sunken true 
Matching attribute: false Address TCP/UDP port Protocol number ICMP type Search for substring using regular expressions findText attribute findAttr useRegexp searchInTree searchInRules findBtn findBtn clicked() findDialog_q find() 20 20 20 20 findText activated(QString) findDialog_q findTextChanged(QString) 20 20 20 20 findText editTextChanged(QString) findDialog_q findTextChanged(QString) 20 20 20 20 findAttr activated(QString) findDialog_q findAttrChanged(QString) 20 20 20 20 findAttr editTextChanged(QString) findDialog_q findAttrChanged(QString) 20 20 20 20 attribute activated(QString) findDialog_q findAttrChanged(QString) 20 20 20 20 fwbuilder-5.3.7/src/libgui/findobjectwidget_q.ui000066400000000000000000000303331303637203600217520ustar00rootroot00000000000000 findObjectWidget_q 0 0 933 221 Form1 0 0 Find object 0 0 100 80 9 Name or label IP Address TCP/UDP port Protocol number ICMP type true Use regular expressions 0 0 Replace object 0 0 100 80 9 0 0 Scope for search and replace : 4 Tree only Tree and policy of all firewalls Policy of all firewalls policy of the opened firewall Qt::Horizontal QSizePolicy::Expanding 100 20 Find Next true true Replace Replace all Replace Current && Find Next Qt::Horizontal QSizePolicy::Expanding 110 20 Qt::Vertical QSizePolicy::MinimumExpanding 75 1 FWObjectDropArea QWidget
FWObjectDropArea.h
1
attribute findAttr srScope replaceAllButton replaceButton repNextButton findButton findDropArea objectDeleted() findObjectWidget_q enableAll() 20 20 20 20 findDropArea objectInserted() findObjectWidget_q objectInserted() 20 20 20 20 findButton clicked() findObjectWidget_q find() 20 20 20 20 findAttr activated(QString) findObjectWidget_q findAttrChanged(QString) 20 20 20 20 findAttr editTextChanged(QString) findObjectWidget_q findAttrChanged(QString) 20 20 20 20 attribute activated(QString) findObjectWidget_q findAttrChanged(QString) 20 20 20 20 replaceButton clicked() findObjectWidget_q replace() 20 20 20 20 replaceAllButton clicked() findObjectWidget_q replaceAll() 20 20 20 20 srScope activated(int) findObjectWidget_q reset() 20 20 20 20 replaceDropArea objectDeleted() findObjectWidget_q replaceDisable() 20 20 20 20 replaceDropArea objectInserted() findObjectWidget_q replaceEnable() 20 20 20 20 repNextButton clicked() findObjectWidget_q replaceNext() 20 20 20 20 srScope activated(int) findObjectWidget_q scopeChanged() 20 20 20 20
fwbuilder-5.3.7/src/libgui/findwhereusedwidget_q.ui000066400000000000000000000110641303637203600224770ustar00rootroot00000000000000 findWhereUsedWidget_q 0 0 895 199 0 0 Form1 0 0 Object: 0 0 100 80 0 0 Object is found in : 6 true true Object Used by Details Include children of the object in search. For example, if the object is a firewall, results will include all rules and groups using it, its interfaces and their addresses Include children Find FWObjectDropArea QWidget
FWObjectDropArea.h
1
resListView resListView itemClicked(QTreeWidgetItem*,int) findWhereUsedWidget_q itemClicked(QTreeWidgetItem*,int) 457 88 433 81 pushButton2 pressed() findWhereUsedWidget_q find() 76 178 447 99 itemActivated(QTreeWidgetItem*,int) itemClicked(QTreeWidgetItem*,int) find()
fwbuilder-5.3.7/src/libgui/firewalldialog_q.ui000066400000000000000000000352771303637203600214400ustar00rootroot00000000000000 FirewallDialog_q true 0 0 927 284 0 0 Firewall 12 QFrame::Box QFrame::Sunken 0 0 250 0 350 16777215 QFrame::Box QFrame::Sunken 0 0 32767 32767 Name: false 1 0 100 23 0 0 32767 32767 Platform: false 0 0 100 26 0 0 32767 32767 Version: false 0 0 100 26 0 0 32767 32767 Host OS: false 0 0 100 26 0 0 Modified: 0 0 TextLabel 0 0 Compiled: 0 0 TextLabel 0 0 Installed: 0 0 TextLabel 0 0 200 0 32767 32767 Host OS Settings ... 0 0 200 0 32767 32767 Firewall Settings ... 0 0 215 0 215 16777215 Skip this firewall for batch compile and install operations Inactive firewall Qt::Vertical QSizePolicy::MinimumExpanding 203 67 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name platform version hostOS osAdvanced fwAdvanced inactive fwAdvanced clicked() FirewallDialog_q openFWDialog() 20 20 20 20 osAdvanced clicked() FirewallDialog_q openOSDialog() 20 20 20 20 platformChanged() hostOSChanged() changed()
fwbuilder-5.3.7/src/libgui/freebsdAdvancedDialog.cpp000066400000000000000000000074711303637203600224530ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "freebsdAdvancedDialog.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include #include #include #include #include #include #include #include "FWWindow.h" using namespace std; using namespace libfwbuilder; freebsdAdvancedDialog::~freebsdAdvancedDialog() { delete m_dialog; } freebsdAdvancedDialog::freebsdAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::freebsdAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); QStringList threeStateMapping; threeStateMapping.push_back(QObject::tr("No change")); threeStateMapping.push_back(""); threeStateMapping.push_back(QObject::tr("On")); threeStateMapping.push_back("1"); threeStateMapping.push_back(QObject::tr("Off")); threeStateMapping.push_back("0"); data.registerOption(m_dialog->freebsd_ip_sourceroute, fwopt, "freebsd_ip_sourceroute", 
threeStateMapping); data.registerOption(m_dialog->freebsd_ip_redirect, fwopt, "freebsd_ip_redirect", threeStateMapping); data.registerOption(m_dialog->freebsd_ip_forward, fwopt, "freebsd_ip_forward", threeStateMapping); data.registerOption(m_dialog->freebsd_ipv6_forward, fwopt, "freebsd_ipv6_forward", threeStateMapping); data.registerOption(m_dialog->freebsd_path_ipnat, fwopt, "freebsd_path_ipnat"); data.registerOption(m_dialog->freebsd_path_sysctl, fwopt,"freebsd_path_sysctl"); data.registerOption(m_dialog->freebsd_path_ipf, fwopt, "freebsd_path_ipf"); data.registerOption(m_dialog->freebsd_path_ipfw, fwopt, "freebsd_path_ipfw"); data.registerOption(m_dialog->freebsd_path_pfctl, fwopt, "freebsd_path_pfctl"); data.registerOption(m_dialog->freebsd_data_dir, fwopt, "data_dir"); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void freebsdAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions *fwopt=(Firewall::cast(new_state))->getOptionsObject(); assert(fwopt!=NULL); data.saveAll(fwopt); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void freebsdAdvancedDialog::reject() { QDialog::reject(); } fwbuilder-5.3.7/src/libgui/freebsdAdvancedDialog.h000066400000000000000000000027021303637203600221100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FREEBSDADVANCEDDIALOG_H_ #define __FREEBSDADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class freebsdAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::freebsdAdvancedDialog_q *m_dialog; public: freebsdAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~freebsdAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); }; #endif // __FREEBSDADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/freebsdadvanceddialog_q.ui000066400000000000000000000402031303637203600227140ustar00rootroot00000000000000 freebsdAdvancedDialog_q Qt::WindowModal 0 0 507 363 FreeBSD: advanced settings QTabWidget::Rounded 2 Options Qt::Vertical QSizePolicy::Fixed 20 20 IPv4 Packet forwarding Qt::AlignCenter false No change On Off Qt::Horizontal QSizePolicy::Expanding 40 20 IPv6 Packet forwarding Qt::AlignCenter false No change On Off Forward source routed packets Qt::AlignCenter false No change On Off Generate ICMP redirects Qt::AlignCenter false No change On Off Qt::Vertical 20 83 Path 0 0 Specify directory path and a file name for the following utilities on the OS your firewall machine is running. Leave these empty if you want to use default values. 
Qt::AlignCenter true Qt::Horizontal QSizePolicy::Expanding 40 20 ipfw: Qt::AlignCenter false 0 0 200 0 Qt::Horizontal QSizePolicy::Expanding 40 20 pfctl: Qt::AlignCenter false 200 0 ipf: Qt::AlignCenter false 0 0 200 0 ipnat: Qt::AlignCenter false 200 0 sysctl: Qt::AlignCenter false 200 0 Qt::Vertical QSizePolicy::Expanding 20 40 Data Qt::Vertical QSizePolicy::Fixed 20 20 Specify directory where data files (e.g. run-time address table) are found on the firewall. Qt::AlignCenter true Data directory: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 300 0 Qt::Vertical 20 155 Qt::Horizontal QSizePolicy::Expanding 20 20 &OK true true &Cancel true tabWidget freebsd_ip_forward freebsd_ip_sourceroute freebsd_ip_redirect buttonOk buttonCancel freebsd_path_ipfw freebsd_path_ipf freebsd_path_ipnat freebsd_path_sysctl buttonOk clicked() freebsdAdvancedDialog_q accept() 20 20 20 20 buttonCancel clicked() freebsdAdvancedDialog_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/fwbuilder_ph.h000077500000000000000000000075321303637203600204130ustar00rootroot00000000000000 #include #include #include #include #include #include #include #if defined __cplusplus #include "definitions.h" #include "global.h" #include "utils.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Address.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/BackgroundOp.h" #include "fwbuilder/Constants.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Group.h" #include "fwbuilder/Host.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/InetAddr.h" #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/Interface.h" #include 
"fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" #include "fwbuilder/Library.h" #include "fwbuilder/Logger.h" #include "fwbuilder/Management.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Network.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/RuleSet.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/Tools.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/physAddress.h" // QT #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include // STL #include #include #include #include #include #include #include #include #include #include #include #include #include #include #endif fwbuilder-5.3.7/src/libgui/fwobjectdroparea_q.ui000066400000000000000000000016511303637203600217610ustar00rootroot00000000000000 FWObjectDropArea_q 0 0 142 102 1 1 0 0 100 100 Form1 true fwbuilder-5.3.7/src/libgui/global.h000066400000000000000000000026531303637203600171750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland 
vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __GLOBAL_DEFS_ #define __GLOBAL_DEFS_ #include "../../VERSION.h" #include #include class QString; class FWBApplication; class FWWindow; class FWBSettings; extern FWBApplication *app; extern FWWindow *mw; extern FWBSettings *st; extern std::string appRootDir; extern std::string userDataDir; extern std::string argv0; extern std::string ee; extern int fwbdebug; extern QString user_name; extern int sig; #ifdef NDEBUG # undef NDEBUG # include # define NDEBUG #else # include #endif #endif fwbuilder-5.3.7/src/libgui/groupobjectdialog_q.ui000066400000000000000000000253061303637203600221460ustar00rootroot00000000000000 GroupObjectDialog_q true 0 0 934 245 0 0 Group 0 0 QFrame::Box QFrame::Sunken QGroupBox { margin: 0px; padding: 4px; } true 2 0 Qt::Horizontal 31 26 0 0 20 0 I true true true false 0 0 20 0 L true true 100 false 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 ArrowCursor Qt::Vertical QSizePolicy::Fixed 20 10 New Object Create New Object Create new object and add to this group :/Icons/newobject_25.png:/Icons/newobject_25.png false Qt::Horizontal 40 20 Qt::Vertical 20 18 250 0 250 100 true 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name ObjectListView.h iconViewBtn clicked() GroupObjectDialog_q switchToIconView() 20 20 20 20 listViewBtn clicked() GroupObjectDialog_q switchToListView() 20 20 20 20 newButton clicked() GroupObjectDialog_q newObject() 168 161 466 122 newObject()
fwbuilder-5.3.7/src/libgui/gui.cw000066400000000000000000000063661303637203600167100ustar00rootroot00000000000000 findObjectWidget_q
findobjectwidget_q.h
1 0 1 0 0 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 enableAll() public disableAll()
FWObjectDropArea
FWObjectDropArea.h
-1 2 1 0 5 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 objectInserted() objectDeleted()
fwbuilder-5.3.7/src/libgui/heartbeatOptionsDialog.cpp000066400000000000000000000100271303637203600227150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "heartbeatOptionsDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include #include #include using namespace std; using namespace libfwbuilder; heartbeatOptionsDialog::heartbeatOptionsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::heartbeatOptionsDialog_q; m_dialog->setupUi(this); obj = o; FWOptions *gropt = FWOptions::cast(obj); assert(gropt != NULL); FWObject *p = obj; while (p && Cluster::cast(p)==NULL) p = p->getParent(); assert(p != NULL); Cluster *cluster = Cluster::cast(p); Resources *os_res = Resources::os_res[cluster->getStr("host_OS")]; assert(os_res != NULL); string default_address = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/heartbeat/default_address"); string default_port = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/heartbeat/default_port"); string addr = gropt->getStr("heartbeat_address"); if (addr.empty()) gropt->setStr("heartbeat_address", 
default_address); string port = gropt->getStr("heartbeat_port"); if (port.empty()) gropt->setStr("heartbeat_port", default_port); data.registerOption(m_dialog->use_unicast, gropt, "heartbeat_unicast"); data.registerOption(m_dialog->heartbeat_address, gropt, "heartbeat_address"); data.registerOption(m_dialog->heartbeat_port, gropt, "heartbeat_port"); data.loadAll(); toggleUseUnicast(); } heartbeatOptionsDialog::~heartbeatOptionsDialog() { delete m_dialog; } void heartbeatOptionsDialog::accept() { if (!validate()) return; // the parent of this dialog is InterfaceDialog, not ProjectPanel ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChangeOptionsObject(project, obj)); FWObject* new_state = cmd->getNewState(); data.saveAll(new_state); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void heartbeatOptionsDialog::reject() { QDialog::reject(); } bool heartbeatOptionsDialog::validate() { try { InetAddr(m_dialog->heartbeat_address->text().toLatin1().constData()); } catch (FWException &ex) { try { InetAddr(AF_INET6, m_dialog->heartbeat_address->text().toLatin1().constData() ); } catch (FWException &ex) { QMessageBox::critical( this, "Firewall Builder", tr("Invalid IP address '%1'").arg(m_dialog->heartbeat_address->text()), tr("&Continue"), 0, 0, 0 ); return false; } } return true; } void heartbeatOptionsDialog::toggleUseUnicast() { bool onoff = m_dialog->use_unicast->isChecked(); m_dialog->heartbeat_address->setEnabled( ! onoff ); m_dialog->heartbeat_address_label->setEnabled( ! onoff ); } fwbuilder-5.3.7/src/libgui/heartbeatOptionsDialog.h000066400000000000000000000027531303637203600223710ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __HEARTBEATOPTIONSDIALOG_H_ #define __HEARTBEATOPTIONSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class heartbeatOptionsDialog : public QDialog { Q_OBJECT public: heartbeatOptionsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~heartbeatOptionsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::heartbeatOptionsDialog_q *m_dialog; bool validate(); protected slots: virtual void accept(); virtual void reject(); virtual void toggleUseUnicast(); }; #endif // __HEARTBEATOPTIONSDIALOG_H_ fwbuilder-5.3.7/src/libgui/heartbeatoptionsdialog_q.ui000066400000000000000000000141151303637203600231720ustar00rootroot00000000000000 heartbeatOptionsDialog_q 0 0 402 263 heartbeat protocol settings Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 heartbeat Parameters :/Icons/Options:/Icons/Options Heartbeat should be configured to use unicast address of each firewall member for health checks. Firewall Builder will add policy rules to permit these automatically. Use unicast address for heartbeat Address: Enter multicat address used for heartbeat health checks here. 
Qt::Horizontal 56 20 Port number (udp): 65535 Qt::Horizontal 120 20 Qt::Vertical 20 40 buttonOk buttonCancel tabWidget buttonOk clicked() heartbeatOptionsDialog_q accept() 316 472 20 20 buttonCancel clicked() heartbeatOptionsDialog_q reject() 397 472 20 20 use_unicast toggled(bool) heartbeatOptionsDialog_q toggleUseUnicast() 204 51 200 131 toggleUseUnicast() fwbuilder-5.3.7/src/libgui/helpview_q.ui000066400000000000000000000051031303637203600202570ustar00rootroot00000000000000 HelpView_q Qt::NonModal 0 0 469 639 Help QFrame::StyledPanel QFrame::Raised 75 true Object Name false Qt::Horizontal 40 20 Close closeButton clicked() HelpView_q close() 418 588 234 319 fwbuilder-5.3.7/src/libgui/hostdialog_q.ui000066400000000000000000000074271303637203600206040ustar00rootroot00000000000000 HostDialog_q true 0 0 748 214 Host QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 MAC matching Qt::Vertical 20 98 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name MACmatching
fwbuilder-5.3.7/src/libgui/icmpservicedialog_q.ui000066400000000000000000000137431303637203600221360ustar00rootroot00000000000000 ICMPServiceDialog_q true 0 0 668 230 0 0 ICMP QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken 0 0 Name: false 200 0 0 0 ICMP Type: false 80 16777215 any -1 255 Qt::Horizontal 167 20 ICMP Code: false any -1 255 Qt::Vertical 20 82 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name icmpType icmpCode
fwbuilder-5.3.7/src/libgui/importAddressListWizard/000077500000000000000000000000001303637203600224135ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/importAddressListWizard/ChooseObjectsPage.cpp000066400000000000000000000051051303637203600264470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "global.h" #include "ChooseObjectsPage.h" #include "HostsFile.h" #include "ObjectDescriptor.h" #include #include using namespace std; using namespace libfwbuilder; ChooseObjectsPage::ChooseObjectsPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::ChooseObjectsPage_q; m_dialog->setupUi(this); registerField("objectsToUse*", m_dialog->objectSelector, "objectsToUse", SIGNAL(selectionChanged())); } void ChooseObjectsPage::initializePage() { if (fwbdebug) qDebug() << "ChooseObjectsPage::initializePage()" << "file name" << field("fileName").toString(); try { HostsFile importer(field("fileName").toString()); importer.parse(); map imported_hosts_info = importer.getAll(); QList objects; map::iterator i; for (i=imported_hosts_info.begin(); i!=imported_hosts_info.end(); ++i) { ObjectDescriptor od; od.addr = i->first; od.sysname = i->second.front().toUtf8().constData(); objects.push_back(od); } 
m_dialog->objectSelector->init(objects); } catch (FWException &ex) { QMessageBox::critical( NULL , "Firewall Builder", ex.toString().c_str(), QString::null,QString::null); } } bool ChooseObjectsPage::validatePage() { if (fwbdebug) qDebug() << "ChooseObjectsPage::validatePage()"; return true; } bool ChooseObjectsPage::isComplete() const { if (fwbdebug) qDebug() << "ChooseObjectsPage::isComplete()"; return (m_dialog->objectSelector->count() > 0); } fwbuilder-5.3.7/src/libgui/importAddressListWizard/ChooseObjectsPage.h000066400000000000000000000024001303637203600261070ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __CHOOSEOBJECTSPAGE_H_ #define __CHOOSEOBJECTSPAGE_H_ #include "ui_chooseobjectspage_q.h" #include class ChooseObjectsPage : public QWizardPage { Q_OBJECT; Ui::ChooseObjectsPage_q *m_dialog; public: ChooseObjectsPage(QWidget *parent); virtual ~ChooseObjectsPage() {} virtual void initializePage(); virtual bool validatePage(); virtual bool isComplete() const; }; #endif fwbuilder-5.3.7/src/libgui/importAddressListWizard/CreateObjectsPage.cpp000066400000000000000000000063741303637203600264430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "global.h" #include "events.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "CreateObjectsPage.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include #include using namespace std; using namespace libfwbuilder; CreateObjectsPage::CreateObjectsPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::CreateObjectsPage_q; m_dialog->setupUi(this); } void CreateObjectsPage::initializePage() { if (fwbdebug) qDebug() << "CreateObjectsPage::initializePage()"; int lib_index = field("libIndex").toInt(); QStringList libraries = field("libraries").toStringList(); QStringList objects = field("objectsToUse").toStringList(); if (fwbdebug) { qDebug() << "libraries=" << libraries; qDebug() << "objects=" << objects; } m_dialog->progressBar->setFormat("%v / %m"); m_dialog->progressBar->setMaximum(objects.size() / 2); FWObject *last_object = NULL; QString name; QString addr; int counter = 1; while (objects.size() > 0) { name = objects.front(); objects.pop_front(); addr = objects.front(); objects.pop_front(); QString type; try { InetAddr(AF_INET6, addr.toLatin1().constData() ); type = IPv6::TYPENAME; } catch (FWException &ex) { } if (type.isEmpty()) { try { InetAddr(AF_INET, addr.toLatin1().constData() ); type = IPv4::TYPENAME; } catch (FWException &ex) { } } if (! 
type.isEmpty()) { Address *obj = Address::cast(mw->createObject(type, name)); assert(obj!=NULL); obj->setName(name.toUtf8().constData()); obj->setAddress(InetAddr(addr.toStdString())); obj->setNetmask(InetAddr(InetAddr::getAllOnes())); mw->moveObject(libraries[lib_index], obj); last_object = obj; } m_dialog->progressBar->setValue(counter); qApp->processEvents(); counter++; } ProjectPanel *pp = mw->activeProject(); QString filename = pp->getFileName(); QCoreApplication::postEvent(mw, new reloadObjectTreeEvent(filename)); QCoreApplication::postEvent( mw->activeProject(), new openLibraryForObjectEvent( filename, last_object->getId())); } fwbuilder-5.3.7/src/libgui/importAddressListWizard/CreateObjectsPage.h000066400000000000000000000022711303637203600261000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __CREATEOBJECTSPAGE_H_ #define __CREATEOBJECTSPAGE_H_ #include "ui_createobjectspage_q.h" class CreateObjectsPage : public QWizardPage { Q_OBJECT; Ui::CreateObjectsPage_q *m_dialog; public: CreateObjectsPage(QWidget *parent); virtual ~CreateObjectsPage() {} virtual void initializePage(); public slots: }; #endif fwbuilder-5.3.7/src/libgui/importAddressListWizard/FileNamePage.cpp000066400000000000000000000044151303637203600254000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "global.h" #include "FWBSettings.h" #include "FileNamePage.h" #include #include #include #include using namespace std; //using namespace libfwbuilder; FileNamePage::FileNamePage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::FileNamePage_q; m_dialog->setupUi(this); registerField("fileName*", m_dialog->fileName); } void FileNamePage::selectAddressListFile() { QString s = QFileDialog::getOpenFileName( this, "Choose a file", st->getOpenFileDir(), "All files (*)"); if (s.isEmpty()) return; st->setOpenFileDir(s); m_dialog->fileName->setText(s); } bool FileNamePage::validatePage() { if (fwbdebug) qDebug() << "FileNamePage::validatePage()"; QString file_name = m_dialog->fileName->text(); QFileInfo f(file_name); if ( ! f.exists()) { QMessageBox::critical( NULL , "Firewall Builder", tr("File %1 does not exist").arg(file_name), QString::null,QString::null); return false; } if ( ! f.isReadable()) { QMessageBox::critical( NULL , "Firewall Builder", tr("Can not read file %1").arg(file_name), QString::null,QString::null); return false; } return true; } fwbuilder-5.3.7/src/libgui/importAddressListWizard/FileNamePage.h000066400000000000000000000022661303637203600250470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __FILENAMEPAGE_H_ #define __FILENAMEPAGE_H_ #include "ui_filenamepage_q.h" class FileNamePage : public QWizardPage { Q_OBJECT; Ui::FileNamePage_q *m_dialog; public: FileNamePage(QWidget *parent); virtual ~FileNamePage() {} virtual bool validatePage(); public slots: void selectAddressListFile(); }; #endif fwbuilder-5.3.7/src/libgui/importAddressListWizard/HostsFile.cpp000066400000000000000000000047231303637203600250250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ //#include "../../config.h" #include "HostsFile.h" #include #include #include extern int fwbdebug; using namespace std; using namespace libfwbuilder; void HostsFile::parse() throw(FWException) { QFile file(file_name); if (!file.open(QIODevice::ReadOnly | QIODevice::Text)) throw FWException("Can't open file '" + file_name.toStdString() + "'"); data.clear(); QRegExp comment("^\\s*#"); QRegExp hosts_line("^\\s*(\\S+)\\s+(\\S*)"); while ( ! 
file.atEnd()) { QString line = QString::fromUtf8(file.readLine().trimmed()); if (fwbdebug) qDebug() << "Line: " << line; if (comment.indexIn(line) > -1) continue; if (hosts_line.indexIn(line) > -1) { QString addr_s = hosts_line.cap(1); QStringList names = hosts_line.cap(2).split(","); if (fwbdebug) qDebug() << "cap(1)=" << hosts_line.cap(1) << "cap(2)=" << hosts_line.cap(2); try { InetAddr addr(AF_INET6, addr_s.toStdString()); foreach(QString name, names) data[addr] << name.trimmed(); } catch (FWException&) { try { InetAddr addr(addr_s.toStdString()); foreach(QString name, names) data[addr] << name.trimmed(); } catch (FWException &ex) { string err = ex.toString() + "\nIn line: " + line.toStdString(); throw FWException(err); } } } } } fwbuilder-5.3.7/src/libgui/importAddressListWizard/HostsFile.h000066400000000000000000000027171303637203600244730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __HOSTS_FILE_HH_FLAG__ #define __HOSTS_FILE_HH_FLAG__ #include #include #include /** * This class is parser for file in hosts(5) format * (e.g. 
/etc/hosts) */ class HostsFile { QString file_name; public: HostsFile(const QString &file_name) { this->file_name = file_name; } void parse() throw(libfwbuilder::FWException); // Returns all hosts found std::map getAll() { return data; } private: std::map data; }; #endif // _HOSTS_FILE_HH_ fwbuilder-5.3.7/src/libgui/importAddressListWizard/ImportAddressListWizard.cpp000066400000000000000000000030351303637203600277150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "ImportAddressListWizard.h" #include "FileNamePage.h" #include "ChooseObjectsPage.h" #include "SelectLibraryPage.h" #include "CreateObjectsPage.h" #include using namespace std; //using namespace libfwbuilder; ImportAddressListWizard::ImportAddressListWizard(QWidget *parent) : QWizard(parent) { QPixmap pm; pm.load(":/Images/fwbuilder3-72x72.png"); setPixmap(QWizard::LogoPixmap, pm); setWindowTitle(tr("Import address objects from a text file in /etc/hosts format")); addPage(new FileNamePage(this)); addPage(new ChooseObjectsPage(this)); addPage(new SelectLibraryPage(this)); addPage(new CreateObjectsPage(this)); resize(700, 500); } fwbuilder-5.3.7/src/libgui/importAddressListWizard/ImportAddressListWizard.h000066400000000000000000000021651303637203600273650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IMPORTADDRESSLISTWIZARD_H_ #define __IMPORTADDRESSLISTWIZARD_H_ #include class ImportAddressListWizard : public QWizard { Q_OBJECT; public: ImportAddressListWizard(QWidget *parent); virtual ~ImportAddressListWizard() {} public slots: }; #endif fwbuilder-5.3.7/src/libgui/importAddressListWizard/SelectLibraryPage.cpp000066400000000000000000000030601303637203600264570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "utils.h" #include "FWWindow.h" #include "SelectLibraryPage.h" #include using namespace std; //using namespace libfwbuilder; SelectLibraryPage::SelectLibraryPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::SelectLibraryPage_q; m_dialog->setupUi(this); registerField("libIndex*", m_dialog->libs); registerField("libraries", this, "libraries"); setCommitPage(true); } void SelectLibraryPage::initializePage() { if (fwbdebug) qDebug() << "SelectLibraryPage::initializePage()"; fillLibraries(m_dialog->libs, mw->activeProject()->db()); for (int i=0; i < m_dialog->libs->count(); ++i) libraries << m_dialog->libs->itemText(i); } fwbuilder-5.3.7/src/libgui/importAddressListWizard/SelectLibraryPage.h000066400000000000000000000026211303637203600261260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SELECTLIBRARYPAGE_H_ #define __SELECTLIBRARYPAGE_H_ #include "ui_selectlibrarypage_q.h" class SelectLibraryPage : public QWizardPage { Q_OBJECT; Ui::SelectLibraryPage_q *m_dialog; QStringList libraries; Q_PROPERTY(QStringList libraries READ getLibraries WRITE setLibraries); public: SelectLibraryPage(QWidget *parent); virtual ~SelectLibraryPage() {} virtual void initializePage(); QStringList getLibraries() { return libraries; } void setLibraries(const QStringList &l) { libraries = l; } public slots: }; #endif fwbuilder-5.3.7/src/libgui/importAddressListWizard/chooseobjectspage_q.ui000066400000000000000000000023231303637203600267610ustar00rootroot00000000000000 ChooseObjectsPage_q 0 0 696 475 WizardPage Choose objects you wish to use ObjectSelectorWidget QWidget
ObjectSelectorWidget.h
1
addFilter() removeFilter() selectAllResults() unselectAllResults() selectAllUsed() unselectAllUsed() addObject() removeObject()
fwbuilder-5.3.7/src/libgui/importAddressListWizard/createobjectspage_q.ui000066400000000000000000000027671303637203600267600ustar00rootroot00000000000000 CreateObjectsPage_q 0 0 400 300 WizardPage Adding new objects to library Qt::AlignTop true Qt::Horizontal Qt::Vertical QSizePolicy::Expanding 20 228 fwbuilder-5.3.7/src/libgui/importAddressListWizard/filenamepage_q.ui000066400000000000000000000046671303637203600257240ustar00rootroot00000000000000 FileNamePage_q 0 0 465 300 WizardPage Enter full path and file name below or click "Browse" to find it Qt::AlignVCenter true File in hosts format 6 Browse ... Qt::Vertical QSizePolicy::Expanding 444 181 browseButton clicked() FileNamePage_q selectAddressListFile() 409 73 199 149 selectAddressListFile() fwbuilder-5.3.7/src/libgui/importAddressListWizard/selectlibrarypage_q.ui000066400000000000000000000037121303637203600267760ustar00rootroot00000000000000 SelectLibraryPage_q 0 0 469 393 WizardPage Select library where objects should be created Object Library: 0 0 Qt::Horizontal 198 20 Qt::Vertical QSizePolicy::Expanding 20 308 fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/000077500000000000000000000000001303637203600244675ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/IC_FileNamePage.cpp000066400000000000000000000041471303637203600300310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "FWBSettings.h" #include "IC_FileNamePage.h" #include #include #include #include #include IC_FileNamePage::IC_FileNamePage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::IC_FileNamePage_q; m_dialog->setupUi(this); registerField("fileName*", m_dialog->fileName); } void IC_FileNamePage::selectFile() { QString s = QFileDialog::getOpenFileName( this, "Choose file", st->getOpenFileDir(), "All files (*)"); if (s.isEmpty()) return; st->setOpenFileDir(s); m_dialog->fileName->setText(s); } bool IC_FileNamePage::validatePage() { QString file_name = m_dialog->fileName->text(); QFileInfo f(file_name); if ( ! f.exists()) { QMessageBox::critical( NULL , "Firewall Builder", tr("File %1 does not exist").arg(file_name), QString::null,QString::null); return false; } if ( ! f.isReadable()) { QMessageBox::critical( NULL , "Firewall Builder", tr("Can not read file %1").arg(file_name), QString::null,QString::null); return false; } return true; } fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/IC_FileNamePage.h000066400000000000000000000023031303637203600274660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef IC_FILENAMEPAGE_H #define IC_FILENAMEPAGE_H #include "ui_ic_filenamepage_q.h" class IC_FileNamePage : public QWizardPage { Q_OBJECT; Ui::IC_FileNamePage_q *m_dialog; public: IC_FileNamePage(QWidget *parent); virtual ~IC_FileNamePage() {} virtual bool validatePage(); public slots: void selectFile(); }; #endif // IC_FILENAMEPAGE_H fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/IC_FirewallNamePage.cpp000066400000000000000000000042141303637203600307120ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "FWBSettings.h" #include "IC_FirewallNamePage.h" #include "ImportFirewallConfigurationWizard.h" #include #include #include #include #include IC_FirewallNamePage::IC_FirewallNamePage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::IC_FirewallNamePage_q; m_dialog->setupUi(this); m_dialog->deduplicateOnImport->setChecked(true); registerField("firewallName*", m_dialog->firewallName); registerField("deduplicate", m_dialog->deduplicateOnImport); } void IC_FirewallNamePage::initializePage() { QString platform = dynamic_cast(wizard())-> platform; QStringList *buf = &(dynamic_cast(wizard())->buffer); qDebug() << "platform=" << platform; if (platform == "pix" || platform == "fwsm" || platform == "iosacl") { QRegExp cisco_re("^hostname\\s+(\\S+)"); foreach(QString line, *buf) { if (cisco_re.indexIn(line) > -1) { QString name = cisco_re.cap(1).replace("\"", "").replace("'", ""); m_dialog->firewallName->setText(name); break; } } } setCommitPage(true); emit completeChanged(); } fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/IC_FirewallNamePage.h000066400000000000000000000022771303637203600303660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef IC_FIREWALLNAMEPAGE_H #define IC_FIREWALLNAMEPAGE_H #include "ui_ic_firewallnamepage_q.h" class IC_FirewallNamePage : public QWizardPage { Q_OBJECT; Ui::IC_FirewallNamePage_q *m_dialog; public: IC_FirewallNamePage(QWidget *parent); virtual ~IC_FirewallNamePage() {} virtual void initializePage(); }; #endif // IC_FIREWALLNAMEPAGE_H fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/IC_NetworkZonesPage.cpp000066400000000000000000000111761303637203600310210ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "events.h" #include "FWBSettings.h" #include "networkZoneManager.h" #include "IC_NetworkZonesPage.h" #include "ImportFirewallConfigurationWizard.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Firewall.h" #include #include #include using namespace std; using namespace libfwbuilder; IC_NetworkZonesPage::IC_NetworkZonesPage(QWidget *parent) : QWizardPage(parent), m_dialog(new Ui::IC_NetworkZonesPage_q) { m_dialog->setupUi(this); } IC_NetworkZonesPage::~IC_NetworkZonesPage() { delete m_dialog; } void IC_NetworkZonesPage::initializePage() { Firewall *fw = dynamic_cast(wizard())->getFirewall(); m_dialog->iface_nz_list->clear(); QStringList labels; labels << QObject::tr("Name") << QObject::tr("Label") << QObject::tr("Address") << QObject::tr("Network Zone"); m_dialog->iface_nz_list->setHorizontalHeaderLabels(labels); NetworkZoneManager netzone_manager; netzone_manager.load( dynamic_cast(wizard())->db()); list all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); list::iterator it; int row = 0; for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it) { Interface *iface = Interface::cast(*it); m_dialog->iface_nz_list->insertRow(row); QTableWidgetItem* itm; itm = new QTableWidgetItem(iface->getName().c_str()); itm->setFlags(itm->flags() & ~Qt::ItemIsEditable); m_dialog->iface_nz_list->setItem(row, 0, itm); itm = new QTableWidgetItem(iface->getLabel().c_str()); itm->setFlags(itm->flags() & ~Qt::ItemIsEditable); m_dialog->iface_nz_list->setItem(row, 1, itm); QString addr_str; const InetAddr* addr = iface->getAddressPtr(); if (addr) addr_str = addr->toString().c_str(); itm = new QTableWidgetItem(addr_str); itm->setFlags(itm->flags() & ~Qt::ItemIsEditable); m_dialog->iface_nz_list->setItem(row, 2, itm); QComboBox *widget = new QComboBox(); netzone_manager.packComboBox(widget, -1); 
m_dialog->iface_nz_list->setCellWidget(row, 3, widget); row++; } m_dialog->iface_nz_list->resizeColumnToContents(3); } void IC_NetworkZonesPage::setNetworkZones() { Firewall *fw = dynamic_cast(wizard())->getFirewall(); if (fw == NULL) return; // read and configure network zones list all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); list::iterator it; for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it) { Interface *iface = Interface::cast(*it); string network_zone_str_id = ""; QList ltwi = m_dialog->iface_nz_list->findItems( iface->getName().c_str(), Qt::MatchExactly ); if ( ! ltwi.empty()) { QTableWidgetItem *itm2 = ltwi[0]; assert(itm2!=NULL); int row = itm2->row(); QComboBox *cb = dynamic_cast( m_dialog->iface_nz_list->cellWidget(row, 3)); assert(cb!=NULL); int network_zone_int_id = cb->itemData(cb->currentIndex(), Qt::UserRole).toInt(); if (network_zone_int_id != 0) network_zone_str_id = FWObjectDatabase::getStringId( network_zone_int_id); else network_zone_str_id = ""; } // only set network zone if it is supported and is not // empty. See #2014 if (!network_zone_str_id.empty()) iface->setStr("network_zone", network_zone_str_id); } } fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/IC_NetworkZonesPage.h000066400000000000000000000026111303637203600304600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef NETWORKZONESPAGE_H #define NETWORKZONESPAGE_H #include "ui_ic_networkzonespage_q.h" #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) # include #else # include #endif namespace Ui { class IC_NetworkZonesPage_q; } class IC_NetworkZonesPage : public QWizardPage { Q_OBJECT; Ui::IC_NetworkZonesPage_q *m_dialog; public: explicit IC_NetworkZonesPage(QWidget *parent = 0); virtual ~IC_NetworkZonesPage(); virtual void initializePage(); void setNetworkZones(); }; #endif // NETWORKZONESPAGE_H fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/IC_PlatformWarningPage.cpp000066400000000000000000000237411303637203600314640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "IC_PlatformWarningPage.h" #include "ImportFirewallConfigurationWizard.h" #include "PreImport.h" #include "platforms.h" #include #include #include #include #include #include using namespace std; IC_PlatformWarningPage::IC_PlatformWarningPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::IC_PlatformWarningPage_q; m_dialog->setupUi(this); setField("platform", ""); // user-chosen host os and version, so far we only show these for PF registerField("hostOS*", m_dialog->hostOS); registerField("version*", m_dialog->version); registerField("addStandardComments", m_dialog->addStandardComments); m_dialog->importOptionsFrame->hide(); platformOk = false; } bool IC_PlatformWarningPage::isComplete() const { if (!platformOk) return false; if (dynamic_cast(wizard())-> platform == "pf") { QString host_os = m_dialog->hostOS->currentText(); QString version = m_dialog->version->currentText(); return (! host_os.isEmpty() && ! 
version.isEmpty()); } else return true; } void IC_PlatformWarningPage::initializePage() { QString fileName = field("fileName").toString(); ImportFirewallConfigurationWizard* wz = dynamic_cast(wizard()); QFile cf(fileName); if (cf.open(QIODevice::ReadOnly )) { m_dialog->configFileBrowser->clear(); m_dialog->platform->setText(tr("Unknown")); QStringList *buf = &(wz->buffer); buf->clear(); QTextStream stream(&cf); while (true) { QString line = stream.readLine().trimmed(); if (line.isNull()) break; m_dialog->configFileBrowser->append(line); *buf << line; } QTextCursor cursor = m_dialog->configFileBrowser->textCursor(); cursor.setPosition(0, QTextCursor::MoveAnchor); m_dialog->configFileBrowser->setTextCursor(cursor); m_dialog->configFileBrowser->ensureCursorVisible(); bool iptables_c = false; Q_UNUSED(iptables_c); platformOk = false; PreImport pi(buf); pi.scan(); switch (pi.getPlatform()) { case PreImport::UNKNOWN: m_dialog->platform->setText(tr("Unknown")); m_dialog->platformSpecificWarning->setText( tr("Unrecognized configuration file format, can not import.")); platformOk = false; break; case PreImport::PIX: case PreImport::FWSM: m_dialog->platform->setText(tr("Cisco PIX / CIsco ASA / Cisco FWSM")); m_dialog->platformSpecificWarning->setText( tr("Not all Cisco ASA and PIX configuration commands are " "supported by Firewall Builder. " "The following configuration components will be imported " "and can be managed using " "Firewall Builder:" "
    " "
  • Interface configurations (IP address, security level, " "name, etc.)
  • " "
  • Access lists
  • " "
  • NAT configuration
  • " "
" "The following configuration components will not be imported:" "
    " "
  • VPN
  • " "
  • Static routes
  • " "
  • Dynamic routing protocols
  • " "
  • QoS
  • " "
" )); platformOk = true; break; case PreImport::IOSACL: m_dialog->platform->setText(tr("Cisco Router IOS")); m_dialog->platformSpecificWarning->setText( tr("Not all Cisco IOS configuration commands are " "supported by Firewall Builder. The following " "configuration components will be imported and " "can be managed using Firewall Builder:" "
    " "
  • Interface configurations (IP address)
  • " "
  • Extended access lists
  • " "
" "The following configuration components will not be imported:" "
    " "
  • VPN
  • " "
  • Static routes
  • " "
  • Dynamic routing protocols (OSPF, RIP, etc.)
  • " "
  • QoS
  • " "
" )); platformOk = true; break; case PreImport::IPTABLES: m_dialog->platform->setText(tr("iptables")); m_dialog->platformSpecificWarning->setText( tr("

Firewall Builder will import all the rules defined " "in the iptables configuration. Discovered IP networks " "and IP addresses used in the iptables rules will " "automatically have objects created in the object tree. " "Each user defined chain will be created as its own Policy " "object in Firewall Builder." "

" "

" "The import process will also attempt to detect interface " "names and IP addresses based on -i and -o parameters in " "the configuration, but you may have to update the firewall " "object with additional interface information like IP addresses." "

" )); platformOk = true; break; case PreImport::IPTABLES_WITH_COUNTERS: m_dialog->platform->setText(tr("iptables")); m_dialog->platformSpecificWarning->setText( tr("This appears to be iptables configuration saved using " "command \"iptables-save -c\"" "and it includes packet counters. Please save configuration " "using command \"iptables-save\" without option \"-c\" and " "try to import it again.")); platformOk = false; break; case PreImport::PF: { m_dialog->platform->setText(tr("pf")); m_dialog->platformSpecificWarning->setText( tr("

Firewall Builder supports import PF " "configuration from a pf.conf file. Tables will be imported " "as object groups and their names will be preserved. " "Macros are expanded in place and not imported as " "objects. Import of anchors is not supported at this time." "

" "

PF version in Firewall Builder corresponds to its " "versions in OpenBSD. If you run FreeBSD 8.2 or earlier, " "choose \"3.9\"." "

" )); platformOk = true; m_dialog->version->clear(); m_dialog->hostOS->clear(); wz->host_os_list.clear(); wz->version_list.clear(); // populate host OS items using standard function from platforms.cpp // but add an empty item on top and make it current setHostOS(m_dialog->hostOS, "pf", ""); m_dialog->hostOS->insertItem(0, ""); m_dialog->hostOS->setCurrentIndex(0); for (int i=0; ihostOS->count(); ++i) { wz->host_os_list.append(m_dialog->hostOS->itemText(i)); } // populate versions using standard function from platforms.cpp // and add empty item on top list vl; getVersionsForPlatform("pf", vl); vl.push_front(QStringPair("", QObject::tr(""))); for (list::iterator i1=vl.begin(); i1!=vl.end(); i1++) { m_dialog->version->addItem( i1->second ); wz->version_list.append(i1->first); } m_dialog->importOptionsFrame->show(); break; } case PreImport::PF_REVERSE: m_dialog->platform->setText(tr("pf")); m_dialog->platformSpecificWarning->setText( tr( "

This appears to be PF configuration designed " "without use of the \"quick\" keyword, where " "the packet is evaluated by all filtering rules in " "sequential order and the last matching rule decides " "what action is to be taken. Firewall Builder uses " "different rule model, where the first matching rule " "is always final and makes the decision on the action. " "This means Firewall Builder can only import PF " "configuration written using \"quick\" " "keywords.

" )); platformOk = false; break; } wz->platform = pi.getPlatformAsString(); } emit completeChanged(); } fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/IC_PlatformWarningPage.h000066400000000000000000000024561303637203600311310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef IC_PLATFORMWARNINGPAGE_H #define IC_PLATFORMWARNINGPAGE_H #include "ui_ic_platformwarningpage_q.h" #include "PreImport.h" class IC_PlatformWarningPage : public QWizardPage { Q_OBJECT; Ui::IC_PlatformWarningPage_q *m_dialog; bool platformOk; public: IC_PlatformWarningPage(QWidget *parent); virtual ~IC_PlatformWarningPage() {} virtual void initializePage(); virtual bool isComplete() const; }; #endif // IC_PLATFORMWARNINGPAGE_H fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/IC_ProgressPage.cpp000066400000000000000000000232551303637203600301560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "events.h" #include "FWBSettings.h" #include "IC_ProgressPage.h" #include "ImporterThread.h" #include "ImportFirewallConfigurationWizard.h" #include "fwbuilder/Library.h" #include #include #include #include using namespace std; using namespace libfwbuilder; bool fwbdebug_ic = fwbdebug; IC_ProgressPage::IC_ProgressPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::IC_ProgressPage_q; m_dialog->setupUi(this); importer = NULL; errors_count = 0; warnings_count = 0; QTextCursor cursor(m_dialog->importLog->textCursor()); normal_format = cursor.charFormat(); error_format = normal_format; error_format.setForeground(QBrush(Qt::red)); error_format.setAnchorHref("http://somewhere.com"); error_format.setAnchor(true); // weight must be between 0 and 99. 
Qt 4.4.1 does not seem to mind if // it is >99 (just caps it) but older versions assert error_format.setProperty(QTextFormat::FontWeight, 99); warning_format = normal_format; warning_format.setForeground(QBrush(Qt::blue)); warning_format.setProperty(QTextFormat::FontWeight, 99); warning_format.setAnchor(true); warning_format.setAnchorHref("http://somewhere.com"); } IC_ProgressPage::~IC_ProgressPage() { disconnect(this, SLOT(logLine(QString))); disconnect(this, SLOT(importerFinished())); if (importer != NULL && importer->isRunning()) importer->stop(); } int IC_ProgressPage::nextId() const { if (fwbdebug_ic) qDebug() << "IC_ProgressPage::nextId()"; ImportFirewallConfigurationWizard* wz = dynamic_cast(wizard()); QString platform = wz->platform; Firewall *fw = wz->getFirewall(); // Move on to the next page only if firewall object has been created // and the next page only makes sense for pix and fwsm if (fw && (platform == "pix" || platform == "fwsm")) return ImportFirewallConfigurationWizard::Page_NetworkZones; return -1; } bool IC_ProgressPage::validatePage() { if (fwbdebug_ic) qDebug() << "IC_ProgressPage::validatePage()" << "importer=" << importer << "isRunning=" << ((importer) ? 
importer->isRunning() : 0); if (importer != NULL && importer->isRunning()) return false; return true; } bool IC_ProgressPage::isComplete() const { if (importer != NULL && importer->isRunning()) return false; return true; } void IC_ProgressPage::importerDestroyed(QObject *obj) { if (fwbdebug_ic) qDebug() << "IC_ProgressPage::importerDestroyed() obj=" << obj; if (obj == importer) importer = NULL; } void IC_ProgressPage::initializePage() { if (fwbdebug_ic) qDebug() << "IC_ProgressPage::initializePage()"; if (importer != NULL && importer->isRunning()) { if (fwbdebug_ic) qDebug() << "importer is still runnig; stopping"; importer->stop(); importer->wait(); delete importer; } m_dialog->importLog->clear(); m_dialog->errors_count_display->setText("0"); m_dialog->warnings_count_display->setText("0"); ImportFirewallConfigurationWizard* wz = dynamic_cast(wizard()); QString platform = wz->platform; QString firewallName = field("firewallName").toString(); bool deduplicate = field("deduplicate").toBool(); QStringList *buffer = &(wz->buffer); QString fileName = field("fileName").toString(); Library *lib = wz->currentLib(); importer = new ImporterThread(this, lib, *buffer, platform, firewallName, fileName, deduplicate); // lists host_os_list and version_list are used-chosen host os and version. // We ask user to choose these only for PF, so for other platforms // these lists are going to be empty. 
if ( wz->host_os_list.size() > 0 && wz->version_list.size() > 0) { int host_os_idx = field("hostOS").toInt(); int version_idx = field("version").toInt(); bool add_standard_comments = field("addStandardComments").toBool(); importer->setUserChoiceHostOS( wz->host_os_list.at( host_os_idx )); importer->setUserChoiceVersion( wz->version_list.at( version_idx )); importer->setAddStandardCommentsFlag(add_standard_comments); } connect(importer, SIGNAL(destroyed(QObject*)), this, SLOT(importerDestroyed(QObject*))); connect(importer, SIGNAL(finished()), this, SLOT(importerFinished())); importer->start(); } void IC_ProgressPage::cleanupPage() { if (fwbdebug_ic) qDebug() << "IC_ProgressPage::cleanupPage()"; disconnect(this, SLOT(logLine(QString))); disconnect(this, SLOT(importerFinished())); if (importer != NULL && importer->isRunning()) importer->stop(); // if (importer != NULL && importer->isRunning()) importer->wait(); } void IC_ProgressPage::importerFinished() { if (fwbdebug_ic) qDebug() << "IC_ProgressPage::importerFinished()"; Firewall *fw = importer->getFirewallObject(); qApp->processEvents(); // to flush the log ImportFirewallConfigurationWizard* wz = dynamic_cast(wizard()); wz->setFirewall(fw); QString platform = wz->platform; if (fw) // fw can be NULL if import was uncussessful { QString fwName = field("firewallName").toString(); fw->setName(fwName.toUtf8().constData()); // lists host_os_list and version_list are used-chosen host os and version. // We ask user to choose these only for PF, so for other platforms // these lists are going to be empty. if ( wz->host_os_list.size() > 0 && wz->version_list.size() > 0) { int host_os_idx = field("hostOS").toInt(); int version_idx = field("version").toInt(); QString hostOS = wz->host_os_list.at( host_os_idx ).toLower(); QString version = wz->version_list.at( version_idx ).toLower(); if ( ! hostOS.isEmpty()) fw->setStr("host_OS", hostOS.toStdString()); if ( ! 
version.isEmpty()) fw->setStr("version", version.toStdString()); } setFinalPage(false); // this triggers call to nextId() } else { // fw == NULL // normally, wizard would have one more page, but since fw was not // created, this page should be the last setFinalPage(true); } emit completeChanged(); } void IC_ProgressPage::logLine(const QString &buf) { if (buf.isEmpty()) return; foreach(QString line, buf.trimmed().split("\n")) { QTextCharFormat format = normal_format; if (line.contains("Parser error")) { format = error_format; errors_count++; } if (line.contains("Error:")) { format = error_format; errors_count++; } if (line.contains("Parser warning")) { format = warning_format; warnings_count++; } if (line.contains("Warning:")) { format = warning_format; warnings_count++; } QString txt = line; while (!txt.isEmpty() && (txt.endsWith("\n") || txt.endsWith("\r"))) txt.chop(1); if (format == error_format || format == warning_format) format.setAnchorHref(txt); QTextCursor cursor = m_dialog->importLog->textCursor(); cursor.insertBlock(); cursor.insertText(txt, format); QString s; m_dialog->errors_count_display->setText(s.setNum(errors_count)); m_dialog->warnings_count_display->setText(s.setNum(warnings_count)); } m_dialog->importLog->ensureCursorVisible(); } void IC_ProgressPage::saveLog() { QString dir; dir = st->getWDir(); if (dir.isEmpty()) dir = st->getOpenFileDir(); if (dir.isEmpty()) dir = "~"; QString s = QFileDialog::getSaveFileName( this, "Choose a file", dir, "Text file (*.txt)"); if (!s.isEmpty()) { if (s.endsWith(".txt")) { s += ".txt"; } QFile f(s); if (f.open(QIODevice::WriteOnly)) { if (fwbdebug) { qDebug("Saving crawler log to file: %d chars", m_dialog->importLog->toPlainText().length()); qDebug("--------------------------------"); } QTextStream strm(&f); QString txt = m_dialog->importLog->toPlainText(); strm << txt << endl; if (fwbdebug) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("%s",txt.toAscii().constData()); #else 
qDebug("%s",txt.toLatin1().constData()); #endif qDebug("--------------------------------"); } f.close(); } } } fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/IC_ProgressPage.h000066400000000000000000000032501303637203600276140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef IC_PROGRESSPAGE_H #define IC_PROGRESSPAGE_H #include "ui_ic_progresspage_q.h" #include class ImporterThread; class IC_ProgressPage : public QWizardPage { Q_OBJECT; Ui::IC_ProgressPage_q *m_dialog; QTextCharFormat normal_format; QTextCharFormat error_format; QTextCharFormat warning_format; ImporterThread *importer; int errors_count; int warnings_count; public: IC_ProgressPage(QWidget *parent); virtual ~IC_ProgressPage(); virtual void initializePage(); virtual void cleanupPage(); virtual bool validatePage(); virtual bool isComplete() const; virtual int nextId () const; public slots: void saveLog(); void logLine(const QString &line); void importerDestroyed(QObject*); void importerFinished(); }; #endif // IC_PROGRESSPAGE_H fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/ImportFirewallConfigurationWizard.cpp000066400000000000000000000105141303637203600340450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, 
LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "events.h" #include "ImportFirewallConfigurationWizard.h" #include "IC_FileNamePage.h" #include "IC_FirewallNamePage.h" #include "IC_PlatformWarningPage.h" #include "IC_ProgressPage.h" #include "IC_NetworkZonesPage.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjConflictResolutionDialog.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Policy.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/ServiceGroup.h" #include #include using namespace std; using namespace libfwbuilder; ImportFirewallConfigurationWizard::ImportFirewallConfigurationWizard( QWidget *parent, FWObjectDatabase *_db) : QWizard(parent) { fw = NULL; db_orig = _db; db_copy = new FWObjectDatabase(); db_copy->duplicate(_db, false); current_lib = Library::cast(db_copy->findInIndex(mw->getCurrentLib()->getId())); QPixmap pm; pm.load(":/Images/fwbuilder3-72x72.png"); setPixmap(QWizard::LogoPixmap, pm); pm.load(":/Images/fwbuilder3-256x256-fade.png"); setPixmap(QWizard::BackgroundPixmap, pm); setWindowTitle(tr("Import Firewall Configuration")); setPage(Page_FileName, new IC_FileNamePage(this)); setPage(Page_Platform, new IC_PlatformWarningPage(this)); setPage(Page_FirewallName, new 
IC_FirewallNamePage(this)); setPage(Page_Progess, new IC_ProgressPage(this)); setPage(Page_NetworkZones, new IC_NetworkZonesPage(this)); // always show cancel button setOption(QWizard::NoCancelButton, false); QRect sg = QApplication::desktop()->screenGeometry(mw); QSize screen_size = sg.size(); #if defined(Q_OS_MACX) QSize desired_size(900, 700); #else QSize desired_size(800, 700); #endif if (desired_size.width() > screen_size.width()) desired_size.setWidth(screen_size.width()); if (desired_size.height() > screen_size.height()) desired_size.setHeight(screen_size.height()); resize(desired_size); } ImportFirewallConfigurationWizard::~ImportFirewallConfigurationWizard() { delete db_copy; } void ImportFirewallConfigurationWizard::accept() { if (fwbdebug) qDebug() << "ImportFirewallConfigurationWizard::accept()" << "fw=" << fw; if (fw != NULL && (platform == "pix" || platform == "fwsm")) dynamic_cast( page(Page_NetworkZones))->setNetworkZones(); int fw_id = -1; int policy_id = -1; if (fw) { fw_id = fw->getId(); FWObject *first_policy = fw->getFirstByType(Policy::TYPENAME); policy_id = (first_policy) ? 
first_policy->getId() : -1; } // merge dbcopy into db CompareObjectsDialog cod(this); db_orig->merge(db_copy, &cod); ProjectPanel *pp = mw->activeProject(); QString filename = pp->getFileName(); QCoreApplication::postEvent( mw, new reloadObjectTreeImmediatelyEvent(filename)); if (fw_id > 0) { QCoreApplication::postEvent( pp, new showObjectInTreeEvent(filename, fw_id)); QCoreApplication::postEvent( pp, new expandObjectInTreeEvent( mw->activeProject()->getFileName(), fw_id)); QCoreApplication::postEvent( mw, new openObjectInEditorEvent(filename, fw_id)); // Open first created Policy ruleset object if (policy_id > 0) QCoreApplication::postEvent( pp, new openRulesetEvent(filename, policy_id)); } QWizard::accept(); } fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/ImportFirewallConfigurationWizard.h000066400000000000000000000042741303637203600335200ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IMPORTFIREWALLCONFIGURATIONWIZARD_H_ #define __IMPORTFIREWALLCONFIGURATIONWIZARD_H_ #include #include namespace libfwbuilder { class FWObjectDatabase; class Firewall; class Library; }; class IC_FirewallNamePage; class IC_PlatformWarningPage; class IC_ProgressPage; class ImportFirewallConfigurationWizard : public QWizard { friend class IC_FirewallNamePage; friend class IC_PlatformWarningPage; friend class IC_ProgressPage; Q_OBJECT; QString platform; QList host_os_list; QList version_list; QStringList buffer; libfwbuilder::Firewall *fw; libfwbuilder::FWObjectDatabase *db_orig; libfwbuilder::FWObjectDatabase *db_copy; libfwbuilder::Library *current_lib; public: enum { Page_FileName, Page_Platform, Page_FirewallName, Page_Progess, Page_NetworkZones }; ImportFirewallConfigurationWizard(QWidget *parent, libfwbuilder::FWObjectDatabase *db); virtual ~ImportFirewallConfigurationWizard(); libfwbuilder::Firewall* getFirewall() { return fw; } void setFirewall(libfwbuilder::Firewall* _fw) { fw = _fw; } libfwbuilder::FWObjectDatabase* db() { return db_copy; } libfwbuilder::Library* currentLib() { return current_lib; } public slots: virtual void accept(); }; #endif fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/ImporterThread.cpp000066400000000000000000000102201303637203600301170ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "ImporterThread.h" #include "utils.h" #include "QThreadLogger.h" #include "IOSImporter.h" #include "IPTImporter.h" #include "PIXImporter.h" #include "PFImporter.h" #include "objectMaker.h" #include #include #include using namespace std; using namespace libfwbuilder; Logger& operator<<(Logger &logger, const QString &str) { logger << str.toUtf8().constData(); return logger; } ImporterThread::ImporterThread(QWidget *ui, FWObject *lib, const QStringList &buffer, const QString &platform, const QString &firewallName, const QString &fileName, bool deduplicate) { this->lib = lib; this->ui = ui; this->buffer = buffer; this->platform = platform; this->firewallName = firewallName; this->fileName = fileName; this->deduplicate = deduplicate; importer = NULL; stopFlag = false; addStandardComments = false; } ImporterThread::~ImporterThread() { if (fwbdebug) qDebug() << "ImporterThread::~ImporterThread()"; } void ImporterThread::setUserChoiceHostOS(const QString &s) { userChoiceHostOS = s; } void ImporterThread::setUserChoiceVersion(const QString &s) { userChoiceVersion = s; } void ImporterThread::setAddStandardCommentsFlag(bool f) { addStandardComments = f; } void ImporterThread::run() { QThreadLogger *logger = new QThreadLogger(); connect(logger, SIGNAL(lineReady(QString)), this->ui, SLOT(logLine(QString)), Qt::QueuedConnection); std::istringstream instream(buffer.join("\n").toStdString()); importer = NULL; if (platform == "iosacl") importer = new IOSImporter( lib, instream, logger, firewallName.toUtf8().constData()); if (platform == "iptables") importer = new IPTImporter( 
lib, instream, logger, firewallName.toUtf8().constData()); if (platform == "pix" || platform == "fwsm") importer = new PIXImporter( lib, instream, logger, firewallName.toUtf8().constData()); if (platform == "pf") importer = new PFImporter( lib, instream, logger, firewallName.toUtf8().constData()); if (importer) { if ( ! userChoiceHostOS.isEmpty()) importer->setUserChoiceHostOS(userChoiceHostOS.toStdString()); if ( ! userChoiceVersion.isEmpty()) importer->setUserChoiceVersion(userChoiceVersion.toStdString()); importer->setAddStandardCommentsFlag(addStandardComments); importer->setFileName(fileName.toUtf8().constData()); if (deduplicate) importer->prepareForDeduplication(); try { importer->run(); } catch(ImporterException &e) { *logger << e.toString() << "\n"; } catch(ObjectMakerException &e) { *logger << e.toString() << "\n"; } } else { *logger << "Can not import configuration for platform " << platform.toStdString() << "\n"; } if ( ! stopFlag) { fw = importer->finalize(); emit finished(); } deleteLater(); // mark this object for destruction on the next run of event loop } void ImporterThread::stop() { stopFlag = true; } fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/ImporterThread.h000066400000000000000000000040711303637203600275730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _IMPORTERTHREAD_H_ #define _IMPORTERTHREAD_H_ #include "Importer.h" #include #include #include #include #include namespace libfwbuilder { class FWObject; class Firewall; }; class ImporterThread : public QThread { Q_OBJECT; libfwbuilder::FWObject *lib; Importer *importer; QString fileName; QStringList buffer; QString firewallName; QString platform; bool deduplicate; QWidget *ui; libfwbuilder::Firewall *fw; bool stopFlag; QString userChoiceHostOS; QString userChoiceVersion; bool addStandardComments; public: ImporterThread(QWidget *ui, libfwbuilder::FWObject *lib, const QStringList &buffer, const QString &platform, const QString &firewallName, const QString &fileName, bool deduplicate); virtual ~ImporterThread(); void run(); void stop(); libfwbuilder::Firewall* getFirewallObject() { return fw; } void setUserChoiceHostOS(const QString &s); void setUserChoiceVersion(const QString &s); void setAddStandardCommentsFlag(bool f); signals: void finished(); }; #endif fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/ic_filenamepage_q.ui000066400000000000000000000074401303637203600304430ustar00rootroot00000000000000 IC_FileNamePage_q 0 0 549 528 WizardPage Enter file name to import Qt::Vertical QSizePolicy::Fixed 20 40 File name: false 0 0 Browse... Qt::Vertical QSizePolicy::Fixed 337 40 Policy import tries to parse given configuration file and preserve its logic as close as possible. However, very often target firewall configuration allows for more commands, options and their combinations than importer can understand. Rules that importer could not parse exactly are colored red in the rule sets it creates. Always inspect firewall policy created by the importer and compare it with the original. Manual changes and corrections may be required. 
Comments in the rules that could not be parsed show fragments of the original configuration parser did not understand. Qt::AlignVCenter true Qt::Vertical QSizePolicy::Expanding 337 213 browse clicked() IC_FileNamePage_q selectFile() 508 25 477 55 selectFile() fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/ic_firewallnamepage_q.ui000066400000000000000000000062251303637203600313310ustar00rootroot00000000000000 IC_FirewallNamePage_q 0 0 562 438 WizardPage Enter firewall object name Qt::Vertical QSizePolicy::Fixed 20 40 Firewall object name: Qt::Horizontal 199 20 Qt::Vertical QSizePolicy::Fixed 20 40 The program can use objects that already exist in the "Standard Objects" library and user defined libraries to represent addresses and services found in the configuration being imported. This helps avoid duplicate objects. true Find and use existing objects Qt::Vertical 20 387 fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/ic_networkzonespage_q.ui000066400000000000000000000064461303637203600314400ustar00rootroot00000000000000 IC_NetworkZonesPage_q 0 0 580 630 WizardPage Firewall Builder uses Network Zones to determine network topology. Each firewall interface must have a Network Zone configured. The Network Zone of an interface represents the set of IP networks that would be the source IP address of traffic arriving inbound on an interface. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true If you do not set the Network Zone now you can update the Network Zone configuration after the firewall has been created by double-clicking on the network interface of the firewall object and then selecting the desired object from the Network Zone dropdown list. 
true :/Images/network_zone_dialog.png Qt::AlignCenter 0 150 QFrame::NoFrame QFrame::Sunken 0 true true Name Label Address Security Level fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/ic_platformwarningpage_q.ui000066400000000000000000000063521303637203600320760ustar00rootroot00000000000000 IC_PlatformWarningPage_q 0 0 631 710 WizardPage TextLabel true Firewall Platform: TextLabel Qt::Horizontal 442 20 QFrame::NoFrame QFrame::Raised 0 Host OS: Version: Qt::Horizontal QSizePolicy::Expanding 329 20 Add line numbers in the original file to comments in rules and objects fwbuilder-5.3.7/src/libgui/importFirewallConfigurationWizard/ic_progresspage_q.ui000066400000000000000000000066671303637203600305410ustar00rootroot00000000000000 IC_ProgressPage_q 0 0 609 537 WizardPage Process log: 0 true Save scan log to file Qt::Horizontal QSizePolicy::Fixed 28 20 Errors: TextLabel Qt::Horizontal QSizePolicy::Fixed 40 20 Warnings: TextLabel Qt::Horizontal 40 20 logSaveButton clicked() IC_ProgressPage_q saveLog() 160 513 304 268 saveLog() fwbuilder-5.3.7/src/libgui/instBatchOptionsDialog.cpp000066400000000000000000000033611303637203600227000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "definitions.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "instBatchOptionsDialog.h" #include #include #include #include using namespace std; using namespace libfwbuilder; instBatchOptionsDialog::instBatchOptionsDialog(QWidget *parent, instConf *_cnf) : instOptionsDialog(parent, _cnf) { m_dialog->dialogTitleLine->setText(QString("

")+ tr("Batch install options")+ QString("

") ); // must reset alt address in the dialog even though it is // hidden. This is because we read it in instDialog::doInstallPage // regardless of wether we perform batch install or not. m_dialog->altAddress->setText(""); m_dialog->altAddressLabel->hide(); m_dialog->altAddress->hide(); } fwbuilder-5.3.7/src/libgui/instBatchOptionsDialog.h000066400000000000000000000022171303637203600223440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __INSTBATCHOPTIONSDIALOG_H_ #define __INSTBATCHOPTIONSDIALOG_H_ #include "config.h" #include "instOptionsDialog.h" class instConf; class instBatchOptionsDialog : public instOptionsDialog { Q_OBJECT private: public: instBatchOptionsDialog(QWidget *parent, instConf *_cnf); }; #endif fwbuilder-5.3.7/src/libgui/instConf.cpp000066400000000000000000000043121303637203600200450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "instConf.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Firewall.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; instConf::instConf() { clear(); } QString instConf::getCmdFromResource(const QString &resource_name) { if (fwbdebug) qDebug() << QString("instConf::getCmdFromResource resource_name=%1") .arg(resource_name); string optpath_root = "activation/reg_user/run/"; string optpath = optpath_root + resource_name.toStdString(); QString cmd = Resources::getTargetOptionStr(fwobj->getStr("host_OS"), optpath).c_str(); cmd = cmd.trimmed(); if (fwbdebug) qDebug() << "instConf::getCmdFromResource cmd=" << cmd; return cmd; } void instConf::clear() { quiet = false; verbose = false; debug = 0; incremental = false; dry_run = false; saveStandby = false; save_diff = false; diff_pgm = ""; no_gui = false; backup = false; backup_file = ""; wdir = "./"; fwobj = NULL; maddr = ""; user = ""; batchInstall = false; sshArgs = ""; scpArgs = ""; putty_session = ""; fwscript = ""; } fwbuilder-5.3.7/src/libgui/instConf.h000066400000000000000000000037771303637203600175300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __INSTCONF_H_ #define __INSTCONF_H_ #include #include namespace libfwbuilder { class Firewall; }; class instConf { public: bool quiet; bool verbose; int debug; bool incremental; bool dry_run; bool save_diff; bool no_gui; bool backup; bool stripComments; bool compressScript; bool copyFWB; bool saveStandby; bool batchInstall; bool useSCPForRouter; // use scp for cisco ios, pix and hp procurve bool useNXOSSession; // use NXOS Session Manager QString pgm; QString wdir; QString diff_pgm; QString user; QString activationCmd; QString pwd; QString epwd; QString maddr; QString putty_session; QString sshArgs; QString scpArgs; QString fwdir; QString fwscript; libfwbuilder::Firewall *fwobj; QString fwbfile; QString script; QString remote_script; QString backup_file; QString diff_file; instConf(); QString getCmdFromResource(const QString &resource_name); void clear(); }; #endif fwbuilder-5.3.7/src/libgui/instDialog.cpp000066400000000000000000000635071303637203600203720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "instDialog.h" #include "ProjectPanel.h" #include "FirewallInstaller.h" #include "FWBSettings.h" #include "SSHUnx.h" #include "SSHPIX.h" #include "SSHIOS.h" #include "FWWindow.h" #include "instOptionsDialog.h" #include "instBatchOptionsDialog.h" #include "FirewallCodeViewer.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwcompiler/BaseCompiler.h" #ifndef _WIN32 # include // for access(2) and getdomainname #endif #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; instDialog::instDialog(QWidget *p) : QDialog(p) { connect(this, SIGNAL(activateRule(ProjectPanel*, QString, QString, int)), p, SLOT(activateRule(ProjectPanel*, QString, QString, int))); m_dialog = new Ui::instDialog_q; m_dialog->setupUi(this); inst_opt_dlg = NULL; //project = mw->activeProject(); setControlWidgets(this, m_dialog->stackedWidget, m_dialog->nextButton, 
m_dialog->finishButton, m_dialog->backButton, m_dialog->cancelButton, m_dialog->titleLabel); setWindowFlags(Qt::Dialog | Qt::WindowSystemMenuHint); list err_re; BaseCompiler::errorRegExp(&err_re); err_re.push_back("(Abnormal[^\n]*)"); err_re.push_back("(fwb_[^:]*: \\S*\\.cpp:\\d{1,}: .*: Assertion .* failed.)"); foreach(string re, err_re) { error_re.push_back(QRegExp(re.c_str(), Qt::CaseInsensitive)); } list warn_re; BaseCompiler::warningRegExp(&warn_re); foreach(string re, warn_re) { warning_re.push_back(QRegExp(re.c_str())); } QTextCursor cursor(m_dialog->procLogDisplay->textCursor()); normal_format = cursor.charFormat(); error_format = normal_format; error_format.setForeground(QBrush(Qt::red)); error_format.setAnchorHref("http://somewhere.com"); error_format.setAnchor(true); // weight must be between 0 and 99. Qt 4.4.1 does not seem to mind if // it is >99 (just caps it) but older versions assert error_format.setProperty(QTextFormat::FontWeight, 99); warning_format = normal_format; warning_format.setForeground(QBrush(Qt::blue)); warning_format.setProperty(QTextFormat::FontWeight, 99); warning_format.setAnchor(true); warning_format.setAnchorHref("http://somewhere.com"); highlight_format = normal_format; highlight_format.setProperty(QTextFormat::FontWeight, 99); currentSaveButton = m_dialog->saveMCLogButton; currentSaveButton->setEnabled(true); currentStopButton = m_dialog->stopButton; currentProgressBar = m_dialog->compProgress; currentFirewallsBar = m_dialog->compFirewallProgress; currentLabel = m_dialog->infoMCLabel; currentFWLabel = m_dialog->fwMCLabel; currentLabel->setText(""); connect(&proc, SIGNAL(readyReadStandardOutput()), this, SLOT(readFromStdout()) ); // even though we set channel mode to "merged", QProcess // seems to not merge them on windows. 
proc.setProcessChannelMode(QProcess::MergedChannels); m_dialog->fwWorkList->setSortingEnabled(true); connect(currentFirewallsBar, SIGNAL(valueChanged(int)), this, SIGNAL(currentFirewallsBarValueChanged(int))); isAutoCompiling = false; } /* * list fws is empty when user hits main toolbar button Compile or * Install or uses main menu Rules/Compile or Rules/Install. This list * has firewall objects to be compiled/installed when user uses * "compile-this" or "install-this" button or context menu items * "Compile" or "Install". */ void instDialog::show(ProjectPanel *proj, bool install, bool onlySelected, std::set fws) { canceledAll = false; if (isVisible() || isAutoCompiling) return; lastPage = -1; installer = NULL; finished = false; page_1_op = INST_DLG_COMPILE; compile_complete = false; rejectDialogFlag = false; isAutoCompiling = false; m_dialog->selectTable->clear(); this->project = proj; compile_only = ! install; m_dialog->warning_space->hide(); m_dialog->procLogDisplay->clear(); firewalls.clear(); clusters.clear(); compile_fw_list.clear(); install_fw_list.clear(); for (int page=0; page < pageCount(); page++) setFinishEnabled(page, false); disableStopButton(); if (!onlySelected) { findFirewalls(); } else { firewalls.clear(); clusters.clear(); foreach(Firewall* fw, fws) { if (Cluster::isA(fw)) clusters.push_back(Cluster::cast(fw)); else firewalls.push_back(fw); } firewalls.sort(FWObjectNameCmpPredicate()); clusters.sort(FWObjectNameCmpPredicate()); m_dialog->saveMCLogButton->setEnabled(true); } if (fwbdebug) qDebug() << "instDialog::show" << "firewalls.size()=" << firewalls.size() << "clusters.size()=" << clusters.size() << "install=" << install; if (firewalls.size()==0 && clusters.size()==0) { setTitle(0, tr("There are no firewalls to process.")); for (int i=0; im_dialog->batchInstall->setChecked(false); if (firewalls.size() == 1 && clusters.size() == 0) m_dialog->selectAllNoneFrame->hide(); else m_dialog->selectAllNoneFrame->show(); 
//m_dialog->batchInstall->setChecked(false); creatingTable = false; m_dialog->selectTable->setFocus(); m_dialog->selectInfoLabel->setText( QString("

%1

") .arg(tr("Select firewalls to compile."))); if (compile_only) { m_dialog->batchInstFlagFrame->hide(); setAppropriate(2, false); m_dialog->selectTable->hideColumn(INSTALL_CHECKBOX_COLUMN); } else { m_dialog->batchInstFlagFrame->show(); setAppropriate(2, true); m_dialog->selectTable->showColumn(INSTALL_CHECKBOX_COLUMN); } m_dialog->detailMCframe->show(); this->setVisible(true); // we just started, there is nothing to inspect in the workflow of // this wizard yet. This button will be enabled when compile phase is complete m_dialog->inspectGeneratedFiles->setEnabled(compile_complete); showPage(CHOOSE_OBJECTS); } void instDialog::autoCompile(ProjectPanel *project) { show(project, false, false, std::set()); hide(); isAutoCompiling = true; selectAllFirewalls(); nextButton->click(); } instDialog::~instDialog() { if (inst_opt_dlg != NULL) delete inst_opt_dlg; delete m_dialog; } // ======================================================================== /* * main loop: use lists compile_fw_list and install_fw_list to iterate * all firewalls and do everything. */ void instDialog::mainLoopCompile() { if (finished) return; enableStopButton(); // first compile all if (compile_fw_list.size()) { Firewall *fw = compile_fw_list.front(); compile_fw_list.pop_front(); cnf.clear(); runCompiler(fw); return; } else { // Compile is done or there was no firewalls to compile to // begin with. Check if we have any firewalls to install. Note // that we "uncheck" "install" checkboxes in the first page of // the wizard on compile failure, so we need to rebuild install_fw_list // here. 
fillInstallOpList(); disableStopButton(); if (compile_only) { compile_complete = true; finished = true; setFinishEnabled(currentPage(), true); this->m_dialog->finishButton->setDefault(true); QStringList files; int n = findFilesToInspect(files); m_dialog->inspectGeneratedFiles->setEnabled(n != 0); } else { compile_complete = true; showPage(COMPILE_INSTALL); // setNextEnabled(currentPage(), true); // setFinishEnabled(currentPage(), false); // m_dialog->inspectGeneratedFiles->setEnabled(compile_complete); } if (isAutoCompiling) { finishButton->click(); isAutoCompiling = false; emit autoCompileDone(); deleteLater(); } } } void instDialog::mainLoopInstall() { if (fwbdebug) qDebug("instDialog::mainLoopInstall: %d firewalls to install", int(install_fw_list.size())); if (finished) return; enableStopButton(); if (install_fw_list.size() && !canceledAll) { Firewall *fw = install_fw_list.front(); install_fw_list.pop_front(); runInstaller(fw, install_fw_list.size()>0); return; } if (canceledAll) { foreach(Firewall *fw, install_fw_list) { this->opCancelled(fw); } install_fw_list.clear(); } finished = true; setFinishEnabled(currentPage(), true); this->m_dialog->finishButton->setDefault(true); disableStopButton(); } // ======================================================================== void instDialog::showPage(const int page) { // see #1044 Hide batch install label and checkbox once user moves to // the install phase, otherwise it looks confusing. 
if (page_1_op == INST_DLG_INSTALL) { m_dialog->batchInstFlagFrame->hide(); } QStringList tmp; m_dialog->inspectGeneratedFiles->setEnabled( compile_complete && page_1_op == INST_DLG_COMPILE && findFilesToInspect(tmp)); if (fwbdebug) qDebug() << "instDialog::showPage page " << lastPage << "--->" << page << "page_1_op=" << page_1_op; FakeWizard::showPage(page); switch (page) { case CHOOSE_OBJECTS: // select firewalls for compiling and installing { // if user returned to this page from "compile" page, assume they // want to recompile finished = false; compile_complete = false; fillCompileSelectList(); setAppropriate(1, tableHasCheckedItems()); setNextEnabled(page, tableHasCheckedItems()); m_dialog->selectTable->setFocus(); m_dialog->nextButton->setDefault(true); break; } case COMPILE_INSTALL: { // compile, install firewalls and inspect files, depending on // the value of page_1_op setNextEnabled(page, false); setBackEnabled(page, false); fillCompileOpList(); fillInstallOpList(); // fill install_fw_list if (compile_fw_list.size()==0 && install_fw_list.size()==0) { showPage(CHOOSE_OBJECTS); return; } if (compile_fw_list.size()==0) page_1_op = INST_DLG_INSTALL; m_dialog->stackedWidget->widget(1)->layout()->removeWidget(m_dialog->logFrame); m_dialog->stackedWidget->widget(1)->layout()->addWidget(m_dialog->firewallListFrame); m_dialog->stackedWidget->widget(1)->layout()->addWidget(m_dialog->logFrame); // Page 1 of the wizard does both compile and install // controlled by flag page_1_op. May be it would be less hacky if we // used sepaarte page for installs, but that page would look exactly // like the page for compile switch (page_1_op) { case INST_DLG_COMPILE: { if (fwbdebug) qDebug() << "Page 1 compile" << "compile_complete=" << compile_complete; // run full compile cycle only if we haven't done it before // User may click Back on the "Inspect" page, this should return // them to the "compile" page but not trigger full recompile. 
// Flag compile_complete is set in instDialog::mainLoopCompile()
if (compile_complete)
{
    // See #2037: enable "Next" button only if there is at
    // least one firewall that was successfully compiled.
    bool can_install = false;
    list::iterator i;
    for(i=compile_fw_list.begin(); i!=compile_fw_list.end(); ++i)
    {
        Firewall *fw = *i;
        // NOTE(review): the right-hand operand of this '||' is the bare enum
        // constant FWCOMPILER_WARNING, not a comparison, so the condition is
        // true for every firewall whenever that constant is non-zero and the
        // #2037 guard never actually blocks "Next" after an all-failed run.
        // The intended test is
        //   compile_status[fw] == fwcompiler::BaseCompiler::FWCOMPILER_SUCCESS ||
        //   compile_status[fw] == fwcompiler::BaseCompiler::FWCOMPILER_WARNING
        // Also note compile_status is a std::map, so operator[] inserts a
        // default-valued entry for any firewall that has no recorded status.
        if (compile_status[fw] == fwcompiler::BaseCompiler::FWCOMPILER_SUCCESS ||
            fwcompiler::BaseCompiler::FWCOMPILER_WARNING)
        {
            setNextEnabled(page, true);
            m_dialog->nextButton->setDefault(true);
            can_install = true;
            break;
        }
    }
    if (!can_install) setFinishEnabled(page, true);
    setBackEnabled(page, true);
} else
{
    // The project file is saved before the compilers are launched; the
    // background auto-compile path skips the save.
    if (!isAutoCompiling) mw->fileSave();
    currentFirewallsBar->reset();
    currentFirewallsBar->setFormat("%v/%m");
    currentFirewallsBar->setMaximum(compile_list_initial_size);
    emit currentFirewallsBarMaximumValueChanged(currentFirewallsBar->maximum());
    m_dialog->procLogDisplay->clear();
    fillCompileUIList();
    qApp->processEvents();
    mainLoopCompile();
}
setBackEnabled(page, true);
break;
}
case INST_DLG_INSTALL:
{
    if (fwbdebug) qDebug("Page 1 install");
    if (install_fw_list.size() > 0)
    {
        currentFirewallsBar->reset();
        currentFirewallsBar->setMaximum(install_list_initial_size);
        m_dialog->procLogDisplay->clear();
        fillInstallUIList();
        qApp->processEvents();
        mainLoopInstall();
    }
    setBackEnabled(page, false);
    break;
}
case INST_DLG_INSPECT:
{
    // Show the generated files in an embedded FirewallCodeViewer. The
    // viewer is placed on a third stacked-widget page, which is recreated
    // on every visit (the old page 2 is removed first).
    QStringList files;
    int no_files = findFilesToInspect(files);
    if (no_files == 0)
    {
        QMessageBox::critical(this, tr("Error"),
            tr("No files were generated, there is nothing to show."));
        // NOTE(review): this early return leaves showPage() without reaching
        // the trailing lastPage/setCurrentPage bookkeeping even though
        // FakeWizard::showPage(page) has already been called above — confirm
        // that is intended.
        return;
    }
    if (m_dialog->stackedWidget->count() == 3 )
        m_dialog->stackedWidget->removeWidget(m_dialog->stackedWidget->widget(2));
    FirewallCodeViewer *viewer;
    if (firewalls.size() == 1)
        // (the markup originally surrounding the firewall name appears to
        // have been stripped in this copy of the file)
        viewer = new FirewallCodeViewer(
            files,
            QString("") + firewalls.front()->getName().c_str() + "",
            project, this);
    else
        viewer = new FirewallCodeViewer(
            files, tr("Multiple firewalls"), project, this);
    viewer->hideCloseButton();
viewer->setSizePolicy(QSizePolicy::Expanding,QSizePolicy::Expanding); QWidget *container = new QWidget(this); container->setObjectName("codeViewer"); QHBoxLayout *layout = new QHBoxLayout(container); layout->setContentsMargins(0,0,0,0); layout->setSpacing(6); QFrame *frame = new QFrame(container); frame->setLayout(new QHBoxLayout()); frame->layout()->addWidget(viewer); frame->setFrameShape(QFrame::Box); frame->setFrameShadow(QFrame::Plain); frame->setSizePolicy(QSizePolicy::Expanding, QSizePolicy::Expanding); m_dialog->firewallListFrame->setSizePolicy(QSizePolicy::Maximum,QSizePolicy::Minimum); m_dialog->progress_page->layout()->removeWidget(m_dialog->firewallListFrame); layout->addWidget(m_dialog->firewallListFrame); layout->addWidget(frame); frame->layout()->setContentsMargins(0,0,0,0); m_dialog->stackedWidget->addWidget(container); m_dialog->stackedWidget->setCurrentIndex(m_dialog->stackedWidget->count()-1); setNextEnabled(page, !compile_only); setBackEnabled(page, true); if (compile_only) m_dialog->finishButton->setDefault(true); else m_dialog->nextButton->setDefault(true); break; } } // end switch(page_1_op) break; } // end case 1: default: { } } lastPage = currentPage(); setCurrentPage(page); } /** * Finds files that were generated for the firewalls scheduled for * compile and fills the list. Returns number of files found. * */ int instDialog::findFilesToInspect(QStringList &files) { QList fwlist; foreach(Firewall *f, firewalls) fwlist.append(f); foreach(Cluster *c, clusters) { std::list cfws; c->getMembersList(cfws); foreach(Firewall *f, cfws) fwlist.append(f); } foreach(Firewall *f, fwlist) { /* * get full path to the generated file. The path is built from * the file name returned by * FirewallInstaller::getGeneratedFileName() and directory * path from the .fwb file. Note that we use the same * algorithm when GUI launches policy compiler, except there * the path is passed to it via "-d" command line option. 
*/ QString mainFile = FirewallInstaller::getGeneratedFileFullPath(f); // QString mainFile = FirewallInstaller::getGeneratedFileName(f); if (!QFile::exists(mainFile)) continue; instConf cnf; cnf.fwobj = f; cnf.script = mainFile; QMap res; FirewallInstaller(NULL, &cnf, "").readManifest(mainFile, &res); foreach(QString item, res.keys()) if (QFile::exists(item)) files.append(item); } return files.size(); } struct CaseInsensitiveComparison : public std::binary_function { bool operator()(libfwbuilder::FWObject *a,libfwbuilder::FWObject *b) { return QString(a->getName().c_str()).toLower() < QString(b->getName().c_str()).toLower(); } }; void instDialog::findFirewalls() { firewalls.clear(); clusters.clear(); if (project) { project->m_panel->om->findAllFirewalls(firewalls); project->m_panel->om->findAllClusters(clusters); } firewalls.sort(CaseInsensitiveComparison()); clusters.sort(CaseInsensitiveComparison()); m_dialog->saveMCLogButton->setEnabled(true); } bool instDialog::checkSSHPathConfiguration(Firewall *fw) { if (fwbdebug) qDebug("instDialog::checkSSHPathConfiguration"); customScriptFlag = false; Management *mgmt = fw->getManagementObject(); assert(mgmt!=NULL); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); /* we don't care about ssh settings if external installer is to be used */ if ( pis->getCommand()=="" && ( st->getSSHPath().isEmpty() || st->getSCPPath().isEmpty())) { QMessageBox::critical(this, "Firewall Builder", tr("Policy installer uses Secure Shell to communicate with the firewall.\n" "Please configure directory path to the secure shell utility \n" "installed on your machine using Preferences dialog"), tr("&Continue") ); addToLog("Please configure directory path to the secure \n " "shell utility installed on your machine using \n" "Preferences dialog\n"); return false; } return true; } bool instDialog::isCiscoFamily() { string platform = cnf.fwobj->getStr("platform"); return (platform=="pix" || platform=="fwsm" || platform=="iosacl" || 
platform=="nxosacl"); } bool instDialog::isProcurve() { string platform = cnf.fwobj->getStr("platform"); return (platform=="procurve_acl"); } bool instDialog::isJuniper() { string platform = cnf.fwobj->getStr("platform"); return (platform=="junosacl"); } /* * "uncheck" checkbox in the "install" column to make sure we do not * try to install this firewall. Used in instDialog_compile on failure. */ void instDialog::blockInstallForFirewall(Firewall *fw) { if (Cluster::isA(fw)) { list members; Cluster::cast(fw)->getMembersList(members); for (list::iterator it=members.begin(); it!=members.end(); ++it) blockInstallForFirewall(*it); } else { QList items = m_dialog->selectTable->findItems("*", Qt::MatchWildcard); QList::iterator i; for (i=items.begin(); i!=items.end(); ++i) { int obj_id = (*i)->data(0, Qt::UserRole).toInt(); if (obj_id == fw->getId()) (*i)->setCheckState(INSTALL_CHECKBOX_COLUMN, Qt::Unchecked); } } } void instDialog::setUpProcessToCompile() { connect(&proc, SIGNAL(readyReadStandardOutput()), this, SLOT(readFromStdout()) ); // even though we set channel mode to "merged", QProcess // seems to not merge them on windows. proc.setProcessChannelMode(QProcess::MergedChannels); proc.disconnect(SIGNAL(finished(int,QProcess::ExitStatus))); connect(&proc, SIGNAL(finished(int,QProcess::ExitStatus)), this, SLOT(compilerFinished(int,QProcess::ExitStatus)) ); } void instDialog::setUpProcessToInstall() { connect(&proc, SIGNAL(readyReadStandardOutput()), this, SLOT(readFromStdout()) ); // even though we set channel mode to "merged", QProcess // seems to not merge them on windows. proc.setProcessChannelMode(QProcess::MergedChannels); proc.disconnect(SIGNAL(finished(int,QProcess::ExitStatus))); connect(&proc, SIGNAL(finished(int,QProcess::ExitStatus)), this, SLOT(installerFinished(int,QProcess::ExitStatus)) ); } /* * This method is used to launch compiler AND user-defined external * installation script. 
*/
/*
 * Starts 'path' with argument list 'args' in the member QProcess and waits
 * for it to start. Returns true when the process started; on failure it
 * marks cnf.fwobj as failed (opError), writes a diagnostic to the dialog
 * log and returns false. Completion is reported asynchronously through
 * the finished() connection made by setUpProcessToCompile() /
 * setUpProcessToInstall().
 */
bool instDialog::executeCommand(const QString &path, QStringList &args)
{
    // set codecs so that command line parameters can be encoded
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8"));
#endif
    QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8"));
    enableStopButton();
    QTime start_time;
    start_time.start();
    // The program and its arguments are passed to QProcess as separate
    // values, so no shell is involved and 'args' is not re-parsed. Which
    // program runs is decided entirely by the caller (see
    // prepareArgForCompiler() for the compiler case).
    proc.start(path, args);
    // NOTE(review): waitForStarted() is called with its default timeout and
    // blocks the GUI thread until the process starts or the timeout
    // expires — confirm that is acceptable here.
    if ( !proc.waitForStarted() )
    {
        QProcess::ProcessError err = proc.error();
        opError(cnf.fwobj);
        addToLog( tr("Error: Failed to start program") );
        addToLog(path);
        addToLog( tr("Last error:") );
        switch (err)
        {
        case QProcess::FailedToStart:
            addToLog( tr("The process failed to start") );
            // NOTE(review): this copies the user's full PATH into the dialog
            // log, which can be saved to a file; harmless for most users, but
            // it is environment disclosure if such logs are shared.
            addToLog(QString("PATH: %1").arg(getenv("PATH")));
            break;
        case QProcess::Crashed:
            addToLog( tr("The process crashed some time after starting successfully.") );
            break;
        case QProcess::Timedout:
            addToLog( tr("The last waitFor...() function timed out. Elapsed time: %1 ms").arg(start_time.elapsed()) );
            break;
        case QProcess::WriteError:
            addToLog( tr("An error occurred when attempting to write to the process.") );
            break;
        case QProcess::ReadError:
            addToLog( tr("An error occurred when attempting to read from the process. 
") ); break; default: addToLog( tr("An unknown error occurred.") ); break; } addToLog( tr("Current state of QProcess:") ); switch (proc.state()) { case QProcess::NotRunning: addToLog(tr("The process is not running.")); break; case QProcess::Starting: addToLog(tr("The process is starting, but the program has not yet been invoked.")); break; case QProcess::Running: addToLog(tr("The process is running and is ready for reading and writing.")); break; } //blockInstallForFirewall(cnf.fwobj); return false; } return true; } fwbuilder-5.3.7/src/libgui/instDialog.h000066400000000000000000000173361303637203600200360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __INSTDIALOG_H_ #define __INSTDIALOG_H_ #include "config.h" #include #include "instConf.h" #include "fakeWizard.h" #include "instOptionsDialog.h" #include "FirewallInstaller.h" #include "ProjectPanel.h" #include #include #include #include #include #include #include #include #include "fwbuilder/FWObjectDatabase.h" #include "fwcompiler/BaseCompiler.h" class FirewallInstaller; class instBatchOptionsDialog; class QEventLoop; class QTextEdit; class QListViewItem; class QCheckListItem; class QPushButton; class QProgressBar; class QStringList; class QTreeWidgetItem; class QTextCharFormat; //class QCheckTableItem; namespace libfwbuilder { class Firewall; class Cluster; } enum BatchOperation {BATCH_INSTALL, BATCH_COMPILE} ; enum Page1Operation {INST_DLG_COMPILE, INST_DLG_INSTALL, INST_DLG_INSPECT}; enum WizardPageNumber {CHOOSE_OBJECTS=0, COMPILE_INSTALL=1 }; #define FIREWALL_NAME_COLUMN 0 #define COMPILE_CHECKBOX_COLUMN 1 #define INSTALL_CHECKBOX_COLUMN 2 #define LAST_MODIFIED_COLUMN 3 #define LAST_COMPILED_COLUMN 4 #define LAST_INSTALLED_COLUMN 5 class instDialog : public QDialog, public FakeWizard { Q_OBJECT; Ui::instDialog_q *m_dialog; instConf cnf; Page1Operation page_1_op; FirewallInstaller *installer; ProjectPanel *project; instOptionsDialog *inst_opt_dlg; bool compile_only; bool compile_complete; // proc is used to launch external oprocess, such as compiler or // user-defined installer script QProcess proc; QString fwb_prompt; std::list firewalls; std::list clusters; std::list compile_fw_list; std::list::size_type compile_list_initial_size; std::list install_fw_list; std::list::size_type install_list_initial_size; std::map opListMapping; std::list error_re; std::list warning_re; std::map compile_status; QString path; //path of the program to execute // QStringList args; //arguments for that program bool 
creatingTable; BatchOperation operation; int processedRules; int lastPage; bool stopProcessFlag; bool rejectDialogFlag; bool compileFlag; bool customScriptFlag; bool showSelectedFlag; bool finished; bool onlySelected; bool secondPageVisited; bool canceledAll; bool isAutoCompiling; QTextCharFormat normal_format; QTextCharFormat error_format; QTextCharFormat warning_format; QTextCharFormat highlight_format; QPushButton *currentSaveButton; QPushButton *currentStopButton; QProgressBar *currentProgressBar; QProgressBar *currentFirewallsBar; QLabel *currentLabel; QLabel *currentFWLabel; QString currentSearchString; void fillCompileSelectList(); void setSelectStateAll(int column, Qt::CheckState); void fillCompileOpList(); void fillCompileUIList(); void fillInstallOpList(); void fillInstallUIList(); bool checkSSHPathConfiguration(libfwbuilder::Firewall*); //libfwbuilder::Firewall *findFirewallbyTableItem(QTableWidgetItem *item); void setSuccessState(QTreeWidgetItem *item); void setWarningState(QTreeWidgetItem *item); void setFailureState(QTreeWidgetItem *item); void setErrorState(QTreeWidgetItem *item); void setInProcessState(QTreeWidgetItem *item); bool checkIfNeedToCompile(libfwbuilder::Firewall *fw); bool checkIfNeedToInstall(libfwbuilder::Firewall *fw); QTreeWidgetItem *createTreeItem(QTreeWidgetItem* parent, libfwbuilder::Firewall *fw); void setFlags(QTreeWidgetItem* item); virtual void closeEvent(QCloseEvent *event); int findFilesToInspect(QStringList &files); public: instDialog(QWidget *p); virtual ~instDialog(); void summary(); void opSuccess(libfwbuilder::Firewall *fw); void opWarning(libfwbuilder::Firewall *fw); void opError(libfwbuilder::Firewall *fw); void opCancelled(libfwbuilder::Firewall *fw); QWidget* page(int n) { return m_dialog->stackedWidget->widget(n); } void displayCommand(const QStringList &args); bool runCompiler(libfwbuilder::Firewall *fw); bool runInstaller(libfwbuilder::Firewall *fw, bool installing_many_firewalls = true); QStringList 
prepareArgForCompiler(libfwbuilder::Firewall *fw); bool tableHasCheckedItems(); QString getActivationCmd(); void enableStopButton(); void disableStopButton(); void setUpProcessToCompile(); void setUpProcessToInstall(); bool executeCommand(const QString &path, QStringList &args); bool isFinished() { return finished; } protected: virtual void showEvent( QShowEvent *ev); virtual void hideEvent( QHideEvent *ev); bool getInstOptions(libfwbuilder::Firewall *fw, bool installing_many_firewalls = true); void prepareInstConf(libfwbuilder::Firewall *fw); void blockInstallForFirewall(libfwbuilder::Firewall *fw); void readInstallerOptionsFromSettings(); void readInstallerOptionsFromFirewallObject(libfwbuilder::Firewall *fw); void readInstallerOptionsFromDialog(libfwbuilder::Firewall *fw, instOptionsDialog *dlg); bool verifyManagementAddress(); void storeInstallerOptions(); void findFirewalls(); bool isCiscoFamily(); bool isProcurve(); bool isJuniper(); void interpretLogLine(const QString &buf); public slots: void show(ProjectPanel *project, bool install, bool onlySelected, std::set fws); void autoCompile(ProjectPanel *project); void compilerFinished(int ret_code, QProcess::ExitStatus); void installerFinished(int ret_code, QProcess::ExitStatus); void installerSuccess(); void installerError(); void showPage(const int page); void finishClicked(); void cancelClicked(); void addToLog(const QString &buf); void updateProgressBar(int n,bool setsize); void saveLog(); void inspectFiles(); void readFromStdout(); void selectAllFirewalls(); void deselectAllFirewalls(); void nextClicked(); void backClicked(); void mainLoopCompile(); void mainLoopInstall(); void stopCompile(); void stopInstall(); void tableItemChanged(QTreeWidgetItem * item, int column); void findFirewallInCompileLog(QTreeWidgetItem* item); void logItemClicked(QUrl); signals: void activateRule(ProjectPanel*, QString, QString, int); void currentFirewallsBarValueChanged(int); void currentFirewallsBarMaximumValueChanged(int); 
void autoCompileDone(); }; #endif fwbuilder-5.3.7/src/libgui/instDialog_compile.cpp000066400000000000000000000241101303637203600220650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org Copyright (C) 2013 UNINETT AS Author: Sirius Bakke $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "instDialog.h" #include "FWBSettings.h" #include "FWWindow.h" #include "instOptionsDialog.h" #include "instBatchOptionsDialog.h" #include "events.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwcompiler/BaseCompiler.h" #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; bool instDialog::runCompiler(Firewall *fw) { if (fwbdebug) { qDebug() << "instDialog::runCompile"; qDebug() << "Firewall: " << fw->getName().c_str(); } // store pointer to the firewall so we can use it in // slot compilerFinished cnf.fwobj = fw; currentSearchString = tr("Compiling rule sets for firewall: "); currentFirewallsBar->setValue(compile_list_initial_size - 
compile_fw_list.size()); currentProgressBar->reset(); currentProgressBar->setFormat("%v/%m"); QTreeWidgetItem* item = opListMapping[fw->getId()]; assert(item!=NULL); currentFWLabel->setText(QString::fromUtf8(fw->getName().c_str())); m_dialog->fwWorkList->scrollToItem(item); setInProcessState(item); item->setText(1, tr("Compiling ...")); currentLabel->setText(tr("Compiling ...")); qApp->processEvents(); addToLog("\n"); addToLog( QObject::tr("Compiling rule sets for firewall: %1\n"). arg(QString::fromUtf8(fw->getName().c_str())) ); QStringList args = prepareArgForCompiler(fw); if (args.isEmpty()) return false; addToLog( args.join(" ") + "\n" ); // compilers always write file names into manifest in Utf8 #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); #endif QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); // Launch compiler in the background QString path = args.at(0); args.pop_front(); disconnect(currentStopButton, SIGNAL(clicked()) ); connect(currentStopButton, SIGNAL(clicked()), this, SLOT(stopCompile())); currentStopButton->setText(tr("Stop")); currentStopButton->setEnabled(true); setUpProcessToCompile(); if (!executeCommand(path, args)) QTimer::singleShot( 0, this, SLOT(mainLoopCompile())); return true; } void instDialog::stopCompile() { if( fwbdebug) qDebug("instDialog::stopCompile"); stopProcessFlag = true; disconnect(currentStopButton, SIGNAL(clicked()) ); currentStopButton->setEnabled(false); proc.terminate(); //try to close proc. QTimer::singleShot( 1000, &proc, SLOT( kill() ) ); //if it doesn't respond, kill it blockInstallForFirewall(cnf.fwobj); // to terminate whole compile sequence rather than just current // compiler process, clear the list. 
for (list::iterator i=compile_fw_list.begin();
     i!=compile_fw_list.end(); ++i)
{
    opCancelled(*i);
    blockInstallForFirewall(*i);
}
compile_fw_list.clear();
}

/*
 * Builds the argument vector for the policy compiler run for 'fw':
 * element 0 is the compiler program, followed by any extra arguments
 * from the object's "cmdline" option, then -v, -f <project file>,
 * optionally -d <working dir>, the -o/-O output name(s) and -i <object id>.
 * Returns an empty list when no compiler can be determined (a warning
 * box has already been shown in that case); the caller treats an empty
 * list as "do not run".
 *
 * NOTE(review): both the program to execute ("compiler" option) and its
 * extra arguments ("cmdline" option) are read from the firewall object's
 * options, i.e. from the project file itself. Opening a project file that
 * came from an untrusted source and pressing Compile therefore runs
 * whatever program that file names. If that is not intended, the
 * "compiler" value should be restricted (e.g. to the platform compilers
 * registered in Resources) or confirmed with the user before execution.
 */
QStringList instDialog::prepareArgForCompiler(Firewall *fw)
{
    FWOptions *fwopt = fw->getOptionsObject();
    QStringList args;
    /*
     * I should be able to specify custom compiler for firewall with
     * no platform (e.g. for experiments)
     */
    string compiler = fwopt->getStr("compiler");
    if (compiler=="")
    {
        // NOTE(review): if platform_res is a map of pointers (as the
        // indexing here suggests), an unknown "platform" string in the
        // object yields a null entry and this dereference crashes; check
        // the lookup result before calling getCompiler().
        compiler=Resources::platform_res[fw->getStr("platform")]->getCompiler();
    }
    if (compiler=="")
    {
        QMessageBox::warning(
            this,"Firewall Builder",
            tr("Firewall platform is not specified in this object.\n\ Can't compile firewall policy."),
            tr("&Continue"), QString::null,QString::null, 0, 1 );
        return args; // still empty list
    }
    /*
     * On Unix compilers are installed in the standard place and are
     * accessible via PATH. On Windows and Mac they get installed in
     * unpredictable directories and need to be found
     *
     * first, check if user specified an absolute path for the compiler,
     * then check if compiler is registered in preferences, and if not,
     * look for it in appRootDir and if it is not there, rely on PATH
     */
#if defined(Q_OS_WIN32) || defined(Q_OS_MACX)
    if ( ! QFile::exists( compiler.c_str() ) )
    {
        string ts = string("Compilers/")+compiler;
        QString cmppath = st->getStr( ts.c_str() );
        if (!cmppath.isEmpty()) compiler=cmppath.toLatin1().constData();
        else
        {
            /* try to find compiler in appRootDir.
            */
            // (this inner 'ts' shadows the one declared in the enclosing block)
            string ts = getPathToBinary(compiler);
            if (fwbdebug)
                qDebug("Checking compiler in %s", ts.c_str());
            if ( QFile::exists( ts.c_str() ) ) compiler = ts;
        }
    }
#endif
    QString wdir = getFileDir(project->getRCS()->getFileName() );
    args.clear();
    args.push_back(compiler.c_str());
    // NOTE(review): "cmdline" is split on single spaces only, so an argument
    // that itself contains a space (e.g. a quoted path) cannot be passed
    // intact; either document that limitation or use a quote-aware splitter.
    QString qs = fwopt->getStr("cmdline").c_str();
    args += qs.split(" ", QString::SkipEmptyParts);
    args.push_back("-v");
    args.push_back("-f");
    args.push_back(project->getRCS()->getFileName());
    // If we are compiling in the background (for diff), set wdir to temp directory
    if (isAutoCompiling)
    {
        QDir tempDir(project->getTemporaryDirPath());
        // NOTE(review): mkdir()'s return value is ignored; if the directory
        // cannot be created the compiler is still pointed at it via -d.
        if (!tempDir.exists()) tempDir.mkdir(project->getTemporaryDirPath());
        wdir = tempDir.absolutePath();
    }
    if (wdir!="")
    {
        args.push_back("-d");
        args.push_back(wdir);
    }
    // Always pass "-o file_name" parameter to the compiler. If user
    // specified it in the "compiler" tab, then use that. If not,
    // compose it from the name of the firewall and extension
    // ".fw". This way we can properly encode file name for the
    // encoding and locale used on the system. Compiler simply takes
    // the name of the fw object from XML file and uses that for the
    // generated file name, but since the name in XML is encoded in
    // Utf8, the file name ended up in Utf8 regardless of the OS
    // encoding and locale. This caused problems, such as installer
    // could not then find file created by the compiler if fw name had
    // non-ascii characters.
    // If object being compiled is a Cluster, use -O instead of
    // -o. 
The parameter is a list of pairs: // member_fw_id_1,output_file_name_1,member_fw_id_2,output_file_name_2 // (all separated by commas) if (Cluster::isA(fw)) { args.push_back("-O"); QStringList name_pairs; list members; Cluster::cast(fw)->getMembersList(members); for (list::iterator it=members.begin(); it!=members.end(); ++it) { QString fw_id = project->db()->getStringId((*it)->getId()).c_str(); name_pairs.push_back( fw_id + "," + FirewallInstaller::getGeneratedFileName(*it) ); } args.push_back(name_pairs.join(",")); } else { args.push_back("-o"); // args.push_back(FirewallInstaller::getGeneratedFileFullPath(fw)); args.push_back(FirewallInstaller::getGeneratedFileName(fw)); } args.push_back("-i"); args.push_back( project->db()->getStringId(fw->getId()).c_str() ); return args; } void instDialog::compilerFinished(int ret_code, QProcess::ExitStatus status) { if( fwbdebug) qDebug("instDialog::compilerFinished " "exit code = %d exit_status=%d", ret_code, status); readFromStdout(); if (rejectDialogFlag) { rejectDialogFlag = false; QDialog::reject(); return; } // if (ret_code==0 && status==QProcess::NormalExit) if ((ret_code==fwcompiler::BaseCompiler::FWCOMPILER_SUCCESS || ret_code==fwcompiler::BaseCompiler::FWCOMPILER_WARNING) && status==QProcess::NormalExit && !isAutoCompiling) { if (ret_code==fwcompiler::BaseCompiler::FWCOMPILER_WARNING) opWarning(cnf.fwobj); else opSuccess(cnf.fwobj); // mw->updateLastCompiledTimestamp(cnf.fwobj); QCoreApplication::postEvent( mw, new updateLastCompiledTimestampEvent( project->db()->getFileName().c_str(), cnf.fwobj->getId())); if (Cluster::isA(cnf.fwobj)) { list members; Cluster::cast(cnf.fwobj)->getMembersList(members); for (list::iterator it=members.begin(); it!=members.end(); ++it) { // project->updateLastCompiledTimestamp(*it); QCoreApplication::postEvent( mw, new updateLastCompiledTimestampEvent( project->db()->getFileName().c_str(), (*it)->getId())); } } } else { blockInstallForFirewall(cnf.fwobj); opError(cnf.fwobj); } 
currentProgressBar->setValue(currentProgressBar->maximum()); QTimer::singleShot( 0, this, SLOT(mainLoopCompile())); return; } fwbuilder-5.3.7/src/libgui/instDialog_installer.cpp000066400000000000000000000151751303637203600224450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "CompilerDriver.h" #include "FWBSettings.h" #include "FWWindow.h" #include "FirewallInstallerCisco.h" #include "FirewallInstallerJuniper.h" #include "FirewallInstallerProcurve.h" #include "FirewallInstallerUnx.h" #include "events.h" #include "instBatchOptionsDialog.h" #include "instDialog.h" #include "instOptionsDialog.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; bool instDialog::runInstaller(Firewall *fw, bool installing_many_firewalls) { cnf.fwobj = fw; cnf.maddr = ""; if (fwbdebug) qDebug() << "instDialog::runInstaller: built-in installer" << fw->getName().c_str() << " cnf.user=" << cnf.user; if 
(!getInstOptions(fw, installing_many_firewalls)) { QTimer::singleShot( 0, this, SLOT(mainLoopInstall())); this->opCancelled(fw); return false; } // args.clear(); /* need to save settings so that if the user just changed ssh/scp, the * wrapper will pick changes up */ st->save(); summary(); if (checkSSHPathConfiguration(fw)) { setTitle( 1, QObject::tr("Installing policy rules on firewall '%1'"). arg(QString::fromUtf8(fw->getName().c_str() ))); currentSearchString = tr("Install firewall: "); currentFirewallsBar->setValue(install_list_initial_size - install_fw_list.size()); currentProgressBar->reset(); currentProgressBar->setFormat("%v/%m"); QTreeWidgetItem* item = opListMapping[fw->getId()]; assert(item!=NULL); currentFWLabel->setText(QString::fromUtf8(fw->getName().c_str())); m_dialog->fwWorkList->scrollToItem(item); setInProcessState(item); item->setText(1, tr("Installing ...")); currentLabel->setText(tr("Installing ...")); qApp->processEvents(); addToLog("\n"); if (fwbdebug) qDebug() << "instDialog::runInstaller:" << " cnf.user=" << cnf.user; if (installer!=NULL) delete installer; if (isCiscoFamily()) installer = new FirewallInstallerCisco(this, &cnf, fwb_prompt); else if (isProcurve()) installer = new FirewallInstallerProcurve(this, &cnf, fwb_prompt); else if (isJuniper()) installer = new FirewallInstallerJuniper(this, &cnf, fwb_prompt); else installer = new FirewallInstallerUnx(this, &cnf, fwb_prompt); if (!installer->packInstallJobsList(fw)) { QTimer::singleShot( 0, this, SLOT(mainLoopInstall())); return false; } currentProgressBar->setValue(0); disconnect(currentStopButton, SIGNAL(clicked())); connect(currentStopButton, SIGNAL(clicked()), this, SLOT(stopInstall())); installer->runJobs(); } else { opListMapping[fw->getId()]->setText(1, tr("Failure")); setFailureState(opListMapping[fw->getId()]); addToLog("Firewall policy installation failed\n"); QTimer::singleShot( 0, this, SLOT(mainLoopInstall())); } return true; } void instDialog::stopInstall() { 
currentStopButton->setEnabled(false);
    disconnect(currentStopButton, SIGNAL(clicked()));
    stopProcessFlag = true; // likely unused
    // Ask the external process to exit first; if it is still running one
    // second later it is killed outright.
    proc.terminate(); // try to close proc.
    QTimer::singleShot(1000, &proc, SLOT(kill())); //if it doesn't respond, kill it

    if (installer != NULL)
    {
        if (fwbdebug)
            qDebug() << "instDialog::stopInstall killing installer";
        installer->terminate();
        delete installer;
        installer = NULL;
    }

    // to terminate whole install sequence rather than just current
    // process, clear the list.
    // Every firewall still queued is marked "Cancelled" in the result
    // list first, so nothing is left showing as pending.
    for (list::iterator i=install_fw_list.begin(); i!=install_fw_list.end(); ++i)
        opCancelled(*i);
    install_fw_list.clear();

    setFinishEnabled(currentPage(), true);
}

/*
 * Slot run when the external installer process has finished.
 *
 * ret_code - exit code of the installer process
 * status   - QProcess::NormalExit or QProcess::CrashExit
 *
 * Success is decided solely by the exit status: only a normal exit with
 * code 0 counts. The captured output is logged but never inspected, so
 * an installer script that fails a step yet still exits 0 is reported
 * here as a successful install.
 */
void instDialog::installerFinished(int ret_code, QProcess::ExitStatus status)
{
    if( fwbdebug)
        qDebug("instDialog::installerFinished "
               "exit code = %d exit_status=%d", ret_code, status);

    // run readFromStdout() and processEvents() to make sure all
    // events that pass output from the external installer script have
    // been processed. Otherwise the output from the next installer
    // pass in batch install mixes with the tail of the output from
    // the previous one.
    readFromStdout();
    qApp->processEvents();

    if (ret_code==0 && status==QProcess::NormalExit) installerSuccess();
    else installerError();
}

/*
 * Record a successful install: mark the firewall's row as "Success",
 * post an event so the main window updates the object's "last
 * installed" timestamp, and schedule the next firewall of the batch
 * after a one-second pause.
 */
void instDialog::installerSuccess()
{
    opSuccess(cnf.fwobj);
    // project->updateLastInstalledTimestamp(cnf.fwobj);
    QCoreApplication::postEvent(
        mw, new updateLastInstalledTimestampEvent(project->db()->getFileName().c_str(),
                                                  cnf.fwobj->getId()));
    currentProgressBar->setValue(currentProgressBar->maximum());
    addToLog("Firewall policy successfully installed\n");
    QTimer::singleShot( 1000, this, SLOT(mainLoopInstall()));
}

/*
 * Record a failed install: mark the row as "Failure", log it, and move
 * on to the next firewall of the batch immediately. No timestamp
 * event is posted on this path.
 */
void instDialog::installerError()
{
    opError(cnf.fwobj);
    currentProgressBar->setValue(currentProgressBar->maximum());
    opListMapping[cnf.fwobj->getId()]->setText(1, tr("Failure"));
    addToLog("Firewall policy installation failed\n");
    QTimer::singleShot( 0, this, SLOT(mainLoopInstall()));
}
fwbuilder-5.3.7/src/libgui/instDialog_ui_ops.cpp000066400000000000000000001316251303637203600217450ustar00rootroot00000000000000/*

    Firewall Builder

    Copyright (C) 2008 NetCitadel, LLC

    Author: Vadim Kurland vadim@fwbuilder.org

    Copyright (C) 2013 UNINETT AS

    Author: Sirius Bakke

    $Id$

    This program is free software which we release under the GNU General Public
    License. You may redistribute and/or modify this program under the terms
    of that license as published by the Free Software Foundation; either
    version 2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "instDialog.h" #include "FirewallInstaller.h" #include "FWBSettings.h" #include "FWWindow.h" #include "InstallFirewallViewItem.h" #include "instOptionsDialog.h" #include "instBatchOptionsDialog.h" #include "FirewallCodeViewer.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Management.h" #include "fwbuilder/StateSyncClusterGroup.h" #ifndef _WIN32 # include // for access(2) and getdomainname #endif #include #include #include using namespace std; using namespace libfwbuilder; void instDialog::enableStopButton() { currentStopButton->setText(tr("Stop")); currentStopButton->setEnabled(true); } void instDialog::disableStopButton() { currentStopButton->setEnabled(false); } bool instDialog::checkIfNeedToCompile(Firewall *fw) { return (fw->needsCompile() && !fw->getInactive()); } bool instDialog::checkIfNeedToInstall(Firewall *fw) { return (fw->needsInstall() && !fw->getInactive()); } QTreeWidgetItem* instDialog::createTreeItem(QTreeWidgetItem* parent, Firewall *fw) { QTreeWidgetItem* item; QStringList sl; sl.push_back(QString::fromUtf8(fw->getName().c_str())); if (parent) item = new QTreeWidgetItem(parent, sl); else item = new QTreeWidgetItem(sl); QString icn_filename = (":/Icons/" + fw->getTypeName() + "/icon").c_str(); QPixmap pm; if ( ! 
QPixmapCache::find(icn_filename, pm)) { pm.load(icn_filename); QPixmapCache::insert(icn_filename, pm); } item->setIcon(0, QIcon(pm)); item->setData(0, Qt::UserRole, QVariant(fw->getId())); // Mark cluster members // If parent!=NULL, new tree item corresponds to the cluster member item->setData(1, Qt::UserRole, QVariant(parent!=NULL)); // it is useful to know how many members does this cluster have. If this is // not a cluster, store 0 list members; if (Cluster::isA(fw)) Cluster::cast(fw)->getMembersList(members); int num_members = members.size(); item->setData(2, Qt::UserRole, QVariant(num_members)); // item->setCheckState(COMPILE_CHECKBOX_COLUMN, checkIfNeedToCompile(fw)?Qt::Checked:Qt::Unchecked); // if (!compile_only) // item->setCheckState(INSTALL_CHECKBOX_COLUMN, checkIfNeedToInstall(fw)?Qt::Checked:Qt::Unchecked); return item; } void instDialog::setFlags(QTreeWidgetItem* item) { int obj_id = item->data(0, Qt::UserRole).toInt(); Firewall *fw = Firewall::cast(project->db()->findInIndex(obj_id)); QTreeWidgetItem* parent = item->parent(); time_t lm = fw->getInt("lastModified"); time_t lc = fw->getInt("lastCompiled"); time_t li = fw->getInt("lastInstalled"); QDateTime dt; if (fwbdebug) { qDebug() << "instDialog::setFlags" << item->text(0) << "parent=" << parent << "fw=" << fw << "Firewall::isA(fw)=" << Firewall::isA(fw) << "lm=" << lm << "lc=" << lc << "li=" << li << "compile_only=" << compile_only; qDebug() << "fw->needsCompile()" << fw->needsCompile() << "checkIfNeedToCompile(fw)=" << checkIfNeedToCompile(fw); } // need to skip the secondary cluster members if platform only // allows installations on the primary (e.g. PIX). Note that // platform attribute must be the same in the cluster and member // firewalls objects. 
See #998 string platform = fw->getStr("platform"); bool install_only_on_primary_member = Resources::getTargetCapabilityBool( platform, "install_only_on_primary"); Cluster *cluster = NULL; FWObject *master_interface = NULL; if (parent) { int obj_id = parent->data(0, Qt::UserRole).toInt(); cluster = Cluster::cast(project->db()->findInIndex(obj_id)); if (cluster) { FWObject *state_sync_group = cluster->getFirstByType(StateSyncClusterGroup::TYPENAME); // use state sync group to find which member firewall is // master. This is only needed for platforms that install // only on master (PIX at this time) if (state_sync_group) { string master_id = state_sync_group->getStr("master_iface"); for (FWObjectTypedChildIterator grp_it = state_sync_group->findByType(FWObjectReference::TYPENAME); grp_it != grp_it.end(); ++grp_it) { FWObject *iface = FWObjectReference::getObject(*grp_it); if (FWObjectDatabase::getStringId(iface->getId()) == master_id) { master_interface = iface; break; } } } } } // Real firewalls get checkbox for install if (Firewall::isA(fw)) { bool checked = false; if (!compile_only) { checked = checkIfNeedToInstall(fw); if (cluster) { // override if checkIfNeedToCompile() is true for the // parent cluster. if (checkIfNeedToCompile(cluster)) { checked = true; } } item->setCheckState(INSTALL_CHECKBOX_COLUMN, checked?Qt::Checked:Qt::Unchecked); // If this platform requires installation only on // the master, disable and uncheck checkbox for the standby. 
if (install_only_on_primary_member && master_interface != NULL) { QString txt = item->text(0); if (master_interface->isChildOf(fw)) { // Master item->setText(0, QString("%1 (master)").arg(txt)); } else { // Standby item->setText(0, QString("%1 (standby)").arg(txt)); item->setCheckState(INSTALL_CHECKBOX_COLUMN, Qt::Unchecked); item->setFlags(0); } } } if (cluster==NULL) { // we are adding firewall that is not cluster member, it // needs "compile" checkbox checked = checkIfNeedToCompile(fw); item->setCheckState(COMPILE_CHECKBOX_COLUMN, checked?Qt::Checked:Qt::Unchecked); } } int num_members = 0; // Clusters only get checkbox for compile, and only if they have members. if (Cluster::isA(fw)) { list members; Cluster::cast(fw)->getMembersList(members); num_members = members.size(); if (num_members) { bool checked = checkIfNeedToCompile(fw); item->setCheckState(COMPILE_CHECKBOX_COLUMN, checked?Qt::Checked:Qt::Unchecked); } } dt.setTime_t(lm); item->setText(LAST_MODIFIED_COLUMN, (lm)?dt.toString():QString("Never")); dt.setTime_t(lc); item->setText(LAST_COMPILED_COLUMN, (lc)?dt.toString():QString("Never")); dt.setTime_t(li); item->setText(LAST_INSTALLED_COLUMN, (li)?dt.toString():QString("Never")); } /* * The following color and font manipulations are subject to QT bug * http://trolltech.no/developer/task-tracker/index_html?method=entry&id=212207 * * This requires QT 4.4.1 or 4.3 */ void instDialog::setSuccessState(QTreeWidgetItem *item) { QBrush b = item->foreground(1); b.setColor(Qt::darkGreen); item->setForeground(1,b); item->setForeground(0,b); QFont f = item->font(1); f.setBold(true); item->setFont(1,f); item->setFont(0,f); } void instDialog::setWarningState(QTreeWidgetItem *item) { QBrush b = item->foreground(1); b.setColor(QColor("orange")); item->setForeground(1,b); item->setForeground(0,b); QFont f = item->font(1); f.setBold(true); item->setFont(1,f); item->setFont(0,f); } void instDialog::setFailureState(QTreeWidgetItem *item) { QBrush b = item->foreground(1); 
b.setColor(Qt::darkRed); item->setForeground(1,b); item->setForeground(0,b); QFont f = item->font(1); f.setBold(true); item->setFont(1,f); item->setFont(0,f); } void instDialog::setErrorState(QTreeWidgetItem *item) { QBrush b = item->foreground(1); b.setColor(Qt::darkRed); item->setForeground(1,b); item->setForeground(0,b); QFont f = item->font(1); f.setBold(true); item->setFont(1,f); item->setFont(0,f); } void instDialog::setInProcessState(QTreeWidgetItem *item) { QBrush b = item->foreground(1); b.setColor(Qt::black); item->setForeground(1,b); item->setForeground(0,b); QFont f = item->font(1); f.setBold(true); item->setFont(1,f); item->setFont(0,f); } void instDialog::opSuccess(Firewall *fw) { if (fwbdebug) qDebug() << "instDialog::opSuccess fw=" << fw->getName().c_str(); compile_status[fw] = fwcompiler::BaseCompiler::FWCOMPILER_SUCCESS; QTreeWidgetItem* itm = opListMapping[(fw)->getId()]; if (itm) { itm->setText(1,tr("Success")); setSuccessState(itm); } currentLabel->setText(""); } void instDialog::opWarning(Firewall *fw) { if (fwbdebug) qDebug() << "instDialog::opWarning fw=" << fw->getName().c_str(); compile_status[fw] = fwcompiler::BaseCompiler::FWCOMPILER_WARNING; QTreeWidgetItem* itm = opListMapping[(fw)->getId()]; if (itm) { itm->setText(1,tr("Success with warning")); setWarningState(itm); } currentLabel->setText(""); } void instDialog::opError(Firewall *fw) { if (fwbdebug) qDebug() << "instDialog::opError fw=" << fw->getName().c_str(); compile_status[fw] = fwcompiler::BaseCompiler::FWCOMPILER_ERROR; QTreeWidgetItem* itm = opListMapping[(fw)->getId()]; if (itm) { itm->setText(1, tr("Error")); setErrorState(itm); } currentLabel->setText(""); } void instDialog::opCancelled(Firewall *fw) { compile_status[fw] = fwcompiler::BaseCompiler::FWCOMPILER_ERROR; QTreeWidgetItem* itm = opListMapping[(fw)->getId()]; // itm can be NULL, for example when we install to PIX cluster // where we skip one of the members if (itm) { itm ->setText(1, tr("Cancelled")); 
setErrorState(itm); } currentLabel->setText(""); } void instDialog::nextClicked() { if (currentPage() == CHOOSE_OBJECTS) { page_1_op = INST_DLG_COMPILE; showPage(COMPILE_INSTALL); return; } if (currentPage() == COMPILE_INSTALL && (page_1_op == INST_DLG_COMPILE || page_1_op == INST_DLG_INSPECT)) { // clicking "Next" on page 1 (compile/install) changes // contents of the same page page_1_op = INST_DLG_INSTALL; showPage(COMPILE_INSTALL); return; } } void instDialog::backClicked() { if (currentPage() == COMPILE_INSTALL && page_1_op == INST_DLG_COMPILE) { // clicking "Back" on page 1 in mode "compile" returns to page 0 page_1_op = INST_DLG_COMPILE; showPage(CHOOSE_OBJECTS); return; } if (currentPage() == COMPILE_INSTALL && page_1_op == INST_DLG_INSTALL) { // clicking "Back" on page 1 in mode "install" changes // contents of the same page. Ideally, I would like to be // able to move back from "install" mode to "compile" mode // without recompiling everything. This is impossible in the // current implementation because we reuse the same widgets on // the page. This will be possible when "install" becomes its // own page of the wizard. 
// page_1_op = INST_DLG_COMPILE; // showPage(COMPILE_INSTALL); return; } if (currentPage() == COMPILE_INSTALL && page_1_op == INST_DLG_INSPECT) { page_1_op = INST_DLG_COMPILE; showPage(COMPILE_INSTALL); return; } } void instDialog::inspectFiles() { page_1_op = INST_DLG_INSPECT; showPage(COMPILE_INSTALL); } void instDialog::prepareInstConf(Firewall *) { if (fwbdebug) qDebug("instDialog::prepareInstConf"); } void instDialog::storeInstallerOptions() { st->setValue(SETTINGS_PATH_PREFIX"/Installer/savediff",cnf.save_diff); st->setValue(SETTINGS_PATH_PREFIX"/Installer/saveStandby",cnf.saveStandby); st->setValue(SETTINGS_PATH_PREFIX"/Installer/dryrun" ,cnf.dry_run); st->setValue(SETTINGS_PATH_PREFIX"/Installer/quiet", cnf.quiet); st->setValue(SETTINGS_PATH_PREFIX"/Installer/verbose", cnf.verbose); st->setValue(SETTINGS_PATH_PREFIX"/Installer/stripComments", cnf.stripComments); st->setValue(SETTINGS_PATH_PREFIX"/Installer/compressScript", cnf.compressScript); st->setValue(SETTINGS_PATH_PREFIX"/Installer/copyFWB", cnf.copyFWB); } void instDialog::summary() { QStringList str; str.append(QObject::tr("Summary:")); str.append(QObject::tr("* Running as user : %1").arg(user_name)); str.append(QObject::tr("* Firewall name : %1") .arg(QString::fromUtf8(cnf.fwobj->getName().c_str()))); str.append(QObject::tr("* Installer uses user name : %1").arg(cnf.user)); // print destination machine address or name correctly, taking into // account putty session if any if (!cnf.putty_session.isEmpty()) str.append(QObject::tr("* Using putty session: %1").arg(cnf.putty_session)); else str.append(QObject::tr("* Management address : %1").arg(cnf.maddr)); str.append(QObject::tr("* Platform : %1") .arg(cnf.fwobj->getStr("platform").c_str())); str.append(QObject::tr("* Host OS : %1") .arg(cnf.fwobj->getStr("host_OS").c_str())); str.append(QObject::tr("* Loading configuration from file %1") .arg(cnf.fwbfile)); if (cnf.save_diff) str.append(QObject::tr("* Configuration diff will be saved in file %1"). 
arg(cnf.diff_file)); if (cnf.dry_run) str.append(QObject::tr("* Commands will not be executed on the firewall")); if (fwbdebug) { str.append(QObject::tr("--------------------------------")); str.append(QObject::tr("* Variables:")); str.append(QObject::tr("* fwdir= %1") .arg(cnf.fwdir)); str.append(QObject::tr("* fwscript= %1") .arg(cnf.fwscript)); str.append(QObject::tr("* remote_script= %1") .arg(cnf.remote_script)); } str.append(""); QTextCursor cursor = m_dialog->procLogDisplay->textCursor(); cursor.insertBlock(); cursor.insertText(str.join("\n"), highlight_format); } void instDialog::fillCompileSelectList() { if (fwbdebug) qDebug("instDialog::fillCompileSelectList"); Firewall *fw; Cluster *cl; QDateTime dt; creatingTable = true; m_dialog->selectTable->clear(); list working_list_of_firewalls = firewalls; for (list::iterator i=clusters.begin(); i!=clusters.end(); ++i) { cl = *i; QTreeWidgetItem* cluster_item = createTreeItem(NULL, cl); m_dialog->selectTable->addTopLevelItem(cluster_item); list members; cl->getMembersList(members); for (list::iterator member=members.begin(); member!=members.end(); ++member) { createTreeItem(cluster_item, *member); working_list_of_firewalls.remove(*member); } cluster_item->setExpanded(true); } for (list::iterator i=working_list_of_firewalls.begin(); i!=working_list_of_firewalls.end(); ++i) { fw = *i; QTreeWidgetItem* fw_item = createTreeItem(NULL, fw); m_dialog->selectTable->addTopLevelItem(fw_item); } QTreeWidgetItemIterator it(m_dialog->selectTable); while (*it) { setFlags(*it); ++it; } /* ticket #1305 * check if any of the firewall objects are members of clusters but * the clusters are not requested for compile */ QString warn1( tr("You are trying to compile policy for a firewall object that is " "a member of a cluster, however you requested compilation of only " "this member firewall and not the cluster it belongs to. Assuming " "firewall is standalone and not cluster member. 
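Rules and parts of "
        "the script specific for the cluster configuration will not be "
        "generated."));

    QStringList warn2;
    list all_libs = project->db()->getByType(Library::TYPENAME);
    foreach(FWObject *lib, all_libs)
    {
        if (lib->getId() == FWObjectDatabase::DELETED_OBJECTS_ID) continue;
        list all_clusters = lib->getByTypeDeep(Cluster::TYPENAME);
        foreach(FWObject *_cl, all_clusters)
        {
            if (std::find(clusters.begin(), clusters.end(), _cl) == clusters.end())
            {
                Cluster *cluster = Cluster::cast(_cl);
                assert(cluster);
                foreach(FWObject *fw, firewalls)
                {
                    if (cluster->hasMember(Firewall::cast(fw)))
                    {
                        warn2 << QString(tr("Firewall '%1' is member of cluster '%2'")
                                         .arg(QString::fromUtf8(fw->getName().c_str()))
                                         .arg(QString::fromUtf8(cluster->getPath().c_str())));
                    }
                }
            }
        }
    }

    if (!warn2.empty())
    {
        m_dialog->warning_message_1->setText(warn1);
        m_dialog->warning_message_2->setText(warn2.join("\n"));
        m_dialog->warning_space->show();
    }

    creatingTable = false;

    for (int i=0; i<m_dialog->selectTable->columnCount(); i++)
        m_dialog->selectTable->resizeColumnToContents(i);

    setNextEnabled(0, tableHasCheckedItems());
    //m_dialog->selectTable->resizeRowsToContents();
}

/*
 * Write the command line about to be executed to the log, replacing
 * the value that follows every "-pw" switch with "XXXXXX" so that a
 * password does not end up in the on-screen log or in a log file the
 * user saves later.
 *
 * Only the logged copy is masked: the unmasked argument vector is
 * still handed to the child process, and command-line arguments of a
 * running process may be readable by other local users through the
 * process list.
 *
 * args - the argument vector as it will be passed to the process
 */
void instDialog::displayCommand(const QStringList &args)
{
    QStringList a1 = args;
    for (QStringList::iterator i=a1.begin(); i!=a1.end(); ++i)
    {
        if ( (*i)=="-pw" )
        {
            ++i;
            // "-pw" may be the last element; the value slot must exist
            // before it is overwritten (dereferencing end() is undefined).
            if (i == a1.end()) break;
            *i = "XXXXXX";
        }
    }
    QString s=a1.join(" ");
    addToLog( tr("Running command '%1'\n").arg(s) );
}

/*
 * Update the progress bar of the current operation.
 *
 * n       - with setsize true: the new maximum; otherwise the number
 *           of items still left to process
 * setsize - true to (re)initialise the maximum instead of the value
 */
void instDialog::updateProgressBar(int n, bool setsize)
{
    if (fwbdebug)
        qDebug("instDialog::updateProgressBar n=%d setsize=%d",n,setsize);
    if (setsize) currentProgressBar->setMaximum(n);
    else currentProgressBar->setValue(currentProgressBar->maximum()-n);
}

/* "Finish" button: remember that the wizard completed and close it. */
void instDialog::finishClicked()
{
    finished = true;
    accept();
}

/* user clicked 'Cancel' */
void instDialog::cancelClicked()
{
    if (fwbdebug) qDebug("instDialog::cancelClicked()");
    finished = true;
    if (proc.state() == QProcess::Running)
    {
        if (fwbdebug)
            qDebug() << "instDialog::cancelClicked killing background process";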
rejectDialogFlag = true; proc.kill(); } if (installer != NULL) { if (fwbdebug) qDebug() << "instDialog::cancelClicked killing installer"; installer->terminate(); delete installer; installer = NULL; } QDialog::reject(); } void instDialog::showEvent( QShowEvent *ev) { st->restoreGeometry(this, QRect(200,100,780,500) ); QDialog::showEvent(ev); } void instDialog::hideEvent( QHideEvent *ev) { st->saveGeometry(this); QDialog::hideEvent(ev); } void instDialog::saveLog() { /* * We use QTextEdit::append to add lines to the log buffer, each append creates a new paragraph so QTextEdit::text returns only contents of the last paragraph. Need to reassemble the whole text adding text from each paragraph separately. */ QString logText; logText = m_dialog->procLogDisplay->toPlainText(); QString s = QFileDialog::getSaveFileName( this, "Choose a file", st->getOpenFileDir(), "Text file (*.txt)"); if (s.isEmpty()) return; st->setOpenFileDir(s); if (!s.endsWith(".txt")) s += ".txt"; if (fwbdebug) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug( "Saving log to file %s", s.toAscii().constData() ); #else qDebug( "Saving log to file %s", s.toLatin1().constData() ); #endif QFile f(s); if (f.open( QIODevice::WriteOnly )) { QTextStream str( &f ); str << logText; f.close(); } } /* * Adds one line of text to the log * */ void instDialog::addToLog(const QString &buf) { if (buf.isEmpty()) return; foreach(QString line, buf.trimmed().split("\n")) { QTextCharFormat format = normal_format; list::const_iterator it; for (it=error_re.begin(); it!=error_re.end(); ++it) { if ((*it).indexIn(line) != -1) { format = error_format; break; } } for (it=warning_re.begin(); it!=warning_re.end(); ++it) { if ((*it).indexIn(line) != -1) { format = warning_format; break; } } /* See sourceforge bug https://sourceforge.net/tracker/?func=detail&aid=2847263&group_id=5314&atid=1070394 * * QTextEditor::insertHtml() becomes incrementally slow as the * amount of text already in the QTextEditor * increases. 
Compiling ~10 firewalls with few dozen rules * each slows the output to a crawl on Windows. Keeping each * line in a separate block makes it much faster. */ QString txt = line; while (!txt.isEmpty() && (txt.endsWith("\n") || txt.endsWith("\r"))) txt.chop(1); if (format == error_format || format == warning_format ) format.setAnchorHref(txt); QTextCursor cursor = m_dialog->procLogDisplay->textCursor(); cursor.insertBlock(); cursor.insertText(txt, format); } //m_dialog->procLogDisplayList->addItem(txt); m_dialog->procLogDisplay->ensureCursorVisible(); //qApp->processEvents(); } void instDialog::interpretLogLine(const QString &line) { if (fwbdebug) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("instDialog::interpretLogLine %s", line.toAscii().constData() ); #else qDebug("instDialog::interpretLogLine %s", line.toLatin1().constData() ); #endif QStringList words = line.trimmed().split(" "); if (fwbdebug) { for (int i=0; i=0) { bool ok; processedRules = words[1].toInt(&ok); if (ok) currentProgressBar->setValue(processedRules); if (fwbdebug) qDebug("instDialog::interpretLogLine set progress bar current=%d", processedRules); } else { if (words.first().indexOf("processing")>=0) { currentProgressBar->reset(); bool ok; int totalRules = words[1].toInt(&ok); if (ok) currentProgressBar->setMaximum(totalRules); processedRules = 0; if (fwbdebug) qDebug("instDialog::interpretLogLine set progress bar max=%d", totalRules); } else { if (words.first().indexOf("Compiling")>=0) { //currentLabel->setText(line.trimmed()); currentProgressBar->reset(); } else { if (line.indexOf("Compiled successfully")>=0) { //currentLabel->setText(line.trimmed()); currentProgressBar->setValue(currentProgressBar->maximum()); if (fwbdebug) qDebug("instDialog::interpretLogLine set progress " "bar to max"); } } } } QApplication::processEvents(QEventLoop::ExcludeUserInputEvents,1); } void instDialog::readFromStdout() { char buf[2048]; int read_status = 0; while ((read_status = proc.readLine(buf, 
 sizeof(buf)))>0)
    {
        if (fwbdebug)
        {
            qDebug("instDialog::readFromStdout: read_status=%d buf=%s",
                   read_status, buf);
        }
        // Every line read from the child process is both echoed to the
        // log widget and scanned for progress markers.
        addToLog(buf);
        interpretLogLine(buf);
    }
}

/*
 * Set both the "Install" and "Compile" checkboxes of every row of the
 * selection table (subject to the per-row rules in setSelectStateAll())
 * and refresh the wizard's "Next" button.
 */
void instDialog::selectAllFirewalls()
{
    if (fwbdebug) qDebug("instDialog::selectAllFirewalls");
    setSelectStateAll(INSTALL_CHECKBOX_COLUMN, Qt::Checked);
    setSelectStateAll(COMPILE_CHECKBOX_COLUMN, Qt::Checked);
    // tableItemChanged() ignores its arguments; it only re-evaluates the
    // "Next" button from tableHasCheckedItems().
    tableItemChanged(NULL, 0);
}

/*
 * Clear both checkboxes of every row of the selection table and refresh
 * the wizard's "Next" button.
 */
void instDialog::deselectAllFirewalls()
{
    setSelectStateAll(INSTALL_CHECKBOX_COLUMN, Qt::Unchecked);
    setSelectStateAll(COMPILE_CHECKBOX_COLUMN, Qt::Unchecked);
    tableItemChanged(NULL, 0);
}

/*
 * Apply check state `select` to column `column` of every user-checkable
 * row of the selection table.
 *
 * Each row's item data is read as: object id (column 0, UserRole),
 * "is a cluster member" flag (column 1) and, for clusters, the number of
 * members (column 2). Rows without Qt::ItemIsUserCheckable are skipped.
 */
void instDialog::setSelectStateAll(int column, Qt::CheckState select)
{
    QTreeWidgetItemIterator it(m_dialog->selectTable);
    while (*it)
    {
        int obj_id = (*it)->data(0, Qt::UserRole).toInt();
        FWObject *o = project->db()->findInIndex(obj_id);
        bool cluster_member = (*it)->data(1, Qt::UserRole).toBool();
        int num_members = (*it)->data(2, Qt::UserRole).toInt();
        Qt::ItemFlags flags = (*it)->flags();
        if ((flags & Qt::ItemIsUserCheckable) != 0)
        {
            // firewalls only get checkboxes for install,
            if (column == INSTALL_CHECKBOX_COLUMN && Firewall::isA(o))
                (*it)->setCheckState(column, select);

            // Cluster gets checkbox for compile.
            // Cluster should never get a checkbox if it has no members.
            // Firewall that is not a cluster member gets compile checkbox
            // NOTE(review): the second alternative below does not test
            // `column`, so for INSTALL_CHECKBOX_COLUMN a standalone firewall
            // is assigned the same state twice (harmless) — confirm intended.
            if ((column == COMPILE_CHECKBOX_COLUMN && Cluster::isA(o) && num_members) ||
                (Firewall::isA(o) && !cluster_member))
                (*it)->setCheckState(column, select);
        }
        ++it;
    }
}

/*
 * Rebuild compile_fw_list from the rows whose "Compile" checkbox is set
 * and record its initial size in compile_list_initial_size.
 */
void instDialog::fillCompileOpList()
{
    compile_fw_list.clear();

    QTreeWidgetItemIterator it(m_dialog->selectTable);
    while (*it)
    {
        if ((*it)->checkState(COMPILE_CHECKBOX_COLUMN))
        {
            int obj_id = (*it)->data(0, Qt::UserRole).toInt();
            FWObject *o = project->db()->findInIndex(obj_id);
            // NOTE(review): nothing here checks the result of Firewall::cast();
            // presumably only Firewall/Cluster rows carry a compile checkbox
            // (see setSelectStateAll()) — confirm.
            compile_fw_list.push_back(Firewall::cast(o));
        }
        ++it;
    }
    compile_list_initial_size = compile_fw_list.size();
}

/*
 * Populate the work list widget (fwWorkList) with one item per firewall in
 * compile_fw_list. Each item stores the object id as UserRole data and is
 * registered in opListMapping by object id so progress updates can find it.
 */
void instDialog::fillCompileUIList()
{
    if (fwbdebug) qDebug("instDialog::fillCompileUIList");

    m_dialog->fwWorkList->clear();
    opListMapping.clear();

    Firewall * f;
    InstallFirewallViewItem * item;
    list::iterator i;
    for(i=compile_fw_list.begin(); i!=compile_fw_list.end(); ++i)
    {
        f = (*i);
        item = new InstallFirewallViewItem(
            NULL,//m_dialog->fwWorkList,
            QString::fromUtf8(f->getName().c_str()),
            false);
        item->setData(0, Qt::UserRole, QVariant(f->getId()));
        m_dialog->fwWorkList->insertTopLevelItem(0, item);
        opListMapping[f->getId()] = item;
    }
    m_dialog->fwWorkList->resizeColumnToContents(0);
    m_dialog->fwWorkList->sortByColumn(0, Qt::AscendingOrder);
}

/*
 * Rebuild install_fw_list from the rows whose "Install" checkbox is set
 * and record its initial size in install_list_initial_size.
 */
void instDialog::fillInstallOpList()
{
    if (fwbdebug) qDebug("instDialog::fillInstallOpList");

    install_fw_list.clear();

    QTreeWidgetItemIterator it(m_dialog->selectTable);
    while (*it)
    {
        if ((*it)->checkState(INSTALL_CHECKBOX_COLUMN))
        {
            int obj_id = (*it)->data(0, Qt::UserRole).toInt();
            FWObject *o = project->db()->findInIndex(obj_id);
            install_fw_list.push_back(Firewall::cast(o));
            if (fwbdebug)
                qDebug("fillInstallOpList: Install requested for %s",
                       o->getName().c_str());
        }
        ++it;
    }
    install_list_initial_size = install_fw_list.size();
}

/*
 * Populate the work list widget (fwWorkList) with one item per firewall in
 * install_fw_list and register each in opListMapping by object id.
 * (Body continues past this block.)
 */
void instDialog::fillInstallUIList()
{
    if (fwbdebug) qDebug("instDialog::fillInstallUIList");

    m_dialog->fwWorkList->clear();
    opListMapping.clear();

    Firewall * f;
    InstallFirewallViewItem * item;
 list::iterator i;
    for(i=install_fw_list.begin(); i!=install_fw_list.end(); ++i)
    {
        f = (*i);
        item = new InstallFirewallViewItem(
            NULL,
            QString::fromUtf8(f->getName().c_str()),
            false);
        // NOTE(review): unlike fillCompileUIList(), the object id is not
        // stored as item data here. findFirewallInCompileLog() only uses the
        // item text, so this may be intentional — confirm.
        m_dialog->fwWorkList->insertTopLevelItem(0, item);
        opListMapping[f->getId()] = item;
    }
    m_dialog->fwWorkList->resizeColumnToContents(0);
    m_dialog->fwWorkList->sortByColumn(0, Qt::AscendingOrder);
}

/*
 * Slot for itemActivated on the work list: scroll the process log to the
 * most recent section for the firewall named by the clicked item. Searches
 * backwards from the end of the log for currentSearchString followed by the
 * firewall name (whole words, case sensitive).
 */
void instDialog::findFirewallInCompileLog(QTreeWidgetItem* item)
{
    if (fwbdebug) qDebug("instDialog::findFirewallInCompileLog");

    m_dialog->detailMCframe->show();
    qApp->processEvents();
    QString fw_name = item->text(0);

    m_dialog->procLogDisplay->moveCursor( QTextCursor::End );
    m_dialog->procLogDisplay->find(currentSearchString + fw_name,
                                   QTextDocument::FindWholeWords |
                                   QTextDocument::FindCaseSensitively |
                                   QTextDocument::FindBackward);
}

/*
 * Slot for itemChanged on the selection table. Both arguments are ignored;
 * the wizard's "Next" button is refreshed via setNextEnabled() from
 * tableHasCheckedItems(). Suppressed while the table is being (re)built
 * (creatingTable), since every row insertion would fire this slot.
 */
void instDialog::tableItemChanged(QTreeWidgetItem*, int)
{
    if (!creatingTable)
        setNextEnabled(0, tableHasCheckedItems());
}

/* True if at least one row has its "Compile" or "Install" checkbox set. */
bool instDialog::tableHasCheckedItems()
{
    QTreeWidgetItemIterator it(m_dialog->selectTable);
    while (*it)
    {
        if ((*it)->checkState(COMPILE_CHECKBOX_COLUMN) ||
            (*it)->checkState(INSTALL_CHECKBOX_COLUMN))
            return true;
        ++it;
    }
    return false;
}

/*
 * getInstOptions() fills attributes of the cnf object
 *
 * Precedence, lowest to highest: global settings
 * (readInstallerOptionsFromSettings()), the firewall object's own options
 * (readInstallerOptionsFromFirewallObject()), then what the user entered in
 * the install options dialog (readInstallerOptionsFromDialog()), which is
 * also where the credentials cnf.user / cnf.pwd / cnf.epwd come from.
 *
 * Returns false when the user rejected the dialog, clicked "Cancel All"
 * (canceledAll is set so the caller can stop the whole batch), or when
 * verifyManagementAddress() fails.
 */
bool instDialog::getInstOptions(Firewall *fw, bool installing_many_firewalls)
{
    if (fwbdebug)
        qDebug() << "instDialog::getInstOptions() begin"
                 << "cnf.user=" << cnf.user
                 << "cnf.maddr=" << cnf.maddr
                 << "fw=" << fw;

    cnf.fwobj = fw;

    readInstallerOptionsFromSettings();
    readInstallerOptionsFromFirewallObject(fw);

    if (inst_opt_dlg && inst_opt_dlg->m_dialog->batchInstall->isChecked())
    {
        // in batch install mode we use the same dialog to fill cnf
        // without showing it to the user again
        readInstallerOptionsFromDialog(fw, inst_opt_dlg);
    }
    else
    {
        // In non-batch mode installer options from the dialog
        // overwrite options set in the fw object itself.
        if (inst_opt_dlg) delete inst_opt_dlg;

        inst_opt_dlg = new instOptionsDialog(this, &cnf, installing_many_firewalls);

        int resultCode = inst_opt_dlg->exec();
        // 0 - rejected
        // 1 - accepted
        // -1 - cancel all clicked (instOptionsDialog::cancelAll() calls done(-1))
        if (resultCode == -1)
        {
            canceledAll = true;
            delete inst_opt_dlg;
            inst_opt_dlg = NULL;
            return false;
        }
        if (resultCode == QDialog::Rejected)
        {
            delete inst_opt_dlg;
            inst_opt_dlg = NULL;
            return false;
        }
        readInstallerOptionsFromDialog(fw, inst_opt_dlg);
        inst_opt_dlg->close();
        // do not delete the dialog because we may need to get data from it again if
        // in batch install mode.
        // Note that this keeps the dialog, including its password fields,
        // alive in memory until it is deleted on a later call.
        //inst_opt_dlg->deleteLater();
    }

    if (fwbdebug)
        qDebug() << "instDialog::getInstOptions() end"
                 << "cnf.user=" << cnf.user
                 << "cnf.maddr=" << cnf.maddr;

    return verifyManagementAddress();
}

/*
 * Seed the installer flags in cnf from the persistent application settings
 * (the "Installer" group under SETTINGS_PATH_PREFIX). Only boolean flags are
 * read here; credentials and addresses come from the object and the dialog.
 * fwb_prompt is (re)initialised here too; where it is consumed is not
 * visible in this block.
 */
void instDialog::readInstallerOptionsFromSettings()
{
    if (fwbdebug) qDebug("instDialog::readInstallerOptionsFromSettings");

    fwb_prompt="--**--**--";

    cnf.save_diff = st->value(SETTINGS_PATH_PREFIX"/Installer/savediff").toBool();
    cnf.saveStandby = st->value(SETTINGS_PATH_PREFIX"/Installer/saveStandby").toBool();
    cnf.dry_run = st->value(SETTINGS_PATH_PREFIX"/Installer/dryrun").toBool();
    cnf.quiet = st->value(SETTINGS_PATH_PREFIX"/Installer/quiet").toBool();
    cnf.verbose = st->value(SETTINGS_PATH_PREFIX"/Installer/verbose" ).toBool();
    cnf.stripComments = st->value(SETTINGS_PATH_PREFIX"/Installer/stripComments").toBool();
    cnf.compressScript = st->value(SETTINGS_PATH_PREFIX"/Installer/compressScript").toBool();
    cnf.copyFWB = st->value(SETTINGS_PATH_PREFIX"/Installer/copyFWB").toBool();
}

/*
 * Fill cnf from the firewall object's own options (admin user, management
 * or alternative address, install directory, diff program, ssh/scp args,
 * activation command). Does nothing when fw is NULL.
 * (Body continues past this block.)
 */
void instDialog::readInstallerOptionsFromFirewallObject(Firewall *fw)
{
    if (fwbdebug)
        qDebug() << "instDialog::readInstallerOptionsFromFirewallObject"
                 << "fw=" << fw
                 << QString( (fw) ?
QString::fromUtf8(fw->getName().c_str()) : ""); FWOptions *fwopt = NULL; if (fw) { fwopt = fw->getOptionsObject(); string platform = cnf.fwobj->getStr("platform"); string host_OS = cnf.fwobj->getStr("host_OS"); cnf.user = fwopt->getStr("admUser").c_str(); QString standard_management_addr; // Note that Host::getManagementAddress() scans interfaces and // finds one marked as "management" and takes its address. // It does not use Management child object. const InetAddr *mgmt_addr = cnf.fwobj->getManagementAddress(); if (mgmt_addr) standard_management_addr = mgmt_addr->toString().c_str(); else standard_management_addr = ""; QString aaddr = fwopt->getStr("altAddress").c_str(); if (fwbdebug) qDebug() << " standard_management_addr=" << standard_management_addr << "aaddr=" << aaddr; if (!aaddr.isEmpty()) cnf.maddr = aaddr; else cnf.maddr = standard_management_addr; cnf.putty_session = ""; #ifdef _WIN32 /* * See #1724. There is a problem with pscp.exe and putty * sessions. Plink.exe accepts session name in place of the host name * on the command line, but pscp.exe does not. We ask user to enter * session name in the "alternative name or address to use to * communicate with the firewall" input field in the "Installer" tab * of the firewall settings dialog and then use it in place of the * host name in the command line for pscp.exe and plink.exe. This * works with plink.exe but breaks pscp.exe which interprets it as a * host name and fails with an error ""ssh_init: Host does not exist". 
* * Will try to determine if what user entered in the "alternative host * or address field" is a session name and use different command line * for pscp.exe * * * HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ */ QSettings putty_reg(QSettings::UserScope, "SimonTatham", "PuTTY\\Sessions"); QStringList sessions = putty_reg.childGroups(); if (fwbdebug) { qDebug() << putty_reg.fileName(); qDebug() << "found " << sessions.size() << " putty sessions"; foreach(QString key, sessions) { qDebug() << "putty session " << key; } } if (sessions.contains(aaddr)) { if (fwbdebug) qDebug() << "Found matching putty session" << aaddr; cnf.maddr = standard_management_addr; cnf.putty_session = aaddr; } #endif /* * if user requested test run, store firewall script in a temp * file. Always store it in a temp file on linksys */ QString s; /* user_can_change_install_dir */ bool uccid = Resources::getTargetOptionBool( host_OS, "user_can_change_install_dir"); if (uccid) s = fwopt->getStr("firewall_dir").c_str(); if (s.isEmpty()) s = Resources::getTargetOptionStr( host_OS, "activation/fwdir").c_str(); cnf.fwdir = s; /* * Generated files should be saved in the same directory where * the .fwb file is located, except if user specified full path * in the advaced settings dialog. 
 */
        cnf.script = FirewallInstaller::getGeneratedFileFullPath(fw);
        // cnf.script = FirewallInstaller::getGeneratedFileName(fw);
        cnf.remote_script = "";   // filled in FirewallInstaller::readManifest()
        cnf.fwbfile = project->db()->getFileName().c_str();
        cnf.wdir = getFileDir( project->getRCS()->getFileName() );
        cnf.diff_file = QString(cnf.fwobj->getName().c_str())+".diff";
        // NOTE(review): platform_res is indexed by the object's "platform"
        // string with no presence check; an unknown platform string would
        // dereference a missing entry — confirm it is validated upstream.
        cnf.diff_pgm = Resources::platform_res[platform]->
            getResourceStr("/FWBuilderResources/Target/diff").c_str();
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        cnf.diff_pgm = getPathToBinary(
            cnf.diff_pgm.toAscii().constData()).c_str();
#else
        cnf.diff_pgm = getPathToBinary(
            cnf.diff_pgm.toLatin1().constData()).c_str();
#endif
#ifdef _WIN32
        cnf.diff_pgm = cnf.diff_pgm + ".exe";
#endif

        // Free-form arguments and commands taken verbatim from the object;
        // they are passed through to ssh/scp and the activation step.
        cnf.sshArgs = fwopt->getStr("sshArgs").c_str();
        cnf.scpArgs = fwopt->getStr("scpArgs").c_str();
        cnf.useSCPForRouter = fwopt->getBool("use_scp");
        cnf.useNXOSSession = fwopt->getBool("use_nxos_session");
        cnf.activationCmd = fwopt->getStr("activationCmd").c_str();

        if (fwbdebug)
        {
            qDebug("platform: %s", platform.c_str());
            qDebug("host_OS: %s", host_OS.c_str());
            qDebug("user_can_change_install_dir=%d", uccid);
            qDebug("firewall_dir='%s'", fwopt->getStr("firewall_dir").c_str());
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
            qDebug("management address: %s", cnf.maddr.toAscii().constData());
            qDebug("cnf.fwdir='%s'", cnf.fwdir.toAscii().constData());
            qDebug("activationCmd='%s'", cnf.activationCmd.toAscii().constData());
#else
            qDebug("management address: %s", cnf.maddr.toLatin1().constData());
            qDebug("cnf.fwdir='%s'", cnf.fwdir.toLatin1().constData());
            qDebug("activationCmd='%s'", cnf.activationCmd.toLatin1().constData());
#endif
        }
    }
}

/*
 * Copy the user's choices from the install options dialog into cnf.
 *
 * This is where the installer's credentials come from: cnf.user is the
 * dialog's user name field, falling back to the object's "admUser" option
 * when the field is blank; cnf.pwd and cnf.epwd are taken verbatim from the
 * two password fields. dlg->savePassword() then keeps or drops them in
 * mw->passwords for the session according to the "remember" checkbox, and
 * storeInstallerOptions() (not shown here) is called last.
 *
 * The alternative address is honoured only outside batch mode, matching
 * instOptionsDialog::batchInstallStateChange() which clears that field.
 */
void instDialog::readInstallerOptionsFromDialog(Firewall *fw,
                                                instOptionsDialog *dlg)
{
    if (fwbdebug)
        qDebug() << "instDialog::readInstallerOptionsFromDialog"
                 << "fw=" << fw;

    QString adm_user;
    FWOptions *fwopt = NULL;
    if (fw)
    {
        // cnf.fwobj was assigned from fw in getInstOptions().
        fwopt = cnf.fwobj->getOptionsObject();
        adm_user = fwopt->getStr("admUser").c_str();
    }

    cnf.batchInstall = dlg->m_dialog->batchInstall->isChecked();
    cnf.dry_run = dlg->m_dialog->test->isChecked();
    cnf.backup_file = dlg->m_dialog->backupConfigFile->text();
    cnf.backup = !cnf.backup_file.isEmpty();
    cnf.save_diff = dlg->m_dialog->saveDiff->isChecked();
    cnf.saveStandby = dlg->m_dialog->saveStandby->isChecked();

    /* Alternative address:
       - first, check dialog. User could have overridden it using dialog
       - then check firewall options, user could have set it in the "Install"
         tab of firewall settings dialog
       - last, if all overrides are empty, take it from the management interface
       - ignore alternative address if in batch mode
    */
    if ( ! cnf.batchInstall)
    {
        QString aaddr = dlg->m_dialog->altAddress->text();
        if (!aaddr.isEmpty())
        {
            /* alternative address can also be putty session name. In any case,
             * leave it up to ssh to resolve it and signal an error if it can't be
             * resolved ( Putty session name does not have to be in DNS at all ).
             */
            cnf.maddr = aaddr;
            if (fwbdebug)
                qDebug() << "alternative addr:" << aaddr;
        }
    }

    // user name set in the dialog overrides that set in the fw object
    // But the dialog user name input field can be left blank, in which
    // case we use the one configured in the object
    if (!adm_user.isEmpty()) cnf.user = adm_user;
    if (!dlg->m_dialog->uname->text().isEmpty())
        cnf.user = dlg->m_dialog->uname->text();

    cnf.pwd = dlg->m_dialog->pwd->text();
    cnf.epwd = dlg->m_dialog->epwd->text();
    cnf.quiet = dlg->m_dialog->quiet->isChecked();
    cnf.verbose = dlg->m_dialog->verbose->isChecked();
    cnf.stripComments = dlg->m_dialog->stripComments->isChecked();
    cnf.compressScript= dlg->m_dialog->compressScript->isChecked();
    cnf.copyFWB = dlg->m_dialog->copyFWB->isChecked();

    dlg->savePassword();
    storeInstallerOptions();
}

/*
 * Sanity-check the address the installer is about to connect to.
 *
 * The interface checks run only when no address is known at all (cnf.maddr
 * empty) and no PuTTY session name was substituted for it; an alternative
 * address supplied by the user bypasses them entirely (it is left to ssh to
 * resolve, see readInstallerOptionsFromDialog()). Each failure is reported
 * in a modal message box and echoed to the process log.
 *
 * Returns true when no problem was detected.
 */
bool instDialog::verifyManagementAddress()
{
    /* check for a common error when none or multiple interfaces are marked as
     * 'management'
     */
    if (cnf.maddr.isEmpty() && cnf.putty_session.isEmpty() && cnf.fwobj)
    {
        int nmi = 0;
        list ll = cnf.fwobj->getByTypeDeep(Interface::TYPENAME);
        for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++)
        {
            Interface *intf = Interface::cast( *i );
            if (intf->isManagement()) nmi++;
        }

        if (nmi>1)
        {
            QString err = QObject::tr("Only one interface of the firewall '%1' "
                                      "must be marked as management interface.\n")
                .arg(QString::fromUtf8(cnf.fwobj->getName().c_str()));
            QMessageBox::critical(this, "Firewall Builder", err,
                                  tr("&Continue") );
            addToLog(err);
            return false;
        }

        if (nmi==0)
        {
            QString err = QObject::tr(
                "One of the interfaces of the firewall '%1' "
                "must be marked as management interface. "
                "To set the management interface, double click "
                "on the interface of the firewall that you will "
                "connect to and check the box called Management "
                "interface in the Editor panel")
                .arg(QString::fromUtf8(cnf.fwobj->getName().c_str()));
            QMessageBox::critical(this, "Firewall Builder", err,
                                  tr("&Continue") );
            addToLog(err);
            return false;
        }

        // Reached with exactly one management interface. Given the enclosing
        // condition cnf.maddr is already empty, so this reports a management
        // interface that yielded no usable address.
        if (cnf.maddr == "" ||
            cnf.maddr == QString(InetAddr::getAny().toString().c_str()))
        {
            QString err = QObject::tr(
                "Management interface does not have IP address, "
                "can not communicate with the firewall.\n");
            QMessageBox::critical(this, "Firewall Builder", err,
                                  tr("&Continue") );
            addToLog(err);
            return false;
        }
    }
    return true;
}

/*
 * Slot for anchorClicked on the process log. addToLog() turns error and
 * warning lines into anchors whose href is the line text itself; here that
 * text is split on ':' and, when it has at least three parts, forwarded to
 * activateRule() (presumably firewall, rule set and rule position — the
 * signal's declaration is not visible here). Lines whose first part is
 * "Error" are ignored. parts[0] is safe before the size check because
 * QString::split() always yields at least one element.
 */
void instDialog::logItemClicked(QUrl data)
{
    QStringList parts = data.toString().split(':');
    if (parts[0] == "Error") return;
    if (parts.size()<3)
    {
        if(fwbdebug) cout << "Wrong error message clicked" << endl;
        return;
    }
    emit activateRule(project, parts[0], parts[1], parts[2].toInt());
}

/*
 * On close, kill a still-running child process and tear down the installer
 * (terminate() followed by delete). The event argument is unused; nothing
 * here touches the retained install options dialog (inst_opt_dlg).
 */
void instDialog::closeEvent(QCloseEvent *)
{
    if (fwbdebug) qDebug() << "instDialog::closeEvent";

    if (proc.state() == QProcess::Running)
    {
        if (fwbdebug) qDebug() << "instDialog::closeEvent killing process";
        proc.kill();
    }

    if (installer != NULL)
    {
        if (fwbdebug) qDebug() << "instDialog::closeEvent killing installer";
        installer->terminate();
        delete installer;
        installer = NULL;
    }
}
fwbuilder-5.3.7/src/libgui/instOptionsDialog.cpp000066400000000000000000000156301303637203600217400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "definitions.h" #include "global.h" #include "utils.h" #include "platforms.h" #include "instOptionsDialog.h" #include "instConf.h" #include "fwbuilder/Firewall.h" #include #include #include #include #include #include #include #include #include #include #include "FWBSettings.h" #include "FWWindow.h" using namespace std; using namespace libfwbuilder; instOptionsDialog::instOptionsDialog(QWidget *parent, instConf *_cnf, bool installing_many_firewalls) : QDialog(parent) { m_dialog = new Ui::instOptionsDialog_q; m_dialog->setupUi(this); cnf = _cnf; this->m_dialog->cancelAllButton->setVisible(installing_many_firewalls); int fw_id = -1; if (cnf->fwobj) { // Note cnf->fwobj == NULL during batch install fw_id = cnf->fwobj->getId(); } QString username = cnf->user; bool savePassEnabled = st->getBool("Environment/RememberSshPassEnabled"); if (savePassEnabled && !username.isEmpty()) { m_dialog->rememberPass->setEnabled(true); m_dialog->rememberPass->setChecked(true); QPair passwds = mw->passwords[qMakePair(fw_id, username)]; m_dialog->pwd->setText(passwds.first); 
m_dialog->epwd->setText(passwds.second); } else { m_dialog->rememberPass->setEnabled(false); m_dialog->rememberPass->setChecked(false); } m_dialog->pwd->setEchoMode(QLineEdit::Password); m_dialog->epwd->setEchoMode(QLineEdit::Password); m_dialog->uname->setText( cnf->user ); m_dialog->test->setChecked( cnf->dry_run ); m_dialog->backupConfigFile->setText( cnf->backup_file ); m_dialog->saveDiff->setChecked( cnf->save_diff ); m_dialog->saveStandby->setChecked( cnf->saveStandby ); if (!cnf->putty_session.isEmpty()) m_dialog->altAddress->setText( cnf->putty_session ); else m_dialog->altAddress->setText( cnf->maddr ); m_dialog->quiet->setChecked( cnf->quiet ); m_dialog->verbose->setChecked( cnf->verbose ); m_dialog->stripComments->setChecked( cnf->stripComments ); m_dialog->compressScript->setChecked( cnf->compressScript ); m_dialog->copyFWB->setChecked( cnf->copyFWB ); // If we have user name, bring focus to the password input field // if we do not have user name, focus goes to the user name field if (cnf->user.isEmpty()) m_dialog->uname->setFocus(); else m_dialog->pwd->setFocus(); // "batch install" checkbox moved from instDialog to instOptionsDialog m_dialog->batchInstallText->setEnabled(installing_many_firewalls); m_dialog->batchInstall->setEnabled(installing_many_firewalls); m_dialog->batchInstall->setChecked(false); QString fwname = QString::fromUtf8(cnf->fwobj->getName().c_str()); m_dialog->dialogTitleLine->setText( QString("

")+ tr("Install options for firewall '%1'").arg(fwname)+ QString("

") ); QString platform = cnf->fwobj->getStr("platform").c_str(); string version = cnf->fwobj->getStr("version"); if (platform=="pix" || platform=="fwsm" || platform=="iosacl" || platform=="nxosacl" || platform=="procurve_acl" ) { m_dialog->copyFWB->hide(); m_dialog->PIXgroupBox->hide(); } else if (platform=="junosacl") { m_dialog->copyFWB->hide(); m_dialog->PIXgroupBox->hide(); m_dialog->epwd->hide(); m_dialog->epwdLbl->hide(); } else { m_dialog->epwd->hide(); m_dialog->epwdLbl->hide(); m_dialog->PIXgroupBox->hide(); m_dialog->test->hide(); // dry run option } /* hide anyway, diff does not work for pix 6.3(3) */ m_dialog->saveDiff->hide(); m_dialog->stripComments->hide(); m_dialog->compressScript->hide(); m_dialog->PIXgroupBox->adjustSize(); //m_dialog->generalOptionsBox->adjustSize(); m_dialog->mainBox->adjustSize(); adjustSize(); if (fwbdebug) { QSize sz = sizeHint(); qDebug() << QString("instOptionsDialog: sizeHint: %1x%2") .arg(sz.width()).arg(sz.height()); sz = minimumSizeHint(); qDebug() << QString("instOptionsDialog: minimumSizeHint: %1x%2") .arg(sz.width()).arg(sz.height()); QRect bfr; bfr = m_dialog->titleFrame->geometry(); qDebug() << QString("instOptionsDialog: titleFrame: top=%1 bottom=%2") .arg(bfr.top()).arg(bfr.bottom()); bfr = m_dialog->buttonsFrame->geometry(); qDebug() << QString("instOptionsDialog: buttonsFrame: top=%1 bottom=%2") .arg(bfr.top()).arg(bfr.bottom()); } //resize( minimumSizeHint() ); //adjustSize(); //dlg->setFixedHeight( dlg->minimumSizeHint().height() ); } void instOptionsDialog::savePassword() { int fw_id = -1; if (cnf->fwobj) { // Note cnf->fwobj == NULL during batch install fw_id = cnf->fwobj->getId(); } if ( m_dialog->rememberPass->isChecked() ) mw->passwords[qMakePair(fw_id, m_dialog->uname->text())] = qMakePair(m_dialog->pwd->text(), m_dialog->epwd->text()); else mw->passwords.remove(qMakePair(fw_id, m_dialog->uname->text())); st->setBool("Environment/RememberSshPass", m_dialog->rememberPass->isChecked()); } 
instOptionsDialog::~instOptionsDialog()
{
    delete m_dialog;
}

/* Accessors returning the credential fields as currently typed in the dialog. */
QString instOptionsDialog::getUName()
{
    return m_dialog->uname->text();
}

QString instOptionsDialog::getPWD()
{
    return m_dialog->pwd->text();
}

/* "Enable" password field; the constructor shows it only for the platforms
 * listed there and hides it otherwise. */
QString instOptionsDialog::getEPWD()
{
    return m_dialog->epwd->text();
}

/* "Cancel All" button: finish the dialog with result -1, which the caller
 * (instDialog::getInstOptions()) distinguishes from QDialog::Rejected. */
void instOptionsDialog::cancelAll()
{
    this->done(-1);
}

/* Slot for the "batch install" checkbox. In batch mode the alternative
 * address field is cleared and disabled, consistent with
 * instDialog::readInstallerOptionsFromDialog() ignoring it in that mode;
 * unchecking re-enables the field. */
void instOptionsDialog::batchInstallStateChange()
{
    if (m_dialog->batchInstall->isChecked())
    {
        m_dialog->altAddress->setText("");
        m_dialog->altAddressLabel->setEnabled(false);
        m_dialog->altAddress->setEnabled(false);
    }
    else
    {
        m_dialog->altAddressLabel->setEnabled(true);
        m_dialog->altAddress->setEnabled(true);
    }
}
fwbuilder-5.3.7/src/libgui/instOptionsDialog.h000066400000000000000000000026501303637203600214030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Illiya Yalovoy $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __INSTOPTIONSDIALOG_H_ #define __INSTOPTIONSDIALOG_H_ #include "config.h" #include class instConf; class instOptionsDialog : public QDialog { Q_OBJECT; private: int delta_y; instConf *cnf; public: instOptionsDialog(QWidget *parent, instConf *_cnf, bool installing_many_firewalls = true); ~instOptionsDialog(); void savePassword(); QString getUName(); QString getPWD(); QString getEPWD(); Ui::instOptionsDialog_q *m_dialog; public slots: void cancelAll(); void batchInstallStateChange(); }; #endif fwbuilder-5.3.7/src/libgui/instdialog_q.ui000066400000000000000000000540141303637203600205760ustar00rootroot00000000000000 instDialog_q 0 0 871 622 0 0 true 0 0 0 25 Sans Serif 14 75 false true TextLabel Qt::AlignCenter 0 0 1 0 0 Qt::LeftToRight 0 0 QFrame::Box QFrame::Plain 11 <p align="center"><b><font size="+2">Select firewalls to compile and install.</font></b></p> false true 0 0 QFrame::Box QFrame::Plain warning text goes here true warning text goes here true 0 0 QFrame::Box QFrame::Plain QFrame::Box QFrame::Plain 11 Qt::Horizontal QSizePolicy::Expanding 100 20 Select all Select none true QAbstractItemView::NoSelection Firewall Compile Install Last Modified Last Compiled Last Installed 0 QFrame::Box QFrame::Plain 11 Stop Qt::Horizontal QSizePolicy::Expanding 112 20 true false true Firewall Progress 1 0 QFrame::Box QFrame::Plain Firewalls: false 0 0 75 true firewall false 300 0 Qt::Horizontal 0 0 75 true current operation here false 300 0 Qt::Horizontal Process log 0 false Qt::Horizontal QSizePolicy::Expanding 131 20 Save log to file Inspect generated files Qt::Vertical QSizePolicy::Expanding 16 210 0 0 QFrame::NoFrame QFrame::Plain 0 1 0 400 50 QFrame::StyledPanel QFrame::Raised Qt::Horizontal 40 20 < &Back false &Next > true true false &Finish true false &Cancel false saveMCLogButton clicked(bool) instDialog_q 
saveLog() 630 230 20 20 fwWorkList itemActivated(QTreeWidgetItem*, int) instDialog_q findFirewallInCompileLog(QTreeWidgetItem*) 40 69 20 20 pushButton16 clicked(bool) instDialog_q selectAllFirewalls() 43 493 20 20 pushButton17 clicked(bool) instDialog_q deselectAllFirewalls() 93 493 20 20 selectTable itemChanged(QTreeWidgetItem*,int) instDialog_q tableItemChanged(QTreeWidgetItem*,int) 389 319 389 288 procLogDisplay anchorClicked(QUrl) instDialog_q logItemClicked(QUrl) 706 264 778 269 inspectGeneratedFiles clicked() instDialog_q inspectFiles() 638 579 463 375 tableItemChanged(QTreeWidgetItem*,int) logItemClicked(QUrl) inspectFiles() fwbuilder-5.3.7/src/libgui/instoptionsdialog_q.ui000066400000000000000000000373561303637203600222240ustar00rootroot00000000000000 instOptionsDialog_q 0 0 604 662 0 0 32767 32767 Qt::StrongFocus Install options false 0 0 32767 32767 QFrame::NoFrame QFrame::Plain <p align="center"><b><font size="+2">Install options for firewall '%1'</font></b></p> false 0 0 QFrame::NoFrame QFrame::Plain 0 0 500 50 QFrame::NoFrame QFrame::Plain 0 0 User name: false Qt::Horizontal QSizePolicy::Expanding 20 22 Password or passphrase: false Enable password: false Remember passwords for the duration of the session (passwords are never stored permanently). To enable this option turn it on in Preferences and configure user name used to authenticate to the firewall in the "advanced" settings dialog of the firewall object. Qt::LeftToRight Remember passwords Check this option if you want to install all remaining firewalls automatically using the same user name, password and other parameters. This only works if you use the same user name and password to authenticate to all these firewalls. 
Qt::AlignVCenter true 0 0 Perform batch install 0 0 false 12 Write configuration to standby PIX Store configuration diff in a file 0 0 0 0 Make a backup copy of the firewall configuration in this file: Qt::AlignVCenter true 0 0 Address that will be used to communicate with the firewall: Qt::AlignVCenter true 200 0 32767 32767 Dry run (commands won't be executed on the firewall) Quiet install: do not print anything as commands are executed on the firewall Verbose: print all commands as they are executed on the firewall Remove comments from configuration Compress script Store a copy of fwb file on the firewall Qt::Vertical 568 37 frame15 PIXgroupBox altAddressLabel altAddress batchInstallText batchInstall copyFWB quiet compressScript test stripComments verbose backupConfigFileLbl backupConfigFile saveDiff saveStandby 0 0 32767 32767 QFrame::NoFrame QFrame::Plain Qt::Horizontal 310 20 Install Cancel Cancel All uname pwd epwd rememberPass backupConfigFile saveDiff saveStandby altAddress okButton cancelButton cancelAllButton okButton clicked() instOptionsDialog_q accept() 262 702 20 20 cancelButton clicked() instOptionsDialog_q reject() 433 702 20 20 cancelAllButton clicked() instOptionsDialog_q cancelAll() 542 809 307 420 batchInstall stateChanged(int) instOptionsDialog_q batchInstallStateChange() 301 573 301 347 cancelAll() testModeToggled() batchInstallStateChange() fwbuilder-5.3.7/src/libgui/interfacedialog_q.ui000066400000000000000000000351451303637203600215650ustar00rootroot00000000000000 InterfaceDialog_q true 0 0 1017 344 0 0 Interface 12 0 0 QFrame::Box QFrame::Sunken 12 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken 0 0 Name: false 1 0 200 23 0 0 Label: false 0 0 200 23 0 0 0 0 Security level: false 0 0 0 0 <p>Each interface of the firewall must have security level associated with it.<br>Security level can be any number between 0 and 100, 0 being least secure and 100 being most secure levels. 
Interface with security level 0 ususally serves Internet connection.</p> <p>Each interface of the firewall must have security level associated with it.<br> Security level can be any number between 0 and 100, 0 being least secure and 100 being most secure levels. Interface with security level 0 ususally serves Internet connection.</p> QAbstractSpinBox::PlusMinus 100 0 0 Network zone: false 0 0 0 26 <p>Network zone consists of hosts and networks that can be reached through this interface of the firewall. Subnet to which this interface is directly attached must be part of its network zone. Other subnets reachable by means of routing should alse be added to the network zone. <br> If network zone for this interface consists of only one subnet, you can simply choose that network's object in the pull-down below. If your network zone should include multiple subnets, you need to create an Object Group, then put all hosts and networks which are going to be part of the network zone into that group and finally choose this group in the pull-down below.</p> <p>Network zone consists of hosts and networks that can be reached through this interface of the firewall. Subnet to which this interface is directly attached must be part of its network zone. Other subnets reachable by means of routing should alse be added to the network zone. <br> If network zone for this interface consists of only one subnet, you can simply choose that network's object in the pull-down below. 
If your network zone should include multiple subnets, you need to create an Object Group, then put all hosts and networks which are going to be part of the network zone into that group and finally choose this group in the pull-down below.</p> Qt::Vertical 20 70 0 0 250 0 false <p>Check if this interface is used for management (SNMP queries, remote policy install etc.)<p> Management interface Skip this interface while assigning policy rules Unprotected interface Dedicated failover interface Static IP address Address is assigned dynamically Unnumbered interface 0 0 Bridge Port Interface Qt::AlignCenter Advanced Interface Settings ... Qt::Vertical 20 40 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name label seclevel management regular dynamic unnumbered advancedconfig clicked() InterfaceDialog_q openIfaceDialog() 428 232 428 133 changed()
fwbuilder-5.3.7/src/libgui/iosAdvancedDialog.cpp000066400000000000000000000050661303637203600216310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "iosAdvancedDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; iosAdvancedDialog::~iosAdvancedDialog() { delete m_dialog; } iosAdvancedDialog::iosAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::iosAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); /* Page "General" */ data.registerOption( m_dialog->ios_set_host_name , fwoptions, "ios_set_host_name" ); data.registerOption( m_dialog->ios_ip_address , fwoptions, "ios_ip_address" ); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void iosAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new 
FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); data.saveAll(fwoptions); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void iosAdvancedDialog::reject() { QDialog::reject(); } fwbuilder-5.3.7/src/libgui/iosAdvancedDialog.h000066400000000000000000000026141303637203600212720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IOSADVANCEDDIALOG_H_ #define __IOSADVANCEDDIALOG_H_ #include #include "DialogData.h" namespace libfwbuilder { class FWObject; }; class iosAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::iosAdvancedDialog_q*m_dialog; public: iosAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~iosAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); public slots: }; #endif // __IOSADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/iosaclAdvancedDialog.cpp000066400000000000000000000303711303637203600223060ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "iosaclAdvancedDialog.h" #include "SimpleTextEditor.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Interface.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; iosaclAdvancedDialog::~iosaclAdvancedDialog() { delete m_dialog; } iosaclAdvancedDialog::iosaclAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::iosaclAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); string vers="version_"+obj->getStr("version"); string platform = obj->getStr("platform"); // should be 'iosacl' QString s; QStringList logLevels; QStringList logLevelMapping; logLevelMapping.push_back(""); logLevelMapping.push_back(""); /* filling pop-down menu and pushing the same strings to the mapping * list at the same time so we could use translation */ s=QObject::tr("0 - System Unusable"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("0"); s=QObject::tr("1 - Take Immediate Action"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("1"); s=QObject::tr("2 - Critical Condition"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("2"); s=QObject::tr("3 - Error Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("3"); s=QObject::tr("4 - Warning Message"); logLevels.push_back(s); 
logLevelMapping.push_back(s); logLevelMapping.push_back("4"); s=QObject::tr("5 - Normal but significant condition"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("5"); s=QObject::tr("6 - Informational"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("6"); s=QObject::tr("7 - Debug Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("7"); /* do not need to translate syslog facilities, but will use the same * method just in case */ QStringList syslogFacilities; QStringList syslogFacilityMapping; syslogFacilities.push_back(""); syslogFacilityMapping.push_back(""); syslogFacilityMapping.push_back(""); syslogFacilities.push_back("LOCAL0"); syslogFacilityMapping.push_back("LOCAL0"); syslogFacilityMapping.push_back("16"); syslogFacilities.push_back("LOCAL1"); syslogFacilityMapping.push_back("LOCAL1"); syslogFacilityMapping.push_back("17"); syslogFacilities.push_back("LOCAL2"); syslogFacilityMapping.push_back("LOCAL2"); syslogFacilityMapping.push_back("18"); syslogFacilities.push_back("LOCAL3"); syslogFacilityMapping.push_back("LOCAL3"); syslogFacilityMapping.push_back("19"); syslogFacilities.push_back("LOCAL4"); syslogFacilityMapping.push_back("LOCAL4"); syslogFacilityMapping.push_back("20"); syslogFacilities.push_back("LOCAL5"); syslogFacilityMapping.push_back("LOCAL5"); syslogFacilityMapping.push_back("21"); syslogFacilities.push_back("LOCAL6"); syslogFacilityMapping.push_back("LOCAL6"); syslogFacilityMapping.push_back("22"); syslogFacilities.push_back("LOCAL7"); syslogFacilityMapping.push_back("LOCAL7"); syslogFacilityMapping.push_back("23"); bool f1=fwoptions->getBool("iosacl_acl_basic"); bool f2=fwoptions->getBool("iosacl_acl_no_clear"); bool f3=fwoptions->getBool("iosacl_acl_substitution"); bool f4=fwoptions->getBool("iosacl_add_clear_statements"); /* * If none of the new iosacl_acl_* options is set and old iosacl_add_clear_statements * option is true, set 
iosacl_acl_basic to true. * * If old option iosacl_add_clear_statements iss false, set * iosacl_acl_no_clear to true */ if (!f1 && !f2 && !f3) { if ( f4 ) fwoptions->setBool("iosacl_acl_basic",true); else fwoptions->setBool("iosacl_acl_no_clear",true); } Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); data.registerOption(m_dialog->ipv4before_2, fwoptions, "ipv4_6_order", QStringList() << tr("IPv4 before IPv6") << "ipv4_first" << tr("IPv6 before IPv4") << "ipv6_first" ); /* Page "Compiler Options" */ data.registerOption( m_dialog->outputFileName, fwoptions, "output_file" ); data.registerOption( m_dialog->iosacl_acl_basic, fwoptions, "iosacl_acl_basic" ); data.registerOption( m_dialog->iosacl_use_object_groups, fwoptions, "iosacl_use_object_groups" ); /* data.registerOption( m_dialog->iosacl_acl_alwaysNew, fwoptions, "iosacl_acl_always_new" ); */ data.registerOption( m_dialog->iosacl_acl_no_clear, fwoptions, "iosacl_acl_no_clear" ); data.registerOption( m_dialog->iosacl_acl_substitution, fwoptions, "iosacl_acl_substitution" ); data.registerOption( m_dialog->iosacl_acl_temp_addr, fwoptions, "iosacl_acl_temp_addr" ); data.registerOption( m_dialog->iosacl_include_comments, fwoptions, "iosacl_include_comments" ); data.registerOption( m_dialog->iosacl_use_acl_remarks, fwoptions, "iosacl_use_acl_remarks" ); data.registerOption( m_dialog->iosacl_regroup_commands, fwoptions, "iosacl_regroup_commands" ); data.registerOption( m_dialog->iosacl_check_shadowing, fwoptions, "check_shading" ); data.registerOption( m_dialog->iosacl_ignore_empty_groups, fwoptions, "ignore_empty_groups" ); data.registerOption( m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh" ); data.registerOption( m_dialog->mgmt_addr, fwoptions, "mgmt_addr" ); /* page Installer */ data.registerOption( m_dialog->user, fwoptions, "admUser"); data.registerOption( m_dialog->altAddress, fwoptions, "altAddress"); data.registerOption( m_dialog->sshArgs, fwoptions, "sshArgs"); data.registerOption( 
m_dialog->scpArgs, fwoptions, "scpArgs"); data.registerOption( m_dialog->use_scp, fwoptions, "use_scp"); data.registerOption( m_dialog->filesystem, fwoptions, "filesystem"); data.registerOption( m_dialog->filesystem, fwoptions, "firewall_dir"); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); m_dialog->installScript->setText(pis->getCommand().c_str() ); m_dialog->installScriptArgs->setText( pis->getArguments().c_str() ); /* page "Prolog/Epilog" */ data.registerOption( m_dialog->iosacl_prolog_script, fwoptions, "iosacl_prolog_script" ); data.registerOption( m_dialog->iosacl_epilog_script, fwoptions, "iosacl_epilog_script" ); /* page Logging */ data.registerOption(m_dialog->generate_logging_commands, fwoptions, "iosacl_generate_logging_commands"); data.registerOption(m_dialog->syslog_host, fwoptions, "iosacl_syslog_host"); m_dialog->syslog_facility->clear(); m_dialog->syslog_facility->addItems( syslogFacilities ); data.registerOption( m_dialog->syslog_facility, fwoptions, "iosacl_syslog_facility", syslogFacilityMapping); m_dialog->logging_trap_level->clear(); m_dialog->logging_trap_level->addItems(logLevels); data.registerOption( m_dialog->logging_trap_level, fwoptions, "iosacl_logging_trap_level", logLevelMapping); data.registerOption(m_dialog->logging_timestamp, fwoptions, "iosacl_logging_timestamp"); data.registerOption(m_dialog->logging_buffered, fwoptions, "iosacl_logging_buffered"); m_dialog->logging_buffered_level->clear(); m_dialog->logging_buffered_level->addItems(logLevels); data.registerOption( m_dialog->logging_buffered_level, fwoptions, "iosacl_logging_buffered_level", logLevelMapping); data.registerOption(m_dialog->logging_console, fwoptions, "iosacl_logging_console"); m_dialog->logging_console_level->clear(); m_dialog->logging_console_level->addItems(logLevels); data.registerOption( m_dialog->logging_console_level,fwoptions, "iosacl_logging_console_level", logLevelMapping); data.loadAll(); scriptACLModeChanged(); toggleGenerateLogging(); 
m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void iosaclAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* options = Firewall::cast(new_state)->getOptionsObject(); assert(options!=NULL); Management *mgmt = (Firewall::cast(new_state))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(options); const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress(); if (mgmt_addr) mgmt->setAddress(*mgmt_addr); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); pis->setCommand( m_dialog->installScript->text().toLatin1().constData() ); pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData() ); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void iosaclAdvancedDialog::reject() { QDialog::reject(); } void iosaclAdvancedDialog::editProlog() { SimpleTextEditor edt(this, m_dialog->iosacl_prolog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->iosacl_prolog_script->setText( edt.text() ); } void iosaclAdvancedDialog::editEpilog() { SimpleTextEditor edt(this, m_dialog->iosacl_epilog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->iosacl_epilog_script->setText( edt.text() ); } void iosaclAdvancedDialog::scriptACLModeChanged() { m_dialog->iosacl_acl_temp_lbl->setEnabled( m_dialog->iosacl_acl_substitution->isChecked()); m_dialog->iosacl_acl_temp_addr->setEnabled( m_dialog->iosacl_acl_substitution->isChecked()); } void iosaclAdvancedDialog::toggleGenerateLogging() { m_dialog->syslog_controls->setEnabled( m_dialog->generate_logging_commands->isChecked()); m_dialog->other_logging_controls->setEnabled( m_dialog->generate_logging_commands->isChecked()); } 
fwbuilder-5.3.7/src/libgui/iosaclAdvancedDialog.h000066400000000000000000000032731303637203600217540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IOSACLADVANCEDDIALOG_H_ #define __IOSACLADVANCEDDIALOG_H_ #include #include "DialogData.h" #include #include class QWidget; class QSpinBox; class QComboBox; class QCheckBox; class QProcess; namespace libfwbuilder { class FWObject; }; class iosaclAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::iosaclAdvancedDialog_q *m_dialog; public: iosaclAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~iosaclAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void editProlog(); virtual void editEpilog(); virtual void scriptACLModeChanged(); virtual void toggleGenerateLogging(); }; #endif // __IOSACLADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/iosacladvanceddialog_q.ui000066400000000000000000001326411303637203600225640ustar00rootroot00000000000000 iosaclAdvancedDialog_q Qt::WindowModal true 0 0 743 600 IOS ACL Firewall Settings false 0 Compiler Options 0 0 Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw") Qt::AlignVCenter true 300 0 32767 
22 false 20 Compiler creates multiple access lists from the same policy, two for each interface: one for inbound and another for outbound. If the policy is written in a such way that no rule can possibly be associated with an interface, this interface gets no access list at all. Also, interfaces marked as "unprotected" never get access list regardless of how the policy rules are designed. Generate separate access list for each interface Compiler creates one access list and assigns it to all interfaces. Create one access list and attach it to all interfaces 0 0 Policy Compiler Options false false If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works! Ignore empty groups in rules Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. Detect rule shadowing in the policy Use object-group statements (requires IOS v12.4(20)T and later) Always permit ssh access from the management workstation with this address: true false 0 0 300 0 32767 22 Qt::Horizontal 328 20 Qt::Vertical QSizePolicy::Expanding 20 170 Script Options 20 12 20 20 0 0 20 Insert comments into generated IOSACL configuration file Comment the code Insert comments into generated IOSACL configuration file Use ACL remarks Group IOSACL commands in the script so that similar commands appear next to each other, just like IOSACL does it when you use 'show config' Group similar commands together Qt::Vertical 20 70 0 0 12 -1 Clear all access lists then install new ones. This method may interrupt access to the firewall if you manage it remotely via IPSEC tunnel. 
This is the way access lists were generated in older versions of Firewall Builder for IOSACL. Qt::AlignVCenter true iosacl_acl_basic Qt::ClickFocus Do not clear access lists and object group, just generate IOSACL commands for the new ones. Use this option if you have your own policy installation scripts. Qt::AlignVCenter true iosacl_acl_no_clear Qt::Vertical QSizePolicy::Expanding 20 20 "Safety net" method: First, create temporary access list to permit connections from the management subnet specified below to the firewall and assign it to outside interface. This temporary ACL helps maintain session between management station and the firewall while access lists are reloaded in case connection comes over IPSEC tunnel. Then clear permanent lists, recreate them and assign to interfaces. This method ensures that remote access to the firewall is maintained without interruption at a cost of slightly larger configuration. Qt::AlignVCenter true iosacl_acl_substitution QFrame::StyledPanel QFrame::Sunken 11 Temporary access list should permit access from this address or subnet (use prefix notation to specify subnet, e.g. 192.0.2.0/24): Qt::AlignVCenter true Qt::Horizontal QSizePolicy::Expanding 120 20 0 0 200 0 120 32767 Qt::Horizontal QSizePolicy::Expanding 110 20 0 0 0 0 0 0 Installer 4 Built-in installer User name used to authenticate to the firewall (leave this empty if you use putty session): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 0 0 Additional command line parameters for ssh false 0 0 300 0 Additional command line parameters for scp false 0 0 300 0 Instead of running generated configuration on the router line by line, installer can use scp to copy the file and then "copy file running-config" command to activate it. Ssh v2 and scp servers should be configured on the router for this to work. 
This method works for IOS v12.4 or later and is much faster than running configuration line by line. true Copy generated configuration file to the router using scp File system on the router where configuration file should be saved if it is copied with scp. Examples: "flash:", "disk0:". Should end with a colon ":". If this input field is left blank, installer uses "nvram:": true Qt::Horizontal 398 20 External install script -1 0 0 Policy install script (using built-in installer if this field is blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 0 0 Command line options for the script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 300 0 Qt::Vertical QSizePolicy::Expanding 20 20 Prolog/Epilog 20 12 20 20 6 Qt::Horizontal QSizePolicy::Expanding 40 20 Edit The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 The following commands will be added verbatim after generated configuration Qt::RichText Qt::AlignVCenter true 0 Logging Generate logging commands Syslog 12 Syslog host (name or IP address): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false syslog facility: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false syslog level ('logging trap'): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false QFrame::HLine QFrame::Sunken Qt::Horizontal QFrame::HLine QFrame::Sunken Qt::Horizontal The logging timestamp command requires that the clock command be set. 
Qt::AlignVCenter true Enable logging timestamps on syslog file Other logging destinations and levels: 12 Internal buffer Console Qt::Vertical QSizePolicy::Expanding 675 121 IPv6 The order in which ipv4 and ipv6 rules should be generated: Qt::Horizontal 40 20 IPv4 before IPv6 IPv6 before IPv4 Qt::Vertical 20 40 Qt::Horizontal QSizePolicy::Expanding 20 20 OK Qt::AlignCenter false Cancel outputFileName separate_acls_for_interfaces one_acl_for_all_interfaces iosacl_ignore_empty_groups iosacl_check_shadowing mgmt_ssh mgmt_addr iosacl_acl_basic iosacl_acl_no_clear iosacl_acl_substitution iosacl_acl_temp_addr iosacl_include_comments iosacl_use_acl_remarks iosacl_regroup_commands user altAddress sshArgs scpArgs use_scp filesystem installScript installScriptArgs iosacl_prolog_script edit_prolog_button iosacl_epilog_script edit_epilog_button generate_logging_commands syslog_host syslog_facility logging_trap_level logging_timestamp logging_buffered logging_console logging_buffered_level logging_console_level ipv4before_2 ok_button cancel_button textLabel3 tabWidget ok_button clicked() iosaclAdvancedDialog_q accept() 20 20 20 20 cancel_button clicked() iosaclAdvancedDialog_q reject() 20 20 20 20 edit_prolog_button clicked() iosaclAdvancedDialog_q editProlog() 20 20 20 20 edit_epilog_button clicked() iosaclAdvancedDialog_q editEpilog() 20 20 20 20 iosacl_acl_basic clicked() iosaclAdvancedDialog_q scriptACLModeChanged() 20 20 20 20 iosacl_acl_substitution clicked() iosaclAdvancedDialog_q scriptACLModeChanged() 20 20 20 20 generate_logging_commands toggled(bool) iosaclAdvancedDialog_q toggleGenerateLogging() 359 55 359 359 fwbuilder-5.3.7/src/libgui/iosadvanceddialog_q.ui000066400000000000000000000070151303637203600221000ustar00rootroot00000000000000 iosAdvancedDialog_q Qt::WindowModal true 0 0 597 188 IOS Advanced Configuration Options Qt::Horizontal 151 20 OK Cancel General 0 Set router name using object's name Generate commands to configure addresses for interfaces 
Qt::Vertical QSizePolicy::Expanding 20 40 ios_set_host_name tabWidget ios_ip_address ok_button cancel_button ok_button clicked() iosAdvancedDialog_q accept() 20 20 20 20 cancel_button clicked() iosAdvancedDialog_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/ipcopAdvancedDialog.cpp000066400000000000000000000211771303637203600221520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "ipcopAdvancedDialog.h" #include "SimpleTextEditor.h" #include "FWWindow.h" #include "Help.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; ipcopAdvancedDialog::~ipcopAdvancedDialog() { delete m_dialog; } ipcopAdvancedDialog::ipcopAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::ipcopAdvancedDialog_q; m_dialog->setupUi(this); obj=o; QStringList slm; /* * Set dialog title dynamically to reflect description set in the * platform resource file. This is useful because the same dialog * is used for ipcop, endian and oneshield platforms. 
*/ string platform = obj->getStr("platform"); string description = Resources::platform_res[platform]-> getResourceStr("/FWBuilderResources/Target/description"); setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str())); FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); /* fwoptions->setStr("firewall_dir", "/etc/rc.d/"); fwoptions->setStr("admUser", "admin"); fwoptions->setStr("activationCmd", "/etc/rc.d/rc.firewall"); fwoptions->setStr("output_file", "rc.firewall.local"); */ //QString s = fwoptions->getStr("ipv4_6_order") data.registerOption(m_dialog->ipv4before, fwoptions, "ipv4_6_order", QStringList() << tr("IPv4 before IPv6") <<"ipv4_first" << tr("IPv6 before IPv4") << "ipv6_first"); data.registerOption(m_dialog->logTCPseq, fwoptions, "log_tcp_seq"); data.registerOption(m_dialog->logTCPopt, fwoptions, "log_tcp_opt"); data.registerOption(m_dialog->logIPopt, fwoptions, "log_ip_opt"); data.registerOption(m_dialog->logNumsyslog, fwoptions, "use_numeric_log_levels"); slm = getLogLevels( platform.c_str()); m_dialog->logLevel->clear(); m_dialog->logLevel->addItems( getScreenNames(slm)); data.registerOption(m_dialog-> logLevel, fwoptions, "log_level", slm); data.registerOption(m_dialog->useULOG, fwoptions, "use_ULOG"); data.registerOption(m_dialog->cprange, fwoptions, "ulog_cprange"); data.registerOption(m_dialog->qthreshold, fwoptions, "ulog_qthreshold"); data.registerOption(m_dialog->nlgroup, fwoptions, "ulog_nlgroup"); data.registerOption(m_dialog->logprefix, fwoptions, "log_prefix"); slm=getLimitSuffixes( platform.c_str()); m_dialog->logLimitSuffix->clear(); m_dialog->logLimitSuffix->addItems(getScreenNames(slm)); data.registerOption(m_dialog-> logLimitSuffix, fwoptions, "limit_suffix", slm); data.registerOption(m_dialog->logLimitVal, fwoptions, "limit_value"); data.registerOption(m_dialog->logAll, fwoptions, "log_all"); 
data.registerOption(m_dialog->compiler, fwoptions, "compiler"); data.registerOption(m_dialog->compilerArgs, fwoptions, "cmdline"); data.registerOption(m_dialog->outputFileName, fwoptions, "output_file"); data.registerOption(m_dialog->assumeFwIsPartOfAny, fwoptions, "firewall_is_part_of_any_and_networks"); data.registerOption(m_dialog->acceptSessions, fwoptions, "accept_new_tcp_with_no_syn"); data.registerOption(m_dialog->bridge, fwoptions, "bridging_fw"); data.registerOption(m_dialog->shadowing, fwoptions, "check_shading"); data.registerOption(m_dialog->emptyGroups, fwoptions, "ignore_empty_groups"); data.registerOption(m_dialog->localNAT, fwoptions, "local_nat"); slm=getActionsOnReject( platform.c_str()); m_dialog->actionOnReject->clear(); m_dialog->actionOnReject->addItems(getScreenNames(slm)); data.registerOption(m_dialog-> actionOnReject, fwoptions,"action_on_reject", slm); data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh"); data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr"); data.registerOption(m_dialog->iptDebug, fwoptions, "debug"); data.registerOption(m_dialog->verifyInterfaces, fwoptions, "verify_interfaces"); data.registerOption(m_dialog->ipt_fw_dir, fwoptions, "firewall_dir"); data.registerOption(m_dialog->ipt_user, fwoptions, "admUser"); data.registerOption(m_dialog->altAddress, fwoptions, "altAddress"); data.registerOption(m_dialog->sshArgs, fwoptions, "sshArgs"); data.registerOption( m_dialog->scpArgs, fwoptions, "scpArgs"); data.registerOption(m_dialog->activationCmd, fwoptions, "activationCmd"); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); m_dialog->installScript->setText( pis->getCommand().c_str()); m_dialog->installScriptArgs->setText( pis->getArguments().c_str()); /* page "Prolog/Epilog" */ data.registerOption(m_dialog->prolog_script, fwoptions, "prolog_script"); data.registerOption(m_dialog->epilog_script, fwoptions, "epilog_script"); data.loadAll(); switchLOG_ULOG(); 
m_dialog->tabWidget->setCurrentIndex(0); } void ipcopAdvancedDialog::switchLOG_ULOG() { m_dialog->useLOG->setChecked(!m_dialog->useULOG->isChecked()); if (m_dialog->useLOG->isChecked()) m_dialog->logTargetStack->setCurrentIndex(0); else m_dialog->logTargetStack->setCurrentIndex(1); } /* * store all data in the object */ void ipcopAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt=(Firewall::cast(new_state))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(fwoptions); /********************* data for fwbd and install script **************/ PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); // find first interface marked as "management" const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress(); if (mgmt_addr) mgmt->setAddress(*mgmt_addr); pis->setCommand( m_dialog->installScript->text().toLatin1().constData()); pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData()); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void ipcopAdvancedDialog::reject() { QDialog::reject(); } void ipcopAdvancedDialog::editProlog() { SimpleTextEditor edt(this, m_dialog->prolog_script->toPlainText(), true, tr( "Script Editor" )); if ( edt.exec() == QDialog::Accepted ) m_dialog->prolog_script->setText( edt.text()); } void ipcopAdvancedDialog::editEpilog() { SimpleTextEditor edt(this, m_dialog->epilog_script->toPlainText(), true, tr( "Script Editor" )); if ( edt.exec() == QDialog::Accepted ) m_dialog->epilog_script->setText( edt.text()); } void ipcopAdvancedDialog::help() { QString tab_title = m_dialog->tabWidget->tabText( m_dialog->tabWidget->currentIndex()); QString anchor = tab_title.replace('/', '-').replace(' ', 
'-').toLower(); Help *h = Help::getHelpWindow(this); h->setName("Firewall platform: IPCOP"); h->setSource(QUrl("ipcopAdvancedDialog.html#" + anchor)); h->raise(); h->show(); } fwbuilder-5.3.7/src/libgui/ipcopAdvancedDialog.h000066400000000000000000000030121303637203600216030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPCOPADVANCEDDIALOG_H_ #define __IPCOPADVANCEDDIALOG_H_ #include #include "DialogData.h" namespace libfwbuilder { class FWObject; }; class ipcopAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::ipcopAdvancedDialog_q *m_dialog; public: ipcopAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~ipcopAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); virtual void editProlog(); virtual void editEpilog(); public slots: virtual void switchLOG_ULOG(); }; #endif // __IPCOPADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/ipcopadvanceddialog_q.ui000066400000000000000000001302041303637203600224150ustar00rootroot00000000000000 ipcopAdvancedDialog_q Qt::WindowModal true 0 0 726 710 0 0 ipcop advanced settings false 0 0 0 Compiler 12 12 12 Compiler: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 32767 22 0 0 
Command line options for the compiler: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 32767 22 0 0 Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw") Qt::AlignVCenter true 32767 22 rc.firewall.local true QFrame::HLine QFrame::Sunken Qt::Horizontal Qt::Horizontal QSizePolicy::Maximum 30 150 0 0 Assume firewall is part of 'any' 0 0 Accept TCP sessions opened prior to firewall restart 0 0 Bridging firewall 0 0 Detect shadowing in policy rules 0 0 Ignore empty groups in rules 0 0 Enable support for NAT of locally originated connections Default action on 'Reject': false Qt::Horizontal QSizePolicy::Expanding 72 20 QFrame::HLine QFrame::Sunken Qt::Horizontal Qt::Horizontal QSizePolicy::Fixed 30 50 Always permit ssh access from the management workstation with this address: 0 0 32767 32767 Qt::Vertical QSizePolicy::Expanding 20 20 Installer Built-in installer Directory on the firewall where script should be installed Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 250 0 /etc/rc.d/ 0 true User name used to authenticate to the firewall (leave this empty if you use putty session): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 250 0 admin 0 true Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 0 0 250 0 A command that installer should execute on the firewall in order to activate the policy (if this field is blank, installer runs firewall script in the directory specified above; it uses sudo if user name is not 'root') Qt::AlignVCenter true 0 0 250 0 /etc/rc.d/rc.firewall 0 true Additional command line parameters for ssh false 0 0 300 0 Additional command line parameters for scp false 0 0 300 0 External install script 0 0 Policy install script (using built-in installer if this field is blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 0 0 Command line options for the 
script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 300 0 Qt::Vertical QSizePolicy::Expanding 20 100 Prolog/Epilog 6 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 The following commands will be added verbatim after generated configuration Qt::AlignVCenter true 6 The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true Edit Qt::Horizontal 40 20 Logging 20 6 use ULOG use LOG 0 0 10 log TCP seq. numbers log IP options use numeric syslog levels Log level: false log TCP options 0 10 1500 cprange false 1 queue threshold: false netlink group: false 1 32 Qt::Vertical QSizePolicy::Expanding 20 16 0 0 QFrame::VLine QFrame::Sunken Qt::Vertical 0 0 Log prefix: false 32 Logging limit: false 10000 0 0 Activate logging in all rules (overrides rule options, use for debugging) Qt::Vertical QSizePolicy::Expanding 20 40 Qt::Vertical QSizePolicy::Expanding 20 16 Script 6 These options enable auxiliary sections in the generated shell script. Qt::AlignVCenter true Qt::Horizontal QSizePolicy::MinimumExpanding 40 20 Qt::Horizontal QSizePolicy::Maximum 30 120 Turn debugging on in generated script Qt::Vertical QSizePolicy::Expanding 20 200 Verify interfaces before loading firewall policy IPv6 The order in which ipv4 and ipv6 rules should be generated: IPv4 before IPv6 IPv6 before IPv4 Qt::Vertical 20 40 Qt::Horizontal 40 20 Help Qt::Horizontal QSizePolicy::Expanding 351 27 &OK true true &Cancel true tabWidget compiler compilerArgs outputFileName assumeFwIsPartOfAny acceptSessions bridge shadowing emptyGroups localNAT actionOnReject mgmt_ssh mgmt_addr buttonOk buttonCancel ipt_fw_dir ipt_user altAddress activationCmd sshArgs installScript installScriptArgs prolog_script edit_prolog_button epilog_script edit_epilog_button useLOG useULOG logTCPseq logTCPopt logIPopt logNumsyslog logLevel logprefix logLimitVal logLimitSuffix logAll verifyInterfaces iptDebug ipv4before cprange nlgroup qthreshold buttonOk clicked() 
ipcopAdvancedDialog_q accept() 20 20 20 20 buttonCancel clicked() ipcopAdvancedDialog_q reject() 20 20 20 20 useLOG toggled(bool) ipcopAdvancedDialog_q switchLOG_ULOG() 20 20 20 20 edit_prolog_button clicked() ipcopAdvancedDialog_q editProlog() 20 20 20 20 edit_epilog_button clicked() ipcopAdvancedDialog_q editEpilog() 20 20 20 20 buttonHelp clicked() ipcopAdvancedDialog_q help() 20 20 20 20 fwbuilder-5.3.7/src/libgui/ipcoposAdvancedDialog.cpp000066400000000000000000000174511303637203600225140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "ipcoposAdvancedDialog.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "Help.h" using namespace std; using namespace libfwbuilder; ipcoposAdvancedDialog::~ipcoposAdvancedDialog() { delete m_dialog; } ipcoposAdvancedDialog::ipcoposAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::ipcoposAdvancedDialog_q; m_dialog->setupUi(this); obj=o; string host_os = obj->getStr("host_OS"); string description = Resources::os_res[host_os]-> getResourceStr("/FWBuilderResources/Target/description"); setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str())); FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); QStringList threeStateMapping; threeStateMapping.push_back(QObject::tr("No change")); threeStateMapping.push_back(""); threeStateMapping.push_back(QObject::tr("On")); threeStateMapping.push_back("1"); threeStateMapping.push_back(QObject::tr("Off")); threeStateMapping.push_back("0"); data.registerOption( m_dialog->linux24_log_martians, fwopt, "linux24_log_martians", threeStateMapping); data.registerOption( m_dialog->linux24_accept_redirects, fwopt, "linux24_accept_redirects", threeStateMapping); data.registerOption( m_dialog->linux24_icmp_echo_ignore_all, fwopt, "linux24_icmp_echo_ignore_all", threeStateMapping); data.registerOption( m_dialog->linux24_icmp_echo_ignore_broadcasts, fwopt, "linux24_icmp_echo_ignore_broadcasts", threeStateMapping); data.registerOption( m_dialog->linux24_icmp_ignore_bogus_error_responses, 
fwopt, "linux24_icmp_ignore_bogus_error_responses", threeStateMapping); data.registerOption( m_dialog->linux24_ip_dynaddr, fwopt, "linux24_ip_dynaddr", threeStateMapping); data.registerOption( m_dialog->linux24_rp_filter, fwopt, "linux24_rp_filter", threeStateMapping); data.registerOption( m_dialog->linux24_accept_source_route, fwopt, "linux24_accept_source_route", threeStateMapping); data.registerOption( m_dialog->linux24_ip_forward, fwopt, "linux24_ip_forward", threeStateMapping); data.registerOption( m_dialog->linux24_ipv6_forward, fwopt, "linux24_ipv6_forward", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_fin_timeout, fwopt, "linux24_tcp_fin_timeout" ); data.registerOption( m_dialog->linux24_tcp_keepalive_interval, fwopt, "linux24_tcp_keepalive_interval"); data.registerOption( m_dialog->linux24_tcp_window_scaling, fwopt, "linux24_tcp_window_scaling", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_sack, fwopt, "linux24_tcp_sack", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_fack, fwopt, "linux24_tcp_fack", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_ecn, fwopt, "linux24_tcp_ecn", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_syncookies, fwopt, "linux24_tcp_syncookies", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_timestamps, fwopt, "linux24_tcp_timestamps", threeStateMapping); data.registerOption( m_dialog->linux24_path_iptables, fwopt, "linux24_path_iptables" ); data.registerOption( m_dialog->linux24_path_ip6tables, fwopt, "linux24_path_ip6tables" ); data.registerOption( m_dialog->linux24_path_ip, fwopt, "linux24_path_ip"); data.registerOption( m_dialog->linux24_path_lsmod, fwopt, "linux24_path_lsmod"); data.registerOption( m_dialog->linux24_path_logger, fwopt, "linux24_path_logger"); data.registerOption( m_dialog->linux24_path_vconfig, fwopt, "linux24_path_vconfig"); data.registerOption( m_dialog->linux24_path_brctl, fwopt, "linux24_path_brctl"); 
data.registerOption( m_dialog->linux24_path_ifenslave, fwopt, "linux24_path_ifenslave"); data.registerOption( m_dialog->linux24_path_modprobe, fwopt, "linux24_path_modprobe"); data.registerOption( m_dialog->linux24_path_iptables_restore, fwopt, "linux24_path_iptables_restore"); data.registerOption( m_dialog->linux24_path_ip6tables_restore, fwopt, "linux24_path_ip6tables_restore"); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void ipcoposAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); data.saveAll(fwoptions); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void ipcoposAdvancedDialog::reject() { QDialog::reject(); } void ipcoposAdvancedDialog::help() { QString tab_title = m_dialog->tabWidget->tabText( m_dialog->tabWidget->currentIndex()); QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower(); Help *h = Help::getHelpWindow(this); h->setName("Host type IPCOP"); h->setSource(QUrl("ipcoposAdvancedDialog.html#" + anchor)); h->raise(); h->show(); } fwbuilder-5.3.7/src/libgui/ipcoposAdvancedDialog.h000066400000000000000000000027271303637203600221610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPCOPOSADVANCEDDIALOG_H_ #define __IPCOPOSADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class ipcoposAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::ipcoposAdvancedDialog_q *m_dialog; public: ipcoposAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~ipcoposAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); }; #endif // __IPCOPOSADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/ipcoposadvanceddialog_q.ui000066400000000000000000001012761303637203600227660ustar00rootroot00000000000000 ipcoposAdvancedDialog_q Qt::WindowModal 0 0 499 625 IPCOP: advanced settings QTabWidget::Rounded 2 Options Qt::Vertical QSizePolicy::Fixed 20 20 IPv4 Packet forwarding Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Qt::Horizontal QSizePolicy::Expanding 40 150 IPv6 Packet forwarding Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Kernel anti-spoofing protection Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Ignore broadcast pings Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Ignore all pings Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Accept source route Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Accept ICMP redirects Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Ignore bogus ICMP errors Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off 
Allow dynamic addresses Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Qt::Horizontal QSizePolicy::Fixed 141 21 Log martians Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false whats this text No change On Off Qt::Vertical QSizePolicy::Expanding 93 21 TCP 6 These parameters make sense for connections to or from the firewall host Qt::AlignCenter true Qt::Vertical QSizePolicy::Fixed 20 20 Qt::Vertical QSizePolicy::Expanding 20 30 Qt::Horizontal QSizePolicy::Expanding 100 50 Qt::Horizontal QSizePolicy::Fixed 150 20 0 1000 30 0 10000 1800 No change On Off No change On Off No change On Off No change On Off No change On Off No change On Off TCP sack Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP window scaling Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP ECN Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP SYN cookies Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP keepalive time (sec) Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP fack Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP timestamps Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP FIN timeout (sec) Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Path Qt::Vertical QSizePolicy::Fixed 20 20 Specify directory path and a file name for each utility on your firewall machine. Leave these empty if you want to use default values. 
Qt::AlignCenter true iptables: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Qt::RightToLeft :ip6tables ip: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false vconfig Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false brctl Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false ifenslave Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false logger: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false modprobe: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false lsmod Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false iptables-restore: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Qt::RightToLeft :ip6tables-restore Qt::Vertical QSizePolicy::Expanding 20 60 Help Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true linux24_ip_forward linux24_ipv6_forward linux24_rp_filter linux24_icmp_echo_ignore_broadcasts linux24_icmp_echo_ignore_all linux24_accept_source_route linux24_accept_redirects linux24_icmp_ignore_bogus_error_responses linux24_ip_dynaddr linux24_log_martians buttonOk buttonCancel linux24_tcp_fin_timeout linux24_tcp_keepalive_interval linux24_tcp_window_scaling linux24_tcp_sack linux24_tcp_fack linux24_tcp_ecn linux24_tcp_syncookies linux24_tcp_timestamps linux24_path_iptables linux24_path_ip6tables linux24_path_ip linux24_path_vconfig linux24_path_brctl linux24_path_ifenslave linux24_path_logger linux24_path_modprobe linux24_path_lsmod linux24_path_iptables_restore linux24_path_ip6tables_restore tabWidget buttonHelp buttonCancel clicked() ipcoposAdvancedDialog_q reject() 395 447 223 239 buttonOk clicked() ipcoposAdvancedDialog_q accept() 314 447 223 239 buttonHelp clicked() ipcoposAdvancedDialog_q help() 47 447 223 239 help() fwbuilder-5.3.7/src/libgui/ipfAdvancedDialog.cpp000066400000000000000000000175051303637203600216160ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we 
release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "ipfAdvancedDialog.h" #include "SimpleTextEditor.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; ipfAdvancedDialog::~ipfAdvancedDialog() { delete m_dialog; } ipfAdvancedDialog::ipfAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::ipfAdvancedDialog_q; m_dialog->setupUi(this); obj=o; QStringList slm; FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); if (fwbdebug) qDebug("%s",Resources::getTargetOptionStr( obj->getStr("host_OS"),"user_can_change_install_dir").c_str()); if (!Resources::getTargetOptionBool( obj->getStr("host_OS"),"user_can_change_install_dir")) { m_dialog->ipf_fw_dir->setEnabled(false); fwopt->setStr("firewall_dir",""); } m_dialog->tabWidget->setTabEnabled(6,false); //Disable tab data.registerOption(m_dialog->ipv4before_2, fwopt, "ipv4_6_order", QStringList() << tr("IPv4 before IPv6") <<"ipv4_first" << tr("IPv6 before IPv4") << "ipv6_first"); data.registerOption( 
m_dialog->ipf_log_or_block,fwopt, "ipf_log_or_block" ); data.registerOption( m_dialog->ipf_log_body,fwopt, "ipf_log_body" ); data.registerOption( m_dialog->ipf_check_shadowing,fwopt, "check_shading" ); data.registerOption( m_dialog->ipf_eliminate_duplicates,fwopt, "eliminate_duplicates"); data.registerOption( m_dialog->ipf_accept_new_tcp_with_no_syn,fwopt, "accept_new_tcp_with_no_syn"); data.registerOption( m_dialog->ipf_ignore_empty_groups,fwopt, "ignore_empty_groups"); data.registerOption( m_dialog->ipf_return_icmp_as_dest,fwopt, "ipf_return_icmp_as_dest"); data.registerOption( m_dialog->ipf_nat_raudio_proxy,fwopt, "ipf_nat_raudio_proxy"); data.registerOption( m_dialog->ipf_nat_h323_proxy,fwopt, "ipf_nat_h323_proxy"); data.registerOption( m_dialog->ipf_nat_ipsec_proxy,fwopt, "ipf_nat_ipsec_proxy"); data.registerOption( m_dialog->ipf_nat_pptp_proxy,fwopt, "ipf_nat_pptp_proxy"); data.registerOption( m_dialog->ipf_nat_irc_proxy,fwopt, "ipf_nat_irc_proxy"); data.registerOption( m_dialog->ipf_nat_ftp_proxy,fwopt, "ipf_nat_ftp_proxy"); data.registerOption( m_dialog->ipf_nat_rcmd_proxy,fwopt, "ipf_nat_rcmd_proxy"); data.registerOption( m_dialog->ipf_nat_krcmd_proxy,fwopt, "ipf_nat_krcmd_proxy"); data.registerOption( m_dialog->ipf_nat_ekshell_proxy,fwopt, "ipf_nat_ekshell_proxy"); data.registerOption( m_dialog->ipf_fw_dir,fwopt, "firewall_dir" ); data.registerOption( m_dialog->ipf_user,fwopt, "admUser" ); data.registerOption( m_dialog->altAddress, fwopt, "altAddress"); data.registerOption( m_dialog->sshArgs, fwopt, "sshArgs"); data.registerOption( m_dialog->scpArgs, fwopt, "scpArgs"); data.registerOption( m_dialog->activationCmd, fwopt, "activationCmd"); data.registerOption( m_dialog->ipf_manage_virtual_addr,fwopt, "manage_virtual_addr"); data.registerOption( m_dialog->ipf_configure_interfaces,fwopt, "configure_interfaces"); data.registerOption( m_dialog->ipf_debug,fwopt, "debug" ); data.registerOption( m_dialog->ipf_optimize,fwopt, "optimize" ); data.registerOption( 
m_dialog->ipf_dynAddr,fwopt, "dynAddr" ); slm = getLogLevels( obj->getStr("platform").c_str() ); m_dialog->logLevel->clear(); m_dialog->logLevel->addItems( getScreenNames( slm )); data.registerOption( m_dialog->logLevel, fwopt, "ipf_log_level", slm); slm = getLogFacilities( obj->getStr("platform").c_str() ); m_dialog->logFacility->clear(); m_dialog->logFacility->addItems( getScreenNames( slm )); data.registerOption( m_dialog->logFacility, fwopt, "ipf_log_facility", slm); data.registerOption( m_dialog->compiler, fwopt, "compiler" ); data.registerOption( m_dialog->compilerArgs, fwopt, "cmdline" ); data.registerOption( m_dialog->outputFileName, fwopt, "output_file" ); data.registerOption( m_dialog->fileNameOnFw, fwopt, "script_name_on_firewall"); data.registerOption( m_dialog->ipfConfFileNameOnFw, fwopt, "ipf_conf_file_name_on_firewall"); data.registerOption( m_dialog->natConfFileNameOnFw, fwopt, "nat_conf_file_name_on_firewall"); slm=getActionsOnReject( obj->getStr("platform").c_str() ); m_dialog->actionOnReject->clear(); m_dialog->actionOnReject->addItems(getScreenNames(slm)); data.registerOption( m_dialog->actionOnReject, fwopt, "action_on_reject",slm); data.registerOption( m_dialog->mgmt_ssh, fwopt, "mgmt_ssh" ); data.registerOption( m_dialog->mgmt_addr, fwopt, "mgmt_addr" ); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); m_dialog->installScript->setText( pis->getCommand().c_str() ); m_dialog->installScriptArgs->setText( pis->getArguments().c_str() ); /* page "Prolog/Epilog" */ data.registerOption( m_dialog->prolog_script, fwopt, "prolog_script" ); data.registerOption( m_dialog->epilog_script, fwopt, "epilog_script" ); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void ipfAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = 
Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt = (Firewall::cast(new_state))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(fwoptions); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); pis->setCommand( m_dialog->installScript->text().toLatin1().constData() ); pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData() ); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void ipfAdvancedDialog::reject() { QDialog::reject(); } void ipfAdvancedDialog::editProlog() { SimpleTextEditor edt(this, m_dialog->prolog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->prolog_script->setText( edt.text() ); } void ipfAdvancedDialog::editEpilog() { SimpleTextEditor edt(this, m_dialog->epilog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->epilog_script->setText( edt.text() ); } fwbuilder-5.3.7/src/libgui/ipfAdvancedDialog.h000066400000000000000000000027401303637203600212560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPFADVANCEDDIALOG_H_ #define __IPFADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class ipfAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::ipfAdvancedDialog_q *m_dialog; public: ipfAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~ipfAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void editProlog(); virtual void editEpilog(); }; #endif // __IPFADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/ipfadvanceddialog_q.ui000066400000000000000000001244101303637203600220630ustar00rootroot00000000000000 ipfAdvancedDialog_q Qt::WindowModal 0 0 689 567 ipf: advanced settings false 11 Qt::Horizontal QSizePolicy::Expanding 20 20 &OK true true &Cancel true 0 Compiler Compiler: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 32767 32767 0 0 Command line options for the compiler: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 32767 32767 0 0 Output file name. If left blank, the file name is constructed of the firewall object name and extension ".fw" Qt::AlignVCenter true 32767 32767 Generated script (.fw file) and configuration (.conf) files can be copied to the firewall machine under different names. If these fields are left blank, the file name does not change. 
true Script (.fw) file name on the firewall 32767 22 ipf.conf file name on the firewall 32767 22 nat.conf file name on the firewall 32767 22 QFrame::HLine QFrame::Sunken Qt::Horizontal QFrame::HLine QFrame::Sunken Qt::Horizontal Always permit ssh access from the management workstation with this address: 0 0 32767 32767 Qt::Vertical QSizePolicy::Expanding 20 16 Find and eliminate duplicate rules Accept TCP sessions opened prior to firewall restart If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works! Ignore empty groups in rules Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. Detect rule shadowing in policy 400 32767 Default action on 'Reject': Qt::AlignVCenter true 0 0 400 32767 Masquerade returned icmp as being from original packet's destination Protocol Helpers 6 Qt::Vertical QSizePolicy::Fixed 20 20 Use raudio proxy in NAT rules Use h323 proxy in NAT rules Use ipsec proxy in NAT rules Qt::Horizontal QSizePolicy::Fixed 40 100 Use ftp proxy in NAT rules Use rcmd proxy in NAT rules Use Kerberos rcmd proxy in NAT rules Use Kerberos ekshell proxy in NAT rules Qt::Vertical QSizePolicy::Expanding 20 270 Use PPTP proxy in NAT rules Use IRC proxy in NAT rules for DCC 0 0 Some protocols involve multiple associated network connections. 
Firewall can keep track of such connections automatically if you activate one or all of the following options: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true Installer Built-in installer Directory on the firewall where configuration files should be installed Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 User name used to authenticate to the firewall (leave this empty if you use putty session): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 0 0 A command that installer should execute on the firewall in order to activate the policy (if this field is blank, installer runs firewall script in the directory specified above; it uses sudo if user name is not 'root') Qt::AlignVCenter true 0 0 Additional command line parameters for ssh false 0 0 300 0 Additional command line parameters for scp false 0 0 300 0 Qt::Vertical QSizePolicy::Fixed 20 20 External install script 0 0 Policy install script (using built-in installer if this field is blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 0 0 Command line options for the script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 Qt::Vertical QSizePolicy::Expanding 20 20 Prolog/Epilog 6 6 Qt::Horizontal QSizePolicy::Expanding 40 20 Edit The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true Qt::ScrollBarAlwaysOn Qt::ScrollBarAlwaysOff 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 Qt::ScrollBarAlwaysOn Qt::ScrollBarAlwaysOff The following commands will be added verbatim after generated configuration Qt::AlignVCenter true Logging 6 Qt::Vertical QSizePolicy::Fixed 20 20 Qt::Horizontal QSizePolicy::Fixed 130 20 Qt::Horizontal QSizePolicy::Expanding 120 20 Qt::Vertical QSizePolicy::Expanding 20 240 Log facility: false Log level: false Log packet body Block if can not log 
Qt::Vertical QSizePolicy::Fixed 20 20 Script Options 6 Qt::Horizontal QSizePolicy::Fixed 40 70 Add virtual addresses for NAT Configure Interfaces of the firewall machine Turn debugging on in generated script If this option is on, policy compiler adds virtual addresses to the interfaces to make the firewall answer to ARP queries for addresses used in NAT rules. Optimization These options enable auxiliary sections in the generated shell script. Qt::AlignVCenter true Qt::Vertical QSizePolicy::Fixed 20 20 Qt::Vertical QSizePolicy::Expanding 20 200 Determine addresses of dynamic interfaces at run time IPv6 Enable IPv6 support The order in which ipv4 and ipv6 rules should be generated: Qt::Horizontal 40 20 IPv4 before IPv6 IPv6 before IPv4 Qt::Vertical 20 40 tabWidget ipf_nat_ftp_proxy ipf_nat_rcmd_proxy ipf_nat_raudio_proxy ipf_nat_h323_proxy ipf_nat_ipsec_proxy ipf_nat_pptp_proxy ipf_nat_irc_proxy compiler compilerArgs outputFileName mgmt_ssh mgmt_addr buttonOk buttonCancel ipf_fw_dir ipf_user altAddress activationCmd sshArgs installScript installScriptArgs prolog_script edit_prolog_button epilog_script edit_epilog_button logFacility logLevel ipf_log_or_block ipf_log_body ipf_debug ipf_configure_interfaces ipf_manage_virtual_addr ipf_optimize ipf_dynAddr ipv6_2 ipv4before_2 buttonOk clicked() ipfAdvancedDialog_q accept() 20 20 20 20 buttonCancel clicked() ipfAdvancedDialog_q reject() 20 20 20 20 edit_epilog_button clicked() ipfAdvancedDialog_q editEpilog() 20 20 20 20 edit_prolog_button clicked() ipfAdvancedDialog_q editProlog() 20 20 20 20 fwbuilder-5.3.7/src/libgui/ipfwAdvancedDialog.cpp000066400000000000000000000137011303637203600217770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "ipfwAdvancedDialog.h" #include "SimpleTextEditor.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; ipfwAdvancedDialog::~ipfwAdvancedDialog() { delete m_dialog; } ipfwAdvancedDialog::ipfwAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::ipfwAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); if (fwbdebug) qDebug("%s",Resources::getTargetOptionStr( obj->getStr("host_OS"),"user_can_change_install_dir").c_str()); if (!Resources::getTargetOptionBool( obj->getStr("host_OS"),"user_can_change_install_dir")) { m_dialog->ipfw_fw_dir->setEnabled(false); fwopt->setStr("firewall_dir",""); } if (fwopt->getStr("add_check_state_rule").empty()) fwopt->setBool("add_check_state_rule",true); data.registerOption(m_dialog->ipv4before_2, fwopt, "ipv4_6_order", QStringList() << tr("IPv4 before IPv6") <<"ipv4_first" << tr("IPv6 before IPv4") << "ipv6_first" ); data.registerOption( m_dialog->ipfw_add_check_state_rule, fwopt, 
"add_check_state_rule"); data.registerOption( m_dialog->ipfw_check_shadowing, fwopt, "check_shading"); data.registerOption( m_dialog->ipfw_ignore_empty_groups, fwopt, "ignore_empty_groups" ); data.registerOption( m_dialog->ipfw_fw_dir, fwopt, "firewall_dir"); data.registerOption( m_dialog->ipfw_user, fwopt, "admUser"); data.registerOption( m_dialog->altAddress, fwopt, "altAddress"); data.registerOption( m_dialog->sshArgs, fwopt, "sshArgs"); data.registerOption( m_dialog->scpArgs, fwopt, "scpArgs"); data.registerOption( m_dialog->activationCmd, fwopt, "activationCmd"); data.registerOption( m_dialog->ipfw_manage_virtual_addr, fwopt, "manage_virtual_addr"); data.registerOption( m_dialog->ipfw_configure_interfaces, fwopt, "configure_interfaces"); data.registerOption( m_dialog->ipfw_debug, fwopt, "debug"); data.registerOption( m_dialog->compiler, fwopt, "compiler" ); data.registerOption( m_dialog->compilerArgs, fwopt, "cmdline"); data.registerOption( m_dialog->outputFileName, fwopt, "output_file"); data.registerOption( m_dialog->fileNameOnFw, fwopt, "script_name_on_firewall"); data.registerOption( m_dialog->mgmt_ssh, fwopt, "mgmt_ssh" ); data.registerOption( m_dialog->mgmt_addr, fwopt, "mgmt_addr" ); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); m_dialog->installScript->setText(pis->getCommand().c_str()); m_dialog->installScriptArgs->setText(pis->getArguments().c_str()); /* page "Prolog/Epilog" */ data.registerOption( m_dialog->prolog_script, fwopt, "prolog_script" ); data.registerOption( m_dialog->epilog_script, fwopt, "epilog_script" ); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void ipfwAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt = 
(Firewall::cast(new_state))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(fwoptions); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); pis->setCommand( m_dialog->installScript->text().toLatin1().constData() ); pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData() ); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void ipfwAdvancedDialog::reject() { QDialog::reject(); } void ipfwAdvancedDialog::editProlog() { SimpleTextEditor edt(this, m_dialog->prolog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->prolog_script->setText( edt.text() ); } void ipfwAdvancedDialog::editEpilog() { SimpleTextEditor edt(this, m_dialog->epilog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->epilog_script->setText( edt.text() ); } fwbuilder-5.3.7/src/libgui/ipfwAdvancedDialog.h000066400000000000000000000027471303637203600214540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPFWADVANCEDDIALOG_H_ #define __IPFWADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class ipfwAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::ipfwAdvancedDialog_q *m_dialog; public: ipfwAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~ipfwAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void editProlog(); virtual void editEpilog(); }; #endif // __IPFWADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/ipfwadvanceddialog_q.ui000066400000000000000000000752551303637203600222660ustar00rootroot00000000000000 ipfwAdvancedDialog_q 0 0 818 565 ipfw: advanced settings false 11 Qt::Horizontal QSizePolicy::Expanding 20 20 &OK true true &Cancel true 0 Compiler Compiler: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 32767 32767 0 0 Command line options for the compiler: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 32767 32767 0 0 Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw") Qt::AlignVCenter true 32767 32767 Generated script can be copied to the firewall machine under different name. If this field is left blank, the file name does not change. true Script name on the firewall 32767 22 Qt::Vertical QSizePolicy::Fixed 20 20 0 0 Add rule to accept packets matching dynamic rules created for known sessions on top of the policy (action 'check-state') 0 0 Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. Detect rule shadowing in policy 0 0 If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. 
If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works! Ignore empty groups in rules Always permit ssh access from the management workstation with this address: 0 0 32767 32767 Qt::Horizontal 40 20 If you use the option to automatically add a rule to permit ssh access from the management workstation, another rule will be added to permit reply packets going back to the same address. This is necessary to automatically recreate dynamic ipfw rule for the ssh session used to manage the firewall after all ipfw sets are flushed and loaded with new rules. Use this option to permit ssh access from a trusted machine or a subnet that should be as narrow as possible. true Qt::Vertical QSizePolicy::Expanding 20 40 Installer Built-in installer Directory on the firewall where script should be installed Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 User name used to authenticate to the firewall (leave this empty if you use putty session): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 0 0 A command that installer should execute on the firewall in order to activate the policy (if this field is blank, installer runs firewall script in the directory specified above; it uses sudo if user name is not 'root') Qt::AlignVCenter true 0 0 Additional command line parameters for ssh false 0 0 300 0 Additional command line parameters for scp false 0 0 300 0 External install script 0 0 Policy install script (using built-in installer if this field is blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 0 0 Command line options for the script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 300 0 
Qt::Vertical QSizePolicy::Expanding 20 20 Prolog/Epilog 6 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 The following commands will be added verbatim after generated configuration Qt::AlignVCenter true 6 Qt::Horizontal QSizePolicy::Expanding 40 20 Edit The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true Script Options 6 Qt::Horizontal QSizePolicy::Fixed 40 70 Add virtual addresses for NAT Configure Interfaces of the firewall machine Turn debugging on in generated script These options enable auxiliary sections in the generated shell script. Qt::AlignVCenter true Qt::Vertical QSizePolicy::Expanding 20 230 Qt::Vertical QSizePolicy::Fixed 20 20 IPv6 The order in which ipv4 and ipv6 rules should be generated: Qt::Horizontal 40 20 IPv4 before IPv6 IPv6 before IPv4 Qt::Vertical 20 40 tabWidget compiler compilerArgs outputFileName ipfw_add_check_state_rule ipfw_check_shadowing ipfw_ignore_empty_groups mgmt_ssh mgmt_addr buttonOk buttonCancel ipfw_fw_dir ipfw_user altAddress activationCmd sshArgs installScript installScriptArgs prolog_script edit_prolog_button epilog_script edit_epilog_button ipfw_debug ipfw_configure_interfaces ipfw_manage_virtual_addr ipv4before_2 buttonOk clicked() ipfwAdvancedDialog_q accept() 20 20 20 20 buttonCancel clicked() ipfwAdvancedDialog_q reject() 20 20 20 20 edit_epilog_button clicked() ipfwAdvancedDialog_q editEpilog() 20 20 20 20 edit_prolog_button clicked() ipfwAdvancedDialog_q editProlog() 20 20 20 20 fwbuilder-5.3.7/src/libgui/ipservicedialog_q.ui000066400000000000000000000257041303637203600216160ustar00rootroot00000000000000 IPServiceDialog_q true 0 0 952 265 0 0 IP QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 Protocol number: (0=any) false 255 Qt::Horizontal 40 20 DiffServ Use DSCP true Use TOS DSCP or TOS code (numerical, dec or hex): Qt::Vertical 20 34 6 0 0 QFrame::StyledPanel QFrame::Raised 2 2 IP options: IP service object 
that has this attribute turned on matches IP packets with any IP options present. Any options lsrr (loose source route) ssrr (strict source route) rr (record route) timestamp router-alert option 0 0 QFrame::StyledPanel QFrame::Raised 2 2 Fragments: all 'short' 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name protocolNum use_dscp use_tos code any_opt stateChanged(int) IPServiceDialog_q anyOptionsStateChanged() 441 64 421 150 changed() anyOptionsStateChanged()
fwbuilder-5.3.7/src/libgui/iptAdvancedDialog.cpp000066400000000000000000000271561303637203600216370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "iptAdvancedDialog.h" #include "SimpleTextEditor.h" #include "FWWindow.h" #include "Help.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; iptAdvancedDialog::~iptAdvancedDialog() { delete m_dialog; } iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::iptAdvancedDialog_q; m_dialog->setupUi(this); obj=o; QStringList slm; string platform = obj->getStr("platform"); string description = Resources::platform_res[platform]-> getResourceStr("/FWBuilderResources/Target/description"); setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str())); FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); if (fwbdebug) 
qDebug("%s",Resources::getTargetOptionStr( obj->getStr("host_OS"),"user_can_change_install_dir").c_str()); //QString s = fwoptions->getStr("ipv4_6_order") data.registerOption(m_dialog->ipv4before, fwoptions, "ipv4_6_order", QStringList() << tr("IPv4 before IPv6") <<"ipv4_first" << tr("IPv6 before IPv4") << "ipv6_first"); data.registerOption(m_dialog->logTCPseq, fwoptions, "log_tcp_seq"); data.registerOption(m_dialog->logTCPopt, fwoptions, "log_tcp_opt"); data.registerOption(m_dialog->logIPopt, fwoptions, "log_ip_opt"); data.registerOption(m_dialog->logNumsyslog, fwoptions, "use_numeric_log_levels"); slm = getLogLevels( obj->getStr("platform").c_str()); m_dialog->logLevel->clear(); m_dialog->logLevel->addItems( getScreenNames(slm)); data.registerOption(m_dialog-> logLevel, fwoptions, "log_level", slm); data.registerOption(m_dialog->useULOG, fwoptions, "use_ULOG"); data.registerOption(m_dialog->cprange, fwoptions, "ulog_cprange"); data.registerOption(m_dialog->qthreshold, fwoptions, "ulog_qthreshold"); data.registerOption(m_dialog->nlgroup, fwoptions, "ulog_nlgroup"); data.registerOption(m_dialog->logprefix, fwoptions, "log_prefix"); slm=getLimitSuffixes( obj->getStr("platform").c_str()); m_dialog->logLimitSuffix->clear(); m_dialog->logLimitSuffix->addItems(getScreenNames(slm)); data.registerOption(m_dialog-> logLimitSuffix, fwoptions, "limit_suffix", slm); data.registerOption(m_dialog->logLimitVal, fwoptions, "limit_value"); data.registerOption(m_dialog->logAll, fwoptions, "log_all"); data.registerOption(m_dialog->compiler, fwoptions, "compiler"); data.registerOption(m_dialog->compilerArgs, fwoptions, "cmdline"); data.registerOption(m_dialog->outputFileName, fwoptions, "output_file"); data.registerOption(m_dialog->fileNameOnFw, fwoptions, "script_name_on_firewall"); data.registerOption(m_dialog->assumeFwIsPartOfAny, fwoptions, "firewall_is_part_of_any_and_networks"); data.registerOption(m_dialog->acceptSessions, fwoptions, "accept_new_tcp_with_no_syn"); 
data.registerOption(m_dialog->dropInvalid, fwoptions, "drop_invalid"); data.registerOption(m_dialog->logInvalid, fwoptions, "log_invalid"); data.registerOption(m_dialog->acceptESTBeforeFirst, fwoptions, "accept_established"); data.registerOption(m_dialog->bridge, fwoptions, "bridging_fw"); data.registerOption(m_dialog->shadowing, fwoptions, "check_shading"); data.registerOption(m_dialog->emptyGroups, fwoptions, "ignore_empty_groups"); data.registerOption(m_dialog->localNAT, fwoptions, "local_nat"); data.registerOption(m_dialog->clampMSStoMTU, fwoptions, "clamp_mss_to_mtu"); data.registerOption(m_dialog->ipv6NeighborDiscovery, fwoptions, "add_rules_for_ipv6_neighbor_discovery"); slm = getActionsOnReject( obj->getStr("platform").c_str()); m_dialog->actionOnReject->clear(); m_dialog->actionOnReject->addItems(getScreenNames(slm)); data.registerOption(m_dialog-> actionOnReject, fwoptions,"action_on_reject", slm); data.registerOption(m_dialog->useModuleSet, fwoptions, "use_m_set"); data.registerOption(m_dialog->useKernelTz, fwoptions, "use_kerneltz"); data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh"); data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr"); data.registerOption(m_dialog->add_mgmt_ssh_rule_when_stoped, fwoptions, "add_mgmt_ssh_rule_when_stoped"); data.registerOption(m_dialog->addVirtualsforNAT, fwoptions, "manage_virtual_addr"); data.registerOption(m_dialog->configureInterfaces, fwoptions, "configure_interfaces"); data.registerOption(m_dialog->clearUnknownInterfaces, fwoptions, "clear_unknown_interfaces"); data.registerOption(m_dialog->configure_vlan_interfaces, fwoptions, "configure_vlan_interfaces"); data.registerOption(m_dialog->configure_bridge_interfaces, fwoptions, "configure_bridge_interfaces"); data.registerOption(m_dialog->configure_bonding_interfaces, fwoptions, "configure_bonding_interfaces"); data.registerOption(m_dialog->iptDebug, fwoptions, "debug"); data.registerOption(m_dialog->verifyInterfaces, fwoptions, 
"verify_interfaces"); data.registerOption(m_dialog->loadModules, fwoptions, "load_modules"); data.registerOption(m_dialog->iptablesRestoreActivation, fwoptions, "use_iptables_restore"); data.registerOption(m_dialog->ipt_fw_dir, fwoptions, "firewall_dir"); data.registerOption(m_dialog->ipt_user, fwoptions, "admUser"); data.registerOption(m_dialog->altAddress, fwoptions, "altAddress"); data.registerOption(m_dialog->sshArgs, fwoptions, "sshArgs"); data.registerOption( m_dialog->scpArgs, fwoptions, "scpArgs"); data.registerOption(m_dialog->activationCmd, fwoptions, "activationCmd"); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); m_dialog->installScript->setText( pis->getCommand().c_str()); m_dialog->installScriptArgs->setText( pis->getArguments().c_str()); /* page "Prolog/Epilog" */ data.registerOption(m_dialog->prolog_script, fwoptions, "prolog_script"); QStringList prologPlaces_ipt; prologPlaces_ipt.push_back(QObject::tr("on top of the script")); prologPlaces_ipt.push_back("top"); prologPlaces_ipt.push_back(QObject::tr("after interface configuration")); prologPlaces_ipt.push_back("after_interfaces"); // bug #2820840: can't put prolog "after policy reset" if iptables-restore if (!fwoptions->getBool("use_iptables_restore")) { prologPlaces_ipt.push_back(QObject::tr("after policy reset")); prologPlaces_ipt.push_back("after_flush"); } m_dialog->prologPlace->clear(); m_dialog->prologPlace->addItems(getScreenNames(prologPlaces_ipt)); data.registerOption(m_dialog-> prologPlace, fwoptions, "prolog_place", prologPlaces_ipt); data.registerOption(m_dialog->epilog_script, fwoptions, "epilog_script"); data.loadAll(); switchLOG_ULOG(); if (!Resources::getTargetOptionBool( obj->getStr("host_OS"), "user_can_change_install_dir")) { m_dialog->ipt_fw_dir->setEnabled(false); //fwoptions->setStr("firewall_dir", ""); } string version = obj->getStr("version"); bool can_use_module_set = (XMLTools::version_compare(version, "1.4.1.1") >= 0); if (!can_use_module_set) 
m_dialog->useModuleSet->setChecked(false); m_dialog->useModuleSet->setEnabled(can_use_module_set); bool can_use_kerneltz = (XMLTools::version_compare(version, "1.4.11") >= 0); if (!can_use_kerneltz) m_dialog->useKernelTz->setChecked(false); m_dialog->useKernelTz->setEnabled(can_use_kerneltz); m_dialog->tabWidget->setCurrentIndex(0); } void iptAdvancedDialog::switchLOG_ULOG() { m_dialog->useLOG->setChecked(!m_dialog->useULOG->isChecked()); if (m_dialog->useLOG->isChecked()) m_dialog->logTargetStack->setCurrentIndex(0); else m_dialog->logTargetStack->setCurrentIndex(1); } /* * store all data in the object */ void iptAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt = (Firewall::cast(new_state))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(fwoptions); /********************* data for fwbd and install script **************/ PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); // find first interface marked as "management" const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress(); if (mgmt_addr) mgmt->setAddress(*mgmt_addr); pis->setCommand( m_dialog->installScript->text().toLatin1().constData()); pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData()); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void iptAdvancedDialog::reject() { QDialog::reject(); } void iptAdvancedDialog::editProlog() { SimpleTextEditor edt(this, m_dialog->prolog_script->toPlainText(), true, tr( "Script Editor" )); if ( edt.exec() == QDialog::Accepted ) m_dialog->prolog_script->setText( edt.text()); } void iptAdvancedDialog::editEpilog() { SimpleTextEditor edt(this, m_dialog->epilog_script->toPlainText(), true, tr( 
"Script Editor" )); if ( edt.exec() == QDialog::Accepted ) m_dialog->epilog_script->setText( edt.text()); } void iptAdvancedDialog::help() { QString tab_title = m_dialog->tabWidget->tabText( m_dialog->tabWidget->currentIndex()); QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower(); Help *h = Help::getHelpWindow(this); h->setName("Firewall platform: iptables"); h->setSource(QUrl("iptAdvancedDialog.html#" + anchor)); h->show(); h->raise(); } fwbuilder-5.3.7/src/libgui/iptAdvancedDialog.h000066400000000000000000000027731303637203600213020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __IPTADVANCEDDIALOG_H_ #define __IPTADVANCEDDIALOG_H_ #include #include "DialogData.h" namespace libfwbuilder { class FWObject; }; class iptAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::iptAdvancedDialog_q *m_dialog; public: iptAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~iptAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); virtual void editProlog(); virtual void editEpilog(); public slots: virtual void switchLOG_ULOG(); }; #endif // __IPTADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/iptadvanceddialog_q.ui000066400000000000000000001617501303637203600221110ustar00rootroot00000000000000 iptAdvancedDialog_q Qt::WindowModal true 0 0 1054 628 0 0 iptables: advanced settings false Help Qt::Horizontal QSizePolicy::Expanding 351 27 &OK true true &Cancel true 0 0 0 Compiler Compiler: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 300 25 32767 22 0 0 Compiler command line options: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 0 25 32767 22 0 0 Output file name: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter true 300 25 32767 22 Qt::Horizontal 40 20 If output file name is left blank, the file name is constructed of the firewall object name and extension ".fw" true Script name on the firewall: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 300 25 32767 22 Qt::Horizontal 40 20 Generated script can be copied to the firewall machine under different name. If this field is left blank, the file name does not change. 
true QFrame::HLine QFrame::Sunken Qt::Horizontal 0 0 Assume firewall is part of 'any' 0 0 Detect shadowing in policy rules 0 0 Accept TCP sessions opened prior to firewall restart 0 0 Ignore empty groups in rules 0 0 Accept ESTABLISHED and RELATED packets before the first rule 0 0 Enable support for NAT of locally originated connections Drop packets that are associated with no known connection and log them 0 0 This adds a rule on top of the policy with iptables target TCPMSS and option --clamp-mss-to-pmtu. Generation of this command is version-dependent and also depends on the setting of ip or ipv6 forwarding in host settings dialog. Clamp MSS to MTU 0 0 Bridging firewall Default action on 'Reject': false Qt::Horizontal QSizePolicy::Minimum 72 20 Compiler will automatically generate rules to permit ICMP6 packets used in IPv6 Neighbor Discovery after the rules that accept ESTABLISHED,RELATE and before the rule that drops packets in state INVALID. Add rules to accept IPv6 Neighbor Discovery packets to IPv6 policies Use module "set" for run-time Address Table objects (module is only available in iptables v 1.4.1.1 and later) Use kernel timezone instead of UTC (only available in iptables v 1.4.11 and later) QFrame::HLine QFrame::Sunken Qt::Horizontal Always permit ssh access from the management workstation with this address: 0 0 32767 32767 Qt::Horizontal 40 20 Install the rule for ssh access from the management workstation when the firewall script is run with the "block" command Qt::Vertical QSizePolicy::Expanding 20 20 Installer 6 Built-in installer 6 Directory on the firewall where script should be installed Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 250 0 User name used to authenticate to the firewall (leave this empty if you use putty session): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 250 0 Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop 
true 0 0 250 0 A command that installer should execute on the firewall in order to activate the policy (if this field is blank, installer runs firewall script in the directory specified above; it uses sudo if user name is not 'root') Qt::AlignVCenter true 0 0 250 0 Additional command line parameters for ssh false 0 0 300 0 Additional command line parameters for scp false 0 0 300 0 External install script 0 0 Policy install script (using built-in installer if this field is blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 0 0 Command line options for the script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 300 0 Qt::Vertical QSizePolicy::Expanding 20 100 Prolog/Epilog 6 6 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 The following commands will be added verbatim after generated configuration Qt::AlignVCenter true 6 The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true Edit Insert prolog script false 0 0 on top of the script after interface configuration after policy reset Logging 6 20 true false 20 12 use ULOG use LOG 0 0 log TCP seq. numbers log IP options use numeric syslog levels Log level: false log TCP options 0 1500 cprange false 1 queue threshold: false netlink group: false 1 32 Qt::Vertical QSizePolicy::Expanding 20 16 0 0 QFrame::VLine QFrame::Sunken Qt::Vertical 0 0 Log prefix: false 32 Logging limit: false 10000 0 0 Activate logging in all rules (overrides rule options, use for debugging) Qt::Vertical QSizePolicy::Expanding 20 40 Qt::Vertical QSizePolicy::Expanding 20 16 Script Qt::Horizontal QSizePolicy::Fixed 30 20 0 0 Load iptables modules Qt::Vertical QSizePolicy::Fixed 556 18 If debugging is turned on, the script will run with shell option "-x" that makes it print every command it executes. Warning: this produces a lot of debugging output. 
true 0 0 Turn debugging on in generated script Qt::Vertical QSizePolicy::Fixed 556 18 Managing interfaces and addresses 0 0 Verify interfaces before loading firewall policy 0 0 Configure Interfaces of the firewall machine Clear ip addresses and bring down interfaces not configured in fwbuilder 0 0 Configure VLAN Interfaces 0 0 Configure bridge Interfaces 0 0 Configure bonding Interfaces 0 0 Add virtual addresses for NAT Qt::Vertical QSizePolicy::Fixed 556 40 Generated script can load rules one by one by calling iptables command line utility, or activate them all at once using iptables-restore. In both cases you just run the script with command line parameter "start" to activate the policy, the script will use iptables-restore automatically if this checkbox is on true 0 0 iptables-restore replaces firewall policy in one atomic transaction Use iptables-restore to activate policy Qt::Vertical QSizePolicy::Expanding 20 200 IPv6 6 The order in which ipv4 and ipv6 rules should be generated: IPv4 before IPv6 IPv6 before IPv4 Qt::Vertical 20 40 Qt::Horizontal 40 20 tabWidget assumeFwIsPartOfAny acceptSessions acceptESTBeforeFirst dropInvalid logInvalid bridge actionOnReject shadowing emptyGroups localNAT clampMSStoMTU ipv6NeighborDiscovery mgmt_ssh mgmt_addr add_mgmt_ssh_rule_when_stoped ipt_fw_dir ipt_user altAddress activationCmd sshArgs scpArgs installScript installScriptArgs prolog_script prologPlace edit_prolog_button epilog_script edit_epilog_button useLOG useULOG logTCPseq logTCPopt logIPopt logNumsyslog logLevel logprefix logLimitVal logLimitSuffix logAll loadModules iptDebug verifyInterfaces configureInterfaces clearUnknownInterfaces configure_vlan_interfaces configure_bridge_interfaces configure_bonding_interfaces addVirtualsforNAT iptablesRestoreActivation ipv4before buttonHelp buttonOk buttonCancel cprange qthreshold nlgroup buttonOk clicked() iptAdvancedDialog_q accept() 757 700 20 20 buttonCancel clicked() iptAdvancedDialog_q reject() 843 700 20 20 useLOG 
toggled(bool) iptAdvancedDialog_q switchLOG_ULOG() 45 66 20 20 edit_prolog_button clicked() iptAdvancedDialog_q editProlog() 822 329 20 20 edit_epilog_button clicked() iptAdvancedDialog_q editEpilog() 822 633 20 20 buttonHelp clicked() iptAdvancedDialog_q help() 30 700 20 20 fwbuilder-5.3.7/src/libgui/ipv4dialog_q.ui000066400000000000000000000152271303637203600205060ustar00rootroot00000000000000 IPv4Dialog_q true 0 0 873 319 IPv4 0 0 QFrame::Box QFrame::Sunken 2 2 350 160 350 160 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 Address: false 0 0 Netmask: false 0 0 0 0 Resolve Name Qt::Vertical 20 21 Qt::Vertical 20 40 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name address netmask dnsLookup dnsLookup clicked() IPv4Dialog_q DNSlookup() 20 20 20 20
fwbuilder-5.3.7/src/libgui/ipv6dialog_q.ui000066400000000000000000000204361303637203600205060ustar00rootroot00000000000000 IPv6Dialog_q true 0 0 712 263 IPv6 0 0 QFrame::Box QFrame::Sunken 0 0 350 16 350 16777215 QFrame::Box QFrame::Sunken 55 16777215 Name: false 200 0 0 25 0 0 55 16777215 Address: false 200 0 0 25 Network (bit length): false 0 0 0 25 Resolve Name Qt::Horizontal 40 20 Qt::Vertical 20 40 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name address address editingFinished() IPv6Dialog_q changed() 20 20 20 20 obj_name editingFinished() IPv6Dialog_q changed() 20 20 20 20 dnsLookup clicked() IPv6Dialog_q DNSlookup() 227 194 361 126 changed()
fwbuilder-5.3.7/src/libgui/junosAdvancedDialog.cpp000066400000000000000000000051161303637203600221710ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "junosAdvancedDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; junosAdvancedDialog::~junosAdvancedDialog() { delete m_dialog; } junosAdvancedDialog::junosAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::junosAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); /* Page "General" */ data.registerOption( m_dialog->junos_set_host_name , fwoptions, "junos_set_host_name" ); data.registerOption( m_dialog->junos_ip_address , fwoptions, "junos_ip_address" ); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void junosAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); 
std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); data.saveAll(fwoptions); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void junosAdvancedDialog::reject() { QDialog::reject(); } fwbuilder-5.3.7/src/libgui/junosAdvancedDialog.h000066400000000000000000000026341303637203600216400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __JUNOSADVANCEDDIALOG_H_ #define __JUNOSADVANCEDDIALOG_H_ #include #include "DialogData.h" namespace libfwbuilder { class FWObject; }; class junosAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::junosAdvancedDialog_q*m_dialog; public: junosAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~junosAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); public slots: }; #endif // __JUNOSADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/junosaclAdvancedDialog.cpp000066400000000000000000000271511303637203600226540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "junosaclAdvancedDialog.h" #include "SimpleTextEditor.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Interface.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; junosaclAdvancedDialog::~junosaclAdvancedDialog() { delete m_dialog; } junosaclAdvancedDialog::junosaclAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::junosaclAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); string vers="version_"+obj->getStr("version"); string platform = obj->getStr("platform"); // should be 'junosacl' QString s; QStringList logLevels; QStringList logLevelMapping; logLevelMapping.push_back(""); logLevelMapping.push_back(""); /* filling pop-down menu and pushing the same strings to the mapping * list at the same time so we could use translation */ s=QObject::tr("0 - System Unusable"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("0"); s=QObject::tr("1 - Take Immediate Action"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("1"); s=QObject::tr("2 - Critical Condition"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("2"); s=QObject::tr("3 - Error Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("3"); s=QObject::tr("4 - Warning Message"); 
logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("4"); s=QObject::tr("5 - Normal but significant condition"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("5"); s=QObject::tr("6 - Informational"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("6"); s=QObject::tr("7 - Debug Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("7"); /* do not need to translate syslog facilities, but will use the same * method just in case */ QStringList syslogFacilities; QStringList syslogFacilityMapping; syslogFacilities.push_back(""); syslogFacilityMapping.push_back(""); syslogFacilityMapping.push_back(""); syslogFacilities.push_back("LOCAL0"); syslogFacilityMapping.push_back("LOCAL0"); syslogFacilityMapping.push_back("16"); syslogFacilities.push_back("LOCAL1"); syslogFacilityMapping.push_back("LOCAL1"); syslogFacilityMapping.push_back("17"); syslogFacilities.push_back("LOCAL2"); syslogFacilityMapping.push_back("LOCAL2"); syslogFacilityMapping.push_back("18"); syslogFacilities.push_back("LOCAL3"); syslogFacilityMapping.push_back("LOCAL3"); syslogFacilityMapping.push_back("19"); syslogFacilities.push_back("LOCAL4"); syslogFacilityMapping.push_back("LOCAL4"); syslogFacilityMapping.push_back("20"); syslogFacilities.push_back("LOCAL5"); syslogFacilityMapping.push_back("LOCAL5"); syslogFacilityMapping.push_back("21"); syslogFacilities.push_back("LOCAL6"); syslogFacilityMapping.push_back("LOCAL6"); syslogFacilityMapping.push_back("22"); syslogFacilities.push_back("LOCAL7"); syslogFacilityMapping.push_back("LOCAL7"); syslogFacilityMapping.push_back("23"); bool f1=fwoptions->getBool("junosacl_acl_basic"); bool f2=fwoptions->getBool("junosacl_acl_no_clear"); bool f3=fwoptions->getBool("junosacl_acl_substitution"); bool f4=fwoptions->getBool("junosacl_add_clear_statements"); /* * If none of the new junosacl_acl_* options is set and old 
junosacl_add_clear_statements * option is true, set junosacl_acl_basic to true. * * If old option junosacl_add_clear_statements iss false, set * junosacl_acl_no_clear to true */ if (!f1 && !f2 && !f3) { if ( f4 ) fwoptions->setBool("junosacl_acl_basic",true); else fwoptions->setBool("junosacl_acl_no_clear",true); } Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); data.registerOption(m_dialog->ipv4before_2, fwoptions, "ipv4_6_order", QStringList() << tr("IPv4 before IPv6") << "ipv4_first" << tr("IPv6 before IPv4") << "ipv6_first" ); /* Page "Compiler Options" */ data.registerOption( m_dialog->outputFileName, fwoptions, "output_file" ); data.registerOption( m_dialog->filterPrefix, fwoptions, "filter_prefix"); /* data.registerOption( m_dialog->junosacl_use_object_groups, fwoptions, "junosacl_use_object_groups" ); */ /* data.registerOption( m_dialog->junosacl_acl_alwaysNew, fwoptions, "junosacl_acl_always_new" ); */ data.registerOption( m_dialog->junosacl_include_comments, fwoptions, "junosacl_include_comments" ); data.registerOption( m_dialog->junosacl_check_shadowing, fwoptions, "check_shading" ); data.registerOption( m_dialog->junosacl_ignore_empty_groups, fwoptions, "ignore_empty_groups" ); /* page Installer */ data.registerOption( m_dialog->user, fwoptions, "admUser"); data.registerOption( m_dialog->altAddress, fwoptions, "altAddress"); data.registerOption( m_dialog->sshArgs, fwoptions, "sshArgs"); data.registerOption( m_dialog->scpArgs, fwoptions, "scpArgs"); data.registerOption( m_dialog->use_scp, fwoptions, "use_scp"); // data.registerOption( m_dialog->use_junos_session, fwoptions, "use_junos_session" ); data.registerOption( m_dialog->filesystem, fwoptions, "filesystem"); data.registerOption( m_dialog->filesystem, fwoptions, "firewall_dir"); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); m_dialog->installScript->setText(pis->getCommand().c_str() ); m_dialog->installScriptArgs->setText( pis->getArguments().c_str() ); 
/* page "Prolog/Epilog" */ data.registerOption( m_dialog->junosacl_prolog_script, fwoptions, "junosacl_prolog_script" ); data.registerOption( m_dialog->junosacl_epilog_script, fwoptions, "junosacl_epilog_script" ); /* page Logging */ data.registerOption(m_dialog->generate_logging_commands, fwoptions, "junosacl_generate_logging_commands"); data.registerOption(m_dialog->syslog_host, fwoptions, "junosacl_syslog_host"); m_dialog->syslog_facility->clear(); m_dialog->syslog_facility->addItems( syslogFacilities ); data.registerOption( m_dialog->syslog_facility, fwoptions, "junosacl_syslog_facility", syslogFacilityMapping); m_dialog->logging_trap_level->clear(); m_dialog->logging_trap_level->addItems(logLevels); data.registerOption( m_dialog->logging_trap_level, fwoptions, "junosacl_logging_trap_level", logLevelMapping); data.registerOption(m_dialog->logging_timestamp, fwoptions, "junosacl_logging_timestamp"); data.registerOption(m_dialog->logging_buffered, fwoptions, "junosacl_logging_buffered"); m_dialog->logging_buffered_level->clear(); m_dialog->logging_buffered_level->addItems(logLevels); data.registerOption( m_dialog->logging_buffered_level, fwoptions, "junosacl_logging_buffered_level", logLevelMapping); data.registerOption(m_dialog->logging_console, fwoptions, "junosacl_logging_console"); m_dialog->logging_console_level->clear(); m_dialog->logging_console_level->addItems(logLevels); data.registerOption( m_dialog->logging_console_level,fwoptions, "junosacl_logging_console_level", logLevelMapping); data.loadAll(); scriptACLModeChanged(); toggleGenerateLogging(); // Currently Junos only support scp m_dialog->use_scp->setChecked(true); m_dialog->use_scp->setEnabled(false); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void junosaclAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); 
FWOptions* options = Firewall::cast(new_state)->getOptionsObject(); assert(options!=NULL); Management *mgmt = (Firewall::cast(new_state))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(options); const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress(); if (mgmt_addr) mgmt->setAddress(*mgmt_addr); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); pis->setCommand( m_dialog->installScript->text().toLatin1().constData() ); pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData() ); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void junosaclAdvancedDialog::reject() { QDialog::reject(); } void junosaclAdvancedDialog::editProlog() { SimpleTextEditor edt(this, m_dialog->junosacl_prolog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->junosacl_prolog_script->setText( edt.text() ); } void junosaclAdvancedDialog::editEpilog() { SimpleTextEditor edt(this, m_dialog->junosacl_epilog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->junosacl_epilog_script->setText( edt.text() ); } void junosaclAdvancedDialog::scriptACLModeChanged() { } void junosaclAdvancedDialog::toggleGenerateLogging() { m_dialog->syslog_controls->setEnabled( m_dialog->generate_logging_commands->isChecked()); m_dialog->other_logging_controls->setEnabled( m_dialog->generate_logging_commands->isChecked()); } fwbuilder-5.3.7/src/libgui/junosaclAdvancedDialog.h000066400000000000000000000033131303637203600223130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __JUNOSACLADVANCEDDIALOG_H_ #define __JUNOSACLADVANCEDDIALOG_H_ #include #include "DialogData.h" #include #include class QWidget; class QSpinBox; class QComboBox; class QCheckBox; class QProcess; namespace libfwbuilder { class FWObject; }; class junosaclAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::junosaclAdvancedDialog_q *m_dialog; public: junosaclAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~junosaclAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void editProlog(); virtual void editEpilog(); virtual void scriptACLModeChanged(); virtual void toggleGenerateLogging(); }; #endif // __JUNOSACLADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/junosacladvanceddialog_q.ui000066400000000000000000001067161303637203600231340ustar00rootroot00000000000000 junosaclAdvancedDialog_q Qt::WindowModal true 0 0 743 600 jun-OS ACL Firewall Settings false 0 Compiler Options 0 0 Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw") Qt::AlignVCenter true 300 0 32767 22 Qt::Vertical QSizePolicy::Expanding 20 170 0 0 Policy Compiler Options false false false If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. 
If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works! Ignore empty groups in rules true false Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. Detect rule shadowing in the policy true false 20 Compiler creates multiple access lists from the same policy, two for each interface: one for inbound and another for outbound. If the policy is written in a such way that no rule can possibly be associated with an interface, this interface gets no access list at all. Also, interfaces marked as "unprotected" never get access list regardless of how the policy rules are designed. Generate separate access list for each interface Compiler creates one access list and assigns it to all interfaces. Create one access list and attach it to all interfaces Filter name prefix (if left blank, prefix is "fwbfilter") Script Options 20 12 20 20 0 0 20 Qt::Vertical 20 70 Insert comments into generated JUNOSACL configuration file Comment the code Installer 4 4 4 4 External install script 6 0 0 Policy install script (using built-in installer if this field is blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 0 0 Command line options for the script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 300 0 Qt::Horizontal 398 20 File system on the router where configuration file should be saved if it is copied with scp. Examples: "/tmp", "/var/tmp". If this input field is left blank, installer uses "/tmp". 
true true Copy generated configuration file to the router using scp true true Qt::Vertical QSizePolicy::Expanding 20 20 Built-in installer User name used to authenticate to the firewall (leave this empty if you use putty session): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 0 0 Additional command line parameters for ssh false 0 0 300 0 Additional command line parameters for scp false 0 0 300 0 Prolog/Epilog 20 12 20 20 6 6 6 6 Qt::Horizontal QSizePolicy::Expanding 40 20 Edit The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true 6 6 6 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 The following commands will be added verbatim after generated configuration Qt::RichText Qt::AlignVCenter true 0 Logging Generate logging commands Syslog 12 12 12 12 Syslog host (name or IP address): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false syslog facility: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false syslog level ('logging trap'): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false QFrame::HLine QFrame::Sunken Qt::Horizontal QFrame::HLine QFrame::Sunken Qt::Horizontal The logging timestamp command requires that the clock command be set. 
Qt::AlignVCenter true Enable logging timestamps on syslog file Other logging destinations and levels: 12 12 12 12 Internal buffer Console Qt::Vertical QSizePolicy::Expanding 675 121 IPv6 The order in which ipv4 and ipv6 rules should be generated: Qt::Horizontal 40 20 IPv4 before IPv6 IPv6 before IPv4 Qt::Vertical 20 40 Qt::Horizontal QSizePolicy::Expanding 20 20 OK Qt::AlignCenter false Cancel outputFileName separate_acls_for_interfaces one_acl_for_all_interfaces junosacl_ignore_empty_groups junosacl_check_shadowing junosacl_include_comments user altAddress sshArgs scpArgs use_scp filesystem installScript installScriptArgs junosacl_prolog_script edit_prolog_button junosacl_epilog_script edit_epilog_button generate_logging_commands syslog_host syslog_facility logging_trap_level logging_timestamp logging_buffered logging_console logging_buffered_level logging_console_level ipv4before_2 ok_button cancel_button tabWidget ok_button clicked() junosaclAdvancedDialog_q accept() 20 20 20 20 cancel_button clicked() junosaclAdvancedDialog_q reject() 20 20 20 20 edit_prolog_button clicked() junosaclAdvancedDialog_q editProlog() 20 20 20 20 edit_epilog_button clicked() junosaclAdvancedDialog_q editEpilog() 20 20 20 20 generate_logging_commands toggled(bool) junosaclAdvancedDialog_q toggleGenerateLogging() 359 55 359 359 fwbuilder-5.3.7/src/libgui/junosadvanceddialog_q.ui000066400000000000000000000070371303637203600224500ustar00rootroot00000000000000 junosAdvancedDialog_q Qt::WindowModal true 0 0 597 188 JUNOS Advanced Configuration Options Qt::Horizontal 151 20 OK Cancel General 0 Set router name using object's name Generate commands to configure addresses for interfaces Qt::Vertical QSizePolicy::Expanding 20 40 junos_set_host_name tabWidget junos_ip_address ok_button cancel_button ok_button clicked() junosAdvancedDialog_q accept() 20 20 20 20 cancel_button clicked() junosAdvancedDialog_q reject() 20 20 20 20 
fwbuilder-5.3.7/src/libgui/keywordsdialog_q.ui000066400000000000000000000143101303637203600214630ustar00rootroot00000000000000 KeywordsDialog_q 0 0 626 387 Dialog All keywords 1 0 QAbstractItemView::NoEditTriggers QAbstractItemView::ExtendedSelection 10 10 Qt::Vertical 20 40 0 0 Add >> 0 0 << Remove Qt::Vertical 20 40 1 1 QAbstractItemView::NoEditTriggers QAbstractItemView::ExtendedSelection Current keywords Qt::Horizontal 13 20 New Keyword: 0 0 200 0 0 0 Create Qt::Horizontal QDialogButtonBox::Cancel|QDialogButtonBox::Ok buttonBox accepted() KeywordsDialog_q accept() 248 254 157 274 buttonBox rejected() KeywordsDialog_q reject() 316 260 286 274 fwbuilder-5.3.7/src/libgui/libexport_q.ui000066400000000000000000000132121303637203600204440ustar00rootroot00000000000000 LibExport_q 0 0 578 502 5 5 0 0 Export true 11 6 7 7 0 0 QFrame::Box QFrame::Sunken 11 6 5 0 0 0 This will export a library to a file which can later be imported back into Firewall Builder Qt::AlignVCenter true QAbstractItemView::ExtendedSelection New Item Make exported libraries read-only Choose libraries to be exported: Qt::AlignTop false Qt::Vertical QSizePolicy::Fixed 20 20 7 5 0 0 QFrame::NoFrame QFrame::Sunken 11 6 Qt::Horizontal QSizePolicy::Expanding 41 20 Ok Cancel okButton clicked() LibExport_q accept() 20 20 20 20 cancelButton clicked() LibExport_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/libgui.pro000066400000000000000000000437501303637203600175640ustar00rootroot00000000000000# -*- mode: makefile; tab-width: 4; -*- QT += network greaterThan(QT_MAJOR_VERSION, 4): QT += widgets printsupport include(../../qmake.inc) exists(qmake.inc):include( qmake.inc) TEMPLATE = lib CONFIG += staticlib TARGET = gui INSTALLS -= target # This makes gcc compile this header file and store result in # .obj/fwbuilder.gch/c++. Generated Makefile will also add # "-include .obj/fwbuilder " to the command line for the compiler # for every module. 
There is no need to #include file fwbuilder_ph.h # in each module since it will be included by means of -include option. # PRECOMPILED_HEADER = fwbuilder_ph.h # control whether we build debug or release in ../../qmake.inc # CONFIG += precompile_header HEADERS += ../../config.h \ events.h \ FWWindow.h \ ProjectPanel.h \ BaseObjectDialog.h \ TextEditWidget.h \ utils.h \ utils_no_qt.h \ SSHSession.h \ SSHUnx.h \ SSHCisco.h \ SSHPIX.h \ SSHIOS.h \ SSHNXOS.h \ SSHJUNOS.h \ SSHProcurve.h \ debugDialog.h \ findDialog.h \ listOfLibrariesModel.h \ longTextDialog.h \ newGroupDialog.h \ filePropDialog.h \ DialogData.h \ SimpleTextEditor.h \ SimpleIntEditor.h \ TextFileEditor.h \ FWBSettings.h \ FWBTree.h \ RCS.h \ RCSFilePreview.h \ FWObjectClipboard.h \ platforms.h \ global.h \ printerStream.h \ PrintingProgressDialog.h \ PrintingController.h \ FWObjectPropertiesFactory.h \ ObjectManipulator.h \ ObjectEditor.h \ ObjectEditorDockWidget.h \ FWObjectDrag.h \ ObjectTreeView.h \ ObjectListView.h \ ObjectIconView.h \ ObjectTreeViewItem.h \ ObjectSelectorWidget.h \ InstallFirewallViewItem.h \ DialogFactory.h \ HostDialog.h \ FirewallDialog.h \ ClusterDialog.h \ ClusterGroupDialog.h \ InterfaceDialog.h \ AddressRangeDialog.h \ AddressTableDialog.h \ IPv4Dialog.h \ IPv6Dialog.h \ PhysicalAddressDialog.h \ AttachedNetworksDialog.h \ NetworkDialog.h \ NetworkDialogIPv6.h \ UserDialog.h \ RuleSetDialog.h \ LibraryDialog.h \ CustomServiceDialog.h \ IPServiceDialog.h \ ICMPServiceDialog.h \ TCPServiceDialog.h \ UDPServiceDialog.h \ GroupObjectDialog.h \ ObjectIconViewItem.h \ TimeDialog.h \ ColDesc.h \ FWObjectSelectionModel.h \ RuleNode.h \ RuleSetModel.h \ RuleSetView.h \ RuleSetViewDelegate.h \ iptAdvancedDialog.h \ ipcopAdvancedDialog.h \ ipfAdvancedDialog.h \ ipfwAdvancedDialog.h \ pfAdvancedDialog.h \ pixAdvancedDialog.h \ pixosAdvancedDialog.h \ iosaclAdvancedDialog.h \ iosAdvancedDialog.h \ nxosaclAdvancedDialog.h \ nxosAdvancedDialog.h \ junosaclAdvancedDialog.h \ 
junosAdvancedDialog.h \ ipcoposAdvancedDialog.h \ linux24AdvancedDialog.h \ linksysAdvancedDialog.h \ freebsdAdvancedDialog.h \ openbsdAdvancedDialog.h \ procurveaclAdvancedDialog.h \ solarisAdvancedDialog.h \ macosxAdvancedDialog.h \ secuwallAdvancedDialog.h \ secuwallosAdvancedDialog.h \ secuwallIfaceOptsDialog.h \ vlanOnlyIfaceOptsDialog.h \ linux24IfaceOptsDialog.h \ pixosIfaceOptsDialog.h \ bsdIfaceOptsDialog.h \ clusterMembersDialog.h \ CompilerOutputPanel.h \ CompilerDriverFactory.h \ RuleOptionsDialog.h \ RoutingRuleOptionsDialog.h \ NATRuleOptionsDialog.h \ LibExportDialog.h \ PrefsDialog.h \ instConf.h \ instDialog.h \ FirewallInstaller.h \ FirewallInstallerCisco.h \ FirewallInstallerJuniper.h \ FirewallInstallerProcurve.h \ FirewallInstallerUnx.h \ newFirewallDialog.h \ newClusterDialog.h \ newHostDialog.h \ ObjConflictResolutionDialog.h \ ColorLabelMenuItem.h \ TagServiceDialog.h \ ActionsDialog.h \ SimpleTextView.h \ BlankDialog.h \ DNSNameDialog.h \ instOptionsDialog.h \ instBatchOptionsDialog.h \ FilterDialog.h \ FindObjectWidget.h \ FWObjectDropArea.h \ CommentEditorPanel.h \ MetricEditorPanel.h \ FindWhereUsedWidget.h \ ConfirmDeleteObjectDialog.h \ FakeWizard.h \ AskLibForCopyDialog.h \ FWBAboutDialog.h \ Help.h \ HttpGet.h \ StartTipDialog.h \ vrrpOptionsDialog.h \ carpOptionsDialog.h \ pixFailoverOptionsDialog.h \ conntrackOptionsDialog.h \ heartbeatOptionsDialog.h \ openaisOptionsDialog.h \ pfsyncOptionsDialog.h \ check_update_url.h \ startup_tip_url.h \ InterfaceEditorWidget.h \ FWCmdBasic.h \ FWCmdChange.h \ FWCmdAddObject.h \ FWCmdDeleteObject.h \ FWCmdMoveObject.h \ InterfacesTabWidget.h \ FirewallSelectorWidget.h \ ClusterInterfacesSelectorWidget.h \ ClusterInterfaceWidget.h \ FWCmdRule.h \ UsageResolver.h \ IconSetter.h \ TutorialDialog.h \ MDIEventFilter.h \ FWBApplication.h \ WorkflowIcons.h \ FirewallCodeViewer.h \ networkZoneManager.h \ KeywordsDialog.h \ CommentKeywords.h \ DynamicGroupDialog.h \ FilterLineEdit.h \ \ 
ObjectDescriptor.h \ QThreadLogger.h \ \ importAddressListWizard/ChooseObjectsPage.h \ importAddressListWizard/CreateObjectsPage.h \ importAddressListWizard/FileNamePage.h \ importAddressListWizard/SelectLibraryPage.h \ importAddressListWizard/ImportAddressListWizard.h \ importAddressListWizard/HostsFile.h \ \ snmpNetworkDiscoveryWizard/ND_ChooseNetworksPage.h \ snmpNetworkDiscoveryWizard/ND_ChooseObjectsPage.h \ snmpNetworkDiscoveryWizard/ND_ChooseObjectTypePage.h \ snmpNetworkDiscoveryWizard/ND_CreateObjectsPage.h \ snmpNetworkDiscoveryWizard/ND_DiscoveryParametersPage.h \ snmpNetworkDiscoveryWizard/ND_ProgressPage.h \ snmpNetworkDiscoveryWizard/ND_SelectLibraryPage.h \ snmpNetworkDiscoveryWizard/ND_SetupPage.h \ snmpNetworkDiscoveryWizard/ND_SNMPParametersPage.h \ snmpNetworkDiscoveryWizard/SNMPNetworkDiscoveryWizard.h \ snmpNetworkDiscoveryWizard/SNMPCrawlerThread.h \ \ importFirewallConfigurationWizard/IC_FileNamePage.h \ importFirewallConfigurationWizard/IC_FirewallNamePage.h \ importFirewallConfigurationWizard/IC_PlatformWarningPage.h \ importFirewallConfigurationWizard/IC_ProgressPage.h \ importFirewallConfigurationWizard/IC_NetworkZonesPage.h \ importFirewallConfigurationWizard/ImportFirewallConfigurationWizard.h \ importFirewallConfigurationWizard/ImporterThread.h \ RuleSetDiffDialog.h \ RuleSetDiffDelegate.h \ RuleSetDiffModel.h \ BackgroundCompileInfoWidget.h \ temporarydir.h SOURCES += ProjectPanel.cpp \ ProjectPanel_events.cpp \ ProjectPanel_file_ops.cpp \ ProjectPanel_state_ops.cpp \ BaseObjectDialog.cpp \ FWWindow.cpp \ FWWindow_editor.cpp \ FWWindow_single_rule_compile.cpp \ FWWindow_wrappers.cpp \ FWWindowPrint.cpp \ TextEditWidget.cpp \ ObjectEditorDockWidget.cpp \ ssh_wrappers.cpp \ utils.cpp \ utils_no_qt.cpp \ SSHSession.cpp \ SSHUnx.cpp \ SSHCisco.cpp \ SSHPIX.cpp \ SSHIOS.cpp \ SSHNXOS.cpp \ SSHJUNOS.cpp \ SSHProcurve.cpp \ debugDialog.cpp \ findDialog.cpp \ listOfLibrariesModel.cpp \ longTextDialog.cpp \ newGroupDialog.cpp \ 
filePropDialog.cpp \ DialogData.cpp \ SimpleTextEditor.cpp \ SimpleIntEditor.cpp \ TextFileEditor.cpp \ FWBSettings.cpp \ FWBTree.cpp \ RCS.cpp \ RCSFilePreview.cpp \ FWObjectClipboard.cpp \ platforms.cpp \ printerStream.cpp \ PrintingProgressDialog.cpp \ PrintingController.cpp \ FWObjectPropertiesFactory.cpp \ ObjectManipulator.cpp \ ObjectManipulator_ops.cpp \ ObjectManipulator_tree_ops.cpp \ ObjectManipulator_create_new.cpp \ ObjectManipulator_slots.cpp \ ObjectManipulator_new_object_checks.cpp \ ObjectEditor.cpp \ FWObjectDrag.cpp \ ObjectTreeView.cpp \ ObjectListView.cpp \ ObjectIconView.cpp \ ObjectSelectorWidget.cpp \ DialogFactory.cpp \ HostDialog.cpp \ FirewallDialog.cpp \ ClusterDialog.cpp \ ClusterGroupDialog.cpp \ InterfaceDialog.cpp \ AddressRangeDialog.cpp \ AddressTableDialog.cpp \ IPv4Dialog.cpp \ IPv6Dialog.cpp \ PhysicalAddressDialog.cpp \ AttachedNetworksDialog.cpp \ NetworkDialog.cpp \ NetworkDialogIPv6.cpp \ UserDialog.cpp \ LibraryDialog.cpp \ CustomServiceDialog.cpp \ IPServiceDialog.cpp \ ICMPServiceDialog.cpp \ TCPServiceDialog.cpp \ UDPServiceDialog.cpp \ GroupObjectDialog.cpp \ TimeDialog.cpp \ RuleSetDialog.cpp \ FWObjectSelectionModel.cpp \ ColDesc.cpp \ RuleNode.cpp \ RuleSetModel.cpp \ RuleSetView.cpp \ RuleSetViewDelegate.cpp \ iptAdvancedDialog.cpp \ ipcopAdvancedDialog.cpp \ ipfAdvancedDialog.cpp \ ipfwAdvancedDialog.cpp \ pfAdvancedDialog.cpp \ pixAdvancedDialog.cpp \ pixosAdvancedDialog.cpp \ iosaclAdvancedDialog.cpp \ iosAdvancedDialog.cpp \ nxosaclAdvancedDialog.cpp \ nxosAdvancedDialog.cpp \ junosaclAdvancedDialog.cpp \ junosAdvancedDialog.cpp \ ipcoposAdvancedDialog.cpp \ linux24AdvancedDialog.cpp \ linksysAdvancedDialog.cpp \ freebsdAdvancedDialog.cpp \ openbsdAdvancedDialog.cpp \ procurveaclAdvancedDialog.cpp \ solarisAdvancedDialog.cpp \ macosxAdvancedDialog.cpp \ secuwallAdvancedDialog.cpp \ secuwallosAdvancedDialog.cpp \ secuwallIfaceOptsDialog.cpp \ vlanOnlyIfaceOptsDialog.cpp \ linux24IfaceOptsDialog.cpp \ 
pixosIfaceOptsDialog.cpp \ bsdIfaceOptsDialog.cpp \ clusterMembersDialog.cpp \ CompilerOutputPanel.cpp \ CompilerDriverFactory.cpp \ RuleOptionsDialog.cpp \ RoutingRuleOptionsDialog.cpp \ NATRuleOptionsDialog.cpp \ LibExportDialog.cpp \ PrefsDialog.cpp \ instConf.cpp \ instDialog.cpp \ instDialog_ui_ops.cpp \ instDialog_compile.cpp \ instDialog_installer.cpp \ FirewallInstaller.cpp \ FirewallInstallerCisco.cpp \ FirewallInstallerJuniper.cpp \ FirewallInstallerProcurve.cpp \ FirewallInstallerUnx.cpp \ newFirewallDialog.cpp \ newFirewallDialog_from_template.cpp \ newClusterDialog.cpp \ newClusterDialog_create.cpp \ newHostDialog.cpp \ ObjConflictResolutionDialog.cpp \ ColorLabelMenuItem.cpp \ TagServiceDialog.cpp \ ActionsDialog.cpp \ SimpleTextView.cpp \ BlankDialog.cpp \ DNSNameDialog.cpp \ ObjectTreeViewItem.cpp \ InstallFirewallViewItem.cpp \ instOptionsDialog.cpp \ instBatchOptionsDialog.cpp \ FilterDialog.cpp \ FindObjectWidget.cpp \ FWObjectDropArea.cpp \ CommentEditorPanel.cpp \ MetricEditorPanel.cpp \ FindWhereUsedWidget.cpp \ ConfirmDeleteObjectDialog.cpp \ FakeWizard.cpp \ AskLibForCopyDialog.cpp \ ObjectListViewItem.cpp \ Help.cpp \ HttpGet.cpp \ StartTipDialog.cpp \ FWBAboutDialog.cpp \ vrrpOptionsDialog.cpp \ carpOptionsDialog.cpp \ pixFailoverOptionsDialog.cpp \ conntrackOptionsDialog.cpp \ pfsyncOptionsDialog.cpp \ heartbeatOptionsDialog.cpp \ openaisOptionsDialog.cpp \ InterfaceEditorWidget.cpp \ FWCmdBasic.cpp \ FWCmdChange.cpp \ FWCmdAddObject.cpp \ FWCmdDeleteObject.cpp \ FWCmdMoveObject.cpp \ InterfacesTabWidget.cpp \ FirewallSelectorWidget.cpp \ ClusterInterfacesSelectorWidget.cpp \ ClusterInterfaceWidget.cpp \ FWCmdRule.cpp \ IconSetter.cpp \ UsageResolver.cpp \ TutorialDialog.cpp \ MDIEventFilter.cpp \ FWBApplication.cpp \ WorkflowIcons.cpp \ FirewallCodeViewer.cpp \ networkZoneManager.cpp \ KeywordsDialog.cpp \ CommentKeywords.cpp \ DynamicGroupDialog.cpp \ FilterLineEdit.cpp \ \ ObjectDescriptor.cpp \ QThreadLogger.cpp \ \ 
importAddressListWizard/ChooseObjectsPage.cpp \ importAddressListWizard/CreateObjectsPage.cpp \ importAddressListWizard/FileNamePage.cpp \ importAddressListWizard/SelectLibraryPage.cpp \ importAddressListWizard/ImportAddressListWizard.cpp \ importAddressListWizard/HostsFile.cpp \ \ snmpNetworkDiscoveryWizard/ND_ChooseNetworksPage.cpp \ snmpNetworkDiscoveryWizard/ND_ChooseObjectsPage.cpp \ snmpNetworkDiscoveryWizard/ND_ChooseObjectTypePage.cpp \ snmpNetworkDiscoveryWizard/ND_CreateObjectsPage.cpp \ snmpNetworkDiscoveryWizard/ND_DiscoveryParametersPage.cpp \ snmpNetworkDiscoveryWizard/ND_ProgressPage.cpp \ snmpNetworkDiscoveryWizard/ND_SelectLibraryPage.cpp \ snmpNetworkDiscoveryWizard/ND_SetupPage.cpp \ snmpNetworkDiscoveryWizard/ND_SNMPParametersPage.cpp \ snmpNetworkDiscoveryWizard/SNMPNetworkDiscoveryWizard.cpp \ snmpNetworkDiscoveryWizard/SNMPCrawlerThread.cpp \ \ importFirewallConfigurationWizard/IC_FileNamePage.cpp \ importFirewallConfigurationWizard/IC_FirewallNamePage.cpp \ importFirewallConfigurationWizard/IC_PlatformWarningPage.cpp \ importFirewallConfigurationWizard/IC_ProgressPage.cpp \ importFirewallConfigurationWizard/IC_NetworkZonesPage.cpp \ importFirewallConfigurationWizard/ImportFirewallConfigurationWizard.cpp \ importFirewallConfigurationWizard/ImporterThread.cpp \ RuleSetDiffDialog.cpp \ RuleSetDiffDelegate.cpp \ RuleSetDiffModel.cpp \ BackgroundCompileInfoWidget.cpp \ temporarydir.cpp FORMS = FWBMainWindow_q.ui \ compileroutputpanel_q.ui \ customservicedialog_q.ui \ ipservicedialog_q.ui \ icmpservicedialog_q.ui \ tcpservicedialog_q.ui \ udpservicedialog_q.ui \ groupobjectdialog_q.ui \ librarydialog_q.ui \ ipv4dialog_q.ui \ ipv6dialog_q.ui \ rulesetdialog_q.ui \ addressrangedialog_q.ui \ addresstabledialog_q.ui \ attachednetworksdialog_q.ui \ networkdialog_q.ui \ networkdialogipv6_q.ui \ userdialog_q.ui \ hostdialog_q.ui \ firewalldialog_q.ui \ clusterdialog_q.ui \ clustergroupdialog_q.ui \ interfacedialog_q.ui \ physaddressdialog_q.ui \ 
timedialog_q.ui \ rcsfilepreview_q.ui \ rcsfilesavedialog_q.ui \ iptadvanceddialog_q.ui \ ipcopadvanceddialog_q.ui \ ipcoposadvanceddialog_q.ui \ objectmanipulator_q.ui \ prefsdialog_q.ui \ pixadvanceddialog_q.ui \ pixosadvanceddialog_q.ui \ iosacladvanceddialog_q.ui \ iosadvanceddialog_q.ui \ nxosacladvanceddialog_q.ui \ nxosadvanceddialog_q.ui \ junosacladvanceddialog_q.ui \ junosadvanceddialog_q.ui \ procurveacladvanceddialog_q.ui \ simpletexteditor_q.ui \ simpleinteditor_q.ui \ textfileeditor_q.ui \ aboutdialog_q.ui \ libexport_q.ui \ ruleoptionsdialog_q.ui \ routingruleoptionsdialog_q.ui \ instdialog_q.ui \ objconflictresolutiondialog_q.ui \ newfirewalldialog_q.ui \ newclusterdialog_q.ui \ finddialog_q.ui \ ipfadvanceddialog_q.ui \ ipfwadvanceddialog_q.ui \ pfadvanceddialog_q.ui \ linux24advanceddialog_q.ui \ solarisadvanceddialog_q.ui \ freebsdadvanceddialog_q.ui \ openbsdadvanceddialog_q.ui \ macosxadvanceddialog_q.ui \ secuwalladvanceddialog_q.ui \ secuwallosadvanceddialog_q.ui \ secuwallifaceoptsdialog_q.ui \ clustermembersdialog_q.ui \ bsdifaceoptsdialog_q.ui \ colorlabelmenuitem_q.ui \ debugdialog_q.ui \ filepropdialog_q.ui \ askrulenumberdialog_q.ui \ newgroupdialog_q.ui \ newhostdialog_q.ui \ longtextdialog_q.ui \ linksysadvanceddialog_q.ui \ printingprogressdialog_q.ui \ pagesetupdialog_q.ui \ blankdialog_q.ui \ dnsnamedialog_q.ui \ tagservicedialog_q.ui \ actionsdialog_q.ui \ simpletextview_q.ui \ helpview_q.ui \ filterdialog_q.ui \ natruleoptionsdialog_q.ui \ instoptionsdialog_q.ui \ findobjectwidget_q.ui \ fwobjectdroparea_q.ui \ commenteditorpanel_q.ui \ metriceditorpanel_q.ui \ findwhereusedwidget_q.ui \ confirmdeleteobjectdialog_q.ui \ projectpanel_q.ui \ asklibforcopydialog_q.ui \ starttipdialog_q.ui \ vrrpoptionsdialog_q.ui \ carpoptionsdialog_q.ui \ pixfailoveroptionsdialog_q.ui \ conntrackoptionsdialog_q.ui \ heartbeatoptionsdialog_q.ui \ openaisoptionsdialog_q.ui \ pfsyncoptionsdialog_q.ui \ vlanonlyifaceoptsdialog_q.ui \ 
linux24ifaceoptsdialog_q.ui \ pixosifaceoptsdialog_q.ui \ InterfaceEditorWidget.ui \ InterfacesTabWidget.ui \ ClusterInterfaceWidget.ui \ TutorialDialog.ui \ WorkflowIcons.ui \ FirewallCodeViewer.ui \ objectselectorwidget_q.ui \ keywordsdialog_q.ui \ commentkeywords_q.ui \ dynamicgroupdialog_q.ui \ \ importAddressListWizard/chooseobjectspage_q.ui \ importAddressListWizard/createobjectspage_q.ui \ importAddressListWizard/filenamepage_q.ui \ importAddressListWizard/selectlibrarypage_q.ui \ \ snmpNetworkDiscoveryWizard/nd_choosenetworkspage_q.ui \ snmpNetworkDiscoveryWizard/nd_chooseobjectspage_q.ui \ snmpNetworkDiscoveryWizard/nd_chooseobjecttypepage_q.ui \ snmpNetworkDiscoveryWizard/nd_createobjectspage_q.ui \ snmpNetworkDiscoveryWizard/nd_discoveryparameterspage_q.ui \ snmpNetworkDiscoveryWizard/nd_progresspage_q.ui \ snmpNetworkDiscoveryWizard/nd_selectlibrarypage_q.ui \ snmpNetworkDiscoveryWizard/nd_setuppage_q.ui \ snmpNetworkDiscoveryWizard/nd_snmpparameterspage_q.ui \ \ importFirewallConfigurationWizard/ic_filenamepage_q.ui \ importFirewallConfigurationWizard/ic_firewallnamepage_q.ui \ importFirewallConfigurationWizard/ic_platformwarningpage_q.ui \ importFirewallConfigurationWizard/ic_progresspage_q.ui \ importFirewallConfigurationWizard/ic_networkzonespage_q.ui \ rulesetdiffdialog_q.ui # fwtransfer stuff. # HEADERS += transferDialog.h # SOURCES += transferDialog.cpp # FORMS += transferdialog_q.ui # !macx:LIBS += -lQtDBus # workaround for QT += dbus not working with Qt < 4.4.0 INCLUDEPATH += \ ../.. \ ../import \ ../iptlib \ ../pflib \ ../cisco_lib \ ../juniper_lib \ ../compiler_lib \ ../libfwbuilder/src DEPENDPATH += \ ../import \ ../iptlib \ ../pflib \ ../cisco_lib/ \ ../juniper_lib \ ../compiler_lib \ ../libfwbuilder/src RESOURCES += MainRes.qrc win32 { # add "." to include path to make sure #include works when we # compile modules in subdirectories, such as # importAddressListWizard and other wizards. 
This seems to only be # necessary on Windows INCLUDEPATH += . } fwbuilder-5.3.7/src/libgui/librarydialog_q.ui000066400000000000000000000111201303637203600212540ustar00rootroot00000000000000 LibraryDialog_q true 0 0 726 237 Library QFrame::Box QFrame::Sunken 350 0 350 16777215 QFrame::Box QFrame::Sunken 12 Name: false 200 0 0 0 Color: false 0 0 Qt::Vertical QSizePolicy::Expanding 185 121 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name colorButton colorButton clicked() LibraryDialog_q changeColor() 20 20 20 20
fwbuilder-5.3.7/src/libgui/linksysAdvancedDialog.cpp000066400000000000000000000117771303637203600225410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "linksysAdvancedDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; linksysAdvancedDialog::~linksysAdvancedDialog() { delete m_dialog; } linksysAdvancedDialog::linksysAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::linksysAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); /* * since v2.0.3 we do not need to know shell prompt on linksys. Will * remove the page completely when code becomes stable. 
*/ m_dialog->tabWidget->removeTab( 1 ); QStringList threeStateMapping; threeStateMapping.push_back(QObject::tr("No change")); threeStateMapping.push_back(""); threeStateMapping.push_back(QObject::tr("On")); threeStateMapping.push_back("1"); threeStateMapping.push_back(QObject::tr("Off")); threeStateMapping.push_back("0"); /* set default prompts */ if (fwopt->getStr("prompt1").empty()) Resources::os_res["sveasoft"]->Resources::setDefaultOption(fwopt, "/FWBuilderResources/Target/options/default/prompt1"); if (fwopt->getStr("prompt2").empty()) Resources::os_res["sveasoft"]->Resources::setDefaultOption(fwopt, "/FWBuilderResources/Target/options/default/prompt2"); data.registerOption( m_dialog->linksys_prompt1, fwopt, "prompt1" ); data.registerOption( m_dialog->linksys_prompt2, fwopt, "prompt2" ); data.registerOption( m_dialog->linksys_path_iptables, fwopt, "linux24_path_iptables" ); data.registerOption( m_dialog->linksys_path_ip, fwopt, "linux24_path_ip" ); data.registerOption( m_dialog->linksys_path_lsmod, fwopt, "linux24_path_lsmod" ); data.registerOption( m_dialog->linksys_path_logger, fwopt, "linux24_path_logger" ); data.registerOption( m_dialog->linksys_path_modprobe, fwopt, "linux24_path_modprobe" ); data.registerOption( m_dialog->linksys_path_vconfig, fwopt, "linksys_path_vconfig"); data.registerOption( m_dialog->linksys_path_brctl, fwopt, "linksys_path_brctl"); data.registerOption( m_dialog->linksys_path_ifenslave, fwopt, "linksys_path_ifenslave"); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void linksysAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); data.saveAll(fwoptions); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); 
QDialog::accept(); } void linksysAdvancedDialog::reject() { QDialog::reject(); } void linksysAdvancedDialog::setDefaultPrompts() { FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); m_dialog->linksys_prompt1->setText( Resources::getTargetOptionStr("sveasoft","default/prompt1").c_str() ); m_dialog->linksys_prompt2->setText( Resources::getTargetOptionStr("sveasoft","default/prompt2").c_str() ); } fwbuilder-5.3.7/src/libgui/linksysAdvancedDialog.h000066400000000000000000000027621303637203600222000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __LINKSYSADVANCEDDIALOG_H_ #define __LINKSYSADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class linksysAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::linksysAdvancedDialog_q *m_dialog; public: linksysAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~linksysAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); public slots: virtual void setDefaultPrompts(); }; #endif // __LINKSYSADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/linksysadvanceddialog_q.ui000066400000000000000000000340551303637203600230060ustar00rootroot00000000000000 linksysAdvancedDialog_q Qt::WindowModal 0 0 504 548 Linksys/Sveasoft: advanced settings 11 Qt::Horizontal QSizePolicy::Expanding 20 20 &OK true true &Cancel true QTabWidget::Rounded 1 Path Qt::Vertical QSizePolicy::Fixed 20 20 Specify directory path and a file name for each utility on your firewall machine. Leave these empty if you want to use default values. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true iptables: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false ip: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false logger: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false modprobe: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false lsmod Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false vconfig Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false brctl Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false ifenslave Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Qt::Vertical QSizePolicy::Expanding 20 40 Prompts 6 0 0 Policy installer relies on the shell prompt on the firewall to execute commands. 
Installer tries both prompt string patterns configured here; it assumes that the firewall is ready to accept a command if either prompt matches. You should only need to change these string patterns if Sveasoft changes the shell prompt in the future releases of the software. <br> <br> The default strings work for Sveasoft Alchemy pre-5.1 and pre-5.2 Qt::RichText Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 4 Qt::Vertical QSizePolicy::Expanding 20 80 Use default prompts prompt 2 Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Qt::Horizontal QSizePolicy::Expanding 30 20 prompt 1 Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Qt::Horizontal QSizePolicy::Fixed 150 20 Qt::Vertical QSizePolicy::Fixed 20 20 linksys_path_iptables linksys_path_ip linksys_path_logger linksys_path_modprobe linksys_path_lsmod linksys_path_vconfig linksys_path_brctl linksys_path_ifenslave buttonOk buttonCancel linksys_prompt1 linksys_prompt2 useDefaultPrompts tabWidget buttonOk clicked() linksysAdvancedDialog_q accept() 20 20 20 20 buttonCancel clicked() linksysAdvancedDialog_q reject() 20 20 20 20 useDefaultPrompts clicked() linksysAdvancedDialog_q setDefaultPrompts() 20 20 20 20 fwbuilder-5.3.7/src/libgui/linux24AdvancedDialog.cpp000066400000000000000000000211301303637203600223320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "linux24AdvancedDialog.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "Help.h" using namespace std; using namespace libfwbuilder; linux24AdvancedDialog::~linux24AdvancedDialog() { delete m_dialog; } linux24AdvancedDialog::linux24AdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::linux24AdvancedDialog_q; m_dialog->setupUi(this); obj=o; string host_os = obj->getStr("host_OS"); string description = Resources::os_res[host_os]-> getResourceStr("/FWBuilderResources/Target/description"); setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str())); FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); QStringList threeStateMapping; threeStateMapping.push_back(QObject::tr("No change")); threeStateMapping.push_back(""); threeStateMapping.push_back(QObject::tr("On")); threeStateMapping.push_back("1"); threeStateMapping.push_back(QObject::tr("Off")); threeStateMapping.push_back("0"); data.registerOption( m_dialog->linux24_log_martians, fwopt, "linux24_log_martians", threeStateMapping); data.registerOption( m_dialog->linux24_accept_redirects, fwopt, "linux24_accept_redirects", threeStateMapping); data.registerOption( m_dialog->linux24_icmp_echo_ignore_all, fwopt, "linux24_icmp_echo_ignore_all", threeStateMapping); data.registerOption( m_dialog->linux24_icmp_echo_ignore_broadcasts, fwopt, "linux24_icmp_echo_ignore_broadcasts", threeStateMapping); data.registerOption( 
m_dialog->linux24_icmp_ignore_bogus_error_responses, fwopt, "linux24_icmp_ignore_bogus_error_responses", threeStateMapping); data.registerOption( m_dialog->linux24_ip_dynaddr, fwopt, "linux24_ip_dynaddr", threeStateMapping); data.registerOption( m_dialog->linux24_rp_filter, fwopt, "linux24_rp_filter", threeStateMapping); data.registerOption( m_dialog->linux24_accept_source_route, fwopt, "linux24_accept_source_route", threeStateMapping); data.registerOption( m_dialog->linux24_ip_forward, fwopt, "linux24_ip_forward", threeStateMapping); data.registerOption( m_dialog->linux24_ipv6_forward, fwopt, "linux24_ipv6_forward", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_fin_timeout, fwopt, "linux24_tcp_fin_timeout" ); data.registerOption( m_dialog->linux24_tcp_keepalive_interval, fwopt, "linux24_tcp_keepalive_interval"); data.registerOption( m_dialog->linux24_tcp_window_scaling, fwopt, "linux24_tcp_window_scaling", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_sack, fwopt, "linux24_tcp_sack", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_fack, fwopt, "linux24_tcp_fack", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_ecn, fwopt, "linux24_tcp_ecn", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_syncookies, fwopt, "linux24_tcp_syncookies", threeStateMapping); data.registerOption( m_dialog->linux24_tcp_timestamps, fwopt, "linux24_tcp_timestamps", threeStateMapping); data.registerOption( m_dialog->linux24_path_iptables, fwopt, "linux24_path_iptables" ); data.registerOption( m_dialog->linux24_path_ip6tables, fwopt, "linux24_path_ip6tables" ); data.registerOption( m_dialog->linux24_path_ip, fwopt, "linux24_path_ip"); data.registerOption( m_dialog->linux24_path_lsmod, fwopt, "linux24_path_lsmod"); data.registerOption( m_dialog->linux24_path_logger, fwopt, "linux24_path_logger"); data.registerOption( m_dialog->linux24_path_vconfig, fwopt, "linux24_path_vconfig"); data.registerOption( 
m_dialog->linux24_path_brctl, fwopt, "linux24_path_brctl"); data.registerOption( m_dialog->linux24_path_ifenslave, fwopt, "linux24_path_ifenslave"); data.registerOption( m_dialog->linux24_path_modprobe, fwopt, "linux24_path_modprobe"); data.registerOption( m_dialog->linux24_path_ipset, fwopt, "linux24_path_ipset"); data.registerOption( m_dialog->linux24_path_iptables_restore, fwopt, "linux24_path_iptables_restore"); data.registerOption( m_dialog->linux24_path_ip6tables_restore, fwopt, "linux24_path_ip6tables_restore"); data.registerOption(m_dialog->conntrack_max, fwopt, "linux24_conntrack_max"); data.registerOption(m_dialog->conntrack_hashsize, fwopt, "linux24_conntrack_hashsize"); data.registerOption(m_dialog->conntrack_tcp_be_liberal, fwopt, "linux24_conntrack_tcp_be_liberal", threeStateMapping); data.registerOption(m_dialog->linux24_data_dir, fwopt, "data_dir"); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void linux24AdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt = (Firewall::cast(new_state))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(fwoptions); if (!Firewall::cast(cmd->getOldState())->getOptionsObject()->cmp(fwoptions, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void linux24AdvancedDialog::reject() { QDialog::reject(); } void linux24AdvancedDialog::help() { QString tab_title = m_dialog->tabWidget->tabText( m_dialog->tabWidget->currentIndex()); QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower(); Help *h = Help::getHelpWindow(this); h->setName("Host type Linux 2.4/2.6"); h->setSource(QUrl("linux24AdvancedDialog.html#" + anchor)); h->raise(); h->show(); } 
fwbuilder-5.3.7/src/libgui/linux24AdvancedDialog.h000066400000000000000000000027271303637203600220120ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __LINUX24ADVANCEDDIALOG_H_ #define __LINUX24ADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class linux24AdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::linux24AdvancedDialog_q *m_dialog; public: linux24AdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~linux24AdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); }; #endif // __LINUX24ADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/linux24IfaceOptsDialog.cpp000066400000000000000000000132111303637203600225030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "linux24IfaceOptsDialog.h" #include "platforms.h" #include "FWCmdChange.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "FWWindow.h" #include "Help.h" #include #include #include using namespace std; using namespace libfwbuilder; linux24IfaceOptsDialog::linux24IfaceOptsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::linux24IfaceOptsDialog_q; m_dialog->setupUi(this); setWindowModality(Qt::WindowModal); obj = o; FWOptions *ifopt = (Interface::cast(obj))->getOptionsObject(); cluster_interface = (Cluster::cast(obj->getParent()) != NULL); setInterfaceTypes(m_dialog->iface_type, Interface::cast(obj), ifopt->getStr("type").c_str()); // Using "type" control only for subinterfaces // and main interfaces of the firewall objects if (cluster_interface) { m_dialog->iface_type->hide(); m_dialog->iface_type_label->hide(); } else { m_dialog->iface_type->show(); m_dialog->iface_type_label->show(); } data.registerOption(m_dialog->enable_stp, ifopt, "enable_stp"); data.registerOption(m_dialog->vlan_id, ifopt, "vlan_id"); data.registerOption(m_dialog->bonding_policy, ifopt, "bonding_policy"); data.registerOption(m_dialog->xmit_hash_policy, ifopt, "xmit_hash_policy"); data.registerOption(m_dialog->bondng_driver_options, ifopt, "bondng_driver_options"); data.loadAll(); // special actions for different iface types // VLAN (8021q) typeChanged(""); bondingPolicyChanged(ifopt->getStr("bonding_policy").c_str()); } linux24IfaceOptsDialog::~linux24IfaceOptsDialog() { delete m_dialog; } /* * 
store all data in the object */ void linux24IfaceOptsDialog::accept() { // validate user input before saving if (!validate()) return; ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the interface object FWObject* new_state = cmd->getNewState(); FWOptions* ifopt = Interface::cast(new_state)->getOptionsObject(); assert(ifopt!=NULL); if (cluster_interface) { ifopt->setStr("type", "cluster_interface"); } else { QString new_type = m_dialog->iface_type->itemData( m_dialog->iface_type->currentIndex()).toString(); ifopt->setStr("type", new_type.toStdString()); } data.saveAll(ifopt); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void linux24IfaceOptsDialog::reject() { QDialog::reject(); } void linux24IfaceOptsDialog::help() { QString tab_title = m_dialog->tabWidget->tabText( m_dialog->tabWidget->currentIndex()); QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower(); Help *h = Help::getHelpWindow(this); h->setName("Interface Linux 2.4/2.6"); h->setSource(QUrl("linux24IfaceOptsDialog.html#" + anchor)); h->raise(); h->show(); } void linux24IfaceOptsDialog::typeChanged(const QString&) { QString new_type = m_dialog->iface_type->itemData( m_dialog->iface_type->currentIndex()).toString(); // enable VLAN ID line edit for type VLAN if (new_type == "8021q") { m_dialog->options_stack->setCurrentIndex(1); return; } if (new_type == "bridge") { m_dialog->options_stack->setCurrentIndex(2); return; } if (new_type == "bonding") { m_dialog->options_stack->setCurrentIndex(3); return; } // page 0 is empty m_dialog->options_stack->setCurrentIndex(0); } void linux24IfaceOptsDialog::bondingPolicyChanged(const QString &new_policy) { m_dialog->xmit_hash_policy->setEnabled(new_policy == "802.3ad" || new_policy == "balance-xor"); } bool linux24IfaceOptsDialog::validate() { bool valid = true; QString combobox = m_dialog->iface_type->currentText(); 
QString type = m_dialog->iface_type->itemData( m_dialog->iface_type->currentIndex()).toString(); QWidget *focus = NULL; QString message; if (type == "vrrp") { // Both vvrp_secret and vrrp_id attributes moved to vrrpOptionsDialog ; } if (type == "8021q") { // VLAN ID must be set between 1 <= vid <= 4'094 // QSpinBox widget enforces these limits ; } if (!valid) { QMessageBox::warning(this, "Firewall Builder", tr("Input not valid: %1").arg(message), "&Continue", QString::null, QString::null, 0, 1); focus->setFocus(); } return valid; } fwbuilder-5.3.7/src/libgui/linux24IfaceOptsDialog.h000066400000000000000000000032231303637203600221520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __LINUX24IFACEOPTSDIALOG_H_ #define __LINUX24IFACEOPTSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class linux24IfaceOptsDialog : public QDialog { Q_OBJECT public: linux24IfaceOptsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~linux24IfaceOptsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::linux24IfaceOptsDialog_q *m_dialog; bool cluster_interface; /** validate user input for different interface types */ bool validate(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); void typeChanged(const QString&); void bondingPolicyChanged(const QString&); }; #endif // __LINUX24IFACEOPTSDIALOG_H_ fwbuilder-5.3.7/src/libgui/linux24advanceddialog_q.ui000066400000000000000000001275161303637203600226240ustar00rootroot00000000000000 linux24AdvancedDialog_q Qt::WindowModal 0 0 493 566 Linux 2.4: advanced settings QTabWidget::Rounded 2 Options 12 Qt::Vertical QSizePolicy::Fixed 20 20 IPv4 Packet forwarding Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Qt::Horizontal QSizePolicy::Expanding 40 150 IPv6 Packet forwarding Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Kernel anti-spoofing protection Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Ignore broadcast pings Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Ignore all pings Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Accept source route Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Accept ICMP redirects Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Ignore bogus ICMP errors Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Allow dynamic addresses 
Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Qt::Horizontal QSizePolicy::Fixed 141 21 Log martians Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false whats this text No change On Off Qt::Vertical QSizePolicy::Expanding 93 21 TCP 12 These parameters make sense for connections to or from the firewall host Qt::AlignCenter true Qt::Vertical QSizePolicy::Fixed 20 20 Qt::Vertical QSizePolicy::Expanding 20 30 Qt::Horizontal QSizePolicy::Expanding 100 50 Qt::Horizontal QSizePolicy::Fixed 150 20 0 1000 30 0 10000 1800 No change On Off No change On Off No change On Off No change On Off No change On Off No change On Off TCP sack Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP window scaling Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP ECN Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP SYN cookies Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP keepalive time (sec) Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP fack Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP timestamps Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false TCP FIN timeout (sec) Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Path Qt::Vertical QSizePolicy::Fixed 20 20 Specify directory path and a file name for each utility on your firewall machine. Leave these empty if you want to use default values. 
Qt::AlignCenter true iptables: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 300 0 Qt::LeftToRight ip6tables: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter ip: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false logger: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false vconfig: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false brctl: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false ifenslave: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false modprobe: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false lsmod: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false ipset: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter iptables-restore: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Qt::LeftToRight ip6tables-restore: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Qt::Vertical QSizePolicy::Expanding 20 60 conntrack QFrame::StyledPanel QFrame::Raised CONNTRACK_MAX 64 16777215 CONNTRACK_MAX is the maximum number of "sessions" (connection tracking entries) that can be handled simultaneously by netfilter in kernel memory. 999999999 Qt::Horizontal 242 20 HASHSIZE 0 0 64 16777215 the size of the hash table storing the lists of conntrack entries 999999999 0 0 false background:#fff <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" content="1" /><style type="text/css"> p, li { white-space: pre-wrap; } </style></head><body> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">These parameters allow you to tune performance of<br />conntrack module (netfilter state tracking). 
This<br />should only be necessary for large firewalls with a lot<br />of traffic and many stateful rules.<br />Explanation of these parameters can be found on</p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">the Internet if you search for &quot;netfilter conntrack performance&quot;<br /><br />Set both to zero to use default values</p></body></html> QFrame::StyledPanel QFrame::Raised 0 0 background: #fff This parameter is used if you run conntrackd in state <br> synchronization mode for a firewall cluster and have<br> kernel &lt;2.6.22<br> Explanation of this parameter can be found at<br> <a href="http://conntrack-tools.netfilter.org/manual.html">http://conntrack-tools.netfilter.org/manual.html</a> Disable TCP window tracking ("ip_conntrack_tcp_be_liberal") true No change On Off Qt::Horizontal 110 20 Qt::Vertical 397 7 Qt::Vertical 20 3 Data Qt::Vertical QSizePolicy::Fixed 20 20 Specify directory where data files (e.g. run-time address table) are found on the firewall. 
Qt::AlignCenter true Data directory: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 300 0 Qt::Vertical 20 358 Help Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true linux24_ip_forward linux24_ipv6_forward linux24_rp_filter linux24_icmp_echo_ignore_broadcasts linux24_icmp_echo_ignore_all linux24_accept_source_route linux24_accept_redirects linux24_icmp_ignore_bogus_error_responses linux24_ip_dynaddr linux24_log_martians buttonOk buttonCancel linux24_tcp_fin_timeout linux24_tcp_keepalive_interval linux24_tcp_window_scaling linux24_tcp_sack linux24_tcp_fack linux24_tcp_ecn linux24_tcp_syncookies linux24_tcp_timestamps linux24_path_iptables linux24_path_ip6tables linux24_path_ip linux24_path_logger linux24_path_vconfig linux24_path_brctl linux24_path_ifenslave linux24_path_modprobe linux24_path_lsmod linux24_path_iptables_restore linux24_path_ip6tables_restore tabWidget buttonHelp buttonOk clicked() linux24AdvancedDialog_q accept() 316 472 20 20 buttonCancel clicked() linux24AdvancedDialog_q reject() 397 472 20 20 buttonHelp clicked() linux24AdvancedDialog_q help() 68 464 231 245 fwbuilder-5.3.7/src/libgui/linux24ifaceoptsdialog_q.ui000066400000000000000000000272771303637203600230370ustar00rootroot00000000000000 linux24IfaceOptsDialog_q 0 0 418 322 Linux: interface settings Help Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 :/Icons/Options:/Icons/Options Options Qt::Vertical QSizePolicy::Fixed 20 16 Qt::RightToLeft Device Type Qt::Horizontal 40 20 0 0 2 true Qt::RightToLeft VLAN ID 4095 Qt::Horizontal 140 20 Qt::Vertical 20 43 Enable STP Qt::Vertical 20 173 Bonding policy: balance-rr active-backup balance-xor broadcast 802.3ad balance-tlb balance-alb Xmit hash policy: layer2 layer3+4 Other parameters: Qt::Vertical 20 40 buttonOk buttonCancel tabWidget buttonOk clicked() linux24IfaceOptsDialog_q accept() 316 472 20 20 buttonCancel clicked() linux24IfaceOptsDialog_q reject() 397 472 20 20 
buttonHelp clicked() linux24IfaceOptsDialog_q help() 68 464 231 245 iface_type currentIndexChanged(QString) linux24IfaceOptsDialog_q typeChanged(QString) 287 196 286 261 bonding_policy currentIndexChanged(QString) linux24IfaceOptsDialog_q bondingPolicyChanged(QString) 268 126 208 160 typeChanged(QString) bondingPolicyChanged(QString) fwbuilder-5.3.7/src/libgui/listOfLibrariesModel.cpp000066400000000000000000000120761303637203600223460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "ObjectTreeView.h" #include "listOfLibrariesModel.h" #include "fwbuilder/FWObject.h" #include #include using namespace libfwbuilder; ListOfLibrariesModel::ListOfLibrariesModel(QObject *parent) : QStringListModel(parent) { top_static_items.push_back(tr("Object Libraries:")); // top_static_items.push_back(tr("----------------")); } void ListOfLibrariesModel::addStaticItems() { int row = rowCount(); foreach(QString itm, top_static_items) { insertRows(row, 1); QModelIndex idx = index(row, 0); QStringListModel::setData(idx, itm, Qt::DisplayRole); row++; } // setData(idx, QString::fromLatin1("separator"), Qt::AccessibleDescriptionRole); } Qt::ItemFlags ListOfLibrariesModel::flags(const QModelIndex &index) const { int row = index.row(); if (row < 0 || row >= items.size()) return 0; FWObject *lib = items.at(index.row()).lib; if (lib == NULL) return Qt::ItemIsEnabled; else return QStringListModel::flags(index); } bool ListOfLibrariesModel::insertRows(int row, int count, const QModelIndex & parent) { for (int c=0; c < count; ++c) items.insert(row, _item_data("", NULL, NULL)); return QStringListModel::insertRows(row, count, parent); } bool ListOfLibrariesModel::removeRows(int row, int count, const QModelIndex &parent) { int c = count; while (c > 0) { items.removeAt(row); c--; } return QStringListModel::removeRows(row, count, parent); } static bool ascendingLessThan(const _item_data &s1, const _item_data &s2) { return s1.name < s2.name; } static bool decendingLessThan(const _item_data &s1, const _item_data &s2) { return s1.name > s2.name; } void ListOfLibrariesModel::sort(int column, Qt::SortOrder order) { Q_UNUSED(column) QList<_item_data> list; for (int i=0; igetId() == lib->getId()) { return idx; } } } return QModelIndex(); } FWObject* 
ListOfLibrariesModel::getLibrary(QModelIndex idx) { return getLibrary(idx.row()); } FWObject* ListOfLibrariesModel::getLibrary(int row) { if (row < 0 || row >= items.size()) return NULL; return items[row].lib; } ObjectTreeView* ListOfLibrariesModel::getTreeWidget(QModelIndex idx) { return getTreeWidget(idx.row()); } ObjectTreeView* ListOfLibrariesModel::getTreeWidget(int row) { if (row < 0 || row >= items.size()) return NULL; return items[row].tree; } void ListOfLibrariesModel::setData(QModelIndex idx, const QString &name, FWObject *lib, ObjectTreeView *otv) { int row = idx.row(); if (row < 0 || row >= items.size()) return ; items[row] = _item_data(name, lib, otv); QStringListModel::setData(idx, indentLibName(name, lib!=NULL), Qt::DisplayRole); } void ListOfLibrariesModel::setName(QModelIndex idx, const QString &name) { int row = idx.row(); if (row < 0 || row >= items.size()) return ; items[row].name = name; QStringListModel::setData(idx, indentLibName(name, items.at(row).lib!=NULL), Qt::DisplayRole); } QString ListOfLibrariesModel::indentLibName(const QString &name, bool indent) { if (indent) return " " + name; else return name; } fwbuilder-5.3.7/src/libgui/listOfLibrariesModel.h000066400000000000000000000047751303637203600220220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __LISTOFLIBRARIESMODEL_H_ #define __LISTOFLIBRARIESMODEL_H_ #include #include class ObjectTreeView; namespace libfwbuilder { class FWObject; }; class _item_data { public: QString name; libfwbuilder::FWObject* lib; ObjectTreeView* tree; _item_data(const QString &_n, libfwbuilder::FWObject* _lib, ObjectTreeView* _tree) { name = _n; lib = _lib; tree = _tree; } }; class ListOfLibrariesModel : public QStringListModel { Q_OBJECT; QStringList top_static_items; QList<_item_data> items; public: ListOfLibrariesModel(QObject *parent = 0); void addStaticItems(); QString indentLibName(const QString &name, bool indent); // virtual QModelIndex index(int, int, const QModelIndex &p = QModelIndex()) const; QModelIndex getIdxForLib(libfwbuilder::FWObject*); libfwbuilder::FWObject* getLibrary(QModelIndex idx); libfwbuilder::FWObject* getLibrary(int row); #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Woverloaded-virtual" void setData(QModelIndex idx, const QString &name, libfwbuilder::FWObject *lib, ObjectTreeView *otv); #pragma GCC diagnostic pop void setName(QModelIndex idx, const QString &name); ObjectTreeView* getTreeWidget(QModelIndex idx); ObjectTreeView* getTreeWidget(int row); virtual Qt::ItemFlags flags(const QModelIndex &index) const; virtual bool insertRows(int row, int count, const QModelIndex & parent = QModelIndex()); virtual bool removeRows(int row, int count, const QModelIndex & parent = QModelIndex()); virtual void sort(int column, Qt::SortOrder order = Qt::AscendingOrder); }; #endif fwbuilder-5.3.7/src/libgui/longTextDialog.cpp000066400000000000000000000030531303637203600212070ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "longTextDialog.h" #include #include #include #include #include using namespace libfwbuilder; using namespace std; longTextDialog::~longTextDialog() { delete m_dialog; } longTextDialog::longTextDialog(QWidget *p, const QString &txt,const QString <xt) : QDialog(p) { m_dialog = new Ui::longTextDialog_q; m_dialog->setupUi(this); setWindowTitle("Firewall Builder"); m_dialog->dlgText->setText(txt); m_dialog->icn->setPixmap( QMessageBox::standardIcon(QMessageBox::Critical) ); m_dialog->dlgLongText->setText(ltxt); } fwbuilder-5.3.7/src/libgui/longTextDialog.h000066400000000000000000000022561303637203600206600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __LONGTEXTDIALOG_H_ #define __LONGTEXTDIALOG_H_ #include "config.h" #include class longTextDialog : public QDialog { Q_OBJECT Ui::longTextDialog_q *m_dialog; public: longTextDialog(QWidget *p,const QString &txt,const QString <xt); ~longTextDialog(); }; #endif // __LONGTEXTDIALOG_H fwbuilder-5.3.7/src/libgui/longtextdialog_q.ui000066400000000000000000000070771303637203600214740ustar00rootroot00000000000000 longTextDialog_q 0 0 368 291 longTextDialog_q 11 Continue Qt::Horizontal QSizePolicy::Expanding 100 20 Qt::Horizontal QSizePolicy::Expanding 120 20 0 0 QFrame::NoFrame QFrame::Raised 11 :/Icons/warning.png true false 0 0 this is the error text true false dlgLongText closeBtn closeBtn clicked() longTextDialog_q accept() 20 20 20 20 fwbuilder-5.3.7/src/libgui/macosxAdvancedDialog.cpp000066400000000000000000000066031303637203600223270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "macosxAdvancedDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; macosxAdvancedDialog::~macosxAdvancedDialog() { delete m_dialog; } macosxAdvancedDialog::macosxAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::macosxAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); QStringList threeStateMapping; threeStateMapping.push_back(QObject::tr("No change")); threeStateMapping.push_back(""); threeStateMapping.push_back(QObject::tr("On")); threeStateMapping.push_back("1"); threeStateMapping.push_back(QObject::tr("Off")); threeStateMapping.push_back("0"); data.registerOption( m_dialog->macosx_ip_forward, fwopt, "macosx_ip_forward", threeStateMapping); data.registerOption( m_dialog->macosx_ip_redirect, fwopt, "macosx_ip_redirect", threeStateMapping); data.registerOption( m_dialog->macosx_ip_sourceroute, fwopt, "macosx_ip_sourceroute", threeStateMapping); data.registerOption( m_dialog->macosx_path_ipfw, fwopt, "macosx_path_ipfw"); data.registerOption( m_dialog->macosx_path_sysctl, fwopt, "macosx_path_sysctl"); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void macosxAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = 
Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); data.saveAll(fwoptions); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void macosxAdvancedDialog::reject() { QDialog::reject(); } fwbuilder-5.3.7/src/libgui/macosxAdvancedDialog.h000066400000000000000000000026671303637203600220020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __MACOSXADVANCEDDIALOG_H_ #define __MACOSXADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class macosxAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::macosxAdvancedDialog_q *m_dialog; public: macosxAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~macosxAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); }; #endif // __MACOSXADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/macosxadvanceddialog_q.ui000066400000000000000000000304031303637203600225750ustar00rootroot00000000000000 macosxAdvancedDialog_q 0 0 389 237 MacOS X: advanced settings 6 0 0 0 0 Qt::Vertical QSizePolicy::Expanding 20 20 &OK true true &Cancel true QTabWidget::Rounded 0 Options 0 0 0 0 Generate ICMP redirects Qt::AlignCenter false Packet forwarding Qt::AlignCenter false No change On Off No change On Off No change On Off Forward source routed packets Qt::AlignCenter false Qt::Vertical QSizePolicy::Expanding 151 20 Qt::Vertical QSizePolicy::Expanding 20 20 Qt::Vertical QSizePolicy::Expanding 40 20 Qt::Vertical QSizePolicy::Expanding 20 40 Path 0 0 0 0 ipfw: Qt::AlignCenter false sysctl: Qt::AlignCenter false Specify directory path and a file name for the following utilities on the OS your firewall machine is running. Leave these empty if you want to use default values. 
Qt::AlignCenter true 0 0 200 0 0 0 200 0 Qt::Vertical QSizePolicy::Expanding 40 20 Qt::Vertical QSizePolicy::Expanding 40 20 Qt::Vertical QSizePolicy::Expanding 20 40 tabWidget macosx_ip_forward macosx_ip_sourceroute macosx_ip_redirect buttonOk buttonCancel macosx_path_ipfw macosx_path_sysctl buttonOk clicked() macosxAdvancedDialog_q accept() 20 20 20 20 buttonCancel clicked() macosxAdvancedDialog_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/memcheck.h000066400000000000000000000317501303637203600175110ustar00rootroot00000000000000 /* ---------------------------------------------------------------- Notice that the following BSD-style license applies to this one file (memcheck.h) only. The rest of Valgrind is licensed under the terms of the GNU General Public License, version 2, unless otherwise indicated. See the COPYING file in the source distribution for details. ---------------------------------------------------------------- This file is part of MemCheck, a heavyweight Valgrind tool for detecting memory errors. Copyright (C) 2000-2008 Julian Seward. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 3. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 4. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. 
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ---------------------------------------------------------------- Notice that the above BSD-style license applies to this one file (memcheck.h) only. The entire rest of Valgrind is licensed under the terms of the GNU General Public License, version 2. See the COPYING file in the source distribution for details. ---------------------------------------------------------------- */ #ifndef __MEMCHECK_H #define __MEMCHECK_H /* This file is for inclusion into client (your!) code. You can use these macros to manipulate and query memory permissions inside your own programs. See comment near the top of valgrind.h on how to use them. */ #include "valgrind.h" /* !! ABIWARNING !! ABIWARNING !! ABIWARNING !! ABIWARNING !! This enum comprises an ABI exported by Valgrind to programs which use client requests. DO NOT CHANGE THE ORDER OF THESE ENTRIES, NOR DELETE ANY -- add new ones at the end. 
*/ typedef enum { VG_USERREQ__MAKE_MEM_NOACCESS = VG_USERREQ_TOOL_BASE('M','C'), VG_USERREQ__MAKE_MEM_UNDEFINED, VG_USERREQ__MAKE_MEM_DEFINED, VG_USERREQ__DISCARD, VG_USERREQ__CHECK_MEM_IS_ADDRESSABLE, VG_USERREQ__CHECK_MEM_IS_DEFINED, VG_USERREQ__DO_LEAK_CHECK, VG_USERREQ__COUNT_LEAKS, VG_USERREQ__GET_VBITS, VG_USERREQ__SET_VBITS, VG_USERREQ__CREATE_BLOCK, VG_USERREQ__MAKE_MEM_DEFINED_IF_ADDRESSABLE, /* This is just for memcheck's internal use - don't use it */ _VG_USERREQ__MEMCHECK_RECORD_OVERLAP_ERROR = VG_USERREQ_TOOL_BASE('M','C') + 256 } Vg_MemCheckClientRequest; /* Client-code macros to manipulate the state of memory. */ /* Mark memory at _qzz_addr as unaddressable for _qzz_len bytes. */ #define VALGRIND_MAKE_MEM_NOACCESS(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__MAKE_MEM_NOACCESS, \ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Similarly, mark memory at _qzz_addr as addressable but undefined for _qzz_len bytes. */ #define VALGRIND_MAKE_MEM_UNDEFINED(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__MAKE_MEM_UNDEFINED, \ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Similarly, mark memory at _qzz_addr as addressable and defined for _qzz_len bytes. */ #define VALGRIND_MAKE_MEM_DEFINED(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__MAKE_MEM_DEFINED, \ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Similar to VALGRIND_MAKE_MEM_DEFINED except that addressability is not altered: bytes which are addressable are marked as defined, but those which are not addressable are left unchanged. 
*/ #define VALGRIND_MAKE_MEM_DEFINED_IF_ADDRESSABLE(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__MAKE_MEM_DEFINED_IF_ADDRESSABLE, \ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Create a block-description handle. The description is an ascii string which is included in any messages pertaining to addresses within the specified memory range. Has no other effect on the properties of the memory range. */ #define VALGRIND_CREATE_BLOCK(_qzz_addr,_qzz_len, _qzz_desc) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__CREATE_BLOCK, \ _qzz_addr, _qzz_len, _qzz_desc, \ 0, 0); \ _qzz_res; \ })) /* Discard a block-description-handle. Returns 1 for an invalid handle, 0 for a valid handle. */ #define VALGRIND_DISCARD(_qzz_blkindex) \ (__extension__ ({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* default return */, \ VG_USERREQ__DISCARD, \ 0, _qzz_blkindex, 0, 0, 0); \ _qzz_res; \ })) /* Client-code macros to check the state of memory. */ /* Check that memory at _qzz_addr is addressable for _qzz_len bytes. If suitable addressibility is not established, Valgrind prints an error message and returns the address of the first offending byte. Otherwise it returns zero. */ #define VALGRIND_CHECK_MEM_IS_ADDRESSABLE(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__CHECK_MEM_IS_ADDRESSABLE,\ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Check that memory at _qzz_addr is addressable and defined for _qzz_len bytes. If suitable addressibility and definedness are not established, Valgrind prints an error message and returns the address of the first offending byte. Otherwise it returns zero. 
*/ #define VALGRIND_CHECK_MEM_IS_DEFINED(_qzz_addr,_qzz_len) \ (__extension__({unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__CHECK_MEM_IS_DEFINED, \ _qzz_addr, _qzz_len, 0, 0, 0); \ _qzz_res; \ })) /* Use this macro to force the definedness and addressibility of an lvalue to be checked. If suitable addressibility and definedness are not established, Valgrind prints an error message and returns the address of the first offending byte. Otherwise it returns zero. */ #define VALGRIND_CHECK_VALUE_IS_DEFINED(__lvalue) \ VALGRIND_CHECK_MEM_IS_DEFINED( \ (volatile unsigned char *)&(__lvalue), \ (unsigned long)(sizeof (__lvalue))) /* Do a memory leak check mid-execution. */ #define VALGRIND_DO_LEAK_CHECK \ {unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__DO_LEAK_CHECK, \ 0, 0, 0, 0, 0); \ } /* Just display summaries of leaked memory, rather than all the details */ #define VALGRIND_DO_QUICK_LEAK_CHECK \ {unsigned long _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__DO_LEAK_CHECK, \ 1, 0, 0, 0, 0); \ } /* Return number of leaked, dubious, reachable and suppressed bytes found by all previous leak checks. They must be lvalues. */ #define VALGRIND_COUNT_LEAKS(leaked, dubious, reachable, suppressed) \ /* For safety on 64-bit platforms we assign the results to private unsigned long variables, then assign these to the lvalues the user specified, which works no matter what type 'leaked', 'dubious', etc are. We also initialise '_qzz_leaked', etc because VG_USERREQ__COUNT_LEAKS doesn't mark the values returned as initialised. 
*/ \ {unsigned long _qzz_res; \ unsigned long _qzz_leaked = 0, _qzz_dubious = 0; \ unsigned long _qzz_reachable = 0, _qzz_suppressed = 0; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__COUNT_LEAKS, \ &_qzz_leaked, &_qzz_dubious, \ &_qzz_reachable, &_qzz_suppressed, 0); \ leaked = _qzz_leaked; \ dubious = _qzz_dubious; \ reachable = _qzz_reachable; \ suppressed = _qzz_suppressed; \ } /* Get the validity data for addresses [zza..zza+zznbytes-1] and copy it into the provided zzvbits array. Return values: 0 if not running on valgrind 1 success 2 [previously indicated unaligned arrays; these are now allowed] 3 if any parts of zzsrc/zzvbits are not addressable. The metadata is not copied in cases 0, 2 or 3 so it should be impossible to segfault your system by using this call. */ #define VALGRIND_GET_VBITS(zza,zzvbits,zznbytes) \ (__extension__({unsigned long _qzz_res; \ char* czza = (char*)zza; \ char* czzvbits = (char*)zzvbits; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__GET_VBITS, \ czza, czzvbits, zznbytes, 0, 0 ); \ _qzz_res; \ })) /* Set the validity data for addresses [zza..zza+zznbytes-1], copying it from the provided zzvbits array. Return values: 0 if not running on valgrind 1 success 2 [previously indicated unaligned arrays; these are now allowed] 3 if any parts of zza/zzvbits are not addressable. The metadata is not copied in cases 0, 2 or 3 so it should be impossible to segfault your system by using this call. 
*/ #define VALGRIND_SET_VBITS(zza,zzvbits,zznbytes) \ (__extension__({unsigned int _qzz_res; \ char* czza = (char*)zza; \ char* czzvbits = (char*)zzvbits; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__SET_VBITS, \ czza, czzvbits, zznbytes, 0, 0 ); \ _qzz_res; \ })) #endif fwbuilder-5.3.7/src/libgui/metriceditorpanel_q.ui000066400000000000000000000051061303637203600221510ustar00rootroot00000000000000 MetricEditorPanel_q true 0 0 359 247 Script Editor true 0 0 64 0 64 16777215 QAbstractSpinBox::PlusMinus 255 1 Qt::Horizontal 258 20 Qt::Vertical QSizePolicy::MinimumExpanding 20 0 spin_box valueChanged(int) MetricEditorPanel_q changed() 20 20 20 20 changed() fwbuilder-5.3.7/src/libgui/natruleoptionsdialog_q.ui000066400000000000000000000404641303637203600227130ustar00rootroot00000000000000 NATRuleOptionsDialog_q 0 0 942 345 NAT Rule Options QFrame::Box QFrame::Sunken 3 12 12 QFrame::NoFrame QFrame::Raised 2 2 No options are available for this firewall platform false Qt::Vertical QSizePolicy::MinimumExpanding 20 0 Normally, if object used to define translated source address is an interface marked as "dynamic", fwbuilder generates NAT rule with target MASQUERADE. However masquerading has problems with policy routing. This option makes fwbuilder use SNAT target instead. true Use SNAT target instead of MASQUERADING for NAT rules with dynamic interfaces Qt::Vertical QSizePolicy::Fixed 20 20 Randomize port mapping (translates to --random) Give a client the same source-/destination-address for each connection (translates to --persistent, requires iptables 1.4.3 or later). Qt::Vertical 20 81 12 12 Qt::Vertical QSizePolicy::Expanding 20 20 0 0 Pool type 12 12 default true bitmask random source-hash round-robin Qt::Horizontal QSizePolicy::Expanding 81 20 Qt::Vertical QSizePolicy::Expanding 20 130 static-port Qt::Vertical QSizePolicy::Fixed 20 10 Starting with v8.3 ASAs support NAT type "static" and "dynamic" for source NAT rules. 
Firewall Builder attempts to determine the correct type based on the information in the rule, but the calculated value can be overridden below. true true Automatically detect NAT type "static" or "dynamic". This rule is currently set to type "%1" Force rule to be NAT type "dynamic". Note, rules with destination translation defined cannot be "dynamic" Force rule to be NAT type "static". Qt::Horizontal Make this NAT rule translate DNS replies. You also need to enable DNS inspection in the firewall object advanced settings dialog. Qt::Vertical 20 265 pf_bitmask toggled(bool) NATRuleOptionsDialog_q changed() 20 20 20 20 pf_random toggled(bool) NATRuleOptionsDialog_q changed() 20 20 20 20 pf_source_hash toggled(bool) NATRuleOptionsDialog_q changed() 20 20 20 20 pf_round_robin toggled(bool) NATRuleOptionsDialog_q changed() 20 20 20 20 pf_static_port toggled(bool) NATRuleOptionsDialog_q changed() 20 20 20 20 pf_pool_type_none toggled(bool) NATRuleOptionsDialog_q changed() 20 20 20 20 ipt_use_snat_instead_of_masq toggled(bool) NATRuleOptionsDialog_q changed() 307 108 304 116 ipt_nat_random toggled(bool) NATRuleOptionsDialog_q changed() 366 123 362 166 ipt_nat_persistent toggled(bool) NATRuleOptionsDialog_q changed() 474 148 470 172 asa8_nat_dns stateChanged(int) NATRuleOptionsDialog_q changed() 470 32 470 172 asa8_nat_auto toggled(bool) NATRuleOptionsDialog_q changed() 470 64 470 172 asa8_nat_dynamic toggled(bool) NATRuleOptionsDialog_q changed() 470 93 470 172 asa8_nat_static toggled(bool) NATRuleOptionsDialog_q changed() 470 122 470 172 changed() fwbuilder-5.3.7/src/libgui/networkZoneManager.cpp000066400000000000000000000100311303637203600220750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "networkZoneManager.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/ObjectGroup.h" #include using namespace libfwbuilder; using namespace std; NetworkZoneManager::NetworkZoneManager() { } void NetworkZoneManager::load(FWObjectDatabase *_db) { db = _db; netzones_object_names.clear(); netzones_id_to_index.clear(); netzones_index_to_id.clear(); int n = 0; netzones_id_to_index[0] = n; netzones_index_to_id[n] = 0; netzones_object_names.push_back(" None "); ++n; netzones_id_to_index[FWObjectDatabase::ANY_ADDRESS_ID] = n; netzones_index_to_id[n] = FWObjectDatabase::ANY_ADDRESS_ID; netzones_object_names.push_back(" Any "); ++n; /* TODO: try to make this widget show object with appropriate icon */ list libs = db->getByType( Library::TYPENAME ); for (list::iterator l=libs.begin(); l!=libs.end(); ++l) { FWObject *library= *l; FWObject *o1,*o2; if ( library->getId()==FWObjectDatabase::DELETED_OBJECTS_ID ) continue; o1 = library->findObjectByName(ObjectGroup::TYPENAME, "Objects"); assert(o1!=NULL); o2 = o1->findObjectByName(ObjectGroup::TYPENAME, "Groups"); if (o2==NULL) { if (fwbdebug) qDebug() << "NetworkZoneManager::NetworkZoneManager():" << "missing Groups group in " << FWObjectDatabase::getStringId(o1->getId()).c_str(); continue; } for (FWObject::iterator i=o2->begin(); i!=o2->end(); ++i) { 
netzones_id_to_index[(*i)->getId()] = n; netzones_index_to_id[n] = (*i)->getId(); netzones_object_names.push_back( QObject::tr("Group: ")+ (*i)->getName().c_str() ); ++n; } o2=o1->findObjectByName(ObjectGroup::TYPENAME,"Networks"); if (o2==NULL) { if (fwbdebug) qDebug() << "NetworkZoneManager::NetworkZoneManager():" << "missing Networks group in " << FWObjectDatabase::getStringId(o1->getId()).c_str(); continue; } for (FWObject::iterator i1=o2->begin(); i1!=o2->end(); ++i1) { netzones_id_to_index[(*i1)->getId()] = n; netzones_index_to_id[n] = (*i1)->getId(); netzones_object_names.push_back( QObject::tr("Network: ")+ (*i1)->getName().c_str()); ++n; } } } int NetworkZoneManager::getListItemIdexByNetzoneId(int id) { return netzones_id_to_index[id]; } int NetworkZoneManager::getNetzoneIdByListIndex(int idx) { return netzones_index_to_id[idx]; } void NetworkZoneManager::packComboBox(QComboBox *combobox, int current_netzone_object_id) { combobox->clear(); combobox->addItems(netzones_object_names); for(int idx=0; idx < combobox->count(); ++idx) combobox->setItemData(idx, QVariant(netzones_index_to_id[idx]), Qt::UserRole); combobox->setCurrentIndex( netzones_id_to_index[current_netzone_object_id] ); } fwbuilder-5.3.7/src/libgui/networkZoneManager.h000066400000000000000000000032161303637203600215510ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NETWORK_ZONE_MANAGER_H_ #define __NETWORK_ZONE_MANAGER_H_ #include "config.h" #include #include #include namespace libfwbuilder { class FWObjectDatabase; } class NetworkZoneManager { libfwbuilder::FWObjectDatabase *db; QStringList netzones_object_names; // netzones_id_to_index : key - object id, value - number in the list QMap netzones_id_to_index; // netzones_index_to_id : key - number in the list, value - obj id QMap netzones_index_to_id; public: NetworkZoneManager(); void load(libfwbuilder::FWObjectDatabase *db); int getListItemIdexByNetzoneId(int id); int getNetzoneIdByListIndex(int idx); void packComboBox(QComboBox *combobox, int current_netzone_object_id); }; #endif fwbuilder-5.3.7/src/libgui/networkdialog_q.ui000066400000000000000000000137241303637203600213150ustar00rootroot00000000000000 NetworkDialog_q true 0 0 949 258 0 0 Network 0 0 QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 Address: false 0 0 Netmask: false 0 0 Qt::Vertical 20 113 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name address netmask address editingFinished() NetworkDialog_q addressEntered() 218 106 355 143 address returnPressed() NetworkDialog_q addressEntered() 218 106 355 143
fwbuilder-5.3.7/src/libgui/networkdialogipv6_q.ui000066400000000000000000000152231303637203600221160ustar00rootroot00000000000000 NetworkDialogIPv6_q true 0 0 718 258 0 0 Network 12 12 0 0 QFrame::Box QFrame::Sunken 0 0 350 16 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 Address: false 200 0 0 0 Prefix length: false 0 0 0 23 Qt::Vertical 20 104 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name address address editingFinished() NetworkDialogIPv6_q addressEntered() 199 116 333 130 address returnPressed() NetworkDialogIPv6_q addressEntered() 199 116 333 130 changed()
fwbuilder-5.3.7/src/libgui/newClusterDialog.cpp000066400000000000000000000271471303637203600215500ustar00rootroot00000000000000/* * newClusterDialog.cpp - new Cluster wizard implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #include "newClusterDialog.h" #include "global.h" #include "utils_no_qt.h" #include "utils.h" #include "platforms.h" #include "upgradePredicate.h" #include "ProjectPanel.h" #include "DialogFactory.h" #include "FWBTree.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Library.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include #include #include #include #include #define FIREWALLS_PAGE 0 #define INTERFACES_PAGE 1 #define INTERFACEEDITOR_PAGE 2 #define POLICY_PAGE 3 #define SUMMARY_PAGE 4 using namespace libfwbuilder; using namespace std; newClusterDialog::newClusterDialog(QWidget *parentw, FWObject *_p) : QDialog(parentw), ncl(NULL), fwlist(NULL), tmpldb(NULL) { parent = _p; db = parent->getRoot(); useFirewallList = false; m_dialog = new Ui::newClusterDialog_q; m_dialog->setupUi(this); setControlWidgets(this, m_dialog->stackedWidget, m_dialog->nextButton, m_dialog->finishButton, m_dialog->backButton, m_dialog->cancelButton, m_dialog->titleLabel); m_dialog->obj_name->setFocus(); this->noPolicy = new QRadioButton(m_dialog->page_4); this->noPolicy->setChecked(true); this->spacer = new QSpacerItem(10, 1000); this->m_dialog->page_4->layout()->addWidget(noPolicy); this->m_dialog->page_4->layout()->addItem(spacer); 
noPolicy->setText(tr("do not use any, i will create new policy and NAT rules")); showPage(0); } void newClusterDialog::changed() { int p = currentPage(); if (p == 0) setNextEnabled(p, !m_dialog->obj_name->text().isEmpty()); } newClusterDialog::~newClusterDialog() { delete m_dialog; } void newClusterDialog::setFirewallList(std::vector data, bool select) { m_dialog->interfaceSelector->clear(); firewallList.clear(); //typedef QPair fwpair; // Unused foreach ( FWObject *fw, data ) firewallList.push_back(Firewall::cast(fw)); m_dialog->firewallSelector->setFirewallList(firewallList, select); } void newClusterDialog::showPage(const int page, bool blank) { FakeWizard::showPage(page); int p = currentPage(); if (fwbdebug) { qDebug("newClusterDialog::selected p=%d", p); } switch (p) { case FIREWALLS_PAGE: { if (blank) { m_dialog->firewallSelector->clear(); m_dialog->firewallSelector->setFirewallList(firewallList, true); /*else { list fwlist; mw->findAllFirewalls(fwlist); m_dialog->firewallSelector->setFirewallList(fwlist); }*/ } setNextEnabled(FIREWALLS_PAGE, !this->m_dialog->obj_name->text().isEmpty()); setFinishEnabled(FIREWALLS_PAGE, false); m_dialog->nextButton->setDefault(true); break; } case INTERFACES_PAGE: { if (blank) { m_dialog->interfaceSelector->clear(); QList firewalls; typedef QPair fwpair; foreach ( fwpair fw, m_dialog->firewallSelector->getSelectedFirewalls() ) firewalls.append(fw.first); this->m_dialog->interfaceSelector->setFirewallList(firewalls); } setNextEnabled(INTERFACES_PAGE, true); setFinishEnabled(INTERFACES_PAGE, false); m_dialog->nextButton->setDefault(true); break; } case INTERFACEEDITOR_PAGE: { if (blank) { if (this->m_dialog->interfaceSelector->getInterfaces().count() == 0) this->showPage(POLICY_PAGE); this->m_dialog->interfaceEditor->setClusterMode(true); this->m_dialog->interfaceEditor->clear(); this->m_dialog->interfaceEditor->setExplanation( tr("Depending on the failover protocol, cluster interface " "may or may not need an IP address. 
VRRP, " "CARP, heartbeat interfaces should have their " "own unique IP addresses different from the member firewall " "interfaces. Other failover protocols such as the one used in " "Cisco ASA (PIX) firewall do not require additional IP address." "
" "
" "List of available failover protocols depends on the firewall " "platform." ) ); while (this->m_dialog->interfaceEditor->count()) this->m_dialog->interfaceEditor->removeTab(0); foreach (ClusterInterfaceData iface, this->m_dialog->interfaceSelector->getInterfaces()) { this->m_dialog->interfaceEditor->addClusterInterface(iface); } } setNextEnabled(INTERFACEEDITOR_PAGE, true); setFinishEnabled(INTERFACEEDITOR_PAGE, false); m_dialog->nextButton->setDefault(true); break; } case POLICY_PAGE: { if (blank) { foreach (QRadioButton *btn, copy_rules_from_buttons.keys()) { btn->close(); delete btn; } copy_rules_from_buttons.clear(); QList > fws = m_dialog->firewallSelector->getSelectedFirewalls(); this->m_dialog->page_4->layout()->removeItem(spacer); for ( int i = 0; i < fws.count() ; i++ ) { QRadioButton *newbox = new QRadioButton(QString::fromUtf8(fws.at(i).first->getName().c_str()), m_dialog->page_4); newbox->setObjectName(fws.at(i).first->getName().c_str()); this->m_dialog->page_4->layout()->addWidget(newbox); copy_rules_from_buttons[newbox] = fws.at(i).first; } this->m_dialog->page_4->layout()->addItem(spacer); } setNextEnabled(POLICY_PAGE, true); setFinishEnabled(POLICY_PAGE, false); m_dialog->nextButton->setDefault(true); break; } case SUMMARY_PAGE: { QFont *monospace = new QFont("Lucida Console"); if (!monospace->exactMatch()) { monospace->setFixedPitch(true); monospace->setStyleHint(QFont::SansSerif, QFont::PreferAntialias); QFontDatabase fontdb; foreach (QString family, fontdb.families(QFontDatabase::Latin)) { if (family.startsWith(".")) continue; if (fontdb.isFixedPitch(family, "normal")) { qDebug() << family; monospace->setFamily(family); break; } } } this->m_dialog->firewallsList->setFont(*monospace); this->m_dialog->interfacesList->setFont(*monospace); this->m_dialog->clusterName->setText(this->m_dialog->clusterName->text() + this->m_dialog->obj_name->text()); QStringList firewalls; QList > fws = m_dialog->firewallSelector->getSelectedFirewalls(); QString 
master; for ( int i = 0; i < fws.count() ; i++ ) { if (fws.at(i).second) master = QString::fromUtf8(fws.at(i).first->getName().c_str()); firewalls.append(QString::fromUtf8(fws.at(i).first->getName().c_str())); } this->m_dialog->firewallsList->setText(firewalls.join("\n")); this->m_dialog->masterLabel->setText(this->m_dialog->masterLabel->text() + master); QStringList interfaces; foreach (EditedInterfaceData iface, this->m_dialog->interfaceEditor->getNewData()) { QString str; if (iface.type == 0) str += tr("regular "); if (iface.type == 1) str += tr("dynamic "); if (iface.type == 1) str += tr("unnumbered "); str += iface.name; if (iface.type == 0 && iface.addresses.count() > 0) { if (iface.addresses.count() == 1) str += tr(" with address: "); else str += tr(" with addresses: "); QStringList addresses; for (int i = 0; i< iface.addresses.values().count(); i++) { AddressInfo addr = iface.addresses.values().at(i); QString addrstr; if (i > 0) addrstr.fill(' ', str.length()); addrstr += addr.address + "/" + addr.netmask; addresses.append(addrstr); } str += addresses.join("\n"); } interfaces.append(str); } this->m_dialog->interfacesList->setText(interfaces.join("\n")); bool doCopy = false; foreach (QRadioButton* btn, copy_rules_from_buttons.keys()) { if (btn->isChecked() && btn != noPolicy) { QString fwname = QString::fromUtf8( copy_rules_from_buttons[btn]->getName().c_str()); this->m_dialog->policyLabel->setText(this->m_dialog->policyLabel->text() + fwname); doCopy = true; break; } } if (!doCopy) this->m_dialog->policyLabel->setVisible(false); setNextEnabled(SUMMARY_PAGE, false); setFinishEnabled(SUMMARY_PAGE, true); m_dialog->finishButton->setDefault(true); break; } } } void newClusterDialog::finishClicked() { m_dialog->nextButton->setFocus(Qt::OtherFocusReason); createNewCluster(); if (unloadTemplatesLib) { delete tmpldb; tmpldb = NULL; unloadTemplatesLib = false; } QDialog::accept(); } void newClusterDialog::cancelClicked() { QDialog::reject(); } void 
newClusterDialog::nextClicked() { m_dialog->nextButton->setFocus(Qt::OtherFocusReason); if (currentPage() == FIREWALLS_PAGE) { if (!this->m_dialog->firewallSelector->isValid()) return; if ( this->m_dialog->firewallSelector->getSelectedFirewalls().count() == 0 ) { QMessageBox::critical( this, "Firewall Builder", tr("You should select at least one firewall to create a cluster"), "&Continue", QString::null, QString::null, 0, 1); return; } } if (currentPage() == INTERFACES_PAGE) { if (!this->m_dialog->interfaceSelector->isValid()) return; } if (currentPage() == INTERFACEEDITOR_PAGE) if (!this->m_dialog->interfaceEditor->isValid()) return; if (nextRelevant(currentPage()) > -1) { showPage(nextRelevant(currentPage())); } } void newClusterDialog::backClicked() { if (previousRelevant(currentPage()) > -1) { showPage(previousRelevant(currentPage()), false); } } int newClusterDialog::previousRelevant(const int page) const { if (page == POLICY_PAGE && this->m_dialog->interfaceEditor->getNewData().count() == 0) { return INTERFACES_PAGE; } else return FakeWizard::previousRelevant(page); } fwbuilder-5.3.7/src/libgui/newClusterDialog.h000066400000000000000000000042741303637203600212110ustar00rootroot00000000000000/* * newClusterDialog.h - new cluster wizard dialog * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. 
* * o The terms of NetCitadel End User License Agreement */ #ifndef __NEWCLUSTERDIALOG_H_ #define __NEWCLUSTERDIALOG_H_ #include #include "fakeWizard.h" #include namespace libfwbuilder { class FWObject; class FWObjectDatabase; class ObjectGroup; class Cluster; class Interface; }; class newClusterDialog : public QDialog, public FakeWizard { Q_OBJECT; libfwbuilder::Cluster *ncl; libfwbuilder::ObjectGroup *fwlist; libfwbuilder::FWObject *parent; libfwbuilder::FWObjectDatabase *db; libfwbuilder::FWObjectDatabase *tmpldb; bool unloadTemplatesLib; QMap copy_rules_from_buttons; QMap visited; std::list firewallList; bool useFirewallList; QVBoxLayout *policies; QRadioButton *noPolicy; QSpacerItem *spacer; void copyRuleSets(const std::string &type, libfwbuilder::Firewall *src, std::map &id_mapping); void deleteRuleSets(const std::string &type, libfwbuilder::Firewall *fw); void createNewCluster(); public: newClusterDialog(QWidget *parentw, libfwbuilder::FWObject *parent); virtual ~newClusterDialog(); libfwbuilder::Cluster* getNewCluster() { return ncl; }; void setFirewallList(std::vector, bool select = false); void showPage(const int page, bool blank = true); protected: Ui::newClusterDialog_q *m_dialog; int previousRelevant(const int page) const; protected slots: virtual void finishClicked(); virtual void cancelClicked(); virtual void nextClicked(); virtual void backClicked(); virtual void changed(); }; #endif /* __NEWCLUSTERDIALOG_H */ fwbuilder-5.3.7/src/libgui/newClusterDialog_create.cpp000066400000000000000000000271261303637203600230700ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "events.h" #include "FWWindow.h" #include "newClusterDialog.h" #include "InterfacesTabWidget.h" #include "platforms.h" #include "FWBTree.h" #include "FWCmdAddObject.h" #include "RuleSetModel.h" #include "RuleSetView.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Policy.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Routing.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include using namespace libfwbuilder; using namespace std; void newClusterDialog::createNewCluster() { if (fwbdebug) qDebug() << "newClusterDialog::createNewCluster()"; map id_mapping; QList cluster_interfaces = this->m_dialog->interfaceSelector->getInterfaces(); typedef QPair fwpair; Firewall *master = NULL; QList > member_firewalls = this->m_dialog->firewallSelector->getSelectedFirewalls(); foreach(fwpair member, member_firewalls) { if (member.second) { master = member.first; break; } } FWObject *o; o = db->create(Cluster::TYPENAME); if (o == NULL) { QDialog::accept(); return; } o->setName(string(m_dialog->obj_name->text().toUtf8().constData())); parent->add(o); ncl = Cluster::cast(o); o->setStr("platform", this->m_dialog->firewallSelector->getSelectedFirewalls().first().first->getStr("platform")); o->setStr("host_OS", this->m_dialog->firewallSelector->getSelectedFirewalls().first().first->getStr("host_OS")); if (fwbdebug) qDebug() << "newClusterDialog::createNewCluster()" << "Creating interfaces"; foreach(EditedInterfaceData data, 
this->m_dialog->interfaceEditor->getNewData()) { Interface *oi = Interface::cast(db->create(Interface::TYPENAME)); oi->setName(string(data.name.toUtf8().constData())); if (fwbdebug) qDebug() << "newClusterDialog::createNewCluster()" << "Interface" << data.name; ncl->add(oi); oi->setLabel(string(data.label.toUtf8().constData())); QList > member_interfaces; foreach(ClusterInterfaceData cid, cluster_interfaces) { if (cid.name == data.name) { member_interfaces = cid.interfaces; break; } } foreach(AddressInfo address, data.addresses) { if (address.ipv4) { QString addrname = QString("%1:%2:ip") .arg(m_dialog->obj_name->text()) .arg(data.name); IPv4 *oa = IPv4::cast(db->create(IPv4::TYPENAME)); oa->setName(string(addrname.toUtf8().constData())); oi->add(oa); oa->setAddress(InetAddr(address.address.toLatin1().constData())); bool ok = false ; int inetmask = address.netmask.toInt(&ok); if (ok) { oa->setNetmask(InetAddr(inetmask)); } else { oa->setNetmask(InetAddr(address.netmask.toLatin1().constData())); } } else { QString addrname = QString("%1:%2:ip") .arg(m_dialog->obj_name->text()) .arg(data.name); IPv6 *oa = IPv6::cast(db->create(IPv6::TYPENAME)); oa->setName(string(addrname.toUtf8().constData())); oi->add(oa); oa->setAddress(InetAddr(AF_INET6, address.address.toLatin1().constData())); bool ok = false ; int inetmask = address.netmask.toInt(&ok); if (ok) { oa->setNetmask(InetAddr(AF_INET6, inetmask)); } else { oa->setNetmask(InetAddr(AF_INET6, address.netmask.toLatin1().constData())); } } } if (fwbdebug) qDebug() << "newClusterDialog::createNewCluster()" << "Setting up failover group" << "master=" << master; FWOptions *ifopt; ifopt = oi->getOptionsObject(); ifopt->setStr("type", "cluster_interface"); // create failover group for this interface QString grpname = QString("%1:%2:members") .arg(m_dialog->obj_name->text()) .arg(data.name); FailoverClusterGroup *failover_grp = FailoverClusterGroup::cast( db->create(FailoverClusterGroup::TYPENAME)); 
failover_grp->setName(string(grpname.toUtf8().constData())); oi->add(failover_grp); QString failover_protocol_name = data.protocol.toLower(); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) failover_grp->setStr("type", failover_protocol_name.toAscii().constData()); #else failover_grp->setStr("type", failover_protocol_name.toLatin1().constData()); #endif typedef QPair intfpair; foreach(intfpair intf, member_interfaces) { Firewall *member_fw = intf.first; Interface *member_intf = intf.second; if (fwbdebug) qDebug() << "Adding" << "member_fw=" << member_fw << "member_intf=" << member_intf->getName().c_str(); id_mapping[member_intf->getId()] = oi->getId(); failover_grp->addRef(member_intf); if (master!=NULL && member_fw == master) { std::string masteriface_id = FWObjectDatabase::getStringId(member_intf->getId()); failover_grp->setStr("master_iface", masteriface_id); } } // need to populate failover group with some reasonable // default values. If this is not done, parameters such as // CARP vhid remain blank and that leads to incomplete // generated configurations setDefaultFailoverGroupAttributes(failover_grp); } // Set correct type of the state sync group (the StateSyncGroup object is // created in Cluster::init() FWObject *state_sync_members = ncl->getFirstByType(StateSyncClusterGroup::TYPENAME); setDefaultStateSyncGroupAttributes( StateSyncClusterGroup::cast(state_sync_members)); // Copy rule sets if requested Firewall *source = NULL; foreach (QRadioButton* btn, copy_rules_from_buttons.keys()) { if (btn->isChecked() && btn != noPolicy) { source = copy_rules_from_buttons[btn]; break; } } if (fwbdebug) qDebug() << "newClusterDialog::createNewCluster() checkpoint 4"; ProjectPanel *pp = mw->activeProject(); QString filename = pp->getFileName(); if (source == NULL) { if (fwbdebug) qDebug() << "newClusterDialog::createNewCluster() checkpoint 5"; FWObject *first_policy = ncl->getFirstByType(Policy::TYPENAME); if (fwbdebug) qDebug() << "newClusterDialog::createNewCluster() 
checkpoint 6" << "first_policy=" << first_policy; QCoreApplication::postEvent( mw, new openRulesetEvent(filename, first_policy->getId())); return; } // See #1622 If rule set view shows rules of the firewall // , need to close it because we are about to delete that // rule set object RuleSet* current_ruleset = NULL; RuleSetView* rsv = pp->getCurrentRuleSetView(); RuleSetModel* md = NULL; if (rsv) { md = (RuleSetModel*)rsv->model(); current_ruleset = md->getRuleSet(); } if (current_ruleset && current_ruleset->isChildOf(source)) { pp->closeRuleSet(current_ruleset); } db->setIgnoreReadOnlyFlag(true); FWObject *fwgroup = FWBTree().getStandardSlotForObject(parent->getLibrary(), Firewall::TYPENAME); foreach(fwpair member, member_firewalls) { Firewall *fw = member.first; id_mapping[fw->getId()] = ncl->getId(); string name_bak = fw->getName() + "-bak"; FWCmdAddObject *cmd = new FWCmdAddObject( mw->activeProject(), fwgroup, NULL, QString("Create new Firewall %1") .arg(QString::fromUtf8(name_bak.c_str()))); cmd->setNeedTreeReload(true); FWObject *new_state = cmd->getNewState(); Firewall *bakfw = Firewall::cast(new_state->addCopyOf(fw)); bakfw->setName(name_bak); bakfw->setInactive(true); mw->activeProject()->undoStack->push(cmd); } copyRuleSets(Policy::TYPENAME, source, id_mapping); copyRuleSets(NAT::TYPENAME, source, id_mapping); copyRuleSets(Routing::TYPENAME, source, id_mapping); //ncl->getRoot()->fixReferences(ncl, id_mapping); foreach(fwpair member, member_firewalls) { Firewall *fw = member.first; deleteRuleSets(Policy::TYPENAME, fw); deleteRuleSets(NAT::TYPENAME, fw); deleteRuleSets(Routing::TYPENAME, fw); } db->setIgnoreReadOnlyFlag(false); FWObject *first_policy = ncl->getFirstByType(Policy::TYPENAME); QCoreApplication::postEvent( mw, new openRulesetEvent(filename, first_policy->getId())); } void newClusterDialog::deleteRuleSets(const string &type, Firewall *fw) { list rule_sets = fw->getByType(type); foreach(FWObject *rs, rule_sets) fw->remove(rs); 
fw->add(db->create(type)); } void newClusterDialog::copyRuleSets(const string &type, Firewall *source, map &id_mapping) { list old_ones = ncl->getByType(type); foreach(FWObject *old, old_ones) ncl->remove(old); FWObjectDatabase *db = ncl->getRoot(); FWObjectTypedChildIterator it = source->findByType(type); for (; it != it.end(); ++it) { FWObject *new_ruleset = ncl->addCopyOf(*it); id_mapping[(*it)->getId()] = new_ruleset->getId(); db->fixReferences(new_ruleset, id_mapping); } /* * since the order in which we copy rule sets is undefined and * because they may have references to each other via branching * rules, we need to fix references in them after we create all of * them. This fixes SF bug #3106168 "Branch destinations lost when adding to cluster" */ it = ncl->findByType(type); for (; it != it.end(); ++it) { db->fixReferences(*it, id_mapping); } } fwbuilder-5.3.7/src/libgui/newFirewallDialog.cpp000066400000000000000000001204601303637203600216640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "platforms.h" #include "newFirewallDialog.h" #include "ObjConflictResolutionDialog.h" #include "upgradePredicate.h" #include "FWBSettings.h" #include "FWBTree.h" #include "events.h" #include "FWBApplication.h" #include "QDesktopWidget" #include "networkZoneManager.h" #include "ObjConflictResolutionDialog.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Policy.h" #include "fwbuilder/BackgroundOp.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Constants.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include // must be the last for win #include "fwbuilder/snmp.h" using namespace libfwbuilder; using namespace std; #define NAME_AND_PLATFORM_PAGE 0 #define INTERFACES_MANUAL_OR_SNMP 1 #define CONFIGURE_INTERFACES_MANUALLY 2 #define CONFIGURE_SECURITY_LEVELS 3 #define CONFIGURE_NETWORK_ZONES 4 #define CHOOSE_FW_TEMPLATE 5 #define CONFIGURE_TEMPLATE_INTERFACES_MANUALLY 6 newFirewallDialog::newFirewallDialog(QWidget *parentw, FWObject *_p) : QDialog(parentw) { db_orig = _p->getRoot(); db_copy = new FWObjectDatabase(); db_copy->duplicate(db_orig, false); parent = db_copy->getById(_p->getId(), true); m_dialog = new Ui::newFirewallDialog_q; m_dialog->setupUi(this); possible_inside_interface_labels.push_back("inside"); possible_inside_interface_labels.push_back("GREEN"); possible_inside_interface_labels.push_back("green"); possible_outside_interface_labels.push_back("outside"); 
possible_outside_interface_labels.push_back("RED"); possible_outside_interface_labels.push_back("red"); possible_dmz_interface_labels.push_back("dmz"); possible_dmz_interface_labels.push_back("ORANGE"); possible_dmz_interface_labels.push_back("orange"); setControlWidgets(this, m_dialog->stackedWidget, m_dialog->nextButton, m_dialog->finishButton, m_dialog->backButton, m_dialog->cancelButton, m_dialog->titleLabel); nfw = NULL; tmpldb = NULL; snmpPollCompleted = false; q = NULL; unloadTemplatesLib = false; getInterfacesBusy = false; timer = new QTimer(this); connect( timer, SIGNAL(timeout()), this, SLOT(monitor())); connect( m_dialog->selectCustomTemplateLib, SIGNAL(pressed()), this, SLOT(browseTemplate())); connect( m_dialog->useStandard, SIGNAL(toggled(bool)), this, SLOT(updateTemplatePanel())); connect( m_dialog->useTemplate, SIGNAL(released()), this, SLOT(updateTemplatePanel())); m_dialog->useStandard->setChecked(true); m_dialog->templateFilePath->setText( Constants::getTemplatesObjectsFilePath().c_str()); updateTemplatePanel(); /* fill in platform. Since iptables is the most popular, start with * it. */ QString new_fw_platform = st->getNewFirewallPlatform(); /* if new_fw_platform is empty, the drop-down list will have empty * item which will be current. This is so only on the first run of * the program because it remembers chosen platform and uses it on * subsequent runs. 
*/ setPlatform(m_dialog->platform, new_fw_platform); /* fill in host OS */ setHostOS(m_dialog->hostOS, readPlatform(m_dialog->platform), ""); setNextEnabled( NAME_AND_PLATFORM_PAGE, false ); //m_dialog->iface_sl_list->setAllColumnsShowFocus( true ); QTimer::singleShot(0, m_dialog->obj_name, SLOT(setFocus())); currentTemplate = NULL; this->m_dialog->interfaceEditor1->clear(); this->m_dialog->interfaceEditor2->clear(); this->m_dialog->interfaceEditor1->closeTab(); this->m_dialog->interfaceEditor2->closeTab();//->removeTab(0); this->m_dialog->interfaceEditor1->setExplanation( tr("Interfaces with the type set to 'Dynamic IP address' get " "IP address by means of DHCP or PPP protocol and do not " "require an address here. Interfaces with the type set to " "'Static IP address' have statically configured IP address " "which should be entered on this page. Interface can have " "several IPv4 and IPv6 addresses.") ); this->m_dialog->interfaceEditor2->setExplanation( tr("Here you can change IP address of the template interface " "to match addresses used on your network. 
" "Interface can have several IPv4 and " "IPv6 addresses.") ); this->resize(this->width(), this->minimumHeight()); int maxheight = (int)(app->desktop()->height()*0.9); if (this->height() > maxheight) this->resize(this->width(), maxheight); showPage(NAME_AND_PLATFORM_PAGE); } void newFirewallDialog::browseTemplate() { QString fileName = QFileDialog::getOpenFileName( this, tr("FWBuilder template files"), st->getOpenFileDir(), tr("FWBuilder template files (*.xml *.fwb *.fwl)")); if (fileName.isEmpty()) return; st->setOpenFileDir(fileName); m_dialog->templateFilePath->setText(fileName); updateTemplatePanel(); } void newFirewallDialog::useStandardTemplate() { m_dialog->templateFilePath->setText( Constants::getTemplatesObjectsFilePath().c_str()); updateTemplatePanel(); } void newFirewallDialog::updateTemplatePanel() { if (st->customTemplatesEnabled() && m_dialog->useTemplate->checkState()==Qt::Checked) { QString fileName = m_dialog->templateFilePath->text(); bool using_std = m_dialog->useStandard->isChecked(); m_dialog->templateGroupBox->setVisible(true); m_dialog->templateFilePathLabel->setVisible(true); m_dialog->templateFilePath->setVisible(true); m_dialog->templateLibExplanation->setVisible(true); m_dialog->templateFilePath->setEnabled(!using_std); m_dialog->selectCustomTemplateLib->setEnabled(!using_std); if (using_std) { m_dialog->templateFilePath->setText( Constants::getTemplatesObjectsFilePath().c_str()); } } else { m_dialog->templateGroupBox->setVisible(false); } } newFirewallDialog::~newFirewallDialog() { delete m_dialog; if (timer!=NULL) delete timer; #ifdef HAVE_LIBSNMP if (q!=NULL) delete q; #endif delete db_copy; } void newFirewallDialog::changed() { int p = currentPage(); if (fwbdebug) qDebug() << "newFirewallDialog::changed() page=" << p << "use_manual=" << m_dialog->use_manual->isChecked() << "use_snmp=" << m_dialog->use_snmp->isChecked(); if (p==NAME_AND_PLATFORM_PAGE) { setNextEnabled(p, !m_dialog->obj_name->text().isEmpty() && 
!readPlatform(m_dialog->platform).isEmpty() );
        // NOTE(review): the beginning of changed() is outside this excerpt;
        // only its tail is visible here.
        setHostOS(m_dialog->hostOS, readPlatform(m_dialog->platform), "");
        QString host_os = readHostOS(m_dialog->hostOS);
        m_dialog->interfaceEditor1->setHostOS(host_os);
        m_dialog->interfaceEditor2->setHostOS(host_os);
    }

    if (p==INTERFACES_MANUAL_OR_SNMP)
    {
        bool use_snmp = false;
#ifdef HAVE_LIBSNMP
        use_snmp = m_dialog->use_snmp->isChecked();
#else
        // Without net-snmp the SNMP option is never available.
        use_snmp = false;
        m_dialog->use_snmp->setEnabled( use_snmp );
#endif
        m_dialog->snmpIP->setEnabled( use_snmp );
        m_dialog->snmp_community->setEnabled( use_snmp );
        m_dialog->snmpQuery->setEnabled( use_snmp );
        m_dialog->snmpProgress->setEnabled( use_snmp );
        if ( use_snmp ) m_dialog->snmp_community->setFocus();
        if (use_snmp)
        {
            // Pre-fills the SNMP address field from the object name (DNS).
            getIPAddressOfFirewallByName();
        }
        // "Next" is allowed either for manual configuration or once an
        // SNMP poll has completed (see monitor()).
        use_snmp = m_dialog->use_manual->isChecked() || snmpPollCompleted;
        setNextEnabled( 1, use_snmp );
    }

    if (fwbdebug) qDebug() << "newFirewallDialog::changed() done";
}

/*
 * Resolves the firewall name typed by the user via DNS (IPv4 only) and
 * puts the result into the SNMP address field. Shows a warning dialog
 * when resolution fails; the field is left empty in that case.
 *
 * getInterfacesBusy is raised for the duration because getAddrByName
 * processes events (see the comment in getInterfacesViaSNMP()).
 */
void newFirewallDialog::getIPAddressOfFirewallByName()
{
    getInterfacesBusy = true;
    m_dialog->snmpIP->setText("");

    QString name = m_dialog->obj_name->text().toLatin1().constData();
    QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) );
    QString addr = getAddrByName(name, AF_INET);
    QApplication::restoreOverrideCursor();

    if (!addr.isEmpty())
        m_dialog->snmpIP->setText(addr);
    else
    {
        QMessageBox::warning(
            this,"Firewall Builder",
            tr("Address of %1 could not be obtained via DNS")
            .arg(m_dialog->obj_name->text()),
            "&Continue", QString::null, QString::null, 0, 1 );
    }
    getInterfacesBusy = false;
}

/*
 * Timer slot that drives an SNMP interface query started by
 * getInterfacesViaSNMP(). While the query is running it streams logger
 * output into the progress widget; once it has finished it guesses
 * platform / host OS / version from the device's sysDescr and fills
 * interfaceEditor1 with the discovered interfaces.
 *
 * Everything read from q (sysDescr, interface names, MAC addresses)
 * originates from the polled device and should be treated as untrusted
 * input; here it is only displayed and copied into object attributes.
 */
void newFirewallDialog::monitor()
{
    // Nothing to do until a query and its logger exist.
    if (logger==NULL || q==NULL) return;

#ifdef HAVE_LIBSNMP
    if( logger->ready() )
    {
        QString str = logger->getLine().c_str();
        m_dialog->snmpProgress->moveCursor( QTextCursor::End );
        m_dialog->snmpProgress->insertPlainText( str );
        return;
    }

    if (q->isRunning()) return;

    timer->stop();

    QString platform = readPlatform(m_dialog->platform);

    // Fills the discovered_* members used later by finishClicked().
    guessOSAndPlatformFromSysDescr(q->getDescr().c_str(),
                                   discovered_platform,
                                   discovered_host_os,
                                   discovered_version);

    if (fwbdebug) qDebug() << "Guessed version as " << discovered_version;

    // NOTE(review): template arguments of these two declarations were
    // lost in extraction (angle brackets stripped).
    map* intf = q->getInterfaces();
    map::iterator i;

    this->m_dialog->interfaceEditor1->clear();
    this->m_dialog->interfaceEditor1->removeTab(0);

    for (i=intf->begin(); i!=intf->end(); ++i)
    {
        InterfaceData* idata = &(i->second);

        if (fwbdebug)
        {
            qDebug() << "------------------------------------------------";
            qDebug() << "id=" << idata->id.c_str();
            qDebug() << "name=" << idata->name.c_str();
            qDebug() << "snmp_type=" << idata->snmp_type;
            qDebug() << "ostatus=" << idata->ostatus;
            qDebug() << "mac_addr=" << idata->mac_addr.c_str();
            qDebug() << "interface_type=" << idata->interface_type.c_str();
            qDebug() << "";
        }

        /*
         * some special treatment of discovered interfaces for Cisco ASA devices:
         * if mac address is reported as 00:00:00:00:00:00 or
         * 00:00:00:anything, this is usually some kind of internal special
         * interface and we can skip it. Examples: "_internal_loopback",
         * "Internal-Data0/1"
         *
         * This is different from how Linux reports mac address of a
         * loopback because Linux snmpd returns empty string for the
         * loopback mac address.
         *
         * The name of the interface reported by ASA is like this:
         * "Adaptive Security Appliance 'Ethernet0/0' interface"
         *
         * Need to strip all this verbose description
         */
        // Interfaces that are not operationally up are skipped entirely.
        if (idata->ostatus)
        {
            guessInterfaceLabel(idata);

            if (platform == "pix" || platform == "fwsm")
            {
                if ( ! idata->mac_addr.empty() &&
                     idata->snmp_type == 1 &&
                     idata->mac_addr.find("00:00:00")==0) continue;

                QString name = idata->name.c_str();
                name.replace("Adaptive Security Appliance '", "");
                name.replace("Cisco PIX Security Appliance '", "");
                name.replace("PIX Firewall '", "");
                name.replace("' interface", "");
                idata->name = name.toStdString();
            }

            this->m_dialog->interfaceEditor1->addInterfaceFromData(idata);
        }
    }

    // Always leave the editor with at least one (empty) interface tab.
    if ( this->m_dialog->interfaceEditor1->count() == 0 )
        this->m_dialog->interfaceEditor1->addNewInterface();

    delete q;
    q=NULL;
#endif

    snmpPollCompleted=true;
    setNextEnabled( INTERFACES_MANUAL_OR_SNMP, true );
}

/*
 * Slot for the "SNMP query" button. Validates the community string,
 * resolves the address field (literal address first, DNS as fallback),
 * then starts an asynchronous SNMP_interface_query whose progress is
 * consumed by monitor() via the zero-interval timer.
 *
 * The community string is a credential; it is read from the dialog and
 * handed to the query object only, not written anywhere here.
 */
void newFirewallDialog::getInterfacesViaSNMP()
{
#ifdef HAVE_LIBSNMP
    // need to protect from reentry because getAddrByName processes events
    if (q!=NULL || getInterfacesBusy) return;

    snmpPollCompleted=false;

    m_dialog->interfaceEditor1->clear();

    string rcomm=m_dialog->snmp_community->text().toLatin1().constData();

    if ( rcomm.empty() )
    {
        QMessageBox::warning(
            this,"Firewall Builder",
            tr("Missing SNMP community string."),
            "&Continue", QString::null, QString::null, 0, 1 );
        return ;
    }

    getInterfacesBusy = true;

    InetAddr addr;

    // InetAddr throws FWException for anything that is not a literal
    // address; in that case the text is treated as a host name.
    try
    {
        addr = InetAddr(m_dialog->snmpIP->text().toStdString());
    } catch (FWException &ex)
    {
        try
        {
            QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) );
            QString a = getAddrByName(m_dialog->snmpIP->text(), AF_INET);
            QApplication::restoreOverrideCursor();
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
            addr = InetAddr(a.toAscii().constData());
#else
            addr = InetAddr(a.toLatin1().constData());
#endif
            // NOTE(review): the busy flag is dropped here, before the
            // query below is actually started.
            getInterfacesBusy = false;
        } catch (FWException &ex)
        {
            QMessageBox::warning(
                this,"Firewall Builder",
                tr("Address of %1 could not be obtained via DNS")
                .arg(m_dialog->snmpIP->text()),
                "&Continue", QString::null, QString::null, 0, 1 );
            getInterfacesBusy = false;
            return ;
        }
    }

    logger = NULL;
    m_dialog->snmpProgress->clear();

    // Unreachable in practice: q!=NULL already returned above.
    if (q!=NULL) delete q;
    q = new SNMP_interface_query();
    q->init(addr.toString(), rcomm, SNMP_DEFAULT_RETRIES, SNMP_DEFAULT_TIMEOUT);

    timer->setSingleShot(false);
    timer->start(0);

    try
    {
        logger = q->start_operation();
    } catch(const FWException &ex)
    {
        //do nothing
        // NOTE(review): if start_operation() throws, logger stays NULL, so
        // monitor() returns early on every tick and never stops the timer
        // or deletes q; consider stopping the timer and resetting q here.
    }
    getInterfacesBusy = false;
#endif
}

/*
 * Ordering predicate for sort(): interfaces compared by name.
 */
bool interfaceCompare(libfwbuilder::Interface *first, libfwbuilder::Interface *second)
{
    return first->getName() < second->getName();
}

/*
 * FakeWizard hook: tells which pages are part of the current flow.
 * The interface/security-level/network-zone pages are skipped when the
 * firewall is created from a template.
 */
bool newFirewallDialog::appropriate(const int page) const
{
    switch (page)
    {
    case NAME_AND_PLATFORM_PAGE:
    case CHOOSE_FW_TEMPLATE:
        return true;

    case INTERFACES_MANUAL_OR_SNMP:
    case CONFIGURE_INTERFACES_MANUALLY:
    case CONFIGURE_SECURITY_LEVELS:
    case CONFIGURE_NETWORK_ZONES:
        return (!m_dialog->useTemplate->isChecked());
    }
    return true;
}

/*
 * "Next" button handler. Refuses to leave the template page without a
 * selected template, and the manual interface page while the interface
 * editor reports invalid data.
 */
void newFirewallDialog::nextClicked()
{
    if ( currentPage() == CHOOSE_FW_TEMPLATE )
    {
        if (m_dialog->templateList->currentItem() == NULL)
        {
            QMessageBox::warning(
                this,"Firewall Builder",
                tr("Please select template"),
                tr("&Continue"), QString::null,QString::null, 0, 1 );
            showPage(CHOOSE_FW_TEMPLATE);
            return;
        }
    }

    if ( currentPage() == CONFIGURE_INTERFACES_MANUALLY )
        if ( !this->m_dialog->interfaceEditor1->isValid() ) return;

    // FakeWizard::nextRelevant() finds next (in the numerical order)
    // page that is permitted by function appropriate() and returns
    // its number
    if (nextRelevant( currentPage() ) > -1)
        showPage(nextRelevant( currentPage() ));
}

/*
 * "Back" button handler; mirrors nextClicked() using previousRelevant().
 */
void newFirewallDialog::backClicked()
{
    if (previousRelevant( currentPage() ) > -1)
        showPage(previousRelevant( currentPage() ));
}

/*
 * Switches to the given wizard page and performs the per-page setup:
 * loading the template library, (re)creating the firewall object from
 * the template, filling the security level / network zone tables, and
 * enabling Next/Finish as appropriate for that page.
 */
void newFirewallDialog::showPage(const int page)
{
    FakeWizard::showPage(page);

    int p = page;

    if (fwbdebug)
        qDebug() << "newFirewallDialog::showPage page=" << page;

    // p is a page number _after_ it changed
    switch (p)
    {
    case NAME_AND_PLATFORM_PAGE:
        // we get here if user hits "Back" on page 4 (where they
        // choose template object)
        if (tmpldb!=NULL)
        {
            m_dialog->templateList->clear();
            delete tmpldb;
            tmpldb = NULL;
        }
        m_dialog->nextButton->setDefault(true);
        m_dialog->obj_name->setFocus();
        break;

    case INTERFACES_MANUAL_OR_SNMP:
    {
        // page 1 is where we choose to configure interfaces manually or via snmp
        m_dialog->snmpIP->setText("");
        changed();  // to properly enable/disable widgets
        m_dialog->nextButton->setDefault(true);
        break;
    }

    case CONFIGURE_INTERFACES_MANUALLY:
    {
        if (!Resources::getTargetCapabilityBool(
                readPlatform(m_dialog->platform).toLatin1().constData(),
                "security_levels") )
        {
            /* if chosen fw platform does not support security levels,
             * this is the last page */
            setNextEnabled( CONFIGURE_INTERFACES_MANUALLY, false );
            setFinishEnabled( CONFIGURE_INTERFACES_MANUALLY, true );
            m_dialog->finishButton->setDefault(true);
        }
        break;
    }

    case CONFIGURE_SECURITY_LEVELS:
    {
        if (m_dialog->useTemplate->isChecked())
        {
            showPage( NAME_AND_PLATFORM_PAGE );
            return;
        }
        // Edit security levels
        fillInterfaceSLList();
        setNextEnabled( CONFIGURE_SECURITY_LEVELS, true );
        setFinishEnabled( CONFIGURE_SECURITY_LEVELS, false );
        m_dialog->nextButton->setDefault(true);
        break;
    }

    case CONFIGURE_NETWORK_ZONES:
    {
        if (m_dialog->useTemplate->isChecked())
        {
            showPage( NAME_AND_PLATFORM_PAGE );
            return;
        }
        // Edit network zones
        fillInterfaceNZList();
        setNextEnabled(CONFIGURE_NETWORK_ZONES, false );
        setFinishEnabled(CONFIGURE_NETWORK_ZONES, true );
        m_dialog->finishButton->setDefault(true);
        break;
    }

    case CHOOSE_FW_TEMPLATE:
    {
        // Show firewall templates
        setFinishEnabled( CHOOSE_FW_TEMPLATE, false );
        setNextEnabled( CHOOSE_FW_TEMPLATE, true );

        // load templates if not loaded
        // The template library is an XML file whose path comes from the
        // dialog (templateFilePath); parsing is done by FWObjectDatabase::load.
        if (tmpldb==NULL)
        {
            MessageBoxUpgradePredicate upgrade_predicate(this);

            tmpldb = new FWObjectDatabase();
            tmpldb->setReadOnly( false );
            try
            {
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
                tmpldb->load( m_dialog->templateFilePath->text().toAscii().data(),
                              &upgrade_predicate, Constants::getDTDDirectory());
#else
                tmpldb->load( m_dialog->templateFilePath->text().toLatin1().data(),
                              &upgrade_predicate, Constants::getDTDDirectory());
#endif
            } catch (FWException &ex)
            {
                // On failure tmpldb stays allocated but empty; the code
                // below then simply finds no templates.
                QMessageBox::critical(
                    this,"Firewall Builder",
                    tr("Error loading template library:\n%1")
                    .arg(ex.toString().c_str()),
                    tr("&Continue"), QString::null,QString::null, 0, 1 );
            }
        }

        // nfw != NULL if user clicked Back on one of the subsequent
        // pages because we create firewall object when they click
        // Next on the page where they choose template ( see case
        // CONFIGURE_TEMPLATE_INTERFACES_MANUALLY below)
        if (nfw)
        {
            parent->remove(nfw, false);
            delete nfw;
            nfw = NULL;
        }

        // NOTE(review): template argument of this list was lost in extraction.
        list fl;
        FWObjectTypedChildIterator libiter = tmpldb->findByType(Library::TYPENAME);
        for ( ; libiter!=libiter.end(); ++libiter)
            findFirewalls(*libiter, fl, false);

        QString icn = ":/Icons/Firewall/icon-tree";

        m_dialog->templateList->clear();

        int n = 0;
        QListWidgetItem *first_template = NULL;
        for (list::iterator m=fl.begin(); m!=fl.end(); m++,n++)
        {
            FWObject *o = *m;

            /*
              Ticket #1492 requested the change to only show the user
              templates that match platform and host OS they choose on
              the first page of the wizard. Unfortunately this does
              not really work because most templates have platform
              and host OS set to "unknown". Either we have to maintain
              many almost identical templates to provide enough
              choices for all possible platforms, or we should not
              filter by platform.

#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
            string platform = readPlatform(m_dialog->platform).toAscii().constData();
            string host_os = readHostOS(m_dialog->hostOS).toAscii().constData();
#else
            string platform = readPlatform(m_dialog->platform).toLatin1().constData();
            string host_os = readHostOS(m_dialog->hostOS).toLatin1().constData();
#endif

            if (o->getStr("platform") != platform ||
                o->getStr("host_OS") != host_os) continue;
            */

            QPixmap pm;
            if ( ! QPixmapCache::find( icn, pm) )
            {
                pm.load( icn );
                QPixmapCache::insert( icn, pm);
            }
            QListWidgetItem *twi = new QListWidgetItem;
            twi->setIcon( QIcon(pm) );
            twi->setText( QString(o->getName().c_str()) );
            m_dialog->templateList->addItem( twi );
            // Remember which template object each list item stands for;
            // templateSelected() and createFirewallFromTemplate() look it up.
            templates[ m_dialog->templateList->item( m_dialog->templateList->count()-1 ) ] = o;
            if (first_template == NULL) first_template = twi;
        }
        m_dialog->templateList->setFocus();
        m_dialog->templateList->setCurrentItem(first_template,
                                               QItemSelectionModel::SelectCurrent);
        m_dialog->finishButton->setDefault(false);
        m_dialog->nextButton->setDefault(true);
        break;
    }

    case CONFIGURE_TEMPLATE_INTERFACES_MANUALLY:
    {
        // Edit interfaces of the template object
        createFirewallFromTemplate();
        setFinishEnabled( CONFIGURE_TEMPLATE_INTERFACES_MANUALLY, true );
        this->m_dialog->interfaceEditor2->clear();
        this->m_dialog->interfaceEditor2->closeTab();//->removeTab(0);
        this->m_dialog->interfaceEditor2->setCornerWidgetsVisible(false);
        // NOTE(review): template argument of this QList was lost in extraction.
        QList interfaces;
        FWObjectTypedChildIterator intiter = nfw->findByType(Interface::TYPENAME);
        for ( ; intiter != intiter.end(); ++intiter )
            interfaces.append(Interface::cast(*intiter));
        sort(interfaces.begin(), interfaces.end(), interfaceCompare);
        foreach(Interface* intr, interfaces)
            m_dialog->interfaceEditor2->addInterface(intr);
        m_dialog->finishButton->setDefault(true);
    }
    }
}

/*
 * Converts one interface from the interface editor into an InterfaceData
 * record: name, label, the first IPv4 address (or the first address of
 * any family when there is no IPv4 one) and, for IPv4, a security level
 * guessed for the chosen platform. Interfaces without an IPv4 address
 * get security level 0.
 *
 * On a guessSecurityLevel() failure a warning is shown and the wizard
 * jumps back to the manual interface page.
 */
void newFirewallDialog::getInterfaceDataFromInterfaceEditor(
    EditedInterfaceData &edata, InterfaceData &idata)
{
    idata.name = edata.name.toStdString();
    idata.label = edata.label.toStdString();

    AddressInfo address;
    bool gotIPv4 = false;
    foreach(AddressInfo addr, edata.addresses.values())
    {
        if (addr.ipv4)
        {
            address = addr;
            gotIPv4 = true;
            break;
        }
    }

    InetAddrMask *iam;// = new InetAddrMask();

    // edata.type == 0 is a regular (statically addressed) interface
    if (edata.type == 0 && edata.addresses.size() != 0)
    {
        if (!gotIPv4)
            address = edata.addresses.values().first();

        // NOTE(review): InetAddr(std::string) throws FWException for
        // malformed input (see getInterfacesViaSNMP) and this call is not
        // inside a try; a numeric prefix length in netmask is also not
        // handled here, unlike finishClicked() — confirm InetAddr accepts it.
        if ( address.ipv4 )
            iam = new InetAddrMask(
                InetAddr(address.address.toStdString()),
                InetAddr(address.netmask.toStdString()));
        else
        {
            iam = new InetAddrMask(
                InetAddr(AF_INET6, address.address.toStdString()),
                InetAddr(AF_INET6, address.netmask.toStdString()));
        }
        idata.addr_mask.push_back(iam);
    }

    if (gotIPv4)
    {
        try
        {
            guessSecurityLevel(
                readPlatform(m_dialog->platform).toStdString(), &idata);
        } catch (FWException &ex)
        {
            QMessageBox::warning(
                this,"Firewall Builder",
                ex.toString().c_str(),
                "&Continue", QString::null, QString::null, 0, 1 );
            showPage( CONFIGURE_INTERFACES_MANUALLY );
            return;
        }
    } else
        idata.securityLevel = 0;
}

/*
 * Rebuilds the security level table (iface_sl_list): one row per
 * interface from interfaceEditor1 with read-only name/label/address
 * cells and a 0..100 spin box pre-set to the guessed security level.
 * finishClicked() reads the spin boxes back by interface name.
 */
void newFirewallDialog::fillInterfaceSLList()
{
    m_dialog->iface_sl_list->clear();
    QStringList labels;
    labels << QObject::tr("Name") << QObject::tr("Label")
           << QObject::tr("Address") << QObject::tr("Security Level");
    m_dialog->iface_sl_list->setHorizontalHeaderLabels(labels);

    int row = 0;
    foreach(EditedInterfaceData iface,
            this->m_dialog->interfaceEditor1->getData().values() +
            this->m_dialog->interfaceEditor1->getNewData())
    {
        InterfaceData idata;
        getInterfaceDataFromInterfaceEditor(iface, idata);

        m_dialog->iface_sl_list->insertRow(row);

        QTableWidgetItem* itm;
        itm = new QTableWidgetItem(iface.name);
        itm->setFlags(itm->flags() & ~Qt::ItemIsEditable);
        m_dialog->iface_sl_list->setItem(row, 0, itm);

        itm = new QTableWidgetItem(iface.label);
        itm->setFlags(itm->flags() & ~Qt::ItemIsEditable);
        m_dialog->iface_sl_list->setItem(row, 1, itm);

        // Only the first address is shown in the table.
        QString addr_str;
        if (iface.addresses.size() > 0)
        {
            AddressInfo addr = *(iface.addresses.begin());
            addr_str = addr.address;
        }
        itm = new QTableWidgetItem(addr_str);
        itm->setFlags(itm->flags() & ~Qt::ItemIsEditable);
        m_dialog->iface_sl_list->setItem(row, 2, itm);

        //itm = new QTableWidgetItem(QString::number(idata.securityLevel));
        QSpinBox *widget = new QSpinBox();
        widget->setMaximum(100);
        widget->setMinimum(0);
        widget->setValue(idata.securityLevel);
        m_dialog->iface_sl_list->setCellWidget(row, 3, widget);

        row++;
    }
}

/*
 * Rebuilds the network zone table (iface_nz_list) the same way as
 * fillInterfaceSLList(), but with a network zone combo box (populated
 * from db_copy by NetworkZoneManager) in the last column.
 */
void newFirewallDialog::fillInterfaceNZList()
{
    m_dialog->iface_nz_list->clear();
    QStringList labels;
    labels << QObject::tr("Name") << QObject::tr("Label")
           << QObject::tr("Address") << QObject::tr("Network Zone");
    m_dialog->iface_nz_list->setHorizontalHeaderLabels(labels);

    NetworkZoneManager netzone_manager;
    netzone_manager.load(db_copy);

    int row = 0;
    foreach(EditedInterfaceData iface,
            this->m_dialog->interfaceEditor1->getData().values() +
            this->m_dialog->interfaceEditor1->getNewData())
    {
        InterfaceData idata;
        getInterfaceDataFromInterfaceEditor(iface, idata);

        m_dialog->iface_nz_list->insertRow(row);

        QTableWidgetItem* itm;
        itm = new QTableWidgetItem(iface.name);
        itm->setFlags(itm->flags() & ~Qt::ItemIsEditable);
        m_dialog->iface_nz_list->setItem(row, 0, itm);

        itm = new QTableWidgetItem(iface.label);
        itm->setFlags(itm->flags() & ~Qt::ItemIsEditable);
        m_dialog->iface_nz_list->setItem(row, 1, itm);

        QString addr_str;
        if (iface.addresses.size() > 0)
        {
            AddressInfo addr = *(iface.addresses.begin());
            addr_str = addr.address;
        }
        itm = new QTableWidgetItem(addr_str);
        itm->setFlags(itm->flags() & ~Qt::ItemIsEditable);
        m_dialog->iface_nz_list->setItem(row, 2, itm);

        QComboBox *widget = new QComboBox();
        netzone_manager.packComboBox(widget, -1);
        m_dialog->iface_nz_list->setCellWidget(row, 3, widget);

        row++;
    }
    m_dialog->iface_nz_list->resizeColumnToContents(3);
}

/*
 * this slot is connected to currentItemChanged signal of templateList
 * As a side effect, this slot is called when we clear templateList.
 *
 * Shows the selected template's comment and a summary of its outside /
 * inside / DMZ interfaces (matched by label against the possible_*
 * label lists), hiding the panels for interfaces the template lacks.
 */
void newFirewallDialog::templateSelected(QListWidgetItem *itm)
{
    if (templates.size()==0) return;
    FWObject *o = templates[itm];
    if (o==NULL) return;
    this->m_dialog->interfaceEditor2->setTemplate(o);
    currentTemplate = o;

    Firewall *fw = Firewall::cast(o);

    m_dialog->templateComment->clear();
    // NOTE(review): markup inside this literal was lost in extraction
    // (the literal spans a line break as a result). The template comment
    // is appended next to it, so it is presumably interpreted as rich
    // text; templates come from the library file chosen by the user.
    QString s = QString("
\n") + fw->getComment().c_str();
    m_dialog->templateComment->append( s );
    m_dialog->templateComment->scrollToAnchor("top");

    bool haveOutside = false;
    bool haveInside = false;
    bool haveDMZ = false;
    // NOTE(review): template argument of this list was lost in extraction.
    list ll = fw->getByType(Interface::TYPENAME);
    for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++)
    {
        Interface *intf = Interface::cast( *i );
        if (std::find(possible_outside_interface_labels.begin(),
                      possible_outside_interface_labels.end(),
                      intf->getLabel()) != possible_outside_interface_labels.end())
        {
            haveOutside=true;
            m_dialog->intfOutsideLine->show();
            m_dialog->intfOutsideText->show();
            fillInterfaceData(intf,m_dialog->intfOutsideText);
        }
        if (std::find(possible_inside_interface_labels.begin(),
                      possible_inside_interface_labels.end(),
                      intf->getLabel()) != possible_inside_interface_labels.end())
        {
            haveInside=true;
            m_dialog->intfInsideLine->show();
            m_dialog->intfInsideText->show();
            fillInterfaceData(intf,m_dialog->intfInsideText);
        }
        if (std::find(possible_dmz_interface_labels.begin(),
                      possible_dmz_interface_labels.end(),
                      intf->getLabel()) != possible_dmz_interface_labels.end())
        {
            haveDMZ=true;
            m_dialog->intfDMZLine->show();
            m_dialog->intfDMZText->show();
            fillInterfaceData(intf,m_dialog->intfDMZText);
        }
    }

    if (!haveOutside)
    {
        m_dialog->intfOutsideLine->hide();
        m_dialog->intfOutsideText->hide();
    }
    if (!haveInside)
    {
        m_dialog->intfInsideLine->hide();
        m_dialog->intfInsideText->hide();
    }
    if (!haveDMZ)
    {
        m_dialog->intfDMZLine->hide();
        m_dialog->intfDMZText->hide();
    }
}

/*
 * Renders a one-interface summary (name/label and either the address,
 * "Dynamic address" or "Unnumbered interface") into the given browser.
 *
 * NOTE(review): the string literals below originally carried markup
 * that was lost in extraction; several of them now span a line break.
 */
void newFirewallDialog::fillInterfaceData(Interface *intf, QTextBrowser *qte)
{
    qte->clear();
    QString s;
    s += "";
    s += "";
    s += "";
    s += "";
    s += "";
    s += "";
    s += "";
    s += "
";
    s += tr("Interface: %1 (%2)")
        .arg(intf->getName().c_str())
        .arg(intf->getLabel().c_str());
    s += "
";
    if (intf->isDyn()) s += tr("Dynamic address");
    else if (intf->isUnnumbered()) s += tr("Unnumbered interface");
    else
    {
        // Both pointers may be NULL; an empty string is shown then.
        const InetAddr *addr = intf->getAddressPtr();
        QString addr_str = (addr) ? addr->toString().c_str() : "";
        const InetAddr *netm = intf->getNetmaskPtr();
        QString netm_str = (netm) ? netm->toString().c_str() : "";
        s += QString("%1/%2").arg(addr_str).arg(netm_str);
    }
    s += "
";
    qte->setText(s);
}

/*
 * Validates an address/netmask pair typed by the user and shows a
 * warning dialog when either part is rejected. The netmask may be a
 * dotted mask or a prefix length.
 *
 * Returns true if both parts are accepted, false otherwise.
 *
 * NOTE(review): this appears to be an IPv4-only check — InetAddr is
 * constructed without AF_INET6 and a numeric prefix is bounded at 32.
 */
bool newFirewallDialog::validateAddressAndMask(const QString &addr,
                                               const QString &netm)
{
    try
    {
        InetAddr(addr.toLatin1().constData());
    } catch (FWException &ex)
    {
        QMessageBox::warning(
            this,"Firewall Builder",
            tr("Invalid address '%1/%2'").arg(addr).arg(netm),
            "&Continue", QString::null, QString::null, 0, 1 );
        return false;
    }
    try
    {
        bool ok = false ;
        int ilen = netm.toInt (&ok);
        if (ok)
        {
            if (ilen < 0 || ilen > 32)
            {
                QMessageBox::warning(
                    this,"Firewall Builder",
                    tr("Invalid address '%1/%2'").arg(addr).arg(netm),
                    "&Continue", QString::null, QString::null, 0, 1 );
                return false;
            }
        }
        else
        {
            InetAddr(netm.toLatin1().constData());
        }
    } catch (FWException &ex)
    {
        QMessageBox::warning(
            this,"Firewall Builder",
            tr("Invalid address '%1/%2'").arg(addr).arg(netm),
            "&Continue", QString::null, QString::null, 0, 1 );
        return false;
    }
    return true;
}

/*
 * Discards the partially built firewall object and the template
 * database. Used on cancel; finishClicked() handles the success path.
 */
void newFirewallDialog::cleanup()
{
    if (nfw)
    {
        parent->remove(nfw, false);
        delete nfw;
        nfw = NULL;
    }

    if (tmpldb)
    {
        delete tmpldb;
        tmpldb = NULL;
    }
}

void newFirewallDialog::cancelClicked()
{
    cleanup();
    reject();
}

/*
 * "Finish" button handler. Either completes a template-based firewall
 * (createFirewallFromTemplate / changedAddressesInNewFirewall) or builds
 * a Firewall object in db_copy from the interface editor, the security
 * level table and the network zone table, then merges db_copy into
 * db_orig and accepts the dialog.
 */
void newFirewallDialog::finishClicked()
{
    // getting focus to close table cell editor
    // see #1594
    m_dialog->finishButton->setFocus(Qt::OtherFocusReason);

    if (fwbdebug)
        qDebug() << "newFirewallDialog::finishClicked()"
                 << "currentPage()=" << currentPage();

    if ((!this->m_dialog->useTemplate->isChecked()) &&
        currentPage() == CONFIGURE_INTERFACES_MANUALLY)
    {
        if ( !this->m_dialog->interfaceEditor1->isValid() ) return;
    }

    if ( currentPage() == CONFIGURE_TEMPLATE_INTERFACES_MANUALLY )
        if ( !this->m_dialog->interfaceEditor2->isValid() ) return;

#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    string platform = readPlatform(m_dialog->platform).toAscii().constData();
    string host_os = readHostOS(m_dialog->hostOS).toAscii().constData();
#else
    string platform = readPlatform(m_dialog->platform).toLatin1().constData();
    string host_os = readHostOS(m_dialog->hostOS).toLatin1().constData();
#endif

    st->setNewFirewallPlatform(platform.c_str());

    // Finishing directly from the manual interface page (platforms
    // without security levels): build the table the loop below reads.
    if (currentPage()==CONFIGURE_INTERFACES_MANUALLY)
        fillInterfaceSLList();

    if (currentPage()==CHOOSE_FW_TEMPLATE ||
        currentPage()==CONFIGURE_TEMPLATE_INTERFACES_MANUALLY)
    {
        // Creating from a template
        if (nfw==NULL) createFirewallFromTemplate();
        else changedAddressesInNewFirewall();
    } else
    {
        // Create from interface list (obtained either manually or via snmp)
        if ( !this->m_dialog->interfaceEditor1->isValid() ) return;

        FWObject *o;
        o = db_copy->create(Firewall::TYPENAME);

        if (o==NULL)
        {
            QDialog::accept();
            return;
        }

        o->setName( string( m_dialog->obj_name->text().toUtf8().constData() ) );//.toStdString());
        parent->add(o);

        nfw = Firewall::cast(o);

        o->setStr("platform", platform);
        Resources::setDefaultTargetOptions(platform , nfw);

        o->setStr("host_OS", host_os);
        Resources::setDefaultTargetOptions(host_os , nfw);

        // discovered_version is filled by monitor() from the device's
        // SNMP sysDescr, i.e. device-supplied data.
        if ( ! discovered_version.isEmpty())
            o->setStr("version", discovered_version.toStdString());

        /* create interfaces */
        foreach(EditedInterfaceData iface,
                this->m_dialog->interfaceEditor1->getNewData())
        {
            QString name = iface.name;
            QString label = iface.label;
            bool dyn = iface.type == 1;
            bool unnum = iface.type == 2;
            QString physaddr = iface.mac;  // NOTE(review): not used below
            int sec_level = 0;
            string network_zone_str_id = "";

            // Rows in the two tables are looked up by interface name.
            // NOTE(review): template argument of this QList was lost in
            // extraction.
            QList ltwi = m_dialog->iface_sl_list->findItems( name , Qt::MatchExactly );
            if ( ! ltwi.empty())
            {
                QTableWidgetItem *itm2 = ltwi[0];
                assert(itm2!=NULL);
                int row = itm2->row();
                // NOTE(review): the dynamic_cast target type was lost in
                // extraction; the NULL check below is an assert only, so in
                // builds with NDEBUG a failed cast would be dereferenced.
                QSpinBox *sb = dynamic_cast(
                    m_dialog->iface_sl_list->cellWidget(row, 3));
                assert(sb!=NULL);
                sec_level = sb->value();
            }

            ltwi = m_dialog->iface_nz_list->findItems( name , Qt::MatchExactly );
            if ( ! ltwi.empty())
            {
                QTableWidgetItem *itm2 = ltwi[0];
                assert(itm2!=NULL);
                int row = itm2->row();
                QComboBox *cb = dynamic_cast(
                    m_dialog->iface_nz_list->cellWidget(row, 3));
                assert(cb!=NULL);
                int network_zone_int_id =
                    cb->itemData(cb->currentIndex(), Qt::UserRole).toInt();
                if (network_zone_int_id != 0)
                    network_zone_str_id = FWObjectDatabase::getStringId(
                        network_zone_int_id);
                else
                    network_zone_str_id = "";
            }

            Interface *oi = Interface::cast(db_copy->create(Interface::TYPENAME));
            assert(oi!=NULL);
            nfw->add(oi);

            oi->setName( string(name.toUtf8().constData()) );
            oi->setLabel( string(label.toUtf8().constData()) );
            oi->setComment( string(iface.comment.toUtf8().constData()) );
            oi->setDyn(dyn);
            oi->setUnnumbered(unnum);
            oi->setSecurityLevel(sec_level);

            // only set network zone if it is supported and is not empty. See #2014
            if (!network_zone_str_id.empty())
                oi->setStr("network_zone", network_zone_str_id);

            // NOTE(review): template argument of this auto_ptr was lost in
            // extraction; std::auto_ptr itself is deprecated.
            std::auto_ptr int_prop(
                interfacePropertiesObjectFactory::getInterfacePropertiesObject(nfw));
            if (int_prop->looksLikeVlanInterface(name))
            {
                QString base_name;
                int vlan_id;
                int_prop->parseVlan(name, &base_name, &vlan_id);
                oi->getOptionsObject()->setStr("type", "8021q");
                oi->getOptionsObject()->setInt("vlan_id", vlan_id);
            }

            // Regular interface: create one IPv4/IPv6 child per address.
            if (iface.type == 0)
            {
                foreach(AddressInfo address, iface.addresses)
                {
                    if (address.address == "0.0.0.0") continue;
                    if (address.ipv4)
                    {
                        string addrname = string(
                            QString("%1:%2:ip").arg(QString(m_dialog->obj_name->text())).arg(name).toUtf8().constData() );
                        IPv4 *oa = IPv4::cast(db_copy->create(IPv4::TYPENAME));
                        oi->add(oa);
                        oa->setName(addrname);
                        oa->setAddress( InetAddr(address.address.toLatin1().constData()) );
                        // Netmask is accepted either as a prefix length or
                        // as a dotted mask.
                        bool ok = false ;
                        int inetmask = address.netmask.toInt(&ok);
                        if (ok)
                        {
                            oa->setNetmask( InetAddr(inetmask) );
                        }
                        else
                        {
                            oa->setNetmask( InetAddr(address.netmask.toLatin1().constData()) );
                        }
                    }
                    else
                    {
                        string addrname = string (
                            QString("%1:%2:ip6").arg(QString(m_dialog->obj_name->text())).arg(name).toUtf8().constData() );
                        IPv6 *oa = IPv6::cast(db_copy->create(IPv6::TYPENAME));
                        oi->add(oa);
                        oa->setName(addrname);
                        oa->setAddress(InetAddr(AF_INET6, address.address.toLatin1().constData()) );
                        bool ok = false ;
                        int inetmask = address.netmask.toInt(&ok);
                        if (ok)
                        {
                            oa->setNetmask( InetAddr(AF_INET6, inetmask) );
                        }
                        else
                        {
                            oa->setNetmask(InetAddr(AF_INET6, address.netmask.toLatin1().constData()));
                        }
                    }
                }
            }
        }
    }

    // merge dbcopy into db
    CompareObjectsDialog cod(this);
    db_orig->merge(db_copy, &cod);
    db_orig->fixTree();
    // After the merge the caller's getNewFirewall() must return the
    // object living in db_orig, not the one in db_copy.
    nfw = Firewall::cast(db_orig->findInIndex(nfw->getId()));

    if (tmpldb!=NULL)
    {
        delete tmpldb;
        tmpldb = NULL;
    }

    QDialog::accept();
}
fwbuilder-5.3.7/src/libgui/newFirewallDialog.h000066400000000000000000000105511303637203600213300ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2004 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef __NEWFIREWALLDIALOG_H_
#define __NEWFIREWALLDIALOG_H_

#include "config.h"
#include   // NOTE(review): header name lost in extraction (angle brackets stripped)

#include "fwbuilder/InterfaceData.h"
#include "fwbuilder/InetAddrMask.h"
#include "fwbuilder/InterfaceData.h"

#include "fakeWizard.h"

#include   // NOTE(review): header name lost in extraction (angle brackets stripped)

namespace libfwbuilder
{
    class FWObject;
    class FWObjectDatabase;
    class Firewall;
    class Interface;
    class Logger;
    class SNMPQuery;
};

class QTreeWidgetItem;
class QTimer;
class QTextEdit;

/*
 * "New firewall" wizard. Builds a Firewall object either from the
 * interfaces the user enters (manually or discovered via SNMP) or from
 * a template library, working on a copy of the object database that is
 * merged back into the original when the user clicks Finish.
 *
 * NOTE(review): template arguments of the std::map / std::list members
 * below were lost in extraction (angle brackets stripped).
 */
class newFirewallDialog : public QDialog, public FakeWizard
{
    Q_OBJECT;

    Ui::newFirewallDialog_q *m_dialog;

    libfwbuilder::FWObject *currentTemplate;   // template chosen in the list
    libfwbuilder::Firewall *nfw;               // the firewall being created
    bool snmpPollCompleted;                    // set by monitor() when a query ends
    libfwbuilder::Logger *logger;              // output of the running SNMP query
    libfwbuilder::SNMPQuery *q;                // running SNMP query, NULL when idle
    QTimer *timer;                             // drives monitor() while q runs
    libfwbuilder::FWObjectDatabase *db_orig;   // database the result is merged into
    libfwbuilder::FWObjectDatabase *tmpldb;    // template library, loaded on demand
    libfwbuilder::FWObjectDatabase *db_copy;   // working copy edited by the wizard
    libfwbuilder::FWObject *parent;            // where the new firewall is added
    std::map templates;                        // template list item -> template object
    bool unloadTemplatesLib;
    bool getInterfacesBusy;                    // re-entry guard around DNS/SNMP work

    // Guessed from the SNMP sysDescr of the polled device (see monitor()).
    QString discovered_platform;
    QString discovered_host_os;
    QString discovered_version;

    // Interface labels recognised as outside / inside / DMZ in templates.
    std::list possible_inside_interface_labels;
    std::list possible_outside_interface_labels;
    std::list possible_dmz_interface_labels;

    void fillInterfaceData(libfwbuilder::Interface *intf, QTextBrowser *qte);
    void fillInterfaceSLList();
    void fillInterfaceNZList();
    void getInterfaceDataFromInterfaceEditor(EditedInterfaceData &edata,
                                             libfwbuilder::InterfaceData &idata);

    void createFirewallFromTemplate();
    void changedAddressesInNewFirewall();
    void replaceInterfaceAttributes(libfwbuilder::Firewall *fw,
                                    libfwbuilder::Interface *intf,
                                    EditedInterfaceData *new_data);
    libfwbuilder::Address* replaceInterfaceAddressData(
        libfwbuilder::Firewall *fw,
        libfwbuilder::Interface *intf,
        libfwbuilder::Address *addr_obj,
        const QString &address,
        const QString &netmask,
        bool ipv4);
    void replaceReferencesToNetworks(libfwbuilder::Firewall *fw,
                                     libfwbuilder::Interface *intf,
                                     libfwbuilder::InetAddrMask old_net,
                                     libfwbuilder::InetAddrMask new_net);
    void replaceReferencesToObject(libfwbuilder::Firewall *fw,
                                   libfwbuilder::FWObject *old_obj,
                                   libfwbuilder::FWObject *new_obj);

public:
    newFirewallDialog(QWidget *parentw, libfwbuilder::FWObject *parent);
    virtual ~newFirewallDialog();

    // Valid after the dialog was accepted; points into db_orig.
    libfwbuilder::Firewall* getNewFirewall() { return nfw; };

    virtual bool appropriate(const int page) const;
    void showPage(const int page); //it was "selected(QString)"

    bool validateAddressAndMask(const QString &addr,const QString &netm);

    void getIPAddressOfFirewallByName();

public slots:
    virtual void changed();
    virtual void getInterfacesViaSNMP();
    virtual void monitor();
    virtual void templateSelected(QListWidgetItem *itm);
    void browseTemplate();
    void useStandardTemplate();
    void updateTemplatePanel();

protected slots:
    void finishClicked();
    void cancelClicked();
    void nextClicked();
    void backClicked();
    void cleanup();
};

#endif // __NEWFIREWALLDIALOG_H
fwbuilder-5.3.7/src/libgui/newFirewallDialog_from_template.cpp000066400000000000000000000323761303637203600246100ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "events.h" #include "platforms.h" #include "newFirewallDialog.h" #include "FWBSettings.h" #include "FWBTree.h" #include "InterfaceEditorWidget.h" #include "InterfacesTabWidget.h" #include "FWWindow.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Policy.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include #include using namespace libfwbuilder; using namespace std; class FindNetwork : public FWObjectFindPredicate { InetAddrMask net; public: FindNetwork(InetAddrMask _net) { net = _net; } virtual bool operator()(FWObject *o) const { FWObject *obj = FWReference::getObject(o); if (Address::cast(obj)) { const InetAddrMask *am = Address::cast(obj)->getInetAddrMaskObjectPtr(); if (am && (*am) == net) return true; } return false; } }; void newFirewallDialog::createFirewallFromTemplate() { QListWidgetItem *itm = m_dialog->templateList->currentItem(); FWObject *template_fw = templates[itm]; assert (template_fw!=NULL); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) string platform = readPlatform(m_dialog->platform).toAscii().constData(); string host_os = readHostOS(m_dialog->hostOS).toAscii().constData(); #else string platform = readPlatform(m_dialog->platform).toLatin1().constData(); string host_os = readHostOS(m_dialog->hostOS).toLatin1().constData(); #endif map map_ids; FWObject *no = db_copy->recursivelyCopySubtree(parent, template_fw, map_ids); no->setName( string( m_dialog->obj_name->text().toUtf8().constData() ) ); nfw = Firewall::cast(no); no->setStr("platform", platform); no->setStr("host_OS", host_os); /* * If we set defaults for the platform and host OS, then we lose * all settings that were done in the template. 
See ticket * #1340. Not setting defaults fixes #1340 with a caveat: since * the name of the same (sematically) option can be different for * different firewall platforms, options set in the template * generally are only rpeserved if the new firewall object uses * the same platform as the template. In practical terms this * basically means iptables. If user changes the platform, they * need to revisit options and fix them manually */ //Resources::setDefaultTargetOptions(platform , nfw); //Resources::setDefaultTargetOptions(host_os , nfw); } void newFirewallDialog::changedAddressesInNewFirewall() { // the key in this map is the pointer to interface that used to be // part of the template. We do not allow the user to create new or // delete existing interfaces when they edit template interfaces. QMap new_configuration = m_dialog->interfaceEditor2->getData(); list all_interfaces = nfw->getByTypeDeep(Interface::TYPENAME); for (list::iterator intiter=all_interfaces.begin(); intiter != all_interfaces.end(); ++intiter ) { Interface *intf = Interface::cast(*intiter); list old_addr = intf->getByType(IPv4::TYPENAME); list old_ipv6 = intf->getByType(IPv6::TYPENAME); old_addr.splice(old_addr.begin(), old_ipv6); if (new_configuration.count(intf) == 0) { QMessageBox::critical( this, "Firewall Builder", tr("Can not find interface %1 in the interface editor data") .arg(intf->getName().c_str()), "&Continue", QString::null, QString::null, 0, 1 ); } else { EditedInterfaceData new_data = new_configuration[intf]; replaceInterfaceAttributes(nfw, intf, &new_data); if (new_data.type == 0) // regular interface { /* * Substitute interface addresses. * * EditedInterfaceData::addresses uses Address* as a * key. If it is not NULL, then this points to the * updated information for existing Address object * which we should modify. If it is NULL, then the * user created new address and we need to create new * IPv4 or IPv6 object. 
* * If user created more addresses than there used to * be, extra addresses are not added to rules. */ QMap::iterator addrit; for (addrit=new_data.addresses.begin(); addrit!=new_data.addresses.end(); ++addrit) { Address *old_addr_obj = addrit.key(); InetAddrMask old_net; AddressInfo new_addr = addrit.value(); if (old_addr_obj) { const InetAddrMask *old_addr_mask = old_addr_obj->getInetAddrMaskObjectPtr(); old_net = InetAddrMask( *(old_addr_mask->getAddressPtr()), *(old_addr_mask->getNetmaskPtr())); } Address *oa = replaceInterfaceAddressData(nfw, intf, old_addr_obj, new_addr.address, new_addr.netmask, new_addr.ipv4); const InetAddrMask *new_addr_mask = oa->getInetAddrMaskObjectPtr(); InetAddrMask new_net = InetAddrMask( *(new_addr_mask->getAddressPtr()), *(new_addr_mask->getNetmaskPtr())); if (old_addr_obj) { // User edited address of the interface. Remove it // from old_addr so we won't delete it later. old_addr.remove(old_addr_obj); // Now check if the actually changed the // address and/or netmask. If they did, create // new network object and replace references // to network objects that match old address/ // netmask with references pointing to the new // one. if ( ! (old_net == new_net)) replaceReferencesToNetworks(nfw, intf, old_net, new_net); } } } // Now delete old address objects that are still in the // old_addr list. These are the object that were deleted // in the editor. Do not forget to remove references to // thse objects in rules and groups, if any. 
while (old_addr.size()) { Address *addr = Address::cast(old_addr.front()); old_addr.pop_front(); if (addr) { nfw->removeAllReferences(addr); intf->remove(addr, false); delete addr; } } } } } void newFirewallDialog::replaceInterfaceAttributes(Firewall*, Interface *intf, EditedInterfaceData *new_data) { intf->setName( string(new_data->name.toUtf8().constData())); intf->setLabel( string(new_data->label.toUtf8().constData())); intf->setComment( string(new_data->comment.toUtf8().constData())); if (fwbdebug) qDebug() << "Interface" << intf->getName().c_str() << "type=" << new_data->type; switch (new_data->type) { case 1: intf->setDyn(true); intf->setUnnumbered(false); break; case 2: intf->setDyn(false); intf->setUnnumbered(true); break; default: intf->setDyn(false); intf->setUnnumbered(false); break; } } Address* newFirewallDialog::replaceInterfaceAddressData(Firewall *fw, Interface *intf, Address *addr_obj, const QString &address, const QString &netmask, bool ipv4) { Address *oa; QString name; if (ipv4) { if (addr_obj) oa = addr_obj; else { oa = IPv4::cast(db_copy->create(IPv4::TYPENAME)); intf->add(oa); } name = QString("%1:%2:ipv4") .arg(fw->getName().c_str()) .arg(intf->getName().c_str()); oa->setAddress( InetAddr(address.toStdString())); bool ok = false ; int inetmask = netmask.toInt(&ok); if (ok) oa->setNetmask(InetAddr(inetmask)); else oa->setNetmask(InetAddr(netmask.toStdString())); } else { if (addr_obj) oa = addr_obj; else { oa = IPv6::cast(db_copy->create(IPv6::TYPENAME)); intf->add(oa); } name = QString("%1:%2:ipv6") .arg(fw->getName().c_str()) .arg(intf->getName().c_str()); oa->setAddress( InetAddr(AF_INET6, address.toStdString()) ); bool ok = false ; int inetmask = netmask.toInt(&ok); if (ok) oa->setNetmask(InetAddr(AF_INET6, inetmask)); } oa->setName(name.toStdString()); return oa; } /* * Find references to NEtwork and NetworkIPv6 objects that match * old_net and if there are any, create new Network or NetworkIPv6 * object with address/netmask defined by 
new_net and replace
 * references.
 *
 * Only objects actually referenced from fw are considered (fw->findIf
 * with a FindNetwork predicate). The replacement object is created in
 * db_copy under the standard slot for its type in fw's library, named
 * "<firewall>:<interface>:net", and the main window is asked (via a
 * posted insertObjectInTreeEvent) to show it in the tree. References
 * to 0/0 are never replaced.
 */
void newFirewallDialog::replaceReferencesToNetworks(Firewall *fw,
                                                    Interface *intf,
                                                    InetAddrMask old_net,
                                                    InetAddrMask new_net)
{
    if(old_net.isAny()) return;  // do not replace references to 0/0

    FWObject *current_lib = fw->getLibrary();

    // Find all matching Network and NetworkIPv6
    // objects used in the rules
    FindNetwork pred(old_net);
    // NOTE(review): the template arguments of list/set below were lost
    // when this page was extracted; the original declares element types.
    list res = fw->findIf(&pred);
    set old_nets;
    if (res.size())
    {
        // eliminate duplicates
        for (list::iterator it=res.begin(); it!=res.end(); ++it)
            old_nets.insert(FWObjectReference::getObject(*it));

        string net_type = Network::TYPENAME;
        if (old_net.getAddressPtr()->isV6()) net_type = NetworkIPv6::TYPENAME;

        FWObject *parent = FWBTree().getStandardSlotForObject(
            current_lib, net_type.c_str());

        Address *new_net_obj = Address::cast(db_copy->create(net_type));
        parent->add(new_net_obj);
        QString new_net_name = QString("%1:%2:net").arg(fw->getName().c_str()).arg(intf->getName().c_str());
        new_net_obj->setName(new_net_name.toStdString());
        new_net_obj->setAddress(*(new_net.getAddressPtr()));
        new_net_obj->setNetmask(*(new_net.getNetmaskPtr()));

        QString filename = mw->activeProject()->getFileName();
        QCoreApplication::postEvent(
            mw, new insertObjectInTreeEvent(filename, parent->getId(), new_net_obj->getId()));

        for (set::iterator it=old_nets.begin(); it!=old_nets.end(); ++it)
        {
            FWObject *old_obj = FWObjectReference::getObject(*it);
            replaceReferencesToObject(fw, old_obj, new_net_obj);
        }
    }
}

/*
 * Re-point references from old_obj to new_obj by handing
 * FWObjectDatabase::fixReferences a one-entry id map; fw is passed as
 * the scope argument (presumably limiting the rewrite to that
 * firewall — confirm in FWObjectDatabase).
 */
void newFirewallDialog::replaceReferencesToObject(Firewall *fw,
                                                  FWObject *old_obj,
                                                  FWObject *new_obj)
{
    // NOTE(review): template arguments of map lost in extraction.
    map map_ids;
    map_ids[old_obj->getId()] = new_obj->getId();
    db_copy->fixReferences(fw, map_ids);
}

fwbuilder-5.3.7/src/libgui/newGroupDialog.cpp000066400000000000000000000031171303637203600212120ustar00rootroot00000000000000
/*

  Firewall Builder

  Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.
You may redistribute and/or modify this program under the terms of that
  license as published by the Free Software Foundation; either version 2 of
  the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
  more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "config.h"
#include "global.h"
#include "utils.h"
#include "FWBApplication.h"

#include "newGroupDialog.h"

// NOTE(review): the three angle-bracket header names that followed were
// lost when this page was extracted.
#include #include #include

using namespace libfwbuilder;
using namespace std;

newGroupDialog::~newGroupDialog()
{
    delete m_dialog;
}

/*
 * Build the "new group" dialog over database _db: set up the generated
 * form, fill the library selector with writable libraries only and put
 * the keyboard focus in the name field.
 */
newGroupDialog::newGroupDialog(QWidget *parent, FWObjectDatabase *_db) :
    QDialog(parent)
{
    db = _db;
    m_dialog = new Ui::newGroupDialog_q;
    m_dialog->setupUi(this);
    fillLibraries(m_dialog->libs, db, true);  // only read-write libs
    m_dialog->obj_name->setFocus();
}

/*
 * Accept only when a group name was entered; an empty name beeps and
 * keeps the dialog open. Despite the comment inside, nothing is created
 * here — presumably the caller reads m_dialog->obj_name / m_dialog->libs
 * after the dialog returns; confirm against the callers.
 */
void newGroupDialog::accept()
{
    /* create a group */
    if (m_dialog->obj_name->text().isEmpty())
    {
        app->beep();
        return;
    }
    QDialog::accept();
}

fwbuilder-5.3.7/src/libgui/newGroupDialog.h000066400000000000000000000025641303637203600206640ustar00rootroot00000000000000
/*

  Firewall Builder

  Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.

  You may redistribute and/or modify this program under the terms of that
  license as published by the Free Software Foundation; either version 2 of
  the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
  more details.
To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef __NEWGROUPDIALOG_H_
#define __NEWGROUPDIALOG_H_

#include "config.h"
// NOTE(review): two angle-bracket header names were lost here when this
// page was extracted.
#include #include
#include "fwbuilder/FWObject.h"
#include "fwbuilder/FWObjectDatabase.h"

/*
 * Dialog that asks for the name and target library of a new object
 * group. accept() refuses an empty name (see newGroupDialog.cpp); the
 * generated Ui form is exposed as the public m_dialog member so the
 * caller can read the entered values after the dialog returns.
 */
class newGroupDialog : public QDialog
{
    Q_OBJECT;

    libfwbuilder::FWObjectDatabase *db;  // database the library list is filled from

public:
    newGroupDialog(QWidget *parent, libfwbuilder::FWObjectDatabase *_db);
    ~newGroupDialog();

    Ui::newGroupDialog_q *m_dialog;

public slots:
    virtual void accept();
};

#endif // __NEWGROUPDIALOG_H fwbuilder-5.3.7/src/libgui/newHostDialog.cpp000066400000000000000000000473021303637203600210370ustar00rootroot00000000000000
/*

  Firewall Builder

  Copyright (C) 2003 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.

  You may redistribute and/or modify this program under the terms of that
  license as published by the Free Software Foundation; either version 2 of
  the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
  more details.
To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "config.h"
#include "global.h"
#include "utils.h"
#include "utils_no_qt.h"
#include "platforms.h"

#include "newHostDialog.h"
#include "FWWindow.h"
#include "ObjConflictResolutionDialog.h"
#include "upgradePredicate.h"
#include "events.h"

#include "fwbuilder/Library.h"
#include "fwbuilder/Host.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/BackgroundOp.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/Constants.h"

// NOTE(review): the seventeen angle-bracket header names that followed
// were lost when this page was extracted.
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include

// must be the last for win
#include "fwbuilder/snmp.h"

using namespace libfwbuilder;
using namespace std;

// Page indices of the FakeWizard stack, in display order.
#define OBJECT_NAME_PAGE 0
#define SNMP_PAGE 1
#define MANUAL_PAGE 2
#define TEMPLATES_PAGE 3

/*
 * Wizard dialog that creates a new Host object in the database that
 * _p belongs to, either by copying a template or from interfaces that
 * were typed in manually or discovered via SNMP.
 *
 * The constructor wires the FakeWizard buttons, the timer that drives
 * monitor() during SNMP discovery and the template-file controls,
 * defaults the template path to the bundled library, and starts on the
 * object-name page with "Next" disabled until a name is typed.
 */
newHostDialog::newHostDialog(QWidget *parentw, FWObject *_p) : QDialog(parentw)
{
    parent = _p;
    db = parent->getRoot();

    m_dialog = new Ui::newHostDialog_q;
    m_dialog->setupUi(this);

    setControlWidgets(this, m_dialog->stackedWidget,
                      m_dialog->nextButton,
                      m_dialog->finishButton,
                      m_dialog->backButton,
                      m_dialog->cancelButton,
                      m_dialog->titleLabel);

    nhst=NULL;
    tmpldb = NULL;
    snmpPollCompleted=false;
    q=NULL;
    unloadTemplatesLib = false;
    getInterfacesBusy = false;

    timer = new QTimer(this);
    connect( timer, SIGNAL(timeout()), this, SLOT(monitor()) );

    connect( m_dialog->templateUseCustom, SIGNAL(pressed()),
             this,SLOT(browseTemplate()));
    connect( m_dialog->templateUseStandard, SIGNAL(pressed()),
             this,SLOT(useStandardTemplate()));
    connect( m_dialog->useTemplate, SIGNAL(released()),
             this,SLOT(updateTemplatePanel()));

    m_dialog->templateFilePath->setText(
        Constants::getTemplatesObjectsFilePath().c_str());
    updateTemplatePanel();

    setNextEnabled( OBJECT_NAME_PAGE, false );
    m_dialog->obj_name->setFocus();

    m_dialog->interfaceEditor->clear();

    showPage(0);
}

/*
 * Let the user pick a custom template library file (*.xml, *.fwb),
 * remember its directory in the settings and show the path in the
 * template panel.
 */
void newHostDialog::browseTemplate()
{
    QString fileName = QFileDialog::getOpenFileName(
        this,
        tr("FWBuilder template files"),
        st->getOpenFileDir(),
        tr("FWBuilder template files (*.xml *.fwb)"));
    if (fileName.isEmpty()) return;
    st->setOpenFileDir(fileName);
    m_dialog->templateFilePath->setText(fileName);
    updateTemplatePanel();
}

/* Revert the template file path to the bundled standard library. */
void newHostDialog::useStandardTemplate()
{
    m_dialog->templateFilePath->setText(
        Constants::getTemplatesObjectsFilePath().c_str());
    updateTemplatePanel();
}

/*
 * Show or hide the template controls according to the "use template"
 * checkbox. With the standard library selected only the "use custom"
 * button is offered; with a custom file the path and the "use
 * standard" button are shown instead.
 */
void newHostDialog::updateTemplatePanel()
{
    if (m_dialog->useTemplate->checkState()==Qt::Checked)
    {
        QString fileName = m_dialog->templateFilePath->text();
        bool using_std = fileName == Constants::getTemplatesObjectsFilePath().c_str();
        m_dialog->templateFrame->setVisible(true);
        m_dialog->templateFilePathLabel->setVisible(!using_std);
        m_dialog->templateFilePath->setVisible(!using_std);
        m_dialog->templateUseCustom->setVisible(using_std);
        m_dialog->templateUseStandard->setVisible(!using_std);
    } else
    {
        m_dialog->templateFrame->setVisible(false);
    }
}

/*
 * Release the form, the timer and any pending SNMP query.
 *
 * NOTE(review): tmpldb is not released here. It is only deleted in
 * finishClicked() when unloadTemplatesLib is true, and nothing in this
 * file ever sets that flag to true — looks like the loaded template
 * database is leaked; confirm against the rest of the project.
 */
newHostDialog::~newHostDialog()
{
    delete m_dialog;
    if (timer!=NULL) delete timer;
#ifdef HAVE_LIBSNMP
    if (q!=NULL) delete q;
#endif
}

/*
 * Advance to the next relevant page (FakeWizard::nextRelevant(),
 * presumably filtered by appropriate()), if there is one.
 */
void newHostDialog::nextClicked()
{
    if (nextRelevant( currentPage() ) > -1)
        showPage(nextRelevant( currentPage() ));
}

/* Go back to the previous relevant page, if there is one. */
void newHostDialog::backClicked()
{
    if (previousRelevant( currentPage() ) > -1)
        showPage(previousRelevant( currentPage() ));
}

/*
 * Slot run whenever the inputs of the current page change; recomputes
 * what the "Next" button allows.
 *
 * Name page: Next requires a non-empty object name.
 * SNMP page: the community/query/progress widgets are usable only when
 * SNMP discovery is selected and the build has HAVE_LIBSNMP (otherwise
 * the SNMP radio button is disabled outright); Next is allowed once
 * manual configuration is chosen or an SNMP poll has completed.
 * Manual page: nothing — the old per-interface widget handling is kept
 * commented out below.
 */
void newHostDialog::changed()
{
    int p = currentPage();
    if (p==OBJECT_NAME_PAGE)
    {
        setNextEnabled( p, !m_dialog->obj_name->text().isEmpty() );
    }
    if (p==SNMP_PAGE)
    {
        bool f;
#ifdef HAVE_LIBSNMP
        f = m_dialog->use_snmp->isChecked();
#else
        f = false;
        m_dialog->use_snmp->setEnabled( f );
#endif
        m_dialog->snmp_community->setEnabled( f );
        m_dialog->snmpQuery->setEnabled( f );
        m_dialog->snmpProgress->setEnabled( f );
        if (f) m_dialog->snmp_community->setFocus();

        f = m_dialog->use_manual->isChecked() || snmpPollCompleted;
        setNextEnabled( SNMP_PAGE, f );
    }
    if (p==MANUAL_PAGE)
    {
        /*
        if (m_dialog->iface_dyn->isChecked() || m_dialog->iface_unnum->isChecked())
        {
            m_dialog->iface_addr->clear();
            m_dialog->iface_addr->setEnabled(false);
            m_dialog->iface_netmask->clear();
            m_dialog->iface_netmask->setEnabled(false);
        } else
        {
            m_dialog->iface_addr->setEnabled(true);
            m_dialog->iface_netmask->setEnabled(true);
        }*/
    }
}

/*
 * Timer slot driving the SNMP discovery started by
 * getInterfacesViaSNMP(). While the query's logger has output, one
 * line per tick is appended to the progress view. Once the query has
 * stopped running, every discovered interface whose ostatus is set is
 * passed through guessInterfaceLabel() and added to the interface
 * editor, the query is freed and Next is enabled on the SNMP page.
 *
 * Returns immediately while either logger or q is NULL.
 * NOTE(review): if start_operation() threw in getInterfacesViaSNMP(),
 * logger stays NULL while q is set and the timer keeps firing into
 * this early return — see the note on that function.
 */
void newHostDialog::monitor()
{
    if (logger==NULL || q==NULL) return;
#ifdef HAVE_LIBSNMP
    if( logger->ready() )
    {
        QString str = logger->getLine().c_str();
        m_dialog->snmpProgress->moveCursor( QTextCursor::End );
        m_dialog->snmpProgress->insertPlainText( str );
        return;
    }
    if (q->isRunning()) return;

    timer->stop();

    // NOTE(review): template arguments of map below were lost when
    // this page was extracted.
    map* intf = q->getInterfaces();
    map::iterator i;
    for(i=intf->begin(); i!=intf->end(); ++i)
    {
        InterfaceData* idata = &(i->second);
        // ostatus presumably means "interface is operationally up";
        // confirm in InterfaceData.
        if ( idata->ostatus )
        {
            guessInterfaceLabel(idata);
            this->m_dialog->interfaceEditor->addInterfaceFromData(idata);
        }
    }
    delete q;
    q=NULL;
#endif
    snmpPollCompleted=true;
    setNextEnabled( SNMP_PAGE, true );
}

/*
 * "Discover interfaces" button handler (a no-op unless built with
 * HAVE_LIBSNMP). Resolves the object name typed on the first page to
 * an IPv4 address via DNS, then starts an asynchronous
 * SNMP_interface_query against it with the community string from the
 * dialog and a zero-interval timer that polls monitor(). The interface
 * editor is cleared before discovery starts.
 *
 * Re-entry is guarded by getInterfacesBusy (getAddrByName() processes
 * Qt events while it blocks) and by q!=NULL while a query is alive. An
 * empty community string or a DNS failure aborts with a message box.
 *
 * NOTE(review): a failure of start_operation() is swallowed by the
 * empty catch at the bottom. q then stays non-NULL (so this handler
 * refuses to run again) and the interval-0 timer keeps firing while
 * monitor() returns early on logger==NULL, so the dialog appears
 * stuck until it is closed. Resetting q and stopping the timer in that
 * catch, and telling the user, would fix it; confirm which exceptions
 * start_operation() can raise.
 */
void newHostDialog::getInterfacesViaSNMP()
{
#ifdef HAVE_LIBSNMP
    // need to protect from reentry because getAddrByName processes events
    if (q!=NULL || getInterfacesBusy) return;

    snmpPollCompleted=false;

    string rcomm=m_dialog->snmp_community->text().toLatin1().constData();
    if ( rcomm.empty() )
    {
        QMessageBox::warning(
            this,"Firewall Builder",
            tr("Missing SNMP community string."),
            "&Continue", QString::null, QString::null, 0, 1 );
        return ;
    }

    m_dialog->interfaceEditor->clear();
    m_dialog->interfaceEditor->removeTab(0);

    getInterfacesBusy = true;

    InetAddr addr;
    QString name=m_dialog->obj_name->text().toLatin1().constData();
    try
    {
        QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) );
        QString a = getAddrByName(name, AF_INET);
        QApplication::restoreOverrideCursor();
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        addr = InetAddr(a.toAscii().constData());
#else
        addr = InetAddr(a.toLatin1().constData());
#endif
    } catch (FWException &ex)
    {
        // NOTE(review): the wait cursor set above is not restored on
        // this path when getAddrByName() throws.
        QMessageBox::warning(
            this,"Firewall Builder",
            tr("Address of %1 could not be obtained via DNS")
            .arg(m_dialog->obj_name->text()),
            "&Continue", QString::null, QString::null, 0, 1 );
        getInterfacesBusy = false;
        return ;
    }

    logger=NULL;
    m_dialog->snmpProgress->clear();

    if (q!=NULL) delete q;
    q=new SNMP_interface_query();
    q->init(addr.toString(),rcomm,SNMP_DEFAULT_RETRIES,SNMP_DEFAULT_TIMEOUT);

    timer->setSingleShot(false);
    timer->start(0);

    try
    {
        logger = q->start_operation();
    } catch(const FWException &ex)
    {
        //do nothing
    }
    getInterfacesBusy = false;
#endif
}

/*
 * FakeWizard hook telling which pages take part in the flow: the SNMP
 * and manual pages are skipped when the host is built from a template;
 * the name and templates pages are always reported as appropriate.
 */
bool newHostDialog::appropriate(const int page) const
{
    int p = page;

    if (fwbdebug)
    {
        qDebug("newHostDialog::appropriate p=%d",p);
    }

    switch (p)
    {
    case OBJECT_NAME_PAGE:
    case TEMPLATES_PAGE:
        return true;

    case SNMP_PAGE:
    case MANUAL_PAGE:
        return (!m_dialog->useTemplate->isChecked());
    }
    return true;
}

/*
 * Switch to `page` and prepare it:
 *  - SNMP_PAGE: re-run changed() so the widgets reflect the radio
 *    buttons; Next becomes the default button.
 *  - MANUAL_PAGE: Finish enabled and default, Next disabled.
 *  - TEMPLATES_PAGE: Finish enabled and default. On the first visit
 *    the library named in templateFilePath (a user-chosen file when a
 *    custom library was picked) is loaded into tmpldb, every Host found
 *    in its libraries is listed with its tree icon and remembered in
 *    `templates`, and the first entry is selected.
 *
 * NOTE(review): fl.front() is read before checking that findHosts()
 * found anything; a template file without Host objects makes this
 * undefined behaviour. Guard with `if (fl.empty())` before using it.
 * NOTE(review): template arguments of `list` below were lost when this
 * page was extracted.
 */
void newHostDialog::showPage(const int page)
{
    FakeWizard::showPage(page);

    int p = currentPage();

    if (fwbdebug)
        qDebug("newHostDialog::selected p=%d",p);

    // p is a page number _after_ it changed

    switch (p)
    {
    case SNMP_PAGE:
        changed();  // to properly enable/disable widgets
        m_dialog->nextButton->setDefault(true);
        break;

    case MANUAL_PAGE:
    {
        setNextEnabled( MANUAL_PAGE, false );
        setFinishEnabled( MANUAL_PAGE, true );
        m_dialog->finishButton->setDefault(true);
        break;
    }

    case TEMPLATES_PAGE:
    {
        m_dialog->finishButton->setDefault(true);
        setFinishEnabled( TEMPLATES_PAGE, true );

        /* load templates if not loaded */
        if (tmpldb==NULL)
        {
            MessageBoxUpgradePredicate upgrade_predicate(this);

            tmpldb = new FWObjectDatabase();
            tmpldb->setReadOnly( false );
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
            tmpldb->load( m_dialog->templateFilePath->text().toAscii().data(),
                          &upgrade_predicate, Constants::getDTDDirectory());
#else
            tmpldb->load( m_dialog->templateFilePath->text().toLatin1().data(),
                          &upgrade_predicate, Constants::getDTDDirectory());
#endif
        }

        list fl;

        FWObjectTypedChildIterator libiter = tmpldb->findByType(Library::TYPENAME);
        for ( ; libiter!=libiter.end(); ++libiter)
            findHosts(*libiter, fl, false);

        QString icn = QString( Resources::global_res->getObjResourceStr(fl.front(), "icon-tree").c_str() );

        m_dialog->templateList->clear();

        int n=0;
        for (list::iterator m=fl.begin(); m!=fl.end(); m++,n++)
        {
            FWObject *o=*m;

            QPixmap pm;
            if ( ! QPixmapCache::find( icn, pm) )
            {
                pm.load( icn );
                QPixmapCache::insert( icn, pm);
            }

            QListWidgetItem *item = new QListWidgetItem( QIcon(pm), QString(o->getName().c_str()));
            m_dialog->templateList->addItem(item);

            templates[ m_dialog->templateList->item( m_dialog->templateList->count()-1 ) ]=o;
        }
        m_dialog->templateList->setCurrentItem(0);
        m_dialog->templateList->setFocus();
        break;
    }
    }
}

/*
 * Slot for a template being highlighted in the list. Shows the
 * template's comment and fills the "outside" preview pane for
 * interfaces labelled "outside" or named ending in 0 or 0/0, and the
 * "inside" pane for those labelled "inside" or named ending in 1 or
 * 0/1; panes without a match are hidden.
 *
 * itm must be one of the items created in showPage(): looking up an
 * unknown item in `templates` yields NULL and trips the assert.
 * NOTE(review): haveDMZ is never set to true, so the DMZ pane is always
 * hidden — dead code or an unfinished feature.
 */
void newHostDialog::templateSelected(QListWidgetItem *itm)
//void newHostDialog::templateSelected(QListWidgetItem *cur)
{
    //QListWidgetItem *itm = cur;

    if (fwbdebug)
        qDebug("newHostDialog::templateSelected ");

    FWObject *o=templates[itm];
    assert (o!=NULL);
    Host *fw = Host::cast(o);

    m_dialog->templateComment->clear();
    m_dialog->templateComment->append( fw->getComment().c_str() );
    m_dialog->templateComment->moveCursor(QTextCursor::Start);

    bool haveOutside = false;
    bool haveInside = false;
    bool haveDMZ = false;
    // NOTE(review): template arguments of `list` lost in extraction.
    list ll = fw->getByType(Interface::TYPENAME);
    for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++)
    {
        Interface *intf = Interface::cast( *i );
        QString nam = intf->getName().c_str();
        QString lbl = intf->getLabel().c_str();

        if (lbl=="outside" || nam.indexOf(QRegExp(".*0$"))!=-1 || nam.indexOf(QRegExp(".*0/0$"))!=-1 )
        {
            haveOutside=true;
            m_dialog->intfOutsideLine->show();
            m_dialog->intfOutsideText->show();
            fillInterfaceData(intf,m_dialog->intfOutsideText);
        }
        if (lbl=="inside" || nam.indexOf(QRegExp(".*1$"))!=-1 || nam.indexOf(QRegExp(".*0/1$"))!=-1 )
        {
            haveInside=true;
            m_dialog->intfInsideLine->show();
            m_dialog->intfInsideText->show();
            fillInterfaceData(intf,m_dialog->intfInsideText);
        }
    }

    if (!haveOutside)
    {
        m_dialog->intfOutsideLine->hide();
        m_dialog->intfOutsideText->hide();
    }
    if (!haveInside)
    {
        m_dialog->intfInsideLine->hide();
        m_dialog->intfInsideText->hide();
    }
    if (!haveDMZ)
    {
        m_dialog->intfDMZLine->hide();
        m_dialog->intfDMZText->hide();
    }
}

/*
 * Render one template interface into the preview browser qte:
 * "Interface: <name> (<label>)" followed by "Dynamic address",
 * "Unnumbered interface" or "<address>/<netmask>" (empty strings for
 * a missing address or netmask).
 *
 * NOTE(review): the markup carried by the string literals below was
 * stripped when this page was extracted; they appear empty here and
 * do not reflect the original file.
 */
void newHostDialog::fillInterfaceData(Interface *intf, QTextBrowser *qte)
{
    qte->clear();
    QString s;
    s += "";
    s += "";
    s += "";
    s += "";
    s += "";
    s += "";
    s += "";
    s += "";
    s += tr("Interface: %1 (%2)")
        .arg(intf->getName().c_str())
        .arg(intf->getLabel().c_str());
    s += "";
    if (intf->isDyn())
        s += tr("Dynamic address");
    else if (intf->isUnnumbered())
        s += tr("Unnumbered interface");
    else
    {
        const InetAddr *addr = intf->getAddressPtr();
        QString addr_str = (addr) ? addr->toString().c_str() : "";
        const InetAddr *netm = intf->getNetmaskPtr();
        QString netm_str = (netm) ? netm->toString().c_str() : "";
        s += QString("%1/%2").arg(addr_str).arg(netm_str);
    }
    s += "";
    qte->setText(s);
}

/*
 * Check that addr parses as an InetAddr and that netm is either a
 * prefix length in 0..32 or itself parses as an address; every failure
 * shows "Illegal address" and returns false. The 32 bound and the
 * AF-less InetAddr constructor make this apparently IPv4 only.
 * Not called from anywhere in this file.
 */
bool newHostDialog::validateAddressAndMask(const QString &addr,
                                           const QString &netm)
{
    try
    {
        InetAddr(addr.toLatin1().constData());
    }
    catch (FWException &ex)
    {
        QMessageBox::warning(
            this,"Firewall Builder",
            tr("Illegal address '%1/%2'").arg(addr).arg(netm),
            "&Continue", QString::null, QString::null, 0, 1 );
        return false;
    }
    try
    {
        bool ok = false;
        int ilen = netm.toInt (&ok);
        if (ok)
        {
            if (ilen < 0 || ilen > 32)
            {
                QMessageBox::warning(
                    this,"Firewall Builder",
                    tr("Illegal address '%1/%2'").arg(addr).arg(netm),
                    "&Continue", QString::null, QString::null, 0, 1 );
                return false;
            }
        } else
        {
            InetAddr(netm.toLatin1().constData());
        }
    }
    catch (FWException &ex)
    {
        QMessageBox::warning(
            this,"Firewall Builder",
            tr("Illegal address '%1/%2'").arg(addr).arg(netm),
            "&Continue", QString::null, QString::null, 0, 1 );
        return false;
    }
    return true;
}

/* Cancel button: reject the dialog without creating anything. */
void newHostDialog::cancelClicked()
{
    QDialog::reject();
}

/*
 * Finish button. Builds the new Host and leaves it in nhst for
 * getNewHost():
 *
 *  - From the templates page: deep-copies the selected template into
 *    db, names it after the name field and lets the object manager
 *    autorename it.
 *  - Otherwise: requires the interface editor to report valid input,
 *    creates a Host and one Interface per editor row (type 1 -> dynamic,
 *    2 -> unnumbered; security level 0), a "<host>:<iface>:mac"
 *    physAddress when a MAC was given, and for regular (type 0)
 *    interfaces one IPv4/IPv6 object per address named
 *    "<host>:<iface>:ip" / ":ip6", skipping "0.0.0.0". A numeric
 *    netmask is taken as a prefix length, anything else is parsed as an
 *    address string.
 *
 * NOTE(review): on the manual path `o->setName(...)` runs before the
 * `if (o==NULL)` check, so that check can never catch a NULL result.
 * NOTE(review): on the template path currentItem() may be NULL when
 * nothing is selected; templates[NULL] is NULL and only the assert
 * stops it.
 * NOTE(review): address strings are stored without validation here;
 * this relies on interfaceEditor->isValid() — confirm what it checks.
 * validateAddressAndMask() above is unused in this file.
 */
void newHostDialog::finishClicked()
{
    int p = currentPage();
    if (p==TEMPLATES_PAGE)
    {
        QListWidgetItem *itm = m_dialog->templateList->currentItem();
        FWObject *o=templates[itm];
        assert (o!=NULL);

        FWObject *no = db->create(Host::TYPENAME);
        no->duplicate(o, true);
        no->setName(m_dialog->obj_name->text().toUtf8().constData());
        mw->activeProject()->m_panel->om->autorename(no);

        nhst = Host::cast(no);
    } else
    {
        if ( !this->m_dialog->interfaceEditor->isValid() )
            return;
        FWObject *o;
        o = db->create(Host::TYPENAME);
        o->setName(m_dialog->obj_name->text().toUtf8().constData());

        if (o==NULL)
        {
            QDialog::accept();
            return;
        }
        nhst = Host::cast(o);

        /* create interfaces */
        foreach(EditedInterfaceData iface, this->m_dialog->interfaceEditor->getNewData())
        {
            QString name = iface.name;
            QString label = iface.label;
            bool dyn = iface.type == 1;
            bool unnum = iface.type == 2;
            QString physaddr = iface.mac;

            Interface *oi = Interface::cast(db->create(Interface::TYPENAME));
            oi->setName( string(name.toUtf8().constData()) );
            oi->setLabel( string(label.toUtf8().constData()) );
            oi->setComment( string(iface.comment.toUtf8().constData()) );
            nhst->add(oi);

            if (dyn) oi->setDyn(true);
            if (unnum) oi->setUnnumbered(true);
            oi->setSecurityLevel(0);

            if (physaddr != "")
            {
                QString addrname=QString("%1:%2:mac")
                    .arg(m_dialog->obj_name->text()).arg(name);
                physAddress* pa = physAddress::cast(
                    db->create(physAddress::TYPENAME));
                pa->setName(addrname.toUtf8().constData());
                oi->add(pa);
                pa->setPhysAddress(physaddr.toLatin1().constData());
            }

            if (iface.type == 0)
            {
                foreach(AddressInfo address, iface.addresses)
                {
                    if (address.address == "0.0.0.0") continue;
                    if (address.ipv4)
                    {
                        string addrname = string(
                            QString("%1:%2:ip")
                            .arg(m_dialog->obj_name->text()).arg(name).toUtf8());
                        IPv4 *oa = IPv4::cast(db->create(IPv4::TYPENAME));
                        oi->add(oa);
                        oa->setName(addrname);
                        oa->setAddress( InetAddr(address.address.toLatin1().constData()) );
                        bool ok = false;
                        int inetmask = address.netmask.toInt(&ok);
                        if (ok)
                        {
                            oa->setNetmask( InetAddr(inetmask) );
                        }
                        else
                        {
                            oa->setNetmask( InetAddr(address.netmask.toLatin1().constData()) );
                        }
                    }
                    else
                    {
                        string addrname = string(
                            QString("%1:%2:ip6")
                            .arg(m_dialog->obj_name->text()).arg(name).toUtf8() );
                        IPv6 *oa = IPv6::cast(db->create(IPv6::TYPENAME));
                        oi->add(oa);
                        oa->setName(addrname);
                        oa->setAddress( InetAddr(AF_INET6, address.address.toLatin1().constData()) );
                        bool ok = false;
                        int inetmask = address.netmask.toInt(&ok);
                        if (ok)
                        {
                            oa->setNetmask( InetAddr(AF_INET6, inetmask) );
                        }
                        else
                        {
                            oa->setNetmask( InetAddr(AF_INET6, address.netmask.toLatin1().constData()));
                        }
                    }
                }
            }
        }
    }

    if (unloadTemplatesLib)
    {
        delete tmpldb;
        tmpldb = NULL;
        unloadTemplatesLib=false;
    }

    QDialog::accept();
}

fwbuilder-5.3.7/src/libgui/newHostDialog.h000066400000000000000000000056031303637203600205020ustar00rootroot00000000000000
/*

  Firewall Builder

  Copyright (C) 2004 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.
You may redistribute and/or modify this program under the terms of that
  license as published by the Free Software Foundation; either version 2 of
  the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
  more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef __NEWHOSTDIALOG_H_
#define __NEWHOSTDIALOG_H_

#include "config.h"
// NOTE(review): an angle-bracket header name was lost here when this
// page was extracted.
#include
#include "fwbuilder/InterfaceData.h"
#include "fakeWizard.h"
// NOTE(review): two more angle-bracket header names lost in extraction.
#include #include

namespace libfwbuilder
{
    class FWObject;
    class Host;
    class Interface;
    class Logger;
    class SNMP_interface_query;
};

class QTimer;
class QTextEdit;
class QTreeWidgetItem;
class QListWidgetItem;

/*
 * Wizard dialog (QDialog + FakeWizard pages) for creating a Host
 * object, either from a template library or from manually entered /
 * SNMP-discovered interfaces. The created object is available through
 * getNewHost() after the dialog was finished; it is NULL if the dialog
 * was cancelled or finishClicked() never ran.
 */
class newHostDialog : public QDialog, public FakeWizard
{
    Q_OBJECT

    libfwbuilder::Host *nhst;                  // the host being built; NULL until finishClicked()
    bool snmpPollCompleted;                    // set by monitor() once the SNMP query finished
    libfwbuilder::Logger *logger;              // output of the running SNMP query, NULL when idle
    libfwbuilder::SNMP_interface_query *q;     // running SNMP query, NULL when idle
    QTimer *timer;                             // polls monitor() while an SNMP query runs
    libfwbuilder::FWObjectDatabase *db;        // root database of `parent`; new objects are created here
    libfwbuilder::FWObjectDatabase *tmpldb;    // lazily loaded template library, see showPage()
    libfwbuilder::FWObject *parent;            // object passed by the caller; only its root database is used
    // list item -> template Host. NOTE(review): template arguments were
    // lost when this page was extracted.
    std::map templates;
    bool unloadTemplatesLib;                   // when true finishClicked() frees tmpldb
    bool getInterfacesBusy;                    // re-entry guard for getInterfacesViaSNMP()

    Ui::newHostDialog_q *m_dialog;

    void fillInterfaceData(libfwbuilder::Interface *intf, QTextBrowser *qte);
    bool validateAddressAndMask(const QString &addr, const QString &netm);

public:
    newHostDialog(QWidget *parentw, libfwbuilder::FWObject *parent);
    virtual ~newHostDialog();

    libfwbuilder::Host* getNewHost() { return nhst; };

    virtual bool appropriate(const int page) const;
    void showPage(const int page);

public slots:
    virtual void changed();
//    virtual void selectedInterface(QTreeWidgetItem *cur);
    virtual void getInterfacesViaSNMP();
    virtual void monitor();
//    virtual void templateSelected(QListWidgetItem *cur);
    virtual void templateSelected(QListWidgetItem *itm);
    void browseTemplate();
    void useStandardTemplate();
    void updateTemplatePanel();

protected slots:
    virtual void finishClicked();
    virtual void cancelClicked();
    virtual void nextClicked();
    virtual void backClicked();
};

#endif // __NEWHOSTDIALOG_H fwbuilder-5.3.7/src/libgui/newclusterdialog_q.ui000066400000000000000000000334231303637203600220150ustar00rootroot00000000000000 newClusterDialog_q Qt::WindowModal 0 0 651 644 0 0 0 25 Sans Serif 14 75 false true TextLabel Qt::AlignCenter 1 0 400 50 QFrame::StyledPanel QFrame::Raised Qt::Horizontal 161 37 < &Back false &Next > true false &Finish false &Cancel false 500 450 3 Enter the name of the new object Qt::AlignCenter false Select member firewall objects to use with the new cluster. One member firewall should be marked as master. You can choose to copy policy and NAT rules from the rule sets of one of the members to the new cluster later. true Firewall Use in cluster Master 0 Tab 1 0 Tab 1 Choose which member's Policy and NAT rules should be used to create Policy and NAT rules of the cluster. First, each member firewall object will be copied with the name "<firewall>-bak" (where <firewall> is the name of the member) for backup, then rules from the chosen member will be copied to the new cluster and finally all Policy and NAT rules will be deleted in both members. Backup firewall objects ensure that you do not lose your configuration and can always revert back if necessary. You can delete backup objects or move them to a separate library for archival later.
true 0 0 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" content="1" /><style type="text/css"> p, li { white-space: pre-wrap; } </style></head><body style=" font-family:'Lucida Grande'; font-size:13pt; font-weight:400; font-style:normal;"> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-weight:600;">Cluster summary:</span></p></body></html> Name: 0 0 0 150 16777215 150 Firewalls used in this cluster Lucida Console Qt::Vertical 20 40 0 0 Master firewall: Cluster interfaces Lucida Console Qt::Vertical 20 40 0 0 Policy and NAT rules will be copied from firewall: 0 0 Click Finish to create this cluster. InterfacesTabWidget QTabWidget
InterfacesTabWidget.h
1
FirewallSelectorWidget QTableWidget
FirewallSelectorWidget.h
ClusterInterfacesSelectorWidget QTabWidget
ClusterInterfacesSelectorWidget.h
1
backButton nextButton finishButton cancelButton obj_name textChanged(QString) newClusterDialog_q changed() 275 68 7 35 changed() failoverProtocolChanged() selectedInterface(QTreeWidgetItem*,QTreeWidgetItem*) platformChanged() addInterface() deleteInterface()
fwbuilder-5.3.7/src/libgui/newfirewalldialog_q.ui000066400000000000000000001042441303637203600221410ustar00rootroot00000000000000 newFirewallDialog_q Qt::WindowModal 0 0 650 590 650 590 Creating new firewall object :/Icons/Firewall/icon-tree:/Icons/Firewall/icon-tree 0 0 0 25 Sans Serif 14 75 false true TextLabel Qt::AlignCenter 500 450 2 Name of the new firewall object: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Choose firewall software it is running: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Choose OS the new firewall runs on: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 0 0 0 20 QFrame::HLine QFrame::Sunken Qt::Horizontal Use preconfigured firewall templates Firewall Builder comes with a library of standard template firewall objects, however you can compose your own library of templates and use it to create new firewall. true Use standard template objects Use custom template objects Select custom template library file Using template library file: 400 0 Qt::Vertical 20 1 0 Next step is to add interfaces to the new firewall. There are two ways to do it: using SNMP query or manually. Adding them using SNMP query is fast and automatic, but is only possible if firewall runs SNMP agent and you know SNMP community string 'read'. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true Qt::Vertical QSizePolicy::Fixed 20 20 10 12 Configure interfaces manually true Use SNMP to discover interfaces of the firewall Qt::Horizontal QSizePolicy::Expanding 40 20 Discover Interfaces using SNMP SNMP 'read' community string: Qt::AlignCenter false Qt::Horizontal QSizePolicy::Expanding 140 20 Qt::Horizontal QSizePolicy::Expanding 40 20 Firewall IP address: 0 0 'Name' corresponds to the name of the physical interface, such as 'eth0', 'fxp0', 'ethernet0' etc. 'Label' is used to mark interface to reflect network topology, e.g. 'outside' or 'inside'. Label is mandatory for PIX firewall. 
Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 Tab 1 9 In order to be able to build firewall policy properly, Firewall Builder needs information about 'security level' of the firewall's interfaces. Interface that connects it to the Internet is considered 'insecure' and has security level '0', while interface connected to the internal network is supposed to be 'secure' (security level '100'). Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true Qt::AlignCenter true Qt::AlignCenter true QFrame::NoFrame QFrame::Sunken 0 true true Name Label Address Security Level Firewall Builder uses Network Zones to determine network topology. Each firewall interface must have a Network Zone configured. The Network Zone of an interface represents the set of IP networks that would be the source IP address of traffic arriving inbound on an interface. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true If you do not set the Network Zone now you can update the Network Zone configuration after the firewall has been created by double-clicking on the network interface of the firewall object and then selecting the desired object from the Network Zone dropdown list. true :/Images/network_zone_dialog.png Qt::AlignCenter 0 150 QFrame::NoFrame QFrame::Sunken 0 true true Name Label Address Security Level 0 0 0 250 210 QFrame::StyledPanel QFrame::Sunken 0 0 20 20 QFrame::VLine QFrame::Sunken Qt::Vertical 0 0 16777215 55 QFrame::Panel QFrame::Raised Qt::ScrollBarAlwaysOff Qt::ScrollBarAlwaysOff :/Icons/firewall_64.png false false 0 0 20 20 QFrame::HLine QFrame::Sunken Qt::Horizontal 0 0 16777215 55 QFrame::Panel QFrame::Raised Qt::ScrollBarAlwaysOff Qt::ScrollBarAlwaysOff 0 0 20 20 QFrame::VLine QFrame::Sunken Qt::Vertical 0 0 16777215 55 QFrame::Panel QFrame::Raised Qt::ScrollBarAlwaysOff Qt::ScrollBarAlwaysOff Choose template object in the list and click 'Next' when ready. You can change interface names and their IP addresses on the next page. 
Template firewall object comes with basic policy and NAT rules that implement policy described in its comment. If you change IP addresses of its interfaces, policy and NAT rules will be automatically corrected to reflect this change. However you should always inspect the rules and adjust them to suite your security policy. Template objects are designed to be a starting point, a way to jump-start your configuration and most likely require changes to be useful in your environment. Qt::AlignVCenter true 200 0 250 16777215 'Name' corresponds to the name of the physical interface, such as 'eth0', 'fxp0', 'ethernet0' etc. 'Label' is used to mark interface to reflect network topology, e.g. 'outside' or 'inside'. Label is mandatory for PIX firewall. true 0 Tab 1 1 0 400 50 QFrame::StyledPanel QFrame::Raised Qt::Horizontal 161 37 < &Back false &Next > true true false &Finish false false &Cancel false InterfacesTabWidget QTabWidget
InterfacesTabWidget.h
1
obj_name platform hostOS useTemplate use_manual snmp_community snmpQuery snmpProgress templateList intfOutsideText intfDMZText intfInsideText templateComment obj_name textChanged(QString) newFirewallDialog_q changed() 99 58 20 20 platform activated(int) newFirewallDialog_q changed() 102 58 20 20 use_snmp toggled(bool) newFirewallDialog_q changed() 70 76 20 20 snmpQuery clicked() newFirewallDialog_q getInterfacesViaSNMP() 102 88 20 20 templateList currentItemChanged(QListWidgetItem*,QListWidgetItem*) newFirewallDialog_q templateSelected(QListWidgetItem*) 32 126 20 20 newFirewallDialog_q rejected() newFirewallDialog_q cleanup() 324 294 324 294 cancelClicked() cleanup()
fwbuilder-5.3.7/src/libgui/newgroupdialog_q.ui000066400000000000000000000074001303637203600214640ustar00rootroot00000000000000 newGroupDialog_q 0 0 314 156 1 1 0 0 New Group Library: false 7 0 0 0 Group Name: false This operation will create a new group and put selected objects in it Qt::AlignVCenter true 55 20 Expanding Horizontal Create a group Cancel obj_name libs applyBtn cancelBtn cancelBtn clicked() newGroupDialog_q reject() applyBtn clicked() newGroupDialog_q accept() fwbuilder-5.3.7/src/libgui/newhostdialog_q.ui000066400000000000000000000643261303637203600213170ustar00rootroot00000000000000 newHostDialog_q Qt::WindowModal 0 0 616 621 Creating new host object :/Icons/Host/icon-tree:/Icons/Host/icon-tree 0 0 0 25 Sans Serif 14 75 false true TextLabel Qt::AlignCenter 0 0 500 450 2 The Host object in Firewall Builder is designed to represent real hosts in the network: workstations, servers, and any other network node with one or several addresses. Host object is useful when it has more than one IP address because then you can just use it in any rule and have Firewall Builder generate firewall configuration to match all of its addresses. If the host object you are going to create has just one IP address, you may want to consider an Address object instead which is simpler. true Qt::Vertical QSizePolicy::Fixed 20 40 Name of the new host object: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 0 0 0 20 QFrame::HLine QFrame::Sunken Qt::Horizontal Use preconfigured template host objects QFrame::NoFrame QFrame::Raised Using template library file: 400 0 Select custom template library file Use standard template library Qt::Horizontal 20 20 Qt::Vertical 20 269 0 Next step is to add interfaces to the new host. There are two ways to do it: using SNMP query or manually. Adding them using SNMP query is fast and automatic, but is only possible if the host runs SNMP agent and you know SNMP community string 'read'. 
Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true Qt::Vertical QSizePolicy::Fixed 20 20 0 Configure interfaces manually true Use SNMP to discover interfaces of the host Qt::Horizontal QSizePolicy::Expanding 40 20 Discover Interfaces using SNMP SNMP 'read' community string: Qt::AlignCenter false Qt::Horizontal QSizePolicy::Expanding 140 20 Qt::Horizontal QSizePolicy::Expanding 40 20 0 0 0 Here you can add or edit interfaces manually. 'Name' corresponds to the name of the physical interface, such as 'eth0', 'fxp0', 'ethernet0' etc. 'Label' is used to mark interface to reflect network topology, e.g. 'outside' or 'inside'. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 Check option 'Unnumbered interface' for the interface that does not have an IP address. Examples of interfaces of this kind are those used to terminate PPPoE or VPN tunnels. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 Check option 'Dynamic IP Address' for the interface that gets its IP address dynamically via DHCP or PPP protocol. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true Click 'Next' when done. Qt::AlignCenter false Tab 2 0 0 0 280 210 QFrame::StyledPanel QFrame::Sunken 79 77 20 52 0 0 20 20 QFrame::HLine QFrame::Sunken Qt::Horizontal 38 148 20 30 0 0 20 20 QFrame::VLine QFrame::Sunken Qt::Vertical 68 8 200 52 QFrame::Panel QFrame::Raised 88 78 180 52 QFrame::Panel QFrame::Raised 68 148 200 52 QFrame::Panel QFrame::Raised 10 70 64 64 :/Icons/host_64.xpm false false 38 28 20 30 0 0 20 20 QFrame::VLine QFrame::Sunken Qt::Vertical Choose template object in the list and click 'Finish' when ready. Template objects use generic interface names that will be iherited by the firewall object you create. You may need to rename them later to reflect real names of interfaces on your firewall machine. Qt::AlignVCenter true 1 0 400 50 QFrame::StyledPanel QFrame::Raised Qt::Horizontal 193 19 < &Back false &Next > true false &Finish false &Cancel false InterfacesTabWidget QTabWidget
InterfacesTabWidget.h
1
obj_name useTemplate use_manual snmp_community snmpQuery snmpProgress templateList intfOutsideText intfDMZText intfInsideText templateComment obj_name textChanged(QString) newHostDialog_q changed() 20 20 20 20 use_manual toggled(bool) newHostDialog_q changed() 20 20 20 20 use_snmp toggled(bool) newHostDialog_q changed() 20 20 20 20 snmpQuery clicked() newHostDialog_q getInterfacesViaSNMP() 20 20 20 20 templateList currentItemChanged(QListWidgetItem*,QListWidgetItem*) newHostDialog_q templateSelected(QListWidgetItem*) 20 20 20 20
fwbuilder-5.3.7/src/libgui/nxosAdvancedDialog.cpp000066400000000000000000000051021303637203600220150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "nxosAdvancedDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; nxosAdvancedDialog::~nxosAdvancedDialog() { delete m_dialog; } nxosAdvancedDialog::nxosAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::nxosAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); /* Page "General" */ data.registerOption( m_dialog->nxos_set_host_name , fwoptions, "nxos_set_host_name" ); data.registerOption( m_dialog->nxos_ip_address , fwoptions, "nxos_ip_address" ); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void nxosAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); 
std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); data.saveAll(fwoptions); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void nxosAdvancedDialog::reject() { QDialog::reject(); } fwbuilder-5.3.7/src/libgui/nxosAdvancedDialog.h000066400000000000000000000026241303637203600214700ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NXOSADVANCEDDIALOG_H_ #define __NXOSADVANCEDDIALOG_H_ #include #include "DialogData.h" namespace libfwbuilder { class FWObject; }; class nxosAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::nxosAdvancedDialog_q*m_dialog; public: nxosAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~nxosAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); public slots: }; #endif // __NXOSADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/nxosaclAdvancedDialog.cpp000066400000000000000000000306221303637203600225020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "nxosaclAdvancedDialog.h" #include "SimpleTextEditor.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Interface.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; nxosaclAdvancedDialog::~nxosaclAdvancedDialog() { delete m_dialog; } nxosaclAdvancedDialog::nxosaclAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::nxosaclAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); string vers="version_"+obj->getStr("version"); string platform = obj->getStr("platform"); // should be 'nxosacl' QString s; QStringList logLevels; QStringList logLevelMapping; logLevelMapping.push_back(""); logLevelMapping.push_back(""); /* filling pop-down menu and pushing the same strings to the mapping * list at the same time so we could use translation */ s=QObject::tr("0 - System Unusable"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("0"); s=QObject::tr("1 - Take Immediate Action"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("1"); s=QObject::tr("2 - Critical Condition"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("2"); s=QObject::tr("3 - Error Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("3"); s=QObject::tr("4 - Warning Message"); logLevels.push_back(s); 
logLevelMapping.push_back(s); logLevelMapping.push_back("4"); s=QObject::tr("5 - Normal but significant condition"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("5"); s=QObject::tr("6 - Informational"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("6"); s=QObject::tr("7 - Debug Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("7"); /* do not need to translate syslog facilities, but will use the same * method just in case */ QStringList syslogFacilities; QStringList syslogFacilityMapping; syslogFacilities.push_back(""); syslogFacilityMapping.push_back(""); syslogFacilityMapping.push_back(""); syslogFacilities.push_back("LOCAL0"); syslogFacilityMapping.push_back("LOCAL0"); syslogFacilityMapping.push_back("16"); syslogFacilities.push_back("LOCAL1"); syslogFacilityMapping.push_back("LOCAL1"); syslogFacilityMapping.push_back("17"); syslogFacilities.push_back("LOCAL2"); syslogFacilityMapping.push_back("LOCAL2"); syslogFacilityMapping.push_back("18"); syslogFacilities.push_back("LOCAL3"); syslogFacilityMapping.push_back("LOCAL3"); syslogFacilityMapping.push_back("19"); syslogFacilities.push_back("LOCAL4"); syslogFacilityMapping.push_back("LOCAL4"); syslogFacilityMapping.push_back("20"); syslogFacilities.push_back("LOCAL5"); syslogFacilityMapping.push_back("LOCAL5"); syslogFacilityMapping.push_back("21"); syslogFacilities.push_back("LOCAL6"); syslogFacilityMapping.push_back("LOCAL6"); syslogFacilityMapping.push_back("22"); syslogFacilities.push_back("LOCAL7"); syslogFacilityMapping.push_back("LOCAL7"); syslogFacilityMapping.push_back("23"); bool f1=fwoptions->getBool("nxosacl_acl_basic"); bool f2=fwoptions->getBool("nxosacl_acl_no_clear"); bool f3=fwoptions->getBool("nxosacl_acl_substitution"); bool f4=fwoptions->getBool("nxosacl_add_clear_statements"); /* * If none of the new nxosacl_acl_* options is set and old nxosacl_add_clear_statements * option is true, 
set nxosacl_acl_basic to true. * * If old option nxosacl_add_clear_statements iss false, set * nxosacl_acl_no_clear to true */ if (!f1 && !f2 && !f3) { if ( f4 ) fwoptions->setBool("nxosacl_acl_basic",true); else fwoptions->setBool("nxosacl_acl_no_clear",true); } Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); data.registerOption(m_dialog->ipv4before_2, fwoptions, "ipv4_6_order", QStringList() << tr("IPv4 before IPv6") << "ipv4_first" << tr("IPv6 before IPv4") << "ipv6_first" ); /* Page "Compiler Options" */ data.registerOption( m_dialog->outputFileName, fwoptions, "output_file" ); data.registerOption( m_dialog->nxosacl_acl_basic, fwoptions, "nxosacl_acl_basic" ); data.registerOption( m_dialog->nxosacl_use_object_groups, fwoptions, "nxosacl_use_object_groups" ); /* data.registerOption( m_dialog->nxosacl_acl_alwaysNew, fwoptions, "nxosacl_acl_always_new" ); */ data.registerOption( m_dialog->nxosacl_acl_no_clear, fwoptions, "nxosacl_acl_no_clear" ); data.registerOption( m_dialog->nxosacl_acl_substitution, fwoptions, "nxosacl_acl_substitution" ); data.registerOption( m_dialog->nxosacl_acl_temp_addr, fwoptions, "nxosacl_acl_temp_addr" ); data.registerOption( m_dialog->nxosacl_include_comments, fwoptions, "nxosacl_include_comments" ); data.registerOption( m_dialog->nxosacl_use_acl_remarks, fwoptions, "nxosacl_use_acl_remarks" ); data.registerOption( m_dialog->nxosacl_regroup_commands, fwoptions, "nxosacl_regroup_commands" ); data.registerOption( m_dialog->nxosacl_check_shadowing, fwoptions, "check_shading" ); data.registerOption( m_dialog->nxosacl_ignore_empty_groups, fwoptions, "ignore_empty_groups" ); data.registerOption( m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh" ); data.registerOption( m_dialog->mgmt_addr, fwoptions, "mgmt_addr" ); /* page Installer */ data.registerOption( m_dialog->user, fwoptions, "admUser"); data.registerOption( m_dialog->altAddress, fwoptions, "altAddress"); data.registerOption( m_dialog->sshArgs, fwoptions, 
"sshArgs"); data.registerOption( m_dialog->scpArgs, fwoptions, "scpArgs"); data.registerOption( m_dialog->use_scp, fwoptions, "use_scp"); data.registerOption( m_dialog->use_nxos_session, fwoptions, "use_nxos_session" ); data.registerOption( m_dialog->filesystem, fwoptions, "filesystem"); data.registerOption( m_dialog->filesystem, fwoptions, "firewall_dir"); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); m_dialog->installScript->setText(pis->getCommand().c_str() ); m_dialog->installScriptArgs->setText( pis->getArguments().c_str() ); /* page "Prolog/Epilog" */ data.registerOption( m_dialog->nxosacl_prolog_script, fwoptions, "nxosacl_prolog_script" ); data.registerOption( m_dialog->nxosacl_epilog_script, fwoptions, "nxosacl_epilog_script" ); /* page Logging */ data.registerOption(m_dialog->generate_logging_commands, fwoptions, "nxosacl_generate_logging_commands"); data.registerOption(m_dialog->syslog_host, fwoptions, "nxosacl_syslog_host"); m_dialog->syslog_facility->clear(); m_dialog->syslog_facility->addItems( syslogFacilities ); data.registerOption( m_dialog->syslog_facility, fwoptions, "nxosacl_syslog_facility", syslogFacilityMapping); m_dialog->logging_trap_level->clear(); m_dialog->logging_trap_level->addItems(logLevels); data.registerOption( m_dialog->logging_trap_level, fwoptions, "nxosacl_logging_trap_level", logLevelMapping); data.registerOption(m_dialog->logging_timestamp, fwoptions, "nxosacl_logging_timestamp"); data.registerOption(m_dialog->logging_buffered, fwoptions, "nxosacl_logging_buffered"); m_dialog->logging_buffered_level->clear(); m_dialog->logging_buffered_level->addItems(logLevels); data.registerOption( m_dialog->logging_buffered_level, fwoptions, "nxosacl_logging_buffered_level", logLevelMapping); data.registerOption(m_dialog->logging_console, fwoptions, "nxosacl_logging_console"); m_dialog->logging_console_level->clear(); m_dialog->logging_console_level->addItems(logLevels); data.registerOption( 
m_dialog->logging_console_level,fwoptions, "nxosacl_logging_console_level", logLevelMapping); data.loadAll(); scriptACLModeChanged(); toggleGenerateLogging(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void nxosaclAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* options = Firewall::cast(new_state)->getOptionsObject(); assert(options!=NULL); Management *mgmt = (Firewall::cast(new_state))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(options); const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress(); if (mgmt_addr) mgmt->setAddress(*mgmt_addr); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); pis->setCommand( m_dialog->installScript->text().toLatin1().constData() ); pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData() ); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void nxosaclAdvancedDialog::reject() { QDialog::reject(); } void nxosaclAdvancedDialog::editProlog() { SimpleTextEditor edt(this, m_dialog->nxosacl_prolog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->nxosacl_prolog_script->setText( edt.text() ); } void nxosaclAdvancedDialog::editEpilog() { SimpleTextEditor edt(this, m_dialog->nxosacl_epilog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->nxosacl_epilog_script->setText( edt.text() ); } void nxosaclAdvancedDialog::scriptACLModeChanged() { m_dialog->nxosacl_acl_temp_lbl->setEnabled( m_dialog->nxosacl_acl_substitution->isChecked()); m_dialog->nxosacl_acl_temp_addr->setEnabled( m_dialog->nxosacl_acl_substitution->isChecked()); } void nxosaclAdvancedDialog::toggleGenerateLogging() { m_dialog->syslog_controls->setEnabled( 
m_dialog->generate_logging_commands->isChecked()); m_dialog->other_logging_controls->setEnabled( m_dialog->generate_logging_commands->isChecked()); } fwbuilder-5.3.7/src/libgui/nxosaclAdvancedDialog.h000066400000000000000000000033031303637203600221430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NXOSACLADVANCEDDIALOG_H_ #define __NXOSACLADVANCEDDIALOG_H_ #include #include "DialogData.h" #include #include class QWidget; class QSpinBox; class QComboBox; class QCheckBox; class QProcess; namespace libfwbuilder { class FWObject; }; class nxosaclAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::nxosaclAdvancedDialog_q *m_dialog; public: nxosaclAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~nxosaclAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void editProlog(); virtual void editEpilog(); virtual void scriptACLModeChanged(); virtual void toggleGenerateLogging(); }; #endif // __NXOSACLADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/nxosacladvanceddialog_q.ui000066400000000000000000001371551303637203600227660ustar00rootroot00000000000000 nxosaclAdvancedDialog_q Qt::WindowModal true 0 0 743 600 NX-OS ACL Firewall Settings false 0 
Compiler Options 0 0 Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw") Qt::AlignVCenter true 300 0 32767 22 false 20 Compiler creates multiple access lists from the same policy, two for each interface: one for inbound and another for outbound. If the policy is written in a such way that no rule can possibly be associated with an interface, this interface gets no access list at all. Also, interfaces marked as "unprotected" never get access list regardless of how the policy rules are designed. Generate separate access list for each interface Compiler creates one access list and assigns it to all interfaces. Create one access list and attach it to all interfaces 0 0 Policy Compiler Options false false If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works! Ignore empty groups in rules Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. 
Detect rule shadowing in the policy Use object-group statements (requires NX-OS v12.4(20)T and later) Always permit ssh access from the management workstation with this address: true false 0 0 300 0 32767 22 Qt::Horizontal 328 20 Qt::Vertical QSizePolicy::Expanding 20 170 Script Options 20 12 20 20 0 0 20 Insert comments into generated NX-OSACL configuration file Comment the code Insert comments into generated NX-OSACL configuration file Use ACL remarks Group NX-OSACL commands in the script so that similar commands appear next to each other, just like NX-OSACL does it when you use 'show config' Group similar commands together Qt::Vertical 20 70 0 0 12 12 12 12 6 Clear all access lists then install new ones. This method may interrupt access to the firewall if you manage it remotely via IPSEC tunnel. This is the way access lists were generated in older versions of Firewall Builder for NX-OSACL. Qt::AlignVCenter true nxosacl_acl_basic Qt::ClickFocus Do not clear access lists and object group, just generate NX-OSACL commands for the new ones. Use this option if you have your own policy installation scripts. Qt::AlignVCenter true nxosacl_acl_no_clear Qt::Vertical QSizePolicy::Expanding 20 20 "Safety net" method: First, create temporary access list to permit connections from the management subnet specified below to the firewall and assign it to outside interface. This temporary ACL helps maintain session between management station and the firewall while access lists are reloaded in case connection comes over IPSEC tunnel. Then clear permanent lists, recreate them and assign to interfaces. This method ensures that remote access to the firewall is maintained without interruption at a cost of slightly larger configuration. Qt::AlignVCenter true nxosacl_acl_substitution QFrame::StyledPanel QFrame::Sunken 11 11 11 11 Temporary access list should permit access from this address or subnet (use prefix notation to specify subnet, e.g. 
192.0.2.0/24): Qt::AlignVCenter true Qt::Horizontal QSizePolicy::Expanding 120 20 0 0 200 0 120 32767 Qt::Horizontal QSizePolicy::Expanding 110 20 0 0 0 0 0 0 Installer 4 4 4 4 Qt::Vertical QSizePolicy::Expanding 20 20 Instead of running generated configuration on the router line by line, installer can use scp to copy the file and then "copy file running-config" command to activate it. Ssh v2 and scp servers should be configured on the router for this to work. This method works for NX-OS v12.4 or later and is much faster than running configuration line by line. true Copy generated configuration file to the router using scp File system on the router where configuration file should be saved if it is copied with scp. Examples: "nvram:", "slot0:". Should end with a colon ":". If this input field is left blank, installer uses "volatile:": true Qt::Horizontal 398 20 External install script 6 0 0 Policy install script (using built-in installer if this field is blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 0 0 Command line options for the script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 300 0 Built-in installer User name used to authenticate to the firewall (leave this empty if you use putty session): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 0 0 Additional command line parameters for ssh false 0 0 300 0 Additional command line parameters for scp false 0 0 300 0 Use NXOS Session Manager Prolog/Epilog 20 12 20 20 6 6 6 6 Qt::Horizontal QSizePolicy::Expanding 40 20 Edit The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true 6 6 6 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 The following commands will be added verbatim after generated configuration Qt::RichText Qt::AlignVCenter true 0 Logging Generate logging commands 
Syslog 12 12 12 12 Syslog host (name or IP address): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false syslog facility: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false syslog level ('logging trap'): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false QFrame::HLine QFrame::Sunken Qt::Horizontal QFrame::HLine QFrame::Sunken Qt::Horizontal The logging timestamp command requires that the clock command be set. Qt::AlignVCenter true Enable logging timestamps on syslog file Other logging destinations and levels: 12 12 12 12 Internal buffer Console Qt::Vertical QSizePolicy::Expanding 675 121 IPv6 The order in which ipv4 and ipv6 rules should be generated: Qt::Horizontal 40 20 IPv4 before IPv6 IPv6 before IPv4 Qt::Vertical 20 40 Qt::Horizontal QSizePolicy::Expanding 20 20 OK Qt::AlignCenter false Cancel outputFileName separate_acls_for_interfaces one_acl_for_all_interfaces nxosacl_ignore_empty_groups nxosacl_check_shadowing mgmt_ssh mgmt_addr nxosacl_acl_basic nxosacl_acl_no_clear nxosacl_acl_substitution nxosacl_acl_temp_addr nxosacl_include_comments nxosacl_use_acl_remarks nxosacl_regroup_commands user altAddress sshArgs scpArgs use_scp filesystem installScript installScriptArgs nxosacl_prolog_script edit_prolog_button nxosacl_epilog_script edit_epilog_button generate_logging_commands syslog_host syslog_facility logging_trap_level logging_timestamp logging_buffered logging_console logging_buffered_level logging_console_level ipv4before_2 ok_button cancel_button textLabel3 tabWidget ok_button clicked() nxosaclAdvancedDialog_q accept() 20 20 20 20 cancel_button clicked() nxosaclAdvancedDialog_q reject() 20 20 20 20 edit_prolog_button clicked() nxosaclAdvancedDialog_q editProlog() 20 20 20 20 edit_epilog_button clicked() nxosaclAdvancedDialog_q editEpilog() 20 20 20 20 nxosacl_acl_basic clicked() nxosaclAdvancedDialog_q scriptACLModeChanged() 20 20 20 20 nxosacl_acl_substitution clicked() nxosaclAdvancedDialog_q scriptACLModeChanged() 20 20 20 20 
generate_logging_commands toggled(bool) nxosaclAdvancedDialog_q toggleGenerateLogging() 359 55 359 359 fwbuilder-5.3.7/src/libgui/nxosadvanceddialog_q.ui000066400000000000000000000070271303637203600223000ustar00rootroot00000000000000 nxosAdvancedDialog_q Qt::WindowModal true 0 0 597 188 NX-OS Advanced Configuration Options Qt::Horizontal 151 20 OK Cancel General 0 Set router name using object's name Generate commands to configure addresses for interfaces Qt::Vertical QSizePolicy::Expanding 20 40 nxos_set_host_name tabWidget nxos_ip_address ok_button cancel_button ok_button clicked() nxosAdvancedDialog_q accept() 20 20 20 20 cancel_button clicked() nxosAdvancedDialog_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/objconflictresolutiondialog_q.ui000066400000000000000000000175031303637203600242430ustar00rootroot00000000000000 ObjConflictResolutionDialog_q 0 0 850 436 Conflict Resolution 11 0 0 :/Icons/warning.png true false 0 0 There is a conflict between an object in your tree and object in the file you are trying to open. 
Choose which version of this object you want to use: Qt::AlignVCenter true Qt::Horizontal Current Object Qt::AlignVCenter true 0 0 5 Keep current object Qt::Horizontal QSizePolicy::Expanding 20 20 Always choose this object if there is a conflict New Object Qt::AlignVCenter true 0 0 5 Replace with this object Qt::Horizontal QSizePolicy::Expanding 20 20 Always choose this object if there is a conflict currentObj newObj currentAll useCurrentObj newAll useNewObj useCurrentObj clicked() ObjConflictResolutionDialog_q reject() 20 20 20 20 useNewObj clicked() ObjConflictResolutionDialog_q accept() 20 20 20 20 currentAll toggled(bool) ObjConflictResolutionDialog_q setFlags() 20 20 20 20 newAll toggled(bool) ObjConflictResolutionDialog_q setFlags() 20 20 20 20 fwbuilder-5.3.7/src/libgui/objecteditor_q.ui000066400000000000000000000053441303637203600211200ustar00rootroot00000000000000 ObjectEditor_q true 0 0 202 119 5 5 0 0 Firewall Builder true 0 6 0 6 Qt::Horizontal QSizePolicy::Expanding 20 20 &Close Alt+C true true 200 0 QFrame::StyledPanel QFrame::Raised buttonOk clicked() ObjectEditor_q accept() 20 20 20 20 fwbuilder-5.3.7/src/libgui/objectmanipulator_q.ui000066400000000000000000000135121303637203600221610ustar00rootroot00000000000000 ObjectManipulator_q true 0 0 240 441 0 0 Tree of Objects 0 Filter: Library: 0 0 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" content="1" /><style type="text/css"> p, li { white-space: pre-wrap; } </style></head><body> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">Object libraries</p> <p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">Library <span style=" 
font-weight:600;">&quot;Standard&quot;</span> holds predefined</p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">collection of service and address objects</p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">that ships with the package. Library <span style=" font-weight:600;">&quot;User&quot;</span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">is where you create your own objects.</p></body></html> false true Item1 Item 2 false 0 0 0 0 0 0 69 69 69 FilterLineEdit QLineEdit
FilterLineEdit.h
widgetStack currentChanged(int) ObjectManipulator_q currentTreePageChanged(int) 20 104 20 20 libs activated(int) ObjectManipulator_q libChanged(int) 119 38 119 220 libChanged(int)
fwbuilder-5.3.7/src/libgui/objectselectorwidget_q.ui000066400000000000000000000154001303637203600226500ustar00rootroot00000000000000 ObjectSelectorWidget_q 0 0 691 455 Form 0 6 QAbstractItemView::MultiSelection 6 Remove Filter Select All Filter ... Unselect All 6 -> <- Qt::Vertical QSizePolicy::Expanding 20 240 6 QAbstractItemView::MultiSelection 6 Select All Unselect All addObjButton clicked() ObjectSelectorWidget_q addObject() 345 28 344 227 objFilterButton clicked() ObjectSelectorWidget_q addFilter() 84 384 344 227 remObjButton clicked() ObjectSelectorWidget_q removeObject() 345 64 344 227 remObjFilterButton clicked() ObjectSelectorWidget_q removeFilter() 220 384 344 227 selAllObjButton clicked() ObjectSelectorWidget_q selectAllUsed() 469 420 344 227 selAllResButton clicked() ObjectSelectorWidget_q selectAllResults() 84 420 344 227 unselAllObjButton clicked() ObjectSelectorWidget_q unselectAllUsed() 605 420 344 227 unselAllResButton clicked() ObjectSelectorWidget_q unselectAllResults() 220 420 344 227 addFilter() removeFilter() selectAllResults() unselectAllResults() selectAllUsed() unselectAllUsed() addObject() removeObject() fwbuilder-5.3.7/src/libgui/openaisOptionsDialog.cpp000066400000000000000000000071711303637203600224220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "openaisOptionsDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include #include #include using namespace std; using namespace libfwbuilder; openaisOptionsDialog::openaisOptionsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::openaisOptionsDialog_q; m_dialog->setupUi(this); obj = o; FWOptions *gropt = FWOptions::cast(obj); assert(gropt != NULL); FWObject *p = obj; while (p && Cluster::cast(p)==NULL) p = p->getParent(); assert(p != NULL); Cluster *cluster = Cluster::cast(p); Resources *os_res = Resources::os_res[cluster->getStr("host_OS")]; assert(os_res != NULL); string default_address = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/openais/default_address"); string default_port = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/openais/default_port"); string addr = gropt->getStr("openais_address"); if (addr.empty()) gropt->setStr("openais_address", default_address); string port = gropt->getStr("openais_port"); if (port.empty()) gropt->setStr("openais_port", default_port); data.registerOption(m_dialog->openais_address, gropt, "openais_address"); data.registerOption(m_dialog->openais_port, gropt, "openais_port"); data.loadAll(); } openaisOptionsDialog::~openaisOptionsDialog() { delete m_dialog; } void openaisOptionsDialog::accept() { if (!validate()) return; // the parent of this dialog is InterfaceDialog, not ProjectPanel ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChangeOptionsObject(project, obj)); FWObject* new_state = cmd->getNewState(); data.saveAll(new_state); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void 
openaisOptionsDialog::reject() { QDialog::reject(); } bool openaisOptionsDialog::validate() { try { InetAddr(m_dialog->openais_address->text().toLatin1().constData()); } catch (FWException &ex) { try { InetAddr(AF_INET6, m_dialog->openais_address->text().toLatin1().constData() ); } catch (FWException &ex) { QMessageBox::critical( this, "Firewall Builder", tr("Invalid IP address '%1'").arg(m_dialog->openais_address->text()), tr("&Continue"), 0, 0, 0 ); return false; } } return true; } fwbuilder-5.3.7/src/libgui/openaisOptionsDialog.h000066400000000000000000000026661303637203600220730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OPENAISOPTIONSDIALOG_H_ #define __OPENAISOPTIONSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class openaisOptionsDialog : public QDialog { Q_OBJECT public: openaisOptionsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~openaisOptionsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::openaisOptionsDialog_q *m_dialog; bool validate(); protected slots: virtual void accept(); virtual void reject(); }; #endif // __OPENAISOPTIONSDIALOG_H_ fwbuilder-5.3.7/src/libgui/openaisoptionsdialog_q.ui000066400000000000000000000117711303637203600226760ustar00rootroot00000000000000 openaisOptionsDialog_q 0 0 402 282 openais protocol settings Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 openais Parameters :/Icons/Options:/Icons/Options Address: Qt::Horizontal 60 20 Port number (udp): 65535 Qt::Horizontal 120 20 Qt::Vertical 20 40 buttonOk buttonCancel tabWidget buttonOk clicked() openaisOptionsDialog_q accept() 316 472 20 20 buttonCancel clicked() openaisOptionsDialog_q reject() 397 472 20 20 fwbuilder-5.3.7/src/libgui/openbsdAdvancedDialog.cpp000066400000000000000000000077101303637203600224670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "openbsdAdvancedDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; openbsdAdvancedDialog::~openbsdAdvancedDialog() { delete m_dialog; } openbsdAdvancedDialog::openbsdAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::openbsdAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); QStringList threeStateMapping; threeStateMapping.push_back(QObject::tr("No change")); threeStateMapping.push_back(""); threeStateMapping.push_back(QObject::tr("On")); threeStateMapping.push_back("1"); threeStateMapping.push_back(QObject::tr("Off")); threeStateMapping.push_back("0"); data.registerOption( m_dialog->openbsd_ip_sourceroute, fwopt, "openbsd_ip_sourceroute", threeStateMapping); data.registerOption( m_dialog->openbsd_ip_redirect, fwopt, "openbsd_ip_redirect", threeStateMapping); data.registerOption( m_dialog->openbsd_ip_directed_broadcast, fwopt, "openbsd_ip_directed_broadcast", threeStateMapping); data.registerOption( m_dialog->openbsd_ip_forward, fwopt, "openbsd_ip_forward", threeStateMapping); data.registerOption( m_dialog->openbsd_ipv6_forward, fwopt, "openbsd_ipv6_forward", threeStateMapping); data.registerOption( m_dialog->openbsd_path_pfctl, fwopt, "openbsd_path_pfctl"); data.registerOption( m_dialog->openbsd_path_sysctl, fwopt, "openbsd_path_sysctl"); data.registerOption(m_dialog->openbsd_data_dir, fwopt, 
"data_dir"); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void openbsdAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt = (Firewall::cast(new_state))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(fwoptions); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void openbsdAdvancedDialog::reject() { QDialog::reject(); } fwbuilder-5.3.7/src/libgui/openbsdAdvancedDialog.h000066400000000000000000000026761303637203600221420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __OPENBSDADVANCEDDIALOG_H_ #define __OPENBSDADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class openbsdAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::openbsdAdvancedDialog_q *m_dialog; public: openbsdAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~openbsdAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); }; #endif // __OPENBSDADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/openbsdadvanceddialog_q.ui000066400000000000000000000362331303637203600227440ustar00rootroot00000000000000 openbsdAdvancedDialog_q Qt::WindowModal 0 0 433 330 OpenBSD: advanced settings 11 2 Options Qt::Vertical QSizePolicy::Fixed 20 20 IPv4 Packet forwarding Qt::AlignCenter false 0 No change On Off Qt::Horizontal QSizePolicy::Expanding 40 20 IPv6 Packet forwarding Qt::AlignCenter false 0 No change On Off Enable directed broadcast Qt::AlignCenter false No change On Off Forward source routed packets Qt::AlignCenter false No change On Off Generate ICMP redirects Qt::AlignCenter false No change On Off Qt::Horizontal QSizePolicy::Fixed 231 20 Qt::Vertical QSizePolicy::Expanding 93 51 Path 6 pfctl: Qt::AlignCenter false 200 0 200 0 sysctl: Qt::AlignCenter false Specify directory path and a file name for the following utilities on the OS your firewall machine is running. Leave these empty if you want to use default values. Qt::AlignCenter true Qt::Vertical QSizePolicy::Expanding 20 40 Qt::Horizontal QSizePolicy::Expanding 40 20 Qt::Horizontal QSizePolicy::Expanding 40 20 Data Qt::Vertical QSizePolicy::Fixed 20 20 Specify directory where data files (e.g. run-time address table) are found on the firewall. 
Qt::AlignCenter true Data directory: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 200 0 Qt::Vertical 20 118 Qt::Horizontal QSizePolicy::Expanding 20 20 &OK true true &Cancel true tabWidget openbsd_ip_forward openbsd_ipv6_forward openbsd_ip_directed_broadcast openbsd_ip_sourceroute openbsd_ip_redirect openbsd_path_pfctl openbsd_path_sysctl buttonOk buttonCancel buttonOk clicked() openbsdAdvancedDialog_q accept() 20 20 20 20 buttonCancel clicked() openbsdAdvancedDialog_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/pagesetupdialog_q.ui000066400000000000000000000106211303637203600216120ustar00rootroot00000000000000 pageSetupDialog_q 0 0 316 235 Page Setup start each section on a new page print header on every page print legend print objects used in rules Scale tables: false 1 200 Qt::Horizontal TextLabel Qt::Vertical 20 38 Qt::Horizontal QSizePolicy::Expanding 40 20 &OK Alt+O true true &Cancel Alt+C false false buttonOk clicked() pageSetupDialog_q accept() 20 20 20 20 buttonCancel clicked() pageSetupDialog_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/pfAdvancedDialog.cpp000066400000000000000000000514311303637203600214410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "pfAdvancedDialog.h" #include "SimpleTextEditor.h" #include "FWWindow.h" #include "Help.h" #include "FWCmdChange.h" #include "CompilerDriver.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; pfAdvancedDialog::pfAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::pfAdvancedDialog_q; m_dialog->setupUi(this); obj=o; QStringList slm; string version = obj->getStr("version"); FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); if (fwbdebug) qDebug("%s", Resources::getTargetOptionStr( obj->getStr("host_OS"),"user_can_change_install_dir").c_str()); if (!Resources::getTargetOptionBool( obj->getStr("host_OS"),"user_can_change_install_dir")) { m_dialog->pf_fw_dir->setEnabled(false); fwopt->setStr("firewall_dir",""); } // see #1888: we now support rc.conf format for the output // Set variables for backwards compatibility for users who configured // custom name for the output .fw script before. 
if (!fwopt->getBool("generate_shell_script") && !fwopt->getBool("generate_rc_conf_file")) { fwopt->setBool("generate_shell_script", true); } if (!Resources::getTargetOptionBool(obj->getStr("host_OS"), "rc_conf_format_supported")) { fwopt->setBool("generate_shell_script", true); fwopt->setBool("generate_rc_conf_file", false); } m_dialog->generateShellScript->setEnabled( Resources::getTargetOptionBool(obj->getStr("host_OS"), "rc_conf_format_supported")); m_dialog->generateRcConfFile->setEnabled( Resources::getTargetOptionBool(obj->getStr("host_OS"), "rc_conf_format_supported")); QString init_script_name = QString::fromUtf8( fwopt->getStr("output_file").c_str()).trimmed(); QString conf_file_name = QString::fromUtf8( fwopt->getStr("conf1_file").c_str()).trimmed(); if (!init_script_name.isEmpty() && conf_file_name.isEmpty()) { conf_file_name = fwcompiler::CompilerDriver::getConfFileNameFromFwFileName( init_script_name, ".conf"); fwopt->setStr("conf1_file", conf_file_name.toUtf8().constData()); } data.registerOption(m_dialog->ipv4before, fwopt, "ipv4_6_order", QStringList() << tr("IPv4 before IPv6") <<"ipv4_first" << tr("IPv6 before IPv4") << "ipv6_first"); data.registerOption( m_dialog->pf_log_prefix,fwopt, "log_prefix"); data.registerOption( m_dialog->pf_fallback_log,fwopt, "fallback_log"); data.registerOption( m_dialog->pf_do_timeout_interval, fwopt, "pf_do_timeout_interval"); data.registerOption( m_dialog->pf_timeout_interval, fwopt, "pf_timeout_interval"); data.registerOption( m_dialog->pf_do_timeout_frag,fwopt, "pf_do_timeout_frag"); data.registerOption( m_dialog->pf_timeout_frag,fwopt, "pf_timeout_frag"); data.registerOption( m_dialog->pf_do_limit_frags,fwopt, "pf_do_limit_frags"); data.registerOption( m_dialog->pf_limit_frags,fwopt, "pf_limit_frags"); data.registerOption( m_dialog->pf_do_limit_states,fwopt, "pf_do_limit_states"); data.registerOption( m_dialog->pf_limit_states,fwopt, "pf_limit_states"); data.registerOption( m_dialog->pf_do_limit_src_nodes,fwopt, 
"pf_do_limit_src_nodes"); data.registerOption( m_dialog->pf_limit_src_nodes, fwopt, "pf_limit_src_nodes"); data.registerOption( m_dialog->pf_do_limit_tables, fwopt, "pf_do_limit_tables"); data.registerOption( m_dialog->pf_limit_tables,fwopt, "pf_limit_tables"); data.registerOption( m_dialog->pf_do_limit_table_entries,fwopt, "pf_do_limit_table_entries"); data.registerOption( m_dialog->pf_limit_table_entries,fwopt,"pf_limit_table_entries"); // Prepare mapping for pf_optimization: slm.clear(); slm.push_back(""); slm.push_back(""); slm.push_back(QObject::tr("Aggressive")); slm.push_back("aggressive"); slm.push_back(QObject::tr("Conservative")); slm.push_back("conservative"); slm.push_back(QObject::tr("For high latency")); slm.push_back("high-latency"); slm.push_back(QObject::tr("Normal")); slm.push_back("normal"); m_dialog->pf_optimization->clear(); m_dialog->pf_optimization->addItems(getScreenNames(slm)); data.registerOption( m_dialog->pf_optimization, fwopt, "pf_optimization", slm); // Prepare state_policy combo box slm.clear(); slm.push_back(""); slm.push_back(""); slm.push_back(QObject::tr("Bound to interfaces")); slm.push_back("if-bound"); slm.push_back(QObject::tr("Floating")); slm.push_back("floating"); m_dialog->pf_state_policy->clear(); m_dialog->pf_state_policy->addItems(getScreenNames(slm)); data.registerOption( m_dialog->pf_state_policy, fwopt, "pf_state_policy", slm); m_dialog->pf_state_policy->setEnabled( XMLTools::version_compare(version, "3.5") >= 0); // Prepare block_policy combo box slm.clear(); slm.push_back(""); slm.push_back(""); slm.push_back(QObject::tr("Drop")); slm.push_back("drop"); slm.push_back(QObject::tr("Return")); slm.push_back("return"); m_dialog->pf_block_policy->clear(); m_dialog->pf_block_policy->addItems(getScreenNames(slm)); data.registerOption( m_dialog->pf_block_policy, fwopt, "pf_block_policy", slm); m_dialog->pf_block_policy->setEnabled( XMLTools::version_compare(version, "3.5") >= 0); // set debug combo box slm.clear(); 
slm.push_back(""); slm.push_back(""); slm.push_back("emerg"); slm.push_back("emerg"); slm.push_back("alert"); slm.push_back("alert"); slm.push_back("crit"); slm.push_back("crit"); slm.push_back("err"); slm.push_back("err"); slm.push_back("warning"); slm.push_back("warning"); slm.push_back("notice"); slm.push_back("notice"); slm.push_back("info"); slm.push_back("info"); slm.push_back("debug"); slm.push_back("debug"); m_dialog->pf_set_debug->clear(); m_dialog->pf_set_debug->addItems(getScreenNames(slm)); data.registerOption( m_dialog->pf_set_debug, fwopt, "pf_set_debug", slm); m_dialog->pf_set_debug->setEnabled( XMLTools::version_compare(version, "3.5") >= 0); data.registerOption( m_dialog->pf_check_shadowing,fwopt, "check_shading"); data.registerOption( m_dialog->pf_preserve_group_names, fwopt, "preserve_group_names"); data.registerOption( m_dialog->pf_ignore_empty_groups,fwopt, "ignore_empty_groups"); // data.registerOption( pf_use_tables, fwopt, "use_tables"); data.registerOption( m_dialog->pf_accept_new_tcp_with_no_syn,fwopt, "accept_new_tcp_with_no_syn"); data.registerOption( m_dialog->pf_modulate_state,fwopt, "pf_modulate_state"); data.registerOption( m_dialog->pf_scrub_random_id,fwopt, "pf_scrub_random_id"); data.registerOption( m_dialog->pf_do_scrub,fwopt, "pf_do_scrub"); // radio buttons // the following pf_scrub options are available in PF <= 4.5 data.registerOption( m_dialog->pf_scrub_reassemble, fwopt, "pf_scrub_reassemble"); data.registerOption( m_dialog->pf_scrub_fragm_crop, fwopt, "pf_scrub_fragm_crop"); data.registerOption( m_dialog->pf_scrub_fragm_drop_ovl, fwopt, "pf_scrub_fragm_drop_ovl"); // pf_scrub_reassemble_tcp is available in all versions data.registerOption( m_dialog->pf_scrub_reassemble_tcp, fwopt, "pf_scrub_reassemble_tcp"); data.registerOption( m_dialog->pf_scrub_use_minttl, fwopt, "pf_scrub_use_minttl"); data.registerOption( m_dialog->pf_scrub_use_maxmss, fwopt, "pf_scrub_use_maxmss"); data.registerOption( 
m_dialog->pf_scrub_maxmss,fwopt, "pf_scrub_maxmss"); data.registerOption( m_dialog->pf_scrub_minttl,fwopt, "pf_scrub_minttl"); data.registerOption( m_dialog->pf_scrub_no_df,fwopt, "pf_scrub_no_df"); data.registerOption( m_dialog->pf_fw_dir,fwopt, "firewall_dir"); data.registerOption( m_dialog->pf_user,fwopt, "admUser"); data.registerOption( m_dialog->altAddress,fwopt, "altAddress"); data.registerOption( m_dialog->sshArgs, fwopt, "sshArgs"); data.registerOption( m_dialog->scpArgs, fwopt, "scpArgs"); data.registerOption( m_dialog->activationCmd, fwopt, "activationCmd"); data.registerOption( m_dialog->pf_manage_virtual_addr, fwopt, "manage_virtual_addr"); data.registerOption( m_dialog->pf_configure_interfaces, fwopt, "configure_interfaces"); data.registerOption( m_dialog->pf_configure_carp_interfaces, fwopt, "configure_carp_interfaces"); data.registerOption( m_dialog->pf_configure_pfsync_interfaces, fwopt, "configure_pfsync_interfaces"); data.registerOption( m_dialog->pf_configure_vlan_interfaces, fwopt, "configure_vlan_interfaces"); data.registerOption( m_dialog->pf_configure_bridge_interfaces, fwopt, "configure_bridge_interfaces"); data.registerOption( m_dialog->pf_debug,fwopt, "debug"); data.registerOption( m_dialog->pf_flush_states, fwopt, "pf_flush_states"); data.registerOption( m_dialog->compiler,fwopt, "compiler"); data.registerOption( m_dialog->compilerArgs,fwopt, "cmdline"); data.registerOption( m_dialog->generateShellScript, fwopt, "generate_shell_script"); data.registerOption( m_dialog->generateRcConfFile, fwopt, "generate_rc_conf_file"); data.registerOption( m_dialog->outputFileName, fwopt, "output_file"); data.registerOption( m_dialog->confFileName, fwopt, "conf1_file"); data.registerOption( m_dialog->fileNameOnFw, fwopt, "script_name_on_firewall"); data.registerOption( m_dialog->confFileNameOnFw, fwopt, "conf_file_name_on_firewall"); data.registerOption( m_dialog->mgmt_ssh,fwopt, "mgmt_ssh"); data.registerOption( m_dialog->mgmt_addr,fwopt, "mgmt_addr"); 
data.registerOption( m_dialog->pf_set_tcp_first, fwopt, "pf_set_tcp_first"); data.registerOption( m_dialog->pf_tcp_first, fwopt, "pf_tcp_first"); data.registerOption( m_dialog->pf_set_tcp_opening, fwopt, "pf_set_tcp_opening"); data.registerOption( m_dialog->pf_tcp_opening, fwopt, "pf_tcp_opening"); data.registerOption( m_dialog->pf_set_tcp_established, fwopt, "pf_set_tcp_established"); data.registerOption( m_dialog->pf_tcp_established, fwopt, "pf_tcp_established"); data.registerOption( m_dialog->pf_set_tcp_closing, fwopt, "pf_set_tcp_closing"); data.registerOption( m_dialog->pf_tcp_closing, fwopt, "pf_tcp_closing"); data.registerOption( m_dialog->pf_set_tcp_finwait, fwopt, "pf_set_tcp_finwait"); data.registerOption( m_dialog->pf_tcp_finwait, fwopt, "pf_tcp_finwait"); data.registerOption( m_dialog->pf_set_tcp_closed, fwopt, "pf_set_tcp_closed"); data.registerOption( m_dialog->pf_tcp_closed, fwopt, "pf_tcp_closed"); data.registerOption( m_dialog->pf_set_udp_first, fwopt, "pf_set_udp_first"); data.registerOption( m_dialog->pf_udp_first, fwopt, "pf_udp_first"); data.registerOption( m_dialog->pf_set_udp_single, fwopt, "pf_set_udp_single"); data.registerOption( m_dialog->pf_udp_single, fwopt, "pf_udp_single"); data.registerOption( m_dialog->pf_set_udp_multiple, fwopt, "pf_set_udp_multiple"); data.registerOption( m_dialog->pf_udp_multiple, fwopt, "pf_udp_multiple"); data.registerOption( m_dialog->pf_set_icmp_first, fwopt, "pf_set_icmp_first"); data.registerOption( m_dialog->pf_icmp_first, fwopt, "pf_icmp_first"); data.registerOption( m_dialog->pf_set_icmp_error, fwopt, "pf_set_icmp_error"); data.registerOption( m_dialog->pf_icmp_error, fwopt, "pf_icmp_error"); data.registerOption( m_dialog->pf_set_other_first, fwopt, "pf_set_other_first"); data.registerOption( m_dialog->pf_other_first, fwopt, "pf_other_first"); data.registerOption( m_dialog->pf_set_other_single, fwopt, "pf_set_other_single"); data.registerOption( m_dialog->pf_other_single, fwopt, "pf_other_single"); 
data.registerOption( m_dialog->pf_set_other_multiple, fwopt, "pf_set_other_multiple"); data.registerOption( m_dialog->pf_other_multiple, fwopt, "pf_other_multiple"); data.registerOption( m_dialog->pf_set_adaptive, fwopt, "pf_set_adaptive"); data.registerOption( m_dialog->pf_adaptive_start, fwopt, "pf_adaptive_start"); data.registerOption( m_dialog->pf_adaptive_end, fwopt, "pf_adaptive_end"); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); m_dialog->installScript->setText( pis->getCommand().c_str()); m_dialog->installScriptArgs->setText( pis->getArguments().c_str()); /* page "Prolog/Epilog" */ QStringList prologPlaces_pf; prologPlaces_pf.push_back(QObject::tr("in the activation shell script")); prologPlaces_pf.push_back("fw_file"); prologPlaces_pf.push_back(QObject::tr("in the pf rule file, at the very top")); prologPlaces_pf.push_back("pf_file_top"); prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after set comamnds")); prologPlaces_pf.push_back("pf_file_after_set"); prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after scrub comamnds")); prologPlaces_pf.push_back("pf_file_after_scrub"); prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after table definitions")); prologPlaces_pf.push_back("pf_file_after_tables"); m_dialog->prologPlace->clear(); m_dialog->prologPlace->addItems(getScreenNames(prologPlaces_pf)); data.registerOption( m_dialog->prologPlace, fwopt, "prolog_place", prologPlaces_pf); data.registerOption( m_dialog->prolog_script, fwopt, "prolog_script"); data.registerOption( m_dialog->epilog_script, fwopt, "epilog_script"); data.loadAll(); doScrubToggled(); ltToggled(); m_dialog->tabWidget->setCurrentIndex(0); } pfAdvancedDialog::~pfAdvancedDialog() { delete m_dialog; } void pfAdvancedDialog::doScrubToggled() { string version = obj->getStr("version"); bool f_old_reassemble = m_dialog->pf_do_scrub->isChecked(); bool f_reassemble_tcp = f_old_reassemble; if (XMLTools::version_compare(version, "4.6")>=0) 
f_old_reassemble = false; m_dialog->pf_scrub_reassemble->setEnabled(f_old_reassemble); m_dialog->pf_scrub_fragm_crop->setEnabled(f_old_reassemble); m_dialog->pf_scrub_fragm_drop_ovl->setEnabled(f_old_reassemble); m_dialog->pf_scrub_reassemble_tcp->setEnabled(f_reassemble_tcp); if (!m_dialog->pf_scrub_reassemble->isChecked() && !m_dialog->pf_scrub_fragm_crop->isChecked() && !m_dialog->pf_scrub_fragm_drop_ovl->isChecked() && !m_dialog->pf_scrub_reassemble_tcp->isChecked()) { m_dialog->pf_scrub_reassemble_tcp->setChecked(true); } } void pfAdvancedDialog::ltToggled() { m_dialog->pf_limit_frags->setEnabled( m_dialog->pf_do_limit_frags->isChecked()); m_dialog->pf_limit_states->setEnabled( m_dialog->pf_do_limit_states->isChecked()); m_dialog->pf_limit_src_nodes->setEnabled( m_dialog->pf_do_limit_src_nodes->isChecked()); m_dialog->pf_limit_tables->setEnabled( m_dialog->pf_do_limit_tables->isChecked()); m_dialog->pf_limit_table_entries->setEnabled( m_dialog->pf_do_limit_table_entries->isChecked()); m_dialog->pf_timeout_interval->setEnabled( m_dialog->pf_do_timeout_interval->isChecked()); m_dialog->pf_timeout_frag->setEnabled( m_dialog->pf_do_timeout_frag->isChecked()); m_dialog->pf_tcp_first->setEnabled( m_dialog->pf_set_tcp_first->isChecked()); m_dialog->pf_tcp_opening->setEnabled( m_dialog->pf_set_tcp_opening->isChecked()); m_dialog->pf_tcp_established->setEnabled( m_dialog->pf_set_tcp_established->isChecked()); m_dialog->pf_tcp_closing->setEnabled( m_dialog->pf_set_tcp_closing->isChecked()); m_dialog->pf_tcp_finwait->setEnabled( m_dialog->pf_set_tcp_finwait->isChecked()); m_dialog->pf_tcp_closed->setEnabled( m_dialog->pf_set_tcp_closed->isChecked()); m_dialog->pf_udp_first->setEnabled( m_dialog->pf_set_udp_first->isChecked()); m_dialog->pf_udp_single->setEnabled( m_dialog->pf_set_udp_single->isChecked()); m_dialog->pf_udp_multiple->setEnabled( m_dialog->pf_set_udp_multiple->isChecked()); m_dialog->pf_icmp_first->setEnabled( m_dialog->pf_set_icmp_first->isChecked()); 
m_dialog->pf_icmp_error->setEnabled( m_dialog->pf_set_icmp_error->isChecked()); m_dialog->pf_other_first->setEnabled( m_dialog->pf_set_other_first->isChecked()); m_dialog->pf_other_single->setEnabled( m_dialog->pf_set_other_single->isChecked()); m_dialog->pf_other_multiple->setEnabled( m_dialog->pf_set_other_multiple->isChecked()); m_dialog->pf_adaptive_start->setEnabled( m_dialog->pf_set_adaptive->isChecked()); m_dialog->pf_adaptive_end->setEnabled( m_dialog->pf_set_adaptive->isChecked()); } /* * store all data in the object */ void pfAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt = (Firewall::cast(new_state))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(fwoptions); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); pis->setCommand( m_dialog->installScript->text().toLatin1().constData()); pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData()); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void pfAdvancedDialog::reject() { QDialog::reject(); } void pfAdvancedDialog::editProlog() { SimpleTextEditor edt(this, m_dialog->prolog_script->toPlainText(), true, tr( "Script Editor")); if ( edt.exec() == QDialog::Accepted) m_dialog->prolog_script->setText( edt.text()); } void pfAdvancedDialog::editEpilog() { SimpleTextEditor edt(this, m_dialog->epilog_script->toPlainText(), true, tr( "Script Editor")); if ( edt.exec() == QDialog::Accepted) m_dialog->epilog_script->setText( edt.text()); } void pfAdvancedDialog::help() { QString tab_title = m_dialog->tabWidget->tabText( m_dialog->tabWidget->currentIndex()); QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower(); Help *h = 
Help::getHelpWindow(this); h->setName("Firewall platform: pf"); h->setSource(QUrl("pfAdvancedDialog.html#" + anchor)); h->raise(); h->show(); } fwbuilder-5.3.7/src/libgui/pfAdvancedDialog.h000066400000000000000000000030411303637203600211000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PFADVANCEDDIALOG_H_ #define __PFADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class pfAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::pfAdvancedDialog_q *m_dialog; public: pfAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~pfAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); virtual void doScrubToggled(); virtual void ltToggled(); virtual void editProlog(); virtual void editEpilog(); }; #endif // __PFADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/pfadvanceddialog_q.ui000066400000000000000000002747321303637203600217270ustar00rootroot00000000000000 pfAdvancedDialog_q Qt::WindowModal 0 0 700 600 700 16777215 pf: advanced settings false 20 Help Qt::Horizontal QSizePolicy::Expanding 331 27 &OK true true &Cancel true 663 0 0 Compiler Compiler: 
Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 32767 22 0 0 Command line options for the compiler: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 32767 22 Names of generated files Initialization script name (can be full path): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 32767 22 PF configuration file name (can be full path): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 32767 22 0 0 (if left blank, the file name is constructed of the firewall object name and extension ".fw" or ".conf" depending on the format) Qt::AlignVCenter true Names of the files on the firewall false Initialization script and PF configuration file can be copied to the firewall machine under different names. If these fields are left blank, the file name does not change. true Initialization script name on the firewall 32767 22 PF configuration file name on the firewall 32767 22 false Accept TCP sessions opened prior to firewall restart 0 0 Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. Detect rule shadowing 0 0 Modulate state for all stateful rules (applies only to TCP services) 0 0 If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works! Ignore empty groups Preserve group and address table obects names in the generated pf configuration 9 9 0 0 Always permit ssh access from the management workstation with this address: 0 0 32767 22 Qt::Vertical 20 11 Scrub Qt::Vertical QSizePolicy::Fixed 20 20 Clears the don't fragment bit from the IP packet header. 
Clear DF bit Replaces the IP identification field of outgoing packets with random values to compensate for operating systems that use predictable values. Use random ID Enforce Minimum TTL: Enforces a minimum Time To Live (TTL) in IP packet headers. 0 100 1 Qt::Horizontal 328 20 Enforce Maximum MSS: Enforces a maximum Maximum Segment Size (MSS) in TCP packet headers. 536 10000 1460 Qt::Horizontal QSizePolicy::Expanding 140 20 QFrame::HLine QFrame::Sunken Qt::Horizontal Reassemble fragments 0 0 6 0 0 Buffers incoming packet fragments and reassembles them into a complete packet before passing them to the filter engine. In PF 4.5 and earlier. Buffer and reassemble fragments (default) 0 0 Causes duplicate fragments to be dropped and any overlaps to be cropped. In PF 4.5 and earlier. Drop duplicate fragments, do not buffer and reassemble 0 0 Similar to 'Drop duplicate fragments' except that all duplicate or overlapping fragments will be dropped as well as any further corresponding fragments. In PF 4.5 and earlier. Drop duplicate and subsequent fragments Statefully normalises TCP connections. Reassemble TCP Qt::Vertical QSizePolicy::Expanding 20 110 Options Limits reassembly pool: 0 0 maximum number of entries in the memory pool used for packet reassembly 0 100000000 10 5000 state table size: 0 0 maximum number of entries in the memory pool used for state table entries 0 100000000 10 20000 src-nodes 0 0 maximum number of entries in the memory pool used for tracking source IP addresses 0 100000000 10 2000 tables 0 0 maximum number of tables that can exist in the memory simultaneously 0 100000000 10 1000 table-entries 0 0 maximum number of addresses that canbe stored in tables 0 100000000 10 100000 Options Optimization: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false Optimize state timeouts. See man pf.conf for more details. Debug: Set the debug level, which limits the severity of log messages printed by pf(4). 
This should be a keyword from the following ordered list (highest to lowest): emerg, alert, crit, err, warning, notice, info, and debug. The last keyword, debug, must be quoted. These keywords correspond to the similar (LOG_) values specified to the syslog(3) library routine. State policy: States can be bound to interfaces or match packets on any interface. The latter can be useful in case of an assymmetric routing. Block policy: The block-policy option sets the default behaviour for the packet block action: drop Packet is silently dropped. return A TCP RST is returned for blocked TCP packets, an ICMP UNREACHABLE is returned for blocked UDP packets, and all other packets are silently dropped. drop return Qt::Vertical 20 308 Timeouts When a packet matches a stateful connection, the seconds to live for the connection will be updated to the value which corresponds to the connection state. Qt::AlignVCenter true 0 0 TCP 6 0 0 first 0 0 The state after the first packet. 0 100000 0 opening 0 0 The state before the destination host ever sends a packet. 0 100000 0 established 0 0 The fully established state. 0 100000 1 0 0 0 The state after the first FIN has been sent. 0 100000 0 closing 0 0 The state after both FINs have been exchanged and the connection is closed. 0 100000 0 finwait 0 0 The state after one endpoint sends an RST. 0 100000 0 closed UDP 6 first 0 0 The state after the first packet. 0 100000 0 single 0 0 The state if the source host sends more than one packet but the destination host has never sent one back. 0 100000 0 multiple 0 0 The state if both hosts have sent packets. 0 100000 0 Other Protocols 6 0 0 first 0 0 The state after the first packet. 0 100000 0 single multiple 0 0 The state after the first packet. 0 100000 0 0 0 The state after the first packet. 0 100000 0 ICMP 6 0 0 The state after the first packet. 0 100000 0 0 0 The state after an ICMP error came back in response to an ICMP packet. 
0 100000 0 first error Adaptive scaling Timeout values can be reduced adaptively as the number of state table entries grows (see man page pf.conf(5) for details) Qt::AlignVCenter true Activate adaptive timeout scaling 0 0 adaptive start false 0 0 When the number of state entries exceeds this value, adaptive scaling begins. 0 100000000 0 0 0 adaptive end false 0 0 When reaching this number of state entries, all timeout values become zero, effectively purging all state entries immediately. 0 100000000 0 Qt::Horizontal QSizePolicy::Expanding 40 20 Fragments translates into 'set timeout interval' interval between purging expired states and fragments 0 0 translates into 'set timeout interval' 1 1000 10 Qt::Horizontal 206 20 translates into 'set timeout frag' seconds before an unassembled fragment is expired 0 0 translates into 'set timeout frag' 1 1000 30 Qt::Vertical QSizePolicy::Expanding 20 20 Installer 20 Built-in installer Directory on the firewall where script should be installed Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 User name used to authenticate to the firewall (leave this empty if you use putty session): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 0 0 A command that installer should execute on the firewall in order to activate the policy (if this field is blank, installer runs firewall script in the directory specified above; it uses sudo if user name is not 'root') Qt::AlignVCenter true 0 0 Additional command line parameters for ssh false 0 0 300 0 Additional command line parameters for scp false 0 0 300 0 External install script 0 0 Policy install script (using built-in installer if this field is blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 0 0 Command line options for the script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 300 0 
Qt::Vertical QSizePolicy::Expanding 20 80 Prolog/Epilog 20 12 20 20 20 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 Qt::ScrollBarAlwaysOn Qt::ScrollBarAlwaysOff The following commands will be added verbatim after generated configuration Qt::AlignVCenter true 6 Edit Qt::ScrollBarAlwaysOn Qt::ScrollBarAlwaysOff The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true Insert prolog and epilog scripts false 0 0 in the activation shell script (.fw file) in the pf rule file (.conf file) Qt::Horizontal QSizePolicy::Expanding 40 20 Qt::Horizontal QSizePolicy::Expanding 410 20 Logging 20 12 20 20 20 Qt::Vertical QSizePolicy::Fixed 20 20 Log Prefix Qt::AlignCenter false Qt::Horizontal QSizePolicy::Fixed 70 20 Qt::Horizontal QSizePolicy::Expanding 130 20 Qt::Vertical QSizePolicy::Expanding 20 320 Fallback "deny all" rule should log blocked packets Script Qt::Vertical QSizePolicy::Fixed 20 20 System configuration and firewall initialization script format false Firewall Builder can generate system configuration and initialization script for PF in two formats: this can either be a shell script or a file in rc.conf format. Rc.conf format is only supported for FreeBSD. 
true shell script with extension .fw file in rc.conf format Enable auxiliary sections in the generated script Turn debugging on in generated script Configure Interfaces of the firewall machine Configure CARP Interfaces Configure pfsync Interfaces Configure VLAN Interfaces 0 0 Configure bridge Interfaces Add virtual addresses for NAT Flush pf states after reloading rules Qt::Vertical QSizePolicy::Expanding 20 230 IPv6 20 The order in which ipv4 and ipv6 rules should be generated: Qt::Horizontal 40 20 IPv4 before IPv6 IPv6 before IPv4 Qt::Vertical 20 40 pf_configure_carp_interfaces pf_configure_pfsync_interfaces pf_configure_vlan_interfaces pf_manage_virtual_addr pf_flush_states ipv4before buttonCancel buttonOk buttonHelp tabWidget compiler compilerArgs outputFileName confFileName fileNameOnFw confFileNameOnFw pf_accept_new_tcp_with_no_syn pf_modulate_state pf_check_shadowing pf_ignore_empty_groups mgmt_ssh mgmt_addr pf_scrub_no_df pf_scrub_random_id pf_scrub_use_minttl pf_scrub_minttl pf_scrub_use_maxmss pf_scrub_maxmss pf_do_scrub pf_scrub_reassemble pf_scrub_fragm_crop pf_scrub_fragm_drop_ovl pf_scrub_reassemble_tcp pf_set_tcp_first pf_tcp_first pf_set_tcp_opening pf_tcp_opening pf_set_tcp_established pf_tcp_established pf_set_tcp_closing pf_tcp_closing pf_set_tcp_finwait pf_tcp_finwait pf_set_tcp_closed pf_tcp_closed pf_set_udp_first pf_udp_first pf_set_udp_single pf_udp_single pf_set_udp_multiple pf_udp_multiple pf_set_adaptive pf_adaptive_start pf_adaptive_end pf_set_icmp_first pf_icmp_first pf_set_icmp_error pf_icmp_error pf_set_other_first pf_other_first pf_set_other_single pf_other_single pf_set_other_multiple pf_other_multiple pf_do_timeout_interval pf_timeout_interval pf_do_timeout_frag pf_timeout_frag pf_fw_dir pf_user altAddress activationCmd sshArgs scpArgs installScript installScriptArgs prologPlace prolog_script edit_prolog_button epilog_script edit_epilog_button pf_log_prefix pf_fallback_log generateShellScript generateRcConfFile pf_debug 
pf_configure_interfaces buttonOk clicked() pfAdvancedDialog_q accept() 20 20 20 20 buttonCancel clicked() pfAdvancedDialog_q reject() 20 20 20 20 pf_set_tcp_first toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_tcp_opening toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_tcp_established toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_tcp_closing toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_tcp_finwait toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_tcp_closed toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_udp_first toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_udp_single toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_udp_multiple toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_icmp_first toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_icmp_error toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_other_first toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_other_single toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_other_multiple toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 pf_set_adaptive toggled(bool) pfAdvancedDialog_q ltToggled() 20 20 20 20 edit_epilog_button clicked() pfAdvancedDialog_q editEpilog() 20 20 20 20 edit_prolog_button clicked() pfAdvancedDialog_q editProlog() 20 20 20 20 buttonHelp clicked() pfAdvancedDialog_q help() 47 638 345 330 pf_do_limit_frags clicked() pfAdvancedDialog_q ltToggled() 156 100 349 299 pf_do_limit_src_nodes clicked() pfAdvancedDialog_q ltToggled() 156 154 349 299 pf_do_limit_states clicked() pfAdvancedDialog_q ltToggled() 156 127 349 299 pf_do_limit_table_entries clicked() pfAdvancedDialog_q ltToggled() 156 208 349 299 pf_do_limit_tables clicked() pfAdvancedDialog_q ltToggled() 156 181 349 299 pf_do_scrub toggled(bool) pfAdvancedDialog_q doScrubToggled() 20 20 20 20 ltToggled() 
fwbuilder-5.3.7/src/libgui/pfsyncOptionsDialog.cpp000066400000000000000000000042601303637203600222620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "pfsyncOptionsDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Cluster.h" #include #include #include using namespace std; using namespace libfwbuilder; pfsyncOptionsDialog::pfsyncOptionsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::pfsyncOptionsDialog_q; m_dialog->setupUi(this); obj = o; FWOptions *gropt = FWOptions::cast(obj); assert(gropt != NULL); data.registerOption(m_dialog->syncpeer, gropt, "syncpeer"); data.loadAll(); } pfsyncOptionsDialog::~pfsyncOptionsDialog() { delete m_dialog; } void pfsyncOptionsDialog::accept() { if (!validate()) return; // the parent of this dialog is InterfaceDialog, not ProjectPanel ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChangeOptionsObject(project, obj)); FWObject* new_state = cmd->getNewState(); data.saveAll(new_state); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void pfsyncOptionsDialog::reject() { 
QDialog::reject(); } bool pfsyncOptionsDialog::validate() { return true; } fwbuilder-5.3.7/src/libgui/pfsyncOptionsDialog.h000066400000000000000000000026561303637203600217360ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PFSYNCOPTIONSDIALOG_H_ #define __PFSYNCOPTIONSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class pfsyncOptionsDialog : public QDialog { Q_OBJECT public: pfsyncOptionsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~pfsyncOptionsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::pfsyncOptionsDialog_q *m_dialog; bool validate(); protected slots: virtual void accept(); virtual void reject(); }; #endif // __PFSYNCOPTIONSDIALOG_H_ fwbuilder-5.3.7/src/libgui/pfsyncoptionsdialog_q.ui000066400000000000000000000106171303637203600225400ustar00rootroot00000000000000 pfsyncOptionsDialog_q 0 0 405 242 pfsync protocol settings Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 pfsync Parameters :/Icons/Options:/Icons/Options 0 0 By default pfsync updates are multicast on the local network. This option overrides that behavior and instead unicasts the update to the specified peer. 
true Use unicast address to communicate with the peer Qt::Vertical 20 40 buttonOk buttonCancel tabWidget buttonOk clicked() pfsyncOptionsDialog_q accept() 316 472 20 20 buttonCancel clicked() pfsyncOptionsDialog_q reject() 397 472 20 20 fwbuilder-5.3.7/src/libgui/physaddressdialog_q.ui000066400000000000000000000117221303637203600221510ustar00rootroot00000000000000 PhysAddressDialog_q true 0 0 746 208 physAddress QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 Physical address (MAC): false 0 0 Qt::Vertical 20 70 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name pAddress obj_name editingFinished() PhysAddressDialog_q changed() 20 20 20 20 pAddress editingFinished() PhysAddressDialog_q changed() 20 20 20 20
fwbuilder-5.3.7/src/libgui/pixAdvancedDialog.cpp000066400000000000000000001063441303637203600216400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "pixAdvancedDialog.h" #include "SimpleTextEditor.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "CompilerDriver_pix.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Interface.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; pixAdvancedDialog::pixAdvancedDialog(QWidget*parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::pixAdvancedDialog_q; m_dialog->setupUi(static_cast(this)); obj = o; string version = obj->getStr("version"); string vers = "version_" + obj->getStr("version"); string platform = obj->getStr("platform"); // could be 'pix' or 'fwsm' QString s; QStringList logLevels; QStringList logLevelMapping; // logLevelMapping.push_back(""); // 
logLevelMapping.push_back(""); /* filling pop-down menu and pushing the same strings to the mapping * list at the same time so we could use translation */ s=QObject::tr("0 - System Unusable"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("0"); s=QObject::tr("1 - Take Immediate Action"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("1"); s=QObject::tr("2 - Critical Condition"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("2"); s=QObject::tr("3 - Error Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("3"); s=QObject::tr("4 - Warning Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("4"); s=QObject::tr("5 - Normal but significant condition"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("5"); s=QObject::tr("6 - Informational"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("6"); s=QObject::tr("7 - Debug Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("7"); /* do not need to translate syslog facilities, but will use the same * method just in case */ QStringList syslogFacilities; QStringList syslogFacilityMapping; syslogFacilities.push_back(""); syslogFacilityMapping.push_back(""); syslogFacilityMapping.push_back(""); syslogFacilities.push_back("LOCAL0"); syslogFacilityMapping.push_back("LOCAL0"); syslogFacilityMapping.push_back("16"); syslogFacilities.push_back("LOCAL1"); syslogFacilityMapping.push_back("LOCAL1"); syslogFacilityMapping.push_back("17"); syslogFacilities.push_back("LOCAL2"); syslogFacilityMapping.push_back("LOCAL2"); syslogFacilityMapping.push_back("18"); syslogFacilities.push_back("LOCAL3"); syslogFacilityMapping.push_back("LOCAL3"); syslogFacilityMapping.push_back("19"); syslogFacilities.push_back("LOCAL4"); syslogFacilityMapping.push_back("LOCAL4"); 
syslogFacilityMapping.push_back("20"); syslogFacilities.push_back("LOCAL5"); syslogFacilityMapping.push_back("LOCAL5"); syslogFacilityMapping.push_back("21"); syslogFacilities.push_back("LOCAL6"); syslogFacilityMapping.push_back("LOCAL6"); syslogFacilityMapping.push_back("22"); syslogFacilities.push_back("LOCAL7"); syslogFacilityMapping.push_back("LOCAL7"); syslogFacilityMapping.push_back("23"); FWOptions *fwoptions = (Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); /* Page Script */ bool f1=fwoptions->getBool("pix_acl_basic"); bool f2=fwoptions->getBool("pix_acl_no_clear"); bool f3=fwoptions->getBool("pix_acl_substitution"); bool f4=fwoptions->getBool("pix_add_clear_statements"); /* * If none of the new pix_acl_* options is set and old pix_add_clear_statements * option is true, set pix_acl_basic to true. * * If old option pix_add_clear_statements iss false, set * pix_acl_no_clear to true */ if (!f1 && !f2 && !f3) { if ( f4 ) fwoptions->setBool("pix_acl_basic",true); else fwoptions->setBool("pix_acl_no_clear",true); } Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); data.registerOption( m_dialog->short_script, fwoptions, "short_script"); /* Page "Compiler Options" */ bool outboundACLSupported= (Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/" + vers + "/pix_outbound_acl_supported")); if (outboundACLSupported) m_dialog->pix_emulate_out_acl->hide(); else m_dialog->pix_generate_out_acl->hide(); m_dialog->tabWidget->setTabEnabled(9,false); //Disable tab data.registerOption(m_dialog->ipv4before_2, fwoptions, "ipv4_6_order", QStringList() << tr("IPv4 before IPv6") <<"ipv4_first" << tr("IPv6 before IPv4") << "ipv6_first"); data.registerOption( m_dialog->outputFileName, fwoptions, "output_file"); data.registerOption( m_dialog->pix_assume_fw_part_of_any, fwoptions, "pix_assume_fw_part_of_any"); if (XMLTools::version_compare(version, "8.3") >= 0) { 
m_dialog->pix_replace_natted_objects->setChecked(false); m_dialog->pix_replace_natted_objects->setEnabled(false); } else { m_dialog->pix_replace_natted_objects->setEnabled(true); data.registerOption( m_dialog->pix_replace_natted_objects, fwoptions, "pix_replace_natted_objects"); } data.registerOption( m_dialog->pix_emulate_out_acl, fwoptions, "pix_emulate_out_acl"); data.registerOption( m_dialog->pix_generate_out_acl, fwoptions, "pix_generate_out_acl"); data.registerOption( m_dialog->pix_acl_basic, fwoptions, "pix_acl_basic"); /* data.registerOption( m_dialog->pix_acl_alwaysNew, fwoptions, "pix_acl_always_new"); */ data.registerOption( m_dialog->pix_acl_no_clear, fwoptions, "pix_acl_no_clear"); data.registerOption( m_dialog->pix_acl_substitution, fwoptions, "pix_acl_substitution"); data.registerOption( m_dialog->pix_acl_temp_addr, fwoptions, "pix_acl_temp_addr"); data.registerOption( m_dialog->pix_include_comments, fwoptions, "pix_include_comments"); data.registerOption( m_dialog->pix_use_acl_remarks, fwoptions, "pix_use_acl_remarks"); data.registerOption( m_dialog->pix_regroup_commands, fwoptions, "pix_regroup_commands"); data.registerOption( m_dialog->pix_use_manual_commit, fwoptions, "pix_use_manual_commit"); m_dialog->pix_use_manual_commit->setEnabled(platform=="fwsm"); /* data.registerOption( m_dialog->pix_add_clear_statements, fwoptions, "pix_add_clear_statements"); */ data.registerOption( m_dialog->pix_optimize_default_nat, fwoptions, "pix_optimize_default_nat"); data.registerOption( m_dialog->pix_check_shadowing, fwoptions, "check_shading"); data.registerOption( m_dialog->pix_ignore_empty_groups, fwoptions, "ignore_empty_groups"); data.registerOption( m_dialog->pix_check_duplicate_nat, fwoptions, "pix_check_duplicate_nat"); data.registerOption( m_dialog->pix_check_overlapping_global_pools, fwoptions, "pix_check_overlapping_global_pools"); data.registerOption( m_dialog->pix_check_overlapping_statics, fwoptions, "pix_check_overlapping_statics"); 
data.registerOption( m_dialog->pix_check_overlapping_global_statics, fwoptions, "pix_check_overlapping_global_statics"); data.registerOption( m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh"); data.registerOption( m_dialog->mgmt_addr, fwoptions, "mgmt_addr"); /* page Installer */ data.registerOption( m_dialog->user,fwoptions, "admUser"); data.registerOption( m_dialog->altAddress,fwoptions, "altAddress"); data.registerOption( m_dialog->sshArgs, fwoptions, "sshArgs"); data.registerOption( m_dialog->scpArgs, fwoptions, "scpArgs"); data.registerOption( m_dialog->use_scp, fwoptions, "use_scp"); data.registerOption( m_dialog->filesystem, fwoptions, "filesystem"); data.registerOption( m_dialog->filesystem, fwoptions, "firewall_dir"); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); m_dialog->installScript->setText( pis->getCommand().c_str()); m_dialog->installScriptArgs->setText( pis->getArguments().c_str()); /* page "Prolog/Epilog" */ data.registerOption( m_dialog->pix_prolog_script, fwoptions, "pix_prolog_script"); data.registerOption( m_dialog->pix_epilog_script, fwoptions, "pix_epilog_script"); /* page "Timeouts" */ data.registerOption( m_dialog->xlate_hh, fwoptions, "xlate_hh"); data.registerOption( m_dialog->xlate_mm, fwoptions, "xlate_mm"); data.registerOption( m_dialog->xlate_ss, fwoptions, "xlate_ss"); data.registerOption( m_dialog->conn_hh, fwoptions, "conn_hh"); data.registerOption( m_dialog->conn_mm, fwoptions, "conn_mm"); data.registerOption( m_dialog->conn_ss, fwoptions, "conn_ss"); data.registerOption( m_dialog->udp_hh, fwoptions, "udp_hh"); data.registerOption( m_dialog->udp_mm, fwoptions, "udp_mm"); data.registerOption( m_dialog->udp_ss, fwoptions, "udp_ss"); data.registerOption( m_dialog->rpc_hh, fwoptions, "rpc_hh"); data.registerOption( m_dialog->rpc_mm, fwoptions, "rpc_mm"); data.registerOption( m_dialog->rpc_ss, fwoptions, "rpc_ss"); data.registerOption( m_dialog->h323_hh, fwoptions, "h323_hh"); data.registerOption( m_dialog->h323_mm, fwoptions, 
"h323_mm"); data.registerOption( m_dialog->h323_ss, fwoptions, "h323_ss"); data.registerOption( m_dialog->sip_hh, fwoptions, "sip_hh"); data.registerOption( m_dialog->sip_mm, fwoptions, "sip_mm"); data.registerOption( m_dialog->sip_ss, fwoptions, "sip_ss"); data.registerOption( m_dialog->sip_media_hh, fwoptions, "sip_media_hh"); data.registerOption( m_dialog->sip_media_mm, fwoptions, "sip_media_mm"); data.registerOption( m_dialog->sip_media_ss, fwoptions, "sip_media_ss"); data.registerOption( m_dialog->half_closed_hh, fwoptions, "half-closed_hh"); data.registerOption( m_dialog->half_closed_mm, fwoptions, "half-closed_mm"); data.registerOption( m_dialog->half_closed_ss, fwoptions, "half-closed_ss"); data.registerOption( m_dialog->uauth_hh, fwoptions, "uauth_hh"); data.registerOption( m_dialog->uauth_mm, fwoptions, "uauth_mm"); data.registerOption( m_dialog->uauth_ss, fwoptions, "uauth_ss"); data.registerOption( m_dialog->uauth_abs, fwoptions, "uauth_abs"); data.registerOption( m_dialog->uauth_inact, fwoptions, "uauth_inact"); data.registerOption( m_dialog->telnet_timeout, fwoptions, "pix_telnet_timeout"); data.registerOption( m_dialog->ssh_timeout, fwoptions, "pix_ssh_timeout"); /* page Fixups */ allFixups.push_back(fixupControl( m_dialog->pix_ctiqbe_switch, m_dialog->pix_ctiqbe_port, NULL, NULL, "ctiqbe_fixup", "ctiqbe", 0)); allFixups.push_back(fixupControl( m_dialog->pix_dns_switch, m_dialog->pix_dns_max_length, NULL, NULL, "dns_fixup", "dns", 1)); allFixups.push_back(fixupControl( m_dialog->pix_espike_switch, NULL, NULL, NULL, "espike_fixup", "esp-ike", 2)); allFixups.push_back(fixupControl( m_dialog->pix_ftp_switch, m_dialog->pix_ftp_port, NULL, m_dialog->pix_ftp_strict, "ftp_fixup", "ftp", 3)); allFixups.push_back(fixupControl( m_dialog->pix_h323h225_switch, m_dialog->pix_h323h225_port1, m_dialog->pix_h323h225_port2, NULL, "h323_h225_fixup", "h323 h225", 4)); allFixups.push_back(fixupControl( m_dialog->pix_h323ras_switch, m_dialog->pix_h323ras_port1, 
m_dialog->pix_h323ras_port2, NULL, "h323_ras_fixup", "h323 ras", 5)); allFixups.push_back(fixupControl( m_dialog->pix_http_switch, m_dialog->pix_http_port1, m_dialog->pix_http_port2, NULL, "http_fixup", "http", 6)); allFixups.push_back(fixupControl( m_dialog->pix_icmperror_switch, NULL, NULL, NULL, "icmp_error_fixup", "icmp error", 7)); allFixups.push_back(fixupControl( m_dialog->pix_ils_switch, m_dialog->pix_ils_port1, m_dialog->pix_ils_port2, NULL, "ils_fixup", "ils", 8)); allFixups.push_back(fixupControl( m_dialog->pix_mgcp_switch, m_dialog->pix_mgcp_gateway_port, m_dialog->pix_mgcp_call_agent_port, NULL, "mgcp_fixup", "mgcp", 9)); allFixups.push_back(fixupControl( m_dialog->pix_pptp_switch, m_dialog->pix_pptp_port, NULL, NULL, "pptp_fixup", "pptp", 10)); allFixups.push_back(fixupControl( m_dialog->pix_rsh_switch, m_dialog->pix_rsh_port1, NULL, NULL, "rsh_fixup", "rsh", 11)); allFixups.push_back(fixupControl( m_dialog->pix_rtsp_switch, m_dialog->pix_rtsp_port, NULL, NULL, "rtsp_fixup", "rtsp", 12)); allFixups.push_back(fixupControl( m_dialog->pix_sip_switch, m_dialog->pix_sip_port1, m_dialog->pix_sip_port2, NULL, "sip_fixup", "sip", 13)); allFixups.push_back(fixupControl( m_dialog->pix_sipudp_switch, m_dialog->pix_sip_udp_port1, NULL, NULL, "sip_udp_fixup", "sip udp", 14)); allFixups.push_back(fixupControl( m_dialog->pix_skinny_switch, m_dialog->pix_skinny_port1, m_dialog->pix_skinny_port2, NULL, "skinny_fixup", "skinny", 15)); allFixups.push_back(fixupControl( m_dialog->pix_smtp_switch, m_dialog->pix_smtp_port1, m_dialog->pix_smtp_port2, NULL, "smtp_fixup", "smtp", 16)); allFixups.push_back(fixupControl( m_dialog->pix_sqlnet_switch, m_dialog->pix_sqlnet_port1, m_dialog->pix_sqlnet_port2, NULL, "sqlnet_fixup", "sqlnet", 17)); allFixups.push_back(fixupControl( m_dialog->pix_tftp_switch, m_dialog->pix_tftp_port, NULL, NULL, "tftp_fixup", "tftp", 18)); allFixups.push_back(fixupControl( m_dialog->pix_ip_options_eool_switch, NULL, NULL, NULL, "ip_options_eool_fixup", 
"IP options", 19)); allFixups.push_back(fixupControl( m_dialog->pix_ip_options_nop_switch, NULL, NULL, NULL, "ip_options_nop_fixup", "IP options", 20)); allFixups.push_back(fixupControl( m_dialog->pix_ip_options_rtralt_switch, NULL, NULL, NULL, "ip_options_rtralt_fixup", "IP options", 21)); QStringList allowed_fixups = QString(Resources::platform_res[platform]->getResourceStr( "/FWBuilderResources/Target/options/" + vers + "/fixups/list").c_str()).split(","); if (fwbdebug) qDebug() << "pixAdvancedDialog::pixAdvancedDialog allowed_fixups:" << allowed_fixups; for (list::iterator fi=allFixups.begin(); fi!=allFixups.end(); fi++) { if (fwbdebug) qDebug() << "pixAdvancedDialog::pixAdvancedDialog fwopt:" << fi->fwoption; if (fi->switch_widget!=NULL) connect( fi->switch_widget, SIGNAL(activated(int)), this, SLOT(fixupCmdChanged())); if (fi->arg1!=NULL) connect( fi->arg1, SIGNAL(valueChanged(int)), this, SLOT(fixupCmdChanged())); if (fi->arg2!=NULL) connect( fi->arg2, SIGNAL(valueChanged(int)), this, SLOT(fixupCmdChanged())); if (fi->arg3!=NULL) connect( fi->arg3, SIGNAL(clicked()), this, SLOT(fixupCmdChanged())); bool active = allowed_fixups.contains(fi->fwoption); fi->active = active; m_dialog->fixup_notebook->setTabEnabled( fi->page, active); } /* page Logging */ m_dialog->emblem_log_format->setEnabled( Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/"+vers+"/pix_emblem_log_format")); syslogDeviceIdSupported=(Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/"+ vers+"/pix_syslog_device_id_supported")); m_dialog->syslog_device_id_hostname->setEnabled(syslogDeviceIdSupported); m_dialog->syslog_device_id_interface->setEnabled(syslogDeviceIdSupported); m_dialog->syslog_device_id_interface_val->setEnabled(syslogDeviceIdSupported); m_dialog->syslog_device_id_string->setEnabled(syslogDeviceIdSupported); m_dialog->syslog_device_id_string_val->setEnabled(syslogDeviceIdSupported); data.registerOption( 
m_dialog->syslog_host, fwoptions, "pix_syslog_host"); data.registerOption( m_dialog->syslog_queue_size, fwoptions, "pix_syslog_queue_size"); m_dialog->syslog_facility->clear(); m_dialog->syslog_facility->addItems( syslogFacilities); data.registerOption( m_dialog->syslog_facility, fwoptions, "pix_syslog_facility", syslogFacilityMapping); m_dialog->logging_trap_level->clear(); m_dialog->logging_trap_level->addItems(logLevels); data.registerOption( m_dialog->logging_trap_level, fwoptions, "pix_logging_trap_level", logLevelMapping); data.registerOption( m_dialog->emblem_log_format, fwoptions, "pix_emblem_log_format"); QStringList interfaces; list l2=obj->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) interfaces.push_back( (Interface::cast(*i))->getLabel().c_str()); m_dialog->syslog_device_id_interface_val->addItems(interfaces); if (syslogDeviceIdSupported) { string s=fwoptions->getStr("pix_syslog_device_id_opt"); string v=fwoptions->getStr("pix_syslog_device_id_val"); if (s=="hostname") m_dialog->syslog_device_id_hostname->setChecked(true); if (s=="interface") { m_dialog->syslog_device_id_interface->setChecked(true); m_dialog->syslog_device_id_interface_val->setCurrentIndex( m_dialog->syslog_device_id_interface_val->findText(v.c_str())); } if (s=="string") { m_dialog->syslog_device_id_string->setChecked(true); m_dialog->syslog_device_id_string_val->setText(v.c_str()); } } data.registerOption( m_dialog->logging_timestamp, fwoptions, "pix_logging_timestamp"); data.registerOption( m_dialog->logging_buffered, fwoptions, "pix_logging_buffered"); m_dialog->logging_buffered_level->clear(); m_dialog->logging_buffered_level->addItems(logLevels); data.registerOption( m_dialog->logging_buffered_level, fwoptions, "pix_logging_buffered_level", logLevelMapping); data.registerOption( m_dialog->logging_console, fwoptions, "pix_logging_console"); m_dialog->logging_console_level->clear(); m_dialog->logging_console_level->addItems(logLevels); 
data.registerOption( m_dialog->logging_console_level,fwoptions, "pix_logging_console_level", logLevelMapping); /* page Options */ m_dialog->fragguard->setEnabled( Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/" + vers + "/pix_security_fragguard_supported")); m_dialog->route_dnat->setEnabled( Resources::platform_res[platform]->getResourceBool( "/FWBuilderResources/Target/options/" + vers + "/pix_route_dnat_supported")); data.registerOption( m_dialog->fragguard, fwoptions, "pix_fragguard"); data.registerOption( m_dialog->route_dnat, fwoptions, "pix_route_dnat"); data.registerOption( m_dialog->resetinbound, fwoptions, "pix_resetinbound"); data.registerOption( m_dialog->resetoutside, fwoptions, "pix_resetoutside"); data.registerOption( m_dialog->connection_timewait, fwoptions, "pix_connection_timewait"); data.registerOption( m_dialog->floodguard, fwoptions, "pix_floodguard"); data.registerOption( m_dialog->nodnsalias_inbound, fwoptions, "pix_nodnsalias_inbound"); data.registerOption( m_dialog->nodnsalias_outbound, fwoptions, "pix_nodnsalias_outbound"); data.registerOption( m_dialog->max_conns, fwoptions, "pix_max_conns"); data.registerOption( m_dialog->emb_limit, fwoptions, "pix_emb_limit"); data.loadAll(); loadFixups(); updateFixupCommandsDisplay(); scriptACLModeChanged(); m_dialog->tabWidget->setCurrentIndex(0); } pixAdvancedDialog::~pixAdvancedDialog() { delete m_dialog; } /* * items in the switch_widget (QComboBox) | values in FirewallOptions object * | * Skip (item 0) | 2 * Enable (item 1) | 0 * Disable (item 2) | 1 * * this strange mapping is historical. 
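*
 * ip options switch has the following items:
 *
 * skip
 * allow
 * drop
 * clear
 *
 * The last item is just added at the bottom and is mapped to FirewallOptions
 * value "3"
 *
 */

// Number of entries in the two translation tables below.  A value outside
// [0, FIXUP_SWITCH_STATES) can only come from a malformed fixup option string
// in the data file or from an empty QComboBox, and must never be used as an
// index into these tables.
static const int FIXUP_SWITCH_STATES = 4;
static int fixupOpt2Widget[] = { 1, 2, 0, 3 };
static int fixupWidget2Opt[] = { 2, 0, 1, 3 };

/*
 * Map a FirewallOptions switch value to the index of the corresponding item
 * in a fixup QComboBox (see the table above).  Out-of-range values fall back
 * to item 0 ("skip"), which is also what loadFixups() selects when the option
 * string is empty.
 */
int pixAdvancedDialog::translateFixupSwitchFromOptionToWidget(int o)
{
    if (o < 0 || o >= FIXUP_SWITCH_STATES) return 0;
    return fixupOpt2Widget[o];
}

/*
 * Map a fixup QComboBox item index to the FirewallOptions switch value.
 * QComboBox::currentIndex() is -1 when the widget holds no items; that and
 * any other out-of-range index are stored as 2 ("skip").
 */
int pixAdvancedDialog::translateFixupSwitchFromWidgetToOption(int w)
{
    if (w < 0 || w >= FIXUP_SWITCH_STATES) return 2;
    return fixupWidget2Opt[w];
}

// Slots behind the "Enable/Disable/Skip all protocols" buttons.  The argument
// is the FirewallOptions value (0 = enable, 1 = disable, 2 = skip).
void pixAdvancedDialog::enableAllFixups()  { changeAllFixups(0); }
void pixAdvancedDialog::disableAllFixups() { changeAllFixups(1); }
void pixAdvancedDialog::skipAllFixups()    { changeAllFixups(2); }

/*
 * Set every supported fixup switch to the given FirewallOptions state and
 * refresh the generated-commands preview.  Fixups that are not available on
 * this platform/version (fi->active == false) are left untouched.
 */
void pixAdvancedDialog::changeAllFixups(int state)
{
    for (list<fixupControl>::iterator fi=allFixups.begin();
         fi!=allFixups.end(); fi++)
    {
        if (!fi->active) continue;
        fi->switch_widget->setCurrentIndex(
            translateFixupSwitchFromOptionToWidget(state));
    }
    updateFixupCommandsDisplay();
}

/*
 * Populate the fixup widgets from the firewall's options object.  Each fixup
 * option is one string "<switch> <port1> <port2> <arg3name> <arg3state>" (the
 * format written by saveFixups()); an empty string means "skip".
 */
void pixAdvancedDialog::loadFixups()
{
    FWOptions *options=(Firewall::cast(obj))->getOptionsObject();
    assert(options!=NULL);

    for (list<fixupControl>::iterator fi=allFixups.begin();
         fi!=allFixups.end(); fi++)
    {
        if (!fi->active) continue;

        string f = options->getStr(fi->fwoption.toLatin1().constData());
        if (!f.empty())
        {
            // "0" means "fixup" or "enable" in a pop-down menu (historical)
            // "1" means "no fixup" or "disable" in a pop-down menu (historical)
            //
            // Nothing in this dialog validates the option string before it is
            // parsed, so every field starts at its "skip / keep defaults"
            // value: a truncated or malformed string then leaves the fields
            // at those values instead of indeterminate.
            int sw = 2;
            int p1 = 0, p2 = 0;        // two port numbers
            string arg3n;              // option name
            bool arg3v = false;        // option state (on/off)

            istringstream str(f);
            str >> sw >> p1 >> p2 >> arg3n >> arg3v;
            if (arg3n=="nil") arg3n="";

            // translateFixupSwitchFromOptionToWidget() rejects out-of-range
            // switch values, so sw is safe to use whatever the string held.
            fi->switch_widget->setCurrentIndex(
                translateFixupSwitchFromOptionToWidget(sw));

            /* if values are 0 in the data file, we stick with defaults. Defaults
             * are preconfigured in the GUI */
            if (fi->arg1 && p1!=0) fi->arg1->setValue(p1);
            if (fi->arg2 && p2!=0) fi->arg2->setValue(p2);
            if (fi->arg3) fi->arg3->setChecked(arg3v);
        } else
        {
            fi->switch_widget->setCurrentIndex(0);
        }
    }
}

/*
 * Serialise the state of every fixup widget into `options`, one option per
 * fixup, in the format loadFixups() reads back.  Fixups that are not
 * supported on this platform/version are always written with switch value 2
 * ("skip").  Only the ftp fixup carries a named third argument ("strict");
 * all others write the placeholder "nil".
 */
void pixAdvancedDialog::saveFixups(FWOptions *options)
{
    for (list<fixupControl>::iterator fi=allFixups.begin();
         fi!=allFixups.end(); fi++)
    {
        string name = fi->fwoption.toLatin1().constData();
        int sw = translateFixupSwitchFromWidgetToOption(
            fi->switch_widget->currentIndex());
        int p1 =(fi->arg1)?fi->arg1->value():0;
        int p2 =(fi->arg2)?fi->arg2->value():0;
        string on =(name=="ftp_fixup")?"strict":"nil";
        bool ov =(fi->arg3)?fi->arg3->isChecked():false;

        if (!fi->active) sw=2;

        ostringstream str;
        str << sw << " " << p1 << " " << p2 << " " << on << " " << int(ov);
        options->setStr( fi->fwoption.toLatin1().constData(), str.str() );

        if (fwbdebug)
            qDebug() << "pixAdvancedDialog::saveFixups()"
                     << name.c_str() << str.str().c_str();
    }
}

/*
 * Regenerate the protocol-inspector command preview from the current widget
 * state.
 */
void pixAdvancedDialog::displayCommands()
{
    m_dialog->pix_generated_fixup->setText("");

    /*
     * need to copy information from widgets that control fixups into
     * firewall object's options, so that when we dump the database into
     * memory buffer, we get updated info
     *
     * This creates a problem however: since we save changes into the
     * actual object here, the undo/redo commands don't work later on in
     * accept() because we do not detect any changes and undo command is
     * not placed on undo stack. Need to save FWOptions object, save fixup
     * parameters into it, generate commands and then restore FWOptions
     * object back
     */
    FWOptions *options = (Firewall::cast(obj))->getOptionsObject();
    assert(options!=NULL);

    FWOptions *backup_options = new FWOptions();
    backup_options->duplicate(options, false);

    saveFixups(options);

    // NOTE(review): if the driver call below throws, the snapshot is neither
    // restored nor freed and the live object keeps the unsaved fixup values
    // -- confirm whether protocolInspectorCommands() can throw here.
    CompilerDriver_pix driver(obj->getRoot());
    driver.setTargetId(FWObjectDatabase::getStringId(obj->getId()));
    string inspectors = driver.protocolInspectorCommands();
    m_dialog->pix_generated_fixup->setText(inspectors.c_str());

    // Put the live options back exactly as they were before saveFixups().
    options->duplicate(backup_options, false);
    delete backup_options;
}

// Refresh the command preview (kept as a separate entry point for callers
// outside the slot machinery).
void pixAdvancedDialog::updateFixupCommandsDisplay()
{
    displayCommands();
}

// Slot connected to every fixup switch/port/checkbox widget in the ctor.
void pixAdvancedDialog::fixupCmdChanged()
{
    updateFixupCommandsDisplay();
}

/*
 * store all data in the object
 *
 * All widget values are written into a copy of the firewall object held by an
 * FWCmdChange; the command is pushed onto the project's undo stack only if
 * the copy actually differs from the current object.
 */
void pixAdvancedDialog::accept()
{
    ProjectPanel *project = mw->activeProject();
    std::auto_ptr<FWCmdChange> cmd( new FWCmdChange(project, obj));

    // new_state is a copy of the fw object
    FWObject* new_state = cmd->getNewState();
    FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject();
    assert(fwoptions!=NULL);

    Management *mgmt = (Firewall::cast(new_state))->getManagementObject();
    assert(mgmt!=NULL);

    data.saveAll(fwoptions);
    saveFixups(fwoptions);

    // find first interface marked as "management"
    const InetAddr *mgmt_addr = Firewall::cast(new_state)->getManagementAddress();
    if (mgmt_addr) mgmt->setAddress(*mgmt_addr);

    if (syslogDeviceIdSupported)
    {
        // The three checks are independent; if more than one button were
        // checked, the last assignment below would win.
        QString s,v;
        s=""; v="";
        if (m_dialog->syslog_device_id_hostname->isChecked()) s="hostname";
        if (m_dialog->syslog_device_id_interface->isChecked())
        {
            s="interface";
            v=m_dialog->syslog_device_id_interface_val->currentText();
        }
        if (m_dialog->syslog_device_id_string->isChecked())
        {
            s="string";
            v=m_dialog->syslog_device_id_string_val->text();
        }
        fwoptions->setStr("pix_syslog_device_id_opt",s.toLatin1().constData());
        fwoptions->setStr("pix_syslog_device_id_val",v.toLatin1().constData());
    }

    // The external install script command and its arguments are stored
    // verbatim from the free-text fields; no validation happens here and
    // the code that runs them lives outside this file.
    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
    pis->setCommand( m_dialog->installScript->text().toLatin1().constData() );
    pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData() );

    if (!cmd->getOldState()->cmp(new_state, true))
        project->undoStack->push(cmd.release());

    QDialog::accept();
}

void pixAdvancedDialog::reject()
{
    QDialog::reject();
}

// Open the prolog script in the simple text editor; the text box is updated
// only if the editor is accepted.
void pixAdvancedDialog::editProlog()
{
    SimpleTextEditor edt(this, m_dialog->pix_prolog_script->toPlainText(),
                         true, tr( "Script Editor" ) );
    if ( edt.exec() == QDialog::Accepted )
        m_dialog->pix_prolog_script->setText( edt.text() );
}

// Same as editProlog(), for the epilog script.
void pixAdvancedDialog::editEpilog()
{
    SimpleTextEditor edt(this, m_dialog->pix_epilog_script->toPlainText(),
                         true, tr( "Script Editor" ) );
    if ( edt.exec() == QDialog::Accepted )
        m_dialog->pix_epilog_script->setText( edt.text() );
}

/*
 * Reset one timeout widget to the platform/version default read from the
 * platform resource tree.  "uauth_abs" and "uauth_inact" are read as
 * booleans; every other timeout is read as an integer.
 */
void pixAdvancedDialog::setDefaultTimeoutValue(const QString &option)
{
    string platform = obj->getStr("platform"); // could be 'pix' or 'fwsm'
    // fwoptions is only used for the null check.
    FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
    assert(fwoptions!=NULL);
    string vers="version_"+obj->getStr("version");

    if (option=="uauth_abs" || option=="uauth_inact")
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
        data.setWidgetValue(option.toAscii().constData(),
            Resources::platform_res[platform]->getResourceBool(
                "/FWBuilderResources/Target/options/"+vers+"/timeouts/"+option.toLatin1().constData()));
    else
        data.setWidgetValue(option.toAscii().constData(),
            Resources::platform_res[platform]->getResourceInt(
                "/FWBuilderResources/Target/options/"+vers+"/timeouts/"+option.toLatin1().constData()));
#else
        data.setWidgetValue(option.toLatin1().constData(),
            Resources::platform_res[platform]->getResourceBool(
                "/FWBuilderResources/Target/options/"+vers+"/timeouts/"+option.toLatin1().constData()));
    else
        data.setWidgetValue(option.toLatin1().constData(),
            Resources::platform_res[platform]->getResourceInt(
                "/FWBuilderResources/Target/options/"+vers+"/timeouts/"+option.toLatin1().constData()));
#endif
}

// Slot behind "Set all to defaults..": reset every timeout widget on the
// Timeouts page.
void pixAdvancedDialog::defaultTimeouts()
{
    // Only the null check is needed here; setDefaultTimeoutValue() re-reads
    // the options object and version itself.
    FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
    assert(fwoptions!=NULL);

    setDefaultTimeoutValue("xlate_hh" );
    setDefaultTimeoutValue("xlate_mm" );
    setDefaultTimeoutValue("xlate_ss" );
    setDefaultTimeoutValue("conn_hh" );
    setDefaultTimeoutValue("conn_mm" );
    setDefaultTimeoutValue("conn_ss" );
    setDefaultTimeoutValue("udp_hh" );
    setDefaultTimeoutValue("udp_mm" );
    setDefaultTimeoutValue("udp_ss" );
    setDefaultTimeoutValue("rpc_hh" );
    setDefaultTimeoutValue("rpc_mm" );
    setDefaultTimeoutValue("rpc_ss" );
    setDefaultTimeoutValue("h323_hh" );
    setDefaultTimeoutValue("h323_mm" );
    setDefaultTimeoutValue("h323_ss" );
    setDefaultTimeoutValue("sip_hh" );
    setDefaultTimeoutValue("sip_mm" );
    setDefaultTimeoutValue("sip_ss" );
    setDefaultTimeoutValue("sip_media_hh" );
    setDefaultTimeoutValue("sip_media_mm" );
    setDefaultTimeoutValue("sip_media_ss" );
    setDefaultTimeoutValue("half-closed_hh" );
    setDefaultTimeoutValue("half-closed_mm" );
    setDefaultTimeoutValue("half-closed_ss" );
    setDefaultTimeoutValue("uauth_hh" );
    setDefaultTimeoutValue("uauth_mm" );
    setDefaultTimeoutValue("uauth_abs" );
    setDefaultTimeoutValue("uauth_inact" );
    setDefaultTimeoutValue("telnet_timeout" );
    setDefaultTimeoutValue("ssh_timeout" );
}

// Intentionally empty slot (kept for the signal connection made elsewhere).
void pixAdvancedDialog::regenerateFixups()
{
}

// Enable the temporary-ACL address widgets only when the "safety net"
// (ACL substitution) script mode is selected.
void pixAdvancedDialog::scriptACLModeChanged()
{
    m_dialog->pix_acl_temp_lbl->setEnabled(m_dialog->pix_acl_substitution->isChecked());
    m_dialog->pix_acl_temp_addr->setEnabled(m_dialog->pix_acl_substitution->isChecked());
}
fwbuilder-5.3.7/src/libgui/pixAdvancedDialog.h000066400000000000000000000060061303637203600212770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License.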
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PIXADVANCEDDIALOG_H_ #define __PIXADVANCEDDIALOG_H_ #include #include "DialogData.h" #include class QWidget; class QSpinBox; class QComboBox; class QCheckBox; namespace libfwbuilder { class FWObject; class FWOptions; }; struct fixupControl { class QComboBox *switch_widget; class QSpinBox *arg1; class QSpinBox *arg2; class QCheckBox *arg3; QString fwoption; QString fixup_cmd; int page; // number of the notebook page in fixup_notebook widget bool active; // if false, then this fixup is not supported on the given // version of PIX OS fixupControl(QComboBox *s, QSpinBox *w1, QSpinBox *w2, QCheckBox *w3, const QString &o, const QString &f, int p) { switch_widget=s; arg1=w1; arg2=w2; arg3=w3; fwoption=o; fixup_cmd=f; page=p; active=true; } }; class pixAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; std::list allFixups; bool syslogDeviceIdSupported; Ui::pixAdvancedDialog_q *m_dialog; public: pixAdvancedDialog(QWidget *parent, libfwbuilder::FWObject *o); ~pixAdvancedDialog(); void setDefaultTimeoutValue(const QString &option); void updateFixupCommandsDisplay(); void loadFixups(); void saveFixups(libfwbuilder::FWOptions *options); int translateFixupSwitchFromOptionToWidget(int o); int translateFixupSwitchFromWidgetToOption(int o); void changeAllFixups(int state); protected slots: virtual void accept(); virtual void reject(); virtual void editProlog(); 
virtual void editEpilog(); virtual void defaultTimeouts(); virtual void regenerateFixups(); virtual void fixupCmdChanged(); virtual void enableAllFixups(); virtual void disableAllFixups(); virtual void skipAllFixups(); virtual void scriptACLModeChanged(); virtual void displayCommands(); }; #endif // __PIXADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/pixFailoverOptionsDialog.cpp000066400000000000000000000055431303637203600232550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "config.h"
#include "global.h"

#include "pixFailoverOptionsDialog.h"
#include "FWWindow.h"
#include "FWCmdChange.h"

#include "fwbuilder/Interface.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Firewall.h"

// NOTE(review): the two system header names on the next line were lost when
// this file was flattened; they must be restored from the original source.
#include #include
using namespace std;
using namespace libfwbuilder;

/*
 * Options dialog for the PIX failover settings object.  The single setting
 * it edits is the failover key, stored on the options object under
 * "pix_failover_key".
 */
pixFailoverOptionsDialog::pixFailoverOptionsDialog(QWidget *parent, FWObject *o) : QDialog(parent)
{
    m_dialog = new Ui::pixFailoverOptionsDialog_q;
    m_dialog->setupUi(this);
    obj = o;

    // obj must be an FWOptions object; the dialog only edits its options.
    FWOptions *gropt = FWOptions::cast(obj);
    assert(gropt != NULL);

    // Bind the key line edit to the option; loadAll() fills the widget from
    // the value currently stored on the object.
    data.registerOption(m_dialog->pix_failover_key, gropt, "pix_failover_key");
    data.loadAll();
}

pixFailoverOptionsDialog::~pixFailoverOptionsDialog()
{
    delete m_dialog;
}

/*
 * store all data in the object
 *
 * The widget values are written into a copy of the options object held by an
 * FWCmdChangeOptionsObject; the command is pushed onto the project's undo
 * stack only if the copy differs from the current object.
 *
 * NOTE(review): pix_failover_key is a key, i.e. presumably secret material,
 * yet it is persisted here like any other option string and kept in the undo
 * history; confirm how the data file protects it at rest.
 */
void pixFailoverOptionsDialog::accept()
{
    if (!validate()) return;

    // the parent of this dialog is InterfaceDialog, not ProjectPanel
    ProjectPanel *project = mw->activeProject();
    std::auto_ptr cmd( new FWCmdChangeOptionsObject(project, obj));
    FWObject* new_state = cmd->getNewState();
    data.saveAll(new_state);
    if (!cmd->getOldState()->cmp(new_state, true))
        project->undoStack->push(cmd.release());
    QDialog::accept();
}

void pixFailoverOptionsDialog::reject()
{
    QDialog::reject();
}

/*
 * Check the form before accepting it.  The only rule is that the failover
 * key must not be empty; on failure a warning box is shown and focus moves
 * to the offending widget.  Returns true when the input is acceptable.
 */
bool pixFailoverOptionsDialog::validate()
{
    bool valid = true;
    QWidget *focus = NULL;
    QString message;

    // key must be set
    if (m_dialog->pix_failover_key->text().isEmpty())
    {
        message = "PIX failover key field can not be empty!";
        focus = m_dialog->pix_failover_key;
        valid = false;
    }

    if (!valid)
    {
        // focus is always set whenever valid is false: the single check
        // above assigns both, so the dereference below is safe.
        QMessageBox::warning(this, "Firewall Builder",
                             tr("Input not valid: %1").arg(message),
                             "&Continue", QString::null, QString::null, 0, 1);
        focus->setFocus();
    }
    return valid;
}
fwbuilder-5.3.7/src/libgui/pixFailoverOptionsDialog.h000066400000000000000000000027271303637203600227230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PIXFAILOVEROPTIONSDIALOG_H_ #define __PIXFAILOVEROPTIONSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class pixFailoverOptionsDialog : public QDialog { Q_OBJECT; public: pixFailoverOptionsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~pixFailoverOptionsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::pixFailoverOptionsDialog_q *m_dialog; bool validate(); protected slots: virtual void accept(); virtual void reject(); }; #endif // __PIXFAILOVEROPTIONSDIALOG_H_ fwbuilder-5.3.7/src/libgui/pixadvanceddialog_q.ui000066400000000000000000005173261303637203600221210ustar00rootroot00000000000000 pixAdvancedDialog_q Qt::WindowModal true 0 0 829 596 PIX Firewall Settings false Qt::Horizontal QSizePolicy::Expanding 20 20 OK Cancel Qt::AlignCenter false 16777215 16777215 QTabWidget::North QTabWidget::Rounded 0 Qt::ElideNone true Compiler 0 0 Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw") Qt::AlignVCenter true 32767 22 Qt::Horizontal 518 20 0 0 
16777215 16777215 Policy Compiler Options Generate rules assuming the firewall is part of "Any". This makes a difference in rules that use services 'ssh' and 'telnet' since PIX uses special commands to control ssh and telnet access to the firewall machine Assume firewall is part of 'any' Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. Detect rule shadowing in the policy Normally PIX does not support outbound ACL, however policy compiler can emulate them if this option is turned on Emulate outbound ACLs Normally PIX does not support ouotbound ACL, however policy compiler can emulate them if this option is turned on Generate outbound ACLs If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works! Ignore empty groups in rules In nat rules where network zone object is used in OSrc, ODst and OSrv are 'any' and TSrc defines a global pool for the translation, replace object in OSrc with 'any' to produce PIX command "nat (interface) N 0.0.0.0 0.0.0.0" Optimize 'default nat' rules Address Translation In configurations using NAT, starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. Prior to v8.3 ASA/PIX required using translated IP addresses in firewall policy rules. Firewall Builder can emulate v8.3 behavior for older versions of ASA/PIX letting you use real IP addresses in policy rules. This emulation is only needed if your firewall runs ASA software older than v8.3 and you want to use real IP addresses in firewall policy rules. 
true 0 0 PIX inspects packets with ACLs before it does NAT, while many other firewalls do NAT first and then apply ACLs. Policy compiler can emulate the latter behaviour if this options is turned on. Replace NAT'ted objects with their translations in policy rules 0 0 16777215 16777215 Verification of NAT rules -1 Check for duplicate nat rules Check for overlapping statics Check for overlapping global pools 0 0 Check for overlapping global pools and statics Always permit ssh access from the management workstation with this address: 0 0 200 0 32767 22 Qt::Horizontal 508 20 Qt::Vertical QSizePolicy::Expanding 20 170 Installer Built-in installer User name used to authenticate to the firewall (leave this empty if you use putty session): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 0 0 Additional command line parameters for ssh false 0 0 250 0 Additional command line parameters for scp false 0 0 250 0 Instead of running generated configuration on the firewall line by line, installer can use scp to copy the file and then "copy file running-config" command to activate it. Ssh v2 and scp servers should be configured on the firewall for this to work. This method works for PIX v7 or later and is much faster than running configuration line by line. true Copy generated configuration file to the firewall using scp File system on the firewall where configuration file should be saved if it is copied with scp. Examples: "flash:", "disk0:". Should end with a colon ":". 
If this input field is left blank, installer uses "flash:": true Qt::Horizontal 40 20 External install script 0 0 0 0 Policy install script (built-in installer will be used if blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 250 0 0 0 0 0 Command line options for the script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 250 0 Prolog/Epilog 6 Qt::Horizontal QSizePolicy::Expanding 40 20 Edit The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true Qt::ScrollBarAlwaysOn Qt::ScrollBarAlwaysOn 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 Qt::ScrollBarAlwaysOn Qt::ScrollBarAlwaysOn The following commands will be added verbatim after generated configuration Qt::AlignVCenter true Timeouts Qt::Horizontal QSizePolicy::Expanding 40 20 Qt::Vertical QSizePolicy::Expanding 20 30 QFrame::NoFrame QFrame::Sunken 5 0 5 0 4 xlate Qt::AlignCenter false conn Qt::AlignCenter false udp Qt::AlignCenter false rpc Qt::AlignCenter false h323 Qt::AlignCenter false sip Qt::AlignCenter false sip&media Qt::AlignCenter false sip_media_hh unauth Qt::AlignCenter false 0 100 0 0 100 0 0 100 0 0 100 0 0 100 0 0 100 0 0 100 0 0 100 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 0 59 0 telnet Qt::AlignCenter false ssh Qt::AlignCenter false ss Qt::AlignCenter false mm Qt::AlignCenter false hh Qt::AlignCenter false 0 59 0 0 59 0 0 100 0 half-closed Qt::AlignCenter false 0 59 0 0 59 0 QFrame::HLine QFrame::Sunken Qt::Horizontal 6 Inactivity Qt::AlignCenter false Absolute Qt::AlignCenter false Set all to defaults.. Inspect Policy compiler generates 'fixup' commands for PIX/ASA v6.1-6.3 and FWSM v2.3. For v7.x and v8.x it generates 'class-map' and 'inspect' commands assigned to the 'policy-map' under either default or custom inspection classes. 
Qt::AlignVCenter true 12 Qt::Vertical QSizePolicy::Fixed 20 10 0 0 16777215 16777215 QTabWidget::North QTabWidget::Triangular 19 Qt::ElideNone true ctiqbe 10 10 0 0 skip enable disable Computer Telephony Interface Quick Buffer Encoding (CTIQBE) protocol inspection module that supports NAT, PAT, and bi-directional NAT. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true port: Qt::AlignCenter false pix_ctiqbe_port 1 65535 2748 Qt::Horizontal QSizePolicy::Expanding 80 20 dns 10 10 0 0 Based on this maximum-length configured by the user, the DNS fixup checks to see if the DNS packet length is within this limit. Every UDP DNS packet (request/response) undergoes the above check. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true max length: Qt::AlignCenter false pix_dns_max_length 512 65535 65535 skip enable disable Qt::Horizontal QSizePolicy::Expanding 40 20 esp ike 10 10 0 0 Enables PAT for Encapsulating Security Payload (ESP), single tunnel. Qt::AlignCenter true skip enable disable Qt::Horizontal QSizePolicy::Expanding 40 20 ftp 10 10 0 0 1 65535 21 port: Qt::AlignCenter false pix_ftp_port strict: Qt::AlignCenter false Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable Activated support for FTP protocol and allows to change the ftp control connection port number. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true h323 h225 10 10 0 0 Specifies to use H.225, the ITU standard that governs H.225.0 session establishment and packetization, with H.323 Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true port: Qt::AlignCenter false pix_ctiqbe_port -- Qt::AlignCenter false 1 65535 1720 1 65535 1720 Qt::Horizontal QSizePolicy::Expanding 30 20 skip enable disable h323 ras 10 10 0 0 Specifies to use RAS with H.323 to enable dissimilar communication devices to communicate with each other. 
Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 1 65535 1718 -- Qt::AlignCenter false port: Qt::AlignCenter false pix_ctiqbe_port 1 65535 1719 Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable http 10 10 0 0 The default port for HTTP is 80. Use the port option to change the HTTP port, or specify a range of HTTP ports. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true -- Qt::AlignCenter false port: Qt::AlignCenter false pix_ctiqbe_port 1 65535 80 1 65535 80 Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable icmp error 10 10 0 0 Enables NAT of ICMP error messages. This creates translations for intermediate hops based on the static or network address translation configuration on the firewall. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true skip enable disable Qt::Horizontal QSizePolicy::Expanding 40 20 ils 10 10 0 0 Provides NAT support for Microsoft NetMeeting, SiteServer, and Active Directory products that use LightWeight Directory Access Protocol (LDAP) to exchange directory information with an for Internet Locator Service (ILS) server. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 1 65535 389 port: Qt::AlignCenter false pix_ctiqbe_port 1 65535 389 -- Qt::AlignCenter false Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable mgcp 10 10 0 0 Enables the Media Gateway Control Protocol (MGCP) fixup. Qt::AlignCenter true Gateway Port: Qt::AlignCenter false pix_ctiqbe_port Call Agent port: Qt::AlignCenter false 1 65535 2427 1 65535 2727 skip enable disable Qt::Horizontal QSizePolicy::Expanding 40 20 Qt::Horizontal QSizePolicy::Expanding 160 20 pptp 10 10 0 0 Enables Point-to-Point Tunneling Protocol (PPTP) application inspection. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 1 65535 1723 port: Qt::AlignCenter false pix_ftp_port Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable rsh 10 10 0 0 Enables inspection of RSH protocol. 
Qt::AlignCenter true port: Qt::AlignCenter false 1 65535 514 Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable rtsp 10 10 0 0 Lets PIX Firewall pass Real Time Streaming Protocol (RTSP) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 1 65535 554 port: Qt::AlignCenter false pix_ctiqbe_port Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable sip 10 10 0 0 Enable or change the port assignment for the Session Initiation Protocol (SIP) for Voice over IP TCP connections. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 1 65535 5060 1 65535 5060 port: Qt::AlignCenter false pix_ctiqbe_port -- Qt::AlignCenter false Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable sip udp 10 10 0 0 Enable SIP-over-UDP application inspection. Qt::AlignCenter true 1 65535 5060 port: Qt::AlignCenter false Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable skinny 10 10 0 0 Enable SCCP application inspection. SCCP protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals. Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true -- Qt::AlignCenter false 1 65535 2000 1 65535 2000 port: Qt::AlignCenter false pix_ctiqbe_port Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable smtp 10 10 0 0 Enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are translated into X's which are rejected by the internal server. Qt::AlignCenter true port: Qt::AlignCenter false pix_ctiqbe_port -- Qt::AlignCenter false 1 65535 25 1 65535 25 Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable sqlnet 10 10 0 0 Enables support for SQL*Net protocol. 
Qt::AlignCenter true 1 65535 1521 port: Qt::AlignCenter false pix_ctiqbe_port -- Qt::AlignCenter false 1 65535 1521 Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable tftp 10 10 0 0 Enable TFTP application inspection. Qt::AlignCenter true 1 65535 69 port: Qt::AlignCenter false pix_ctiqbe_port Qt::Horizontal QSizePolicy::Expanding 40 20 skip enable disable IP options 20 End of Options List (EOOL) skip allow drop clear 0 0 IP Options analysis is only available in PIX 8.2 and later and olnly EOOL, NOP and RTRALT options can be inspected. The firewall can allow IP packet with one of the options through or clear the option and then forward the packet, or drop the packet. Packets with any other option are always dropped. true No Operation (NOP) skip allow drop clear Router Alert (RTRALT) skip allow drop clear Qt::Horizontal QSizePolicy::Expanding 40 20 Enable all protocols false Disable all protocols false Skip all protocols false Qt::Horizontal QSizePolicy::Expanding 40 20 16777215 16777215 Qt::ScrollBarAlwaysOn Qt::ScrollBarAlwaysOn Logging Syslog host (IP address): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Syslog message queue size (messages): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 0 10000 0 Qt::Horizontal QSizePolicy::Expanding 40 20 syslog facility: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Qt::Horizontal 345 20 syslog level ('logging trap'): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Qt::Horizontal 345 20 PIX Firewall Version 6.3 introduces support for EMBLEM format, which is required when using the CiscoWorks Resource Manager Essentials (RME) syslog analyzer. Use 'EMBLEM' format for syslog messages Set device id for syslog messages (v6.3 and later): use hostname Qt::Horizontal QSizePolicy::Expanding 40 20 use address of interface Qt::Horizontal 387 20 use text string The logging timestamp command requires that the clock command be set. 
Qt::AlignVCenter true Enable logging timestamps on syslog file Other logging destinations and levels: Internal buffer 0 22 Qt::Horizontal 488 20 Console 0 22 Qt::Horizontal 488 20 Qt::Vertical QSizePolicy::Expanding 20 40 Script 0 0 0 0 Clear all access lists then install new ones. This method may interrupt access to the firewall if you manage it remotely via IPSEC tunnel. This is the way access lists were generated in older versions of Firewall Builder for PIX. Qt::AlignVCenter true pix_acl_basic 0 0 Qt::ClickFocus Do not clear access lists and object group, just generate PIX commands for the new ones. Use this option if you have your own policy installation scripts. Qt::AlignVCenter true pix_acl_no_clear QFrame::StyledPanel QFrame::Sunken 11 Temporary access list should permit access from this address or subnet (use prefix notation to specify subnet, e.g. 192.0.2.0/24): Qt::AlignVCenter true Qt::Horizontal QSizePolicy::Expanding 110 20 0 0 200 0 120 32767 Qt::Horizontal QSizePolicy::Expanding 120 20 0 0 "Safety net" method: First, create temporary access list to permit connections from the management subnet specified below to the firewall and assign it to outside interface. This temporary ACL helps maintain session between management station and the firewall while access lists are reloaded in case connection comes over IPSEC tunnel. Then clear permanent lists, recreate them and assign to interfaces. This method ensures that remote access to the firewall is maintained without interruption at a cost of slightly larger configuration. Qt::AlignVCenter true pix_acl_substitution Qt::Vertical 20 137 Script (additional) Compiler can generate PIX configuration without commands that configures interfaces, timeouts and inspectors. These parts of configuration change rarely so it makes no sense to execute the same commands again and again. In addition, runnig the same commands on configuration reload cause errors. 
Use this option to generate shortened configuration to avoid errors and make update faster. true Generate only access-list, access-group, telnet, ssh, nat, global and static commands 0 0 12 Insert comments into generated PIX configuration file Comment the code Use ACL remarks to relate ACL commands and policy rules in the GUI Use ACL remarks Group PIX commands in the script so that similar commands appear next to each other, just like PIX does it when you use 'show config' Group similar commands together Use manual ACL commit on FWSM Qt::Vertical 20 40 PIX Options 20 20 12 20 20 QFrame::NoFrame QFrame::Plain 12 Actively reset inbound TCP connections with RST Actively reset inbound TCP connections with RST on outside interface Force each TCP connection to linger in a shortened TIME&WAIT Alt+W Enable the IP Frag Guard feature (deprecated in v6.3 and later). Enable TCP resource control for AAA Authentication Proxy Specify that when an incoming packet does a route lookup, the incoming interface is used to determine which interface the packet should go to, and which is the next hop (deprecated in v6.3 and later). QFrame::HLine QFrame::Sunken Qt::Horizontal Disable inbound embedded DNS A record fixups Disable outbound DNS A record replies QFrame::HLine QFrame::Sunken Qt::Horizontal The following parameters are used for all NAT rules: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false maximum number of simultaneous TCP and UDP connections Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false max_conns 64 16777215 Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.) 0 100000 0 Qt::Horizontal 254 20 maximum number of embryonic connections per host Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false emb_limit 64 16777215 Specifies the maximum number of embryonic connections per host. 
An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set a small value for slower systems, and a higher value for faster systems. The default is 0, which means unlimited embryonic connections. 0 100000 0 (The default for both parameters is 0, which means unlimited number of connections.) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true Qt::Vertical QSizePolicy::Expanding 20 20 IPv6 20 The order in which ipv4 and ipv6 rules should be generated: Qt::Horizontal 40 20 IPv4 before IPv6 IPv6 before IPv4 Qt::Vertical 20 40 tabWidget outputFileName pix_assume_fw_part_of_any pix_emulate_out_acl pix_optimize_default_nat pix_check_shadowing pix_check_duplicate_nat pix_check_overlapping_statics mgmt_ssh mgmt_addr user altAddress sshArgs scpArgs use_scp installScriptArgs pix_prolog_script edit_prolog_button pix_epilog_script edit_epilog_button xlate_hh xlate_mm xlate_ss conn_hh conn_mm conn_ss udp_hh udp_mm udp_ss rpc_hh rpc_mm rpc_ss h323_hh h323_mm h323_ss sip_hh sip_mm sip_ss sip_media_hh sip_media_mm sip_media_ss half_closed_hh half_closed_mm half_closed_ss uauth_hh uauth_mm uauth_ss telnet_timeout ssh_timeout uauth_abs uauth_inact defaultTimeoutsButton fixup_notebook pix_ctiqbe_switch pix_ctiqbe_port pix_dns_switch pix_dns_max_length pix_espike_switch pix_ftp_switch pix_ftp_port pix_ftp_strict pix_h323h225_switch pix_h323h225_port1 pix_h323h225_port2 pix_h323ras_switch pix_h323ras_port1 pix_h323ras_port2 pix_http_switch pix_http_port1 pix_http_port2 pix_icmperror_switch pix_ils_switch pix_ils_port1 pix_ils_port2 pix_mgcp_switch pix_mgcp_gateway_port pix_mgcp_call_agent_port pix_pptp_switch pix_pptp_port pix_rsh_switch pix_rsh_port1 pix_rtsp_switch pix_rtsp_port pix_sip_switch pix_sip_port1 pix_sip_port2 pix_sipudp_switch pix_sip_udp_port1 pix_skinny_switch pix_skinny_port1 pix_skinny_port2 pix_smtp_switch pix_smtp_port1 pix_smtp_port2 pix_sqlnet_switch pix_sqlnet_port1 pix_sqlnet_port2 
pix_tftp_switch pix_tftp_port enableAllFixupsButton disableAllFixupsButton skipAllFixupsButton pix_generated_fixup syslog_host syslog_queue_size syslog_facility logging_trap_level emblem_log_format syslog_device_id_hostname syslog_device_id_interface syslog_device_id_interface_val syslog_device_id_string syslog_device_id_string_val logging_timestamp logging_buffered logging_buffered_level logging_console logging_console_level pix_acl_basic pix_acl_no_clear pix_acl_substitution pix_acl_temp_addr resetinbound resetoutside connection_timewait fragguard floodguard route_dnat nodnsalias_inbound nodnsalias_outbound max_conns emb_limit ipv4before_2 ok_button cancel_button textLabel3 ok_button clicked() pixAdvancedDialog_q accept() 20 20 20 20 cancel_button clicked() pixAdvancedDialog_q reject() 20 20 20 20 edit_prolog_button clicked() pixAdvancedDialog_q editProlog() 20 20 20 20 edit_epilog_button clicked() pixAdvancedDialog_q editEpilog() 20 20 20 20 defaultTimeoutsButton clicked() pixAdvancedDialog_q defaultTimeouts() 20 20 20 20 enableAllFixupsButton clicked() pixAdvancedDialog_q enableAllFixups() 20 20 20 20 disableAllFixupsButton clicked() pixAdvancedDialog_q disableAllFixups() 20 20 20 20 skipAllFixupsButton clicked() pixAdvancedDialog_q skipAllFixups() 20 20 20 20 pix_acl_basic clicked() pixAdvancedDialog_q scriptACLModeChanged() 20 20 20 20 pix_acl_substitution clicked() pixAdvancedDialog_q scriptACLModeChanged() 20 20 20 20 fwbuilder-5.3.7/src/libgui/pixfailoveroptionsdialog_q.ui000066400000000000000000000112711303637203600235630ustar00rootroot00000000000000 pixFailoverOptionsDialog_q 0 0 319 376 PIX failover protocol settings Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 PIX Failover Protocol Parameters :/Icons/Options:/Icons/Options Qt::Vertical QSizePolicy::Minimum 20 20 true PIX Failover Key Qt::LeftToRight Key: true Qt::Vertical 20 40 buttonOk buttonCancel tabWidget buttonOk clicked() pixFailoverOptionsDialog_q 
accept() 316 472 193 137 buttonCancel clicked() pixFailoverOptionsDialog_q reject() 397 472 20 20 fwbuilder-5.3.7/src/libgui/pixosAdvancedDialog.cpp000066400000000000000000000105041303637203600221720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "pixosAdvancedDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; pixosAdvancedDialog::~pixosAdvancedDialog() { delete m_dialog; } pixosAdvancedDialog::pixosAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::pixosAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); /* Page "General" */ data.registerOption( m_dialog->pix_set_host_name, fwoptions, "pix_set_host_name"); data.registerOption( m_dialog->pix_ip_address, fwoptions, "pix_ip_address"); /* Page NTP */ string host_os = o->getStr("host_OS"); if (host_os == "pix_os") { 
m_dialog->fwsm_ntp_warning->hide(); m_dialog->ntp_servers_group->show(); data.registerOption( m_dialog->ntp1, fwoptions, "pix_ntp1" ); data.registerOption( m_dialog->ntp1_pref, fwoptions, "pix_ntp1_pref" ); data.registerOption( m_dialog->ntp2, fwoptions, "pix_ntp2" ); data.registerOption( m_dialog->ntp2_pref, fwoptions, "pix_ntp2_pref" ); data.registerOption( m_dialog->ntp3, fwoptions, "pix_ntp3" ); data.registerOption( m_dialog->ntp3_pref, fwoptions, "pix_ntp3_pref" ); } if (host_os == "fwsm_os") { m_dialog->fwsm_ntp_warning->show(); m_dialog->ntp_servers_group->hide(); } /* Page SNMP */ data.registerOption( m_dialog->disable_snmp_agent, fwoptions, "pix_disable_snmp_agent"); data.registerOption( m_dialog->set_communities, fwoptions, "pix_set_communities_from_object_data" ); data.registerOption( m_dialog->enable_traps, fwoptions, "pix_enable_snmp_traps" ); data.registerOption( m_dialog->snmp_server1, fwoptions, "pix_snmp_server1" ); data.registerOption( m_dialog->snmp_server2, fwoptions, "pix_snmp_server2" ); data.registerOption( m_dialog->snmp_poll_traps_1, fwoptions, "pix_snmp_poll_traps_1" ); data.registerOption( m_dialog->snmp_poll_traps_2, fwoptions, "pix_snmp_poll_traps_2" ); /* Page Options */ data.registerOption( m_dialog->tcpmss, fwoptions, "pix_tcpmss"); data.registerOption( m_dialog->tcpmss_value, fwoptions, "pix_tcpmss_value"); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void pixosAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); data.saveAll(fwoptions); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void pixosAdvancedDialog::reject() { QDialog::reject(); } 
fwbuilder-5.3.7/src/libgui/pixosAdvancedDialog.h000066400000000000000000000026601303637203600216430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PIXOSADVANCEDDIALOG_H_ #define __PIXOSADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class pixosAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::pixosAdvancedDialog_q *m_dialog; public: pixosAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~pixosAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); public slots: }; #endif // __PIXOSADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/pixosIfaceOptsDialog.cpp000066400000000000000000000113161303637203600223440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id: pixosIfaceOptsDialog.cpp 1586 2009-10-13 05:05:03Z vadim $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "pixosIfaceOptsDialog.h" #include "platforms.h" #include "FWCmdChange.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include "FWWindow.h" #include "Help.h" #include #include using namespace std; using namespace libfwbuilder; pixosIfaceOptsDialog::pixosIfaceOptsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::pixosIfaceOptsDialog_q; m_dialog->setupUi(this); setWindowModality(Qt::WindowModal); obj = o; FWOptions *ifopt = (Interface::cast(obj))->getOptionsObject(); cluster_interface = (Cluster::cast(obj->getParent()) != NULL); setInterfaceTypes(m_dialog->iface_type, Interface::cast(obj), ifopt->getStr("type").c_str()); // Using "type" control only for subinterfaces // and main interfaces of the firewall objects if (cluster_interface) { m_dialog->iface_type->hide(); m_dialog->iface_type_label->hide(); } else { m_dialog->iface_type->show(); m_dialog->iface_type_label->show(); } data.registerOption(m_dialog->vlan_id, ifopt, "vlan_id"); data.loadAll(); // special actions for different iface types // VLAN (8021q) typeChanged(""); } pixosIfaceOptsDialog::~pixosIfaceOptsDialog() { delete m_dialog; } /* * store all data in the object */ void pixosIfaceOptsDialog::accept() { // validate user input before saving if (!validate()) return; ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the interface object FWObject* new_state = cmd->getNewState(); FWOptions* ifopt = 
Interface::cast(new_state)->getOptionsObject(); assert(ifopt!=NULL); if (cluster_interface) { ifopt->setStr("type", "cluster_interface"); } else { QString new_type = m_dialog->iface_type->itemData( m_dialog->iface_type->currentIndex()).toString(); ifopt->setStr("type", new_type.toStdString()); } data.saveAll(ifopt); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void pixosIfaceOptsDialog::reject() { QDialog::reject(); } void pixosIfaceOptsDialog::help() { QString tab_title = m_dialog->tabWidget->tabText( m_dialog->tabWidget->currentIndex()); QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower(); Help *h = Help::getHelpWindow(this); h->setName("PIX Interface"); h->setSource(QUrl("pixosIfaceOptsDialog.html#" + anchor)); h->raise(); h->show(); } void pixosIfaceOptsDialog::typeChanged(const QString&) { QString new_type = m_dialog->iface_type->itemData( m_dialog->iface_type->currentIndex()).toString(); // enable VLAN ID line edit for type VLAN if (new_type == "8021q") { m_dialog->options_stack->setCurrentIndex(1); return; } // page 0 is empty m_dialog->options_stack->setCurrentIndex(0); } bool pixosIfaceOptsDialog::validate() { bool valid = true; QString combobox = m_dialog->iface_type->currentText(); QString type = m_dialog->iface_type->itemData( m_dialog->iface_type->currentIndex()).toString(); QWidget *focus = NULL; QString message; if (type == "8021q") { // VLAN ID must be set between 1 <= vid <= 4'094 // QSpinBox widget enforces these limits ; } if (!valid) { QMessageBox::warning(this, "Firewall Builder", tr("Input not valid: %1").arg(message), "&Continue", QString::null, QString::null, 0, 1); focus->setFocus(); } return valid; } fwbuilder-5.3.7/src/libgui/pixosIfaceOptsDialog.h000066400000000000000000000032151303637203600220100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id: pixosIfaceOptsDialog.h 
1487 2009-09-23 17:00:48Z vadim $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PIXOSIFACEOPTSDIALOG_H_ #define __PIXOSIFACEOPTSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class pixosIfaceOptsDialog : public QDialog { Q_OBJECT public: pixosIfaceOptsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~pixosIfaceOptsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::pixosIfaceOptsDialog_q *m_dialog; bool cluster_interface; /** validate user input for different interface types */ bool validate(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); void typeChanged(const QString&); }; #endif // __PIXOSIFACEOPTSDIALOG_H_ fwbuilder-5.3.7/src/libgui/pixosadvanceddialog_q.ui000066400000000000000000000413501303637203600224500ustar00rootroot00000000000000 pixosAdvancedDialog_q Qt::WindowModal true 0 0 539 402 PIX Advanced Configuration Options 11 6 0 General 6 6 Set PIX host name using object's name Generate commands to configure addresses for interfaces Qt::Vertical QSizePolicy::Expanding 20 40 NTP NTP cannot be configured on FWSM, because it takes its settings from the Switch. 
Qt::AlignCenter true NTP Servers: 6 6 Server 1: Qt::AlignCenter false Server 2: Qt::AlignCenter false Server 3: Qt::AlignCenter false Preffered: Qt::AlignCenter false IP address: Qt::AlignCenter false Qt::Vertical QSizePolicy::Expanding 20 30 SNMP 6 6 Disable SNMP Agent Set SNMP communities using data from the firewall object dialog Qt::Vertical QSizePolicy::Expanding 20 40 SNMP servers 6 6 Poll Poll and Traps Traps Poll Poll and Traps Traps Enable: Qt::AlignCenter false 0 0 IP address: Qt::AlignCenter false SNMP Server 1: Qt::AlignCenter false SNMP Server 2: Qt::AlignCenter false Enable sending log messages as SNMP trap notifications Options 6 6 Change TCP MSS to Qt::Vertical QSizePolicy::Expanding 20 162 0 4096 10 1380 bytes Qt::AlignCenter false Qt::Horizontal QSizePolicy::Expanding 20 20 6 0 Qt::Horizontal QSizePolicy::Expanding 20 20 OK Qt::AlignCenter false Cancel tabWidget pix_set_host_name pix_ip_address ntp1 ntp1_pref ntp2 ntp2_pref ntp3 ntp3_pref disable_snmp_agent set_communities enable_traps snmp_server1 snmp_poll_traps_1 snmp_server2 snmp_poll_traps_2 tcpmss tcpmss_value ok_button cancel_button ok_button clicked() pixosAdvancedDialog_q accept() 20 20 20 20 cancel_button clicked() pixosAdvancedDialog_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/pixosifaceoptsdialog_q.ui000066400000000000000000000167171303637203600226710ustar00rootroot00000000000000 pixosIfaceOptsDialog_q 0 0 418 322 PIX: interface settings Help Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 Options :/Icons/Options:/Icons/Options Qt::Vertical QSizePolicy::Fixed 20 16 Qt::RightToLeft Device Type Qt::Horizontal 40 20 0 0 1 true Qt::RightToLeft VLAN ID 4095 Qt::Horizontal 140 20 Qt::Vertical 20 43 buttonOk buttonCancel tabWidget buttonOk clicked() pixosIfaceOptsDialog_q accept() 316 472 20 20 buttonCancel clicked() pixosIfaceOptsDialog_q reject() 397 472 20 20 buttonHelp clicked() pixosIfaceOptsDialog_q help() 68 464 231 245 iface_type 
currentIndexChanged(QString) pixosIfaceOptsDialog_q typeChanged(QString) 287 196 286 261 typeChanged(QString) bondingPolicyChanged(QString) fwbuilder-5.3.7/src/libgui/platforms.cpp000066400000000000000000001276711303637203600203070ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "platforms.h" #include "FWBSettings.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include #include #include #include #include "fwbuilder/Cluster.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Policy.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; QStringList emptyList; QStringList logLevels; QStringList logFacilities; QStringList actionsOnReject; QStringList routeOptions_pf_ipf; QStringList routeLoadOptions_pf; QStringList limitSuffixes; QStringList classifyOptions_ipfw; void init_platforms() { logLevels.push_back(""); logLevels.push_back(""); logLevels.push_back(QObject::tr( "alert" )); logLevels.push_back( "alert" ); logLevels.push_back(QObject::tr( 
"crit" )); logLevels.push_back( "crit" ); logLevels.push_back(QObject::tr( "error" )); logLevels.push_back( "error" ); logLevels.push_back(QObject::tr( "warning")); logLevels.push_back( "warning"); logLevels.push_back(QObject::tr( "notice" )); logLevels.push_back( "notice" ); logLevels.push_back(QObject::tr( "info" )); logLevels.push_back( "info" ); logLevels.push_back(QObject::tr( "debug" )); logLevels.push_back( "debug" ); logFacilities.push_back(""); logFacilities.push_back(""); logFacilities.push_back(QObject::tr( "kern" )); logFacilities.push_back( "kern" ); logFacilities.push_back(QObject::tr( "user" )); logFacilities.push_back( "user" ); logFacilities.push_back(QObject::tr( "mail" )); logFacilities.push_back( "mail" ); logFacilities.push_back(QObject::tr( "daemon" )); logFacilities.push_back( "daemon" ); logFacilities.push_back(QObject::tr( "auth" )); logFacilities.push_back( "auth" ); logFacilities.push_back(QObject::tr( "syslog" )); logFacilities.push_back( "syslog" ); logFacilities.push_back(QObject::tr( "lpr" )); logFacilities.push_back( "lpr" ); logFacilities.push_back(QObject::tr( "news" )); logFacilities.push_back( "news" ); logFacilities.push_back(QObject::tr( "uucp" )); logFacilities.push_back( "uucp" ); logFacilities.push_back(QObject::tr( "cron" )); logFacilities.push_back( "cron" ); logFacilities.push_back(QObject::tr( "authpriv" )); logFacilities.push_back( "authpriv"); logFacilities.push_back(QObject::tr( "ftp" )); logFacilities.push_back( "ftp" ); logFacilities.push_back(QObject::tr( "local0" )); logFacilities.push_back( "local0" ); logFacilities.push_back(QObject::tr( "local1" )); logFacilities.push_back( "local1" ); logFacilities.push_back(QObject::tr( "local2" )); logFacilities.push_back( "local2" ); logFacilities.push_back(QObject::tr( "local3" )); logFacilities.push_back( "local3" ); logFacilities.push_back(QObject::tr( "local4" )); logFacilities.push_back( "local4" ); logFacilities.push_back(QObject::tr( "local5" )); 
logFacilities.push_back( "local5" ); logFacilities.push_back(QObject::tr( "local6" )); logFacilities.push_back( "local6" ); logFacilities.push_back(QObject::tr( "local7" )); logFacilities.push_back( "local7" ); actionsOnReject.push_back(""); actionsOnReject.push_back(""); actionsOnReject.push_back(QObject::tr("ICMP admin prohibited")); actionsOnReject.push_back("ICMP admin prohibited"); actionsOnReject.push_back(QObject::tr("ICMP host prohibited")); actionsOnReject.push_back("ICMP host prohibited"); actionsOnReject.push_back(QObject::tr("ICMP host unreachable")); actionsOnReject.push_back("ICMP host unreachable"); actionsOnReject.push_back(QObject::tr("ICMP net prohibited")); actionsOnReject.push_back("ICMP net prohibited"); actionsOnReject.push_back(QObject::tr("ICMP net unreachable")); actionsOnReject.push_back("ICMP net unreachable"); actionsOnReject.push_back(QObject::tr("ICMP port unreachable")); actionsOnReject.push_back("ICMP port unreachable"); actionsOnReject.push_back(QObject::tr("ICMP protocol unreachable")); actionsOnReject.push_back("ICMP protocol unreachable"); actionsOnReject.push_back(QObject::tr("TCP RST")); actionsOnReject.push_back("TCP RST"); routeOptions_pf_ipf.push_back(QObject::tr("None")); routeOptions_pf_ipf.push_back("none"); routeOptions_pf_ipf.push_back(QObject::tr("Route through")); routeOptions_pf_ipf.push_back("route_through"); routeOptions_pf_ipf.push_back(QObject::tr("Route reply through")); routeOptions_pf_ipf.push_back("route_reply_through"); routeOptions_pf_ipf.push_back(QObject::tr("Route a copy through")); routeOptions_pf_ipf.push_back("route_copy_through"); routeLoadOptions_pf.push_back(QObject::tr("None")); routeLoadOptions_pf.push_back("none"); routeLoadOptions_pf.push_back(QObject::tr("Bitmask")); routeLoadOptions_pf.push_back("bitmask"); routeLoadOptions_pf.push_back(QObject::tr("Random")); routeLoadOptions_pf.push_back("random"); routeLoadOptions_pf.push_back(QObject::tr("Source Hash")); 
routeLoadOptions_pf.push_back("source_hash"); routeLoadOptions_pf.push_back(QObject::tr("Round Robin")); routeLoadOptions_pf.push_back("round_robin"); classifyOptions_ipfw.push_back(QObject::tr("None")); classifyOptions_ipfw.push_back("-1"); classifyOptions_ipfw.push_back(QObject::tr("dummynet(4) 'pipe'")); classifyOptions_ipfw.push_back("1"); classifyOptions_ipfw.push_back(QObject::tr("dummynet(4) 'queue'")); classifyOptions_ipfw.push_back("2"); limitSuffixes.push_back(""); limitSuffixes.push_back(""); limitSuffixes.push_back(QObject::tr("/day")); limitSuffixes.push_back("/day"); limitSuffixes.push_back(QObject::tr("/hour")); limitSuffixes.push_back("/hour"); limitSuffixes.push_back(QObject::tr("/minute")); limitSuffixes.push_back("/minute"); limitSuffixes.push_back(QObject::tr("/second")); limitSuffixes.push_back("/second"); } bool isUsingNetZone(Firewall *fw) { string platform=fw->getStr("platform"); return (platform=="pix" || platform=="fwsm"); } bool isDefaultPolicyRuleOptions(FWOptions *opt) { bool res = true; FWObject *p; PolicyRule *rule = NULL; p = opt; do { p = p->getParent(); if (PolicyRule::cast(p)!=NULL) rule = PolicyRule::cast(p); } while ( p!=NULL && Firewall::cast(p)==NULL ); if (p==NULL) { qDebug() << "isDefaultPolicyRuleOptions()" << "Can not locate parent Firewall object for the options object"; opt->dump(false, true); return true; } QString platform = p->getStr("platform").c_str(); // if (fwbdebug) // qDebug(QString("Options object type: %1").arg(opt->getTypeName())); if (PolicyRuleOptions::isA(opt)) { if (platform=="iptables") { res= ( opt->getStr("log_prefix").empty() && opt->getStr("log_level").empty() && opt->getInt("limit_value")<=0 && ! opt->getBool("limit_value_not") && opt->getInt("limit_burst")<=0 && opt->getInt("connlimit_value")<=0 && ! 
opt->getBool("connlimit_above_not") && opt->getInt("connlimit_masklen")<=0 && opt->getStr("hashlimit_name").empty() && opt->getInt("hashlimit_value")<=0 && opt->getInt("hashlimit_burst")<=0 && opt->getInt("hashlimit_size")<=0 && opt->getInt("hashlimit_max")<=0 && opt->getInt("hashlimit_expire")<=0 && opt->getInt("hashlimit_gcinterval")<=0 && opt->getInt("ulog_nlgroup")<=1 && opt->getStr("limit_suffix").empty() && opt->getStr("firewall_is_part_of_any_and_networks") == ""); } if (platform=="pix" || platform=="fwsm") { string vers="version_"+p->getStr("version"); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) if ( Resources::platform_res[platform.toAscii().constData()]->getResourceBool( "/FWBuilderResources/Target/options/"+vers+"/pix_rule_syslog_settings")) #else if ( Resources::platform_res[platform.toLatin1().constData()]->getResourceBool( "/FWBuilderResources/Target/options/"+vers+"/pix_rule_syslog_settings")) #endif { res= ( opt->getStr("log_level").empty() && opt->getInt("log_interval")<=0 && ! opt->getBool("disable_logging_for_this_rule") ); } else { res=true; } } if (platform=="pf") { string version = p->getStr("version"); bool ge_4_0 = XMLTools::version_compare(version, "4.0")>=0; bool ge_4_5 = XMLTools::version_compare(version, "4.5")>=0; if (ge_4_5) { res = (!opt->getBool("pf_no_sync") && !opt->getBool("pf_pflow")); } if (ge_4_0) { res = res && ( opt->getStr("log_prefix").empty() && opt->getInt("pf_rule_max_state")<=0 && ! opt->getBool("pf_source_tracking") && opt->getInt("pf_max_src_conn")<=0 && opt->getInt("pf_max_src_conn_rate_num")<=0 && opt->getInt("pf_max_src_conn_rate_seconds")<=0 && ! opt->getBool("pf_keep_state") && ! opt->getBool("pf_sloppy_tracker") && ! opt->getBool("pf_synproxy") && ! opt->getBool("pf_modulate_state") ); }else { res = res && ( opt->getStr("log_prefix").empty() && opt->getInt("pf_rule_max_state")<=0 && ! 
opt->getBool("pf_source_tracking") && opt->getInt("pf_max_src_conn")<=0 && opt->getInt("pf_max_src_conn_rate_num")<=0 && opt->getInt("pf_max_src_conn_rate_seconds")<=0 && ! opt->getBool("pf_keep_state") && ! opt->getBool("pf_sloppy_tracker") && ! opt->getBool("pf_synproxy") && ! opt->getBool("pf_modulate_state") ); } } if (platform=="ipf") { res= ( opt->getStr("ipf_log_facility").empty() && opt->getStr("log_level").empty() && ! opt->getBool("ipf_keep_frags") && ! opt->getBool("ipf_return_icmp_as_dest") ); } if (platform=="ipfw") { //res= ( ! opt->getBool("stateless") ); res = true; } if (rule!=NULL) { PolicyRule::Action act = rule->getAction(); if (act==PolicyRule::Accept) { // by default, these actions are not stateless res = res && (!opt->getBool("stateless")); } else { // other actions are stateless by default res = res && opt->getBool("stateless"); } } // all rules are stateless for IOS ACL if (platform=="iosacl" || platform=="procurve_acl") { res = !opt->getBool("iosacl_add_mirror_rule"); } } return res; } bool isDefaultNATRuleOptions(FWOptions *opt) { bool res=true; FWObject *p; p=opt; do { p=p->getParent(); } while ( p!=NULL && Firewall::cast(p)==NULL ); assert(p!=NULL); QString platform = p->getStr("platform").c_str(); if (NATRuleOptions::isA(opt)) { if (platform=="iptables") { res = !opt->getBool("ipt_use_snat_instead_of_masq") && !opt->getBool("ipt_nat_random") && !opt->getBool("ipt_nat_persistent"); } if (platform=="pf") { // if "pf_pool_type_none" is undefined, then all others // should not be defined too because they all are set by // the same dialog // In this case consider options default. res = (opt->getStr("pf_pool_type_none") == "" || ( opt->getBool("pf_pool_type_none") && ! opt->getBool("pf_bitmask") && ! opt->getBool("pf_random") && ! opt->getBool("pf_source_hash") && ! opt->getBool("pf_round_robin") && ! opt->getBool("pf_static_port") ) ); } if (platform=="pix" || platform=="fwsm") { res = (! opt->getBool("asa8_nat_dns") && ! 
opt->getBool("asa8_nat_static") && ! opt->getBool("asa8_nat_dynamic")); } } return res; } bool isDefaultRoutingRuleOptions(FWOptions *opt) { bool res=true; // if (fwbdebug) // qDebug(QString("Options object type: %1").arg(opt->getTypeName())); if (RoutingRuleOptions::isA(opt)) { res= ( ! opt->getBool("no_fail") ); } return res; } QString getVersionString(const QString &platform, const QString &version) { list vl; getVersionsForPlatform(platform, vl); list::iterator li = std::find_if(vl.begin(),vl.end(),findFirstInQStringPair(version)); QString readableVersion = (li!=vl.end())?li->second:""; return readableVersion; } void getVersionsForPlatform(const QString &platform, std::list &res) { /* versions are defined here instead of the resource files so that * strings could be localized. We use strings that can be localized * only for iptables but define versions for all platforms here for * uniformity */ if (platform=="iptables") { res.push_back(QStringPair("", QObject::tr("- any -"))); res.push_back(QStringPair("lt_1.2.6", QObject::tr("1.2.5 or earlier"))); res.push_back(QStringPair("ge_1.2.6", QObject::tr("1.2.6 to 1.2.8"))); res.push_back(QStringPair("1.2.9", QObject::tr("1.2.9 to 1.2.11"))); res.push_back(QStringPair("1.3.0", QObject::tr("1.3.x"))); res.push_back(QStringPair("1.4.0", QObject::tr("1.4.0 or later"))); res.push_back(QStringPair("1.4.1.1", QObject::tr("1.4.1.1 or later"))); res.push_back(QStringPair("1.4.3", QObject::tr("1.4.3"))); res.push_back(QStringPair("1.4.4", QObject::tr("1.4.4 or later"))); res.push_back(QStringPair("1.4.11", QObject::tr("1.4.11 or later"))); res.push_back(QStringPair("1.4.20", QObject::tr("1.4.20 or later"))); } else { // we list supported versions for the following platforms in // corresponding resource .xml file if (platform=="pix" || platform=="fwsm" || platform=="nxosacl" || platform=="iosacl" || platform=="procurve_acl") { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QString lst = Resources::platform_res[ 
platform.toAscii().constData()]->getResourceStr( "/FWBuilderResources/Target/versions").c_str(); #else QString lst = Resources::platform_res[ platform.toLatin1().constData()]->getResourceStr( "/FWBuilderResources/Target/versions").c_str(); #endif QStringList ll=lst.split(','); for (QStringList::iterator i=ll.begin(); i!=ll.end(); ++i) res.push_back(QStringPair(*i,*i)); } else { if (platform=="pf") { res.push_back(QStringPair("","- any -")); res.push_back(QStringPair("3.x", QObject::tr("3.x"))); res.push_back(QStringPair("ge_3.7", QObject::tr("3.7 to 3.9"))); res.push_back(QStringPair("4.0", QObject::tr("4.0 to 4.2"))); res.push_back(QStringPair("4.3", QObject::tr("4.3"))); res.push_back(QStringPair("4.5", QObject::tr("4.5"))); res.push_back(QStringPair("4.6", QObject::tr("4.6"))); res.push_back(QStringPair("4.7", QObject::tr("4.7 and later"))); /* add pf versions here */ } else { if (platform=="ipf") { res.push_back(QStringPair("","- any -")); /* add ipf versions here */ } else { if (platform=="ipfw") { res.push_back(QStringPair("","- any -")); /* add ipfw versions here */ } else res.push_back(QStringPair("","- any -")); } } } } } /* * ticket #58: move state sync types and failover types to resource files. * * Note: this function fills in list of QString pairs, each pair is * , * The second element in the pair is for QComboBox and is visible to the user. 
*/ void getStateSyncTypesForOS(const QString &host_os, std::list &res) { Resources* os_res = Resources::os_res[host_os.toStdString()]; if (os_res==NULL) return; list protocols; os_res->getResourceStrList("/FWBuilderResources/Target/protocols/state_sync", protocols); _repackStringList(protocols, res); } void getFailoverTypesForOS(const QString &host_os, std::list &res) { Resources* os_res = Resources::os_res[host_os.toStdString()]; if (os_res==NULL) return; list protocols; os_res->getResourceStrList("/FWBuilderResources/Target/protocols/failover", protocols); _repackStringList(protocols, res); } void getInterfaceTypes(Interface *iface, list &res) { FWObject *fw = iface->getParent(); string host_os = fw->getStr("host_OS"); Resources* os_res = Resources::os_res[host_os]; if (os_res==NULL) return; list interface_types; if (Cluster::isA(fw)) { os_res->getResourceStrList("/FWBuilderResources/Target/interfaces/cluster", interface_types); } else { os_res->getResourceStrList("/FWBuilderResources/Target/interfaces/firewall", interface_types); } _repackStringList(interface_types, res); } /* * Return list of types of subinterfaces that given interface can have * * @iface an Interface object. This is not a subinterface, this is a * regular interface. This function returns list of subinterface types * this interface can have. 
* * @res a list of pairs of QString, each pair is , */ void getSubInterfaceTypes(Interface *iface, list &res) { FWObject *p = Host::getParentHost(iface); //FWObject *p = iface->getParentHost(); assert(p!=NULL); QString host_os = p->getStr("host_OS").c_str(); Resources* os_res = Resources::os_res[host_os.toStdString()]; if (os_res==NULL) return; FWOptions *ifopt; ifopt = Interface::cast(iface)->getOptionsObject(); string parent_type = ifopt->getStr("type"); // empty parent type is equivalent to "ethernet" for backwards // compatibility if (parent_type.empty()) parent_type = "ethernet"; QString obj_name = iface->getName().c_str(); list interface_types; os_res->getResourceStrList( "/FWBuilderResources/Target/subinterfaces/" + parent_type, interface_types); _repackStringList(interface_types, res); } void setInterfaceTypes(QComboBox *iface_type, Interface *iface, const QString ¤t_type) { bool this_is_subinterface = Interface::isA(iface->getParent()); list mapping; if (this_is_subinterface) getSubInterfaceTypes(Interface::cast(iface->getParent()), mapping); else getInterfaceTypes(iface, mapping); if (st->getBool("Objects/Interface/autoconfigureInterfaces")) { // #335 : if interface name matches naming convention for vlan // interfaces and vlan type is in the list that came from the // resource file, then leave only vlan in the list we return. // Note that if resource file says this subint can not be vlan, we // dan't return vlan type on the list even if its name looks like // it could be one. 
FWObject *p = Host::getParentHost(iface); //FWObject *p = iface->getParentHost(); assert(p!=NULL); QString host_os = p->getStr("host_OS").c_str(); QString obj_name = iface->getName().c_str(); Resources* os_res = Resources::os_res[p->getStr("host_OS")]; string os_family = p->getStr("host_OS"); if (os_res!=NULL) os_family = os_res->getResourceStr("/FWBuilderResources/Target/family"); std::auto_ptr int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject( os_family)); if (int_prop->looksLikeVlanInterface(obj_name)) { QString parent_name = iface->getParent()->getName().c_str(); QString err; if (int_prop->isValidVlanInterfaceName(obj_name, parent_name, err)) { // iface can be valid vlan interface. Leave only vlan type // in the list if it was there to begin with. for (list::iterator it=mapping.begin(); it!=mapping.end(); ++it) { QString itype = it->first; QString rtype = it->second; if (itype == "8021q") { mapping.clear(); mapping.push_back(QStringPair(itype, rtype)); mapping.push_back(QStringPair("unknown", "Unknown")); break; } } } } } list::iterator it; int idx = 0; int unknown_idx = 0; int current_idx = -1; for (it = mapping.begin(); it != mapping.end(); it++) { if (it->first == "unknown") unknown_idx = idx; iface_type->addItem(it->second); iface_type->setItemData(idx, QVariant(it->first)); if (current_type == it->first) current_idx = idx; idx++; } if (current_idx >= 0) iface_type->setCurrentIndex(current_idx); else iface_type->setCurrentIndex(unknown_idx); } /* currently we return the same list for all platforms */ const QStringList& getLogLevels(const QString&) { return logLevels; } const QStringList& getLogFacilities(const QString&) { return logFacilities; } const QStringList& getActionsOnReject(const QString&) { return actionsOnReject; } /* * need to return mapping list for the parameter 'route_option' of * action 'Routing' regardless of the firewall platform even though * it only makes sense and is needed for pf and ipf. 
This is because * ActionsDialog is designed with widget stack and therefore must * always initialize widgets for all platforms. Worse, it always * saves all parameters into rule options object, regardless of the * platform. So, if we return an empty mapping list from this method * because platform is not pf or ipf while user is editing action * parameters for iptables, parameters for pf and ipf get saved * uninitizalized and unmapped. QComboBox::currentText() returns the * first item which goes straight into rule options object. This is * ok in English locale, but breaks XML if the item has been * translated and the program runs under national locale. Sigh. */ const QStringList& getRouteOptions_pf_ipf(const QString&) { return routeOptions_pf_ipf; } const QStringList& getRouteLoadOptions_pf(const QString&) { return routeLoadOptions_pf; } const QStringList& getClassifyOptions_ipfw(const QString&) { return classifyOptions_ipfw; } const QStringList& getLimitSuffixes(const QString&) { return limitSuffixes; } QStringList getScreenNames(const QStringList &sl) { QStringList res; for( QStringList::const_iterator it = sl.begin(); it!=sl.end(); ++it,++it) { res.push_back(*it); } return res; } QString getScreenName(QString s, const QStringList &sl) { QString res; for( QStringList::const_iterator it = sl.begin(); it!=sl.end(); ++it) { res=(*it); ++it; if ((*it)==s) break; } return res; } QString getRuleAction(Rule *rule) { PolicyRule *policy_rule = PolicyRule::cast(rule); NATRule *nat_rule = NATRule::cast(rule); string act; if (policy_rule) act = policy_rule->getActionAsString(); if (nat_rule) act = nat_rule->getActionAsString(); return act.c_str(); } /* * will remap names of some actions to make it clear what commands or * configuration language keywords they will be translated to for the * target firewall platform. This should help users who are familiar * with the platform. 
There are very few places where such mapping is * necessary, plus we need to provide for localization of the mapped * names. That is why action names are not stored in platform resource * files and are not pulled using Rule::getActionAsString. */ QString getActionNameForPlatform(Firewall *fw, Rule *rule) { if (fw==NULL) return ""; PolicyRule *policy_rule = PolicyRule::cast(rule); NATRule *nat_rule = NATRule::cast(rule); string act; if (policy_rule) act = policy_rule->getActionAsString(); if (nat_rule) act = nat_rule->getActionAsString(); return getActionNameForPlatform(fw, act); } QString getActionNameForPlatform(Firewall *fw, const std::string &action) { if (fw==NULL) return ""; string platform = fw->getStr("platform"); string name; try { name = Resources::getTargetCapabilityStr( platform, "actions/" + action + "/description"); } catch (FWException &ex) { } return name.c_str(); } /* * this function provides logic for the decision whether the rule * should be stateless by default. Currently it only depends on the * action, but may depend on the platform as well. * * actions Accept, Tag and Route by default assume the rule is * stateful. Other actions by default assume it is stateless * and set rule option accordingly * * See bugs #1676635 and 1671910 */ bool getStatelessFlagForAction(PolicyRule *rule) { PolicyRule::Action act = rule->getAction(); if (act==PolicyRule::Accept) return false; else return true; } /** * Returns translatable string - name of the corresponding rule element. */ QString getReadableRuleElementName(const string &platform, const string &re_type_name) { bool nat_intf_in = Resources::getTargetCapabilityBool( platform, "inbound_interface_in_nat"); bool nat_intf_out = Resources::getTargetCapabilityBool( platform, "outbound_interface_in_nat"); // The following map TYPENAME of RuleElement classes to readable // translatable names. 
if (re_type_name == "Src") return QObject::tr("Source"); if (re_type_name == "Dst") return QObject::tr("Destination"); if (re_type_name == "Srv") return QObject::tr("Service"); if (re_type_name == "Itf") return QObject::tr("Interface"); if (re_type_name == "When") return QObject::tr("Time"); if (re_type_name == "OSrc") return QObject::tr("Original Src"); if (re_type_name == "ODst") return QObject::tr("Original Dst"); if (re_type_name == "OSrv") return QObject::tr("Original Srv"); if (re_type_name == "TSrc") return QObject::tr("Translated Src"); if (re_type_name == "TDst") return QObject::tr("Translated Dst"); if (re_type_name == "TSrv") return QObject::tr("Translated Srv"); if (nat_intf_in != nat_intf_out) { // For some platforms I only show one interface column in nat // rules, in this case nat_intf_in and nat_intf_out have // different values. For example, for PF I hide inbound // interface and show outbound interface column. Columns title // should then be just "Interface" if (re_type_name == "ItfInb") return QObject::tr("Interface"); if (re_type_name == "ItfOutb") return QObject::tr("Interface"); } else { if (re_type_name == "ItfInb") return QObject::tr("Interface In"); if (re_type_name == "ItfOutb") return QObject::tr("Interface Out"); } if (re_type_name == "RDst") return QObject::tr("Destination"); if (re_type_name == "RGtw") return QObject::tr("Gateway"); if (re_type_name == "RItf") return QObject::tr("Interface"); // as of v3.0.x the following are not real rule elements (not separate // classes with names) but just attributes of corresponding Rule class. 
if (re_type_name == "Direction") return QObject::tr("Direction"); if (re_type_name == "Action") return QObject::tr("Action"); if (re_type_name == "Options") return QObject::tr("Options"); if (re_type_name == "Metric") return QObject::tr("Metric"); if (re_type_name == "Comment") return QObject::tr("Comment"); return QString(); } QMap getAllPlatforms(bool filter) { QMap res; map platforms = Resources::getPlatforms(); map::iterator i; for (i=platforms.begin(); i!=platforms.end(); i++) { QString name = i->first.c_str(); QString res_status = Resources::platform_res[name.toStdString()]->getResourceStr( "/FWBuilderResources/Target/status/").c_str(); QString status = st->getTargetStatus(name, res_status); if (filter && status == "disabled") continue; res[name] = i->second.c_str(); } return res; } QMap getAllOS(bool filter) { QMap res; map OSs = Resources::getOS(); map::iterator i; for (i=OSs.begin(); i!=OSs.end(); i++) { QString name = i->first.c_str(); QString res_status = Resources::os_res[name.toStdString()]->getResourceStr( "/FWBuilderResources/Target/status/").c_str(); QString status = st->getTargetStatus(name, res_status); if (filter && status == "disabled") continue; res[name] = i->second.c_str(); } return res; } QString readPlatform(QComboBox *platform) { return platform->itemData(platform->currentIndex()).toString(); } QString readHostOS(QComboBox *hostOS) { return hostOS->itemData(hostOS->currentIndex()).toString(); } /* * Fill combobox widget with items that exist in resources. * If second argument is not an empty string, make corresponding item current. * If it is an empty string, add an empty item on top to the combo box and make * it current. */ void setPlatform(QComboBox *platform, const QString &pl) { platform->clear(); // platforms maps platform name (pix) to readable name (Cisco PIX) QMap platforms = getAllPlatforms(); QMap::iterator i; // platform_mapping maps key (.) 
to pair // , QMap > platform_mapping; QStringList platform_keys; for (i=platforms.begin(); i!=platforms.end(); i++) { QString group = Resources::platform_res[i.key().toLatin1().constData()]-> getResourceStr("/FWBuilderResources/Target/group").c_str(); QString key = group + "." + i.key(); platform_mapping[key] = QPair(group, i.key()); platform_keys.push_back(key); } qSort(platform_keys); QStringList::iterator iter; int ind = 0; int cp = 0; if (pl.isEmpty()) { platform->addItem("", ""); cp++; } QString current_group = ""; for (iter=platform_keys.begin(); iter!=platform_keys.end(); iter++) { if (fwbdebug) qDebug() << *iter; QString group = platform_mapping[*iter].first; QString platform_name = platform_mapping[*iter].second; if (platforms.count(platform_name) == 0) continue; if (group != current_group) { current_group = group; #if (QT_VERSION > 0x040500) platform->insertSeparator(cp); // QT before 4.4.? does not support separator in QComboBox #else platform->addItem(""); #endif cp++; } platform->addItem(platforms[platform_name], platform_name); // note that if pl is "", then no real platform name will // match it and ind will remain 0, which makes the top item in // the combobox current. if ( pl == platform_name ) ind = cp; cp++; } platform->setCurrentIndex( ind ); } /* * Fill in "host os" combo box with list of os supported for the given * platform and make current host os item current. * * If platform == "", then use all known host OS but also add * empty item on top of the combobox and make that item current. * If os == "", make the first OS in the list current. 
*/ void setHostOS(QComboBox *hostOS, const QString &platform, const QString &os) { hostOS->clear(); QStringList supported_os_list; if (!platform.isEmpty()) { Resources *platform_res = Resources::platform_res[platform.toLatin1().constData()]; if (!platform_res) platform_res = Resources::platform_res["unknown"]; QString supported_os = platform_res-> getResourceStr("/FWBuilderResources/Target/supported_os").c_str(); if (fwbdebug) qDebug("supported_os %s", supported_os.toLatin1().constData()); if (supported_os.isEmpty()) { // something is broken, we have no supported host OS for // this platform. Just add os to the combo box and return if (fwbdebug) qDebug("No supported host OS for platform %s", platform.toLatin1().constData()); hostOS->addItem(os, os); hostOS->setCurrentIndex(0); return; } supported_os_list = supported_os.split(","); int cp = 0; int ind = 0; QMap OSs = getAllOS(); QStringList::iterator os_iter; for (os_iter=supported_os_list.begin(); os_iter!=supported_os_list.end(); ++os_iter) { QString os_code = *os_iter; if (OSs.count(os_code) > 0) { hostOS->addItem( OSs[os_code], os_code); if ( os == os_code ) ind = cp; cp++; } } hostOS->setCurrentIndex( ind ); return; } // platform is empty int cp = 0; int ind = 0; hostOS->addItem("", ""); cp++; QMap OSs = getAllOS(); QMap::iterator i; for (i=OSs.begin(); i!=OSs.end(); i++) { hostOS->addItem( i.value(), i.key() ); if ( os == i.key() ) ind = cp; cp++; } hostOS->setCurrentIndex( ind ); } void _repackStringList(list &list1, list &list2) { list2.clear(); foreach(string p, list1) { QString str = QString(p.c_str()); QStringList pl = str.split(","); if (pl.size() == 1) list2.push_back(QStringPair(str, str)); else list2.push_back(QStringPair(pl[0], pl[1])); } } void setDefaultStateSyncGroupAttributes(StateSyncClusterGroup *grp) { FWObject *p = grp; while (p && Cluster::cast(p)==NULL) p = p->getParent(); assert(p != NULL); Cluster *cluster = Cluster::cast(p); Resources *os_res = 
Resources::os_res[cluster->getStr("host_OS")]; assert(os_res != NULL); list protocols; os_res->getResourceStrList("/FWBuilderResources/Target/protocols/state_sync", protocols); QStringList protocol_names = QString(protocols.front().c_str()).split(","); grp->setName(protocol_names[1].toStdString()); grp->setStr("type", protocol_names[0].toStdString()); } void setDefaultFailoverGroupAttributes(FailoverClusterGroup *grp) { FWObject *p = grp; while (p && Cluster::cast(p)==NULL) p = p->getParent(); assert(p != NULL); Cluster *cluster = Cluster::cast(p); Resources *os_res = Resources::os_res[cluster->getStr("host_OS")]; assert(os_res != NULL); FWOptions *gropt = grp-> getOptionsObject(); assert(gropt != NULL); string failover_protocol = grp->getStr("type"); if (failover_protocol == "carp") { gropt->setStr("carp_password", ""); gropt->setInt("carp_vhid", 1); gropt->setInt("carp_advbase", 1); gropt->setInt("carp_master_advskew", 10); gropt->setInt("carp_default_advskew", 20); } if (failover_protocol == "vrrp") { gropt->setStr("vrrp_secret", ""); gropt->setInt("vrrp_vrid", 1); gropt->setBool("vrrp_over_ipsec_ah", false); } if (failover_protocol == "heartbeat") { string default_address = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/heartbeat/default_address"); string default_port = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/heartbeat/default_port"); gropt->setStr("heartbeat_address", default_address); gropt->setStr("heartbeat_port", default_port); gropt->setBool("heartbeat_unicast", false); } if (failover_protocol == "openais") { string default_address = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/openais/default_address"); string default_port = os_res->getResourceStr( "/FWBuilderResources/Target/protocols/openais/default_port"); gropt->setStr("openais_address", default_address); gropt->setStr("openais_port", default_port); } if (failover_protocol == "pix_failover") { gropt->setStr("pix_failover_key", ""); } } void 
guessInterfaceLabel(InterfaceData *idata) { /* * some firewalls report fairly regular names for interfaces through * their built-in SNMP agent. We can use this to assign labels * automatically. * * in PIX interfaces have names like "PIX Firewall 'inside' interface" * */ QString qs_name = idata->name.c_str(); QString qs_label; QRegExp pat1("Adaptive Security Appliance '(.*)' interface"); QRegExp pat2("Cisco PIX Security Appliance '(.*)' interface"); QRegExp pat3("PIX Firewall '(.*)' interface"); if (pat1.indexIn(qs_name) > -1) qs_label = pat1.cap(1); if (pat2.indexIn(qs_name) > -1) qs_label = pat2.cap(1); if (pat3.indexIn(qs_name) > -1) qs_label = pat3.cap(1); idata->label = qs_label.toStdString(); if ( ! idata->isDyn && ! idata->isUnnumbered && ! idata->isBridgePort && idata->addr_mask.size()!=0 && idata->addr_mask.front()->getAddressPtr()->toString() == InetAddr::getLoopbackAddr().toString()) idata->label = "loopback"; } void guessSecurityLevel(const string&, InterfaceData *idata) { InetAddrMask n10(InetAddr("10.0.0.0"), InetAddr("255.0.0.0")); InetAddrMask n172(InetAddr("172.16.0.0"), InetAddr("255.240.0.0")); InetAddrMask n192(InetAddr("192.168.0.0"), InetAddr("255.255.0.0")); idata->securityLevel = -1; string llbl = idata->label; for (string::size_type i=0; isecurityLevel = 0; if ( llbl=="lan" || llbl=="in" || llbl.find("inside")!=string::npos || llbl.find("internal")!=string::npos ) idata->securityLevel = 100; if ( llbl.find("dmz")!=string::npos ) idata->securityLevel = 50; if ((*(idata->addr_mask.front()->getAddressPtr()))==InetAddr::getLoopbackAddr()) idata->securityLevel = 100; if (idata->name=="Null0") idata->securityLevel = 100; if (idata->securityLevel==-1 && ! idata->isDyn && ! idata->isUnnumbered && ! 
idata->isBridgePort) { if (n10.belongs(InetAddr(*(idata->addr_mask.front()->getAddressPtr())))) idata->securityLevel = 100; if (n172.belongs(InetAddr(*(idata->addr_mask.front()->getAddressPtr())))) idata->securityLevel = 100; if (n192.belongs(InetAddr(*(idata->addr_mask.front()->getAddressPtr())))) idata->securityLevel = 100; } if (idata->isDyn || idata->isUnnumbered || idata->isBridgePort) idata->securityLevel = 0; if (idata->securityLevel==-1) idata->securityLevel = 0; } void guessOSAndPlatformFromSysDescr( const QString &sysDescr, QString &platform, QString &hostOS, QString &version) { QList pix_re; pix_re << QRegExp("Cisco PIX Firewall Version ([0-9\\.]+)") << QRegExp("Cisco PIX Security Appliance Version ([0-9\\.]+)") << QRegExp("Cisco Adaptive Security Appliance Version ([0-9\\.]+)"); QList ios_re; ios_re << QRegExp("Cisco Internetwork Operating System Software .* Version ([0-9\\.]+)"); platform = ""; hostOS = ""; version = ""; if (fwbdebug) qDebug() << "guessOSAndPlatformFromSysDescr:" << "sysdescr=" << sysDescr; list allowed_versions; QString version_from_sysdescr; foreach (QRegExp re, pix_re) { if (re.indexIn(sysDescr) > -1) { platform = "pix"; hostOS = "pix_os"; version_from_sysdescr = re.cap(1); } } foreach (QRegExp re, ios_re) { if (re.indexIn(sysDescr) > -1) { platform = "iosacl"; hostOS = "ios"; version_from_sysdescr = re.cap(1); } } if (fwbdebug) qDebug() << "guessOSAndPlatformFromSysDescr:" << "platform=" << platform << "hostOS=" << hostOS << "version=" << version_from_sysdescr; if ( ! platform.isEmpty()) version = findBestVersionMatch(platform, version_from_sysdescr); } QString findBestVersionMatch(const QString &platform, const QString &discovered_version) { list allowed_versions; getVersionsForPlatform(platform, allowed_versions); if ( ! 
discovered_version.isEmpty()) { QString version_fit; list::iterator it; foreach (QStringPair p, allowed_versions) { QString vers = p.first; if (XMLTools::version_compare(vers.toStdString(), discovered_version.toStdString())>0) break; version_fit = vers; } return version_fit; } return ""; } fwbuilder-5.3.7/src/libgui/platforms.h000066400000000000000000000145631303637203600177470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2000 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _PLATFORMS_HH #define _PLATFORMS_HH #include "config.h" // among other things, utils.h defines list which we need here #include "utils.h" #include #include #include #include #include "fwbuilder/Rule.h" #include "fwbuilder/InterfaceData.h" namespace libfwbuilder { class FWOptions; class Firewall; class PolicyRule; class FailoverClusterGroup; class StateSyncClusterGroup; }; void init_platforms(); bool isUsingNetZone(libfwbuilder::Firewall *fw); bool isDefaultPolicyRuleOptions(libfwbuilder::FWOptions *opt); bool isDefaultNATRuleOptions(libfwbuilder::FWOptions *opt); bool isDefaultRoutingRuleOptions(libfwbuilder::FWOptions *opt); void setDefaultFailoverGroupAttributes(libfwbuilder::FailoverClusterGroup *grp); void setDefaultStateSyncGroupAttributes(libfwbuilder::StateSyncClusterGroup *grp); // using list of pairs instead of a map or QMap because maps are dictionaries // and do not preserve order of elements void getVersionsForPlatform(const QString &platform, std::list &list); QString getVersionString(const QString &platform, const QString &version); /* * Get list of supported state synchronization protocols for given * cluster host OS. This is used for the "type" in StateSyncClusterGroup */ void getStateSyncTypesForOS(const QString &host_os, std::list &list); /* * Get list of supported failover protocols for given cluster * host OS. This is used for the "type" in FailoverClusterGroup */ void getFailoverTypesForOS(const QString &host_os, std::list &list); /* * Get list of supported interface types for the "advanced" interface * options dialog. 
Returns list of string pairs, */ void getInterfaceTypes(libfwbuilder::Interface *iface, std::list &list); /* * Get list of allowed subinterface types for the given interface */ void getSubInterfaceTypes(libfwbuilder::Interface *iface, std::list &list); /* * Fill QComboBox widget with interface types */ void setInterfaceTypes(QComboBox *iface_type, libfwbuilder::Interface *iface, const QString ¤t_type); /** * this method is a collection of heuristics that allow us to assign * a reasonable label to the interface based on firewall platform, * name of the interface, its label and other parameters. */ void guessInterfaceLabel(libfwbuilder::InterfaceData *idata); /** * this method is a collection of heuristics that allow us to make an * educated guess about interface's security level based on the * firewall platform, name of the interface, its label and other * parameters. */ void guessSecurityLevel(const std::string &platform, libfwbuilder::InterfaceData *idata); /** * !!! returns a list of log levels that can be used to populate qcombobox * !!! widget. I do not see how log levels can be different for various * !!! fw platforms, but who knows. */ const QStringList& getLogLevels(const QString &platform); /** * like the above, except returns a list of log facilities. */ const QStringList& getLogFacilities(const QString &platform); /** * returns a list of Actions on reject (mapping list) * */ const QStringList& getActionsOnReject(const QString &platform); /** * returns a list of options for Route action * */ const QStringList& getRouteOptions_pf_ipf(const QString &platform); const QStringList& getRouteLoadOptions_pf(const QString &platform); const QStringList& getClassifyOptions_ipfw(const QString &platform); /** * returns a list of Limit Suffixes (mapping list) */ const QStringList& getLimitSuffixes(const QString &platform); /** * returns a list of screen names from the mapping list that can be * used to populate qcombobox. 
*/ QStringList getScreenNames(const QStringList &sl); /** * finds screen name (i.e. string that can be localized) for the * internal item name s in the mapping list sl */ QString getScreenName(QString s,const QStringList &sl); QString getRuleAction(libfwbuilder::Rule *rule); QString getActionNameForPlatform(libfwbuilder::Firewall *fw, libfwbuilder::Rule *rule); QString getActionNameForPlatform(libfwbuilder::Firewall *fw, const std::string &action); bool getStatelessFlagForAction(libfwbuilder::PolicyRule *rule); QString getReadableRuleElementName(const std::string &platform, const std::string &rule_element_type_name); /* * convenience method that calls Resourcess::getPlatforms() and * converts the result to QMap. If @filter is true, * platforms marked as disabled in global FWBSettings are dropped. */ QMap getAllPlatforms(bool filter=true); QMap getAllOS(bool filter=true); QString readPlatform(QComboBox *platform); QString readHostOS(QComboBox *hostOS); void setPlatform(QComboBox *platform, const QString &pl); void setHostOS(QComboBox *hostOS, const QString &platform, const QString &os); void guessOSAndPlatformFromSysDescr(const QString &sysDescr, QString &platform, QString &hostOS, QString &version); QString findBestVersionMatch(const QString &platform, const QString &discovered_version); /* * Internal: Auxiliary function that copies elements from the list returned by * Resources::getResourceStrList() to the list of string pairs */ void _repackStringList(std::list &list1, std::list &list2); #endif fwbuilder-5.3.7/src/libgui/portinglog.txt000066400000000000000000000276461303637203600205220ustar00rootroot00000000000000Log for qt3to4 on Wed Aug 15 20:07:00 2007. 
Number of log entries: 45 In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 51 column 21: qobjectlist.h -> qobject.h In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 52 column 19: qlistview.h -> q3listview.h In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 55 column 17: qheader.h -> q3header.h In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 56 column 22: qwidgetstack.h -> q3widgetstack.h In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 67 column 20: qpopupmenu.h -> q3popupmenu.h In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 68 column 22: qtextbrowser.h -> q3textbrowser.h In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 135 column 21: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 162 column 14: QPopupMenu -> Q3PopupMenu In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 162 column 47: QPopupMenu -> Q3PopupMenu In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 272 column 36: QPixmap::fromMimeSource -> qPixmapFromMimeSource In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 342 column 21: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 360 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 371 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 389 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 414 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 460 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 563 column 21: QListViewItem -> 
Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 587 column 17: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 646 column 55: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 652 column 20: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 660 column 36: QPixmap::fromMimeSource -> qPixmapFromMimeSource In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 708 column 68: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 709 column 57: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 733 column 40: QPixmap::fromMimeSource -> qPixmapFromMimeSource In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 743 column 40: QPixmap::fromMimeSource -> qPixmapFromMimeSource In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 771 column 20: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 815 column 49: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 832 column 14: QPopupMenu -> Q3PopupMenu In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 832 column 36: QPopupMenu -> Q3PopupMenu In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 836 column 14: QPopupMenu -> Q3PopupMenu In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 836 column 44: QPopupMenu -> Q3PopupMenu In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 837 column 14: QPopupMenu -> Q3PopupMenu In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 837 column 44: QPopupMenu -> Q3PopupMenu In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 1829 column 21: QListView 
-> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 2062 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 2107 column 48: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp at line 2142 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.cpp: Added the following include directives: #include #include In file /home/krava/work/someproj/src/gui/ObjectManipulator.h at line 36 column 19: qlistview.h -> q3listview.h In file /home/krava/work/someproj/src/gui/ObjectManipulator.h at line 51 column 16: QPopupMenu -> Q3PopupMenu In file /home/krava/work/someproj/src/gui/ObjectManipulator.h at line 82 column 25: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.h at line 110 column 55: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectManipulator.h at line 141 column 35: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectManipulator.h at line 190 column 34: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectManipulator.h: Added the following include directives: #include Log for qt3to4 on Wed Aug 15 20:16:20 2007. 
Number of log entries: 57 In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 38 column 19: qlistview.h -> q3listview.h In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 39 column 21: qdragobject.h -> q3dragobject.h In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 40 column 19: qiconview.h -> q3iconview.h In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 49 column 39: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 53 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 54 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 74 column 23: QDragObject -> Q3DragObject In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 89 column 69: WFlags -> Qt::WFlags In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 120 column 37: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 121 column 38: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 122 column 33: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.h at line 123 column 32: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.h: Added the following include directives: #include #include #include #include #include #include #include In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 53 column 21: qdragobject.h -> q3dragobject.h In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 54 column 19: qlistview.h -> q3listview.h In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 55 column 17: qheader.h -> q3header.h In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 72 column 73: WFlags -> Qt::WFlags In file 
/home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 73 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 88 column 54: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 89 column 52: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 94 column 49: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 95 column 47: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 97 column 48: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 98 column 46: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 114 column 30: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 116 column 35: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 121 column 31: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 124 column 28: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 130 column 49: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 140 column 44: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 147 column 43: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 173 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 192 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 193 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 201 column 13: 
QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 202 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 210 column 25: QListViewItemIterator -> Q3ListViewItemIterator In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 211 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 259 column 11: QDragObject -> Q3DragObject In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 263 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 346 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 361 column 21: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 418 column 17: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 467 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 480 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 504 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 514 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 572 column 17: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 593 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 601 column 13: QListView -> Q3ListView In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 617 column 48: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 624 column 13: QListView -> Q3ListView In file 
/home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 654 column 25: QListViewItemIterator -> Q3ListViewItemIterator In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 659 column 25: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 674 column 25: QListViewItemIterator -> Q3ListViewItemIterator In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp at line 681 column 25: QListViewItem -> Q3ListViewItem In file /home/krava/work/someproj/src/gui/ObjectTreeView.cpp: Added the following include directives: #include #include #include #include #include #include #include #include fwbuilder-5.3.7/src/libgui/prefsdialog_q.ui000066400000000000000000002226601303637203600207440ustar00rootroot00000000000000 prefsDialog_q true 0 0 731 550 Preferences true Qt::Horizontal QSizePolicy::Expanding 20 20 &OK true true &Cancel true 0 General 20 0 0 Working directory: false 0 0 0 0 200 16777215 Browse... 0 0 Data directory: false 0 0 0 0 200 16777215 Browse... 
75 true Software Updates: Check Now Check for updates automatically Qt::Horizontal 15 20 Qt::Horizontal 223 20 Use http proxy while checking for updates (host:port) No identifiable information will be sent to the server during update check Qt::Vertical 20 7 Do not show tips on startup Objects Show deleted objects Advanced User Mode, only show minimal tooltips 0 25 Enable object tooltips in the tree and rule sets Qt::Vertical 618 20 Show object attributes in the tree Qt::Horizontal QSizePolicy::Expanding 429 20 Properties of specific object types: Qt::AlignCenter The program comes with a library of template objects that can be used to create new firewalls, however you can create your own library of templates and use it in addition to the one we provide Enable use of custom firewall template libraries 0 300 0 DNS Name 20 :/Icons/DNSName/icon-big 0 0 QFrame::NoFrame QFrame::Raised 0 19 Create new objects in "Compile Time" mode by default true Create new objects in "Run Time" mode by default Use object name for the DNS record in all objects of this type Qt::Vertical 20 106 Address Table 20 :/Icons/AddressTable/icon-big 0 0 QFrame::NoFrame QFrame::Raised 0 19 Create new objects in "Compile Time" mode by default true Create new objects in "Run Time" mode by default Qt::Vertical 20 136 Policy Rules 4 7 64 64 64 64 64 64 :/Icons/Policy/icon-big 72 4 623 45 0 0 This setting allows you to change whether new rules created in fwbuilder have action, logging and stateful inspection turned on or off by default. 
true 72 53 290 21 0 0 Create new policy rules with logging turned on 72 78 354 21 0 0 Create new policy rules with stateful inspection turned on 73 104 351 154 Create new policy rules with action Deny Accept Create new policy rules with direction Both Inbound Outbound Set policy rules default source Any Dummy Set policy rules default destination Any Dummy Set policy rules default service Any Dummy Set policy rules default interface Any Dummy Interface 0 0 :/Icons/Interface/icon-big When an interface object is created as a child object of another interface, fwbuilder can verify that the name and type of the child and the parent objects match and form a valid configuration. FWbuilder can also automatically guess some interface types and their parameters using their names. For example, it can automatically set the interface type to "vlan" and assign the vlan ID if the object name looks like a valid vlan interface for the given OS. However, in some situations the desired configuration might be more complex than our checks allow, so this may need to be turned off. true 0 0 Verify interface names and autoconfigure their parameters using known name patterns Qt::Vertical 20 134 Qt::Vertical QSizePolicy::Expanding 618 46 Data File 20 20 Periodically save data to file every 50 0 100 16777215 1 120 minutes false Qt::Horizontal 225 20 Do not ask for the log record when checking in a new file revision. Enable compression of the data file Qt::Vertical 20 97 Installer A full path to the Secure Shell utility (remote command execution; for example ssh on Unix or plink.exe on Windows): Qt::AlignVCenter true 0 0 0 0 Browse... A full path to the SCP utility (file copy over ssh; for example scp on Unix or pscp.exe on Windows): Qt::AlignVCenter true 0 0 0 0 Browse... Value for the ServerAliveInterval ssh configuration parameter. 
This parameter sets timeout interval in seconds after which if no data has been received from the server, ssh client will send a message through the encrypted channel to request a response from the server. This helps detect disconnects between fwbuilder policy installer and the firewall. If set to 0, these messages will not be sent to the server and loss of connectivity with the firewall will lead to hanging of the installer session. Scp uses different parameter for this, ConnectTimeout. Fwbuilder automatically calculates the value for this parameter using the same timeout value. Note that this only works with ssh protocol v2. true 999999 sec Qt::Horizontal 528 23 QFrame::NoFrame QFrame::Plain 0 0 0 0 Download plink.exe and pscp.exe from the web site at 0 0 0 30 16777215 30 true QFrame::NoFrame QFrame::Plain <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" content="1" /><style type="text/css"> p, li { white-space: pre-wrap; } </style></head><body style=" font-family:'Sans Serif'; font-size:8pt; font-weight:400; font-style:normal;"> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/"><span style=" font-family:'Lucida Grande'; text-decoration: underline; color:#0000ff;">http://www.chiark.greenend.org.uk/~sgtatham/putty/</span></a></p></body></html> true true Qt::Vertical QSizePolicy::Fixed 20 20 Built-in policy installer can remember passwords for the duration of the session. Passwords are never stored permanently, they are only kept in memory. In order to use this feature, you also need to configure user name used to authenticate to the firewall in the "advanced" settings dialog of the firewall object. true false Warning: using this feature creates certain risk if working Firewall Builder GUI is left unattended on the unlocked workstation. 
Someone may walk up to the machine and make changes to the firewall using the cached password of the administrator who used the same GUI session before. Always lock the screen or exit the Firewall Builder GUI when leaving the computer. true Enable password caching for the duration of the session (passwords are never stored permanently) Enable password caching Qt::Vertical QSizePolicy::Expanding 505 61 true Labels 20 20 Use these labels to mark rules in the firewall policy Qt::AlignCenter false Qt::Horizontal QSizePolicy::Expanding 40 20 20 Red Blue Yellow Orange Purple Green Gray Qt::Horizontal QSizePolicy::Expanding 70 20 Qt::Vertical 20 38 Appearance Icons settings 20 12 0 0 250 0 Choose font for rules sets Rules font 0 0 rules font description 0 0 250 0 Choose font for tree Tree font 0 0 tree font description 0 0 250 0 Choose font for tree Compiler Output Panel font 0 0 compiler output font description Show icons in rules true Show text descriptions in columns "Direction", "Action" 100 100 true Icons size in rules: 16x16 25x25 true Qt::Horizontal 330 96 Qt::Vertical 20 40 Clip comments in rules Show text under toolbar icons Diff Rule Set Diff Viewer Use these colors to mark rules in the diff viewer Qt::AlignCenter false 20 Remove true Add true Edit true Move true Display unmodified rules Generated Output Diff Viewer Firewall Builder may compile your firewalls automatically when you load a file. The generated files will be stored in a temporary directory and are deleted when you quit the application. This will enable you to compare the output of the generated files between the current version and the unmodified version of the file you loaded. Enable auto compiling when loading file A full path to the graphical diff utility: Qt::AlignVCenter true 0 0 0 0 Browse... Qt::Horizontal 339 20 Platforms and OS 20 If you disable a firewall platform or host OS here, it will not appear in the drop-down lists of platforms and host OS anywhere in the program. 
This helps avoid clutter in lists of platforms and OS if you only work with one or two of them. true Supported firewall platforms Supported host OS true QAbstractItemView::NoSelection false false Platform QAbstractItemView::NoEditTriggers true QAbstractItemView::NoSelection false false Host OS tabWidget wDir browseWDir buttonOk buttonCancel emptyRCSLog browseForSSH sshPath redBtn redText orangeBtn orangeText yellowBtn yellowText greenBtn greenText blueBtn blueText purpleBtn purpleText grayBtn grayText buttonOk clicked() prefsDialog_q accept() 634 552 20 20 buttonCancel clicked() prefsDialog_q reject() 720 552 20 20 rb25 clicked() prefsDialog_q changeIconSize25() 119 101 20 20 browseForSCP clicked() prefsDialog_q findSCP() 119 78 334 214 checkUpdatesNow clicked() prefsDialog_q checkSwUpdates() 375 195 334 214 btTreeFont clicked() prefsDialog_q changeTreeFont() 175 86 334 210 orangeBtn clicked() prefsDialog_q changeOrangeColor() 149 94 20 20 blueBtn clicked() prefsDialog_q changeBlueColor() 149 94 20 20 rb16 clicked() prefsDialog_q changeIconSize16() 119 101 20 20 btRulesFont clicked() prefsDialog_q changeRulesFont() 137 60 334 210 objTooltips toggled(bool) prefsDialog_q objTooltipsEnabled(bool) 57 67 3 71 btCompilerOutputFont clicked() prefsDialog_q changeCompilerOutputFont() 175 88 334 233 browseWDir clicked() prefsDialog_q findWDir() 709 75 20 20 browseDataDir clicked() prefsDialog_q findDataDir() 641 83 20 20 redBtn clicked() prefsDialog_q changeRedColor() 149 94 20 20 yellowBtn clicked() prefsDialog_q changeYellowColor() 149 94 20 20 browseForSSH clicked() prefsDialog_q findSSH() 119 74 20 20 greenBtn clicked() prefsDialog_q changeGreenColor() 149 94 20 20 purpleBtn clicked() prefsDialog_q changePurpleColor() 149 94 20 20 chShowIcons clicked() prefsDialog_q changeShowIcons() 65 61 20 20 grayBtn clicked() prefsDialog_q changeGrayColor() 149 94 20 20 addColorBtn clicked() prefsDialog_q changeAddColor() 61 113 165 540 editColorBtn clicked() prefsDialog_q 
changeEditColor() 69 155 141 547 moveColorBtn clicked() prefsDialog_q changeMoveColor() 64 196 126 554 removeColorBtn clicked() prefsDialog_q changeRemoveColor() 56 237 117 535 browseForDiff clicked() prefsDialog_q findDiff() 327 452 411 540 findSSH() findSCP() checkSwUpdates() changeRulesFont() changeTreeFont() changeCompilerOutputFont() objTooltipsEnabled(bool) findDiff() fwbuilder-5.3.7/src/libgui/printerStream.cpp000066400000000000000000000364351303637203600211340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "printerStream.h" #include "RuleSetModel.h" #include "RuleSetView.h" #include #include #include #include #include printerStream::printerStream(QPrinter *p, float ts, float m, bool h, const QString &ht, PrintingProgressDialog *pd) : pr()//,metrics(p) { printer = p; table_scaling = ts; margin = m; printHeader = h; headerText = ht; ppd = pd; headerFont = QFont( "times", 10, QFont::Normal ); bodyFont = QFont( "times", 14, QFont::Normal ); headerHeight = 1.5; // 1.5 cm for header pageNo = 0; active = false; fromPage = 1; toPage = 9999; headerTimeString = QDateTime::currentDateTime().toString(); } bool printerStream::begin() { if( !pr.begin(printer) ) // paint on printer return false; active=true; pageWidth = printer->width(); pageHeight = printer->height(); if (fwbdebug) { qDebug("printer dimensions: %dx%d",pageWidth,pageHeight); qDebug("Margin: %.1f", margin); } dpiy = printer->logicalDpiY(); ymargin = (int) ( (margin/2.54)*dpiy ); // assuming printer's resolutions by X and Y axes are the same xmargin = ymargin; pageBody = QRect( xmargin, ymargin, printer->width() - 2 * xmargin, printer->height() - 2 * ymargin ); yHeaderHeight = int((headerHeight / 2.54) * dpiy); yHeaderLine = int(((headerHeight - 0.5) / 2.54) * dpiy); pr.setFont(headerFont); QFontMetrics fm = pr.fontMetrics(); QRect br = fm.boundingRect("Page 999"); headerTextBox = QRect(xmargin, ymargin + yHeaderLine - fm.lineSpacing() - 1, printer->width() - 2 * xmargin, fm.lineSpacing() + 1); headerBox = QRect(xmargin, ymargin, printer->width() - 2 * xmargin, yHeaderHeight); if (fwbdebug) { qDebug("dpiy=%d", dpiy); qDebug("yHeaderHeight=%d", yHeaderHeight); qDebug("yHeaderLine=%d", yHeaderLine); qDebug("fm.lineSpacing()=%d", fm.lineSpacing()); qDebug("bounding rect for the header text: 
l=%d,t=%d,w=%d,h=%d", br.left(), br.top(), br.width(), br.height()); qDebug("headerBox: l=%d,t=%d,w=%d,h=%d", headerBox.left(), headerBox.top(), headerBox.width(), headerBox.height()); qDebug("headerTextBox: l=%d,t=%d,w=%d,h=%d", headerTextBox.left(), headerTextBox.top(), headerTextBox.width(), headerTextBox.height()); } yPos = 0; pageNo = 1; QPaintDevice *dev = pr.device(); // lets table with width 1000 pixels be drawn 80% of the page width pixmap_scaling_ratio = float(dev->width()) * 0.8 / 1000 * table_scaling; return true; } void printerStream::end() { // according to QT docs, there is no need to explicitly call QPainter::end() // because its destructor does it // pr.end(); } int printerStream::getWorkspaceWidth() { return pageBody.width(); } int printerStream::getWorkspaceHeight() { return (printHeader) ? (pageBody.height()-headerBox.height()) : pageBody.height(); } void printerStream::beginPage() { yPos=0; if (ppd!=NULL) ppd->setCurrentPageNo(pageNo); if (printHeader) { if (fwbdebug) qDebug("Printing header for page %d (%d-%d)", pageNo, fromPage, toPage); QString page = QObject::tr("Page %1").arg(pageNo); if (pageNo>=fromPage && pageNo<=toPage) { pr.setFont(headerFont); pr.setPen(Qt::black); pr.setPen(Qt::SolidLine); pr.drawText(headerTextBox,Qt::AlignLeft,page); pr.drawText(headerTextBox,Qt::AlignCenter,headerText); pr.drawText(headerTextBox,Qt::AlignRight,headerTimeString); pr.drawLine(headerTextBox.left(),headerTextBox.bottom(), headerTextBox.right(),headerTextBox.bottom()); } yPos = ymargin+headerBox.height(); } } void printerStream::flushPage() { if (pageNo>=fromPage && pageNo<=toPage) printer->newPage(); pageNo++; } int printerStream::getTextHeight(const QString &txt) { if (txt.isEmpty()) return 0; if (printer->printerState() == QPrinter::Aborted) return 0; pr.setFont( bodyFont ); QFontMetrics fm = pr.fontMetrics(); int nlines=1; int i=-1; while ( (i=txt.indexOf("\n",i+1))>=0 ) nlines++; return nlines*fm.lineSpacing(); } void 
printerStream::printText(const QString &txt, bool newLine) { if (fwbdebug) { qDebug("printText -------"); qDebug("pageBody.height(): %d", pageBody.height()); qDebug("yPos: %d", yPos); } if (txt.isEmpty()) return; if (printer->printerState() == QPrinter::Aborted) return; pr.setFont( bodyFont ); QFontMetrics fm = pr.fontMetrics(); QRect br = fm.boundingRect(txt); if (getYSpace()=fromPage && pageNo<=toPage) { pr.setPen(Qt::black); pr.drawText( xmargin, yPos, printer->width()-2*xmargin, br.height(), Qt::TextExpandTabs | Qt::TextDontClip, txt ); } int nlines=1; int i=-1; while ( (i=txt.indexOf("\n",i+1))>=0 ) nlines++; if (newLine) yPos = yPos + nlines*fm.lineSpacing(); } void printerStream::printPixmap(const QPixmap &pm, bool newLine) { #if 0 QPaintDevice *dev = pr.device(); if (fwbdebug) { qDebug("printPixmap: width=%d height=%d", pm.width(), pm.height()); qDebug("printPixmap: printer->resolution()=%d", printer->resolution()); if (dev) { qDebug("printPixmap: device parameters:"); qDebug(" height=%d width=%d", dev->height(), dev->width()); qDebug(" logicalDpiY=%d logicalDpiX=%d", dev->logicalDpiY(), dev->logicalDpiX()); qDebug(" physicalDpiY=%d physicalDpiX=%d", dev->physicalDpiY(), dev->physicalDpiX()); } } #endif int target_w = (int)(pm.width() * pixmap_scaling_ratio); int target_h = (int)(pm.height() * pixmap_scaling_ratio); int pmYOffset = 0; while ( getYSpace()<(pm.height()-pmYOffset) ) { int yFrag = pageBody.height() - yPos; if (pageNo>=fromPage && pageNo<=toPage) { if (fwbdebug) qDebug("Print pixmap 1: yPos=%d pmYOffset=%d " "yFrag=%d target_w=%d target_h=%d", yPos, pmYOffset, yFrag, target_w, target_h); pr.drawPixmap(xmargin, yPos, target_w, target_h, pm, 0, pmYOffset, -1, yFrag); } pmYOffset = pmYOffset + yFrag; flushPage(); beginPage(); // resets yPos } if (pageNo>=fromPage && pageNo<=toPage) { if (fwbdebug) qDebug("Print pixmap 2: yPos=%d pmYOffset=%d target_w=%d target_h=%d", yPos, pmYOffset, target_w, target_h); pr.drawPixmap(xmargin, yPos, target_w, 
target_h, pm, 0, pmYOffset, -1, -1); } if (newLine) yPos = yPos + (target_h - pmYOffset); } void printerStream::printRuleSetView(RuleSetView *tbl, bool top_margin) { if (fwbdebug) { qDebug("printQTable ----------------------------------------------"); qDebug("Size: %dx%d", tbl->width(), tbl->height()); qDebug("YSpace: %d", getYSpace()); qDebug("yPos: %d", yPos); } int columnsWidth = 0; int i = 0; while (i < tbl->model()->columnCount()) { columnsWidth += tbl->columnWidth(i); i++; } RuleSetModelIterator it = ((RuleSetModel*)tbl->model())->begin(); RuleSetModelIterator end = ((RuleSetModel*)tbl->model())->end(); RuleSetModelIterator bottomIt; while (it.isValid() && it != end) { // Pages iterations int tblHeight = (int)( (float)(tbl->header()->height()) * pixmap_scaling_ratio); /* =================================================================== * Row height is screen pixels, getYSpace returns remaining * space in printer resolution units. Keep track of both to * resize pixmap * =================================================================== */ int pixMapHeight = tbl->header()->height(); RuleSetModelIterator pit = it; while (pit != end) { // Check if current index is collapsed QModelIndex index = pit.index(); QModelIndex parent = index.parent(); if (!parent.isValid() || tbl->isExpanded(parent)) { int nth = tblHeight + (int)((float)(tbl->rowHeight(index)) * pixmap_scaling_ratio); if ( nth==getYSpace() ) break; if ( nth>getYSpace() ) { // if it == pit then even single row does not fit on the page if (it == pit) { pixMapHeight = tbl->rowHeight(index); } else { --pit; } break; } tblHeight = nth; pixMapHeight += tbl->rowHeight(index); } ++pit; } bottomIt = pit; int left_hdr_w = 0; int top_hdr_h = 0; Q_UNUSED(top_hdr_h); if (top_margin && tbl->header() != NULL) top_hdr_h = tbl->header()->height(); int tblWidth = columnsWidth + left_hdr_w; qDebug("Page %d -- tblWidth: %d tblHeight: %d", pageNo, tblWidth, tblHeight); tbl->resize(tblWidth, pixMapHeight); 
tbl->updateWidget(); tbl->scrollTo(it.index(), QAbstractItemView::PositionAtTop); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) printPixmap(QPixmap::grabWidget(tbl)); #else printPixmap(tbl->grab()); #endif if (bottomIt == end) break; flushPage(); beginPage(); it = bottomIt; ++it; } } void printerStream::printQTable(QTableView *tbl, bool left_margin, bool top_margin) { if (fwbdebug) { qDebug("printQTable ----------------------------------------------"); qDebug("Size: %dx%d", tbl->width(), tbl->height()); // qDebug("Visible: %dx%d", // tbl->contentsRect().width(), tbl->contentsRect().height()); // qDebug("Viewport: %dx%d", // tbl->viewport()->width(), tbl->viewport()->height()); // qDebug("pageBody.height(): %d", pageBody.height()); qDebug("YSpace: %d", getYSpace()); qDebug("yPos: %d", yPos); } int top_row = 0; int bottom_row = 1; int columnsWidth = 0; int i = 0; while (i < tbl->model()->columnCount()) { columnsWidth += tbl->columnWidth(i); i++; } int rowCount = tbl->model()->rowCount(); while (top_row <= (rowCount-1)) { int row = 0; int tblHeight = (int)( (float)(tbl->horizontalHeader()->height()) * pixmap_scaling_ratio); /* =================================================================== * Row height is screen pixels, getYSpace returns remaining * space in printer resolution units. 
Keep track of both to * resize pixmap * =================================================================== */ int pixMapHeight = tbl->horizontalHeader()->height(); for (row=top_row; row < rowCount; ++row) { if (tbl->isRowHidden(row)) { // hidden rows count but do not contribute to table height continue; } int nth = tblHeight + (int)((float)(tbl->rowHeight(row)) * pixmap_scaling_ratio); if ( nth==getYSpace() ) break; if ( nth>getYSpace() ) { row--; break; } tblHeight = nth; pixMapHeight += tbl->rowHeight(row); } // if row < top_row then even single row does not fit on the page if (row < top_row) { row = top_row; pixMapHeight = tbl->rowHeight(top_row); } if (row == rowCount) row--; bottom_row = row; int left_hdr_w = 0; if (left_margin && tbl->verticalHeader() != NULL) left_hdr_w = tbl->verticalHeader()->width(); int top_hdr_h = 0; Q_UNUSED(top_hdr_h); if (top_margin && tbl->horizontalHeader() != NULL) top_hdr_h = tbl->horizontalHeader()->height(); int tblWidth = columnsWidth + left_hdr_w; if (fwbdebug) qDebug("Page %d -- (%d-%d of %d rows) tblWidth: %d tblHeight: %d", pageNo, top_row, bottom_row, rowCount, tblWidth, tblHeight); tbl->resize(tblWidth, pixMapHeight); tbl->verticalHeader()->resize( tbl->verticalHeader()->width(), tbl->height() - tbl->horizontalHeader()->height()); tbl->horizontalHeader()->resize( tbl->width() - tbl->verticalHeader()->width(), tbl->horizontalHeader()->height()); // QTableView::scrollTo() makes row visible, but if there are not enough // rows below it, it appears in the middle of the table. This means the table // shows few rows that belong on the previous page, which is bad. 
// // tbl->scrollTo(tbl->model()->index(top_row, 0), // QAbstractItemView::PositionAtTop); int top_row_position = tbl->verticalHeader()->sectionPosition(top_row); tbl->verticalHeader()->setOffset(top_row_position); tbl->update(); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) printPixmap(QPixmap::grabWidget(tbl)); //,0,0,-1,pixMapHeight)); #else printPixmap(tbl->grab()); //,0,0,-1,pixMapHeight)); #endif if (bottom_row>=(rowCount-1)) break; flushPage(); beginPage(); top_row = bottom_row + 1; } } fwbuilder-5.3.7/src/libgui/printerStream.h000066400000000000000000000057411303637203600205750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PRINTERSTREAM_H_ #define __PRINTERSTREAM_H_ #include #include #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) # include # include #else # include # include #endif #include #include "PrintingProgressDialog.h" class QPrinter; class RuleSetView; class printerStream { QPrinter *printer; QPainter pr; QRect pageBody; PrintingProgressDialog *ppd; int yPos; float margin; int ymargin; int xmargin; int fromPage; int toPage; bool active; bool printHeader; QString headerTimeString; QString headerText; QFont headerFont; QRect headerTextBox; QRect headerBox; QFont bodyFont; float headerHeight; int yHeaderHeight; int yHeaderLine; int pageNo; int pageWidth; int pageHeight; int dpiy; float pixmap_scaling_ratio; float table_scaling; public: printerStream(QPrinter *p, float table_scaling, float margin, bool header, const QString &headerText, PrintingProgressDialog *ppd); bool begin(); void end(); bool isActive() { return active; } void setFromTo(int from, int to) { fromPage=from; toPage=to; } QPainter& painter() { return pr; } int getYMargin() { return ymargin; } int getXMargin() { return xmargin; } void printText(const QString &txt, bool newLine=true); void printPixmap(const QPixmap &pm, bool newLine=true); void printQTable(QTableView *tbl, bool left_margin=true, bool top_margin=true); void printRuleSetView(RuleSetView *tbl, bool top_margin=true); int getTextHeight(const QString &txt); void beginPage(); void flushPage(); int getPageHeight() { return pageHeight; } int getPageWidth() { return pageWidth; } int getWorkspaceHeight(); int getWorkspaceWidth(); int getYPos() { return yPos; } int getYSpace() { return pageBody.height()-yPos; } }; #endif fwbuilder-5.3.7/src/libgui/printingprogressdialog_q.ui000066400000000000000000000034121303637203600232340ustar00rootroot00000000000000 printingProgressDialog_q 0 0 275 110 Printing Cancel 
Qt::Vertical QSizePolicy::Expanding 40 20 Qt::Vertical QSizePolicy::Expanding 40 20 textLabel1 false fwbuilder-5.3.7/src/libgui/procurveaclAdvancedDialog.cpp000066400000000000000000000314241303637203600233610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include "procurveaclAdvancedDialog.h" #include "SimpleTextEditor.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Interface.h" #include "fwbuilder/XMLTools.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; procurveaclAdvancedDialog::~procurveaclAdvancedDialog() { delete m_dialog; } procurveaclAdvancedDialog::procurveaclAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::procurveaclAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject(); assert(fwoptions!=NULL); // As of 4.1.0 we do not support scp install method 
for Procurve // I could not figure out how to copy configuration to the switch // even when "ip ssh filetransfer" command has been executed and scp // seems to work - I ran into problems with file permissions that // I could not resolve. This will remain a low priority TODO item. // See also commented out code in FirewallInstallerProcurve.cpp m_dialog->SCPgroupBox->setEnabled(false); string vers="version_"+obj->getStr("version"); string platform = obj->getStr("platform"); // should be 'procurve_acl' QString s; QStringList logLevels; QStringList logLevelMapping; logLevelMapping.push_back(""); logLevelMapping.push_back(""); /* filling pop-down menu and pushing the same strings to the mapping * list at the same time so we could use translation */ s=QObject::tr("0 - System Unusable"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("0"); s=QObject::tr("1 - Take Immediate Action"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("1"); s=QObject::tr("2 - Critical Condition"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("2"); s=QObject::tr("3 - Error Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("3"); s=QObject::tr("4 - Warning Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("4"); s=QObject::tr("5 - Normal but significant condition"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("5"); s=QObject::tr("6 - Informational"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("6"); s=QObject::tr("7 - Debug Message"); logLevels.push_back(s); logLevelMapping.push_back(s); logLevelMapping.push_back("7"); /* do not need to translate syslog facilities, but will use the same * method just in case */ QStringList syslogFacilities; QStringList syslogFacilityMapping; syslogFacilities.push_back(""); syslogFacilityMapping.push_back(""); 
syslogFacilityMapping.push_back(""); syslogFacilities.push_back("LOCAL0"); syslogFacilityMapping.push_back("LOCAL0"); syslogFacilityMapping.push_back("16"); syslogFacilities.push_back("LOCAL1"); syslogFacilityMapping.push_back("LOCAL1"); syslogFacilityMapping.push_back("17"); syslogFacilities.push_back("LOCAL2"); syslogFacilityMapping.push_back("LOCAL2"); syslogFacilityMapping.push_back("18"); syslogFacilities.push_back("LOCAL3"); syslogFacilityMapping.push_back("LOCAL3"); syslogFacilityMapping.push_back("19"); syslogFacilities.push_back("LOCAL4"); syslogFacilityMapping.push_back("LOCAL4"); syslogFacilityMapping.push_back("20"); syslogFacilities.push_back("LOCAL5"); syslogFacilityMapping.push_back("LOCAL5"); syslogFacilityMapping.push_back("21"); syslogFacilities.push_back("LOCAL6"); syslogFacilityMapping.push_back("LOCAL6"); syslogFacilityMapping.push_back("22"); syslogFacilities.push_back("LOCAL7"); syslogFacilityMapping.push_back("LOCAL7"); syslogFacilityMapping.push_back("23"); bool f1=fwoptions->getBool("procurve_acl_acl_basic"); bool f2=fwoptions->getBool("procurve_acl_acl_no_clear"); bool f3=fwoptions->getBool("procurve_acl_acl_substitution"); bool f4=fwoptions->getBool("procurve_acl_add_clear_statements"); /* * If none of the new procurve_acl_acl_* options is set and old procurve_acl_add_clear_statements * option is true, set procurve_acl_acl_basic to true. 
* * If old option procurve_acl_add_clear_statements iss false, set * procurve_acl_acl_no_clear to true */ if (!f1 && !f2 && !f3) { if ( f4 ) fwoptions->setBool("procurve_acl_acl_basic",true); else fwoptions->setBool("procurve_acl_acl_no_clear",true); } Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); data.registerOption(m_dialog->ipv4before_2, fwoptions, "ipv4_6_order", QStringList() << tr("IPv4 before IPv6") << "ipv4_first" << tr("IPv6 before IPv4") << "ipv6_first" ); /* Page "Compiler Options" */ data.registerOption( m_dialog->outputFileName, fwoptions, "output_file" ); data.registerOption( m_dialog->procurve_acl_check_shadowing, fwoptions, "check_shading" ); data.registerOption( m_dialog->procurve_acl_ignore_empty_groups, fwoptions, "ignore_empty_groups" ); data.registerOption( m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh" ); data.registerOption( m_dialog->mgmt_addr, fwoptions, "mgmt_addr" ); /* data.registerOption( m_dialog->procurve_acl_acl_alwaysNew, fwoptions, "procurve_acl_acl_always_new" ); */ /* Page Script options */ data.registerOption( m_dialog->procurve_acl_acl_basic, fwoptions, "procurve_acl_acl_basic" ); data.registerOption( m_dialog->procurve_acl_acl_no_clear, fwoptions, "procurve_acl_acl_no_clear" ); data.registerOption( m_dialog->procurve_acl_acl_substitution, fwoptions, "procurve_acl_acl_substitution" ); data.registerOption( m_dialog->procurve_acl_acl_temp_addr, fwoptions, "procurve_acl_acl_temp_addr" ); data.registerOption( m_dialog->procurve_acl_include_comments, fwoptions, "procurve_acl_include_comments" ); data.registerOption( m_dialog->procurve_acl_use_acl_remarks, fwoptions, "procurve_acl_use_acl_remarks" ); /* Page Installer */ data.registerOption( m_dialog->user, fwoptions, "admUser"); data.registerOption( m_dialog->altAddress, fwoptions, "altAddress"); data.registerOption( m_dialog->sshArgs, fwoptions, "sshArgs"); data.registerOption( m_dialog->scpArgs, fwoptions, "scpArgs"); data.registerOption( 
m_dialog->use_scp, fwoptions, "use_scp"); data.registerOption( m_dialog->filesystem, fwoptions, "filesystem"); data.registerOption( m_dialog->filesystem, fwoptions, "firewall_dir"); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); m_dialog->installScript->setText(pis->getCommand().c_str() ); m_dialog->installScriptArgs->setText( pis->getArguments().c_str() ); /* page "Prolog/Epilog" */ data.registerOption( m_dialog->procurve_acl_prolog_script, fwoptions, "procurve_acl_prolog_script" ); data.registerOption( m_dialog->procurve_acl_epilog_script, fwoptions, "procurve_acl_epilog_script" ); /* page Logging */ data.registerOption(m_dialog->generate_logging_commands, fwoptions, "procurve_acl_generate_logging_commands"); data.registerOption(m_dialog->syslog_host, fwoptions, "procurve_acl_syslog_host"); m_dialog->syslog_facility->clear(); m_dialog->syslog_facility->addItems( syslogFacilities ); data.registerOption( m_dialog->syslog_facility, fwoptions, "procurve_acl_syslog_facility", syslogFacilityMapping); m_dialog->logging_trap_level->clear(); m_dialog->logging_trap_level->addItems(logLevels); data.registerOption( m_dialog->logging_trap_level, fwoptions, "procurve_acl_logging_trap_level", logLevelMapping); data.registerOption(m_dialog->logging_timestamp, fwoptions, "procurve_acl_logging_timestamp"); data.registerOption(m_dialog->logging_buffered, fwoptions, "procurve_acl_logging_buffered"); m_dialog->logging_buffered_level->clear(); m_dialog->logging_buffered_level->addItems(logLevels); data.registerOption( m_dialog->logging_buffered_level, fwoptions, "procurve_acl_logging_buffered_level", logLevelMapping); data.registerOption(m_dialog->logging_console, fwoptions, "procurve_acl_logging_console"); m_dialog->logging_console_level->clear(); m_dialog->logging_console_level->addItems(logLevels); data.registerOption( m_dialog->logging_console_level,fwoptions, "procurve_acl_logging_console_level", logLevelMapping); data.loadAll(); scriptACLModeChanged(); 
toggleGenerateLogging(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void procurveaclAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* options = Firewall::cast(new_state)->getOptionsObject(); assert(options!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); data.saveAll(options); const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress(); if (mgmt_addr) mgmt->setAddress(*mgmt_addr); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); pis->setCommand( m_dialog->installScript->text().toLatin1().constData() ); pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData() ); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void procurveaclAdvancedDialog::reject() { QDialog::reject(); } void procurveaclAdvancedDialog::editProlog() { SimpleTextEditor edt(this, m_dialog->procurve_acl_prolog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->procurve_acl_prolog_script->setText( edt.text() ); } void procurveaclAdvancedDialog::editEpilog() { SimpleTextEditor edt(this, m_dialog->procurve_acl_epilog_script->toPlainText(), true, tr( "Script Editor" ) ); if ( edt.exec() == QDialog::Accepted ) m_dialog->procurve_acl_epilog_script->setText( edt.text() ); } void procurveaclAdvancedDialog::scriptACLModeChanged() { m_dialog->procurve_acl_acl_temp_lbl->setEnabled( m_dialog->procurve_acl_acl_substitution->isChecked()); m_dialog->procurve_acl_acl_temp_addr->setEnabled( m_dialog->procurve_acl_acl_substitution->isChecked()); } void procurveaclAdvancedDialog::toggleGenerateLogging() { m_dialog->syslog_controls->setEnabled( m_dialog->generate_logging_commands->isChecked()); 
m_dialog->other_logging_controls->setEnabled( m_dialog->generate_logging_commands->isChecked()); } fwbuilder-5.3.7/src/libgui/procurveaclAdvancedDialog.h000066400000000000000000000033431303637203600230250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PROCURVEACLADVANCEDDIALOG_H_ #define __PROCURVEACLADVANCEDDIALOG_H_ #include #include "DialogData.h" #include #include class QWidget; class QSpinBox; class QComboBox; class QCheckBox; class QProcess; namespace libfwbuilder { class FWObject; }; class procurveaclAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::procurveaclAdvancedDialog_q *m_dialog; public: procurveaclAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~procurveaclAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void editProlog(); virtual void editEpilog(); virtual void scriptACLModeChanged(); virtual void toggleGenerateLogging(); }; #endif // __PROCURVEACLADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/procurveacladvanceddialog_q.ui000066400000000000000000001273151303637203600236410ustar00rootroot00000000000000 procurveaclAdvancedDialog_q Qt::WindowModal true 0 0 743 558 HP ProCurve ACL Firewall Settings false 0 Compiler 
Options 0 0 Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw") Qt::AlignVCenter true 300 0 32767 22 false 20 Compiler creates multiple access lists from the same policy, two for each interface: one for inbound and another for outbound. If the policy is written in a such way that no rule can possibly be associated with an interface, this interface gets no access list at all. Also, interfaces marked as "unprotected" never get access list regardless of how the policy rules are designed. Generate separate access list for each interface Compiler creates one access list and assigns it to all interfaces. Create one access list and attach it to all interfaces 0 0 Policy Compiler Options false false 20 If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works! Ignore empty groups in rules Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. Detect rule shadowing in the policy Always permit ssh access from the management workstation with this address: true false 0 0 300 0 32767 22 Qt::Horizontal 328 20 Qt::Vertical QSizePolicy::Expanding 20 170 Script Options 0 0 5 0 0 Clear all access lists then install new ones. This method may interrupt access to the firewall if you manage it remotely via tunnel. Qt::AlignVCenter true procurve_acl_acl_basic 0 0 Qt::ClickFocus Do not clear access lists, just generate commands for the new ones. Use this option if you have your own policy installation scripts. 
Qt::AlignVCenter true procurve_acl_acl_no_clear 0 0 "Safety net" method: First, create temporary access list to permit connections from the management subnet specified below to the firewall and assign it to outside interface. This temporary ACL helps maintain session between management station and the firewall while access lists are reloaded in case connection comes over IPSEC tunnel. Then clear permanent lists, recreate them and assign to interfaces. This method ensures that remote access to the firewall is maintained without interruption at a cost of slightly larger configuration. Qt::AlignVCenter true procurve_acl_acl_substitution QFrame::NoFrame QFrame::Sunken 0 11 0 11 Temporary access list should permit access from this address or subnet (use prefix notation to specify subnet, e.g. 192.0.2.0/24): Qt::AlignVCenter true Qt::Horizontal QSizePolicy::Expanding 120 20 0 0 199 0 500 32767 Qt::Horizontal QSizePolicy::Expanding 110 20 0 0 20 Insert comments into generated IOSACL configuration file Comment the code Insert comments into generated IOSACL configuration file Use ACL remarks Qt::Vertical 20 137 Installer Built-in installer User name used to authenticate to the firewall (leave this empty if you use putty session): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 0 0 Additional command line parameters for ssh false 0 0 300 0 Additional command line parameters for scp false 0 0 300 0 Instead of running generated configuration on the router line by line, installer can use scp to copy the file and then "copy file running-config" command to activate it. Ssh v2 and scp servers should be configured on the router for this to work. This method is much faster than running configuration line by line. 
true Copy generated configuration file to the router using scp File system on the router where configuration file should be saved if it is copied with scp. Examples: "flash:", "disk0:". Should end with a colon ":". If this input field is left blank, installer uses "nvram:": true Qt::Horizontal 398 20 External install script -1 0 0 Policy install script (using built-in installer if this field is blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 0 0 Command line options for the script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 300 0 Prolog/Epilog 20 12 20 20 6 Qt::Horizontal QSizePolicy::Expanding 40 20 Edit The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 The following commands will be added verbatim after generated configuration Qt::RichText Qt::AlignVCenter true 0 Logging Generate logging commands Syslog 12 Syslog host (name or IP address): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false syslog facility: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false syslog level ('logging trap'): Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false QFrame::HLine QFrame::Sunken Qt::Horizontal QFrame::HLine QFrame::Sunken Qt::Horizontal The logging timestamp command requires that the clock command be set. 
Qt::AlignVCenter true Enable logging timestamps on syslog file Other logging destinations and levels: 12 Internal buffer Console Qt::Vertical QSizePolicy::Expanding 675 121 IPv6 The order in which ipv4 and ipv6 rules should be generated: Qt::Horizontal 40 20 IPv4 before IPv6 IPv6 before IPv4 Qt::Vertical 20 40 Qt::Horizontal QSizePolicy::Expanding 20 20 OK Qt::AlignCenter false Cancel outputFileName separate_acls_for_interfaces one_acl_for_all_interfaces procurve_acl_ignore_empty_groups procurve_acl_check_shadowing mgmt_ssh mgmt_addr procurve_acl_acl_basic procurve_acl_acl_no_clear procurve_acl_acl_substitution procurve_acl_acl_temp_addr user altAddress sshArgs scpArgs use_scp filesystem installScript installScriptArgs procurve_acl_prolog_script edit_prolog_button procurve_acl_epilog_script edit_epilog_button generate_logging_commands syslog_host syslog_facility logging_trap_level logging_timestamp logging_buffered logging_console logging_buffered_level logging_console_level ipv4before_2 ok_button cancel_button textLabel3 tabWidget ok_button clicked() procurveaclAdvancedDialog_q accept() 584 703 371 366 cancel_button clicked() procurveaclAdvancedDialog_q reject() 689 703 371 366 edit_prolog_button clicked() procurveaclAdvancedDialog_q editProlog() 671 318 371 366 edit_epilog_button clicked() procurveaclAdvancedDialog_q editEpilog() 671 628 371 366 procurve_acl_acl_basic toggled(bool) procurveaclAdvancedDialog_q scriptACLModeChanged() 60 75 371 366 procurve_acl_acl_no_clear toggled(bool) procurveaclAdvancedDialog_q scriptACLModeChanged() 60 117 371 366 procurve_acl_acl_substitution toggled(bool) procurveaclAdvancedDialog_q scriptACLModeChanged() 60 207 371 366 editProlog() editEpilog() scriptACLModeChanged() fwbuilder-5.3.7/src/libgui/projectpanel_q.ui000066400000000000000000000323711303637203600211310ustar00rootroot00000000000000 ProjectPanel_q 0 0 835 494 Form :/Images/fwbuilder3.png:/Images/fwbuilder3.png 2 2 2 2 Qt::Horizontal false 150 0 QFrame::NoFrame 
QFrame::Plain 0 0 0 0 0 0 0 10 20 16777215 16777215 20 0 QFrame::NoFrame QFrame::Raised 2 2 0 0 2 0 0 Insert rule Insert rule Insert rule ... :/Icons/add.png:/Icons/add.png 25 25 false QToolButton::DelayedPopup Qt::NoArrow Qt::Horizontal QSizePolicy::Fixed 10 20 14 50 false false Firewall / ruleset Qt::AlignCenter Qt::Horizontal QSizePolicy::Fixed 20 20 View diff View diff View diff ... :/Icons/newobject_32.png:/Icons/newobject_32.png 25 25 false QToolButton::DelayedPopup Qt::NoArrow Compile this firewall Compile this firewall Compile this firewall ... :/Icons/Compile:/Icons/Compile 25 25 false QToolButton::DelayedPopup Qt::NoArrow Compile and install this firewall Compile and install this firewall Compile and install this firewall ... :/Icons/Install:/Icons/Install 25 25 Inspect generated files Inspect generated files Inspect generated files ... :/Icons/Inspect:/Icons/Inspect 25 25 0 ObjectManipulator QWidget
ObjectManipulator.h
1
WorkflowIcons QWidget
WorkflowIcons.h
1
compile_this_fw clicked() ProjectPanel_q compileThis() 750 37 417 246 install_this_fw clicked() ProjectPanel_q installThis() 789 37 417 246 add_rule clicked() ProjectPanel_q addRule() 195 31 417 246 inspect_this_fw clicked() ProjectPanel_q inspectThis() 828 26 417 246 diff_this_fw clicked() ProjectPanel_q diffThis() 693 18 559 0 compileThis() installThis() addRule() inspectThis() diffThis()
fwbuilder-5.3.7/src/libgui/rcsfilepreview_q.ui000066400000000000000000000177701303637203600215020ustar00rootroot00000000000000 RCSFilePreview_q Qt::WindowModal true 0 0 508 488 0 0 RCSFilePreview true true 300 0 QFrame::NoFrame QFrame::Plain Qt::ScrollBarAlwaysOn false true true Revision Date Author Locked by QFrame::StyledPanel QFrame::Raised Tree View List View Qt::Horizontal 267 20 QFrame::HLine QFrame::Plain Qt::Horizontal 0 0 0 RCS log: Qt::AlignTop false 4 0 0 0 32767 80 QFrame::NoFrame Qt::Horizontal QSizePolicy::Expanding 111 30 0 30 true Open 0 30 Open read-only 0 30 Cancel RCSTreeView comment openButton openRO released() RCSFilePreview_q openReadOnly() 20 20 20 20 openButton clicked() RCSFilePreview_q openFile() 379 462 253 243 tree_view clicked() RCSFilePreview_q switchToTreeView() 66 301 253 243 list_view clicked() RCSFilePreview_q switchToListView() 160 301 253 243 switchToTreeView() switchToListView() fwbuilder-5.3.7/src/libgui/rcsfilesavedialog_q.ui000066400000000000000000000113171303637203600221260ustar00rootroot00000000000000 RCSFileSaveDialog_q true 0 0 381 194 Log record for the new revision true Do not ask me anymore, always check files in with empty log 0 6 20 20 Expanding Horizontal Check file &in Alt+I true true &Cancel true 7 7 0 0 32767 32767 Checking file %1 into RCS false 5 7 0 0 Log record for this revision: false rcslog nolog buttonOk buttonCancel buttonOk clicked() RCSFileSaveDialog_q accept() buttonCancel clicked() RCSFileSaveDialog_q reject() fwbuilder-5.3.7/src/libgui/routingruleoptionsdialog_q.ui000066400000000000000000000113571303637203600236170ustar00rootroot00000000000000 RoutingRuleOptionsDialog_q 0 0 562 161 Routing Rule Options 0 0 QFrame::Box QFrame::Sunken 1 12 12 QFrame::NoFrame QFrame::Plain 12 12 If installation of this routing rule fails, just carry on Qt::Vertical QSizePolicy::MinimumExpanding 20 0 12 12 QFrame::NoFrame QFrame::Plain 2 2 No options available for routing rules of this firewall platform false 
Qt::Vertical QSizePolicy::Expanding 20 50 routing_non_critical_rule routing_non_critical_rule toggled(bool) RoutingRuleOptionsDialog_q changed() 20 20 20 20 fwbuilder-5.3.7/src/libgui/rulegrouppanel.ui000077500000000000000000000027221303637203600211670ustar00rootroot00000000000000 RuleGroupPanel 0 0 447 61 Form 2 2 2 2 20 2 TextLabel Qt::Horizontal 40 20 fwbuilder-5.3.7/src/libgui/ruleoptionsdialog_q.ui000066400000000000000000003461361303637203600222150ustar00rootroot00000000000000 RuleOptionsDialog_q 0 0 1412 357 Rule Options for ipt 12 12 12 12 12 0 0 QFrame::Box QFrame::Sunken 1 0 7 2 2 2 2 2 Qt::Vertical QSizePolicy::Expanding 20 40 There are no options for this firewall platform Qt::AlignCenter false Qt::Vertical QSizePolicy::Expanding 20 40 12 12 12 12 12 0 0 QTabWidget::Triangular 0 General 12 12 12 12 12 Assume firewall is part of "any" for this rule only: Follow global setting On Off Qt::Horizontal QSizePolicy::MinimumExpanding 40 0 Normally policy compiler uses stateful inspection in each rule. Activating this option makes this rule stateless. 
Qt::AlignVCenter false Stateless rule Qt::Vertical 20 112 Logging 12 12 12 12 12 0 0 200 32767 alert crit error warning notice info debug 0 0 200 32767 Log prefix: false Log level: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false Qt::Horizontal QSizePolicy::MinimumExpanding 0 20 Netlink group (if using ULOG): false 1 32 Qt::Vertical QSizePolicy::MinimumExpanding 20 0 limit 12 12 12 12 12 Module limit Qt::AlignVCenter true Rate (rule matches if it hits this often or less): false 0 0 99999 0 0 200 32767 /day /hour /minute /second Qt::Horizontal QSizePolicy::Fixed 40 20 Negate Qt::Horizontal QSizePolicy::MinimumExpanding 0 0 Burst: false 10000 Qt::Horizontal 886 20 Qt::Vertical QSizePolicy::MinimumExpanding 20 0 connlimit 12 12 12 12 12 Module connlimit false Match if the number of existing connections is above this (translates into option --connlimit-above) false 0 0 99999 Qt::Horizontal QSizePolicy::Expanding 40 20 Negate Qt::Horizontal 168 20 0 0 per network with netmask of false 0 0 10000 0 0 bit false Qt::Horizontal QSizePolicy::Expanding 20 20 Qt::Vertical QSizePolicy::MinimumExpanding 20 0 hashlimit 12 12 12 8 Module hashlimit false Name: false On some older systems this module has name 'dstlimit'. Check here if you need to use this name. Rate: false 0 25 80 32767 99999 0 0 0 25 200 32767 /day /hour /minute /second Burst: false 0 25 80 32767 10000 Qt::Horizontal 108 20 Mode: false 0 0 QFrame::NoFrame QFrame::Raised 12 2 0 2 0 srcip dstip srcport dstport Qt::Horizontal QSizePolicy::Expanding 40 20 QFrame::HLine QFrame::Sunken Qt::Horizontal Options below control size of the hash table and expiration time. They will be omitted from the generated script if set to zero. 
Qt::AlignVCenter true htable-size: false 0 25 The number of buckets of the hash table (omit this option in generated script if set to 0) 999999 htable-max: false 0 25 Maximum number of entries in the hash (omit this option in generated script if set to 0) 999999 htable-expire: false 0 25 After how many milliseconds do hash entries expire (omit this option in the generated script if set to 0) 999999 htable-gcinterval: false 0 25 How many milliseconds between garbage collection intervals (omit this option in generated script if set to 0) 999999 Qt::Horizontal 268 20 Qt::Vertical QSizePolicy::MinimumExpanding 20 0 Tag 12 12 12 12 12 Tag service object: false Qt::Horizontal QSizePolicy::Expanding 615 81 0 0 100 80 9 Tag connections created by packets that match this rule (adds a rule with CONNMARK target) Qt::Vertical QSizePolicy::MinimumExpanding 609 108 Classify 12 12 12 12 12 Classify string: false Qt::Horizontal 928 20 Qt::Vertical QSizePolicy::MinimumExpanding 1105 169 Route 12 12 12 12 12 12 Qt::Vertical 20 17 0 0 500 16777215 0 0 QFrame::StyledPanel QFrame::Raised 600 0 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" content="1" /><style type="text/css"> p, li { white-space: pre-wrap; } </style></head><body style=" font-family:'Sans Serif'; font-size:9pt; font-weight:400; font-style:normal;"> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-weight:600;">Option Route has been deprecated.</span></p></body></html> true Use Custom Action in combination with branching rule to create iptables command with '-j ROUTE' target. This works only if the OS running on your firewall supports this iptables target. 
true Change inbound interface to false Change outbound interface to false Route through gateway false 250 0 Qt::Horizontal 328 17 Qt::Horizontal 373 20 Continue packet inspection Make a copy Qt::Vertical 20 96 12 0 0 QTabWidget::Triangular 0 General 12 12 12 12 Normally policy compiler uses stateful inspection in each rule. Activating next option makes this rule stateless. Qt::AlignVCenter true Stateless rule Send ICMP 'unreachable' packet masquerading as being from the original destination Keep information on fragmented packets, to be applied to later fragments Qt::Vertical 20 100 Logging 12 12 12 12 12 Log facility: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 200 16777215 Qt::Horizontal QSizePolicy::Expanding 20 20 Log level: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 200 16777215 Qt::Vertical QSizePolicy::Expanding 20 30 Route 12 12 12 12 12 12 12 12 12 12 None Route through Route reply through Route a copy through interface false next hop false Qt::Horizontal 548 20 Qt::Vertical QSizePolicy::MinimumExpanding 20 180 12 12 12 12 12 0 0 QTabWidget::Triangular 0 State Tracking Normally policy compiler uses stateful inspection in each rule. Activating this option makes this rule stateless. Force "keep state" to make the rule stateful regardless of the default. Available in OpenBSD 4.5 and later Prevent state changes for states created by this rule from appearing on the pfsync interface. Available in OpenBSD 4.5 and later States created by this rule are exported on the pflow interface. When this option is checked, the number of states per source IP is tracked Activate source tracking. 
0 0 300 0 Maximum number of source addresses which can simultaneously have state table entries (max-src-nodes): Qt::AlignVCenter false 0 0 1000000 Qt::Horizontal 40 20 0 0 300 0 Maximum number of simultaneous state entries that a single source address can create with this rule (max-src-states): Qt::AlignVCenter false 0 0 1000000 Qt::Horizontal 40 20 Qt::Vertical 20 60 Logging 12 12 12 12 12 Log prefix: false Qt::Horizontal QSizePolicy::Expanding 301 20 Qt::Vertical QSizePolicy::Expanding 20 51 Limits 12 12 12 12 12 300 0 Maximum number of concurrent states this rule may create. Unlimited if set to zero (option 'max'). Qt::AlignVCenter false When this limit is reached, further packets matching the rule that would create state are dropped, until existing states time out. 1000000 Qt::Horizontal QSizePolicy::Expanding 101 23 Maximum number of simultaneous TCP connections that a single host can make (max-src-conn): Qt::AlignVCenter false 0 0 1000000 Qt::Horizontal QSizePolicy::Expanding 101 23 The limit of new connections over a time interval (max-src-conn-rate): Qt::AlignVCenter false 0 0 80 32767 1000000 / false 0 0 80 32767 1000000 sec false 0 0 overload table: false 100 0 flush global Qt::Horizontal QSizePolicy::Expanding 431 23 Qt::Vertical QSizePolicy::Expanding 22 41 TCP 12 12 12 12 12 Modulate state synproxy Use sloppy TCP state tracker for this rule Qt::Vertical 20 51 Tag 12 12 12 12 12 Tag service object: false 0 0 100 80 9 Qt::Horizontal 982 77 Qt::Vertical QSizePolicy::MinimumExpanding 108 112 Classify 12 12 12 12 12 Classify string: false Qt::Horizontal 948 20 Qt::Vertical 948 169 Route 12 12 12 12 12 None Route through Route reply through Route a copy through interface false next hop false 300 0 Qt::Horizontal 537 20 12 12 12 12 12 Fastroute Qt::Horizontal QSizePolicy::Fixed 40 20 Load Balancing: None Bitmask Random Source Hash Round Robin Qt::Horizontal 665 20 Qt::Vertical QSizePolicy::MinimumExpanding 553 139 2 2 2 2 2 QTabWidget::Triangular 0 State 
Tracking 12 12 12 12 12 300 0 Normally policy compiler uses stateful inspection in each rule. Activating next option makes this rule stateless. Qt::AlignVCenter false Qt::Horizontal 446 20 Stateless rule Qt::Vertical QSizePolicy::Expanding 20 184 Classify Packet classification can be implemented in different ways: Qt::AlignVCenter false true None dummynet(4) 'pipe' dummynet(4) 'queue' Pipe or queue number: false 80 0 999999 Qt::Horizontal 172 20 Qt::Horizontal 882 20 Qt::Vertical QSizePolicy::MinimumExpanding 20 60 2 2 2 2 2 QFrame::NoFrame QFrame::Raised 12 12 12 12 12 These options are only valid for PIX running software v6.3 or later Qt::AlignVCenter true Qt::Vertical QSizePolicy::Fixed 20 16 completely disable logging for this rule 2 Log level: false Qt::Horizontal QSizePolicy::Expanding 51 20 2 Logging interval: false 600 Qt::Horizontal QSizePolicy::Expanding 51 20 Qt::Vertical QSizePolicy::Expanding 20 20 Compiler can automatically create a rule with mirrored source and destination addresses and service fields. This can be used to match "reply" packets using address and service parameters matched by this rule. The action of the mirrored rule is the same as that of this one. Firewall Builder recognizes the following services and creates "mirrored" versions as follows: true * UDP service: mirrored service has source and destination port ranges reversed * TCP service: mirrored service has source and destination port ranges reversed and "established" flag inverted. If TCP service used in this rule does not have "established" flag, the mirrored service gets it, and the other way around. This is designed to simplify creating ACL rules to permit "reply" TCP packets * ICMP service: ICMP echo request is recognized, mirrored service becomes ICMP echo reply. 
Other ICMP types are simply copied to the mirrored service * ICMPv6 service: like with ICMP, ICMP echo request is recognized and other ICMPv6 types are just copied * IP service: mirrored service is a copy true Add mirror rule Qt::Vertical 20 73 QTabWidget::Triangular 0 Counting Counter name: Qt::Horizontal 80 20 Qt::Vertical 20 235 FWObjectDropArea QWidget
FWObjectDropArea.h
1
tabw0 ipt_assume_fw_is_part_of_any ipt_stateless ipt_logPrefix ipt_logLevel ipt_nlgroup ipt_limit ipt_limitSuffix ipt_limit_not ipt_burst ipt_connlimit ipt_connlimit_above_not ipt_connlimit_masklen ipt_hashlimit_name ipt_hashlimit_dstlimit ipt_hashlimit ipt_hashlimit_suffix ipt_hashlimit_burst cb_srcip cb_dstip cb_srcport cb_dstport ipt_hashlimit_size ipt_hashlimit_max ipt_hashlimit_expire ipt_hashlimit_gcinterval ipt_mark_connections classify_str ipt_iif ipt_oif ipt_gw ipt_continue ipt_tee tabw1 ipf_stateless ipf_masq_icmp ipf_keep_frags ipf_logFacility ipf_logLevel ipf_route_option ipf_route_opt_if ipf_route_opt_addr tabw2 pf_stateless pf_keep_state pf_no_sync pf_pflow pf_source_tracking pf_max_src_nodes pf_max_src_states pf_logPrefix pf_rule_max_state pf_max_src_conn pf_max_src_conn_rate_num pf_max_src_conn_rate_seconds pf_overload_table pf_flush pf_global pf_modulate pf_synproxy pf_sloppy_tracker pf_classify_str pf_route_option pf_route_opt_if pf_route_opt_addr pf_fastroute pf_route_load_option ipfw_stateless usePortNum pix_disable_rule_log pix_logLevel pix_log_interval iosacl_add_mirror_rule tabWidget ipt_connlimit_above_not clicked() RuleOptionsDialog_q connlimitAboveLabelChange() 868 105 566 162 ipt_limit_not clicked() RuleOptionsDialog_q limitLabelChange() 630 103 566 162 changed() connlimitAboveLabelChange() limitLabelChange()
fwbuilder-5.3.7/src/libgui/rulesetdialog_q.ui000066400000000000000000000171401303637203600213030ustar00rootroot00000000000000 RuleSetDialog_q true 0 0 824 260 0 0 Ruleset QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 1 0 200 0 16777215 250 Rule set: 0 0 250 16777215 false IPv4 IPv6 IPv4 and IPv6 Qt::Horizontal 130 20 Top ruleset true 0 0 0 0 16777215 16777215 Qt::LeftToRight false Table Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop false false mangle table filter+mangle table Qt::Vertical 20 26 0 0 CommentKeywords QWidget
CommentKeywords.h
1
changed()
fwbuilder-5.3.7/src/libgui/rulesetdiffdialog_q.ui000066400000000000000000000306751303637203600221400ustar00rootroot00000000000000 RuleSetDiffDialog_q Qt::ApplicationModal 0 0 800 600 Diff Viewer Firewall 1 0 200 0 Ruleset 1 0 200 0 Qt::Horizontal 20 20 QFormLayout::AllNonFixedFieldsGrow 6 6 0 0 0 16 16 QFrame::Panel QFrame::Sunken 65 0 Add (0) 0 0 16 16 QFrame::Panel QFrame::Sunken 65 0 Edit (0) 6 0 0 16 16 QFrame::Panel QFrame::Sunken 65 0 Remove (0) 0 0 16 16 QFrame::Panel QFrame::Sunken 65 0 Move (0) Qt::Horizontal 40 20 Qt::Horizontal 40 20 0 0 16777215 16777215 Close Qt::Horizontal 40 20 Qt::LeftToRight Display unmodified rules QLayout::SetNoConstraint 10 Current version Qt::AlignCenter Original version Qt::AlignCenter 1 1 QFrame::StyledPanel QFrame::Raised 1 1 QFrame::StyledPanel QFrame::Raised pushButton clicked() RuleSetDiffDialog_q accept() 738 23 587 22 fwbuilder-5.3.7/src/libgui/secuwallAdvancedDialog.cpp000066400000000000000000000227261303637203600226560ustar00rootroot00000000000000/* * secuwallAdvancedDialog.cpp - secuwall advanced host OS dialog implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. 
 *
 * o The terms of NetCitadel End User License Agreement
 */

// secuwallAdvancedDialog: "advanced settings" dialog for the secunet wall
// (iptables based) firewall platform. The constructor binds dialog widgets
// to FWOptions keys through DialogData; accept() writes the widget values
// into a copy of the firewall object and pushes an undo command.

#include "../../config.h"
#include "global.h"
#include "platforms.h"
#include "secuwallAdvancedDialog.h"
#include "SimpleTextEditor.h"
#include "FWWindow.h"
#include "Help.h"
#include "FWCmdChange.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
// NOTE(review): the <...> targets of the Qt / standard includes on the next
// line (and template arguments such as std::auto_ptr<FWCmdChange> further
// down) were stripped by the extraction of this listing; they are not
// missing in the real source.
#include #include #include #include #include #include #include #include #include #include

using namespace std;
using namespace libfwbuilder;

// The generated Ui object is owned by the dialog; nothing else is released.
secuwallAdvancedDialog::~secuwallAdvancedDialog()
{
    delete m_dialog;
}

// Build the dialog for firewall object `o` and register every widget with
// the FWOptions key it edits. Combo boxes are filled (clear/addItems) before
// they are registered so that the screen-name/value list passed as `slm`
// matches the items; the actual values are pulled in by data.loadAll().
secuwallAdvancedDialog::secuwallAdvancedDialog(QWidget *parent, FWObject *o)
    : QDialog(parent)
{
    m_dialog = new Ui::secuwallAdvancedDialog_q;
    m_dialog->setupUi(this);
    obj=o;

    QStringList slm;

    string platform = obj->getStr("platform");
    // NOTE(review): operator[] on platform_res inserts a null entry for an
    // unknown platform string and the -> would then dereference it.
    // Presumably `platform` is always a registered platform when this
    // dialog is opened -- confirm at the call site.
    string description = Resources::platform_res[platform]->
        getResourceStr("/FWBuilderResources/Target/description");
    setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str()));

    // Both objects are required. assert() is compiled out in release
    // builds, so a NULL here would surface as a crash on first use instead.
    FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
    assert(fwoptions!=NULL);
    Management *mgmt=(Firewall::cast(obj))->getManagementObject();
    assert(mgmt!=NULL);

    /* page "Logging": LOG target details and syslog level */
    data.registerOption(m_dialog->logTCPseq, fwoptions, "log_tcp_seq");
    data.registerOption(m_dialog->logTCPopt, fwoptions, "log_tcp_opt");
    data.registerOption(m_dialog->logIPopt, fwoptions, "log_ip_opt");
    data.registerOption(m_dialog->logNumsyslog, fwoptions, "use_numeric_log_levels");

    slm = getLogLevels(obj->getStr("platform").c_str());
    m_dialog->logLevel->clear();
    m_dialog->logLevel->addItems(getScreenNames(slm));
    data.registerOption(m_dialog-> logLevel, fwoptions, "log_level", slm);

    // ULOG options are registered (so the stored values round-trip) even
    // though the ULOG radio button is disabled for this platform below.
    data.registerOption(m_dialog->useULOG, fwoptions, "use_ULOG");
    data.registerOption(m_dialog->cprange, fwoptions, "ulog_cprange");
    data.registerOption(m_dialog->qthreshold, fwoptions, "ulog_qthreshold");
    data.registerOption(m_dialog->nlgroup, fwoptions, "ulog_nlgroup");
    data.registerOption(m_dialog->logprefix, fwoptions, "log_prefix");

    slm=getLimitSuffixes(obj->getStr("platform").c_str());
    m_dialog->logLimitSuffix->clear();
    m_dialog->logLimitSuffix->addItems(getScreenNames(slm));
    data.registerOption(m_dialog-> logLimitSuffix, fwoptions, "limit_suffix", slm);
    data.registerOption(m_dialog->logLimitVal, fwoptions, "limit_value");
    data.registerOption(m_dialog->logAll, fwoptions, "log_all");

    /* page "Compiler" */
    data.registerOption(m_dialog->compiler, fwoptions, "compiler");
    data.registerOption(m_dialog->compilerArgs, fwoptions, "cmdline");
    data.registerOption(m_dialog->assumeFwIsPartOfAny, fwoptions, "firewall_is_part_of_any_and_networks");
    data.registerOption(m_dialog->acceptSessions, fwoptions, "accept_new_tcp_with_no_syn");
    data.registerOption(m_dialog->dropInvalid, fwoptions, "drop_invalid");
    data.registerOption(m_dialog->logInvalid, fwoptions, "log_invalid");
    data.registerOption(m_dialog->acceptESTBeforeFirst, fwoptions, "accept_established");
    data.registerOption(m_dialog->bridge, fwoptions, "bridging_fw");
    data.registerOption(m_dialog->shadowing, fwoptions, "check_shading");
    data.registerOption(m_dialog->emptyGroups, fwoptions, "ignore_empty_groups");
    data.registerOption(m_dialog->localNAT, fwoptions, "local_nat");
    data.registerOption(m_dialog->clampMSStoMTU, fwoptions, "clamp_mss_to_mtu");

    slm = getActionsOnReject(obj->getStr("platform").c_str());
    m_dialog->actionOnReject->clear();
    m_dialog->actionOnReject->addItems(getScreenNames(slm));
    data.registerOption(m_dialog-> actionOnReject, fwoptions,"action_on_reject", slm);

    // Management ssh access: the .ui labels these "Always permit ssh access
    // from the management workstation with this address" and "Install the
    // rule for ssh access ... when the firewall is stopped".
    // NOTE(review): mgmt_addr is stored as entered, no validation visible
    // here -- presumably the policy compiler checks it. An overly broad
    // value (a network instead of a host) widens the always-open ssh rule.
    data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh");
    data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr");
    data.registerOption(m_dialog->add_mgmt_ssh_rule_when_stoped, fwoptions, "add_mgmt_ssh_rule_when_stoped");

    /* page "Script": what the generated script is allowed to touch */
    data.registerOption(m_dialog->addVirtualsforNAT, fwoptions, "manage_virtual_addr");
    data.registerOption(m_dialog->configureInterfaces, fwoptions, "configure_interfaces");
    data.registerOption(m_dialog->iptDebug, fwoptions, "debug");
    data.registerOption(m_dialog->verifyInterfaces, fwoptions, "verify_interfaces");
    data.registerOption(m_dialog->allowReboot, fwoptions, "allow_reboot");
    data.registerOption(m_dialog->iptablesRestoreActivation, fwoptions, "use_iptables_restore");

    /* page "Installer": built-in installer (ssh/scp) parameters */
    data.registerOption(m_dialog->altAddress, fwoptions, "altAddress");
    data.registerOption(m_dialog->sshArgs, fwoptions, "sshArgs");
    data.registerOption(m_dialog->scpArgs, fwoptions, "scpArgs");
    data.registerOption(m_dialog->activationCmd, fwoptions, "activationCmd");

    // External install script lives on the Management object, not in
    // FWOptions, so it is loaded/saved by hand rather than via `data`.
    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
    m_dialog->installScript->setText(pis->getCommand().c_str());
    m_dialog->installScriptArgs->setText(pis->getArguments().c_str());

    /* page "Prolog/Epilog" */
    // Per the .ui, both scripts are "added verbatim" to the generated
    // configuration, i.e. they run with whatever privileges the activation
    // script has (presumably root on the firewall). Anyone who can edit the
    // data file can therefore run arbitrary commands there.
    data.registerOption(m_dialog->prolog_script, fwoptions, "prolog_script");

    QStringList prologPlaces_ipt;
    prologPlaces_ipt.push_back(QObject::tr("on top of the script"));
    prologPlaces_ipt.push_back("top");
    prologPlaces_ipt.push_back(QObject::tr("after interface configuration"));
    prologPlaces_ipt.push_back("after_interfaces");
    // bug #2820840: can't put prolog "after policy reset" if iptables-restore
    if (!fwoptions->getBool("use_iptables_restore"))
    {
        prologPlaces_ipt.push_back(QObject::tr("after policy reset"));
        prologPlaces_ipt.push_back("after_flush");
    }
    m_dialog->prologPlace->clear();
    m_dialog->prologPlace->addItems(getScreenNames(prologPlaces_ipt));
    data.registerOption(m_dialog-> prologPlace, fwoptions, "prolog_place", prologPlaces_ipt);

    data.registerOption(m_dialog->epilog_script, fwoptions, "epilog_script");

    data.loadAll();

    /* Now set sane values after loading data */
    /* secuwall supports currently only LOG, not ULOG */
    m_dialog->useLOG->setChecked(true);
    switchLOG_ULOG();
    m_dialog->useULOG->setEnabled(false);

    m_dialog->tabWidget->setCurrentIndex(0);
}

// Keep the LOG / ULOG radio buttons mutually exclusive and show the matching
// page of logTargetStack (0 = LOG, 1 = ULOG). Connected to useLOG's
// toggled(bool) in secuwalladvanceddialog_q.ui and called once from the
// constructor.
void secuwallAdvancedDialog::switchLOG_ULOG()
{
    m_dialog->useLOG->setChecked(!m_dialog->useULOG->isChecked());
    if (m_dialog->useLOG->isChecked())
        m_dialog->logTargetStack->setCurrentIndex(0);
    else
        m_dialog->logTargetStack->setCurrentIndex(1);
}

/*
 * store all data in the object
 *
 * Works on a copy of the firewall (FWCmdChange's "new state") and pushes an
 * undo command only when that copy differs from the current object, so an
 * unchanged dialog leaves the undo stack untouched.
 */
void secuwallAdvancedDialog::accept()
{
    ProjectPanel *project = mw->activeProject();
    // NOTE(review): std::auto_ptr is deprecated since C++11 and removed in
    // C++17; std::unique_ptr is the drop-in replacement.
    std::auto_ptr cmd(new FWCmdChange(project, obj));
    // new_state is a copy of the fw object
    FWObject* new_state = cmd->getNewState();
    FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject();
    assert(fwoptions!=NULL);
    Management *mgmt = (Firewall::cast(new_state))->getManagementObject();
    assert(mgmt!=NULL);

    data.saveAll(fwoptions);

    /********************* data for fwbd and install script **************/
    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();

    // find first interface marked as "management"
    // (read from `obj`, the current object, rather than `new_state`;
    // presumably equivalent since this dialog does not edit interfaces)
    const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress();
    if (mgmt_addr)
    {
        mgmt->setAddress(*mgmt_addr);
    }

    // The external install script path and arguments are taken as typed.
    // NOTE(review): toLatin1() silently replaces characters outside
    // Latin-1, so non-Latin paths would be mangled; and whatever is stored
    // here is executed by the installer in place of the built-in one, so
    // the data file must be trusted to the same degree as a shell script.
    pis->setCommand(m_dialog->installScript->text().toLatin1().constData());
    pis->setArguments(m_dialog->installScriptArgs->text().toLatin1().constData());

    if (!cmd->getOldState()->cmp(new_state, true))
    {
        project->undoStack->push(cmd.release());
    }

    QDialog::accept();
}

void secuwallAdvancedDialog::reject()
{
    QDialog::reject();
}

// Edit the prolog script in the larger SimpleTextEditor; the text box is
// only updated if the editor is accepted.
void secuwallAdvancedDialog::editProlog()
{
    SimpleTextEditor edt(this,
                         m_dialog->prolog_script->toPlainText(),
                         true, tr("Script Editor" ));
    if (edt.exec() == QDialog::Accepted)
    {
        m_dialog->prolog_script->setText(edt.text());
    }
}

// Same as editProlog() for the epilog script.
void secuwallAdvancedDialog::editEpilog()
{
    SimpleTextEditor edt(this,
                         m_dialog->epilog_script->toPlainText(),
                         true, tr("Script Editor" ));
    if (edt.exec() == QDialog::Accepted)
    {
        m_dialog->epilog_script->setText(edt.text());
    }
}

// Open the help window at the anchor derived from the current tab title
// ("/" and " " become "-", lower-cased; e.g. "Prolog/Epilog" ->
// "prolog-epilog"). The help window name is the generic iptables one.
void secuwallAdvancedDialog::help()
{
    QString tab_title = m_dialog->tabWidget->tabText(
        m_dialog->tabWidget->currentIndex());
    QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower();
    Help *h = Help::getHelpWindow(this);
    h->setName("Firewall platform: iptables");
    h->setSource(QUrl("secuwallAdvancedDialog.html#" + anchor));
    h->show();
    h->raise();
}
fwbuilder-5.3.7/src/libgui/secuwallAdvancedDialog.h000066400000000000000000000024061303637203600223160ustar00rootroot00000000000000/* * secuwallAdvancedDialog.h - secunet wall advanced host OS settings dialog * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #ifndef __SECUWALLADVANCEDDIALOG_H_ #define __SECUWALLADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class secuwallAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; protected: Ui::secuwallAdvancedDialog_q *m_dialog; public: secuwallAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~secuwallAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); virtual void editProlog(); virtual void editEpilog(); public slots: virtual void switchLOG_ULOG(); }; #endif // __SECUWALLADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/secuwallIfaceOptsDialog.cpp000066400000000000000000000101301303637203600230120ustar00rootroot00000000000000/* * secuwallIfaceOptsDialog.cpp - secunet wall Interface options implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. 
 *
 * o The terms of NetCitadel End User License Agreement
 */

// secuwallIfaceOptsDialog: per-interface options for the secunet wall
// platform (MTU, ARP, boot-time enable, free-form options, VLAN id). The
// "Device Type" combo is hidden for cluster interfaces, whose type is forced
// to "cluster_interface" in accept().

#include "secuwallIfaceOptsDialog.h"
#include "platforms.h"
#include "FWCmdChange.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Firewall.h"
#include "FWWindow.h"
#include "Help.h"
// NOTE(review): the <...> targets of the two includes on the next line (and
// the template argument of std::auto_ptr<...> in accept()) were stripped by
// the extraction of this listing; they are not missing in the real source.
#include #include

using namespace std;
using namespace libfwbuilder;

// Build the dialog for interface object `o`. `cluster_interface` is true
// when the interface's parent object is a Cluster.
secuwallIfaceOptsDialog::secuwallIfaceOptsDialog(QWidget *parent, FWObject *o)
    : QDialog(parent)
{
    m_dialog = new Ui::secuwallIfaceOptsDialog_q;
    m_dialog->setupUi(this);
    obj = o;

    FWOptions *ifopt = (Interface::cast(obj))->getOptionsObject();
    cluster_interface = (Cluster::cast(obj->getParent()) != NULL);

    // Fill the type combo with the types valid for this interface and
    // pre-select the stored one.
    setInterfaceTypes(m_dialog->iface_type,
                      Interface::cast(obj),
                      ifopt->getStr("type").c_str());

    // Using "type" control only for subinterfaces
    // and main interfaces of the firewall objects
    if (cluster_interface)
    {
        m_dialog->iface_type->hide();
        m_dialog->iface_type_label->hide();
    } else
    {
        m_dialog->iface_type->show();
        m_dialog->iface_type_label->show();
    }

    // Widget <-> option bindings. Numeric ranges (MTU 1..1500, VLAN ID up
    // to 4095) are enforced by the spin boxes in
    // secuwallifaceoptsdialog_q.ui, not here.
    data.registerOption(m_dialog->iface_mtu, ifopt, "iface_mtu");
    data.registerOption(m_dialog->iface_disablearp, ifopt, "iface_disablearp");
    data.registerOption(m_dialog->iface_disableboot, ifopt, "iface_disableboot");
    // Free-form "Options" text; NOTE(review): it is stored unvalidated and
    // how the generated configuration consumes it is not visible in this
    // file -- check the secuwall configlets for quoting.
    data.registerOption(m_dialog->iface_options, ifopt, "iface_options");
    data.registerOption(m_dialog->vlan_id, ifopt, "vlan_id");

    data.loadAll();

    // perform special actions for different iface types
    typeChanged("");
}

secuwallIfaceOptsDialog::~secuwallIfaceOptsDialog()
{
    delete m_dialog;
}

/*
 * store all data in the object
 *
 * Works on a copy of the interface (FWCmdChange's new state) and pushes an
 * undo command only if the copy differs from the current object.
 */
void secuwallIfaceOptsDialog::accept()
{
    ProjectPanel *project = mw->activeProject();
    // NOTE(review): std::auto_ptr is deprecated since C++11 and removed in
    // C++17; std::unique_ptr is the drop-in replacement.
    std::auto_ptr cmd( new FWCmdChange(project, obj));
    // new_state is a copy of the interface object
    FWObject* new_state = cmd->getNewState();
    FWOptions* ifopt = Interface::cast(new_state)->getOptionsObject();
    assert(ifopt!=NULL);   // compiled out in release builds

    if (cluster_interface)
    {
        // cluster interfaces always get this fixed type; the combo is hidden
        ifopt->setStr("type", "cluster_interface");
    } else
    {
        // the stored value is the combo item's userData, not its label
        QString new_type =
            m_dialog->iface_type->itemData(
                m_dialog->iface_type->currentIndex()).toString();
        ifopt->setStr("type", new_type.toStdString());
    }

    data.saveAll(ifopt);

    if (!cmd->getOldState()->cmp(new_state, true))
        project->undoStack->push(cmd.release());

    QDialog::accept();
}

void secuwallIfaceOptsDialog::reject()
{
    QDialog::reject();
}

// Open the help window at the anchor derived from the current tab title
// ("/" and " " become "-", lower-cased).
void secuwallIfaceOptsDialog::help()
{
    QString tab_title = m_dialog->tabWidget->tabText(
        m_dialog->tabWidget->currentIndex());
    QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower();
    Help *h = Help::getHelpWindow(this);
    h->setName("Interface secunet wall");
    h->setSource(QUrl("secuwallIfaceOptsDialog.html#" + anchor));
    // raise() before show() here, the reverse of secuwallAdvancedDialog::
    // help(); harmless, but the two could be made consistent.
    h->raise();
    h->show();
}

// Slot for iface_type's currentIndexChanged(QString) (wired in the .ui).
// The argument is ignored; the type is re-read from the combo's userData.
void secuwallIfaceOptsDialog::typeChanged(const QString&)
{
    QString new_type =
        m_dialog->iface_type->itemData(
            m_dialog->iface_type->currentIndex()).toString();

    // enable VLAN page for type VLAN
    if (new_type == "8021q")
    {
        m_dialog->options_stack->setCurrentIndex(1);
        return;
    }

    // page 0 is empty
    m_dialog->options_stack->setCurrentIndex(0);
}
fwbuilder-5.3.7/src/libgui/secuwallIfaceOptsDialog.h000066400000000000000000000023321303637203600224640ustar00rootroot00000000000000
/*
 * secuwallIfaceOptsDialog.h - Interface options dialog for secunet wall
 *
 * Copyright (c) 2008 secunet Security Networks AG
 * Copyright (c) 2008 Adrian-Ken Rueegsegger
 * Copyright (c) 2008 Reto Buerki
 *
 * This work is dual-licensed under:
 *
 * o The terms of the GNU General Public License as published by the Free
 * Software Foundation, either version 2 of the License, or (at your option)
 * any later version.
* * o The terms of NetCitadel End User License Agreement */ #ifndef __SECUWALLIFACEOPTSDIALOG_H_ #define __SECUWALLIFACEOPTSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class secuwallIfaceOptsDialog : public QDialog { Q_OBJECT public: secuwallIfaceOptsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~secuwallIfaceOptsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::secuwallIfaceOptsDialog_q *m_dialog; bool cluster_interface; protected slots: virtual void accept(); virtual void reject(); virtual void help(); void typeChanged(const QString&); }; #endif // __SECUWALLIFACEOPTSDIALOG_H_ fwbuilder-5.3.7/src/libgui/secuwalladvanceddialog_q.ui000066400000000000000000001355201303637203600231300ustar00rootroot00000000000000 secuwallAdvancedDialog_q Qt::WindowModal true 0 0 762 665 0 0 iptables: advanced settings false Help Qt::Horizontal QSizePolicy::Expanding 351 27 &OK true true &Cancel true 0 0 0 Compiler Compiler: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 32767 22 0 0 Command line options for the compiler: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 32767 22 QFrame::HLine QFrame::Sunken Qt::Horizontal Qt::Vertical QSizePolicy::Maximum 0 0 0 0 Assume firewall is part of 'any' Qt::Horizontal QSizePolicy::Maximum 30 150 0 0 Accept TCP sessions opened prior to firewall restart 0 0 Accept ESTABLISHED and RELATED packets before the first rule Drop packets that are associated with no known connection and log them Qt::Horizontal QSizePolicy::Expanding 80 20 0 0 Bridging firewall 0 0 Detect shadowing in policy rules 0 0 Ignore empty groups in rules 0 0 Enable support for NAT of locally originated connections 0 0 This adds a rule on top of the policy with iptables target TCPMSS and option --clamp-mss-to-pmtu. Generation of this command is version-dependent and also depends on the setting of ip or ipv6 forwarding in host settings dialog. 
Clamp MSS to MTU Default action on 'Reject': false Qt::Horizontal QSizePolicy::Expanding 72 20 QFrame::HLine QFrame::Sunken Qt::Horizontal Qt::Horizontal QSizePolicy::Fixed 30 50 Always permit ssh access from the management workstation with this address: 0 0 32767 32767 Install the rule for ssh access from the management workstation when the firewall is stopped Qt::Vertical QSizePolicy::Expanding 20 20 Installer 6 Built-in installer 6 Additional command line parameters for ssh false 0 0 300 0 Additional command line parameters for scp false 0 0 300 0 Alternative name or address used to communicate with the firewall (also putty session name on Windows) Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 0 0 250 0 0 0 250 0 Qt::Vertical QSizePolicy::Expanding 20 120 External install script 0 0 Policy install script (using built-in installer if this field is blank): Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter true 0 0 300 0 0 0 Command line options for the script: Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false 0 0 300 0 Prolog/Epilog 6 6 6 Edit Qt::Horizontal QSizePolicy::Expanding 40 20 The following commands will be added verbatim after generated configuration Qt::AlignVCenter true 6 The following commands will be added verbatim on top of generated configuration Qt::AlignVCenter true Edit Insert prolog script false 0 0 on top of the script after interface configuration after policy reset Logging 6 20 true false 20 12 use ULOG use LOG 0 0 log TCP seq. 
numbers log IP options use numeric syslog levels Log level: false log TCP options 0 1500 cprange false 1 queue threshold: false netlink group: false 1 32 Qt::Vertical QSizePolicy::Expanding 20 16 0 0 QFrame::VLine QFrame::Sunken Qt::Vertical 0 0 Log prefix: false 32 Logging limit: false 10000 0 0 Activate logging in all rules (overrides rule options, use for debugging) Qt::Vertical QSizePolicy::Expanding 20 40 Qt::Vertical QSizePolicy::Expanding 20 16 Script Qt::Horizontal QSizePolicy::Fixed 30 20 0 0 Allow reboot to load modules (only if needed) Qt::Vertical QSizePolicy::Fixed 556 18 0 0 Turn debugging on in generated script Qt::Vertical QSizePolicy::Fixed 556 18 Managing interfaces and addresses 0 0 Verify interfaces before loading firewall policy 0 0 Configure Interfaces of the running firewall machine 0 0 Add virtual addresses for NAT Qt::Vertical QSizePolicy::Fixed 556 40 Generated script can load rules one by one by calling iptables command line utility, or activate them all at once using iptables-restore. In both cases you just run the script with command line parameter "start" to activate the policy, the script will use iptables-restore automatically if this checkbox is on. true 0 0 iptables-restore replaces firewall policy in one atomic transaction Use iptables-restore to activate policy Qt::Vertical QSizePolicy::Expanding 20 200 Warning: rebooting breaks the connectivity until the firewall is up again. The outage can be up to minutes, depending on how fast the machine restarts. true If debugging is turned on, the script will run with shell option "-x" that makes it print every command it executes. Warning: this produces a lot of debugging output. true Warning: this breaks the connectivity until all interfaces are 'up' again. 
The outage is typically < 10 seconds true tabWidget compiler compilerArgs assumeFwIsPartOfAny acceptSessions acceptESTBeforeFirst dropInvalid logInvalid bridge shadowing emptyGroups localNAT clampMSStoMTU actionOnReject mgmt_ssh mgmt_addr add_mgmt_ssh_rule_when_stoped altAddress activationCmd sshArgs scpArgs installScript installScriptArgs prolog_script prologPlace edit_prolog_button epilog_script edit_epilog_button useLOG useULOG logTCPseq logTCPopt logIPopt logNumsyslog logLevel logprefix logLimitVal logLimitSuffix logAll allowReboot iptDebug verifyInterfaces configureInterfaces addVirtualsforNAT iptablesRestoreActivation buttonHelp buttonOk buttonCancel cprange qthreshold nlgroup buttonOk clicked() secuwallAdvancedDialog_q accept() 20 20 20 20 buttonCancel clicked() secuwallAdvancedDialog_q reject() 20 20 20 20 buttonHelp clicked() secuwallAdvancedDialog_q help() 20 20 20 20 useLOG toggled(bool) secuwallAdvancedDialog_q switchLOG_ULOG() 20 20 20 20 edit_prolog_button clicked() secuwallAdvancedDialog_q editProlog() 20 20 20 20 edit_epilog_button clicked() secuwallAdvancedDialog_q editEpilog() 20 20 20 20 fwbuilder-5.3.7/src/libgui/secuwallifaceoptsdialog_q.ui000066400000000000000000000272001303637203600233330ustar00rootroot00000000000000 secuwallIfaceOptsDialog_q 0 0 347 438 secunet wall: interface settings Help Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 Options :/Icons/Options:/Icons/Options Qt::Vertical QSizePolicy::Fixed 20 16 Specify secunet wall advanced interface options below Qt::AlignCenter true Qt::Vertical QSizePolicy::Fixed 20 16 Qt::RightToLeft MTU 1 1500 1500 Qt::RightToLeft Options Qt::RightToLeft Device Type Qt::Horizontal 40 20 Qt::Vertical QSizePolicy::Minimum 20 20 Qt::Horizontal 40 20 0 0 0 true Qt::RightToLeft VLAN ID 4095 Qt::Horizontal 140 20 Qt::Horizontal 141 20 Qt::Horizontal 40 20 Qt::Horizontal 40 20 Disable at boot Disable ARP on this interface Qt::Vertical 20 40 buttonOk buttonCancel 
tabWidget buttonOk clicked() secuwallIfaceOptsDialog_q accept() 316 472 20 20 buttonCancel clicked() secuwallIfaceOptsDialog_q reject() 397 472 20 20 buttonHelp clicked() secuwallIfaceOptsDialog_q help() 68 464 231 245 iface_type currentIndexChanged(QString) secuwallIfaceOptsDialog_q typeChanged(QString) 287 196 286 261 fwbuilder-5.3.7/src/libgui/secuwallosAdvancedDialog.cpp000066400000000000000000000355161303637203600232230ustar00rootroot00000000000000/* * secuwallosAdvancedDialog.cpp - secuwall advanced host OS dialog implementation * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #include "../../config.h" #include "global.h" #include "platforms.h" #include #include "secuwallosAdvancedDialog.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "Help.h" using namespace std; using namespace libfwbuilder; secuwallosAdvancedDialog::~secuwallosAdvancedDialog() { delete m_dialog; } secuwallosAdvancedDialog::secuwallosAdvancedDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::secuwallosAdvancedDialog_q; m_dialog->setupUi(this); setWindowModality(Qt::WindowModal); obj = o; FWOptions *fwopt = (Firewall::cast(obj))->getOptionsObject(); assert(fwopt != NULL); // mappings from value to QComboBox index QStringList threeStateMapping; QStringList resoStateMapping; threeStateMapping.push_back(QObject::tr("No change")); threeStateMapping.push_back(""); threeStateMapping.push_back(QObject::tr("On")); threeStateMapping.push_back("1"); threeStateMapping.push_back(QObject::tr("Off")); 
threeStateMapping.push_back("0"); resoStateMapping.push_back(""); resoStateMapping.push_back("none"); resoStateMapping.push_back("Hosts"); resoStateMapping.push_back("files"); resoStateMapping.push_back("DNS"); resoStateMapping.push_back("dns"); resoStateMapping.push_back("NIS"); resoStateMapping.push_back("nis"); resoStateMapping.push_back("NIS+"); resoStateMapping.push_back("nisplus"); resoStateMapping.push_back("DB"); resoStateMapping.push_back("db"); // management settings data.registerOption(m_dialog->secuwall_mgmt_mgmtaddr, fwopt, "secuwall_mgmt_mgmtaddr"); data.registerOption(m_dialog->secuwall_mgmt_loggingaddr, fwopt, "secuwall_mgmt_loggingaddr"); data.registerOption(m_dialog->secuwall_mgmt_snmpaddr, fwopt, "secuwall_mgmt_snmpaddr"); data.registerOption(m_dialog->secuwall_mgmt_rosnmp, fwopt, "secuwall_mgmt_rosnmp"); data.registerOption(m_dialog->secuwall_mgmt_ntpaddr, fwopt, "secuwall_mgmt_ntpaddr"); data.registerOption(m_dialog->secuwall_mgmt_nagiosaddr, fwopt, "secuwall_mgmt_nagiosaddr"); data.registerOption(m_dialog->secuwall_mgmt_varpart, fwopt, "secuwall_mgmt_varpart"); data.registerOption(m_dialog->secuwall_mgmt_confpart, fwopt, "secuwall_mgmt_confpart"); data.registerOption(m_dialog->secuwall_mgmt_rules_disable, fwopt, "secuwall_mgmt_rules_disable"); // dns settings data.registerOption(m_dialog->secuwall_dns_srv1, fwopt, "secuwall_dns_srv1"); data.registerOption(m_dialog->secuwall_dns_srv2, fwopt, "secuwall_dns_srv2"); data.registerOption(m_dialog->secuwall_dns_srv3, fwopt, "secuwall_dns_srv3"); data.registerOption(m_dialog->secuwall_dns_domains, fwopt, "secuwall_dns_domains"); data.registerOption(m_dialog->secuwall_dns_reso1, fwopt, "secuwall_dns_reso1", resoStateMapping); data.registerOption(m_dialog->secuwall_dns_reso2, fwopt, "secuwall_dns_reso2", resoStateMapping); data.registerOption(m_dialog->secuwall_dns_reso3, fwopt, "secuwall_dns_reso3", resoStateMapping); data.registerOption(m_dialog->secuwall_dns_reso4, fwopt, "secuwall_dns_reso4", 
resoStateMapping); data.registerOption(m_dialog->secuwall_dns_reso5, fwopt, "secuwall_dns_reso5", resoStateMapping); // hosts settings data.registerOption(m_dialog->secuwall_dns_hosts, fwopt, "secuwall_dns_hosts", resoStateMapping); // iptables / routing and TCP data.registerOption(m_dialog->linux24_log_martians, fwopt, "linux24_log_martians", threeStateMapping); data.registerOption(m_dialog->linux24_accept_redirects, fwopt, "linux24_accept_redirects", threeStateMapping); data.registerOption(m_dialog->linux24_icmp_echo_ignore_all, fwopt, "linux24_icmp_echo_ignore_all", threeStateMapping); data.registerOption(m_dialog->linux24_icmp_echo_ignore_broadcasts, fwopt, "linux24_icmp_echo_ignore_broadcasts", threeStateMapping); data.registerOption(m_dialog->linux24_icmp_ignore_bogus_error_responses, fwopt, "linux24_icmp_ignore_bogus_error_responses", threeStateMapping); data.registerOption(m_dialog->linux24_ip_dynaddr, fwopt, "linux24_ip_dynaddr", threeStateMapping); data.registerOption(m_dialog->linux24_rp_filter, fwopt, "linux24_rp_filter", threeStateMapping); data.registerOption(m_dialog->linux24_accept_source_route, fwopt, "linux24_accept_source_route", threeStateMapping); data.registerOption(m_dialog->linux24_ip_forward, fwopt, "linux24_ip_forward", threeStateMapping); data.registerOption(m_dialog->linux24_ipv6_forward, fwopt, "linux24_ipv6_forward", threeStateMapping); data.registerOption(m_dialog->linux24_tcp_fin_timeout, fwopt, "linux24_tcp_fin_timeout"); data.registerOption(m_dialog->linux24_tcp_keepalive_interval, fwopt, "linux24_tcp_keepalive_interval"); data.registerOption(m_dialog->linux24_tcp_window_scaling, fwopt, "linux24_tcp_window_scaling", threeStateMapping); data.registerOption(m_dialog->linux24_tcp_sack, fwopt, "linux24_tcp_sack", threeStateMapping); data.registerOption(m_dialog->linux24_tcp_fack, fwopt, "linux24_tcp_fack", threeStateMapping); data.registerOption(m_dialog->linux24_tcp_ecn, fwopt, "linux24_tcp_ecn", threeStateMapping); 
data.registerOption(m_dialog->linux24_tcp_syncookies, fwopt, "linux24_tcp_syncookies", threeStateMapping); data.registerOption(m_dialog->linux24_tcp_timestamps, fwopt, "linux24_tcp_timestamps", threeStateMapping); // additional files data.registerOption(m_dialog->additional_files_enabled, fwopt, "secuwall_add_files"); data.registerOption(m_dialog->additional_files_dir, fwopt, "secuwall_add_files_dir"); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void secuwallosAdvancedDialog::accept() { // validate user input before saving if (!validate()) return; ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); data.saveAll(fwoptions); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void secuwallosAdvancedDialog::reject() { QDialog::reject(); } void secuwallosAdvancedDialog::help() { QString tab_title = m_dialog->tabWidget->tabText( m_dialog->tabWidget->currentIndex()); QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower(); Help *h = Help::getHelpWindow(this); h->setName("Host secunet wall"); h->setSource(QUrl("secuwallosAdvancedDialog.html#" + anchor)); h->raise(); h->show(); } void secuwallosAdvancedDialog::additionalChanged(int state) { if (state == Qt::Checked) { m_dialog->templdir_label->setEnabled(true); m_dialog->additional_files_dir->setEnabled(true); m_dialog->buttonBrowse->setEnabled(true); m_dialog->buttonOpenURL->setEnabled(true); } else { m_dialog->templdir_label->setEnabled(false); m_dialog->additional_files_dir->setEnabled(false); m_dialog->buttonBrowse->setEnabled(false); m_dialog->buttonOpenURL->setEnabled(false); } } void secuwallosAdvancedDialog::buttonBrowseClicked() { QString templ_dir = 
QFileDialog::getExistingDirectory (this, tr("Select templates directory"), m_dialog->additional_files_dir->text(), QFileDialog::DontResolveSymlinks); if (templ_dir == "") { return ; } m_dialog->additional_files_dir->setText(templ_dir); } void secuwallosAdvancedDialog::buttonOpenURLClicked() { bool ok = true; QString message; QString path = m_dialog->additional_files_dir->text(); QUrl url("file://" + path); if (!url.isValid()) { ok = false; message = tr("URL is not valid: %1").arg(path); } else { // note: "Warning: unknown mime-type" errors can not be detected here if (!QDesktopServices::openUrl(url)) { ok = false; message = tr("Could not open URL: %1").arg(url.toLocalFile()); } } if (!ok) { QMessageBox::warning (this, "Firewall Builder", message, "&Continue", QString::null, QString::null, 0, 1); } } bool secuwallosAdvancedDialog::validate() { bool valid = true; QWidget *focus = NULL; QString message; // widgets to verify struct _tocheck { QLineEdit* widget; bool (*chkfn)(const QString &); } widgets[5] = { { m_dialog->secuwall_mgmt_mgmtaddr, &secuwallosAdvancedDialog::validateNetworkOrAddress }, { m_dialog->secuwall_mgmt_loggingaddr, &secuwallosAdvancedDialog::validateAddress }, { m_dialog->secuwall_mgmt_snmpaddr, &secuwallosAdvancedDialog::validateNetworkOrAddress }, { m_dialog->secuwall_mgmt_ntpaddr, &secuwallosAdvancedDialog::validateAddress }, { m_dialog->secuwall_mgmt_nagiosaddr, &secuwallosAdvancedDialog::validateNetworkOrAddress }, }; int size = sizeof(widgets) / sizeof(struct _tocheck); // reset widget colors first for (int i = 0; i < size; i++) { if (widgets[i].widget->palette() != QApplication::palette()) { widgets[i].widget->setPalette(QApplication::palette()); } } // validate each widget one by one for (int i = 0; i < size && valid; i++) { // get text to verify QString to_verify = widgets[i].widget->text(); // focus current widget focus = widgets[i].widget; // if empty, continue if (to_verify.isEmpty()) { continue; } // check comma sep. 
list of addresses QStringList addrlist = to_verify.split(","); int pos = 1; foreach(QString addr, addrlist) { if (addr.isEmpty()) { valid = false; message = tr("Empty address found (position %1)").arg(pos); break; } addr = addr.simplified(); if (!widgets[i].chkfn(addr)) { valid = false; message = tr("Illegal address '%1' (position %2)"). arg(addr).arg(pos); break; } pos++; } } if (!valid) { // highlight error: focus and set different background color focus->setFocus(); m_dialog->tabWidget->setCurrentIndex(0); QPalette palette; palette.setColor(focus->backgroundRole(), QColor(255, 0, 0, 100)); focus->setPalette(palette); // display errror message QMessageBox::warning(this, "Firewall Builder", tr("Input not valid: %1").arg(message), "&Continue", QString::null, QString::null, 0, 1); } return valid; } bool secuwallosAdvancedDialog::validateAddress(const QString &addr) { if (addr.indexOf("/") != -1) { return false; } try { InetAddr(addr.toLatin1().constData()); } catch (FWException &ex) { return false; } return true; } bool secuwallosAdvancedDialog::validateNetwork(const QString &addr) { if (addr.indexOf("/") == -1) { return false; } // validate IP/netmask address pairs QStringList addrpair = addr.split("/"); try { InetAddr(addrpair.at(0).toLatin1().constData()); } catch (FWException &ex) { return false; } try { InetAddr(addrpair.at(1).toLatin1().constData()); } catch (FWException &ex) { // not in dotted notation? 
bool ok = false; int ilen = addrpair[1].toInt(&ok); if (ok) { if (ilen < 0 || ilen > 32) { return false; } } else { return false; } } return true; } bool secuwallosAdvancedDialog::validateNetworkOrAddress(const QString &addr) { return (validateNetwork(addr) || validateAddress(addr)); } fwbuilder-5.3.7/src/libgui/secuwallosAdvancedDialog.h000066400000000000000000000035711303637203600226640ustar00rootroot00000000000000/* * secuwallosAdvancedDialog.h - secunet wall advanced host OS settings dialog * * Copyright (c) 2008 secunet Security Networks AG * Copyright (c) 2008 Adrian-Ken Rueegsegger * Copyright (c) 2008 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #ifndef __SECUWALLOSADVANCEDDIALOG_H_ #define __SECUWALLOSADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class secuwallosAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::secuwallosAdvancedDialog_q *m_dialog; public: secuwallosAdvancedDialog(QWidget *parent, libfwbuilder::FWObject *o); ~secuwallosAdvancedDialog(); private: /** validate user input */ bool validate(); /** * validate a given IP address * * valid: 192.168.1.1 * * @param addr address to verify * @return true if valid, false if not */ static bool validateAddress(const QString &addr); /** * validate a given IP address / netmask * * valid: 192.168.1.1/32 * valid: 192.168.1.1/255.255.255.0 * * @param addr address to verify * @return true if valid, false if not */ static bool validateNetwork(const QString &addr); static bool validateNetworkOrAddress(const QString &addr); protected slots: virtual void accept(); virtual void reject(); virtual void help(); void additionalChanged(int state); void buttonBrowseClicked(); void 
buttonOpenURLClicked(); }; #endif // __SECUWALLOSADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/secuwallosadvanceddialog_q.ui000066400000000000000000001526471303637203600235030ustar00rootroot00000000000000 secuwallosAdvancedDialog_q 0 0 510 568 secunet wall: advanced settings Help Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 Management secunet wall Management settings Qt::Vertical QSizePolicy::Fixed 20 16 Specify secunet wall Management settings below. Please use commas to separate a list of IP addresses. Qt::AlignCenter false Qt::Vertical QSizePolicy::Fixed 20 16 Management access Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter true Enter the IP addresses or networks of the secunet wall management zone Qt::RightToLeft Syslog servers true Enter IP addresses of logging servers SNMP access Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter true Enter IP addresses or networks where SNMP requests to this firewall come from RO-SNMP string Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter true Enter community string for read only SNMP access NTP servers Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter true Enter IP addresses of NTP servers Qt::Horizontal QSizePolicy::Minimum 40 20 Qt::RightToLeft Nagios access Enter IP addresses or networks for Nagios access Local /var partition Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Enter name for partition that will be mounted to /var Local config partition Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter true Enter name for local config partition Qt::Horizontal QSizePolicy::Expanding 170 20 Qt::Vertical 20 40 Disable auto-generation of firewall rules for management services Don't create firewall rules :/Icons/DNSName/icon-tree:/Icons/DNSName/icon-tree DNS Client secunet wall DNS settings Qt::Vertical QSizePolicy::Fixed 20 16 Specify secunet wall DNS client related settings below Qt::AlignCenter false Qt::Vertical QSizePolicy::Fixed 20 16 Qt::RightToLeft DNS servers 
Qt::Horizontal QSizePolicy::Expanding 170 20 Qt::RightToLeft Search domains 0 0 16777215 120 Enter DNS search domains here. One search domain per line Qt::Horizontal QSizePolicy::Minimum 40 20 Qt::RightToLeft Hosts file Enter Hosts entries here. One IP-Address/Name pair per line. These entries will be written to /etc/hosts file on the firewall Qt::Vertical QSizePolicy::Fixed 20 16 The resolution order defines how hostnames will be resolved on the firewall (nsswitch.conf). Default is "Hosts file first" Qt::RightToLeft Resolution order 60 16777215 1 Hosts DNS NIS NIS+ DB 60 16777215 0 Hosts DNS NIS NIS+ DB 60 16777215 0 Hosts DNS NIS NIS+ DB 60 16777215 0 Hosts DNS NIS NIS+ DB 60 16777215 0 Hosts DNS NIS NIS+ DB Qt::Vertical 20 40 Options Specify secunet wall advanced iptables/routing options below Qt::AlignCenter true IPv4 Packet forwarding Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off IPv6 Packet forwarding Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Kernel anti-spoofing protection Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Ignore broadcast pings Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Ignore all pings Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Qt::Horizontal QSizePolicy::Expanding 40 20 Accept source route Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Accept ICMP redirects Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Ignore bogus ICMP errors Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Allow dynamic addresses Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Log martians Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false whats this text No change On Off Qt::Vertical 20 40 Qt::Vertical QSizePolicy::Fixed 20 16 Qt::Vertical QSizePolicy::Fixed 20 16 Qt::Horizontal QSizePolicy::Expanding 250 20 
:/Icons/TCPService/icon-tree:/Icons/TCPService/icon-tree TCP Qt::Vertical QSizePolicy::Fixed 20 16 These parameters make sense for connections to or from the firewall host Qt::AlignCenter true TCP FIN timeout (sec) Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 0 1000 30 TCP keepalive time (sec) Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false 0 10000 1800 TCP window scaling Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off TCP sack Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off TCP fack Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Qt::Horizontal QSizePolicy::Expanding 40 20 TCP ECN Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off TCP SYN cookies Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off TCP timestamps Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false No change On Off Qt::Vertical 20 40 Qt::Vertical QSizePolicy::Fixed 20 16 Qt::Horizontal QSizePolicy::Expanding 250 20 :/Icons/folder1.png:/Icons/folder1.png Files Qt::Vertical QSizePolicy::Fixed 20 16 Enable support for additional files here. Files in the selected templates directory will be added to the configuration of this Firewall. 
Qt::AlignCenter true Qt::Vertical QSizePolicy::Fixed 20 16 QFrame::NoFrame QFrame::Plain Add additional files to firewall configuration false Template directory Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter false Qt::Horizontal 61 20 false Select templates directory for this Firewall Browse false Open current path in file browser Open Qt::Horizontal 31 20 Qt::Vertical 20 231 secuwall_mgmt_mgmtaddr secuwall_mgmt_loggingaddr secuwall_mgmt_snmpaddr secuwall_mgmt_rosnmp secuwall_mgmt_ntpaddr secuwall_mgmt_nagiosaddr secuwall_mgmt_varpart secuwall_mgmt_confpart buttonOk buttonCancel secuwall_dns_srv1 secuwall_dns_srv2 secuwall_dns_srv3 secuwall_dns_domains secuwall_dns_hosts secuwall_dns_reso1 secuwall_dns_reso2 secuwall_dns_reso3 secuwall_dns_reso4 secuwall_dns_reso5 linux24_ip_forward linux24_ipv6_forward linux24_rp_filter linux24_icmp_echo_ignore_broadcasts linux24_icmp_echo_ignore_all linux24_accept_source_route linux24_accept_redirects linux24_icmp_ignore_bogus_error_responses linux24_ip_dynaddr linux24_log_martians linux24_tcp_fin_timeout linux24_tcp_keepalive_interval linux24_tcp_window_scaling linux24_tcp_sack linux24_tcp_fack linux24_tcp_ecn linux24_tcp_syncookies linux24_tcp_timestamps additional_files_enabled additional_files_dir buttonBrowse buttonOpenURL buttonHelp tabWidget buttonOk clicked() secuwallosAdvancedDialog_q accept() 316 472 20 20 buttonCancel clicked() secuwallosAdvancedDialog_q reject() 397 472 20 20 buttonHelp clicked() secuwallosAdvancedDialog_q help() 68 464 231 245 additional_files_enabled stateChanged(int) secuwallosAdvancedDialog_q additionalChanged(int) 272 141 272 289 buttonBrowse clicked() secuwallosAdvancedDialog_q buttonBrowseClicked() 193 205 272 289 buttonOpenURL clicked() secuwallosAdvancedDialog_q buttonOpenURLClicked() 433 191 249 289 fwbuilder-5.3.7/src/libgui/simpleinteditor_q.ui000066400000000000000000000066721303637203600216630ustar00rootroot00000000000000 SimpleIntEditor_q true 0 0 248 96 Script Editor 11 11 11 11 0 0 
QFrame::HLine QFrame::Sunken Qt::Horizontal Qt::Horizontal QSizePolicy::Expanding 110 20 Cancel true QAbstractSpinBox::PlusMinus 255 1 OK true spin_box ok_button cancel_button ok_button clicked() SimpleIntEditor_q accept() 20 20 20 20 cancel_button clicked() SimpleIntEditor_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/simpletexteditor_q.ui000066400000000000000000000076541303637203600220560ustar00rootroot00000000000000 SimpleTextEditor_q true 0 0 592 344 Qt::StrongFocus Script Editor 11 11 11 11 Qt::ScrollBarAlwaysOn Qt::ScrollBarAlwaysOn Qt::Horizontal QSizePolicy::Expanding 40 20 OK true Cancel Import from file ... 0 0 QFrame::HLine QFrame::Sunken Qt::Horizontal editor inputFromFileButton ok_button cancel_button ok_button clicked() SimpleTextEditor_q accept() 20 20 20 20 cancel_button clicked() SimpleTextEditor_q reject() 20 20 20 20 inputFromFileButton clicked() SimpleTextEditor_q loadFromFile() 20 20 20 20 fwbuilder-5.3.7/src/libgui/simpletextview_q.ui000066400000000000000000000055761303637203600215430ustar00rootroot00000000000000 SimpleTextView_q 0 0 488 592 Qt::StrongFocus Text viewer QFrame::StyledPanel QFrame::Plain 11 75 true Object Name false true QFrame::HLine QFrame::Sunken Qt::Horizontal Qt::Horizontal QSizePolicy::Expanding 91 20 Close pushButton7 released() SimpleTextView_q close() 20 20 20 20 fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/000077500000000000000000000000001303637203600231565ustar00rootroot00000000000000fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_ChooseNetworksPage.cpp000066400000000000000000000040561303637203600300220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include "global.h" #include "utils.h" #include "FWWindow.h" #include "ND_ChooseNetworksPage.h" #include "SNMPNetworkDiscoveryWizard.h" #include using namespace std; using namespace libfwbuilder;

/*
 * Wizard page on which the user picks which of the discovered networks
 * become objects. The selector's "objectsToUse" property is exposed as
 * the mandatory wizard field "networksToUse".
 */
ND_ChooseNetworksPage::ND_ChooseNetworksPage(QWidget *parent)
    : QWizardPage(parent)
{
    m_dialog = new Ui::ND_ChooseNetworksPage_q;
    m_dialog->setupUi(this);
    registerField("networksToUse*",
                  m_dialog->objectSelector,
                  "objectsToUse",
                  SIGNAL(selectionChanged()));
}

/* Fill the selector with the networks the wizard has collected so far. */
void ND_ChooseNetworksPage::initializePage()
{
    if (fwbdebug) qDebug() << "ND_ChooseNetworksPage::initializePage()";
    ObjectDescriptorList *discovered = dynamic_cast(wizard())->getNetworks();
    m_dialog->objectSelector->init(*discovered);
}

/* Nothing to check here; the selection is kept by the wizard field. */
bool ND_ChooseNetworksPage::validatePage()
{
    if (fwbdebug) qDebug() << "ND_ChooseNetworksPage::validatePage()";
    return true;
}

/* The page is complete as soon as the selector lists anything. */
bool ND_ChooseNetworksPage::isComplete() const
{
    if (fwbdebug) qDebug() << "ND_ChooseNetworksPage::isComplete()";
    const bool has_networks = (m_dialog->objectSelector->count() > 0);
    return has_networks;
}
fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_ChooseNetworksPage.h000066400000000000000000000024041303637203600274620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License.
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ND_CHOOSENETWORKSPAGE_H_ #define __ND_CHOOSENETWORKSPAGE_H_ #include "ui_nd_choosenetworkspage_q.h" class ND_ChooseNetworksPage : public QWizardPage { Q_OBJECT; Ui::ND_ChooseNetworksPage_q *m_dialog; public: ND_ChooseNetworksPage(QWidget *parent); virtual ~ND_ChooseNetworksPage() {} virtual void initializePage(); virtual bool validatePage(); virtual bool isComplete() const; }; #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_ChooseObjectTypePage.cpp000066400000000000000000000061661303637203600302620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "utils.h" #include "FWWindow.h" #include "ND_ChooseObjectTypePage.h" #include "SNMPNetworkDiscoveryWizard.h" #include using namespace std; using namespace libfwbuilder; ND_ChooseObjectTypePage::ND_ChooseObjectTypePage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::ND_ChooseObjectTypePage_q; m_dialog->setupUi(this); } void ND_ChooseObjectTypePage::initializePage() { if (fwbdebug) qDebug() << "ND_ChooseObjectTypePage::initializePage()"; objects = dynamic_cast(wizard())->getObjects(); objectsToUse = dynamic_cast(wizard())->getObjectsToUse(); fillTypeChangingList(); } void ND_ChooseObjectTypePage::fillTypeChangingList() { m_dialog->typeChangingList->clear(); qDebug() << objectsToUse; int idx = 0; foreach(ObjectDescriptor od, *objects) { if (objectsToUse->contains(QString::fromUtf8(od.sysname.c_str()))) { QString ins; ins = (od.interfaces.size()) ? 
QString("%1").arg(od.interfaces.size()) : ""; QStringList sl; sl << QString::fromUtf8(od.toString().c_str()) << ins << od.type.c_str(); QTreeWidgetItem *itm = new QTreeWidgetItem( m_dialog->typeChangingList, sl ); itm->setData(0, Qt::UserRole, idx); } idx++; } m_dialog->typeChangingList->resizeColumnToContents(0); m_dialog->typeChangingList->resizeColumnToContents(1); } void ND_ChooseObjectTypePage::typeAddress() { changeTargetObject(IPv4::TYPENAME); } void ND_ChooseObjectTypePage::typeHost() { changeTargetObject(Host::TYPENAME); } void ND_ChooseObjectTypePage::typeFirewall() { changeTargetObject(Firewall::TYPENAME); } void ND_ChooseObjectTypePage::changeTargetObject(const QString &buf) { QTreeWidgetItem* item = m_dialog->typeChangingList->topLevelItem(0); while (item!=0) { if (item->isSelected()) { int idx = item->data(0, Qt::UserRole).toInt(); (*objects)[idx].type = buf.toStdString(); item->setText(2, buf); } item = m_dialog->typeChangingList->topLevelItem( m_dialog->typeChangingList->indexOfTopLevelItem(item)+1); } } fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_ChooseObjectTypePage.h000066400000000000000000000027301303637203600277200ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ND_CHOOSEOBJECTTYPEPAGE_H_ #define __ND_CHOOSEOBJECTTYPEPAGE_H_ #include "ui_nd_chooseobjecttypepage_q.h" #include "ObjectDescriptor.h" class ND_ChooseObjectTypePage : public QWizardPage { Q_OBJECT; Ui::ND_ChooseObjectTypePage_q *m_dialog; ObjectDescriptorList *objects; QStringList *objectsToUse; public: ND_ChooseObjectTypePage(QWidget *parent); virtual ~ND_ChooseObjectTypePage() {} virtual void initializePage(); void fillTypeChangingList(); void changeTargetObject(const QString &buf); public slots: void typeAddress(); void typeHost(); void typeFirewall(); }; #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_ChooseObjectsPage.cpp000066400000000000000000000043421303637203600275750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
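To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include "global.h" #include "utils.h" #include "FWWindow.h" #include "ND_ChooseObjectsPage.h" #include "SNMPNetworkDiscoveryWizard.h" #include #include using namespace std; using namespace libfwbuilder;

/*
 * Wizard page on which the user picks which discovered hosts become
 * objects. The selector's "objectsToUse" property is exposed as the
 * mandatory wizard field of the same name.
 */
ND_ChooseObjectsPage::ND_ChooseObjectsPage(QWidget *parent)
    : QWizardPage(parent)
{
    m_dialog = new Ui::ND_ChooseObjectsPage_q;
    m_dialog->setupUi(this);
    registerField("objectsToUse*",
                  m_dialog->objectSelector,
                  "objectsToUse",
                  SIGNAL(selectionChanged()));
}

/* Fill the selector with the objects the wizard has discovered. */
void ND_ChooseObjectsPage::initializePage()
{
    if (fwbdebug) qDebug() << "ND_ChooseObjectsPage::initializePage()";
    ObjectDescriptorList *objects = dynamic_cast(wizard())->getObjects();
    m_dialog->objectSelector->init(*objects);
}

/*
 * Copy the current selection into the wizard's objectsToUse list so the
 * following pages (type selection, object creation) see it.
 */
bool ND_ChooseObjectsPage::validatePage()
{
    if (fwbdebug) qDebug() << "ND_ChooseObjectsPage::validatePage()";
    QStringList *objectsToUse = dynamic_cast(wizard())->getObjectsToUse();
    *objectsToUse = m_dialog->objectSelector->getObjectsToUse();
    return true;
}

/* The page is complete as soon as the selector lists anything. */
bool ND_ChooseObjectsPage::isComplete() const
{
    // trace label now matches the class name, like the other pages
    if (fwbdebug) qDebug() << "ND_ChooseObjectsPage::isComplete()";
    return (m_dialog->objectSelector->count() > 0);
}
fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_ChooseObjectsPage.h000066400000000000000000000023751303637203600272460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.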
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ND_CHOOSEOBJECTSPAGE_H_ #define __ND_CHOOSEOBJECTSPAGE_H_ #include "ui_nd_chooseobjectspage_q.h" class ND_ChooseObjectsPage : public QWizardPage { Q_OBJECT; Ui::ND_ChooseObjectsPage_q *m_dialog; public: ND_ChooseObjectsPage(QWidget *parent); virtual ~ND_ChooseObjectsPage() {} virtual void initializePage(); virtual bool validatePage(); virtual bool isComplete() const; }; #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_CreateObjectsPage.cpp000066400000000000000000000343621303637203600275650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "global.h" #include "events.h" #include "FWWindow.h" #include "ProjectPanel.h" #include "platforms.h" #include "ND_CreateObjectsPage.h" #include "SNMPNetworkDiscoveryWizard.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/Resources.h" #include "fwbuilder/InterfaceData.h" #include "fwbuilder/Firewall.h" #include #include #include #include using namespace std; using namespace libfwbuilder; ND_CreateObjectsPage::ND_CreateObjectsPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::ND_CreateObjectsPage_q; m_dialog->setupUi(this); } void ND_CreateObjectsPage::initializePage() { if (fwbdebug) qDebug() << "ND_CreateObjectsPage::initializePage()"; ObjectDescriptorList *objects = dynamic_cast(wizard())->getObjects(); QStringList *objectsToUse = dynamic_cast(wizard())->getObjectsToUse(); ObjectDescriptorList *networks = dynamic_cast(wizard())->getNetworks(); int lib_index = field("libIndex").toInt(); QStringList libraries = field("libraries").toStringList(); if (fwbdebug) qDebug() << "libraries=" << libraries; m_dialog->progressBar->setFormat("%v / %m"); m_dialog->progressBar->setMaximum(objectsToUse->size() / 2 + networks->size()); FWObject *last_object = NULL; string type, name, a; int counter = 0; foreach(ObjectDescriptor od, *networks) { type = od.type; // Network or NetworkIPv6 name = od.sysname; a = od.addr.toString().c_str(); Address *net = Address::cast( mw->createObject(type.c_str(), name.c_str())); assert(net!=NULL); net->setName(name); net->setAddress(od.addr); net->setNetmask(od.netmask); mw->moveObject(libraries[lib_index], net); last_object = net; m_dialog->progressBar->setValue(counter); 
qApp->processEvents(); counter++; } foreach(ObjectDescriptor od, *objects) { if (objectsToUse->contains(QString::fromUtf8(od.sysname.c_str()))) { type = od.type; name = od.sysname; QString platform; QString os; QString version; guessOSAndPlatformFromSysDescr(od.descr.c_str(), platform, os, version); a = od.addr.toString(); if (type==Host::TYPENAME || type==Firewall::TYPENAME) { FWObject *o=NULL; o = mw->createObject(type.c_str(), name.c_str()); o->setName(name); if (type==Firewall::TYPENAME) { if (os == "linux") { o->setStr("platform", "iptables"); o->setStr("host_OS", "linux24"); } if (os == "freebsd") { o->setStr("platform", "pf"); o->setStr("host_OS", "freebsd"); } if (os == "openbsd") { o->setStr("platform", "pf"); o->setStr("host_OS", "openbsd"); } if (os == "ios") { o->setStr("platform", "iosacl"); o->setStr("host_OS", "ios"); } if (os == "pix" || os == "fwsm") { o->setStr("platform", "pix"); o->setStr("host_OS", "pix_os"); } if (os == "apple") { o->setStr("platform", "ipfw"); o->setStr("host_OS", "macosx"); } if (os == "solaris") { o->setStr("platform", "ipf"); o->setStr("host_OS", "solaris"); } Resources::setDefaultTargetOptions( o->getStr("platform"), Firewall::cast(o) ); Resources::setDefaultTargetOptions( o->getStr("host_OS"), Firewall::cast(o) ); } if (od.interfaces.size()==0) { Interface *itf= Interface::cast( mw->createObject(o,Interface::TYPENAME,"nic1") ); if (od.addr.isV4()) { IPv4 *ipv4= IPv4::cast( mw->createObject(itf, IPv4::TYPENAME, a.c_str()) ); ipv4->setAddress(od.addr); ipv4->setNetmask(InetAddr()); } if (od.addr.isV6()) { IPv6 *ipv6 = IPv6::cast( mw->createObject(itf, IPv6::TYPENAME, a.c_str()) ); ipv6->setAddress(od.addr); ipv6->setNetmask(InetAddr()); } } else { if (fwbdebug) { map::iterator i; for (i=od.interfaces.begin(); i!=od.interfaces.end(); ++i) { InterfaceData *intf = &(i->second); QString str("Discovered interface %1: %2"); qDebug() << str.arg(intf->name.c_str()).arg(intf->mac_addr.c_str()); } } list interface_tree; 
std::auto_ptr int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject(o)); int_prop->rearrangeInterfaces(od.interfaces, interface_tree); if (interface_tree.size() != od.interfaces.size()) { // Some interfaces have been converted to subinterfaces // Show warning QMessageBox::warning( this, "Firewall Builder", tr( "Some discovered interfaces have been rearranged in " "fwbuilder objects and recreated as subinterfaces to " "reflect VLANs, bonding and bridging configurations. " "The algorithm used to guess correct relationship " "between interfaces and subinterfaces is imperfect " "because of the limited information provided by SNMP " "daemon. Pelase review created objects to make sure " "generated configuration is accurate. " "\n" "\n" "The program expects MAC addresses of bonding, bridge " "and vlan interfaces to be the same. It is especially " "important to review and fix generated objects if you " "use MAC address spoofing." ), tr("&Continue"), 0, 0, 0 ); } list::iterator it; for (it=interface_tree.begin(); it!=interface_tree.end(); ++it) { InterfaceData *in = *it; // if this interface has subinterfaces, add even if it // has no ip address (last arg) FWObject *intf = addInterface( o, in, in->subinterfaces.size()!=0); if (intf == NULL) continue; list::iterator sit; for (sit=in->subinterfaces.begin(); sit!=in->subinterfaces.end(); ++sit) { InterfaceData *subint = *sit; addInterface(intf, subint, true); } } } if (!od.descr.empty()) { FWOptions* opt=(dynamic_cast(o))->getOptionsObject(); opt->setStr("snmp_description",od.descr); opt->setStr("snmp_location", od.location); opt->setStr("snmp_contact", od.contact); } mw->moveObject(libraries[lib_index], o); } else if (type==Network::TYPENAME) { Network *net=dynamic_cast( mw->createObject(type.c_str(),name.c_str()) ); assert(net!=NULL); net->setName(name); net->setAddress(InetAddr(a)); net->setNetmask(InetAddr(InetAddr(a))); mw->moveObject(libraries[lib_index], net); } else if (type==IPv4::TYPENAME) { IPv4 
*obj=dynamic_cast( mw->createObject(type.c_str(),name.c_str()) ); assert(obj!=NULL); obj->setName(name); obj->setAddress(InetAddr(a)); obj->setNetmask(InetAddr(InetAddr::getAllOnes())); mw->moveObject(libraries[lib_index], obj); } m_dialog->progressBar->setValue(counter); qApp->processEvents(); counter++; } } ProjectPanel *pp = mw->activeProject(); QString filename = pp->getFileName(); QCoreApplication::postEvent(mw, new reloadObjectTreeEvent(filename)); QCoreApplication::postEvent( mw->activeProject(), new openLibraryForObjectEvent( filename, last_object->getId())); } FWObject* ND_CreateObjectsPage::addInterface(FWObject *parent, InterfaceData *in, bool skip_ip_address_check) { ObjectManipulator *om = mw->activeProject()->m_panel->om; bool includeUnnumbered = field("snmpIncludeUnnumbered").toBool(); if ( ! includeUnnumbered && ! skip_ip_address_check) { if (in->addr_mask.size()==0) return NULL; if (in->addr_mask.front()->getAddressPtr()->isAny()) return NULL; } QString obj_name = in->name.c_str(); Interface *itf = NULL; itf = Interface::cast( mw->createObject(parent, QString(Interface::TYPENAME), obj_name)); QString iname = om->getStandardName(itf, physAddress::TYPENAME, "mac"); iname = om->makeNameUnique(itf, iname, physAddress::TYPENAME); physAddress *paddr = physAddress::cast( mw->createObject(itf, physAddress::TYPENAME, iname) ); paddr->setPhysAddress(in->mac_addr); itf->setLabel(in->label); itf->setSecurityLevel(in->securityLevel); if (fwbdebug) qDebug() << "Interface=" << obj_name << "type=" << in->interface_type.c_str(); if (!in->interface_type.empty()) { itf->getOptionsObject()->setStr("type", in->interface_type); if (in->interface_type == "8021q") itf->getOptionsObject()->setInt("vlan_id", in->vlan_id); } else { std::auto_ptr int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject(parent)); if (int_prop->looksLikeVlanInterface(obj_name)) { QString base_name; int vlan_id; int_prop->parseVlan(obj_name, &base_name, &vlan_id); 
itf->getOptionsObject()->setStr("type", "8021q"); itf->getOptionsObject()->setInt("vlan_id", vlan_id); } } if (in->addr_mask.size()==0 || in->addr_mask.front()->getAddressPtr()->isAny()) { itf->setUnnumbered(true); } else { list::iterator n; for (n=in->addr_mask.begin(); n!=in->addr_mask.end(); ++n) { const InetAddr *addr = (*n)->getAddressPtr(); const InetAddr *netm = (*n)->getNetmaskPtr(); if (addr->isV4()) { try { QString iname = om->getStandardName(itf, IPv4::TYPENAME, "ip"); iname = om->makeNameUnique(itf, iname, IPv4::TYPENAME); IPv4 *ipv4= IPv4::cast( om->createObject(itf, IPv4::TYPENAME, iname) ); ipv4->setAddress(*addr); ipv4->setNetmask(*netm); } catch (FWException &ex) { cerr << "FWException: " << ex.toString() << endl; } } if (addr->isV6()) { try { QString iname = om->getStandardName(itf, IPv6::TYPENAME, "ip"); iname = om->makeNameUnique(itf, iname, IPv6::TYPENAME); IPv6 *ipv6 = IPv6::cast( om->createObject(itf, IPv6::TYPENAME, iname) ); ipv6->setAddress(*addr); ipv6->setNetmask(*netm); } catch (FWException &ex) { cerr << "FWException: " << ex.toString() << endl; } } } } return itf; } fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_CreateObjectsPage.h000066400000000000000000000027551303637203600272330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ND_CREATEOBJECTSPAGE_H_ #define __ND_CREATEOBJECTSPAGE_H_ #include "ui_nd_createobjectspage_q.h" namespace libfwbuilder { class InterfaceData; class FWObject; }; class ND_CreateObjectsPage : public QWizardPage { Q_OBJECT; Ui::ND_CreateObjectsPage_q *m_dialog; libfwbuilder::FWObject* addInterface(libfwbuilder::FWObject *parent, libfwbuilder::InterfaceData *in, bool skip_ip_address_check); public: ND_CreateObjectsPage(QWidget *parent); virtual ~ND_CreateObjectsPage() {} virtual void initializePage(); public slots: }; #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_DiscoveryParametersPage.cpp000066400000000000000000000060501303637203600310340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "utils.h" #include "FWWindow.h" #include "FWBSettings.h" #include "ND_DiscoveryParametersPage.h" #include using namespace std; //using namespace libfwbuilder; #define DISCOVERY_DRUID_PREFIX "DiscoveryDruid/" #define DISCOVERY_DRUID_SNMPRECURSIVE "SNMPRecursive" #define DISCOVERY_DRUID_SNMPFOLLOWP2P "SNMPFollowP2P" #define DISCOVERY_DRUID_SNMPINCLUDEUNNUMBERED "SnmpIncludeUnnumbered" #define DISCOVERY_DRUID_SNMPDODNS "SNMPDoDNS" ND_DiscoveryParametersPage::ND_DiscoveryParametersPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::ND_DiscoveryParametersPage_q; m_dialog->setupUi(this); m_dialog->snmpRecursive->setChecked(st->getBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPRECURSIVE)); m_dialog->snmpFollowP2P->setChecked(st->getBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPFOLLOWP2P)); m_dialog->snmpIncludeUnnumbered->setChecked(st->getBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINCLUDEUNNUMBERED)); m_dialog->snmpDoDNS->setChecked(st->getBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPDODNS)); registerField("snmpRecursive", m_dialog->snmpRecursive); registerField("snmpFollowP2P", m_dialog->snmpFollowP2P); registerField("snmpIncludeUnnumbered", m_dialog->snmpIncludeUnnumbered); registerField("snmpDoDNS", m_dialog->snmpDoDNS); } void ND_DiscoveryParametersPage::initializePage() { if (fwbdebug) qDebug() << "ND_DiscoveryParametersPage::initializePage()"; } bool ND_DiscoveryParametersPage::validatePage() { st->setBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPRECURSIVE, m_dialog->snmpRecursive->isChecked()); st->setBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPFOLLOWP2P, m_dialog->snmpFollowP2P->isChecked()); st->setBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINCLUDEUNNUMBERED, 
m_dialog->snmpIncludeUnnumbered->isChecked()); st->setBool( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPDODNS, m_dialog->snmpDoDNS->isChecked()); return true; } fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_DiscoveryParametersPage.h000066400000000000000000000024201303637203600304760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ND_DISCOVERYPARAMETERSPAGE_H_ #define __ND_DISCOVERYPARAMETERSPAGE_H_ #include "ui_nd_discoveryparameterspage_q.h" class ND_DiscoveryParametersPage : public QWizardPage { Q_OBJECT; Ui::ND_DiscoveryParametersPage_q *m_dialog; public: ND_DiscoveryParametersPage(QWidget *parent); virtual ~ND_DiscoveryParametersPage() {} virtual void initializePage(); virtual bool validatePage(); public slots: }; #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_ProgressPage.cpp000066400000000000000000000300041303637203600266410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "utils.h" #include "FWWindow.h" #include "utils.h" #include "FWBSettings.h" #include #include #include #include #include #include "ND_ProgressPage.h" #include "SNMPCrawlerThread.h" #include "SNMPNetworkDiscoveryWizard.h" // #include snmp.h only after all Qt headers; see #2185 #include "fwbuilder/snmp.h" #include "fwbuilder/NetworkIPv6.h" #include "fwbuilder/Network.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" using namespace std; using namespace libfwbuilder; bool fwbdebug_nd = false; ND_ProgressPage::ND_ProgressPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::ND_ProgressPage_q; m_dialog->setupUi(this); #ifdef HAVE_LIBSNMP crawler = NULL; connect(m_dialog->discoveryStopButton, SIGNAL(clicked()), this, SLOT(stop())); connect(m_dialog->logSaveButton, SIGNAL(clicked()), this, SLOT(saveLog())); #endif QTextCursor cursor(m_dialog->discoveryLog->textCursor()); normal_format = cursor.charFormat(); error_format = normal_format; error_format.setForeground(QBrush(Qt::red)); error_format.setAnchorHref("http://somewhere.com"); error_format.setAnchor(true); // weight must be between 0 and 99. 
Qt 4.4.1 does not seem to mind if // it is >99 (just caps it) but older versions assert error_format.setProperty(QTextFormat::FontWeight, 99); warning_format = normal_format; warning_format.setForeground(QBrush(Qt::blue)); warning_format.setProperty(QTextFormat::FontWeight, 99); warning_format.setAnchor(true); warning_format.setAnchorHref("http://somewhere.com"); } ND_ProgressPage::~ND_ProgressPage() { if (fwbdebug_nd) qDebug() << "ND_ProgressPage::~ND_ProgressPage()"; disconnect(this, SLOT(logLine(QString))); disconnect(this, SLOT(crawlerFinished())); #ifdef HAVE_LIBSNMP if (crawler != NULL && crawler->isRunning()) { if (fwbdebug_nd) qDebug() << "ND_ProgressPage::initializePage()" << "crawler is still runnig; stopping"; crawler->stop(); // crawler->wait(); // do not delete crawler thread object, we call deleteLater() // in SNMPCrawlerThread::run() to make sure crawler thread // object is only deleted after snmp crawler has finished and // thread terminated } #endif } #ifdef HAVE_LIBSNMP bool ND_ProgressPage::validatePage() { ObjectDescriptorList *objects = dynamic_cast(wizard())->getObjects(); if (fwbdebug_nd) qDebug() << "ND_ProgressPage::validatePage()" << "crawler=" << crawler << "isRunning=" << ((crawler) ? 
crawler->isRunning() : 0) << "objects->size()=" << objects->size(); if (crawler != NULL && crawler->isRunning()) return false; return (objects->size() > 0); } bool ND_ProgressPage::isComplete() const { if (crawler != NULL && crawler->isRunning()) return false; return true; } void ND_ProgressPage::crawlerDestroyed(QObject *obj) { if (fwbdebug_nd) qDebug() << "ND_ProgressPage::crawlerDestroyed() obj=" << obj; if (obj == crawler) crawler = NULL; } void ND_ProgressPage::initializePage() { if (fwbdebug_nd) qDebug() << "ND_ProgressPage::initializePage()"; ObjectDescriptorList *objects = dynamic_cast(wizard())->getObjects(); ObjectDescriptorList *networks = dynamic_cast(wizard())->getNetworks(); QString seedHostName = field("seedHostName").toString(); QString snmpInclAddr = field("snmpInAddr").toString(); QString snmpInclMask = field("snmpInMask").toString(); bool snmpRecursive = field("snmpRecursive").toBool(); bool snmpFollowP2P = field("snmpFollowP2P").toBool(); // bool snmpIncludeUnnumbered = field("snmpIncludeUnnumbered").toBool(); QString snmpCommunity = field("snmpCommunity").toString(); int snmpRetries = field("snmpRetries").toInt(); int snmpTimeoutSec = field("snmpTimeout").toInt(); QString seedHostAddress = getAddrByName(seedHostName, AF_INET); InetAddr seedHostInetAddr = InetAddr( seedHostAddress.toLatin1().constData() ); include_networks.clear(); bool limit_scan = false; Q_UNUSED(limit_scan); if ( ! snmpInclAddr.isEmpty() && ! 
snmpInclMask.isEmpty()) { try { InetAddrMask in( InetAddr(snmpInclAddr.toStdString()), InetAddr(snmpInclMask.toStdString()) ); include_networks.push_back(in); limit_scan = true; } catch (const FWException &ex) { //TODO: do something usefull } } if (crawler != NULL && crawler->isRunning()) { if (fwbdebug_nd) qDebug() << "ND_ProgressPage::initializePage()" << "crawler is still runnig; stopping"; crawler->stop(); crawler->wait(); delete crawler; } objects->clear(); networks->clear(); emit completeChanged(); // note that crawler deletes itself using call to deleteLater() after // underlying SNMPCrawler finishes its work. crawler = new SNMPCrawlerThread(this, seedHostName, snmpCommunity, snmpRecursive, snmpFollowP2P, snmpRetries, snmpTimeoutSec, &include_networks); connect(crawler, SIGNAL(destroyed(QObject*)), this, SLOT(crawlerDestroyed(QObject*))); connect(crawler, SIGNAL(finished()), this, SLOT(crawlerFinished())); crawler->start(); } void ND_ProgressPage::cleanupPage() { if (fwbdebug_nd) qDebug() << "ND_ProgressPage::cleanupPage()"; disconnect(this, SLOT(logLine(QString))); disconnect(this, SLOT(crawlerFinished())); if (crawler != NULL && crawler->isRunning()) crawler->stop(); include_networks.clear(); } void ND_ProgressPage::stop() { if (crawler != NULL && crawler->isRunning()) { logLine(tr("Stopping network crawler process...")); crawler->stop(); } } /* * SNMPCrawlerThread emits signal finished() that should be connected * to this slot. We collect all the data here. 
*/ void ND_ProgressPage::crawlerFinished() { if (fwbdebug_nd) qDebug() << "ND_ProgressPage::crawlerFinished()"; ObjectDescriptorList *networks = dynamic_cast(wizard())->getNetworks(); ObjectDescriptorList *objects = dynamic_cast(wizard())->getObjects(); logLine("\n"); logLine(tr("Network crawler stopped")); bool snmpDoDNS = field("snmpDoDNS").toBool(); if (crawler==NULL) return; set::iterator m; set discovered_networks = crawler->getNetworks(); map discovered_addresses = crawler->getAllIPs(); logLine(tr("Discovered %1 networks").arg(discovered_networks.size())); for (m=discovered_networks.begin(); m!=discovered_networks.end(); ++m) { ObjectDescriptor od; InetAddrMask net = *m; logLine(QString("network %1").arg(net.toString().c_str())); // if address in *m is ipv6, recreate it as Inet6AddrMask and // use type NetworkIPv6 if (net.getAddressPtr()->isV6()) { Inet6AddrMask in6am(*(net.getAddressPtr()), *(net.getNetmaskPtr())); od.sysname = in6am.toString(); // different from ipv6 od.type = NetworkIPv6::TYPENAME; } else { od.sysname = net.toString(); od.type = Network::TYPENAME; } od.addr = *(net.getAddressPtr()); od.netmask = *(net.getNetmaskPtr()); od.isSelected = false; networks->push_back(od); } logLine(tr("Discovered %1 addresses").arg(discovered_addresses.size())); int cntr = 0; map::iterator j; for(j = discovered_addresses.begin(); j!=discovered_addresses.end(); ++j,++cntr) { ObjectDescriptor od( &(j->second) ); od.addr = j->first; od.type = (od.interfaces.size()>1) ? 
(Host::TYPENAME) : (IPv4::TYPENAME); od.isSelected = false; if (od.sysname.empty()) { od.sysname = string("h-") + od.addr.toString(); if (snmpDoDNS) { QString hostName = getNameByAddr( od.addr.toString().c_str() ); if (!hostName.isEmpty()) od.sysname = hostName.toUtf8().constData(); } logLine( QString(od.addr.toString().c_str()) + " : " + od.sysname.c_str()); } if (snmpDoDNS && od.dns_info.aliases.size() > 0) { set::iterator si; for(si=od.dns_info.aliases.begin(); si!=od.dns_info.aliases.end(); ++si) { od.sysname = (*si); objects->push_back(od);; } } else objects->push_back(od); } emit completeChanged(); } void ND_ProgressPage::logLine(const QString &buf) { if (buf.isEmpty()) return; foreach(QString line, buf.trimmed().split("\n")) { QTextCharFormat format = normal_format; if (line.contains("Parser error")) format = error_format; if (line.contains("Parser warning")) format = warning_format; if (line.contains("SNMP error, status 2 Timeout")) format = warning_format; QString txt = line; while (!txt.isEmpty() && (txt.endsWith("\n") || txt.endsWith("\r"))) txt.chop(1); if (format == error_format || format == warning_format) format.setAnchorHref(txt); QTextCursor cursor = m_dialog->discoveryLog->textCursor(); cursor.insertBlock(); cursor.insertText(txt, format); } m_dialog->discoveryLog->ensureCursorVisible(); } void ND_ProgressPage::saveLog() { QString dir; dir = st->getWDir(); if (dir.isEmpty()) dir = st->getOpenFileDir(); if (dir.isEmpty()) dir = "~"; QString s = QFileDialog::getSaveFileName( this, "Choose a file", dir, "Text file (*.txt)"); if (!s.isEmpty()) { if (s.endsWith(".txt")) { s += ".txt"; } QFile f(s); if (f.open(QIODevice::WriteOnly)) { if (fwbdebug) { qDebug("Saving crawler log to file: %d chars", m_dialog->discoveryLog->toPlainText().length()); qDebug("--------------------------------"); } QTextStream strm(&f); QString txt = m_dialog->discoveryLog->toPlainText(); strm << txt << endl; if (fwbdebug) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) 
qDebug("%s",txt.toAscii().constData()); #else qDebug("%s",txt.toLatin1().constData()); #endif qDebug("--------------------------------"); } f.close(); } } } #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_ProgressPage.h000066400000000000000000000034401303637203600263120ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ND_PROGRESSPAGE_H_ #define __ND_PROGRESSPAGE_H_ // for HAVE_LIBSNMP #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/InetAddrMask.h" #include "ui_nd_progresspage_q.h" #include class SNMPCrawlerThread; class ND_ProgressPage : public QWizardPage { Q_OBJECT; Ui::ND_ProgressPage_q *m_dialog; QTextCharFormat normal_format; QTextCharFormat error_format; QTextCharFormat warning_format; std::vector include_networks; public: ND_ProgressPage(QWidget *parent); virtual ~ND_ProgressPage(); #ifdef HAVE_LIBSNMP private: SNMPCrawlerThread *crawler; virtual void initializePage(); virtual void cleanupPage(); virtual bool validatePage(); virtual bool isComplete() const; public slots: void stop(); void saveLog(); void logLine(const QString &line); void crawlerDestroyed(QObject*); void crawlerFinished(); #endif }; #endif 
fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_SNMPParametersPage.cpp000066400000000000000000000051301303637203600276400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "utils.h" #include "FWWindow.h" #include "FWBSettings.h" #include "ND_SNMPParametersPage.h" #include using namespace std; //using namespace libfwbuilder; #define DISCOVERY_DRUID_PREFIX "DiscoveryDruid/" #define DISCOVERY_DRUID_SNMPCOMMUNITY "SNMPCommunity" #define DISCOVERY_DRUID_SNMPRETRIES "SNMPRetries" #define DISCOVERY_DRUID_SNMPTIMEOUT "SNMPTimeout" ND_SNMPParametersPage::ND_SNMPParametersPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::ND_SNMPParametersPage_q; m_dialog->setupUi(this); QString s = st->getStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPCOMMUNITY); m_dialog->snmpCommunity->setText((s.isEmpty())?"public":s); int i = st->getInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPRETRIES); m_dialog->snmpRetries->setValue((i)?i:1); i = st->getInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPTIMEOUT); m_dialog->snmpTimeout->setValue((i)?i:2); registerField("snmpCommunity", m_dialog->snmpCommunity); registerField("snmpRetries", m_dialog->snmpRetries); 
registerField("snmpTimeout", m_dialog->snmpTimeout); } void ND_SNMPParametersPage::initializePage() { if (fwbdebug) qDebug() << "ND_SNMPParametersPage::initializePage()"; } bool ND_SNMPParametersPage::validatePage() { st->setStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPCOMMUNITY, m_dialog->snmpCommunity->text()); st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPRETRIES, m_dialog->snmpRetries->value()); st->setInt( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPTIMEOUT, m_dialog->snmpTimeout->value()); return true; } fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_SNMPParametersPage.h000066400000000000000000000023611303637203600273100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ND_SNMPPARAMETERSPAGE_H_ #define __ND_SNMPPARAMETERSPAGE_H_ #include "ui_nd_snmpparameterspage_q.h" class ND_SNMPParametersPage : public QWizardPage { Q_OBJECT; Ui::ND_SNMPParametersPage_q *m_dialog; public: ND_SNMPParametersPage(QWidget *parent); virtual ~ND_SNMPParametersPage() {} virtual void initializePage(); virtual bool validatePage(); public slots: }; #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_SelectLibraryPage.cpp000066400000000000000000000031021303637203600276000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "utils.h" #include "FWWindow.h" #include "ND_SelectLibraryPage.h" #include using namespace std; //using namespace libfwbuilder; ND_SelectLibraryPage::ND_SelectLibraryPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::ND_SelectLibraryPage_q; m_dialog->setupUi(this); registerField("libIndex*", m_dialog->libs); registerField("libraries", this, "libraries"); setCommitPage(true); } void ND_SelectLibraryPage::initializePage() { if (fwbdebug) qDebug() << "ND_SelectLibraryPage::initializePage()"; fillLibraries(m_dialog->libs, mw->activeProject()->db()); for (int i=0; i < m_dialog->libs->count(); ++i) libraries << m_dialog->libs->itemText(i); } fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_SelectLibraryPage.h000066400000000000000000000026401303637203600272530ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SELECTLIBRARYPAGE_H_ #define __SELECTLIBRARYPAGE_H_ #include "ui_nd_selectlibrarypage_q.h" class ND_SelectLibraryPage : public QWizardPage { Q_OBJECT; Ui::ND_SelectLibraryPage_q *m_dialog; QStringList libraries; Q_PROPERTY(QStringList libraries READ getLibraries WRITE setLibraries); public: ND_SelectLibraryPage(QWidget *parent); virtual ~ND_SelectLibraryPage() {} virtual void initializePage(); QStringList getLibraries() { return libraries; } void setLibraries(const QStringList &l) { libraries = l; } public slots: }; #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_SetupPage.cpp000066400000000000000000000163171303637203600261500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "utils.h" #include "FWWindow.h" #include "FWBSettings.h" #include "ND_SetupPage.h" #include "fwbuilder/InetAddr.h" #include #include using namespace std; using namespace libfwbuilder; #define DISCOVERY_DRUID_PREFIX "DiscoveryDruid/" #define DISCOVERY_DRUID_SEEDHOST "SeedHost" #define DISCOVERY_DRUID_SNMPINADDR "SNMPInAddr" #define DISCOVERY_DRUID_SNMPINMASK "SNMPInMask" ND_SetupPage::ND_SetupPage(QWidget *parent) : QWizardPage(parent) { m_dialog = new Ui::ND_SetupPage_q; m_dialog->setupUi(this); hideProgressBar(); displayStatusNeutral(""); dns_op_id = -1; seedHostOK = false; limitScanConfigurationOK = true; m_dialog->seedHostName->setText(st->getStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SEEDHOST)); m_dialog->snmpInAddr->setText(st->getStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINADDR)); m_dialog->snmpInMask->setText(st->getStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINMASK)); registerField("seedHostName*", m_dialog->seedHostName); registerField("snmpInAddr", m_dialog->snmpInAddr); registerField("snmpInMask", m_dialog->snmpInMask); } ND_SetupPage::~ND_SetupPage() {} void ND_SetupPage::initializePage() { if (fwbdebug) qDebug() << "ND_SetupPage::initializePage()"; } bool ND_SetupPage::validatePage() { st->setStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SEEDHOST, m_dialog->seedHostName->text()); st->setStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINADDR, m_dialog->snmpInAddr->text()); st->setStr( QString(DISCOVERY_DRUID_PREFIX) + DISCOVERY_DRUID_SNMPINMASK, m_dialog->snmpInMask->text()); return true; } bool ND_SetupPage::isComplete() const { return seedHostOK && limitScanConfigurationOK; } bool ND_SetupPage::isSeedHostOK(const QString &hostName) { if (hostName.isEmpty()) return false; QRegExp r = 
QRegExp("^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$", Qt::CaseInsensitive); //non wildcard last_error = ""; if (r.exactMatch(hostName)) { try { InetAddr(hostName.toLatin1().constData()); return true; } catch(const FWException &ex) { last_error = ex.toString().c_str(); return false; } } else { last_error = tr("Wrong IPv4 format"); return false; } } bool ND_SetupPage::looksLikeIpAddress(const QString &s) { QRegExp r=QRegExp("^(\\d|\\.)+$",Qt::CaseInsensitive); //non wildcard return r.exactMatch(s); } void ND_SetupPage::displayStatusError(const QString &err) { QPalette palette = m_dialog->seedHostErrorMessage->palette(); palette.setColor( m_dialog->seedHostErrorMessage->foregroundRole(), Qt::darkRed); m_dialog->seedHostErrorMessage->setPalette(palette); m_dialog->seedHostErrorMessage->setText(err); } void ND_SetupPage::displayStatusSuccess(const QString &err) { QPalette palette = m_dialog->seedHostErrorMessage->palette(); palette.setColor( m_dialog->seedHostErrorMessage->foregroundRole(), Qt::darkGreen); m_dialog->seedHostErrorMessage->setPalette(palette); m_dialog->seedHostErrorMessage->setText(err); } void ND_SetupPage::displayStatusNeutral(const QString &err) { QPalette palette = m_dialog->seedHostErrorMessage->palette(); palette.setColor( m_dialog->seedHostErrorMessage->foregroundRole(), Qt::black); m_dialog->seedHostErrorMessage->setPalette(palette); m_dialog->seedHostErrorMessage->setText(err); } void ND_SetupPage::showProgressBar() { m_dialog->DNSProgressBar->show(); } void ND_SetupPage::hideProgressBar() { m_dialog->DNSProgressBar->hide(); } void ND_SetupPage::changedSeedHost() { m_dialog->seedHostErrorMessage->setText(" "); hideProgressBar(); QString hostName = m_dialog->seedHostName->text(); if (dns_op_id > -1) { QHostInfo::abortHostLookup(dns_op_id); dns_op_id = -1; } if (hostName.isEmpty()) { displayStatusError(tr("Enter a valid host name or address.")); } else { if (looksLikeIpAddress(hostName)) { // seems to be an IP Address seedHostOK = 
isSeedHostOK(hostName); if (seedHostOK) displayStatusSuccess(tr("Address successfully verified")); else displayStatusError(last_error); } else { // it looks like a DNS name displayStatusNeutral(tr("DNS resolution in progress...")); showProgressBar(); dns_op_id = QHostInfo::lookupHost(hostName, this, SLOT(dnsFinish(QHostInfo))); } } emit completeChanged(); } void ND_SetupPage::dnsFinish(const QHostInfo &host) { dns_op_id = -1; QList list = host.addresses(); hideProgressBar(); //get the test result if (list.isEmpty()) { displayStatusError(tr( "host name not found")); seedHostOK = false; } else { displayStatusSuccess(tr("host name verified")); seedHostOK = true; } emit completeChanged(); } void ND_SetupPage::changedLimitScanConfiguraton() { m_dialog->limitScanError->setText(" "); if (m_dialog->snmpInAddr->text().isEmpty() && m_dialog->snmpInMask->text().isEmpty()) { m_dialog->limitScanError->setText(" "); limitScanConfigurationOK = true; emit completeChanged(); return; } if ( ! m_dialog->snmpInAddr->text().isEmpty() && ! m_dialog->snmpInMask->text().isEmpty()) { try { InetAddr a(m_dialog->snmpInAddr->text().toLatin1().constData()); InetAddr n(m_dialog->snmpInMask->text().toLatin1().constData()); InetAddrMask(a, n); m_dialog->limitScanError->setText(" "); limitScanConfigurationOK = true; } catch (const FWException &ex) { m_dialog->limitScanError->setText(ex.toString().c_str()); limitScanConfigurationOK = false; } } else { m_dialog->limitScanError->setText(tr("Incomplete network address / netmask")); limitScanConfigurationOK = false; } emit completeChanged(); } fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/ND_SetupPage.h000066400000000000000000000033451303637203600256120ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ND_SETUPPAGE_H_ #define __ND_SETUPPAGE_H_ #include "ui_nd_setuppage_q.h" #include class ND_SetupPage : public QWizardPage { Q_OBJECT; Ui::ND_SetupPage_q *m_dialog; QString last_error; int dns_op_id; bool seedHostOK; bool limitScanConfigurationOK; bool isSeedHostOK(const QString &s); bool looksLikeIpAddress(const QString &s); void displayStatusError(const QString &err); void displayStatusSuccess(const QString &err); void displayStatusNeutral(const QString &err); void showProgressBar(); void hideProgressBar(); public: ND_SetupPage(QWidget *parent); virtual ~ND_SetupPage(); virtual void initializePage(); virtual bool validatePage(); virtual bool isComplete() const; public slots: void changedSeedHost(); void changedLimitScanConfiguraton(); void dnsFinish(const QHostInfo &host); }; #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/SNMPCrawlerThread.cpp000066400000000000000000000056031303637203600271130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "global.h" #include #include #include "utils.h" #include "QThreadLogger.h" #include "SNMPCrawlerThread.h" #ifdef HAVE_LIBSNMP // #include snmp.h only after all Qt headers; see #2185 #include "fwbuilder/snmp.h" using namespace std; using namespace libfwbuilder; SNMPCrawlerThread::SNMPCrawlerThread(QWidget *ui, const QString &seedHostName, const QString &community, bool recursive, bool followP2P, int snmpRetries, int snmpTimeout, const std::vector *include_net) { this->ui = ui; stop_flag = new SyncFlag(); QString seedHostAddress = getAddrByName(seedHostName, AF_INET); InetAddr seedHostInetAddr = InetAddr( seedHostAddress.toLatin1().constData()); q = new SNMPCrawler(); q->init(seedHostInetAddr, community.toLatin1().constData(), recursive, false, followP2P, 0, snmpRetries, 1000000L * snmpTimeout, 0, 0, (include_net->size() > 0) ? 
include_net : NULL); } SNMPCrawlerThread::~SNMPCrawlerThread() { if (fwbdebug) qDebug() << "SNMPCrawlerThread::~SNMPCrawlerThread()"; delete q; delete stop_flag; } void SNMPCrawlerThread::run() { QThreadLogger *logger = new QThreadLogger(); connect(logger, SIGNAL(lineReady(QString)), this->ui, SLOT(logLine(QString)), Qt::QueuedConnection); q->run_impl(logger, stop_flag); emit finished(); deleteLater(); // mark this object for destruction on the next run of event loop } void SNMPCrawlerThread::stop() { stop_flag->set(true); } map SNMPCrawlerThread::getAllIPs() { return q->getAllIPs(); } set SNMPCrawlerThread::getNetworks() { return q->getNetworks(); } #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/SNMPCrawlerThread.h000066400000000000000000000041061303637203600265550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _SNMPCRAWLERTHREAD_H_ #define _SNMPCRAWLERTHREAD_H_ #include "../../config.h" #include #include #include #include #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/InetAddrMask.h" #include "fwbuilder/ThreadTools.h" #ifdef HAVE_LIBSNMP // avoid #include "snmp.h" since it conflicts with Qt, see #2185 namespace libfwbuilder { class SNMPCrawler; class SyncFlag; class CrawlerFind; }; class SNMPCrawlerThread : public QThread { Q_OBJECT; libfwbuilder::SNMPCrawler *q; libfwbuilder::SyncFlag *stop_flag; QWidget *ui; public: SNMPCrawlerThread(QWidget *ui, const QString &seedHost, const QString &community, bool recursive, bool followP2P, int snmpRetries, int snmpTimeout, const std::vector *include); virtual ~SNMPCrawlerThread(); void run(); void stop(); std::map getAllIPs(); std::set getNetworks(); signals: void finished(); }; #endif #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/SNMPNetworkDiscoveryWizard.cpp000066400000000000000000000046171303637203600310720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "global.h" #include "SNMPNetworkDiscoveryWizard.h" #include "ND_ChooseNetworksPage.h" #include "ND_ChooseObjectsPage.h" #include "ND_ChooseObjectTypePage.h" #include "ND_CreateObjectsPage.h" #include "ND_DiscoveryParametersPage.h" #include "ND_ProgressPage.h" #include "ND_SelectLibraryPage.h" #include "ND_SetupPage.h" #include "ND_SNMPParametersPage.h" #include "FWWindow.h" #include #include using namespace std; //using namespace libfwbuilder; SNMPNetworkDiscoveryWizard::SNMPNetworkDiscoveryWizard(QWidget *parent) : QWizard(parent) { QPixmap pm; pm.load(":/Images/fwbuilder3-72x72.png"); setPixmap(QWizard::LogoPixmap, pm); setWindowTitle(tr("Discover addresses and subnets using SNMP")); addPage(new ND_SetupPage(this)); addPage(new ND_DiscoveryParametersPage(this)); addPage(new ND_SNMPParametersPage(this)); addPage(new ND_ProgressPage(this)); addPage(new ND_ChooseNetworksPage(this)); addPage(new ND_ChooseObjectsPage(this)); addPage(new ND_ChooseObjectTypePage(this)); addPage(new ND_SelectLibraryPage(this)); addPage(new ND_CreateObjectsPage(this)); QRect sg = QApplication::desktop()->screenGeometry(mw); QSize screen_size = sg.size(); #if defined(Q_OS_MACX) QSize desired_size(900, 700); #else QSize desired_size(800, 700); #endif if (desired_size.width() > screen_size.width()) desired_size.setWidth(screen_size.width()); if (desired_size.height() > screen_size.height()) desired_size.setHeight(screen_size.height()); resize(desired_size); } fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/SNMPNetworkDiscoveryWizard.h000066400000000000000000000027031303637203600305310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SNMPNETWORKDISCOVERYWIZARD_H_ #define __SNMPNETWORKDISCOVERYWIZARD_H_ #include "ObjectDescriptor.h" #include class SNMPNetworkDiscoveryWizard : public QWizard { Q_OBJECT; ObjectDescriptorList networks; ObjectDescriptorList objects; QStringList objectsToUse; public: SNMPNetworkDiscoveryWizard(QWidget *parent); virtual ~SNMPNetworkDiscoveryWizard() {} ObjectDescriptorList* getNetworks() { return &networks; } ObjectDescriptorList* getObjects() { return &objects; } QStringList* getObjectsToUse() { return &objectsToUse; } public slots: }; #endif fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/nd_choosenetworkspage_q.ui000066400000000000000000000014751303637203600304370ustar00rootroot00000000000000 ND_ChooseNetworksPage_q 0 0 574 560 WizardPage ObjectSelectorWidget QWidget
ObjectSelectorWidget.h
1
fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/nd_chooseobjectspage_q.ui000066400000000000000000000014731303637203600302120ustar00rootroot00000000000000 ND_ChooseObjectsPage_q 0 0 599 514 WizardPage ObjectSelectorWidget QWidget
ObjectSelectorWidget.h
1
fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/nd_chooseobjecttypepage_q.ui000066400000000000000000000076721303637203600307400ustar00rootroot00000000000000 ND_ChooseObjectTypePage_q 0 0 578 519 WizardPage Change type of selected objects: 6 Address Host Firewall Here you can change type of the objects to be created for each address discovered by the scanner. By default, an "Address" object is created for the host with just one interface with single IP address and "Host" object is created for the host with multiple interfaces, however you can change their types on this page. Qt::AlignVCenter true QAbstractItemView::ExtendedSelection true Object Interfaces Type addresTypeButton clicked() ND_ChooseObjectTypePage_q typeAddress() 104 487 288 259 hostTypeButton clicked() ND_ChooseObjectTypePage_q typeHost() 288 487 288 259 firewallTypeButton clicked() ND_ChooseObjectTypePage_q typeFirewall() 472 487 288 259 typeAddress() typeHost() typeFirewall() fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/nd_createobjectspage_q.ui000066400000000000000000000026221303637203600301720ustar00rootroot00000000000000 ND_CreateObjectsPage_q 0 0 624 513 WizardPage Adding new objects to library ... Qt::AlignTop true Qt::Horizontal Qt::Vertical QSizePolicy::Expanding 20 439 fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/nd_discoveryparameterspage_q.ui000066400000000000000000000107371303637203600314560ustar00rootroot00000000000000 ND_DiscoveryParametersPage_q 0 0 627 583 WizardPage The scanner process can repeat its algorithm recursively using each new host it finds as a new "seed". This allows it to find as many objects on your network as possible. On the other hand, it takes more time and may find some objects you do not really need. 
You can turn recursive scanning on below: Qt::AlignVCenter true Run network scan recursively QFrame::HLine QFrame::Sunken Qt::Horizontal The scanner process can find nodes beyond the boundaries of your network by following point-to-point links connecting it to the Internet or other parts of WAN. Qt::AlignVCenter true Follow point-to-point links QFrame::HLine QFrame::Sunken Qt::Horizontal The scanner process normally ignores interfaces that have no IP addresses; checking this option makes it create such interfaces as "Unnumbered" Qt::AlignVCenter true Include interfaces with no ip addresses QFrame::HLine QFrame::Sunken Qt::Horizontal Analysis of ARP table yields IP addresses for hosts on your network. In order to determine their names, scanner can run reverse name lookup queries using your name servers (DNS): Qt::AlignVCenter true Run reverse name lookup DNS queries to determine host names false fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/nd_progresspage_q.ui000066400000000000000000000036041303637203600272220ustar00rootroot00000000000000 ND_ProgressPage_q 0 0 609 537 WizardPage Process log: 0 true Stop Save scan log to file Qt::Horizontal QSizePolicy::Expanding 141 20 stop() saveLog() fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/nd_selectlibrarypage_q.ui000066400000000000000000000035671303637203600302320ustar00rootroot00000000000000 ND_SelectLibraryPage_q 0 0 559 452 WizardPage Select target library 6 0 0 Qt::Horizontal QSizePolicy::Expanding 71 20 Qt::Vertical QSizePolicy::Expanding 20 364 fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/nd_setuppage_q.ui000066400000000000000000000211101303637203600265060ustar00rootroot00000000000000 ND_SetupPage_q 0 0 633 629 WizardPage This discovery method scans networks looking for hosts or gateways responding to SNMP queries. It pulls host's ARP table and uses all the entries found in it to create objects. Scan starts from the host called "seed". 
Enter "seed" host name or address below: Qt::AlignVCenter true 'Seed' host 6 Qt::Horizontal QSizePolicy::Expanding 211 21 true 0 20 Enter a valid host name or address. false 0 0 32767 20 0 Qt::Horizontal Qt::Horizontal QSizePolicy::Expanding 40 20 The scanner process can be confined to a certain network, so it won't discover hosts on adjacent networks. If you leave these fields blank, scanner will visit all networks it can find: Qt::AlignVCenter true Confine scan to this network: Enter network ip address as a standard dotted quad ("192.168.1.0"): Address: false Qt::Horizontal QSizePolicy::Expanding 271 20 Enter netmask as a standard dotted quad ("255.255.255.0") or bit length ("24"): Netmask: false Qt::Horizontal QSizePolicy::Expanding 271 20 false Qt::Vertical QSizePolicy::Expanding 20 255 seedHostName textChanged(QString) ND_SetupPage_q changedSeedHost() 165 101 316 314 snmpInAddr textChanged(QString) ND_SetupPage_q changedLimitScanConfiguraton() 208 237 316 314 snmpInMask textChanged(QString) ND_SetupPage_q changedLimitScanConfiguraton() 208 266 316 314 changedSeedHost() changedLimitScanConfiguraton() fwbuilder-5.3.7/src/libgui/snmpNetworkDiscoveryWizard/nd_snmpparameterspage_q.ui000066400000000000000000000113561303637203600304220ustar00rootroot00000000000000 ND_SNMPParametersPage_q 0 0 604 539 WizardPage Enter parameters for SNMP and DNS reverse lookup queries below. 
(If unsure, just leave default values): Qt::AlignVCenter true SNMP query parameters: 6 SNMP 'read' community string: false number of retries: false timeout (sec): false 1 1 1 2 public Qt::Horizontal QSizePolicy::Expanding 190 20 Qt::Horizontal QSizePolicy::Expanding 250 20 Qt::Horizontal QSizePolicy::Expanding 250 20 false Qt::Vertical QSizePolicy::Expanding 20 199 fwbuilder-5.3.7/src/libgui/solarisAdvancedDialog.cpp000066400000000000000000000103231303637203600225030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "global.h" #include "platforms.h" #include "solarisAdvancedDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Management.h" #include #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; solarisAdvancedDialog::~solarisAdvancedDialog() { delete m_dialog; } solarisAdvancedDialog::solarisAdvancedDialog(QWidget *parent,FWObject *o) : QDialog(parent) { m_dialog = new Ui::solarisAdvancedDialog_q; m_dialog->setupUi(this); obj=o; FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject(); assert(fwopt!=NULL); Management *mgmt=(Firewall::cast(obj))->getManagementObject(); assert(mgmt!=NULL); QStringList threeStateMapping; threeStateMapping.push_back(QObject::tr("No change")); threeStateMapping.push_back(""); threeStateMapping.push_back(QObject::tr("On")); threeStateMapping.push_back("1"); threeStateMapping.push_back(QObject::tr("Off")); threeStateMapping.push_back("0"); data.registerOption( m_dialog->solaris_ip_forward, fwopt, "solaris_ip_forward", threeStateMapping); data.registerOption( m_dialog->solaris_ip_forward_src_routed, fwopt, "solaris_ip_forward_src_routed", threeStateMapping); data.registerOption( m_dialog->solaris_ip_forward_directed_broadcasts, fwopt, "solaris_ip_forward_directed_broadcasts", threeStateMapping); data.registerOption( m_dialog->solaris_ip_respond_to_echo_broadcast, fwopt, "solaris_ip_respond_to_echo_broadcast", threeStateMapping); data.registerOption( m_dialog->solaris_ip_forward_directed_broadcasts, fwopt, "solaris_ip_forward_directed_broadcasts", threeStateMapping); data.registerOption( m_dialog->solaris_ip_ignore_redirect, fwopt, "solaris_ip_ignore_redirect", threeStateMapping); data.registerOption( m_dialog->solaris_ip_forward_src_routed, 
fwopt, "solaris_ip_forward_src_routed", threeStateMapping); data.registerOption( m_dialog->solaris_path_ipf , fwopt, "solaris_path_ipf"); data.registerOption( m_dialog->solaris_path_ipnat, fwopt, "solaris_path_ipnat"); data.loadAll(); m_dialog->tabWidget->setCurrentIndex(0); } /* * store all data in the object */ void solarisAdvancedDialog::accept() { ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChange(project, obj)); // new_state is a copy of the fw object FWObject* new_state = cmd->getNewState(); FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject(); assert(fwoptions!=NULL); data.saveAll(fwoptions); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void solarisAdvancedDialog::reject() { QDialog::reject(); } fwbuilder-5.3.7/src/libgui/solarisAdvancedDialog.h000066400000000000000000000026761303637203600221640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __SOLARISADVANCEDDIALOG_H_ #define __SOLARISADVANCEDDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class solarisAdvancedDialog : public QDialog { Q_OBJECT libfwbuilder::FWObject *obj; DialogData data; Ui::solarisAdvancedDialog_q *m_dialog; public: solarisAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o); ~solarisAdvancedDialog(); protected slots: virtual void accept(); virtual void reject(); }; #endif // __SOLARISADVANCEDDIALOG_H fwbuilder-5.3.7/src/libgui/solarisadvanceddialog_q.ui000066400000000000000000000324661303637203600227720ustar00rootroot00000000000000 solarisAdvancedDialog_q Qt::WindowModal 0 0 388 285 Solaris: advanced settings 11 6 6 0 Qt::Horizontal QSizePolicy::Expanding 20 20 &OK true true &Cancel true 0 Options 6 6 Ignore ICMP redirects Qt::AlignCenter false No change On Off Forward directed broadcasts Qt::AlignCenter false Respond to echo broadcast Qt::AlignCenter false No change On Off No change On Off Packet forwarding Qt::AlignCenter false No change On Off No change On Off Forward source routed packets Qt::AlignCenter false Qt::Horizontal QSizePolicy::Fixed 151 20 Qt::Vertical QSizePolicy::Fixed 20 20 Qt::Horizontal QSizePolicy::Expanding 40 20 Qt::Vertical QSizePolicy::Expanding 20 40 Path 6 6 200 0 ipf: Qt::AlignCenter false ipnat: Qt::AlignCenter false 200 0 Specify directory path and a file name for the following utilities on the OS your firewall machine is running. Leave these empty if you want to use default values. 
Qt::AlignCenter true Qt::Horizontal QSizePolicy::Expanding 40 20 Qt::Horizontal QSizePolicy::Expanding 40 20 Qt::Vertical QSizePolicy::Expanding 20 40 tabWidget solaris_ip_forward solaris_ip_forward_src_routed solaris_ip_forward_directed_broadcasts solaris_ip_ignore_redirect solaris_ip_respond_to_echo_broadcast solaris_path_ipf solaris_path_ipnat buttonOk buttonCancel buttonOk clicked() solarisAdvancedDialog_q accept() 20 20 20 20 buttonCancel clicked() solarisAdvancedDialog_q reject() 20 20 20 20 fwbuilder-5.3.7/src/libgui/ssh_wrappers.cpp000066400000000000000000000252711303637203600210110ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #ifndef _WIN32 #include #include #include #include "FWBSettings.h" #include #include #include #include #include #ifdef HAVE_SIGNAL_H #include #endif #ifdef HAVE_PTY_H #include #endif #ifdef HAVE_LIBUTIL_H #include #endif #ifdef HAVE_UTIL_H #include #endif #include #include #include using namespace std; extern FWBSettings *st; extern int fwbdebug; static struct termios save_termios; static int ttysavefd = -1; static pid_t pid = 0; #ifndef HAVE_CFMAKERAW static inline void cfmakeraw(struct termios *termios_p) { termios_p->c_iflag &= ~(IGNBRK|BRKINT|PARMRK|ISTRIP|INLCR|IGNCR|ICRNL|IXON); termios_p->c_oflag &= ~OPOST; termios_p->c_lflag &= ~(ECHO|ECHONL|ICANON|ISIG|IEXTEN); termios_p->c_cflag &= ~(CSIZE|PARENB); termios_p->c_cflag |= CS8; } #endif #ifndef HAVE_FORKPTY #include #include #include //#include #include /* fork_pty() remplacement for Solaris. 
* ignore the last two arguments * for the moment */ int forkpty (int *amaster, char *name, void *unused1, void *unused2) { int master, slave; char *slave_name; pid_t pid; master = open("/dev/ptmx", O_RDWR); if (master < 0) return -1; if (grantpt (master) < 0) { close (master); return -1; } if (unlockpt (master) < 0) { close (master); return -1; } slave_name = ptsname (master); if (slave_name == NULL) { close (master); return -1; } slave = open (slave_name, O_RDWR); if (slave < 0) { close (master); return -1; } if (ioctl (slave, I_PUSH, "ptem") < 0 || ioctl (slave, I_PUSH, "ldterm") < 0) { close (slave); close (master); return -1; } if (amaster) *amaster = master; if (name) strcpy (name, slave_name); pid = fork (); switch (pid) { case -1: /* Error */ return -1; case 0: /* Child */ close (master); dup2 (slave, STDIN_FILENO); dup2 (slave, STDOUT_FILENO); dup2 (slave, STDERR_FILENO); return 0; default: /* Parent */ close (slave); return pid; } return -1; } #endif int tty_raw(int fd) { struct termios buf; if (tcgetattr(fd, &save_termios) < 0) { qDebug("Can not switch terminal to raw mode, tcgetattr error '%s'",strerror(errno)); exit(1); } buf = save_termios; cfmakeraw(&buf); // this used to use TCSAFLUSH, but that caused stall which I did not // completely understand. Apparently there was some data in the output // buffer at the moment when we try to switch tty to raw mode, but I // could not figure out where this data comes from and why it could // not be written to the tty. Anyway, this caused semi-random stalls // in the installer because whenever it called fwbuilder -X, the child // process would block in this place and stall installer. I had to // switch to TCSANOW to fix. 
if (tcsetattr(fd, TCSANOW, &buf) < 0) { qDebug("Can not switch terminal to raw mode, tcsetattr error '%s'",strerror(errno)); exit(1); } ttysavefd = fd; return 0; } int echo_off(int fd) { struct stat statbuf; if (fstat(fd,&statbuf)!=0) return 0; struct termios stermios; if (tcgetattr(fd, &stermios)<0) { qDebug("Can not turn terminal echo off, tcgetattr error '%s'",strerror(errno)); exit(1); } stermios.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL); stermios.c_oflag &= ~(ONLCR); if (tcsetattr(fd, TCSANOW, &stermios)<0) { qDebug("Can not turn terminal echo off, tcsetattr error '%s'",strerror(errno)); exit(1); } return 0; } ssize_t writen(int fd,const void *vptr, size_t n) { size_t nleft; ssize_t nwritten; const char *ptr; ptr = (const char*)(vptr); nleft = n; if (fwbdebug) qDebug("need to write %d bytes",int(nleft)); while (nleft > 0) { if ( (nwritten = write(fd,ptr,nleft )) <= 0) return nwritten; if (fwbdebug) qDebug("%d bytes written",int(nwritten)); nleft -= nwritten; ptr += nwritten; } return n; } #ifndef strndup char* strndup(const char* s,int n) { char *tbuf = (char*)malloc(n); if (tbuf) memcpy(tbuf,s,n); return tbuf; } #endif void catch_sign(int sig) { if (fwbdebug) { cerr << "Wrapper caight signal " << sig << endl; cerr << "Child process pid " << pid << endl; } if (pid != 0) { int stat; kill(pid, SIGTERM); int timeout = 0; pid_t cp = 0; while ( (cp = waitpid(pid, &stat, WNOHANG)) == 0 && timeout < 10) { if (fwbdebug) cerr << "Waiting for pid " << pid << " to finish" << endl; sleep(1); timeout++; } if (cp == 0) { if (fwbdebug) cerr << "Timeout, child process is still running. Killing it." 
<< endl; kill(pid, SIGKILL); } } exit(1); } void ssh_wrapper( int argc, char *argv[] ) { bool ssh_wrapper = false; bool scp_wrapper = false; const char *arg[128]; int i; QStringList new_args; for (i = 1 ; i StartTipDialog_q 0 0 529 403 Welcome to Firewall Builder :/Images/fwbuilder3-128x128.png false 0 0 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" content="1" /><style type="text/css"> p, li { white-space: pre-wrap; } </style></head><body style=" font-family:'Sans Serif'; font-size:9pt; font-weight:400; font-style:normal;"> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-family:'Lucida Grande'; font-size:28pt;">Firewall Builder %1</span></p></body></html> Qt::AlignCenter Qt::Horizontal 40 20 Version Qt::AlignCenter Qt::Horizontal 40 20 Qt::Horizontal 40 20 Watch Getting Started Tutorial Qt::Horizontal 40 20 QFrame::NoFrame QFrame::Plain 0 true Do not show this again Qt::Horizontal 18 17 Previous Tip false Next Tip false false false Close false true closeButton clicked() StartTipDialog_q close() 514 390 347 207 nextTipButton clicked() StartTipDialog_q nextTip() 435 390 259 133 prevTipButton clicked() StartTipDialog_q prevTip() 337 390 259 133 start_tutorial clicked() StartTipDialog_q showGettingStartedTutorial() 381 96 519 99 nextTip() prevTip() showGettingStartedTutorial() showSummary() fwbuilder-5.3.7/src/libgui/startup_tip_url.h000066400000000000000000000020041303637203600211630ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2008 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef STARTUP_TIP_URL_HH #define STARTUP_TIP_URL_HH #include "../../VERSION.h" #define STARTUP_TIP_URL "http://update.fwbuilder.org/tips/gettip.cgi?v=" VERSION #endif fwbuilder-5.3.7/src/libgui/startwizard_q.ui000066400000000000000000000224341303637203600210200ustar00rootroot00000000000000 startWizard_q 0 0 440 283 0 0 0 25 Sans Serif 14 75 false true Qt::AlignCenter 0 0 0 0 0 Aharoni 24 <b>Firewall Builder N.N.N</b> Qt::AlignCenter true Do you want to open existing project file or create a new one? Qt::AlignCenter false Qt::Horizontal QSizePolicy::Expanding 40 20 Create new project file Qt::Horizontal QSizePolicy::Expanding 40 20 Open existing file Qt::Horizontal QSizePolicy::Expanding 30 20 0 0 0 0 File name: %1 false Activate Revision Control System for this file (if you do not do this now, you can always activate it later) Qt::Vertical QSizePolicy::Expanding 20 60 Let the program automatically open this file when I start it next time (you can activate this option later using Preferences dialog) 1 0 400 50 QFrame::StyledPanel QFrame::Raised Qt::Horizontal 40 20 < &Back &Next > false &Finish false &Cancel openFileButton newFileButton rcsBtn autoopenBtn newFileButton clicked() startWizard_q newFile() 20 20 20 20 openFileButton clicked() startWizard_q openFile() 20 20 20 20 startWizard_q selected(QString) startWizard_q selected(QString) 20 20 20 20 fwbuilder-5.3.7/src/libgui/tagservicedialog_q.ui000066400000000000000000000103531303637203600217530ustar00rootroot00000000000000 TagServiceDialog_q 0 0 688 199 Form1 QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken 
Name: false 200 0 0 0 Code: false 0 0 Qt::Vertical QSizePolicy::MinimumExpanding 20 0 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name tagcode
fwbuilder-5.3.7/src/libgui/tcpservicedialog_q.ui000066400000000000000000000601141303637203600217660ustar00rootroot00000000000000 TCPServiceDialog_q true 0 0 884 265 0 0 TCP QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken 0 0 Name: false 200 0 0 0 0 0 QGroupBox { margin-top: 0px; padding-top: 1ex; padding-bottom: 0px; } 2 10 4 0 0 0 0 0 0 U false TCP flags that must be set (see man iptables, option --tcp-flags) Settings: false 0 0 0 0 0 0 0 0 0 0 R false 0 0 P false 0 0 0 0 TCP flags that should be examined (see man iptables, option --tcp-flags) Mask: false 0 0 0 0 0 0 Flags: false 0 0 0 0 A false 0 0 S false 0 0 0 0 F false 0 0 Option "established" can be used if supported by the target firewall platform Established Qt::Vertical QSizePolicy::Expanding 172 70 0 0 QFrame::Box QFrame::Sunken 8 2 8 2 2 6 QGroupBox { margin-top: 1ex; padding-top: 1ex; padding-bottom: 0px; padding-left: 2px; } QGroupBox::title { subcontrol-origin: margin; subcontrol-position: top left; padding: 0 3px; } QSpinBox { margin: 0px; padding: 0px; } Source Port Range 2 2 QAbstractSpinBox::UpDownArrows 65535 QAbstractSpinBox::UpDownArrows 65535 Start: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false End: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false QGroupBox { margin-top: 1ex; padding-top: 1ex; padding-bottom: 0px; padding-left: 2px; } QGroupBox::title { subcontrol-origin: margin; subcontrol-position: top left; padding: 0 3px; } QSpinBox { margin: 0px; padding: 0px; } Destination Port Range 2 2 QAbstractSpinBox::UpDownArrows 65535 QAbstractSpinBox::UpDownArrows 65535 Start: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false End: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false Qt::Vertical 20 40 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name ss se ds de urg_m urg_s ack_m ack_s psh_m psh_s rst_m rst_s syn_m syn_s fin_m fin_s established toggled(bool) TCPServiceDialog_q toggleEstablished() 46 246 20 20
fwbuilder-5.3.7/src/libgui/temporarydir.cpp000066400000000000000000000217451303637203600210140ustar00rootroot00000000000000/**************************************************************************** ** ** Copyright (C) 2013 Digia Plc and/or its subsidiary(-ies). ** Contact: http://www.qt-project.org/legal ** ** This file is part of the QtCore module of the Qt Toolkit. ** ** $QT_BEGIN_LICENSE:LGPL$ ** Commercial License Usage ** Licensees holding valid commercial Qt licenses may use this file in ** accordance with the commercial license agreement provided with the ** Software or, alternatively, in accordance with the terms contained in ** a written agreement between you and Digia. For licensing terms and ** conditions see http://qt.digia.com/licensing. For further information ** use the contact form at http://qt.digia.com/contact-us. ** ** GNU Lesser General Public License Usage ** Alternatively, this file may be used under the terms of the GNU Lesser ** General Public License version 2.1 as published by the Free Software ** Foundation and appearing in the file LICENSE.LGPL included in the ** packaging of this file. Please review the following information to ** ensure the GNU Lesser General Public License version 2.1 requirements ** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. ** ** In addition, as a special exception, Digia gives you certain additional ** rights. These rights are described in the Digia Qt LGPL Exception ** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. ** ** GNU General Public License Usage ** Alternatively, this file may be used under the terms of the GNU ** General Public License version 3.0 as published by the Free Software ** Foundation and appearing in the file LICENSE.GPL included in the ** packaging of this file. Please review the following information to ** ensure the GNU General Public License version 3.0 requirements will be ** met: http://www.gnu.org/copyleft/gpl.html. 
**
**
** $QT_END_LICENSE$
**
****************************************************************************/

// Backported to Qt 4 from Qt 5.1

#include "temporarydir.h"
#include
#include "qplatformdefs.h"
#include

//************* TemporaryDirPrivate

// Private state behind TemporaryDir: the created path, whether the
// directory is deleted on destruction, and whether creation succeeded.
class TemporaryDirPrivate
{
public:
    TemporaryDirPrivate();
    ~TemporaryDirPrivate();

    // Create the directory from templateName (see below).
    void create(const QString &templateName);

    QString path;     // decoded name of the created directory; empty on failure
    bool autoRemove;  // delete the directory in ~TemporaryDir(); true by default
    bool success;     // set once create() has actually made the directory
};

TemporaryDirPrivate::TemporaryDirPrivate()
    : autoRemove(true),
      success(false)
{
}

TemporaryDirPrivate::~TemporaryDirPrivate()
{
}

// Default template: "<QDir::tempPath()>/qt_temp-XXXXXX".  The base name is
// always the literal "qt_temp"; the application name is not consulted here.
static QString defaultTemplateName()
{
    QString baseName;
    baseName = QLatin1String("qt_temp");
    return QDir::tempPath() + QLatin1Char('/') + baseName + QLatin1String("-XXXXXX");
}

/*
 * mkdtemp() work-alike built on QDir::mkdir().
 *
 * templateName must end in "XXXXXX"; those six characters are replaced in
 * place with characters from `letters` and a directory of that name is
 * created.  Returns templateName on success, 0 when the template is
 * malformed or all 256 attempts failed.
 *
 * Security notes (review):
 *  - Uniqueness comes from mkdir() refusing an existing name, not from
 *    the name itself: a collision just fails that attempt and the loop
 *    tries the next one.
 *  - All six characters are derived from ONE qrand() value.  qrand() is a
 *    non-cryptographic PRNG bounded by RAND_MAX, so the name carries at
 *    most log2(RAND_MAX) bits of variety, far below the 62^6 the template
 *    suggests; with RAND_MAX = 2^31-1 the sixth character can only be
 *    'a', 'b' or 'c'.  Names are therefore predictable.  Nothing here
 *    seeds the generator -- TODO confirm a qsrand() call exists elsewhere.
 *  - No mode is passed to mkdir(), so the directory gets whatever
 *    permissions QDir::mkdir() applies under the current umask, unlike
 *    POSIX mkdtemp() which uses 0700 -- confirm that is acceptable for
 *    what callers store here.
 */
static char *q_mkdtemp(char *templateName)
{
    static const char letters[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    const size_t length = strlen(templateName);

    // computed before the length check; out of range for length < 6 but
    // never dereferenced in that case because "||" short-circuits below
    char *XXXXXX = templateName + length - 6;

    if ((length < 6u) || strncmp(XXXXXX, "XXXXXX", 6))
        return 0;

    for (int i = 0; i < 256; ++i) {
        int v = qrand();

        /* Fill in the random bits. */
        // each step peels one base-62 digit off v; later digits get fewer bits
        XXXXXX[0] = letters[v % 62];
        v /= 62;
        XXXXXX[1] = letters[v % 62];
        v /= 62;
        XXXXXX[2] = letters[v % 62];
        v /= 62;
        XXXXXX[3] = letters[v % 62];
        v /= 62;
        XXXXXX[4] = letters[v % 62];
        v /= 62;
        XXXXXX[5] = letters[v % 62];

        QString templateNameStr = QFile::decodeName(templateName);

        // mkdir() fails if the name already exists -> try another name
        QDir tempPath(QDir::tempPath());
        if (!tempPath.mkdir(templateNameStr))
            continue;

        return templateName;
    }
    return 0;
}

// Resolve templateName into a real directory: append "XXXXXX" if the
// template does not already end in it, then let q_mkdtemp() pick a free
// name.  On success records the decoded name in `path` and sets
// `success`; on failure both keep their constructor defaults.
void TemporaryDirPrivate::create(const QString &templateName)
{
    QByteArray buffer = QFile::encodeName(templateName);
    if (!buffer.endsWith("XXXXXX"))
        buffer += "XXXXXX";
    if (q_mkdtemp(buffer.data())) { // modifies buffer
        success = true;
        path = QFile::decodeName(buffer.constData());
    }
}

//************* TemporaryDir

/*!
    \class QTemporaryDir
    \inmodule QtCore
    \reentrant
    \brief The QTemporaryDir class creates a unique directory for temporary use.
\ingroup io QTemporaryDir is used to create unique temporary dirs safely. The dir itself is created by the constructor. The name of the temporary directory is guaranteed to be unique (i.e., you are guaranteed to not overwrite an existing dir), and the directory will subsequently be removed upon destruction of the QTemporaryDir object. The directory name is either auto-generated, or created based on a template, which is passed to QTemporaryDir's constructor. Example: \snippet code/src_corelib_io_qtemporarydir.cpp 0 It is very important to test that the temporary directory could be created, using isValid(). Do not use exists(), since a default-constructed QDir represents the current directory, which exists. The path to the temporary dir can be found by calling path(). A temporary directory will have some static part of the name and some part that is calculated to be unique. The default path will be determined from QCoreApplication::applicationName() (otherwise \c qt_temp) and will be placed into the temporary path as returned by QDir::tempPath(). If you specify your own path, a relative path will not be placed in the temporary directory by default, but be relative to the current working directory. In all cases, a random string will be appended to the path in order to make it unique. \sa QDir::tempPath(), QDir, QTemporaryFile */ /*! Constructs a QTemporaryDir using as template the application name returned by QCoreApplication::applicationName() (otherwise \c qt_temp). The directory is stored in the system's temporary directory, QDir::tempPath(). \sa QDir::tempPath() */ TemporaryDir::TemporaryDir() : d_ptr(new TemporaryDirPrivate) { d_ptr->create(defaultTemplateName()); } /*! Constructs a QTemporaryFile with a template name of \a templateName. If \a templateName is a relative path, the path will be relative to the current working directory. You can use QDir::tempPath() to construct \a templateName if you want use the system's temporary directory. 
If the \a templateName ends with XXXXXX it will be used as the dynamic portion of the directory name, otherwise it will be appended. Unlike QTemporaryFile, XXXXXX in the middle of the template string is not supported. \sa QDir::tempPath() */ TemporaryDir::TemporaryDir(const QString &templateName) : d_ptr(new TemporaryDirPrivate) { if (templateName.isEmpty()) d_ptr->create(defaultTemplateName()); else d_ptr->create(templateName); } /*! Destroys the temporary directory object. If auto remove mode was set, it will automatically delete the directory including all its contents. \sa autoRemove() */ TemporaryDir::~TemporaryDir() { if (d_ptr->autoRemove) remove(); } /*! Returns true if the QTemporaryDir was created successfully. */ bool TemporaryDir::isValid() const { return d_ptr->success; } /*! Returns the path to the temporary directory. Empty if the QTemporaryDir could not be created. */ QString TemporaryDir::path() const { return d_ptr->path; } /*! Returns true if the QTemporaryDir is in auto remove mode. Auto-remove mode will automatically delete the directory from disk upon destruction. This makes it very easy to create your QTemporaryDir object on the stack, fill it with files, do something with the files, and finally on function return it will automatically clean up after itself. Auto-remove is on by default. \sa setAutoRemove(), remove() */ bool TemporaryDir::autoRemove() const { return d_ptr->autoRemove; } /*! Sets the QTemporaryDir into auto-remove mode if \a b is true. Auto-remove is on by default. \sa autoRemove(), remove() */ void TemporaryDir::setAutoRemove(bool b) { d_ptr->autoRemove = b; } /*! Removes the temporary directory, including all its contents. Returns true if removing was successful. 
*/ bool TemporaryDir::remove() { if (!d_ptr->success) return false; Q_ASSERT(!path().isEmpty()); Q_ASSERT(path() != QLatin1String(".")); return removeRecursively(path()); } // This method is based on QTemporaryDir::remove from the Qt 5.1 branch bool TemporaryDir::removeRecursively(const QString& dirPath) { if (!QDir(dirPath).exists()) return true; bool success = true; // not empty -- we must empty it first QDirIterator di(dirPath, QDir::AllEntries | QDir::Hidden | QDir::System | QDir::NoDotAndDotDot); while (di.hasNext()) { di.next(); const QFileInfo& fi = di.fileInfo(); bool ok; if (fi.isDir() && !fi.isSymLink()) ok = removeRecursively(di.filePath()); else ok = QFile::remove(di.filePath()); if (!ok) success = false; } if (success) { QDir dir(dirPath); QString path = dir.absolutePath(); dir.cdUp(); success = dir.rmdir(path); } return success; } fwbuilder-5.3.7/src/libgui/temporarydir.h000066400000000000000000000050101303637203600204440ustar00rootroot00000000000000/**************************************************************************** ** ** Copyright (C) 2013 Digia Plc and/or its subsidiary(-ies). ** Contact: http://www.qt-project.org/legal ** ** This file is part of the QtCore module of the Qt Toolkit. ** ** $QT_BEGIN_LICENSE:LGPL$ ** Commercial License Usage ** Licensees holding valid commercial Qt licenses may use this file in ** accordance with the commercial license agreement provided with the ** Software or, alternatively, in accordance with the terms contained in ** a written agreement between you and Digia. For licensing terms and ** conditions see http://qt.digia.com/licensing. For further information ** use the contact form at http://qt.digia.com/contact-us. ** ** GNU Lesser General Public License Usage ** Alternatively, this file may be used under the terms of the GNU Lesser ** General Public License version 2.1 as published by the Free Software ** Foundation and appearing in the file LICENSE.LGPL included in the ** packaging of this file. 
Please review the following information to ** ensure the GNU Lesser General Public License version 2.1 requirements ** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. ** ** In addition, as a special exception, Digia gives you certain additional ** rights. These rights are described in the Digia Qt LGPL Exception ** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. ** ** GNU General Public License Usage ** Alternatively, this file may be used under the terms of the GNU ** General Public License version 3.0 as published by the Free Software ** Foundation and appearing in the file LICENSE.GPL included in the ** packaging of this file. Please review the following information to ** ensure the GNU General Public License version 3.0 requirements will be ** met: http://www.gnu.org/copyleft/gpl.html. ** ** ** $QT_END_LICENSE$ ** ****************************************************************************/ // Backported to Qt 4 from Qt 5.1 #ifndef TEMPORARYDIR_H #define TEMPORARYDIR_H #include #include class TemporaryDirPrivate; class TemporaryDir { public: TemporaryDir(); explicit TemporaryDir(const QString &templateName); ~TemporaryDir(); bool isValid() const; bool autoRemove() const; void setAutoRemove(bool b); bool remove(); QString path() const; private: QScopedPointer d_ptr; Q_DISABLE_COPY(TemporaryDir) bool removeRecursively(const QString& path); }; #endif // TEMPORARYDIR_H fwbuilder-5.3.7/src/libgui/textfileeditor_q.ui000066400000000000000000000062351303637203600214760ustar00rootroot00000000000000 TextFileEditor_q true 0 0 592 344 Qt::StrongFocus Script Editor 11 Qt::ScrollBarAlwaysOn Qt::ScrollBarAlwaysOn Qt::Horizontal QSizePolicy::Expanding 40 20 Save true Cancel 0 0 QFrame::HLine QFrame::Sunken Qt::Horizontal editor ok_button cancel_button ok_button clicked() TextFileEditor_q save() 20 20 20 20 cancel_button clicked() TextFileEditor_q reject() 20 20 20 20 save() 
fwbuilder-5.3.7/src/libgui/timedialog_q.ui000066400000000000000000000342301303637203600205550ustar00rootroot00000000000000 TimeDialog_q true 0 0 951 251 Time QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 Qt::Vertical QSizePolicy::MinimumExpanding 20 5 350 16 QFrame::NoFrame QFrame::Sunken 0 2 2 Start date: 0 25 M/d/yyyy true 2000 1 1 Qt::Horizontal 101 25 Start time: false 0 25 Qt::Horizontal 111 20 2 2 End date: 0 25 M/d/yyyy true 2000 1 1 Qt::Horizontal 101 25 End time: false 0 25 Qt::Horizontal 101 25 false 2 2 0 QFrame::NoFrame QFrame::Raised 0 0 Mon Tue Wed Thu Fri Sat Sun 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name startDate startTime endDate endTime useStartDate toggled(bool) TimeDialog_q useStartOrEndDate() 224 79 20 20 useEndDate toggled(bool) TimeDialog_q useStartOrEndDate() 224 166 20 20
fwbuilder-5.3.7/src/libgui/udpservicedialog_q.ui000066400000000000000000000236351303637203600217770ustar00rootroot00000000000000 UDPServiceDialog_q true 0 0 922 239 0 0 UDP QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 Qt::Vertical 20 150 0 0 QFrame::Box QFrame::Sunken 2 8 8 QGroupBox { margin-top: 1ex; padding-top: 1ex; padding-bottom: 0px; padding-left: 2px; } QGroupBox::title { subcontrol-origin: margin; subcontrol-position: top left; padding: 0 3px; } QSpinBox { margin: 0px; padding: 0px; } Source Port Range 0 2 Start: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false QAbstractSpinBox::UpDownArrows 65535 End: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false QAbstractSpinBox::UpDownArrows 65535 QGroupBox { margin-top: 1ex; padding-top: 1ex; padding-bottom: 0px; padding-left: 2px; } QGroupBox::title { subcontrol-origin: margin; subcontrol-position: top left; padding: 0 3px; } QSpinBox { margin: 0px; padding: 0px; } Destination Port Range 0 2 Start: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false QAbstractSpinBox::UpDownArrows 65535 End: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter false QAbstractSpinBox::UpDownArrows 65535 Qt::Vertical 20 40 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name ss se ds de
fwbuilder-5.3.7/src/libgui/upgradePredicate.h000066400000000000000000000037251303637203600212060ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2004 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __UPGRADEPREDICATE_H_ #define __UPGRADEPREDICATE_H_ #include "fwbuilder/XMLTools.h" #include "qmessagebox.h" #include "qobject.h" class MessageBoxUpgradePredicate: public libfwbuilder::XMLTools::UpgradePredicate { QWidget *parent; public: MessageBoxUpgradePredicate(QWidget *p=NULL) { parent=p; } virtual bool operator()(const std::string&) const { return QMessageBox::information( parent , "Firewall Builder", QObject::tr( "The data file you are trying to open has been \ saved with an older version of Firewall Builder. \ Opening it in this version will cause it to be \ upgraded, which may prevent older versions of \ the program from reading it. 
Backup copy of your \ file in the old format will be made in the same \ directory with extension '.bak'.\n\ Are you sure you want to open it?"), QObject::tr("&Upgrade"), QObject::tr("&Do not load the file"), QString::null, 0, 1 )==0; } }; #endif fwbuilder-5.3.7/src/libgui/userdialog_q.ui000066400000000000000000000113451303637203600205770ustar00rootroot00000000000000 UserDialog_q true 0 0 859 272 0 0 User 12 0 0 QFrame::Box QFrame::Sunken 0 0 350 0 350 16777215 QFrame::Box QFrame::Sunken Name: false 200 0 0 0 User id: false 0 0 Qt::Vertical QSizePolicy::MinimumExpanding 20 5 0 0 CommentKeywords QWidget
CommentKeywords.h
1
obj_name userid
fwbuilder-5.3.7/src/libgui/utils.cpp000066400000000000000000000417601303637203600174320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "global.h" #include "utils.h" #include "utils_no_qt.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "FWBSettings.h" #include "fwbuilder/dns.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Library.h" #include "fwbuilder/Resources.h" #if defined(_WIN32) # include # include # include # include # include # include #else # include # include # include # include #endif #include #include #include #include "FWBTree.h" using namespace std; using namespace libfwbuilder; QAction* addPopupMenuItem(QObject *res, QMenu* menu, const QString &resourceIconPath, const QString itemName, const char* member, const QKeySequence &accel) { string icn; QPixmap pm; //int itmID = -1; QAction *act = NULL; icn = Resources::global_res->getResourceStr(static_cast(resourceIconPath.toLatin1())); if(icn!="") { // pm = QPixmap::fromMimeSource( icn.c_str() ); if ( 
! QPixmapCache::find( icn.c_str(), pm) ) { pm.load( (":/"+icn).c_str() );//fromMimeSource( icn.c_str() ); QPixmapCache::insert( icn.c_str(), pm); } act = menu->addAction( pm, itemName , res , member, accel ); //insertItem } else act = menu->addAction( itemName , res , member, accel); //insertItem return act; } void fillLibraries(QComboBox *libs, libfwbuilder::FWObject *obj, bool rw) { bool standardObj = false; bool templateObj = false; bool deletedObj = false; QString lib=""; if ( ! FWObjectDatabase::isA(obj)) { FWObject *libobj = obj->getLibrary(); assert(libobj!=NULL); lib = libobj->getName().c_str(); standardObj = (libobj->getId()==FWObjectDatabase::STANDARD_LIB_ID); templateObj = (libobj->getId()==FWObjectDatabase::TEMPLATE_LIB_ID); deletedObj = (libobj->getId()==FWObjectDatabase::DELETED_OBJECTS_ID); } libs->clear(); list ll = obj->getRoot()->getByType( Library::TYPENAME ); ll.sort(FWObjectNameCmpPredicate()); int n=0; int cn=0; string libicn; for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { if (libicn.empty()) libicn=(":/Icons/"+(*i)->getTypeName()+"/icon-tree").c_str(); if ( (*i)->getId()==FWObjectDatabase::STANDARD_LIB_ID && !standardObj) continue; if ( (*i)->getId()==FWObjectDatabase::TEMPLATE_LIB_ID && !templateObj) continue; if ( (*i)->getId()==FWObjectDatabase::DELETED_OBJECTS_ID && !deletedObj ) continue; if (rw && (*i)->isReadOnly()) continue; if (lib==QString((*i)->getName().c_str())) cn=n; QPixmap icon; icon.load( (libicn).c_str() ); libs->addItem(icon, QString::fromUtf8((*i)->getName().c_str()) ); n++; } libs->setCurrentIndex(cn); } void fillLibraries(QListWidget *libs, libfwbuilder::FWObject *obj, bool rw) { bool standardObj = false; bool templateObj = false; bool deletedObj = false; QString lib=""; if ( ! 
FWObjectDatabase::isA(obj)) { FWObject *libobj = obj->getLibrary(); assert(libobj!=NULL); lib = libobj->getName().c_str(); standardObj = (libobj->getId()==FWObjectDatabase::STANDARD_LIB_ID); templateObj = (libobj->getId()==FWObjectDatabase::TEMPLATE_LIB_ID); deletedObj = (libobj->getId()==FWObjectDatabase::DELETED_OBJECTS_ID); } libs->clear(); list ll = obj->getRoot()->getByType( Library::TYPENAME ); ll.sort(FWObjectNameCmpPredicate()); int n=0; int cn=0; string libicn; for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++) { if (libicn.empty()) libicn=Resources::global_res->getObjResourceStr(*i,"icon-tree").c_str(); if ( (*i)->getId()==FWObjectDatabase::STANDARD_LIB_ID && !standardObj) continue; if ( (*i)->getId()==FWObjectDatabase::TEMPLATE_LIB_ID && !templateObj) continue; if ( (*i)->getId()==FWObjectDatabase::DELETED_OBJECTS_ID && !deletedObj ) continue; if (rw && (*i)->isReadOnly()) continue; if (lib==QString((*i)->getName().c_str())) cn=n; QPixmap icon; icon.load( (":/"+libicn).c_str() ); QListWidgetItem *item = new QListWidgetItem(icon, (*i)->getName().c_str()); libs->addItem(item); n++; } libs->setCurrentRow(cn); } bool isTreeReadWrite(QWidget *parent, FWObject *obj) { if (obj->isReadOnly()) { QMessageBox::warning( parent, "Firewall Builder", QObject::tr("Impossible to apply changes because object is " "located in read-only\npart of the tree or data " "file was opened read-only"), QObject::tr("&Continue"), 0, 0, 0, 2 ); return false; } return true; } /* * compare names as QString objects to catch non-ascii names */ bool validateName(QWidget *parent, FWObject *obj, const QString &newname) { if (newname.isEmpty()) { // show warning dialog only if app has focus if (QApplication::focusWidget() != NULL) { parent->blockSignals(true); QMessageBox::warning( parent, "Firewall Builder", QObject::tr("Object name should not be blank"), QObject::tr("&Continue"), NULL, NULL, 0, 2 ); parent->blockSignals(false); } return false; } FWObject *p = obj->getParent(); for 
(FWObject::iterator i=p->begin(); i!=p->end(); ++i) { FWObject *o1= *i; // Another hack: we need to be able to create policy and nat // ruleset objects with name "ftp-proxy/*" for PF. Allow // objects of different type to have the same name. if (o1 == obj || o1->getTypeName() != obj->getTypeName()) continue; if (QString(o1->getName().c_str()) == newname) { /* * when we open this warning dialog, the dialog class * loses focus and obj_name lineEdit widget sends signal * "editingfinished" again. To the user this looks like the * warning dialog popped up twice (in fact two copies of the * same warning dialog appear at the same time, one exactly on * top of another). To avoid this, block signals for the * duration while we show the dialog. Note that documentation * does not mention that QObject::blockSignals() affects not * only the widget but all its children, but it seems to work * that way. Tested with Qt 4.6.1. See #1171 */ // show warning dialog only if app has focus if (QApplication::focusWidget() != NULL) { parent->blockSignals(true); QMessageBox::warning( parent, "Firewall Builder", QObject::tr("Object with name '%1' already exists, " "please choose different name."). 
arg(o1->getName().c_str()), QObject::tr("&Continue"), NULL, NULL, 0, 2 ); parent->blockSignals(false); } return false; } } return true; } QString quoteString(const QString &str) { QString res; if (str.indexOf(" ")!=-1) res="\""; res+=str; if (str.indexOf(" ")!=-1) res+="\""; return res; } QString getFileDir(const QString &file) { return QFileInfo(file).dir().path(); } void setDisabledPalette(QWidget *w) { QPalette pal=w->palette(); pal.setCurrentColorGroup( QPalette::Active ); pal.setColor( QPalette::Text, Qt::black ); pal.setCurrentColorGroup( QPalette::Inactive ); pal.setColor( QPalette::Text, Qt::black ); pal.setCurrentColorGroup( QPalette::Disabled ); pal.setColor( QPalette::Text, Qt::black ); w->setPalette( pal ); } QString getAddrByName(const QString &name, int af_type) { list results; try { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) results = DNS::getHostByName(name.toAscii().constData(), af_type); #else results = DNS::getHostByName(name.toLatin1().constData(), af_type); #endif } catch (FWException &e) { if (fwbdebug) qDebug("utils::getAddrByName: DNS lookup error: %s", e.toString().c_str()); return ""; } try { if (results.size()>0) return QString(results.front().toString().c_str()); } catch (FWException &e) { qDebug() << "utils::getAddrByName: Can not convert address to string"; qDebug() << e.toString().c_str(); } return ""; #if 0 QHostInfo a = QHostInfo::fromName(name); QList alist = a.addresses(); if (alist.empty()) return ""; return alist.front().toString(); #endif } QString getNameByAddr(const QString &addr) { /*QHostAddress ha; ha.setAddress(addr); Q3Dns qry( ha, Q3Dns::Ptr); QStringList nlist = qry.hostNames(); while (qry.isWorking()) { app->processEvents(200); } nlist = qry.hostNames(); if (nlist.empty()) return ""; return nlist.front();*/ QHostInfo a = QHostInfo::fromName(addr); return a.hostName(); } QString wordWrap(const QString& s, int maxchinline) { int chcount=0; int lastwdpos=0; int linestart=0; bool fl_wd=true; /*unsigned*/ int pos=0; 
QString res=""; QChar ch; for ( ; pos < s.length(); pos++,chcount++) { ch = s.at(pos); if (!ch.isLetter() && !ch.isNumber()) { fl_wd=false; } else { if (!fl_wd) { fl_wd=true; lastwdpos=pos; } } if (chcount>maxchinline) { if (fl_wd) { if (linestartgetTypeName()+"/icon-tree").c_str(); LoadPixmap(icn_file, pm); // if ( ! QPixmapCache::find( icn_file, pm) ) // { // pm.load( icn_file ); // QPixmapCache::insert( icn_file, pm); // } } void LoadPixmap(const QString &path, QPixmap &pm) { if ( ! QPixmapCache::find( path, pm ) ) { pm.load( path ); if (pm.width() == 0) #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) qDebug("pixmap load failed: %s", path.toAscii().constData()); #else qDebug("pixmap load failed: %s", path.toLatin1().constData()); #endif QPixmapCache::insert( path, pm ); } } QPixmap LoadPixmap(const QString &path) { QPixmap p; LoadPixmap(path, p); return p; } QString calculateIconName(const QString &_icn, bool negation) { // if _icn has white space, use only the first word QStringList icnl = _icn.split(" "); QString icn = ":/Icons/" + icnl[0] + "/icon"; if (negation) { icn = icn + "-neg"; } if (FWBSettings::SIZE16X16 == st->getIconsInRulesSize()) { return icn+"-tree"; } return icn; } void doSetObjectIcon(FWObject *obj, QPixmap *pm, int icon_size) { QString icn_alias; QString icn_sfx; switch (icon_size) { case 0: icn_sfx = "icon-tree"; break; case 2: icn_sfx = "icon-big"; break; default: icn_sfx = "icon"; break; } // note that we do not have "locked" version of large icons if (obj->getRO() && icon_size != 2) icn_alias = ":/Icons/lock"; else { if (FWBTree().isStandardFolder(obj)) icn_alias = ":/Icons/SystemGroup/" + icn_sfx; else icn_alias = QString(":/Icons/") + obj->getTypeName().c_str() + "/" + icn_sfx; } LoadPixmap(icn_alias, *pm); } QString _getNextToken(QStringList &args) { QString a; while (args.size() > 0) { a = args.front(); args.pop_front(); if (!a.isEmpty()) break; } return a; } // reassemble quoted strings from the list of tokens, possibly // recursively if 
// there are quoted strings inside. The first token is
// assumed to be " or '. Pops all processed tokens from the list but
// leaves the rest in it.
//
// Notes: the very last token of the list is returned as-is (checked
// before the quote logic), and so is a token ending in closing_quote;
// an unterminated quote therefore swallows all remaining tokens.
QString _parseTokens(QStringList &args, const QChar closing_quote='\0')
{
    QString a = _getNextToken(args);
    if (args.size() == 0) return a;
    if (closing_quote != '\0' && a.endsWith(closing_quote)) return a;
    if (a.startsWith("\"") || a.startsWith("'"))
    {
        QStringList res;
        QChar closing_quote = a[0];   // shadows the parameter: the quote this token opens
        res.append(a);
        while (!a.endsWith(closing_quote) && args.size() > 0)
        {
            a = _parseTokens(args, closing_quote);
            res.append(a);
        }
        return res.join(" ");
    }
    return a;
}

/**
 * parse command line for ssh or scp given by user in the global
 * preferences dialog. The challenge is to be able to handle situation
 * when the program is installed in directory with a whitespace in the
 * name, so we can't just split the string by a " ".
 *
 * Recognize the following constructs:
 *
 * /path/to/program/program -arg1 val1 -arg2 val2 -arg3 "value 3"
 *
 * everything before the first "-" is considered executable name
 * (possibly with full path)
 *
 * word that starts with "-" or "/" preceded by a space is an argument
 * argument may have an optional parameter
 * parameter may be quoted using double or single quotes
 *
 * Notes (review):
 *  - The program/argument split is the first match of " *-", i.e. the
 *    first '-' anywhere in cmd.  A '-' inside the program path
 *    (constructed example: "/opt/my-tools/ssh") ends the program name
 *    early.
 *  - Tokens are split on "\\s+" and quoted values are re-joined with a
 *    single " ", so runs of whitespace inside quotes are collapsed.
 *  - The output is an argv-style token list, not a shell string; how it
 *    is executed is not visible here.
 */
void parseCommandLine(const QString &cmd, QStringList &argv)
{
    int first_arg = cmd.indexOf(QRegExp(" *-"));
    if (first_arg == -1)
    {
        // no arguments
        argv.append(cmd.trimmed());
        return;
    }
    QString program = cmd.mid(0, first_arg).trimmed();
    if (!program.isEmpty()) argv.append(program);
    QStringList args = cmd.mid(first_arg).split(QRegExp("\\s+"));
                                                // QString::SkipEmptyParts);
    // splits like this:
    // ["", "-arg1", "val1", "-arg2", "\"value", "2", "\""]
    while (args.size() > 0)
    {
        QString t = _parseTokens(args);
        // remove quotes from quoted strings
        // NOTE(review): the single-quote test uses "||" while the
        // double-quote test uses "&&"; a token that only starts OR only
        // ends with ' still loses both its first and last character.
        // Presumably "&&" was intended, matching the line above.
        if ((t.startsWith('\"') && t.endsWith('\"')) ||
            (t.startsWith('\'') || t.endsWith('\'')))
        {
            t = t.mid(1, t.length()-2);
        }
        argv.append(t);
    }
}

static bool stringsCompare(const QString &a, const QString &b)
{
QString aLower = a.toLower(); QString bLower = b.toLower(); int result = aLower.localeAwareCompare(bLower); if (result == 0) { return a.localeAwareCompare(b) < 0; } else { return result < 0; } } QStringList sortStrings(const QStringList &list) { QStringList ret = list; qSort(ret.begin(), ret.end(), stringsCompare); return ret; } fwbuilder-5.3.7/src/libgui/utils.h000066400000000000000000000100261303637203600170660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __UTILS_H_ #define __UTILS_H_ #include #include #include #include #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) # include #else # include #endif class QObject; class QWidget; class QMenu; class QComboBox; class QListWidget; #include #include #include #include #include "fwbuilder/FWObject.h" #include "fwbuilder/FWReference.h" typedef std::pair QStringPair; // a predicate used to compare first string in pair // use with find_if class findFirstInQStringPair { QString str; public: findFirstInQStringPair(const QString &d) { str=d; } bool operator()(std::pair &_d) { return (str == _d.first); } }; class findSecondInQStringPair { QString str; public: findSecondInQStringPair(const QString &d) { str=d; } bool operator()(std::pair &_d) { return (str == _d.second); } }; extern QAction* addPopupMenuItem(QObject *res, QMenu* menu, //it was a Q3PopupMenu object const QString &resourceIconPath, const QString itemName, const char* member, const QKeySequence &accel = 0); extern void fillLibraries(QComboBox *libs, libfwbuilder::FWObject *obj, bool rw=false); extern void fillLibraries(QListWidget *libs, libfwbuilder::FWObject *obj, bool rw=false); /** * this is a convenience method that checks if the object tree is * read-only and shows appropriate error dialog. This method is * there so we don't have to repeat the same code in each object * class dialog. */ extern bool isTreeReadWrite(QWidget *parent, libfwbuilder::FWObject *obj); /** * this function checks if the name of the object 'obj' is a duplicate * by scanning all children objects of its parent and comparing their * names. It shows pop-up dialog letting user know if the same name * was found, and returns false. It returns true otherwise. 
*/ extern bool validateName(QWidget *parent, libfwbuilder::FWObject *obj, const QString &newname); /** * returns a copy of the string str, enclosed in quotes if it contains * whitespaces */ extern QString quoteString(const QString &str); extern QString getFileDir(const QString &file); extern void loadIcon(QPixmap &pm, libfwbuilder::FWObject *obj); extern void setDisabledPalette(QWidget *w); extern QString getAddrByName(const QString &name, int af_type); extern QString getNameByAddr(const QString &addr); extern QString wordWrap(const QString& ,int); extern void LoadPixmap(const QString &path, QPixmap &where); extern QPixmap LoadPixmap(const QString &path); extern QString calculateIconName(const QString &_icn, bool negation); extern void parseCommandLine(const QString &cmd, QStringList &argv); QStringList sortStrings(const QStringList &list); /* * @icon_size: 0 - small (16x16) , 1 - medium (25x25), 2 - big (64x64) */ extern void doSetObjectIcon(libfwbuilder::FWObject *obj, QPixmap *pm, int icon_size); #endif fwbuilder-5.3.7/src/libgui/utils_no_qt.cpp000066400000000000000000000065321303637203600206300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ //#include "../../config.h" <- TAPIR: wasn't commented #include "global.h" #include "utils_no_qt.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/FWReference.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Library.h" #include "fwbuilder/Resources.h" #include #include #include using namespace std; using namespace libfwbuilder; /** * this method finds all firewalls in the tree and makes no * assumtions about tree structure */ void findFirewalls(FWObject *o, std::list &fwlist, bool skip_system_libs) { findByObjectType(o,Firewall::TYPENAME,fwlist,skip_system_libs); } void findClusters(FWObject *o, std::list &fwlist, bool skip_system_libs) { findByObjectType(o, Cluster::TYPENAME, fwlist, skip_system_libs); } void findHosts(FWObject *o, std::list &fwlist, bool skip_system_libs) { findByObjectType(o,Host::TYPENAME,fwlist,skip_system_libs); } void findByObjectType(FWObject *o, const string &otype, list &fwlist, bool skip_system_libs) { if (skip_system_libs) { if (o->getId()==FWObjectDatabase::DELETED_OBJECTS_ID) return; if (o->getId()==FWObjectDatabase::TEMPLATE_LIB_ID) return; } for (list::iterator m=o->begin(); m!=o->end(); m++) { FWObject *o1=*m; if (FWReference::cast(o1)!=NULL) continue; if (o1->getTypeName()==otype) fwlist.push_back(o1); else findByObjectType(o1,otype,fwlist); } } /** * Find reference to object in the group and return * pointer to that reference object. If no such reference exists, * return NULL. 
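 */
FWReference* findRef(FWObject *o, FWObject *container)
{
    FWReference* ref=NULL;
    FWObject::iterator i = container->begin();
    for(; i!=container->end(); ++i)
    {
        ref = FWReference::cast(*i);
        // only a reference whose target is o counts; non-reference
        // children and references to other objects are skipped
        if (ref!=NULL && ref->getPointer() == o) { break; }
        ref=NULL;
    }
    return ref;
}

/*
 * Strip whitespace from both ends of s. Returns an empty string when s
 * is empty or consists of whitespace only. Both ends are trimmed with
 * isspace(), so leading tabs/newlines are handled the same way as
 * trailing ones (the original only skipped ' ' at the front, and called
 * substr(npos) -- std::out_of_range -- for an all-whitespace input).
 */
string strip(const string &s)
{
    if (s.empty()) return s;

    string::size_type n1 = 0;
    while (n1 < s.size() && isspace(static_cast<unsigned char>(s[n1]))) n1++;
    if (n1 == s.size()) return string();

    string::size_type n2 = s.size();
    while (n2 > n1 && isspace(static_cast<unsigned char>(s[n2-1]))) n2--;
    return s.substr(n1, n2-n1);
}

// Path of a bundled helper program: appRootDir joined with pgm_name.
string getPathToBinary(const string &pgm_name)
{
    return appRootDir + FS_SEPARATOR + pgm_name;
}
fwbuilder-5.3.7/src/libgui/utils_no_qt.h000066400000000000000000000042301303637203600202660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.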
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __UTILS_NO_QT_H_ #define __UTILS_NO_QT_H_ #include #include #include #include #include "fwbuilder/FWObject.h" #include "fwbuilder/FWReference.h" /* Utility functions that do not depend on QT */ extern void findFirewalls(libfwbuilder::FWObject *o, std::list &fwlist, bool skip_system_libs=true); extern void findClusters(libfwbuilder::FWObject *o, std::list &fwlist, bool skip_system_libs=true); extern void findHosts(libfwbuilder::FWObject *o, std::list &fwlist, bool skip_system_libs=true); extern void findByObjectType(libfwbuilder::FWObject *o, const std::string &otype, std::list &fwlist, bool skip_system_libs=true); extern libfwbuilder::FWReference* findRef(libfwbuilder::FWObject *o, libfwbuilder::FWObject *p); // helper: strip whitespaces from the beginning and end of a string extern std::string strip(const std::string &s); extern std::string getPathToBinary(const std::string &pgm_name); #endif fwbuilder-5.3.7/src/libgui/valgrind.h000066400000000000000000007056021303637203600175470ustar00rootroot00000000000000/* -*- c -*- ---------------------------------------------------------------- Notice that the following BSD-style license applies to this one file (valgrind.h) only. The rest of Valgrind is licensed under the terms of the GNU General Public License, version 2, unless otherwise indicated. See the COPYING file in the source distribution for details. ---------------------------------------------------------------- This file is part of Valgrind, a dynamic binary instrumentation framework. Copyright (C) 2000-2008 Julian Seward. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 3. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 4. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ---------------------------------------------------------------- Notice that the above BSD-style license applies to this one file (valgrind.h) only. The entire rest of Valgrind is licensed under the terms of the GNU General Public License, version 2. See the COPYING file in the source distribution for details. ---------------------------------------------------------------- */ /* This file is for inclusion into client (your!) code. You can use these macros to manipulate and query Valgrind's execution inside your own programs. 
The resulting executables will still run without Valgrind, just a little bit more slowly than they otherwise would, but otherwise unchanged. When not running on valgrind, each client request consumes very few (eg. 7) instructions, so the resulting performance loss is negligible unless you plan to execute client requests millions of times per second. Nevertheless, if that is still a problem, you can compile with the NVALGRIND symbol defined (gcc -DNVALGRIND) so that client requests are not even compiled in. */ #ifndef __VALGRIND_H #define __VALGRIND_H #include /* Nb: this file might be included in a file compiled with -ansi. So we can't use C++ style "//" comments nor the "asm" keyword (instead use "__asm__"). */ /* Derive some tags indicating what the target platform is. Note that in this file we're using the compiler's CPP symbols for identifying architectures, which are different to the ones we use within the rest of Valgrind. Note, __powerpc__ is active for both 32 and 64-bit PPC, whereas __powerpc64__ is only active for the latter (on Linux, that is). */ #undef PLAT_x86_linux #undef PLAT_amd64_linux #undef PLAT_ppc32_linux #undef PLAT_ppc64_linux #undef PLAT_ppc32_aix5 #undef PLAT_ppc64_aix5 #if !defined(_AIX) && defined(__i386__) # define PLAT_x86_linux 1 #elif !defined(_AIX) && defined(__x86_64__) # define PLAT_amd64_linux 1 #elif !defined(_AIX) && defined(__powerpc__) && !defined(__powerpc64__) # define PLAT_ppc32_linux 1 #elif !defined(_AIX) && defined(__powerpc__) && defined(__powerpc64__) # define PLAT_ppc64_linux 1 #elif defined(_AIX) && defined(__64BIT__) # define PLAT_ppc64_aix5 1 #elif defined(_AIX) && !defined(__64BIT__) # define PLAT_ppc32_aix5 1 #endif /* If we're not compiling for our target platform, don't generate any inline asms. 
*/ #if !defined(PLAT_x86_linux) && !defined(PLAT_amd64_linux) \ && !defined(PLAT_ppc32_linux) && !defined(PLAT_ppc64_linux) \ && !defined(PLAT_ppc32_aix5) && !defined(PLAT_ppc64_aix5) # if !defined(NVALGRIND) # define NVALGRIND 1 # endif #endif /* ------------------------------------------------------------------ */ /* ARCHITECTURE SPECIFICS for SPECIAL INSTRUCTIONS. There is nothing */ /* in here of use to end-users -- skip to the next section. */ /* ------------------------------------------------------------------ */ #if defined(NVALGRIND) /* Define NVALGRIND to completely remove the Valgrind magic sequence from the compiled code (analogous to NDEBUG's effects on assert()) */ #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ { \ (_zzq_rlval) = (_zzq_default); \ } #else /* ! NVALGRIND */ /* The following defines the magic code sequences which the JITter spots and handles magically. Don't look too closely at them as they will rot your brain. The assembly code sequences for all architectures is in this one file. This is because this file must be stand-alone, and we don't want to have multiple files. For VALGRIND_DO_CLIENT_REQUEST, we must ensure that the default value gets put in the return slot, so that everything works when this is executed not under Valgrind. Args are passed in a memory block, and so there's no intrinsic limit to the number that could be passed, but it's currently five. The macro args are: _zzq_rlval result lvalue _zzq_default default value (result returned when running on real CPU) _zzq_request request code _zzq_arg1..5 request params The other two macros are used to support function wrapping, and are a lot simpler. VALGRIND_GET_NR_CONTEXT returns the value of the guest's NRADDR pseudo-register and whatever other information is needed to safely run the call original from the wrapper: on ppc64-linux, the R2 value at the divert point is also needed. 
This information is abstracted into a user-visible type, OrigFn. VALGRIND_CALL_NOREDIR_* behaves the same as the following on the guest, but guarantees that the branch instruction will not be redirected: x86: call *%eax, amd64: call *%rax, ppc32/ppc64: branch-and-link-to-r11. VALGRIND_CALL_NOREDIR is just text, not a complete inline asm, since it needs to be combined with more magic inline asm stuff to be useful. */ /* ------------------------- x86-linux ------------------------- */ #if defined(PLAT_x86_linux) typedef struct { unsigned int nraddr; /* where's the code? */ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "roll $3, %%edi ; roll $13, %%edi\n\t" \ "roll $29, %%edi ; roll $19, %%edi\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ { volatile unsigned int _zzq_args[6]; \ volatile unsigned int _zzq_result; \ _zzq_args[0] = (unsigned int)(_zzq_request); \ _zzq_args[1] = (unsigned int)(_zzq_arg1); \ _zzq_args[2] = (unsigned int)(_zzq_arg2); \ _zzq_args[3] = (unsigned int)(_zzq_arg3); \ _zzq_args[4] = (unsigned int)(_zzq_arg4); \ _zzq_args[5] = (unsigned int)(_zzq_arg5); \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %EDX = client_request ( %EAX ) */ \ "xchgl %%ebx,%%ebx" \ : "=d" (_zzq_result) \ : "a" (&_zzq_args[0]), "0" (_zzq_default) \ : "cc", "memory" \ ); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ volatile unsigned int __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %EAX = guest_NRADDR */ \ "xchgl %%ecx,%%ecx" \ : "=a" (__addr) \ : \ : "cc", "memory" \ ); \ _zzq_orig->nraddr = __addr; \ } #define VALGRIND_CALL_NOREDIR_EAX \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* call-noredir *%EAX */ \ "xchgl %%edx,%%edx\n\t" #endif /* PLAT_x86_linux */ /* ------------------------ amd64-linux ------------------------ */ #if defined(PLAT_amd64_linux) typedef struct { unsigned 
long long int nraddr; /* where's the code? */ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "rolq $3, %%rdi ; rolq $13, %%rdi\n\t" \ "rolq $61, %%rdi ; rolq $51, %%rdi\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ { volatile unsigned long long int _zzq_args[6]; \ volatile unsigned long long int _zzq_result; \ _zzq_args[0] = (unsigned long long int)(_zzq_request); \ _zzq_args[1] = (unsigned long long int)(_zzq_arg1); \ _zzq_args[2] = (unsigned long long int)(_zzq_arg2); \ _zzq_args[3] = (unsigned long long int)(_zzq_arg3); \ _zzq_args[4] = (unsigned long long int)(_zzq_arg4); \ _zzq_args[5] = (unsigned long long int)(_zzq_arg5); \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %RDX = client_request ( %RAX ) */ \ "xchgq %%rbx,%%rbx" \ : "=d" (_zzq_result) \ : "a" (&_zzq_args[0]), "0" (_zzq_default) \ : "cc", "memory" \ ); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ volatile unsigned long long int __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %RAX = guest_NRADDR */ \ "xchgq %%rcx,%%rcx" \ : "=a" (__addr) \ : \ : "cc", "memory" \ ); \ _zzq_orig->nraddr = __addr; \ } #define VALGRIND_CALL_NOREDIR_RAX \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* call-noredir *%RAX */ \ "xchgq %%rdx,%%rdx\n\t" #endif /* PLAT_amd64_linux */ /* ------------------------ ppc32-linux ------------------------ */ #if defined(PLAT_ppc32_linux) typedef struct { unsigned int nraddr; /* where's the code? 
*/ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "rlwinm 0,0,3,0,0 ; rlwinm 0,0,13,0,0\n\t" \ "rlwinm 0,0,29,0,0 ; rlwinm 0,0,19,0,0\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ \ { unsigned int _zzq_args[6]; \ unsigned int _zzq_result; \ unsigned int* _zzq_ptr; \ _zzq_args[0] = (unsigned int)(_zzq_request); \ _zzq_args[1] = (unsigned int)(_zzq_arg1); \ _zzq_args[2] = (unsigned int)(_zzq_arg2); \ _zzq_args[3] = (unsigned int)(_zzq_arg3); \ _zzq_args[4] = (unsigned int)(_zzq_arg4); \ _zzq_args[5] = (unsigned int)(_zzq_arg5); \ _zzq_ptr = _zzq_args; \ __asm__ volatile("mr 3,%1\n\t" /*default*/ \ "mr 4,%2\n\t" /*ptr*/ \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = client_request ( %R4 ) */ \ "or 1,1,1\n\t" \ "mr %0,3" /*result*/ \ : "=b" (_zzq_result) \ : "b" (_zzq_default), "b" (_zzq_ptr) \ : "cc", "memory", "r3", "r4"); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ unsigned int __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR */ \ "or 2,2,2\n\t" \ "mr %0,3" \ : "=b" (__addr) \ : \ : "cc", "memory", "r3" \ ); \ _zzq_orig->nraddr = __addr; \ } #define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* branch-and-link-to-noredir *%R11 */ \ "or 3,3,3\n\t" #endif /* PLAT_ppc32_linux */ /* ------------------------ ppc64-linux ------------------------ */ #if defined(PLAT_ppc64_linux) typedef struct { unsigned long long int nraddr; /* where's the code? */ unsigned long long int r2; /* what tocptr do we need? 
*/ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "rotldi 0,0,3 ; rotldi 0,0,13\n\t" \ "rotldi 0,0,61 ; rotldi 0,0,51\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ \ { unsigned long long int _zzq_args[6]; \ register unsigned long long int _zzq_result __asm__("r3"); \ register unsigned long long int* _zzq_ptr __asm__("r4"); \ _zzq_args[0] = (unsigned long long int)(_zzq_request); \ _zzq_args[1] = (unsigned long long int)(_zzq_arg1); \ _zzq_args[2] = (unsigned long long int)(_zzq_arg2); \ _zzq_args[3] = (unsigned long long int)(_zzq_arg3); \ _zzq_args[4] = (unsigned long long int)(_zzq_arg4); \ _zzq_args[5] = (unsigned long long int)(_zzq_arg5); \ _zzq_ptr = _zzq_args; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = client_request ( %R4 ) */ \ "or 1,1,1" \ : "=r" (_zzq_result) \ : "0" (_zzq_default), "r" (_zzq_ptr) \ : "cc", "memory"); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ register unsigned long long int __addr __asm__("r3"); \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR */ \ "or 2,2,2" \ : "=r" (__addr) \ : \ : "cc", "memory" \ ); \ _zzq_orig->nraddr = __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR_GPR2 */ \ "or 4,4,4" \ : "=r" (__addr) \ : \ : "cc", "memory" \ ); \ _zzq_orig->r2 = __addr; \ } #define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* branch-and-link-to-noredir *%R11 */ \ "or 3,3,3\n\t" #endif /* PLAT_ppc64_linux */ /* ------------------------ ppc32-aix5 ------------------------- */ #if defined(PLAT_ppc32_aix5) typedef struct { unsigned int nraddr; /* where's the code? */ unsigned int r2; /* what tocptr do we need? 
*/ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "rlwinm 0,0,3,0,0 ; rlwinm 0,0,13,0,0\n\t" \ "rlwinm 0,0,29,0,0 ; rlwinm 0,0,19,0,0\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ \ { unsigned int _zzq_args[7]; \ register unsigned int _zzq_result; \ register unsigned int* _zzq_ptr; \ _zzq_args[0] = (unsigned int)(_zzq_request); \ _zzq_args[1] = (unsigned int)(_zzq_arg1); \ _zzq_args[2] = (unsigned int)(_zzq_arg2); \ _zzq_args[3] = (unsigned int)(_zzq_arg3); \ _zzq_args[4] = (unsigned int)(_zzq_arg4); \ _zzq_args[5] = (unsigned int)(_zzq_arg5); \ _zzq_args[6] = (unsigned int)(_zzq_default); \ _zzq_ptr = _zzq_args; \ __asm__ volatile("mr 4,%1\n\t" \ "lwz 3, 24(4)\n\t" \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = client_request ( %R4 ) */ \ "or 1,1,1\n\t" \ "mr %0,3" \ : "=b" (_zzq_result) \ : "b" (_zzq_ptr) \ : "r3", "r4", "cc", "memory"); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ register unsigned int __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR */ \ "or 2,2,2\n\t" \ "mr %0,3" \ : "=b" (__addr) \ : \ : "r3", "cc", "memory" \ ); \ _zzq_orig->nraddr = __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR_GPR2 */ \ "or 4,4,4\n\t" \ "mr %0,3" \ : "=b" (__addr) \ : \ : "r3", "cc", "memory" \ ); \ _zzq_orig->r2 = __addr; \ } #define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* branch-and-link-to-noredir *%R11 */ \ "or 3,3,3\n\t" #endif /* PLAT_ppc32_aix5 */ /* ------------------------ ppc64-aix5 ------------------------- */ #if defined(PLAT_ppc64_aix5) typedef struct { unsigned long long int nraddr; /* where's the code? */ unsigned long long int r2; /* what tocptr do we need? 
*/ } OrigFn; #define __SPECIAL_INSTRUCTION_PREAMBLE \ "rotldi 0,0,3 ; rotldi 0,0,13\n\t" \ "rotldi 0,0,61 ; rotldi 0,0,51\n\t" #define VALGRIND_DO_CLIENT_REQUEST( \ _zzq_rlval, _zzq_default, _zzq_request, \ _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \ \ { unsigned long long int _zzq_args[7]; \ register unsigned long long int _zzq_result; \ register unsigned long long int* _zzq_ptr; \ _zzq_args[0] = (unsigned int long long)(_zzq_request); \ _zzq_args[1] = (unsigned int long long)(_zzq_arg1); \ _zzq_args[2] = (unsigned int long long)(_zzq_arg2); \ _zzq_args[3] = (unsigned int long long)(_zzq_arg3); \ _zzq_args[4] = (unsigned int long long)(_zzq_arg4); \ _zzq_args[5] = (unsigned int long long)(_zzq_arg5); \ _zzq_args[6] = (unsigned int long long)(_zzq_default); \ _zzq_ptr = _zzq_args; \ __asm__ volatile("mr 4,%1\n\t" \ "ld 3, 48(4)\n\t" \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = client_request ( %R4 ) */ \ "or 1,1,1\n\t" \ "mr %0,3" \ : "=b" (_zzq_result) \ : "b" (_zzq_ptr) \ : "r3", "r4", "cc", "memory"); \ _zzq_rlval = _zzq_result; \ } #define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \ { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \ register unsigned long long int __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR */ \ "or 2,2,2\n\t" \ "mr %0,3" \ : "=b" (__addr) \ : \ : "r3", "cc", "memory" \ ); \ _zzq_orig->nraddr = __addr; \ __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \ /* %R3 = guest_NRADDR_GPR2 */ \ "or 4,4,4\n\t" \ "mr %0,3" \ : "=b" (__addr) \ : \ : "r3", "cc", "memory" \ ); \ _zzq_orig->r2 = __addr; \ } #define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ __SPECIAL_INSTRUCTION_PREAMBLE \ /* branch-and-link-to-noredir *%R11 */ \ "or 3,3,3\n\t" #endif /* PLAT_ppc64_aix5 */ /* Insert assembly code for other platforms here... */ #endif /* NVALGRIND */ /* ------------------------------------------------------------------ */ /* PLATFORM SPECIFICS for FUNCTION WRAPPING. This is all very */ /* ugly. 
It's the least-worst tradeoff I can think of. */ /* ------------------------------------------------------------------ */ /* This section defines magic (a.k.a appalling-hack) macros for doing guaranteed-no-redirection macros, so as to get from function wrappers to the functions they are wrapping. The whole point is to construct standard call sequences, but to do the call itself with a special no-redirect call pseudo-instruction that the JIT understands and handles specially. This section is long and repetitious, and I can't see a way to make it shorter. The naming scheme is as follows: CALL_FN_{W,v}_{v,W,WW,WWW,WWWW,5W,6W,7W,etc} 'W' stands for "word" and 'v' for "void". Hence there are different macros for calling arity 0, 1, 2, 3, 4, etc, functions, and for each, the possibility of returning a word-typed result, or no result. */ /* Use these to write the name of your wrapper. NOTE: duplicates VG_WRAP_FUNCTION_Z{U,Z} in pub_tool_redir.h. */ #define I_WRAP_SONAME_FNNAME_ZU(soname,fnname) \ _vgwZU_##soname##_##fnname #define I_WRAP_SONAME_FNNAME_ZZ(soname,fnname) \ _vgwZZ_##soname##_##fnname /* Use this macro from within a wrapper function to collect the context (address and possibly other info) of the original function. Once you have that you can then use it in one of the CALL_FN_ macros. The type of the argument _lval is OrigFn. */ #define VALGRIND_GET_ORIG_FN(_lval) VALGRIND_GET_NR_CONTEXT(_lval) /* Derivatives of the main macros below, for calling functions returning void. 
*/ #define CALL_FN_v_v(fnptr) \ do { volatile unsigned long _junk; \ CALL_FN_W_v(_junk,fnptr); } while (0) #define CALL_FN_v_W(fnptr, arg1) \ do { volatile unsigned long _junk; \ CALL_FN_W_W(_junk,fnptr,arg1); } while (0) #define CALL_FN_v_WW(fnptr, arg1,arg2) \ do { volatile unsigned long _junk; \ CALL_FN_W_WW(_junk,fnptr,arg1,arg2); } while (0) #define CALL_FN_v_WWW(fnptr, arg1,arg2,arg3) \ do { volatile unsigned long _junk; \ CALL_FN_W_WWW(_junk,fnptr,arg1,arg2,arg3); } while (0) /* ------------------------- x86-linux ------------------------- */ #if defined(PLAT_x86_linux) /* These regs are trashed by the hidden call. No need to mention eax as gcc can already see that, plus causes gcc to bomb. */ #define __CALLER_SAVED_REGS /*"eax"*/ "ecx", "edx" /* These CALL_FN_ macros assume that on x86-linux, sizeof(unsigned long) == 4. */ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[1]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[2]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ __asm__ volatile( \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $4, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; 
\ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ __asm__ volatile( \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $8, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[4]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ __asm__ volatile( \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $12, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[5]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ __asm__ volatile( \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $16, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[6]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ 
_argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ __asm__ volatile( \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $20, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[7]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ __asm__ volatile( \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $24, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[8]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ __asm__ volatile( \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ 
"pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $28, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[9]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ __asm__ volatile( \ "pushl 32(%%eax)\n\t" \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $32, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[10]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ __asm__ volatile( \ "pushl 36(%%eax)\n\t" \ "pushl 
32(%%eax)\n\t" \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $36, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[11]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ __asm__ volatile( \ "pushl 40(%%eax)\n\t" \ "pushl 36(%%eax)\n\t" \ "pushl 32(%%eax)\n\t" \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $40, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5, \ arg6,arg7,arg8,arg9,arg10, \ arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[12]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned 
long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ _argvec[11] = (unsigned long)(arg11); \ __asm__ volatile( \ "pushl 44(%%eax)\n\t" \ "pushl 40(%%eax)\n\t" \ "pushl 36(%%eax)\n\t" \ "pushl 32(%%eax)\n\t" \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $44, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5, \ arg6,arg7,arg8,arg9,arg10, \ arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[13]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ _argvec[11] = (unsigned long)(arg11); \ _argvec[12] = (unsigned long)(arg12); \ __asm__ volatile( \ "pushl 48(%%eax)\n\t" \ "pushl 44(%%eax)\n\t" \ "pushl 40(%%eax)\n\t" \ "pushl 36(%%eax)\n\t" \ "pushl 32(%%eax)\n\t" \ "pushl 28(%%eax)\n\t" \ "pushl 24(%%eax)\n\t" \ "pushl 20(%%eax)\n\t" \ "pushl 16(%%eax)\n\t" \ "pushl 12(%%eax)\n\t" \ "pushl 8(%%eax)\n\t" \ "pushl 4(%%eax)\n\t" \ "movl (%%eax), %%eax\n\t" /* target->%eax */ \ VALGRIND_CALL_NOREDIR_EAX \ "addl $48, %%esp\n" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", 
__CALLER_SAVED_REGS                                        \
      );                                                      \
      lval = (__typeof__(lval)) _res;                         \
   } while (0)

#endif /* PLAT_x86_linux */

/* ------------------------ amd64-linux ------------------------ */

#if defined(PLAT_amd64_linux)

/* ARGREGS: rdi rsi rdx rcx r8 r9 (the rest on stack in R-to-L order) */

/* These regs are trashed by the hidden call. */
#define __CALLER_SAVED_REGS /*"rax",*/ "rcx", "rdx", "rsi",       \
                            "rdi", "r8", "r9", "r10", "r11"

/* These CALL_FN_ macros assume that on amd64-linux, sizeof(unsigned
   long) == 8. */

/* NB 9 Sept 07. There is a nasty kludge here in all these CALL_FN_
   macros. In order not to trash the stack redzone, we need to drop
   %rsp by 128 before the hidden call, and restore afterwards. The
   nastiness is that it is only by luck that the stack still appears
   to be unwindable during the hidden call - since then the behaviour
   of any routine using this macro does not match what the CFI data
   says. Sigh.

   Why is this important? Imagine that a wrapper has a stack
   allocated local, and passes to the hidden call, a pointer to it.
   Because gcc does not know about the hidden call, it may allocate
   that local in the redzone. Unfortunately the hidden call may then
   trash it before it comes to use it. So we must step clear of the
   redzone, for the duration of the hidden call, to make it safe.

   Probably the same problem afflicts the other redzone-style ABIs too
   (ppc64-linux, ppc32-aix5, ppc64-aix5); but for those, the stack is
   self describing (none of this CFI nonsense) so at least messing
   with the stack pointer doesn't give a danger of non-unwindable
   stack.

   Invariant for every amd64 CALL_FN_ macro below: the "subq $128,%rsp"
   comes before the argument loads and VALGRIND_CALL_NOREDIR_RAX, and
   the matching "addq $128,%rsp" comes only after VALGRIND_CALL_NOREDIR_RAX
   (after any "addq $N,%rsp" that pops stack-passed arguments). Restoring
   %rsp before the call would place the callee's frame back on top of
   this frame's red zone, which is exactly what the subq is meant to
   prevent.
*/ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[1]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[2]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[4]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ 
__asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[5]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[6]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; 
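\
   } while (0)

/* Six word-sized arguments: all go in registers (rdi rsi rdx rcx r8 r9),
   nothing is pushed on the stack, so no post-call argument pop is needed.
   Fix: the red-zone restore ("addq $128,%rsp") must follow
   VALGRIND_CALL_NOREDIR_RAX, as in every sibling macro and as the NB
   comment on the redzone kludge requires; previously it was emitted
   before the call, so the callee's frame could overwrite this frame's
   red-zone locals during the hidden call. */
#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6)  \
   do {                                                           \
      volatile OrigFn        _orig = (orig);                      \
      volatile unsigned long _argvec[7];                          \
      volatile unsigned long _res;                                \
      _argvec[0] = (unsigned long)_orig.nraddr;                   \
      _argvec[1] = (unsigned long)(arg1);                         \
      _argvec[2] = (unsigned long)(arg2);                         \
      _argvec[3] = (unsigned long)(arg3);                         \
      _argvec[4] = (unsigned long)(arg4);                         \
      _argvec[5] = (unsigned long)(arg5);                         \
      _argvec[6] = (unsigned long)(arg6);                         \
      __asm__ volatile(                                           \
         "subq $128,%%rsp\n\t"   /* step clear of the red zone */  \
         "movq 48(%%rax), %%r9\n\t"                               \
         "movq 40(%%rax), %%r8\n\t"                               \
         "movq 32(%%rax), %%rcx\n\t"                              \
         "movq 24(%%rax), %%rdx\n\t"                              \
         "movq 16(%%rax), %%rsi\n\t"                              \
         "movq 8(%%rax), %%rdi\n\t"                               \
         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
         VALGRIND_CALL_NOREDIR_RAX                                \
         "addq $128,%%rsp\n\t"   /* restore only after the call */ \
         : /*out*/   "=a" (_res)                                  \
         : /*in*/    "a" (&_argvec[0])                            \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
      );                                                          \
      lval = (__typeof__(lval)) _res;                             \
   } while (0)

/* Seven word-sized arguments: six in registers, arg7 pushed on the
   stack (inside the 128-byte displacement) and popped with
   "addq $8" before the red zone is restored. */
#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
                                 arg7)                            \
   do {                                                           \
      volatile OrigFn        _orig = (orig);                      \
      volatile unsigned long _argvec[8];                          \
      volatile unsigned long _res;                                \
      _argvec[0] = (unsigned long)_orig.nraddr;                   \
      _argvec[1] = (unsigned long)(arg1);                         \
      _argvec[2] = (unsigned long)(arg2);                         \
      _argvec[3] = (unsigned long)(arg3);                         \
      _argvec[4] = (unsigned long)(arg4);                         \
      _argvec[5] = (unsigned long)(arg5);                         \
      _argvec[6] = (unsigned long)(arg6);                         \
      _argvec[7] = (unsigned long)(arg7);                         \
      __asm__ volatile(                                           \
         "subq $128,%%rsp\n\t"                                    \
         "pushq 56(%%rax)\n\t"                                    \
         "movq 48(%%rax), %%r9\n\t"                               \
         "movq 40(%%rax), %%r8\n\t"                               \
         "movq 32(%%rax), %%rcx\n\t"                              \
         "movq 24(%%rax), %%rdx\n\t"                              \
         "movq 16(%%rax), %%rsi\n\t"                              \
         "movq 8(%%rax), %%rdi\n\t"                               \
         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
         VALGRIND_CALL_NOREDIR_RAX                                \
         "addq $8, %%rsp\n"                                       \
         "addq $128,%%rsp\n\t"                                    \
         : /*out*/   "=a" (_res)                                  \
         : /*in*/    "a" (&_argvec[0])                            \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
      );                                                          \
      lval = (__typeof__(lval)) _res;                             \
   } while (0)

#define CALL_FN_W_8W(lval, orig, \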
arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[9]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 64(%%rax)\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $16, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[10]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 72(%%rax)\n\t" \ "pushq 64(%%rax)\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ 
"addq $24, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[11]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 80(%%rax)\n\t" \ "pushq 72(%%rax)\n\t" \ "pushq 64(%%rax)\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $32, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[12]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned 
long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ _argvec[11] = (unsigned long)(arg11); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 88(%%rax)\n\t" \ "pushq 80(%%rax)\n\t" \ "pushq 72(%%rax)\n\t" \ "pushq 64(%%rax)\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $40, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[13]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)(arg1); \ _argvec[2] = (unsigned long)(arg2); \ _argvec[3] = (unsigned long)(arg3); \ _argvec[4] = (unsigned long)(arg4); \ _argvec[5] = (unsigned long)(arg5); \ _argvec[6] = (unsigned long)(arg6); \ _argvec[7] = (unsigned long)(arg7); \ _argvec[8] = (unsigned long)(arg8); \ _argvec[9] = (unsigned long)(arg9); \ _argvec[10] = (unsigned long)(arg10); \ _argvec[11] = (unsigned long)(arg11); \ _argvec[12] = (unsigned long)(arg12); \ __asm__ volatile( \ "subq $128,%%rsp\n\t" \ "pushq 96(%%rax)\n\t" \ "pushq 88(%%rax)\n\t" \ "pushq 80(%%rax)\n\t" \ "pushq 72(%%rax)\n\t" \ "pushq 64(%%rax)\n\t" \ "pushq 56(%%rax)\n\t" \ "movq 48(%%rax), %%r9\n\t" \ "movq 40(%%rax), %%r8\n\t" \ "movq 32(%%rax), %%rcx\n\t" \ "movq 24(%%rax), %%rdx\n\t" \ "movq 16(%%rax), %%rsi\n\t" \ "movq 8(%%rax), %%rdi\n\t" \ "movq (%%rax), %%rax\n\t" /* target->%rax */ \ VALGRIND_CALL_NOREDIR_RAX \ "addq $48, %%rsp\n" \ "addq $128,%%rsp\n\t" \ : /*out*/ "=a" (_res) \ : /*in*/ "a" (&_argvec[0]) \ : /*trash*/ "cc", "memory", 
__CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #endif /* PLAT_amd64_linux */ /* ------------------------ ppc32-linux ------------------------ */ #if defined(PLAT_ppc32_linux) /* This is useful for finding out about the on-stack stuff: extern int f9 ( int,int,int,int,int,int,int,int,int ); extern int f10 ( int,int,int,int,int,int,int,int,int,int ); extern int f11 ( int,int,int,int,int,int,int,int,int,int,int ); extern int f12 ( int,int,int,int,int,int,int,int,int,int,int,int ); int g9 ( void ) { return f9(11,22,33,44,55,66,77,88,99); } int g10 ( void ) { return f10(11,22,33,44,55,66,77,88,99,110); } int g11 ( void ) { return f11(11,22,33,44,55,66,77,88,99,110,121); } int g12 ( void ) { return f12(11,22,33,44,55,66,77,88,99,110,121,132); } */ /* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */ /* These regs are trashed by the hidden call. */ #define __CALLER_SAVED_REGS \ "lr", "ctr", "xer", \ "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \ "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \ "r11", "r12", "r13" /* These CALL_FN_ macros assume that on ppc32-linux, sizeof(unsigned long) == 4. 
*/ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[1]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[2]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[4]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" 
/* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[5]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[6]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long 
_argvec[7]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[8]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[9]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = 
(unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ _argvec[8] = (unsigned long)arg8; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 10,32(11)\n\t" /* arg8->r10 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[10]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ _argvec[8] = (unsigned long)arg8; \ _argvec[9] = (unsigned long)arg9; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "addi 1,1,-16\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,8(1)\n\t" \ /* args1-8 */ \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 10,32(11)\n\t" /* arg8->r10 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "addi 1,1,16\n\t" \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); 
\ volatile unsigned long _argvec[11]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ _argvec[8] = (unsigned long)arg8; \ _argvec[9] = (unsigned long)arg9; \ _argvec[10] = (unsigned long)arg10; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "addi 1,1,-16\n\t" \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,12(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,8(1)\n\t" \ /* args1-8 */ \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 10,32(11)\n\t" /* arg8->r10 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "addi 1,1,16\n\t" \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[12]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ _argvec[8] = (unsigned long)arg8; \ _argvec[9] = (unsigned long)arg9; \ _argvec[10] = (unsigned long)arg10; \ _argvec[11] = (unsigned long)arg11; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "addi 1,1,-32\n\t" \ /* arg11 */ \ "lwz 3,44(11)\n\t" \ "stw 3,16(1)\n\t" \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,12(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 
3,8(1)\n\t" \ /* args1-8 */ \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 10,32(11)\n\t" /* arg8->r10 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "addi 1,1,32\n\t" \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[13]; \ volatile unsigned long _res; \ _argvec[0] = (unsigned long)_orig.nraddr; \ _argvec[1] = (unsigned long)arg1; \ _argvec[2] = (unsigned long)arg2; \ _argvec[3] = (unsigned long)arg3; \ _argvec[4] = (unsigned long)arg4; \ _argvec[5] = (unsigned long)arg5; \ _argvec[6] = (unsigned long)arg6; \ _argvec[7] = (unsigned long)arg7; \ _argvec[8] = (unsigned long)arg8; \ _argvec[9] = (unsigned long)arg9; \ _argvec[10] = (unsigned long)arg10; \ _argvec[11] = (unsigned long)arg11; \ _argvec[12] = (unsigned long)arg12; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "addi 1,1,-32\n\t" \ /* arg12 */ \ "lwz 3,48(11)\n\t" \ "stw 3,20(1)\n\t" \ /* arg11 */ \ "lwz 3,44(11)\n\t" \ "stw 3,16(1)\n\t" \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,12(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,8(1)\n\t" \ /* args1-8 */ \ "lwz 3,4(11)\n\t" /* arg1->r3 */ \ "lwz 4,8(11)\n\t" \ "lwz 5,12(11)\n\t" \ "lwz 6,16(11)\n\t" /* arg4->r6 */ \ "lwz 7,20(11)\n\t" \ "lwz 8,24(11)\n\t" \ "lwz 9,28(11)\n\t" \ "lwz 10,32(11)\n\t" /* arg8->r10 */ \ "lwz 11,0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "addi 1,1,32\n\t" \ "mr %0,3" \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[0]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #endif /* 
PLAT_ppc32_linux */ /* ------------------------ ppc64-linux ------------------------ */ #if defined(PLAT_ppc64_linux) /* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */ /* These regs are trashed by the hidden call. */ #define __CALLER_SAVED_REGS \ "lr", "ctr", "xer", \ "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \ "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \ "r11", "r12", "r13" /* These CALL_FN_ macros assume that on ppc64-linux, sizeof(unsigned long) == 8. */ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+0]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+1]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; 
\ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+2]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+3]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+4]; \ volatile unsigned long _res; 
\ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+5]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_6W(lval, 
orig, arg1,arg2,arg3,arg4,arg5,arg6) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+6]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+7]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* 
arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+8]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)" /* restore tocptr */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+9]; \ volatile unsigned long _res; \ /* _argvec[0] holds current 
r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "addi 1,1,-128\n\t" /* expand stack frame */ \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ "addi 1,1,128" /* restore frame */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+10]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned 
long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "addi 1,1,-128\n\t" /* expand stack frame */ \ /* arg10 */ \ "ld 3,80(11)\n\t" \ "std 3,120(1)\n\t" \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ "addi 1,1,128" /* restore frame */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+11]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ _argvec[2+11] = (unsigned long)arg11; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "addi 1,1,-144\n\t" /* expand stack frame */ \ /* arg11 */ \ "ld 3,88(11)\n\t" \ "std 3,128(1)\n\t" \ /* arg10 */ \ "ld 
3,80(11)\n\t" \ "std 3,120(1)\n\t" \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ "addi 1,1,144" /* restore frame */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+12]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ _argvec[2+11] = (unsigned long)arg11; \ _argvec[2+12] = (unsigned long)arg12; \ __asm__ volatile( \ "mr 11,%1\n\t" \ "std 2,-16(11)\n\t" /* save tocptr */ \ "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \ "addi 1,1,-144\n\t" /* expand stack frame */ \ /* arg12 */ \ "ld 3,96(11)\n\t" \ "std 3,136(1)\n\t" \ /* arg11 */ \ "ld 3,88(11)\n\t" \ "std 3,128(1)\n\t" \ /* arg10 */ \ "ld 3,80(11)\n\t" \ "std 3,120(1)\n\t" \ /* arg9 */ \ "ld 3,72(11)\n\t" \ "std 3,112(1)\n\t" \ /* args1-8 */ \ "ld 3, 8(11)\n\t" /* arg1->r3 */ \ "ld 
4, 16(11)\n\t" /* arg2->r4 */ \ "ld 5, 24(11)\n\t" /* arg3->r5 */ \ "ld 6, 32(11)\n\t" /* arg4->r6 */ \ "ld 7, 40(11)\n\t" /* arg5->r7 */ \ "ld 8, 48(11)\n\t" /* arg6->r8 */ \ "ld 9, 56(11)\n\t" /* arg7->r9 */ \ "ld 10, 64(11)\n\t" /* arg8->r10 */ \ "ld 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "ld 2,-16(11)\n\t" /* restore tocptr */ \ "addi 1,1,144" /* restore frame */ \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #endif /* PLAT_ppc64_linux */ /* ------------------------ ppc32-aix5 ------------------------- */ #if defined(PLAT_ppc32_aix5) /* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */ /* These regs are trashed by the hidden call. */ #define __CALLER_SAVED_REGS \ "lr", "ctr", "xer", \ "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \ "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \ "r11", "r12", "r13" /* Expand the stack frame, copying enough info that unwinding still works. Trashes r3. */ #define VG_EXPAND_FRAME_BY_trashes_r3(_n_fr) \ "addi 1,1,-" #_n_fr "\n\t" \ "lwz 3," #_n_fr "(1)\n\t" \ "stw 3,0(1)\n\t" #define VG_CONTRACT_FRAME_BY(_n_fr) \ "addi 1,1," #_n_fr "\n\t" /* These CALL_FN_ macros assume that on ppc32-aix5, sizeof(unsigned long) == 4. 
*/ #define CALL_FN_W_v(lval, orig) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+0]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_W(lval, orig, arg1) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+1]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WW(lval, orig, arg1,arg2) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+2]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned 
long)arg2; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+3]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+4]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] 
= (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+5]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \ do { \ volatile OrigFn _orig = (orig); \ 
volatile unsigned long _argvec[3+6]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+7]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* 
arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+8]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 10, 32(11)\n\t" /* arg8->r10 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ 
arg7,arg8,arg9) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+9]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(64) \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,56(1)\n\t" \ /* args1-8 */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 10, 32(11)\n\t" /* arg8->r10 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(64) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+10]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ 
_argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(64) \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,60(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,56(1)\n\t" \ /* args1-8 */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 10, 32(11)\n\t" /* arg8->r10 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(64) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+11]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ _argvec[2+11] = 
(unsigned long)arg11; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(72) \ /* arg11 */ \ "lwz 3,44(11)\n\t" \ "stw 3,64(1)\n\t" \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,60(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,56(1)\n\t" \ /* args1-8 */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 10, 32(11)\n\t" /* arg8->r10 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(72) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \ arg7,arg8,arg9,arg10,arg11,arg12) \ do { \ volatile OrigFn _orig = (orig); \ volatile unsigned long _argvec[3+12]; \ volatile unsigned long _res; \ /* _argvec[0] holds current r2 across the call */ \ _argvec[1] = (unsigned long)_orig.r2; \ _argvec[2] = (unsigned long)_orig.nraddr; \ _argvec[2+1] = (unsigned long)arg1; \ _argvec[2+2] = (unsigned long)arg2; \ _argvec[2+3] = (unsigned long)arg3; \ _argvec[2+4] = (unsigned long)arg4; \ _argvec[2+5] = (unsigned long)arg5; \ _argvec[2+6] = (unsigned long)arg6; \ _argvec[2+7] = (unsigned long)arg7; \ _argvec[2+8] = (unsigned long)arg8; \ _argvec[2+9] = (unsigned long)arg9; \ _argvec[2+10] = (unsigned long)arg10; \ _argvec[2+11] = (unsigned long)arg11; \ _argvec[2+12] = (unsigned long)arg12; \ __asm__ volatile( \ "mr 11,%1\n\t" \ VG_EXPAND_FRAME_BY_trashes_r3(512) \ "stw 2,-8(11)\n\t" /* save tocptr */ \ "lwz 
2,-4(11)\n\t" /* use nraddr's tocptr */ \ VG_EXPAND_FRAME_BY_trashes_r3(72) \ /* arg12 */ \ "lwz 3,48(11)\n\t" \ "stw 3,68(1)\n\t" \ /* arg11 */ \ "lwz 3,44(11)\n\t" \ "stw 3,64(1)\n\t" \ /* arg10 */ \ "lwz 3,40(11)\n\t" \ "stw 3,60(1)\n\t" \ /* arg9 */ \ "lwz 3,36(11)\n\t" \ "stw 3,56(1)\n\t" \ /* args1-8 */ \ "lwz 3, 4(11)\n\t" /* arg1->r3 */ \ "lwz 4, 8(11)\n\t" /* arg2->r4 */ \ "lwz 5, 12(11)\n\t" /* arg3->r5 */ \ "lwz 6, 16(11)\n\t" /* arg4->r6 */ \ "lwz 7, 20(11)\n\t" /* arg5->r7 */ \ "lwz 8, 24(11)\n\t" /* arg6->r8 */ \ "lwz 9, 28(11)\n\t" /* arg7->r9 */ \ "lwz 10, 32(11)\n\t" /* arg8->r10 */ \ "lwz 11, 0(11)\n\t" /* target->r11 */ \ VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \ "mr 11,%1\n\t" \ "mr %0,3\n\t" \ "lwz 2,-8(11)\n\t" /* restore tocptr */ \ VG_CONTRACT_FRAME_BY(72) \ VG_CONTRACT_FRAME_BY(512) \ : /*out*/ "=r" (_res) \ : /*in*/ "r" (&_argvec[2]) \ : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \ ); \ lval = (__typeof__(lval)) _res; \ } while (0) #endif /* PLAT_ppc32_aix5 */ /* ------------------------ ppc64-aix5 ------------------------- */ #if defined(PLAT_ppc64_aix5) /* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */ /* These regs are trashed by the hidden call. */ #define __CALLER_SAVED_REGS \ "lr", "ctr", "xer", \ "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \ "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \ "r11", "r12", "r13" /* Expand the stack frame, copying enough info that unwinding still works. Trashes r3. */ #define VG_EXPAND_FRAME_BY_trashes_r3(_n_fr) \ "addi 1,1,-" #_n_fr "\n\t" \ "ld 3," #_n_fr "(1)\n\t" \ "std 3,0(1)\n\t" #define VG_CONTRACT_FRAME_BY(_n_fr) \ "addi 1,1," #_n_fr "\n\t" /* These CALL_FN_ macros assume that on ppc64-aix5, sizeof(unsigned long) == 8. 
*/

/* Hand-rolled call sequence shared by the ppc64-aix5 wrapper macros below.
   Layout of the argument vector, as the macros fill it in:
     _argvec[1]   : caller's r2 (TOC pointer), written back after the call
     _argvec[2]   : nraddr of the target function; its TOC pointer is read
                    from -8(11) and the saved one stored at -16(11)
     _argvec[2+i] : argument i, an 8-byte slot at offset 8*i from r11
   Each macro grows the frame by 512 bytes, loads up to eight arguments into
   r3..r10, branches through r11, copies the r3 result into _res, restores
   r2 and contracts the frame.  The 9W..12W variants additionally spill the
   extra arguments onto the stack (see their comments). */

/* No arguments: only the TOC bookkeeping and the target load remain. */
#define CALL_FN_W_v(lval, orig) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+0]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* One argument, passed in r3. */
#define CALL_FN_W_W(lval, orig, arg1) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+1]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Two arguments, r3 and r4. */
#define CALL_FN_W_WW(lval, orig, arg1,arg2) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+2]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Three arguments, r3..r5. */
#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+3]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      _argvec[2+3] = (unsigned long)arg3; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 5, 24(11)\n\t" /* arg3->r5 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Four arguments, r3..r6. */
#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+4]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      _argvec[2+3] = (unsigned long)arg3; \
      _argvec[2+4] = (unsigned long)arg4; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 5, 24(11)\n\t" /* arg3->r5 */ \
         "ld 6, 32(11)\n\t" /* arg4->r6 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Five arguments, r3..r7. */
#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+5]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      _argvec[2+3] = (unsigned long)arg3; \
      _argvec[2+4] = (unsigned long)arg4; \
      _argvec[2+5] = (unsigned long)arg5; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 5, 24(11)\n\t" /* arg3->r5 */ \
         "ld 6, 32(11)\n\t" /* arg4->r6 */ \
         "ld 7, 40(11)\n\t" /* arg5->r7 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Six arguments, r3..r8. */
#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+6]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      _argvec[2+3] = (unsigned long)arg3; \
      _argvec[2+4] = (unsigned long)arg4; \
      _argvec[2+5] = (unsigned long)arg5; \
      _argvec[2+6] = (unsigned long)arg6; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 5, 24(11)\n\t" /* arg3->r5 */ \
         "ld 6, 32(11)\n\t" /* arg4->r6 */ \
         "ld 7, 40(11)\n\t" /* arg5->r7 */ \
         "ld 8, 48(11)\n\t" /* arg6->r8 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Seven arguments, r3..r9. */
#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
                     arg7) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+7]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      _argvec[2+3] = (unsigned long)arg3; \
      _argvec[2+4] = (unsigned long)arg4; \
      _argvec[2+5] = (unsigned long)arg5; \
      _argvec[2+6] = (unsigned long)arg6; \
      _argvec[2+7] = (unsigned long)arg7; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 5, 24(11)\n\t" /* arg3->r5 */ \
         "ld 6, 32(11)\n\t" /* arg4->r6 */ \
         "ld 7, 40(11)\n\t" /* arg5->r7 */ \
         "ld 8, 48(11)\n\t" /* arg6->r8 */ \
         "ld 9, 56(11)\n\t" /* arg7->r9 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Eight arguments: the last one that fits in a register (r10). */
#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
                     arg7,arg8) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+8]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      _argvec[2+3] = (unsigned long)arg3; \
      _argvec[2+4] = (unsigned long)arg4; \
      _argvec[2+5] = (unsigned long)arg5; \
      _argvec[2+6] = (unsigned long)arg6; \
      _argvec[2+7] = (unsigned long)arg7; \
      _argvec[2+8] = (unsigned long)arg8; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 5, 24(11)\n\t" /* arg3->r5 */ \
         "ld 6, 32(11)\n\t" /* arg4->r6 */ \
         "ld 7, 40(11)\n\t" /* arg5->r7 */ \
         "ld 8, 48(11)\n\t" /* arg6->r8 */ \
         "ld 9, 56(11)\n\t" /* arg7->r9 */ \
         "ld 10, 64(11)\n\t" /* arg8->r10 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Nine arguments: a second frame expansion (128 bytes) makes room for the
   stack argument, which is copied via r3 to 112(1) BEFORE arg1 is loaded
   into r3 (the expansion helper itself trashes r3). */
#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
                     arg7,arg8,arg9) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+9]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      _argvec[2+3] = (unsigned long)arg3; \
      _argvec[2+4] = (unsigned long)arg4; \
      _argvec[2+5] = (unsigned long)arg5; \
      _argvec[2+6] = (unsigned long)arg6; \
      _argvec[2+7] = (unsigned long)arg7; \
      _argvec[2+8] = (unsigned long)arg8; \
      _argvec[2+9] = (unsigned long)arg9; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         VG_EXPAND_FRAME_BY_trashes_r3(128) \
         /* arg9 */ \
         "ld 3,72(11)\n\t" \
         "std 3,112(1)\n\t" \
         /* args1-8 */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 5, 24(11)\n\t" /* arg3->r5 */ \
         "ld 6, 32(11)\n\t" /* arg4->r6 */ \
         "ld 7, 40(11)\n\t" /* arg5->r7 */ \
         "ld 8, 48(11)\n\t" /* arg6->r8 */ \
         "ld 9, 56(11)\n\t" /* arg7->r9 */ \
         "ld 10, 64(11)\n\t" /* arg8->r10 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(128) \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Ten arguments: arg9 and arg10 go to 112(1) and 120(1) within the same
   128-byte expansion. */
#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
                      arg7,arg8,arg9,arg10) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+10]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      _argvec[2+3] = (unsigned long)arg3; \
      _argvec[2+4] = (unsigned long)arg4; \
      _argvec[2+5] = (unsigned long)arg5; \
      _argvec[2+6] = (unsigned long)arg6; \
      _argvec[2+7] = (unsigned long)arg7; \
      _argvec[2+8] = (unsigned long)arg8; \
      _argvec[2+9] = (unsigned long)arg9; \
      _argvec[2+10] = (unsigned long)arg10; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         VG_EXPAND_FRAME_BY_trashes_r3(128) \
         /* arg10 */ \
         "ld 3,80(11)\n\t" \
         "std 3,120(1)\n\t" \
         /* arg9 */ \
         "ld 3,72(11)\n\t" \
         "std 3,112(1)\n\t" \
         /* args1-8 */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 5, 24(11)\n\t" /* arg3->r5 */ \
         "ld 6, 32(11)\n\t" /* arg4->r6 */ \
         "ld 7, 40(11)\n\t" /* arg5->r7 */ \
         "ld 8, 48(11)\n\t" /* arg6->r8 */ \
         "ld 9, 56(11)\n\t" /* arg7->r9 */ \
         "ld 10, 64(11)\n\t" /* arg8->r10 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(128) \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Eleven arguments: the expansion grows to 144 bytes; arg11 lands at 128(1). */
#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
                      arg7,arg8,arg9,arg10,arg11) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+11]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      _argvec[2+3] = (unsigned long)arg3; \
      _argvec[2+4] = (unsigned long)arg4; \
      _argvec[2+5] = (unsigned long)arg5; \
      _argvec[2+6] = (unsigned long)arg6; \
      _argvec[2+7] = (unsigned long)arg7; \
      _argvec[2+8] = (unsigned long)arg8; \
      _argvec[2+9] = (unsigned long)arg9; \
      _argvec[2+10] = (unsigned long)arg10; \
      _argvec[2+11] = (unsigned long)arg11; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         VG_EXPAND_FRAME_BY_trashes_r3(144) \
         /* arg11 */ \
         "ld 3,88(11)\n\t" \
         "std 3,128(1)\n\t" \
         /* arg10 */ \
         "ld 3,80(11)\n\t" \
         "std 3,120(1)\n\t" \
         /* arg9 */ \
         "ld 3,72(11)\n\t" \
         "std 3,112(1)\n\t" \
         /* args1-8 */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 5, 24(11)\n\t" /* arg3->r5 */ \
         "ld 6, 32(11)\n\t" /* arg4->r6 */ \
         "ld 7, 40(11)\n\t" /* arg5->r7 */ \
         "ld 8, 48(11)\n\t" /* arg6->r8 */ \
         "ld 9, 56(11)\n\t" /* arg7->r9 */ \
         "ld 10, 64(11)\n\t" /* arg8->r10 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(144) \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

/* Twelve arguments: same 144-byte expansion, arg12 stored at 136(1). */
#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
                      arg7,arg8,arg9,arg10,arg11,arg12) \
   do { \
      volatile OrigFn _orig = (orig); \
      volatile unsigned long _argvec[3+12]; \
      volatile unsigned long _res; \
      /* _argvec[0] holds current r2 across the call */ \
      _argvec[1] = (unsigned long)_orig.r2; \
      _argvec[2] = (unsigned long)_orig.nraddr; \
      _argvec[2+1] = (unsigned long)arg1; \
      _argvec[2+2] = (unsigned long)arg2; \
      _argvec[2+3] = (unsigned long)arg3; \
      _argvec[2+4] = (unsigned long)arg4; \
      _argvec[2+5] = (unsigned long)arg5; \
      _argvec[2+6] = (unsigned long)arg6; \
      _argvec[2+7] = (unsigned long)arg7; \
      _argvec[2+8] = (unsigned long)arg8; \
      _argvec[2+9] = (unsigned long)arg9; \
      _argvec[2+10] = (unsigned long)arg10; \
      _argvec[2+11] = (unsigned long)arg11; \
      _argvec[2+12] = (unsigned long)arg12; \
      __asm__ volatile( \
         "mr 11,%1\n\t" \
         VG_EXPAND_FRAME_BY_trashes_r3(512) \
         "std 2,-16(11)\n\t" /* save tocptr */ \
         "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
         VG_EXPAND_FRAME_BY_trashes_r3(144) \
         /* arg12 */ \
         "ld 3,96(11)\n\t" \
         "std 3,136(1)\n\t" \
         /* arg11 */ \
         "ld 3,88(11)\n\t" \
         "std 3,128(1)\n\t" \
         /* arg10 */ \
         "ld 3,80(11)\n\t" \
         "std 3,120(1)\n\t" \
         /* arg9 */ \
         "ld 3,72(11)\n\t" \
         "std 3,112(1)\n\t" \
         /* args1-8 */ \
         "ld 3, 8(11)\n\t" /* arg1->r3 */ \
         "ld 4, 16(11)\n\t" /* arg2->r4 */ \
         "ld 5, 24(11)\n\t" /* arg3->r5 */ \
         "ld 6, 32(11)\n\t" /* arg4->r6 */ \
         "ld 7, 40(11)\n\t" /* arg5->r7 */ \
         "ld 8, 48(11)\n\t" /* arg6->r8 */ \
         "ld 9, 56(11)\n\t" /* arg7->r9 */ \
         "ld 10, 64(11)\n\t" /* arg8->r10 */ \
         "ld 11, 0(11)\n\t" /* target->r11 */ \
         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
         "mr 11,%1\n\t" \
         "mr %0,3\n\t" \
         "ld 2,-16(11)\n\t" /* restore tocptr */ \
         VG_CONTRACT_FRAME_BY(144) \
         VG_CONTRACT_FRAME_BY(512) \
         : /*out*/ "=r" (_res) \
         : /*in*/ "r" (&_argvec[2]) \
         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
      ); \
      lval = (__typeof__(lval)) _res; \
   } while (0)

#endif /* PLAT_ppc64_aix5 */


/* ------------------------------------------------------------------ */
/* ARCHITECTURE INDEPENDENT MACROS for CLIENT REQUESTS.               */
/*                                                                    */
/* ------------------------------------------------------------------ */

/* Some request codes.  There are many more of these, but most are not
   exposed to end-user view.  These are the public ones, all of the
   form 0x1000 + small_number.

   Core ones are in the range 0x00000000--0x0000ffff.  The non-public
   ones start at 0x2000.
*/

/* These macros are used by tools -- they must be public, but don't
   embed them into other programs.  A tool's requests are tagged with a
   two-character code packed into the top 16 bits of the request word;
   VG_IS_TOOL_USERREQ masks off the low 16 bits and compares the tag. */
#define VG_USERREQ_TOOL_BASE(a,b) \
   ((unsigned int)(((a)&0xff) << 24 | ((b)&0xff) << 16))
#define VG_IS_TOOL_USERREQ(a, b, v) \
   (VG_USERREQ_TOOL_BASE(a,b) == ((v) & 0xffff0000))

/* !! ABIWARNING !! ABIWARNING !! ABIWARNING !! ABIWARNING !!
   This enum comprises an ABI exported by Valgrind to programs
   which use client requests.  DO NOT CHANGE THE ORDER OF THESE
   ENTRIES, NOR DELETE ANY -- add new ones at the end.
*/ typedef enum { VG_USERREQ__RUNNING_ON_VALGRIND = 0x1001, VG_USERREQ__DISCARD_TRANSLATIONS = 0x1002, /* These allow any function to be called from the simulated CPU but run on the real CPU. Nb: the first arg passed to the function is always the ThreadId of the running thread! So CLIENT_CALL0 actually requires a 1 arg function, etc. */ VG_USERREQ__CLIENT_CALL0 = 0x1101, VG_USERREQ__CLIENT_CALL1 = 0x1102, VG_USERREQ__CLIENT_CALL2 = 0x1103, VG_USERREQ__CLIENT_CALL3 = 0x1104, /* Can be useful in regression testing suites -- eg. can send Valgrind's output to /dev/null and still count errors. */ VG_USERREQ__COUNT_ERRORS = 0x1201, /* These are useful and can be interpreted by any tool that tracks malloc() et al, by using vg_replace_malloc.c. */ VG_USERREQ__MALLOCLIKE_BLOCK = 0x1301, VG_USERREQ__FREELIKE_BLOCK = 0x1302, /* Memory pool support. */ VG_USERREQ__CREATE_MEMPOOL = 0x1303, VG_USERREQ__DESTROY_MEMPOOL = 0x1304, VG_USERREQ__MEMPOOL_ALLOC = 0x1305, VG_USERREQ__MEMPOOL_FREE = 0x1306, VG_USERREQ__MEMPOOL_TRIM = 0x1307, VG_USERREQ__MOVE_MEMPOOL = 0x1308, VG_USERREQ__MEMPOOL_CHANGE = 0x1309, VG_USERREQ__MEMPOOL_EXISTS = 0x130a, /* Allow printfs to valgrind log. */ VG_USERREQ__PRINTF = 0x1401, VG_USERREQ__PRINTF_BACKTRACE = 0x1402, /* Stack support. */ VG_USERREQ__STACK_REGISTER = 0x1501, VG_USERREQ__STACK_DEREGISTER = 0x1502, VG_USERREQ__STACK_CHANGE = 0x1503 } Vg_ClientRequest; #if !defined(__GNUC__) # define __extension__ /* */ #endif /* Returns the number of Valgrinds this code is running under. That is, 0 if running natively, 1 if running under Valgrind, 2 if running under Valgrind which is running under another Valgrind, etc. */ #define RUNNING_ON_VALGRIND __extension__ \ ({unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0 /* if not */, \ VG_USERREQ__RUNNING_ON_VALGRIND, \ 0, 0, 0, 0, 0); \ _qzz_res; \ }) /* Discard translation of code in the range [_qzz_addr .. _qzz_addr + _qzz_len - 1]. 
Useful if you are debugging a JITter or some such, since it provides a way to make sure valgrind will retranslate the invalidated area. Returns no value. */ #define VALGRIND_DISCARD_TRANSLATIONS(_qzz_addr,_qzz_len) \ {unsigned int _qzz_res; \ VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \ VG_USERREQ__DISCARD_TRANSLATIONS, \ _qzz_addr, _qzz_len, 0, 0, 0); \ } /* These requests are for getting Valgrind itself to print something. Possibly with a backtrace. This is a really ugly hack. */ #if defined(NVALGRIND) # define VALGRIND_PRINTF(...) # define VALGRIND_PRINTF_BACKTRACE(...) #else /* NVALGRIND */ /* Modern GCC will optimize the static routine out if unused, and unused attribute will shut down warnings about it. */ static int VALGRIND_PRINTF(const char *format, ...) __attribute__((format(__printf__, 1, 2), __unused__)); static int VALGRIND_PRINTF(const char *format, ...) { unsigned long _qzz_res; va_list vargs; va_start(vargs, format); VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, VG_USERREQ__PRINTF, (unsigned long)format, (unsigned long)vargs, 0, 0, 0); va_end(vargs); return (int)_qzz_res; } static int VALGRIND_PRINTF_BACKTRACE(const char *format, ...) __attribute__((format(__printf__, 1, 2), __unused__)); static int VALGRIND_PRINTF_BACKTRACE(const char *format, ...) { unsigned long _qzz_res; va_list vargs; va_start(vargs, format); VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, VG_USERREQ__PRINTF_BACKTRACE, (unsigned long)format, (unsigned long)vargs, 0, 0, 0); va_end(vargs); return (int)_qzz_res; } #endif /* NVALGRIND */ /* These requests allow control to move from the simulated CPU to the real CPU, calling an arbitary function. Note that the current ThreadId is inserted as the first argument. So this call: VALGRIND_NON_SIMD_CALL2(f, arg1, arg2) requires f to have this signature: Word f(Word tid, Word arg1, Word arg2) where "Word" is a word-sized type. Note that these client requests are not entirely reliable. 
For example, if you call a function with them that subsequently calls
   printf(), there's a high chance Valgrind will crash.  Generally, your
   prospects of these working are made higher if the called function does
   not refer to any global variables, and does not refer to any libc or
   other functions (printf et al).  Any kind of entanglement with libc or
   dynamic linking is likely to have a bad outcome, for tricky reasons
   which we've grappled with a lot in the past.

   All four variants evaluate to the called function's word result, or
   to the default 0 when not running under Valgrind; unused argument
   slots are passed as 0. */
#define VALGRIND_NON_SIMD_CALL0(_qyy_fn)                          \
   __extension__                                                  \
   ({unsigned long _qyy_res;                                      \
    VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */,  \
                               VG_USERREQ__CLIENT_CALL0,          \
                               _qyy_fn,                           \
                               0, 0, 0, 0);                       \
    _qyy_res;                                                     \
   })

#define VALGRIND_NON_SIMD_CALL1(_qyy_fn, _qyy_arg1)               \
   __extension__                                                  \
   ({unsigned long _qyy_res;                                      \
    VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */,  \
                               VG_USERREQ__CLIENT_CALL1,          \
                               _qyy_fn,                           \
                               _qyy_arg1, 0, 0, 0);               \
    _qyy_res;                                                     \
   })

#define VALGRIND_NON_SIMD_CALL2(_qyy_fn, _qyy_arg1, _qyy_arg2)    \
   __extension__                                                  \
   ({unsigned long _qyy_res;                                      \
    VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */,  \
                               VG_USERREQ__CLIENT_CALL2,          \
                               _qyy_fn,                           \
                               _qyy_arg1, _qyy_arg2, 0, 0);       \
    _qyy_res;                                                     \
   })

#define VALGRIND_NON_SIMD_CALL3(_qyy_fn, _qyy_arg1, _qyy_arg2, _qyy_arg3) \
   __extension__                                                  \
   ({unsigned long _qyy_res;                                      \
    VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */,  \
                               VG_USERREQ__CLIENT_CALL3,          \
                               _qyy_fn,                           \
                               _qyy_arg1, _qyy_arg2,              \
                               _qyy_arg3, 0);                     \
    _qyy_res;                                                     \
   })


/* Counts the number of errors that have been recorded by a tool.  Nb:
   the tool must record the errors with VG_(maybe_record_error)() or
   VG_(unique_error)() for them to be counted.  Evaluates to 0 when
   not running under Valgrind. */
#define VALGRIND_COUNT_ERRORS                                     \
   __extension__                                                  \
   ({unsigned int _qyy_res;                                       \
    VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */,  \
                               VG_USERREQ__COUNT_ERRORS,          \
                               0, 0, 0, 0, 0);                    \
    _qyy_res;                                                     \
   })

/* Mark a block of memory as having been allocated by a malloc()-like
   function.  `addr' is the start of the usable block (ie. after any
   redzone) `rzB' is redzone size if the allocator can apply redzones;
   use '0' if not.  Adding redzones makes it more likely Valgrind will spot
   block overruns.  `is_zeroed' indicates if the memory is zeroed, as it is
   for calloc().  Put it immediately after the point where a block is
   allocated.

   If you're using Memcheck: If you're allocating memory via superblocks,
   and then handing out small chunks of each superblock, if you don't have
   redzones on your small blocks, it's worth marking the superblock with
   VALGRIND_MAKE_MEM_NOACCESS when it's created, so that block overruns are
   detected.  But if you can put redzones on, it's probably better to not do
   this, so that messages for small overruns are described in terms of the
   small block rather than the superblock (but if you have a big overrun
   that skips over a redzone, you could miss an error this way).  See
   memcheck/tests/custom_alloc.c for an example.

   WARNING: if your allocator uses malloc() or 'new' to allocate
   superblocks, rather than mmap() or brk(), this will not work properly --
   you'll likely get assertion failures during leak detection.  This is
   because Valgrind doesn't like seeing overlapping heap blocks.  Sorry.

   Nb: block must be freed via a free()-like function specified
   with VALGRIND_FREELIKE_BLOCK or mismatch errors will occur.

   Note: the block-marking macros from here down to VALGRIND_MEMPOOL_CHANGE
   are plain brace blocks, not statement expressions; a `;' written after
   one of them is a separate empty statement (matters inside if/else). */
#define VALGRIND_MALLOCLIKE_BLOCK(addr, sizeB, rzB, is_zeroed)    \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__MALLOCLIKE_BLOCK,      \
                               addr, sizeB, rzB, is_zeroed, 0);   \
   }

/* Mark a block of memory as having been freed by a free()-like function.
   `rzB' is redzone size;  it must match that given to
   VALGRIND_MALLOCLIKE_BLOCK.  Memory not freed will be detected by the leak
   checker.  Put it immediately after the point where the block is freed. */
#define VALGRIND_FREELIKE_BLOCK(addr, rzB)                        \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__FREELIKE_BLOCK,        \
                               addr, rzB, 0, 0, 0);               \
   }

/* Create a memory pool identified by `pool', with the given redzone
   size and zeroed-ness, mirroring VALGRIND_MALLOCLIKE_BLOCK. */
#define VALGRIND_CREATE_MEMPOOL(pool, rzB, is_zeroed)             \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__CREATE_MEMPOOL,        \
                               pool, rzB, is_zeroed, 0, 0);       \
   }

/* Destroy a memory pool. */
#define VALGRIND_DESTROY_MEMPOOL(pool)                            \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__DESTROY_MEMPOOL,       \
                               pool, 0, 0, 0, 0);                 \
   }

/* Associate a piece of memory with a memory pool. */
#define VALGRIND_MEMPOOL_ALLOC(pool, addr, size)                  \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__MEMPOOL_ALLOC,         \
                               pool, addr, size, 0, 0);           \
   }

/* Disassociate a piece of memory from a memory pool. */
#define VALGRIND_MEMPOOL_FREE(pool, addr)                         \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__MEMPOOL_FREE,          \
                               pool, addr, 0, 0, 0);              \
   }

/* Disassociate any pieces outside a particular range. */
#define VALGRIND_MEMPOOL_TRIM(pool, addr, size)                   \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__MEMPOOL_TRIM,          \
                               pool, addr, size, 0, 0);           \
   }

/* Move a memory pool: the request takes only the two pool handles
   (poolA, poolB); presumably poolA is re-registered as poolB -- confirm
   against the tool before relying on the direction. */
#define VALGRIND_MOVE_MEMPOOL(poolA, poolB)                       \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__MOVE_MEMPOOL,          \
                               poolA, poolB, 0, 0, 0);            \
   }

/* Resize and/or move a piece associated with a memory pool. */
#define VALGRIND_MEMPOOL_CHANGE(pool, addrA, addrB, size)         \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__MEMPOOL_CHANGE,        \
                               pool, addrA, addrB, size, 0);      \
   }

/* Return 1 if a mempool exists, else 0 (also 0 when not under Valgrind). */
#define VALGRIND_MEMPOOL_EXISTS(pool)                             \
   ({unsigned int _qzz_res;                                       \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__MEMPOOL_EXISTS,        \
                               pool, 0, 0, 0, 0);                 \
    _qzz_res;                                                     \
   })

/* Mark a piece of memory as being a stack. Returns a stack id (0 when
   not running under Valgrind). */
#define VALGRIND_STACK_REGISTER(start, end)                       \
   ({unsigned int _qzz_res;                                       \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__STACK_REGISTER,        \
                               start, end, 0, 0, 0);              \
    _qzz_res;                                                     \
   })

/* Unmark the piece of memory associated with a stack id as being a
   stack. */
#define VALGRIND_STACK_DEREGISTER(id)                             \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__STACK_DEREGISTER,      \
                               id, 0, 0, 0, 0);                   \
   }

/* Change the start and end address of the stack id. */
#define VALGRIND_STACK_CHANGE(id, start, end)                     \
   {unsigned int _qzz_res;                                        \
    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
                               VG_USERREQ__STACK_CHANGE,          \
                               id, start, end, 0, 0);             \
   }


/* The PLAT_* selectors are private to this header; drop them so they
   do not leak into the including translation unit. */
#undef PLAT_x86_linux
#undef PLAT_amd64_linux
#undef PLAT_ppc32_linux
#undef PLAT_ppc64_linux
#undef PLAT_ppc32_aix5
#undef PLAT_ppc64_aix5

#endif   /* __VALGRIND_H */
fwbuilder-5.3.7/src/libgui/vlanOnlyIfaceOptsDialog.cpp000066400000000000000000000114351303637203600230060ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
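To get a copy of the GNU General Public License, write to the
  Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
  02111-1307 USA

*/

#include "vlanOnlyIfaceOptsDialog.h"
#include "platforms.h"
#include "FWCmdChange.h"

#include "fwbuilder/Interface.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Firewall.h"

#include "FWWindow.h"
#include "Help.h"

// NOTE(review): the two angle-bracket includes were lost when this file
// was extracted; restored from what the code below uses (std::auto_ptr,
// QMessageBox, assert).
#include <memory>
#include <cassert>
#include <QMessageBox>

using namespace std;
using namespace libfwbuilder;

/*
 * Options dialog for an interface whose only editable settings are its
 * device type and VLAN ID.  The object passed in must be an Interface;
 * edits are applied through FWCmdChange so they land on the project's
 * undo stack.
 */
vlanOnlyIfaceOptsDialog::vlanOnlyIfaceOptsDialog(QWidget *parent, FWObject *o) :
    QDialog(parent)
{
    m_dialog = new Ui::vlanOnlyIfaceOptsDialog_q;
    m_dialog->setupUi(this);
    setWindowModality(Qt::WindowModal);

    obj = o;

    // Interface::cast() yields NULL for any other object type, which the
    // previous code dereferenced without checking.
    Interface *iface = Interface::cast(obj);
    assert(iface != NULL);
    FWOptions *ifopt = iface->getOptionsObject();
    assert(ifopt != NULL);

    // An interface whose parent is a Cluster has a fixed type (set in
    // accept()), so the type selector is hidden for it.
    cluster_interface = (Cluster::cast(obj->getParent()) != NULL);

    setInterfaceTypes(m_dialog->iface_type, iface, ifopt->getStr("type").c_str());

    // Using "type" control only for subinterfaces
    // and main interfaces of the firewall objects
    if (cluster_interface)
    {
        m_dialog->iface_type->hide();
        m_dialog->iface_type_label->hide();
    }
    else
    {
        m_dialog->iface_type->show();
        m_dialog->iface_type_label->show();
    }

    m_dialog->vlan_id->setValue(ifopt->getInt("vlan_id"));

    // Apply the type-specific widget state (VLAN ID is editable only
    // for the 8021q type).
    typeChanged("");
}

vlanOnlyIfaceOptsDialog::~vlanOnlyIfaceOptsDialog()
{
    delete m_dialog;
}

/*
 * Store all data in the object.  The edit is recorded as an FWCmdChange
 * and pushed on the undo stack only when the new state differs from the
 * old one; otherwise the command is discarded.
 */
void vlanOnlyIfaceOptsDialog::accept()
{
    // validate user input before saving
    if (!validate()) return;

    ProjectPanel *project = mw->activeProject();
    // TODO(review): std::auto_ptr is deprecated; switch to std::unique_ptr
    // once the build requires C++11.
    std::auto_ptr<FWCmdChange> cmd(new FWCmdChange(project, obj));

    // new_state is a copy of the interface object
    FWObject* new_state = cmd->getNewState();
    FWOptions* ifopt = Interface::cast(new_state)->getOptionsObject();
    assert(ifopt != NULL);

    if (cluster_interface)
    {
        ifopt->setStr("type", "cluster_interface");
    }
    else
    {
        QString new_type = m_dialog->iface_type->itemData(
            m_dialog->iface_type->currentIndex()).toString();
        ifopt->setStr("type", new_type.toStdString());
    }

    ifopt->setInt("vlan_id", m_dialog->vlan_id->value());

    // Only a real change goes on the undo stack; the smart pointer
    // deletes the unused command otherwise.
    if (!cmd->getOldState()->cmp(new_state, true))
        project->undoStack->push(cmd.release());

    QDialog::accept();
}

void vlanOnlyIfaceOptsDialog::reject()
{
    QDialog::reject();
}

/*
 * Open the help window on the section for the current tab.  The tab title
 * becomes the HTML anchor: '/' and ' ' are turned into '-' and the result
 * is lower-cased.
 */
void vlanOnlyIfaceOptsDialog::help()
{
    QString tab_title = m_dialog->tabWidget->tabText(
        m_dialog->tabWidget->currentIndex());
    // QString::replace() edits in place, so tab_title itself is modified.
    QString anchor = tab_title.replace('/', '-').replace(' ', '-').toLower();
    Help *h = Help::getHelpWindow(this);
    h->setName("Interface Properties");
    h->setSource(QUrl("vlanOnlyIfaceOptsDialog.html#" + anchor));
    h->raise();
    h->show();
}

/*
 * Slot for changes of the type selector: the VLAN ID spin box and its
 * label are enabled only for the 8021q (VLAN) type.  The argument is
 * unused; the current type is read back from the combo box's item data.
 */
void vlanOnlyIfaceOptsDialog::typeChanged(const QString&)
{
    QString new_type = m_dialog->iface_type->itemData(
        m_dialog->iface_type->currentIndex()).toString();

    // enable VLAN ID line edit for type VLAN
    bool enable_vlan = (new_type == "8021q");
    m_dialog->vlan_id->setEnabled(enable_vlan);
    m_dialog->vlan_label->setEnabled(enable_vlan);
}

/*
 * Validate user input for the selected interface type.
 *
 * Returns true when the dialog may be accepted.  A failing check is
 * expected to set `valid' to false, fill `message' and point `focus' at
 * the offending widget; the warning box then reports the message.
 *
 * Currently every type passes: the VRRP attributes are edited in
 * vrrpOptionsDialog and the VLAN ID range is left to the spin box.
 */
bool vlanOnlyIfaceOptsDialog::validate()
{
    bool valid = true;
    QString type = m_dialog->iface_type->itemData(
        m_dialog->iface_type->currentIndex()).toString();
    QWidget *focus = NULL;
    QString message;

    if (type == "vrrp")
    {
        // Both vrrp_secret and vrrp_id attributes moved to vrrpOptionsDialog
        ;
    }

    if (type == "8021q")
    {
        // VLAN ID must be set between 1 <= vid <= 4'094
        // QSpinBox widget enforces these limits
        // NOTE(review): the .ui file appears to set the spin box maximum
        // to 4095 with no minimum, so the 1..4094 range may not actually
        // be enforced -- confirm against the form.
        ;
    }

    if (!valid)
    {
        QMessageBox::warning(
            this, "Firewall Builder",
            tr("Input not valid: %1").arg(message),
            "&Continue", QString(), QString(), 0, 1);
        // A check may flag an error without naming a widget; do not
        // dereference a NULL focus pointer in that case.
        if (focus != NULL) focus->setFocus();
    }

    return valid;
}
fwbuilder-5.3.7/src/libgui/vlanOnlyIfaceOptsDialog.h000066400000000000000000000031621303637203600224510ustar00rootroot00000000000000/*

                          Firewall Builder

                 Copyright (C) 2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License.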
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __VLANONLYIFACEOPTSDIALOG_H_ #define __VLANONLYIFACEOPTSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class vlanOnlyIfaceOptsDialog : public QDialog { Q_OBJECT public: vlanOnlyIfaceOptsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~vlanOnlyIfaceOptsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::vlanOnlyIfaceOptsDialog_q *m_dialog; bool cluster_interface; /** validate user input for different interface types */ bool validate(); protected slots: virtual void accept(); virtual void reject(); virtual void help(); void typeChanged(const QString &new_type); }; #endif // __VLANONLYIFACEOPTSDIALOG_H_ fwbuilder-5.3.7/src/libgui/vlanonlyifaceoptsdialog_q.ui000066400000000000000000000143561303637203600233660ustar00rootroot00000000000000 vlanOnlyIfaceOptsDialog_q 0 0 310 268 Vlan interface settings Help Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 Options :/Icons/Options:/Icons/Options Qt::Vertical QSizePolicy::Fixed 20 16 Qt::RightToLeft Device Type true Qt::RightToLeft VLAN ID 4095 Qt::Horizontal 92 20 Qt::Vertical 20 40 buttonOk buttonCancel tabWidget buttonOk clicked() vlanOnlyIfaceOptsDialog_q accept() 316 472 20 20 buttonCancel clicked() vlanOnlyIfaceOptsDialog_q reject() 397 472 20 20 buttonHelp clicked() vlanOnlyIfaceOptsDialog_q help() 68 464 231 245 iface_type 
currentIndexChanged(QString) vlanOnlyIfaceOptsDialog_q typeChanged(QString) 287 196 286 261 typeChanged(QString) fwbuilder-5.3.7/src/libgui/vrrpOptionsDialog.cpp000066400000000000000000000060161303637203600217520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "global.h" #include "vrrpOptionsDialog.h" #include "FWWindow.h" #include "FWCmdChange.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Firewall.h" #include #include using namespace std; using namespace libfwbuilder; vrrpOptionsDialog::vrrpOptionsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::vrrpOptionsDialog_q; m_dialog->setupUi(this); obj = o; FWOptions *gropt = FWOptions::cast(obj); assert(gropt != NULL); data.registerOption(m_dialog->vrrp_secret, gropt, "vrrp_secret"); data.registerOption(m_dialog->vrrp_vrid, gropt, "vrrp_vrid"); data.registerOption(m_dialog->vrrp_over_ipsec_ah, gropt, "vrrp_over_ipsec_ah"); data.loadAll(); } vrrpOptionsDialog::~vrrpOptionsDialog() { delete m_dialog; } /* * store all data in the object */ void vrrpOptionsDialog::accept() { if (!validate()) return; // the parent of this dialog is InterfaceDialog, not 
ProjectPanel ProjectPanel *project = mw->activeProject(); std::auto_ptr cmd( new FWCmdChangeOptionsObject(project, obj)); FWObject* new_state = cmd->getNewState(); data.saveAll(new_state); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); } void vrrpOptionsDialog::reject() { QDialog::reject(); } bool vrrpOptionsDialog::validate() { bool valid = true; QWidget *focus = NULL; QString message; // vrrp secret must be set if (m_dialog->vrrp_secret->text().isEmpty()) { message = "VRRP Secret field can not be empty!"; focus = m_dialog->vrrp_secret; valid = false; } if (!valid) { QMessageBox::warning(this, "Firewall Builder", tr("Input not valid: %1").arg(message), "&Continue", QString::null, QString::null, 0, 1); focus->setFocus(); } return valid; } fwbuilder-5.3.7/src/libgui/vrrpOptionsDialog.h000066400000000000000000000026361303637203600214230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __VRRPOPTIONSDIALOG_H_ #define __VRRPOPTIONSDIALOG_H_ #include #include "DialogData.h" #include namespace libfwbuilder { class FWObject; }; class vrrpOptionsDialog : public QDialog { Q_OBJECT public: vrrpOptionsDialog(QWidget *parent, libfwbuilder::FWObject *o); ~vrrpOptionsDialog(); private: libfwbuilder::FWObject *obj; DialogData data; Ui::vrrpOptionsDialog_q *m_dialog; bool validate(); protected slots: virtual void accept(); virtual void reject(); }; #endif // __VRRPOPTIONSDIALOG_H_ fwbuilder-5.3.7/src/libgui/vrrpoptionsdialog_q.ui000066400000000000000000000127521303637203600222310ustar00rootroot00000000000000 vrrpOptionsDialog_q 0 0 369 259 secunet wall: interface settings Qt::Horizontal QSizePolicy::Expanding 151 27 &OK true true &Cancel true QTabWidget::Rounded 0 VRRP Parameters :/Icons/Options:/Icons/Options Use IPsec AH protected VRRP true Qt::RightToLeft VRRP Secret true true Virtual Router ID Qt::RightToLeft VRID 1 255 Qt::Horizontal 140 20 Qt::Vertical 20 40 buttonOk buttonCancel tabWidget buttonOk clicked() vrrpOptionsDialog_q accept() 316 472 20 20 buttonCancel clicked() vrrpOptionsDialog_q reject() 397 472 20 20 fwbuilder-5.3.7/src/nxosacl/000077500000000000000000000000001303637203600157525ustar00rootroot00000000000000fwbuilder-5.3.7/src/nxosacl/nxosacl.cpp000066400000000000000000000112551303637203600201310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #ifdef _WIN32 # include #else # include #endif #include #include #include #include #include #include #include #include "CompilerDriver_nxosacl.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Tools.h" #include "fwbuilder/Constants.h" #include #include #include #include "../common/init.cpp" using namespace std; using namespace libfwbuilder; using namespace fwcompiler; FWObjectDatabase *objdb = NULL; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string &msg) const { msg.size(); // to make compiler happy about unused parameter cout << "Data file has been created in the old version of Firewall Builder.\nLoad it in the GUI to convert it to the new version." 
<< endl; return false; } }; void usage(const char *name) { cout << "Firewall Builder: policy compiler for Cisco NX-OS ACL" << endl; cout << "Copyright 2007-2009 NetCitadel, LLC" << endl; cout << "Version " << VERSION << endl; cout << "Usage: " << name << " [-tvV] [-f filename.xml] [-d destdir] [-o output.fw] firewall_object_name" << endl; } int main(int argc, char **argv) { QCoreApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); #endif QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); QStringList args = app.arguments(); if (args.size()<=1) { usage(argv[0]); exit(1); } QString last_arg; string filename; for (int idx=0; idx < args.size(); idx++) { QString arg = args.at(idx); last_arg = arg; if (arg == "-V") { usage(argv[0]); exit(0); } if (arg == "-f") { idx++; filename = string(args.at(idx).toLatin1().constData()); continue; } } if (filename.empty()) { usage(argv[0]); exit(1); } init(argv); try { new Resources(Constants::getResourcesFilePath()); /* create database */ objdb = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; cout << " *** Loading data ..."; objdb->setReadOnly( false ); objdb->load( filename, &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(filename); objdb->reIndex(); cout << " done\n"; FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID); if (slib && slib->isReadOnly()) slib->setReadOnly(false); CompilerDriver_nxosacl *driver = new CompilerDriver_nxosacl(objdb); if (!driver->prepare(args)) { usage(argv[0]); exit(1); } driver->compile(); //int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 
0 : 1; int ret = driver->getStatus(); delete driver; delete objdb; return ret; } catch(libfwbuilder::FWException &ex) { cerr << ex.toString() << endl; return 1; } catch (std::string s) { cerr << s << endl; return 1; } catch (std::exception ex) { cerr << "exception: " << ex.what() << endl; return 1; } catch (...) { cerr << "Unsupported exception"; return 1; } return 0; } fwbuilder-5.3.7/src/nxosacl/nxosacl.pro000066400000000000000000000016151303637203600201460ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) QT -= gui # # # PACKAGE = fwbuilder-nxosacl-$$FWB_VERSION # # QMAKE_CXXFLAGS_DEBUG += -DPACKAGE="\"$$PACKAGE\"" # QMAKE_CXXFLAGS_RELEASE += -DPACKAGE="\"$$PACKAGE\"" greaterThan(QT_MAJOR_VERSION, 4): QT += widgets SOURCES = nxosacl.cpp HEADERS = ../../config.h !win32 { QMAKE_COPY = ../../install.sh -m 0755 -s } win32:CONFIG += console INCLUDEPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \ LIBS += $$PRE_TARGETDEPS $$LIBS TARGET = fwb_nxosacl fwbuilder-5.3.7/src/parsers/000077500000000000000000000000001303637203600157625ustar00rootroot00000000000000fwbuilder-5.3.7/src/parsers/IOSCfgLexer.cpp000066400000000000000000001267701303637203600205550ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20090306): "iosacl.g" -> "IOSCfgLexer.cpp"$ */ #line 43 "iosacl.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "IOSCfgLexer.cpp" #include "IOSCfgLexer.hpp" #include #include #include #include #include #include #include #line 49 "iosacl.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #line 25 "IOSCfgLexer.cpp" 
#line 1 "iosacl.g" #line 27 "IOSCfgLexer.cpp" IOSCfgLexer::IOSCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in) : ANTLR_USE_NAMESPACE(antlr)CharScanner(new ANTLR_USE_NAMESPACE(antlr)CharBuffer(in),true) { initLiterals(); } IOSCfgLexer::IOSCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib) : ANTLR_USE_NAMESPACE(antlr)CharScanner(ib,true) { initLiterals(); } IOSCfgLexer::IOSCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)CharScanner(state,true) { initLiterals(); } void IOSCfgLexer::initLiterals() { literals["host"] = 9; literals["log"] = 30; literals["access-list"] = 17; literals["interface"] = 37; literals["remark"] = 40; literals["certificate"] = 12; literals["exit"] = 45; literals["udp"] = 22; literals["point-to-point"] = 38; literals["tcp"] = 8; literals["controller"] = 36; literals["eq"] = 23; literals["ip"] = 5; literals["access-group"] = 42; literals["time-range"] = 34; literals["version"] = 13; literals["community-list"] = 10; literals["icmp"] = 7; literals["description"] = 39; literals["secondary"] = 44; literals["lt"] = 25; literals["range"] = 27; literals["log-input"] = 31; literals["standard"] = 47; literals["gt"] = 24; literals["permit"] = 20; literals["extended"] = 19; literals["address"] = 43; literals["established"] = 32; literals["neq"] = 26; literals["quit"] = 6; literals["vlan"] = 35; literals["any"] = 29; literals["deny"] = 21; literals["shutdown"] = 41; literals["hostname"] = 15; literals["fragments"] = 33; } ANTLR_USE_NAMESPACE(antlr)RefToken IOSCfgLexer::nextToken() { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; for (;;) { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; int _ttype = ANTLR_USE_NAMESPACE(antlr)Token::INVALID_TYPE; resetText(); try { // for lexical and char stream error handling switch ( LA(1)) { case 0x21 /* '!' 
*/ : { mLINE_COMMENT(true); theRetToken=_returnToken; break; } case 0xa /* '\n' */ : case 0xd /* '\r' */ : { mNEWLINE(true); theRetToken=_returnToken; break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { mNUMBER(true); theRetToken=_returnToken; break; } case 0x2e /* '.' */ : { mDOT(true); theRetToken=_returnToken; break; } case 0x24 /* '$' */ : case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { mWORD(true); theRetToken=_returnToken; break; } case 0x22 /* '\"' */ : { mSTRING(true); theRetToken=_returnToken; break; } case 0x7c /* '|' */ : { mPIPE_CHAR(true); theRetToken=_returnToken; break; } case 0x23 /* '#' */ : { mNUMBER_SIGN(true); theRetToken=_returnToken; break; } case 0x25 /* '%' */ : { mPERCENT(true); 
theRetToken=_returnToken; break; } case 0x26 /* '&' */ : { mAMPERSAND(true); theRetToken=_returnToken; break; } case 0x27 /* '\'' */ : { mAPOSTROPHE(true); theRetToken=_returnToken; break; } case 0x28 /* '(' */ : { mOPENING_PAREN(true); theRetToken=_returnToken; break; } case 0x29 /* ')' */ : { mCLOSING_PAREN(true); theRetToken=_returnToken; break; } case 0x2a /* '*' */ : { mSTAR(true); theRetToken=_returnToken; break; } case 0x2b /* '+' */ : { mPLUS(true); theRetToken=_returnToken; break; } case 0x2c /* ',' */ : { mCOMMA(true); theRetToken=_returnToken; break; } case 0x2d /* '-' */ : { mMINUS(true); theRetToken=_returnToken; break; } case 0x2f /* '/' */ : { mSLASH(true); theRetToken=_returnToken; break; } case 0x3a /* ':' */ : { mCOLON(true); theRetToken=_returnToken; break; } case 0x3b /* ';' */ : { mSEMICOLON(true); theRetToken=_returnToken; break; } case 0x3c /* '<' */ : { mLESS_THAN(true); theRetToken=_returnToken; break; } case 0x3d /* '=' */ : { mEQUALS(true); theRetToken=_returnToken; break; } case 0x3e /* '>' */ : { mGREATER_THAN(true); theRetToken=_returnToken; break; } case 0x3f /* '?' 
*/ : { mQUESTION(true); theRetToken=_returnToken; break; } case 0x40 /* '@' */ : { mCOMMERCIAL_AT(true); theRetToken=_returnToken; break; } case 0x5b /* '[' */ : { mOPENING_SQUARE(true); theRetToken=_returnToken; break; } case 0x5d /* ']' */ : { mCLOSING_SQUARE(true); theRetToken=_returnToken; break; } case 0x5e /* '^' */ : { mCARET(true); theRetToken=_returnToken; break; } case 0x5f /* '_' */ : { mUNDERLINE(true); theRetToken=_returnToken; break; } case 0x7b /* '{' */ : { mOPENING_BRACE(true); theRetToken=_returnToken; break; } case 0x7d /* '}' */ : { mCLOSING_BRACE(true); theRetToken=_returnToken; break; } case 0x7e /* '~' */ : { mTILDE(true); theRetToken=_returnToken; break; } default: if ((_tokenSet_0.member(LA(1)))) { mWhitespace(true); theRetToken=_returnToken; } else { if (LA(1)==EOF_CHAR) { uponEOF(); _returnToken = makeToken(ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE); } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } if ( !_returnToken ) goto tryAgain; // found SKIP token _ttype = _returnToken->getType(); _ttype = testLiteralsTable(_ttype); _returnToken->setType(_ttype); return _returnToken; } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& e) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamRecognitionException(e); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamIOException& csie) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamIOException(csie.io); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamException& cse) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamException(cse.getMessage()); } tryAgain:; } } void IOSCfgLexer::mLINE_COMMENT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LINE_COMMENT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("!"); { // ( ... )* for (;;) { if ((_tokenSet_1.member(LA(1)))) { { match(_tokenSet_1); } } else { goto _loop85; } } _loop85:; } // ( ... 
)* if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IOSCfgLexer::mWhitespace(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = Whitespace; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { switch ( LA(1)) { case 0x3 /* '\3' */ : case 0x4 /* '\4' */ : case 0x5 /* '\5' */ : case 0x6 /* '\6' */ : case 0x7 /* '\7' */ : case 0x8 /* '\10' */ : { matchRange('\3','\10'); break; } case 0x9 /* '\t' */ : { match('\t' /* charlit */ ); break; } case 0xb /* '\13' */ : { match('\13' /* charlit */ ); break; } case 0xc /* '\14' */ : { match('\14' /* charlit */ ); break; } case 0xe /* '\16' */ : case 0xf /* '\17' */ : case 0x10 /* '\20' */ : case 0x11 /* '\21' */ : case 0x12 /* '\22' */ : case 0x13 /* '\23' */ : case 0x14 /* '\24' */ : case 0x15 /* '\25' */ : case 0x16 /* '\26' */ : case 0x17 /* '\27' */ : case 0x18 /* '\30' */ : case 0x19 /* '\31' */ : case 0x1a /* '\32' */ : case 0x1b /* '\33' */ : case 0x1c /* '\34' */ : case 0x1d /* '\35' */ : case 0x1e /* '\36' */ : case 0x1f /* '\37' */ : { matchRange('\16','\37'); break; } case 0x20 /* ' ' */ : { match(' ' /* charlit */ ); break; } default: if (((LA(1) >= 0x7f && LA(1) <= 0xff))) { matchRange('\177',static_cast('\377')); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } if ( inputState->guessing==0 ) { #line 756 "iosacl.g" _ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP; #line 484 "IOSCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } 
void IOSCfgLexer::mNEWLINE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEWLINE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { if ((LA(1) == 0xd /* '\r' */ ) && (LA(2) == 0xa /* '\n' */ )) { match("\r\n"); } else if ((LA(1) == 0xd /* '\r' */ ) && (true)) { match('\r' /* charlit */ ); } else if ((LA(1) == 0xa /* '\n' */ )) { match('\n' /* charlit */ ); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } if ( inputState->guessing==0 ) { #line 761 "iosacl.g" newline(); #line 517 "IOSCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IOSCfgLexer::mINT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = INT_CONST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IOSCfgLexer::mHEX_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEX_CONST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IOSCfgLexer::mNEG_INT_CONST(bool _createToken) { int _ttype; 
ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEG_INT_CONST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IOSCfgLexer::mDIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DIGIT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; matchRange('0','9'); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IOSCfgLexer::mHEXDIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEXDIGIT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; switch ( LA(1)) { case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : { matchRange('A','F'); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } 
// NUMBER: the one entry point for everything that starts with a digit.  The
// token type is refined by the alternative that matches:
//   IPV4      - DIGIT+ '.' DIGIT+ '.' DIGIT+ '.' DIGIT+   (_ttype = IPV4)
//   NUMBER    - DIGIT+ '.' DIGIT+                          (type stays NUMBER)
//   HEX_CONST - '0' 'x' HEXDIGIT+                          (_ttype = HEX_CONST)
//   INT_CONST - DIGIT+                                     (_ttype = INT_CONST)
// Octets are not range-checked: any run of digits is accepted in each group,
// so e.g. "999.999.999.999" lexes as IPV4 and must be validated by the
// importer that consumes the token.
//
// NOTE(review): the IPV4 syntactic predicate (synPredMatched104) only verifies
// three dotted groups (DIGIT+ '.' DIGIT+ '.' DIGIT+) while the alternative it
// selects then consumes four.  Input whose first seven characters are all
// digits or dots but which has only three groups (e.g. "10.20.3" followed by a
// space) appears to pass the predicate and then fail in the third mDOT(false)
// with an uncaught mismatch, instead of falling through to the two-group
// alternative -- confirm against iosacl.g before relying on it.
void IOSCfgLexer::mNUMBER(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = NUMBER;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    {
    // Cheap lookahead guard before the (expensive) syntactic predicate:
    // LA(2)..LA(7) must all be '.' or a digit (_tokenSet_2).
    bool synPredMatched104 = false;
    if ((((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_2.member(LA(2))) && (_tokenSet_2.member(LA(3))) && (_tokenSet_2.member(LA(4))) && (_tokenSet_2.member(LA(5))) && (_tokenSet_2.member(LA(6))) && (_tokenSet_2.member(LA(7))) && (true) && (true) && (true))) {
        int _m104 = mark();
        synPredMatched104 = true;
        inputState->guessing++;
        try {
            {
            { // ( ... )+
            int _cnt99=0;
            for (;;) {
                if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                    mDIGIT(false);
                }
                else {
                    if ( _cnt99>=1 ) { goto _loop99; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
                }

                _cnt99++;
            }
            _loop99:;
            }  // ( ... )+
            mDOT(false);
            { // ( ... )+
            int _cnt101=0;
            for (;;) {
                if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                    mDIGIT(false);
                }
                else {
                    if ( _cnt101>=1 ) { goto _loop101; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
                }

                _cnt101++;
            }
            _loop101:;
            }  // ( ... )+
            mDOT(false);
            { // ( ... )+
            int _cnt103=0;
            for (;;) {
                if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                    mDIGIT(false);
                }
                else {
                    if ( _cnt103>=1 ) { goto _loop103; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
                }

                _cnt103++;
            }
            _loop103:;
            }  // ( ... )+
            }
        }
        catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
            synPredMatched104 = false;
        }
        // Guessing never consumes: rewind to the mark whether or not it matched.
        rewind(_m104);
        inputState->guessing--;
    }
    if ( synPredMatched104 ) {
        // IPV4 alternative: four dotted digit groups.
        {
        { // ( ... )+
        int _cnt107=0;
        for (;;) {
            if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                mDIGIT(false);
            }
            else {
                if ( _cnt107>=1 ) { goto _loop107; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
            }

            _cnt107++;
        }
        _loop107:;
        }  // ( ... )+
        mDOT(false);
        { // ( ... )+
        int _cnt109=0;
        for (;;) {
            if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                mDIGIT(false);
            }
            else {
                if ( _cnt109>=1 ) { goto _loop109; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
            }

            _cnt109++;
        }
        _loop109:;
        }  // ( ... )+
        mDOT(false);
        { // ( ... )+
        int _cnt111=0;
        for (;;) {
            if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                mDIGIT(false);
            }
            else {
                if ( _cnt111>=1 ) { goto _loop111; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
            }

            _cnt111++;
        }
        _loop111:;
        }  // ( ... )+
        mDOT(false);
        { // ( ... )+
        int _cnt113=0;
        for (;;) {
            if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                mDIGIT(false);
            }
            else {
                if ( _cnt113>=1 ) { goto _loop113; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
            }

            _cnt113++;
        }
        _loop113:;
        }  // ( ... )+
        }
        if ( inputState->guessing==0 ) {
#line 781 "iosacl.g"
            _ttype = IPV4;
#line 753 "IOSCfgLexer.cpp"
        }
    }
    else {
        // Two-group form: DIGIT+ '.' DIGIT+ -- guarded by LA(2), LA(3) in
        // _tokenSet_2, then confirmed by a syntactic predicate.
        bool synPredMatched119 = false;
        if ((((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_2.member(LA(2))) && (_tokenSet_2.member(LA(3))) && (true) && (true) && (true) && (true) && (true) && (true) && (true))) {
            int _m119 = mark();
            synPredMatched119 = true;
            inputState->guessing++;
            try {
                {
                { // ( ... )+
                int _cnt116=0;
                for (;;) {
                    if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                        mDIGIT(false);
                    }
                    else {
                        if ( _cnt116>=1 ) { goto _loop116; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
                    }

                    _cnt116++;
                }
                _loop116:;
                }  // ( ... )+
                mDOT(false);
                { // ( ... )+
                int _cnt118=0;
                for (;;) {
                    if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                        mDIGIT(false);
                    }
                    else {
                        if ( _cnt118>=1 ) { goto _loop118; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
                    }

                    _cnt118++;
                }
                _loop118:;
                }  // ( ... )+
                }
            }
            catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
                synPredMatched119 = false;
            }
            rewind(_m119);
            inputState->guessing--;
        }
        if ( synPredMatched119 ) {
            // No _ttype assignment here: "D+.D+" is returned as plain NUMBER.
            {
            { // ( ... )+
            int _cnt122=0;
            for (;;) {
                if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                    mDIGIT(false);
                }
                else {
                    if ( _cnt122>=1 ) { goto _loop122; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
                }

                _cnt122++;
            }
            _loop122:;
            }  // ( ... )+
            mDOT(false);
            { // ( ... )+
            int _cnt124=0;
            for (;;) {
                if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                    mDIGIT(false);
                }
                else {
                    if ( _cnt124>=1 ) { goto _loop124; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
                }

                _cnt124++;
            }
            _loop124:;
            }  // ( ... )+
            }
        }
        else if ((LA(1) == 0x30 /* '0' */ ) && (LA(2) == 0x78 /* 'x' */ )) {
            // Hex constant: lower-case 'x' only, and (via mHEXDIGIT /
            // _tokenSet_3) upper-case A-F only.
            {
            match('0' /* charlit */ );
            match('x' /* charlit */ );
            { // ( ... )+
            int _cnt129=0;
            for (;;) {
                if ((_tokenSet_3.member(LA(1)))) {
                    mHEXDIGIT(false);
                }
                else {
                    if ( _cnt129>=1 ) { goto _loop129; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
                }

                _cnt129++;
            }
            _loop129:;
            }  // ( ... )+
            }
            if ( inputState->guessing==0 ) {
#line 787 "iosacl.g"
                _ttype = HEX_CONST;
#line 856 "IOSCfgLexer.cpp"
            }
        }
        else if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ )) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true)) {
            // Plain decimal integer.
            { // ( ... )+
            int _cnt126=0;
            for (;;) {
                if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
                    mDIGIT(false);
                }
                else {
                    if ( _cnt126>=1 ) { goto _loop126; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
                }

                _cnt126++;
            }
            _loop126:;
            }  // ( ... )+
            if ( inputState->guessing==0 ) {
#line 785 "iosacl.g"
                _ttype = INT_CONST;
#line 877 "IOSCfgLexer.cpp"
            }
        }
        else {
            throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());
        }
    }
    }
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// DOT: a single '.'.  Also called from mNUMBER (with _createToken == false)
// as the separator between digit groups.
void IOSCfgLexer::mDOT(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = DOT;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('.' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// WORD: an identifier-like token.  The first character must be a letter or
// '$'; after that the loop accepts letters, digits, every punctuation character
// in '!'..'/' and ':'..'@', plus '\\', '^', '_' and '`'.  Characters not in
// that set ('[', ']', '{', '}', '|', '~', whitespace, quotes beyond the first
// position, ...) end the token.  A WORD can therefore carry shell- and
// quote-significant characters; anything that later interpolates token text
// (object names, comments, generated scripts) has to treat it as untrusted.
void IOSCfgLexer::mWORD(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = WORD;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    {
    switch ( LA(1)) {
    case 0x61 /* 'a' */ :
    case 0x62 /* 'b' */ :
    case 0x63 /* 'c' */ :
    case 0x64 /* 'd' */ :
    case 0x65 /* 'e' */ :
    case 0x66 /* 'f' */ :
    case 0x67 /* 'g' */ :
    case 0x68 /* 'h' */ :
    case 0x69 /* 'i' */ :
    case 0x6a /* 'j' */ :
    case 0x6b /* 'k' */ :
    case 0x6c /* 'l' */ :
    case 0x6d /* 'm' */ :
    case 0x6e /* 'n' */ :
    case 0x6f /* 'o' */ :
    case 0x70 /* 'p' */ :
    case 0x71 /* 'q' */ :
    case 0x72 /* 'r' */ :
    case 0x73 /* 's' */ :
    case 0x74 /* 't' */ :
    case 0x75 /* 'u' */ :
    case 0x76 /* 'v' */ :
    case 0x77 /* 'w' */ :
    case 0x78 /* 'x' */ :
    case 0x79 /* 'y' */ :
    case 0x7a /* 'z' */ :
    {
        matchRange('a','z');
        break;
    }
    case 0x41 /* 'A' */ :
    case 0x42 /* 'B' */ :
    case 0x43 /* 'C' */ :
    case 0x44 /* 'D' */ :
    case 0x45 /* 'E' */ :
    case 0x46 /* 'F' */ :
    case 0x47 /* 'G' */ :
    case 0x48 /* 'H' */ :
    case 0x49 /* 'I' */ :
    case 0x4a /* 'J' */ :
    case 0x4b /* 'K' */ :
    case 0x4c /* 'L' */ :
    case 0x4d /* 'M' */ :
    case 0x4e /* 'N' */ :
    case 0x4f /* 'O' */ :
    case 0x50 /* 'P' */ :
    case 0x51 /* 'Q' */ :
    case 0x52 /* 'R' */ :
    case 0x53 /* 'S' */ :
    case 0x54 /* 'T' */ :
    case 0x55 /* 'U' */ :
    case 0x56 /* 'V' */ :
    case 0x57 /* 'W' */ :
    case 0x58 /* 'X' */ :
    case 0x59 /* 'Y' */ :
    case 0x5a /* 'Z' */ :
    {
        matchRange('A','Z');
        break;
    }
    case 0x24 /* '$' */ :
    {
        match('$' /* charlit */ );
        break;
    }
    default:
    {
        throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());
    }
    }
    }
    { // ( ... )*
    for (;;) {
        switch ( LA(1)) {
        case 0x21 /* '!' */ :
        case 0x22 /* '\"' */ :
        case 0x23 /* '#' */ :
        case 0x24 /* '$' */ :
        case 0x25 /* '%' */ :
        case 0x26 /* '&' */ :
        case 0x27 /* '\'' */ :
        case 0x28 /* '(' */ :
        case 0x29 /* ')' */ :
        case 0x2a /* '*' */ :
        case 0x2b /* '+' */ :
        case 0x2c /* ',' */ :
        case 0x2d /* '-' */ :
        case 0x2e /* '.' */ :
        case 0x2f /* '/' */ :
        {
            matchRange('!','/');
            break;
        }
        case 0x30 /* '0' */ :
        case 0x31 /* '1' */ :
        case 0x32 /* '2' */ :
        case 0x33 /* '3' */ :
        case 0x34 /* '4' */ :
        case 0x35 /* '5' */ :
        case 0x36 /* '6' */ :
        case 0x37 /* '7' */ :
        case 0x38 /* '8' */ :
        case 0x39 /* '9' */ :
        {
            matchRange('0','9');
            break;
        }
        case 0x3a /* ':' */ :
        {
            match(':' /* charlit */ );
            break;
        }
        case 0x3b /* ';' */ :
        {
            match(';' /* charlit */ );
            break;
        }
        case 0x3c /* '<' */ :
        {
            match('<' /* charlit */ );
            break;
        }
        case 0x3d /* '=' */ :
        {
            match('=' /* charlit */ );
            break;
        }
        case 0x3e /* '>' */ :
        {
            match('>' /* charlit */ );
            break;
        }
        case 0x3f /* '?' */ :
        {
            match('?' /* charlit */ );
            break;
        }
        case 0x40 /* '@' */ :
        {
            match('@' /* charlit */ );
            break;
        }
        case 0x41 /* 'A' */ :
        case 0x42 /* 'B' */ :
        case 0x43 /* 'C' */ :
        case 0x44 /* 'D' */ :
        case 0x45 /* 'E' */ :
        case 0x46 /* 'F' */ :
        case 0x47 /* 'G' */ :
        case 0x48 /* 'H' */ :
        case 0x49 /* 'I' */ :
        case 0x4a /* 'J' */ :
        case 0x4b /* 'K' */ :
        case 0x4c /* 'L' */ :
        case 0x4d /* 'M' */ :
        case 0x4e /* 'N' */ :
        case 0x4f /* 'O' */ :
        case 0x50 /* 'P' */ :
        case 0x51 /* 'Q' */ :
        case 0x52 /* 'R' */ :
        case 0x53 /* 'S' */ :
        case 0x54 /* 'T' */ :
        case 0x55 /* 'U' */ :
        case 0x56 /* 'V' */ :
        case 0x57 /* 'W' */ :
        case 0x58 /* 'X' */ :
        case 0x59 /* 'Y' */ :
        case 0x5a /* 'Z' */ :
        {
            matchRange('A','Z');
            break;
        }
        case 0x5c /* '\\' */ :
        {
            match('\\' /* charlit */ );
            break;
        }
        case 0x5e /* '^' */ :
        {
            match('^' /* charlit */ );
            break;
        }
        case 0x5f /* '_' */ :
        {
            match('_' /* charlit */ );
            break;
        }
        case 0x60 /* '`' */ :
        {
            match('`' /* charlit */ );
            break;
        }
        case 0x61 /* 'a' */ :
        case 0x62 /* 'b' */ :
        case 0x63 /* 'c' */ :
        case 0x64 /* 'd' */ :
        case 0x65 /* 'e' */ :
        case 0x66 /* 'f' */ :
        case 0x67 /* 'g' */ :
        case 0x68 /* 'h' */ :
        case 0x69 /* 'i' */ :
        case 0x6a /* 'j' */ :
        case 0x6b /* 'k' */ :
        case 0x6c /* 'l' */ :
        case 0x6d /* 'm' */ :
        case 0x6e /* 'n' */ :
        case 0x6f /* 'o' */ :
        case 0x70 /* 'p' */ :
        case 0x71 /* 'q' */ :
        case 0x72 /* 'r' */ :
        case 0x73 /* 's' */ :
        case 0x74 /* 't' */ :
        case 0x75 /* 'u' */ :
        case 0x76 /* 'v' */ :
        case 0x77 /* 'w' */ :
        case 0x78 /* 'x' */ :
        case 0x79 /* 'y' */ :
        case 0x7a /* 'z' */ :
        {
            matchRange('a','z');
            break;
        }
        default:
        {
            goto _loop133;
        }
        }
    }
    _loop133:;
    } // ( ... )*
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// STRING: '"' followed by any characters other than '"' (_tokenSet_4),
// terminated by the closing '"'.  The token text keeps both quotes.
//
// NOTE(review): _tokenSet_4 includes 0xa and 0xd (see its listing at the end
// of this file) and this rule never calls newline(), so a string may span
// lines and the scanner's line counter is not advanced for the newlines it
// swallows.  One unbalanced '"' in a config therefore consumes every following
// line up to the next '"' (or EOF) as one STRING, and error positions reported
// after that point will be off.
void IOSCfgLexer::mSTRING(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = STRING;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('\"' /* charlit */ );
    { // ( ... )*
    for (;;) {
        if ((_tokenSet_4.member(LA(1)))) {
            matchNot('\"' /* charlit */ );
        }
        else {
            goto _loop136;
        }

    }
    _loop136:;
    } // ( ... )*
    match('\"' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// The remaining rules are single-character punctuation tokens: each matches
// exactly one literal and returns a token of the corresponding type.

// PIPE_CHAR: '|'
void IOSCfgLexer::mPIPE_CHAR(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = PIPE_CHAR;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('|' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// NUMBER_SIGN: '#'
void IOSCfgLexer::mNUMBER_SIGN(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = NUMBER_SIGN;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('#' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// PERCENT: '%'
void IOSCfgLexer::mPERCENT(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = PERCENT;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('%' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// AMPERSAND: '&'
void IOSCfgLexer::mAMPERSAND(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = AMPERSAND;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('&' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// APOSTROPHE: '\''
void IOSCfgLexer::mAPOSTROPHE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = APOSTROPHE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('\'' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// OPENING_PAREN: '('
void IOSCfgLexer::mOPENING_PAREN(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPENING_PAREN;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('(' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// CLOSING_PAREN: ')'
void IOSCfgLexer::mCLOSING_PAREN(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = CLOSING_PAREN;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match(')' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// STAR: '*'
void IOSCfgLexer::mSTAR(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = STAR;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('*' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// PLUS: '+'
void IOSCfgLexer::mPLUS(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = PLUS;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('+' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// COMMA: ','
void IOSCfgLexer::mCOMMA(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = COMMA;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match(',' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// MINUS: '-'
void IOSCfgLexer::mMINUS(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = MINUS;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('-' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// SLASH: '/'
void IOSCfgLexer::mSLASH(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = SLASH;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('/' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// COLON: ':'
void IOSCfgLexer::mCOLON(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = COLON;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match(':' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// SEMICOLON: ';'
void IOSCfgLexer::mSEMICOLON(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = SEMICOLON;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match(';' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// LESS_THAN: '<'
void IOSCfgLexer::mLESS_THAN(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = LESS_THAN;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('<' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// EQUALS: '='
void IOSCfgLexer::mEQUALS(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = EQUALS;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('=' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// GREATER_THAN: '>'
void IOSCfgLexer::mGREATER_THAN(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = GREATER_THAN;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('>' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// QUESTION: '?'
void IOSCfgLexer::mQUESTION(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = QUESTION;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('?' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// COMMERCIAL_AT: '@'
void IOSCfgLexer::mCOMMERCIAL_AT(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = COMMERCIAL_AT;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('@' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// OPENING_SQUARE: '['
void IOSCfgLexer::mOPENING_SQUARE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPENING_SQUARE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('[' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// CLOSING_SQUARE: ']'
void IOSCfgLexer::mCLOSING_SQUARE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = CLOSING_SQUARE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match(']' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// CARET: '^'
void IOSCfgLexer::mCARET(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = CARET;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('^' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// UNDERLINE: '_'
void IOSCfgLexer::mUNDERLINE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = UNDERLINE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('_' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// OPENING_BRACE: '{'
void IOSCfgLexer::mOPENING_BRACE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPENING_BRACE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('{' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// CLOSING_BRACE: '}'
void IOSCfgLexer::mCLOSING_BRACE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = CLOSING_BRACE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('}' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}
// TILDE: '~'  (last of the single-character punctuation rules)
void IOSCfgLexer::mTILDE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = TILDE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;

    match('~' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
       _token = makeToken(_ttype);
       _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// Lookahead character sets generated by ANTLR.  Each is a bitmap over the
// character range: bit (c + 2) of the concatenated words is set when character
// c belongs to the set (hence the first data word is never used for ASCII
// 0x00..0x02).  The comment after each array lists the members ANTLR printed
// for it; the listings are truncated by the generator, so trust the bits, not
// the comment, when a character past 'O' matters.
const unsigned long IOSCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL, 2147483648UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14
// 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f
const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgLexer::_tokenSet_0(_tokenSet_0_data_,16);

const unsigned long IOSCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14
// 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! \" # $ %
// & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G
// H I J K L M N O
const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgLexer::_tokenSet_1(_tokenSet_1_data_,16);

// _tokenSet_2: '.' and '0'..'9' -- the lookahead guard for the dotted-number
// alternatives in mNUMBER.
const unsigned long IOSCfgLexer::_tokenSet_2_data_[] = { 0UL, 67059712UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// . 0 1 2 3 4 5 6 7 8 9
const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgLexer::_tokenSet_2(_tokenSet_2_data_,10);

// _tokenSet_3: the HEXDIGIT alphabet, '0'..'9' and upper-case 'A'..'F' only.
const unsigned long IOSCfgLexer::_tokenSet_3_data_[] = { 0UL, 67043328UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0 1 2 3 4 5 6 7 8 9 A B C D E F
const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgLexer::_tokenSet_3(_tokenSet_3_data_,10);

// _tokenSet_4: everything mSTRING accepts between the quotes -- all
// characters from 0x03 upward except '"' (0x22).  Note that 0xa and 0xd are
// members, which is why a STRING can run across line ends.
const unsigned long IOSCfgLexer::_tokenSet_4_data_[] = { 4294967288UL, 4294967291UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 0x11 0x12 0x13
// 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! # $
// % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F
// G H I J K L M N O
const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgLexer::_tokenSet_4(_tokenSet_4_data_,16);

fwbuilder-5.3.7/src/parsers/IOSCfgLexer.hpp000066400000000000000000000070761303637203600205570ustar00rootroot00000000000000
#ifndef INC_IOSCfgLexer_hpp_
#define INC_IOSCfgLexer_hpp_

#line 27 "iosacl.g"

// gets inserted before antlr generated includes in the header
// file

#include "IOSImporter.h"

#line 11 "IOSCfgLexer.hpp"
// NOTE(review): the angle-bracket include targets on the following #include
// lines were lost when this listing was extracted (the <...> part was
// stripped); the generated header names them -- do not "fix" them here.
#include
/* $ANTLR 2.7.7 (20090306): "iosacl.g" -> "IOSCfgLexer.hpp"$ */
#include
#include
#include
#include "IOSCfgParserTokenTypes.hpp"
#include
#line 33 "iosacl.g"

// gets inserted after antlr generated includes in the header file
// outside any generated namespace specifications

#include
class IOSImporter;

#line 28 "IOSCfgLexer.hpp"
#line 57 "iosacl.g"

// gets inserted after generated namespace specifications in the
// header file. But outside the generated class.
#line 34 "IOSCfgLexer.hpp" class CUSTOM_API IOSCfgLexer : public ANTLR_USE_NAMESPACE(antlr)CharScanner, public IOSCfgParserTokenTypes { #line 1 "iosacl.g" #line 38 "IOSCfgLexer.hpp" private: void initLiterals(); public: bool getCaseSensitiveLiterals() const { return true; } public: IOSCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in); IOSCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib); IOSCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state); ANTLR_USE_NAMESPACE(antlr)RefToken nextToken(); public: void mLINE_COMMENT(bool _createToken); public: void mWhitespace(bool _createToken); public: void mNEWLINE(bool _createToken); protected: void mINT_CONST(bool _createToken); protected: void mHEX_CONST(bool _createToken); protected: void mNEG_INT_CONST(bool _createToken); protected: void mDIGIT(bool _createToken); protected: void mHEXDIGIT(bool _createToken); public: void mNUMBER(bool _createToken); public: void mDOT(bool _createToken); public: void mWORD(bool _createToken); public: void mSTRING(bool _createToken); public: void mPIPE_CHAR(bool _createToken); public: void mNUMBER_SIGN(bool _createToken); public: void mPERCENT(bool _createToken); public: void mAMPERSAND(bool _createToken); public: void mAPOSTROPHE(bool _createToken); public: void mOPENING_PAREN(bool _createToken); public: void mCLOSING_PAREN(bool _createToken); public: void mSTAR(bool _createToken); public: void mPLUS(bool _createToken); public: void mCOMMA(bool _createToken); public: void mMINUS(bool _createToken); public: void mSLASH(bool _createToken); public: void mCOLON(bool _createToken); public: void mSEMICOLON(bool _createToken); public: void mLESS_THAN(bool _createToken); public: void mEQUALS(bool _createToken); public: void mGREATER_THAN(bool _createToken); public: void mQUESTION(bool _createToken); public: void mCOMMERCIAL_AT(bool _createToken); public: void mOPENING_SQUARE(bool _createToken); public: void mCLOSING_SQUARE(bool _createToken); public: void mCARET(bool _createToken); 
public: void mUNDERLINE(bool _createToken); public: void mOPENING_BRACE(bool _createToken); public: void mCLOSING_BRACE(bool _createToken); public: void mTILDE(bool _createToken); private: static const unsigned long _tokenSet_0_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long _tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; static const unsigned long _tokenSet_3_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_3; static const unsigned long _tokenSet_4_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_4; }; #endif /*INC_IOSCfgLexer_hpp_*/ fwbuilder-5.3.7/src/parsers/IOSCfgParser.cpp000066400000000000000000001347201303637203600207240ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20090306): "iosacl.g" -> "IOSCfgParser.cpp"$ */ #line 43 "iosacl.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "IOSCfgParser.cpp" #include "IOSCfgParser.hpp" #include #include #include #line 49 "iosacl.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #line 20 "IOSCfgParser.cpp" #line 1 "iosacl.g" #line 22 "IOSCfgParser.cpp" IOSCfgParser::IOSCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,k) { } IOSCfgParser::IOSCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,2) { } IOSCfgParser::IOSCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,k) { } IOSCfgParser::IOSCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,2) { } IOSCfgParser::IOSCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)LLkParser(state,2) { } void IOSCfgParser::cfgfile() { 
try { // for error handling { // ( ... )+ int _cnt3=0; for (;;) { switch ( LA(1)) { case LINE_COMMENT: { comment(); break; } case IOSVERSION: { version(); break; } case HOSTNAME: { hostname(); break; } case IP: { ip_commands(); break; } case INTRFACE: { intrface(); break; } case CONTROLLER: { controller(); break; } case VLAN: { vlan(); break; } case ACCESS_LIST: { access_list_commands(); break; } case EXIT: { exit(); break; } case DESCRIPTION: { description(); break; } case SHUTDOWN: { shutdown(); break; } case CERTIFICATE: { certificate(); break; } case QUIT: { quit(); break; } case WORD: { unknown_command(); break; } case NEWLINE: { match(NEWLINE); break; } default: { if ( _cnt3>=1 ) { goto _loop3; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());} } } _cnt3++; } _loop3:; } // ( ... )+ } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_0); } else { throw; } } } void IOSCfgParser::comment() { try { // for error handling match(LINE_COMMENT); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void IOSCfgParser::version() { ANTLR_USE_NAMESPACE(antlr)RefToken v = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(IOSVERSION); v = LT(1); match(NUMBER); if ( inputState->guessing==0 ) { #line 193 "iosacl.g" *dbg << "VERSION " << v->getText() << std::endl; #line 177 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::hostname() { try { // for error handling match(HOSTNAME); { switch ( LA(1)) { case STRING: { match(STRING); break; } case WORD: { match(WORD); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( 
inputState->guessing==0 ) { #line 200 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->setHostName( LT(0)->getText() ); *dbg << "HOSTNAME " << "LT0=" << LT(0)->getText() << std::endl; #line 221 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::ip_commands() { try { // for error handling match(IP); { switch ( LA(1)) { case ACCESS_LIST: { ip_access_list_ext(); break; } case ACCESS_GROUP: case ADDRESS: { interface_known_ip_commands(); break; } case COMMUNITY_LIST: { community_list_command(); break; } case ICMP: case TCP: case HOST: { ip_unused_command(); break; } case WORD: { unknown_command(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::intrface() { ANTLR_USE_NAMESPACE(antlr)RefToken in = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(INTRFACE); in = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 527 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->newInterface( in->getText() ); *dbg << in->getLine() << ":" << " INTRFACE: " << in->getText() << std::endl; #line 300 "IOSCfgParser.cpp" } { switch ( LA(1)) { case POINT_TO_POINT: { match(POINT_TO_POINT); if ( inputState->guessing==0 ) { #line 535 "iosacl.g" importer->addMessageToLog( QString("Warning: point-to-point interfaces " "are not supported")); #line 314 "IOSCfgParser.cpp" } break; } case NEWLINE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } 
else { throw; } } } void IOSCfgParser::controller() { try { // for error handling match(CONTROLLER); if ( inputState->guessing==0 ) { #line 517 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->clearCurrentInterface(); consumeUntil(NEWLINE); #line 351 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::vlan() { try { // for error handling match(VLAN); { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 507 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->clearCurrentInterface(); consumeUntil(NEWLINE); #line 393 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::access_list_commands() { ANTLR_USE_NAMESPACE(antlr)RefToken acl_num = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(ACCESS_LIST); acl_num = LT(1); match(INT_CONST); if ( inputState->guessing==0 ) { #line 216 "iosacl.g" importer->newUnidirRuleSet( std::string("acl_") + acl_num->getText(), libfwbuilder::Policy::TYPENAME); *dbg << acl_num->getLine() << ":" << " ACL #" << acl_num->getText() << " "; #line 421 "IOSCfgParser.cpp" } { if ((LA(1) == PERMIT) && (LA(2) == IPV4 || LA(2) == ANY)) { permit_std(); } else if ((LA(1) == DENY) && (LA(2) == IPV4 || LA(2) == ANY)) { deny_std(); } else if ((LA(1) == PERMIT) && (_tokenSet_3.member(LA(2)))) { permit_ext(); } else if ((LA(1) == DENY) && (_tokenSet_3.member(LA(2)))) { deny_ext(); } else if ((LA(1) == REMARK)) { remark(); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch 
(ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::exit() { try { // for error handling match(EXIT); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::description() { try { // for error handling match(DESCRIPTION); if ( inputState->guessing==0 ) { #line 547 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); *dbg << LT(1)->getLine() << ":"; std::string descr; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { descr += LT(1)->getText() + " "; consume(); } importer->setInterfaceComment( descr ); *dbg << " DESCRIPTION " << descr << std::endl; //consumeUntil(NEWLINE); #line 489 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::shutdown() { try { // for error handling match(SHUTDOWN); if ( inputState->guessing==0 ) { #line 583 "iosacl.g" *dbg<< LT(1)->getLine() << ":" << " INTERFACE SHUTDOWN " << std::endl; #line 512 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::certificate() { try { // for error handling match(CERTIFICATE); match(WORD); if ( inputState->guessing==0 ) { #line 185 "iosacl.g" consumeUntil(NEWLINE); consumeUntil(QUIT); #line 536 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::quit() { try { // for error handling match(QUIT); if ( inputState->guessing==0 ) { #line 153 "iosacl.g" consumeUntil(NEWLINE); #line 558 
"IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::unknown_command() { try { // for error handling match(WORD); if ( inputState->guessing==0 ) { #line 178 "iosacl.g" consumeUntil(NEWLINE); #line 580 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::ip_access_list_ext() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(ACCESS_LIST); match(EXTENDED); name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 238 "iosacl.g" importer->newUnidirRuleSet( name->getText(), libfwbuilder::Policy::TYPENAME ); *dbg << name->getLine() << ":" << " ACL ext " << name->getText() << std::endl; #line 608 "IOSCfgParser.cpp" } match(NEWLINE); { // ( ... )* for (;;) { switch ( LA(1)) { case PERMIT: { permit_ext(); break; } case DENY: { deny_ext(); break; } case REMARK: { remark(); break; } default: if ((LA(1) == LINE_COMMENT) && (_tokenSet_1.member(LA(2)))) { comment(); } else if ((LA(1) == NEWLINE) && (_tokenSet_1.member(LA(2)))) { match(NEWLINE); } else { goto _loop18; } } } _loop18:; } // ( ... 
)* if ( inputState->guessing==0 ) { #line 255 "iosacl.g" *dbg << LT(0)->getLine() << ":" << " ACL end" << std::endl << std::endl; #line 649 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::interface_known_ip_commands() { try { // for error handling { if ((LA(1) == ACCESS_GROUP) && (LA(2) == WORD)) { access_group_by_name(); } else if ((LA(1) == ACCESS_GROUP) && (LA(2) == INT_CONST)) { access_group_by_number(); } else if ((LA(1) == ADDRESS)) { intf_address(); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::community_list_command() { try { // for error handling match(COMMUNITY_LIST); if ( inputState->guessing==0 ) { #line 171 "iosacl.g" consumeUntil(NEWLINE); #line 701 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::ip_unused_command() { try { // for error handling switch ( LA(1)) { case ICMP: { match(ICMP); break; } case TCP: { match(TCP); break; } case HOST: { match(HOST); if ( inputState->guessing==0 ) { #line 164 "iosacl.g" consumeUntil(NEWLINE); #line 736 "IOSCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::permit_std() { try { // for error handling match(PERMIT); if ( inputState->guessing==0 ) { #line 290 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); 
importer->newPolicyRule(); importer->action = "permit"; *dbg << LT(1)->getLine() << ":" << " permit "; #line 768 "IOSCfgParser.cpp" } rule_std(); if ( inputState->guessing==0 ) { #line 297 "iosacl.g" importer->pushRule(); #line 776 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::deny_std() { try { // for error handling match(DENY); if ( inputState->guessing==0 ) { #line 303 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "deny"; *dbg << LT(1)->getLine() << ":" << " deny "; #line 801 "IOSCfgParser.cpp" } rule_std(); match(NEWLINE); if ( inputState->guessing==0 ) { #line 310 "iosacl.g" importer->pushRule(); #line 810 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::permit_ext() { try { // for error handling match(PERMIT); if ( inputState->guessing==0 ) { #line 263 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "permit"; *dbg << LT(1)->getLine() << ":" << " permit "; #line 835 "IOSCfgParser.cpp" } rule_ext(); if ( inputState->guessing==0 ) { #line 270 "iosacl.g" importer->pushRule(); #line 843 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void IOSCfgParser::deny_ext() { try { // for error handling match(DENY); if ( inputState->guessing==0 ) { #line 276 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "deny"; *dbg << LT(1)->getLine() << ":" << " deny "; #line 868 "IOSCfgParser.cpp" } rule_ext(); match(NEWLINE); if ( inputState->guessing==0 ) { #line 283 
"iosacl.g" importer->pushRule(); #line 877 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void IOSCfgParser::remark() { try { // for error handling match(REMARK); if ( inputState->guessing==0 ) { #line 566 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); *dbg << LT(1)->getLine() << ":"; std::string rem; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { rem += LT(1)->getText() + " "; consume(); } importer->addRuleComment( rem ); *dbg << " REMARK " << rem << std::endl; //consumeUntil(NEWLINE); #line 909 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void IOSCfgParser::rule_ext() { try { // for error handling { switch ( LA(1)) { case IP: case WORD: { ip_protocols(); hostaddr_ext(); if ( inputState->guessing==0 ) { #line 320 "iosacl.g" importer->SaveTmpAddrToSrc(); *dbg << "(src) "; #line 935 "IOSCfgParser.cpp" } hostaddr_ext(); if ( inputState->guessing==0 ) { #line 321 "iosacl.g" importer->SaveTmpAddrToDst(); *dbg << "(dst) "; #line 941 "IOSCfgParser.cpp" } { switch ( LA(1)) { case TIME_RANGE: { time_range(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case PERMIT: case DENY: case LOG: case LOG_INPUT: case FRAGMENTS: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case FRAGMENTS: { fragments(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: 
case ACCESS_LIST: case PERMIT: case DENY: case LOG: case LOG_INPUT: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case LOG: case LOG_INPUT: { log(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case PERMIT: case DENY: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case ICMP: { match(ICMP); if ( inputState->guessing==0 ) { #line 327 "iosacl.g" importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; #line 1065 "IOSCfgParser.cpp" } hostaddr_ext(); if ( inputState->guessing==0 ) { #line 331 "iosacl.g" importer->SaveTmpAddrToSrc(); *dbg << "(src) "; #line 1071 "IOSCfgParser.cpp" } hostaddr_ext(); if ( inputState->guessing==0 ) { #line 332 "iosacl.g" importer->SaveTmpAddrToDst(); *dbg << "(dst) "; #line 1077 "IOSCfgParser.cpp" } { if ((LA(1) == WORD || LA(1) == INT_CONST) && (_tokenSet_4.member(LA(2)))) { icmp_spec(); } else if ((_tokenSet_5.member(LA(1))) && (_tokenSet_6.member(LA(2)))) { } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } { switch ( LA(1)) { case TIME_RANGE: { time_range(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case PERMIT: case DENY: case LOG: case LOG_INPUT: case FRAGMENTS: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw 
ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case FRAGMENTS: { fragments(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case PERMIT: case DENY: case LOG: case LOG_INPUT: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case LOG: case LOG_INPUT: { log(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case PERMIT: case DENY: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case TCP: case UDP: { { switch ( LA(1)) { case TCP: { match(TCP); break; } case UDP: { match(UDP); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 339 "iosacl.g" importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; #line 1230 "IOSCfgParser.cpp" } hostaddr_ext(); if ( inputState->guessing==0 ) { #line 343 "iosacl.g" importer->SaveTmpAddrToSrc(); *dbg << "(src) "; #line 1236 "IOSCfgParser.cpp" } { switch ( LA(1)) { case P_EQ: case P_GT: case P_LT: case P_NEQ: case P_RANGE: { xoperator(); if ( inputState->guessing==0 ) { #line 344 "iosacl.g" importer->SaveTmpPortToSrc(); #line 1250 "IOSCfgParser.cpp" } break; } case HOST: case IPV4: case ANY: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } hostaddr_ext(); if ( inputState->guessing==0 ) { #line 345 "iosacl.g" 
importer->SaveTmpAddrToDst(); *dbg << "(dst) "; #line 1270 "IOSCfgParser.cpp" } { switch ( LA(1)) { case P_EQ: case P_GT: case P_LT: case P_NEQ: case P_RANGE: { xoperator(); if ( inputState->guessing==0 ) { #line 346 "iosacl.g" importer->SaveTmpPortToDst(); #line 1284 "IOSCfgParser.cpp" } break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case PERMIT: case DENY: case LOG: case LOG_INPUT: case ESTABLISHED: case FRAGMENTS: case TIME_RANGE: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case ESTABLISHED: { established(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case PERMIT: case DENY: case LOG: case LOG_INPUT: case FRAGMENTS: case TIME_RANGE: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case TIME_RANGE: { time_range(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case PERMIT: case DENY: case LOG: case LOG_INPUT: case FRAGMENTS: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case FRAGMENTS: { fragments(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: 
case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case PERMIT: case DENY: case LOG: case LOG_INPUT: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case LOG: case LOG_INPUT: { log(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case PERMIT: case DENY: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case REMARK: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 352 "iosacl.g" *dbg << std::endl; #line 1484 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void IOSCfgParser::rule_std() { try { // for error handling { hostaddr_std(); if ( inputState->guessing==0 ) { #line 360 "iosacl.g" importer->SaveTmpAddrToSrc(); *dbg << "(std) "; #line 1505 "IOSCfgParser.cpp" } { switch ( LA(1)) { case LOG: case LOG_INPUT: { log(); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case IP: case QUIT: case WORD: case CERTIFICATE: case IOSVERSION: case HOSTNAME: case ACCESS_LIST: case VLAN: case CONTROLLER: case INTRFACE: case DESCRIPTION: case SHUTDOWN: case EXIT: case LINE_COMMENT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } if ( inputState->guessing==0 ) { #line 363 "iosacl.g" *dbg << std::endl; #line 1546 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( 
inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_2); } else { throw; } } } void IOSCfgParser::ip_protocols() { try { // for error handling { switch ( LA(1)) { case IP: { match(IP); break; } case WORD: { match(WORD); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 371 "iosacl.g" importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; #line 1586 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_7); } else { throw; } } } void IOSCfgParser::hostaddr_ext() { ANTLR_USE_NAMESPACE(antlr)RefToken h = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken a = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken m = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling switch ( LA(1)) { case HOST: { { match(HOST); h = LT(1); match(IPV4); } if ( inputState->guessing==0 ) { #line 423 "iosacl.g" importer->tmp_a = h->getText(); importer->tmp_nm = "0.0.0.0"; *dbg << h->getText() << "/0.0.0.0"; #line 1620 "IOSCfgParser.cpp" } break; } case IPV4: { { a = LT(1); match(IPV4); m = LT(1); match(IPV4); } if ( inputState->guessing==0 ) { #line 430 "iosacl.g" importer->tmp_a = a->getText(); importer->tmp_nm = m->getText(); *dbg << a->getText() << "/" << m->getText(); #line 1639 "IOSCfgParser.cpp" } break; } case ANY: { match(ANY); if ( inputState->guessing==0 ) { #line 437 "iosacl.g" importer->tmp_a = "0.0.0.0"; importer->tmp_nm = "0.0.0.0"; *dbg << "0.0.0.0/0.0.0.0"; #line 1653 "IOSCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_8); } else { throw; } } } void IOSCfgParser::time_range() { 
ANTLR_USE_NAMESPACE(antlr)RefToken tr_name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(TIME_RANGE); tr_name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 489 "iosacl.g" importer->time_range_name = tr_name->getText(); *dbg << "time_range " << tr_name->getText() << " "; #line 1686 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void IOSCfgParser::fragments() { try { // for error handling match(FRAGMENTS); if ( inputState->guessing==0 ) { #line 482 "iosacl.g" importer->fragments = true; *dbg << "fragments "; #line 1709 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_10); } else { throw; } } } void IOSCfgParser::log() { try { // for error handling { switch ( LA(1)) { case LOG: { match(LOG); break; } case LOG_INPUT: { match(LOG_INPUT); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 468 "iosacl.g" importer->logging = true; *dbg << "logging "; #line 1749 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void IOSCfgParser::icmp_spec() { ANTLR_USE_NAMESPACE(antlr)RefToken icmp_type = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken icmp_code = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken icmp_word = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling { switch ( LA(1)) { case INT_CONST: { { icmp_type = LT(1); match(INT_CONST); icmp_code = LT(1); match(INT_CONST); } if ( inputState->guessing==0 ) { #line 379 "iosacl.g" importer->icmp_type = icmp_type->getText(); importer->icmp_code = icmp_code->getText(); 
importer->icmp_spec = ""; *dbg << icmp_type->getText() << " " << icmp_code->getText() << " "; #line 1787 "IOSCfgParser.cpp" } break; } case WORD: { icmp_word = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 388 "iosacl.g" importer->icmp_spec = icmp_word->getText(); *dbg << icmp_word->getText() << " "; #line 1801 "IOSCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IOSCfgParser::xoperator() { try { // for error handling switch ( LA(1)) { case P_EQ: case P_GT: case P_LT: case P_NEQ: { single_port_op(); break; } case P_RANGE: { port_range(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_11); } else { throw; } } } void IOSCfgParser::established() { try { // for error handling match(ESTABLISHED); if ( inputState->guessing==0 ) { #line 475 "iosacl.g" importer->established = true; *dbg << "established "; #line 1865 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IOSCfgParser::hostaddr_std() { ANTLR_USE_NAMESPACE(antlr)RefToken h = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken a = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken m = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling if ((LA(1) == IPV4) && (_tokenSet_12.member(LA(2)))) { { h = LT(1); match(IPV4); } if ( inputState->guessing==0 ) { #line 446 "iosacl.g" importer->tmp_a = h->getText(); importer->tmp_nm = "0.0.0.0"; *dbg << h->getText() << "/0.0.0.0"; #line 1896 "IOSCfgParser.cpp" } } 
else if ((LA(1) == IPV4) && (LA(2) == IPV4)) { { a = LT(1); match(IPV4); m = LT(1); match(IPV4); } if ( inputState->guessing==0 ) { #line 453 "iosacl.g" importer->tmp_a = a->getText(); importer->tmp_nm = m->getText(); *dbg << a->getText() << "/" << m->getText(); #line 1913 "IOSCfgParser.cpp" } } else if ((LA(1) == ANY)) { match(ANY); if ( inputState->guessing==0 ) { #line 460 "iosacl.g" importer->tmp_a = "0.0.0.0"; importer->tmp_nm = "0.0.0.0"; *dbg << "0.0.0.0/0.0.0.0"; #line 1925 "IOSCfgParser.cpp" } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_12); } else { throw; } } } void IOSCfgParser::single_port_op() { try { // for error handling { switch ( LA(1)) { case P_EQ: { match(P_EQ); break; } case P_GT: { match(P_GT); break; } case P_LT: { match(P_LT); break; } case P_NEQ: { match(P_NEQ); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 399 "iosacl.g" importer->tmp_port_op = LT(0)->getText(); *dbg << LT(0)->getText() << " "; #line 1980 "IOSCfgParser.cpp" } port_spec(); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_11); } else { throw; } } } void IOSCfgParser::port_range() { try { // for error handling match(P_RANGE); if ( inputState->guessing==0 ) { #line 407 "iosacl.g" importer->tmp_port_op = LT(0)->getText(); *dbg << LT(0)->getText() << " "; #line 2004 "IOSCfgParser.cpp" } port_spec(); port_spec(); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_11); } else { throw; } } } void IOSCfgParser::port_spec() { try { // for error handling { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; 
} default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 415 "iosacl.g" importer->tmp_port_spec += (std::string(" ") + LT(0)->getText()); *dbg << LT(0)->getText() << " "; #line 2046 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_13); } else { throw; } } } void IOSCfgParser::access_group_by_name() { ANTLR_USE_NAMESPACE(antlr)RefToken acln = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken dir = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(ACCESS_GROUP); acln = LT(1); match(WORD); dir = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 609 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->setInterfaceAndDirectionForRuleSet( acln->getText(), "", dir->getText() ); *dbg << LT(1)->getLine() << ":" << " INTRFACE: ACL '" << acln->getText() << "'" << " " << dir->getText() << std::endl; #line 2081 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_14); } else { throw; } } } void IOSCfgParser::access_group_by_number() { ANTLR_USE_NAMESPACE(antlr)RefToken acln = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken dir = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(ACCESS_GROUP); acln = LT(1); match(INT_CONST); dir = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 625 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->setInterfaceAndDirectionForRuleSet( std::string("acl_") + acln->getText(), "", dir->getText() ); *dbg << LT(1)->getLine() << ":" << " INTRFACE: ACL '" << acln->getText() << "'" << " " << dir->getText() << std::endl; #line 2116 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( 
inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_14); } else { throw; } } } void IOSCfgParser::intf_address() { ANTLR_USE_NAMESPACE(antlr)RefToken a = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken m = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken s = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(ADDRESS); a = LT(1); match(IPV4); m = LT(1); match(IPV4); { switch ( LA(1)) { case SECONDARY: { s = LT(1); match(SECONDARY); break; } case NEWLINE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 638 "iosacl.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->addInterfaceAddress(a->getText(), m->getText()); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << a->getText() << "/" << m->getText() << " "; if (s) { *dbg << s->getText(); } *dbg << std::endl; #line 2172 "IOSCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_14); } else { throw; } } } void IOSCfgParser::initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& ) { } const char* IOSCfgParser::tokenNames[] = { "<0>", "EOF", "<2>", "NULL_TREE_LOOKAHEAD", "NEWLINE", "\"ip\"", "\"quit\"", "\"icmp\"", "\"tcp\"", "\"host\"", "\"community-list\"", "WORD", "\"certificate\"", "\"version\"", "NUMBER", "\"hostname\"", "STRING", "\"access-list\"", "INT_CONST", "\"extended\"", "\"permit\"", "\"deny\"", "\"udp\"", "\"eq\"", "\"gt\"", "\"lt\"", "\"neq\"", "\"range\"", "IPV4", "\"any\"", "\"log\"", "\"log-input\"", "\"established\"", "\"fragments\"", "\"time-range\"", "\"vlan\"", "\"controller\"", "\"interface\"", "\"point-to-point\"", "\"description\"", "\"remark\"", "\"shutdown\"", "\"access-group\"", "\"address\"", "\"secondary\"", "\"exit\"", "LINE_COMMENT", "\"standard\"", "Whitespace", "HEX_CONST", "NEG_INT_CONST", 
"DIGIT", "HEXDIGIT", "PIPE_CHAR", "NUMBER_SIGN", "PERCENT", "AMPERSAND", "APOSTROPHE", "OPENING_PAREN", "CLOSING_PAREN", "STAR", "PLUS", "COMMA", "MINUS", "DOT", "SLASH", "COLON", "SEMICOLON", "LESS_THAN", "EQUALS", "GREATER_THAN", "QUESTION", "COMMERCIAL_AT", "OPENING_SQUARE", "CLOSING_SQUARE", "CARET", "UNDERLINE", "OPENING_BRACE", "CLOSING_BRACE", "TILDE", 0 }; const unsigned long IOSCfgParser::_tokenSet_0_data_[] = { 2UL, 0UL, 0UL, 0UL }; // EOF const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_0(_tokenSet_0_data_,4); const unsigned long IOSCfgParser::_tokenSet_1_data_[] = { 3324018UL, 25528UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" WORD "certificate" "version" "hostname" "access-list" // "permit" "deny" "vlan" "controller" "interface" "description" "remark" // "shutdown" "exit" LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_1(_tokenSet_1_data_,4); const unsigned long IOSCfgParser::_tokenSet_2_data_[] = { 178290UL, 25272UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" WORD "certificate" "version" "hostname" "access-list" // "vlan" "controller" "interface" "description" "shutdown" "exit" LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_2(_tokenSet_2_data_,4); const unsigned long IOSCfgParser::_tokenSet_3_data_[] = { 4196768UL, 0UL, 0UL, 0UL }; // "ip" "icmp" "tcp" WORD "udp" const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_3(_tokenSet_3_data_,4); const unsigned long IOSCfgParser::_tokenSet_4_data_[] = { 3224811634UL, 25534UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" WORD "certificate" "version" "hostname" "access-list" // INT_CONST "permit" "deny" "log" "log-input" "fragments" "time-range" // "vlan" "controller" "interface" "description" "remark" "shutdown" "exit" // LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_4(_tokenSet_4_data_,4); const unsigned long IOSCfgParser::_tokenSet_5_data_[] = { 3224549490UL, 25534UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" WORD 
"certificate" "version" "hostname" "access-list" // "permit" "deny" "log" "log-input" "fragments" "time-range" "vlan" "controller" // "interface" "description" "remark" "shutdown" "exit" LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_5(_tokenSet_5_data_,4); const unsigned long IOSCfgParser::_tokenSet_6_data_[] = { 3229089778UL, 28600UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" "icmp" "tcp" "host" "community-list" WORD "certificate" // "version" NUMBER "hostname" STRING "access-list" INT_CONST "permit" // "deny" "udp" "log" "log-input" "vlan" "controller" "interface" "description" // "remark" "shutdown" "access-group" "address" "exit" LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_6(_tokenSet_6_data_,4); const unsigned long IOSCfgParser::_tokenSet_7_data_[] = { 805306880UL, 0UL, 0UL, 0UL }; // "host" IPV4 "any" const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_7(_tokenSet_7_data_,4); const unsigned long IOSCfgParser::_tokenSet_8_data_[] = { 4290165362UL, 25535UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" "host" WORD "certificate" "version" "hostname" // "access-list" INT_CONST "permit" "deny" "eq" "gt" "lt" "neq" "range" // IPV4 "any" "log" "log-input" "established" "fragments" "time-range" // "vlan" "controller" "interface" "description" "remark" "shutdown" "exit" // LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_8(_tokenSet_8_data_,4); const unsigned long IOSCfgParser::_tokenSet_9_data_[] = { 3224549490UL, 25530UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" WORD "certificate" "version" "hostname" "access-list" // "permit" "deny" "log" "log-input" "fragments" "vlan" "controller" "interface" // "description" "remark" "shutdown" "exit" LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_9(_tokenSet_9_data_,4); const unsigned long IOSCfgParser::_tokenSet_10_data_[] = { 3224549490UL, 25528UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" WORD "certificate" 
"version" "hostname" "access-list" // "permit" "deny" "log" "log-input" "vlan" "controller" "interface" "description" // "remark" "shutdown" "exit" LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_10(_tokenSet_10_data_,4); const unsigned long IOSCfgParser::_tokenSet_11_data_[] = { 4029856370UL, 25535UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" "host" WORD "certificate" "version" "hostname" // "access-list" "permit" "deny" IPV4 "any" "log" "log-input" "established" // "fragments" "time-range" "vlan" "controller" "interface" "description" // "remark" "shutdown" "exit" LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_11(_tokenSet_11_data_,4); const unsigned long IOSCfgParser::_tokenSet_12_data_[] = { 3221403762UL, 25272UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" WORD "certificate" "version" "hostname" "access-list" // "log" "log-input" "vlan" "controller" "interface" "description" "shutdown" // "exit" LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_12(_tokenSet_12_data_,4); const unsigned long IOSCfgParser::_tokenSet_13_data_[] = { 4030118514UL, 25535UL, 0UL, 0UL }; // EOF NEWLINE "ip" "quit" "host" WORD "certificate" "version" "hostname" // "access-list" INT_CONST "permit" "deny" IPV4 "any" "log" "log-input" // "established" "fragments" "time-range" "vlan" "controller" "interface" // "description" "remark" "shutdown" "exit" LINE_COMMENT const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_13(_tokenSet_13_data_,4); const unsigned long IOSCfgParser::_tokenSet_14_data_[] = { 16UL, 0UL, 0UL, 0UL }; // NEWLINE const ANTLR_USE_NAMESPACE(antlr)BitSet IOSCfgParser::_tokenSet_14(_tokenSet_14_data_,4); fwbuilder-5.3.7/src/parsers/IOSCfgParser.hpp000066400000000000000000000130271303637203600207250ustar00rootroot00000000000000#ifndef INC_IOSCfgParser_hpp_ #define INC_IOSCfgParser_hpp_ #line 27 "iosacl.g" // gets inserted before antlr generated includes in the header // file #include 
"IOSImporter.h" #line 11 "IOSCfgParser.hpp" #include /* $ANTLR 2.7.7 (20090306): "iosacl.g" -> "IOSCfgParser.hpp"$ */ #include #include #include "IOSCfgParserTokenTypes.hpp" #include #line 33 "iosacl.g" // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include class IOSImporter; #line 28 "IOSCfgParser.hpp" #line 57 "iosacl.g" // gets inserted after generated namespace specifications in the // header file. But outside the generated class. #line 34 "IOSCfgParser.hpp" class CUSTOM_API IOSCfgParser : public ANTLR_USE_NAMESPACE(antlr)LLkParser, public IOSCfgParserTokenTypes { #line 74 "iosacl.g" // additional methods and members public: std::ostream *dbg; IOSImporter *importer; /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { importer->addMessageToLog("Parser error: " + ex.toString()); } /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser error: " + s); } /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser warning: " + s); } #line 38 "IOSCfgParser.hpp" public: void initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& factory ); protected: IOSCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k); public: IOSCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf); protected: IOSCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k); public: IOSCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer); IOSCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state); int getNumTokens() const { return IOSCfgParser::NUM_TOKENS; } const char* getTokenName( int type ) const { if( type > getNumTokens() ) return 0; return 
IOSCfgParser::tokenNames[type]; } const char* const* getTokenNames() const { return IOSCfgParser::tokenNames; } public: void cfgfile(); public: void comment(); public: void version(); public: void hostname(); public: void ip_commands(); public: void intrface(); public: void controller(); public: void vlan(); public: void access_list_commands(); public: void exit(); public: void description(); public: void shutdown(); public: void certificate(); public: void quit(); public: void unknown_command(); public: void ip_access_list_ext(); public: void interface_known_ip_commands(); public: void community_list_command(); public: void ip_unused_command(); public: void permit_std(); public: void deny_std(); public: void permit_ext(); public: void deny_ext(); public: void remark(); public: void rule_ext(); public: void rule_std(); public: void ip_protocols(); public: void hostaddr_ext(); public: void time_range(); public: void fragments(); public: void log(); public: void icmp_spec(); public: void xoperator(); public: void established(); public: void hostaddr_std(); public: void single_port_op(); public: void port_range(); public: void port_spec(); public: void access_group_by_name(); public: void access_group_by_number(); public: void intf_address(); public: ANTLR_USE_NAMESPACE(antlr)RefAST getAST() { return returnAST; } protected: ANTLR_USE_NAMESPACE(antlr)RefAST returnAST; private: static const char* tokenNames[]; #ifndef NO_STATIC_CONSTS static const int NUM_TOKENS = 80; #else enum { NUM_TOKENS = 80 }; #endif static const unsigned long _tokenSet_0_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long _tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; static const unsigned long _tokenSet_3_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_3; static const unsigned long 
_tokenSet_4_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_4; static const unsigned long _tokenSet_5_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_5; static const unsigned long _tokenSet_6_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_6; static const unsigned long _tokenSet_7_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_7; static const unsigned long _tokenSet_8_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_8; static const unsigned long _tokenSet_9_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_9; static const unsigned long _tokenSet_10_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_10; static const unsigned long _tokenSet_11_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_11; static const unsigned long _tokenSet_12_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_12; static const unsigned long _tokenSet_13_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_13; static const unsigned long _tokenSet_14_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_14; }; #endif /*INC_IOSCfgParser_hpp_*/ fwbuilder-5.3.7/src/parsers/IOSCfgParserTokenTypes.hpp000066400000000000000000000031751303637203600227560ustar00rootroot00000000000000#ifndef INC_IOSCfgParserTokenTypes_hpp_ #define INC_IOSCfgParserTokenTypes_hpp_ /* $ANTLR 2.7.7 (20090306): "iosacl.g" -> "IOSCfgParserTokenTypes.hpp"$ */ #ifndef CUSTOM_API # define CUSTOM_API #endif #ifdef __cplusplus struct CUSTOM_API IOSCfgParserTokenTypes { #endif enum { EOF_ = 1, NEWLINE = 4, IP = 5, QUIT = 6, ICMP = 7, TCP = 8, HOST = 9, COMMUNITY_LIST = 10, WORD = 11, CERTIFICATE = 12, IOSVERSION = 13, NUMBER = 14, HOSTNAME = 15, STRING = 16, ACCESS_LIST = 17, INT_CONST = 18, EXTENDED = 19, PERMIT = 20, DENY = 21, UDP = 22, P_EQ = 23, P_GT = 24, P_LT = 25, P_NEQ = 26, P_RANGE = 27, IPV4 = 28, ANY = 29, LOG = 30, LOG_INPUT = 31, ESTABLISHED = 32, 
FRAGMENTS = 33, TIME_RANGE = 34, VLAN = 35, CONTROLLER = 36, INTRFACE = 37, POINT_TO_POINT = 38, DESCRIPTION = 39, REMARK = 40, SHUTDOWN = 41, ACCESS_GROUP = 42, ADDRESS = 43, SECONDARY = 44, EXIT = 45, LINE_COMMENT = 46, STANDARD = 47, Whitespace = 48, HEX_CONST = 49, NEG_INT_CONST = 50, DIGIT = 51, HEXDIGIT = 52, PIPE_CHAR = 53, NUMBER_SIGN = 54, PERCENT = 55, AMPERSAND = 56, APOSTROPHE = 57, OPENING_PAREN = 58, CLOSING_PAREN = 59, STAR = 60, PLUS = 61, COMMA = 62, MINUS = 63, DOT = 64, SLASH = 65, COLON = 66, SEMICOLON = 67, LESS_THAN = 68, EQUALS = 69, GREATER_THAN = 70, QUESTION = 71, COMMERCIAL_AT = 72, OPENING_SQUARE = 73, CLOSING_SQUARE = 74, CARET = 75, UNDERLINE = 76, OPENING_BRACE = 77, CLOSING_BRACE = 78, TILDE = 79, NULL_TREE_LOOKAHEAD = 3 }; #ifdef __cplusplus }; #endif #endif /*INC_IOSCfgParserTokenTypes_hpp_*/ fwbuilder-5.3.7/src/parsers/IOSCfgParserTokenTypes.txt000066400000000000000000000025161303637203600230040ustar00rootroot00000000000000// $ANTLR 2.7.7 (20090306): iosacl.g -> IOSCfgParserTokenTypes.txt$ IOSCfgParser // output token vocab name NEWLINE=4 IP="ip"=5 QUIT="quit"=6 ICMP="icmp"=7 TCP="tcp"=8 HOST="host"=9 COMMUNITY_LIST="community-list"=10 WORD=11 CERTIFICATE="certificate"=12 IOSVERSION="version"=13 NUMBER=14 HOSTNAME="hostname"=15 STRING=16 ACCESS_LIST="access-list"=17 INT_CONST=18 EXTENDED="extended"=19 PERMIT="permit"=20 DENY="deny"=21 UDP="udp"=22 P_EQ="eq"=23 P_GT="gt"=24 P_LT="lt"=25 P_NEQ="neq"=26 P_RANGE="range"=27 IPV4=28 ANY="any"=29 LOG="log"=30 LOG_INPUT="log-input"=31 ESTABLISHED="established"=32 FRAGMENTS="fragments"=33 TIME_RANGE="time-range"=34 VLAN="vlan"=35 CONTROLLER="controller"=36 INTRFACE="interface"=37 POINT_TO_POINT="point-to-point"=38 DESCRIPTION="description"=39 REMARK="remark"=40 SHUTDOWN="shutdown"=41 ACCESS_GROUP="access-group"=42 ADDRESS="address"=43 SECONDARY="secondary"=44 EXIT="exit"=45 LINE_COMMENT=46 STANDARD="standard"=47 Whitespace=48 HEX_CONST=49 NEG_INT_CONST=50 DIGIT=51 HEXDIGIT=52 PIPE_CHAR=53 
NUMBER_SIGN=54 PERCENT=55 AMPERSAND=56 APOSTROPHE=57 OPENING_PAREN=58 CLOSING_PAREN=59 STAR=60 PLUS=61 COMMA=62 MINUS=63 DOT=64 SLASH=65 COLON=66 SEMICOLON=67 LESS_THAN=68 EQUALS=69 GREATER_THAN=70 QUESTION=71 COMMERCIAL_AT=72 OPENING_SQUARE=73 CLOSING_SQUARE=74 CARET=75 UNDERLINE=76 OPENING_BRACE=77 CLOSING_BRACE=78 TILDE=79 fwbuilder-5.3.7/src/parsers/IPTCfgLexer.cpp000066400000000000000000002741121303637203600205510ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20090306): "iptables.g" -> "IPTCfgLexer.cpp"$ */ #line 55 "iptables.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "IPTCfgLexer.cpp" #include "IPTCfgLexer.hpp" #include #include #include #include #include #include #include #line 61 "iptables.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #include "fwbuilder/TCPService.h" #include "fwbuilder/Logger.h" #include #line 30 "IPTCfgLexer.cpp" #line 1 "iptables.g" #line 32 "IPTCfgLexer.cpp" IPTCfgLexer::IPTCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in) : ANTLR_USE_NAMESPACE(antlr)CharScanner(new ANTLR_USE_NAMESPACE(antlr)CharBuffer(in),true) { initLiterals(); } IPTCfgLexer::IPTCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib) : ANTLR_USE_NAMESPACE(antlr)CharScanner(ib,true) { initLiterals(); } IPTCfgLexer::IPTCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)CharScanner(state,true) { initLiterals(); } void IPTCfgLexer::initLiterals() { literals["FIN"] = 109; literals["RST"] = 110; literals["NEW"] = 63; literals["comment"] = 96; literals["ESTABLISHED"] = 64; literals["recent"] = 74; literals["limit"] = 71; literals["POSTROUTING"] = 16; literals["INPUT"] = 12; literals["ACK"] = 108; literals["URG"] = 111; literals["mark"] = 69; literals["iprange"] = 75; literals["multiport"] = 95; literals["pkttype"] = 90; literals["broadcast"] = 92; literals["NONE"] = 114; literals["multicast"] = 93; literals["ALL"] = 113; literals["length"] = 88; 
literals["PSH"] = 112; literals["SYN"] = 107; literals["udp"] = 33; literals["PREROUTING"] = 15; literals["FORWARD"] = 13; literals["INVALID"] = 62; literals["OUTPUT"] = 14; literals["state"] = 66; literals["unicast"] = 94; literals["RELATED"] = 65; literals["icmp"] = 34; literals["tcp"] = 32; literals["COMMIT"] = 9; } ANTLR_USE_NAMESPACE(antlr)RefToken IPTCfgLexer::nextToken() { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; for (;;) { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; int _ttype = ANTLR_USE_NAMESPACE(antlr)Token::INVALID_TYPE; resetText(); try { // for lexical and char stream error handling switch ( LA(1)) { case 0xa /* '\n' */ : case 0xd /* '\r' */ : { mNEWLINE(true); theRetToken=_returnToken; break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { mNUMBER(true); theRetToken=_returnToken; break; } case 0x24 /* '$' */ : case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 
0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { mWORD(true); theRetToken=_returnToken; break; } case 0x22 /* '\"' */ : { mSTRING(true); theRetToken=_returnToken; break; } case 0x21 /* '!' */ : { mEXCLAMATION(true); theRetToken=_returnToken; break; } case 0x23 /* '#' */ : { mNUMBER_SIGN(true); theRetToken=_returnToken; break; } case 0x25 /* '%' */ : { mPERCENT(true); theRetToken=_returnToken; break; } case 0x26 /* '&' */ : { mAMPERSAND(true); theRetToken=_returnToken; break; } case 0x27 /* '\'' */ : { mAPOSTROPHE(true); theRetToken=_returnToken; break; } case 0x28 /* '(' */ : { mOPENING_PAREN(true); theRetToken=_returnToken; break; } case 0x29 /* ')' */ : { mCLOSING_PAREN(true); theRetToken=_returnToken; break; } case 0x2a /* '*' */ : { mSTAR(true); theRetToken=_returnToken; break; } case 0x2b /* '+' */ : { mPLUS(true); theRetToken=_returnToken; break; } case 0x2c /* ',' */ : { mCOMMA(true); theRetToken=_returnToken; break; } case 0x2e /* '.' */ : { mDOT(true); theRetToken=_returnToken; break; } case 0x2f /* '/' */ : { mSLASH(true); theRetToken=_returnToken; break; } case 0x3a /* ':' */ : { mCOLON(true); theRetToken=_returnToken; break; } case 0x3b /* ';' */ : { mSEMICOLON(true); theRetToken=_returnToken; break; } case 0x3c /* '<' */ : { mLESS_THAN(true); theRetToken=_returnToken; break; } case 0x3d /* '=' */ : { mEQUALS(true); theRetToken=_returnToken; break; } case 0x3e /* '>' */ : { mGREATER_THAN(true); theRetToken=_returnToken; break; } case 0x3f /* '?' 
*/ : { mQUESTION(true); theRetToken=_returnToken; break; } case 0x40 /* '@' */ : { mCOMMERCIAL_AT(true); theRetToken=_returnToken; break; } case 0x5b /* '[' */ : { mOPENING_SQUARE(true); theRetToken=_returnToken; break; } case 0x5d /* ']' */ : { mCLOSING_SQUARE(true); theRetToken=_returnToken; break; } case 0x5e /* '^' */ : { mCARET(true); theRetToken=_returnToken; break; } case 0x5f /* '_' */ : { mUNDERLINE(true); theRetToken=_returnToken; break; } case 0x7b /* '{' */ : { mOPENING_BRACE(true); theRetToken=_returnToken; break; } case 0x7d /* '}' */ : { mCLOSING_BRACE(true); theRetToken=_returnToken; break; } case 0x7e /* '~' */ : { mTILDE(true); theRetToken=_returnToken; break; } default: if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x64 /* 'd' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x73 /* 's' */ ) && (LA(6) == 0x74 /* 't' */ ) && (LA(7) == 0x69 /* 'i' */ ) && (LA(8) == 0x6e /* 'n' */ ) && (LA(9) == 0x61 /* 'a' */ ) && (LA(10) == 0x74 /* 't' */ ) && (LA(11) == 0x69 /* 'i' */ ) && (LA(12) == 0x6f /* 'o' */ ) && (LA(13) == 0x6e /* 'n' */ ) && (LA(14) == 0x2d /* '-' */ ) && (LA(15) == 0x70 /* 'p' */ ) && (LA(16) == 0x6f /* 'o' */ ) && (LA(17) == 0x72 /* 'r' */ ) && (LA(18) == 0x74 /* 't' */ ) && (LA(19) == 0x73 /* 's' */ )) { mMATCH_DST_MULTIPORT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x64 /* 'd' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x73 /* 's' */ ) && (LA(6) == 0x74 /* 't' */ ) && (LA(7) == 0x69 /* 'i' */ ) && (LA(8) == 0x6e /* 'n' */ ) && (LA(9) == 0x61 /* 'a' */ ) && (LA(10) == 0x74 /* 't' */ ) && (LA(11) == 0x69 /* 'i' */ ) && (LA(12) == 0x6f /* 'o' */ ) && (LA(13) == 0x6e /* 'n' */ ) && (LA(14) == 0x2d /* '-' */ ) && (LA(15) == 0x70 /* 'p' */ ) && (LA(16) == 0x6f /* 'o' */ ) && (LA(17) == 0x72 /* 'r' */ ) && (LA(18) == 0x74 /* 't' */ ) && (true)) { mMATCH_DST_PORT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && 
(LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x75 /* 'u' */ ) && (LA(6) == 0x72 /* 'r' */ ) && (LA(7) == 0x63 /* 'c' */ ) && (LA(8) == 0x65 /* 'e' */ ) && (LA(9) == 0x2d /* '-' */ ) && (LA(10) == 0x70 /* 'p' */ ) && (LA(11) == 0x6f /* 'o' */ ) && (LA(12) == 0x72 /* 'r' */ ) && (LA(13) == 0x74 /* 't' */ ) && (LA(14) == 0x73 /* 's' */ )) { mMATCH_SRC_MULTIPORT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x75 /* 'u' */ ) && (LA(6) == 0x72 /* 'r' */ ) && (LA(7) == 0x63 /* 'c' */ ) && (LA(8) == 0x65 /* 'e' */ ) && (LA(9) == 0x2d /* '-' */ ) && (LA(10) == 0x70 /* 'p' */ ) && (LA(11) == 0x6f /* 'o' */ ) && (LA(12) == 0x72 /* 'r' */ ) && (LA(13) == 0x74 /* 't' */ ) && (true)) { mMATCH_SRC_PORT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6c /* 'l' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x67 /* 'g' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x74 /* 't' */ ) && (LA(8) == 0x63 /* 'c' */ ) && (LA(9) == 0x70 /* 'p' */ ) && (LA(10) == 0x2d /* '-' */ ) && (LA(11) == 0x73 /* 's' */ )) { mLOG_TCP_SEQ(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6c /* 'l' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x67 /* 'g' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x74 /* 't' */ ) && (LA(8) == 0x63 /* 'c' */ ) && (LA(9) == 0x70 /* 'p' */ ) && (LA(10) == 0x2d /* '-' */ ) && (LA(11) == 0x6f /* 'o' */ )) { mLOG_TCP_OPT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6c /* 'l' */ ) && (LA(4) == 0x69 /* 'i' */ ) && (LA(5) == 0x6d /* 'm' */ ) && (LA(6) == 0x69 /* 'i' */ ) && (LA(7) == 0x74 /* 't' */ ) && (LA(8) == 0x2d /* '-' */ )) { mMATCH_LIMIT_BURST(true); theRetToken=_returnToken; } 
else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x75 /* 'u' */ ) && (LA(4) == 0x6c /* 'l' */ ) && (LA(5) == 0x6f /* 'o' */ ) && (LA(6) == 0x67 /* 'g' */ ) && (LA(7) == 0x2d /* '-' */ ) && (LA(8) == 0x70 /* 'p' */ )) { mULOG_PREFIX(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x75 /* 'u' */ ) && (LA(4) == 0x6c /* 'l' */ ) && (LA(5) == 0x6f /* 'o' */ ) && (LA(6) == 0x67 /* 'g' */ ) && (LA(7) == 0x2d /* '-' */ ) && (LA(8) == 0x71 /* 'q' */ )) { mULOG_QTHR(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x75 /* 'u' */ ) && (LA(4) == 0x6c /* 'l' */ ) && (LA(5) == 0x6f /* 'o' */ ) && (LA(6) == 0x67 /* 'g' */ ) && (LA(7) == 0x2d /* '-' */ ) && (LA(8) == 0x6e /* 'n' */ )) { mULOG_NLG(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x75 /* 'u' */ ) && (LA(4) == 0x6c /* 'l' */ ) && (LA(5) == 0x6f /* 'o' */ ) && (LA(6) == 0x67 /* 'g' */ ) && (LA(7) == 0x2d /* '-' */ ) && (LA(8) == 0x63 /* 'c' */ )) { mULOG_CPR(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x74 /* 't' */ ) && (LA(4) == 0x63 /* 'c' */ ) && (LA(5) == 0x70 /* 'p' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x66 /* 'f' */ )) { mMATCH_TCP_FLAGS(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x74 /* 't' */ ) && (LA(4) == 0x63 /* 'c' */ ) && (LA(5) == 0x70 /* 'p' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x6f /* 'o' */ )) { mMATCH_TCP_OPTION(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6c /* 'l' */ ) && (LA(4) == 0x69 /* 'i' */ ) && (LA(5) == 0x6d /* 'm' */ ) && (LA(6) == 0x69 /* 'i' */ ) && (LA(7) == 0x74 /* 't' */ ) && (true)) { mMATCH_LIMIT(true); theRetToken=_returnToken; } 
else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x74 /* 't' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x63 /* 'c' */ )) { mSET_CLASS(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x74 /* 't' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x6d /* 'm' */ )) { mSET_MARK(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x74 /* 't' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x74 /* 't' */ )) { mSET_TOS(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6c /* 'l' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x67 /* 'g' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x70 /* 'p' */ )) { mLOG_PREFIX(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6c /* 'l' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x67 /* 'g' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x6c /* 'l' */ )) { mLOG_LEVEL(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6c /* 'l' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x67 /* 'g' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x69 /* 'i' */ )) { mLOG_IP_OPT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x74 /* 't' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x2d /* '-' */ ) && (LA(6) == 0x73 /* 's' */ )) { mTO_SOURCE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x74 /* 't' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x2d /* '-' */ ) && (LA(6) == 0x64 
/* 'd' */ )) { mTO_DESTINATION(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x74 /* 't' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x2d /* '-' */ ) && (LA(6) == 0x70 /* 'p' */ )) { mTO_PORTS(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x72 /* 'r' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x6d /* 'm' */ )) { mMATCH_RECENT_REMOVE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x63 /* 'c' */ )) { mMATCH_RECENT_SECONDS(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x74 /* 't' */ ) && (true)) { mMATCH_RECENT_SET(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x63 /* 'c' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x6d /* 'm' */ )) { mMATCH_COMMENT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x72 /* 'r' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x6a /* 'j' */ )) { mREJECT_WITH(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x72 /* 'r' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x73 /* 's' */ )) { mRESTORE_MARK(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x63 /* 'c' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (LA(5) == 0x6e /* 'n' */ )) { mCONTINUE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x72 /* 'r' */ ) && (LA(4) == 0x73 /* 's' */ )) { mRSOURCE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) 
== 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x74 /* 't' */ )) { mMATCH_STATE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x70 /* 'p' */ ) && (LA(4) == 0x6f /* 'o' */ )) { mMATCH_BOTH_MULTIPORT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x70 /* 'p' */ )) { mMATCH_SRC_PORT_SHORT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x64 /* 'd' */ ) && (LA(4) == 0x70 /* 'p' */ )) { mMATCH_DST_PORT_SHORT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x79 /* 'y' */ )) { mMATCH_SYN(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x69 /* 'i' */ ) && (LA(4) == 0x63 /* 'c' */ )) { mMATCH_ICMP_TYPE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6c /* 'l' */ ) && (LA(4) == 0x65 /* 'e' */ )) { mMATCH_LENGTH(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x72 /* 'r' */ ) && (LA(4) == 0x63 /* 'c' */ )) { mMATCH_RECENT_RCHECK(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x75 /* 'u' */ ) && (LA(4) == 0x70 /* 'p' */ )) { mMATCH_RECENT_UPDATE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x72 /* 'r' */ ) && (LA(4) == 0x74 /* 't' */ )) { mMATCH_RECENT_RTTL(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x72 /* 'r' */ ) && (LA(4) == 0x64 /* 'd' */ )) { mMATCH_RECENT_RDEST(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && 
(LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x72 /* 'r' */ )) { mMATCH_IPRANGE_SRC(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x64 /* 'd' */ ) && (LA(4) == 0x73 /* 's' */ )) { mMATCH_IPRANGE_DST(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x70 /* 'p' */ ) && (LA(4) == 0x6b /* 'k' */ )) { mMATCH_PKT_TYPE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x61 /* 'a' */ )) { mSAVE_MARK(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x69 /* 'i' */ ) && (LA(4) == 0x69 /* 'i' */ )) { mROUTE_IIF(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x74 /* 't' */ ) && (LA(4) == 0x65 /* 'e' */ )) { mROUTE_TEE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x74 /* 't' */ ) && (LA(4) == 0x6f /* 'o' */ ) && (true)) { mTO_NETMAP(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x63 /* 'c' */ ) && (LA(4) == 0x6c /* 'l' */ )) { mCLAMP_MSS(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6d /* 'm' */ )) { mMATCH_MARK(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6e /* 'n' */ )) { mMATCH_RECENT_NAME(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x68 /* 'h' */ )) { mMATCH_RECENT_HITCOUNT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x6f /* 'o' */ )) { mROUTE_OIF(true); theRetToken=_returnToken; } else 
if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x67 /* 'g' */ )) { mROUTE_GW(true); theRetToken=_returnToken; } else if ((LA(1) == 0x20 /* ' ' */ ) && (LA(2) == 0x47 /* 'G' */ )) { mIPTABLES_SAVE_HEADER(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x41 /* 'A' */ )) { mADD_RULE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x6d /* 'm' */ )) { mOPT_MODULE(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x73 /* 's' */ )) { mOPT_SRC(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x64 /* 'd' */ )) { mOPT_DST(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x69 /* 'i' */ )) { mOPT_IN_INTF(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x6f /* 'o' */ )) { mOPT_OUT_INTF(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x70 /* 'p' */ )) { mOPT_PROTO(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x6a /* 'j' */ )) { mOPT_TARGET(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x66 /* 'f' */ )) { mOPT_FRAGM(true); theRetToken=_returnToken; } else if ((_tokenSet_0.member(LA(1))) && (true)) { mWhitespace(true); theRetToken=_returnToken; } else if ((LA(1) == 0x2d /* '-' */ ) && (true)) { mMINUS(true); theRetToken=_returnToken; } else { if (LA(1)==EOF_CHAR) { uponEOF(); _returnToken = makeToken(ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE); } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } if ( !_returnToken ) goto tryAgain; // found SKIP token _ttype = _returnToken->getType(); _ttype = testLiteralsTable(_ttype); _returnToken->setType(_ttype); return _returnToken; } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& e) { throw 
ANTLR_USE_NAMESPACE(antlr)TokenStreamRecognitionException(e); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamIOException& csie) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamIOException(csie.io); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamException& cse) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamException(cse.getMessage()); } tryAgain:; } }
/*
 * ANTLR-generated lexer rules for the iptables-save importer.  The #line
 * directives below point back at the grammar, iptables.g: fix recognition
 * problems there and regenerate instead of patching this file by hand.
 * Every mXXX() rule has the same skeleton: remember where the token text
 * starts in the lexer's accumulated-text buffer `text`, consume input with
 * match()/matchRange(), then -- unless the rule set _ttype to SKIP or the
 * caller passed _createToken == false -- build a token from the consumed
 * text and leave it in _returnToken.  Any mismatch throws a recognition
 * exception; nextToken() (above) converts those to TokenStream* exceptions.
 */
/* Banner line written by iptables-save: matches the literal
 * " Generated by iptables-save v".  nextToken() dispatches here on a space
 * followed by 'G'; the leading '#' of the banner is not consumed by this rule
 * and the version number after the literal is left in the stream (mNUMBER()
 * has a THREE_COMPONENT_VERSION alternative for it). */
void IPTCfgLexer::mIPTABLES_SAVE_HEADER(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = IPTABLES_SAVE_HEADER; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match(" Generated by iptables-save v"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Whitespace -- consumed and SKIPped, never returned as a token.  Accepted:
 * control bytes 0x03-0x08, TAB, VT, FF, 0x0E-0x1F, the space character, and
 * every byte 0x7F-0xFF.  CR and LF are deliberately absent; they belong to
 * mNEWLINE().
 * NOTE(review): because the whole high-bit range is treated as whitespace,
 * any non-ASCII byte that appears outside a quoted STRING is silently dropped
 * rather than reported.  An importer that wants to notice mangled or hostile
 * input would have to narrow that range in the grammar.
 * NOTE(review): the bare static_cast('\377') below appears to have lost its
 * template argument in extraction; the generated source casts to char. */
void IPTCfgLexer::mWhitespace(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = Whitespace; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ { switch ( LA(1)) { case 0x3 /* '\3' */ : case 0x4 /* '\4' */ : case 0x5 /* '\5' */ : case 0x6 /* '\6' */ : case 0x7 /* '\7' */ : case 0x8 /* '\10' */ : { matchRange('\3','\10'); break; } case 0x9 /* '\t' */ : { match('\t' /* charlit */ ); break; } case 0xb /* '\13' */ : { match('\13' /* charlit */ ); break; } case 0xc /* '\14' */ : { match('\14' /* charlit */ ); break; } case 0xe /* '\16' */ : case 0xf /* '\17' */ : case 0x10 /* '\20' */ : case 0x11 /* '\21' */ : case 0x12 /* '\22' */ : case 0x13 /* '\23' */ : case 0x14 /* '\24' */ : case 0x15 /* '\25' */ : case 0x16 /* '\26' */ : case 0x17 /* '\27' */ : case 0x18 /* '\30' */ : case 0x19 /* '\31' */ : case 0x1a /* '\32' */ : case 0x1b /* '\33' */ : case 0x1c /* '\34' */ : case 0x1d /* '\35' */ : case 0x1e /* '\36' */ : case 0x1f /* '\37' */ : { matchRange('\16','\37'); break; } case 
0x20 /* ' ' */ : { match(' ' /* charlit */ ); break; } default: if (((LA(1) >= 0x7f && LA(1) <= 0xff))) { matchRange('\177',static_cast('\377')); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } if ( inputState->guessing==0 ) {
#line 1250 "iptables.g"
_ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP; /* grammar action: whitespace never becomes a token */
#line 723 "IPTCfgLexer.cpp"
} if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Line terminator: "\r\n", a lone '\r' or a lone '\n'.  The grammar action
 * bumps the line counter (newline()) and clears the accumulated token text
 * (resetText()).  Unlike whitespace this IS returned, as a NEWLINE token. */
void IPTCfgLexer::mNEWLINE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEWLINE; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ { if ((LA(1) == 0xd /* '\r' */ ) && (LA(2) == 0xa /* '\n' */ )) { match("\r\n"); } else if ((LA(1) == 0xd /* '\r' */ ) && (true)) { match('\r' /* charlit */ ); } else if ((LA(1) == 0xa /* '\n' */ )) { match('\n' /* charlit */ ); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } if ( inputState->guessing==0 ) {
#line 1252 "iptables.g"
newline(); resetText();
#line 756 "IPTCfgLexer.cpp"
} if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* IPV4, THREE_COMPONENT_VERSION, IPV6, MAC_ADDRESS and INT_CONST below are
 * empty rules: they consume nothing and exist only so the token types are
 * declared.  IPV4, THREE_COMPONENT_VERSION and INT_CONST are actually
 * produced by mNUMBER(), which retags its _ttype; nothing in this part of the
 * file produces IPV6 or MAC_ADDRESS. */
void IPTCfgLexer::mIPV4(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = IPV4; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); 
_token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Empty rule; the type is assigned by mNUMBER() for a ddd.ddd.ddd value. */
void IPTCfgLexer::mTHREE_COMPONENT_VERSION(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = THREE_COMPONENT_VERSION; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Empty rule (type declaration only); no producer is visible in this chunk. */
void IPTCfgLexer::mIPV6(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = IPV6; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Empty rule (type declaration only); no producer is visible in this chunk. */
void IPTCfgLexer::mMAC_ADDRESS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MAC_ADDRESS; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Empty rule; INT_CONST is assigned by mNUMBER() for a plain digit run. */
void IPTCfgLexer::mINT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = INT_CONST; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = 
makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Empty rule (type declaration only); HEX_CONST is assigned by mNUMBER()
 * when the input starts with "0x". */
void IPTCfgLexer::mHEX_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEX_CONST; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Empty rule (type declaration only); no rule in this chunk produces it. */
void IPTCfgLexer::mNEG_INT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEG_INT_CONST; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* One decimal digit '0'..'9'.  Only ever called with _createToken == false
 * from mNUMBER(), i.e. as a helper that consumes a character. */
void IPTCfgLexer::mDIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DIGIT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ matchRange('0','9'); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* One hexadecimal digit, either case ('0'-'9', 'A'-'F', 'a'-'f'); anything
 * else raises NoViableAltForCharException.  Helper for mNUM_HEX_4DIGIT() and
 * the 0x alternative of mNUMBER(). */
void IPTCfgLexer::mHEXDIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEXDIGIT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ switch ( LA(1)) { case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' 
*/ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : { matchRange('A','F'); break; } case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : { matchRange('a','f'); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* One to three decimal digits, greedy (the optional second and third digit
 * are taken whenever the next char is a digit).  Only the digit COUNT is
 * checked, never the value: "999" is accepted here, so an IPv4 octet above
 * 255 passes the lexer and has to be rejected later -- the parser side is
 * not visible in this file, so confirm it does. */
void IPTCfgLexer::mNUM_3DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUM_3DIGIT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ { matchRange('0','9'); } { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { { matchRange('0','9'); } { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { matchRange('0','9'); } else { } } } else { } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* One to four hex digits, greedy; _tokenSet_1 is the lookahead set used
 * throughout this lexer as "is a hex digit".  No caller is visible in this
 * chunk (presumably the IPv6 rule; not confirmed here). */
void IPTCfgLexer::mNUM_HEX_4DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUM_HEX_4DIGIT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ mHEXDIGIT(false); { if ((_tokenSet_1.member(LA(1)))) { { mHEXDIGIT(false); } { if ((_tokenSet_1.member(LA(1)))) { { mHEXDIGIT(false); } { if ((_tokenSet_1.member(LA(1)))) 
{ mHEXDIGIT(false); } else { } } } else { } } } else { } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Everything that starts with a digit.  One rule, four alternatives, picked
 * by up-to-20-character lookahead plus a backtracking syntactic predicate
 * (mark()/rewind() with inputState->guessing raised, so the trial match
 * neither builds tokens nor lets a recognition exception escape):
 *   1. ddd.ddd.ddd.ddd  -> token type IPV4
 *   2. ddd.ddd.ddd      -> THREE_COMPONENT_VERSION (the iptables-save banner)
 *   3. 0x hexdigit+     -> HEX_CONST
 *   4. digit+           -> INT_CONST
 * Both predicates test the SAME prefix, NUM_3DIGIT '.' NUM_3DIGIT '.'; what
 * separates 1 from 2 is only the guard, which requires LA(2)..LA(7) versus
 * LA(2)..LA(5) to be members of _tokenSet_2.
 * NOTE(review): if _tokenSet_2 is just digits plus '.', a three-component
 * value whose first seven characters are all digits/dots (e.g. "1.10.11" or
 * "1.2.345") passes the first guard and predicate, is committed to the IPV4
 * alternative, and then fails on the missing fourth group with a recognition
 * exception instead of falling through to alternative 2.  Confirm against
 * _tokenSet_2 before relying on this for longer version strings.
 * No value is range-checked here (octets above 255, INT_CONST of any
 * length); testLiteralsTable() at the end may still remap the type if the
 * text happens to be a declared literal. */
void IPTCfgLexer::mNUMBER(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUMBER; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ bool synPredMatched186 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_2.member(LA(2))) && (_tokenSet_2.member(LA(3))) && (_tokenSet_2.member(LA(4))) && (_tokenSet_2.member(LA(5))) && (_tokenSet_2.member(LA(6))) && (_tokenSet_2.member(LA(7))) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true))) { int _m186 = mark(); synPredMatched186 = true; inputState->guessing++; try { { mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched186 = false; } rewind(_m186); inputState->guessing--; } if ( synPredMatched186 ) { { mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' 
/* charlit */ ); mNUM_3DIGIT(false); if ( inputState->guessing==0 ) {
#line 1319 "iptables.g"
_ttype = IPV4;
#line 1036 "IPTCfgLexer.cpp"
} } } else { bool synPredMatched189 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_2.member(LA(2))) && (_tokenSet_2.member(LA(3))) && (_tokenSet_2.member(LA(4))) && (_tokenSet_2.member(LA(5))) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true))) { int _m189 = mark(); synPredMatched189 = true; inputState->guessing++; try { { mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched189 = false; } rewind(_m189); inputState->guessing--; } if ( synPredMatched189 ) { { mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); if ( inputState->guessing==0 ) {
#line 1323 "iptables.g"
_ttype = THREE_COMPONENT_VERSION;
#line 1070 "IPTCfgLexer.cpp"
} } } else if ((LA(1) == 0x30 /* '0' */ ) && (LA(2) == 0x78 /* 'x' */ )) { { match('0' /* charlit */ ); match('x' /* charlit */ ); { /* ( ... )+  at least one hex digit is required after "0x" */ int _cnt193=0; for (;;) { if ((_tokenSet_1.member(LA(1)))) { mHEXDIGIT(false); } else { if ( _cnt193>=1 ) { goto _loop193; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt193++; } _loop193:; } /* ( ... )+ */ } if ( inputState->guessing==0 ) {
#line 1327 "iptables.g"
_ttype = HEX_CONST;
#line 1096 "IPTCfgLexer.cpp"
} } else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true)) { { /* ( ... )+  plain decimal run, unbounded length */ int _cnt195=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt195>=1 ) { goto _loop195; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt195++; } _loop195:; } /* ( ... )+ */ if ( inputState->guessing==0 ) {
#line 1329 "iptables.g"
_ttype = INT_CONST;
#line 1117 "IPTCfgLexer.cpp"
} } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } _ttype = testLiteralsTable(_ttype); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Bare word (chain/target/interface names and similar).  First character:
 * 'a'-'z', 'A'-'Z' or '$'.  Continuation characters: '!'..'+', '-', '.',
 * '/', '0'-'9', ':'..'@', 'A'-'Z', '^', '_', '`', 'a'-'z'; note that ',',
 * '\\', '|', '[', ']', '{', '}' and '~' terminate the word.
 * NOTE(review): a WORD can therefore carry shell metacharacters ('$',
 * backquote, ';', '&', '<', '>', quotes, parentheses).  This rule only
 * tokenizes; whatever later copies such names into generated scripts or the
 * GUI has to treat the text as untrusted and escape it. */
void IPTCfgLexer::mWORD(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = WORD; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ { switch ( LA(1)) { case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f 
/* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } case 0x24 /* '$' */ : { match('$' /* charlit */ ); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } { /* ( ... )*  WORD continuation characters: '!'..'+', '-', '.', '/', digits, ':'..'@', 'A'-'Z', '^', '_', '`', 'a'-'z'.  Anything else (',', '\\', '|', brackets, braces, '~', whitespace) ends the word.  NOTE(review): '$', '`', ';', '&', '<', '>', quotes and parentheses are all legal inside a WORD, so consumers must not paste the text into a shell script or the UI unescaped. */ for (;;) { switch ( LA(1)) { case 0x21 /* '!' */ : case 0x22 /* '\"' */ : case 0x23 /* '#' */ : case 0x24 /* '$' */ : case 0x25 /* '%' */ : case 0x26 /* '&' */ : case 0x27 /* '\'' */ : case 0x28 /* '(' */ : case 0x29 /* ')' */ : case 0x2a /* '*' */ : case 0x2b /* '+' */ : { matchRange('!','+'); break; } case 0x2d /* '-' */ : { match('-' /* charlit */ ); break; } case 0x2e /* '.' */ : { match('.' /* charlit */ ); break; } case 0x2f /* '/' */ : { match('/' /* charlit */ ); break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x3a /* ':' */ : { match(':' /* charlit */ ); break; } case 0x3b /* ';' */ : { match(';' /* charlit */ ); break; } case 0x3c /* '<' */ : { match('<' /* charlit */ ); break; } case 0x3d /* '=' */ : { match('=' /* charlit */ ); break; } case 0x3e /* '>' */ : { match('>' /* charlit */ ); break; } case 0x3f /* '?' */ : { match('?' 
/* charlit */ ); break; } case 0x40 /* '@' */ : { match('@' /* charlit */ ); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } case 0x5e /* '^' */ : { match('^' /* charlit */ ); break; } case 0x5f /* '_' */ : { match('_' /* charlit */ ); break; } case 0x60 /* '`' */ : { match('`' /* charlit */ ); break; } case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } default: { goto _loop199; } } } _loop199:; } /* ( ... )* */ if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Double-quoted string (e.g. a --log-prefix or --comment argument): '"',
 * then any run of characters that are members of _tokenSet_3 (everything the
 * grammar allows except '"'; whether newline is excluded is decided by that
 * set and is not visible here), then the closing '"'.  The quotes are part of
 * the token text.  There is NO escape handling: a backslash-escaped quote
 * inside the text ends the token at that quote, and an unterminated string
 * fails on the final match('"') with a recognition exception. */
void IPTCfgLexer::mSTRING(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = STRING; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match('\"' /* charlit */ ); { /* ( ... )* */ for (;;) { if ((_tokenSet_3.member(LA(1)))) { matchNot('\"' /* charlit */ ); } else { goto _loop202; } } _loop202:; } /* ( ... )* */ match('\"' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Empty rule (type declaration only).  Rules for options the importer
 * recognises but does not support, such as mRSOURCE() below, retag their
 * token to this type so the parser can treat them uniformly. */
void IPTCfgLexer::mUNSUPPORTED_OPTION(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = UNSUPPORTED_OPTION; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--rsource" (recent-match source flag).  Matched so the lexer does not
 * choke on it, but the grammar action rewrites the type to
 * UNSUPPORTED_OPTION, so the parser never sees an RSOURCE token. */
void IPTCfgLexer::mRSOURCE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = RSOURCE; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--rsource"); if ( inputState->guessing==0 ) {
#line 1353 "iptables.g"
_ttype = UNSUPPORTED_OPTION;
#line 1433 "IPTCfgLexer.cpp"
} if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); 
_token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* Literal option keywords.  Each rule below matches exactly its option
 * string and nothing else.  nextToken() has already chosen the rule from the
 * first few characters ("-A", "--st", "--po", "--sp", "--dp", "--sy",
 * "--ic", "--m", ...), so input that shares that prefix but diverges later
 * (e.g. "--stat") fails inside match() with a mismatched-character
 * exception rather than being re-dispatched.  Where two literals are
 * prefixes of one another ("--source-port" / "--source-ports") the choice is
 * made in the part of nextToken() that is not visible in this chunk. */
/* "-A" -- append rule to chain. */
void IPTCfgLexer::mADD_RULE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = ADD_RULE; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("-A"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--state" (conntrack state match). */
void IPTCfgLexer::mMATCH_STATE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_STATE; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--state"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--source-ports" (multiport). */
void IPTCfgLexer::mMATCH_SRC_MULTIPORT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_SRC_MULTIPORT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--source-ports"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--destination-ports" (multiport). */
void IPTCfgLexer::mMATCH_DST_MULTIPORT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_DST_MULTIPORT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--destination-ports"); if ( _createToken && 
_token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--ports" (multiport, either direction). */
void IPTCfgLexer::mMATCH_BOTH_MULTIPORT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_BOTH_MULTIPORT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--ports"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--source-port" (long form of --sport). */
void IPTCfgLexer::mMATCH_SRC_PORT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_SRC_PORT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--source-port"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--destination-port" (long form of --dport). */
void IPTCfgLexer::mMATCH_DST_PORT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_DST_PORT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--destination-port"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--sport". */
void IPTCfgLexer::mMATCH_SRC_PORT_SHORT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = 
text.length(); _ttype = MATCH_SRC_PORT_SHORT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--sport"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--dport". */
void IPTCfgLexer::mMATCH_DST_PORT_SHORT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_DST_PORT_SHORT; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--dport"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--syn". */
void IPTCfgLexer::mMATCH_SYN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_SYN; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--syn"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--tcp-flags". */
void IPTCfgLexer::mMATCH_TCP_FLAGS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_TCP_FLAGS; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--tcp-flags"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--tcp-option". */
void IPTCfgLexer::mMATCH_TCP_OPTION(bool 
_createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_TCP_OPTION; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--tcp-option"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--icmp-type". */
void IPTCfgLexer::mMATCH_ICMP_TYPE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_ICMP_TYPE; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--icmp-type"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--mark" (the mark match; "--set-mark" is a different rule). */
void IPTCfgLexer::mMATCH_MARK(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_MARK; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--mark"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; /* _saveIndex=0; */ }
/* "--length". */
void IPTCfgLexer::mMATCH_LENGTH(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_LENGTH; /* ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; */ match("--length"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, 
text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_LIMIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_LIMIT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--limit"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_LIMIT_BURST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_LIMIT_BURST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--limit-burst"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_RECENT_NAME(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_RECENT_NAME; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--name"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_RECENT_RCHECK(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_RECENT_RCHECK; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--rcheck"); if ( _createToken && 
_token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_RECENT_UPDATE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_RECENT_UPDATE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--update"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_RECENT_REMOVE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_RECENT_REMOVE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--remove"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_RECENT_SECONDS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_RECENT_SECONDS; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--seconds"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_RECENT_HITCOUNT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type 
_begin = text.length(); _ttype = MATCH_RECENT_HITCOUNT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--hitcount"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_RECENT_RTTL(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_RECENT_RTTL; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--rttl"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_RECENT_RDEST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_RECENT_RDEST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--rdest"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_RECENT_SET(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_RECENT_SET; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--set"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void 
IPTCfgLexer::mMATCH_IPRANGE_SRC(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_IPRANGE_SRC; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--src-range"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_IPRANGE_DST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_IPRANGE_DST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--dst-range"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_COMMENT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_COMMENT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--comment"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mMATCH_PKT_TYPE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MATCH_PKT_TYPE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--pkt-type"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = 
makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mREJECT_WITH(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = REJECT_WITH; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--reject-with"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mSET_CLASS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = SET_CLASS; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--set-class"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mSET_MARK(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = SET_MARK; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--set-mark"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mSAVE_MARK(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = SAVE_MARK; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--save-mark"); if ( _createToken && 
_token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mRESTORE_MARK(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = RESTORE_MARK; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--restore-mark"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mSET_TOS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = SET_TOS; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--set-tos"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mCONTINUE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CONTINUE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--continue"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mROUTE_IIF(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = ROUTE_IIF; 
//ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--iif"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mROUTE_OIF(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = ROUTE_OIF; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--oif"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mROUTE_GW(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = ROUTE_GW; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--gw"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mROUTE_TEE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = ROUTE_TEE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--tee"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mLOG_PREFIX(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; 
ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LOG_PREFIX; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--log-prefix"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mLOG_LEVEL(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LOG_LEVEL; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--log-level"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mLOG_TCP_SEQ(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LOG_TCP_SEQ; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--log-tcp-sequence"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mLOG_TCP_OPT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LOG_TCP_OPT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--log-tcp-options"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void 
IPTCfgLexer::mLOG_IP_OPT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LOG_IP_OPT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--log-ip-options"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mULOG_PREFIX(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = ULOG_PREFIX; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--ulog-prefix"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mULOG_QTHR(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = ULOG_QTHR; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--ulog-qthreshold"); if ( inputState->guessing==0 ) { #line 1421 "iptables.g" _ttype = UNSUPPORTED_OPTION; #line 2110 "IPTCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mULOG_NLG(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = ULOG_NLG; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--ulog-nlgroup"); if ( inputState->guessing==0 ) { #line 1422 
"iptables.g" _ttype = UNSUPPORTED_OPTION; #line 2129 "IPTCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mULOG_CPR(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = ULOG_CPR; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--ulog-cprange"); if ( inputState->guessing==0 ) { #line 1423 "iptables.g" _ttype = UNSUPPORTED_OPTION; #line 2148 "IPTCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mTO_SOURCE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = TO_SOURCE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--to-source"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void IPTCfgLexer::mTO_DESTINATION(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = TO_DESTINATION; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("--to-destination"); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; 
//_saveIndex=0;
}

// ---------------------------------------------------------------------------
// NOTE(review): this is ANTLR 2.7.7 output generated from iptables.g (the
// "#line ... iptables.g" directives elsewhere in this file point at the
// grammar).  Lexer-rule changes belong in the grammar, not here, or they are
// lost on the next regeneration.
//
// Every m<TOKEN> rule below has the same generated shape: remember where the
// current token text starts (_begin), set the token type, match() the
// literal, and -- when the caller asked for a token (_createToken) and the
// type is not SKIP -- emit a token whose text is exactly the characters
// accumulated since _begin.  match() is the CharScanner primitive inherited
// by this class; what happens on a mismatch is handled by the caller, outside
// this span.  The commented-out _saveIndex lines are generated dead code.
// ---------------------------------------------------------------------------

// Literal "--to-ports" -> TO_PORTS.
void IPTCfgLexer::mTO_PORTS(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = TO_PORTS;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("--to-ports");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// Literal "--to" -> TO_NETMAP.
// NOTE(review): "--to" is a proper prefix of "--to-source", "--to-destination"
// and "--to-ports"; which rule wins for a given input is decided by the
// generated nextToken() dispatch, which is outside this span -- confirm in
// the grammar before relying on it.
void IPTCfgLexer::mTO_NETMAP(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = TO_NETMAP;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("--to");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// Literal "--clamp-mss-to-pmtu" -> CLAMP_MSS.
void IPTCfgLexer::mCLAMP_MSS(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = CLAMP_MSS;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("--clamp-mss-to-pmtu");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// ---- core iptables short options --------------------------------------------
// One rule per single-letter option.  Only the option flag itself is lexed
// here; its argument (module name, address, interface, ...) is a separate
// token consumed by the parser.

// Literal "-m" (match module) -> OPT_MODULE.
void IPTCfgLexer::mOPT_MODULE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPT_MODULE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("-m");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// Literal "-s" (source) -> OPT_SRC.
void IPTCfgLexer::mOPT_SRC(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPT_SRC;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("-s");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// Literal "-d" (destination) -> OPT_DST.
void IPTCfgLexer::mOPT_DST(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPT_DST;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("-d");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// Literal "-i" (inbound interface) -> OPT_IN_INTF.
void IPTCfgLexer::mOPT_IN_INTF(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPT_IN_INTF;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("-i");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// Literal "-o" (outbound interface) -> OPT_OUT_INTF.
void IPTCfgLexer::mOPT_OUT_INTF(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPT_OUT_INTF;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("-o");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// Literal "-p" (protocol) -> OPT_PROTO.
void IPTCfgLexer::mOPT_PROTO(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPT_PROTO;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("-p");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// Literal "-j" (jump target) -> OPT_TARGET.
void IPTCfgLexer::mOPT_TARGET(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPT_TARGET;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("-j");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// Literal "-f" (fragment) -> OPT_FRAGM.
void IPTCfgLexer::mOPT_FRAGM(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPT_FRAGM;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match("-f");
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// ---- single-character punctuation tokens ------------------------------------
// One rule per character; each yields a one-character token of the named
// type.  '!' (EXCLAMATION) is the one the parser acts on as option negation;
// the rest are plain punctuation.

// '!' -> EXCLAMATION.
void IPTCfgLexer::mEXCLAMATION(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = EXCLAMATION;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('!' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '#' -> NUMBER_SIGN (the parser treats a leading '#' as a comment line).
void IPTCfgLexer::mNUMBER_SIGN(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = NUMBER_SIGN;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('#' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '%' -> PERCENT.
void IPTCfgLexer::mPERCENT(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = PERCENT;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('%' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '&' -> AMPERSAND.
void IPTCfgLexer::mAMPERSAND(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = AMPERSAND;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('&' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '\'' -> APOSTROPHE.
void IPTCfgLexer::mAPOSTROPHE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = APOSTROPHE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('\'' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '(' -> OPENING_PAREN.
void IPTCfgLexer::mOPENING_PAREN(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPENING_PAREN;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('(' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// ')' -> CLOSING_PAREN.
void IPTCfgLexer::mCLOSING_PAREN(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = CLOSING_PAREN;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match(')' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '*' -> STAR (the parser uses it to start a table, "*filter").
void IPTCfgLexer::mSTAR(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = STAR;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('*' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '+' -> PLUS.
void IPTCfgLexer::mPLUS(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = PLUS;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('+' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// ',' -> COMMA.
void IPTCfgLexer::mCOMMA(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = COMMA;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match(',' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '-' -> MINUS.  A lone '-' (not one of the "-x"/"--xxx" literals above) is
// what the parser's chain declaration accepts as the "no policy" column and
// what its ipt_option() routes to unknown_option().
void IPTCfgLexer::mMINUS(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = MINUS;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('-' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '.' -> DOT.
void IPTCfgLexer::mDOT(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = DOT;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('.' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '/' -> SLASH.
void IPTCfgLexer::mSLASH(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = SLASH;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('/' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// ':' -> COLON (the parser uses a leading ':' to start a chain declaration).
void IPTCfgLexer::mCOLON(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = COLON;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match(':' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// ';' -> SEMICOLON.
void IPTCfgLexer::mSEMICOLON(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = SEMICOLON;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match(';' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '<' -> LESS_THAN.
void IPTCfgLexer::mLESS_THAN(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = LESS_THAN;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('<' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '=' -> EQUALS.
void IPTCfgLexer::mEQUALS(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = EQUALS;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('=' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '>' -> GREATER_THAN.
void IPTCfgLexer::mGREATER_THAN(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = GREATER_THAN;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('>' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '?' -> QUESTION.
void IPTCfgLexer::mQUESTION(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = QUESTION;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('?' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '@' -> COMMERCIAL_AT.
void IPTCfgLexer::mCOMMERCIAL_AT(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = COMMERCIAL_AT;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('@' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '[' -> OPENING_SQUARE (opens the "[pkts:bytes]" counters the parser skips).
void IPTCfgLexer::mOPENING_SQUARE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPENING_SQUARE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('[' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// ']' -> CLOSING_SQUARE.
void IPTCfgLexer::mCLOSING_SQUARE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = CLOSING_SQUARE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match(']' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '^' -> CARET.
void IPTCfgLexer::mCARET(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = CARET;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('^' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '_' -> UNDERLINE.
void IPTCfgLexer::mUNDERLINE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = UNDERLINE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('_' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '{' -> OPENING_BRACE.
void IPTCfgLexer::mOPENING_BRACE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = OPENING_BRACE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('{' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '}' -> CLOSING_BRACE.
void IPTCfgLexer::mCLOSING_BRACE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = CLOSING_BRACE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('}' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// '~' -> TILDE.
void IPTCfgLexer::mTILDE(bool _createToken) {
    int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
    _ttype = TILDE;
    //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
    match('~' /* charlit */ );
    if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
        _token = makeToken(_ttype);
        _token->setText(text.substr(_begin, text.length()-_begin));
    }
    _returnToken = _token;
    //_saveIndex=0;
}

// ---- generated character bit sets -------------------------------------------
// Lookahead sets used by the lexer rules; each array is one bit per character
// code, wrapped in an antlr::BitSet of the given word count.  The generator
// prints the member characters as a comment after each array -- that comment,
// not the raw words, is the readable form.  Which rule consults which set is
// decided outside this span.

const unsigned long IPTCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL, 2147483648UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14
// 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f 0x7f 0x80 0x81
// 0x82 0x83 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f
// 0x90 0x91
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgLexer::_tokenSet_0(_tokenSet_0_data_,16);

// Hexadecimal digits (per the generated member list).
const unsigned long IPTCfgLexer::_tokenSet_1_data_[] = { 0UL, 67043328UL, 126UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgLexer::_tokenSet_1(_tokenSet_1_data_,10);

// Decimal digits plus '.' (per the generated member list).
const unsigned long IPTCfgLexer::_tokenSet_2_data_[] = { 0UL, 67059712UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// . 0 1 2 3 4 5 6 7 8 9
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgLexer::_tokenSet_2(_tokenSet_2_data_,10);

const unsigned long IPTCfgLexer::_tokenSet_3_data_[] = { 4294967288UL, 4294967291UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 0x11 0x12 0x13
// 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! # $
// % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ?
@ A B C D E F // G H I J K L M N O P Q R S T U V W X Y Z [ 0x5c ] ^ _ ` a b c d e f g // h i j k l m n o p q r s t u v w x y z { | } ~ 0x7f 0x80 0x81 0x82 0x83 // 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91 const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgLexer::_tokenSet_3(_tokenSet_3_data_,16); fwbuilder-5.3.7/src/parsers/IPTCfgLexer.hpp000066400000000000000000000155441303637203600205600ustar00rootroot00000000000000#ifndef INC_IPTCfgLexer_hpp_ #define INC_IPTCfgLexer_hpp_ #line 38 "iptables.g" // gets inserted before antlr generated includes in the header // file #include "IPTImporter.h" #line 11 "IPTCfgLexer.hpp" #include /* $ANTLR 2.7.7 (20090306): "iptables.g" -> "IPTCfgLexer.hpp"$ */ #include #include #include #include "IPTCfgParserTokenTypes.hpp" #include #line 45 "iptables.g" // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include class IPTImporter; #line 28 "IPTCfgLexer.hpp" #line 74 "iptables.g" // gets inserted after generated namespace specifications in the // header file. But outside the generated class. 
#line 34 "IPTCfgLexer.hpp" class CUSTOM_API IPTCfgLexer : public ANTLR_USE_NAMESPACE(antlr)CharScanner, public IPTCfgParserTokenTypes { #line 1 "iptables.g" #line 38 "IPTCfgLexer.hpp" private: void initLiterals(); public: bool getCaseSensitiveLiterals() const { return true; } public: IPTCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in); IPTCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib); IPTCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state); ANTLR_USE_NAMESPACE(antlr)RefToken nextToken(); public: void mIPTABLES_SAVE_HEADER(bool _createToken); public: void mWhitespace(bool _createToken); public: void mNEWLINE(bool _createToken); protected: void mIPV4(bool _createToken); protected: void mTHREE_COMPONENT_VERSION(bool _createToken); protected: void mIPV6(bool _createToken); protected: void mMAC_ADDRESS(bool _createToken); protected: void mINT_CONST(bool _createToken); protected: void mHEX_CONST(bool _createToken); protected: void mNEG_INT_CONST(bool _createToken); protected: void mDIGIT(bool _createToken); protected: void mHEXDIGIT(bool _createToken); protected: void mNUM_3DIGIT(bool _createToken); protected: void mNUM_HEX_4DIGIT(bool _createToken); public: void mNUMBER(bool _createToken); public: void mWORD(bool _createToken); public: void mSTRING(bool _createToken); protected: void mUNSUPPORTED_OPTION(bool _createToken); public: void mRSOURCE(bool _createToken); public: void mADD_RULE(bool _createToken); public: void mMATCH_STATE(bool _createToken); public: void mMATCH_SRC_MULTIPORT(bool _createToken); public: void mMATCH_DST_MULTIPORT(bool _createToken); public: void mMATCH_BOTH_MULTIPORT(bool _createToken); public: void mMATCH_SRC_PORT(bool _createToken); public: void mMATCH_DST_PORT(bool _createToken); public: void mMATCH_SRC_PORT_SHORT(bool _createToken); public: void mMATCH_DST_PORT_SHORT(bool _createToken); public: void mMATCH_SYN(bool _createToken); public: void mMATCH_TCP_FLAGS(bool _createToken); public: void mMATCH_TCP_OPTION(bool 
_createToken); public: void mMATCH_ICMP_TYPE(bool _createToken); public: void mMATCH_MARK(bool _createToken); public: void mMATCH_LENGTH(bool _createToken); public: void mMATCH_LIMIT(bool _createToken); public: void mMATCH_LIMIT_BURST(bool _createToken); public: void mMATCH_RECENT_NAME(bool _createToken); public: void mMATCH_RECENT_RCHECK(bool _createToken); public: void mMATCH_RECENT_UPDATE(bool _createToken); public: void mMATCH_RECENT_REMOVE(bool _createToken); public: void mMATCH_RECENT_SECONDS(bool _createToken); public: void mMATCH_RECENT_HITCOUNT(bool _createToken); public: void mMATCH_RECENT_RTTL(bool _createToken); public: void mMATCH_RECENT_RDEST(bool _createToken); public: void mMATCH_RECENT_SET(bool _createToken); public: void mMATCH_IPRANGE_SRC(bool _createToken); public: void mMATCH_IPRANGE_DST(bool _createToken); public: void mMATCH_COMMENT(bool _createToken); public: void mMATCH_PKT_TYPE(bool _createToken); public: void mREJECT_WITH(bool _createToken); public: void mSET_CLASS(bool _createToken); public: void mSET_MARK(bool _createToken); public: void mSAVE_MARK(bool _createToken); public: void mRESTORE_MARK(bool _createToken); public: void mSET_TOS(bool _createToken); public: void mCONTINUE(bool _createToken); public: void mROUTE_IIF(bool _createToken); public: void mROUTE_OIF(bool _createToken); public: void mROUTE_GW(bool _createToken); public: void mROUTE_TEE(bool _createToken); public: void mLOG_PREFIX(bool _createToken); public: void mLOG_LEVEL(bool _createToken); public: void mLOG_TCP_SEQ(bool _createToken); public: void mLOG_TCP_OPT(bool _createToken); public: void mLOG_IP_OPT(bool _createToken); public: void mULOG_PREFIX(bool _createToken); public: void mULOG_QTHR(bool _createToken); public: void mULOG_NLG(bool _createToken); public: void mULOG_CPR(bool _createToken); public: void mTO_SOURCE(bool _createToken); public: void mTO_DESTINATION(bool _createToken); public: void mTO_PORTS(bool _createToken); public: void mTO_NETMAP(bool 
_createToken); public: void mCLAMP_MSS(bool _createToken); public: void mOPT_MODULE(bool _createToken); public: void mOPT_SRC(bool _createToken); public: void mOPT_DST(bool _createToken); public: void mOPT_IN_INTF(bool _createToken); public: void mOPT_OUT_INTF(bool _createToken); public: void mOPT_PROTO(bool _createToken); public: void mOPT_TARGET(bool _createToken); public: void mOPT_FRAGM(bool _createToken); public: void mEXCLAMATION(bool _createToken); public: void mNUMBER_SIGN(bool _createToken); public: void mPERCENT(bool _createToken); public: void mAMPERSAND(bool _createToken); public: void mAPOSTROPHE(bool _createToken); public: void mOPENING_PAREN(bool _createToken); public: void mCLOSING_PAREN(bool _createToken); public: void mSTAR(bool _createToken); public: void mPLUS(bool _createToken); public: void mCOMMA(bool _createToken); public: void mMINUS(bool _createToken); public: void mDOT(bool _createToken); public: void mSLASH(bool _createToken); public: void mCOLON(bool _createToken); public: void mSEMICOLON(bool _createToken); public: void mLESS_THAN(bool _createToken); public: void mEQUALS(bool _createToken); public: void mGREATER_THAN(bool _createToken); public: void mQUESTION(bool _createToken); public: void mCOMMERCIAL_AT(bool _createToken); public: void mOPENING_SQUARE(bool _createToken); public: void mCLOSING_SQUARE(bool _createToken); public: void mCARET(bool _createToken); public: void mUNDERLINE(bool _createToken); public: void mOPENING_BRACE(bool _createToken); public: void mCLOSING_BRACE(bool _createToken); public: void mTILDE(bool _createToken); private: static const unsigned long _tokenSet_0_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long _tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; static const unsigned long _tokenSet_3_data_[]; static const 
ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_3; }; #endif /*INC_IPTCfgLexer_hpp_*/ fwbuilder-5.3.7/src/parsers/IPTCfgParser.cpp000066400000000000000000002472201303637203600207260ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20090306): "iptables.g" -> "IPTCfgParser.cpp"$ */ #line 55 "iptables.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "IPTCfgParser.cpp" #include "IPTCfgParser.hpp" #include #include #include #line 61 "iptables.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #include "fwbuilder/TCPService.h" #include "fwbuilder/Logger.h" #include #line 25 "IPTCfgParser.cpp" #line 1 "iptables.g" #line 27 "IPTCfgParser.cpp" IPTCfgParser::IPTCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,k) { } IPTCfgParser::IPTCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,2) { } IPTCfgParser::IPTCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,k) { } IPTCfgParser::IPTCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,2) { } IPTCfgParser::IPTCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)LLkParser(state,2) { } void IPTCfgParser::cfgfile() { try { // for error handling { // ( ... )+ int _cnt3=0; for (;;) { switch ( LA(1)) { case NUMBER_SIGN: { comment(); break; } case STAR: { start_table(); break; } case COLON: { create_chain(); break; } case ADD_RULE: { add_rule(); break; } case COMMIT: { commit(); break; } case NEWLINE: { match(NEWLINE); break; } default: { if ( _cnt3>=1 ) { goto _loop3; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());} } } _cnt3++; } _loop3:; } // ( ... 
)+
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_0);
        } else {
            throw;
        }
    }
}

// ---------------------------------------------------------------------------
// NOTE(review): ANTLR 2.7.7 output generated from iptables.g (see the
// "#line ... iptables.g" directives around the embedded actions); grammar or
// action changes belong in iptables.g.
//
// Every rule below has the same generated error-handling shape: a
// RecognitionException is reported and the parser resynchronises via
// recover() on the rule's recovery set, unless the parser is inside a guess
// (inputState->guessing != 0), in which case the exception propagates.  A
// malformed line is therefore logged and skipped rather than aborting the
// import.  Everything the actions hand to `importer` (table and chain names,
// policy, version string) is taken verbatim from the iptables-save text being
// imported; any validation of those strings happens in the importer, outside
// this file.
// ---------------------------------------------------------------------------

// A '#' comment line.  If the line carries the iptables-save header, the
// version token that follows it is handed to the importer together with the
// line number; in every case the rest of the line is discarded
// (consumeUntil(NEWLINE)).
void IPTCfgParser::comment() {
    try {      // for error handling
        match(NUMBER_SIGN);
        { // ( ... )*
        for (;;) {
            if ((LA(1) == IPTABLES_SAVE_HEADER)) {
                match(IPTABLES_SAVE_HEADER);
                {
                switch ( LA(1)) {
                case THREE_COMPONENT_VERSION:
                {
                    match(THREE_COMPONENT_VERSION);
                    break;
                }
                case IPV4:
                {
                    // a four-component version lexes like an IPv4 address,
                    // presumably why IPV4 is accepted here -- confirm in the grammar
                    match(IPV4);
                    break;
                }
                default:
                {
                    throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
                }
                }
                }
                if ( inputState->guessing==0 ) {
#line 151 "iptables.g"
                    importer->setCurrentLineNumber(LT(0)->getLine());
                    // LT(0) is the version token just matched
                    std::string version = LT(0)->getText();
                    importer->setDiscoveredVersion(version);
                    *dbg << "VERSION " << version << std::endl;
                    consumeUntil(NEWLINE);
#line 145 "IPTCfgParser.cpp"
                }
            }
            else {
                goto _loop7;
            }
        }
        _loop7:;
        } // ( ... )*
        if ( inputState->guessing==0 ) {
#line 159 "iptables.g"
            consumeUntil(NEWLINE);
#line 160 "IPTCfgParser.cpp"
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_1);
        } else {
            throw;
        }
    }
}

// "*<table>" opens a table.  If the previous table was never closed by a
// COMMIT line (importer->current_table still set), a warning is written to the
// importer's logger and to the debug stream, the pending rule is flushed and
// current_table is cleared before the new table is registered under the name
// just read (LT(0)).
void IPTCfgParser::start_table() {
    try {      // for error handling
        match(STAR);
        match(WORD);
        if ( inputState->guessing==0 ) {
#line 181 "iptables.g"
            
            if (!importer->current_table.empty())
            {
                // we did not see COMMIT
                *(importer->logger) << "********************************\n";
                *(importer->logger) << "Missing COMMIT for the table "
                                    << importer->current_table << "\n";
                *(importer->logger) << "Perhaps the file is broken ?" << "\n";
                *(importer->logger) << "********************************\n";
                *dbg << "Missing COMMIT for the table " << importer->current_table;
                *dbg << "Perhaps the file is broken ?";
                // push last rule
                importer->pushRule();
                // clear current table
                importer->current_table = "";
            }
            importer->registerTable(LT(0)->getText());
            *dbg << "TABLE " << LT(0)->getText() << std::endl;
            
#line 200 "IPTCfgParser.cpp"
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_1);
        } else {
            throw;
        }
    }
}

// ":<chain> <policy> [pkts:bytes]" declares a chain.  chain_def() reads the
// name; the importer creates a NAT rule set when the current table is "nat"
// and a Policy rule set otherwise.  The policy column is either a WORD or a
// bare '-' (what iptables-save prints for user-defined chains) and is passed
// to setDefaultAction() unchanged.  The optional "[n:m]" counters are matched
// and discarded: no action is attached to them.
void IPTCfgParser::create_chain() {
    try {      // for error handling
        match(COLON);
        chain_def();
        if ( inputState->guessing==0 ) {
#line 216 "iptables.g"
            
            importer->setCurrentLineNumber(LT(0)->getLine());
            if (importer->current_table=="nat")
                importer->newUnidirRuleSet(LT(0)->getText(), libfwbuilder::NAT::TYPENAME);
            else
                importer->newUnidirRuleSet(LT(0)->getText(), libfwbuilder::Policy::TYPENAME);
            *dbg << "NEW CHAIN " << LT(0)->getText() << std::endl;
            
#line 230 "IPTCfgParser.cpp"
        }
        {
        switch ( LA(1)) {
        case WORD:
        {
            match(WORD);
            break;
        }
        case MINUS:
        {
            match(MINUS);
            break;
        }
        default:
        {
            throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
        }
        }
        }
        if ( inputState->guessing==0 ) {
#line 227 "iptables.g"
            
            importer->setDefaultAction(LT(0)->getText());
            *dbg << "DEFAULT ACTION " << LT(0)->getText() << std::endl;
            
#line 256 "IPTCfgParser.cpp"
        }
        {
        switch ( LA(1)) {
        case OPENING_SQUARE:
        {
            // packet/byte counters: recognised, not used
            match(OPENING_SQUARE);
            match(INT_CONST);
            match(COLON);
            match(INT_CONST);
            match(CLOSING_SQUARE);
            break;
        }
        // tokens that may legitimately follow a chain declaration without counters
        case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE:
        case NEWLINE:
        case NUMBER_SIGN:
        case COMMIT:
        case STAR:
        case COLON:
        case ADD_RULE:
        {
            break;
        }
        default:
        {
            throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
        }
        }
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_1);
        } else {
            throw;
        }
    }
}

// "-A <chain> <option>... NEWLINE" adds a rule.  The previously accumulated
// rule is flushed (pushRule) before a new NAT or Policy rule -- chosen by the
// current table -- is started for the chain named by LT(0).  At least one
// ipt_option() must follow; _tokenSet_2 decides whether the next token can
// start an option, and a rule line with no options raises
// NoViableAltException.
void IPTCfgParser::add_rule() {
    try {      // for error handling
        match(ADD_RULE);
        chain_def();
        if ( inputState->guessing==0 ) {
#line 237 "iptables.g"
            
            // push previous rule
            *dbg << std::endl;
            importer->pushRule();
            // start new one
            importer->setCurrentLineNumber(LT(0)->getLine());
            if (importer->current_table=="nat")
                importer->newNATRule();
            else
                importer->newPolicyRule();
            importer->current_chain = LT(0)->getText();
            *dbg << "add_rule: line=" << LT(0)->getLine() << " chain=" << LT(0)->getText();
            
#line 317 "IPTCfgParser.cpp"
        }
        { // ( ... )+
        int _cnt17=0;
        for (;;) {
            if ((_tokenSet_2.member(LA(1)))) {
                ipt_option();
            }
            else {
                if ( _cnt17>=1 ) { goto _loop17; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());}
            }
            
            _cnt17++;
        }
        _loop17:;
        }  // ( ... )+
        match(NEWLINE);
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_1);
        } else {
            throw;
        }
    }
}

// "COMMIT" closes the current table: the last pending rule is flushed and
// current_table is cleared, which is what start_table() checks to detect a
// missing COMMIT.
void IPTCfgParser::commit() {
    try {      // for error handling
        match(COMMIT);
        if ( inputState->guessing==0 ) {
#line 169 "iptables.g"
            
            // push last rule
            importer->pushRule();
            *dbg << " COMMIT" << std::endl;
            // clear current table
            importer->current_table = "";
            
#line 358 "IPTCfgParser.cpp"
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_1);
        } else {
            throw;
        }
    }
}

// A chain name: one of the built-in chain keywords or a WORD (user-defined
// chain).  Pure recognition -- no action; callers read the matched name back
// through LT(0).  Recovery uses _tokenSet_3, presumably the set of tokens
// that may follow a chain name, rather than the _tokenSet_1 the line-level
// rules use.
void IPTCfgParser::chain_def() {
    try {      // for error handling
        {
        switch ( LA(1)) {
        case INPUT:
        {
            match(INPUT);
            break;
        }
        case FORWARD:
        {
            match(FORWARD);
            break;
        }
        case OUTPUT:
        {
            match(OUTPUT);
            break;
        }
        case PREROUTING:
        {
            match(PREROUTING);
            break;
        }
        case POSTROUTING:
        {
            match(POSTROUTING);
            break;
        }
        case WORD:
        {
            match(WORD);
            break;
        }
        default:
        {
            throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
        }
        }
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_3);
        } else {
            throw;
        }
    }
}

// Dispatches one iptables option of a rule line to the matching sub-rule.
void IPTCfgParser::ipt_option() {
    try {      // for error
handling { switch ( LA(1)) { case EXCLAMATION: { negation(); break; } case OPT_SRC: { src(); break; } case OPT_DST: { dst(); break; } case OPT_IN_INTF: { i_intf(); break; } case OPT_OUT_INTF: { o_intf(); break; } case OPT_PROTO: { proto(); break; } case OPT_TARGET: { target(); break; } case OPT_FRAGM: { fragm(); break; } case MATCH_ICMP_TYPE: { icmp_type_spec(); break; } case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: { basic_tcp_udp_port_spec(); break; } case MATCH_SRC_MULTIPORT: case MATCH_DST_MULTIPORT: case MATCH_BOTH_MULTIPORT: { multiport_tcp_udp_port_spec(); break; } case MATCH_SYN: case MATCH_TCP_FLAGS: case MATCH_TCP_OPTION: { tcp_options(); break; } case MATCH_LIMIT: { match_limit(); break; } case MATCH_LIMIT_BURST: { match_limit_burst(); break; } case MATCH_LENGTH: { match_length(); break; } case MATCH_IPRANGE_SRC: { match_iprange_src(); break; } case MATCH_IPRANGE_DST: { match_iprange_dst(); break; } case MINUS: case UNSUPPORTED_OPTION: { unknown_option(); break; } default: if ((LA(1) == OPT_MODULE) && (_tokenSet_4.member(LA(2)))) { module(); } else if ((LA(1) == OPT_MODULE) && (LA(2) == M_MARK)) { match_mark(); } else if ((LA(1) == OPT_MODULE) && (LA(2) == M_RECENT)) { match_recent(); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::negation() { try { // for error handling match(EXCLAMATION); if ( inputState->guessing==0 ) { #line 303 "iptables.g" importer->tmp_neg = true; #line 561 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::module() { try { // for error handling match(OPT_MODULE); { switch ( LA(1)) { case M_STATE: { m_state(); 
break; } case M_MPORT: { m_mport(); break; } case ICMP: { m_icmp(); break; } case TCP: { m_tcp(); break; } case UDP: { m_udp(); break; } case M_LIMIT: { m_limit(); break; } case M_LENGTH: { m_length(); break; } case M_IPRANGE: { m_iprange(); break; } case M_COMMENT: { m_comment(); break; } case M_PKTTYPE: { m_pkttype(); break; } case WORD: { m_unknown_module(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::match_mark() { try { // for error handling match(OPT_MODULE); m_mark(); { switch ( LA(1)) { case EXCLAMATION: { match(EXCLAMATION); if ( inputState->guessing==0 ) { #line 731 "iptables.g" importer->neg_match_mark = true; #line 665 "IPTCfgParser.cpp" } break; } case MATCH_MARK: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(MATCH_MARK); { switch ( LA(1)) { case INT_CONST: { match(INT_CONST); break; } case HEX_CONST: { match(HEX_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 733 "iptables.g" importer->tmp_neg = false; importer->match_mark = LT(0)->getText(); *dbg << " MATCH MARK " << LT(0)->getText(); #line 705 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::match_recent() { try { // for error handling match(OPT_MODULE); m_recent(); { // ( ... )+ int _cnt95=0; for (;;) { if (((LA(1) >= MATCH_RECENT_SET && LA(1) <= MATCH_RECENT_HITCOUNT))) { recent_opts(); } else { if ( _cnt95>=1 ) { goto _loop95; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());} } _cnt95++; } _loop95:; } // ( ... 
)+ } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::src() { try { // for error handling match(OPT_SRC); if ( inputState->guessing==0 ) { #line 381 "iptables.g" *dbg << " SRC="; importer->src_neg = importer->tmp_neg; importer->tmp_neg = false; #line 759 "IPTCfgParser.cpp" } { { switch ( LA(1)) { case WORD: { match(WORD); break; } case IPV4: { match(IPV4); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 387 "iptables.g" importer->src_a = LT(0)->getText(); *dbg << LT(0)->getText(); #line 786 "IPTCfgParser.cpp" } { switch ( LA(1)) { case SLASH: { match(SLASH); { switch ( LA(1)) { case IPV4: { match(IPV4); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 392 "iptables.g" importer->src_nm = LT(0)->getText(); *dbg << "/" << LT(0)->getText(); #line 817 "IPTCfgParser.cpp" } break; } case NEWLINE: case MINUS: case EXCLAMATION: case UNSUPPORTED_OPTION: case OPT_MODULE: case OPT_SRC: case OPT_DST: case OPT_IN_INTF: case OPT_OUT_INTF: case OPT_PROTO: case OPT_TARGET: case OPT_FRAGM: case MATCH_LIMIT: case MATCH_LIMIT_BURST: case MATCH_IPRANGE_SRC: case MATCH_IPRANGE_DST: case MATCH_LENGTH: case MATCH_SRC_MULTIPORT: case MATCH_DST_MULTIPORT: case MATCH_BOTH_MULTIPORT: case MATCH_ICMP_TYPE: case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: case MATCH_SYN: case MATCH_TCP_FLAGS: case MATCH_TCP_OPTION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void 
IPTCfgParser::dst() { try { // for error handling match(OPT_DST); if ( inputState->guessing==0 ) { #line 401 "iptables.g" *dbg << " DST="; importer->dst_neg = importer->tmp_neg; importer->tmp_neg = false; #line 881 "IPTCfgParser.cpp" } { { switch ( LA(1)) { case WORD: { match(WORD); break; } case IPV4: { match(IPV4); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 407 "iptables.g" importer->dst_a = LT(0)->getText(); *dbg << LT(0)->getText(); #line 908 "IPTCfgParser.cpp" } { switch ( LA(1)) { case SLASH: { match(SLASH); { switch ( LA(1)) { case IPV4: { match(IPV4); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 412 "iptables.g" importer->dst_nm = LT(0)->getText(); *dbg << "/" << LT(0)->getText(); #line 939 "IPTCfgParser.cpp" } break; } case NEWLINE: case MINUS: case EXCLAMATION: case UNSUPPORTED_OPTION: case OPT_MODULE: case OPT_SRC: case OPT_DST: case OPT_IN_INTF: case OPT_OUT_INTF: case OPT_PROTO: case OPT_TARGET: case OPT_FRAGM: case MATCH_LIMIT: case MATCH_LIMIT_BURST: case MATCH_IPRANGE_SRC: case MATCH_IPRANGE_DST: case MATCH_LENGTH: case MATCH_SRC_MULTIPORT: case MATCH_DST_MULTIPORT: case MATCH_BOTH_MULTIPORT: case MATCH_ICMP_TYPE: case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: case MATCH_SYN: case MATCH_TCP_FLAGS: case MATCH_TCP_OPTION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::i_intf() { try { // for error handling match(OPT_IN_INTF); if ( inputState->guessing==0 ) { #line 421 "iptables.g" importer->intf_neg = importer->tmp_neg; 
importer->tmp_neg = false; #line 1002 "IPTCfgParser.cpp" } match(WORD); if ( inputState->guessing==0 ) { #line 426 "iptables.g" importer->i_intf = LT(0)->getText(); *dbg << " I_INTF=" << LT(0)->getText(); #line 1011 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::o_intf() { try { // for error handling match(OPT_OUT_INTF); if ( inputState->guessing==0 ) { #line 434 "iptables.g" importer->intf_neg = importer->tmp_neg; importer->tmp_neg = false; #line 1034 "IPTCfgParser.cpp" } match(WORD); if ( inputState->guessing==0 ) { #line 439 "iptables.g" importer->o_intf = LT(0)->getText(); *dbg << " O_INTF=" << LT(0)->getText(); #line 1043 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::proto() { try { // for error handling match(OPT_PROTO); if ( inputState->guessing==0 ) { #line 450 "iptables.g" importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; #line 1066 "IPTCfgParser.cpp" } protocol_word(); if ( inputState->guessing==0 ) { #line 455 "iptables.g" std::string tmp_s = LT(0)->getText(); importer->protocol.resize(tmp_s.size()); std::transform(tmp_s.begin(), tmp_s.end(), importer->protocol.begin(), ::tolower); *dbg << " PROTO=" << importer->protocol; #line 1080 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::target() { ANTLR_USE_NAMESPACE(antlr)RefToken t = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(OPT_TARGET); t = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 468 "iptables.g" importer->target = LT(0)->getText(); *dbg << " TARGET=" << t->getText(); #line 1106 
"IPTCfgParser.cpp" } { // ( ... )* for (;;) { if ((_tokenSet_6.member(LA(1)))) { target_options(); } else { goto _loop54; } } _loop54:; } // ( ... )* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::fragm() { try { // for error handling match(OPT_FRAGM); if ( inputState->guessing==0 ) { #line 680 "iptables.g" importer->fragments = true; *dbg << " FRAGM"; #line 1141 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::icmp_type_spec() { try { // for error handling match(MATCH_ICMP_TYPE); { switch ( LA(1)) { case WORD: { match(WORD); if ( inputState->guessing==0 ) { #line 970 "iptables.g" importer->icmp_spec = LT(0)->getText(); *dbg << " ICMP_SPEC=" << LT(0)->getText(); #line 1169 "IPTCfgParser.cpp" } break; } case INT_CONST: { { match(INT_CONST); if ( inputState->guessing==0 ) { #line 977 "iptables.g" importer->icmp_type = LT(0)->getText(); importer->icmp_code = "-1"; *dbg << " ICMP_TYPE=" << LT(0)->getText(); #line 1184 "IPTCfgParser.cpp" } { switch ( LA(1)) { case SLASH: { match(SLASH); match(INT_CONST); if ( inputState->guessing==0 ) { #line 984 "iptables.g" importer->icmp_code = LT(0)->getText(); *dbg << " ICMP_CODE=" << LT(0)->getText(); #line 1198 "IPTCfgParser.cpp" } break; } case NEWLINE: case MINUS: case EXCLAMATION: case UNSUPPORTED_OPTION: case OPT_MODULE: case OPT_SRC: case OPT_DST: case OPT_IN_INTF: case OPT_OUT_INTF: case OPT_PROTO: case OPT_TARGET: case OPT_FRAGM: case MATCH_LIMIT: case MATCH_LIMIT_BURST: case MATCH_IPRANGE_SRC: case MATCH_IPRANGE_DST: case MATCH_LENGTH: case MATCH_SRC_MULTIPORT: case MATCH_DST_MULTIPORT: case MATCH_BOTH_MULTIPORT: case MATCH_ICMP_TYPE: case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: case 
MATCH_SYN: case MATCH_TCP_FLAGS: case MATCH_TCP_OPTION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::basic_tcp_udp_port_spec() { try { // for error handling switch ( LA(1)) { case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: { { switch ( LA(1)) { case MATCH_SRC_PORT: { match(MATCH_SRC_PORT); break; } case MATCH_SRC_PORT_SHORT: { match(MATCH_SRC_PORT_SHORT); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1066 "iptables.g" importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; #line 1290 "IPTCfgParser.cpp" } { switch ( LA(1)) { case WORD: case INT_CONST: { port_def_with_range(); break; } case COLON: { port_def_with_incomplete_range(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1071 "iptables.g" importer->pushTmpPortSpecToSrcPortList(); #line 1316 "IPTCfgParser.cpp" } break; } case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: { { switch ( LA(1)) { case MATCH_DST_PORT: { match(MATCH_DST_PORT); break; } case MATCH_DST_PORT_SHORT: { match(MATCH_DST_PORT_SHORT); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1076 "iptables.g" importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; #line 1347 "IPTCfgParser.cpp" } { switch ( LA(1)) { case WORD: case INT_CONST: { port_def_with_range(); break; } case COLON: { port_def_with_incomplete_range(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } 
if ( inputState->guessing==0 ) { #line 1081 "iptables.g" importer->pushTmpPortSpecToDstPortList(); #line 1373 "IPTCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::multiport_tcp_udp_port_spec() { try { // for error handling { switch ( LA(1)) { case MATCH_SRC_MULTIPORT: { { match(MATCH_SRC_MULTIPORT); if ( inputState->guessing==0 ) { #line 901 "iptables.g" importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; importer->startSrcMultiPort(); *dbg << " SRC MULTIPORT="; #line 1410 "IPTCfgParser.cpp" } port_def_with_range(); if ( inputState->guessing==0 ) { #line 908 "iptables.g" importer->pushTmpPortSpecToSrcPortList(); #line 1418 "IPTCfgParser.cpp" } { // ( ... )* for (;;) { if ((LA(1) == COMMA)) { match(COMMA); port_def_with_range(); if ( inputState->guessing==0 ) { #line 912 "iptables.g" importer->pushTmpPortSpecToSrcPortList(); #line 1430 "IPTCfgParser.cpp" } } else { goto _loop114; } } _loop114:; } // ( ... )* } break; } case MATCH_DST_MULTIPORT: { { match(MATCH_DST_MULTIPORT); if ( inputState->guessing==0 ) { #line 919 "iptables.g" importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; importer->startDstMultiPort(); *dbg << " DST MULTIPORT="; #line 1455 "IPTCfgParser.cpp" } port_def_with_range(); if ( inputState->guessing==0 ) { #line 926 "iptables.g" importer->pushTmpPortSpecToDstPortList(); #line 1463 "IPTCfgParser.cpp" } { // ( ... )* for (;;) { if ((LA(1) == COMMA)) { match(COMMA); port_def_with_range(); if ( inputState->guessing==0 ) { #line 930 "iptables.g" importer->pushTmpPortSpecToDstPortList(); #line 1475 "IPTCfgParser.cpp" } } else { goto _loop117; } } _loop117:; } // ( ... 
)* } break; } case MATCH_BOTH_MULTIPORT: { { match(MATCH_BOTH_MULTIPORT); if ( inputState->guessing==0 ) { #line 937 "iptables.g" importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; importer->startBothMultiPort(); *dbg << " MULTIPORT PORTS="; #line 1500 "IPTCfgParser.cpp" } port_def_with_range(); if ( inputState->guessing==0 ) { #line 944 "iptables.g" importer->pushTmpPortSpecToBothPortList(); #line 1508 "IPTCfgParser.cpp" } { // ( ... )* for (;;) { if ((LA(1) == COMMA)) { match(COMMA); port_def_with_range(); if ( inputState->guessing==0 ) { #line 948 "iptables.g" importer->pushTmpPortSpecToBothPortList(); #line 1520 "IPTCfgParser.cpp" } } else { goto _loop120; } } _loop120:; } // ( ... )* } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::tcp_options() { try { // for error handling { switch ( LA(1)) { case MATCH_SYN: { syn(); break; } case MATCH_TCP_FLAGS: { tcp_flags(); break; } case MATCH_TCP_OPTION: { tcp_option(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1111 "iptables.g" importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; #line 1582 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::match_limit() { try { // for error handling match(MATCH_LIMIT); limit_rate(); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::match_limit_burst() { try { // for error handling match(MATCH_LIMIT_BURST); match(INT_CONST); if ( inputState->guessing==0 ) 
{ #line 765 "iptables.g" importer->limit_burst = LT(0)->getText(); *dbg << " LIMIT BURST " << LT(0)->getText(); #line 1622 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::match_length() { try { // for error handling match(MATCH_LENGTH); length_spec(); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::match_iprange_src() { try { // for error handling match(MATCH_IPRANGE_SRC); { switch ( LA(1)) { case WORD: { match(WORD); break; } case IPV4: { match(IPV4); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 788 "iptables.g" importer->iprange_src_from = LT(0)->getText(); importer->using_iprange_src = true; #line 1679 "IPTCfgParser.cpp" } match(MINUS); { switch ( LA(1)) { case WORD: { match(WORD); break; } case IPV4: { match(IPV4); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 793 "iptables.g" importer->iprange_src_to = LT(0)->getText(); #line 1705 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::match_iprange_dst() { try { // for error handling match(MATCH_IPRANGE_DST); { switch ( LA(1)) { case WORD: { match(WORD); break; } case IPV4: { match(IPV4); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 799 "iptables.g" importer->iprange_dst_from = LT(0)->getText(); importer->using_iprange_dst = true; #line 1746 "IPTCfgParser.cpp" } match(MINUS); { switch ( LA(1)) { case WORD: 
{ match(WORD); break; } case IPV4: { match(IPV4); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 804 "iptables.g" importer->iprange_dst_to = LT(0)->getText(); #line 1772 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::unknown_option() { try { // for error handling if ((LA(1) == MINUS) && (LA(2) == WORD)) { { match(MINUS); match(WORD); if ( inputState->guessing==0 ) { #line 312 "iptables.g" importer->reportError( std::string("Unknown option: -")+LT(0)->getText()); *dbg << " UNKNOWN OPTION=-" << LT(0)->getText(); #line 1799 "IPTCfgParser.cpp" } { switch ( LA(1)) { case WORD: case INT_CONST: case DIGIT: { unknown_parameter(); break; } case NEWLINE: case MINUS: case EXCLAMATION: case UNSUPPORTED_OPTION: case OPT_MODULE: case OPT_SRC: case OPT_DST: case OPT_IN_INTF: case OPT_OUT_INTF: case OPT_PROTO: case OPT_TARGET: case OPT_FRAGM: case MATCH_LIMIT: case MATCH_LIMIT_BURST: case MATCH_IPRANGE_SRC: case MATCH_IPRANGE_DST: case MATCH_LENGTH: case MATCH_SRC_MULTIPORT: case MATCH_DST_MULTIPORT: case MATCH_BOTH_MULTIPORT: case MATCH_ICMP_TYPE: case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: case MATCH_SYN: case MATCH_TCP_FLAGS: case MATCH_TCP_OPTION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } } else if ((LA(1) == MINUS) && (LA(2) == MINUS)) { { { match(MINUS); match(MINUS); match(WORD); } if ( inputState->guessing==0 ) { #line 322 "iptables.g" importer->reportError( std::string("Unknown option: --")+LT(0)->getText()); *dbg << " UNKNOWN OPTION=--" << LT(0)->getText(); #line 1863 "IPTCfgParser.cpp" } { switch ( LA(1)) { case WORD: case INT_CONST: case DIGIT: { unknown_parameter(); break; } case NEWLINE: case MINUS: case 
EXCLAMATION: case UNSUPPORTED_OPTION: case OPT_MODULE: case OPT_SRC: case OPT_DST: case OPT_IN_INTF: case OPT_OUT_INTF: case OPT_PROTO: case OPT_TARGET: case OPT_FRAGM: case MATCH_LIMIT: case MATCH_LIMIT_BURST: case MATCH_IPRANGE_SRC: case MATCH_IPRANGE_DST: case MATCH_LENGTH: case MATCH_SRC_MULTIPORT: case MATCH_DST_MULTIPORT: case MATCH_BOTH_MULTIPORT: case MATCH_ICMP_TYPE: case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: case MATCH_SYN: case MATCH_TCP_FLAGS: case MATCH_TCP_OPTION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } } else if ((LA(1) == UNSUPPORTED_OPTION)) { { match(UNSUPPORTED_OPTION); if ( inputState->guessing==0 ) { #line 332 "iptables.g" importer->reportError( std::string("Unknown option: ")+LT(0)->getText()); *dbg << " UNKNOWN OPTION=" << LT(0)->getText(); #line 1923 "IPTCfgParser.cpp" } { switch ( LA(1)) { case WORD: case INT_CONST: case DIGIT: { unknown_parameter(); break; } case NEWLINE: case MINUS: case EXCLAMATION: case UNSUPPORTED_OPTION: case OPT_MODULE: case OPT_SRC: case OPT_DST: case OPT_IN_INTF: case OPT_OUT_INTF: case OPT_PROTO: case OPT_TARGET: case OPT_FRAGM: case MATCH_LIMIT: case MATCH_LIMIT_BURST: case MATCH_IPRANGE_SRC: case MATCH_IPRANGE_DST: case MATCH_LENGTH: case MATCH_SRC_MULTIPORT: case MATCH_DST_MULTIPORT: case MATCH_BOTH_MULTIPORT: case MATCH_ICMP_TYPE: case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: case MATCH_SYN: case MATCH_TCP_FLAGS: case MATCH_TCP_OPTION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::unknown_parameter() { #line 341 
"iptables.g" std::string s; #line 1991 "IPTCfgParser.cpp" try { // for error handling if ((LA(1) == INT_CONST || LA(1) == DIGIT) && (LA(2) == SLASH)) { { { { switch ( LA(1)) { case DIGIT: { match(DIGIT); if ( inputState->guessing==0 ) { #line 347 "iptables.g" s+=LT(0)->getText(); #line 2005 "IPTCfgParser.cpp" } break; } case INT_CONST: { match(INT_CONST); if ( inputState->guessing==0 ) { #line 349 "iptables.g" s+=LT(0)->getText(); #line 2015 "IPTCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(SLASH); if ( inputState->guessing==0 ) { #line 351 "iptables.g" s+=LT(0)->getText(); #line 2029 "IPTCfgParser.cpp" } match(WORD); if ( inputState->guessing==0 ) { #line 352 "iptables.g" s+=LT(0)->getText(); #line 2035 "IPTCfgParser.cpp" } } if ( inputState->guessing==0 ) { #line 354 "iptables.g" importer->reportError( std::string("Unknown parameter: ")+s); *dbg << " UNKNOWN PARMETER=" << s; #line 2045 "IPTCfgParser.cpp" } } } else if ((LA(1) == WORD || LA(1) == INT_CONST || LA(1) == DIGIT) && (_tokenSet_5.member(LA(2)))) { { { switch ( LA(1)) { case DIGIT: { match(DIGIT); break; } case INT_CONST: { match(INT_CONST); break; } case WORD: { match(WORD); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 363 "iptables.g" importer->reportError( std::string("Unknown parameter: ")+LT(0)->getText()); *dbg << " UNKNOWN PARMETER=" << LT(0)->getText(); #line 2081 "IPTCfgParser.cpp" } } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_state() { try { // for error handling match(M_STATE); match(MATCH_STATE); if ( inputState->guessing==0 ) { #line 701 "iptables.g" importer->current_state = ""; #line 2110 
"IPTCfgParser.cpp" } state_word(); if ( inputState->guessing==0 ) { #line 705 "iptables.g" importer->current_state += LT(0)->getText(); #line 2118 "IPTCfgParser.cpp" } { // ( ... )* for (;;) { if ((LA(1) == COMMA)) { match(COMMA); state_word(); if ( inputState->guessing==0 ) { #line 710 "iptables.g" importer->current_state += std::string(",") + LT(0)->getText(); #line 2130 "IPTCfgParser.cpp" } } else { goto _loop76; } } _loop76:; } // ( ... )* if ( inputState->guessing==0 ) { #line 714 "iptables.g" *dbg << " STATE MATCH=" << importer->current_state; #line 2145 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_mport() { try { // for error handling match(M_MPORT); if ( inputState->guessing==0 ) { #line 873 "iptables.g" *dbg << " MULTIPORT"; #line 2167 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_icmp() { try { // for error handling match(ICMP); if ( inputState->guessing==0 ) { #line 960 "iptables.g" importer->protocol = "icmp"; *dbg << " ICMP"; #line 2190 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_tcp() { try { // for error handling match(TCP); if ( inputState->guessing==0 ) { #line 1099 "iptables.g" importer->protocol = "tcp"; *dbg << " TCP"; #line 2213 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_udp() { try { // for error handling match(UDP); if ( inputState->guessing==0 ) { #line 1090 "iptables.g" importer->protocol = "udp"; *dbg << " UDP"; #line 
2236 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_limit() { try { // for error handling match(M_LIMIT); if ( inputState->guessing==0 ) { #line 743 "iptables.g" *dbg << " LIMIT"; #line 2258 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_length() { try { // for error handling match(M_LENGTH); if ( inputState->guessing==0 ) { #line 838 "iptables.g" *dbg << " LENGTH"; #line 2280 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_iprange() { try { // for error handling match(M_IPRANGE); if ( inputState->guessing==0 ) { #line 782 "iptables.g" *dbg << " IPRANGE"; #line 2302 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_comment() { try { // for error handling match(M_COMMENT); match(MATCH_COMMENT); match(STRING); if ( inputState->guessing==0 ) { #line 881 "iptables.g" *dbg << " COMMENT=" << LT(0)->getText(); #line 2326 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_pkttype() { try { // for error handling match(M_PKTTYPE); match(MATCH_PKT_TYPE); pkt_type_spec(); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_unknown_module() { try { // for error handling match(WORD); if ( 
inputState->guessing==0 ) { #line 688 "iptables.g" *dbg << " UNKNOWN MODULE=" << LT(0)->getText(); importer->reportError( std::string("Unknown module: ")+LT(0)->getText()); #line 2367 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::protocol_word() { try { // for error handling { switch ( LA(1)) { case TCP: { match(TCP); break; } case UDP: { match(UDP); break; } case ICMP: { match(ICMP); break; } case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::target_options() { ANTLR_USE_NAMESPACE(antlr)RefToken major = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken minor = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling { switch ( LA(1)) { case REJECT_WITH: { match(REJECT_WITH); match(WORD); if ( inputState->guessing==0 ) { #line 479 "iptables.g" importer->action_params["reject_with"] = LT(0)->getText(); *dbg << " REJECT WITH=" << LT(0)->getText(); #line 2444 "IPTCfgParser.cpp" } break; } case LOG_PREFIX: { match(LOG_PREFIX); { switch ( LA(1)) { case WORD: { match(WORD); break; } case STRING: { match(STRING); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 485 "iptables.g" importer->action_params["log_prefix"] = LT(0)->getText(); *dbg << " LOG PREFIX=" << LT(0)->getText(); #line 2475 "IPTCfgParser.cpp" } break; } case LOG_TCP_SEQ: { match(LOG_TCP_SEQ); if ( inputState->guessing==0 ) { #line 491 "iptables.g" importer->action_params["log_tcp_seq"] = LT(0)->getText(); *dbg << " LOG TCP SEQUENCE="; 
#line 2488 "IPTCfgParser.cpp" } break; } case LOG_TCP_OPT: { match(LOG_TCP_OPT); if ( inputState->guessing==0 ) { #line 497 "iptables.g" importer->action_params["log_tcp_options"] = LT(0)->getText(); *dbg << " LOG TCP OPTIONS="; #line 2501 "IPTCfgParser.cpp" } break; } case LOG_IP_OPT: { match(LOG_IP_OPT); if ( inputState->guessing==0 ) { #line 503 "iptables.g" importer->action_params["log_ip_options"] = LT(0)->getText(); *dbg << " LOG IP OPTIONS="; #line 2514 "IPTCfgParser.cpp" } break; } case ULOG_PREFIX: { match(ULOG_PREFIX); { switch ( LA(1)) { case WORD: { match(WORD); break; } case STRING: { match(STRING); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 509 "iptables.g" importer->action_params["log_prefix"] = LT(0)->getText(); *dbg << " ULOG PREFIX=" << LT(0)->getText(); #line 2545 "IPTCfgParser.cpp" } break; } case LOG_LEVEL: { match(LOG_LEVEL); { switch ( LA(1)) { case INT_CONST: { match(INT_CONST); break; } case WORD: { match(WORD); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 515 "iptables.g" importer->action_params["log_level"] = LT(0)->getText(); *dbg << " LOG LEVEL=" << LT(0)->getText(); #line 2576 "IPTCfgParser.cpp" } break; } case SET_CLASS: { match(SET_CLASS); major = LT(1); match(INT_CONST); match(COLON); minor = LT(1); match(INT_CONST); if ( inputState->guessing==0 ) { #line 521 "iptables.g" importer->action_params["set_class"] = major->getText() + ":" + minor->getText(); *dbg << " SET CLASS=" << major->getText() + ":" + minor->getText(); #line 2595 "IPTCfgParser.cpp" } break; } case SET_MARK: { match(SET_MARK); { switch ( LA(1)) { case INT_CONST: { match(INT_CONST); break; } case HEX_CONST: { match(HEX_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 528 
"iptables.g" importer->action_params["set_mark"] = LT(0)->getText(); *dbg << " SET MARK=" << LT(0)->getText(); #line 2626 "IPTCfgParser.cpp" } break; } case SAVE_MARK: { match(SAVE_MARK); if ( inputState->guessing==0 ) { #line 546 "iptables.g" importer->action_params["connmark_save_mark"] = "--save-mark"; *dbg << " SAVE MARK"; #line 2639 "IPTCfgParser.cpp" } break; } case RESTORE_MARK: { match(RESTORE_MARK); if ( inputState->guessing==0 ) { #line 552 "iptables.g" importer->action_params["connmark_restore_mark"] = "--restore-mark"; *dbg << " RESTORE MARK"; #line 2652 "IPTCfgParser.cpp" } break; } case CONTINUE: { match(CONTINUE); if ( inputState->guessing==0 ) { #line 558 "iptables.g" importer->action_params["route_continue"] = "--continue"; *dbg << " CONTINUE"; #line 2665 "IPTCfgParser.cpp" } break; } case ROUTE_IIF: { match(ROUTE_IIF); match(WORD); if ( inputState->guessing==0 ) { #line 564 "iptables.g" importer->action_params["route_iif"] = LT(0)->getText(); *dbg << " ROUTE_IIF=" << LT(0)->getText(); #line 2679 "IPTCfgParser.cpp" } break; } case ROUTE_OIF: { match(ROUTE_OIF); match(WORD); if ( inputState->guessing==0 ) { #line 570 "iptables.g" importer->action_params["route_oif"] = LT(0)->getText(); *dbg << " ROUTE_OIF=" << LT(0)->getText(); #line 2693 "IPTCfgParser.cpp" } break; } case ROUTE_GW: { match(ROUTE_GW); match(IPV4); if ( inputState->guessing==0 ) { #line 576 "iptables.g" importer->action_params["route_gw"] = LT(0)->getText(); *dbg << " ROUTE_GW=" << LT(0)->getText(); #line 2707 "IPTCfgParser.cpp" } break; } case ROUTE_TEE: { match(ROUTE_TEE); if ( inputState->guessing==0 ) { #line 582 "iptables.g" importer->action_params["route_tee"] = "--tee"; *dbg << " ROUTE_TEE"; #line 2720 "IPTCfgParser.cpp" } break; } case TO_SOURCE: { match(TO_SOURCE); if ( inputState->guessing==0 ) { #line 588 "iptables.g" *dbg << " TO-SOURCE"; #line 2732 "IPTCfgParser.cpp" } nat_spec(); break; } case TO_DESTINATION: { match(TO_DESTINATION); if ( inputState->guessing==0 ) { 
#line 594 "iptables.g" *dbg << " TO-DESTINATION"; #line 2745 "IPTCfgParser.cpp" } nat_spec(); break; } case TO_PORTS: { match(TO_PORTS); redirect_spec(); break; } case TO_NETMAP: { match(TO_NETMAP); if ( inputState->guessing==0 ) { #line 602 "iptables.g" *dbg << " TO-NETMAP"; #line 2764 "IPTCfgParser.cpp" } { match(IPV4); if ( inputState->guessing==0 ) { #line 607 "iptables.g" importer->nat_addr1 = LT(0)->getText(); importer->nat_addr2 = LT(0)->getText(); *dbg << LT(0)->getText(); #line 2775 "IPTCfgParser.cpp" } match(SLASH); { switch ( LA(1)) { case IPV4: { match(IPV4); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 613 "iptables.g" importer->nat_nm = LT(0)->getText(); *dbg << "/" << LT(0)->getText(); #line 2802 "IPTCfgParser.cpp" } } break; } case CLAMP_MSS: { match(CLAMP_MSS); if ( inputState->guessing==0 ) { #line 620 "iptables.g" importer->action_params["clamp-mss-to-pmtu"] = "--clamp-mss-to-pmtu"; *dbg << " TO-NETMAP"; #line 2816 "IPTCfgParser.cpp" } break; } default: if ((LA(1) == SET_TOS) && (LA(2) == HEX_CONST)) { match(SET_TOS); match(HEX_CONST); if ( inputState->guessing==0 ) { #line 534 "iptables.g" importer->action_params["set_tos"] = LT(0)->getText(); *dbg << " SET TOS=" << LT(0)->getText(); #line 2830 "IPTCfgParser.cpp" } } else if ((LA(1) == SET_TOS) && (LA(2) == WORD)) { match(SET_TOS); match(WORD); if ( inputState->guessing==0 ) { #line 540 "iptables.g" importer->action_params["set_tos"] = LT(0)->getText(); *dbg << " SET TOS=" << LT(0)->getText(); #line 2842 "IPTCfgParser.cpp" } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_7); } else { throw; } } } void IPTCfgParser::nat_spec() { try { // for error handling nat_addr_range(); { switch 
( LA(1)) { case COLON: { match(COLON); nat_port_def_with_range(); break; } case NEWLINE: case MINUS: case EXCLAMATION: case UNSUPPORTED_OPTION: case OPT_MODULE: case OPT_SRC: case OPT_DST: case OPT_IN_INTF: case OPT_OUT_INTF: case OPT_PROTO: case OPT_TARGET: case REJECT_WITH: case LOG_PREFIX: case LOG_TCP_SEQ: case LOG_TCP_OPT: case LOG_IP_OPT: case ULOG_PREFIX: case LOG_LEVEL: case SET_CLASS: case SET_MARK: case SET_TOS: case SAVE_MARK: case RESTORE_MARK: case CONTINUE: case ROUTE_IIF: case ROUTE_OIF: case ROUTE_GW: case ROUTE_TEE: case TO_SOURCE: case TO_DESTINATION: case TO_PORTS: case TO_NETMAP: case CLAMP_MSS: case OPT_FRAGM: case MATCH_LIMIT: case MATCH_LIMIT_BURST: case MATCH_IPRANGE_SRC: case MATCH_IPRANGE_DST: case MATCH_LENGTH: case MATCH_SRC_MULTIPORT: case MATCH_DST_MULTIPORT: case MATCH_BOTH_MULTIPORT: case MATCH_ICMP_TYPE: case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: case MATCH_SYN: case MATCH_TCP_FLAGS: case MATCH_TCP_OPTION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 631 "iptables.g" *dbg << " " << importer->nat_addr1 << "-" << importer->nat_addr2 << ":" << importer->nat_port_range_start << "-" << importer->nat_port_range_end; #line 2944 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_7); } else { throw; } } } void IPTCfgParser::redirect_spec() { try { // for error handling nat_port_def_with_range(); if ( inputState->guessing==0 ) { #line 666 "iptables.g" *dbg << " TO-PORTS " << importer->nat_addr1 << "-" << importer->nat_addr2 << ":" << importer->nat_port_range_start << "-" << importer->nat_port_range_end; #line 2973 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_7); } else { throw; } } 
} void IPTCfgParser::nat_addr_range() { ANTLR_USE_NAMESPACE(antlr)RefToken a1 = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken a2 = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling bool synPredMatched67 = false; if (((LA(1) == IPV4) && (LA(2) == MINUS))) { int _m67 = mark(); synPredMatched67 = true; inputState->guessing++; try { { match(IPV4); match(MINUS); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched67 = false; } rewind(_m67); inputState->guessing--; } if ( synPredMatched67 ) { { a1 = LT(1); match(IPV4); match(MINUS); a2 = LT(1); match(IPV4); if ( inputState->guessing==0 ) { #line 647 "iptables.g" importer->nat_port_range_start = ""; importer->nat_port_range_end = ""; importer->nat_addr1 = a1->getText(); importer->nat_addr2 = a2->getText(); #line 3023 "IPTCfgParser.cpp" } } } else if ((LA(1) == IPV4) && (_tokenSet_8.member(LA(2)))) { match(IPV4); if ( inputState->guessing==0 ) { #line 656 "iptables.g" importer->nat_port_range_start = ""; importer->nat_port_range_end = ""; importer->nat_addr1 = LT(0)->getText(); importer->nat_addr2 = LT(0)->getText(); #line 3037 "IPTCfgParser.cpp" } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_8); } else { throw; } } } void IPTCfgParser::nat_port_def_with_range() { try { // for error handling bool synPredMatched137 = false; if (((LA(1) == WORD || LA(1) == INT_CONST) && (LA(2) == MINUS))) { int _m137 = mark(); synPredMatched137 = true; inputState->guessing++; try { { { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(MINUS); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched137 = false; } rewind(_m137); 
inputState->guessing--; } if ( synPredMatched137 ) { { { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1043 "iptables.g" importer->nat_port_range_start = LT(0)->getText(); importer->nat_port_range_end = LT(0)->getText(); *dbg << " PORT=" << LT(0)->getText(); #line 3119 "IPTCfgParser.cpp" } match(MINUS); { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1049 "iptables.g" importer->nat_port_range_end = LT(0)->getText(); *dbg << ":" << LT(0)->getText(); #line 3146 "IPTCfgParser.cpp" } } } else if ((LA(1) == WORD || LA(1) == INT_CONST) && (_tokenSet_7.member(LA(2)))) { { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1056 "iptables.g" importer->nat_port_range_start = LT(0)->getText(); importer->nat_port_range_end = LT(0)->getText(); *dbg << " PORT=" << LT(0)->getText(); #line 3176 "IPTCfgParser.cpp" } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_7); } else { throw; } } } void IPTCfgParser::state_word() { try { // for error handling { switch ( LA(1)) { case INVALID: { match(INVALID); break; } case NEW: { match(NEW); break; } case ESTABLISHED: { match(ESTABLISHED); break; } case RELATED: { match(RELATED); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch 
(ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void IPTCfgParser::m_mark() { try { // for error handling match(M_MARK); if ( inputState->guessing==0 ) { #line 723 "iptables.g" *dbg << " MARK"; #line 3245 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_10); } else { throw; } } } void IPTCfgParser::limit_rate() { try { // for error handling match(INT_CONST); if ( inputState->guessing==0 ) { #line 754 "iptables.g" importer->limit_val = LT(0)->getText(); #line 3265 "IPTCfgParser.cpp" } match(SLASH); match(WORD); if ( inputState->guessing==0 ) { #line 756 "iptables.g" importer->limit_suffix = LT(0)->getText(); #line 3272 "IPTCfgParser.cpp" } if ( inputState->guessing==0 ) { #line 757 "iptables.g" *dbg << " MATCH LIMIT " << importer->limit_val << "/" << importer->limit_suffix; #line 3281 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::m_recent() { try { // for error handling match(M_RECENT); if ( inputState->guessing==0 ) { #line 774 "iptables.g" *dbg << " RECENT"; #line 3303 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_11); } else { throw; } } } void IPTCfgParser::recent_opts() { try { // for error handling switch ( LA(1)) { case MATCH_RECENT_SET: case MATCH_RECENT_RCHECK: case MATCH_RECENT_UPDATE: case MATCH_RECENT_REMOVE: case MATCH_RECENT_RTTL: case RSOURCE: case MATCH_RECENT_RDEST: { recent_args_no_param(); break; } case MATCH_RECENT_NAME: case MATCH_RECENT_SECONDS: case MATCH_RECENT_HITCOUNT: { recent_args_param(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), 
getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_12); } else { throw; } } } void IPTCfgParser::recent_args_no_param() { try { // for error handling { switch ( LA(1)) { case MATCH_RECENT_SET: { match(MATCH_RECENT_SET); break; } case MATCH_RECENT_RCHECK: { match(MATCH_RECENT_RCHECK); break; } case MATCH_RECENT_UPDATE: { match(MATCH_RECENT_UPDATE); break; } case MATCH_RECENT_REMOVE: { match(MATCH_RECENT_REMOVE); break; } case MATCH_RECENT_RTTL: { match(MATCH_RECENT_RTTL); break; } case RSOURCE: { match(RSOURCE); break; } case MATCH_RECENT_RDEST: { match(MATCH_RECENT_RDEST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 826 "iptables.g" importer->recent_match += LT(0)->getText() + " "; #line 3403 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_12); } else { throw; } } } void IPTCfgParser::recent_args_param() { try { // for error handling { switch ( LA(1)) { case MATCH_RECENT_NAME: { match(MATCH_RECENT_NAME); break; } case MATCH_RECENT_SECONDS: { match(MATCH_RECENT_SECONDS); break; } case MATCH_RECENT_HITCOUNT: { match(MATCH_RECENT_HITCOUNT); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 830 "iptables.g" importer->recent_match += LT(0)->getText() + " "; #line 3445 "IPTCfgParser.cpp" } { switch ( LA(1)) { case INT_CONST: { match(INT_CONST); break; } case WORD: { match(WORD); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 832 "iptables.g" importer->recent_match += LT(0)->getText() + " "; #line 3468 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { 
if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_12); } else { throw; } } } void IPTCfgParser::length_spec() { try { // for error handling match(INT_CONST); if ( inputState->guessing==0 ) { #line 849 "iptables.g" importer->length_spec = LT(0)->getText(); #line 3488 "IPTCfgParser.cpp" } match(COLON); match(INT_CONST); if ( inputState->guessing==0 ) { #line 851 "iptables.g" importer->length_spec += ":"; importer->length_spec += LT(0)->getText(); #line 3496 "IPTCfgParser.cpp" } if ( inputState->guessing==0 ) { #line 853 "iptables.g" *dbg << " MATCH LENGTH " << importer->length_spec; #line 3503 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::pkt_type_spec() { try { // for error handling { switch ( LA(1)) { case WORD_BROADCAST: { match(WORD_BROADCAST); break; } case WORD_MULTICAST: { match(WORD_MULTICAST); break; } case WORD_UNICAST: { match(WORD_UNICAST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 864 "iptables.g" importer->pkt_type_spec = LT(0)->getText(); *dbg << " PKT_TYPE " << importer->pkt_type_spec; #line 3548 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } /**************************************************************** * port definition that allows for port range. 
That parser should * recognize constructs * * port1 ---> range_start = range_end = port1 * port1:port2 ---> range_start = port1 range_end = port2 * port1: ---> range_start = port1 range_end = 65535 * :port2 ---> range_start = 0 range_end = port2 */ void IPTCfgParser::port_def_with_range() { try { // for error handling { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1014 "iptables.g" importer->tmp_port_range_start = LT(0)->getText(); importer->tmp_port_range_end = LT(0)->getText(); *dbg << " PORT=" << LT(0)->getText(); #line 3598 "IPTCfgParser.cpp" } { switch ( LA(1)) { case COLON: { match(COLON); { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } case NEWLINE: case MINUS: case EXCLAMATION: case UNSUPPORTED_OPTION: case OPT_MODULE: case OPT_SRC: case OPT_DST: case OPT_IN_INTF: case OPT_OUT_INTF: case OPT_PROTO: case OPT_TARGET: case OPT_FRAGM: case COMMA: case MATCH_LIMIT: case MATCH_LIMIT_BURST: case MATCH_IPRANGE_SRC: case MATCH_IPRANGE_DST: case MATCH_LENGTH: case MATCH_SRC_MULTIPORT: case MATCH_DST_MULTIPORT: case MATCH_BOTH_MULTIPORT: case MATCH_ICMP_TYPE: case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: case MATCH_SYN: case MATCH_TCP_FLAGS: case MATCH_TCP_OPTION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1021 "iptables.g" importer->tmp_port_range_end = LT(0)->getText(); *dbg << ":" << LT(0)->getText(); #line 3661 "IPTCfgParser.cpp" } break; } case NEWLINE: case MINUS: case EXCLAMATION: case UNSUPPORTED_OPTION: case OPT_MODULE: case OPT_SRC: case OPT_DST: case OPT_IN_INTF: case OPT_OUT_INTF: case OPT_PROTO: case OPT_TARGET: case OPT_FRAGM: case COMMA: case MATCH_LIMIT: case 
MATCH_LIMIT_BURST: case MATCH_IPRANGE_SRC: case MATCH_IPRANGE_DST: case MATCH_LENGTH: case MATCH_SRC_MULTIPORT: case MATCH_DST_MULTIPORT: case MATCH_BOTH_MULTIPORT: case MATCH_ICMP_TYPE: case MATCH_SRC_PORT: case MATCH_SRC_PORT_SHORT: case MATCH_DST_PORT: case MATCH_DST_PORT_SHORT: case MATCH_SYN: case MATCH_TCP_FLAGS: case MATCH_TCP_OPTION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void IPTCfgParser::port_def_no_range() { try { // for error handling { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 996 "iptables.g" importer->tmp_port_range_start = LT(0)->getText(); importer->tmp_port_range_end = LT(0)->getText(); *dbg << " PORT=" << LT(0)->getText(); #line 3742 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_0); } else { throw; } } } void IPTCfgParser::port_def_with_incomplete_range() { try { // for error handling match(COLON); { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1030 "iptables.g" importer->tmp_port_range_start = "0"; importer->tmp_port_range_end = LT(0)->getText(); *dbg << "PORT 0:" << LT(0)->getText(); #line 3784 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::syn() { try { // for error handling match(MATCH_SYN); if 
( inputState->guessing==0 ) { #line 1118 "iptables.g" importer->tcp_flags_mask.clear(); importer->tcp_flags_mask.push_back(libfwbuilder::TCPService::SYN); importer->tcp_flags_mask.push_back(libfwbuilder::TCPService::RST); importer->tcp_flags_mask.push_back(libfwbuilder::TCPService::ACK); importer->tcp_flags_comp.clear(); importer->tcp_flags_comp.push_back(libfwbuilder::TCPService::SYN); #line 3812 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::tcp_flags() { try { // for error handling match(MATCH_TCP_FLAGS); tcp_flags_list(); if ( inputState->guessing==0 ) { #line 1169 "iptables.g" importer->tcp_flags_mask = importer->tmp_tcp_flags_list; importer->tmp_tcp_flags_list.clear(); #line 3836 "IPTCfgParser.cpp" } tcp_flags_list(); if ( inputState->guessing==0 ) { #line 1174 "iptables.g" importer->tcp_flags_comp = importer->tmp_tcp_flags_list; importer->tmp_tcp_flags_list.clear(); *dbg << " TCP FLAGS="; foreach(int x, importer->tcp_flags_mask) *dbg << x << "|"; *dbg << " "; foreach(int x, importer->tcp_flags_comp) *dbg << x << "|"; #line 3851 "IPTCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::tcp_option() { try { // for error handling match(MATCH_TCP_OPTION); match(INT_CONST); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void IPTCfgParser::tcp_flag_word() { try { // for error handling { switch ( LA(1)) { case SYN: { match(SYN); if ( inputState->guessing==0 ) { #line 1131 "iptables.g" importer->tmp_tcp_flag_code = libfwbuilder::TCPService::SYN; #line 3891 "IPTCfgParser.cpp" } break; } case ACK: { match(ACK); if ( inputState->guessing==0 ) { #line 1133 
"iptables.g" importer->tmp_tcp_flag_code = libfwbuilder::TCPService::ACK; #line 3901 "IPTCfgParser.cpp" } break; } case FIN: { match(FIN); if ( inputState->guessing==0 ) { #line 1135 "iptables.g" importer->tmp_tcp_flag_code = libfwbuilder::TCPService::FIN; #line 3911 "IPTCfgParser.cpp" } break; } case RST: { match(RST); if ( inputState->guessing==0 ) { #line 1137 "iptables.g" importer->tmp_tcp_flag_code = libfwbuilder::TCPService::RST; #line 3921 "IPTCfgParser.cpp" } break; } case URG: { match(URG); if ( inputState->guessing==0 ) { #line 1139 "iptables.g" importer->tmp_tcp_flag_code = libfwbuilder::TCPService::URG; #line 3931 "IPTCfgParser.cpp" } break; } case PSH: { match(PSH); if ( inputState->guessing==0 ) { #line 1141 "iptables.g" importer->tmp_tcp_flag_code = libfwbuilder::TCPService::PSH; #line 3941 "IPTCfgParser.cpp" } break; } case ALL: { match(ALL); if ( inputState->guessing==0 ) { #line 1143 "iptables.g" importer->tmp_tcp_flag_code = 99; #line 3951 "IPTCfgParser.cpp" } break; } case NONE: { match(NONE); if ( inputState->guessing==0 ) { #line 1145 "iptables.g" importer->tmp_tcp_flag_code = 98; #line 3961 "IPTCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_13); } else { throw; } } } void IPTCfgParser::tcp_flags_list() { try { // for error handling if ( inputState->guessing==0 ) { #line 1150 "iptables.g" importer->tmp_tcp_flags_list.clear(); importer->tmp_tcp_flag_code = 0; #line 3991 "IPTCfgParser.cpp" } tcp_flag_word(); if ( inputState->guessing==0 ) { #line 1155 "iptables.g" importer->tmp_tcp_flags_list.push_back(importer->tmp_tcp_flag_code); #line 3999 "IPTCfgParser.cpp" } { // ( ... 
)* for (;;) { if ((LA(1) == COMMA)) { match(COMMA); tcp_flag_word(); if ( inputState->guessing==0 ) { #line 1160 "iptables.g" importer->tmp_tcp_flags_list.push_back( importer->tmp_tcp_flag_code); #line 4012 "IPTCfgParser.cpp" } } else { goto _loop156; } } _loop156:; } // ( ... )* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_14); } else { throw; } } } void IPTCfgParser::initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& ) { } const char* IPTCfgParser::tokenNames[] = { "<0>", "EOF", "<2>", "NULL_TREE_LOOKAHEAD", "NEWLINE", "NUMBER_SIGN", "IPTABLES_SAVE_HEADER", "THREE_COMPONENT_VERSION", "IPV4", "\"COMMIT\"", "STAR", "WORD", "\"INPUT\"", "\"FORWARD\"", "\"OUTPUT\"", "\"PREROUTING\"", "\"POSTROUTING\"", "COLON", "MINUS", "OPENING_SQUARE", "INT_CONST", "CLOSING_SQUARE", "ADD_RULE", "EXCLAMATION", "UNSUPPORTED_OPTION", "DIGIT", "SLASH", "OPT_MODULE", "OPT_SRC", "OPT_DST", "OPT_IN_INTF", "OPT_OUT_INTF", "\"tcp\"", "\"udp\"", "\"icmp\"", "OPT_PROTO", "OPT_TARGET", "REJECT_WITH", "LOG_PREFIX", "STRING", "LOG_TCP_SEQ", "LOG_TCP_OPT", "LOG_IP_OPT", "ULOG_PREFIX", "LOG_LEVEL", "SET_CLASS", "SET_MARK", "HEX_CONST", "SET_TOS", "SAVE_MARK", "RESTORE_MARK", "CONTINUE", "ROUTE_IIF", "ROUTE_OIF", "ROUTE_GW", "ROUTE_TEE", "TO_SOURCE", "TO_DESTINATION", "TO_PORTS", "TO_NETMAP", "CLAMP_MSS", "OPT_FRAGM", "\"INVALID\"", "\"NEW\"", "\"ESTABLISHED\"", "\"RELATED\"", "\"state\"", "MATCH_STATE", "COMMA", "\"mark\"", "MATCH_MARK", "\"limit\"", "MATCH_LIMIT", "MATCH_LIMIT_BURST", "\"recent\"", "\"iprange\"", "MATCH_IPRANGE_SRC", "MATCH_IPRANGE_DST", "MATCH_RECENT_SET", "MATCH_RECENT_RCHECK", "MATCH_RECENT_UPDATE", "MATCH_RECENT_REMOVE", "MATCH_RECENT_RTTL", "RSOURCE", "MATCH_RECENT_RDEST", "MATCH_RECENT_NAME", "MATCH_RECENT_SECONDS", "MATCH_RECENT_HITCOUNT", "\"length\"", "MATCH_LENGTH", "\"pkttype\"", "MATCH_PKT_TYPE", "\"broadcast\"", "\"multicast\"", "\"unicast\"", "\"multiport\"", 
"\"comment\"", "MATCH_COMMENT", "MATCH_SRC_MULTIPORT", "MATCH_DST_MULTIPORT", "MATCH_BOTH_MULTIPORT", "MATCH_ICMP_TYPE", "MATCH_SRC_PORT", "MATCH_SRC_PORT_SHORT", "MATCH_DST_PORT", "MATCH_DST_PORT_SHORT", "MATCH_SYN", "\"SYN\"", "\"ACK\"", "\"FIN\"", "\"RST\"", "\"URG\"", "\"PSH\"", "\"ALL\"", "\"NONE\"", "MATCH_TCP_FLAGS", "MATCH_TCP_OPTION", "Whitespace", "IPV6", "MAC_ADDRESS", "NEG_INT_CONST", "HEXDIGIT", "NUM_3DIGIT", "NUM_HEX_4DIGIT", "NUMBER", "ULOG_QTHR", "ULOG_NLG", "ULOG_CPR", "PERCENT", "AMPERSAND", "APOSTROPHE", "OPENING_PAREN", "CLOSING_PAREN", "PLUS", "DOT", "SEMICOLON", "LESS_THAN", "EQUALS", "GREATER_THAN", "QUESTION", "COMMERCIAL_AT", "CARET", "UNDERLINE", "OPENING_BRACE", "CLOSING_BRACE", "TILDE", 0 }; const unsigned long IPTCfgParser::_tokenSet_0_data_[] = { 2UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_0(_tokenSet_0_data_,6); const unsigned long IPTCfgParser::_tokenSet_1_data_[] = { 4326962UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE NUMBER_SIGN "COMMIT" STAR COLON ADD_RULE const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_1(_tokenSet_1_data_,6); const unsigned long IPTCfgParser::_tokenSet_2_data_[] = { 4186177536UL, 536870936UL, 33567488UL, 1574908UL, 0UL, 0UL, 0UL, 0UL }; // MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST OPT_IN_INTF // OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM MATCH_LIMIT MATCH_LIMIT_BURST // MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT // MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE MATCH_SRC_PORT // MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN MATCH_TCP_FLAGS // MATCH_TCP_OPTION const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_2(_tokenSet_2_data_,8); const unsigned long IPTCfgParser::_tokenSet_3_data_[] = { 4186179584UL, 536870936UL, 33567488UL, 1574908UL, 0UL, 0UL, 0UL, 0UL }; // WORD MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST // OPT_IN_INTF 
OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM MATCH_LIMIT // MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT // MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE MATCH_SRC_PORT // MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN MATCH_TCP_FLAGS // MATCH_TCP_OPTION const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_3(_tokenSet_3_data_,8); const unsigned long IPTCfgParser::_tokenSet_4_data_[] = { 2048UL, 7UL, 2231371908UL, 1UL, 0UL, 0UL, 0UL, 0UL }; // WORD "tcp" "udp" "icmp" "state" "limit" "iprange" "length" "pkttype" // "multiport" "comment" const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_4(_tokenSet_4_data_,8); const unsigned long IPTCfgParser::_tokenSet_5_data_[] = { 4186177552UL, 536870936UL, 33567488UL, 1574908UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST // OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM MATCH_LIMIT // MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT // MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE MATCH_SRC_PORT // MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN MATCH_TCP_FLAGS // MATCH_TCP_OPTION const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_5(_tokenSet_5_data_,8); const unsigned long IPTCfgParser::_tokenSet_6_data_[] = { 0UL, 536837984UL, 0UL, 0UL, 0UL, 0UL }; // REJECT_WITH LOG_PREFIX LOG_TCP_SEQ LOG_TCP_OPT LOG_IP_OPT ULOG_PREFIX // LOG_LEVEL SET_CLASS SET_MARK SET_TOS SAVE_MARK RESTORE_MARK CONTINUE // ROUTE_IIF ROUTE_OIF ROUTE_GW ROUTE_TEE TO_SOURCE TO_DESTINATION TO_PORTS // TO_NETMAP CLAMP_MSS const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_6(_tokenSet_6_data_,6); const unsigned long IPTCfgParser::_tokenSet_7_data_[] = { 4186177552UL, 1073708920UL, 33567488UL, 1574908UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST // OPT_IN_INTF 
OPT_OUT_INTF OPT_PROTO OPT_TARGET REJECT_WITH LOG_PREFIX // LOG_TCP_SEQ LOG_TCP_OPT LOG_IP_OPT ULOG_PREFIX LOG_LEVEL SET_CLASS SET_MARK // SET_TOS SAVE_MARK RESTORE_MARK CONTINUE ROUTE_IIF ROUTE_OIF ROUTE_GW // ROUTE_TEE TO_SOURCE TO_DESTINATION TO_PORTS TO_NETMAP CLAMP_MSS OPT_FRAGM // MATCH_LIMIT MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH // MATCH_SRC_MULTIPORT MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE // MATCH_SRC_PORT MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT // MATCH_SYN MATCH_TCP_FLAGS MATCH_TCP_OPTION const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_7(_tokenSet_7_data_,8); const unsigned long IPTCfgParser::_tokenSet_8_data_[] = { 4186308624UL, 1073708920UL, 33567488UL, 1574908UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE COLON MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC // OPT_DST OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET REJECT_WITH LOG_PREFIX // LOG_TCP_SEQ LOG_TCP_OPT LOG_IP_OPT ULOG_PREFIX LOG_LEVEL SET_CLASS SET_MARK // SET_TOS SAVE_MARK RESTORE_MARK CONTINUE ROUTE_IIF ROUTE_OIF ROUTE_GW // ROUTE_TEE TO_SOURCE TO_DESTINATION TO_PORTS TO_NETMAP CLAMP_MSS OPT_FRAGM // MATCH_LIMIT MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH // MATCH_SRC_MULTIPORT MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE // MATCH_SRC_PORT MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT // MATCH_SYN MATCH_TCP_FLAGS MATCH_TCP_OPTION const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_8(_tokenSet_8_data_,8); const unsigned long IPTCfgParser::_tokenSet_9_data_[] = { 4186177552UL, 536870936UL, 33567504UL, 1574908UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST // OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM COMMA MATCH_LIMIT // MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT // MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE MATCH_SRC_PORT // 
MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN MATCH_TCP_FLAGS // MATCH_TCP_OPTION const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_9(_tokenSet_9_data_,8); const unsigned long IPTCfgParser::_tokenSet_10_data_[] = { 8388608UL, 0UL, 64UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EXCLAMATION MATCH_MARK const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_10(_tokenSet_10_data_,8); const unsigned long IPTCfgParser::_tokenSet_11_data_[] = { 0UL, 0UL, 16760832UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // MATCH_RECENT_SET MATCH_RECENT_RCHECK MATCH_RECENT_UPDATE MATCH_RECENT_REMOVE // MATCH_RECENT_RTTL RSOURCE MATCH_RECENT_RDEST MATCH_RECENT_NAME MATCH_RECENT_SECONDS // MATCH_RECENT_HITCOUNT const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_11(_tokenSet_11_data_,8); const unsigned long IPTCfgParser::_tokenSet_12_data_[] = { 4186177552UL, 536870936UL, 50328320UL, 1574908UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST // OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM MATCH_LIMIT // MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_RECENT_SET // MATCH_RECENT_RCHECK MATCH_RECENT_UPDATE MATCH_RECENT_REMOVE MATCH_RECENT_RTTL // RSOURCE MATCH_RECENT_RDEST MATCH_RECENT_NAME MATCH_RECENT_SECONDS MATCH_RECENT_HITCOUNT // MATCH_LENGTH MATCH_SRC_MULTIPORT MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT // MATCH_ICMP_TYPE MATCH_SRC_PORT MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT // MATCH_SYN MATCH_TCP_FLAGS MATCH_TCP_OPTION const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_12(_tokenSet_12_data_,8); const unsigned long IPTCfgParser::_tokenSet_13_data_[] = { 4186177552UL, 536870936UL, 33567504UL, 2097148UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST // OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM COMMA MATCH_LIMIT // MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH 
MATCH_SRC_MULTIPORT // MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE MATCH_SRC_PORT // MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN "SYN" // "ACK" "FIN" "RST" "URG" "PSH" "ALL" "NONE" MATCH_TCP_FLAGS MATCH_TCP_OPTION const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_13(_tokenSet_13_data_,8); const unsigned long IPTCfgParser::_tokenSet_14_data_[] = { 4186177552UL, 536870936UL, 33567488UL, 2097148UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST // OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM MATCH_LIMIT // MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT // MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE MATCH_SRC_PORT // MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN "SYN" // "ACK" "FIN" "RST" "URG" "PSH" "ALL" "NONE" MATCH_TCP_FLAGS MATCH_TCP_OPTION const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_14(_tokenSet_14_data_,8); fwbuilder-5.3.7/src/parsers/IPTCfgParser.hpp000066400000000000000000000145041303637203600207300ustar00rootroot00000000000000#ifndef INC_IPTCfgParser_hpp_ #define INC_IPTCfgParser_hpp_ #line 38 "iptables.g" // gets inserted before antlr generated includes in the header // file #include "IPTImporter.h" #line 11 "IPTCfgParser.hpp" #include /* $ANTLR 2.7.7 (20090306): "iptables.g" -> "IPTCfgParser.hpp"$ */ #include #include #include "IPTCfgParserTokenTypes.hpp" #include #line 45 "iptables.g" // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include class IPTImporter; #line 28 "IPTCfgParser.hpp" #line 74 "iptables.g" // gets inserted after generated namespace specifications in the // header file. But outside the generated class. 
#line 34 "IPTCfgParser.hpp" class CUSTOM_API IPTCfgParser : public ANTLR_USE_NAMESPACE(antlr)LLkParser, public IPTCfgParserTokenTypes { #line 91 "iptables.g" // additional methods and members public: std::ostream *dbg; IPTImporter *importer; /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { importer->addMessageToLog("Parser error: " + ex.toString()); std::cerr << ex.toString() << std::endl; } /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser error: " + s); std::cerr << s << std::endl; } /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser warning: " + s); std::cerr << s << std::endl; } #line 38 "IPTCfgParser.hpp" public: void initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& factory ); protected: IPTCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k); public: IPTCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf); protected: IPTCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k); public: IPTCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer); IPTCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state); int getNumTokens() const { return IPTCfgParser::NUM_TOKENS; } const char* getTokenName( int type ) const { if( type > getNumTokens() ) return 0; return IPTCfgParser::tokenNames[type]; } const char* const* getTokenNames() const { return IPTCfgParser::tokenNames; } public: void cfgfile(); public: void comment(); public: void start_table(); public: void create_chain(); public: void add_rule(); public: void commit(); public: void chain_def(); public: void ipt_option(); public: void negation(); public: void module(); public: void match_mark(); public: void match_recent(); public: 
void src(); public: void dst(); public: void i_intf(); public: void o_intf(); public: void proto(); public: void target(); public: void fragm(); public: void icmp_type_spec(); public: void basic_tcp_udp_port_spec(); public: void multiport_tcp_udp_port_spec(); public: void tcp_options(); public: void match_limit(); public: void match_limit_burst(); public: void match_length(); public: void match_iprange_src(); public: void match_iprange_dst(); public: void unknown_option(); public: void unknown_parameter(); public: void m_state(); public: void m_mport(); public: void m_icmp(); public: void m_tcp(); public: void m_udp(); public: void m_limit(); public: void m_length(); public: void m_iprange(); public: void m_comment(); public: void m_pkttype(); public: void m_unknown_module(); public: void protocol_word(); public: void target_options(); public: void nat_spec(); public: void redirect_spec(); public: void nat_addr_range(); public: void nat_port_def_with_range(); public: void state_word(); public: void m_mark(); public: void limit_rate(); public: void m_recent(); public: void recent_opts(); public: void recent_args_no_param(); public: void recent_args_param(); public: void length_spec(); public: void pkt_type_spec(); public: void port_def_with_range(); public: void port_def_no_range(); public: void port_def_with_incomplete_range(); public: void syn(); public: void tcp_flags(); public: void tcp_option(); public: void tcp_flag_word(); public: void tcp_flags_list(); public: ANTLR_USE_NAMESPACE(antlr)RefAST getAST() { return returnAST; } protected: ANTLR_USE_NAMESPACE(antlr)RefAST returnAST; private: static const char* tokenNames[]; #ifndef NO_STATIC_CONSTS static const int NUM_TOKENS = 146; #else enum { NUM_TOKENS = 146 }; #endif static const unsigned long _tokenSet_0_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long 
_tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; static const unsigned long _tokenSet_3_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_3; static const unsigned long _tokenSet_4_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_4; static const unsigned long _tokenSet_5_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_5; static const unsigned long _tokenSet_6_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_6; static const unsigned long _tokenSet_7_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_7; static const unsigned long _tokenSet_8_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_8; static const unsigned long _tokenSet_9_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_9; static const unsigned long _tokenSet_10_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_10; static const unsigned long _tokenSet_11_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_11; static const unsigned long _tokenSet_12_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_12; static const unsigned long _tokenSet_13_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_13; static const unsigned long _tokenSet_14_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_14; }; #endif /*INC_IPTCfgParser_hpp_*/ fwbuilder-5.3.7/src/parsers/IPTCfgParserTokenTypes.hpp000066400000000000000000000061071303637203600227560ustar00rootroot00000000000000#ifndef INC_IPTCfgParserTokenTypes_hpp_ #define INC_IPTCfgParserTokenTypes_hpp_ /* $ANTLR 2.7.7 (20090306): "iptables.g" -> "IPTCfgParserTokenTypes.hpp"$ */ #ifndef CUSTOM_API # define CUSTOM_API #endif #ifdef __cplusplus struct CUSTOM_API IPTCfgParserTokenTypes { #endif enum { EOF_ = 1, NEWLINE = 4, NUMBER_SIGN = 5, IPTABLES_SAVE_HEADER = 6, THREE_COMPONENT_VERSION = 7, IPV4 = 8, COMMIT = 9, STAR = 10, WORD = 11, INPUT = 12, FORWARD = 13, OUTPUT = 
14, PREROUTING = 15, POSTROUTING = 16, COLON = 17, MINUS = 18, OPENING_SQUARE = 19, INT_CONST = 20, CLOSING_SQUARE = 21, ADD_RULE = 22, EXCLAMATION = 23, UNSUPPORTED_OPTION = 24, DIGIT = 25, SLASH = 26, OPT_MODULE = 27, OPT_SRC = 28, OPT_DST = 29, OPT_IN_INTF = 30, OPT_OUT_INTF = 31, TCP = 32, UDP = 33, ICMP = 34, OPT_PROTO = 35, OPT_TARGET = 36, REJECT_WITH = 37, LOG_PREFIX = 38, STRING = 39, LOG_TCP_SEQ = 40, LOG_TCP_OPT = 41, LOG_IP_OPT = 42, ULOG_PREFIX = 43, LOG_LEVEL = 44, SET_CLASS = 45, SET_MARK = 46, HEX_CONST = 47, SET_TOS = 48, SAVE_MARK = 49, RESTORE_MARK = 50, CONTINUE = 51, ROUTE_IIF = 52, ROUTE_OIF = 53, ROUTE_GW = 54, ROUTE_TEE = 55, TO_SOURCE = 56, TO_DESTINATION = 57, TO_PORTS = 58, TO_NETMAP = 59, CLAMP_MSS = 60, OPT_FRAGM = 61, INVALID = 62, NEW = 63, ESTABLISHED = 64, RELATED = 65, M_STATE = 66, MATCH_STATE = 67, COMMA = 68, M_MARK = 69, MATCH_MARK = 70, M_LIMIT = 71, MATCH_LIMIT = 72, MATCH_LIMIT_BURST = 73, M_RECENT = 74, M_IPRANGE = 75, MATCH_IPRANGE_SRC = 76, MATCH_IPRANGE_DST = 77, MATCH_RECENT_SET = 78, MATCH_RECENT_RCHECK = 79, MATCH_RECENT_UPDATE = 80, MATCH_RECENT_REMOVE = 81, MATCH_RECENT_RTTL = 82, RSOURCE = 83, MATCH_RECENT_RDEST = 84, MATCH_RECENT_NAME = 85, MATCH_RECENT_SECONDS = 86, MATCH_RECENT_HITCOUNT = 87, M_LENGTH = 88, MATCH_LENGTH = 89, M_PKTTYPE = 90, MATCH_PKT_TYPE = 91, WORD_BROADCAST = 92, WORD_MULTICAST = 93, WORD_UNICAST = 94, M_MPORT = 95, M_COMMENT = 96, MATCH_COMMENT = 97, MATCH_SRC_MULTIPORT = 98, MATCH_DST_MULTIPORT = 99, MATCH_BOTH_MULTIPORT = 100, MATCH_ICMP_TYPE = 101, MATCH_SRC_PORT = 102, MATCH_SRC_PORT_SHORT = 103, MATCH_DST_PORT = 104, MATCH_DST_PORT_SHORT = 105, MATCH_SYN = 106, SYN = 107, ACK = 108, FIN = 109, RST = 110, URG = 111, PSH = 112, ALL = 113, NONE = 114, MATCH_TCP_FLAGS = 115, MATCH_TCP_OPTION = 116, Whitespace = 117, IPV6 = 118, MAC_ADDRESS = 119, NEG_INT_CONST = 120, HEXDIGIT = 121, NUM_3DIGIT = 122, NUM_HEX_4DIGIT = 123, NUMBER = 124, ULOG_QTHR = 125, ULOG_NLG = 126, ULOG_CPR = 127, 
PERCENT = 128, AMPERSAND = 129, APOSTROPHE = 130, OPENING_PAREN = 131, CLOSING_PAREN = 132, PLUS = 133, DOT = 134, SEMICOLON = 135, LESS_THAN = 136, EQUALS = 137, GREATER_THAN = 138, QUESTION = 139, COMMERCIAL_AT = 140, CARET = 141, UNDERLINE = 142, OPENING_BRACE = 143, CLOSING_BRACE = 144, TILDE = 145, NULL_TREE_LOOKAHEAD = 3 }; #ifdef __cplusplus }; #endif #endif /*INC_IPTCfgParserTokenTypes_hpp_*/ fwbuilder-5.3.7/src/parsers/IPTCfgParserTokenTypes.txt000066400000000000000000000046051303637203600230070ustar00rootroot00000000000000// $ANTLR 2.7.7 (20090306): iptables.g -> IPTCfgParserTokenTypes.txt$ IPTCfgParser // output token vocab name NEWLINE=4 NUMBER_SIGN=5 IPTABLES_SAVE_HEADER=6 THREE_COMPONENT_VERSION=7 IPV4=8 COMMIT="COMMIT"=9 STAR=10 WORD=11 INPUT="INPUT"=12 FORWARD="FORWARD"=13 OUTPUT="OUTPUT"=14 PREROUTING="PREROUTING"=15 POSTROUTING="POSTROUTING"=16 COLON=17 MINUS=18 OPENING_SQUARE=19 INT_CONST=20 CLOSING_SQUARE=21 ADD_RULE=22 EXCLAMATION=23 UNSUPPORTED_OPTION=24 DIGIT=25 SLASH=26 OPT_MODULE=27 OPT_SRC=28 OPT_DST=29 OPT_IN_INTF=30 OPT_OUT_INTF=31 TCP="tcp"=32 UDP="udp"=33 ICMP="icmp"=34 OPT_PROTO=35 OPT_TARGET=36 REJECT_WITH=37 LOG_PREFIX=38 STRING=39 LOG_TCP_SEQ=40 LOG_TCP_OPT=41 LOG_IP_OPT=42 ULOG_PREFIX=43 LOG_LEVEL=44 SET_CLASS=45 SET_MARK=46 HEX_CONST=47 SET_TOS=48 SAVE_MARK=49 RESTORE_MARK=50 CONTINUE=51 ROUTE_IIF=52 ROUTE_OIF=53 ROUTE_GW=54 ROUTE_TEE=55 TO_SOURCE=56 TO_DESTINATION=57 TO_PORTS=58 TO_NETMAP=59 CLAMP_MSS=60 OPT_FRAGM=61 INVALID="INVALID"=62 NEW="NEW"=63 ESTABLISHED="ESTABLISHED"=64 RELATED="RELATED"=65 M_STATE="state"=66 MATCH_STATE=67 COMMA=68 M_MARK="mark"=69 MATCH_MARK=70 M_LIMIT="limit"=71 MATCH_LIMIT=72 MATCH_LIMIT_BURST=73 M_RECENT="recent"=74 M_IPRANGE="iprange"=75 MATCH_IPRANGE_SRC=76 MATCH_IPRANGE_DST=77 MATCH_RECENT_SET=78 MATCH_RECENT_RCHECK=79 MATCH_RECENT_UPDATE=80 MATCH_RECENT_REMOVE=81 MATCH_RECENT_RTTL=82 RSOURCE=83 MATCH_RECENT_RDEST=84 MATCH_RECENT_NAME=85 MATCH_RECENT_SECONDS=86 MATCH_RECENT_HITCOUNT=87 
M_LENGTH="length"=88 MATCH_LENGTH=89 M_PKTTYPE="pkttype"=90 MATCH_PKT_TYPE=91 WORD_BROADCAST="broadcast"=92 WORD_MULTICAST="multicast"=93 WORD_UNICAST="unicast"=94 M_MPORT="multiport"=95 M_COMMENT="comment"=96 MATCH_COMMENT=97 MATCH_SRC_MULTIPORT=98 MATCH_DST_MULTIPORT=99 MATCH_BOTH_MULTIPORT=100 MATCH_ICMP_TYPE=101 MATCH_SRC_PORT=102 MATCH_SRC_PORT_SHORT=103 MATCH_DST_PORT=104 MATCH_DST_PORT_SHORT=105 MATCH_SYN=106 SYN="SYN"=107 ACK="ACK"=108 FIN="FIN"=109 RST="RST"=110 URG="URG"=111 PSH="PSH"=112 ALL="ALL"=113 NONE="NONE"=114 MATCH_TCP_FLAGS=115 MATCH_TCP_OPTION=116 Whitespace=117 IPV6=118 MAC_ADDRESS=119 NEG_INT_CONST=120 HEXDIGIT=121 NUM_3DIGIT=122 NUM_HEX_4DIGIT=123 NUMBER=124 ULOG_QTHR=125 ULOG_NLG=126 ULOG_CPR=127 PERCENT=128 AMPERSAND=129 APOSTROPHE=130 OPENING_PAREN=131 CLOSING_PAREN=132 PLUS=133 DOT=134 SEMICOLON=135 LESS_THAN=136 EQUALS=137 GREATER_THAN=138 QUESTION=139 COMMERCIAL_AT=140 CARET=141 UNDERLINE=142 OPENING_BRACE=143 CLOSING_BRACE=144 TILDE=145 fwbuilder-5.3.7/src/parsers/IfconfigBSDCfgLexer.cpp000066400000000000000000001304241303637203600221670ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20100319): "ifconfig_bsd.g" -> "IfconfigBSDCfgLexer.cpp"$ */ #line 43 "ifconfig_bsd.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "IfconfigBSDCfgLexer.cpp" #include "IfconfigBSDCfgLexer.hpp" #include #include #include #include #include #include #include #line 49 "ifconfig_bsd.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #line 25 "IfconfigBSDCfgLexer.cpp" #line 1 "ifconfig_bsd.g" #line 27 "IfconfigBSDCfgLexer.cpp" IfconfigBSDCfgLexer::IfconfigBSDCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in) : ANTLR_USE_NAMESPACE(antlr)CharScanner(new ANTLR_USE_NAMESPACE(antlr)CharBuffer(in),true) { initLiterals(); } IfconfigBSDCfgLexer::IfconfigBSDCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib) : ANTLR_USE_NAMESPACE(antlr)CharScanner(ib,true) { initLiterals(); } 
IfconfigBSDCfgLexer::IfconfigBSDCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)CharScanner(state,true) { initLiterals(); } void IfconfigBSDCfgLexer::initLiterals() { literals["priority"] = 7; literals["broadcast"] = 21; literals["Scope"] = 35; literals["scopeid"] = 26; literals["Host"] = 30; literals["UP"] = 39; literals["groups"] = 27; literals["HWaddr"] = 49; literals["encap"] = 37; literals["NOARP"] = 43; literals["Mask"] = 34; literals["netmask"] = 19; literals["RUNNING"] = 44; literals["inet"] = 17; literals["media"] = 8; literals["BROADCAST"] = 40; literals["P-t-P"] = 33; literals["prefixlen"] = 25; literals["Loopback"] = 38; literals["Interrupt"] = 48; literals["Bcast"] = 32; literals["mtu"] = 36; literals["inet6"] = 22; literals["status"] = 9; literals["LOOPBACK"] = 42; literals["Link"] = 28; literals["TX"] = 46; literals["addr"] = 31; literals["RX"] = 45; literals["Global"] = 29; literals["POINTOPOINT"] = 41; literals["flags"] = 12; literals["lladdr"] = 50; literals["collisions"] = 47; } ANTLR_USE_NAMESPACE(antlr)RefToken IfconfigBSDCfgLexer::nextToken() { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; for (;;) { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; int _ttype = ANTLR_USE_NAMESPACE(antlr)Token::INVALID_TYPE; resetText(); try { // for lexical and char stream error handling switch ( LA(1)) { case 0x23 /* '#' */ : { mLINE_COMMENT(true); theRetToken=_returnToken; break; } case 0xa /* '\n' */ : case 0xd /* '\r' */ : { mNEWLINE(true); theRetToken=_returnToken; break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : case 0x3a /* ':' */ : case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ 
: case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { mNUMBER_ADDRESS_OR_WORD(true); theRetToken=_returnToken; break; } case 0x25 /* '%' */ : { mPERCENT(true); theRetToken=_returnToken; break; } case 0x26 /* '&' */ : { mAMPERSAND(true); theRetToken=_returnToken; break; } case 0x2a /* '*' */ : { mSTAR(true); theRetToken=_returnToken; break; } case 0x2d /* '-' */ : { mMINUS(true); theRetToken=_returnToken; break; } case 0x2e /* '.' */ : { mDOT(true); theRetToken=_returnToken; break; } case 0x2f /* '/' */ : { mSLASH(true); theRetToken=_returnToken; break; } case 0x3d /* '=' */ : { mEQUAL(true); theRetToken=_returnToken; break; } case 0x3f /* '?' 
*/ : { mQUESTION(true); theRetToken=_returnToken; break; } case 0x28 /* '(' */ : { mOPENING_PAREN(true); theRetToken=_returnToken; break; } case 0x29 /* ')' */ : { mCLOSING_PAREN(true); theRetToken=_returnToken; break; } case 0x5b /* '[' */ : { mOPENING_SQUARE(true); theRetToken=_returnToken; break; } case 0x5d /* ']' */ : { mCLOSING_SQUARE(true); theRetToken=_returnToken; break; } case 0x7b /* '{' */ : { mOPENING_BRACE(true); theRetToken=_returnToken; break; } case 0x7d /* '}' */ : { mCLOSING_BRACE(true); theRetToken=_returnToken; break; } case 0x3c /* '<' */ : { mLESS_THAN(true); theRetToken=_returnToken; break; } case 0x3e /* '>' */ : { mGREATER_THAN(true); theRetToken=_returnToken; break; } default: if ((_tokenSet_0.member(LA(1)))) { mWhitespace(true); theRetToken=_returnToken; } else { if (LA(1)==EOF_CHAR) { uponEOF(); _returnToken = makeToken(ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE); } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } if ( !_returnToken ) goto tryAgain; // found SKIP token _ttype = _returnToken->getType(); _ttype = testLiteralsTable(_ttype); _returnToken->setType(_ttype); return _returnToken; } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& e) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamRecognitionException(e); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamIOException& csie) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamIOException(csie.io); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamException& cse) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamException(cse.getMessage()); } tryAgain:; } } void IfconfigBSDCfgLexer::mLINE_COMMENT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LINE_COMMENT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("#"); { // ( ... 
)* for (;;) { if ((_tokenSet_1.member(LA(1)))) { { match(_tokenSet_1); } } else { goto _loop18; } } _loop18:; } // ( ... )* mNEWLINE(false); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mNEWLINE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEWLINE; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { if ((LA(1) == 0xd /* '\r' */ ) && (LA(2) == 0xa /* '\n' */ )) { match("\r\n"); } else if ((LA(1) == 0xd /* '\r' */ ) && (true)) { match('\r' /* charlit */ ); } else if ((LA(1) == 0xa /* '\n' */ )) { match('\n' /* charlit */ ); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } if ( inputState->guessing==0 ) { #line 388 "ifconfig_bsd.g" newline(); #line 357 "IfconfigBSDCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mWhitespace(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = Whitespace; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { switch ( LA(1)) { case 0x3 /* '\3' */ : case 0x4 /* '\4' */ : case 0x5 /* '\5' */ : case 0x6 /* '\6' */ : case 0x7 /* '\7' */ : case 0x8 /* '\10' */ : { matchRange('\3','\10'); break; } case 0x9 /* '\t' */ : { match('\t' /* charlit */ ); break; } case 0xb /* '\13' */ : { match('\13' /* charlit */ ); break; } case 0xc /* '\14' */ : { match('\14' /* charlit */ ); break; } case 0xe /* '\16' */ : case 
0xf /* '\17' */ : case 0x10 /* '\20' */ : case 0x11 /* '\21' */ : case 0x12 /* '\22' */ : case 0x13 /* '\23' */ : case 0x14 /* '\24' */ : case 0x15 /* '\25' */ : case 0x16 /* '\26' */ : case 0x17 /* '\27' */ : case 0x18 /* '\30' */ : case 0x19 /* '\31' */ : case 0x1a /* '\32' */ : case 0x1b /* '\33' */ : case 0x1c /* '\34' */ : case 0x1d /* '\35' */ : case 0x1e /* '\36' */ : case 0x1f /* '\37' */ : { matchRange('\16','\37'); break; } case 0x20 /* ' ' */ : { match(' ' /* charlit */ ); break; } default: if (((LA(1) >= 0x7f && LA(1) <= 0xff))) { matchRange('\177',static_cast('\377')); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } if ( inputState->guessing==0 ) { #line 294 "ifconfig_bsd.g" _ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP; #line 438 "IfconfigBSDCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mINT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = INT_CONST; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mHEX_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEX_CONST; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = 
makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mNUMBER(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUMBER; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mNEG_INT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEG_INT_CONST; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mCOLON(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = COLON; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mHEX_DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEX_DIGIT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { switch ( LA(1)) { case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : 
case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : { matchRange('a','f'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : { matchRange('A','F'); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mDIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DIGIT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; matchRange('0','9'); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mNUM_3DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUM_3DIGIT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { matchRange('0','9'); } { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { { matchRange('0','9'); } { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { matchRange('0','9'); } else { } } } else { } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); 
_token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mNUM_HEX_4DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUM_HEX_4DIGIT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; mHEX_DIGIT(false); { if ((_tokenSet_2.member(LA(1)))) { { mHEX_DIGIT(false); } { if ((_tokenSet_2.member(LA(1)))) { { mHEX_DIGIT(false); } { if ((_tokenSet_2.member(LA(1)))) { mHEX_DIGIT(false); } else { } } } else { } } } else { } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mMAC_ADDRESS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MAC_ADDRESS; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUMBER_ADDRESS_OR_WORD; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; bool synPredMatched43 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_3.member(LA(2))) && (_tokenSet_3.member(LA(3))))) { int _m43 = mark(); synPredMatched43 = true; inputState->guessing++; try { { mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' 
/* charlit */ ); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched43 = false; } rewind(_m43); inputState->guessing--; } if ( synPredMatched43 ) { { mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); } if ( inputState->guessing==0 ) { #line 336 "ifconfig_bsd.g" _ttype = IPV4; #line 708 "IfconfigBSDCfgLexer.cpp" } } else { bool synPredMatched47 = false; if (((_tokenSet_2.member(LA(1))) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) { int _m47 = mark(); synPredMatched47 = true; inputState->guessing++; try { { mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); { match(_tokenSet_5); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched47 = false; } rewind(_m47); inputState->guessing--; } if ( synPredMatched47 ) { { mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); } if ( inputState->guessing==0 ) { #line 348 "ifconfig_bsd.g" _ttype = MAC_ADDRESS; #line 758 "IfconfigBSDCfgLexer.cpp" } } else { bool synPredMatched50 = false; if (((_tokenSet_2.member(LA(1))) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) { int _m50 = mark(); synPredMatched50 = true; inputState->guessing++; try { { mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched50 = false; } rewind(_m50); inputState->guessing--; } if ( synPredMatched50 ) { { bool synPredMatched55 = false; if 
(((_tokenSet_2.member(LA(1))) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) { int _m55 = mark(); synPredMatched55 = true; inputState->guessing++; try { { { // ( ... )+ int _cnt54=0; for (;;) { if ((_tokenSet_2.member(LA(1)))) { mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); } else { if ( _cnt54>=1 ) { goto _loop54; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt54++; } _loop54:; } // ( ... )+ match(':' /* charlit */ ); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched55 = false; } rewind(_m55); inputState->guessing--; } if ( synPredMatched55 ) { { { // ( ... )+ int _cnt58=0; for (;;) { if ((_tokenSet_2.member(LA(1)))) { mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); } else { if ( _cnt58>=1 ) { goto _loop58; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt58++; } _loop58:; } // ( ... )+ match(':' /* charlit */ ); { if ((_tokenSet_2.member(LA(1)))) { mNUM_HEX_4DIGIT(false); { // ( ... )* for (;;) { if ((LA(1) == 0x3a /* ':' */ )) { match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); } else { goto _loop61; } } _loop61:; } // ( ... )* } else { } } } if ( inputState->guessing==0 ) { #line 357 "ifconfig_bsd.g" _ttype = IPV6; #line 855 "IfconfigBSDCfgLexer.cpp" } } else if ((_tokenSet_2.member(LA(1))) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3)))) { mNUM_HEX_4DIGIT(false); { // ( ... )+ int _cnt63=0; for (;;) { if ((LA(1) == 0x3a /* ':' */ )) { match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); } else { if ( _cnt63>=1 ) { goto _loop63; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt63++; } _loop63:; } // ( ... 
)+ if ( inputState->guessing==0 ) { #line 360 "ifconfig_bsd.g" _ttype = IPV6; #line 878 "IfconfigBSDCfgLexer.cpp" } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } if ( inputState->guessing==0 ) { #line 362 "ifconfig_bsd.g" _ttype = IPV6; #line 889 "IfconfigBSDCfgLexer.cpp" } } else { bool synPredMatched65 = false; if (((LA(1) == 0x3a /* ':' */ ) && (LA(2) == 0x3a /* ':' */ ) && (_tokenSet_2.member(LA(3))))) { int _m65 = mark(); synPredMatched65 = true; inputState->guessing++; try { { match(':' /* charlit */ ); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched65 = false; } rewind(_m65); inputState->guessing--; } if ( synPredMatched65 ) { match(':' /* charlit */ ); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); { // ( ... )* for (;;) { if ((LA(1) == 0x3a /* ':' */ )) { match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); } else { goto _loop67; } } _loop67:; } // ( ... )* if ( inputState->guessing==0 ) { #line 365 "ifconfig_bsd.g" _ttype = IPV6; #line 931 "IfconfigBSDCfgLexer.cpp" } } else { bool synPredMatched73 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_3.member(LA(2))) && (_tokenSet_3.member(LA(3))))) { int _m73 = mark(); synPredMatched73 = true; inputState->guessing++; try { { { // ( ... )+ int _cnt70=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt70>=1 ) { goto _loop70; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt70++; } _loop70:; } // ( ... )+ match('.' /* charlit */ ); { // ( ... 
)+ int _cnt72=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt72>=1 ) { goto _loop72; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt72++; } _loop72:; } // ( ... )+ } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched73 = false; } rewind(_m73); inputState->guessing--; } if ( synPredMatched73 ) { { { // ( ... )+ int _cnt76=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt76>=1 ) { goto _loop76; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt76++; } _loop76:; } // ( ... )+ match('.' /* charlit */ ); { // ( ... )+ int _cnt78=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt78>=1 ) { goto _loop78; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt78++; } _loop78:; } // ( ... )+ } if ( inputState->guessing==0 ) { #line 372 "ifconfig_bsd.g" _ttype = NUMBER; #line 1014 "IfconfigBSDCfgLexer.cpp" } } else if ((LA(1) == 0x3a /* ':' */ ) && (LA(2) == 0x3a /* ':' */ ) && (true)) { match(':' /* charlit */ ); match(':' /* charlit */ ); if ( inputState->guessing==0 ) { #line 367 "ifconfig_bsd.g" _ttype = IPV6; #line 1023 "IfconfigBSDCfgLexer.cpp" } } else if ((LA(1) == 0x30 /* '0' */ ) && (LA(2) == 0x58 /* 'X' */ || LA(2) == 0x78 /* 'x' */ )) { match('0' /* charlit */ ); { switch ( LA(1)) { case 0x78 /* 'x' */ : { match('x' /* charlit */ ); break; } case 0x58 /* 'X' */ : { match('X' /* charlit */ ); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } mHEX_DIGIT(false); { // ( ... 
)* for (;;) { if ((_tokenSet_2.member(LA(1)))) { mHEX_DIGIT(false); } else { goto _loop83; } } _loop83:; } // ( ... )* if ( inputState->guessing==0 ) { #line 376 "ifconfig_bsd.g" _ttype = HEX_CONST; #line 1062 "IfconfigBSDCfgLexer.cpp" } } else if ((LA(1) == 0x3a /* ':' */ ) && (true)) { match(':' /* charlit */ ); if ( inputState->guessing==0 ) { #line 369 "ifconfig_bsd.g" _ttype = COLON; #line 1070 "IfconfigBSDCfgLexer.cpp" } } else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true)) { { // ( ... )+ int _cnt80=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt80>=1 ) { goto _loop80; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt80++; } _loop80:; } // ( ... )+ if ( inputState->guessing==0 ) { #line 374 "ifconfig_bsd.g" _ttype = INT_CONST; #line 1091 "IfconfigBSDCfgLexer.cpp" } } else if ((_tokenSet_6.member(LA(1))) && (true) && (true)) { { switch ( LA(1)) { case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 
0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } { // ( ... )* for (;;) { switch ( LA(1)) { case 0x22 /* '\"' */ : { match('\"' /* charlit */ ); break; } case 0x24 /* '$' */ : { match('$' /* charlit */ ); break; } case 0x25 /* '%' */ : { match('%' /* charlit */ ); break; } case 0x26 /* '&' */ : { match('&' /* charlit */ ); break; } case 0x2d /* '-' */ : { match('-' /* charlit */ ); break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x3b /* ';' */ : { match(';' /* charlit */ ); break; } case 0x3f /* '?' */ : { match('?' 
/* charlit */ ); break; } case 0x40 /* '@' */ : { match('@' /* charlit */ ); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } case 0x5c /* '\\' */ : { match('\\' /* charlit */ ); break; } case 0x5e /* '^' */ : { match('^' /* charlit */ ); break; } case 0x5f /* '_' */ : { match('_' /* charlit */ ); break; } case 0x60 /* '`' */ : { match('`' /* charlit */ ); break; } case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } default: { goto _loop86; } } } _loop86:; } // ( ... 
)* if ( inputState->guessing==0 ) { #line 384 "ifconfig_bsd.g" _ttype = WORD; #line 1311 "IfconfigBSDCfgLexer.cpp" } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } }}}} _ttype = testLiteralsTable(_ttype); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mPERCENT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = PERCENT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('%' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mAMPERSAND(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = AMPERSAND; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('&' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mSTAR(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = STAR; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('*' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); 
_token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mMINUS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MINUS; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('-' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mDOT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DOT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('.' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mSLASH(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = SLASH; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('/' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mEQUAL(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = EQUAL; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('=' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && 
_ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mQUESTION(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = QUESTION; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('?' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mOPENING_PAREN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_PAREN; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('(' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mCLOSING_PAREN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_PAREN; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(')' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mOPENING_SQUARE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_SQUARE; 
ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('[' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mCLOSING_SQUARE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_SQUARE; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(']' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mOPENING_BRACE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_BRACE; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('{' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mCLOSING_BRACE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_BRACE; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('}' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mLESS_THAN(bool _createToken) { int 
_ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LESS_THAN; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('<' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigBSDCfgLexer::mGREATER_THAN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = GREATER_THAN; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('>' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } const unsigned long IfconfigBSDCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL, 2147483648UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14 // 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigBSDCfgLexer::_tokenSet_0(_tokenSet_0_data_,16); const unsigned long IfconfigBSDCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14 // 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! \" # $ % // & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? 
@ A B C D E F G // H const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigBSDCfgLexer::_tokenSet_1(_tokenSet_1_data_,16); const unsigned long IfconfigBSDCfgLexer::_tokenSet_2_data_[] = { 0UL, 67043328UL, 126UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0 1 2 3 4 5 6 7 8 9 A B C D E F const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigBSDCfgLexer::_tokenSet_2(_tokenSet_2_data_,10); const unsigned long IfconfigBSDCfgLexer::_tokenSet_3_data_[] = { 0UL, 67059712UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // . 0 1 2 3 4 5 6 7 8 9 const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigBSDCfgLexer::_tokenSet_3(_tokenSet_3_data_,10); const unsigned long IfconfigBSDCfgLexer::_tokenSet_4_data_[] = { 0UL, 134152192UL, 126UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0 1 2 3 4 5 6 7 8 9 : A B C D E F const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigBSDCfgLexer::_tokenSet_4(_tokenSet_4_data_,10); const unsigned long IfconfigBSDCfgLexer::_tokenSet_5_data_[] = { 4294967288UL, 4227858431UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 0x11 0x12 0x13 // 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! \" # // $ % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 ; < = > ? 
@ A B C D E F // G H const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigBSDCfgLexer::_tokenSet_5(_tokenSet_5_data_,16); const unsigned long IfconfigBSDCfgLexer::_tokenSet_6_data_[] = { 0UL, 0UL, 134217726UL, 134217726UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // A B C D E F G H const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigBSDCfgLexer::_tokenSet_6(_tokenSet_6_data_,10); fwbuilder-5.3.7/src/parsers/IfconfigBSDCfgLexer.hpp000066400000000000000000000072221303637203600221730ustar00rootroot00000000000000#ifndef INC_IfconfigBSDCfgLexer_hpp_ #define INC_IfconfigBSDCfgLexer_hpp_ #line 25 "ifconfig_bsd.g" // gets inserted before antlr generated includes in the header // file #include "IfconfigImporter.h" #line 11 "IfconfigBSDCfgLexer.hpp" #include /* $ANTLR 2.7.7 (20100319): "ifconfig_bsd.g" -> "IfconfigBSDCfgLexer.hpp"$ */ #include #include #include #include "IfconfigBSDCfgParserTokenTypes.hpp" #include #line 32 "ifconfig_bsd.g" // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include #include class IfconfigImporter; #line 29 "IfconfigBSDCfgLexer.hpp" #line 57 "ifconfig_bsd.g" // gets inserted after generated namespace specifications in the // header file. But outside the generated class. 
#line 35 "IfconfigBSDCfgLexer.hpp" class CUSTOM_API IfconfigBSDCfgLexer : public ANTLR_USE_NAMESPACE(antlr)CharScanner, public IfconfigBSDCfgParserTokenTypes { #line 1 "ifconfig_bsd.g" #line 39 "IfconfigBSDCfgLexer.hpp" private: void initLiterals(); public: bool getCaseSensitiveLiterals() const { return true; } public: IfconfigBSDCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in); IfconfigBSDCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib); IfconfigBSDCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state); ANTLR_USE_NAMESPACE(antlr)RefToken nextToken(); public: void mLINE_COMMENT(bool _createToken); public: void mNEWLINE(bool _createToken); public: void mWhitespace(bool _createToken); protected: void mINT_CONST(bool _createToken); protected: void mHEX_CONST(bool _createToken); protected: void mNUMBER(bool _createToken); protected: void mNEG_INT_CONST(bool _createToken); protected: void mCOLON(bool _createToken); protected: void mHEX_DIGIT(bool _createToken); protected: void mDIGIT(bool _createToken); protected: void mNUM_3DIGIT(bool _createToken); protected: void mNUM_HEX_4DIGIT(bool _createToken); protected: void mMAC_ADDRESS(bool _createToken); public: void mNUMBER_ADDRESS_OR_WORD(bool _createToken); public: void mPERCENT(bool _createToken); public: void mAMPERSAND(bool _createToken); public: void mSTAR(bool _createToken); public: void mMINUS(bool _createToken); public: void mDOT(bool _createToken); public: void mSLASH(bool _createToken); public: void mEQUAL(bool _createToken); public: void mQUESTION(bool _createToken); public: void mOPENING_PAREN(bool _createToken); public: void mCLOSING_PAREN(bool _createToken); public: void mOPENING_SQUARE(bool _createToken); public: void mCLOSING_SQUARE(bool _createToken); public: void mOPENING_BRACE(bool _createToken); public: void mCLOSING_BRACE(bool _createToken); public: void mLESS_THAN(bool _createToken); public: void mGREATER_THAN(bool _createToken); private: static const unsigned long _tokenSet_0_data_[]; 
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long _tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; static const unsigned long _tokenSet_3_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_3; static const unsigned long _tokenSet_4_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_4; static const unsigned long _tokenSet_5_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_5; static const unsigned long _tokenSet_6_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_6; }; #endif /*INC_IfconfigBSDCfgLexer_hpp_*/ fwbuilder-5.3.7/src/parsers/IfconfigBSDCfgParser.cpp000066400000000000000000000217061303637203600223460ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20100319): "ifconfig_bsd.g" -> "IfconfigBSDCfgParser.cpp"$ */ #line 43 "ifconfig_bsd.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "IfconfigBSDCfgParser.cpp" #include "IfconfigBSDCfgParser.hpp" #include #include #include #line 49 "ifconfig_bsd.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #line 20 "IfconfigBSDCfgParser.cpp" #line 1 "ifconfig_bsd.g" #line 22 "IfconfigBSDCfgParser.cpp" IfconfigBSDCfgParser::IfconfigBSDCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,k) { } IfconfigBSDCfgParser::IfconfigBSDCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,2) { } IfconfigBSDCfgParser::IfconfigBSDCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,k) { } IfconfigBSDCfgParser::IfconfigBSDCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,2) { } IfconfigBSDCfgParser::IfconfigBSDCfgParser(const 
ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state)
: ANTLR_USE_NAMESPACE(antlr)LLkParser(state,2)
{
}

// Generated by ANTLR 2.7.7 from ifconfig_bsd.g (see the #line directives
// below): change the grammar, not this file.  Every constructor selects
// k=2 token lookahead and leaves the public 'importer' and 'dbg' pointers
// declared in IfconfigBSDCfgParser.hpp unset; the caller must assign
// 'importer' before running any rule, because the rule actions and the
// reportError() overrides dereference it without a null check.
//
// None of the rules below validates token text: whatever the lexer
// produced for an address, netmask, MAC or group name is handed to the
// importer verbatim, so any sanitising has to live in IfconfigImporter.

/**
 * Top-level rule: consumes the token stream one line at a time,
 * dispatching on the first token of the line.  Recognised line kinds go
 * to their own rule; a WORD followed by COLON is an interface header;
 * any other line starting with PRIORITY, MEDIA, STATUS or WORD (token
 * types 7..10) whose second token is in _tokenSet_0 is discarded by
 * unknown_line().  The loop leaves (goto _loop3) on the first token that
 * matches no alternative, which includes EOF.  A recognition error is
 * logged through reportError() and input is skipped up to EOF
 * (_tokenSet_1), so a single malformed line aborts the rest of the parse.
 */
void IfconfigBSDCfgParser::cfgfile() {
	Tracer traceInOut(this, "cfgfile");

	try {      // for error handling
		{ // ( ... )*
		for (;;) {
			switch ( LA(1)) {
			case LINE_COMMENT:
			{
				comment();
				break;
			}
			case LLADDR:
			{
				hwaddr_line();
				break;
			}
			case INET:
			{
				inet_address();
				break;
			}
			case INET6:
			{
				inet6_address();
				break;
			}
			case GROUPS:
			{
				groups();
				break;
			}
			case NEWLINE:
			{
				match(NEWLINE);
				break;
			}
			case DOUBLE_NEWLINE:
			{
				match(DOUBLE_NEWLINE);
				break;
			}
			default:
				if ((LA(1) == WORD) && (LA(2) == COLON)) {
					interface_line();
				}
				else if (((LA(1) >= PRIORITY && LA(1) <= WORD)) && (_tokenSet_0.member(LA(2)))) {
					unknown_line();
				}
			else {
				goto _loop3;
			}
			}
		}
		_loop3:;
		} // ( ... )*
	}
	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
		reportError(ex);
		recover(ex,_tokenSet_1);
	}
}

/**
 * Rule: LINE_COMMENT.  The comment token is consumed and ignored; nothing
 * reaches the importer.  Recovery resynchronises on the start of the next
 * line (_tokenSet_0).
 */
void IfconfigBSDCfgParser::comment() {
	Tracer traceInOut(this, "comment");

	try {      // for error handling
		match(LINE_COMMENT);
	}
	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
		reportError(ex);
		recover(ex,_tokenSet_0);
	}
}

/**
 * Rule: WORD ':' "flags" '=' INT_CONST <rest of line>
 * Starts a new interface in the importer named after the WORD token.
 * The flags value is matched but not captured, and consumeUntil(NEWLINE)
 * throws away everything else on the line; the NEWLINE itself is left
 * for cfgfile() to consume.
 */
void IfconfigBSDCfgParser::interface_line() {
	Tracer traceInOut(this, "interface_line");
	ANTLR_USE_NAMESPACE(antlr)RefToken in = ANTLR_USE_NAMESPACE(antlr)nullToken;
#line 165 "ifconfig_bsd.g"
	InterfaceSpec is;
#line 128 "IfconfigBSDCfgParser.cpp"

	try {      // for error handling
		in = LT(1);
		match(WORD);
		match(COLON);
		match(FLAGS);
		match(EQUAL);
		match(INT_CONST);
#line 168 "ifconfig_bsd.g"
		// interface name and status
		is.name = in->getText();
		importer->newInterface(is);
		consumeUntil(NEWLINE);
#line 144 "IfconfigBSDCfgParser.cpp"
	}
	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
		reportError(ex);
		recover(ex,_tokenSet_0);
	}
}

/**
 * Rule: LLADDR MAC_ADDRESS
 * Passes the MAC_ADDRESS token text to the importer for the interface
 * most recently opened by interface_line().
 */
void IfconfigBSDCfgParser::hwaddr_line() {
	Tracer traceInOut(this, "hwaddr_line");
	ANTLR_USE_NAMESPACE(antlr)RefToken addr = ANTLR_USE_NAMESPACE(antlr)nullToken;

	try {      // for error handling
		match(LLADDR);
		addr = LT(1);
		match(MAC_ADDRESS);
#line 181 "ifconfig_bsd.g"
		importer->HwAddressForCurrentInterface(addr->getText());
#line 164 "IfconfigBSDCfgParser.cpp"
	}
	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
		reportError(ex);
		recover(ex,_tokenSet_0);
	}
}

/**
 * Rule: "inet" IPV4 "netmask" HEX_CONST "broadcast" IPV4
 * Fills an AddressSpec with the three token texts exactly as they appear
 * in the input (the netmask is therefore the hexadecimal HEX_CONST form,
 * presumably converted by the importer) and marks it as an interface
 * configuration.  The "broadcast" clause is mandatory in this rule, so an
 * inet line without it raises a recognition error and is skipped.
 */
void IfconfigBSDCfgParser::inet_address() {
	Tracer traceInOut(this, "inet_address");
	ANTLR_USE_NAMESPACE(antlr)RefToken addr = ANTLR_USE_NAMESPACE(antlr)nullToken;
	ANTLR_USE_NAMESPACE(antlr)RefToken netm = ANTLR_USE_NAMESPACE(antlr)nullToken;
	ANTLR_USE_NAMESPACE(antlr)RefToken bcast = ANTLR_USE_NAMESPACE(antlr)nullToken;
#line 190 "ifconfig_bsd.g"
	AddressSpec as;
#line 179 "IfconfigBSDCfgParser.cpp"

	try {      // for error handling
		match(INET);
		addr = LT(1);
		match(IPV4);
		match(NETMASK);
		netm = LT(1);
		match(HEX_CONST);
		match(BROADCAST);
		bcast = LT(1);
		match(IPV4);
#line 193 "ifconfig_bsd.g"
		as.at = AddressSpec::INTERFACE_CONFIGURATION;
		as.address = addr->getText();
		as.netmask = netm->getText();
		as.broadcast = bcast->getText();
		importer->inetConfigurationForCurrentInterface(as);
#line 199 "IfconfigBSDCfgParser.cpp"
	}
	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
		reportError(ex);
		recover(ex,_tokenSet_0);
	}
}

/**
 * Rule: "inet6" IPV6 '%' WORD "prefixlen" INT_CONST "scopeid" HEX_CONST
 * Only the address and the prefix length reach the importer: the prefix
 * length (an INT_CONST, not a mask) is stored in as.netmask, while the
 * zone name after '%' and the scopeid value are matched and dropped.
 * as.broadcast is left at its default.  Because the '%' WORD part is
 * mandatory here, an inet6 line without a zone suffix does not match
 * this rule.
 */
void IfconfigBSDCfgParser::inet6_address() {
	Tracer traceInOut(this, "inet6_address");
	ANTLR_USE_NAMESPACE(antlr)RefToken addr = ANTLR_USE_NAMESPACE(antlr)nullToken;
	ANTLR_USE_NAMESPACE(antlr)RefToken netm = ANTLR_USE_NAMESPACE(antlr)nullToken;
#line 205 "ifconfig_bsd.g"
	AddressSpec as;
#line 213 "IfconfigBSDCfgParser.cpp"

	try {      // for error handling
		match(INET6);
		addr = LT(1);
		match(IPV6);
		match(PERCENT);
		match(WORD);
		match(PREFIXLEN);
		netm = LT(1);
		match(INT_CONST);
		match(SCOPEID);
		match(HEX_CONST);
#line 208 "ifconfig_bsd.g"
		as.at = AddressSpec::INTERFACE_CONFIGURATION;
		as.address = addr->getText();
		as.netmask = netm->getText();
		importer->inet6ConfigurationForCurrentInterface(as);
#line 233 "IfconfigBSDCfgParser.cpp"
	}
	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
		reportError(ex);
		recover(ex,_tokenSet_0);
	}
}

/**
 * Rule: "groups" ':' groups_list NEWLINE
 * Unlike the other line rules this one consumes its own terminating
 * NEWLINE, because groups_list() stops only at a non-WORD token.
 */
void IfconfigBSDCfgParser::groups() {
	Tracer traceInOut(this, "groups");

	try {      // for error handling
		match(GROUPS);
		match(COLON);
		groups_list();
		match(NEWLINE);
	}
	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
		reportError(ex);
		recover(ex,_tokenSet_0);
	}
}

/**
 * Rule: ( "priority" | "media" | "status" | WORD ) <rest of line>
 * Swallows a line the grammar has no use for: the leading keyword is
 * matched and consumeUntil(NEWLINE) discards the remainder.  Nothing is
 * logged for such lines, so unexpected ifconfig output disappears
 * quietly rather than producing a parse message.  The NoViableAlt branch
 * is the generated default; cfgfile() only calls this rule when LA(1) is
 * one of the four listed types, so it is not expected to fire from there.
 */
void IfconfigBSDCfgParser::unknown_line() {
	Tracer traceInOut(this, "unknown_line");

	try {      // for error handling
		{
		switch ( LA(1)) {
		case PRIORITY:
		{
			match(PRIORITY);
			break;
		}
		case MEDIA:
		{
			match(MEDIA);
			break;
		}
		case STATUS:
		{
			match(STATUS);
			break;
		}
		case WORD:
		{
			match(WORD);
			break;
		}
		default:
		{
			throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
		}
		}
		}
#line 152 "ifconfig_bsd.g"
		consumeUntil(NEWLINE);
#line 292 "IfconfigBSDCfgParser.cpp"
	}
	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
		reportError(ex);
		recover(ex,_tokenSet_0);
	}
}

/**
 * Rule: WORD ( WORD )*
 * Adds every WORD on the line to the current interface as a group name.
 * The grammar action relies on LT(0) naming the WORD just consumed; the
 * loop ends (goto _loop14) at the first non-WORD token.  Recovery
 * resynchronises on NEWLINE (_tokenSet_2), which groups() expects next.
 */
void IfconfigBSDCfgParser::groups_list() {
	Tracer traceInOut(this, "groups_list");

	try {      // for error handling
		match(WORD);
#line 224 "ifconfig_bsd.g"
		importer->addGroupToCurrentInterface(LT(0)->getText());
#line 307 "IfconfigBSDCfgParser.cpp"
		{ // ( ... )*
		for (;;) {
			if ((LA(1) == WORD)) {
				match(WORD);
#line 226 "ifconfig_bsd.g"
				importer->addGroupToCurrentInterface(LT(0)->getText());
#line 314 "IfconfigBSDCfgParser.cpp"
			}
			else {
				goto _loop14;
			}

		}
		_loop14:;
		} // ( ... )*
	}
	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
		reportError(ex);
		recover(ex,_tokenSet_2);
	}
}

// Required by the LLkParser interface; this parser builds no AST, so
// there is nothing to register on the factory.
void IfconfigBSDCfgParser::initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& )
{
}

// Human-readable name for each token type, indexed by the values in
// IfconfigBSDCfgParserTokenTypes.hpp (0..72, NUM_TOKENS = 73) and
// terminated by a null pointer; used by getTokenName() for diagnostics.
const char* IfconfigBSDCfgParser::tokenNames[] = {
	"<0>",
	"EOF",
	"<2>",
	"NULL_TREE_LOOKAHEAD",
	"NEWLINE",
	"DOUBLE_NEWLINE",
	"LINE_COMMENT",
	"\"priority\"",
	"\"media\"",
	"\"status\"",
	"WORD",
	"COLON",
	"\"flags\"",
	"EQUAL",
	"INT_CONST",
	"LLADDR",
	"MAC_ADDRESS",
	"\"inet\"",
	"IPV4",
	"\"netmask\"",
	"HEX_CONST",
	"\"broadcast\"",
	"\"inet6\"",
	"IPV6",
	"PERCENT",
	"\"prefixlen\"",
	"\"scopeid\"",
	"\"groups\"",
	"\"Link\"",
	"\"Global\"",
	"\"Host\"",
	"\"addr\"",
	"\"Bcast\"",
	"\"P-t-P\"",
	"\"Mask\"",
	"\"Scope\"",
	"\"mtu\"",
	"\"encap\"",
	"\"Loopback\"",
	"\"UP\"",
	"\"BROADCAST\"",
	"\"POINTOPOINT\"",
	"\"LOOPBACK\"",
	"\"NOARP\"",
	"\"RUNNING\"",
	"\"RX\"",
	"\"TX\"",
	"\"collisions\"",
	"\"Interrupt\"",
	"\"HWaddr\"",
	"\"lladdr\"",
	"Whitespace",
	"NUMBER",
	"NEG_INT_CONST",
	"HEX_DIGIT",
	"DIGIT",
	"NUM_3DIGIT",
	"NUM_HEX_4DIGIT",
	"NUMBER_ADDRESS_OR_WORD",
	"AMPERSAND",
	"STAR",
	"MINUS",
	"DOT",
	"SLASH",
	"QUESTION",
	"OPENING_PAREN",
	"CLOSING_PAREN",
	"OPENING_SQUARE",
	"CLOSING_SQUARE",
	"OPENING_BRACE",
	"CLOSING_BRACE",
	"LESS_THAN",
	"GREATER_THAN",
	0
};

// Follow sets used for error recovery.  Each bit position is a token
// type; the generated comment under each array lists the members.
// _tokenSet_0: tokens that may start a line (or EOF) -- where every
// per-line rule resynchronises after an error.
const unsigned long IfconfigBSDCfgParser::_tokenSet_0_data_[] = { 138577906UL, 0UL, 0UL, 0UL };
// EOF NEWLINE DOUBLE_NEWLINE LINE_COMMENT "priority" "media" "status"
// WORD LLADDR "inet" "inet6" "groups"
const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigBSDCfgParser::_tokenSet_0(_tokenSet_0_data_,4);
// _tokenSet_1: follow set of cfgfile(); recovery skips to end of input.
const unsigned long IfconfigBSDCfgParser::_tokenSet_1_data_[] = { 2UL, 0UL, 0UL, 0UL };
// EOF
const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigBSDCfgParser::_tokenSet_1(_tokenSet_1_data_,4);
// _tokenSet_2: follow set of groups_list(); groups() matches NEWLINE next.
const unsigned long IfconfigBSDCfgParser::_tokenSet_2_data_[] = { 16UL, 0UL, 0UL, 0UL };
// NEWLINE
const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigBSDCfgParser::_tokenSet_2(_tokenSet_2_data_,4);
fwbuilder-5.3.7/src/parsers/IfconfigBSDCfgParser.hpp000066400000000000000000000072341303637203600223530ustar00rootroot00000000000000#ifndef INC_IfconfigBSDCfgParser_hpp_ #define INC_IfconfigBSDCfgParser_hpp_ #line 25 "ifconfig_bsd.g" // gets inserted before antlr generated includes in the header // file #include "IfconfigImporter.h" #line 11 "IfconfigBSDCfgParser.hpp" #include /* $ANTLR 2.7.7 (20100319): "ifconfig_bsd.g" -> "IfconfigBSDCfgParser.hpp"$ */ #include #include #include "IfconfigBSDCfgParserTokenTypes.hpp" #include #line 32 "ifconfig_bsd.g" // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include #include class IfconfigImporter; #line 29 "IfconfigBSDCfgParser.hpp" #line 57 "ifconfig_bsd.g" // gets inserted after generated namespace specifications in the // header file. But outside the generated class. #line 35 "IfconfigBSDCfgParser.hpp" class CUSTOM_API IfconfigBSDCfgParser : public ANTLR_USE_NAMESPACE(antlr)LLkParser, public IfconfigBSDCfgParserTokenTypes { #line 82 "ifconfig_bsd.g" // additional methods and members public: std::ostream *dbg; IfconfigImporter *importer; /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { importer->addMessageToLog("Parser error: " + ex.toString()); std::cerr << ex.toString() << std::endl; } /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser error: " + s); std::cerr << s << std::endl; } /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser warning: " + s); std::cerr << s << std::endl; } #line 39 "IfconfigBSDCfgParser.hpp" public: void initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& factory ); protected: 
IfconfigBSDCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k); public: IfconfigBSDCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf); protected: IfconfigBSDCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k); public: IfconfigBSDCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer); IfconfigBSDCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state); int getNumTokens() const { return IfconfigBSDCfgParser::NUM_TOKENS; } const char* getTokenName( int type ) const { if( type > getNumTokens() ) return 0; return IfconfigBSDCfgParser::tokenNames[type]; } const char* const* getTokenNames() const { return IfconfigBSDCfgParser::tokenNames; } public: void cfgfile(); public: void comment(); public: void interface_line(); public: void hwaddr_line(); public: void inet_address(); public: void inet6_address(); public: void groups(); public: void unknown_line(); public: void groups_list(); public: ANTLR_USE_NAMESPACE(antlr)RefAST getAST() { return returnAST; } protected: ANTLR_USE_NAMESPACE(antlr)RefAST returnAST; private: static const char* tokenNames[]; #ifndef NO_STATIC_CONSTS static const int NUM_TOKENS = 73; #else enum { NUM_TOKENS = 73 }; #endif static const unsigned long _tokenSet_0_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long _tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; }; #endif /*INC_IfconfigBSDCfgParser_hpp_*/ fwbuilder-5.3.7/src/parsers/IfconfigBSDCfgParserTokenTypes.hpp000066400000000000000000000031071303637203600243740ustar00rootroot00000000000000#ifndef INC_IfconfigBSDCfgParserTokenTypes_hpp_ #define INC_IfconfigBSDCfgParserTokenTypes_hpp_ /* $ANTLR 2.7.7 (20100319): "ifconfig_bsd.g" -> "IfconfigBSDCfgParserTokenTypes.hpp"$ */ #ifndef CUSTOM_API # define CUSTOM_API #endif #ifdef __cplusplus struct CUSTOM_API 
IfconfigBSDCfgParserTokenTypes { #endif enum { EOF_ = 1, NEWLINE = 4, DOUBLE_NEWLINE = 5, LINE_COMMENT = 6, PRIORITY = 7, MEDIA = 8, STATUS = 9, WORD = 10, COLON = 11, FLAGS = 12, EQUAL = 13, INT_CONST = 14, LLADDR = 15, MAC_ADDRESS = 16, INET = 17, IPV4 = 18, NETMASK = 19, HEX_CONST = 20, BROADCAST = 21, INET6 = 22, IPV6 = 23, PERCENT = 24, PREFIXLEN = 25, SCOPEID = 26, GROUPS = 27, LINK = 28, GLOBAL = 29, HOST = 30, ADDR = 31, BCAST = 32, P_T_P = 33, MASK = 34, SCOPE = 35, MTU = 36, ENCAP = 37, LOOPBACK = 38, UP = 39, UPPER_BROADCAST = 40, UPPER_POINTOPOINT = 41, UPPER_LOOPBACK = 42, UPPER_NOARP = 43, UPPER_RUNNING = 44, RX = 45, TX = 46, COLLISIONS = 47, INTERRUPT = 48, HWADDR = 49, LLADR = 50, Whitespace = 51, NUMBER = 52, NEG_INT_CONST = 53, HEX_DIGIT = 54, DIGIT = 55, NUM_3DIGIT = 56, NUM_HEX_4DIGIT = 57, NUMBER_ADDRESS_OR_WORD = 58, AMPERSAND = 59, STAR = 60, MINUS = 61, DOT = 62, SLASH = 63, QUESTION = 64, OPENING_PAREN = 65, CLOSING_PAREN = 66, OPENING_SQUARE = 67, CLOSING_SQUARE = 68, OPENING_BRACE = 69, CLOSING_BRACE = 70, LESS_THAN = 71, GREATER_THAN = 72, NULL_TREE_LOOKAHEAD = 3 }; #ifdef __cplusplus }; #endif #endif /*INC_IfconfigBSDCfgParserTokenTypes_hpp_*/ fwbuilder-5.3.7/src/parsers/IfconfigBSDCfgParserTokenTypes.txt000066400000000000000000000023511303637203600244240ustar00rootroot00000000000000// $ANTLR 2.7.7 (20100319): ifconfig_bsd.g -> IfconfigBSDCfgParserTokenTypes.txt$ IfconfigBSDCfgParser // output token vocab name NEWLINE=4 DOUBLE_NEWLINE=5 LINE_COMMENT=6 PRIORITY="priority"=7 MEDIA="media"=8 STATUS="status"=9 WORD=10 COLON=11 FLAGS="flags"=12 EQUAL=13 INT_CONST=14 LLADDR=15 MAC_ADDRESS=16 INET="inet"=17 IPV4=18 NETMASK="netmask"=19 HEX_CONST=20 BROADCAST="broadcast"=21 INET6="inet6"=22 IPV6=23 PERCENT=24 PREFIXLEN="prefixlen"=25 SCOPEID="scopeid"=26 GROUPS="groups"=27 LINK="Link"=28 GLOBAL="Global"=29 HOST="Host"=30 ADDR="addr"=31 BCAST="Bcast"=32 P_T_P="P-t-P"=33 MASK="Mask"=34 SCOPE="Scope"=35 MTU="mtu"=36 ENCAP="encap"=37 
LOOPBACK="Loopback"=38 UP="UP"=39 UPPER_BROADCAST="BROADCAST"=40 UPPER_POINTOPOINT="POINTOPOINT"=41 UPPER_LOOPBACK="LOOPBACK"=42 UPPER_NOARP="NOARP"=43 UPPER_RUNNING="RUNNING"=44 RX="RX"=45 TX="TX"=46 COLLISIONS="collisions"=47 INTERRUPT="Interrupt"=48 HWADDR="HWaddr"=49 LLADR="lladdr"=50 Whitespace=51 NUMBER=52 NEG_INT_CONST=53 HEX_DIGIT=54 DIGIT=55 NUM_3DIGIT=56 NUM_HEX_4DIGIT=57 NUMBER_ADDRESS_OR_WORD=58 AMPERSAND=59 STAR=60 MINUS=61 DOT=62 SLASH=63 QUESTION=64 OPENING_PAREN=65 CLOSING_PAREN=66 OPENING_SQUARE=67 CLOSING_SQUARE=68 OPENING_BRACE=69 CLOSING_BRACE=70 LESS_THAN=71 GREATER_THAN=72 fwbuilder-5.3.7/src/parsers/IfconfigLinuxCfgLexer.cpp000066400000000000000000001306761303637203600226670ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20100319): "ifconfig_linux.g" -> "IfconfigLinuxCfgLexer.cpp"$ */ #line 43 "ifconfig_linux.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "IfconfigLinuxCfgLexer.cpp" #include "IfconfigLinuxCfgLexer.hpp" #include #include #include #include #include #include #include #line 49 "ifconfig_linux.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #line 25 "IfconfigLinuxCfgLexer.cpp" #line 1 "ifconfig_linux.g" #line 27 "IfconfigLinuxCfgLexer.cpp" IfconfigLinuxCfgLexer::IfconfigLinuxCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in) : ANTLR_USE_NAMESPACE(antlr)CharScanner(new ANTLR_USE_NAMESPACE(antlr)CharBuffer(in),true) { initLiterals(); } IfconfigLinuxCfgLexer::IfconfigLinuxCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib) : ANTLR_USE_NAMESPACE(antlr)CharScanner(ib,true) { initLiterals(); } IfconfigLinuxCfgLexer::IfconfigLinuxCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)CharScanner(state,true) { initLiterals(); } void IfconfigLinuxCfgLexer::initLiterals() { literals["priority"] = 7; literals["broadcast"] = 43; literals["Scope"] = 38; literals["scopeid"] = 46; literals["Host"] = 39; literals["UP"] = 11; 
literals["groups"] = 41; literals["HWaddr"] = 27; literals["encap"] = 26; literals["NOARP"] = 15; literals["Mask"] = 33; literals["netmask"] = 44; literals["RUNNING"] = 16; literals["inet"] = 29; literals["media"] = 8; literals["BROADCAST"] = 12; literals["P-t-P"] = 34; literals["prefixlen"] = 45; literals["Loopback"] = 17; literals["Interrupt"] = 18; literals["Bcast"] = 32; literals["mtu"] = 47; literals["inet6"] = 35; literals["status"] = 9; literals["LOOPBACK"] = 14; literals["Link"] = 25; literals["TX"] = 22; literals["addr"] = 30; literals["RX"] = 21; literals["Global"] = 40; literals["POINTOPOINT"] = 13; literals["flags"] = 42; literals["lladdr"] = 48; literals["collisions"] = 19; } ANTLR_USE_NAMESPACE(antlr)RefToken IfconfigLinuxCfgLexer::nextToken() { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; for (;;) { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; int _ttype = ANTLR_USE_NAMESPACE(antlr)Token::INVALID_TYPE; resetText(); try { // for lexical and char stream error handling switch ( LA(1)) { case 0x23 /* '#' */ : { mLINE_COMMENT(true); theRetToken=_returnToken; break; } case 0xa /* '\n' */ : case 0xd /* '\r' */ : { mNEWLINE(true); theRetToken=_returnToken; break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : case 0x3a /* ':' */ : case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a 
/* 'Z' */ : case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { mNUMBER_ADDRESS_OR_WORD(true); theRetToken=_returnToken; break; } case 0x25 /* '%' */ : { mPERCENT(true); theRetToken=_returnToken; break; } case 0x26 /* '&' */ : { mAMPERSAND(true); theRetToken=_returnToken; break; } case 0x2a /* '*' */ : { mSTAR(true); theRetToken=_returnToken; break; } case 0x2d /* '-' */ : { mMINUS(true); theRetToken=_returnToken; break; } case 0x2e /* '.' */ : { mDOT(true); theRetToken=_returnToken; break; } case 0x2f /* '/' */ : { mSLASH(true); theRetToken=_returnToken; break; } case 0x3d /* '=' */ : { mEQUAL(true); theRetToken=_returnToken; break; } case 0x3f /* '?' 
*/ : { mQUESTION(true); theRetToken=_returnToken; break; } case 0x28 /* '(' */ : { mOPENING_PAREN(true); theRetToken=_returnToken; break; } case 0x29 /* ')' */ : { mCLOSING_PAREN(true); theRetToken=_returnToken; break; } case 0x5b /* '[' */ : { mOPENING_SQUARE(true); theRetToken=_returnToken; break; } case 0x5d /* ']' */ : { mCLOSING_SQUARE(true); theRetToken=_returnToken; break; } case 0x7b /* '{' */ : { mOPENING_BRACE(true); theRetToken=_returnToken; break; } case 0x7d /* '}' */ : { mCLOSING_BRACE(true); theRetToken=_returnToken; break; } case 0x3c /* '<' */ : { mLESS_THAN(true); theRetToken=_returnToken; break; } case 0x3e /* '>' */ : { mGREATER_THAN(true); theRetToken=_returnToken; break; } default: if ((_tokenSet_0.member(LA(1)))) { mWhitespace(true); theRetToken=_returnToken; } else { if (LA(1)==EOF_CHAR) { uponEOF(); _returnToken = makeToken(ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE); } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } if ( !_returnToken ) goto tryAgain; // found SKIP token _ttype = _returnToken->getType(); _ttype = testLiteralsTable(_ttype); _returnToken->setType(_ttype); return _returnToken; } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& e) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamRecognitionException(e); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamIOException& csie) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamIOException(csie.io); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamException& cse) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamException(cse.getMessage()); } tryAgain:; } } void IfconfigLinuxCfgLexer::mLINE_COMMENT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LINE_COMMENT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("#"); { // ( ... 
)* for (;;) { if ((_tokenSet_1.member(LA(1)))) { { match(_tokenSet_1); } } else { goto _loop32; } } _loop32:; } // ( ... )* mNEWLINE(false); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mNEWLINE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEWLINE; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { if ((LA(1) == 0xd /* '\r' */ ) && (LA(2) == 0xa /* '\n' */ )) { match("\r\n"); } else if ((LA(1) == 0xd /* '\r' */ ) && (true)) { match('\r' /* charlit */ ); } else if ((LA(1) == 0xa /* '\n' */ )) { match('\n' /* charlit */ ); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } if ( inputState->guessing==0 ) { #line 448 "ifconfig_linux.g" newline(); #line 357 "IfconfigLinuxCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mWhitespace(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = Whitespace; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { switch ( LA(1)) { case 0x3 /* '\3' */ : case 0x4 /* '\4' */ : case 0x5 /* '\5' */ : case 0x6 /* '\6' */ : case 0x7 /* '\7' */ : case 0x8 /* '\10' */ : { matchRange('\3','\10'); break; } case 0x9 /* '\t' */ : { match('\t' /* charlit */ ); break; } case 0xb /* '\13' */ : { match('\13' /* charlit */ ); break; } case 0xc /* '\14' */ : { match('\14' /* charlit */ ); break; } case 0xe /* '\16' 
*/ : case 0xf /* '\17' */ : case 0x10 /* '\20' */ : case 0x11 /* '\21' */ : case 0x12 /* '\22' */ : case 0x13 /* '\23' */ : case 0x14 /* '\24' */ : case 0x15 /* '\25' */ : case 0x16 /* '\26' */ : case 0x17 /* '\27' */ : case 0x18 /* '\30' */ : case 0x19 /* '\31' */ : case 0x1a /* '\32' */ : case 0x1b /* '\33' */ : case 0x1c /* '\34' */ : case 0x1d /* '\35' */ : case 0x1e /* '\36' */ : case 0x1f /* '\37' */ : { matchRange('\16','\37'); break; } case 0x20 /* ' ' */ : { match(' ' /* charlit */ ); break; } default: if (((LA(1) >= 0x7f && LA(1) <= 0xff))) { matchRange('\177',static_cast('\377')); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } if ( inputState->guessing==0 ) { #line 354 "ifconfig_linux.g" _ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP; #line 438 "IfconfigLinuxCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mINT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = INT_CONST; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mHEX_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEX_CONST; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token 
= makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mNUMBER(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUMBER; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mNEG_INT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEG_INT_CONST; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mCOLON(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = COLON; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mHEX_DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEX_DIGIT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { switch ( LA(1)) { case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* 
'4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : { matchRange('a','f'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : { matchRange('A','F'); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mDIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DIGIT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; matchRange('0','9'); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mNUM_3DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUM_3DIGIT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { matchRange('0','9'); } { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { { matchRange('0','9'); } { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { matchRange('0','9'); } else { } } } else { } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); 
_token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mNUM_HEX_4DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUM_HEX_4DIGIT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; mHEX_DIGIT(false); { if ((_tokenSet_2.member(LA(1)))) { { mHEX_DIGIT(false); } { if ((_tokenSet_2.member(LA(1)))) { { mHEX_DIGIT(false); } { if ((_tokenSet_2.member(LA(1)))) { mHEX_DIGIT(false); } else { } } } else { } } } else { } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mMAC_ADDRESS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MAC_ADDRESS; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUMBER_ADDRESS_OR_WORD; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; bool synPredMatched57 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_3.member(LA(2))) && (_tokenSet_3.member(LA(3))))) { int _m57 = mark(); synPredMatched57 = true; inputState->guessing++; try { { mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' 
/* charlit */ ); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched57 = false; } rewind(_m57); inputState->guessing--; } if ( synPredMatched57 ) { { mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); } if ( inputState->guessing==0 ) { #line 396 "ifconfig_linux.g" _ttype = IPV4; #line 708 "IfconfigLinuxCfgLexer.cpp" } } else { bool synPredMatched61 = false; if (((_tokenSet_2.member(LA(1))) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) { int _m61 = mark(); synPredMatched61 = true; inputState->guessing++; try { { mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); { match(_tokenSet_5); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched61 = false; } rewind(_m61); inputState->guessing--; } if ( synPredMatched61 ) { { mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); } if ( inputState->guessing==0 ) { #line 408 "ifconfig_linux.g" _ttype = MAC_ADDRESS; #line 758 "IfconfigLinuxCfgLexer.cpp" } } else { bool synPredMatched64 = false; if (((_tokenSet_2.member(LA(1))) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) { int _m64 = mark(); synPredMatched64 = true; inputState->guessing++; try { { mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched64 = false; } rewind(_m64); inputState->guessing--; } if ( synPredMatched64 ) { { bool synPredMatched69 = false; 
if (((_tokenSet_2.member(LA(1))) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) { int _m69 = mark(); synPredMatched69 = true; inputState->guessing++; try { { { // ( ... )+ int _cnt68=0; for (;;) { if ((_tokenSet_2.member(LA(1)))) { mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); } else { if ( _cnt68>=1 ) { goto _loop68; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt68++; } _loop68:; } // ( ... )+ match(':' /* charlit */ ); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched69 = false; } rewind(_m69); inputState->guessing--; } if ( synPredMatched69 ) { { { // ( ... )+ int _cnt72=0; for (;;) { if ((_tokenSet_2.member(LA(1)))) { mNUM_HEX_4DIGIT(false); match(':' /* charlit */ ); } else { if ( _cnt72>=1 ) { goto _loop72; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt72++; } _loop72:; } // ( ... )+ match(':' /* charlit */ ); { if ((_tokenSet_2.member(LA(1)))) { mNUM_HEX_4DIGIT(false); { // ( ... )* for (;;) { if ((LA(1) == 0x3a /* ':' */ )) { match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); } else { goto _loop75; } } _loop75:; } // ( ... )* } else { } } } if ( inputState->guessing==0 ) { #line 417 "ifconfig_linux.g" _ttype = IPV6; #line 855 "IfconfigLinuxCfgLexer.cpp" } } else if ((_tokenSet_2.member(LA(1))) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3)))) { mNUM_HEX_4DIGIT(false); { // ( ... )+ int _cnt77=0; for (;;) { if ((LA(1) == 0x3a /* ':' */ )) { match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); } else { if ( _cnt77>=1 ) { goto _loop77; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt77++; } _loop77:; } // ( ... 
)+ if ( inputState->guessing==0 ) { #line 420 "ifconfig_linux.g" _ttype = IPV6; #line 878 "IfconfigLinuxCfgLexer.cpp" } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } if ( inputState->guessing==0 ) { #line 422 "ifconfig_linux.g" _ttype = IPV6; #line 889 "IfconfigLinuxCfgLexer.cpp" } } else { bool synPredMatched79 = false; if (((LA(1) == 0x3a /* ':' */ ) && (LA(2) == 0x3a /* ':' */ ) && (_tokenSet_2.member(LA(3))))) { int _m79 = mark(); synPredMatched79 = true; inputState->guessing++; try { { match(':' /* charlit */ ); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched79 = false; } rewind(_m79); inputState->guessing--; } if ( synPredMatched79 ) { match(':' /* charlit */ ); match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); { // ( ... )* for (;;) { if ((LA(1) == 0x3a /* ':' */ )) { match(':' /* charlit */ ); mNUM_HEX_4DIGIT(false); } else { goto _loop81; } } _loop81:; } // ( ... )* if ( inputState->guessing==0 ) { #line 425 "ifconfig_linux.g" _ttype = IPV6; #line 931 "IfconfigLinuxCfgLexer.cpp" } } else { bool synPredMatched87 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_3.member(LA(2))) && (_tokenSet_3.member(LA(3))))) { int _m87 = mark(); synPredMatched87 = true; inputState->guessing++; try { { { // ( ... )+ int _cnt84=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt84>=1 ) { goto _loop84; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt84++; } _loop84:; } // ( ... )+ match('.' /* charlit */ ); { // ( ... 
)+ int _cnt86=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt86>=1 ) { goto _loop86; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt86++; } _loop86:; } // ( ... )+ } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched87 = false; } rewind(_m87); inputState->guessing--; } if ( synPredMatched87 ) { { { // ( ... )+ int _cnt90=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt90>=1 ) { goto _loop90; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt90++; } _loop90:; } // ( ... )+ match('.' /* charlit */ ); { // ( ... )+ int _cnt92=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt92>=1 ) { goto _loop92; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt92++; } _loop92:; } // ( ... )+ } if ( inputState->guessing==0 ) { #line 432 "ifconfig_linux.g" _ttype = NUMBER; #line 1014 "IfconfigLinuxCfgLexer.cpp" } } else if ((LA(1) == 0x3a /* ':' */ ) && (LA(2) == 0x3a /* ':' */ ) && (true)) { match(':' /* charlit */ ); match(':' /* charlit */ ); if ( inputState->guessing==0 ) { #line 427 "ifconfig_linux.g" _ttype = IPV6; #line 1023 "IfconfigLinuxCfgLexer.cpp" } } else if ((LA(1) == 0x30 /* '0' */ ) && (LA(2) == 0x58 /* 'X' */ || LA(2) == 0x78 /* 'x' */ )) { match('0' /* charlit */ ); { switch ( LA(1)) { case 0x78 /* 'x' */ : { match('x' /* charlit */ ); break; } case 0x58 /* 'X' */ : { match('X' /* charlit */ ); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } mHEX_DIGIT(false); { // ( ... 
)* for (;;) { if ((_tokenSet_2.member(LA(1)))) { mHEX_DIGIT(false); } else { goto _loop97; } } _loop97:; } // ( ... )* if ( inputState->guessing==0 ) { #line 436 "ifconfig_linux.g" _ttype = HEX_CONST; #line 1062 "IfconfigLinuxCfgLexer.cpp" } } else if ((LA(1) == 0x3a /* ':' */ ) && (true)) { match(':' /* charlit */ ); if ( inputState->guessing==0 ) { #line 429 "ifconfig_linux.g" _ttype = COLON; #line 1070 "IfconfigLinuxCfgLexer.cpp" } } else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true)) { { // ( ... )+ int _cnt94=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt94>=1 ) { goto _loop94; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt94++; } _loop94:; } // ( ... )+ if ( inputState->guessing==0 ) { #line 434 "ifconfig_linux.g" _ttype = INT_CONST; #line 1091 "IfconfigLinuxCfgLexer.cpp" } } else if ((_tokenSet_6.member(LA(1))) && (true) && (true)) { { switch ( LA(1)) { case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' 
*/ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } { // ( ... )* for (;;) { switch ( LA(1)) { case 0x22 /* '\"' */ : { match('\"' /* charlit */ ); break; } case 0x24 /* '$' */ : { match('$' /* charlit */ ); break; } case 0x25 /* '%' */ : { match('%' /* charlit */ ); break; } case 0x26 /* '&' */ : { match('&' /* charlit */ ); break; } case 0x2d /* '-' */ : { match('-' /* charlit */ ); break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x3b /* ';' */ : { match(';' /* charlit */ ); break; } case 0x3f /* '?' */ : { match('?' 
/* charlit */ ); break; } case 0x40 /* '@' */ : { match('@' /* charlit */ ); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } case 0x5c /* '\\' */ : { match('\\' /* charlit */ ); break; } case 0x5e /* '^' */ : { match('^' /* charlit */ ); break; } case 0x5f /* '_' */ : { match('_' /* charlit */ ); break; } case 0x60 /* '`' */ : { match('`' /* charlit */ ); break; } case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } default: { goto _loop100; } } } _loop100:; } // ( ... 
)* if ( inputState->guessing==0 ) { #line 444 "ifconfig_linux.g" _ttype = WORD; #line 1311 "IfconfigLinuxCfgLexer.cpp" } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } }}}} _ttype = testLiteralsTable(_ttype); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mPERCENT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = PERCENT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('%' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mAMPERSAND(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = AMPERSAND; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('&' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mSTAR(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = STAR; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('*' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); 
_token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mMINUS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MINUS; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('-' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mDOT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DOT; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('.' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mSLASH(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = SLASH; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('/' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mEQUAL(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = EQUAL; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('=' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken 
&& _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mQUESTION(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = QUESTION; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('?' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mOPENING_PAREN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_PAREN; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('(' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mCLOSING_PAREN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_PAREN; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(')' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mOPENING_SQUARE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_SQUARE; 
ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('[' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mCLOSING_SQUARE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_SQUARE; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(']' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mOPENING_BRACE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_BRACE; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('{' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mCLOSING_BRACE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_BRACE; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('}' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mLESS_THAN(bool _createToken) 
{ int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LESS_THAN; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('<' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } void IfconfigLinuxCfgLexer::mGREATER_THAN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = GREATER_THAN; ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('>' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; _saveIndex=0; } const unsigned long IfconfigLinuxCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL, 2147483648UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14 // 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigLinuxCfgLexer::_tokenSet_0(_tokenSet_0_data_,16); const unsigned long IfconfigLinuxCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14 // 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! \" # $ % // & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? 
@ A B C D E F G const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigLinuxCfgLexer::_tokenSet_1(_tokenSet_1_data_,16); const unsigned long IfconfigLinuxCfgLexer::_tokenSet_2_data_[] = { 0UL, 67043328UL, 126UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0 1 2 3 4 5 6 7 8 9 A B C D E F const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigLinuxCfgLexer::_tokenSet_2(_tokenSet_2_data_,10); const unsigned long IfconfigLinuxCfgLexer::_tokenSet_3_data_[] = { 0UL, 67059712UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // . 0 1 2 3 4 5 6 7 8 9 const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigLinuxCfgLexer::_tokenSet_3(_tokenSet_3_data_,10); const unsigned long IfconfigLinuxCfgLexer::_tokenSet_4_data_[] = { 0UL, 134152192UL, 126UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0 1 2 3 4 5 6 7 8 9 : A B C D E F const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigLinuxCfgLexer::_tokenSet_4(_tokenSet_4_data_,10); const unsigned long IfconfigLinuxCfgLexer::_tokenSet_5_data_[] = { 4294967288UL, 4227858431UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 0x11 0x12 0x13 // 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! \" # // $ % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 ; < = > ? 
@ A B C D E F // G const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigLinuxCfgLexer::_tokenSet_5(_tokenSet_5_data_,16); const unsigned long IfconfigLinuxCfgLexer::_tokenSet_6_data_[] = { 0UL, 0UL, 134217726UL, 134217726UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // A B C D E F G const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigLinuxCfgLexer::_tokenSet_6(_tokenSet_6_data_,10); fwbuilder-5.3.7/src/parsers/IfconfigLinuxCfgLexer.hpp000066400000000000000000000072701303637203600226650ustar00rootroot00000000000000#ifndef INC_IfconfigLinuxCfgLexer_hpp_ #define INC_IfconfigLinuxCfgLexer_hpp_ #line 25 "ifconfig_linux.g" // gets inserted before antlr generated includes in the header // file #include "IfconfigImporter.h" #line 11 "IfconfigLinuxCfgLexer.hpp" #include /* $ANTLR 2.7.7 (20100319): "ifconfig_linux.g" -> "IfconfigLinuxCfgLexer.hpp"$ */ #include #include #include #include "IfconfigLinuxCfgParserTokenTypes.hpp" #include #line 32 "ifconfig_linux.g" // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include #include class IfconfigImporter; #line 29 "IfconfigLinuxCfgLexer.hpp" #line 57 "ifconfig_linux.g" // gets inserted after generated namespace specifications in the // header file. But outside the generated class. 
#line 35 "IfconfigLinuxCfgLexer.hpp" class CUSTOM_API IfconfigLinuxCfgLexer : public ANTLR_USE_NAMESPACE(antlr)CharScanner, public IfconfigLinuxCfgParserTokenTypes { #line 1 "ifconfig_linux.g" #line 39 "IfconfigLinuxCfgLexer.hpp" private: void initLiterals(); public: bool getCaseSensitiveLiterals() const { return true; } public: IfconfigLinuxCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in); IfconfigLinuxCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib); IfconfigLinuxCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state); ANTLR_USE_NAMESPACE(antlr)RefToken nextToken(); public: void mLINE_COMMENT(bool _createToken); public: void mNEWLINE(bool _createToken); public: void mWhitespace(bool _createToken); protected: void mINT_CONST(bool _createToken); protected: void mHEX_CONST(bool _createToken); protected: void mNUMBER(bool _createToken); protected: void mNEG_INT_CONST(bool _createToken); protected: void mCOLON(bool _createToken); protected: void mHEX_DIGIT(bool _createToken); protected: void mDIGIT(bool _createToken); protected: void mNUM_3DIGIT(bool _createToken); protected: void mNUM_HEX_4DIGIT(bool _createToken); protected: void mMAC_ADDRESS(bool _createToken); public: void mNUMBER_ADDRESS_OR_WORD(bool _createToken); public: void mPERCENT(bool _createToken); public: void mAMPERSAND(bool _createToken); public: void mSTAR(bool _createToken); public: void mMINUS(bool _createToken); public: void mDOT(bool _createToken); public: void mSLASH(bool _createToken); public: void mEQUAL(bool _createToken); public: void mQUESTION(bool _createToken); public: void mOPENING_PAREN(bool _createToken); public: void mCLOSING_PAREN(bool _createToken); public: void mOPENING_SQUARE(bool _createToken); public: void mCLOSING_SQUARE(bool _createToken); public: void mOPENING_BRACE(bool _createToken); public: void mCLOSING_BRACE(bool _createToken); public: void mLESS_THAN(bool _createToken); public: void mGREATER_THAN(bool _createToken); private: static const unsigned long 
_tokenSet_0_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long _tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; static const unsigned long _tokenSet_3_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_3; static const unsigned long _tokenSet_4_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_4; static const unsigned long _tokenSet_5_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_5; static const unsigned long _tokenSet_6_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_6; }; #endif /*INC_IfconfigLinuxCfgLexer_hpp_*/ fwbuilder-5.3.7/src/parsers/IfconfigLinuxCfgParser.cpp000066400000000000000000000330461303637203600230350ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20100319): "ifconfig_linux.g" -> "IfconfigLinuxCfgParser.cpp"$ */ #line 43 "ifconfig_linux.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "IfconfigLinuxCfgParser.cpp" #include "IfconfigLinuxCfgParser.hpp" #include #include #include #line 49 "ifconfig_linux.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #line 20 "IfconfigLinuxCfgParser.cpp" #line 1 "ifconfig_linux.g" #line 22 "IfconfigLinuxCfgParser.cpp" IfconfigLinuxCfgParser::IfconfigLinuxCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,k) { } IfconfigLinuxCfgParser::IfconfigLinuxCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,2) { } IfconfigLinuxCfgParser::IfconfigLinuxCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,k) { } IfconfigLinuxCfgParser::IfconfigLinuxCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer) : 
ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,2) { } IfconfigLinuxCfgParser::IfconfigLinuxCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)LLkParser(state,2) { } void IfconfigLinuxCfgParser::cfgfile() { Tracer traceInOut(this, "cfgfile"); try { // for error handling { // ( ... )* for (;;) { switch ( LA(1)) { case LINE_COMMENT: { comment(); break; } case HWADDR: { hwaddr_line(); break; } case INET: { inet_address(); break; } case INET6: { inet6_address(); break; } case GROUPS: { groups(); break; } case UP: case UPPER_BROADCAST: case UPPER_POINTOPOINT: case UPPER_LOOPBACK: case UPPER_NOARP: case UPPER_RUNNING: case LOOPBACK: { interface_flags(); break; } case INTERRUPT: case COLLISIONS: case RX: case TX: { interface_statistics(); break; } case NEWLINE: { match(NEWLINE); break; } case DOUBLE_NEWLINE: { match(DOUBLE_NEWLINE); break; } default: if ((LA(1) == WORD) && (LA(2) == COLON || LA(2) == DOT || LA(2) == LINK)) { interface_line(); } else if (((LA(1) >= PRIORITY && LA(1) <= WORD)) && (_tokenSet_0.member(LA(2)))) { unknown_line(); } else { goto _loop3; } } } _loop3:; } // ( ... 
)* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void IfconfigLinuxCfgParser::comment() { Tracer traceInOut(this, "comment"); try { // for error handling match(LINE_COMMENT); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_0); } } void IfconfigLinuxCfgParser::interface_line() { Tracer traceInOut(this, "interface_line"); ANTLR_USE_NAMESPACE(antlr)RefToken in1 = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken in2 = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken lbl1 = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken lbl2 = ANTLR_USE_NAMESPACE(antlr)nullToken; #line 206 "ifconfig_linux.g" InterfaceSpec is; #line 150 "IfconfigLinuxCfgParser.cpp" try { // for error handling in1 = LT(1); match(WORD); { switch ( LA(1)) { case DOT: { match(DOT); in2 = LT(1); match(INT_CONST); break; } case COLON: case LINK: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case COLON: { match(COLON); { switch ( LA(1)) { case WORD: { lbl1 = LT(1); match(WORD); break; } case INT_CONST: { lbl2 = LT(1); match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case LINK: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(LINK); match(ENCAP); match(COLON); match(WORD); #line 212 "ifconfig_linux.g" // interface name and status if (in2) is.name = in1->getText() + "." 
+ in2->getText(); else is.name = in1->getText(); if (lbl1) is.label = lbl1->getText(); if (lbl2) is.label = lbl2->getText(); importer->newInterface(is); #line 225 "IfconfigLinuxCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_0); } } void IfconfigLinuxCfgParser::hwaddr_line() { Tracer traceInOut(this, "hwaddr_line"); ANTLR_USE_NAMESPACE(antlr)RefToken addr = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(HWADDR); addr = LT(1); match(MAC_ADDRESS); #line 227 "ifconfig_linux.g" importer->HwAddressForCurrentInterface(addr->getText()); #line 245 "IfconfigLinuxCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_0); } } void IfconfigLinuxCfgParser::inet_address() { Tracer traceInOut(this, "inet_address"); ANTLR_USE_NAMESPACE(antlr)RefToken addr = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken bcast = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken netm = ANTLR_USE_NAMESPACE(antlr)nullToken; #line 236 "ifconfig_linux.g" AddressSpec as; #line 260 "IfconfigLinuxCfgParser.cpp" try { // for error handling match(INET); match(ADDR); match(COLON); addr = LT(1); match(IPV4); #line 240 "ifconfig_linux.g" as.at = AddressSpec::INTERFACE_CONFIGURATION; as.address = addr->getText(); #line 273 "IfconfigLinuxCfgParser.cpp" { switch ( LA(1)) { case BCAST: case MASK: { { { switch ( LA(1)) { case BCAST: { match(BCAST); match(COLON); bcast = LT(1); match(IPV4); break; } case MASK: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(MASK); match(COLON); netm = LT(1); match(IPV4); } #line 246 "ifconfig_linux.g" as.netmask = netm->getText(); if (bcast) as.broadcast = bcast->getText(); #line 310 "IfconfigLinuxCfgParser.cpp" break; } case P_T_P: { { match(P_T_P); match(COLON); match(IPV4); match(MASK); match(COLON); match(IPV4); } #line 
252 "ifconfig_linux.g" // we do not support p2p interfaces at this time #line 327 "IfconfigLinuxCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 256 "ifconfig_linux.g" importer->inetConfigurationForCurrentInterface(as); #line 340 "IfconfigLinuxCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_0); } } void IfconfigLinuxCfgParser::inet6_address() { Tracer traceInOut(this, "inet6_address"); ANTLR_USE_NAMESPACE(antlr)RefToken addr = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken netm = ANTLR_USE_NAMESPACE(antlr)nullToken; #line 264 "ifconfig_linux.g" AddressSpec as; #line 354 "IfconfigLinuxCfgParser.cpp" try { // for error handling match(INET6); match(ADDR); match(COLON); addr = LT(1); match(IPV6); match(SLASH); netm = LT(1); match(INT_CONST); match(SCOPE); match(COLON); { switch ( LA(1)) { case HOST: { match(HOST); break; } case LINK: { match(LINK); break; } case GLOBAL: { match(GLOBAL); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 267 "ifconfig_linux.g" as.at = AddressSpec::INTERFACE_CONFIGURATION; as.address = addr->getText(); as.netmask = netm->getText(); importer->inet6ConfigurationForCurrentInterface(as); #line 402 "IfconfigLinuxCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_0); } } void IfconfigLinuxCfgParser::groups() { Tracer traceInOut(this, "groups"); try { // for error handling match(GROUPS); match(COLON); groups_list(); match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_0); } } void IfconfigLinuxCfgParser::interface_flags() { Tracer traceInOut(this, "interface_flags"); try { // for error handling { switch ( LA(1)) { case UP: { match(UP); break; } case 
UPPER_BROADCAST: { match(UPPER_BROADCAST); break; } case UPPER_POINTOPOINT: { match(UPPER_POINTOPOINT); break; } case UPPER_LOOPBACK: { match(UPPER_LOOPBACK); break; } case UPPER_NOARP: { match(UPPER_NOARP); break; } case UPPER_RUNNING: { match(UPPER_RUNNING); break; } case LOOPBACK: { match(LOOPBACK); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 178 "ifconfig_linux.g" consumeUntil(NEWLINE); #line 476 "IfconfigLinuxCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_0); } } void IfconfigLinuxCfgParser::interface_statistics() { Tracer traceInOut(this, "interface_statistics"); try { // for error handling { switch ( LA(1)) { case INTERRUPT: case COLLISIONS: { { { switch ( LA(1)) { case INTERRUPT: { match(INTERRUPT); break; } case COLLISIONS: { match(COLLISIONS); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(COLON); } break; } case RX: { match(RX); break; } case TX: { match(TX); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 192 "ifconfig_linux.g" consumeUntil(NEWLINE); #line 536 "IfconfigLinuxCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_0); } } void IfconfigLinuxCfgParser::unknown_line() { Tracer traceInOut(this, "unknown_line"); try { // for error handling { switch ( LA(1)) { case PRIORITY: { match(PRIORITY); break; } case MEDIA: { match(MEDIA); break; } case STATUS: { match(STATUS); break; } case WORD: { match(WORD); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 156 "ifconfig_linux.g" consumeUntil(NEWLINE); #line 580 "IfconfigLinuxCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_0); } } void 
IfconfigLinuxCfgParser::groups_list() { Tracer traceInOut(this, "groups_list"); try { // for error handling match(WORD); #line 284 "ifconfig_linux.g" importer->addGroupToCurrentInterface(LT(0)->getText()); #line 595 "IfconfigLinuxCfgParser.cpp" { // ( ... )* for (;;) { if ((LA(1) == WORD)) { match(WORD); #line 286 "ifconfig_linux.g" importer->addGroupToCurrentInterface(LT(0)->getText()); #line 602 "IfconfigLinuxCfgParser.cpp" } else { goto _loop28; } } _loop28:; } // ( ... )* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_2); } } void IfconfigLinuxCfgParser::initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& ) { } const char* IfconfigLinuxCfgParser::tokenNames[] = { "<0>", "EOF", "<2>", "NULL_TREE_LOOKAHEAD", "NEWLINE", "DOUBLE_NEWLINE", "LINE_COMMENT", "\"priority\"", "\"media\"", "\"status\"", "WORD", "\"UP\"", "\"BROADCAST\"", "\"POINTOPOINT\"", "\"LOOPBACK\"", "\"NOARP\"", "\"RUNNING\"", "\"Loopback\"", "\"Interrupt\"", "\"collisions\"", "COLON", "\"RX\"", "\"TX\"", "DOT", "INT_CONST", "\"Link\"", "\"encap\"", "\"HWaddr\"", "MAC_ADDRESS", "\"inet\"", "\"addr\"", "IPV4", "\"Bcast\"", "\"Mask\"", "\"P-t-P\"", "\"inet6\"", "IPV6", "SLASH", "\"Scope\"", "\"Host\"", "\"Global\"", "\"groups\"", "\"flags\"", "\"broadcast\"", "\"netmask\"", "\"prefixlen\"", "\"scopeid\"", "\"mtu\"", "\"lladdr\"", "Whitespace", "HEX_CONST", "NUMBER", "NEG_INT_CONST", "HEX_DIGIT", "DIGIT", "NUM_3DIGIT", "NUM_HEX_4DIGIT", "NUMBER_ADDRESS_OR_WORD", "PERCENT", "AMPERSAND", "STAR", "MINUS", "EQUAL", "QUESTION", "OPENING_PAREN", "CLOSING_PAREN", "OPENING_SQUARE", "CLOSING_SQUARE", "OPENING_BRACE", "CLOSING_BRACE", "LESS_THAN", "GREATER_THAN", 0 }; const unsigned long IfconfigLinuxCfgParser::_tokenSet_0_data_[] = { 678428658UL, 520UL, 0UL, 0UL }; // EOF NEWLINE DOUBLE_NEWLINE LINE_COMMENT "priority" "media" "status" // WORD "UP" "BROADCAST" "POINTOPOINT" "LOOPBACK" "NOARP" "RUNNING" "Loopback" // "Interrupt" "collisions" "RX" "TX" 
"HWaddr" "inet" "inet6" "groups" const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigLinuxCfgParser::_tokenSet_0(_tokenSet_0_data_,4); const unsigned long IfconfigLinuxCfgParser::_tokenSet_1_data_[] = { 2UL, 0UL, 0UL, 0UL }; // EOF const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigLinuxCfgParser::_tokenSet_1(_tokenSet_1_data_,4); const unsigned long IfconfigLinuxCfgParser::_tokenSet_2_data_[] = { 16UL, 0UL, 0UL, 0UL }; // NEWLINE const ANTLR_USE_NAMESPACE(antlr)BitSet IfconfigLinuxCfgParser::_tokenSet_2(_tokenSet_2_data_,4); fwbuilder-5.3.7/src/parsers/IfconfigLinuxCfgParser.hpp000066400000000000000000000074231303637203600230420ustar00rootroot00000000000000#ifndef INC_IfconfigLinuxCfgParser_hpp_ #define INC_IfconfigLinuxCfgParser_hpp_ #line 25 "ifconfig_linux.g" // gets inserted before antlr generated includes in the header // file #include "IfconfigImporter.h" #line 11 "IfconfigLinuxCfgParser.hpp" #include /* $ANTLR 2.7.7 (20100319): "ifconfig_linux.g" -> "IfconfigLinuxCfgParser.hpp"$ */ #include #include #include "IfconfigLinuxCfgParserTokenTypes.hpp" #include #line 32 "ifconfig_linux.g" // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include #include class IfconfigImporter; #line 29 "IfconfigLinuxCfgParser.hpp" #line 57 "ifconfig_linux.g" // gets inserted after generated namespace specifications in the // header file. But outside the generated class. 
#line 35 "IfconfigLinuxCfgParser.hpp" class CUSTOM_API IfconfigLinuxCfgParser : public ANTLR_USE_NAMESPACE(antlr)LLkParser, public IfconfigLinuxCfgParserTokenTypes { #line 82 "ifconfig_linux.g" // additional methods and members public: std::ostream *dbg; IfconfigImporter *importer; /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { importer->addMessageToLog("Parser error: " + ex.toString()); std::cerr << ex.toString() << std::endl; } /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser error: " + s); std::cerr << s << std::endl; } /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser warning: " + s); std::cerr << s << std::endl; } #line 39 "IfconfigLinuxCfgParser.hpp" public: void initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& factory ); protected: IfconfigLinuxCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k); public: IfconfigLinuxCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf); protected: IfconfigLinuxCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k); public: IfconfigLinuxCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer); IfconfigLinuxCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state); int getNumTokens() const { return IfconfigLinuxCfgParser::NUM_TOKENS; } const char* getTokenName( int type ) const { if( type > getNumTokens() ) return 0; return IfconfigLinuxCfgParser::tokenNames[type]; } const char* const* getTokenNames() const { return IfconfigLinuxCfgParser::tokenNames; } public: void cfgfile(); public: void comment(); public: void interface_line(); public: void hwaddr_line(); public: void inet_address(); public: void inet6_address(); public: void 
groups(); public: void interface_flags(); public: void interface_statistics(); public: void unknown_line(); public: void groups_list(); public: ANTLR_USE_NAMESPACE(antlr)RefAST getAST() { return returnAST; } protected: ANTLR_USE_NAMESPACE(antlr)RefAST returnAST; private: static const char* tokenNames[]; #ifndef NO_STATIC_CONSTS static const int NUM_TOKENS = 72; #else enum { NUM_TOKENS = 72 }; #endif static const unsigned long _tokenSet_0_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long _tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; }; #endif /*INC_IfconfigLinuxCfgParser_hpp_*/ fwbuilder-5.3.7/src/parsers/IfconfigLinuxCfgParserTokenTypes.hpp000066400000000000000000000031041303637203600250600ustar00rootroot00000000000000#ifndef INC_IfconfigLinuxCfgParserTokenTypes_hpp_ #define INC_IfconfigLinuxCfgParserTokenTypes_hpp_ /* $ANTLR 2.7.7 (20100319): "ifconfig_linux.g" -> "IfconfigLinuxCfgParserTokenTypes.hpp"$ */ #ifndef CUSTOM_API # define CUSTOM_API #endif #ifdef __cplusplus struct CUSTOM_API IfconfigLinuxCfgParserTokenTypes { #endif enum { EOF_ = 1, NEWLINE = 4, DOUBLE_NEWLINE = 5, LINE_COMMENT = 6, PRIORITY = 7, MEDIA = 8, STATUS = 9, WORD = 10, UP = 11, UPPER_BROADCAST = 12, UPPER_POINTOPOINT = 13, UPPER_LOOPBACK = 14, UPPER_NOARP = 15, UPPER_RUNNING = 16, LOOPBACK = 17, INTERRUPT = 18, COLLISIONS = 19, COLON = 20, RX = 21, TX = 22, DOT = 23, INT_CONST = 24, LINK = 25, ENCAP = 26, HWADDR = 27, MAC_ADDRESS = 28, INET = 29, ADDR = 30, IPV4 = 31, BCAST = 32, MASK = 33, P_T_P = 34, INET6 = 35, IPV6 = 36, SLASH = 37, SCOPE = 38, HOST = 39, GLOBAL = 40, GROUPS = 41, FLAGS = 42, BROADCAST = 43, NETMASK = 44, PREFIXLEN = 45, SCOPEID = 46, MTU = 47, LLADR = 48, Whitespace = 49, HEX_CONST = 50, NUMBER = 51, NEG_INT_CONST = 52, HEX_DIGIT = 53, DIGIT = 54, NUM_3DIGIT = 55, NUM_HEX_4DIGIT = 56, 
NUMBER_ADDRESS_OR_WORD = 57, PERCENT = 58, AMPERSAND = 59, STAR = 60, MINUS = 61, EQUAL = 62, QUESTION = 63, OPENING_PAREN = 64, CLOSING_PAREN = 65, OPENING_SQUARE = 66, CLOSING_SQUARE = 67, OPENING_BRACE = 68, CLOSING_BRACE = 69, LESS_THAN = 70, GREATER_THAN = 71, NULL_TREE_LOOKAHEAD = 3 }; #ifdef __cplusplus }; #endif #endif /*INC_IfconfigLinuxCfgParserTokenTypes_hpp_*/ fwbuilder-5.3.7/src/parsers/IfconfigLinuxCfgParserTokenTypes.txt000066400000000000000000000023451303637203600251160ustar00rootroot00000000000000// $ANTLR 2.7.7 (20100319): ifconfig_linux.g -> IfconfigLinuxCfgParserTokenTypes.txt$ IfconfigLinuxCfgParser // output token vocab name NEWLINE=4 DOUBLE_NEWLINE=5 LINE_COMMENT=6 PRIORITY="priority"=7 MEDIA="media"=8 STATUS="status"=9 WORD=10 UP="UP"=11 UPPER_BROADCAST="BROADCAST"=12 UPPER_POINTOPOINT="POINTOPOINT"=13 UPPER_LOOPBACK="LOOPBACK"=14 UPPER_NOARP="NOARP"=15 UPPER_RUNNING="RUNNING"=16 LOOPBACK="Loopback"=17 INTERRUPT="Interrupt"=18 COLLISIONS="collisions"=19 COLON=20 RX="RX"=21 TX="TX"=22 DOT=23 INT_CONST=24 LINK="Link"=25 ENCAP="encap"=26 HWADDR="HWaddr"=27 MAC_ADDRESS=28 INET="inet"=29 ADDR="addr"=30 IPV4=31 BCAST="Bcast"=32 MASK="Mask"=33 P_T_P="P-t-P"=34 INET6="inet6"=35 IPV6=36 SLASH=37 SCOPE="Scope"=38 HOST="Host"=39 GLOBAL="Global"=40 GROUPS="groups"=41 FLAGS="flags"=42 BROADCAST="broadcast"=43 NETMASK="netmask"=44 PREFIXLEN="prefixlen"=45 SCOPEID="scopeid"=46 MTU="mtu"=47 LLADR="lladdr"=48 Whitespace=49 HEX_CONST=50 NUMBER=51 NEG_INT_CONST=52 HEX_DIGIT=53 DIGIT=54 NUM_3DIGIT=55 NUM_HEX_4DIGIT=56 NUMBER_ADDRESS_OR_WORD=57 PERCENT=58 AMPERSAND=59 STAR=60 MINUS=61 EQUAL=62 QUESTION=63 OPENING_PAREN=64 CLOSING_PAREN=65 OPENING_SQUARE=66 CLOSING_SQUARE=67 OPENING_BRACE=68 CLOSING_BRACE=69 LESS_THAN=70 GREATER_THAN=71 fwbuilder-5.3.7/src/parsers/PFCfgLexer.cpp000066400000000000000000001641571303637203600204310ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20100319): "pf.g" -> "PFCfgLexer.cpp"$ */ #line 43 "pf.g" // gets inserted before the antlr 
generated includes in the cpp // file #line 8 "PFCfgLexer.cpp" #include "PFCfgLexer.hpp" #include #include #include #include #include #include #include #line 49 "pf.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #line 25 "PFCfgLexer.cpp" #line 1 "pf.g" #line 27 "PFCfgLexer.cpp" PFCfgLexer::PFCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in) : ANTLR_USE_NAMESPACE(antlr)CharScanner(new ANTLR_USE_NAMESPACE(antlr)CharBuffer(in),true) { initLiterals(); } PFCfgLexer::PFCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib) : ANTLR_USE_NAMESPACE(antlr)CharScanner(ib,true) { initLiterals(); } PFCfgLexer::PFCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)CharScanner(state,true) { initLiterals(); } void PFCfgLexer::initLiterals() { literals["badhead"] = 201; literals["notifications"] = 235; literals["state-policy"] = 26; literals["floating"] = 28; literals["no"] = 84; literals["counters"] = 72; literals["esp"] = 126; literals["routersol"] = 160; literals["frags"] = 60; literals["reply-to"] = 140; literals["icmp.first"] = 49; literals["string-key"] = 99; literals["gre"] = 125; literals["pass"] = 86; literals["scrub"] = 65; literals["warnings"] = 236; literals["include"] = 6; literals["skip"] = 32; literals["timeout"] = 13; literals["eigrp"] = 128; literals["icmp-type"] = 151; literals["transit"] = 199; literals["inet"] = 115; literals["no-df"] = 146; literals["network"] = 77; literals["photuris"] = 176; literals["igmp"] = 120; literals["unreach"] = 154; literals["range"] = 228; literals["rsvp"] = 124; literals["debugging"] = 231; literals["host-tos"] = 189; literals["paramprob"] = 162; literals["user"] = 113; literals["interface"] = 217; literals["adaptive.end"] = 58; literals["limit"] = 21; literals["state-defaults"] = 29; literals["hex-key"] = 98; literals["net-unk"] = 183; literals["antispoof"] = 9; literals["udp.single"] = 47; literals["inforeq"] = 165; literals["ipv6-here"] = 173; 
literals["redir"] = 156; literals["static-port"] = 88; literals["common-adv"] = 198; literals["loginterface"] = 22; literals["ip"] = 118; literals["mobregreq"] = 174; literals["conservative"] = 17; literals["ospf"] = 129; literals["proto-unr"] = 179; literals["peer"] = 79; literals["inforep"] = 166; literals["errors"] = 233; literals["tables-entries"] = 64; literals["any"] = 136; literals["mobregrep"] = 175; literals["label"] = 214; literals["pptp"] = 224; literals["synproxy"] = 212; literals["debug"] = 37; literals["alerts"] = 229; literals["all"] = 112; literals["state"] = 213; literals["tag"] = 209; literals["in"] = 108; literals["tables"] = 63; literals["file"] = 73; literals["nos"] = 221; literals["src-nodes"] = 62; literals["ipv6-where"] = 172; literals["require-order"] = 30; literals["udp"] = 122; literals["states"] = 61; literals["sticky-address"] = 101; literals["return-icmp"] = 106; literals["redir-tos-net"] = 195; literals["pim"] = 223; literals["emergencies"] = 232; literals["squench"] = 155; literals["disable"] = 237; literals["flags"] = 150; literals["tcp"] = 121; literals["net-tos"] = 188; literals["reassemble"] = 38; literals["adaptive.start"] = 57; literals["frag"] = 54; literals["port"] = 92; literals["icmp"] = 119; literals["to"] = 114; literals["return-rst"] = 104; literals["normal-adv"] = 197; literals["optimization"] = 15; literals["log"] = 110; literals["fragment"] = 143; literals["snp"] = 226; literals["broadcast"] = 78; literals["icmp6-type"] = 207; literals["normal"] = 19; literals["code"] = 152; literals["if-bound"] = 27; literals["src.track"] = 56; literals["drop-ovl"] = 145; literals["routeradv"] = 159; literals["other.single"] = 52; literals["dup-to"] = 141; literals["bitmask"] = 95; literals["maskreq"] = 167; literals["ipip"] = 130; literals["tcp.closed"] = 45; literals["block"] = 103; literals["high-latency"] = 18; literals["udp.first"] = 46; literals["badlen"] = 203; literals["tcp.first"] = 40; literals["host-unr"] = 178; 
literals["ah"] = 127; literals["random-id"] = 149; literals["modulate"] = 211; literals["interval"] = 55; literals["maskrep"] = 168; literals["ruleset-optimization"] = 14; literals["trace"] = 169; literals["rip"] = 225; literals["urpf-failed"] = 135; literals["set"] = 12; literals["source-hash"] = 97; literals["critical"] = 230; literals["quit"] = 216; literals["icmp.error"] = 50; literals["const"] = 71; literals["altq"] = 10; literals["tcp.closing"] = 43; literals["port-unr"] = 180; literals["table"] = 67; literals["redir-tos-host"] = 196; literals["fingerprints"] = 31; literals["return"] = 25; literals["optmiss"] = 202; literals["match"] = 66; literals["keep"] = 210; literals["net-prohib"] = 186; literals["inet6"] = 116; literals["group"] = 142; literals["from"] = 134; literals["tcp.finwait"] = 44; literals["hostid"] = 39; literals["proto"] = 117; literals["vrrp"] = 131; literals["drop"] = 24; literals["l2tp"] = 132; literals["max-mss"] = 148; literals["isolate"] = 185; literals["timereq"] = 163; literals["aggressive"] = 16; literals["icmp6"] = 218; literals["echoreq"] = 158; literals["tcp.established"] = 42; literals["decrypt-fail"] = 206; literals["mobredir"] = 171; literals["other.first"] = 51; literals["ipsec"] = 220; literals["no-route"] = 137; literals["random"] = 96; literals["binat"] = 102; literals["srcfail"] = 182; literals["self"] = 80; literals["timerep"] = 164; literals["crop"] = 144; literals["host-preced"] = 191; literals["host"] = 227; literals["echorep"] = 153; literals["other.multiple"] = 53; literals["althost"] = 157; literals["udp.multiple"] = 48; literals["cutoff-preced"] = 192; literals["redir-host"] = 194; literals["rdr"] = 89; literals["tagged"] = 208; literals["on"] = 33; literals["round-robin"] = 100; literals["pcp"] = 222; literals["block-policy"] = 23; literals["persist"] = 70; literals["unknown-ind"] = 204; literals["redir-net"] = 193; literals["filter-prohib"] = 190; literals["nat"] = 85; literals["satellite"] = 20; 
literals["informational"] = 234; literals["needfrag"] = 181; literals["tcp.opening"] = 41; literals["igrp"] = 219; literals["quick"] = 111; literals["timex"] = 161; literals["host-unk"] = 184; literals["route-to"] = 139; literals["dataconv"] = 170; literals["rdp"] = 123; literals["net-unr"] = 177; literals["queue"] = 11; literals["isis"] = 133; literals["reassemb"] = 200; literals["inactive"] = 238; literals["out"] = 109; literals["min-ttl"] = 147; literals["auth-fail"] = 205; literals["exit"] = 215; literals["host-prohib"] = 187; } ANTLR_USE_NAMESPACE(antlr)RefToken PFCfgLexer::nextToken() { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; for (;;) { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; int _ttype = ANTLR_USE_NAMESPACE(antlr)Token::INVALID_TYPE; resetText(); try { // for lexical and char stream error handling switch ( LA(1)) { case 0x23 /* '#' */ : { mCOMMENT_START(true); theRetToken=_returnToken; break; } case 0xa /* '\n' */ : case 0xd /* '\r' */ : { mNEWLINE(true); theRetToken=_returnToken; break; } case 0x24 /* '$' */ : case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : case 0x3a /* ':' */ : case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : 
case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { mNUMBER_ADDRESS_OR_WORD(true); theRetToken=_returnToken; break; } case 0x7c /* '|' */ : { mPIPE_CHAR(true); theRetToken=_returnToken; break; } case 0x25 /* '%' */ : { mPERCENT(true); theRetToken=_returnToken; break; } case 0x26 /* '&' */ : { mAMPERSAND(true); theRetToken=_returnToken; break; } case 0x27 /* '\'' */ : { mAPOSTROPHE(true); theRetToken=_returnToken; break; } case 0x2a /* '*' */ : { mSTAR(true); theRetToken=_returnToken; break; } case 0x2b /* '+' */ : { mPLUS(true); theRetToken=_returnToken; break; } case 0x2c /* ',' */ : { mCOMMA(true); theRetToken=_returnToken; break; } case 0x2d /* '-' */ : { mMINUS(true); theRetToken=_returnToken; break; } case 0x2e /* '.' */ : { mDOT(true); theRetToken=_returnToken; break; } case 0x2f /* '/' */ : { mSLASH(true); theRetToken=_returnToken; break; } case 0x3b /* ';' */ : { mSEMICOLON(true); theRetToken=_returnToken; break; } case 0x3d /* '=' */ : { mEQUAL(true); theRetToken=_returnToken; break; } case 0x3f /* '?' 
*/ : { mQUESTION(true); theRetToken=_returnToken; break; } case 0x40 /* '@' */ : { mCOMMERCIAL_AT(true); theRetToken=_returnToken; break; } case 0x28 /* '(' */ : { mOPENING_PAREN(true); theRetToken=_returnToken; break; } case 0x29 /* ')' */ : { mCLOSING_PAREN(true); theRetToken=_returnToken; break; } case 0x5b /* '[' */ : { mOPENING_SQUARE(true); theRetToken=_returnToken; break; } case 0x5d /* ']' */ : { mCLOSING_SQUARE(true); theRetToken=_returnToken; break; } case 0x7b /* '{' */ : { mOPENING_BRACE(true); theRetToken=_returnToken; break; } case 0x7d /* '}' */ : { mCLOSING_BRACE(true); theRetToken=_returnToken; break; } case 0x5e /* '^' */ : { mCARET(true); theRetToken=_returnToken; break; } case 0x5f /* '_' */ : { mUNDERLINE(true); theRetToken=_returnToken; break; } case 0x7e /* '~' */ : { mTILDE(true); theRetToken=_returnToken; break; } case 0x21 /* '!' */ : { mEXLAMATION(true); theRetToken=_returnToken; break; } case 0x3c /* '<' */ : { mLESS_THAN(true); theRetToken=_returnToken; break; } case 0x3e /* '>' */ : { mGREATER_THAN(true); theRetToken=_returnToken; break; } default: if ((LA(1) == 0x22 /* '\"' */ ) && ((LA(2) >= 0x3 /* '\3' */ && LA(2) <= 0xff))) { mSTRING(true); theRetToken=_returnToken; } else if ((_tokenSet_0.member(LA(1)))) { mWhitespace(true); theRetToken=_returnToken; } else if ((LA(1) == 0x22 /* '\"' */ ) && (true)) { mDOUBLE_QUOTE(true); theRetToken=_returnToken; } else { if (LA(1)==EOF_CHAR) { uponEOF(); _returnToken = makeToken(ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE); } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } if ( !_returnToken ) goto tryAgain; // found SKIP token _ttype = _returnToken->getType(); _ttype = testLiteralsTable(_ttype); _returnToken->setType(_ttype); return _returnToken; } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& e) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamRecognitionException(e); } catch 
(ANTLR_USE_NAMESPACE(antlr)CharStreamIOException& csie) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamIOException(csie.io); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamException& cse) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamException(cse.getMessage()); } tryAgain:; } }

// NOTE(review): the #line directives below show this file is ANTLR-generated
// from pf.g; lexer behaviour should be changed in the grammar and regenerated,
// not patched here.
//
// Whitespace: consumes one byte from '\3'-'\10', '\t', '\13', '\14',
// '\16'-'\37', ' ' or 0x7f-0xff and marks the result SKIP, so nextToken()
// discards it and re-enters its loop (goto tryAgain). Consequence: bytes
// 0x7f-0xff in a config are silently dropped rather than reported. Any other
// byte raises NoViableAltForCharException.
void PFCfgLexer::mWhitespace(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = Whitespace; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
{ switch ( LA(1)) { case 0x3 /* '\3' */ : case 0x4 /* '\4' */ : case 0x5 /* '\5' */ : case 0x6 /* '\6' */ : case 0x7 /* '\7' */ : case 0x8 /* '\10' */ : { matchRange('\3','\10'); break; } case 0x9 /* '\t' */ : { match('\t' /* charlit */ ); break; } case 0xb /* '\13' */ : { match('\13' /* charlit */ ); break; } case 0xc /* '\14' */ : { match('\14' /* charlit */ ); break; } case 0xe /* '\16' */ : case 0xf /* '\17' */ : case 0x10 /* '\20' */ : case 0x11 /* '\21' */ : case 0x12 /* '\22' */ : case 0x13 /* '\23' */ : case 0x14 /* '\24' */ : case 0x15 /* '\25' */ : case 0x16 /* '\26' */ : case 0x17 /* '\27' */ : case 0x18 /* '\30' */ : case 0x19 /* '\31' */ : case 0x1a /* '\32' */ : case 0x1b /* '\33' */ : case 0x1c /* '\34' */ : case 0x1d /* '\35' */ : case 0x1e /* '\36' */ : case 0x1f /* '\37' */ : { matchRange('\16','\37'); break; } case 0x20 /* ' ' */ : { match(' ' /* charlit */ ); break; } default: if (((LA(1) >= 0x7f && LA(1) <= 0xff))) { /* NOTE(review): the static_cast<> template argument is missing in this copy of the file; compare with the generated source */ matchRange('\177',static_cast('\377')); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } if ( inputState->guessing==0 ) {
#line 2001 "pf.g"
_ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP;
#line 622 "PFCfgLexer.cpp"
} if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// COMMENT_START: matches a single '#'. Consumption of the comment body is not
// done here (not visible in this part of the file).
void PFCfgLexer::mCOMMENT_START(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = COMMENT_START; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('#' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// NEWLINE: matches "\r\n", a lone '\r' or a lone '\n' (in that lookahead order)
// and, outside a syntactic predicate, calls newline() so the lexer's line
// counter stays correct for error positions.
void PFCfgLexer::mNEWLINE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEWLINE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
{ if ((LA(1) == 0xd /* '\r' */ ) && (LA(2) == 0xa /* '\n' */ )) { match("\r\n"); } else if ((LA(1) == 0xd /* '\r' */ ) && (true)) { match('\r' /* charlit */ ); } else if ((LA(1) == 0xa /* '\n' */ )) { match('\n' /* charlit */ ); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } if ( inputState->guessing==0 ) {
#line 2006 "pf.g"
newline();
#line 669 "PFCfgLexer.cpp"
} if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// INT_CONST: consumes nothing. The INT_CONST type is assigned inside
// mNUMBER_ADDRESS_OR_WORD below; this rule only exists so the token type has
// a generated method (same for HEX_CONST, NUMBER, NEG_INT_CONST and COLON).
void PFCfgLexer::mINT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = INT_CONST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// HEX_CONST: consumes nothing (see mINT_CONST). No visible rule in this part
// of the file assigns HEX_CONST — presumably unused; verify against pf.g.
void PFCfgLexer::mHEX_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEX_CONST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// NUMBER: consumes nothing; the NUMBER type ("digits.digits") is assigned in
// mNUMBER_ADDRESS_OR_WORD.
void PFCfgLexer::mNUMBER(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUMBER; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// NEG_INT_CONST: consumes nothing. No visible rule assigns this type —
// presumably unused; verify against pf.g.
void PFCfgLexer::mNEG_INT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEG_INT_CONST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// COLON: consumes nothing; a lone ':' is typed COLON inside
// mNUMBER_ADDRESS_OR_WORD.
void PFCfgLexer::mCOLON(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = COLON; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// HEX_DIGIT: matches exactly one of [0-9a-fA-F]; anything else raises
// NoViableAltForCharException. Called with _createToken=false as a helper by
// the address rules.
void PFCfgLexer::mHEX_DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEX_DIGIT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
{ switch ( LA(1)) { case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : { matchRange('a','f'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : { matchRange('A','F'); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// DIGIT: matches exactly one decimal digit '0'-'9'.
void PFCfgLexer::mDIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DIGIT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
matchRange('0','9'); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// NUM_3DIGIT: matches one to three decimal digits, greedily. It does not
// check the value is <= 255, so the IPV4 rule built on it accepts e.g.
// "999.999.999.999" at the lexical level; octet range checking has to happen
// in the parser/importer.
void PFCfgLexer::mNUM_3DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUM_3DIGIT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
{ matchRange('0','9'); } { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { { matchRange('0','9'); } { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { matchRange('0','9'); } else { } } } else { } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// NUM_HEX_4DIGIT: matches one to four hex digits (via mHEX_DIGIT), greedily.
// _tokenSet_1 is the hex-digit lookahead set defined elsewhere in this file.
// Not referenced by any rule visible here.
void PFCfgLexer::mNUM_HEX_4DIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUM_HEX_4DIGIT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
mHEX_DIGIT(false); { if ((_tokenSet_1.member(LA(1)))) { { mHEX_DIGIT(false); } { if ((_tokenSet_1.member(LA(1)))) { { mHEX_DIGIT(false); } { if ((_tokenSet_1.member(LA(1)))) { mHEX_DIGIT(false); } else { } } } else { } } } else { } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// NUMBER_ADDRESS_OR_WORD: the catch-all rule for anything that is not a
// single punctuation character. Dispatch on the first byte:
//   ':'  -> "::" + hex digits [':' hex digits]*  => IPV6 (decided by a
//           syntactic predicate); bare "::" => IPV6; a lone ':' => COLON.
//   '$'  -> '$' [A-Za-z] [A-Za-z0-9_]*            => MACRO; a lone '$' is
//           consumed with the type left as NUMBER_ADDRESS_OR_WORD.
//   else -> tried in order, each guarded by a syntactic predicate:
//           NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT => IPV4
//           digits '.' digits                                      => NUMBER
//           hex digits (':' hex digits*)+                          => IPV6
//           digits                                                 => INT_CONST
//           [A-Za-z] followed by any of [A-Za-z0-9 " $ % & - . ; ? @ \ ^ _ `]*
//                                                                  => WORD
// The final testLiteralsTable() call turns a WORD that is a known keyword into
// that keyword's token type. Note that a WORD may legally contain '"', '\\'
// and '`' after its first letter, so a quote inside an identifier does not
// start a STRING. _tokenSet_1.._tokenSet_4 are lookahead sets defined
// elsewhere in this file; their exact contents are not visible here.
void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUMBER_ADDRESS_OR_WORD; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
switch ( LA(1)) { case 0x3a /* ':' */ : { { bool synPredMatched322 = false; if (((LA(1) == 0x3a /* ':' */ ) && (LA(2) == 0x3a /* ':' */ ) && (_tokenSet_1.member(LA(3))))) { int _m322 = mark(); synPredMatched322 = true; inputState->guessing++; try { { match(':' /* charlit */ ); match(':' /* charlit */ ); { // ( ... )+
int _cnt321=0; for (;;) { if ((_tokenSet_1.member(LA(1)))) { mHEX_DIGIT(false); } else { if ( _cnt321>=1 ) { goto _loop321; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt321++; } _loop321:; } // ( ... )+
} } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched322 = false; } rewind(_m322); inputState->guessing--; } if ( synPredMatched322 ) { { match(':' /* charlit */ ); match(':' /* charlit */ ); { // ( ... )+
int _cnt325=0; for (;;) { if ((_tokenSet_1.member(LA(1)))) { mHEX_DIGIT(false); } else { if ( _cnt325>=1 ) { goto _loop325; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt325++; } _loop325:; } // ( ... )+
{ // ( ... )*
for (;;) { if ((LA(1) == 0x3a /* ':' */ )) { match(':' /* charlit */ ); { // ( ... )+
int _cnt328=0; for (;;) { if ((_tokenSet_1.member(LA(1)))) { mHEX_DIGIT(false); } else { if ( _cnt328>=1 ) { goto _loop328; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt328++; } _loop328:; } // ( ... )+
} else { goto _loop329; } } _loop329:; } // ( ... )*
} if ( inputState->guessing==0 ) {
#line 2052 "pf.g"
_ttype = IPV6;
#line 977 "PFCfgLexer.cpp"
} } else if ((LA(1) == 0x3a /* ':' */ ) && (LA(2) == 0x3a /* ':' */ ) && (true)) { { match(':' /* charlit */ ); match(':' /* charlit */ ); } if ( inputState->guessing==0 ) {
#line 2054 "pf.g"
_ttype = IPV6;
#line 988 "PFCfgLexer.cpp"
} } else if ((LA(1) == 0x3a /* ':' */ ) && (true)) { match(':' /* charlit */ ); if ( inputState->guessing==0 ) {
#line 2056 "pf.g"
_ttype = COLON;
#line 996 "PFCfgLexer.cpp"
} } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } break; } case 0x24 /* '$' */ : { { if ((LA(1) == 0x24 /* '$' */ ) && (_tokenSet_2.member(LA(2)))) { match('$' /* charlit */ ); { switch ( LA(1)) { case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } { // ( ... )*
for (;;) { switch ( LA(1)) { case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x5f /* '_' */ : { match('_' /* charlit */ ); break; } default: { goto _loop355; } } } _loop355:; } // ( ... )*
if ( inputState->guessing==0 ) {
#line 2080 "pf.g"
_ttype = MACRO;
#line 1172 "PFCfgLexer.cpp"
} } else if ((LA(1) == 0x24 /* '$' */ ) && (true)) { match('$' /* charlit */ ); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } break; } default: bool synPredMatched332 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_3.member(LA(2))) && (_tokenSet_3.member(LA(3))))) { int _m332 = mark(); synPredMatched332 = true; inputState->guessing++; try { { mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched332 = false; } rewind(_m332); inputState->guessing--; } if ( synPredMatched332 ) { { mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); match('.' /* charlit */ ); mNUM_3DIGIT(false); } if ( inputState->guessing==0 ) {
#line 2061 "pf.g"
_ttype = IPV4;
#line 1218 "PFCfgLexer.cpp"
} } else { bool synPredMatched339 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_3.member(LA(2))) && (_tokenSet_3.member(LA(3))))) { int _m339 = mark(); synPredMatched339 = true; inputState->guessing++; try { { { // ( ... )+
int _cnt336=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt336>=1 ) { goto _loop336; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt336++; } _loop336:; } // ( ... )+
match('.' /* charlit */ ); { // ( ... )+
int _cnt338=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt338>=1 ) { goto _loop338; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt338++; } _loop338:; } // ( ... )+
} } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched339 = false; } rewind(_m339); inputState->guessing--; } if ( synPredMatched339 ) { { { // ( ... )+
int _cnt342=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt342>=1 ) { goto _loop342; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt342++; } _loop342:; } // ( ... )+
match('.' /* charlit */ ); { // ( ... )+
int _cnt344=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt344>=1 ) { goto _loop344; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt344++; } _loop344:; } // ( ... )+
} if ( inputState->guessing==0 ) {
#line 2064 "pf.g"
_ttype = NUMBER;
#line 1301 "PFCfgLexer.cpp"
} } else { bool synPredMatched307 = false; if (((_tokenSet_1.member(LA(1))) && (_tokenSet_4.member(LA(2))) && (true))) { int _m307 = mark(); synPredMatched307 = true; inputState->guessing++; try { { { // ( ... )+
int _cnt306=0; for (;;) { if ((_tokenSet_1.member(LA(1)))) { mHEX_DIGIT(false); } else { if ( _cnt306>=1 ) { goto _loop306; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt306++; } _loop306:; } // ( ... )+
match(':' /* charlit */ ); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched307 = false; } rewind(_m307); inputState->guessing--; } if ( synPredMatched307 ) { { { { // ( ... )+
int _cnt311=0; for (;;) { if ((_tokenSet_1.member(LA(1)))) { mHEX_DIGIT(false); } else { if ( _cnt311>=1 ) { goto _loop311; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt311++; } _loop311:; } // ( ... )+
{ // ( ... )+
int _cnt315=0; for (;;) { if ((LA(1) == 0x3a /* ':' */ )) { match(':' /* charlit */ ); { // ( ... )*
for (;;) { if ((_tokenSet_1.member(LA(1)))) { mHEX_DIGIT(false); } else { goto _loop314; } } _loop314:; } // ( ... )*
} else { if ( _cnt315>=1 ) { goto _loop315; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt315++; } _loop315:; } // ( ... )+
} if ( inputState->guessing==0 ) {
#line 2046 "pf.g"
_ttype = IPV6;
#line 1382 "PFCfgLexer.cpp"
} } } else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true)) { { // ( ... )+
int _cnt346=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt346>=1 ) { goto _loop346; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt346++; } _loop346:; } // ( ... )+
if ( inputState->guessing==0 ) {
#line 2066 "pf.g"
_ttype = INT_CONST;
#line 1404 "PFCfgLexer.cpp"
} } else if ((_tokenSet_2.member(LA(1))) && (true) && (true)) { { switch ( LA(1)) { case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } { // ( ... )*
for (;;) { switch ( LA(1)) { case 0x22 /* '\"' */ : { match('\"' /* charlit */ ); break; } case 0x24 /* '$' */ : { match('$' /* charlit */ ); break; } case 0x25 /* '%' */ : { match('%' /* charlit */ ); break; } case 0x26 /* '&' */ : { match('&' /* charlit */ ); break; } case 0x2d /* '-' */ : { match('-' /* charlit */ ); break; } case 0x2e /* '.' */ : { match('.' /* charlit */ ); break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x3b /* ';' */ : { match(';' /* charlit */ ); break; } case 0x3f /* '?' */ : { match('?' /* charlit */ ); break; } case 0x40 /* '@' */ : { match('@' /* charlit */ ); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } case 0x5c /* '\\' */ : { match('\\' /* charlit */ ); break; } case 0x5e /* '^' */ : { match('^' /* charlit */ ); break; } case 0x5f /* '_' */ : { match('_' /* charlit */ ); break; } case 0x60 /* '`' */ : { match('`' /* charlit */ ); break; } case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } default: { goto _loop349; } } } _loop349:; } // ( ... )*
if ( inputState->guessing==0 ) {
#line 2075 "pf.g"
_ttype = WORD;
#line 1629 "PFCfgLexer.cpp"
} } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } }}} _ttype = testLiteralsTable(_ttype); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// STRING: '"' followed by zero or more bytes that are in _tokenSet_5 and are
// not '"', then a closing '"'. There is no escape handling, so a string can
// never contain a double quote; whether newlines are allowed inside depends
// on _tokenSet_5, which is defined elsewhere in this file. nextToken() only
// enters this rule when the byte after the quote is in 0x3..0xff; otherwise
// a lone '"' becomes DOUBLE_QUOTE.
void PFCfgLexer::mSTRING(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = STRING; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('\"' /* charlit */ ); { // ( ... )*
for (;;) { if ((_tokenSet_5.member(LA(1)))) { matchNot('\"' /* charlit */ ); } else { goto _loop358; } } _loop358:; } // ( ... )*
match('\"' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// PIPE_CHAR: matches a single '|'.
void PFCfgLexer::mPIPE_CHAR(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = PIPE_CHAR; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('|' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// PERCENT: matches a single '%'.
void PFCfgLexer::mPERCENT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = PERCENT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('%' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// AMPERSAND: matches a single '&'.
void PFCfgLexer::mAMPERSAND(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = AMPERSAND; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('&' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// APOSTROPHE: matches a single '\''. Single-quoted strings are not a token
// here; the parser sees the quote as its own token.
void PFCfgLexer::mAPOSTROPHE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = APOSTROPHE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('\'' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// STAR: matches a single '*'.
void PFCfgLexer::mSTAR(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = STAR; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('*' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// PLUS: matches a single '+'.
void PFCfgLexer::mPLUS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = PLUS; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('+' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// COMMA: matches a single ','.
void PFCfgLexer::mCOMMA(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = COMMA; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match(',' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// MINUS: matches a single '-'. A '-' is never folded into a number here
// (NEG_INT_CONST is not produced by any visible rule); negative values, if
// any, are assembled by the parser.
void PFCfgLexer::mMINUS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MINUS; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('-' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// DOT: matches a single '.'.
void PFCfgLexer::mDOT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DOT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('.' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// SLASH: matches a single '/' (e.g. the separator before a prefix length).
void PFCfgLexer::mSLASH(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = SLASH; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('/' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// SEMICOLON: matches a single ';'.
void PFCfgLexer::mSEMICOLON(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = SEMICOLON; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match(';' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

// EQUAL: matches a single '='.
void PFCfgLexer::mEQUAL(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = EQUAL; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match('=' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token;
//_saveIndex=0;
}

void PFCfgLexer::mQUESTION(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = 
QUESTION; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('?' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mCOMMERCIAL_AT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = COMMERCIAL_AT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('@' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mOPENING_PAREN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_PAREN; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('(' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mCLOSING_PAREN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_PAREN; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(')' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mOPENING_SQUARE(bool _createToken) { int _ttype; 
ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_SQUARE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('[' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mCLOSING_SQUARE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_SQUARE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(']' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mOPENING_BRACE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_BRACE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('{' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mCLOSING_BRACE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_BRACE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('}' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, 
text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mCARET(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CARET; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('^' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mUNDERLINE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = UNDERLINE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('_' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mTILDE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = TILDE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('~' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mEXLAMATION(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = EXLAMATION; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('!' 
/* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mLESS_THAN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LESS_THAN; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('<' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mGREATER_THAN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = GREATER_THAN; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('>' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PFCfgLexer::mDOUBLE_QUOTE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DOUBLE_QUOTE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('\"' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } const unsigned long PFCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL, 2147483648UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 
0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14 // 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f 0x7f 0x80 0x81 // 0x82 0x83 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f // 0x90 0x91 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d // 0x9e 0x9f 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab // 0xac 0xad 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8 0xb9 // 0xba 0xbb 0xbc 0xbd 0xbe 0xbf 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7 // 0xc8 0xc9 0xca 0xcb 0xcc 0xcd 0xce 0xcf 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 // 0xd6 0xd7 0xd8 0xd9 0xda 0xdb 0xdc 0xdd 0xde 0xdf 0xe0 0xe1 0xe2 0xe3 // 0xe4 0xe5 0xe6 0xe7 0xe8 0xe9 0xea 0xeb 0xec 0xed 0xee 0xef 0xf0 0xf1 // 0xf2 0xf3 0xf4 0xf5 0xf6 0xf7 0xf8 0xf9 0xfa 0xfb 0xfc 0xfd 0xfe 0xff const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgLexer::_tokenSet_0(_tokenSet_0_data_,16); const unsigned long PFCfgLexer::_tokenSet_1_data_[] = { 0UL, 67043328UL, 126UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgLexer::_tokenSet_1(_tokenSet_1_data_,10); const unsigned long PFCfgLexer::_tokenSet_2_data_[] = { 0UL, 0UL, 134217726UL, 134217726UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h // i j k l m n o p q r s t u v w x y z const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgLexer::_tokenSet_2(_tokenSet_2_data_,10); const unsigned long PFCfgLexer::_tokenSet_3_data_[] = { 0UL, 67059712UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // . 
0 1 2 3 4 5 6 7 8 9 const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgLexer::_tokenSet_3(_tokenSet_3_data_,10); const unsigned long PFCfgLexer::_tokenSet_4_data_[] = { 0UL, 134152192UL, 126UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0 1 2 3 4 5 6 7 8 9 : A B C D E F a b c d e f const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgLexer::_tokenSet_4(_tokenSet_4_data_,10); const unsigned long PFCfgLexer::_tokenSet_5_data_[] = { 4294967288UL, 4294967291UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 0x11 0x12 0x13 // 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! # $ // % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F // G H I J K L M N O P Q R S T U V W X Y Z [ 0x5c ] ^ _ ` a b c d e f g // h i j k l m n o p q r s t u v w x y z { | } ~ 0x7f 0x80 0x81 0x82 0x83 // 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91 // 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d 0x9e 0x9f // 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 0xac 0xad // 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8 0xb9 0xba 0xbb // 0xbc 0xbd 0xbe 0xbf 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7 0xc8 0xc9 // 0xca 0xcb 0xcc 0xcd 0xce 0xcf 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7 // 0xd8 0xd9 0xda 0xdb 0xdc 0xdd 0xde 0xdf 0xe0 0xe1 0xe2 0xe3 0xe4 0xe5 // 0xe6 0xe7 0xe8 0xe9 0xea 0xeb 0xec 0xed 0xee 0xef 0xf0 0xf1 0xf2 0xf3 // 0xf4 0xf5 0xf6 0xf7 0xf8 0xf9 0xfa 0xfb 0xfc 0xfd 0xfe 0xff const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgLexer::_tokenSet_5(_tokenSet_5_data_,16); fwbuilder-5.3.7/src/parsers/PFCfgLexer.hpp000066400000000000000000000075111303637203600204240ustar00rootroot00000000000000#ifndef INC_PFCfgLexer_hpp_ #define INC_PFCfgLexer_hpp_ #line 25 "pf.g" // gets inserted before antlr generated includes in the header // file #include "PFImporter.h" #line 11 "PFCfgLexer.hpp" #include /* $ANTLR 
2.7.7 (20100319): "pf.g" -> "PFCfgLexer.hpp"$ */ #include #include #include #include "PFCfgParserTokenTypes.hpp" #include #line 32 "pf.g" // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include #include class PFImporter; #line 29 "PFCfgLexer.hpp" #line 57 "pf.g" // gets inserted after generated namespace specifications in the // header file. But outside the generated class. #line 35 "PFCfgLexer.hpp" class CUSTOM_API PFCfgLexer : public ANTLR_USE_NAMESPACE(antlr)CharScanner, public PFCfgParserTokenTypes { #line 1 "pf.g" #line 39 "PFCfgLexer.hpp" private: void initLiterals(); public: bool getCaseSensitiveLiterals() const { return true; } public: PFCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in); PFCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib); PFCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state); ANTLR_USE_NAMESPACE(antlr)RefToken nextToken(); public: void mWhitespace(bool _createToken); public: void mCOMMENT_START(bool _createToken); public: void mNEWLINE(bool _createToken); protected: void mINT_CONST(bool _createToken); protected: void mHEX_CONST(bool _createToken); protected: void mNUMBER(bool _createToken); protected: void mNEG_INT_CONST(bool _createToken); protected: void mCOLON(bool _createToken); protected: void mHEX_DIGIT(bool _createToken); protected: void mDIGIT(bool _createToken); protected: void mNUM_3DIGIT(bool _createToken); protected: void mNUM_HEX_4DIGIT(bool _createToken); public: void mNUMBER_ADDRESS_OR_WORD(bool _createToken); public: void mSTRING(bool _createToken); public: void mPIPE_CHAR(bool _createToken); public: void mPERCENT(bool _createToken); public: void mAMPERSAND(bool _createToken); public: void mAPOSTROPHE(bool _createToken); public: void mSTAR(bool _createToken); public: void mPLUS(bool _createToken); public: void mCOMMA(bool _createToken); public: void mMINUS(bool _createToken); public: void mDOT(bool _createToken); public: void mSLASH(bool 
_createToken); public: void mSEMICOLON(bool _createToken); public: void mEQUAL(bool _createToken); public: void mQUESTION(bool _createToken); public: void mCOMMERCIAL_AT(bool _createToken); public: void mOPENING_PAREN(bool _createToken); public: void mCLOSING_PAREN(bool _createToken); public: void mOPENING_SQUARE(bool _createToken); public: void mCLOSING_SQUARE(bool _createToken); public: void mOPENING_BRACE(bool _createToken); public: void mCLOSING_BRACE(bool _createToken); public: void mCARET(bool _createToken); public: void mUNDERLINE(bool _createToken); public: void mTILDE(bool _createToken); public: void mEXLAMATION(bool _createToken); public: void mLESS_THAN(bool _createToken); public: void mGREATER_THAN(bool _createToken); public: void mDOUBLE_QUOTE(bool _createToken); private: static const unsigned long _tokenSet_0_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long _tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; static const unsigned long _tokenSet_3_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_3; static const unsigned long _tokenSet_4_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_4; static const unsigned long _tokenSet_5_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_5; }; #endif /*INC_PFCfgLexer_hpp_*/ fwbuilder-5.3.7/src/parsers/PFCfgParser.cpp000066400000000000000000004600411303637203600205750ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20100319): "pf.g" -> "PFCfgParser.cpp"$ */ #line 43 "pf.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "PFCfgParser.cpp" #include "PFCfgParser.hpp" #include #include #include #line 49 "pf.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #line 20 "PFCfgParser.cpp" #line 1 "pf.g" #line 22 "PFCfgParser.cpp" 
PFCfgParser::PFCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,k) { } PFCfgParser::PFCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,2) { } PFCfgParser::PFCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,k) { } PFCfgParser::PFCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,2) { } PFCfgParser::PFCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)LLkParser(state,2) { } void PFCfgParser::cfgfile() { try { // for error handling { // ( ... )* for (;;) { switch ( LA(1)) { case COMMENT_START: { comment(); break; } case INCLUDE_COMMAND: { include_command(); break; } case WORD: { macro_definition(); break; } case ALTQ: { altq_rule(); break; } case ANTISPOOF: { antispoof_rule(); break; } case QUEUE: { queue_rule(); break; } case SET: { set_rule(); break; } case SCRUB: { scrub_rule(); break; } case MATCH: { match_rule(); break; } case TABLE: { table_rule(); break; } case NO: { no_nat_rule(); break; } case NAT: { nat_rule(); break; } case RDR: { rdr_rule(); break; } case BINAT: { binat_rule(); break; } case PASS: { pass_rule(); break; } case BLOCK: { block_rule(); break; } case NEWLINE: { match(NEWLINE); break; } default: { goto _loop3; } } } _loop3:; } // ( ... 
)* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_0); } } void PFCfgParser::comment() { try { // for error handling match(COMMENT_START); #line 159 "pf.g" QStringList str; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { str << QString::fromUtf8(LT(1)->getText().c_str()); consume(); } importer->last_comment << str.join(" "); #line 169 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::include_command() { try { // for error handling match(INCLUDE_COMMAND); #line 173 "pf.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Error: import of 'include' commands is not supported.")); consumeUntil(NEWLINE); #line 189 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::macro_definition() { try { // for error handling match(WORD); match(EQUAL); #line 184 "pf.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); consumeUntil(NEWLINE); #line 208 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::altq_rule() { try { // for error handling match(ALTQ); #line 204 "pf.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->error_tracker->registerError( QString("import of 'altq' commands is not supported.")); consumeUntil(NEWLINE); #line 228 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::antispoof_rule() { try { // for error handling match(ANTISPOOF); #line 193 "pf.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Warning: import of 'antispoof' commands has not been 
implemented yet.")); consumeUntil(NEWLINE); #line 248 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::queue_rule() { try { // for error handling match(QUEUE); #line 215 "pf.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->error_tracker->registerError( QString("import of 'queue' commands is not supported.")); consumeUntil(NEWLINE); #line 268 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::set_rule() { try { // for error handling match(SET); #line 226 "pf.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); #line 285 "PFCfgParser.cpp" { switch ( LA(1)) { case TIMEOUT: { set_timeout(); break; } case 14: { set_ruleset_optimization(); break; } case LITERAL_optimization: { set_optimization(); break; } case LITERAL_limit: { set_limit(); break; } case LITERAL_loginterface: { set_loginterface(); break; } case 23: { set_block_policy(); break; } case 26: { set_state_policy(); break; } case 29: { set_state_defaults(); break; } case 30: { set_require_order(); break; } case LITERAL_fingerprints: { set_fingerprints(); break; } case LITERAL_skip: { set_skip(); break; } case LITERAL_debug: { set_debug(); break; } case LITERAL_reassemble: { set_reassemble(); break; } case LITERAL_hostid: { set_hostid(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::scrub_rule() { try { // for error handling match(SCRUB); #line 525 "pf.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "scrub"; *dbg << LT(1)->getLine() << ":" << " scrub "; #line 383 "PFCfgParser.cpp" rule_extended(); match(NEWLINE); } catch 
(ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::match_rule() { try { // for error handling match(MATCH); #line 540 "pf.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "match"; *dbg << LT(1)->getLine() << ":" << " match "; #line 405 "PFCfgParser.cpp" rule_extended(); #line 548 "pf.g" if ( ! importer->scrub_rule) importer->pushRule(); #line 411 "PFCfgParser.cpp" match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::table_rule() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken file = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(TABLE); #line 557 "pf.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); #line 431 "PFCfgParser.cpp" match(LESS_THAN); name = LT(1); match(WORD); match(GREATER_THAN); { switch ( LA(1)) { case PERSIST: { match(PERSIST); break; } case NEWLINE: case OPENING_BRACE: case CONST_WORD: case COUNTERS: case FILE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case CONST_WORD: { match(CONST_WORD); #line 569 "pf.g" importer->addMessageToLog( QString("Warning: attribute \"const\" will be dropped from table configuration since this attribute is not supported at this time")); #line 467 "PFCfgParser.cpp" break; } case NEWLINE: case OPENING_BRACE: case COUNTERS: case FILE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case COUNTERS: { match(COUNTERS); #line 576 "pf.g" importer->addMessageToLog( QString("Warning: attribute \"counters\" will be dropped from table configuration since this attribute is not supported at this time")); #line 493 "PFCfgParser.cpp" break; } case 
NEWLINE: case OPENING_BRACE: case FILE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case FILE: { match(FILE); file = LT(1); match(STRING); #line 583 "pf.g" importer->newAddressTableObject( name->getText(), file->getText()); #line 520 "PFCfgParser.cpp" break; } case OPENING_BRACE: { match(OPENING_BRACE); tableaddr_spec(); { // ( ... )* for (;;) { if ((_tokenSet_2.member(LA(1)))) { { switch ( LA(1)) { case COMMA: { match(COMMA); break; } case WORD: case INT_CONST: case EXLAMATION: case SELF: case IPV4: case NUMBER: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } tableaddr_spec(); } else { goto _loop58; } } _loop58:; } // ( ... )* match(CLOSING_BRACE); #line 595 "pf.g" importer->newAddressTableObject( name->getText(), importer->tmp_group); #line 567 "PFCfgParser.cpp" break; } case NEWLINE: { match(NEWLINE); #line 601 "pf.g" // Special case: table definition without file name or list of addresses. // Create run-time AddressTable object with name but no file spec. 
importer->newAddressTableObject(name->getText(), ""); #line 579 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::no_nat_rule() { try { // for error handling match(NO); #line 676 "pf.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newNATRule(); importer->action = "nonat"; *dbg << LT(1)->getLine() << ":" << " nonat "; #line 607 "PFCfgParser.cpp" { switch ( LA(1)) { case NAT: { nat_rule(); break; } case RDR: { rdr_rule(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_1); } } void PFCfgParser::nat_rule() { try { // for error handling match(NAT); #line 693 "pf.g" if ( importer->action != "nonat" ) { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newNATRule(); importer->action = "nat"; *dbg << LT(1)->getLine() << ":" << " nat "; } #line 648 "PFCfgParser.cpp" { switch ( LA(1)) { case PASS: { match(PASS); #line 705 "pf.g" importer->error_tracker->registerError( QString("import of 'nat pass' commands is not supported.")); #line 659 "PFCfgParser.cpp" { switch ( LA(1)) { case LOG: { logging(); break; } case NEWLINE: case ON: case EXLAMATION: case MINUS: case ALL: case TO: case INET: case INET6: case PROTO: case FROM: case TAGGED: case TAG: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case NEWLINE: case ON: case EXLAMATION: case MINUS: case ALL: case TO: case INET: case INET6: case PROTO: case FROM: case TAGGED: case TAG: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case ON: { intrface(); break; } case NEWLINE: case 
EXLAMATION: case MINUS: case ALL: case TO: case INET: case INET6: case PROTO: case FROM: case TAGGED: case TAG: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        // NOTE(review): everything in this file is ANTLR-generated from pf.g (the
        // '#line N "pf.g"' directives map each action back to the grammar rule).
        // Fix wording or behaviour in pf.g and regenerate; hand edits here are lost.
        // This excerpt starts inside the tail of PFCfgParser::nat_rule(), whose
        // beginning precedes it: optional address family, optional 'proto',
        // hosts, optional 'tagged', optional 'tag', optional '-> target'.
        {
            switch ( LA(1)) {
            case INET: case INET6: { address_family(); break; }
            case NEWLINE: case EXLAMATION: case MINUS: case ALL: case TO: case PROTO: case FROM: case TAGGED: case TAG: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case PROTO: { protospec(); break; }
            case NEWLINE: case EXLAMATION: case MINUS: case ALL: case TO: case FROM: case TAGGED: case TAG: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        hosts();
        {
            switch ( LA(1)) {
            case EXLAMATION: case TAGGED: { tagged(); break; }
            case NEWLINE: case MINUS: case TAG: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case TAG: {
                // 'tag' on a nat rule is parsed but reported as unsupported, so the
                // imported policy never silently drops a tagging side effect.
                tag_clause();
#line 718 "pf.g"
                importer->error_tracker->registerError( QString("import of 'nat ... tag' commands is not supported."));
#line 819 "PFCfgParser.cpp"
                break;
            }
            case NEWLINE: case MINUS: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case MINUS: {
                // '->' translation target: one redirhost or a brace list; the
                // target(s) land in tmp_group and are moved to nat_group below.
                match(MINUS);
                match(GREATER_THAN);
                {
                    switch ( LA(1)) {
                    case WORD: case IPV4: case OPENING_PAREN: { redirhost(); break; }
                    case OPENING_BRACE: { redirhost_list(); break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
#line 726 "pf.g"
                importer->nat_group = importer->tmp_group;
#line 863 "PFCfgParser.cpp"
                {
                    switch ( LA(1)) {
                    case PORT: {
                        portspec();
#line 731 "pf.g"
                        importer->nat_port_group = importer->tmp_port_group;
#line 873 "PFCfgParser.cpp"
                        break;
                    }
                    case NEWLINE: case STATIC_PORT: case BITMASK: case RANDOM: case SOURCE_HASH: case ROUND_ROBIN: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                {
                    switch ( LA(1)) {
                    case BITMASK: case RANDOM: case SOURCE_HASH: case ROUND_ROBIN: { pooltype(); break; }
                    case NEWLINE: case STATIC_PORT: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                {
                    switch ( LA(1)) {
                    case STATIC_PORT: {
                        match(STATIC_PORT);
#line 737 "pf.g"
                        importer->nat_rule_opt_2 = "static-port";
#line 919 "PFCfgParser.cpp"
                        break;
                    }
                    case NEWLINE: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                break;
            }
            case NEWLINE: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 740 "pf.g"
        importer->pushRule();
#line 948 "PFCfgParser.cpp"
        match(NEWLINE);
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// Parses one 'rdr' rule (pf.g line 749 ff.).
// Unless importer->action is already "nonat" (presumably set by a preceding
// 'no' keyword — not visible in this excerpt), a fresh NAT rule is started with
// action "rdr". 'rdr pass' and a trailing 'tag' are accepted syntactically but
// reported through error_tracker as unsupported. Note the two messages still
// read "nat pass" / "nat ... tag": they were copied from nat_rule and should
// say "rdr" — the wording lives in pf.g. The '->' target(s) are copied from
// tmp_group into nat_group, an optional 'port' spec into nat_port_group, an
// optional pool type is recorded, then the rule is pushed and NEWLINE matched.
void PFCfgParser::rdr_rule() {
    try { // for error handling
        match(RDR);
#line 749 "pf.g"
        if ( importer->action != "nonat" ) {
            importer->clear();
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newNATRule();
            importer->action = "rdr";
            *dbg << LT(1)->getLine() << ":" << " rdr ";
        }
#line 972 "PFCfgParser.cpp"
        {
            switch ( LA(1)) {
            case PASS: {
                match(PASS);
#line 761 "pf.g"
                importer->error_tracker->registerError( QString("import of 'nat pass' commands is not supported."));
#line 983 "PFCfgParser.cpp"
                {
                    switch ( LA(1)) {
                    case LOG: { logging(); break; }
                    case NEWLINE: case ON: case EXLAMATION: case MINUS: case ALL: case TO: case INET: case INET6: case PROTO: case FROM: case TAGGED: case TAG: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                break;
            }
            case NEWLINE: case ON: case EXLAMATION: case MINUS: case ALL: case TO: case INET: case INET6: case PROTO: case FROM: case TAGGED: case TAG: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case ON: { intrface(); break; }
            case NEWLINE: case EXLAMATION: case MINUS: case ALL: case TO: case INET: case INET6: case PROTO: case FROM: case TAGGED: case TAG: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case INET: case INET6: { address_family(); break; }
            case NEWLINE: case EXLAMATION: case MINUS: case ALL: case TO: case PROTO: case FROM: case TAGGED: case TAG: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case PROTO: { protospec(); break; }
            case NEWLINE: case EXLAMATION: case MINUS: case ALL: case TO: case FROM: case TAGGED: case TAG: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        hosts();
        {
            switch ( LA(1)) {
            case EXLAMATION: case TAGGED: { tagged(); break; }
            case NEWLINE: case MINUS: case TAG: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case TAG: {
                tag_clause();
#line 774 "pf.g"
                importer->error_tracker->registerError( QString("import of 'nat ... tag' commands is not supported."));
#line 1143 "PFCfgParser.cpp"
                break;
            }
            case NEWLINE: case MINUS: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case MINUS: {
                // '->' redirect target(s); unlike nat_rule there is no
                // 'static-port' option after the pool type here.
                match(MINUS);
                match(GREATER_THAN);
                {
                    switch ( LA(1)) {
                    case WORD: case IPV4: case OPENING_PAREN: { redirhost(); break; }
                    case OPENING_BRACE: { redirhost_list(); break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
#line 782 "pf.g"
                importer->nat_group = importer->tmp_group;
#line 1187 "PFCfgParser.cpp"
                {
                    switch ( LA(1)) {
                    case PORT: {
                        portspec();
#line 787 "pf.g"
                        importer->nat_port_group = importer->tmp_port_group;
#line 1197 "PFCfgParser.cpp"
                        break;
                    }
                    case NEWLINE: case BITMASK: case RANDOM: case SOURCE_HASH: case ROUND_ROBIN: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                {
                    switch ( LA(1)) {
                    case BITMASK: case RANDOM: case SOURCE_HASH: case ROUND_ROBIN: { pooltype(); break; }
                    case NEWLINE: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                break;
            }
            case NEWLINE: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 793 "pf.g"
        importer->pushRule();
#line 1250 "PFCfgParser.cpp"
        match(NEWLINE);
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'binat' rules are not imported: the error is recorded against the current
// line via error_tracker and the rest of the line is skipped.
void PFCfgParser::binat_rule() {
    try { // for error handling
        match(BINAT);
#line 925 "pf.g"
        importer->clear();
        importer->setCurrentLineNumber(LT(0)->getLine());
        importer->error_tracker->registerError( QString("import of 'binat' commands is not supported."));
        consumeUntil(NEWLINE);
#line 1271 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'pass' rule: starts a new policy rule with action "pass", parses the shared
// rule body via rule_extended(), pushes the rule and requires a NEWLINE.
void PFCfgParser::pass_rule() {
    try { // for error handling
        match(PASS);
#line 948 "pf.g"
        importer->clear();
        importer->setCurrentLineNumber(LT(0)->getLine());
        importer->newPolicyRule();
        importer->action = "pass";
        *dbg << LT(1)->getLine() << ":" << " pass ";
#line 1291 "PFCfgParser.cpp"
        rule_extended();
#line 956 "pf.g"
        importer->pushRule();
#line 1297 "PFCfgParser.cpp"
        match(NEWLINE);
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'block' rule: like pass_rule() with action "block", plus an optional
// drop/return/return-rst/return-icmp/return-icmp6 option (block_return())
// before the shared rule body.
void PFCfgParser::block_rule() {
    try { // for error handling
        match(BLOCK);
#line 963 "pf.g"
        importer->clear();
        importer->setCurrentLineNumber(LT(0)->getLine());
        importer->newPolicyRule();
        importer->action = "block";
        *dbg << LT(1)->getLine() << ":" << " block ";
#line 1318 "PFCfgParser.cpp"
        {
            switch ( LA(1)) {
            case DROP: case RETURN: case RETURN_RST: case RETURN_ICMP: case RETURN_ICMP6: { block_return(); break; }
            case NEWLINE: case QUEUE: case ON: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case IN_WORD: case OUT_WORD: case LOG: case QUICK: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        rule_extended();
#line 972 "pf.g"
        importer->pushRule();
#line 1381 "PFCfgParser.cpp"
        match(NEWLINE);
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set timeout': a single timeout_def() or a brace-delimited list. The numeric
// token ids (40..58) are the timeout-name keywords; their literal text is not
// visible in this excerpt (see timeout_def()).
void PFCfgParser::set_timeout() {
    try { // for error handling
        match(TIMEOUT);
        {
            switch ( LA(1)) {
            case 40: case 41: case 42: case 43: case 44: case 45: case 46: case 47: case 48: case 49: case 50: case 51: case 52: case 53: case LITERAL_frag: case LITERAL_interval: case 56: case 57: case 58: { timeout_def(); break; }
            case OPENING_BRACE: { timeout_def_list(); break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set ruleset-optimization' is not imported. Note the unsupported 'set'
// options below go through addMessageToLog() with an "Error:" prefix, whereas
// unsupported rules (binat, rdr pass, ...) use error_tracker->registerError();
// presumably the former is informational only — confirm in the importer.
void PFCfgParser::set_ruleset_optimization() {
    try { // for error handling
        match(14);
#line 269 "pf.g"
        importer->clear();
        importer->setCurrentLineNumber(LT(0)->getLine());
        importer->addMessageToLog( QString("Error: import of 'set ruleset-optimization' commands is not supported."));
        consumeUntil(NEWLINE);
#line 1449 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set optimization <mode>': the matched keyword's text is stored verbatim in
// importer->set_optimization (token 18 is one of the modes; its spelling is
// not visible here).
void PFCfgParser::set_optimization() {
    try { // for error handling
        match(LITERAL_optimization);
        {
            switch ( LA(1)) {
            case LITERAL_aggressive: { match(LITERAL_aggressive); break; }
            case LITERAL_conservative: { match(LITERAL_conservative); break; }
            case 18: { match(18); break; }
            case LITERAL_normal: { match(LITERAL_normal); break; }
            case LITERAL_satellite: { match(LITERAL_satellite); break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 291 "pf.g"
        importer->set_optimization = LT(0)->getText();
#line 1496 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set limit': a single limit_def() or a brace-delimited list.
void PFCfgParser::set_limit() {
    try { // for error handling
        match(LITERAL_limit);
        {
            switch ( LA(1)) {
            case LITERAL_frags: case LITERAL_states: case 62: case LITERAL_tables: case 64: { limit_def(); break; }
            case OPENING_BRACE: { limit_def_list(); break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set loginterface' is not imported; logged and skipped to end of line.
void PFCfgParser::set_loginterface() {
    try { // for error handling
        match(LITERAL_loginterface);
#line 302 "pf.g"
        importer->clear();
        importer->setCurrentLineNumber(LT(0)->getLine());
        importer->addMessageToLog( QString("Error: import of 'set loginterface' commands is not supported."));
        consumeUntil(NEWLINE);
#line 1549 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set block-policy drop|return' (token 23 is the option keyword): stores the
// keyword text in importer->set_block_policy.
void PFCfgParser::set_block_policy() {
    try { // for error handling
        match(23);
        {
            switch ( LA(1)) {
            case DROP: { match(DROP); break; }
            case RETURN: { match(RETURN); break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 314 "pf.g"
        importer->set_block_policy = LT(0)->getText();
#line 1581 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set state-policy <27|floating>' (tokens 26/27 are keywords not spelled out
// here): stores the keyword text in importer->set_state_policy.
void PFCfgParser::set_state_policy() {
    try { // for error handling
        match(26);
        {
            switch ( LA(1)) {
            case 27: { match(27); break; }
            case LITERAL_floating: { match(LITERAL_floating); break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 320 "pf.g"
        importer->set_state_policy = LT(0)->getText();
#line 1613 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set state-defaults' is not imported; logged and skipped to end of line.
void PFCfgParser::set_state_defaults() {
    try { // for error handling
        match(29);
#line 326 "pf.g"
        importer->clear();
        importer->setCurrentLineNumber(LT(0)->getLine());
        importer->addMessageToLog( QString("Error: import of 'set state-defaults' commands is not supported."));
        consumeUntil(NEWLINE);
#line 1633 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set require-order' is not imported; logged and skipped to end of line.
void PFCfgParser::set_require_order() {
    try { // for error handling
        match(30);
#line 338 "pf.g"
        importer->clear();
        importer->setCurrentLineNumber(LT(0)->getLine());
        importer->addMessageToLog( QString("Error: import of 'set require-order' commands is not supported."));
        consumeUntil(NEWLINE);
#line 1653 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set fingerprints' is not imported; logged and skipped to end of line.
void PFCfgParser::set_fingerprints() {
    try { // for error handling
        match(LITERAL_fingerprints);
#line 350 "pf.g"
        importer->clear();
        importer->setCurrentLineNumber(LT(0)->getLine());
        importer->addMessageToLog( QString("Error: import of 'set fingerprints' commands is not supported."));
        consumeUntil(NEWLINE);
#line 1673 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set skip on <iface | { list }>': interface names are collected by skip_def().
void PFCfgParser::set_skip() {
    try { // for error handling
        match(LITERAL_skip);
        match(ON);
        skip_def();
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set debug <word>': stores the level text in importer->set_debug.
void PFCfgParser::set_debug() {
    try { // for error handling
        match(LITERAL_debug);
        match(WORD);
#line 386 "pf.g"
        importer->set_debug = LT(0)->getText();
#line 1703 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set reassemble' is not imported; logged and skipped to end of line.
void PFCfgParser::set_reassemble() {
    try { // for error handling
        match(LITERAL_reassemble);
#line 394 "pf.g"
        importer->clear();
        importer->setCurrentLineNumber(LT(0)->getLine());
        importer->addMessageToLog( QString("Error: import of 'set reassemble' commands is not supported."));
        consumeUntil(NEWLINE);
#line 1723 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// 'set hostid' is not imported; logged and skipped to end of line.
void PFCfgParser::set_hostid() {
    try { // for error handling
        match(LITERAL_hostid);
#line 406 "pf.g"
        importer->clear();
        importer->setCurrentLineNumber(LT(0)->getLine());
        importer->addMessageToLog( QString("Error: import of 'set hostid' commands is not supported."));
        consumeUntil(NEWLINE);
#line 1743 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// One '<timeout-name> <int>' pair; appended to importer->timeouts as
// (name, value) with both sides kept as the raw token text.
// NOTE(review): 'std::pair(' appears here without template arguments; that
// looks like the '<std::string, std::string>' part was lost when this page was
// extracted rather than being the real source — verify against pf.g.
void PFCfgParser::timeout_def() {
#line 424 "pf.g"
    std::string timeout_name, timeout_value;
#line 1754 "PFCfgParser.cpp"
    try { // for error handling
        {
            switch ( LA(1)) {
            case 40: { match(40); break; }
            case 41: { match(41); break; }
            case 42: { match(42); break; }
            case 43: { match(43); break; }
            case 44: { match(44); break; }
            case 45: { match(45); break; }
            case 46: { match(46); break; }
            case 47: { match(47); break; }
            case 48: { match(48); break; }
            case 49: { match(49); break; }
            case 50: { match(50); break; }
            case 51: { match(51); break; }
            case 52: { match(52); break; }
            case 53: { match(53); break; }
            case LITERAL_frag: { match(LITERAL_frag); break; }
            case LITERAL_interval: { match(LITERAL_interval); break; }
            case 56: { match(56); break; }
            case 57: { match(57); break; }
            case 58: { match(58); break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 465 "pf.g"
        timeout_name = LT(0)->getText();
#line 1864 "PFCfgParser.cpp"
        match(INT_CONST);
#line 469 "pf.g"
        timeout_value = LT(0)->getText();
        importer->timeouts.push_back( std::pair(timeout_name, timeout_value));
#line 1872 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_3);
    }
}

// '{ timeout_def [,] timeout_def ... }': the comma between entries is optional.
void PFCfgParser::timeout_def_list() {
    try { // for error handling
        match(OPENING_BRACE);
        timeout_def();
        { // ( ... )*
            for (;;) {
                if ((_tokenSet_4.member(LA(1)))) {
                    {
                        switch ( LA(1)) {
                        case COMMA: { match(COMMA); break; }
                        case 40: case 41: case 42: case 43: case 44: case 45: case 46: case 47: case 48: case 49: case 50: case 51: case 52: case 53: case LITERAL_frag: case LITERAL_interval: case 56: case 57: case 58: { break; }
                        default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                        }
                    }
                    timeout_def();
                }
                else {
                    goto _loop42;
                }
            }
            _loop42:;
        } // ( ... )*
        match(CLOSING_BRACE);
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// One '<limit-name> <int>' pair; appended to importer->limits as (name, value)
// raw token text. Same note as timeout_def() about the bare 'std::pair('.
void PFCfgParser::limit_def() {
#line 487 "pf.g"
    std::string limit_name, limit_value;
#line 1943 "PFCfgParser.cpp"
    try { // for error handling
        {
            switch ( LA(1)) {
            case LITERAL_frags: { match(LITERAL_frags); break; }
            case LITERAL_states: { match(LITERAL_states); break; }
            case 62: { match(62); break; }
            case LITERAL_tables: { match(LITERAL_tables); break; }
            case 64: { match(64); break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 500 "pf.g"
        limit_name = LT(0)->getText();
#line 1983 "PFCfgParser.cpp"
        match(INT_CONST);
#line 504 "pf.g"
        limit_value = LT(0)->getText();
        importer->limits.push_back( std::pair(limit_name, limit_value));
#line 1991 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_5);
    }
}

// '{ limit_def [,] limit_def ... }': the comma between entries is optional.
void PFCfgParser::limit_def_list() {
    try { // for error handling
        match(OPENING_BRACE);
        limit_def();
        { // ( ... )*
            for (;;) {
                if ((_tokenSet_6.member(LA(1)))) {
                    {
                        switch ( LA(1)) {
                        case COMMA: { match(COMMA); break; }
                        case LITERAL_frags: case LITERAL_states: case 62: case LITERAL_tables: case 64: { break; }
                        default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                        }
                    }
                    limit_def();
                }
                else {
                    goto _loop48;
                }
            }
            _loop48:;
        } // ( ... )*
        match(CLOSING_BRACE);
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// Operand of 'set skip on': a single interface name (appended to
// importer->set_skip_on) or a brace list handled by skip_list().
void PFCfgParser::skip_def() {
    try { // for error handling
        switch ( LA(1)) {
        case WORD: {
            match(WORD);
#line 366 "pf.g"
            importer->set_skip_on.push_back(LT(0)->getText());
#line 2054 "PFCfgParser.cpp"
            break;
        }
        case OPENING_BRACE: { skip_list(); break; }
        default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// '{ WORD [,]* WORD ... }': every interface name is appended to
// importer->set_skip_on; any number of commas may separate names.
void PFCfgParser::skip_list() {
    try { // for error handling
        match(OPENING_BRACE);
        match(WORD);
#line 375 "pf.g"
        importer->set_skip_on.push_back(LT(0)->getText());
#line 2081 "PFCfgParser.cpp"
        { // ( ... )*
            for (;;) {
                if ((LA(1) == WORD || LA(1) == COMMA)) {
                    { // ( ... )*
                        for (;;) {
                            if ((LA(1) == COMMA)) {
                                match(COMMA);
                            }
                            else {
                                goto _loop32;
                            }
                        }
                        _loop32:;
                    } // ( ... )*
                    match(WORD);
#line 378 "pf.g"
                    importer->set_skip_on.push_back(LT(0)->getText());
#line 2100 "PFCfgParser.cpp"
                }
                else {
                    goto _loop33;
                }
            }
            _loop33:;
        } // ( ... )*
        match(CLOSING_BRACE);
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_1);
    }
}

// Shared body of pass/block rules, in pf's fixed clause order: [in|out]
// [quick|log] [on iface] [route-to/reply-to/dup-to when followed by '{' or
// '('] [inet|inet6] [proto ...] [hosts] [filteropts] [route-to/reply-to/dup-to].
// The two-token lookahead on route() and hosts() is how the generated code
// decides between taking the optional clause and leaving it for a later slot.
// Note that a route option is accepted in two positions (after the interface
// and at the very end).
void PFCfgParser::rule_extended() {
    try { // for error handling
        {
            switch ( LA(1)) {
            case IN_WORD: case OUT_WORD: { direction(); break; }
            case NEWLINE: case QUEUE: case ON: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case LOG: case QUICK: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case LOG: case QUICK: { quick_or_log(); break; }
            case NEWLINE: case QUEUE: case ON: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case ON: { intrface(); break; }
            case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            if (((LA(1) >= ROUTE_TO && LA(1) <= DUP_TO)) && (LA(2) == OPENING_BRACE || LA(2) == OPENING_PAREN)) {
                route();
            }
            else if ((_tokenSet_7.member(LA(1))) && (_tokenSet_8.member(LA(2)))) {
            }
            else {
                throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
            }
        }
        {
            switch ( LA(1)) {
            case INET: case INET6: { address_family(); break; }
            case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case ALL: case USER: case TO: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case PROTO: { protospec(); break; }
            case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case ALL: case USER: case TO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            if ((_tokenSet_9.member(LA(1))) && (_tokenSet_10.member(LA(2)))) {
                hosts();
            }
            else if ((_tokenSet_11.member(LA(1))) && (_tokenSet_12.member(LA(2)))) {
            }
            else {
                throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
            }
        }
        {
            switch ( LA(1)) {
            case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case USER: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { filteropts(); break; }
            case NEWLINE: case ROUTE_TO: case REPLY_TO: case DUP_TO: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case ROUTE_TO: case REPLY_TO: case DUP_TO: { route(); break; }
            case NEWLINE: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_13);
    }
}

// One address inside a table definition, built into a local AddressSpec and
// appended to importer->tmp_group:
//   ['!'] ( WORD [':' network|broadcast|peer|INT]  |  self  |  addr ['/' mask] )
// WORD is an interface or host name; ':peer' and ':<n>' are reported as
// unsupported (the spec is still appended as INTERFACE_OR_HOST_NAME).
// 'addr' accepts IPV4, NUMBER and INT_CONST tokens alike and keeps the raw text.
void PFCfgParser::tableaddr_spec() {
#line 609 "pf.g"
    AddressSpec as;
#line 2454 "PFCfgParser.cpp"
    try { // for error handling
        {
            switch ( LA(1)) {
            case EXLAMATION: {
                match(EXLAMATION);
#line 610 "pf.g"
                as.neg = true;
#line 2464 "PFCfgParser.cpp"
                break;
            }
            case WORD: case INT_CONST: case SELF: case IPV4: case NUMBER: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case WORD: {
                match(WORD);
#line 613 "pf.g"
                // interface name or domain/host name
                as.at = AddressSpec::INTERFACE_OR_HOST_NAME;
                as.address = LT(0)->getText();
#line 2492 "PFCfgParser.cpp"
                {
                    switch ( LA(1)) {
                    case COLON: {
                        match(COLON);
                        {
                            switch ( LA(1)) {
                            case NETWORK: {
                                match(NETWORK);
#line 622 "pf.g"
                                as.at = AddressSpec::INTERFACE_NETWORK;
#line 2507 "PFCfgParser.cpp"
                                break;
                            }
                            case BROADCAST: {
                                match(BROADCAST);
#line 627 "pf.g"
                                as.at = AddressSpec::INTERFACE_BROADCAST;
#line 2517 "PFCfgParser.cpp"
                                break;
                            }
                            case PEER: {
                                match(PEER);
#line 632 "pf.g"
                                importer->error_tracker->registerError( QString("import of 'interface:peer' is not supported."));
#line 2528 "PFCfgParser.cpp"
                                break;
                            }
                            case INT_CONST: {
                                match(INT_CONST);
#line 638 "pf.g"
                                importer->error_tracker->registerError( QString("import of 'interface:0' is not supported."));
#line 2539 "PFCfgParser.cpp"
                                break;
                            }
                            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                            }
                        }
                        break;
                    }
                    case WORD: case COMMA: case CLOSING_BRACE: case INT_CONST: case EXLAMATION: case SELF: case IPV4: case NUMBER: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                break;
            }
            case SELF: {
                match(SELF);
#line 646 "pf.g"
                as.at = AddressSpec::SPECIAL_ADDRESS;
                as.address = "self";
#line 2577 "PFCfgParser.cpp"
                break;
            }
            case INT_CONST: case IPV4: case NUMBER: {
                {
                    switch ( LA(1)) {
                    case IPV4: { match(IPV4); break; }
                    case NUMBER: { match(NUMBER); break; }
                    case INT_CONST: { match(INT_CONST); break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
#line 653 "pf.g"
                as.at = AddressSpec::HOST_ADDRESS;
                as.address = LT(0)->getText();
#line 2612 "PFCfgParser.cpp"
                {
                    switch ( LA(1)) {
                    case SLASH: {
                        match(SLASH);
#line 659 "pf.g"
                        as.at = AddressSpec::NETWORK_ADDRESS;
#line 2622 "PFCfgParser.cpp"
                        {
                            switch ( LA(1)) {
                            case IPV4: { match(IPV4); break; }
                            case INT_CONST: { match(INT_CONST); break; }
                            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                            }
                        }
#line 663 "pf.g"
                        as.netmask = LT(0)->getText();
#line 2645 "PFCfgParser.cpp"
                        break;
                    }
                    case WORD: case COMMA: case CLOSING_BRACE: case INT_CONST: case EXLAMATION: case SELF: case IPV4: case NUMBER: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                break;
            }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 668 "pf.g"
        importer->tmp_group.push_back(as);
#line 2677 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_14);
    }
}

// 'log' [ '(' logopts ')' ]: sets importer->logging; the parenthesised
// options are handled by logopts().
void PFCfgParser::logging() {
    try { // for error handling
        match(LOG);
        {
            switch ( LA(1)) {
            case OPENING_PAREN: { logopts(); break; }
            case NEWLINE: case ON: case EXLAMATION: case MINUS: case ALL: case TO: case INET: case INET6: case PROTO: case FROM: case TAGGED: case TAG: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 1048 "pf.g"
        importer->logging = true;
#line 2719 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_15);
    }
}

// 'on' ( ['!'] iface | '{' list '}' ): delegates to ifspec()/interface_list().
void PFCfgParser::intrface() {
    try { // for error handling
        match(ON);
        {
            switch ( LA(1)) {
            case WORD: case EXLAMATION: { ifspec(); break; }
            case OPENING_BRACE: { interface_list(); break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_16);
    }
}

// 'inet' | 'inet6'. Only 'inet6' is recorded in importer->address_family;
// 'inet' is consumed without touching it (presumably the importer's default
// is IPv4 — confirm in the importer).
void PFCfgParser::address_family() {
    try { // for error handling
        switch ( LA(1)) {
        case INET: { match(INET); break; }
        case INET6: {
            match(INET6);
#line 1092 "pf.g"
            importer->address_family = LT(0)->getText();
#line 2773 "PFCfgParser.cpp"
            break;
        }
        default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_17);
    }
}

// 'proto' followed by proto_def().
void PFCfgParser::protospec() {
    try { // for error handling
        match(PROTO);
        proto_def();
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_18);
    }
}

// Address part of a rule: 'all' pushes an ANY spec ("0.0.0.0"/"0.0.0.0") onto
// both src_group and dst_group; otherwise an optional 'from ...' and an
// optional 'to ...' clause (either may be absent, leaving the groups as they
// were).
void PFCfgParser::hosts() {
    try { // for error handling
        switch ( LA(1)) {
        case ALL: {
            match(ALL);
#line 1135 "pf.g"
            importer->src_group.push_back( AddressSpec(AddressSpec::ANY, false, "0.0.0.0", "0.0.0.0"));
            importer->dst_group.push_back( AddressSpec(AddressSpec::ANY, false, "0.0.0.0", "0.0.0.0"));
#line 2814 "PFCfgParser.cpp"
            break;
        }
        case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case MINUS: case OPENING_PAREN: case USER: case TO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: {
            {
                switch ( LA(1)) {
                case FROM: { hosts_from(); break; }
                case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case MINUS: case OPENING_PAREN: case USER: case TO: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; }
                default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                }
            }
            {
                switch ( LA(1)) {
                case TO: { hosts_to(); break; }
                case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case MINUS: case OPENING_PAREN: case USER: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; }
                default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                }
            }
            break;
        }
        default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_19);
    }
}

// ['!'] 'tagged' WORD: '!' sets importer->tagged_neg, the name goes to
// importer->tagged.
void PFCfgParser::tagged() {
    try { // for error handling
        {
            switch ( LA(1)) {
            case EXLAMATION: {
                match(EXLAMATION);
#line 1694 "pf.g"
                importer->tagged_neg = true;
#line 2958 "PFCfgParser.cpp"
                break;
            }
            case TAGGED: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        match(TAGGED);
        match(WORD);
#line 1696 "pf.g"
        importer->tagged = LT(0)->getText();
#line 2977 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_20);
    }
}

// 'tag' WORD: stores the tag name in importer->tag.
void PFCfgParser::tag_clause() {
    try { // for error handling
        match(TAG);
        match(WORD);
#line 1703 "pf.g"
        importer->tag = LT(0)->getText();
#line 2994 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_20);
    }
}

// One translation target after '->', appended to importer->tmp_group:
//   IPV4 ['/' mask]  |  '(' WORD ')'  |  WORD
// Both the parenthesised and the bare WORD form are recorded as
// INTERFACE_OR_HOST_NAME; the parentheses themselves leave no trace in the spec.
void PFCfgParser::redirhost() {
#line 804 "pf.g"
    AddressSpec as;
#line 3005 "PFCfgParser.cpp"
    try { // for error handling
        {
            switch ( LA(1)) {
            case IPV4: {
                match(IPV4);
#line 807 "pf.g"
                as.at = AddressSpec::HOST_ADDRESS;
                as.address = LT(0)->getText();
#line 3018 "PFCfgParser.cpp"
                {
                    switch ( LA(1)) {
                    case SLASH: {
                        match(SLASH);
#line 813 "pf.g"
                        as.at = AddressSpec::NETWORK_ADDRESS;
#line 3028 "PFCfgParser.cpp"
                        {
                            switch ( LA(1)) {
                            case IPV4: { match(IPV4); break; }
                            case INT_CONST: { match(INT_CONST); break; }
                            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                            }
                        }
#line 817 "pf.g"
                        as.netmask = LT(0)->getText();
#line 3051 "PFCfgParser.cpp"
                        break;
                    }
                    case NEWLINE: case WORD: case COMMA: case CLOSING_BRACE: case IPV4: case STATIC_PORT: case OPENING_PAREN: case PORT: case BITMASK: case RANDOM: case SOURCE_HASH: case ROUND_ROBIN: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                break;
            }
            case OPENING_PAREN: {
                match(OPENING_PAREN);
                match(WORD);
#line 824 "pf.g"
                // interface name or domain/host name
                as.at = AddressSpec::INTERFACE_OR_HOST_NAME;
                as.address = LT(0)->getText();
#line 3087 "PFCfgParser.cpp"
                match(CLOSING_PAREN);
                break;
            }
            case WORD: {
                match(WORD);
#line 832 "pf.g"
                // interface name or domain/host name
                as.at = AddressSpec::INTERFACE_OR_HOST_NAME;
                as.address = LT(0)->getText();
#line 3100 "PFCfgParser.cpp"
                break;
            }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 838 "pf.g"
        importer->tmp_group.push_back(as);
#line 3113 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_21);
    }
}

// '{ redirhost [,] redirhost ... }': optional commas between entries.
void PFCfgParser::redirhost_list() {
    try { // for error handling
        match(OPENING_BRACE);
        redirhost();
        { // ( ... )*
            for (;;) {
                if ((_tokenSet_22.member(LA(1)))) {
                    {
                        switch ( LA(1)) {
                        case COMMA: { match(COMMA); break; }
                        case WORD: case IPV4: case OPENING_PAREN: { break; }
                        default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                        }
                    }
                    redirhost();
                }
                else {
                    goto _loop101;
                }
            }
            _loop101:;
        } // ( ... )*
        match(CLOSING_BRACE);
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_23);
    }
}

// 'port' spec of a translation rule, appended to importer->tmp_port_group:
//   port_def            -> single port, port_op "=" and port2 == port1
//   IPV6 ['*']          -> a 'lo:hi' range; the lexer evidently yields the
//                          colon-separated range as an IPV6 token, and
//                          setFromPortRange() splits it. A trailing '*' widens
//                          the upper bound to 65535.
void PFCfgParser::portspec() {
#line 863 "pf.g"
    PortSpec ps;
#line 3168 "PFCfgParser.cpp"
    try { // for error handling
        match(PORT);
        {
            switch ( LA(1)) {
            case WORD: case INT_CONST: {
                port_def();
#line 867 "pf.g"
                ps.port1 = importer->tmp_port_def;
                ps.port2 = ps.port1;
                ps.port_op = "=";
#line 3184 "PFCfgParser.cpp"
                break;
            }
            case IPV6: {
                match(IPV6);
#line 876 "pf.g"
                ps.setFromPortRange(LT(0)->getText());
#line 3194 "PFCfgParser.cpp"
                {
                    switch ( LA(1)) {
                    case STAR: {
                        match(STAR);
#line 880 "pf.g"
                        ps.port2 = "65535";
#line 3202 "PFCfgParser.cpp"
                        break;
                    }
                    case NEWLINE: case STATIC_PORT: case BITMASK: case RANDOM: case SOURCE_HASH: case ROUND_ROBIN: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                break;
            }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 883 "pf.g"
        importer->tmp_port_group.push_back(ps);
#line 3232 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_24);
    }
}

// Pool type of a translation rule: bitmask | random | source-hash [hex-key |
// string-key] | round-robin, then an optional 'sticky-address'. The chosen
// type is stored in importer->pooltype_opt; 'source-hash' with an explicit
// key is reported as unsupported. 'sticky-address' is matched but has no
// action attached, so it is silently dropped from the imported rule.
void PFCfgParser::pooltype() {
    try { // for error handling
        {
            switch ( LA(1)) {
            case BITMASK: {
                match(BITMASK);
#line 897 "pf.g"
                importer->pooltype_opt = "bitmask";
#line 3250 "PFCfgParser.cpp"
                break;
            }
            case RANDOM: {
                match(RANDOM);
#line 899 "pf.g"
                importer->pooltype_opt = "random";
#line 3258 "PFCfgParser.cpp"
                break;
            }
            case SOURCE_HASH: {
                match(SOURCE_HASH);
#line 901 "pf.g"
                importer->pooltype_opt = "source-hash";
#line 3266 "PFCfgParser.cpp"
                {
                    switch ( LA(1)) {
                    case HEX_KEY: {
                        match(HEX_KEY);
#line 904 "pf.g"
                        importer->error_tracker->registerError( QString("import of commands with pool type 'source-hash hex-key' " "option is not supported"));
#line 3278 "PFCfgParser.cpp"
                        break;
                    }
                    case STRING_KEY: {
                        match(STRING_KEY);
#line 911 "pf.g"
                        importer->error_tracker->registerError( QString("import of commands with pool type 'source-hash string-key' " "option is not supported"));
#line 3290 "PFCfgParser.cpp"
                        break;
                    }
                    case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case STATIC_PORT: case OPENING_PAREN: case STICKY_ADDRESS: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; }
                    default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
                    }
                }
                break;
            }
            case ROUND_ROBIN: {
                match(ROUND_ROBIN);
#line 918 "pf.g"
                importer->pooltype_opt = "round-robin";
#line 3343 "PFCfgParser.cpp"
                break;
            }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
        {
            switch ( LA(1)) {
            case STICKY_ADDRESS: { match(STICKY_ADDRESS); break; }
            case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case STATIC_PORT: case OPENING_PAREN: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_25);
    }
}

// A single port given as a service name (WORD) or number (INT_CONST); the raw
// token text is left in importer->tmp_port_def for the caller.
void PFCfgParser::port_def() {
    try { // for error handling
        {
            switch ( LA(1)) {
            case WORD: { match(WORD); break; }
            case INT_CONST: { match(INT_CONST); break; }
            default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); }
            }
        }
#line 1831 "pf.g"
        importer->tmp_port_def = LT(0)->getText();
#line 3433 "PFCfgParser.cpp"
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        reportError(ex);
        recover(ex,_tokenSet_26);
    }
}

// Option after 'block': drop | return | return-rst [ttl n] | ...; each keyword
// is appended to importer->block_action_params. 'return-rst ttl <n>' is
// reported as unsupported. This function continues past the end of the excerpt.
void PFCfgParser::block_return() {
    try { // for error handling
        {
            switch ( LA(1)) {
            case DROP: {
                match(DROP);
#line 980 "pf.g"
                importer->block_action_params.push_back("drop");
#line 3451 "PFCfgParser.cpp"
                break;
            }
            case RETURN: {
                match(RETURN);
#line 982 "pf.g"
                importer->block_action_params.push_back("return");
#line 3459 "PFCfgParser.cpp"
                break;
            }
            case RETURN_RST: {
                match(RETURN_RST);
#line 984 "pf.g"
                importer->block_action_params.push_back("return-rst");
#line 3467 "PFCfgParser.cpp"
                {
                    switch ( LA(1)) {
                    case TTL: {
                        match(TTL);
                        match(INT_CONST);
#line 987 "pf.g"
                        importer->error_tracker->registerError( QString("Import of \"block return-rst ttl number\" is not supported. 
")); #line 3479 "PFCfgParser.cpp" break; } case NEWLINE: case QUEUE: case ON: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case IN_WORD: case OUT_WORD: case LOG: case QUICK: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case RETURN_ICMP: { match(RETURN_ICMP); #line 993 "pf.g" importer->block_action_params.push_back("return-icmp"); #line 3535 "PFCfgParser.cpp" { if ((LA(1) == OPENING_PAREN) && (_tokenSet_27.member(LA(2)))) { match(OPENING_PAREN); { switch ( LA(1)) { case 177: case 178: case 179: case 180: case LITERAL_needfrag: case LITERAL_srcfail: case 183: case 184: case LITERAL_isolate: case 186: case 187: case 188: case 189: case 190: case 191: case 192: case 193: case 194: case 195: case 196: case 197: case 198: case LITERAL_transit: case LITERAL_reassemb: case LITERAL_badhead: case LITERAL_optmiss: case LITERAL_badlen: case 204: case 205: case 206: { icmp_code_by_name(); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 997 "pf.g" importer->block_action_params.push_back(LT(0)->getText()); #line 3588 "PFCfgParser.cpp" { switch ( LA(1)) { case COMMA: { match(COMMA); { switch ( LA(1)) { case 177: case 178: case 179: case 180: case LITERAL_needfrag: case LITERAL_srcfail: case 183: case 184: case LITERAL_isolate: case 186: case 187: case 188: case 189: case 190: case 191: case 192: case 193: case 194: case 195: case 196: case 197: case 198: case LITERAL_transit: case LITERAL_reassemb: case LITERAL_badhead: case LITERAL_optmiss: case LITERAL_badlen: 
case 204: case 205: case 206: { icmp_code_by_name(); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1001 "pf.g" importer->error_tracker->registerError( QString("Import of \"block return-icmp (icmp_code, icmp6_code)\" is not supported")); #line 3646 "PFCfgParser.cpp" break; } case CLOSING_PAREN: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(CLOSING_PAREN); } else if ((_tokenSet_28.member(LA(1))) && (_tokenSet_29.member(LA(2)))) { } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } break; } case RETURN_ICMP6: { match(RETURN_ICMP6); #line 1010 "pf.g" importer->error_tracker->registerError( QString("Import of \"block return-icmp6\" is not supported")); importer->block_action_params.push_back("return-icmp"); #line 3679 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_28); } } void PFCfgParser::icmp_code_by_name() { try { // for error handling { switch ( LA(1)) { case 177: { match(177); break; } case 178: { match(178); break; } case 179: { match(179); break; } case 180: { match(180); break; } case LITERAL_needfrag: { match(LITERAL_needfrag); break; } case LITERAL_srcfail: { match(LITERAL_srcfail); break; } case 183: { match(183); break; } case 184: { match(184); break; } case LITERAL_isolate: { match(LITERAL_isolate); break; } case 186: { match(186); break; } case 187: { match(187); break; } case 188: { match(188); break; } case 189: { match(189); break; } case 190: { match(190); break; } case 191: { match(191); break; } case 192: { match(192); break; } case 193: { match(193); break; } case 194: { match(194); break; } case 195: { match(195); break; } case 196: { match(196); break; } case 197: { 
match(197); break; } case 198: { match(198); break; } case LITERAL_transit: { match(LITERAL_transit); break; } case LITERAL_reassemb: { match(LITERAL_reassemb); break; } case LITERAL_badhead: { match(LITERAL_badhead); break; } case LITERAL_optmiss: { match(LITERAL_optmiss); break; } case LITERAL_badlen: { match(LITERAL_badlen); break; } case 204: { match(204); break; } case 205: { match(205); break; } case 206: { match(206); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_30); } } void PFCfgParser::direction() { try { // for error handling { switch ( LA(1)) { case IN_WORD: { match(IN_WORD); break; } case OUT_WORD: { match(OUT_WORD); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1031 "pf.g" importer->direction = LT(0)->getText(); #line 3888 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_31); } } void PFCfgParser::quick_or_log() { try { // for error handling { switch ( LA(1)) { case LOG: { match(LOG); { if ((LA(1) == OPENING_PAREN) && ((LA(2) >= ALL && LA(2) <= TO))) { logopts(); } else if ((_tokenSet_32.member(LA(1))) && (_tokenSet_33.member(LA(2)))) { } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } #line 1039 "pf.g" importer->logging = true; #line 3917 "PFCfgParser.cpp" { switch ( LA(1)) { case QUICK: { match(QUICK); #line 1040 "pf.g" importer->quick = true; #line 3925 "PFCfgParser.cpp" break; } case NEWLINE: case QUEUE: case ON: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case 
ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case QUICK: { match(QUICK); #line 1042 "pf.g" importer->quick = true; #line 3977 "PFCfgParser.cpp" { switch ( LA(1)) { case LOG: { match(LOG); { if ((LA(1) == OPENING_PAREN) && ((LA(2) >= ALL && LA(2) <= TO))) { logopts(); } else if ((_tokenSet_34.member(LA(1))) && (_tokenSet_8.member(LA(2)))) { } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } #line 1043 "pf.g" importer->logging = true; #line 3996 "PFCfgParser.cpp" break; } case NEWLINE: case QUEUE: case ON: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_34); } } void PFCfgParser::route() { try { // for error handling switch ( LA(1)) { case ROUTE_TO: { route_to(); break; } case REPLY_TO: { reply_to(); break; } case DUP_TO: { dup_to(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_7); } } void PFCfgParser::filteropts() { try { // for error handling filteropt(); { // ( ... 
)* for (;;) { if ((_tokenSet_35.member(LA(1)))) { { switch ( LA(1)) { case COMMA: { match(COMMA); break; } case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case USER: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } filteropt(); } else { goto _loop207; } } _loop207:; } // ( ... )* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_36); } } void PFCfgParser::logopts() { try { // for error handling match(OPENING_PAREN); logopt(); { // ( ... )* for (;;) { if ((LA(1) == COMMA)) { match(COMMA); #line 1055 "pf.g" importer->logopts += ","; #line 4159 "PFCfgParser.cpp" logopt(); } else { goto _loop142; } } _loop142:; } // ( ... )* match(CLOSING_PAREN); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_37); } } void PFCfgParser::logopt() { try { // for error handling switch ( LA(1)) { case ALL: { match(ALL); break; } case USER: { match(USER); break; } case TO: { match(TO); match(WORD); #line 1062 "pf.g" importer->logopts += LT(0)->getText(); #line 4199 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_38); } } void PFCfgParser::ifspec() { #line 1070 "pf.g" InterfaceSpec is; #line 4217 "PFCfgParser.cpp" try { // for error handling { switch ( LA(1)) { case EXLAMATION: { match(EXLAMATION); #line 1071 "pf.g" is.neg = true; #line 4227 "PFCfgParser.cpp" break; } case WORD: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(WORD); #line 1073 "pf.g" is.name = 
LT(0)->getText(); importer->iface_group.push_back(is); importer->newInterface(is.name); #line 4247 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_39); } } void PFCfgParser::interface_list() { try { // for error handling match(OPENING_BRACE); ifspec(); { // ( ... )* for (;;) { if ((LA(1) == WORD || LA(1) == COMMA || LA(1) == EXLAMATION)) { { switch ( LA(1)) { case COMMA: { match(COMMA); break; } case WORD: case EXLAMATION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } ifspec(); } else { goto _loop151; } } _loop151:; } // ( ... )* match(CLOSING_BRACE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_16); } } void PFCfgParser::proto_def() { try { // for error handling { switch ( LA(1)) { case IP: case ICMP: case IGMP: case TCP: case UDP: case RDP: case RSVP: case GRE: case ESP_WORD: case AH: case EIGRP: case OSPF: case IPIP: case VRRP: case L2TP: case ISIS: { proto_name(); break; } case INT_CONST: { proto_number(); break; } case OPENING_BRACE: { proto_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_40); } } void PFCfgParser::proto_name() { try { // for error handling { switch ( LA(1)) { case IP: { match(IP); break; } case ICMP: { match(ICMP); break; } case IGMP: { match(IGMP); break; } case TCP: { match(TCP); break; } case UDP: { match(UDP); break; } case RDP: { match(RDP); break; } case RSVP: { match(RSVP); break; } case GRE: { match(GRE); break; } case ESP_WORD: { match(ESP_WORD); break; } case AH: { match(AH); break; } case EIGRP: { match(EIGRP); break; } case OSPF: { match(OSPF); break; } case IPIP: { match(IPIP); break; } case VRRP: { match(VRRP); break; } case L2TP: { match(L2TP); break; } case ISIS: { match(ISIS); break; 
} default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1112 "pf.g" importer->proto_list.push_back(LT(0)->getText()); #line 4441 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_40); } } void PFCfgParser::proto_number() { try { // for error handling match(INT_CONST); #line 1118 "pf.g" importer->proto_list.push_back(LT(0)->getText()); #line 4457 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_40); } } void PFCfgParser::proto_list() { try { // for error handling match(OPENING_BRACE); proto_def(); { // ( ... )* for (;;) { if ((_tokenSet_41.member(LA(1)))) { { switch ( LA(1)) { case COMMA: { match(COMMA); break; } case OPENING_BRACE: case INT_CONST: case IP: case ICMP: case IGMP: case TCP: case UDP: case RDP: case RSVP: case GRE: case ESP_WORD: case AH: case EIGRP: case OSPF: case IPIP: case VRRP: case L2TP: case ISIS: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } proto_def(); } else { goto _loop162; } } _loop162:; } // ( ... 
)* match(CLOSING_BRACE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_40); } } void PFCfgParser::hosts_from() { try { // for error handling match(FROM); src_hosts_part(); { switch ( LA(1)) { case PORT: { src_port_part(); break; } case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case MINUS: case OPENING_PAREN: case USER: case TO: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_42); } } void PFCfgParser::hosts_to() { try { // for error handling match(TO); dst_hosts_part(); { switch ( LA(1)) { case PORT: { dst_port_part(); break; } case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case MINUS: case OPENING_PAREN: case USER: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_19); } } void PFCfgParser::src_hosts_part() { try { // for error handling { switch ( LA(1)) { case WORD: case OPENING_BRACE: case LESS_THAN: case EXLAMATION: case SELF: case IPV4: case OPENING_PAREN: case IPV6: case ANY: case NO_ROUTE: case MACRO: { common_hosts_part(); break; } case URPF_FAILED: { match(URPF_FAILED); #line 1158 "pf.g" importer->tmp_group.push_back( 
AddressSpec(AddressSpec::SPECIAL_ADDRESS, false, "urpf-failed", "")); #line 4664 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1164 "pf.g" importer->src_neg = importer->tmp_neg; importer->src_group.splice(importer->src_group.begin(), importer->tmp_group); #line 4679 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_43); } } void PFCfgParser::src_port_part() { try { // for error handling match(PORT); { switch ( LA(1)) { case WORD: case EQUAL: case INT_CONST: case LESS_THAN: case GREATER_THAN: case EXLAMATION: case IPV6: { port_op(); break; } case OPENING_BRACE: { port_op_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1752 "pf.g" importer->src_port_group.splice(importer->src_port_group.begin(), importer->tmp_port_group); #line 4720 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_42); } } void PFCfgParser::dst_hosts_part() { try { // for error handling common_hosts_part(); #line 1173 "pf.g" importer->dst_neg = importer->tmp_neg; importer->dst_group.splice(importer->dst_group.begin(), importer->tmp_group); #line 4738 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_44); } } void PFCfgParser::dst_port_part() { try { // for error handling match(PORT); { switch ( LA(1)) { case WORD: case EQUAL: case INT_CONST: case LESS_THAN: case GREATER_THAN: case EXLAMATION: case IPV6: { port_op(); break; } case OPENING_BRACE: { port_op_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1765 "pf.g" importer->dst_port_group.splice(importer->dst_port_group.begin(), importer->tmp_port_group); #line 4779 "PFCfgParser.cpp" } catch 
(ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_19); } } void PFCfgParser::common_hosts_part() { try { // for error handling switch ( LA(1)) { case ANY: { match(ANY); #line 1182 "pf.g" importer->tmp_group.push_back( AddressSpec(AddressSpec::ANY, false, "0.0.0.0", "0.0.0.0")); #line 4799 "PFCfgParser.cpp" break; } case NO_ROUTE: { match(NO_ROUTE); #line 1188 "pf.g" importer->tmp_group.push_back( AddressSpec(AddressSpec::SPECIAL_ADDRESS, false, "no-route", "")); #line 4810 "PFCfgParser.cpp" break; } case WORD: case LESS_THAN: case EXLAMATION: case SELF: case IPV4: case OPENING_PAREN: case IPV6: case MACRO: { host(); break; } case OPENING_BRACE: { host_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_43); } } void PFCfgParser::host() { ANTLR_USE_NAMESPACE(antlr)RefToken tn = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken in = ANTLR_USE_NAMESPACE(antlr)nullToken; #line 1198 "pf.g" AddressSpec as; #line 4847 "PFCfgParser.cpp" try { // for error handling { switch ( LA(1)) { case EXLAMATION: { match(EXLAMATION); #line 1199 "pf.g" as.neg = true; #line 4857 "PFCfgParser.cpp" break; } case WORD: case LESS_THAN: case SELF: case IPV4: case OPENING_PAREN: case IPV6: case MACRO: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case WORD: case MACRO: { { switch ( LA(1)) { case WORD: { match(WORD); break; } case MACRO: { match(MACRO); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1202 "pf.g" // interface name or domain/host name as.at = AddressSpec::INTERFACE_OR_HOST_NAME; as.address = LT(0)->getText(); #line 4905 "PFCfgParser.cpp" { switch ( LA(1)) { case COLON: { match(COLON); { switch ( LA(1)) { case NETWORK: { 
match(NETWORK); #line 1211 "pf.g" as.at = AddressSpec::INTERFACE_NETWORK; #line 4920 "PFCfgParser.cpp" break; } case BROADCAST: { match(BROADCAST); #line 1216 "pf.g" as.at = AddressSpec::INTERFACE_BROADCAST; #line 4930 "PFCfgParser.cpp" break; } case PEER: { match(PEER); #line 1221 "pf.g" importer->error_tracker->registerError( QString("import of 'interface:peer' is not supported.")); #line 4941 "PFCfgParser.cpp" break; } case INT_CONST: { match(INT_CONST); #line 1227 "pf.g" importer->error_tracker->registerError( QString("import of 'interface:0' is not supported.")); #line 4952 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case NEWLINE: case WORD: case QUEUE: case COMMA: case CLOSING_BRACE: case LITERAL_reassemble: case SCRUB: case LESS_THAN: case EXLAMATION: case SELF: case IPV4: case NO: case MINUS: case OPENING_PAREN: case PORT: case IPV6: case USER: case TO: case MACRO: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case SELF: { match(SELF); #line 1235 "pf.g" as.at = AddressSpec::SPECIAL_ADDRESS; as.address = "self"; #line 5019 "PFCfgParser.cpp" break; } case IPV6: { match(IPV6); #line 1241 "pf.g" importer->error_tracker->registerError( QString("IPv6 import is not supported. 
")); consumeUntil(NEWLINE); #line 5031 "PFCfgParser.cpp" break; } case IPV4: { match(IPV4); #line 1248 "pf.g" as.at = AddressSpec::HOST_ADDRESS; as.address = LT(0)->getText(); #line 5042 "PFCfgParser.cpp" { switch ( LA(1)) { case SLASH: { match(SLASH); #line 1254 "pf.g" as.at = AddressSpec::NETWORK_ADDRESS; #line 5052 "PFCfgParser.cpp" { switch ( LA(1)) { case IPV4: { match(IPV4); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1258 "pf.g" as.netmask = LT(0)->getText(); #line 5075 "PFCfgParser.cpp" break; } case NEWLINE: case WORD: case QUEUE: case COMMA: case CLOSING_BRACE: case LITERAL_reassemble: case SCRUB: case LESS_THAN: case EXLAMATION: case SELF: case IPV4: case NO: case MINUS: case OPENING_PAREN: case PORT: case IPV6: case USER: case TO: case MACRO: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case LESS_THAN: { match(LESS_THAN); tn = LT(1); match(WORD); match(GREATER_THAN); #line 1264 "pf.g" as.at = AddressSpec::TABLE; as.address = tn->getText(); #line 5137 "PFCfgParser.cpp" break; } case OPENING_PAREN: { match(OPENING_PAREN); in = LT(1); match(WORD); match(CLOSING_PAREN); #line 1270 "pf.g" // interface name or domain/host name as.at = AddressSpec::INTERFACE_OR_HOST_NAME; as.address = in->getText(); #line 5152 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1276 "pf.g" importer->tmp_group.push_back(as); #line 5165 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_45); } } void PFCfgParser::host_list() { try 
{ // for error handling match(OPENING_BRACE); host(); { // ( ... )* for (;;) { if ((_tokenSet_46.member(LA(1)))) { { switch ( LA(1)) { case COMMA: { match(COMMA); break; } case WORD: case LESS_THAN: case EXLAMATION: case SELF: case IPV4: case OPENING_PAREN: case IPV6: case MACRO: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } host(); } else { goto _loop185; } } _loop185:; } // ( ... )* match(CLOSING_BRACE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_43); } } void PFCfgParser::route_to() { try { // for error handling match(ROUTE_TO); { switch ( LA(1)) { case OPENING_PAREN: { routehost(); break; } case OPENING_BRACE: { routehost_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case BITMASK: case RANDOM: case SOURCE_HASH: case ROUND_ROBIN: { pooltype(); break; } case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1298 "pf.g" importer->route_type = PFImporter::ROUTE_TO; #line 5299 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_7); } } void PFCfgParser::reply_to() { try { // for error handling match(REPLY_TO); { switch ( LA(1)) { case OPENING_PAREN: { routehost(); break; } case OPENING_BRACE: { routehost_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { 
case BITMASK: case RANDOM: case SOURCE_HASH: case ROUND_ROBIN: { pooltype(); break; } case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1305 "pf.g" importer->route_type = PFImporter::REPLY_TO; #line 5384 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_7); } } void PFCfgParser::dup_to() { try { // for error handling match(DUP_TO); { switch ( LA(1)) { case OPENING_PAREN: { routehost(); break; } case OPENING_BRACE: { routehost_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case BITMASK: case RANDOM: case SOURCE_HASH: case ROUND_ROBIN: { pooltype(); break; } case NEWLINE: case QUEUE: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case ALL: case USER: case TO: case INET: case INET6: case PROTO: case FROM: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1312 "pf.g" importer->route_type = PFImporter::DUP_TO; #line 5469 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_7); } } void PFCfgParser::routehost() { ANTLR_USE_NAMESPACE(antlr)RefToken h = 
ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken v6 = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken nm = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken nm6 = ANTLR_USE_NAMESPACE(antlr)nullToken; #line 1317 "pf.g" RouteSpec rs; #line 5484 "PFCfgParser.cpp" try { // for error handling match(OPENING_PAREN); match(WORD); #line 1319 "pf.g" rs.iface = LT(0)->getText(); #line 5491 "PFCfgParser.cpp" { switch ( LA(1)) { case IPV4: { h = LT(1); match(IPV4); break; } case IPV6: { v6 = LT(1); match(IPV6); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case SLASH: { match(SLASH); { switch ( LA(1)) { case IPV4: { nm = LT(1); match(IPV4); break; } case INT_CONST: { nm6 = LT(1); match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case CLOSING_PAREN: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1321 "pf.g" if (v6) { importer->error_tracker->registerError( QString("IPv6 import is not supported. ")); consumeUntil(NEWLINE); } else { if (h) rs.address = h->getText(); if (nm) rs.netmask = nm->getText(); importer->route_group.push_back(rs); } #line 5563 "PFCfgParser.cpp" match(CLOSING_PAREN); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_47); } } void PFCfgParser::routehost_list() { try { // for error handling match(OPENING_BRACE); routehost(); { // ( ... )* for (;;) { if ((LA(1) == COMMA || LA(1) == OPENING_PAREN)) { { switch ( LA(1)) { case COMMA: { match(COMMA); break; } case OPENING_PAREN: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } routehost(); } else { goto _loop203; } } _loop203:; } // ( ... 
)* match(CLOSING_BRACE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_48); } } void PFCfgParser::filteropt() { try { // for error handling switch ( LA(1)) { case USER: { user_match(); break; } case GROUP: { group_match(); break; } case FLAGS: { tcp_flags(); break; } case ICMP_TYPE: { icmp_type(); break; } case ICMP6_TYPE: { icmp6_type(); break; } case EXLAMATION: case TAGGED: { tagged(); break; } case TAG: { tag_clause(); break; } case NO: case KEEP: case MODULATE: case SYNPROXY: { state(); break; } case QUEUE: { queue(); break; } case LABEL: { label(); break; } case SCRUB: { match_rule_scrub_options(); break; } case LITERAL_reassemble: case OPENING_PAREN: case LITERAL_fragment: case 146: case 147: case 148: case 149: { scrub_options(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::user_match() { try { // for error handling match(USER); { switch ( LA(1)) { case WORD: case EQUAL: case INT_CONST: case LESS_THAN: case GREATER_THAN: case EXLAMATION: { user_group_op(); break; } case OPENING_BRACE: { user_group_op_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1386 "pf.g" importer->addMessageToLog( QString("Error: import of 'user' match is not supported.")); #line 5732 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::group_match() { try { // for error handling match(GROUP); { switch ( LA(1)) { case WORD: case EQUAL: case INT_CONST: case LESS_THAN: case GREATER_THAN: case EXLAMATION: { user_group_op(); break; } case OPENING_BRACE: { user_group_op_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1395 "pf.g" 
importer->addMessageToLog( QString("Error: import of 'group' match is not supported.")); #line 5772 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::tcp_flags() { ANTLR_USE_NAMESPACE(antlr)RefToken check = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken mask = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(FLAGS); { switch ( LA(1)) { case ANY: { match(ANY); #line 1505 "pf.g" importer->flags_check = "none"; importer->flags_mask = "none"; #line 5796 "PFCfgParser.cpp" break; } case WORD: case SLASH: { { switch ( LA(1)) { case WORD: { check = LT(1); match(WORD); break; } case SLASH: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(SLASH); { switch ( LA(1)) { case WORD: { mask = LT(1); match(WORD); break; } case NEWLINE: case QUEUE: case COMMA: case LITERAL_reassemble: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case USER: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1511 "pf.g" if (check) importer->flags_check = check->getText(); else importer->flags_check = "any"; if (mask) importer->flags_mask = mask->getText(); else importer->flags_mask = "all"; #line 5876 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::icmp_type() { try { // for error handling match(ICMP_TYPE); { switch ( LA(1)) { case LITERAL_skip: case INT_CONST: case LITERAL_echorep: case 
LITERAL_unreach: case LITERAL_squench: case LITERAL_redir: case LITERAL_althost: case LITERAL_echoreq: case LITERAL_routeradv: case LITERAL_routersol: case LITERAL_timex: case LITERAL_paramprob: case LITERAL_timereq: case LITERAL_timerep: case LITERAL_inforeq: case LITERAL_inforep: case LITERAL_maskreq: case LITERAL_maskrep: case LITERAL_trace: case LITERAL_dataconv: case LITERAL_mobredir: case 172: case 173: case LITERAL_mobregreq: case LITERAL_mobregrep: case LITERAL_photuris: { icmp_type_code(); break; } case OPENING_BRACE: { icmp_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::icmp6_type() { try { // for error handling match(ICMP6_TYPE); #line 1686 "pf.g" importer->error_tracker->registerError( QString("ICMP6 import is not supported. ")); consumeUntil(NEWLINE); #line 5956 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::state() { try { // for error handling { switch ( LA(1)) { case NO: { match(NO); break; } case KEEP: { match(KEEP); break; } case MODULATE: { match(MODULATE); break; } case SYNPROXY: { match(SYNPROXY); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1718 "pf.g" importer->state_op = LT(0)->getText(); #line 5999 "PFCfgParser.cpp" match(STATE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::queue() { try { // for error handling match(QUEUE); { switch ( LA(1)) { case WORD: { match(WORD); #line 1727 "pf.g" importer->queue += LT(0)->getText(); #line 6019 "PFCfgParser.cpp" break; } case OPENING_PAREN: { match(OPENING_PAREN); match(WORD); #line 1730 "pf.g" importer->queue += LT(0)->getText(); #line 6028 "PFCfgParser.cpp" { // ( ... 
)* for (;;) { if ((LA(1) == COMMA)) { match(COMMA); #line 1732 "pf.g" importer->queue += ","; #line 6035 "PFCfgParser.cpp" match(WORD); #line 1733 "pf.g" importer->queue += LT(0)->getText(); #line 6039 "PFCfgParser.cpp" } else { goto _loop260; } } _loop260:; } // ( ... )* match(CLOSING_PAREN); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::label() { try { // for error handling match(LABEL); match(STRING); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::match_rule_scrub_options() { try { // for error handling match(SCRUB); scrub_options(); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::scrub_options() { try { // for error handling { switch ( LA(1)) { case LITERAL_reassemble: case LITERAL_fragment: case 146: case 147: case 148: case 149: { scrub_option(); break; } case OPENING_PAREN: { scrub_option_list(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::user_group_op() { try { // for error handling { switch ( LA(1)) { case EQUAL: case LESS_THAN: case GREATER_THAN: case EXLAMATION: { unary_op(); { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case WORD: case INT_CONST: { { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { if ((LA(1) == LESS_THAN || LA(1) == 
GREATER_THAN || LA(1) == COLON) && (_tokenSet_50.member(LA(2)))) { binary_op(); { switch ( LA(1)) { case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } else if ((_tokenSet_51.member(LA(1))) && (_tokenSet_52.member(LA(2)))) { } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_51); } } void PFCfgParser::user_group_op_list() { try { // for error handling match(OPENING_BRACE); user_group_op(); { // ( ... )* for (;;) { if ((_tokenSet_53.member(LA(1)))) { { switch ( LA(1)) { case COMMA: { match(COMMA); break; } case WORD: case EQUAL: case INT_CONST: case LESS_THAN: case GREATER_THAN: case EXLAMATION: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } user_group_op(); } else { goto _loop222; } } _loop222:; } // ( ... 
)* match(CLOSING_BRACE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::unary_op() { try { // for error handling { switch ( LA(1)) { case EQUAL: { match(EQUAL); #line 1773 "pf.g" importer->tmp_port_op = "="; #line 6274 "PFCfgParser.cpp" break; } case EXLAMATION: { match(EXLAMATION); match(EQUAL); #line 1775 "pf.g" importer->tmp_port_op = "!="; #line 6283 "PFCfgParser.cpp" break; } default: if ((LA(1) == LESS_THAN) && (LA(2) == WORD || LA(2) == INT_CONST)) { match(LESS_THAN); #line 1777 "pf.g" importer->tmp_port_op = "<"; #line 6291 "PFCfgParser.cpp" } else if ((LA(1) == LESS_THAN) && (LA(2) == EQUAL)) { match(LESS_THAN); match(EQUAL); #line 1779 "pf.g" importer->tmp_port_op = "<="; #line 6298 "PFCfgParser.cpp" } else if ((LA(1) == GREATER_THAN) && (LA(2) == WORD || LA(2) == INT_CONST)) { match(GREATER_THAN); #line 1781 "pf.g" importer->tmp_port_op = ">"; #line 6304 "PFCfgParser.cpp" } else if ((LA(1) == GREATER_THAN) && (LA(2) == EQUAL)) { match(GREATER_THAN); match(EQUAL); #line 1783 "pf.g" importer->tmp_port_op = ">="; #line 6311 "PFCfgParser.cpp" } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_54); } } void PFCfgParser::binary_op() { try { // for error handling { switch ( LA(1)) { case LESS_THAN: { match(LESS_THAN); match(GREATER_THAN); #line 1789 "pf.g" importer->tmp_port_op = "<>"; #line 6336 "PFCfgParser.cpp" break; } case GREATER_THAN: { match(GREATER_THAN); match(LESS_THAN); #line 1791 "pf.g" importer->tmp_port_op = "><"; #line 6345 "PFCfgParser.cpp" break; } case COLON: { match(COLON); #line 1793 "pf.g" importer->tmp_port_op = ":"; #line 6353 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { 
reportError(ex); recover(ex,_tokenSet_54); } } void PFCfgParser::scrub_option() { try { // for error handling { switch ( LA(1)) { case LITERAL_fragment: { match(LITERAL_fragment); { switch ( LA(1)) { case LITERAL_reassemble: { match(LITERAL_reassemble); break; } case LITERAL_crop: { match(LITERAL_crop); break; } case 145: { match(145); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1457 "pf.g" importer->scrub_options.push_back( str_tuple("fragment", LT(0)->getText())); importer->scrub_rule = true; #line 6406 "PFCfgParser.cpp" break; } case LITERAL_reassemble: { match(LITERAL_reassemble); match(TCP); #line 1464 "pf.g" importer->scrub_options.push_back( str_tuple("reassemble", "tcp")); importer->scrub_rule = true; #line 6419 "PFCfgParser.cpp" break; } case 146: { match(146); #line 1471 "pf.g" importer->scrub_options.push_back( str_tuple(LT(0)->getText(), "")); importer->scrub_rule = true; #line 6431 "PFCfgParser.cpp" break; } case 147: { match(147); match(INT_CONST); #line 1478 "pf.g" importer->scrub_options.push_back( str_tuple("min-ttl", LT(0)->getText())); importer->scrub_rule = true; #line 6444 "PFCfgParser.cpp" break; } case 148: { match(148); match(INT_CONST); #line 1485 "pf.g" importer->scrub_options.push_back( str_tuple("max-mss", LT(0)->getText())); importer->scrub_rule = true; #line 6457 "PFCfgParser.cpp" break; } case 149: { match(149); #line 1492 "pf.g" importer->scrub_options.push_back( str_tuple(LT(0)->getText(), "")); importer->scrub_rule = true; #line 6469 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_55); } } void PFCfgParser::scrub_option_list() { try { // for error handling match(OPENING_PAREN); scrub_option(); { // ( ... 
)* for (;;) { if ((_tokenSet_56.member(LA(1)))) { { switch ( LA(1)) { case COMMA: { match(COMMA); break; } case LITERAL_reassemble: case LITERAL_fragment: case 146: case 147: case 148: case 149: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } scrub_option(); } else { goto _loop229; } } _loop229:; } // ( ... )* match(CLOSING_PAREN); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::icmp_type_code() { #line 1533 "pf.g" IcmpSpec is; #line 6535 "PFCfgParser.cpp" try { // for error handling { switch ( LA(1)) { case LITERAL_skip: case LITERAL_echorep: case LITERAL_unreach: case LITERAL_squench: case LITERAL_redir: case LITERAL_althost: case LITERAL_echoreq: case LITERAL_routeradv: case LITERAL_routersol: case LITERAL_timex: case LITERAL_paramprob: case LITERAL_timereq: case LITERAL_timerep: case LITERAL_inforeq: case LITERAL_inforep: case LITERAL_maskreq: case LITERAL_maskrep: case LITERAL_trace: case LITERAL_dataconv: case LITERAL_mobredir: case 172: case 173: case LITERAL_mobregreq: case LITERAL_mobregrep: case LITERAL_photuris: { icmp_type_by_name(); #line 1535 "pf.g" is.icmp_type_name = LT(0)->getText(); #line 6569 "PFCfgParser.cpp" break; } case INT_CONST: { match(INT_CONST); #line 1537 "pf.g" is.icmp_type_int = LT(0)->getText(); #line 6577 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case ICMP_CODE: { match(ICMP_CODE); { switch ( LA(1)) { case 177: case 178: case 179: case 180: case LITERAL_needfrag: case LITERAL_srcfail: case 183: case 184: case LITERAL_isolate: case 186: case 187: case 188: case 189: case 190: case 191: case 192: case 193: case 194: case 195: case 196: case 197: case 198: case LITERAL_transit: case LITERAL_reassemb: case LITERAL_badhead: case LITERAL_optmiss: case LITERAL_badlen: case 204: case 205: case 206: { 
icmp_code_by_name(); #line 1543 "pf.g" is.icmp_code_name = LT(0)->getText(); #line 6627 "PFCfgParser.cpp" break; } case INT_CONST: { match(INT_CONST); #line 1545 "pf.g" is.icmp_code_int = LT(0)->getText(); #line 6635 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case NEWLINE: case QUEUE: case LITERAL_skip: case COMMA: case CLOSING_BRACE: case LITERAL_reassemble: case INT_CONST: case SCRUB: case EXLAMATION: case NO: case OPENING_PAREN: case USER: case ROUTE_TO: case REPLY_TO: case DUP_TO: case GROUP: case LITERAL_fragment: case 146: case 147: case 148: case 149: case FLAGS: case ICMP_TYPE: case LITERAL_echorep: case LITERAL_unreach: case LITERAL_squench: case LITERAL_redir: case LITERAL_althost: case LITERAL_echoreq: case LITERAL_routeradv: case LITERAL_routersol: case LITERAL_timex: case LITERAL_paramprob: case LITERAL_timereq: case LITERAL_timerep: case LITERAL_inforeq: case LITERAL_inforep: case LITERAL_maskreq: case LITERAL_maskrep: case LITERAL_trace: case LITERAL_dataconv: case LITERAL_mobredir: case 172: case 173: case LITERAL_mobregreq: case LITERAL_mobregrep: case LITERAL_photuris: case ICMP6_TYPE: case TAGGED: case TAG: case KEEP: case MODULATE: case SYNPROXY: case LABEL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1548 "pf.g" importer->icmp_type_code_group.push_back(is); #line 6713 "PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_57); } } void PFCfgParser::icmp_list() { try { // for error handling match(OPENING_BRACE); icmp_type_code(); { // ( ... 
)* for (;;) { if ((_tokenSet_58.member(LA(1)))) { { switch ( LA(1)) { case COMMA: { match(COMMA); break; } case LITERAL_skip: case INT_CONST: case LITERAL_echorep: case LITERAL_unreach: case LITERAL_squench: case LITERAL_redir: case LITERAL_althost: case LITERAL_echoreq: case LITERAL_routeradv: case LITERAL_routersol: case LITERAL_timex: case LITERAL_paramprob: case LITERAL_timereq: case LITERAL_timerep: case LITERAL_inforeq: case LITERAL_inforep: case LITERAL_maskreq: case LITERAL_maskrep: case LITERAL_trace: case LITERAL_dataconv: case LITERAL_mobredir: case 172: case 173: case LITERAL_mobregreq: case LITERAL_mobregrep: case LITERAL_photuris: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } icmp_type_code(); } else { goto _loop250; } } _loop250:; } // ( ... )* match(CLOSING_BRACE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_49); } } void PFCfgParser::icmp_type_by_name() { try { // for error handling { switch ( LA(1)) { case LITERAL_echorep: { match(LITERAL_echorep); break; } case LITERAL_unreach: { match(LITERAL_unreach); break; } case LITERAL_squench: { match(LITERAL_squench); break; } case LITERAL_redir: { match(LITERAL_redir); break; } case LITERAL_althost: { match(LITERAL_althost); break; } case LITERAL_echoreq: { match(LITERAL_echoreq); break; } case LITERAL_routeradv: { match(LITERAL_routeradv); break; } case LITERAL_routersol: { match(LITERAL_routersol); break; } case LITERAL_timex: { match(LITERAL_timex); break; } case LITERAL_paramprob: { match(LITERAL_paramprob); break; } case LITERAL_timereq: { match(LITERAL_timereq); break; } case LITERAL_timerep: { match(LITERAL_timerep); break; } case LITERAL_inforeq: { match(LITERAL_inforeq); break; } case LITERAL_inforep: { match(LITERAL_inforep); break; } case LITERAL_maskreq: { match(LITERAL_maskreq); break; } case LITERAL_maskrep: { match(LITERAL_maskrep); break; } case LITERAL_trace: { 
match(LITERAL_trace); break; } case LITERAL_dataconv: { match(LITERAL_dataconv); break; } case LITERAL_mobredir: { match(LITERAL_mobredir); break; } case 172: { match(172); break; } case 173: { match(173); break; } case LITERAL_mobregreq: { match(LITERAL_mobregreq); break; } case LITERAL_mobregrep: { match(LITERAL_mobregrep); break; } case LITERAL_skip: { match(LITERAL_skip); break; } case LITERAL_photuris: { match(LITERAL_photuris); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_59); } } void PFCfgParser::port_op() { #line 1799 "pf.g" PortSpec ps; #line 6934 "PFCfgParser.cpp" try { // for error handling { switch ( LA(1)) { case EQUAL: case LESS_THAN: case GREATER_THAN: case EXLAMATION: { unary_op(); #line 1801 "pf.g" ps.port_op = importer->tmp_port_op; #line 6947 "PFCfgParser.cpp" port_def(); #line 1803 "pf.g" ps.port1 = importer->tmp_port_def; ps.port2 = importer->tmp_port_def; #line 6954 "PFCfgParser.cpp" break; } case WORD: case INT_CONST: { port_def(); #line 1809 "pf.g" ps.port1 = importer->tmp_port_def; ps.port2 = ps.port1; ps.port_op = "="; #line 6967 "PFCfgParser.cpp" { if ((LA(1) == LESS_THAN || LA(1) == GREATER_THAN || LA(1) == COLON) && (_tokenSet_50.member(LA(2)))) { binary_op(); #line 1815 "pf.g" ps.port_op = importer->tmp_port_op; #line 6973 "PFCfgParser.cpp" port_def(); #line 1816 "pf.g" ps.port2 = LT(0)->getText(); #line 6977 "PFCfgParser.cpp" } else if ((_tokenSet_60.member(LA(1))) && (_tokenSet_61.member(LA(2)))) { } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } break; } case IPV6: { match(IPV6); #line 1820 "pf.g" ps.setFromPortRange(LT(0)->getText()); #line 6995 "PFCfgParser.cpp" break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } #line 1824 "pf.g" importer->tmp_port_group.push_back(ps); #line 7008 
"PFCfgParser.cpp" } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_60); } } void PFCfgParser::port_op_list() { try { // for error handling match(OPENING_BRACE); port_op(); { // ( ... )* for (;;) { if ((_tokenSet_62.member(LA(1)))) { { switch ( LA(1)) { case COMMA: { match(COMMA); break; } case WORD: case EQUAL: case INT_CONST: case LESS_THAN: case GREATER_THAN: case EXLAMATION: case IPV6: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } port_op(); } else { goto _loop278; } } _loop278:; } // ( ... )* match(CLOSING_BRACE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { reportError(ex); recover(ex,_tokenSet_42); } } void PFCfgParser::initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& ) { } const char* PFCfgParser::tokenNames[] = { "<0>", "EOF", "<2>", "NULL_TREE_LOOKAHEAD", "NEWLINE", "COMMENT_START", "\"include\"", "WORD", "EQUAL", "\"antispoof\"", "\"altq\"", "\"queue\"", "\"set\"", "\"timeout\"", "\"ruleset-optimization\"", "\"optimization\"", "\"aggressive\"", "\"conservative\"", "\"high-latency\"", "\"normal\"", "\"satellite\"", "\"limit\"", "\"loginterface\"", "\"block-policy\"", "\"drop\"", "\"return\"", "\"state-policy\"", "\"if-bound\"", "\"floating\"", "\"state-defaults\"", "\"require-order\"", "\"fingerprints\"", "\"skip\"", "\"on\"", "OPENING_BRACE", "COMMA", "CLOSING_BRACE", "\"debug\"", "\"reassemble\"", "\"hostid\"", "\"tcp.first\"", "\"tcp.opening\"", "\"tcp.established\"", "\"tcp.closing\"", "\"tcp.finwait\"", "\"tcp.closed\"", "\"udp.first\"", "\"udp.single\"", "\"udp.multiple\"", "\"icmp.first\"", "\"icmp.error\"", "\"other.first\"", "\"other.single\"", "\"other.multiple\"", "\"frag\"", "\"interval\"", "\"src.track\"", "\"adaptive.start\"", "\"adaptive.end\"", "INT_CONST", "\"frags\"", "\"states\"", "\"src-nodes\"", "\"tables\"", "\"tables-entries\"", "\"scrub\"", "\"match\"", "\"table\"", "LESS_THAN", "GREATER_THAN", 
"\"persist\"", "\"const\"", "\"counters\"", "\"file\"", "STRING", "EXLAMATION", "COLON", "\"network\"", "\"broadcast\"", "\"peer\"", "\"self\"", "IPV4", "NUMBER", "SLASH", "\"no\"", "\"nat\"", "\"pass\"", "MINUS", "\"static-port\"", "\"rdr\"", "OPENING_PAREN", "CLOSING_PAREN", "\"port\"", "IPV6", "STAR", "\"bitmask\"", "\"random\"", "\"source-hash\"", "\"hex-key\"", "\"string-key\"", "\"round-robin\"", "\"sticky-address\"", "\"binat\"", "\"block\"", "\"return-rst\"", "TTL", "\"return-icmp\"", "RETURN_ICMP6", "\"in\"", "\"out\"", "\"log\"", "\"quick\"", "\"all\"", "\"user\"", "\"to\"", "\"inet\"", "\"inet6\"", "\"proto\"", "\"ip\"", "\"icmp\"", "\"igmp\"", "\"tcp\"", "\"udp\"", "\"rdp\"", "\"rsvp\"", "\"gre\"", "\"esp\"", "\"ah\"", "\"eigrp\"", "\"ospf\"", "\"ipip\"", "\"vrrp\"", "\"l2tp\"", "\"isis\"", "\"from\"", "\"urpf-failed\"", "\"any\"", "\"no-route\"", "MACRO", "\"route-to\"", "\"reply-to\"", "\"dup-to\"", "\"group\"", "\"fragment\"", "\"crop\"", "\"drop-ovl\"", "\"no-df\"", "\"min-ttl\"", "\"max-mss\"", "\"random-id\"", "\"flags\"", "\"icmp-type\"", "\"code\"", "\"echorep\"", "\"unreach\"", "\"squench\"", "\"redir\"", "\"althost\"", "\"echoreq\"", "\"routeradv\"", "\"routersol\"", "\"timex\"", "\"paramprob\"", "\"timereq\"", "\"timerep\"", "\"inforeq\"", "\"inforep\"", "\"maskreq\"", "\"maskrep\"", "\"trace\"", "\"dataconv\"", "\"mobredir\"", "\"ipv6-where\"", "\"ipv6-here\"", "\"mobregreq\"", "\"mobregrep\"", "\"photuris\"", "\"net-unr\"", "\"host-unr\"", "\"proto-unr\"", "\"port-unr\"", "\"needfrag\"", "\"srcfail\"", "\"net-unk\"", "\"host-unk\"", "\"isolate\"", "\"net-prohib\"", "\"host-prohib\"", "\"net-tos\"", "\"host-tos\"", "\"filter-prohib\"", "\"host-preced\"", "\"cutoff-preced\"", "\"redir-net\"", "\"redir-host\"", "\"redir-tos-net\"", "\"redir-tos-host\"", "\"normal-adv\"", "\"common-adv\"", "\"transit\"", "\"reassemb\"", "\"badhead\"", "\"optmiss\"", "\"badlen\"", "\"unknown-ind\"", "\"auth-fail\"", "\"decrypt-fail\"", "\"icmp6-type\"", 
"\"tagged\"", "\"tag\"", "\"keep\"", "\"modulate\"", "\"synproxy\"", "\"state\"", "\"label\"", "\"exit\"", "\"quit\"", "\"interface\"", "\"icmp6\"", "\"igrp\"", "\"ipsec\"", "\"nos\"", "\"pcp\"", "\"pim\"", "\"pptp\"", "\"rip\"", "\"snp\"", "\"host\"", "\"range\"", "\"alerts\"", "\"critical\"", "\"debugging\"", "\"emergencies\"", "\"errors\"", "\"informational\"", "\"notifications\"", "\"warnings\"", "\"disable\"", "\"inactive\"", "Whitespace", "HEX_CONST", "NEG_INT_CONST", "HEX_DIGIT", "DIGIT", "NUM_3DIGIT", "NUM_HEX_4DIGIT", "NUMBER_ADDRESS_OR_WORD", "PIPE_CHAR", "PERCENT", "AMPERSAND", "APOSTROPHE", "PLUS", "DOT", "SEMICOLON", "QUESTION", "COMMERCIAL_AT", "OPENING_SQUARE", "CLOSING_SQUARE", "CARET", "UNDERLINE", "TILDE", "DOUBLE_QUOTE", 0 }; const unsigned long PFCfgParser::_tokenSet_0_data_[] = { 2UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_0(_tokenSet_0_data_,10); const unsigned long PFCfgParser::_tokenSet_1_data_[] = { 7922UL, 0UL, 40894478UL, 192UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE COMMENT_START "include" WORD "antispoof" "altq" "queue" // "set" "scrub" "match" "table" "no" "nat" "pass" "rdr" "binat" "block" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_1(_tokenSet_1_data_,10); const unsigned long PFCfgParser::_tokenSet_2_data_[] = { 128UL, 134217736UL, 460800UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // WORD COMMA INT_CONST EXLAMATION "self" IPV4 NUMBER const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_2(_tokenSet_2_data_,10); const unsigned long PFCfgParser::_tokenSet_3_data_[] = { 7922UL, 134217496UL, 40894478UL, 192UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE COMMENT_START "include" WORD "antispoof" "altq" "queue" // "set" COMMA CLOSING_BRACE "tcp.first" "tcp.opening" "tcp.established" // "tcp.closing" "tcp.finwait" "tcp.closed" "udp.first" "udp.single" "udp.multiple" // "icmp.first" "icmp.error" "other.first" "other.single" 
"other.multiple" // "frag" "interval" "src.track" "adaptive.start" "adaptive.end" "scrub" // "match" "table" "no" "nat" "pass" "rdr" "binat" "block" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_3(_tokenSet_3_data_,10); const unsigned long PFCfgParser::_tokenSet_4_data_[] = { 0UL, 134217480UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // COMMA "tcp.first" "tcp.opening" "tcp.established" "tcp.closing" "tcp.finwait" // "tcp.closed" "udp.first" "udp.single" "udp.multiple" "icmp.first" "icmp.error" // "other.first" "other.single" "other.multiple" "frag" "interval" "src.track" // "adaptive.start" "adaptive.end" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_4(_tokenSet_4_data_,10); const unsigned long PFCfgParser::_tokenSet_5_data_[] = { 7922UL, 4026531864UL, 40894479UL, 192UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE COMMENT_START "include" WORD "antispoof" "altq" "queue" // "set" COMMA CLOSING_BRACE "frags" "states" "src-nodes" "tables" "tables-entries" // "scrub" "match" "table" "no" "nat" "pass" "rdr" "binat" "block" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_5(_tokenSet_5_data_,10); const unsigned long PFCfgParser::_tokenSet_6_data_[] = { 0UL, 4026531848UL, 1UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // COMMA "frags" "states" "src-nodes" "tables" "tables-entries" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_6(_tokenSet_6_data_,10); const unsigned long PFCfgParser::_tokenSet_7_data_[] = { 2064UL, 64UL, 68159490UL, 4128768UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN "all" // "user" "to" "inet" "inet6" "proto" "from" "route-to" "reply-to" "dup-to" // "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" // "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_7(_tokenSet_7_data_,16); const unsigned 
long PFCfgParser::_tokenSet_8_data_[] = { 8178UL, 134217805UL, 645598270UL, 4293329088UL, 4278190079UL, 131071UL, 8355840UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE COMMENT_START "include" WORD EQUAL "antispoof" "altq" "queue" // "set" "skip" OPENING_BRACE COMMA "reassemble" INT_CONST "scrub" "match" // "table" LESS_THAN GREATER_THAN STRING EXLAMATION "self" IPV4 SLASH "no" // "nat" "pass" "rdr" OPENING_PAREN IPV6 "binat" "block" "all" "user" "to" // "proto" "ip" "icmp" "igmp" "tcp" "udp" "rdp" "rsvp" "gre" "esp" "ah" // "eigrp" "ospf" "ipip" "vrrp" "l2tp" "isis" "from" "urpf-failed" "any" // "no-route" MACRO "route-to" "reply-to" "dup-to" "group" "fragment" "crop" // "drop-ovl" "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" // "echorep" "unreach" "squench" "redir" "althost" "echoreq" "routeradv" // "routersol" "timex" "paramprob" "timereq" "timerep" "inforeq" "inforep" // "maskreq" "maskrep" "trace" "dataconv" "mobredir" "ipv6-where" "ipv6-here" // "mobregreq" "mobregrep" "photuris" "icmp6-type" "tagged" "tag" "keep" // "modulate" "synproxy" "state" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_8(_tokenSet_8_data_,16); const unsigned long PFCfgParser::_tokenSet_9_data_[] = { 2064UL, 64UL, 68159490UL, 458752UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN "all" // "user" "to" "from" "route-to" "reply-to" "dup-to" "group" "fragment" // "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" // "tagged" "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_9(_tokenSet_9_data_,16); const unsigned long PFCfgParser::_tokenSet_10_data_[] = { 8178UL, 134217805UL, 645598270UL, 33685696UL, 4278189952UL, 131071UL, 8355840UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE COMMENT_START "include" WORD EQUAL "antispoof" "altq" "queue" // 
"set" "skip" OPENING_BRACE COMMA "reassemble" INT_CONST "scrub" "match" // "table" LESS_THAN GREATER_THAN STRING EXLAMATION "self" IPV4 SLASH "no" // "nat" "pass" "rdr" OPENING_PAREN IPV6 "binat" "block" "user" "tcp" "urpf-failed" // "any" "no-route" MACRO "route-to" "reply-to" "dup-to" "group" "fragment" // "crop" "drop-ovl" "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" // "echorep" "unreach" "squench" "redir" "althost" "echoreq" "routeradv" // "routersol" "timex" "paramprob" "timereq" "timerep" "inforeq" "inforep" // "maskreq" "maskrep" "trace" "dataconv" "mobredir" "ipv6-where" "ipv6-here" // "mobregreq" "mobregrep" "photuris" "icmp6-type" "tagged" "tag" "keep" // "modulate" "synproxy" "state" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_10(_tokenSet_10_data_,16); const unsigned long PFCfgParser::_tokenSet_11_data_[] = { 2064UL, 64UL, 68159490UL, 131072UL, 16578560UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN "user" // "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" "min-ttl" // "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" "tag" // "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_11(_tokenSet_11_data_,16); const unsigned long PFCfgParser::_tokenSet_12_data_[] = { 8178UL, 134217805UL, 108530750UL, 33685696UL, 4278188288UL, 131071UL, 8355840UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE COMMENT_START "include" WORD EQUAL "antispoof" "altq" "queue" // "set" "skip" OPENING_BRACE COMMA "reassemble" INT_CONST "scrub" "match" // "table" LESS_THAN GREATER_THAN STRING EXLAMATION SLASH "no" "nat" "pass" // "rdr" OPENING_PAREN "binat" "block" "user" "tcp" "any" "route-to" "reply-to" // "dup-to" "group" "fragment" "crop" "drop-ovl" "no-df" "min-ttl" "max-mss" // "random-id" "flags" "icmp-type" "echorep" "unreach" "squench" "redir" // "althost" 
"echoreq" "routeradv" "routersol" "timex" "paramprob" "timereq" // "timerep" "inforeq" "inforep" "maskreq" "maskrep" "trace" "dataconv" // "mobredir" "ipv6-where" "ipv6-here" "mobregreq" "mobregrep" "photuris" // "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" "state" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_12(_tokenSet_12_data_,16); const unsigned long PFCfgParser::_tokenSet_13_data_[] = { 16UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_13(_tokenSet_13_data_,10); const unsigned long PFCfgParser::_tokenSet_14_data_[] = { 128UL, 134217752UL, 460800UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // WORD COMMA CLOSING_BRACE INT_CONST EXLAMATION "self" IPV4 NUMBER const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_14(_tokenSet_14_data_,10); const unsigned long PFCfgParser::_tokenSet_15_data_[] = { 16UL, 2UL, 8390656UL, 3997696UL, 64UL, 0UL, 196608UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "on" EXLAMATION MINUS "all" "to" "inet" "inet6" "proto" "from" // "tagged" "tag" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_15(_tokenSet_15_data_,16); const unsigned long PFCfgParser::_tokenSet_16_data_[] = { 2064UL, 64UL, 76548098UL, 4128768UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" MINUS OPENING_PAREN // "all" "user" "to" "inet" "inet6" "proto" "from" "route-to" "reply-to" // "dup-to" "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" // "flags" "icmp-type" "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" // "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_16(_tokenSet_16_data_,16); const unsigned long PFCfgParser::_tokenSet_17_data_[] = { 2064UL, 64UL, 76548098UL, 2555904UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION 
"no" MINUS OPENING_PAREN // "all" "user" "to" "proto" "from" "route-to" "reply-to" "dup-to" "group" // "fragment" "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" // "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_17(_tokenSet_17_data_,16); const unsigned long PFCfgParser::_tokenSet_18_data_[] = { 2064UL, 64UL, 76548098UL, 458752UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" MINUS OPENING_PAREN // "all" "user" "to" "from" "route-to" "reply-to" "dup-to" "group" "fragment" // "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" // "tagged" "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_18(_tokenSet_18_data_,16); const unsigned long PFCfgParser::_tokenSet_19_data_[] = { 2064UL, 64UL, 76548098UL, 131072UL, 16578560UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" MINUS OPENING_PAREN // "user" "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" "min-ttl" // "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" "tag" // "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_19(_tokenSet_19_data_,16); const unsigned long PFCfgParser::_tokenSet_20_data_[] = { 2064UL, 72UL, 76548098UL, 131072UL, 16578560UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" COMMA "reassemble" "scrub" EXLAMATION "no" MINUS OPENING_PAREN // "user" "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" "min-ttl" // "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" "tag" // "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_20(_tokenSet_20_data_,16); const unsigned long PFCfgParser::_tokenSet_21_data_[] = { 144UL, 
24UL, 2499936256UL, 19UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE WORD COMMA CLOSING_BRACE IPV4 "static-port" OPENING_PAREN "port" // "bitmask" "random" "source-hash" "round-robin" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_21(_tokenSet_21_data_,10); const unsigned long PFCfgParser::_tokenSet_22_data_[] = { 128UL, 8UL, 67239936UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // WORD COMMA IPV4 OPENING_PAREN const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_22(_tokenSet_22_data_,10); const unsigned long PFCfgParser::_tokenSet_23_data_[] = { 16UL, 0UL, 2432696320UL, 19UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "static-port" "port" "bitmask" "random" "source-hash" "round-robin" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_23(_tokenSet_23_data_,10); const unsigned long PFCfgParser::_tokenSet_24_data_[] = { 16UL, 0UL, 2164260864UL, 19UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "static-port" "bitmask" "random" "source-hash" "round-robin" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_24(_tokenSet_24_data_,10); const unsigned long PFCfgParser::_tokenSet_25_data_[] = { 2064UL, 64UL, 84936706UL, 4128768UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" "static-port" OPENING_PAREN // "all" "user" "to" "inet" "inet6" "proto" "from" "route-to" "reply-to" // "dup-to" "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" // "flags" "icmp-type" "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" // "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_25(_tokenSet_25_data_,16); const unsigned long PFCfgParser::_tokenSet_26_data_[] = { 2448UL, 134217816UL, 2777684018UL, 393235UL, 16578560UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE WORD EQUAL "queue" COMMA CLOSING_BRACE "reassemble" INT_CONST // "scrub" LESS_THAN GREATER_THAN EXLAMATION COLON "no" MINUS "static-port" // 
OPENING_PAREN IPV6 "bitmask" "random" "source-hash" "round-robin" "user" // "to" "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" "min-ttl" // "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" "tag" // "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_26(_tokenSet_26_data_,16); const unsigned long PFCfgParser::_tokenSet_27_data_[] = { 0UL, 134217728UL, 0UL, 0UL, 0UL, 4294836224UL, 32767UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // INT_CONST "net-unr" "host-unr" "proto-unr" "port-unr" "needfrag" "srcfail" // "net-unk" "host-unk" "isolate" "net-prohib" "host-prohib" "net-tos" // "host-tos" "filter-prohib" "host-preced" "cutoff-preced" "redir-net" // "redir-host" "redir-tos-net" "redir-tos-host" "normal-adv" "common-adv" // "transit" "reassemb" "badhead" "optmiss" "badlen" "unknown-ind" "auth-fail" // "decrypt-fail" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_27(_tokenSet_27_data_,16); const unsigned long PFCfgParser::_tokenSet_28_data_[] = { 2064UL, 66UL, 68159490UL, 4190208UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "on" "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN // "in" "out" "log" "quick" "all" "user" "to" "inet" "inet6" "proto" "from" // "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" "min-ttl" // "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" "tag" // "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_28(_tokenSet_28_data_,16); const unsigned long PFCfgParser::_tokenSet_29_data_[] = { 8178UL, 134217807UL, 645598270UL, 4294951104UL, 4278190079UL, 131071UL, 8355840UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE COMMENT_START "include" WORD EQUAL "antispoof" "altq" "queue" // "set" "skip" "on" OPENING_BRACE COMMA "reassemble" INT_CONST "scrub" // "match" "table" LESS_THAN GREATER_THAN STRING EXLAMATION "self" IPV4 // 
SLASH "no" "nat" "pass" "rdr" OPENING_PAREN IPV6 "binat" "block" "log" // "quick" "all" "user" "to" "inet" "inet6" "proto" "ip" "icmp" "igmp" // "tcp" "udp" "rdp" "rsvp" "gre" "esp" "ah" "eigrp" "ospf" "ipip" "vrrp" // "l2tp" "isis" "from" "urpf-failed" "any" "no-route" MACRO "route-to" // "reply-to" "dup-to" "group" "fragment" "crop" "drop-ovl" "no-df" "min-ttl" // "max-mss" "random-id" "flags" "icmp-type" "echorep" "unreach" "squench" // "redir" "althost" "echoreq" "routeradv" "routersol" "timex" "paramprob" // "timereq" "timerep" "inforeq" "inforep" "maskreq" "maskrep" "trace" // "dataconv" "mobredir" "ipv6-where" "ipv6-here" "mobregreq" "mobregrep" // "photuris" "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" // "state" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_29(_tokenSet_29_data_,16); const unsigned long PFCfgParser::_tokenSet_30_data_[] = { 2064UL, 134217817UL, 202377218UL, 131072UL, 4277991424UL, 131071UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "skip" COMMA CLOSING_BRACE "reassemble" INT_CONST "scrub" // EXLAMATION "no" OPENING_PAREN CLOSING_PAREN "user" "route-to" "reply-to" // "dup-to" "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" // "flags" "icmp-type" "echorep" "unreach" "squench" "redir" "althost" // "echoreq" "routeradv" "routersol" "timex" "paramprob" "timereq" "timerep" // "inforeq" "inforep" "maskreq" "maskrep" "trace" "dataconv" "mobredir" // "ipv6-where" "ipv6-here" "mobregreq" "mobregrep" "photuris" "icmp6-type" // "tagged" "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_30(_tokenSet_30_data_,16); const unsigned long PFCfgParser::_tokenSet_31_data_[] = { 2064UL, 66UL, 68159490UL, 4177920UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "on" "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN // "log" "quick" "all" "user" "to" "inet" "inet6" "proto" "from" 
"route-to" // "reply-to" "dup-to" "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" // "flags" "icmp-type" "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" // "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_31(_tokenSet_31_data_,16); const unsigned long PFCfgParser::_tokenSet_32_data_[] = { 2064UL, 66UL, 68159490UL, 4161536UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "on" "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN // "quick" "all" "user" "to" "inet" "inet6" "proto" "from" "route-to" "reply-to" // "dup-to" "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" // "flags" "icmp-type" "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" // "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_32(_tokenSet_32_data_,16); const unsigned long PFCfgParser::_tokenSet_33_data_[] = { 8178UL, 134217807UL, 645598270UL, 4294901952UL, 4278190079UL, 131071UL, 8355840UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE COMMENT_START "include" WORD EQUAL "antispoof" "altq" "queue" // "set" "skip" "on" OPENING_BRACE COMMA "reassemble" INT_CONST "scrub" // "match" "table" LESS_THAN GREATER_THAN STRING EXLAMATION "self" IPV4 // SLASH "no" "nat" "pass" "rdr" OPENING_PAREN IPV6 "binat" "block" "all" // "user" "to" "inet" "inet6" "proto" "ip" "icmp" "igmp" "tcp" "udp" "rdp" // "rsvp" "gre" "esp" "ah" "eigrp" "ospf" "ipip" "vrrp" "l2tp" "isis" "from" // "urpf-failed" "any" "no-route" MACRO "route-to" "reply-to" "dup-to" // "group" "fragment" "crop" "drop-ovl" "no-df" "min-ttl" "max-mss" "random-id" // "flags" "icmp-type" "echorep" "unreach" "squench" "redir" "althost" // "echoreq" "routeradv" "routersol" "timex" "paramprob" "timereq" "timerep" // "inforeq" "inforep" "maskreq" "maskrep" "trace" "dataconv" "mobredir" // "ipv6-where" "ipv6-here" "mobregreq" "mobregrep" "photuris" "icmp6-type" // "tagged" "tag" "keep" "modulate" "synproxy" "state" "label" 
const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_33(_tokenSet_33_data_,16); const unsigned long PFCfgParser::_tokenSet_34_data_[] = { 2064UL, 66UL, 68159490UL, 4128768UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "on" "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN // "all" "user" "to" "inet" "inet6" "proto" "from" "route-to" "reply-to" // "dup-to" "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" // "flags" "icmp-type" "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" // "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_34(_tokenSet_34_data_,16); const unsigned long PFCfgParser::_tokenSet_35_data_[] = { 2048UL, 72UL, 68159490UL, 131072UL, 16564224UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // "queue" COMMA "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN "user" // "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" // "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_35(_tokenSet_35_data_,16); const unsigned long PFCfgParser::_tokenSet_36_data_[] = { 16UL, 0UL, 0UL, 0UL, 14336UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "route-to" "reply-to" "dup-to" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_36(_tokenSet_36_data_,12); const unsigned long PFCfgParser::_tokenSet_37_data_[] = { 2064UL, 66UL, 76548098UL, 4161536UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "on" "reassemble" "scrub" EXLAMATION "no" MINUS OPENING_PAREN // "quick" "all" "user" "to" "inet" "inet6" "proto" "from" "route-to" "reply-to" // "dup-to" "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" // "flags" "icmp-type" "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" // "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_37(_tokenSet_37_data_,16); const unsigned long 
PFCfgParser::_tokenSet_38_data_[] = { 0UL, 8UL, 134217728UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // COMMA CLOSING_PAREN const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_38(_tokenSet_38_data_,10); const unsigned long PFCfgParser::_tokenSet_39_data_[] = { 2192UL, 88UL, 76548098UL, 4128768UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE WORD "queue" COMMA CLOSING_BRACE "reassemble" "scrub" EXLAMATION // "no" MINUS OPENING_PAREN "all" "user" "to" "inet" "inet6" "proto" "from" // "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" "min-ttl" // "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" "tag" // "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_39(_tokenSet_39_data_,16); const unsigned long PFCfgParser::_tokenSet_40_data_[] = { 2064UL, 134217820UL, 76548098UL, 4291231744UL, 16578687UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" OPENING_BRACE COMMA CLOSING_BRACE "reassemble" INT_CONST // "scrub" EXLAMATION "no" MINUS OPENING_PAREN "all" "user" "to" "ip" "icmp" // "igmp" "tcp" "udp" "rdp" "rsvp" "gre" "esp" "ah" "eigrp" "ospf" "ipip" // "vrrp" "l2tp" "isis" "from" "route-to" "reply-to" "dup-to" "group" "fragment" // "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" // "tagged" "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_40(_tokenSet_40_data_,16); const unsigned long PFCfgParser::_tokenSet_41_data_[] = { 0UL, 134217740UL, 0UL, 4290772992UL, 63UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // OPENING_BRACE COMMA INT_CONST "ip" "icmp" "igmp" "tcp" "udp" "rdp" "rsvp" // "gre" "esp" "ah" "eigrp" "ospf" "ipip" "vrrp" "l2tp" "isis" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_41(_tokenSet_41_data_,12); const unsigned long PFCfgParser::_tokenSet_42_data_[] = { 2064UL, 64UL, 76548098UL, 393216UL, 16578560UL, 0UL, 
6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" MINUS OPENING_PAREN // "user" "to" "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" // "min-ttl" "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" // "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_42(_tokenSet_42_data_,16); const unsigned long PFCfgParser::_tokenSet_43_data_[] = { 2064UL, 64UL, 344983554UL, 393216UL, 16578560UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" MINUS OPENING_PAREN // "port" "user" "to" "route-to" "reply-to" "dup-to" "group" "fragment" // "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" // "tagged" "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_43(_tokenSet_43_data_,16); const unsigned long PFCfgParser::_tokenSet_44_data_[] = { 2064UL, 64UL, 344983554UL, 131072UL, 16578560UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" MINUS OPENING_PAREN // "port" "user" "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" // "min-ttl" "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" // "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_44(_tokenSet_44_data_,16); const unsigned long PFCfgParser::_tokenSet_45_data_[] = { 2192UL, 88UL, 882051090UL, 393216UL, 16579584UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE WORD "queue" COMMA CLOSING_BRACE "reassemble" "scrub" LESS_THAN // EXLAMATION "self" IPV4 "no" MINUS OPENING_PAREN "port" IPV6 "user" "to" // MACRO "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" "min-ttl" // "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" "tag" // "keep" "modulate" "synproxy" "label" 
const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_45(_tokenSet_45_data_,16); const unsigned long PFCfgParser::_tokenSet_46_data_[] = { 128UL, 8UL, 604178448UL, 0UL, 1024UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // WORD COMMA LESS_THAN EXLAMATION "self" IPV4 OPENING_PAREN IPV6 MACRO const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_46(_tokenSet_46_data_,12); const unsigned long PFCfgParser::_tokenSet_47_data_[] = { 2064UL, 88UL, 2215643138UL, 4128787UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" COMMA CLOSING_BRACE "reassemble" "scrub" EXLAMATION // "no" OPENING_PAREN "bitmask" "random" "source-hash" "round-robin" "all" // "user" "to" "inet" "inet6" "proto" "from" "route-to" "reply-to" "dup-to" // "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" // "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_47(_tokenSet_47_data_,16); const unsigned long PFCfgParser::_tokenSet_48_data_[] = { 2064UL, 64UL, 2215643138UL, 4128787UL, 16578624UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN "bitmask" // "random" "source-hash" "round-robin" "all" "user" "to" "inet" "inet6" // "proto" "from" "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" // "min-ttl" "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" // "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_48(_tokenSet_48_data_,16); const unsigned long PFCfgParser::_tokenSet_49_data_[] = { 2064UL, 72UL, 68159490UL, 131072UL, 16578560UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" COMMA "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN // "user" "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" "min-ttl" // "max-mss" "random-id" "flags" "icmp-type" 
"icmp6-type" "tagged" "tag" // "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_49(_tokenSet_49_data_,16); const unsigned long PFCfgParser::_tokenSet_50_data_[] = { 128UL, 134217728UL, 48UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // WORD INT_CONST LESS_THAN GREATER_THAN const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_50(_tokenSet_50_data_,10); const unsigned long PFCfgParser::_tokenSet_51_data_[] = { 2448UL, 134217816UL, 68159538UL, 131072UL, 16578560UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE WORD EQUAL "queue" COMMA CLOSING_BRACE "reassemble" INT_CONST // "scrub" LESS_THAN GREATER_THAN EXLAMATION "no" OPENING_PAREN "user" // "route-to" "reply-to" "dup-to" "group" "fragment" "no-df" "min-ttl" // "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" "tag" // "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_51(_tokenSet_51_data_,16); const unsigned long PFCfgParser::_tokenSet_52_data_[] = { 8178UL, 134217821UL, 108534846UL, 33685696UL, 4278188288UL, 131071UL, 8355840UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE COMMENT_START "include" WORD EQUAL "antispoof" "altq" "queue" // "set" "skip" OPENING_BRACE COMMA CLOSING_BRACE "reassemble" INT_CONST // "scrub" "match" "table" LESS_THAN GREATER_THAN STRING EXLAMATION COLON // SLASH "no" "nat" "pass" "rdr" OPENING_PAREN "binat" "block" "user" "tcp" // "any" "route-to" "reply-to" "dup-to" "group" "fragment" "crop" "drop-ovl" // "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" "echorep" // "unreach" "squench" "redir" "althost" "echoreq" "routeradv" "routersol" // "timex" "paramprob" "timereq" "timerep" "inforeq" "inforep" "maskreq" // "maskrep" "trace" "dataconv" "mobredir" "ipv6-where" "ipv6-here" "mobregreq" // "mobregrep" "photuris" "icmp6-type" "tagged" "tag" "keep" "modulate" // "synproxy" "state" "label" const 
ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_52(_tokenSet_52_data_,16); const unsigned long PFCfgParser::_tokenSet_53_data_[] = { 384UL, 134217736UL, 2096UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // WORD EQUAL COMMA INT_CONST LESS_THAN GREATER_THAN EXLAMATION const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_53(_tokenSet_53_data_,10); const unsigned long PFCfgParser::_tokenSet_54_data_[] = { 128UL, 134217728UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // WORD INT_CONST const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_54(_tokenSet_54_data_,10); const unsigned long PFCfgParser::_tokenSet_55_data_[] = { 2064UL, 72UL, 202377218UL, 131072UL, 16578560UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" COMMA "reassemble" "scrub" EXLAMATION "no" OPENING_PAREN // CLOSING_PAREN "user" "route-to" "reply-to" "dup-to" "group" "fragment" // "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" // "tagged" "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_55(_tokenSet_55_data_,16); const unsigned long PFCfgParser::_tokenSet_56_data_[] = { 0UL, 72UL, 0UL, 0UL, 3964928UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // COMMA "reassemble" "fragment" "no-df" "min-ttl" "max-mss" "random-id" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_56(_tokenSet_56_data_,12); const unsigned long PFCfgParser::_tokenSet_57_data_[] = { 2064UL, 134217817UL, 68159490UL, 131072UL, 4277991424UL, 131071UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "skip" COMMA CLOSING_BRACE "reassemble" INT_CONST "scrub" // EXLAMATION "no" OPENING_PAREN "user" "route-to" "reply-to" "dup-to" // "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" // "echorep" "unreach" "squench" "redir" "althost" "echoreq" "routeradv" // "routersol" "timex" "paramprob" "timereq" "timerep" "inforeq" "inforep" // "maskreq" "maskrep" 
"trace" "dataconv" "mobredir" "ipv6-where" "ipv6-here" // "mobregreq" "mobregrep" "photuris" "icmp6-type" "tagged" "tag" "keep" // "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_57(_tokenSet_57_data_,16); const unsigned long PFCfgParser::_tokenSet_58_data_[] = { 0UL, 134217737UL, 0UL, 0UL, 4261412864UL, 131071UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // "skip" COMMA INT_CONST "echorep" "unreach" "squench" "redir" "althost" // "echoreq" "routeradv" "routersol" "timex" "paramprob" "timereq" "timerep" // "inforeq" "inforep" "maskreq" "maskrep" "trace" "dataconv" "mobredir" // "ipv6-where" "ipv6-here" "mobregreq" "mobregrep" "photuris" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_58(_tokenSet_58_data_,12); const unsigned long PFCfgParser::_tokenSet_59_data_[] = { 2064UL, 134217817UL, 68159490UL, 131072UL, 4294768640UL, 131071UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "queue" "skip" COMMA CLOSING_BRACE "reassemble" INT_CONST "scrub" // EXLAMATION "no" OPENING_PAREN "user" "route-to" "reply-to" "dup-to" // "group" "fragment" "no-df" "min-ttl" "max-mss" "random-id" "flags" "icmp-type" // "code" "echorep" "unreach" "squench" "redir" "althost" "echoreq" "routeradv" // "routersol" "timex" "paramprob" "timereq" "timerep" "inforeq" "inforep" // "maskreq" "maskrep" "trace" "dataconv" "mobredir" "ipv6-where" "ipv6-here" // "mobregreq" "mobregrep" "photuris" "icmp6-type" "tagged" "tag" "keep" // "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_59(_tokenSet_59_data_,16); const unsigned long PFCfgParser::_tokenSet_60_data_[] = { 2448UL, 134217816UL, 613419058UL, 393216UL, 16578560UL, 0UL, 6258688UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE WORD EQUAL "queue" COMMA CLOSING_BRACE "reassemble" INT_CONST // "scrub" LESS_THAN GREATER_THAN EXLAMATION "no" MINUS OPENING_PAREN IPV6 // "user" "to" "route-to" "reply-to" "dup-to" "group" "fragment" 
"no-df" // "min-ttl" "max-mss" "random-id" "flags" "icmp-type" "icmp6-type" "tagged" // "tag" "keep" "modulate" "synproxy" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_60(_tokenSet_60_data_,16); const unsigned long PFCfgParser::_tokenSet_61_data_[] = { 8178UL, 134217821UL, 653990974UL, 33947840UL, 4278189824UL, 131071UL, 8355840UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE COMMENT_START "include" WORD EQUAL "antispoof" "altq" "queue" // "set" "skip" OPENING_BRACE COMMA CLOSING_BRACE "reassemble" INT_CONST // "scrub" "match" "table" LESS_THAN GREATER_THAN STRING EXLAMATION COLON // "self" IPV4 SLASH "no" "nat" "pass" MINUS "rdr" OPENING_PAREN IPV6 "binat" // "block" "user" "to" "tcp" "any" "no-route" MACRO "route-to" "reply-to" // "dup-to" "group" "fragment" "crop" "drop-ovl" "no-df" "min-ttl" "max-mss" // "random-id" "flags" "icmp-type" "echorep" "unreach" "squench" "redir" // "althost" "echoreq" "routeradv" "routersol" "timex" "paramprob" "timereq" // "timerep" "inforeq" "inforep" "maskreq" "maskrep" "trace" "dataconv" // "mobredir" "ipv6-where" "ipv6-here" "mobregreq" "mobregrep" "photuris" // "icmp6-type" "tagged" "tag" "keep" "modulate" "synproxy" "state" "label" const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_61(_tokenSet_61_data_,16); const unsigned long PFCfgParser::_tokenSet_62_data_[] = { 384UL, 134217736UL, 536873008UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // WORD EQUAL COMMA INT_CONST LESS_THAN GREATER_THAN EXLAMATION IPV6 const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgParser::_tokenSet_62(_tokenSet_62_data_,10); fwbuilder-5.3.7/src/parsers/PFCfgParser.hpp000066400000000000000000000313601303637203600206000ustar00rootroot00000000000000#ifndef INC_PFCfgParser_hpp_ #define INC_PFCfgParser_hpp_ #line 25 "pf.g" // gets inserted before antlr generated includes in the header // file #include "PFImporter.h" #line 11 "PFCfgParser.hpp" #include /* $ANTLR 2.7.7 (20100319): "pf.g" -> "PFCfgParser.hpp"$ */ 
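// NOTE(review): the targets of the bare "#include" lines below were lost
// when this generated header was extracted; they are left as-is rather
// than guessed. This header is generated by ANTLR from pf.g (see the
// "#line ... pf.g" directives), so hand edits here are overwritten on
// regeneration and should be mirrored in the grammar / template.
#include
#include
#include "PFCfgParserTokenTypes.hpp"
#include
#line 32 "pf.g"
// gets inserted after antlr generated includes in the header file
// outside any generated namespace specifications
#include
#include
class PFImporter;
#line 29 "PFCfgParser.hpp"
#line 57 "pf.g"
// gets inserted after generated namespace specifications in the
// header file. But outside the generated class.
#line 35 "PFCfgParser.hpp"

/**
 * LL(k) parser generated from the pf.g grammar.
 *
 * Each grammar rule is exposed as a public method below (cfgfile() is the
 * entry rule). Diagnostics are routed to the attached PFImporter as well as
 * to std::cerr; nothing in this class owns the importer.
 */
class CUSTOM_API PFCfgParser : public ANTLR_USE_NAMESPACE(antlr)LLkParser, public PFCfgParserTokenTypes {
#line 82 "pf.g"
    // additional methods and members
public:
    // Debug output stream; not used by the code visible in this header.
    std::ostream *dbg;
    // Sink for log messages and error registrations. Dereferenced without a
    // null check in the report*() methods, so it must be set before parsing.
    PFImporter *importer;

    /// Parser error-reporting function can be overridden in subclass
    /// Logs the exception text to the importer, registers it with the
    /// importer's error tracker and echoes it to stderr.
    virtual void reportError(const ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex)
    {
        importer->addMessageToLog("Parser error: " + ex.toString());
        importer->error_tracker->registerError("Parser error: " + ex.toString());
        std::cerr << ex.toString() << std::endl;
    }

    /// Parser error-reporting function can be overridden in subclass
    /// Same routing as the exception overload, for a plain message.
    virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s)
    {
        importer->addMessageToLog("Parser error: " + s);
        importer->error_tracker->registerError("Parser error: " + s);
        std::cerr << s << std::endl;
    }

    /// Parser warning-reporting function can be overridden in subclass
    /// NOTE(review): warnings go through the same registerError() call as
    /// errors, so a warning is recorded as an error by the tracker — confirm
    /// this is intended.
    virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s)
    {
        importer->addMessageToLog("Parser warning: " + s);
        importer->error_tracker->registerError("Parser warning: " + s);
        std::cerr << s << std::endl;
    }
#line 39 "PFCfgParser.hpp"
public:
    void initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& factory );
protected:
    PFCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k);
public:
    PFCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf);
protected:
    PFCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k);
public:
    PFCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer);
    PFCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state);

    /// Number of token types known to this parser (NUM_TOKENS).
    int getNumTokens() const
    {
        return PFCfgParser::NUM_TOKENS;
    }

    /// Returns the name of token type `type`, or 0 when `type` is outside
    /// the table. The generated check only rejected `type > NUM_TOKENS`,
    /// which let negative values (and NUM_TOKENS itself, unless the table
    /// carries a trailing null) index tokenNames out of bounds; both are
    /// now rejected explicitly. Callers that received 0 before still do.
    const char* getTokenName( int type ) const
    {
        if( type < 0 || type >= getNumTokens() ) return 0;
        return PFCfgParser::tokenNames[type];
    }

    /// Whole token-name table (one entry per token type).
    const char* const* getTokenNames() const
    {
        return PFCfgParser::tokenNames;
    }

    // One method per grammar rule in pf.g; cfgfile() is the start rule.
public: void cfgfile();
public: void comment();
public: void include_command();
public: void macro_definition();
public: void altq_rule();
public: void antispoof_rule();
public: void queue_rule();
public: void set_rule();
public: void scrub_rule();
public: void match_rule();
public: void table_rule();
public: void no_nat_rule();
public: void nat_rule();
public: void rdr_rule();
public: void binat_rule();
public: void pass_rule();
public: void block_rule();
public: void set_timeout();
public: void set_ruleset_optimization();
public: void set_optimization();
public: void set_limit();
public: void set_loginterface();
public: void set_block_policy();
public: void set_state_policy();
public: void set_state_defaults();
public: void set_require_order();
public: void set_fingerprints();
public: void set_skip();
public: void set_debug();
public: void set_reassemble();
public: void set_hostid();
public: void timeout_def();
public: void timeout_def_list();
public: void limit_def();
public: void limit_def_list();
public: void skip_def();
public: void skip_list();
public: void rule_extended();
public: void tableaddr_spec();
public: void logging();
public: void intrface();
public: void address_family();
public: void protospec();
public: void hosts();
public: void tagged();
public: void tag_clause();
public: void redirhost();
public: void redirhost_list();
public: void portspec();
public: void pooltype();
public: void port_def();
public: void block_return();
public: void icmp_code_by_name();
public: void direction();
public: void quick_or_log();
public: void route();
public: void filteropts();
public: void logopts();
public: void logopt();
public: void ifspec();
public: void interface_list();
public: void proto_def();
public: void proto_name();
public: void proto_number();
public: void proto_list();
public: void hosts_from();
public: void hosts_to();
public: void src_hosts_part();
public: void src_port_part();
public: void dst_hosts_part();
public: void dst_port_part();
public: void common_hosts_part();
public: void host();
public: void host_list();
public: void route_to();
public: void reply_to();
public: void dup_to();
public: void routehost();
public: void routehost_list();
public: void filteropt();
public: void user_match();
public: void group_match();
public: void tcp_flags();
public: void icmp_type();
public: void icmp6_type();
public: void state();
public: void queue();
public: void label();
public: void match_rule_scrub_options();
public: void scrub_options();
public: void user_group_op();
public: void user_group_op_list();
public: void unary_op();
public: void binary_op();
public: void scrub_option();
public: void scrub_option_list();
public: void icmp_type_code();
public: void icmp_list();
public: void icmp_type_by_name();
public: void port_op();
public: void port_op_list();
public:
    /// AST produced by the most recently invoked rule.
    ANTLR_USE_NAMESPACE(antlr)RefAST getAST()
    {
        return returnAST;
    }

protected:
    ANTLR_USE_NAMESPACE(antlr)RefAST returnAST;
private:
    // Token-name table indexed by token type; see getTokenName().
    static const char* tokenNames[];
#ifndef NO_STATIC_CONSTS
    static const int NUM_TOKENS = 262;
#else
    enum {
        NUM_TOKENS = 262
    };
#endif

    // Lookahead / follow sets used by the generated rule bodies.
    static const unsigned long _tokenSet_0_data_[];
    static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0;
    static const unsigned long _tokenSet_1_data_[];
    static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1;
    static const unsigned long _tokenSet_2_data_[];
    static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2;
    static const unsigned long _tokenSet_3_data_[];
    static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_3;
    static const unsigned long _tokenSet_4_data_[];
    static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_4;
    static const unsigned long _tokenSet_5_data_[];
    static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_5;
    static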
const unsigned long _tokenSet_6_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_6; static const unsigned long _tokenSet_7_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_7; static const unsigned long _tokenSet_8_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_8; static const unsigned long _tokenSet_9_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_9; static const unsigned long _tokenSet_10_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_10; static const unsigned long _tokenSet_11_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_11; static const unsigned long _tokenSet_12_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_12; static const unsigned long _tokenSet_13_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_13; static const unsigned long _tokenSet_14_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_14; static const unsigned long _tokenSet_15_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_15; static const unsigned long _tokenSet_16_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_16; static const unsigned long _tokenSet_17_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_17; static const unsigned long _tokenSet_18_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_18; static const unsigned long _tokenSet_19_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_19; static const unsigned long _tokenSet_20_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_20; static const unsigned long _tokenSet_21_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_21; static const unsigned long _tokenSet_22_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_22; static const unsigned long _tokenSet_23_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_23; static const unsigned long _tokenSet_24_data_[]; 
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_24; static const unsigned long _tokenSet_25_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_25; static const unsigned long _tokenSet_26_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_26; static const unsigned long _tokenSet_27_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_27; static const unsigned long _tokenSet_28_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_28; static const unsigned long _tokenSet_29_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_29; static const unsigned long _tokenSet_30_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_30; static const unsigned long _tokenSet_31_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_31; static const unsigned long _tokenSet_32_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_32; static const unsigned long _tokenSet_33_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_33; static const unsigned long _tokenSet_34_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_34; static const unsigned long _tokenSet_35_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_35; static const unsigned long _tokenSet_36_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_36; static const unsigned long _tokenSet_37_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_37; static const unsigned long _tokenSet_38_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_38; static const unsigned long _tokenSet_39_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_39; static const unsigned long _tokenSet_40_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_40; static const unsigned long _tokenSet_41_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_41; static const unsigned long _tokenSet_42_data_[]; static const 
ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_42; static const unsigned long _tokenSet_43_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_43; static const unsigned long _tokenSet_44_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_44; static const unsigned long _tokenSet_45_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_45; static const unsigned long _tokenSet_46_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_46; static const unsigned long _tokenSet_47_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_47; static const unsigned long _tokenSet_48_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_48; static const unsigned long _tokenSet_49_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_49; static const unsigned long _tokenSet_50_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_50; static const unsigned long _tokenSet_51_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_51; static const unsigned long _tokenSet_52_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_52; static const unsigned long _tokenSet_53_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_53; static const unsigned long _tokenSet_54_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_54; static const unsigned long _tokenSet_55_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_55; static const unsigned long _tokenSet_56_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_56; static const unsigned long _tokenSet_57_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_57; static const unsigned long _tokenSet_58_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_58; static const unsigned long _tokenSet_59_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_59; static const unsigned long _tokenSet_60_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet 
_tokenSet_60; static const unsigned long _tokenSet_61_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_61; static const unsigned long _tokenSet_62_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_62; }; #endif /*INC_PFCfgParser_hpp_*/ fwbuilder-5.3.7/src/parsers/PFCfgParserTokenTypes.hpp000066400000000000000000000126751303637203600226360ustar00rootroot00000000000000#ifndef INC_PFCfgParserTokenTypes_hpp_ #define INC_PFCfgParserTokenTypes_hpp_ /* $ANTLR 2.7.7 (20100319): "pf.g" -> "PFCfgParserTokenTypes.hpp"$ */ #ifndef CUSTOM_API # define CUSTOM_API #endif #ifdef __cplusplus struct CUSTOM_API PFCfgParserTokenTypes { #endif enum { EOF_ = 1, NEWLINE = 4, COMMENT_START = 5, INCLUDE_COMMAND = 6, WORD = 7, EQUAL = 8, ANTISPOOF = 9, ALTQ = 10, QUEUE = 11, SET = 12, TIMEOUT = 13, // "ruleset-optimization" = 14 LITERAL_optimization = 15, LITERAL_aggressive = 16, LITERAL_conservative = 17, // "high-latency" = 18 LITERAL_normal = 19, LITERAL_satellite = 20, LITERAL_limit = 21, LITERAL_loginterface = 22, // "block-policy" = 23 DROP = 24, RETURN = 25, // "state-policy" = 26 // "if-bound" = 27 LITERAL_floating = 28, // "state-defaults" = 29 // "require-order" = 30 LITERAL_fingerprints = 31, LITERAL_skip = 32, ON = 33, OPENING_BRACE = 34, COMMA = 35, CLOSING_BRACE = 36, LITERAL_debug = 37, LITERAL_reassemble = 38, LITERAL_hostid = 39, // "tcp.first" = 40 // "tcp.opening" = 41 // "tcp.established" = 42 // "tcp.closing" = 43 // "tcp.finwait" = 44 // "tcp.closed" = 45 // "udp.first" = 46 // "udp.single" = 47 // "udp.multiple" = 48 // "icmp.first" = 49 // "icmp.error" = 50 // "other.first" = 51 // "other.single" = 52 // "other.multiple" = 53 LITERAL_frag = 54, LITERAL_interval = 55, // "src.track" = 56 // "adaptive.start" = 57 // "adaptive.end" = 58 INT_CONST = 59, LITERAL_frags = 60, LITERAL_states = 61, // "src-nodes" = 62 LITERAL_tables = 63, // "tables-entries" = 64 SCRUB = 65, MATCH = 66, TABLE = 67, LESS_THAN = 68, GREATER_THAN = 69, PERSIST = 
70, CONST_WORD = 71, COUNTERS = 72, FILE = 73, STRING = 74, EXLAMATION = 75, COLON = 76, NETWORK = 77, BROADCAST = 78, PEER = 79, SELF = 80, IPV4 = 81, NUMBER = 82, SLASH = 83, NO = 84, NAT = 85, PASS = 86, MINUS = 87, STATIC_PORT = 88, RDR = 89, OPENING_PAREN = 90, CLOSING_PAREN = 91, PORT = 92, IPV6 = 93, STAR = 94, BITMASK = 95, RANDOM = 96, SOURCE_HASH = 97, HEX_KEY = 98, STRING_KEY = 99, ROUND_ROBIN = 100, STICKY_ADDRESS = 101, BINAT = 102, BLOCK = 103, RETURN_RST = 104, TTL = 105, RETURN_ICMP = 106, RETURN_ICMP6 = 107, IN_WORD = 108, OUT_WORD = 109, LOG = 110, QUICK = 111, ALL = 112, USER = 113, TO = 114, INET = 115, INET6 = 116, PROTO = 117, IP = 118, ICMP = 119, IGMP = 120, TCP = 121, UDP = 122, RDP = 123, RSVP = 124, GRE = 125, ESP_WORD = 126, AH = 127, EIGRP = 128, OSPF = 129, IPIP = 130, VRRP = 131, L2TP = 132, ISIS = 133, FROM = 134, URPF_FAILED = 135, ANY = 136, NO_ROUTE = 137, MACRO = 138, ROUTE_TO = 139, REPLY_TO = 140, DUP_TO = 141, GROUP = 142, LITERAL_fragment = 143, LITERAL_crop = 144, // "drop-ovl" = 145 // "no-df" = 146 // "min-ttl" = 147 // "max-mss" = 148 // "random-id" = 149 FLAGS = 150, ICMP_TYPE = 151, ICMP_CODE = 152, LITERAL_echorep = 153, LITERAL_unreach = 154, LITERAL_squench = 155, LITERAL_redir = 156, LITERAL_althost = 157, LITERAL_echoreq = 158, LITERAL_routeradv = 159, LITERAL_routersol = 160, LITERAL_timex = 161, LITERAL_paramprob = 162, LITERAL_timereq = 163, LITERAL_timerep = 164, LITERAL_inforeq = 165, LITERAL_inforep = 166, LITERAL_maskreq = 167, LITERAL_maskrep = 168, LITERAL_trace = 169, LITERAL_dataconv = 170, LITERAL_mobredir = 171, // "ipv6-where" = 172 // "ipv6-here" = 173 LITERAL_mobregreq = 174, LITERAL_mobregrep = 175, LITERAL_photuris = 176, // "net-unr" = 177 // "host-unr" = 178 // "proto-unr" = 179 // "port-unr" = 180 LITERAL_needfrag = 181, LITERAL_srcfail = 182, // "net-unk" = 183 // "host-unk" = 184 LITERAL_isolate = 185, // "net-prohib" = 186 // "host-prohib" = 187 // "net-tos" = 188 // "host-tos" = 189 // 
"filter-prohib" = 190 // "host-preced" = 191 // "cutoff-preced" = 192 // "redir-net" = 193 // "redir-host" = 194 // "redir-tos-net" = 195 // "redir-tos-host" = 196 // "normal-adv" = 197 // "common-adv" = 198 LITERAL_transit = 199, LITERAL_reassemb = 200, LITERAL_badhead = 201, LITERAL_optmiss = 202, LITERAL_badlen = 203, // "unknown-ind" = 204 // "auth-fail" = 205 // "decrypt-fail" = 206 ICMP6_TYPE = 207, TAGGED = 208, TAG = 209, KEEP = 210, MODULATE = 211, SYNPROXY = 212, STATE = 213, LABEL = 214, EXIT = 215, QUIT = 216, INTRFACE = 217, ICMP6 = 218, IGRP = 219, IPSEC = 220, NOS = 221, PCP = 222, PIM = 223, PPTP = 224, RIP = 225, SNP = 226, HOST = 227, RANGE = 228, LOG_LEVEL_ALERTS = 229, LOG_LEVEL_CRITICAL = 230, LOG_LEVEL_DEBUGGING = 231, LOG_LEVEL_EMERGENCIES = 232, LOG_LEVEL_ERRORS = 233, LOG_LEVEL_INFORMATIONAL = 234, LOG_LEVEL_NOTIFICATIONS = 235, LOG_LEVEL_WARNINGS = 236, LOG_LEVEL_DISABLE = 237, LOG_LEVEL_INACTIVE = 238, Whitespace = 239, HEX_CONST = 240, NEG_INT_CONST = 241, HEX_DIGIT = 242, DIGIT = 243, NUM_3DIGIT = 244, NUM_HEX_4DIGIT = 245, NUMBER_ADDRESS_OR_WORD = 246, PIPE_CHAR = 247, PERCENT = 248, AMPERSAND = 249, APOSTROPHE = 250, PLUS = 251, DOT = 252, SEMICOLON = 253, QUESTION = 254, COMMERCIAL_AT = 255, OPENING_SQUARE = 256, CLOSING_SQUARE = 257, CARET = 258, UNDERLINE = 259, TILDE = 260, DOUBLE_QUOTE = 261, NULL_TREE_LOOKAHEAD = 3 }; #ifdef __cplusplus }; #endif #endif /*INC_PFCfgParserTokenTypes_hpp_*/ fwbuilder-5.3.7/src/parsers/PFCfgParserTokenTypes.txt000066400000000000000000000123041303637203600226530ustar00rootroot00000000000000// $ANTLR 2.7.7 (20100319): pf.g -> PFCfgParserTokenTypes.txt$ PFCfgParser // output token vocab name NEWLINE=4 COMMENT_START=5 INCLUDE_COMMAND="include"=6 WORD=7 EQUAL=8 ANTISPOOF="antispoof"=9 ALTQ="altq"=10 QUEUE="queue"=11 SET="set"=12 TIMEOUT="timeout"=13 "ruleset-optimization"=14 LITERAL_optimization="optimization"=15 LITERAL_aggressive="aggressive"=16 LITERAL_conservative="conservative"=17 "high-latency"=18 
LITERAL_normal="normal"=19 LITERAL_satellite="satellite"=20 LITERAL_limit="limit"=21 LITERAL_loginterface="loginterface"=22 "block-policy"=23 DROP="drop"=24 RETURN="return"=25 "state-policy"=26 "if-bound"=27 LITERAL_floating="floating"=28 "state-defaults"=29 "require-order"=30 LITERAL_fingerprints="fingerprints"=31 LITERAL_skip="skip"=32 ON="on"=33 OPENING_BRACE=34 COMMA=35 CLOSING_BRACE=36 LITERAL_debug="debug"=37 LITERAL_reassemble="reassemble"=38 LITERAL_hostid="hostid"=39 "tcp.first"=40 "tcp.opening"=41 "tcp.established"=42 "tcp.closing"=43 "tcp.finwait"=44 "tcp.closed"=45 "udp.first"=46 "udp.single"=47 "udp.multiple"=48 "icmp.first"=49 "icmp.error"=50 "other.first"=51 "other.single"=52 "other.multiple"=53 LITERAL_frag="frag"=54 LITERAL_interval="interval"=55 "src.track"=56 "adaptive.start"=57 "adaptive.end"=58 INT_CONST=59 LITERAL_frags="frags"=60 LITERAL_states="states"=61 "src-nodes"=62 LITERAL_tables="tables"=63 "tables-entries"=64 SCRUB="scrub"=65 MATCH="match"=66 TABLE="table"=67 LESS_THAN=68 GREATER_THAN=69 PERSIST="persist"=70 CONST_WORD="const"=71 COUNTERS="counters"=72 FILE="file"=73 STRING=74 EXLAMATION=75 COLON=76 NETWORK="network"=77 BROADCAST="broadcast"=78 PEER="peer"=79 SELF="self"=80 IPV4=81 NUMBER=82 SLASH=83 NO="no"=84 NAT="nat"=85 PASS="pass"=86 MINUS=87 STATIC_PORT="static-port"=88 RDR="rdr"=89 OPENING_PAREN=90 CLOSING_PAREN=91 PORT="port"=92 IPV6=93 STAR=94 BITMASK="bitmask"=95 RANDOM="random"=96 SOURCE_HASH="source-hash"=97 HEX_KEY="hex-key"=98 STRING_KEY="string-key"=99 ROUND_ROBIN="round-robin"=100 STICKY_ADDRESS="sticky-address"=101 BINAT="binat"=102 BLOCK="block"=103 RETURN_RST="return-rst"=104 TTL=105 RETURN_ICMP="return-icmp"=106 RETURN_ICMP6=107 IN_WORD="in"=108 OUT_WORD="out"=109 LOG="log"=110 QUICK="quick"=111 ALL="all"=112 USER="user"=113 TO="to"=114 INET="inet"=115 INET6="inet6"=116 PROTO="proto"=117 IP="ip"=118 ICMP="icmp"=119 IGMP="igmp"=120 TCP="tcp"=121 UDP="udp"=122 RDP="rdp"=123 RSVP="rsvp"=124 GRE="gre"=125 
ESP_WORD="esp"=126 AH="ah"=127 EIGRP="eigrp"=128 OSPF="ospf"=129 IPIP="ipip"=130 VRRP="vrrp"=131 L2TP="l2tp"=132 ISIS="isis"=133 FROM="from"=134 URPF_FAILED="urpf-failed"=135 ANY="any"=136 NO_ROUTE="no-route"=137 MACRO=138 ROUTE_TO="route-to"=139 REPLY_TO="reply-to"=140 DUP_TO="dup-to"=141 GROUP="group"=142 LITERAL_fragment="fragment"=143 LITERAL_crop="crop"=144 "drop-ovl"=145 "no-df"=146 "min-ttl"=147 "max-mss"=148 "random-id"=149 FLAGS="flags"=150 ICMP_TYPE="icmp-type"=151 ICMP_CODE="code"=152 LITERAL_echorep="echorep"=153 LITERAL_unreach="unreach"=154 LITERAL_squench="squench"=155 LITERAL_redir="redir"=156 LITERAL_althost="althost"=157 LITERAL_echoreq="echoreq"=158 LITERAL_routeradv="routeradv"=159 LITERAL_routersol="routersol"=160 LITERAL_timex="timex"=161 LITERAL_paramprob="paramprob"=162 LITERAL_timereq="timereq"=163 LITERAL_timerep="timerep"=164 LITERAL_inforeq="inforeq"=165 LITERAL_inforep="inforep"=166 LITERAL_maskreq="maskreq"=167 LITERAL_maskrep="maskrep"=168 LITERAL_trace="trace"=169 LITERAL_dataconv="dataconv"=170 LITERAL_mobredir="mobredir"=171 "ipv6-where"=172 "ipv6-here"=173 LITERAL_mobregreq="mobregreq"=174 LITERAL_mobregrep="mobregrep"=175 LITERAL_photuris="photuris"=176 "net-unr"=177 "host-unr"=178 "proto-unr"=179 "port-unr"=180 LITERAL_needfrag="needfrag"=181 LITERAL_srcfail="srcfail"=182 "net-unk"=183 "host-unk"=184 LITERAL_isolate="isolate"=185 "net-prohib"=186 "host-prohib"=187 "net-tos"=188 "host-tos"=189 "filter-prohib"=190 "host-preced"=191 "cutoff-preced"=192 "redir-net"=193 "redir-host"=194 "redir-tos-net"=195 "redir-tos-host"=196 "normal-adv"=197 "common-adv"=198 LITERAL_transit="transit"=199 LITERAL_reassemb="reassemb"=200 LITERAL_badhead="badhead"=201 LITERAL_optmiss="optmiss"=202 LITERAL_badlen="badlen"=203 "unknown-ind"=204 "auth-fail"=205 "decrypt-fail"=206 ICMP6_TYPE="icmp6-type"=207 TAGGED="tagged"=208 TAG="tag"=209 KEEP="keep"=210 MODULATE="modulate"=211 SYNPROXY="synproxy"=212 STATE="state"=213 LABEL="label"=214 EXIT="exit"=215 
QUIT="quit"=216 INTRFACE="interface"=217 ICMP6="icmp6"=218 IGRP="igrp"=219 IPSEC="ipsec"=220 NOS="nos"=221 PCP="pcp"=222 PIM="pim"=223 PPTP="pptp"=224 RIP="rip"=225 SNP="snp"=226 HOST="host"=227 RANGE="range"=228 LOG_LEVEL_ALERTS="alerts"=229 LOG_LEVEL_CRITICAL="critical"=230 LOG_LEVEL_DEBUGGING="debugging"=231 LOG_LEVEL_EMERGENCIES="emergencies"=232 LOG_LEVEL_ERRORS="errors"=233 LOG_LEVEL_INFORMATIONAL="informational"=234 LOG_LEVEL_NOTIFICATIONS="notifications"=235 LOG_LEVEL_WARNINGS="warnings"=236 LOG_LEVEL_DISABLE="disable"=237 LOG_LEVEL_INACTIVE="inactive"=238 Whitespace=239 HEX_CONST=240 NEG_INT_CONST=241 HEX_DIGIT=242 DIGIT=243 NUM_3DIGIT=244 NUM_HEX_4DIGIT=245 NUMBER_ADDRESS_OR_WORD=246 PIPE_CHAR=247 PERCENT=248 AMPERSAND=249 APOSTROPHE=250 PLUS=251 DOT=252 SEMICOLON=253 QUESTION=254 COMMERCIAL_AT=255 OPENING_SQUARE=256 CLOSING_SQUARE=257 CARET=258 UNDERLINE=259 TILDE=260 DOUBLE_QUOTE=261 fwbuilder-5.3.7/src/parsers/PIXCfgLexer.cpp000066400000000000000000001531661303637203600205620ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20090306): "pix.g" -> "PIXCfgLexer.cpp"$ */ #line 42 "pix.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "PIXCfgLexer.cpp" #include "PIXCfgLexer.hpp" #include #include #include #include #include #include #include #line 48 "pix.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #line 25 "PIXCfgLexer.cpp" #line 1 "pix.g" #line 27 "PIXCfgLexer.cpp" PIXCfgLexer::PIXCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in) : ANTLR_USE_NAMESPACE(antlr)CharScanner(new ANTLR_USE_NAMESPACE(antlr)CharBuffer(in),true) { initLiterals(); } PIXCfgLexer::PIXCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib) : ANTLR_USE_NAMESPACE(antlr)CharScanner(ib,true) { initLiterals(); } PIXCfgLexer::PIXCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)CharScanner(state,true) { initLiterals(); } void PIXCfgLexer::initLiterals() { 
literals["parameter-problem"] = 91; literals["full"] = 125; literals["FWSM"] = 67; literals["port-object"] = 54; literals["notifications"] = 111; literals["duplex"] = 131; literals["dns"] = 56; literals["no"] = 63; literals["static"] = 163; literals["esp"] = 18; literals["time-range"] = 117; literals["gre"] = 19; literals["timestamp-request"] = 98; literals["echo"] = 81; literals["speed"] = 130; literals["warnings"] = 112; literals["resetoutbound"] = 61; literals["timeout"] = 8; literals["eigrp"] = 17; literals["icmp-type"] = 51; literals["permit"] = 74; literals["remark"] = 153; literals["network"] = 10; literals["igmp"] = 20; literals["range"] = 32; literals["destination"] = 44; literals["setroute"] = 166; literals["vlan"] = 129; literals["debugging"] = 107; literals["controller"] = 118; literals["interface"] = 101; literals["dhcp"] = 145; literals["aui"] = 122; literals["Version"] = 68; literals["auto"] = 123; literals["subnet"] = 33; literals["time-exceeded"] = 96; literals["outside"] = 119; literals["shutdown"] = 143; literals["group-object"] = 46; literals["eq"] = 77; literals["fragments"] = 116; literals["norandomseq"] = 164; literals["unreachable"] = 100; literals["delay"] = 134; literals["ip"] = 6; literals["security-level"] = 142; literals["mobile-redirect"] = 90; literals["ospf"] = 25; literals["name"] = 12; literals["errors"] = 109; literals["mask-request"] = 89; literals["PIX"] = 65; literals["any"] = 102; literals["ASA"] = 66; literals["pptp"] = 27; literals["redirect"] = 92; literals["forward"] = 133; literals["timestamp-reply"] = 97; literals["description"] = 30; literals["alerts"] = 105; literals["netmask"] = 162; literals["lt"] = 79; literals["internal"] = 58; literals["bnc"] = 124; literals["global"] = 160; literals["nos"] = 24; literals["extended"] = 73; literals["certificate"] = 64; literals["service"] = 34; literals["telnet"] = 37; literals["udp"] = 42; literals["hold-time"] = 135; literals["management-only"] = 137; literals["baseT"] = 126; 
literals["ipinip"] = 22; literals["standby"] = 146; literals["crypto"] = 55; literals["object"] = 29; literals["pim"] = 9; literals["secondary"] = 165; literals["emergencies"] = 108; literals["disable"] = 113; literals["mask-reply"] = 88; literals["tcp"] = 41; literals["tcp-udp"] = 52; literals["source"] = 43; literals["names"] = 11; literals["icmp"] = 38; literals["http"] = 35; literals["call-home"] = 57; literals["log"] = 103; literals["snp"] = 28; literals["mac-address"] = 138; literals["established"] = 82; literals["deny"] = 75; literals["information-request"] = 87; literals["ssh"] = 36; literals["protocol-object"] = 49; literals["gt"] = 78; literals["ah"] = 16; literals["interval"] = 115; literals["resetoutside"] = 62; literals["ddns"] = 132; literals["ipv6"] = 136; literals["rip"] = 141; literals["baseTX"] = 127; literals["access-group"] = 154; literals["critical"] = 106; literals["standard"] = 76; literals["quit"] = 5; literals["community-list"] = 7; literals["network-object"] = 47; literals["hostname"] = 70; literals["server"] = 152; literals["information-reply"] = 86; literals["icmp6"] = 40; literals["authentication-certificate"] = 151; literals["switchport"] = 147; literals["ipsec"] = 23; literals["conversion-error"] = 84; literals["host"] = 31; literals["echo-reply"] = 85; literals["nameif"] = 128; literals["pcp"] = 26; literals["service-object"] = 53; literals["nat"] = 156; literals["access-list"] = 72; literals["informational"] = 110; literals["igrp"] = 21; literals["traceroute"] = 99; literals["address"] = 144; literals["log-input"] = 104; literals["router-advertisement"] = 93; literals["resetinbound"] = 60; literals["router-solicitation"] = 94; literals["access"] = 148; literals["icmp-object"] = 50; literals["source-quench"] = 95; literals["scopy"] = 149; literals["protocol"] = 48; literals["object-group"] = 45; literals["inactive"] = 114; literals["multicast"] = 139; literals["exit"] = 121; literals["version"] = 150; literals["neq"] = 80; 
literals["alternate-address"] = 83; literals["password-recovery"] = 59; } ANTLR_USE_NAMESPACE(antlr)RefToken PIXCfgLexer::nextToken() { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; for (;;) { ANTLR_USE_NAMESPACE(antlr)RefToken theRetToken; int _ttype = ANTLR_USE_NAMESPACE(antlr)Token::INVALID_TYPE; resetText(); try { // for lexical and char stream error handling switch ( LA(1)) { case 0xa /* '\n' */ : case 0xd /* '\r' */ : { mNEWLINE(true); theRetToken=_returnToken; break; } case 0x24 /* '$' */ : case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { mNUMBER_ADDRESS_OR_WORD(true); theRetToken=_returnToken; break; } case 0x2e /* '.' 
*/ : { mDOT(true); theRetToken=_returnToken; break; } case 0x22 /* '\"' */ : { mSTRING(true); theRetToken=_returnToken; break; } case 0x7c /* '|' */ : { mPIPE_CHAR(true); theRetToken=_returnToken; break; } case 0x23 /* '#' */ : { mNUMBER_SIGN(true); theRetToken=_returnToken; break; } case 0x25 /* '%' */ : { mPERCENT(true); theRetToken=_returnToken; break; } case 0x26 /* '&' */ : { mAMPERSAND(true); theRetToken=_returnToken; break; } case 0x27 /* '\'' */ : { mAPOSTROPHE(true); theRetToken=_returnToken; break; } case 0x28 /* '(' */ : { mOPENING_PAREN(true); theRetToken=_returnToken; break; } case 0x29 /* ')' */ : { mCLOSING_PAREN(true); theRetToken=_returnToken; break; } case 0x2a /* '*' */ : { mSTAR(true); theRetToken=_returnToken; break; } case 0x2b /* '+' */ : { mPLUS(true); theRetToken=_returnToken; break; } case 0x2c /* ',' */ : { mCOMMA(true); theRetToken=_returnToken; break; } case 0x2d /* '-' */ : { mMINUS(true); theRetToken=_returnToken; break; } case 0x2f /* '/' */ : { mSLASH(true); theRetToken=_returnToken; break; } case 0x3b /* ';' */ : { mSEMICOLON(true); theRetToken=_returnToken; break; } case 0x3c /* '<' */ : { mLESS_THAN(true); theRetToken=_returnToken; break; } case 0x3d /* '=' */ : { mEQUALS(true); theRetToken=_returnToken; break; } case 0x3e /* '>' */ : { mGREATER_THAN(true); theRetToken=_returnToken; break; } case 0x3f /* '?' 
*/ : { mQUESTION(true); theRetToken=_returnToken; break; } case 0x40 /* '@' */ : { mCOMMERCIAL_AT(true); theRetToken=_returnToken; break; } case 0x5b /* '[' */ : { mOPENING_SQUARE(true); theRetToken=_returnToken; break; } case 0x5d /* ']' */ : { mCLOSING_SQUARE(true); theRetToken=_returnToken; break; } case 0x5e /* '^' */ : { mCARET(true); theRetToken=_returnToken; break; } case 0x5f /* '_' */ : { mUNDERLINE(true); theRetToken=_returnToken; break; } case 0x7b /* '{' */ : { mOPENING_BRACE(true); theRetToken=_returnToken; break; } case 0x7d /* '}' */ : { mCLOSING_BRACE(true); theRetToken=_returnToken; break; } case 0x7e /* '~' */ : { mTILDE(true); theRetToken=_returnToken; break; } default: if ((LA(1) == 0x21 /* '!' */ ) && ((LA(2) >= 0x3 /* '\3' */ && LA(2) <= 0xff))) { mLINE_COMMENT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x3a /* ':' */ ) && ((LA(2) >= 0x3 /* '\3' */ && LA(2) <= 0xff))) { mCOLON_COMMENT(true); theRetToken=_returnToken; } else if ((LA(1) == 0x3a /* ':' */ ) && (true)) { mCOLON(true); theRetToken=_returnToken; } else if ((_tokenSet_0.member(LA(1)))) { mWhitespace(true); theRetToken=_returnToken; } else if ((LA(1) == 0x21 /* '!' 
*/ ) && (true)) { mEXLAMATION(true); theRetToken=_returnToken; } else { if (LA(1)==EOF_CHAR) { uponEOF(); _returnToken = makeToken(ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE); } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } if ( !_returnToken ) goto tryAgain; // found SKIP token _ttype = _returnToken->getType(); _ttype = testLiteralsTable(_ttype); _returnToken->setType(_ttype); return _returnToken; } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& e) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamRecognitionException(e); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamIOException& csie) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamIOException(csie.io); } catch (ANTLR_USE_NAMESPACE(antlr)CharStreamException& cse) { throw ANTLR_USE_NAMESPACE(antlr)TokenStreamException(cse.getMessage()); } tryAgain:; } } void PIXCfgLexer::mLINE_COMMENT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LINE_COMMENT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match("!"); { // ( ... )* for (;;) { if ((_tokenSet_1.member(LA(1)))) { { match(_tokenSet_1); } } else { goto _loop285; } } _loop285:; } // ( ... 
)* mNEWLINE(false); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mNEWLINE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEWLINE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { if ((LA(1) == 0xd /* '\r' */ ) && (LA(2) == 0xa /* '\n' */ )) { match("\r\n"); } else if ((LA(1) == 0xd /* '\r' */ ) && (true)) { match('\r' /* charlit */ ); } else if ((LA(1) == 0xa /* '\n' */ )) { match('\n' /* charlit */ ); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } if ( inputState->guessing==0 ) { #line 2548 "pix.g" newline(); #line 548 "PIXCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mCOLON_COMMENT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = COLON_COMMENT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; mCOLON(false); { // ( ... )* for (;;) { if ((_tokenSet_1.member(LA(1)))) { { match(_tokenSet_1); } } else { goto _loop289; } } _loop289:; } // ( ... 
)* mNEWLINE(false); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mCOLON(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = COLON; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(':' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mWhitespace(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = Whitespace; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { switch ( LA(1)) { case 0x3 /* '\3' */ : case 0x4 /* '\4' */ : case 0x5 /* '\5' */ : case 0x6 /* '\6' */ : case 0x7 /* '\7' */ : case 0x8 /* '\10' */ : { matchRange('\3','\10'); break; } case 0x9 /* '\t' */ : { match('\t' /* charlit */ ); break; } case 0xb /* '\13' */ : { match('\13' /* charlit */ ); break; } case 0xc /* '\14' */ : { match('\14' /* charlit */ ); break; } case 0xe /* '\16' */ : case 0xf /* '\17' */ : case 0x10 /* '\20' */ : case 0x11 /* '\21' */ : case 0x12 /* '\22' */ : case 0x13 /* '\23' */ : case 0x14 /* '\24' */ : case 0x15 /* '\25' */ : case 0x16 /* '\26' */ : case 0x17 /* '\27' */ : case 0x18 /* '\30' */ : case 0x19 /* '\31' */ : case 0x1a /* '\32' */ : case 0x1b /* '\33' */ : case 0x1c /* '\34' */ : case 0x1d /* '\35' */ : case 0x1e /* '\36' */ : case 0x1f /* '\37' */ : { matchRange('\16','\37'); break; } case 0x20 /* ' ' */ : { match(' ' /* charlit */ ); break; } default: if (((LA(1) >= 0x7f && LA(1) <= 0xff))) { 
matchRange('\177',static_cast('\377')); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } if ( inputState->guessing==0 ) { #line 2543 "pix.g" _ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP; #line 672 "PIXCfgLexer.cpp" } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mINT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = INT_CONST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mHEX_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEX_CONST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mNUMBER(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUMBER; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = 
_token; //_saveIndex=0; } void PIXCfgLexer::mNEG_INT_CONST(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NEG_INT_CONST; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mDIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DIGIT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; matchRange('0','9'); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mHEXDIGIT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = HEXDIGIT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; matchRange('a','f'); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUMBER_ADDRESS_OR_WORD; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { bool synPredMatched338 = false; if (((_tokenSet_2.member(LA(1))) && (_tokenSet_3.member(LA(2))) && (true))) { int _m338 = mark(); synPredMatched338 = true; 
inputState->guessing++; try { { { // ( ... )+ int _cnt337=0; for (;;) { switch ( LA(1)) { case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : { matchRange('a','f'); break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } default: { if ( _cnt337>=1 ) { goto _loop337; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } _cnt337++; } _loop337:; } // ( ... )+ mCOLON(false); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched338 = false; } rewind(_m338); inputState->guessing--; } if ( synPredMatched338 ) { { { { // ( ... )+ int _cnt342=0; for (;;) { switch ( LA(1)) { case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : { matchRange('a','f'); break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } default: { if ( _cnt342>=1 ) { goto _loop342; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } _cnt342++; } _loop342:; } // ( ... )+ { // ( ... )+ int _cnt346=0; for (;;) { if ((LA(1) == 0x3a /* ':' */ )) { mCOLON(false); { // ( ... 
)* for (;;) { switch ( LA(1)) { case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : { matchRange('a','f'); break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } default: { goto _loop345; } } } _loop345:; } // ( ... )* } else { if ( _cnt346>=1 ) { goto _loop346; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt346++; } _loop346:; } // ( ... )+ } if ( inputState->guessing==0 ) { #line 2589 "pix.g" _ttype = IPV6; #line 914 "PIXCfgLexer.cpp" } } } else { bool synPredMatched303 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true))) { int _m303 = mark(); synPredMatched303 = true; inputState->guessing++; try { { mDIGIT(false); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched303 = false; } rewind(_m303); inputState->guessing--; } if ( synPredMatched303 ) { { bool synPredMatched312 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) { int _m312 = mark(); synPredMatched312 = true; inputState->guessing++; try { { { // ( ... )+ int _cnt307=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt307>=1 ) { goto _loop307; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt307++; } _loop307:; } // ( ... )+ mDOT(false); { // ( ... 
)+ int _cnt309=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt309>=1 ) { goto _loop309; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt309++; } _loop309:; } // ( ... )+ mDOT(false); { // ( ... )+ int _cnt311=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt311>=1 ) { goto _loop311; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt311++; } _loop311:; } // ( ... )+ } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched312 = false; } rewind(_m312); inputState->guessing--; } if ( synPredMatched312 ) { { { // ( ... )+ int _cnt315=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt315>=1 ) { goto _loop315; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt315++; } _loop315:; } // ( ... )+ mDOT(false); { // ( ... )+ int _cnt317=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt317>=1 ) { goto _loop317; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt317++; } _loop317:; } // ( ... )+ mDOT(false); { // ( ... )+ int _cnt319=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt319>=1 ) { goto _loop319; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt319++; } _loop319:; } // ( ... )+ mDOT(false); { // ( ... 
)+ int _cnt321=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt321>=1 ) { goto _loop321; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt321++; } _loop321:; } // ( ... )+ } if ( inputState->guessing==0 ) { #line 2577 "pix.g" _ttype = IPV4; #line 1061 "PIXCfgLexer.cpp" } } else { bool synPredMatched327 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) { int _m327 = mark(); synPredMatched327 = true; inputState->guessing++; try { { { // ( ... )+ int _cnt324=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt324>=1 ) { goto _loop324; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt324++; } _loop324:; } // ( ... )+ mDOT(false); { // ( ... )+ int _cnt326=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt326>=1 ) { goto _loop326; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt326++; } _loop326:; } // ( ... )+ } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched327 = false; } rewind(_m327); inputState->guessing--; } if ( synPredMatched327 ) { { { // ( ... )+ int _cnt330=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt330>=1 ) { goto _loop330; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt330++; } _loop330:; } // ( ... )+ mDOT(false); { // ( ... 
)+ int _cnt332=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt332>=1 ) { goto _loop332; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt332++; } _loop332:; } // ( ... )+ } if ( inputState->guessing==0 ) { #line 2580 "pix.g" _ttype = NUMBER; #line 1144 "PIXCfgLexer.cpp" } } else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true)) { { // ( ... )+ int _cnt334=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { if ( _cnt334>=1 ) { goto _loop334; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } _cnt334++; } _loop334:; } // ( ... )+ if ( inputState->guessing==0 ) { #line 2582 "pix.g" _ttype = INT_CONST; #line 1165 "PIXCfgLexer.cpp" } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } } else if ((_tokenSet_5.member(LA(1))) && (true) && (true)) { { switch ( LA(1)) { case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 
0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } case 0x24 /* '$' */ : { match('$' /* charlit */ ); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } { // ( ... )* for (;;) { switch ( LA(1)) { case 0x21 /* '!' */ : case 0x22 /* '\"' */ : case 0x23 /* '#' */ : case 0x24 /* '$' */ : case 0x25 /* '%' */ : case 0x26 /* '&' */ : case 0x27 /* '\'' */ : { matchRange('!','\''); break; } case 0x2a /* '*' */ : { match('*' /* charlit */ ); break; } case 0x2b /* '+' */ : { match('+' /* charlit */ ); break; } case 0x2d /* '-' */ : { match('-' /* charlit */ ); break; } case 0x2e /* '.' */ : { match('.' /* charlit */ ); break; } case 0x2f /* '/' */ : { match('/' /* charlit */ ); break; } case 0x30 /* '0' */ : case 0x31 /* '1' */ : case 0x32 /* '2' */ : case 0x33 /* '3' */ : case 0x34 /* '4' */ : case 0x35 /* '5' */ : case 0x36 /* '6' */ : case 0x37 /* '7' */ : case 0x38 /* '8' */ : case 0x39 /* '9' */ : { matchRange('0','9'); break; } case 0x3a /* ':' */ : { match(':' /* charlit */ ); break; } case 0x3b /* ';' */ : { match(';' /* charlit */ ); break; } case 0x3c /* '<' */ : { match('<' /* charlit */ ); break; } case 0x3d /* '=' */ : { match('=' /* charlit */ ); break; } case 0x3e /* '>' */ : { match('>' /* charlit */ ); break; } case 0x3f /* '?' */ : { match('?' 
/* charlit */ ); break; } case 0x40 /* '@' */ : { match('@' /* charlit */ ); break; } case 0x41 /* 'A' */ : case 0x42 /* 'B' */ : case 0x43 /* 'C' */ : case 0x44 /* 'D' */ : case 0x45 /* 'E' */ : case 0x46 /* 'F' */ : case 0x47 /* 'G' */ : case 0x48 /* 'H' */ : case 0x49 /* 'I' */ : case 0x4a /* 'J' */ : case 0x4b /* 'K' */ : case 0x4c /* 'L' */ : case 0x4d /* 'M' */ : case 0x4e /* 'N' */ : case 0x4f /* 'O' */ : case 0x50 /* 'P' */ : case 0x51 /* 'Q' */ : case 0x52 /* 'R' */ : case 0x53 /* 'S' */ : case 0x54 /* 'T' */ : case 0x55 /* 'U' */ : case 0x56 /* 'V' */ : case 0x57 /* 'W' */ : case 0x58 /* 'X' */ : case 0x59 /* 'Y' */ : case 0x5a /* 'Z' */ : { matchRange('A','Z'); break; } case 0x5c /* '\\' */ : { match('\\' /* charlit */ ); break; } case 0x5e /* '^' */ : { match('^' /* charlit */ ); break; } case 0x5f /* '_' */ : { match('_' /* charlit */ ); break; } case 0x60 /* '`' */ : { match('`' /* charlit */ ); break; } case 0x61 /* 'a' */ : case 0x62 /* 'b' */ : case 0x63 /* 'c' */ : case 0x64 /* 'd' */ : case 0x65 /* 'e' */ : case 0x66 /* 'f' */ : case 0x67 /* 'g' */ : case 0x68 /* 'h' */ : case 0x69 /* 'i' */ : case 0x6a /* 'j' */ : case 0x6b /* 'k' */ : case 0x6c /* 'l' */ : case 0x6d /* 'm' */ : case 0x6e /* 'n' */ : case 0x6f /* 'o' */ : case 0x70 /* 'p' */ : case 0x71 /* 'q' */ : case 0x72 /* 'r' */ : case 0x73 /* 's' */ : case 0x74 /* 't' */ : case 0x75 /* 'u' */ : case 0x76 /* 'v' */ : case 0x77 /* 'w' */ : case 0x78 /* 'x' */ : case 0x79 /* 'y' */ : case 0x7a /* 'z' */ : { matchRange('a','z'); break; } default: { goto _loop349; } } } _loop349:; } // ( ... 
)* if ( inputState->guessing==0 ) { #line 2597 "pix.g" _ttype = WORD; #line 1427 "PIXCfgLexer.cpp" } } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); } } } if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mDOT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = DOT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('.' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mSTRING(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = STRING; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('\"' /* charlit */ ); { // ( ... )* for (;;) { if ((_tokenSet_6.member(LA(1)))) { matchNot('\"' /* charlit */ ); } else { goto _loop352; } } _loop352:; } // ( ... 
)* match('\"' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mPIPE_CHAR(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = PIPE_CHAR; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('|' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mNUMBER_SIGN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = NUMBER_SIGN; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('#' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mPERCENT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = PERCENT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('%' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mAMPERSAND(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type 
_begin = text.length(); _ttype = AMPERSAND; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('&' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mAPOSTROPHE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = APOSTROPHE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('\'' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mOPENING_PAREN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_PAREN; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('(' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mCLOSING_PAREN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_PAREN; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(')' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mSTAR(bool 
_createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = STAR; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('*' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mPLUS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = PLUS; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('+' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mCOMMA(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = COMMA; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(',' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mMINUS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = MINUS; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('-' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken 
= _token; //_saveIndex=0; } void PIXCfgLexer::mSLASH(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = SLASH; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('/' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mSEMICOLON(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = SEMICOLON; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(';' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mLESS_THAN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = LESS_THAN; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('<' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mEQUALS(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = EQUALS; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('=' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = 
makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mGREATER_THAN(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = GREATER_THAN; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('>' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mQUESTION(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = QUESTION; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('?' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mCOMMERCIAL_AT(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = COMMERCIAL_AT; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('@' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mOPENING_SQUARE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = OPENING_SQUARE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('[' /* charlit */ ); if ( 
_createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mCLOSING_SQUARE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_SQUARE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match(']' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mCARET(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CARET; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('^' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mUNDERLINE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = UNDERLINE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('_' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mOPENING_BRACE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = 
OPENING_BRACE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('{' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mCLOSING_BRACE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = CLOSING_BRACE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('}' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mTILDE(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = TILDE; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('~' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } void PIXCfgLexer::mEXLAMATION(bool _createToken) { int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length(); _ttype = EXLAMATION; //ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; match('!' 
/* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { _token = makeToken(_ttype); _token->setText(text.substr(_begin, text.length()-_begin)); } _returnToken = _token; //_saveIndex=0; } const unsigned long PIXCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL, 2147483648UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14 // 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f 0x7f 0x80 0x81 // 0x82 0x83 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f // 0x90 0x91 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d // 0x9e 0x9f 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab // 0xac 0xad 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8 0xb9 // 0xba 0xbb 0xbc 0xbd 0xbe 0xbf 0xc0 0xc1 0xc2 0xc3 0xc4 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_0(_tokenSet_0_data_,16); const unsigned long PIXCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14 // 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! \" # $ % // & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? 
@ A B C D E F G // H I J K L M N O P Q R S T U V W X Y Z [ 0x5c ] ^ _ ` a b c d e f g h // i j k l m n o p q r s t u v w x y z { | } ~ 0x7f 0x80 0x81 0x82 0x83 // 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91 // 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d 0x9e 0x9f // 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 0xac 0xad // 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8 0xb9 0xba 0xbb // 0xbc 0xbd 0xbe 0xbf 0xc0 0xc1 0xc2 0xc3 0xc4 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_1(_tokenSet_1_data_,16); const unsigned long PIXCfgLexer::_tokenSet_2_data_[] = { 0UL, 67043328UL, 0UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0 1 2 3 4 5 6 7 8 9 a b c d e f const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_2(_tokenSet_2_data_,10); const unsigned long PIXCfgLexer::_tokenSet_3_data_[] = { 0UL, 134152192UL, 0UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0 1 2 3 4 5 6 7 8 9 : a b c d e f const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_3(_tokenSet_3_data_,10); const unsigned long PIXCfgLexer::_tokenSet_4_data_[] = { 0UL, 67059712UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // . 0 1 2 3 4 5 6 7 8 9 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_4(_tokenSet_4_data_,10); const unsigned long PIXCfgLexer::_tokenSet_5_data_[] = { 0UL, 16UL, 134217726UL, 134217726UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // $ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g // h i j k l m n o p q r s t u v w x y z const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_5(_tokenSet_5_data_,10); const unsigned long PIXCfgLexer::_tokenSet_6_data_[] = { 4294967288UL, 4294967291UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 0x11 0x12 0x13 // 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! 
# $ // % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F // G H I J K L M N O P Q R S T U V W X Y Z [ 0x5c ] ^ _ ` a b c d e f g // h i j k l m n o p q r s t u v w x y z { | } ~ 0x7f 0x80 0x81 0x82 0x83 // 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91 // 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d 0x9e 0x9f // 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 0xac 0xad // 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8 0xb9 0xba 0xbb // 0xbc 0xbd 0xbe 0xbf 0xc0 0xc1 0xc2 0xc3 0xc4 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_6(_tokenSet_6_data_,16); fwbuilder-5.3.7/src/parsers/PIXCfgLexer.hpp000066400000000000000000000075751303637203600205710ustar00rootroot00000000000000#ifndef INC_PIXCfgLexer_hpp_ #define INC_PIXCfgLexer_hpp_ #line 25 "pix.g" // gets inserted before antlr generated includes in the header // file #include "PIXImporter.h" #line 11 "PIXCfgLexer.hpp" #include /* $ANTLR 2.7.7 (20090306): "pix.g" -> "PIXCfgLexer.hpp"$ */ #include #include #include #include "PIXCfgParserTokenTypes.hpp" #include #line 32 "pix.g" // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include class PIXImporter; #line 28 "PIXCfgLexer.hpp" #line 56 "pix.g" // gets inserted after generated namespace specifications in the // header file. But outside the generated class. 
#line 34 "PIXCfgLexer.hpp" class CUSTOM_API PIXCfgLexer : public ANTLR_USE_NAMESPACE(antlr)CharScanner, public PIXCfgParserTokenTypes { #line 1 "pix.g" #line 38 "PIXCfgLexer.hpp" private: void initLiterals(); public: bool getCaseSensitiveLiterals() const { return true; } public: PIXCfgLexer(ANTLR_USE_NAMESPACE(std)istream& in); PIXCfgLexer(ANTLR_USE_NAMESPACE(antlr)InputBuffer& ib); PIXCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& state); ANTLR_USE_NAMESPACE(antlr)RefToken nextToken(); public: void mLINE_COMMENT(bool _createToken); public: void mNEWLINE(bool _createToken); public: void mCOLON_COMMENT(bool _createToken); public: void mCOLON(bool _createToken); public: void mWhitespace(bool _createToken); protected: void mINT_CONST(bool _createToken); protected: void mHEX_CONST(bool _createToken); protected: void mNUMBER(bool _createToken); protected: void mNEG_INT_CONST(bool _createToken); protected: void mDIGIT(bool _createToken); protected: void mHEXDIGIT(bool _createToken); public: void mNUMBER_ADDRESS_OR_WORD(bool _createToken); public: void mDOT(bool _createToken); public: void mSTRING(bool _createToken); public: void mPIPE_CHAR(bool _createToken); public: void mNUMBER_SIGN(bool _createToken); public: void mPERCENT(bool _createToken); public: void mAMPERSAND(bool _createToken); public: void mAPOSTROPHE(bool _createToken); public: void mOPENING_PAREN(bool _createToken); public: void mCLOSING_PAREN(bool _createToken); public: void mSTAR(bool _createToken); public: void mPLUS(bool _createToken); public: void mCOMMA(bool _createToken); public: void mMINUS(bool _createToken); public: void mSLASH(bool _createToken); public: void mSEMICOLON(bool _createToken); public: void mLESS_THAN(bool _createToken); public: void mEQUALS(bool _createToken); public: void mGREATER_THAN(bool _createToken); public: void mQUESTION(bool _createToken); public: void mCOMMERCIAL_AT(bool _createToken); public: void mOPENING_SQUARE(bool _createToken); public: void 
mCLOSING_SQUARE(bool _createToken); public: void mCARET(bool _createToken); public: void mUNDERLINE(bool _createToken); public: void mOPENING_BRACE(bool _createToken); public: void mCLOSING_BRACE(bool _createToken); public: void mTILDE(bool _createToken); public: void mEXLAMATION(bool _createToken); private: static const unsigned long _tokenSet_0_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long _tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; static const unsigned long _tokenSet_3_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_3; static const unsigned long _tokenSet_4_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_4; static const unsigned long _tokenSet_5_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_5; static const unsigned long _tokenSet_6_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_6; }; #endif /*INC_PIXCfgLexer_hpp_*/ fwbuilder-5.3.7/src/parsers/PIXCfgLexer.txt000066400000000000000000002742121303637203600206130ustar00rootroot00000000000000ANTLR-generated file resulting from grammar pix.g Diagnostic output Terence Parr, MageLang Institute with John Lilley, Empathy Software ANTLR Version 2.7.7 (20090306); 1989-2005 *** Header Action. This action will appear at the top of all generated files. // gets inserted after generated namespace specifications in the // header file. But outside the generated class. *** End of Header Action *** Lexer Preamble Action. This action will appear before the declaration of your lexer class: *** End of Lexer Preamble Action *** Your lexer class is called 'PIXCfgLexer' and is a subclass of 'CharScanner'. 
*** User-defined lexer class members: These are the member declarations that you defined for your class: *** End of user-defined lexer class members *** String literals used in the parser The following string literals were used in the parser. An actual code generator would arrange to place these literals into a table in the generated lexer, so that actions in the generated lexer could match token text against the literals. String literals used in the lexer are not listed here, as they are incorporated into the mainstream lexer processing. *** End of string literals used by the parser *** Lexer nextToken rule: The lexer nextToken rule is synthesized from all of the user-defined lexer rules. It logically consists of one big alternative block with each user-defined rule being an alternative. The grammar analyzer has determined that the synthesized nextToken rule is non-deterministic (i.e., it has ambiguities) This means that there is some overlap of the character lookahead for two or more of your lexer rules. Start of an alternative block. 
The lookahead set for this block is: k==1: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\n', '\u000b', '\u000c', '\r', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', ']', '^', '_', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', 
'\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } k==2: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\n', '\u000b', '\u000c', '\r', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', 
'\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } k==3: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\n', '\u000b', '\u000c', '\r', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', 
'\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: k==1: {'!' } k==2: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\n', '\u000b', '\u000c', '\r', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', 
'\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } is matched. Rule Reference: mLINE_COMMENT Otherwise, Alternate(2) will be taken IF: The lookahead set: { '\n', '\r' } is matched. Rule Reference: mNEWLINE Otherwise, Alternate(3) will be taken IF: The lookahead set: k==1: {':' } k==2: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\n', '\u000b', '\u000c', '\r', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', 
'\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } is matched. Rule Reference: mCOLON_COMMENT Otherwise, Alternate(4) will be taken IF: The lookahead set: k==1: {':' } k==2: { } is matched. Rule Reference: mCOLON Otherwise, Alternate(5) will be taken IF: The lookahead set: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\u000b', '\u000c', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', 
'\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } is matched. Rule Reference: mWhitespace Otherwise, Alternate(6) will be taken IF: The lookahead set: k==1: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } k==2: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', 'a', 'b', 'c', 'd', 'e', 'f' } k==3: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', 'a', 'b', 'c', 'd', 'e', 'f' } is matched. Rule Reference: mNUMBER Otherwise, Alternate(7) will be taken IF: The lookahead set: { '.' } is matched. Rule Reference: mDOT Otherwise, Alternate(8) will be taken IF: The lookahead set: k==1: { '$', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' } k==2: { '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '\\', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' } k==3: { '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 
'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '\\', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' } is matched. Rule Reference: mWORD Otherwise, Alternate(9) will be taken IF: The lookahead set: { '"' } is matched. Rule Reference: mSTRING Otherwise, Alternate(10) will be taken IF: The lookahead set: { '|' } is matched. Rule Reference: mPIPE_CHAR Otherwise, Alternate(11) will be taken IF: The lookahead set: { '#' } is matched. Rule Reference: mNUMBER_SIGN Otherwise, Alternate(12) will be taken IF: The lookahead set: { '%' } is matched. Rule Reference: mPERCENT Otherwise, Alternate(13) will be taken IF: The lookahead set: { '&' } is matched. Rule Reference: mAMPERSAND Otherwise, Alternate(14) will be taken IF: The lookahead set: { '\'' } is matched. Rule Reference: mAPOSTROPHE Otherwise, Alternate(15) will be taken IF: The lookahead set: { '(' } is matched. Rule Reference: mOPENING_PAREN Otherwise, Alternate(16) will be taken IF: The lookahead set: { ')' } is matched. Rule Reference: mCLOSING_PAREN Otherwise, Alternate(17) will be taken IF: The lookahead set: { '*' } is matched. Rule Reference: mSTAR Otherwise, Alternate(18) will be taken IF: The lookahead set: { '+' } is matched. Rule Reference: mPLUS Otherwise, Alternate(19) will be taken IF: The lookahead set: { ',' } is matched. Rule Reference: mCOMMA Otherwise, Alternate(20) will be taken IF: The lookahead set: { '-' } is matched. Rule Reference: mMINUS Otherwise, Alternate(21) will be taken IF: The lookahead set: { '/' } is matched. Rule Reference: mSLASH Otherwise, Alternate(22) will be taken IF: The lookahead set: { ';' } is matched. Rule Reference: mSEMICOLON Otherwise, Alternate(23) will be taken IF: The lookahead set: { '<' } is matched. Rule Reference: mLESS_THAN Otherwise, Alternate(24) will be taken IF: The lookahead set: { '=' } is matched. 
Rule Reference: mEQUALS Otherwise, Alternate(25) will be taken IF: The lookahead set: { '>' } is matched. Rule Reference: mGREATER_THAN Otherwise, Alternate(26) will be taken IF: The lookahead set: { '?' } is matched. Rule Reference: mQUESTION Otherwise, Alternate(27) will be taken IF: The lookahead set: { '@' } is matched. Rule Reference: mCOMMERCIAL_AT Otherwise, Alternate(28) will be taken IF: The lookahead set: { '[' } is matched. Rule Reference: mOPENING_SQUARE Otherwise, Alternate(29) will be taken IF: The lookahead set: { ']' } is matched. Rule Reference: mCLOSING_SQUARE Otherwise, Alternate(30) will be taken IF: The lookahead set: { '^' } is matched. Rule Reference: mCARET Otherwise, Alternate(31) will be taken IF: The lookahead set: { '_' } is matched. Rule Reference: mUNDERLINE Otherwise, Alternate(32) will be taken IF: The lookahead set: { '{' } is matched. Rule Reference: mOPENING_BRACE Otherwise, Alternate(33) will be taken IF: The lookahead set: { '}' } is matched. Rule Reference: mCLOSING_BRACE Otherwise, Alternate(34) will be taken IF: The lookahead set: { '~' } is matched. Rule Reference: mTILDE Otherwise, Alternate(35) will be taken IF: The lookahead set: k==1: {'!' } k==2: { } is matched. Rule Reference: mEXLAMATION OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. *** End of nextToken lexer rule. *** User-defined Lexer rules: *** Lexer Rule: mLINE_COMMENT Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '!' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '!' } is matched. Match string literal "!" Start ZERO-OR-MORE (...)+ block: Start of an alternative block. 
The lookahead set for this block is: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\u000b', '\u000c', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', 
'\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\u000b', '\u000c', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', 
'\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\u000b', '\u000c', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', 
'\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { '\r' } is matched. Match character '\r' Otherwise, Alternate(2) will be taken IF: The lookahead set: { '\n' } is matched. Match character '\n' OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ZERO-OR-MORE block. Rule Reference: mNEWLINE OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mLINE_COMMENT *** Lexer Rule: mNEWLINE Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '\n', '\r' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '\n', '\r' } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: k==1: {'\n', '\r' } k==2: {'\n' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: k==1: {'\r' } k==2: {'\n' } is matched. Match string literal "\r\n" Otherwise, Alternate(2) will be taken IF: The lookahead set: k==1: {'\r' } k==2: { } is matched. Match character '\r' Otherwise, Alternate(3) will be taken IF: The lookahead set: { '\n' } is matched. Match character '\n' OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: newline(); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
*** End Lexer Rule: mNEWLINE *** Lexer Rule: mCOLON_COMMENT Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { ':' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { ':' } is matched. Rule Reference: mCOLON Start ZERO-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\u000b', '\u000c', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', 
'\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\u000b', '\u000c', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', 
'\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\u000b', '\u000c', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', 
'\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { '\r' } is matched. Match character '\r' Otherwise, Alternate(2) will be taken IF: The lookahead set: { '\n' } is matched. Match character '\n' OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ZERO-OR-MORE block. Rule Reference: mNEWLINE OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mCOLON_COMMENT *** Lexer Rule: mCOLON Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { ':' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { ':' } is matched. Match character ':' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mCOLON *** Lexer Rule: mWhitespace Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. 
The lookahead set for this block is: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\u000b', '\u000c', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\u000b', '\u000c', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '\u007f', '\u0080', '\u0081', '\u0082', 
'\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } is matched. Start of alternative block. Start of an alternative block. 
The lookahead set for this block is: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\u000b', '\u000c', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008' } is matched. Match character range: '\003'..'\010' Otherwise, Alternate(2) will be taken IF: The lookahead set: { '\t' } is matched. Match character '\t' Otherwise, Alternate(3) will be taken IF: The lookahead set: { '\u000b' } is matched. 
Match character '\013' Otherwise, Alternate(4) will be taken IF: The lookahead set: { '\u000c' } is matched. Match character '\f' Otherwise, Alternate(5) will be taken IF: The lookahead set: { '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f' } is matched. Match character range: '\016'..'\037' Otherwise, Alternate(6) will be taken IF: The lookahead set: { '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } is matched. Match character range: '\177'..'\377' Otherwise, Alternate(7) will be taken IF: The lookahead set: { ' ' } is matched. 
Match character ' ' OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: _ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mWhitespace *** Lexer Rule: mINT_CONST Access: protected Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: MATCHES ALL is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mINT_CONST *** Lexer Rule: mHEX_CONST Access: protected Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: MATCHES ALL is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mHEX_CONST *** Lexer Rule: mNEG_INT_CONST Access: protected Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: MATCHES ALL is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mNEG_INT_CONST *** Lexer Rule: mDIGIT Access: protected Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Match character range: '0'..'9' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
*** End Lexer Rule: mDIGIT *** Lexer Rule: mHEXDIGIT Access: protected Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { 'a', 'b', 'c', 'd', 'e', 'f' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { 'a', 'b', 'c', 'd', 'e', 'f' } is matched. Match character range: 'a'..'f' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mHEXDIGIT *** Lexer Rule: mNUMBER Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } is matched. Start of alternative block. Warning: This alternative block is non-deterministic Start of an alternative block. The lookahead set for this block is: k==1: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } k==2: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', 'a', 'b', 'c', 'd', 'e', 'f' } k==3: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', 'a', 'b', 'c', 'd', 'e', 'f' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: k==1: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } k==2: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } k==3: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched, AND the syntactic predicate: Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. 
Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. is matched. Start of alternative block. Warning: This alternative block is non-deterministic Start of an alternative block. The lookahead set for this block is: k==1: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } k==2: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } k==3: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: k==1: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } k==2: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } k==3: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched, AND the syntactic predicate: Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. Rule Reference: mDOT Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. 
Rule Reference: mDOT Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. Rule Reference: mDOT Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. Rule Reference: mDOT Start ONE-OR-MORE (...)+ block: Start of an alternative block. 
The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. Rule Reference: mDOT Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. ACTION: _ttype = IPV4; Otherwise, Alternate(2) will be taken IF: The lookahead set: k==1: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } k==2: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } k==3: { '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched, AND the syntactic predicate: Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. 
Rule Reference: mDOT Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. Rule Reference: mDOT Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
Otherwise, Alternate(3) will be taken IF: The lookahead set: k==1: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } k==2: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } k==3: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Rule Reference: mDIGIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. ACTION: _ttype = INT_CONST; OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Otherwise, Alternate(2) will be taken IF: The lookahead set: k==1: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } k==2: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', 'a', 'b', 'c', 'd', 'e', 'f' } k==3: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', 'a', 'b', 'c', 'd', 'e', 'f' } is matched, AND the syntactic predicate: Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } is matched. Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { 'a', 'b', 'c', 'd', 'e', 'f' } is matched. 
Match character range: 'a'..'f' Otherwise, Alternate(2) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Match character range: '0'..'9' OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. End ONE-OR-MORE block. Rule Reference: mCOLON OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } is matched. Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { 'a', 'b', 'c', 'd', 'e', 'f' } is matched. Match character range: 'a'..'f' Otherwise, Alternate(2) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Match character range: '0'..'9' OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. End ONE-OR-MORE block. Rule Reference: mCOLON OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. ACTION: _ttype = IPV6; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mNUMBER *** Lexer Rule: mDOT Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '.' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '.' } is matched. Match character '.' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mDOT *** Lexer Rule: mWORD Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '$', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '$', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { '$', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' } is matched. 
Match character range: 'a'..'z' Otherwise, Alternate(2) will be taken IF: The lookahead set: { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' } is matched. Match character range: 'A'..'Z' Otherwise, Alternate(3) will be taken IF: The lookahead set: { '$' } is matched. Match character '$' OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start ZERO-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: { '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '\\', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/' } is matched. Match character range: '!'..'/' Otherwise, Alternate(2) will be taken IF: The lookahead set: { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' } is matched. Match character range: '0'..'9' Otherwise, Alternate(3) will be taken IF: The lookahead set: { ':' } is matched. Match character ':' Otherwise, Alternate(4) will be taken IF: The lookahead set: { ';' } is matched. Match character ';' Otherwise, Alternate(5) will be taken IF: The lookahead set: { '<' } is matched. Match character '<' Otherwise, Alternate(6) will be taken IF: The lookahead set: { '=' } is matched. Match character '=' Otherwise, Alternate(7) will be taken IF: The lookahead set: { '>' } is matched. Match character '>' Otherwise, Alternate(8) will be taken IF: The lookahead set: { '?' } is matched. Match character '?' 
Otherwise, Alternate(9) will be taken IF: The lookahead set: { '@' } is matched. Match character '@' Otherwise, Alternate(10) will be taken IF: The lookahead set: { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' } is matched. Match character range: 'A'..'Z' Otherwise, Alternate(11) will be taken IF: The lookahead set: { '\\' } is matched. Match character '\\' Otherwise, Alternate(12) will be taken IF: The lookahead set: { '^' } is matched. Match character '^' Otherwise, Alternate(13) will be taken IF: The lookahead set: { '_' } is matched. Match character '_' Otherwise, Alternate(14) will be taken IF: The lookahead set: { '`' } is matched. Match character '`' Otherwise, Alternate(15) will be taken IF: The lookahead set: { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' } is matched. Match character range: 'a'..'z' OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. End ZERO-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mWORD *** Lexer Rule: mSTRING Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '"' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '"' } is matched. Match character '"' Start ZERO-OR-MORE (...)+ block: Start of an alternative block. 
The lookahead set for this block is: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\n', '\u000b', '\u000c', '\r', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', '\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', 
'\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '\u0003', '\u0004', '\u0005', '\u0006', '\u0007', '\u0008', '\t', '\n', '\u000b', '\u000c', '\r', '\u000e', '\u000f', '\u0010', '\u0011', '\u0012', '\u0013', '\u0014', '\u0015', '\u0016', '\u0017', '\u0018', '\u0019', '\u001a', '\u001b', '\u001c', '\u001d', '\u001e', '\u001f', ' ', '!', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\u007f', '\u0080', '\u0081', '\u0082', '\u0083', '\u0084', '\u0085', '\u0086', '\u0087', '\u0088', '\u0089', '\u008a', '\u008b', '\u008c', '\u008d', '\u008e', '\u008f', '\u0090', '\u0091', '\u0092', '\u0093', '\u0094', '\u0095', '\u0096', '\u0097', '\u0098', '\u0099', '\u009a', '\u009b', '\u009c', '\u009d', '\u009e', '\u009f', '\u00a0', '\u00a1', '\u00a2', '\u00a3', '\u00a4', '\u00a5', '\u00a6', '\u00a7', '\u00a8', '\u00a9', '\u00aa', '\u00ab', '\u00ac', '\u00ad', '\u00ae', '\u00af', '\u00b0', '\u00b1', '\u00b2', '\u00b3', '\u00b4', '\u00b5', '\u00b6', '\u00b7', '\u00b8', '\u00b9', '\u00ba', '\u00bb', '\u00bc', '\u00bd', '\u00be', '\u00bf', '\u00c0', '\u00c1', '\u00c2', '\u00c3', '\u00c4', '\u00c5', '\u00c6', '\u00c7', '\u00c8', '\u00c9', '\u00ca', '\u00cb', '\u00cc', '\u00cd', '\u00ce', '\u00cf', '\u00d0', '\u00d1', '\u00d2', '\u00d3', '\u00d4', '\u00d5', '\u00d6', '\u00d7', '\u00d8', '\u00d9', '\u00da', '\u00db', '\u00dc', '\u00dd', '\u00de', '\u00df', '\u00e0', '\u00e1', '\u00e2', '\u00e3', '\u00e4', '\u00e5', '\u00e6', '\u00e7', '\u00e8', '\u00e9', '\u00ea', 
'\u00eb', '\u00ec', '\u00ed', '\u00ee', '\u00ef', '\u00f0', '\u00f1', '\u00f2', '\u00f3', '\u00f4', '\u00f5', '\u00f6', '\u00f7', '\u00f8', '\u00f9', '\u00fa', '\u00fb', '\u00fc', '\u00fd', '\u00fe', '\u00ff' } is matched. Match character NOT '"' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ZERO-OR-MORE block. Match character '"' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mSTRING *** Lexer Rule: mPIPE_CHAR Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '|' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '|' } is matched. Match character '|' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mPIPE_CHAR *** Lexer Rule: mNUMBER_SIGN Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '#' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '#' } is matched. Match character '#' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mNUMBER_SIGN *** Lexer Rule: mPERCENT Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '%' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '%' } is matched. Match character '%' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mPERCENT *** Lexer Rule: mAMPERSAND Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '&' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '&' } is matched. 
Match character '&' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mAMPERSAND *** Lexer Rule: mAPOSTROPHE Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '\'' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '\'' } is matched. Match character '\'' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mAPOSTROPHE *** Lexer Rule: mOPENING_PAREN Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '(' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '(' } is matched. Match character '(' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mOPENING_PAREN *** Lexer Rule: mCLOSING_PAREN Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { ')' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { ')' } is matched. Match character ')' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mCLOSING_PAREN *** Lexer Rule: mSTAR Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '*' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '*' } is matched. Match character '*' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mSTAR *** Lexer Rule: mPLUS Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. 
The lookahead set for this block is: { '+' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '+' } is matched. Match character '+' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mPLUS *** Lexer Rule: mCOMMA Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { ',' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { ',' } is matched. Match character ',' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mCOMMA *** Lexer Rule: mMINUS Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '-' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '-' } is matched. Match character '-' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mMINUS *** Lexer Rule: mSLASH Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '/' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '/' } is matched. Match character '/' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mSLASH *** Lexer Rule: mSEMICOLON Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { ';' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { ';' } is matched. Match character ';' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
*** End Lexer Rule: mSEMICOLON *** Lexer Rule: mLESS_THAN Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '<' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '<' } is matched. Match character '<' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mLESS_THAN *** Lexer Rule: mEQUALS Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '=' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '=' } is matched. Match character '=' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mEQUALS *** Lexer Rule: mGREATER_THAN Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '>' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '>' } is matched. Match character '>' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mGREATER_THAN *** Lexer Rule: mQUESTION Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '?' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '?' } is matched. Match character '?' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mQUESTION *** Lexer Rule: mCOMMERCIAL_AT Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '@' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '@' } is matched. 
Match character '@' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mCOMMERCIAL_AT *** Lexer Rule: mOPENING_SQUARE Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '[' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '[' } is matched. Match character '[' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mOPENING_SQUARE *** Lexer Rule: mCLOSING_SQUARE Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { ']' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { ']' } is matched. Match character ']' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mCLOSING_SQUARE *** Lexer Rule: mCARET Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '^' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '^' } is matched. Match character '^' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mCARET *** Lexer Rule: mUNDERLINE Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '_' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '_' } is matched. Match character '_' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mUNDERLINE *** Lexer Rule: mOPENING_BRACE Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. 
The lookahead set for this block is: { '{' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '{' } is matched. Match character '{' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mOPENING_BRACE *** Lexer Rule: mCLOSING_BRACE Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '}' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '}' } is matched. Match character '}' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mCLOSING_BRACE *** Lexer Rule: mTILDE Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '~' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '~' } is matched. Match character '~' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. *** End Lexer Rule: mTILDE *** Lexer Rule: mEXLAMATION Access: public Return value: lexical rule returns an implicit token type Start of an alternative block. The lookahead set for this block is: { '!' } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { '!' } is matched. Match character '!' OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
*** End Lexer Rule: mEXLAMATION *** End User-defined Lexer rules: fwbuilder-5.3.7/src/parsers/PIXCfgParser.cpp000066400000000000000000004671021303637203600207350ustar00rootroot00000000000000/* $ANTLR 2.7.7 (20090306): "pix.g" -> "PIXCfgParser.cpp"$ */ #line 42 "pix.g" // gets inserted before the antlr generated includes in the cpp // file #line 8 "PIXCfgParser.cpp" #include "PIXCfgParser.hpp" #include #include #include #line 48 "pix.g" // gets inserted after the antlr generated includes in the cpp // file #include #include #line 20 "PIXCfgParser.cpp" #line 1 "pix.g" #line 22 "PIXCfgParser.cpp" PIXCfgParser::PIXCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,k) { } PIXCfgParser::PIXCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf) : ANTLR_USE_NAMESPACE(antlr)LLkParser(tokenBuf,2) { } PIXCfgParser::PIXCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,k) { } PIXCfgParser::PIXCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer) : ANTLR_USE_NAMESPACE(antlr)LLkParser(lexer,2) { } PIXCfgParser::PIXCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state) : ANTLR_USE_NAMESPACE(antlr)LLkParser(state,2) { } void PIXCfgParser::cfgfile() { try { // for error handling { // ( ... 
)+ int _cnt3=0; for (;;) { switch ( LA(1)) { case LINE_COMMENT: case COLON_COMMENT: { comment(); break; } case PIX_WORD: case ASA_WORD: case FWSM_WORD: { version(); break; } case HOSTNAME: { hostname(); break; } case INTRFACE: { intrface(); break; } case NAMEIF: { nameif_top_level(); break; } case CONTROLLER: { controller(); break; } case ACCESS_LIST: { access_list_commands(); break; } case SSH: { ssh_command(); break; } case TELNET: { telnet_command(); break; } case HTTP: { http_command(); break; } case ICMP: { icmp_top_level_command(); break; } case NAT: { nat_top_level_command(); break; } case GLOBAL: { global_top_level_command(); break; } case STATIC: { static_top_level_command(); break; } case ACCESS_GROUP: { access_group(); break; } case EXIT: { exit(); break; } case CERTIFICATE: { certificate(); break; } case QUIT: { quit(); break; } case NAMES: { names_section(); break; } case NAME: { name_entry(); break; } case CRYPTO: { crypto(); break; } case NO: { no_commands(); break; } case TIMEOUT: { timeout_command(); break; } case DNS: { dns_command(); break; } case SERVICE: { service_top_level_command(); break; } case PIM: { pim_top_level_command(); break; } case NETWORK: { network_top_level_command(); break; } case WORD: { unknown_command(); break; } case NEWLINE: { match(NEWLINE); break; } default: if ((LA(1) == IP) && (LA(2) == COMMUNITY_LIST)) { community_list_command(); } else if ((LA(1) == IP) && (LA(2) == WORD)) { unknown_ip_command(); } else if ((LA(1) == IP) && (LA(2) == ADDRESS)) { intf_address(); } else if ((LA(1) == OBJECT) && (LA(2) == NETWORK)) { named_object_network(); } else if ((LA(1) == OBJECT) && (LA(2) == SERVICE)) { named_object_service(); } else if ((LA(1) == OBJECT_GROUP) && (LA(2) == NETWORK)) { object_group_network(); } else if ((LA(1) == OBJECT_GROUP) && (LA(2) == SERVICE)) { object_group_service(); } else if ((LA(1) == OBJECT_GROUP) && (LA(2) == PROTOCOL)) { object_group_protocol(); } else if ((LA(1) == OBJECT_GROUP) && (LA(2) == 
ICMP_OBJECT)) { object_group_icmp_8_0(); } else if ((LA(1) == OBJECT_GROUP) && (LA(2) == ICMP_TYPE)) { object_group_icmp_8_3(); } else { if ( _cnt3>=1 ) { goto _loop3; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());} } } _cnt3++; } _loop3:; } // ( ... )+ } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_0); } else { throw; } } } void PIXCfgParser::comment() { try { // for error handling { switch ( LA(1)) { case LINE_COMMENT: { match(LINE_COMMENT); break; } case COLON_COMMENT: { match(COLON_COMMENT); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::version() { #line 874 "pix.g" std::string platform; #line 288 "PIXCfgParser.cpp" try { // for error handling { switch ( LA(1)) { case PIX_WORD: { match(PIX_WORD); break; } case ASA_WORD: { match(ASA_WORD); break; } case FWSM_WORD: { match(FWSM_WORD); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 878 "pix.g" platform = LT(0)->getText(); #line 319 "PIXCfgParser.cpp" } match(VERSION_WORD_CAP); match(NUMBER); if ( inputState->guessing==0 ) { #line 882 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->setDiscoveredPlatform(platform); importer->setDiscoveredVersion(LT(0)->getText()); *dbg << "VERSION " << LT(0)->getText() << std::endl; consumeUntil(NEWLINE); #line 332 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::hostname() { try { // for error handling match(HOSTNAME); { switch ( LA(1)) { case STRING: { 
match(STRING); break; } case WORD: { match(WORD); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 893 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); // we get host name in the import wizard //importer->setHostName( LT(0)->getText() ); *dbg << "HOSTNAME " << "LT0=" << LT(0)->getText() << std::endl; #line 375 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::community_list_command() { try { // for error handling match(IP); match(COMMUNITY_LIST); if ( inputState->guessing==0 ) { #line 203 "pix.g" consumeUntil(NEWLINE); #line 398 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::unknown_ip_command() { try { // for error handling match(IP); match(WORD); if ( inputState->guessing==0 ) { #line 814 "pix.g" consumeUntil(NEWLINE); #line 421 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::intrface() { try { // for error handling match(INTRFACE); { if ((LA(1) == WORD) && (_tokenSet_2.member(LA(2)))) { interface_command_6(); } else if ((LA(1) == WORD) && (LA(2) == NEWLINE)) { interface_command_7(); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::nameif_top_level() { #line 1474 "pix.g" std::string intf_name, intf_label, sec_level; #line 466 "PIXCfgParser.cpp" try { // for error handling match(NAMEIF); match(WORD); 
if ( inputState->guessing==0 ) { #line 1479 "pix.g" intf_name = LT(0)->getText(); #line 474 "PIXCfgParser.cpp" } interface_label(); if ( inputState->guessing==0 ) { #line 1480 "pix.g" intf_label = LT(0)->getText(); #line 480 "PIXCfgParser.cpp" } match(WORD); if ( inputState->guessing==0 ) { #line 1481 "pix.g" sec_level = LT(0)->getText(); #line 486 "PIXCfgParser.cpp" } if ( inputState->guessing==0 ) { #line 1482 "pix.g" importer->setInterfaceParametes(intf_name, intf_label, sec_level); *dbg << " NAMEIF: " << intf_name << " " << intf_label << " " << sec_level << std::endl; #line 497 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::intf_address() { try { // for error handling match(IP); match(ADDRESS); { switch ( LA(1)) { case WORD: case OUTSIDE: { v6_ip_address(); break; } case IPV4: case DHCP: { v7_ip_address(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::controller() { try { // for error handling match(CONTROLLER); if ( inputState->guessing==0 ) { #line 1386 "pix.g" importer->clearCurrentInterface(); consumeUntil(NEWLINE); #line 556 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::access_list_commands() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(ACCESS_LIST); name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 904 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newUnidirRuleSet( name->getText(), 
libfwbuilder::Policy::TYPENAME ); *dbg << name->getLine() << ":" << " ACL ext " << name->getText() << std::endl; #line 586 "PIXCfgParser.cpp" } { switch ( LA(1)) { case LINE_COMMENT: case COLON_COMMENT: { comment(); break; } case REMARK: { remark(); break; } case NEWLINE: { match(NEWLINE); break; } default: if ((LA(1) == EXTENDED || LA(1) == PERMIT) && (_tokenSet_3.member(LA(2)))) { permit_extended(); } else if ((LA(1) == EXTENDED || LA(1) == DENY) && (_tokenSet_4.member(LA(2)))) { deny_extended(); } else if ((LA(1) == STANDARD) && (LA(2) == PERMIT)) { permit_standard(); } else if ((LA(1) == STANDARD) && (LA(2) == DENY)) { deny_standard(); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 927 "pix.g" *dbg << LT(0)->getLine() << ":" << " ACL line end" << std::endl << std::endl; #line 630 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::ssh_command() { try { // for error handling match(SSH); if ( inputState->guessing==0 ) { #line 1732 "pix.g" importer->clear(); #line 652 "PIXCfgParser.cpp" } { switch ( LA(1)) { case TIMEOUT: { { match(TIMEOUT); match(INT_CONST); } if ( inputState->guessing==0 ) { #line 1737 "pix.g" // set ssh timeout here #line 667 "PIXCfgParser.cpp" } break; } case SCOPY: { match(SCOPY); break; } case VERSION_WORD_LOW: { match(VERSION_WORD_LOW); match(INT_CONST); break; } case IPV4: case OBJECT: case HOST: case OBJECT_GROUP: case INTRFACE: case ANY: { { hostaddr_expr(); if ( inputState->guessing==0 ) { #line 1747 "pix.g" importer->SaveTmpAddrToSrc(); #line 696 "PIXCfgParser.cpp" } interface_label(); } if ( inputState->guessing==0 ) { #line 1752 "pix.g" std::string intf_label = LT(0)->getText(); std::string acl_name = "ssh_commands_" + intf_label; importer->setCurrentLineNumber(LT(0)->getLine()); 
importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME ); importer->newPolicyRule(); importer->action = "permit"; importer->setDstSelf(); importer->protocol = "tcp"; importer->dst_port_op = "eq"; importer->dst_port_spec = "ssh"; importer->setInterfaceAndDirectionForRuleSet( acl_name, intf_label, "in" ); importer->pushRule(); *dbg << std::endl; #line 718 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::telnet_command() { try { // for error handling match(TELNET); if ( inputState->guessing==0 ) { #line 1772 "pix.g" importer->clear(); #line 748 "PIXCfgParser.cpp" } { switch ( LA(1)) { case TIMEOUT: { { match(TIMEOUT); match(INT_CONST); } break; } case IPV4: case OBJECT: case HOST: case OBJECT_GROUP: case INTRFACE: case ANY: { { hostaddr_expr(); if ( inputState->guessing==0 ) { #line 1779 "pix.g" importer->SaveTmpAddrToSrc(); #line 774 "PIXCfgParser.cpp" } interface_label(); } if ( inputState->guessing==0 ) { #line 1784 "pix.g" std::string intf_label = LT(0)->getText(); std::string acl_name = "telnet_commands_" + intf_label; importer->setCurrentLineNumber(LT(0)->getLine()); importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME ); importer->newPolicyRule(); importer->action = "permit"; importer->setDstSelf(); importer->protocol = "tcp"; importer->dst_port_op = "eq"; importer->dst_port_spec = "telnet"; importer->setInterfaceAndDirectionForRuleSet( acl_name, intf_label, "in" ); importer->pushRule(); *dbg << std::endl; #line 796 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { 
throw; } } } void PIXCfgParser::http_command() { try { // for error handling match(HTTP); if ( inputState->guessing==0 ) { #line 1806 "pix.g" importer->clear(); #line 826 "PIXCfgParser.cpp" } { switch ( LA(1)) { case REDIRECT: case AUTHENTICATION_CERTIFICATE: case SERVER: { { switch ( LA(1)) { case AUTHENTICATION_CERTIFICATE: { match(AUTHENTICATION_CERTIFICATE); break; } case REDIRECT: { match(REDIRECT); break; } case SERVER: { match(SERVER); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1811 "pix.g" consumeUntil(NEWLINE); #line 862 "PIXCfgParser.cpp" } break; } case IPV4: case OBJECT: case HOST: case OBJECT_GROUP: case INTRFACE: case ANY: { { hostaddr_expr(); if ( inputState->guessing==0 ) { #line 1817 "pix.g" importer->SaveTmpAddrToSrc(); #line 880 "PIXCfgParser.cpp" } interface_label(); } if ( inputState->guessing==0 ) { #line 1822 "pix.g" std::string intf_label = LT(0)->getText(); std::string acl_name = "http_commands_" + intf_label; importer->setCurrentLineNumber(LT(0)->getLine()); importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME ); importer->newPolicyRule(); importer->action = "permit"; importer->setDstSelf(); importer->protocol = "tcp"; importer->dst_port_op = "eq"; importer->dst_port_spec = "www"; importer->setInterfaceAndDirectionForRuleSet( acl_name, intf_label, "in" ); importer->pushRule(); *dbg << std::endl; #line 903 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::icmp_top_level_command() { ANTLR_USE_NAMESPACE(antlr)RefToken permit = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken deny = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(ICMP); { 
switch ( LA(1)) { case UNREACHABLE: { { match(UNREACHABLE); if ( inputState->guessing==0 ) { #line 1852 "pix.g" consumeUntil(NEWLINE); #line 941 "PIXCfgParser.cpp" } } break; } case PERMIT: case DENY: { { { switch ( LA(1)) { case PERMIT: { permit = LT(1); match(PERMIT); break; } case DENY: { deny = LT(1); match(DENY); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1859 "pix.g" importer->clear(); #line 975 "PIXCfgParser.cpp" } hostaddr_expr(); if ( inputState->guessing==0 ) { #line 1863 "pix.g" importer->SaveTmpAddrToSrc(); #line 983 "PIXCfgParser.cpp" } { switch ( LA(1)) { case INT_CONST: case ECHO: case ECHO_REPLY: case TIME_EXCEEDED: case UNREACHABLE: { icmp_types_for_icmp_command(); break; } case WORD: case OUTSIDE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } interface_label(); if ( inputState->guessing==0 ) { #line 1868 "pix.g" std::string intf_label = LT(0)->getText(); std::string acl_name = "icmp_commands_" + intf_label; importer->setCurrentLineNumber(LT(0)->getLine()); importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME ); importer->newPolicyRule(); if (permit) importer->action = "permit"; if (deny) importer->action = "deny"; importer->setDstSelf(); importer->protocol = "icmp"; importer->setInterfaceAndDirectionForRuleSet( acl_name, intf_label, "in" ); importer->pushRule(); #line 1024 "PIXCfgParser.cpp" } } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::nat_top_level_command() { try { // for error handling match(NAT); match(OPENING_PAREN); if ( inputState->guessing==0 ) { #line 1954 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); 
#line 1057 "PIXCfgParser.cpp" } { if ((LA(1) == WORD || LA(1) == OUTSIDE) && (LA(2) == CLOSING_PAREN)) { nat_old_top_level_command(); } else if ((LA(1) == WORD || LA(1) == OUTSIDE) && (LA(2) == COMMA)) { nat_new_top_level_command(); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void PIXCfgParser::global_top_level_command() { ANTLR_USE_NAMESPACE(antlr)RefToken num = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(GLOBAL); match(OPENING_PAREN); if ( inputState->guessing==0 ) { #line 2075 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); #line 1094 "PIXCfgParser.cpp" } interface_label(); if ( inputState->guessing==0 ) { #line 2080 "pix.g" importer->tmp_global_pool.pool_interface = LT(0)->getText(); #line 1102 "PIXCfgParser.cpp" } match(CLOSING_PAREN); num = LT(1); match(INT_CONST); if ( inputState->guessing==0 ) { #line 2085 "pix.g" importer->tmp_global_pool.str_num = num->getText(); importer->tmp_global_pool.netmask = "255.255.255.255"; *dbg << " GLOBAL POOL " << importer->tmp_global_pool.str_num << " " << importer->tmp_global_pool.pool_interface; #line 1117 "PIXCfgParser.cpp" } { switch ( LA(1)) { case INTRFACE: { match(INTRFACE); if ( inputState->guessing==0 ) { #line 2098 "pix.g" importer->tmp_global_pool.start = LT(0)->getText(); importer->tmp_global_pool.end = LT(0)->getText(); #line 1130 "PIXCfgParser.cpp" } break; } case IPV4: case IPV6: { single_addr(); if ( inputState->guessing==0 ) { #line 2104 "pix.g" importer->tmp_global_pool.start = importer->tmp_a; importer->tmp_global_pool.end = importer->tmp_a; #line 1144 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case MINUS: { match(MINUS); single_addr(); if ( 
inputState->guessing==0 ) { #line 2113 "pix.g" importer->tmp_global_pool.end = importer->tmp_a; #line 1165 "PIXCfgParser.cpp" } break; } case NEWLINE: case NETMASK: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case NETMASK: { match(NETMASK); match(IPV4); if ( inputState->guessing==0 ) { #line 2122 "pix.g" importer->tmp_global_pool.netmask = LT(0)->getText(); #line 1191 "PIXCfgParser.cpp" } break; } case NEWLINE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(NEWLINE); if ( inputState->guessing==0 ) { #line 2128 "pix.g" importer->addGlobalPool(); *dbg << " " << importer->tmp_global_pool.start << " " << importer->tmp_global_pool.end << " " << importer->tmp_global_pool.netmask << std::endl; #line 1215 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::static_top_level_command() { try { // for error handling match(STATIC); match(OPENING_PAREN); if ( inputState->guessing==0 ) { #line 2140 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); #line 1239 "PIXCfgParser.cpp" } interface_label(); if ( inputState->guessing==0 ) { #line 2144 "pix.g" importer->prenat_interface = LT(0)->getText(); #line 1245 "PIXCfgParser.cpp" } match(COMMA); interface_label(); if ( inputState->guessing==0 ) { #line 2146 "pix.g" importer->postnat_interface = LT(0)->getText(); #line 1252 "PIXCfgParser.cpp" } match(CLOSING_PAREN); if ( inputState->guessing==0 ) { #line 2148 "pix.g" importer->newUnidirRuleSet("nat", libfwbuilder::NAT::TYPENAME ); *dbg << " DNAT rule "; importer->rule_type = libfwbuilder::NATRule::DNAT; #line 1262 "PIXCfgParser.cpp" } { switch ( LA(1)) { case IPV4: case IPV6: case INTRFACE: { static_starts_with_hostaddr(); break; } case TCP: case UDP: { 
static_starts_with_tcp_udp(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(NEWLINE); if ( inputState->guessing==0 ) { #line 2163 "pix.g" importer->pushNATRule(); *dbg << std::endl; #line 1292 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::access_group() { ANTLR_USE_NAMESPACE(antlr)RefToken aclname = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken dir = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(ACCESS_GROUP); aclname = LT(1); match(WORD); dir = LT(1); match(WORD); match(INTRFACE); interface_label(); if ( inputState->guessing==0 ) { #line 1927 "pix.g" std::string intf_label = LT(0)->getText(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->setInterfaceAndDirectionForRuleSet( aclname->getText(), intf_label, dir->getText() ); *dbg << LT(1)->getLine() << ":" << " INTRFACE: ACL '" << aclname->getText() << "'" << " " << intf_label << " " << dir->getText() << std::endl; #line 1331 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::exit() { try { // for error handling match(EXIT); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::certificate() { try { // for error handling match(CERTIFICATE); match(WORD); if ( inputState->guessing==0 ) { #line 867 "pix.g" consumeUntil(NEWLINE); consumeUntil(QUIT); #line 1370 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::quit() { try { 
// for error handling match(QUIT); if ( inputState->guessing==0 ) { #line 196 "pix.g" consumeUntil(NEWLINE); #line 1392 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::names_section() { try { // for error handling match(NAMES); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::name_entry() { try { // for error handling match(NAME); { switch ( LA(1)) { case IPV4: { name_entry_ipv4(); break; } case IPV6: { name_entry_ipv6(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::named_object_network() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(OBJECT); match(NETWORK); name = LT(1); match(WORD); match(NEWLINE); if ( inputState->guessing==0 ) { #line 258 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newNamedObjectAddress(name->getText()); *dbg << name->getLine() << ":" << " Named Object " << name->getText() << std::endl; #line 1471 "PIXCfgParser.cpp" } { // ( ... )* for (;;) { switch ( LA(1)) { case DESCRIPTION: { named_object_description(); break; } case HOST: case RANGE: case SUBNET: { named_object_network_parameters(); break; } default: if ((LA(1) == NAT) && (LA(2) == OPENING_PAREN)) { named_object_nat(); } else { goto _loop18; } } } _loop18:; } // ( ... 
)* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::named_object_service() { try { // for error handling match(OBJECT); match(SERVICE); if ( inputState->guessing==0 ) { #line 371 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); #line 1521 "PIXCfgParser.cpp" } { switch ( LA(1)) { case WORD: { match(WORD); break; } case HTTP: { match(HTTP); break; } case SSH: { match(SSH); break; } case TELNET: { match(TELNET); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 376 "pix.g" importer->newNamedObjectService(LT(0)->getText()); *dbg << " NAMED OBJECT " << LT(0)->getText() << std::endl; #line 1557 "PIXCfgParser.cpp" } match(NEWLINE); { // ( ... )* for (;;) { if ((LA(1) == DESCRIPTION)) { named_object_description(); } else if ((LA(1) == SERVICE) && (_tokenSet_6.member(LA(2)))) { named_object_service_parameters(); } else { goto _loop35; } } _loop35:; } // ( ... )* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::object_group_network() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(OBJECT_GROUP); match(NETWORK); name = LT(1); match(WORD); match(NEWLINE); if ( inputState->guessing==0 ) { #line 491 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupNetwork(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; #line 1604 "PIXCfgParser.cpp" } { // ( ... )* for (;;) { if ((LA(1) == DESCRIPTION || LA(1) == GROUP_OBJECT || LA(1) == NETWORK_OBJECT)) { object_group_network_parameters(); } else { goto _loop54; } } _loop54:; } // ( ... 
)* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::object_group_service() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken tcp = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken udp = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken tcpudp = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(OBJECT_GROUP); match(SERVICE); name = LT(1); match(WORD); { switch ( LA(1)) { case TCP: { tcp = LT(1); match(TCP); break; } case UDP: { udp = LT(1); match(UDP); break; } case TCP_UDP: { tcpudp = LT(1); match(TCP_UDP); break; } case NEWLINE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(NEWLINE); if ( inputState->guessing==0 ) { #line 713 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupService(name->getText()); if (tcp) importer->setObjectGroupServiceProtocol("tcp"); if (udp) importer->setObjectGroupServiceProtocol("udp"); if (tcpudp) importer->setObjectGroupServiceProtocol("tcp-udp"); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; #line 1683 "PIXCfgParser.cpp" } { // ( ... )* for (;;) { if ((_tokenSet_7.member(LA(1)))) { object_group_service_parameters(); } else { goto _loop86; } } _loop86:; } // ( ... 
)* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::object_group_protocol() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(OBJECT_GROUP); match(PROTOCOL); name = LT(1); match(WORD); match(NEWLINE); if ( inputState->guessing==0 ) { #line 589 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupProtocol(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; #line 1726 "PIXCfgParser.cpp" } { // ( ... )+ int _cnt66=0; for (;;) { if ((LA(1) == DESCRIPTION || LA(1) == GROUP_OBJECT || LA(1) == PROTOCOL_OBJECT)) { object_group_protocol_parameters(); } else { if ( _cnt66>=1 ) { goto _loop66; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());} } _cnt66++; } _loop66:; } // ( ... )+ } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::object_group_icmp_8_0() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(OBJECT_GROUP); match(ICMP_OBJECT); name = LT(1); match(WORD); match(NEWLINE); if ( inputState->guessing==0 ) { #line 644 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupICMP(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; #line 1771 "PIXCfgParser.cpp" } { // ( ... )* for (;;) { if ((LA(1) == DESCRIPTION || LA(1) == GROUP_OBJECT || LA(1) == ICMP_OBJECT)) { object_group_icmp_parameters(); } else { goto _loop74; } } _loop74:; } // ( ... 
)* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::object_group_icmp_8_3() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(OBJECT_GROUP); match(ICMP_TYPE); name = LT(1); match(WORD); match(NEWLINE); if ( inputState->guessing==0 ) { #line 657 "pix.g" importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupICMP(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; #line 1814 "PIXCfgParser.cpp" } { // ( ... )* for (;;) { if ((LA(1) == DESCRIPTION || LA(1) == GROUP_OBJECT || LA(1) == ICMP_OBJECT)) { object_group_icmp_parameters(); } else { goto _loop77; } } _loop77:; } // ( ... )* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::crypto() { try { // for error handling match(CRYPTO); if ( inputState->guessing==0 ) { #line 807 "pix.g" consumeUntil(NEWLINE); #line 1848 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::no_commands() { try { // for error handling match(NO); if ( inputState->guessing==0 ) { #line 858 "pix.g" *dbg << " TOP LEVEL \"NO\" COMMAND: " << LT(0)->getText() << std::endl; consumeUntil(NEWLINE); #line 1872 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::timeout_command() { try { // for error handling match(TIMEOUT); if ( inputState->guessing==0 ) { #line 210 "pix.g" consumeUntil(NEWLINE); #line 1894 "PIXCfgParser.cpp" } } catch 
(ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::dns_command() { try { // for error handling match(DNS); if ( inputState->guessing==0 ) { #line 828 "pix.g" consumeUntil(NEWLINE); #line 1916 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::service_top_level_command() { try { // for error handling match(SERVICE); { switch ( LA(1)) { case CALL_HOME: { match(CALL_HOME); break; } case INTERNAL: { match(INTERNAL); break; } case PASSWORD_RECOVERY: { match(PASSWORD_RECOVERY); break; } case RESETINBOUND: { match(RESETINBOUND); break; } case RESETOUTBOUND: { match(RESETOUTBOUND); break; } case RESETOUTSIDE: { match(RESETOUTSIDE); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 851 "pix.g" consumeUntil(NEWLINE); #line 1976 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::pim_top_level_command() { try { // for error handling match(PIM); if ( inputState->guessing==0 ) { #line 218 "pix.g" consumeUntil(NEWLINE); #line 1998 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::network_top_level_command() { try { // for error handling match(NETWORK); if ( inputState->guessing==0 ) { #line 226 "pix.g" consumeUntil(NEWLINE); #line 2020 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void 
PIXCfgParser::unknown_command() { try { // for error handling match(WORD); if ( inputState->guessing==0 ) { #line 821 "pix.g" consumeUntil(NEWLINE); #line 2042 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::name_entry_ipv4() { try { // for error handling match(IPV4); match(WORD); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::name_entry_ipv6() { try { // for error handling match(IPV6); match(WORD); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::ip_protocol_names() { try { // for error handling { switch ( LA(1)) { case AH: { match(AH); break; } case EIGRP: { match(EIGRP); break; } case ESP_WORD: { match(ESP_WORD); break; } case GRE: { match(GRE); break; } case IGMP: { match(IGMP); break; } case IGRP: { match(IGRP); break; } case IP: { match(IP); break; } case IPINIP: { match(IPINIP); break; } case IPSEC: { match(IPSEC); break; } case NOS: { match(NOS); break; } case OSPF: { match(OSPF); break; } case PCP: { match(PCP); break; } case PIM: { match(PIM); break; } case PPTP: { match(PPTP); break; } case SNP: { match(SNP); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_8); } else { throw; } } } void PIXCfgParser::named_object_nat() { try { // for error handling nat_top_level_command(); if ( inputState->guessing==0 ) { #line 286 "pix.g" *dbg << "Named object with singleton nat command" << std::endl; importer->addMessageToLog( QString("Warning: " "Import of named objects 
with \"nat\" command " "is not supported at this time")); consumeUntil(NEWLINE); #line 2198 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void PIXCfgParser::named_object_description() { try { // for error handling match(DESCRIPTION); if ( inputState->guessing==0 ) { #line 297 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); *dbg << LT(1)->getLine() << ":"; std::string descr; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { descr += LT(1)->getText() + " "; consume(); } importer->setNamedObjectDescription(descr); *dbg << " DESCRIPTION " << descr << std::endl; #line 2229 "PIXCfgParser.cpp" } match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void PIXCfgParser::named_object_network_parameters() { try { // for error handling { switch ( LA(1)) { case HOST: { host_addr(); break; } case RANGE: { range_addr(); break; } case SUBNET: { subnet_addr(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void PIXCfgParser::host_addr() { try { // for error handling match(HOST); single_addr(); if ( inputState->guessing==0 ) { #line 313 "pix.g" importer->commitNamedAddressObject(); #line 2291 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::range_addr() { ANTLR_USE_NAMESPACE(antlr)RefToken r1 = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken r2 = ANTLR_USE_NAMESPACE(antlr)nullToken; try { 
// for error handling { match(RANGE); r1 = LT(1); match(IPV4); r2 = LT(1); match(IPV4); } if ( inputState->guessing==0 ) { #line 337 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->tmp_range_1 = r1->getText(); importer->tmp_range_2 = r2->getText(); importer->commitNamedAddressRangeObject(); *dbg << r1->getText() << "/" << r2->getText(); #line 2325 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::subnet_addr() { ANTLR_USE_NAMESPACE(antlr)RefToken a = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken nm = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken v6 = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling { match(SUBNET); { switch ( LA(1)) { case IPV4: { { a = LT(1); match(IPV4); nm = LT(1); match(IPV4); } break; } case IPV6: { v6 = LT(1); match(IPV6); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } if ( inputState->guessing==0 ) { #line 347 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); if (a) { importer->tmp_a = a->getText(); importer->tmp_nm = nm->getText(); importer->commitNamedAddressObject(); *dbg << a->getText() << "/" << nm->getText(); } if (v6) { importer->addMessageToLog( QString("Warning: IPv6 import is not supported. 
")); consumeUntil(NEWLINE); } #line 2389 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::single_addr() { ANTLR_USE_NAMESPACE(antlr)RefToken h = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken v6 = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling { switch ( LA(1)) { case IPV4: { h = LT(1); match(IPV4); break; } case IPV6: { v6 = LT(1); match(IPV6); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 319 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); if (h) { importer->tmp_a = h->getText(); importer->tmp_nm = "255.255.255.255"; *dbg << importer->tmp_a << " "; } if (v6) { importer->addMessageToLog( QString("Warning: IPv6 import is not supported. ")); consumeUntil(NEWLINE); } #line 2444 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_10); } else { throw; } } } void PIXCfgParser::named_object_service_parameters() { try { // for error handling { if ((LA(1) == SERVICE) && (LA(2) == ICMP)) { service_icmp(); } else if ((LA(1) == SERVICE) && (LA(2) == ICMP6)) { service_icmp6(); } else if ((LA(1) == SERVICE) && (LA(2) == TCP || LA(2) == UDP)) { service_tcp_udp(); } else if ((LA(1) == SERVICE) && (_tokenSet_11.member(LA(2)))) { service_other(); } else if ((LA(1) == SERVICE) && (LA(2) == WORD)) { service_unknown(); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_12); } else { throw; } } } void PIXCfgParser::service_icmp() { ANTLR_USE_NAMESPACE(antlr)RefToken icmp_type = 
ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(SERVICE); match(ICMP); { switch ( LA(1)) { case INT_CONST: { icmp_type = LT(1); match(INT_CONST); if ( inputState->guessing==0 ) { #line 406 "pix.g" importer->icmp_type = LT(0)->getText(); #line 2510 "PIXCfgParser.cpp" } break; } case ECHO: case ALTERNATE_ADDRESS: case CONVERSION_ERROR: case ECHO_REPLY: case INFORMATION_REPLY: case INFORMATION_REQUEST: case MASK_REPLY: case MASK_REQUEST: case MOBILE_REDIRECT: case PARAMETER_PROBLEM: case REDIRECT: case ROUTER_ADVERTISEMENT: case ROUTER_SOLICITATION: case SOURCE_QUENCH: case TIME_EXCEEDED: case TIMESTAMP_REPLY: case TIMESTAMP_REQUEST: case TRACEROUTE: case UNREACHABLE: { icmp_names(); if ( inputState->guessing==0 ) { #line 411 "pix.g" importer->icmp_spec = LT(0)->getText(); #line 2540 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 415 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->commitNamedICMPServiceObject(); *dbg << "NAMED OBJECT SERVICE ICMP " << LT(0)->getText() << " "; #line 2557 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::service_icmp6() { try { // for error handling match(SERVICE); match(ICMP6); { switch ( LA(1)) { case INT_CONST: { match(INT_CONST); break; } case WORD: { match(WORD); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 423 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Warning: " "Import of IPv6 addresses and servcies " "is not supported at this time")); *dbg << "NAMED OBJECT SERVICE ICMP6 " << LT(0)->getText() << " "; consumeUntil(NEWLINE); #line 2604 "PIXCfgParser.cpp" } } catch 
(ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::service_tcp_udp() { try { // for error handling match(SERVICE); { switch ( LA(1)) { case TCP: { match(TCP); break; } case UDP: { match(UDP); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 435 "pix.g" importer->protocol = LT(0)->getText(); *dbg << "NAMED OBJECT SERVICE " << LT(0)->getText() << " "; #line 2645 "PIXCfgParser.cpp" } { switch ( LA(1)) { case SOURCE: { src_port_spec(); break; } case NEWLINE: case RANGE: case DESTINATION: case P_EQ: case P_GT: case P_LT: case P_NEQ: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case RANGE: case DESTINATION: case P_EQ: case P_GT: case P_LT: case P_NEQ: { dst_port_spec(); break; } case NEWLINE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 441 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->commitNamedTCPUDPServiceObject(); #line 2698 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::service_other() { try { // for error handling match(SERVICE); { switch ( LA(1)) { case INT_CONST: { match(INT_CONST); break; } case IP: case PIM: case AH: case EIGRP: case ESP_WORD: case GRE: case IGMP: case IGRP: case IPINIP: case IPSEC: case NOS: case OSPF: case PCP: case PPTP: case SNP: { ip_protocol_names(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 460 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->protocol = 
LT(0)->getText(); importer->commitNamedIPServiceObject(); *dbg << "NAMED OBJECT SERVICE " << LT(0)->getText() << " "; #line 2755 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::service_unknown() { try { // for error handling match(SERVICE); match(WORD); if ( inputState->guessing==0 ) { #line 475 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->protocol = "ip"; importer->commitNamedIPServiceObject(); std::string err = "Warning: Unknown service name " + LT(0)->getText(); importer->setNamedObjectDescription(err); importer->addMessageToLog(err); *dbg << "UNKNOWN SERVICE " << LT(0)->getText() << " "; #line 2785 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::icmp_names() { try { // for error handling { switch ( LA(1)) { case ALTERNATE_ADDRESS: { match(ALTERNATE_ADDRESS); break; } case CONVERSION_ERROR: { match(CONVERSION_ERROR); break; } case ECHO: { match(ECHO); break; } case ECHO_REPLY: { match(ECHO_REPLY); break; } case INFORMATION_REPLY: { match(INFORMATION_REPLY); break; } case INFORMATION_REQUEST: { match(INFORMATION_REQUEST); break; } case MASK_REPLY: { match(MASK_REPLY); break; } case MASK_REQUEST: { match(MASK_REQUEST); break; } case MOBILE_REDIRECT: { match(MOBILE_REDIRECT); break; } case PARAMETER_PROBLEM: { match(PARAMETER_PROBLEM); break; } case REDIRECT: { match(REDIRECT); break; } case ROUTER_ADVERTISEMENT: { match(ROUTER_ADVERTISEMENT); break; } case ROUTER_SOLICITATION: { match(ROUTER_SOLICITATION); break; } case SOURCE_QUENCH: { match(SOURCE_QUENCH); break; } case TIME_EXCEEDED: { match(TIME_EXCEEDED); break; } case TIMESTAMP_REPLY: { match(TIMESTAMP_REPLY); break; } case TIMESTAMP_REQUEST: { match(TIMESTAMP_REQUEST); break; } case 
TRACEROUTE: { match(TRACEROUTE); break; } case UNREACHABLE: { match(UNREACHABLE); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_13); } else { throw; } } } void PIXCfgParser::src_port_spec() { try { // for error handling match(SOURCE); xoperator(); if ( inputState->guessing==0 ) { #line 448 "pix.g" importer->SaveTmpPortToSrc(); #line 2925 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_14); } else { throw; } } } void PIXCfgParser::dst_port_spec() { try { // for error handling { switch ( LA(1)) { case DESTINATION: { match(DESTINATION); break; } case RANGE: case P_EQ: case P_GT: case P_LT: case P_NEQ: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } xoperator(); if ( inputState->guessing==0 ) { #line 454 "pix.g" importer->SaveTmpPortToDst(); #line 2968 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::xoperator() { #line 1162 "pix.g" importer->tmp_port_spec = ""; #line 2984 "PIXCfgParser.cpp" try { // for error handling switch ( LA(1)) { case P_EQ: case P_GT: case P_LT: case P_NEQ: { single_port_op(); break; } case RANGE: { port_range(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_15); } else { throw; } } } void PIXCfgParser::object_group_network_parameters() { try { // for error handling { switch ( LA(1)) { case DESCRIPTION: { object_group_description(); break; } case GROUP_OBJECT: { 
group_object(); break; } case NETWORK_OBJECT: { network_object(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_16); } else { throw; } } } void PIXCfgParser::object_group_description() { try { // for error handling match(DESCRIPTION); if ( inputState->guessing==0 ) { #line 515 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); *dbg << LT(1)->getLine() << ":"; std::string descr; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { descr += LT(1)->getText() + " "; consume(); } importer->setObjectGroupDescription(descr); *dbg << " DESCRIPTION " << descr << std::endl; #line 3073 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::group_object() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(GROUP_OBJECT); name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 530 "pix.g" importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; #line 3101 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::network_object() { ANTLR_USE_NAMESPACE(antlr)RefToken a = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken nm = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken v6 = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken h = ANTLR_USE_NAMESPACE(antlr)nullToken; 
ANTLR_USE_NAMESPACE(antlr)RefToken hv6 = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(NETWORK_OBJECT); if ( inputState->guessing==0 ) { #line 539 "pix.g" importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); #line 3130 "PIXCfgParser.cpp" } { switch ( LA(1)) { case IPV4: case IPV6: { { switch ( LA(1)) { case IPV4: { { a = LT(1); match(IPV4); nm = LT(1); match(IPV4); } break; } case IPV6: { v6 = LT(1); match(IPV6); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 545 "pix.g" if (a) { importer->tmp_a = a->getText(); importer->tmp_nm = nm->getText(); importer->addNetworkToObjectGroup(); *dbg << a->getText() << "/" << nm->getText(); } if (v6) { importer->addMessageToLog( QString("Warning: IPv6 import is not supported. ")); consumeUntil(NEWLINE); } #line 3178 "PIXCfgParser.cpp" } break; } case HOST: { match(HOST); { switch ( LA(1)) { case IPV4: { h = LT(1); match(IPV4); break; } case IPV6: { hv6 = LT(1); match(IPV6); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 562 "pix.g" if (h) { importer->tmp_a = h->getText(); importer->tmp_nm = "255.255.255.255"; importer->addNetworkToObjectGroup(); *dbg << h->getText() << "/255.255.255.255"; } if (hv6) { importer->addMessageToLog( QString("Warning: IPv6 import is not supported. 
")); consumeUntil(NEWLINE); } #line 3222 "PIXCfgParser.cpp" } break; } case OBJECT: { match(OBJECT); name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 579 "pix.g" importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; #line 3237 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::object_group_protocol_parameters() { try { // for error handling { switch ( LA(1)) { case DESCRIPTION: { object_group_description(); break; } case GROUP_OBJECT: { group_object(); break; } case PROTOCOL_OBJECT: { protocol_object(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_17); } else { throw; } } } void PIXCfgParser::protocol_object() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(PROTOCOL_OBJECT); if ( inputState->guessing==0 ) { #line 613 "pix.g" importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); #line 3307 "PIXCfgParser.cpp" } { switch ( LA(1)) { case IP: case PIM: case AH: case EIGRP: case ESP_WORD: case GRE: case IGMP: case IGRP: case IPINIP: case IPSEC: case NOS: case OSPF: case PCP: case PPTP: case SNP: case ICMP: case INT_CONST: case TCP: case UDP: { { switch ( LA(1)) { case INT_CONST: { match(INT_CONST); break; } case ICMP: { match(ICMP); break; } case TCP: { match(TCP); break; } case UDP: { match(UDP); break; } case IP: case PIM: case AH: case EIGRP: case ESP_WORD: case GRE: case IGMP: case IGRP: case IPINIP: case IPSEC: case NOS: case OSPF: case PCP: case 
PPTP: case SNP: { ip_protocol_names(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 619 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->protocol = LT(0)->getText(); importer->addIPServiceToObjectGroup(); *dbg << " GROUP MEMBER " << LT(0)->getText() << " "; #line 3386 "PIXCfgParser.cpp" } break; } case ICMP6: { match(ICMP6); if ( inputState->guessing==0 ) { #line 627 "pix.g" importer->addMessageToLog( QString("Warning: IPv6 import is not supported. ")); consumeUntil(NEWLINE); #line 3400 "PIXCfgParser.cpp" } break; } case OBJECT: { match(OBJECT); name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 634 "pix.g" importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; #line 3415 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::object_group_icmp_parameters() { try { // for error handling { switch ( LA(1)) { case DESCRIPTION: { object_group_description(); break; } case GROUP_OBJECT: { group_object(); break; } case ICMP_OBJECT: { icmp_object(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_18); } else { throw; } } } void PIXCfgParser::icmp_object() { ANTLR_USE_NAMESPACE(antlr)RefToken icmp_type = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(ICMP_OBJECT); if ( inputState->guessing==0 ) { #line 681 "pix.g" importer->clearTempVars(); 
importer->setCurrentLineNumber(LT(0)->getLine()); #line 3486 "PIXCfgParser.cpp" } { switch ( LA(1)) { case INT_CONST: case ECHO: case ALTERNATE_ADDRESS: case CONVERSION_ERROR: case ECHO_REPLY: case INFORMATION_REPLY: case INFORMATION_REQUEST: case MASK_REPLY: case MASK_REQUEST: case MOBILE_REDIRECT: case PARAMETER_PROBLEM: case REDIRECT: case ROUTER_ADVERTISEMENT: case ROUTER_SOLICITATION: case SOURCE_QUENCH: case TIME_EXCEEDED: case TIMESTAMP_REPLY: case TIMESTAMP_REQUEST: case TRACEROUTE: case UNREACHABLE: { { switch ( LA(1)) { case INT_CONST: { icmp_type = LT(1); match(INT_CONST); if ( inputState->guessing==0 ) { #line 688 "pix.g" importer->icmp_type = LT(0)->getText(); #line 3522 "PIXCfgParser.cpp" } break; } case ECHO: case ALTERNATE_ADDRESS: case CONVERSION_ERROR: case ECHO_REPLY: case INFORMATION_REPLY: case INFORMATION_REQUEST: case MASK_REPLY: case MASK_REQUEST: case MOBILE_REDIRECT: case PARAMETER_PROBLEM: case REDIRECT: case ROUTER_ADVERTISEMENT: case ROUTER_SOLICITATION: case SOURCE_QUENCH: case TIME_EXCEEDED: case TIMESTAMP_REPLY: case TIMESTAMP_REQUEST: case TRACEROUTE: case UNREACHABLE: { icmp_names(); if ( inputState->guessing==0 ) { #line 693 "pix.g" importer->icmp_spec = LT(0)->getText(); #line 3552 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 697 "pix.g" importer->addICMPServiceToObjectGroup(); *dbg << " SERVICE ICMP " << LT(0)->getText() << " "; #line 3568 "PIXCfgParser.cpp" } break; } case OBJECT: { match(OBJECT); name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 703 "pix.g" importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; #line 3583 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { 
reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::object_group_service_parameters() { try { // for error handling { switch ( LA(1)) { case DESCRIPTION: { object_group_description(); break; } case GROUP_OBJECT: { group_object(); break; } case SERVICE_OBJECT: { service_object(); break; } case PORT_OBJECT: { port_object(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(NEWLINE); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_19); } else { throw; } } } void PIXCfgParser::service_object() { ANTLR_USE_NAMESPACE(antlr)RefToken icmp_type = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(SERVICE_OBJECT); if ( inputState->guessing==0 ) { #line 742 "pix.g" importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); #line 3659 "PIXCfgParser.cpp" } { switch ( LA(1)) { case IP: case PIM: case AH: case EIGRP: case ESP_WORD: case GRE: case IGMP: case IGRP: case IPINIP: case IPSEC: case NOS: case OSPF: case PCP: case PPTP: case SNP: case INT_CONST: { { switch ( LA(1)) { case INT_CONST: { match(INT_CONST); break; } case IP: case PIM: case AH: case EIGRP: case ESP_WORD: case GRE: case IGMP: case IGRP: case IPINIP: case IPSEC: case NOS: case OSPF: case PCP: case PPTP: case SNP: { ip_protocol_names(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 748 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->protocol = LT(0)->getText(); importer->addIPServiceToObjectGroup(); *dbg << " GROUP MEMBER " << LT(0)->getText() << " "; #line 3720 "PIXCfgParser.cpp" } break; } case TCP: case UDP: case TCP_UDP: { { switch ( LA(1)) { case TCP: { match(TCP); break; } case UDP: { match(UDP); break; } 
case TCP_UDP: { match(TCP_UDP); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 756 "pix.g" importer->protocol = LT(0)->getText(); *dbg << " SERVICE TCP/UDP" << LT(0)->getText() << " "; #line 3757 "PIXCfgParser.cpp" } { switch ( LA(1)) { case SOURCE: { src_port_spec(); break; } case NEWLINE: case RANGE: case DESTINATION: case P_EQ: case P_GT: case P_LT: case P_NEQ: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case RANGE: case DESTINATION: case P_EQ: case P_GT: case P_LT: case P_NEQ: { dst_port_spec(); break; } case NEWLINE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 762 "pix.g" importer->addTCPUDPServiceToObjectGroup(); #line 3809 "PIXCfgParser.cpp" } break; } case ICMP: { match(ICMP); { switch ( LA(1)) { case INT_CONST: { icmp_type = LT(1); match(INT_CONST); if ( inputState->guessing==0 ) { #line 769 "pix.g" importer->icmp_type = LT(0)->getText(); #line 3827 "PIXCfgParser.cpp" } break; } case ECHO: case ALTERNATE_ADDRESS: case CONVERSION_ERROR: case ECHO_REPLY: case INFORMATION_REPLY: case INFORMATION_REQUEST: case MASK_REPLY: case MASK_REQUEST: case MOBILE_REDIRECT: case PARAMETER_PROBLEM: case REDIRECT: case ROUTER_ADVERTISEMENT: case ROUTER_SOLICITATION: case SOURCE_QUENCH: case TIME_EXCEEDED: case TIMESTAMP_REPLY: case TIMESTAMP_REQUEST: case TRACEROUTE: case UNREACHABLE: { icmp_names(); if ( inputState->guessing==0 ) { #line 774 "pix.g" importer->icmp_spec = LT(0)->getText(); #line 3857 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 778 "pix.g" importer->addICMPServiceToObjectGroup(); *dbg << " SERVICE ICMP " << LT(0)->getText() << " "; #line 3873 "PIXCfgParser.cpp" } break; } 
case OBJECT:
{
    // (tail of service_object, whose body begins on the preceding line)
    // Member given by name ("object NAME"): the name is handed to the
    // importer unchanged; resolving it is the importer's job, not the parser's.
    match(OBJECT);
    name = LT(1);
    match(WORD);
    if ( inputState->guessing==0 ) {
#line 784 "pix.g"
        importer->addNamedObjectToObjectGroup(name->getText());
        // NOTE(review): this debug line prints the token's line number
        // (getLine), not the member name (getText). Debug output only.
        *dbg << " GROUP MEMBER " << name->getLine() << std::endl;
#line 3888 "PIXCfgParser.cpp"
    }
    break;
}
default:
{
    throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
}
}
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
    // Outside a syntactic predicate (guessing == 0) ANTLR reports the error
    // and resynchronises on _tokenSet_9; while guessing the exception is
    // rethrown so the predicate fails.
    if( inputState->guessing == 0 ) {
        reportError(ex);
        recover(ex,_tokenSet_9);
    } else {
        throw;
    }
}
}

// Generated by ANTLR from pix.g (see the "#line ... pix.g" directives):
// grammar rule port_object, i.e. one "port-object <op> <port(s)>" line
// inside a service object-group. Changes belong in the grammar, not here.
void PIXCfgParser::port_object() {
#line 791 "pix.g"
    // Init action: clear the scratch port fields before the operator is parsed.
    importer->tmp_port_spec = "";
    importer->tmp_port_spec_2 = "";
#line 3915 "PIXCfgParser.cpp"
    try {      // for error handling
        match(PORT_OBJECT);
        // xoperator parses eq/gt/lt/neq <port> or "range <lo> <hi>" into
        // importer->tmp_port_spec (see xoperator earlier in this file).
        xoperator();
        if ( inputState->guessing==0 ) {
#line 796 "pix.g"
            // LT(0) is the last token consumed by xoperator.
            importer->setCurrentLineNumber(LT(0)->getLine());
            *dbg << " PORT OBJECT TCP/UDP " << LT(0)->getText() << " " << std::endl;
            // The parsed port becomes the destination port of a TCP/UDP
            // service that is then added to the current object-group.
            importer->SaveTmpPortToDst();
            importer->addTCPUDPServiceToObjectGroup();
            *dbg << std::endl;
#line 3929 "PIXCfgParser.cpp"
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_9);
        } else {
            throw;
        }
    }
}

// Grammar rule permit_extended: an extended ACL entry with action "permit".
// The "extended" keyword is optional; the rule body is parsed by
// rule_extended and the rule is pushed to the importer once its NEWLINE
// has been matched.
void PIXCfgParser::permit_extended() {
    try {      // for error handling
        {
            switch ( LA(1)) {
            case EXTENDED:
            {
                match(EXTENDED);
                break;
            }
            case PERMIT:
            {
                break;
            }
            default:
            {
                throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
            }
            }
        }
        match(PERMIT);
        if ( inputState->guessing==0 ) {
#line 935 "pix.g"
            // Start a new policy rule; the line number is that of the PERMIT
            // token just consumed (LT(0)).
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newPolicyRule();
            importer->action = "permit";
            *dbg << LT(1)->getLine() << ":" << " permit ";
#line 3971 "PIXCfgParser.cpp"
        }
        rule_extended();
        match(NEWLINE);
        if ( inputState->guessing==0 ) {
#line 942 "pix.g"
            // Only a rule that reached its terminating NEWLINE is pushed.
            importer->pushRule();
#line 3980 "PIXCfgParser.cpp"
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        // Top-level ACL rules resynchronise on _tokenSet_1.
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_1);
        } else {
            throw;
        }
    }
}

void
PIXCfgParser::deny_extended() {
    // Generated by ANTLR from pix.g: grammar rule deny_extended, an extended
    // ACL entry with action "deny". Mirrors permit_extended, differing only
    // in the matched keyword and the action string given to the importer.
    // Changes belong in the grammar, not here.
    try {      // for error handling
        {
            switch ( LA(1)) {
            case EXTENDED:
            {
                match(EXTENDED);
                break;
            }
            case DENY:
            {
                break;
            }
            default:
            {
                throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
            }
            }
        }
        match(DENY);
        if ( inputState->guessing==0 ) {
#line 948 "pix.g"
            // Start a new policy rule; the line number is that of the DENY
            // token just consumed (LT(0)).
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newPolicyRule();
            importer->action = "deny";
            *dbg << LT(1)->getLine() << ":" << " deny ";
#line 4022 "PIXCfgParser.cpp"
        }
        rule_extended();
        match(NEWLINE);
        if ( inputState->guessing==0 ) {
#line 955 "pix.g"
            // Only a rule that reached its terminating NEWLINE is pushed.
            importer->pushRule();
#line 4031 "PIXCfgParser.cpp"
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        // Outside a syntactic predicate (guessing == 0) ANTLR reports the
        // error and resynchronises on _tokenSet_1; while guessing the
        // exception is rethrown so the predicate fails.
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_1);
        } else {
            throw;
        }
    }
}

// Grammar rule permit_standard: "standard permit <addr>". rule_standard
// (later in this file) presets the source to 0.0.0.0/0.0.0.0 and parses a
// single address expression as the destination.
void PIXCfgParser::permit_standard() {
    try {      // for error handling
        match(STANDARD);
        match(PERMIT);
        if ( inputState->guessing==0 ) {
#line 961 "pix.g"
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newPolicyRule();
            importer->action = "permit";
            *dbg << LT(1)->getLine() << ":" << " permit ";
#line 4057 "PIXCfgParser.cpp"
        }
        rule_standard();
        match(NEWLINE);
        if ( inputState->guessing==0 ) {
#line 968 "pix.g"
            importer->pushRule();
#line 4066 "PIXCfgParser.cpp"
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_1);
        } else {
            throw;
        }
    }
}

// Grammar rule deny_standard: "standard deny <addr>"; same shape as
// permit_standard with action "deny". Its catch block continues on the
// next line of this file.
void PIXCfgParser::deny_standard() {
    try {      // for error handling
        match(STANDARD);
        match(DENY);
        if ( inputState->guessing==0 ) {
#line 974 "pix.g"
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newPolicyRule();
            importer->action = "deny";
            *dbg << LT(1)->getLine() << ":" << " deny ";
#line 4092 "PIXCfgParser.cpp"
        }
        rule_standard();
        match(NEWLINE);
        if ( inputState->guessing==0 ) {
#line 981 "pix.g"
            importer->pushRule();
#line 4101 "PIXCfgParser.cpp"
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        if( inputState->guessing == 0 ) {
            reportError(ex);
recover(ex,_tokenSet_1);
        } else {
            throw;
        }
    }
}

// Generated by ANTLR from pix.g: grammar rule remark, "remark <free text>"
// inside an access-list. The rest of the line is collected verbatim and
// attached to the current rule as a comment. Changes belong in the grammar.
void PIXCfgParser::remark() {
    try {      // for error handling
        match(REMARK);
        if ( inputState->guessing==0 ) {
#line 1909 "pix.g"
            importer->setCurrentLineNumber(LT(0)->getLine());
            *dbg << LT(1)->getLine() << ":";
            std::string rem;
            // Join the remaining tokens of the line with single spaces (this
            // leaves one trailing space). The NEWLINE token itself is not
            // consumed here. The text is untrusted configuration input and is
            // passed through unchanged -- NOTE(review): any sanitising of it
            // happens, if at all, in the importer; confirm addRuleComment.
            while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE)
            {
                rem += LT(1)->getText() + " ";
                consume();
            }
            importer->addRuleComment( rem );
            *dbg << " REMARK " << rem << std::endl;
            //consumeUntil(NEWLINE);
#line 4133 "PIXCfgParser.cpp"
        }
    }
    catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
        // Outside a syntactic predicate (guessing == 0) ANTLR reports the
        // error and resynchronises on _tokenSet_1; while guessing the
        // exception is rethrown so the predicate fails.
        if( inputState->guessing == 0 ) {
            reportError(ex);
            recover(ex,_tokenSet_1);
        } else {
            throw;
        }
    }
}

// Grammar rule rule_extended: the body of an extended ACL entry after the
// permit/deny keyword. This first alternative covers every protocol other
// than icmp and tcp/udp (named IP protocols, icmp6, or a protocol given as
// object/object-group, see ip_protocols later in this file): protocol,
// source address, destination address, then optional time-range, fragments
// and log clauses. The remaining alternatives and the catch block continue
// on the next line of this file.
void PIXCfgParser::rule_extended() {
    ANTLR_USE_NAMESPACE(antlr)RefToken grp_name = ANTLR_USE_NAMESPACE(antlr)nullToken;
    try {      // for error handling
        {
            switch ( LA(1)) {
            case IP:
            case PIM:
            case AH:
            case EIGRP:
            case ESP_WORD:
            case GRE:
            case IGMP:
            case IGRP:
            case IPINIP:
            case IPSEC:
            case NOS:
            case OSPF:
            case PCP:
            case PPTP:
            case SNP:
            case OBJECT:
            case ICMP6:
            case OBJECT_GROUP:
            {
                ip_protocols();
                // First address expression is the source ...
                hostaddr_expr();
                if ( inputState->guessing==0 ) {
#line 1006 "pix.g"
                    importer->SaveTmpAddrToSrc();
                    *dbg << "(src) ";
#line 4176 "PIXCfgParser.cpp"
                }
                // ... second one is the destination.
                hostaddr_expr();
                if ( inputState->guessing==0 ) {
#line 1007 "pix.g"
                    importer->SaveTmpAddrToDst();
                    *dbg << "(dst) ";
#line 4182 "PIXCfgParser.cpp"
                }
                // Optional trailing clauses, each accepted at most once and
                // only in this order: time-range, fragments, log.
                {
                    switch ( LA(1)) {
                    case TIME_RANGE:
                    {
                        time_range();
                        break;
                    }
                    case NEWLINE:
                    case LOG:
                    case LOG_INPUT:
                    case FRAGMENTS:
                    {
                        break;
                    }
                    default:
                    {
                        throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
                    }
                    }
                }
                {
                    switch ( LA(1)) {
                    case FRAGMENTS:
                    {
                        fragments();
                        break;
                    }
                    case NEWLINE:
                    case LOG:
                    case LOG_INPUT:
                    {
                        break;
                    }
                    default:
                    {
                        throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
                    }
                    }
                }
                {
                    switch ( LA(1)) {
                    case LOG:
                    case LOG_INPUT:
                    {
                        log();
                        break;
                    }
                    case NEWLINE:
                    {
                        break;
                    }
                    default:
                    {
                        throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
                    }
                    }
                }
                break;
            }
case ICMP: { match(ICMP); if ( inputState->guessing==0 ) { #line 1013 "pix.g" importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; #line 4252 "PIXCfgParser.cpp" } hostaddr_expr(); if ( inputState->guessing==0 ) { #line 1017 "pix.g" importer->SaveTmpAddrToSrc(); *dbg << "(src) "; #line 4258 "PIXCfgParser.cpp" } hostaddr_expr(); if ( inputState->guessing==0 ) { #line 1018 "pix.g" importer->SaveTmpAddrToDst(); *dbg << "(dst) "; #line 4264 "PIXCfgParser.cpp" } { switch ( LA(1)) { case OBJECT_GROUP: { match(OBJECT_GROUP); grp_name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 1035 "pix.g" importer->icmp_spec = grp_name->getText(); *dbg << "service gorup: " << grp_name->getText() << std::endl; #line 4280 "PIXCfgParser.cpp" } break; } case INT_CONST: case ECHO: case ALTERNATE_ADDRESS: case CONVERSION_ERROR: case ECHO_REPLY: case INFORMATION_REPLY: case INFORMATION_REQUEST: case MASK_REPLY: case MASK_REQUEST: case MOBILE_REDIRECT: case PARAMETER_PROBLEM: case REDIRECT: case ROUTER_ADVERTISEMENT: case ROUTER_SOLICITATION: case SOURCE_QUENCH: case TIME_EXCEEDED: case TIMESTAMP_REPLY: case TIMESTAMP_REQUEST: case TRACEROUTE: case UNREACHABLE: { icmp_spec(); break; } case NEWLINE: case LOG: case LOG_INPUT: case FRAGMENTS: case TIME_RANGE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case TIME_RANGE: { time_range(); break; } case NEWLINE: case LOG: case LOG_INPUT: case FRAGMENTS: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case FRAGMENTS: { fragments(); break; } case NEWLINE: case LOG: case LOG_INPUT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case LOG: case LOG_INPUT: { log(); break; } case NEWLINE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), 
getFilename()); } } } break; } case TCP: case UDP: { tcp_udp_rule_extended(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1049 "pix.g" *dbg << std::endl; #line 4398 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::rule_standard() { try { // for error handling if ( inputState->guessing==0 ) { #line 991 "pix.g" importer->tmp_a = "0.0.0.0"; importer->tmp_nm = "0.0.0.0"; importer->SaveTmpAddrToSrc(); #line 4421 "PIXCfgParser.cpp" } hostaddr_expr(); if ( inputState->guessing==0 ) { #line 997 "pix.g" importer->SaveTmpAddrToDst(); *dbg << "(dst) " << std::endl; #line 4430 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::hostaddr_expr() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken h = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken a = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken m = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling switch ( LA(1)) { case INTRFACE: { match(INTRFACE); interface_label(); if ( inputState->guessing==0 ) { #line 1296 "pix.g" importer->tmp_a = LT(0)->getText(); importer->tmp_nm = "interface"; *dbg << "object " << LT(0)->getText() << " "; #line 4462 "PIXCfgParser.cpp" } break; } case OBJECT: case OBJECT_GROUP: { { { switch ( LA(1)) { case OBJECT: { match(OBJECT); break; } case OBJECT_GROUP: { match(OBJECT_GROUP); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } name = LT(1); match(WORD); } if ( inputState->guessing==0 ) { #line 1303 "pix.g" importer->tmp_a = 
name->getText(); importer->tmp_nm = ""; *dbg << "object " << name->getText() << " "; #line 4498 "PIXCfgParser.cpp" } break; } case HOST: { { match(HOST); h = LT(1); match(IPV4); } if ( inputState->guessing==0 ) { #line 1310 "pix.g" importer->tmp_a = h->getText(); importer->tmp_nm = "255.255.255.255"; *dbg << h->getText() << "/255.255.255.255"; #line 4516 "PIXCfgParser.cpp" } break; } case IPV4: { { a = LT(1); match(IPV4); m = LT(1); match(IPV4); } if ( inputState->guessing==0 ) { #line 1317 "pix.g" importer->tmp_a = a->getText(); importer->tmp_nm = m->getText(); *dbg << a->getText() << "/" << m->getText(); #line 4535 "PIXCfgParser.cpp" } break; } case ANY: { match(ANY); if ( inputState->guessing==0 ) { #line 1324 "pix.g" importer->tmp_a = "0.0.0.0"; importer->tmp_nm = "0.0.0.0"; *dbg << "0.0.0.0/0.0.0.0"; #line 4549 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_20); } else { throw; } } } void PIXCfgParser::ip_protocols() { ANTLR_USE_NAMESPACE(antlr)RefToken name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling { switch ( LA(1)) { case IP: case PIM: case AH: case EIGRP: case ESP_WORD: case GRE: case IGMP: case IGRP: case IPINIP: case IPSEC: case NOS: case OSPF: case PCP: case PPTP: case SNP: case ICMP6: { { switch ( LA(1)) { case IP: case PIM: case AH: case EIGRP: case ESP_WORD: case GRE: case IGMP: case IGRP: case IPINIP: case IPSEC: case NOS: case OSPF: case PCP: case PPTP: case SNP: { ip_protocol_names(); break; } case ICMP6: { match(ICMP6); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1243 "pix.g" importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; #line 4630 "PIXCfgParser.cpp" } break; } case OBJECT: case 
OBJECT_GROUP: { { { switch ( LA(1)) { case OBJECT: { match(OBJECT); break; } case OBJECT_GROUP: { match(OBJECT_GROUP); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } name = LT(1); match(WORD); } if ( inputState->guessing==0 ) { #line 1249 "pix.g" importer->protocol = name->getText(); *dbg << "protocol " << name->getText() << " "; #line 4665 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_21); } else { throw; } } } void PIXCfgParser::time_range() { ANTLR_USE_NAMESPACE(antlr)RefToken tr_name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(TIME_RANGE); tr_name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 1376 "pix.g" importer->time_range_name = tr_name->getText(); *dbg << "time_range " << tr_name->getText() << " "; #line 4699 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_22); } else { throw; } } } void PIXCfgParser::fragments() { try { // for error handling match(FRAGMENTS); if ( inputState->guessing==0 ) { #line 1369 "pix.g" importer->fragments = true; *dbg << "fragments "; #line 4722 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_23); } else { throw; } } } void PIXCfgParser::log() { try { // for error handling { switch ( LA(1)) { case LOG: { match(LOG); break; } case LOG_INPUT: { match(LOG_INPUT); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1335 "pix.g" importer->logging = true; #line 4761 "PIXCfgParser.cpp" } { { switch ( LA(1)) { case INT_CONST: case 
LOG_LEVEL_ALERTS: case LOG_LEVEL_CRITICAL: case LOG_LEVEL_DEBUGGING: case LOG_LEVEL_EMERGENCIES: case LOG_LEVEL_ERRORS: case LOG_LEVEL_INFORMATIONAL: case LOG_LEVEL_NOTIFICATIONS: case LOG_LEVEL_WARNINGS: case LOG_LEVEL_DISABLE: case LOG_LEVEL_INACTIVE: { { switch ( LA(1)) { case INT_CONST: { match(INT_CONST); break; } case LOG_LEVEL_ALERTS: { match(LOG_LEVEL_ALERTS); break; } case LOG_LEVEL_CRITICAL: { match(LOG_LEVEL_CRITICAL); break; } case LOG_LEVEL_DEBUGGING: { match(LOG_LEVEL_DEBUGGING); break; } case LOG_LEVEL_EMERGENCIES: { match(LOG_LEVEL_EMERGENCIES); break; } case LOG_LEVEL_ERRORS: { match(LOG_LEVEL_ERRORS); break; } case LOG_LEVEL_INFORMATIONAL: { match(LOG_LEVEL_INFORMATIONAL); break; } case LOG_LEVEL_NOTIFICATIONS: { match(LOG_LEVEL_NOTIFICATIONS); break; } case LOG_LEVEL_WARNINGS: { match(LOG_LEVEL_WARNINGS); break; } case LOG_LEVEL_DISABLE: { match(LOG_LEVEL_DISABLE); break; } case LOG_LEVEL_INACTIVE: { match(LOG_LEVEL_INACTIVE); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1352 "pix.g" importer->log_level = LT(0)->getText(); #line 4844 "PIXCfgParser.cpp" } break; } case NEWLINE: case INTERVAL: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case INTERVAL: { { match(INTERVAL); match(INT_CONST); } if ( inputState->guessing==0 ) { #line 1357 "pix.g" importer->log_interval = LT(0)->getText(); #line 4870 "PIXCfgParser.cpp" } break; } case NEWLINE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } if ( inputState->guessing==0 ) { #line 1360 "pix.g" // if (importer->log_level == "log") importer->log_level = ""; // if (importer->log_interval == "log") importer->log_interval = ""; *dbg << "logging level '" << importer->log_level << "' interval '" << importer->log_interval << "'"; #line 4893 "PIXCfgParser.cpp" } } catch 
(ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::icmp_spec() { ANTLR_USE_NAMESPACE(antlr)RefToken icmp_type = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken icmp_code = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling { switch ( LA(1)) { case INT_CONST: { { icmp_type = LT(1); match(INT_CONST); icmp_code = LT(1); match(INT_CONST); } if ( inputState->guessing==0 ) { #line 1259 "pix.g" importer->icmp_type = icmp_type->getText(); importer->icmp_code = icmp_code->getText(); importer->icmp_spec = ""; *dbg << icmp_type->getText() << " " << icmp_code->getText() << " "; #line 4930 "PIXCfgParser.cpp" } break; } case ECHO: case ALTERNATE_ADDRESS: case CONVERSION_ERROR: case ECHO_REPLY: case INFORMATION_REPLY: case INFORMATION_REQUEST: case MASK_REPLY: case MASK_REQUEST: case MOBILE_REDIRECT: case PARAMETER_PROBLEM: case REDIRECT: case ROUTER_ADVERTISEMENT: case ROUTER_SOLICITATION: case SOURCE_QUENCH: case TIME_EXCEEDED: case TIMESTAMP_REPLY: case TIMESTAMP_REQUEST: case TRACEROUTE: case UNREACHABLE: { icmp_names(); if ( inputState->guessing==0 ) { #line 1268 "pix.g" importer->icmp_spec = LT(0)->getText(); *dbg << LT(0)->getText() << " "; #line 4961 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_13); } else { throw; } } } void PIXCfgParser::tcp_udp_rule_extended() { ANTLR_USE_NAMESPACE(antlr)RefToken src_grp_name = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken dst_addr_name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling { switch ( LA(1)) { case TCP: { match(TCP); break; } case UDP: { match(UDP); break; } default: { throw 
ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1056 "pix.g" importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; #line 5011 "PIXCfgParser.cpp" } hostaddr_expr(); if ( inputState->guessing==0 ) { #line 1060 "pix.g" importer->SaveTmpAddrToSrc(); *dbg << "(src) "; #line 5017 "PIXCfgParser.cpp" } { bool synPredMatched131 = false; if (((_tokenSet_21.member(LA(1))) && (_tokenSet_24.member(LA(2))))) { int _m131 = mark(); synPredMatched131 = true; inputState->guessing++; try { { match(OBJECT_GROUP); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { synPredMatched131 = false; } rewind(_m131); inputState->guessing--; } if ( synPredMatched131 ) { { if (((LA(1) == OBJECT_GROUP) && (LA(2) == WORD))&&( importer->isKnownServiceGroupName(LT(2)->getText()) )) { match(OBJECT_GROUP); src_grp_name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 1070 "pix.g" importer->src_port_spec = src_grp_name->getText(); *dbg << "src port spec: " << src_grp_name->getText() << std::endl; #line 5049 "PIXCfgParser.cpp" } hostaddr_expr_1(); if ( inputState->guessing==0 ) { #line 1078 "pix.g" importer->SaveTmpAddrToDst(); *dbg << "(dst) "; #line 5058 "PIXCfgParser.cpp" } acl_tcp_udp_dst_port_spec(); } else if ((_tokenSet_21.member(LA(1))) && (_tokenSet_24.member(LA(2)))) { hostaddr_expr_2(); if ( inputState->guessing==0 ) { #line 1087 "pix.g" importer->SaveTmpAddrToDst(); *dbg << "(dst) "; #line 5070 "PIXCfgParser.cpp" } acl_tcp_udp_dst_port_spec(); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } else if ((LA(1) == OBJECT) && (LA(2) == WORD)) { match(OBJECT); dst_addr_name = LT(1); match(WORD); { if ((_tokenSet_25.member(LA(1))) && (_tokenSet_26.member(LA(2)))) { acl_xoperator_dst(); } else if ((_tokenSet_27.member(LA(1))) && (_tokenSet_28.member(LA(2)))) { } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), 
getFilename()); } } { if ((LA(1) == ESTABLISHED) && (_tokenSet_27.member(LA(2)))) { established(); } else if ((_tokenSet_27.member(LA(1))) && (_tokenSet_29.member(LA(2)))) { } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } if ( inputState->guessing==0 ) { #line 1096 "pix.g" // looks like "object foo" at this point can only be dest addr. // (judging by cli prompts on 8.3) importer->tmp_a = dst_addr_name->getText(); importer->tmp_nm = ""; importer->SaveTmpAddrToDst(); *dbg << "dst addr object " << dst_addr_name->getText() << " "; #line 5116 "PIXCfgParser.cpp" } acl_tcp_udp_dst_port_spec(); } else if ((_tokenSet_30.member(LA(1))) && (_tokenSet_31.member(LA(2)))) { { switch ( LA(1)) { case RANGE: case P_EQ: case P_GT: case P_LT: case P_NEQ: { xoperator(); if ( inputState->guessing==0 ) { #line 1110 "pix.g" importer->SaveTmpPortToSrc(); #line 5135 "PIXCfgParser.cpp" } break; } case IPV4: case OBJECT: case HOST: case OBJECT_GROUP: case INTRFACE: case ANY: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } hostaddr_expr_3(); if ( inputState->guessing==0 ) { #line 1114 "pix.g" importer->SaveTmpAddrToDst(); *dbg << "(dst) "; #line 5158 "PIXCfgParser.cpp" } acl_tcp_udp_dst_port_spec(); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } { switch ( LA(1)) { case TIME_RANGE: { time_range(); break; } case NEWLINE: case LOG: case LOG_INPUT: case FRAGMENTS: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case FRAGMENTS: { fragments(); break; } case NEWLINE: case LOG: case LOG_INPUT: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case LOG: case LOG_INPUT: { log(); break; } case NEWLINE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch 
(ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::hostaddr_expr_1() { try { // for error handling hostaddr_expr(); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_27); } else { throw; } } } void PIXCfgParser::acl_tcp_udp_dst_port_spec() { ANTLR_USE_NAMESPACE(antlr)RefToken dst_port_group_name = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken dst_port_obj_name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling { switch ( LA(1)) { case OBJECT_GROUP: { { match(OBJECT_GROUP); dst_port_group_name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 1132 "pix.g" importer->dst_port_spec = dst_port_group_name->getText(); *dbg << "dst port spec: " << dst_port_group_name->getText() << std::endl; #line 5270 "PIXCfgParser.cpp" } { switch ( LA(1)) { case ESTABLISHED: { established(); break; } case NEWLINE: case LOG: case LOG_INPUT: case FRAGMENTS: case TIME_RANGE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } break; } case OBJECT: { match(OBJECT); dst_port_obj_name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 1142 "pix.g" importer->dst_port_spec = dst_port_obj_name->getText(); *dbg << "dst addr object " << dst_port_obj_name->getText() << std::endl; #line 5308 "PIXCfgParser.cpp" } { switch ( LA(1)) { case ESTABLISHED: { established(); break; } case NEWLINE: case LOG: case LOG_INPUT: case FRAGMENTS: case TIME_RANGE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case NEWLINE: case RANGE: case P_EQ: case P_GT: case P_LT: case P_NEQ: case ESTABLISHED: case LOG: case LOG_INPUT: case FRAGMENTS: case TIME_RANGE: { { switch ( LA(1)) { case RANGE: case P_EQ: case P_GT: case P_LT: case P_NEQ: { 
acl_xoperator_dst(); break; } case NEWLINE: case ESTABLISHED: case LOG: case LOG_INPUT: case FRAGMENTS: case TIME_RANGE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { switch ( LA(1)) { case ESTABLISHED: { established(); break; } case NEWLINE: case LOG: case LOG_INPUT: case FRAGMENTS: case TIME_RANGE: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_13); } else { throw; } } } void PIXCfgParser::hostaddr_expr_2() { try { // for error handling hostaddr_expr(); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_27); } else { throw; } } } void PIXCfgParser::acl_xoperator_dst() { try { // for error handling xoperator(); if ( inputState->guessing==0 ) { #line 1157 "pix.g" importer->SaveTmpPortToDst(); #line 5435 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_27); } else { throw; } } } void PIXCfgParser::established() { try { // for error handling match(ESTABLISHED); if ( inputState->guessing==0 ) { #line 1232 "pix.g" importer->established = true; *dbg << "established "; #line 5458 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_27); } else { throw; } } } void PIXCfgParser::hostaddr_expr_3() { try { // for error handling hostaddr_expr(); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_27); } else { throw; } } } void PIXCfgParser::single_port_op() 
{ try { // for error handling { switch ( LA(1)) { case P_EQ: { match(P_EQ); break; } case P_GT: { match(P_GT); break; } case P_LT: { match(P_LT); break; } case P_NEQ: { match(P_NEQ); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1169 "pix.g" importer->tmp_port_op = LT(0)->getText(); *dbg << LT(0)->getText() << " "; #line 5523 "PIXCfgParser.cpp" } port_spec(); } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_15); } else { throw; } } } void PIXCfgParser::port_range() { try { // for error handling match(RANGE); pair_of_ports_spec(); if ( inputState->guessing==0 ) { #line 1188 "pix.g" importer->tmp_port_op = "range"; *dbg << "range " << importer->tmp_port_spec; #line 5548 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_15); } else { throw; } } } void PIXCfgParser::port_spec() { try { // for error handling if ( inputState->guessing==0 ) { #line 1177 "pix.g" importer->tmp_port_spec_2 = ""; #line 5569 "PIXCfgParser.cpp" } tcp_udp_port_spec(); if ( inputState->guessing==0 ) { #line 1181 "pix.g" importer->tmp_port_spec = std::string(" ") + importer->tmp_port_spec_2; *dbg << LT(0)->getText() << " " << importer->tmp_port_spec; #line 5578 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_15); } else { throw; } } } void PIXCfgParser::tcp_udp_port_spec() { try { // for error handling { switch ( LA(1)) { case PPTP: case HTTP: case SSH: case TELNET: case HOSTNAME: case ECHO: { tcp_udp_port_names(); break; } case WORD: { match(WORD); break; } case INT_CONST: { match(INT_CONST); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( 
inputState->guessing==0 ) { #line 1212 "pix.g" importer->tmp_port_spec_2 = LT(0)->getText(); #line 5627 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_32); } else { throw; } } } void PIXCfgParser::pair_of_ports_spec() { try { // for error handling if ( inputState->guessing==0 ) { #line 1195 "pix.g" importer->tmp_port_spec_2 = ""; #line 5648 "PIXCfgParser.cpp" } tcp_udp_port_spec(); if ( inputState->guessing==0 ) { #line 1199 "pix.g" importer->tmp_port_spec += importer->tmp_port_spec_2; #line 5656 "PIXCfgParser.cpp" } tcp_udp_port_spec(); if ( inputState->guessing==0 ) { #line 1203 "pix.g" importer->tmp_port_spec += " "; importer->tmp_port_spec += importer->tmp_port_spec_2; #line 5665 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_15); } else { throw; } } } void PIXCfgParser::tcp_udp_port_names() { try { // for error handling { switch ( LA(1)) { case ECHO: { match(ECHO); break; } case HOSTNAME: { match(HOSTNAME); break; } case PPTP: { match(PPTP); break; } case SSH: { match(SSH); break; } case TELNET: { match(TELNET); break; } case HTTP: { match(HTTP); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_32); } else { throw; } } } void PIXCfgParser::interface_label() { try { // for error handling switch ( LA(1)) { case WORD: { match(WORD); break; } case OUTSIDE: { match(OUTSIDE); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_33); } else { throw; } } } void 
PIXCfgParser::interface_command_6() { ANTLR_USE_NAMESPACE(antlr)RefToken in = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling in = LT(1); match(WORD); pix6_interface_hw_speed(); if ( inputState->guessing==0 ) { #line 1440 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->newInterface( in->getText() ); *dbg << in->getLine() << ":" << " INTRFACE: " << in->getText() << std::endl; #line 5775 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::interface_command_7() { ANTLR_USE_NAMESPACE(antlr)RefToken in = ANTLR_USE_NAMESPACE(antlr)nullToken; #line 1448 "pix.g" bool have_interface_parameters = false; #line 5792 "PIXCfgParser.cpp" try { // for error handling in = LT(1); match(WORD); match(NEWLINE); if ( inputState->guessing==0 ) { #line 1449 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); importer->newInterface( in->getText() ); *dbg << in->getLine() << ":" << " INTRFACE: " << in->getText() << std::endl; #line 5806 "PIXCfgParser.cpp" } { { // ( ... )* for (;;) { if ((_tokenSet_34.member(LA(1)))) { interface_parameters(); if ( inputState->guessing==0 ) { #line 1456 "pix.g" have_interface_parameters = true; #line 5816 "PIXCfgParser.cpp" } } else { goto _loop197; } } _loop197:; } // ( ... )* { switch ( LA(1)) { case LINE_COMMENT: { match(LINE_COMMENT); break; } case EXIT: { match(EXIT); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1458 "pix.g" if ( ! 
have_interface_parameters ) { importer->ignoreCurrentInterface(); *dbg<< LT(1)->getLine() << ":" << " EMPTY INTERFACE " << std::endl; } #line 5854 "PIXCfgParser.cpp" } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::pix6_interface_hw_speed() { try { // for error handling { switch ( LA(1)) { case AUI: { match(AUI); break; } case AUTO: { match(AUTO); break; } case BNC: { match(BNC); break; } case INT_CONST: { { match(INT_CONST); { switch ( LA(1)) { case FULL: { match(FULL); break; } case BASET: { match(BASET); break; } case BASETX: { match(BASETX); break; } case AUTO: { match(AUTO); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::interface_parameters() { try { // for error handling if ( inputState->guessing==0 ) { #line 1493 "pix.g" importer->setCurrentLineNumber(LT(0)->getLine()); #line 5948 "PIXCfgParser.cpp" } { switch ( LA(1)) { case IP: { intf_address(); break; } case VLAN: { vlan_interface(); break; } case SEC_LEVEL: { sec_level(); break; } case NAMEIF: { nameif(); break; } case DESCRIPTION: { interface_description(); break; } case SWITCHPORT: { switchport(); break; } case SHUTDOWN: { shutdown(); break; } case NO: { interface_no_commands(); break; } case PIM: case IGMP: case OSPF: case SPEED: case DUPLEX: case DDNS: case FORWARD: case DELAY: case HOLD_TIME: case IPV6_C: case MANAGEMENT_ONLY: case MAC_ADDRESS: case MULTICAST: case PPPOE: case RIP: { unsupported_interface_commands(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } match(NEWLINE); 
} catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_35); } else { throw; } } } void PIXCfgParser::vlan_interface() { ANTLR_USE_NAMESPACE(antlr)RefToken vlan_id = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(VLAN); vlan_id = LT(1); match(INT_CONST); if ( inputState->guessing==0 ) { #line 1519 "pix.g" importer->setInterfaceVlanId(vlan_id->getText()); *dbg << " VLAN: " << vlan_id->getText() << std::endl; #line 6042 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::sec_level() { ANTLR_USE_NAMESPACE(antlr)RefToken sec_level = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(SEC_LEVEL); sec_level = LT(1); match(INT_CONST); if ( inputState->guessing==0 ) { #line 1573 "pix.g" importer->setInterfaceSecurityLevel(sec_level->getText()); *dbg << "SEC_LEVEL: " << sec_level->getText() << std::endl; #line 6068 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::nameif() { try { // for error handling match(NAMEIF); interface_label(); if ( inputState->guessing==0 ) { #line 1592 "pix.g" importer->setInterfaceParametes(LT(0)->getText(), "", ""); *dbg << " NAMEIF: " << LT(0)->getText() << std::endl; #line 6092 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::interface_description() { try { // for error handling match(DESCRIPTION); if ( inputState->guessing==0 ) { #line 1601 "pix.g" *dbg << LT(1)->getLine() << ":"; std::string descr; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { 
descr += LT(1)->getText() + " "; consume(); } importer->setInterfaceComment( descr ); *dbg << " DESCRIPTION " << descr << std::endl; //consumeUntil(NEWLINE); #line 6123 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::switchport() { ANTLR_USE_NAMESPACE(antlr)RefToken vlan_num = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling match(SWITCHPORT); match(ACCESS); match(VLAN); vlan_num = LT(1); match(INT_CONST); if ( inputState->guessing==0 ) { #line 1722 "pix.g" importer->addMessageToLog("Switch port vlan " + vlan_num->getText()); *dbg << "Switch port vlan " << vlan_num->getText() << std::endl; #line 6151 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::shutdown() { try { // for error handling match(SHUTDOWN); if ( inputState->guessing==0 ) { #line 1616 "pix.g" importer->ignoreCurrentInterface(); *dbg<< LT(1)->getLine() << ":" << " INTERFACE SHUTDOWN " << std::endl; #line 6175 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::interface_no_commands() { try { // for error handling match(NO); { switch ( LA(1)) { case NAMEIF: { match(NAMEIF); break; } case IP: { match(IP); break; } case SEC_LEVEL: { match(SEC_LEVEL); break; } case SHUTDOWN: { match(SHUTDOWN); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1565 "pix.g" *dbg << " INTERFACE \"NO\" COMMAND: " << LT(0)->getText() << std::endl; consumeUntil(NEWLINE); #line 6227 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( 
inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::unsupported_interface_commands() { try { // for error handling { switch ( LA(1)) { case SPEED: { match(SPEED); break; } case DUPLEX: { match(DUPLEX); break; } case DDNS: { match(DDNS); break; } case FORWARD: { match(FORWARD); break; } case DELAY: { match(DELAY); break; } case HOLD_TIME: { match(HOLD_TIME); break; } case IGMP: { match(IGMP); break; } case IPV6_C: { match(IPV6_C); break; } case MANAGEMENT_ONLY: { match(MANAGEMENT_ONLY); break; } case MAC_ADDRESS: { match(MAC_ADDRESS); break; } case MULTICAST: { match(MULTICAST); break; } case OSPF: { match(OSPF); break; } case PIM: { match(PIM); break; } case PPPOE: { match(PPPOE); break; } case RIP: { match(RIP); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1557 "pix.g" *dbg << " UNSUPPORTED INTERFACE COMMAND: " << LT(0)->getText() << std::endl; consumeUntil(NEWLINE); #line 6333 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::v6_ip_address() { try { // for error handling if ((LA(1) == WORD || LA(1) == OUTSIDE) && (LA(2) == DHCP)) { v6_dhcp_address(); } else if ((LA(1) == WORD || LA(1) == OUTSIDE) && (LA(2) == IPV4)) { v6_static_address(); } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::v7_ip_address() { try { // for error handling switch ( LA(1)) { case DHCP: { v7_dhcp_address(); break; } case IPV4: { v7_static_address(); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch 
(ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::v6_dhcp_address() { ANTLR_USE_NAMESPACE(antlr)RefToken dhcp = ANTLR_USE_NAMESPACE(antlr)nullToken; #line 1650 "pix.g" std::string lbl; #line 6404 "PIXCfgParser.cpp" try { // for error handling interface_label(); if ( inputState->guessing==0 ) { #line 1652 "pix.g" lbl = LT(0)->getText(); #line 6413 "PIXCfgParser.cpp" } dhcp = LT(1); match(DHCP); if ( inputState->guessing==0 ) { #line 1656 "pix.g" std::string addr = dhcp->getText(); importer->addInterfaceAddress(lbl, addr, ""); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << std::endl; // there can be some other parameters after "dhcp", such as // "setroute", "retry" etc. which we do not support consumeUntil(NEWLINE); #line 6428 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::v6_static_address() { ANTLR_USE_NAMESPACE(antlr)RefToken a = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken m = ANTLR_USE_NAMESPACE(antlr)nullToken; #line 1667 "pix.g" std::string lbl; #line 6446 "PIXCfgParser.cpp" try { // for error handling interface_label(); if ( inputState->guessing==0 ) { #line 1669 "pix.g" lbl = LT(0)->getText(); #line 6455 "PIXCfgParser.cpp" } a = LT(1); match(IPV4); m = LT(1); match(IPV4); if ( inputState->guessing==0 ) { #line 1673 "pix.g" std::string addr = a->getText(); std::string netm = m->getText(); importer->addInterfaceAddress(lbl, addr, netm); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << "/" << netm << std::endl; // in case there are some other parameters after address and netmask consumeUntil(NEWLINE); #line 6472 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 
) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::v7_dhcp_address() { ANTLR_USE_NAMESPACE(antlr)RefToken dhcp = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling dhcp = LT(1); match(DHCP); if ( inputState->guessing==0 ) { #line 1689 "pix.g" std::string addr = dhcp->getText(); importer->addInterfaceAddress(addr, ""); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << std::endl; consumeUntil(NEWLINE); #line 6500 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::v7_static_address() { ANTLR_USE_NAMESPACE(antlr)RefToken a = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken m = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken s = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling a = LT(1); match(IPV4); m = LT(1); match(IPV4); { switch ( LA(1)) { case STANDBY: { s = LT(1); match(STANDBY); break; } case ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE: case NEWLINE: case QUIT: case IP: case TIMEOUT: case PIM: case NETWORK: case NAMES: case NAME: case WORD: case OBJECT: case SERVICE: case HTTP: case SSH: case TELNET: case ICMP: case OBJECT_GROUP: case CRYPTO: case DNS: case NO: case CERTIFICATE: case PIX_WORD: case ASA_WORD: case FWSM_WORD: case HOSTNAME: case ACCESS_LIST: case INTRFACE: case CONTROLLER: case LINE_COMMENT: case EXIT: case NAMEIF: case ACCESS_GROUP: case COLON_COMMENT: case NAT: case GLOBAL: case STATIC: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1700 "pix.g" std::string addr = a->getText(); std::string netm = m->getText(); importer->addInterfaceAddress(addr, netm); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << "/" << netm << std::endl; // there can be other parameters 
after address/netmask pair, such as "standby" // We do not parse them yet. if (s) { importer->addMessageToLog( QString("Warning: failover IP detected. " "Failover is not supported by import " "at this time")); } consumeUntil(NEWLINE); #line 6595 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_1); } else { throw; } } } void PIXCfgParser::icmp_types_for_icmp_command() { try { // for error handling switch ( LA(1)) { case INT_CONST: { match(INT_CONST); if ( inputState->guessing==0 ) { #line 1888 "pix.g" importer->icmp_type = LT(0)->getText(); importer->icmp_code = "0"; importer->icmp_spec = ""; #line 6622 "PIXCfgParser.cpp" } break; } case ECHO: case ECHO_REPLY: case TIME_EXCEEDED: case UNREACHABLE: { { switch ( LA(1)) { case ECHO: { match(ECHO); break; } case ECHO_REPLY: { match(ECHO_REPLY); break; } case TIME_EXCEEDED: { match(TIME_EXCEEDED); break; } case UNREACHABLE: { match(UNREACHABLE); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 1895 "pix.g" importer->icmp_type = ""; importer->icmp_code = "0"; importer->icmp_spec = LT(0)->getText(); #line 6666 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_36); } else { throw; } } } void PIXCfgParser::nat_old_top_level_command() { try { // for error handling interface_label(); if ( inputState->guessing==0 ) { #line 1963 "pix.g" importer->prenat_interface = LT(0)->getText(); #line 6695 "PIXCfgParser.cpp" } match(CLOSING_PAREN); if ( inputState->guessing==0 ) { #line 1967 "pix.g" importer->newUnidirRuleSet("nat", libfwbuilder::NAT::TYPENAME ); *dbg << " SNAT rule "; importer->rule_type = libfwbuilder::NATRule::SNAT; #line 
6705 "PIXCfgParser.cpp" } match(INT_CONST); if ( inputState->guessing==0 ) { #line 1975 "pix.g" importer->nat_num = LT(0)->getText(); #line 6713 "PIXCfgParser.cpp" } nat_addr_match(); { // ( ... )* for (;;) { if ((_tokenSet_37.member(LA(1)))) { nat_command_last_parameters(); } else { goto _loop254; } } _loop254:; } // ( ... )* match(NEWLINE); if ( inputState->guessing==0 ) { #line 1987 "pix.g" importer->pushNATRule(); *dbg << std::endl; #line 6735 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void PIXCfgParser::nat_new_top_level_command() { try { // for error handling interface_label(); match(COMMA); interface_label(); match(CLOSING_PAREN); if ( inputState->guessing==0 ) { #line 2064 "pix.g" importer->addMessageToLog( QString("Warning: Import of ASA 8.3 nat command " "is not supported at this time")); consumeUntil(NEWLINE); #line 6763 "PIXCfgParser.cpp" } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_5); } else { throw; } } } void PIXCfgParser::nat_addr_match() { ANTLR_USE_NAMESPACE(antlr)RefToken acl_name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling switch ( LA(1)) { case IPV4: case IPV6: { single_addr(); if ( inputState->guessing==0 ) { #line 1995 "pix.g" importer->nat_a = importer->tmp_a; #line 6790 "PIXCfgParser.cpp" } { switch ( LA(1)) { case IPV4: case IPV6: { single_addr(); if ( inputState->guessing==0 ) { #line 2003 "pix.g" importer->nat_nm = importer->tmp_a; #line 6803 "PIXCfgParser.cpp" } break; } case NEWLINE: case INT_CONST: case TCP: case UDP: case DNS: case OUTSIDE: case NORANDOMSEQ: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } break; } case INT_CONST: { match(INT_CONST); if ( inputState->guessing==0 ) { #line 2009 "pix.g" if (LT(0)->getText() != 
std::string("0")) { importer->reportError( std::string("Unknown string ")+LT(0)->getText()+ std::string("; expected \"0\"")); *dbg << " UNKNOWN STRING " << LT(0)->getText(); } importer->nat_a = "0.0.0.0"; #line 6840 "PIXCfgParser.cpp" } { if ((LA(1) == INT_CONST) && (_tokenSet_38.member(LA(2)))) { match(INT_CONST); if ( inputState->guessing==0 ) { #line 2021 "pix.g" if (LT(0)->getText() != std::string("0")) { importer->reportError( std::string("Unknown string ")+LT(0)->getText()+ std::string("; expected \"0\"")); *dbg << " UNKNOWN STRING " << LT(0)->getText(); } importer->nat_nm = "0.0.0.0"; #line 6857 "PIXCfgParser.cpp" } } else if ((_tokenSet_38.member(LA(1))) && (_tokenSet_39.member(LA(2)))) { } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } break; } case ACCESS_LIST: { match(ACCESS_LIST); acl_name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 2034 "pix.g" importer->nat_acl = acl_name->getText(); #line 6879 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_38); } else { throw; } } } void PIXCfgParser::nat_command_last_parameters() { try { // for error handling switch ( LA(1)) { case INT_CONST: case TCP: case UDP: case DNS: case NORANDOMSEQ: { nat_and_static_command_common_last_parameters(); break; } case OUTSIDE: { match(OUTSIDE); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_38); } else { throw; } } } void PIXCfgParser::nat_and_static_command_common_last_parameters() { ANTLR_USE_NAMESPACE(antlr)RefToken max_conn = ANTLR_USE_NAMESPACE(antlr)nullToken; ANTLR_USE_NAMESPACE(antlr)RefToken max_emb_conn = 
ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling switch ( LA(1)) { case DNS: { match(DNS); if ( inputState->guessing==0 ) { #line 2306 "pix.g" importer->addMessageToLog( QString("Warning: 'nat' and 'static' command option 'dns' is not supported")); #line 6948 "PIXCfgParser.cpp" } break; } case NORANDOMSEQ: { match(NORANDOMSEQ); if ( inputState->guessing==0 ) { #line 2312 "pix.g" importer->addMessageToLog( QString("Warning: 'nat' and 'static' command option 'norandomseq' is not supported")); #line 6961 "PIXCfgParser.cpp" } break; } case INT_CONST: case TCP: case UDP: { { switch ( LA(1)) { case TCP: { match(TCP); break; } case UDP: { match(UDP); break; } case INT_CONST: { break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } max_conn = LT(1); match(INT_CONST); { if ((LA(1) == INT_CONST) && (_tokenSet_40.member(LA(2)))) { max_emb_conn = LT(1); match(INT_CONST); } else if ((_tokenSet_40.member(LA(1))) && (_tokenSet_41.member(LA(2)))) { } else { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } if ( inputState->guessing==0 ) { #line 2319 "pix.g" importer->static_max_conn = max_conn->getText(); if (max_emb_conn) importer->static_max_emb_conn = max_emb_conn->getText(); #line 7012 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_40); } else { throw; } } } void PIXCfgParser::static_starts_with_hostaddr() { try { // for error handling static_mapped_addr_match(); static_real_addr_match(); { // ( ... )* for (;;) { if ((_tokenSet_42.member(LA(1)))) { static_command_common_last_parameters(); } else { goto _loop268; } } _loop268:; } // ( ... 
)* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::static_starts_with_tcp_udp() { ANTLR_USE_NAMESPACE(antlr)RefToken acl_name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling { switch ( LA(1)) { case TCP: { match(TCP); break; } case UDP: { match(UDP); break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } if ( inputState->guessing==0 ) { #line 2216 "pix.g" importer->protocol = LT(0)->getText(); *dbg << " SERVICE TCP/UDP " << LT(0)->getText() << " "; #line 7088 "PIXCfgParser.cpp" } static_mapped_addr_match(); tcp_udp_port_spec(); if ( inputState->guessing==0 ) { #line 2230 "pix.g" importer->mapped_port_spec = importer->tmp_port_spec_2; *dbg << "mapped port " << importer->mapped_port_spec << " "; #line 7098 "PIXCfgParser.cpp" } { switch ( LA(1)) { case IPV4: case IPV6: { single_addr(); if ( inputState->guessing==0 ) { #line 2240 "pix.g" importer->real_a = importer->tmp_a; importer->real_nm = importer->tmp_nm; *dbg << "real: " << importer->real_a; #line 7113 "PIXCfgParser.cpp" } tcp_udp_port_spec(); if ( inputState->guessing==0 ) { #line 2251 "pix.g" importer->real_port_spec = importer->tmp_port_spec_2; *dbg << "real port " << importer->real_port_spec << " "; #line 7122 "PIXCfgParser.cpp" } break; } case ACCESS_LIST: { match(ACCESS_LIST); acl_name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 2258 "pix.g" importer->real_addr_acl = acl_name->getText(); *dbg << "real: " << importer->real_addr_acl; #line 7137 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } { // ( ... )* for (;;) { if ((_tokenSet_42.member(LA(1)))) { static_command_common_last_parameters(); } else { goto _loop277; } } _loop277:; } // ( ... 
)* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_9); } else { throw; } } } void PIXCfgParser::static_mapped_addr_match() { try { // for error handling { switch ( LA(1)) { case IPV4: case IPV6: { single_addr(); if ( inputState->guessing==0 ) { #line 2183 "pix.g" importer->mapped_a = importer->tmp_a; importer->mapped_nm = importer->tmp_nm; *dbg << "mapped: " << importer->mapped_a; #line 7186 "PIXCfgParser.cpp" } break; } case INTRFACE: { match(INTRFACE); if ( inputState->guessing==0 ) { #line 2190 "pix.g" importer->mapped_a = "interface"; importer->mapped_nm = ""; *dbg << "mapped: " << importer->mapped_a; #line 7200 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_43); } else { throw; } } } void PIXCfgParser::static_real_addr_match() { ANTLR_USE_NAMESPACE(antlr)RefToken acl_name = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling { switch ( LA(1)) { case IPV4: case IPV6: { single_addr(); if ( inputState->guessing==0 ) { #line 2201 "pix.g" importer->real_a = importer->tmp_a; importer->real_nm = importer->tmp_nm; *dbg << "real: " << importer->real_a; #line 7238 "PIXCfgParser.cpp" } break; } case ACCESS_LIST: { match(ACCESS_LIST); acl_name = LT(1); match(WORD); if ( inputState->guessing==0 ) { #line 2208 "pix.g" importer->real_addr_acl = acl_name->getText(); *dbg << "real: " << importer->real_addr_acl; #line 7253 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_44); } else { throw; } } } void PIXCfgParser::static_command_common_last_parameters() { 
ANTLR_USE_NAMESPACE(antlr)RefToken nm = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling switch ( LA(1)) { case INT_CONST: case TCP: case UDP: case DNS: case NORANDOMSEQ: { nat_and_static_command_common_last_parameters(); break; } case NETMASK: { match(NETMASK); nm = LT(1); match(IPV4); if ( inputState->guessing==0 ) { #line 2290 "pix.g" importer->real_nm = nm->getText(); *dbg << "real netmask: " << importer->real_nm; #line 7299 "PIXCfgParser.cpp" } break; } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); recover(ex,_tokenSet_44); } else { throw; } } } void PIXCfgParser::initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& ) { } const char* PIXCfgParser::tokenNames[] = { "<0>", "EOF", "<2>", "NULL_TREE_LOOKAHEAD", "NEWLINE", "\"quit\"", "\"ip\"", "\"community-list\"", "\"timeout\"", "\"pim\"", "\"network\"", "\"names\"", "\"name\"", "IPV4", "WORD", "IPV6", "\"ah\"", "\"eigrp\"", "\"esp\"", "\"gre\"", "\"igmp\"", "\"igrp\"", "\"ipinip\"", "\"ipsec\"", "\"nos\"", "\"ospf\"", "\"pcp\"", "\"pptp\"", "\"snp\"", "\"object\"", "\"description\"", "\"host\"", "\"range\"", "\"subnet\"", "\"service\"", "\"http\"", "\"ssh\"", "\"telnet\"", "\"icmp\"", "INT_CONST", "\"icmp6\"", "\"tcp\"", "\"udp\"", "\"source\"", "\"destination\"", "\"object-group\"", "\"group-object\"", "\"network-object\"", "\"protocol\"", "\"protocol-object\"", "\"icmp-object\"", "\"icmp-type\"", "\"tcp-udp\"", "\"service-object\"", "\"port-object\"", "\"crypto\"", "\"dns\"", "\"call-home\"", "\"internal\"", "\"password-recovery\"", "\"resetinbound\"", "\"resetoutbound\"", "\"resetoutside\"", "\"no\"", "\"certificate\"", "\"PIX\"", "\"ASA\"", "\"FWSM\"", "\"Version\"", "NUMBER", "\"hostname\"", "STRING", "\"access-list\"", "\"extended\"", "\"permit\"", "\"deny\"", "\"standard\"", "\"eq\"", "\"gt\"", "\"lt\"", "\"neq\"", "\"echo\"", 
"\"established\"", "\"alternate-address\"", "\"conversion-error\"", "\"echo-reply\"", "\"information-reply\"", "\"information-request\"", "\"mask-reply\"", "\"mask-request\"", "\"mobile-redirect\"", "\"parameter-problem\"", "\"redirect\"", "\"router-advertisement\"", "\"router-solicitation\"", "\"source-quench\"", "\"time-exceeded\"", "\"timestamp-reply\"", "\"timestamp-request\"", "\"traceroute\"", "\"unreachable\"", "\"interface\"", "\"any\"", "\"log\"", "\"log-input\"", "\"alerts\"", "\"critical\"", "\"debugging\"", "\"emergencies\"", "\"errors\"", "\"informational\"", "\"notifications\"", "\"warnings\"", "\"disable\"", "\"inactive\"", "\"interval\"", "\"fragments\"", "\"time-range\"", "\"controller\"", "\"outside\"", "LINE_COMMENT", "\"exit\"", "\"aui\"", "\"auto\"", "\"bnc\"", "\"full\"", "\"baseT\"", "\"baseTX\"", "\"nameif\"", "\"vlan\"", "\"speed\"", "\"duplex\"", "\"ddns\"", "\"forward\"", "\"delay\"", "\"hold-time\"", "\"ipv6\"", "\"management-only\"", "\"mac-address\"", "\"multicast\"", "PPPOE", "\"rip\"", "\"security-level\"", "\"shutdown\"", "\"address\"", "\"dhcp\"", "\"standby\"", "\"switchport\"", "\"access\"", "\"scopy\"", "\"version\"", "\"authentication-certificate\"", "\"server\"", "\"remark\"", "\"access-group\"", "COLON_COMMENT", "\"nat\"", "OPENING_PAREN", "CLOSING_PAREN", "COMMA", "\"global\"", "MINUS", "\"netmask\"", "\"static\"", "\"norandomseq\"", "\"secondary\"", "\"setroute\"", "Whitespace", "HEX_CONST", "NEG_INT_CONST", "DIGIT", "HEXDIGIT", "NUMBER_ADDRESS_OR_WORD", "PIPE_CHAR", "NUMBER_SIGN", "PERCENT", "AMPERSAND", "APOSTROPHE", "STAR", "PLUS", "DOT", "SLASH", "COLON", "SEMICOLON", "LESS_THAN", "EQUALS", "GREATER_THAN", "QUESTION", "COMMERCIAL_AT", "OPENING_SQUARE", "CLOSING_SQUARE", "CARET", "UNDERLINE", "OPENING_BRACE", "CLOSING_BRACE", "TILDE", "EXLAMATION", 0 }; const unsigned long PIXCfgParser::_tokenSet_0_data_[] = { 2UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF const ANTLR_USE_NAMESPACE(antlr)BitSet 
PIXCfgParser::_tokenSet_0(_tokenSet_0_data_,8); const unsigned long PIXCfgParser::_tokenSet_1_data_[] = { 536895346UL, 2172657788UL, 335UL, 54525984UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "object" "service" "http" "ssh" "telnet" "icmp" "object-group" "crypto" // "dns" "no" "certificate" "PIX" "ASA" "FWSM" "hostname" "access-list" // "interface" "controller" LINE_COMMENT "exit" "nameif" "access-group" // COLON_COMMENT "nat" "global" "static" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_1(_tokenSet_1_data_,12); const unsigned long PIXCfgParser::_tokenSet_2_data_[] = { 0UL, 128UL, 0UL, 469762048UL, 0UL, 0UL, 0UL, 0UL }; // INT_CONST "aui" "auto" "bnc" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_2(_tokenSet_2_data_,8); const unsigned long PIXCfgParser::_tokenSet_3_data_[] = { 1073676864UL, 10048UL, 1024UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // "ip" "pim" "ah" "eigrp" "esp" "gre" "igmp" "igrp" "ipinip" "ipsec" "nos" // "ospf" "pcp" "pptp" "snp" "object" "icmp" "icmp6" "tcp" "udp" "object-group" // "permit" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_3(_tokenSet_3_data_,8); const unsigned long PIXCfgParser::_tokenSet_4_data_[] = { 1073676864UL, 10048UL, 2048UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // "ip" "pim" "ah" "eigrp" "esp" "gre" "igmp" "igrp" "ipinip" "ipsec" "nos" // "ospf" "pcp" "pptp" "snp" "object" "icmp" "icmp6" "tcp" "udp" "object-group" // "deny" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_4(_tokenSet_4_data_,8); const unsigned long PIXCfgParser::_tokenSet_5_data_[] = { 3758120818UL, 2172657791UL, 335UL, 54525984UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "object" "description" "host" "range" "subnet" "service" "http" "ssh" // "telnet" "icmp" "object-group" "crypto" "dns" "no" "certificate" "PIX" // "ASA" "FWSM" "hostname" 
"access-list" "interface" "controller" LINE_COMMENT // "exit" "nameif" "access-group" COLON_COMMENT "nat" "global" "static" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_5(_tokenSet_5_data_,12); const unsigned long PIXCfgParser::_tokenSet_6_data_[] = { 536822336UL, 1984UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // "ip" "pim" WORD "ah" "eigrp" "esp" "gre" "igmp" "igrp" "ipinip" "ipsec" // "nos" "ospf" "pcp" "pptp" "snp" "icmp" INT_CONST "icmp6" "tcp" "udp" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_6(_tokenSet_6_data_,8); const unsigned long PIXCfgParser::_tokenSet_7_data_[] = { 1073741824UL, 6307840UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // "description" "group-object" "service-object" "port-object" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_7(_tokenSet_7_data_,8); const unsigned long PIXCfgParser::_tokenSet_8_data_[] = { 2684362768UL, 8192UL, 0UL, 96UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE IPV4 "object" "host" "object-group" "interface" "any" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_8(_tokenSet_8_data_,8); const unsigned long PIXCfgParser::_tokenSet_9_data_[] = { 16UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_9(_tokenSet_9_data_,8); const unsigned long PIXCfgParser::_tokenSet_10_data_[] = { 134275088UL, 16778936UL, 131392UL, 8388608UL, 0UL, 22UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE IPV4 WORD IPV6 "pptp" "http" "ssh" "telnet" INT_CONST "tcp" // "udp" "dns" "hostname" "access-list" "echo" "outside" MINUS "netmask" // "norandomseq" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_10(_tokenSet_10_data_,12); const unsigned long PIXCfgParser::_tokenSet_11_data_[] = { 536805952UL, 128UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // "ip" "pim" "ah" "eigrp" "esp" "gre" "igmp" "igrp" "ipinip" "ipsec" "nos" // "ospf" "pcp" "pptp" "snp" INT_CONST const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_11(_tokenSet_11_data_,8); 
const unsigned long PIXCfgParser::_tokenSet_12_data_[] = { 1610637170UL, 2172657788UL, 335UL, 54525984UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "object" "description" "service" "http" "ssh" "telnet" "icmp" "object-group" // "crypto" "dns" "no" "certificate" "PIX" "ASA" "FWSM" "hostname" "access-list" // "interface" "controller" LINE_COMMENT "exit" "nameif" "access-group" // COLON_COMMENT "nat" "global" "static" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_12(_tokenSet_12_data_,12); const unsigned long PIXCfgParser::_tokenSet_13_data_[] = { 16UL, 0UL, 0UL, 3146112UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "log" "log-input" "fragments" "time-range" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_13(_tokenSet_13_data_,8); const unsigned long PIXCfgParser::_tokenSet_14_data_[] = { 16UL, 4097UL, 122880UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "range" "destination" "eq" "gt" "lt" "neq" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_14(_tokenSet_14_data_,8); const unsigned long PIXCfgParser::_tokenSet_15_data_[] = { 2684362768UL, 12289UL, 385024UL, 3146208UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE IPV4 "object" "host" "range" "destination" "object-group" "eq" // "gt" "lt" "neq" "established" "interface" "any" "log" "log-input" "fragments" // "time-range" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_15(_tokenSet_15_data_,8); const unsigned long PIXCfgParser::_tokenSet_16_data_[] = { 1610637170UL, 2172706940UL, 335UL, 54525984UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "object" "description" "service" "http" "ssh" "telnet" "icmp" "object-group" // "group-object" "network-object" "crypto" "dns" "no" "certificate" "PIX" // "ASA" "FWSM" "hostname" "access-list" "interface" "controller" LINE_COMMENT // "exit" "nameif" "access-group" COLON_COMMENT "nat" 
"global" "static" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_16(_tokenSet_16_data_,12); const unsigned long PIXCfgParser::_tokenSet_17_data_[] = { 1610637170UL, 2172805244UL, 335UL, 54525984UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "object" "description" "service" "http" "ssh" "telnet" "icmp" "object-group" // "group-object" "protocol-object" "crypto" "dns" "no" "certificate" "PIX" // "ASA" "FWSM" "hostname" "access-list" "interface" "controller" LINE_COMMENT // "exit" "nameif" "access-group" COLON_COMMENT "nat" "global" "static" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_17(_tokenSet_17_data_,12); const unsigned long PIXCfgParser::_tokenSet_18_data_[] = { 1610637170UL, 2172936316UL, 335UL, 54525984UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "object" "description" "service" "http" "ssh" "telnet" "icmp" "object-group" // "group-object" "icmp-object" "crypto" "dns" "no" "certificate" "PIX" // "ASA" "FWSM" "hostname" "access-list" "interface" "controller" LINE_COMMENT // "exit" "nameif" "access-group" COLON_COMMENT "nat" "global" "static" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_18(_tokenSet_18_data_,12); const unsigned long PIXCfgParser::_tokenSet_19_data_[] = { 1610637170UL, 2178965628UL, 335UL, 54525984UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "object" "description" "service" "http" "ssh" "telnet" "icmp" "object-group" // "group-object" "service-object" "port-object" "crypto" "dns" "no" "certificate" // "PIX" "ASA" "FWSM" "hostname" "access-list" "interface" "controller" // LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT "nat" "global" // "static" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_19(_tokenSet_19_data_,12); 
const unsigned long PIXCfgParser::_tokenSet_20_data_[] = { 2684379152UL, 8321UL, 4294959104UL, 11534847UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE IPV4 WORD "object" "host" "range" INT_CONST "object-group" "eq" // "gt" "lt" "neq" "echo" "established" "alternate-address" "conversion-error" // "echo-reply" "information-reply" "information-request" "mask-reply" // "mask-request" "mobile-redirect" "parameter-problem" "redirect" "router-advertisement" // "router-solicitation" "source-quench" "time-exceeded" "timestamp-reply" // "timestamp-request" "traceroute" "unreachable" "interface" "any" "log" // "log-input" "fragments" "time-range" "outside" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_20(_tokenSet_20_data_,8); const unsigned long PIXCfgParser::_tokenSet_21_data_[] = { 2684362752UL, 8192UL, 0UL, 96UL, 0UL, 0UL, 0UL, 0UL }; // IPV4 "object" "host" "object-group" "interface" "any" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_21(_tokenSet_21_data_,8); const unsigned long PIXCfgParser::_tokenSet_22_data_[] = { 16UL, 0UL, 0UL, 1048960UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "log" "log-input" "fragments" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_22(_tokenSet_22_data_,8); const unsigned long PIXCfgParser::_tokenSet_23_data_[] = { 16UL, 0UL, 0UL, 384UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "log" "log-input" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_23(_tokenSet_23_data_,8); const unsigned long PIXCfgParser::_tokenSet_24_data_[] = { 536895504UL, 8193UL, 385024UL, 11534720UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE IPV4 WORD "object" "range" "object-group" "eq" "gt" "lt" "neq" // "established" "log" "log-input" "fragments" "time-range" "outside" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_24(_tokenSet_24_data_,8); const unsigned long PIXCfgParser::_tokenSet_25_data_[] = { 0UL, 1UL, 122880UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // "range" "eq" "gt" "lt" "neq" const ANTLR_USE_NAMESPACE(antlr)BitSet 
PIXCfgParser::_tokenSet_25(_tokenSet_25_data_,8); const unsigned long PIXCfgParser::_tokenSet_26_data_[] = { 134234112UL, 184UL, 131136UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // WORD "pptp" "http" "ssh" "telnet" INT_CONST "hostname" "echo" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_26(_tokenSet_26_data_,8); const unsigned long PIXCfgParser::_tokenSet_27_data_[] = { 536870928UL, 8193UL, 385024UL, 3146112UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE "object" "range" "object-group" "eq" "gt" "lt" "neq" "established" // "log" "log-input" "fragments" "time-range" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_27(_tokenSet_27_data_,8); const unsigned long PIXCfgParser::_tokenSet_28_data_[] = { 671113074UL, 2172657917UL, 516431UL, 58720160UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "pptp" "object" "range" "service" "http" "ssh" "telnet" "icmp" INT_CONST // "object-group" "crypto" "dns" "no" "certificate" "PIX" "ASA" "FWSM" // "hostname" "access-list" "eq" "gt" "lt" "neq" "echo" "established" "interface" // "log" "log-input" "alerts" "critical" "debugging" "emergencies" "errors" // "informational" "notifications" "warnings" "disable" "inactive" "interval" // "fragments" "time-range" "controller" LINE_COMMENT "exit" "nameif" "access-group" // COLON_COMMENT "nat" "global" "static" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_28(_tokenSet_28_data_,12); const unsigned long PIXCfgParser::_tokenSet_29_data_[] = { 671113074UL, 2172657916UL, 131407UL, 58720160UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "pptp" "object" "service" "http" "ssh" "telnet" "icmp" INT_CONST "object-group" // "crypto" "dns" "no" "certificate" "PIX" "ASA" "FWSM" "hostname" "access-list" // "echo" "interface" "log" "log-input" "alerts" "critical" "debugging" // "emergencies" "errors" "informational" 
"notifications" "warnings" "disable" // "inactive" "interval" "fragments" "time-range" "controller" LINE_COMMENT // "exit" "nameif" "access-group" COLON_COMMENT "nat" "global" "static" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_29(_tokenSet_29_data_,12); const unsigned long PIXCfgParser::_tokenSet_30_data_[] = { 2684362752UL, 8193UL, 122880UL, 96UL, 0UL, 0UL, 0UL, 0UL }; // IPV4 "object" "host" "range" "object-group" "eq" "gt" "lt" "neq" "interface" // "any" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_30(_tokenSet_30_data_,8); const unsigned long PIXCfgParser::_tokenSet_31_data_[] = { 671113232UL, 8377UL, 516160UL, 11534720UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE IPV4 WORD "pptp" "object" "range" "http" "ssh" "telnet" INT_CONST // "object-group" "hostname" "eq" "gt" "lt" "neq" "echo" "established" // "log" "log-input" "fragments" "time-range" "outside" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_31(_tokenSet_31_data_,8); const unsigned long PIXCfgParser::_tokenSet_32_data_[] = { 2818629648UL, 16791225UL, 516416UL, 3146208UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE IPV4 WORD IPV6 "pptp" "object" "host" "range" "http" "ssh" "telnet" // INT_CONST "tcp" "udp" "destination" "object-group" "dns" "hostname" // "access-list" "eq" "gt" "lt" "neq" "echo" "established" "interface" // "any" "log" "log-input" "fragments" "time-range" "netmask" "norandomseq" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_32(_tokenSet_32_data_,12); const unsigned long PIXCfgParser::_tokenSet_33_data_[] = { 2684387186UL, 2172657917UL, 4294959439UL, 66060799UL, 3691118593UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" IPV4 // WORD "object" "host" "range" "service" "http" "ssh" "telnet" "icmp" // INT_CONST "object-group" "crypto" "dns" "no" "certificate" "PIX" "ASA" // "FWSM" "hostname" "access-list" "eq" "gt" "lt" "neq" "echo" "established" // 
"alternate-address" "conversion-error" "echo-reply" "information-reply" // "information-request" "mask-reply" "mask-request" "mobile-redirect" // "parameter-problem" "redirect" "router-advertisement" "router-solicitation" // "source-quench" "time-exceeded" "timestamp-reply" "timestamp-request" // "traceroute" "unreachable" "interface" "any" "log" "log-input" "fragments" // "time-range" "controller" "outside" LINE_COMMENT "exit" "nameif" "dhcp" // "access-group" COLON_COMMENT "nat" CLOSING_PAREN COMMA "global" "static" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_33(_tokenSet_33_data_,12); const unsigned long PIXCfgParser::_tokenSet_34_data_[] = { 1108345408UL, 2147483648UL, 0UL, 0UL, 589823UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // "ip" "pim" "igmp" "ospf" "description" "no" "nameif" "vlan" "speed" // "duplex" "ddns" "forward" "delay" "hold-time" "ipv6" "management-only" // "mac-address" "multicast" PPPOE "rip" "security-level" "shutdown" "switchport" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_34(_tokenSet_34_data_,12); const unsigned long PIXCfgParser::_tokenSet_35_data_[] = { 1108345408UL, 2147483648UL, 0UL, 50331648UL, 589823UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // "ip" "pim" "igmp" "ospf" "description" "no" LINE_COMMENT "exit" "nameif" // "vlan" "speed" "duplex" "ddns" "forward" "delay" "hold-time" "ipv6" // "management-only" "mac-address" "multicast" PPPOE "rip" "security-level" // "shutdown" "switchport" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_35(_tokenSet_35_data_,12); const unsigned long PIXCfgParser::_tokenSet_36_data_[] = { 16384UL, 0UL, 0UL, 8388608UL, 0UL, 0UL, 0UL, 0UL }; // WORD "outside" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_36(_tokenSet_36_data_,8); const unsigned long PIXCfgParser::_tokenSet_37_data_[] = { 0UL, 16778880UL, 0UL, 8388608UL, 0UL, 16UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // INT_CONST "tcp" "udp" "dns" "outside" "norandomseq" const 
ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_37(_tokenSet_37_data_,12); const unsigned long PIXCfgParser::_tokenSet_38_data_[] = { 16UL, 16778880UL, 0UL, 8388608UL, 0UL, 16UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE INT_CONST "tcp" "udp" "dns" "outside" "norandomseq" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_38(_tokenSet_38_data_,12); const unsigned long PIXCfgParser::_tokenSet_39_data_[] = { 3758120818UL, 2172659455UL, 335UL, 62914592UL, 469762049UL, 25UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "object" "description" "host" "range" "subnet" "service" "http" "ssh" // "telnet" "icmp" INT_CONST "tcp" "udp" "object-group" "crypto" "dns" // "no" "certificate" "PIX" "ASA" "FWSM" "hostname" "access-list" "interface" // "controller" "outside" LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT // "nat" "global" "static" "norandomseq" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_39(_tokenSet_39_data_,12); const unsigned long PIXCfgParser::_tokenSet_40_data_[] = { 16UL, 16778880UL, 0UL, 8388608UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE INT_CONST "tcp" "udp" "dns" "outside" "netmask" "norandomseq" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_40(_tokenSet_40_data_,12); const unsigned long PIXCfgParser::_tokenSet_41_data_[] = { 3758129010UL, 2172659455UL, 335UL, 62914592UL, 469762049UL, 29UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" IPV4 // WORD "object" "description" "host" "range" "subnet" "service" "http" // "ssh" "telnet" "icmp" INT_CONST "tcp" "udp" "object-group" "crypto" // "dns" "no" "certificate" "PIX" "ASA" "FWSM" "hostname" "access-list" // "interface" "controller" "outside" LINE_COMMENT "exit" "nameif" "access-group" // COLON_COMMENT "nat" "global" "netmask" "static" "norandomseq" const ANTLR_USE_NAMESPACE(antlr)BitSet 
PIXCfgParser::_tokenSet_41(_tokenSet_41_data_,12); const unsigned long PIXCfgParser::_tokenSet_42_data_[] = { 0UL, 16778880UL, 0UL, 0UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // INT_CONST "tcp" "udp" "dns" "netmask" "norandomseq" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_42(_tokenSet_42_data_,12); const unsigned long PIXCfgParser::_tokenSet_43_data_[] = { 134275072UL, 184UL, 131392UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // IPV4 WORD IPV6 "pptp" "http" "ssh" "telnet" INT_CONST "hostname" "access-list" // "echo" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_43(_tokenSet_43_data_,8); const unsigned long PIXCfgParser::_tokenSet_44_data_[] = { 16UL, 16778880UL, 0UL, 0UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE INT_CONST "tcp" "udp" "dns" "netmask" "norandomseq" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_44(_tokenSet_44_data_,12); fwbuilder-5.3.7/src/parsers/PIXCfgParser.hpp000066400000000000000000000277171303637203600207460ustar00rootroot00000000000000#ifndef INC_PIXCfgParser_hpp_ #define INC_PIXCfgParser_hpp_ #line 25 "pix.g" // gets inserted before antlr generated includes in the header // file #include "PIXImporter.h" #line 11 "PIXCfgParser.hpp" #include /* $ANTLR 2.7.7 (20090306): "pix.g" -> "PIXCfgParser.hpp"$ */ #include #include #include "PIXCfgParserTokenTypes.hpp" #include #line 32 "pix.g" // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include class PIXImporter; #line 28 "PIXCfgParser.hpp" #line 56 "pix.g" // gets inserted after generated namespace specifications in the // header file. But outside the generated class. 
#line 34 "PIXCfgParser.hpp" class CUSTOM_API PIXCfgParser : public ANTLR_USE_NAMESPACE(antlr)LLkParser, public PIXCfgParserTokenTypes { #line 81 "pix.g" // additional methods and members public: std::ostream *dbg; PIXImporter *importer; /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { importer->addMessageToLog("Parser error: " + ex.toString()); std::cerr << ex.toString() << std::endl; } /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser error: " + s); std::cerr << s << std::endl; } /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser warning: " + s); std::cerr << s << std::endl; } #line 38 "PIXCfgParser.hpp" public: void initializeASTFactory( ANTLR_USE_NAMESPACE(antlr)ASTFactory& factory ); protected: PIXCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf, int k); public: PIXCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenBuffer& tokenBuf); protected: PIXCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer, int k); public: PIXCfgParser(ANTLR_USE_NAMESPACE(antlr)TokenStream& lexer); PIXCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputState& state); int getNumTokens() const { return PIXCfgParser::NUM_TOKENS; } const char* getTokenName( int type ) const { if( type > getNumTokens() ) return 0; return PIXCfgParser::tokenNames[type]; } const char* const* getTokenNames() const { return PIXCfgParser::tokenNames; } public: void cfgfile(); public: void comment(); public: void version(); public: void hostname(); public: void community_list_command(); public: void unknown_ip_command(); public: void intrface(); public: void nameif_top_level(); public: void intf_address(); public: void controller(); public: void access_list_commands(); 
public: void ssh_command(); public: void telnet_command(); public: void http_command(); public: void icmp_top_level_command(); public: void nat_top_level_command(); public: void global_top_level_command(); public: void static_top_level_command(); public: void access_group(); public: void exit(); public: void certificate(); public: void quit(); public: void names_section(); public: void name_entry(); public: void named_object_network(); public: void named_object_service(); public: void object_group_network(); public: void object_group_service(); public: void object_group_protocol(); public: void object_group_icmp_8_0(); public: void object_group_icmp_8_3(); public: void crypto(); public: void no_commands(); public: void timeout_command(); public: void dns_command(); public: void service_top_level_command(); public: void pim_top_level_command(); public: void network_top_level_command(); public: void unknown_command(); public: void name_entry_ipv4(); public: void name_entry_ipv6(); public: void ip_protocol_names(); public: void named_object_nat(); public: void named_object_description(); public: void named_object_network_parameters(); public: void host_addr(); public: void range_addr(); public: void subnet_addr(); public: void single_addr(); public: void named_object_service_parameters(); public: void service_icmp(); public: void service_icmp6(); public: void service_tcp_udp(); public: void service_other(); public: void service_unknown(); public: void icmp_names(); public: void src_port_spec(); public: void dst_port_spec(); public: void xoperator(); public: void object_group_network_parameters(); public: void object_group_description(); public: void group_object(); public: void network_object(); public: void object_group_protocol_parameters(); public: void protocol_object(); public: void object_group_icmp_parameters(); public: void icmp_object(); public: void object_group_service_parameters(); public: void service_object(); public: void port_object(); public: void 
permit_extended(); public: void deny_extended(); public: void permit_standard(); public: void deny_standard(); public: void remark(); public: void rule_extended(); public: void rule_standard(); public: void hostaddr_expr(); public: void ip_protocols(); public: void time_range(); public: void fragments(); public: void log(); public: void icmp_spec(); public: void tcp_udp_rule_extended(); public: void hostaddr_expr_1(); public: void acl_tcp_udp_dst_port_spec(); public: void hostaddr_expr_2(); public: void acl_xoperator_dst(); public: void established(); public: void hostaddr_expr_3(); public: void single_port_op(); public: void port_range(); public: void port_spec(); public: void tcp_udp_port_spec(); public: void pair_of_ports_spec(); public: void tcp_udp_port_names(); public: void interface_label(); public: void interface_command_6(); public: void interface_command_7(); public: void pix6_interface_hw_speed(); public: void interface_parameters(); public: void vlan_interface(); public: void sec_level(); public: void nameif(); public: void interface_description(); public: void switchport(); public: void shutdown(); public: void interface_no_commands(); public: void unsupported_interface_commands(); public: void v6_ip_address(); public: void v7_ip_address(); public: void v6_dhcp_address(); public: void v6_static_address(); public: void v7_dhcp_address(); public: void v7_static_address(); public: void icmp_types_for_icmp_command(); public: void nat_old_top_level_command(); public: void nat_new_top_level_command(); public: void nat_addr_match(); public: void nat_command_last_parameters(); public: void nat_and_static_command_common_last_parameters(); public: void static_starts_with_hostaddr(); public: void static_starts_with_tcp_udp(); public: void static_mapped_addr_match(); public: void static_real_addr_match(); public: void static_command_common_last_parameters(); public: ANTLR_USE_NAMESPACE(antlr)RefAST getAST() { return returnAST; } protected: 
ANTLR_USE_NAMESPACE(antlr)RefAST returnAST; private: static const char* tokenNames[]; #ifndef NO_STATIC_CONSTS static const int NUM_TOKENS = 197; #else enum { NUM_TOKENS = 197 }; #endif static const unsigned long _tokenSet_0_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_0; static const unsigned long _tokenSet_1_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_1; static const unsigned long _tokenSet_2_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_2; static const unsigned long _tokenSet_3_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_3; static const unsigned long _tokenSet_4_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_4; static const unsigned long _tokenSet_5_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_5; static const unsigned long _tokenSet_6_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_6; static const unsigned long _tokenSet_7_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_7; static const unsigned long _tokenSet_8_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_8; static const unsigned long _tokenSet_9_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_9; static const unsigned long _tokenSet_10_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_10; static const unsigned long _tokenSet_11_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_11; static const unsigned long _tokenSet_12_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_12; static const unsigned long _tokenSet_13_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_13; static const unsigned long _tokenSet_14_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_14; static const unsigned long _tokenSet_15_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_15; static const unsigned long _tokenSet_16_data_[]; static const 
ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_16; static const unsigned long _tokenSet_17_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_17; static const unsigned long _tokenSet_18_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_18; static const unsigned long _tokenSet_19_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_19; static const unsigned long _tokenSet_20_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_20; static const unsigned long _tokenSet_21_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_21; static const unsigned long _tokenSet_22_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_22; static const unsigned long _tokenSet_23_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_23; static const unsigned long _tokenSet_24_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_24; static const unsigned long _tokenSet_25_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_25; static const unsigned long _tokenSet_26_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_26; static const unsigned long _tokenSet_27_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_27; static const unsigned long _tokenSet_28_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_28; static const unsigned long _tokenSet_29_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_29; static const unsigned long _tokenSet_30_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_30; static const unsigned long _tokenSet_31_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_31; static const unsigned long _tokenSet_32_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_32; static const unsigned long _tokenSet_33_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_33; static const unsigned long _tokenSet_34_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet 
_tokenSet_34; static const unsigned long _tokenSet_35_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_35; static const unsigned long _tokenSet_36_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_36; static const unsigned long _tokenSet_37_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_37; static const unsigned long _tokenSet_38_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_38; static const unsigned long _tokenSet_39_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_39; static const unsigned long _tokenSet_40_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_40; static const unsigned long _tokenSet_41_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_41; static const unsigned long _tokenSet_42_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_42; static const unsigned long _tokenSet_43_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_43; static const unsigned long _tokenSet_44_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_44; }; #endif /*INC_PIXCfgParser_hpp_*/ fwbuilder-5.3.7/src/parsers/PIXCfgParser.txt000066400000000000000000004554711303637203600210000ustar00rootroot00000000000000ANTLR-generated file resulting from grammar pix.g Diagnostic output Terence Parr, MageLang Institute with John Lilley, Empathy Software ANTLR Version 2.7.7 (20090306); 1989-2005 *** Header Action. This action will appear at the top of all generated files. // gets inserted after generated namespace specifications in the // header file. But outside the generated class. *** End of Header Action *** Parser Preamble Action. This action will appear before the declaration of your parser class: *** End of Parser Preamble Action *** Your parser class is called 'PIXCfgParser' and is a subclass of 'LLkParser'. 
*** User-defined parser class members: These are the member declarations that you defined for your class: // additional methods and members public: std::ostream *dbg; PIXImporter *importer; *** End of user-defined parser class members *** Parser rules: *** Parser Rule: cfgfile Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } is matched. Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: k==1: { NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } k==2: { EOF, NEWLINE, "quit", "ip", "community-list", "names", "name", IPV4, WORD, INT_CONST, "object", "network", "service", "object-group", "protocol", "icmp-type", "crypto", "certificate", "PIX", "ASA", "Version", "hostname", STRING, "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { LINE_COMMENT, COLON_COMMENT } is matched. Rule Reference: comment Otherwise, Alternate(2) will be taken IF: The lookahead set: { "PIX", "ASA" } is matched. Rule Reference: version Otherwise, Alternate(3) will be taken IF: The lookahead set: { "hostname" } is matched. 
Rule Reference: hostname Otherwise, Alternate(4) will be taken IF: The lookahead set: k==1: {"ip" } k==2: {"access-list" } is matched. Rule Reference: ip_access_list_ext Otherwise, Alternate(5) will be taken IF: The lookahead set: k==1: {"ip" } k==2: {"community-list" } is matched. Rule Reference: community_list_command Otherwise, Alternate(6) will be taken IF: The lookahead set: k==1: {"ip" } k==2: {WORD } is matched. Rule Reference: unknown_ip_command Otherwise, Alternate(7) will be taken IF: The lookahead set: { "interface" } is matched. Rule Reference: intrface Otherwise, Alternate(8) will be taken IF: The lookahead set: { "controller" } is matched. Rule Reference: controller Otherwise, Alternate(9) will be taken IF: The lookahead set: { "access-list" } is matched. Rule Reference: access_list_commands Otherwise, Alternate(10) will be taken IF: The lookahead set: { "exit" } is matched. Rule Reference: exit Otherwise, Alternate(11) will be taken IF: The lookahead set: { "certificate" } is matched. Rule Reference: certificate Otherwise, Alternate(12) will be taken IF: The lookahead set: { "quit" } is matched. Rule Reference: quit Otherwise, Alternate(13) will be taken IF: The lookahead set: { "names" } is matched. Rule Reference: names_section Otherwise, Alternate(14) will be taken IF: The lookahead set: { "name", INT_CONST } is matched. Rule Reference: name_entry Otherwise, Alternate(15) will be taken IF: The lookahead set: k==1: {"object" } k==2: {"network" } is matched. Rule Reference: named_object_network Otherwise, Alternate(16) will be taken IF: The lookahead set: k==1: {"object" } k==2: {"service" } is matched. Rule Reference: named_object_service Otherwise, Alternate(17) will be taken IF: The lookahead set: k==1: {"object-group" } k==2: {"network" } is matched. Rule Reference: object_group_network Otherwise, Alternate(18) will be taken IF: The lookahead set: k==1: {"object-group" } k==2: {"service" } is matched. 
Rule Reference: object_group_service Otherwise, Alternate(19) will be taken IF: The lookahead set: k==1: {"object-group" } k==2: {"protocol" } is matched. Rule Reference: object_group_protocol Otherwise, Alternate(20) will be taken IF: The lookahead set: k==1: {"object-group" } k==2: {"icmp-type" } is matched. Rule Reference: object_group_icmp Otherwise, Alternate(21) will be taken IF: The lookahead set: { "crypto" } is matched. Rule Reference: crypto Otherwise, Alternate(22) will be taken IF: The lookahead set: { WORD } is matched. Rule Reference: unknown_command Otherwise, Alternate(23) will be taken IF: The lookahead set: { NEWLINE } is matched. Match token NEWLINE OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. End ONE-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {EOF } *** End Parser Rule: cfgfile *** Parser Rule: comment Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { LINE_COMMENT, COLON_COMMENT } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { LINE_COMMENT, COLON_COMMENT } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { LINE_COMMENT, COLON_COMMENT } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { LINE_COMMENT } is matched. Match token LINE_COMMENT Otherwise, Alternate(2) will be taken IF: The lookahead set: { COLON_COMMENT } is matched. Match token COLON_COMMENT OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: comment *** Parser Rule: version Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "PIX", "ASA" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "PIX", "ASA" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "PIX", "ASA" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "PIX" } is matched. Match token PIX_WORD Otherwise, Alternate(2) will be taken IF: The lookahead set: { "ASA" } is matched. Match token ASA_WORD OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Match token VERSION_WORD Match token NUMBER ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->setDiscoveredVersion(LT(0)->getText()); *dbg << "VERSION " << LT(0)->getText() << std::endl; consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: version *** Parser Rule: hostname Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { "hostname" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "hostname" } is matched. Match token HOSTNAME Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD, STRING } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { STRING } is matched. Match token STRING Otherwise, Alternate(2) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->setHostName( LT(0)->getText() ); *dbg << "HOSTNAME " << "LT0=" << LT(0)->getText() << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: hostname *** Parser Rule: ip_access_list_ext Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "ip" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "ip" } is matched. Match token IP Match token ACCESS_LIST Match token WORD, label=name ACTION: importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newUnidirRuleSet( name->getText(), libfwbuilder::Policy::TYPENAME ); *dbg << name->getLine() << ":" << " ACL ext " << name->getText() << std::endl; Start of alternative block. Start of an alternative block. 
The lookahead set for this block is: { NEWLINE, "permit", "deny", LINE_COMMENT, "remark", COLON_COMMENT } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "permit" } is matched. Rule Reference: permit_ext Otherwise, Alternate(2) will be taken IF: The lookahead set: { "deny" } is matched. Rule Reference: deny_ext Otherwise, Alternate(3) will be taken IF: The lookahead set: { LINE_COMMENT, COLON_COMMENT } is matched. Rule Reference: comment Otherwise, Alternate(4) will be taken IF: The lookahead set: { "remark" } is matched. Rule Reference: remark Otherwise, Alternate(5) will be taken IF: The lookahead set: { NEWLINE } is matched. Match token NEWLINE OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: *dbg << LT(0)->getLine() << ":" << " ACL line end" << std::endl << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: ip_access_list_ext *** Parser Rule: community_list_command Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "ip" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "ip" } is matched. Match token IP Match token COMMUNITY_LIST ACTION: consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: community_list_command *** Parser Rule: unknown_ip_command Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "ip" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "ip" } is matched. Match token IP Match token WORD ACTION: consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: unknown_ip_command *** Parser Rule: intrface Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "interface" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "interface" } is matched. Match token INTRFACE Match token WORD, label=in ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->newInterface( in->getText() ); *dbg << in->getLine() << ":" << " INTRFACE: " << in->getText() << std::endl; consumeUntil(NEWLINE); Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, "description" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "description" } is matched. Rule Reference: interface_description Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE } is matched. 
OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: k==1: {NEWLINE } k==2: { "ip", "igmp", "ospf", "pim", "description", "vlan", "speed", "duplex", "ddns", "forward", "delay", "hold-time", "ipv6", "mac-address", "multicast", PPPOE, "rip", "no", "security-level", "nameif", "shutdown", "switchport" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: k==1: {NEWLINE } k==2: { "ip", "igmp", "ospf", "pim", "description", "vlan", "speed", "duplex", "ddns", "forward", "delay", "hold-time", "ipv6", "mac-address", "multicast", PPPOE, "rip", "no", "security-level", "nameif", "shutdown", "switchport" } is matched. Rule Reference: interface_parameters OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. Match token NEWLINE Match token LINE_COMMENT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: intrface *** Parser Rule: controller Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "controller" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "controller" } is matched. Match token CONTROLLER ACTION: importer->clearCurrentInterface(); consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: controller *** Parser Rule: access_list_commands Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "access-list" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "access-list" } is matched. Match token ACCESS_LIST Match token INT_CONST, label=acl_num ACTION: importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newUnidirRuleSet( std::string("acl_") + acl_num->getText(), libfwbuilder::Policy::TYPENAME ); *dbg << acl_num->getLine() << ":" << " ACL #" << acl_num->getText() << " "; Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "permit", "deny", "remark" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "permit" } is matched. Rule Reference: permit_ext Otherwise, Alternate(2) will be taken IF: The lookahead set: { "deny" } is matched. Rule Reference: deny_ext Otherwise, Alternate(3) will be taken IF: The lookahead set: { "remark" } is matched. Rule Reference: remark OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: access_list_commands *** Parser Rule: exit Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "exit" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "exit" } is matched. Match token EXIT OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: exit *** Parser Rule: certificate Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "certificate" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "certificate" } is matched. Match token CERTIFICATE Match token WORD ACTION: consumeUntil(NEWLINE); consumeUntil(QUIT); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: certificate *** Parser Rule: quit Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { "quit" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "quit" } is matched. Match token QUIT ACTION: consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: quit *** Parser Rule: names_section Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "names" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "names" } is matched. Match token NAMES ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( "Parser warning: \"names\" section detected. " "Import of configuration that uses \"names\" " "is not supported at this time"); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: names_section *** Parser Rule: name_entry Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "name", INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "name" } is matched. Match token NAME Start of alternative block. 
Start of an alternative block. The lookahead set for this block is: { IPV4 } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. Match token IPV4, label=a Match token WORD, label=n OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Otherwise, Alternate(2) will be taken IF: The lookahead set: { INT_CONST } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { INT_CONST } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=v6 OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. ACTION: if (a) { importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( "Name " + a->getText() + " " + n->getText()); *dbg << "Name " << a->getText() << " " << n->getText() << std::endl; } if (v6) { importer->addMessageToLog( "Parser warning: IPv6 import is not supported. "); consumeUntil(NEWLINE); } OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: name_entry *** Parser Rule: named_object_network Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "object" } is matched. 
Match token OBJECT Match token NETWORK Match token WORD, label=name ACTION: importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newNamedObjectAddress(name->getText()); *dbg << name->getLine() << ":" << " Named Object " << name->getText() << std::endl; Start ZERO-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: k==1: {NEWLINE } k==2: {"nat", "description", "host", "range", "subnet" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: k==1: {NEWLINE } k==2: {"nat", "description", "host", "range", "subnet" } is matched. Match token NEWLINE Rule Reference: named_object_network_parameters OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ZERO-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: named_object_network *** Parser Rule: named_object_service Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "object" } is matched. Match token OBJECT Match token SERVICE Match token WORD, label=name ACTION: importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newNamedObjectService(name->getText()); *dbg << name->getLine() << ":" << " Named Object " << name->getText() << std::endl; Start ZERO-OR-MORE (...)+ block: Warning: This zero-or-more block is non-deterministic Start of an alternative block. 
The lookahead set for this block is: k==1: {NEWLINE } k==2: {"description", "service" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: k==1: {NEWLINE } k==2: {"description", "service" } is matched. Match token NEWLINE Rule Reference: named_object_service_parameters OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ZERO-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: named_object_service *** Parser Rule: object_group_network Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "object-group" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "object-group" } is matched. Match token OBJECT_GROUP Match token NETWORK Match token WORD, label=name ACTION: importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupNetwork(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: k==1: {NEWLINE } k==2: {"description", "group-object", "network-object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: k==1: {NEWLINE } k==2: {"description", "group-object", "network-object" } is matched. Rule Reference: object_group_network_parameters OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. 
OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: object_group_network *** Parser Rule: object_group_service Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "object-group" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "object-group" } is matched. Match token OBJECT_GROUP Match token SERVICE Match token WORD, label=name ACTION: importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupService(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: k==1: {NEWLINE } k==2: {"description", "group-object", "service-object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: k==1: {NEWLINE } k==2: {"description", "group-object", "service-object" } is matched. Rule Reference: object_group_service_parameters OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: object_group_service *** Parser Rule: object_group_protocol Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "object-group" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "object-group" } is matched. Match token OBJECT_GROUP Match token PROTOCOL Match token WORD, label=name ACTION: importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupProtocol(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: k==1: {NEWLINE } k==2: {"description", "group-object", "protocol-object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: k==1: {NEWLINE } k==2: {"description", "group-object", "protocol-object" } is matched. Rule Reference: object_group_protocol_parameters OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: object_group_protocol *** Parser Rule: object_group_icmp Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { "object-group" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "object-group" } is matched. Match token OBJECT_GROUP Match token ICMP_TYPE Match token WORD, label=name ACTION: importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupICMP(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; Start ONE-OR-MORE (...)+ block: Start of an alternative block. The lookahead set for this block is: k==1: {NEWLINE } k==2: {"description", "group-object", "icmp-object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: k==1: {NEWLINE } k==2: {"description", "group-object", "icmp-object" } is matched. Rule Reference: object_group_icmp_parameters OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. End ONE-OR-MORE block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: object_group_icmp *** Parser Rule: crypto Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "crypto" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "crypto" } is matched. Match token CRYPTO ACTION: consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: crypto *** Parser Rule: unknown_command Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { WORD } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD ACTION: consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: unknown_command *** Parser Rule: ip_protocol_names Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "ah" } is matched. Match token AH Otherwise, Alternate(2) will be taken IF: The lookahead set: { "eigrp" } is matched. 
Match token EIGRP Otherwise, Alternate(3) will be taken IF: The lookahead set: { "esp" } is matched. Match token ESP Otherwise, Alternate(4) will be taken IF: The lookahead set: { "gre" } is matched. Match token GRE Otherwise, Alternate(5) will be taken IF: The lookahead set: { "igmp" } is matched. Match token IGMP Otherwise, Alternate(6) will be taken IF: The lookahead set: { "igrp" } is matched. Match token IGRP Otherwise, Alternate(7) will be taken IF: The lookahead set: { "ip" } is matched. Match token IP Otherwise, Alternate(8) will be taken IF: The lookahead set: { "ipinip" } is matched. Match token IPINIP Otherwise, Alternate(9) will be taken IF: The lookahead set: { IPSEC } is matched. Match token IPSEC Otherwise, Alternate(10) will be taken IF: The lookahead set: { "nos" } is matched. Match token NOS Otherwise, Alternate(11) will be taken IF: The lookahead set: { "ospf" } is matched. Match token OSPF Otherwise, Alternate(12) will be taken IF: The lookahead set: { "pcp" } is matched. Match token PCP Otherwise, Alternate(13) will be taken IF: The lookahead set: { "pim" } is matched. Match token PIM Otherwise, Alternate(14) will be taken IF: The lookahead set: { PPTP } is matched. Match token PPTP Otherwise, Alternate(15) will be taken IF: The lookahead set: { SNP } is matched. Match token SNP OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", IPV4, WORD, INT_CONST, "object", "host", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "any", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: ip_protocol_names *** Parser Rule: named_object_network_parameters Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "nat", "description", "host", "range", "subnet" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "nat", "description", "host", "range", "subnet" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "nat", "description", "host", "range", "subnet" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "nat" } is matched. Rule Reference: named_object_nat Otherwise, Alternate(2) will be taken IF: The lookahead set: { "host" } is matched. Rule Reference: host_addr Otherwise, Alternate(3) will be taken IF: The lookahead set: { "range" } is matched. Rule Reference: range_addr Otherwise, Alternate(4) will be taken IF: The lookahead set: { "subnet" } is matched. Rule Reference: subnet_addr Otherwise, Alternate(5) will be taken IF: The lookahead set: { "description" } is matched. Rule Reference: named_object_description OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: named_object_network_parameters *** Parser Rule: named_object_nat Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "nat" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "nat" } is matched. Match token NAT ACTION: importer->addMessageToLog( "Parser warning: " "Import of named objects with \"nat\" command " "is not supported at this time"); consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: named_object_nat *** Parser Rule: host_addr Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "host" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "host" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "host" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "host" } is matched. Match token HOST Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. 
Match token IPV4, label=h Otherwise, Alternate(2) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=v6 OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); if (h) { importer->tmp_a = h->getText(); importer->tmp_nm = "255.255.255.255"; importer->commitNamedAddressObject(); *dbg << h->getText() << "/255.255.255.255"; } if (v6) { importer->addMessageToLog( "Parser warning: IPv6 import is not supported. "); consumeUntil(NEWLINE); } OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: host_addr *** Parser Rule: range_addr Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "range" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "range" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "range" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "range" } is matched. Match token RANGE Match token IPV4, label=r1 Match token IPV4, label=r2 OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->tmp_range_1 = r1->getText(); importer->tmp_range_2 = r2->getText(); importer->commitNamedAddressRangeObject(); *dbg << r1->getText() << "/" << r2->getText(); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: range_addr *** Parser Rule: subnet_addr Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "subnet" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "subnet" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "subnet" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "subnet" } is matched. Match token SUBNET Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4 } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. Match token IPV4, label=a Match token IPV4, label=nm OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Otherwise, Alternate(2) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=v6 OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. 
OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); if (a) { importer->tmp_a = a->getText(); importer->tmp_nm = nm->getText(); importer->commitNamedAddressObject(); *dbg << a->getText() << "/" << nm->getText(); } if (v6) { importer->addMessageToLog( "Parser warning: IPv6 import is not supported. "); consumeUntil(NEWLINE); } OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: subnet_addr *** Parser Rule: named_object_description Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "description" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "description" } is matched. Match token DESCRIPTION ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); *dbg << LT(1)->getLine() << ":"; std::string descr; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { descr += LT(1)->getText() + " "; consume(); } importer->setNamedObjectDescription(descr); *dbg << " DESCRIPTION " << descr << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: named_object_description *** Parser Rule: named_object_service_parameters Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "description", "service" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "description", "service" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: k==1: {"description", "service" } k==2: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP, "object", "icmp", ICMP6, "tcp", "udp", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: k==1: {"service" } k==2: {"icmp" } is matched. Rule Reference: service_icmp Otherwise, Alternate(2) will be taken IF: The lookahead set: k==1: {"service" } k==2: {ICMP6 } is matched. Rule Reference: service_icmp6 Otherwise, Alternate(3) will be taken IF: The lookahead set: k==1: {"service" } k==2: {"tcp", "udp" } is matched. Rule Reference: service_tcp_udp Otherwise, Alternate(4) will be taken IF: The lookahead set: k==1: {"service" } k==2: { "ip", INT_CONST, "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } is matched. Rule Reference: service_other Otherwise, Alternate(5) will be taken IF: The lookahead set: { "description" } is matched. 
Rule Reference: named_object_description OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: named_object_service_parameters *** Parser Rule: service_icmp Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "service" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "service" } is matched. Match token SERVICE Match token ICMP Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=icmp_type ACTION: importer->icmp_type = LT(0)->getText(); Otherwise, Alternate(2) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD, label=icmp_word ACTION: importer->icmp_spec = icmp_word->getText(); OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->commitNamedICMPServiceObject(); *dbg << "NAMED OBJECT SERVICE ICMP " << LT(0)->getText() << " "; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: service_icmp *** Parser Rule: service_icmp6 Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "service" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "service" } is matched. Match token SERVICE Match token ICMP6 Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST Otherwise, Alternate(2) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog("Parser warning: " "Import of IPv6 addresses and servcies " "is not supported at this time"); *dbg << "NAMED OBJECT SERVICE ICMP6 " << LT(0)->getText() << " "; consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: service_icmp6 *** Parser Rule: service_tcp_udp Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { "service" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "service" } is matched. Match token SERVICE Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "tcp", "udp" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "tcp" } is matched. Match token TCP Otherwise, Alternate(2) will be taken IF: The lookahead set: { "udp" } is matched. Match token UDP OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->protocol = LT(0)->getText(); *dbg << "NAMED OBJECT SERVICE " << LT(0)->getText() << " "; Start of alternative block. Start of an alternative block. The lookahead set for this block is: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "source", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "source" } is matched. Rule Reference: src_port_spec Otherwise, Alternate(2) will be taken IF: The lookahead set: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. 
The lookahead set for this block is: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "destination" } is matched. Rule Reference: dst_port_spec Otherwise, Alternate(2) will be taken IF: The lookahead set: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->commitNamedTCPUDPServiceObject(); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: service_tcp_udp *** Parser Rule: service_other Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "service" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "service" } is matched. Match token SERVICE Start of alternative block. Start of an alternative block. 
The lookahead set for this block is: { "ip", INT_CONST, "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST Otherwise, Alternate(2) will be taken IF: The lookahead set: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } is matched. Rule Reference: ip_protocol_names OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->protocol = LT(0)->getText(); importer->commitNamedIPServiceObject(); *dbg << "NAMED OBJECT SERVICE " << LT(0)->getText() << " "; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: service_other *** Parser Rule: src_port_spec Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "source" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "source" } is matched. Match token SOURCE Rule Reference: xoperator ACTION: importer->SaveTmpPortToSrc(); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: src_port_spec *** Parser Rule: dst_port_spec Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "destination" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "destination" } is matched. Match token DESTINATION Rule Reference: xoperator ACTION: importer->SaveTmpPortToDst(); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: dst_port_spec *** Parser Rule: xoperator Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "range", "eq", "gt", "lt", "neq" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "eq", "gt", "lt", "neq" } is matched. Rule Reference: single_port_op Otherwise, Alternate(2) will be taken IF: The lookahead set: { "range" } is matched. Rule Reference: port_range OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", IPV4, WORD, INT_CONST, "object", "host", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "any", "log", "log-input", "established", "fragments", "time-range", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: xoperator *** Parser Rule: object_group_network_parameters Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { NEWLINE } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { NEWLINE } is matched. Match token NEWLINE Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "description", "group-object", "network-object" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "description" } is matched. Rule Reference: object_group_description Otherwise, Alternate(2) will be taken IF: The lookahead set: { "group-object" } is matched. Rule Reference: group_object Otherwise, Alternate(3) will be taken IF: The lookahead set: { "network-object" } is matched. Rule Reference: network_object OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: object_group_network_parameters *** Parser Rule: object_group_description Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { "description" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "description" } is matched. Match token DESCRIPTION ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); *dbg << LT(1)->getLine() << ":"; std::string descr; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { descr += LT(1)->getText() + " "; consume(); } importer->setObjectGroupDescription(descr); *dbg << " DESCRIPTION " << descr << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: object_group_description *** Parser Rule: group_object Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "group-object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "group-object" } is matched. Match token GROUP_OBJECT Match token WORD, label=name ACTION: importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: group_object *** Parser Rule: network_object Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "network-object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "network-object" } is matched. Match token NETWORK_OBJECT ACTION: importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4, INT_CONST, "object", "host" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { IPV4, INT_CONST } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4 } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. Match token IPV4, label=a Match token IPV4, label=nm OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Otherwise, Alternate(2) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=v6 OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: if (a) { importer->tmp_a = a->getText(); importer->tmp_nm = nm->getText(); importer->addNetworkToObjectGroup(); *dbg << a->getText() << "/" << nm->getText(); } if (v6) { importer->addMessageToLog( "Parser warning: IPv6 import is not supported. 
"); consumeUntil(NEWLINE); } Otherwise, Alternate(2) will be taken IF: The lookahead set: { "host" } is matched. Match token HOST Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. Match token IPV4, label=h Otherwise, Alternate(2) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=hv6 OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: if (h) { importer->tmp_a = h->getText(); importer->tmp_nm = "255.255.255.255"; importer->addNetworkToObjectGroup(); *dbg << h->getText() << "/255.255.255.255"; } if (hv6) { importer->addMessageToLog( "Parser warning: IPv6 import is not supported. "); consumeUntil(NEWLINE); } Otherwise, Alternate(3) will be taken IF: The lookahead set: { "object" } is matched. Match token OBJECT Match token WORD, label=name ACTION: importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: network_object *** Parser Rule: object_group_protocol_parameters Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { NEWLINE } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { NEWLINE } is matched. Match token NEWLINE Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "description", "group-object", "protocol-object" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "description" } is matched. Rule Reference: object_group_description Otherwise, Alternate(2) will be taken IF: The lookahead set: { "group-object" } is matched. Rule Reference: group_object Otherwise, Alternate(3) will be taken IF: The lookahead set: { "protocol-object" } is matched. Rule Reference: protocol_object OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: object_group_protocol_parameters *** Parser Rule: protocol_object Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "protocol-object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "protocol-object" } is matched. Match token PROTOCOL_OBJECT ACTION: importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); Start of alternative block. Start of an alternative block. 
The lookahead set for this block is: { "ip", INT_CONST, "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP, "object" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "ip", INT_CONST, "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "ip", INT_CONST, "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST Otherwise, Alternate(2) will be taken IF: The lookahead set: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } is matched. Rule Reference: ip_protocol_names OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->protocol = LT(0)->getText(); importer->addIPServiceToObjectGroup(); *dbg << " GROUP MEMBER " << LT(0)->getText() << " "; Otherwise, Alternate(2) will be taken IF: The lookahead set: { "object" } is matched. Match token OBJECT Match token WORD, label=name ACTION: importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: protocol_object *** Parser Rule: object_group_icmp_parameters Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { NEWLINE } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { NEWLINE } is matched. Match token NEWLINE Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "description", "group-object", "icmp-object" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "description" } is matched. Rule Reference: object_group_description Otherwise, Alternate(2) will be taken IF: The lookahead set: { "group-object" } is matched. Rule Reference: group_object Otherwise, Alternate(3) will be taken IF: The lookahead set: { "icmp-object" } is matched. Rule Reference: icmp_object OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: object_group_icmp_parameters *** Parser Rule: icmp_object Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { "icmp-object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "icmp-object" } is matched. Match token ICMP_OBJECT ACTION: importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST, "object" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { WORD, INT_CONST } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=icmp_type ACTION: importer->icmp_type = LT(0)->getText(); Otherwise, Alternate(2) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD, label=icmp_word ACTION: importer->icmp_spec = icmp_word->getText(); OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->addICMPServiceToObjectGroup(); *dbg << " SERVICE ICMP " << LT(0)->getText() << " "; Otherwise, Alternate(2) will be taken IF: The lookahead set: { "object" } is matched. Match token OBJECT Match token WORD, label=name ACTION: importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: icmp_object *** Parser Rule: object_group_service_parameters Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { NEWLINE } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { NEWLINE } is matched. Match token NEWLINE Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "description", "group-object", "service-object" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "description" } is matched. Rule Reference: object_group_description Otherwise, Alternate(2) will be taken IF: The lookahead set: { "group-object" } is matched. Rule Reference: group_object Otherwise, Alternate(3) will be taken IF: The lookahead set: { "service-object" } is matched. Rule Reference: service_object OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: object_group_service_parameters *** Parser Rule: service_object Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { "service-object" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "service-object" } is matched. Match token SERVICE_OBJECT ACTION: importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "ip", INT_CONST, "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP, "object", "icmp", "tcp", "udp" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "ip", INT_CONST, "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "ip", INT_CONST, "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST Otherwise, Alternate(2) will be taken IF: The lookahead set: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } is matched. Rule Reference: ip_protocol_names OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->protocol = LT(0)->getText(); importer->addIPServiceToObjectGroup(); *dbg << " GROUP MEMBER " << LT(0)->getText() << " "; Otherwise, Alternate(2) will be taken IF: The lookahead set: { "tcp", "udp" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "tcp", "udp" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "tcp" } is matched. 
Match token TCP Otherwise, Alternate(2) will be taken IF: The lookahead set: { "udp" } is matched. Match token UDP OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->protocol = LT(0)->getText(); *dbg << " SERVICE TCP/UDP" << LT(0)->getText() << " "; Start of alternative block. Start of an alternative block. The lookahead set for this block is: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "source", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "source" } is matched. Rule Reference: src_port_spec Otherwise, Alternate(2) will be taken IF: The lookahead set: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "destination" } is matched. Rule Reference: dst_port_spec Otherwise, Alternate(2) will be taken IF: The lookahead set: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } is matched. 
OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->addTCPUDPServiceToObjectGroup(); Otherwise, Alternate(3) will be taken IF: The lookahead set: { "icmp" } is matched. Match token ICMP Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=icmp_type ACTION: importer->icmp_type = LT(0)->getText(); Otherwise, Alternate(2) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD, label=icmp_word ACTION: importer->icmp_spec = icmp_word->getText(); OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->addICMPServiceToObjectGroup(); *dbg << " SERVICE ICMP " << LT(0)->getText() << " "; Otherwise, Alternate(4) will be taken IF: The lookahead set: { "object" } is matched. Match token OBJECT Match token WORD, label=name ACTION: importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: service_object *** Parser Rule: permit_ext Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { "permit" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "permit" } is matched. Match token PERMIT ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "permit"; *dbg << LT(1)->getLine() << ":" << " permit "; Rule Reference: rule_ext Match token NEWLINE ACTION: importer->pushRule(); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: permit_ext *** Parser Rule: deny_ext Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "deny" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "deny" } is matched. Match token DENY ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "deny"; *dbg << LT(1)->getLine() << ":" << " deny "; Rule Reference: rule_ext Match token NEWLINE ACTION: importer->pushRule(); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: deny_ext *** Parser Rule: remark Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { "remark" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "remark" } is matched. Match token REMARK ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); *dbg << LT(1)->getLine() << ":"; std::string rem; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { rem += LT(1)->getText() + " "; consume(); } importer->addRuleComment( rem ); *dbg << " REMARK " << rem << std::endl; //consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", WORD, INT_CONST, "object", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: remark *** Parser Rule: rule_ext Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP, "icmp", "tcp", "udp" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP, "icmp", "tcp", "udp" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP, "icmp", "tcp", "udp" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } is matched. 
Rule Reference: ip_protocols Rule Reference: hostaddr_ext ACTION: importer->SaveTmpAddrToSrc(); *dbg << "(src) "; Rule Reference: hostaddr_ext ACTION: importer->SaveTmpAddrToDst(); *dbg << "(dst) "; Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, "log", "log-input", "fragments", "time-range" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "time-range" } is matched. Rule Reference: time_range Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE, "log", "log-input", "fragments" } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, "log", "log-input", "fragments" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "fragments" } is matched. Rule Reference: fragments Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE, "log", "log-input" } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, "log", "log-input" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "log", "log-input" } is matched. Rule Reference: log Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Otherwise, Alternate(2) will be taken IF: The lookahead set: { "icmp" } is matched. 
Match token ICMP ACTION: importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; Rule Reference: hostaddr_ext ACTION: importer->SaveTmpAddrToSrc(); *dbg << "(src) "; Rule Reference: hostaddr_ext ACTION: importer->SaveTmpAddrToDst(); *dbg << "(dst) "; Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, WORD, INT_CONST, "log", "log-input", "fragments", "time-range" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { WORD, INT_CONST } is matched. Rule Reference: icmp_spec Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE, "log", "log-input", "fragments", "time-range" } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, "log", "log-input", "fragments", "time-range" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "time-range" } is matched. Rule Reference: time_range Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE, "log", "log-input", "fragments" } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, "log", "log-input", "fragments" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "fragments" } is matched. Rule Reference: fragments Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE, "log", "log-input" } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. 
The lookahead set for this block is: { NEWLINE, "log", "log-input" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "log", "log-input" } is matched. Rule Reference: log Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Otherwise, Alternate(3) will be taken IF: The lookahead set: { "tcp", "udp" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "tcp", "udp" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "tcp" } is matched. Match token TCP Otherwise, Alternate(2) will be taken IF: The lookahead set: { "udp" } is matched. Match token UDP OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; Rule Reference: hostaddr_ext ACTION: importer->SaveTmpAddrToSrc(); *dbg << "(src) "; Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4, "host", "range", "eq", "gt", "lt", "neq", "any" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "range", "eq", "gt", "lt", "neq" } is matched. Rule Reference: xoperator ACTION: importer->SaveTmpPortToSrc(); Otherwise, Alternate(2) will be taken IF: The lookahead set: { IPV4, "host", "any" } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Rule Reference: hostaddr_ext ACTION: importer->SaveTmpAddrToDst(); *dbg << "(dst) "; Start of alternative block. Start of an alternative block. 
The lookahead set for this block is: { NEWLINE, "range", "eq", "gt", "lt", "neq", "log", "log-input", "established", "fragments", "time-range" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "range", "eq", "gt", "lt", "neq" } is matched. Rule Reference: xoperator ACTION: importer->SaveTmpPortToDst(); Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE, "log", "log-input", "established", "fragments", "time-range" } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, "log", "log-input", "established", "fragments", "time-range" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "established" } is matched. Rule Reference: established Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE, "log", "log-input", "fragments", "time-range" } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, "log", "log-input", "fragments", "time-range" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "time-range" } is matched. Rule Reference: time_range Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE, "log", "log-input", "fragments" } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, "log", "log-input", "fragments" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "fragments" } is matched. 
Rule Reference: fragments Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE, "log", "log-input" } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, "log", "log-input" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "log", "log-input" } is matched. Rule Reference: log Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: *dbg << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: rule_ext *** Parser Rule: ip_protocols Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "ip", "ah", "eigrp", "esp", "gre", "igmp", "igrp", "ipinip", IPSEC, "nos", "ospf", "pcp", "pim", PPTP, SNP } is matched. Rule Reference: ip_protocol_names ACTION: importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: {IPV4, "host", "any" } *** End Parser Rule: ip_protocols *** Parser Rule: hostaddr_ext Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { IPV4, "host", "any" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "host" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "host" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "host" } is matched. Match token HOST Match token IPV4, label=h OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. ACTION: importer->tmp_a = h->getText(); importer->tmp_nm = "255.255.255.255"; *dbg << h->getText() << "/255.255.255.255"; Otherwise, Alternate(2) will be taken IF: The lookahead set: { IPV4 } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4 } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. Match token IPV4, label=a Match token IPV4, label=m OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. ACTION: importer->tmp_a = a->getText(); importer->tmp_nm = m->getText(); *dbg << a->getText() << "/" << m->getText(); Otherwise, Alternate(3) will be taken IF: The lookahead set: { "any" } is matched. Match token ANY ACTION: importer->tmp_a = "0.0.0.0"; importer->tmp_nm = "0.0.0.0"; *dbg << "0.0.0.0/0.0.0.0"; OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { NEWLINE, IPV4, WORD, INT_CONST, "host", "range", "eq", "gt", "lt", "neq", "any", "log", "log-input", "established", "fragments", "time-range" } *** End Parser Rule: hostaddr_ext *** Parser Rule: time_range Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "time-range" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "time-range" } is matched. Match token TIME_RANGE Match token WORD, label=tr_name ACTION: importer->time_range_name = tr_name->getText(); *dbg << "time_range " << tr_name->getText() << " "; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE, "log", "log-input", "fragments" } *** End Parser Rule: time_range *** Parser Rule: fragments Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "fragments" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "fragments" } is matched. Match token FRAGMENTS ACTION: importer->fragments = true; *dbg << "fragments "; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE, "log", "log-input" } *** End Parser Rule: fragments *** Parser Rule: log Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "log", "log-input" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "log", "log-input" } is matched. Start of alternative block. Start of an alternative block. 
The lookahead set for this block is: { "log", "log-input" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "log" } is matched. Match token LOG Otherwise, Alternate(2) will be taken IF: The lookahead set: { "log-input" } is matched. Match token LOG_INPUT OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->logging = true; *dbg << "logging "; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: log *** Parser Rule: icmp_spec Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { WORD, INT_CONST } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched, AND the syntactic predicate: Start of alternative block. Start of an alternative block. The lookahead set for this block is: { INT_CONST } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { INT_CONST } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=icmp_type Match token INT_CONST, label=icmp_code OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
ACTION: importer->icmp_type = icmp_type->getText(); importer->icmp_code = icmp_code->getText(); importer->icmp_spec = ""; *dbg << icmp_type->getText() << " " << icmp_code->getText() << " "; Otherwise, Alternate(2) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD, label=icmp_word ACTION: importer->icmp_spec = icmp_word->getText(); *dbg << icmp_word->getText() << " "; OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE, "log", "log-input", "fragments", "time-range" } *** End Parser Rule: icmp_spec *** Parser Rule: established Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "established" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "established" } is matched. Match token ESTABLISHED ACTION: importer->established = true; *dbg << "established "; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE, "log", "log-input", "fragments", "time-range" } *** End Parser Rule: established *** Parser Rule: single_port_op Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "eq", "gt", "lt", "neq" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "eq", "gt", "lt", "neq" } is matched. Start of alternative block. Start of an alternative block. 
The lookahead set for this block is: { "eq", "gt", "lt", "neq" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "eq" } is matched. Match token P_EQ Otherwise, Alternate(2) will be taken IF: The lookahead set: { "gt" } is matched. Match token P_GT Otherwise, Alternate(3) will be taken IF: The lookahead set: { "lt" } is matched. Match token P_LT Otherwise, Alternate(4) will be taken IF: The lookahead set: { "neq" } is matched. Match token P_NEQ OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->tmp_port_op = LT(0)->getText(); *dbg << LT(0)->getText() << " "; Rule Reference: port_spec OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", IPV4, WORD, INT_CONST, "object", "host", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "any", "log", "log-input", "established", "fragments", "time-range", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: single_port_op *** Parser Rule: port_range Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "range" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "range" } is matched. Match token RANGE Rule Reference: pair_of_ports_spec ACTION: importer->tmp_port_op = "range"; *dbg << "range "; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", IPV4, WORD, INT_CONST, "object", "host", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "any", "log", "log-input", "established", "fragments", "time-range", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: port_range *** Parser Rule: port_spec Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { WORD, INT_CONST } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD Otherwise, Alternate(2) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->tmp_port_spec = (std::string(" ") + LT(0)->getText()); *dbg << LT(0)->getText() << " " << importer->tmp_port_spec; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", IPV4, WORD, INT_CONST, "object", "host", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "any", "log", "log-input", "established", "fragments", "time-range", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: port_spec *** Parser Rule: pair_of_ports_spec Access: public Return value: none Start of an alternative block. 
The lookahead set for this block is: { WORD, INT_CONST } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { WORD, INT_CONST } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD, label=s1 Otherwise, Alternate(2) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=s2 OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD, INT_CONST } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD, label=e1 Otherwise, Alternate(2) will be taken IF: The lookahead set: { INT_CONST } is matched. Match token INT_CONST, label=e2 OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: importer->tmp_port_spec = ""; if (s1) importer->tmp_port_spec += s1->getText(); if (s2) importer->tmp_port_spec += s2->getText(); importer->tmp_port_spec += " "; if (e1) importer->tmp_port_spec += e1->getText(); if (e2) importer->tmp_port_spec += e2->getText(); *dbg << "pair of ports: " << importer->tmp_port_spec; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: { EOF, NEWLINE, "quit", "ip", "names", "name", IPV4, WORD, INT_CONST, "object", "host", "destination", "object-group", "crypto", "certificate", "PIX", "ASA", "hostname", "access-list", "any", "log", "log-input", "established", "fragments", "time-range", "controller", "interface", LINE_COMMENT, "exit", COLON_COMMENT } *** End Parser Rule: pair_of_ports_spec *** Parser Rule: hostaddr_std Access: public Return value: none Start of an alternative block. The lookahead set for this block is: k==1: {IPV4, "any" } k==2: {EOF, IPV4 } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: k==1: {IPV4 } k==2: {EOF } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4 } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. Match token IPV4, label=h OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. ACTION: importer->tmp_a = h->getText(); importer->tmp_nm = "0.0.0.0"; *dbg << h->getText() << "/0.0.0.0"; Otherwise, Alternate(2) will be taken IF: The lookahead set: k==1: {IPV4 } k==2: {IPV4 } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4 } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. Match token IPV4, label=a Match token IPV4, label=m OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. ACTION: importer->tmp_a = a->getText(); importer->tmp_nm = m->getText(); *dbg << a->getText() << "/" << m->getText(); Otherwise, Alternate(3) will be taken IF: The lookahead set: { "any" } is matched. Match token ANY ACTION: importer->tmp_a = "0.0.0.0"; importer->tmp_nm = "0.0.0.0"; *dbg << "0.0.0.0/0.0.0.0"; OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. 
Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {EOF } *** End Parser Rule: hostaddr_std *** Parser Rule: interface_description Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "description" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "description" } is matched. Match token DESCRIPTION ACTION: *dbg << LT(1)->getLine() << ":"; std::string descr; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { descr += LT(1)->getText() + " "; consume(); } importer->setInterfaceComment( descr ); *dbg << " DESCRIPTION " << descr << std::endl; //consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: interface_description *** Parser Rule: interface_parameters Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { NEWLINE } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { NEWLINE } is matched. Match token NEWLINE ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "ip", "igmp", "ospf", "pim", "description", "vlan", "speed", "duplex", "ddns", "forward", "delay", "hold-time", "ipv6", "mac-address", "multicast", PPPOE, "rip", "no", "security-level", "nameif", "shutdown", "switchport" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "ip" } is matched. Rule Reference: intf_address Otherwise, Alternate(2) will be taken IF: The lookahead set: { "vlan" } is matched. 
Rule Reference: vlan_interface Otherwise, Alternate(3) will be taken IF: The lookahead set: { "security-level" } is matched. Rule Reference: sec_level Otherwise, Alternate(4) will be taken IF: The lookahead set: { "nameif" } is matched. Rule Reference: nameif Otherwise, Alternate(5) will be taken IF: The lookahead set: { "description" } is matched. Rule Reference: interface_description Otherwise, Alternate(6) will be taken IF: The lookahead set: { "switchport" } is matched. Rule Reference: switchport Otherwise, Alternate(7) will be taken IF: The lookahead set: { "shutdown" } is matched. Rule Reference: shutdown Otherwise, Alternate(8) will be taken IF: The lookahead set: { "no" } is matched. Rule Reference: interface_no_commands Otherwise, Alternate(9) will be taken IF: The lookahead set: { "igmp", "ospf", "pim", "speed", "duplex", "ddns", "forward", "delay", "hold-time", "ipv6", "mac-address", "multicast", PPPOE, "rip" } is matched. Rule Reference: unsupported_interface_commands OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: interface_parameters *** Parser Rule: intf_address Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "ip" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "ip" } is matched. Match token IP Match token ADDRESS Start of alternative block. Start of an alternative block. The lookahead set for this block is: { IPV4, WORD, "dhcp" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { WORD } is matched. 
Rule Reference: v6_ip_address Otherwise, Alternate(2) will be taken IF: The lookahead set: { IPV4, "dhcp" } is matched. Rule Reference: v7_ip_address OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: intf_address *** Parser Rule: vlan_interface Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "vlan" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "vlan" } is matched. Match token VLAN Match token INT_CONST, label=vlan_id ACTION: importer->setInterfaceVlanId(vlan_id->getText()); *dbg << " VLAN: " << vlan_id->getText() << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: vlan_interface *** Parser Rule: sec_level Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "security-level" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "security-level" } is matched. Match token SEC_LEVEL Match token INT_CONST, label=sec_level ACTION: importer->setInterfaceSecurityLevel(sec_level->getText()); *dbg << "SEC_LEVEL: " << sec_level->getText() << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: sec_level *** Parser Rule: nameif Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "nameif" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "nameif" } is matched. Match token NAMEIF Match token WORD, label=p_intf Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE, WORD } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { WORD } is matched, AND the syntactic predicate: Start of alternative block. Start of an alternative block. The lookahead set for this block is: { WORD } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. is matched. Match token WORD, label=intf_label Match token WORD, label=sec_level Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { NEWLINE } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { NEWLINE } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: std::string label = (intf_label) ? intf_label->getText() : ""; std::string seclevel = (sec_level) ? sec_level->getText() : ""; importer->setInterfaceParametes(p_intf->getText(), label, seclevel); *dbg << " NAMEIF: " << p_intf->getText() << label << seclevel << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: nameif *** Parser Rule: switchport Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "switchport" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "switchport" } is matched. Match token SWITCHPORT Match token ACCESS Match token VLAN Match token INT_CONST, label=vlan_num ACTION: importer->addMessageToLog("Switch port vlan " + vlan_num->getText()); *dbg << "Switch port vlan " << vlan_num->getText() << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: switchport *** Parser Rule: shutdown Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "shutdown" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "shutdown" } is matched. Match token SHUTDOWN ACTION: importer->ignoreCurrentInterface(); *dbg<< LT(1)->getLine() << ":" << " INTERFACE SHUTDOWN " << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: shutdown *** Parser Rule: interface_no_commands Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "no" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "no" } is matched. 
Match token NO Match token WORD ACTION: *dbg << " INTERFACE \"NO\" COMMAND: " << LT(0)->getText() << std::endl; consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: interface_no_commands *** Parser Rule: unsupported_interface_commands Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "igmp", "ospf", "pim", "speed", "duplex", "ddns", "forward", "delay", "hold-time", "ipv6", "mac-address", "multicast", PPPOE, "rip" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "igmp", "ospf", "pim", "speed", "duplex", "ddns", "forward", "delay", "hold-time", "ipv6", "mac-address", "multicast", PPPOE, "rip" } is matched. Start of alternative block. Start of an alternative block. The lookahead set for this block is: { "igmp", "ospf", "pim", "speed", "duplex", "ddns", "forward", "delay", "hold-time", "ipv6", "mac-address", "multicast", PPPOE, "rip" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "speed" } is matched. Match token SPEED Otherwise, Alternate(2) will be taken IF: The lookahead set: { "duplex" } is matched. Match token DUPLEX Otherwise, Alternate(3) will be taken IF: The lookahead set: { "ddns" } is matched. Match token DDNS Otherwise, Alternate(4) will be taken IF: The lookahead set: { "forward" } is matched. Match token FORWARD Otherwise, Alternate(5) will be taken IF: The lookahead set: { "delay" } is matched. Match token DELAY Otherwise, Alternate(6) will be taken IF: The lookahead set: { "hold-time" } is matched. Match token HOLD_TIME Otherwise, Alternate(7) will be taken IF: The lookahead set: { "igmp" } is matched. 
Match token IGMP Otherwise, Alternate(8) will be taken IF: The lookahead set: { "ipv6" } is matched. Match token IPV6 Otherwise, Alternate(9) will be taken IF: The lookahead set: { "mac-address" } is matched. Match token MAC_ADDRESS Otherwise, Alternate(10) will be taken IF: The lookahead set: { "multicast" } is matched. Match token MULTICAST Otherwise, Alternate(11) will be taken IF: The lookahead set: { "ospf" } is matched. Match token OSPF Otherwise, Alternate(12) will be taken IF: The lookahead set: { "pim" } is matched. Match token PIM Otherwise, Alternate(13) will be taken IF: The lookahead set: { PPPOE } is matched. Match token PPPOE Otherwise, Alternate(14) will be taken IF: The lookahead set: { "rip" } is matched. Match token RIP OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: *dbg << " UNSUPPORTED INTERFACE COMMAND: " << LT(0)->getText() << std::endl; consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: unsupported_interface_commands *** Parser Rule: v6_ip_address Access: public Return value: none Start of an alternative block. The lookahead set for this block is: k==1: {WORD } k==2: {IPV4, "dhcp" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: k==1: {WORD } k==2: {"dhcp" } is matched. Rule Reference: v6_dhcp_address Otherwise, Alternate(2) will be taken IF: The lookahead set: k==1: {WORD } k==2: {IPV4 } is matched. Rule Reference: v6_static_address OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. 
The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: v6_ip_address *** Parser Rule: v7_ip_address Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { IPV4, "dhcp" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "dhcp" } is matched. Rule Reference: v7_dhcp_address Otherwise, Alternate(2) will be taken IF: The lookahead set: { IPV4 } is matched. Rule Reference: v7_static_address OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: v7_ip_address *** Parser Rule: v6_dhcp_address Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { WORD } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { WORD } is matched. Match token WORD, label=lbl Match token DHCP, label=dhcp ACTION: std::string label = lbl->getText(); std::string addr = dhcp->getText(); importer->addInterfaceAddress(label, addr, ""); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << std::endl; // there can be some other parameters after "dhcp", such as "setroute", "retry" etc. // which we do not support consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: v6_dhcp_address *** Parser Rule: v6_static_address Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { WORD } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { WORD } is matched. 
Match token WORD, label=lbl Match token IPV4, label=a Match token IPV4, label=m ACTION: std::string label = lbl->getText(); std::string addr = a->getText(); std::string netm = m->getText(); importer->addInterfaceAddress(label, addr, netm); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << "/" << netm << std::endl; // in case there are some other parameters after address and netmask consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: v6_static_address *** Parser Rule: v7_dhcp_address Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "dhcp" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "dhcp" } is matched. Match token DHCP, label=dhcp ACTION: std::string addr = dhcp->getText(); importer->addInterfaceAddress(addr, ""); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << std::endl; consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: v7_dhcp_address *** Parser Rule: v7_static_address Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { IPV4 } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { IPV4 } is matched. Match token IPV4, label=a Match token IPV4, label=m Start of alternative block. Start of an alternative block. 
The lookahead set for this block is: { NEWLINE, "standby" } This block has multiple alternatives: Alternate(1) will be taken IF: The lookahead set: { "standby" } is matched. Match token STANDBY, label=s Otherwise, Alternate(2) will be taken IF: The lookahead set: { NEWLINE } is matched. OTHERWISE, a NoViableAlt exception will be thrown End of alternatives End of alternative block. ACTION: std::string addr = a->getText(); std::string netm = m->getText(); importer->addInterfaceAddress(addr, netm); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << "/" << netm << std::endl; // there can be other parameters after address/netmask pair, such as "standby" // We do not parse them yet. if (s) { importer->addMessageToLog("Parser warning: failover IP detected. " "Failover is not supported by import " "at this time"); } consumeUntil(NEWLINE); OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {NEWLINE } *** End Parser Rule: v7_static_address *** Parser Rule: access_group_by_name Access: public Return value: none Start of an alternative block. The lookahead set for this block is: { "access-group" } This block has a single alternative Alternate(1) will be taken IF: The lookahead set: { "access-group" } is matched. Match token ACCESS_GROUP Match token WORD, label=acln Match token WORD, label=dir Match token INTRFACE Match token WORD, label=intf_label ACTION: importer->setCurrentLineNumber(LT(0)->getLine()); importer->setInterfaceAndDirectionForRuleSet( acln->getText(), intf_label->getText(), dir->getText() ); *dbg << LT(1)->getLine() << ":" << " INTRFACE: ACL '" << acln->getText() << "'" << " " << intf_label->getText() << " " << dir->getText() << std::endl; OTHERWISE, a NoViableAlt exception will be thrown End of alternative block. 
Default error-handling will be generated, which catches all parser exceptions and consumes tokens until the follow-set is seen. The follow set for this rule is: k==1: {EOF } *** End Parser Rule: access_group_by_name *** End of parser rules *** End of parser fwbuilder-5.3.7/src/parsers/PIXCfgParserTokenTypes.hpp000066400000000000000000000075121303637203600227630ustar00rootroot00000000000000#ifndef INC_PIXCfgParserTokenTypes_hpp_ #define INC_PIXCfgParserTokenTypes_hpp_ /* $ANTLR 2.7.7 (20090306): "pix.g" -> "PIXCfgParserTokenTypes.hpp"$ */ #ifndef CUSTOM_API # define CUSTOM_API #endif #ifdef __cplusplus struct CUSTOM_API PIXCfgParserTokenTypes { #endif enum { EOF_ = 1, NEWLINE = 4, QUIT = 5, IP = 6, COMMUNITY_LIST = 7, TIMEOUT = 8, PIM = 9, NETWORK = 10, NAMES = 11, NAME = 12, IPV4 = 13, WORD = 14, IPV6 = 15, AH = 16, EIGRP = 17, ESP_WORD = 18, GRE = 19, IGMP = 20, IGRP = 21, IPINIP = 22, IPSEC = 23, NOS = 24, OSPF = 25, PCP = 26, PPTP = 27, SNP = 28, OBJECT = 29, DESCRIPTION = 30, HOST = 31, RANGE = 32, SUBNET = 33, SERVICE = 34, HTTP = 35, SSH = 36, TELNET = 37, ICMP = 38, INT_CONST = 39, ICMP6 = 40, TCP = 41, UDP = 42, SOURCE = 43, DESTINATION = 44, OBJECT_GROUP = 45, GROUP_OBJECT = 46, NETWORK_OBJECT = 47, PROTOCOL = 48, PROTOCOL_OBJECT = 49, ICMP_OBJECT = 50, ICMP_TYPE = 51, TCP_UDP = 52, SERVICE_OBJECT = 53, PORT_OBJECT = 54, CRYPTO = 55, DNS = 56, CALL_HOME = 57, INTERNAL = 58, PASSWORD_RECOVERY = 59, RESETINBOUND = 60, RESETOUTBOUND = 61, RESETOUTSIDE = 62, NO = 63, CERTIFICATE = 64, PIX_WORD = 65, ASA_WORD = 66, FWSM_WORD = 67, VERSION_WORD_CAP = 68, NUMBER = 69, HOSTNAME = 70, STRING = 71, ACCESS_LIST = 72, EXTENDED = 73, PERMIT = 74, DENY = 75, STANDARD = 76, P_EQ = 77, P_GT = 78, P_LT = 79, P_NEQ = 80, ECHO = 81, ESTABLISHED = 82, ALTERNATE_ADDRESS = 83, CONVERSION_ERROR = 84, ECHO_REPLY = 85, INFORMATION_REPLY = 86, INFORMATION_REQUEST = 87, MASK_REPLY = 88, MASK_REQUEST = 89, MOBILE_REDIRECT = 90, PARAMETER_PROBLEM = 91, REDIRECT = 92, 
ROUTER_ADVERTISEMENT = 93, ROUTER_SOLICITATION = 94, SOURCE_QUENCH = 95, TIME_EXCEEDED = 96, TIMESTAMP_REPLY = 97, TIMESTAMP_REQUEST = 98, TRACEROUTE = 99, UNREACHABLE = 100, INTRFACE = 101, ANY = 102, LOG = 103, LOG_INPUT = 104, LOG_LEVEL_ALERTS = 105, LOG_LEVEL_CRITICAL = 106, LOG_LEVEL_DEBUGGING = 107, LOG_LEVEL_EMERGENCIES = 108, LOG_LEVEL_ERRORS = 109, LOG_LEVEL_INFORMATIONAL = 110, LOG_LEVEL_NOTIFICATIONS = 111, LOG_LEVEL_WARNINGS = 112, LOG_LEVEL_DISABLE = 113, LOG_LEVEL_INACTIVE = 114, INTERVAL = 115, FRAGMENTS = 116, TIME_RANGE = 117, CONTROLLER = 118, OUTSIDE = 119, LINE_COMMENT = 120, EXIT = 121, AUI = 122, AUTO = 123, BNC = 124, FULL = 125, BASET = 126, BASETX = 127, NAMEIF = 128, VLAN = 129, SPEED = 130, DUPLEX = 131, DDNS = 132, FORWARD = 133, DELAY = 134, HOLD_TIME = 135, IPV6_C = 136, MANAGEMENT_ONLY = 137, MAC_ADDRESS = 138, MULTICAST = 139, PPPOE = 140, RIP = 141, SEC_LEVEL = 142, SHUTDOWN = 143, ADDRESS = 144, DHCP = 145, STANDBY = 146, SWITCHPORT = 147, ACCESS = 148, SCOPY = 149, VERSION_WORD_LOW = 150, AUTHENTICATION_CERTIFICATE = 151, SERVER = 152, REMARK = 153, ACCESS_GROUP = 154, COLON_COMMENT = 155, NAT = 156, OPENING_PAREN = 157, CLOSING_PAREN = 158, COMMA = 159, GLOBAL = 160, MINUS = 161, NETMASK = 162, STATIC = 163, NORANDOMSEQ = 164, SECONDARY = 165, SETROUTE = 166, Whitespace = 167, HEX_CONST = 168, NEG_INT_CONST = 169, DIGIT = 170, HEXDIGIT = 171, NUMBER_ADDRESS_OR_WORD = 172, PIPE_CHAR = 173, NUMBER_SIGN = 174, PERCENT = 175, AMPERSAND = 176, APOSTROPHE = 177, STAR = 178, PLUS = 179, DOT = 180, SLASH = 181, COLON = 182, SEMICOLON = 183, LESS_THAN = 184, EQUALS = 185, GREATER_THAN = 186, QUESTION = 187, COMMERCIAL_AT = 188, OPENING_SQUARE = 189, CLOSING_SQUARE = 190, CARET = 191, UNDERLINE = 192, OPENING_BRACE = 193, CLOSING_BRACE = 194, TILDE = 195, EXLAMATION = 196, NULL_TREE_LOOKAHEAD = 3 }; #ifdef __cplusplus }; #endif #endif /*INC_PIXCfgParserTokenTypes_hpp_*/ 
fwbuilder-5.3.7/src/parsers/PIXCfgParserTokenTypes.txt000066400000000000000000000102741303637203600230120ustar00rootroot00000000000000// $ANTLR 2.7.7 (20090306): pix.g -> PIXCfgParserTokenTypes.txt$ PIXCfgParser // output token vocab name NEWLINE=4 QUIT="quit"=5 IP="ip"=6 COMMUNITY_LIST="community-list"=7 TIMEOUT="timeout"=8 PIM="pim"=9 NETWORK="network"=10 NAMES="names"=11 NAME="name"=12 IPV4=13 WORD=14 IPV6=15 AH="ah"=16 EIGRP="eigrp"=17 ESP_WORD="esp"=18 GRE="gre"=19 IGMP="igmp"=20 IGRP="igrp"=21 IPINIP="ipinip"=22 IPSEC="ipsec"=23 NOS="nos"=24 OSPF="ospf"=25 PCP="pcp"=26 PPTP="pptp"=27 SNP="snp"=28 OBJECT="object"=29 DESCRIPTION="description"=30 HOST="host"=31 RANGE="range"=32 SUBNET="subnet"=33 SERVICE="service"=34 HTTP="http"=35 SSH="ssh"=36 TELNET="telnet"=37 ICMP="icmp"=38 INT_CONST=39 ICMP6="icmp6"=40 TCP="tcp"=41 UDP="udp"=42 SOURCE="source"=43 DESTINATION="destination"=44 OBJECT_GROUP="object-group"=45 GROUP_OBJECT="group-object"=46 NETWORK_OBJECT="network-object"=47 PROTOCOL="protocol"=48 PROTOCOL_OBJECT="protocol-object"=49 ICMP_OBJECT="icmp-object"=50 ICMP_TYPE="icmp-type"=51 TCP_UDP="tcp-udp"=52 SERVICE_OBJECT="service-object"=53 PORT_OBJECT="port-object"=54 CRYPTO="crypto"=55 DNS="dns"=56 CALL_HOME="call-home"=57 INTERNAL="internal"=58 PASSWORD_RECOVERY="password-recovery"=59 RESETINBOUND="resetinbound"=60 RESETOUTBOUND="resetoutbound"=61 RESETOUTSIDE="resetoutside"=62 NO="no"=63 CERTIFICATE="certificate"=64 PIX_WORD="PIX"=65 ASA_WORD="ASA"=66 FWSM_WORD="FWSM"=67 VERSION_WORD_CAP="Version"=68 NUMBER=69 HOSTNAME="hostname"=70 STRING=71 ACCESS_LIST="access-list"=72 EXTENDED="extended"=73 PERMIT="permit"=74 DENY="deny"=75 STANDARD="standard"=76 P_EQ="eq"=77 P_GT="gt"=78 P_LT="lt"=79 P_NEQ="neq"=80 ECHO="echo"=81 ESTABLISHED="established"=82 ALTERNATE_ADDRESS="alternate-address"=83 CONVERSION_ERROR="conversion-error"=84 ECHO_REPLY="echo-reply"=85 INFORMATION_REPLY="information-reply"=86 INFORMATION_REQUEST="information-request"=87 
MASK_REPLY="mask-reply"=88 MASK_REQUEST="mask-request"=89 MOBILE_REDIRECT="mobile-redirect"=90 PARAMETER_PROBLEM="parameter-problem"=91 REDIRECT="redirect"=92 ROUTER_ADVERTISEMENT="router-advertisement"=93 ROUTER_SOLICITATION="router-solicitation"=94 SOURCE_QUENCH="source-quench"=95 TIME_EXCEEDED="time-exceeded"=96 TIMESTAMP_REPLY="timestamp-reply"=97 TIMESTAMP_REQUEST="timestamp-request"=98 TRACEROUTE="traceroute"=99 UNREACHABLE="unreachable"=100 INTRFACE="interface"=101 ANY="any"=102 LOG="log"=103 LOG_INPUT="log-input"=104 LOG_LEVEL_ALERTS="alerts"=105 LOG_LEVEL_CRITICAL="critical"=106 LOG_LEVEL_DEBUGGING="debugging"=107 LOG_LEVEL_EMERGENCIES="emergencies"=108 LOG_LEVEL_ERRORS="errors"=109 LOG_LEVEL_INFORMATIONAL="informational"=110 LOG_LEVEL_NOTIFICATIONS="notifications"=111 LOG_LEVEL_WARNINGS="warnings"=112 LOG_LEVEL_DISABLE="disable"=113 LOG_LEVEL_INACTIVE="inactive"=114 INTERVAL="interval"=115 FRAGMENTS="fragments"=116 TIME_RANGE="time-range"=117 CONTROLLER="controller"=118 OUTSIDE="outside"=119 LINE_COMMENT=120 EXIT="exit"=121 AUI="aui"=122 AUTO="auto"=123 BNC="bnc"=124 FULL="full"=125 BASET="baseT"=126 BASETX="baseTX"=127 NAMEIF="nameif"=128 VLAN="vlan"=129 SPEED="speed"=130 DUPLEX="duplex"=131 DDNS="ddns"=132 FORWARD="forward"=133 DELAY="delay"=134 HOLD_TIME="hold-time"=135 IPV6_C="ipv6"=136 MANAGEMENT_ONLY="management-only"=137 MAC_ADDRESS="mac-address"=138 MULTICAST="multicast"=139 PPPOE=140 RIP="rip"=141 SEC_LEVEL="security-level"=142 SHUTDOWN="shutdown"=143 ADDRESS="address"=144 DHCP="dhcp"=145 STANDBY="standby"=146 SWITCHPORT="switchport"=147 ACCESS="access"=148 SCOPY="scopy"=149 VERSION_WORD_LOW="version"=150 AUTHENTICATION_CERTIFICATE="authentication-certificate"=151 SERVER="server"=152 REMARK="remark"=153 ACCESS_GROUP="access-group"=154 COLON_COMMENT=155 NAT="nat"=156 OPENING_PAREN=157 CLOSING_PAREN=158 COMMA=159 GLOBAL="global"=160 MINUS=161 NETMASK="netmask"=162 STATIC="static"=163 NORANDOMSEQ="norandomseq"=164 SECONDARY="secondary"=165 
SETROUTE="setroute"=166 Whitespace=167 HEX_CONST=168 NEG_INT_CONST=169 DIGIT=170 HEXDIGIT=171 NUMBER_ADDRESS_OR_WORD=172 PIPE_CHAR=173 NUMBER_SIGN=174 PERCENT=175 AMPERSAND=176 APOSTROPHE=177 STAR=178 PLUS=179 DOT=180 SLASH=181 COLON=182 SEMICOLON=183 LESS_THAN=184 EQUALS=185 GREATER_THAN=186 QUESTION=187 COMMERCIAL_AT=188 OPENING_SQUARE=189 CLOSING_SQUARE=190 CARET=191 UNDERLINE=192 OPENING_BRACE=193 CLOSING_BRACE=194 TILDE=195 EXLAMATION=196 fwbuilder-5.3.7/src/parsers/iosacl.g000066400000000000000000000514021303637203600174060ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ header "pre_include_hpp" { // gets inserted before antlr generated includes in the header // file #include "IOSImporter.h" } header "post_include_hpp" { // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include class IOSImporter; } header "pre_include_cpp" { // gets inserted before the antlr generated includes in the cpp // file } header "post_include_cpp" { // gets inserted after the antlr generated includes in the cpp // file #include #include } header { // gets inserted after generated namespace specifications in the // header file. But outside the generated class. 
} options { language="Cpp"; } class IOSCfgParser extends Parser; options { k = 2; // defaultErrorHandler=false; } { // additional methods and members public: std::ostream *dbg; IOSImporter *importer; /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { importer->addMessageToLog("Parser error: " + ex.toString()); } /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser error: " + s); } /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser warning: " + s); } } cfgfile : ( comment | version | hostname | ip_commands | intrface | controller | vlan | access_list_commands | exit | description | shutdown | certificate | quit | unknown_command | NEWLINE )+ ; //**************************************************************** ip_commands : IP ( ip_access_list_ext | interface_known_ip_commands | community_list_command | ip_unused_command | unknown_command ) ; //**************************************************************** quit : QUIT { consumeUntil(NEWLINE); } ; //**************************************************************** // these are "ip ..." top level commands that we do not use but parser // should not abort on. Unlike unknown_command, these have known token as // a second word so they dont match unknown_command which expects WORD. 
ip_unused_command : ICMP | TCP | HOST { consumeUntil(NEWLINE); } ; //**************************************************************** community_list_command : COMMUNITY_LIST { consumeUntil(NEWLINE); } ; //**************************************************************** unknown_command : WORD { consumeUntil(NEWLINE); } ; //**************************************************************** certificate : CERTIFICATE WORD { consumeUntil(NEWLINE); consumeUntil(QUIT); } ; //**************************************************************** version : IOSVERSION v:NUMBER { *dbg << "VERSION " << v->getText() << std::endl; } ; //**************************************************************** hostname : HOSTNAME ( STRING | WORD ) { importer->setCurrentLineNumber(LT(0)->getLine()); importer->setHostName( LT(0)->getText() ); *dbg << "HOSTNAME " << "LT0=" << LT(0)->getText() << std::endl; } ; //**************************************************************** // note that permit_ext and deny_ext eat NEWLINE. 
This is necessary // because the same parser rules are used for ip access-list commands, // where they should work the same way as LINE_COMMENT which eats // NEWLINE // access_list_commands : ACCESS_LIST acl_num:INT_CONST { importer->newUnidirRuleSet( std::string("acl_") + acl_num->getText(), libfwbuilder::Policy::TYPENAME); *dbg << acl_num->getLine() << ":" << " ACL #" << acl_num->getText() << " "; } ( permit_std | deny_std | permit_ext | deny_ext | remark ) ; //**************************************************************** ip_access_list_ext : ACCESS_LIST EXTENDED name:WORD { importer->newUnidirRuleSet( name->getText(), libfwbuilder::Policy::TYPENAME ); *dbg << name->getLine() << ":" << " ACL ext " << name->getText() << std::endl; } NEWLINE ( permit_ext | deny_ext | comment | remark | NEWLINE // to match end of each line and also empty lines )* { *dbg << LT(0)->getLine() << ":" << " ACL end" << std::endl << std::endl; } ; //**************************************************************** permit_ext: PERMIT { importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "permit"; *dbg << LT(1)->getLine() << ":" << " permit "; } rule_ext // NEWLINE { importer->pushRule(); } ; deny_ext: DENY { importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "deny"; *dbg << LT(1)->getLine() << ":" << " deny "; } rule_ext NEWLINE { importer->pushRule(); } ; //**************************************************************** permit_std: PERMIT { importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "permit"; *dbg << LT(1)->getLine() << ":" << " permit "; } rule_std // NEWLINE { importer->pushRule(); } ; deny_std: DENY { importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "deny"; *dbg << LT(1)->getLine() << ":" << " deny "; } rule_std NEWLINE { importer->pushRule(); } ; 
//**************************************************************** // the difference between standard and extended acls should be in these rules rule_ext : ( ip_protocols hostaddr_ext { importer->SaveTmpAddrToSrc(); *dbg << "(src) "; } hostaddr_ext { importer->SaveTmpAddrToDst(); *dbg << "(dst) "; } (time_range)? (fragments)? (log)? | ICMP { importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; } hostaddr_ext { importer->SaveTmpAddrToSrc(); *dbg << "(src) "; } hostaddr_ext { importer->SaveTmpAddrToDst(); *dbg << "(dst) "; } (icmp_spec)? (time_range)? (fragments)? (log)? | (TCP|UDP) { importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; } hostaddr_ext { importer->SaveTmpAddrToSrc(); *dbg << "(src) "; } (xoperator { importer->SaveTmpPortToSrc(); } )? hostaddr_ext { importer->SaveTmpAddrToDst(); *dbg << "(dst) "; } (xoperator { importer->SaveTmpPortToDst(); } )? (established)? (time_range)? (fragments)? (log)? ) { *dbg << std::endl; } ; //**************************************************************** rule_std : ( hostaddr_std { importer->SaveTmpAddrToSrc(); *dbg << "(std) "; } (log)? 
) { *dbg << std::endl; } ; //**************************************************************** // ip_protocols : (IP | AHP | EIGRP | ESP | GRE | IGRP | IPINIP | NOS | OSPF | PCP | PIM ) ip_protocols : (IP | WORD ) { importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; }; icmp_spec : ( (INT_CONST) => (icmp_type:INT_CONST icmp_code:INT_CONST) { importer->icmp_type = icmp_type->getText(); importer->icmp_code = icmp_code->getText(); importer->icmp_spec = ""; *dbg << icmp_type->getText() << " " << icmp_code->getText() << " "; } | icmp_word:WORD { importer->icmp_spec = icmp_word->getText(); *dbg << icmp_word->getText() << " "; } ) ; xoperator : single_port_op | port_range ; single_port_op : (P_EQ | P_GT | P_LT | P_NEQ ) { importer->tmp_port_op = LT(0)->getText(); *dbg << LT(0)->getText() << " "; } port_spec ; port_range : P_RANGE { importer->tmp_port_op = LT(0)->getText(); *dbg << LT(0)->getText() << " "; } port_spec port_spec ; port_spec : (WORD|INT_CONST) { importer->tmp_port_spec += (std::string(" ") + LT(0)->getText()); *dbg << LT(0)->getText() << " "; } ; hostaddr_ext : (HOST h:IPV4) { importer->tmp_a = h->getText(); importer->tmp_nm = "0.0.0.0"; *dbg << h->getText() << "/0.0.0.0"; } | (a:IPV4 m:IPV4) { importer->tmp_a = a->getText(); importer->tmp_nm = m->getText(); *dbg << a->getText() << "/" << m->getText(); } | ANY { importer->tmp_a = "0.0.0.0"; importer->tmp_nm = "0.0.0.0"; *dbg << "0.0.0.0/0.0.0.0"; } ; hostaddr_std : (h:IPV4) { importer->tmp_a = h->getText(); importer->tmp_nm = "0.0.0.0"; *dbg << h->getText() << "/0.0.0.0"; } | (a:IPV4 m:IPV4) { importer->tmp_a = a->getText(); importer->tmp_nm = m->getText(); *dbg << a->getText() << "/" << m->getText(); } | ANY { importer->tmp_a = "0.0.0.0"; importer->tmp_nm = "0.0.0.0"; *dbg << "0.0.0.0/0.0.0.0"; } ; log : (LOG | LOG_INPUT) { importer->logging = true; *dbg << "logging "; } ; established : ESTABLISHED { importer->established = true; *dbg << "established "; } ; fragments : 
FRAGMENTS { importer->fragments = true; *dbg << "fragments "; } ; time_range : TIME_RANGE tr_name:WORD { importer->time_range_name = tr_name->getText(); *dbg << "time_range " << tr_name->getText() << " "; } ; //**************************************************************** // Need this not because we parse "vlan" commands, but because // "ip address" command may appear in the "vlan" context // So we properly clear current_interface in the Importer class // to let it know that it should ignore "ip address" that follows. // // Also, depending on the context, command "vlan" may have just // one argument (vlan number) or more. So we need to consume // all tokens until newline to accommodate for all possible formats. // This works because we ignore all of them. // vlan : VLAN (WORD | INT_CONST ) { importer->setCurrentLineNumber(LT(0)->getLine()); importer->clearCurrentInterface(); consumeUntil(NEWLINE); } ; //**************************************************************** controller : CONTROLLER { importer->setCurrentLineNumber(LT(0)->getLine()); importer->clearCurrentInterface(); consumeUntil(NEWLINE); } ; //**************************************************************** intrface : INTRFACE in:WORD { importer->setCurrentLineNumber(LT(0)->getLine()); importer->newInterface( in->getText() ); *dbg << in->getLine() << ":" << " INTRFACE: " << in->getText() << std::endl; } ( POINT_TO_POINT { importer->addMessageToLog( QString("Warning: point-to-point interfaces " "are not supported")); } )? NEWLINE ; // interface description // Use it for comment description : DESCRIPTION { importer->setCurrentLineNumber(LT(0)->getLine()); *dbg << LT(1)->getLine() << ":"; std::string descr; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { descr += LT(1)->getText() + " "; consume(); } importer->setInterfaceComment( descr ); *dbg << " DESCRIPTION " << descr << std::endl; //consumeUntil(NEWLINE); } ; // remark. 
According to the Cisco docs, can only be used // within access list // Use it for the current rule comment remark : REMARK { importer->setCurrentLineNumber(LT(0)->getLine()); *dbg << LT(1)->getLine() << ":"; std::string rem; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { rem += LT(1)->getText() + " "; consume(); } importer->addRuleComment( rem ); *dbg << " REMARK " << rem << std::endl; //consumeUntil(NEWLINE); } // NEWLINE ; shutdown : SHUTDOWN { *dbg<< LT(1)->getLine() << ":" << " INTERFACE SHUTDOWN " << std::endl; } ; interface_known_ip_commands : ( access_group_by_name | access_group_by_number | intf_address ) NEWLINE ; // need this because "ospf", "bgp" and others are a known tokens // (needed for protocol and ports in access lists) and "ip ospf" and // similar are legit interface commands // ignore_interface_ip_commands : (BGP | OSPF | DHCP) // { // consumeUntil(NEWLINE); // } // ; access_group_by_name : ACCESS_GROUP acln:WORD dir:WORD { importer->setCurrentLineNumber(LT(0)->getLine()); importer->setInterfaceAndDirectionForRuleSet( acln->getText(), "", dir->getText() ); *dbg << LT(1)->getLine() << ":" << " INTRFACE: ACL '" << acln->getText() << "'" << " " << dir->getText() << std::endl; } ; // for acess lists defined by numbers we add prefix "acl_" to the name // Making sure this is done consistently in both "access-list NNN" // and "ip access-group NNN" commands access_group_by_number : ACCESS_GROUP acln:INT_CONST dir:WORD { importer->setCurrentLineNumber(LT(0)->getLine()); importer->setInterfaceAndDirectionForRuleSet( std::string("acl_") + acln->getText(), "", dir->getText() ); *dbg << LT(1)->getLine() << ":" << " INTRFACE: ACL '" << acln->getText() << "'" << " " << dir->getText() << std::endl; } ; intf_address : ADDRESS a:IPV4 m:IPV4 (s:SECONDARY)? 
{ importer->setCurrentLineNumber(LT(0)->getLine()); importer->addInterfaceAddress(a->getText(), m->getText()); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << a->getText() << "/" << m->getText() << " "; if (s) { *dbg << s->getText(); } *dbg << std::endl; } ; //**************************************************************** exit: EXIT ; comment : LINE_COMMENT ; // comment: COMMENT_START // { // *dbg << LT(1)->getLine() << ":"; // std::string comm; // while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) // { // comm += LT(1)->getText() + " "; // consume(); // } // importer->addInterfaceComment( comm ); // *dbg << " COMMENT " << comm << std::endl; // } // ; //**************************************************************** class IOSCfgLexer extends Lexer; options { k = 10; // ASCII only charVocabulary = '\3'..'\377'; } tokens { EXIT = "exit"; QUIT = "quit"; IOSVERSION = "version"; HOSTNAME = "hostname"; CERTIFICATE = "certificate"; INTRFACE = "interface"; CONTROLLER = "controller"; DESCRIPTION = "description"; REMARK = "remark"; SHUTDOWN = "shutdown"; VLAN = "vlan"; ACCESS_LIST = "access-list"; ACCESS_GROUP = "access-group"; ADDRESS = "address"; SECONDARY = "secondary"; COMMUNITY_LIST = "community-list"; PERMIT = "permit"; DENY = "deny"; // protocols for 'permit' and 'deny' commands IP = "ip"; ICMP = "icmp"; TCP = "tcp"; UDP = "udp"; // AHP = "ahp"; // EIGRP = "eigrp"; // ESP = "esp"; // GRE = "gre"; // IGMP = "igmp"; // IGRP = "igrp"; // IPINIP = "ipinip"; // NOS = "nos"; // OSPF = "ospf"; // PCP = "pcp"; // PIM = "pim"; HOST = "host"; ANY = "any"; P_EQ = "eq"; P_GT = "gt"; P_LT = "lt"; P_NEQ = "neq"; P_RANGE = "range"; LOG = "log"; LOG_INPUT = "log-input"; ESTABLISHED = "established"; FRAGMENTS = "fragments"; TIME_RANGE = "time-range"; EXTENDED = "extended" ; STANDARD = "standard" ; POINT_TO_POINT = "point-to-point" ; } LINE_COMMENT : "!" 
(~('\r' | '\n'))* ; // NEWLINE ; Whitespace : ( '\003'..'\010' | '\t' | '\013' | '\f' | '\016'.. '\037' | '\177'..'\377' | ' ' ) { _ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP; } ; //COMMENT_START : '!' ; NEWLINE : ( "\r\n" | '\r' | '\n' ) { newline(); } ; protected INT_CONST:; protected HEX_CONST:; protected NEG_INT_CONST:; protected DIGIT : '0'..'9' ; protected HEXDIGIT : '0'..'9' | 'A'..'F' ; NUMBER : ( ( (DIGIT)+ DOT (DIGIT)+ DOT (DIGIT)+ )=> ( (DIGIT)+ DOT (DIGIT)+ DOT (DIGIT)+ DOT (DIGIT)+ ) { _ttype = IPV4; } | ( (DIGIT)+ DOT (DIGIT)+ )=> ( (DIGIT)+ DOT (DIGIT)+ ) | ( DIGIT )+ { _ttype = INT_CONST; } | ( '0' 'x' ( HEXDIGIT )+ ) { _ttype = HEX_CONST; } ) ; WORD : ( 'a'..'z' | 'A'..'Z' | '$' ) ( '!'..'/' | '0'..'9' | ':' | ';' | '<' | '=' | '>' | '?' | '@' | 'A'..'Z' | '\\' | '^' | '_' | '`' | 'a'..'z' )* ; STRING : '"' (~'"')* '"'; PIPE_CHAR : '|'; NUMBER_SIGN : '#' ; // DOLLAR : '$' ; PERCENT : '%' ; AMPERSAND : '&' ; APOSTROPHE : '\'' ; OPENING_PAREN : '(' ; CLOSING_PAREN : ')' ; STAR : '*' ; PLUS : '+' ; COMMA : ',' ; MINUS : '-' ; DOT : '.' ; SLASH : '/' ; COLON : ':' ; SEMICOLON : ';' ; LESS_THAN : '<' ; EQUALS : '=' ; GREATER_THAN : '>' ; QUESTION : '?' ; COMMERCIAL_AT : '@' ; OPENING_SQUARE : '[' ; CLOSING_SQUARE : ']' ; CARET : '^' ; UNDERLINE : '_' ; OPENING_BRACE : '{' ; CLOSING_BRACE : '}' ; TILDE : '~' ; fwbuilder-5.3.7/src/parsers/iptables.g000066400000000000000000001172141303637203600177430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* Note about negation: this grammar parses only extrapositioned negation "! -s address" for all recognized options that can have it. Intrapositioned negation ("-s ! address") should be converted to extrapositioned in IPTImporter class before running the parser. */ header "pre_include_hpp" { // gets inserted before antlr generated includes in the header // file #include "IPTImporter.h" } header "post_include_hpp" { // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include class IPTImporter; } header "pre_include_cpp" { // gets inserted before the antlr generated includes in the cpp // file } header "post_include_cpp" { // gets inserted after the antlr generated includes in the cpp // file #include #include #include "fwbuilder/TCPService.h" #include "fwbuilder/Logger.h" #include } header { // gets inserted after generated namespace specifications in the // header file. But outside the generated class. 
} options { language="Cpp"; } class IPTCfgParser extends Parser; options { k = 2; // defaultErrorHandler=false; } { // additional methods and members public: std::ostream *dbg; IPTImporter *importer; /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { importer->addMessageToLog("Parser error: " + ex.toString()); std::cerr << ex.toString() << std::endl; } /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser error: " + s); std::cerr << s << std::endl; } /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser warning: " + s); std::cerr << s << std::endl; } } cfgfile : ( comment | start_table | create_chain | add_rule | commit | NEWLINE )+ ; //**************************************************************** // comment can be iptables-save header or a regular comment // Examples of the header: // // # Generated by iptables-save v1.3.5 on Mon Apr 11 15:32:22 2011 // # Generated by iptables-save v1.4.1.1 on Fri Mar 4 12:14:55 2011 // comment : NUMBER_SIGN ( IPTABLES_SAVE_HEADER ( THREE_COMPONENT_VERSION | IPV4 ) { importer->setCurrentLineNumber(LT(0)->getLine()); std::string version = LT(0)->getText(); importer->setDiscoveredVersion(version); *dbg << "VERSION " << version << std::endl; consumeUntil(NEWLINE); } )* { consumeUntil(NEWLINE); } ; //**************************************************************** //**************************************************************** commit : COMMIT { // push last rule importer->pushRule(); *dbg << " COMMIT" << std::endl; // clear current table importer->current_table = ""; } ; //**************************************************************** start_table : STAR WORD { if (!importer->current_table.empty()) { 
// we did not see COMMIT *(importer->logger) << "********************************\n"; *(importer->logger) << "Missing COMMIT for the table " << importer->current_table << "\n"; *(importer->logger) << "Perhaps the file is broken ?" << "\n"; *(importer->logger) << "********************************\n"; *dbg << "Missing COMMIT for the table " << importer->current_table; *dbg << "Perhaps the file is broken ?"; // push last rule importer->pushRule(); // clear current table importer->current_table = ""; } importer->registerTable(LT(0)->getText()); *dbg << "TABLE " << LT(0)->getText() << std::endl; } ; //**************************************************************** chain_def : (INPUT | FORWARD | OUTPUT | PREROUTING | POSTROUTING | WORD) ; //**************************************************************** // // :INPUT DROP [2:104] // :FORWARD DROP [0:0] // :OUTPUT DROP [1:1492] // :Cid4089E41E.0 - [0:0] // :Cid45349B7222600.0 - [0:0] create_chain : COLON chain_def { importer->setCurrentLineNumber(LT(0)->getLine()); if (importer->current_table=="nat") importer->newUnidirRuleSet(LT(0)->getText(), libfwbuilder::NAT::TYPENAME); else importer->newUnidirRuleSet(LT(0)->getText(), libfwbuilder::Policy::TYPENAME); *dbg << "NEW CHAIN " << LT(0)->getText() << std::endl; } (WORD | MINUS) { importer->setDefaultAction(LT(0)->getText()); *dbg << "DEFAULT ACTION " << LT(0)->getText() << std::endl; } (OPENING_SQUARE INT_CONST COLON INT_CONST CLOSING_SQUARE)? 
;
//****************************************************************
// "-A <chain> <options...>": one iptables-save rule line.
//
// The action first closes the rule that was being assembled
// (pushRule) and then starts a new one; the last rule of a table is
// pushed by the COMMIT action (or by start_table when COMMIT is
// missing) rather than here. The kind of rule object created depends
// on the table currently open: "nat" -> NAT rule, anything else ->
// policy rule. Note that "( ipt_option )+" requires at least one
// option, so a bare "-A chain" line does not parse.
add_rule : ADD_RULE chain_def
    {
        // push previous rule
        *dbg << std::endl;
        importer->pushRule();
        // start new one
        importer->setCurrentLineNumber(LT(0)->getLine());
        if (importer->current_table=="nat")
            importer->newNATRule();
        else
            importer->newPolicyRule();
        importer->current_chain = LT(0)->getText();
        *dbg << "add_rule: line=" << LT(0)->getLine()
             << " chain=" << LT(0)->getText();
    }
    ( ipt_option )+ NEWLINE
    ;
//****************************************************************
// A single rule option. Options are matched one at a time in the
// order they appear on the line; each one records its value in the
// importer, which assembles the rule object once the line is done.
// unknown_option is the catch-all for any "-x" / "--xxx" the grammar
// does not know: it reports the option through importer->reportError
// instead of dropping it silently, so a matcher that was lost on
// import shows up in the log rather than producing a quietly more
// permissive rule.
ipt_option : ( negation | module | match_mark | match_recent | src | dst | i_intf | o_intf | proto | target | fragm | icmp_type_spec | basic_tcp_udp_port_spec | multiport_tcp_udp_port_spec | tcp_options | match_limit | match_limit_burst | match_length | match_iprange_src | match_iprange_dst | unknown_option )
    ;
//****************************************************************
// Extrapositioned "!" (see the note at the top of the file). Only the
// flag is raised here; each option that supports negation copies
// tmp_neg into its own *_neg member and resets tmp_neg (src, dst,
// i_intf, o_intf, proto, the port matchers, tcp_options).
// NOTE(review): options that do not read tmp_neg (target, fragm,
// unknown_option, ...) do not clear it either, so a "!" placed in
// front of one of them appears to carry over to the next option on the
// line that does read it — confirm against IPTImporter and consider
// resetting the flag at the end of add_rule.
negation : EXCLAMATION
    {
        importer->tmp_neg = true;
    }
    ;
//****************************************************************
// Catch-all for options the grammar does not recognise: "-x", "--xxx"
// or one of the lexer tokens typed UNSUPPORTED_OPTION. Each
// alternative reports the option name via importer->reportError and
// then consumes an optional parameter (unknown_parameter) so that
// parsing can resynchronise on the next option. The rule continues on
// the next line of the archive.
unknown_option : ( MINUS WORD
    {
        importer->reportError(
            std::string("Unknown option: -")+LT(0)->getText());
        *dbg << " UNKNOWN OPTION=-" << LT(0)->getText();
    }
    (unknown_parameter)? )
    | ( ( MINUS MINUS WORD )
    {
        importer->reportError(
            std::string("Unknown option: --")+LT(0)->getText());
        *dbg << " UNKNOWN OPTION=--" << LT(0)->getText();
    }
    (unknown_parameter)? )
    | ( UNSUPPORTED_OPTION
    {
        importer->reportError(
            std::string("Unknown option: ")+LT(0)->getText());
        *dbg << " UNKNOWN OPTION=" << LT(0)->getText();
    }
    (unknown_parameter)?
) ; unknown_parameter { std::string s; } : ( ( ( DIGIT {s+=LT(0)->getText();} | INT_CONST {s+=LT(0)->getText();} ) SLASH {s+=LT(0)->getText();} WORD {s+=LT(0)->getText();} ) { importer->reportError( std::string("Unknown parameter: ")+s); *dbg << " UNKNOWN PARMETER=" << s; } ) | ( (DIGIT | INT_CONST | WORD) { importer->reportError( std::string("Unknown parameter: ")+LT(0)->getText()); *dbg << " UNKNOWN PARMETER=" << LT(0)->getText(); } ) ; //**************************************************************** // this matches "-m module", except for modules "mark" and "recent" // which have some parameters that look the same as parameters for // other modules. See match_mark and match_recent module : OPT_MODULE ( m_state | m_mport | m_icmp | m_tcp | m_udp | m_limit | m_length | m_iprange | m_comment | m_pkttype | m_unknown_module) ; //**************************************************************** src : OPT_SRC { *dbg << " SRC="; importer->src_neg = importer->tmp_neg; importer->tmp_neg = false; } ( (WORD | IPV4) { importer->src_a = LT(0)->getText(); *dbg << LT(0)->getText(); } (SLASH (IPV4 | INT_CONST) { importer->src_nm = LT(0)->getText(); *dbg << "/" << LT(0)->getText(); } )? ) ; //**************************************************************** dst : OPT_DST { *dbg << " DST="; importer->dst_neg = importer->tmp_neg; importer->tmp_neg = false; } ( (WORD | IPV4) { importer->dst_a = LT(0)->getText(); *dbg << LT(0)->getText(); } (SLASH (IPV4 | INT_CONST) { importer->dst_nm = LT(0)->getText(); *dbg << "/" << LT(0)->getText(); } )? 
) ; //**************************************************************** i_intf : OPT_IN_INTF { importer->intf_neg = importer->tmp_neg; importer->tmp_neg = false; } WORD { importer->i_intf = LT(0)->getText(); *dbg << " I_INTF=" << LT(0)->getText(); } ; //**************************************************************** o_intf : OPT_OUT_INTF { importer->intf_neg = importer->tmp_neg; importer->tmp_neg = false; } WORD { importer->o_intf = LT(0)->getText(); *dbg << " O_INTF=" << LT(0)->getText(); } ; //**************************************************************** protocol_word : (TCP | UDP | ICMP | WORD | INT_CONST ) ; proto : OPT_PROTO { importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; } protocol_word { std::string tmp_s = LT(0)->getText(); importer->protocol.resize(tmp_s.size()); std::transform(tmp_s.begin(), tmp_s.end(), importer->protocol.begin(), ::tolower); *dbg << " PROTO=" << importer->protocol; } ; //**************************************************************** target : OPT_TARGET t:WORD { importer->target = LT(0)->getText(); *dbg << " TARGET=" << t->getText(); } ( target_options )* ; //**************************************************************** target_options : ( REJECT_WITH WORD { importer->action_params["reject_with"] = LT(0)->getText(); *dbg << " REJECT WITH=" << LT(0)->getText(); } | LOG_PREFIX (WORD | STRING) { importer->action_params["log_prefix"] = LT(0)->getText(); *dbg << " LOG PREFIX=" << LT(0)->getText(); } | LOG_TCP_SEQ { importer->action_params["log_tcp_seq"] = LT(0)->getText(); *dbg << " LOG TCP SEQUENCE="; } | LOG_TCP_OPT { importer->action_params["log_tcp_options"] = LT(0)->getText(); *dbg << " LOG TCP OPTIONS="; } | LOG_IP_OPT { importer->action_params["log_ip_options"] = LT(0)->getText(); *dbg << " LOG IP OPTIONS="; } | ULOG_PREFIX (WORD | STRING) { importer->action_params["log_prefix"] = LT(0)->getText(); *dbg << " ULOG PREFIX=" << LT(0)->getText(); } | LOG_LEVEL (INT_CONST | WORD) { 
importer->action_params["log_level"] = LT(0)->getText(); *dbg << " LOG LEVEL=" << LT(0)->getText(); } | SET_CLASS major:INT_CONST COLON minor:INT_CONST { importer->action_params["set_class"] = major->getText() + ":" + minor->getText(); *dbg << " SET CLASS=" << major->getText() + ":" + minor->getText(); } | SET_MARK (INT_CONST | HEX_CONST) { importer->action_params["set_mark"] = LT(0)->getText(); *dbg << " SET MARK=" << LT(0)->getText(); } | SET_TOS HEX_CONST { importer->action_params["set_tos"] = LT(0)->getText(); *dbg << " SET TOS=" << LT(0)->getText(); } | SET_TOS WORD { importer->action_params["set_tos"] = LT(0)->getText(); *dbg << " SET TOS=" << LT(0)->getText(); } | SAVE_MARK { importer->action_params["connmark_save_mark"] = "--save-mark"; *dbg << " SAVE MARK"; } | RESTORE_MARK { importer->action_params["connmark_restore_mark"] = "--restore-mark"; *dbg << " RESTORE MARK"; } | CONTINUE { importer->action_params["route_continue"] = "--continue"; *dbg << " CONTINUE"; } | ROUTE_IIF WORD { importer->action_params["route_iif"] = LT(0)->getText(); *dbg << " ROUTE_IIF=" << LT(0)->getText(); } | ROUTE_OIF WORD { importer->action_params["route_oif"] = LT(0)->getText(); *dbg << " ROUTE_OIF=" << LT(0)->getText(); } | ROUTE_GW IPV4 { importer->action_params["route_gw"] = LT(0)->getText(); *dbg << " ROUTE_GW=" << LT(0)->getText(); } | ROUTE_TEE { importer->action_params["route_tee"] = "--tee"; *dbg << " ROUTE_TEE"; } | TO_SOURCE { *dbg << " TO-SOURCE"; } nat_spec | TO_DESTINATION { *dbg << " TO-DESTINATION"; } nat_spec | TO_PORTS redirect_spec | TO_NETMAP { *dbg << " TO-NETMAP"; } ( IPV4 { importer->nat_addr1 = LT(0)->getText(); importer->nat_addr2 = LT(0)->getText(); *dbg << LT(0)->getText(); } SLASH (IPV4 | INT_CONST) { importer->nat_nm = LT(0)->getText(); *dbg << "/" << LT(0)->getText(); } ) | CLAMP_MSS { importer->action_params["clamp-mss-to-pmtu"] = "--clamp-mss-to-pmtu"; *dbg << " TO-NETMAP"; } ) ; //**************************************************************** 
nat_spec : nat_addr_range (COLON nat_port_def_with_range)? { *dbg << " " << importer->nat_addr1 << "-" << importer->nat_addr2 << ":" << importer->nat_port_range_start << "-" << importer->nat_port_range_end; } ; //**************************************************************** nat_addr_range : (IPV4 MINUS) => ( a1:IPV4 MINUS a2:IPV4 { importer->nat_port_range_start = ""; importer->nat_port_range_end = ""; importer->nat_addr1 = a1->getText(); importer->nat_addr2 = a2->getText(); } ) | IPV4 { importer->nat_port_range_start = ""; importer->nat_port_range_end = ""; importer->nat_addr1 = LT(0)->getText(); importer->nat_addr2 = LT(0)->getText(); } ; //**************************************************************** redirect_spec : nat_port_def_with_range { *dbg << " TO-PORTS " << importer->nat_addr1 << "-" << importer->nat_addr2 << ":" << importer->nat_port_range_start << "-" << importer->nat_port_range_end; } ; //**************************************************************** fragm : OPT_FRAGM { importer->fragments = true; *dbg << " FRAGM"; } ; //**************************************************************** m_unknown_module : WORD { *dbg << " UNKNOWN MODULE=" << LT(0)->getText(); importer->reportError( std::string("Unknown module: ")+LT(0)->getText()); } ; //**************************************************************** state_word : ( INVALID | NEW | ESTABLISHED | RELATED ) ; m_state : M_STATE MATCH_STATE { importer->current_state = ""; } state_word { importer->current_state += LT(0)->getText(); } ( COMMA state_word { importer->current_state += std::string(",") + LT(0)->getText(); } )* { *dbg << " STATE MATCH=" << importer->current_state; } ; //**************************************************************** m_mark : M_MARK { *dbg << " MARK"; } ; //**************************************************************** match_mark : OPT_MODULE m_mark ( EXCLAMATION {importer->neg_match_mark = true;} )? 
MATCH_MARK (INT_CONST | HEX_CONST) { importer->tmp_neg = false; importer->match_mark = LT(0)->getText(); *dbg << " MATCH MARK " << LT(0)->getText(); } ; //**************************************************************** m_limit : M_LIMIT { *dbg << " LIMIT"; } ; //**************************************************************** match_limit : MATCH_LIMIT limit_rate ; limit_rate : INT_CONST { importer->limit_val = LT(0)->getText(); } SLASH WORD { importer->limit_suffix = LT(0)->getText(); } { *dbg << " MATCH LIMIT " << importer->limit_val << "/" << importer->limit_suffix; } ; match_limit_burst : MATCH_LIMIT_BURST INT_CONST { importer->limit_burst = LT(0)->getText(); *dbg << " LIMIT BURST " << LT(0)->getText(); } ; //**************************************************************** m_recent : M_RECENT { *dbg << " RECENT"; } ; //**************************************************************** m_iprange : M_IPRANGE { *dbg << " IPRANGE"; } ; match_iprange_src : MATCH_IPRANGE_SRC (WORD | IPV4) { importer->iprange_src_from = LT(0)->getText(); importer->using_iprange_src = true; } MINUS (WORD | IPV4) { importer->iprange_src_to = LT(0)->getText(); } ; match_iprange_dst : MATCH_IPRANGE_DST (WORD | IPV4) { importer->iprange_dst_from = LT(0)->getText(); importer->using_iprange_dst = true; } MINUS (WORD | IPV4) { importer->iprange_dst_to = LT(0)->getText(); } ; //**************************************************************** /* Unlike with other modules, this matches both "-m recent" and * module arguments * I am having difficulties writing grammar to catch negation * in front of arguments, such as ! 
--set */ match_recent : OPT_MODULE m_recent ( recent_opts )+ ; recent_opts: recent_args_no_param | recent_args_param ; recent_args_no_param: (MATCH_RECENT_SET | MATCH_RECENT_RCHECK | MATCH_RECENT_UPDATE | MATCH_RECENT_REMOVE | MATCH_RECENT_RTTL | RSOURCE | MATCH_RECENT_RDEST) { importer->recent_match += LT(0)->getText() + " "; } ; recent_args_param: (MATCH_RECENT_NAME | MATCH_RECENT_SECONDS | MATCH_RECENT_HITCOUNT) { importer->recent_match += LT(0)->getText() + " "; } (INT_CONST | WORD) { importer->recent_match += LT(0)->getText() + " "; } ; //**************************************************************** m_length : M_LENGTH { *dbg << " LENGTH"; } ; //**************************************************************** match_length : MATCH_LENGTH length_spec ; length_spec : INT_CONST { importer->length_spec = LT(0)->getText(); } COLON INT_CONST { importer->length_spec += ":"; importer->length_spec += LT(0)->getText(); } { *dbg << " MATCH LENGTH " << importer->length_spec; } ; //**************************************************************** m_pkttype: M_PKTTYPE MATCH_PKT_TYPE pkt_type_spec ; pkt_type_spec : (WORD_BROADCAST | WORD_MULTICAST | WORD_UNICAST) { importer->pkt_type_spec = LT(0)->getText(); *dbg << " PKT_TYPE " << importer->pkt_type_spec; } ; //**************************************************************** m_mport : M_MPORT { *dbg << " MULTIPORT"; } ; //**************************************************************** m_comment : M_COMMENT MATCH_COMMENT STRING { *dbg << " COMMENT=" << LT(0)->getText(); } ; //**************************************************************** /* * Note that there can be just one port (i.e. no ,port[,port] part) * * Note also that we do little preprocessing of the iptables lines * before passing them to the parser in IPTImporter::run(). 
Specifically, * we replace --sport and --dport with --source-ports and --destination-ports * for module multiport to avoid ambiguity that arises from different * rules that arguments for the --sport and --dport parameters can follow * depending on the module. */ multiport_tcp_udp_port_spec : ( ( MATCH_SRC_MULTIPORT { importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; importer->startSrcMultiPort(); *dbg << " SRC MULTIPORT="; } port_def_with_range { importer->pushTmpPortSpecToSrcPortList(); } ( COMMA port_def_with_range { importer->pushTmpPortSpecToSrcPortList(); } )* ) | ( MATCH_DST_MULTIPORT { importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; importer->startDstMultiPort(); *dbg << " DST MULTIPORT="; } port_def_with_range { importer->pushTmpPortSpecToDstPortList(); } ( COMMA port_def_with_range { importer->pushTmpPortSpecToDstPortList(); } )* ) | ( MATCH_BOTH_MULTIPORT { importer->srv_neg = importer->tmp_neg; importer->tmp_neg = false; importer->startBothMultiPort(); *dbg << " MULTIPORT PORTS="; } port_def_with_range { importer->pushTmpPortSpecToBothPortList(); } ( COMMA port_def_with_range { importer->pushTmpPortSpecToBothPortList(); } )* ) ) ; //**************************************************************** m_icmp : ICMP { importer->protocol = "icmp"; *dbg << " ICMP"; } ; //**************************************************************** icmp_type_spec : MATCH_ICMP_TYPE ( WORD { importer->icmp_spec = LT(0)->getText(); *dbg << " ICMP_SPEC=" << LT(0)->getText(); } | ( INT_CONST { importer->icmp_type = LT(0)->getText(); importer->icmp_code = "-1"; *dbg << " ICMP_TYPE=" << LT(0)->getText(); } ( SLASH INT_CONST { importer->icmp_code = LT(0)->getText(); *dbg << " ICMP_CODE=" << LT(0)->getText(); } )? 
)
)
;
//****************************************************************
// port definition that does not allow for port range
// NOTE(review): port_def_no_range is not referenced anywhere in the
// visible part of this grammar; the port matchers use
// port_def_with_range / port_def_with_incomplete_range instead.
port_def_no_range : (WORD|INT_CONST)
    {
        importer->tmp_port_range_start = LT(0)->getText();
        importer->tmp_port_range_end = LT(0)->getText();
        *dbg << " PORT=" << LT(0)->getText();
    }
    ;
/****************************************************************
 * port definition that allows for port range. That parser should
 * recognize constructs
 *
 * port1 ---> range_start = range_end = port1
 * port1:port2 ---> range_start = port1 range_end = port2
 * port1: ---> range_start = port1 range_end = 65535
 * :port2 ---> range_start = 0 range_end = port2
 */
// Both ends of the range are left in importer->tmp_port_range_start /
// tmp_port_range_end as raw token text (a number or a service name);
// the caller decides which port list they are pushed to.
// NOTE(review): in the "port1:" case the optional token after COLON is
// absent, so LT(0) is the last consumed token, i.e. the COLON, and
// tmp_port_range_end receives ":" rather than the 65535 the table
// above promises. A rule such as "--dport 1024:" therefore appears to
// import with a bogus upper bound — confirm how IPTImporter handles
// that value, and either substitute "65535" in the action when the
// token is missing or reject the form with an explicit error so the
// imported rule is not silently narrower than the original.
port_def_with_range : (WORD|INT_CONST)
    {
        importer->tmp_port_range_start = LT(0)->getText();
        importer->tmp_port_range_end = LT(0)->getText();
        *dbg << " PORT=" << LT(0)->getText();
    }
    ( COLON (WORD|INT_CONST)?
        {
            importer->tmp_port_range_end = LT(0)->getText();
            *dbg << ":" << LT(0)->getText();
        }
    )?
    ;
// ":port2" form: the lower bound is fixed to "0", the upper bound is
// taken from the token after the colon.
port_def_with_incomplete_range : COLON (WORD|INT_CONST)
    {
        importer->tmp_port_range_start = "0";
        importer->tmp_port_range_end = LT(0)->getText();
        *dbg << "PORT 0:" << LT(0)->getText();
    }
    ;
//****************************************************************
// nat port definition that allows for port range
// (uses '-' instead of ':')
// The syntactic predicate tries the "p1-p2" form first; otherwise a
// single port is matched and both nat_port_range_start and
// nat_port_range_end receive the same value.
nat_port_def_with_range : ((WORD | INT_CONST) MINUS) =>
    ( (WORD | INT_CONST)
    {
        importer->nat_port_range_start = LT(0)->getText();
        importer->nat_port_range_end = LT(0)->getText();
        *dbg << " PORT=" << LT(0)->getText();
    }
    MINUS (WORD | INT_CONST)
    {
        importer->nat_port_range_end = LT(0)->getText();
        *dbg << ":" << LT(0)->getText();
    }
    )
    | (WORD | INT_CONST)
    {
        importer->nat_port_range_start = LT(0)->getText();
        importer->nat_port_range_end = LT(0)->getText();
        *dbg << " PORT=" << LT(0)->getText();
    }
    ;
//****************************************************************
// --sport / --source-port and --dport / --destination-port. The
// pending "!" (tmp_neg) is moved into srv_neg before the port
// definition is parsed, so negation applies to the service match.
// The rule continues on the next line of the archive.
basic_tcp_udp_port_spec : (MATCH_SRC_PORT | MATCH_SRC_PORT_SHORT)
    {
        importer->srv_neg = importer->tmp_neg;
        importer->tmp_neg = false;
    }
    (port_def_with_range | port_def_with_incomplete_range)
    {
        importer->pushTmpPortSpecToSrcPortList();
    }
    | (MATCH_DST_PORT | MATCH_DST_PORT_SHORT)
    {
        importer->srv_neg = importer->tmp_neg;
        importer->tmp_neg = false;
    }
    (port_def_with_range | port_def_with_incomplete_range)
    {
        importer->pushTmpPortSpecToDstPortList();
    }
    ;
//****************************************************************
// "-m udp": only records the protocol; port options that may follow
// are handled by basic_tcp_udp_port_spec / multiport_tcp_udp_port_spec.
m_udp : UDP
    {
        importer->protocol = "udp";
        *dbg << " UDP";
    }
    ;
//****************************************************************
// "-m tcp": same as m_udp; the tcp_options below may follow as well.
m_tcp : TCP
    {
        importer->protocol = "tcp";
        *dbg << " TCP";
    }
    ;
//****************************************************************
// tcp options can follow "-p tcp", the "-m tcp" seems to be optional,
// at least in the older versions of iptables
//
// All three forms consume the pending "!" (tmp_neg -> srv_neg), so a
// negated --syn / --tcp-flags ends up as a negated service match.
tcp_options : ( syn | tcp_flags | tcp_option)
    {
        importer->srv_neg = importer->tmp_neg;
        importer->tmp_neg = false;
    }
    ;
// "--syn" is expanded into the equivalent explicit flag match:
// mask SYN,RST,ACK with only SYN set. Both lists are cleared first so
// an earlier --tcp-flags on the same line cannot leak into the match.
syn : MATCH_SYN
    {
        importer->tcp_flags_mask.clear();
        importer->tcp_flags_mask.push_back(libfwbuilder::TCPService::SYN);
        importer->tcp_flags_mask.push_back(libfwbuilder::TCPService::RST);
        importer->tcp_flags_mask.push_back(libfwbuilder::TCPService::ACK);
        importer->tcp_flags_comp.clear();
        importer->tcp_flags_comp.push_back(libfwbuilder::TCPService::SYN);
    }
    ;
// Maps one flag keyword to its TCPService flag code and leaves it in
// tmp_tcp_flag_code for tcp_flags_list to collect. ALL and NONE have
// no TCPService counterpart and are encoded with the sentinel values
// 99 and 98; how those are expanded is up to the importer
// (presumably "every flag" / "no flag" — confirm in IPTImporter).
tcp_flag_word : ( SYN
    {
        importer->tmp_tcp_flag_code = libfwbuilder::TCPService::SYN;
    }
    | ACK
    {
        importer->tmp_tcp_flag_code = libfwbuilder::TCPService::ACK;
    }
    | FIN
    {
        importer->tmp_tcp_flag_code = libfwbuilder::TCPService::FIN;
    }
    | RST
    {
        importer->tmp_tcp_flag_code = libfwbuilder::TCPService::RST;
    }
    | URG
    {
        importer->tmp_tcp_flag_code = libfwbuilder::TCPService::URG;
    }
    | PSH
    {
        importer->tmp_tcp_flag_code = libfwbuilder::TCPService::PSH;
    }
    | ALL
    {
        importer->tmp_tcp_flag_code = 99;
    }
    | NONE
    {
        importer->tmp_tcp_flag_code = 98;
    }
    )
    ;
// Comma separated list of flag words collected into
// tmp_tcp_flags_list; tcp_flags invokes it twice (mask first, then
// the flags that must be set). The rule continues on the next line of
// the archive.
tcp_flags_list :
    {
        importer->tmp_tcp_flags_list.clear();
        importer->tmp_tcp_flag_code = 0;
    }
    tcp_flag_word
    {
        importer->tmp_tcp_flags_list.push_back(importer->tmp_tcp_flag_code);
    }
    ( COMMA tcp_flag_word
    {
importer->tmp_tcp_flags_list.push_back( importer->tmp_tcp_flag_code); } )* ; tcp_flags : MATCH_TCP_FLAGS tcp_flags_list { importer->tcp_flags_mask = importer->tmp_tcp_flags_list; importer->tmp_tcp_flags_list.clear(); } tcp_flags_list { importer->tcp_flags_comp = importer->tmp_tcp_flags_list; importer->tmp_tcp_flags_list.clear(); *dbg << " TCP FLAGS="; foreach(int x, importer->tcp_flags_mask) *dbg << x << "|"; *dbg << " "; foreach(int x, importer->tcp_flags_comp) *dbg << x << "|"; } ; // --tcp-option is not supported in fwbuilder at this time tcp_option : MATCH_TCP_OPTION INT_CONST ; //**************************************************************** class IPTCfgLexer extends Lexer; options { k = 20; // ASCII only charVocabulary = '\3'..'\377'; } tokens { INPUT = "INPUT"; FORWARD = "FORWARD"; OUTPUT = "OUTPUT"; PREROUTING = "PREROUTING"; POSTROUTING = "POSTROUTING"; INVALID = "INVALID"; NEW = "NEW"; ESTABLISHED = "ESTABLISHED"; RELATED = "RELATED"; COMMIT = "COMMIT"; M_STATE = "state"; M_COMMENT = "comment"; M_MPORT = "multiport"; M_MARK = "mark"; M_LIMIT = "limit" ; M_LENGTH = "length" ; M_RECENT = "recent" ; M_IPRANGE = "iprange" ; M_PKTTYPE = "pkttype" ; ICMP = "icmp"; TCP = "tcp"; UDP = "udp"; SYN = "SYN"; ACK = "ACK"; FIN = "FIN"; RST = "RST"; URG = "URG"; PSH = "PSH"; ALL = "ALL"; NONE = "NONE"; WORD_BROADCAST = "broadcast" ; WORD_MULTICAST = "multicast" ; WORD_UNICAST = "unicast" ; } // LINE_COMMENT : '#' (~('\r' | '\n'))* NEWLINE ; IPTABLES_SAVE_HEADER : " Generated by iptables-save v"; Whitespace : ( '\003'..'\010' | '\t' | '\013' | '\f' | '\016'.. 
'\037' | '\177'..'\377' | ' ' ) { _ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP; } ; NEWLINE : ( "\r\n" | '\r' | '\n' ) { newline(); resetText(); } ; protected IPV4:; protected THREE_COMPONENT_VERSION:; protected IPV6:; protected MAC_ADDRESS:; protected INT_CONST:; protected HEX_CONST:; protected NEG_INT_CONST:; protected DIGIT : '0'..'9' ; protected HEXDIGIT : '0'..'9' | 'A'..'F' | 'a'..'f'; // ################################ // Rules for IPv4 and IPv6 partially based on ideas from // http://www.antlr.org:8080/pipermail/antlr-interest/2005-June/012661.html // Ruleset copied from the posting does not compile, antlr 2.7.7 seems to // hang while processing it. Commenting out rules for MAC_ADDRESS and // IPV6 makes antlr process grammar successfully (but defeats the purpose). protected NUM_3DIGIT: ('0'..'9') (('0'..'9') ('0'..'9')?)?; protected NUM_HEX_4DIGIT: HEXDIGIT ((HEXDIGIT) ((HEXDIGIT) (HEXDIGIT)?)?)?; // IPV6 // Note that '::' can only appear once in the address // but can be used to compress leading and/or trailing zeros in an address // // As of 12/2008 these rules do not work, antlr seems to hang while compiling // this grammar. // // IPV6_1: (NUM_HEX_4DIGIT ':' (NUM_HEX_4DIGIT | ':')* NUM_HEX_4DIGIT) // { $setType(IPV6); }; // // IPV6_2: (':' ':' (NUM_HEX_4DIGIT | ':')* NUM_HEX_4DIGIT) { $setType(IPV6); }; // // IPV6_3: ((NUM_HEX_4DIGIT | ':')* NUM_HEX_4DIGIT ':' ':') { $setType(IPV6); }; // // IPV6_4: ':' ':' { $setType(IPV6); }; NUMBER options { testLiterals = true; } : // IPv4 RULE (NUM_3DIGIT '.' NUM_3DIGIT '.') => ( NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT { $setType(IPV4); } ) | (NUM_3DIGIT '.' NUM_3DIGIT '.') => ( NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT { $setType(THREE_COMPONENT_VERSION); } ) | ( '0' 'x' ( HEXDIGIT )+ ) { $setType(HEX_CONST); } | ( DIGIT )+ { $setType(INT_CONST); } ; WORD : ( 'a'..'z' | 'A'..'Z' | '$' ) ( '!'..'+' | '-' | '.' | '/' | '0'..'9' | ':' | ';' | '<' | '=' | '>' | '?' 
| '@' | 'A'..'Z' | '^' | '_' | '`' | 'a'..'z' )* ; STRING : '"' (~'"')* '"'; // ------------------------------------------------------------------------ // I have to add these options even though I do not support them // protected UNSUPPORTED_OPTION:; //"--seconds" confuses lexer because it interprets it as "-" "-s" "econds" //SECONDS : "--seconds" { $setType(UNSUPPORTED_OPTION); }; // SET : "--set" { $setType(UNSUPPORTED_OPTION); }; // "--rsource" also confuses lexer which expects "--reject" RSOURCE : "--rsource" { $setType(UNSUPPORTED_OPTION); }; // ------------------------------------------------------------------------ ADD_RULE : "-A" ; MATCH_STATE : "--state" ; MATCH_SRC_MULTIPORT : "--source-ports" ; MATCH_DST_MULTIPORT : "--destination-ports" ; MATCH_BOTH_MULTIPORT : "--ports" ; MATCH_SRC_PORT : "--source-port" ; MATCH_DST_PORT : "--destination-port" ; MATCH_SRC_PORT_SHORT : "--sport" ; MATCH_DST_PORT_SHORT : "--dport" ; MATCH_SYN : "--syn" ; MATCH_TCP_FLAGS : "--tcp-flags" ; MATCH_TCP_OPTION : "--tcp-option" ; MATCH_ICMP_TYPE : "--icmp-type" ; MATCH_MARK : "--mark" ; MATCH_LENGTH : "--length" ; MATCH_LIMIT : "--limit" ; MATCH_LIMIT_BURST : "--limit-burst" ; MATCH_RECENT_NAME : "--name" ; MATCH_RECENT_RCHECK : "--rcheck" ; MATCH_RECENT_UPDATE : "--update" ; MATCH_RECENT_REMOVE : "--remove" ; MATCH_RECENT_SECONDS : "--seconds" ; MATCH_RECENT_HITCOUNT : "--hitcount" ; MATCH_RECENT_RTTL : "--rttl" ; MATCH_RECENT_RDEST : "--rdest" ; MATCH_RECENT_SET : "--set" ; MATCH_IPRANGE_SRC : "--src-range" ; MATCH_IPRANGE_DST : "--dst-range" ; MATCH_COMMENT : "--comment" ; MATCH_PKT_TYPE : "--pkt-type" ; // ---------------------------------------------------------------- // target options REJECT_WITH : "--reject-with" ; SET_CLASS : "--set-class" ; SET_MARK : "--set-mark" ; SAVE_MARK : "--save-mark" ; RESTORE_MARK : "--restore-mark" ; SET_TOS : "--set-tos" ; CONTINUE : "--continue" ; ROUTE_IIF : "--iif" ; ROUTE_OIF : "--oif" ; ROUTE_GW : "--gw" ; ROUTE_TEE : "--tee" ; 
LOG_PREFIX : "--log-prefix" ; LOG_LEVEL : "--log-level" ; LOG_TCP_SEQ : "--log-tcp-sequence"; LOG_TCP_OPT : "--log-tcp-options"; LOG_IP_OPT : "--log-ip-options"; ULOG_PREFIX : "--ulog-prefix" ; ULOG_QTHR : "--ulog-qthreshold" { $setType(UNSUPPORTED_OPTION); }; ULOG_NLG : "--ulog-nlgroup" { $setType(UNSUPPORTED_OPTION); }; ULOG_CPR : "--ulog-cprange" { $setType(UNSUPPORTED_OPTION); }; TO_SOURCE : "--to-source" ; TO_DESTINATION : "--to-destination" ; TO_PORTS : "--to-ports" ; TO_NETMAP : "--to" ; CLAMP_MSS : "--clamp-mss-to-pmtu" ; // ---------------------------------------------------------------- // these are the basic iptables options, not too many really OPT_MODULE : "-m" ; OPT_SRC : "-s" ; OPT_DST : "-d" ; OPT_IN_INTF : "-i" ; OPT_OUT_INTF : "-o" ; OPT_PROTO : "-p" ; OPT_TARGET : "-j" ; OPT_FRAGM : "-f" ; EXCLAMATION : '!' ; NUMBER_SIGN : '#' ; // DOLLAR : '$' ; PERCENT : '%' ; AMPERSAND : '&' ; APOSTROPHE : '\'' ; OPENING_PAREN : '(' ; CLOSING_PAREN : ')' ; STAR : '*' ; PLUS : '+' ; COMMA : ',' ; MINUS : '-' ; DOT : '.' ; SLASH : '/' ; COLON : ':' ; SEMICOLON : ';' ; LESS_THAN : '<' ; EQUALS : '=' ; GREATER_THAN : '>' ; QUESTION : '?' 
; COMMERCIAL_AT : '@' ; OPENING_SQUARE : '[' ; CLOSING_SQUARE : ']' ; CARET : '^' ; UNDERLINE : '_' ; OPENING_BRACE : '{' ; CLOSING_BRACE : '}' ; TILDE : '~' ; fwbuilder-5.3.7/src/parsers/parsers.pro000066400000000000000000000015161303637203600201660ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) # TEMPLATE = lib # SOURCES = IOSCfgLexer.cpp \ IOSCfgParser.cpp \ IPTCfgLexer.cpp \ IPTCfgParser.cpp \ PIXCfgLexer.cpp \ PIXCfgParser.cpp \ PFCfgLexer.cpp \ PFCfgParser.cpp \ HEADERS = ../../config.h \ IOSCfgLexer.hpp \ IOSCfgParser.hpp \ IOSCfgParserTokenTypes.hpp \ IPTCfgLexer.hpp \ IPTCfgParser.hpp \ IPTCfgParserTokenTypes.hpp \ PIXCfgLexer.hpp \ PIXCfgParser.hpp \ PIXCfgParserTokenTypes.hpp \ PFCfgLexer.hpp \ PFCfgParser.hpp \ PFCfgParserTokenTypes.hpp \ CONFIG += staticlib INCLUDEPATH += $$ANTLR_INCLUDEPATH ../import ../libfwbuilder/src DEPENDPATH += $$ANTLR_INCLUDEPATH ../import ../libfwbuilder/src LIBS += $$ANTLR_LIBS DEFINES += $$ANTLR_DEFINES TARGET = fwbparser INSTALLS -= target fwbuilder-5.3.7/src/parsers/pf.g000066400000000000000000001416341303637203600165500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ header "pre_include_hpp" { // gets inserted before antlr generated includes in the header // file #include "PFImporter.h" } header "post_include_hpp" { // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include #include class PFImporter; } header "pre_include_cpp" { // gets inserted before the antlr generated includes in the cpp // file } header "post_include_cpp" { // gets inserted after the antlr generated includes in the cpp // file #include #include } header { // gets inserted after generated namespace specifications in the // header file. But outside the generated class. } options { language="Cpp"; } class PFCfgParser extends Parser; options { k = 2; // when default error handler is disabled, parser errors cause // exception and terminate parsing process. We can catch the exception // and make the error appear in importer log, but import process // terminates which is not always optimal // // defaultErrorHandler = false; // see http://www.antlr2.org/doc/options.html } { // additional methods and members public: std::ostream *dbg; PFImporter *importer; /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { importer->addMessageToLog("Parser error: " + ex.toString()); importer->error_tracker->registerError("Parser error: " + ex.toString()); std::cerr << ex.toString() << std::endl; } /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser error: " + s); importer->error_tracker->registerError("Parser error: " + s); std::cerr << s << std::endl; } /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const 
ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser warning: " + s); importer->error_tracker->registerError("Parser warning: " + s); std::cerr << s << std::endl; } } cfgfile : ( comment | include_command | macro_definition | altq_rule | antispoof_rule | queue_rule | set_rule | scrub_rule | match_rule | table_rule | no_nat_rule | nat_rule | rdr_rule | binat_rule | pass_rule | block_rule | // unknown_rule // | NEWLINE )* ; //**************************************************************** comment : COMMENT_START { QStringList str; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { str << QString::fromUtf8(LT(1)->getText().c_str()); consume(); } importer->last_comment << str.join(" "); } ; //**************************************************************** include_command : INCLUDE_COMMAND { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Error: import of 'include' commands is not supported.")); consumeUntil(NEWLINE); } ; //**************************************************************** macro_definition : WORD EQUAL { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); consumeUntil(NEWLINE); } ; //**************************************************************** antispoof_rule : ANTISPOOF { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Warning: import of 'antispoof' commands has not been implemented yet.")); consumeUntil(NEWLINE); } ; //**************************************************************** altq_rule : ALTQ { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->error_tracker->registerError( QString("import of 'altq' commands is not supported.")); consumeUntil(NEWLINE); } ; //**************************************************************** queue_rule : QUEUE { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); 
importer->error_tracker->registerError( QString("import of 'queue' commands is not supported.")); consumeUntil(NEWLINE); } ; //**************************************************************** set_rule : SET { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); } ( set_timeout | set_ruleset_optimization | set_optimization | set_limit | set_loginterface | set_block_policy | set_state_policy | set_state_defaults | set_require_order | set_fingerprints | set_skip | set_debug | set_reassemble | set_hostid ) ; set_timeout : TIMEOUT ( timeout_def | timeout_def_list ) ; set_ruleset_optimization : "ruleset-optimization" { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Error: import of 'set ruleset-optimization' commands is not supported.")); consumeUntil(NEWLINE); } ; set_optimization : "optimization" ( "aggressive" | "conservative" | "high-latency" | "normal" | "satellite" ) { importer->set_optimization = LT(0)->getText(); } ; set_limit : "limit" ( limit_def | limit_def_list ) ; set_loginterface : "loginterface" { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Error: import of 'set loginterface' commands is not supported.")); consumeUntil(NEWLINE); } ; set_block_policy : "block-policy" (DROP | RETURN) { importer->set_block_policy = LT(0)->getText(); } ; set_state_policy : "state-policy" ("if-bound" | "floating") { importer->set_state_policy = LT(0)->getText(); } ; set_state_defaults : "state-defaults" { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Error: import of 'set state-defaults' commands is not supported.")); consumeUntil(NEWLINE); } ; set_require_order : "require-order" { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Error: import of 'set require-order' commands is not supported.")); consumeUntil(NEWLINE); } ; 
set_fingerprints : "fingerprints" { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Error: import of 'set fingerprints' commands is not supported.")); consumeUntil(NEWLINE); } ; set_skip : "skip" ON skip_def ; skip_def : WORD { importer->set_skip_on.push_back(LT(0)->getText()); } | skip_list ; skip_list : OPENING_BRACE WORD { importer->set_skip_on.push_back(LT(0)->getText()); } ( ( COMMA )* WORD { importer->set_skip_on.push_back(LT(0)->getText()); } )* CLOSING_BRACE ; set_debug : "debug" WORD { importer->set_debug = LT(0)->getText(); } ; set_reassemble : "reassemble" { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Error: import of 'set reassemble' commands is not supported.")); consumeUntil(NEWLINE); } ; set_hostid : "hostid" { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addMessageToLog( QString("Error: import of 'set hostid' commands is not supported.")); consumeUntil(NEWLINE); } ; /* timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | "tcp.closing" | "tcp.finwait" | "tcp.closed" | "udp.first" | "udp.single" | "udp.multiple" | "icmp.first" | "icmp.error" | "other.first" | "other.single" | "other.multiple" | "frag" | "interval" | "src.track" | "adaptive.start" | "adaptive.end" ) number */ timeout_def { std::string timeout_name, timeout_value; } : ( "tcp.first" | "tcp.opening" | "tcp.established" | "tcp.closing" | "tcp.finwait" | "tcp.closed" | "udp.first" | "udp.single" | "udp.multiple" | "icmp.first" | "icmp.error" | "other.first" | "other.single" | "other.multiple" | "frag" | "interval" | "src.track" | "adaptive.start" | "adaptive.end" ) { timeout_name = LT(0)->getText(); } INT_CONST { timeout_value = LT(0)->getText(); importer->timeouts.push_back( std::pair(timeout_name, timeout_value)); } ; timeout_def_list : OPENING_BRACE timeout_def ( ( COMMA )? 
timeout_def )* CLOSING_BRACE ; limit_def { std::string limit_name, limit_value; } : ( "frags" | "states" | "src-nodes" | "tables" | "tables-entries" ) { limit_name = LT(0)->getText(); } INT_CONST { limit_value = LT(0)->getText(); importer->limits.push_back( std::pair(limit_name, limit_value)); } ; limit_def_list : OPENING_BRACE limit_def ( ( COMMA )? limit_def )* CLOSING_BRACE ; //**************************************************************** scrub_rule : SCRUB { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "scrub"; *dbg << LT(1)->getLine() << ":" << " scrub "; } rule_extended // do not call pushRule() for scrub rules because we configure // scrub parameters as firewall options NEWLINE ; //**************************************************************** match_rule : MATCH { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "match"; *dbg << LT(1)->getLine() << ":" << " match "; } rule_extended { if ( ! importer->scrub_rule) importer->pushRule(); } NEWLINE ; //**************************************************************** table_rule : TABLE { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); } LESS_THAN name:WORD GREATER_THAN ( PERSIST ) ? ( CONST_WORD { importer->addMessageToLog( QString("Warning: attribute \"const\" will be dropped from table configuration since this attribute is not supported at this time")); } ) ? ( COUNTERS { importer->addMessageToLog( QString("Warning: attribute \"counters\" will be dropped from table configuration since this attribute is not supported at this time")); } )? ( FILE file:STRING { importer->newAddressTableObject( name->getText(), file->getText()); } | OPENING_BRACE tableaddr_spec ( ( COMMA )? 
tableaddr_spec )* CLOSING_BRACE { importer->newAddressTableObject( name->getText(), importer->tmp_group); } | NEWLINE { // Special case: table definition without file name or list of addresses. // Create run-time AddressTable object with name but no file spec. importer->newAddressTableObject(name->getText(), ""); } ) ; tableaddr_spec { AddressSpec as; } : ( EXLAMATION { as.neg = true; } )? ( WORD { // interface name or domain/host name as.at = AddressSpec::INTERFACE_OR_HOST_NAME; as.address = LT(0)->getText(); } ( COLON ( NETWORK { as.at = AddressSpec::INTERFACE_NETWORK; } | BROADCAST { as.at = AddressSpec::INTERFACE_BROADCAST; } | PEER { importer->error_tracker->registerError( QString("import of 'interface:peer' is not supported.")); } | INT_CONST { importer->error_tracker->registerError( QString("import of 'interface:0' is not supported.")); } ) )? | SELF { as.at = AddressSpec::SPECIAL_ADDRESS; as.address = "self"; } | // match NUMBER and INT_CONST to account for 10/8, 172.16/12 cases. ( IPV4 | NUMBER | INT_CONST ) { as.at = AddressSpec::HOST_ADDRESS; as.address = LT(0)->getText(); } ( SLASH { as.at = AddressSpec::NETWORK_ADDRESS; } ( IPV4 | INT_CONST ) { as.netmask = LT(0)->getText(); } )? ) { importer->tmp_group.push_back(as); } ; //**************************************************************** no_nat_rule : NO { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newNATRule(); importer->action = "nonat"; *dbg << LT(1)->getLine() << ":" << " nonat "; } ( nat_rule | rdr_rule ) ; //**************************************************************** nat_rule : NAT { if ( importer->action != "nonat" ) { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newNATRule(); importer->action = "nat"; *dbg << LT(1)->getLine() << ":" << " nat "; } } ( PASS { importer->error_tracker->registerError( QString("import of 'nat pass' commands is not supported.")); } ( logging )? )? ( intrface )? ( address_family )? 
( protospec )? hosts ( tagged )? ( tag_clause { importer->error_tracker->registerError( QString("import of 'nat ... tag' commands is not supported.")); } )? ( MINUS GREATER_THAN ( redirhost | redirhost_list ) { importer->nat_group = importer->tmp_group; } ( portspec { importer->nat_port_group = importer->tmp_port_group; } )? ( pooltype )? ( STATIC_PORT { importer->nat_rule_opt_2 = "static-port"; } )? )? { importer->pushRule(); } NEWLINE ; //**************************************************************** rdr_rule : RDR { if ( importer->action != "nonat" ) { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newNATRule(); importer->action = "rdr"; *dbg << LT(1)->getLine() << ":" << " rdr "; } } ( PASS { importer->error_tracker->registerError( QString("import of 'nat pass' commands is not supported.")); } ( logging )? )? ( intrface )? ( address_family )? ( protospec )? hosts ( tagged )? ( tag_clause { importer->error_tracker->registerError( QString("import of 'nat ... tag' commands is not supported.")); } )? ( MINUS GREATER_THAN ( redirhost | redirhost_list ) { importer->nat_group = importer->tmp_group; } ( portspec { importer->nat_port_group = importer->tmp_port_group; } )? ( pooltype )? )? { importer->pushRule(); } NEWLINE ; // redirhost = address [ "/" mask-bits ] // address = ( interface-name | interface-group | // "(" ( interface-name | interface-group ) ")" | // hostname | ipv4-dotted-quad | ipv6-coloned-hex ) // redirhost { AddressSpec as; } : ( IPV4 { as.at = AddressSpec::HOST_ADDRESS; as.address = LT(0)->getText(); } ( SLASH { as.at = AddressSpec::NETWORK_ADDRESS; } ( IPV4 | INT_CONST ) { as.netmask = LT(0)->getText(); } )? 
| OPENING_PAREN WORD { // interface name or domain/host name as.at = AddressSpec::INTERFACE_OR_HOST_NAME; as.address = LT(0)->getText(); } CLOSING_PAREN | WORD { // interface name or domain/host name as.at = AddressSpec::INTERFACE_OR_HOST_NAME; as.address = LT(0)->getText(); } ) { importer->tmp_group.push_back(as); } ; redirhost_list : OPENING_BRACE redirhost ( ( COMMA )? redirhost )* CLOSING_BRACE ; // portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] // // // rdr The packet is redirected to another destination and possibly a dif- // ferent port. rdr rules can optionally specify port ranges instead // of single ports. rdr ... port 2000:2999 -> ... port 4000 redirects // ports 2000 to 2999 (inclusive) to port 4000. rdr ... port // 2000:2999 -> ... port 4000:* redirects port 2000 to 4000, 2001 to // 4001, ..., 2999 to 4999. // portspec { PortSpec ps; } : PORT ( port_def { ps.port1 = importer->tmp_port_def; ps.port2 = ps.port1; ps.port_op = "="; } | // lexer matches port range (1000:1010) as IPv6, see rule // NUMBER_ADDRESS_OR_WORD. Combination "1000:*" comes as IPV6 STAR IPV6 { ps.setFromPortRange(LT(0)->getText()); } ( STAR { ps.port2 = "65535"; } )? ) { importer->tmp_port_group.push_back(ps); } ; // pooltype = ( "bitmask" | "random" | // "source-hash" [ ( hex-key | string-key ) ] | // "round-robin" ) [ sticky-address ] // // Note that as of v4.2 we can not generate optinal parameters for the // "source-hash" pooltype. "sticky-address" is not supported either. // pooltype : ( BITMASK { importer->pooltype_opt = "bitmask"; } | RANDOM { importer->pooltype_opt = "random"; } | SOURCE_HASH { importer->pooltype_opt = "source-hash"; } ( HEX_KEY { importer->error_tracker->registerError( QString("import of commands with pool type 'source-hash hex-key' " "option is not supported")); } | STRING_KEY { importer->error_tracker->registerError( QString("import of commands with pool type 'source-hash string-key' " "option is not supported")); } )? 
| ROUND_ROBIN { importer->pooltype_opt = "round-robin"; } ) ( STICKY_ADDRESS )? ; //**************************************************************** binat_rule : BINAT { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->error_tracker->registerError( QString("import of 'binat' commands is not supported.")); consumeUntil(NEWLINE); } ; //**************************************************************** //unknown_rule : WORD // { // importer->clear(); // importer->setCurrentLineNumber(LT(0)->getLine()); // consumeUntil(NEWLINE); // } // ; //**************************************************************** pass_rule : PASS { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "pass"; *dbg << LT(1)->getLine() << ":" << " pass "; } rule_extended { importer->pushRule(); } NEWLINE ; block_rule : BLOCK { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newPolicyRule(); importer->action = "block"; *dbg << LT(1)->getLine() << ":" << " block "; } ( block_return )? rule_extended { importer->pushRule(); } NEWLINE ; block_return : ( DROP { importer->block_action_params.push_back("drop"); } | RETURN { importer->block_action_params.push_back("return"); } | RETURN_RST { importer->block_action_params.push_back("return-rst"); } ( TTL INT_CONST { importer->error_tracker->registerError( QString("Import of \"block return-rst ttl number\" is not supported. ")); } )? | RETURN_ICMP { importer->block_action_params.push_back("return-icmp"); } ( OPENING_PAREN ( icmp_code_by_name | INT_CONST ) { importer->block_action_params.push_back(LT(0)->getText()); } ( COMMA ( icmp_code_by_name | INT_CONST ) { importer->error_tracker->registerError( QString("Import of \"block return-icmp (icmp_code, icmp6_code)\" is not supported")); } )? CLOSING_PAREN )? 
| RETURN_ICMP6 { importer->error_tracker->registerError( QString("Import of \"block return-icmp6\" is not supported")); importer->block_action_params.push_back("return-icmp"); } ) ; rule_extended : ( direction )? ( quick_or_log )? ( intrface )? ( route )? ( address_family )? ( protospec )? ( hosts )? ( filteropts )? ( route )? ; direction : ( IN_WORD | OUT_WORD ) { importer->direction = LT(0)->getText(); } ; // looks like both "block log quick" and "block quick log" are legitimate quick_or_log : ( LOG (logopts)? { importer->logging = true; } ( QUICK { importer->quick = true; } )? | QUICK { importer->quick = true; } ( LOG (logopts)? { importer->logging = true; } )? ) ; logging : LOG (logopts)? { importer->logging = true; } ; logopts : OPENING_PAREN logopt ( COMMA { importer->logopts += ","; } logopt )* CLOSING_PAREN ; logopt : ALL | USER | TO WORD { importer->logopts += LT(0)->getText(); } ; intrface : ON ( ifspec | interface_list ) ; ifspec { InterfaceSpec is; } : ( EXLAMATION { is.neg = true; } )? WORD { is.name = LT(0)->getText(); importer->iface_group.push_back(is); importer->newInterface(is.name); } ; interface_list : OPENING_BRACE ifspec ( ( COMMA )? ifspec )* CLOSING_BRACE ; address_family : INET | INET6 { importer->address_family = LT(0)->getText(); } ; protospec : PROTO proto_def ; proto_def : ( proto_name | proto_number | proto_list ) ; proto_name : (IP | ICMP | IGMP | TCP | UDP | RDP | RSVP | GRE | ESP_WORD | AH | EIGRP | OSPF | IPIP | VRRP | L2TP | ISIS ) { importer->proto_list.push_back(LT(0)->getText()); } ; proto_number : INT_CONST { importer->proto_list.push_back(LT(0)->getText()); } ; proto_list : OPENING_BRACE proto_def ( ( COMMA )? proto_def )* CLOSING_BRACE ; hosts : ALL { importer->src_group.push_back( AddressSpec(AddressSpec::ANY, false, "0.0.0.0", "0.0.0.0")); importer->dst_group.push_back( AddressSpec(AddressSpec::ANY, false, "0.0.0.0", "0.0.0.0")); } | ( hosts_from )? ( hosts_to )? ; hosts_from : FROM src_hosts_part ( src_port_part )? 
; hosts_to : TO dst_hosts_part ( dst_port_part )? ; src_hosts_part : ( common_hosts_part | URPF_FAILED { importer->tmp_group.push_back( AddressSpec(AddressSpec::SPECIAL_ADDRESS, false, "urpf-failed", "")); } ) { importer->src_neg = importer->tmp_neg; importer->src_group.splice(importer->src_group.begin(), importer->tmp_group); } ; dst_hosts_part : common_hosts_part { importer->dst_neg = importer->tmp_neg; importer->dst_group.splice(importer->dst_group.begin(), importer->tmp_group); } ; common_hosts_part : ANY { importer->tmp_group.push_back( AddressSpec(AddressSpec::ANY, false, "0.0.0.0", "0.0.0.0")); } | NO_ROUTE { importer->tmp_group.push_back( AddressSpec(AddressSpec::SPECIAL_ADDRESS, false, "no-route", "")); } | host | host_list ; host { AddressSpec as; } : ( EXLAMATION { as.neg = true; } )? ( ( WORD | MACRO ) { // interface name or domain/host name as.at = AddressSpec::INTERFACE_OR_HOST_NAME; as.address = LT(0)->getText(); } ( COLON ( NETWORK { as.at = AddressSpec::INTERFACE_NETWORK; } | BROADCAST { as.at = AddressSpec::INTERFACE_BROADCAST; } | PEER { importer->error_tracker->registerError( QString("import of 'interface:peer' is not supported.")); } | INT_CONST { importer->error_tracker->registerError( QString("import of 'interface:0' is not supported.")); } ) )? | SELF { as.at = AddressSpec::SPECIAL_ADDRESS; as.address = "self"; } | IPV6 { importer->error_tracker->registerError( QString("IPv6 import is not supported. ")); consumeUntil(NEWLINE); } | IPV4 { as.at = AddressSpec::HOST_ADDRESS; as.address = LT(0)->getText(); } ( SLASH { as.at = AddressSpec::NETWORK_ADDRESS; } ( IPV4 | INT_CONST ) { as.netmask = LT(0)->getText(); } )? | LESS_THAN tn:WORD GREATER_THAN { as.at = AddressSpec::TABLE; as.address = tn->getText(); } | OPENING_PAREN in:WORD CLOSING_PAREN { // interface name or domain/host name as.at = AddressSpec::INTERFACE_OR_HOST_NAME; as.address = in->getText(); } ) { importer->tmp_group.push_back(as); } ; host_list : OPENING_BRACE host ( ( COMMA )? 
host )* CLOSING_BRACE ; // ************************************************************************ route : route_to | reply_to | dup_to ; route_to : ROUTE_TO ( routehost | routehost_list ) ( pooltype )? { importer->route_type = PFImporter::ROUTE_TO; } ; reply_to : REPLY_TO ( routehost | routehost_list ) ( pooltype )? { importer->route_type = PFImporter::REPLY_TO; } ; dup_to : DUP_TO ( routehost | routehost_list ) ( pooltype )? { importer->route_type = PFImporter::DUP_TO; } ; routehost { RouteSpec rs; } : OPENING_PAREN WORD { rs.iface = LT(0)->getText(); } (h:IPV4 | v6:IPV6) (SLASH (nm:IPV4 | nm6:INT_CONST))? { if (v6) { importer->error_tracker->registerError( QString("IPv6 import is not supported. ")); consumeUntil(NEWLINE); } else { if (h) rs.address = h->getText(); if (nm) rs.netmask = nm->getText(); importer->route_group.push_back(rs); } } CLOSING_PAREN ; routehost_list : OPENING_BRACE routehost ( ( COMMA )? routehost )* CLOSING_BRACE ; // ************************************************************************ filteropts : filteropt ( ( COMMA )? filteropt )* ; filteropt : user_match | group_match | tcp_flags | icmp_type | icmp6_type | tagged | tag_clause | state | queue | label | match_rule_scrub_options | scrub_options ; //************************************************************************ user_match : USER ( user_group_op | user_group_op_list ) { importer->addMessageToLog( QString("Error: import of 'user' match is not supported.")); } ; group_match : GROUP ( user_group_op | user_group_op_list ) { importer->addMessageToLog( QString("Error: import of 'group' match is not supported.")); } ; user_group_op : ( unary_op ( WORD | INT_CONST ) | ( WORD | INT_CONST ) ( binary_op ( WORD | INT_CONST ) )? ) ; user_group_op_list : OPENING_BRACE user_group_op ( ( COMMA )? 
user_group_op )* CLOSING_BRACE ; //************************************************************************ match_rule_scrub_options : SCRUB scrub_options ; scrub_options : ( scrub_option | scrub_option_list ) ; scrub_option_list : OPENING_PAREN scrub_option ( ( COMMA )? scrub_option )* CLOSING_PAREN ; scrub_option : ( "fragment" ( "reassemble" | "crop" | "drop-ovl" ) { importer->scrub_options.push_back( str_tuple("fragment", LT(0)->getText())); importer->scrub_rule = true; } | "reassemble" TCP { importer->scrub_options.push_back( str_tuple("reassemble", "tcp")); importer->scrub_rule = true; } | "no-df" { importer->scrub_options.push_back( str_tuple(LT(0)->getText(), "")); importer->scrub_rule = true; } | "min-ttl" INT_CONST { importer->scrub_options.push_back( str_tuple("min-ttl", LT(0)->getText())); importer->scrub_rule = true; } | "max-mss" INT_CONST { importer->scrub_options.push_back( str_tuple("max-mss", LT(0)->getText())); importer->scrub_rule = true; } | "random-id" { importer->scrub_options.push_back( str_tuple(LT(0)->getText(), "")); importer->scrub_rule = true; } ) ; tcp_flags : FLAGS ( ANY { importer->flags_check = "none"; importer->flags_mask = "none"; } | ( check:WORD )? SLASH ( mask:WORD )? { if (check) importer->flags_check = check->getText(); else importer->flags_check = "any"; if (mask) importer->flags_mask = mask->getText(); else importer->flags_mask = "all"; } ) ; icmp_type : ICMP_TYPE ( icmp_type_code | icmp_list ) ; icmp_type_code { IcmpSpec is; } : ( icmp_type_by_name { is.icmp_type_name = LT(0)->getText(); } | INT_CONST { is.icmp_type_int = LT(0)->getText(); } ) ( ICMP_CODE ( icmp_code_by_name { is.icmp_code_name = LT(0)->getText(); } | INT_CONST { is.icmp_code_int = LT(0)->getText(); } ) )? 
{ importer->icmp_type_code_group.push_back(is); } ; icmp_type_by_name : ( "echorep" | "unreach" | "squench" | "redir" | "althost" | "echoreq" | "routeradv" | "routersol" | "timex" | "paramprob" | "timereq" | "timerep" | "inforeq" | "inforep" | "maskreq" | "maskrep" | "trace" | "dataconv" | "mobredir" | "ipv6-where" | "ipv6-here" | "mobregreq" | "mobregrep" | "skip" | "photuris" ) ; icmp_code_by_name : ( "net-unr" | "host-unr" | "proto-unr" | "port-unr" | "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" | "net-prohib" | "host-prohib" | "net-tos" | "host-tos" | "filter-prohib" | "host-preced" | "cutoff-preced" | "redir-net" | "redir-host" | "redir-tos-net" | "redir-tos-host" | "normal-adv" | "common-adv" | "transit" | "reassemb" | "badhead" | "optmiss" | "badlen" | "unknown-ind" | "auth-fail" | "decrypt-fail" ) ; icmp_list : OPENING_BRACE icmp_type_code ( ( COMMA )? icmp_type_code )* CLOSING_BRACE ; icmp6_type : ICMP6_TYPE { importer->error_tracker->registerError( QString("ICMP6 import is not supported. ")); consumeUntil(NEWLINE); } ; tagged : ( EXLAMATION { importer->tagged_neg = true; } )? 
TAGGED WORD { importer->tagged = LT(0)->getText(); } ; tag_clause : TAG WORD { importer->tag = LT(0)->getText(); } ; state : ( NO | KEEP | MODULATE | SYNPROXY ) { importer->state_op = LT(0)->getText(); } STATE ; queue : QUEUE ( WORD { importer->queue += LT(0)->getText(); } | OPENING_PAREN WORD { importer->queue += LT(0)->getText(); } ( COMMA { importer->queue += ","; } WORD { importer->queue += LT(0)->getText(); } )* CLOSING_PAREN ) ; label : LABEL STRING ; //**************************************************************** src_port_part : PORT ( port_op | port_op_list ) { importer->src_port_group.splice(importer->src_port_group.begin(), importer->tmp_port_group); } ; dst_port_part : PORT ( port_op | port_op_list ) { importer->dst_port_group.splice(importer->dst_port_group.begin(), importer->tmp_port_group); } ; unary_op : ( EQUAL { importer->tmp_port_op = "="; } | EXLAMATION EQUAL { importer->tmp_port_op = "!="; } | LESS_THAN { importer->tmp_port_op = "<"; } | LESS_THAN EQUAL { importer->tmp_port_op = "<="; } | GREATER_THAN { importer->tmp_port_op = ">"; } | GREATER_THAN EQUAL { importer->tmp_port_op = ">="; } ) ; binary_op : ( LESS_THAN GREATER_THAN { importer->tmp_port_op = "<>"; } | GREATER_THAN LESS_THAN { importer->tmp_port_op = "><"; } | COLON { importer->tmp_port_op = ":"; } ) ; // lexer matches port range (1000:1010) as IPv6, see rule // NUMBER_ADDRESS_OR_WORD port_op { PortSpec ps; } : ( unary_op { ps.port_op = importer->tmp_port_op; } port_def { ps.port1 = importer->tmp_port_def; ps.port2 = importer->tmp_port_def; } | port_def { ps.port1 = importer->tmp_port_def; ps.port2 = ps.port1; ps.port_op = "="; } ( binary_op { ps.port_op = importer->tmp_port_op; } port_def { ps.port2 = LT(0)->getText(); } )? | IPV6 { ps.setFromPortRange(LT(0)->getText()); } ) { importer->tmp_port_group.push_back(ps); } ; port_def : ( WORD | INT_CONST ) { importer->tmp_port_def = LT(0)->getText(); } ; port_op_list : OPENING_BRACE port_op ( ( COMMA )? 
port_op )* CLOSING_BRACE ; //**************************************************************** class PFCfgLexer extends Lexer; options { k = 3; // ASCII only charVocabulary = '\3'..'\377'; } tokens { INCLUDE_COMMAND = "include"; EXIT = "exit"; QUIT = "quit"; NO = "no"; INTRFACE = "interface"; PASS = "pass"; BLOCK = "block"; MATCH = "match"; QUICK = "quick"; IN_WORD = "in"; OUT_WORD = "out"; ON = "on"; PROTO = "proto"; FROM = "from"; TO = "to"; INET = "inet"; INET6 = "inet6"; // protocols IP = "ip"; ICMP = "icmp"; ICMP6 = "icmp6"; TCP = "tcp"; UDP = "udp"; AH = "ah"; EIGRP = "eigrp"; ESP_WORD = "esp"; GRE = "gre"; IGMP = "igmp"; IGRP = "igrp"; IPIP = "ipip"; IPSEC = "ipsec"; NOS = "nos"; OSPF = "ospf"; PCP = "pcp"; PIM = "pim"; PPTP = "pptp"; RIP = "rip"; SNP = "snp"; RDP = "rdp"; RSVP = "rsvp"; VRRP = "vrrp"; L2TP = "l2tp"; ISIS = "isis"; HOST = "host"; ANY = "any"; ALL = "all"; USER = "user"; GROUP = "group"; NETWORK = "network"; BROADCAST = "broadcast"; PEER = "peer"; PORT = "port"; RANGE = "range"; LOG = "log"; NO_ROUTE = "no-route"; SELF = "self"; URPF_FAILED = "urpf-failed"; LOG_LEVEL_ALERTS = "alerts"; LOG_LEVEL_CRITICAL = "critical"; LOG_LEVEL_DEBUGGING = "debugging"; LOG_LEVEL_EMERGENCIES = "emergencies"; LOG_LEVEL_ERRORS = "errors"; LOG_LEVEL_INFORMATIONAL = "informational"; LOG_LEVEL_NOTIFICATIONS = "notifications"; LOG_LEVEL_WARNINGS = "warnings"; LOG_LEVEL_DISABLE = "disable"; LOG_LEVEL_INACTIVE = "inactive"; TIMEOUT = "timeout"; ALTQ = "altq"; ANTISPOOF = "antispoof"; SET = "set"; SCRUB = "scrub"; NAT = "nat"; RDR = "rdr"; BINAT = "binat"; TABLE = "table"; CONST_WORD = "const"; PERSIST = "persist"; COUNTERS = "counters"; FILE = "file"; QUEUE = "queue"; LABEL = "label"; ROUTE_TO = "route-to"; REPLY_TO = "reply-to"; DUP_TO = "dup-to"; DROP = "drop"; RETURN = "return"; RETURN_RST = "return-rst"; RETURN_ICMP = "return-icmp"; TAG = "tag"; TAGGED = "tagged"; STATE = "state"; KEEP = "keep"; MODULATE = "modulate"; SYNPROXY = "synproxy"; FLAGS = "flags"; 
ICMP_TYPE = "icmp-type"; ICMP6_TYPE = "icmp6-type"; ICMP_CODE = "code"; BITMASK = "bitmask"; RANDOM = "random"; SOURCE_HASH = "source-hash"; HEX_KEY = "hex-key"; STRING_KEY = "string-key"; ROUND_ROBIN = "round-robin"; STICKY_ADDRESS = "sticky-address"; STATIC_PORT = "static-port"; } // LINE_COMMENT : "#" (~('\r' | '\n'))* NEWLINE ; Whitespace : ( '\003'..'\010' | '\t' | '\013' | '\f' | '\016'.. '\037' | '\177'..'\377' | ' ' ) { $setType(ANTLR_USE_NAMESPACE(antlr)Token::SKIP); } ; COMMENT_START : '#' ; NEWLINE : ( "\r\n" | '\r' | '\n' ) { newline(); } ; protected INT_CONST:; protected HEX_CONST:; protected NUMBER:; protected NEG_INT_CONST:; protected COLON : ; protected HEX_DIGIT : ( '0'..'9' | 'a'..'f' | 'A'..'F') ; protected DIGIT : '0'..'9' ; protected NUM_3DIGIT: ('0'..'9') (('0'..'9') ('0'..'9')?)? ; protected NUM_HEX_4DIGIT: HEX_DIGIT ((HEX_DIGIT) ((HEX_DIGIT) (HEX_DIGIT)?)?)? ; // Unfortunately IPV6 rule below matches "1000:1010" or "1024:65535" // as IPV6. This is not a valid IPv6 address and it creates problems // with port ranges // NUMBER_ADDRESS_OR_WORD options { testLiterals = true; } : ( ( HEX_DIGIT )+ ':' ) => ( ( ( HEX_DIGIT )+ ( ':' ( HEX_DIGIT )* )+ ) { $setType(IPV6); } ) | ( ':' ) => ( (':' ':' ( HEX_DIGIT )+ ) => (':' ':' ( HEX_DIGIT )+ (':' ( HEX_DIGIT )+)*) {$setType(IPV6);} | (':' ':' ) { $setType(IPV6); } | ':' { $setType(COLON); } ) | ( NUM_3DIGIT '.' NUM_3DIGIT '.' ) => (NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT '.' NUM_3DIGIT) { $setType(IPV4); } | ( (DIGIT)+ '.' (DIGIT)+ )=> ( (DIGIT)+ '.' (DIGIT)+ ) { $setType(NUMBER); } | ( DIGIT )+ { $setType(INT_CONST); } // Making sure ',' '(' ')' '=' '<' '>' '+' are not part of WORD. // Double quote " should be included, without it STRING does not match | ( 'a'..'z' | 'A'..'Z' ) ( '"' | '$' | '%' | '&' | '-' | '.' | '0'..'9' | ';' | '?' 
| '@' | 'A'..'Z' | '\\' | '^' | '_' | '`' | 'a'..'z' )* { $setType(WORD); } | ( '$' ) => ( '$' ( 'a'..'z' | 'A'..'Z' ) ( 'a'..'z' | 'A'..'Z' | '0'..'9' | '_' )* { $setType(MACRO); } | '$' ) ; STRING : '"' (~'"')* '"'; PIPE_CHAR : '|'; // DOLLAR : '$' ; PERCENT : '%' ; AMPERSAND : '&' ; APOSTROPHE : '\'' ; STAR : '*' ; PLUS : '+' ; COMMA : ',' ; MINUS : '-' ; DOT : '.' ; SLASH : '/' ; // COLON : ':' ; SEMICOLON : ';' ; EQUAL : '='; QUESTION : '?' ; COMMERCIAL_AT : '@' ; OPENING_PAREN : '(' ; CLOSING_PAREN : ')' ; OPENING_SQUARE : '[' ; CLOSING_SQUARE : ']' ; OPENING_BRACE : '{' ; CLOSING_BRACE : '}' ; CARET : '^' ; UNDERLINE : '_' ; TILDE : '~' ; EXLAMATION : '!'; LESS_THAN : '<' ; GREATER_THAN : '>' ; DOUBLE_QUOTE : '"'; fwbuilder-5.3.7/src/parsers/pix.g000066400000000000000000002204651303637203600167430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ header "pre_include_hpp" { // gets inserted before antlr generated includes in the header // file #include "PIXImporter.h" } header "post_include_hpp" { // gets inserted after antlr generated includes in the header file // outside any generated namespace specifications #include class PIXImporter; } header "pre_include_cpp" { // gets inserted before the antlr generated includes in the cpp // file } header "post_include_cpp" { // gets inserted after the antlr generated includes in the cpp // file #include #include } header { // gets inserted after generated namespace specifications in the // header file. But outside the generated class. } options { language="Cpp"; } class PIXCfgParser extends Parser; options { k = 2; // when default error handler is disabled, parser errors cause // exception and terminate parsing process. We can catch the exception // and make the error appear in importer log, but import process // terminates which is not always optimal // // defaultErrorHandler = false; // see http://www.antlr2.org/doc/options.html } { // additional methods and members public: std::ostream *dbg; PIXImporter *importer; /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { importer->addMessageToLog("Parser error: " + ex.toString()); std::cerr << ex.toString() << std::endl; } /// Parser error-reporting function can be overridden in subclass virtual void reportError(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser error: " + s); std::cerr << s << std::endl; } /// Parser warning-reporting function can be overridden in subclass virtual void reportWarning(const ANTLR_USE_NAMESPACE(std)string& s) { importer->addMessageToLog("Parser warning: " + s); std::cerr << s << std::endl; } } cfgfile : ( comment | 
version | hostname | community_list_command | unknown_ip_command | intrface | nameif_top_level | intf_address | controller | access_list_commands | ssh_command | telnet_command | http_command | icmp_top_level_command | nat_top_level_command | global_top_level_command | static_top_level_command | access_group | exit | certificate | quit | names_section | name_entry | named_object_network | named_object_service | object_group_network | object_group_service | object_group_protocol | object_group_icmp_8_0 | object_group_icmp_8_3 | crypto | no_commands | timeout_command | dns_command | service_top_level_command | pim_top_level_command | network_top_level_command | unknown_command | NEWLINE )+ ; //**************************************************************** quit : QUIT { consumeUntil(NEWLINE); } ; //**************************************************************** community_list_command : IP COMMUNITY_LIST { consumeUntil(NEWLINE); } ; //**************************************************************** timeout_command : TIMEOUT { consumeUntil(NEWLINE); } ; //**************************************************************** // need this because we have token PIM used in a different context pim_top_level_command : PIM { consumeUntil(NEWLINE); } ; //**************************************************************** // need this because we have token NETWORK used in a different context network_top_level_command : NETWORK { consumeUntil(NEWLINE); } ; //**************************************************************** // just skip this line since we pre-process names in PIXImporterRun.cpp names_section : NAMES ; name_entry : NAME ( name_entry_ipv4 | name_entry_ipv6 ) ; name_entry_ipv4 : IPV4 WORD ; name_entry_ipv6 : IPV6 WORD ; //**************************************************************** // // these are used in access-list and named object definitions // ip_protocol_names : ( AH | EIGRP | ESP_WORD | GRE | IGMP | IGRP | IP | IPINIP | IPSEC | NOS | OSPF | PCP | PIM | PPTP | 
SNP
    )
    ;

//****************************************************************
// "object network <name>" (the named-object syntax of newer ASA
// releases). The object is created on the header line; its address is
// committed by whichever of host_addr / range_addr / subnet_addr
// follows. A nested "nat" line is skipped with a warning, so NAT
// semantics attached to the object are not carried into the import.
named_object_network
    :
        OBJECT NETWORK name:WORD NEWLINE
        {
            importer->clear();
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newNamedObjectAddress(name->getText());
            *dbg << name->getLine() << ":"
                 << " Named Object " << name->getText() << std::endl;
        }
        (
            named_object_nat
        |
            named_object_description
        |
            named_object_network_parameters
        )*
    ;

// One address line inside "object network": host, range or subnet.
named_object_network_parameters
    :
        ( host_addr | range_addr | subnet_addr ) NEWLINE
    ;

// "nat ..." inside a named object. The line is matched by
// nat_top_level_command (defined elsewhere in this grammar) and the
// remainder discarded; the import log and the debug stream record it.
named_object_nat
    :
        nat_top_level_command
        {
            *dbg << "Named object with singleton nat command" << std::endl;
            importer->addMessageToLog(
                QString("Warning: "
                        "Import of named objects with \"nat\" command "
                        "is not supported at this time"));
            consumeUntil(NEWLINE);
        }
    ;

// "description ..." inside a named object. Every token up to the end
// of the line is copied verbatim (joined with single spaces) into the
// object's comment; nothing is escaped or length-limited here.
named_object_description
    :
        DESCRIPTION
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            *dbg << LT(1)->getLine() << ":";
            std::string descr;
            while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE &&
                   LA(1) != NEWLINE)
            {
                descr += LT(1)->getText() + " ";
                consume();
            }
            importer->setNamedObjectDescription(descr);
            *dbg << " DESCRIPTION " << descr << std::endl;
        }
        NEWLINE
    ;

// "host <addr>": a single host. single_addr fills tmp_a/tmp_nm; the
// commit happens here, unconditionally, after single_addr returns.
host_addr
    :
        HOST single_addr
        {
            importer->commitNamedAddressObject();
        }
    ;

// One address after "host". IPv4 is stored with a /32 netmask. IPv6 is
// NOT imported: a warning goes to the import log and the rest of the
// line is dropped, but host_addr still calls commitNamedAddressObject()
// with tmp_a/tmp_nm untouched -- what the importer makes of that is not
// visible here (TODO confirm). A named object whose address was dropped
// this way, if referenced from an ACL, will not reproduce what the
// device enforced; review every "IPv6 import is not supported" warning.
single_addr
    :
        (h:IPV4 | v6:IPV6)
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            if (h)
            {
                importer->tmp_a = h->getText();
                importer->tmp_nm = "255.255.255.255";
                *dbg << importer->tmp_a << " ";
            }
            if (v6)
            {
                importer->addMessageToLog(
                    QString("Warning: IPv6 import is not supported. "));
                consumeUntil(NEWLINE);
            }
        }
    ;

// "range <first> <last>": an IPv4 address range, committed directly.
range_addr
    :
        (RANGE r1:IPV4 r2:IPV4)
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->tmp_range_1 = r1->getText();
            importer->tmp_range_2 = r2->getText();
            importer->commitNamedAddressRangeObject();
            *dbg << r1->getText() << "/" << r2->getText();
        }
    ;

// "subnet <addr> <mask>" (IPv4) or "subnet <prefix>" (IPv6). The IPv4
// form is committed here; the IPv6 form is logged and dropped exactly
// as in single_addr.
subnet_addr
    :
        (SUBNET ((a:IPV4 nm:IPV4) | v6:IPV6))
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            if (a)
            {
                importer->tmp_a = a->getText();
                importer->tmp_nm = nm->getText();
                importer->commitNamedAddressObject();
                *dbg << a->getText() << "/" << nm->getText();
            }
            if (v6)
            {
                importer->addMessageToLog(
                    QString("Warning: IPv6 import is not supported. "));
                consumeUntil(NEWLINE);
            }
        }
    ;

//****************************************************************
// Unfortunately any keyword can be used as named object name
//
// "object service <name>": a named service object. The name may be a
// plain WORD or one of the keywords that are also legal names (http,
// ssh, telnet). The service definition follows on later lines.
named_object_service
    :
        OBJECT SERVICE
        {
            importer->clear();
            importer->setCurrentLineNumber(LT(0)->getLine());
        }
        (WORD | HTTP | SSH | TELNET)
        {
            importer->newNamedObjectService(LT(0)->getText());
            *dbg << " NAMED OBJECT " << LT(0)->getText() << std::endl;
        }
        NEWLINE
        (
            named_object_description
        |
            named_object_service_parameters
        )*
    ;

// One "service ..." line inside a named service object. service_unknown
// takes "service <bare word>" when the word is not a protocol token.
named_object_service_parameters
    :
        (
            service_icmp
        |
            service_icmp6
        |
            service_tcp_udp
        |
            service_other
        |
            service_unknown
        )
        NEWLINE
    ;

// "service icmp <type>": numeric type, or one of the ICMP names in
// icmp_names. (The icmp_type label is unused; LT(0) is read instead.)
service_icmp
    :
        SERVICE ICMP
        (
            icmp_type:INT_CONST
            {
                importer->icmp_type = LT(0)->getText();
            }
        |
            icmp_names
            {
                importer->icmp_spec = LT(0)->getText();
            }
        )
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->commitNamedICMPServiceObject();
            *dbg << "NAMED OBJECT SERVICE ICMP " << LT(0)->getText() << " ";
        }
    ;

// "service icmp6 ...": not imported; warning logged, line dropped.
service_icmp6
    :
        SERVICE ICMP6 (INT_CONST | WORD)
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->addMessageToLog(
                QString("Warning: "
                        "Import of IPv6 addresses and servcies "
                        "is not supported at this time"));
            *dbg << "NAMED OBJECT SERVICE ICMP6 " << LT(0)->getText() << " ";
            consumeUntil(NEWLINE);
        }
    ;

// "service {tcp|udp} [source <op>] [destination <op>]". Port operators
// are read by xoperator and moved into the src / dst slots by the two
// sub-rules; the object is committed once both are processed.
service_tcp_udp
    :
        SERVICE (TCP|UDP)
        {
            importer->protocol = LT(0)->getText();
            *dbg << "NAMED OBJECT SERVICE " << LT(0)->getText() << " ";
        }
        ( src_port_spec )?
        ( dst_port_spec )?
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->commitNamedTCPUDPServiceObject();
        }
    ;

// "source <op> <port...>"
src_port_spec
    :
        SOURCE xoperator
        {
            importer->SaveTmpPortToSrc();
        }
    ;

// "[destination] <op> <port...>": the keyword is optional on the
// device, so a bare operator after the protocol is the destination.
dst_port_spec
    :
        ( DESTINATION )? xoperator
        {
            importer->SaveTmpPortToDst();
        }
    ;

// "service <proto>": any other IP protocol, by number or by one of the
// names in ip_protocol_names.
service_other
    :
        SERVICE ( INT_CONST | ip_protocol_names)
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->protocol = LT(0)->getText();
            importer->commitNamedIPServiceObject();
            *dbg << "NAMED OBJECT SERVICE " << LT(0)->getText() << " ";
        }
    ;

// we should create a placeholder object even when its protocol is
// unknown because this object may be used in some object groups or
// acls later on. Add a note to the object comment to clarify there
// has been a parser error. Note that this is done because of the
// overall liberal policy of the importer that tries to import as much
// as possible even when some constructs are not recognized.
//
// SECURITY NOTE: the placeholder is committed with protocol "ip", i.e.
// it matches every IP protocol rather than the (unrecognised) service
// the device enforced. Wherever such an object ends up in a permit
// rule the imported policy is WIDER than the original. The warning text
// is written both into the object's comment and into the import log;
// every object carrying it must be checked and narrowed before the
// generated policy is deployed.
service_unknown
    :
        SERVICE WORD
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->protocol = "ip";
            importer->commitNamedIPServiceObject();
            std::string err = "Warning: Unknown service name " + LT(0)->getText();
            importer->setNamedObjectDescription(err);
            importer->addMessageToLog(err);
            *dbg << "UNKNOWN SERVICE " << LT(0)->getText() << " ";
        }
    ;

//****************************************************************
// "object-group network <name>": a network object group; members are
// added one line at a time by object_group_network_parameters.
object_group_network
    :
        OBJECT_GROUP NETWORK name:WORD NEWLINE
        {
            importer->clear();
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newObjectGroupNetwork(name->getText());
            *dbg << name->getLine() << ":"
                 << " Object Group " << name->getText() << std::endl;
        }
        ( object_group_network_parameters )*
    ;

// One member line of a network object group.
object_group_network_parameters
    :
        ( object_group_description | group_object | network_object ) NEWLINE
    ;

// "description ..." inside an object group; copied verbatim into the
// group's comment, as in named_object_description.
object_group_description
    :
        DESCRIPTION
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            *dbg << LT(1)->getLine() << ":";
            std::string descr;
            while (LA(1) !=
ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { descr += LT(1)->getText() + " "; consume(); } importer->setObjectGroupDescription(descr); *dbg << " DESCRIPTION " << descr << std::endl; } ; group_object : GROUP_OBJECT name:WORD { importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; } ; network_object : NETWORK_OBJECT { importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); } ( ( (a:IPV4 nm:IPV4) | v6:IPV6 ) { if (a) { importer->tmp_a = a->getText(); importer->tmp_nm = nm->getText(); importer->addNetworkToObjectGroup(); *dbg << a->getText() << "/" << nm->getText(); } if (v6) { importer->addMessageToLog( QString("Warning: IPv6 import is not supported. ")); consumeUntil(NEWLINE); } } | HOST ( h:IPV4 | hv6:IPV6) { if (h) { importer->tmp_a = h->getText(); importer->tmp_nm = "255.255.255.255"; importer->addNetworkToObjectGroup(); *dbg << h->getText() << "/255.255.255.255"; } if (hv6) { importer->addMessageToLog( QString("Warning: IPv6 import is not supported. 
")); consumeUntil(NEWLINE); } } | OBJECT name:WORD { importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; } ) ; //**************************************************************** object_group_protocol : OBJECT_GROUP PROTOCOL name:WORD NEWLINE { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupProtocol(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; } ( object_group_protocol_parameters )+ ; object_group_protocol_parameters : ( object_group_description | group_object | protocol_object ) NEWLINE ; protocol_object : PROTOCOL_OBJECT { importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); } ( ( INT_CONST | ICMP | TCP | UDP | ip_protocol_names) { importer->setCurrentLineNumber(LT(0)->getLine()); importer->protocol = LT(0)->getText(); importer->addIPServiceToObjectGroup(); *dbg << " GROUP MEMBER " << LT(0)->getText() << " "; } | ICMP6 { importer->addMessageToLog( QString("Warning: IPv6 import is not supported. 
")); consumeUntil(NEWLINE); } | OBJECT name:WORD { importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; } ) ; //**************************************************************** object_group_icmp_8_0 : OBJECT_GROUP ICMP_OBJECT name:WORD NEWLINE { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupICMP(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; } ( object_group_icmp_parameters )* ; object_group_icmp_8_3 : OBJECT_GROUP ICMP_TYPE name:WORD NEWLINE { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupICMP(name->getText()); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; } ( object_group_icmp_parameters )* ; object_group_icmp_parameters : ( object_group_description | group_object | icmp_object ) NEWLINE ; icmp_object : ICMP_OBJECT { importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); } ( ( icmp_type:INT_CONST { importer->icmp_type = LT(0)->getText(); } | icmp_names { importer->icmp_spec = LT(0)->getText(); } ) { importer->addICMPServiceToObjectGroup(); *dbg << " SERVICE ICMP " << LT(0)->getText() << " "; } | OBJECT name:WORD { importer->addNamedObjectToObjectGroup(name->getText()); *dbg << " GROUP MEMBER " << name->getLine() << std::endl; } ) ; //**************************************************************** object_group_service : OBJECT_GROUP SERVICE name:WORD ( tcp:TCP | udp:UDP | tcpudp:TCP_UDP )? 
NEWLINE { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->newObjectGroupService(name->getText()); if (tcp) importer->setObjectGroupServiceProtocol("tcp"); if (udp) importer->setObjectGroupServiceProtocol("udp"); if (tcpudp) importer->setObjectGroupServiceProtocol("tcp-udp"); *dbg << name->getLine() << ":" << " Object Group " << name->getText() << std::endl; } ( object_group_service_parameters )* ; object_group_service_parameters : ( object_group_description | group_object | service_object | port_object ) NEWLINE ; service_object : SERVICE_OBJECT { importer->clearTempVars(); importer->setCurrentLineNumber(LT(0)->getLine()); } ( ( INT_CONST | ip_protocol_names) { importer->setCurrentLineNumber(LT(0)->getLine()); importer->protocol = LT(0)->getText(); importer->addIPServiceToObjectGroup(); *dbg << " GROUP MEMBER " << LT(0)->getText() << " "; } | ( TCP | UDP | TCP_UDP ) { importer->protocol = LT(0)->getText(); *dbg << " SERVICE TCP/UDP" << LT(0)->getText() << " "; } ( src_port_spec )? ( dst_port_spec )? 
{ importer->addTCPUDPServiceToObjectGroup(); }
        |
            // "service-object icmp <type>": numeric type or named ICMP message.
            ICMP
            (
                icmp_type:INT_CONST
                {
                    importer->icmp_type = LT(0)->getText();
                }
            |
                icmp_names
                {
                    importer->icmp_spec = LT(0)->getText();
                }
            )
            {
                importer->addICMPServiceToObjectGroup();
                *dbg << " SERVICE ICMP " << LT(0)->getText() << " ";
            }
        |
            // "service-object object <name>": reference to a named object.
            OBJECT name:WORD
            {
                importer->addNamedObjectToObjectGroup(name->getText());
                *dbg << " GROUP MEMBER " << name->getLine() << std::endl;
            }
        )
    ;

// "port-object {eq|gt|lt|neq|range} ...": a port member of a service
// group. Only the port is read here; the protocol presumably comes from
// the group header (see object_group_service / setObjectGroupServiceProtocol)
// -- confirm in the importer. The port lands in the destination slot.
port_object
{
    importer->tmp_port_spec = "";
    importer->tmp_port_spec_2 = "";
}
    :
        PORT_OBJECT xoperator
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            *dbg << " PORT OBJECT TCP/UDP " << LT(0)->getText() << " " << std::endl;
            importer->SaveTmpPortToDst();
            importer->addTCPUDPServiceToObjectGroup();
            *dbg << std::endl;
        }
    ;

//****************************************************************
// Any line beginning with "crypto" is skipped, and silently so: there
// is no import-log message. VPN and certificate configuration is
// therefore not represented in the import at all.
crypto
    :
        CRYPTO
        {
            consumeUntil(NEWLINE);
        }
    ;

//****************************************************************
// "ip <word> ...": any "ip" command not matched by a more specific rule
// (intf_address, community_list_command) is skipped silently.
unknown_ip_command
    :
        IP WORD
        {
            consumeUntil(NEWLINE);
        }
    ;

//****************************************************************
// Catch-all for a line that starts with a token the grammar has no
// rule for. The line is discarded and -- unlike no_commands -- nothing
// is written even to the debug stream, let alone the import log.
// Anything security-relevant that this grammar does not model
// disappears without a trace, so compare the imported policy against
// the original configuration rather than relying on the log to list
// what was dropped.
unknown_command
    :
        WORD
        {
            consumeUntil(NEWLINE);
        }
    ;

//****************************************************************
// "dns ...": skipped silently.
dns_command
    :
        DNS
        {
            consumeUntil(NEWLINE);
        }
    ;

//****************************************************************
//
//asa5505(config)# service ?
//
// call-home Enable or disable Smart Call-Home
// internal Advanced settings (use only under Cisco supervision)
// password-recovery Password recovery configuration
// resetinbound Send reset to a denied inbound TCP packet
// resetoutbound Send reset to a denied outbound TCP packet
// resetoutside Send reset to a denied TCP packet to outside interface
//
// Top-level "service <keyword>" lines (as opposed to "service ..."
// inside a named object) are recognised and skipped. Note from the
// help text above that the reset* variants change how denied TCP
// traffic is answered (RST instead of a silent drop); that behaviour
// is not carried into the imported policy.
service_top_level_command
    :
        SERVICE
        (
            CALL_HOME
        |
            INTERNAL
        |
            PASSWORD_RECOVERY
        |
            RESETINBOUND
        |
            RESETOUTBOUND
        |
            RESETOUTSIDE
        )
        {
            consumeUntil(NEWLINE);
        }
    ;

//****************************************************************
// Any top-level line starting with "no" is dropped. Only the debug
// stream records it; nothing goes into the import log. Whatever was
// negated this way is simply absent from the import. ("no ..." lines
// inside an interface block are handled by interface_no_commands.)
no_commands
    :
        NO
        {
            *dbg << " TOP LEVEL \"NO\" COMMAND: " << LT(0)->getText() << std::endl;
            consumeUntil(NEWLINE);
        }
    ;

//****************************************************************
// "certificate <id>" followed by a certificate body and "quit"
// (typically the lines that follow a skipped "crypto ..." line). The
// body is skipped up to the "quit" keyword, which the quit rule then
// consumes. No certificate material is imported.
certificate
    :
        CERTIFICATE WORD
        {
            consumeUntil(NEWLINE);
            consumeUntil(QUIT);
        }
    ;

//****************************************************************
// "PIX Version x.y" / "ASA Version x.y" / "FWSM Version x.y": records
// the platform and software version found in the config. How the
// importer uses them is outside this grammar.
version
{
    std::string platform;
}
    :
        ( PIX_WORD | ASA_WORD | FWSM_WORD )
        {
            platform = LT(0)->getText();
        }
        VERSION_WORD_CAP NUMBER
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->setDiscoveredPlatform(platform);
            importer->setDiscoveredVersion(LT(0)->getText());
            *dbg << "VERSION " << LT(0)->getText() << std::endl;
            consumeUntil(NEWLINE);
        }
    ;

//****************************************************************
// "hostname <name>": matched but deliberately not applied; the host
// name comes from the import wizard instead.
hostname
    :
        HOSTNAME ( STRING | WORD )
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            // we get host name in the import wizard
            //importer->setHostName( LT(0)->getText() );
            *dbg << "HOSTNAME " << "LT0=" << LT(0)->getText() << std::endl;
        }
    ;

//****************************************************************
// "access-list <name> ...": one ACE. newUnidirRuleSet() is called for
// every line; presumably it returns the rule set already created for
// that name (TODO confirm in the importer). Rules are pushed in config
// order, which must be preserved -- the device applies ACEs first-match.
// A line that is only a remark or comment produces no rule.
access_list_commands
    :
        ACCESS_LIST name:WORD
        {
            importer->clear();
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newUnidirRuleSet(
                name->getText(), libfwbuilder::Policy::TYPENAME );
            *dbg << name->getLine() << ":"
                 << " ACL ext " << name->getText() << std::endl;
        }
        (
            permit_extended
        |
            deny_extended
        |
            permit_standard
        |
            deny_standard
        |
            comment
        |
            remark
        |
            NEWLINE
        )
        {
            *dbg << LT(0)->getLine() << ":"
                 << " ACL line end" << std::endl << std::endl;
        }
    ;

//****************************************************************
// "[extended] permit ..." / "[extended] deny ...": the action is set
// first, rule_extended fills in protocol, addresses, ports and options,
// and the rule is pushed once the line's NEWLINE is matched.
//
// NOTE(review): the default ANTLR error handler is in effect (the
// "defaultErrorHandler = false" option is commented out). If
// rule_extended meets a token it does not recognise, the error is
// reported via reportError() into the import log, the parser
// resynchronises, and pushRule() may still run -- a partially parsed
// ACE can be pushed as a rule. Check the import log for "Parser error"
// lines before trusting an imported ACL.
permit_extended:
        ( EXTENDED )? PERMIT
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newPolicyRule();
            importer->action = "permit";
            *dbg << LT(1)->getLine() << ":" << " permit ";
        }
        rule_extended NEWLINE
        {
            importer->pushRule();
        }
    ;

// Same as permit_extended with action "deny".
deny_extended:
        ( EXTENDED )? DENY
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newPolicyRule();
            importer->action = "deny";
            *dbg << LT(1)->getLine() << ":" << " deny ";
        }
        rule_extended NEWLINE
        {
            importer->pushRule();
        }
    ;

// "standard permit <addr>": see rule_standard for the address handling.
permit_standard:
        STANDARD PERMIT
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newPolicyRule();
            importer->action = "permit";
            *dbg << LT(1)->getLine() << ":" << " permit ";
        }
        rule_standard NEWLINE
        {
            importer->pushRule();
        }
    ;

// "standard deny <addr>".
deny_standard:
        STANDARD DENY
        {
            importer->setCurrentLineNumber(LT(0)->getLine());
            importer->newPolicyRule();
            importer->action = "deny";
            *dbg << LT(1)->getLine() << ":" << " deny ";
        }
        rule_standard NEWLINE
        {
            importer->pushRule();
        }
    ;

//****************************************************************
// the difference between standard and extended acls should be in these rules
// standard acl only matches destination address
//
// A standard ACE carries no source: the source is forced to
// 0.0.0.0/0.0.0.0 ("any") before the single address expression on the
// line is saved as the destination.
rule_standard
    :
        {
            importer->tmp_a = "0.0.0.0";
            importer->tmp_nm = "0.0.0.0";
            importer->SaveTmpAddrToSrc();
        }
        hostaddr_expr
        {
            importer->SaveTmpAddrToDst();
            *dbg << "(dst) " << std::endl;
        }
    ;

// Extended ACE body. Three shapes: a generic IP protocol (this
// alternative), ICMP with optional type/code or type group, and tcp/udp
// with port specs (tcp_udp_rule_extended). The trailing options are
// accepted only in the fixed order time-range, fragments, log.
//
// NOTE(review): the device's "inactive" keyword (listed in the CLI help
// quoted in the ICMP alternative as "Keyword for disabling an ACL
// element") is only recognised inside the log clause, as token
// LOG_LEVEL_INACTIVE, where it is stored as a log level. An ACE that
// ends in "inactive" without "log" does not match this rule at all;
// with the default error handler it is reported as a parser error and
// may still be pushed as an ACTIVE rule. Confirm how the importer
// treats log_level == "inactive" and parser errors before relying on
// imported ACLs that use "inactive".
rule_extended
    :
        (
            ip_protocols
            hostaddr_expr
            {
                importer->SaveTmpAddrToSrc();
                *dbg << "(src) ";
            }
            hostaddr_expr
            {
                importer->SaveTmpAddrToDst();
                *dbg << "(dst) ";
            }
            (time_range)? (fragments)? (log)?
|
            // ICMP ACE: "icmp <src> <dst> [<type> [<code>] | <name> |
            // object-group <name>] [options]".
            ICMP
            {
                importer->protocol = LT(0)->getText();
                *dbg << "protocol " << LT(0)->getText() << " ";
            }
            hostaddr_expr
            {
                importer->SaveTmpAddrToSrc();
                *dbg << "(src) ";
            }
            hostaddr_expr
            {
                importer->SaveTmpAddrToDst();
                *dbg << "(dst) ";
            }
            // at this point:
            // configure mode commands/options:
            // <0-255> Enter ICMP type number (0 - 255)
            // alternate-address
            // conversion-error
            // echo
            // echo-reply
            // inactive Keyword for disabling an ACL element
            // . . . . more icmp service names
            // object-group ICMP object-group for destination port
            // . . . . more icmp service names
            //
            // NOTE(review): "inactive" from the list above is not matched
            // here; the only rule that accepts that token is log, which
            // stores it as a log level (LOG_LEVEL_INACTIVE).
            (
                OBJECT_GROUP grp_name:WORD
                {
                    importer->icmp_spec = grp_name->getText();
                    *dbg << "service gorup: " << grp_name->getText() << std::endl;
                }
            |
                icmp_spec
            )?
            (time_range)? (fragments)? (log)?
        |
            tcp_udp_rule_extended
        )
        {
            *dbg << std::endl;
        }
    ;

// tcp/udp ACE body: "{tcp|udp} <src> [<src-port>] <dst> [<dst-port>]
// [established] [time-range ..] [fragments] [log ..]". The difficulty is
// that "object-group <name>" right after the source address may be a
// source-port group or the destination address group. The syntactic
// predicate below decides by asking the importer whether <name> is a
// service group it already knows (isKnownServiceGroupName). A service
// group that is not known at that point -- its definition skipped, or
// (presumably) not yet parsed -- is taken as a destination address
// group; the real destination address then no longer fits the rest of
// the rule, is reported as a parser error, and under the default error
// handler the ACE may still be pushed with the wrong destination. Treat
// any "Parser error" next to such an ACE as a wrong rule, not a
// missing one.
tcp_udp_rule_extended
    :
        ( TCP | UDP )
        {
            importer->protocol = LT(0)->getText();
            *dbg << "protocol " << LT(0)->getText() << " ";
        }
        hostaddr_expr
        {
            importer->SaveTmpAddrToSrc();
            *dbg << "(src) ";
        }
        (
            (OBJECT_GROUP) =>
            (
                // This object-group can be either
                // source port or destination address
                //
                // Using disambiguating predicate; it must be the first element
                // in the production (i.e. nothing should precede {}?)
                { importer->isKnownServiceGroupName(LT(2)->getText()) }?
                OBJECT_GROUP src_grp_name:WORD
                {
                    importer->src_port_spec = src_grp_name->getText();
                    *dbg << "src port spec: " << src_grp_name->getText() << std::endl;
                }
                // destination address spec follows; hostaddr_expr matches
                // OBJECT | OBJECT_GROUP among pure addresses
                hostaddr_expr_1
                {
                    importer->SaveTmpAddrToDst();
                    *dbg << "(dst) ";
                }
                acl_tcp_udp_dst_port_spec
            |
                // still object-group after src address but this group is not
                // a known service group - must be dest. address group
                hostaddr_expr_2
                {
                    importer->SaveTmpAddrToDst();
                    *dbg << "(dst) ";
                }
                acl_tcp_udp_dst_port_spec
            )
        |
            // not "object-group" keyword after src address spec.
            OBJECT dst_addr_name:WORD (acl_xoperator_dst)? (established)?
            {
                // looks like "object foo" at this point can only be dest addr.
                // (judging by cli prompts on 8.3)
                importer->tmp_a = dst_addr_name->getText();
                importer->tmp_nm = "";
                importer->SaveTmpAddrToDst();
                *dbg << "dst addr object " << dst_addr_name->getText() << " ";
            }
            acl_tcp_udp_dst_port_spec
        |
            // if not object-group and object, then it can optionally
            // be regular inline port spec, followed by dest address spec
            (
                xoperator
                {
                    importer->SaveTmpPortToSrc();
                }
            )?
            hostaddr_expr_3
            {
                importer->SaveTmpAddrToDst();
                *dbg << "(dst) ";
            }
            acl_tcp_udp_dst_port_spec
        )
        (time_range)? (fragments)? (log)?
    ;

//****************************************************************
// Destination port of a tcp/udp ACE: a service object-group, a named
// "object", an inline operator, or nothing at all (the last alternative
// matches empty). "established" may follow any of them.
acl_tcp_udp_dst_port_spec
    :
        (
            // destination port spec. Can be blank, a named
            // object, object-group or inline
            (OBJECT_GROUP) =>
            (
                // This object-group can be only destination port
                OBJECT_GROUP dst_port_group_name:WORD
                {
                    importer->dst_port_spec = dst_port_group_name->getText();
                    *dbg << "dst port spec: " << dst_port_group_name->getText() << std::endl;
                }
                (established)?
            )
        |
            // not "object-group"
            OBJECT dst_port_obj_name:WORD
            {
                importer->dst_port_spec = dst_port_obj_name->getText();
                *dbg << "dst addr object " << dst_port_obj_name->getText() << std::endl;
            }
            (established)?
        |
            // if not object-group and object, then it can optionally
            // be regular inline port spec
            (acl_xoperator_dst)? (established)?
) ; acl_xoperator_dst : xoperator { importer->SaveTmpPortToDst(); } ; xoperator { importer->tmp_port_spec = ""; } : single_port_op | port_range ; //**************************************************************** single_port_op : (P_EQ | P_GT | P_LT | P_NEQ ) { importer->tmp_port_op = LT(0)->getText(); *dbg << LT(0)->getText() << " "; } port_spec ; port_spec : { importer->tmp_port_spec_2 = ""; } tcp_udp_port_spec { importer->tmp_port_spec = std::string(" ") + importer->tmp_port_spec_2; *dbg << LT(0)->getText() << " " << importer->tmp_port_spec; } ; port_range : RANGE pair_of_ports_spec { importer->tmp_port_op = "range"; *dbg << "range " << importer->tmp_port_spec; } ; pair_of_ports_spec : { importer->tmp_port_spec_2 = ""; } tcp_udp_port_spec { importer->tmp_port_spec += importer->tmp_port_spec_2; } tcp_udp_port_spec { importer->tmp_port_spec += " "; importer->tmp_port_spec += importer->tmp_port_spec_2; } ; // note that some words coincide as names of protocols or ports and // can be used in other parts of configuration tcp_udp_port_spec : (tcp_udp_port_names | WORD | INT_CONST) { importer->tmp_port_spec_2 = LT(0)->getText(); } ; // tokens that can be tcp/udp port names (but can also be used for // something else). 
If I ever decide to make tokens for every known // port name, they should be added here tcp_udp_port_names : ( ECHO | HOSTNAME | PPTP | SSH | TELNET | HTTP ) ; established : ESTABLISHED { importer->established = true; *dbg << "established "; } ; //**************************************************************** ip_protocols : ( ( ip_protocol_names | ICMP6 ) { importer->protocol = LT(0)->getText(); *dbg << "protocol " << LT(0)->getText() << " "; } | ( ( OBJECT | OBJECT_GROUP ) name:WORD ) { importer->protocol = name->getText(); *dbg << "protocol " << name->getText() << " "; } ) ; icmp_spec : ( (INT_CONST) => (icmp_type:INT_CONST icmp_code:INT_CONST) { importer->icmp_type = icmp_type->getText(); importer->icmp_code = icmp_code->getText(); importer->icmp_spec = ""; *dbg << icmp_type->getText() << " " << icmp_code->getText() << " "; } | icmp_names { importer->icmp_spec = LT(0)->getText(); *dbg << LT(0)->getText() << " "; } ) ; icmp_names : ( ALTERNATE_ADDRESS | CONVERSION_ERROR | ECHO | ECHO_REPLY | INFORMATION_REPLY | INFORMATION_REQUEST | MASK_REPLY | MASK_REQUEST | MOBILE_REDIRECT | PARAMETER_PROBLEM | REDIRECT | ROUTER_ADVERTISEMENT | ROUTER_SOLICITATION | SOURCE_QUENCH | TIME_EXCEEDED | TIMESTAMP_REPLY | TIMESTAMP_REQUEST | TRACEROUTE | UNREACHABLE ) ; //**************************************************************** // using these to help with debugging hostaddr_expr_1 : hostaddr_expr ; hostaddr_expr_2 : hostaddr_expr ; hostaddr_expr_3 : hostaddr_expr ; hostaddr_expr : INTRFACE interface_label { importer->tmp_a = LT(0)->getText(); importer->tmp_nm = "interface"; *dbg << "object " << LT(0)->getText() << " "; } | ( ( OBJECT | OBJECT_GROUP ) name:WORD ) { importer->tmp_a = name->getText(); importer->tmp_nm = ""; *dbg << "object " << name->getText() << " "; } | (HOST h:IPV4) { importer->tmp_a = h->getText(); importer->tmp_nm = "255.255.255.255"; *dbg << h->getText() << "/255.255.255.255"; } | (a:IPV4 m:IPV4) { importer->tmp_a = a->getText(); importer->tmp_nm = 
m->getText();
                *dbg << a->getText() << "/" << m->getText();
            }
        |
            // "any" is represented as address 0.0.0.0 with mask 0.0.0.0.
            ANY
            {
                importer->tmp_a = "0.0.0.0";
                importer->tmp_nm = "0.0.0.0";
                *dbg << "0.0.0.0/0.0.0.0";
            }
    ;

//****************************************************************
// "log [<level>] [interval <secs>]" on an ACE. Sets importer->logging
// and records the optional level and interval as text. Two of the
// tokens accepted in the "level" position are not syslog levels:
// "disable" (on the device, presumably logging off for this ACE) and
// "inactive", which the CLI help quoted in rule_extended describes as
// "Keyword for disabling an ACL element". Both are stored in log_level
// here; whether the importer maps "disable" to logging=false and
// "inactive" to a disabled rule is decided outside this grammar --
// confirm before relying on either in an import. An "inactive" ACE
// imported as active is a policy widening.
log
    :
        (LOG | LOG_INPUT)
        {
            importer->logging = true;
        }
        (
            (
                (
                    INT_CONST
                |
                    LOG_LEVEL_ALERTS
                |
                    LOG_LEVEL_CRITICAL
                |
                    LOG_LEVEL_DEBUGGING
                |
                    LOG_LEVEL_EMERGENCIES
                |
                    LOG_LEVEL_ERRORS
                |
                    LOG_LEVEL_INFORMATIONAL
                |
                    LOG_LEVEL_NOTIFICATIONS
                |
                    LOG_LEVEL_WARNINGS
                |
                    LOG_LEVEL_DISABLE
                |
                    LOG_LEVEL_INACTIVE
                )
                {
                    importer->log_level = LT(0)->getText();
                }
            )?
            (
                ( INTERVAL INT_CONST )
                {
                    importer->log_interval = LT(0)->getText();
                }
            )?
        )
        {
            // if (importer->log_level == "log") importer->log_level = "";
            // if (importer->log_interval == "log") importer->log_interval = "";
            *dbg << "logging level '" << importer->log_level
                 << "' interval '" << importer->log_interval << "'";
        }
    ;

// "fragments" keyword on an ACE: only a flag is recorded.
fragments
    :
        FRAGMENTS
        {
            importer->fragments = true;
            *dbg << "fragments ";
        }
    ;

// "time-range <name>" on an ACE: only the name is recorded.
// NOTE(review): no rule visible in this grammar parses the time-range
// definition itself; unless the importer resolves time_range_name, an
// ACE that is restricted to a schedule on the device is imported as
// unconditional -- confirm.
time_range
    :
        TIME_RANGE tr_name:WORD
        {
            importer->time_range_name = tr_name->getText();
            *dbg << "time_range " << tr_name->getText() << " ";
        }
    ;

//****************************************************************
// "controller ...": skipped; also leaves the current-interface context.
controller
    :
        CONTROLLER
        {
            importer->clearCurrentInterface();
            consumeUntil(NEWLINE);
        }
    ;

//****************************************************************
//
// **************** PIX 6 "interface" command:
//
// interface [ [shutdown]]
// [no] interface [logical|physical] [shutdown]
// interface change-vlan
// show interface
//
// Example:
//
// interface ethernet0 auto
// interface ethernet1 auto
// nameif ethernet0 outside security0
// nameif ethernet1 inside security100
//
// **************** PIX 7 "interface" command
//
// interface
// interface .
// no interface .
//
// Examples:
//
// interface Ethernet0
// no nameif
// no security-level
// no ip address
// !
// interface Ethernet0.101
// vlan 101
// nameif outside
// security-level 0
// ip address 192.0.2.253 255.255.255.0
// !
// vlans in pix6 config format are not parsed intrface : INTRFACE ( interface_command_6 | interface_command_7 ) ; // unfortunately word "outside" is used as a keyword in nat commands // and is also common interface label interface_label : WORD | OUTSIDE ; interface_command_6 : in:WORD pix6_interface_hw_speed // pix 6 { importer->setCurrentLineNumber(LT(0)->getLine()); importer->newInterface( in->getText() ); *dbg << in->getLine() << ":" << " INTRFACE: " << in->getText() << std::endl; } ; interface_command_7 {bool have_interface_parameters = false;} : in:WORD NEWLINE { importer->setCurrentLineNumber(LT(0)->getLine()); importer->newInterface( in->getText() ); *dbg << in->getLine() << ":" << " INTRFACE: " << in->getText() << std::endl; } ( ( interface_parameters {have_interface_parameters = true;} )* ( LINE_COMMENT | EXIT ) { if ( ! have_interface_parameters ) { importer->ignoreCurrentInterface(); *dbg<< LT(1)->getLine() << ":" << " EMPTY INTERFACE " << std::endl; } } ) ; pix6_interface_hw_speed : ( AUI | AUTO | BNC | ( INT_CONST ( FULL | BASET | BASETX | AUTO ) ) ) ; nameif_top_level { std::string intf_name, intf_label, sec_level; } : NAMEIF WORD { intf_name = LT(0)->getText(); } interface_label { intf_label = LT(0)->getText(); } WORD { sec_level = LT(0)->getText(); } { importer->setInterfaceParametes(intf_name, intf_label, sec_level); *dbg << " NAMEIF: " << intf_name << " " << intf_label << " " << sec_level << std::endl; } ; interface_parameters : { importer->setCurrentLineNumber(LT(0)->getLine()); } ( intf_address | vlan_interface | sec_level | nameif | interface_description | switchport | shutdown | interface_no_commands | unsupported_interface_commands ) NEWLINE ; vlan_interface : VLAN vlan_id:INT_CONST { importer->setInterfaceVlanId(vlan_id->getText()); *dbg << " VLAN: " << vlan_id->getText() << std::endl; } ; unsupported_interface_commands : ( SPEED | DUPLEX | DDNS | FORWARD | DELAY | HOLD_TIME | IGMP | IPV6_C | MANAGEMENT_ONLY | MAC_ADDRESS | MULTICAST | OSPF 
| PIM | PPPOE | RIP ) { *dbg << " UNSUPPORTED INTERFACE COMMAND: " << LT(0)->getText() << std::endl; consumeUntil(NEWLINE); } ; interface_no_commands : NO (NAMEIF | IP | SEC_LEVEL | SHUTDOWN) { *dbg << " INTERFACE \"NO\" COMMAND: " << LT(0)->getText() << std::endl; consumeUntil(NEWLINE); } ; sec_level : SEC_LEVEL sec_level:INT_CONST { importer->setInterfaceSecurityLevel(sec_level->getText()); *dbg << "SEC_LEVEL: " << sec_level->getText() << std::endl; } ; // // If there is a word after label, then there must be sec_level // also. Otherwise there must be nothing. // // In case of pix6 configs, "nameif" is not really inside interface // context but is rather located at the top level, the same level // where "interface" line is found. Also, pix6 places all definitions // of physical interfaces ("interface") first, then all nameif lines // under them. Even though match for nameif is in the interface // context in the grammar, function setInterfaceParametes() can locate // right interface using its first parameter. // nameif : NAMEIF interface_label { importer->setInterfaceParametes(LT(0)->getText(), "", ""); *dbg << " NAMEIF: " << LT(0)->getText() << std::endl; } ; // interface description // Use it for comment interface_description : DESCRIPTION { *dbg << LT(1)->getLine() << ":"; std::string descr; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { descr += LT(1)->getText() + " "; consume(); } importer->setInterfaceComment( descr ); *dbg << " DESCRIPTION " << descr << std::endl; //consumeUntil(NEWLINE); } ; shutdown : SHUTDOWN { importer->ignoreCurrentInterface(); *dbg<< LT(1)->getLine() << ":" << " INTERFACE SHUTDOWN " << std::endl; } ; // Interface IP address. // // **************** PIX 6 // // ip address outside dhcp setroute retry 10 // ip address inside 10.3.14.202 255.255.255.0 // // **************** PIX 7 // // interface Ethernet0.101 // vlan 101 // nameif outside // security-level 0 // ip address 192.0.2.253 255.255.255.0 // ! 
// // interface Vlan1 // nameif inside // security-level 100 // ip address dhcp setroute // ! intf_address : IP ADDRESS (v6_ip_address | v7_ip_address) ; v6_ip_address : v6_dhcp_address | v6_static_address; v6_dhcp_address { std::string lbl; } : interface_label { lbl = LT(0)->getText(); } dhcp:DHCP { std::string addr = dhcp->getText(); importer->addInterfaceAddress(lbl, addr, ""); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << std::endl; // there can be some other parameters after "dhcp", such as // "setroute", "retry" etc. which we do not support consumeUntil(NEWLINE); } ; v6_static_address { std::string lbl; } : interface_label { lbl = LT(0)->getText(); } a:IPV4 m:IPV4 { std::string addr = a->getText(); std::string netm = m->getText(); importer->addInterfaceAddress(lbl, addr, netm); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << "/" << netm << std::endl; // in case there are some other parameters after address and netmask consumeUntil(NEWLINE); } ; v7_ip_address : v7_dhcp_address | v7_static_address; v7_dhcp_address : dhcp:DHCP { std::string addr = dhcp->getText(); importer->addInterfaceAddress(addr, ""); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << std::endl; consumeUntil(NEWLINE); } // NEWLINE ; v7_static_address : a:IPV4 m:IPV4 (s:STANDBY)? { std::string addr = a->getText(); std::string netm = m->getText(); importer->addInterfaceAddress(addr, netm); *dbg << LT(1)->getLine() << ":" << " INTRFACE ADDRESS: " << addr << "/" << netm << std::endl; // there can be other parameters after address/netmask pair, such as "standby" // We do not parse them yet. if (s) { importer->addMessageToLog( QString("Warning: failover IP detected. 
" "Failover is not supported by import " "at this time")); } consumeUntil(NEWLINE); } // NEWLINE ; switchport : SWITCHPORT ACCESS VLAN vlan_num:INT_CONST { importer->addMessageToLog("Switch port vlan " + vlan_num->getText()); *dbg << "Switch port vlan " << vlan_num->getText() << std::endl; } ; //**************************************************************** // pretend ssh commands are rules in access lists with names // "ssh_commands_" + interface_label ssh_command : SSH { importer->clear(); } ( ( TIMEOUT INT_CONST ) { // set ssh timeout here } | SCOPY | VERSION_WORD_LOW INT_CONST | ( hostaddr_expr { importer->SaveTmpAddrToSrc(); } interface_label ) { std::string intf_label = LT(0)->getText(); std::string acl_name = "ssh_commands_" + intf_label; importer->setCurrentLineNumber(LT(0)->getLine()); importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME ); importer->newPolicyRule(); importer->action = "permit"; importer->setDstSelf(); importer->protocol = "tcp"; importer->dst_port_op = "eq"; importer->dst_port_spec = "ssh"; importer->setInterfaceAndDirectionForRuleSet( acl_name, intf_label, "in" ); importer->pushRule(); *dbg << std::endl; } ) ; telnet_command : TELNET { importer->clear(); } ( ( TIMEOUT INT_CONST ) | ( hostaddr_expr { importer->SaveTmpAddrToSrc(); } interface_label ) { std::string intf_label = LT(0)->getText(); std::string acl_name = "telnet_commands_" + intf_label; importer->setCurrentLineNumber(LT(0)->getLine()); importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME ); importer->newPolicyRule(); importer->action = "permit"; importer->setDstSelf(); importer->protocol = "tcp"; importer->dst_port_op = "eq"; importer->dst_port_spec = "telnet"; importer->setInterfaceAndDirectionForRuleSet( acl_name, intf_label, "in" ); importer->pushRule(); *dbg << std::endl; } ) ; // pretend ssh commands are rules in access lists with names // "htto_commands_" + interface_label http_command : HTTP { importer->clear(); } ( ( 
AUTHENTICATION_CERTIFICATE | REDIRECT | SERVER ) { consumeUntil(NEWLINE); } | ( hostaddr_expr { importer->SaveTmpAddrToSrc(); } interface_label ) { std::string intf_label = LT(0)->getText(); std::string acl_name = "http_commands_" + intf_label; importer->setCurrentLineNumber(LT(0)->getLine()); importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME ); importer->newPolicyRule(); importer->action = "permit"; importer->setDstSelf(); importer->protocol = "tcp"; importer->dst_port_op = "eq"; importer->dst_port_spec = "www"; importer->setInterfaceAndDirectionForRuleSet( acl_name, intf_label, "in" ); importer->pushRule(); *dbg << std::endl; } ) ; // icmp command is non-determenistic syntactically because WORD can be // used as a name of icmp type or as interface label. I am going to // define all icmp types as tokens in icmp_types_for_icmp_command // Looks like "icmp" command accepts limited set of icmp type names // and can accept numeric code. // icmp_top_level_command : ICMP ( ( UNREACHABLE { consumeUntil(NEWLINE); } ) | ( (permit:PERMIT | deny:DENY) { importer->clear(); } hostaddr_expr { importer->SaveTmpAddrToSrc(); } ( icmp_types_for_icmp_command )? 
interface_label { std::string intf_label = LT(0)->getText(); std::string acl_name = "icmp_commands_" + intf_label; importer->setCurrentLineNumber(LT(0)->getLine()); importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME ); importer->newPolicyRule(); if (permit) importer->action = "permit"; if (deny) importer->action = "deny"; importer->setDstSelf(); importer->protocol = "icmp"; importer->setInterfaceAndDirectionForRuleSet( acl_name, intf_label, "in" ); importer->pushRule(); } ) ) ; icmp_types_for_icmp_command : INT_CONST { importer->icmp_type = LT(0)->getText(); importer->icmp_code = "0"; importer->icmp_spec = ""; } | (ECHO | ECHO_REPLY | TIME_EXCEEDED | UNREACHABLE) { importer->icmp_type = ""; importer->icmp_code = "0"; importer->icmp_spec = LT(0)->getText(); } ; //**************************************************************** // remark. According to the Cisco docs, can only be used // within access list // Use it for the current rule comment remark : REMARK { importer->setCurrentLineNumber(LT(0)->getLine()); *dbg << LT(1)->getLine() << ":"; std::string rem; while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE) { rem += LT(1)->getText() + " "; consume(); } importer->addRuleComment( rem ); *dbg << " REMARK " << rem << std::endl; //consumeUntil(NEWLINE); } ; //**************************************************************** access_group : ACCESS_GROUP aclname:WORD dir:WORD INTRFACE interface_label { std::string intf_label = LT(0)->getText(); importer->setCurrentLineNumber(LT(0)->getLine()); importer->setInterfaceAndDirectionForRuleSet( aclname->getText(), intf_label, dir->getText() ); *dbg << LT(1)->getLine() << ":" << " INTRFACE: ACL '" << aclname->getText() << "'" << " " << intf_label << " " << dir->getText() << std::endl; } ; //**************************************************************** exit: EXIT ; comment : (LINE_COMMENT | COLON_COMMENT) ; //**************************************************************** // NAT 
commands nat_top_level_command : NAT OPENING_PAREN { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); } ( nat_old_top_level_command | nat_new_top_level_command ) ; nat_old_top_level_command : interface_label { importer->prenat_interface = LT(0)->getText(); } CLOSING_PAREN { importer->newUnidirRuleSet("nat", libfwbuilder::NAT::TYPENAME ); *dbg << " SNAT rule "; importer->rule_type = libfwbuilder::NATRule::SNAT; } // <0-2147483647> The of this group of hosts/networks. INT_CONST { importer->nat_num = LT(0)->getText(); } // Hostname or A.B.C.D The hosts/networks in this group // access-list Specify access-list name after this keyword nat_addr_match ( nat_command_last_parameters )* NEWLINE { importer->pushNATRule(); *dbg << std::endl; } ; nat_addr_match : single_addr // real { importer->nat_a = importer->tmp_a; } // A.B.C.D IP netmask to apply to the local IP address // ( single_addr { importer->nat_nm = importer->tmp_a; } )? | INT_CONST { if (LT(0)->getText() != std::string("0")) { importer->reportError( std::string("Unknown string ")+LT(0)->getText()+ std::string("; expected \"0\"")); *dbg << " UNKNOWN STRING " << LT(0)->getText(); } importer->nat_a = "0.0.0.0"; } ( INT_CONST { if (LT(0)->getText() != std::string("0")) { importer->reportError( std::string("Unknown string ")+LT(0)->getText()+ std::string("; expected \"0\"")); *dbg << " UNKNOWN STRING " << LT(0)->getText(); } importer->nat_nm = "0.0.0.0"; } )? | ACCESS_LIST acl_name:WORD { importer->nat_acl = acl_name->getText(); } ; nat_command_last_parameters : // nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]] // // here we deal with parameters starting with "dns". 
Note that compiler // does not know anything about max_conns and emb_limit options anyway // // // <0-65535> The maximum number of simultaneous TCP connections // dns Rewrite DNS address record // norandomseq Disable TCP sequence number randomization // outside Enable Outside NAT // tcp Configure TCP specific parameters // udp Configure UDP specific parameters // nat_and_static_command_common_last_parameters | OUTSIDE ; nat_new_top_level_command : interface_label COMMA interface_label CLOSING_PAREN { importer->addMessageToLog( QString("Warning: Import of ASA 8.3 nat command " "is not supported at this time")); consumeUntil(NEWLINE); } ; global_top_level_command : GLOBAL OPENING_PAREN { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); } interface_label { importer->tmp_global_pool.pool_interface = LT(0)->getText(); } CLOSING_PAREN num:INT_CONST { importer->tmp_global_pool.str_num = num->getText(); importer->tmp_global_pool.netmask = "255.255.255.255"; *dbg << " GLOBAL POOL " << importer->tmp_global_pool.str_num << " " << importer->tmp_global_pool.pool_interface; } // WORD Enter IP address or a range of IP addresses [-] // interface Specifies PAT using the IP address at the interface ( INTRFACE { importer->tmp_global_pool.start = LT(0)->getText(); importer->tmp_global_pool.end = LT(0)->getText(); } | single_addr { importer->tmp_global_pool.start = importer->tmp_a; importer->tmp_global_pool.end = importer->tmp_a; } ) ( MINUS single_addr { importer->tmp_global_pool.end = importer->tmp_a; } )? // netmask Specify netmask for the IP address(es) after this keyword // ( NETMASK IPV4 { importer->tmp_global_pool.netmask = LT(0)->getText(); } )? 
NEWLINE { importer->addGlobalPool(); *dbg << " " << importer->tmp_global_pool.start << " " << importer->tmp_global_pool.end << " " << importer->tmp_global_pool.netmask << std::endl; } ; static_top_level_command : STATIC OPENING_PAREN { importer->clear(); importer->setCurrentLineNumber(LT(0)->getLine()); } interface_label { importer->prenat_interface = LT(0)->getText(); } COMMA interface_label { importer->postnat_interface = LT(0)->getText(); } CLOSING_PAREN { importer->newUnidirRuleSet("nat", libfwbuilder::NAT::TYPENAME ); *dbg << " DNAT rule "; importer->rule_type = libfwbuilder::NATRule::DNAT; } // Hostname or A.B.C.D Global or mapped address // interface Global address overload from interface // tcp TCP to be used as transport protocol // udp UDP to be used as transport protocol ( static_starts_with_hostaddr | static_starts_with_tcp_udp ) NEWLINE { importer->pushNATRule(); *dbg << std::endl; } ; static_starts_with_hostaddr : static_mapped_addr_match // Hostname or A.B.C.D Real IP address of the host or hosts // access-list Configure access-list name after this keyw static_real_addr_match ( static_command_common_last_parameters )* ; static_mapped_addr_match : ( single_addr { importer->mapped_a = importer->tmp_a; importer->mapped_nm = importer->tmp_nm; *dbg << "mapped: " << importer->mapped_a; } | INTRFACE { importer->mapped_a = "interface"; importer->mapped_nm = ""; *dbg << "mapped: " << importer->mapped_a; } ) ; static_real_addr_match : ( single_addr // real { importer->real_a = importer->tmp_a; importer->real_nm = importer->tmp_nm; *dbg << "real: " << importer->real_a; } | ACCESS_LIST acl_name:WORD { importer->real_addr_acl = acl_name->getText(); *dbg << "real: " << importer->real_addr_acl; } ) ; static_starts_with_tcp_udp : ( TCP | UDP ) { importer->protocol = LT(0)->getText(); *dbg << " SERVICE TCP/UDP " << LT(0)->getText() << " "; } // Hostname or A.B.C.D Global or mapped address // interface Global address overload from interface static_mapped_addr_match // 
<0-65535> Enter port number (0 - 65535) // aol // bgp // chargen tcp_udp_port_spec { importer->mapped_port_spec = importer->tmp_port_spec_2; *dbg << "mapped port " << importer->mapped_port_spec << " "; } // Hostname or A.B.C.D Real IP address of the host or hosts // access-list Configure access-list name after this keyword ( single_addr // real { importer->real_a = importer->tmp_a; importer->real_nm = importer->tmp_nm; *dbg << "real: " << importer->real_a; } // <0-65535> Enter port number (0 - 65535) // aol // bgp // chargen tcp_udp_port_spec { importer->real_port_spec = importer->tmp_port_spec_2; *dbg << "real port " << importer->real_port_spec << " "; } | ACCESS_LIST acl_name:WORD { importer->real_addr_acl = acl_name->getText(); *dbg << "real: " << importer->real_addr_acl; } ) // <0-65535> The maximum number of simultaneous tcp connections the loc // hosts are to allow, default is 0 which means unlimited // connections. Idle connections are closed after the time // specified by the timeout conn command // dns Use the created xlate to rewrite DNS address record // netmask Configure Netmask to apply to IP addresses // norandomseq Disable TCP sequence number randomization // tcp Configure TCP specific parameters // udp Configure UDP specific parameters ( static_command_common_last_parameters )* ; static_command_common_last_parameters : // <0-65535> The maximum number of simultaneous tcp connections // dns Use the created xlate to rewrite DNS address record // netmask Configure Netmask to apply to IP addresses // norandomseq Disable TCP sequence number randomization // tcp Configure TCP specific parameters // udp Configure UDP specific parameters // nat_and_static_command_common_last_parameters | NETMASK nm:IPV4 { importer->real_nm = nm->getText(); *dbg << "real netmask: " << importer->real_nm; } ; nat_and_static_command_common_last_parameters : // <0-65535> The maximum number of simultaneous tcp connections // dns Use the created xlate to rewrite DNS address record 
// netmask Configure Netmask to apply to IP addresses // norandomseq Disable TCP sequence number randomization // tcp Configure TCP specific parameters // udp Configure UDP specific parameters // DNS { importer->addMessageToLog( QString("Warning: 'nat' and 'static' command option 'dns' is not supported")); } | NORANDOMSEQ { importer->addMessageToLog( QString("Warning: 'nat' and 'static' command option 'norandomseq' is not supported")); } | (TCP | UDP)? max_conn:INT_CONST (max_emb_conn:INT_CONST)? { importer->static_max_conn = max_conn->getText(); if (max_emb_conn) importer->static_max_emb_conn = max_emb_conn->getText(); } ; //**************************************************************** class PIXCfgLexer extends Lexer; options { k = 3; // ASCII only charVocabulary = '\3'..'\377'; } tokens { EXIT = "exit"; QUIT = "quit"; NO = "no"; HOSTNAME = "hostname"; CERTIFICATE = "certificate"; INTRFACE = "interface"; CONTROLLER = "controller"; DESCRIPTION = "description"; REMARK = "remark"; SHUTDOWN = "shutdown"; SPEED = "speed"; DUPLEX = "duplex"; DELAY = "delay"; DNS = "dns"; DDNS = "ddns"; FORWARD = "forward"; HOLD_TIME = "hold-time"; IPV6_C = "ipv6"; MAC_ADDRESS = "mac-address"; MANAGEMENT_ONLY = "management-only"; MULTICAST = "multicast"; NETMASK = "netmask"; INTERVAL = "interval"; OUTSIDE = "outside"; VLAN = "vlan"; SWITCHPORT = "switchport"; ACCESS = "access"; SEC_LEVEL = "security-level"; ACCESS_LIST = "access-list"; ACCESS_GROUP = "access-group"; ADDRESS = "address"; SECONDARY = "secondary"; STANDBY = "standby"; COMMUNITY_LIST = "community-list"; PERMIT = "permit"; DENY = "deny"; DHCP = "dhcp"; SETROUTE = "setroute"; // protocols for 'permit' and 'deny' commands IP = "ip"; ICMP = "icmp"; ICMP6 = "icmp6"; TCP = "tcp"; UDP = "udp"; TCP_UDP = "tcp-udp"; DESTINATION = "destination"; SOURCE = "source"; AH = "ah"; EIGRP = "eigrp"; ESP_WORD = "esp"; GRE = "gre"; IGMP = "igmp"; IGRP = "igrp"; IPINIP = "ipinip"; IPSEC = "ipsec"; NOS = "nos"; OSPF = "ospf"; PCP = "pcp"; PIM 
= "pim"; PPTP = "pptp"; RIP = "rip"; SNP = "snp"; HOST = "host"; ANY = "any"; P_EQ = "eq"; P_GT = "gt"; P_LT = "lt"; P_NEQ = "neq"; RANGE = "range"; LOG = "log"; LOG_INPUT = "log-input"; LOG_LEVEL_ALERTS = "alerts"; LOG_LEVEL_CRITICAL = "critical"; LOG_LEVEL_DEBUGGING = "debugging"; LOG_LEVEL_EMERGENCIES = "emergencies"; LOG_LEVEL_ERRORS = "errors"; LOG_LEVEL_INFORMATIONAL = "informational"; LOG_LEVEL_NOTIFICATIONS = "notifications"; LOG_LEVEL_WARNINGS = "warnings"; LOG_LEVEL_DISABLE = "disable"; LOG_LEVEL_INACTIVE = "inactive"; ESTABLISHED = "established"; FRAGMENTS = "fragments"; TIME_RANGE = "time-range"; EXTENDED = "extended" ; STANDARD = "standard" ; PIX_WORD = "PIX" ; ASA_WORD = "ASA" ; FWSM_WORD = "FWSM" ; VERSION_WORD_CAP = "Version" ; VERSION_WORD_LOW = "version" ; CRYPTO = "crypto"; // OBJECT = "object"; // OBJECT_GROUP = "object-group"; GROUP_OBJECT = "group-object"; NETWORK_OBJECT = "network-object"; SERVICE_OBJECT = "service-object"; PORT_OBJECT = "port-object"; PROTOCOL_OBJECT = "protocol-object"; ICMP_OBJECT = "icmp-object"; ICMP_TYPE = "icmp-type"; NETWORK = "network"; SERVICE = "service"; PROTOCOL = "protocol"; SUBNET = "subnet"; NAT = "nat"; GLOBAL = "global"; STATIC = "static"; SSH = "ssh"; TELNET = "telnet"; AUI = "aui"; AUTO = "auto"; BNC = "bnc"; BASET = "baseT"; FULL = "full"; BASETX = "baseTX"; TIMEOUT = "timeout"; ALTERNATE_ADDRESS = "alternate-address"; CONVERSION_ERROR = "conversion-error"; ECHO = "echo"; ECHO_REPLY = "echo-reply"; INFORMATION_REPLY = "information-reply"; INFORMATION_REQUEST = "information-request"; MASK_REPLY = "mask-reply"; MASK_REQUEST = "mask-request"; MOBILE_REDIRECT = "mobile-redirect"; PARAMETER_PROBLEM = "parameter-problem"; REDIRECT = "redirect"; ROUTER_ADVERTISEMENT = "router-advertisement"; ROUTER_SOLICITATION = "router-solicitation"; SOURCE_QUENCH = "source-quench"; TIME_EXCEEDED = "time-exceeded"; TIMESTAMP_REPLY = "timestamp-reply"; TIMESTAMP_REQUEST = "timestamp-request"; TRACEROUTE = "traceroute"; 
UNREACHABLE = "unreachable"; NORANDOMSEQ = "norandomseq"; SCOPY = "scopy"; CALL_HOME = "call-home"; INTERNAL = "internal"; PASSWORD_RECOVERY = "password-recovery"; RESETINBOUND = "resetinbound"; RESETOUTBOUND = "resetoutbound"; RESETOUTSIDE = "resetoutside"; HTTP = "http"; AUTHENTICATION_CERTIFICATE = "authentication-certificate"; SERVER = "server"; NAME = "name"; NAMES = "names"; NAMEIF = "nameif"; OBJECT = "object"; OBJECT_GROUP = "object-group"; } LINE_COMMENT : "!" (~('\r' | '\n'))* NEWLINE ; // This is for lines like these that appear at the top of "show run" // : Saved // : COLON_COMMENT : COLON (~('\r' | '\n'))* NEWLINE ; Whitespace : ( '\003'..'\010' | '\t' | '\013' | '\f' | '\016'.. '\037' | '\177'..'\377' | ' ' ) { _ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP; } ; //COMMENT_START : '!' ; NEWLINE : ( "\r\n" | '\r' | '\n' ) { newline(); } ; protected INT_CONST:; protected HEX_CONST:; protected NUMBER:; protected NEG_INT_CONST:; protected DIGIT : '0'..'9' ; protected HEXDIGIT : 'a'..'f' ; NUMBER_ADDRESS_OR_WORD : ( ( DIGIT ) => ( ( (DIGIT)+ DOT (DIGIT)+ DOT (DIGIT)+ ) => ( (DIGIT)+ DOT (DIGIT)+ DOT (DIGIT)+ DOT (DIGIT)+ ) { _ttype = IPV4; } | ( (DIGIT)+ DOT (DIGIT)+ )=> ( (DIGIT)+ DOT (DIGIT)+ ) { _ttype = NUMBER; } | ( DIGIT )+ { _ttype = INT_CONST; } ) | ( ( 'a'..'f' | '0'..'9' )+ COLON ) => ( ( ( 'a'..'f' | '0'..'9' )+ ( COLON ( 'a'..'f' | '0'..'9' )* )+ ) { _ttype = IPV6; } ) | // making sure ',' '(' ')' are not part of WORD ( 'a'..'z' | 'A'..'Z' | '$' ) ( '!'..'\'' | '*' | '+' | '-' | '.' | '/' | '0'..'9' | ':' | ';' | '<' | '=' | '>' | '?' | '@' | 'A'..'Z' | '\\' | '^' | '_' | '`' | 'a'..'z' )* { _ttype = WORD; } ) ; STRING : '"' (~'"')* '"'; PIPE_CHAR : '|'; NUMBER_SIGN : '#' ; // DOLLAR : '$' ; PERCENT : '%' ; AMPERSAND : '&' ; APOSTROPHE : '\'' ; OPENING_PAREN : '(' ; CLOSING_PAREN : ')' ; STAR : '*' ; PLUS : '+' ; COMMA : ',' ; MINUS : '-' ; DOT : '.' 
; SLASH : '/' ; COLON : ':' ; SEMICOLON : ';' ; LESS_THAN : '<' ; EQUALS : '=' ; GREATER_THAN : '>' ; QUESTION : '?' ; COMMERCIAL_AT : '@' ; OPENING_SQUARE : '[' ; CLOSING_SQUARE : ']' ; CARET : '^' ; UNDERLINE : '_' ; OPENING_BRACE : '{' ; CLOSING_BRACE : '}' ; TILDE : '~' ; EXLAMATION : '!'; fwbuilder-5.3.7/src/pf/000077500000000000000000000000001303637203600147105ustar00rootroot00000000000000fwbuilder-5.3.7/src/pf/pf.cpp000066400000000000000000000115641303637203600160300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #include #include "CompilerDriver_pf.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Constants.h" #include #include #include #include "../common/init.cpp" using namespace std; using namespace libfwbuilder; using namespace fwcompiler; FWObjectDatabase *objdb = NULL; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string&) const { cout << "Data file has been created in the old version of Firewall Builder. Use fwbuilder GUI to convert it." 
<< endl; return false; } }; void usage(const char *name) { cout << "Firewall Builder: policy compiler for OpenBSD PF" << endl; cout << "Version " << VERSION << endl; cout << "Usage: " << name << " [-x] [-v] [-V] [-f filename.xml] [-o output.fw] [-d destdir] [-D datadir] [-m] [-4|-6] firewall_object_name" << endl; } int main(int argc, char **argv) { QCoreApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); #endif QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); QStringList args = app.arguments(); if (args.size()<=1) { usage(argv[0]); exit(1); } QString last_arg; string filename; for (int idx=0; idx < args.size(); idx++) { QString arg = args.at(idx); last_arg = arg; if (arg == "-V") { usage(argv[0]); exit(0); } if (arg == "-f") { idx++; filename = string(args.at(idx).toLatin1().constData()); continue; } } if (filename.empty()) { usage(argv[0]); exit(1); } init(argv); IPService::addNamedProtocol(112, "carp"); IPService::addNamedProtocol(240, "pfsync"); try { new Resources(Constants::getResourcesFilePath()); /* create database */ objdb = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; cout << " *** Loading data ..."; objdb->setReadOnly( false ); objdb->load( Constants::getStandardObjectsFilePath(), &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(""); FWObjectDatabase *ndb = new FWObjectDatabase(); ndb->load(filename, &upgrade_predicate, Constants::getDTDDirectory()); objdb->merge(ndb, NULL); delete ndb; objdb->setFileName(filename); objdb->reIndex(); cout << " done\n"; FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID); if (slib && slib->isReadOnly()) slib->setReadOnly(false); CompilerDriver_pf *driver = new CompilerDriver_pf(objdb); if (!driver->prepare(args)) { usage(argv[0]); exit(1); } driver->compile(); //int ret = 
(driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1; int ret = driver->getStatus(); delete driver; delete objdb; return ret; } catch(const FWException &ex) { cerr << ex.toString() << endl; return 1; #if __GNUC__ >= 3 /* need to check version because std::ios::failure does not seem to be * supported in gcc 2.9.5 on FreeBSD 4.10 */ } catch (const std::ios::failure &e) { cerr << "Error while opening or writing to the output file" << endl; return 1; #endif } catch (const std::string &s) { cerr << s; return 1; } catch (const std::exception &ex) { cerr << ex.what(); return 1; } catch (...) { cerr << "Unsupported exception"; return 1; } } fwbuilder-5.3.7/src/pf/pf.pro000066400000000000000000000013321303637203600160360ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) QT -= gui # greaterThan(QT_MAJOR_VERSION, 4): QT += widgets SOURCES = pf.cpp HEADERS = ../../config.h !win32 { QMAKE_COPY = ../../install.sh -m 0755 -s } win32:CONFIG += console INCLUDEPATH += ../pflib ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../pflib ../compiler_lib ../libfwbuilder/src PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../pflib/$$BINARY_SUBDIR/libfwbpf.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \ LIBS += $$PRE_TARGETDEPS $$LIBS TARGET = fwb_pf fwbuilder-5.3.7/src/pflib/000077500000000000000000000000001303637203600153775ustar00rootroot00000000000000fwbuilder-5.3.7/src/pflib/AutomaticRules_pf.cpp000066400000000000000000000177211303637203600215410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "AutomaticRules_pf.h" #include "fwbuilder/Address.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include using namespace fwcompiler; using namespace libfwbuilder; using namespace std; void AutomaticRules_pf::addSshAccessRule() { if (ruleset == NULL) return; FWOptions *fwopt = fw->getOptionsObject(); if (fwopt->getBool("mgmt_ssh") && ! 
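fwopt->getStr("mgmt_addr").empty()) {
        PolicyRule *r;
        TCPService *ssh = ruleset->getRoot()->createTCPService();
        ssh->setDstRangeStart(22);
        ssh->setDstRangeEnd(22);
        ssh->setName("mgmt_ssh");
        persistent_objects->add(ssh,false);

        // mgmt_addr is a user-supplied string: either a plain address or
        // "address/netmask", where the netmask is dotted-quad or a prefix
        // length. Anything the parser rejects ends up as the single
        // "Invalid address for the backup ssh access" error below.
        string mgmt_addr = fwopt->getStr("mgmt_addr");
        InetAddr addr;
        InetAddr netmask(InetAddr::getAllOnes());
        try
        {
            // NOTE(review): if InetAddr(std::string) rejects a "/" suffix,
            // this first call already throws and the prefix-parsing branch
            // below is never reached -- confirm against InetAddr.
            addr = InetAddr(mgmt_addr);
            string::size_type sep = mgmt_addr.find("/");
            if (sep != string::npos)
            {
                addr = InetAddr(mgmt_addr.substr(0,sep));
                string nm = mgmt_addr.substr(sep+1);
                int o1,o2,o3,o4;
                if (sscanf(nm.c_str(), "%3u.%3u.%3u.%3u", &o1, &o2, &o3, &o4)==4)
                {
                    netmask = InetAddr(nm);
                } else
                {
                    // Prefix-length form ("/24"). The sscanf() result used
                    // to be ignored, so a non-numeric suffix left o1
                    // uninitialized and the ssh access rule got an
                    // arbitrary netmask. Reject anything that is not a
                    // number in 0..32; the throw is caught below and
                    // reported like any other malformed input.
                    if (sscanf(nm.c_str(), "%u", &o1) != 1 || o1 < 0 || o1 > 32)
                        throw FWException("Invalid netmask: '" + nm + "'");
                    netmask = InetAddr(o1);
                }
            }
        } catch(FWException &ex)
        {
            QString err("Invalid address for the backup ssh access: '%1'");
            throw FWException(err.arg(mgmt_addr.c_str()).toStdString());
        }

        Network *mgmt_workstation = ruleset->getRoot()->createNetwork();
        mgmt_workstation->setName("mgmt_addr");
        mgmt_workstation->setAddress(addr);
        mgmt_workstation->setNetmask(netmask);
        persistent_objects->add(mgmt_workstation,false);

        // r = ruleset->getRoot()->createPolicyRule();
        // ruleset->push_front(r);
        r = PolicyRule::cast(ruleset->insertRuleAtTop(true));
        r->setAction(PolicyRule::Accept);
        r->setLogging(false);
        r->setDirection(PolicyRule::Inbound);
        r->setPosition(9998);
        r->setComment(" backup ssh access rule ");
        r->setHidden(true);
        r->setFallback(false);
        r->setLabel("backup ssh access rule");
        r->setBool("needs_established",true); // supported in ipfw

        RuleElement *src = r->getSrc(); assert(src!=NULL);
        src->addRef(mgmt_workstation);
        RuleElement *dst = r->getDst(); assert(dst!=NULL);
        dst->addRef(fw);
        RuleElement *srv = r->getSrv(); assert(srv!=NULL);
        srv->addRef(ssh);
    }
}

/*
 * Adds an accept rule for CARP (IP protocol 112) on the physical interface
 * ("base_device") behind every failover interface whose cluster group type
 * is "carp". Does nothing when no ruleset is set; throws FWException when
 * the physical interface cannot be found.
 */
void AutomaticRules_pf::addCarpRules()
{
    if (ruleset == NULL) return;

    /* Add CARP-Service to database */
    IPService* carp_service =
        IPService::cast(ruleset->getRoot()->create(IPService::TYPENAME));
    carp_service->setComment("CARP service");
    carp_service->setProtocolNumber(112);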
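persistent_objects->add(carp_service);

    FWObjectTypedChildIterator interfaces = fw->findByType(Interface::TYPENAME);
    for (; interfaces != interfaces.end(); ++interfaces)
    {
        Interface *iface = Interface::cast(*interfaces);
        if (iface->isFailoverInterface())
        {
            FWObject *failover_group =
                iface->getFirstByType(FailoverClusterGroup::TYPENAME);
            // Check the lookup result before using it, the same way
            // addPfsyncRules() guards its state_sync_group: a failover
            // interface without a FailoverClusterGroup child would
            // otherwise be dereferenced through a NULL pointer here
            // (assuming getFirstByType() returns NULL when nothing matches).
            if (failover_group && failover_group->getStr("type") == "carp")
            {
                /* Add automatic rules for CARP
                 * Rule should be associated with physical interface */
                string phys_iface_name =
                    iface->getOptionsObject()->getStr("base_device");
                Interface *phys_iface = Interface::cast(
                    fw->findObjectByName(Interface::TYPENAME, phys_iface_name));
                if (phys_iface)
                {
                    PolicyRule *rule = addMgmtRule(NULL, NULL, carp_service,
                                                   phys_iface,
                                                   PolicyRule::Both,
                                                   PolicyRule::Accept,
                                                   "CARP");
                    FWOptions *ruleopt = rule->getOptionsObject();
                    assert(ruleopt!=NULL);
                    ruleopt->setBool("firewall_is_part_of_any_and_networks",
                                     false);
                } else
                {
                    throw FWException(
                        "Can not find interface " + phys_iface_name +
                        " for the CARP interface " + iface->getName() +
                        " of the cluster");
                }
            }
        }
    }
}

/*
 * Adds an accept rule for pfsync (IP protocol 240) on every interface that
 * is a member of a state sync group of type "pfsync". Does nothing when no
 * ruleset is set.
 */
void AutomaticRules_pf::addPfsyncRules()
{
    if (ruleset == NULL) return;

    /* Add pfsync service to database */
    IPService* pfsync_service =
        IPService::cast(ruleset->getRoot()->create(IPService::TYPENAME));
    pfsync_service->setComment("pfsync service");
    pfsync_service->setProtocolNumber(240);
    persistent_objects->add(pfsync_service);

    FWObjectTypedChildIterator interfaces = fw->findByType(Interface::TYPENAME);
    for (; interfaces != interfaces.end(); ++interfaces)
    {
        Interface *iface = Interface::cast(*interfaces);
        if (iface->getOptionsObject()->getBool("state_sync_group_member"))
        {
            // The interface option holds the group's string id; resolve it
            // through the object index before checking the group type.
            FWObject *state_sync_group = ruleset->getRoot()->findInIndex(
                ruleset->getRoot()->getIntId(
                    iface->getOptionsObject()->getStr("state_sync_group_id")));
            assert(state_sync_group!=NULL);
            if (state_sync_group && state_sync_group->getStr("type") == "pfsync")
            {
                PolicyRule *rule = addMgmtRule(NULL, NULL, pfsync_service,
                                               iface,
                                               PolicyRule::Both,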
PolicyRule::Accept, "pfsync"); FWOptions *ruleopt = rule->getOptionsObject(); assert(ruleopt!=NULL); ruleopt->setBool("firewall_is_part_of_any_and_networks", false); } } } } void AutomaticRules_pf::addFallbackRule() { if (ruleset == NULL) return; FWOptions *fwopt = fw->getOptionsObject(); PolicyRule *r = PolicyRule::cast(ruleset->appendRuleAtBottom(true)); r->setUniqueId( ruleset->getRoot()->getPredictableId( FWObjectDatabase::getStringId(fw->getId()) + "." )); FWOptions *ruleopt; r->setAction(PolicyRule::Deny); r->setLogging(fwopt->getBool("fallback_log")); r->setDirection(PolicyRule::Both); r->setPosition(10000); r->setComment(" fallback rule "); r->setHidden(true); r->setFallback(true); r->setLabel("fallback rule"); ruleopt = r->getOptionsObject(); ruleopt->setBool("stateless", true); } fwbuilder-5.3.7/src/pflib/AutomaticRules_pf.h000066400000000000000000000027141303637203600212020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __AUTOMATICRULES_PF_HH__ #define __AUTOMATICRULES_PF_HH__ #include "AutomaticRules.h" namespace libfwbuilder { class Address; class Firewall; class Interface; class Service; }; namespace fwcompiler { class AutomaticRules_pf : public AutomaticRules { public: AutomaticRules_pf(libfwbuilder::Firewall *fw, libfwbuilder::Library *presistent_objects) : AutomaticRules(fw, presistent_objects) {} void addSshAccessRule(); void addCarpRules(); void addPfsyncRules(); void addFallbackRule(); }; }; #endif fwbuilder-5.3.7/src/pflib/CompilerDriver_ipf.cpp000066400000000000000000000042461303637203600216750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #include #include #include #include "fwbuilder/FWOptions.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "CompilerDriver_ipf.h" #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; CompilerDriver_ipf::CompilerDriver_ipf(FWObjectDatabase *db) : CompilerDriver_pf(db) { have_nat = false; have_filter = false; } // create a copy of itself, including objdb CompilerDriver* CompilerDriver_ipf::clone() { CompilerDriver_ipf* new_cd = new CompilerDriver_ipf(objdb); if (inEmbeddedMode()) new_cd->setEmbeddedMode(); return new_cd; } QString CompilerDriver_ipf::printActivationCommandWithSubstitution(Firewall *fw) { QString script_buffer; QTextStream str(&script_buffer, QIODevice::WriteOnly); FWObjectTypedChildIterator j=fw->findByType(Interface::TYPENAME); for ( ; j!=j.end(); ++j ) { Interface *iface=Interface::cast(*j); if ( iface->isDyn() ) { str << "sed \"s/ (" << iface->getName() << ") " << "/ $i_" << iface->getName() << " /\""; } } return script_buffer; } fwbuilder-5.3.7/src/pflib/CompilerDriver_ipf.h000066400000000000000000000052211303637203600213340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COMPILER_DRIVER_IPF_HH__ #define __COMPILER_DRIVER_IPF_HH__ #include "CompilerDriver_pf.h" #include "TableFactory.h" #include #include #include namespace libfwbuilder { class FWObjectDatabase; class Cluster; class ClusterGroup; class Firewall; class RuleSet; class Interface; }; namespace fwcompiler { class CompilerDriver_ipf : public CompilerDriver_pf { QStringList activation_commands; QString composeActivationCommand(libfwbuilder::Firewall *fw, bool filter, const std::string &debug, const std::string &version, const std::string &remote_file_name); protected: QString printActivationCommandWithSubstitution(libfwbuilder::Firewall *fw); virtual QString assembleManifest(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member); virtual QString printActivationCommands(libfwbuilder::Firewall *fw); virtual QString assembleFwScript(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member, OSConfigurator *ocsnf); public: CompilerDriver_ipf(libfwbuilder::FWObjectDatabase *db); // create a copy of itself, including objdb virtual CompilerDriver* clone(); virtual QString run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id); }; }; #endif fwbuilder-5.3.7/src/pflib/CompilerDriver_ipf_run.cpp000066400000000000000000000354011303637203600225560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #include #include #include #include "CompilerDriver_ipf.h" #include "PolicyCompiler_ipf.h" #include "NATCompiler_ipf.h" #include "AutomaticRules_pf.h" #include "OSConfigurator_openbsd.h" #include "OSConfigurator_freebsd.h" #include "OSConfigurator_solaris.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/ClusterGroup.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/XMLTools.h" #include "fwcompiler/Preprocessor.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; QString CompilerDriver_ipf::composeActivationCommand(libfwbuilder::Firewall *fw, bool filter, const std::string &debug, const std::string &, const std::string &remote_file) { Configlet act(fw, "ipf", "activation"); act.removeComments(); act.collapseEmptyStrings(true); act.setVariable("dyn_addr", fw->getOptionsObject()->getBool("dynAddr")); act.setVariable("not_dyn_addr", !fw->getOptionsObject()->getBool("dynAddr")); act.setVariable("filter", filter); act.setVariable("nat", !filter); act.setVariable("ipf_debug", debug.c_str()); act.setVariable("remote_file", remote_file.c_str()); act.setVariable("interface_name_substitution_commands", 
printActivationCommandWithSubstitution(fw)); return act.expand(); } QString CompilerDriver_ipf::assembleManifest(Cluster*, Firewall* fw, bool ) { (void) fw; // Unused QString remote_name = remote_file_names[FW_FILE]; QString remote_ipf_name = remote_file_names[CONF1_FILE]; QString remote_nat_name = remote_file_names[CONF2_FILE]; QString script_buffer; QTextStream script(&script_buffer, QIODevice::WriteOnly); script << MANIFEST_MARKER << "* " << this->escapeFileName(file_names[FW_FILE]); if (remote_name != file_names[FW_FILE]) script << " " << this->escapeFileName(remote_name); script << endl; if (have_filter) { script << MANIFEST_MARKER << " " << this->escapeFileName(file_names[CONF1_FILE]); if (remote_ipf_name != file_names[CONF1_FILE]) script << " " << this->escapeFileName(remote_ipf_name); script << endl; } if (have_nat) { script << MANIFEST_MARKER << " " << this->escapeFileName(file_names[CONF2_FILE]); if (remote_nat_name != file_names[CONF2_FILE]) script << " " << this->escapeFileName(remote_nat_name); script << endl; } return script_buffer; } QString CompilerDriver_ipf::assembleFwScript(Cluster *cluster, Firewall* fw, bool cluster_member, OSConfigurator *oscnf) { Configlet script_skeleton(fw, "ipf", "script_skeleton"); Configlet top_comment(fw, "ipf", "top_comment"); assembleFwScriptInternal( cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#", true); return script_skeleton.expand(); } QString CompilerDriver_ipf::printActivationCommands(libfwbuilder::Firewall*) { return activation_commands.join("\n"); } QString CompilerDriver_ipf::run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id) { Cluster *cluster = NULL; Firewall *fw = NULL; getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw); try { clearReadOnly(fw); // Copy rules from the cluster object populateClusterElements(cluster, fw); commonChecks2(cluster, fw); FWOptions* options = fw->getOptionsObject(); string fw_version = 
fw->getStr("version"); // Note that fwobjectname may be different from the name of the // firewall fw This happens when we compile a member of a cluster current_firewall_name = fw->getName().c_str(); string s; bool debug = options->getBool("debug"); string ipf_dbg = (debug)?"-v":""; std::auto_ptr prep(new Preprocessor(objdb , fw, false)); prep->compile(); /* * Process firewall options, build OS network configuration script */ std::auto_ptr oscnf; string host_os = fw->getStr("host_OS"); string family=Resources::os_res[host_os]->Resources::getResourceStr("/FWBuilderResources/Target/family"); if ( host_os == "solaris" ) oscnf = std::auto_ptr(new OSConfigurator_solaris(objdb , fw, false)); if ( host_os == "openbsd") oscnf = std::auto_ptr(new OSConfigurator_openbsd(objdb , fw, false)); if ( host_os == "freebsd") oscnf = std::auto_ptr(new OSConfigurator_freebsd(objdb , fw, false)); if (oscnf.get()==NULL) { abort("Unrecognized host OS " + host_os + " (family " + family + ")"); return ""; } oscnf->prolog(); list all_policies = fw->getByType(Policy::TYPENAME); list all_nat = fw->getByType(NAT::TYPENAME); try { AutomaticRules_pf auto_rules(fw, persistent_objects); auto_rules.addSshAccessRule(); auto_rules.addCarpRules(); auto_rules.addPfsyncRules(); auto_rules.addFallbackRule(); } catch (FWException &ex) { abort(ex.toString()); } PolicyCompiler_ipf c(objdb , fw, false , oscnf.get() ); FWObject *policy = all_policies.front(); c.setSourceRuleSet(Policy::cast(policy)); c.setRuleSetName(policy->getName()); c.setPersistentObjects(persistent_objects); c.setSingleRuleCompileMode(single_rule_id); c.setDebugLevel( dl ); if (rule_debug_on) c.setDebugRule( drp ); c.setVerbose( verbose ); if (inTestMode()) c.setTestMode(); if (inEmbeddedMode()) c.setEmbeddedMode(); if ( c.prolog() > 0 ) { have_filter = true; c.compile(); c.epilog(); } NATCompiler_ipf n( objdb , fw, false , oscnf.get() ); FWObject *nat = all_nat.front(); n.setSourceRuleSet(NAT::cast(nat)); 
n.setRuleSetName(nat->getName()); n.setPersistentObjects(persistent_objects); n.setSingleRuleCompileMode(single_rule_id); n.setDebugLevel( dl ); if (rule_debug_on) n.setDebugRule( drn ); n.setVerbose( verbose ); if (inTestMode()) n.setTestMode(); if (inEmbeddedMode()) n.setEmbeddedMode(); if ( n.prolog() > 0 ) { have_nat = true; n.compile(); n.epilog(); } /* * compilers detach persistent objects when they finish, this * means at this point library persistent_objects is not part * of any object tree. */ objdb->reparent(persistent_objects); if (haveErrorsAndWarnings()) { all_errors.push_front(getErrors("").c_str()); } if (single_rule_compile_on) { // in single rule compile mode just return the result ostringstream ostr; if (have_filter) { if (c.haveErrorsAndWarnings()) { all_errors.push_back(c.getErrors("").c_str()); } ostr << c.getCompiledScript(); } if (have_nat) { if (n.haveErrorsAndWarnings()) { all_errors.push_back(n.getErrors("").c_str()); } ostr << n.getCompiledScript(); } return formSingleRuleCompileOutput( QString::fromUtf8(ostr.str().c_str())); } determineOutputFileNames(cluster, fw, !cluster_id.empty(), QStringList() << "" << "ipf" << "nat", QStringList() << "fw" << "conf" << "conf", QStringList() << "script_name_on_firewall" << "ipf_conf_file_name_on_firewall" << "nat_conf_file_name_on_firewall"); QString remote_ipf_name = remote_file_names[CONF1_FILE]; QString remote_nat_name = remote_file_names[CONF2_FILE]; if (have_filter) { QString output_file = getAbsOutputFileName(file_names[CONF1_FILE]); info("Output file name: " + output_file.toStdString()); QFile ipf_file(output_file); if (ipf_file.open(QIODevice::WriteOnly)) { QTextStream ipf_str(&ipf_file); if (c.haveErrorsAndWarnings()) { all_errors.push_back(c.getErrors("").c_str()); ipf_str << "# Policy compiler errors and warnings:" << endl; ipf_str << QString::fromUtf8(c.getErrors("# ").c_str()); } ipf_str << QString::fromUtf8(c.getCompiledScript().c_str()); ipf_file.close(); 
ipf_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup | QFile::ReadOther | QFile::ExeOwner | QFile::ExeGroup | QFile::ExeOther ); } else { QString err(" Failed to open file %1 for writing: %2; " "Current dir: %3"); abort(err.arg(ipf_file.fileName()) .arg(ipf_file.error()) .arg(QDir::current().path()).toStdString()); } QString remote_file_name = escapeFileName(remote_ipf_name); activation_commands.push_back( composeActivationCommand( fw, true, ipf_dbg, fw_version, remote_file_name.toUtf8().constData())); } if (have_nat) { QString output_file = getAbsOutputFileName(file_names[CONF2_FILE]); info("Output file name: " + output_file.toStdString()); QFile nat_file(output_file); if (nat_file.open(QIODevice::WriteOnly)) { QTextStream nat_str(&nat_file); if (n.haveErrorsAndWarnings()) { all_errors.push_back(n.getErrors("").c_str()); nat_str << "# NAT compiler errors and warnings:" << endl; nat_str << QString::fromUtf8(n.getErrors("# ").c_str()); } nat_str << QString::fromUtf8(n.getCompiledScript().c_str()); nat_file.close(); nat_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup | QFile::ReadOther | QFile::ExeOwner | QFile::ExeGroup | QFile::ExeOther ); } else { QString err(" Failed to open file %1 for writing: %2; " "Current dir: %3"); abort(err.arg(nat_file.fileName()) .arg(nat_file.error()) .arg(QDir::current().path()).toStdString()); } QString remote_file_name = escapeFileName(remote_nat_name); activation_commands.push_back( composeActivationCommand( fw, false, ipf_dbg, fw_version, remote_file_name.toUtf8().constData())); } /* * assemble the script and then perhaps post-process it if needed */ QString script_buffer = assembleFwScript( cluster, fw, !cluster_id.empty(), oscnf.get()); file_names[FW_FILE] = getAbsOutputFileName(file_names[FW_FILE]); info("Output file name: " + file_names[FW_FILE].toStdString()); QFile fw_file(file_names[FW_FILE]); if (fw_file.open(QIODevice::WriteOnly)) { QTextStream fw_str(&fw_file); fw_str 
<< script_buffer; fw_file.close(); fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup | QFile::ReadOther | QFile::ExeOwner | QFile::ExeGroup | QFile::ExeOther ); info(" Compiled successfully"); } else { QString err(" Failed to open file %1 for writing: %2; Current dir: %3"); abort(err.arg(fw_file.fileName()) .arg(fw_file.error()).arg(QDir::current().path()).toStdString()); } if (!all_errors.isEmpty()) status = BaseCompiler::FWCOMPILER_WARNING; } catch (FWException &ex) { status = BaseCompiler::FWCOMPILER_ERROR; return QString::fromUtf8(ex.toString().c_str()); } return ""; } fwbuilder-5.3.7/src/pflib/CompilerDriver_ipfw.cpp000066400000000000000000000025071303637203600220620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "CompilerDriver_ipfw.h" #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; CompilerDriver_ipfw::CompilerDriver_ipfw(FWObjectDatabase *db) : CompilerDriver_pf(db) { } // create a copy of itself, including objdb CompilerDriver* CompilerDriver_ipfw::clone() { CompilerDriver_ipfw* new_cd = new CompilerDriver_ipfw(objdb); if (inEmbeddedMode()) new_cd->setEmbeddedMode(); return new_cd; } fwbuilder-5.3.7/src/pflib/CompilerDriver_ipfw.h000066400000000000000000000043511303637203600215260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COMPILER_DRIVER_IPFW_HH__ #define __COMPILER_DRIVER_IPFW_HH__ #include "CompilerDriver_pf.h" #include "TableFactory.h" #include #include #include namespace libfwbuilder { class FWObjectDatabase; class Cluster; class ClusterGroup; class Firewall; class RuleSet; class Interface; }; namespace fwcompiler { class CompilerDriver_ipfw : public CompilerDriver_pf { QStringList activation_commands; protected: virtual QString assembleManifest(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member); virtual QString printActivationCommands(libfwbuilder::Firewall *fw); virtual QString assembleFwScript(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member, OSConfigurator *ocsnf); public: CompilerDriver_ipfw(libfwbuilder::FWObjectDatabase *db); // create a copy of itself, including objdb virtual CompilerDriver* clone(); virtual QString run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id); }; }; #endif fwbuilder-5.3.7/src/pflib/CompilerDriver_ipfw_run.cpp000066400000000000000000000277341303637203600227570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #include #include #include #include "CompilerDriver_ipfw.h" #include "PolicyCompiler_ipfw.h" #include "AutomaticRules_pf.h" #include "OSConfigurator_freebsd.h" #include "OSConfigurator_macosx.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/ClusterGroup.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/XMLTools.h" #include "fwcompiler/Preprocessor.h" #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; QString CompilerDriver_ipfw::assembleManifest(Cluster*, Firewall* , bool ) { QString script_buffer; QTextStream script(&script_buffer, QIODevice::WriteOnly); script << MANIFEST_MARKER << "* " << this->escapeFileName(file_names[FW_FILE]); if (!remote_file_names[FW_FILE].isEmpty()) script << " " << this->escapeFileName(remote_file_names[FW_FILE]); script << "\n"; script << "#" << endl; script << "#" << endl; return script_buffer; } QString CompilerDriver_ipfw::printActivationCommands(Firewall*) { return activation_commands.join("\n"); } QString CompilerDriver_ipfw::assembleFwScript(Cluster *cluster, Firewall* fw, bool cluster_member, OSConfigurator *oscnf) { Configlet script_skeleton(fw, "ipfw", "script_skeleton"); Configlet top_comment(fw, "ipfw", "top_comment"); assembleFwScriptInternal( cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#", true); return script_skeleton.expand(); } QString CompilerDriver_ipfw::run(const std::string 
&cluster_id, const std::string &firewall_id, const std::string &single_rule_id) { Cluster *cluster = NULL; Firewall *fw = NULL; getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw); try { clearReadOnly(fw); // Copy rules from the cluster object populateClusterElements(cluster, fw); commonChecks2(cluster, fw); FWOptions* options = fw->getOptionsObject(); // Note that fwobjectname may be different from the name of the // firewall fw This happens when we compile a member of a cluster current_firewall_name = fw->getName().c_str(); string s; string firewall_dir=options->getStr("firewall_dir"); if (firewall_dir=="") firewall_dir="/etc/fw"; bool debug=options->getBool("debug"); string shell_dbg=(debug)?"-x":"" ; /* * Process firewall options, build OS network configuration script */ std::auto_ptr oscnf; string host_os = fw->getStr("host_OS"); string family = Resources::os_res[host_os]->Resources::getResourceStr("/FWBuilderResources/Target/family"); if ( host_os == "macosx") oscnf = std::auto_ptr(new OSConfigurator_macosx(objdb , fw, false)); if ( host_os == "freebsd") oscnf = std::auto_ptr(new OSConfigurator_freebsd(objdb , fw, false)); if (oscnf.get()==NULL) { abort("Unrecognized host OS " + host_os + " (family " + family + ")"); return ""; } oscnf->prolog(); list all_policies = fw->getByType(Policy::TYPENAME); vector ipv4_6_runs; string generated_script; int policy_rules_count = 0; int ipfw_rule_number = 0; findImportedRuleSets(fw, all_policies); try { AutomaticRules_pf auto_rules(fw, persistent_objects); auto_rules.addSshAccessRule(); auto_rules.addCarpRules(); auto_rules.addPfsyncRules(); auto_rules.addFallbackRule(); } catch (FWException &ex) { abort(ex.toString()); } // assign unique rule ids that later will be used to generate // chain names. 
This should be done after calls to // findImportedRuleSets() // NB: these ids are not used by this compiler assignUniqueRuleIds(all_policies); // command line options -4 and -6 control address family for which // script will be generated. If "-4" is used, only ipv4 part will // be generated. If "-6" is used, only ipv6 part will be generated. // If neither is used, both parts will be done. if (options->getStr("ipv4_6_order").empty() || options->getStr("ipv4_6_order") == "ipv4_first") { if (ipv4_run) ipv4_6_runs.push_back(AF_INET); if (ipv6_run) ipv4_6_runs.push_back(AF_INET6); } if (options->getStr("ipv4_6_order") == "ipv6_first") { if (ipv6_run) ipv4_6_runs.push_back(AF_INET6); if (ipv4_run) ipv4_6_runs.push_back(AF_INET); } for (vector::iterator i=ipv4_6_runs.begin(); i!=ipv4_6_runs.end(); ++i) { int policy_af = *i; bool ipv6_policy = (policy_af == AF_INET6); /* We need to create and run preprocessor for this address family before nat and policy compilers, but if there are no nat / policy rules for this address family, we do not need preprocessor either. 
*/ // Count rules for each address family int policy_count = 0; for (list::iterator p=all_policies.begin(); p!=all_policies.end(); ++p) { Policy *policy = Policy::cast(*p); if (policy->matchingAddressFamily(policy_af)) policy_count++; } if (policy_count) { std::auto_ptr prep(new Preprocessor(objdb , fw, ipv6_policy)); if (inTestMode()) prep->setTestMode(); if (inEmbeddedMode()) prep->setEmbeddedMode(); prep->compile(); } ostringstream c_str; bool empty_output = true; for (list::iterator p=all_policies.begin(); p!=all_policies.end(); ++p ) { Policy *policy = Policy::cast(*p); string branch_name = policy->getName(); if (!policy->matchingAddressFamily(policy_af)) continue; PolicyCompiler_ipfw c(objdb, fw, ipv6_policy, oscnf.get()); c.setIPFWNumber(ipfw_rule_number); c.setSourceRuleSet( policy ); c.setRuleSetName(branch_name); c.setPersistentObjects(persistent_objects); c.setSingleRuleCompileMode(single_rule_id); c.setDebugLevel( dl ); if (rule_debug_on) c.setDebugRule( drp ); c.setVerbose( (bool)(verbose) ); if (inTestMode()) c.setTestMode(); if (inEmbeddedMode()) c.setEmbeddedMode(); if ( (policy_rules_count=c.prolog()) > 0 ) { c.compile(); c.epilog(); ipfw_rule_number = c.getIPFWNumber(); if (c.getCompiledScriptLength() > 0) { if (!single_rule_compile_on) c_str << "# ================ Rule set " << branch_name << endl; c_str << c.getCompiledScript(); c_str << endl; empty_output = false; } if (c.haveErrorsAndWarnings()) { all_errors.push_back(c.getErrors("").c_str()); } } } if (!empty_output && !single_rule_compile_on) { if (ipv6_policy) { generated_script += "\n\n"; generated_script += "# ================ IPv6\n"; generated_script += "\n\n"; } else { generated_script += "\n\n"; generated_script += "# ================ IPv4\n"; generated_script += "\n\n"; } } generated_script += c_str.str(); } /* * compilers detach persistent objects when they finish, this * means at this point library persistent_objects is not part * of any object tree. 
*/ objdb->reparent(persistent_objects); if (haveErrorsAndWarnings()) { all_errors.push_front(getErrors("").c_str()); } if (single_rule_compile_on) { return formSingleRuleCompileOutput( QString::fromUtf8(generated_script.c_str())); } PolicyCompiler_ipfw c(objdb, fw, false, oscnf.get()); activation_commands.push_back(c.defaultRules().c_str()); activation_commands.push_back( QString::fromUtf8(generated_script.c_str())); /* * assemble the script and then perhaps post-process it if needed */ determineOutputFileNames(cluster, fw, !cluster_id.empty(), QStringList(""), QStringList("fw"), QStringList("script_name_on_firewall")); QString script_buffer = assembleFwScript( cluster, fw, !cluster_id.empty(), oscnf.get()); QString output_file = getAbsOutputFileName(file_names[FW_FILE]); info("Output file name: " + output_file.toStdString()); QFile fw_file(output_file); if (fw_file.open(QIODevice::WriteOnly)) { QTextStream fw_str(&fw_file); fw_str << script_buffer; fw_file.close(); fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup | QFile::ReadOther | QFile::ExeOwner | QFile::ExeGroup | QFile::ExeOther ); info(" Compiled successfully"); } else { QString err(" Failed to open file %1 for writing: %2; Current dir: %3"); abort(err.arg(fw_file.fileName()) .arg(fw_file.error()).arg(QDir::current().path()).toStdString()); } if (!all_errors.isEmpty()) status = BaseCompiler::FWCOMPILER_WARNING; } catch (FWException &ex) { status = BaseCompiler::FWCOMPILER_ERROR; return QString::fromUtf8(ex.toString().c_str()); } return ""; } fwbuilder-5.3.7/src/pflib/CompilerDriver_pf.cpp000066400000000000000000000333531303637203600215250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #include #include #include #include "fwbuilder/FWOptions.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "CompilerDriver_pf.h" #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; CompilerDriver_pf::CompilerDriver_pf(FWObjectDatabase *db) : CompilerDriver(db) { have_nat = false; have_filter = false; } // create a copy of itself, including objdb CompilerDriver* CompilerDriver_pf::clone() { CompilerDriver_pf* new_cd = new CompilerDriver_pf(objdb); if (inEmbeddedMode()) new_cd->setEmbeddedMode(); return new_cd; } /* * Generate file name for the ruleset .conf file using general conf * file name as a prototype. */ QString CompilerDriver_pf::getConfFileNameForRuleset(const QString &ruleset_name, const QString &conf_file_name, const QString &ext) { assert(!conf_file_name.isEmpty()); if (ruleset_name == "__main__") return conf_file_name; QString suffix = QString("-") + ruleset_name; QFileInfo fi(conf_file_name); QString path = fi.path(); // qDebug() << "getConfFileNameForRuleset:" // << "conf_file_name=" << conf_file_name // << "path=" << path; QString using_suffix = fi.completeSuffix(); if (!ext.isEmpty()) using_suffix = ext; QString new_name = fi.completeBaseName() + suffix + "." 
+ using_suffix; if (!path.isEmpty() && path != ".") new_name = path + "/" + new_name; return new_name; } QString CompilerDriver_pf::getRemoteConfFileName(const QString &ruleset_name, const QString &local_conf_name, const QString &remote_fw_name, const QString &remote_conf_name) { QString conf_file_name; QString suffix = QString("-") + ruleset_name; if (ruleset_name == "__main__") suffix = ""; if (remote_conf_name.isEmpty() && remote_fw_name.isEmpty()) { // local_conf_name may be a relative or absolute path. Return // just the file name QFileInfo fi(local_conf_name); return fi.fileName(); } QFileInfo fi; if (!remote_conf_name.isEmpty()) fi = QFileInfo(remote_conf_name); else if (!remote_fw_name.isEmpty()) fi = QFileInfo(remote_fw_name); QString new_name = fi.completeBaseName() + suffix + ".conf"; QString path = fi.path(); if (path == ".") return new_name; else return path + "/" + new_name; } string CompilerDriver_pf::printTimeout(FWOptions* options, const string &OnOffOption, const string &ValOption, const string &pfCode) { std::ostringstream res; if (options->getBool(OnOffOption) && options->getInt(ValOption)>0) { res << "set timeout " << pfCode << " " << options->getInt(ValOption) << endl; } return res.str(); } void CompilerDriver_pf::printProlog(QTextStream &file, const string &prolog_code) { file << endl; file << "#" << endl; file << "# Prolog script" << endl; file << "#" << endl; file << prolog_code << endl; file << "#" << endl; file << "# End of prolog script" << endl; file << "#" << endl; } void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw) { FWOptions* options = fw->getOptionsObject(); list all_interfaces=fw->getByType(Interface::TYPENAME); string prolog_place = options->getStr("prolog_place"); if (prolog_place.empty()) prolog_place = "fw_file"; // old default string pre_hook = options->getStr("prolog_script"); if (prolog_place == "pf_file_top") printProlog(file, pre_hook); file << endl; string set_debug = 
options->getStr("pf_set_debug"); if (!set_debug.empty()) { file << "set debug " << set_debug << endl; } string state_policy = options->getStr("pf_state_policy"); if (!state_policy.empty()) { file << "set state-policy " << state_policy << endl; } string block_policy = options->getStr("pf_block_policy"); if (!block_policy.empty()) { file << "set block-policy " << block_policy << endl; } QStringList limits; if (options->getBool("pf_do_limit_frags") && options->getInt("pf_limit_frags")>0 ) limits.push_back(QString("frags ") + options->getStr("pf_limit_frags").c_str()); if (options->getBool("pf_do_limit_states") && options->getInt("pf_limit_states")>0 ) limits.push_back(QString("states ") + options->getStr("pf_limit_states").c_str()); if (options->getBool("pf_do_limit_src_nodes") && options->getInt("pf_limit_src_nodes")>0 ) limits.push_back(QString("src-nodes ") + options->getStr("pf_limit_src_nodes").c_str()); if (options->getBool("pf_do_limit_tables") && options->getInt("pf_limit_tables")>0 ) limits.push_back(QString("tables ") + options->getStr("pf_limit_tables").c_str()); if (options->getBool("pf_do_limit_table_entries") && options->getInt("pf_limit_table_entries")>0 ) limits.push_back(QString("table-entries ") + options->getStr("pf_limit_table_entries").c_str()); if (limits.size() > 0) { file << "set limit "; if (limits.size() > 1 ) file << "{ "; file << limits.join(", "); if (limits.size() > 1 ) file << " }"; file << endl; } if ( ! 
options->getStr("pf_optimization").empty() ) file << "set optimization " << options->getStr("pf_optimization") << endl; file << printTimeout(options, "pf_do_timeout_interval","pf_timeout_interval", "interval"); file << printTimeout(options, "pf_do_timeout_frag","pf_timeout_frag", "frag"); file << printTimeout(options, "pf_set_tcp_first","pf_tcp_first", "tcp.first" ); file << printTimeout(options, "pf_set_tcp_opening","pf_tcp_opening", "tcp.opening" ); file << printTimeout(options, "pf_set_tcp_established","pf_tcp_established", "tcp.established" ); file << printTimeout(options, "pf_set_tcp_closing","pf_tcp_closing", "tcp.closing" ); file << printTimeout(options, "pf_set_tcp_finwait","pf_tcp_finwait", "tcp.finwait" ); file << printTimeout(options, "pf_set_tcp_closed","pf_tcp_closed", "tcp.closed" ); file << printTimeout(options, "pf_set_udp_first","pf_udp_first", "udp.first" ); file << printTimeout(options, "pf_set_udp_single","pf_udp_single", "udp.single" ); file << printTimeout(options, "pf_set_udp_multiple","pf_udp_multiple", "udp.multiple" ); file << printTimeout(options, "pf_set_icmp_first","pf_icmp_first", "icmp.first" ); file << printTimeout(options, "pf_set_icmp_error","pf_icmp_error", "icmp.error" ); file << printTimeout(options, "pf_set_other_first","pf_other_first", "other.first" ); file << printTimeout(options, "pf_set_other_single","pf_other_single", "other.single" ); file << printTimeout(options, "pf_set_other_multiple","pf_other_multiple", "other.multiple" ); file << printTimeout(options, "pf_set_adaptive","pf_adaptive_start", "adaptive.start" ); file << printTimeout(options, "pf_set_adaptive","pf_adaptive_end", "adaptive.end"); // check if any interface is marked as 'unprotected' // and generate 'set skip on ' commands if (fw->getStr("version")=="ge_3.7" || // fw->getStr("version")=="4.x") XMLTools::version_compare(fw->getStr("version"), "4.0")>=0) { for (list::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i) { Interface 
*iface=dynamic_cast(*i); assert(iface); if ( iface->isUnprotected()) file << "set skip on " << iface->getName() << endl; } } file << endl; if (prolog_place == "pf_file_after_set") printProlog(file, pre_hook); QStringList scrub_options; string scrub_rule_direction = "in "; if (options->getBool("pf_do_scrub")) { if (XMLTools::version_compare(fw->getStr("version"), "4.6")<0) { if (options->getBool("pf_scrub_reassemble")) scrub_options << "fragment reassemble"; if (options->getBool("pf_scrub_fragm_crop")) scrub_options << "fragment crop"; if (options->getBool("pf_scrub_fragm_drop_ovl")) scrub_options << "fragment drop-ovl"; } if (options->getBool("pf_scrub_reassemble_tcp")) { // "scrub all reassemble tcp" - does not allow direction scrub_options << "reassemble tcp"; scrub_rule_direction = ""; } } if (options->getBool("pf_scrub_no_df")) scrub_options << "no-df "; if (!scrub_options.empty()) { file << "#" << endl; file << "# Scrub rules" << endl; file << "#" << endl; if (XMLTools::version_compare(fw->getStr("version"), "4.6")>=0) { file << "match " << scrub_rule_direction << "all scrub (" << scrub_options.join(" ").toStdString() << ")" << endl; } else { file << "scrub " << scrub_rule_direction << "all " << scrub_options.join(" ").toStdString() << endl; } } scrub_options.clear(); if (options->getBool("pf_scrub_random_id")) scrub_options << "random-id"; if (options->getBool("pf_scrub_use_minttl")) scrub_options << "min-ttl " << options->getStr("pf_scrub_minttl").c_str(); if (options->getBool("pf_scrub_use_maxmss")) scrub_options << "max-mss " << options->getStr("pf_scrub_maxmss").c_str(); if (!scrub_options.empty()) { if (XMLTools::version_compare(fw->getStr("version"), "4.6")>=0) { file << "match out all scrub (" << scrub_options.join(" ").toStdString() << ")" << endl; } else { file << "scrub out all " << scrub_options.join(" ").toStdString() << endl; } } file << endl; if (prolog_place == "pf_file_after_scrub") printProlog(file, pre_hook); //file << 
table_factory->PrintTables(); //file << endl; //if (prolog_place == "pf_file_after_tables") // printProlog(file, pre_hook); } void CompilerDriver_pf::setToolPathVar(Firewall* fw, const string &os, const string &var_path_suffix, OSData::tools osdata_tool_type, Configlet *configlet) { OSData os_data; FWOptions* options = fw->getOptionsObject(); string s; string path; s = options->getStr(os + "_" + var_path_suffix); if (!s.empty()) path = s; else path = os_data.getPathForTool(os, osdata_tool_type); configlet->setVariable(var_path_suffix.c_str(), path.c_str()); } QString CompilerDriver_pf::printPathForAllTools(Firewall* fw, const string &os) { Configlet tools = Configlet(fw, "bsd", "tools"); tools.removeComments(); setToolPathVar(fw, os, "path_ifconfig", OSData::IFCONFIG, &tools); setToolPathVar(fw, os, "path_ipf", OSData::IPF, &tools); setToolPathVar(fw, os, "path_ipnat", OSData::IPNAT, &tools); setToolPathVar(fw, os, "path_ipfw", OSData::IPFW, &tools); setToolPathVar(fw, os, "path_pfctl", OSData::PFCTL, &tools); setToolPathVar(fw, os, "path_sysctl", OSData::SYSCTL, &tools); setToolPathVar(fw, os, "path_logger", OSData::LOGGER, &tools); return tools.expand(); } fwbuilder-5.3.7/src/pflib/CompilerDriver_pf.h000066400000000000000000000117641303637203600211740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __COMPILER_DRIVER_PF_HH__ #define __COMPILER_DRIVER_PF_HH__ #include "CompilerDriver.h" #include "OSConfigurator_bsd.h" #include "TableFactory.h" #include "OSData.h" #include "Configlet.h" #include #include #include #include #include namespace libfwbuilder { class FWObjectDatabase; class Cluster; class ClusterGroup; class Firewall; class RuleSet; class Interface; }; class MapOstringStream : public std::map { public: MapOstringStream() {} ~MapOstringStream(); void clear(); }; class MapTableFactory : public std::map { public: MapTableFactory() {} ~MapTableFactory(); void clear(); }; namespace fwcompiler { class CompilerDriver_pf : public CompilerDriver { QStringList anchor_names; // QString conf_file_name; // Note that in the following maps ruleset name will be // "__main__" for both main Policy and NAT rulesets. // map ruleset_name -> conf file name // std::map conf_files; // map ruleset_name -> remote conf file name // std::map remote_conf_files; // map ruleset_name -> generated script // std::map generated_scripts; MapOstringStream generated_scripts; // map ruleset_name -> TableFactory* // std::map table_factories; MapTableFactory table_factories; void setToolPathVar(libfwbuilder::Firewall* fw, const std::string &os, const std::string &var_path_suffix, OSData::tools osdata_tool_type, Configlet *configlet); QString composeActivationCommand(libfwbuilder::Firewall *fw, const std::string &pfctl_debug, const std::string &anchor_name, const std::string &pf_version, const std::string &remote_file_name); protected: std::string routing_script; QString getConfFileNameForRuleset(const QString &ruleset_name, const QString &conf_file_name, const QString &ext=""); QString getRemoteConfFileName(const QString &ruleset_name, const QString &local_file_name, const QString &remote_fw_file_name, const QString 
&remote_conf_file_name); std::string printTimeout(libfwbuilder::FWOptions* options, const std::string &OnOffOption, const std::string &ValOption, const std::string &pfCode); void printProlog(QTextStream &file, const std::string &prolog_code); void printStaticOptions(QTextStream &file, libfwbuilder::Firewall* fw); virtual QString printPathForAllTools(libfwbuilder::Firewall* fw, const std::string &os); virtual QString printActivationCommands(libfwbuilder::Firewall *fw); virtual QString assembleFwScript(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member, OSConfigurator *ocsnf); virtual QString assembleManifest(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall* fw, bool cluster_member); public: CompilerDriver_pf(libfwbuilder::FWObjectDatabase *db); // create a copy of itself, including objdb virtual CompilerDriver* clone(); virtual QString run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id); }; }; #endif fwbuilder-5.3.7/src/pflib/CompilerDriver_pf_run.cpp000066400000000000000000000730211303637203600224050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #include #include #include #include "Configlet.h" #include "CompilerDriver_pf.h" #include "PolicyCompiler_pf.h" #include "NATCompiler_pf.h" #include "TableFactory.h" #include "Preprocessor_pf.h" #include "RoutingCompiler_openbsd.h" #include "RoutingCompiler_freebsd.h" #include "AutomaticRules_pf.h" #include "OSConfigurator_openbsd.h" #include "OSConfigurator_freebsd.h" #include "OSConfigurator_solaris.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/ClusterGroup.h" #include "fwbuilder/FWException.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Routing.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/XMLTools.h" #include "fwcompiler/Preprocessor.h" #include "fwcompiler/GroupRegistry.h" #include "fwcompiler/exceptions.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; // #define DEBUG_FILE_NAMES 1 QString CompilerDriver_pf::composeActivationCommand(Firewall *fw, const string &pfctl_debug, const string &anchor_name, const string &pf_version, const string &remote_file_name) { FWOptions* options = fw->getOptionsObject(); Configlet act(fw, "pf", options->getBool("generate_rc_conf_file") ? 
"rc_conf_activation" : "activation"); act.removeComments(); act.setVariable("pfctl_debug", pfctl_debug.c_str()); act.setVariable("anchor", !anchor_name.empty()); act.setVariable("anchor_name", anchor_name.c_str()); if (pf_version == "obsd_lt_3.2") { act.setVariable("pf_version_lt_3_2", 1); act.setVariable("pf_version_ge_3_2", 0); } else { act.setVariable("pf_version_lt_3_2", 0); act.setVariable("pf_version_ge_3_2", 1); } act.setVariable("remote_file", remote_file_name.c_str()); return act.expand(); } QString CompilerDriver_pf::printActivationCommands(Firewall *fw) { FWOptions* options = fw->getOptionsObject(); bool debug = options->getBool("debug"); string pfctl_dbg = (debug)?"-v ":""; QString remote_file_name = escapeFileName(remote_file_names[CONF1_FILE]); return composeActivationCommand( fw, pfctl_dbg, "", fw->getStr("version"), remote_file_name.toUtf8().constData()); #if 0 QStringList activation_commands; // skip first item in the list since it is .fw script for(int idx=1; idxgetStr("version"), remote_file_name.toUtf8().constData())); } return activation_commands.join("\n"); #endif } QString CompilerDriver_pf::assembleManifest(Cluster*, Firewall* , bool ) { QString script_buffer; QTextStream script(&script_buffer, QIODevice::WriteOnly); for(int idx=0; idxgetOptionsObject(); Configlet script_skeleton( fw, "pf", options->getBool("generate_rc_conf_file") ? "rc_conf_skeleton" : "script_skeleton"); Configlet top_comment(fw, "pf", options->getBool("generate_rc_conf_file") ? 
"rc_conf_top_comment" : "top_comment"); script_skeleton.setVariable("routing_script", QString::fromUtf8(routing_script.c_str())); assembleFwScriptInternal( cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#", !options->getBool("generate_rc_conf_file")); if (fw->getStr("platform") == "pf") { script_skeleton.setVariable( "pf_flush_states", options->getBool("pf_flush_states")); script_skeleton.setVariable( "pf_version_ge_4_x", // fw->getStr("version")=="4.x"); XMLTools::version_compare(fw->getStr("version"), "4.0")>=0); } else { script_skeleton.setVariable("pf_flush_states", 0); script_skeleton.setVariable("pf_version_ge_4_x", 0); } return script_skeleton.expand(); } QString CompilerDriver_pf::run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id) { Cluster *cluster = NULL; Firewall *fw = NULL; getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw); try { clearReadOnly(fw); // Copy rules from the cluster object populateClusterElements(cluster, fw); commonChecks2(cluster, fw); FWOptions* options = fw->getOptionsObject(); // Note that fwobjectname may be different from the name of the // firewall fw This happens when we compile a member of a cluster current_firewall_name = QString::fromUtf8(fw->getName().c_str()); string firewall_dir = options->getStr("firewall_dir"); if (firewall_dir=="") firewall_dir="/etc/fw"; string prolog_place = options->getStr("prolog_place"); if (prolog_place.empty()) prolog_place = "fw_file"; // old default string pre_hook = fw->getOptionsObject()->getStr("prolog_script"); bool debug = options->getBool("debug"); string shell_dbg = (debug)?"set -x":"" ; string pfctl_dbg = (debug)?"-v ":""; /* * Process firewall options, build OS network configuration script */ std::auto_ptr oscnf; string platform = fw->getStr("platform"); string fw_version = fw->getStr("version"); string host_os = fw->getStr("host_OS"); string family = Resources::os_res[host_os]-> 
Resources::getResourceStr("/FWBuilderResources/Target/family"); if (host_os == "solaris") oscnf = std::auto_ptr(new OSConfigurator_solaris( objdb , fw, false)); if (host_os == "openbsd") oscnf = std::auto_ptr(new OSConfigurator_openbsd( objdb , fw, false)); if (host_os == "freebsd") oscnf = std::auto_ptr(new OSConfigurator_freebsd( objdb , fw, false)); if (oscnf.get()==NULL) { abort("Unrecognized host OS " + host_os + " (family " + family + ")"); return ""; } oscnf->prolog(); QString remote_fw_name = QString::fromUtf8( options->getStr("script_name_on_firewall").c_str()); QString remote_conf_name = QString::fromUtf8( options->getStr("conf_file_name_on_firewall").c_str()); list all_policies = fw->getByType(Policy::TYPENAME); list all_nat = fw->getByType(NAT::TYPENAME); findImportedRuleSets(fw, all_policies); findImportedRuleSets(fw, all_nat); try { AutomaticRules_pf auto_rules(fw, persistent_objects); auto_rules.addSshAccessRule(); auto_rules.addCarpRules(); auto_rules.addPfsyncRules(); auto_rules.addFallbackRule(); } catch (FWException &ex) { abort(ex.toString()); } // assign unique rule ids that later will be used to generate // chain names. 
This should be done after calls to // findImportedRuleSets() // NB: these ids are not really used by compiler for PF assignUniqueRuleIds(all_policies); assignUniqueRuleIds(all_nat); list all_rulesets; all_rulesets.insert( all_rulesets.begin(), all_policies.begin(), all_policies.end()); all_rulesets.insert( all_rulesets.begin(), all_nat.begin(), all_nat.end()); // establish mapping of rule sets to file names so it can be used // for "load anchor" commands QMap rulesets_to_file_names; QMap rulesets_to_remote_file_names; QMap rulesets_to_indexes; QStringList file_extensions; QStringList remote_file_options; anchor_names.clear(); anchor_names << ""; // for fw_file anchor_names << ""; // for main .conf file (both policy and nat top rule sets) // Can not make extension .conf when generating rc.conf file // because the second file also has extension .conf and this // causes conflict if both names are generated using default // algorithm from the fw name // file_extensions << "fw"; file_extensions << "conf"; remote_file_options << "script_name_on_firewall"; remote_file_options << "conf_file_name_on_firewall"; rulesets_to_indexes["__main__"] = CONF1_FILE; int idx = CONF2_FILE; for (list::iterator p=all_rulesets.begin(); p!=all_rulesets.end(); ++p) { RuleSet *rs = RuleSet::cast(*p); QString ruleset_name = QString::fromUtf8(rs->getName().c_str()); if (ruleset_name.endsWith("/*")) { QString err("The name of the %1 ruleset %2" " ends with '/*', assuming it is externally" " controlled and skipping it."); warning(fw, rs, NULL, err.arg(rs->getTypeName().c_str()) .arg(ruleset_name).toStdString()); rs->setBool(".skip_ruleset", true); continue; } if (rs->isTop()) continue; // record index of this ruleset in file_names and remote_file_names if (rulesets_to_indexes.count(ruleset_name) == 0) { anchor_names << ruleset_name; file_extensions << "conf"; remote_file_options << ""; // to make sure it has right number of items rulesets_to_indexes[ruleset_name] = idx; idx++; } } #ifdef 
DEBUG_FILE_NAMES qDebug() << "anchor_names=" << anchor_names; qDebug() << "file_extensions=" << file_extensions; qDebug() << "remote_file_options=" << remote_file_options; #endif // The order of file names in file_names and remote_file_names // is the same as the order of rule sets in all_rulesets determineOutputFileNames(cluster, fw, !cluster_id.empty(), anchor_names, file_extensions, remote_file_options); for (list::iterator p=all_rulesets.begin(); p!=all_rulesets.end(); ++p) { RuleSet *rs = RuleSet::cast(*p); if (rs->getBool(".skip_ruleset")) continue; QString ruleset_name = QString::fromUtf8(rs->getName().c_str()); if (rs->isTop()) ruleset_name = "__main__"; int idx = rulesets_to_indexes[ruleset_name]; rulesets_to_file_names[ruleset_name] = file_names[idx]; rulesets_to_remote_file_names[ruleset_name] = remote_file_names[idx]; } #ifdef DEBUG_FILE_NAMES qDebug() << "file_names=" << file_names; qDebug() << "remote_file_names=" << remote_file_names; qDebug() << "rulesets_to_file_names=" << rulesets_to_file_names; qDebug() << "rulesets_to_remote_file_names=" << rulesets_to_remote_file_names; #endif GroupRegistry group_registry; int routing_rules_count = 0; vector ipv4_6_runs; // command line options -4 and -6 control address family for which // script will be generated. If "-4" is used, only ipv4 part will // be generated. If "-6" is used, only ipv6 part will be generated. // If neither is used, both parts will be done. 
if (options->getStr("ipv4_6_order").empty() || options->getStr("ipv4_6_order") == "ipv4_first") { if (ipv4_run) ipv4_6_runs.push_back(AF_INET); if (ipv6_run) ipv4_6_runs.push_back(AF_INET6); } if (options->getStr("ipv4_6_order") == "ipv6_first") { if (ipv6_run) ipv4_6_runs.push_back(AF_INET6); if (ipv4_run) ipv4_6_runs.push_back(AF_INET); } ostringstream* main_str = new ostringstream(); list redirect_rules_info; for (vector::iterator i=ipv4_6_runs.begin(); i!=ipv4_6_runs.end(); ++i) { int ruleset_address_family = *i; bool is_ipv6 = (ruleset_address_family == AF_INET6); Preprocessor_pf* prep = new Preprocessor_pf(objdb , fw, is_ipv6); prep->setSingleRuleCompileMode(single_rule_id); if (inTestMode()) prep->setTestMode(); if (inEmbeddedMode()) prep->setEmbeddedMode(); prep->compile(); delete prep; } // ################################################################ // First I process NAT rules, both ipv4 and ipv6, then process // ipv4 and ipv6 policy rules. See SF bug 3428992 for (vector::iterator i=ipv4_6_runs.begin(); i!=ipv4_6_runs.end(); ++i) { int ruleset_address_family = *i; bool is_ipv6 = (ruleset_address_family == AF_INET6); for (list::iterator p=all_nat.begin(); p!=all_nat.end(); ++p ) { NAT *nat = NAT::cast(*p); if (!nat->matchingAddressFamily(ruleset_address_family)) continue; if (nat->getBool(".skip_ruleset")) continue; QString ruleset_name = QString::fromUtf8(nat->getName().c_str()); if (nat->isTop()) ruleset_name = "__main__"; if (table_factories.count(ruleset_name) == 0) { table_factories[ruleset_name] = new fwcompiler::TableFactory(this, fw, persistent_objects, &group_registry); } NATCompiler_pf n( objdb, fw, is_ipv6, oscnf.get(), table_factories[ruleset_name] ); n.setSourceRuleSet( nat ); n.setRuleSetName(nat->getName()); n.setPersistentObjects(persistent_objects); n.setGroupRegistry(&group_registry); n.setSingleRuleCompileMode(single_rule_id); n.setDebugLevel( dl ); if (rule_debug_on) n.setDebugRule(drn); n.setVerbose( verbose ); if (inTestMode()) 
n.setTestMode(); if (inEmbeddedMode()) n.setEmbeddedMode(); int nat_rules_count = 0; if ( (nat_rules_count=n.prolog()) > 0 ) { n.compile(); n.epilog(); } have_nat = (have_nat || (nat_rules_count > 0)); if (nat->isTop()) { if (generated_scripts.count(ruleset_name) == 0) generated_scripts[ruleset_name] = main_str; } else { if (generated_scripts.count(ruleset_name) == 0) generated_scripts[ruleset_name] = new ostringstream(); } if (n.getCompiledScriptLength() > 0) { if (n.haveErrorsAndWarnings()) { // store errors and warnings so they will appear on top // of .fw file in addition to the .conf file if (!single_rule_compile_on) { *(generated_scripts[ruleset_name]) << "# NAT compiler errors and warnings:" << endl; *(generated_scripts[ruleset_name]) << n.getErrors("# "); } } *(generated_scripts[ruleset_name]) << n.getCompiledScript(); *(generated_scripts[ruleset_name]) << endl; } all_errors.push_back(n.getErrors("").c_str()); const list lst = n.getRedirRulesInfo(); redirect_rules_info.insert(redirect_rules_info.begin(), lst.begin(), lst.end()); } } // ################################################################ // Process policy rule sets for (vector::iterator i=ipv4_6_runs.begin(); i!=ipv4_6_runs.end(); ++i) { int ruleset_address_family = *i; bool is_ipv6 = (ruleset_address_family == AF_INET6); for (list::iterator p=all_policies.begin(); p!=all_policies.end(); ++p ) { Policy *policy = Policy::cast(*p); if (!policy->matchingAddressFamily(ruleset_address_family)) continue; if (policy->getBool(".skip_ruleset")) continue; QString ruleset_name = QString::fromUtf8(policy->getName().c_str()); if (policy->isTop()) ruleset_name = "__main__"; if (table_factories.count(ruleset_name) == 0) { table_factories[ruleset_name] = new fwcompiler::TableFactory(this, fw, persistent_objects, &group_registry); } PolicyCompiler_pf c( objdb, fw, is_ipv6, oscnf.get(), &redirect_rules_info, table_factories[ruleset_name] ); c.setSourceRuleSet( policy ); c.setRuleSetName(policy->getName()); 
c.setPersistentObjects(persistent_objects); c.setGroupRegistry(&group_registry); c.setSingleRuleCompileMode(single_rule_id); c.setDebugLevel( dl ); if (rule_debug_on) c.setDebugRule(drp); c.setVerbose( verbose ); if (inTestMode()) c.setTestMode(); if (inEmbeddedMode()) c.setEmbeddedMode(); int pf_rules_count = 0; if ( (pf_rules_count=c.prolog()) > 0 ) { c.compile(); c.epilog(); } have_filter = (have_filter || (pf_rules_count > 0)); if (policy->isTop()) { if (generated_scripts.count("__main__") == 0) generated_scripts["__main__"] = main_str; } else { if (generated_scripts.count(ruleset_name) == 0) generated_scripts[ruleset_name] = new ostringstream(); } if (c.getCompiledScriptLength() > 0) { if (c.haveErrorsAndWarnings()) { if (!single_rule_compile_on) { *(generated_scripts[ruleset_name]) << "# Policy compiler errors and warnings:" << endl; *(generated_scripts[ruleset_name]) << c.getErrors("# "); } } *(generated_scripts[ruleset_name]) << c.getCompiledScript(); *(generated_scripts[ruleset_name]) << endl; } all_errors.push_back(c.getErrors("").c_str()); } } std::auto_ptr routing_compiler; if (host_os == "openbsd") routing_compiler = std::auto_ptr( new RoutingCompiler_openbsd(objdb, fw, false, oscnf.get())); if (host_os == "freebsd") routing_compiler = std::auto_ptr( new RoutingCompiler_freebsd(objdb, fw, false, oscnf.get())); if (routing_compiler.get() == NULL) { abort("Unrecognized host OS " + host_os + " (family " + family + ")"); return ""; } RuleSet *routing = RuleSet::cast(fw->getFirstByType(Routing::TYPENAME)); if (routing) { routing_compiler->setSourceRuleSet(routing); routing_compiler->setRuleSetName(routing->getName()); routing_compiler->setPersistentObjects(persistent_objects); routing_compiler->setSingleRuleCompileMode(single_rule_id); routing_compiler->setDebugLevel( dl ); if (rule_debug_on) routing_compiler->setDebugRule(drp); routing_compiler->setVerbose( verbose ); if (inTestMode()) routing_compiler->setTestMode(); if (inEmbeddedMode()) 
routing_compiler->setEmbeddedMode(); if ( (routing_rules_count=routing_compiler->prolog()) > 0 ) { routing_compiler->compile(); routing_compiler->epilog(); } if (routing_compiler->haveErrorsAndWarnings()) all_errors.push_back(routing_compiler->getErrors("").c_str()); routing_script += routing_compiler->getCompiledScript(); } /* * compilers detach persistent objects when they finish, this * means at this point library persistent_objects is not part * of any object tree. */ objdb->reparent(persistent_objects); if (haveErrorsAndWarnings()) { all_errors.push_front(getErrors("").c_str()); } if (single_rule_compile_on) { // in single rule compile mode just return the result QString buffer; QTextStream pf_str(&buffer); for (map::iterator fi=generated_scripts.begin(); fi!=generated_scripts.end(); fi++) { QString ruleset_name = fi->first; ostringstream *strm = fi->second; pf_str << table_factories[ruleset_name]->PrintTables(); pf_str << QString::fromUtf8(strm->str().c_str()); pf_str << QString::fromUtf8(routing_script.c_str()); } // clear() calls destructors of all elements in the container table_factories.clear(); generated_scripts.clear(); return formSingleRuleCompileOutput(buffer); } /* add commands to load anchors to the bottom of the main .conf file */ QMap::iterator it; for (it=rulesets_to_remote_file_names.begin(); it!=rulesets_to_remote_file_names.end(); ++it) { QString ruleset_name = it.key(); if (ruleset_name == "__main__") continue; QString remote_file_name = it.value(); ostringstream *ostr = generated_scripts["__main__"]; // note that ostr can be NULL if the firewall we are // trying to compile has no top-level rule sets if (ostr == NULL) continue; *ostr << QString("load anchor %1 from \"%2\"") .arg(ruleset_name).arg(remote_file_name).toUtf8().constData() << endl; } /* * now write generated scripts to files */ idx = CONF1_FILE; for (map::iterator fi=generated_scripts.begin(); fi!=generated_scripts.end(); fi++) { QString ruleset_name = fi->first; QString 
file_name = rulesets_to_file_names[ruleset_name]; // file_names[idx]; ostringstream *strm = fi->second; if (strm==NULL) continue; if (ruleset_name.contains("/*")) continue; file_name = getAbsOutputFileName(file_name); info("Output file name: " + file_name.toStdString()); QFile pf_file(file_name); if (pf_file.open(QIODevice::WriteOnly)) { QTextStream pf_str(&pf_file); if (ruleset_name == "__main__") { printStaticOptions(pf_str, fw); // attach persistent_tables subtree inside TableFactory object // to the object tree table_factories[ruleset_name]->init(objdb); pf_str << table_factories[ruleset_name]->PrintTables(); if (prolog_place == "pf_file_after_tables") printProlog(pf_str, pre_hook); } else { pf_str << table_factories[ruleset_name]->PrintTables(); } pf_str << QString::fromUtf8(strm->str().c_str()); pf_file.close(); } else { // clear() calls destructors of all elements in the container table_factories.clear(); generated_scripts.clear(); QString err("Failed to open file %1 for writing: %2; " "Current dir: %3"); abort(err.arg(pf_file.fileName()) .arg(pf_file.error()) .arg(QDir::current().path()).toStdString()); } idx++; } /* * assemble the script and then perhaps post-process it if needed */ QString script_buffer = assembleFwScript( cluster, fw, !cluster_id.empty(), oscnf.get()); // clear() calls destructors of all elements in the container table_factories.clear(); generated_scripts.clear(); file_names[FW_FILE] = getAbsOutputFileName(file_names[FW_FILE]); info("Output file name: " + file_names[FW_FILE].toStdString()); QFile fw_file(file_names[FW_FILE]); if (fw_file.open(QIODevice::WriteOnly)) { QTextStream fw_str(&fw_file); fw_str << script_buffer; fw_file.close(); fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup | QFile::ReadOther | QFile::ExeOwner | QFile::ExeGroup | QFile::ExeOther ); info(" Compiled successfully"); } else { QString err(" Failed to open file %1 for writing: %2; Current dir: %3"); abort(err.arg(fw_file.fileName()) 
.arg(fw_file.error()).arg(QDir::current().path()).toStdString()); } if (!all_errors.isEmpty()) status = BaseCompiler::FWCOMPILER_WARNING; } catch (FWException &ex) { status = BaseCompiler::FWCOMPILER_ERROR; return QString::fromUtf8(ex.toString().c_str()); } return ""; } MapOstringStream::~MapOstringStream() { clear(); } void MapOstringStream::clear() { std::map::iterator it; for (it=begin(); it!=end(); ++it) delete it->second; std::map::clear(); } MapTableFactory::~MapTableFactory() { clear(); } void MapTableFactory::clear() { std::map::iterator it; for (it=begin(); it!=end(); ++it) delete it->second; std::map::clear(); } fwbuilder-5.3.7/src/pflib/NATCompiler_ipf.cpp000066400000000000000000000516151303637203600210660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NATCompiler_ipf.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Host.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Network.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string NATCompiler_ipf::myPlatformName() { return "ipf"; } int NATCompiler_ipf::prolog() { int n=NATCompiler_pf::prolog(); return n; } bool NATCompiler_ipf::VerifyRules::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElementOSrc *osrc=rule->getOSrc(); assert(osrc); RuleElementODst *odst=rule->getODst(); assert(odst); RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); RuleElementTSrc *tsrc=rule->getTSrc(); assert(tsrc); RuleElementTDst *tdst=rule->getTDst(); assert(tdst); RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv); if (rule->getRuleType()==NATRule::DNAT && odst->size()!=1) compiler->abort(rule, "There should be no more than one object in " "original destination"); // if (rule->getRuleType()==NATRule::SNAT && tsrc->size()!=1) // compiler->abort(rule, "There should be no more than one object in translated source in the rule "+rule->getLabel()); if (rule->getRuleType()==NATRule::DNAT && osrv->isAny()) compiler->abort(rule, "Service must be specified for destination translation rule"); if (tsrv->size()!=1) compiler->abort(rule, "Translated service should be 'Original' or should " "contain single object"); FWObject *o=tsrv->front(); if 
(FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); if ( Group::cast(o)!=NULL) compiler->abort(rule, "Can not use group in translated service"); if (rule->getRuleType()==NATRule::SNetnat && !tsrc->isAny() ) { Network *a1=Network::cast(compiler->getFirstOSrc(rule)); Network *a2=Network::cast(compiler->getFirstTSrc(rule)); if ( a1==NULL || a2==NULL || a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() ) compiler->abort(rule, "Original and translated source should both " "be networks of the same size"); } if (rule->getRuleType()==NATRule::DNetnat && !tsrc->isAny() ) { Network *a1=Network::cast(compiler->getFirstODst(rule)); Network *a2=Network::cast(compiler->getFirstTDst(rule)); if ( a1==NULL || a2==NULL || a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() ) compiler->abort(rule, "Original and translated destination should " "both be networks of the same size"); } if (osrc->getNeg() || odst->getNeg() || osrv->getNeg()) compiler->abort(rule, "Negation in NAT rules is not supported"); return true; } bool NATCompiler_ipf::ExpandPortRange::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; Service *osrv=compiler->getFirstOSrv(rule); if (UDPService::isA(osrv) || TCPService::isA(osrv)) { int rs = TCPUDPService::cast(osrv)->getDstRangeStart(); int re = TCPUDPService::cast(osrv)->getDstRangeEnd(); int numPorts = re-rs+1; if (numPorts==1) { tmp_queue.push_back(rule); return true; } if (numPorts > 20) { ostringstream ostr; ostr << string("Expanding port range ") << osrv->getName() << " creates " << numPorts << " rules"; compiler->warning(rule, ostr.str()); } string newSrvType = TCPService::TYPENAME; if (UDPService::isA(osrv)) newSrvType = UDPService::TYPENAME; for (int p=rs; p<=re; ++p) { NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); FWObject *newSrv = compiler->dbcopy->create(newSrvType); newSrv->duplicate(osrv,true); TCPUDPService::cast(newSrv)->setDstRangeStart(p); 
TCPUDPService::cast(newSrv)->setDstRangeEnd(p); compiler->persistent_objects->add(newSrv,false); compiler->dbcopy->addToIndex(newSrv); RuleElementOSrv *nosrv = r->getOSrv(); nosrv->clearChildren(); nosrv->addRef(newSrv); compiler->temp_ruleset->add(r); tmp_queue.push_back(r); } } else { tmp_queue.push_back(rule); } return true; } bool NATCompiler_ipf::AssignInterface::processNext() { NATRule *rule = getNext(); if (rule==NULL) return false; RuleElementItfOutb *itf_re = rule->getItfOutb(); Address *a = NULL; switch (rule->getRuleType() ) { case NATRule::Continue: case NATRule::NONAT: { /* use heuristic to assign nonat rule to interfaces */ Interface *iface; a=compiler->getFirstODst(rule); iface=compiler->findInterfaceFor( compiler->getFirstODst(rule) , compiler->fw); if (iface!=NULL && !iface->isLoopback()) { if ( ! itf_re->hasRef(iface)) itf_re->addRef(iface); // rule->setInterfaceId( iface->getId() ); tmp_queue.push_back( rule ); return true; } /* slip into Redirect case to assign rule to all interfaces */ } case NATRule::Redirect: case NATRule::DNAT: case NATRule::DNetnat: case NATRule::LB: { /* * we do not have network zones here, so our ability to pick right * interfaces is rather limited. First, we try to find interface that * is connected to the subnet OSrc belongs to. If that does not work, * we assign rule to all interfaces, except loopback */ a = NULL; if ( ! rule->getOSrc()->isAny() ) a = compiler->getFirstOSrc(rule); if ( a==NULL && ! rule->getODst()->isAny() ) a = compiler->getFirstODst(rule); if (a!=NULL) { Interface *iface; iface = compiler->findInterfaceFor(a,compiler->fw); if (iface!=NULL && !iface->isLoopback()) { if ( ! 
itf_re->hasRef(iface)) itf_re->addRef(iface); // rule->setInterfaceId( iface->getId() ); tmp_queue.push_back(rule); return true; } } FWObjectTypedChildIterator j=compiler->fw->findByType(Interface::TYPENAME); for ( ; j!=j.end(); ++j ) { Interface *iface = Interface::cast(*j); assert(iface); if ( iface->isUnnumbered() || iface->isBridgePort() || iface->isLoopback()) continue; NATRule *r = compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementItfOutb *itf_re = r->getItfOutb(); if ( ! itf_re->hasRef(iface)) itf_re->addRef(iface); //r->setInterfaceId( iface->getId() ); tmp_queue.push_back( r ); } return true; } case NATRule::SNAT: case NATRule::SNetnat: { a=compiler->getFirstTSrc(rule); if ( (Interface::isA(a) || IPv4::isA(a)) && a->isChildOf(compiler->fw)) { FWObject *p = a; while ( ! Interface::isA(p) ) p = p->getParent(); if ( ! itf_re->hasRef(p)) itf_re->addRef(p); // rule->setInterfaceId( p->getId() ); tmp_queue.push_back(rule); return true; } /* if we appear here, then TSrc is not an interface or address of an * interface. */ int n=0; list l2=compiler->fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=Interface::cast(*i); assert(iface); if (iface->isLoopback() || iface->isUnnumbered() || iface->isBridgePort()) continue; NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); RuleElementItfOutb *itf_re = r->getItfOutb(); if ( ! itf_re->hasRef(iface)) itf_re->addRef(iface); // r->setInterfaceId( iface->getId() ); tmp_queue.push_back(r); n++; } if (n==0) tmp_queue.push_back(rule); return true; } default: ; } compiler->abort(rule, "Could not assign NAT rule to the interface. 
" "Perhaps one of the objects has address which does not " "belong to any subnet the firewall has interface on"); return true; } bool NATCompiler_ipf::prepareForLB::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; if (rule->getRuleType()==NATRule::LB ) { RuleElementTDst *tdst=rule->getTDst(); assert(tdst); if (tdst->size()>2) { std::vector cl; for(list::iterator i=tdst->begin(); i!=tdst->end(); ++i) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); cl.push_back(o); if (cl.size()==2) { NATRule *r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementTDst *notdst=r->getTDst(); notdst->clearChildren(); notdst->addRef( cl[0] ); notdst->addRef( cl[1] ); cl.clear(); tmp_queue.push_back( r ); } } if (cl.size()!=0) { NATRule *r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementTDst *notdst=r->getTDst(); notdst->clearChildren(); notdst->addRef( cl[0] ); // notdst->addRef( cl[1] ); cl.clear(); tmp_queue.push_back( r ); } } else tmp_queue.push_back(rule); } else tmp_queue.push_back(rule); return true; } /* * by now the rule should have already been assigned to interface. * * TODO: We should also take into account a situation when interface has * multiple addresses... 
*/ bool NATCompiler_ipf::RedirectRules::processNext() { NATRule *rule = getNext(); if (rule==NULL) return false; RuleElementItfOutb *itf_re = rule->getItfOutb(); Interface *rule_iface = Interface::cast(FWObjectReference::getObject(itf_re->front())); // Interface::cast( rule->getRoot()->getById(rule->getInterfaceId() ,true) ); tmp_queue.push_back(rule); RuleElementTDst *rel=rule->getTDst(); assert(rel); Address *otdst=compiler->getFirstTDst(rule); if (rule->getRuleType()==NATRule::Redirect && rule_iface!=NULL && otdst->getId()==compiler->fw->getId()) { rel->clearChildren(); rel->addRef( rule_iface ); } return true; } bool NATCompiler_ipf::appProxy::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; bool ftp_proxy = compiler->getCachedFwOpt()->getBool("ipf_nat_ftp_proxy"); bool rcmd_proxy = compiler->getCachedFwOpt()->getBool("ipf_nat_rcmd_proxy"); bool krcmd_proxy = compiler->getCachedFwOpt()->getBool("ipf_nat_krcmd_proxy"); bool ekshell_proxy = compiler->getCachedFwOpt()->getBool("ipf_nat_ekshell_proxy"); bool raudio_proxy = compiler->getCachedFwOpt()->getBool("ipf_nat_raudio_proxy"); bool h323_proxy = compiler->getCachedFwOpt()->getBool("ipf_nat_h323_proxy"); bool ipsec_proxy = compiler->getCachedFwOpt()->getBool("ipf_nat_ipsec_proxy"); bool pptp_proxy = compiler->getCachedFwOpt()->getBool("ipf_nat_pptp_proxy"); bool irc_proxy = compiler->getCachedFwOpt()->getBool("ipf_nat_irc_proxy"); QString ipsec_proxy_str = QString("proxy port %1 ipsec/udp ").arg(ISAKMP_PORT); QString ftp_proxy_str = QString("proxy port %1 ftp/tcp ").arg(FTP_PORT); QString rcmd_proxy_str = QString("proxy port %1 rcmd/tcp ").arg(RCMD_PORT); QString krcmd_proxy_str = QString("proxy port %1 rcmd/tcp ").arg(KRCMD_PORT); QString ekshell_proxy_str = QString("proxy port %1 rcmd/tcp ").arg(EKSHELL_PORT); QString raudio_proxy_str = QString("proxy port %1 raudio/tcp ").arg(RAUDIO_PORT); QString h323_proxy_str = QString("proxy port %1 h323/tcp ").arg(H323_PORT); QString pptp_proxy_str 
= QString("proxy port %1 pptp/tcp ").arg(PPTP_PORT); QString irc_proxy_str = QString("proxy port %1 irc/tcp ").arg(IRC_PORT); if (rule->getRuleType()==NATRule::SNAT || rule->getRuleType()==NATRule::NONAT) { Service *osrv = compiler->getFirstOSrv(rule); if (UDPService::isA(osrv)) { UDPService *s=UDPService::cast(osrv); if (ipsec_proxy && s->getDstRangeStart()==ISAKMP_PORT && s->getDstRangeEnd()==ISAKMP_PORT) rule->setStr("nat_rule_proxy", ipsec_proxy_str.toStdString()); } if (TCPService::isA(osrv)) { TCPService *s = TCPService::cast(osrv); int range_start = s->getDstRangeStart(); int range_end = s->getDstRangeEnd(); if (ftp_proxy && range_start==FTP_PORT && range_end==FTP_PORT) rule->setStr("nat_rule_proxy", ftp_proxy_str.toStdString()); if (rcmd_proxy && range_start==RCMD_PORT && range_end==RCMD_PORT) rule->setStr("nat_rule_proxy", rcmd_proxy_str.toStdString()); if (krcmd_proxy && range_start==KRCMD_PORT && range_end==KRCMD_PORT ) rule->setStr("nat_rule_proxy", krcmd_proxy_str.toStdString()); if (ekshell_proxy && range_start==EKSHELL_PORT && range_end==EKSHELL_PORT ) rule->setStr("nat_rule_proxy", ekshell_proxy_str.toStdString()); if (raudio_proxy && range_start==RAUDIO_PORT && range_end==RAUDIO_PORT ) rule->setStr("nat_rule_proxy", raudio_proxy_str.toStdString()); if (h323_proxy && range_start==H323_PORT && range_end==H323_PORT ) rule->setStr("nat_rule_proxy", h323_proxy_str.toStdString()); if (pptp_proxy && range_start==PPTP_PORT && range_end==PPTP_PORT ) rule->setStr("nat_rule_proxy", pptp_proxy_str.toStdString()); if (irc_proxy && range_start==IRC_PORT && range_end==IRC_PORT ) rule->setStr("nat_rule_proxy", irc_proxy_str.toStdString()); } } tmp_queue.push_back(rule); return true; } bool NATCompiler_ipf::expandAnyService::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrv *srv=rule->getOSrv(); if (rule->getRuleType()==NATRule::SNAT && srv->isAny()) { NATRule *r= compiler->dbcopy->createNATRule(); 
compiler->temp_ruleset->add(r); r->duplicate(rule); r->setBool("needs_portmap",true); tmp_queue.push_back(r); } tmp_queue.push_back(rule); return true; } bool NATCompiler_ipf::processMultiAddressObjectsInRE::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) ); for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) compiler->abort( rule, "Run-time AddressTable objects are not supported."); } tmp_queue.push_back(rule); return true; } void NATCompiler_ipf::compile() { bool manage_virtual_addr=getCachedFwOpt()->getBool("manage_virtual_addr"); info(" Compiling NAT rules for " + fw->getName()); Compiler::compile(); add( new Begin()); add( new printTotalNumberOfRules() ); add( new singleRuleFilter()); add( new recursiveGroupsInOSrc( "check for recursive groups in OSRC" ) ); add( new recursiveGroupsInODst( "check for recursive groups in ODST" ) ); add( new recursiveGroupsInOSrv( "check for recursive groups in OSRV" ) ); add( new recursiveGroupsInTSrc( "check for recursive groups in TSRC" ) ); add( new recursiveGroupsInTDst( "check for recursive groups in TDST" ) ); add( new recursiveGroupsInTSrv( "check for recursive groups in TSRV" ) ); add( new emptyGroupsInOSrc( "check for empty groups in OSRC" ) ); add( new emptyGroupsInODst( "check for empty groups in ODST" ) ); add( new emptyGroupsInOSrv( "check for empty groups in OSRV" ) ); add( new emptyGroupsInTSrc( "check for empty groups in TSRC" ) ); add( new emptyGroupsInTDst( "check for empty groups in TDST" ) ); add( new emptyGroupsInTSrv( "check for empty groups in TSRV" ) ); add( new ExpandGroups( "expand groups" ) ); add( new eliminateDuplicatesInOSRC( "eliminate duplicates in OSRC" ) ); add( new 
eliminateDuplicatesInODST( "eliminate duplicates in ODST" ) ); add( new eliminateDuplicatesInOSRV( "eliminate duplicates in OSRV" ) ); add( new swapMultiAddressObjectsInOSrc(" swap MultiAddress -> MultiAddressRunTime in OSrc") ); add( new swapMultiAddressObjectsInODst(" swap MultiAddress -> MultiAddressRunTime in ODst") ); add( new processMultiAddressObjectsInOSrc("process MultiAddress objects in OSrc") ); add( new processMultiAddressObjectsInODst("process MultiAddress objects in ODst") ); add( new splitOnOSrv( "split rule on original service" ) ); add( new ExpandPortRange("expand port ranges") ); add( new fillTranslatedSrv( "fill translated service" ) ); add( new NATRuleType( "determine NAT rule types" ) ); add( new VerifyRules( "verify NAT rules" ) ); add( new splitODstForSNAT("split rule if objects in ODst belong to different subnets" ) ); add( new ReplaceFirewallObjectsODst( "replace references to the firewall in ODst" ) ); add( new ReplaceFirewallObjectsTSrc( "replace references to the firewall in TSrc" ) ); if ( manage_virtual_addr ) { add( new addVirtualAddress( "add virtual addresses for NAT rules" ) ); } add( new ExpandMultipleAddresses( "expand multiple addresses" ) ); add( new checkForUnnumbered( "check for unnumbered interfaces" ) ); add( new checkForDynamicInterfacesOfOtherObjects( "check for dynamic interfaces of other hosts and firewalls" ) ); add( new ExpandAddressRanges( "expand address range objects" ) ); add( new ConvertToAtomicForOriginal( "convert to atomic rules in OSrc and ODst" ) ); add( new ConvertToAtomicForTSrc( "convert to atomic rules in TSrc" ) ); add( new prepareForLB( "prepare for load balancing rules" ) ); add( new appProxy( "add application proxy code to map rules" ) ); add( new expandAnyService("split NAT rules with ANY service" ) ); add( new AssignInterface( "assign rules to interfaces" ) ); add( new RedirectRules( "replace objects in TDst for 'Redirect' rules" ) ); add( new checkForObjectsWithErrors( "check if we have objects 
with errors in rule elements")); add( new PrintRule("generate ipfilter code") ); add( new simplePrintProgress() ); runRuleProcessors(); } void NATCompiler_ipf::epilog() { } fwbuilder-5.3.7/src/pflib/NATCompiler_ipf.h000066400000000000000000000136721303637203600205340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NATCOMPILER_IPF_HH #define __NATCOMPILER_IPF_HH #include #include "NATCompiler_pf.h" #include #define FTP_PORT 21 #define RCMD_PORT 514 #define KRCMD_PORT 544 #define EKSHELL_PORT 2106 #define H323_PORT 1720 #define RAUDIO_PORT 5050 #define ISAKMP_PORT 500 #define PPTP_PORT 1723 #define IRC_PORT 6667 namespace fwcompiler { class NATCompiler_ipf : public NATCompiler_pf { protected: virtual std::string myPlatformName(); /** * verifies correctness of the NAT rules (some checks are the * same as in pf, some are specific for ipf) */ DECLARE_NAT_RULE_PROCESSOR(VerifyRules); /** * splits NAT rules if user ordered using * application proxy * code for "map" rules */ DECLARE_NAT_RULE_PROCESSOR(appProxy); /** * splits rules with service 'any' because they need "proxy * tcp/udp auto" */ DECLARE_NAT_RULE_PROCESSOR(expandAnyService); /** * ipf nat and rdr rules do not support port tanges; need to * generate a separate 
rule for each port of the range. */ DECLARE_NAT_RULE_PROCESSOR(ExpandPortRange); /** * LB-type rules allow no more than two destination hosts on * the right side of '->'. This processor splits NAT rule if * necessary to satisfy this rule */ DECLARE_NAT_RULE_PROCESSOR(prepareForLB); /** * assigns NAT rules to interfaces */ DECLARE_NAT_RULE_PROCESSOR(AssignInterface); /** * replaces object in tdst with reference to firewall's * interface in 'Redirect' rules */ DECLARE_NAT_RULE_PROCESSOR(RedirectRules); friend class fwcompiler::NATCompiler_ipf::RedirectRules; /** * eliminates duplicate objects in SRC. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInOSRC : public eliminateDuplicatesInRE { public: eliminateDuplicatesInOSRC(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementOSrc::TYPENAME) {} }; /** * eliminates duplicate objects in DST. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInODST : public eliminateDuplicatesInRE { public: eliminateDuplicatesInODST(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementODst::TYPENAME) {} }; /** * eliminates duplicate objects in SRV. 
Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInOSRV : public eliminateDuplicatesInRE { public: eliminateDuplicatesInOSRV(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementOSrv::TYPENAME) {} }; /** * Placeholder for MultiAddressRunTime objects that are not * supported for ipf */ class processMultiAddressObjectsInRE : public NATRuleProcessor { std::string re_type; public: processMultiAddressObjectsInRE(const std::string &name, const std::string &t) : NATRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; class processMultiAddressObjectsInOSrc : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInOSrc(const std::string &n) : processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementOSrc::TYPENAME) {} }; class processMultiAddressObjectsInODst : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInODst(const std::string &n) : processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementODst::TYPENAME) {} }; /** * prints single policy rule, assuming all groups have been * expanded, so source, destination and service hold exactly * one object each, and this object is not a group. Negation * should also have been taken care of before this method is * called. 
*/ class PrintRule : public NATCompiler_pf::PrintRule { protected: virtual void _printProtocol(libfwbuilder::Service *srv); virtual void _printAddr_L(libfwbuilder::Address *o, bool print_netmask=true); virtual void _printAddr_R(libfwbuilder::Address *o, bool print_netmask=true); virtual void _printAddr_R_LB(libfwbuilder::RuleElementTDst *re); virtual void _printPort(libfwbuilder::Service *srv,bool eq); public: PrintRule(const std::string &name); virtual bool processNext(); }; public: NATCompiler_ipf(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : NATCompiler_pf(_db, fw, ipv6_policy, _oscnf) {} virtual int prolog(); virtual void compile(); virtual void epilog(); }; } #endif fwbuilder-5.3.7/src/pflib/NATCompiler_ipf_writers.cpp000066400000000000000000000227401303637203600226420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NATCompiler_ipf.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/NAT.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/DNSName.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ void NATCompiler_ipf::PrintRule::_printAddr_L(Address *o, bool print_netmask) { FWOptions* options=compiler->fw->getOptionsObject(); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL) { if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME) { compiler->output << atrt->getSourceName() << " "; return; } // at this time we only support two types of MultiAddress // objects: AddressTable and DNSName. Both should be converted // to MultiAddressRunTime at this point. If we get some other // kind of MultiAddressRunTime object, we do not know what to do // with it so we stop. assert(atrt==NULL); } if (Interface::cast(o)!=NULL && Interface::cast(o)->isDyn()) { if (options->getBool("dynAddr")) compiler->output << "(" << o->getName() << ") "; else compiler->output << "any "; return; } const InetAddr *addr = o->getAddressPtr(); if (addr) { InetAddr mask = *(o->getNetmaskPtr()); if (Interface::cast(o)!=NULL && ! 
Interface::cast(o)->isDyn()) mask = InetAddr(InetAddr::getAllOnes()); if (o->dimension()==1) mask = InetAddr(InetAddr::getAllOnes()); if (addr->isAny() && mask.isAny()) { compiler->output << "any "; } else { compiler->output << addr->toString(); if (print_netmask) compiler->output << "/" << mask.getLength(); compiler->output << " "; } } } void NATCompiler_ipf::PrintRule::_printAddr_R(Address *o, bool print_netmask) { const InetAddr *addr = o->getAddressPtr(); // check for the case when dynamic interface is used in TSrc (or when // interface in TSrc just has no IP address ) if (Interface::cast(o) != NULL && (addr==NULL || addr->isAny())) { compiler->output << "0/32 "; return; } if (addr) { InetAddr mask = *(o->getNetmaskPtr)(); if (Interface::cast(o) != NULL) mask = InetAddr(InetAddr::getAllOnes()); if (o->dimension()==1) mask = InetAddr(InetAddr::getAllOnes()); if (addr->isAny() && print_netmask && mask.isHostMask()) { compiler->output << "0/32 "; } else { compiler->output << addr->toString(); if (print_netmask) compiler->output << "/" << mask.getLength(); compiler->output << " "; } } } void NATCompiler_ipf::PrintRule::_printAddr_R_LB(RuleElementTDst *tdst) { bool first=true; for(list::iterator i=tdst->begin(); i!=tdst->end(); ++i) { FWObject *o= *i; FWObject *obj = NULL; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Address *a=Address::cast(obj); const InetAddr *addr = a->getAddressPtr(); if (!first) compiler->output << ","; compiler->output << addr->toString(); first=false; } compiler->output << " "; } void NATCompiler_ipf::PrintRule::_printProtocol(Service *srv) { if ( CustomService::isA(srv) ) { // CustomService returns protocol name starting with v3.0.4 // However CustomService can return protocol name "any", which we should // just skip. 
string pn = srv->getProtocolName(); if (pn == "any") return; } compiler->output << srv->getProtocolName() << " "; } /* * Note: ipfilter permits "port 0" to the right of "->", in fact, this is useful * and recommended construct for rules that should match "any tcp" or "any udp". * If this method is called to print port spec. for the part of the rule left * of "->", then parameter eq is true, otherwise it is false. We permit port 0 * only for the right part of the rule, that is, when eq is false */ void NATCompiler_ipf::PrintRule::_printPort(Service *srv,bool eq) { if (TCPService::isA(srv) || UDPService::isA(srv)) { int drs=TCPUDPService::cast(srv)->getDstRangeStart(); if (!eq || drs!=0) { compiler->output << "port "; if (eq) compiler->output << "= "; compiler->output<< drs << " "; } } } NATCompiler_ipf::PrintRule::PrintRule(const std::string &name) : NATCompiler_pf::PrintRule(name) { } bool NATCompiler_ipf::PrintRule::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); compiler->output << compiler->printComment(rule, current_rule_label, "#"); Address *osrc=compiler->getFirstOSrc(rule); assert(osrc); Address *odst=compiler->getFirstODst(rule); assert(odst); Service *osrv=compiler->getFirstOSrv(rule); assert(osrv); Address *tsrc=compiler->getFirstTSrc(rule); assert(tsrc); Address *tdst=compiler->getFirstTDst(rule); assert(tdst); Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv); string iface_name; RuleElementItfOutb *itf_re = rule->getItfOutb(); assert(itf_re!=NULL); if ( ! 
itf_re->isAny()) iface_name = FWObjectReference::getObject(itf_re->front())->getName(); // string iface_name = rule->getInterfaceStr(); if (rule->getRuleType()==NATRule::NONAT) { compiler->output << "map " << iface_name << " "; compiler->output << "from "; _printAddr_L( osrc ); compiler->output << "to "; _printAddr_L( odst ); if ( rule->getStr("nat_rule_proxy")=="") _printPort(osrv,true); compiler->output << "-> 0/0"; // _printAddr_R( tsrc ); compiler->output << " "; if ( rule->getStr("nat_rule_proxy")!="") compiler->output << rule->getStr("nat_rule_proxy"); compiler->output << endl; } if (rule->getRuleType()==NATRule::SNAT) { compiler->output << "map " << iface_name << " "; compiler->output << "from "; _printAddr_L( osrc ); compiler->output << "to "; _printAddr_L( odst ); if ( rule->getStr("nat_rule_proxy")=="") _printPort(osrv,true); compiler->output << "-> "; _printAddr_R( tsrc ); compiler->output << " "; if ( rule->getStr("nat_rule_proxy")!="") compiler->output << rule->getStr("nat_rule_proxy"); else { if (osrv->getTypeName()==TCPService::TYPENAME || osrv->getTypeName()==UDPService::TYPENAME || rule->getBool("needs_portmap") ) compiler->output << " portmap tcp/udp auto "; } compiler->output << endl; } if (rule->getRuleType()==NATRule::DNAT) { compiler->output << "rdr " << iface_name << " "; compiler->output << "from "; _printAddr_L( osrc , true ); compiler->output << "to "; _printAddr_L( odst , true ); _printPort(osrv,true); compiler->output << "-> "; _printAddr_R( tdst , false ); _printPort(tsrv,false); if ( ! osrv->isAny()) _printProtocol(osrv); compiler->output << endl; } if (rule->getRuleType()==NATRule::LB) { compiler->output << "rdr " << iface_name << " "; compiler->output << "from "; _printAddr_L( osrc , true ); compiler->output << "to "; _printAddr_L( odst , true ); _printPort(osrv,true); compiler->output << "-> "; _printAddr_R_LB( rule->getTDst() ); _printPort(tsrv,false); if ( ! 
osrv->isAny()) _printProtocol(osrv); compiler->output << " round-robin "; compiler->output << endl; } if (rule->getRuleType()==NATRule::Redirect) { compiler->output << "rdr " << iface_name << " "; compiler->output << "from "; _printAddr_L( osrc , true ); compiler->output << "to "; _printAddr_L( odst , true ); _printPort(osrv,true); compiler->output << "-> "; _printAddr_R( tdst , false ); _printPort(tsrv,false); _printProtocol(osrv); compiler->output << endl; } return true; } fwbuilder-5.3.7/src/pflib/NATCompiler_ipfw.cpp000066400000000000000000000035161303637203600212520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NATCompiler_ipfw.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/NAT.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Firewall.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string NATCompiler_ipfw::myPlatformName() { return "ipfw"; } int NATCompiler_ipfw::prolog() { int n=NATCompiler_pf::prolog(); return n; } void NATCompiler_ipfw::compile() { info(" Compiling NAT rules for " + fw->getName()); Compiler::compile(); add( new Begin()); add( new printTotalNumberOfRules() ); add( new simplePrintProgress() ); runRuleProcessors(); } void NATCompiler_ipfw::epilog() { } fwbuilder-5.3.7/src/pflib/NATCompiler_ipfw.h000066400000000000000000000031451303637203600207150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NATCOMPILER_IPFW_HH #define __NATCOMPILER_IPFW_HH #include #include "NATCompiler_pf.h" #include #define FTP_PORT 21 #define RCMD_PORT 514 #define H323_PORT 1720 #define RAUDIO_PORT 5050 #define ISAKMP_PORT 500 namespace fwcompiler { class NATCompiler_ipfw : public NATCompiler_pf { protected: virtual std::string myPlatformName(); public: NATCompiler_ipfw(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : NATCompiler_pf(_db, fw, ipv6_policy, _oscnf) {} virtual int prolog(); virtual void compile(); virtual void epilog(); }; } #endif fwbuilder-5.3.7/src/pflib/NATCompiler_ipfw_writers.cpp000066400000000000000000000025421303637203600230270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NATCompiler_ipfw.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/NAT.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; fwbuilder-5.3.7/src/pflib/NATCompiler_pf.cpp000066400000000000000000001302561303637203600207140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "NATCompiler_pf.h" #include "fwcompiler/OSConfigurator.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Host.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/NAT.h" #include "fwbuilder/Network.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string NATCompiler_pf::myPlatformName() { return "pf"; } int NATCompiler_pf::prolog() { int n=NATCompiler::prolog(); if ( n>0 ) { list l2=fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); if ( iface->isDyn()) { iface->setBool("use_var_address",true); /* dynamic interface should not have IPv4 child object(s). 
We issue a * warning if it does in a policy compiler, there is no need to repeat * it here */ list l3=iface->getByType(IPv4::TYPENAME); for (list::iterator j=l3.begin(); j!=l3.end(); ++j) iface->remove(*j); } } } /* pseudo-host with ip address 127.0.0.1 We'll use it for redirection * NAT rules */ //FWObject *grp; loopback_address = dbcopy->createIPv4(); loopback_address->setName("__loopback_address__"); loopback_address->setId(FWObjectDatabase::generateUniqueId()); // "__loopback_address_id__"); IPv4::cast(loopback_address)->setAddress(InetAddr::getLoopbackAddr()); persistent_objects->add(loopback_address,false); if (tables) { tables->init(dbcopy); if (!getSourceRuleSet()->isTop()) tables->setRuleSetName(getRuleSetName()); } return n; } string NATCompiler_pf::debugPrintRule(libfwbuilder::Rule *r) { NATRule *rule = NATRule::cast(r); RuleElementItfOutb *itf_re = rule->getItfOutb(); FWObject *rule_iface = FWObjectReference::getObject(itf_re->front()); // FWObject *rule_iface = dbcopy->findInIndex(rule->getInterfaceId()); return NATCompiler::debugPrintRule(rule) + " " + string( (rule_iface!=NULL)?rule_iface->getName():"") + " (type=" + rule->getRuleTypeAsString() + ")"; } void NATCompiler_pf::_expand_addr(Rule *rule, FWObject *s, bool expand_cluster_interfaces_fully) { if (RuleElementTSrc::isA(s)) { // do not replace interfaces with their ip addresses in TSrc // to be able to generate "nat ... 
-> (em0)" command later list interfaces_in_re; for (FWObject::iterator i1=s->begin(); i1!=s->end(); ++i1) { FWObject *o = FWReference::getObject(*i1); assert(o); if (Interface::isA(o)) interfaces_in_re.push_back(o); } if (interfaces_in_re.size() > 1) { for (list::iterator i=interfaces_in_re.begin(); i!=interfaces_in_re.end(); ++i) s->removeRef(*i); NATCompiler::_expand_addr( rule, s, expand_cluster_interfaces_fully); for (list::iterator i=interfaces_in_re.begin(); i!=interfaces_in_re.end(); ++i) s->addRef(*i); } } else NATCompiler::_expand_addr( rule, s, expand_cluster_interfaces_fully); } bool NATCompiler_pf::NATRuleType::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); if (rule->getRuleType()!=NATRule::Unknown) return true; RuleElementTSrc *tsrcre = rule->getTSrc(); RuleElementTDst *tdstre = rule->getTDst(); RuleElementTSrv *tsrvre = rule->getTSrv(); Service *osrv=compiler->getFirstOSrv(rule); Address *tsrc = compiler->getFirstTSrc(rule); Address *tdst = compiler->getFirstTDst(rule); Service *tsrv=compiler->getFirstTSrv(rule); if (rule->getAction() == NATRule::Branch) { rule->setRuleType(NATRule::NATBranch); if (!tsrcre->isAny() || !tdstre->isAny() || !tsrvre->isAny()) { tsrcre->clearChildren(); tsrcre->setAnyElement(); tdstre->clearChildren(); tdstre->setAnyElement(); tsrvre->clearChildren(); tsrvre->setAnyElement(); compiler->warning( rule, "Translated Src, Dst and Srv are ignored in the NAT " "rule with action 'Branch'"); } return true; } if (tsrc->isAny() && tdst->isAny() && (tsrv->isAny() || (tsrv->getId() == osrv->getId())) ) { rule->setRuleType(NATRule::NONAT); return true; } bool osrv_defines_src_port = false; Q_UNUSED(osrv_defines_src_port); bool osrv_defines_dst_port = false; Q_UNUSED(osrv_defines_dst_port); bool tsrv_translates_src_port = false; bool tsrv_translates_dst_port = false; if (TCPUDPService::cast(osrv)) { TCPUDPService *tu_osrv = TCPUDPService::cast(osrv); osrv_defines_src_port = \ 
(tu_osrv->getSrcRangeStart() != 0 && tu_osrv->getDstRangeStart() == 0); osrv_defines_dst_port = \ (tu_osrv->getSrcRangeStart() == 0 && tu_osrv->getDstRangeStart() != 0); } if (TCPUDPService::cast(tsrv)) { TCPUDPService *tu_tsrv = TCPUDPService::cast(tsrv); tsrv_translates_src_port = \ (tu_tsrv->getSrcRangeStart() != 0 && tu_tsrv->getDstRangeStart() == 0); tsrv_translates_dst_port = \ (tu_tsrv->getSrcRangeStart() == 0 && tu_tsrv->getDstRangeStart() != 0); } if ( (! tsrc->isAny() && tdst->isAny()) || (tsrc->isAny() && tdst->isAny() && tsrv_translates_src_port) ) { rule->setRuleType(NATRule::SNAT); return true; } if ( (tsrc->isAny() && ! tdst->isAny()) || (tsrc->isAny() && tdst->isAny() && tsrv_translates_dst_port) ) { /* this is load balancing rule if there are multiple objects in TDst */ if ( tdstre->size()>1 ) rule->setRuleType(NATRule::LB); else { if ( compiler->complexMatch(tdst,compiler->fw) ) rule->setRuleType(NATRule::Redirect); else rule->setRuleType(NATRule::DNAT); // if ( tdst->getId()==compiler->fw->getId() ) rule->setRuleType(NATRule::Redirect); // else rule->setRuleType(NATRule::DNAT); } return true; } if ( ( ! tsrc->isAny() && ! tdst->isAny() ) || ( ! tsrc->isAny() && tsrv_translates_dst_port) || ( ! tdst->isAny() && tsrv_translates_src_port) ) { rule->setRuleType(NATRule::SDNAT); return true; } compiler->abort(rule, "Unsupported translation."); return false; } /* * This processor should be called after classifyNATRule. Should call * classifyNATRule after this processor again. * * This algorithm is very much specific to iptables. Platforms where * this simple algorithm for SDNAT rules is not appropriate, should * either implement equivalent of this processor using different * algorithm, or should catch SDNAT rules and abort in their own * verifyNATRule processor. 
*/ bool NATCompiler_pf::splitSDNATRule::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; if ( rule->getRuleType()==NATRule::SDNAT) { RuleElementODst *odst; RuleElementOSrv *osrv; RuleElementTSrc *tsrc; RuleElementTDst *tdst; /* first rule translates destination and may translate service (depends * on the original rule) */ NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); r->setRuleType(NATRule::Unknown); tsrc=r->getTSrc(); tsrc->clearChildren(); tsrc->setAnyElement(); tmp_queue.push_back(r); /* the second rule translates source and uses translated object in * ODst. Since the service could have been translated by the first * rule, we use TSrv in OSrv */ r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); r->setRuleType(NATRule::Unknown); odst=r->getODst(); odst->clearChildren(); for (FWObject::iterator i=rule->getTDst()->begin(); i!=rule->getTDst()->end(); i++) { FWObject *o = FWReference::getObject(*i); odst->addRef(o); } if ( ! rule->getTSrv()->isAny()) { /* * See "pf flow diagram" at http://homepage.mac.com/quension/pf/flow.png * rdr happens first, then nat. This means nat sees packet with * translated destination address and port. * * If the first rule in the pair translated service and * changed destination port, we need to match it in the * second rule to only trsnslate source in the packets * that have been processed by the first rule. However * this only applies to the case when destination port has * been translated because the first rule uses DNAT which * can only translate dest. port. So, if TSrv has zero * dest. port range but non-zero source port range, we * should not match it here because in this case no * dest. port translation occurs. If TSrv translates both * source and destination ports, we create new TCP(UDP) * service object with only dest. port part and use it to * match. 
*/ Service *tsrv = compiler->getFirstTSrv(rule); TCPUDPService *tu_tsrv = TCPUDPService::cast(tsrv); if (tu_tsrv && tu_tsrv->getDstRangeStart() != 0) { TCPUDPService *match_service = NULL; if (tu_tsrv->getSrcRangeStart() == 0) { // no source port tranlsation match_service = tu_tsrv; } else { // both source and dest port translation occurs match_service = TCPUDPService::cast( compiler->dbcopy->create(tsrv->getTypeName())); match_service->setName(tsrv->getName() + "_dport"); compiler->persistent_objects->add(match_service); match_service->setDstRangeStart(tu_tsrv->getDstRangeStart()); match_service->setDstRangeEnd(tu_tsrv->getDstRangeEnd()); } osrv = r->getOSrv(); osrv->clearChildren(); osrv->addRef(match_service); } } tdst=r->getTDst(); tdst->clearChildren(); tdst->setAnyElement(); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } bool NATCompiler_pf::VerifyRules::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; string version = compiler->fw->getStr("version"); RuleElementOSrc *osrc=rule->getOSrc(); assert(osrc); RuleElementODst *odst=rule->getODst(); assert(odst); RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); RuleElementTSrc *tsrc=rule->getTSrc(); assert(tsrc); RuleElementTDst *tdst=rule->getTDst(); assert(tdst); RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv); /* * because of the change in the nat and rdr rules syntax in * 4.7, I can no longer implement no-nat rules correctly for * this version. They dropped the "no" keyword and their * examples suggest using "pass" to implement exclusions for * the nat rules. I need no-nat rule to just not translate but * not make a decision whether the packet should be passed or * dropped. In the new PF model, translation rules are just * options on the matching policy rules and they do not offer * any keyword or option to not translate. 
*/ if (rule->getRuleType()==NATRule::NONAT && XMLTools::version_compare(version, "4.7")>=0) { compiler->abort( rule, "No translation rules are not supported for PF 4.7, " "use negation to implement exclusions"); return true; } if (osrv->getNeg()) { compiler->abort( rule, "Negation in original service is not supported."); return true; } /* bug #1276083: "Destination NAT rules". this restriction is not * true at least as of OpenBSD 3.5 * if (rule->getRuleType()==NATRule::DNAT && osrv->isAny()) compiler->abort("Service must be specified for destination translation rule. Rule "+rule->getLabel()); */ if (rule->getRuleType()==NATRule::DNAT && osrv->isAny() && !tsrv->isAny()) { compiler->abort( rule, "Can not translate 'any' into a specific service."); return true; } if (tsrc->getNeg()) { compiler->abort( rule, "Can not use negation in translated source."); return true; } if (tdst->getNeg()) { compiler->abort( rule, "Can not use negation in translated destination."); return true; } if (tsrv->getNeg()) { compiler->abort( rule, "Can not use negation in translated service."); return true; } if (tsrv->size()!=1) { compiler->abort( rule, "Translated service should be 'Original' or should contain single object."); return true; } FWObject *o=tsrv->front(); if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); if ( Group::cast(o)!=NULL) { compiler->abort( rule, "Can not use group in translated service."); return true; } #if 0 if (rule->getRuleType()==NATRule::SNAT ) { Address* o1=compiler->getFirstTSrc(rule); if ( Network::cast(o1)!=NULL || AddressRange::cast(o1)!=NULL ) compiler->abort("Can not use network or address range object in translated source. 
Rule "+rule->getLabel()); } #endif if (rule->getRuleType()==NATRule::SNAT ) { if (tsrc->isAny()) { compiler->abort(rule, "Source translation rule needs an address in " "Translated Source."); return true; } FWObject *o = FWReference::getObject(tsrc->front()); if (Interface::isA(o) && Interface::cast(o)->isUnnumbered()) { compiler->abort(rule, "Can not use unnumbered interface in " "Translated Source of a Source translation rule."); return true; } } if (rule->getRuleType()==NATRule::DNAT || rule->getRuleType()==NATRule::Redirect ) { if (tdst->isAny()) { compiler->abort( rule, "Destination translation rule needs an address in " "Translated Destination."); return true; } if ( tdst->size()!=1) { compiler->abort( rule, "There should be no more than one object in translated destination"); return true; } Address* o1=compiler->getFirstTDst(rule); if ( Network::cast(o1)!=NULL || AddressRange::cast(o1)!=NULL ) { compiler->abort( rule, "Can not use network or address range object in translated destination."); return true; } } if (rule->getRuleType()==NATRule::SNetnat && !tsrc->isAny() ) { Network *a1=Network::cast(compiler->getFirstOSrc(rule)); Network *a2=Network::cast(compiler->getFirstTSrc(rule)); if ( a1==NULL || a2==NULL || a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() ) { compiler->abort( rule, "Original and translated source should both be networks of the same size."); return true; } } if (rule->getRuleType()==NATRule::DNetnat && !tsrc->isAny() ) { Network *a1=Network::cast(compiler->getFirstODst(rule)); Network *a2=Network::cast(compiler->getFirstTDst(rule)); if ( a1==NULL || a2==NULL || a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() ) { compiler->abort( rule, "Original and translated destination should both be networks of the same size."); return true; } } if (rule->getRuleType()==NATRule::NATBranch ) { RuleSet *branch = rule->getBranch(); if (branch == NULL) { compiler->abort( rule, "Action 'Branch' needs NAT rule set to point 
to"); return true; } else { if (!NAT::isA(branch)) { compiler->abort( rule, "Action 'Branch' must point to a NAT rule set " "(points to " + branch->getTypeName() + ")"); return true; } } } tmp_queue.push_back(rule); return true; } bool NATCompiler_pf::splitOnOSrv::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); if (osrv->size()!=1) { for(list::iterator i=osrv->begin(); i!=osrv->end(); ++i) { FWObject *o= *i; // if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast( o ); assert(s); NATRule *r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementOSrv *nosrv=r->getOSrv(); nosrv->clearChildren(); nosrv->addRef( s ); tmp_queue.push_back( r ); } } else tmp_queue.push_back(rule); return true; } bool NATCompiler_pf::fillTranslatedSrv::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); Service *osrv_o=compiler->getFirstOSrv(rule); Service *tsrv_o=compiler->getFirstTSrv(rule); if ( ! osrv_o->isAny() && tsrv_o->isAny() ) { RuleElementTSrv *tsrv=rule->getTSrv(); tsrv->addRef(osrv_o); } return true; } bool NATCompiler_pf::addVirtualAddress::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); Address *a=NULL; if (rule->getRuleType()==NATRule::SNAT) a=compiler->getFirstTSrc(rule); else if (rule->getRuleType()==NATRule::DNAT) a=compiler->getFirstODst(rule); else return true; assert(a!=NULL); const InetAddr *a_addr = a->getAddressPtr(); if ( ! 
a->isAny() && a->getId()!=compiler->getFwId() && a_addr) { list l2=compiler->fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); const InetAddr *iface_addr = iface->getAddressPtr(); if (iface_addr && *a_addr == *iface_addr ) return true; } compiler->osconfigurator->addVirtualAddressForNAT( a ); } return true; } bool NATCompiler_pf::splitForTSrc::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementTSrc *tsrc=rule->getTSrc(); assert(tsrc); map > interfaceGroups; for(list::iterator i=tsrc->begin(); i!=tsrc->end(); ++i) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Interface *iface = compiler->findInterfaceFor(Address::cast(o), compiler->fw); if (iface!=NULL) interfaceGroups[iface->getId()].push_back(o); } if (interfaceGroups.size()<=1) tmp_queue.push_back(rule); else { map >::iterator i; for (i=interfaceGroups.begin(); i!=interfaceGroups.end(); i++) { list &objSubset = (*i).second; RuleElementTSrc *ntsrc = NULL; NATRule *r = compiler->dbcopy->createNATRule(); r->duplicate(rule); compiler->temp_ruleset->add(r); ntsrc=r->getTSrc(); ntsrc->clearChildren(); ntsrc->setAnyElement(); for (FWObject::iterator j=objSubset.begin(); j!=objSubset.end(); j++) { ntsrc->addRef(*j); } tmp_queue.push_back(r); } } return true; } bool NATCompiler_pf::assignInterfaceToNATRule(NATRule *rule, Address *addr) { RuleElementItfOutb *itf_re = rule->getItfOutb(); assert(itf_re!=NULL); if (Interface::isA(addr) || IPv4::isA(addr)) { FWObject *p = addr; while ( p && ! Interface::isA(p) ) p = p->getParent(); Interface *intf = Interface::cast(p); if (intf && intf->isFailoverInterface()) { FailoverClusterGroup *fg = FailoverClusterGroup::cast( intf->getFirstByType(FailoverClusterGroup::TYPENAME)); if (fg) intf = fg->getInterfaceForMemberFirewall(fw); } if (intf && intf->isChildOf(fw)) { if ( ! 
itf_re->hasRef(intf)) itf_re->addRef(intf); return true; } } return false; } bool NATCompiler_pf::AssignInterface::processNext() { NATCompiler_pf *pf_comp = dynamic_cast(compiler); NATRule *rule = getNext(); if (rule==NULL) return false; if (rule->getStr(".iface") == "nil") { tmp_queue.push_back(rule); return true; } RuleElementItfOutb *itf_re = rule->getItfOutb(); assert(itf_re!=NULL); if ( ! itf_re->isAny()) { tmp_queue.push_back(rule); return true; } switch ( rule->getRuleType() ) { case NATRule::SNAT: { RuleElementTSrc *tsrc_re = rule->getTSrc(); bool have_interface = false; for (FWObject::iterator i1=tsrc_re->begin(); i1!=tsrc_re->end(); ++i1) { Address *addr = Address::cast(FWObjectReference::getObject(*i1)); have_interface |= pf_comp->assignInterfaceToNATRule(rule, addr); } if (have_interface) { tmp_queue.push_back(rule); return true; } /* if we appear here, then TSrc is not an interface or address of * an interface. Generate NAT rule without "on iface" clause */ // rule->setInterfaceStr(""); itf_re->clearChildren(); itf_re->setAnyElement(); } break; case NATRule::DNAT: { RuleElementODst *odst_re = rule->getODst(); bool have_interface = false; for (FWObject::iterator i1=odst_re->begin(); i1!=odst_re->end(); ++i1) { Address *addr = Address::cast(FWObjectReference::getObject(*i1)); have_interface |= pf_comp->assignInterfaceToNATRule(rule, addr); } if (have_interface) { tmp_queue.push_back(rule); return true; } /* if we appear here, then ODst is not an interface or address of an * interface. If this is so, just do not specify interface for rdr * rule. */ itf_re->clearChildren(); itf_re->setAnyElement(); } break; default: break; } tmp_queue.push_back(rule); return true; } /* * I assume that there is always only one object in ODst, TSrc and TDst * rule elements. 
This should have been assured by inspector VerifyRules */ bool NATCompiler_pf::ReplaceFirewallObjectsODst::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); list cl; RuleElementODst *rel; Address *obj=NULL; rel = rule->getODst(); assert(rel); obj =compiler->getFirstODst(rule); assert(obj); if (obj->getId()==compiler->getFwId() ) { list l2 = compiler->fw->getByTypeDeep(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *interface_ = Interface::cast(*i); /* * update 03/20/03: * * generally we assume that if firewall object is used in the rule, * then any or all its interface will be used. This means that if * firewall is in ODst we should really use all of its interfaces, not * only external ones. */ if (! interface_->isLoopback() ) cl.push_back(interface_); } if ( ! cl.empty() ) { rel->clearChildren(); for (FWObject::iterator i1=cl.begin(); i1!=cl.end(); ++i1) { rel->addRef( *i1 ); } } /* * update for ticket 1397 If firewall object is in ODst, do not assign * the rule to any interface. I use attribute ".iface" to signal * AssignInterface that it should not do anything. */ rule->setStr(".iface", "nil"); } return true; } /* * I assume that there is always only one object in ODst, TSrc and TDst * rule elements. 
This should have been assured by inspector VerifyRules */ bool NATCompiler_pf::ReplaceFirewallObjectsTSrc::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); list cl; RuleElementTSrc *rel; Address *obj=NULL; switch (rule->getRuleType()) { case NATRule::Masq: return true; default: rel=rule->getTSrc(); assert(rel); obj=compiler->getFirstTSrc(rule); assert(obj); if (obj->getId()==compiler->getFwId() ) { Address *odst=compiler->getFirstODst(rule); rel->clearChildren(); Interface *iface=compiler->findInterfaceFor(odst,compiler->fw); if (!odst->isAny() && !rule->getODst()->getNeg() && iface!=NULL) rel->addRef(iface); else // else use all interfaces except loopback and unnumbered ones { list l2=compiler->fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=Interface::cast(*i); if (! iface->isLoopback() && ! iface->isUnnumbered() && ! iface->isBridgePort()) rel->addRef( *i ); } for (FWObject::iterator i1=cl.begin(); i1!=cl.end(); ++i1) rel->addRef( *i1 ); /* it is an error if rule element is empty at this point. this could have * happened if all external interfaces are unnumbered */ if (rel->size()==0) { QString err( "Could not find suitable interface for the NAT rule %1. " "Perhaps all interfaces are unnumbered?"); compiler->abort( rule, err.arg(rule->getLabel().c_str()).toStdString()); } } } } return true; } /* * I assume that there is always only one object in ODst, TSrc and TDst * rule elements. 
This should have been assured by inspector VerifyRules */ bool NATCompiler_pf::ReplaceObjectsTDst::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; NATCompiler_pf *pf_comp=dynamic_cast(compiler); tmp_queue.push_back(rule); if (rule->getRuleType()==NATRule::Redirect) { Service *tsrv=compiler->getFirstTSrv(rule); RuleElementTDst *rel=rule->getTDst(); assert(rel); Address *otdst=compiler->getFirstTDst(rule); Interface *loopback=NULL; FWObject *loopback_address=NULL; /* if firewall is used in TDst in redirection rule, replace it with * its loopback interface */ if (otdst->getId()==compiler->fw->getId()) { std::list l2=compiler->fw->getByType(Interface::TYPENAME); for (std::list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface = dynamic_cast(*i); assert(iface); if (iface->isLoopback()) { loopback = iface; loopback_address = loopback->getFirstByType(IPv4::TYPENAME); } } if (loopback_address==NULL) { compiler->abort(rule, "Can not configure redirection for the NAT rule " "because loopback interface is missing."); } rel->clearChildren(); rel->addRef( loopback_address ); pf_comp->redirect_rules.push_back( redirectRuleInfo( rule->getLabel(), otdst, loopback_address, tsrv ) ); } } return true; } bool NATCompiler_pf::swapAddressTableObjectsInRE::processNext() { NATCompiler_pf *pf_comp=dynamic_cast(compiler); Rule *rule=prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) ); list cl; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); /* * All addressTable objects will be run-time here because we * switch them in preprocessor. The difference is: if address * table was originally run-time, at this point it will have * no children, however if it was compile-time originally, it * will have children objects. That is how we distinguish * them in this rule processor. 
Here we only deal with * AddressTable objects that originally used to be * compile-time because we need to create tables for them. */ if (AddressTable::cast(o)!=NULL && AddressTable::cast(o)->isRunTime() && o->size() > 0) cl.push_back(MultiAddress::cast(o)); } if (!cl.empty()) { for (list::iterator i=cl.begin(); i!=cl.end(); i++) { MultiAddress *atbl = *i; // Need to make sure the ID of the MultiAddressRunTime // object created here is stable and is always the same // for the same MultiAddress object. In particular this // ensures that we reuse tables between policy and NAT rules string mart_id_str = FWObjectDatabase::getStringId(atbl->getId()) + "_runtime"; int mart_id = FWObjectDatabase::registerStringId(mart_id_str); MultiAddressRunTime *mart = MultiAddressRunTime::cast(compiler->dbcopy->findInIndex(mart_id)); if (mart==NULL) { mart = new MultiAddressRunTime(atbl); // need to ensure stable ID for the runtime object, so // that when the same object is replaced in different // rulesets by different compiler passes, chosen // runtime object has the same ID and is identified as // the same by the compiler. 
mart->setId( mart_id ); compiler->dbcopy->addToIndex(mart); compiler->persistent_objects->add(mart); // register this object as a table string tblname = atbl->getName(); string tblID = tblname + "_addressTableObject"; pf_comp->tables->registerTable(tblname,tblID,atbl); } re->removeRef(atbl); re->addRef(mart); } tmp_queue.push_back(rule); return true; } tmp_queue.push_back(rule); return true; } bool NATCompiler_pf::processMultiAddressObjectsInRE::processNext() { NATCompiler_pf *pf_comp=dynamic_cast(compiler); NATRule *rule=getNext(); if (rule==NULL) return false; RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) ); bool neg = re->getNeg(); list cl; try { for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) { if (re->size()>1 && neg) { string err = "AddressTable object can not be used with " "negation in combination with other objects " "in the same rule element."; compiler->abort(rule, err); } o->setBool("pf_table",true); string tblname = o->getName(); string tblID = tblname + "_addressTableObject"; pf_comp->tables->registerTable(tblname,tblID,o); cl.push_back(o); } } } catch(FWException &ex) // TableFactory::registerTable throws exception { string err; err = "Can not process MultiAddress object in rule " + rule->getLabel() + ". 
Error: " + ex.toString(); compiler->abort(rule, err); } if (!cl.empty()) { RuleElement *nre; for (FWObject::iterator i=cl.begin(); i!=cl.end(); i++) { NATRule *r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nre=RuleElement::cast( r->getFirstByType(re_type) ); nre->clearChildren(); nre->addRef( *i ); tmp_queue.push_back(r); } for (FWObject::iterator i=cl.begin(); i!=cl.end(); i++) re->removeRef( *i ); if (!re->isAny()) tmp_queue.push_back(rule); return true; } tmp_queue.push_back(rule); return true; } void NATCompiler_pf::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces(RuleElement *re, Rule *rule) { if (re->isAny()) return; list cl; for (list::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *o = *i1; FWObject *obj = o; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Interface *ifs = Interface::cast(obj); if (ifs && Cluster::isA(ifs->getParent())) { FailoverClusterGroup *failover_group = FailoverClusterGroup::cast( ifs->getFirstByType(FailoverClusterGroup::TYPENAME)); if (failover_group) { for (FWObjectTypedChildIterator it = failover_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { Interface *member_iface = Interface::cast(FWObjectReference::getObject(*it)); assert(member_iface); if (member_iface->isChildOf(compiler->fw)) { ifs = member_iface; break; } } } } if (ifs && ifs->isDyn() && ! 
ifs->isChildOf(compiler->fw)) { QString err( "Can not build rule using dynamic interface '%1' " "of the object '%2' because its address is unknown."); compiler->abort( rule, err .arg(ifs->getName().c_str()) .arg(ifs->getParent()->getName().c_str()).toStdString()); } } } bool NATCompiler_pf::checkForDynamicInterfacesOfOtherObjects::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; findDynamicInterfaces( rule->getOSrc() , rule ); findDynamicInterfaces( rule->getODst() , rule ); findDynamicInterfaces( rule->getTSrc() , rule ); findDynamicInterfaces( rule->getTDst() , rule ); tmp_queue.push_back(rule); return true; } bool NATCompiler_pf::createTables::processNext() { NATCompiler_pf *pf_comp=dynamic_cast(compiler); NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrc *osrc=rule->getOSrc(); RuleElementODst *odst=rule->getODst(); if (osrc->size()!=1) pf_comp->tables->createTablesForRE(osrc,rule); if (odst->size()!=1) pf_comp->tables->createTablesForRE(odst,rule); #if 0 RuleElementTSrc *tsrc=rule->getTSrc(); RuleElementTDst *tdst=rule->getTDst(); if (tsrc->size()!=1) pf_comp->tables->createTablesForRE(tsrc,rule); if (tdst->size()!=1) pf_comp->tables->createTablesForRE(tdst,rule); #endif tmp_queue.push_back(rule); return true; } void NATCompiler_pf::compile() { bool manage_virtual_addr=fwopt->getBool("manage_virtual_addr"); string banner = " Compiling NAT rules for " + fw->getName(); if (!getRuleSetName().empty()) banner += " ruleset " + getRuleSetName(); if (ipv6) banner += ", IPv6"; info(banner); Compiler::compile(); add( new Begin()); add( new printTotalNumberOfRules() ); add( new singleRuleFilter()); add(new expandGroupsInItfOutb("expand groups in Interface")); add(new replaceClusterInterfaceInItfOutb( "replace cluster interfaces with member interfaces in " "the Interface rule element")); add(new singleObjectNegationItfOutb( "process single object negation in inbound Itf")); add(new ItfOutbNegation("process negation in Itf")); add( 
new recursiveGroupsInOSrc("check for recursive groups in OSRC") ); add( new recursiveGroupsInODst("check for recursive groups in ODST") ); add( new recursiveGroupsInOSrv("check for recursive groups in OSRV") ); add( new recursiveGroupsInTSrc("check for recursive groups in TSRC") ); add( new recursiveGroupsInTDst("check for recursive groups in TDST") ); add( new recursiveGroupsInTSrv("check for recursive groups in TSRV") ); add( new emptyGroupsInOSrc( "check for empty groups in OSRC" ) ); add( new emptyGroupsInODst( "check for empty groups in ODST" ) ); add( new emptyGroupsInOSrv( "check for empty groups in OSRV" ) ); add( new emptyGroupsInTSrc( "check for empty groups in TSRC" ) ); add( new emptyGroupsInTDst( "check for empty groups in TDST" ) ); add( new emptyGroupsInTSrv( "check for empty groups in TSRV" ) ); if (fw->getOptionsObject()->getBool("preserve_group_names")) { add(new RegisterGroupsAndTablesInOSrc( "register object groups and tables in OSrc")); add(new RegisterGroupsAndTablesInODst( "register object groups and tables in ODst")); } add( new ExpandGroups( "expand groups" ) ); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new eliminateDuplicatesInOSRC( "eliminate duplicates in OSRC") ); add( new eliminateDuplicatesInODST( "eliminate duplicates in ODST") ); add( new eliminateDuplicatesInOSRV( "eliminate duplicates in OSRV") ); add( new swapMultiAddressObjectsInOSrc( " swap MultiAddress -> MultiAddressRunTime in OSrc") ); add( new swapMultiAddressObjectsInODst( " swap MultiAddress -> MultiAddressRunTime in ODst") ); add( new swapMultiAddressObjectsInTSrc( " swap MultiAddress -> MultiAddressRunTime in TSrc") ); add( new swapMultiAddressObjectsInTDst( " swap MultiAddress -> MultiAddressRunTime in TDst") ); add( new swapAddressTableObjectsInOSrc( "AddressTable -> MultiAddressRunTime in OSrc") ); add( new swapAddressTableObjectsInODst( "AddressTable -> MultiAddressRunTime in ODst") ); add( new swapAddressTableObjectsInTSrc( 
"AddressTable -> MultiAddressRunTime in TSrc") ); add( new swapAddressTableObjectsInTDst( "AddressTable -> MultiAddressRunTime in TDst") ); add( new processMultiAddressObjectsInOSrc( "process MultiAddress objects in OSrc") ); add( new processMultiAddressObjectsInODst( "process MultiAddress objects in ODst") ); add( new processMultiAddressObjectsInTSrc( "process MultiAddress objects in TSrc") ); add( new processMultiAddressObjectsInTDst( "process MultiAddress objects in TDst") ); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new splitOnOSrv( "split rule on original service" ) ); add( new fillTranslatedSrv( "fill translated service" ) ); //add( new doOSrcNegation( "process negation in OSrc" ) ); //add( new doODstNegation( "process negation in ODst" ) ); //add( new doOSrvNegation( "process negation in OSrv" ) ); add( new NATRuleType( "determine NAT rule types" ) ); add( new splitSDNATRule("split SDNAT rules" ) ); add( new NATRuleType( "determine NAT rule types" ) ); add( new VerifyRules( "verify NAT rules" ) ); add( new ReplaceFirewallObjectsODst( "replace references to the firewall in ODst" ) ); add( new ReplaceFirewallObjectsTSrc( "replace references to the firewall in TSrc" ) ); add( new ReplaceObjectsTDst( "replace objects in TDst" ) ); add( new ExpandMultipleAddresses( "expand multiple addresses" ) ); // we might get empty RE after expanding multiple addresses, // for example when unnumbered interface is used in TSRC. Note // that VerifyRules should not allow this, but we may still // get here in the test mode. Calling dropRuleWithEmptyRE works // as a fail-safe and prevents crash. 
add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); if ( manage_virtual_addr ) add( new addVirtualAddress("add virtual addresses for NAT rules")); add( new checkForUnnumbered("check for unnumbered interfaces" ) ); add( new checkForDynamicInterfacesOfOtherObjects( "check for dynamic interfaces of other hosts and firewalls")); add( new ExpandAddressRanges( "expand address range objects" ) ); add( new splitForTSrc( "split if addresses in TSrc belong to different networks" )); add( new AssignInterface( "assign rules to interfaces" ) ); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add( new createTables("create tables")); // add( new PrintTables( "print tables" ) ); add( new PrintRule("generate pf code") ); add( new simplePrintProgress() ); runRuleProcessors(); } void NATCompiler_pf::epilog() { } NATCompiler_pf::~NATCompiler_pf() { //if (tables) tables->detach(); } fwbuilder-5.3.7/src/pflib/NATCompiler_pf.h000066400000000000000000000340501303637203600203540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __NATCOMPILER_PF_HH #define __NATCOMPILER_PF_HH #include #include "fwcompiler/NATCompiler.h" #include "TableFactory.h" #include #include #include #include namespace libfwbuilder { class Host; class IPv4; class IPService; class ICMPService; class TCPService; class UDPService; class RuleElementOSrc; class RuleElementODst; class RuleElementOSrv; class RuleElementTSrc; class RuleElementTDst; class RuleElementTSrv; }; namespace fwcompiler { class NATCompiler_pf : public NATCompiler { public: struct redirectRuleInfo { std::string natrule_label; int old_tdst; int new_tdst; int tsrv; redirectRuleInfo(const std::string &rl, libfwbuilder::FWObject *oa, libfwbuilder::FWObject *na, libfwbuilder::Service *s) { natrule_label = rl; old_tdst = oa->getId(); new_tdst = na->getId(); tsrv = s->getId(); } }; protected: libfwbuilder::FWObject *loopback_address; TableFactory *tables; virtual std::string debugPrintRule(libfwbuilder::Rule *rule); virtual void _expand_addr(libfwbuilder::Rule *rule, libfwbuilder::FWObject *s, bool expand_cluster_interfaces_fully); /** * analyse given address and decide which interface this NAT * rule should be tied to. If interface is found, use * rule->setInterfaceId() to save its ID and return * true. Otherwise, return false. Most importantly, this * function checks if @obj is cluster interface and then * uses corresponding real interface instead of it. */ bool assignInterfaceToNATRule(libfwbuilder::NATRule *rule, libfwbuilder::Address *obj); /** * determines type of the NAT rule */ DECLARE_NAT_RULE_PROCESSOR(NATRuleType); /** * this processor spits SDNAT rule onto SNAT and DNAT rules. * SDNAT rule translates both source and destination. 
*/ DECLARE_NAT_RULE_PROCESSOR(splitSDNATRule); /** * verifies correctness of the NAT rules */ DECLARE_NAT_RULE_PROCESSOR(VerifyRules); /** * splits rule with multiple service objects in OSrv * onto * several rules */ DECLARE_NAT_RULE_PROCESSOR(splitOnOSrv); /** * fills translated service with the copy of original srv */ DECLARE_NAT_RULE_PROCESSOR(fillTranslatedSrv); /** * split rule if addresses in TSrc are from the networks * different interfaces of the firewall belong to. */ DECLARE_NAT_RULE_PROCESSOR(splitForTSrc); /** * assigns NAT rules to interfaces */ friend class AssignInterface; class AssignInterface : public NATRuleProcessor { std::string regular_interfaces; public: AssignInterface(const std::string &name) : NATRuleProcessor(name) {} virtual bool processNext(); }; /** * calls OSConfigurator to add virtual * address to the * firewall if it is needed for NAT rule */ DECLARE_NAT_RULE_PROCESSOR(addVirtualAddress); /** * replaces references to the firewall in odst with * references to its external interfaces */ DECLARE_NAT_RULE_PROCESSOR(ReplaceFirewallObjectsODst); /** * replaces references to the firewall in tsrc with * references to its external interfaces */ DECLARE_NAT_RULE_PROCESSOR(ReplaceFirewallObjectsTSrc); /** * replaces object in tdst with reference to firewall's * loopback interface address object */ DECLARE_NAT_RULE_PROCESSOR(ReplaceObjectsTDst); friend class fwcompiler::NATCompiler_pf::ReplaceObjectsTDst; /** * deals with negation in OSrc */ DECLARE_NAT_RULE_PROCESSOR(doOSrcNegation); /** * deals with negation in ODst */ DECLARE_NAT_RULE_PROCESSOR(doODstNegation); /** * deals with negation in OSrv */ DECLARE_NAT_RULE_PROCESSOR(doOSrvNegation); /** * eliminates duplicate objects in SRC. 
Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInOSRC : public eliminateDuplicatesInRE { public: eliminateDuplicatesInOSRC(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementOSrc::TYPENAME) {} }; /** * eliminates duplicate objects in DST. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInODST : public eliminateDuplicatesInRE { public: eliminateDuplicatesInODST(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementODst::TYPENAME) {} }; /** * eliminates duplicate objects in SRV. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInOSRV : public eliminateDuplicatesInRE { public: eliminateDuplicatesInOSRV(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementOSrv::TYPENAME) {} }; class checkForDynamicInterfacesOfOtherObjects : public NATRuleProcessor { void findDynamicInterfaces(libfwbuilder::RuleElement *re, libfwbuilder::Rule *rule); public: checkForDynamicInterfacesOfOtherObjects(const std::string &name) : NATRuleProcessor(name) {} virtual bool processNext(); }; friend class checkForDynamicInterfacesOfOtherObjects; /** * like standard processor swapMultiAddressObjectsInRE, but * swaps compile-time address tables. 
See comment for this * rule processor in PolicyCompiler_pf */ class swapAddressTableObjectsInRE : public NATRuleProcessor { std::string re_type; public: swapAddressTableObjectsInRE(const std::string &name, const std::string &t) : NATRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; friend class swapAddressTableObjectsInRE; class swapAddressTableObjectsInOSrc : public swapAddressTableObjectsInRE { public: swapAddressTableObjectsInOSrc(const std::string &n) : swapAddressTableObjectsInRE(n, libfwbuilder::RuleElementOSrc::TYPENAME) {} }; friend class swapAddressTableObjectsInOSrc; class swapAddressTableObjectsInODst : public swapAddressTableObjectsInRE { public: swapAddressTableObjectsInODst(const std::string &n) : swapAddressTableObjectsInRE(n, libfwbuilder::RuleElementODst::TYPENAME) {} }; friend class swapAddressTableObjectsInODst; class swapAddressTableObjectsInTSrc : public swapAddressTableObjectsInRE { public: swapAddressTableObjectsInTSrc(const std::string &n) : swapAddressTableObjectsInRE(n, libfwbuilder::RuleElementTSrc::TYPENAME) {} }; class swapAddressTableObjectsInTDst : public swapAddressTableObjectsInRE { public: swapAddressTableObjectsInTDst(const std::string &n) : swapAddressTableObjectsInRE(n, libfwbuilder::RuleElementTDst::TYPENAME) {} }; /** * Split rule if MultiAddress object is used in RE to make * sure it is single object. Also check for the case where * MultiAddress object is used in combination with negation, * this case is not supported. NOTE: this restriction can be * removed if PF adds support for recursively defined tables * (tables as elements inside tables). 
*/ class processMultiAddressObjectsInRE : public NATRuleProcessor { std::string re_type; public: processMultiAddressObjectsInRE(const std::string &name, const std::string &t) : NATRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; class processMultiAddressObjectsInOSrc : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInOSrc(const std::string &n) : processMultiAddressObjectsInRE(n, libfwbuilder::RuleElementOSrc::TYPENAME) {} }; class processMultiAddressObjectsInODst : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInODst(const std::string &n) : processMultiAddressObjectsInRE(n, libfwbuilder::RuleElementODst::TYPENAME) {} }; class processMultiAddressObjectsInTSrc : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInTSrc(const std::string &n) : processMultiAddressObjectsInRE(n, libfwbuilder::RuleElementTSrc::TYPENAME) {} }; class processMultiAddressObjectsInTDst : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInTDst(const std::string &n) : processMultiAddressObjectsInRE(n, libfwbuilder::RuleElementTDst::TYPENAME) {} }; /** * this processor is only called if we are using tables. It * creates two tables for each rule element Processor * PrintRule uses these tables later. */ class createTables : public NATRuleProcessor { void createTablesForRE(libfwbuilder::RuleElement *re, libfwbuilder::Rule *rule); public: createTables(const std::string &name) : NATRuleProcessor(name) {} virtual bool processNext(); }; friend class NATCompiler_pf::createTables; /** * this processor accumulates all rules fed to it by previous * processors, then prints commands for all tables, * then feeds all rules to the next processor. 
Usually this * processor is in chain right before PrintRules */ class PrintTables : public NATRuleProcessor { public: PrintTables(const std::string &n) : NATRuleProcessor(n) {} virtual bool processNext(); }; friend class NATCompiler_pf::PrintTables; /** * prints single policy rule, assuming all groups have been * expanded, so source, destination and service hold exactly * one object each, and this object is not a group. Negation * should also have been taken care of before this method is * called. */ class PrintRule : public NATRuleProcessor { void _printAnchorRule(const std::string &anchor_command, const std::string &ruleset_name, libfwbuilder::NATRule *rule); protected: bool init; std::string current_rule_label; virtual void _printProtocol(libfwbuilder::Service *srv); virtual void _printPort(libfwbuilder::Service *srv, bool lhs); virtual void _printSrcPort(libfwbuilder::Service *srv, bool lhs); virtual void _printAddrList(libfwbuilder::FWObject *o,bool negflag); virtual void _printREAddr(libfwbuilder::RuleElement *o); virtual void _printAddr(libfwbuilder::FWObject *o); virtual void _printNATRuleOptions(libfwbuilder::Rule *rule); virtual void _printInterface(libfwbuilder::NATRule *r); virtual void _printNegation(libfwbuilder::RuleElement *o); public: PrintRule(const std::string &name); virtual bool processNext(); }; virtual std::string myPlatformName(); std::list redirect_rules; public: NATCompiler_pf(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf, TableFactory *tbf = NULL ) : NATCompiler(_db, fw, ipv6_policy, _oscnf) { tables = tbf; } virtual ~NATCompiler_pf(); virtual int prolog(); virtual void compile(); virtual void epilog(); // virtual string atomicRuleToString(libfwbuilder::Rule *r); const std::list& getRedirRulesInfo() { return redirect_rules; } }; } #endif 
fwbuilder-5.3.7/src/pflib/NATCompiler_pf_negation.cpp000066400000000000000000000075071303637203600226020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NATCompiler_pf.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/NAT.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Firewall.h" using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /* * negation in OSrc : * * !A B C RULE_TYPE *----------------------------------------------- * * A B C Continue ("no nat") * any B C SNAT/DNAT */ bool NATCompiler_pf::doOSrcNegation::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrc *osrcrel=rule->getOSrc(); if (osrcrel->getNeg()) { NATRule *r; osrcrel->setNeg(false); r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setRuleType(NATRule::Continue); tmp_queue.push_back(r); r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); 
r->duplicate(rule); RuleElementOSrc *nsrc=r->getOSrc(); nsrc->clearChildren(); nsrc->setAnyElement(); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } /* * negation in Odst : * * A !B C RULE_TYPE TARGET *------------------------------------- * * A B C Continue ("no nat") * A any C SNAT/DNAT */ bool NATCompiler_pf::doODstNegation::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementODst *odstrel=rule->getODst(); if (odstrel->getNeg()) { NATRule *r; odstrel->setNeg(false); r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setRuleType(NATRule::Continue); tmp_queue.push_back(r); r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementODst *ndst=r->getODst(); ndst->clearChildren(); ndst->setAnyElement(); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } /* * negation in OSrv : * * A B !C RULE_TYPE TARGET *------------------------------------- * * A B C Continue ("no nat") * A B any SNAT/DNAT */ bool NATCompiler_pf::doOSrvNegation::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; RuleElementOSrv *osrvrel=rule->getOSrv(); /* A B ! 
C */ if (osrvrel->getNeg()) { NATRule *r; osrvrel->setNeg(false); r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setRuleType(NATRule::Continue); tmp_queue.push_back(r); r= compiler->dbcopy->createNATRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementOSrv *nsrv=r->getOSrv(); nsrv->clearChildren(); nsrv->setAnyElement(); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } fwbuilder-5.3.7/src/pflib/NATCompiler_pf_writers.cpp000066400000000000000000000417001303637203600224660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NATCompiler_pf.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/NAT.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/Host.h" #include "fwbuilder/Network.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/UserService.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AttachedNetworks.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ NATCompiler_pf::PrintRule::PrintRule(const std::string &name) : NATRuleProcessor(name) { init=true; } void NATCompiler_pf::PrintRule::_printInterface(NATRule *rule) { RuleElementItf *intf_re = rule->getItfOutb(); QStringList rule_interfaces; if ( ! intf_re->isAny()) { for (FWObject::iterator it=intf_re->begin(); it!=intf_re->end(); ++it) { FWObject *o = FWObjectReference::getObject(*it); rule_interfaces << o->getName().c_str(); } if (rule_interfaces.size() > 1) { rule_interfaces.push_front("{"); rule_interfaces.push_back("}"); } compiler->output << "on " << string((intf_re->getBool("single_object_negation")) ? "! 
" : " ") << rule_interfaces.join(" ").toStdString() << " "; } } bool NATCompiler_pf::PrintRule::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); string version = compiler->fw->getStr("version"); compiler->output << compiler->printComment(rule, current_rule_label, "#"); RuleElementOSrc *osrcrel = rule->getOSrc(); RuleElementODst *odstrel = rule->getODst(); RuleElementTSrc *tsrcrel = rule->getTSrc(); RuleElementTDst *tdstrel = rule->getTDst(); FWObject *osrc, *odst; osrc = osrcrel->front(); if (osrc && FWReference::cast(osrc)!=NULL) osrc = FWReference::cast(osrc)->getPointer(); odst = odstrel->front(); if (odst && FWReference::cast(odst)!=NULL) odst = FWReference::cast(odst)->getPointer(); //Address *osrc=compiler->getFirstOSrc(rule); //assert(osrc); //Address *odst=compiler->getFirstODst(rule); //assert(odst); Service *osrv = compiler->getFirstOSrv(rule); //assert(osrv); Address *tsrc = compiler->getFirstTSrc(rule); //assert(tsrc); Address *tdst = compiler->getFirstTDst(rule); //assert(tdst); Service *tsrv = compiler->getFirstTSrv(rule); //assert(tsrv); if (osrc==NULL || odst==NULL || osrv==NULL || tsrc==NULL || tdst==NULL || tsrv==NULL) { QString err; if (osrc==NULL) err = QString("NAT rule %1: osrc==NULL"); if (odst==NULL) err = QString("NAT rule %1: odst==NULL"); if (osrv==NULL) err = QString("NAT rule %1: osrv==NULL"); if (tsrc==NULL) err = QString("NAT rule %1: tsrc==NULL"); if (tdst==NULL) err = QString("NAT rule %1: tdst==NULL"); if (tsrv==NULL) err = QString("NAT rule %1: tsrv==NULL"); compiler->abort(rule, err.arg(rule->getLabel().c_str()).toStdString()); } switch ( rule->getRuleType() ) { case NATRule::Continue: case NATRule::NONAT: { if (XMLTools::version_compare(version, "4.7")>=0) { /* I could not find a better way to implement old "no nat" * behavior with 4.7. They seem to suggest that we should * implement exceptions to the translations using "pass" * or "block" actions. 
At least this is the only way they * show in examples and there is no "no" keyword anymore. */ compiler->output << "pass in quick "; _printInterface(rule); _printProtocol(osrv); compiler->output << "from "; _printREAddr(osrcrel); _printSrcPort(osrv, true); compiler->output << "to "; _printREAddr(odstrel); _printPort(osrv, true); compiler->output << endl; } else { compiler->output << "no nat "; _printInterface(rule); _printProtocol(osrv); compiler->output << "from "; _printREAddr(osrcrel); compiler->output << "to "; _printREAddr(odstrel); compiler->output << endl; compiler->output << "no rdr "; _printInterface(rule); _printProtocol(osrv); compiler->output << "from "; _printREAddr( osrcrel ); compiler->output << "to "; _printREAddr( odstrel ); compiler->output << endl; } break; } case NATRule::SNAT: { if (XMLTools::version_compare(version, "4.7")>=0) { compiler->output << "match out "; _printInterface(rule); _printProtocol(osrv); compiler->output << "from "; _printREAddr( osrcrel ); _printSrcPort(osrv, true); compiler->output << "to "; _printREAddr( odstrel ); _printPort( osrv, true ); compiler->output << "nat-to "; _printREAddr( tsrcrel ); _printSrcPort(tsrv, false); _printNATRuleOptions(rule); compiler->output << endl; } else { compiler->output << "nat "; _printInterface(rule); _printProtocol(osrv); compiler->output << "from "; _printREAddr( osrcrel ); _printSrcPort(osrv, true); compiler->output << "to "; _printREAddr( odstrel ); _printPort( osrv, true ); compiler->output << "-> "; _printREAddr( tsrcrel ); _printSrcPort(tsrv, false); _printNATRuleOptions(rule); compiler->output << endl; } break; } case NATRule::DNAT: case NATRule::LB: { if (XMLTools::version_compare(version, "4.7")>=0) { compiler->output << "match in "; _printInterface(rule); _printProtocol(osrv); compiler->output << "from "; _printREAddr( osrcrel ); _printSrcPort(osrv, true); // this is where it is different from NATRule::Redirect compiler->output << "to "; _printREAddr( odstrel ); 
_printPort(osrv, true); compiler->output << "rdr-to "; _printREAddr( tdstrel ); _printPort(tsrv, false); _printNATRuleOptions(rule); compiler->output << endl; } else { compiler->output << "rdr "; _printInterface(rule); _printProtocol(osrv); compiler->output << "from "; _printREAddr( osrcrel ); _printSrcPort(osrv, true); // this is where it is different from NATRule::Redirect compiler->output << "to "; _printREAddr( odstrel ); _printPort(osrv, true); compiler->output << "-> "; _printREAddr( tdstrel ); _printPort(tsrv, false); _printNATRuleOptions(rule); compiler->output << endl; } break; } case NATRule::Redirect: { if (XMLTools::version_compare(version, "4.7")>=0) { compiler->output << "match in "; _printInterface(rule); _printProtocol(osrv); compiler->output << "from "; _printREAddr( osrcrel ); compiler->output << "to "; _printREAddr( odstrel ); _printPort(osrv, true); compiler->output << "rdr-to "; _printREAddr( tdstrel ); _printPort(tsrv, false); _printNATRuleOptions(rule); compiler->output << endl; } else { compiler->output << "rdr "; _printInterface(rule); _printProtocol(osrv); compiler->output << "from "; _printREAddr( osrcrel ); compiler->output << "to "; _printREAddr( odstrel ); _printPort(osrv, true); compiler->output << "-> "; _printREAddr( tdstrel ); _printPort(tsrv, false); _printNATRuleOptions(rule); compiler->output << endl; } break; } case NATRule::NATBranch: { RuleSet *ruleset = rule->getBranch(); string ruleset_name; if (ruleset!=NULL) { ruleset_name = ruleset->getName(); } else { compiler->abort( rule, "Branching rule refers ruleset that does not exist"); // in test mode compiler->abort() does not really abort the program ruleset_name = "UNKNOWN"; } if (XMLTools::version_compare(version, "4.6")>=0) { _printAnchorRule("anchor", ruleset_name, rule); } else { _printAnchorRule("nat-anchor", ruleset_name, rule); _printAnchorRule("rdr-anchor", ruleset_name, rule); } } break; default: break; } return true; } void 
NATCompiler_pf::PrintRule::_printAnchorRule(const string &anchor_command, const std::string &ruleset_name, NATRule *rule) { RuleElementOSrc *osrcrel = rule->getOSrc(); RuleElementODst *odstrel = rule->getODst(); RuleElementOSrv *osrvrel = rule->getOSrv(); Service *osrv = compiler->getFirstOSrv(rule); compiler->output << anchor_command << " \"" << ruleset_name << "\" "; _printInterface(rule); if (!osrvrel->isAny() || !osrcrel->isAny() || !odstrel->isAny()) { _printProtocol(osrv); compiler->output << "from "; _printREAddr( osrcrel ); compiler->output << "to "; _printREAddr( odstrel ); _printPort(osrv, true); } compiler->output << endl; } void NATCompiler_pf::PrintRule::_printProtocol(Service *srv) { // CustomService returns protocol name starting with v3.0.4 if (CustomService::isA(srv)) { // check if the code string for this custom service already includes // "proto ..." fragment string code = CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName()); std::size_t minus_p = code.find("proto "); if (minus_p != string::npos) return; } if (!srv->isAny() && !TagService::isA(srv) && !UserService::isA(srv) && srv->getProtocolName()!="ip") { compiler->output << "proto "; compiler->output << srv->getProtocolName(); compiler->output << " "; } } /* * print port numbers for the service. For most platforms that inherit * classes for PF this is sufficient, but PF itself also supports * TagService and this method prints "tagged" keyword for it as well. * Arg controls which side of the "->" this service is on. On * the right hand side PF supports shortcut spec 'NNNN:*', but it is * not allowed on the left hand side. Also keyword "tagged" is only * allowed on the left hand side of "->". 
*/ void NATCompiler_pf::PrintRule::_printPort(Service *srv, bool lhs) { if (TCPUDPService::cast(srv)) { int drs = TCPUDPService::cast(srv)->getDstRangeStart(); int dre = TCPUDPService::cast(srv)->getDstRangeEnd(); if (drs!=0) { compiler->output << "port " << drs; if (dre!=0 && dre!=drs) { if (lhs) compiler->output << ":" << dre; else compiler->output << ":*"; } } compiler->output << " "; } if (lhs && TagService::isA(srv)) { compiler->output << "tagged " << TagService::constcast(srv)->getCode() << " "; } } /* * Print port range spec using source ports of the given service object */ void NATCompiler_pf::PrintRule::_printSrcPort(Service *srv, bool lhs) { if (TCPUDPService::cast(srv)) { int srs = TCPUDPService::cast(srv)->getSrcRangeStart(); int sre = TCPUDPService::cast(srv)->getSrcRangeEnd(); if (srs!=0) { compiler->output << "port " << srs; if (sre != 0 && sre != srs) { if (lhs) compiler->output << ":" << sre; else compiler->output << ":*"; } compiler->output << " "; } } } void NATCompiler_pf::PrintRule::_printNegation(RuleElement *rel) { if (rel->getNeg()) compiler->output << "! 
"; } void NATCompiler_pf::PrintRule::_printREAddr(RuleElement *rel) { FWObject *o=rel->front(); if (o && FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); // Address *addr= Address::cast(o); _printNegation(rel); if (rel->size()==1) { _printAddr(o); } else { _printAddrList(rel, rel->getNeg()); } } void NATCompiler_pf::PrintRule::_printAddrList(FWObject *grp,bool ) { compiler->output << "{ "; for (FWObject::iterator i=grp->begin(); i!=grp->end(); i++) { if (i!=grp->begin()) compiler->output << ", "; FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); _printAddr(o); } compiler->output << "} "; } void NATCompiler_pf::PrintRule::_printAddr(FWObject *o) { MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL) { if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME) { compiler->output << atrt->getSourceName() << " "; return; } if (atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) { compiler->output << "<" << o->getName() << "> "; return; } if (atrt->getSubstitutionTypeName()==AttachedNetworks::TYPENAME) { compiler->output << atrt->getSourceName() << ":network "; return ; } assert(atrt==NULL); } if (Interface::cast(o)!=NULL) { compiler->output << "(" << o->getName() << ") "; return; } if (o->getBool("pf_table")) { compiler->output << "<" << o->getName() << "> "; return; } Address *addr_obj = Address::cast(o); assert(addr_obj!=NULL); const InetAddr *addr = addr_obj->getAddressPtr(); if (addr) { InetAddr mask = *(addr_obj->getNetmaskPtr()); if (Interface::cast(o)!=NULL || Address::cast(o)->dimension()==1) { mask = InetAddr(InetAddr::getAllOnes()); } if (addr->isAny() && mask.isAny()) { compiler->output << "any "; } else { compiler->output << addr->toString(); if (!mask.isHostMask()) { compiler->output << "/" << mask.getLength(); } compiler->output << " "; } } } void NATCompiler_pf::PrintRule::_printNATRuleOptions(Rule *rule) { FWOptions *ruleopt =rule->getOptionsObject(); if 
(ruleopt->getBool("pf_bitmask")) compiler->output << "bitmask "; if (ruleopt->getBool("pf_random")) compiler->output << "random "; if (ruleopt->getBool("pf_source_hash")) compiler->output << "source-hash "; if (ruleopt->getBool("pf_round_robin")) compiler->output << "round-robin "; if (ruleopt->getBool("pf_static_port")) compiler->output << "static-port "; } bool NATCompiler_pf::PrintTables::processNext() { NATCompiler_pf *pf_comp=dynamic_cast(compiler); slurp(); if (tmp_queue.size()==0) return false; /* print tables */ compiler->output << pf_comp->tables->PrintTables(); return true; } fwbuilder-5.3.7/src/pflib/OSConfigurator_bsd.cpp000066400000000000000000000143001303637203600216350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002-2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "Configlet.h" #include "OSConfigurator_bsd.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/XMLTools.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string OSConfigurator_bsd::myPlatformName() { return "BSD"; } string OSConfigurator_bsd::getInterfaceVarName(FWObject *iface) { return string("i_") + iface->getName(); } string OSConfigurator_bsd::printKernelVarsCommands() { return ""; } void OSConfigurator_bsd::addVirtualAddressForNAT(const Network*) { } /** * This method is called from NATCompiler_pf::addVirtualAddress::processNext() */ void OSConfigurator_bsd::addVirtualAddressForNAT(const Address *addr) { FWObject *iaddr = findAddressFor(addr, fw ); if (iaddr!=NULL) { virtual_addresses.insert(addr->getId()); } else warning("Can not add virtual address " + addr->getAddressPtr()->toString() ); } int OSConfigurator_bsd::prolog() { return 0; } string OSConfigurator_bsd::printFunctions() { ostringstream ostr; FWOptions* options = fw->getOptionsObject(); string host_os = fw->getStr("host_OS"); string version = fw->getStr("version"); Configlet functions(fw, "bsd", "shell_functions"); functions.removeComments(); functions.setVariable("dyn_addr", options->getBool("dynAddr")); if (options->getBool("dynAddr")) { /* * get addresses of dynamic interfaces */ QString script_buffer; QTextStream ostr(&script_buffer, QIODevice::WriteOnly); FWObjectTypedChildIterator j=fw->findByType(Interface::TYPENAME); for ( ; j!=j.end(); ++j ) { 
Interface *iface=Interface::cast(*j); if ( iface->isDyn() ) { /* if interface name ends with '*', this is a wildcard interface. Do * not get its address at this time. * * Do we support wildcard interfaces on *BSD at all ? */ if (iface->getName().find("*")==string::npos) ostr << "getaddr " << iface->getName().c_str() << " " << getInterfaceVarName(iface).c_str() << "\n"; } } functions.setVariable("get_dyn_addr_commands", script_buffer); } else functions.setVariable("get_dyn_addr_commands", ""); ostr << functions.expand().toStdString(); if ( options->getBool("configure_interfaces") ) { Configlet update_addresses(fw, "bsd", "update_addresses"); update_addresses.removeComments(); update_addresses.setVariable("freebsd", host_os == "freebsd"); update_addresses.setVariable("openbsd", host_os == "openbsd"); ostr << update_addresses.expand().toStdString(); } if ( options->getBool("configure_vlan_interfaces") ) { Configlet update_vlans(fw, "bsd", "update_vlans"); update_vlans.removeComments(); update_vlans.setVariable("freebsd", host_os == "freebsd"); update_vlans.setVariable("openbsd", host_os == "openbsd"); ostr << update_vlans.expand().toStdString(); } if (options->getBool("configure_bridge_interfaces")) { Configlet update_bridge(fw, "bsd", "update_bridge"); update_bridge.removeComments(); update_bridge.setVariable("freebsd", host_os == "freebsd"); if (host_os == "openbsd") { update_bridge.setVariable("openbsd", true); update_bridge.setVariable("openbsd_lt_47", XMLTools::version_compare(version, "4.7")<0); update_bridge.setVariable("openbsd_ge_47", XMLTools::version_compare(version, "4.7")>=0); } ostr << update_bridge.expand().toStdString(); } if ( options->getBool("configure_carp_interfaces") ) { Configlet update_carp(fw, "bsd", "update_carp"); update_carp.removeComments(); update_carp.setVariable("freebsd", host_os == "freebsd"); update_carp.setVariable("openbsd", host_os == "openbsd"); ostr << update_carp.expand().toStdString(); } if ( 
options->getBool("configure_pfsync_interfaces") ) { Configlet update_pfsync(fw, "bsd", "update_pfsync"); update_pfsync.removeComments(); update_pfsync.setVariable("freebsd", host_os == "freebsd"); update_pfsync.setVariable("openbsd", host_os == "openbsd"); ostr << update_pfsync.expand().toStdString(); } return ostr.str(); } void OSConfigurator_bsd::setKernelVariable(Firewall *fw, const string &var_name, Configlet *configlet) { FWOptions* options = fw->getOptionsObject(); string s; s = options->getStr(var_name); if (!s.empty()) { configlet->setVariable(QString("have_") + var_name.c_str(), 1); configlet->setVariable(var_name.c_str(), s=="1" || s=="on" || s=="On"); } } fwbuilder-5.3.7/src/pflib/OSConfigurator_bsd.h000066400000000000000000000105511303637203600213060ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002,2009 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _OSCONFIGURATOR_BSD_HH #define _OSCONFIGURATOR_BSD_HH #include "config.h" #include "fwcompiler/OSConfigurator.h" #include #include #include class Configlet; namespace libfwbuilder { class Firewall; class Interface; class StateSyncClusterGroup; } namespace fwcompiler { class OSConfigurator_bsd : public OSConfigurator { protected: QMap interface_configuration_lines; QStringList cloned_interfaces; std::set virtual_addresses; virtual void setKernelVariable(libfwbuilder::Firewall *fw, const std::string &var_name, Configlet *configlet); // functions that generate interface address configuration virtual void summaryConfigLineIP(QStringList intf_names, bool ipv6); virtual void interfaceConfigLineIP( libfwbuilder::Interface *iface, std::list > all_addresses); // functions that generate VLAN configuration virtual void summaryConfigLineVlan(QStringList vlan_names); virtual void interfaceConfigLineVlan( libfwbuilder::Interface *iface, const std::list &vlan_subinterfaces); // functions that generate bridge configuration virtual void summaryConfigLineBridge(QStringList vlan_names); virtual void interfaceConfigLineBridge( libfwbuilder::Interface *iface, QStringList vlan_names); // functions that generate CARP interface configuration virtual void summaryConfigLineCARP(QStringList carp_names); virtual void interfaceConfigLineCARP(libfwbuilder::Interface *iface, libfwbuilder::FWObject *failover_group); virtual void interfaceConfigLineCARPInternal( libfwbuilder::Interface *iface, libfwbuilder::FWObject *failover_group, Configlet *configlet); // functions that generate pfsync interface configuration virtual void summaryConfigLinePfsync(bool have_pfsync); virtual void interfaceConfigLinePfsync( libfwbuilder::Interface *iface, libfwbuilder::StateSyncClusterGroup *sync_group); // this function generates additional ifconfig 
parameters virtual void interfaceIfconfigLine(libfwbuilder::Interface *iface); virtual QString interfaceIfconfigLineInternal(libfwbuilder::Interface *iface, Configlet *configlet); virtual QString printAllInterfaceConfigurationLines(); public: virtual ~OSConfigurator_bsd() {}; OSConfigurator_bsd(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy) : OSConfigurator(_db, fw, ipv6_policy) {} virtual int prolog(); virtual std::string myPlatformName(); virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr); virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw); virtual std::string printFunctions(); virtual std::string printKernelVarsCommands(); virtual std::string configureInterfaces(); std::string getInterfaceVarName(libfwbuilder::FWObject *iface); virtual void processFirewallOptions() {} }; }; #endif fwbuilder-5.3.7/src/pflib/OSConfigurator_bsd_interfaces.cpp000066400000000000000000000571231303637203600240520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "Configlet.h" #include "OSConfigurator_bsd.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string OSConfigurator_bsd::configureInterfaces() { FWOptions* options = fw->getOptionsObject(); // Update vlans first because we may need to update ip addresses // on vlan interfaces later if ( options->getBool("configure_vlan_interfaces") ) { // http://blog.scottlowe.org/2007/08/31/vlan-interfaces-with-openbsd-41/ // ifconfig vlan vlandev QStringList all_physical_interfaces; QMap parent_interfaces; QMap > vlans; QStringList all_vlan_interfaces; // all vlan interfaces FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); for ( ; i!=i.end(); ++i ) { Interface *iface = Interface::cast(*i); assert(iface); QString iface_name = iface->getName().c_str(); parent_interfaces[iface_name] = iface; all_physical_interfaces << iface_name; FWObjectTypedChildIterator si=iface->findByType(Interface::TYPENAME); for ( ; si!=si.end(); ++si ) { Interface *subinterface = Interface::cast(*si); assert(subinterface); if (subinterface->getOptionsObject()->getStr("type") == "8021q") { vlans[iface_name].push_back(subinterface); all_vlan_interfaces << subinterface->getName().c_str(); } } } // sort interfaces by name all_vlan_interfaces.sort(); all_physical_interfaces.sort(); // issue sync_vlan_interfaces command even if there are no vlans // since it deletes them on the firewall if they exist 
summaryConfigLineVlan(all_vlan_interfaces); foreach (QString iface_name, all_physical_interfaces) { Interface *iface = parent_interfaces[iface_name]; list vlan_subinterfaces = vlans[iface_name]; if (vlan_subinterfaces.size() > 0) interfaceConfigLineVlan(iface, vlan_subinterfaces); } } if (options->getBool("configure_bridge_interfaces")) { list all_bridges = fw->getInterfacesByType("bridge"); QStringList all_bridge_interfaces; QMap bridge_interfaces_by_name; QMap bridge_ports; for (list::iterator it=all_bridges.begin(); it!=all_bridges.end(); ++it) { Interface *iface = Interface::cast(*it); assert(iface); QString iface_name = iface->getName().c_str(); all_bridge_interfaces << iface_name; bridge_interfaces_by_name[iface_name] = iface; FWObjectTypedChildIterator si = iface->findByType(Interface::TYPENAME); for ( ; si!=si.end(); ++si ) { Interface *subinterface = Interface::cast(*si); assert(subinterface); bridge_ports[iface_name] << subinterface->getName().c_str(); } } // sort interfaces by name all_bridge_interfaces.sort(); summaryConfigLineBridge(all_bridge_interfaces); foreach (QString iface_name, all_bridge_interfaces) { Interface *iface = bridge_interfaces_by_name[iface_name]; if (bridge_ports.size() > 0) interfaceConfigLineBridge(iface, bridge_ports[iface_name]); } } if ( options->getBool("configure_carp_interfaces") ) { /* * Compiler::processFailoverGroup copies interfaces of the cluster to * the member firewall objects. This means when we scan interfaces of * the firewall here, we get both its normal interfaces and a copy of * cluster interfaces. * */ QStringList carp_interfaces; QMap carp_interfaces_by_name; QMap failover_groups; FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); for ( ; i!=i.end(); ++i ) { Interface *iface = Interface::cast(*i); assert(iface); QString iface_name = iface->getName().c_str(); if ( ! 
iface->isFailoverInterface()) continue; FWObject *failover_group = iface->getFirstByType(FailoverClusterGroup::TYPENAME); if (failover_group && failover_group->getStr("type") == "carp") { carp_interfaces << iface_name; carp_interfaces_by_name[iface_name] = iface; failover_groups[iface_name] = failover_group; } } // sort interfaces by name carp_interfaces.sort(); // issue "sync_carp_interfaces" call even when we have none, it will // delete those that might exist on the firewall summaryConfigLineCARP(carp_interfaces); foreach (QString iface_name, carp_interfaces) { Interface *iface = carp_interfaces_by_name[iface_name]; FWObject* failover_group = failover_groups[iface_name]; interfaceConfigLineCARP(iface, failover_group); } } if ( options->getBool("configure_interfaces") ) { std::auto_ptr int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject( fw->getStr("host_OS"))); list all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); all_interfaces.sort(); QStringList configure_intf_commands; QStringList intf_names; QStringList ipv6_names; QStringList all_names; QMap > > all_addresses; QMap interfaces_by_name; for (list::iterator i=all_interfaces.begin(); i != all_interfaces.end(); ++i ) { Interface *iface = Interface::cast(*i); assert(iface); QString iface_name = iface->getName().c_str(); interfaces_by_name[iface_name] = iface; all_names << iface_name; QStringList update_addresses; QStringList ignore_addresses; if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses)) { // unfortunately addresses in update_addresses are in // the form of address/masklen but OpenBSD ifconfig // uses hex netmask representation and so should we. // Will ignore update_addresses and ignore_addresses and // build our own list here. Returned value of manageIpAddresses() // is useful though. 
list all_addr = iface->getByType(IPv4::TYPENAME); list all_ipv6 = iface->getByType(IPv6::TYPENAME); all_addr.insert(all_addr.begin(), all_ipv6.begin(), all_ipv6.end()); bool have_ipv6 = false; const InetAddr *netmask = iface->getNetmaskPtr(); list > iface_all_addresses; for (list::iterator j = all_addr.begin(); j != all_addr.end(); ++j) { Address *iaddr = Address::cast(*j); const InetAddr *ipaddr = iaddr->getAddressPtr(); const InetAddr *ipnetm = iaddr->getNetmaskPtr(); iface_all_addresses.push_back( pair(*ipaddr, *ipnetm)); if (ipaddr->isV6()) have_ipv6 = true; } set::iterator it; for (it=virtual_addresses.begin(); it!=virtual_addresses.end(); ++it) { const Address *addr = Address::constcast(dbcopy->findInIndex(*it)); const InetAddr *ipaddr = addr->getAddressPtr(); FWObject *iaddr = findAddressFor(addr, fw ); if (iaddr!=NULL) { Interface *iface_2 = Interface::cast(iaddr->getParent()); if (iface_2 == iface) { iface_all_addresses.push_back( pair(*ipaddr, *netmask)); if (ipaddr->isV6()) have_ipv6 = true; } } } // see #2032. About interfaces with no addresses: // // - when we generate rc.conf file, we should add line // "ifconfig_em0="DHCP"" for dynamic interfaces, so we should // include them in the management list as well. // // Note that int_prop returns false for dynamic interfaces on // OpenBSD because we do not support rc.conf format for it atm // and should not try to manage dynamic interfaces in the shell // script format. // intf_names << iface_name; if (have_ipv6) ipv6_names << iface_name; all_addresses[iface_name] = iface_all_addresses; } } // sort interfaces by name all_names.sort(); // remove duplicates. 
We get duplicates in all_names when an // interface appears twice, once as a bridge port and another time as // vlan parent interface // // Note that QStringList::removeDuplicates() is only available in Qt 4.5 // all_names.removeDuplicates(); QStringList deduplicated_names; QString prev; foreach(QString name, all_names) { if (name != prev) deduplicated_names << name; prev = name; } all_names = deduplicated_names; ipv6_names.sort(); intf_names.sort(); summaryConfigLineIP(ipv6_names, true); summaryConfigLineIP(intf_names, false); foreach (QString iface_name, all_names) { interfaceConfigLineIP(interfaces_by_name[iface_name], all_addresses[iface_name]); } for (list::iterator i=all_interfaces.begin(); i != all_interfaces.end(); ++i ) { Interface *iface = Interface::cast(*i); assert(iface); interfaceIfconfigLine(iface); } } if ( options->getBool("configure_pfsync_interfaces") ) { bool have_pfsync_interfaces = false; QStringList pfsync_output; FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); for ( ; i!=i.end(); ++i) { Interface *iface = Interface::cast(*i); assert(iface); if ( ! 
iface->getOptionsObject()->getBool("state_sync_group_member")) continue; int state_sync_group_id = FWObjectDatabase::getIntId( iface->getOptionsObject()->getStr("state_sync_group_id")); StateSyncClusterGroup *state_sync_group = StateSyncClusterGroup::cast(dbcopy->findInIndex(state_sync_group_id)); assert(state_sync_group!=NULL); // Interface can be state sync group member, but of a different type if (state_sync_group->getStr("type") != "pfsync") continue; have_pfsync_interfaces = true; summaryConfigLinePfsync(have_pfsync_interfaces); interfaceConfigLinePfsync(iface, state_sync_group); break; } if (!have_pfsync_interfaces) summaryConfigLinePfsync(false); } return printAllInterfaceConfigurationLines().toStdString(); } void OSConfigurator_bsd::interfaceIfconfigLine(Interface *iface) { QString iface_name = iface->getName().c_str(); Configlet configlet(fw, "bsd", "ifconfig_interface"); QString config_lines = interfaceIfconfigLineInternal(iface, &configlet); if (!config_lines.isEmpty()) interface_configuration_lines[iface_name] << config_lines; } /* * If user configured mtu and free-form ifconfig options in the GUI, * add ifconfig command to execute them. * * TODO: Add a checkbox "up" in interface dialog, it should be on by * default. 
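*/
QString OSConfigurator_bsd::interfaceIfconfigLineInternal(Interface *iface,
                                                          Configlet *configlet)
{
    QString iface_name = iface->getName().c_str();

    configlet->removeComments();
    configlet->collapseEmptyStrings(true);
    configlet->setVariable("interface_name", iface_name);

    FWOptions *ifopt = iface->getOptionsObject();
    assert(ifopt != NULL);

    // Becomes true as soon as at least one thing needs an extra ifconfig call;
    // with nothing to set we return an empty string and no line is emitted.
    bool need_additional_ifconfig = false;

    // MTU is only rendered when the user enabled it AND gave a positive value;
    // "have_mtu" tells the configlet which branch to render.
    if (ifopt->getBool("iface_configure_mtu") && ifopt->getInt("iface_mtu") > 0)
    {
        configlet->setVariable("have_mtu", true);
        configlet->setVariable("mtu", ifopt->getInt("iface_mtu"));
        need_additional_ifconfig = true;
    } else
    {
        configlet->setVariable("have_mtu", false);
        configlet->setVariable("mtu", "");
    }

    // "iface_options" is the free-form ifconfig text entered in the GUI. It is
    // passed through as typed (simplified() only collapses whitespace), i.e.
    // it is not quoted or escaped before it lands in the generated script.
    QString options;
    if (!ifopt->getStr("iface_options").empty())
    {
        options = ifopt->getStr("iface_options").c_str();
        need_additional_ifconfig = true;
    }
    configlet->setVariable("options", options.simplified());

    if (need_additional_ifconfig) return configlet->expand();
    return "";
}

// The generic BSD configurator emits no summary line for IP configuration;
// OSConfigurator_freebsd overrides this for the rc.conf format.
void OSConfigurator_bsd::summaryConfigLineIP(QStringList , bool )
{
}

/*
 * Queue an "update_addresses_of_interface" command for one interface.
 * all_addresses holds (address, netmask) pairs; IPv4 masks are rendered in
 * hex because that is what ifconfig on OpenBSD prints and expects.
 * Dynamic interfaces are skipped entirely.
 */
void OSConfigurator_bsd::interfaceConfigLineIP(
    Interface *iface, list<pair<InetAddr, InetAddr> > all_addresses)
{
    if (iface->isDyn()) return;

    QStringList arg1;
    arg1 << iface->getName().c_str();

    for (list<pair<InetAddr, InetAddr> >::iterator j = all_addresses.begin();
         j != all_addresses.end(); ++j)
    {
        InetAddr ipaddr = j->first;
        InetAddr ipnetm = j->second;

        if (ipaddr.isV6())
            arg1.push_back(QString("%1/%2").arg(ipaddr.toString().c_str())
                           .arg(ipnetm.getLength()));
        else
        {
            /* on OpenBSD ifconfig prints netmask of ipv4 addresses in hex

               # ifconfig em0
               em0: flags=8843 mtu 1500
                   lladdr 00:0c:29:83:4d:2f
                   media: Ethernet autoselect (1000baseT full-duplex,master)
                   status: active
                   inet 10.1.1.50 netmask 0xffffff00 broadcast 10.1.1.255
                   inet6 fe80::20c:29ff:fe83:4d2f%em0 prefixlen 64 scopeid 0x2
             */
            // Build the mask by shifting set bits in from the top, one per
            // prefix bit. The shifted literal is unsigned on purpose: 1<<31
            // overflows a signed int and its value is not portably defined.
            int nbits = ipnetm.getLength();
            uint32_t netm = 0;
            while (nbits)
            {
                netm = netm >> 1;
                netm |= 1u<<31;
                nbits--;
            }
            arg1 << QString("%1/0x%2")
                .arg(ipaddr.toString().c_str()).arg(netm, -8, 16);
        }
    }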
QString cmd = QString("update_addresses_of_interface \"%1\" \"\"") .arg(arg1.join(" ")); interface_configuration_lines[iface->getName().c_str()] << cmd; } void OSConfigurator_bsd::summaryConfigLineVlan(QStringList vlan_names) { interface_configuration_lines["1_should_sort_before_interfaces_"] << QString("sync_vlan_interfaces %1").arg(vlan_names.join(" ")); } void OSConfigurator_bsd::interfaceConfigLineVlan( Interface *iface, const list &vlan_subinterfaces) { QStringList vlan_names; list::const_iterator it; for (it=vlan_subinterfaces.begin(); it!=vlan_subinterfaces.end(); ++it) { QString vlan_intf_name = (*it)->getName().c_str(); int vlan_id = (*it)->getOptionsObject()->getInt("vlan_id"); vlan_names << QString("%1:%2").arg(vlan_intf_name).arg(vlan_id); } interface_configuration_lines[iface->getName().c_str()] << QString("update_vlans_of_interface \"%1 %2\"") .arg(iface->getName().c_str()) .arg(vlan_names.join(" ")); } void OSConfigurator_bsd::summaryConfigLineBridge(QStringList bridge_names) { interface_configuration_lines["1_should_sort_before_interfaces_"] << QString("sync_bridge_interfaces %1").arg(bridge_names.join(" ")); } void OSConfigurator_bsd::interfaceConfigLineBridge(Interface *iface, QStringList bridge_port_names) { QString iface_name = iface->getName().c_str(); FWOptions *ifopt = iface->getOptionsObject(); assert(ifopt != NULL); bool enable_stp = ifopt->getBool("enable_stp"); Configlet bridge_configlet(fw, "bsd", "bridge_interface"); bridge_configlet.removeComments(); bridge_configlet.collapseEmptyStrings(true); bridge_configlet.setVariable("bridge_interface", iface_name); bridge_configlet.setVariable("bridge_ports", bridge_port_names.join(" ")); interface_configuration_lines[iface_name] << bridge_configlet.expand(); foreach (QString bridge_port, bridge_port_names) { Configlet port_configlet(fw, "bsd", "bridge_port"); port_configlet.removeComments(); port_configlet.collapseEmptyStrings(true); port_configlet.setVariable("bridge_interface", iface_name); 
port_configlet.setVariable("bridge_port", bridge_port); port_configlet.setVariable("stp_off", !enable_stp); interface_configuration_lines[iface_name] << port_configlet.expand(); } } void OSConfigurator_bsd::summaryConfigLineCARP(QStringList carp_names) { interface_configuration_lines["1_should_sort_before_interfaces_"] << QString("sync_carp_interfaces %1").arg(carp_names.join(" ")); } void OSConfigurator_bsd::interfaceConfigLineCARP(Interface *iface, FWObject *failover_group) { Configlet configlet(fw, "bsd", "carp_interface"); interfaceConfigLineCARPInternal(iface, failover_group, &configlet); } void OSConfigurator_bsd::interfaceConfigLineCARPInternal( Interface *iface, FWObject *failover_group, Configlet *configlet) { // failover_master and base_device are set in Compiler::processFailoverGroup FWOptions *ifopt = (Interface::cast(iface))->getOptionsObject(); assert(ifopt != NULL); bool master = ifopt->getBool("failover_master"); string base_interface = ifopt->getStr("base_device"); QStringList carp_interfaces; carp_interfaces.push_back(iface->getName().c_str()); FWOptions *failover_opts = FailoverClusterGroup::cast(failover_group)->getOptionsObject(); string carp_password = failover_opts->getStr("carp_password"); //if (carp_password.empty()) carp_password = "\"\""; int vhid = failover_opts->getInt("carp_vhid"); // use the same default as the one we use in // setDefaultFailoverGroupAttributes() in platforms.cpp if (vhid < 0) vhid = 1; int advbase = failover_opts->getInt("carp_advbase"); int master_advskew = failover_opts->getInt("carp_master_advskew"); int default_advskew = failover_opts->getInt("carp_default_advskew"); if (master_advskew < 0) master_advskew = 0; if (default_advskew < 0) default_advskew = 0; if (master_advskew == default_advskew) default_advskew++; int use_advskew; if (master) use_advskew = master_advskew; else use_advskew = default_advskew; configlet->removeComments(); configlet->collapseEmptyStrings(true); configlet->setVariable("carp_interface", 
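iface->getName().c_str());
    configlet->setVariable("have_advbase", advbase > 1);
    configlet->setVariable("advbase", advbase);
    configlet->setVariable("have_advskew", use_advskew > 0);
    configlet->setVariable("advskew", use_advskew);
    // The misspelled "inetrface" names are the variable names the
    // bsd/carp_interface configlet expects; they must stay as they are.
    configlet->setVariable("have_base_inetrface", !base_interface.empty());
    configlet->setVariable("base_inetrface", base_interface.c_str());
    // The CARP password is expanded in clear text into the generated
    // configuration lines (presumably as an ifconfig argument); the output
    // file therefore carries a secret and should be protected accordingly.
    configlet->setVariable("carp_password", carp_password.c_str());
    configlet->setVariable("have_password", !carp_password.empty());
    configlet->setVariable("vhid", vhid);

    interface_configuration_lines[iface->getName().c_str()] << configlet->expand();
}

/*
 * Summary line for pfsync. It is emitted even when have_pfsync is false;
 * the vlan and carp counterparts are documented as doing this so that the
 * script can remove interfaces that exist on the firewall but not in the
 * configuration, and presumably the same applies here.
 */
void OSConfigurator_bsd::summaryConfigLinePfsync(bool have_pfsync)
{
    interface_configuration_lines["1_should_sort_before_interfaces_"]
        << QString("sync_pfsync_interfaces %1").arg(have_pfsync?"pfsync0":"");
}

/*
 * http://www.kernel-panic.it/openbsd/carp/index.html
 * http://www.openbsd.org/faq/pf/carp.html
 * pfsync configuration:
 *
 *  ifconfig pfsyncN syncdev syncdev [syncpeer syncpeer]
 *
 * iface is the local syncdev; when the state sync group has the "syncpeer"
 * option, the IPv4 address of the other member interface in the group is
 * used as syncpeer.
 */
void OSConfigurator_bsd::interfaceConfigLinePfsync(
    Interface *iface, StateSyncClusterGroup *state_sync_group)
{
    Configlet configlet(fw, "bsd", "pfsync_interface");
    configlet.removeComments();
    configlet.collapseEmptyStrings(true);
    configlet.setVariable("syncdev", iface->getName().c_str());

    if (state_sync_group->getOptionsObject()->getBool("syncpeer"))
    {
        for (FWObjectTypedChildIterator it =
                 state_sync_group->findByType(FWObjectReference::TYPENAME);
             it != it.end(); ++it)
        {
            Interface *cluster_iface = Interface::cast(
                FWObjectReference::getObject(*it));
            assert(cluster_iface);
            if (cluster_iface->getId() == iface->getId()) continue;

            // A member interface with no IPv4 address would otherwise be
            // dereferenced through a NULL pointer here; warn and skip it.
            IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME));
            if (ipv4 == NULL)
            {
                warning("Can not determine pfsync syncpeer: interface " +
                        cluster_iface->getName() + " has no IPv4 address");
                continue;
            }
            const InetAddr *addr = ipv4->getAddressPtr();

            // Each iteration overwrites "syncpeer"; if the group lists more
            // than one other interface, the last one wins.
            configlet.setVariable("have_syncpeer", 1);
            configlet.setVariable("syncpeer", addr->toString().c_str());
        }
    }

    interface_configuration_lines[iface->getName().c_str()] << configlet.expand();
}

/*
 * I need to sort interfaces by name but make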
sure carp and bridge
 * interfaces are always last. See #1807 and #2104
 */

// Sort key for an interface name: plain names sort as themselves, while
// bridge, carp and pfsync interfaces get a prefix that places them after all
// plain names, in that order.
static QString interface_sort_key(const QString &name)
{
    if (name.startsWith("bridge")) return "x_" + name;
    if (name.startsWith("carp")) return "y_" + name;
    if (name.startsWith("pfsync")) return "z_" + name;
    return name;
}

// Comparator used with qSort below.
bool sort_interface_names(QString a, QString b)
{
    return interface_sort_key(a) < interface_sort_key(b);
}

// Join all queued configuration lines, one group per interface, in the
// order defined by sort_interface_names.
QString OSConfigurator_bsd::printAllInterfaceConfigurationLines()
{
    QStringList keys = interface_configuration_lines.keys();
    qSort(keys.begin(), keys.end(), sort_interface_names);

    QStringList blocks;
    for (QStringList::const_iterator k = keys.begin(); k != keys.end(); ++k)
        blocks << interface_configuration_lines[*k].join("\n");

    return blocks.join("\n");
}
fwbuilder-5.3.7/src/pflib/OSConfigurator_freebsd.cpp000066400000000000000000000412011303637203600224770ustar00rootroot00000000000000
/*

                          Firewall Builder

                 Copyright (C) 2002-2011 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
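To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

/*
 * NOTE(review): the angle-bracket #include names of this file were lost in
 * extraction; the standard headers listed here are the ones the code below
 * visibly needs (assert, uint32_t, std::auto_ptr, std::string/list/pair).
 */
#include <assert.h>
#include <stdint.h>

#include "OSConfigurator_freebsd.h"
#include "Configlet.h"
#include "interfaceProperties.h"
#include "interfacePropertiesObjectFactory.h"

#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/StateSyncClusterGroup.h"

#include <memory>
#include <string>
#include <list>
#include <utility>

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

// Platform name used by the generic code for headers and diagnostics.
string OSConfigurator_freebsd::myPlatformName()
{
    return "FreeBSD";
}

/*
 * Expand the kernel-variable configlet for this firewall.
 *
 * With the "generate_rc_conf_file" firewall option the FreeBSD rc.conf
 * configlet is used (variables for /etc/rc.conf); otherwise the generic BSD
 * configlet is used (sysctl commands in the generated script).
 *
 * Returns the expanded configlet text.
 */
string OSConfigurator_freebsd::printKernelVarsCommands()
{
    FWOptions *options = fw->getOptionsObject();
    const bool rc_conf = options->getBool("generate_rc_conf_file");

    std::auto_ptr<Configlet> kernel_vars(
        rc_conf ? new Configlet(fw, "freebsd", "rc_conf_kernel_vars")
                : new Configlet(fw, "bsd", "kernel_vars"));
    kernel_vars->removeComments();

    setKernelVariable(fw, "freebsd_ip_forward", kernel_vars.get());
    setKernelVariable(fw, "freebsd_ipv6_forward", kernel_vars.get());
    setKernelVariable(fw, "freebsd_ip_sourceroute", kernel_vars.get());
    // Left disabled as in the original; the OpenBSD and Mac OS X
    // configurators in this directory do emit their *_ip_redirect variable.
    //setKernelVariable(fw, "freebsd_ip_redirect", kernel_vars.get());

    return kernel_vars->expand().toStdString();
}

/*
 * Set one kernel variable in the configlet.
 *
 * In rc.conf mode the firewall option value is mapped to "YES"/"NO" and a
 * "have_<var>" flag is raised so that the configlet prints only the
 * variables the user configured.  Only "1", "on" and "On" count as true;
 * every other non-empty value (e.g. "yes", "ON") becomes "NO" -- this is
 * the original behaviour and is kept.  In script mode the generic BSD
 * implementation is used unchanged.
 */
void OSConfigurator_freebsd::setKernelVariable(Firewall *fw,
                                               const string &var_name,
                                               Configlet *configlet)
{
    FWOptions *options = fw->getOptionsObject();
    if (!options->getBool("generate_rc_conf_file"))
    {
        OSConfigurator_bsd::setKernelVariable(fw, var_name, configlet);
        return;
    }

    const string s = options->getStr(var_name);
    if (s.empty()) return;

    const bool on = (s == "1" || s == "on" || s == "On");
    configlet->setVariable(QString("have_") + var_name.c_str(), 1);
    configlet->setVariable(QString(var_name.c_str()), QString(on ? "YES" : "NO"));
}

// No platform-specific prolog; everything is driven by the per-interface
// hooks below and by OSConfigurator_bsd.
int OSConfigurator_freebsd::prolog()
{
    //printPathForAllTools("freebsd");
    //printFunctions();
    //processFirewallOptions();
    //configureInterfaces();
    return 0;
}

/*
 * rc.conf mode only: emit the network_interfaces / ipv6_network_interfaces
 * list.  The map key sorts before the per-interface keys so the list comes
 * first in the output.  In script mode nothing is emitted here (the base
 * class is deliberately not called, as in the original).
 */
void OSConfigurator_freebsd::summaryConfigLineIP(QStringList names, bool ipv6)
{
    FWOptions *options = fw->getOptionsObject();
    if (!options->getBool("generate_rc_conf_file") || names.isEmpty()) return;

    const char *var = ipv6 ? "ipv6_network_interfaces" : "network_interfaces";
    interface_configuration_lines["1_should_sort_before_interfaces_"]
        << QString("%1=\"%2\"").arg(var).arg(names.join(" "));
}

/*
 * Convert an IPv4 prefix length into a 32-bit netmask.
 *
 * Done in unsigned arithmetic: the original loop OR-ed in "1<<31", which
 * overflows a signed int (undefined behaviour).  Lengths outside 0..32 are
 * clamped, which is what the original loop produced (it saturated at
 * all-ones after 32 iterations).
 */
static uint32_t prefixLengthToNetmask(int nbits)
{
    if (nbits <= 0) return 0;
    if (nbits >= 32) return 0xffffffffu;
    return 0xffffffffu << (32 - nbits);
}

/*
 * Collect the addresses of one interface.
 *
 * rc.conf mode: lines in rc.conf have the following format:
 *
 *   network_interfaces="ed0 ed1 lo0"
 *   ifconfig_ed0="inet 192.0.2.1 netmask 0xffffff00"
 *   ipv4_addrs_ed0="192.0.2.129/27 192.0.2.1-5/28"
 *
 * The first address of each family is stored under the bare interface
 * name, the second and following ones under <name>_alias0, _alias1, ...
 * (the counters start at -2 so the first address gives -1 = no suffix).
 * A dynamic interface gets the single value "DHCP".  Script mode defers to
 * OSConfigurator_bsd.
 *
 * NOTE(review): IPv4 and IPv6 entries are keyed by the same interface name
 * in two separate maps, and printIfconfigLines() prints both maps as
 * ifconfig_<name>=...; for a dual-stack interface two assignments of the
 * same rc.conf variable are therefore emitted -- confirm against
 * rc.conf(5) before relying on the IPv6 output.
 */
void OSConfigurator_freebsd::interfaceConfigLineIP(
    Interface *iface, list<pair<InetAddr, InetAddr> > all_addresses)
{
    FWOptions *options = fw->getOptionsObject();
    if (!options->getBool("generate_rc_conf_file"))
    {
        OSConfigurator_bsd::interfaceConfigLineIP(iface, all_addresses);
        return;
    }

    const QString interface_name = iface->getName().c_str();

    if (iface->isDyn())
    {
        ifconfig_lines[interface_name] << "DHCP";
        return;
    }

    int ipv4_alias_counter = -2;
    int ipv6_alias_counter = -2;

    for (list<pair<InetAddr, InetAddr> >::iterator j = all_addresses.begin();
         j != all_addresses.end(); ++j)
    {
        const InetAddr ipaddr = j->first;
        const InetAddr ipnetm = j->second;

        if (ipaddr.isV6())
        {
            ipv6_alias_counter++;
            QString suffix;
            if (ipv6_alias_counter >= 0)
                suffix = QString("_alias%1").arg(ipv6_alias_counter);
            ipv6_ifconfig_lines[interface_name + suffix]
                << QString("%1/%2")
                .arg(ipaddr.toString().c_str())
                .arg(ipnetm.getLength());
        }
        else
        {
            ipv4_alias_counter++;
            QString suffix;
            if (ipv4_alias_counter >= 0)
                suffix = QString("_alias%1").arg(ipv4_alias_counter);
            // Zero-padded to 8 hex digits: the original used a field width
            // of -8 (left-justified), which left trailing blanks inside the
            // quoted value for short masks such as /0.
            const uint32_t netm = prefixLengthToNetmask(ipnetm.getLength());
            ifconfig_lines[interface_name + suffix]
                << QString("%1 netmask 0x%2")
                .arg(ipaddr.toString().c_str())
                .arg(netm, 8, 16, QChar('0'));
        }
    }
}

/*
 * Extra ifconfig parameters for one interface (whatever the
 * "*ifconfig_interface" configlet produces).  In rc.conf mode they are
 * appended to the ifconfig_<name> value; in script mode they become a
 * separate line for the interface.
 */
void OSConfigurator_freebsd::interfaceIfconfigLine(Interface *iface)
{
    const QString iface_name = iface->getName().c_str();
    FWOptions *options = fw->getOptionsObject();
    const bool rc_conf = options->getBool("generate_rc_conf_file");

    Configlet configlet(fw, "freebsd",
                        rc_conf ? "rc_conf_ifconfig_interface"
                                : "ifconfig_interface");
    const QString config_lines = interfaceIfconfigLineInternal(iface, &configlet);
    if (config_lines.isEmpty()) return;

    if (rc_conf)
        ifconfig_lines[iface_name] << config_lines;
    else
        interface_configuration_lines[iface_name] << config_lines;
}

/*
 * Summary line for all vlan interfaces.  rc.conf mode: vlans are created
 * through cloned_interfaces (printed at the top of the output).  Script
 * mode: a "sync_vlan_interfaces" call; note the base class is not called
 * in this branch, unlike the bridge and CARP counterparts below.
 */
void OSConfigurator_freebsd::summaryConfigLineVlan(QStringList vlan_names)
{
    FWOptions *options = fw->getOptionsObject();
    if (options->getBool("generate_rc_conf_file"))
    {
        cloned_interfaces += vlan_names;
        return;
    }
    interface_configuration_lines["1_should_sort_before_interfaces_"]
        << QString("sync_vlan_interfaces %1").arg(vlan_names.join(" "));
}

/*
 For rc.conf format:

 If a vlans_<interface> variable is set, a vlan(4) interface will be created
 for each item in the list with the vlandev argument set to interface. If a
 vlan interface's name is a number, then that number is used as the vlan tag
 and the new vlan interface is named interface.tag. Otherwise, the vlan tag
 must be specified via a vlan parameter in the create_args_<interface>
 variable.

 To create a vlan device named em0.101 on em0 with the vlan tag 101:

 vlans_em0="101"

 To create a vlan device named myvlan on em0 with the vlan tag 102:

 vlans_em0="myvlan"
 create_args_myvlan="vlan 102"
 */

/*
 * Per-parent-interface vlan configuration.  rc.conf mode emits
 * vlans_<parent>="..." plus one create_args_<vlan>="vlan <id> vlandev
 * <parent>" line per subinterface, all stored under the parent's key.
 * Script mode defers to OSConfigurator_bsd.
 *
 * NOTE(review): interface names and the vlan_id option are written verbatim
 * into a file that /bin/sh sources; nothing here rejects quotes or '$' in a
 * name -- presumably validated earlier in the GUI/compiler, confirm.
 */
void OSConfigurator_freebsd::interfaceConfigLineVlan(
    Interface *iface, const list<Interface*> &vlan_subinterfaces)
{
    FWOptions *options = fw->getOptionsObject();
    if (!options->getBool("generate_rc_conf_file"))
    {
        OSConfigurator_bsd::interfaceConfigLineVlan(iface, vlan_subinterfaces);
        return;
    }

    const QString iface_name = iface->getName().c_str();

    // the "vlans_em2="vlan101 vlan102" will appear next to other lines
    // intended for interface em2
    QStringList vlan_names;
    list<Interface*>::const_iterator it;
    for (it = vlan_subinterfaces.begin(); it != vlan_subinterfaces.end(); ++it)
        vlan_names << (*it)->getName().c_str();

    interface_configuration_lines[iface_name]
        << QString("vlans_%1=\"%2\"").arg(iface_name).arg(vlan_names.join(" "));

    for (it = vlan_subinterfaces.begin(); it != vlan_subinterfaces.end(); ++it)
    {
        const QString vlan_intf_name = (*it)->getName().c_str();
        const int vlan_id = (*it)->getOptionsObject()->getInt("vlan_id");
        interface_configuration_lines[iface_name]
            << QString("create_args_%1=\"vlan %2 vlandev %3\"")
            .arg(vlan_intf_name).arg(vlan_id).arg(iface_name);
    }
}

// Bridges are created through cloned_interfaces in rc.conf mode.
void OSConfigurator_freebsd::summaryConfigLineBridge(QStringList bridge_names)
{
    FWOptions *options = fw->getOptionsObject();
    if (options->getBool("generate_rc_conf_file"))
        cloned_interfaces += bridge_names;
    else
        OSConfigurator_bsd::summaryConfigLineBridge(bridge_names);
}

/*
 For rc.conf format:

 Consider a system with two 4-port Ethernet boards. The following will
 cause a bridge consisting of all 8 ports with Rapid Spanning Tree enabled
 to be created:

 ifconfig bridge0 create
 ifconfig bridge0 \
     addm fxp0 stp fxp0 \
     addm fxp1 stp fxp1 \
     addm fxp2 stp fxp2 \
     addm fxp3 stp fxp3 \
     addm fxp4 stp fxp4 \
     addm fxp5 stp fxp5 \
     addm fxp6 stp fxp6 \
     addm fxp7 stp fxp7 \
     up

 The bridge can be used as a regular host interface at the same time as
 bridging between its member ports. In this example, the bridge connects
 em0 and em1, and will receive its IP address through DHCP:

 cloned_interfaces="bridge0"
 ifconfig_bridge0="addm em0 addm em1 DHCP"
 ifconfig_em0="up"
 ifconfig_em1="up"

 Reference:
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html
 */

/*
 * Bridge configuration in rc.conf mode: one "rc_conf_bridge_port" configlet
 * expansion per member port (with stp_off reflecting the interface option
 * "enable_stp"), followed by "up", all joined into ifconfig_<bridge>; each
 * member port itself only gets "up".  Script mode defers to the base class.
 */
void OSConfigurator_freebsd::interfaceConfigLineBridge(Interface *iface,
                                                       QStringList bridge_port_names)
{
    const QString iface_name = iface->getName().c_str();
    FWOptions *options = fw->getOptionsObject();
    if (!options->getBool("generate_rc_conf_file"))
    {
        OSConfigurator_bsd::interfaceConfigLineBridge(iface, bridge_port_names);
        return;
    }

    FWOptions *ifopt = iface->getOptionsObject();
    assert(ifopt != NULL);
    const bool enable_stp = ifopt->getBool("enable_stp");

    QStringList bp;
    foreach(QString bridge_port, bridge_port_names)
    {
        Configlet port_configlet(fw, "freebsd", "rc_conf_bridge_port");
        port_configlet.removeComments();
        port_configlet.collapseEmptyStrings(true);
        port_configlet.setVariable("bridge_interface", iface_name);
        port_configlet.setVariable("bridge_port", bridge_port);
        port_configlet.setVariable("stp_off", !enable_stp);
        bp << port_configlet.expand();
    }
    bp << "up";
    ifconfig_lines[iface_name] << bp.join(" ");

    foreach(QString bridge_port, bridge_port_names)
        ifconfig_lines[bridge_port] << "up";

    // The original appended outp.join("\n") with outp never filled, i.e.
    // one empty string under the bridge's key.  Kept unchanged because the
    // base class decides how empty entries are printed (not visible here).
    QStringList outp;
    interface_configuration_lines[iface_name] << outp.join("\n");
}

// CARP interfaces are created through cloned_interfaces in rc.conf mode.
void OSConfigurator_freebsd::summaryConfigLineCARP(QStringList carp_names)
{
    FWOptions *options = fw->getOptionsObject();
    if (options->getBool("generate_rc_conf_file"))
        cloned_interfaces += carp_names;
    else
        OSConfigurator_bsd::summaryConfigLineCARP(carp_names);
}

// Same work in both modes, only the configlet differs.
void OSConfigurator_freebsd::interfaceConfigLineCARP(Interface *iface,
                                                     FWObject *failover_group)
{
    FWOptions *options = fw->getOptionsObject();
    const QString configlet_name =
        options->getBool("generate_rc_conf_file") ? "rc_conf_carp_interface"
                                                  : "carp_interface";
    Configlet configlet(fw, "freebsd", configlet_name);
    interfaceConfigLineCARPInternal(iface, failover_group, &configlet);
}

// rc.conf mode: pfsync_enable="YES" when the cluster uses pfsync at all.
void OSConfigurator_freebsd::summaryConfigLinePfsync(bool have_pfsync)
{
    FWOptions *options = fw->getOptionsObject();
    if (!options->getBool("generate_rc_conf_file"))
    {
        OSConfigurator_bsd::summaryConfigLinePfsync(have_pfsync);
        return;
    }
    if (have_pfsync)
        interface_configuration_lines["pfsync0"] << "pfsync_enable=\"YES\"";
}

/*
 in rc.conf format:

 pfsync_enable
        (bool) Set to ``NO'' by default.  Setting this to ``YES'' enables
        exposing pf(4) state changes to other hosts over the network by
        means of pfsync(4).  The pfsync_syncdev variable must also be set
        then.

 pfsync_syncdev
        (str) Empty by default.  This variable specifies the name of the
        network interface pfsync(4) should operate through.  It must be
        set accordingly if pfsync_enable is set to ``YES''.

 pfsync_syncpeer
        (str) Empty by default.  This variable is optional.  By default,
        state change messages are sent out on the synchronisation
        interface using IP multicast packets.  The protocol is IP
        protocol 240, PFSYNC, and the multicast group used is
        224.0.0.240.  When a peer address is specified using the
        pfsync_syncpeer option, the peer address is used as a destination
        for the pfsync traffic, and the traffic can then be protected
        using ipsec(4).  See the pfsync(4) manpage for more details about
        using ipsec(4) with pfsync(4) interfaces.

 pfsync_ifconfig
        (str) Empty by default.  This variable can contain additional
        options to be passed to the ifconfig(8) command used to set up
        pfsync(4).
 */

/*
 * pfsync interface configuration in rc.conf mode.
 *
 * pfsync_syncdev is the given interface.  If the state-sync group option
 * "syncpeer" is set, the first IPv4 address of the other cluster member's
 * interface becomes pfsync_syncpeer.  Script mode defers to the base class.
 *
 * Security note: pfsync carries firewall state with no authentication or
 * encryption.  Without a syncpeer it is multicast (see the rc.conf excerpt
 * above), so any host on the sync segment can observe or inject state.  A
 * unicast syncpeer at least makes it possible to protect the traffic with
 * ipsec(4); the sync interface should in any case be a dedicated, isolated
 * link.
 */
void OSConfigurator_freebsd::interfaceConfigLinePfsync(
    Interface *iface, StateSyncClusterGroup *state_sync_group)
{
    FWOptions *options = fw->getOptionsObject();
    if (!options->getBool("generate_rc_conf_file"))
    {
        OSConfigurator_bsd::interfaceConfigLinePfsync(iface, state_sync_group);
        return;
    }

    Configlet configlet(fw, "freebsd", "rc_conf_pfsync_interface");
    configlet.removeComments();
    configlet.collapseEmptyStrings(true);
    configlet.setVariable("syncdev", iface->getName().c_str());

    if (state_sync_group->getOptionsObject()->getBool("syncpeer"))
    {
        for (FWObjectTypedChildIterator it =
                 state_sync_group->findByType(FWObjectReference::TYPENAME);
             it != it.end(); ++it)
        {
            Interface *cluster_iface =
                Interface::cast(FWObjectReference::getObject(*it));
            assert(cluster_iface);
            if (cluster_iface->getId() == iface->getId()) continue;

            // The original dereferenced the cast result unconditionally; a
            // peer interface without an IPv4 address crashed the compiler.
            IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME));
            const InetAddr *addr = (ipv4 != NULL) ? ipv4->getAddressPtr() : NULL;
            if (addr == NULL)
            {
                warning("pfsync: cluster interface " + cluster_iface->getName() +
                        " has no IPv4 address, can not use it as syncpeer");
                continue;
            }

            // pfsync_syncpeer holds a single address: with more than one
            // other member the last one iterated wins (original behaviour).
            configlet.setVariable("have_syncpeer", 1);
            configlet.setVariable("syncpeer", addr->toString().c_str());
        }
    }

    interface_configuration_lines[iface->getName().c_str()] << configlet.expand();
}

/*
 * rc.conf mode: flush the per-interface ifconfig accumulators into the
 * generic line map and put cloned_interfaces=... before everything else
 * (its key sorts first).  Then let the base class print the map.
 */
QString OSConfigurator_freebsd::printAllInterfaceConfigurationLines()
{
    FWOptions *options = fw->getOptionsObject();
    if (options->getBool("generate_rc_conf_file"))
    {
        printIfconfigLines(ifconfig_lines);
        printIfconfigLines(ipv6_ifconfig_lines);
        if (!cloned_interfaces.isEmpty())
            interface_configuration_lines["0_should_be_on_top_"]
                << QString("cloned_interfaces=\"%1\"")
                .arg(cloned_interfaces.join(" "));
    }
    return OSConfigurator_bsd::printAllInterfaceConfigurationLines();
}

/*
 * Turn each accumulated entry into one ifconfig_<key>="..." line, keys in
 * sorted order, appended to interface_configuration_lines under the same
 * key.  The entry's fragments are joined with a single space.
 */
void OSConfigurator_freebsd::printIfconfigLines(
    const QMap<QString, QStringList> &lines)
{
    QStringList keys = lines.keys();
    keys.sort();
    foreach (QString iface_name, keys)
    {
        const QStringList commands = lines[iface_name];
        interface_configuration_lines[iface_name]
            << QString("ifconfig_%1=\"%2\"").arg(iface_name).arg(commands.join(" "));
    }
}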
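fwbuilder-5.3.7/src/pflib/OSConfigurator_freebsd.h000066400000000000000000000070311303637203600221470ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef _OSCONFIGURATOR_FREEBSD_HH
#define _OSCONFIGURATOR_FREEBSD_HH

#include "config.h"

#include "OSConfigurator_bsd.h"
#include "OSData.h"

// NOTE(review): the angle-bracket includes were lost in extraction; these
// are the ones the declarations below visibly need.
#include <list>
#include <utility>
#include <QMap>
#include <QString>
#include <QStringList>

namespace libfwbuilder {
    class Interface;
};

namespace fwcompiler {

    /*
     * OS configurator for FreeBSD (pf/ipf/ipfw family).
     *
     * Besides the script-style output of OSConfigurator_bsd it can emit
     * /etc/rc.conf variables when the firewall option
     * "generate_rc_conf_file" is set.  In that mode the per-interface
     * hooks accumulate ifconfig_<name>=... fragments in the two maps
     * below and printAllInterfaceConfigurationLines() flushes them.
     */
    class OSConfigurator_freebsd : public OSConfigurator_bsd
    {
        // rc.conf mode: key = interface name (+ "_aliasN"),
        // value = fragments joined with " " into ifconfig_<key>="..."
        QMap<QString, QStringList> ifconfig_lines;
        QMap<QString, QStringList> ipv6_ifconfig_lines;

        virtual void printIfconfigLines(const QMap<QString, QStringList> &lines);

        virtual void setKernelVariable(libfwbuilder::Firewall *fw,
                                       const std::string &var_name,
                                       Configlet *configlet);

        virtual void summaryConfigLineIP(QStringList intf_names, bool ipv6);
        virtual void interfaceConfigLineIP(
            libfwbuilder::Interface *iface,
            std::list<std::pair<libfwbuilder::InetAddr,
                                libfwbuilder::InetAddr> > all_addresses);

        virtual void summaryConfigLineVlan(QStringList vlan_names);
        virtual void interfaceConfigLineVlan(
            libfwbuilder::Interface *iface,
            const std::list<libfwbuilder::Interface*> &vlan_subinterfaces);

        // functions that generate bridge configuration
        virtual void summaryConfigLineBridge(QStringList bridge_names);
        virtual void interfaceConfigLineBridge(
            libfwbuilder::Interface *iface, QStringList bridge_port_names);

        // functions that generate CARP interface configuration
        virtual void summaryConfigLineCARP(QStringList carp_names);
        virtual void interfaceConfigLineCARP(libfwbuilder::Interface *iface,
                                             libfwbuilder::FWObject *failover_group);

        // functions that generate pfsync interface configuration
        virtual void summaryConfigLinePfsync(bool have_pfsync);
        virtual void interfaceConfigLinePfsync(
            libfwbuilder::Interface *iface,
            libfwbuilder::StateSyncClusterGroup *sync_group);

        // this function generates additional ifconfig parameters
        virtual void interfaceIfconfigLine(libfwbuilder::Interface *iface);

        virtual QString printAllInterfaceConfigurationLines();

    public:
        virtual ~OSConfigurator_freebsd() {};
        OSConfigurator_freebsd(libfwbuilder::FWObjectDatabase *_db,
                               libfwbuilder::Firewall *fw,
                               bool ipv6_policy) :
            OSConfigurator_bsd(_db, fw, ipv6_policy) {}

        virtual int prolog();
        virtual std::string myPlatformName();
        virtual std::string printKernelVarsCommands();
    };
};

#endif
fwbuilder-5.3.7/src/pflib/OSConfigurator_macosx.cpp000066400000000000000000000034661303637203600223700ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.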
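To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

// NOTE(review): four angle-bracket includes were lost in extraction; the
// only standard name this file uses is std::string.
#include <string>

#include "OSConfigurator_macosx.h"
#include "Configlet.h"

#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

// Platform name used by the generic code for headers and diagnostics.
string OSConfigurator_macosx::myPlatformName()
{
    return "Macosx";
}

/*
 * Expand the generic BSD kernel-variable configlet (sysctl commands) with
 * the three Mac OS X options: IP forwarding, source routing and ICMP
 * redirects.  Returns the expanded text.
 */
string OSConfigurator_macosx::printKernelVarsCommands()
{
    Configlet kernel_vars(fw, "bsd", "kernel_vars");
    kernel_vars.removeComments();

    static const char *vars[] = {
        "macosx_ip_forward",
        "macosx_ip_sourceroute",
        "macosx_ip_redirect",
    };
    for (size_t i = 0; i < sizeof(vars) / sizeof(vars[0]); ++i)
        setKernelVariable(fw, vars[i], &kernel_vars);

    return kernel_vars.expand().toStdString();
}

// No platform-specific prolog.
int OSConfigurator_macosx::prolog()
{
    //printPathForAllTools("macosx");
    //printFunctions();
    //processFirewallOptions();
    //configureInterfaces();
    return 0;
}

fwbuilder-5.3.7/src/pflib/OSConfigurator_macosx.h000066400000000000000000000027411303637203600220320ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002,2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.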
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef _OSCONFIGURATOR_MACOSX_HH
#define _OSCONFIGURATOR_MACOSX_HH

#include "config.h"

#include "OSConfigurator_bsd.h"
#include "OSData.h"

namespace fwcompiler {

    /*
     * OS configurator for Mac OS X.  Only the platform name and the
     * kernel-variable output differ from the generic BSD configurator;
     * interface configuration is inherited unchanged.
     */
    class OSConfigurator_macosx : public OSConfigurator_bsd
    {
    public:
        OSConfigurator_macosx(libfwbuilder::FWObjectDatabase *_db,
                              libfwbuilder::Firewall *fw,
                              bool ipv6_policy) :
            OSConfigurator_bsd(_db, fw, ipv6_policy) {}
        virtual ~OSConfigurator_macosx() {};

        virtual std::string myPlatformName();
        virtual std::string printKernelVarsCommands();
        virtual int prolog();
    };
};

#endif
fwbuilder-5.3.7/src/pflib/OSConfigurator_openbsd.cpp000066400000000000000000000040741303637203600225260ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
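To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

// NOTE(review): four angle-bracket includes were lost in extraction; the
// only standard name this file uses is std::string.  The original also
// included "Configlet.h" twice; the duplicate is dropped.
#include <string>

#include "OSConfigurator_openbsd.h"
#include "Configlet.h"

#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/StateSyncClusterGroup.h"

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

// Platform name used by the generic code for headers and diagnostics.
string OSConfigurator_openbsd::myPlatformName()
{
    return "OpenBSD";
}

/*
 * Expand the generic BSD kernel-variable configlet (sysctl commands) with
 * the OpenBSD options: directed broadcast, IPv4/IPv6 forwarding, source
 * routing and ICMP redirects.  Returns the expanded text.
 */
string OSConfigurator_openbsd::printKernelVarsCommands()
{
    Configlet kernel_vars(fw, "bsd", "kernel_vars");
    kernel_vars.removeComments();

    static const char *vars[] = {
        "openbsd_ip_directed_broadcast",
        "openbsd_ip_forward",
        "openbsd_ipv6_forward",
        "openbsd_ip_sourceroute",
        "openbsd_ip_redirect",
    };
    for (size_t i = 0; i < sizeof(vars) / sizeof(vars[0]); ++i)
        setKernelVariable(fw, vars[i], &kernel_vars);

    return kernel_vars.expand().toStdString();
}

// No platform-specific prolog.
int OSConfigurator_openbsd::prolog()
{
    //printPathForAllTools("openbsd");
    //printFunctions();
    //processFirewallOptions();
    //configureInterfaces();
    return 0;
}

fwbuilder-5.3.7/src/pflib/OSConfigurator_openbsd.h000066400000000000000000000027461303637203600221730ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002,2009 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.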
See the GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef _OSCONFIGURATOR_OPENBSD_HH
#define _OSCONFIGURATOR_OPENBSD_HH

#include "config.h"

#include "OSConfigurator_bsd.h"
#include "OSData.h"

namespace fwcompiler {

    /*
     * OS configurator for OpenBSD.  Only the platform name and the
     * kernel-variable output differ from the generic BSD configurator;
     * interface configuration is inherited unchanged.
     */
    class OSConfigurator_openbsd : public OSConfigurator_bsd
    {
    public:
        OSConfigurator_openbsd(libfwbuilder::FWObjectDatabase *_db,
                               libfwbuilder::Firewall *fw,
                               bool ipv6_policy) :
            OSConfigurator_bsd(_db, fw, ipv6_policy) {}
        virtual ~OSConfigurator_openbsd() {};

        virtual std::string myPlatformName();
        virtual std::string printKernelVarsCommands();
        virtual int prolog();
    };
};

#endif
fwbuilder-5.3.7/src/pflib/OSConfigurator_solaris.cpp000066400000000000000000000077141303637203600225540ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
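To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

// NOTE(review): the angle-bracket includes were lost in extraction; these
// are the ones the code below visibly needs (assert, std::find,
// std::ostringstream, std::string).
#include <assert.h>
#include <algorithm>
#include <sstream>
#include <string>

#include "OSConfigurator_solaris.h"
#include "Configlet.h"

#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

// Platform name used by the generic code for headers and diagnostics.
string OSConfigurator_solaris::myPlatformName()
{
    return "Solaris";
}

/*
 * Expand the generic BSD kernel-variable configlet with the Solaris ndd
 * options: forwarding, ignoring redirects, echo-broadcast replies,
 * directed-broadcast forwarding and source-routed forwarding.
 */
string OSConfigurator_solaris::printKernelVarsCommands()
{
    Configlet kernel_vars(fw, "bsd", "kernel_vars");
    kernel_vars.removeComments();

    static const char *vars[] = {
        "solaris_ip_forward",
        "solaris_ip_ignore_redirect",
        "solaris_ip_respond_to_echo_broadcast",
        "solaris_ip_forward_directed_broadcasts",
        "solaris_ip_forward_src_routed",
    };
    for (size_t i = 0; i < sizeof(vars) / sizeof(vars[0]); ++i)
        setKernelVariable(fw, vars[i], &kernel_vars);

    return kernel_vars.expand().toStdString();
}

// Network objects get no virtual address on Solaris (intentional no-op).
void OSConfigurator_solaris::addVirtualAddressForNAT(const Network*)
{
}

/*
 * Emit "add_addr <addr> <netmask> <interface>" for a NAT virtual address,
 * once per address.  The netmask and interface come from the firewall
 * address that findAddressFor() matches; if no interface owns a matching
 * address a compiler warning is issued and nothing is emitted.
 */
void OSConfigurator_solaris::addVirtualAddressForNAT(const Address *addr)
{
    const InetAddr *vaddr = addr->getAddressPtr();

    // already emitted for an earlier rule
    if (!virtual_addresses.empty() &&
        find(virtual_addresses.begin(), virtual_addresses.end(), *vaddr) !=
            virtual_addresses.end())
        return;

    FWObject *iaddr = findAddressFor(addr, fw);
    if (iaddr == NULL)
    {
        warning("Can not add virtual address " + vaddr->toString());
        return;
    }

    Address *iaddr_addr = Address::cast(iaddr);
    assert(iaddr_addr != NULL);
    Interface *iface = Interface::cast(iaddr->getParent());
    assert(iface != NULL);

    output << "add_addr " << vaddr->toString() << " "
           << iaddr_addr->getNetmaskPtr()->toString() << " "
           << iface->getName() << endl;
    virtual_addresses.push_back(*vaddr);
}

// No platform-specific prolog.
int OSConfigurator_solaris::prolog()
{
    //printPathForAllTools("solaris");
    //processFirewallOptions();
    //configureInterfaces();
    return 0;
}

/*
 * When the firewall option "configure_interfaces" is set, emit one
 * "add_addr <addr> <netmask> <interface>" line for every IPv4 address of
 * every regular interface, and remember each address so that
 * addVirtualAddressForNAT() does not emit it again.  Returns the text
 * (empty when the option is off).
 *
 * NOTE(review): interface names are written verbatim into a shell script;
 * nothing here rejects shell metacharacters in a name -- presumably
 * validated earlier, confirm.
 */
string OSConfigurator_solaris::configureInterfaces()
{
    ostringstream ostr;
    FWOptions *options = fw->getOptionsObject();
    if (!options->getBool("configure_interfaces")) return ostr.str();

    ostr << endl;
    FWObjectTypedChildIterator i = fw->findByType(Interface::TYPENAME);
    for ( ; i != i.end(); ++i)
    {
        Interface *iface = dynamic_cast<Interface*>(*i);
        assert(iface);
        if (!iface->isRegular()) continue;

        FWObjectTypedChildIterator j = iface->findByType(IPv4::TYPENAME);
        for ( ; j != j.end(); ++j)
        {
            Address *iaddr = Address::cast(*j);
            ostr << "add_addr " << iaddr->getAddressPtr()->toString() << " "
                 << iaddr->getNetmaskPtr()->toString() << " "
                 << iface->getName() << endl;
            virtual_addresses.push_back(*(iaddr->getAddressPtr()));
        }
    }
    ostr << endl;
    return ostr.str();
}

fwbuilder-5.3.7/src/pflib/OSConfigurator_solaris.h000066400000000000000000000042431303637203600222130ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef _OSNETWORKCONFIGURATOR_SOLARIS_HH
#define _OSNETWORKCONFIGURATOR_SOLARIS_HH

#include "config.h"

#include "fwbuilder/InetAddr.h"

#include <vector>

#include "OSConfigurator_bsd.h"
#include "OSData.h"

/*
 * Of course Solaris has nothing to do with BSD.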
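Class
 * OSConfigurator_solaris inherits OSConfigurator_bsd only because the
 * latter is the base class for all OSConfigurator classes for the
 * pf-ipf-ipfw family.  TODO: rename OSConfigurator_bsd to use more
 * generic name, something like OSConfigurator_generic_pf_ipf_family
 */

namespace fwcompiler {

    /*
     * OS configurator for Solaris (ipf).  Interface and NAT virtual
     * addresses are emitted as "add_addr" calls in the generated script.
     */
    class OSConfigurator_solaris : public OSConfigurator_bsd
    {
        OSData os_data;
        // addresses already emitted with add_addr, so NAT virtual
        // addresses are not added twice
        std::vector<libfwbuilder::InetAddr> virtual_addresses;

    public:
        virtual ~OSConfigurator_solaris() {};
        OSConfigurator_solaris(libfwbuilder::FWObjectDatabase *_db,
                               libfwbuilder::Firewall *fw,
                               bool ipv6_policy) :
            OSConfigurator_bsd(_db, fw, ipv6_policy), os_data() {}

        virtual int prolog();
        virtual std::string myPlatformName();
        virtual std::string printKernelVarsCommands();

        virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr);
        // intentionally a no-op for Network objects
        virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw);

        virtual std::string configureInterfaces();
    };
};

#endif
fwbuilder-5.3.7/src/pflib/OSData.cpp000066400000000000000000000027531303637203600172250ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.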
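To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "OSData.h"

#include "fwbuilder/Resources.h"

#include <stdexcept>
#include <string>

using namespace std;
using namespace libfwbuilder;

OSData::OSData() {}

/*
 * Look up the configured path of a tool for the given target OS in the OS
 * resource file, under /FWBuilderResources/Target/tools/path_<tool>.
 *
 * Throws std::runtime_error when no resources are loaded for `os`.  The
 * original indexed Resources::os_res with operator[], which creates a null
 * entry for an unknown OS name and then dereferences it; failing loudly is
 * preferable, since the returned path is placed into a generated firewall
 * script.
 */
string OSData::getPathForTool(const string &os, tools t)
{
    string r = "/FWBuilderResources/Target/tools/";
    switch (t)
    {
    case IFCONFIG: r += "path_ifconfig"; break;
    case SYSCTL:   r += "path_sysctl";   break;
    case PFCTL:    r += "path_pfctl";    break;
    case IPFW:     r += "path_ipfw";     break;
    case IPF:      r += "path_ipf";      break;
    case IPNAT:    r += "path_ipnat";    break;
    case LOGGER:   r += "path_logger";   break;
    }

    if (Resources::os_res.count(os) == 0 || Resources::os_res[os] == NULL)
        throw runtime_error("No resources loaded for OS '" + os + "'");

    return Resources::os_res[os]->getResourceStr(r);
}

fwbuilder-5.3.7/src/pflib/OSData.h000066400000000000000000000022051303637203600166620ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.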
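To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#ifndef __OSDATA_HH
#define __OSDATA_HH

#include "config.h"

// NOTE(review): two angle-bracket includes were lost in extraction; the
// only standard name this header uses is std::string.
#include <string>

/*
 * Access to per-OS tool paths stored in the OS resource files
 * (/FWBuilderResources/Target/tools/path_*).
 */
class OSData
{
public:
    OSData();

    // tools whose path can be looked up; each maps to one path_* resource
    typedef enum {
        IFCONFIG,
        SYSCTL,
        PFCTL,
        IPFW,
        IPF,
        IPNAT,
        LOGGER
    } tools;

    // Path of tool `t` for OS `os`; throws std::runtime_error when no
    // resources are loaded for that OS.
    std::string getPathForTool(const std::string &os, tools t);
};

#endif
fwbuilder-5.3.7/src/pflib/PolicyCompiler_ipf.cpp000066400000000000000000000471221303637203600217010ustar00rootroot00000000000000/*

    Firewall Builder

                 Copyright (C) 2002 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@vk.crocodile.org

  $Id$

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.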
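To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

#include "config.h"

#include "PolicyCompiler_ipf.h"

#include "fwcompiler/Compiler.h"

#include "fwbuilder/AddressTable.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"

// NOTE(review): two angle-bracket includes were lost in extraction; these
// are the standard names this part of the file visibly uses.
#include <list>
#include <string>

using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;

// Platform name used by the generic code for headers and diagnostics.
string PolicyCompiler_ipf::myPlatformName()
{
    return "ipf";
}

/*
 * Run the pf prolog, then create the three "any" protocol objects
 * (TCP, UDP, ICMP) that expandAnyService uses to split stateful rules
 * with service "any".  They are owned by persistent_objects so they stay
 * valid for the whole compilation.  Returns whatever the pf prolog
 * returned.
 */
int PolicyCompiler_ipf::prolog()
{
    int n = PolicyCompiler_pf::prolog();

    anytcp = dbcopy->createTCPService();
    anytcp->setId(FWObjectDatabase::generateUniqueId());
    persistent_objects->add(anytcp, false);

    anyudp = dbcopy->createUDPService();
    anyudp->setId(FWObjectDatabase::generateUniqueId());
    persistent_objects->add(anyudp, false);

    anyicmp = dbcopy->createICMPService();
    anyicmp->setId(FWObjectDatabase::generateUniqueId());
    persistent_objects->add(anyicmp, false);

    return n;
}

/*
 * ipf can only keep state for TCP, UDP and ICMP.  A stateful Accept rule
 * with service "any" is therefore replaced by four rules: one stateful
 * rule each for any-ICMP, any-TCP and any-UDP, plus a copy of the original
 * rule marked stateless that catches all other protocols.  Every other
 * rule passes through unchanged.
 */
bool PolicyCompiler_ipf::expandAnyService::processNext()
{
    PolicyCompiler_ipf *pcomp = dynamic_cast<PolicyCompiler_ipf*>(compiler);
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    RuleElementSrv *srv = rule->getSrv();
    FWOptions *ruleopt = rule->getOptionsObject();

    const bool split = srv->isAny() &&
                       !ruleopt->getBool("stateless") &&
                       rule->getAction() == PolicyRule::Accept;
    if (!split)
    {
        tmp_queue.push_back(rule);
        return true;
    }

    // same rule, service column replaced by one "any" protocol object
    FWObject *any_protocols[] = { pcomp->anyicmp, pcomp->anytcp, pcomp->anyudp };
    for (size_t i = 0; i < sizeof(any_protocols) / sizeof(any_protocols[0]); ++i)
    {
        PolicyRule *r = compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);
        RuleElementSrv *nsrv = r->getSrv();
        nsrv->clearChildren();
        nsrv->addRef(any_protocols[i]);
        tmp_queue.push_back(r);
    }

    // stateless catch-all for the remaining protocols
    PolicyRule *r = compiler->dbcopy->createPolicyRule();
    compiler->temp_ruleset->add(r);
    r->duplicate(rule);
    r->getOptionsObject()->setBool("stateless", true);
    tmp_queue.push_back(r);

    return true;
}

/*
 * ipf has no "!" negation, so a negated Source is emulated with two rules:
 *
 *  1. the same source, action Continue (later turned into a "skip" by
 *     calculateSkip), not quick, no logging, stateless -- matching traffic
 *     jumps over the next rule;
 *  2. the original rule with source "any", quick.
 *
 * Both are marked skip_check_for_duplicates so the duplicate eliminator
 * leaves the pair intact.
 */
bool PolicyCompiler_ipf::doSrcNegation::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    RuleElementSrc *src = rule->getSrc();
    if (!src->getNeg())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    PolicyRule *skipper = compiler->dbcopy->createPolicyRule();
    compiler->temp_ruleset->add(skipper);
    skipper->duplicate(rule);
    skipper->setAction(PolicyRule::Continue);
    skipper->setLogging(false);
    skipper->getSrc()->setNeg(false);
    skipper->setBool("quick", false);
    skipper->setBool("skip_check_for_duplicates", true);
    skipper->getOptionsObject()->setBool("stateless", true);
    tmp_queue.push_back(skipper);

    PolicyRule *catch_all = compiler->dbcopy->createPolicyRule();
    compiler->temp_ruleset->add(catch_all);
    catch_all->duplicate(rule);
    RuleElementSrc *nsrc = catch_all->getSrc();
    nsrc->setNeg(false);
    nsrc->clearChildren();
    nsrc->setAnyElement();
    catch_all->setBool("quick", true);
    catch_all->setBool("skip_check_for_duplicates", true);
    tmp_queue.push_back(catch_all);

    return true;
}

// Same two-rule emulation as doSrcNegation, for the Destination column.
bool PolicyCompiler_ipf::doDstNegation::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    RuleElementDst *dst = rule->getDst();
    if (!dst->getNeg())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    PolicyRule *skipper = compiler->dbcopy->createPolicyRule();
    compiler->temp_ruleset->add(skipper);
    skipper->duplicate(rule);
    skipper->setAction(PolicyRule::Continue);
    skipper->setLogging(false);
    skipper->getDst()->setNeg(false);
    skipper->setBool("quick", false);
    skipper->setBool("skip_check_for_duplicates", true);
    skipper->getOptionsObject()->setBool("stateless", true);
    tmp_queue.push_back(skipper);

    PolicyRule *catch_all = compiler->dbcopy->createPolicyRule();
    compiler->temp_ruleset->add(catch_all);
    catch_all->duplicate(rule);
    RuleElementDst *ndst = catch_all->getDst();
    ndst->setNeg(false);
    ndst->clearChildren();
    ndst->setAnyElement();
    catch_all->setBool("quick", true);
    catch_all->setBool("skip_check_for_duplicates", true);
    tmp_queue.push_back(catch_all);

    return true;
}

// Negation in the Service column is not supported for ipf: abort compile.
bool PolicyCompiler_ipf::doSrvNegation::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    if (rule->getSrv()->getNeg())
    {
        compiler->abort(rule, "Negation in Srv is not implemented");
        return false;
    }
    tmp_queue.push_back(rule);
    return true;
}

/*
 * Remove non-regular (dynamic / unnumbered) interfaces from a rule
 * element, following references to the underlying objects.
 *
 * If nothing would remain the element is left untouched (that is the
 * original behaviour: "cl" empty means no rewrite) -- a rule referencing
 * only dynamic interfaces therefore keeps them.  Presumably intentional;
 * confirm against the generated ipf rules.
 */
void PolicyCompiler_ipf::specialCaseWithDynInterface::dropDynamicInterface(
    RuleElement *re)
{
    list<FWObject*> kept;
    for (list<FWObject*>::iterator i1 = re->begin(); i1 != re->end(); ++i1)
    {
        FWObject *obj = *i1;
        if (FWReference::cast(obj) != NULL)
            obj = FWReference::cast(obj)->getPointer();

        Interface *ifs = Interface::cast(obj);
        if (ifs != NULL && !ifs->isRegular()) continue;
        kept.push_back(obj);
    }

    if (kept.empty()) return;

    re->clearChildren();
    for (list<FWObject*>::iterator i1 = kept.begin(); i1 != kept.end(); ++i1)
        re->addRef(*i1);
}

// Apply dropDynamicInterface to both the Destination and Source columns.
bool PolicyCompiler_ipf::specialCaseWithDynInterface::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    dropDynamicInterface(rule->getDst());
    dropDynamicInterface(rule->getSrc());

    tmp_queue.push_back(rule);
    return true;
}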
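PolicyCompiler_ipf::calculateSkip::calculateSkip(const std::string &n) :
    PolicyRuleProcessor(n)
{
}

/*
 * Resolve the numeric argument of every ipfilter "skip N" rule produced by
 * the negation and optimisation processors.  The whole queue is slurped
 * first because each count depends on the rules that follow.
 *
 * Two kinds of rules get a count:
 *
 *  - action Skip with attribute "skip_to": jump to the first rule that
 *    carries the matching "skip_label" (set by optimize1).  Rules may have
 *    been split after the label was assigned, so the same label can occur
 *    several times; the queue is numbered bottom-up so that the topmost
 *    rule with a given label is the one recorded in 'allrules'.
 *
 *  - action Continue (from doSrcNegation/doDstNegation): jump past all
 *    remaining rules that belong to the same GUI rule (same position) and
 *    have the same direction.  Only rules of the same direction are
 *    counted because ipfilter's "skip" is evaluated per direction.  The
 *    rule itself is rewritten into a non-quick Skip.
 *
 * A "skip_to" label that is missing, unknown, or that does not resolve to
 * a rule below the skipping rule aborts the compile.  Previously an
 * unknown label silently inserted 0 into 'allrules' and emitted a negative
 * skip count; since the count decides which rules are bypassed in the
 * generated policy, such a rule set must never be written out.
 *
 * Returns false once the queue has been consumed.
 */
bool PolicyCompiler_ipf::calculateSkip::processNext()
{
    slurp();
    if (tmp_queue.size()==0) return false;

    // Number the rules 0..N from top to bottom and remember, for every
    // label, the number of the topmost rule that carries it.
    int N=tmp_queue.size()-1;
    for (deque::reverse_iterator k=tmp_queue.rbegin(); k!=tmp_queue.rend(); ++k)
    {
        PolicyRule *r = PolicyRule::cast( *k );
        if (!r->getStr("skip_label").empty())
            allrules[r->getStr("skip_label")]=N;
        r->setInt("rule_num",N);
        N--;
    }

    for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
    {
        PolicyRule *r = PolicyRule::cast( *k );
        int current_position=r->getPosition();

        if (r->getAction()==PolicyRule::Skip)
        {
            string skip_to=r->getStr("skip_to");
            int n =r->getInt("rule_num");

            // These are integrity checks on the generated configuration,
            // not debugging aids: they must stay active in release builds,
            // so they are not assert()s.
            if (skip_to.empty())
            {
                compiler->abort(r, "Skip rule without 'skip_to' attribute");
                return false;
            }
            if (allrules.count(skip_to)==0)
            {
                compiler->abort(r, "Skip target '" + skip_to + "' not found");
                return false;
            }
            int to=allrules[skip_to];
            if (to<=n)
            {
                compiler->abort(r, "Skip target '" + skip_to +
                                "' does not follow the skip rule");
                return false;
            }
            // rules strictly between this one and the target are skipped
            r->setInt("no_to_skip",to-n-1);
        }

        /* Action 'Continue' means we need to jump to the next rule in the
         * GUI.  Scan down from the current rule and count the rules that
         * still belong to the current GUI rule and share our direction.
         */
        if (r->getAction()==PolicyRule::Continue)
        {
            r->setAction(PolicyRule::Skip);
            r->setBool("quick",false);

            deque::iterator j=k;
            ++j;
            int n=0;
            for ( ; j!=tmp_queue.end(); ++j)
            {
                PolicyRule *r2 = PolicyRule::cast( *j );
                if (r2->getPosition()!=current_position) break;
                if (r2->getDirection()==r->getDirection()) ++n;
            }
            r->setInt("no_to_skip",n);
        }
    }
    return true;
}

/*
 * ipfilter can only "keep state" for ICMP, UDP and TCP.  Rules whose
 * (single, already expanded) service is anything else are forced to
 * stateless so that PrintRule does not emit "keep state" for them.
 */
bool PolicyCompiler_ipf::checkForKeepState::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;
    tmp_queue.push_back(rule);

    Service *srv=compiler->getFirstSrv(rule);
    assert(srv);

    FWOptions *ruleopt =rule->getOptionsObject();

    if (! ICMPService::isA(srv) && ! UDPService::isA(srv) && ! TCPService::isA(srv) )
        ruleopt->setBool("stateless",true);

    return true;
}

/*
 * Drop an atomic rule that repeats one already seen (same interface,
 * action, logging flag and cmpRules()).  Rules flagged
 * skip_check_for_duplicates, and the Continue/Skip rules that implement
 * negation and optimisation, are never treated as duplicates.
 */
bool PolicyCompiler_ipf::eliminateDuplicateRules::processNext()
{
    PolicyCompiler *pcomp = dynamic_cast(compiler);
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    // Note that if rule has "any" in Interface column, it is
    // implemented as reference to the AnyNetwork object. In this case
    // Compiler::getFirstItf() returns NULL.
    Interface *intf_rule = compiler->getFirstItf(rule);
    int intf_id_rule = (intf_rule) ? intf_rule->getId() : -1;

    if ( ! rule->getBool("skip_check_for_duplicates"))
    {
        for (deque::iterator i=rules_seen_so_far.begin();
             i!=rules_seen_so_far.end(); ++i)
        {
            PolicyRule *r=(*i);

            if (r->getBool("skip_check_for_duplicates") ) continue;
            if (r->getAction()==PolicyRule::Continue ||
                r->getAction()==PolicyRule::Skip) continue;

            Interface *intf_r = compiler->getFirstItf(r);
            int intf_id_r = (intf_r) ?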
intf_r->getId() : -1; if (intf_id_r==intf_id_rule && r->getAction()==rule->getAction() && r->getLogging()==rule->getLogging() && pcomp->cmpRules(*r,*rule) ) { // cout << "---------------------------------------" << endl; // cout << pcomp->debugPrintRule(r) << endl; // cout << pcomp->debugPrintRule(rule) << endl; return true; } } } tmp_queue.push_back(rule); rules_seen_so_far.push_back(rule); return true; } bool PolicyCompiler_ipf::processMultiAddressObjectsInRE::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) ); for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) compiler->abort( rule, "Run-time AddressTable objects are not supported."); } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipf::SplitDirectionIpfilter::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; if (rule->getDirection()==PolicyRule::Both) { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setDirection(PolicyRule::Inbound); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setDirection(PolicyRule::Outbound); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } void PolicyCompiler_ipf::compile() { info(" Compiling policy for " + fw->getName()); Compiler::compile(); bool check_for_recursive_groups=true; if ( fw->getOptionsObject()->getBool ("check_shading") && ! 
inSingleRuleCompileMode()) { add( new Begin ("Detecting rule shadowing" ) ); add( new printTotalNumberOfRules( ) ); add( new ItfNegation("process negation in Itf" ) ); add( new InterfacePolicyRules( "process interface policy rules and store interface ids")); add( new recursiveGroupsInSrc("check for recursive groups in SRC")); add( new recursiveGroupsInDst("check for recursive groups in DST")); add( new recursiveGroupsInSrv("check for recursive groups in SRV")); check_for_recursive_groups=false; add( new ExpandGroups("expand groups") ); add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC") ); add( new eliminateDuplicatesInDST("eliminate duplicates in DST") ); add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV") ); add( new swapMultiAddressObjectsInSrc( " swap MultiAddress -> MultiAddressRunTime in Src") ); add( new swapMultiAddressObjectsInDst( " swap MultiAddress -> MultiAddressRunTime in Dst") ); add( new ExpandMultipleAddressesInSrc( "expand objects with multiple addresses in SRC" ) ); add( new ExpandMultipleAddressesInDst( "expand objects with multiple addresses in DST" ) ); add( new ConvertToAtomic("convert to atomic rules" ) ); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add( new DetectShadowing("Detect shadowing" ) ); add( new simplePrintProgress() ); runRuleProcessors(); deleteRuleProcessors(); } add( new Begin()); add( new printTotalNumberOfRules() ); add( new singleRuleFilter()); // add( new MACFiltering( "verify for MAC address filtering" ) ); add( new setQuickFlag("set 'quick' flag") ); if (check_for_recursive_groups) { add( new recursiveGroupsInSrc("check for recursive groups in SRC")); add( new recursiveGroupsInDst("check for recursive groups in DST")); add( new recursiveGroupsInSrv("check for recursive groups in SRV")); } add( new emptyGroupsInSrc("check for empty groups in SRC") ); add( new emptyGroupsInDst("check for empty groups in DST") ); add( new emptyGroupsInSrv("check 
for empty groups in SRV") ); add( new ItfNegation("process negation in Itf" ) ); add( new InterfacePolicyRules( "process interface policy rules and store interface ids") ); add( new doSrcNegation("process negation in Src") ); add( new doDstNegation("process negation in Dst") ); add( new doSrvNegation("process negation in Srv") ); add( new ExpandGroups( "expand groups") ); add( new CheckForTCPEstablished( "check for TCPService objects with flag \"established\"") ); add( new CheckForUnsupportedUserService("check for user service") ); add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC") ); add( new eliminateDuplicatesInDST("eliminate duplicates in DST") ); add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV") ); add( new swapMultiAddressObjectsInSrc( " swap MultiAddress -> MultiAddressRunTime in Src") ); add( new swapMultiAddressObjectsInDst( " swap MultiAddress -> MultiAddressRunTime in Dst") ); add( new processMultiAddressObjectsInSrc( "process MultiAddress objects in Src") ); add( new processMultiAddressObjectsInDst( "process MultiAddress objects in Dst") ); add( new splitIfFirewallInSrc("split rule if firewall is in Src") ); add( new splitIfFirewallInDst("split rule if firewall is in Dst") ); add( new fillDirection("determine directions") ); add( new SplitDirectionIpfilter("split rules with direction 'both'" ) ); add( new ExpandMultipleAddresses( "expand objects with multiple addresses") ); add( new checkForDynamicInterfacesOfOtherObjects( "check for dynamic interfaces of other hosts and firewalls" )); add( new MACFiltering("verify for MAC address filtering" ) ); add( new checkForUnnumbered("check for unnumbered interfaces") ); add( new specialCaseWithDynInterface( "check for a special cases with dynamic interface") ); add( new addressRanges("expand address range objects") ); add( new groupServicesByProtocol("split rules with different protocols") ); add( new separateTCPWithFlags("separate TCP services with flags" ) ); add( new 
separateSrcPort("split on TCP and UDP with source ports")); add( new verifyCustomServices( "verify custom services for this platform") ); add( new SpecialServices("check for special services" ) ); add( new expandAnyService("expand ANY service for stateful rules") ); /* * it may make sense to do optimization even before we expand groups * (before ExpandGroups). Need to test this idea. */ if ( fw->getOptionsObject()->getBool ("optimize") ) { add( new optimizeSrc("optimization in SRC") ); add( new optimizeDst("optimization in DST") ); add( new optimizeSrv("optimization in SRV") ); } add( new ConvertToAtomic("convert to atomic rules") ); add( new checkForZeroAddr("check for zero addresses" ) ); if ( fw->getOptionsObject()->getBool ("eliminate_duplicates") ) add( new eliminateDuplicateRules("eliminate duplicate rules" ) ); add( new calculateSkip("calculate argument for skip") ); add( new checkForKeepState("check for 'keep state'") ); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add( new PrintRule("generate ipf code") ); add( new simplePrintProgress() ); runRuleProcessors(); } string PolicyCompiler_ipf::debugPrintRule(Rule *r) { PolicyRule *rule=PolicyRule::cast(r); // FWOptions *ruleopt =rule->getOptionsObject(); ostringstream s; s << PolicyCompiler::debugPrintRule(rule) << " "; RuleElementItf *intf_re = rule->getItf(); string rule_interfaces; int intf_count = 0; for (FWObject::iterator it=intf_re->begin(); it!=intf_re->end(); ++it) { FWObject *o = *it; if (FWReference::cast(o)!=NULL) o = FWReference::cast(o)->getPointer(); rule_interfaces += " " + o->getName(); intf_count++; } if (intf_count > 0) { s << " intf: "; if (intf_count > 1) s << "{ "; s << rule_interfaces; if (intf_count > 1) s << " }"; } else s << " intf: ?"; s << " "; if (r->getBool("skip_check_for_duplicates")) s << "skip_check_for_duplicates "; if (r->getStr("skip_label")!="") s << "skip_label: " << r->getStr("skip_label") << " "; if 
(r->getStr("skip_to")!="") s << "skip_to: " << r->getStr("skip_to") << " "; if (r->getInt("no_to_skip")!=-1) s << "no_to_skip: " << r->getInt("no_to_skip"); s << " " << FWObjectDatabase::getStringId(r->getId()) << " (" << r->getId() << ")"; return s.str(); } void PolicyCompiler_ipf::epilog() { } fwbuilder-5.3.7/src/pflib/PolicyCompiler_ipf.h000066400000000000000000000205071303637203600213440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICYCOMPILER_IPF_HH #define __POLICYCOMPILER_IPF_HH #include #include "PolicyCompiler_pf.h" namespace libfwbuilder { class TCPService; class UDPService; class ICMPService; }; #define ANY_IP_OBJ_ID "__any_ip_obj__" #define ANY_ICMP_OBJ_ID "__any_icmp_obj__" #define ANY_TCP_OBJ_ID "__any_tcp_obj__" #define ANY_UDP_OBJ_ID "__any_udp_obj__" namespace fwcompiler { class PolicyCompiler_ipf : public PolicyCompiler_pf { protected: libfwbuilder::TCPService *anytcp; libfwbuilder::UDPService *anyudp; libfwbuilder::ICMPService *anyicmp; virtual std::string myPlatformName(); /** * prints rule in some universal format (close to that visible * to user in the GUI). Used for debugging purposes. 
This method * calls PolicyCompiler::_internalPrintPolicyRule and then adds * chain and target at the end of the printed line */ virtual std::string debugPrintRule(libfwbuilder::Rule *rule); /** * split rules if direction is "Both" */ DECLARE_POLICY_RULE_PROCESSOR(SplitDirectionIpfilter); /** * splits rules with service 'any' because ipf can keep state * only for UDP/TCP/ICMP */ DECLARE_POLICY_RULE_PROCESSOR(expandAnyService); /** * deals with negation in Src in policy rules. * * this method is different from that in PolicyCompiler_pf */ DECLARE_POLICY_RULE_PROCESSOR(doSrcNegation); /** * deals with negation in Dst in policy rules. * * this method is different from that in PolicyCompiler_pf */ DECLARE_POLICY_RULE_PROCESSOR(doDstNegation); /** * deals with negation in Srv in policy rules. * * this method is different from that in PolicyCompiler_pf */ DECLARE_POLICY_RULE_PROCESSOR(doSrvNegation); /** * Placeholders for MultiAddressRunTime objects which are not * supported for ipf */ class processMultiAddressObjectsInRE : public PolicyRuleProcessor { std::string re_type; public: processMultiAddressObjectsInRE(const std::string &name, const std::string &t) : PolicyRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; class processMultiAddressObjectsInSrc : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInSrc(const std::string &n) : processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; class processMultiAddressObjectsInDst : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInDst(const std::string &n) : processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * checks for the following situations: * * 1. dynamic interface is in source and direction is inbound * (drop interface from src since source address is * undertermined) * * 2. 
dynamic interface is in source, direction is outbound * (drop interface from the list, this rule has been created * while processing negation. TODO: this is kludge, need to * find a better way to process negation if firewall is in rule * element and it has dynamic interface) * * 3. dynamic interface is in destination and direction is * outbound (drop interface since dest. address is undefined) * */ class specialCaseWithDynInterface : public PolicyRuleProcessor { void dropDynamicInterface(libfwbuilder::RuleElement *re); public: specialCaseWithDynInterface(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; /** * ipf supports "keep state" only for icmp/udp/tcp */ DECLARE_POLICY_RULE_PROCESSOR(checkForKeepState); /** * calculates N for action skip (used in negation) */ class calculateSkip : public PolicyRuleProcessor { std::map allrules; public: calculateSkip(const std::string &n); virtual bool processNext(); }; /** * eliminates duplicate atomic rules */ class eliminateDuplicateRules : public PolicyRuleProcessor { private: std::deque rules_seen_so_far; public: eliminateDuplicateRules(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class fwcompiler::PolicyCompiler_ipf::eliminateDuplicateRules; /** * optimize rules - instead of generating all possible * combinations of src,dst and srv we split the rule onto * three rules, checking on * rule element at a time and using * 'any' in the other two. This reduces the number of * generated elementary rules from N^3 to 3N (and reduces * compile time about the same). 
*/ class optimize1 : public PolicyRuleProcessor { protected: void optimizeForRuleElement(libfwbuilder::PolicyRule *rule, const std::string &re_type); public: optimize1(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; friend class PolicyCompiler_ipf::optimize1; class optimizeSrc : public optimize1 { public: optimizeSrc(const std::string &name) : optimize1(name) {} virtual bool processNext(); }; friend class PolicyCompiler_ipf::optimizeSrc; class optimizeDst : public optimize1 { public: optimizeDst(const std::string &name) : optimize1(name) {} virtual bool processNext(); }; friend class PolicyCompiler_ipf::optimizeDst; class optimizeSrv : public optimize1 { public: optimizeSrv(const std::string &name) : optimize1(name) {} virtual bool processNext(); }; friend class PolicyCompiler_ipf::optimizeSrv; /** * prints single policy rule, assuming all groups have been * expanded, so source, destination and service hold exactly * one object each, and this object is not a group. * Negation should also have been taken care of before this * method is called. 
*/ class PrintRule : public PolicyCompiler_pf::PrintRule { virtual std::string _printPort(int rs,int re,bool neg=false); virtual void _printWith(libfwbuilder::Service *srv); virtual void _printAction(libfwbuilder::PolicyRule *r); #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Woverloaded-virtual" virtual void _printAddr(libfwbuilder::Address *o,bool neg=false); #pragma GCC diagnostic pop virtual void _printDstService(libfwbuilder::RuleElement *o); public: PrintRule(const std::string &name); virtual bool processNext(); }; public: PolicyCompiler_ipf(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : PolicyCompiler_pf(_db, fw, ipv6_policy, _oscnf, NULL) {} virtual int prolog(); virtual void compile(); virtual void epilog(); }; } #endif fwbuilder-5.3.7/src/pflib/PolicyCompiler_ipf_optimizer.cpp000066400000000000000000000147041303637203600240030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PolicyCompiler_ipf.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Policy.h" #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; static map skip_targets; void PolicyCompiler_ipf::optimize1::optimizeForRuleElement(PolicyRule *rule, const std::string &re_type) { RuleElement *re=RuleElement::cast(rule->getFirstByType(re_type)); PolicyRule *r; r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); /* duplicate copies everything, including attribute * "skip_label". That's why I set skip_label after I create a copy of the rule */ string skip_target = FWObjectDatabase::getStringId(rule->getId()); while (skip_targets[skip_target]) skip_target+=".A"; skip_targets[skip_target]=true; // just need a unique label, and ID is unique rule->setStr("skip_label", skip_target); for (FWObject::iterator i=r->begin(); i!=r->end(); ++i) { if (RuleElement::cast(*i)!=NULL && (*i)->getTypeName()!=re_type) { RuleElement *nre=RuleElement::cast(*i); nre->clearChildren(); nre->setAnyElement(); } } r->setAction(PolicyRule::Skip); r->setBool("quick",false); r->setStr("skip_to",skip_target); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElement *re1; re1=r->getSrc(); re1->clearChildren(); re1->setAnyElement(); re1=r->getDst(); re1->clearChildren(); re1->setAnyElement(); re1=r->getSrv(); re1->clearChildren(); re1->setAnyElement(); r->setAction(PolicyRule::Continue); r->setStr("skip_label",""); tmp_queue.push_back(r); re->clearChildren(); re->setAnyElement(); /* rules that we 
have inserted above 'rule' will skip over it. We should * not drop them when we eliminate duplicates */ rule->setBool("skip_check_for_duplicates",true); tmp_queue.push_back(rule); } bool PolicyCompiler_ipf::optimize1::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrc *srcrel=rule->getSrc(); RuleElementDst *dstrel=rule->getDst(); RuleElementSrv *srvrel=rule->getSrv(); int srcn=srcrel->size(); int dstn=dstrel->size(); int srvn=srvrel->size(); /* if all rule elements have exactly one object, there is nothing to optimize */ if ( (srcn==1 && dstn==1) || (dstn==1 && srvn==1) || (srvn==1 && srcn==1) ) { tmp_queue.push_back(rule); return true; } if (srcn==1) srcn=INT_MAX; if (dstn==1) dstn=INT_MAX; if (srvn==1) srvn=INT_MAX; string re=RuleElementSrc::TYPENAME; if (srcn>2 && srcn<=dstn && dstn<=srvn) { optimizeForRuleElement(rule,RuleElementSrc::TYPENAME); return true; } if (dstn>2 && dstn<=srvn && srvn<=srcn) { optimizeForRuleElement(rule,RuleElementDst::TYPENAME); return true; } if (srvn>2 && srvn<=srcn && srcn<=dstn) { optimizeForRuleElement(rule,RuleElementSrv::TYPENAME); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipf::optimizeSrc::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrc *srcrel=rule->getSrc(); RuleElementDst *dstrel=rule->getDst(); RuleElementSrv *srvrel=rule->getSrv(); int srcn=srcrel->size(); int dstn=dstrel->size(); int srvn=srvrel->size(); /* without optimization we generate N^3 rules (n1*n2*n3), with it we * generate 3*N (n1+n2+n3) rules. 
If n1+n2+n3 is greater than * n1*n2*n3, then we should not optimize */ if (srcrel->isAny() || (srcn+dstn+srvn>=srcn*dstn*srvn)) { tmp_queue.push_back(rule); return true; } optimizeForRuleElement(rule,RuleElementSrc::TYPENAME); return true; } bool PolicyCompiler_ipf::optimizeDst::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrc *srcrel=rule->getSrc(); RuleElementDst *dstrel=rule->getDst(); RuleElementSrv *srvrel=rule->getSrv(); int srcn=srcrel->size(); int dstn=dstrel->size(); int srvn=srvrel->size(); /* without optimization we generate N^3 rules (n1*n2*n3), with it we * generate 3*N (n1+n2+n3) rules. If n1+n2+n3 is greater than * n1*n2*n3, then we should not optimize */ if (dstrel->isAny() || (srcn+dstn+srvn>=srcn*dstn*srvn)) { tmp_queue.push_back(rule); return true; } optimizeForRuleElement(rule,RuleElementDst::TYPENAME); return true; } bool PolicyCompiler_ipf::optimizeSrv::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrc *srcrel=rule->getSrc(); RuleElementDst *dstrel=rule->getDst(); RuleElementSrv *srvrel=rule->getSrv(); int srcn=srcrel->size(); int dstn=dstrel->size(); int srvn=srvrel->size(); /* without optimization we generate N^3 rules (n1*n2*n3), with it we * generate 3*N (n1+n2+n3) rules. If n1+n2+n3 is greater than * n1*n2*n3, then we should not optimize */ if (srvrel->isAny() || (srcn+dstn+srvn>=srcn*dstn*srvn)) { tmp_queue.push_back(rule); return true; } optimizeForRuleElement(rule,RuleElementSrv::TYPENAME); return true; } fwbuilder-5.3.7/src/pflib/PolicyCompiler_ipf_writers.cpp000066400000000000000000000271731303637203600234640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PolicyCompiler_ipf.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/DNSName.h" #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ string PolicyCompiler_ipf::PrintRule::_printPort(int rs,int re,bool neg) { ostringstream str; if (rs<0) rs=0; if (re<0) re=0; if (!neg) { if (rs>0 || re>0) { if (rs>re && re==0) re=rs; if (rs==re) str << "= " << rs; else if (rs==0 && re!=0) str << "<= " << re; else if (rs!=0 && re==65535) str << ">= " << rs; else { /* * port range. Operator '><' defines range in a such way that boundaries * are not included. 
Since we assume it is inclusive, let's move boundaries */ if (rs>0 ) rs--; if (re<65535) re++; str << rs << " >< " << re; } } } else { if (rs>0 || re>0) { if (rs==re) str << "!= " << rs; else if (rs==0 && re!=0) str << "> " << re; else if (rs!=0 && re==65535) str << "< " << rs; else { str << rs << " <> " << re; } } } return str.str(); } void PolicyCompiler_ipf::PrintRule::_printDstService(RuleElement *rel) { FWObject *o=rel->front(); if (o && FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *srv= Service::cast(o); IPService *ip_srv = IPService::cast(srv); if (ip_srv) { return; } else PolicyCompiler_pf::PrintRule::_printDstService(rel); } void PolicyCompiler_ipf::PrintRule::_printAction(PolicyRule *rule) { /* * difference between this and PolicyCompiler_pf::_printAction is as follows: * * 1. there is no support for action Scrub in ipf * 2. there is support for return-icmp-as-dest in ipf * 3. there is support for action Skip in ipf */ FWOptions *ruleopt =rule->getOptionsObject(); Service *srv=compiler->getFirstSrv(rule); assert(srv); switch (rule->getAction()) { case PolicyRule::Skip: compiler->output << "skip " << rule->getInt("no_to_skip") << " "; break; case PolicyRule::Accept: compiler->output << "pass "; break; case PolicyRule::Accounting: compiler->output << "count "; break; case PolicyRule::Deny: compiler->output << "block "; break; case PolicyRule::Reject: if (rule->getDirection()==PolicyRule::Inbound) { if (TCPService::isA(srv)) compiler->output << "block return-rst "; else { string aor=ruleopt->getStr("action_on_reject"); if (aor.empty()) aor=compiler->getCachedFwOpt()->getStr("action_on_reject"); string code; if ( aor.find("ICMP")!=string::npos ) { if (ruleopt->getBool("ipf_return_icmp_as_dest") || compiler->getCachedFwOpt()->getBool("ipf_return_icmp_as_dest") ) code="return-icmp-as-dest "; else code="return-icmp "; if (aor.find("unreachable")!=string::npos ) { if (aor.find("net")!=string::npos) code=code+"(0) "; if 
(aor.find("host")!=string::npos) code=code+"(1) "; if (aor.find("protocol")!=string::npos) code=code+"(2) "; if (aor.find("port")!=string::npos) code=code+"(3) "; } if (aor.find("prohibited")!=string::npos ) { if (aor.find("net")!=string::npos) code=code+"(9) "; if (aor.find("host")!=string::npos) code=code+"(10) "; } } else code="return-icmp "; compiler->output << "block " << code; } } else compiler->output << "block "; break; case PolicyRule::Custom: compiler->output << ruleopt->getStr("custom_str") << " "; break; default: compiler->abort( rule, string("Unknown action ") + rule->getActionAsString()); // compiler->output << rule->getActionAsString() << " "; } } void PolicyCompiler_ipf::PrintRule::_printWith(libfwbuilder::Service *srv) { IPService *ip_srv = IPService::cast(srv); if (ip_srv) { if (ip_srv->getBool("any_opt")) compiler->warning("ipfilter can not match \"any IP option\" "); bool with=true; if ( srv->getBool("short_fragm") ) { if (with) { compiler->output << " with"; with=false; } compiler->output << " short"; } if ( srv->getBool("fragm") ) { if (with) { compiler->output << " with"; with=false; } compiler->output << " frag"; } if (srv->getBool("rr") ) { if (with) { compiler->output << " with"; with=false; } compiler->output << " opt rr"; } if (srv->getBool("lsrr") ) { if (with) { compiler->output << " with"; with=false; } compiler->output << " opt lsrr"; } if (srv->getBool("ssrr") ) { if (with) { compiler->output << " with"; with=false; } compiler->output << " opt ssrr"; } if (srv->getBool("ts") ) { if (with) { compiler->output << " with"; with=false; } compiler->output << " opt ts"; } } } /* * this is almost like the one in PolicyCompiler_pf, except it does * not print interface name for dynamic interface ('cause ipfilter * does not support it) */ void PolicyCompiler_ipf::PrintRule::_printAddr(Address *o,bool neg) { FWOptions* options=compiler->fw->getOptionsObject(); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL) { if 
(atrt->getSubstitutionTypeName()==DNSName::TYPENAME) { compiler->output << atrt->getSourceName() << " "; return; } // at this time we only support two types of MultiAddress // objects: AddressTable and DNSName. Both should be converted // to MultiAddressRunTime at this point. If we get some other // kind of MultiAddressRunTime object, we do not know what to do // with it so we stop. assert(atrt==NULL); } if (options->getBool("dynAddr") && Interface::cast(o)!=NULL && Interface::cast(o)->isDyn()) { if (neg) compiler->output << "! "; compiler->output << "(" << o->getName() << ") "; return; } const InetAddr *addr = o->getAddressPtr(); if (Interface::cast(o)!=NULL && addr==NULL) { compiler->output << " "; } if (addr) { InetAddr mask = *(o->getNetmaskPtr()); if (Interface::cast(o)!=NULL) { mask = InetAddr(InetAddr::getAllOnes()); } if (o->dimension()==1) { mask = InetAddr(InetAddr::getAllOnes()); } if (addr->isAny() && mask.isAny()) { compiler->output << "any "; } else { if (neg) compiler->output << "! 
"; compiler->output << addr->toString(); if (!mask.isHostMask()) { compiler->output << "/" << mask.getLength(); } compiler->output << " "; } } } PolicyCompiler_ipf::PrintRule::PrintRule(const std::string &name) : PolicyCompiler_pf::PrintRule(name) { } bool PolicyCompiler_ipf::PrintRule::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; FWOptions *ruleopt =rule->getOptionsObject(); tmp_queue.push_back(rule); compiler->output << compiler->printComment(rule, current_rule_label, "#"); RuleElementSrc *srcrel=rule->getSrc(); Address *src =compiler->getFirstSrc(rule); assert(src); RuleElementDst *dstrel=rule->getDst(); Address *dst =compiler->getFirstDst(rule); assert(dst); RuleElementSrv *srvrel=rule->getSrv(); Service *srv =compiler->getFirstSrv(rule); assert(srv); _printAction(rule); _printDirection(rule); if (rule->getLogging()) { compiler->output << " log "; if (compiler->getCachedFwOpt()->getBool("ipf_log_or_block") && rule->getAction()==PolicyRule::Accept) compiler->output << " or-block"; if (compiler->getCachedFwOpt()->getBool("ipf_log_body")) compiler->output << " body"; string facility=ruleopt->getStr("ipf_log_facility"); if (facility.empty()) facility = compiler->getCachedFwOpt()->getStr("ipf_log_facility"); string level=ruleopt->getStr("log_level"); if (level.empty()) level=compiler->getCachedFwOpt()->getStr("ipf_log_level"); if (level!="") { compiler->output << " level "; if (facility!="") compiler->output << facility << "."; compiler->output << level; } compiler->output << " "; } if ( rule->getBool("quick") ) compiler->output << "quick "; _printInterface(rule); _printRouteOptions(rule); _printProtocol(srv); compiler->output << " from "; _printSrcAddr(srcrel); _printSrcService(srvrel); compiler->output << " to "; _printDstAddr(dstrel); _printDstService(srvrel); _printWith(srv); /* keeping state does not apply to deny/reject */ if ( ! 
ruleopt->getBool("stateless") ) { /* * this is per advice from Darren Reed http://false.net/ipfilter/2002_12/0176.html * * Feature req. #653803: Implement flags for TCP keep state * * If "keep state" option is given, the rule matches only first packet * in the session. To make the rule more secure, we also match on TCP * flags (if TCP service is used) looking for the correct session * opener packet which should have only SYN flag set and all other * flags cleared. * * However, if option "Accept tcp sessions opened prior to firewall * restart" is ON, we do not need to add "flags S" here ( bug #725853 ). * */ TCPService *tcpsrv=TCPService::cast(srv); if ( ! compiler->getCachedFwOpt()->getBool("accept_new_tcp_with_no_syn") && tcpsrv!=NULL && !tcpsrv->inspectFlags() ) compiler->output << "flags S "; compiler->output << "keep state "; } /* keep frags option */ if ( ruleopt->getBool("ipf_keep_frags") && rule->getAction()==PolicyRule::Accept) { compiler->output << "keep frags "; } compiler->output << endl; return true; } fwbuilder-5.3.7/src/pflib/PolicyCompiler_ipfw.cpp000066400000000000000000000527421303637203600220740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "PolicyCompiler_ipfw.h" #include "fwcompiler/Compiler.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Policy.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_ipfw::myPlatformName() { return "ipfw"; } int PolicyCompiler_ipfw::prolog() { int n= PolicyCompiler_pf::prolog(); anytcp=dbcopy->createTCPService(); anytcp->setId(FWObjectDatabase::generateUniqueId()); // ANY_TCP_OBJ_ID); persistent_objects->add(anytcp,false); anyudp=dbcopy->createUDPService(); anyudp->setId(FWObjectDatabase::generateUniqueId()); //ANY_UDP_OBJ_ID); persistent_objects->add(anyudp,false); anyicmp=dbcopy->createICMPService(); anyicmp->setId(FWObjectDatabase::generateUniqueId()); //ANY_ICMP_OBJ_ID); persistent_objects->add(anyicmp,false); return n; } /* * (this is a virtual method). We do not want to expand a firewall * object that own the policy we are processing, because we can use * address 'me' in ipfw rules. 
*/ void PolicyCompiler_ipfw::_expand_addr(Rule *rule, FWObject *s, bool expand_cluster_interfaces_fully) { RuleElement *re=RuleElement::cast(s); if (re!=NULL && re->size()==1 ) { FWObject *o=re->front(); if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); if (o->getId()==fw->getId()) return; } Compiler::_expand_addr(rule, s, expand_cluster_interfaces_fully); } bool PolicyCompiler_ipfw::expandAnyService::processNext() { PolicyCompiler_ipfw *pcomp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srv=rule->getSrv(); FWOptions *ruleopt =rule->getOptionsObject(); if (srv->isAny() && ! ruleopt->getBool("stateless") && rule->getAction()==PolicyRule::Accept) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementSrv *nsrv=r->getSrv(); nsrv->clearChildren(); nsrv->addRef(pcomp->anyicmp); //compiler->dbcopy->findInIndex(ANY_ICMP_OBJ_ID)); tmp_queue.push_back(r); r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrv=r->getSrv(); nsrv->clearChildren(); nsrv->addRef(pcomp->anytcp); //compiler->dbcopy->findInIndex(ANY_TCP_OBJ_ID)); tmp_queue.push_back(r); r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrv=r->getSrv(); nsrv->clearChildren(); nsrv->addRef(pcomp->anyudp); //compiler->dbcopy->findInIndex(ANY_UDP_OBJ_ID)); tmp_queue.push_back(r); r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); FWOptions *ruleopt =r->getOptionsObject(); ruleopt->setBool("stateless",true); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipfw::SpecialRuleActionsForShadowing::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; if (rule->getAction()==PolicyRule::Pipe || rule->getAction()==PolicyRule::Custom) return true; tmp_queue.push_back(rule); return true; } bool 
PolicyCompiler_ipfw::doSrcNegation::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrc *src=rule->getSrc(); if (src->getNeg()) { RuleElementSrc *nsrc; PolicyRule *r; FWOptions *ruleopt; r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setAction(PolicyRule::Continue); r->setLogging(false); nsrc=r->getSrc(); nsrc->setNeg(false); r->setBool("quick",false); r->setBool("skip_check_for_duplicates",true); ruleopt = r->getOptionsObject(); ruleopt->setBool("stateless", true); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrc=r->getSrc(); nsrc->setNeg(false); nsrc->clearChildren(); nsrc->setAnyElement(); r->setBool("quick",true); r->setBool("skip_check_for_duplicates",true); tmp_queue.push_back(r); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipfw::doDstNegation::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementDst *dst=rule->getDst(); if (dst->getNeg()) { RuleElementDst *ndst; PolicyRule *r; FWOptions *ruleopt; r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setAction(PolicyRule::Continue); r->setLogging(false); ndst=r->getDst(); ndst->setNeg(false); r->setBool("quick",false); r->setBool("skip_check_for_duplicates",true); ruleopt = r->getOptionsObject(); ruleopt->setBool("stateless", true); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); ndst=r->getDst(); ndst->setNeg(false); ndst->clearChildren(); ndst->setAnyElement(); r->setBool("quick",true); r->setBool("skip_check_for_duplicates",true); tmp_queue.push_back(r); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipfw::doSrvNegation::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srv=rule->getSrv(); if (srv->getNeg()) 
{ compiler->abort(rule, "Negation in Srv is not implemented"); return false; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipfw::separatePortRanges::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *rel= rule->getSrv(); if (rel->size()==1) { tmp_queue.push_back(rule); return true; } list services; bool sawServiceWithPortRange=false; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast(o); assert(s!=NULL); if ( TCPService::isA(s) || UDPService::isA(s) ) { unsigned srs=TCPUDPService::cast(s)->getSrcRangeStart(); unsigned sre=TCPUDPService::cast(s)->getSrcRangeEnd(); unsigned drs=TCPUDPService::cast(s)->getDstRangeStart(); unsigned dre=TCPUDPService::cast(s)->getDstRangeEnd(); if (srs!=0 && sre==0) sre=srs; if (drs!=0 && dre==0) dre=drs; if (srs!=sre || drs!=dre) { /* leave the very first service with port range in this rule, * split others into separate rules */ if (sawServiceWithPortRange) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementSrv *nsrv=r->getSrv(); nsrv->clearChildren(); nsrv->addRef( s ); tmp_queue.push_back(r); services.push_back(s); } sawServiceWithPortRange=true; } } } for (list::iterator i=services.begin(); i!=services.end(); i++) rel->removeRef( (*i) ); if (!rel->isAny()) tmp_queue.push_back(rule); return true; } bool PolicyCompiler_ipfw::sortTCPUDPServices::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *rel= rule->getSrv(); if (rel->size()==1) { tmp_queue.push_back(rule); return true; } FWObject *o=rel->front(); if (o && FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s1= Service::cast(o); if ( !UDPService::isA(s1) && !TCPService::isA(s1)) { tmp_queue.push_back(rule); return true; } /* * we know that at this point if there the 
original rule had service * objects with port ranges, there is only one left. We just need to * move it to the front of the list. */ Service *portRangeSvc=NULL; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast(o); assert(s!=NULL); unsigned srs=TCPUDPService::cast(s)->getSrcRangeStart(); unsigned sre=TCPUDPService::cast(s)->getSrcRangeEnd(); unsigned drs=TCPUDPService::cast(s)->getDstRangeStart(); unsigned dre=TCPUDPService::cast(s)->getDstRangeEnd(); if (srs!=0 && sre==0) sre=srs; if (drs!=0 && dre==0) dre=drs; if (srs!=sre || drs!=dre) { portRangeSvc=s; break; } } if (portRangeSvc) { rel->removeRef(portRangeSvc); /* It certainly would have been better if we had FWObject::insertRef() */ FWReference *oref = portRangeSvc->createRef(); portRangeSvc->ref(); rel->push_front(oref); oref->setParent(rel); } tmp_queue.push_back(rule); return true; } void PolicyCompiler_ipfw::specialCaseWithDynInterface::dropDynamicInterface(RuleElement *re) { list cl; for (list::iterator i1=re->begin(); i1!=re->end(); ++i1) { FWObject *o = *i1; FWObject *obj = o; if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); Interface *ifs =Interface::cast( obj ); if (ifs!=NULL && !ifs->isRegular()) continue; cl.push_back(obj); } if (!cl.empty()) { re->clearChildren(); for (list::iterator i1=cl.begin(); i1!=cl.end(); ++i1) re->addRef( (*i1) ); } } bool PolicyCompiler_ipfw::specialCaseWithDynInterface::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; dropDynamicInterface( rule->getDst() ); dropDynamicInterface( rule->getSrc() ); tmp_queue.push_back(rule); return true; } PolicyCompiler_ipfw::calculateNum::calculateNum(const std::string &n) : PolicyRuleProcessor(n) {} bool PolicyCompiler_ipfw::calculateNum::processNext() { PolicyCompiler_ipfw *pcomp = dynamic_cast(compiler); slurp(); if (tmp_queue.size()==0) return false; for 
(deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) { PolicyRule *r = PolicyRule::cast( *k ); pcomp->ipfw_num += 10; r->setInt("ipfw_num", pcomp->ipfw_num ); } for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) { PolicyRule *r = PolicyRule::cast( *k ); int current_position = r->getPosition(); if (r->getAction()==PolicyRule::Continue) { r->setAction(PolicyRule::Skip); deque::iterator j = k; ++j; PolicyRule *r2; for ( ; j!=tmp_queue.end(); ++j) { r2 = PolicyRule::cast( *j ); if (r2->getPosition()!=current_position) { r->setInt("skip_to", r2->getInt("ipfw_num") ); break; } } } } return true; } bool PolicyCompiler_ipfw::checkForKeepState::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); Service *srv=compiler->getFirstSrv(rule); assert(srv); FWOptions *ruleopt =rule->getOptionsObject(); if (! ICMPService::isA(srv) && ! UDPService::isA(srv) && ! TCPService::isA(srv) ) ruleopt->setBool("stateless",true); return true; } bool PolicyCompiler_ipfw::eliminateDuplicateRules::processNext() { PolicyCompiler *pcomp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; // Note that if rule has "any" in Interface column, it is // implemented as reference to the AnyNetwork object. In this case // Compiler::getFirstItf() returns NULL. Interface *intf_rule = compiler->getFirstItf(rule); int intf_id_rule = (intf_rule) ? intf_rule->getId() : -1; if ( ! rule->getBool("skip_check_for_duplicates")) { for (deque::iterator i=rules_seen_so_far.begin(); i!=rules_seen_so_far.end(); ++i) { PolicyRule *r=(*i); if ( r->getBool("skip_check_for_duplicates") ) continue; Interface *intf_r = compiler->getFirstItf(r); int intf_id_r = (intf_r) ? 
intf_r->getId() : -1; if (intf_id_r==intf_id_rule && r->getAction()==rule->getAction() && r->getLogging()==rule->getLogging() && pcomp->cmpRules(*r,*rule) ) { // cout << "---------------------------------------" << endl; // cout << pcomp->debugPrintRule(r) << endl; // cout << pcomp->debugPrintRule(rule) << endl; return true; } } } tmp_queue.push_back(rule); rules_seen_so_far.push_back(rule); return true; } /* * this processor is the same as in PolicyCompiler_ipf */ bool PolicyCompiler_ipfw::processMultiAddressObjectsInRE::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) ); for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) compiler->abort( rule, "Run-time AddressTable objects are not supported."); } tmp_queue.push_back(rule); return true; } void PolicyCompiler_ipfw::compile() { string banner = " Compiling " + fw->getName(); if (!getRuleSetName().empty()) banner += " ruleset " + getRuleSetName(); if (ipv6) banner += ", IPv6"; info(banner); Compiler::compile(); bool check_for_recursive_groups=true; if ( fw->getOptionsObject()->getBool("check_shading") && ! 
inSingleRuleCompileMode()) { add( new Begin("Detecting rule shadowing")); add( new printTotalNumberOfRules()); add( new SpecialRuleActionsForShadowing( "disable rules with action Pipe and Custom") ); add( new ItfNegation("process negation in Itf" ) ); add( new InterfacePolicyRules( "process interface policy rules and store interface ids")); add( new recursiveGroupsInSrc("check for recursive grps in SRC")); add( new recursiveGroupsInDst("check for recursive grps in DST")); add( new recursiveGroupsInSrv("check for recursive grps in SRV")); check_for_recursive_groups=false; add( new ExpandGroups("expand groups")); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC")); add( new eliminateDuplicatesInDST("eliminate duplicates in DST")); add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV")); add( new swapMultiAddressObjectsInSrc( " swap MultiAddress -> MultiAddressRunTime in Src") ); add( new swapMultiAddressObjectsInDst( " swap MultiAddress -> MultiAddressRunTime in Dst") ); add( new ExpandMultipleAddressesInSrc( "expand objects with multiple addresses in SRC")); add( new ExpandMultipleAddressesInDst( "expand objects with multiple addresses in DST")); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new ConvertToAtomic("convert to atomic rules")); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add( new DetectShadowing("Detect shadowing")); add( new simplePrintProgress()); runRuleProcessors(); deleteRuleProcessors(); } add( new Begin()); add( new printTotalNumberOfRules()); add( new singleRuleFilter()); if (check_for_recursive_groups) { add( new recursiveGroupsInSrc("check for recursive grps in SRC")); add( new recursiveGroupsInDst("check for recursive grps in DST")); add( new recursiveGroupsInSrv("check for recursive grps in SRV")); } add( new emptyGroupsInSrc("check for empty grps in SRC")); add( new 
emptyGroupsInDst("check for empty grps in DST")); add( new emptyGroupsInSrv("check for empty grps in SRV")); add( new ItfNegation("process negation in Itf")); add( new InterfacePolicyRules( "process interface policy rules and store interface ids")); add( new doSrcNegation("process negation in Src")); add( new doDstNegation("process negation in Dst")); add( new doSrvNegation("process negation in Srv")); add( new ExpandGroups("expand groups")); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC")); add( new eliminateDuplicatesInDST("eliminate duplicates in DST")); add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV")); add( new swapMultiAddressObjectsInSrc( " swap MultiAddress -> MultiAddressRunTime in Src") ); add( new swapMultiAddressObjectsInDst( " swap MultiAddress -> MultiAddressRunTime in Dst") ); add( new processMultiAddressObjectsInSrc( "process MultiAddress objects in Src") ); add( new processMultiAddressObjectsInDst( "process MultiAddress objects in Dst") ); add( new splitIfFirewallInSrc("split rule if firewall is in Src")); add( new splitIfFirewallInDst("split rule if firewall is in Dst")); add( new fillDirection("determine directions")); add( new ExpandMultipleAddresses( "expand objects with multiple addresses")); add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); add( new checkForDynamicInterfacesOfOtherObjects( "check for dynamic interfaces of other hosts and firewalls")); add( new MACFiltering("verify for MAC address filtering")); add( new checkForUnnumbered("check for unnumbered interfaces")); add( new specialCaseWithDynInterface( "check for a special cases with dynamic interface")); add( new addressRanges("expand address range objects")); add( new groupServicesByProtocol("split rules with different protocols")); add( new splitIpOptions("split rules with multiple IPService objects with options")); add( new separateTCPWithFlags("separate TCP 
services with flags")); add( new separateSrcPort("split on TCP and UDP with source ports")); add( new separatePortRanges("split services with port ranges")); add( new sortTCPUDPServices("move port ranges to the front of ports")); add( new verifyCustomServices( "verify custom services for this platform")); add( new SpecialServices("check for special services")); // add( new expandAnyService("expand ANY service for stateful rules")); add( new ConvertToAtomicForAddresses( "convert to atomic rules in SRC and DST")); add( new checkForZeroAddr("check for zero addresses")); add( new calculateNum("calculate rule numbers ")); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add( new PrintRule("generate ipf code")); add( new simplePrintProgress()); runRuleProcessors(); } string PolicyCompiler_ipfw::debugPrintRule(Rule *r) { PolicyRule *rule=PolicyRule::cast(r); ostringstream s; s << PolicyCompiler::debugPrintRule(rule); RuleElementItf *intf_re = rule->getItf(); string rule_interfaces; int intf_count = 0; for (FWObject::iterator it=intf_re->begin(); it!=intf_re->end(); ++it) { FWObject *o = *it; if (FWReference::cast(o)!=NULL) o = FWReference::cast(o)->getPointer(); rule_interfaces += " " + o->getName(); intf_count++; } if (intf_count > 0) { s << " intf: "; if (intf_count > 1) s << "{ "; s << rule_interfaces; if (intf_count > 1) s << " }"; } else s << " intf: ?"; return s.str(); } void PolicyCompiler_ipfw::epilog() { } fwbuilder-5.3.7/src/pflib/PolicyCompiler_ipfw.h000066400000000000000000000210571303637203600215340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICYCOMPILER_IPFW_HH #define __POLICYCOMPILER_IPFW_HH #include #include "PolicyCompiler_pf.h" namespace libfwbuilder { class TCPService; class UDPService; class ICMPService; }; #define ANY_IP_OBJ_ID "__any_ip_obj__" #define ANY_ICMP_OBJ_ID "__any_icmp_obj__" #define ANY_TCP_OBJ_ID "__any_tcp_obj__" #define ANY_UDP_OBJ_ID "__any_udp_obj__" namespace fwcompiler { class PolicyCompiler_ipfw : public PolicyCompiler_pf { protected: libfwbuilder::TCPService *anytcp; libfwbuilder::UDPService *anyudp; libfwbuilder::ICMPService *anyicmp; int ipfw_num; virtual std::string myPlatformName(); virtual void _expand_addr(libfwbuilder::Rule *rule, libfwbuilder::FWObject *s, bool expand_cluster_interfaces_fully); /** * prints rule in some universal format (close to that visible * to user in the GUI). Used for debugging purposes. This method * calls PolicyCompiler::_internalPrintPolicyRule and then adds * chain and target at the end of the printed line */ virtual std::string debugPrintRule(libfwbuilder::Rule *rule); /** * disabled rules with action Pipe, use this processor in the * run detecting rule shadowing */ DECLARE_POLICY_RULE_PROCESSOR(SpecialRuleActionsForShadowing); /** * splits rules with service 'any' because ipf can keep state * only for UDP/TCP/ICMP */ DECLARE_POLICY_RULE_PROCESSOR(expandAnyService); /** * deals with negation in Src in policy rules. * * this method is different from that in PolicyCompiler_pf */ DECLARE_POLICY_RULE_PROCESSOR(doSrcNegation); /** * deals with negation in Dst in policy rules. 
* * this method is different from that in PolicyCompiler_pf */ DECLARE_POLICY_RULE_PROCESSOR(doDstNegation); /** * deals with negation in Srv in policy rules. * * this method is different from that in PolicyCompiler_pf */ DECLARE_POLICY_RULE_PROCESSOR(doSrvNegation); /** * This processor separates TCP/UDP services with port ranges * (can only have one port range per group of ports in one * rule). Call this processor after TCP and UDP services were * separated by splitServices */ DECLARE_POLICY_RULE_PROCESSOR(separatePortRanges); /** * This processor rearranges order of TCP/UDP services to make * sure those with port ranges come first. Call this processor * after TCP and UDP services were separated by splitServices * and port ranges were separated by separatePortRanges */ DECLARE_POLICY_RULE_PROCESSOR(sortTCPUDPServices); /** * checks for the following situations: * * 1. dynamic interface is in source and direction is inbound * (drop interface from src since source address is * undertermined) * * 2. dynamic interface is in source, direction is outbound * (drop interface from the list, this rule has been created * while processing negation. TODO: this is kludge, need to * find a better way to process negation if firewall is in rule * element and it has dynamic interface) * * 3. dynamic interface is in destination and direction is * outbound (drop interface since dest. address is undefined) * */ class specialCaseWithDynInterface : public PolicyRuleProcessor { void dropDynamicInterface(libfwbuilder::RuleElement *re); public: specialCaseWithDynInterface(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; /** * ipf supports "keep state" only for icmp/udp/tcp */ DECLARE_POLICY_RULE_PROCESSOR(checkForKeepState); /** * increments numbers for rules (ipfw numbers, that is) * The number itself is stored in the compiler class. 
*/ class calculateNum : public PolicyRuleProcessor { public: calculateNum(const std::string &n); virtual bool processNext(); }; /** * eliminates duplicate atomic rules */ class eliminateDuplicateRules : public PolicyRuleProcessor { private: std::deque rules_seen_so_far; public: eliminateDuplicateRules(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class fwcompiler::PolicyCompiler_ipfw::eliminateDuplicateRules; /** * Placeholders for MultiAddressRunTime objects which are not * supported for ipfw */ class processMultiAddressObjectsInRE : public PolicyRuleProcessor { std::string re_type; public: processMultiAddressObjectsInRE(const std::string &name, const std::string &t) : PolicyRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; class processMultiAddressObjectsInSrc : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInSrc(const std::string &n) : processMultiAddressObjectsInRE( n, libfwbuilder::RuleElementSrc::TYPENAME) {} }; class processMultiAddressObjectsInDst : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInDst(const std::string &n) : processMultiAddressObjectsInRE( n, libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * prints single policy rule, assuming all groups have been * expanded, so source, destination and service hold exactly * one object each, and this object is not a group. * Negation should also have been taken care of before this * method is called. 
*/ class PrintRule : public PolicyCompiler_pf::PrintRule { virtual std::string _printPort(int rs,int re,bool neg=false); virtual void _printProtocol(libfwbuilder::Service *srv); virtual void _printAction(libfwbuilder::PolicyRule *r); virtual void _printAddr(libfwbuilder::FWObject *o,bool neg=false); virtual void _printDirection(libfwbuilder::PolicyRule *r); virtual void _printOppositeDirection(libfwbuilder::PolicyRule *r); virtual void _printInterface(libfwbuilder::PolicyRule *r); virtual void _printSrcService(libfwbuilder::RuleElement *o); virtual void _printDstService(libfwbuilder::RuleElement *o); virtual std::string _printSrcService(libfwbuilder::Service *srv, bool neg=false); virtual std::string _printDstService(libfwbuilder::Service *srv, bool neg=false); virtual std::string _printTCPFlags(libfwbuilder::TCPService *srv); public: PrintRule(const std::string &name); virtual bool processNext(); }; public: PolicyCompiler_ipfw(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : PolicyCompiler_pf(_db, fw, ipv6_policy, _oscnf, NULL) { ipfw_num = 0; } virtual int prolog(); virtual void compile(); virtual void epilog(); std::string defaultRules(); int getIPFWNumber() { return ipfw_num; } void setIPFWNumber(int n) { ipfw_num = n; } }; } #endif fwbuilder-5.3.7/src/pflib/PolicyCompiler_ipfw_writers.cpp000066400000000000000000000440721303637203600236500ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "definitions.h" #include "PolicyCompiler_ipfw.h" #include "OSData.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Resources.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWObjectDatabase.h" #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ void PolicyCompiler_ipfw::PrintRule::_printProtocol(Service *srv) { if ( srv->isAny() || srv->getProtocolName()=="ip") { compiler->output << "all "; return; } if ( CustomService::isA(srv) ) { // CustomService returns protocol name starting with v3.0.4 // However CustomService can return protocol name "any", which // we should just skip. Also, in ipfw option "established" is // only defined for tcp, so we should set protocol to "tcp" if // custom service inserts this option. string pn = srv->getProtocolName(); if (pn != "any") compiler->output << pn << " "; else { string cscode = CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName() ); if (cscode=="established") compiler->output << "tcp "; // custom service does not define protocol - do not add any. 
} return; } compiler->output << srv->getProtocolName(); compiler->output << " "; } string PolicyCompiler_ipfw::PrintRule::_printPort(int rs,int re,bool ) { ostringstream str; if (rs<0) rs=0; if (re<0) re=0; if (rs>0 || re>0) { if (rs==re) str << rs; else str << rs << "-" << re; } return str.str(); } string PolicyCompiler_ipfw::PrintRule::_printTCPFlags(TCPService *srv) { string str; if (srv->getEstablished()) str = "established"; else { if (srv->inspectFlags()) { if (srv->getTCPFlagMask(TCPService::FIN)) { if (!srv->getTCPFlag(TCPService::FIN)) str+="!"; str+="fin"; } if (srv->getTCPFlagMask(TCPService::SYN)) { str+=","; if (!srv->getTCPFlag(TCPService::SYN)) str+="!"; str+="syn"; } if (srv->getTCPFlagMask(TCPService::RST)) { str+=","; if (!srv->getTCPFlag(TCPService::RST)) str+="!"; str+="rst"; } if (srv->getTCPFlagMask(TCPService::PSH)) { str+=","; if (!srv->getTCPFlag(TCPService::PSH)) str+="!"; str+="psh"; } if (srv->getTCPFlagMask(TCPService::ACK)) { str+=","; if (!srv->getTCPFlag(TCPService::ACK)) str+="!"; str+="ack"; } if (srv->getTCPFlagMask(TCPService::URG)) { str+=","; if (!srv->getTCPFlag(TCPService::URG)) str+="!"; str+="urg"; } if (!str.empty()) return "tcpflags " + str; } } return str; } void PolicyCompiler_ipfw::PrintRule::_printAction(PolicyRule *rule) { FWOptions *ruleopt = rule->getOptionsObject(); Service *srv = compiler->getFirstSrv(rule); assert(srv); if (rule->getClassification()) { int portNum = ruleopt->getInt("ipfw_pipe_queue_num"); switch (ruleopt->getInt("ipfw_classify_method")) { case DUMMYNETPIPE: compiler->output << "pipe " << portNum << " "; return; case DUMMYNETQUEUE: compiler->output << "queue " << portNum << " "; return; default: compiler->output << "divert " << portNum << " "; return; } } switch (rule->getAction()) { case PolicyRule::Skip: compiler->output << "skipto " << rule->getInt("skip_to") << " "; break; case PolicyRule::Accounting: compiler->output << "count "; break; case PolicyRule::Accept: compiler->output << "permit "; 
break; case PolicyRule::Deny: compiler->output << "drop "; break; case PolicyRule::Reject: if (TCPService::isA(srv)) compiler->output << "reset "; else { string aor=ruleopt->getStr("action_on_reject"); if (aor.empty()) aor=compiler->getCachedFwOpt()->getStr("action_on_reject"); string code; if ( aor.find("ICMP")!=string::npos ) { code=""; if (aor.find("unreachable")!=string::npos ) { if (aor.find("net")!=string::npos) code="net "; if (aor.find("host")!=string::npos) code="host "; if (aor.find("protocol")!=string::npos) code="protocol "; if (aor.find("port")!=string::npos) code="port "; } if (aor.find("prohibited")!=string::npos ) { if (aor.find("net")!=string::npos) code="net-prohib "; if (aor.find("host")!=string::npos) code="host-prohib "; } } else code="host-prohib "; compiler->output << "unreach " << code; } break; case PolicyRule::Pipe: compiler->output << "divert " << ruleopt->getInt("ipfw_pipe_port_num") << " "; break; case PolicyRule::Custom: compiler->output << ruleopt->getStr("custom_str") << " "; break; default: compiler->abort( rule, string("Unknown action ") + rule->getActionAsString()); // compiler->output << rule->getActionAsString() << " "; } } /* * this is almost like the one in PolicyCompiler_pf, except it does * not print interface name for dynamic interface ('cause ipfilter * does not support it) */ void PolicyCompiler_ipfw::PrintRule::_printAddr(FWObject *o, bool neg) { if (o->getId()==compiler->fw->getId()) { compiler->output << "me "; return; } Address *addr_obj = Address::cast(o); assert(addr_obj!=NULL); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL) { if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME) { compiler->output << atrt->getSourceName() << " "; return; } // at this time we only support two types of MultiAddress // objects: AddressTable and DNSName. Both should be converted // to MultiAddressRunTime at this point. 
If we get some other // kind of MultiAddressRunTime object, we do not know what to do // with it so we stop. assert(atrt==NULL); } const InetAddr *addr = addr_obj->getAddressPtr(); if (Interface::cast(o)!=NULL && addr==NULL) { compiler->output << "me "; } if (addr) { InetAddr mask = *(addr_obj->getNetmaskPtr()); if (Interface::cast(o)!=NULL) mask = InetAddr(InetAddr::getAllOnes()); if (addr_obj->dimension()==1) mask = InetAddr(InetAddr::getAllOnes()); if (addr->isAny() && mask.isAny()) { compiler->output << "any "; } else { if (neg) compiler->output << "not "; compiler->output << addr->toString(); if (!mask.isHostMask()) { compiler->output << "/" << mask.getLength(); } compiler->output << " "; } } } void PolicyCompiler_ipfw::PrintRule::_printDirection(libfwbuilder::PolicyRule *r) { switch (r->getDirection()) { case PolicyRule::Outbound: compiler->output << "out "; break; case PolicyRule::Inbound: compiler->output << "in "; break; case PolicyRule::Both: compiler->output << " "; break; default: break; } } void PolicyCompiler_ipfw::PrintRule::_printOppositeDirection(PolicyRule *r) { switch (r->getDirection()) { case PolicyRule::Outbound: compiler->output << "in "; break; case PolicyRule::Inbound: compiler->output << "out "; break; case PolicyRule::Both: compiler->output << " "; break; default: break; } } void PolicyCompiler_ipfw::PrintRule::_printInterface(PolicyRule *r) { Interface *intf = compiler->getFirstItf(r); if (intf) { switch (r->getDirection()) { case PolicyRule::Outbound: compiler->output << "xmit "; break; case PolicyRule::Inbound: compiler->output << "recv "; break; case PolicyRule::Both: compiler->output << "via "; break; default: break; } compiler->output << intf->getName() << " "; } } void PolicyCompiler_ipfw::PrintRule::_printSrcService(RuleElement *rel) { /* I do not want to use rel->getFirst because it traverses the tree to * find the object. 
I'd rather use a cached copy in the compiler */ FWObject *o=rel->front(); if (o && FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s1= Service::cast(o); bool tcpudp= (UDPService::isA(s1) || TCPService::isA(s1)); bool first=true; for (list::iterator i1=rel->begin(); i1!=rel->end(); ++i1) { FWObject *o = *i1; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *srv=Service::cast(o); if (tcpudp) { string str=_printSrcService( srv , false ); if (! str.empty() ) { if (!first) compiler->output << ","; compiler->output << str; } } } } string PolicyCompiler_ipfw::PrintRule::_printSrcService(Service *srv,bool neg) { string res; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs=TCPUDPService::cast(srv)->getSrcRangeStart(); int re=TCPUDPService::cast(srv)->getSrcRangeEnd(); string s1= _printPort(rs,re,neg); if (!s1.empty()) res= s1; } return res; } void PolicyCompiler_ipfw::PrintRule::_printDstService(RuleElement *rel) { FWObject *o=rel->front(); if (o && FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s1= Service::cast(o); bool tcpudp= (UDPService::isA(s1) || TCPService::isA(s1)); bool icmp = ICMPService::isA(s1); bool custom= CustomService::isA(s1); if (icmp) compiler->output << "icmptypes "; bool first=true; for (list::iterator i1=rel->begin(); i1!=rel->end(); ++i1) { FWObject *o = *i1; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *srv=Service::cast(o); if (tcpudp || custom) { string str=_printDstService( srv , false ); if (! str.empty() ) { if (!first) compiler->output << ","; compiler->output << str; } } if (icmp) { if (!first) compiler->output << ","; compiler->output << srv->getStr("type"); } first=false; } compiler->output << " "; /* * TCP services with flags were separated in rule processor * separateTCPWithFlags. We can count on objects like that being a * single object in the SRV. 
*/
    if (TCPService::isA(s1))
    {
        string str=_printTCPFlags(TCPService::cast(s1));
        if (!str.empty()) compiler->output << str << " ";
    }

    const IPService *ip_srv = IPService::constcast(s1);
    if (ip_srv)
    {
        Rule *rule = Rule::cast(rel->getParent());
        // Both fragment flags map to the same ipfw "frag" keyword.
        if ((ip_srv->getBool("fragm") || ip_srv->getBool("short_fragm")) )
            compiler->output << " frag ";

        if (ip_srv->hasIpOptions())
        {
            QStringList options;
            if (ip_srv->getBool("any_opt"))
                compiler->warning(rule, "ipfw can not match \"any IP option\" ");
            else
            {
                // Only these four options are translated into "ipoptions";
                // any other option the service may carry is not emitted.
                const char *option_names[] = {"lsrr", "ssrr", "rr", "ts", NULL};
                for (const char* *cptr=option_names; *cptr; cptr++)
                    if (ip_srv->getBool(*cptr)) options.push_back(*cptr);
            }
            if (!options.empty())
                compiler->output << " ipoptions "
                                 << options.join(",").toStdString() << " ";
        }
    }
}

/*
 * Render the destination-side match for a single service: a port spec for
 * TCP/UDP, "icmptypes <type>" for an ICMP service whose type is set, or the
 * platform code of a CustomService. Returns the empty string otherwise.
 * The RuleElement-level overload above only calls this for TCP/UDP and
 * custom services and prints the "icmptypes" keyword itself, so the ICMP
 * branch here serves other callers, if any.
 */
string PolicyCompiler_ipfw::PrintRule::_printDstService(Service *srv,bool neg)
{
    string res;

    if (TCPService::isA(srv) || UDPService::isA(srv))
    {
        int rs=TCPUDPService::cast(srv)->getDstRangeStart();
        int re=TCPUDPService::cast(srv)->getDstRangeEnd();
        string s1=_printPort(rs,re,neg);;
        if (!s1.empty()) res= s1;
    }

    if (ICMPService::isA(srv) && srv->getInt("type")!=-1)
    {
        res= "icmptypes " + srv->getStr("type") + " ";
    }

    if (CustomService::isA(srv))
    {
        // The custom code is copied into the generated ipfw command exactly
        // as stored in the object, without quoting or validation.
        res= CustomService::cast(srv)->getCodeForPlatform(
            compiler->myPlatformName() ) + " ";
    }

    return res;
}

PolicyCompiler_ipfw::PrintRule::PrintRule(const std::string &name) :
    PolicyCompiler_pf::PrintRule(name)
{
}

/*
 * Print one policy rule as a "$IPFW add ..." shell command line into
 * compiler->output. The rule itself passes through unchanged (tmp_queue).
 * The body continues beyond this line.
 */
bool PolicyCompiler_ipfw::PrintRule::processNext()
{
    PolicyRule *rule=getNext(); if (rule==NULL) return false;
    FWOptions *ruleopt = rule->getOptionsObject();

    tmp_queue.push_back(rule);

    /* need to quote $IPFW because it may contain space, this happens on
     * Mac more often than anywhere else */
    string quote = "\"";

    // Rule comment text is written into the script as "#" comments.
    compiler->output << compiler->printComment(rule, current_rule_label, "#");

    RuleElementSrc *srcrel=rule->getSrc();
    Address *src =compiler->getFirstSrc(rule);
    assert(src);

    RuleElementDst *dstrel=rule->getDst();
    Address *dst =compiler->getFirstDst(rule);
assert(dst);

    RuleElementSrv *srvrel=rule->getSrv();
    Service *srv =compiler->getFirstSrv(rule);
    assert(srv);

    if (rule->getBool("needs_established"))
    {
        /*
         * This flag means we need to automatically generate mirrored rule with
         * parameter "established"
         *
         * ipfw_num is assigned with a step of 10, so it is safe to subtract 1
         */
        compiler->output << quote << "$IPFW" << quote
                         << " add " << rule->getInt("ipfw_num")-1 << " set 1 ";
        _printAction(rule);
        if (rule->getLogging()) compiler->output << " log ";
        _printProtocol(srv);
        compiler->output << " from ";
        _printSrcAddr(dstrel);
        // NOTE(review): dstrel (an address element) is handed to the service
        // printers here and two lines below; those cast its first object to
        // Service and so appear to print nothing for it, which leaves the
        // mirrored rule without a port match. srvrel was presumably intended
        // — confirm.
        _printSrcService(dstrel);
        compiler->output << " to ";
        _printDstAddr(srcrel);
        _printDstService(dstrel);
        _printOppositeDirection(rule);
        _printInterface(rule);
        if ( ! ruleopt->getBool("stateless"))
        {
            // Plain TCP (no flag inspection, not "established") gets the
            // "established" keyword in the mirrored rule.
            TCPService *tcpsrv = TCPService::cast(srv);
            if ( tcpsrv!=NULL && !tcpsrv->inspectFlags() && !tcpsrv->getEstablished() )
                compiler->output << "established ";
            compiler->output << "keep-state ";
        }
        // NOTE(review): unlike the main rule below, this command is not
        // followed by " || exit 1", so a failure to load the mirrored rule
        // does not stop the generated script.
        compiler->output << endl;
    }

    compiler->output << quote << "$IPFW" << quote
                     << " add " << rule->getInt("ipfw_num") << " set 1 ";
    _printAction(rule);
    if (rule->getLogging()) compiler->output << " log ";
    _printProtocol(srv);
    compiler->output << " from ";
    _printSrcAddr(srcrel);
    _printSrcService(srvrel);
    compiler->output << " to ";
    _printDstAddr(dstrel);
    _printDstService(srvrel);
    _printDirection(rule);
    _printInterface(rule);

    /* keeping state does not apply to deny/reject */
    if ( ! ruleopt->getBool("stateless"))
    {
        /*
         * this is per advice from Darren Reed http://false.net/ipfilter/2002_12/0176.html
         *
         * Feature req. #653803: Implement flags for TCP keep state
         *
         * In ipfw the equivalend is
         *
         * setup TCP packets only. Match packets that have the SYN bit
         * set but no ACK bit.
* */ TCPService *tcpsrv=TCPService::cast(srv); if ( tcpsrv!=NULL && !tcpsrv->inspectFlags() && !tcpsrv->getEstablished() ) compiler->output << "setup "; compiler->output << "keep-state "; } compiler->output << " || exit 1" << endl; //compiler->output << endl; return true; } string PolicyCompiler_ipfw::defaultRules() { FWOptions *options = fw->getOptionsObject(); string quote = "\""; ostringstream res; res << quote << "$IPFW" << quote << " set disable 1" << endl; /* checking if option add_check_state_rule is absent to * provide for backward compatibility: before 2.1.6 build 131 * this option did not exist and compiler alawys generated * check-state rule */ if (options->getStr("add_check_state_rule").empty() || options->getBool("add_check_state_rule")) { res << quote << "$IPFW" << quote << " add 1 set 1 check-state ip from any to any" << endl; } res << endl; return res.str(); } fwbuilder-5.3.7/src/pflib/PolicyCompiler_pf.cpp000066400000000000000000000773651303637203600215440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "PolicyCompiler_pf.h" #include "NATCompiler_pf.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FailoverClusterGroup.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UDPService.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; string PolicyCompiler_pf::myPlatformName() { return "pf"; } int PolicyCompiler_pf::prolog() { if (fw->getStr("platform")!=myPlatformName() ) abort("Unsupported platform " + fw->getStr("platform") ); list l2=fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); if ( iface->isDyn()) { list l3=iface->getByType(IPv4::TYPENAME); if (l3.size()>0) { QString err( "Dynamic interface %1 should not have an IP " "address object attached to it. 
This IP address " "object will be ignored."); warning(err.arg(iface->getName().c_str()).toStdString()); for (list::iterator j=l3.begin(); j!=l3.end(); ++j) iface->remove(*j); } } } if (tables) { tables->init(dbcopy); if (!getSourceRuleSet()->isTop()) tables->setRuleSetName(getRuleSetName()); } return PolicyCompiler::prolog(); } /* * this is very much like * Compiler::swapMultiAddressObjectsInRE::processNext() except it also * registers the table using registerTable() */ bool PolicyCompiler_pf::swapAddressTableObjectsInRE::processNext() { PolicyCompiler_pf *pf_comp=dynamic_cast(compiler); Rule *rule=prev_processor->getNextRule(); if (rule==NULL) return false; RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) ); list cl; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); /* * All addressTable objects will be run-time here because we * switch them in preprocessor. The difference is: if address * table was originally run-time, at this point it will have * no children, however if it was compile-time originally, it * will have children objects. That is how we distinguish * them in this rule processor. Here we only deal with * AddressTable objects that originally used to be * compile-time because we need to create tables for them. */ if (AddressTable::cast(o)!=NULL && AddressTable::cast(o)->isRunTime() && o->size() > 0) cl.push_back(MultiAddress::cast(o)); } if (!cl.empty()) { for (list::iterator i=cl.begin(); i!=cl.end(); i++) { MultiAddress *atbl = *i; // Need to make sure the ID of the MultiAddressRunTime // object created here is stable and is always the same // for the same MultiAddress object. 
In particular this // ensures that we reuse tables between policy and NAT rules string mart_id_str = FWObjectDatabase::getStringId(atbl->getId()) + "_runtime"; int mart_id = FWObjectDatabase::registerStringId(mart_id_str); MultiAddressRunTime *mart = MultiAddressRunTime::cast(compiler->dbcopy->findInIndex(mart_id)); if (mart==NULL) { mart = new MultiAddressRunTime(atbl); // need to ensure stable ID for the runtime object, so // that when the same object is replaced in different // rulesets by different compiler passes, chosen // runtime object has the same ID and is identified as // the same by the compiler. mart->setId( mart_id ); compiler->dbcopy->addToIndex(mart); compiler->persistent_objects->add(mart); // register this object as a table string tblname = atbl->getName(); string tblID = tblname + "_addressTableObject"; pf_comp->tables->registerTable(tblname,tblID,atbl); } re->removeRef(atbl); re->addRef(mart); } tmp_queue.push_back(rule); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::processMultiAddressObjectsInRE::processNext() { PolicyCompiler_pf *pf_comp=dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) ); bool neg = re->getNeg(); list maddr_runtime; try { for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) { if (re->size()>1 && neg) { compiler->abort(rule, "AddressTable object can not be used " "with negation in combination with " "other objects in the same rule element."); } string tblname = o->getName(); string tblID = tblname + "_addressTableObject"; pf_comp->tables->registerTable(tblname,tblID,o); o->setBool("pf_table",true); maddr_runtime.push_back(o); } } } catch(FWException &ex) // 
TableFactory::registerTable throws exception { string err; err = "Can not process MultiAddress object: " + ex.toString(); compiler->abort(rule, err); } if (!maddr_runtime.empty()) { RuleElement *nre; for (FWObject::iterator i=maddr_runtime.begin(); i!=maddr_runtime.end(); i++) { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nre=RuleElement::cast( r->getFirstByType(re_type) ); nre->clearChildren(); nre->addRef( *i ); tmp_queue.push_back(r); } for (FWObject::iterator i=maddr_runtime.begin(); i!=maddr_runtime.end(); i++) re->removeRef( *i ); if (!re->isAny()) tmp_queue.push_back(rule); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::splitIfFirewallInSrc::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; PolicyRule *r; RuleElementSrc *src = rule->getSrc(); assert(src); if (src->size()==1 || src->getNeg()) { tmp_queue.push_back(rule); return true; } FWObject *fw_in_src = NULL; vector cl; for (FWObject::iterator i1=src->begin(); i1!=src->end(); ++i1) { FWObject *obj = FWReference::getObject(*i1); if (obj==NULL) compiler->abort(rule, "Broken Src object"); if (obj->getId()==compiler->getFwId()) { fw_in_src = obj; RuleElementSrc *nsrc; r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrc = r->getSrc(); nsrc->clearChildren(); nsrc->setAnyElement(); nsrc->addRef( compiler->fw ); tmp_queue.push_back(r); } } if (fw_in_src!=NULL) src->removeRef( fw_in_src ); tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::splitIfFirewallInDst::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; PolicyRule *r; RuleElementDst *dst = rule->getDst(); assert(dst); if (dst->size()==1 || dst->getNeg()) { tmp_queue.push_back(rule); return true; } FWObject *fw_in_dst = NULL; vector cl; for (FWObject::iterator i1=dst->begin(); i1!=dst->end(); ++i1) { FWObject *obj = FWReference::getObject(*i1); if 
(obj==NULL) compiler->abort(rule, "Broken Dst"); if (obj->getId()==compiler->getFwId()) { fw_in_dst = obj; RuleElementDst *ndst; r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); ndst = r->getDst(); ndst->clearChildren(); ndst->setAnyElement(); ndst->addRef( compiler->fw ); tmp_queue.push_back(r); } } if (fw_in_dst!=NULL) dst->removeRef( fw_in_dst ); tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::fillDirection::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); /* after interface policies have been merged with global policy, rules * with empty direction have disappeared. In fact, xslt * transformation 2.1.1->2.1.2 leaves empty direction in the old * global policy rules, but the GUI promptly fixes that replacing it * with "Both" whenever user opens the policy. So, we have to handle * both the case of an empty direction and direction "Both". To * preserve old semantics as accurately as possible, I check for a * combination of empty interface and direction "Both", this is what * old global rules become after user opens the combined policy in the * GUI. In fact, it does not matter what direction is set in the rule * as long as it misses interface - we need to determine direction * again anyway. */ if (rule->getDirection() == PolicyRule::Undefined) rule->setDirection( PolicyRule::Both ); /* * Correction for bug #2791950 "no way to generate "pass out" rule * with no interface". Do not reset direction just because interface * rule element is "any", otherwise we can not create rule with no * interface spec: * * pass out quick inet from any to any * * If we reset direction here, instead of this one rule we get two, * one "pass out" and another "pass in". However it is still useful to * change direction if fw is in source or destination. 
*/ if (rule->getDirection() == PolicyRule::Both) { Address *src = compiler->getFirstSrc(rule); Address *dst = compiler->getFirstDst(rule); //int fwid = compiler->getFwId(); if (src==NULL || dst==NULL) compiler->abort(rule, "Broken src or dst"); if (!src->isAny() && !dst->isAny() && compiler->complexMatch(compiler->fw, src) && compiler->complexMatch(compiler->fw, dst)) return true; if (!src->isAny() && compiler->complexMatch(compiler->fw, src)) { rule->setDirection( PolicyRule::Outbound ); compiler->warning( rule, "Changing rule direction due to self reference"); } if (!dst->isAny() && compiler->complexMatch(compiler->fw, dst)) { rule->setDirection( PolicyRule::Inbound ); compiler->warning( rule, "Changing rule direction due to self reference"); } } return true; } bool PolicyCompiler_pf::SpecialServices::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); RuleElementSrv *srv=rule->getSrv(); for (FWObject::iterator i=srv->begin(); i!=srv->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast( o ); assert(s); if (IPService::cast(s)!=NULL && rule->getAction()==PolicyRule::Accept) { rule->setBool("allow_opts", IPService::constcast(s)->hasIpOptions()); } } return true; } bool PolicyCompiler_pf::SplitDirection::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; if (rule->getDirection()==PolicyRule::Both && rule->getRouting()) { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setDirection(PolicyRule::Inbound); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setDirection(PolicyRule::Outbound); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::ProcessScrubOption::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; FWOptions *ruleopt 
=rule->getOptionsObject(); if ( ruleopt->getBool("scrub") ) { if (rule->getAction()!=PolicyRule::Accept) { ruleopt->setBool("scrub",false); tmp_queue.push_back(rule); compiler->abort(rule, "Rule option 'scrub' is supported only for rules " "with action 'Accept'"); return true; } PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setAction(PolicyRule::Scrub); r->getOptionsObject()->setBool("scrub",false); tmp_queue.push_back(r); ruleopt->setBool("scrub",false); tmp_queue.push_back(rule); return true; } /* if service is ip_fragment and action is 'Deny', then add rule with scrub */ Service *srv=compiler->getFirstSrv(rule); assert(srv); if ( (srv->getBool("short_fragm") || srv->getBool("fragm")) && ( rule->getAction()==PolicyRule::Deny || rule->getAction()==PolicyRule::Reject) ) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setAction(PolicyRule::Scrub); r->getOptionsObject()->setBool("scrub",false); tmp_queue.push_back(r); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::setQuickFlag::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); FWOptions *ropt = rule->getOptionsObject(); Q_UNUSED(ropt); switch (rule->getAction()) { case PolicyRule::Scrub: case PolicyRule::Accounting: case PolicyRule::Branch: case PolicyRule::Continue: break; default: rule->setBool("quick", true); break; } // as of 4.2.0 build 3477 we provide checkboxes to make Tag and // Classify actions (PF) terminating or non-terminating on // per-rule basis. Old behavior: Tag was non-terminating and // Classify was terminating. Set options accordingly if they are // not set. 
// // TODO #2367: now instead of checkboxes, user should use actions Accept // or Continue return true; } bool PolicyCompiler_pf::doSrcNegation::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrc *src=rule->getSrc(); if (src->getNeg()) { RuleElementSrc *nsrc; PolicyRule *r; r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); if (rule->getAction()==PolicyRule::Accept) r->setAction(PolicyRule::Deny); else r->setAction(PolicyRule::Accept); nsrc=r->getSrc(); nsrc->setNeg(false); r->setBool("quick",true); r->setLogging(false); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrc=r->getSrc(); nsrc->setNeg(false); nsrc->clearChildren(); nsrc->setAnyElement(); r->setBool("quick",true); tmp_queue.push_back(r); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::doDstNegation::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementDst *dst=rule->getDst(); if (dst->getNeg()) { RuleElementDst *ndst; PolicyRule *r; r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); if (rule->getAction()==PolicyRule::Accept) r->setAction(PolicyRule::Deny); else r->setAction(PolicyRule::Accept); ndst=r->getDst(); ndst->setNeg(false); r->setBool("quick",true); r->setLogging(false); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); ndst=r->getDst(); ndst->setNeg(false); ndst->clearChildren(); ndst->setAnyElement(); r->setBool("quick",true); tmp_queue.push_back(r); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::doSrvNegation::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srv=rule->getSrv(); if (srv->getNeg()) { compiler->abort(rule, "Negation in Srv is not implemented"); return true; } tmp_queue.push_back(rule); 
return true;
}

/*
 * For every (service, destination) pair in the rule that equals the original
 * destination and service recorded for a redirect NAT rule, add that NAT
 * rule's new target address to the rule's Dst element: a policy rule that
 * permits a redirected service then also permits the address it is
 * redirected to. Only the first match is applied. The rule is queued in any
 * case; compilation is aborted if redirect_rules_info was never set.
 */
bool PolicyCompiler_pf::addLoopbackForRedirect::processNext()
{
    PolicyRule *rule = getNext(); if (rule==NULL) return false;

    // NOTE(review): template arguments appear to be missing from the casts
    // and container types in this copy of the file.
    PolicyCompiler_pf *pf_comp = dynamic_cast(compiler);

    RuleElementDst *dst = rule->getDst();
    RuleElementSrv *srv = rule->getSrv();

    if (pf_comp->redirect_rules_info==NULL)
        compiler->abort(
            rule,
            "addLoopbackForRedirect needs a valid pointer to "
            "the list object");

    tmp_queue.push_back(rule);

    if (pf_comp->redirect_rules_info->empty()) return true;

    for (FWObject::iterator i=srv->begin(); i!=srv->end(); i++)
    {
        FWObject *o1 = FWReference::getObject(*i);
        Service *s = Service::cast( o1 );
        assert(s);

        for (FWObject::iterator j=dst->begin(); j!=dst->end(); j++)
        {
            FWObject *o2 = FWReference::getObject(*j);
            // "self" is a run-time placeholder, not a comparable address.
            if (o2->getName() == "self" && DNSName::isA(o2)) continue;
            Address *a = Address::cast( o2 );
            assert(a);

            list::const_iterator k;
            for (k=pf_comp->redirect_rules_info->begin();
                 k!=pf_comp->redirect_rules_info->end(); ++k)
            {
                // NOTE(review): both cast results are dereferenced below
                // without a NULL check; an id in redirect_rules_info that
                // does not resolve to an Address/Service would crash here —
                // confirm the index always holds them.
                Address *old_tdst_obj = Address::cast(
                    compiler->dbcopy->findInIndex(k->old_tdst));
                Service *tsrv_obj = Service::cast(
                    compiler->dbcopy->findInIndex(k->tsrv));

                if ( *a == *(old_tdst_obj) && *s == *(tsrv_obj) )
                {
                    // insert address used for redirection in the NAT rule.
                    FWObject *new_tdst_obj =
                        compiler->dbcopy->findInIndex(k->new_tdst);
                    dst->addRef(new_tdst_obj);
                    return true;
                }
            }
        }
    }
    return true;
}

/*
 * Abort compilation when re references a dynamic interface of an object
 * other than the firewall being compiled, since its address is unknown
 * (the condition and the abort continue beyond this line).
 */
void PolicyCompiler_pf::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces(RuleElement *re, Rule *rule)
{
    if (re->isAny()) return;

    list cl;
    for (list::iterator i1=re->begin(); i1!=re->end(); ++i1)
    {
        FWObject *o = *i1;
        FWObject *obj = o;
        if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
        Interface *ifs =Interface::cast( obj );
        if (ifs!=NULL && ifs->isDyn() &&
            ifs->getParent()->getId()!=compiler->fw->getId() && !
ifs->getParent()->getBool("pf_table") ) { QString err( "Can not build rule using dynamic interface '%1' " "of the object '%2' because its address in unknown."); compiler->abort( rule, err .arg(ifs->getName().c_str()) .arg(ifs->getParent()->getName().c_str()).toStdString()); } } } bool PolicyCompiler_pf::checkForDynamicInterfacesOfOtherObjects::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; findDynamicInterfaces( rule->getSrc() , rule ); findDynamicInterfaces( rule->getDst() , rule ); tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::splitIfInterfaceInRE::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) ); if (re->size()<=2) { tmp_queue.push_back(rule); return true; } list cl; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Interface *interface_=Interface::cast(o); if (interface_!=NULL && interface_->isDyn()) cl.push_back(interface_); } if (!cl.empty()) { RuleElement *nre; PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nre=RuleElement::cast( r->getFirstByType(re_type) ); nre->clearChildren(); for (FWObject::iterator i=cl.begin(); i!=cl.end(); i++) nre->addRef( *i ); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nre=RuleElement::cast( r->getFirstByType(re_type) ); for (FWObject::iterator i=cl.begin(); i!=cl.end(); i++) nre->removeRef( *i ); tmp_queue.push_back(r); return true; } tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::createTables::processNext() { PolicyCompiler_pf *pf_comp = dynamic_cast(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElementSrc *src = rule->getSrc(); RuleElementDst *dst = rule->getDst(); if (!src->isAny()) 
pf_comp->tables->createTablesForRE(src, rule); if (!dst->isAny()) pf_comp->tables->createTablesForRE(dst, rule); tmp_queue.push_back(rule); return true; } bool PolicyCompiler_pf::printScrubRule::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; FWOptions* options=compiler->fw->getOptionsObject(); if (!init && options->getBool("pf_do_scrub")) { compiler->output << "#" << endl; compiler->output << "# Defragmentation" << endl; compiler->output << "#" << endl; compiler->output << "scrub in from any to any" << endl << endl; init=true; } tmp_queue.push_back(rule); return true; } void PolicyCompiler_pf::compile() { string banner = " Compiling " + fw->getName(); if (!getRuleSetName().empty()) banner += " ruleset " + getRuleSetName(); if (ipv6) banner += ", IPv6"; info(banner); Compiler::compile(); bool check_for_recursive_groups=true; if (fw->getOptionsObject()->getBool("check_shading") && ! inSingleRuleCompileMode()) { add(new Begin("Detecting rule shadowing")); add(new printTotalNumberOfRules()); add(new ItfNegation("process negation in Itf")); add(new InterfacePolicyRules( "process interface policy rules and store interface ids")); add(new recursiveGroupsInSrc("check for recursive groups in SRC")); add(new recursiveGroupsInDst("check for recursive groups in DST")); add(new recursiveGroupsInSrv("check for recursive groups in SRV")); check_for_recursive_groups=false; add(new ExpandGroups("expand groups")); add(new dropRuleWithEmptyRE("drop rules with empty rule elements")); add(new eliminateDuplicatesInSRC("eliminate duplicates in SRC")); add(new eliminateDuplicatesInDST("eliminate duplicates in DST")); add(new eliminateDuplicatesInSRV("eliminate duplicates in SRV")); add(new swapAddressTableObjectsInSrc( "AddressTable -> MultiAddressRunTime in Src")); add(new swapAddressTableObjectsInDst( "AddressTable -> MultiAddressRunTime in Dst")); add(new swapMultiAddressObjectsInSrc( "MultiAddress -> MultiAddressRunTime in Src")); add(new 
swapMultiAddressObjectsInDst( "MultiAddress -> MultiAddressRunTime in Dst")); add(new ExpandMultipleAddressesInSrc( "expand objects with multiple addresses in SRC")); add(new ExpandMultipleAddressesInDst( "expand objects with multiple addresses in DST")); add(new dropRuleWithEmptyRE( "drop rules with empty rule elements")); add(new ConvertToAtomic("convert to atomic rules")); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add(new setQuickFlag("set 'quick' flag")); add(new DetectShadowing("Detect shadowing")); add(new simplePrintProgress()); runRuleProcessors(); deleteRuleProcessors(); } add(new Begin()); add(new printTotalNumberOfRules()); add( new singleRuleFilter()); // add(new printScrubRule(" Defragmentation")); if (check_for_recursive_groups) { add(new recursiveGroupsInSrc("check for recursive groups in SRC")); add(new recursiveGroupsInDst("check for recursive groups in DST")); add(new recursiveGroupsInSrv("check for recursive groups in SRV")); } add(new emptyGroupsInSrc("check for empty groups in SRC")); add(new emptyGroupsInDst("check for empty groups in DST")); add(new emptyGroupsInSrv("check for empty groups in SRV")); // add(new doSrcNegation("process negation in Src")); // add(new doDstNegation("process negation in Dst")); add(new doSrvNegation("process negation in Srv")); if (fw->getOptionsObject()->getBool("preserve_group_names")) { add(new RegisterGroupsAndTablesInSrc( "register object groups and tables in Src")); add(new RegisterGroupsAndTablesInDst( "register object groups and tables in Dst")); } // ExpandGroups opens groups, as well as groups in groups etc. 
add(new ExpandGroups("expand groups")); add(new dropRuleWithEmptyRE("drop rules with empty rule elements")); add(new CheckForTCPEstablished( "check for TCPService objects with flag \"established\"")); add(new eliminateDuplicatesInSRC("eliminate duplicates in SRC")); add(new eliminateDuplicatesInDST("eliminate duplicates in DST")); add(new eliminateDuplicatesInSRV("eliminate duplicates in SRV")); add(new swapAddressTableObjectsInSrc( "AddressTable -> MultiAddressRunTime in Src")); add(new swapAddressTableObjectsInDst( "AddressTable -> MultiAddressRunTime in Dst")); add(new swapMultiAddressObjectsInSrc( "MultiAddress -> MultiAddressRunTime in Src")); add(new swapMultiAddressObjectsInDst( "MultiAddress -> MultiAddressRunTime in Dst")); add(new processMultiAddressObjectsInSrc( "process MultiAddress objects in Src")); add(new processMultiAddressObjectsInDst( "process MultiAddress objects in Dst")); add(new replaceFailoverInterfaceInItf("replace carp interfaces")); add(new expandGroupsInItf("expand groups in Interface")); add(new replaceClusterInterfaceInItf( "replace cluster interfaces with member interfaces in " "the Interface rule element")); add(new ItfNegation("process negation in Itf")); //add(new InterfacePolicyRules( // "process interface policy rules and store interface ids")); add(new splitIfFirewallInSrc("split rule if firewall is in Src")); add(new ReplaceFirewallObjectWithSelfInSrc( "Replace firewall object with 'self' in Src")); add(new splitIfFirewallInDst("split rule if firewall is in Dst")); add(new ReplaceFirewallObjectWithSelfInDst( "Replace firewall object with 'self' in Dst")); // call these again since "self" is a MultiAddress object add( new swapMultiAddressObjectsInSrc( " swap MultiAddress -> MultiAddressRunTime in Src")); add( new swapMultiAddressObjectsInDst( " swap MultiAddress -> MultiAddressRunTime in Dst")); add(new fillDirection("determine directions")); // commented out for bug #2828602 // ... 
and put back per #2844561 // both bug reports/patches are by Tom Judge (tomjudge on sourceforge) add( new SplitDirection("split rules with direction 'both'" )); add(new addLoopbackForRedirect( "add loopback to rules that permit redirected services")); add(new ExpandMultipleAddresses( "expand objects with multiple addresses")); add(new dropRuleWithEmptyRE("drop rules with empty rule elements")); add(new checkForDynamicInterfacesOfOtherObjects( "check for dynamic interfaces of other hosts and firewalls")); add(new MACFiltering("verify for MAC address filtering")); add(new checkForUnnumbered("check for unnumbered interfaces")); add(new addressRanges("expand address range objects")); add(new groupServicesByProtocol("split rules with different protocols")); add(new separateTCPWithFlags("separate TCP services with flags")); add(new separateSrcPort("split on TCP and UDP with source ports")); add(new separateTagged("split on TagService")); add(new separateTOS("split on IPService with TOS")); if (ipv6) add( new DropIPv4Rules("drop ipv4 rules")); else add( new DropIPv6Rules("drop ipv6 rules")); add(new verifyCustomServices("verify custom services for this platform")); // add(new ProcessScrubOption("process 'scrub' option")); add(new SpecialServices("check for special services")); add(new setQuickFlag("set 'quick' flag")); add(new checkForZeroAddr("check for zero addresses")); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add(new createTables("create tables")); // add(new PrintTables("print tables")); add(new PrintRule("generate pf code")); add(new simplePrintProgress()); runRuleProcessors(); } void PolicyCompiler_pf::epilog() { } /** * virtual method to let policy compiler check rules using * options specific for the given fw platform. Base class * PolicyCompiler has no visibility into platform-specific * options and can not do this. 
*/ bool PolicyCompiler_pf::checkForShadowingPlatformSpecific(PolicyRule *, PolicyRule *r2) { bool quick = r2->getBool("quick"); // if quick == false, the rule is non-terminating if (!quick) return false; return true; } PolicyCompiler_pf::~PolicyCompiler_pf() { // if (tables) tables->detach(); } fwbuilder-5.3.7/src/pflib/PolicyCompiler_pf.h000066400000000000000000000377211303637203600212010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __POLICYCOMPILER_PF_HH #define __POLICYCOMPILER_PF_HH #include #include "fwcompiler/PolicyCompiler.h" #include "NATCompiler_pf.h" #include "TableFactory.h" #include #include #include namespace libfwbuilder { class IPService; class ICMPService; class TCPService; class UDPService; class RuleElementSrc; class RuleElementDst; class RuleElementSrv; class IPv4; }; namespace fwcompiler { class PolicyCompiler_pf : public PolicyCompiler { protected: /** * virtual method to let policy compiler check rules using * options specific for the given fw platform. Base class * PolicyCompiler has no visibility into platform-specific * options and can not do this. 
*/ virtual bool checkForShadowingPlatformSpecific(libfwbuilder::PolicyRule *r1, libfwbuilder::PolicyRule *r2); /** * splits rule if one of the objects in Src * is firewall * itself. This is needed to properly choose direction * * later in filDirection */ DECLARE_POLICY_RULE_PROCESSOR(splitIfFirewallInSrc); /** * splits rule if one of the objects in Dst * is firewall * itself. This is needed to properly choose direction * * later in filDirection */ DECLARE_POLICY_RULE_PROCESSOR(splitIfFirewallInDst); /** * decides on direction if it is empty. */ DECLARE_POLICY_RULE_PROCESSOR(fillDirection); /** * split rules if direction is "Both" */ DECLARE_POLICY_RULE_PROCESSOR(SplitDirection); /** * Option "scrub" does not accept "quick" and therefore does not * stop matching sequence. We need to split rule onto two, the first * will be generated with action "scrub", while the second one with * action "pass" and option "quick" */ DECLARE_POLICY_RULE_PROCESSOR(ProcessScrubOption); /** * checks for the services which require * special treatment. * Some of these will be checking for * source or destination * object as well because special * command may need to be * generated in case source or * destination is a firewall * itself. Therefore this processor * should be called after * converting to atomic rules, but * before interface * addresses in source and destination are * expanded. */ DECLARE_POLICY_RULE_PROCESSOR(SpecialServices); /** * sets 'quick' flag on rules */ DECLARE_POLICY_RULE_PROCESSOR(setQuickFlag); /** * deals with negation in Src in policy rules. */ DECLARE_POLICY_RULE_PROCESSOR(doSrcNegation); /** * deals with negation in Dst in policy rules. */ DECLARE_POLICY_RULE_PROCESSOR(doDstNegation); /** * deals with negation in Srv in policy rules. 
* * NOT IMPLEMENTED */ DECLARE_POLICY_RULE_PROCESSOR(doSrvNegation); /** * Replace carp interface in the "Interface" rule element * with firewall's real interface */ class replaceFailoverInterfaceInItf : public replaceFailoverInterfaceInRE { public: replaceFailoverInterfaceInItf(const std::string &n) : replaceFailoverInterfaceInRE(n, libfwbuilder::RuleElementItf::TYPENAME) {} }; /** * like standard processor swapMultiAddressObjectsInRE, * but swaps compile-time address tables * * We need this because unlike on other platforms, we need to * generate code for compile-time AddressTables using their * object name (to name the table after that). This * substantially complicates things, we have to register * AddressTable objects with TableFactory and then replace * them with corresponding run time objects. This is unique * feature of the compiler for PF. */ class swapAddressTableObjectsInRE : public PolicyRuleProcessor { std::string re_type; public: swapAddressTableObjectsInRE(const std::string &name, const std::string &t) : PolicyRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; class swapAddressTableObjectsInSrc : public swapAddressTableObjectsInRE { public: swapAddressTableObjectsInSrc(const std::string &n) : swapAddressTableObjectsInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; class swapAddressTableObjectsInDst : public swapAddressTableObjectsInRE { public: swapAddressTableObjectsInDst(const std::string &n) : swapAddressTableObjectsInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * Split rule if MultiAddress object is used in RE to make * sure it is single object. Also check for the case where * MultiAddress object is used in combination with negation, * this case is not supported. NOTE: this restriction can be * removed if PF adds support for recursively defined tables * (tables as elements inside tables). 
*/ class processMultiAddressObjectsInRE : public PolicyRuleProcessor { std::string re_type; public: processMultiAddressObjectsInRE(const std::string &name, const std::string &t) : PolicyRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; class processMultiAddressObjectsInSrc : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInSrc(const std::string &n) : processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; class processMultiAddressObjectsInDst : public processMultiAddressObjectsInRE { public: processMultiAddressObjectsInDst(const std::string &n) : processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * This is to work around a "feature" specific to PF: If NAT * policy defines a redirect rule (a rule which sends packets * to the firewall itself, possibly changing port numbers), * then the packet appears on the same _ingress_ interface * twice. The first time it is inspected, it has an original * destination address, but the second time it has destination * address of 127.0.0.1. This address appears there because * our NAT compiler uses it for redirection rules. Our normal * ExpandMultipleAddresses processor replaces firewall object * with a set of addresses of all its interfaces, but skips * loopback interface. Rule processor addLoopbackForRedirect * consults with NATCompiler_pf to find out whether we have * any Redirect rules to accomodate for. In case we do, and * destination service in the current policy rule matches TSrv * in the redirect rule and destination contains the same * object that was in TDst in the NAT rule, it adds a new * policy rule with the same source, destination being a new * object used in TDst by the NAT compiler and the same * service. * * Caveat: as everywhere in compiler for PF, we assume rule * elements may contain multiple objects. 
*/ DECLARE_POLICY_RULE_PROCESSOR(addLoopbackForRedirect); friend class PolicyCompiler_pf::addLoopbackForRedirect; friend class checkForDynamicInterfacesOfOtherObjects; class checkForDynamicInterfacesOfOtherObjects : public PolicyRuleProcessor { void findDynamicInterfaces(libfwbuilder::RuleElement *re, libfwbuilder::Rule *rule); public: checkForDynamicInterfacesOfOtherObjects(const std::string &name) : PolicyRuleProcessor(name) {} virtual bool processNext(); }; /** * we can not put interface name in the table, so we need to * split the rule if src or dst contains both interface and * host or network objects. */ class splitIfInterfaceInRE : public PolicyRuleProcessor { std::string re_type; public: splitIfInterfaceInRE(const std::string &name, const std::string &t) : PolicyRuleProcessor(name) { re_type=t; } virtual bool processNext(); }; /** * we can not put interface name in the table, so we need to * split the rule if src contains both interface and host or * network objects. */ class splitIfInterfaceInSrc : public splitIfInterfaceInRE { public: splitIfInterfaceInSrc(const std::string &n) : splitIfInterfaceInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; /** * we can not put interface name in the table, so we need to * split the rule if dst contains both interface and host or * network objects. */ class splitIfInterfaceInDst : public splitIfInterfaceInRE { public: splitIfInterfaceInDst(const std::string &n) : splitIfInterfaceInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * this processor is only called if we are using tables. It * creates two tables for each rule: one for source and * another for destination. Processor PrintRule uses these * tables later. 
*/ class createTables : public PolicyRuleProcessor { void createTablesForRE(libfwbuilder::RuleElement *re, libfwbuilder::Rule *rule); public: createTables(const std::string &name) : PolicyRuleProcessor(name) { } virtual bool processNext(); }; friend class PolicyCompiler_pf::createTables; /** * eliminates duplicate objects in SRC. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInSRC : public eliminateDuplicatesInRE { public: eliminateDuplicatesInSRC(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementSrc::TYPENAME) {} }; /** * eliminates duplicate objects in DST. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInDST : public eliminateDuplicatesInRE { public: eliminateDuplicatesInDST(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {} }; /** * eliminates duplicate objects in SRV. Uses default comparison * in eliminateDuplicatesInRE which compares IDs */ class eliminateDuplicatesInSRV : public eliminateDuplicatesInRE { public: eliminateDuplicatesInSRV(const std::string &n) : eliminateDuplicatesInRE(n,libfwbuilder::RuleElementSrv::TYPENAME) {} }; class printScrubRule : public PolicyRuleProcessor { protected: bool init; public: printScrubRule(const std::string &name) : PolicyRuleProcessor(name) { init=false; } virtual bool processNext(); }; /** * this processor accumulates all rules fed to it by previous * processors, then prints commands for all tables, * then feeds all rules to the next processor. 
Usually this * processor is in chain right before PrintRules */ class PrintTables : public PolicyRuleProcessor { public: PrintTables(const std::string &n) : PolicyRuleProcessor(n) {} virtual bool processNext(); }; friend class PolicyCompiler_pf::PrintTables; /** * prints single policy rule, assuming all groups have been * expanded, so source, destination and service hold exactly * one object each, and this object is not a group. Negation * should also have been taken care of before this method is * called. */ class PrintRule : public PolicyRuleProcessor { protected: bool init; std::string current_rule_label; virtual void _printSrcService(libfwbuilder::RuleElement *o); virtual void _printDstService(libfwbuilder::RuleElement *o); virtual void _printProtocol(libfwbuilder::Service *srv); virtual std::string _printPort(int rs,int re,bool neg=false); virtual std::string _printSrcService(libfwbuilder::Service *srv,bool neg=false); virtual std::string _printDstService(libfwbuilder::Service *srv,bool neg=false); virtual std::string _printTCPFlags(libfwbuilder::TCPService *srv); virtual void _printAddrList(libfwbuilder::FWObject *o,bool negflag); virtual void _printSrcAddr(libfwbuilder::RuleElement *o); virtual void _printDstAddr(libfwbuilder::RuleElement *o); virtual void _printAddr(libfwbuilder::FWObject *o, bool neg=false); virtual void _printNegation(libfwbuilder::RuleElement *o); virtual void _printAction(libfwbuilder::PolicyRule *r); virtual void _printRouteOptions(libfwbuilder::PolicyRule *r); virtual void _printLogging(libfwbuilder::PolicyRule *r); virtual void _printDirection(libfwbuilder::PolicyRule *r); virtual void _printInterface(libfwbuilder::PolicyRule *r); virtual void _printAF(libfwbuilder::PolicyRule *r); virtual void _printLabel(libfwbuilder::PolicyRule *r); virtual void _printQueue(libfwbuilder::PolicyRule *r); virtual void _printUser(libfwbuilder::PolicyRule *r); virtual void _printTag(libfwbuilder::PolicyRule *r); virtual std::string 
_printLogPrefix(libfwbuilder::PolicyRule *r,const std::string &prefix); public: PrintRule(const std::string &name); virtual bool processNext(); }; friend class PolicyCompiler_pf::PrintRule; virtual std::string myPlatformName(); public: PolicyCompiler_pf(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf, const std::list *rri, TableFactory *tbf = NULL) : PolicyCompiler(_db, fw, ipv6_policy, _oscnf) { redirect_rules_info = rri; tables = tbf; } virtual ~PolicyCompiler_pf(); virtual int prolog(); virtual void compile(); virtual void epilog(); protected: TableFactory *tables; libfwbuilder::IPv4 *loopback_address; const std::list *redirect_rules_info; private: }; } #endif fwbuilder-5.3.7/src/pflib/PolicyCompiler_pf_writers.cpp000066400000000000000000001112371303637203600233060ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PolicyCompiler_pf.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/ICMP6Service.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/TagService.h" #include "fwbuilder/UserService.h" #include "fwbuilder/Policy.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/AttachedNetworks.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ void PolicyCompiler_pf::PrintRule::_printAction(PolicyRule *rule) { FWOptions *ruleopt = rule->getOptionsObject(); Service *srv = compiler->getFirstSrv(rule); assert(srv); string version = compiler->fw->getStr("version"); switch (rule->getAction()) { // case PolicyRule::Classify: #2367 // case PolicyRule::Route: #2367 case PolicyRule::Accept: case PolicyRule::Accounting: compiler->output << "pass "; break; case PolicyRule::Deny: compiler->output << "block "; break; case PolicyRule::Continue: if (XMLTools::version_compare(version, "4.6")>=0) { compiler->output << "match "; }else { compiler->output << "pass "; } break; case PolicyRule::Reject: { string aor = ruleopt->getStr("action_on_reject"); string code; if ( aor.find("ICMP")!=string::npos ) { code = "return-icmp "; if (aor.find("unreachable")!=string::npos ) { if (aor.find("net")!=string::npos) 
code = code + "( 0 ) "; if (aor.find("host")!=string::npos) code = code + "( 1 ) "; if (aor.find("protocol")!=string::npos) code = code + "( 2 ) "; if (aor.find("port")!=string::npos) code = code + "( 3 ) "; } if (aor.find("prohibited")!=string::npos ) { if (aor.find("net")!=string::npos) code = code + "( 9 ) "; if (aor.find("host")!=string::npos) code = code + "( 10 ) "; if (aor.find("filter")!=string::npos) code = code + "( 13 ) "; if (aor.find("admin")!=string::npos) code = code + "( 13 ) "; } } else { if ( aor.find("TCP")!=string::npos ) code = "return-rst "; else code = "return-icmp "; } compiler->output << "block " << code; break; } case PolicyRule::Scrub: { string version = compiler->fw->getStr("version"); if (XMLTools::version_compare(version, "4.7")>=0) { compiler->output << "match in all scrub "; } else { compiler->output << "scrub "; } break; } case PolicyRule::Custom: compiler->output << ruleopt->getStr("custom_str") << " "; break; case PolicyRule::Branch: { RuleSet *ruleset = rule->getBranch(); if (ruleset==NULL) { compiler->abort( rule, "Branching rule refers ruleset that does not exist"); // if we are in test mode or single-rule compile mode compiler->output << "anchor \"UNDEFINED\" "; }else { compiler->output << "anchor \"" << ruleset->getName() << "\" "; } break; } default: compiler->abort( rule, string("Unknown action ") + rule->getActionAsString()); } // #2367 // // if (rule->getTagging()) // { // if (XMLTools::version_compare(version, "4.6")>=0) // { // compiler->output << "match "; // }else // { // compiler->output << "pass "; // } // break; // } } void PolicyCompiler_pf::PrintRule::_printRouteOptions(PolicyRule *rule) { FWOptions *ruleopt =rule->getOptionsObject(); if (rule->getRouting()) { string prefix = "pf"; if (compiler->myPlatformName()=="ipf") prefix = "ipf"; string ro = ruleopt->getStr(prefix+"_route_option"); if (ruleopt->getBool("pf_fastroute") && ro != "none") { compiler->abort( rule, "Cannot use fastroute and route methods in " 
"the same rule because they are mutually " "exclusive."); } else if (ruleopt->getBool("pf_fastroute") && ro == "none") { compiler->output << "fastroute "; } else { string roif = ruleopt->getStr(prefix+"_route_opt_if"); string roaddr_list = ruleopt->getStr(prefix+"_route_opt_addr"); string roload = ruleopt->getStr("pf_route_load_option"); if (!ro.empty()) { if (roif.empty()) compiler->abort( rule, "Interface specification is required " "for action Route."); if (ro == "route_through") compiler->output << "route-to "; else if (ro == "route_reply_through") compiler->output << "reply-to "; else if (ro == "route_copy_through") compiler->output << "dup-to "; else compiler->abort( rule, "Unknown option for rule action Route: '" + ro + "'"); compiler->output << "{ "; int route_member = 0; std::istringstream buf(roaddr_list); string roaddr; while (std::getline(buf, roaddr, ',')) { if (!roaddr.empty()) { if (route_member > 0 ) { compiler->output << ", "; } compiler->output << "( "; compiler->output << roif << " "; compiler->output << roaddr << " "; compiler->output << ") "; std::string::size_type sp = roaddr.find('/'); if (sp!=std::string::npos) { // roaddr is addr/netmask try { string a = roaddr.substr(0,sp); InetAddr roaddr_addr = InetAddr(a); } catch (FWException &ex) { compiler->abort( rule, "Illegal IP address for next hop"); } try { InetAddr roaddr_netmask; string n = roaddr.substr(sp+1); if (n.find('.')!=std::string::npos) { roaddr_netmask = InetAddr(n); } else { roaddr_netmask = InetAddr( atoi(n.c_str())); } if (roaddr_netmask.getLength()==32) route_member++; else // lame way to tell compiler that // we actually have several addresses for // the next hop. We do not exactly care // how many there are, as long as it is // greater than 1. 
route_member += 2; } catch (FWException &ex) { compiler->abort( rule, "Illegal netmask for next hop"); } } else { // roaddr is just an addres try { InetAddr roaddr_addr = InetAddr(roaddr); } catch (FWException &ex) { compiler->abort( rule, "Illegal IP address for next hop"); } route_member++; } } } if (route_member < 1) { compiler->abort( rule, "No router specified rule action Route: '" + ro + "'"); } if (route_member >= 2 && (roload.empty() || roload == "none")) { compiler->abort( rule, "More than one router specified without load " "balancing for rule action Route: '" + ro + "'"); } if (route_member == 1 && ((!roload.empty()) && roload != "none")) { compiler->abort( rule, "Only one router specified with load balancing " "for rule action Route: '" + ro + "'"); } compiler->output << "} "; if (!roload.empty()) { if (roload == "bitmask") compiler->output << "bitmask "; else if (roload == "random") compiler->output << "random "; else if (roload == "source_hash") compiler->output << "source-hash "; else if (roload == "round_robin") compiler->output << "round-robin "; } } } } } void PolicyCompiler_pf::PrintRule::_printQueue(PolicyRule *rule) { FWOptions *ruleopt =rule->getOptionsObject(); if (rule->getClassification()) { compiler->output << "queue "; compiler->output << ruleopt->getStr("pf_classify_str") << " "; } } void PolicyCompiler_pf::PrintRule::_printUser(PolicyRule *rule) { RuleElementSrv *srvrel = rule->getSrv(); FWObject *o = srvrel->front(); if (o && FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *srv= Service::cast(o); if (!UserService::isA(srv)) return; ostringstream str; if (srvrel->size()==1) { str << "user "; if (srvrel->getNeg()) str << "!= "; str << UserService::constcast(srv)->getUserId() << " "; compiler->output << str.str() << " "; } else { int counter = 0; for (FWObject::iterator i=srvrel->begin(); i!=srvrel->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service 
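*s=Service::cast( o );
            assert(s);
            if (counter > 0) str << ",";
            str << " ";
            if (srvrel->getNeg()) str << "!= ";
            str << UserService::constcast(s)->getUserId();
            counter++;
        }
        if ( counter )
        {
            compiler->output << "user {" << str.str() << " } ";
        }
    }
}

/*
 * Emit "tag <value>" when the rule tags matching packets.
 * NOTE(review): the tag value is copied verbatim; pf.conf expects a single
 * word here, so a value containing whitespace or quotes would not parse.
 */
void PolicyCompiler_pf::PrintRule::_printTag(PolicyRule *rule)
{
    if (rule->getTagging())
        compiler->output << "tag " << rule->getTagValue() << " ";
}

/*
 * Emit the "in" / "out" keyword.  Rules with direction "Both" are split
 * by the SplitDirection processor earlier in the chain; any other
 * direction value prints nothing.
 */
void PolicyCompiler_pf::PrintRule::_printDirection(PolicyRule *rule)
{
    if (rule->getDirection()==PolicyRule::Outbound) compiler->output << "out ";
    if (rule->getDirection()==PolicyRule::Inbound)  compiler->output << "in ";
}

/*
 * Emit " log " for rules that log.  Branch (anchor) rules are skipped.
 */
void PolicyCompiler_pf::PrintRule::_printLogging(PolicyRule *rule)
{
    if (rule->getAction() != PolicyRule::Branch && rule->getLogging())
        compiler->output << " log ";
}

/*
 * Emit a "label" for the rule from the rule's own log_prefix option or,
 * when that is empty, from the firewall-wide option.  The label text is
 * produced by _printLogPrefix, which also quotes and escapes it.
 */
void PolicyCompiler_pf::PrintRule::_printLabel(PolicyRule *rule)
{
    FWOptions *ruleopt = rule->getOptionsObject();
    string s = ruleopt->getStr("log_prefix");
    if (s.empty()) s = compiler->getCachedFwOpt()->getStr("log_prefix");
    if (!s.empty())
        compiler->output << " label " << _printLogPrefix(rule,s) << " ";
}

/*
 * Escape text for use inside a double-quoted pf.conf string.
 *
 * The label text comes from the user-editable "log_prefix" option and
 * from object names substituted for %I.  Without escaping, a '"' in
 * either ends the string early and the remainder of the option is parsed
 * as pf.conf syntax; a '\' right before the closing quote hides the
 * closing quote.  pfctl accepts a backslash-escaped quote inside a quoted
 * string; backslashes are doubled as well so the label can never end in
 * a lone '\'.
 */
static string escapeForPfQuotedString(const string &text)
{
    string out;
    out.reserve(text.size());
    for (string::size_type i = 0; i < text.size(); ++i)
    {
        const char c = text[i];
        if (c == '"' || c == '\\') out += '\\';
        out += c;
    }
    return out;
}

/*
 * Expand the logging macros in a log prefix and return it as a quoted
 * pf.conf string (with a trailing space), for use after "label":
 *   %N - rule number (position in the rule set)
 *   %A - action name: ACCEPT / DROP / REJECT / RETURN, empty for others
 *   %I - interface name(s) of the rule, "global" when the rule has none
 *   %C - chain name; always empty, there is no chain in PF and friends
 * Only the first occurrence of each macro is replaced, and only when
 * rule is non-NULL.  The expanded text is escaped so that neither the
 * prefix nor a substituted object name can terminate the quoted string.
 */
string PolicyCompiler_pf::PrintRule::_printLogPrefix(PolicyRule *rule,
                                                     const string &prefix)
{
    string s = prefix;
    string::size_type n;

    if (rule && (n=s.find("%N"))!=string::npos )
    {
        std::ostringstream s1;
        s1 << rule->getPosition();
        s.replace(n,2,s1.str());
    }

    if (rule && (n=s.find("%A"))!=string::npos )
    {
        string action_name;
        switch (rule->getAction())
        {
        case PolicyRule::Accept: action_name = "ACCEPT"; break;
        case PolicyRule::Deny:   action_name = "DROP";   break;
        case PolicyRule::Reject: action_name = "REJECT"; break;
        case PolicyRule::Return: action_name = "RETURN"; break;
        default: break;
        }
        s.replace(n,2,action_name);
    }

    if (rule && (n=s.find("%I"))!=string::npos )
    {
        RuleElementItf *intf_re = rule->getItf();
        string rule_interfaces;
        if (!intf_re->isAny())
        {
            for (FWObject::iterator it=intf_re->begin();
                 it!=intf_re->end(); ++it)
            {
                FWObject *o = FWObjectReference::getObject(*it);
                rule_interfaces += " " + o->getName();
            }
        }
        if (!rule_interfaces.empty()) s.replace(n, 2, rule_interfaces);
        else s.replace(n, 2, "global");
    }

    if (rule && (n=s.find("%C"))!=string::npos )
    {
        s.replace(n,2,"");   // there is no chain in PF and friends
    }

    return "\"" + escapeForPfQuotedString(s) + "\" ";
}

/*
 * Emit "on <ifname>" or "on { if1 if2 ... }" for the interfaces in the
 * rule's Interface element; nothing when it is "any".  Interface names
 * are written as-is: pf.conf does not quote interface names, so a name
 * that is not a plain word would not parse.
 */
void PolicyCompiler_pf::PrintRule::_printInterface(PolicyRule *rule)
{
    RuleElementItf *intf_re = rule->getItf();
    if (intf_re->isAny()) return;

    QStringList names;
    for (FWObject::iterator it=intf_re->begin(); it!=intf_re->end(); ++it)
    {
        FWObject *o = FWObjectReference::getObject(*it);
        names << o->getName().c_str();
    }
    if (names.size() > 1)
    {
        names.push_front("{");
        names.push_back("}");
    }
    compiler->output << "on " << names.join(" ").toStdString() << " ";
}

// print address family ("inet" / "inet6"), taken from the compiler's
// ipv6 flag rather than from the rule
void PolicyCompiler_pf::PrintRule::_printAF(PolicyRule*)
{
    PolicyCompiler_pf *pf_comp = dynamic_cast<PolicyCompiler_pf*>(compiler);
    assert(pf_comp!=NULL);
    compiler->output << (pf_comp->ipv6 ? "inet6 " : "inet ");
}

/*
 * Emit "proto <name>" for the service, except for services that have no
 * protocol of their own (any, ip, TagService, UserService) and for
 * CustomService objects whose code already carries a "proto" clause or
 * whose protocol name is "any".
 */
void PolicyCompiler_pf::PrintRule::_printProtocol(Service *srv)
{
    // CustomService returns protocol name starting with v3.0.4
    // However CustomService can return protocol name "any", which we should
    // just skip.
    if (CustomService::isA(srv))
    {
        // check if the code string for this custom service already includes
        // "proto ..." 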
fragment string code = CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName()); std::size_t minus_p = code.find("proto "); if (minus_p != string::npos) return; string pn = srv->getProtocolName(); if (pn == "any") return; } if (!srv->isAny() && !TagService::isA(srv) && !UserService::isA(srv) && srv->getProtocolName()!="ip") { compiler->output << "proto "; compiler->output << srv->getProtocolName(); compiler->output << " "; } } string PolicyCompiler_pf::PrintRule::_printPort(int rs,int re,bool neg) { ostringstream str; if (rs<0) rs=0; if (re<0) re=0; if (!neg) { if (rs>0 || re>0) { if (rs>re && re==0) re=rs; if (rs==re) str << rs; // TODO: do we need '=' here ? else if (rs==0 && re!=0) str << "<= " << re; else if (rs!=0 && re==65535) str << ">= " << rs; else { /* * port range. Operator '><' defines range in a such way that boundaries * are not included. Since we assume it is inclusive, let's move boundaries */ if (rs>0 ) rs--; if (re<65535) re++; str << rs << " >< " << re; } } } else { if (rs>0 || re>0) { if (rs==re) str << "!= " << rs; else if (rs==0 && re!=0) str << "> " << re; else if (rs!=0 && re==65535) str << "< " << rs; else { str << rs << " <> " << re; } } } return str.str(); } /* * we made sure that all services in rel represent the same protocol. */ void PolicyCompiler_pf::PrintRule::_printSrcService(RuleElement *rel) { /* I do not want to use rel->getFirst because it traverses the tree to * find the object. I'd rather use a cached copy in the compiler */ FWObject *o=rel->front(); if (o && FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *srv= Service::cast(o); string prefix = ""; if (UDPService::isA(srv) || TCPService::isA(srv)) prefix = "port "; if (rel->size()==1) { if (UDPService::isA(srv) || TCPService::isA(srv)) { string str=_printSrcService( srv , rel->getNeg()); if (! 
str.empty() ) compiler->output << prefix << str << " "; } } else { string str; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s = Service::cast( o ); assert(s); string str1; if (UDPService::isA(srv) || TCPService::isA(srv)) str1 = _printSrcService(s , rel->getNeg() ); if (! str.empty() && ! str1.empty() ) str = str + ", "; str = str + str1; } if ( !str.empty() ) compiler->output << prefix << "{ " << str << "} "; } } string PolicyCompiler_pf::PrintRule::_printSrcService(Service *srv, bool neg) { ostringstream str; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs=TCPUDPService::cast(srv)->getSrcRangeStart(); int re=TCPUDPService::cast(srv)->getSrcRangeEnd(); str << _printPort(rs,re,neg); } return str.str(); } void PolicyCompiler_pf::PrintRule::_printDstService(RuleElement *rel) { FWObject *o=rel->front(); if (o && FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *srv= Service::cast(o); if (rel->size()==1) { string str=_printDstService( srv , rel->getNeg()); if ( ! 
str.empty() ) { if (UDPService::isA(srv) || TCPService::isA(srv)) compiler->output << "port " << str << " "; else { if (ICMPService::isA(srv)) compiler->output << "icmp-type " << str << " "; else if (ICMP6Service::isA(srv)) compiler->output << "icmp6-type " << str << " "; else compiler->output << str << " "; } } if (TCPService::isA(srv)) { str=_printTCPFlags(TCPService::cast(srv)); if (!str.empty()) compiler->output << "flags " << str << " "; } if (IPService::isA(srv)) { if (srv->getBool("fragm") || srv->getBool("short_fragm")) compiler->output << " fragment "; const IPService *ip = IPService::constcast(srv); string tos = ip->getTOSCode(); string dscp = ip->getDSCPCode(); if (!tos.empty()) compiler->output << " tos " << tos << " "; if (!dscp.empty()) compiler->abort( rel->getParent(), "PF does not support DSCP matching"); } } else { string str; for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++) { FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Service *s=Service::cast( o ); assert(s); string str1= _printDstService(s , rel->getNeg() ); if (! str.empty() && ! 
str1.empty() ) str = str + ", "; str = str + str1; } if ( !str.empty() ) { if (UDPService::isA(srv) || TCPService::isA(srv)) compiler->output << "port { " << str << " } "; else { if (ICMPService::isA(srv)) compiler->output << "icmp-type { " << str << " } "; else { if (ICMP6Service::isA(srv)) compiler->output << "icmp6-type { " << str << " } "; else compiler->output << str << " " << endl; } } } } } string PolicyCompiler_pf::PrintRule::_printDstService(Service *srv, bool neg) { ostringstream str; if (TCPService::isA(srv) || UDPService::isA(srv)) { int rs=TCPUDPService::cast(srv)->getDstRangeStart(); int re=TCPUDPService::cast(srv)->getDstRangeEnd(); str << _printPort(rs,re,neg); } if (ICMPService::isA(srv) && srv->getInt("type")!=-1) { str << srv->getStr("type") << " "; if (srv->getInt("code")!=-1) str << "code " << srv->getStr("code") << " "; } if (CustomService::isA(srv)) { str << CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName() ) << " "; } if (TagService::isA(srv)) { str << "tagged " << TagService::constcast(srv)->getCode() << " "; } return str.str(); } string PolicyCompiler_pf::PrintRule::_printTCPFlags(libfwbuilder::TCPService *srv) { string str; if (srv->inspectFlags()) { if (srv->getTCPFlag(TCPService::URG)) str+="U"; if (srv->getTCPFlag(TCPService::ACK)) str+="A"; if (srv->getTCPFlag(TCPService::PSH)) str+="P"; if (srv->getTCPFlag(TCPService::RST)) str+="R"; if (srv->getTCPFlag(TCPService::SYN)) str+="S"; if (srv->getTCPFlag(TCPService::FIN)) str+="F"; str+="/"; if (srv->getTCPFlagMask(TCPService::URG)) str+="U"; if (srv->getTCPFlagMask(TCPService::ACK)) str+="A"; if (srv->getTCPFlagMask(TCPService::PSH)) str+="P"; if (srv->getTCPFlagMask(TCPService::RST)) str+="R"; if (srv->getTCPFlagMask(TCPService::SYN)) str+="S"; if (srv->getTCPFlagMask(TCPService::FIN)) str+="F"; } return str; } void PolicyCompiler_pf::PrintRule::_printAddr(FWObject *o, bool ) { MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL) { if 
(atrt->getSubstitutionTypeName()==DNSName::TYPENAME) { compiler->output << atrt->getSourceName() << " "; return; } if (atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) { compiler->output << "<" << o->getName() << "> "; return; } if (atrt->getSubstitutionTypeName()==AttachedNetworks::TYPENAME) { compiler->output << atrt->getSourceName() << ":network "; return ; } assert(atrt==NULL); } if (o->getBool("pf_table")) { compiler->output << "<" << o->getName() << "> "; return; } Address *addr_obj = Address::cast(o); assert(addr_obj!=NULL); const InetAddr *addr = addr_obj->getAddressPtr(); InetAddr mask; if (Interface::cast(o)!=NULL) { Interface *interface_=Interface::cast(o); if (interface_->isDyn()) { compiler->output << "(" << interface_->getName() << ") "; return; } mask = InetAddr(InetAddr::getAllOnes()); } else { mask = *(addr_obj->getNetmaskPtr()); } if (addr_obj->dimension()==1) { mask = InetAddr(InetAddr::getAllOnes()); } if (addr->isAny() && mask.isAny()) { compiler->output << "any "; } else { // if (neg) compiler->output << "! 
"; compiler->output << addr->toString(); if (!mask.isHostMask()) { compiler->output << "/" << mask.getLength(); } compiler->output << " "; } } void PolicyCompiler_pf::PrintRule::_printAddrList(FWObject *grp,bool negflag) { compiler->output << "{ "; for (FWObject::iterator i=grp->begin(); i!=grp->end(); i++) { if (i!=grp->begin()) compiler->output << ", "; FWObject *o= *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); _printAddr(o , negflag); } compiler->output << "} "; } void PolicyCompiler_pf::PrintRule::_printSrcAddr(RuleElement *rel) { FWObject *o=rel->front(); FWReference *oref = FWReference::cast(o); if (o && oref!=NULL) o=oref->getPointer(); _printNegation(rel); if (o==NULL) { PolicyRule *rule = PolicyRule::cast(rel->getParent()); ostringstream errstr; errstr << "Broken rule element " << rel->getTypeName() << " in rule '" << rule->getLabel() << "' rel->front(): " << oref->getPointerId(); compiler->abort(rel->getParent(), errstr.str()); } if (rel->size()==1) { _printAddr(o, rel->getNeg() ); } else { _printAddrList(rel,rel->getNeg()); } } void PolicyCompiler_pf::PrintRule::_printDstAddr(RuleElement *rel) { FWObject *o=rel->front(); FWReference *oref = FWReference::cast(o); if (o && oref!=NULL) o=oref->getPointer(); _printNegation(rel); if (o==NULL) { PolicyRule *rule = PolicyRule::cast(rel->getParent()); ostringstream errstr; errstr << "Broken rule element " << rel->getTypeName() << " in rule '" << rule->getLabel() << "' rel->front(): " << oref->getPointerId(); compiler->abort(rel->getParent(), errstr.str()); } if (rel->size()==1) { _printAddr(o, rel->getNeg()); } else { _printAddrList(rel, rel->getNeg()); } } void PolicyCompiler_pf::PrintRule::_printNegation(libfwbuilder::RuleElement *rel) { if (rel->getNeg()) compiler->output << "! 
"; } PolicyCompiler_pf::PrintRule::PrintRule(const std::string &name) : PolicyRuleProcessor(name) { init=true; } bool PolicyCompiler_pf::PrintRule::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; FWOptions *ruleopt = rule->getOptionsObject(); string version = compiler->fw->getStr("version"); tmp_queue.push_back(rule); compiler->output << compiler->printComment(rule, current_rule_label, "#"); RuleElementSrc *srcrel=rule->getSrc(); // Address *src =compiler->getFirstSrc(rule); assert(src); RuleElementDst *dstrel=rule->getDst(); // Address *dst =compiler->getFirstDst(rule); assert(dst); RuleElementSrv *srvrel=rule->getSrv(); Service *srv =compiler->getFirstSrv(rule); assert(srv); _printAction(rule); _printDirection(rule); _printLogging(rule); if ( rule->getBool("quick") ) compiler->output << " quick "; _printInterface(rule); if (XMLTools::version_compare(version, "4.7")<0) _printRouteOptions(rule); _printAF(rule); _printProtocol(srv); // cerr << "CP 2" << endl; compiler->output << " from "; _printSrcAddr(srcrel); _printSrcService(srvrel); compiler->output << " to "; _printDstAddr(dstrel); _printDstService(srvrel); _printTag(rule); _printUser(rule); /* * Dealing with "keep state" and "modulate state" flags * * 1. both flags do not apply to deny/reject rules. * * 2. modulate state applies only to TCP services. Since we use * groupServicesByProtocol, all services in a rule are of the same * protocol, therefore we can simply check type of srv */ if ( ! ruleopt->getBool("stateless") ) { TCPService *tcpsrv=TCPService::cast(srv); if (tcpsrv!=NULL && ! 
tcpsrv->inspectFlags() ) { // tcp service, no special flag match // if ( version == "4.x") if (XMLTools::version_compare(version, "4.0")>=0) { if (compiler->getCachedFwOpt()->getBool( "accept_new_tcp_with_no_syn") ) // v4.x, accept connections opened prior to restart compiler->output << "flags any "; // else - no 'flags' option since in 4.x // 'flags S/SA' is the default if (ruleopt->getBool("pf_keep_state") ) compiler->output << "keep state "; } else { // v3.x if ( compiler->getCachedFwOpt()->getBool( "accept_new_tcp_with_no_syn") ) { // no 'flags ' option needed ; } else // v3.x, stateful compiler->output << "flags S/SA "; } } /* * in PF "modulate state", "synproxy state", "keep state" are * mutually exclusive "keep state" can be used with any * protocol, while "modulate state" and "synproxy state" can * only be used with tcp. */ bool have_state_option = false; /* * First, set explicit state tracking parameter, then add * stateful tracking options. */ if (ruleopt->getBool("pf_synproxy") && tcpsrv!=NULL) { compiler->output << "synproxy state "; have_state_option = true; } else { if ((ruleopt->getBool("pf_modulate_state") || compiler->getCachedFwOpt()->getBool("pf_modulate_state")) && tcpsrv!=NULL) { compiler->output << "modulate state "; have_state_option = true; } else { /* * "flags S/SA keep state" is implicit in 4.x * However see section "1.2. Operational changes" in * http://www.openbsd.org/faq/upgrade41.html * * Quote: * * In particular care should be taken with the enc0 * interface, as floating states are a potential problem * for filtering IPsec traffic: states need to be * interface bound, to avoid permitting unencrypted * traffic should isakmpd(8) exit. Therefore all rules on * the enc0 interface should explicitly set keep state * (if-bound). * * This seems to imply that even though "keep state" is * the default, it should be explicitly used with enc0 * interface. Adding rule option "Set 'keep state' * explicitly" to cope with this. 
*/ if (XMLTools::version_compare(version, "4.0") < 0 || compiler->getCachedFwOpt()->getBool("pf_keep_state")) { compiler->output << "keep state "; have_state_option = true; } } } /* * Stateful tracking options. According to the pf.conf manual, * one of keep state, modulate state, or synproxy state must * be specified explicitly to apply these options to a rule. * Using flags need_state_option and have_state_option for that. */ QStringList options; bool need_state_option = false; if (ruleopt->getInt("pf_rule_max_state")>0) { options.push_back(QString("max %1").arg(ruleopt->getInt("pf_rule_max_state"))); need_state_option = true; } if (ruleopt->getBool("pf_sloppy_tracker")) { options.push_back("sloppy"); need_state_option = true; } if (ruleopt->getBool("pf_no_sync")) { options.push_back("no-sync"); need_state_option = true; } if (ruleopt->getBool("pf_pflow")) { options.push_back("pflow"); need_state_option = true; } if (ruleopt->getBool("pf_source_tracking")) { if (ruleopt->getInt("pf_max_src_nodes") > 0) { options.push_back(QString("max-src-nodes %1").arg( ruleopt->getInt("pf_max_src_nodes"))); need_state_option = true; } if (ruleopt->getInt("pf_max_src_states")>0) { options.push_back(QString("max-src-states %1").arg( ruleopt->getInt("pf_max_src_states"))); need_state_option = true; } } bool check_overload_opts = false; if (ruleopt->getInt("pf_max_src_conn")>0) { options.push_back(QString("max-src-conn %1").arg( ruleopt->getInt("pf_max_src_conn"))); check_overload_opts = true; need_state_option = true; } if (ruleopt->getInt("pf_max_src_conn_rate_num")>0 && ruleopt->getInt("pf_max_src_conn_rate_seconds")>0) { options.push_back(QString("max-src-conn-rate %1/%2") .arg(ruleopt->getInt("pf_max_src_conn_rate_num")) .arg(ruleopt->getInt("pf_max_src_conn_rate_seconds"))); check_overload_opts = true; need_state_option = true; } if (check_overload_opts) { QStringList overload_opts; if (ruleopt->getStr("pf_max_src_conn_overload_table")!="") overload_opts.push_back( 
QString("overload <%1>").arg( ruleopt->getStr("pf_max_src_conn_overload_table").c_str())); if (ruleopt->getBool("pf_max_src_conn_flush")) overload_opts.push_back("flush"); if (ruleopt->getBool("pf_max_src_conn_global")) overload_opts.push_back("global"); if (overload_opts.size() > 0) options.push_back(overload_opts.join(" ")); } if (need_state_option && !have_state_option) { compiler->output << "keep state "; } // looks like pf.conf syntax requires '(' ')' even if there is // only one option if (options.size() > 0) compiler->output << "( "; compiler->output << options.join(", ").toStdString(); if (options.size() > 0) compiler->output << " )"; } else { // stateless rule if (XMLTools::version_compare(version, "4.0")>=0) { // v4.x, stateless rule compiler->output << "no state "; } } if (rule->getBool("allow_opts")) compiler->output << "allow-opts "; _printQueue(rule); _printLabel(rule); if (XMLTools::version_compare(version, "4.7")>=0) _printRouteOptions(rule); compiler->output << endl; return true; } bool PolicyCompiler_pf::PrintTables::processNext() { PolicyCompiler_pf *pf_comp=dynamic_cast(compiler); slurp(); if (tmp_queue.size()==0) return false; /* print tables */ compiler->output << pf_comp->tables->PrintTables(); return true; } fwbuilder-5.3.7/src/pflib/Preprocessor_pf.cpp000066400000000000000000000024761303637203600212670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "Preprocessor_pf.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/AttachedNetworks.h" using namespace libfwbuilder; using namespace fwcompiler; using namespace std; void Preprocessor_pf::convertObject(FWObject *obj) { // do not convert attachedNetworks object, compiler for PF always // treats it as run-time object if ( AttachedNetworks::isA(obj)) AttachedNetworks::cast(obj)->setRunTime(true); else Preprocessor::convertObject(obj); } fwbuilder-5.3.7/src/pflib/Preprocessor_pf.h000066400000000000000000000026401303637203600207250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2006 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __PREPROCESSOR_PF_HH #define __PREPROCESSOR_PF_HH #include #include "fwcompiler/Preprocessor.h" namespace libfwbuilder { class FWObjectDatabase; }; namespace fwcompiler { class Preprocessor_pf : public Preprocessor { public: Preprocessor_pf(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy) : Preprocessor(_db, fw, ipv6_policy) { } virtual void convertObject(libfwbuilder::FWObject *obj); }; } #endif fwbuilder-5.3.7/src/pflib/RoutingCompiler_freebsd.cpp000066400000000000000000000073451303637203600227300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RoutingCompiler_freebsd.h" #include "fwbuilder/Firewall.h" using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** * Need to reimplement this function even though it looks exactly the same * as the one in RoutingCompiler_openbsd. 
The difference is that it picks up * class RoutingCompiler_freebsd::PrintRule * */ void RoutingCompiler_freebsd::compile() { string banner = " Compiling routing rules for " + fw->getName(); info(banner); Compiler::compile(); //bool check_for_recursive_groups=true; add(new RoutingCompiler::Begin()); add(new printTotalNumberOfRules()); add( new singleRuleFilter()); add(new recursiveGroupsInRDst("Check for recursive Groups in RDst")); add(new emptyGroupsInRDst("Check for empty Groups in RDst")); add(new emptyRDstAndRItf("Check if RDst and RItf are both empty")); add(new singleAdressInRGtw( "Check if RGtw object has exactly one IP adress")); add(new rItfChildOfFw("Check if RItf is an Iterface of this firewall")); add(new interfaceOrGateway( "Check that the rule has either gw or interface but not both")); add(new validateNetwork("Validate network addresses")); add(new reachableAddressInRGtw( "Check if RGtw is reachable via local networks")); add(new contradictionRGtwAndRItf( "Check if RGtw is in a network of RItf")); add(new ExpandGroups("Expand groups in DST")); add(new ExpandMultipleAddresses( "Expand objects with multiple addresses in DST")); add(new addressRangesInDst("process address ranges")); //add(new eliminateDuplicatesInDST("Eliminate duplicates in DST")); add(new FindDefaultRoute("Find rules that install default route")); #ifdef ECMP_SUPPORT_OLD_STYLE add(new createSortedDstIdsLabel( "Create label with a sorted dst-id-list for 'competingRules'")); add(new competingRules("Check for competing rules")); #endif add(new ConvertToAtomicForDST( "Convert to atomic rules by dst address elements")); add(new sameDestinationDifferentGateways( "detect rules with the same destination but different gateways. 
We do not " "support ECMP at this time")); // add(new createSortedDstIdsLabel( // "Create label with a sorted dst-id-list for 'classifyRoutingRules'")); // add(new classifyRoutingRules( // "Classify into single path or part of a multi path rule")); add(new optimize3( "Eliminate duplicate rules generated from a single gui-rule")); add(new eliminateDuplicateRules( "Eliminate duplicate rules over the whole table")); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add(printRule=new PrintRule("generate ip code")); add(new simplePrintProgress()); runRuleProcessors(); } fwbuilder-5.3.7/src/pflib/RoutingCompiler_freebsd.h000066400000000000000000000052741303637203600223740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ROUTINGCOMPILER_FREEBSD_HH__ #define __ROUTINGCOMPILER_FREEBSD_HH__ #include #include "RoutingCompiler_openbsd.h" #include "fwbuilder/RuleElement.h" #include "config.h" #include #include namespace libfwbuilder { class RuleElementRDst; class RuleElementRItf; class RuleElementRGtw; }; namespace fwcompiler { class RoutingCompiler_freebsd : public RoutingCompiler_openbsd { int routing_rule_counter; QMap routing_rules_ids; QString getNextStaticRouteID(); protected: /** * prints single policy rule, assuming all groups have been * expanded, destination holds exactly one object, and this * object is not a group. Negation should also have been taken * care of before this method is called. * * This processor is not necessarily the last in the * conveyor, so it should push rules back to tmp_queue (for * example there could be progress indicator processor after * this one) */ class PrintRule : public RoutingCompiler_openbsd::PrintRule { public: PrintRule(const std::string &name); virtual bool processNext(); virtual std::string RoutingRuleToString(libfwbuilder::RoutingRule *r, bool add_decorations=true); }; friend class RoutingCompiler_freebsd::PrintRule; public: RoutingCompiler_freebsd(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : RoutingCompiler_openbsd(_db, fw, ipv6_policy, _oscnf) { routing_rule_counter = 0; } virtual void compile(); }; } #endif fwbuilder-5.3.7/src/pflib/RoutingCompiler_freebsd_writers.cpp000066400000000000000000000112301303637203600244730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RoutingCompiler_freebsd.h" #include "Configlet.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Network.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ QString RoutingCompiler_freebsd::getNextStaticRouteID() { return QString("route_%1").arg(routing_rule_counter++); } RoutingCompiler_freebsd::PrintRule::PrintRule(const std::string &name) : RoutingCompiler_openbsd::PrintRule(name) { } bool RoutingCompiler_freebsd::PrintRule::processNext() { RoutingCompiler_freebsd* routing_comp = dynamic_cast(compiler); FWOptions* options = compiler->fw->getOptionsObject(); if (options->getBool("generate_rc_conf_file")) { slurp(); if (tmp_queue.size()==0) return false; QStringList rule_ids; for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) { RoutingRule *rule = RoutingRule::cast( *k ); QString routing_id = routing_comp->getNextStaticRouteID(); rule_ids << routing_id; 
routing_comp->routing_rules_ids[rule->getId()] = routing_id; //rule_ids << FWObjectDatabase::getStringId(rule->getId()).c_str(); } if (rule_ids.size() > 0) { compiler->output << QString("static_routes=\"%1\"") .arg(rule_ids.join(" ")).toStdString() << endl; } for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) { RoutingRule *rule = RoutingRule::cast( *k ); compiler->output << RoutingRuleToString(rule) << endl; } return true; } else return RoutingCompiler_openbsd::PrintRule::processNext(); } string RoutingCompiler_freebsd::PrintRule::RoutingRuleToString(RoutingRule *rule, bool add_decorations) { RoutingCompiler_freebsd* routing_comp = dynamic_cast(compiler); FWOptions* options = compiler->fw->getOptionsObject(); if (options->getBool("generate_rc_conf_file")) { RuleElementRDst *dstrel = rule->getRDst(); Address *dst = Address::cast(FWReference::getObject(dstrel->front())); RuleElementRItf *itfrel = rule->getRItf(); Interface *itf = Interface::cast(FWReference::getObject(itfrel->front())); RuleElementRGtw *gtwrel = rule->getRGtw(); Address *gtw = Address::cast(FWReference::getObject(gtwrel->front())); if(dst==NULL) compiler->abort(rule, "Broken DST"); QStringList command_line; if (gtwrel->isAny() && itf != NULL) command_line << "-interface"; command_line << _printRDst(rule).c_str(); if (gtw != NULL) command_line << _printRGtw(rule).c_str(); if (itf != NULL) command_line << _printRItf(rule).c_str(); QString rule_code = command_line.join(" "); if (add_decorations) { rule_code = QString("route_%1=\"%2\"") .arg(routing_comp->routing_rules_ids[rule->getId()]) .arg(rule_code); } return rule_code.toUtf8().constData(); } else return RoutingCompiler_openbsd::PrintRule::RoutingRuleToString( rule, add_decorations); } fwbuilder-5.3.7/src/pflib/RoutingCompiler_openbsd.cpp000066400000000000000000000177231303637203600227510ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free 
software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RoutingCompiler_openbsd.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Network.h" #include #include #include #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; static std::map tmp_chain_no; string RoutingCompiler_openbsd::myPlatformName() { return "pf"; } void RoutingCompiler_openbsd::verifyOS() { QStringList supported_os = QString( Resources::platform_res[fw->getStr("platform")]-> getResourceStr("/FWBuilderResources/Target/supported_os").c_str()) .split(","); QString host_os = fw->getStr("host_OS").c_str(); if (!supported_os.contains(host_os)) abort("Unsupported host OS " + host_os.toStdString()); } int RoutingCompiler_openbsd::prolog() { int n = RoutingCompiler::prolog(); verifyOS(); return n; } bool RoutingCompiler_openbsd::addressRangesInDst::processNext() { RoutingRule *rule; rule=getNext(); if (rule==NULL) return false; RuleElementRDst *dstrel = rule->getRDst(); compiler->_expandAddressRanges(rule, dstrel); tmp_queue.push_back(rule); return true; } bool RoutingCompiler_openbsd::FindDefaultRoute::processNext() { 
RoutingCompiler_openbsd *bsd_comp = dynamic_cast(compiler); RoutingRule *rule; rule=getNext(); if (rule==NULL) return false; RuleElementRDst *dstrel = rule->getRDst(); FWObject *ref = dstrel->front(); Address *dst = Address::cast(FWReference::cast(ref)->getPointer()); if (dst->isAny()) bsd_comp->have_default_route = true; tmp_queue.push_back(rule); return true; } /* * this processor eliminates duplicate routing rules, generated from the same * rule in the GUI */ bool RoutingCompiler_openbsd::optimize3::processNext() { RoutingCompiler_openbsd *bsd_comp = dynamic_cast(compiler); RoutingRule *rule = getNext(); if (rule==NULL) return false; if (rule->isFallback() || rule->isHidden()) { tmp_queue.push_back(rule); return true; } assert (bsd_comp->printRule!=NULL); string thisRule = rule->getLabel() + " " + bsd_comp->printRule->RoutingRuleToString(rule, false); if (rules_seen_so_far.count(thisRule)!=0) return true; tmp_queue.push_back(rule); rules_seen_so_far[thisRule] = true; return true; } /* * this processor eliminates duplicate atomic routing rules in one routing table */ bool RoutingCompiler_openbsd::eliminateDuplicateRules::processNext() { RoutingCompiler_openbsd *bsd_comp = dynamic_cast(compiler); RoutingRule *rule = getNext(); if (rule==NULL) return false; if (rule->isFallback() || rule->isHidden()) { tmp_queue.push_back(rule); return true; } assert (bsd_comp->printRule!=NULL); string thisRule = bsd_comp->printRule->RoutingRuleToString(rule, false); map::iterator rules_it = rules_seen_so_far.find(thisRule); if (rules_it != rules_seen_so_far.end()) { QString msg = QObject::tr("Two of the routing commands created from the gui " "routing rules %1 and %2 " "are identical, skipping the second. 
" "Revise them to avoid this warning"); compiler->warning( rule, msg.arg(rules_it->second.c_str()).arg(rule->getLabel().c_str()).toStdString()); return true; } tmp_queue.push_back(rule); rules_seen_so_far[thisRule] = rule->getLabel(); return true; } /** *----------------------------------------------------------------------- */ void RoutingCompiler_openbsd::compile() { string banner = " Compiling routing rules for " + fw->getName(); info(banner); Compiler::compile(); //bool check_for_recursive_groups=true; add(new RoutingCompiler::Begin()); add(new printTotalNumberOfRules()); add( new singleRuleFilter()); add(new recursiveGroupsInRDst("Check for recursive Groups in RDst")); add(new emptyGroupsInRDst("Check for empty Groups in RDst")); add(new emptyRDstAndRItf("Check if RDst and RItf are both empty")); add(new singleAdressInRGtw( "Check if RGtw object has exactly one IP adress")); add(new rItfChildOfFw("Check if RItf is an Iterface of this firewall")); add(new interfaceOrGateway( "Check that the rule has either gw or interface but not both")); add(new validateNetwork("Validate network addresses")); add(new reachableAddressInRGtw( "Check if RGtw is reachable via local networks")); add(new contradictionRGtwAndRItf( "Check if RGtw is in a network of RItf")); add(new ExpandGroups("Expand groups in DST")); add(new ExpandMultipleAddresses( "Expand objects with multiple addresses in DST")); add(new addressRangesInDst("process address ranges")); add( new processMultiAddressObjectsInRDst( "process MultiAddress objects in RDst") ); //add(new eliminateDuplicatesInDST("Eliminate duplicates in DST")); add(new FindDefaultRoute("Find rules that install default route")); #ifdef ECMP_SUPPORT_OLD_STYLE add(new createSortedDstIdsLabel( "Create label with a sorted dst-id-list for 'competingRules'")); add(new competingRules("Check for competing rules")); #endif add(new ConvertToAtomicForDST( "Convert to atomic rules by dst address elements")); add(new sameDestinationDifferentGateways( 
"detect rules with the same destination but different gateways. We do not " "support ECMP at this time")); // add(new createSortedDstIdsLabel( // "Create label with a sorted dst-id-list for 'classifyRoutingRules'")); // add(new classifyRoutingRules( // "Classify into single path or part of a multi path rule")); add(new optimize3( "Eliminate duplicate rules generated from a single gui-rule")); add(new eliminateDuplicateRules( "Eliminate duplicate rules over the whole table")); add( new checkForObjectsWithErrors( "check if we have objects with errors in rule elements")); add(printRule=new PrintRule("generate ip code")); add(new simplePrintProgress()); runRuleProcessors(); } string RoutingCompiler_openbsd::debugPrintRule(Rule *r) { RoutingRule *rule = RoutingRule::cast(r); return RoutingCompiler::debugPrintRule(rule); } void RoutingCompiler_openbsd::epilog() { if (!inSingleRuleCompileMode() && defined_restore_script_output) { // function restore_script_output may not be defined if we // have no rules or all rules are disabled output << endl; output << "restore_script_output" << endl; output << "echo \"...done.\"" << endl; } } fwbuilder-5.3.7/src/pflib/RoutingCompiler_openbsd.h000066400000000000000000000107241303637203600224100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __ROUTINGCOMPILER_OPENBSD_HH__ #define __ROUTINGCOMPILER_OPENBSD_HH__ #include #include "fwcompiler/RoutingCompiler.h" #include "fwbuilder/RuleElement.h" #include "config.h" namespace libfwbuilder { class RuleElementRDst; class RuleElementRItf; class RuleElementRGtw; }; namespace fwcompiler { class RoutingCompiler_openbsd : public RoutingCompiler { protected: /** * prints rule in some universal format (close to that visible * to user in the GUI). Used for debugging purposes. This method * calls RoutingCompiler::debugPrintRule */ virtual std::string debugPrintRule(libfwbuilder::Rule *rule); /** * expand address range objects in destination */ DECLARE_ROUTING_RULE_PROCESSOR(addressRangesInDst); /** * check if we have to install default route */ DECLARE_ROUTING_RULE_PROCESSOR(FindDefaultRoute); /** * remove duplicate rules */ class PrintRule; class optimize3 : public RoutingRuleProcessor { std::map rules_seen_so_far; public: optimize3(const std::string &name) : RoutingRuleProcessor(name) {} virtual bool processNext(); }; /** * eliminates duplicate rules */ class eliminateDuplicateRules : public RoutingRuleProcessor { std::map rules_seen_so_far; public: eliminateDuplicateRules(const std::string &name) : RoutingRuleProcessor(name) {} virtual bool processNext(); }; /** * prints single policy rule, assuming all groups have been * expanded, destination holds exactly one object, and this * object is not a group. Negation should also have been taken * care of before this method is called. 
* * This processor is not necessarily the last in the * conveyor, so it should push rules back to tmp_queue (for * example there could be progress indicator processor after * this one) */ class PrintRule : public RoutingRuleProcessor { protected: std::string current_rule_label; virtual std::string _printAddr(libfwbuilder::Address *o); public: PrintRule(const std::string &name); virtual bool processNext(); virtual std::string RoutingRuleToString(libfwbuilder::RoutingRule *r, bool add_decorations=true); virtual std::string _printRGtw(libfwbuilder::RoutingRule *r); virtual std::string _printRItf(libfwbuilder::RoutingRule *r); virtual std::string _printRDst(libfwbuilder::RoutingRule *r); }; friend class RoutingCompiler_openbsd::PrintRule; virtual std::string myPlatformName(); bool have_default_route; bool defined_restore_script_output; PrintRule *printRule; public: RoutingCompiler_openbsd(libfwbuilder::FWObjectDatabase *_db, libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : RoutingCompiler(_db, fw, ipv6_policy, _oscnf) { have_default_route = false; defined_restore_script_output = false; printRule = NULL; } virtual void verifyOS(); virtual int prolog(); virtual void compile(); virtual void epilog(); }; } #endif fwbuilder-5.3.7/src/pflib/RoutingCompiler_openbsd_writers.cpp000066400000000000000000000211501303637203600245150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RoutingCompiler_openbsd.h" #include "Configlet.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Network.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Routing.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Resources.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; /** *----------------------------------------------------------------------- * Methods for printing */ string RoutingCompiler_openbsd::PrintRule::_printAddr(Address *o) { ostringstream ostr; if (Interface::cast(o)!=NULL) { Interface *iface = Interface::cast(o); if (iface->isDyn()) ostr << "$interface_" << iface->getName() << " "; return ostr.str(); } const InetAddr *addr; const InetAddr *mask; addr = o->getAddressPtr(); mask = o->getNetmaskPtr(); if (addr==NULL) { FWObject *obj=o; /* * check if this is object of class Address. since we want to * distinguish between Host, Interface and Address, and both Host and * Interface are inherited from Address, we can't use cast. 
Use isA * instead */ while (obj!=NULL && !Host::isA(obj) && !Firewall::isA(obj) && !Network::isA(obj)) obj=obj->getParent(); compiler->abort( "Problem with address or netmask in the object or " "one of its interfaces: '" + obj->getName() + "'"); } if (addr->isAny() && mask->isAny()) { ostr << "default "; } else { ostr << addr->toString(); if (Interface::cast(o)==NULL && Address::cast(o)->dimension() > 1 && !mask->isHostMask()) { ostr << "/" << mask->getLength(); } ostr << " "; } return ostr.str(); } RoutingCompiler_openbsd::PrintRule::PrintRule(const std::string &name) : RoutingRuleProcessor(name) { } bool RoutingCompiler_openbsd::PrintRule::processNext() { RoutingCompiler_openbsd *bsd_comp = dynamic_cast(compiler); slurp(); if (tmp_queue.size()==0) return false; if (!compiler->inSingleRuleCompileMode()) { Configlet routing_functions(compiler->fw, compiler->fw->getStr("host_OS"), "routing_functions"); // we should delete default route if we have a new one to // install. IF user did not define any routes that look like // default (i.e. where destination is "any"), then we should // preserve default so that we won't leave machine with no // default at all. 
QString route_pattern = ""; if (bsd_comp->have_default_route) { // If we will install default route, delete it now route_pattern = "'lo0'"; } else { // do not delete default if we won't install new one route_pattern = "'lo0|default'"; } routing_functions.setVariable("route_filter", route_pattern); compiler->output << routing_functions.expand().toStdString(); bsd_comp->defined_restore_script_output = true; } for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) { RoutingRule *rule = RoutingRule::cast( *k ); string rl = rule->getLabel(); if (!compiler->inSingleRuleCompileMode() && rl!=current_rule_label) { compiler->output << "# " << endl; compiler->output << "# Rule " << rl << endl; //compiler->output << "# " << rule->getRuleTypeAsString() << endl; compiler->output << "# " << endl; compiler->output << "echo \"Routing rule " << rl << "\"" << endl; compiler->output << "# " << endl; } if (rule->getRuleType() != RoutingRule::MultiPath ) { if (!compiler->inSingleRuleCompileMode() && rl!=current_rule_label) { QStringList comment = QString::fromUtf8( rule->getComment().c_str()).split("\n"); int comment_lines = 0; foreach (QString str, comment) { if (!str.isEmpty()) { compiler->output << "# " << str.toUtf8().data() << endl; ++comment_lines; } } if (comment_lines) compiler->output << "#" << endl; string err = compiler->getErrorsForRule(rule, "# "); if (!err.empty()) compiler->output << err << endl; current_rule_label = rl; } // string err = rule->getCompilerMessage(); // if (!err.empty()) compiler->output << "# " << err << endl; string command_line = RoutingRuleToString(rule); compiler->output << command_line; } } return true; } string RoutingCompiler_openbsd::PrintRule::RoutingRuleToString(RoutingRule *rule, bool add_decorations) { RuleElementRDst *dstrel = rule->getRDst(); Address *dst = Address::cast(FWReference::getObject(dstrel->front())); RuleElementRItf *itfrel = rule->getRItf(); Interface *itf = Interface::cast(FWReference::getObject(itfrel->front())); 
RuleElementRGtw *gtwrel = rule->getRGtw(); Address *gtw = Address::cast(FWReference::getObject(gtwrel->front())); if(dst==NULL) compiler->abort(rule, "Broken DST"); ostringstream command_line; command_line << "route add "; if (gtwrel->isAny() && itf != NULL) command_line << "-interface "; command_line << _printRDst(rule); if (gtw != NULL) command_line << _printRGtw(rule); if (itf != NULL) command_line << _printRItf(rule); // to make generated script more readable in single rule compile mode, // skip the part that rolls back in case of an error if (!compiler->inSingleRuleCompileMode() && add_decorations) { command_line << "|| route_command_error " << "\"" << rule->getLabel() << "\"" << endl;; } command_line << endl; return command_line.str(); } string RoutingCompiler_openbsd::PrintRule::_printRGtw(RoutingRule *rule) { RuleElementRGtw *gtwrel = rule->getRGtw(); Address *gtw = Address::cast(FWReference::getObject(gtwrel->front())); if(gtw==NULL) compiler->abort(rule, "Broken GTW"); string gateway = _printAddr(gtw); if( gateway != "default ") return gateway; else return ""; } string RoutingCompiler_openbsd::PrintRule::_printRItf(RoutingRule *rule) { RuleElementRItf *itfrel = rule->getRItf(); Interface *itf = Interface::cast(FWReference::getObject(itfrel->front())); if(itf != NULL) { IPv4 *addr = IPv4::cast(itf->getFirstByType(IPv4::TYPENAME)); if (addr == NULL) { QString err("Can not configure static route via interface %1 " "because its address is unknown"); compiler->abort(rule, err.arg(itf->getName().c_str()).toStdString()); } const InetAddr* ia = addr->getAddressPtr(); return ia->toString(); } else return ""; } string RoutingCompiler_openbsd::PrintRule::_printRDst(RoutingRule *rule) { RuleElementRDst *dstrel = rule->getRDst(); Address *dst = Address::cast(FWReference::getObject(dstrel->front())); if(dst==NULL) compiler->abort(rule, "Broken DST"); return _printAddr(dst); } 
fwbuilder-5.3.7/src/pflib/TableFactory.cpp000066400000000000000000000264651303637203600204770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "TableFactory.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Library.h" #include "fwbuilder/Rule.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/AttachedNetworks.h" #include #include #include #include #include #include using namespace libfwbuilder; using namespace fwcompiler; using namespace std; void print_string(const string &s) { cerr << s << " "; } TableFactory::TableFactory(BaseCompiler *comp, Firewall *fwall, Library *persistent_objects, GroupRegistry *_group_registry) { compiler = comp; firewall = fwall; ruleSetName = ""; group_registry = _group_registry; dbroot = NULL; persistent_tables = new ObjectGroup(); persistent_tables->setName("PF Tables"); persistent_objects->add(persistent_tables); } void TableFactory::init(FWObjectDatabase *_dbr) { dbroot = _dbr; // dbroot->add(persistent_tables); // persistent_tables->fixTree(); } void TableFactory::detach() { // dbroot->remove(persistent_tables, false); } 
struct joinIDs : public unary_function { string out, sep; joinIDs(const string& _sep) { sep=_sep; }; void operator() (string x) { out += x + sep; } }; string TableFactory::generateTblID(RuleElement *re) { string res; list lids; for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o = *i; if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); lids.push_back(FWObjectDatabase::getStringId(o->getId())); } lids.sort(); joinIDs R = for_each(lids.begin(), lids.end(), joinIDs("_")); return R.out; } void TableFactory::registerTable(const string& tblname, const string& tblid, FWObject* tbl) throw(FWException) { // two different table objects should have different names // if (tables.count(tblid)!=0 && tblnames.count(tblname)!=0 && tables[tblid]->getName()!=tbl->getName() ) compiler->abort("table object name must be unique: '"+tblname+"'"); tblnames[tblname] = tblid; tables[tblid] = tbl; table_deduplicator[tblname] = set(); } FWObject* TableFactory::createTableObject(const string &tblname, const string &tblid) { FWObject *tblgrp = dbroot->createObjectGroup(); tblgrp->setName( tblname ); tblgrp->setId(FWObjectDatabase::generateUniqueId()); // "id_" + tblname ); persistent_tables->add(tblgrp, false); dbroot->addToIndex(tblgrp); tblgrp->setBool("pf_table", true); tblgrp->setStr("pf_table_id", tblid); registerTable(tblname, tblid, tblgrp); return tblgrp; } /* * Add object to the table group, but perform a check to make sure we * do not add it again if it is already there. 
See #2671 */ void TableFactory::addObjectToTable(FWObject *tblgrp, FWObject *obj) { int obj_id = obj->getId(); string tblname = tblgrp->getName(); if (table_deduplicator[tblname].count(obj_id) == 0) { tblgrp->addRef(obj); table_deduplicator[tblname].insert(obj_id); } } void TableFactory::createTablesForRE(RuleElement *re, Rule *rule) { // sanity checks assert(rule->getRoot()==re->getRoot()); assert(dbroot==rule->getRoot()); /* * get the list of groups that used to be in this rule element * when we started */ set original_groups = group_registry->getGroupsForRE(re); string tblID = generateTblID(re); FWObject *tblgrp = NULL; list objects_in_groups; list objects; set table_objects; /* * separate objects that should be in a user-defined groups * (tables) and those that dont */ for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *o = FWReference::getObject(*i); if ( ! group_registry->getGroupRegistryKey(o).empty()) objects_in_groups.push_back(o); else objects.push_back(o); } re->clearChildren(); if (original_groups.size() > 0) { for (FWObject::iterator i=objects_in_groups.begin(); i!=objects_in_groups.end(); i++) { FWObject *obj = *i; set groups = group_registry->getGroupsForObject(obj); set groups_in_this_re; /* * an object can be a member of multiple groups, but not all * of these groups belong to the given RE. * * set_intersection requires both sets to be sorted, but STL class set is * always sorted automatically. */ std::set_intersection( original_groups.begin(), original_groups.end(), groups.begin(), groups.end(), std::insert_iterator< set >( groups_in_this_re, groups_in_this_re.begin() )); for (set::iterator it=groups_in_this_re.begin(); it!=groups_in_this_re.end(); ++it) { string tblname = *it; if (tables.count(tblname)!=0) { tblgrp = tables[tblname]; } else { tblgrp = createTableObject(tblname, tblname); } /* * Add object to the table but first check if this object * already belongs to the group. 
If RE had two groups and * this object used to belong to both, set * groups_in_this_re will have two items. * * See #2671 */ addObjectToTable(tblgrp, obj); table_objects.insert(tblgrp); } } } else { // if RE never had any groups to begin with for (FWObject::iterator i=re->begin(); i!=re->end(); i++) { FWObject *obj = FWReference::getObject(*i); objects.push_back(obj); } } /* * Deal with objects that weren't part of any user-defined group */ if (objects.size() > 0) { if (objects.size() == 1) { re->addRef(objects.front()); } else { // objects.size() > 1 if (tables.count(tblID)!=0) { tblgrp = tables[tblID]; } else { // TODO: can two rules yeild the same name for the group using this method? std::ostringstream tblname; if (!ruleSetName.empty()) tblname << ruleSetName << ":"; int rp = rule->getPosition(); tblname << "tbl.r"; tblname << ((rp>0)?rp:0); //if (rule_iface) tblname << rule_iface->getName()+"."; // tblname=tblname+rule->getId(); if (RuleElementSrc::isA(re)) tblname << ".s"; if (RuleElementDst::isA(re)) tblname << ".d"; while (tblnames.count(tblname.str())>0) tblname << "x"; tblgrp = createTableObject(tblname.str(), tblID); for (FWObject::iterator i=objects.begin(); i!=objects.end(); i++) { addObjectToTable(tblgrp, *i); // tblgrp->addRef(*i); } } table_objects.insert(tblgrp); } } for (set::iterator i=table_objects.begin(); i!=table_objects.end(); i++) re->addRef(*i); } string TableFactory::PrintTables() { if (tables.size() == 0) return ""; stringstream output; output << endl; output << "# Tables: (" << tables.size() << ")" << endl; for (map::const_iterator i=tblnames.begin(); i!=tblnames.end(); i++) { string tblID = i->second; FWObject *grp = tables[tblID]; output << "table "; output << "<" << grp->getName() << "> "; MultiAddressRunTime *atrt = MultiAddressRunTime::cast(grp); if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME) { output << "persist"; if ( !atrt->getSourceName().empty() ) { string path = 
atrt->getSourceNameAsPath(firewall->getOptionsObject()); if (path.empty()) { compiler->abort("Error: Firewall's data directory not set for address table: " + atrt->getName()); } output << " file \"" << path << "\""; } output << endl; continue; } output << "{ "; for (FWObject::iterator i=grp->begin(); i!=grp->end(); i++) { if (i!=grp->begin()) output << ", "; FWObject *o = FWReference::getObject(*i); if (o==NULL) compiler->abort("broken table object "); MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); if (atrt!=NULL) { if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME) { output << atrt->getSourceName() << " "; } if (atrt->getSubstitutionTypeName()==AttachedNetworks::TYPENAME) { output << atrt->getSourceName() << ":network "; } } else { if (Interface::cast(o)) { output << o->getName(); } else { Address *A=Address::cast( o ); if (A==NULL) compiler->abort("table object must be an address: '" + o->getTypeName()+"'"); const InetAddr *addr = A->getAddressPtr(); InetAddr mask = *(A->getNetmaskPtr()); if (A->dimension()==1) { mask = InetAddr(InetAddr::getAllOnes()); } output << addr->toString(); if (!mask.isHostMask()) { output << "/" << mask.getLength(); } } } output << " "; } output << "} "; output << endl; } output << endl; return output.str(); } fwbuilder-5.3.7/src/pflib/TableFactory.h000066400000000000000000000054241303637203600201340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2005 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __TABLEFACTORY_HH #define __TABLEFACTORY_HH #include #include #include #include #include #include #include #include #include namespace libfwbuilder { class FWObject; class FWObjectDatabase; }; namespace fwcompiler { class TableFactory { BaseCompiler *compiler; libfwbuilder::Firewall *firewall; libfwbuilder::FWObjectDatabase *dbroot; libfwbuilder::FWObject *persistent_tables; GroupRegistry *group_registry; std::map tables; std::map tblnames; std::string ruleSetName; std::map > table_deduplicator; std::string generateTblID(libfwbuilder::RuleElement *re); libfwbuilder::FWObject* createTableObject(const std::string &tblname, const std::string &tblid); public: TableFactory(BaseCompiler *comp, libfwbuilder::Firewall *firewall, libfwbuilder::Library *persistent_objects, GroupRegistry *group_registry); void init(libfwbuilder::FWObjectDatabase *_dbroot); void detach(); void setRuleSetName(const std::string &rsn="") { ruleSetName=rsn; } void registerTable(const std::string& tblname, const std::string& tblid, libfwbuilder::FWObject *tbl) throw(libfwbuilder::FWException); void createTablesForRE(libfwbuilder::RuleElement *re, libfwbuilder::Rule *rule); void addObjectToTable(libfwbuilder::FWObject *tblgrp, libfwbuilder::FWObject *obj); std::string PrintTables(); }; }; #endif fwbuilder-5.3.7/src/pflib/pflib.pro000066400000000000000000000037331303637203600172230ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) # TEMPLATE = lib # SOURCES = TableFactory.cpp \ Preprocessor_pf.cpp \ NATCompiler_ipf.cpp \ NATCompiler_ipfw.cpp \ NATCompiler_ipf_writers.cpp \ NATCompiler_ipfw_writers.cpp \ NATCompiler_pf.cpp \ NATCompiler_pf_negation.cpp \ NATCompiler_pf_writers.cpp \ OSConfigurator_bsd.cpp \ OSConfigurator_bsd_interfaces.cpp \ 
OSConfigurator_freebsd.cpp \ OSConfigurator_macosx.cpp \ OSConfigurator_openbsd.cpp \ OSConfigurator_solaris.cpp \ OSData.cpp \ PolicyCompiler_ipf.cpp \ PolicyCompiler_ipf_optimizer.cpp \ PolicyCompiler_ipfw.cpp \ PolicyCompiler_ipf_writers.cpp \ PolicyCompiler_ipfw_writers.cpp \ PolicyCompiler_pf.cpp \ PolicyCompiler_pf_writers.cpp \ CompilerDriver_pf.cpp \ CompilerDriver_pf_run.cpp \ CompilerDriver_ipf.cpp \ CompilerDriver_ipf_run.cpp \ CompilerDriver_ipfw.cpp \ CompilerDriver_ipfw_run.cpp \ RoutingCompiler_openbsd.cpp \ RoutingCompiler_openbsd_writers.cpp \ RoutingCompiler_freebsd.cpp \ RoutingCompiler_freebsd_writers.cpp \ AutomaticRules_pf.cpp HEADERS = ../../config.h \ OSData.h \ TableFactory.h \ Preprocessor_pf.h \ NATCompiler_ipf.h \ NATCompiler_ipfw.h \ NATCompiler_pf.h \ OSConfigurator_bsd.h \ OSConfigurator_freebsd.h \ OSConfigurator_macosx.h \ OSConfigurator_openbsd.h \ OSConfigurator_solaris.h \ PolicyCompiler_ipf.h \ PolicyCompiler_ipfw.h \ PolicyCompiler_pf.h \ CompilerDriver_pf.h \ CompilerDriver_ipf.h \ CompilerDriver_ipfw.h \ RoutingCompiler_openbsd.h \ RoutingCompiler_freebsd.h \ AutomaticRules_pf.h macx:LIBS += $$LIBS_FWCOMPILER INCLUDEPATH += ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../compiler_lib ../libfwbuilder/src win32:PRE_TARGETDEPS = ../compiler_lib/release/libcompilerdriver.a !win32:PRE_TARGETDEPS = ../compiler_lib/libcompilerdriver.a CONFIG += staticlib TARGET = fwbpf INSTALLS -= target fwbuilder-5.3.7/src/pix/000077500000000000000000000000001303637203600151035ustar00rootroot00000000000000fwbuilder-5.3.7/src/pix/pix.cpp000066400000000000000000000114001303637203600164030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2002 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #ifdef _WIN32 # include #else # include #endif #include #include #include #include #include #include #include #include "CompilerDriver_pix.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Tools.h" #include "fwbuilder/Constants.h" #include #include #include #include "../common/init.cpp" using namespace std; using namespace libfwbuilder; using namespace fwcompiler; FWObjectDatabase *objdb = NULL; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string &msg) const { msg.size(); // to make compiler happy about unused parameter cout << "Data file has been created in the old version of Firewall Builder.\nLoad it in the GUI to convert it to the new version." 
<< endl; return false; } }; void usage(const char *name) { cout << "Firewall Builder: policy compiler for Cisco PIX firewall (with support for FWSM)" << endl; cout << "Copyright 2002-2009 NetCitadel, LLC" << endl; cout << "Version " << VERSION << endl; cout << "Usage: " << name << " [-tvV] [-f filename.xml] [-d destdir] [-o output.fw] firewall_object_name" << endl; } int main(int argc, char **argv) { QCoreApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); #endif QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); QStringList args = app.arguments(); if (args.size()<=1) { usage(argv[0]); exit(1); } QString last_arg; string filename; bool only_print_inspection_code = false; for (int idx=0; idx < args.size(); idx++) { QString arg = args.at(idx); last_arg = arg; if (arg == "-I") { only_print_inspection_code = true; continue; } if (arg == "-V") { usage(argv[0]); exit(0); } if (arg == "-f") { idx++; filename = string(args.at(idx).toLatin1().constData()); continue; } } if (filename.empty()) { usage(argv[0]); exit(1); } init(argv); try { new Resources(Constants::getResourcesFilePath()); /* create database */ objdb = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; cout << " *** Loading data ..."; objdb->setReadOnly( false ); objdb->load( filename, &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(filename); objdb->reIndex(); cout << " done\n"; FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID); if (slib && slib->isReadOnly()) slib->setReadOnly(false); CompilerDriver_pix *driver = new CompilerDriver_pix(objdb); if (!driver->prepare(args)) { usage(argv[0]); exit(1); } if (only_print_inspection_code) { cout << driver->protocolInspectorCommands(); } else driver->compile(); //int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 
0 : 1; int ret = driver->getStatus(); delete driver; delete objdb; return ret; } catch(libfwbuilder::FWException &ex) { cerr << ex.toString() << endl; return 1; } catch (std::string s) { cerr << s << endl; return 1; } return 0; } fwbuilder-5.3.7/src/pix/pix.pro000066400000000000000000000013511303637203600164250ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # greaterThan(QT_MAJOR_VERSION, 4): QT += widgets include(../../qmake.inc) QT -= gui SOURCES = pix.cpp HEADERS = ../../config.h !win32 { QMAKE_COPY = ../../install.sh -m 0755 -s } win32:CONFIG += console INCLUDEPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \ LIBS += $$PRE_TARGETDEPS $$LIBS TARGET = fwb_pix fwbuilder-5.3.7/src/procurve_acl/000077500000000000000000000000001303637203600167675ustar00rootroot00000000000000fwbuilder-5.3.7/src/procurve_acl/procurve_acl.cpp000066400000000000000000000112671303637203600221660ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2007 NetCitadel, LLC Author: Vadim Kurland vadim@vk.crocodile.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include #include #include #include #include #include #ifdef _WIN32 # include #else # include #endif #include #include #include #include #include #include #include #include "CompilerDriver_procurve_acl.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Tools.h" #include "fwbuilder/Constants.h" #include #include #include #include "../common/init.cpp" using namespace std; using namespace libfwbuilder; using namespace fwcompiler; FWObjectDatabase *objdb = NULL; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string &msg) const { msg.size(); // to make compiler happy about unused parameter cout << "Data file has been created in the old version of Firewall Builder.\nLoad it in the GUI to convert it to the new version." 
<< endl; return false; } }; void usage(const char *name) { cout << "Firewall Builder: policy compiler for HP ProCurve ACL" << endl; cout << "Copyright 2010 NetCitadel, LLC" << endl; cout << "Version " << VERSION << endl; cout << "Usage: " << name << " [-tvV] [-f filename.xml] [-d destdir] [-o output.fw] firewall_object_name" << endl; } int main(int argc, char **argv) { QCoreApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); #endif QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); QStringList args = app.arguments(); if (args.size()<=1) { usage(argv[0]); exit(1); } QString last_arg; string filename; for (int idx=0; idx < args.size(); idx++) { QString arg = args.at(idx); last_arg = arg; if (arg == "-V") { usage(argv[0]); exit(0); } if (arg == "-f") { idx++; filename = string(args.at(idx).toLatin1().constData()); continue; } } if (filename.empty()) { usage(argv[0]); exit(1); } init(argv); try { new Resources(Constants::getResourcesFilePath()); /* create database */ objdb = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; cout << " *** Loading data ..."; objdb->setReadOnly( false ); objdb->load( filename, &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(filename); objdb->reIndex(); cout << " done\n"; FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID); if (slib && slib->isReadOnly()) slib->setReadOnly(false); CompilerDriver_procurve_acl *driver = new CompilerDriver_procurve_acl(objdb); if (!driver->prepare(args)) { usage(argv[0]); exit(1); } driver->compile(); //int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 
0 : 1; int ret = driver->getStatus(); delete driver; delete objdb; return ret; } catch(libfwbuilder::FWException &ex) { cerr << ex.toString() << endl; return 1; } catch (std::string s) { cerr << s << endl; return 1; } catch (std::exception ex) { cerr << "exception: " << ex.what() << endl; return 1; } catch (...) { cerr << "Unsupported exception"; return 1; } return 0; } fwbuilder-5.3.7/src/procurve_acl/procurve_acl.pro000066400000000000000000000016351303637203600222020ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # greaterThan(QT_MAJOR_VERSION, 4): QT += widgets include(../../qmake.inc) QT -= gui # # # PACKAGE = fwbuilder-procurve_acl-$$FWB_VERSION # # QMAKE_CXXFLAGS_DEBUG += -DPACKAGE="\"$$PACKAGE\"" # QMAKE_CXXFLAGS_RELEASE += -DPACKAGE="\"$$PACKAGE\"" SOURCES = procurve_acl.cpp HEADERS = ../../config.h !win32 { QMAKE_COPY = ../../install.sh -m 0755 -s } win32:CONFIG += console INCLUDEPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src DEPENDPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \ ../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \ ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \ ../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \ ../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \ LIBS += $$PRE_TARGETDEPS $$LIBS TARGET = fwb_procurve_acl fwbuilder-5.3.7/src/res/000077500000000000000000000000001303637203600150745ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/Icons/000077500000000000000000000000001303637203600161475ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/Icons/128x128/000077500000000000000000000000001303637203600171045ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/Icons/128x128/fwbuilder.png000066400000000000000000000544061303637203600216060ustar00rootroot00000000000000PNG  IHDR>asRGBbKGD pHYs.#.#x?vX7IDATxwd}y8zrY`E `EAA*2-e\w:骮|%,ɲ|$:H $"n^l;~9߾ (L,,,|>Iq a~Sm7)!"lp&{ Aub76Vaeeʐ$ ??'XYYA,C__N I߀8  "AVۑ>1A۶^yoU*b @> 
蘆,N qA8T+,뺮lڷ lۆm(L84M,<σyTpخ%]#5,1 /<@v([eko=&PFIn*|e'011gH.&kn$QB,v3ډNRowc#:?֯-ck~k|?$KH$[`"V]{wGr^##egG]J"I2@D}G*bv ˲( HS翛< - x{kߋ4M>|`uR #n{%Ij?Qޭ]3-a}@Q%N111QT4C4D'潛M{L3;8pv߳ 3͏{FNnQTZ) <(܍߽$88G}ϝ@ 7d,ۆc4 ӓ7I Zts9qFLb}tm84%trpwץm{ss#=ח3.} ( Μ9s! 0d8zV9Io mߍH q=p.@ 㚾_EU&[-qG9u$IvSsنx<ϋḊ9U]eY-m{q@Z6|Ew8xı xܙ tnYS9UU%Aiۏ <"@L@ն᏶Qlw6߭5MdYDQeYeYN0 hfS9͛.LtQjbN22t]Ԅ/"ZwG gqUUNv ߽9ʎ\2u+ ewau]>cLwň O$ޞiێuDžiY0M eos&2b(8huͣZB-ewnC0A>(]m]>qW$e< }+god; Oq;]M,!@(PQMEO*A`tÀN.VW&\!I+%v7vayuTQKu'Z\(;Nݸ*Q˲?8Si @jnOqzzRf*z3kx7h4`&5,!Y?D"eYh4(ʎ7.բ 8[}DӴo_~qA ˲'}+{Nx<noD KKػw7*N;Q -73L"H@$0MT zďIᴵ b8މ{vzMMMtRכh6[p]uP[gOXPRѫ*N:Z֭{Ԗoa9rJFQȲ>j5uVA+qe8z2S}YD"P# eY'\RO,E2@,EjHꆁFZJE "u]E\~jBeV8]y7s;2͡7-Y%l6H$a&&t]G$!FsÚ"L J ,U m'췢tH$UUY+ -OAq]u]Os=9Q!J"DAݩ(2 Y9rEJ%\|Z 1+&Q %qPUA,Ş={\nܱ;AUUD{^UVQTnJiKYB^k&4"F@N$I!IEacAO?X4@8O6{<ϓi|8ڝ{e}}PU c~a'X,$%:h UFYcrrܶm8{cM߇> czz G$(h(䋐dV W^eD'[6Ow~UUH`umؿ?dYޑZnJ]$P$iTDִypNL&;]K^<kT*05CD h4]渭щՅa:׻ کfسgc8z(CeǿJ&0uTq$I$IR)J% c||1vo] DYشtR'OX!RzzzXUp3HnF臺pȣnL1#) xFc)8W/1CeT*|u`Z.\T*H$n1}$ H$bD"H$H$e`Ma[a?\@ZӍJlߔB2GLBm{tQ!ofSTJ(T焱jPl6a6|t:9k׮AuָBVMe0Y2%f'[0 bfz/zo`k~^VWWa6p1u]:umnt}痗144((*r\7t((sfN| /2+žtM|O/|?oLOb0) !)bz "D066Q\r:ai#_x9FE F7bh4}%144ݻw#3#h!3dj>usx^0g466)FL&Yis"8vM뺸~: 58~h "onw㸾sSI2OT*!={Ǐ,˨+tP6iʥ2.]OS/+={SSf)3d033Ü"EQ`&ɶP(h4`6 m[ E'? 
ڵk5 M!r8Ӣ6J:6Di* II0TU.9w:acdAwJڅOm_gSH8r"'Ou¶m VWWuMai{ :9Pw&E$IߎbbbtšCQV144{!‡A+"1a(yyy|["~w*s>-E GJ!8WӴ-eYuflfVg^o0qt]gh$x2(UUopN PJ>crr Sdɩ[^^F2d m#3ܰTPS.Q*r}att_?( 'į/CT,- cdd1;ql@7}hw˲̀:%j9O8pp] d"F\d)caҔp)Ò!`% b1 ###ؿ?.ATZ΀yr`vf48pr8Nq _~~ O|I,- D臱^`_"n#ܩU>AGG޶Fhیe2 ø^` ~NB&>+(Bh%19R7t4s Lall {*C(Lflu8zp.{ AYZZbaȲG}DF8Noo?~_Rvģ*YV[ְr#Gŋwf医r :=X,VH0pNy3]ov8]Ev 4*)leV ,3M@I%W`V 'OD@OO|$&''fߏFT*Q˲zktTr\g&aXI"b088cǎP(`}}}wEQ|SSz__RɦY؈'zqf_XX˗Q*~ m=<I?%Ęm7ހeYfxec}]aAOO`Iߤ0w8!Dؘ\.|>rt:{bdd1"3aS#X&67|mE$0p\HAI2)tK4[^x?x'Ӄo|ln?"2I0 ,78v[8v:͠7#T*AEZ-fNC!djuNR,Q-SSS8q2<5UC$~R F[m;d|MdYƷ˗/#`sssQ5XkYTUŁ000P<3M@`VC`Y֖(QYF8QyqJ%SY$d2z&ڶ%I9۱nB'p]\$pfpLҮwdUu7B K%|4Mb:4MC6eqpZImdd1E:׌OIl6٦-'y#üt:W^y,cbb4:+A#ʲ,Zm>N%i4 J/_*EߏgyA__/+ =σaɔeI4Z5TULNNnD˜]˴'nŋ8<2:~{+W[xL|1eY(JH0Md(Hba9BS5lFsC wPAm+++4 /vj+I[p`8`MӺ;e``9;"]`&E~rH$œAbJLdv6StV"Zg&.\_~Ľދ^{ Kj__WU#Yf̧i;RX,Be`rrT ®T*h v/,+m0TUEZJ&''{n իxnڕnZϟGRߏD"RT8A:Sa$2nQĵ1ӱ/xiB("TyBp%avvW_}, O?)6 qIGUҗBO\5 0X(jۋ{BBh4=fv ɠlcnn a!Nc.j5ccc8~8 K wdE{==='?I>}?<\CjBRmrˆ!(!uKq򑏠Zbcc.۶?ro!@QĢqZb~~T <`Y I(vݖ |W$dJK/AE4 DQ1Ϝc+(tn8Nf9 k(H!$B4١FfjZ j"L`ubT w݋l6 ˲J w~Q|uC.nCHxBξcvvcccLyv^ i?008LNN¶mdYFZ"lfڏ;2s*~mlnn7:ke'iR[X I$SCA{el)9s9XСClNpD\FfT"zNTԉJ,dt#׀Hz>]3P,qe4 v1 F{@L@$*ϣØepČ"#I:m~";w( NeBf 4vjII:f" 2={`mm9 kkkL:u@fP"&!xTW*r$Ib%dTB$ LB;M8Ct n҆m'uz% ;Xkll _G^G.c`U $^k_MmA*dL& MN!U׷$oDQd*""&TUePuZ4Mih4SNرcc[t9 uyČ伆H\t]GfpSK)+IN C, C{zzX=uVj5IHh:X"`0 q˲xWo6ë8s]W$8,2)j6!$F W|@x _ zڠ`hRbqqqNE^g:V ܫftZQl6177ҽA4m0pCN7@Ѻo RիaAhPNkpA|ũS}zֳAPUUh$cBFȃ'IwRXE_V112@CQE R8h4X'.ƒ) U`QxčʠZ^YYa/Xt݀]3b3c6Mб4hmm D"8 cssi'$r~|㥗^oۭ[6v?,/Fjgvø/B.aZ,!b NAi5kEOS$ Aa0;4,1֩Sp%ضY<3˗t:<߃(8rx?zn,!(AOO, rv N`\~ztGN!q._|GߖZ&Slp$ @:"3mbb"bΝ;ǐE* 'fh6D"[T01CȮbey _ЕNbfib8xh?&Po4D22\HG(|ǥK8x<2XD6+`6;>я"h`uq y{뿉N { 2W?o}Ї>R] piptäbk#us4֭j1h@R8xJBu,--!T*PGŧ?i .s:U$Ig~d2B,@ZǙ3yA&b+űc0::v|>)Ln32V۶hC!L矇$IX^^gz8o+?9LP4kzY%ؚn*NOOߒ;xo;|+<tR$a(<څ4PwRPAMX&iBjLꩂ%2)˸~: vލM;w<>!H@ullllq": A>jMJonl6{nݻxϞ=d2p (NFRZ:}Q *N ߇PpxU*Qw6i)c-8n<?~SSSx 
/`ee,FGG^Sm92i4MeYH$mBޑNLH>JgNjM,--\.chhY/>jk< Hx<|#xWp›8qr H 8ko >u^ۅE9|4<0k.LLL`xxLp"w'.iYZYkX^G?677Jx TU`k|'J.3%5wsHNQˊX766PTH$p.]eYh``u#kfD^8D""NjaeeVtiqr]uPR2NQ]BKP^MH`Y"vcATfggqAm`ii ׯ_8,NӃX,|X,+]N'SB t Uv5V+:j\Ifq1\pؽ{7VWWwNĦ % 7oRm 666$gy,3$,(]iZsR)LLM"qUΣw #(oQW~m ,`t*ke$zPr>rd=zǎu*_t]gq99TU;55o~0 #O`ff7Eil&=l6(dk.id\$zɉА9#g7&裏b߾}}bسg, "(r\ "mop (['Fq` p<x9Eai>*>܆M%+x񅗶OS_{fazzV FxUPf*('Oմ$T>l0Ba1??4111~eYV(J,PN>Dx1iPUZ{`zzd׮]c>\^}_9vQ5zyV0ȃ3X+:i2ҙ^$2zz{ ZDC)[(DE ͈N4,5Gm'88jrs9w`4,21TN=#ab(d;SBϢX,ȑ#Ğ={Xm?1 a9}KPABBs*GGGaY Gi\İiQpudRqģ2 ,^pn3""drX )#30vhb|4e[  Q,p_ypM;jБh@"yR90 ]OV6vAg؀iiRͤV/2(&''qQx^xzׯ_gfs,(*guM2E Mf! xQDhB%}`?μ8\SkՃHB$7hnt}*ؾx8- x ٳqpVqmlB*=*x$L] J)Ir^yr9?~'OdK\"Me"666Dpb߾}evê[l~B8A__%50kW{j_y,N {aAQ(>DjKL6/b. RO_cvv=Ŷ$[4: r>@йjAI;%IsLdMEΝ(>ϳȂ/|dߠ0pUEGZؕ&{}d2֓VESp:ga]! NO`<8ǹ΀WDO" Ccp|^A+%(o֐' gf3( >O^ooѣGY>4" s&[@V[aF o00NarXYYFFF}CCC;^=wAFN rjƧ>) l7d!jI FMi*U#;w1:;QT`4۸(+P"jDGmV®*ס % .x,w,2n_Jl @mlll`ll +Bk׮7ą L&166 dn9 IuK>o$s r666ɠ w&vg넛G $_AT*i,@w4̊"S y+m 8MUX\ac.S7?5-p +*kw#N>+ Bۼv,jdΌ[Y7OO#j677Y6?Rz9;k* J `R44Mj5T*J%tr333fHH,VT>߀jٳX[[C:ƣ>A|߆eYXXXbHÉ#6Mu訪q0[vP-5d σx$\r2DdOAFj".!Q>&zLFikYpNAH###Ū$mV0<<c<1 MNQ,P*u6mCDvz~~ppE/uk[ѥ!}}}ؿ?^D"'N0VyFH}|ZE.__`ttg122¦pIa>ijllgz_q`::$ЛL³z[xc`b/Q=9 z/x ШpPհ>+lqPdiUURd(OMY(:^Ea;-,õ}ILNOz?QVǮ߿?F3IIƏ lzBW"eYT*?ĉxNn\@l[hZm%4??۶Yk42("H l6'N%ǏC2iZz*gLxV4ݳ]בNCKaT"6׆oloOb"F~7L륅f֬:`:L7xE6/7?i\r%'2̓y]V< ))b&b(-KCV2ʫ&L:\A%0SrfLy$QFnUBP9X^menNsz159ڢu4FT0o7 !>S9ổ˫^Qh_ P6a6ZN`X-p5W/Xkֆx8fѽq@u뺘?11jC>RTN <{,F( h6|_  Sv,cG^2ă&#+0M0ڍUd;b||KLv IeN@ Μ9K/p+j-V/[ߋ2bcR/׹WeE r:S=/> mw wmâSUU-ٞ s{L~> =R7i(p\M)B>ĊT<8$ip*b(ԃ.S\pu ׄ`r/]kW!MAB~3˲bǷ a[㻝GΫW_}+++/ueE4: պ;\l?/&Ny-,huKl {G&ܻsiTu\4qȢM'Oh4s^r>@!Dx7n2q. 
@@mknA׎[.85<츶pmZ3׮]Ñ#G022|>\.]144e.,ao?e n8!V$yvgHN07ejHaY26?@vClh=8&.D GNc8>Xx 9,[0)*Ű8=cHir-(oӧOURy,g/ئB X9e󻌲Hkim < B|yy DZEXC,aov{bªNfpk&+ilNP\f\vX\GY`HTx,$R@3'jeh>b7b,D4kT4P=H/ GAEvbo~3g|lF: *Y[r<$N]]]E=܃q3ɓl";Tz{(Ép6R0@5Qp NaC*ʥ2tq191WV5HRYsFG:9V3sw|1˗PW A@@cd_R H>bٳ߹vWt<&hcA:.^J) alluRI `#qb).#_kAD 04|E j7a:="&Qla`zvz ߾tҳm z  dndA٭jK.!cxxlCCC I(XYYa-ytd,)jX^^fL}(7^ס:P[ƽ:6/"Hpltҽk\.@ƞ}X!^@!:J"&\DR,D123fĵ70vx|o8sKxS\ @ 8n*7t xtMX8210e:Mtv~ ;?q\$|pwJxZMX#i,EL'|>#x{i8 K)#RRv m x< h B ΢mhv hT,C>,,.± $"(lTE4!` ZޘC"BE T dB{{=K{M2+W&柺h:(jcʬ(5y<ׇ/9J1 Uخ5 #k-ؾq! C޴]2QHťȦ1:Їy m@4Aw-YHf@$"9 l%Ph#x_@c*~ǝ|xO<J;=@χ+uåǤ]<U#:ШTPm cT ĸ*"l( M46( B uQGd{`VkKU8f#ؼ\Guko`hoAaj9%-H4|i!abnv'f'^AfK<8^D@шXCU"pu_?!kf"pڐW$+pG{>hؘ/$1j2vA/HGapSG?7|e> N`GwwzAw!ȎgQ-Q+Uc5 b`pm&D9AxVE*"Ё{ GdTKu7>Fq2 4uh=dE{ 7$X&\W'x0-  \}DY FSQLךF26! *}ى,οt !I&zzq!2DY'DP\-Vl@Hg{_`hzlv+v{wc>$h5"`xvcr =}ȌfЬjVP-"LA$酬&WAD!@aZ =7yhZCGZI^_o6߫V?]iNtHw[^?j!v0@D%96+|zSG$!R`UXyu %CZ^Bˠ栺bt -,G$VO0o Sظv QV $^ѿ [-bWyQ*2>ITiSg B w8g r/o"#א0Eم]p *5l-c%BEm\@x ɾ ٮl"ho ۅAoϻBGM!e (F:ARQA8"lD "|< ` B(,?#=CLA#juD5 jL`64,z^D{~zq.^!"8]m6kMWt jLBj2 DG$ 06h5mbLD~TD~Zwq]F(qHd`dddwR*1Y^{25^`~%fKzf L&VlVۯ+W}7(p"8>ʍqn_` Yn jb`W5\B'+Ӝ.܊!)s۞,Royz A;7Jm}8$8ʽ/Ut$}@dLI=8Ám`kɓcasy[ۭ~bTcvnl^1ub^gCL[3Ĝn0e6n6v?N  mX~ ^YLH1%tEXtdate:create2013-06-19T15:09:21+02:00n%tEXtdate:modify2013-06-19T15:09:21+02:0039PIENDB`fwbuilder-5.3.7/src/res/Icons/16x16/000077500000000000000000000000001303637203600167345ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/Icons/16x16/fwbuilder.png000066400000000000000000000013061303637203600214250ustar00rootroot00000000000000PNG  IHDR(-SsRGB PLTE222SSSjjjPPP'''iiiccc'k7z"(yX "d L'2r7W:;F>A 4=FD H 1vvv333TTTQQQ66642,2/)nnnώooommm64.iii1.(QiHWZVPPPMMMAAA...7968W.CM/h|aYYY???6Y+T,DP+;@6`*VVV.\JC$;CC tRNS5bS +3kbKGDH pHYs.#.#x?vIDATc````bfQPdeSbbLeEU< jZp>.1 S3s N(QG(` d1B ll@C퀆"]a| A_?P!aHXxDmWtLl(P@L\BR 
]ZFVN2>*%tEXtdate:create2013-06-19T15:09:21+02:00n%tEXtdate:modify2013-06-19T15:09:21+02:0039PIENDB`fwbuilder-5.3.7/src/res/Icons/24x24/000077500000000000000000000000001303637203600167325ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/Icons/24x24/fwbuilder.png000066400000000000000000000022251303637203600214240ustar00rootroot00000000000000PNG  IHDRשsRGB1PLTEnnn'''222'''aaaxxxvvvuuu)v*#gT 3G%P.O"i L%4u;XN*<G7>:45 0?<7B 5333@@@kkkooo^^^JJJvvv]]]FFF666)))VVVuuuyyy888+++tttɀ:821.'xxx1.(̶www~~~}}}pppsssrrrnnnŰiii:$PdJ{{{___TTTHHH===???1M)E%P/PqDdddQQQAAA;>:C,H)R)P.Q57{2G+X.R*S1Q7AA!E*6Cc9+I!Y1CH)G,4Ep$6b5p4z.pO`KWWW>>>%CO~.6a:w 6|,sf,;tRNS 00UMZTofSa9SffSk_@P׈p}bKGDH pHYs.#.#x?vGIDAT(c`k[&;{fkk$ptr&I(&a ÃY? 0(6ĖE#4,<"2*:&U $F OHLNEgKIMKGJd$Q% BQ%D *qE+(U!y WJp 2ʥQ%dEɯoGPhljnnhmklRTJ(vOp8i!g̜5,1g : -^,lV%׬]~䒉6oٺm ML h>lu縩%tEXtdate:create2013-06-19T15:09:21+02:00n%tEXtdate:modify2013-06-19T15:09:21+02:0039PIENDB`fwbuilder-5.3.7/src/res/Icons/256x256/000077500000000000000000000000001303637203600171105ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/Icons/256x256/fwbuilder.png000066400000000000000000001754451303637203600216210ustar00rootroot00000000000000PNG  IHDR\rfsRGBbKGD pHYs.#.#x?vIDATxwu%9WuuFD" &DJcɤGɖ7^Gzgl={eil<=$KDK$"%:9{_*4@8kwϹ'쳏JQܒ[rKnNQ_ %\?^Bp-{̡(fI=䓙}ZF[b!|vج(4(@(ֵn_{M_kpf$S>ON^ﵹen^[5++aU>jj$Cl~9ϩTyMLؽ{Kumݒ[fryGw7(z(R~]y^m۶z衳gK&o۶/-oFQE ]ܥh\w}}}wct:}0a-%7w~wLLɯlW@C܌}͛72̶`0^n#< 1ox',ek|)GEyZbry#L&|;f2C @t%n絸a<'־Lk< z'cW?n7\sd ZN&h4jO&T*W|o1zX,hmmU+z^===Xz|}y#Uce߼y/}K]z~bl6bh4VV!!L.# k.@l6|>477nt`0:;;/s(bZ^xjb/O>΍I}VQ_j7V |3ob-p5Z>G2y./VaX``٩۱ct:z=4B Qj5˅6477,(*RjjJJd29477CףRZСC|>ݠ|S(1 R [~G&O=䓧޲%7\sPT}T*!u:\.^/ۋ={@RAV# baaH@KK @pq,.." "#CCBV ũjBKJŢ:uxT*R@RX,^~pXQVջ  Z~\V\NŔ=ϠK(=#ߪrokp䆔TÆ!\3/9~Vo6133SVˆB/|(G?o}뒓ߎ\>ש({G?zRn "Pܳga``@o>LLL oyC {l7[M&dYh(nEQ(^~3: Ibr-=H$ʏc:tΝ; 177!TT붰%F*H/afbQP}ck@Z}K,~aaa=*eý?C_prI@Vɭ(C<>tuua  9ku[rvI={}{kq M$nZ"ru_WRR{5RFGGgXVr9׬aY[r NCZjjj5d2LMM]rjJW+L$A477 y-L&,-nrIjNmŜ=ht:a .颯g^zt:! 
!!HP(F{ޒ"d|\Ѭ䟯@OOVVV.)$(J rZbbfff044t,2 $DץZW^%E.|{G>F;Td޽{ꫯ"^z ,$L^FTt:ى *JŰ""hR>~3ޒ^.~g2+\nqĉ:oxJd2d2B!LNNֽpc֭bK RTh4o&w\$( ?p8viㅠ\s`0`޽ɓ'1?~u3@!df.ɟI( M&lb>_֦`0dly6 䟽^/~icrrR׻ 4k_zGlӘpo~~~u]`w/~P.WP,[P(l+=qeuN'vڅ]vaii SSSEVFp\3%7\v7` g>G}|;JŲ`*kwÁ[fa~nZw\@\COߥhzHGG:::P(055o~x衇6^RS8_*&''=?xmϞ=X,rS\ VEOOn݊Ǐo V5Vn[Oאu}i4FE2)6ضmmۆZ&(6Jj5j-#pT*>|###{vwW@ebbSr080BO+/ʄW".Kiall6EARAVoߎV(V D(KUKy^kZ("q# 7dPmxa0eRZ¼oO6Ȋwg}CCCÖ-[Zzמ r7+L&ls5tu>ٌr 8s 2 4 <eZFen2*^\ϓ?sꫯ?>S'] (˗h4ؼy3E{d(= FBxIg-J<Fs zJœU.S`ql6XjjX,qrrt:@ԨZ=TUTbz03* vRIZVFF8v(066:֦1i'_;9媀@wnHb哟34 Z(YihooGXdVE:`ljNۘW~鄱jh4XXXJB&*VVVJ\G{z91RIho#Wj<07#7wRVj@@! / 3B+^/ BJŐN{ݛǵP(Voy7\^O>])+\nI8uB\.w_HF.[݀7\hL8ONҵ?R]3Hz_N@6+28~Bwt:-K\(   f^-'WX/-?^8 .VFsiܸ׹x|9咴i=Љ,=^}bY;_Ζٍ7JuY < )z'zA>~'NNl%nnNdR˕>~\ ڛt9!LhnFY7K^t:,y=r @.VܒV.\(RQL%p(eX1X]>-y[%+UK&.Wtz=  ɿ };CB~~XT+qrK67{핰^p#"Ux랏bFD"bHRVbR6j- C'p%#/l$mAdE6Q2 Μ9x[rC53ܐ r :RH`nnNl]ē[ 7k,+1zsJ4\i̠Zj-8JRbnxMW?oY/X,brrLfǸ%(~U 2btchot/m/2`=@oy7e@Ɵ/Xmv -W/VߚȝX gϞE8P雵lzd2^jvRz4uIRjղJ>VTx)/yIL8XXf4gZ}u%usGGG1::X, cA|flת_+W2\Zx׾v0z4uNV/ժYJuZRQTf<){%EQTCQV^o=}m/8n2CR|ZMTMdZ)B16rı?Vk(+CLNjjy /k4ZNZ:VTxyW7/|V`fu1/@Qhu:yX }EhZ 2@@~ˉZ+reSVfjYaZR[w\fVsEQ4ox ]w?ojj2]w#Fa^5}Ie[OkOV7}CJwJRl{+PXtwwfaaa'O":[7Ž0x7jw*CjZ) DXVBr}EZjY^Fe24QnxNdnviÅBa\.ӧ\W9|_T*)K[J*Vefc˖-0 믿 rq^\?JOZe+וT*jB k;[VEtNsNjN}Vȵ >aA&??`3p8[B žJ:tؼy3T* l\V\V *s|_A ?ERusCJ%TUM~3uʲސ;'e2?_}dvf !xV*%K% E%J%o& >_z{{QT011o)( Oh\~QRm].R梌÷}F#0B?߽x+/.+j}ޠd`ZfJj5EUQ( #q9:xUшvtww#a||w1H_v'H~Cz3lo䓿z?k-+adZo@K\FRA\*zk%/G˥|pA#^Af f \.Bb(D>_hu F4^}U$~}E'xbCНRhKa ^~ߒb_ȟRA㴠fZ[ԧL-?JdٝRvRY1Md2l^5Fjqb6`63 J شizzz) 7$˟x GOU*'U*Sf)Sks6J學yk5~PT_E ?Wʕg2MJenL\FP@<{|uLf zr T.FZl6{C7[]5ZK_ʯʷJҗT*Nz'Vg. 
\hȅ[HFjT~NWPe]> $?yR\=tV{\.J&CԄd2)//77ʆ_'?x<|sANwAX]z=l.u:]&gCh4d2/m>{ eSz\^bߌvLOO_,2~CKuٲaxO$333uN㨮 f[u_O+~9R`6aXjVR~{V(>Jrp܂m۶Acbb>,fff(il(`^M&RyqdjEk꛹:5%o5rOPjjpCTTwOL}by9pG6{˛9T*::::088ZӧO㩧t¿]^ ]d^jh4jhiiA8FTB.CV4T]JY/(oG<%Qez9Ba mK/}I˿7 ovfFߊ(JrHērfsfH$zj5 <6oތ~e8qO<M)|l0&+jV+,z`f("9Ŷ] N^he_Qt:X,L&:PKZr z=?w|>t`V\Nuc٭p:Pp9G.C&E:A"D6E&C*kШ0hjjL&q)| _@(7l0 ^Vj &'>!`0fj z ސ o7ν_E*={YyR?}m<[GsǓD2Y #l6jpjjt=olFw&)d2d2Y$IR)VVf3144>9sO?4 jvMYR x@ @lBÁL&#p2]6 DT & & fFͬVwt( 9r.0y^^/^vWQg~z1NېK}f.P$s|2YF2rV 6n v V6U'.% T~'}7*l,>z_H&G N ˍ[bΝhmmӧN'Zg?ٷIo`R]''{4O=nfY<ȡAY{>L&Qt:QTK*Hc,[/&䍏7|*8PVqc~~^z`'*-X_o~k|l&{VV΍܌#zMMMغ{~i9sJuy,6V{$(MoL(S>XZT*b9X]Ђ_|ZBj Պ|>_Dc|bedIh Sq (EYTLχq hxpė |ڭ.w1>Nm%ǯ*`0طoz=?8}yxUf3\NԚUcFQw~yFscj꒕+N.& * 3Gks*N' pVQTBӨez@IFNr`Xzd1טob1hfCa!l>$/ `e%p$H8pRՈbAoo/{nyx70 TFŗ =FFzMTR''Ӯ4׋j_w>GR^˰^lF2sZF\@1o y^fJgc6*Ni?{T*4vG*h4@SZ6|>|^F ׋~i]AVVG L&/y8vn1<<kԧ>ŷkBkp1'7oeZR)Isw.f3~9cb-ofOe>р*mRnGZC6}f;z&T._.]n,;Vt:"y9Ƚ%AY)Z!jV.*/C]bqbq=zC MM>45Vڂ֖חJ%ce%l6 x<[Mڵ 3338|0dJ `s"FPt*˞zF.Us6گ|[Ν;( Eju{d;IPWZc9\. Ųvy~ӽ/ET*q=brh5l6ۚKX^Hc3Oc9b{u_+@ @  ߄ft:ކ6|^h4~{b8y$9/| o 4EբbJsss0Lxo%z=rP3* d9 sThDRYYd@]@)%ۚaVUy =JEa֭۰gT*k'={m̡xx^&qߩįdE׋(L&ՙr+n7S U˅x.'rsU6Ɉ޽;v@Toܛ78tuuAՉCWl6Y@A_Pϰ'? 
Me͇B{{{JW1(r]n])0*keE/|9p .l?(4D~5Enr9>}SSS0LlV+۱sN "Hٳ~dq8hokC:AX֭}XYYxNBzl6F2?(py^R=(X,qLMM [6~t:JP($6i<8INpad0P4ƽs +Jun)^\7( J!?&d ItSFvƪ@c5@<:bbb|1`Zֆ>"`zzO?hx(<K%W"ؿHIL&x^J:\Q3Η@Ӓ-IM>ֳP(`rrccczJ%c۶mL& b1:::ߏ>x+/T2klj"Od|{;ŗ^T{-ƪP(F)YeA>F Y \p8nC[[;6mڄv?1rνX,شnoqbB*VMMM(uuzzFn+CTv&v E177Wbݼy3v޽e6& vbX0VVV" BRaaaKKK8tz{{ׇ-[ܐ#on04YVmBcnl8d>^'hfC\F:KLҨ''3a΢Vpp\?/7[IF#6mpJNFc٠JnxOPa i>FCu{TG,fffD%MQx^ c׮]DVU˅QK/-[83 $K/[:+@`Zj*FXş_{XjfA}w"'?r #9јd"R.q[,Օx-ܘrc*B2D,D\f3<{bii o"v;w"X^^o]`0k|0u=&T|نl6 J\U)k/iƝq]6bnnx\dv؁J%iϣV6r<3Z B!$Ittt1??Ç̙3ueA?~& mmmhkkCkk+됀37Dg9uKSHSO~C=3JXr9h4.dQш5T*$IXVb1$I|>fdY> Qbb_7 +J!!"J.|׈ِS}Ci|(H&#K6|>B fF€Fn# '`ZzBE(~vn=N'&''1;;@ pJ񸸉z^4yzz1k{ߋI<'11>B/} fރ0IX,a0H$P.p8fjNaۑH$ĉCT*(D/lFXXX@8[,FdDP('---A{{;zzzJF,7n|B.4n_eP Np*\s2a :㍀!dvyyB!d:/忈14ZsujgA\VVJmc*'˅}jd2a~~hpHD(4R$Kb~n r8!x|^a^nތ>w( r{000Xg5 v"2 FpIBRNL&VH$^Ox<q$ D"DQ9r@@he827}7\4MfL4!xt #j4E5E&t% X-!b p OF8ZT\lF__t:E\L&Jac&sB!ײrﶦ$>yXI)$iI4\. hV0M( QP(k?18z8;ZiS'z{GT*e1qD"Qt"?F͛7v]$t:ADQy>|+++(")\{X`%o(;'ȥ<‘(^2ۦ&,// R9CCvQan7T*v{!q\uS,sr)OV<.\hccc"~6M Q_\x'(f PuT6XR)Zo45T*˫V7)FNMގtuuv8]fjX _ dJ0;;+h4*Ol6B 6-10Oa6Q.aۑNa2{P( l6p HE6QGd8o>G8F*[fl_Oc||p:8p~WNS? =XU5.~\1fe.t.^G6;9{5 LOp`qqQēdLnJ+++pPtZ$YVj^k.kQ&`H3Ɣ2@SD|]K)o^nchpmXu5xӀh`(D\ dh8B3c! =+٨]TDb`֭lƉ'wPc~~G$Hkr,QrcccMyhtd tmmm(JH$|d2V$$ Ry)8G( @#]W ,|=>,)UUvf40[ 3haK* }Ј3oWXvnI K]d\zղZ"WT,xT*jךn\!, ^XjBӡ}}}hnnFP4/_ׅZ-x{wǮ]Âzg~^{ {^G"bK2Gv+y 6"dIdx\PLd2:oXȕ żF] -Vp"fkd\O#ٗqɥ*0!<KM2 2zMJhlިd2a ::7Qg.OYoE#,ggjbQxb\& \VUt1.ƒL L:)tPTJ,VD022COO 7==@1 /FGǐJL^/ /^ @UJ6@tNC$bn5ɥXp9fkD5z-=ܨc\.|dRlT*Y9iqrT*54h4$rw;[A|ƕ0UW4 _˓xNF >]o.BDP.1OшL&S'Fx>OPkp\.lق~|_T*8|0>O?>ɄL&3X\X2`phFN/!zD,+2fiH$011!lsssgFWWU2 \ȏ'w|>YVȼz|L (7BZ ?ne`E"ERb`ppA*mSSDgtnć~q <)SΕ{l6+f~'7իӋ eoad 2͢,I4 b0LlVYϜ9U=y<lD{G; zkFP89w•Ҝ(Wnd\&ǐA6,{5eLҐeYT*яA=X,yqhp6oތ;wr`P2\. 
;r6_j5N?p8rK+IC)#`=?>eii"A2,G(^z H2a\.J%VL|ZV4]7Ev pf„P(*btbii XL YX,,wpRr91 Sz4 VL&łt:XZZpbۇZAFMزf %Z,aVäC (@y*(+= '*8_2 Rfff DGV;wF#Ƅk/w;(LDr}3fzA,..Kf3ꫯoߎp8,d:Uǃ#G=VVVpLOOb H$bA,CPrfWVV zx<TEik~7z@ Z-r-(Ol6tuu 7"v]&gΜA4E{{;\.rL&&Bdy Y^HCd2 !p Ncff<*4x78s l6 KKK>1LLL`jjJ(OSNRJ;wjA,rd2 $PzpZz!O'htDBtkt U%@x<D"VR乂l.J$%ȅj5VjX:v;Rz{{ىi7rf2x Kdq"I[ޠg$C{ɓ' \oڴI6>bee*lZZZ0??_e~VqĤ'@ASFCPgN8p;vбc`0055!z80kqr6 hkkߏ`||X PHDb1XV9rnVn[`V+eW6EGGREKQ s5b%Ir9T* B8F2D{{x<~attt`jjJ$|" D*ORł@ P0b6gFEc$B@ D"! r nR3 y ̖ሌ#A*[tYΤ;Ͼ 9ַhVǍyطon7~Pގ\.' 9Đ/“A/FƧκz@A!x N$ue>K\Vo KKK0 !\O `4ՅgyJEmpX65oukPD[g<f ~_; ! !+ /BUZxk?YeۅNusjpjfaqqX^^h?7\ݍC J!OLHCbwM)n72ryͫs>Ix%D"RL:#N^mZA"T)F2FGGQT O"d$ El͍HFE$ZDPXYY򲨂dXꚥ2!d w&B ")\l6] J"%rՁm2N8ɺ͸{p=:iLNN|VeTY|>N'VVVp8t:Q,JDFV&z<8nw!ϯtFMXB@Ao qN'+\DZ|_4n'G>n f)Jd2 iss3ZZZ&_\\;HZ&zN T1ZDk&᰸>ۍxAw@s,)vuu I'ZW䃈D"hkkI[$t\HDLf|)jl$u`0(6q>G.ѣGEqSSS)d kt멐R:,yֵep^C{-u}z6dsٳg1??_G}mؽ{7j5 x A=== +h٬ bt T*|>/vV4eNH|<Q/.9Ixg(t-\qa @R鐁:$̔BDTbPtv;\.uEed2x< RR_A&=f3p~~qZ"R.ٌ&g!d3Ϟ=[70OlN!755! WIP,z^G&P=&'ٱ$) pL&ũ+oFy "122)e{<)aaO~#G5+ڵ )7׶1fL&t:dgLAJ8"ie=\r]m 1.ׅ Jx<~y^FEq=`FQb3)L!Lfq.AL$hiic2\NaEA;11JL&!N`nQTXZZn&dK L)pVK't1?'FLрc8!3VOg}?Op87xgϞE<o>WZY l^O`!Ӊ`0X>jZ,//#ˡ vH$",>ӦM_D(˘ř3g033.B\VAk{+:;" JB[G'DO} gΜ ԉJ3 jVzz{pǁ;߿ǎ< "'caaAtKKKukb144AN_Rjw`-Obzz.K<`2X,\sssC<~n۱w^ڵ(G'},N8&"WɄH$#ɿGXRA[[ȒKוJDžҦ&$Ih4DQQ#]`y ٽǬ>T*QJZ^^jE{j HD `.K\.')Wu- #&ݚL6AӟN:Zڳgx .'G6d(~? jNѣǑLbU/g*{lҘcNS`KEńHȭ[bpp( XXXX,VAQl yW;Sf31k0JXXXB:pW*9r`Pyyfٳ7oH$XUVkev)F59NeOXg-q02J/\ j:jq }uXwb(jD+n{{;DNr$Q$G. 6 H.g2!hMr8[ĉ HYx?:66ITTߏ & t$pJK_P l?3LϞD_K0T0s:"o4;{}zsNC# addD(>l1996Nصgezz3sGSG^|ii x\TfL&v؁]v odvvV5HNC8}a׮]"Z>M2>ݳJ!zpFps:2,^WlyȳhiB(#Bp8v$sJv]K4 k." qC-Z'ŇTUl޼۶mDžL&q͉rVŻ.<d2XXX1{;~gm8<_J(n]$[tZLğf-vG*SXJ%Q=(Џ}c̃H&SHB$v!BJ"! 
F:::}v P( `eeET(t Dr۶mNj/P(NX,֭[i&qbs q~dUgM᳁Rcc?]` BvYB C&U"p_yу V+E3=-\r C?7fff+ΐ/ZqD""tdx~A6==-3rm\FIHg?+:'^3E1 >@b׮]z8v$+LLLX,rBnCޫP(iDQqt: aΝp\H0qfrUl>!,..^@>^G8F(+M6ahhH`ɡ4cpnv9NqzX]*B2%z@ HƉOK_%@LI<-a4gϚ4]ع_&8077T*U7l6|'v؁)ωnc׮]ؽ{7\ÇVfF\j}488(' mx5;;[x0<<>K2==-P.@"o(>sXdEQ.+IFÇ*x.\Nȝt܀Lr"V+,K1#a}}}".Zt^/fggE]L×'DdDssslli0q8뮻{n,--ȑ#܇n0كNx%9cxq9d`9Z jFBM3F`u\K3-?.j}}}سgP.V(ʎ RSaZaZ#חԮ.b4 nJV_i,,, LU^gbT*Uga Z4o~H8z(?.bm.oӧOpnc Nfʹ1^vTM׍OgC W;B\t݂׀ldXTXt @POVdyj0 QB1==-Pj+++Pwr}$";&kjq}CĦF|> !%c$dZ4>^Vl6|>ك{ o!@>T"ԜY&ɹzYc'I*m(,1n߾]x###FӑӥT*8ZZZĽf#Ck1 5RvXVtvvbyyY,=܃{ӘF:-ċ' 1& ~NGdxz9dfbVaeejUhM$2؟gr3&R@= s4FD3bii ᰈ+ n7!ȑ#⤦A%)&q0)(dBŧr8 34\\륻oߎ|CCCfd^s:`VcА ?Yy)lE1AI7\.# c:Cs -[ZZĚvl۶ ͢:;;Qa9yc':d4yj? '9ۋ͛7YVBހ 0LJ5Id皒d@~Nv)4v] PX7iN)*/\t@2 j{ILr*[qb=Klقj}sPD4I=A\rH/INEfT*ucyLF҂xCCCxEwK/b[r,// L{`0b1A[*000GBazzZtсJ#R1"cbbBtȁX;.sZr0ۄelvב8d2YזrD\͸cV+VVVZyL0I]X`@gg'|>f3n шӧOÁ1hmmNǎRzpvH$v@D_erUV4l 'ߛhgh̙c \,X qijQ'$aOeR}90epp[lH 6;aILj822"Fπ,$455i|D6 Yo*_KSdUhspưN4"mE ܜ,^WtʣxF+++݋B$6m`#oXD)1VaF"xjEܜD+4h$a9RCse:tycM5h =02 FF!G!y!?^#C*~ޕv\b'T*!C 4P ZZZP(077'By Px=EE:N8$ q:|qq 岎1;;vwfś,ϣCP4蓁?$ kzL 1ػw/ vYQnnnF{{ahӦM{r^QcDBL ^_~9=e~"\VF i*{t') n(S<}$)avv 8ʹ 1@ˬ2J `'{<,rhP($@Q488eco g'~АE3ٳ ~h4w^ҍ\c3 1*;pn 1B)74Fgɫ\. q8F:V} L&`0d2⢘?bVh!t_g@#h&Ā BUs3T2LДkrF*4k n4;eG("XG'G@My~ф‘_sss"rb V)t& B ~@Vd?  
KVFHD!]Vv)$ 2Z-PVB bp鶮nXYYYtuuZ]pyO@*˧l ^RVvjkc*pھ(x[x;B_2$Ü.)#H`yyC 78bppNHZZZD'8c5E6ZM@ԁU<)^YB!J}eT*|>l߾H$"r677*(܃s,aK68qpXhΝ;1<-<ʝz2@{Kw%>!8b,-:Npr,//QT033EQ& h|X$Ȉ1>~_L b<"+|kA6)2dFbwd k6{{d%7 V,8'NcbbN~_@ss3F@`ZM#3VX mmmbqy.?JOOHГgs]ؤh4ɓ'ߏ{"!e^"EjiS$IWO+¤'.1"@c~~^Eׇ;vd_Whp(^6ri hY& lƤ߽{7m˅`0(`0(40Z =D,uF .r|>qrj5CN*RKw[ì>7|&f[n!,K-Z[ <M(?UK,l[[JŰ(Ct:6Mvxi4x<^Cb${?|N)$=kTɓ'111Q7 wNFUO `@Km-hoo1jæMض}:us bh>== BYzs@$ V/pOaGfgեE$ ,-- w!8FZv}xE+,4²b G~&ӹrda85ر8{fE׺ @;O{BRvHRCBdcEϊ.fYx\7.g~%>Y oM̌06*WU|#HC9]Tp*|x2u,~|RPl .j o8F2D(».q (`#fɟ& &^l4*p#imYd:le@`eenb T*azzf"Wvwq`PLh3ġ4,]@ S7 `jttT( "2288{w}}6g*̟ cLFF8]n edq>v|2d 'bΝ;~nAbddd0 hjj_XL(̙zEH^,FVxxP^x1;b۶mرczgGhUclHh }{{>'m\PݫR!xtf.jٳ'H$0??h4/~زersr ib)q a'e1⧙ܓǒq].Cgg'hTE40_v(ebӦMFp;:i98)\a%M>O@N)ORaaaAyF8Nlڴ ?OʼnhpA}´itsr*s:Nd)ԑz&)=;bqr"Y~eNݻ;wG*FB{{rttt#h oDK OdK###VǾc``* @ǎ <ƃl*T6ekBx:^᧟E2V( (x|M[_\D"G}@ D"B (LxsyѺʭ1{&Y%Ylda*j‚ЭM"l)n^͛%7w&@cbbB1NV(P<B 6 .S N&^χ`ddDLY\\jMHoB6r!Q>1a͛7_䤰ga W$XxBn_?ko>|>nݻWDQ*0;;m۶s2D?:t>17ӭ^S`xD>۶m<"N8!]V*˳0y.h*BoTRlWP./C/ӧOb8Vs` +BSUS}#T2trL&Eٳ,*N l"ρs|hnizJIDAT,` 755aeeELsR^ fc߾}ѣGVQC(g 52.>@{2S6nx ժ"07o%X`E0/sN}G:H9BM&Nh&msykN`X&dMt2Q8{_W_}Up 0/"WdN^,D8k(SpЩ5+(Hkg// ɌsPUvj?aT3zdI(hDWW~w*~ KW.qYLNN 7$w&M`Ȉ8HLT*1Dgff-NXL=`0`nnv't\ oߎcǎ?)~`Alشi4/\:6o,f,LMMA20_zPDC.-- 6tR ~?ՅRMU' TU)d^/ 1z*Idyy.l2&gqh#@@hP`[4Ekj5 199Y7c IΊ Mœa,A<miicy9rIt =t[e=s <Ξ= Պ!,//cddDxқ8|$N$&Jc|A5+ ?Alٲdsss_!2|e+vp8] f2<4j>OdQ_0jh4طoۇ r$ß\.;㘟Ǿ}Dcш#G`۶mL fR'O`:~zN`)K➕jVVC"G $\>5*@*DVg A7Bo5"|xL훷h#`26ZuyB` *Pj5Vٳgq1eOE]nb#:1uGCeAΙLT hG$Xi(ˢᇭ \pSSSp8bp:hmmܜ~X,Al6TsH$"tedaSTi,h k..J155UGC-528V+<ha⏛$.A>|X$8xV‚0*L3 b}J%&T*  n6A6˩HT楥%J0+N>]g 144^@ Ç oȽ/Ci(qp,Z R\ r8nl}F0 2z μ:31wZmJUC˖NMz$#If°{$sv+We4 4;¸(ztuuaΝjLXɒf ƀs6r y455u]2źDLJE1iJw^zlڴ "fr8{0Tl`onPsXH$ p t[Mr&aTQї }FEȧmSSG`ƄMR;sss8{,* N>:7a IxIa` @eȟH;]?,"vvơ瞃dv ׄYxtѲ?,&+g1~,jD0Z]3`9<rKj&LCCCԓJ kAQVʥْukxW HW/bfG.ww3t:ldr9Nwy'fgg+ڳgϊ}>$Tcd"(3+l޼Y.$Gfy" !"e;zF:@XAj8}4D&I{wqŗ4A*K F<GWWv;yfdY,// Vłeq $$&jU6\D‚Lc\cyV!WbR9mW Z 8=r Z&;PBf" !t be:COl 
wT``Y;u9/վZ> <`8J9yb)."_lGL&O x@j$*;_{zBkk@|1tX\\Z >mEQ2'"@ (t:ef" `0t:-YiX,P"ӗJ*m` b~f0%lƍy}###\`xx{/m& Yrɫ +I14X fCPfÎ;$p`֭tzu17 Uz^ر7o|rr<| ;e l2k%ԔPYՃ*u,ZO,tҾlƩc'Q(3Qݏ=g_Edaa4 a:ڡ7uU\(哈2rH o&, r QT*~w}ûv߽SygϜ8s`k@]# 9Yao]w݅bnqc & xF)9D"1Q&B)#pgT(JG] rנrsiy"+-rsss8s=O{}'˧Oʊ b3y LfvG@}>Ξ=[Z̐̿I}̙ =`ǎhkkC<ѣG"휕&Vnd> Z\-Go IBUSXVjżme}t'{o&Z jbh|t +Dc :o7(!]w'O~_eL&l6Q:y캲sKf$$]4 <$pTgdh)tYRE޼_xKKK8}t Xgg'x߿:NspP CV^i8\EsC0QeER]MXR):~=O`=@lZał :FA/ܤ,݋[0ܐܤ}ȑ'ϤkD5ތXVF 'k0Zlhĸ"q4<a/S˳ Lu^B,T ^; _*&''=b8W΢+papx'6 ^s0,;h2c}VK }lH 62jP\U`u`ZujAם'+;"﫲48@`99#?4i$4ClVcc՚fͨ1͌v$q]U]wVVfV}?2^Ϊn4[DFDzx{w| OaY` wgΜᓟ$###E/a+8.{ ҍ,! .@92LU< "9 x4"7 fA_qHIb-+PRLpG"]y饗]WtqB\K2aJPN /x.ݻw١^{1q:."؏D$ "Y-Bs+VߊL&&LjXYYT*}ڽN`sK)o 2q P.T)̞#w}}xH铳d7,ޚ'08q4&=FWp #'tp@4\\p?m;pM~~o͛7v.]ӟ4ccc)sPrSŠ/WPwBqĪ VᩈAG*L!EDTDROx""*\Vz|&իܹsg_ⷋG$Br[0>eflv_ŋy=k׮b4mx[Hapc/矄ϓhe&{ [b.|z=,e7OVK]Ƨܹġ\k%L4=~g_|y賱} gS۩Ĺ[ܼ w'3>8[K\t-TMG34ڕ&pѡ?y2O?'9õk>ŋ?#p]Wr NOO:ܸqBaH%)lZ { >򩜈>ؘG &=GTLӤXϓW; "]$ 257AjtBdW7:O$1FE#5>Dj4ȯna P/YzJf&@4 =#[T ;̜:쩓\^ ?0SҏkzQ:ZE\LMMO?ʕ+|k_\.{sUUwvvI$.AG.++Aȯ%49-V%z 7Q .4͋SJ,R$̴<P(xsvvv j-V}cdYn߾xUes#AS)QUU9w/Ǐ+Z}ȲA.{Ncqfff"RU[]}"q?NNKb*-\yN{HO¹gؙ[k8.ܾ;{n먚BDU :&\6}~8;ۛ$GaR.Kj2Ib,EqAvqr6+yapB&by&{'IX\.1.7n_֭[2DP( LMM166+佌 dzYd"$<O(Px<%1C%XHL"G @ r]\.GX X1Euѣ<3={R=%(F]Ͻɓ'=֡;wqIaraF@F6 , cUUq%^x,ׯ_G!Ou%LሕZƍ4MB6z=q ê hK!pQU6kq $>$5 ׆ؾ(L:L!Mc̞:;/]e%&Oc|W?W :=QS09a>s~fg)KOC$@PT9s.IEFpp?'}^|E<kkk@KfB4MezjGU%Xe0E6YxT \Sh4V<5Fv܄eYiΟ?,ǎömvvvX^^gyZX)M+^cɊ?h$dt:n޼>fӧOcǎ?b{{1߿.Hɰbq.8ΟL&!3f #!`z}afggQANK$ ,zPv`؏?M:/SmW(B06F1P!5 1$EyHa/ ݆gW/Lĩ)E U-jX&g?>l/)W)lVG5> ma;JN@LVņo-ύ]__gssӛ~UZxmL _P.jwt7[P(e =Cō.z%I@Hev$qF٣Rggg̙3Q( Z-SӐ9̾3>Xq˰R kkk /g#ky,--khObKX|0U$ѣ:thq ^b$c2lضm6˴.'?vh?F3`6L*;9&ȭש L5%ȐHN`HKywuׅ蘦w[4\'w(m60b:f!fX0`37|@'F_76:w=~!؂E Hj}q]8ɐd8{c1BkmmT*AjŀOCMۈK$NEwߌ=Gd/~LNN2>> zzN>_S`Ex rZ!h}pA }rH?gaaQ^|E>OxhG2J$,\3"/ΣW1޽{D"YQyt:^|/_x""/"#7!r&⺋sSr' '3Z F璬]i ^}\6Tg9K\+ܾDZ2uJY3qbZ0J- S>EB,F:4kVl$M5WQjoӯ:]$Zd/ǃ2,TV| W!DĽ"Vm(0:6n:bqz4Moup^+ Ɛh@' 377a366###LNNj5~ 
7FMtω70[ǃKsP4͝;w4SN/}gzs777*dY(8b]i+l9,x{czz'NȮ]a.:pz伏L&M8q=ǡ4l/ltFm=rK9?2<:WH4'&.ZVQ"UQZHϥ/  RI%aJ+e͢RݩNYBnԹYec Dɣ>JيS|uYb>HB!_l9C*nٲ=BD,b@ @.R-cbjztd\R$ᖊbxx[M)`1|jj u" I8%ȴZpddX EMt:666;mg_%&'');1pDÔ#\W.Ce$$%<J%lGGرcx/ s @tp8ylb@?嶘83/si } 2/?3̹iۏw(o71B>>ft6C$'|uv3?]o}noټMgNc8gQPɭЬuhe&/?^WUՐO !|qfGeGܜ`FN6GYGQ3uߏditcOm۔%2c8yGrI=~j ĝ\} 8 wu]O=WXƍ /Ir#)yAx)V~`Rg$<*\^wɭ;;;d2666<00H|__$fy뭷sV^A&`$^-8QqqٶMXWD"={94Mc{{}aل`mBx BdF&qώ(ēi^Z`(*]' C$[Ky hV(12pK[Y^Sas),IL9ٓKTk4Km0(>צp2b[͙^z} lv=7_W+a2ZVN<D!+At8X7i<vrzk6GL!P(`Yzcl*2µiyxĒgț >FQT8"* P0q|v{y$jdt,Vc>FVѨ6FbD33L>~;,٧UNYB~ jkbv-RF۲H`4]a-6(JvMb^ ?P3]3.'oB7DrP`L>4~72Jy|";,0BEl&ǎtGQB>ЉݕrhFC Eɳ[a8ꄲBOF(lpj,kƑ#G4y,B#і H$Yg!HxF'DIF}>󌍍l6F J,ΡhEf^cQF'::y_d*VR/_'Q?7m+0qqN@fjC7hWjtk]=>gݞxVGj,C|4I٨~OF?}^N>b;4u4C4_(oYf[YNրڞhIo]r[<Ȋ&\p8M<ʮLȑ#9rpE]Z(X{gJFGD"JbE"b^ Rxy|>'!~k׮y 8#5Q$N*qEC<\n0^(}9rgϒdT*\~z{A<"vt:^8!DH %i CgYp_/ܦ5W#7wHҦ]09AcNDO^YQHpŵ4;tous8)Q#]*j՚ÎBnW:oFlt[5kQScH$W Yye |Aa}P3B"1h$fc޺u/).&r hKɋ_T+~ߜ Fuf~Mb,aӮh9_]7|g˹p`{(<ꖬޕ~Jeg7님w\eXd5Y1멏*4,rO8#5LzqEQD-gJ-Vh@qҠXTQҋD"w #Q( ThP(!DQgYFFFD"9vsξagPDCNʳe^V ^SRoK_ZS֞9{zBErӬVE7zToḭ]:X}+-vC^)rϸfͦurܯݴ.ssO;=ޥeկj'#ȽԢ|t\^Yցwb*Bbul ؇IDrL&2L/Fb7H C$Fm]H,ZF2q}4tl6e1FGGw'q +\ۥhx,)ht=j#ohҤÞrB!oD bt q@20F. 
⽅eWQ%2"(1;Q6<';tڋ]ettRD"`||mou'W~oĄG4h˗/{gh|vP8I|̳>boت Xe WqjS`5a xZmϿ}B1E6]Okb6hwwǵfn̺R A3w< mK[b \q丮Rw_b%GȠ'* >&_Lޯ၉PDpP*JΝ;?ַ~AŃXx=+psb%A̦wrܗT|Vl]5sOyj lYp!ϓL&D"o6JkO8B9.ޗ Aޯ'փlD<( Kzr&7/K2{.NxLm z  .q<ܿ(,--JQj4;;;a%pI켊W8.DOYZ6vUfbjʥ% =@yE kϟΩބ^1^^['xr#`UJ'%@.rҝ;w~On`MV|YلBʫOnx``wωʛOvx=<;в;VVY[[cvvv_Dvez;'w|.øq  ##+H ~9,a.QVdxDpX^$Ÿ"tފHd.CwP޿ؗ'eA^`kPd8B)@"bEz5yyEQenCnD K'  S;D8(& lޢoFĢ St.kCK>,uq&L_˿ WCqOqD"VUUVVV6޽gׯ_!_/fTG^dߏ "enܸٳgPĭn)JyW_4rW 2Mnw pP,<Q+P$r^_>yhPUx8w+ettTt+w.4a1 %2<3?3y/k\n˅ b( ̸),b1N8np0_F{4&qmTh; #bER,f2HH:h4<\\*V BQ1X,z};;;lf7Pg\܎P1 $ip,&JƱ@`t6\ơ Ϝ{Bq:‰S!n\B"Yij(l-a,$jvD(0>>4+=tKWo1461۳<=M>;8s^}\Ċo[om7y+\& J_gjjǏ{ &_C~}V>%gDM]< !r)Ox J 2"W!n 3$Ո5\qQJ mtD3$ :o_r34K&}֊x ;nכ(~/W>40 vvv(t] էjq&,B >WGiFh6FZJ'G jP>V7R,f">Xiu̞R0::F3WSr$Sa߹KHuD$G[Ȯэ p-S&# BGb;}/z!rPݻwߺu;< hGV?,yPi-zص@lرc{ /|;k^ & n>X䏃9<${-dk2/C32wRK }^ѵ&p׼S.q,^A`Z}=J5EQUpr|zfmkR%GޡPPksS9t j Zb1:ͱ8?̡9!P _'b;Jd;E[ +ȜNm}M.q۬ccaP2vl _O%_#=7Z][v<3o]z޵kV+?Q|IiI?dt=,޽{311x`0H2`\$n +^ynܸD Μ91Ŋ^nڐK6?`ݗAL rDh4J%L$2Q=bX1b.\0 ߿O>Zz.f Kx< $;|^چ!~tؽ>:3<7߸Q̭kTqL^alz1ɏvW.`fML¦+=u# #)^kˌ M(JXVpʕPx?[|(yxQ8 ###z7pUE~hxH5֐BR!smoyP(b1fffbvBdL>DrXECƔE677=v _U^z%2L&խ&wB}SkZEZ"f [({%RHout{=cM #C\<,+kwy6P\H3X>Vߦ&3:KF!@$ESBly;XC<7G3ln- ܩ)N :dcI&d7WY|VߦaC\vy4[݃V"# <6aͦ7 #144D" FI$&$"xK.bpU2N&IoM4L'N*׮]#J8C^ggg})H%\u@B!E^ApE"`ȿRP.T**gz G(Kܛ] 0E , qZA n߹AЧJq=fǟg>m1<=B,Uo[i"Pe9|_|#'-a(}D"AT7< ,ÜBe} ˸Z|7 RFPGKQOȁ@Qga>3YE"c>^`0H" N y^xUZy2hg'_NFg4KT}.@d&CQ$ JI@Pu>5@ dsk_K_3/|x|mݞC@wA?4<)N;Ƿ"Cm\# K &1&cgL?) 
;wHNҪVs8C4%5GAdHgdz \e*V$<S b'>aG̃Z Þ bt]b\8PX,(ȫ0g(`!'*oR,ޓz!`eB {#ȞPrY2RrL\P(x u1;E+} V,q3Su&3JPuȤn5=ё!VW( ;j̰K'9},39#Oy5Gf,H:*6"z2› ?34F:129cGЃAJ[YP5Hu\#;<扼<xY ~z`ޑEaWȁ@'&&\wP{с``P[G[.D@ 9oamq*OՈ~JZhm eʌ wĢ WoIbulxT";o+'mlUNu?K(&32<&8οݯYtoAW!6ؼEiK\Q%N6Pʃ_a}~oO]i^S'@r8$t~ŜE<z=NPTDC=}컾WWU.LJdPJz[F-߻=l 9§\:Jb9iDTVBA3||T&Nz'>7n:V"aL*m|շL0ya]n_ɱzo/ֹ ch[߽USNb7Q f|!>C;uiV(t8|n^AYgG>ox>GgT-HP şR~d_cdtr̙*_GK'QAb[7q _Sɗ1{6hDzz;DS:z@5M8n@QN̝7UFnk&h{MB40 @2Tr6ڽE̾I4.#zvN6fhF>C$Ft[*ŅUD(D>|# ;[y^Y NP4s7yxy K@U a=s?"+׺OX"LdPU@Gprp( }CdS*cc3j3sGuqu¡cI*jzAR#4Q2<G2AxD:S ?Y]^g:V&Àg|V@8+߽Li-\\Lq5.cBVY %>'Dʿ'ě8GJA G#@-“ߠgTNh4DUv2})Ct҇IƉDBNa'G' mDbŅVݤ])P#M0>^`~Tj&Ӈ3}d\>_g9D8. .Vs!pt=}H{ӭUѫi8b4[w\ߤk3>wW`\vIa}8RN?Ᶎ |"H UU=a8H>J?X}p|&\4`lf^+7iMc4MK:9jlz`ׂ~ad:I`ɑ!~zdo'}M^D>q)̯=IUg{HaJaB<D*`LNNV%aqCT')8e_Y9-9~ÄAjeEWg,,G95Fv6Q]a OOI:FsܻD뢇  CLc/ S)\ۤhSܩ8CjtiR+qQ4Д(sNw4+]RC: YZjs/>Eq*LUWؼE^ɳ&F)nT\$&Lf0'gYW0>}U' \IrB$N_ȏ_7X@cz4ܙ$R *tK* Vi`dw>Cqll|nKԷh#ٸCij#`J!fw 4ګٹɫ<Og4M *r' )=GU_qp zgd| USM?yldfmb$Zp;'(Qܮ?$1bfj#gtvkpt.2k1{6Biw*qJ,/>Rl±.a, :PfFbgS5]}Ǝ;2?T ߠ5jt]Vbt\յ9/J/YAVOx`d2yuGeaVI\ \UچQV0>3'0 wWWi5S)$7H}>c)6RJ6h k*u NzNotDS16DC̝9 .U8 .tk%sĈb*-Bc عCOz=:.-SW~Xz tO~I@Y+}&ѷL:~NuOcrW _0ЈC\sT6Vq}>̆FqbXpz'P.i[$3 ڍYLbl[-av?p?hM/Z&B6oA!61??JA-﵉O=5Y6GBp,@5_agsZL<Q(R))f`,JҦUiit&ݶɩf ɑ!2oXBkcigiVJ, &gkq:-awZ /?CWr$"g$'aM֮_.ߤYhP^l,uV{v7)t 'O?4+GGconp9Q@QPu0㻕C'3;1u\(l~7O2dP#S$½n>zkEqC&.ŝ-p54]!=24tN`45^Jy3? ձÇb\i:ssgvI hj߾mklE!55P@wDć0;4+ @nQ.pf{y#1 ;t[]vM:~_@0qlTm{oaۄ!~k6Xys=F$dkK$gvUkmU~H*LէUcI G%[ Ҫ1{u1hoeޭ?#"3nw5󑑑qC8&UG:ϻq. 
Z}L&0:3˷HEۄC!RXjrBX&JV@sax2αp:oI=r$N1.pllqϾMI$bYp#~fch(o5)oV(N&mr0l\+31ѡV&=3LtTezfRFl|a6[EQSv0ٍQׯZߎc0eEBa"|d_@3g0szSXݢM5p\Pkopu58ѩQ2)eѩu7ot})3<"z$N _Jk,%}*E֤2t".$n@n/JD0uhj - jXM0⩿1wظI!6mn&ɥ_1uanMD3q>:xxs!~V"noxat'^`:yyW.Sg'=?M(%IuwQlo[J8#5X2G00yds*fFFST2'?opA_c#n Tp^E#u(IӡUi0q~mIYYlvuH*c9ګ>VCeF)I'IN%"4KMlش+vΟ hm}guuR*F^:66"EJh: yX8?K<Xbs{O$bN4SǦ6,]_fxJexzvI)d&z]iTMzEH RZ.3v(ũy+>}K>Vf"f,_8Jt"Q]JD¬Mg2t"Rhb;:6A8r tkmΎ/t[]jfS%8xIZ6cw ̷ʀr c?\|ݣ'X @vVVVhߎbN& #x~=j??ma\+$21w I?FVcvG)FNЬ6(U)n(e(= h"3z|SèajN)L]\`foruj*auV鏚(EmDemf>v;%"vC0$}mfGTt*=0RZ2|2?ۄ}*uT8bY@z.Qg:[\"iߢ۰׋"b5U~ p d@ @݋z{m222r|llc###)gvrgC̜;Db22r" , ˲0 0B,ȭ 𳐇+yֺbvAQEEAJ4 h =|O' CKEQ5ZN#1Fc˄~KfBd f?wgP(3\+_Wl*ST!:Yn5h4.F8թ W2aòp]0eW'Sˏ{i{6?@~ CCC#'O<7==}fxxH$ y-''+7;h6AɛeY= gYiXq>ԥ_-[:Tv }H#``*ȑQl!qQjo;2IZ۪m -&/0$w颪 F@':vQ4thR0]ԉaB lfoil6.100fr l 6 Fcs?PW]T:6u$6B !6 ae"HG&''d"@ k~J8ཆ?8: c"۶(S-G MspX&RnCt(/c8ə49 94N"$1jj`r- #E`cJO@۴r=tBj*4686 _×G|K}߲[\]izT#֫l>FXbQ#AMyB(V'6ps{n.ه*|*/@Gܐ'''=:;222d&H8N>n@28d^FA <˲4*b{vw|-w:Z۩>KP'OΜku3PUnCF~zmf׺7k< ڱۧRSQ4ES:,ֺt*=lZJoz&$ױuȸNF}V}է $h½"VE7n \2` 1 /Axh kb?rR5oSjabZPD>e՘\eQ.&yy``BzDI)~";4l̺UwJz8:O@o3y\dd=kxM^k2lop27r5%]QQQp\# -@QXZ.wĬtޗٗ9xqЀ c8H <α=0sxj{<r8T^ !O OvGA?LoGzSmޠa+PPf} CvA!9tx~9:wJ~x"!pB~|8(Oy <Ǒ<x"?#<'D~vft%tEXtdate:create2013-06-19T15:46:47+02:00R^%tEXtdate:modify2013-06-19T15:46:47+02:00#^-IENDB`fwbuilder-5.3.7/src/res/Icons/32x32/000077500000000000000000000000001303637203600167305ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/Icons/32x32/fwbuilder.png000066400000000000000000000053151303637203600214250ustar00rootroot00000000000000PNG  IHDR szzsRGBbKGD pHYs.#.#x?v IDATXíKw^?y<=off3`1X`m$E9Jr!k!.=@886  llxyxg0h7d7T߯-魷֭[ܺupt!iebbo|o4_ Igggyb6\fl: |͛Oz^+I˲nQu]_f9hZq%mMӆ7]q],2,rV[qs=ӧVaHEX.oƯ OpePkT75M_~kK+++Ez,4{,˔JrYK3<4$ø84MZRTp] X]]_,$ @VU8YX\`ffZ8ضM^hvB022i_9T˲O_<8{PYQUe4Mڵsg~;߳LnJ$IȝN'iqKQTΡi??74<4;r;;忖@|2R;bTVzaH$$IBqLJXdxx/eY7MSg C>r|tt81$IBT9::@c,//pmqqUUONiB]IAN:EQ?y<h6ۇضeaY&9sK!Ppg`hh% ^0 9<<Ķm&Jj1{w{i,(gϞ0??a|QeY,..?ޥ48wn˲h4qLE4 
:^OÐ-WBp.^XXX$z'iz qEffft:m;t0f|b(A@d2t]288O>ɵkguu˲p]Y)ܽ{ӧO311y@,_~Yu={pp$aP*p]y3,$A$(n:?/?իW1M۶ 1 烟2Qc{ޱ9]Rt]'7_dss$I4 200 |nÇq&(HDףܿ|>G>1fI$~NUU׾IZrt: PnضM\fjjf!DW0 ]1Mbq^&}Ī Ib:{{{iJ6%B<ϣVh>`l>ݥVWdm۬~Hi4T+UJ%Ծ>$IvFGG1 ^G?Pe0dppZFբRtxc:q(2IrDU,L(v;qW_=^zFij\>4M4M4EAEK$8i<`Y&/^"/ߟE4E! CEAU xeL&?S$I"D6n,ƶm.ab&cccrpp8qܣԳUU48t-z6B73:Bucc!D#2oߦ+0;;R>6NVEc) ybQ羇k(5U MSqn!B'c#crQa6N'Iұ~:NEdr:}3*xr|!R2 QdE{:㘖IMr Em| #f;btz݈;Q?rY]ZZzu] ㌏Okd)44MZ47*8C}LvcZGylmm[Ñp{ZX{i%u)۶ƨ쐦)\0}#<{ qlOSo)e?n4tH,Jw~]}BZ)r9>|HD$qL^u]W٥}zg iHDr@):wU6uݫ###qL<V qh8s: B]N\1Z$"T`R$TUEQ$I:q|ApRND@_H DUfPw)qKo7H$Dja ?id~.@~@)h7mdv+y2qЩ,8i>+++&''eY}_s]W4Ю;·i+MYޞd)Z~']_gFE1eY6i$=!De]EJM681|>oq%tEXtdate:create2013-06-19T15:09:21+02:00n%tEXtdate:modify2013-06-19T15:09:21+02:0039PIENDB`fwbuilder-5.3.7/src/res/Icons/48x48/000077500000000000000000000000001303637203600167465ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/Icons/48x48/fwbuilder.png000066400000000000000000000116101303637203600214360ustar00rootroot00000000000000PNG  IHDR00WsRGBbKGD pHYs.#.#x?vIDATh՚i$YuvuWLάw1Qd 2 )H1" )BQ,A"EI@ R`=ggL/US<[#$I%>ϲM$qgmSL"I;8T*q <(8c=?~CDQDjDv1n:`0DDQDEdE&IH. = ۷ P(Y[[cgg]n˕+W8s PVq{F$IbTI (DQyt]^ilooOpqZK.(ol6,  Q}JUO=3g>{xtP(BTU_:deIPUWK/q9\̙3OBq^xƒZF>ȑ#86I$ Q!l h4/,,<};sdYXEG}*EB< ƒ>۷Oze<=[i5M&&&x{Kd2K|> ;;;vQU'O۶}EQ$UdYѣ{`^/ql4)KdY0$ C$AETU%"DQ$IAT*4 H8MXb~sssy8Ftي]'??<:ۮB_ʗW,s]w3pS!Y^^l~KCDQ<~iTU\.痿g1_|1$ /}WEIQeL8]DǣJ"(Yt]-5 E${7z׾*y~ٲ_U9P(jԌVv[׈ w_Eѿlnn~bDFIiAqJh1Q; CTUellzN^_zkm)CR=Qd2b^e84m'-Vkqq]UUeyR$$I#< XuEO...b&AEa.av9±vMVöm67rYüKzUUE A1Z333߿Mh6EDQIJvUoFRaSOq1fff(+,-]?9u(AY%eYz=,bll,e`۶q0 Uϑ$1,h4gaaFQUEQind2=0 F 199I&a}}uyr+r9~]xGET* @u9}4a8˙(iG;`~~fI&ɨ1" Cl|͔eǹx"fF1$KEQfxU^=s=BT*>\ m\. 
i"r*3Furrn[on O&A$|4-vvve˗/sƐzJq* 8N233Ww/6+++`K(+Apq斣GX,fY]]M5T%Iv~$HĩS/c !IsuhW| ˑ$ BAu .099|EUm{2, EQp]q8(s-0;;ˁذۘrM\&ɤ-jGE._i@X$ 4n`q366cT*cY6=[;v M\!\%𦦦(J{c6L&-kkk綶liia5ir% $iY:Ŭ8θ(#FRZ2;;OEQL$˥ Ð~OE)G zZ/""R 4jor,+rn,`Y4tFs$ꫯ:;;;(BTB4\MCm$/F(ǡnwuNZB~+ :my 0BQ< E>r|^GJ2(( I4MC]j@dUU9|0meYe Hʶm!`&nQ4-MRu9p8( (JLFI1&&&(Jr4dv9*.f3UvqR7AfYիWAmz] L\n7]%b6AY՞r#$I}R 2N{*pt\,,0 Qoh3$<\ʕ+JXdrrjm|aqqחJ440$"L$ 1vp "WD}199).rY:Aì ds·FwXedYNkkkWe\effݒY*hsa%dFA.CQInUUQURc9~~ c0Me!Oa80U{aFIh4VlnnnS=$Vk?jZrʨA@\Uc˳)KxAHu-$"˲T(X,P׿ɓ׳ȑ. TkEj50LY6aYgΜallBt<q' <ǧҿ^6( H>! ׮]#2>>NEضiqs/pDZLTf2TЍm(pz(Xhd_T4-BI "}ǷDiv6B]#;sr3F9^t Y\\djj IdqX]]e{{T5(H/4MKlggeLӤZ"ImI4aGR|{{;1g0m qǵ tQ$HIrZM:(ʳT*ynqi2M+p]81M3Ivk^/ $".W3vb{Ԙ$ժ2MEYYZZooO}Tۃ6܋/8eψBgْ"a2&Ic $ A0 ,+UabY^ C7w8t鐋q%VE{̅,W2L3q̹s疿ӧll=>[0^-/;wE.\,&&&R7JD˲ض0 0&ꯐ"Rxp\^ب].h^_D^\:y^{ǀMoFD0 pbrruY[[ccc(}?eܭ-<ϻaN( vy#~\>EMJ{k?/Bm,@[G`@XT*:(bvN#8RN`g0 6kt 99c3h%/ R3!%61 ڿG0#R2M3}12ܲtۖ0cpU mɋZl[QƶxOoFH?x41)H "K-4]#IDIt7L90]"p8ܔ$ Q$8MW b>AL\k#" ܾӍ[ĞLȚ rޮ)K.=pڵo ҹ$I)3qO(ˬbMT %+sFLB;@͂gD{=c2>55CvmmZL&yN 4MLä,B$ι5>]\6gu:CH;.[Z_/GO)?+7$IR4S(ZE)kVE1E⺮8mYV/kHs[XrO@PT%qp5WQ IL6^OEKV?hP`w`W#S8K%tEXtdate:create2013-06-19T15:09:21+02:00n%tEXtdate:modify2013-06-19T15:09:21+02:0039PIENDB`fwbuilder-5.3.7/src/res/Icons/512x512/000077500000000000000000000000001303637203600170765ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/Icons/512x512/fwbuilder.png000066400000000000000000005216321303637203600216000ustar00rootroot00000000000000PNG  IHDRxsRGBbKGD pHYs.#.#x?vIDATxgxu&VunH`a,kH5$*îjw-ow>ږ5eYdٴe蓬0!! 
n4BXOݾF#MEjrǗa$*!y^cg_;N ,2,\7nw7Eiƶa__ijZjv{E___رc_ݵkWW:h4IR׻&+~Q,Xa2N'qpHQz^P+#_-a`` o=z4d>K$(>} ,XV// nMpf0 Hǭ"kU |>?}]n_H$X l؂ ,%?6, nEQl@eٱW6M.͆Gn[سg`0P(/--!Hl)u v _e5MzZ Z =G%UbɅ=== whll œd tN> `ڪg`Za[_;}UF}RU} b``  UUU}LHd+=ӳNOvmؙ3g^``a{b[__`?iڛq FZJ}v+lxk_x _WWWBp8ժG~dӧOO!cf5gΜ9Z/",lOlyo4ތJzכB1gk}>L&5^-GN> |p _b |7j* [ɟn+JE|>-T KKKXXXr\U j h%}-C!`=N:l6E4i #q oxÖ"OE x YM2FX=ʕ+o _PUbB|E'm`#Cb׮]Rpd{cfYLL,smoBX(( uۯozӛ8}1`D%q̙፸X={챻}>^/^/nxbQ'B!#a~~F3)~Pvt~>MMMUA4EEhgyDV}~658}/Fim圁L bTmND|>|>v;N'E(C{{;b(D0;;.N[4JV477DCC@o"p4 KKK>xǻEcb{T >}ϙ3g׺,X5-Ll:F:6 ߏ@ UU*l6l6EQ*000==C]vmmmhooGSSn;;;QIE@5MC6ؘ_Ğ={P, /OO|;{oEQP /O?Javva||`ff\H&D"M9_r) a`n>~EQھ"!ayO>5 ̰-,155o hhh@ccGƚ. wFoo>R)LNNbll ~: سgUUW}㘞066q]o-(ʶSOE9ķF^[[_2uY`asak׮X6`MMM9dzطoۧxX\\Dss3z{{W4LW^ŵk011)LNNbddDcJA7#C5#EQJoJӧO$U?̙pmZԂ l$I`ddDֆm6>IU( ?_\\`0x?߀*pӧ{̙luY`a"UF,C, 5%mlE(ʻ^kllxVӿz̙U`B-v/oWي?wz166K.a~~~mQP lӧ{Z.8dǶ YHy g"@,}݇Yeg5Xjp+-BEx;{XC-l~lQ_~;\.N~\z7  QxHӴMS[`aQ#:xVӴ< ٟY+R6?(@&ў}Y 8x N8\.X,3lf@~|Z ˿|HU߽1UQ# i,nMӞٟ[v߷Pa65lU@( zqd2xk_^z SSS+k}^Bw=կ~۵ns ,T%gESt}4GyIӴJZw+ Z(h_~W^Žދݻw#Nnhդ MӴO]:կ~jK [`(P(Ұ+>(1M<#qpC%(ĩE6/PD$I<8rnvÇf1==mWX"ˉ@ 1*F>EI`uޖ̯(OyiI`cl^lW@pnc``X dҰZ~@>_W,vm6E4/l$@ܯF.[OӗZeYlaIP,%055o}[xߏ^+55@77x'ab@Qc}& 4MP(`0T*id2ZRr9mMes󡫫 /_Տ<"j\x,`¶E% mL}&|z $R?լw P(uW_ݻى`0y6'k֘,X:*In_'Ri C]]eL& DX,w$d2(;9N톪kL~%Hou{Z`zl몈Vm v:p:BIA:F"@"@$ީBǑm9*;Vt:EP ,Q'[ B@A񠩩 HRob#2̶r|>'+O;PZb,XRp\dҔe๕¡P*e]w*r;&~?<par9R)b1R)=1uy-da-(]weM`abP($ߑr,v H$q).HyKɁ~r^/nO ,T#.\p=z4!FH@oo/.]T- ;P8eP(D"˅l6 UUa``Q,P(`qqX\\fgg1==\.$O_&`BP1pܹ_"DB*QI"T%)9p\G0D @ @ss4AX;B!ݻWGQaffC4DZcǴGyX,y, TtK}{Nr*[M.ܷoB[P(vfav~ְ% BPWW`0XF466ͳFx;ߙq=U؂펊xJʀ 7G"?v[> ^ѭ[]Zxp9rr ˨Tf6l+EQ$~DQ axxl(g~<`ag}q?3dɓ'Cׯ_' o$A~hmmO<'; rM{;4ATUAMlM8u_!LMMI*Ey`5 ? 
`a}&I?7v]v]=tPhffqrrR ?}Vi`=0 {?8_t:>z3jfR~wFQE (1fv;z{{ۋd2A ׾tf$ v&6d|>o~xӛ޴wqq1o߾q{=577ѣx;cǎarrCCCWU|>5@wb ;B/"_wnUUw5778p׮]+ZOmJvqQ!"b.~ 8{ynGة@Ӵ -hvӹȯugg':::d0<<-w)w^[`ab HԧprcܑH;<< afeE%Xr4M;OӴ>EQ:W|zjxpA-="t:eF]R+M 4MD.ꐨXX߂ 'fEGE?gԩSxߎ[X>>LMM)ccc_9ѣJkW.S?4JmV\.ݻ͆6_l5ɖG_Ph_"blfFQb+M8{,Ν;}o;^(4===H$Xt:u0g)*lvSEQݍnӁK(Šv ߱lppH: ? `퉚r0>O_2u{n74MC__D0>>[2wF?e#'|鋟G2Xӱ7dqfX__={KƮukzدX_w~?R"džy `@ JPpW3g஻k_Z۷Oߧ MMM8r00;;ꤻ`0nMWO_ _[y͒rۋ5s @=F%~>qtttT#^?# `ac>(%__{q=nbzzx<}">|[z(Į]*bLKRDxX -|>ڵ hnn*i/'xBOʬfk,ll:(Y455[MT*PP}677\lttv6 x/.\al6fCP >{`a{cL ak>7zΩtFUUӃݻwWșC}}=  dfdRȴ&kp%+/+wR!".4@ 7 u9 *q|_IV<9^*HB%Y ].Buo>dyD͆A ʕ+)VY{SQf8ے-X(y#='| 75=\.WY5̼z2[9n# P@`PS^ ڵkr d T,Xr4`i٠(nZu (Ւpq)k[˫Frfe`0P(P(gONE*S$qUV9٭(@JĂ kƦ"4K  ?4Մ8 cÝwމn7]3*j@^uuuA @]]]Dthx̌ـͧK ½ CA;v SSSXl68Nl6\.l6v}0}݇P(ۍNv̰(XZZҏG ʘk%A+t: Nި*,FGG cjj$RXMsbq5q-`6F jQ'//˾6P>)Aڵ N. ׯ_"wo~3^^9掛%PE9 $B4|!i+3L2iN'<~N" Ć9WJ@$h鱱1LLL쾙P$_H ny ^U\n3t,X=`)UXM.`ab`57r@զnmnUr^KWd2Z?,X8X @`)*jMӦ`a{ch-Zg&  XCV5@>7Pb,lclՠ*`rfE 1*W+9&wU] XEdǤgn7׺,XP=8QIr6jI2P@P0f-XP=TB* L=:?UU66{&Nf6ƶ  y;(f9 = &FGGCͯ`ƶ kA. 
F  \W^E6HX%z"Veoo9`ǖ D5p8XbX1E)ڵkeH [ue ^& M8r8ZZڪV T"066XM T{ ,[*(Yi!8]vWŀvn`tt,nMJD~-u+-|~ =={oXX Y-Y\v L9q__ԺY,ggk} 06%&*5 vm' -`瀌Z0FFFd`_R v6%Kݮ&/~fV V9N>r  pԤ},!@Uղ=bpp( z duo},l duqŏ  B6ReNQqEeEQ(TfXִThqv.WmWI-$S+`ddngVX |A" 6<kG d:$~<n*EUU㪢L(rIQǕ+WpEa}ʩ(1ګX1,X<󅻒ɴs=(4P(p>l)UUTEWTEW tUT̈́zY38w'O݅`0T6Rv(099_~CCCr);UyF8bݹ\p"S,˩ +rI$mT4^ I{gy׽hjjTT"< \  ˞++ X.cq ϳX>/J$R܃j`R-,U.c>ﵠD6`V ?#֧Y󰴴$%~T%H{/| _*m`G ¯7m KUD2UjSUkmJՠk H.LlMvnͭעwod{YL 0mw}w6s/P,r>_3O|* R 3D baAUw}ߩy*F^|'OiͪpB**Bzs}?x֧&X`Be1i?j9Zx饳P(/͟* ;f晢(Њ,,.b~~n; ֥j}^}JjdՒ3Oܱ9ؔDe%pwv^.v/ۯ\"jڇW(<裗k}&Ν{_,?ޓ XTUA>b1ێ h/\OрJVųYk{ӧT|C @  K B6`3hbMӐNcakᥗ- 9˟fs!o ~𫚦}p5*`\{qBX,d2Yl6hG%br*~v ˸io f??b1ŋ /}|_L糑PU\3۷Glo~~׮]0(vc(~EQlk "7V)\N) H$D"lәw:ۭnxޚ^X PX, DGR(ER>P벰9 Ͻ#/b.3mhUUd0;; ˍ={SBfgg1::Ab1V<裗?|FQ%ú8̓_oNz~͵vyWP@:֏jnNr].׆U :SmlYyKvB|>f[\xg-_ȿ;ޖAI|ORE0Doo/5JFGGqU$-36Wfjb!EQ7+İyߊŢ?N9UU6rt:=Ro٠Dr fE%ox`y^xṆBlt&S,w fff҂={u{4 ׯ_Nk}BU>:|#czIz32V FبiZ#Zn,lfK9:>/I"kW 7s/o3#%~&[,߫5Z |l6`:ijƭBU$ Άс}o|# ycpprg[3ޥ(ʛՕ!zo u ]RX\\عBp0[4M v>R(UU}~-X H@DBM$?[8 F [ߞJj}> E(pzzz`˼gYbhhׯ_GP`vb!VGn/_3q[u 1blGo G4M"4ӱf+q~ec]f+8Y˕w`e^1E|G?O-T#Ã6o l?ϸP(""N#""!VS,ѿ1qU clllG(@ u뮹oxx%Rid2Yd2 Tp%xAӀ4r%\|###ֆ 2G?S>W(Z-or?/zőr~c?|ɣ|W2̛t8z=NN\.Nx=[M3bdn,ҙ R42lI$GQl6{))DpU !t>;Ey0z%W_K,-7ySxzP.>+f NJQ!Q,/b~w~gSU%6<9r:3J7f%q\N].\..xn\.We׍d2H3HHxͳx^c>4]K.aiii} -裏~k9NΉ V/*?H%6l}dT6;JKe{ݾL^a؝ePoL4(H3H&S D$sUUA6o>(Yv/\bë:=_~?(?Ӳ_լVn?;kHkW0mNݓjT_ Y>{~~ϒ|#L}Dr_>ߐb튢, TU#L!O`p*hooo>XƢi: )׷'V4Y+IU+q \'%֋H3PU5d>_uY0w;weJ[reD"D"Yt.=t 'D"su w篃텪hi`xU\r^B JQ'ƌmfFXrBW=+sokZHRggY`OMC<ȧ~/ S3Nh!^/[1M|-\]r;P]T# f}WS4Vǩo}?}$J=k۹ viXXXC?:t._p8 x,Tɓ'񜚙A>Z`9E4448rHIaZRŋXXXjMIry<L&(]ُ{ߔ%7j>vC[%|"+|>l6l6l6([Cm!|StŖb'SWX}":;;!9r0yW<v/ƥKrԄ:sl6[YY-t|~g_͔4gaeO|arnl6R*' g6T*ÙLvr0eo,COOqACab!]O& Y t:v6Mcb~?8` pńhWuR+۫Y3`L ܮD1r|z( n7|>  ƿdN$-..u$>EQ. yrp !ߵ9Y vWUU˧Hihiifɧb̔Ky[+)b9Iv5J! 
ILm6<|>=#ÃmNb9hZ;)OQiy޽GŁ IztW\/k׮!Yf%0Ȝc-WZr4MӫBqjۥ!}dJYBe 7>׾\j ?nn77J7T9Sn;5#Ã}Aw{ e9$I,,,"L"H"H`qqi[< JAQ۷G i"+K.apppM,l.lZ`]9ip8|US@Yje [z0yyk3Њ~_7<6 $ ^N} !D(,,L!L"cqi DddAEQH$t:qAUPa-K,+dI =59W>Մ/\.x<\.$~7544X@c?|$Om " bY4''&-lmHdF_m!eR>mO_t?/b%l6u||HE P@hc $  GO$ U D8rn|zzϟDž 033cmJ0#\X)n[P(n!TР\"l +dfܩ\TU֍2?722 #T}?EW^XDdnϖ^P_B 44ҹ*z4ԗgy]˄ O`)⪓5MC2D[[q 46dtt/^Ĺs0ck,\.W> <(pυcn{fb(  r|p Ǡ B4=B 4k$C JH,Oѧ\qɔrn׍߾#LKKZ.|Q!o_ $#LH>\._4sdwq1Ɯ+WŋpႡȚ5>U.uuulٷ#f&n. NS74C܇fdD|>\. >u@Z$tqh%VfF>t"x%)1)h}HTdrqbp8x;߶_%wݖLj6-..aqqIY}}~~r{k Zdqd2ݻ/ |2^~e\xDe+ Á@0UUB 1w3( s3yP(:AEe[-ǣ+f3/>D.R'V>pV'7Gɣ"r8ee}'d{m3cEiڶ[o[3^Z=47fzE17-ٮ*C󣱡uuup:fs޽{,/ xߎf2\|/"^}UCaW`\`yfӹyDoZ@fuG Ng_</EAKr2_*ŋ/Va*f! p /@Ӏ|Oꜛl6/A+NS&M̽~eʀkY"DQy2k  L9RRzI2mˎQ Ћ {d%7)+yf2B@'ڷP(xhVW㉏.,.̅j}> _fff,(N'>7[pA,B~ϟǥK ㄅfS t9oT-aaf(rY`TUuʼ)2j| DPIv(FA$@s bG@gZ@ +rF|%rPn_1xUe|q|D>`tzV2>7?H$M$2wRljl6 ׋n 7|^(䑈ǐL&N/~KH>7ks =vVwEɛto$} b_ efentv"dR߇::[*DhDwvZb`!/K+GD{G "Odqdʌj@XoS}Ofi7{l /9Scwφ#\Y#  ĉk,NW_;NDOw[>ۍBln90n-`-hooA9rCʙ jY,FؤhQ~cy4u:XAHdR;V_I_IIvH\${x<E.3\؆bY]6ЋJo} ;_O]]ʟٟmK_|tW*Cps+$ULSa|bbgϞٳg155OPyxcβϱ <|^;F 4Sl3z@i&=%H l* _F̶ڗG9O;"J655X,NjrJnFd@vNtqo Eq%f!>`q>s2,Hj @V[£x@ħi0w1_TbyybnJ enG̋O[)Y 6Y03+#d>\ kn`LxAyYAF<!NђlRHC78WO dǏ ouRr/Mۍʴo#s3x}3bfW6 VD'Oĉ'G>ŋ_F,׋PJEQtK}1/e޾xQی؃zu}O? 
2I'8{]汖KţdXV"NӺP#%ڗ~/LV-/xbbH8Ayi?IsL~/;互~'zb_6 lEc/Kri728>я^x5=#Ã}񥏼ʫ'Sus64w}79bNqE<Ӹx"R%Wn m((ji@Y _:J3yTUBkDP5K,|/Ƈ#dDoZfB36&KTtΉv6χΉ΁{"WvL!mMEb [f%m+8+8r@f͈LIJ\濨2PNL]4vH$p8I9ew8ys)B>+Uxm=>`0U(Ʋ37҂֖b}ߏ8 n\-!O/&Ɍ :+-GڎLm 8=oonP;K,)-x j<v\.LOOX,""H |ӟzG"]ZZǴhGGqd20faLMM#衭͈|>P(SNɓ8th4~gϞťK,_eJE+za8nOE_TĄ@Y.Y<`d90P wd^lz7$$hѠȦrOOqAɐj0w}(_(E(CL$+I%& j`u@l3C [d@A}Y'/k[~Pp`ffssszhya?kKKwONNp hiiAssZ[܄US׋ݻ{{waffG"E8̺~hiiw܁o{1|>==x1<q╓ƃ͎MG4M^-zK iMn}ƥn3$Eoj'χ?'Q< xxbWndAHxEx<@Wٺb_Ss JE|Du }񙗦z<}Ex쟿֚LoVT*]jE"sDJhACXBBOO`6" 7VB>GWWnvs=%yFFFsgĄY"&&p`?<^"\-xf:@07jNqCB .dWd .roL"0Ǹ,RU?}K]oWRHruy};&&r̐2]l?qBPpmQ!?3EIfb_2#J$ hnnFWW<Ν{ll#/x'&&&[*X&' ;Z[[֊֛7ږő199陙plx|ؿ?N8{MMM6tΞ='|H7Ir9{R̫7 ,llfEY ͂OA]`E "x9$}~3A4bA&Jd)kvGOߕ_\(}[Al+z‰ҧe!YD2(ej ;7Y;_"vmG#ȝSd~} ׯ|>mlGKsh< H,'bzfSSӘjB#GԩS;Q__o8ιs駟 .PWW@wL6MϽ$}3O_6O2C/#5'.]B*ݻ diZ zdщǡ?Jt#C_n٠^n~;J9gQ?:&Ur8yLO䄈O0_j1D 2@m.S/dE@.w(~^?=11vZ%b1b1 ]5l_%4--hoo[o|>ۻ۰W~wމSN$/+$OC"0꠾Pj7{q,~Ukyp6O^oFԜ$ ,--ajj X/Wӈd4ekydd|@TB{tT Xй8jo΀y31tACFk/Cc3dǢmeֆfmAHdya{[[+ڂb|Sp"n Nj__'\`y{^z%-mUԇBi,bm~X|z<}1ߌaF7jNL&fQWWhJ8.6f+" Yd8XkJt|J+qbнz"NBA>=@\BύHm,&̒x;,1tt:| !Jb2|/> w. 7U Y~fC{{:u Ja0{/ q^PEA<ٳgϟ lhllP%4jt/%Wr eݬ9b1n~D" ҢD.Jb!("%DHɂhd1N dLo 5m#L4>"\*fzpeqE#OHxNA9o9 +2ugJ~AZ6:<{`'+cZ%`bI~-Oo;pq?~PwP(&y?*̳Azhnj@(݋HFv@h3|'=a51}VB 4&&&p8؈fa' bHdƙt\|˦q0"@3y u`1 O) bK]r^$FDےڍ@F{f޽bH⾢%,ֆ  V$+" ؆FFGFgۙ B;q |>T2T*t:Oz[^o$vhE͠‰t>rt?}vp8 2cPQPp9c_!LjN$nɬ)C& G(z?lE#v:J&K*U HC{xP8 #DCk+!k%EC/{m8[rI],Z8|6s2MeO>9AFihiiwމo==={1==gyϟ/¿.47jd=B4f~=  ߕ9u|?AYz f&5'n[,..BUU,` Xs]Gs3#4=Ożd/?7&_<|@ C,Íe.c7_ }h^<^;T҃ovx+% # )Rت(ɓ'q]wFxOcjjF֧r9 M9^N!:XҘp8t: 2i_"n:q/_4$nټ}3\^zPs( o<iEQ8UK,QJm2oL&,FW4Rt9yhy}Jl7!5TkȊ[lNdx=1c5 W@̼eވd{2eE6D[b!,aZТ}.r"p qhjj2|~e=*ny3ᰣb|䆞Brbyv :rȒj%#NC @&A}}=`MA6h5w3&("b1:X=A57 ^WWT6^K{\SKz{! 
h 2m7 deg_ /G 2_FD!~츼l͌Coɓ' }yxgEP֗+]O8&ʦVo3Psf "!׫p=r)32?ȎEe7R|/r#=|.RGUUrIJC@p~\ zꋢ d1πCe̟+[b^fX{)3\7O);'1 Onø;q1~>y?=Ξ=x<㽵(hooAŒ4/Y~;4 A˦iwزXJϑ{<tx|Z$ *( *k"q,Ϭ#L8v=#GJ...ٳx/ EKs3rl)/)HGLʖ֕ 'W'?䪕&ӗՄx59|hll$G{uʚ3hY>urC4:"c85LeR./kFmBhEDs $o*zb@.;W rʇd^&]%bk333x饗 q1 `Ϟ=rDpY?W\1# >B__?\n>eDŲh>ͦqC"!Ocp]l ȞL&!͂hmmf:=;;aLMMhoo/1NDSxW+f2 _FL5%sC zf Rea\jҔ˭V/5rUYZm=Lϸ&2{\$ifMMMUWp ӠPܹs8w_nI`0jK1x^SɞUC*")DC":*\k S^i_1 &S*1kQ꫘j9p|rp:JCCC T .\ne7?p4qs3!#$--d1#riL6Qʗ38b,PNI2y]fVkϷyDыq2`Zk\{ןJpe\zpF4ڰ~=z4 cccxWq9Z~kW>mڵkKnϽuR8|6wd=x/VPI H$A\rT \(> ]Q,,, ۈƝ/=j-YVTdғ)#Ug|J M~"a2S H|D\5QFdZ,a appxpm|>H$HdK1446b׹ql?z Py~31G@ϡ8ƊXt8 *-E˸~D,--մ$̥%DQzAŬ??Ǯ]w^tuuT;+dkYl\k,S:Vbf*4Y;dKlމFW\WoOzKf/&r\8hXgyaF44_Qb KZ{ݺLM`hh###zeIo\.vBSS#y,c]oF< 1GR $}?' Ί Drz'JY ڵkH+>uuu8uT!lT7Y6ؔi,/z)<Ӻ&cqTJ^100@ PRN@*>@y*,l-~,fM? 3ﶜ1:DMC!G,#hw.#T\.'wd4e׬}e;2ۅBSSS_طogΜWpصkiLNNڵk2ݎ] {y# (+b q6 @vPG&Q@w*bq91aՠRNRN&X~<'Ob߾}4d|}}=^ɓW^yƊF3ٳx饗Ӄ{b߾}zyQF^VcC$fƁLPpLji7 RY@Am-S9d/ kInh &gYd2-DPb+ΟpAQD"LOOcrrЀ8|n7:;;ӃI111!ilص ---p={ӢM<~ɋ.Eh(*jʪ}Y,&09#ž+A6V ahh+}q!)x<x<=… 91|[˗K/n199z mmmسgظbyWaca'KJlw`*trσ BYYb%ΥzY;b#&d3eM[= Yq&,Gx}e <#"cnnNYp]wn#bppX]]]hoo7ܟT*1LLL`rrp]6ݻ EUK<|˲Eia<] h6|L!.%dG2C>/*͝B4}dd\nnÉ'ؔL&dzf3jz|Pţi._H$޽?3?)|ٳg$3fIA$ /P(]]]%ĭdcsy"Q!. 5Il^>K^r᎑kvށ.465aϞ}8w@6=df{̮gq}ĘXb2oDglIߖ,,7B&1%R)annN_v5^G{{;^ꫯbffFo͆6<8x|2N4g/z2cOQ>b>ybeJ?}_8S}dRd$(N$4Tt:q!;v w.9t:x<P͆3x^EUU7u% G__~> o㩧2 SX,s… p8صkс}?Ĝ1v%2PyrH$~ gxli _5f?q 'N݁GaP=wJ Ͻtш1K㆛>#-1 }FP(OQ8qhޏmb!1ϲ,8)k5{ǁ>puLOO N333HHĄN:dBuֆN(je8 'O\.3eD@Ήj&~)<{3"arrׯ_쪞Ž{رchs8bXI(p\!98{,Ѐ&(&:EKK w'~'py<쳸rJ٘X,bbbp8phooGGG*Y:irze*1t+ X\Lc?-k$:o|3M :FnDEQd;QӵS{P;pO0gDe2E\.1L&d2 MzLdpU}9aarr0&8vJrRB͂U6E2ޕKLvaaϟe{}kFO'͹3r@xbbSSSֆf477 ~P(gg&, Hx27XU WOQ= ,+pq^qHŤ9;$% о\e0 lYP"@"@2D2o=^èiXXX8Ѩa!$26سz=/fs)^fy=$sˍJuwy?rxD5+*YD28˓'OEib5%mV]sp!iLMMQՀ|2FGGс.477mo{N>W_}gϞŅ M@i?sssXXXi:444 BB%UyR,A9#bn.OϞ8vvڅ@ ]sDH$0 `|l W T _] _󶢐 /dH$,Wvt:-f2ϓĕ\.a? 
l4 NCt~/Xļxt:Aqyg2,--!#L* Ł000{tww@(U+QnVq;c=hii2LM=xs.i_GT >` BI'!r˼~z/ jeu;f199YC`3477/YSDDqZfAGeV( ^/U.3զË'e hhh@ss3z{{o>>}8{,0<s霈`q "L&ScKKKJt@{Pz @cc#šCߏ6iS@dJG!} 7o5'!"JI %ſۿ5(|}M Iɍt=F~04xAxSSS՗Rj!86ӉN Æz{NDX,곌np&d#ϗsgDC,X չh\JFX,BpO ۅBKKK/ ICSSjNvލl6h4.s/+BRhB:40EG]]. <;;i".Ad:psx.CÑG Y\XSO>H q3YC CUUΆq0EQנ ǏE[{ky&IDAT3e׮]x<,--azzSSSz?QZX`Rn X\\BW.uH5#Iy(D<\.a_&ib_U]NXpƾO͜ll0#bH@?wd/_ >zqA>|PD-XXXЋ6~+'_}$A߁=蝕E B:F0noyb .f֊,C*2ߏ@ Ӊd*JqX,fe@ĹBF5rs H*dY `ddmmSl7ɓG)/}v# 鞍8/NmLt:/L)N(!'ωڃ%@a"^E)Wp*2Hcty)Fww7ߛ̌^k#'+|Ic+A2+ ;bϞ^tuu^@" q>a2r u@x2 )1~ddz4mf~b,,I\y/5v]/N3L&nD̯i60kK?nʝݎ`0UU=<$mfD@CųPy,*=$9SїF4 ޸ԗfoH6>34!!H"HIcjf4;Nv;19>ǿ6*3NO$ne!j;ͦϻ̞@迬2LD02L yӧ}&R n466b׮]hmmEss3mH*x^;y<"|= ^ (UOK2I,U[f@<':EϯuvvؿN(F"@l,a5\ 5'tZW4 i-" 3L 9eV4M/ʙ8eCcR|D"T* !-^^`~!V˘̈P< o|>ַ58>ZbK|.;N@:;|j 74{VQk%'Ԥ577]/ĥZyҒSɨtb{yl2B$(EOw7{fcT8I8Iz ܜL950Եi0.m>'+CɾK u5;KKKD"X\\\=ϧ@FIT/WB9Z-6#]ǏrͧԜh'g#I+^E_o"g sVA.>c@ssso2|>+o&)C%V ^=y >?Vfz5<k'ýk"2TlGGz=2G{^ntjǃz=󡱱Q͔@a4E4l.ug3,;N]r~OLCn_F?kb{"bj{.<Ѩtj<ك~}NvFuWVV>[)Pv-2OE$^YO;)cĢKVLj|\&eӃ+qf+2d2ip3wrbE `HDG6/77xtn۷݆, ַ~H$"=Ut/L˩d"ѡv19Nssse0jNՐxe㭼_1jY?)LfzׇήNJq=?wz@DPUU~"EA>vrxti?׫7rXPQeٳNCTUD"XZZ*>РW$G0/_q5|`"ȓyt|*:ړ9R2DGDvI2#A ;EϓBx <ΌE/R1yy(еTB X\\\~b5wC;(O%w $(|EHƏ˓#f2r1J3~- ﻲֲSɍdVxw=ݨ  FY̹R{"dN܈睗'zM'~nI496zV)T_ E"JX^GaPOcc~MP]z'E( 5LOO?O] VRЊѨ9hjjҗm-zUrIT"kj$`Hum6j2e0 yW/rُ/;h׫od8\.L&c0|Rۤ&G7Ox]E,8 Aɓ'p p b(G<C4)z>p' p $Kj_2"Xd=0޷E8x*i֦nǁۋ$=?7ff>I}~t~P'V}  y#Cد44553T+HØƓO>O|,{;8wR"\.߇~ԟ?Tꤡ=z8ʝ OmWN U5'4 {M*Jђ&[^~hBNcb';f4oU X ABB](S^x4?#ȤGC){z`Mm%K?"o31)Qae,Kj e{00Sƛe޿, PT\/;To"*DNLiJCM}fųtNxpj%]BCCƈD"HRk|_6=OA}cmetp}tlVVQfIÜ4p׬mD0TP(l6 ˅x<Jw4:=%zO=Kj<m0\r㝉{( sc&3ZԀPԊ%vzt<.!#&DLe>bs#/)'zK :sڵ _J>4 ϟg3Fя~vtCg bllssQb1x=N44cW.ἙP%=_a_]{,;qsn6֨9XZZB<AiCA ̽pA7vCUU}!2NIFO |ūRn2mA,T)5`5K$98gc(3 IR-e^ _nYhV \s~s%d1g> {d'&CiՉiXtGL%$Q\B=xB+1OD5l>0:;bzM,V%|>uuunN%~)G>LLL|GUU|Cwd֊i|yWbtM5MC,G>Ctn71Szڍ3BrYv\ᰙPs0==Mբ.@.M{R4_I9Z>\2^ZZt:3=CcY4p@7ᜎRMVRj@9o|^:sOdڞ)Iy'!H/"^{KOx8Bi;ϨˬsʃluA+<rAGֆn .`@J㊞>E_ o"?ȈEaYt.LݻW'n0jN(R{lʲ2=hm6MWx9-\b \Nl 
>؛ɴ"5`Q>rЂ:|)B$1Q /#V L&9 O@D'FWLsdr2A4b:Hm%J^qْ @CC::o,8ul)/-#R?/&^_y9"|jO3{^8@ #^:pCHK<)/kMH \vdf|OPFG?/#dKpanxܪ"\.WY%W؉y^ڵkr |o|ϥ5'|^Wiooŋm2S#I A%ei?˅P(׃/"憁۠|Z?.}p%NږET33A {dcYxIaaK]\\TiO3/p8 R4e izk=[1~Nl% JCT(ƪEyডٴ| 6A,BƳea"Y7|@ޠ@ }hەmx?Kv̌:?5?fÇk.ʶ)ҢA,O$8bb)KU&$9=vш ^߼9oR) Ӗ{Ӊ>sZovvVW'^|t4ߔ? ?H_{Uy!xHӆP ( XXX4L&KBF"qԩ|&eG*R~>bqqhii))w;"uTzb y<)/nC,!Jkӷ؉yrPQ!2T<~$@.WVJ X R:؈h}E/JmM}Ι']~yйf2\z!PU}}eH`6^XKQ|>v3J~?BLۊϩ=l{+= q {nGWUGQݻGݻKfR)affTd,=[9'yq1<*oOjO/7S'DEY)`UU133QLLL }{nq8ta<JLnԜrm) d ݍN|XzhqAb-R)(ߏL&9v餀Ő)@Nt t)6nf,@,`(UJ X |HKmLKdN$Iq,,,y<G*2dFTځ>qq~zbޖKKKbͺG S٬{s=Wˆ過bx144WsB4G !^$ @%nHv\e}x_܅djy "$hގ'N`p ZZ(To'Bf\RUUU7u5=Č.ss4ĕA9Fɬ}{rωp(g Zv3>GK!cjj qI${\u}GޛJFY~G !Iޒo3zny\q-~JD"E`0g:F v#~G׿Wp._Qttt`Ϟ=4 EqO$}?#)@Qnf`B.7K&Is>PaMoE (~?|>A%Oʧr9!c\0S L.ҒR }_'B"NSu8)4 %r)ΐcn[ߗ <Ϡ'4??^z Ν+y<׀ÜS{ ͸ HyLK"!\ƍ,SX79Ya%sIF}E]R}H PL㘞F<_l68pGž}J>㘝 婬4#ofD$f,{6|ʊj JI:WR鹝Ȋ`0Œp8W|AxvrU9U^|LP@__3g)ψ (ݍ}NeR|Viz`[f3uȠP͜ܪ>#r]J6dy/p8 hF<7 dbܜ@Q0^B aQ#b 3\n qt`Y FF8jygO3x(qk#kEQ033q=Yܸh߯'R~(9nXĕ+W R$PȚ =L,֝={h'Nȏȑ#wW'D!~! :+ zDY4p3Û^<8s˭;-HZՀ~7N#Lyx\}>|T*D6ͼhhh⢾y:!zDθaugՋC+6ۓ+89%2k%~DF6j9 zq8|x˚Ȉ~4F@y6?I3^ >*NsCLi;'O^̋ϔpKsiiIA x qqݻX,)LLLӔN.L"~x"l8ˉ:DԨ%pÂ>2дI/쁨^r2:<8jh4( Ht]kVskͦD"a>EΩ>/։H+^c (aJ ~( ( rF+I%̍_P1335D}kC G' +wtU[7%~8 UMٕm]8=Y \{0#@oqnnX[[S\{x'&+( ZB0Y2~O~Ml1O$x 1{=#mAL~ >####طoax LCl6|m5Uw*;7TI8 kt^Br%x_ "H)K5T0bHR0zZppo<25S^  *i;7^88r^z%Ov:,--auuĢu_PDŎ?46g՞U7*MU6 ]3"H<yj)gJ.lrg8F.  7xO=I!t:/(BxN7;%r^I߭׿[ BqBT .]•+WH$cp% ]c[_ÿq~T ;;S۟󬥗if1GF84,S.@cL:iNU1y:ժ(SSe2Es AÂkIJXjqh41FΨ$N2+>*%1L=pn$̌=ѢUQ#0>GomcŶ=sքPa%~R~!{I{ܸq_װ\v ׮]C:F6go8F:6 =HqC0L6ɂr٬-(JlCT9)ZKn:lxf A$ :%5~|5sW0nlqC-S&5!"JСC&5ܾ}x4! 
yGdEsؘ[ESvp8?˘3sh^# + $LXxU@(Zc,lwh95x j@q((V( F/Yh9جDy8qN2Bh`}}|Bs˕ao{ -0`ZB*|Ci$t-ԫ4l ;ϠNoiyJ$xq5:tY+3}ѽ)oBg`YO${P#.‘ur9S+F³04W1Pq`Y*3o  n4b*maE Jʝdhh㘚V日y%MLYlK lnL&cvWnZ60ۇl68~8ZVWW13; kذ+OZcZK_33leE =p-UJN暪ъzݤѳ*(t:n!p^*31#G&Wj/\ӥM,v9cMCخVrZK&, p{Pbhj%FI+j =U?.mM߮ y%R?:\|oBJt]KCL&|4@hX)Ϊ3p B0~EK(r{rqUJ%T*S8 A#H `uuX^^6QȟŠ25xTpЏ0>qSV-{A bhh'wyߦQC*~5QZuW[nא iᜰSJ oz=d$C7PV͞pݭ;8{~ TY)A'}6qA8pTY Ɔ)scֹV%4@+U`dTxNX ^*n[+޸ϧ])P8U\Uܻwm=4y u`~--7VځQ_D"l.e YJSÌ1CyLez`J3֯(8&,@N9܇tX׀Ӿ}>\i'n#8놔x6l^N*+3q凐z?ۇD" $ISQpii +++dU87jIwR{y\t&'1`ڷԣ`0z [ׯކ*$ ͙jpîX#cnB&!i2cccdҤD0`H=] b[af3:_K$FFF0::jf5O1-vDCQ )sUZAϢϬlp5w*ZC; mG[$Y0BK=*/=A׈ϭ4Hc}}}ϸ~(•+W-53J7K |:G''9Ꝫ)H6Z9ݻIĉxsȘnc~~<0vp-ÿ4ȴgls}N"bߛM c`h}tz|ScB Ln#ti>#ᵩTxj1 aMCP7pMlllx߈D"xg/… ^,MEH5 Kh EjԘޭiP`+ݖO24dcM㤧N/UÔVFUeo{5q8^ %>́ h! H$}k55L 4۫+QhySH5ʴ&lV㜼'{kRBFZG?CCCp]4(+"c`6C M25L9,DLk\H 5iz)&ɀLRa842 FFFׇl6>0T&_G~oEHk{vhK9<՘Ǭ IoT +pѥho\ %Rt:}6><?11_~< hj6XXXҒ -)O3.P]\HhSõ\Z$鹳މ/Njj " 4J~!2Q~c*|üѦL{hM a3ׇZOEkּV -0uמO-C`Kjv~7aa*) l wid? Z>$  !#M#%.,qNQ wNi{ThԆ mp߿4mJ&7 ^B% _JJjRɄs4)YJ\).[Xiʕ,_5lE{NUUsϡ ޿X_~h$Ua*ɑ OL^~e+$n\+++X[[9"ǵx?fR 2'ig~>6^$Bϫgl%@IwHawUG٤CB{o'sE'1V xJCTmh4 T^# qxx4FFF<1wz>;Os\FZ5N*y 7;BzvSUQk,V=h"v$-ҢqE[iۨ!+[OAhM$4NZv[~5|-UVq ܺu JeOo?Hgk s )yo\1$#GD#:5WƹmiFC"ei :?skJ-fCYdl)S}? < x^4ݸU* m xC g.*p[UE2VAs)pHRtTLѲI6WÂ$T*@ R[AEǘ*!ғh4ȭ=鵦#ʢ&Isq "͢T Jôg)DB*{$"1~PܒAZ.= J vfReu x _@.@D";6\"!fE-4.BTT>-LE{;Yb۶1PλzJH䞚ݻw%kx< sYd+{>˗/g~gpP7jU;m6 /f«@Ú;e"AzJŷ.O ~4Y[GhXfsZdήanW~Ws1P@WV !SŌӵMKS2pm2Bt֠244h27?9Z_8-s㳂Z$h!l6M\f{]ۑrItR%B:peDSeji 0MH 9= y/.g#d S׊ײy6ù2Γ ;A~gYϫ_OW^t:_*w5 [?C$>|_r9|Mj5yFaG3N"v 3AwZŎF쉡w}}}{̞+^ =z8PJuޤcIϏ{{YKfSSSb&)'j,,,`߾}N ra(pleEFoYq[X+|*euڱqX1Faf(K Vi\6E2D"0W8Y ]08bttT(`b"5P Swg&1P$c5 L&c!-WVVnK|9:zGqNbvf+?|1~9ZhI 椫WOםaJ{N p,hjh2Dk<#G`ddZ bqOYOS|N8{oK׷NZZ xXHE xsUj=mU j (ԫإPZeEӚЩHBg/*G*J({sPf 2Q /JRSD MjD36⼩gƜB<Τ OR~\TX)oC F}N%qD8lޣ^C*toHS>M> ;53}}yywxy7şdꫯg//n;sp{%5?CO<:z~_#JQƟy uKAS E aE8ikY!SrxVw6[o@[:8r&&&p:e:nݺI9o6D8rN<h6ۇ<}7)*`v[4,3upDgگn߾mx|ѣ8|~N4]c R'o!45unWT*br7o?J? 
իx3  /qav( _|_QML+<ܳJEQ b-} Tis}[3\D"aH kjNA듰'_HS Μ9ӧOo aubzz\by"8zؿ+fqY:/뺸wV' nTghis΃aNw Ξ=WvS?D L&<$D9WS4-ZlD!HۛͨCC~5CS嵴`1&#ߧ@4wZ7. +lC/]+#ntvLQ>kA_Y4fOo>ajX,>ڰ͸f.h\^(o~ K~7VvY\%U$R]S􃯩`g(_lPF@2=jf UI|>њ;w>37?^{ /"sݩ": [oa}}s5ʩrzU  l*ᾬ=TCXQte/K<45Pԩ'yy`XDv[H$'Obbb###z=XYY1mCE9B0ҙ N9Ǐ/oGZi%5(V÷P(`ff2,~i\rȫgj5ܾ}YXX8ߏmlYn](Җ) JLvzTtcEk j6 KE[ZZ1.|xZTbh LS044Nq_n|nv[H Ϙ7> q r-'aa$ CBfSm8DC@'S+5j~mlj/%kj~6u5Iu]O-aQrc9UZ'|E n:_vL??g oRNJ*^u׹$mlll,G3zn߾w/!-g//~zǸ<`rj:b͵:v8.^dDؿ1mޫD R;f35== `z"!I\P9mB*ii'h\k=hvD6G6,q|+zb\ӶshGcNW"2L[Pe#l*ʎ+K hfPhh7:C x6iN+dW+Dm v;ZT\.Þo|aھ4|}_UG"\v /^94ױaVcks?zѣG^o|;wnU͔7-Ap$VW"XZZ%XNFy퓔<%*%^x8{zn LrCS5u ԕKkD"Q ݙvqo>>i0dcb,Z6==Y3;x</իaFP@>oa48 Ғ)ypމ h{,Wxk y1nlrƽ5fWK^"@8ǔXF_MuGM>`D¼`tj'W>g!uUQU!R|۠L~岙`0L&-mN^Pw*8>B`3ʇr1t{q \Io3iO^3+s~5^=o߾>spu7{jd^KG}+/_A6 ;ˏ^otLP*p[s~LMxڎ3Vyȫ 0[h=}izX[[l,0=8v&&&pm+ ( (˨VJ9MlIսC;p$p~[;f{mLM=Y4M10"j!cō cmmmz*&&&2]p=ug!{t:d2';vyJR`4ޝWЖn*M#| こHT2UQ( cpm"'k6؊Xo_ zz6{B@4N xv |.ȹTSJN;k/KI i(:рҴA,Q/b?M )&Lbuuw5Y55A\h#<ヒ?ؐvS6xkall3_L8BѶZG\7>2ҷ]TLnwnsoNZ* 9s4yk6K{/--=r6Ņ p9`4ͦQ*o)'J `hx&0K%GR{{h`DE_ m:$n333XZZ;Hxꩧ0::NcIS5 D H$ 9(OOOcuu.\Ç=IPPc:ÃmvWMaa*m%Q1f,Ϧ)u6Û޽M=oM+T]JS@6A29%4FuBGlK%L[{[Wb=E*'~zӀ&_ݳ YD(Xժi ! hA$Up QD8*+cuuՃB\$ȓ]UTpܼyB왝[X ?<^{5;wJz,s@eKMϤq~ bq۽|K?ox^+W|n)jN=E/-.ѣکT&q>7hsƟ3^ p \xѓDZU2`q+'@ D"zn-fsF D<1qnvF=6JdJ jEH${!iv=Mߔ/)ٙ9{y~g[YYh؜M0~뮃Vb^Tܜ0?::/̙3{sof=C*+l$I l6/ėt:oʚ!2ON?I*(kWWWhȹ; qp\|ڶGr 0Q*/| 8l) 7L&gرch 8ijLW0V>b ;PLPhMSVX^Ϯ5}HSԀ #6pQ@>zSHy\d2!5zahU|vB%o~5c(!-Z67bW{ۥryܽ{ xy??R\.HuZp}ܿݼqx7000XTL]y[kFt5|,~~k}_mgzSbw055ӧOM$wA޾ 1B bSFT9 s<mE="ڨ nW!q3;3(DZ5W8Zr,PIn{ ho1 F" i*u -֤󩨒fg#l*^]]۷#a?~'~T '4E|Oƾ}<nW``z;K*\eP }Yk(WCh5-ʆ -g7!s< BhҦ FsE8H^VdAQZ-wz5;4`U!E9\+‹`++rkb?3Nְ-D6Iܿmx~5p]7n@.3e`aaJ_z)x=m2J@Ϡ26iUr_ @ЋmroՍT_Z?`tr#u@+lkjU3`s0mhij)1 rrk9LM=ʪ!Kd2(4I#zX]]s~ʟ)|/^D6fe{2*35fСCAOx>ǎqɟ }]^$,fggL&q >}, U4o߯˜z +kp 8U-tyxxJ:k3LXiS"=5PBTRp0-S3֭35Fx=p"\w9D\w^sŵ#)E(h0MFtG|1QVqMCcH&Hs^~e {Jw()zF׌VOO4l77U55{}#yPp}l`l!~kgL*ȧw.~J|6iB! 
#\.o D"&͚gR ϛȜK=o>'jF`tiKx"z-ܿDj>8x ?'NȆ;WAMVwS()}ZhUXl_*φ4u~+!/;-Ε~gʟkq>Z*=j[=l `^z- \GAzsfVPoe}}&5ɏGğOF4߿oRS*֖Kd2/N<_T2{:G:RT׶1N5Lכ&W=Jdrr f>g ŐkƿbO?88WԩS_e((F hhsB0$ rouJ4vX!'ܜLjO5:=sDpi\rdȅ)$]Wu24=ܻw/"~5٬saUR 10::?VVV;;t2-F/u|pqS8J^(fQS3 ~(,{aBR/Pfh\VWGWI4-L & y}Tp { DshFVrix,jaeeKKKX__Fԡny׮]C(:޽b1>; q011_|W\ʜ}EoMu;ܠ(}~x7o<^y%kwwTC^t<,nDp9<&}ϯ, |\o$vFEqKϨUmD`uu3g8+++ú q߿PT{7BuŢ'ήi]b?*]pN iWljJ%S#c_`Cm8oOb\;G$Hϙ)FH~C !0Lu]XXXʊٕpe:ꫯ6Z~GX]]VA)1::K.ᩧB6E24e4-b~#]az5tg~Ms.--#[U?[#KpkQϛf&ZoC {0JCD'r6 C(B__*ە*a>68N:˗/*ְr!Kw]"z(?x ~u'w_5Si[{zz|Z`S?mOB_K9r###8r2Y,4& x! [h<<<|4) `*P-[ M{lENYqNkgUBc}(WRPŨU-á\=B-D3LzAZ8o& k4X[[ښ̵TJp q8qℹmdq={Νȕo2lUi!eߧa[a>J61TNn{w #B!oƑF2ĕ+WpUg#<],M nh)C4|)jXsM)4YċDTiSk5C CX $+ecd2/… !V0??ob\/qߏCyi(ͶئHR6H~ݯqȁЈ'965[~!Z/ׇk׮ڵkd2g B(F4x9Azƴҏ@4IjiEUEH=W*stcN>K.!zj0??EaivP州 ܣs >3}y(~wj܄dGZ5ylR*ߏd2_|=߿;w޽{j2 ]*uv(r3ill)|-(i.*zsJE=aí4\`+hshC5<܄BDg}Ѱ ΙdtԐSGι>{P0N*!#aqqZ̓h6n…"zlN=܍\.gBl|.[Po4MSpi.̩F=ah*r~fQ<'`}u$m q%7B*T*l6t:>1/5*hS g+;_hwlu;`ó5Nit^KJg=DbvrzEfA24|>oXxccc8t("n޼%EctpUv1 j^bbƳsh79vR-˼Y%ؠMEoa?p231WoRnl΁*6;KR7 y" D hqk';?Ucvz)LlǗU`1j_*_{ZsFp.p!۷6!zUelllxm|rphD(Ja4Wch" A;5ڝQw sv™3gf.VWWER*:7;Du*QB>; xd2qr،\A38u9ڡfC:)+ŽkOW*{f :8x@0LrӸk4Mn)lRfRD">DQ ^0’m0033c`#x= ~V&(h(i&ҙzC!f]3RIJO$v ' SJvl+p*hA m<IDAT̎%+\{V(0ϲX2`|`^_ NJb^:4ȑ#8{,=D"a NJQ sBٝy#|q(D+GeN9TPD K06Ru~ POZbnnӌ]Žsν**z"]; ^mƳmpST)ExDp6owyɓ'177gn΅kB0Pw(W>#m޾rd/9@3hzixJjEZvWd(mx%cV-NСCxꩧYEc@ph ԩ]> Na0u]5l_9i@0iFd2L&c:uTU3?*= ",{Qư?2i&LUX~Ehfz=^P(xs!n zV98 ok,=q#N UlllZ"Hx~mq/*:\ρ~Ϛ=A^[=~(VגgY|i! {yv7MNNz5I԰_0=luj8c.Ӂ[Ks/qD"aRjp-y]C>ϖU]:ٍ$zVqӰ {Nollošfijk`0ѣ"t[,bY`XV+^uYU 7zEJ Pg8" TT hC=οqLzWQ A](hxuY^zJlb, !fж&}FN.(9Ç#NB666jmPWTQD9akqq9=*p—czoW$@TG?*`xywH$JWV=J@}WO0EKAJս9[@oժ |߿8z=W9qbb ?VUn;+ g47e#^|h= |cmmi6P(x^W3(W!|>{1jn%|MO^>s1jFs +ل\,܄9M/n`0~߿( Bl;ٳQ9_C*zUhrKϳ@`K(MȈ)XBCJX[[3y܄+hM\i`*槄8w";?]c|~)Ը}mU)]UxP$=" %k},CkP( h_*xY <ժy}188s㞌X__7dP>}r_0? 
ک {P(RIL&?CNp8`JR&m0lV*Aύ++cQSk[ b1d2k |nͦjhgol&;={M!PR!@ƍ}Z-5VtF8GVА9 w j5 ###X=9&ghcYßKɺn4Ȅ 8E,l%kasӽcD+AkANo{܃ȉ D*?g(\K1=QGE@xTx klǚyb݆B}}}h6FU*36R¨ux>"fffvl. 8rΝ;~d녅(<+Evvȃ{zƳ̵c*: Գs}(>3fx<3 ~mSdBVT8٩Ȫժ1iѓ|! p0 N=yJn"d$m#Z?SX[- bƶTҴ0ޗB:GfXTPп*>*j׌E4g?qOU<4ۇ chhcDHZbmm V@ JJFa9ckgC?6&81ReZl#ABMɬzFٝ6ul)xb6!qx^kNe%3zN4eόRiFzzkU'Nw&3gpCT*Au5g)L#'2!1mu!L;[vh3Y޺n|ӨG(7xhb N֒F|"iTByP)Lzk|۷o{PX؏] FHd<*LEU`ɂz9c,"kc99]kJv||D4bطob/Ou] =L& 䔨@lNB`HdHİaö4tb3jS!\WN0j+ui-W5 Bm 12ʎuqs?9nm!=bT*Iv' 3~B=r՜G)eº'u~>3gsmm ®G`坆L]/89$ٜ׋&v T ?A})SGDbiiS?D B0*cӳ$NeZB 9MJcܰJ h{$|_>R_#YFShsVd2fmClZ-TU~մ2~e}{UֱZߩT x*F$1 NcccfƐN8yFP(L&cfꩪfP}87|HR6Eһl6 ' "F4z'2_U驑'w?;u#꣝gy~4`7#`/2ީ޷4a)Y~f!`|-H#B!TUbKF8{,Ξ=T*广FS–s^^}:bmÓ%"kSuxh v|P(`aa!YN׋p3FG8FP0k04d;5$bi-GJelVT6S@m))izd+T8M_ "JC=5̢ipѨ~ J'FϚH$000` e %/;ɵ "¿}9Z([R*1@NrJT*婿ƞfpp]5VIp~1_?XV[ ˨BR65gc+h Avp-?pʻj r:V/55H0~"gRl!aii \ctjv&*shqfȽLC9+t V6 ;w`zz^/Yg4@,hAP(dr0\@*z4BCd:M=!k㼒p#drk!n<IcAɡHT"TVC\; Hq14E~/*a~Tl{*$U*X6j!}zv(^z6{Hd4P?\vIܾ} D]ݕ}'NF~(V&>޶/xalfMWC"-9ޞW-Q%E ;qR73u/r=#bߛ-m#Ϙr裏099YϝƩSpa|ʘG)o|؃{X(|sBt%Cb5-MdX,>R]… &O U6Kc}~(rE *5`IʷGMjfWa`rsss(Jh.\SO=~z=7H8{cD ~*ڡmrok{pֶk&dpIU]И*_~'x,~7Bl*1BqZMzT) 9-yiO__"iC6-ח!gl8F:F<79^zɱ:KSضzmwq-`7T*euSRYE?ڕ N>{?c*)4zC'}>5tz1>c==ӡ!<3r `yyyOie 2uK.pQ+ T$OkH=#bXT'?OĄIճy#٬#]5F6ea5}kgh8>#JzoI#WհyI•+WpYX1KmwqU|séSdvzxKSC:=ʹIjAyHcy;f a}}4 rzVu/Y:%~2πI}{ IUT)+5`;ӉLP0ӽ`cǎÇӁZXX@Xlf qZuʻFR!f5Rm0-]0s)0h-|~ b2BR!Wdm~]S A 2Q\wfDRXCV"l+D8OZ\?~̈́=qBHHiNVcL\;mK/ EHcjhj^zNJP0T_S>z@EߞX,ƍ裏 GO3K/TCmZu4d~C>s*cZC)kJbLz}G( u{#N< ÿZ-`eeŜ+4HOҩ g\UlK'GVVVLם!z*=Y"QTL&V`3Aسo<d2V5ʑIh-S5KAGXYL W%Pz* lk<*d[(Bxzzzt(+XS yP7]:8݈,P8N 01 vT*L&d2iP0c+E`0+O2!& SP[ۨS/ȓR clAcy6 >? 
o34RЎkhݻ0??ȍbxqu9rdBtuuTkwR~P?Np9=sjwl{ϥ]/Uk-R5ZuʯʶyeΟ?SNyc @.< .'vz(K+~.PN3Ա#\X]]3ۤW\3g<\`3 SVs꺮 k[p?1z H${J렂d40["Ӏ*NƑlaCMvj\zp|F -; WÁDפNԀ^<0= U~i6(fq]5sxd/3dU8)`=P *tA@<~^-lauUFZCnDcmVbuu7oĭ[,>wO9NiRB4Z)u]3  Q2Z!n-9rfȂ^4v"Ǣlb}}Z4sbG ~[f[hz=4ׂ6*ld׵P΁c1V 㘲D)/ok/yJf >c)*ҸkJʵs199[F.__~/_?Ƴ766LΕ{M6.]8}|8>ٸ6 xMk!QЩEٹј%,mOfR﷙קۮgl#B:=8ElᠯSi\O<=4BT$7@ժ|6666LA!z',]̴RWI~b>Tc=(b5mTv"0 Vl6W-8PCRy(u~ֶx=Eh +}]ܾ}{zih>,_3gxu]:9RWVϱ022ё?~Fsb.cpp=kÏw$Ƴ(R(XYY10B28uQ>{T*yR}nܸɞRœ'yE2yvP[~ǟj=F4 ,,,$2:u7/!ofG~ʿ5ݏ^ѳNw3D t: %\pcIi U$WPQ)mC<@~0v{5\.k{v{l^6`'oU*:9TU֒zp-n@TB$1%Oׇl6ki}c&Zp](tZ QZBN 7* }*6ӛ?(CFC IײO忾x>kF(˸{.޽kRvΎ;^{ >1x}R%FbmpޒFG2q$Si=v/yn˫ k Vⶌ[qG"폎zj0777oP( Lbhh#¦[z =ϗ]#`}Y e?E"rܞ02Ĺs;x^>I?'/C ix=N _.;,cImƃm븩`?uy?vn8q]>x"=D"1o|xa2eO%YVlEe(s!VSϘڶڱOMISΏ:U27nr~PWXz߬JBw̨pZd ShTL&` ~ǛT2a:6UŢS24fV$=h*)({כ| FMc^lem [)QW^) =aU#lbaa<ښg/rMRx饗+СCR(3o?¶ *6TbP%`O?s;I|]O-k}AVXZZ2״ג?xꩧpEOit(똟7Ltrdlc2kL$Y;XaR]ҡz2p%9sfs{\]]5Dc IR&h9o5bjS`E] ;!uұ7[2aݍ?n/ L+_m|FJt666Z&+;K/axx@4RRRU!z5 *RĪȀjqjq!bQ [z WAL@S'&< 8sddVszjxj5RT**sDXX@$lyJ+_rY̜U*4R{Z~Y)z_~5|؄';籰`~'V:M>;FG?^~efy|>oA7c쉽F2B__?N:|ۓyc Sӟ+"Yªu3 ~i\zd3Z +++wh4!L4{& IWm"u􂁭9ʇ06k]tý{̜x< .ҥK!R`qqqgTq^D^PoۈD#D6z.&:R}IcaC *%? =r{ux`#'b,--!;V+Ę.-̹9bbbk=z۫VOju5VZw[ٱ7m헮EL’>tFMZ` Tĩ( P8&*)XX,!IÀ Q0$djx(47?{0`3fWT%rOG",--, {'O&2z`vvքXx|Ukʝ8ZBYj4+9ٮy*xv*-kmcΖW_y "a\xgΜ[YY 4TXilUx_*^4FĮe+lI__bIUK]KwHfa}HO{V cАjio$Js8UoNא-l/ N 1z*TQiV$VWWzD RaR)Zgҳa!y}n<#؆U#6ABJnRc|M8׮t UaHjW x޽{&??'OT*ͱϙ+ E1ts糡a5=j K/)2ߟ)N9Q@_EP*6ބ<^xy< O@tDȍa_fi@ Rd~:}jXSF{cPvh\q/u =.ٳpLJ%cmm͜5Mޫ.ʡ!2tPYD<@,CBUA$B,A8qE!4uMhp.u@pۃܞf}4v~Hsŭa @K ? D ^D"ڱc?wajj8n`0\.g}amPS;lD0ֺy>X*k'=. 
*ZNFr,^O4JŪ"цj5t]C2ݮ$eԐ;|bh ص+ !N#J5ᥩZ;js%D5(nd2i7Z6DugܴZ-Sr9D!heAiIڦ6d-0Hh{5!NEl/{ÏKrsVWWpx7L&UF8vN΂zZBosDi=g*cy_zx>|.]Gvu:,//cvv֔Zֳ{R(-y=9'2hR[ B,D={_"&JQfZTxZfnQTAd44,BQfתt:L&A<6 Jb<'\5j[SUH|.[Sh A[.T*/ŏ{gA{pob߾},)uG@~{A=o};5׿jųB(@ !D" @ϰR_<GZ4wdK/ڵk.?%l.H%EÚ{jjdD"aiNzrt:S6lBKI%ԯP/\en#ܹs8}ٻr6[Nl٬d[ ߝN70z p0pzp6\E0nN^ D " \lrJہBB0' nv "")Vnu.`3+ OO(uVdxx8@ u] _~i>cB^2VVV8z(Μ9ӧO#Jyb6doǾlO] Q(?`l_fnBݨ|VqLZ=qrqL{2g5}IeZ~ 8H$ 0XcFHMw0<;h5YF}vTXv gѳ幠"f&ON,--mCl$Jg+bofwE.3~Sނ`)/Ba^WF{ sݻXt [!"(6&Svk@AB^A^CZBZBRA4F$ތ-4k-]C B4c g!q8a'bY,//qSVZohh=Ο?oБ\.{8J\gUxydF\~X|.HcZINψ"\j\ѣj$@f7@Ap4`#Gv횧V> FiS!a167 D>N\FP@ 0YsZg2OF. Kua0gi\Oo*J011SNy1b}}&ӇMEDϏVʳ>ekf@nC)c74 zA ࢋN .:-w_@0D8GvpHrBō"8H4hOiSFh42U: Oicl0[vwo5i/)n6Zó@M2:5oA?~F,..z2jRw ۹s]&,*) v oB` hw:+f?0nfvJt_?}h4ZppaB!8 6j Z&ڍ6"B0z:pc(D,BACKFc'b:X,Fޏ jh4088~x׿noAmW[,}]AaddʶY:%K_Y~vHנ१OXZc)2grFejm5۵C >zV10#G[yZXD-[ lA!DIxK\6$EmP"9\i|\ρD_HRzƸ(O=I DX=x.26*"nrup}ܳP4)RSֵwT`W\`qq@ ƃ099ijaNFU^7~w|ci䤁GFF044~CNߦm΁VzOZ+T*y*|ԫyKQ(NzTpxܔT6oY,UױlMXg3fFY(088t:1SxT*!{dGP0B*48QQT 78w z.//c~~ޔ ޴ 5Uވfx{lLz]vN;@GD(D8Do!1ݬn#L<, aڭ**w ˫ȯ!phxFNaH& 4P/Q-VD1.]ZN3M-`mm ~>J Vط\.\.# q%8?{g6\'$ Ov9S|.5:.FFFlvc~7(TJnf+eulllxU;bmSO_()-0223gΘzcҊw~JSBS]+2}($Y#\I4M=6ݳT8z/LH΀h4p-ܿ[{$ x0::OO<8Μ9qz Ұ&f _,j088hdCGvS›}0Hc00J  HgK?YIKq[JP_*055Wâz.T={FN{6lev@ADIqD1 E"E"F߇pA0\(Q`59lާSMB{0 (?33Zm;JYUy";Ţ^ v`,W Gܹs8uiZDw.ښas>m^z yкμi[u+w)"4ȽUl~ r_߭ܲҶﰅÇ+g5L%lllxd.|~ʅO8TdR HxH4^vIݗ܇,CRfB&12`'Y %{o ɓxw|;#B*bew~R[{Ɇbo6` nA'X4t&|\D@~W@~=P8X,DA,{H n@ ӆB0±8"@nge1$ 8 '_(8#'bqL ymRӴd2 ?s Ξ=k m{Q5UU0Q766́ 'e\ٍ-yhLLC߄yCCCD>@<7d/I|\73ns>/&VVV<K~H"f7~7<T䚣]Kit1N˹.hV lѣG1>>n ,--!ycB6ԩQ='ywӺޓګZh]Oݻ4HO?4>ȑ#l61??^})~Q246AMb訩n1::jY4ۅ-Db)v a+~]$!We*rl‚4i=eڱc0111Zm6ކ7zH9'ymE쿫#vszpbj7趱~u݄*)S(&w[;gamZcE`eeTۉ'8/he˞ɪ@xR lPL8@2kҙŔLJg3GN86#}]TqJ%b1hRvt']<&% ;v ###H&1Lzd>7 Ox}`rq 4ǁ=FX~9ߗ'`vvK/ׯ}D02>8xAanh ` 2QXɯV!c8p"nMZf:#߀’qf 0|U3 "Vb<0ߏq=X^)/e{61ϨR?Osnj)ʤ)@vUB6kjΝ;hM_|ׯ_ǹsWB:.(±0'P4P@J ';KD'bq aon +Dﵽ;mHVL^H$bC泿kfQ`_5;Y~Y f/{˥]jbaa sqi8yF« ِ frGh_ 4olUqqer~4f81L&㩂t:m b8TP@5 $6P(X,[NRZ 
sX9ʊ3Ә} 5&87 U(FuXu\.?SSSOoi\~x:ofsssh`քȔ~а=ȁѳ3[Mܜ$+U`+bWcQ4x>X-|& 񌰴.|0=hnz?xV ǃLir{!3;֯~^c'}]z.Z&re,5g_lIv(6PQ-7jtm9p`@pt=[mtZNF0DATPoUmVayj PЮxj8ăG::S`+x #7f\FVn7ВMQŠUt\|LCG^ ?e?e$I7pAd2YX*s9r9aޤgB}wJqU\tՐPӃÂ01yzTC"~ n*tzk = F޳"Q5q!0!L^) (\9"4gڂS]H=oƟw"1B@^~f虲ϚާuSSSLO<_~O?6d.3+R{9訕JY`'QL&P(dPD^8 ̨2hLƄ[TL~=~WuW*8w٬KݻOiboj=w"kEsp^Cm6 ThpІrvhVBHHRh:Wjhh-T-<@8r kp`~ V,QBzVFf t_)$n7aCDioSpQwz@`$^Ro5>,E7084CD9>޻wϼ^񍷿o7sCj($' (˞dA1G֔f ii45YG* uOHL(QI/6a%ѢXH#ŏooAY6 PSF (+z`3ruknܸwz G=D< _}m+dj}0%hsa:ʢX7YD8Gl{px6!U bΡV$@T@[jϣl6/u],//޽{0c#w* |,w #rc`PyBԃE:փrEC/THׅΎk:\.#ϛ\_q 1/ ʰ'9PC0:'/!ϛp3(rlZ^: bT㳓U7 ?"CrYv vUwb]N?3UR}fͮMu};u,nݺm׶o7F*XZZҒV33E{vsFS׃wA#u]So#Hص\jWGxVq8x .]Cy vYܻw j(nsf~l{/wڙG:*<+tnzMFh;MQA@Am`Gott":AAt;]4*54 Sp]oZ@PGك "# p@nN͎jp(X8vvv^`0p`zmA1GCP' K 6٢KSQTɫS2T@ njG^qş9?_ƃrqqOe8` Mbz$EDAsMA˱cL0)уbJbӘRϙ Ţa8XJ.3!cPmچ*4SR*yJ6c&޵_Wcz-L KH ~S>#Ó<AH>G&LʔJ*I%W* A12膠RC̴UO˔zV*˥eVZ2 &zs1?]w3Lpq>{ǎXko}kտ!vvvp֭Z_裏4Gqʕ+rɜv67BLIlBqg1oMM';k !ױYR=XBeP@E& . E$M!`BR8ptH "vZH$*W9"Vso߬^o7SO=n[+PRڔ&dCFQT+]~@uQu {WhSO=n;5\1)rԇ B2mB#WEwk((Sh,b6IOʾn#3y^i!C"Cos*K2'9t[{2([F 󰵵MizW˗OLq1͛7q!YF&.'~MNr5y6W)>7H1VmJL!TP9)^6/"Nh"/ĢHKI k Ё9|ׇTq~)Dj!hw!| m#~*TυtHG" dq,Matvw'!8NB'QoŅNfwӨMlb02 b)f1YIxGonnK_ni2ȑU%q&N?y9ˉd6)x!W(XhHirt :%̕W;uN3'P*cKRnX;7M䀐^ Ҧ1v+}N'R?iBԆ' 9Gxʲk r8H6Μ9g}<ȔTJիxױ5Ex%9l6l? 5\'}66 'Cl0[!B?A6!Za S-,`ݵ-HO@e _BQUjL!ѕb6 KcrJH @9P)5EUבR@: ) ̒ƀ&-~7 1 TyD?ϡ*#/ l5so69ԸBa}9l!}Q[S\(ʲĕ+q2怜{A޻rvxw&u_ߔRW?U+LHbsȕ< xb& d"_JJȕGa[)r7&HӘhv|ؤ*.m} ¦(&ԌgqY޼O\v .nݺՈvY+>6u,K7668`+3T{qEFeM̽YHZ'_/|\&SrV; M,˰W >&Gec{.°'q% ,tPTz( s6U\h$ΐp"P 0@)%!.\AE FgPe2OQ 8x R`RL'Ł`.ZЇ+".K @x'|E} S1hˏ6Ӷ)6_nυC\IऱYB~ qgSBqpЃ6Ƕ64>N9S8衇s簺ro|ӵGE*bT[s$'^u<h\NjaPe]$EQo'qb#y3 1cÇHVlh>N=;WZ&{\ۣCm({ޛ:?{q<ÇB-'y6bIu| Ll>D gD (eyj<-Ou uA2? :2&01ƍ\>Q駟s=W614Mk.$DF< 6Yxm ڦ$nq60hp [2evʻW2poN( @6ʑS##حE^"s]bK!! 
ja,ͫ3xaS=-*g#N@{Cs @ȓd@( WB;P_Es I,?>,JFP,T&=* pԂ|:hww]>_o…S~o}cc.a+PPH*RĖ'e5\'/}Lɋ 辳PShld(:/ݗϿusl)'NITQ24Fnoocuu -..S^z>Sڪ4P _WoEnGwxj+)L{Y7: $ndp0.S Yۛo+W`wwa|#g>˗/ akk>$T2g4QxcVTAxƓG354Mk#W#T~C}YYY=yc灐{?am|bp]>׃>.Oއ&/Pm4qL&uo޿,tCG"&D)ڽ.xpɠQx2QA"ZpA YUUz7ln,1N>@H y,,/B%$C ]C8.''94G݆ `,|σTh, p* _wvwwaۆM(oIDAT6FAY(l1<7 7MŰ4yf+ h^2T,Ϧ{FJ0,O#/y>VRʚDH}N7R#ǯ7;NB>yEed^9 ӥJuMYv Z\|GHXmS1ۘt:x|ǎ_e׽P\q#HMk]8RzףȐ<4Ci5 RV < cuM ':geeeJqS;7? K{NxξW;p ({4<)4)`PJ"t hP`Qڔ0pX _) x1K o2 0-#MA4&1Nua*K9e^@C8~o|*/'G>"ӂȳ*tP*hk&jt];wN\zuWcvbN!.?X 9=#|R,ޜc av{Pl.Tݣ*w6si(RA͈Mk;ep)rEs9Kʎ<`i]6E1ms]Q 2.?zNS?倧$8:n'?I|:A}lnnb4M)t_RnpGE׃ѱ矞K()J///._|$ȕ\~.COƘ)jipT*"!<}/4M~޳8HH[)R59h11m!m8\)HYk*HdD$(,C1hs)Qd9*X^袵Ђp|\(J-#PevFYJᗹx0v7 s0@%PNB+,)s DA )ۘVw5>Tq;wNܸq˕,nmb2ߛ5V蚦C(TQvb ^~h`0{?15ierޣ0z7M>O<5Ln"Y A1t o^~|Odl׆yLwooPlk}O=^xw}5^ݿwHӴ>_(>я/b?h43m84&_8f4Mqz&?>ݓ‚H# q p\WL}m4RЅRZ@ e,#Ib$!x U(YCN:.vX ,dc(Y(?@H e>&tI\) xA0 @qba'ea#GP!>TOZYI v;ùv>כ{r#ޠl`Y!g^t8V?*pTsf=~)=zYSA2$%o*qos7@sÎOrÄ N;qHȣ]av{ }c<>t-7Ro xg3`~~NP=_XZZپz*nݺd8JA}ZڤI2nJgz{p`9BeqqOJ!Rz`$CnYVpBY1(sSU+H^c~hq2qs P%<<m` ><߇t% <ΐNRR( )ؼ A6vV(r$eJea%qwk+!?hݚӇji\hkN^M!য়wGvV<[2ѤXmesyE9[A;uomx~o*t&V\a[68 )%nܸq6 7|N0 9Dߩ 1O n뤉cT6ggw[n?!dƅ o]ɺp4n6$[Mn˽$qy帛U\;huU)\G@:R hheT)+>Py #"/J$i$F-\8xc2|+zR@@:B YqU-<@݇:R"lF42 Nd 8(e? ZyV`7D3שB]NAh r9^ѷqXo߾<͛7}G177whڂSo{666H(sk,~YCiÎfBhďܭqo{MliAP{4W'mf'ɔksfcM#I<*}:^ml6!K9k,۠iڼmo1%Aǃ>"&y^#ɓR͛S'K>kJr ]SEOv< h$w= pmkm־pE\vqOxw>EkIg2I8t:P.j}i8D M#<`\l`QUPHHʠ(˃J>YZ( }tН_@#A.(U @+>\߫be2EBiJk}l]ww1CgۂHmi"#[p.Dž{}NvBԎe)I4a988Mr`w,NQ%`χ.s@+4 Y$@*^WO<,ClrOq%XY081{\yR >9^J+Rй2glx*]GG½&.G\θgg4ܰ7&Cg 2Q1c7oބ^N©Sjo3 Y+lh d8{\}ml"Z|N|42Bx]vvvp- ChoAg /9O~yY"%ZIk#ϴKR{,%ۍͬcQI?~0I'OFHyWߩq\A0dic2I PJ# :H Kdi#4y!+b HpAۇҸd<ؔ$l/ $8.|?hwhup] eKHPyYHyZAsTѤ p%!0L} JG`~ؖ]Nl2lmb<y2Pe^w}8qD9*5F;c\BVs4. 
Pvs*S$B Qm2H1Q i%v?(̅;E!K HH$xE^@e yZ`6ola>vV-PZ݋uZĭȳZ 8J"81?}@&aW| J+?n D"G8Eϻd ܋aWwS绡wkwifDX͖mMj>Ͻz993蹢#h1Rnt%B;oM2Є5v<F}IM2omkA15SצRu`Q{}#rw;|ÂD08<=!YJ‹/|#S}ug(G(|S4Y4 ﯽm7+=eyE9s?g9v6dh6 %2 jGeY Kcʼ`T,lbx 7@<@H'1qt"FaefH,a27p-DQԂp\ZTޢ(P#P8A($E2~ul"ido q\<~;Dp}e^!E3P%U@$ Les O0KXvwwQ% 1_OҥK*RIok9ܔ?LV G Oy&͗12v'<.;AvQ!FG9;$.ۓ)w*(ef& ]ԧMov][Ε6WzT n4[mﳝJy^[['Ĭ_'> lllTeYAoS zICExa+&5)=yEN8s}|+_oeu!:RiRCBK8ƒkt{s$V9@4X0 t%ZQ"f Qp}JQ@ q<ȅHditUcMUk@ hSӲi7 `HfkwNns%׮]koooüw-|٫|=Yd@9!Ip7d?054G x?V<&)p%jǺ9b^ëqV3/\ʲS20Q eip4H:眣ޝOY?wﻮӧO׊[n:ƔBCxacǐ)_UQ{up} ?Ģʝw$Z^{~U[i!Z64EHkC$B!M2J@ yWus0fҁp=A YhS I~~( μ-hu[p1tiP9PfPso&ÊCl F_Q#`cc/_Ƴ>[ֆ;m/2sax$݋6/cI`pD|h{MBJNg=&F8{oM0z&'%6݆y} [qk4RMmmRޤ8yuJzYdU_2_kxGoͿi?G{xS{4!\vF鋗^6nݺ!P< ^~ew}S!rիWkπ֬"E4d(qE;p5y[~k ڍRu9WZ-;wN cwwM)|:@Huzc TnehJ{>ȇb BHEQv\\ǃ#%@<+@ /,!By!tye$" @%Lu}Q hp<wʼY~0p<^0̳@9>x5C/om^|Ekku9RZ8EQ^իW+G-\.|!0qz5Wlv@.QiBή}>7?ß7l}vM›9?>C[Iy?p=4ЈOl*ʕ5rɯ˯B`4_:{C _+~1\66_F8bÑ#/x}_v>n8/䀯Uܸqut/⥗^Bә2`wvvp5a)ze-0US=v_x:-Kx }k]ZAźsZùspCh677x |)k/f`e4%,#L1HF1pʼ@\as`TU"MQ9b#Lq"N+[ع5sK%JjBBH7+N,FB[edC8hXZ^BF>GЊ"xa!@d9(D@>|칦@iv'pNK*1EP a4EQxя~oM/˒}o&^{5|\@Bog}6x=)X4)PNRNU6m|vt,^QQ@jǫPS~Z??իWo U򣕛dG[ oT֖zo͛uh2p^~e<3SRuy ΦBUs#d(9i?|#h=čiIb{v2wkǎùsYass;;;'ůB^f(Tc m;)L@iR I"/%Vp@uڈ~Pq(R+\ʪTp9,cy"ϑM2ăma-$c|F+Um] ǑHFc,Tq') E,ΐA\a,JUGB?!&Y4HQtT91BJHFOw* ,$I^{ ?O2E*D0{H>ɠKx#O'pnBVit38}YasgY:-`ai `=#y"-Obh[EԕyԀWn@Z 1ME@aNv;/\DHZi#d0.H1E^BUJU2/ Hqt"})ɿYá: KKKfaaAhՁw3#E hcc?|K_>1!^܀DPɨ{O{.-ƕE}gϞř3g{2rV"ǞX">602;ha`F3v@< sK 8~d( 5t{(E#JRWzhU:!:\ M2$ 0.BB`gmy1xa"Ds [B DUʼ@HqUŰ( ʪ+**Gtb5B4!#G.ܱoA_c:o}/}ٺ.={mm W\:Xq)"e;E١5aʍbU"m?'O2@(߷ [x(c5-d:Dc%rC1px ;gCܸq]|/RM.k)իSs}~Vig569,feReSe/iz{e\pS)sgDߛ'RЎBR S %\-(1Th^( mR||&c! 
7xV_[[Í7N +`qqqFXYY& ԧrO8Ex\䟟ir#6>m㙿m,2C 5t:塚U .N$熐f$<0 i;͇X[(r,!5<ׅI;bv 1BAgI k~EXZ^Dm#"b>VB렄UVAfUa mP% υ4@HDIx$`8pRECՋ`LRYD: [G<1aFyc+YX P"0HF+@8Kt"I[yA<'14Mrv'BE؉ƒ:ݪU:"MoucRc!8G@8pQAb Н 'PY 'p;!:sm# b>s]RHY5}g:V e~p6Q-_DsM8(Gdr[k7oboo/^#<VVV[[WZ/jO ꫯbqq.]ߏs{ʾyvkB~a~Pho|?6CQ~0prRF39G6bP{<ڛqjB15~nZGN=O7@)pY|s= ʕZ5 WSM>\ YJ,qVf6Am4ƍSe7c=^z O|RB`0 q}ٳSe1z}f_/Mmnyx`01܅V@*t̠t<cg3рR16Gp<?Zڝ9<E0  ?s$q TBN%9q !ј%G}8Cs" xZHc1:ZZ J0 O@J5! `PJHq*Ƈ؆!16)}]looܹsp~W~/eo>Oߐ`6yd7M[ .\M^z~ p?QЀ{y κl6]ҙ7]RZ<> {B i2s>`C| CauuA}Gy??.VfŰN k f9gsegϛ 0c 666pu ?_~Sr6LpuM! ܫs UZ y!'H *qx_(x=AH pdUO`=J@iK8~U+0Mra;A<Џ3o1!ȳLp] /B(4naA8BH`|s~wp8Cz=:u Ǐ_o|~`cZ֭[XYY-Z-?NoA(}{m)/ \ [1_ ME ?ЇĎq琧cz^>s9N2.9QhRڶ䥒lcb}} 5+nn1(/"N>]?֭[SUm&G }(@hQS16_&sw~:^8\{KKKxWя~aNokk nݪkYpi+HE{h֡]ǞmQl"xA{N‡9h]8`E-/ SPJC 7t,|a*\J!2qQE2. L<ᅀx#^8VBjӝCؚ#0)`# Q1N/vi 9 x.n YRB@8N~06&.8<~ xׯcss'O2^y|ӟ/K_ᔧDž&(p SpI8qǏ\ZT}!&GE\ASг<%TN\8jWi{Sq]a1^RnvLoigGyW$X__vvv=u> gˡ083<.~THGhNj+./eVOS4WWW<~/2._<5~EQ~/]j§۱w / ww5}I)qY\pv{o6{ݟ#'˔eTJйB21F3 ÍB8~ hP8p]NACdqի#\#g0b+~ B"Wl{!%L#$©@HBB  3xDA]z-D.Qa/m^-"hV7y}A h\0RBJ@$< /YRJ('ZgM7Y9%}OگS/dEyױy,//ĉK/7x7_4^myW ܁xmJ iT3@q~/`0=o{N &#c8b0ԹϜ7I;#6Iq<裸|2|Ѻ=dhue4-dsgIָڞ2=ykk W\ƈyx/ԩSSɲ 7nJ(Xq8J?soz]:y)lz٧TpS8>d>~< X__eFhf~ z( 1U \yPAU"IH׃xUp= ǯBhe1 OsK*GUxyǘ Q QtCV/j\L)FY/ъ<89mAaS0ؼ ZTT#K4.>]tzB Sq ? NlDq_LOoMgD-{{{ KKKXZZ“O>z B;0lՆVeB?}<X]]Xcӡ}h][UBoelw/:5 {q&V͊/70GQ-[~[[[SdӜ4y\nqen߾]gQ!.>~Ǐ##|5+fMr%)!tuHGJKE U@:9-ADž#ځ4*AF<#M5 ?hϵ[ ~Iݵ=Fh(EGW Z-#0=9*ߨ0'l s> !(r!*:"/wxz '`Pe&Pd 8* @kɹROhԣ8M kJAm ^ņme5AWR%S,=q;q._K.ǹ(:;g/6tMhd~>_#<ڊ/!6q5\~}ĺvExꩧ9Sٳg!0\asHȦS\l"i((z~ ?U lpߕ}Ujj x"N<9%eYb{{kkkS3MS^kHZP9TJ@gaE): :[mNsp3cw=10ٗ@x ",? IOq $1_;-@܏1ޫXhtb74P0PХAY({>Z[,;F >|σ t(4td4AYdp}x8c0wFnH5$C6*1K$  ެ5J^ўM"/Y 90LvC?g {{{vZ֒$ϝ?9S!{?q5\x͏ܭэyp Ge, mڞ'RPqx\}F§چfAln'K.--GO?K.MdlooO)E~In2`R:c1{{B`kk .׏]s=O8w\}&Esyho4/Vw+9PHB|FbSUKۀY5x\xSs1n߾Fg  ǯ&וm앛pOMHxwB*uDne;;D1V(Ei=a؂ dJ{p}n K m(0p0f(?F:N9TBkG 8tpRJStЪ%Zs:K=Hc*~( yØ5p<ǗT%[.9,>hV71e $aq?C<0O SЃ)ķVuev7!D#jJ Zоp9S{_RV5į_ׯdVBŋxbU ck 7o֭Z_4nH]<. 
1LN pEQ`<( dY~4MAs>T{!*z'NҥKxN5 e)cvx9pe|ٲw7y9*@RJ͛xw5nW^y/Ҕ3`wwޡϜ={Sc1<.زߏ߇qƓggRG5Y5B<.\>x7 pmM3Gl¢]) c?gWdzveU5V#ĈC /%Ρ!t!Qf 1R.p= q |ׅ:n۝Cqйi#O {}aguL*~Qi+OJT;cyn(vBx@:Q#d@Q"h!DuBܱ[*1@*q,UBСRom}1;eKQS C7&i-S;>t_.B CAVG}=X}۷qmlll`ss~~Y䭳gOT k}#IRLYi/dG퍑@F:.>tCZk|;AExwT!QPuv}g}ΎseJxfP_[F*iK(as lC] Tt(óQǕ+WpڵVj}v \z:7v73xg-3XWK2yxתm$5!ƦpPӺϾ]\.t*Hl@ BHR>&e2ao B$n =8^bw.N*DLvGc6oќ[Zu~Ѐ.i OapJSiR\HϭH d :pCa;@kUY|n"a?vVPp< u1~ wq#ZG67&&p6qEZZFR$y>=|4-?~o\mrxsKX^^CG\Wt\~~nVfS}R>c9Yy (MPjpGHN8cǎ̙3pz:e,cJ@\y1;3O=hnd<`6lxo͔u{gp)QE icI.g[V9߶̕K~y5őJC=gN]S%666UjM{jK3}wudsq3bqk^ Pd,О } JA tB,?sDZqm+p'h; \_ <8Nn^BJQcOa#O|W߻7n`48V|L!X]4麦fWfvmP?Gxꩧm[5`0 Tp]iv)DFDq{6aRFBF^(ar@?b1wA<]wJ@ SBh80 !'o YQGo1@ )\h "s$n"Uh:0PDTW:hJA+n8A<`7BdH)Y!3Y^-2D Jjd~g(~@f_? o>mp7 f-&ؗ7Q޵6t:t:>oLuL)'oStxOatp!ʲ@{s{ʄϙs){Rܻi<n˔gΜ'pI:u ΝéSv7f-o.\&cqJ p?#h GC t.Yឧ=.Gr]>?gя~tp8 žm.-+|q΍ G!OkFc</c2͛|>ƉP u!)˲y?;.pe`S c׻2/P"@@OP Y!\qQFAG"c0 6G{>DDA <ih5xl4*3xHy^=@H`n ^|Bk](ǠJl %\O@*ɑ3$n@z=K Y50Fܟ sRh " !a,͑9@)e}ߢ'8lL)KKK'(OB'i&3}g&^D-M 6: {I`kkm=u{=t{=x:ǻ8 $F2^uv mNcƇLb bģ\vڃ纐x WE1r% \ґJCEe z2Gj1*tC3ԟS/ZubMʶobJC MLg5g\8(2OEon9:}')tM/c<݄^y٤(2 ӧEN8vǏT)u (jJyvkʛ7l _϶7@Ȍ1I`4*c+NSVK6^Ϝ95~?$4&T Xs߆Y QYt`s1*EBnrHCq뢽Coq~xCymnnSnT-ÕL; Mmfq$s@/&d2Uxp=I)L)]BAI$\bg@m{d'Lz< hm0 B=lخ֦Ae%"A{z;;1=Bu%υp$'Cyӆy#Q7p<~;\:0*";PD>S$,\x7&bRA,-g^h[!BhR,4ʠ0k21Q ?ot:=ZTq7M ׼D]HI¾# C#ˮ=氰0VO>T/vU7]{^17^h) `EMk]Ypg%c#{>>Wd4eY+b#uMa&uߏFN$*vvvf,}#.c+++X]]烇͌1uU=~sxu4nvHi9k paXt^7mC$y\$Y$&+?<|SEί $wC&^m1^__U5M^|E|ř3gƈj[6f+wx vMT[9q}}ӗ뺸x"$o4Շ:J99phoKI=|hB]'uxQ:d#0*&%2[@91  a Sxـ D~@KFi Fqh)RAZTG>N!$ `0A2Jvl!ꠢܘrQ9n Iqt -%^l#O *@ !\8.# t"OKG@ #De<-2/L1J)#'zvnZe;;p7#Y=0Z08. C$IRaUn}}2Cshs>/8~zz~{* V53v ܩ䥓Ɗy5)pK?J2x9/c{zPx<^mx~<287l6lx'4Mkx---S^xM6n߾Z>|5E!)s~^vYM/G1*nnnb<b p%\t_6VWW+2/3z;RV\sC8\V9{Һ-rGᆘ86ƅgaDXH-C07j/^蠽A:1p\ PY4ϑc%Id K diBkWzdc?F>ɠԀsj!DR]Aˁ]H߅UR /5򤨼RA4_ q h_,DypvLa Uytab)Gq~~^XX3v~"7Hw{w 0uvh1P0 n$ &qs~߻moi\N&M19hܾ}uPe;8:6ѻR_eFln#M{:G>,So}_`~@yэv`{ *D>(-JRC*Y|&aGx0:(8 h5@zхTi Mʘ<-dx*B!rq$wUjƸsfTJv7$(Zd|!^ZM+{Qws? 
0: >'%ʟy,)DB2cyyNYdD2MXkNuVl\!5˳7=il"qEߙƟMiv\o! npSmb% -DVvzV%>رc>]p8UϯNHyWST kp%wԺPѧ&ߏ|#X^^OǸu677މgشgfpl#+&؝{po Ts>o~coo1FyʉԦ4DG/EJRGF 8( ă TBJYq'vz~.cg9@^(SV7BmA:[׭ 0/hzOYD)="rRJ;YZ0v4EC:R -% x+a !K]SfJkc S`W g[F6c?5~W:u>.PG 6d{K^&(G^M!`ˆy-( 'IQa<q){I9)?L4UM|CߛߗFyh.yJ' zGʚ>od0 {Si !Rxt_;;6+}],ZF*( 's ^<ϧ5k#ksmgF9h42B/'@әg vww&(=!a&{ϱv)؟ \7׿o}e2l(M5(]K_gfNIOw9U,Im+s -Hυ#]w&lH $ZKB&IlW:"PJKYd(.` ]] pDDrmlP]"zJiH@xqR^9Y%+#Uh(HdrYl\SR6ny~$N_۹M^(gfY@uNCj@ǀ߇opv!Δ8i~Тt:B0`qqV(jO/\٬bM;+P'}8|c"lH^Qs0hn^WDv9UCSVum8S)XsS 2K}Fٜ}MF*KpuSvW,:-79EJYl$ ?~?K.M1`ggԶhmC{MV!3Ѥ|M[\=n=ַꫯ~!I u;JJ|rlƺ0]`s&Nv<\ߜ20ib|"q#D2*pCpv$n $C !)J^$vcͷͪʐ~褌Z%zT !ʞ+}bn'Ξ=ypIW6:˯ЍÏ epEC!S4-۞=hT|<S# ̆Yf pI>{؛J~: Lt,˦I/Q 7nG-k%"$4W Ljx@怣aF-M}looO{ >[%6776U7[>~MNͬ}. ~?!j24@12svo??0l+ 5),pSM\NԞNM[q ک(KJG#DvQ{.V8Y"/y2@) !LAœlEng(r$R 9Yw9bCV[9vʏ{vhNi;;;>Ļag⩧VI۷fsf)e;L6 = w^;RMriyVm@sٶ͍_+cg~~1o;p8+󦍌ښ⌼oQkkx!<z/a$Rʈ9P*HxJ)DQ0 !d2AYaNn"ٛ?Hx^zob8PG$~p$'_MPNH1D1( #,FBw7G^>"BM`{ (CGC駟ӧk37ֱ;ex sٌy{]6y\9і3Wd#ɠa])|w׾7o|HkH7Ksi{4@N!@=0~ #Fe`\-6ܞ<'uG(JlKU$Hwz1mp_w{zwAM޴t,*sM][yk/ߏ"Ѽv,n@ӽ~>̺~Mhm`<Ov>xM\076dR ZLd%yX`^F!sJ$)2'1`̝q:ģ87Ԋ6z뭩׊pփs$7iI8+% g\c:1i<(1Zj?X\^ڨF^Ω e?X)Iܾ}5uq%\|Ǐ :!J 3+,`:PSύ„M *W_}s)8sV ^ %p.(e2\.L8,w avLdg{}>(g܃ĥidv=ۓ4lk+;~:G?&Dζ`:3b9H 6YvVL萭mה'gtD0ÒS=븼yu7^'I aXfB2yPJa4!MSZyO˲Ә曍^$,jZ<gcx Gj{.? I^~'&6N%+&Cx5{z}Lկ~wwwwkc?JۊV8q q%*EpؗTIڧ!bϝE+kf }?G){w}   UN^E͆oPZeY߫m/&^g5yM߬p=Wq|.?uϺ~OT@c'O9|8+mTh?04z?@ɏm/rq''ěiamooɓuW|æf/Y.jw3 le6AMKk2b Xp%`+4.vM9˽g~)t9KGxBy|2\R pjθMQ >C$~;/kk]Hqa5~8PY~:z)y *3pBȥ8s.VF@H JjD 1Q(Ji@TWuAK-߅tBHQ` 38=~hk$I92: ?Ǟy_qj.MS`ssNmyNޱ|4=n~M>J~硴&ã Dh}i U&߆UqXXC =L}l%İobۊ_zoz8X !iju\paܔbO‰'EnSVLvaVxЈ-\ДN'lM{? 
M54fmZ6m6ⷉQsȜB=|I1}kFnݮ_%8xTgW#E} DڔR51WO4b +8Fq|M| !.y^֨ʗH8ҁ8p`\G@aTn(VRH.DžBwo8ɒJc VVVB֚<|Iyr+%䓊+pznin|.4vH kSi-y?wYb믿|+gbi|Ϗm&~)D:.SK ;& :D<~?oJm1x~y&Ν;w(.{Jkkkz8vi`ś232w3$jw3T=~{4y.MpOos= ~T<#ɳ|i:G Bgɩ.˓J1)/˲C=@Ho|l`$u:$ާjեzdL&\~nݪ ۀeN]^1 @\u$Y qB.M7IQ* nV5`P]Z6aʙc޼\#9=>._~Fsֲ؏w=^C{sN\iW0/X[,oȟoA6~k_1f@a~5:G* ?rq8ΛmgbdN_ybtܤHQC40 x&c~17azЃ0lahҌ(H"%Jn6ުn-X_u2n潷d=n/heh+~}DQw}/ez\Ozv_sQܩ_72~{YpЮ7X; diۋ.P7a ^/09m^WtYLm3W8L7#L;C΅g8]yY :9S\#+yK+ŝ&r:>8x3T52aH{a)RIDB Rg1CLFR ˨䃧uRZK|}$6QDL"J8~!N(.&tL!^TYx5wxMϝ98::_f$=}^cZ=WYMv:T%˨?JK*{iˈ0Кqytlkzm^zs92 ύHu ce}~0ݦךtS%U0M+L;1M`ioϷm~^x7y)2hݳS❑,=bImB/EM6DDfty1DH'۷ rLP$YE]Dr@${/=!;T=9o}~DXS|>'?y١T"^7K^_Ư<71/S6Y_K駮7@0t\L|reK/wrSt?ҝ>? ]=wl ?ک]0}T񚂈Þo` { VsIy_H `p}_C<ۈȍ'JOHJ1xB9B9CFd@sq9(!>X-(~#&e>?ſy7/;|yqq1-4-w=ҩ-t;νԬR9?hɩx2 ,m/FE^fSO[ k$$e"cO^VUn7{nCtsV[{S?"k;99^vü\:9:>OӾgچi~&iEeCŔr 1f9 "8Ψ u;=jWBgmOPe8(QIֳݎPZc(WI)=8!H !y@d(%d R )@+֘J1`K=wi~?ͻ?I)noc64c5LUakK$]X8oANH) FL>}Dk2T.us !Sj ׁg&̯Y7߽;s>!}4]vssQ[r O<_:_מ{{MeIe 0F>";?t{jd?tsm8\ÌExyuyV jaV4/Gܚoםic%9p}y~N*O?禀0Irڎ9|pCN%tņh6m H:^GlqovJTK - p1ddH=y1hcI9RĻs9ɽ4HGJ*Z+tdA -4U,,hFPwg鿤#3.1vCd*K-`j%%ĒhIzJy&Wu|@ j+/h?RJ/s=ܼ`a`nu]s?s!d,sCG5B9wNY]_>˻nQp6\ 󥟽Spf:pΗ==7^Nq Jp>sğ?/'4,sN <':C|&T:V1@CH"p=D tP5Vۈ\@. " ĝ@X}黲$2`ntEwP ()H<;>؊*2Fc-hJR.A@,9%r(ii#2nl3 xn&Af(N(Y#e A ,"b@k$F9|v=apH)ꚺk0 !J{# B.[[ɿ_s J|4:|Mm9to={M"]. "չxE'g}/IU&{ ~g:U:L8|_ZS2qϗ;T.s$?:/>0CRG @ $d-еV/+B!%J(iXT+hC3r̥4"1 %4M6 hBpqfhJh[ڦF+!#DdA%G `$!fH!xB h{-dk)""Ā k%;7 ۞a+ )QFAIrKn+UbGv|m ??ayy>ίOSs>;L`RJk?._7㋋o6<웏㿎_d~7~ )luo_׸>NG;e>]<୷޺R .{/ZsC?mp:~0:tu0{QڮyId9/]O˛庱a g~aafoͳǸ%9LfM N˜ `wr  ?E UF˨fp zY 8`Z6 $RlrS&heBǧ jJZ !HF7!!8Z,-B@?B#,-Gܡ[#Z! 
@B9e6׃` {Jv aJ%^#ł21$diq#~qCǰjmVH)$ g4[[Lej] RH a8s/3}\7:ߦ_߬?9"4u#qpڏ> ߀R ej:lbH0 Oq߷OH1_H@B ޏmSaMO~C+j 4XE&O=bfGں׸s.G±0t VKI]iJ#;RJTTH!.Vm#/zB!2Ybz`.~\Ytہnױ]oѦ/IU"s$J8(8"B 50ggznl6x#1e n:J#!*2cKBHbO&39{~KwcG,uP7 VH)ޱnT$)ǴB91ƠBAQtð 'EO EEp!*²=&g 9 \w~3P/+a îGl7T!2EhTHjİ!d$HD%ɕ\qr«'@Ԕ?~< &ef{nO0'Opvv[o]} 19fyvzm CG?ǁLB޻ַ!bݾq[kd+/I)վRJ|;?oo֥TaEp]My^~w۶v;>կ~r}{<89g_",Ȁn̷e8/zSdN3/ONt靐s>GOYռ09@tG0Axqzz%ϝ¥uF ; }_ Q%2T d_#2B~(S0 4vq݃3s&L2W0FR,뫕j @Jqq+Q&8/)fF? 3($F*'e TY S)QZ,$n "b+E̎*DŽ1{eOZ~dD_8JT# Jyp'X0 )).m9g}{0 co*(߭㿵]xuܮO={=//}鹊imm+Uy]cs)%}],KҗWfuӼ9h!Pn_:!筅W ?D!ϫÀeKTJ6М7DuS`0wOL:|z`x}5o;+(S^y%ߴs;EkX?T^0|*uEHH12~.:Ur, k|x.޿{?q1ƞ:?YAcBZ#.>o&?S?bx8ONN.iZ'pR<+Ǒ{, :_җ.G *z|{ey|O7`J`\G"ti~C90pM??o|, V:o_W}Ca9zV >!h}yp6QsƔgc4I4g"~JhOZkac LA´ uzǏu]]_ԴE舶m &MHeкš#)zRN}?LI_&CdAB ehO^*Җ2>ݰ|}NmKnlENqv悾#HN)hb,B@u{gO1t=LGn[Rq@KM| ) 8-\;Nwk=!$ a2t8> @ I.-adL]Vw'%!Awcw-QZcۚ9>ϳ\./S0p޽wݎn!!aPp]ӧ<~~%K`QwDʃșGAcFG R.P0c*Xc vːrƾ<3QZrRDBa d#p}D i*:w D,9'hSa+er`l4ɲLh(b̵B)E0bo|[O>=:$yu#G?+X/<\W;9*ÇEyu]_[B@d0 frJ0w fϯ ֗%UUqtty뭷F6Ϣ {ׁ&*"s)۞7wZH6aalM>PӲ&3...l60??믿~+ 2sq|=Vbq_rX9i1cOt#L*C %OLy{rƞm!=r{oG]6()9"ZڪV18 <{aĻLe*4"bB u@,[RL q9`d׺B` ߎldoB7%9'OIiDH-vY'.{o04ZeqgΒeyGz+{]wl !@(cIAO{?|Us~28$yoBt:[HqZ>i͆nǻ r(a]VezmCLwy߹,kOՊ)?s?we[+Bҩ^7?wz:;l-Lp0Q0fyʟN|>>7 1GSϿo6-NXz} aiJ_ۨ2_,1r>ϼC`dEWL _z!x )c$@L?Hv]nKu5X)gj[؆ ;\Xonތ)AB"A $u #}C9#J[lhmڢ!G #.RE,qcld!M&2v+h Բ$[_q`1U[QWfǸCb$j`;~_J A͇?{Fq;Jw7=u#ǩulx+>wW柛g ~pttĽ{ 1;w\V}46 }?GqX=s{+ip]9_y9G]0{5łmY.7f^OOOy1|S i5ʂPe.s#1ERʸP]Q %K} њ$JR+RĘ THcYKRHƱG kczDFz߶(zm[hh!t=rEr ѭCQ`j#VwNX%#9aĻ@&gL2I.b82=޻9q'=y-G1'G-AMTpc Eq8>[͹uS/q3n0 <|m999kQ!{B0IrjMA|HΙ}m{'stD%oж%i_;ܱMUzӧO/{)%ͦp@̮.낚 ue!6F4m{)<ߧ}w9d<}+`~7qQ3F"Dy6-')I=H+H*LQBTd! 
Rv > 2Bg(CRYI> 9Zf=]AG˅P-B e?F,E<^w=60vvu,Vw8{kȂэ~X/!oC1l\HG0P5I D"1z\?x0c nRƹʵܑb*㿵O>RVJ>N0do̗1_lG>DXϿѬJwl6l65~]|A,}XWI2yEӧW7Mt=?~ܾn__vyt4F7nʾor/zϋ3?g۶5MC4WJeNu]ǣG.0窕#CYUZB}(' Bt8I1}aP&Z,!;{Ђ^r>G%1J(ѻ.`mZ*\n7w7bspk8軎bjn>SۆjYsul7<~# Rmx]3oq#/ ˥ݠE$ sœ0I7,;GeM gmt[.*UYT7@6] )f;Ti>T}ʓ'OxWTspa$OQB@1!)X  bBkÉi{'a OMYYk(\)~mC_F`CY-^E1x`M ~DȔɸLx\ Y9:j99{!7\ z(A29]@k93lMSOǚ݊1'oIw#BIlkQJ?d02 FbfUMG r0zȢw5}?j?r5uG|lϊ伦rskDmOe)(W &Puqd0 eaGΞc;{vu퓛Z*/s0vSq齫ݣbZ]MMAu}b9;;yIݰR]z]iu P"!FHxR FW5)Fs ]+<}Z^Th R ]l<b`lAr?OU20Fޔ 7>uEI{wFi8` $]i%Čڔ=)q ԵA\7LkhZa`wR IdBM lڣSkK+2v0s(0udҟf2yy­GZx]\_60_/,ΜGYٜvʖ=CVτa13p h_7hyPU% 4:79j1DMyabe2?VMgggrzzzYr>i?^sgDe)ANV32\ ' S`L(!E)"1~3E][RtnI1`7ZXK8^ׁŀw3!fX#hږrk,O^nAK#umIDٝ3l:,O MY.ج(ƴTwZV[Y?[wpt>2,__R*R#],qDjUў,ZJʄc_^|jXs$CYS'uW~QJ"|6zS9 꼮KUeph7U^`*_[y΃/gާH B8p$lUajE*.2t#BRȐRiw( g !%Z@QV~.OunE~_ͳG-~Ԋ7^tqDZ(]cӸ]]ח}gcueAӺcd9g|U*7^v&uas8?ܘGqqqqOOO/i B^v];Wdd|T/<"f̝7YImCejPAIEXHw>\"~_Z4 |z3R& ]2몡jRNCO#> HQrrt4u+QѶT|`{;}LӮucJW/y68&`Xzy{*pG2gӇ#e2ޡ*IR '"(tl1ڒ2'H 7I9_%\* c TEWFSսHg$Ow:^[1GiʧRmΡJ)/`BWU%EMЇq+}m!}|]*ӧ8x9?~|٧/Jhh\wrn2tRBfIL|FxA"XziЦd" !RjXQbL8"e@iCNMʸ/B:>]BjCc+c ÎR !1FT.mIAHB"%8;;'84BrYS7V{i@x9YZcTͽ7ů~QK sL1d! &b.->$Hɱ|P6uz"DΑw +ԢH'L y |La$H U+VEY԰,G3g qK{\jVaMJO >A(_;t0Gmܔyʲ__tn9g]?/{7XVhRrL-\ ӜHYiR"ijg=2ősǗ\ / P> XF|^ܴNӎ4a QMMB+4IHZ1Jdi,H%Y *Qyb9B@(]GU=] :ȲT$q" vv)Fd.UE۰:ZQ749s1 lw7܀lٜ%mŲ҄1w#~H#A)iaYov1-x`tLie)B,7X@RL&2kͪ^5TJ+ %v;O7D;{H!  f*‰\O>J3n6e&X^?,YOU믽ڕh(MϿnȏZU8*2V|c$Kҷk;5$qg72W`~z$Gׁq,]dxIl5 JC%K_!"*2b#0BHEvDFabtI>۟k $d>wv4Xkz9EECp 7 cΌ?tqH  cK#n(Elm#cՒ9ڻ3]dJQ-$R~#9W2R(Y8iOZeM X_(]hkcxwH  K__ pl~'eו?яT1쫖? p%`CJ?c4îO) iK= %Qx\߼#E >HMϸ- zcfh ]h"K$#B?2{yO?{Ri2DKg<;;eGO[۞n<$QXc*PH󌣃\2&@Eg"d()1FdmV5ӱیD B[[䑭nk՝%gkL}Gsd1VGΣ^V;2nuZUt2XWO8]#gZ{ս)NhV-Ukw~E$)&/6 fշ __J_O_n퓲dHRj0WvO-E>UDl&""~L$/Jپ B1\$E($"9D)P#B`N-=R**[0ʐmt8{b?ZhJ(vQA R)m%1B4M9^"!.[T%PUb=v qeEXp3wkLkY]z]K6gg;MJCHEg5hdOƣwdI2TEY.,+ .:s9G'+.LZ BP%'"N$<lF÷n &?/e?z܄'4~V?"TH#<Ȁ5J`#Z;bl ԄovAB3R&lFDi$҈a'T(eQRHdTBJ1>}`UlDu$ ! 
Rx1@vh k&# ^:YdA0m6\)F+Ւv$3ε+uHfo{g$ 7O8~m2$2,[U44)@BG ciTF〪ئj*2aٝmٞo6[\?rlS %h*!䔁2(33|X[OԮ f_ODZ+ӑ\E#(+RP эk T=6k rYaH.?¢]F/5au: Ya'QʠE EN}$Ԋʔ~ TC\*DL3"KVTzZH ρ<*]IS(*Zg8B &@Un[rrH#!er{HHtہwH '%EXH2il6E 0Lv=ȸs""kh)HIǍFiCL~]~zlðpcRZE-1bXnW+E(i27gvk=:@ !ҫ.5 QUxoze2~\mGK,)': +A&FG5um [ PcPF!)0-ZֺY&fh9eƍC}kCF(+C4X]&\YS.@j8ݎŖ(!IjQ8Wz%b̸jG])lmB* 9buBSZ JA hTغisUJT?d ^xk׽q{GYD_6GME J?+nz)Rƪ!JPvV*\E'5ƃ8G FRՈ,F! F`lKVVSv]G!$HC*8!D0 HH*MHQϻBP/,+OV "Y)lW4##l$l>)ǻP rPYZ  IEcXi>yf}}̄1'+_Y_":v[sϳl 1rp wkICbeugBHr ݀",Z =l :[m uR2~"[-L,hB-YʼcB$lPDk9&B[i疷T-[99z%h*Y쩷S&Ed+e >Q#  : $PSJ# HJTƒL1R_FՒm@-Mjh][]t]%$Gn 1Z.ZG.K}RmMXd܍ȦT Kudh*Iw8~9g=-gc:ơ&" ?Х{k+0u]2ڟv 0eržY Ts1SBiK֜ܽK?DQtqH#B`e)J Ph)*m4`aNCLUrАGR+5h:FF`ۆ"]/9W@9!s&HmVPRhJe  *0F,,O !"gOc{BJ*%(D LOB]t\|&HhTU8 RR!LRi%DQ #HЭ9h65ͪ^?߱>S2)1M)2 PFR?3>o}*6߬16?.GE$6FտI\)dȥǹ%ZS/jVG$GBb{CYL8gՖ HXm m$)ҿ Yd$"'Ơ„7#n b(ta',juq$V*dΨ)i%C.-ke,xM+m#;1ǀ;BIFS5U]Qז%J{#') zɃaFBUF Z6ڐ2wo4zH$B*IL#L̞#9q2+4R* +b,RM3ȉ<~I1ᇑ=h+Z Yc»@UVwԕA"HߍPH$)οnfN:B[g0,!}f hPZM)CY|5H n{V>Er/ sgC]beEʙq3P/`[m-){gGn@js?:P!$&׏@z'jS0QJR~g%hO(C/{k?X !VsGR*0Va{ $euo&Drqvnc}ܹ:78͎~;⺀YM|!SV+#;>SE2ghkR=1e>v\ӭ4Ͳ r6(#Z+Œ"f艩,h[EjahW!wxv8j6C5$Vw[eK{TcVS5[cJlUƒcdFnd  sBW:Ui-x~ObQC hiB(m*pu?FD>#)a>ټpo|N3Y&r6"G(-9  gTUsB4z)f{!)C`!8!3"nHb#9i pl7 ΍D @c bUJhbL0B \}(oJ[mK[7,-r9m; >{GT2~GHHhW hRl/vcY#Z6d)H/TTzi)!tI;50ߋ e0FQ/,)沽rĮl_˴-8g:9*@QeZ++9&nv-[JoS1͇toZ~>]૰ 7=e /Gc{V~2s*]9;P(# gB("BIR(eS=n` h$Fh'+A<0IH# Z^اP ', Tmna{eȄRqHLEZ.j$ ?2:e釛*B?Y"!4FRA)A(hV L]CdIqlv#R63mG ;GN-AGȩ(Y,@.^"gg،%؋ %V Cm!%B}/<٢k ICԘ"M c |(dN8nۼg7O{n> {.Ɍa3MdIDT޳\zͲ%8_zn$HNvdQ^L~$ֆfUנۂW Ae!7z'_jlS&'p}@т;!wa0F#/ԶBiLndv xGR)S*CD [leZn{o; )Pp3@ H)ˆb6XJ]AS˛2LX8E{R0pޚjatk KȞ+"T cL俻)8ڭ}6AB|f(_J/b?U3X\Z"cBf-)eV,Vg E59=p%Ď~ҟv##uDĶ/Va! r^]UV,ۖ#Ke{9X V;B]-1>G!*Jq?ߍ}u c6!]t6zTőE[H] b(M UkV_1z =i 0zR"E?_n:>1 ڭ}v@ĸqMa9cЦ̘wv®Ui_Z/HQ$B*rE>K`,.RR`j |"i9RK*S,aqR5MY[C";:Ӂc2}ɲ]rDmDQu@ \E $PtBW5vJ,tYH)FWxC,J7D!cvQ@}2q'Hc!! 
m4Jk%R HLm(1rB ѕ!@.@p>1v+DE$ G~~ Of p%w0 qg?iY4~\Q2{o?Y@q.E"FfZG4mJ@L()&cՀ2X5cH!S؀Қ1tw#"X,L]wό 8DEM{ %!dVA*~íÙí#CZJXJaH>AJx@P;?=gʔR{bq$xE9\u- Hm,;'hY9ߌ;Q5E>x(wɀP 9Lu2cp/j,eM"mNqhړ#~3 vMA&EQ1M<9g/ms <_>1;lH@M ?)k "JHEQF7#1PpMS935ݮ#%Pzg-U]A.z9&* 2)ΓCF Ab,<\!"ʄ!0l  MmVf?W_x*Ȉ,qCP/L"<7td) {GNg3u/~=#CjCV9,Ub"au<@T50beX)EEp)3!%B98Ę0B6m4BO Q6$04e$( K2" rJIx1v,tiLJ%ϫo}vH$3џIfOq&~>eI|x?J4r0pT^j,F+B㧸GTu]p6kvnkú!*ϸp݀`1pqպ'̰ ޓR=nN^;cN/֊]GNa?( YQcX(^}$JP2?F@Q&t0(]ړXm TdEg;J&jTPRh&'=9zN+mOG\HQ(8 3ywk9;TG~oJO^*_ܭ}9-U+1t#briВmvۂ=U]( }aK1QM%` \qL4 cRLOS USQ5Rk1<ΞlHx9a ҞNWf?Q8$2i4{ی$02B&ńiUeGMf!~DFLpcɻg!`*[薅ی<}~;"@ʽXAv2bj'(m)$rch bbwcwEQ0LeԂ渦=H]i㝜s]~}wϧ\f7íOɦ`~fc9*^D tks=%0VkTDbh`\ض1]HL~>@M2c7[؝ ( cR9#65ѲF3v#1))'l<6I΂ziHW9L})؞m /\rOƓ31FP۔qHSiLcPJ!DjT U &|%hPC QPc"yu=9 sd"$(!BiߙZHAUW!H1"A=HUB K[bxpX3{6p5Ǒ9τ[cԕ`/CϿU^}wg?6\f[FOrefT1* zD䬊؎hijEh-R(?2c7vrt mڰ<)ۀ:D KTmdE ȅs(-ѕ»N9qcƌ=^p '-}e!]»Ĕ.ɋW%0-Z~Rbmn%UƏ5J4~ {G!~#î/\KJ` Rb-'g),pI!qq*X eq?5QfKd*+,nJ3͟;tW/o^??O[3l'tfOKor1nglGPJ (Τj*,OV,*cR @W5Z] lFdE0 %+> wTMbP/*eEՔv#xGJ7 \ %zVۥ(э #Y\@H@3a,{AEtyLr)5hrPZ\b \ܐP&S!>r 2Z x7ߖ nD%јJ#}K6]itmL#B6+@ ؏99ϧ*dR+>Y$0 ڀ>IE.k(VQUuю`bRYVD؞w.mEUo"" >F82,kQlv6IZR)v#Y%.v񊪭QFF|b`h,'e4h%BS/0ņnKD{J]V4c@>"T,s{>(.=ߑTT0v}AG ):fm5xG7 298nEjZ %~i!X*VB9'hUhsa됍xy:ig4>j 0&I >|ɀ}ǭ6d/Bf+6RR-,BJHpb$ŀm 0AĞbE(LEϾ!r?g Eg[s?fr/6@J ug9Mo۟4{N}/3pPG Ks,Q&E*"4r,V$ki ;Gh r,[Yb!lm[WN"nH2pbI]Y~D5*,Z9̳wu7|Q0`T !#H?:gk66\<>{OxcLZ,N2Нw 芘 bhDqTb(1251܍!2l#3vT,R"F!p.E퀩4q !x8 Qqܷt|iGc[:=jv܏#@[j5 >|c4_[[d8HZ83>)=aAF*22Kb =Y.km0dbO-4؅F!A LCIO.KX1 X׎<\̴+-%#@hI.Xs{,N( 1#GJ7[.s)?S?X44ˊI_ [+/NJS&("12t7R,*}hQH-C&@ zbt?`c M,4mM] UqWzEu tBؤ2dܮLi@F/O|@O̪p5(wç?6+5oݪ6uԏ|WypԵf|BHNdA}԰w4+lS# @ޣn)h7=g?<)chON^?fyY4pmEVESAJYF2[o!b>plG>`սUU;=itԭ1T Kj=gP/ZII$i{7wrꮮnzZ 8 A ̤ & 0+G' Ȥ1 0p@ztwՙ+7+Oψ2+;fnK,g?Hx F%B#>q[e;+A B"֗O}3`W$@|~+_ʲ& /^&ċr~mR"@,=$ T4D '=viH,ZNj\f=f~]tyt%'bLY.fIZ%Y=dvsef'%Do#KGӒtL1cY$(+ zAs~Fb`yv4sBYp9_Dn@$=#ً퀝[92$P(Dc#} (#(Gal.LV/BiA1">' Bg 4ݧ),% ]])$B!saJ?yd/ |w^{oL&\xXgW ]6~ZCЃE  DJG1L)F.X]6bMY\d=Y3Qg[@,₮?8a飈. 
J%pZaB$`1+DHg 's _Hᄣq;~6;QeA cNzU2"H\Nīlv1)džѴхY(&GIVW*y:u$hRoɚD{O IJޘ]h|밭chIW;RB =Y-BDpL*VLƌG]}jUhFB,3u%[؝og`wsBO^O50V~oܹsB˽8T7z_<6'&H 㽊Eaah='RHV)DH>O.(P2*0:RUUz te;'uZ:GK?>>iل=f쿲=q.i[ԸfI{>=>ggϨ.k(I1+ߚ d)ƆRy`q`JiLe]Huݢ=袠b\ ux y4]ilWS&Bta.P+ՎJPJ²'܏9k('bVPNJirB@܊XH imȏJ9!wZ;7_ /`͛ lu[]|:wނgF@N#hc{Ƴ1h T*!HysԮCx.HRm rT`]Qi%h{9ж)qYh1&ov$=wdI:s9Ǐ5) :b HХAWR }qRb%iERBx+*j1֎va\WN+RBR필H9obMX9H`~غ.{ f w >ۈ2.B%ʈa~ppI%PZL()Ln4M)ʂjTG]0zo-iIНִ5$٣= Ӓ;mT3Mgs柜rvO8p)1xX# .DZ I"-;MHr^}"E+`=rU ^tu\ $b Aj02{*@(* 8?3ڥ;.w+ȋSbK@D򴔊͒ў-~g U.-1r2d.Н?<)~a:>5LdwݻwmooVMD`mq8*ߴepmU܇͔/Rˀmn:TsGHJ4RB(1(\k~?si5DOR ͱ("FL(f[BȹR ƇcX5Dh H# Al6f" Cٔr$S\7$.abH$tWDeݜ(7!]Wc} wgoſaGvxAˑߦQ'|w_y,ouɄ?mxY>K0#Mg 갤#yOHxq.𑂐!Fڦeu6 v+wQM.Fh@昹JP6d;!(J2+I1,NJZ'Lѕƻ.|27 ])4YA5-T*{;!_J h] ػ@YXHE )5`o"}4_߹sW])xSl6}2I[`e0~Fۼ"OKx^6rO)/-r/;lZ%R?QM+ns-n11䡭O攓s3H~+kyO-yuR2B,;Dˇ?JR ) (%g oAtcnjJF7obem4&":곚 LnM(cʽ1{'syM72yX~|Y,%e$JiR[Bs(wCdR$d!PI$pM.B` 2ǘm&F**t%qwx[PNJFc8saH6&Y ?FOKYMMmw$`}@?OakП~w޽gٯ !l ׯuuD|}W-?| Xx#UY*1Ӄ {7cvcl*'YO[[#x6A,Cn.lRr'<*}n 6R{l J( (R>7FȑB4$r n"Sjr٢DG{ <]Z{4joDWwMMsǐ0UITa21iղ@ At"1o z|kЕDL9brnI}RIqd@d}!S<$s|ZIGL(% |Dǻ)V9@~ b!ug"]4l cles}(x޽{:*P^g$6& &MWy1x0d U4 T{%8uۇT3 k?9]8ҵֶ4KHg%qxj6qxPbisg;1 "YhL$$ee(fyK8ECwrZRM5#7ƨqA?3oӚrvxi0$[n?)&/:0Lqֺw}TU^}g:yrFtSܺ`M2ěr&0(_I @G8~S"!frYbvhɣ-IIv )}C YMO+T!)D΂uJ.h)`j0PYEy(yO}h<-'%*Zw-J^DD=1AbD eJtUyT.ʽXU v1םu65xQu'| Ĕ{" gKZaFϒG qձP!"Zɠ+lC"/q5_yʄ~wo=Äz ~On RmG?x[tcxRoؖYRhbP b_9ey)fo(T]XqD5[tmKִmGg;ֶZijx4 s柞" {~pA}ZK!Agw<)"u|pvhZfW jb;OZDXu#$\r;`I17-ݢ ʝp AeoT Y(.;cGW)%)s+bH%Nm qApS ʙF|nѪ9]hY)eџn{oGےe;|Y6l mှt@غݻUU!6z^ga]}I:>kKF;9 ёt !E #.1zLe"RB!&ym]Uk]& Yyi "Pr<>xB8EDZ% Fڢ1}s罔*HvTF D.y]$,6t#{R$IpflSI)tw g` XRr$i4:$B!E:⒣9hZԘLj| R(pR]S J*}f"IDATCF SѺ\!$zQFD̐{d2G7qzϳόn^86[ '<(zy;w~a6ZeJf7eykB0 !l؄q?e%_fv`c'&\5Orq݈S&-D(Fл:ַnim]FKfV7i |B Gj:a"i-JjВn.{: ҚWs,x3)05)%\h4\v:%2 91O)!"$nhNLㄩ"N'.He2`s 2dn)__^G `^8iC^@O=@@=x_7ղ,onRBtX+K*xQ43/Bג"E :׵@HlD&YF(PF^dZD+2E層t$pÝ8gIAr|N9.A R5{:W6`U7,s:[I"ō&J!\%4H#/Hm\*$¬!MDp.Z"@Df03+H TN",$Ќo(R#DdF % JI|$O$)Jv:,u* 
Hix54ey"DH`S.@ONs5^7_uݾͻwyΝ|W1BZyd8M>RK]"@Fe5.׈DNDSA+9k.-q8ESPEF%1lD9)s[h$)gD}r "#(7q%vT]n)@Hja)\1!+ѡ1;%cŵU\&xTjX~ji:|ug>w%l3ֈР'-,т*%QLnC9\hOլBWbl"g s*$f&)*E9-;OsBdLbVy#?v۟G:J K$B=Ξ gɅU,dPE[O}UFbm""4 r]1 T|.,ˏ#n~:fPe.F#@ Y^Č4f-;yJKTrA (RsBBĈk=vi3X=$= OXw"~a'xgJvx)T`-D`P:7@oD?{{w՛o޽_R.vb`CU<41҅UXcႵ|Fg6_!&9H" ;w&bL[]8õ r8@WNkA"%HJ9~.[t,NkƑDtA'Ƕ=+G|CzՎwuS@;)F4,<")dQn!FZO}Rׯ5R5Ko)4ʈ\n%P#iBQ:K )I.ҝ{|J!+JvlΰWJA H2brO3Yf"2չO].bW{RK>kOs|@9!wt?gF2 De݂椿[gwxiL`-a5fz`M j0ob~o櫯go޼gk} ڰ*C'}m} 0öNʀ/^!(I$[,QMȽ3[Gt6!()N h#NzEG3jں=og=ZA\f^IpΓVoSX鈛nQge!ŋ;L UJ8u`Z@XkW:. #dD!b9JP!0!I*X}){)|LЦ$Z$V {T! 6jǺBp g=;\# ~g뒿c~=y6t;4x.6͢73П O3X.y{wÃo|߹w/)cH\:_`M|w60D%b[RdS(^]T,HjUV'Clgc%VUiBXo=YK`$ Dee˜mkZ:pCknEh=R6.xΞ,"gڡ+)52J#K]z| >xx9Ϲ )&B')ƆH/'q'D>FlHbL [Ta[T!( R<`J}qV!B@H(Y@LdL+A/Fw#>de<Mָ&6jbONNo'?okpttW{8łBy. Ceိ i౐=ۮ`I6 @7ol1ɽ坂VE&!$rzHV|W%%y0kCΒGfπV,'c}&d&AQ|ַwDVє[[BLRL|MmbvGĨ@UaJ.7Y+߅γ Tl!ex)P2aFr ʡ!+k!T"9 #BmB_1o&^Fs߅ܡ/`T(Y:վ#zoED'R!TrEV]}ğ{'˓$`8^J|n`+3,x<4 7qK0$?o}_̍7ZUU^0LW7B%'/w~&7I#o6lӜa<}e՚Z'b I T)Hܴt "3]5$Xc&nu>ZSjY`!h[Uqr2DA ѓ|#MUo) )W hTvKfaiNr+_! !^ܡAEdqBB O7FRN Q9'Aew:b%$DGf!RIt%0R3Kɹb&)@0{qK`Y0zhOx7d~{$`΄g0CO;>A`~HM`~HԖ$C_}k޽{7nܛfwFѡ1u7F|Ѷٴd=-!.?`[(?HIzZsz{RWZoUq$FjODGZJ’bBF,ʣДp;B_I[]ԧ Q>LQ8ص|62)ek%2~6 嬤:0>ڕ{]uB 6nOl sAS%ZH[ J"R YN 6 ,ar!Wft](@PL fjPZGik<3bZ%2hZ~?_<o7LC?T{eK'} @_a`@ +aawI@Nov޽fd29E)UEhw=ODnR!o?l{&-xa<!XCO۶y4޵&R7u˛0KQxJc|ӄ(]RI]lhmjm1%]jʉŤ(bH5]Ϛ:|:؝?p- ?">֏]\o_.J ʉia%+L ^,ѷx(dBp̷؞:{)&e*L,,c`dBJ"hP(d.[+ =sJQ)ZO{۬qCRT OaNWkH66}ne"kl _ 6 uɺMAs5D@x7f٫Uu(iQ{UUBیF~ק5CBOK;.[kxm?7YI$o =]BS7 5II r&&[{Wʽb&(BDUozUv)FWLʧ6u[&[/Di:6#;z&cSTrdJ|v&:G* ypu.C1:EK}yз8ZB&M!JH2MJh10S{R žiLɓY7%.[=)X+M"K%uX?r'{ApC'ﺉxo× qICn,`2oU6}eqw󵔒{kBUU^Y5!Ƙ}  m붅46}n!s?YCum{iOsbmi75ZO$XOCw.RԘiHA@VwսFo )eJB)%.ԅFd^obJA13bZHDC)]|G{݃)y6`iCsq!U}?5/M)eUYn-= T¬1;]hklo}(ihx/n {7 1ƍ*\ _]/L&7(򶔲^/գ6k[oBڞ;.v^qJ)-r9P-^:6}~]~ Bb@SBGz==Vr 52c=2UnR;?jߝܾ8J=S=B jSޝcI$'t>_j_5?PF~E` t1ƐҪbAR U($b 1:]w6ΣХc_qH$$!F 5SQ}YrN2tNca>_o/}'n9=fMN{s/`Gv>61]l8Vm5޷u8i?qźbݻA~x}9Oe.oggVTZUbdnrqGBJ3V7HOQ1tnO?q??t? 
uZ"jD u:-ЦeFj*0$/O4W#ׄN_K| JV~M1SBjMѥah$Ф^?$*y_jՖO_K m+?v;5HebG"vx` Y*Rp*͐?dx:MHל~Z㿍\E%\}ù =V<5!$Z1S531-3:Zħ4I}AlS6nj(-Sn2xPA.oo_J))D.)Z@<QrOc)>f4gtmҶkkعM"'O>!#v`>_K]g|}ouIF aöMq vF%p=oЀ벷ӦѡT6UYq(͑e&@(cǣAx? u\' ]eT&O&"`bZ*MG)t)Hih9tT'Qkz2r<tU8$%TY(§ebGvx&U#mag6/3W}ߦסl~2X u_&;\1FD`=T`x.d(F AmhM]6: ?aGvxO5Oc~1:#>wUǦ l1o\憾?XgMĻ*OUg5;_i\ϫ6u X>˶Dr/V<˾>w\Xy"y~tzQtZ\˳?sqcٴm۱l;g!-ϓtsy#;l*F ie>;σaur/eoZ޶<_σas?OEIvavbvavxٰ#;;sϑJ%tEXtdate:create2013-06-19T15:09:21+02:00n%tEXtdate:modify2013-06-19T15:09:21+02:0039PIENDB`fwbuilder-5.3.7/src/res/Icons/72x72/000077500000000000000000000000001303637203600167405ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/Icons/72x72/fwbuilder.png000066400000000000000000000211541303637203600214340ustar00rootroot00000000000000PNG  IHDRHHUGsRGBbKGD pHYs.#.#x?v!IDATxkpdgy}ԒfFIɞG0^ok(vmK%ETHN Cِ엄T6Jl lgs5]/A:\<68ꚞ> ADž `E{%K|`}4|'4M+2~75.4z?>se ɓC4I$HrkrP|ߏq:ZrL\& 쉉 Hd2x O?$>qXd۶mL& qe!IR2RYYYAplP. t:/vm_8@Qpl*bΝng+l6yhF"{/ʹ3L[Ql $1b? <{Z-ɓuUU{AzϞ=?W0>xuݟt/“O>) yy O~CvܽMJ L';?080{uo @$I/jLӤlyWb(癮%IɲKo&BִmnZFufyޝz?tlU@>='ODuMs0֔^z;TUd$( XLEqq}ӟ0uq }DQ@$UC HR$ZtCc\lzw( T5&]^缑tB& V% DB u-A@"@Q$b&/?>C7>N&d2 LL%tt&e366JsqdYft [U\{5MӘ,6ZvM&Aeljn\ulj" 2 EYd2d2,LM? s6mN(eNl&SUu˅`Crnp멪JRaaav{r%ihc=$I~Uo} lr;[px<Y|$I8R\.yMq}122BR=zb===4Mwap @ݦ`&:JV*VB@P,R8W/֭[f˖a ===,//366ɸ Rh4PNW_9 E˲t:lڴl6K:fqq:sC4M&>?yއeYZ-<cccJ.c||9J҆8JWw(@Zc GF[ ^4ϬVo )<<쳤R)~aDQ̙3^:7ҷmt:DQD$6|h4)r<'x?Ɏ;,YrcYRըT* 6t:evut+M7ٷojEQ" mufffx(c,.[(F״, /( i"IT*45}^<ϋX-dpa`)IR!x4IRl6\r%R(d2b1VVV+"-uGUUx+x׻ɷ M-=ZJi-644{ii IR o]ץhPl64_ c7?ѣT*d2)ٳYn64xUU hR/rTRJ&J%癛xῧ^tP5(J:u/ 3'/P^8}4+++ ~NK^LX2,k퇡$Ia8CR!FFFȑ#ؘ<55aE~IJ l69z(miW\qj5"QV$* v;-T*oeQ׽״AțIOO{aiihN>i\w/硪*ZNU;SV4M60>>N<,"J4- a_(*o6qNFqȲ^6%,_K|dN'ݕ׳3N>$I>}{UU? 
jCQto6ukoy,jys i߿\%\uUQT-IemKacYaa.7t:\~t:}QFGя T6I(RTuT*P*{[nbeL,>a300 &N:,(Jt,i###d2.R*Z[G鉜q3B&^0bxR "dL&C.Cev2L(PQfFf}Eℎu]z{{1MB@a,--ERŢdEQ"08[d)J  @UU<ϋއ7r p t:lێ@iyQo@jQK~.6$Q,VQ"8\DYm椓ɤ b MӢJk' B2 #bD"AZ% GI5rÇiZk(lhZZ-@daaaC!\u#344ڶt:uaV(lu=!@F0 W~Nܲ,^~eZ###\ODlwM7GN:Y Z6CCC (X (Q愺c&wZrޗrOs $Iضm[$ɲ|Rdh1@ry^넱NXkSUvt}LNNt<+ߺjO~|uI&LNNL&YYYhN1 #ZPɓ dvvoU u8p\O@>'&&v(n$QQ9zh뚦eYYld-iR.)JZ(l޼|~-Q{(V1 k}CHDՊ(αc"ӎbd2mۆeY޽;rnx)Fy^C[yơCujraD.6.rL!Ԇ@Kw2b-[JcrrF+ǶgU PHE۶9}4Ǐg||k6p[ ߸K!366 m,//ߡ8bv=@ތ뮻u2'NT*ND" oGQjTYH=p;wdݼFJAqU2d``YY\\֐Z3Ze*IjN]'p-CiJtd@x;RdPmbXɚNc=կrQwG*n _eQբD+V?B_notzGםܚI.cbbzm۔J .!ʚWZN~I[I02MT², yBu#G| ȭ|~R-4#Zڀ{Bٳt:]<, vwnȲL<'JiZF["0"5lj6pj8g' b$T“XN< TKcv$u}ĉ<3ju| f :H!LMMI>ud2>X]]/PDA!ݮwFz*RJ9M.QeTtzNPk1 2(q5WI vHhCOmǁmbwݴVE;PA4P(0<VIDZ*m;*mFFFwzJ\!6B2$#y"'!:9%K[4r)U/7ͿN< ^($¾Pjr9,[nЁ?~!mwœu7|*3<#P!cK+ C)Fex<Ǧ]ij%篁uB /"{4 &-MMMM razZG~65uX̧bX4+1 YvӶ9 Dc;k5dPpݻW@*|rŁVO$|g=Qò,ٶmu4Ml]uF0m?Eszi-}n_%QScz}œ.W3/Z^c@i7^@g%x ց kzR':O)āa-WZe-w] O_\~~q\nUʓot@/7겶Zg(CXF[m8qθڞ{k͗ HRLg%tEXtdate:create2013-06-19T15:09:21+02:00n%tEXtdate:modify2013-06-19T15:09:21+02:0039PIENDB`fwbuilder-5.3.7/src/res/configlets/000077500000000000000000000000001303637203600172315ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/bsd/000077500000000000000000000000001303637203600200015ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/bsd/bridge_interface000066400000000000000000000004501303637203600231770ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. 
## update_bridge_interface {{$bridge_interface}} "{{$bridge_ports}}" fwbuilder-5.3.7/src/res/configlets/bsd/bridge_port000066400000000000000000000004631303637203600222270ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## $IFCONFIG {{$bridge_interface}} {{if stp_off}}-{{endif}}stp {{$bridge_port}} fwbuilder-5.3.7/src/res/configlets/bsd/carp_interface000066400000000000000000000013671303637203600227000ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## ## CARP ## ifconfig carp-interface [advbase n] [advskew n] [carpdev iface] ## [pass passphrase] [state state] [vhid host-id] ## ## for pfsync and CARP see http://www.kernel-panic.it/openbsd/carp/ ## "Redundant firewalls with OpenBSD, CARP and pfsync" $IFCONFIG {{$carp_interface}} vhid {{$vhid}} {{if have_password}}pass {{$carp_password}}{{endif}} {{if have_advbase}} advbase {{$advbase}}{{endif}} {{if have_advskew}} advskew {{$advskew}}{{endif}} {{if have_base_inetrface}} carpdev {{$base_inetrface}}{{endif}} fwbuilder-5.3.7/src/res/configlets/bsd/ifconfig_interface000066400000000000000000000004661303637203600235360ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. 
## $IFCONFIG {{$interface_name}} {{if have_mtu}}mtu {{$mtu}}{{endif}} {{$options}} fwbuilder-5.3.7/src/res/configlets/bsd/kernel_vars000066400000000000000000000010471303637203600222410ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. fwbuilder-5.3.7/src/res/configlets/bsd/pfsync_interface000066400000000000000000000011051303637203600232430ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## ## PFSYNC ## ifconfig pfsync-interface [maxupd n] [[-]syncdev iface] ## [[-]syncpeer peer_address] ## ## for pfsync and CARP see http://www.kernel-panic.it/openbsd/carp/ ## "Redundant firewalls with OpenBSD, CARP and pfsync" $IFCONFIG pfsync0 syncdev {{$syncdev}} {{if have_syncpeer}} syncpeer {{$syncpeer}}{{endif}} $IFCONFIG pfsync0 up fwbuilder-5.3.7/src/res/configlets/bsd/shell_functions000066400000000000000000000020661303637203600231270ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. 
Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } {{if dyn_addr}} getaddr() { intf=$1 varname=$2 L=`ifconfig $1 | grep 'inet '` if [ -z "$L" ]; then L="inet 0.0.0.0/32" fi set $L a=$2 eval "$varname=$a" } {{$get_dyn_addr_commands}} {{endif}} fwbuilder-5.3.7/src/res/configlets/bsd/tools000066400000000000000000000011231303637203600210610ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## Set path to all utilities that we need fwbuilder-5.3.7/src/res/configlets/bsd/update_addresses000066400000000000000000000105241303637203600232450ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ############ add or remove ip addresses of interfaces ####################### ## address (argument 1) is in the form of address/netmask, where ## netmask should be hex represenatation matching netmask in the ## output of ifconfig for ipv4 address. 
For ipv6 addresses netmask ## part should be given as prefix length. missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } ## ## The list of current addresses is taken using "ifconfig $interface" ## command. Second argument defines address scrope; it should be in ## the form of the matching regex such as "scope global" or "scope ## .*". Unfortunately ifconfig prints "scopeid" for link and host ## scopes but does not print any "scopeid" parameter for the global ## scope (tested on OpenBSD 4.2). This means I have to invert the ## regex match logic and skip addresses with given scope (this is ## different from how this function works for addresses on Linux). If ## any non-empty scope string is given as second argument, this ## function will skip addresses with this scope. If this argument is ## an empty string, this function returns all addresses. 
## list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } ## arg 1 is like "pcn1 1.1.1.1/24 2.2.2.2/24 fe80::20c:29ff:fef6:bea0/64" ## arg 2 is "3.3.3.3/24 4.4.4.4/24" - list of addresses we should ignore ## Using arg2 to provide list of addresses managed by heartbeat, so that ## incremental update does not delete them. ## ## Only "scope global" addreses are managed because fwbuilder script ## should not try to delete addresses configured for tunnels and IPv6 ## link scope addresses (fe80::) ("scope link" or "scope host" addresses) ## ## Addresses we should ignore are dropped from the list. ## update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } ## carp interface on FreeBSD does not like to have two ip ## addresses. This means we should delete address first, then add new ## one. All other interfaces work with >1 address, so we add first, ## then delete to make sure there is no time window when interface has ## no address at all. 
echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } fwbuilder-5.3.7/src/res/configlets/bsd/update_bridge000066400000000000000000000076321303637203600225320ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## {{if openbsd_lt_47}} BRCONFIG="brconfig" {{endif}} {{if openbsd_ge_47}} BRCONFIG="$IFCONFIG" {{endif}} {{if freebsd}} BRCONFIG="$IFCONFIG" {{endif}} missing_port() { intf=$1 cmd=$2 oldIFS=$IFS IFS="@" set $intf port=$1 bridge_interface=$2 IFS=$oldIFS echo "# Updating bridge configuration: $bridge_interface $cmd $port" $FWBDEBUG $BRCONFIG $bridge_interface $cmd $port test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up } ## update_bridge br0 "eth2 eth3" update_bridge_interface() { bridge_interface=$1 shift FWB_PORTS="" CURRENT_PORTS="" FWB_PORTS=$( for subint in $*; do echo "${subint}@$bridge_interface" done | sort ) # this is really redundant because we create missing bridge # interfaces in sync_bridge_interfaces. 
However will leave this # here so that function update_bridge can be used without prior # call to sync_bridge_interfaces The difference is that # sync_bridge_interfaces also deletes bridge interfaces that exist # on the machine but are missing in fwbuilder confgiuration. The # update_bridge function can only add bridge interfaces. $BRCONFIG $bridge_interface >/dev/null 2>&1 || { echo "# Creating bridge interface $bridge_interface" $FWBDEBUG $IFCONFIG $bridge_interface create $FWBDEBUG $IFCONFIG $bridge_interface up } PORTS=$( $BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }' ) test -n "$PORTS" && { CURRENT_PORTS=$( for subint in $PORTS; do echo "${subint}@$bridge_interface" done | sort ) } # first delete bridge ports, then add. This way, if an interface # moves from one bridge to another, we remove it first and then # add. It would not work if we tried to add it first, brctl issues # an error: # device eth2 is already a member of a bridge; can't enslave it to bridge br1. # diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm } ## This function synchronizes bridge interfaces between fwbuilder objects ## and actual configuration of the firewall machine. Birgde interfaces not ## listed as arguments will be deleted and those in the arguments will be ## created if missing. ## ## NOTE: we have to delete and create bridge interfaces before we add ## bridge ports to them because if a bridge interface that was not ## configured in fwbuilder existed before this script ran, its bridge ## ports could not be added to other bridges. This bridge interface ## should be deleted first. 
## ## sync_bridge_interfaces bridge0 bridge1 sync_bridge_interfaces() { $BRCONFIG -a | awk -F: -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } ($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \ while read brintf; do echo "# Deleting bridge interface $brintf" $FWBDEBUG $IFCONFIG $brintf down $FWBDEBUG $IFCONFIG $brintf destroy done for brint in $*; do $BRCONFIG $brint >/dev/null 2>&1 || { echo "# Creating bridge interface $brintf" $FWBDEBUG $IFCONFIG $brint create $FWBDEBUG $IFCONFIG $brint up } done } fwbuilder-5.3.7/src/res/configlets/bsd/update_carp000066400000000000000000000036501303637203600222170ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ############ CARP interfaces ############################################ ## ## This function synchronizes carp interfaces between fwbuilder objects ## and actual configuration of the firewall machine. Carp interfaces not ## listed as arguments will be deleted and those in the arguments will be ## created if missing. ## ## This function only executes "ifconfig carp0 create" or "ifconfig carp0 destroy" ## commands. 
Other parameters of carp interfaces should be set up separately ## (see configlet carp_interface for that) ## ## sync_carp_interfaces carp0 carp1 sync_carp_interfaces() { $IFCONFIG {{if openbsd}}-A{{endif}} | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" exit 1 } } done } fwbuilder-5.3.7/src/res/configlets/bsd/update_pfsync000066400000000000000000000035751303637203600226020ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ############ PFSYNC interfaces ############################################ ## ## This function synchronizes pfsync interfaces between fwbuilder objects ## and actual configuration of the firewall machine. Pfsync interfaces not ## listed as arguments will be deleted and those in the arguments will be ## created if missing. ## ## This function only executes "ifconfig pfsync0 create" or "ifconfig pfsync0 destroy" ## commands. 
Other parameters of pfsync interfaces should be set up separately ## (see configlet pfsync_interface for that) ## ## sync_pfsync_interfaces pfsync0 pfsync1 ## ## May be there can be only one pfsync interface ? The function in this configlet ## does not depend on this assumption. sync_pfsync_interfaces() { $IFCONFIG {{if openbsd}}-A{{endif}} | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } fwbuilder-5.3.7/src/res/configlets/bsd/update_vlans000066400000000000000000000056521303637203600224210ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ############ VLAN ############################################## ## arguments: ## ## $1: vlan_name:vlan_id@ e.g. 
## vlan8101:101@em1
## $2: command, can be "add" or "rem"
##
## Callback handed to diff_intf (defined outside this configlet): adds or
## removes one VLAN sub-interface.  $1 has the form "name:id@parent"; it
## is split on ":" and "@" by temporarily changing IFS and re-setting the
## positional parameters.  Every ifconfig call is guarded with "exit 1".
missing_vlan() {
  vlan=$1
  cmd=$2
  oldIFS=$IFS
  IFS="@:"
  set $vlan
  subint=$1
  vlan_id=$2
  parent=$3
  IFS=$oldIFS
  test "$cmd" = "add" && {
    echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)"
    $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1
    $FWBDEBUG $IFCONFIG $subint up || exit 1
  }
  test "$cmd" = "rem" && {
    echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)"
    $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1
    $FWBDEBUG $IFCONFIG $subint destroy || exit 1
  }
}

## Print the VLAN sub-interfaces fwbuilder wants on a parent, sorted.
## $1 is one string "parent word1 word2 ..." (see update_vlans_of_interface)
## that is word-split with "set"; each remaining word gets "@parent"
## appended.  The final echo is deliberately unquoted so the sorted,
## newline-separated list is emitted as a single space-separated line.
parse_fwb_vlans() {
  set $1
  vlan_parent=$1
  shift
  FWB_VLANS=$(
    for subint in $*; do
      echo "${subint}@$vlan_parent"
    done | sort
  )
  echo $FWB_VLANS
}

## Print the VLAN sub-interfaces currently configured on parent $1 as
## "subint:vlan_id@parent", one per line, sorted.  Parses ifconfig output:
## "paste - -" joins consecutive line pairs, apparently the name/flags line
## and the "vlan: N parent interface: X" line of each vlan interface, and
## sed then strips the labels so "read" sees three fields.
parse_current_vlans() {
  vlan_parent=$1
  $IFCONFIG {{if openbsd}}-A{{endif}} | grep -E 'vlan[^ ]*:' | paste - - | \
    sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \
    while read vlan_subint vlan_id parent
    do
      test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent"
    done | sort
}

##
## Call format:
##
## update_vlans_of_interface "pcn0 vlan101 vlan104"
##
##
## Reconcile the VLAN sub-interfaces of one parent interface: the parent
## is brought up (exit 1 on failure), then diff_intf is invoked twice with
## missing_vlan as callback -- presumably once to "add" what fwbuilder
## has and the box lacks, and once to "rem" what the box has and
## fwbuilder does not; diff_intf itself is not part of this configlet.
update_vlans_of_interface() {
  args="$1"
  set $1
  vlan_parent=$1
  FWB_VLANS=$(parse_fwb_vlans "$args")
  CURRENT_VLANS=$(parse_current_vlans $vlan_parent)
  $IFCONFIG $vlan_parent up || exit 1
  diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
  diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
}

## Same create/destroy reconciliation as sync_carp_interfaces and
## sync_pfsync_interfaces, for vlanN interfaces: destroy every vlanN that
## ifconfig reports and that is not in the argument list, create every
## argument that is missing.  Here a failed destroy also exits.
sync_vlan_interfaces() {
  ## ifconfig prints interface names as "vlan0:", hence the ":" suffix on
  ## the keys built from the argument list and the sed that strips it.
  $IFCONFIG {{if openbsd}}-A{{endif}} | awk -v IGNORED="$*" \
    'BEGIN {
       split(IGNORED,ignored_arr);
       for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
     }
     ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
  while read intf; do
    echo "# Deleting vlan interface $intf"
    $FWBDEBUG $IFCONFIG $intf destroy || exit 1
  done
  for intf in $*; do
    ## ifconfig on a non-existent interface fails; that is the existence test.
    $IFCONFIG $intf >/dev/null 2>&1 || {
      echo "# Creating vlan interface $intf"
      $FWBDEBUG $IFCONFIG $intf create || exit 1
    }
  done
}
fwbuilder-5.3.7/src/res/configlets/dd-wrt-jffs/000077500000000000000000000000001303637203600213605ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/dd-wrt-jffs/check_utilities000066400000000000000000000036241303637203600244600ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## Known variables: ## ## need_iptables_restore ## need_ip6tables_restore ## need_modprobe : set to true if "load modules" option is on, or ## script needs to manage vlan or bonding interfaces. 
## See configlets for vlan and bonding interfaces to find
## how modprobe is used to load corresponding modules
## need_vconfig : set to true if script manages vlans
## need_brctl : set to true if script manages bridge ports
## need_ifenslave : set to true if script manages bonding interfaces
## need_ipset : set to true if ipset is used for run-time address tables
## load_modules : set to true if "load modules" option is on
##
## These variables are set in OSConfigurator_linux24::printShellFunctions()
## About using "command" to find programs:
##
## Abort the generated script with exit status 1 when program $1 cannot be
## located with "which".  The name (or path) is echoed back so the operator
## can see which tool is missing.  Lookup goes through PATH as set earlier
## in the generated script.
find_program() {
  PGM=$1
  which $PGM >/dev/null 2>&1 || {
    echo "\"$PGM\" not found"
    exit 1
  }
}

## Check every external tool the generated script will call before any
## rule is touched.  "which" itself is checked first because find_program
## relies on it; the optional tools are only checked when the matching
## need_* variable was set at configlet expansion time.
check_tools() {
  find_program which
  find_program $IPTABLES
  {{if need_iptables_restore}} find_program $IPTABLES_RESTORE{{endif}}
  {{if need_ip6tables_restore}} find_program $IP6TABLES_RESTORE{{endif}}
  find_program $IP
  {{if need_vconfig}} find_program $VCONFIG {{endif}}
  {{if need_brctl}} find_program $BRCTL {{endif}}
  {{if need_ifenslave}} find_program $IFENSLAVE {{endif}}
  {{if need_ipset}} find_program $IPSET {{endif}}
}
fwbuilder-5.3.7/src/res/configlets/dd-wrt-jffs/installer_commands_reg_user000066400000000000000000000021471303637203600270600ustar00rootroot00000000000000
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/sveasoft/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## ## We only use root to authenticate to Sveasoft firewall {{if run}} {{endif}} {{if test}} {{endif}} fwbuilder-5.3.7/src/res/configlets/dd-wrt-jffs/installer_commands_root000066400000000000000000000016541303637203600262320ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## {{if run}} echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; /usr/sbin/nvram unset rc_firewall; /usr/sbin/nvram set rc_firewall="{{$fwdir}}/{{$fwscript}}"; /usr/sbin/nvram commit; sh {{$fwdir}}/{{$fwscript}} && echo 'Policy activated' {{endif}} fwbuilder-5.3.7/src/res/configlets/dd-wrt-jffs/routing_functions000066400000000000000000000037461303637203600250740ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and 
modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## The recent versions of DD-WRT V24 preSP2 Build 13064 and newer are ## missing modprobe and mktemp. This configlet does not use mktemp to ## create temporary file # ============== ROUTING RULES ============== TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" (umask 077 && mkdir $TMPDIRNAME) || exit 1 # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules (IFS=" "; for route in $oldRoutes; do (IFS=' '; $IP route add $route); done) echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) oldRoutes=$($IP route show | sort -k 2) echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v {{$proto_filter}} | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." fwbuilder-5.3.7/src/res/configlets/dd-wrt-jffs/script_skeleton000066400000000000000000000062561303637203600245240ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Double '##' comments are removed when configlet is processed. 
## Single '#' comments stay. ## ## Some shells (not bash) do not like empty functions. Placing a comment ## inside the function does not help. Using dummy ":" as a placeholder. ## {{$top_comment}} {{$errors_and_warnings}} {{$shell_debug}} FWBDEBUG="" {{$path}} {{$constants}} {{$tools}} {{$shell_functions}} {{$run_time_address_tables}} load_modules() { : {{$load_modules}} } verify_interfaces() { : {{$verify_interfaces}} } prolog_commands() { echo "Running prolog script" {{$prolog_script}} } epilog_commands() { echo "Running epilog script" {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : {{$configure_interfaces}} } script_body() { {{$script_body}} } ip_forward() { : {{$ip_forward_commands}} } reset_all() { : {{$reset_all}} } {{$block_action}} {{$stop_action}} {{$status_action}} # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated {{$timestamp}} by {{$user}}" check_tools {{if prolog_top}} prolog_commands {{endif}} check_run_time_address_table_files {{if using_ipset}} check_module_ipset load_run_time_address_table_files {{endif}} load_modules "{{$load_modules_with_nat}} {{$load_modules_with_ipv6}}" configure_interfaces verify_interfaces {{if prolog_after_interfaces}} prolog_commands {{endif}} {{if not_using_iptables_restore}} reset_all {{endif}} {{if prolog_after_flush}} prolog_commands {{endif}} script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; {{if using_ipset}} ## Usage: script.fw reload_address_table reload_address_table) reload_address_table $2 $3 ;; ## Usage: script.fw add_to_address_table
add_to_address_table) add_to_address_table $2 $3 $4 ;; ## Usage: script.fw remove_from_address_table
remove_from_address_table) remove_from_address_table $2 $3 $4 ;; ## Usage: script.fw test_address_table
test_address_table) test_address_table $2 $3 ;; {{endif}} *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces{{if using_ipset}}|reload_address_table|add_to_address_table|remove_from_address_table|test_address_table{{endif}}]" ;; esac exit $RETVAL fwbuilder-5.3.7/src/res/configlets/dd-wrt-jffs/top_comment000066400000000000000000000004021303637203600236230ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v{{$version}} # # Generated {{$timestamp}} {{$tz}} by {{$user}} # {{$manifest}} # # Compiled for {{$platform}} {{$fw_version}} DD-WRT (jffs) # {{$comment}} fwbuilder-5.3.7/src/res/configlets/dd-wrt-nvram/000077500000000000000000000000001303637203600215535ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/dd-wrt-nvram/check_utilities000066400000000000000000000035511303637203600246520ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## Known variables: ## ## need_iptables_restore ## need_ip6tables_restore ## need_modprobe : set to true if "load modules" option is on, or ## script needs to manage vlan or bonding interfaces. 
## See configlets for vlan and bonding interfaces to find
## how modprobe is used to load corresponding modules
## need_vconfig : set to true if script manages vlans
## need_brctl : set to true if script manages bridge ports
## need_ifenslave : set to true if script manages bonding interfaces
## need_ipset : set to true if ipset is used for run-time address tables
## load_modules : set to true if "load modules" option is on
##
## These variables are set in OSConfigurator_linux24::printShellFunctions()
##
## Abort the generated script with exit status 1 when program $1 cannot be
## located with "which".  The name (or path) is echoed back so the operator
## can see which tool is missing.  Lookup goes through PATH as set earlier
## in the generated script.
find_program() {
  PGM=$1
  which $PGM >/dev/null 2>&1 || {
    echo "\"$PGM\" not found"
    exit 1
  }
}

## Check every external tool the generated script will call before any
## rule is touched.  "which" itself is checked first because find_program
## relies on it; the optional tools are only checked when the matching
## need_* variable was set at configlet expansion time.
check_tools() {
  find_program which
  find_program $IPTABLES
  {{if need_iptables_restore}} find_program $IPTABLES_RESTORE{{endif}}
  {{if need_ip6tables_restore}} find_program $IP6TABLES_RESTORE{{endif}}
  find_program $IP
  {{if need_vconfig}} find_program $VCONFIG {{endif}}
  {{if need_brctl}} find_program $BRCTL {{endif}}
  {{if need_ifenslave}} find_program $IFENSLAVE {{endif}}
  {{if need_ipset}} find_program $IPSET {{endif}}
}
fwbuilder-5.3.7/src/res/configlets/dd-wrt-nvram/installer_commands_reg_user000066400000000000000000000021471303637203600272530ustar00rootroot00000000000000
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/sveasoft/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## ## We only use root to authenticate to Sveasoft firewall {{if run}} {{endif}} {{if test}} {{endif}} fwbuilder-5.3.7/src/res/configlets/dd-wrt-nvram/installer_commands_root000066400000000000000000000040441303637203600264210ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/dd-wrt-nvram/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout (min) ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## ## {{$firewall_name}} -- the name of the firewall object ## {{if run}} {{if with_compression}} echo '{{$fwbprompt}}'; mv /tmp/{{$fwscript}} /tmp/fwb; /usr/sbin/nvram unset rc_firewall; /usr/sbin/nvram set rc_firewall="/usr/sbin/nvram get fwb|uudecode|gzip -dc|sh"; /usr/sbin/nvram unset fwb; /usr/sbin/nvram set fwb="`cat /tmp/fwb|gzip|uuencode -`" || exit 1; rm /tmp/fwb; echo "Saving data to flash memory"; /usr/sbin/nvram commit || exit 1; echo "Flash memory:"; /usr/sbin/nvram show >/dev/null; echo "Activating policy"; /usr/sbin/nvram get fwb|uudecode|gzip -dc|sh && echo 'Policy activated' {{endif}} {{if no_compression}} echo '{{$fwbprompt}}'; mv /tmp/{{$fwscript}} /tmp/fwb; /usr/sbin/nvram set rc_firewall="/usr/sbin/nvram get fwb|sh"; /usr/sbin/nvram unset fwb; /usr/sbin/nvram set fwb="`cat /tmp/fwb`" || exit 1; rm /tmp/fwb; echo "Saving data to flash memory"; /usr/sbin/nvram commit || exit 1; echo "Flash memory:"; /usr/sbin/nvram show >/dev/null; echo "Activating policy"; /usr/sbin/nvram get fwb|sh && echo 'Policy activated' {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/dd-wrt-nvram/routing_functions000066400000000000000000000037461303637203600252670ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. 
## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## The recent versions of DD-WRT V24 preSP2 Build 13064 and newer are ## missing modprobe and mktemp. This configlet does not use mktemp to ## create temporary file # ============== ROUTING RULES ============== TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" (umask 077 && mkdir $TMPDIRNAME) || exit 1 # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules (IFS=" "; for route in $oldRoutes; do (IFS=' '; $IP route add $route); done) echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) oldRoutes=$($IP route show | sort -k 2) echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v {{$proto_filter}} | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." 
fwbuilder-5.3.7/src/res/configlets/dd-wrt-nvram/script_skeleton000066400000000000000000000040461303637203600247120ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/sveasoft/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## Note that /bin/sh on Sveasoft (busybox) does not like empty shell ## functions and fails with an error "36: Syntax error: "}" unexpected" ## Will call /bin/true as a placeholder so that if some other ## commands are added to the function body during template expansion, ## they are executed after /bin/true and their return code is ## preserved. If no commands are added, then the function body won't ## be empty and will return success. 
{{$top_comment}} {{$shell_debug}} {{$path}} {{$constants}} {{$tools}} {{$shell_functions}} {{$run_time_address_tables}} load_modules() { : {{$load_modules}} } verify_interfaces() { : {{$verify_interfaces}} } prolog_commands() { : {{$prolog_script}} } epilog_commands() { : {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : {{$configure_interfaces}} } script_body() { {{$script_body}} } ip_forward() { : {{$ip_forward_commands}} } reset_all() { : {{$reset_all}} } log "Activating firewall script generated {{$timestamp}} by {{$user}}" check_tools {{if prolog_top}}prolog_commands{{endif}} check_run_time_address_table_files {{if using_ipset}} check_module_ipset load_run_time_address_table_files {{endif}} load_modules configure_interfaces verify_interfaces {{if prolog_after_interfaces}}prolog_commands{{endif}} {{if not_using_iptables_restore}} reset_all {{endif}} {{if prolog_after_flush}}prolog_commands{{endif}} script_body ip_forward epilog_commands fwbuilder-5.3.7/src/res/configlets/dd-wrt-nvram/top_comment000066400000000000000000000003661303637203600240270ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v{{$version}} # # Generated {{$timestamp}} {{$tz}} by {{$user}} # {{$manifest}} # # Compiled for {{$platform}} {{$fw_version}} DD-WRT (nvram) # fwbuilder-5.3.7/src/res/configlets/freebsd/000077500000000000000000000000001303637203600206435ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/freebsd/carp_interface000066400000000000000000000014121303637203600235310ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. 
##
##
## CARP
## ifconfig carp-interface [advbase n] [advskew n] [carpdev iface]
## [pass passphrase] [state state] [vhid host-id]
##
## for pfsync and CARP see http://www.kernel-panic.it/openbsd/carp/
## "Redundant firewalls with OpenBSD, CARP and pfsync"
##
## Unlike in OpenBSD, in FreeBSD ifconfig does not understand carpdev parameter
##
## One ifconfig invocation per CARP interface.  The command is kept on a
## single line: the configlet processor appears to work line by line and
## splitting it would turn the optional parameters into separate commands.
## NOTE(review): when have_password is set the CARP passphrase is
## substituted in cleartext, so it ends up both in the generated script and
## on the ifconfig command line of the firewall (visible in process
## listings while it runs); the generated script needs the same protection
## as any other file holding that secret.
$IFCONFIG {{$carp_interface}} vhid {{$vhid}} {{if have_password}}pass {{$carp_password}}{{endif}} {{if have_advbase}} advbase {{$advbase}}{{endif}} {{if have_advskew}} advskew {{$advskew}}{{endif}}
fwbuilder-5.3.7/src/res/configlets/freebsd/ifconfig_interface000066400000000000000000000004661303637203600244000ustar00rootroot00000000000000
## -*- mode: shell-script; -*-
##
## Lines that start with "##" will be removed before this code is
## added to the generated script. Regular shell comments can be added
## using single "#", these will appear in the script.
##
## Generic per-interface settings: the MTU when have_mtu is set, followed
## by whatever the firewall object supplies in {{$options}}.  Single line
## on purpose, see the CARP configlet above.
$IFCONFIG {{$interface_name}} {{if have_mtu}}mtu {{$mtu}}{{endif}} {{$options}}
fwbuilder-5.3.7/src/res/configlets/freebsd/installer_commands_reg_user000066400000000000000000000032211303637203600263370ustar00rootroot00000000000000
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/bsd/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## See #1368 for the explanation of the need for the "sleep2; echo" commands ## ## Note: all commands should be on one line to avoid unnecessary linefeeds. ## These linefeeds are sent to the server side (to the firewall) and end up ## on the input of sudo and other commands. This creates difficult to catch ## race condition which breaks installation process. {{if shell_script_format}} echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; sudo -S {{$fwdir}}/{{$fwscript}} && ( echo 'Policy activated'; sleep 2; echo) {{endif}} {{if rc_conf_format}} echo '{{$fwbprompt}}'; sudo -S /etc/rc.d/pf reload && ( echo 'Policy activated'; sleep 2; echo) {{endif}} fwbuilder-5.3.7/src/res/configlets/freebsd/installer_commands_root000066400000000000000000000025441303637203600255140ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## See #1368 for the explanation of the need for the "sleep2; echo" commands {{if shell_script_format}} echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; sh {{$fwdir}}/{{$fwscript}} && ( echo 'Policy activated'; sleep 2; echo) {{endif}} {{if rc_conf_format}} echo '{{$fwbprompt}}'; /etc/rc.d/pf reload && ( echo 'Policy activated'; sleep 2; echo) {{endif}} fwbuilder-5.3.7/src/res/configlets/freebsd/kernel_vars000066400000000000000000000016771303637203600231140ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/freebsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
{{if have_freebsd_ip_forward}}$SYSCTL -w net.inet.ip.forwarding={{$freebsd_ip_forward}}{{endif}} {{if have_freebsd_ipv6_forward}}$SYSCTL -w net.inet6.ip6.forwarding={{$freebsd_ipv6_forward}}{{endif}} {{if have_freebsd_ip_sourceroute}}$SYSCTL -w net.inet.ip.sourceroute={{$freebsd_ip_sourceroute}}{{endif}} {{if have_freebsd_ip_redirect}}$SYSCTL -w net.inet.ip.redirect={{$freebsd_ip_redirect}}{{endif}} fwbuilder-5.3.7/src/res/configlets/freebsd/rc_conf_bridge_port000066400000000000000000000004511303637203600245570ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## addm {{$bridge_port}} {{if stp_off}}-{{endif}}stp {{$bridge_port}} fwbuilder-5.3.7/src/res/configlets/freebsd/rc_conf_carp_interface000066400000000000000000000016561303637203600252340ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. 
## ## ## CARP ## ifconfig carp-interface [advbase n] [advskew n] [carpdev iface] ## [pass passphrase] [state state] [vhid host-id] ## ## for pfsync and CARP see http://www.kernel-panic.it/openbsd/carp/ ## "Redundant firewalls with OpenBSD, CARP and pfsync" ## ## here is how to configure CARP interfaces in rc.conf ## ## http://blas.phemo.us/articles/2007/04/04/setting-up-and-configuring-carp-interfaces-on-freebsd ## ## Unlike in OpenBSD, in FreeBSD ifconfig does not understand carpdev parameter create_args_{{$carp_interface}}="vhid {{$vhid}} {{if have_password}}pass {{$carp_password}}{{endif}} {{if have_advbase}} advbase {{$advbase}}{{endif}} {{if have_advskew}} advskew {{$advskew}}{{endif}}" fwbuilder-5.3.7/src/res/configlets/freebsd/rc_conf_ifconfig_interface000066400000000000000000000004301303637203600260600ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## {{if have_mtu}}mtu {{$mtu}}{{endif}} {{$options}} fwbuilder-5.3.7/src/res/configlets/freebsd/rc_conf_kernel_vars000066400000000000000000000016171303637203600245770ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/freebsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
{{if have_freebsd_ip_forward}}gateway_enable="{{$freebsd_ip_forward}}"{{endif}} {{if have_freebsd_ipv6_forward}}ipv6_gateway_enable="{{$freebsd_ipv6_forward}}"{{endif}} {{if have_freebsd_ip_sourceroute}}forward_sourceroute="{{$freebsd_ip_sourceroute}}"{{endif}} {{if have_freebsd_ip_sourceroute}}accept_sourceroute="{{$freebsd_ip_sourceroute}}"{{endif}} fwbuilder-5.3.7/src/res/configlets/freebsd/rc_conf_pfsync_interface000066400000000000000000000005031303637203600255770ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## pfsync_syncdev="{{$syncdev}}" {{if have_syncpeer}}pfsync_syncpeer="{{$syncpeer}}"{{endif}} fwbuilder-5.3.7/src/res/configlets/freebsd/routing_functions000066400000000000000000000035761303637203600243600ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## # ============== ROUTING RULES ============== TMPDIRNAME=`mktemp -d /tmp/.fwbuilder.XXXXXXXXXX` || exit 1 TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules netstat -rn -f inet | awk '$3 ~ /S/ && $NF !~ /lo0/ { print $0;}' | \ while read route gw rest; do route delete $route $gw; done # restore old routing rules (IFS=" "; for route_cmd in $oldRoutes; do (IFS=' '; $route_cmd); done) echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 oldRoutes=$(netstat -rn -f inet | awk '/^$|Destination|Routing tables|Internet:/ {next;} {printf "route add %s %s\n",$1,$2;}') echo "Deleting routing rules previously set by user space processes..." netstat -rn -f inet | awk '$3 ~ /S/ { print $0;}' | grep -Ev {{$route_filter}} | \ while read route gw rest; do route delete $route $gw; done echo "Activating routing rules..." fwbuilder-5.3.7/src/res/configlets/freebsd/tools000066400000000000000000000014041303637203600217250ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/freebsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## Set path to all utilities that we need IFCONFIG="{{$path_ifconfig}}" PFCTL="{{$path_pfctl}}" IPFW="{{$path_ipfw}}" IPF="{{$path_ipf}}" IPNAT="{{$path_ipnat}}" SYSCTL="{{$path_sysctl}}" LOGGER="{{$path_logger}}" fwbuilder-5.3.7/src/res/configlets/fwsm_os/000077500000000000000000000000001303637203600207065ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/fwsm_os/failover_commands_2000066400000000000000000000023701303637203600245440ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## ## http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html ## ## failover ip address outside 209.165.201.2 ## failover ip address inside 192.168.2.2 ## failover ip address failover 192.168.254.2 ## failover ip address state 192.168.253.2 ## failover link state ## failover lan unit primary ## failover lan interface failover ## failover lan key 12345678 ## failover lan enable ## failover ## ## ## "failover ip address" commands are added bu the failover_interface_6 configlet failover link {{$state_sync_interface_label}} failober lan unit {{$primary_or_secondary}} failover lan interface {{$failover_interface_label}} failover key {{$failover_key}} failover lan enable failover fwbuilder-5.3.7/src/res/configlets/fwsm_os/failover_commands_3_2000066400000000000000000000027361303637203600247740ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## ## failover ## failover lan unit primary ## failover lan interface failover Ethernet3 ## failover lan enable ## failover key ****** ## failover link state Ethernet2 ## failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2 ## failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2 failover lan unit {{$primary_or_secondary}} failover lan interface {{$failover_interface_label}} {{$failover_interface_name}} failover lan enable failover key {{$failover_key}} failover interface ip {{$failover_interface_label}} {{$failover_interface_primary_address}} {{$failover_interface_primary_netmask}} standby {{$failover_interface_standby_address}} failover link {{$state_sync_interface_label}} {{$state_sync_interface_name}} failover interface ip {{$state_sync_interface_label}} {{$state_sync_interface_primary_address}} {{$state_sync_interface_primary_netmask}} standby {{$state_sync_interface_standby_address}} failover fwbuilder-5.3.7/src/res/configlets/fwsm_os/failover_interface_2000066400000000000000000000015101303637203600246760ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} {{if configure_interface_address}}ip address {{$interface_label}} {{$address}} {{$netmask}} {{endif}} {{if configure_standby_address}}failover ip address {{$interface_label}} {{$standby_address}} {{endif}} fwbuilder-5.3.7/src/res/configlets/fwsm_os/failover_interface_3_2000066400000000000000000000012071303637203600251230ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## interface {{$interface_name}} description LAN/STATE Failover Interface no nameif exit fwbuilder-5.3.7/src/res/configlets/fwsm_os/installer_commands_post_config000066400000000000000000000007001303637203600270760ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. ## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$rbtimeout}} -- rollback timeout ## {{$test}} -- doing installation in test mode ## {{if cancel_rollback}} reload cancel {{endif}} {{if run}} wr mem {{endif}} {{if save_standby}} wr standby {{endif}} fwbuilder-5.3.7/src/res/configlets/fwsm_os/installer_commands_pre_config000066400000000000000000000006061303637203600267040ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. 
## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$rbtimeout}} -- rollback timeout ## {{$test}} -- doing installation in test mode ## {{if schedule_rollback}} reload in {{$rbtimeout}} {{endif}} fwbuilder-5.3.7/src/res/configlets/fwsm_os/installer_commands_reg_user000066400000000000000000000017051303637203600264050ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is ## logged in ## {{$fwdir}} -- directory on the firewall (in case of PIX, "flash:" or ## similar) ## {{$fwscript}} -- script name on the firewall ## {{$firewall_name}} -- the name of the firewall object ## {{if using_scp}} changeto context {{$firewall_name}} copy /noconfirm {{$fwdir}}/{{$fwscript}} running-config changeto system delete /noconfirm {{$fwdir}}/{{$fwscript}} exit {{endif}} {{if not_using_scp}} config term terminal width 256 {{$fwbuilder_generated_configuration_lines}} exit {{endif}} fwbuilder-5.3.7/src/res/configlets/fwsm_os/ntp000066400000000000000000000004051303637203600214310ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## See http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml ## ## Cisco says: ## "Note: NTP cannot be configured on FWSM, because it takes its settings from the Switch." 
fwbuilder-5.3.7/src/res/configlets/fwsm_os/regular_interface_2000066400000000000000000000020661303637203600245370ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## {{if static_address}} nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} {{if configure_interface_address}}ip address {{$interface_label}} {{$address}} {{$netmask}} {{endif}} {{if configure_standby_address}}failover ip address {{$interface_label}} {{$standby_address}} {{endif}} {{endif}} {{if dhcp_address}} nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} {{if configure_interface_address}}ip address {{$interface_label}} dhcp setroute retry 10 {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/fwsm_os/regular_interface_3_2000066400000000000000000000020441303637203600247550ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{if static_address}} interface {{$interface_name}} nameif {{$interface_label}} {{if configure_interface_address}} ip address {{$address}} {{$netmask}} {{if configure_standby_address}} standby {{$standby_address}} {{endif}} {{endif}} security-level {{$security_level}} exit {{endif}} {{if dhcp_address}} interface {{$interface_name}} nameif {{$interface_label}} {{if configure_interface_address}} ip address dhcp setroute {{endif}} security-level {{$security_level}} exit {{endif}} fwbuilder-5.3.7/src/res/configlets/fwsm_os/snmp000066400000000000000000000024131303637203600216060ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/fwsm_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{if clear}} {{if fwsm_version_lt_32}} clear snmp-server {{endif}} {{if fwsm_version_ge_32}} clear config snmp-server {{endif}} {{endif}} {{if disable}} no snmp-server {{endif}} {{if not_disable}} {{if set_community}} snmp-server community {{$read_community}} {{endif}} {{if set_sysinfo}} {{if not_location_empty}}snmp-server location {{$location}}{{endif}} {{if not_contact_empty}}snmp-server contact {{$contact}}{{endif}} {{endif}} {{if not_enable_traps}}no {{endif}}snmp-server enable traps {{if not_server_1_empty}}snmp-server host {{$interface_1_label}} {{$address_1}} {{$poll_or_trap_1}} {{endif}} {{if not_server_2_empty}}snmp-server host {{$interface_2_label}} {{$address_2}} {{$poll_or_trap_2}} {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/fwsm_os/ssh000066400000000000000000000015021303637203600214240ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{if clear}} {{if fwsm_version_lt_32}} clear ssh {{endif}} {{if fwsm_version_ge_32}} clear config ssh {{endif}} {{endif}} aaa authentication ssh console LOCAL {{if use_scp}} ssh version 2 ssh scopy enable {{endif}} {{if ssh_timeout}} ssh timeout {{$ssh_timeout}} {{endif}} fwbuilder-5.3.7/src/res/configlets/fwsm_os/vlan_parent_interface_2000066400000000000000000000010571303637203600254060ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## fwbuilder-5.3.7/src/res/configlets/fwsm_os/vlan_parent_interface_3_2000066400000000000000000000012011303637203600256170ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## interface {{$interface_name}} no nameif no ip address no security-level exit fwbuilder-5.3.7/src/res/configlets/fwsm_os/vlan_subinterface_2000066400000000000000000000020701303637203600245430ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## interface ethernet0 vlan3 logical {{if static_address}} interface {{$parent_interface}} {{$interface_name}} logical nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} {{if configure_interface_address}} ip address {{$interface_label}} {{$address}} {{$netmask}} {{endif}} {{endif}} {{if dhcp_address}} nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} {{if configure_interface_address}} ip address {{$interface_label}} dhcp setroute retry 10 {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/fwsm_os/vlan_subinterface_3_2000066400000000000000000000021141303637203600247640ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{if static_address}} interface {{$interface_name}} vlan {{$vlan_id}} nameif {{$interface_label}} {{if configure_interface_address}} ip address {{$address}} {{$netmask}} {{if configure_standby_address}} standby {{$standby_address}} {{endif}} {{endif}} security-level {{$security_level}} exit {{endif}} {{if dhcp_address}} interface {{$interface_name}} vlan {{$vlan_id}} nameif {{$interface_label}} {{if configure_interface_address}} ip address dhcp setroute {{endif}} security-level {{$security_level}} exit {{endif}} fwbuilder-5.3.7/src/res/configlets/ios/000077500000000000000000000000001303637203600200235ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/ios/installer_commands_post_config000066400000000000000000000010641303637203600262170ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. ## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$rbtimeout}} -- rollback timeout ## {{$test}} -- doing installation in test mode ## {{if version_lt_124}} {{if cancel_rollback}} reload cancel {{endif}} {{endif}} {{if version_ge_124}} {{if cancel_rollback}} config term no event manager applet fwbuilder-rollback exit {{endif}} {{endif}} {{if run}} wr mem {{endif}} fwbuilder-5.3.7/src/res/configlets/ios/installer_commands_pre_config000066400000000000000000000014221303637203600260160ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. 
## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$rbtimeout}} -- rollback timeout (min) ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## {{$test}} -- doing installation in test mode ## terminal width 256 terminal length 0 {{if schedule_rollback}} {{if version_lt_124}} reload in {{$rbtimeout}} {{endif}} {{if version_ge_124}} config term event manager applet fwbuilder-rollback event timer countdown name rollback-countdown time {{$rbtimeout_sec}} action 1.0 cli command "enable" action 1.1 cli command "configure replace nvram:startup-config force" exit exit {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/ios/installer_commands_reg_user000066400000000000000000000016511303637203600255220ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ("flash:" or "nvram:" or similar) ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## ## {{$firewall_name}} -- the name of the firewall object ## {{if using_scp}} copy {{$fwdir}}{{$fwscript}} running-config {{endif}} {{if not_using_scp}} config term {{$fwbuilder_generated_configuration_lines}} exit {{endif}} fwbuilder-5.3.7/src/res/configlets/ios/safety_net_acl000066400000000000000000000024211303637203600227250ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory 
## fwbuilder/configlets/ios/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ! temporary access list for "safety net install" {{if ipv4}} no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip {{$management_addr}} {{$management_netm}} any deny ip any any exit interface {{$management_interface}} no ip access-group in no ip access-group out ip access-group tmp_acl in exit {{endif}} {{if ipv6}} no ipv6 access-list tmp_acl ipv6 access-list tmp_acl {{if slash_notation}} permit ipv6 {{$management_addr}} any {{endif}} {{if host_addr}} permit ipv6 host {{$management_addr}} any {{endif}} permit icmp any any deny ipv6 any any exit interface {{$management_interface}} no ipv6 traffic-filter in no ipv6 traffic-filter out ipv6 traffic-filter tmp_acl in exit {{endif}} fwbuilder-5.3.7/src/res/configlets/ios/script_skeleton000066400000000000000000000015371303637203600231640ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ios/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## {{$top_comment}} {{$errors_and_warnings}} ! ! Prolog script: ! {{$prolog_script}} ! ! End of prolog script: ! 
{{$other_os_configuration_commands}} {{$system_configuration_script}} {{$policy_script}} {{$nat_script}} {{$routing_script}} ! ! Epilog script: ! {{$epilog_script}} ! End of epilog script: ! fwbuilder-5.3.7/src/res/configlets/ios/top_comment000066400000000000000000000003541303637203600222740ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v{{$version}} ! ! Generated {{$timestamp}} {{$tz}} by {{$user}} ! ! Compiled for {{$platform}} {{$fw_version}} ! {{$manifest}} ! {{$comment}} fwbuilder-5.3.7/src/res/configlets/ipcop/000077500000000000000000000000001303637203600203435ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/ipcop/automatic_rules000066400000000000000000000072701303637203600234740ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## Each rule must start with {{$begin_rule}} and end with ## {{$end_rule}}. 
Variable $begin_rule has value "$IPTABLES -A" if ## generated script is in the shell script format, or just empty ## string if it is in iptables-restore format ## IPCOP runs ssh on port 222 {{if mgmt_access}} # backup ssh access {{$begin_rule}} INPUT -p tcp -m tcp -s {{$ssh_management_address}} --dport 222 -m state --state NEW,ESTABLISHED -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p tcp -m tcp -d {{$ssh_management_address}} --sport 222 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{endif}} {{if drop_new_tcp_with_no_syn}} # drop TCP sessions opened prior firewall restart {{$begin_rule}} INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP {{$end_rule}} {{$begin_rule}} OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP {{$end_rule}} {{if ipforw}} {{$begin_rule}} FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP {{$end_rule}} {{endif}} {{endif}} {{if add_rules_for_ipv6_neighbor_discovery}} # rules to permit IPv6 Neighbor discovery {{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT {{$end_rule}} {{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT {{$end_rule}} {{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT {{$end_rule}} {{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT {{$end_rule}} {{endif}} {{if drop_invalid}} # drop packets that do not match any valid state {{$begin_rule}} OUTPUT -m state 
--state INVALID -j DROP {{$end_rule}} {{$begin_rule}} INPUT -m state --state INVALID -j DROP {{$end_rule}} {{if ipforw}} {{$begin_rule}} FORWARD -m state --state INVALID -j DROP {{$end_rule}} {{endif}} {{endif}} {{if drop_invalid_and_log}} # drop packets that do not match any valid state and log them {{$create_drop_invalid_chain}} {{$begin_rule}} OUTPUT -m state --state INVALID -j drop_invalid {{$end_rule}} {{$begin_rule}} INPUT -m state --state INVALID -j drop_invalid {{$end_rule}} {{if ipforw}} {{$begin_rule}} FORWARD -m state --state INVALID -j drop_invalid {{$end_rule}} {{endif}} {{if use_ulog}} {{$begin_rule}} drop_invalid -j ULOG {{if use_nlgroup}}--ulog-nlgroup {{$nlgroup}}{{endif}} {{if use_cprange}}--ulog-cprange {{$cprange}}{{endif}} {{if use_qthreshold}}--ulog-qthreshold {{$qthreshold}}{{endif}} --ulog-prefix {{$invalid_match_log_prefix}}{{$end_rule}} {{endif}} {{if not_use_ulog}} {{$begin_rule}} drop_invalid -j LOG --log-level debug --log-prefix {{$invalid_match_log_prefix}}{{$end_rule}} {{endif}} {{$begin_rule}} drop_invalid -j DROP {{$end_rule}} {{endif}} fwbuilder-5.3.7/src/res/configlets/ipcop/installer_commands_reg_user000066400000000000000000000022151303637203600260370ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipcop/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## ## On IPCOP we use standard system script to reload firewall policy {{if run}} /etc/rc.d/rc.firewall restart {{endif}} {{if test}} {{endif}} fwbuilder-5.3.7/src/res/configlets/ipcop/installer_commands_root000066400000000000000000000022061303637203600252070ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipcop/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## On IPCOP we use standard system script to reload firewall policy {{if run}} /etc/rc.d/rc.firewall restart {{endif}} {{if test}} {{endif}} fwbuilder-5.3.7/src/res/configlets/ipcop/kernel_vars000066400000000000000000000011441303637203600226010ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipcop/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## Fwbuilder does not control kernel variables on IPCOP fwbuilder-5.3.7/src/res/configlets/ipcop/script_skeleton000066400000000000000000000032131303637203600234750ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipcop/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. 
## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## {{$top_comment}} {{$shell_debug}} {{$path}} {{$constants}} {{$tools}} {{$shell_functions}} {{$run_time_address_tables}} verify_interfaces() { : {{$verify_interfaces}} } prolog_commands() { echo "Running prolog script" {{$prolog_script}} } epilog_commands() { echo "Running epilog script" {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } script_body() { {{$script_body}} } reset_all() { : {{$reset_all}} } case "$1" in start) check_tools check_run_time_address_table_files {{if using_ipset}} check_module_ipset load_run_time_address_table_files {{endif}} verify_interfaces prolog_commands script_body epilog_commands ;; stop) # on IPCOP "/etc/rc.firewall stop" purges all tables and chains # and then calls this script with command "stop", but there is # nothing left for us to do here. ;; reload) $0 stop $0 start ;; *) echo "Usage $0 {start|stop|reload}" ;; esac fwbuilder-5.3.7/src/res/configlets/ipcop/shell_functions000066400000000000000000000020571303637203600234710ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipcop/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by AddressTable object $1" exit 1 } } getInterfaceVarName() { echo $1 | sed 's/\./_/' } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } fwbuilder-5.3.7/src/res/configlets/ipcop/update_addresses000066400000000000000000000011551303637203600236070ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipcop/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## fwbuilder does not manage ip addresses of interfaces on IPCOP fwbuilder-5.3.7/src/res/configlets/ipcop/update_bonding000066400000000000000000000011451303637203600232510ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipcop/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## fwbuilder does not manage bonding interfaces on IPCOP fwbuilder-5.3.7/src/res/configlets/ipcop/update_bridge000066400000000000000000000011441303637203600230640ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipcop/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## fwbuilder does not manage bridge interfaces on IPCOP fwbuilder-5.3.7/src/res/configlets/ipcop/update_vlans000066400000000000000000000011301303637203600227460ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipcop/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## fwbuilder does not manage vlans on IPCOP fwbuilder-5.3.7/src/res/configlets/ipf/000077500000000000000000000000001303637203600200075ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/ipf/activation000066400000000000000000000017541303637203600221020ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipf/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## {{if dyn_addr}} {{if filter}} cat {{$remote_file}} | grep -v '#' | {{$interface_name_substitution_commands}} | $IPF {{$ipf_debug}} -I -f - {{endif}} {{if nat}} cat {{$remote_file}} | grep -v '#' | {{$interface_name_substitution_commands}} | $IPNAT {{$ipf_debug}} -f - {{endif}} {{endif}} {{if not_dyn_addr}} {{if filter}} $IPF {{$ipf_debug}} -I -f {{$remote_file}} {{endif}} {{if nat}} $IPNAT {{$ipf_debug}} -f {{$remote_file}} {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/ipf/script_skeleton000066400000000000000000000024141303637203600231430ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipf/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{$top_comment}} {{$errors_and_warnings}} FWDIR=`dirname $0` {{$shell_debug}} {{$tools}} {{$shell_functions}} verify_interfaces() { : {{$verify_interfaces}} } set_kernel_vars() { : {{$kernel_vars_commands}} } prolog_commands() { : {{$prolog_script}} } epilog_commands() { : {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : {{$configure_interfaces}} } log "Activating firewall script generated {{$timestamp}} by {{$user}}" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C {{$activation_commands}} {{if have_filter}} $IPF -s {{endif}} epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -E fwbuilder-5.3.7/src/res/configlets/ipf/top_comment000066400000000000000000000003631303637203600222600ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipf v{{$version}} # # Generated {{$timestamp}} {{$tz}} by {{$user}} # {{$manifest}} # # Compiled for {{$platform}} {{$fw_version}} # {{$comment}} fwbuilder-5.3.7/src/res/configlets/ipfw/000077500000000000000000000000001303637203600201765ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/ipfw/script_skeleton000066400000000000000000000024251303637203600233340ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ipfw/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{$top_comment}} {{$errors_and_warnings}} {{$shell_debug}} cd {{$firewall_dir}} || exit 1 {{$tools}} {{$shell_functions}} verify_interfaces() { : {{$verify_interfaces}} } set_kernel_vars() { : {{$kernel_vars_commands}} } prolog_commands() { echo "Running prolog script" {{$prolog_script}} } epilog_commands() { echo "Running epilog script" {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : {{$configure_interfaces}} } log "Activating firewall script generated {{$timestamp}} by {{$user}}" set_kernel_vars configure_interfaces prolog_commands {{$activation_commands}} epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1 fwbuilder-5.3.7/src/res/configlets/ipfw/top_comment000066400000000000000000000003641303637203600224500ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipfw v{{$version}} # # Generated {{$timestamp}} {{$tz}} by {{$user}} # {{$manifest}} # # Compiled for {{$platform}} {{$fw_version}} # {{$comment}} fwbuilder-5.3.7/src/res/configlets/junos/000077500000000000000000000000001303637203600203675ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/junos/installer_commands_post_config000066400000000000000000000003651303637203600265660ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. ## ## These are commands built-in policy installer runs on the firewall file delete {{$fwdir}}/{{$fwscript}} fwbuilder-5.3.7/src/res/configlets/junos/installer_commands_reg_user000066400000000000000000000014611303637203600260650ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. 
## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ("flash:" or "nvram:" or similar) ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## ## {{$firewall_name}} -- the name of the firewall object ## load replace {{$fwdir}}/{{$fwscript}} commit fwbuilder-5.3.7/src/res/configlets/junos/script_skeleton000066400000000000000000000014721303637203600235260ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/ios/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## {{$top_comment}} {{$errors_and_warnings}} # # Prolog script: # {{$prolog_script}} # # End of prolog script: # {{$other_os_configuration_commands}} {{$system_configuration_script}} {{$policy_script}} # # Epilog script: # {{$epilog_script}} # End of epilog script: # # fwbuilder-5.3.7/src/res/configlets/junos/top_comment000066400000000000000000000003561303637203600226420ustar00rootroot00000000000000# # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_junosacl v{{$version}} # # Generated {{$timestamp}} {{$tz}} by {{$user}} # # Compiled for {{$platform}} {{$fw_version}} # {{$manifest}} # {{$comment}} fwbuilder-5.3.7/src/res/configlets/linux24/000077500000000000000000000000001303637203600205365ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/linux24/automatic_rules000066400000000000000000000155071303637203600236710ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## Each rule must start with {{$begin_rule}} and end with ## {{$end_rule}}. 
Variable $begin_rule has value "$IPTABLES -A" if ## generated script is in the shell script format, or just empty ## string if it is in iptables-restore format ## ## Variables in this configlet: ## ## $begin_rule "$IPTABLES -A" or empty string ## $end_rule ## $ssh_management_address address of the management address used for backup ssh access ## $management_interface the name of the management interface ## $cprange (ULOG --cprange) ## $nlgroup (ULOG --ulog-nlgroup) ## $qthreshold (ULOG --ulog-qthreshold) ## $invalid_match_log_prefix (ULOG --ulog-prefix or LOG --log-prefix) ## ## Conditional statements use the following variables: ## ## bridging_firewall the firewall is a bridge ## ipforw should generate rules in FORWARD chain ## accept_established should add rules to match --state ESTABLISHED,RELATED ## mgmt_access should add rules for management ssh access ## drop_new_tcp_with_no_syn should add rules to drop TCP sessions opened prior firewall restart ## add_rules_for_ipv6_neighbor_discovery should add rules to permit IPv6 Neighbor discovery ## drop_invalid should add rules to drop packets that match state INVALID ## drop_invalid_and_log drop and log packets that match state INVALID ## not_use_ulog use LOG for logging ## use_ulog use ULOG for logging ## use_nlgroup for --ulog-nlgroup ## use_cprange for --ulog-cprange ## use_qthreshold for --ulog-qthreshold ## bug #1092141: "irritating FORWARD rule for established connections" ## Need rules in FORWARD chain only if ip forwarding is on or set to ## "no change" {{if accept_established}} # accept established sessions {{$begin_rule}} INPUT -m {{$state_module_option}} ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -m {{$state_module_option}} ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} FORWARD -m {{$state_module_option}} ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{endif}} ## it helps to add backup ssh access rule as early as possible so that ## ssh session opened from the management 
station won't break after ## all chains are flushed. The installation process may stall if ## stdout buffer gets filled with diagnostic or progress output from ## this script printed after chains are flushed but before a rule ## permitting ssh is installed. This may happen if script debugging is ## on or there are many NAT rules (so it prints a lot of "Rule NN ## (NAT)" lines). {{if mgmt_access}} # backup ssh access {{$begin_rule}} INPUT -p tcp -m tcp -s {{$ssh_management_address}} --dport 22 -m {{$state_module_option}} NEW,ESTABLISHED -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p tcp -m tcp -d {{$ssh_management_address}} --sport 22 -m {{$state_module_option}} ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{endif}} {{if drop_new_tcp_with_no_syn}} # drop TCP sessions opened prior firewall restart {{$begin_rule}} INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m {{$state_module_option}} NEW -j DROP {{$end_rule}} {{$begin_rule}} OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m {{$state_module_option}} NEW -j DROP {{$end_rule}} {{if ipforw}} {{$begin_rule}} FORWARD -p tcp -m tcp ! 
--tcp-flags SYN,RST,ACK SYN -m {{$state_module_option}} NEW -j DROP {{$end_rule}} {{endif}} {{endif}} {{if add_rules_for_ipv6_neighbor_discovery}} # rules to permit IPv6 Neighbor discovery {{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{if bridging_firewall}} {{$begin_rule}} FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{$begin_rule}} FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{$begin_rule}} FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{$begin_rule}} FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{endif}} {{endif}} {{if drop_invalid}} # drop packets that do not match any valid state {{$begin_rule}} OUTPUT -m {{$state_module_option}} INVALID -j DROP {{$end_rule}} {{$begin_rule}} INPUT -m {{$state_module_option}} INVALID -j DROP {{$end_rule}} {{if ipforw}} {{$begin_rule}} FORWARD -m 
{{$state_module_option}} INVALID -j DROP {{$end_rule}} {{endif}} {{endif}} {{if drop_invalid_and_log}} # drop packets that do not match any valid state and log them {{$create_drop_invalid_chain}} {{$begin_rule}} OUTPUT -m {{$state_module_option}} INVALID -j drop_invalid {{$end_rule}} {{$begin_rule}} INPUT -m {{$state_module_option}} INVALID -j drop_invalid {{$end_rule}} {{if ipforw}} {{$begin_rule}} FORWARD -m {{$state_module_option}} INVALID -j drop_invalid {{$end_rule}} {{endif}} {{if use_ulog}} {{$begin_rule}} drop_invalid -j ULOG {{if use_nlgroup}}--ulog-nlgroup {{$nlgroup}}{{endif}} {{if use_cprange}}--ulog-cprange {{$cprange}}{{endif}} {{if use_qthreshold}}--ulog-qthreshold {{$qthreshold}}{{endif}} --ulog-prefix {{$invalid_match_log_prefix}}{{$end_rule}} {{endif}} {{if not_use_ulog}} {{$begin_rule}} drop_invalid -j LOG --log-level debug --log-prefix {{$invalid_match_log_prefix}}{{$end_rule}} {{endif}} {{$begin_rule}} drop_invalid -j DROP {{$end_rule}} {{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/block_action000066400000000000000000000032001303637203600231030ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/sveasoft/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## This configlet defines commands executed when iptables script is ran ## with command line argument "block". By default it resets iptables ## tables and chains using function reset_all and optionally adds backup ## ssh access rules. 
block_action() { reset_all ## it helps to add backup ssh access rule as early as possible so that ## ssh session opened from the management station won't break after ## all chains are flushed. The installation process may stall if ## stdout buffer gets filled with diagnostic or progress output from ## this script printed after chains are flushed but before a rule ## permitting ssh is installed. This may happen if script debugging is ## on or there are many NAT rules (so it prints a lot of "Rule NN ## (NAT)" lines). {{if mgmt_access}} # backup ssh access $IPTABLES {{$opt_wait}} -A INPUT -p tcp -m tcp -s {{$ssh_management_address}} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES {{$opt_wait}} -A OUTPUT -p tcp -m tcp -d {{$ssh_management_address}} --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT {{endif}} } fwbuilder-5.3.7/src/res/configlets/linux24/check_utilities000066400000000000000000000036401303637203600236340ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## Known variables: ## ## need_iptables_restore ## need_ip6tables_restore ## need_modprobe : set to true if "load modules" option is on, or ## script needs to manage vlan or bonding interfaces. 
## See configlets for vlan and bonding interfaces to find ## how modprobe is used to load corresponding modules ## need_vconfig : set to true if script manages vlans ## need_brctl : set to true if script manages bridge ports ## need_ifenslave : set to true if script manages bonding interfaces ## need_ipset : set to true if ipset is used for run-time address tables ## load_modules : set to true if "load modules" option is on ## ## These variables are set in OSConfigurator_linux24::printShellFunctions() ## find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES {{if need_iptables_restore}} find_program $IPTABLES_RESTORE{{endif}} {{if need_ip6tables_restore}} find_program $IP6TABLES_RESTORE{{endif}} {{if need_modprobe}} find_program $MODPROBE {{endif}} find_program $IP {{if need_vconfig}} find_program $VCONFIG {{endif}} {{if need_brctl}} find_program $BRCTL {{endif}} {{if need_ifenslave}} find_program $IFENSLAVE {{endif}} {{if need_ipset}} find_program $IPSET {{endif}} } fwbuilder-5.3.7/src/res/configlets/linux24/configure_interfaces000066400000000000000000000014351303637203600246500ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Double '##' comments are removed when configlet is processed. ## Single '#' comments stay. ## ## Some shells (not bash) do not like empty functions. Placing a comment ## inside the function does not help. Using dummy ":" as a placeholder. ## {{if have_interfaces}} {{if need_promote_command}} # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries {{endif}} {{$configure_interfaces_script}} {{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/conntrack000066400000000000000000000014611303637203600224450ustar00rootroot00000000000000## -*- mode: shell-script; -*- {{if iptables_version_lt_1_4}} {{if if_conntrack_max}}echo {{$conntrack_max}} > /proc/sys/net/ipv4/netfilter/ip_conntrack_max{{endif}} {{if if_conntrack_hashsize}}echo {{$conntrack_hashsize}} > /sys/module/ip_conntrack/parameters/hashsize{{endif}} {{if if_conntrack_tcp_be_liberal}}echo {{$conntrack_tcp_be_liberal}} > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal {{endif}} {{endif}} {{if iptables_version_ge_1_4}} {{if if_conntrack_max}}echo {{$conntrack_max}} > /proc/sys/net/netfilter/nf_conntrack_max {{endif}} {{if if_conntrack_hashsize}}echo {{$conntrack_hashsize}} > /sys/module/nf_conntrack/parameters/hashsize{{endif}} {{if if_conntrack_tcp_be_liberal}}echo {{$conntrack_tcp_be_liberal}} > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/constants000066400000000000000000000012421303637203600224740ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## Place any constant definitions for the generated script here ## This code appears at the very top of the script. 
fwbuilder-5.3.7/src/res/configlets/linux24/installer_commands_reg_user000066400000000000000000000021051303637203600262300ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## Note: all commands should be on one line to avoid unnecessary linefeeds. ## These linefeeds are sent to the server side (to the firewall) and end up ## on the input of sudo and other commands. This creates difficult to catch ## race condition which breaks installation process. echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; sudo -S {{$fwdir}}/{{$fwscript}} && echo 'Policy activated' fwbuilder-5.3.7/src/res/configlets/linux24/installer_commands_root000066400000000000000000000014651303637203600254100ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. 
## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## {{if run}} echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; sh {{$fwdir}}/{{$fwscript}} && echo 'Policy activated' {{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/ip_forwarding000066400000000000000000000013111303637203600233070ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. {{if ipv4}} echo {{$ipv4_forw}} > /proc/sys/net/ipv4/ip_forward {{endif}} {{if ipv6}} echo {{$ipv6_forw}} > /proc/sys/net/ipv6/conf/all/forwarding {{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/kernel_vars000066400000000000000000000046401303637203600230000ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. 
## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. {{if if_linux24_ip_dynaddr}} echo {{$linux24_ip_dynaddr}} > /proc/sys/net/ipv4/ip_dynaddr {{endif}} {{if if_linux24_rp_filter}} echo {{$linux24_rp_filter}} > /proc/sys/net/ipv4/conf/all/rp_filter {{endif}} {{if if_linux24_accept_source_route}} echo {{$linux24_accept_source_route}} > /proc/sys/net/ipv4/conf/all/accept_source_route {{endif}} {{if if_linux24_accept_redirects}} echo {{$linux24_accept_redirects}} > /proc/sys/net/ipv4/conf/all/accept_redirects {{endif}} {{if if_linux24_log_martians}} echo {{$linux24_log_martians}} > /proc/sys/net/ipv4/conf/all/log_martians {{endif}} {{if if_linux24_icmp_echo_ignore_broadcasts}} echo {{$linux24_icmp_echo_ignore_broadcasts}} > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts {{endif}} {{if if_linux24_icmp_echo_ignore_all}} echo {{$linux24_icmp_echo_ignore_all}} > /proc/sys/net/ipv4/icmp_echo_ignore_all {{endif}} {{if if_linux24_icmp_ignore_bogus_error_responses}} echo {{$linux24_icmp_ignore_bogus_error_responses}} > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses {{endif}} {{if if_linux24_tcp_fin_timeout}} echo {{$linux24_tcp_fin_timeout}} > /proc/sys/net/ipv4/tcp_fin_timeout {{endif}} {{if if_linux24_tcp_keepalive_interval}} echo {{$linux24_tcp_keepalive_interval}} > /proc/sys/net/ipv4/tcp_keepalive_intvl {{endif}} {{if if_linux24_tcp_window_scaling}} echo {{$linux24_tcp_window_scaling}} > /proc/sys/net/ipv4/tcp_window_scaling {{endif}} {{if if_linux24_tcp_sack}} echo {{$linux24_tcp_sack}} > /proc/sys/net/ipv4/tcp_sack {{endif}} {{if if_linux24_tcp_fack}} echo {{$linux24_tcp_fack}} > /proc/sys/net/ipv4/tcp_fack {{endif}} {{if if_linux24_tcp_syncookies}} echo {{$linux24_tcp_syncookies}} > /proc/sys/net/ipv4/tcp_syncookies {{endif}} {{if if_linux24_tcp_ecn}} echo {{$linux24_tcp_ecn}} > /proc/sys/net/ipv4/tcp_ecn {{endif}} {{if if_linux24_tcp_timestamps}} echo 
{{$linux24_tcp_timestamps}} > /proc/sys/net/ipv4/tcp_timestamps {{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/load_modules000066400000000000000000000036541303637203600231400ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## This is the body of the shell function load_modules(). I keep ## function definition in the script_skeleton configlet to make it ## more readable (the function and call to it are in the file, both ## clearly visible). I could put the code for the body of load_modules ## function in the script_skeleton configlet as well, but I keep it ## separate to make script_skeleton small and clean. ## ## Function load_modules is called with one parameter. This parameter ## is a space-separated list of options. Options (words) "nat" and ## "ipv6" are recognized. PArameter can be "", "nat", "ipv6", ## "nat ipv6" If word "nat" is included, the function should also load ## modules for nat. If word "ipv6" is included, it should also load ## module nf_conntrack_ipv6 {{if load_modules}} OPTS=$1 MODULES_DIR="{{$modules_dir}}" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! 
-name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done {{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/prolog_epilog_functions000066400000000000000000000013761303637203600254210ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## prolog_commands() { echo "Running prolog script" {{$prolog_script}} } epilog_commands() { echo "Running epilog script" {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } fwbuilder-5.3.7/src/res/configlets/linux24/reset_iptables000066400000000000000000000030021303637203600234610ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. 
## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## reset_iptables_v4() { local list $IPTABLES {{$opt_wait}} -P OUTPUT DROP $IPTABLES {{$opt_wait}} -P INPUT DROP $IPTABLES {{$opt_wait}} -P FORWARD DROP while read table; do list=$($IPTABLES {{$opt_wait}} -t $table -L -n) printf "%s" "$list" | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES {{$opt_wait}} -t $table -F $chain fi done $IPTABLES {{$opt_wait}} -t $table -X done < /proc/net/ip_tables_names } reset_iptables_v6() { local list $IP6TABLES {{$opt_wait}} -P OUTPUT DROP $IP6TABLES {{$opt_wait}} -P INPUT DROP $IP6TABLES {{$opt_wait}} -P FORWARD DROP while read table; do list=$($IP6TABLES {{$opt_wait}} -t $table -L -n) printf "%s" "$list" | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES {{$opt_wait}} -t $table -F $chain fi done $IP6TABLES {{$opt_wait}} -t $table -X done < /proc/net/ip6_tables_names } fwbuilder-5.3.7/src/res/configlets/linux24/routing_functions000066400000000000000000000037551303637203600242520ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z "$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v {{$proto_filter}} | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." fwbuilder-5.3.7/src/res/configlets/linux24/run_time_address_tables000066400000000000000000000121271303637203600253450ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. 
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
## check_module_ipset() verifies that the ipset utility can actually
## talk to its kernel module. Presence of the utility itself is checked
## separately in the check_utilities configlet; by the time this runs
## the binary is assumed to be installed, but it can still fail when the
## kernel module is missing or incompatible.
##
## "ipset -V" reports the versions of the utility and the kernel module,
## which makes it useful for diagnostics, but it exits 0 even when it
## cannot reach the module. "ipset --list" does fail in that case, so it
## is used as the probe and "ipset -V" is only run afterwards to print
## the reason. On failure the script exits with status 1.
{{if using_ipset}}
check_module_ipset() {
    if ! $IPSET --list > /dev/null 2>&1
    then
        echo "Detected an error with ipset utility :"
        $IPSET -V
        exit 1
    fi
}
## reloads ipset from the data file. The file must have one address
## per line. The difficulty with ipset is that no set type accepts a
## mix of individual ip addresses and CIDR blocks. Set type iphash
## takes only ip addresses and type nethash takes only CIDR blocks
## with netmask between 1 and 31 bits (no 32 bits). Using a setlist
## set with two sub-sets, one for addresses and another for subnets.
## reload_address_table() { addrtbl_name=$1 data_file=$2 test -z "$addrtbl_name" -o -z "$data_file" && { echo "Usage: reload_address_table address_table_object_name file_name" exit 1 } $IPSET -X tmp_fwb_set:ip -q $IPSET -X tmp_fwb_set:net -q $IPSET -N tmp_fwb_set:ip iphash $IPSET -N tmp_fwb_set:net nethash DATAFILE_SIZE=`wc -l $data_file|cut -d" " -f 1` echo "Processing $DATAFILE_SIZE items in file: $data_file" grep -Ev '^#|^;|^\s*$' $data_file | while read L ; do set $L addr=$1 if echo $addr | grep -q "/" then $IPSET -A tmp_fwb_set:net $addr else $IPSET -A tmp_fwb_set:ip $addr fi done $IPSET --list ${addrtbl_name}:ip >/dev/null || $IPSET -N ${addrtbl_name}:ip iphash $IPSET --list ${addrtbl_name}:net >/dev/null || $IPSET -N ${addrtbl_name}:net nethash $IPSET -W ${addrtbl_name}:ip tmp_fwb_set:ip $IPSET -W ${addrtbl_name}:net tmp_fwb_set:net $IPSET --list ${addrtbl_name} >/dev/null || { $IPSET -N ${addrtbl_name} setlist } $IPSET --list ${addrtbl_name} | grep -q ${addrtbl_name}:ip || { $IPSET -A ${addrtbl_name} ${addrtbl_name}:ip } $IPSET --list ${addrtbl_name} | grep -q ${addrtbl_name}:net || { $IPSET -A ${addrtbl_name} ${addrtbl_name}:net } $IPSET -X tmp_fwb_set:ip $IPSET -X tmp_fwb_set:net } add_to_address_table() { addrtbl_name=$1 data_file=$2 address=$3 test -z "$addrtbl_name" -o -z "$data_file" -o -z "$address" && { echo "Usage: add_to_address_table address_table_object_name file_name address" exit 1 } echo $address >> $data_file if echo $address | grep -q "/" then $IPSET -A ${addrtbl_name}:net $address else $IPSET -A ${addrtbl_name}:ip $address fi } remove_from_address_table() { addrtbl_name=$1 data_file=$2 address=$3 test -z "$addrtbl_name" -o -z "$data_file" -o -z "$address" && { echo "Usage: remove_from_address_table address_table_object_name file_name address" exit 1 } ## note that $address may contain "/" escaped_addr=$(echo $address | sed 's!/!\\/!') sed -i "/^ *$escaped_addr *\$/d" $data_file if echo $address | grep -q "/" then $IPSET -D 
${addrtbl_name}:net $address else $IPSET -D ${addrtbl_name}:ip $address fi } test_address_table() { addrtbl_name=$1 address=$2 test -z "$addrtbl_name" -o -z "$address" && { echo "Usage: test_address_table address_table_object_name address" exit 1 } if echo $address | grep -q "/" then $IPSET -T ${addrtbl_name}:net $address else $IPSET -T ${addrtbl_name}:ip $address fi } load_run_time_address_table_files() { : {{$load_files_commands}} } {{endif}} check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } ## function to check if the data file is available. This is done ## regardless of whether we use module ipset or not. ## Since macro language does not support loops at this time, whole ## code for the body of this function is generated in ## OSConfigurator_linux24::printRunTimeAddressTablesCode() check_run_time_address_table_files() { : {{$check_files_commands}} } fwbuilder-5.3.7/src/res/configlets/linux24/run_time_wrappers000066400000000000000000000036441303637203600242350ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. {{if no_wrapper}} {{$command}} {{endif}} {{if address_table}} grep -Ev '^#|^;|^\s*$' {{$address_table_file}} | while read L ; do set $L; at_{{$address_table_var}}=$1; {{$command}} done {{endif}} ## ## Current implementation supports only one wildcard interface per rule. 
## This can be something like "ppp*" ## {{if wildcard_interface}} getinterfaces {{$interface_family_name}} | while read I; do ivar=$(getInterfaceVarName $I) getaddr{{if ipv6}}6{{endif}} $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && {{$command}} done done {{endif}} ## If the rule uses address of dynamic interface, there can be either ## one such address or two (source and destination). It impossible to ## have more than two. ## ## intf_name is the name of the interface plus "_v6" suffix if ipv6 ## such as "ppp0" or "ppp0_v6" ## This is so because we call getaddr6 function with variable name ## constructed with suffix _v6 ## {{if one_dyn_addr}} for i_{{$intf_1_var_name}} in $i_{{$intf_1_var_name}}_list do test -n "$i_{{$intf_1_var_name}}" && {{$command}} done {{endif}} {{if two_dyn_addr}} for i_{{$intf_1_var_name}} in $i_{{$intf_1_var_name}}_list do for i_{{$intf_2_var_name}} in $i_{{$intf_2_var_name}}_list do test -n "$i_{{$intf_1_var_name}}" && test -n "$i_{{$intf_2_var_name}}" && {{$command}} done done {{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/script_body_iptables_restore000066400000000000000000000022571303637203600264360ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## iptables-restore method, not single rule compile {{if have_script}} ( {{if filter_or_auto}} echo '*filter' {{$filter_auto_script}} {{$filter_script}} echo COMMIT {{endif}} {{if mangle_or_auto}} echo '*mangle' {{$mangle_auto_script}} {{$mangle_script}} echo COMMIT {{endif}} {{if nat}} echo '*nat' {{$nat_script}} echo COMMIT {{endif}} {{if ipv4}} ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES {{endif}} {{if ipv6}} ) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/script_body_iptables_shell000066400000000000000000000015761303637203600260650ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## this template is used for single rule compile, both ## iptables-restore and regular, as well as for the regular ## (not iptables-restore) script {{if auto}}{{$filter_auto_script}} {{$mangle_auto_script}}{{endif}} {{if nat}}{{$nat_script}}{{endif}} {{if mangle}}{{$mangle_script}}{{endif}} {{if filter}}{{$filter_script}}{{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/script_body_single_rule000066400000000000000000000017421303637203600253760ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## this template is used for single rule compile, both ## iptables-restore and regular, as well as for the regular ## (not iptables-restore) script {{if filter}} {{if iptables_restore_format}}echo '*filter' {{endif}} {{$filter_script}} {{endif}} {{if mangle}} {{if iptables_restore_format}}echo '*mangle' {{endif}} {{$mangle_script}} {{endif}} {{if nat}} {{if iptables_restore_format}}echo '*nat' {{endif}} {{$nat_script}} {{endif}} fwbuilder-5.3.7/src/res/configlets/linux24/script_skeleton000066400000000000000000000063331303637203600236760ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Double '##' comments are removed when configlet is processed. ## Single '#' comments stay. ## ## Some shells (not bash) do not like empty functions. Placing a comment ## inside the function does not help. Using dummy ":" as a placeholder. 
## {{$top_comment}} {{$errors_and_warnings}} {{$shell_debug}} FWBDEBUG="" {{$path}} {{$constants}} {{$tools}} {{$shell_functions}} {{$run_time_address_tables}} load_modules() { : {{$load_modules}} } verify_interfaces() { : {{$verify_interfaces}} } prolog_commands() { echo "Running prolog script" {{$prolog_script}} } epilog_commands() { echo "Running epilog script" {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : {{$configure_interfaces}} } script_body() { {{$script_body}} } ip_forward() { : {{$ip_forward_commands}} } reset_all() { : {{$reset_all}} } {{$block_action}} {{$stop_action}} {{$status_action}} # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated {{$timestamp}} by {{$user}}" check_tools {{if prolog_top}} prolog_commands {{endif}} check_run_time_address_table_files {{if using_ipset}} check_module_ipset {{endif}} load_modules "{{$load_modules_with_nat}} {{$load_modules_with_ipv6}}" configure_interfaces verify_interfaces {{if prolog_after_interfaces}} prolog_commands {{endif}} {{if not_using_iptables_restore}} reset_all {{endif}} {{if prolog_after_flush}} prolog_commands {{endif}} script_body ip_forward {{if using_ipset}} load_run_time_address_table_files {{endif}} epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; {{if using_ipset}} ## Usage: script.fw reload_address_table reload_address_table) reload_address_table $2 $3 ;; ## Usage: script.fw add_to_address_table
add_to_address_table) add_to_address_table $2 $3 $4 ;; ## Usage: script.fw remove_from_address_table
remove_from_address_table) remove_from_address_table $2 $3 $4 ;; ## Usage: script.fw test_address_table
test_address_table) test_address_table $2 $3 ;; {{endif}} *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces{{if using_ipset}}|reload_address_table|add_to_address_table|remove_from_address_table|test_address_table{{endif}}]" ;; esac exit $RETVAL fwbuilder-5.3.7/src/res/configlets/linux24/shell_functions000066400000000000000000000051621303637203600236640ustar00rootroot00000000000000## -*- mode: shell-script; -*- log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } ## ## getaddr6() reimplementation idea courtesy Juergen Kammer ## See ticket #651 ## ## Can not use awk substr() function as originally suggested by ## Juergen because of the difference in behavior between GNU awk and ## mawk (a bug?). GNU awk substr() returns +1 character while mawk ## returns n characters. Tested with GNU awk v3.1.5 (CentOS 5.2) and ## mawk v1.3.3 (Ubuntu Jaunty) ## ## This sed command has been tested with GNU sed v4.1.5 and busybox v1.00 ## ## getaddr has been reimplemented to return list of all ipv4 addresses ## of the interface. This is different from its behavior in fwbuilder ## v2 and v3 where it returned only the first address. ## getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } ## ## This function reads all ipv4 addresses of interface (arg 1) and ## assignes the list to the variable which name is given as arg 2. ## getaddr() { getaddr_internal $1 $2 "-4" } ## ## This function reads all ipv6 addresses of interface (arg 1) and ## assignes the list to the variable which name is given as arg 2. 
## getaddr6() { getaddr_internal $1 $2 "-6" } ## ## This function reads all ipv4 addresses of interface (arg 1) and ## assignes list of addresses of attached networks with their netmasks ## to the variable which name is given as arg 2. ## getnet() { getnet_internal $1 $2 "-4" } ## ## This function reads all ipv6 addresses of interface (arg 1) and ## assignes list of addresses of attached networks with their netmasks ## to the variable which name is given as arg 2. ## getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } fwbuilder-5.3.7/src/res/configlets/linux24/status_action000066400000000000000000000031641303637203600233450ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/sveasoft/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## This configlet defines commands executed when iptables script is ran ## with command line argument "status". Exit codes are defined in ## http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html ## Script should return with exit code 0 if iptables rules are loaded and ## 1 otherwise. 
We can not verify that the rules running at the moment ## are those configured in this script so we only check if some rules ## exist by checking if any tables are defined. check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } fwbuilder-5.3.7/src/res/configlets/linux24/stop_action000066400000000000000000000022121303637203600230000ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/sveasoft/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## This configlet defines commands executed when iptables script is ran ## with command line argument "stop". 
By default it resets iptables ## tables and chains using function reset_all and sets all chains ## default policy to ACCEPT stop_action() { reset_all {{if have_ipv4}} $IPTABLES {{$opt_wait}} -P OUTPUT ACCEPT $IPTABLES {{$opt_wait}} -P INPUT ACCEPT $IPTABLES {{$opt_wait}} -P FORWARD ACCEPT {{endif}} {{if have_ipv6}} $IP6TABLES {{$opt_wait}} -P OUTPUT ACCEPT $IP6TABLES {{$opt_wait}} -P INPUT ACCEPT $IP6TABLES {{$opt_wait}} -P FORWARD ACCEPT {{endif}} } fwbuilder-5.3.7/src/res/configlets/linux24/top_comment000066400000000000000000000003641303637203600230100ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v{{$version}} # # Generated {{$timestamp}} {{$tz}} by {{$user}} # {{$manifest}} # # Compiled for {{$platform}} {{$fw_version}} # {{$comment}} fwbuilder-5.3.7/src/res/configlets/linux24/update_addresses000066400000000000000000000124251303637203600240040ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ############ add or remove ip addresses of interfaces ####################### P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS ## as of v4.0 we do not manage addresses of point-to-point ## interfaces. The output of "ip addr show" command for these inetrfaces has ## word "POINTOPOINT". ## Since the user can not define interface address without netmask in ## fwbuilder GUI, the script always assumes the address of p2p ## interface has one. It is therefore something like 1.2.3.4/32. 
The ## address in the output of "ip addr show" command does not have any ## netmask, like in ## ## 10: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500 ## link/[65534] ## inet 10.0.0.100 peer 10.0.0.200 scope global tun0 ## ## This means, we always have a discrepancy and the script will always ## want to update the address, even if the address defined in the GUI ## matches the one on the interface, the only difference being the ## missing netmask. This leads to many repetitive warnings. We get two ## warnings even if there is only one p2p interface. Using global ## variable to suppress redundant warnings. This means the user will ## see only one warning, citing the name of the first p2p interface ## even if they have many. $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" ## Use "broadcast +" syntax to make ip assign broadcast automatically, ## but only for ipv4 addresses echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } ## ## The list of current addresses is taken using "ip addr show" command. ## Second argument defines address scrope; it should be in the form ## of the matching regex such as "scope global" or "scope .*". 
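##
## Lists the addresses of one interface as "ADDRESS/PREFIX@INTERFACE"
## lines, sorted.
##
## Arguments:
##   $1 - interface name
##   $2 - awk regex selecting the address scope, e.g. "scope global"
##        or "scope .*"; it is matched against the whole "ip addr" line
##   $3 - whitespace-separated list of addresses (with prefix length)
##        that must be left out of the result
##
## Output: one "ADDRESS/PREFIX@INTERFACE" per line on stdout.
##
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    ## Field 2 of an "inet"/"inet6" line is the address with its prefix
    ## length. The ignore list is turned into an awk set so that the
    ## membership test is an exact string comparison, not a substring match.
    $IP addr ls dev "$interface" | \
    awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
    'BEGIN {
      split(IGNORED,ignored_arr);
      for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
    }
    (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
    while read -r addr; do
        echo "${addr}@$interface"
    done | sort
}

## arg 1 is like "eth1 1.1.1.1/24 2.2.2.2/24 fe80::20c:29ff:fef6:bea0/64"
## arg 2 is "3.3.3.3/24 4.4.4.4/24" - list of addresses we should ignore
## Using arg2 to provide list of addresses managed by heartbeat, so that
## incremental update does not delete them.
##
## Only "scope global" addresses are managed because fwbuilder script
## should not try to delete addresses configured for tunnels and IPv6
## link scope addresses (fe80::) ("scope link" or "scope host" addresses)
##
## Addresses we should ignore are dropped from the list.
##
## Every configured address that is present in no scope is passed to
## "missing_address ADDR@INTF add"; every "scope global" address that is
## not configured is passed to "missing_address ADDR@INTF del" (both via
## diff_intf). If the interface does not exist the script exits with
## status 1, unless FWBDEBUG is set (test mode), in which case it only
## prints a comment and continues.
##
update_addresses_of_interface() {
    ignore_list=$2
    ## arg 1 is deliberately word-split: the interface name comes first,
    ## followed by the configured addresses
    set $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in "$@"; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    ## if/else rather than "cmd && { ... } || { ... }": with the latter, a
    ## failure of the last command inside the first block would fall
    ## through into the "does not exist" branch and abort the script for
    ## an interface that is actually present.
    if $IP link show dev "$interface" >/dev/null 2>&1
    then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

## this function removes addresses from interfaces that do not exist in
## fwbuilder config.
##
## Usage:
##   clear_addresses_except_known_interfaces lo eth0 eth1 eth2.100 vlan20 br0
##
## Arguments are all interfaces that have addresses in
## fwbuilder. Addresses will be removed from all other interfaces with
## addresses found on the firewall.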
## clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } fwbuilder-5.3.7/src/res/configlets/linux24/update_bonding000066400000000000000000000134171303637203600234510ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
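##
############ bonding ###########################################
## cat /proc/net/bonding/bond0
## Ethernet Channel Bonding Driver: v3.5.0 (November 4, 2008)
##
## Bonding Mode: load balancing (round-robin)
## MII Status: up
## MII Polling Interval (ms): 0
## Up Delay (ms): 0
## Down Delay (ms): 0
##
## Slave Interface: eth2
## MII Status: up
## Link Failure Count: 0
## Permanent HW addr: 00:0c:29:f6:be:aa
##
## Slave Interface: eth3
## MII Status: up
## Link Failure Count: 0
## Permanent HW addr: 00:0c:29:f6:be:b4
##
##
## Brings a bonding interface that is not configured in fwbuilder down.
## Has the diff_intf callback signature (item, command), like
## missing_address and missing_vlan.
##
## Arguments:
##   $1 - bonding interface name (e.g. bond0)
##   $2 - action; only "down" does anything, any other value is a no-op
##
## Every "ip" command is prefixed with $FWBDEBUG, which is empty in
## normal runs and "echo" in test mode, so the command is printed
## instead of executed.
missing_bond() {
    bond_intf=$1
    cmd=$2
    if test "$cmd" = "down"
    then
        echo "# Bring unconfigured bonding interface $bond_intf down"
        $FWBDEBUG $IP link set "$bond_intf" down
    fi
}

## Adds a slave to, or removes it from, a bonding interface. Has the
## diff_intf callback signature (item, command).
##
## Arguments:
##   $1 - "SLAVE@BOND", e.g. "eth2@bond0"
##   $2 - "-d" to detach the slave; any other value enslaves it
##        (the bonding interface is brought up first)
missing_slave() {
    slave=$1
    cmd=$2
    ## split "SLAVE@BOND" on "@"; IFS is restored right after
    oldIFS=$IFS
    IFS="@"
    set $slave
    intf=$1
    bond_interface=$2
    IFS=$oldIFS
    ## This must be an if/else, not "test ... && { detach } || { add }":
    ## with the latter a failing "ifenslave -d" falls through into the
    ## add branch and re-enslaves the very interface it was asked to
    ## detach.
    if test "$cmd" = "-d"
    then
        echo "# Delete bonding interface slave: $bond_interface $intf"
        $FWBDEBUG $IFENSLAVE -d "$bond_interface" "$intf"
    else
        echo "# Add bonding interface slave: $bond_interface $intf"
        $FWBDEBUG $IP link set "$bond_interface" up
        $FWBDEBUG $IFENSLAVE "$bond_interface" "$intf"
    fi
}

## verify that bonding module is loaded with parameters that provide
## support for required number of bonding interfaces (bonding
## interfaces get created when module is loaded and if we need 2 --
## bond0 and bond1 -- then the way to get them is to load the module
## with parameter max_bonds=2).
##
## Current implementation only supports identical bonding parameters
## for all bonding interfaces. This is because in my tests command
## "modprobe bonding -obond1" always causes kernel panic. This means I
## could not find a way to load bonding module two times with
## different parameters.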
Call for this function is generated in ## OSConfigurator_linux24::printBondingInterfaceConfigurationCommands() ## ## load_bonding_module "bond0 bond1" max_bonds=2 mode=balance-alb miimon=50 ## load_bonding_module() { bonding_interfaces=$1 shift module_parameters=$* PROC_DIR="/proc/net/bonding/" test -d $PROC_DIR || { ## module is not loaded. Load it with appropriate max_bonds argument cmd="$MODPROBE bonding $module_parameters" test -n "$FWBDEBUG" && echo "# $cmd" || $cmd || { # Module load failed. cat </dev/null 2>&1 || { echo "# Creating bridge interface $bridge_interface" $FWBDEBUG $BRCTL addbr $bridge_interface $FWBDEBUG $IP link set $bridge_interface up } PORTS=$( $BRCTL show | \ awk '($1~/^br/) { printf "\n"; } (!/bridge name/ && NF>3) {printf "%s %s ", $1,$NF;} (NF==1) {printf "%s ",$1;}' | grep $bridge_interface ) test -n "$PORTS" && { set $PORTS shift CURRENT_PORTS=$( for subint in $*; do echo "${subint}@$bridge_interface" done | sort ) } # first delete bridge ports, then add. This way, if an interface # moves from one bridge to another, we remove it first and then # add. It would not work if we tried to add it first, brctl issues # an error: # device eth2 is already a member of a bridge; can't enslave it to bridge br1. # diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" delif diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addif } ## This function synchronizes bridge interfaces between fwbuilder objects ## and actual configuration of the firewall machine. Birgde interfaces not ## listed as arguments will be deleted and those in the arguments will be ## created if missing. ## ## NOTE: we have to delete and create bridge interfaces before we add ## bridge ports to them because if a bridge interface that was not ## configured in fwbuilder existed before this script ran, its bridge ## ports could not be added to other bridges. This bridge interface ## should be deleted first. 
## ## sync_bridge_interfaces br0 br1 sync_bridge_interfaces() { $BRCTL show | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } ($1 ~ /^br[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \ while read brintf; do echo "# Deleting bridge interface $brintf" $FWBDEBUG $IP link set $brintf down $FWBDEBUG $BRCTL delbr $brintf done for brint in $*; do $BRCTL showmacs $brint >/dev/null 2>&1 || { echo "# Creating bridge interface $brintf" $FWBDEBUG $BRCTL addbr $brint $FWBDEBUG $IP link set $brint up } done } fwbuilder-5.3.7/src/res/configlets/linux24/update_vlans000066400000000000000000000073101303637203600231470ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ############ VLAN ############################################## ## /proc/net/vlan/config ## ## VLAN Dev name | VLAN ID ## Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD ## eth1.100 | 100 | eth1 ## eth1.101 | 101 | eth1 ## eth1.102 | 102 | eth1 ## ## Note about vlans: "ip link show" does not always accurately shows ## relationship between vlan subinterfaces and their parents. 
Example of ## the output where this happens (Sveasoft firmware for Linksys): ## ## ip link show | grep vlan ## 7: vlan0: mtu 1500 qdisc noqueue ## 8: vlan1: mtu 1500 qdisc noqueue missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@" set $vlan subint=$1 parent=$2 IFS=$oldIFS vlan_id=$(echo $subint | sed -r 's/(vlan|[^.]*\.)//') test "$cmd" = "add" && { echo $subint | grep -q "vlan" && name_type="VLAN_PLUS_VID" || name_type="DEV_PLUS_VID" test "$vlan_id" \< "1" || name_type="${name_type}_NO_PAD" echo "# Adding VLAN interface $subint (parent: $parent)" $FWBDEBUG $VCONFIG set_name_type $name_type $FWBDEBUG $VCONFIG $cmd $parent $vlan_id $FWBDEBUG $IP link set $subint up } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (parent: $parent)" $FWBDEBUG $VCONFIG $cmd $subint } } parse_fwb_vlans() { set $1 vlan_parent_interface=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent_interface" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent_interface=$1 CURRENT_VLANS="" PROC_DIR="/proc/net/vlan/" test -d $PROC_DIR || $MODPROBE 8021q || { echo "$PROC_DIR does not exist. Vlan interfaces are not available." 
exit 1 } test -f "/proc/net/vlan/config" && { CURRENT_VLANS=$( cat /proc/net/vlan/config | grep -v 'Dev name' | grep $vlan_parent_interface | \ while read subint a vlan_id b parent; do echo "${subint}@$parent" done | sort ) } echo $CURRENT_VLANS } update_vlans_of_interface() { args="$1" set $1 vlan_parent_interface=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface) $IP link set $vlan_parent_interface up diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } add_vlans() { args="$1" set $1 vlan_parent_interface=$1 FWB_VLANS=$(parse_fwb_vlans $args) CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface) $IP link set $vlan_parent_interface up diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add } ## This function removes vlan interfaces not configured in fwbuilder. ## Missing vlans are added using function update_vlans ## ## clear_vlans_except_known eth1.100@eth1 eth1.101@eth1 vlan200@eth2 ## ## Call shown above would keep listed vlans but remove eth3.300 ## clear_vlans_except_known() { FWB_VLANS=$* CURRENT_VLANS=$(parse_current_vlans '|') diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } fwbuilder-5.3.7/src/res/configlets/linux24/verify_interfaces000066400000000000000000000005331303637203600241710ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## This is the body of the shell function verify_interfaces() {{if have_interfaces}} echo "Verifying interfaces: {{$interfaces}}" for i in {{$interfaces}} ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done {{endif}} fwbuilder-5.3.7/src/res/configlets/macosx/000077500000000000000000000000001303637203600205235ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/macosx/installer_commands_reg_user000066400000000000000000000026161303637203600262240ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes 
to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/macosx/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## Note: all commands should be on one line to avoid unnecessary linefeeds. ## These linefeeds are sent to the server side (to the firewall) and end up ## on the input of sudo and other commands. This creates difficult to catch ## race condition which breaks installation process. echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; sudo -S {{$fwdir}}/{{$fwscript}} && echo 'Policy activated' fwbuilder-5.3.7/src/res/configlets/macosx/installer_commands_root000066400000000000000000000021721303637203600253710ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/macosx/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. 
## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## {{if run}} echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; sh {{$fwdir}}/{{$fwscript}} && echo 'Policy activated' {{endif}} fwbuilder-5.3.7/src/res/configlets/macosx/kernel_vars000066400000000000000000000015211303637203600227600ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/macosx/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
{{if have_macosx_ip_forward}}$SYSCTL -w net.inet.ip.forwarding={{$macosx_ip_forward}}{{endif}} {{if have_macosx_ip_sourceroute}}$SYSCTL -w net.inet.ip.sourceroute={{$macosx_ip_sourceroute}}{{endif}} {{if have_macosx_ip_redirect}}$SYSCTL -w net.inet.ip.redirect={{$macosx_ip_redirect}}{{endif}} fwbuilder-5.3.7/src/res/configlets/macosx/tools000066400000000000000000000012771303637203600216150ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/macosx/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## Set path to all utilities that we need IFCONFIG="{{$path_ifconfig}}" IPFW="{{$path_ipfw}}" SYSCTL="{{$path_sysctl}}" LOGGER="{{$path_logger}}" fwbuilder-5.3.7/src/res/configlets/nxos/000077500000000000000000000000001303637203600202205ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/nxos/installer_commands_post_config000066400000000000000000000011221303637203600264070ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. 
## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$rbtimeout}} -- rollback timeout ## {{$test}} -- doing installation in test mode ## ##{{if version_lt_124}} ##{{if cancel_rollback}} ##reload cancel ##{{endif}} ##{{endif}} ## ## ##{{if version_ge_124}} ##{{if cancel_rollback}} ##config term ##no event manager applet fwbuilder-rollback ##exit ##{{endif}} ##{{endif}} {{if run}} ##wr mem {{endif}} fwbuilder-5.3.7/src/res/configlets/nxos/installer_commands_pre_config000066400000000000000000000014771303637203600262250ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. ## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$rbtimeout}} -- rollback timeout (min) ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## {{$test}} -- doing installation in test mode ## terminal width 256 terminal length 0 ##{{if schedule_rollback}} ## ##{{if version_lt_123}} ##reload in {{$rbtimeout}} ##{{endif}} ## ##{{if version_ge_124}} ##config term ##event manager applet fwbuilder-rollback ##event timer countdown name rollback-countdown time {{$rbtimeout_sec}} ##action 1.0 cli command "enable" ##action 1.1 cli command "configure replace nvram:startup-config force" ##exit ##exit ##{{endif}} ## ##{{endif}} config term fwbuilder-5.3.7/src/res/configlets/nxos/installer_commands_reg_user000066400000000000000000000027451303637203600257240ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. 
## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ("flash:" or "nvram:" or similar) ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## ## {{$firewall_name}} -- the name of the firewall object ## {{if using_scp}} ## scp, no session {{if not_using_nxos_session}} copy {{$fwdir}}{{$fwscript}} running-config {{endif}} ## scp and session {{if using_nxos_session}} del {{$fwdir}}/{{$fwscript}}.run config session fwb_{{$firewall_name}} echo "config term" > {{$fwdir}}/{{$fwscript}}.run show file {{$fwdir}}/{{$fwscript}} >> {{$fwdir}}/{{$fwscript}}.run run-script {{$fwdir}}/{{$fwscript}}.run >> {{$fwdir}}/{{$fwscript}} commit del {{$fwdir}}/{{$fwscript}} del {{$fwdir}}/{{$fwscript}}.run {{endif}} exit {{endif}} {{if not_using_scp}} config term {{if using_nxos_session}} config session fwb_{{$firewall_name}} {{endif}} {{$fwbuilder_generated_configuration_lines}} {{if using_nxos_session}} commit {{endif}} exit {{endif}} fwbuilder-5.3.7/src/res/configlets/nxos/safety_net_acl000066400000000000000000000024221303637203600231230ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/nxos/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ! 
temporary access list for "safety net install" {{if ipv4}} no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip {{$management_addr}} {{$management_netm}} any deny ip any any exit interface {{$management_interface}} no ip access-group in no ip access-group out ip access-group tmp_acl in exit {{endif}} {{if ipv6}} no ipv6 access-list tmp_acl ipv6 access-list tmp_acl {{if slash_notation}} permit ipv6 {{$management_addr}} any {{endif}} {{if host_addr}} permit ipv6 host {{$management_addr}} any {{endif}} permit icmp any any deny ipv6 any any exit interface {{$management_interface}} no ipv6 traffic-filter in no ipv6 traffic-filter out ipv6 traffic-filter tmp_acl in exit {{endif}} fwbuilder-5.3.7/src/res/configlets/nxos/script_skeleton000066400000000000000000000015401303637203600233530ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/nxos/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## {{$top_comment}} {{$errors_and_warnings}} ! ! Prolog script: ! {{$prolog_script}} ! ! End of prolog script: ! {{$other_os_configuration_commands}} {{$system_configuration_script}} {{$policy_script}} {{$nat_script}} {{$routing_script}} ! ! Epilog script: ! {{$epilog_script}} ! End of epilog script: ! fwbuilder-5.3.7/src/res/configlets/nxos/top_comment000066400000000000000000000003551303637203600224720ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_nxosacl v{{$version}} ! ! Generated {{$timestamp}} {{$tz}} by {{$user}} ! ! 
Compiled for {{$platform}} {{$fw_version}} ! {{$manifest}} ! {{$comment}} fwbuilder-5.3.7/src/res/configlets/openbsd/000077500000000000000000000000001303637203600206635ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/openbsd/installer_commands_reg_user000066400000000000000000000031421303637203600263570ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## See #1368 for the explanation of the need for the "sleep2; echo" commands ## On the other hand, since we use ssh keepalives in v4.0.2 and later, these ## commands may not be necessary anymore. ## ## Note: all commands should be on one line to avoid unnecessary linefeeds. ## These linefeeds are sent to the server side (to the firewall) and end up ## on the input of sudo and other commands. This creates difficult to catch ## race condition which breaks installation process. 
echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; sudo -S {{$fwdir}}/{{$fwscript}} && (echo 'Policy activated'; sleep 2; echo) fwbuilder-5.3.7/src/res/configlets/openbsd/installer_commands_root000066400000000000000000000023061303637203600255300ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## See #1368 for the explanation of the need for the "sleep2; echo" commands echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; sh {{$fwdir}}/{{$fwscript}} && ( echo 'Policy activated'; sleep 2; echo ) fwbuilder-5.3.7/src/res/configlets/openbsd/kernel_vars000066400000000000000000000020761303637203600231260ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/openbsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. 
Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. {{if have_openbsd_ip_directed_broadcast}}$SYSCTL -w net.inet.ip.directed-broadcast={{$openbsd_ip_directed_broadcast}}{{endif}} {{if have_openbsd_ip_forward}}$SYSCTL -w net.inet.ip.forwarding={{$openbsd_ip_forward}}{{endif}} {{if have_openbsd_ipv6_forward}}$SYSCTL -w net.inet6.ip6.forwarding={{$openbsd_ipv6_forward}}{{endif}} {{if have_openbsd_ip_sourceroute}}$SYSCTL -w net.inet.ip.sourceroute={{$openbsd_ip_sourceroute}}{{endif}} {{if have_openbsd_ip_redirect}}$SYSCTL -w net.inet.ip.redirect={{$openbsd_ip_redirect}}{{endif}} fwbuilder-5.3.7/src/res/configlets/openbsd/routing_functions000066400000000000000000000034671303637203600243770ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/bsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## # ============== ROUTING RULES ============== TMPDIRNAME=`mktemp -d /tmp/.fwbuilder.XXXXXXXXXX` || exit 1 TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." 
# delete current routing rules route -n show -inet | awk '$3 ~ /S/ && $NF !~ /lo0/ { print $0;}' | \ while read route gw rest; do route delete $route $gw; done # restore old routing rules (IFS=" "; for route_cmd in $oldRoutes; do (IFS=' '; $route_cmd); done) echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 oldRoutes=$(route -n show -inet | awk '{printf "route add %s %s\n",$1,$2;}') echo "Deleting routing rules previously set by user space processes..." route -n show -inet | grep S | grep -Ev {{$route_filter}} | \ while read route gw rest; do route delete $route $gw; done echo "Activating routing rules..." fwbuilder-5.3.7/src/res/configlets/openbsd/tools000066400000000000000000000013021303637203600217420ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/openbsd/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## Set path to all utilities that we need IFCONFIG="{{$path_ifconfig}}" PFCTL="{{$path_pfctl}}" SYSCTL="{{$path_sysctl}}" LOGGER="{{$path_logger}}" fwbuilder-5.3.7/src/res/configlets/openwrt/000077500000000000000000000000001303637203600207275ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/openwrt/check_utilities000066400000000000000000000015651303637203600240310ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/linux24/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IP {{if need_vconfig}} find_program $VCONFIG {{endif}} {{if need_brctl}} find_program $BRCTL {{endif}} {{if need_ifenslave}} find_program $IFENSLAVE {{endif}} } fwbuilder-5.3.7/src/res/configlets/openwrt/installer_commands_reg_user000066400000000000000000000021461303637203600264260ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/sveasoft/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## ## We only use root to authenticate to OpenWRT firewall {{if run}} {{endif}} {{if test}} {{endif}} fwbuilder-5.3.7/src/res/configlets/openwrt/installer_commands_root000066400000000000000000000014431303637203600255750ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; {{$fwdir}}/{{$fwscript}} start && echo 'Policy activated' fwbuilder-5.3.7/src/res/configlets/openwrt/load_modules000066400000000000000000000015471303637203600233300ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## This configlet is a variant of linux24/load_modules except it uses insmod ## instead of modprobe because modprobe is not available on OpenWRT. See ## linux24/load_modules for more comments. {{if load_modules}} OPTS=$1 MODULES_DIR="{{$modules_dir}}" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! 
-name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi insmod ${module} || exit 1 done {{endif}} fwbuilder-5.3.7/src/res/configlets/openwrt/script_skeleton000066400000000000000000000035221303637203600240640ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Double '##' comments are removed when configlet is processed. ## Single '#' comments stay. ## ## Some shells (not bash) do not like empty functions. Placing a comment ## inside the function does not help. Using dummy ":" as a placeholder. ## {{$top_comment}} {{$errors_and_warnings}} START=46 EXTRA_COMMANDS="status interfaces test_interfaces" {{$shell_debug}} FWBDEBUG="" {{$path}} {{$constants}} {{$tools}} {{$shell_functions}} {{$run_time_address_tables}} load_modules() { : {{$load_modules}} } verify_interfaces() { : {{$verify_interfaces}} } prolog_commands() { echo "Running prolog script" {{$prolog_script}} } epilog_commands() { echo "Running epilog script" {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : {{$configure_interfaces}} } script_body() { {{$script_body}} } ip_forward() { : {{$ip_forward_commands}} } reset_all() { : {{$reset_all}} } {{$stop_action}} {{$status_action}} start() { log "Activating firewall script generated {{$timestamp}} by {{$user}}" check_tools {{if prolog_top}} prolog_commands {{endif}} check_run_time_address_table_files {{if using_ipset}} check_module_ipset load_run_time_address_table_files {{endif}} load_modules "{{$load_modules_with_nat}} {{$load_modules_with_ipv6}}" configure_interfaces verify_interfaces {{if prolog_after_interfaces}} prolog_commands {{endif}} {{if 
not_using_iptables_restore}} reset_all {{endif}} {{if prolog_after_flush}} prolog_commands {{endif}} script_body ip_forward epilog_commands } stop() { stop_action } status() { status_action } interfaces() { configure_interfaces } test_interfaces() { FWBDEBUG="echo" configure_interfaces } fwbuilder-5.3.7/src/res/configlets/openwrt/top_comment000066400000000000000000000004021303637203600231720ustar00rootroot00000000000000#!/bin/sh /etc/rc.common # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v{{$version}} # # Generated {{$timestamp}} {{$tz}} by {{$user}} # {{$manifest}} # # Compiled for {{$platform}} {{$fw_version}} # {{$comment}} fwbuilder-5.3.7/src/res/configlets/pf/000077500000000000000000000000001303637203600176365ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/pf/activation000066400000000000000000000013151303637203600217220ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pf/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## $PFCTL {{$pfctl_debug}} {{if anchor}}-a {{$anchor_name}}{{endif}} {{if pf_version_lt_3_2}}-R{{endif}} {{if pf_version_ge_3_2}}-f{{endif}} {{$remote_file}} || exit 1 fwbuilder-5.3.7/src/res/configlets/pf/rc_conf_activation000066400000000000000000000011041303637203600234070ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pf/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## pf_rules="{{$remote_file}}" fwbuilder-5.3.7/src/res/configlets/pf/rc_conf_skeleton000066400000000000000000000015251303637203600231010ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pf/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## Parts of this configlets will be translated to variable=value syntax ## used by rc.conf files ## {{$top_comment}} {{$errors_and_warnings}} {{$kernel_vars_commands}} {{$prolog_script}} {{$configure_interfaces}} pf_enable="YES" {{$activation_commands}} {{$routing_script}} {{$epilog_script}} fwbuilder-5.3.7/src/res/configlets/pf/rc_conf_top_comment000066400000000000000000000003501303637203600235740ustar00rootroot00000000000000# # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v{{$version}} # # Generated {{$timestamp}} {{$tz}} by {{$user}} # {{$manifest}} # # Compiled for {{$platform}} {{$fw_version}} # {{$comment}} fwbuilder-5.3.7/src/res/configlets/pf/script_skeleton000066400000000000000000000024071303637203600227740ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pf/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{$top_comment}} {{$errors_and_warnings}} {{$shell_debug}} FWDIR=`dirname $0` {{$tools}} {{$shell_functions}} verify_interfaces() { : {{$verify_interfaces}} } set_kernel_vars() { : {{$kernel_vars_commands}} } prolog_commands() { : {{$prolog_script}} } epilog_commands() { : {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : {{$configure_interfaces}} } log "Activating firewall script generated {{$timestamp}} by {{$user}}" set_kernel_vars configure_interfaces prolog_commands {{$activation_commands}} {{if pf_version_ge_4_x}} {{if pf_flush_states}} $PFCTL -F states {{endif}} {{endif}} {{$routing_script}} epilog_commands fwbuilder-5.3.7/src/res/configlets/pf/top_comment000066400000000000000000000003621303637203600221060ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v{{$version}} # # Generated {{$timestamp}} {{$tz}} by {{$user}} # {{$manifest}} # # Compiled for {{$platform}} {{$fw_version}} # {{$comment}} fwbuilder-5.3.7/src/res/configlets/pix_os/000077500000000000000000000000001303637203600205325ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/pix_os/failover_commands_6000066400000000000000000000023701303637203600243740ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
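##
##
## http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html
##
## failover ip address outside 209.165.201.2
## failover ip address inside 192.168.2.2
## failover ip address failover 192.168.254.2
## failover ip address state 192.168.253.2
## failover link state
## failover lan unit primary
## failover lan interface failover
## failover lan key 12345678
## failover lan enable
## failover
##
##
## "failover ip address" commands are added by the failover_interface_6 configlet
##
## The commands emitted below follow the PIX 6.3 example above: the
## unit role, LAN failover interface and shared secret are all set with
## the "failover lan ..." forms. The "failover key" form without "lan"
## is the 7.x syntax and is used by the failover_commands_7 configlet.
##
## NOTE(review): {{$failover_key}} is the failover shared secret and is
## expanded in clear text into the generated configuration; protect the
## generated file accordingly.
failover link {{$state_sync_interface_label}}
failover lan unit {{$primary_or_secondary}}
failover lan interface {{$failover_interface_label}}
failover lan key {{$failover_key}}
failover lan enable
failover
fwbuilder-5.3.7/src/res/configlets/pix_os/failover_commands_7000066400000000000000000000027361303637203600244030ustar00rootroot00000000000000
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/pix_os/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.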
## ## ## failover ## failover lan unit primary ## failover lan interface failover Ethernet3 ## failover lan enable ## failover key ****** ## failover link state Ethernet2 ## failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2 ## failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2 failover lan unit {{$primary_or_secondary}} failover lan interface {{$failover_interface_label}} {{$failover_interface_name}} failover lan enable failover key {{$failover_key}} failover interface ip {{$failover_interface_label}} {{$failover_interface_primary_address}} {{$failover_interface_primary_netmask}} standby {{$failover_interface_standby_address}} failover link {{$state_sync_interface_label}} {{$state_sync_interface_name}} failover interface ip {{$state_sync_interface_label}} {{$state_sync_interface_primary_address}} {{$state_sync_interface_primary_netmask}} standby {{$state_sync_interface_standby_address}} failover fwbuilder-5.3.7/src/res/configlets/pix_os/failover_interface_6000066400000000000000000000015101303637203600245260ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} {{if configure_interface_address}}ip address {{$interface_label}} {{$address}} {{$netmask}} {{endif}} {{if configure_standby_address}}failover ip address {{$interface_label}} {{$standby_address}} {{endif}} fwbuilder-5.3.7/src/res/configlets/pix_os/failover_interface_7000066400000000000000000000012071303637203600245320ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## interface {{$interface_name}} description LAN/STATE Failover Interface no nameif exit fwbuilder-5.3.7/src/res/configlets/pix_os/installer_commands_post_config000066400000000000000000000007001303637203600267220ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. ## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$rbtimeout}} -- rollback timeout ## {{$test}} -- doing installation in test mode ## {{if cancel_rollback}} reload cancel {{endif}} {{if run}} wr mem {{endif}} {{if save_standby}} wr standby {{endif}} fwbuilder-5.3.7/src/res/configlets/pix_os/installer_commands_pre_config000066400000000000000000000006061303637203600265300ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. 
## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$rbtimeout}} -- rollback timeout ## {{$test}} -- doing installation in test mode ## {{if schedule_rollback}} reload in {{$rbtimeout}} {{endif}} fwbuilder-5.3.7/src/res/configlets/pix_os/installer_commands_reg_user000066400000000000000000000017131303637203600262300ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall (in case of PIX, "flash:" or similar) ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## ## {{$firewall_name}} -- the name of the firewall object ## {{if using_scp}} copy /noconfirm {{$fwdir}}{{$fwscript}} running-config {{endif}} {{if not_using_scp}} config term terminal width 256 {{$fwbuilder_generated_configuration_lines}} exit {{endif}} fwbuilder-5.3.7/src/res/configlets/pix_os/ntp000066400000000000000000000020251303637203600212550ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. 
## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## {{if clear}} {{if pix_version_lt_70}} clear ntp {{endif}} {{if pix_version_ge_70}} clear config ntp {{endif}} {{endif}} {{if not_server_1_empty}}ntp server {{$address_1}} source {{$interface_1_label}} {{if prefer_1}}prefer{{endif}} {{endif}} {{if not_server_2_empty}}ntp server {{$address_2}} source {{$interface_2_label}} {{if prefer_2}}prefer{{endif}} {{endif}} {{if not_server_3_empty}}ntp server {{$address_3}} source {{$interface_3_label}} {{if prefer_3}}prefer{{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/pix_os/regular_interface_6000066400000000000000000000020661303637203600243670ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{if static_address}} nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} {{if configure_interface_address}}ip address {{$interface_label}} {{$address}} {{$netmask}} {{endif}} {{if configure_standby_address}}failover ip address {{$interface_label}} {{$standby_address}} {{endif}} {{endif}} {{if dhcp_address}} nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} {{if configure_interface_address}}ip address {{$interface_label}} dhcp setroute retry 10 {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/pix_os/regular_interface_7000066400000000000000000000020441303637203600243640ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{if static_address}} interface {{$interface_name}} nameif {{$interface_label}} {{if configure_interface_address}} ip address {{$address}} {{$netmask}} {{if configure_standby_address}} standby {{$standby_address}} {{endif}} {{endif}} security-level {{$security_level}} exit {{endif}} {{if dhcp_address}} interface {{$interface_name}} nameif {{$interface_label}} {{if configure_interface_address}} ip address dhcp setroute {{endif}} security-level {{$security_level}} exit {{endif}} fwbuilder-5.3.7/src/res/configlets/pix_os/script_skeleton000066400000000000000000000035501303637203600236700ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## Double '##' comments are removed when configlet is processed. ## Single '#' comments stay. ## ## {{$system_configuration_script}} -- commands to configure ## interfaces, snmp, syslog, ntp etc. ## {{$preamble_commands}} -- commands to configure temporary ## access list in "safety net install" ## mode and to set up FWSM commit mode. ## {{$clear_commands}} -- clear commands for access lists, global, ## static, nat, icmp, telnet, ssh, http, ## object-group ## ## {{$top_comment}} {{$errors_and_warnings}} ! ! Prolog script: ! {{$prolog_script}} ! ! End of prolog script: ! {{if short_script}} ! This script was generated with option "Generate only access-list, access-group, ! nat, static, global" commands turned on in the "Script" tab of the firewall ! object advanced settings dialog. 
Skipping system configuration commands. {{endif}} {{if not_short_script}} {{$system_configuration_script}} {{endif}} {{$preamble_commands}} {{$clear_commands}} {{$named_objects_and_object_groups}} {{$policy_script}} {{$nat_script}} {{$routing_script}} ! ! Epilog script: ! {{$epilog_script}} ! End of epilog script: ! fwbuilder-5.3.7/src/res/configlets/pix_os/snmp000066400000000000000000000024101303637203600214270ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## {{if clear}} {{if pix_version_lt_70}} clear snmp-server {{endif}} {{if pix_version_ge_70}} clear config snmp-server {{endif}} {{endif}} {{if disable}} no snmp-server {{endif}} {{if not_disable}} {{if set_community}} snmp-server community {{$read_community}} {{endif}} {{if set_sysinfo}} {{if not_location_empty}}snmp-server location {{$location}}{{endif}} {{if not_contact_empty}}snmp-server contact {{$contact}}{{endif}} {{endif}} {{if not_enable_traps}}no {{endif}}snmp-server enable traps {{if not_server_1_empty}}snmp-server host {{$interface_1_label}} {{$address_1}} {{$poll_or_trap_1}} {{endif}} {{if not_server_2_empty}}snmp-server host {{$interface_2_label}} {{$address_2}} {{$poll_or_trap_2}} {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/pix_os/ssh000066400000000000000000000015001303637203600212460ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to 
the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## {{if clear}} {{if pix_version_lt_70}} clear ssh {{endif}} {{if pix_version_ge_70}} clear config ssh {{endif}} {{endif}} aaa authentication ssh console LOCAL {{if use_scp}} ssh version 2 ssh scopy enable {{endif}} {{if ssh_timeout}} ssh timeout {{$ssh_timeout}} {{endif}} fwbuilder-5.3.7/src/res/configlets/pix_os/top_comment000066400000000000000000000006461303637203600230070ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v{{$version}} ! ! Generated {{$timestamp}} {{$tz}} by {{$user}} ! ! Compiled for {{$platform}} {{$fw_version}} ! Outbound ACLs: {{$outbound_acl_supported}} ! Emulate outbound ACLs: {{$emulate_outb_acls}} ! Generating outbound ACLs: {{$generate_outb_acls}} ! Assume firewall is part of any: {{$afpa}} ! {{$manifest}} ! {{$comment}} fwbuilder-5.3.7/src/res/configlets/pix_os/vlan_parent_interface_6000066400000000000000000000010571303637203600252360ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## fwbuilder-5.3.7/src/res/configlets/pix_os/vlan_parent_interface_7000066400000000000000000000012011303637203600252260ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## interface {{$interface_name}} no nameif no ip address no security-level exit fwbuilder-5.3.7/src/res/configlets/pix_os/vlan_subinterface_6000066400000000000000000000020701303637203600243730ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## interface ethernet0 vlan3 logical {{if static_address}} interface {{$parent_interface}} {{$interface_name}} logical nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} {{if configure_interface_address}} ip address {{$interface_label}} {{$address}} {{$netmask}} {{endif}} {{endif}} {{if dhcp_address}} nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} {{if configure_interface_address}} ip address {{$interface_label}} dhcp setroute retry 10 {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/pix_os/vlan_subinterface_7000066400000000000000000000021141303637203600243730ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/pix_os/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{if static_address}} interface {{$interface_name}} vlan {{$vlan_id}} nameif {{$interface_label}} {{if configure_interface_address}} ip address {{$address}} {{$netmask}} {{if configure_standby_address}} standby {{$standby_address}} {{endif}} {{endif}} security-level {{$security_level}} exit {{endif}} {{if dhcp_address}} interface {{$interface_name}} vlan {{$vlan_id}} nameif {{$interface_label}} {{if configure_interface_address}} ip address dhcp setroute {{endif}} security-level {{$security_level}} exit {{endif}} fwbuilder-5.3.7/src/res/configlets/procurve/000077500000000000000000000000001303637203600210765ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/procurve/installer_commands_post_config000066400000000000000000000006211303637203600272700ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. ## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$rbtimeout}} -- rollback timeout ## {{$test}} -- doing installation in test mode ## {{if cancel_rollback}} no reload {{endif}} {{if run}} wr mem {{endif}} fwbuilder-5.3.7/src/res/configlets/procurve/installer_commands_pre_config000066400000000000000000000007351303637203600270770ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. 
## ## These are commands built-in policy installer runs on the firewall ## ## Variables: ## ## {{$rbtimeout}} -- rollback timeout (min) ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## {{$test}} -- doing installation in test mode ## terminal width 256 no page {{if schedule_rollback}} reload after {{$rbtimeout}} {{endif}} fwbuilder-5.3.7/src/res/configlets/procurve/installer_commands_reg_user000066400000000000000000000016511303637203600265750ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ("flash:" or "nvram:" or similar) ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## ## {{$firewall_name}} -- the name of the firewall object ## {{if using_scp}} copy {{$fwdir}}{{$fwscript}} running-config {{endif}} {{if not_using_scp}} config term {{$fwbuilder_generated_configuration_lines}} exit {{endif}} fwbuilder-5.3.7/src/res/configlets/procurve/safety_net_acl000066400000000000000000000024621303637203600240050ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/procurve/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. 
## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ; temporary access list for "safety net install" {{if ipv4}} {{if management_interface_is_vlan}} no vlan {{$management_interface_vlan_id}} ip access-group tmp_acl in no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip {{$management_addr}} {{$management_netm}} any deny ip any any exit vlan {{$management_interface_vlan_id}} ip access-group tmp_acl in {{endif}} {{if management_interface_is_not_vlan}} interface {{$management_interface}} no ip access-group tmp_acl in exit no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip {{$management_addr}} {{$management_netm}} any deny ip any any exit interface {{$management_interface}} ip access-group tmp_acl in exit {{endif}} {{endif}} {{if ipv6}} {{endif}} fwbuilder-5.3.7/src/res/configlets/procurve/script_skeleton000066400000000000000000000015441303637203600242350ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/procurve/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## {{$top_comment}} {{$errors_and_warnings}} ; ; Prolog script: ; {{$prolog_script}} ; ; End of prolog script: ; {{$other_os_configuration_commands}} {{$system_configuration_script}} {{$policy_script}} {{$nat_script}} {{$routing_script}} ; ; Epilog script: ; {{$epilog_script}} ; End of epilog script: ; fwbuilder-5.3.7/src/res/configlets/procurve/top_comment000066400000000000000000000003621303637203600233460ustar00rootroot00000000000000; ; This is automatically generated file. DO NOT MODIFY ! ; ; Firewall Builder fwb_procurve_acl v{{$version}} ; ; Generated {{$timestamp}} {{$tz}} by {{$user}} ; ; Compiled for {{$platform}} {{$fw_version}} ; {{$manifest}} ; {{$comment}} fwbuilder-5.3.7/src/res/configlets/secuwall/000077500000000000000000000000001303637203600210505ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/secuwall/installer_commands_reg_user000066400000000000000000000013421303637203600265440ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. Regular shell comments can be added ## using single "#", these will appear in the script. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## {{if run}} {{endif}} {{if test}} {{endif}} fwbuilder-5.3.7/src/res/configlets/secuwall/installer_commands_root000066400000000000000000000013331303637203600257140ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Lines that start with "##" will be removed before this code is ## added to the generated script. 
Regular shell comments can be added ## using single "#", these will appear in the script. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## {{if run}} {{endif}} {{if test}} {{endif}} fwbuilder-5.3.7/src/res/configlets/secuwall/management_rules000066400000000000000000000054631303637203600243310ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## {{if has_secuwall_mgmt_mgmtaddr}} # SSH access from management stations/networks for mgmt in {{$secuwall_mgmt_mgmtaddr}} ; do {{$begin_rule}} INPUT -p tcp -m tcp -s ${mgmt} --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p tcp -m tcp -d ${mgmt} --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} done {{endif}} {{if has_secuwall_mgmt_loggingaddr}} # logging via SYSLOG to loghosts for loghost in {{$secuwall_mgmt_loggingaddr}} ; do {{$begin_rule}} OUTPUT -p udp -m udp -d ${loghost} --dport 514 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p tcp -m tcp -d ${loghost} --dport 514 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} INPUT -p tcp -m tcp -s ${loghost} --sport 514 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} done {{endif}} {{if has_secuwall_mgmt_ntpaddr}} # get current time via NTP for ntphost in {{$secuwall_mgmt_ntpaddr}} ; do {{$begin_rule}} OUTPUT -p udp -m udp -d ${ntphost} --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} INPUT -p udp -m udp -s ${ntphost} --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT 
{{$end_rule}} done {{endif}} {{if has_secuwall_mgmt_snmpaddr}} # let us peek via SNMP for snmp in {{$secuwall_mgmt_snmpaddr}} ; do {{$begin_rule}} INPUT -p udp -m udp -s ${snmp} --dport 161 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p udp -m udp -d ${snmp} --sport 161 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p udp -m udp -d ${snmp} --dport 162 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} done {{endif}} {{if has_secuwall_mgmt_nagiosaddr}} # access to the NRPE client on the firewall for nagios in {{$secuwall_mgmt_nagiosaddr}} ; do {{$begin_rule}} INPUT -p tcp -m tcp -s ${nagios} --dport 5666 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p tcp -m tcp -d ${nagios} --sport 5666 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} done {{endif}} # client DNS for the firewall {{if has_secuwall_dns_srv1}} for dns in {{$secuwall_dns_srv1}} {{$secuwall_dns_srv2}} {{$secuwall_dns_srv3}} ; do {{$begin_rule}} OUTPUT -p udp -m udp -d ${dns} --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} INPUT -p udp -m udp -s ${dns} --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} OUTPUT -p tcp -m tcp -d ${dns} --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} {{$begin_rule}} INPUT -p tcp -m tcp -s ${dns} --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}} done {{endif}} fwbuilder-5.3.7/src/res/configlets/secuwall/script_skeleton000066400000000000000000000052671303637203600242150ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## Double '##' comments are removed when configlet is processed. ## Single '#' comments stay. ## ## Some shells (not bash) do not like empty functions. Placing a comment ## inside the function does not help. Using dummy ":" as a placeholder. 
## {{$top_comment}} {{$errors_and_warnings}} {{$shell_debug}} FWBDEBUG="" {{$path}} {{$constants}} {{$tools}} {{$shell_functions}} {{$run_time_address_tables}} load_modules() { : echo "Modules are loaded only at startup!" } verify_interfaces() { : {{$verify_interfaces}} } prolog_commands() { echo "Running prolog script" {{$prolog_script}} } epilog_commands() { echo "Running epilog script" {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { for runstop in keepalived conntrackd network ; do /etc/init.d/${runstop} stop done /sbin/ifclear all for runstart in management network keepalived conntrackd ; do /etc/init.d/${runstart} start done } script_body() { {{$script_body}} } ip_forward() { : {{$ip_forward_commands}} } reset_all() { : {{$reset_all}} } {{$block_action}} {{$stop_action}} {{$status_action}} # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated {{$timestamp}} by {{$user}}" log "Database was {{$database}}" check_tools check_run_time_address_table_files {{if using_ipset}} check_module_ipset load_run_time_address_table_files {{endif}} {{if prolog_top}} prolog_commands {{endif}} load_modules "{{$load_modules_with_nat}} {{$load_modules_with_ipv6}}" configure_interfaces verify_interfaces {{if prolog_after_interfaces}} prolog_commands {{endif}} {{if not_using_iptables_restore}} reset_all {{endif}} {{if prolog_after_flush}} prolog_commands {{endif}} script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 {start|stop|status|block|reload|interfaces|test_interfaces}" ;; esac exit $RETVAL fwbuilder-5.3.7/src/res/configlets/solaris/000077500000000000000000000000001303637203600207055ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/solaris/installer_commands_reg_user000066400000000000000000000027061303637203600264060ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/solaris/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout (min) ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## ## {{$firewall_name}} -- the name of the firewall object ## ## Note: all commands should be on one line to avoid unnecessary linefeeds. ## These linefeeds are sent to the server side (to the firewall) and end up ## on the input of sudo and other commands. This creates difficult to catch ## race condition which breaks installation process. 
echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; sudo -S {{$fwdir}}/{{$fwscript}} && echo 'Policy activated' fwbuilder-5.3.7/src/res/configlets/solaris/installer_commands_root000066400000000000000000000021511303637203600255500ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/solaris/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## echo '{{$fwbprompt}}'; chmod +x {{$fwdir}}/{{$fwscript}}; sh {{$fwdir}}/{{$fwscript}} && echo 'Policy activated' fwbuilder-5.3.7/src/res/configlets/solaris/kernel_vars000066400000000000000000000022451303637203600231460ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/solaris/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. 
## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. {{if have_solaris_ip_forward}}ndd -set /dev/ip ip_forwarding {{$solaris_ip_forward}}{{endif}} {{if have_solaris_ip_ignore_redirect}}ndd -set /dev/ip ip_ignore_redirect {{$solaris_ip_ignore_redirect}}{{endif}} {{if have_solaris_ip_respond_to_echo_broadcast}}ndd -set /dev/ip ip_respond_to_echo_broadcast {{$solaris_ip_respond_to_echo_broadcast}}{{endif}} {{if have_solaris_ip_forward_directed_broadcasts}}ndd -set /dev/ip ip_forward_directed_broadcasts {{$solaris_ip_forward_directed_broadcasts}}{{endif}} {{if have_solaris_ip_forward_src_routed}}ndd -set /dev/ip ip_forward_src_routed {{$solaris_ip_forward_src_routed}}{{endif}} fwbuilder-5.3.7/src/res/configlets/solaris/tools000066400000000000000000000013161303637203600217710ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/solaris/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. 
## ## Set path to all utilities that we need IPFW="{{$path_ipfw}}" IPF="{{$path_ipf}}" IPNAT="{{$path_ipnat}}" SYSCTL="{{$path_sysctl}}" LOGGER="{{$path_logger}}" fwbuilder-5.3.7/src/res/configlets/sveasoft/000077500000000000000000000000001303637203600210635ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/configlets/sveasoft/installer_commands_reg_user000066400000000000000000000021471303637203600265630ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/sveasoft/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using regular user account for authentication ## ## Variables: ## ## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout ## ## {{$firewall_name}} -- the name of the firewall object ## ## ## We only use root to authenticate to Sveasoft firewall {{if run}} {{endif}} {{if test}} {{endif}} fwbuilder-5.3.7/src/res/configlets/sveasoft/installer_commands_root000066400000000000000000000040371303637203600257330ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/sveasoft/ in your home directory and modify it. 
## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## ## These are commands built-in policy installer runs on the firewall if ## installation is performed using root account for authentication ## ## Variables: ## ## {{$fwbpromp}} -- "magic" prompt that installer uses to detect when it is logged in ## {{$fwdir}} -- directory on the firewall ## {{$fwscript}} -- script name on the firewall ## {{$rbtimeout}} -- rollback timeout (min) ## {{$rbtimeout_sec}} -- rollback timeout (sec) ## ## {{$firewall_name}} -- the name of the firewall object ## {{if run}} {{if with_compression}} echo '{{$fwbprompt}}'; mv /tmp/{{$fwscript}} /tmp/fwb; /usr/sbin/nvram unset rc_firewall; /usr/sbin/nvram set rc_firewall="/usr/sbin/nvram get fwb|uudecode|gzip -dc|sh"; /usr/sbin/nvram unset fwb; /usr/sbin/nvram set fwb="`cat /tmp/fwb|gzip|uuencode -`" || exit 1; rm /tmp/fwb; echo "Saving data to flash memory"; /usr/sbin/nvram commit || exit 1; echo "Flash memory:"; /usr/sbin/nvram show >/dev/null; echo "Activating policy"; /usr/sbin/nvram get fwb|uudecode|gzip -dc|sh && echo 'Policy activated' {{endif}} {{if no_compression}} echo '{{$fwbprompt}}'; mv /tmp/{{$fwscript}} /tmp/fwb; /usr/sbin/nvram set rc_firewall="/usr/sbin/nvram get fwb|sh"; /usr/sbin/nvram unset fwb; /usr/sbin/nvram set fwb="`cat /tmp/fwb`" || exit 1; rm /tmp/fwb; echo "Saving data to flash memory"; /usr/sbin/nvram commit || exit 1; echo "Flash memory:"; /usr/sbin/nvram show >/dev/null; echo "Activating policy"; /usr/sbin/nvram get fwb|sh && echo 'Policy activated' {{endif}} {{endif}} fwbuilder-5.3.7/src/res/configlets/sveasoft/script_skeleton000066400000000000000000000041101303637203600242120ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able 
to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/sveasoft/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. ## ## Note that /bin/sh on Sveasoft (busybox) does not like empty shell ## functions and fails with an error "36: Syntax error: "}" unexpected" ## Will call /bin/true as a placeholder so that if some other ## commands are added to the function body during template expansion, ## they are executed after /bin/true and their return code is ## preserved. If no commands are added, then the function body won't ## be empty and will return success. {{$top_comment}} {{$shell_debug}} {{$path}} {{$constants}} {{$tools}} {{$shell_functions}} {{$run_time_address_tables}} ## we do not load modules on Sveasoft load_modules() { : } verify_interfaces() { : {{$verify_interfaces}} } prolog_commands() { : {{$prolog_script}} } epilog_commands() { : {{$epilog_script}} } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : {{$configure_interfaces}} } script_body() { {{$script_body}} } ip_forward() { : {{$ip_forward_commands}} } reset_all() { : {{$reset_all}} } {{$stop_action}} log "Activating firewall script generated {{$timestamp}} by {{$user}}" check_tools {{if prolog_top}}prolog_commands{{endif}} check_run_time_address_table_files {{if using_ipset}} check_module_ipset load_run_time_address_table_files {{endif}} load_modules configure_interfaces verify_interfaces {{if prolog_after_interfaces}}prolog_commands{{endif}} {{if not_using_iptables_restore}} reset_all {{endif}} {{if prolog_after_flush}}prolog_commands{{endif}} script_body ip_forward epilog_commands 
fwbuilder-5.3.7/src/res/configlets/sveasoft/shell_functions000066400000000000000000000032251303637203600242070ustar00rootroot00000000000000## -*- mode: shell-script; -*- ## ## To be able to make changes to the part of configuration created ## from this configlet you need to copy this file to the directory ## fwbuilder/configlets/sveasoft/ in your home directory and modify it. ## Double "##" comments are removed during processing but single "#" ## comments are be retained and appear in the generated script. Empty ## lines are removed as well. ## ## Configlets support simple macro language with these constructs: ## {{$var}} is variable expansion ## {{if var}} is conditional operator. log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by AddressTable object $1" exit 1 } } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } ## ## This function reads all ipv4 addresses of interface (arg 1) and ## assignes the list to the variable which name is given as arg 2. ## getaddr() { getaddr_internal $1 $2 "-4" } ## ## This function reads all ipv6 addresses of interface (arg 1) and ## assignes the list to the variable which name is given as arg 2. ## getaddr6() { getaddr_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } fwbuilder-5.3.7/src/res/configlets/sveasoft/top_comment000066400000000000000000000003471303637203600233360ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v{{$version}} # # Generated {{$timestamp}} {{$tz}} by {{$user}} # {{$manifest}} # # Compiled for {{$platform}} {{$fw_version}} # fwbuilder-5.3.7/src/res/fwbuilder.desktop000066400000000000000000000003101303637203600204440ustar00rootroot00000000000000[Desktop Entry] Name=Firewall Builder Comment=Design and Manage Firewall Rules Icon=fwbuilder Categories=System;Settings;Security;Qt; Exec=fwbuilder Type=Application StartupNotify=true Terminal=false fwbuilder-5.3.7/src/res/fwbuilder_preferences.dtd.in000066400000000000000000000053251303637203600225470ustar00rootroot00000000000000 fwbuilder-5.3.7/src/res/fwbuilder_prefs.xml.in000066400000000000000000000031141303637203600214040ustar00rootroot00000000000000 10 1 10 1 lpr null.xsl false true false true false 0 0 0 0 0 0 0 0 0 0 0 0 0 Split false false true true false popup 2 fwbuilder-5.3.7/src/res/help/000077500000000000000000000000001303637203600160245ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/help/en_US/000077500000000000000000000000001303637203600170355ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/help/en_US/cluster_interfaces.png000066400000000000000000003753761303637203600234540ustar00rootroot00000000000000PNG  IHDRHF/vhiCCPICC ProfilexgTSM$$ tAz/.UMJ]).HGPEQ "HA=]˝}grdl(lq8wojfnJ #@^%GGhzrL Af <c?> 0zxx)Xʻ0s[ Zm&<`L!tibmyWk'1? 
2eP7uNLvlpFwVkN܂7EK<˜?N02ѭc6~Rl""FFwQ{}!txǟ܆bd](!?Q 5i.c VnD- s)Cl}?1gyyEJK H pщJ Yav*sr ̊?Ɣ{UU%hhjj jjo]h׻oռ(jjHiodyYY][[cZ:z'OXiZ[m.M<jxYޕӝsףϪ/O  ~zMۚ/?51n,rkvhkG^e{_M70570&2^6-s cKq+j뗗*.l-t9::a._\ܞ])wy <~%D5P > &_F4FH v#Pl"ʚHM(钥q;=ӑ[oV QH]Z4t8$ :MwV>}xRJzfћuORF674Y4=oen#k}>yף;=i} /Y^:fܻKVFG7?nL">ȧ?јqM:&h=t|ytzzyC_F[+wo; hI.`*6 &,9F2A 5}` A$5Lm ⅔!+(J*hA@(#7*tCf!{; VQ2h,:=F(IAIdFJMB|@EԜE7NTTE"ԝ3*M- cI;LUv,,çRN_deg͡I9ƌcgLyF҄"Ƣ2bb R8i}!Y)~'*d*)+_SQYթ=K'^31001674߷jzF6nA1鳋kwaw<~WQc`DJUHȞ([1PgTAb_bJsLzӭ=/fOz $ і6T?TyXv>lLSR˹g :{y{;-#c_i...l8lݶgyAE` n IDATx]`Ev_z=%@EA{O 6TPD@`GzO( ޓ\ۻT!|B!$[vf̛WPe><<<<<####У [|cxxxxxOz####6(x֣>'}GGGGG!9<<<<= 7GGGG'l|QG}N1<<<<:0"\>,0,A0 <H9;rʰ5=5YQ&D-)lA2 t( R\&:kxoiTfV-cxh*-== %P$bZzmQ}Jq}, $\Vπ]yNR\IW26P5f`D(jɹ.D@R+,R6b躯]}ʕ<յ5)#d"܁c.팣^_x F90M%e%R 8jQ\T.~!p l +C"mPJH0JgzcI9ƴzlC$n} h#NJwpP6l1T)|\ & (8.Uuc µb [砚6OlUDR( 1ΊlWT0n0r?xדpo޵LA-\|N_y_G/7uW˛Lؚj; AA1L塼ig0[jjX~bDJVcqbw.NJͬ`Y\V1k*1+شr׸ηpHPB{0xрA NV^gdRܕfm~@n]Ў.^|gX(&oKk18A[ zϐG]^)hơ@)6E zAR e$b\$!%kc^Ώe`1B$D M$*)e E3LIIgS!K"&;"bFWU-pχ$lkƋ蘋_alc:Z݀B*tT-732Id(cIdPP!HDD!h2ntFťj7_\rFĻ{xHYPlXQ*DHDbBP&Z)59A61Jyߟr!J i{Wt[PDH%IWRH`$*ŰSD#`,[dvlJmߴ_\:KFwo|y ن>3o]`7pTΦcYZISUfI%a F.!"a$-^ca + L)qz`KKrcAL۵vV Ln`'pdhF۵CvY7WAg M v|I^iX0H+4i$%(#p(xHPa",\ QĄ3.F4~ABkn{#cvVhlnr48_tT{0 z<) lkVYޯ'>ӑ66Sf-:՗PIAo};546.:8׬Awp G$1T y+37?P*~̱y_ѠZ U#t \بgtrU3#'X -bg(nTy~g㵆o% 0HSg}ookNNk:pbq7瓓D(%n~W1SǥX IW:`c$ɖI? 
#K;O;:b~X+ 1Bҕ DŽd Ωl=GvN.EpʣWvc>_Us*򿘹 !6XXF;!zG#j~2cCOL۾87\"q.$adYaK+6k}m5+#2G Nmez߀ωGj#Gk^AHлCxj mTv^_TԘo,)5]SCbR5m!fj[-oo)SNHA?(vP2i%w:ipNɵ >*}cl݉c9bBBt[kB$$AJE)Jb B1fSin0+, E#2[Z[%< l[I e HR0{`GX #'//>s1J^#*5g3,*3g1nBږ>驥kM gr,3x` ewd7BoxÆ hSk#0< qc`o:ۉPw%?= bc"{\/d'%MƲ2CiP^YPOl~2L+Ʋ4BYy$4LBp.An[0h#{0A{܇}BHșOxϓm r7mVEW" V:A s45F㱆zuF@#^Z)EN{L)-mW(*5}iA@;N" qÊD5xʲI":a~qnY1,ן"Az|!$BY%AiF粥^.N%k85&&9ՄMCAO  ]!pzY#&cG@{u-ڜ:͕D* IJ])eȵ{_kjUD~!pg |hCB슓)"F\ǡ@HC4#3 * G@n-=GP7ힵ&hblt ;V##pu@T5g 0/Os7i.7 a$BpDR #un ǬR D`MZjuG P#JtM|lKV_ ͩ8]UW7[<vk4aJVJmy-8]XcfkIvwpRp9ra Lxqªp3XɃ_~sIICwLMwS .ޖ/DG6 >]$ l&J+ %`9\u 8f&RКnecftSHͺEd@0,\"@GK.{!-%9Wx1 1!!W۠R7;wʿBPOTlZ)S>\u82bZ00; p޽.7wHKyw65p 3{h'ŵ=bgnN%sP6Cjv*+mr_?_Pej}~:uAN]*Jp0= [yY*HUzV#RKV m t p6PPk/m!kNg?ze#kO_`W%AK 5IE@Xq=vNғX"GQ)߰ЫLPx}.Y@x"K?|BycWv` LP"`33!+;P4Ps ?'qnFL-di'"> ^|;n{O8&Q PHy]nSRV`JD!D`Ȇq|K+8+E*FA BU \d; G4}U_z!V@ܸ%h33FjCTͅ#R4yM>tE@$P%*ә)py.Ξ1250Qv2ZY l^YJʫMOxnTnh*[5-Ͻ]D:DbP@1 Nn['_z/XN!9p% FidT|֎'3pSQgIB Znܞ 0p^0lI;#!N ڭ(ߺonf={WZ퍳M+η*.B0;^yI])JE0,ay ,f%e-(9@砮pLNw*;K!?)@*y8"O4EBѧ*Ӈ/9Cq-0Qb{H<팥OS$8lR?08-uEط_kW5{ @!3ݟo1aIw bq%7o`֨J)[JϵÞ->\* *6[V)Ȍ12!fmؿimy[WϚ0ʠ>CD2I֭CVAW"("gm0k8x8 hD7d₌$F|֙YV(,4iŅ3`[%xHvӛZ~S/&q/_, Nvϛbba4G 5y( %7h偂EI2\X7e 0ԟܻso2&59WPljy?NCƴIw$^ۏ߳A#?uCi#uH2mEDX8<*O3Nj>qm٘>'w×}0LAW*5mt踔 B ŬW)/+۟k\6?u 'OFL&+Q*"BtGvo;֘UbJE䊂-~-: ߗ+$%S^y纟J= 0㫿z=dY9>mD?<<<m*o(3`18yl'q>t#n#Ž-H-7phEўb8i橑ubQĉ8_A^5'^boxO6 8V, wGIC~ rYQKqUcp Ҳ>Qi^gL7D;͒/ιT(ZSmlͅ@Zt@kBSBЋ(i# 9FEq@ٓOD.:&F}n{}dG1>x{R?G|rF_Qހ̡wC-Hh_Blj!L `MGvnL18Ef>̈́,dg6IV/] ʘ YѾSyo 453c 'i[ĐQ3+M5 IDATpf{Sյź tw~nMZ/A'^h"Ø< dž= csXx~#8Ľw tGB]} ?9"6 4w. ;I)OBN|)Cl_۷$=5J.@_tiO_ىrs`@9wC$XEQsU!\$V t.V3%ȌWwfm\„Qg%TA8&d%8x `İ$781WX-! . wmq8ro-k@,B8JK3"AzKTK)TAps0gWuHyaA0"XbO"2wӝ.N"l0OWH, cѿ-iR0$3ȁ3')Pg78>3vP\|bB1CXܛbӲ4p,Pf'[}@.b/Na☄;`x((9Ut0AQ}oPB>zABY旟=KKsǢcOuMa"DCb3! 
) l,"V{kŜ°A$[dKoTp+G# IL*.UZ7w(Aࡒ Vэsv74\TIDo HaƗj* "DՕ;P "Zgal@6V~P6(zP <(z@$ͷ뼚K!3.?:@` a(퀟0:MPV;9?b 'f1z<' p8-$RKIxR*ˌ& !%dLV|za̒xjkHXb18ɡuM?9&,H{j (N3NfOYq.-Xu7N=ç)rt!g.CwF 8oٛ`6B#nW47ߴ) UΙ{OLwo4_j7Xz \$(NMqC)2Ɯb1.;Pt:nL0P9b& L/@脩4l`Uˇm@砃w@D4Ӣ0ΓD|Mp۞Ko4pc@$R~{]JAg|zi#F)\3;VZYبjbB,H%bI.AmJg(Z-@:V;켧#j1ah(<%oWv; WYW,J)35)5EMCP7X$BT.g¸gǏc1mj_W;g޹7M3󞻪>X_(KS҂ 3#["ߣr ԲϠ Bl]՞Esؔ`SVclЅ KW Xd^v2J9%"A=i~0;6|;=jo L 77[2xvKgzW ߞI~a+acm[^~w 34l gt{Nf4rX r50.߸HoLVmL GOΝRaT[U{|x׷Z @`Agb|XqS(@%3V>>kZ7づ D]|U젱M1s:!FKc zl!_7 b:!l>ϧLW fL%(`JH v󎉏Dڏ\踰Rm@,B>qC&Z4.2 6Lyˆ+ZN +U0p{LyuMV++^n20ד1LbÈz /J*VFxEiq$i[R MvNPaO=jQz+@/;AG6ggq` "C9BURz~XuI#B+{f?3Y@KUJDܲL$<`4 :޲hPA_c/[(B҈[@< Z;po Y`nXa(s.kGZen{#@ fQ34IYO DKsYiB"rAg_(.M|xu9MF X!%N@ Ng|&$i 8j*Bu"=h-fX.}$)39YAT3yR6E:m;m/9: 1uT,9ҕS54,pv9NC1 .!%(1GX)npT&D(Vq *Qj%J 9pҶ3I7 r4-B~>?PWʕ1 xY\ [@ɯnx2|Xo!62.68)‚3Jϫ$Yl ~:FJ"h4-6\$SZгvq"`?@t2i{]8'֞v~e$uvhrYdPKC1KUӱ X45s#&:X+ q Nj"i<.hAM` 2w?Bta0깖ԪVekߺg=mPZvUβjLc_ip2i]}].$_D6T~4om|J.UMɚ]0#XT꒾W|,q+,}G uf-d̮m͋,*(*5"JN%6mec˅eNS\On@.jld)++AxG! 0 bCG K!W'v&s:V7֧ńRx KMVX} jSUg}vWNmΉFTdm*IGxh} o@$tn诠]fMGrsւ0AHZ qc]JҜпM@ظO \~Dng)DqC a>l71ەSs;L1Ai+?}߿{";"(9G}3g\myXbDMLQφG Ma.as Ug.ɪdqeuz5bP[wݪz3uiIv#X LZ<)[ZSd}^]r"nF(sd#0w66vS= 0 ~buu{fيN#ܘR<[2 ~X=R46`@2<.<kd![ʀHlfVN}Ԏf&\CbD on!$Lٞx%XTڕŧ-趲BJm 7TibѭUE@E+(3% Pk!-d` >j~ NvCם9THE&Ep4++ȦF}M${֟A`ޣu[0V?gJ?RS(rElYk`pc>6 &40Z;V *c=[.Α;tݛc=83"OU+7T:wڬzwu[t0mq<:%S^66$.g[ЪO#>Ю#q[PGE]{1On qoZCIU:E<~vꇂ60Uo5/)S[jQD5<ϾkL؜k=@!۳7W|#wO5S &D#!PQk}gG t&g  ec]zoqQgd4R!뉝9B-ǔ[+h5qa2qu9uTW*bg. 
s{ͱS57\۪V|>,p]\Pp(­@[~r4YݏB%d}^jNh6sKr ֌"* qQkiA14)gʖł~tɔh÷BKhd@D(URRBեfܵ}6l55:XZ?Յ("Ҡ19_1I'j4 ""zal>sǘ@ l8/2s(CaĽ&d?6%v ]J0:V)lҡ&$Թ)L6:zl*[:_۟-as`Ȏ z:03t=p.oZ63spo/=+W[-B`cq(&PZ"eB\cH0~FSah&)L A.Hy8`LUw0U6c]MR]vIk>Bk;es70MV+U0x>.+Eсn0҈EbyzUN5nWU44-t QC(b1c2 EuVB̘jMp U+vU54=O-)}͞'}~goO=4MiFo͛' W<7|g !XC}Y>C%N5$KUEQ:hN*xxQo5ZE\ +A Aqk%Pp:>[]@*{^V9L_kX,L`mR.˘tۂ/i8U{-SGq~hj(%G|M##m`tBR>NG ZgyPzZ&G u%e&i]5d{̾cxSy9L5?R5""U2m_Hof#}LBd$9 :^aKId|&ޱ#mBpW_nUOVu9 :gO wStѷsUD-!?~ZJEӆ`Cu7hܡ}#9-Ql0 A l%h(X,ǦuK/#֘o}27ȇ<}<_I6' --%M|>J ن>} N6ߺqDZķߛ?̶' L!iX)] io+;#=%ԎK"[Ϫp:ј7xd`u׻A*nضbe@lyznǤrj Ԙe,0V&'ɸ'oC,zXkc 4XJB|>o9[zjۯErYm_95n]?P*㞛wі'60%-4b0{继Nl\r 1RJM33<-MÈvWYJardN8'C9]nӧhʚiw0"71<|Шv秇 f=W]K|??7zgSe%nrwfBS9f']0,-Uk/;>~?,SoyQ}:C" *y3t]VDŏw(6;%k@2ӼCoҵ uPFHpK*]qMrW(CUGV>٠7p>FsL?PҢ^X'Z>T'%jc H@lUNvW)+`eh_`2sW4bl#51MXzvp)=A&M'f*Ƃ\1jF"ܖx =_PQcby~R!jP~PCBug3z36=ՌyeSqÙ/m~E2?$Tĭ P=-_Q5*@o}ye# DpFBüiʹDtkd<}|v 8Rq߄#@dnn(j Ԝh6ziZ`6Jr4aÑTzfm⡥Qp6#sw)Dng5.!ir fRVgO"b) A*#3xp`K̜8Gq ]L`DD8i5T<ݴ/8oű"!a!g-/L+vδ9~8+mF\{TE9I:Pu0yMZzN/ ;jn~+$F)i;߹Qvl |4,a0II6 sɿ-toqSrm6v m&K5ٷmTq$rdc2'L &ح͈8{ 8hEcQpɍCS]% Hb s"!Lt t1N(=ldbz;ќc_Ýxɾq3t89Ʀ pv3z3ڍL= a~-+gOZ7?2usG}Qּ mh, lUvS*cIRҨԾV5.3L. Pv0 PnN5Ԥ2T< %M&j"%6j0i6SVA A{9}Bk1`Q Smm<5Υ~ IDATJk6B '69)BNu銃Dm?cHu??Ieqw տn]<׷:oͬ$j5^]cő_rO<䶌`1PچC|kSs 긱Sb=Bc/fm#aR+ـ04m}~x|V_?b|j}dhV[WZyph=_A`6hܔpwZh7gM1fĭs7t$x-+zҳiЭܻqeNCOs>`+)rˍ뵆8YϚ2ޞ#щ?8ʨb̠QS)./J"P$CƀՖץďB(0%0BXWb9qg yP nўg^<*k(8ltv@,V M7/ϼpAEGoL9}2 ▾ Q3bo+ %3}|W\Oe3Ą*A"7xoO/z(k`^̽{Q.ᲄcAJ${Hq#!9Q꣐d}9sצ&ū ŧ5譔m?}6(=ebMz%x&GWݽN wC/}C}<3R݄N yH#Mj`(*}P5?naKaY}dPh i3ǘ<8?^~ښ~?ak©O2g&^"?#_{wFlSm=\E? Xa;n'V?c7at0kkD$yH;;rH$r 9acm`LYtk_*x 2cp4#=8Hәc:.&! 
I[eVm<;'~po7ܤncz&.oQ~͎CRp\T2IE_ۮb4hL[ĥz }aҘQ9q .Ͽ1`6*' hx7`6IsW_|b!tŤT#J7FIuUP!t.r4=8.vTpE±yy7Hƭ¥Chp BjRF,\6΁X~3[| :F:`k;?v3bg72ǝT]@p9 ']y/䉉)m*.@- *O> Ip "&# S?\ ;fG|i&3qi6c8vc)`d AN!a_/R8LHH"-\7aZ"*ՕR5DĂ/s&r8Ƀ8ptB*yo+k7H؞9d_z p #JH!P @r Lu^s Se`wӒ\Z[?uzJ4As8-oNݻUՍ8Fi2686z/]"!捊gL y`og2!]Ͷuw=Õ鰆ZK}TJ sWg u(S#֛0XŁ8ck>:(5+RHKԼmz\tLrR'#Co!m;K@F(eDَ]fv,4͛+[BN Q.=tWI j!Zr}mߠjPzR*rNnX:(90$tg?{ڜTK>vW-0`JҺ;-Bʑj6--^!zl̩=t]@');,A@,BƌL-e(lᅷF &hfKfINw@nyĵ2/Yݏْi/| ^E)=%v[ %l׺b8k` &VI ʽӊ@\ as ;*C/JE^K#K<`_-9a=H[;bq˯*dZw֔<ϿKuTڐtܫ_J@Z^;DW=P+j0HMEM3K$zr3otS"WSkJ*P{SlL_ryY [oA?j}AW cNWuita`-6c@@^'ΠQ `#YUm{Όۇ-?[v䀈6osd;0֢-DR`{]T3PZ05>֤@e䰀f ? .Z{ TR.p2T4&0 ;\.Ȝm`MS6@#Z${ES\Pk-]k×C0/r>1iR/9_4qӕ?ñ9&%^cۆ w XQ^v?=<:g [3:ڙoBE 2L6\=N/-t`K}dݸrW($ڛ+Μ^& ?!I}md_g ˛3z3u1sOt>%)1ʩap*f(50Uup}{pdd:EmM?:~}8QqAf;I7ɮ&ېw;H/)Ya,}}}XJWZP+BeyFa铕*8W?ٝ_S5#+y͕cNѽ/$㥹cr٤-DkGS*LPQ+Wfqnjl i͔[ъ/l_pOZŇv$qd6\2W**XPF& 龜Ou}܀?jes +^XCI8j`?$K]ZAFp>@Xp@ОjtG8 PP˨R(b`RƄ^}&NK@`<^˿iQ})'8XR!-!bQJol,. d8ӂf&4#T!o ݡ(pXXL)i&x M58R^ re@ V *g1wEϜ+PQ Q*#o4*Fp-bjdGh\xVԘk%] lط\sH"$*@JDZg6$C0j.z\CBH!$Rv꼦 t' \XC ȁ@1dĸ-_+^\Y+4sV@ę[eVB,@MXD hֽrN GEs^~zCo=i~UTH(qpgΠ*B hV@]$XzmfBB*r@ہR jD!zR)"(ڢ ʪjZ8d6+W%3\|6N!V sh-jILG1n*lLL&#'Vqh~]NQU?}\HP/m3_dP^ӖBA IwG"ϟ1ssGwdkqbXMy9 YYf 1&QtGjȩ_=Mv>1US}$) Ϝ7m-qFQlwzɥ PCЋ Ebņ{AQQ@Q^$!@Rrsr ! *|ۙySvf̫>R]z| ֫G^ʸ|#cO2 EɖNjwdl$lI)[7m{g) {dr2 חY/S3L#0KmѕUvK&:#Wĭ[n=l:zpXSrڈӢ*kǶ2|b(VŶSYvv)LI fO~=#1mCdd篁rϲL~~O,NvrퟷX1I W R um-27Juҷ& b1i4Rko,Snr|Oh RUű?k^tb˂nK A .' KtcGo»qKWlbb%,=TWZ/^0\jMwI1)\22Z?oKO^5rqI_ S L ~̠.rr 9Pvz}y >Nk6 Bcq]䑡qSzyX/~Y_vQ[wxw JrN|SϡRE;̾εMq.4:du_}W0 *zzǪyQLRxNуw сOpzϮ^bp+@,5dقtlǑӫˈy/N7KLxԗ5&֯s _qaW~}k8li ò>zDϿxfL)>.v3'u ű K?+1٢R.{l'%B썽Ovwu1zh]2cIC_X|fU|0Ӭ+uY X.S=xTOo_O~WP{T!Nrf2^ T)T lФ. SS@ <Yt,˽ØTRi\#o] n hu )5Y *UQvP|Oʯ\4}稁F9Ba !Ɓ<,CjK-1@At-\(RS&(,ƠƵ_=:MX]ʦҨFprvmnaVaL&2WPo) vH%.)>UȲ,E(k2H[&et€zX6}t &c̮lyhh'CSBs'`) NoD&Dw5س`m ܊SHM)uRі|aCi0o.8 XqIEþ8E`#%m,*:.yح /T*!DKH䝒~}K39ګW|Eɘ&1>mQ7/>Nø \C~9xl ""d|`Y.!" 
?"8Cep`}!fKRQ͂0(TOF+O>yu(DJ48tPgo}tgӷ|GNt`$f> 8wR.]07ކQasݎp&(Pfy;nɷJފ{T> fceuqg%6v!&cCY}c}a`2$Z)1aJT-n܄:_C UZx]G!yձIAqmZ< _P+"}t$6ɐ͂ufS.t9OA>@ o]W.h#SLI5 m#͆ee!\cҶl_%~>gäQ$4rmfSҔ3^~"6]B$a)@%_6pF@d}[} C. r* օ[}hᒺ 4 ʝV"x!| dm`M]o ݂hPNl୑$gm?jzs`?} U#V9=![[Tlt A炘o]]H[-X@G@W ] jH0dEa?\U|xחLjLx3`5YYu{W:xap}Nc?41?o>1SO;`z+󌠳EĢ2ƌ)}g'ol|BԷJeXlFsK\lXl&i٘n׮~Jk ,%;_, IDATӲz[)a/X z=O5)_.s;˹@հl*HMwEWQB7ט+aۗk808óg_]7a wwFg pߠN~}skܽljI68-lk[.9Y8Ҡ!^R*gboz\;y+3=NOz'TgSg2W4LՇ?wC?o \ܷ at`N p3K 3b( _uC `/^5eo'iH,?`/m{uP`+WtwvPpCq*a0Ia4 ًlcؙsvlpJ@j M z{ړ_&|u)!Ͼ3oƛnGF,nL+*!M iܲ66ec:sBA[GУ7k Pju9̹ S.$ ܫ?B%"~ bXA@KPpz_w9|.EL~sTP kO9Jc#iAhit& 8Q#gJ'ilP&0 /.Z9u> 8"0,[+Uj#M.b)؏ 3Y 4zSK7z'~9 W`@r eJ[8*ey&| f 'pBTB0i}L&`!ȀM?`8Q=@4-pYA FJvfL‡0cNvRG3`"1@_Ѫr@i5z]ґf$tˡ:r"8 X^`4 Aȍ|d {7b:d4F3)uخ6@lVc$<W,6io>Y.Hi@TrUWzeO%TuK4o޼?٫@4uHc^TVc {P9\:40tz8ܩ.p;~ﶍ>lQwfOw^(Oh6Ht.f_q +l`##zY\o}q{rӡKVHJX ?Y!=Nף;V;x~cdsԽhRux.Rffs0ߝ,QQv@bkc'ٝ KI=1zod,m#m@[W;yPCזH8(^ktw+ hZLpۈ oJQyxQuZx<_ 03hf:@hiЙM&RWo Jw$XB̺9 _F2(D_֘΀#yao.р-{T;ov,K;͜ixTH EΔfYWtU%e^^a{2+u3.wAub{֬z8tfc}H)A,Ɨ'0z Ezߞ` }R&u|2p75/f9^rtZ,`Ɔww,i^#muf`AYʃMRj” s 9lv̺k:=vh[Hȝwzh_A&A(k :8y;L`ApʷxnOoohI+0k ۆW:n5F&5$p -F@vf@d2biGCt.aoCY[L.1. lתx TF{OW 6߇%,LbXLHhdkZ!eeH3Wx ZRgX5m+m|Q;p|mG$ 뱅5BihR+vItzQZEbY zE. 
ns7s=o?Td]2YtApZ_Y ( 8.d$K( jiv G˳f#7O(oy$aV),@ʵSuuiI/P8tڂB}R$ r 5^Xpbcz(jstQyF/@CQckUT 7)sSc|;>ɌSi'w7=9 aszC[Ǧ ##p͙~1fFl&dx3MsW/gf~Wbܛl8Gh0aq#q 搳pd@v^7I@$l&ZS5Ge{\GG3uASk.oOyocFZLF vߎ 4h~.}yf>E]ԑܝ[4kR-@ Lqը4ݥH@xth}{w UrյeVEM+YUd^5d:Yk\G7Xw1S ɴN*U|ݚ (  FApXu+J˦68m_k\{t 0F=[@!l9vwI7q)Ud$pYec$ r3:4dCnd|ާvա/^ٯz"z`MTΩY5R{PTXFmx@8h'KJ[H;.~{.9F2RL %ǸzLs@o VdR](47|$!ZTK߮L3'ŋČv!hl PHU5.vg2 `Z0A 0a_ "h(XJu٠Q:y {݃xVDP_>gj[܀[P˿8CFpO[ @KLef N`)妽tX@e4^ݻHU:j5 \ΧSsp|ͨ-QX"W7؉5kT dPX/?>{NtZEpuM?ېC&oڪSYٟF YjERm$ro) #&0OQeZ.^R *kk)t\֯ pډffuRe3/=xLg@W0%F ,މ`X^ nL#c:Ojp\}Y<:X£\/5Fs#8}}c[p+rQzPiL:7&#Vu~?L:FY͂c7#`(ۨ'w^}tS+oLs==*WW/*c'RWAK5m74FNP۲H{h{.Wiz.|9 k+rè%?;sܞwY-;;PO bP,Mttte>ʋhx7~t }]Wxy3 M⟋< ;SW9Zu10vH/ӂzx #=J̇ [߷*h Lj@0w$dMeҌ|;sN`*Vd[.>3\^|fզ_VkTL4}qk$7Qxq>"#0fk$,<_A߾O}C"1 `cݏ}F g޼9Ӟ.@-7Zu^ai 1kό⡼pr;LxfU?l)C{n+e%PM}KDp5l]<9uLZg[GSW.+Μ4tGi~"!eu|8OyƯKT& )u-L=}Q,wnWUø8WG̾۫`A0(80[?}_l<;QynņAٜ;?#$vx o]=f1G j8$-RJg mz_?7X.Z1-1#4P){q!:+F3Wjiޱ%;YlGbmF̮:apvm:+kJe`~ gw}qsebCߜ'_-.FT2-{7Π:KI}̤QF3v۫"rKMA9]BjI sRpJU"$FxƍhVgSykiZ(nȳOVAݨ"9V\QQ^qc.1>\QU$sq`L)PӴ?5R1_7oʀvC"D#\_m"z) i/틉Vg>칁$o8DzD;Eo)vY׸Qs sQL&+xqdbr=&$YTؘthŕG. /â>!|t±wAEQ+l?OB gj3Vp%Wg5uVhQ shzF_ A^}PnlA|ft﨓O f/`"I tk1FR´[,6"IiJ|[ Dh P(觧6 vM Xp>X\[m& 0W`Z 빖20/L(c%Ius,*@TeWXəJuâJp=!J촦;b#`2ն2^MYR1h=uDZ镻9_n;}{'٠n=\^?^w>ʴpn9G+ ֙3l]%f]*^$8X71%T&div:J/_qA5 n_d_=dӺz00u/U]TPud&$:M}F]&&ba"qAw튰88̋r#t!T .'-@{Ȩsfbue 0gP/lKPH Q.ٹ#ΐ2.5čI(Ϭ;{T{Э)g]ԍ \Bn\~ТIAa6 y8TW?p’B{X`fWO5FHQi*x'5-Z<}Cw'ν7! \wq5wxgG}%|McuJput z't[_pΓM'>ޣ_)3)z/t ]ڷCmɩB XǕB^t9&'D㴭eD4ER^Qz6Nה@oJS'g`o\)ߣjشs[lq,J9 BVG.YPuH`qzjOm2ӄc_ܭ'b&ı,81a*Mi( ]ʺ Kݼ\d % RŰߪybBTŎx~oֆRzyH]BEՈ RMH3lΈkc?6Lcx0(q?u9P&2#CP(I*_Epے;"8K3^8{ (Acʂt5*I[hRui-Gh PyE5.^2ЪqbNֆQEa]b6UCfhVmlq\Buڕ"o@H`T{ pݑpG`-NRh^B{N/.@j_.m/koc߿oz<`ٰZ^˥GGDG-@k͝_j0b00ZDp Gl$ À7k[X`,p]"z Ă>|cf7F,k8A;Ńv6vb,X,phC#O0ƒu^13 >7k` Xh9j(W !x l=Artԏq5p|tނbyNaݥFbJs؃YWj3թaiшn1:VK4g1i uǶfFX.) 
dm93Q(d{ 0+=(kRz:yaz8_]6\IuQm~dhO߽L}#"|jGPi 8 ͌N.0W7>H" sͲ0iک@C]Ҏ39ۃa?̛1s7իgʁ䘖Um'+`<^ &  - OMOCpy[oI j FCmhzB,QC%VA$-4/ hQ e]v#]X geV'ږք]Bu ďUuP#eP7n2Z5M"} CԱ9RnZj([$ኀM+H|kȷ^$yeazdfQыjG5 ͱxǫ?}1փyZ lkeP'FIVC7Нj3LU~B.t񕵙Yܐ, $6kl\`_J[KPiZj1ٓAk84k@WmEa%`V{GZ)u +cuiɡ~=hZz*k8,~|?\*z-O6;f-XoY%i.tl3qȀ νR5s]b}AufiQsa@l ~Q¯P[`iY,V7ΐr;@&X{:e X1Uy7444`/2'%̦e:q+ڭ:+kP7wBu;B~^qk˿D;|VU[*N_U@(eF7[\;@ IzYKv~6pQ1VݗȜ.{#sRD3dDjWTS@֬ԛ 8\p(`O vhу(NШ,amz{cբ| Nͤ,B@!hVf4^lnq#}`oFN~j #Bz_k߿mbkJ`-%ĥ:#*b/DַjL N$N\St=Sk:>IJؐ>FN 9t aGε8NL` 'NqtӡjM&f`I t8#GHV *BtiS|{:*  M`k ^@mxB9]d@ɼC`#0&hAiC%\!ў@6ⶓjWa b!>l [tBio C)Ƙ0F$JLB@Wac#ZN3\WSW~  $A<]YE\u^̇Zarorܠo"  $S?_䑐ү2ЙJNfaϘΚ&0X'Јdn^̈d͋GΞ<[~C5K)@D02[3}M!55VPQJ{@6gt[}7n2JŁΗg>:dHOVsY۵#^̸gCc?:*޽W<``yҬ`LJ;5R-yIYW?ܹk#I$B_iҵٺx7"3/~ٶ?Ǥ!Ic^0m݀&P)o^;C1`ʤcSV]Xi{ogTS?bWv+G2lcq^K֬~wF ~)f{"tqr0\HqZbUΙa-'Ҵ!C,d?kGKT^s%Q^cbgd7^6;ELz\A{&uqeW\8%~cش?r *5zuڶЧNI_)fDoNTW{|[/oTd>fSny Z_465ô[-٤^Q[ġDVXƂ { F猟ϛN5ͳ.~CM_~hXgwl'iʵ$he8BS6b؈>O?,WzЙಛeU c>1>A )y`q#TYIA@ 6)3n m 4m*LLy^`a3s DUfnz].K]+էGե#wԆ&pr˷ٶTٹ{0v]pOcyuesD)v ʄ*2&smޥ_(n`S^t2mw4x`UnR/OH?3k]KE'e۳w8wFv2gi.9' ,N-)\8*eԔdla߸ELݟ^?[ V z}C q%?}í-8嫃 bQXӇLZqm~xbhߖ!m?']mG4Ɣ7O-ꏫNm1f_v03ŤyN 5s<l--E^垾^}go7:䂩'fsŜNn8.;`0(4 7Iomb .g+<piAʕWdU ""wzFTͻg п=zE{y!#Jr'/9p$3õJJ Ʃt(],3R9uVYREk2t:gBXO. 
MqOOG_uqjz[JD q1y%nzhA_q7F>?;2;۝>;[d$U~'mA/=NgYnԕ-zOrw`ө.r ûHAZٴa6D:pAM7*P> >9^.>_lU}NN*0%DaEBiIk`fV?b_8"-g._[~IY=2:X,Y=a<[F1otި@1ķΕua Z<TfU2%/?@~ɨ 9'Į쟝!Eլ|Tg_XU'ip77 "8MZ#'>2Su#=E?רwZ"&JzAm_Emqpw0Ck u1] enVp X`KZJEb.k0i 60 KT5i5)`h$ A$/1*n@GS {( x#΢1FhV,U lvdAngŇE p$)H‚̰b/ެ 7zzYLsbB^_||B#Q=H$bګ~kX/?&8S߂3hz-#>M\vpL/vN@qLՁ=7g V nZ \,c 4*-0Gu& #0C`q$`a,L?fB=y2]s EwftΊcn*.xJ~^[~S7_8IA%9%Ip709 WQJLcL-phȢ3k`06J:s\GȈ K[;ND% P ;( 'K ńEjN'/څ44T&˅ற4ȃFl;Ҭ,)hw8Oć[qu@\}9p@lKFfS#"$lkJ8(ebы4JKf1Ec0恇ke?8>Ȗ疳ôzxz٧'MErJ+ڒSWMr0R_xX9/>Dzn~EסQ!nv]kv >ןpFsk(]>[otG3i}<`q6BF;^3(i9dh<6 BY ɖn]$]F5 9gI]N Ԗ2ܡFtI|Ns<ҕ_r:- khY| n= OMtم+ՠTʶ?,, Iv%'E,?ʬ4 8ZtJ9g7R9w;t朋vqAIL9hо"R }𩃘bWNWp=C|-^B3~Șʯ}ÙpT#.x30;G"y`E"d=AZٴĿаsNl\rdNaEm9{{hto@l#@lu#X~Rst4RkZX(m'4zP ۲A''Yƛ|3 C=Igr<a_P#)>nG?]vՂ %$TxP{|J؀V+'?Xg' ~`œ'OxtP,pivo%W=3pc]:uSAHjbRn'PQYRquĸfQNG/20ްT}϶R,X=.>RPvp#: ܊ £٥ χEѸY{^!(^ wa=(N}K?j0X(7.O8[~/>ɭkB8wOW!ӎLX+Vj$NK^q0/jrVR7Hvv>̤wgX ul>q;1FܥB?tDN0 yt*MSۦ*+e謸FPqTB|6ITߩ:*'1)>BRY/0v+pmzFeRAyf;DaD% C|me X@'|n+K`]$VcJAs; z#\huTxp:5KS+#:mL :aJY*ࡰ) !A x~ۈBI4DJņ3(^P XI#/g zY n0H R 3s8〓%u56:-9 Y* mʄho2D@ r5BӨГsv~f#>(@քfR(|2gbF)#N,(&h?i>iੳH ?TPQ7@qtH8L58\/B |S:l+;G p(0 HTJ3.}?:sM/-Ѽy>oP HR fG& Y0^yپ*u4}[oa{7wNhzeG&;:g2㨫ԽD`+Shucu\ZQC:m6qkw0-` 3F&Pz؅fHmdK*k4מߩ#zbv^F1#\@öX `IlBOb v5Ё>0h>$O'(Nx0t@@́ՠ:{`jb;u4(NSJk 4TT Y1qx /v C=CN+^V80Dy„8^GP2cC:?hc5;@}=VC M(hzb IDATq|@Hܲ;؆I(btH^˞|0bĿ00[{ }F8 -ʾb#vo(1ma9cgxAb ^CC}:^5^=u;~7 eF{[Y67KQ]1z viRv-oO=EhT"=tɓa|7Iˎlu6 .M<:su|0,ؗ?nxe[Iw8:rgB:5*R+Vg@K$GʳwOËS\|hJƏ{Wѵ]wZPww]ZZ@qkY!+3sgΕ3sŷ!knk/'nv_ҵ~ L?i\Z>?<+hɺŎ#5:*wmj'lBlhNb xXPFX-^>[Ƃϥo(ݣHlhn(m`8@0EoΟtv#]Opj?뺾AzwCg$V}UH,Dni1!,=}H|Dΰn ފרP3U"sB-W$iTmn|zU M8R ëOt^]F @VOf/w[ Dug6M[l!÷e75|2HI5˕8|LJ Iu}UHN#h| 8l2EM>dyʦQhnMR6UU/kiMU[]_ZeUj]$;lgj=\{Z-k--cΜɡDu |Z >[|);B[_%`:c 2v C=^/؇_B#eq(;DٿU_ѹޠɾ#lɬN>CƯ`Cx$Rj v`ß|M)a~a7kj1Px">xc_m|+VlI,& ֺ'pZS |O$@\Hh.~Nˮ-TG_^k8_}Jdw`Xh=bf@1"1 V/dP/h#pABRrpQ R Ppc0iqG؁ׂX{= nV6;w4_5j`a=Ç xs/n뗿uXo]u: Q;Ko ;{O(6RlJu`J&2twBFrE.0]}MU+`Z5:{X'K9dAQt*IX4R-ugO} V;m46Ug5R! A!SFCjSWvZ. 
9ߗMeyi!Ep +dW4-fw\7LٍTWYB t1S5DP*ʳ2+@|#}Xq4V1p@'}g#?g)3W~AfjoCMfvJnk:ؒu150|C *DAUn )(8)YņUE~]bP|-9`&X ,E@I(wC^7A:r̔n٢)?o]nj @oY0V^|2+).Q\|Y-#jE}iGKu?}Y/&6UdBțY2ww<,?.`BÆ/˪k5#޸+: ̜Ϲ|ޘc:yT7({ʠ[ʗhXk1cGa&DK_T2I# dt>YjNrg)mk.kl.RHSR=;+.f>FC}IM&{Nzjzb(3gƼ5C |n@0Qn;e  ͊z.FX,|b$=T=@{z%Rx5o3/gl֝ *1t/L Y+$0*FZ~v1̋g*U~RTs板l۩z1yi"wf[gĉF{8Xlӿ)c88iJ~gmQ^ݠqmԬʡpxjvxO9ES_Q0{@{Pnj?ԯl3l,a 1dX M..dkmmUa!̓bME \qڤ2EkkY2>sJjLvuЈPO0ބezf.9Y,֊Je$*V (@/)+vs'_<ׁ(+H3<1}bCY<8IK"kO)36UEf92`@ sz{4t`{i7~H)'כO2D!U,$HL$Xt4({= X__"*t*Cks]^k Q+6NXQރg=Dj.e,N'8I#P{ƽFN<#%{'^ ^μ` d+-+7|"gHHo[ߓ@N` Qj'uo1fZL j*|xzh{"mFũRl< 8QSf{2 ::{jǤB9G-uwĦk fQ-W6+D"0[ZboomfXaQB1ʦ4gUFhBZ !ph|`.2>٬YJ#3u)u  M}dw6dX jr(d<*Q{_**"Û 3HC]E*\p {`|ۍҘ #Ooo wAXzHa,.ԋ.DEDtK#jUYS֤;sNuZГ/Z5D̺ ti+ro `C-fraQ7P٦"fbUkQq,nOΕD:Q__y5! 7;NʈQaBemE  |LJOe>-wͯM_?O/w}ш7!ssaݺ3Wl+VE 󃋬d*yBA.k`M.ZC7gS{OrDԬ9̸o/xw'xP]G/[}PV>'=O*<(c@eeڠ'76D7cAGrS,DI4D8 ~*cd*Z8mϛ7ɘ&"h}ɡΙ yr, .5WJzekؼ^iq-Ǘgq& R"ܳdoqh/3D!5r|i%6&Θ8j.vW9Ё Hi5_IcΆz& @D"3paJj| :!C-ݼ#[m3.3!(Wta? ڲ7杞;ຏVעR!LJ]Bok?zr*izeN`p_.x]Ӝ RkZ|z2&Y3;zs]gdtg'߶Q}I鉒xM_'{՗ HAV5+4Ktn-'nV҇ 2``'rr #h;F#`h~AaSisFqH$'R]؀@X<<)5)NFId `X' b25CŎ6Ꮙbk.^k8 [s7/5;#o?;/\Wbi*6 ZVknf. 
\)' oil}s:޿ҝvajel*k60!DQޒy6Wo" M4M5I ֪z%= ֍N@ZEE D!q=D,#34ˬQuv_6H&cÂ#u/]G$>e+(tA:o />eQ1X[eP)pw+ 73jL7S{0#1 _\`i0SV\D†;xɽ]ɼ"mÇ̞,sγ 7!@"J )Ŀ̥zwN2"/bÒiruB+ *TkT8/>Ҧ|4{<{~oݻIo 4pBÿР7uKPWָ68_e;֧^qSB,`,H|{`a_dPxt澔K^fH-$b3m@ᏡfU˕NHFEK}Nlљ#6TU5uzmw%s;[C>lB6W)opf#L0}Hpi D ,k  ܑ\Ε@]ム ʑ+CCDӕy|Jت"zASM[VpLK$0< 4nrqNBrLd*fElX?lrlxĶKʠgNrge]1#]4Й5G63K:_߃b`cm˖`*Ɋ3mTʍVeU 'L$Tfnzjy+=|`\jj&0¾DF~F mL p  1H" ƚ:γ^5 IDATĤ/5f8$Zh')LY}9W/Z_]{_GgODODЬR|׆|u6%DzqҮvJY8t%RlmlF 3-S$2|)f T8dȑAhޮ/PH2h *Lb2n\6f}\!oP205:Jcp[!YTF5Wp)ʴGt E#)M['Wk}H}.?Ol#CA0&ATU_`4F`$)6ⵚ @Xa#R Y8W/P)psXM:@!B:`,f;pZjZ1 64>$# ` 62Bḁx 4uVъ U"w~j/#UODX= YBv\ >c@p }'>[}ю}[i /^\  $p\g" SʧD5`ȉjZ=z"ݥ8c>«*Ku@?-.:S%Zyw!{&٘2f׉FQSz0w6ѕK]#>Ǽ >ްyD!B22-:hlbYڲRKL7V oW$蒀x`TXYwh6 uj `kϝwE[:Pѭ(C'NgZFso+^)%NũQA;#c)_$ns̭uv*Qojy}[f}p^wY-Nss'z98q@/ ?467G"SVGKe蟯X@{tv0$X')Dӳ C_l({H{'j|/ZAf1 s.\,.+SV{zd_TN][[*wشWkN]6oxlV}M䗊Nl1j &;W.OVō?`֚?XsA0kX_]췿-H2mxClڼCsʻO)'C_N~=iѣ0SWԴh&EeifNGZ}Oφ\w^h^۵.ߙ9 -tsNg!`4vE{}.:jaSYDtG-E~+O{L/Ryyd⨩c,-S]St`/ൃhR_/9|&6b?O~ 1Ѣ}9MXߩ:>uNS?F{iEJxٛ('RMEa2v,UO?<#'=,wIZJ4FsYou+6r?͊ DJgUpF/}D弒$ E_Z;+8QKU44+M#e,ѥc:isS텆Zӟ.%F1oZabđ>}m@n&)#FJDKe}]^n Hۗ`aIxi}x_6:ң`i֥QF?74bk7#gӬ1UꭥtT,]e\*qbhɦ?F!yzFE,YxM]{~0@:`0"XI\7O_X)L5'sw&f Y"#´ yra܄!!nwӵ}%p]e0{f$~' 6f+a@JC4Qd~aMw?e<^Te M%XǖR.dP.u" "Brp oQP$5yg\c\n >s@"Daꂡݤzkٸ276R@1 pK/y7.. tu2c?7բx"p?u!eay[g[NgfI9k"?o>G@J.`Ƈs2[~+5'8D:Rtq Lauvv_P~>CJE}"}r^s '/7:0t`_|,Do @+=M"Y(*xP&pڋ.WUEE'Z#'BFdL!ϟ+^QRHDaX  m>R O$֦V NPG回!2F\6KQ—jEk_fdW6 Mj]SɂMs㺽(ΔyWI,AxڰG74P6佹YˎooI\ȉjF)SZn]w/B#gDvǥU"vE~G kՓuO7sN?](7̸GlyH4FT8j耴FH18t wh$$z۰Dn/L*a iN$%DzAH@G,bk84,$ӛ01T-<֗S @h{~0BAm9sڷa=q[#Ķ\#R:/XcT+#b&ĄNX: :bSV(daZ4V,f>@܇pvs cO7c @H@;↧1 <( 4K#*4٥a bwt9>s|CcD}h^E_Z!}!龅gWm0>ĐV)dD8}Pi$x6RB14:,ŗ ]lC6 %`0?UA Xwvǥ\\өa#Ϯ7XwT\!f]qMw؉>q8@9kW&9T Os)B~;KUڋ8 [ Vu՛8[jvY<"SWYQX5~v/ly5Ԉ\;q0PgoF;9#Jx$-L(q߿o~+hEҨǓW;' 9\w/$ 8r 'v`si?u{5?J]4nrT_Ku/tud;+|Ϛ4! 
!#i͝^Ms:u~ʙ:)NlhByQڒ2!(8,̓IEw5#/˽$3gϮ5ŕJY^NnGu?9RD6J`W#2~<;x^lS\MWAY7O0s:Mqq6nMsws( odB`$ + 2:c>b;ox/cwUpmio^l`?Y_\ sW[wƪZ4K/,X:S@]wuVI*6l+\q3y@ z`y [Uz*"0%yFxs~z{ D\Q\y!ӕ/Ɖ岷5&MX:6:g> ^`~f9Q!ؽFwΥnh ~€Opيc( w^4R}7?xIx'yuP[ej1 `)mwˊ\~ <1wܿ׺p=>i]txP-W])R.(IqWM i=(ط>,XI'bU9~~";0 ,VTmf-))j0Zf X<tgbA]Ynb3-{TGosP8 m*mu6tT0v}{7\L۳XJB V.Çf#qo6‹'2y^Av?0V"W hdQ(m4?>^ݪ m sZX*;,VG06JFZvH jn*\FM <bS͹e@.vUV((>1޼v•ߒ?n(pyhL'wfmA ^@gRoQr^s^ Ki9~/ llғ9uܫNU}<2(P‰I-ap57L&d{6`6h+TMSu>Y^_w^}n]~d˯d6_YW![*wǖ eLĮ:!}<Zq"{YƧ{>\ia]QC͉-HBd*] @aBNůzEz oYrNxzt|bxRvu+t$CwFI] @ܗ<,`; ժO.) il+ۙAdm=6 { &@Z#bӫˮ]H}t̨70M?ܾu\"WR*ou9Rlv#}'Q|RR #Ԟ޳ReFy>RGyћ+i;/;!gl=:)@4|{g$SO@ЙTŤh @X11 ,8h= >"̈́I8H$C edpP=d:\rB#xH9^;&ͣ]Z:#p:kw^}A1jopm`}7ㄇ9xȲB0rK?zdmvgeTeYJvKFS?5XT|1*Vg[ oN[363u#`ٺe+Y"d4* oF"s<͚UkN֩[yQnt\u ڷ43ЧJWʛM-%J3B6?\B2&^o%qlO/ID O>7 I * P[YޑgM/TD^Vkec%xzzx Lʈdu5JJ:{.V~3ɦv/_'q5" {+=,mw!`߾V-~s/ 阍@fm')큷WK71lW,n!aCf]&:Xnw]vJ`5-å4r*nmGFY;?IH<>i$l ity9;-Q7h뉯w_׫25z^0̋ yxq#2\oi1w>σurGI*6,EcǎBL-$`zVtl7u$&7z IDAT6UC 8f'oZY dl(E ]ՌzBbnR!4Cc=4u_H%s_:ׁ >pb n @j{@5_)(jf0V$B* t"P!OD%CSzA!khG^ :`/:{[%NϷNm63<śOcSf< 12EF/ՄRX`F03#di`$x@D)68;K/gH{1]'@K>Xǃ]zVm)?y[ok{Q!`>tfL-s* ,uJnJ]]u*ڼ%%=zS""(].v{[}pfζd_Vk^t3N`{nT$ Xd_{I-\ഀjb{P]Z7IAдMp'臊 3("tsXݣLJD  +FJ ɾ 6]u;@1"pQ6>h@XV7x>\_/-5W$C&l6Z"K "ӝΊcM%w`J-p%@{|qM0:>?Gި ~ M/6d>4_8[}+hRߢ.8-d ChUʊA=xmږ֖V Va)tT@mL0 Pʡl*%iDIoeywWmՁ/fB? 
P7$+ 'n_>d&H~/~(wujN7ԉ# G( ߑr'emraKM(Q-$iZj )Éd+ ɣ-;M&kJ^h!ZJZ%p"cK9vZ _L{ 6N ǿ1e [r}Jdޠp J<BO6Qn$wqDa}ƢWj6쩜;޷5]EmV79DpEss[%%%Z,$mUiIQ)j7ْwjI7ڗd7Q 8W46&Ʒj:MmV++x^[b1 xT 몚[M(US[UYPJbdlbԴ(LO7lV6_0D$UՑ?lV"Qiq"^hH(EȤ UdUeV44P__.06dm~B( v].d鿊 A&x~ɴ?ZvGI j{x1Nԛ{Q-pH/=]FyWN=u" drAc<[42~۲m<ݐ /,*EmAM{Zǥ&ʼnQ-̬,gĥħK+ հf6I` <|@Д@BZml=Xr`iCJIJ Eͭ*R{J31-mCpwF==>o !TeGWPy騪6X}'B?+!A=VVg>=KaF5hHl^BŁYJ'߮^5ÕJ =Q2dDgd [>ڝ}.*Eh>_Gw9دVɎ7`c$CcM^VjXBL|>G1[fpd> EƷLetDt%`a D"qC)dJ=3魨@0id"jves^G~g1i|*TxR~`ƒE?̧]ӗ`ZkOlrYJA۾3{B`GЕ@%@_HDF3?$A`h 1[f2_)׮޳ꉩ861T&=8|`7|{q&HvE}A+,W*XQL: ojI) /;b:A^iV)6O X`E)'A;םdy!Ӄ-۵vv̽[f3V͆awQCnDLu^HIH|R'=?gN fHck]e{zb`6ՠskuʒD~+^Ε9 HGf}:yBr\IѢnN<wDu8u,& ɨ59_%Շ Mu8ҫ H6+wY3“))!qhƶl!&ĤQ8l;ez;-tcぷ=V?;4<ŕ\^HA 0$-K쳋BO\j:t0MŊ{e]V ʄdžz`@^J4OW\H!7K2/z%I xbe @}]{3\4!ih F'dpd 褨cR>͠q\_q82$"=n3-ր`s$!:U^ 8ai(b#s$M5t#csծm@xhhFV2{8@3N[K1ݕ/Li(ia BO}PYd@g(JSq Ĵimstᦖ#DM P|۞L gu"N۠qk*$` %zC#ooo?Tl.] i`pFcBTsZ!qm˱ S uV(ڸ$`p!.RZ\ xݳK824ϛ6trh G]qd7n<^?sdZP~7vt*62<݋3c~>KM, ^w7M`u_Ɖs:ۗ n˗=ҭ@4JKgUwUTi{f%J^7ADPIJU׾ֵ]Q" HB RPH9}rwy?bӫj}c˚{zj< 8;$"[ bvX;<,)p!xym\(&vb:lQ ҌIްx̀`onɱ9ςxs,~ ͧO3Wx<4#R^A]O ]p9Z|A!MMcIO{a2!tųG4H 㬀^83NBY+PAG ӏm~׿لa+^:gi'&5.PF&/׿ל}izG# Ro>Tl8V*tX$}zmaU|LnIR.o dp_T|5DE MlFEUsgvunp^~4y?8,pBWnO gW.#-A <<'!(*?㗼yc8ܻkҥK!;'7 h\t_Xs}9{lҬ|6<6 \Xų3xk/l˷tU'G}TIٌr[!Gn͐İfV@4q|.3Tl^5j԰a|I rn[@!2I.>qMvp8]saM>7{qRxsLַ/:eơ2C("b?>j/N8; [] L8]h u )A}/}0;e}jJRF8Qy_IZ@R6@؄p|=n}_TbRaDYYYk֬OM}Zh%Dtd)<9"GvVKН묦-g>{u6d>w pT\rEc!"[q {M!de+rb;{v|H9Ud/OIuAI]uѱdpi\QֆS8\v4nװ)7%٧?w,-\XP;Q.cgr[)ĄI&;WjTƟ1[`|bĄ2! 
q,ΏM }Wﷰ sxmݔspM0ɤRaHbxXjRN: X 9ٟ<=xi?|a}j$0i銷ߓo6PʩgLy|>G I>h"^cL]="K.c3V72Dt״W_&b<ԥ>AӜKNvT[| u\)%cƇ4$p%GN$Ii|/o|dF9m&>s(00H{\9 5~o/:ej7܉AMz} 콺#ZPcDr|ӻcOSJG3bWˈK?njmGPUZ=Xa=FDA@& c TX>/F?L\ʟ@"%DB!{YLv3ORL*uzeui}% hx+pkFWn/ e~ H!hi1w{cN)#XҖ*,f<'cJcƃJ\ZӮB\4Ԩ e%gsOY3V8|Yn5 } tMy/g${M_/[<KOۘUMWCe9yrZ0iث8[ 6G;$Cbt>sj KUva:؞wDwV_$<@V =drJwh>Y'Ϙ2k?7LQg?z?[V֣OOb^k{oė~v=R(Ȅ%5Gߧ}8^ua{iޔQjUiK5&*;U=-PAsڡfW!LQU#?X1#ś H?4 YGS5N+{'-̉ C?d /&WNcBeNA.OD>Ԝ&1I`TMbWc"}^LsQ:!9 d.2|* o ;f"*ծgz/mC8nE@1TvHlBp aLx+G6ᑂ  V*EF%Bv! 8L7A)O,u˲I/ֹ!oQ֬~Po+'|JҚf(bz5I|tб~<;PV{N}6L.:)a؍{KN7^8v`H{!Ўh?SioDV}ɣF{@qD$8ԥ76mCVWmt b@sL{0/O|˹-6_iX7;>4v"vx5 #ڲ7Q"a *"$<<Ǔq񺼳90}|T^CH!:@: BIG('u٧ HMdT'…_0(PApG#I1Z1)@j蛦#q$h bk ! b@@``* ɚ/LOQG257B # ?<4t@5ew2+ }x|43[ =@B[zh0"JX$=[ĴQK6Hq$hU V8`-G9?V?V!mh޼8#Ab4?TOC@"di͠dE{|rJ|Fj & k,ؕf?m۶yA[1D \>_߿`uA~6+/ :tqTF@@^U v6Ȅp9\eeeK,y뭷WU@c& }cO~;6 VBk7DONW6l봌.CfwoϺɉ!㑛#ZwV%<~δbkKrn % &Ku+m791HaϸܴF۬^ZံX}-#q@ۍAwm ׾8/ @̔4M}Dwz-ExmX7Ih7KS$%1n̟ +2čWXUAw?An[*@4{tYZ֖,J-il l]iX@W]9y:w;yʃ+5A.l<|U59ŒwxN^֕S^U\y EUNڋx >'\ IFAM|@~+{zo HTMͲnZ% YS@j 'pB(]|s!Fp(`byp½Aph3atZ}$+L9Sk7}GEޯl۝9B!P }GH5km gX50HW`/(.ش}+x[8b8e ֋?GPQbB$ bUb[X/ 12L.N$Ƒfs=DP"YݘP, X60tx:}QDwZ Zͣ@A<8&rBd?>1YmS"A~smvM2Z\4)ByYI8 8얲{!h< X55ׯ8k-3bI#y``B Űnc:+ ض)~hClxЭQA⻒R]7 .]<;bbr~}DlmQ#C$WK~?qqX𠦇rIMdYrR"2Kd`TPc=_dNa"AiXb6c9v^f㎂1QپuaaQ}>iٸuIwhpCF4WK=dkLN K (AHBK۸1U}^WFMTu|_,yl˅ bƙ,*Sа%!Dr}nH2l 劐ΎHg(.s6mL65YhV)Y$e/)s,qt;G& ~XzN/,]S ,h޹;FB&.H7mJн'#/m7; ť Sibx<~"\ޱcà j}A?"uZLGA_|e*nдbA):DJ.S.~5ZR4>n bk !p<<>zÞ6Hj$ל=PjpPt 1DR!)# TFE.K{Y2^NR k$ AI!2mppx$UoSm n1BVhP ں \j́m bk !p@! 
Ҧ4H{{w:0|5w{F+47@zG>nM1%㓄dCUj ziQ"UspK$SDuIv40} :@ bC;LPȽFM)}J_}G^h6[Sor>̀_frw>\۹nE>$3m6zm F%zrJ<36Qԛ;ԋT&R#ڏ§uΆex!#8jPX0 ]w@d ^uD%({$hs5G7ԗ892"iv`mOS@&o˖[J (X+}i3xCz:G]]V8咠P?vIC!ad5 QV}Do+r͑(Ub wYٜT]>{A "P;By$@9bSFG_Ss?hCB~IUI1S{-q.5p篊]{Yƅ[tQx)uɄh3a9EyPJL9!: 5}`$v#ĸyۺsIFD^I2{ ׹}K7n1l<ڽWrTL{w5k.%@Ұ[wVa5 h"ؿf$>g ܡHēϫb{>)$uڠ+M99fcTgV1r he볊8 Xf H bcee8J@\^!2J%0[yhȚsN%AjN .Xu]]t/Z^Ņx͊;gӒI͇w$3>?D|-ZE,D`RĠ$%BRF9wO {TQQ0!} W@V ギ"=}R n9Muk (dq &=y͋ȵX"uۇB9\]\>/Ԛ4/C;hŜs2}|QSǍ`3sL{fa#L":}u{ gƈ0?Qk?㞱+el';b# b:%("%2&==\9/6EB5U[!* ?5TZZB ^xCej"ϛNДŠ HADpVwm)UIU'f '뾔T1D ] Lє v28({& TbL#V%Ap6TCzujóeR݌Qf;|bO^^+iN)m` Q*y8}nJK+`=saεׯn=U(O1SBe.SMNהߙuݙ!#׈gT_B \#KPyQ]"(ثjV1W2<"1<I` %-VqpE|&f,FN@lC@B]5Z a 4N0 S.T1nqgi6$ xWgY2{J̳R)WA L~' sFOUe'e#ZIr"AVBp@e8NE"=2W0}j:D} bC;,<u }>{Lց>2u+$xZ%Qv1)p!W-=tBF NƆl=Nr^8F5*p=U+ 0Q]@=$ThJil wq10T}5uy&/p1E$۷.S9.!b +pdD@HhOL _MEHP/SYY~baYvگ6)i[l8 0Ц.ާ&Uxr;/N}!^@BLY?;gFƄщ@ VkR>HB_=#9&\ysα#F~}oʮ 9qLOA|_+<\U BWgzdu: gw.PTpVxPtUgTPh5 e[\v Z@"@{@T7$trZ|@# ƀ`Ì2gsv_iau =V7TG]tVVV.?gC ׷k,M﷎^U#d6a˗r='?C ;wdෆ}g)Bqy?iϕݬ6w..cW:G)FwXC_%;Sf$_Ӽ"ZRJM?jtMoDvkpF CGBRf2[qCQN#8" GE`õʌuwj ׼Nśߠ.K{sUXnOVa?vn.k8[q YTQ?+hhv kֵ5WRhrJ[>⠐FY |hpg]aN]]6b4l 6s ; |]L`?i=1ZU7O6eҜq۪K>nL'2Z3O~ōd4ܢC/ƺ'.xu=DD;Izʑ֢8a F\-v&1: dbOrێ VmTI#"XPĝEV7vjQ'wNZOxq~3sgnQuh A᪎SC !A*5s׬_'¤T"́#O-[zP}pU5~f/_j_T +_;cΊ2嵖W8" IDAT!U:Xrn3`n=$hHe䇔iZ9MPFŒPW NpKD0Kyh (4UKl_ygU,.;ut-ui u.i{KW*-ܹv_0A=Bd V^6iFK i&QIڹjkwziF leڥL#U2Ҕq`ѷ_ȠF`JVfzl/|OAXvT\Ov:ExL?9ur'ӎˌ~l<8}#r%IDhjԹESIO쎝@{Ovw%)ެ9n{hЫ=`?&6%I)Bnk!))> B+9Om)9u s=Ӟ{uHֲWn>UiZ.\(4C.>~ԘM ~_֛]~CtK};?wMˁHM9ԮSܼ|'ʍNeBq츁fhЀ/2->Q~aܒ ͽk@4/?_x][-`Trf1)9vΜ| ӌsW6Jl%Q2]oae=P9钒$rp,U =={?ky"3R8Vk@(*T:x \19(]gypq,KIXcKХSƿKjh K IHdՃ9e/7ݘρ36V^%x5XZ$&q?د.vI ׋"=tw.[~|<Ÿ5qCPvKRU'5Q/ݹV?Sa]%m@{Ǝjժ/W~1`Lk' 4se`!S~{mt,BٵRʚ"#-S'8U2#O}U;Ep\('h/XK`{^BNxq9) x7'Quь|j]e1L8g$ P8k- \w:hb"F$S[gӫe-n!.hİ'3mXNQB~yL&å"R˨fx]OYKܵ>=%hHЊ! ozAF@P&MUU\>lG^6ܱJOEr$")x\()BN]p@ȅA6또.R Hqͱ\(BJS] T0%_@!V*.YC8o d1.b^;\. 
!LJ(ߦT$֌_U;6\.UI2Xin1Z .m=D˗&#k]FۊMƍ&F!pCx ɼ N0߄t"TVypZW?Rzm^U~jߨdKxS|T.TDmKzeBۭh9Z8 Vw=]ǰVA9w3`ocw{x W*!Iaiauv/Q#bk@5'3\3?u[kVew']5HƧ  FfWM{vkڿqym%"^|UZoqؿ~01$'ݙO*[]X }A_oF.dD2X|_띞ZGBV?f UF Z:P? ~$e󹺋B*C{b!dH "6$/uetbr6A91/UtX0!S&Ɂe^҂Q Oy7pݰQu wTH"u/풄cqzQi->E1(Jc m1_CԒj][:]Y 1Qڿ6_;VzH B!z($Sgbsf=n^hhsGWc`~$2`mR>…Y,n`dj΄*xb@j\ny9z}E̋JyDL =S XS ]FʼEQ d#eSh%+РO!5F|Ly0C~]S$ a֌M#!D $ Vh8ͧBo|4 >֊W W4zD`zr }{GL֋ d'v׹.sc : MxL|b"YrOnؾy'Fy`0\^[9[g2H̕g[NR eGb*>=\^+FXCH|җh\xBY2=22~Ia@uE\@WIIS'1%?r:0ڬ9EKD((B12 .P,]'*:J]#Oh/'&9lܰcx6.Y]PPVo\/s=1|+=ⲏo<7Π L $IAƍ5Dl I xbϨczpWT-;PRm娸uO02F͇.eb0`}3/91u& !$ɮH?zH&&0Xgrw-윪 jC#̞gvTYK#gdZJl.1LͻK*Tbv".sRjWHa3N : e2O^PiИpT$b(eŤJT *$ ͲL&@lG%8ո`Q( }C nGB!h~ARI@ ):H]y#ny$CeW"4\w  Ʉ-^ĕc݇~[ Iy](2>OMe*DoW[{~hn;s'2VIy=[bWs*%+GY e~p%N|ْvDlwȃFDAĂ@ "@/dEb#^tTD %<ea\Br$eqjo[|Jn_=p4避OCbQF@yL~hc vĞ(RFZ)!n g:ϖ>լ:~WE::|jzl9?lGn_gW'B|x 6w0[-%D#xr%E:\BU8 Ð:cf'TE'@ Zļ"tM4@ B,3lژ+7n;gK?~Ԓ>cڌ'G6YI39czw977 惛7ϯ{)#쥿,bmGqY9ΘZ_,6 >XT鿟8%R1WeZxK~|dg%7^W&K(7_ڤ8s wیj&cQA  X #)RA 8bIb9DCntⴽ܎31<s| c//90gRʶ]4۾yg59cTjR=a'"C̸a*?D=}bڰ6t>J#I:~=#cb!ò-^r"Ajs*+9/v1Y|a멁/y!)LE[.l⇅d=y}o+v{G=|3+>{0F^Z{NIH!r>n?w-EsgF8?y٨oǡF+j"'D W!QA^P_ ӴrLʛ+z/t0u ưc6d(5D0!E "jĴ^oΌx= %봜߳;njp&ǸDa'\1Tu3"6Vث“aIžJ|oJMV]CV r6Uu`3 ޽M~Fi#S1B⯖p@b naG^I>=?bkݾf{@zG X{ES볣bQt -N nm߹I@ (3? L=3g@U޻g18L68[8,4)GD\>afKIQZkMQ=Gο=//| Q*ʃF3\T᯿9M\ݮsObe[~PZ?*\죒 2#X_xb㕧}Wᄀa-RԇHu*^9"\۹=}Vn݁&=WYGcJ;nĈ=8O>px2DnKSzh>;,)Ft)qe]Nޮ3"?Ex_gJ5VT^x*돿QIڷtwjPOIaߔ#L 5xQׯ9 )rbAP5 JT ⟼tN1a&}Cޡ=4_Q+{ '`3e.)ozFJP>G34 6z^ 4(uMsfH_H8U$>١U19~Kד9_'p03|N09ޥ8})0'E{~D:\=w9y8 " )Zc`Ѭ8c8u6Kx%V{4 !{'~k`Q".gH2".b/uGpC`niBt"O09&k:ŖwP&W2 `Y,נ5ı[mv^P]:0¦;)~sW|6._@ .:͒oˮaӆQ,T*N8q0́A9I){*P3eW5O7>RH20Baۓ]sONe4lhC`k<@Z"hE!QM]#j̽Ǒ5 Z Ẋ n˦Uk+*ϐYcD"Sί߳5Q)0{˾_$O6q)5OkW yvCɱUX^lޖ2'74ìcߎU_=cܤ^#280VϬau :%ۇ^#4s,"T.]]b47&IӎY4>NgHH.+)9zh 7m*3 &jO-iR_*oBhJJAin_U$+rYmd[9.{##t`?}-I穗U =32}7.|Q7ǫw|sƚ>[nzCXV)dpFn_m}%S6Hs#'͘.f`L;DeM0)6: n8ι@'ˀl5lݷS  . 
ɥ4-sP2a>|?% `ouY1\M[ҷ'mrK m @b3qP<%'HmmT !c7+lEvgT&~/dX-mO).vju2ܸ o[w5ް\'.B,;s HLK711(L퉗[/TH_>>7ΦNMt$*d<]iC_{bƌM-QP 6N==8]4)_IצNHS ӍV o $`ǀOo711}c^cIW}꤭{Ϝ-3Y [ÕB<x!m!9籹vd;9 E]E`˘D(ne5w'N!!|9G~|DXYkq6TKQʪzZo "-u&Ok=rW``R$^_W]Zmw6@OQQf& Ҧ[lt|*󬹺h2]?ŝ:gX6WmNd[5>Zl.:vhDoC$:mKAsnɗiDkKZ5f1D(M\x贮3)titO?Q'>{rl~KJEP*/?ZRT&6L *B{\? ڃ E6h} zrh>2hV.IBVM8-Hj.o_7oJ(7޸޹&'=mi/x vUP"D`Mj2t+zA7E!#?OQ@m|>ػO'0L"ƏzcZ p lEmCOKuB8OMzP)\"Yܸoq!, Ձڌ˗h5l^!ߒZI 8=1{{I_Z& Th!{a}ٖsN'I`M0d6'qL* #sN'+ ?d ϋW MJ.L~z'!?V8E vP _E=PZD*NM8m gce iuqpΜ]t&{oms70﹩) r8yp;l'L5WKKAZ8M{i,~~siLrS}Nr1f?sSk.l^~eOŒٷ$I_ T'D~f.,rG*;7>X*Ԝ4y=\S: ŝyE xq|$~.alwSN\ AQ=ヂ62o>$;픯SU*{[w0&L RO,|-;Yʷz7Ffj1ÚzkX͎?9[=43]Ϭ.$&Pw}+kv57=fxio>_c*Mo8xcvwT[yNfVYw/~S/g'0WJI _NrfCmx꿳c볏ZqSyAʮ4ZXUD' BR`?"aOc6 If&96?Hz`ٜ_?XiU%F0dQȮM*崌j(R̀9{b&a%J?}`LLTg#WnuUT[H|` ;~15A)#I%vr޼چJ+(s˫v_VL{[@8:+w}=oƷ׾3\o0횀Yc}m9ao߽͞ )BX!S=i\TExڿ%[\l:Mۿ~9?|z?2A׆]:T"\t:!;C^Ĩ>cн,bk1:0SYjp>tԌ'f~O:n&On[sKi<8_AU'%98NJ1ɳM9 ,hldjwohu?($KMr  [!5Ɩ}O֙kۼJ,08gNOvԺ+ j KTlpxq70$4\rB_͇=bfc/gYZ[k΂)|w3Q)/w;<ʩ+l‡#@7$0f4;dc>:lҏLOI4t&5n/SrҎ$7jp9Q(9z:._ j5X7'q+3z(sX)/fZYw>r׍q0-0;H2LY8ka,_Lʱ㰚A)(q߳xɉRQZqbe܋[͜(p(e ѾJgNVr1ƭ|GoN(x%]K14qrq,ӕ`Jڨ,D iT,K|itxLq)_U%hr#/Z5Ֆ;YOT_z>gʬ^ ’{*~6&~! +^W$=%4ؤ6&SI%0Yu`U ffwùnE)^YJ (F6xٛ"6幏%:A6(D# #o=l1&hh˜fhe\H6@* mm/) rEkGq;^}qR-+휈j$?Iq<[8;chN #aK|%1}9@G } Vvض域6ϸ1zjlX)zkPȨd=DL>hL!9ᓆG1A3 iDR>zO*G'zت+;Zq~dҾuT0R#Ük Ғ{t>}͘@|9[Y! 
ѷŞq)q^LAleAa~}Ҋ8acy ܴB5..-< IDATC#9htO*;' E XaV*yxh(6^3V+i <`_/ 6\5uc6mOH 6DGF: ̍נ#@1$CȐA :`۷4U X.WBY_NԸHԱr)fQa{I8__*BDP2)>ad8ނ, 4b BiZd|鞚lKmyqnũZ|B|G.!yA<@0``qKP@hG֥o/Ρ\7h8X_+Ye%kܵjkY)T6" b^SdܴxWk0Cd(ZKҖ`p<,|K3ڒc ֱF T[~LO+?q`-kaaXKPgr{ Kaت7|R,>~*(6 x>OrN92W̥ki#,p vУD-꘳m&|M#r lK8r(ߕWқ,y6$&v-|xNC7yVPS>~pc|`BB0}Zf LDrv`xGKb' Ͳ@]O gJD+ PO}1\dq_g6OE#?<9}4n`eko{qj/_e߁ͽOk^9cq]lLU{bz~f|Z#S|PNr_Nxu #63F }D[0WE&,}2^y6V׍zMB8M/UyEFPhϠPBx0)޾~Z)E f+^7TXIFd[ q*W:-le A@.ɬ$6L2.%@gkk` ѷL%S$I0yxHu"\5"@ϊIEpg\b G,VVH Iib Hoΰ3kWu魅~#륕-U L u7itL*IDjPFM>Pcp0+(` ӫ3RE93c<>09G` n -a'=x'%F'>}Cӓ/pB&]cRoW\3Û9ZJ14Ci6(V]rb2+u ` J5_*B7"pM?݈ "t;gʗQ7-cuAS=6BZss b֘S]^cH]@#%DF>}mq.&>]T`s[N%RaЃ' 8}m xr,0%j(NbzLMa:rXցa#ai)e36icò$WP:`b8D2q޸,*z"cy,osNKvˏ,}OZ\C5G6(4cߘx,Yn4EihL`Ɲ f%ꢏ7²-&zRj^>N''_碭C#d:9đDzO<>0Jڕ0.q`.= -8Ç>ƼRJuJKDa=| =p)n5 w厵\A ٳ(J[/rsaIyM~e=+Pi5 5D`V~"*H\BbMBaLy_O=3 Qc& (9+*|D %0:J6l{Ƅp"Z6gKԟlߠ墘]O gJD+ @CƽT<^4R>Xm$hmH5v1/k^)F<_vh~5rZp*\Gҕ;>0b @ ؏M"Ñ6`Q"p92Kaُ1,Y].= )؂ ~S$zM\'T̐bӽ ֯,Dy H#0:SDjdۀ_XH]@#@XWtoqX=ul CN9q>QUyx;01-F_5d%`t :2 cݷ-E`Q"*VV޺$I$s΁Y qgyA9XcE@7ݚlݺ{P뙀G/s@6FX3,f`k]"@w"B)8q`l8 .Ƞ;uY7 lݤ#P5D"f:9Ftqi`(Sj#9 @NF`E}[uⵕuW? 
q8x;‹1+ \.:KqD,F[MϬs؀nT"{Ha@-ھxwὧ*- S|RC @0bB?sv"85-\B7(mb^9$خJ ]B@MbsE]?47^:,,쮻P}duew<|Q"UaCDKd۲xg"/vkşV=4Q>-Voڄ C,\h^RX0‰ N@ K5q) VnZC0A"M/%8C\SAƋEJ8$VHAO7|]+ Q@}PzJX zҟI2v׮]}W=JR NHKL1kە?I~DŽa}4[g[VݯO00]Ų[nf?_<'%ϞΡy/_?bI:/m"٨ٷ㡤1[sWQ1lrNoʀ(/ڭ}oTS$F\wtj]ϐWK%r&v# B FDrrJT pf;5wFޖRypgw쭋 ^wxQu_ڍJ/*0\?"2,G*JnCMD&GxkÛ*6$^f+냃}SeO}ͯ13Zz wzRdƒB'@lDC$N_9|9'*^s-mm0Xϯ:f=</ޣr;JR+m nwbR:w2?/D^ vDDE+6?9: vz~\CdžxRM+!bÎi LĚ"bGk}}5D) r%G\<[ f rxٶ|z:4y{f~"t#[E9#@?qu~Ƀ Inl`M7,5=vLJ$l~ j!ڹkHsǽ8cځ3%&6eR{EtȱdN@SLDC$.D_Q,ᚿ'ȹYN&['F#{811E+gBvzm@aQ`0(#DN׿_=wyTK+='H^%==AW@9u9!~(DoO`РAVОCmnI~c(o߾W`j|)@6m2MsQC/^z~HJ "n%B" ![{衴" ݎlݮKPD@C CiD@$غ] !"l""t;Hu.ABDh$CEDv`v]* "HJ " U@D=`k=@D@u " @{ z(-" @#[T!D@@=PZD@nG n%B" ![{衴" ݎlݮKPD@C CiD@$غ] !"l""t;TkLP" 9!42AD.`.= "!`(D@B " BG8 H4h-85!8w`dEEgWe 0 u:u(`dg.E:|zAdSTLjA&$$h~3|@V]Ve2?Ϳ?-]Ʈ,}Ateee'~ 6h$|͊YmgQrD"`X@JVCLP@BBژ{FZR$Y .rfB)ΡkHU]yet=\0saP :w`ǎ(FӁyv0|}mٳgOjjjgL]iM.˥mwiJ t4m6cgFm2_UB^q"H' ӹ{u9T "pp e) R4<3VB9= ;-pFhLeH 9`cmud 7t@AE8|lT"^z\)P= vc:_$:)0Bt25~mXLƈR3^ ^*u d8Bp%T͆۷㘘P9)(]f+9ՇKn CzQ8'P 40>Q H]jP%B%a'gl~$qش/K`!1]IHuF.n#̼Iw IDAT7E?<={ǀu?Xq]E-PiQV{Щj bQ|Ѓohh}BnR)#4LIT^rʭ0`0leTT*!vH6;:- ihQƈ@gq2q:,ӓˊB%juѓ:T:k8œ!P/T$LTS[Pz}fk5k=^Pl7|f0ˉ`Lx  I |êSb>WUdkgZbw(Ťɓ5ǿ[{w9JFxe]I+}T̛'vOA=#XhCќ2tJ ;߰f96o#S Antrl~^Kj!8lZ2o3MOOzMN*:3ZnÖXC֚6>I'cm;鮈@_! 6Ar<`Ws1Ce΂3{s+mܞEny5d+/ݓs læIQ+>3|*~qOܹVdu}01z ڿ،yHc;A.3 `|SnvDfƑ1Fޣ4[0x֤~̱m7˶uG S'cdΒGezI2q&`^o(346w`f`ʲ*=aRgOWx_ߙWR[PtS\5;5̧o1{ߋʎ\Qw+ _4;--1ZBh#\C&lߑHK[nccM| ^=~a3mpHD^Srlܹϯ&'7{G_7`DR7OJ| |gj>.mxYJ>p9|BiN|_3$-QMm<\C39;"&J^JVXX- + 枰UZhoJ R}%IQDJKiFo P{`M"`Ɍ~'NUʑJ4-@VSM99ǎ:"}^(&Td R+s+IF𬭊S(%RgNWBFS4,QuBΡr7$堔Ԟ32^EZ>YZJ0J_hƝ2f),9}uqQ2f`*wHqws_/x7D񢵤D. 
rB dRJ.h$&x2<4zVf~#f6&ʷHA%=`h(?DK(6NBI䲰Aټc0d0SJ4wVr/^p@>s~E?gQ!H` &%E&0*n8*T 79󄂖k ʳ%f'YZ)*} SǤj Fer}ġ P`)1IA?\wQ$Sg?_IѦj壞O`iB|`ʞ Q'>a\aމc{2w@YpF jĻ>m, '@VXDv/p'I)<R (k?xRWDI~DG,ڙWcr0A`Є0j @IR?IRR0y\O+~ؼ;a)a ul@R\J]?!Ѫ]׮rGeX'2Z" ~w&P]F`p (T*' (SPi`D\7?Zƒ;oi(~c⤜!rRb[a K?s|z{g<3k_TóPuADc\/tFa?hIϠQS'2"v•JmF}lEn]kZWS¾/ECin\(t#)x/݂Ϻ`w/a>ϝg,^{~/=_| TRd⣥_lGّr5zEVSQziSf ul幹%ƼjuޓryU/۩@y_Hm `pV݈s.UF?A9 ,oӪ&aVSos@DMX`mW~hv~3֒w`#(Ҙt7M1(0t|`m~&۳k}_S&?n?2uʭ>3yDZsq]'za7jK8mҚZ+} v)1V3z + 6c]IqQiYXV>}Ϭ* Mvss\WY^aTj?y)+8jp~،&83˕כ-`/g3כf0~9VpmJ+jDѯ1&Xs֘ _C mz8iᘪҲrS<^kJKkMP8kVb@:ckJKv'`'JJ8mU%u_F,0UڡMfK}m%d?ՔZ+&A9sY>]Cח fp\j)euÀ^8+j[W]`G_=\ܝ8Ib-PүBQh"] ws۽;4 Œ_?;7y潋ǏUZ쳯>4o:v5:¡e3l|r{8wDNf6Yŧt,Mk4٠^iQw*- X%0^WMuXjJ8[VgF͘*?|v"t;hwGhZWY[iU%Gwn)ۭƢ%o|]Y+KHsh'՟`BǴm?e >;W3on@ȇ,_{@ُQw//@SV"fE.\gKz= -f9~Iq9Lg>\wq>dj1?o_!C/{o=-?g)G Ͽ8g(^ltW%Äܣ]yˑUKfxȃoNݳ>M{c'<5&e{#x⤧fW^$}G T2S6/ڂsoo8y̨p[kHxVyyދ?y?[\[pׯ:j}o6/]R)<~u-^h[JN/r>䳏 3Ƴ+?헝E&7F1=;bܳO͕H ]h*0)pP]vӚ7/_(6B 2H;)BÇa/AjդBC)0UihMJLx7;>QC-&F1|1Ƒ6(s,x'C;9R%bo, x1TH gʊ2.ATr@j+uFZ Q%BhS& h&J@Kr:Ur>ik`')d"l׿/7:qJNq=TjkU}M!o{? ?p|m1&L:2ck#">ٷ+Ih]68z̙9O`پvf㳦 [6..5cԊKݘE_Slaj0 2f.;>z/>rd޲+n=w?dKz]ޙ4!:X)FzS] ~a}!1kڟ5}oX6[x5ϾŪ=3?bwl^$|UH! *]2h.$7//Vv*Cixvgߕ/Nݽ_ ̝ǩ<~nC}?3 Gsզ᳇ńGd{;lVG-a FT(ٛk (poPp/Je2ؔmx3}>fOY%uϽ΁tU;\<掕nZ~dޤS)bz={}43=خC,}$,Mߎ-7jc6ϝsGq|LbкOr9IQ8ꋎ}s?Ѵfn͓H hԣۣ_#:p (#Icb3h+XFJEYZk8\dAYl`#MP_tP<&l4;vߔLAujRoG0Xȳjꍔ*cG6 :&jʃlLY`o'&;/3=}b"y:gTWK-Be ޔB,ٕII-OI(0DllIwӳrSLA@,o#.(æ?v['N3R/<920vzsA=]rrr10U=v}ZK%=e*ˎ8poBY,3[90oOwԟ+$h7zpCa.I0|FaMGQ+ɣ#%6C5כ;?q]kn-Nw }ߤ!]o%UH[|\aoy0|ԉk2QΥ}LSY}nVMl'R*:6+"N ypA[I%SoEz+k+o/tq泛~]}?~lJ6a\暥x"^+zX藞'|xO@ȐʾI C&GF37;%n>"M#ǹ˅LRk쩗|dx'mL{V 2& :0mjKlѮ[{ợ|v&un,` kԱO_}O>!g cuZygY@Y9j 0n!߹h`QnQ?CޞcxҚzjRB.sM\R{EF@"H%BH*w"&锕ÕF  IDAT/! 
9ILk]e<MNEa4XKuHᯒT-ru& _h@D Ǟ> RwIDGD5CO=c<ނffwGQB Ip0S4?H\ ń2u8(Sn5j =7cFpqxfUIvqS= WB~40] " ,V˫t5j8JE6!S0ݮgng4_~դ8^B}jH='tTTI$/(o^}AQчW'pdzq+js?bKQS(~`؝\W[Էo< BAq$94Yה+p bg4E* CGk9nl@8qAO&d,9->`pJ?]Q9@/G%5ՔXf=Z.+#e Dlq /Kg-0*/J!Oz{nt|8R_osPӋ(̷; nRk1 Y.Vn0y 28\w41o MMygu ,}>gq>DS($h+H6: B c`l5IKYD^ ڵОPz6*qZ &`7CO%  IUHR`?Ck_jxR^V~ha"V:6)- 5|kPppÑ}9`xb ^XSb*͍ d;=w:u>Ս򙪼K'/և:UprǙjşnC[SsE>y?׭޴ZQdu'^~~!<0qIIf_yuOY[6!#<)U{bNAq!|VaH7]{Da}׏EW yݖ~IAbUT1mӕXlWn391~0|rhuYP-n|`V2"Z]ڑ/Ȕ=] P;&vfuzT-ԇ樴`|(l\$X }-`z‘:+K\LUs"r牳v00XkA*KĐSK MmqO0CٞK 9L]vZJQh_jt_݉Oykx_菛[Kn'|5x6|` aJH< @ $xfɽӴ_:bf|>y. fI#Za%1i KW?}#5zˇ>x{ψ_$VhŌ[Ov,n.JPy/I*n܂s1f f /d^h>za#f`RIX' sW=6潧g1w'^ޱLQ)ǐ92-ߤJ0b?~ M9dL5SZ) &O=wO^f2<.J6#*ѧoP$7vqHd߱RU{l990o?Hׯ>A|NA,c јɫυ ]n %?+-i@v= \T&)H1Vp ЈZ MJ`AlEn|ج՚R}l\$W `jH.VAj]٬`9dh#؍`s24B_6.X<e!`X*54xUp4L6 {̭vV֫mV`/9w6î8G ( 6>0؇BJnHSfj@3)6]nf.[pr =nsss/Dg(o7l|4W䝹ԂXNoٳga.D Ou`x]]]),:_#ozwO.ykvsfΟ;Übꐡ鋟.6fS}"Og=bHOZ;ᆽŻ#0Q{뭷 B D*Qi`kPPP1mO>nQ ] lx9/:Xi`Wq,z<>[5x{s{z^e)r?;KS=?xwSś+7ZG>H|O&O[9K;z[xQk?zטlWN+ϭ~lևg+^jL|/qp*3ç`4W_w 0\7?~n3O5م&th>zzo(?ku#w[#O[^Jׯ%[HB0y f*7~=SRR\~{ ` 3VrK3+Q8HVC=BUAV~VѬ\۹V7WV^}cA`:LԜo ʼn@{&6#3XF@`zx-֪{mU Btu +xt_BC00tvIn @n d7QΕDπݑG";DzA?]0@] r_nDΖ8xuk"PLΉeB- pg]ڶZ_pAlCh̰IJ,6CmaQOhdRrO!& 5B4CWY~Fdȹck~Q?%r30 -8}C*wl:'cMgjtqa>tlڷ ZVnu (&;=(R.tyYڠy;rikJ !(8u0{ӏ"0ͯ42Pd?qm8ٻm ?KBv\~mfE]?p VG|T!xd F6*Wɥ5@u7PC:.n_|bm<0՞2!^SkQ>MFlQ_\mP) mۭF*n[?맾G;P_-e7%!fd{5 Ipxg/*6R( \e6RPHL@!ޭpIuH< ޔh.+Җ ڊbS]5x iYL=ePZ. 
.U-k !TFm;캔Wb2adT2@.-&  d ^F6VvR^} ~_B8غxőRxPrzd z :90 F ”9cFU @@~]eU,r~4ck?erv A&6;]Ugp3h˼ y5+Lϭ1UEψQrG|"ʡ/MIq  /CBbf̌wJf-Po2kFsBANE٧VW <˕ƈIHNx\7A_՞>5jHG5DtG] UةWPo98}rOVE%n[JJIt%E c{tKN?_a KWű̊zs Aqb~Rjgӏړu?ԎDl0QVR;4Co_z.@.&j| 3ɂ#u@rL%&}s6X>rvʴsNCǍvvofy`n(3bH0acJ*ւ:Ksdoo;W:{j󺼬 _'xh*r*zgB£Sm5gV˞%{n4p }xq;HK}8$K;vgON;awZv+k;jʊrbLRJwUmNiܠШ-s(?/[Rɰn =#ϧٽ( f<ْW?+hW5"[ Z `5Y >y\F T\Jzˉp9ǝ?e)ƼQ½G*jCF xl__u0/zP,HِR箺oɃE$ +qHi' }y^I>XXjڢ⚺zqyLۻ >uuWlؖW'ok=to=}NyF_W5|uaskY~vc/-(ȳ<;c'J&n[o>Ig8Yұc|0(hs%;ǟ' H!bwX((+sA`Z  N6ܵ:$ADrԅJsMD;"a6YN eu FQ %j"R#`:a'{Ϫ8+mzn\lSvM|m\D13x2OHJ Ci.Xהj lH..>0vٽv3SlȱxUzx5xc†=  o,7YlL F;\, ?ŃU 4kL(Ȗ XOPZu@ }6p2- 649ԋc,0삡WK5ި+JQȄ]O$bY.AX3WV t̝_>g矚KΉjEEEt譩PC ߴXj\7N[lw񸄏$_CMZL /]T\\_vJBL ;Ź@̜|[EAi6mצ:b萡Gۛٯc΍k~gΫ̜[.r9i:D[R; vH #b LH߭ǹL}yAA~^L9Hguk )PB!8G-+Lq#Lb<QA8Ɓ`4`c- QG&&J@ve9y>Qa 9*+x%ed 7woZyWK\wvcLUUXysubwfOHۏ;'6pPk2 ,oV[EF3SPnq(s6t(efUVCDž ?/~ΐr#uA|<8 ; bF0aH9Ϙ?Whw]t8ay!˙lŌK?S%=WlA5J9';YصFcCy$5˕ v>S(hl~Z -Gli,|D6sV2vӽSuќgR^S07~>>^`*+ uouYnaQR <0{\,J9P:°nûR=&N|Py*[!yݯBAu;=\ޕsGNAA]F&>#Y-:A5w:pݖREУU4[̄XehO%ƙΘf~NGP8Wv8_-)8O׭H%:4Bs IزWGΘmVF3~D۪-DSz{l9Y4g# 9&}e?_NvLf IDATび"hdVk ΍+qwp te 4fl0$^A8Ξ^ng9=ciTBL/9詜s6Xʭ=rKp`vP-[86x>?`Aj%'%XMmEݨ78lO|"cȼ*}nBQ*H *P0e=<ܭ={Dx{6Rξ۔o90v^+ZQ9,C{wm>(4]^~#[ VQv#cpo~u)p'tW=` vw:z ɬvZo4aw.FHeY;DybAn?(Si603{ S@$PK*@Rob>P\ĦT*@0o//:E|1,97){G o|yV:h6ZB fEٗxb3}FXEqVl0.\0ftf.O77/3ut:geh3<&B!p `۝fI;qx%RH߅q0Fhmv^+g0WРSl5$7|  0_ ȬM *Z؀i {녃Qcǎv8Ir!~:#͗0:OШe0.f솊JT m)YT2;q$T@' z$LFv6"aQ[]]V\\Nxs(>[lbkߍ [h :uryuw(ѱ;w4PWxЏWh bIנQ `a i;VK^"=rTggy'w-۲J1n>?(67XlZqӇb"nC?m0c4f-;) 2+>sRFgH^o,h  BVhb\!A;^^_ 8Mo1Kջ#c?T#nܸnO#}|~lYuQ=| 7.]K}բk`bVA!03:NPENpIY(W͡Zl)jzgDB!3+M#*}gzѩ&{c'+j./;1 vWN~|~*Swr3Նw`AzȆРC96KZfЗqxB/6$"nAo# (X;k V mO@h`_X,fƪMki橃\ 5baf\C:\ t3x\oEKQ~; LFv͹βBW]i11_zTe3tQՆ=DI&z3&󥭴Xɱu:\%sI k`= 7ye 8cmI/ *X+./n:9ck규e B aFNt x2C\8H>*3m/?_1P{c>QݼAۙ.C' vFƹG46 R*H֏"!W2.vіf $X5'pJYREZ`˚ܿ޸3T h %n*/I縎*hըOCZk]&ϛcw,BZnA~+[gs(M,BCh+'\`5q=|=@UGv!` q[+(9$%6zaPZ~SVs^0&!NL2 fҪӧSVX&zEw۹"RBpDcGDkFe<[\.pV 0\,ƥ j=0.??-ԛ~G\!R 
Z/32á8tJ]Z>oG#в͟=+djxI pÊc6IT4`Ycpruͫ7_>(!O>]QQ/\YS `fJ;fQ Uw7%} D &륇@! =Иf*M_v d˳?"\tf#> K %:@^]p:?v6r8Mjl8VNZ-(B*Pd 0/B!мcb55ܻ?`9_:лLZY@ p 2q$\fϢBm##mB!Dl AB!ж@ֶI@  @t@ mDlmB!Dl AB!ж@ֶI@  @t@ mDlmB!Dl AB!ж@ֶI@  @t@ mDlmB!Dl AB!ж@ֶI@  @t@ mDlmB!Dl AB!ж@ֶI@  @t@ mDlmB!Dl AB!ж@ֶI@  @t@ mDlmB!Dl AB!ж@ֶI@  @t@ mDlmB!Dl AB!ж@ֶI@  @t@ mDlmB!Dl AB!ж@ֶI@  @t@ ͎ N%RF Vk6/}2Bh>nCeG41XbB1v{3aDl!Z+C p\8iNf:Lds [sD4#g4(i@c4 [c`{֍@3u;H:""o)B!@ 36BaX0m`mQ+aE!a.J$|[DXE?~d2rB2-؄BgtttHH-6@'6Ѹnݺuu1m!Μ9sԩ.]r ehsbl9s?osĚ iphk%T*}||:کS'H@lkňmsbʚ4iyXV[JAnji]d aڹ<.A[6 j#\Zmk>КӧOC=$T¶'$=B- n cXZ|2px{{'4 ܁cKa*.2N E8ps 2JJBƜws}ۙ­X13Se!G|`j uIp6C0TZL.Ns`$Iby_6}|$?Jy 0mMB[-vT]\RcU*ַ91f@ 7  eZ[%?C"h͒D'Fİo L$ \lVܼdZ\]U'e˾YO-5[}TQd֭%g ~Q݂IT[?WH)͛eǓYб):6uhuUyzDe[-1'6m?S;R5t;ٱff#e>vzb!g,Y<ӪwI>~K4^l53 V7]sXL5ضcԋOSr1΁x;:`(`EI4!l ,eddTWWCUě$eBJ t0̋蟛i@nat삒4Tlw,8({ALQ~'_?V!A¡\H$AK\T1}ڣB3^NɃzǚTxk]|bDX$\%^M$b.ݷSB"5֚C Q} ?Fq(gp!xl`{Pܮ]:Y`JK9--|R`==ztS9t0yB8CA;Ym4H8X`WJā՞1UӅZ{%'V ;1Ww R<¼ >n]j)))QQQ'OVTw,J!رc+-)0p \svKlC ~F5. M9#&q1ɝC.#qZ(<:-d x< F\1FP8^a3b) KYpthYR$aGRB@F8$ !Injug'y\>Wɗw3ep7k;@"šD}ycկ W-_9f;Vy`>TB] ,Ξ=  #_ljm~lï`uO6rؠzxx9,׭[`CLl1 q ?!`a8}z z{yX7.\g}9LIƐPsEiv<.XE` c?5]id4FeR4ث#kR3rzuT5Ңڒp;م%XuIF^^bmd2fq"؝ 4 f/4s!oS"W 裇i:G ;z':ea+:sB.OQ0r9`7n҄d6 h#I.L a C'SaC'-N\RfַMl"%Ρx$rzOA1 FP*[mQ"2C߾۶m tssο?OMuECp I-7<50Wՠc=M#I5e. 
9lTA3"<0_(P ۫없&y~f9nO=Wk :Ft K=y{P=all*Gڍ[0ܧ_J pSر|QbM]ALP:#0Wɇm6]5͙>э09T`E^R2cǩM;p)'6{@a2v HN9;O޹[.^t,ˠe'n:ubE#!ҏ\9ߵ݂@d\3h` +aP  * -Z,&&妋b~FCNؕc›ӿ(dV0le7x #f X!->of8 Naja\ Vma?fI(Xj+J>߇g D>[ 15Pk~O$ |k$H`v/c`%Hؘ}bt#e1l 0H\챃Tuf&&u0hư}ĉ`,6k/%@ 75n!4L G ýNeQbdBsgVEû׃"Ɖk2!OBj#,E.-K#x_xWř&`dz#t.IR\P1._puO*-!}rrr`@_gSxfl{+@r;q԰u["YŦ+Iv*gw4vvvMX܃'RJ4Z+Qr\ǣ{b0]P@{ j T_~j޲ J[ޟ;9T@f]}qMrR*3YY9< %5-ëC\\Σ,?0ݢ5r~مHbbW}ǴBUn]5꿰,.e|}}1QYޫih%}HLL )H$r̺n;{R$SMxl&|,( IDAT@9Ν??{dTv\ R;Wpھ%h"E L;~?Cڔ%NN 2:%y5Յ_̝Tˡ#?!1:2ݓ/ UkKvn;ׅ-=|18*({nUYb|U2ܖW;]e|ņkBH3;*;aUӅg( n~v>텂/W(#KW8❩i5GN|Wr|E :lJ̼W$5mԉ2P: ^AӀj U0Jcv sn 0rq 8$ԁz&@(FV q3}]7m݄]eJm> 9`Q1pcMcƻ 2v &Ft)qb><`0ҸBv(2C9L ?)(Y%: x6|RC'=/0K8X7߷ 8\ ]4|~1*:*>DZ$n2GAcc(T-܋KVo^~g^Փ-ڿ_fALj6Nnzcp޻3JXl'..s{ T}>T9RW/\ ky1I-b`LIGԘI$6W&]`t02VhkXftB;09^z5g ,Q&' Xbn13/ȷxڧr{hLժuo.s >i_'hcL(ʡ<2iU^Tb扽fzoޙwFmUaOK;l3&  >= "&^RUXGɠV]&c]KKάKe4j{{Ö^n߹wڈOT'6T@{OT*깏9}){6[A&~ k (׊:꣈>JwE鍟<M;,_s2RGH8ࠂ6^2W?טyՍKS}meFzo{:~KKj9^72tB S7n: )Zvҙpc'C/˵FX_zVřiPf۽ǺɅjn{3'|uY_p,Ӗ=+?<xS*'Y|])j||\'R#ЦNؼ࡫_aSF¦⁁ѮFn)S\eU:ȔvNҟ&mn*D+r4Ͼ~m-_U&i[aHT,k.Κ pa¡*rb;o%Ng 1ZPlIwLw&(O's4Ӳʁ(?6"+,Рi9%*?UMH S( Pm;A"W&-$BwD_xTÇ"#*V}yHJ4RCYQ§|\i䭼Ӏ› csQ4ҿz2P O G 9TjD" h4 F_*') bZ"LN5Of lh\MS$iDB嵴;ո;xv vW?N`.!le|k( rzuK&*\\5chPQ'ˊ5G,Eox{8V$GCni;' %SWd'zn{5w7\+Ł Vu!PFm(5t]BVW݁1 W&M!{~`dqi{ff1E@Дϵ^iq6p-u;w:"`ry) L5@0Ha3 @>~` $IS `f @ ¤)@OaX@ la ', 60i @@AA4@ l @  L 6} `f&MA}>@0Ha3 @>34^IENDB`fwbuilder-5.3.7/src/res/help/en_US/create_and_add_to_group.png000066400000000000000000001755441303637203600243760ustar00rootroot00000000000000PNG  IHDR!eUViCCPICC ProfilexgP{v%gD% JIY`%gI²dA$ (JFrP@D$ SUSӧ68SSĘaG0ZDmq XX/{>;/k:?,ȶ}p>maosNmp!9Ma"LJ^s9wwO>}n;KY3wkR ͈{h6i;TZV+oG 2EPֹb~tm/S_:6|2${hXxDI)Og4fK~]ƻc2 5ud?7 п.j`q ~=JP&%MBMZAFCO'rlx ; sISl ?hNq<++'/"/-!"rLT H IIUIgɄɺÞc'_RUQz\fI5zQ;W皮-VFR`pԨǸ$4BΒˊjҌ{^.6.ծ嗋ܲSz2tig]Ys'ퟟ땯RP QrTQS=I]H3\9mF 7ؤx=csDߍ5p\ԂbUť8k=Ƒ eеr[5˞8M/yـӁlWXS]%!?`~s,/_Z=fzhֆ7FFw'ѓSx?M;$>21ʷ`-d2jȏ˿vO; hqJ0@Qkpe@)-h@ Q@7 D@BP?4 @#RD?bIC"3=mA7+()T : =J(NNAdBBELOIԔ-ETTB4&4+tg軏2p33P=Tl2t2E f͋]c+ 
7;D5=H  K0쉎ՉK$uid&e=9_"!xUrJjZQumJ~],b^!qI鞹˖K6Y E]"]߻q{ >ھ,BD䋺 xN%&'7J5<}bdW.*/@p̺^mU5G:5ӟJM7$64km l3>G8߳DB0dQ^4OMCHGHIF$'ND:C@6OIMMHYEL5FCCNSFJ;GwL}qk '8NL31[9u ÉYbm`a$q:;{b`~qBS}"b~ R$+2ò%ɇ+(z))_VPU UOZ.,rc.; V، ML;¬zl,m'΄.mn>8V~D p+t*\'>5*ZEl_DBYSrJ*QZxAFHAVx6QNJs~Et@ݝݻTTwkZa/mUY[9^!u{p1iEӵ֍=Sr^Ly5AhD8*"6:*;+:N46Q <-5/fn&֝uy wp6[S]Mcǧu- nM͍f~uv.ǽ}M[oG &B>nNy}Zv07zaxQ{Zz㏑M-_;{/rѶsmqw=I[&хk"`rĎ.GlouWtwĮ6#v0?b?c);x\q60>} _߹y\8Ҹh?p3a@SpHm]+>p '.Ql^?/FXPP 6  pHYs   IDATx]`Ezr $T&[Q (R *H**Ҥ(EjC\r}ow9B@Awow}4;; X<<P0 >%f_<E'鿛[#<"ȑ;vܾ}eϼ3_#o0LfsΝ"08W=9ӁOнNsqq۩u\ &<<UB&xj'}S%*Sexx6 ?WdžO###"Szz<6e "p!sFL=łj+NV8AJ%PX,>^mzdTRDNUϪ|<<5.$mzV!qBv/7A $Qª(AcO*O;6,1bͷP?ABHX~[qD#8,O \P, pg=A>{1|ȨQ#G/hȃ1: (eM\Q r5|uT~:2)|@[$eB JN4Z^^5G>P@S&ξiz>J?g#_'BF%>u6E' SԭaeP`.;x6F]AzZūÊ~ڝJ\>@'-@ܰQں$Z;ғG;gqwr$/;|`CKJwヤ|ݮ5s8-ؐ?:z9}ҵs(3`~~0a͔{ٴ| Z>~2YW/ &;c(*H}d&p4ƙOh ˂{txܻ1'9;fyK*6 3oD>2#'%1QJz>ռ#$`}[#W5!P|BXxl٧nv+/:\BniG6*c~6 DXYH'3-kȭI>8bFoMuNXA#A>hAWߟhW_Qq[f ;/&n/f_k6{}}oN8Nb$2Ё^[D0F} :e|H׽˿;/q2c ߽[ֈA+PU' )5w(7o}Q&w7_H k\4ݰf-F%ijG]EgE=}ck7O1k髿m#oTp+{?ǴycX BBjɱztPKYF+/v ۘP\'ӊsyjo?PЬY&-R+YF "[ZϠ׼EOK$u0,6i}x-l5\|~~`HIЄ4 tq˷=W,";̝l`V@4N2͊" kv #a; Ҝ!ɋ;}"ӹCq. 
soD(dR/Bdei  |n3PLV;ï,h 4){ˑN/tYG1*8Ed6mGo(&5#c-^f7Õ@{ $;g Dd]7on(I c5k+^ ȇXءXT9Ssp* ܬ&XKy4SVQu*}@>p[.@4ei\Wr*=,)ߓ%D^}Ke BϨ:c-yy4.vws_zn\*<'] sVkY0Wcx#GV?G #Ν|hqh-7}N5~>j{T .>2jh <<<mJ@FfW><T򒒒Q} P%*~wwwL#####P%Fb'''m}ןGGGG>T̚GGGGF|=@9x/###@u[###Pˁ7y |*o%o8T GGy@<2k(;5 N#&5@UNÆic W",OklwUc~RD5@"88.f###hꇝq bM:˾}IF]FKZ O(l)TPlR|5k:RԵE~WP~*B~ão1>@C[dffTf: Ĭ`O:ovF_{!r%.l{C;BDBTo`'ض4`/bؚG$6U)f\]QsV+l8*j jǩ/GGG"u\ !lֳm'0QJЄح& B5ظG{uJPRsNˈlTiHԸogBZOELG##P{O gmWvma :QD Bî%W4YthրbYB:)`Mؒ9`سSVmXlB!ʷ_٫9 S <:fGq둕pV*r1NbSb>cdcsNehD,E"\Trc iT sqt;TXhf w87xxx;5Gl~0!*qwGJ!stNpnd)Sl5&6+%SܔZH ďpBHN>K26Y7|Kyx1G\<@iڂb:WS_J8 " (َ0F8-[ UP'ܔS7tidm閸 JЈ5$ @Gy.իsCzRvX¢×DXPypĿB }MKܵ[ I L/6roRF{|}^`WQ99V{=sxH҇l00IT̜s{B)"U( f|UD,9'.e_&quHҜWh0+S&a v p¬rjc)(w0%N@ HT %\4S5jC@bsmgWD%kAIcYZSUEP@EbDF,IbTrjF&{~f6 .DA$UT ZYD!$ ZPS( }D;p=Uh<3֒P|gßhYq-Q,P -a?*ΰ$WHLܤ.ht.E례< ;JQЀ[)nZ8BTf[}8$`J1W(p!D?+y>nc@O D6KIW7Nf%2Dܰc?R(d"UjѨ)¸ǚC8@/($ȤRFmer,>}- vξ/1;` R*.r.SF :vte4]p`p|YB!!#|Z8vt!66o߾0Z_A,2Ҭey+稃7͸ٮ?Ӫ/t>{K(kt{B4و('UZ |Mbo0 #m\HG=@٘=ƴoEgzs̖m=KyCYxj/qi7_Ύ9yFܹ+/޾jv}h㯃1Y-[,7ntUY y->ZއoL)G˥zM{O"b%"sA,8b ܃"~!*JHAr:E@:>|Y>P?N mwpOWĸ.s®qS?l@zlV7paZVX+V3HxX+ޞ]<ߔ(^d0,t0  RL!( <pmxF$xʗwƇJ9H"8 LHHHG98ߑ k#|³! 
4 1kp6k߉ k*2BXگ:m66dN!"'E&uxM$ըia7j}HZ@xKww0; /5A^Ҙڰ^]9йG:&"[tnzq׉y`ߎ/_ rMoXQa""8^t4Exj9x/4ySk9mr[B᪓ԏ̙18SV6Q" ,ֶVgߔn6$+Bp9n6H])T"ҵ\B8â^JBj֪@0ʄf#P[s Zeb+} + re_?FA+WQYQ2*M@?]9i[InO/+E5J*p)"mR޶mKF%CAc_`kgG4CXjmi^]' "s%E &׸z7sY][cj]^۶oϕ Ű@@"Bn86ߧ֤ԏK3"6b1Hk#ܩ0ێ$ɲ(*QpQbfIZ$WJJqͰM 7L֢cL%7Q[81rEOgR(|4 &n* aœkxjxjK&n-{ǎ89ir˥b;_\#KCw3su/tŠ|e&ݝu_VHQ{{irNxX`A$zPV( A`mFɰV]Xs9ک횅l?/  !BnC@Y ` .0G}% 5Τ p)*ti׺!̷q'x[^PܜJP|@'DBhLn+ }'qD#n$UjDZ΁{p/`1|֋lU/η}BJWUܹsp%k 9|p{;^}Up<'6ESŚ&*oL/MFd~_W x1+b>4,8a_U(2TH\~ s8V/Z.לvStUۧӕWl~Ƨjg ,߹vqWwZJ^;D^Y0QTHpHnCoʷ'i" _ ;$H2 3Nڶ;P?77iͶQ0(ݨ@ApP#t/֫%a5RCt%V@P\CB"S\\ 0NUPXL4 xzzj ,V>(AASs䚵t}m4{QUxN<7''ЙtQ{F~F|ZR V1V IDATMĉJw+?+a1o7\㄃fS ώG>*wxI ᩄpڒls pbkdga+-C7-Q0Kq ڰD.XU ˥ sMS:uڲsN.*=Kҵ.>^{]-|W[ //0 A1˽MX5sιrbR'AW~?~iL(U&Td"}0[k˥Ⱦ-q s mYE9f 4ܙ.*'eZG)L"&-5Sa>* b\8rv?=Wm7E5@&6b wلi^XU|P/3Nf/i "OEpSnVd\) .#N$=E!e06lm=b8w@%c$"̭{ngJTY z6%QҤ+oufˁ6bp~ .L :h5+OL_t^b66?مe\Avsp\,[ g rXDp)"cf{9MO*HHI l4#Lpr't7vV+ YiJIԯ/G`@L@ɧk꤀$JX"I-cz 5hT((3+O1v|#K?˥;/s-oH,ۧ3Q~x٩aJ9)Q(WA +$d2<d%mvr u1C nSibxxY)L^U)k$<bR(&$Z[& LB < }c YXG(0; _Ϭ"t0`t or | C DP nTذem OcE"=fM^@z <7Hp*33quL?]?ѥȀɿ {߉lf`GuLq0Y V#dӕOk̛̇Q?GP)LG2y7Ǿg Vl` EjA+9)G,N"Y$IEBHwg!LmՕ/Gv T*e 3AfP '=4W8흚=\%jصvA!bAe;`c2Y-BXw% ~3b%b}B.]ViuPKDhVq,H,)@6 JB ;!clMY-lG.r2alQ)f n=]ufܶ[]ua0q)I!$:Z |wH\),qӫ+3})sRն<A e~Y!Z3TH[k_a"6U~(! 
K^rY[ߥK3w*EL)BC깍3vbH+M|R\ڭ> }bm ع&I&EY!y:)-͏VZh.^4sGKL\)sV\ݪq9죭n+&N9xƋיſڻFDF ߀".F6c1#ؼMMV< ;3m3@:x >0w:_,+J= ߁ X8AYKpNjS)𹷇@sfϞ= QרQ/w~*owڷ{owKexoAq{޲^EQ*tIߺE/f<!VSBa jߡ?Z(wu+De-9`sWIE.?2Gi2IǟWvYpiuXo[BC[ǸB2Kߡ^G˫هQ?6+~Ű˦{׫NtVU/crB BQN*`׳ܮ]~LAI-kd *J " G"۷L4އꔧl1^!d2v@根RvZk~~ovma"o;0!E W <]*2N={/S+˯* Q//uhئ}ruk,&kr%K%vr9vДDZ.~ >aMK@׬;N*`}7נaA#> ]dn|Ng·`>ne]0FD\.r|*u ޳IF|u nǘ&M8˚~m۶լ>J{yqJOnܸ6k0VDr $+ϟ|<7ӌXSRI(7KG[ιλ@nvjI(b /#" &vG1 W`JCbvG"- ♿01kbWv!TCrJ{.>$I IL*DxJ_իkCEC7qc^)!>JFEYpF\B⭛7:zw^KZ(,wXm0P"T ۲x^P:9B Ξ//?D >zg;N=</RCĿ?Z8c1EBu%=|9b'N_MJ/Nv ,.R3J+SđCWbWe!ZzyxkDclWNzĬ{[O#Fp"Ξ]GQq{u'bX3U L9uۦGNoKQJUZn+a;b*p b'DKVd(Fڤ”bsq5Zh_rXhiaNA7Lj 9{ᝯV Xv6if-_+sdO7A>vTɜ%k毛./Xx٪HOw; C>n`G}wlv\N,/["Աgr]/u#Z m-Z|OaN_|2.HXW4fƂA}AگK>1u(io>wL5 \P~Iq}-@lj'J z6\Wİ99ڸY)|kVAGGI2!QV–r8gl 9?r&+'76K\T"`3Mڔwiи}?YwiinN*mvMg~mc?X͎e% V/oo=RtWE/s{C*9= {c=.GI_mE V,#w$=~$O}+f}~p<]2'=Ys9b}RZ#=x N>/T ac}0Y D 6ݚ6Z0_R!;O*^ pe_No D@aXÌW7oWBvkɍ'v<ؽ_\3oxo\PG0-dIZ6-S/ {\ j)@T-y3l}%EH^1Œ˗.D dA .Sc;u$.pRH*iи9 _rYAv}՛HEhaǎnҢ'S+l3)أq[[s*䩳)*?DØc/δ60Yc&5o1 g6~_+/俎cGJЪ 94m(j2'BIw8! 0Dȁ+Y-kOs>H_9g]ݘ8c4M1[zEIg_EAuF-zxg~937qqAG Ahw( NzfQ]m"+Dmb]xQ\_f&R@l̠,Fv!I," |_5V8`-sodwZğ?ګ͖Kݮio՟>6+ɗ#_Fу_}+9! 9yzC(@ 9 9K|:f. K0ngx33ȶ/f|W#0L:K7>S~{YN/)?A{;\4-L3nBfΙ=͗aB87^Rx%BĞw{ԸI]F{+!3p|8(ʍ3U91- S | c`ߞ={v֥M*' lR#ESNR[oG4j_ m-z:ܫa$8N5Ut~:sx*]m`eFXQTR`cԴ6uZ\FxOP *YW]X}|Z$^~ˡc>z~jkޕ}m!DZ^=4|'Ǐ(G¥xX4eP#{n 7ٱv䝫QIO6߱l꜕wyF {E"T|%o/X޿ԻQ˨ӛ~?p;mm7{e{c]Nce}ѻO("[D둄vxsjHOGQ ˗X, sl;'r 'vnb`!::YfdHYaU|`/|EpV}0 ?jשS'rhذa]̽JoP19|<=9O2 ǎƜ4eF5>"Tyݼ}bhNȡAXQ4 /\+ASըe#rY֡C]vʕFHa-=m=e=!.=&6$~TK iSsxntM(\ LfXT+lФԘsk]#0pzg(6/J| -|\%ܠV06o^dzuNV4oto;ScΗX<6_v:vw&Rv66B^k9fxt炟~i#ASP;I?;u<<u M6r`7 RBu29*0(!I{6pѯulZ[RG#:R<B);sB[  !:yÄn(^AWٝ@l֦ }㆐^(Y=) @m! aV!j@NAkM `;m&o1i SOD%=5C*ڲX |w ngf=zݧIxȽ d2]z$*^}Á\. 
cׯ4vC"WW ⋕FO<14@rk% "Զ\z_,yV%D8i⊏&OXhXDXtӋ P#9G.m}{iFvm.'7h&Mr 1}9!;1.6V6d3aE Nq">@ 1P}[`tf,߶.I߽pOKt_4k;& j{g_96ZfOBrz?~][0}CSM~Jn\>bo>|6q+1ƲVڳ?7^ *ITz6lr4}(ˎ?p *xǖG=B!Ur>دm!',P bޜ@PUpXN6uޫ FzntVأ(v6H%3mY1_(uϧo#s!'$M>!kY}ovMKYB+V8&WV#!W4 vWe\͒+Gs|$]fj!-M;8kڿmֿO~\KMVQ^wBB}IhWN 8ٜY5\(Uk󺕿 mݟ(i3<<QJ%_ ]8kw; ;/][VMJeT#p@5c Rb:~,jz #&Pzg,=aаMLihꧯclbQ3e2*?uhۑxxY^Լ/uns 5X`z|/ 0 g;$yg2#^fԌiR,vcNtlz܄ c^`چ벙&ɍҞ7è_HЛ~7n=1u7H! tԐO# 9tte mg`8()Mkh8CK0j"n4  ΢ryw,ȘfTrpW l} IBNbC1A@Hq/MW'<V#e`:7 T;~m%=8cbR9Trrg6]Z7χZK?y#{om͎0?N;Uךk1iG v]n=a$N$||H%U=O GG߂|MjP?L_Y0G߹KIrC Dtk:͋p~`(眅kbF4>,R6;}t?}#m3Sv6PsAs]ta7?=_ny=Ye@(&N )֗xKlkVn?pHa}1R?v_A0_-=1 IDATKPG{K,B€vr "t<%v,"Yvl4 s 6s6kܜd!4Vѣ&tvM > pbjOSBYZ lv*dC?yYNoXw`5 MNߑAD.=|8bK/1zЃKO[UԌ!dנȇ 9~yn#GvW sc,\hM>0[XX"??<7*{fsuh)4/n<ȹn!__8;;=qix 6 B.=B=nɻ,MͩjO &[QSF6D䯵OxLD ^&  5yJWq5//r|G@|ۄBf(#!MnTZXMF_Ynr)wè턳GsV NM1Z*M.aJ}s`ӧO6,,3ȿkJ zZ .S}Japt vcj$h٪U-TE`0[)yd[Gi($,K((b~%o] M^X]N5t.]!}h fLz*G {m:{;?ygQ c9wJZŘU3.oѢޑj6OoB=4>օ[r7`N={#9QC?nò`1h `.9i[6nPKegU]! J`G@`jr7!9bEC9dpB|Kr r\EzzޣZN]poVV#|~zVYnp7pSuaɪ*ogۤ1,Db7 NIR )-) $nkLV W|hޣNw, h:eE@]^SJK M|<ӻѰ5O(2nw'*Í#?Sߌnupt?fug}?-U"q7æ>m`ۭo?~)3TaDK+rx糕Vr8[&]!(> _ւ/>V+;㇁͹idXߑ$L_el(_iuf;T~k}WEgrUd:x U1+܏0'`Sng0/tj)'1.1U߈6 >A#a;|˘Wd uc>ݴzŁ_ G3^txgq7:fٰF>j$7j˂^{M`Gnޓ?ì_^F 6˥ߖsc_'x3%`!8I:}.ӓrصpr@z xOә9]~Ҽ=!̻#~!G>׊39N/Y?ū`B O(΅~<9'~aéd1&P](` "H($WtQL D$הI{|xRP&0/<ih]NH?K+!!!篽}W}lӊG-&yISefecť售 +ru)R[B$|>٢ՔIR/[^9ۆ?IfܳV=X.ӻ]TMP,._-E0ٷ!Ҋ~,F!BI >D\ǁ{{;;ZB4wC}>⃐C̚]^]._z.L^¯\ sѥ,gIڍ=ѵX6*t3+HoT^BZe ,I fNf 9aيeB[4w+pq5!7W&7O-,Px(!ԕ2LJO &R Rfps~MWA#_r/vwj Cxx:([`ɗa>|-[7O;0gVag٬5;PV࿆X,9tM[ޱvLW{`=.weP8a<~~nbϦ^!}鶓oX%߫A D?wܾMi=s6m ~ux3޶roVQUF R8. AW~9v_xyƹ?-_z ڹKkx!,(ʌ; [ٳxE{5ھR=cW~|h=J 39leѡ ݼqu\ [9DELs4ƗN<:rس ;N*to)鳧uGȡ 9L^t 9t&..[b;q{w=5y7vz}eҳUՅL4`vФimjӈ>JmO ꫔ ,4*KEg bg-)q7Ӄaҭ_`ƀN֔35'im7aͧ\>!p2Rش?bB(غr ?43fNGRϚCJzD(>{ة8ʈ䮠 fwyn[gڿkuV{ P$0w(-AU0]̥\DȐ\8dέ#OG@Ko[0 ;"xWs[++iWc=oc2! 
ˇ|:Ÿ/8z$dۯ9rx#厐è_a] 9\2oFkrD=0ʥ{ YL"DA}O9=;3TOJUvN(ǍЏ6e(kAʍ+ړη%hX9|X^bd6mnݡhWRZV=k O% 8`kRvW ,-yEr!ChD`Z+bM)g<'SO ?5Y.Ry= Zt6A~Jn!eؖyw._-=& l%QW"ioGwwp7[u?{E\oɥJ{GayggEŧXѿ< {C !=f7 !Pv{3|oo&Yf&O?&uLtar/luĶVش@Q|Ko}Q5dRmrBߩbw/uQWKFFxÌ>kL,kI''}mUЮ#'oHa/G8nRbcOv7{=ZL#e.vG)>CQ5Tb/df_{Z bA{t5a;s/u Vgcܯ*܏< SKƿT%"xbP`yvMH~04*T!cR VZ B/m9\Z10hyx&6. ԩo2<{0! (4ظs{ ii8 qmSbswŦY֮iɝg ſUuybt/#_Yt=)*Ov :|.!D^E^0\²cauU{!=m{KƧ|9$JHeh}?eUB{_{8BbUYɑߗ+J0l0Q+\y0ى %t6%)cy2ϧ6Y]էáݙqi٩ Wɱ F 0^jua&$W ǠVAAnL J|QQ¤vm,+:e#I&8^/.1 %}/ѭ:*ʷN㒚~XiH؞˷;{?_ܯpvXϕ7 cQ[w>H;KD]]MGnd"sDDD2^6ڼ2XO#pP8}Yy@+isڎ.HWa96G^Qxb㎣`L9 Ln̊dxݚҀIJS(*S ܕ0A3*tgT')cei` /*k|m{J9ղlXGEU8)y`NNa~Ԅ9~i̧n5̺kıEG>_^bڴC>R_niTsSES3ܽ~fs潏+IM{gq~}.דndd ԺHE{M~D W^c8sܳmy\m;3:νonIc zjRŬo+|5_i8S 8mIq9'8;ASRg߻[Z0\R2ODQB@B@B`Þ 8j22FAi5Nt?b~\#Νt۫]'|> oO>ݏ=l,1[ ozzR;;DUuѢN7vP?:qmݵ( S7?h]1u&ܽv)B'>2)uJ}śU\&-=F/{av{k[5س麴I1)Ur֒ltѩ? ]n&G;Nm#|!lG>qȈkrɌX[Qy[gjtc,}+АN/vQY`t-! !pY#PK0lвRӰ smeiiX"{6=IvޮN=cÆj^` V>ʨL*j;B)K ʨF򡫺L?c̟: NMy-SR' "М7N9CW3rؐ.uȡia[G~=igLeoa׉;o}/o)ǀSuӪ{;/zǃ#Y3w M{:LX9-4e>5G[Ӡ Ǟ$$$ P!dd<";vӐ7&V '2zIkjIT* 2>@ֽ׺cƝ5PRٯuI{'^ʉB1~թ4MR(j*!GcdBgNu5=ʌi$tn7f]qɧ0=]ty|p4c2'r;+B}j%J'" rb$nEtҌ7j#GL3fg}8d;~7idZQ7&BFN@B!5o3FY/Ft酡d0 %Ŝ+D>&N{] .PК1ۭAfzC 6񂀲g_h>2ӑ{*J0á%r.9d;[&v]j<te

XVE;ybNi KB@BjA9D4Y"e;qfQD>;/Ƥ<ǭ +w&M.}ןw'wD<'uISܬpވt'&! !p9""k>*= q"j0c#qi}"bt({Cɺ5dI{T9Tȡ\5hP5Cξ }&r8pݻ[' f^{9(eZ.+|_->&m.."x0tHW9ؼSRS;g7MB"‚ Ds맶W-#r_9i6{ۿuT)A",k6&IP"9[?(9̼a>xVd{ x/ev(9C rx ?gpWfC'9<}{o^1u]]>e{ rsbˊ@ugZ,uuPlUNaVB@=LB]ŒA͜_.!7DrW?Kiyվ IDATg%^J̤~lR휯#! !pM!H!9FuDj"5D1gzj" rP$ &r8rfBoۻA›vFnH!rsospHͅo%gom껎ٕ;AqA]MO@@)4, >MD"D{A䰶.گqCT75O0Vs\!6a5Slht9ߥMJAB@BJB@nݺv۾zOk&r r 2lD"?9#|\R>ܾ/Rkd"_TE"_}|GAEner߾ɭc-9c/D3"rPj1ز9b'۫"C!rȭ&r׸]iC`hx,Kpi"D˩wԮh?vPX+J4;ԕ>JJH  rظfՒKj*9D\E5$j^{n<ó۷9$!r4_MDAȡH䐶t)L<~.3-ṧ ǭ#[c v|ߗU=˪0d*9U9L=OzD98"a6덁?adݕ9XAps sT{vlQ UVdD DgV/RgRIst"↑,**; 5҇u;jBp# ;w{BlڵV ":;K0aҭ#f5E 2""c/$9O!DjȡJs`5ÿ9l?r"ZF )Da^ UN+ݩޝϮ>'ABB@BF8**?hCT?"{j"!r=6|5CT C㎺c%r{orZ9ŏ"SghȡB%>E&rHD)9tm g 9x]ؽgݩ|UއmT$$ -Zba!5UY5FЩ >NAسFF4zŸ́_p/gX{2V59kuN$$.gڷ6SC-M4< jj8/CyF2m \<%$$$ZÔK$$$y$Ϳc  k_dg.XB@BG>wa@ b;M3RGE6xVђWݗ>]jT9/4 /s4RУU!;aϜ+uPnvwwjvR5 Z+X9t2)<81d&TjL`OT܈5qL.ܛe֜2 . eU5֟F#!wO{w)]TZ=io<ӤCـ_lg>~[mȘQ,1ԑ i:N"X 3,.޸=Q6"1_zzv =y6c~97T@_o͎\ϐ=Ȕ {P q(q@Ԝ}c.oS p(o# ӛ9j@[kwStW;z¨UG[T'F ᩃ?pʐ6c 'JNa4^F"2i&Ϻ9Y5Gr,-w)7E^6iaJeT.\c. \ڸTZy *9[Yekl60yoJO(|,N.QV9K~Wn JH;T0!G-N;G#䚟W^FLTܣfW!䚅.:.aMJoU'G|VoJ&mOQ;maAh n*YQZvQ[~ƄD(ˊ;f6s!QqvS|}PS9kss|ۏb߽RQB~QǔX=U3[?5bn 2: wglzSͲ y:Q(trjZ;x^e7X{[PThˉա I4:J7aLtΌ(kfs¦7Oo8?y7*JSsEL)::76v@|,ZQhpŻ~' /NG[fEnmF/sVqt 5iS /(SFF;]%g2EڄѾ{!n1G6#܌̠3vwENڐ0p4&6,E3}ia7pa{NPIi5$x6f+R2Wۮ]6Vh:?dr(C3O;rC{\wVF5^Ky3# I۵A~rTUiΞ6Wӹ>VY=tPWCaϢO 2^I}62xǒ,5C9]c+޶׭6o\M 7; 8YjO͎}?rv.YVZ޷{ZT L{s,{QQyM'~sIԵTY^KNt>)_H϶rP2p7l0DSFt. c6X6Zmk\ܟK?iKlТ&V/bl'u\CY~S -{ݻq)*}nyrb՜pR+ +Wx }kZ r2Y"ݹ֣EdJu \p\Fc?')iځt ĖZJZ˰ZL!c1jޕ'* dO2R=owk]Q\dUELWzCa9/JpgRUtNR{U@[b\&gGAxe*b1 Hw]EO(;c3gQY Qvd,*r(EG1[ NЎ8UvX+ Hoͮ_.fy^PXg5tVxh.p2v5DҲ01>6)Cx5|5r3e,UaR&=(q^Ge*Vh2ddYB1U8Ү]tUy&'eq:E" 0*P;6&l϶܈S02PɇdZ3Ogy+OfhL+WFu_/YZuN&u,wwJj{VӰØc:N|ji8=̱gyWkJNkJ]Kv:_Ԕf  OU|-2 @ǀb]e\o7yml0lٙ[Pfr_ۀӌΥZ\+p?v?^-zaTjƎ|d))q[֭Q*9,( ZJG>GtdYN%S)ZLQ Z*9[esUh5JתG+.wuի!Ze=qFT𖗜؏A *D. 
JZRVҜ)Sk6 4jZFk4V*oCN7sWBq8v%gfdK5JFA*™ N,˹Y&Vf9L-& Z[ZNEr&mm݇eXjGA-W1lځ(@K*Ev`|ɺEb7M q0{=c%[v]6D&WSZ;4, u%\q8Fnn~q OBn1Nk\_HXRTrR[BU9mNl~G+<q{S8$+?;w}_K<:f I_wbG?巊"RabS|v-R#c_d[{2`U*\J>S/Gr{@Vޱ>Fv}#2`Miw+X+4dYS0N+MG6gݝ~IѺDvuf/+Ko|{!=?|5$W)RujC=d* NJDved9GO ]Kk⫓+0[\bwJܱ#9n O>~߯ p:9R)4Grʲ/S;ѝ K&>9tծ&3͖ޘ0G•ڲI>1,ȀXUYSK&g\8SPhn7 B^vxE@j[}kZ,":穟nQxdmY xAG?")5.#nEyG['PƲmqQ TКt`Z[ h=lWyI VdKb|MfKOyUC&R'ޭKd?ud@KnؒFyyyllliiiQ*++-QTR\C^f(Q6 {i*0\y0FqThApʪJ JB-<EDR Ўz`(󠓆)eXfu|Jrzn+4S׬?BT2J#QVA8Ȍ{ e{6UڬJ *`+r(m(e(c~ra'RQ `-+K2Wm-$9,fR 먨2#J9&2A&" #CfǞjc2֖y(3?_v?%t#J8V3QDVY.ehh#;ޑ(AR:z= $3vf5#ӷWWQ{5TkDR^:`n6DD7F e e.l3Q騎"+I'lB(Y9]d:\f2߉>(}(]P@'l,cxՉF*mQV+(XE~p"X2{#/w e '+cA!$f q겚\&*=H)Sj EBrDąrD:NȄxMK::G# A:hfL?j8#z\a~c#⃑\Úa2ڻL &*,L0/ܥX"U/n]"wAZۋF]i0 ? ,*B]C@w( rFVf3i4FU!f++>v0:NoyjJ' #Ь駋3k'{` unZ1pC |Eߡ)'jz 7)3Ym] #]e,yN>jGfgPEv8TӉ/_Kr "ЌǗ˭YO 掬۩|pHYDs`t:( ]h7+I p6mRV {9E@SFRcVRu%\4c9'0eTAkV|V y h2[rM! ~u?ւ`}M)xMCYҊa"<ꋃ }ͮHYh51,+1vz⟣լ\˗JrPjWctM}t9<IBIq2G`W3>J.=* KhzPy\ս=ӎE/_iW*=6g;mp!Nҏ˿ʿL4'm%GuQVWi޽a)}iepQӍ2uŧ\rQbDg$7~bu\?9dp1jH5gEtJѵ֏_RcM1 c|͡hAwߜ4jzRCzE_-5u4C޺A#:7oP?o2ڇeZF& I0۝U+-cz7}CCny{{+C7|]0.m5c0b.pvI)K~J. 
4{r-ab}4 0o \ eh[^4PM{JW,@GX_5V˭eӡ0EU) g>+[o-#uK׻z۾b۵9CJ*sAV\r21-{kwW޶⃂6=>Ta|nIWSS/wFMBuh-qeL̘]jBout\SvGtZcW I( PC|}9i-{9zS^x TաU| IDAT5+F 0H+E&Rm\sUN֏7pCQQ F ~ue3v8Cq1c*wdfdaZƭʛ4+>?zURfΞXM | PD!"d񑠠}_y3Y/7w 坷 "x-CHq֏rT|x"e@3.Z|Ь@w/C??|%Im2Dv\89!!Dp7هp-[`h׮݃ ,Z+\Y}&NVMa+L?q%PH ?ŦՁX V%6#wD>@N8M@n8@ [p`x'%f_îZ :[u\+w>|PY1k.bGXLE'7GHؿJ&{Qd?s$0K9jxx\EU{g]g"tFEZ?p v9j,v\MLe;Cݸs^=r@ֆHhS}I#^!řQM7<_Ϯz6L?htt'/ߠvUS\8𾏪-8؝s=gf6gb8 be Aa q-H:Q|C-2\)Ó /'t~.fhpWTTfKx[ dINQm\t7o ' 5&[i޼&&~Sؽ4&J#s~\n+NF# yx\ '7w~VcvsU΁pWZ~YCT #|]CNVOntGV'oUPHi'Ծ~LDmۜm'}Ccr:1%`1w 0x{]x2fNeX1D__AY/(pkL@ݼ!x5/@79C+݄UnZ8/H86K]nYJǎA%՟a5n n˼*ZaݦQ}'ԝlnf)ؿC1r^e /m|2?},c)\tQHZu3<7qI5sm 3 :Q^a)@zryrs1nZi-z.G___ xYdt`/Xy8"}b L =592L"$^k $x5ɋIT^ya!aiT_]u !Hf!IWE DHaI*A6C.Ea"D7^dJDͽ)DBHDB;D[wAsvq݆_䷪9\\4v}2a|H{rrM$gJgKW:mڽЋA6d=(g0^JhOy?~m!Ǧז#?Mށe->8uxBsj] C||2ڱmr}7}٫x|OޚҐc>ӔIopٱQߝByӮ+'Y*d˖-1cF@@F?-ׇM6^VaLZX`72.þ8I&O=)XNL?,;X2D .E3."y90G%XvVrEXH褼 tBObn2X$`!± X(A8Kn " -9C4 @\ZfWмd B 5qwU0f9SL،o,@ E+Xe:\'c߉VŒCo_9Fg-}Цu#&$H:dU#8uM.*?K3ao ߟ_٫FUuwͅ&| 6+/(VG_V^UU#z~pYYY fY\j>׆ZNMvt;#a TaarT)b9H2H܅Y!}?QMG ܅gB #!A)#\1 @8l!j \#:+A8#$È؃ QDб`]b܉pBt#YC2& MK8ѭ Cd|ͣ,2ܾJ\^, mkؼUnl\u:Pnb@7i)*ܼV!d/ξXPUNC{?5i~{)riCWb}ikT @SJH@=u1 < v: PԤglO*r-#GPbgQ')ˎ*(YS.bQ&sfPjDt' ~]HBzoFΔۍB u#w ]pnПjH4GmVsDG1D7 #Ъ&'If*2*ثXvy8|6BpLHRҲ^1Әh/ /ϥN4] OQ5k\v(b%dnePh>1{VG$񥙃FrNuACN I@"RD+I9͝u="R_|iƠ嫋%rjC{yQJ˦-땔B9ڢ/d_r Z?ꌠ"=d(ѣGZZg^8ӴT(/Y8`œ**`#nk/w7Z K7rb^%jP* ~~V&\[(THR#\,ĸCeXI9"fDӏ"eIJQ7! _,ZθEAKqUTQ.VP*[V}劳^էoCe[.t2ȪU:^FzdJed˒:O7.؆0pD(da| nIII)))0MCi]DjsIP >L]Hhd.]+WZG'I!.|k_ѧ 9Оǔ:L ~a,̉&'ѣǏ}j8][ ,}TECQk?y8|ЊW*3PD}#x-v#/(0GxI!3I7I%iN %E,- ( 'j5D'sުb( 敊ϸ(E]`vhiA^Shkݪ_GPnhat<>L"(4k_&n1YZ/2wh4MR'k|7m,|բRקVPӄD@d5 yMRm >*@-Zغ&jubmr3YrA$ DYw/ 7+Q[0xu _?-s ~1͛jGp,XɝA8b- !8*'b\AX$" - T#&ܬmBN>#u:xŮSmRF8x3H#D00$<8ıX_'t3t:BXmT*cgTA-U8CBC@obu . 
)Z>GogFU_uÌ۶~0< y?|,»+W,Z\\mvˍᒊyg*҃8c,=܇ KN3vՊ9OX9b@E>TҒZ$Yy9Ȱb 3fbҶ=35 ZKU򓖢?,EcNuX3wMMS\$>l6qpij9O6h3˕u&q 4b *sޝc€YD3h@5-FO׮]{ĦCՐ5zr'>%Zq e[39L`iBARacn:~T٩#5ngwM}e,]Ww]6ߤPS'~y\u>]ք >:{=}DVIB?y Pw,׵c?eʹWKFνۦh@]*<,Q54$'!p!6fl6 '== 1޴MD]-|hj8?|=Fq[ѝw$i[ aR<9r+a&DƄ@U5xD PP뼠ڥpv{,HXت U3X44r NQL)@s> z;fͱ5L¬1?U_`kD6V̜Ysg< F:{clbt5Ňi\+KL]J|T'ޱhg?J sy?ԣw2 %¸A|ijqG䂞Kh.%*!ph#O8|D"C\'#8FGG *9 okpjQFv2RryQm7 F'6Q2G9/ Fn̙3*>>ijU~з%''7K߆Գnٻٔy!VZR4?[h|Cou!l0Va"WKf,bU*ux쓁"sfIll#fu[S W'q9 CDv9<I&;&PE \}n)-Sx\DI\}RCm ۻ 1ZVy6;#A ғׄd(C" pt&]σpڪ+970+kI tbO ʋ>!fl$2#wj۬H x9$لU.JH\釽@xE p͢mlԓ{l=O{mlydwsSN=G/žwHEĢ[Z`8 ~ɽE3jB7C\W*l,ne'5eC7l$d}1u.~N҅e@~}XXX SZ?O+R;J L?S2rr#tlCё 3u~ёaF2#uRGp nu[yΛiVߐ%$$Z@KMEEF_tkBmb}5ZcF#7"ڵ׳nJض,;Q* Ʀ9##TjV\,"9x@?Gp8visjvPb%wq!twq3+Irho._ha L0&ΰnV>aD|;>PGr]eovcX&{xmQe֐z RbILw]!;;\YV)OddT^/z ޻sJ¤#@< IDATڈй$9/2y"B2-V1l3Ū4jd[RBh鿸`Pnn.Faoۧ$Rn)S3QO73٢aEU6tj"h暐#XRRu@@@!/- s`3mz:'![QatNx=O?6OBw *H  6Dmjb`206ump "+K["}1`B'zΖĺaaLd8BOjXKVRF6V&Z*?h[#Zklg{NГx<̴*7pBz;=8/=Эym@p|:M!g?sA۠+l83gKnlvo{}1q~ 1{Y!ZFm[>ܣ \Y}IKH Ж:t`S^^^V , }^dL?%T\4Ur㫷(h7ӟ|OM 11|c~姻=ocv]iϿ=~-2ۇmxomޑe7l>gY#!ЦGap]c 6H$K+t'N biV{ʲ}zKHPT(BTG~ء~-&"PdN{хoq{A,[b%&Dc%ĚcM4ĎbA, E:qW7wĠB؝}3͛+~}, SoH2oVÈY@(G'cHpA.IxI_T(rqqѯuKmJJu$*EFYsdmu' J)K]u|Rޭ>-q0F#x&{05xCiisEXk Sw77 mF]cp|Co` 'wXs?Sd;f)s .LhӴ}u/_{·JWc/a Ip ݑ#'~<d|p0 ;v3A{ F`Fo<u@Ьfp`73Xϯ$8{lq~}||ZtI>8p̎.,JįG[هӒ͚7*}{?4nʆO7:R-޾ % r`05 L5At\5_MЊ]T_rDy\^9,q'UY8#FG~Xo`G_!9`8~8KbY|_`xdMMQ:Z k׮YUfQUK6H m u//NTa2Pm~QwfP3G_+C0&yJ5z= 9r9s | $篬5-"JָBEB ;k7;y%ñ2۲޺y/gd*(7 !mCk5-Z"CZj q$`WqO ;5n?۱ig{mfy ܬ*D:8vOY5P\_vVOm{}?5xeluCR^jmpxcBg0o/7䷋gv/qOf|cP0@9_m/GypUgORHѠ]`r0e+ApX9bz.N8w4[t OPlq} E]ralZ ȟ"ہA'3jE9z GT}mۘG'L fYw1 fق!U\{T0/@!9>hix^VbZ䖟k#H(m S ߠ.4s>ƈn7} ޙ9>a:(SBƔTn܉C>ɂ'oرco6[qxKnuA|4t {yR!_Hjϝ,jWuJ*>HnUkV&ܾvI i-W8o̼UwNpdO&7Yn1Lkc3R`e=Kp4-gfj߰yӦ(tNlP/AzI&# ̙/?wٜ5OmGۻD'_xrŸb5^C#x>/ ~FnU!$Pxx;k[WUDGGXs;mӹ99 hA7f]?i׏ʳ jut􄄝k(c^3$ TΡ{worQxϯVQ ao9`^<!) 
vbgcө.;.:d;=łRhs"SVo)`\o/F5p7)~m6knw: yyN=} W]Xx2m?Ao]6IyґX/:Z2 on?bj4m֠ԠP.Zއw1wLwzNBqV+I:Zˑ}<|T5V E74 U}Úok`_'N(okndӻJ-L9yW0H H9` HyLtTMYGl qLs{-a|k{-z0t |L+ =C8ZZFDE I&u6Qlڕx?Qvnph^[ ܫ-lo^&6.u5WYͤq>6"FR 2}z?Bz; <6*K8!$ԃ v{}DvYkWobݭfYѿ"V` ̷VkDJ{Nr| #_E_efg;\6]aʹ3mʜ uHC}mAm*x36]A 6.jt前>ɋ@LTg>\j,&LPnltcpy5L!+˗v'»>tXa {`YMlSؼ~gmSZν}stq7_vv5.gP32BrV˦.()Ol8q3oKEʣV& "7gF#P`T_5O]"c+;>p4sWI F`(4*F,}ma0L5.ʥZ,-G$o!7Zg.ƫr9F#;_;V -=IddutH,XS!92C(p_L\ lM hMvVJG0 H j@e*x2x? r$z ‚R d,uE+g;t- *-H]xIʛb& LJҥ)&M—s)nd1䏲Def 4]2[5⏾a0 $E+qv>y;A7h[Kin\-tn>>mbpsTc/=qb#U|F[phR6XezA#5XBiuIndmu+,s:kCtII)WS(Y=!ei e6z6*EH&hˊrK })hs.U)D*Y" xLCz.\3<>c"ȏ 9.hWƁw G!oZ{THsbAMv"+ʞ вZM'?.FUNk kk<Q()cZ`rM)Aq1KZ3N*r܌eRZSzMQowGN1~UqCy4kw^گ_:ȊsUg: -::nӢY;OHn' v]|ɵ=ϖ3dYsz/hӉ3&CН?۷u^wwJ$]8k@qs `NX @cC(@~ 3~s 08`P t&8rqa,"tnr.lAW̷ Ocf%B.dTNc>NQ ߲}W u=[_1uQ3- rR}}Ʋ4?9{7Q[g ?l+=!xû>6"]Y~ō[#Znθ,s(l { :wʈ ڷ xΓ[F;qU?; +0C0Pb6tt  3GkKG## Jb]N(u`@GԷm?{sAf:eZU!~9ضVۯȹ"Isg"!#?&*+{ O5Z>ɬ>O_|v|s#<Z]v^ORXغ-ۺ+Xp$.s>_Q*_%]p1GEjr t6#G9t~bN0+kOe?Gvi*2""DW=C},#e-{(:2~c"{ ߮^Q5&ӶF F ok/oܺu\H,6Q?@t#b2~ i  M:?|_rX`͛h6Gz?׃l8\4Kav;Zg)u I~ E`v_g@,)U*ą" [*Sr"!i(SQ|hU*- PDrj 3 KpbV|`G<*x9IDUV1W[2V18r5 EH4yc p0ͻq sgYZZ!?9C#k@5q0 a E`wv Kx;̄sb|50! 1C9zΑH>n˃#ZCX?14 =&Fg2b*!3SV?>_upL7QPMkJU_+.fނaFn Q!O E7#hXH Tu 8heYh R-<qy:|U+G~&xPo@ЋX^ a<./,>pd=Hucj%Q֜],ُEk|V`TCc}"1s z]; g*+ !> nो@1HGU1Ψ6" |@8-(>k` % ޟh`4m@5n@sSPt+{l]<` @ڟh16\C/(*zԜ\25 m TFzD6!^™4IB>XRr(.,8(..D,f6^İ#5[3*M8#P (CCKp'\L&jӾ*Сq=1HUA$X,(Bq=;S!!B/< kmi];,4u; m0aYq.6eQ94h}9yҼ9+ֹA̞:%MaY, 9@"ؚ3w[Pq*#]\y_qTS*m7bpo'b ^|'oq_OٲF[ekv0 #;ۆ?h\ϰq?c愆,zKpoZy^4A˥ "J-B=-ٛSCkrTM;^9W"*noVAqݴh >,-|R0;e\>l @SMԐ>3@Hj׆ל h+o#8\>PsOde %u0<0ΪC IDAT ;;2?Xk@p&/7#Z[[+HYQaqZ"o +ͽs/IK:z 7a]Lg SnٿVDkM}33g?WQ?KZ>3ND1$+=LTM0s% b!2hY)kR#$u]ڊx4) AOu0n'xl-k? 
I̾x쇕Krx WO1c|3ˣ+}XF GlG}hZgNp5˙>ɷqgV̛5ND&4ul}ԀVI55.Ϝc׀ SwN0"!{jGB|om<#~;Tj}aZ$L7hK+T"A`PtrXHIuKf otDZfjA1# 5\{=ȣ@Ʊyk9Wf37!K˾i=)ҽ!^@o1cq#& / ۴tգGxZGr; v{UfervF'}60\՜]z,{:ڏNZGSir~a7/˘?s뚰Ã'OXq/;åJ?- |\ýmT4zoZlsj_a5_S';=m='͛pX { hu>7zvozh˥I=ZzYhR;p<ڥM[Kz}ȡ8UQ98@mBhKr(AQG$NHF4TơAs1**k9]ͻ}|mF4d0S +r٪HS٥Tdf6AQ5  sW潻7^³;%r hݴy::jЮC@ WgUAi+s o[Q ׺n;[7lI8r-l"  jUr G9VxVvzvzRw|=@]>^RK"1>GFc3FmCh;r0(:-X~+lf썷Q?h/..0tD.TNeTnin Q_~|>p>Pz5|Sx@)լ61TpT* y0f4ߦ6NͷDZ o`/Xm6F2oC$l(D2Xmbojͷ\y!@3h(&8Ҽ@0;bP+BU9X%u3V,*ayp fOCO C.Y32~kߓ#U8!YR,a|`Mnum))I~^=4k<|hX|*Ym5ߦbLMS8XӨ̪pOx޾LN/y@g>>Lԏd>Ka>NO?#?ps@'֡,v/煒3VڔQ p0ų|+S<\~0M=o,` B x 0xb(^/T$@0r:@t@T26->laL(F #"Y`u2H8gވ+Gb(F:TQ%EEE r @k5ZdnnnlP+܀+s/ t>xp&SILը3f4P+^`ddTFV濕;Fl9'$$X؊eb10+Uǻr%ÃfSiPh:KƆb(90 K|]Lqx|Ja<&7ZY͙QY|4eE( EaglK ?J77.#Pm>g7XLTUM%D{*ʽ_(J10[֓j-{ -3rp1.]&4b&* Q|f#T~+k 6sL?M q^y3'>wW͵8w) }v.$o9iXoBi|_B\(wg5 2ȼ(S`EAsjb1RX5\0 v5o+O8@bt T03aRYZtuKk5++˭Y{wpܸQcج ;ֿWLC#%0;-/+ u$~2㵧 Չ0L|ФɶYm;[nؾ;,[=97i񺍃 Dh߯]]O?DsDŽ^#swԱˮ͞<Š2%!/p Ahg# qȜN^ܽ|!rY 剒{ .u!G~{:JO.jmqvtBg3Q\8o@D|(5#+%Z(2 dR)HK.]tyR q 1(ѓ6a]2 _QbqbnZ+H8y G/x܉N."(g@zÓ{؁4RWW34J͙>n/7Q 뀑 ~6{i@śI-0G <|Ԑ>+Tvٸv>ȳLu)19Pᣝv=$UmsK.U{qO˿8{ #*وz0Jk/K%2kCޛMu 3/8uD6t㗓~>q#6J?1& y<$~:VTJLj/w'm ~G۴?uOSL`' :tp/$\c~bB"A(jפD# ViJԗ]<~¡^&a0 WQ9-XʯY+dbj+Oij48mD @G&999j -31.=kXUΝl񗭖,Y4nWg&?J]Zlww$ئ߉|^Fl!3QJQ*Et΃3ܾ|ca$ȖIIZ-,8zL:Lr`bѠU\dE´oo.ڊϯidm{ 7,vƁNzuv kڬYTvvWJKK(JݤSaa 4`4;6ξ>>RhG2K[[$I`UveձUmhg/Y:8"{'uc:?J0/g$ߺ76vEZ؅W 8ZqܰZX[eDg,#xnc̷};`XN]n X I\rUaa!,a>,Oa'PThsR gЫ{jzJmAݯb1x Z,q`aT bP4:% R G,5)p]"3@$`W0Ri<ٱ &=HDn|qFLՋ<ν#>5k_}%X hE`̷)DͶ|a{ӹa5WPLLRv&{SYna @G P.`3FkؒPm t*(W*' P 0jES(^`+X_ "/YO # [(R,% }~T'y`dFW#Qj?X|{\њ=y9|:G,"RQ}Z[ZYV -lVMT$`Blx30'"`GL2 Chegd $bg*jiЩl[<5gf/#&0W/-9rF0K`;=&[u8RFٳ5tBwġa+X΋Xk"aDyޢ~!B. ;w9[eV+0uAaVg% `razc#rBIv s6؃T)XPpVEfBW 䊄ROh ڸ~ @ʺ?x2Q j,='lB#AB$GLWi̎U22mpȨYjxՀPHeӦ*ТhGbތofKtPi 1̷PDh/͚cM6y޸$@$"aʡvơ}$!@Pr@AOs{MV8Fx_ęuE톦DmGO#%Ύ`3;qUwtjΣG`"#K"B§ 6&"B}㎃{.FIObZ o^Kp ;,&7Au|XC9.~~ԓ(@ !R%=HJ^^B$AfQ A{ +M;{PgoP$aVNךpqSn* y OlM (Ȃ4v@U"*Ѭ@έQ Pi#[ZDؗrv|||XO0fQ0? 
a MMR~`ұS{}Hi{<~e{2?\l˔Z^mE'ݓN9ܜ\?8/\%2ٍqs޳5Ӿ~ꄓe>_Opp\{}~0vήBƚtruwR)e饇)ٖ 7,}KGץ\ιQ3@8tqGOKD1}\ZTIL0,YlOz;d(ǝ>);wܾ}6ml۶6UiKnY5_.յቭ$~aN{;.N3/{@{7G̺}tSfmf +3%ۗ2UJٙw~75~{w7;sG'a-/,` mKxFtÌ-6]AʚjmH׶ woTLhv@" TjzDOUCbd߱ I(oڴqM~h2[wg΢E}GdÿٸQkwX4ԯK%iCfxx:Eg3W<l>R _Ӫz D$HIӈKҠi`-l8{V,ϻoq)E=/m#݄ }pvY IE\' *K4'"8I"q\Fͣu9]QiK8#0׬xzɇ<.gusו!O|dmldf jJt1Fe{= uׄL+suT\{h[ttͼU, ppa3&}>bSq'Lt”7]⩳L4tT bZ5eX8e:2kurG7S)q]\V6Ҁ9f㰒iN֤&57J=|MVl#]S,{yI%CLj&\@mGo|)mb!oΪ颌2g zImJԺbo:횺k,st ᭚ i]}f !{x}YHpt.rd̚Œ*A=6嗓8<[.QAMBo;/gog!t `x_ϗ)wvfiAv))y-t=m%#[۴Ks6R5?B'pu)~~DK-y鷒-xH8lePi*ndy ^|hgdfz`eWk2 ]N?tY1j[b^|@ר,JFۄ";<\>Xd) `q2AOs#(5I.p ZÖztP/Ұy;\|ؚy]e|$;`GEi$_ ^k8z- $Beq /0Ķǥ4XI& ֺK76mOj_w{95 O?0'Pk0F .^a'[ٍ<Y49Xk)Fd `ۮrKX\)#0- bTUkfЛMU1*ASXH j_ }&gL)#ka0@SUXy $H/|ur;Te!8/FFSj՗'t4\;YZw g zє2xr֍ 1j љl+Ĭل`BK%A0ՋV^|_4w cI," 49D~< BWZ`寐.))#k̖)/̫D˰kbkk Tڗ~y'O*e kBSk:Jݚȣ(.lۉC-# ң{̷ m` vsD`Y,\l1DYVigL|XϞoC ;bR9w5jgDC<]&gV~ B$̸د&n'me!?DA*09dޅ:C8K|~Ś3#x%ʹ^>p~K `IDAT'Zq3K$wX,39w6VP43N%x==qM6™;ry'oq7.Jy6EQnAAna3g.2<8+7ni o88BpuZ˘fܰ(Of$KzK\JQT\R|3T=HE^r\셔GY%eΜI,Π0`0,a_Ж) vq-/߅bIGGꊵDb4Y44<2cM}ؚ3ww__tÂM\ƭ˴1Bx-_gm͞;^9au_L&ƧI,g׍|qVӢo+r@k%Cl8r]* u{wu=.gѥӷo.ʸt3`@K!fZymCTHYIK~y3>sp*үnLs t%%1N">4]0۱J2r8>SE Aލ7o3px"avc{p8f;5l@~*9,XԳ[wohׅӇV  ,¹TVT W#P+_ &n͊8+uS5"MW(+L|JzV8x^D5ӉܾƑ1Թa?lfٓ,;q'ydJa?}/%:BH$ $bk >`hO-Xf+n"!h  =y}2pX>܊2oCKd ت(H8Z -8Z"~oC` H,P+<^K-%_Nq+`ꯉf :FV&/8hٶp`*̷iJ6WB=<* s OޢY[ϼJ!|_xhcsM1?!,S󾙸NJ9KX6~oӨT*X+lVMq*W<)BA &+PGg]/ϐFQ6jճghO/M r|QG_w'7/??_k1^0I,m MNzjC]*U<߈Y`<'w tv kT9i ;0ƅEںؓODaФCX~C c#;O lo/|[= m/ifndzpmT(KW`i7d; a BS:>J=I(RACLQ-)|_F m-JVoP ![l`΍ <rc/EY75ߦש5(`oҁU9!LEf(B;qe a`лȖ2avkgqÌS[9k8lo>&$j$suybtY:#I<D(Leò: ļLͷQ٬s: 6˚:⵶["@ddLjFpS< D1PJLbEBOw3=+ tRV +\ɝd.uYצ<{[0/9jl0oA2,CcHkyvMSKnU&j c{8p51Մj<[0,/^ڡi xـWm˗o$. cjXXIJM !lT˒?p/P-F xŶ/e^L#~i\FV! l 2A,߁P2<Q6<@4TUyxE>`kā >5\ ?;[+Q^f@t+y ;یk}g ;]E[ FnA?TOJ[ }؇etLODBUi `Vd@9hEph)kJ-AʃBJ 9` +n ^18LUߐ@/0gE>h16}>CTG~LU ,8@ڜrLPFv"Z  @9hL "=uB tD>^[]`#Ҟ"I ,:ap?hԏ]U fRqhWE8@-ES6IlL"a?裛0z; c:[:L A34{PYg_%R;stp@}.7YgC^D#P? 
{rIENDB`fwbuilder-5.3.7/src/res/help/en_US/ipcopAdvancedDialog.html000066400000000000000000000333171303637203600236120ustar00rootroot00000000000000

iptables settings

Most of the iptables options can be found in the man page iptables(1) or online on the project web site at
http://www.netfilter.org

Tab Compiler

Compiler

Full path to the policy compiler executable. Use this if you do not want to use standard Firewall Builder policy compiler that comes with the package or if you want to wrap compiler in a script.

Command line options for the compiler

Additional command line options for the policy compiler.

Output file name

Specify the name of the generated iptables script. If left blank, the file name is constructed from the firewall object name and extension ".fw".

Assume firewall is part of 'any'

On some firewall platforms there is a difference in the configuration command used to control access through the firewall versus the command that controls access to the firewall itself. For example, in iptables, packets headed for the firewall machine should be inspected in the INPUT chain, while packets going through the firewall are inspected in the FORWARD chain. If this option is ON, the compiler generates code for both FORWARD and INPUT chains if it sees ’any’ as the destination of the policy rule. In other words, it assumes that the firewall is part of ’any’, and packets may either go to or through the firewall. If this option is off, the compiler only generates code for the FORWARD chain. Compiler treats ’any’ in the source of the rule in a similar way, generating code either for the OUTPUT and FORWARD, or only for the FORWARD chain.

Accept TCP sessions opened prior to firewall restart

If this option is ON, the firewall will accept TCP sessions opened before the firewall software has been activated. These sessions are special because the firewall never saw their initiation phase. If this option is on, the firewall creates an entry in the state table when it sees a packet that apparently belongs to the unknown TCP session.

Accept ESTABLISHED and RELATED packets before the first rule

This option generates an implicit rule to accept ESTABLISHED and RELATED packets before the very first rule specified in the GUI. This helps to reduce the size of the policy script generated by the policy compiler. ESTABLISHED packets are basically reply packets coming back from the server to the client. Iptables keeps state information about each TCP session opened through the firewall and thus can detect and permit these kind of packets automatically. RELATED packets belong to another stream somehow associated with the initial stream opened through the firewall. FTP protocol is a good example of this situation. FTP uses two TCP sessions: command channel and data channel. You do not need to add a special rule for the data channel to your policy because iptables ’understands’ when it needs to permit packets that belong to the data channel that has been created per request sent via a known command channel. This option is ON by default. If for some reason you do not want to have an implicit rule to permit these types of packets on top of all the rules defined in the GUI, you should uncheck this option. Remember that in this case you need to add a rule to permit these types of packets yourself. You can use the Custom Service object named ’ESTABLISHED’ in this rule. This service object can be found in the ’Standard’ object tree.

Drop packets that are associated with no known connection

Adds a rule at the top of the policy to match packets in state "INVALID" and drop them. This is implemented using the iptables module state with option "--state INVALID". An additional checkbox makes the generated script drop and log such packets.

Bridging firewall

This option changes algorithms used by the policy compiler and makes it generate script for a bridging firewall. A bridging firewall treats broadcast packets differently, never uses INPUT and OUTPUT chains, and has some other differences.

Detect shadowing in policy rules

Rule shadowing happens when a certain rule is a super set of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. For example, if rule #1 uses the network object for the source and rule #2 uses the host object located on that network for the source, rule #1 ’shadows’ rule #2 because any packet matched by #1 will never be matched by #2. This may be important if, say, rule #1 permits and #2 denies access to the same destination. If rule #1 ’shadows’ rule #2, then rule #2 will never fire. This situation is most often an error; the compiler can detect it and abort processing of the policy with an appropriate error message.

Ignore empty groups in rules

Compiler supports special case when empty group is used in the policy rule and there are no other objects in the same rule element. Depending on the state of this option, it generates iptables commands as follows:

  • OFF: Compiler treats such case as an error and stops processing. This is because group with no objects is equivalent to an empty rule element ("source" or "destination"), but empty rule element is normally considered to be equal to "any". To avoid errors this may cause, compiler considers this situation an error.
  • ON: A group with no objects in it never matches any packets, thus rendering the rule useless. When this option is turned on, compiler just throws such rule away.

This is useful when one needs to control access to/from a group of hosts which may change and sometimes becomes empty. When this option is turned on, compiler will automatically disable the rule if the group becomes empty. Group contents can be managed manually or by a script using fwbedit command line tool.

Enable support for NAT of locally originated connections

By default sessions initiated by the firewall are not considered subject to NAT and NAT rules are not placed in the OUTPUT chain. However if this option is checked, compiler finds NAT rules that can match sessions initiated by the firewall and places them in the OUTPUT chain as well.

Clamp MSS to MTU

This adds a rule on top of the policy with iptables target TCPMSS and option --clamp-mss-to-pmtu which automatically clamps the MSS value to (path_MTU - 40). This iptables rule is added only if IP forwarding is turned on in the host settings dialog. Since IP forwarding for IPv4 and IPv6 can be configured separately, rules with target TCPMSS for iptables and ip6tables are also added separately if the corresponding IP forwarding setting is enabled. Finally, this target is only available in ip6tables starting with version 1.3.8, and the compiler will not add it to the generated script if the version is set to less than "1.4.x" in the firewall object dialog.

Make Tag and Classify actions terminating

Normally, iptables targets MARK and CLASSIFY are not terminating. This means iptables sets mark on the packet but does not stop inspection process and other rules still inspect the same packet. Fwbuilder policy compiler can emulate terminating behavior for these rules if this checkbox is checked.

Default action on "Reject"

This defines what kind of ICMP message will be sent back to the sender if a packet matches a rule with action "Reject".

Always permit ssh access from the management station with given address

When this option is checked, the compiler adds rules to permit ssh access to the firewall from the specified address block. The rules are placed at the very beginning of the policy to make sure ssh access is permitted even if there is an error in the policy which would otherwise block it. The added rules permit packets that match both NEW and ESTABLISHED states to avoid breaking ssh sessions that were already established.


Tab Installer

Directory on the firewall where script should be installed

The installer will try to put the generated script in /etc on the firewall, unless this option specifies a different location.

User name used to authenticate to the firewall

This can be root or any regular user name. See "How to use built-in policy installer" on the web site at http://www.fwbuilder.org/guides/firewall_builder_howtos.html

Alternative name or address used to communicate with the firewall

Normally the installer uses the address of the interface marked as "management" to communicate with the firewall. Note that the installer uses the IP address rather than running a DNS query for its name. You can specify a different IP address in this option if necessary.

Command that installer should execute on the firewall to activate the policy

If this option is blank, the installer copies the script produced by the policy compiler to the firewall and executes it there. If this option defines a different command, the installer copies the generated script and then runs this command.

Additional command line parameters to ssh

This can be useful if you want to use alternative port for the ssh session to the firewall. Just put "-p PORT" here and this option will be appended to the ssh command line.

External policy install script

Put the full path to your own installer script here if you have one.

Command line options for the script

Command line options to the external installer script go here.


Tab Prolog/Epilog

Prolog section

Add commands that you want compiler to insert into generated script here. Prolog section is added at the beginning of the script, before generated iptables commands. Note that generated iptables script is just a shell script, so commands you place in the Prolog and Epilog sections should be valid Bourne shell commands.

Epilog section

Epilog commands are added at the bottom of generated script, after iptables commands.


Tab Logging

use LOG

Use target LOG for logging

log TCP seq. numbers

Available if target LOG is used for logging. Log TCP sequence numbers. This is a security risk if the log is readable by users.

log TCP options

Available if target LOG is used for logging. Log options from the TCP packet header.

log IP options

Available if target LOG is used for logging. Log options from the IP packet header.

Use numeric syslog levels

Available if target LOG is used for logging. Use numeric log levels instead of the names "debug", "info" etc. This option was added a long time ago because of a bug in iptables and is probably not relevant any more.

Log level

Available if target LOG is used for logging. This option refers to the syslog log level and is used with firewalls that support logging via the syslog protocol. Here is the list of the standard log levels: ’debug’, ’info’, ’notice’, ’warning’, ’error’, ’crit’ and ’alert’.

queue threshold

Available if target ULOG is used for logging. Number of packets to queue inside the kernel. Setting this value to, e.g., 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility).

netlink group

Available if target ULOG is used for logging. This specifies the netlink group (1-32) to which the packet is sent. Default value is 1.

Log prefix

Log records will be prefixed with a string you enter in this option. Firewall Builder supports the following macros in the log prefix that are expanded at the compile time:

  • %N rule number in the GUI.
  • %A rule action
  • %I interface the rule is associated with
  • %C (iptables only) iptables chain that this rule generated code for.

Logging limit

Generated iptables rules use module "limit" to limit the amount of log data they produce. You can limit logging to a given number of log records per unit of time.

Activate logging in all rules

This makes all rules log, regardless of whether a rule requested logging or not. This may be useful for debugging but produces a lot of syslog data and should be used carefully.


Tab Script Options

Verify interfaces before loading firewall policy

This option makes the compiler add commands to check whether all interfaces defined in the firewall object in the GUI really exist on the firewall machine. The generated policy is probably going to be incorrect and won't load because of iptables errors if it was generated for an interface that does not really exist.

Turn debugging on in generated script

This option makes the generated firewall script print all commands when it is executed. To do this, compiler adds "-x" to the shell command line at the top of the script.


Tab IPv6

Order in which IPv4 and IPv6 rules should be generated

Compiler can place ipv6 policies before or after ipv4 rules. This option controls the order. fwbuilder-5.3.7/src/res/help/en_US/ipcoposAdvancedDialog.html000066400000000000000000000123141303637203600241460ustar00rootroot00000000000000

Linux 2.4/2.6 kernel settings

All of these parameters are controlled either with sysctl command line tool or via /proc file system. See file ip-sysctl.txt for description of these parameters, and more. The file can be found online for example here

IPv6 related kernel settings are documented here:


Tab Options

IPv4 Packet Forwarding

Enable IPv4 forwarding between all interfaces

IPv6 Packet Forwarding

Enable IPv6 forwarding between all interfaces

Kernel anti-spoofing protection

/proc/sys/net/ipv4/conf/all/rp_filter

  • 1 - do source validation by reversed path, as specified in RFC1812. Recommended option for single-homed hosts and stub network routers. Could cause trouble for complicated (not loop-free) networks running a slow unreliable protocol (a sort of RIP), or using static routes.
  • 0 - No source validation.

Ignore broadcast pings

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

If set to true, then the kernel will ignore ICMP echo requests sent to broadcast/multicast addresses.

Accept source route

Accept packets with SRR option.

Accept ICMP redirects

Accept ICMP Redirects.

Ignore bogus ICMP errors

/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

Some routers violate RFC 1122 by sending bogus responses to broadcast frames. Such violations are normally logged via a kernel warning. If this is set to TRUE, the kernel will not give such warnings, which will avoid log file clutter.

Allow dynamic addresses

/proc/sys/net/ipv4/ip_dynaddr

If set, enables support for dynamic addresses.

Log martians

Log and drop "Martian" packets. A "Martian" packet is one for which the host does not have a route back to the source IP address (it apparently dropped in from Mars).


Tab TCP

TCP FIN timeout

/proc/sys/net/ipv4/tcp_fin_timeout

Time to hold a socket in state FIN-WAIT-2 if it was closed by our side. The peer can be broken and never close its side, or even die unexpectedly. Default value is 60 sec. The usual value used in 2.2 was 180 seconds; you may restore it, but remember that if your machine is even an underloaded web server, you risk overflowing memory with kilotons of dead sockets. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1 because they eat at most 1.5K of memory, but they tend to live longer.

TCP keepalive time

/proc/sys/net/ipv4/tcp_keepalive_intvl

How often TCP sends out keepalive messages when keepalive is enabled. Default: 2hours.

TCP window scaling

/proc/sys/net/ipv4/tcp_window_scaling

Enable window scaling as defined in RFC1323.

TCP sack

/proc/sys/net/ipv4/tcp_sack

Enable select acknowledgments (SACKS).

TCP fack

/proc/sys/net/ipv4/tcp_fack

Enable FACK congestion avoidance and fast retransmission. The value is not used, if tcp_sack is not enabled.

TCP ECN

/proc/sys/net/ipv4/tcp_ecn

Enable Explicit Congestion Notification in TCP.

TCP SYN cookies

/proc/sys/net/ipv4/tcp_syncookies

Only valid when the kernel was compiled with CONFIG_SYNCOOKIES. Send out syncookies when the SYN backlog queue of a socket overflows. This is to protect against the common 'syn flood attack'. Default: FALSE

Note that syncookies is a fallback facility. It MUST NOT be used to help highly loaded servers stand against a legal connection rate. If you see synflood warnings in your logs, but investigation shows that they occur because of overload with legal connections, you should tune other parameters until this warning disappears. See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

Syncookies seriously violate the TCP protocol, do not allow the use of TCP extensions, and can result in serious degradation of some services (e.g. SMTP relaying), visible not to you but to your clients and relays contacting you. If you see synflood warnings in the logs while not really being flooded, your server is seriously misconfigured.

TCP timestamps

/proc/sys/net/ipv4/tcp_timestamps

Enable timestamps as defined in RFC1323.


Tab Path

In this tab you can set path to the system command line tools used by generated iptables script. Use these if tools you expect to use are located in non-standard directories (such as "/usr/local/bin", "/use/local/sbin" etc.) Leave these blank if tools you expect to use are in standard system directories. fwbuilder-5.3.7/src/res/help/en_US/ipfw_Classify.html000066400000000000000000000003741303637203600225310ustar00rootroot00000000000000

Rule Action "Classify"

This action allows the firewall to define QoS class for the packet that matches the rule. Compiler for ipfw uses pipe, queue or divert depending on how the action is configured by the administrator in the GUI.

fwbuilder-5.3.7/src/res/help/en_US/iptAdvancedDialog.html000066400000000000000000000537541303637203600233030ustar00rootroot00000000000000

iptables settings

Most of the iptables options can be found in the man page iptables(1) or online on the project web site at http://www.netfilter.org

Tab Compiler

Compiler

Full path to the policy compiler executable. Use this if you do not want to use standard Firewall Builder policy compiler that comes with the package or if you want to wrap compiler in a script.

Command line options for the compiler

Additional command line options for the policy compiler.

Output file name

Specify the name of the generated iptables script. If left blank, the file name is constructed from the firewall object name and extension ".fw".

Script name on the firewall

Generated script will be copied to the firewall using this name. Can be full absolute path as well.

Installation process is controlled by several variables that the user can change in the "advanced" dialog for the firewall platform:

Tab "Compiler":

  • output file name
  • script name on the firewall

Tab "Installer":

  • directory on the firewall where script should be installed
  • command that installer should execute on the firewall

These variables have default values if input fields are left blank in the dialog:

Output file name: the name of the firewall object, plus extension ".fw".

Script name on the firewall: the same as the output file name

directory on the firewall: "/etc" (tab "Installer")

command that installer executes to activate policy: installer runs script <firewall>.fw

If user enters alternative name in the "script name on the firewall", it is used when generated script is copied to the firewall. There are two input fields in the dialogs for PF and ipf where user can enter alternative name for the .fw script and .conf file. The name can be relative or absolute path. If it is a relative path or just a file name, it is treated as a file name in the directory specified by the "directory on the firewall" input field in the "Installer" tab. If the name is an absolute path, the directory entered in "directory on the firewall..." input field is ignored. If user entered alternative name for the script on the firewall, the command that installer should execute to activate it must be entered as well. If the alternative name was entered as an absolute path, activation command should take this into account and use the same absolute path. The command can start with "sudo " if user account used to copy and activate policy is not root.

Assume firewall is part of 'any'

On some firewall platforms there is a difference in the configuration command used to control access through the firewall versus the command that controls access to the firewall itself. For example, in iptables, packets headed for the firewall machine should be inspected in the INPUT chain, while packets going through the firewall are inspected in the FORWARD chain. If this option is ON, the compiler generates code for both FORWARD and INPUT chains if it sees "any" as the destination of the policy rule. In other words, it assumes that the firewall is part of "any", and packets may either go to or through the firewall. If this option is off, the compiler only generates code for the FORWARD chain. Compiler treats "any" in the source of the rule in a similar way, generating code either for the OUTPUT and FORWARD, or only for the FORWARD chain.

Accept TCP sessions opened prior to firewall restart

If this option is ON, the firewall will accept TCP sessions opened before the firewall software has been activated. These sessions are special because the firewall never saw their initiation phase. If this option is on, the firewall creates an entry in the state table when it sees a packet that apparently belongs to the unknown TCP session.

Accept ESTABLISHED and RELATED packets before the first rule

This option generates an implicit rule to accept ESTABLISHED and RELATED packets before the very first rule specified in the GUI. This helps to reduce the size of the policy script generated by the policy compiler. ESTABLISHED packets are basically reply packets coming back from the server to the client. Iptables keeps state information about each TCP session opened through the firewall and thus can detect and permit these kind of packets automatically. RELATED packets belong to another stream somehow associated with the initial stream opened through the firewall. FTP protocol is a good example of this situation. FTP uses two TCP sessions: command channel and data channel. You do not need to add a special rule for the data channel to your policy because iptables "understands" when it needs to permit packets that belong to the data channel that has been created per request sent via a known command channel. This option is ON by default. If for some reason you do not want to have an implicit rule to permit these types of packets on top of all the rules defined in the GUI, you should uncheck this option. Remember that in this case you need to add a rule to permit these types of packets yourself. You can use the Custom Service object named "ESTABLISHED" in this rule. This service object can be found in the "Standard" object tree.

Drop packets that are associated with no known connection

Adds a rule at the top of the policy to match packets in state "INVALID" and drop them. This is implemented using the iptables module state with option "--state INVALID". An additional checkbox makes the generated script drop and log such packets.

Bridging firewall

This option changes algorithms used by the policy compiler and makes it generate script for a bridging firewall. A bridging firewall treats broadcast packets differently, never uses INPUT and OUTPUT chains, and has some other differences.

Detect shadowing in policy rules

Rule shadowing happens when a certain rule is a super set of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. For example, if rule #1 uses the network object for the source and rule #2 uses the host object located on that network for the source, rule #1 "shadows" rule #2 because any packet matched by #1 will never be matched by #2. This may be important if, say, rule #1 permits and #2 denies access to the same destination. If rule #1 "shadows" rule #2, then rule #2 will never fire. This situation is most often an error; the compiler can detect it and abort processing of the policy with an appropriate error message.

Ignore empty groups in rules

Compiler supports special case when empty group is used in the policy rule and there are no other objects in the same rule element. Depending on the state of this option, it generates iptables commands as follows:

  • OFF: Compiler treats such case as an error and stops processing. This is because group with no objects is equivalent to an empty rule element ("source" or "destination"), but empty rule element is normally considered to be equal to "any". To avoid errors this may cause, compiler considers this situation an error.
  • ON: A group with no objects in it never matches any packets, thus rendering the rule useless. When this option is turned on, compiler just throws such rule away.

This is useful when one needs to control access to/from a group of hosts which may change and sometimes becomes empty. When this option is turned on, compiler will automatically disable the rule if the group becomes empty. Group contents can be managed manually or by a script using fwbedit command line tool.

Enable support for NAT of locally originated connections

By default sessions initiated by the firewall are not considered subject to NAT and NAT rules are not placed in the OUTPUT chain. However if this option is checked, compiler finds NAT rules that can match sessions initiated by the firewall and places them in the OUTPUT chain as well.

Clamp MSS to MTU

This adds a rule on top of the policy with iptables target TCPMSS and option --clamp-mss-to-pmtu which automatically clamps the MSS value to (path_MTU - 40). This iptables rule is added only if IP forwarding is turned on in the host settings dialog. Since IP forwarding for IPv4 and IPv6 can be configured separately, rules with target TCPMSS for iptables and ip6tables are also added separately if the corresponding IP forwarding setting is enabled. Finally, this target is only available in ip6tables starting with version 1.3.8, and the compiler will not add it to the generated script if the version is set to less than "1.4.x" in the firewall object dialog.

Add rules to accept IPv6 Neighbor Discovery packets to IPv6 policies

When this option is on, compiler will automatically add rules on top of the generated IPv6 script to permit ICMP6 types router-solicitation, router-advertisement, neighbour-solicitation, neighbour-advertisement (both INPUT and OUTPUT).

Default action on "Reject"

This defines what kind of ICMP message will be sent back to the sender if a packet matches a rule with action "Reject".

Always permit ssh access from the management station with given address

When this option is checked, the compiler adds rules to permit ssh access to the firewall from the specified address block. The rules are placed at the very beginning of the policy to make sure ssh access is permitted even if there is an error in the policy which would otherwise block it. The added rules permit packets that match both NEW and ESTABLISHED states to avoid breaking ssh sessions that were already established.

Install the rule for ssh access from the management workstation when the firewall is stopped

Generated script recognizes command line arguments "start" and "stop". Running with argument "start" causes it to flush all iptables tables and rules and install rules defined in fwbuilder GUI. Running with argument "stop" causes the script to flush all tables and rules and set default policy for all chains to "DROP". This effectively shuts down the firewall for all kinds of traffic. When this option is on, compiler adds rules to permit ssh access from the address defined in the previous option even when the firewall is stopped.


Tab Installer

Directory on the firewall where script should be installed

The installer will try to put the generated script in /etc on the firewall, unless this option specifies a different location.

User name used to authenticate to the firewall

This can be root or any regular user name. See "How to use built-in policy installer" on the web site at http://www.fwbuilder.org/guides/firewall_builder_howtos.html

Alternative name or address used to communicate with the firewall

Normally the installer uses the address of the interface marked as "management" to communicate with the firewall. Note that the installer uses the IP address rather than running a DNS query for its name. You can specify a different IP address in this option if necessary.

Command that installer should execute on the firewall to activate the policy

If this option is blank, the installer copies the script produced by the policy compiler to the firewall and executes it there. If this option defines a different command, the installer copies the generated script and then runs this command.

Additional command line parameters to ssh

This can be useful if you want to use alternative port for the ssh session to the firewall. Just put "-p PORT" here and this option will be appended to the ssh command line.

External policy install script

Put the full path to your own installer script here if you have one.

Command line options for the script

Command line options to the external installer script go here.


Tab Prolog/Epilog

Prolog section

Add commands that you want compiler to insert into generated script here. Prolog section is added at the beginning of the script, before generated iptables commands. Note that generated iptables script is just a shell script, so commands you place in the Prolog and Epilog sections should be valid Bourne shell commands.

Insert prolog script ...

You can control where exactly the commands specified in the Prolog section will be placed:

  • On top of the script: commands will be placed at the very beginning, before anything else is done.
  • After interface configuration: commands will be added after interface configuration is done but before any iptables commands.
  • After policy reset: Policy is reset by setting default iptables targets to DROP in all tables and all chains and by purging all existing chains. If this option is chosen, prolog section goes after policy reset but before the first iptables commands.

Epilog section

Epilog commands are added at the bottom of generated script, after iptables commands.


Tab Logging

use LOG

Use target LOG for logging

log TCP seq. numbers

Available if target LOG is used for logging. Log TCP sequence numbers. This is a security risk if the log is readable by unprivileged users.

log TCP options

Available if target LOG is used for logging. Log options from the TCP packet header.

log IP options

Available if target LOG is used for logging. Log options from the IP packet header.

Use numeric syslog levels

Available if target LOG is used for logging. Use numeric log levels instead of the names "debug", "info" etc. This option was added long time ago because of a bug in iptables and probably is not relevant any more.

Log level

Available if target LOG is used for logging. This option refers to the syslog log level and is used with firewalls that support logging via the syslog protocol. Here is the list of the standard log levels: "debug", "info", "notice", "warning", "error ", "crit" and "alert"

queue threshold

Available if target ULOG is used for logging. Number of packets to queue inside the kernel. Setting this value to, e.g., 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility).

netlink group

Available if target ULOG is used for logging. This specifies the netlink group (1-32) to which the packet is sent. Default value is 1.

Log prefix

Log records will be prefixed with a string you enter in this option. Firewall Builder supports the following macros in the log prefix that are expanded at the compile time:

  • %N rule number in the GUI.
  • %A rule action
  • %I interface the rule is associated with
  • %C (iptables only) iptables chain that this rule generated code for.

Logging limit

Generated iptables rules use module "limit" to limit amount of log data they produce. You can limit logging to a given number of log records per unit of time.

Activate logging in all rules

This makes all rules log, regardless of whether a rule requested logging or not. This may be useful for debugging but produces a lot of syslog data and should be used carefully.


Tab Script Options

Load Modules

Compiler adds commands to load all available iptables modules into kernel memory.

Turn debugging on in generated script

This option makes the generated firewall script print all commands when it is executed. To do this, compiler adds "-x" to the shell command line at the top of the script.

Verify interfaces before loading firewall policy

This option makes the compiler add commands to check whether all interfaces defined in the firewall object in the GUI really exist on the firewall machine. The generated policy is probably going to be incorrect and won't load because of iptables errors if it was generated for an interface that does not really exist.

Configure interfaces of the firewall machine

This option makes compiler add commands to configure IP addresses of the interfaces of the firewall according to the "Address" objects added to interfaces in the Firewall Builder GUI.

The script generated by fwbuilder v4.0 does not rely on special labels of the addresses as it did in previous versions. Also, in the past it purged all addresses and then added those defined in fwbuilder back. Script created by fwbuilder v4.0 does not purge addresses, instead it manages them incrementally. First, it obtains the list of IP addresses of each interface and compares it with addresses defined in fwbuilder. Then, it adds missing addresses to the interface and deletes addresses that are not configured in fwbuilder.

Clear IP addresses and bring down interfaces not configured in fwbuilder

If this option is on, generated script will clear IP addresses and bring down interfaces of the firewall that have not been configured in the fwbuilder GUI. This can be used to ensure that the configuration of the firewall machine is perfectly synchronized with objects defined in fwbuilder. This function does nothing to interfaces configured in fwbuilder, regardless of their type ("regular", "dynamic" or "unnumbered"). Be careful using this option, especially in the early stages of building fwbuilder objects for the new firewall. If you forget to add an interface that is supposed to pass traffic to fwbuilder configuration, generated script will shut it down when this option is turned on. However when configuration has been debugged and is known to be correct, it may be useful to turn this option on to make fwbuilder completely take over management of firewall interfaces.

Configure VLAN interfaces

When this option is on, generated script will use vconfig commands to configure vlan interfaces defined in the fwbuilder GUI. The script tries to do this incrementally, that is, it compares requested set of vlans with existing vlan interfaces on the machine, then it creates those that are missing and deletes those that are not defined in fwbuilder.

Configure bridge interfaces

When this option is on, generated script will use brctl command to manage bridge and bridge ports. This is also done incrementally, by adding bridges and ports that are configured in fwbuilder but are missing on the machine and deleting those that exist on the machine but have not been defined in fwbuilder.

Configure bonding interfaces

When this option is on, generated script will use ifenslave command to manage bonding interfaces. The script can manage bonding interface slaves incrementally as well.

Unfortunately since bonding interfaces are created by the kernel module which is difficult to unload and load back reliably, the script can not change bonding parameters (arguments for the module) incrementally. However, the script includes commands that load "bonding" module with parameters defined in the fwbuilder GUI. The module will be loaded into the kernel with these parameters if the script runs after reboot. Bonding interface parameters are defined in the "Advanced Interface Settings" dialog of the bonding interface object.

Add virtual addresses for NAT

The compiler can generate commands to add a virtual address to one of the interfaces of the firewall machine if this option is turned on. This is needed if a NAT rule uses an IP address that does not belong to any interface of the firewall. The firewall either needs the static "published" ARP entry for this address, or it should be added to one of the interfaces as an "alias" or virtual address. The policy compiler adds code to add an "alias" address to the interface on top of the firewall activation script.

Use iptables-restore to activate policy

If this option is turned on, the compiler generates the firewall script in a different format and uses iptables-restore to load it. Both the iptables commands and the call to iptables-restore that loads them are parts of the generated script; you just need to execute this script on the firewall. The advantage of this method is that loading the policy using iptables-restore is atomic: either the whole new policy loads into kernel memory, or none of it does. If the new policy has syntax errors, it will not load. If the generated script does not use iptables-restore to activate the policy, the policy may load partially if there is an error in one of the rules somewhere in the middle. Using iptables-restore helps avoid this problem.


Tab IPv6

Order in which IPv4 and IPv6 rules should be generated

Compiler can place ipv6 policies before or after ipv4 rules. This option controls the order.

fwbuilder-5.3.7/src/res/help/en_US/iptables_Branch.html000066400000000000000000000006341303637203600230060ustar00rootroot00000000000000

Rule Action "Branch"

This action is used to create a branch in the rule set. For iptables this action is translated into "-j" command line option with an argument that points to a user-defined chain. To use this action, create new Policy rule set object, then drag and drop it into a well in the dialog of this action. Note that you can use policy rule set object of another firewall as well.

fwbuilder-5.3.7/src/res/help/en_US/iptables_Classify.html000066400000000000000000000003141303637203600233610ustar00rootroot00000000000000

Rule Action "Classify"

This action allows the firewall to define QoS class for the packet that matches the rule. It is translated into CLASSIFY for iptables with parameter --set-class.

fwbuilder-5.3.7/src/res/help/en_US/iptables_Route.html000066400000000000000000000003631303637203600227060ustar00rootroot00000000000000

Rule Action "Route"

This action makes the firewall route the packet that matches the rule through an interface or a gateway specified in the parameters of the action. This action is translated into ROUTE target for iptables

fwbuilder-5.3.7/src/res/help/en_US/iptables_Tag.html000066400000000000000000000022531303637203600223230ustar00rootroot00000000000000

Rule Action "Tag"

This action associates internal tag with the packet. Tag can later be inspected using service object TagService. This action is translated into MARK target with corresponding --set-mark parameter and optionally additional rule with CONNMARK --save-mark target for iptables. If option that activates CONNMARK target is used, compiler also adds a rule at the very top of the policy to restore the mark. Rules are placed in INPUT,OUTPUT and FORWARD chain of the "mangle" table, this ensures that DNAT happens before rules placed in the mangle table see the packet. PREROUTING chain in mangle table is executed before PREROUTING chain in the nat table, so placing tagging rules in the PREROUTING chain would make them fire before DNAT. POSTROUTING chain of the mangle table, as well as its FORWARD and OUTPUT chains, work before corresponding chains of the nat table. In all cases the goal is to make sure DNAT rules process the packet before, and SNAT rules process it after filtering and tagging rules.

To use this action create TagService object with tag code you want to use, then drag and drop it into the well in the action dialog.

fwbuilder-5.3.7/src/res/help/en_US/iptables_rule_options.html000066400000000000000000000105571303637203600243400ustar00rootroot00000000000000

Rule options for iptables policy rules

Tab General

Assume firewall is part of 'any'

This option overrides global setting of the option with the same name in the firewall object "advanced" settings dialog.

On some firewall platforms there is a difference in the configuration command used to control access through the firewall versus the command that controls access to the firewall itself. For example, in iptables, packets headed for the firewall machine should be inspected in the INPUT chain, while packets going through the firewall are inspected in the FORWARD chain. If this option is ON, the compiler generates code for both FORWARD and INPUT chains if it sees 'any' as the destination of the policy rule. In other words, it assumes that the firewall is part of 'any', and packets may either go to or through the firewall. If this option is off, the compiler only generates code for the FORWARD chain. The compiler treats 'any' in the source of the rule in a similar way, generating code either for the OUTPUT and FORWARD chains, or only for the FORWARD chain.

Stateless rule

Firewall Builder always uses stateful packet inspection if it is available in the target firewall. In case of iptables, this means it always uses module "state" by adding the following parameters to the generated rules: "-m state --state NEW". It also adds a rule to match states "ESTABLISHED,RELATED" on top of the policy. However, sometimes it might be desirable to create a rule without state matching. Checking this checkbox on makes the rule stateless, which means parameters "-m state --state NEW" will not be added.

Rules with action Deny are always stateless by default and do not get the "-m state --state NEW" parameters, although you can make them stateful by checking this checkbox.


Tab Logging

Options in this tab override the same options configured globally in the firewall object "advanced" settings dialog.

Log prefix

Log records will be prefixed with a string you enter in this option. Firewall Builder supports the following macros in the log prefix that are expanded at the compile time:

  • %N rule number in the GUI.
  • %A rule action
  • %I interface the rule is associated with
  • %C (iptables only) iptables chain that this rule generated code for.

Log level

Choose one of the standard syslog log levels for the "--log-level" option of the LOG iptables target.

Netlink group

This specifies the netlink group (1-32) to which the packet is sent. Used to add "--ulog-nlgroup" parameter if ULOG logging is chosen in the firewall settings dialog, tab "Logging".


Tab limit

Options in this tab are used to configure parameters for the module "limit".

Rate, burst

These translate into " --limit rate" and "--limit-burst number" options for the module "limit". If rate is set to 0 (the default), parameter "-m limit --limit rate" is not added to the generated iptables command.


Tab connlimit

Options in this tab are used to configure parameters for the module "connlimit".

Number of allowed connections per client host

If this option is set to a non-zero value, it adds the following clause to the generated iptables command: "-m connlimit --connlimit-above number".

...per network with netmask of ...

If this option is set to non-zero value, it adds the following to the generated iptables command: " --connlimit-mask mask".

Note that conntrack module must be compiled into the kernel and iptables in order for these options to work on the firewall.


Tab hashlimit

Options in this tab are used to configure parameters for the module "hashlimit". Please see man page for iptables, section "hashlimit" for the explanation of all parameters it accepts. Note that on some older Linux systems this module used to be called "dstlimit". Checking corresponding checkbox in this dialog causes compiler to generate parameter as "-m dstlimit" instead of "-m hashlimit".

fwbuilder-5.3.7/src/res/help/en_US/linux24AdvancedDialog.html000066400000000000000000000155011303637203600240000ustar00rootroot00000000000000

Linux 2.4/2.6 kernel settings

All of these parameters are controlled either with sysctl command line tool or via /proc file system. See file ip-sysctl.txt for description of these parameters, and more. The file can be found online for example here

IPv6 related kernel settings are documented here:


Tab Options

IPv4 Packet Forwarding

Enable IPv4 forwarding between all interfaces

IPv6 Packet Forwarding

Enable IPv6 forwarding between all interfaces

Kernel anti-spoofing protection

/proc/sys/net/ipv4/conf/all/rp_filter

  • 1 - do source validation by reverse path, as specified in RFC1812. Recommended option for single-homed hosts and stub network routers. Could cause trouble for complicated (not loop-free) networks running a slow unreliable protocol (sort of RIP), or using static routes.
  • 0 - No source validation.

Ignore broadcast pings

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

If set to true, then the kernel will ignore ICMP echo requests sent to broadcast/multicast addresses.

Accept source route

Accept packets carrying the source route (SRR) option.

Accept ICMP redirects

Accept ICMP Redirects.

Ignore bogus ICMP errors

/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

Some routers violate RFC 1122 by sending bogus responses to broadcast frames. Such violations are normally logged via a kernel warning. If this is set to TRUE, the kernel will not give such warnings, which will avoid log file clutter.

Allow dynamic addresses

/proc/sys/net/ipv4/ip_dynaddr

If set, enables support for dynamic addresses.

Log martians

Log and drop "Martian" packets. A "Martian" packet is one for which the host does not have a route back to the source IP address (it apparently dropped in from Mars).


Tab TCP

TCP FIN timeout

/proc/sys/net/ipv4/tcp_fin_timeout

Time to hold a socket in state FIN-WAIT-2, if it was closed by our side. The peer can be broken and never close its side, or even die unexpectedly. Default value is 60 sec. The usual value used in 2.2 was 180 seconds; you may restore it, but remember that if your machine is even an underloaded WEB server, you risk overflowing memory with kilotons of dead sockets. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1, because they eat at most 1.5K of memory, but they tend to live longer.

TCP keepalive time

/proc/sys/net/ipv4/tcp_keepalive_intvl

How often TCP sends out keepalive messages when keepalive is enabled. Default: 2hours.

TCP window scaling

/proc/sys/net/ipv4/tcp_window_scaling

Enable window scaling as defined in RFC1323.

TCP sack

/proc/sys/net/ipv4/tcp_sack

Enable select acknowledgments (SACKS).

TCP fack

/proc/sys/net/ipv4/tcp_fack

Enable FACK congestion avoidance and fast retransmission. The value is not used, if tcp_sack is not enabled.

TCP ECN

/proc/sys/net/ipv4/tcp_ecn

Enable Explicit Congestion Notification in TCP.

TCP SYN cookies

/proc/sys/net/ipv4/tcp_syncookies

Only valid when the kernel was compiled with CONFIG_SYNCOOKIES. Send out syncookies when the SYN backlog queue of a socket overflows. This is to protect against the common 'SYN flood attack'. Default: FALSE

Note that syncookies is a fallback facility. It MUST NOT be used to help highly loaded servers stand against a legitimate connection rate. If you see synflood warnings in your logs, but investigation shows that they occur because of overload with legitimate connections, you should tune other parameters until this warning disappears. See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

syncookies seriously violate the TCP protocol, do not allow the use of TCP extensions, and can result in serious degradation of some services (e.g. SMTP relaying), visible not to you, but to your clients and relays contacting you. If you see synflood warnings in logs without really being flooded, your server is seriously misconfigured.

TCP timestamps

/proc/sys/net/ipv4/tcp_timestamps

Enable timestamps as defined in RFC1323.


Tab Path

In this tab you can set the path to the system command line tools used by the generated iptables script. Use these if the tools you expect to use are located in non-standard directories (such as "/usr/local/bin", "/usr/local/sbin" etc.). Leave these blank if the tools you expect to use are in standard system directories.


Tab conntrack

In this tab you can adjust parameters of the conntrack module to tune its performance. This is useful for firewalls passing a lot of traffic but probably is not necessary in most cases. See http://www.wallfire.org/misc/netfilter_conntrack_perf.txt for the detailed explanation.

You can adjust the following parameters:

  • CONNTRACK_MAX is the maximum number of "sessions" (connection tracking entries) that can be handled simultaneously by netfilter in kernel memory.
  • The hash table contains HASHSIZE linked lists. When the limit is reached (the total number of conntrack entries being stored has reached CONNTRACK_MAX), each list will contain ideally (in the optimal case) about CONNTRACK_MAX/HASHSIZE entries. The hash table occupies a fixed amount of non-swappable kernel memory, whether you have any connections or not. But the maximum number of conntrack entries determines how many conntrack entries can be stored (globally into the linked lists), i.e. how much kernel memory they will be able to occupy at most.
  • "Disable TCP window tracking": this is needed if you run conntrackd daemon in state synchronization mode for a firewall cluster and have kernel < 2.6.22. See http://conntrack-tools.netfilter.org/manual.html for more details.

fwbuilder-5.3.7/src/res/help/en_US/main.html000066400000000000000000000036541303637203600206570ustar00rootroot00000000000000

Where to Find Help: Firewall Builder Online

External links open in your regular web browser. This page can also be opened using main menu item "Help/Firewall Builder Help.".

Firewall Builder documentation can be found on the project web site at http://www.fwbuilder.org.

You may want to start with Firewall Builder Documentation. You can find several Getting Started Guides on this page.

Examples of policy and NAT rules, advice on troubleshooting, solutions for typical tasks and problems, tips and tricks, iptables and pf configuration examples from numerous online guides, tutorials and books reproduced in Firewall Builder - all this and more can be found in the Firewall Builder Cookbook

Answers to frequently asked questions can be found in Firewall Builder FAQ

Lists of bug fixes and new features for every new version are always in the Release Notes

Project updates, news and comments are regularly posted in the Firewall Builder Blog.

Open bug reports and feature requests using our SourceForge bug tracking system

We have online discussion forum and mailing list

More information about how to get support for Firewall Builder is available on our Support Page

fwbuilder-5.3.7/src/res/help/en_US/new_bridge_interfaces.png000066400000000000000000000345301303637203600240600ustar00rootroot00000000000000PNG  IHDR+#hiCCPICC ProfilexgTSM$$ tAz/.UMJ]).HGPEQ "HA=]˝}grdl(lq8wojfnJ #@^%GGhzrL Af <c?> 0zxx)Xʻ0s[ Zm&<`L!tibmyWk'1? 2eP7uNLvlpFwVkN܂7EK<˜?N02ѭc6~Rl""FFwQ{}!txǟ܆bd](!?Q 5i.c VnD- s)Cl}?1gyyEJK H pщJ Yav*sr ̊?Ɣ{UU%hhjj jjo]h׻oռ(jjHiodyYY][[cZ:z'OXiZ[m.M<jxYޕӝsףϪ/O  ~zMۚ/?51n,rkvhkG^e{_M70570&2^6-s cKq+j뗗*.l-t9::a._\ܞ])wy <~%D5P > &_F4FH v#Pl"ʚHM(钥q;=ӑ[oV QH]Z4t8$ :MwV>}xRJzfћuORF674Y4=oen#k}>yף;=i} /Y^:fܻKVFG7?nL">ȧ?јqM:&h=t|ytzzyC_F[+wo; hI.`*6 &,9F2A 5}` A$5Lm ⅔!+(J*hA@(#7*tCf!{; VQ2h,:=F(IAIdFJMB|@EԜE7NTTE"ԝ3*M- cI;LUv,,çRN_deg͡I9ƌcgLyF҄"Ƣ2bb R8i}!Y)~'*d*)+_SQYթ=K'^31001674߷jzF6nA1鳋kwaw<~WQc`DJUHȞ([1PgTAb_bJsLzӭ=/fOz $ і6T?TyXv>lLSR˹g :{y{;-#c_i...l8lݶgyAE` n pHYs   IDATx] \SG$ U[#BT]U(UAڊZmZYZ_ V T%ʺvFX+հJ%V`@0;XSoL|ggvO;' ;̈X>HJk5]^8W#]ǽrd`^*ewj/|"a>]-&[MOn>hTP%7YM0xmC#MVg0HqB} 0Bkl7hB4Ҁ`i\92m 9@/ `h_~0>e gui0Gq0ǖ͂f"zxnYaŠ"xV$'"Z94/bO,?1!|)~!-OϬQ(Kaߜ!R֬0}dP"`H`G<k(?OC;}hR([@~Z[Zy^uUMUu<גUWo:<̮fsDGY_N>u:a%Y[QEq}(OJ׫,[siBͨ릨̘v~Tpt!ld(Ԣ@`T(eViQs&sAŎu#CB [>OOg[^@Lk20|r7\-Y DiҒDX> Oؙ#΃\80]8966IMrat"Z =kb'L8fNyZA͊69ԢVK͵V̞kA=9ϵE #L""g9x9sX.@RrxБd՗D 4ʓ]Ʀv~|远v0o;gO9ʛO|_. | m6hZvieAy,5i򴵶(-m6ErB*gկb(ERXIW..%4H2vnA27Nx`j{C' HKOƬ.>6[}xS=.am-[gx4m5@ w|/@t6\S!e Nʖ&iy4ON/je 2I-48Q@\*yM>Hl?-ϞZzhY> @suѢZ9c"VYFYLb˂_6ms9''i0ܩ%W`:Y `x4PD5\SY>˵|P㾣ZoSuwg}C~_"zd| ;sm텲U)WMwZ[A}Y3L(U6mlG +XNfJYskG. 
u4'o$׉<{\5Q>@C ?sE,]V!šŀDAv#-,'A AV>2wnkʞEQnEH]onu(uw'Z͏]YvMv$!i"'*s AuG%G({-W%&pk>i׻򢣙ȳ]6eⱂ2,/X4]] A_?_?pĠ- 긎]) 5ݨHJ΃WruoLrgʋfգ[M?+g`eT-#䆞FGDF-,Zd0xUtB{a/bSx ¢5F*}_b4k!]I'Nhj"0w\ хwvl|eb[8u=#Vyh~lf^=vۍ &hLz1"*33(ҲS6D ٛ"o]7( (qoSVߟ2p]?~FqYCZdX6)G+U}Vlʼ\Gmʓţ%ovym龄Xoը|Ҏݷ)až*ʺi 0̗rwйʂ]0=_%Xv+uX,-aEBZ]^iE: zݘQ|[,r=@wH C|xzzҙGMP 3acqz]l:Q3<_ΗK_%"Puŷy~5rE"IJ\0ɺtYyr9jm0N<YVA$̵j9)j8RfaH ǔaA݇וdx9"x><:$s[1QÇKWYA=@7*lN:yDklll:ײ✽='[94e&Ԝ,1lXhv6' |-TPO*l TʆAyyQܣLKZpsX&CMT [𮄎}N2=AQ#Dm;uW."x[A؏תXgcODav pP;pυ٩9۰[NQP@nW$ wN>`R`^hT|8sץ |x(B)AIj|Z#0C2*7ȑ/29=$S/}VT\GKa=. (uQn*(hnBtt׮ep!88H^ bnSM#=xiRX۴ܴh)Ȩ-#g c-ܩ$mm( Smyp}Vx0ZU"ܽzG?< TWIBcgD#YxQ+|իnEoFgjseϏ5Teršk_5ƕcd3c#% : l/ 6YLJښƢt$Z?0Q٫JhjUӇkjPbZ_"SF%ک!mՑ!7նq ]ts=u?ֵ'{8zzbQvw_OTCE)QVe |9ۛ 2 cyDD^vzU!mpQ>*I,Nu.IWș$`o1baZ~aS-ngVJWRͥDSomukb6;0}E;5ٴ~'x?8h{G5Ti-~JSX[С 1\l&YEϮk MSpȇg$cF2Q t&8>zɽ)ħ N>UG1J֭"8\|0) / zxt@</Gi.8#ЄN*TcH,oZl(B#bwe4 3!]?wbȿꝱj!@:my9y=fD%*"HkvR` Ɨc4ЌQ\]v(7jd QS#^~p"olA-YXbʣ/Imm"Yv֙f@|B5A0A)!-2!pԎF`/[?~m#\9ek[[kۮm'Gۡu(t(ɗ!H{_"w:*)PYW])>y ^ f-]m}= HzJ0Z~识1}c5)P&7&>;AvÁ~sWMBǐ[$b_ [U#j#mKɭC~ bOBTU`H lzraIꘁ4^`g/D`3K}R̰L-lz7R$CSkӏ ls%0ch$r}h3>T:Җxθ[Hl5R'b3O}ȸd'gP+?0yV _Me-mC{EOWI'Nn)a+E@'9y{CQ~vcBS=F*n<׈F(rKeq+IQƤ>AdD'I٠.1̄87TOy߾ʫIwL _^_z5>Dt#kuHwܜ0ˉۧLJo/ز?*HdK?QEq},=R+ s5~1ua F(RKape|{$>Ԯ: )5K PX*~}ceeEY0`8a81a9Ȁ@o ~[OuJ3덱o 4) 2>6OOdILًgŤdQ*q4fGdD魔2 #IUijHu^'4Hb 6Lxo;:jE'tbhIo&Ek$#,-;)R,N /H8cZ_kpxCZO10ZYLR8/7*KuyMXn,|Q[\xRX/6 J*F(ru%g0??f߯CRN)gH] s~j}D94=]9Ӳ]Yvk`y^>O-E|E+OHN5)Xrp*ɋ~ yKf;3|WH[Șl<cR?9] zC9 6g)P+Y&mRډPkֶD5g֞}*o,;qivml[ VD>Z(˝>qu;dL`Ex 6g)P+ɖU&LW;1aF"PHpc1wI&I>"2i.jsjc̆¬NكF$sՖ]xփG̟XO)*XV@Y e:v~DPWCD&8uURG{أ-kgA{ E*_WḨM@ףuU ][vӱ.dlvHԈAk ?;Y\*ʬ'|M%{c[u $%4M{W^yzԈ[ cz'VL)`hZ*F)$NLq#bhsLxrYԌէ dՇfgRB^.uPzme&p];by13!ݞ )-`O,հm(~Q(ZLxr@|նg0@(k?K]63׋Po_;֝㷆[UM4/:[L V&'J搟j!{ o2OxJRb(+U OjaVR$Cj,)D]GsڨGEഹ_&900PVo .+M(ߙ_\}y:85r1+1>od=UHhjS-)u5.൉P90haϞ yJjbqM*JWp  gN ,/B!ee "qK,䥜/\(>Y@5E 8ZzoYzK[)-&GúSb^ )/HLrxs;@1<9Hգ8CǙX$CMu0Y\nP x,ρXLޫ~H -BmO'K@"P J@{tV5ean"&WL⠃>>d|R$ھ0?u Yw#qFܩjbm*˗yrh4RpNcvXgΰARB ^|** h-~pr[V 
#!}T u8%-j;w|} ]Mgky&]%["6y'R$Ml폚u `3IYP|~YN_؂ ]3f|ٴKvm7 )x{IwsMJEeSxz(}bؐ3!ĺSQSvē}dzΞL#iKP+)euuj$QzϴYauyMR&u/xt Bf\i ղ4 it<8:|MxD<1-V Z)*Aޞ5 O]ơvlz\cB^#-פHcBF#N6 ʀhR}e"Ov[}՝Hgɨw& O^y(ZpRNϱCľΠn AS;Z̈́H[CM"i-R$Z̈́G[?Dg"l&>MTg!CľvtR$Zͅ؇UP^[%}\T衤f CC>nH@4Tڦn /~+ BoZ͍G[QU"uPwƣ]s#VT}!ԝhDNt-K6"OHAQ LB5冁ⶫz!!`,?"t8|5r/>">Ib0_~4p_|aA^8͍ⅆDh~oίʼnx+LccyUmfX"gݤNN:i/ӧ޲;wE˦J*5/vODw윕߭RMU,9O': K;`j0vI/n{B n3 ?u&k!Xĭ#8"p8D NKwפ_: /Iwy/ Py,WhKG6;?%mC ځL H<@Y ץ>ym4_㵵Q!`d陪3ӎfFK}?<ͰumlXbz^ *}B}o k{ctMw_ ʼnP{P]ɑ-}g߮ȴ8A $,7v Y-_;#ckUzz>T>H_߹WCRBAFjEk ) @C"X -nqjv|/|7cUV& ʮBB#" EgBJ˧Ѷ4%GG$ .Mg<=rl Sl=?jVK1"i?KM}&8c8XZ:sD(%M =? }cUТ;ԩN#,e&A;cg*'m<:kBB*)-tJQՂo"`"bi%pP%8[2_}Wx[ܠ6'+[zz]0-<vx5% K7=%Q]%ڻ/zJpX"iv.s't3$ך@,[#\~ߛܬ(w W{m#Hؐ6;Ytfq^;~ 5鮑y Cgn7ș &X,KSkY[`I&OxrDoRe *k.lsh$̺A}B^žta/}x6Q<DҡVh: Rצ.\]W) bE7yHFHdt]ȗ% j@oClOhZa {:D0F"2/ -,\Xe #@H8`ܰao5ڇh)7 S=9όZἀ8ɝjs?QKEo!`ኤ%61ZD2"4{z|sh (ppwzӊ;H/ӈ@ q=0Ἵ|Vb|B  W$wpN^` EKޑŃ7wz%W:95bWeT֝P frN>zQXl"ikxܤvLN:ժ5"Y8*ƓՌ\ -c]FͲMUB5ˤMމ^ƶR6k՛(g֜Y{RvP@o!`v/*>bh^.v'&uDmږ%U.\@#ԝG0#_ bf!-A/,|DmxMV~mo=xo5͖&DR$:dP8B -.62d/8(Qh׉d8la8EF^fIENDB`fwbuilder-5.3.7/src/res/help/en_US/pfAdvancedDialog.html000066400000000000000000000517311303637203600231050ustar00rootroot00000000000000

pf settings

Most of the pf options can be found in the man page pf.conf(5) or online http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

Tab Compiler

Compiler

Full path to the policy compiler executable. Use this if you do not want to use standard Firewall Builder policy compiler that comes with the package or if you want to wrap compiler in a script.

Command line options for the compiler

Additional command line options for the policy compiler.

Output file name

Specify the name of the generated script. If left blank, the file name is constructed from the firewall object name and extension ".fw".

Script name on the firewall

Generated script will be copied to the firewall using this name. Can be full absolute path as well.

Installation process is controlled by several variables that the user can change in the "advanced" dialog for the firewall platform:

Tab "Compiler":

  • output file name
  • script name on the firewall
  • .conf file name on the firewall

Tab "Installer":

  • directory on the firewall where script should be installed
  • command that installer should execute on the firewall

These variables have default values if input fields are left blank in the dialog:

Output file name: the name of the firewall object, plus extension ".fw".

Script name on the firewall: the same as the output file name

directory on the firewall: "/etc" (tab "Installer")

command that installer executes to activate policy: installer runs script <firewall>.fw

If user enters alternative name in the "script name on the firewall", it is used when generated script is copied to the firewall. There are two input fields in the dialogs for PF and ipf where user can enter alternative name for the .fw script and .conf file. The name can be relative or absolute path. If it is a relative path or just a file name, it is treated as a file name in the directory specified by the "directory on the firewall" input field in the "Installer" tab. If the name is an absolute path, the directory entered in "directory on the firewall..." input field is ignored. If user entered alternative name for the script on the firewall, the command that installer should execute to activate it must be entered as well. If the alternative name was entered as an absolute path, activation command should take this into account and use the same absolute path. The command can start with "sudo " if user account used to copy and activate policy is not root.

Accept TCP sessions opened prior to firewall restart

If this option is ON, the firewall will accept TCP sessions opened before the firewall software has been activated. These sessions are special because the firewall never saw their initiation phase. If this option is on, the firewall creates an entry in the state table when it sees a packet that apparently belongs to the unknown TCP session.

For PF 4.x this option adds the "flags any" parameter to rules that match TCP services. PF 4.x by default behaves as if the "flags S/SA" parameter was added to all rules matching TCP services. Adding "flags any" makes the rule match not only TCP packets with the SYN flag set and the ACK flag cleared (the packet that initiates the session), but also packets with any other combination of flags, including just the ACK flag set. The firewall will see such packets when a session that was opened before the firewall software was restarted (and the session table cleared) continues to send traffic through it.

For PF 3.x the behavior of the policy compiler is the opposite: when this option is not set, it adds "flags S/SA" to all rules that match any TCP services; if this option is set, the "flags" parameter is not added to these rules at all, which makes them match TCP packets with any combination of flags.

Modulate state for all stateful rules

This adds "modulate state" parameter to rules that match any TCP services. Quoting man pf.conf(5), section STATE MODULATION:

Much of the security derived from TCP is attributable to how well the initial sequence numbers (ISNs) are chosen. Some popular stack implementations choose very poor ISNs and thus are normally susceptible to ISN prediction exploits. By applying a modulate state rule to a TCP connection, pf(4) will create a high quality random sequence number for each connection endpoint.

The modulate state directive implicitly keeps state on the rule and is only applicable to TCP connections.

For instance:

           block all
           pass out proto tcp from any to any modulate state
           pass in  proto tcp from any to any port 25 flags S/SFRA modulate state
       

Note that modulated connections will not recover when the state table is lost (firewall reboot, flushing the state table, etc...). pf(4) will not be able to infer a connection again after the state table flushes the connection's modulator. When the state is lost, the connection may be left dangling until the respective endpoints time out the connection. It is possible on a fast local network for the endpoints to start an ACK storm while trying to resynchronize after the loss of the modulator. The default flags settings (or a more strict equivalent) should be used on modulate state rules to prevent ACK storms.

Detect shadowing in policy rules

Rule shadowing happens when a certain rule is a super-set of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. For example, if rule #1 uses the network object for the source and rule #2 uses the host object located on that network for the source, rule #1 ’shadows’ rule #2 because any packet matched by #1 will never be matched by #2. This may be important if, say, rule #1 permits and #2 denies access to the same destination. If rule #1 ’shadows’ rule #2, then rule #2 will never fire. This situation is most often an error; the compiler can detect it and abort processing of the policy with an appropriate error message.

Ignore empty groups in rules

Compiler supports a special case when an empty group is used in the policy rule and there are no other objects in the same rule element. Depending on the state of this option, it generates pf rules as follows:

  • OFF: Compiler treats such case as an error and stops processing. This is because a group with no objects is equivalent to an empty rule element ("source" or "destination"), but an empty rule element is normally considered to be equal to "any". Silently treating an empty group as "any" could turn a narrowly scoped rule into one that matches all traffic, so to avoid errors this may cause, the compiler considers this situation an error.
  • ON: A group with no objects in it never matches any packets, thus rendering the rule useless. When this option is turned on, compiler just throws such rule away.

This is useful when one needs to control access to/from a group of hosts which may change and sometimes becomes empty. When this option is turned on, compiler will automatically disable the rule if the group becomes empty. Group contents can be managed manually or by a script using fwbedit command line tool.

Always permit ssh access from the management station with given address

When this option is checked, compiler adds rules to permit ssh access to the firewall from the specified address block. Rules are placed at the very beginning of the policy to make sure ssh access is permitted even if there is an error in the policy which otherwise would block it. Added rules permit packets that match both NEW and ESTABLISHED states to avoid breaking ssh sessions that were already established. Because these rules precede everything else in the policy, they bypass all later rules; keep the address block as narrow as possible (ideally only the actual management hosts).


Tab Scrub rule options

Compiler adds rules "scrub in all [options]" and "scrub out all [options]" at the top of generated pf.conf file. This dialog tab controls options added to this rule.

Clear DF bit

Translates into "scrub out all no-df"

From man pf.conf(5):

Clears the dont-fragment bit from a matching IP packet. Some operating systems are known to generate fragmented packets with the dont-fragment bit set. This is particularly true with NFS. Scrub will drop such fragmented dont-fragment packets unless no-df is specified.

Unfortunately some operating systems also generate their dont-fragment packets with a zero IP identification field. Clearing the dont-fragment bit on packets with a zero IP ID may cause deleterious results if an upstream router later fragments the packet. Using the random-id modifier (see below) is recommended in combination with the no-df modifier to ensure unique IP identifiers.

This option is only used with scrub out all rule and therefore applies to all packets sent or forwarded by the firewall.

Use random ID

Translates into "scrub out all random-id"

From man pf.conf(5):

Replaces the IP identification field with random values to compensate for predictable values generated by many hosts. This option only applies to packets that are not fragmented after the optional fragment reassembly.

This option is only used with scrub out all rule and therefore applies to all packets sent or forwarded by the firewall.

Enforce Minimum TTL

Translates into "scrub out all min-ttl"

From man pf.conf(5):

Enforces a minimum TTL for matching IP packets.

This option is only used with scrub out all rule and therefore applies to all packets sent or forwarded by the firewall.

Enforce Maximum MSS

Translates into "scrub out all max-mss"

From man pf.conf(5):

Enforces a maximum MSS for matching TCP packets.

This option is only used with scrub out all rule and therefore applies to all packets sent or forwarded by the firewall.

Reassemble fragments

Enables the following three options that control how fragments are reassembled.

Buffer and reassemble fragments

Translates into "scrub in all fragment reassemble"

From man pf.conf(5):

Using scrub rules, fragments can be reassembled by normalization. In this case, fragments are buffered until they form a complete packet, and only the completed packet is passed on to the filter. The advantage is that filter rules have to deal only with complete packets, and can ignore fragments. The drawback of caching fragments is the additional memory cost. But the full reassembly method is the only method that currently works with NAT. This is the default behavior of a scrub rule if no fragmentation modifier is supplied.

This option is only used with scrub in all rule.

Drop duplicate fragments, do not buffer and reassemble

Translates into "scrub in all fragment crop"

From man pf.conf(5):

The default fragment reassembly method is expensive, hence the option to crop is provided. In this case, pf(4) will track the fragments and cache a small range descriptor. Duplicate fragments are dropped and overlaps are cropped. Thus data will only occur once on the wire with ambiguities resolving to the first occurrence. Unlike the fragment reassemble modifier, fragments are not buffered, they are passed as soon as they are received. The fragment crop reassembly mechanism does not yet work with NAT.

This option is only used with scrub in all rule.

Drop duplicate and subsequent fragments

Translates into "scrub in all fragment drop-ovl"

From man pf.conf(5):

This option is similar to the fragment crop modifier except that all overlapping or duplicate fragments will be dropped, and all further corresponding fragments will be dropped as well.

This option is only used with scrub in all rule.


Tab Limits

Compiler adds rule "set limit [options]" at the top of generated pf.conf file. This dialog tab controls options added to this rule.

Reassembly pool

Translates into "set limit frags NNN"

From man pf.conf(5):

Sets the maximum number of entries in the memory pool used for fragment reassembly (generated by scrub rules)

State table size

Translates into "set limit states"

From man pf.conf(5):

Sets the maximum number of entries in the memory pool used by state table entries (generated by pass rules which do not specify no state).

Src-nodes

Translates into "set limit src-nodes"

From man pf.conf(5):

Sets the maximum number of entries in the memory pool used for tracking source IP addresses (generated by the sticky-address and src.track options)

Tables

Translates into "set limit tables"

From man pf.conf(5):

Sets limits on the memory pools used by tables. "set limit tables" sets the number of tables that can exist.

Table-entries

Translates into "set limit table-entries"

From man pf.conf(5):

Sets limits on the memory pools used by tables. "set limit table-entries" sets the number of addresses that can be stored in tables.


Tab Timeouts

Compiler adds rule "set timeout [options]" at the top of generated pf.conf file. This dialog tab controls options added to this rule. See man pf.conf(5) for explanation.


Tab Installer

Directory on the firewall where script should be installed

Installer will try to put the generated script in /etc on the firewall, unless this option specifies a different location.

User name used to authenticate to the firewall

This can be root or any regular user name. See "How to use built-in policy installer" on the web site at http://www.fwbuilder.org/guides/firewall_builder_howtos.html

Alternative name or address used to communicate with the firewall

Normally the installer uses the address of the interface marked as "management" to communicate with the firewall. Note that the installer uses the IP address rather than running a DNS query for the firewall's name. You can specify a different IP address in this option if necessary.

Command that installer should execute on the firewall to activate the policy

If this option is blank, the installer copies the script produced by the policy compiler to the firewall and executes it there. If this option defines a different command, the installer copies the generated script and then runs this command on the firewall instead.

Additional command line parameters to ssh

This can be useful if you want to use an alternative port for the ssh session to the firewall. Just put "-p PORT" here and this option will be appended to the ssh command line.

External policy install script

Put the full path to your own installer script here if you have one.

Command line options for the script

Command line options to the external installer script go here.


Tab Prolog/Epilog

Insert prolog script ...

You can control where exactly commands specified in the Prolog and Epilog sections will be placed:

  • in the activation shell script: commands will be placed at the very beginning of the activation shell script firewall.fw
  • in the pf rule file, at the very top: commands will be added at the top of the generated .conf file
  • in the pf rule file, after set commands: commands will be added at the top of the generated .conf file after "set limit", "set timeout" commands but before "scrub" commands.
  • in the pf rule file, after scrub commands: commands will be added at the top of the generated .conf file after "scrub" commands but before table definitions
  • in the pf rule file, after table definitions: commands will be added to the generated .conf file after the table definitions but before the first policy rule.

Prolog section

Add commands that you want the compiler to insert into the generated output here. By default the Prolog section is added at the beginning of the activation script, before the generated pf commands. Note that the generated activation script is just a shell script, so commands placed in the Prolog and Epilog sections of the script must be valid Bourne shell commands; if the "Insert prolog script ..." option above places the Prolog in the pf rule file instead, its contents must be valid pf.conf syntax.

Epilog section

Epilog commands are added at the bottom of the generated activation script, after the commands that load the pf configuration.


Tab Logging

Log Prefix:

This translates into the "label" option in pf rules that request logging.

Fallback "deny all" rule should log blocked packets

Compiler adds policy rule at the bottom of the pf rule set that just denies all packets in and out. This is just a fallback rule that follows best practices in firewall policy design. Normally this rule blocks but does not log packets. This option makes it log.


Tab Script Options

Turn debugging on in generated script

This option makes the generated firewall script print all commands when it is executed. To do this, the compiler adds "-x" to the shell command line at the top of the script. The pfctl command used to load PF rules into the kernel will also be given the command line flag "-v".

Configure interfaces of the firewall machine

This option makes compiler add commands to configure IP addresses of the interfaces of the firewall according to the "Address" objects added to interfaces in the Firewall Builder GUI.

Add virtual addresses for NAT

The compiler can generate commands to add a virtual address to one of the interfaces of the firewall machine if this option is turned on. This is needed if a NAT rule uses an IP address that does not belong to any interface of the firewall. The firewall either needs the static ’published’ ARP entry for this address, or it should be added to one of the interfaces as an ’alias’ or virtual address. The policy compiler adds code to add an ’alias’ address to the interface on top of the firewall activation script.

Flush pf states after reloading rules

Compiler can add command "pfctl -F states" after command "pfctl -f file.conf" to flush states that existed in memory from sessions opened prior to the policy reload. The reason is that some of these sessions might be denied by the new policy, but if state is not flushed, they will still work after the policy has been reloaded. This is optional and is off by default. If you rely on a policy change to cut off sessions that are already established (for example when revoking access), either turn this option on or flush the relevant states manually after the reload.

Note that the ssh session used by the built-in installer to upload the new pf configuration and activate it on the firewall is also subject to state tracking and can hang if state is flushed. However, the command added by the policy compiler when the option "Always permit ssh access from the management station with given address" is used is immune to this. This command is written in such a way that the firewall will automatically restore the state used to track the ssh session opened by the installer, so it will never hang. This option is located in the tab "Compiler" of the same dialog.


Tab IPv6

Order in which IPv4 and IPv6 rules should be generated

Compiler can place ipv6 policies before or after ipv4 rules. This option controls the order. fwbuilder-5.3.7/src/res/help/en_US/pf_Branch.html000066400000000000000000000005131303637203600216040ustar00rootroot00000000000000

Rule Action "Branch"

This action is used to create a branch in the rule set. For PF this is implemented using anchors. To use this action, create new Policy rule set object, then drag and drop it into a well in the dialog of this action. Note that you can use policy rule set object of another firewall as well.

fwbuilder-5.3.7/src/res/help/en_US/pf_Classify.html000066400000000000000000000002631303637203600221660ustar00rootroot00000000000000

Rule Action "Classify"

This action allows the firewall to define QoS class for the packet that matches the rule. For PF it is translated into a 'queue' clause.

fwbuilder-5.3.7/src/res/help/en_US/pf_Route.html000066400000000000000000000005231303637203600215060ustar00rootroot00000000000000

Rule Action "Route"

This action makes the firewall route the packet that matches the rule through an interface or a gateway specified in the parameters of the action. This action is translated into a 'route' clause for PF and ipfilter. Compilers for PF and ipfilter support the fastroute, route-to, reply-to and dup-to options.

fwbuilder-5.3.7/src/res/help/en_US/pf_Tag.html000066400000000000000000000004401303637203600211210ustar00rootroot00000000000000

Rule Action "Tag"

This action associates an internal tag with the packet. For PF this action translates into the 'tag' clause. To use this action, create a TagService object with the tag string you want to use, then drag and drop it into the well in the action dialog.

fwbuilder-5.3.7/src/res/help/en_US/pf_rule_options.html000066400000000000000000000122361303637203600231360ustar00rootroot00000000000000

Rule options for PF policy rules

Tab General

Stateless rule

Firewall Builder always uses stateful packet inspection if it is available in the target firewall. In case of PF, this means using "keep state" option for PF 3.x. In PF 4.x, combination "flags S/SA keep state" is the default so fwbuilder does not add it explicitly to the generated pf configuration. However, sometimes it might be desirable to create a rule without state matching. Checking this checkbox makes the rule stateless and forces the compiler to add a "no state" clause to the generated pf configuration line. Note that because no state entry is created, reply packets of the matched session are not automatically permitted; they must be matched by a rule of their own.

Add 'keep state'

In PF 4.x, "flags S/SA keep state" is the default. Compiler will omit these flags while generating code for stateful rules matching TCP services. However, according to the PF FAQ, care should be taken while dealing with states and interface enc0. To avoid leaking unencrypted traffic out, the FAQ recommends setting 'keep state' explicitly in all rules on the enc0 interface. This option applies only if version is set to 4.x.


Tab Logging

Log prefix

This option translates into "label " in the generated pf configuration. Firewall Builder supports the following macros in the log prefix that are expanded at the compile time:

  • %N rule number in the GUI.
  • %A rule action
  • %I interface the rule is associated with
  • %C (iptables only) iptables chain that this rule generated code for.


Tab Tracking

Activate source tracking

This checkbox enables using max-src-nodes and max-src-states options that can be configured using other elements in this page of the dialog.

Maximum number of source addresses...

This option translates into max-src-nodes parameter. It limits the maximum number of source addresses which can simultaneously have state table entries.

Maximum number of simultaneous state entries...

This option translates into max-src-states parameter. It limits the maximum number of simultaneous state entries that a single source address can create with this rule.


Tab Limits

Maximum number of concurrent states...

This parameter translates into "max <number>". It limits the number of concurrent states the rule may create. When this limit is reached, further packets that would create state will not match this rule until existing states time out.

Maximum number of simultaneous TCP connections...

This parameter translates into "max-src-conn <number>". It limits the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.

The limit of new connections over a time interval ... / ... sec

These parameters translate into "max-src-conn-rate <number> / <seconds>". They limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average.

Overload table

This parameter translates into "overload <table>" in the generated pf configuration and can be used to create a table with the given name. Source IP addresses which hit either of the limits on established connections will be added to the named table. This table can be used in the ruleset to block further activity from the offending host, redirect it to a tarpit process, or restrict its bandwidth.

To use this table in the rules, create Address Table object with the same name and leave the file name in that object blank. Then use this object in policy rules of the firewall as usual.


Tab TCP

Modulate state

When this checkbox is checked, it makes compiler add "modulate state" clause to generated pf configuration.

This option makes pf randomize TCP initial sequence numbers (ISN) of the TCP sessions opened through the firewall, thus improving protection against ISN guessing attacks. See man page for pf.conf for more details.

synproxy

This parameter translates to the "synproxy" option in generated pf configuration. The synproxy state option can be used to cause pf itself to complete the handshake with the active endpoint, perform a handshake with the passive endpoint, and then forward packets between the endpoints. See man page for pf.conf for more details.

Use sloppy TCP state tracker for this rule

This parameter translates into "sloppy" parameter in generated pf configuration. From pf.conf man page:

This makes pf use sloppy TCP connection tracker that does not check sequence numbers at all, which makes insertion and ICMP teardown attacks way easier. This is intended to be used in situations where one does not see all packets of a connection, e.g. in asymmetric routing situations. Cannot be used with modulate or synproxy state.

fwbuilder-5.3.7/src/res/help/en_US/pix-failover-group-1.png000066400000000000000000001523401303637203600234450ustar00rootroot00000000000000PNG  IHDR&} iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx}]չw|θK2L$A+Jʫ=­RzBK($gqw}޳3Lvgߒ_m~[p8`4K955&MΘ\^P0 [aL %CƑy=:[}/mv)m:caNq|xqx53-ˉz4Z\0,0wp=NjhqS,l\">#H0K! 
F\򴅗g"Ԕ\FS /%)h>bp^b[f86EOkRofv;MZZ|R Ggf&0TʑK?;)x&6^r#p1eբ {>0OxjP%q|Ii7<rV AKI2x``fz˥eKNQ*z(sb<vXg}dA[mV凋xISe0`f~ʜ%Ly󓉖xw#'[П>KaF'H8eZXN<1 pjyߗŋ?>a.R3e2o} b(LBw} AR-8 (uȅ L¯yicY >ziH%AZjp1QLk:NTD`"qE\e媭rn4IRw՗ 9+W{l?VB[:l[10 z E%V¤̰ i8VHu3lJ h+ñFKI+٬&T}j\N#tPA.DZpj'}P0V[BdUHYa:j &"6ԦG#0j Ub{qA׍q P4E#ZO@4`"/R)߂:^,p4`ݛcZ$ 40JS J@tx}mؼ [DDh] *Ri# 1* cCD]+)[2k\D[O jcޯ -;}f9 }D"/{& GlHJJJFP0L!ع{[شq)l*x]Ifl t`㚕ذ(RԗŻ=6vv7!U_ }$cFFN ƀ69kb{ƏɄQaRfVT-[$]2m2fieIMW_}˜9Y:EE%|.dD(MkWBƊRԴ $<0(+)FG?ɷ8lH,}-8Zt }^3I(vlA@'0nCrj"z[kQR^ =\QT\zxqװnWR2nђ*Ih!)ŏ[VMf ='~"ft;Ibl6އ(w# 6V` @cHLNAdPQ\LƋ@ lۇ%p1 {qDs`h0%(qsG-ĬiuS1m޶zV[VEG nEgk3 `5K+`Șq*af_w߀%)ɑĕLV]{c(6^^T<cp(ho Eэ2ַۍ8Ѐ^AW{ ,h)GY}"ƒQmcw .ی yY0J}$LϣҒk1 zNjH|%U)(;+V#:w*b(y4l𢩺UFH?.xgtx`5)>'-.oQkERj<@T6{-Mhjj10-UNj`ꕳqR]UOq\08Qd,#a\h'Ť 9 a2ۆW_X16>VeLLb`8jF" g+.ƴ93bVΆ"<ro;Ġx} &Gxw?cIPLT ヌDJ(:aMa\MEYDfzG43\AɈ 6Re¤('XrRMIf۶(b dB ؽn5YqI">!=!- o- iX`.}˿XNBgN|øɨ/ڂUێȎ]%er U=¾HL"cBG^29۶aʬ {E@g2"&* qacnLJA\R(V<$ڃvܼ(LJ=R;!69 {^=ƤHNO݇hd c"  #w}dv+ h2E 3;Zqh,݌ڵ xjw|6Xbm،+"eVo~ vV6(ӓ㱟˜h;}GT.c@1AnlAP]/@YL,ē V(l@wZ0q:\TQyh3zD%) os];2r76cc=K;0`<}XWџq\. QbBvt?߷7:YYH&R؜qdC aAq vCd|<ʷE7b\oEƤ+l?ǂ).>lo%̿ axgN ;-21)Ȍ Aͱ#а?K߂R+7# _SZ={#)=kmvl[]х`Gr/<BCxwVe˱E1R XoPoNFd'c"ҥS-{qQ_A—> P*wVVסK11 (#82w'fN@+Wg@uet8-ڀNdFc`؍NxoCE }eil)<8`-afB7;h@GwbmnߍmKu;ж; 7y\0fOEYw#OF@Dm 貰̸NX(MF~/j(Wvw2O)Ed¬)7Y1v\T3o7“ ?-~ xnBjH{&Kw/Ŕ`8g'bB(>ݷԧ; !v80Qypqy[ AoH4  Sh`Ԍw⋷%3W6aҲ 9W@>p2d%)v^,I Z@ls$() RP惑8Y {RJ 2iI[ ?0) [zݸ"o96"CR163kW?hӢ)xLSPb(-qoVpQB5X:,^TDxx($om!ƇvB_sa(v:*ClD4Ҋj4v#;!aUSah܂ʍpehNYx ݰxXxf\1J2Nu훻0%$e ,퐱tbZ#KS!5ѓIɬȸɷd,KE}v:n nj 6`[ql6 鳿ƚjl_KoDH@qDewށ&ԅ]i]X},cZ6!{;vGH)J"/|&LHCmuPHf\*t $?:1CuTOϺSk?f'ENz ̞=OyTte5T)peHvcB=ԄDb.;$ aa&&Yɹhv( ŨmCs?dSLy$7%QXGJ(v2p ٵ 7zGeMDNx Z F}{?&1)`t 0dMFvP~ǵ 'cg}L )-]P،AASTE5žV!u g? J Ť0C0u|#XC10T U ]} #^Tx(j67$vd6|(-D Aڌ97i $R&ΚԄpwDza޽$\& O? 
BLjdFJ$LIB#EfX8*`?Ү kWn@G`_rֿ׍Y(=rGz&*#KPY׀>;PЉXq2 vRBj>UIqjƶnbGO MO'ޏ5עC sgOo,ʛz2( :'!cތEklT2t0eB<Ւ!(r.fEP3Xt3'JQUQ^q3 !߰rƩ!Vn2nRTDx :Itvv1F$2Q1s"-v:gde_wp;p(JBI} !R5 fOCՇA'Ua~2#N+(s9>ݿ!m6-\Ư]j^9'w= NQّ  q^Դ N'a:FF*V\uJqw8@i,?)ATwa]5PqJLid'GZyJE\Yx[}iR m8(xTJyTTI@YE%!nJXL4StKe9BBR_XJNSH TKGvs9;-V'-?9/mTTmRW!hC Ҡ91Z/W%*R0j%p %0XGKC%H%1)KwD\R7pDkȴj?GI{ِӟ <03RD#b(+z->2cn4$oBc3&U= 1ѐпuttttt.9:crɻ@n!1 (y(wcc ګ;C=19ΑK\k37~|I^ 󮶞eory! ̉2'7:Hff4Gcx=p ..|:r^'0X= 0pqh3\.^}c & WEƂlGKDj$̉0#rG] IDAT}oRG@G@G@G@G `6ej.M**TCImh fsq\P/p9WuB}>!zc#17..'3+gGG#####B[f^&x=Y\#a:x,E\E#̐8^$btNBKittF9h&} qsDD#38 sAqQ"O&[13c ?mu0',޿&2<ͳK3r"mn0x2cd* b J@DF"SBL0'_-ȔǠ#"̋ĽA:v+gƋ\U8)0s-immUQ+@י!7/'imL\prJ7LI +*[[pv/y!C0%dQԃ]oņ \+GkIB9H`!}o,2#Zy;[ȡ\R#USs<<}r edQk_? NjS+ǩZ?lCCCyRECj'+GY (ؓyЙ.ɞ]@avrh 1cc # 7n}Cŏ$B9;y j"6˥|1уE@DbAP)%jLsMEEHiL…+gXm4nYŨpK.핌I.D x7y2ʜBm6ixD7$>2n'$gb]vVڋ3th?N96SA. 9,6ù/!M(fP|&k8Q2q%%̖FCm-m1byJ}<-<25Ym5*t0Mhooݤ!!!FAO+*@cW@;4^%]AUƈ"}13n]{3ǒYX>1i,UX&M IJǒ %[U-PZfF\G$)rl-f S=K],_^H[Y7.3<t=b܈s?31#Kq(R9RJv$%vtBReL4ψȿ c"4*d__u !pYME(|B.f#d8 I@' 嵥LT&E3P.=|PZrG[6W_v7#Ȋ݃. u=^Ғ]V.o05(4US./:5G\QhA. H@&LM"G}.jĴtw9pldzo͟ BQV|=Ÿl0Pҽ*8w'z=|k{F&h@Yu"ӑ#Gx/Kdt`ߡctvP-lըlDrZC^WNԁL4[{}ːš}#ViqhGGw?HdD,t>ӌן1&?4E_/Ȼ!ΎF]U%| ؜t|/ѻA TãalA׆p;JBφ2Z8EGȔB&ܔ8Y= 3mm  3-=1!F~O9D&4u!?)a鈧CG(\}0tPL}'&S=7q~qk9?4F"]p{ 6ptաߏܔe|o]{ [>&-iCX?V®5aw-X:o@Xt1:tQb"DB!2--R !@$pdxB\[a͟AQF^{`ڀ~= zh7humؼ~=o~7cVp0O[t֊|Q"%R bI-1am)Be1TW;Fk]8w^ܞ5ޣ0{)ij(1}<R0BeLEY7*>XZ"dm7{6D҇Ղl6Ǭe_s13_[_T+<:sǜ3crI=%j,sa;]=NN:@;ob~tLIaF4;Mxg])֗lA\D$E¢ڥ 1k <!̊VG M? 6j C= J*6`}trxIIWW6nܨF%N:;vL6Ma"FsmID}\v:%Arp3?MW_~L\nAXX[Kk5m6^˭UnJ'Dksh뜨n2Ar$33c"*N$i>2DFDg1m| ሾyY0P=} %#=sͨ-5!)1RA+`||᳷@;u9Lyw"'<NᣊȘ~*_4?oOfMz1ۭBagŬacy9& <9߽#bg~[?u{BnǤqi[+1(x;W?xIYzzzPWW1{ٜ1G W-٢0ڥeAL >`z!9 _4>7@qg k` jK Ҋ">![ iQR06<_X|mUl1f䍛 3E`0J-u9c'\5j؂y=.,7["Ryc;T+gjA'@jxv^|aFGE;s  0X0s\2v-Nb_tٓPrm4vգm_Ê`Mi&Qr0N%c؋#w7y#wulo£0i nFr.{=@pImdn>lݰQ5SQbXIca掌 j+"1e,~fn<44=5M>ܶt̤eu\gBF wOiAcvK"$#SbfANahλ:*H/rf݈WMB-H!TQ2;fL4!.) 
"%`R^Ǝ͂g%U'1575_ O) 9Z˕æMh| pNQ\T&&&b #s!j/Ÿ(bxpX?)_ԻjrL!)8JjAv/彫CdA !,86ڠm)Zpǁ(D }Gp+CDOuħ&|+ҌTIT x髑ϵ^hmA4HS-`oW)OF>(jة':ɡR2V222#jXKNgCl,_I;'CW|,F<fE +59J̴!ۊ U=-sY;::q9ؒ42dN˼w$R5x-;CU$ƫTDD"iBDe"~@(sFyh`k6Ӌ6uLZ1T֩de7L edhEBitx81GZ(^B^pD%DUHeBTc/Oj1RYY r#'}Z)GǙC~omّsj2~ZpR7!T瓏[˸G]el 5%98Ø n:/m2G+a$Wa%.#ͲKʕgBׄ=՜1CuJi: &Ir;kS&|!&e0arO\  ^6\嚝 u> DJ2H`zxD.O߉v (2oi N;Fk@G gR]h/O˼J/4 d^y;X%wL8/V⮯=@edHW2d0'cP}PY|E tM"*$dj4Rp fF`f,6`arOƪ:^w[}9U e4IPS%y/e+ ؀C`{*_&pz0|G0ڄev"&SF:aqHM@IemdDS cLl>LڦU?vTĦ͸֥4z$>~9(h+ f S5_+=@pxHK:F Q?pZ)CYy-SRQ6ޑnrT5G M8;ThAzRVE)Oiw!!֮en Y#wRGNJ#I ĆVʵNIK mW5ϊ+0[uv*. WqUo cE Lx3XT]}:V0~ZZ'Ͳg=5GC@ĹSVSG @*9qHX-IŇ]ypB G|GprԙuO$$>ЏKvs):'ByX>Ϸ 2hDg#21B VTeqO[ B>[C;jZ:DNnoL+H.M07}3 1Tu"Fc^0)<1ɩqh( a[Yqai)C[4,6s‚qq6X,44+3fa Е~V#\$#9_~X־~fʘdW{ո~f~ӧ} 1ֺJ$1޷Bܵ O/ +=6,Ǣo}~1B\k0^kopu9՝[pVhe32#/GYOQidJ$I#A7[ʭsQ(Q鏒0M2G8NrZ}Yky]N{1[oYsYTDӡ)G*'ڞn#6f Si ʩC]e4TLGb(%pljjRh5$ݙ¹)Wb1aGq"7*RFHe ) b:ELB =5&edDHr]vvQUӏA/B!Cj㱎$`*a  `-Z[Kr!zl̑*8{6RB؊MV8YQz (&&R2nʐ/MCtLwjNO ґ#;QǎBAȔa~A߇߯<,۞GtWkkg8^whGYњnL3N120v;knƠذcpsAhݛUisY\8ttW7P_9MAPDW~VigĶukq^ ix]IQ*JZpGA#.s?` 2X끟i*6l:ko Ce#۸wDOhu%p4Ϟh߾i3p)6aݚha⥊+{x c*XO# Ra@U|=rbNWwP'%KD@+:gϚ8S/6mWh&JUt4_T!3N\]G'K_o3jNK˾]JJJN`zNU tLcZc04D28VC^g/& :0OTbDSk/|#:RѲ_uu_g'#9v2m-hnA3#lXfx'k+~ kh f k@E}]<<>\JJzO~ oo N%y!%NԵ d-W :mƺjYgxsn} \s 'Ǟn$ WǺ>gvY\Ȱ@4S~_!nKQ}=dhyd"l\z7\u"s19)F[ w47mA\H\ZƆH%3| ^piMGLh2Ht(BO 48NHc N 5̈DlQirtn"Y,!!߹ >Hpq1 @ Y4yM ;2&Ns[XMe9ScKMB~EO Cb [`bcW_3odP8WɘbÆU0܊O? ǥ/$O|>. 
FĈ|c;ZE.ƷPP˘ys_lP+A߅_ 8]J4xC!wCK:=V=)C(.@s:IYm87E鸒 +.~]OۛY1mxULKdJ_ΰ7+F$LxBTdGTH܇%W(x%^Qcu{jwGRw+=u 7R4uN/G;&>Xl)JQfJ2qVus̒n@WpR## EKژ lO݊E'*:2aNb ڄy(֢׀d%>z@ձ.t8x<;*sJ?&A77Y]r0!;f sym3*tLC;u?wx=3 57iWG#wT50cFB\)3`KǿH;csY7>1~BmʎH B;lKd:Г nHn*{[kq\s;mS0lDiC8xv6L*_y2Ĕ졸Ů_7Bo/ǯ_oş^y-[EGO}4\;:hē~ UcuMw"߱VZ혍?#!!vWTˣr!Eh|kfMυ9 ܅,J(Bf9"R O\Xִ4Et|OkLS MۛPDFG(JyRJ=U{?_\~ (rB pg0+ ^zsڻ;0ym [Ks2̟3q 'a*-Z-kp1j;źw"<-)sbů|%11&`ÌYQC=JPY](IŎ!igqܱ8~)h)kx54);׾k?@p⩰АxGmkFNzr]_3U3 2 =!gT 6>(*+A7/!#ٌW ۉZ=|J~.zȘ"/ƌף;ލt$᝕PN˱D\;Hv`j$/Zsg"Dj tR_C{|&YOFb´x6$x4ʜ 'yh>CpD!:kjYڗހwIȳ(E1ʙJR]s;1.և_i_žLNDxs1-;k}TTt`ڔ1j UhBgsfkԈ=iw%}9(*= ;2 N')x`7SHхo>k?ѽ=B}x8Ozw1A'|eMA_>q&v&RJfG+ {;Q޻1e,D~g?2p͸Fe1 1SB^y wx/"/=w&Ah5Nf3d(GD]VrIW yl%UN\{Oچf: Q/yr{T A")qIʨ057qZTxyʝ6*Q,!z[ܭ|L"N0&˛aZC/.y` fqs^3H۬0hqHBt¼E0:`XJMd$qA&Z)ܝq4wfk0D?}AlQؤ.fޝ_O rctܻG)H`H(U+a<<= wR߬l W)cxZv `]s^=eI\Q(H$es#IHkBJAbF??a3%!Q-Ld=E2\6qVYJ \l A$+?@ꅑ$kIv́z$Q:c6N4=cG!*mgK3x:J-Yfd7Í}]7$!#S[pD|> Ci\9%$rȤw =~WwDמ@ Wsrk_bg{HB (w Ac/9~n1Jp=869ٷ?N7`*3O=ţag.P6U۱Y0V%qk1S9k8OUktt ҃EUZ3wNV -''٤tJ0|7-#7KШf=O\2 ax5{<!jWQ)4,pn#M #o<*zۥfdh(SORrOz)VمY#KrmXZ~1,W\w#ߟ,qv?oIRgXGmW<v|`)۴#՜fRjBA/I :տG $Ida#y L@SlUAcbH&cA+h:qU(K%$ sBQrFGP:ߘ)u/\;Qy=ŧ.VQ_#+ru;pEu_g9Wyީ Y1Zm6W^ƭn).h8"BG"y%'GEzwmesE/# {W.o^l_|SBыGa r sp;SR!ɡu$s8tQZF^ o,FX/6N[1by3v46i<#19`;ރaK­(⼫4VqeYŅ2DU[AYgcO E;{4}NЮM? ޷{8{BO?t?[cE? 
|{qeF WTY{7_F#n Ϥsc y>3[߸_pp%;x"y546`ҙ/>vWPLO/g|QmջD:q9=HnPX$u(x_!cxϢ1J#<3gvա` Q2))wJmjx+]=I#Vl$5^Izӕ#Ç9k 999+D\,͙;zHphf8 2ţX]Qy.UctDt1wPg"HH8#; Tnp =ґDNi{׮]k%qb؜q˱c*l޺ ^N7{o2uOEc.Yy!Pm="tAErNI0OR_qRcA`SX,A"16 a!CQ0z<'Fi9cv:o|jy9rK^;'wgD܆hhjB,%j=h L~ˢ$%ࢎyYB!n-*^ ⑺<^.$Ca$hv5QZ06GMe9iB<Fem!Rbr0s< Oμb.XIӼzV\u#^Jf^U<ĥb^򢅎hr ^*ѧhF ) 7 x«)̓!Ip 8 G{Bc%>ۨ04EZL䰏ƞs߅ w3%s}O3}VZPA֟RéS: $pAi ꅃȦX, j+#`QP IDATp㵸ǿ5x?D8> `3)q촢J ?)כފ]޷]5iL>\wxHnF,kr3QMk<@OaӗS6vv}mm*^8@ssg1FSQyz}~Ykս9͌Պ"J[DڐOy=x7im&PF#?t3\S|[oefi'3Jʟq胕?"N.fq$Kƃq#px.\`ҧyX|D|ڳfxߌ~=& 7yW#M}x쮻`8N9zvK~شjq!{bds5C$}V_!؆yMabkSJ\nۤ҈ TZipmQn6t!VSWn{e81uSk hS=q_:nPCK[_;B\:stnR-a{щF)%ʯcgÈ \>}h.RhOi(HSͺog)/ja<#;#Gd=,+;SBo9mQȡAX}( hq]l|>brU#Tmhރوof@]oa7:(4"Ǣ=o" [L5cFMAwE8[Q3Ț6c ;l0Y| i^ڪѴu[n*Rȟvb'Nu(n,ĵ#vg˷D@k4t̯d KOne]剏Zx RzE w5|+r掛1g)~Q5Cp]_52۲v[Jt>pU_koOr1A~{^zm}H4͠-p{ <|153{BQX;[+&%O0i1;;rޏk9\< 6Ǻ5߹W#%ۜO|*o{}QKZ*)MKq3~λѼ\ =;_#{BkO檂|@I^g#}4l܍Mo |/!tG")&ӟ̠Β(DqbJdsFGŤt',{L~FKZN[z^ۓ-wXչS[ՊyGlmgt8i"76QBB{_adAtOEqXNqMGQØ$px///mF9ﭨEspGƌ?/~jAg n|2: ba*ش|غ[RԽ<\871yFW=Ђ7i+DWtO}f_[Ϝ+FKoyv#xpnןs9.-7s_7nfx.l܅O.K撙<W\xx\x^F**F[yX ;|F-h=#3o|j^uY hmG1^hugʧUlV 䎙P╄_{KsL^7_gAo_D1Oi(ߘ0a1~ ^H FĜKRAwe hŝܡ#Ț@z|cPs7z>‘3*GbUPL')h?@:d}TM/q PJ&gvҨVdzW\<95eʔx}!E_ KW87­ejFqә8󹿼h)nS, z[$u7cL;~PsPiOp3;_4{#>)OF5u#V7n(4л}oA ,)cTTh،[4O 9]<1 mKO*8塀U['؛[ (} {~7 o&ḱh9g6Ag&lI 2>RJ2B<?0~rn)| F3ĔvƾdnF>Zm`VDi6>,]cGuKgM`fSz2t%/R&t)ZAdH+**uEss0ӆBA66T!bqZ:mAߧ^>|Ag>{o]dcX>J؆HVVā"uKi30kj9r߮N[J+VdHCʤ9Ⱥsr @-V;M7#Ǒ#w#X>) `^a8̓`9џ-[`׮س{y+.gVv}bv^4/zs_)33P&R%F]c(>.ν(Ny;sxbϸzt%2{֭-q_^B|QQ=NH1sW\cϠ[yd=z}՝nuN4E-_n)TSGɁ&l޽짌 ^F11Xc;TO]1HY< y`,yqlZ}ĸ ;ٴi*ӕ~%kxB4v/lܾiތ_,YÉzqGD-^Z,&'nلy {B|WaqUӜGpq'ı֯z1,cx}6d!?16V5PS^->pǚ0p!JUGM:y>H7Eҙ:: skG]=}v2_K'{1s ~e<ʏ\NƤw|盼_ÒXړx//}U#o|'i~yjUeɑ/{Ym8JF/z>sʹ<:8pT[5?N|At paڪDI](ٳ… M>gy7z{Kw,u'[=OT K 󲢾XӫdГ} HKO=Gp{,n`*ߌw*'Z#~,˯b1g\Jch/$:'Ǐa>>]| fEx}~}xdcʨ8g"\9:n]uVZX (/=1K֯_RЋgm`ˈ#XUz#Gѩ(ܸ<#-{&^C{X$q۹U`s'rڌu#x G~J4D~ֹCGb4^A8g,m5V-|rt$ abB8N`KMW/Æ\3g#I(c#+rV 8ݴ/"b_E2&EIG@oݨb5%SlZ9~ sHHL VeF*-w˷;(DqS}G߁#t(nkiU4Fύ^E]8 RZ]QM*AK~쯍`żIQGvڵ 
0L^f=sk9eD߱#|+6ḑ}dwߥضe+x=8bb76Fe2̊!v!馛peq3f͝c1v7`ǫDA=H׃g]yAooe_?!-ZM6QM1T>azv.')8ܖ)""1>aQq}ǎI Wc.Vy}|gVEiӕ"ǥ*p >Mw%JLJ(}e!T_=Ԗ eA~= 'fwq{e}MqfF. ш[* qU^9觷#oSu3c7M ~q>LM+W0i^^q^Ojv9{M* Em/ $.h-N}ĢáqlG$njSzbLc Gzw"!|5}jq>$2ӐK<(8>Cfеt%%O`Vu± N|qt%@,6*S}B3)EKo7nذa.iQb+`0@ZbDW)Uc͉xc mjOu|MkV|,(&̵OOB~drDznvz0Ôr5σ8;9t\ށ_սڽ۟Ѽ{9{Ͽ'v=".I^uҊ阔7Y Kg_f\m|92n$23vuԤ4w6-6 HW0@,$%k^0:iqʧxĉne2݀T{|}y4֮DtEșLb>0Nw3Ag]x0Z G7uO&~kpQuP٩p>z(t/'Dii Mq&s Jiii7nQPTbF$ YP茋OܼoKk&XEe~K.7$3Q56n9wԧ.\EqnOI7#+.oKAo#f⿨` t+83qd).}v!RO{ッtqLy}n%1aވ[C 7irn?rjO^/QޮnUR_%"zDԝKO‡j#4N])zyOF9U6,NVNh=WSVAXI^!AJ)kصhQ,ziHKa/OwY1Ri+A#b [? ;V6zP`F_@\i6g\8N>?%71M…ހF`;x$q9JM>GK#+W\H ?o1gN܁+cSY=c-Xʳ8Ogpc98F҆ uLwuN:طe5>_aRD'Ӆ)t*Ӽ7~V sy;x;eeLDV+JI:e*40= nb $9#ru ¹ch8J8ktͣkrr%3ދXP(A FA4HD)Ѥ/݁xũ|_^_qdOK-3Q=;鑄!5zpB1祙qǾ-,8 ANiϬ ;΄wd6X,D_D{B11]Io@0c2 yd3G9p! %Dr.R;Rk?v2%g3{4?n\r e`)T o2y$c 7W $h2S"Dd$9}N{KTĹ;ŻiFC{'M 'AޛQ@ϴ!(E^)ga(OEhܧ3Bg3d]p%MCEmG_ġ)~FXZ-(1O 2Ϟ4FieJz"e[eL:[Pz.l[W9e9(QMV1YdJQ,]RKQ__o왨X> '{#wTmO,rzR|I/c/߷agbi|`H$'bRdtɮ>!dngG(zб} {e8ʸ~n[zt̜ PQɭ޹0&O@^ SWϞZ,J<)lN?_nմG5Hq;re./C'STZA9%G.k)76X,E"`8|(.A4"e:̀`,E"`oA2&v#KqD8E"`X*^OgD[:-n1$nV ,E"`8}ߎ 8Wbly_`o߻@c[uc?E"`X/>,A$Y}UHE%ʱm1d^MiX,E KEiHGhh('yyxWa۾2ċc<;E"`X, d2E6rx兏?PٕٽAd:uQE"`X,EmdH6rqIY(0~O@GGz&]9h#-E"`􂀯c+7kn|>q"xOO2걾q(gX즏,/ /Û @jV67QB"3Q5GiE"`X,sX oGzv })hُ#3o335G;E"`X,#/ch>Q񓜒p^8@($ kE"`X,cA`r(Rѵv yHZGoZۓpỮҐ19aZ,E4G_1 uL<8+~xQݛ9Vbr%|E"`32&D!;?hll4-Fn-X,EtF_đ/k8܂f[ '% %9mE"`X~s`jbN^O{i.>jigOg gȴed&Z;oH;0T /@[{jjjL?;ve2$*>pZ[[M˟~QG4x"b>z`ѳ"`X#!--0&J FFF%+>-X~~V?h(Ξ4n9knP;'%BsP5aZ(y tfg2M޼az1 O4ISO#|4T)INIͼAuhstڞ*jV8ӖhdJ/Uf;ix#;id}jO>l1׼gOSb S CQ:B ch Rqdf^ݻr>$aT ĕnT:# vE"`$F@oYC>,v؁|3QYyo܁L:iT(4"IR;A'lM,9EsrФOL6v  UEN^nlO0yLyL WL*T?Vwk,Ё QyihbքϺ8U&M&T;<%^0;j3yIGe =mp aǡ|Xhbht.LM[IezEGP O34ĞQGL/I@sk6qÃ>.;Ҍ,IrcbF$;qEafRc1eRz KLTǎN%X,N4!ѷDعs'~_?q444QxM-@[a:r b(2SH&sB?PdVth[[4Sڮɝ8d^M5XÔxdվ{Anի؃L?Q 6|1SC#dbt^mvޞbZC7ñgHN1FO,Zg8|Bߴxgc؋Է^ (dZjL#IOJ̈$#bf׮]g?+]wm>~WxK ;!v8X,ЪQh$8w\޽8H 泌"990 y1''@F24QaH*Z#p3~/db^-Ka"b&XQZm<}j2 
NMbp$Hbb:AiFnf:MJI[4je46++1f/pҚonôĥӄ-4(b[vQ[GIJЭ>8|$OFP5P ãYgB|P gӕi` LQef$-3ta-P<M M(v5֋Vki$v9]&_yÒHsԩSg_`SeJg _aXN\1C5fffbĈF~zsOKyn^ۑ:y9Y:J3qլ'p"䣉Ha84A3;iHJt5J<1=P`b45j%02)`ZbIܭM|tLDcg:ɪcL$b(8F-hR7I\jemh4mvSS7/MݝnҭkM.>GcұL\U'lzaXvúUQnI >t趧R 9˔D0&-4 R2N9t >Iْ9rzŘ| 0tP[[bZ-J6PrpRF0˞ L"`8pr$1s"eX@8zNDtr%)g|{v=LNyHM M8h𣉄Gl"r5p&?I8Z8'pIƙHͤƉJNj"S:k壉ΉWjyw cKUӣ5Y[}3A[uk"FoKL}LѴ軅iGuF~U[f<>JUJ4ƀIeU0sq|Xe|a'Yi'Un3Dwm#h\KjQ\\n11b>rrrpUW~-ɟ)bu><$I_ Kw@"Iv986E"p"~\DM1*wȑ+3`kap1=uF8hD3&3M(ޛFeh2NETӤ'iM:}MR\$ [Vb^03TFXFu3 4b4*"Ѩ#]٣NYҙ/,L>}Z.-Uw42ӀQݤQ?x|\#ZEl>@!I|0lNgx/!󡏞ɏ"wXȲqE" A1&ڦQ]wϪ6k04 pV܆cƓ/l-!cS +-'g1_%-H c^O;܇62vӐG@S`8 uЊ х;t[ (5y3NLb&_&=8g=^ys+}Axj= bX&m==λRnZCìdZh8o¥ǙT8mQt"X.V,!:qJ?r- aNj,.] D b82/T$,]~184hy0&ʌb Й}nM]νl<_i$j-D3e}tN]Mb%{ncU:A| ˖-3~F0f<8` ͇{Ep'\{C=ؼCzqC/=cɱqwi` }U{8[3n2#^0~ғd3g{:<ӺZjES\EEEf@vAycP#S?wǕŊW$JK*w`wOmhV~j躼A s+`9)a;;䲓hrAЕ#GW2?mT}9/ym`J3V7Ym5mɛiUgsQa>dBxc&%[/b Fnϊnp&1KtGY,Ǹ6b wuOmŶ-o@'lshT:,m2[IlKg`e:Q~-#tO.H9r ?A%KK._!925jD_ĢE;WȘRw3oŦu;2zRc|`pϻ?!Hl^85YJ2ɖw_a/[ּ[{XW_;oŪk C`4x)׻vɃg!tKQ93v+VoE;'0Ї-W𖽤bFe $Ο2 OG(R导ٳ&`Ϛش̃Sb\&q2-2+7Dyeطi 6ڈ4/kW3*lSɉ3 S-`/]0YUD: ͇+]6|c9ַ!d&f`ݛ+~38VAcef`ܰzUlW(kLMYfϫdz_O1!bĘH0s}1{bR¥wa…V2oGuAy*',c둑ԐXmIFnV*13-ys˰3S~1 mmơ#5HCz2e2M5Uh(Ơ+t88y"HMkQ# )SAt:}ȑg:ŝf}k?? 7nĉ `|tcV-1{&]E\j2|,P產e~oK~l#ϛǾooOЀs / 3¹sapa#䄝Ue83\.l'mpgcƔrހ`aF,}UԵrwT&1S۷"x\0ۗ.#M+)S'!5Z ;*tTbL>#۱Vغ1<Wo)1"7dxvlX5{[638Ũ#1rT.J>d2~Q=ÕaR߹+1e ep6y;QDqX_SyrKP)Ѷiӌ^92vGX:OOy"ݷ>?:# Ff@OϴA#= g$23 2]$qHfyLf𐎖C;R<:xGƭV2zڶtaF)YP[I Il^Om24f+I>?C\~-]KDHC0J^ŷG SMeqIDAT>644)%Do#WISC7Z j WpޢcyomaI] ˔ } J[SuC+af9%PF)#d7(~5إz<*H8qkĔ)#: 6p3!FtD V );J`(@7d%;&SgGSCtN#Ɩ /c R!ؼʙ()*@Y4p pS{78E=Ǖ!ӈ+rVTFcF%p8Fzlٻu2}DF(L&]U^ahB7z qk%9"'=dK$Դt i3hV&H]z6Ɩai?y>]`M5%\yj;0gm2'[Τ;nmPUc#QmM~]};ƠRVm7 "dϫ5gqź~u aG[D~r;=`뎍8cڅV#nhRp4FOffh{3tpf!\ ;vC2ߥJa^0311̞J:nf)ޱ`2oxcyGƖ<}ZҒ|4‘:nCskaař<ҧm Zc0<əq#Deߞ-صRcP}n6[E%8i'*kZRN),ٸǑA=C%?g#pYa3{2YgkT̉X~HʝLqΘbȏF6u>&,(V"d1.1ZoE\MF@ 0DIIM[c7N:} jOW`|U ^tP? 
b7*0 Ё-4WlC~4d$G7r{C] 6x.ׯE|q!V޻|.ä_ͷ|+_x|[6o÷?|J,{NqK6.(k 7^X2s& +pGE'l8[ZQpB$w;ݶ 1?zg?B9X'O~%u8c7?_G[j_H߄ oy|,x̚W?=>`?oۂ:X{]I)M;\lsܺ;^ј/il??Qc.F!1]Fae2Ӑ=K=q ɝ]d@!wLn}{mqp9g`5ŧeŅ"DmQ'B05 gN)E%ayHމ=o7O<3myg BL 2 ۢ~y(HOAp rWNs~ƺ[j1&,Fr4gSkdpe7KΧ NDnqYJQN~Th (e Ŷ.Q[C2S8qؿ9!:+d&Ρ Y11(1M4 --VS% rȄLC˱Ͼ˱jjfhiVm뉴`> 3Ə5>Ia$꫊?61tDeRciSy-$52L(ٿ2}8Ĺ#-g(&+ґq-?_7#WY٣0{w!x/MXNJUZ{?WwzVkAalQ/ Bx0 n >}6]p%FN ><sO~\;؇/s9Mxz}e.LOow^GB xӰG(9\JrSA,&zP%jPt3cλnDSJ>)~U4~1qh@)1 :`OfԭsqNb"D䠨lhDLqGPY)6/saL<) O{+;{2_?/^%tpI,? S7^P<#2%b̵}J ķf`!)$EjLp=('IgXP*X[nƏt(ԉOV]ښ Z;IT|㜩~n&Om[&IXIC $ {*} Ȝhjs W>rIOH򜂋e1MT3ԫlJ2qRE0+r:S],1.#ghUeLܔ^LJU'LhrY)2~"$N9 My[ʉvO^ؾ}ϽwԨHR&.▭k7`ℷӋʫߦqNSw2iMM#ǽ?&r2XĩH t\y^Zd?ik1LLluEv\>> G[h[J!=x|eY9\d9?7~~JMGV5@K@YGQO#kTfomwY)BqYXdә+GEJ n1PJ˟+6ԴbB{I \l億&3<+v{ǥ-CG1'zd;??ߌ3y_olL'}jOuf/6_*nR*q9J[_XGe(=0.7٩]bw7 Zg8L=/ўu]]]nS[j~Νƨ,YX=$ (#8%B",_!%BlTVVAth sO@C5TT/ .o[ƏDd8J8N}pby΢tuttS hWY@긨$vj)[/dQ"%&)z7;3w/x[[߆ߍUٙb Z `㽙R6dgM"FmNX2kxmqLLߥq D 6owlu+m칮0IkJuڱ S-Av}dȬ- G0#0/֘"F&c"튅lvC1AayG֮>縎1\ \wgvfDfN4|f]|sY5`(jnZ{͛޿pa}ғ7m61{tھN Z D^8~IF jx|S`?0&S C0]b瓗; ?K]OciY*Me; ig(E Cҏ8ٹm-LpA@z Ɩc8 ̖Y-4hB?woV=ᗒ]VJ"P (F_a̜?k}1/A_sh򥄮0pPz )Ti-3{|7 B]t\(M[I&MZuA(uB<5_yr񰞙qa/V̓NNs_ GweX7?s80d(޿>ҥK#3)yo)LX+PU|]ɷrn!ksMS@ ZD@D\8-<]^@m"d;MIq\'0V"2v Sџb%5E%F3(w&0ΒR* Wd/hZ!'@{{a(kڷ׿%G8nix$fDK"dkemO @DmAl9IAg-GߵU9wI#{{Cat$?:mW~m+O\Y{}+IV2@3!̇Lwl"YbNTݩ*W1 WӇW|ţhD@6&DCqɶ::cλ// CN3R¼c[> {}ðG!.E ~D R(^퟉Z(E<tZU VA!n [!Br*[D6UT_U&]8?.ӡ" &Gˉ%n*,ng͜JKD@rj>z&ŧ-bq ض0}{SBr7ew)sMX勀u'L|nTxAV."RWIm%u'L8 tږ܋'!b~kk ?Q3;I^X#" " D _wJq7;-@5/^|g[~Jz ˠ˩ιpvCdJ۷r_D@D@j@q[\\Nht[Ax<5a eoŒOy;8םرc.Hű-6&X-5Wu!Lh)yvvΜ9c/,p_:dٵE!PV!pY ܌ٓ9 `g9ޔ W]02y~]z7nܰ(U2rc@Hds-SE@D@D Լ0 "„덒,yXD 7R>wڂk5 |Ν5DַI.? 6v?2h.Zp5 5givn b<_k8jBϻnNΗ44hE)~:YD]H `Vd ΊYqSÌ%;3." }0yh:;yRIR&, ;*Hli57B{Zu5/LxbfwH8vd T _<|HrY8ޘ],&3 677n1/wCL҂B2 %[vE^xB'gyo9)],mdֻ|j֛_5+ @4Y:h @`Alzffmq9kaX?KK/Z"bӣ7ljqBN񸼅Oع -ZXHuXo۷ŵ<QL.,&>,//?|bEө XGwU{ ۣ0o!{ðDUtEP aiPB%_v!aDKYMeu?iî((7$I(o}*($-`z`Zβ+˭litv}k,gsD-3QM[{)m8a)&P3>ۣ$" " "PN %tt@:MOd Õa˯Y? 
(VQtϼc 5ƚԬ1|%ߵoue"=644hOXGOX~ $LX,涕TE@D@D'P$ nƑ9mmm@ _[&d&ZYL /(UtYKFڻ[AcX?q-wUnǍseەD@D@D@&P„e7 ùڵkvqʪ/ KBa.n#Blpn-( Z"pNusmT*U0ԥ" " "pԅ0ΝsFa9u{gTT]e75s[)hQؘ@] -%:0љtcK*vr>%1My;h#Pw„/wi}I-i5aRww," " L Ew"tTՈ@%&h09TD@D@D JTMD@D@DPH#c8du). ^:kFp8r@T)Lh61oSS;NZj'" " "g}fW\qӷ#L|;9?[*+OIENDB`fwbuilder-5.3.7/src/res/help/en_US/pix-failover-groups-mapping.png000066400000000000000000003252641303637203600251320ustar00rootroot00000000000000PNG  IHDRDQYiCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ IDATx] @T 3ð(!DCE;)Y Y.jJYf.^Z&syiiD˴)i)T 3ܙ;3̀ 9:s=w s*)^8G#0v6|9G#p!p8G#`p8G#p p8G#`p8G#p p8G#`p8G#p p8G#`p8G#p p8G#`lG#p_ك+|r@F@"9CTgPrB@MkN<2Z5q8;;bx9Cd-r|G#`1 ;g2xYi'8  b7%W>6k#1xp:"s#2<b/v-bx'p-_"ĮR:W:vKo3D"s8V# 28j#u떰}ģՓctX"hxzz#0Hc !-ޗ# ܰŽ"3hhʕxq8O&N\.0ELj$3qH~@%>L2Ę!Rոy@O>۷o9@`_f3D"s8V!c&VRR"0F`m1!VnȃW2qM||{@{t/0DJR s4v4+8CTSx?GjDLіos29@=\11AFl*Zˇr8wQTf b":Ct9>l`fd2#2{?{~h;d.Uf!J]6m\U 'JniQb2M9589(!bF1E졋1Dlϱ1l/G>"6( 鎝ߏrup*,ES.$nwt&Z_ٿwK*ELde ,XU`KpŎl/a{ +ޒsx_GjDIij3UUʴd}WUcTKЩ#,G3 29;[08iLTeۇŤ~xhx0` K>^$ښF֠p8V!"a2E]ecP+f<2c5.ՖU%H:lot%Q^1M| *{':Ĕ9{b{^!DuQТ؎68R 9&^xTf137_0GsMJd-5Z?<p#"5 pIp"y9.;Aaŵ Ҧ8_~5_A*xg2ƄŪYB{DJ&cYsBX۷m^">`LjGK %h@7QUDZ5{3y6{UCX/lh'Zlî< PZdGbJiJTyG(ΝqQ;.D0?W8IƟKh=^û`Ix/Г&$ K SJp4f͑"CxO7{~|{_A> R==vJ}5qbLJhLS@Dt?ϭY\W1GwG4i# ]} '{õ5'}QNL#w[$ Wj!;"ƶۯ)1GA*!V X3hC+sCB&G=H!.n$to+=U\ef^%$EڕG>Pd$MPX|$DWnUYg/G<%fG!=# ie}Dm$G z!%p8ZUzkZFy'G!- JXFw=MpFPN@2D5)rO |>0nK9tV+^49!z^/ |GB_L# Ga#`aYa[]<6컽7,{Y Wrwݶn1%$AOxMNT6QQ(Exc0$Fqco> >CjȔa%>GafÐG@@d͈畏3F ;gh/!fCujএ;FN R=a&Dpff1h Ӟzar9Ewp{yqfjx!`C$27" bx-6/]@G18KdصT*#VǾδ}^Gl>a޾ղ=R@] ßB؈U8u{;~1&NOH`>|ܬ,n$ ƣ!'zgJɳ=;u g~@ 0m_-j#ґNdpؗZ Pnn.EyM5$ͻq8"2E 40GΘ"q=\fÝD$̜낗ҺfMH;C8NmOnCGY|<.-@Ҳ>Wr=~%Qck1<76l ߐ=䇂Ҙx"&{[ALmx򊆏 cpXaGh4SrJ{ ~O8rR0{}QZġ2gVHy̘+Twn+ \:uL9#(CЛ1U얃gOXwĢoD9ZL"CFHW;^EҫͅڡQ0}*~=6Q!*8b:Yc4d,f͊R&b{jܼD@>Хog᜿q8 û/Gt)ew\cKЁyյʌ=hz;oCVt0UZ¼M& +BΉD4͞H*;!)$_}~x!bO1Cl,))#c^{:ig WZZSwK\ GXCtT*JԮȖqޏТ*3G&7n5YbbXѪu̬Z3nPVɻz=Ob : GAD@[k*3Sui,7 j))Yɿqb@SR|7isl "ΙTXTV,2fYa*j+YQU=WDtÆ #GmyY тت, i 1w!(+:D֔RD \6X%#`HȘ YMn3DNN*B5J4d)!'R-"R/o_ich9f_&dQ%+0xQeֆ1;ɥpmKRѤ,)'"3&@^p: `؈q:I>+u?}ܵG=~!E:#Ga"`C$Dٽ`(YB%2/y7 A F :4rFbnz[U_mkY-5@D 3f)bB)b%Cm8GVuVq1\y/>%8Ujp<0.0v!NJRR%RGӽ%vO3q?r49e!cDj$Y)/#4bXX#F\y%Z8J%PC pS]O2xt>K\?9o=!OFرv'~۶Iɇ1'9*xؑ}<,7QVr)\u6D5YC> 8dm0_=ETa<8X"qfldұ8!8x8 dXGiH4BZr(aO1S2 
epgSAUFuב[h*^'U> ٟ1쑩b=~SQf[KO`púuY">#P3w}wDpFnD?3#u?fsrVoS6GSH|z߲g)!#V*9ٶq75BJm9Qw +ց]XPTWҰjdK: ?CYy|y,~6 6^fzM3w%af(<>%f4,}#"#)csuϘ,^3y  0#p`ey'`npp1Gs SīI`cxa5=:R6^BBH%IMlfZFA@ן( ߠ>s9W#-yCsa( ͜A8rڜ\ &g %5U]L)s`|s&2<,9xovFP@W - 04*AaqBLhF'Wٛ>0Rb$(Aa!Qs U+>0Hދǻ2i'U$Myg@=C*݃!VfX1.٩EEvH.W+"2_4Z D gs(+KP^<ϛ u`9 =YhA+ODhĠT&P"q諧3pSA _xF*3%֯LZ^J0!l)$)Dc$Gu<Ȋ}JXF7[S[8Z!PZŽ;N32 XJǮ)є5$(qJĉ;MO+=tG5F/mǚ^:KJйa¢HDOJQM&$og" ]1=љm[lA%(^̐?L}YHkU-̪x=G#p؆Ȯ+׹xƺRh>sTk=}н* ')C BZE1WKJUMÂIuB izhWY/"u%6]fcBՒłfFM?]M/l@MedYQdFZv~Kćy]j%{>I=\;hXDO0?N|Ws*ok/nQX+R(kb Pj%($ZA=lsL+9+4sl9YMC:9"# ;6 Ebx:V2v`hxCĘq.X%ښJ = G#p?Pn7;}״RTSmn@q#Q|-~ؖL'~*g6^^Fƪ8u5(T!I}ʱL$ADs9I!W1?(aΌ)@b2 xI~jVF`QSP>JEwec?D*:mOggK=&FM0b./Pi(ҫ\% Fe b?c@>IdU =חRq N+KG"Pzf8c)q.1Ζɔv.nnAx]!b¾7PN><\S'~ ѠCwځCq" Y9٤6e#7cVH@$([UN*rm-ޟGbH9µ>$բFFfC|T_q~0{"/,? !|;#vI{O/KUè;B!􀧝/{O>6z)<<^n-׿cP(?_ 瑖^\&繡h3#3AF$N&g7 y^RR ^/kI i,SoLlFa2q< 4: uܜGAD2DU-wqAn]W>+W\+۶Ñb1X1^+wvEgSLzSG#P;M^9U{KJX} >}͌FL_KIjQ4^%sE*ljw|4G#"k?8= W9Rdâ’Jo\ qYϿA]$D C"?K^z*B5a$عpF3_N)WѨ80DjEzRˠ l`$(pSWKz DٞyK0뻟- Tga^GVzkl!LDP,'/Gf,u %uT ,O'9K(mdANHoOICʉql> Y&3w%c~n(_h2!9{WJI]еzy5a1EyJpxHO 1f/N*vOc$7. iƜMQ#p8#`3x;%B;{[(GZkrH*$O@P)f' 2>o GѤ뱾 Zv/#v|)0b7S@s-:C^2D|ACl/˕6h\Gҗmad z! Kpm [1/"i;g((vhX4zLkOI6f>.E¶lGT(%QMy+bZ]+1+8^&VSkxIlxzTb4JJMB) 3-g} ll%!#ٮGK1"A\ȾPD([X?L_~">^#bVUGc8{̮ͨT(OU(^[.ab|w$FTHqO$MAʏbǚp1=ť,<"fz]br0r&b1@^W:IΜ4,9vg4\ T 6S8zl9ل10 'R߳0`A>,%@Z>7,"ξ:Ow&IrNy'yUSyΟU2u3zz?)b_w,݀K6}HRc]*#Fz:=du;%9 J7m()^Ues8a[lz(xhbi@3A|Q10|]+neoMOVя{\c> ?2 _ˏ#a9 .@$JD*ԫ-&~9j39v,̞4g`[+wo[$U+ `Pz&. 4m 1EY&ۮc)@c6U,%+*\>tWwJkrM WE̤r!CxH<5j @{x{{C"1BaqI'aGI\L,kfDaZtP[ «8 aظ=cR<(H*c[SэBЖJ}?dPSF6e%k{2we]Aҍ H1z􏩏dO kphrU??bT*nmRg$!3O e^22[;lRW=*45g'C VFEVogc,&{!.>DJKCqnf^qd}>Gמc*%/VОØx5Z?,[N׺ a-nүda1i"(uK7hf G^#6U&zipypA< EGG#;;ݞc,]71n¶M}{,+"ʎw K@V)D@Af"r:=a_vN&]C [.{KkؼDK¬Q]<`H$$~[>"Ȋü|3- 7X&IT/1Im֙%\= tЌG?L`19v$ar&ЫƼ>Nk`B0,1U⧏^u֭ơ[w 7Dşqנ7u4# O/qm'GI5}z;$:;%HHc0 QWP.'؟ Z|p5Lss _w@X\ܠªU ]^vn*xq3#i$? 
A9g T'!28 Uf@zOLU]=+WbQY Hc܋%`ff#0IlKKtvvBNv~wthmmb᳐Iuv65> C¿PTF#JEPHAћFj馀Ch8VE|h[Q!Ruyt=CiL?( ɒ2>I>afLYѩ0TCEvVcu;G" :9^#3GW#q).@rx δ8NmOnCGY|<.-@Ҳ>Ъ q.-LdKVSOy#OOKWTڗt+\;Z7ꁵB@ؑkVwcXӛ8*~/ 嫗}P0:鎝Azz:$v9V1{%sEƘ'0@JF禟H0)ΨB(onӈi)T2~F:Rڈ3BC ȫr+bڛpq^m6s)Kb:sez2Ay%DNc$V,Wf67So:/Iǚ9xf4 V'}{'}\X#SkGwsخX_Φި?3z[> `o_UI)ha@mԟƜ,v`dLJ %z MrDy1IQV$Rq~4ȟzjYI=9զ̏I(<+9=ؙPKГ>?9nIlC2/n:/?Ol!bQdkRxNp81̛L,ePSt(gFnB(MYt|ARX̘ߑPH7̛ ;GKY SB/IՐWR"/%G0Z Z8CN?̞#G/ ̘(63@}D" 4,X͙gsM4yuxk'[I#zy$+nDoQBar FDtQNơ+^Mm{br_'̠H@yvA,y&b=xx"S G3{Xx %c{,&)) 2'1DGp}N%Zn̊i"q+tzOj>#C1{UKݰ'* y@y!f^ 'OS %'oTbRby2Gˌo$6 GʣK4u3Y Ed?őB-)<7(K/@Xv].R Q{Y+p2?,Eub7K S]qnDHb(~cH [1 FU2D`02+9bV̖NYC,'[kU*;xn)9tzf0.T "׬Grgx2D+h/!fCujM9OxKXYHT gvo0[ErvszCB// UglQ.ҿA֕\FG[m Vk FoPoH#NaJ^~Rtl,Eх՚eq(ßLO]IUG^r&{H̋Ȗh"tMiNNj% *N^ŕrEEEUUelO2c-Qe`bPT)K(& ?fL"ȎG%UXػP d4._@u, Ѣ$DlM!L2k9]{ j"&Qyn(=JfB᜝4=AyS. Jd:apyځWk, v]+1wN}9ba,kDb$QڹT_p,BG!E/3g*'ˬˬvE@ O.݄+(lW<9K B?ƞ([3['C_>jmZ2HBfLtDa}R"M_3fHB/tRv3Y,iNc5aqa-*udߛQ˜1㓐'ⴁH95YۀF֣2*5E[~'@d >"'c"5V$#EqP)aVךӻH TH$ďFUdƭK&kolݙ( \˾[XwbeGJJ'h ) Py˻Ѳ1XL쟂+1Lm]?) >xD.A}u/oEIւ QM?my@LW*iE`d &w<ߧ޵j9 JmSU@I09"`s  &FXw+Zd"LH޹ 9fh G#p'Z ߑ94FLMyL-m`PRBFM:m]!I;5Gfpn] *3%1D>$A#OʒX37&5ۣg_#SО2zqS+ڧ2ߺ.Ԭ%:r/u3?%l!b8-F.}FՒuh,όDWx#G#G͉q<Їpҩ( LPh#Vj7 ST|Ya5NRWw1?ƎFAMze^IduP'}ibT4JovPV'VOb^t7G=B&{=ɫ9g | >>U MPuv{Q^A=AI+R J%\%{  {ve1I4BO6\ q:R`m\cDH #ȜI۞CZqȈ?CUa I,qޙ## IѲg o; '^-_\s. gg82YWej20/"%ŝpAQ\Q"8AxMOLG83P܌4 Bs w+-,geS̡ QnG`F1 ecYxs!ZV2 ޗ#P[l!b%^X#jjkT#bG#PhDmԻ%pHz$ܺu R2݋8 p ݮ?8 "SR/bHN'^D杈`DL,Rɵ}?0._`2fS~Fq/bv$X/j_HWa^!)M2D 蓯UҚLJpOϺ!dB峔E&Ww>UqZ7ܹswR}"( "oPUA Fx*Duq   HGC1XPwJ3K5"c(Y@贅8"GA2D >UU QdɅY.8WEpp"2f.OGcBBXst yx^z:G!! `LQRI91jW3sTEKd㜼Vg$l!R Gy~(Rl QVZYY©Hxz3q"xӒSo@;0C-B^!X0xvNn tM#l<ݽE"E6JBDE В ;C fn$! 
7nQ^xM$H[]dLDQMܰ`ψFu N#[(ѵǠ&!BuěHbٕiXv-K+$YJŪjXgl9&l[`t$'s~ 7BtEaWJ̥l_EXJrf@$&N@Ҳ>J 9 8$S 5 O.0l~|uڞ `KG5Voc@90"HvݬzQ.{bi>|fXh$V݇y#f1R+QJE[_r8;;;ޢ537S`!1~%kJ$uV[%^W#hӒ*4"__3fHB,tRv3Y,i EIId5aqa-mJl?!y|0f$dB2 JCM2&ewxtlA+"?{@K _8 +6P;R"*qt2 S }i SUc(sˏ#|(5BHF‘J}}+Il03[ԮX1>CU730i$~˜ H_˾kZ=~?ԃpl!d\TPHH,9I^t26vbhoc̊[C＀ĺ;v ^z^ }OV3iޣh$l` DUM/,#w0ɳq*V-qmN4G)KbZ45aIsyy01۪fx@h3wPvo Sm_2%DrK-ؾ'hZ?E8Ѿ^q iܵ2S^џMy"Bܠ :LIWYrk=Є$= =I- a_|񢩀RMʅx@aGQP&[_gl1u>%ZRRD{%PJ˸І=BJ]2 mtMٞ SU(c"9H*ԃl\ q:A* \]Mhy#bɎ~2DRsZ.t ` ѧVABh$Hwji3v6eu4pG`G*\6]JXCJ 5b2#](3\]!Ip+ש/cGVY8 !~"r*D!qNNQ۝h9yEDIj.._CSW7V ncCP5^&Q_މ#]tcf˘jc/uB&֭[טH_I_7n`CBg,ddhL+"^id'/RDX N{0x"e&Z|YabJ/0DLX!suWmu9E̎%{_ c*+!rId4xÝ[= &֭q$ gyZ3L,#}3?4(l!")ȟc 4Mk Egr#^8@t*O[HUe~+~Ik@^G'Y kYPTd\VWJXx+?8}BH(Y()'&}QkSD_d^X}@NMHQJG+qfZ|oʦU t;s#1浖?%M|YyM1u;EܛeY84=ke4RF4 IX1qbΩ:xD(xmµ5&Qc.zK)}Ө !D}cߒWDx}xdė`W3G#PS$o~Hb+( 3nIem#9]C.PGa|zI\1D*d7b~03^?l.5# Q0497=N@V)LNtƚ/%~Q_Eȡ jmG(L_ȺdeSUur`x|fhuK*Nˢtǎ܄ߣerk>(tc;Rb֑6;?lF1}UB')_S[?~Yݎ5HuKPcd^^^J2:z |\0<1=g=4 /# gwGi**,r!-Ee;ɥcF}%T?xo Q+ʌ(!/@U0US|(oU2C~a DDU{9fnj9E$qlϪq2W_q;rhE׍б>}Q$^O5(/&u.ng56RÒ {lKϐUlT8&xwo K@R>cû t/!o|1=1o2˴P p(d^O^yن'Ć6'/냡#ӿExqh)1 {-XXR/0}=(j,Rk5V?pTSk@9=[^1)Z`N2D /&)W>5r:N.rc[r)J+-x)z}@[ (S?YZ_yH{rdKW1)Y8 c7IIHCB1J= Q_Y1ذM(S~] ,6FVL)G`ҩ4Xb̛}_Z%3<ɂJ7u3+ MA9XL!ҡ c޸̐u!__yݭ*:Wb+xuº RQk? I!0T ~L| :2<9>xl=ݤ1߆ǓJC%cr"_/  |]`+fvH)قlN#?qa@a4x.Y_~0TC.b'[ҍo.i)<E6}C_煘1ZY3C/@̮Fyr2#Z!eQcVjKQ^Oˢg(2Z e>zw8K:cl DN]w^ҫ̵ZպDFBC.RH#r85ܝX9Q/!aM|oLnu zz* J>p?1#?H͋V*bXo/h>񟏡$w%p#l  ނ=KJ+1Lm0+8o1vn#^䙺ky8S`ګHIMD 9L1x!{Q&Phq*TaD ~]_X=43cA4(c}t+Df5MPL.[),BL%QclA{1]ZLEP`J_`v[LԺx;pjWw%pQU "*`b Th~iRfKnLiZ-j.iZ T(((Ȱ ?y13  q=;|GNש W;*D:M&i+NkwDn@_sFӦqO :_g$t7;m ͼsB (S7cͥV 5#[KaF߬n)KM dx= yFU5 z .D87$#B%&\>k Bl3Y2T'Ғ,J☠SuԏpQ y(`d m.e,־^_PKêKH,D T H]zз\a*@*ז1&%. 
1Ζ4r73CJ[I:(<B61'u3> T̸r2q+5u5Ylۼ:!kHk|bgOJm1{Ve3!Yb *,ɒ=OX8NqInP$NP-Hê%x/ؒZ/SEV1j}mC; R.8u{)âD TX 1z6-dYy eLTF/7&h5 815jMcGw:&"дo8F%SB5"ARb0a!ҵį>w)uQڡu\pA=}78.;t /f`Bp nW0 `.溡DtqFˈhF{k>cfW/@?/WVtX{:mK|c0O, Pf .M ~2Kv!Ua4;`M`ہ֭~ܳJZ|W/??rxݻuaǎ5~C۶lR0u$[YVIl?=AlBȕ\urA3 l;]X1+D=z4 C*rJ4h=;ڦVDM;|C8Jyl9y~jrl l Rʯۥ&OB$B1cZ s0shRr^M_r[rBܴ "dK%v-+sc5!~ĖړĖzv)TZ&{MxH8R,<ZcИ=ErJD m %:iQ@ƎWM:'˗~ 3e}?@-pϱqC'./N,4꽉ؗY\ٰ>A̙Asfl KUBalа u%ׇQW47%>]޼鞯<}~"2֜fzQ5`7Kf0u4|# M->!, "V.+ ȵҿb 7mLJ*R@ nL~o-i!_]-F.xN'-)9+̱Bkh=M r^}q717ՒmW-%RےD-.P('YVTlXU5*v8IA2HRF60HWUyx IDAT2nkĶt; pH;h B@*~tC/38#h#?}!^I vez%fhK  pl|;E5~ ,!i&t'6ݦyYώʱ[)TYShqGإZuw!z ]Y+B 0u~LhYRmh ;$:dmd(6; ~XuLReِs,%FSg1%2v*AqS=_2v!c/AƚE }1y.1rzLeURvi9IШc^ 6biWUj\y  QxU.`mYi XmKa{אY 4I<R:x׈7X(MrNZg@)RAY)c}NQ,>EsMQǶu/R-Ri)n6 tnc(Oy19~e4kɢ)",ܼ[_F=P#Oe!9@cu '.X`'ۤ ;+ON iu;Uc`XXYdl4!c"c =5+R(>="1[-"c%ddXK X=VΛt5[6H]k. "o֫)aZ% @Hl疮F@د&?A](+f-C#p7#!c-ɒ"n)a04z\x_Ӏ gUЀDLy^^/c$3ՅQaXQq9I}:RR,#x#bKKyT+iYKq[2sоPZ0]aqe¤'FbK%;R k8KY!4!&UUY'vT&~.]ϳ<7S"$/7哖Q87J<.d f99?B.<2V.MZ ]: >2,քnJ}Bƾ2p5< :f/|!wz[&OА4G +?ǿ>!cw26m.$dl6F!d=12ݬ, GuV2|`2VA5<u}I 1wCZ/+~\Ek4(6Aׯ^g5Z *db5-Ta)K)~ۗt… cA4z ׇw}puHGt]!a: c)1"9sȋc]H-҆NqllǴq SR$T!2!c"c݃mAf2Vn-6-F}dl/eX). cK cې/lXdl##d ߒ׀hmK,D @FV!'?3-j2'6@$)bƋ$1Q %weH#:8j_/0C36D?ђͣ"cْهV"c]his~\D_hsX8_Kuuˤei<;XI diZ\&dlM°L,ԩ,q4 DvwI Á8G^!Pg?뉮mkE#)yB5IK4HK߀Y@.Ky9' ㊘?Գ:G[FRж2wnj-f fyE@B놣:!cbl) kYV՜1KgУHmvhUb,7oإ,QULiwp\'/AvިQ͉疆شKnp)fRFFB= x CFɉsmUX֖Ƅ B@Tw 26/zd( uבOF+ sAv)6j@4lTأ6YdUb@/Qb.ΎB-$C('b{EvGZF?ciпgui wҡs v$dPy cX@i54i Cƞ.]kK!u 2ִ,/, c JGƚp"UNXG\ZTHWAL7 Ǟ/"`H q~X6k~V~c[~ݛ!6QÝ+EVf^|p=n*Vs]OTu*ƙ?yoB_G pk7zu_UACG0Vm/uwF׬{f BʭrS(Ⱦ5 Dp}vl bHl_ȗXdlbep #ZW[)TZp R\PT!~MP.h8bl'SBx6@QR.vRMxbhDʦRt])oE%@-d]:HE^ZsqA^٤WCϓ} )GK(˘^zsAw_'[e=EaIT1pGm3Cg0]ۣ1v$S)JDml<>խ$>soL1nԍ_J&&EVTH޺wo,3R١H|$s;IsIOBL*i1,kEh?Q#MH8+4 R0!ggcŴlխӘC q75뎍s?3ɖ- WXjngi%N %yǦG;FzXt@>0^q,6a"?ᛑŸkZ.^]f\̮h$_>]y9k1?[i*aB$ ƐV9aX8Sh)}}0>J"K#ۍ~1T\*/U=K=l#oZ=QO*5֣vvT^3jKjkAy BN\F#9iۗA? 
'H|E9(2NKANR jp/gPH `e p 1d1 16hGif"ٝ=ZٍYJ#ÄwE1a$f]5:AtAu}x/Z2)Y$O+rL.ڈT5g,G/1`|g4??j9j,GK1>~qvIoI_`މm=߷=BաƩ/bp*==zn86{LJG5?JJ3b.ծh5je=T1< d o6\ëD0sPmj \>>֏*U/ [&1}'EX2Mpgpt~.Wwc[Q+?%XA}NJuv裤Ę8 ̛+n+ bx"ZdlZHyfa4ˎ}cq>X`^v?B"5?A5l_{DY&]0 ,|,Hh'Mz'mj7fq1CyuPK]I?~(NM|ޜ vx>͹vbb@\wȳzþ%A=!/Jf9YZ3feg|5)E ݀=xc͍yȇccDJWn؜[kchHt]\\+'6V1._04(8TiZHGzN1LJ݇sŸ_X auf0Ƭ9yD#Se$c ޕx9̍0;9J'xyW4֚z{5s6vSi9g`und.uQ(H wCa4ڧuzG@c' e>Kږ _D눏Y#Ǡ]8D476"H;k{Lr 0]'ݖ%(ct R  G?mjYò22f:3d,OͳJFvv5E)wd C#-F7 8x:V4 rBhD: rH;ĉ & Lq&P OzQ " O?\rog)GPdrWb)WQ\n5P嘌^莁C (ad +Df /t(seCl\'?(9*ToTd_Hv:Vl(aˣ;n q'8Hg*6XnǯW"Ǿd 14m8oNյ&k֑ Q[YEuy/B ݤQd[yXG/{1k0aa35ҳ-lԧm`/_/J**MqP%?+y!8=3Ȼs7m;@H^_`K7Kceke6}0F8e.,ɵ|}[kt ?G8D3F 's4~{!4֭=zƉۢ4ĉ|ȓwKx{f հpLp?Zp!E Kb;J]nؚbW_a|Ieid5w Q'בSx;t߭A{Yv)4XBv{7ɸbmވ8.9K4 5!Ǣ%9ԎlH:юc"C9F`ۖwv`s ~+nA^-0wGܻqFHGu#("9;2c oD2n2cl/LmE;;}hnxp57hu|u<!pC4h]8Bı 84-o!hSwG╁|Fڢe}o&MǮ36gcb/\*2& LZV_9?E'`h]Re.ån*3yOU9|=̿$fe[AMp} s|WE* vD _c+k;4U\e%͵5:󲥨MOr))˶ur1 ]z J'-?=_:{ܫ@ܳj gky/ , ծ#5nڣ2wb=*sAMQ:±~TWޥ)9}!1dTZk6௘( k}1@,yX5(XSӒ9ġi iѝw"B Iᑽ*ވ^@%h9lFd:K_R{^%͟|ɊAֳы54mA<@7ـ@k6*yǫ|A.\3[H~#P @k,aIE,h[>Aq g =_./#ko"5\I4o gs₤YxvDBuv7\(ǹErcdmkC1Q[Q9[Qǒ|sr o`h34-WM (gr/QѺ> {YK3au-l^ݮ5Мr}:wnyj qawVEE1_®a IDATXD TpD8xwyB\P͚7JϺ/1"|%`B+='yjy۶,fB]WժF—@ak Bl332T'Ғ,☠SuԏpΉB`d2Z;;mdw/އUYXD T} t% fRDv?pt^WcL97o qbx;^>I*D:/Z[g5tio[G4.:S J)fTŪb#Z:.!Z&(}947.c%gv&RӸ pZ%{Ɵr9rssܻw֭Î;=k,ޙb+]t!pR nT:(I T}%WJ ӠnyUR-qz8vi@T9rdx ;V +笢QF ///xzzR.3C*%#w"bmo=+oώiw3aN s]w[B}1(|M=yCQ!Z;la踽[\\Wx=|ckчsy*-5 l! y17[S⫫qM=32uhJlͅRM٧kφ,MACboHNh))'[ 9SVi-s\TQ h+bl~5R[gL/PJ*Cuݸ!ʺy˦1׆g=.ځP׳lЋANm\~7m!!i$#S! 
ż1td:1 nRƖZECl4*(6gRg ,37t)bKñޛظw N} ,ǗyY~̆ b 3cK%Y cKe)2[¸> Ǽj5kp 4|Fr@f4kauW̊cc`ٚe<9J+Sky}G zCf V@U*"*]-qOfLPr4c#{'G?[&1}'BX2'ʬh ؝A3QSwow<Ӽn%*~:$A PmN9`c ?XC|bFQ ˠ-{13 tUl2U&K'GVĖZ̃9c?Pn 񖨻ս Bq =Vc["Ao ܞA-ԿhǍd[x :!Yua)$덳EHo J$=voG_09R'65PK%l1{/RsbNYƕאO..+s{5wT#^jį"Ses.X`-K5P@Mx'"R:x({So泱P#^”菐8M&%}|igBaA$[Z1k=2!`:1tq6n~N#;˿c>"U|kFq b f:?)Ėdf( j":.%qlxRxTz_־^v MdjTb' <Yc%Âb-1q )`Զ7C{Q"7祩.hMڹZ9}8'-e*0#GJD,c|yɚrYd%cgZ*v|t38By ^6z‹^|ued%Qz|5Q;ƚ||m ~ް a C%F,3kahɀ-Z=?U>MŌ;6_ neHVAĆ)N}F@u^OZ,Avk1x{]jB fVFծ>&;b"rz02.'"OTGj[JE~voD,Ysi)jzQ t- h9h_P-j.Ұ2aRNY#MzruЄ5H ćYAXHxoTd2ttfv"FP{ Y|72ANpt,?CH ɚq>ny\HV$!Ysr,3p8$\C%<@`ɺhu}1$ ĐJH}B2p5%ńd}LH֏u|-C'hHOd݃ȕm听;gs5#͞nVd݅#S`R+Qd*oQ6*I'~*83}Zٸ *db5-Ta)K)~X^`1D89@U2$A~9z{/'5sp1|Bo<|tgKǎd IX2_.+/$OKВ⽒.'-=$k&!YHbHbGRjZd₀dbmE TDeo;Ooqb5ho6#W.2N\C8vtƽky:u#x}ո#u!g^E3 k64FԎ^ iSFr4 t)h),fqFF~^lC+.PTea俘CRHV릏dCŐ[JOQv K"H@iqUGb>솦T(ә!t&x(h(B7̟Ѻ#)o? {.)طyO;2D~n Eŏdxm?1$&<^$k1;WRwbnmT<;;A1ϜN)Vi@4*X͛"j4<}(dž: |]g\FkOffb߱Lzr4}&ܞeZ^BjjrooBDB;Hp`c.SwNmKik2F4&$m Rfy#Y>xD$+grբ,, HVT!' td]DV-)ݝ?D TD.V٬fIr Eھ 9\Áp*ϸ>d yY–ش߆GuG$ gHl4Nrzt~jXGHuzmdMPfBqҺ}>30^Z$9Yd93 _̨3½yk C0nb5P 2j=d e9#drʅ[Aپ7B| MRE9=WTtIYn-ɢfG-x$L=5"Gk~]{yi~iV f|5Q[(5|\;;?AԃH+q-bg, YCFᴚ4!YO@5d%BS:djZVI$k ŋ{*YAX5y+dG^^-KkBR,<3R "UfY=| bYMoX8i%hYn!6QÝܳ a m2 - YlG)C4D^WsnEys8Ğ%sBuK>xG۹66q3~}uW"]бmPYɐޣJBۜEAAATJܱi bHl_ȗXilbepJ!#z SRV4f楸l?B29=!]p4N<~XneY7/} B_jDr˸pLj韺RB*̣O!<<}̔_^⃮,&uyt6i3)SuaqJf *E2 ŠN?HV+$655L>s=g`Ɛ9 !=^듏WHcHG\S ZkF)[IX5|4OߘR[ЯO&&EVTH޺w-3R١H|$3,/qGh\XB̵Ri1,kEh pEԈhNJ4Mu/kdnƴbBqW֬;6  K[³ɖ-Y*]])MoKti&ZHNGGxywb`N><6Ir45-%c1sÜޖtgfQ sDߌ4=BꮍkxU1曱s1~HS~v;|:}o1ء"|>GQ^Ckѧ3ve I/ 0zvP[Vg1- 3ojU5^WaNFJ *1G1Rcpb,[[gjLb'UjyjkxF-tI @pm/(^Aȉh$;4?gO? '2H|E9(2NKۥ V+s/A_Π\ʨ$\Βy~qvIoFDwg:w[mPPf18 C=B=[׌Pd& Gb? 
^nnKx OJ *8勼`nYc]ls-n^f5J$ :gH(,=QNgt,֋g Axu2َ8)’ٔ=.h$c=w85sTsz?%>cEp;QHGf 7WDW8BBſ)E [M )s- kٱ0sl߿OCŠDטt} jYҿ'Fb}&]0 ,|,H(rKs@a r 2,_JxzQvGݏn !.fh#΀Jw~ +ܯSũ)PWϛ^BΆ{yAd;Yaoj̞JT KEAhc%1cZkڙFqR ݃ 1Nź[WTYtjMΜ1hmt"6 iՏY\GǛsG3Aw=ă@+0o7OӠ_UݠVRhx?D$OJ]Lup < M7,(N;dzzI?ɫt֊͟ãB;JЮ3~Η4(3Fe qKD LJzN1LJ݇sŸ_X auf0ש>#@m*#gӧVyv =Cv*UY%Xi]K]~7 RPؼ1; e|,Q!P.BD:h[6|u #>f5Fv=L{ߠ% ڲgv-nHAJZ!BDHznJ= 4Eְ4YH>CQIz.R2ΐ4?7*9.|<ܑE*P~S#-F7 ?%g?$n`Uh N8b`C ?3g# UQbΞRr^-'d4vD{ܷ "fPҞrD50z<`VY dm- rWb)WQ\n5PXY'S6w (=cی0-kM|lE IDATs ODg Fr/O )nVv|3 "3Wض }7[\/@y0J+_ǡأ8wLyT6ʹKW!ba膥}oeۢI<[$AέT$&eP Ȟyڤм5!3rKKFMZ?gp6ceޙk%ј w&)iYJ;;>>Rb:Ěe\9d>Egj >Y_=^6vb_Gjֲ[ ٝ>4ttƃ٘7fEۯI904ޞCO#sƭH_S?=(C?9@6k /_o<<5CЯ 1l9~B1.ޘ})Oc/|~[7s6qMl9A4 {0ukD}mo 82uXֹӀ^q|dq.8ܿ@RQdCێE֬3!&B89K!P_"W"k[;C5J U l"LdFĒ5ktH$ՂMGb^6<bBBFWD)0UshgCI*˭\ó7ʼ,YHiC2 ī?gRl8,9vQT3b\T#IIGt]NCڵL>P~97.c%dfv&RlG\Kd*$rb|5/uK~ R+!dETKWѽ}š֭./>5i!klRy#ާ`Pj}1uu#,<0X=ѹt-%' UjQCNѠNhޤzA&`@\uCq᳉¡_ap͈}'̔EL?1N@Ӷe_u}K|c0O, kiF絨sf,d eRꌐypܔIN*J'}ռ#Crpwt/JtB= cIh}-5 J~>|Ւ \Qu~Z D`3+o'JJtNVydF/ CCTF}{wHDSԧu9$fn_CȌѣ#."#P,eN-"h_<5] @T(*"K⾡,+zҬL˴J˞[Re+00{ =:s=;|3η]sI跀-1orh!q+v辡>E0Q9SUL[V(MtS[bMk+N?flV<*3cy_]Yk.#Tc7MݍhUPvxmݨD7 ioC2_zFjqJLxC<ܲ |(-frƘ43t {,iUt:Au^^u\fZ1] +gU۴<׷{?\5]} j{x臬\qhzQ+cB,22SQQ1E7ITՀ?㥄u = DY dwD&}0Q!N_}c vn$y_ĩ w%('ܱtE:YC}[KGwdO-Mu'T: J#o9@ [wPb02D]ג+rrjjgi5:7%L֚vojZT.߼.wC txp $ 4U* 0J$w}5$<Z3tz`3yvúS.}u&yhU ߜ&G9MvwXy} Ԯjrnemv)l&ϱLknxY%zcFPyI7JЁU&"0ڶYEc{"guSx'*G4{bˆ&*A<7<a ̕ \ܢ3-\cO2k^k3'E=7.ת.W;I&~3._իVW/2D#H>t ~jޭ:c X|~]$.bbƒ1uXIW .^8f ^k)E,j1DConłؗ7#r%RL㰥X0I_önVh0aGG#dDŽȐ8NX~PjRL-n1s8~&x$4Daeä[>^ILYْIu+Tp<\Ț%kv2Mile&IpK-ؖ JKI2='EdɩZա1ElN] y+"}kWQzS%=PKgHʫhI ,YB(^5M@u]3aV\dZץ`&^aQ4vAnf h;% p7\8y>$se/f(6u%NSwkȖw+@D^^#qDM:7w h8}I_0z{_"o2͠X9c"%)HO~2z_5]m,UԆQsebБmZWX|9E?F*٧]ܡzk Ɍ& p#J\}dzaƅ^#%3ujx)KLdXK-Y5J /:7́@Dww7gTO0oAw`r~LGAp6ْ3\2wڒ5|b}gV5K'ɒոp,Yld_-dXƭ4*d+Xb<́@DܲyϦHI8 VfHb`:J(껻;E|}Wׇbݺv \SKBb#uґU'Q?4 /!"G̦qSwr<@Nj:4#XA;KGeHD 4#e4KYȩKoq,OB$@/Q A j%5rà3d,ݟx<N@! 
Ѷ70WC+TjF-Y׉gg\ Ƌ72[7c-Yu6-Y'%KV7rBX,Y%KVϰnX~~ڷal6 lEY\*s8P+;mE/(om8.4y9f`KjJz՛"[co !@ $X:),54OQH0JL;Ldbsp;Mc4+yxY+ ௸"Z4k7=}]Ĭq^L/@Oӱ${ӽā"qp)>öMHt OOOx-cF`۾5ң_` ɒ5YflYU] fK:sBEb7 (KOæBb#bA٤իWRKD/YAedJ.N_o1÷gZ~oK'>}7`@$d:=b3bC֭}廘e*_xB0 DKVH3 ]z‚x7m~1>>Sh_ƁZ #AAΘ&.rĮu'oAg,RT-ع 9O֍2d&WaV/b_N03et /jf%.9@%-RQ'ӒE5zFy!<~~^O ÎYPE|~6rZ;_VnAFZ҈GW?A%:(( H ; ב$I6lZP}_e Y,YiAj)Z. ><8ْ 8%k"f%3*Y>6K+#K'GɒM^m4'd݊QK>‡ѭKVͣdɚw%k.ǒ%LDK-M/UOkOmXדX$e%Հ/E/]-,ʫ|J 3d^akD2‚"<~BW/qV4'ھn@}zx#|0{=vPA58ZZ{omz?BҖvYuY0iNFtY`drĒ5 L,YfeV,YԒ5&i8kŒU/FA뙟b82 [p$s.@6ũ-1m[ɕvliZܼ!q})^hV#b(,E XpDʓf.X?GP %C \i*%_߶%+on%+n%bn~eJrTԒq/6-d~-,YgеL,O,39PQ 3\N@Mpu^Νm1BgԚʕubrCtw7x8b_|l4는tFkj0% =ꡎ}&C7p0$.7=;|Ŗ/d- Jy-Y!O*{OYZ+7Pm$P j'2j2 aWګWb"Rd́jo J{ȹe. 0 79lGnQ:[2JTM MOmzL,YVYf(huX&լYr37~Pv[r]N-Ȓ1 woٰd-Nߒ_i*w%kHTp]d%YTYgձ&\@D?25NҠ`Ѷ I@ daɰ@P hM5Y3ñs = pah\L.hԙ2Q0ga{gTɒ Ȓux%KhrfjVfRrs>]Yy[AKV[Ȓ5)%K־EuZs?% V`Hù9PQ9aUj9\TWZ%o`thTڪVgPC ;cuU.fj_ +I[eWo,#FQ+KnHM0ƯٞTe ]vaݯWqJwdb5gMRРhcI LX%kHIؒH9K֥-YŇy"U2dkaj% 60ś2 ,Knf@_ YOm*.:ϱʌEW9٤$M[blAJww aMEI#>4i;و[FE%:l;P@AI6ܳ#itΗi976갋Qc IDATJСGm,nOh|#3?Nb(^ 7Ixi~>#z'[k#m=v~8!%+iRrEi[SPa/i=.7RB ]5n52/ aB}j7LjkױyćS⢚^VwOKqc۹`>[s;`H߹8q*ڦ[!թ!=L,5XY7x>\|E {fzOhe{~O (Stxj`Wv?́2 o%A=~^x+-ICP#ythNf4: ?bѯ1"*\҂H4jj "iU^ĒЊ\TK_h'6у,6VMdm67'ϵ۱zFkd7ڗ7#,VM{%O +-5)E'0em,?)F?c9R<C/ $ ưa`83C! 
;ZY)~C.ЙU!)q%^K܄/79ĬO(J]XJzBWeckEq=FVVV?ʝtjtimX>4/՞[Мc:å`˳IZϓ|}X'EQ 7!x!)Aڙa&Ս؊m2څQ-Do*t5G f~t/3mW0=.n JG1z1͔%$\JCߧ -BJHͽbh[m$b?];-<:6{f@P^Q8M&6/c4ص],۠*0 =K7{8'L9CȐ{6'XgЯ6 Ph Ywi%WT 9pp@DU3tlAYxy"~=BW!NcR_Aw%ڧa$k4g[y2IJAP =R2 d-ϵ%f_幊hWڴq/*H/9':!1.FI*K #C?3j`t3t;IOD}Yc$u{FqS~7bј{} RPg\1 coϾ5w:p⑎N~|;S?}klyP`lٙi?uhJN!M hX|_V {,Mbn(MZ..LVϦe8v4ʐʼn!(Àv"m!_k3sc4GDARf V!U9sq@2/+l,܎͓6>:wqoO>z}A{J)A&`kb ڪtŎ甒"iI-fdnS_3V͙W%PO\MnKЉ :5=A[^ SyPg,A09~CH2$\VH} D1b sߘvV{h#0S/cgRߢqy>&(*yك?M._bR|BSJ} b^@:T-T,9ڻ@C=ܟe{(S-4Fpj؈]2>΁FCpyO3A|@& @q 3IEuZaqv$_.%`CH֯1:ҍ./K RFxu8N/\ӾD͋qַY ]W`J$2m8\pgΝ4*AGʞ%9(>{%g+CC??;ř=[aV"lC{g,JdE;5&dc@H84S`uoا׫#zFD̏##YSm sv}H\Eo]XS4VyC#nxc7F iȌ뉻 ç͇Wj/7_ܗo`K[ؿX- l8 v71YJ؉ ztz?O 4h)!a)0(D:ibu @h`5 FHx֯kWU\0 .O1cgrcf婼$XahqK˷Qٱ#FML$Y]zC@HŻi{L-櫼qF/ Tߑ\Ru&Fpa+K[w W/<\@lFTmݦ鎒'h%)zS\LJ#c^݇3$6z|jגj܃, 0LNaw؟[xG>M[kOKG߶@oND[Eh;BďGDp=ZI͓6J,s/W]r {w&9WWύ2C>os~KD[?;r֢ )R*N&2NƷV~YFvd!E(-q+Yy>V L<7fEպOzMGDHb)&yHiF+[I/ӗd<̾[I8 XiNaK\wC۠)TO(oly]L@ec+g*/*CpQMA(zvDS*8']z։ YN hw.U'S.QD\g;+T1܎k,{ noW$6gKJ̦vBfxfp[Ə6 le\lJ0pp'k͈v ʊg+Ongjc^|4N*$kۙ!][5/a g΁sv6&$d&d}nmBGmTqs_WؚR ק-mx HjǴq-TmC5cyV&o<Cnƭ]ؒo{fNMJs%aҍu3"k{lړa7b* 1t8w"~%$VXUl:?]o<}Z,|vO-&.߬5H"+I =e: ^^! 
u^{GlU[@at`9RYajuLבq!Y"nI`\;Vɶ<+"W-$JDhϢ2lEVRrR`|M禭 *+ /JʗeiD>mfN/pw&ߓaҩpq8 iWI\Ԛ2v0%ȑՑTx+ e1eBȾB)e |(̡Ȋ$F'+I cثxzg= UW%f|{zx`_0+4PYe# /G~v6YN[2iwAh Y\j-È\:?LE_U яȅh$>?h+ϗM< m`Yf8Vv5 C:%&%nFv| ;;k/=E\$!Y7[fF>\%0o8U`6 {_!5wW84.iMp|MqY-x oLh7iuk笁ϐIܮɹhAg]Htt "۞{8k{ˌ-*ΩH"0f=Ix bV>Ibg?qX;f<7 V %ޑs,38^2 [lҕ8xFƶ-{]Yycʝۢ@ĭ؅?#`J, XǢߊxnAI>!*@Tf?gcGn(.6Z\.ʾ'VƋXY,1kF|-|[ix+ؼb<բ1wZvE.HM1nmۢʜ$75›@Գ?qb:z:cHoJx?, T ;[$jt4TgK76\3c҄}&Wao#RB=]ܶ5#VTךkE]m1gm]))j#m )5]} jOn DYP٦ۧ LpzNEEP)Qd ڽq^x"Djr}G$m}XqZdA^a`GFOY}uړ1ealy_%_HB%_ʁ \\2KzkfxD&>8O^d vBWb~@ /p):[[ " ë#n?.z6~ yL]`(VsJ؂1xm~s8?KQ_bx~dSBG^"Bʮh8nh8q-}_^W IDATk')uM?VN%s@@5q`Eݹs@t8]D..h޳)R΂:9KfB(|}Wׇbݺv \SKBb#uґU' 0 JW/!F̦qSwr<@Nj:4#XA;Kb_-,%QM/bx "'Jr+Eip@wګF^O;Jk{ cpV]q=1466r10r@c61ܟu|0,xPң!E˖חrv #>G`C֧gpp4T>9 sz~e~֖bZ xo3(~bi}36Z3} &O:2/ dqlXP;\;UK=a:NbF_iwc/sqsҹ ~s&D(J/"~X4keWDfM⦢| U)E,XӍ)\>`6vK*Kes|V%@1`Hclk+EC87_[ `/bn8p "//O8!k D~Q-ޓ'9pqr͐ ^0x`a-5TBFNhDjH&( ?|re˖aӦM4{"&b%OG>-_z[sνoDFYH[yTmwT[숞;*[=*̦tԙG܋Vpx{W#7XChAWzAuodGz+3mP&>VRxӂ_R8_TT$+fAn(DZlPY9ppA 3 xodُvv繌yzz @mMVBdt˗.gՑ+?Lj1d^akD2[ V9e`k4T_ cf3.soBu͕H}ᷫL|)Nn-&5/^,!uxkk;(T"#ݎUd8 Iy$@Gz9c $-r2 [|_I ́N\7JvmcKe(;VTm+7pzC(doE(H0-WgҶoZ3#| o{K IoyyY-Ѫ3t(gd'8 (b/Q XZ!^3kJU(I2r8aX|hөZڧBJ)xzuD_wA;Y+Yڡ] : 6Ҋm 0B⅌xcChw%$(Riq9"M%Q́{ $I}L% $` IDt*HDkmz*&.PC=O|Ma*%/)|Unם,- e?3)0-_/Σۑryc #UנcK53*oD l!U;8 ݎHD5/IhY'zwCnT/ko3"I mS@ /pц$9ש #BjZ넓\/Ё9 s$)@?C# I׸fȀn0a3:EA!up;e6ţkBR.58ZCtxgim]G&{N9j+96xђ @3k 62z>q[I9pwq DG>|#^G8/թ (h7JnKSW֛5`A_!ʦnLZ}W@'w;neB!+4DaݯW nL=-:Rcċ|g@=yYy~=ƤrF́{1Ff0@be\*IDUEMŇ,/s)^ZQQ11F󵊓T᥄u xRPDM0д]=I&|IN.] cIYږ'1^LHR-"U[,ʸ&"))b/11|xc/l@HD?As%M-D Mn's@ h%)~$pL vv2V5C@MK",[Yp.@IoVU.DB6AP#r)'kz{`x Hg*Ym,Wc=o3K#m<#E,D(qaQxm~"я%:W!wdxsOWLSږx}'8G-z7³VVyIxHf(_/3ĘiK[>}܇\KxBP4|LÍ;4l(?Qvi}Eۦ^uXfmș@ѭLkХ'{DK/ק:ݶ/bB),nI`+1P?+ƭfo#7 Օ2d[= G:@TOEUBeUm `IP Y=ˬiMȿCs":'joOyd]:A} 偢* NX<̚vL[7c1Bk|00Ph\ӫX[1#ܘ8>{ z4r6T,L`h^}sQY6/H}s+nŨ%aytkY*8|=$1Oki sJ$ {KwwAc4:MdžٿcGhw"& DiI4)<6yf"O,y4v6 {ܶoC5QuBD=} Y>0 =sR@]qxq/*t{5+%ڻ!6'^le@Knx6TX.d+=KOa)i8qN. 
'2H*%ptmr6͜-P̦ouGde .…Mpr鞥5Ѣ)ml`V@=f- i-NXD;aS8xms[$ .`|.znٗhƑW,Q#d '>_~|;Vۤ.{47G0֣VxZ a|0310aMwr)c7'`!BKvbaIuk^6Q-')9u.[,} d+"d,N\m,Mbeeu'Q}ՏY%]n Zsnhڒ)Sp1nص]eѥЅԼ(XkM^bv_^[F [d\4c6<^K;jo}70{},'2AX=Dt* lUx;6LvozOFicZUp4]LJI ڈeO7CiuYJ^7l/K t~X 4X: Vb(6%2٨u %J](Ɯe,+EiޓYNw$h@DZ?!Hx甒Mgk4LLR]x>NVt*HҶ=@wګFe%EV^4TB!Bר@A/'!(5 vCL Hʑ6?<ܬ0PK9ps@A<)oykUF2 bU1B()T >U)(AI12h*ȅ  ^݊ DEV*6>C =IB:6zf6G;H1mz,ڕ~VqSwr<@Nj:4#ofC*@g&S0wz⍩+:%t?0c"??> )@ +P⳥IW~~(>w ATnf_8|%}]03> R>c6?R+/% f YyGHuYMa\혋71%ʸ/7+y/}CP ذ'|]' cJl"8<>8ćG/ _„'J.0먉[{Y$FgDyuLCq$lT)3aTX أ5+X?4#ޚKh05xlY}omA:$!>ZK~6K?~'| ~rF́ t8IH:֩SǏGPIRGD  8PII   @e˖aӦM4{"& GK}RNE Gdw:'oprW0C^B%m|.~T&׹-{P;6lJa\[>a\Uvo񋗣[f1bGPVQVC+V9 u-IIELɶ*Ppd[g߼>.*K-RSgNu xb@ouN 6`;BEn4F[LJ:"23)˩*_&*7<גRaیR5_I`@JUfgEjdhAuF2(nա'FKACwUCn(srqt|̎E iyEIjR"[mV[.I`/XQThB|Cs?%> 62a^$7v{~6J@fo:*B(-R^:oғiGՑLȴJR; O5V&ȖS9's6q ~?e'r(W$Y(OLJ~t"9ۼ/RG@I`ѱȹ4AIJtcI(5Ũt~t8[Ǯ& 3疮E ( M'2Ҩ- Wg2v##VnP_`FӕKe=`$IUE2$ͶJHZȋ$$e&&p.'2:&_KlUEsRmB;hXI}DS2+{]a&azoKH/Xқ/d|~6sˤu;L[;$ wv5v{R"g늒] eT  e8FS/7iUP͗T|b vGU؛on/:}S:;W̌|"s.$m6CUԫ!/WhoÍ;Áv^C# SaЕ9}`k{?QF@;atuu58`@>IXލSxw&k\icP+l3F!9j kDn@Qiu8|CA:NLmPH/N 7T|= =!pv\ e٧s}ϭլfeGU\WcaТ~ md͌|"s. #iLJ F7vfp@\Ẃp.=BQ *>zb(F: otA@@,"B>:E1@(U7!HHح/iڽ)R;o潚!3uÞߍAa)mwHR`O&d` ~<, M}\#Lv3O(JrIq=HO`D <Rxmv:~|x`of.ۖ㟱'з#V" ډLVPxs@z#'imo [e x"ÇGAA C{I*9`΁[ ;5[6 |g!Ga  &%p~ّD(2TBA'>.^nMA *t"=y&W(TEת. 1ܑpJ%f6>a['U> C=.Sؐda[FЙVL-h[)UsSu)No9-IHCFIXBEtI}OT_66N\cbh_n-,B:X릊e }˥2Q'RSuȋݿX IDAT)Hpbċd nwUNkEjJ /GE(~Nב9:q9Pbvh 1LA/M;[1-;zFIlߟW@c.,k 1aF`?mqpۀ@QPYV) PT6(i@$lvE#/rJ .4uIksKq4O_%T~x$ ѭG9 $bD1Qht#:BYXXOǮۈ!`ɜ|&sbe흴CȔ(/tAzǤk H)9/s@@9P|i9Yhݨ&p|FW[:elf^ ooo}ϫ*!'(udya;tǯcMJ{wѭ֡12\.I&6Af(7G2!7mC[B#Tx;m۵b4 pS~)A]XjцF y LĎH$h,ނ>M.Ō03%ge\CJ|a@ĄyQxd\#6IH4p(s@@8P%٩Vp9"Ì(.|i%F#0*Kxّ$*0W?6ۥFa6H#ڇ \JAv ,IzR̶+b&z?EH8?F,! rwPo"$ᗫ*D޸TB YoTBEHb]dJ2-Pez@nJ}98cYm_85u%ǽ'"Mwy_'7Kߡ/9픓wNj)/ pXGr~d $mI$ *dtl#@t{/{9`$!) 
rI -4IwHm$s@@p:=8+ةr$)8~ABH{N 3jn#ҩ2oca@͠ L q/\]M];-lka a729nݏ?pb'*5ЩB.긺 tB?Qy/&IMlYv,ot&9P pI}J$$!C2 %eT/ꃝ'ZHzRa -+M7|; Q_2?1@Yѯ5kf+?{WU0웂"/%**["%VL,W,+zVK⒘;(03?g{03;|/;-4MhLCI՗sDfBS%aj>[UF Rk&X՜Uf0"  ćE!FA2ohP]ITh[v_O(uT#/R4*vK}#4n)IQ:t# P)ZFwGoW&-(b`4-jD)#zԓ!ZOh9C~Hl?|umr3~f;?֟CNp: ~'}/#Vh !93Iq-h^Udܱ1U @]"PcBDRː^(_r>)cGCnSŧ?^3(>|6;t CE݉ ~xӿ /=| PP'$M>QF-%?dn8~gA_a}r15[U윒?HߴHEPJ zC3q> ;а(%#r~[nG'Hp#{Oh r s62z9+lS)=M[XP~֞ZϩtuUOm_@ YW@FQF !Ќ׃lfX=#?M-oa _I?QLM4u> ` əcx4vIGu:9|Kj\ ԗ[u$I]GWr[VE9,y dB4ĨM(VcW 9pKGZEDǕ">y\2uq(j=uр(su Q;rBC#`~\wt rRUy~]" q8 7hV!dZ7 ysj kCv[1Cη<֦E!Qzl2 -rGwa$mJ!ÅIC}RK09ʨ5_ۙKrsKڋ!4v6.Ev)asLؙ8V HNĥJI:y/}!\N'b ֣5DVxb6_Fcy}& Qx/DKQ2;vd45ʬ@# 𼑕ܥD,aaOr{饰X- z$Av hCHf9J8YjmH&kqM"ءmv^_þ/P ̚sfYz/ ~G"4F }-–˾/ѫm;L7M )q}Kؑ!Y ؘ ~= kIG4mm'ZqO DW/q,EY*շtyZdF]2ۥ[2<,yzΤyQ Ƅ@`b;ذ,7с=oF̪H$Х?+^GF/z$ӳQ58rx#&cAR1ao3-6C"0e׊p2J/Yœ#}@^JiWAzIХgVF/ZN1hld\/:-%3::d6Vd֯=_&`g4i_)ٝK"s~u;R ppO$y%^;;n0#5ǧ\4N1kNIc*]ܹeVgm5ݹU3',u"F!ڳ]ARUEj3m..Qpx(ANtᚲnqJ5OI͋ ]eP\/Fe$]0|Sl|g>cw FbeXd#+8tz‡AVeEE[ODvbLW6~g `9 ,ܭ*2/!LF}~- Bj!yiq*xfVd|a*%eW$GVr2RokGq ;9tҬRv!l`<*6P@G4V"khc=A,|1 [y 4آۆD) *CrReI_]fT~ln%ב@%J_cZi7i`xxL[#᢫bD'HZi\ 3s,p1S54͜{Z302PI';2?5gfgr?F;i}GxŸl ݶ^9Mėf8[<)**C*NZJφrCUKXU(⣊l8wmqNWS; +>GO'9v'DH*9I)yD!Mu%hIuuixAH-NSRJ\+pK{;``7G-à¨֦[W]JseH}19Ɍ%ձ*ۿ'*S@A,LU"L/ȁZ:Dtǚ^mK'/@,,$َ-\2RV-3?:\\F\f XFl}{v' t^@"`qzg00vx[_ܬQnz.^'e u{pV.5WM[*v"+mt95zTCdM<UH/YxzT;PgvGbr%;ΑzY]1Z8̦0^pw\]Pܬn/>Pa[U[m}52~>]st BRu7˺ܻr{×ruVڥI W5G?n qxˉw{1ReM4ѕ]}P>.! ؃/>]3 M@9>'2SP.5Ii,wMI~7b9C\_'i51} ,~>?C t.hCY5F>Ϛ͔!P SuMaPj/D݆>M% 9w-ʐ'Y& Q4xֶR9X׎by/N.ófyDa"ZK6bW #D-2E`X`kto&[Odh3҃/$GJ_ LERzX*R'm IT$E太ª>|VuGg՛#;ƞHwGRy ‱?p-*ʮ#؟ͦ0ȼ%Cp-::,9 @NHΑg⽗vS2|)ݠH>B~Is[*)=^Hn#Qff4],{#41uVWo4ۖ_}pm ~x? /^3 ЫbP'ѫX\fwĠj %4/8GKj^RkP:d}@B@hKnZcca0=MO,=2K.⊁ nmq^1A:'D+pq3ˮe0~;g0/isb#g0j@nq]~j_$8#Ǔ ѯ0hՊklq*\^;,̮z+rSGD?SAD,u2^R[Dг81a0F}7C "$p#U{Ȏq["L>%d(ͩ??u>^q]0 [2kXYo &@ﮮM0k`q*K$&>8zɹs ztv`͗(,LgbY~^4Fǜ+Cq`qg3$/?֧k#㮣P(bQ q̑%2ny\Vm0hpl22H<>u ܟntkҎ|d!.xOO_QV}k"ꪪ y#"8\{ :C:)b;cH_aZ ;oȉxbX{lWMDh>jHԨDžVUe9! 
%~GܨdSށ=I1 =hS'6 M6 <9L\4'7;&Go$cm%s7!MNCv{ͻ} jj#ca0ɏ vfݒ{V!BgK!WX݉  GA5DTIPྐTѫ[ọH,Yp֭Xllj N^m!3ơ]zS} q` [K"GwKq)E*RbFOJɱ7y32cB0:m"Kq2bHIHQ?ͽU+cV@SBGZ IDATvLX :E!)/wf:V 'FA$[~Mէ>)I~1KeH)]9R2H9\غ<}t&X#_:}=g a)|$ق+Vtnj$?g/ T,~$w]\ONBIƹ(!]tVW8a <AYrG:B{KO/ & Z>v_Іg(<#hK NC[Gώ l C!$4|#ƭ=mx:Th%:}(*iWP ; IRz-9*ױ3\]j +{yXt&!* r0~ Chd^xAF@`{8c@pOxI_;r Xk#0l!GN"78Z 7^y6~=1oN*O@C@Fhrcb0v^3XS\&Y.Y2ư!ʕ&*4SX]_73qb]>w4d˔eʴ&Vh!jY f?ƐRu_YVρZU&},6's Z{YWX[&YzK:"cZKS֭A?z]166RZ,ң{ >o!fw1~:n^$~ϷF…Tu9 F8xrQ,f _:=6 ㇓ZgiINC%#g%(;aq.'Kp˔7vhp5Q0Mu~HPː^¸m`gko7th#ƍ۠h/=ҸBgN(mqHEhE+ƟUrB-zKet[>X-v]QYA3"U]'o;gG gcb~1.\flN'+!'NJ2N(Up@T12ÄiX9MS usesC!`ݛ !h8PR/,Va۠9qo"ڶO?(Z5uRFq^B2!$9t葛SqQF.Q7tFz˘N4r~D欍]Y;!I^dF$2BܫXqh I*Dn؄?_h-#D!gG)F0ڶ6&x޳F:>\}51y8M֟ #qhN2l6CRzL|޲oq66".;X4Z5baؓn硤,<$@SG?, A`pGQkѯ{hed?J]e*A&y5ּzBs.Q7e괏g )OE Y`FGݣ'G Fd`@e*-/ MƗd-?y[xnRZ͑$6ymW"+7bGG -e*QTl*+2,_Lv؍o筩)2 @pn1 =c|w_,O2:w#^n{O<-;YOLv9$`Xy^bAƐIй홎Z,MAo&C ,N֍ rzӕtSRR"w:Pg ۃuNU(IBciLC@#DW!H:Q/47V%B+i8OWWr7'<~nI˭DwJv@hİT]7Q\L[*xOߐ>@HᫍDqމYF5R1#^LˡnA~[(wd C!P4SvOH5(w2IGˑ+P|.#dYaƳPvÍln9] /Tꢪ!؉A--&wVȼiCʦB.qJ QnPhRi ;s?n '1H$ґ=4(?5 bٳ5ٽ UI m #1wNGlQ Ca`śh1y& ߒ/v~#ÑR$q? XbCruR8@c4+@cU%yzRk]ߪ?|/7hʠTsT* 1ȣ/<|P'bȌ} (lJfۋ7EҊU>^) Zdҝ bU`وBlt84mfތ,]`KԘ|$'98W<Oh d^+]0FG!C@LA0g!>֪b:)ETŅgpmo:(a뮭UEž2ȋ9 =EiءwqZDf/TzZ:6nhIuu +i$<!C ,ՕП){],C憾ޱcqyBZ3X~VV!Mg@S9spaTw`ĐV(2]HآÔch'J)h+ZG2a45Ԭ#@C`HV؎L/fD-{w֏>NCɲPlkA~52v n7%'tdƷ^S*q u,5z%ޝ!>5? {# =1 '9!LaqK`ò fZپCGfNђr|@_R-|-, G`,#'oUrdh3_WSH\n;0<*33@"`:[LC!вQEh ~'_&<{mD r wJdj_B!d1P%JBVyqr|fP<ג&P/i=$msXQdT pA^Z(($} /-ƪ22ߠgLB{h+П d^r}yZ2NUk2`' @-nX @C`|'bg-m8+8Yz>}!s~:vD^mM ܹPݱD40,:GSS>D|cPWfT"'Dn#a>QL-TitqZ\aOꒇ17v1adžCÚhEEEd٭22N_F}e '# 25B,sBqR:2rhjĹQ+p 99S_mKbȫE,KY(TQ2 ;I E5BzK3mgN.E"3 } a ??i6눂}z1=V.~AgVٴ_#*V[5R:B$A+&bB1ϖ$ FLNjw]fzkܵ#> an@ƘI8qSkASe2-*]x.4#њxI#G.ϖ a[u`0D.'f׵B31ܰ$|-V^_BRh\Tyeyyє߯s'%YM}1_ SwݹHA Į+WbA"+!'2g!Q8] Yra}%3 ;t9s\?BzI:Fs%3 !H7>lj(&=zxիcG@C! 
ze0-^][H~Ȭ<;wkOWVEݱ4F:QBƌCV4G9iA9o ׽WaHf{#=w1Rk !2d Jxdk%#} tt'#CAd% #D 7!вV"x#$6QM$n/F`p<>3^AgJr Gǘ[!X_%(zLby8R98ujL}k ,KD+5ZXssqj;VƷԕ:!jZ\ @B=V,;l0p{wUot^n6:RkexIQ}Gbə]?/ anU8U?XV!7C@MM!(!1j7{ KŰ4uBI*KۮG++ENkkcģJLN)F&<#d`?.A Ɏq Ѱ̩QPr_eTg`oudŮ5r7z]jȋT@ɚ4! = 6@KAmk; F}޲*뗇\\+[eƓDT OPhp%T$t_onb[,Z2k?r¶u߹T'^ 9fj7Q@z bU`H,+r윽'#vv͌ٛeiZWjxm}>vN~D#Hc+~C+dRȯ cz\1 {d8Ɔ BV._€(3d'FcCg4uF{ڵ^hUW*">Ew$ rn4][Gք_&ЬJnܸ6ZPFK9vI'Df%Kgu%g <J!sC_Gj8Diӥ"J쌞#!>٤Y8,؊)+[lL].RZJBDMrΚ5 o`g02o'2EwO˚'FWMXƛ͍]/H"v2l\?ÁHa˝0{N'̚Ym+68|eC`ཕ!`6dX a ŶF@ Z3^-!fRXP笱ǽF=$Zz:UڹrI kp|JHͅ3Zhfks$z)EZJ#l=o5c\b X'bOy޺$ǵ=l4|(Nտ?"gKVVC_/@B3e,݋<17 _ChJ;5ڊ@rꘊ|q֟eCq"&x-Z6!{'WD@|ԥJ:dWeKSU=2Ľ `[G5^6!KX̘%5ͫxu{D=ݥZEn,J(Bp>ȧ|g =GJqEHN%¨,-F:B-FBz4utT&|Ƣ5BHBMJ)T8+ ,#P;*4ƅ2 訠帘T3+MJ-6z!)YvV-7YP(T{6oRVRv])$Gy??ۺ+I ߭C$`J1&j3f]ܳcSdK[_bvvva#X2;C2|=T> ^$_6LQ [Cߟ!yZ~ D'G]-%CG{h !VV00ʓ+vOW_JXC!wlwpA?v/sҝS4XƵ3pFV]KK_ Xu)VO0kg )73D;Ɛn7a׫CP*ٞ )qnE,BOVJy>`7MzBڏBa0[Y_ "̋!;ըIRY2_l"zh)>]RGM٢ᆎ:Ly\Gho'-{J]j}H H/IZ'OKiB& 3 wR$i-0 ylCH=D&__-.aDt4+oأp X[[U`#e]; E[)GD+r@xb&1_G`w2_' ¹r_$=)WTkb#8sώ#sVL3U].F [\aE)AL?l0pcos``0y(K"8DD o55EkkFw˯ۣk ғ[MeIjD *|bi9m;â#v26O?vgdؼh x G*N?ZჀtj]xchW l RCGT981i>DwSk:J+GaV6 UI90\Ò77#> 5)S^iTˡ\%1[3.͝"tfۀ??|[9;0B~ &c)9nΜd^t&$#qJDjGvϱk2'g{JN]:˷ˋrl<5M7tU iue{ Y {?[#w1[fi$<&%\)O'cikKS*c8uyOH1`$\hFHcF$xZCŮ+Vq$ xeI4C=mmO2uU|zaW|E/c~%Osٲ!]v4_E3EN+! "ŬV`0L#@_1* J4PRBRC(**BAArssfl۶ / .@wC{AUY_fF_n2'(궶^ž26lE$kYU}jr6v2M'5"Kʪ+'džQLF!! .'a͆Rҍ28 1um11KQD)CńyxhPݦyöBo%K"""3g΄\]] GGGdK-Ed"+`cIT> txH͜};p_22=I0,v!$3d:cGQt>MCzNeq[r,KV!WN%M 1 Cppw2T. 
$d"ڑ5&{6A2-{3hTun%>"Vƌ rtq7)[$OYh;hB,-/vX͚#09v̇6ر @= 2_)"ȫ <"FVUTs1VG^k Bd<ósGx: tӪEa^dVX[Cpv%IDm{՝*|@Vu}YrUk )US?n;VƷh8& %0Bd JC!Р<:2^P=9i=f$.S !$XɹD/n,h_|$] e2jЖ\kuLC!=" E0X(VSs"q.%-!!lSXDmw Y;D"3wW&Cφ=ߦ.,ꟁQPOZ]mSl (<෈"?bwJJbٺ*]joA;A~`&QbCb0#suu %3tlI %X>fKvqHC.VGygYWJCrtD͢n&.MS"K+n;ѿg !2o8GW,ċ ho3b>Ooqzl+š=yîJ $9{,^[kZ,XeJCev$0k$` G7Pߟa(9&U3XcJvo\|6W3I3BIo;7;Nk6iNdsw6؃P*A^-$}ʜM pBIcBx27_cp>zݬzAH0_evBWֿUH fG)(k"2F 1G ȩ޺SU666_Ut®R57)U{qsJd??3&K Meed7nifv񄷟7CqIط,&]1xSQ_I1DqM'/l}#F`;g/Ɉi3cfd7JOb}Cc+~C+Ċ(F z=tgKR ذAbj:]2 "dZ+8, •L+,r¡&#DM!!0BH x?f$&h9E;;g2=K=;k{mtڭ~M) wpF:6nXS_)N#Yݗ%Kgu%g <h,iwX|~)IAH|,Y ܊W+E3)9x0앤{KO/ & Z>v_$ʼv!`Sg&4JHTNJ)T8+i̬I.1#{u~1z5C3f7L#i\X)C!D8D7C/jJk"bceNp;:K; %V 7~LU.e_zKfz+=n߾o.|ǏZ7xwplt.I'ፀp ǀv疄91l|?NElX AkCGfNђrMųG!0WE,_56z;[q̼.nJ6Cu%9Jqd1fCN@J^˙R7~i Oaձ!jω!EMb mI_GzfJZS%3 2h0B C!,t/[Awa ;DD"Gb헜cɕj\Fn&F( pl툶D6Qggbdet˸B5ڲ5>sH^Aʭ!v̧=&),$!;#!>47}8,NJqJY2Jiqo=jGhX vV"boNW2g0s~o9D9 7C!{\hipF;-6V! q(}GDNCAkixGPUm6_{@a$Htf9ļlZ1rAVON~^5TiXZWFy)gSr"9Ƥ",Dѱ3^`%.uф!5[ 'ru^rE..B6]D}cL78{:YR:$j2prt"@dn1^n._8aHVɭ5Q- ~B=6D$DXp&:Pw)n~b-ZEx sB %#ņX Se2'ai֞X]7}ҥ9e2NHkQ9;XƜNs !;w@bңKK]ʭC7`ɒ%xwI̜9puu3!4XlSȺ C@v- 3Ck%MOӼ`52$ Ɩ;غQKj[1w^~͍t\%$+wS"TWbNƽ8xW*8RWM5 ̇apf0u@qKjiW9+^ummST2Du_&[/ۛ۰x#D=! ]zHЩ+?Jǁ[ؓ%6I!fT5@ZDB*^*$q0wA35]0BTcXCC =;H^/V"Cm 6{\+ɜnRc+wdM,s? . 
.rz򆧏7z9ciRvza]*;n_>ʂ>I6 ]nw{ZK.\ۚB~P A/ R'Kk>˜~l  I$m_=^V`]>"@XH sQsǿ3a y\<"2\566״)!c^2gĜ̰H +ᡮʺM7yBbJ'ŒC(_}=t2F NZlEh IDAT>6N3=M+E l>u?8kCDi7$΢ث@{;ÆS9o7.XYoNZHƔ o$,LCiIXxb-nzXh^p( p*Lq" ^_@o:Ɏ?:Y穻D :nA_V $Ti :,PjÞ%zQ N0^c;D"P:B,dp9m%Ƅ[j]?㌭LuH "轧Ww~>Ѣ հʆ|ջ͋yN-blEs")2}ZƱHfI{2a1_wdNrcXLVL™_rB8 tfP"ņLOߨb۲<6Km @U7 c;w(>,g"ie{RnR:ّQ'D%aw+ӗzڞJ4NN^Ŝ|=S(1iBV{4Ŝ;TfwRj*Ewƿ-u'k<" QJ<7} ,Ǭ$F̍U޿`Km&qhU,[S1l+'#Y5LxU}8[d5Ds򑟛y,pPyJ PR:);0l GڢBd tloc49l R"l,d.N3Z͚ut Sj`ǵC8Qh$Թ`!Aԁi"@Z+[o2&UKۚrfMﳴvƨP렁6>{ 0޳q )[6Pr/qJ?fyWz, A{Xj:xa.*+0v[۹նEu&D3ෘ*M Z-JKKQ\\Wb˖-رcq-bDF{&)؞ChC+dp'ql׹wmx8(>rG\o5yKmmiG  ;?خZek|LzbG::wd߰-]) sRvd(L~ױ㵺6 DrJDDD`޼y􄇇d/GG4feDF%"@:>ux˅l]Qs#ՏTi5í9kۜQYA gm-"*pU˾jC* bHuwVCRY!^Zݝ|1$ء=^R\FL886䷠g#뿤F7&!ޖTpH,yy]/Fe5rm2m ={HuُNn} O\~B{aT@ $U7g o;ŲS#MuL'cb\7nRgo=a\&#R J><2? g;&1 `7C&80}zl*0w-Bc;KMwA aѐ\du6eA ײbCBHC\N.ۄz6$ٲgo_xx_/}NLMA,Yl*%k,pI6 asK%ؗ%Mi;ylsB1.h;J^ʻ,Arzv.]r~[9ciRvzaŰ^ /1VdD $ Gky;}{c"׾s.qΟ?۶7$W< ԃF"~`&KGZ4i|VOYpǞ{q?@fhұzw,{67$. /cO\D5lwx4N,b H81M ( %"hʬ#SDmuх?1~LۘgM7Ҕ!_ {Rkj[,z=~ ,44> 6 M? ̴D'AD;g{߰mU!Fl 9|@/xSTT QWkǖĕoa?0'EhVd?x)qjLj6"@Y"@3&s AqZ`;/j[2 .(Z >&7/2{&3 -wᮂM?L83;4Prl&*X,E"7iXa5lKϢ3[&?DϜZ$Dp/Q?L^ӧ(JBJtpۆz1w fJN =[/g;#m*+Pm"沧WsTI#LXӓSbzZG‚mK [V3~S|F^&L:'DB1he}0`L?w:*vSXr7ޯp0-ǎ/d#yk!r\^JKKQVے+gsQy«k>+nfCn!^Mt_kp0j"?+yEMִ,)[̳T_*ɶ%,ųk qPZmaN@ Q#K2cwΟƥn:nޮ|E=nP8Ip(..+[<3Cf W^E+lDrx1ʖ"f%l_v$ƌIXrPOINSg#ƾbEpb3×'k˴<1[jX115~I39-2f>QԿ=zCZ VGJW}9" YϿ+(F oza{`O`-[ɟj^z+=eCұՕ;S ƊXQoّX_L)ݔLDxi3$va)Fĺ0%ѣ41: #ˤe;?-kᇲбjaX_!դ#P$:?5N@{D&/ {u?_T (ݱyuSjΟ;ǦLkZܦ>fCBRCUj^+[CD.EWG N,GEMriI =G}v.9`EPhs|:PtʹGs5x$\/vޫG՘93Ɔȿh}>&h !j dNCZ52o5?nx,nClGr'ϏexK^\zISͮLʟ>t!8Gd{Y7v!!WUB{ŏy2ܔ;#/6m"]MuJ.*z^ qZEWduÑy3HH,FڱS.ݝ$%cZckJ_FiWkmUR+~jXk AZ$ vKrxt}q4^tZ% o֠J/ ç+q o[+pَmO}dܴ(B1g8z„8ԓY; xMOa&݅b[7=$XPGTbߚ78hp__+ڍ.L1JGl P6 O/jg/SfGcKZq:,DkdI鈼ֶp>SV`M!}S2Tw"4P#MНO6Pm9\*>apl7PݘkT;dObyXxPN6T8HW/O؇B!l;tHQ"@@ 03 ~xط,.@"?qq.`*nDV] 1l %xlގiq{7<}˯I|KklQ&Op,Xlcx]nw{ZK.\ۚQ鯙Gg-`,^ʱ 1!! 
Ud{aL؞۵\?ƫt qMT3Lڍ vCM "2u !=OcbLrve!P l*Zou7yBbJ'ŒC(_}=t2F NZl>6]Ħ"TpMap6 j\Ǐ3cقX(F3Y{,ǢqO#p{ذz 5 +éYɘr-c"|i߽c}] -3 ~CM3Q6%2A:mJ:ZhJ&c ԘV(Ѣ հŜ3y0Vy1)E\UIyh%gKhO", ΢ڦ,ޭ%0,,J1TrB8_-<2 1\l$Qק? ǟm@Ɔmxs_C, zP ]p'u7'ܛyuw6;i0yj*Ewb^96υ _=YhRV#_Pf΅5:ʛTגl̈́u>ի/O\cX^ bMjcZcnycuZ5Dϔ,"Љ('TP60aOeevSx< zLͳpc?BNڋYH+ûh|Yokg=e+}1tdd#;# 9 /pk.#?7y[(.RT5NJ=Li=<9y":o"1[* G3~=.,_;Wk׼y뙛עmAQ[P%Dt* '5>f^PTאa,Ә-aqbrSfgs""}Ŀ€Kx'>QRjXjv "@(~b2hZW^Ŗ-[c,|1 ;5x2\-4}rTP{܆J#'|EYg}ئؖY{7﻾\$ji*1wmXj^}W+e”ld^ { DrJ&B#0ortdӛ֯i" DS8>6p 6lh #SSmߣ[bnO1 "{4/D aǿ(qx/[f"ДYWiDXM/Ɯr"k+XP.훱WTt$gM#%D6H|41u{*xK`m _~^Qst(aUɕ𴃧ښbIo]ƭKFFW7([гI hMGQw~D%U!0KޅV݅bQ&j]v1/e-D&$61>;Gony$nH9j؞Jid=cxlw$UF%N;87nDΖydDjAWǣ'y_F'!l$1B6!ƞhOֳ'B*;\ ݹc|z?&^oRs]@uqp4|"@:'կ_\ \Ibמ‰W3eЗ TQaqygo_xx_/}NLWA,Yb ,pI6 asK%ؗ%Mi;ylsB1.h;}Y] 9= ;D u.HA~Գm$IE5a^|xF0C6u +7$Ct$JQƈ{1vz B7Sכ{E6.\}Y>|G31!^zHO6y c5[=a)ל7Xx [c=Uz Vg KX=q\WֻXW =_S'.;<Q'z 'f=M+EC?2k" v@`ᓟi-yçv<`B2@ܿ|$ Uq| &ztlmNvG i*,Q"獛4dl'~~M]em\C$v\4j.><6T^;#?l[ڮ/VزRzʢv#@PSCDG#Spwb758=e,"jgEveѸ]W.^/@E)*j[_Ctl. ݻJxEPf9jDz7IO<wg>KBϛX[՗_'RcĊ\ʯB{f \Ol[/Q"L@VR;I"Ѕ[L^TVV ZX-[c,|1 j/u!NON\5+c"7X5Ful*TӐ݆l˵бBjm7N Aʕ+ypcXU*j/yNW Bs,fq3Ba J rTzVoHѿ"@'v HuϞFN@'!p\ SGp#VAc9 ٔrD>G/;D. :Ah[X'>ܚQ~,2rGj(ϏexK^\z$ hi7"@@>Rb3j M+ "uyn6Xn؁]@#@}da"@,#2Y8c{{LGh@1\;]Lb˞r+),µ"qs荾 ;7Bͮ[tmx[)` DТD pZ% o .)OW5~KWi(5г*e4ɸiEy)kQbLp Sq'ivB#n"M ?跐϶dxodmptdUi]/$?@8r[u]HkdI鈼VH<()+&q)*;{~G&` ǧgV6 p}{.ILfov8bS(XnL5`S1Riq{7<}˯Yױ4f=0.c|ˇYY5fa]nw{ZK.\ۚQ鯱8h-`,^ʱ 1!! 
Ud2^ݥSHߏkj.ډ vM"@K@9w l*DQsm׫|#UHL] XsHW2˿/21NܨiV X 6k*ij\Ǐ3cقX(F3Y{,٢qO#p{ذz 5 +éYɘr-c"|i߽c}] -3 ~CM  ܶLM"=R1斖鬭 mM"@ZJ@V\pS۔v8SX>fA5;\|}ДLީ1ݭ9)Q!QyOCJ{ 5+1$f#LmB9z5rf*e1!^JM0ʒSg"ݡ?,+^;08*t;5O;-(J%bHl g(DZ^֌WqOk/}CR;%!D48-p P l }kl-R-1")Le-L,W&m |&1!-Em&@klFF K +SȰcbm-=uc?BNڋYH+ûh|Yokg=e+}1tdd#;# 9 BھgLrN>sw:yB+(/@IUDFܳ)c{i ',&2͏yup0-7o=sZ- j d"Њ^_u__ω!klFI ?aZQ="ºe# &\!rIXQɰtEүX}Z 7BfbFl}|ZS~oZg%N9X &aʠpWBigX1^[hd139*Do ?W Ɗ71,ULa{y@3gnk0i̖0Fy`ݸ19c}uaAaR̥Btlڣ!jIbPɦX (..իWeر _¸ QspP)Q|$"k0mvYmmiG  S`fK%*T^}3>ҙױ\3x6lKWʄ)kC٢'ɼ> aʕy J%lё=)3ld !j]"D׶9dz /t<[_UZE/Wۅ}wTmCB jܖҭbg퐹سEڶ"К֚mvF[:^!k1S|ZzTyى5[B'DIoZҹtlhؿڡ&LEH{Isk !DEtJD/{JTV!oN Jz/Jd.E>`4yC"`3I#qy:x͆ ]_d~%$\ "Qq"@O@Yt#sud_ r(y9D4= mF71B:ׯ_|"‹cDۥB]0({t{ u 'NY}F:28DТD4tG>U&jSNEII nܸ!lX^^ 0"AlTtj .V=|F#a'<ӜD9Ԩ V0BW<'''T*3=B<q/KH:Z8$D(~DF\5W TD0DžIc5~7:IUWWQ1 ( ##!- ZCT6'ojtc70it.ICm1QDn{=CopOOpA$ #.$AIsƎ!j]#DYqojȓIT2 j!"@: ~G: G[d.Z%"AiYPG@' H78.)4iTF@$/t#saĽC\Hli-, " x71oneb/*krDn;K>_\ {/u˖DZTds!$ "IIB!D-:I@7( ~ϐ?s)kNMMs*R"@$#%d>=&]AHLE%!y2/+dX C I>WH.?R9霎Dtȑ%Q$DQs j5C@ HˆO_oqcd[$|`8jI 'Dj5dܲ$!EխM"lmukv" ] J DHeB9D"@@#@}4\"@ D.DuP D" b8 "@KQ]&C Dt1$N%D"@ AT "@ ] .p DcY[g,IENDB`fwbuilder-5.3.7/src/res/help/en_US/pix-statesync-group-1.png000066400000000000000000001432361303637203600236570ustar00rootroot00000000000000PNG  IHDR&^iCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! 
)EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ pHYs   IDATx]U^߷d7$ޛJE) /H (R `$@Bzl}ݷM߄so̝[Ν继]͛ГN:t )SK&@M)S@N:sSSN:t )S@)A`8%7BN㧀׫ @ZR|WW©Ж!m Gq\x)?0,O/KNP@ d2Frۊ!e,U)o34|nx۞>8\ F#=tmQAǰ=U 6v-=p"}PsUCK2& O?.!Va1 @Ze|J#.,V }f3ɘETT6Ji|CM~ <6 hE[[+̂ /Ye$$zQ;˼L=}ڠ]S/II1xp cR Pr@[zȃj\j)7EHYLBRUKh;{.+y>m|׌&3aYF8ުPy̫7X9ψ. Rc-ɽB'hui:b9R{u 84 ц4r, 'd*o4J%Pk '3)I`#Ln<(e5^w`uu(̺4{/)Tç|2v4Qj"35 GwLFއQHxOMcҴIFظ٘.G7YQiKcdFuKMYL a&3On t0Hٌ=0K{ v6b뫐6NFWW J_}%yXKi .p@ζȪwbޢ就hCFDhD[ÆMaE ncF6n c駀H2Vkdbۚ w0}.B3EeB#. IZIH)e_ф?%m?f̙'lː6OtIB3D{@@%yW' xo\-6ƧG %*LMD\6|0JP$G-+mEMm 4Ta <UScRb+}Κ> Zh@b󢲪mFapԠŃԴ$ح&ECn>bӧ!KyQOז棢q1iBrcm ؼh2 "Ċ\tW_߰pΜ 8۪ٖf$BMC#Z(NaΜ@:*m8ڱ H0x[Kaiav?R-z5`h.G~%zGX˯vρ(Ea}3(ZqVv!<2 FԶ;`ނ. !) 
/Ս$atwaêg>7w** hmGC]=VE$w: ƶy;g,<؊ cCRbl&_//*K%^75SPcj4](޹ ϘuAsX{h۸޸L$Zl;p?Iɨ*܇ٗ,paTx1ZZPžxhCIi R/$#~1*uLBM"E1DE%& NGI;Cb0?3 u SDs`k݁[+F}mmHZ,_2Zt8a3bu)A,Aֿg ϚR|ɕ< &+TXhb*(: ㆥ }p-rSP0)%gCAHifՁb >Z0  A\q 0"͛h?Ԕ!>6^D%w]ãŸe-*ڜ 7(=r!̜y[Q=s 5s/_Z4Tam8pt444)0iIKsw}T_p珮´@<|疇؞Z UT76+FPD\xpF-X8c,2抚׏t -tRLϯSh)@&f꾕,ACCYuvN.&N ¬D&bBfm=mʟ FaVLCܑO-=ބHLڱSUրx˝T"51L>aAvTb+`qvZ"$Fbɜ1\!=E{S#ݘ73 AfI^oc8kV9h릺9{(؀W&f;f-QqF{ --G&gFQ.q<)&ܝ()(i`$pҋq`NIGʼnv81z[7k/>Jms[f<K{8HL|WD8tUGF~a~˪ü rQGg[-MXAAX挮fͧjnDJZ:#'J*ˀRn`ٶ KE ݸ=PUV`R:;Cz9hS #AbL=8 n{3pb[-udm, DE^>`X`viED`I31*:$"tL !ڿ+]X||ć҆NSFp W\Ddڼ*nF4ęQN@ g11dX4t.܂->q*"4ލHHG;vAIu+£EE`eCi3hی-[!n94+${ ;"i.xMPh'۾m/bF/ƌqiF1KnG5Μ ? BY{GpG /{O,IS{ viٖj~n RGeb"wc[" !rQa}FAVUYR)QFF޾]ذa GLəlGr KI$3ꇄ27SUJ!ψR'KQ $h*P*0mR$DFWpW4Ft!v +#i-Ď]Y0M?Rp$_;݆%g#!"۩bH`PM'W`<ΘB[1 vtb#}~հk.)p Rw QÐNѽF3Wi# Uȕ:2I_ klϡKXinbc+#ϞC; ݘs#RmRz)p0l߾]z :Jaln='1 U(I^QUW)u+kzz}R_r/Farxi.^W:Svr^+I}u9GӮ-ZW{iS ZOI#&I}ZB:ToomTIBCCqO6N:t )S8fU$ /)S@NGMc&XUAGR:t )SkOc&: ?zu )S@I1RB:t )SkOc2~hSB3+QͱN)S@N:1 2 P-MhOsi=^Cꗺ秒EE.ZS[30>%)I1Q:t )U1SD^Bulj7żn_`LV2Fܠdr{p0_S>J$^[fEJu*@@N:q8f`r*QgGCi>z!y1>Qð`+B#"O$R TJH{)>w*=z[t )SA<01RuS |]fN5aZ`5@NV  p{2 l>g S (IK':t )uW(L}7ο1MKc0ֿEfLM1Im 7ՠ+k%F8 :D yJmJIItUS@NB,0Ƌ F,E%cO\ 0lh lt2&&i$+몇EU<@ɩ7.zt )S`h)&<A ںN`"sĦ5=$! '%?$Xi,ou=)S@N_tz=(qV#bBMXN0rދtGv:K )hF'"q9(>6_t R(K2~)&KVEZ50 U7&<9^@" ]y]J =w\^"HyK~8dR4Y=)Pv+sP~ )&ژhw B"  XP"ʁ:X (8QJ 8#=dH^J^(i hQE-W&Bq'nkk;E)p0 b%44T3$⑂ERpWґ?1 !rNLN/Ј“'OmgF#"s$&D%%#f?ڣGc+H07 $ hE-ʙ#II{{I/QN( _SS]`#IYrFQם·W0HB`ߺؐnEVoh 4S}G@".i!tՙUOJ0U;Vt8ef,x(p&ew~Ѱ1vB2hb=$ ɰp-8L('F2 gSIO:t X {'B"2MIYH9]=h>U m:J}?K;&Fޝ@z$[uBɇm&qT8rFX@ϗD9' S#@#dpUT' ?Wx@ \1+&TT7u!ۈXCVkRXꏶL{Ϙ|8ݎ "dyL8z)p) w)8{dBDWWO$ט}"Ke4TI.Di:}?v 8k[g Y71S!tG6!$opU58? 
sƹP^m!G_%P[=ui%6#Y9,<ƑUzf"XSY%s+vW*V'/Rwww7$Z<_FB{6Xc$iP@`DpNQS|Xd$/&O dp!)=ƧeTtmSTθ[fs)^*Rl|YX>nnK }:abNVz=:t 99 Cb"CVx̭7ܔRt,&(ю.bbN|z,}{d\!OQ^^!+s( gc=`%~ q8=d!Ʈ DTU5D9ʇV( FʐX'Nj Y9 NEAK+?RJ!Da`7!zEדN:( Gˉnpa[PRQC` $Gr2!}H X뤨dE$bd+K1̧8qRɈعyj*wb0[ -*od?Id!FJx0.GW&8Z˱5'N@#1xE uSBU,wY7Uc0e4rGr<̓\y$}7jan @3'nG7 >^wMb"CX H^liQh'0cTD 2FP+ IDATB.KHt0P"SI9. Q84 08zR)}6LY|&&Hj]a2BWUQI_Sy&O3h1sTAFh%Xǀv+'}| kWja ,}6)2P"Ry 'D0Jb kf!3`5jl(Fs +QR\@<ғBy0)p*R@FuT)W^{ߘp1;z6Ձ:4wRc{*HJEWK+h@twQ i3vNaU!nL7 HbJ`M: _a\5(D<9aQH8[JPRہ1͝ߛ >Ǯlu*Jԡ":" V攠ca)Ee)ɔl-!CϜ?D`F?;{)%ػE,4EYv`AmY)*:=WaSM.[>Avdp<I~mm Z;aCLd2H5mqg8Y<6Vಳpx|9oGtB*x0aJLJ 3Ap6V1R `Y\ktv1ҴCphkZ'[""~Ȑj@!Ʈ:!Z$'Jp5rgG"X\\y_O22y`K'>nrD=iݳ|EkSh( $ ]hM\y6{[߂Q#˯Fcz|z \F ccV+.k49<{7C{C Rgqp?ApSMh0Lk|_vyo38ooh#eHv=r}+ٳ[-[wS ~&Tb=joiތ [;w)qX7a5U _//ZP%TJM LDzDZ&`Af >zxqNΪ"ٺX\p}NOS vw%#3pWgXvZ4)X)I:"`Lrd%/m `M4^DDlJZ F(Av/F22HSXr\ ?_3b)[PzۄzJUB`yNLXVa݊^]^=8) c 6kU^:%('wvs_+;%?Ww;qYQp0,Ն5g?+j`%4 [{KZE& Du$H#=e/_d.* KVa/ri?سfkϫxw%]4 uTY4RW>w`pealZ$wW PSfU n|!Kjx7s5GB!(151&Ȼ>f4FkWg:2gO@ys 汈ɘG-B ᄉ/5N49?B`V[uձ$~b<(?{H0E-İ0d՚ v̾7X4g𸸨ZF)Lnjayq ::<)GCu,cNc(l omUd%1BUrͤH)NV/ #ѵpO1bۑ&ډTwz]1Ur-Tfu [xjwpϝY;yb%uI8~G+DN=V@(C4C}-/^L!m:Fĵw;Xc9/sb3@ 2e+#Pe:E,ſ&ο!!1TIs`g{^~o_mm]W]r8Ȝeb?[ ՙ(DuR/JkuzX*'sp:jW\F°/hg}onC;J9w?o^ O}ܖn’)319(X1$H߱B~D;K'aMMQȞ}4X0xO0/(stW"F)Qc=8&7KU|qwoJAQy-j x7ٔnBYE b J ݘ6bFO9B[п-R}u#/fcc":+հ|KPG(@F1V9g $aa#b c!H@B [(Yi#`iGNa+[ TPdҗm#~Wjť7f^ P'+9i\_u,ӮJ*Dg-<#Ft[oPEՉڤoCp֢3 ƣn iN'vؤM#}T̝>y-doحxޛ0w酨nbҘѴU4c:Bz9 1uOʡoV(@( $ @|l(ߏyI`]`Y\hퟣ; 1#1-Ve\-?6cJ1yƙ 9܂wXځo7:4"ތQӑCw$̴@P,f qH4b"B`jD( aA[`X3l#cgLļP회^{-~ ;c1k,Z< avҋJ)Ix_yWiGᲄ矆JcJ 5]iQ@uıhcsNl= S>B~ Wx زmzڦYG#I攂n݊: >W*RAcq'_܀d6H:0m!֟oI2F9^U@"j E-3!\bF/QOPJ&rn; ^dBD3\lo;rg4{p #a4vc*BaK!{tX&IIIOoYJI.n2e%QݰQJpFݫV6ZZ>P>O4_կ[;W7h=qo00 ,h+H/۟ڢLxn`-mo;_ h+rrr [> Li!x|n2eliim!2%%Y1Ҕw--! kWZ8o N<<`X Xm6ڝ(9/韛⡣ +bӠ!>DxCYYRSSw_i(MIJ & z7J=yx]"D.}F,Y| س q8YċxȘYe~. 
m &"jgف9NdxI?,z5 iiiҎ|jQ:.*`LFJ8 ]駟~ ྵ1Oܠ-"M!!or`52n6uk&(B`Y) ovbb6~щ60rڸȰ#XBl-˫rcd(OSzӗWq+ߏ"?GfJ(6`>໗/&XS4PJ( !n}bnU 0At>&4xg}BlߝM]y0&NH9Ș4T[FJGEƉGLn߹EխLI3zMaoC-Ch%I"be[FL`Z><9fY|ovj#ڢեT9e(=sP7L{FQtݳȭr1eVD >d0a\)ayTf(\ɫCG,|@9':$95NUȹf륅E[}//tm@۸m&)>p eaV!݅ܨ]qye-DTҝ1)mtkc?!1 }O||g2f2Zy2N#hQS|RlF( o*]㍉oie ŗ9u2 j0lBTHu`Ӟz̝9RM)JA-㇩Ve,j}G-ل cW^&H=ʤ[ORkj-x[H\΋dbK# 6ԯ$%^Fy6D,ss&s9(B{f>H#D;hy!u{#Y{`V^Pioj9lˁw i]HƴP|K~*~7)Wxqi~=ɧZRHD"BC& NUТuJG;{&oNL=c)@EtGh:jCxB BT~Rd'N5n -H!0B1O4Rz(Ew=;kPوڜ:9Wqѡ㡛H/=S\LeVaA"w2Y{ ف$ـsg#ױ j1eX4&2{9F}&ݘu&kDI篘w~6Lݛ7ѓ`lRcx1q5&bƏPbl㘨Zg_kΝ[UE } LWgv-Z, U@V#f̚0j\`ˍWWe;Q;$gZB>V#i<zis0,>3 Ƃ#jT h7Da GROgFP@ ncM{0?c܃oߧ~QkxZykӁR@R?n"f`XT Iɋ4ĩi[b}PM搒*ǁZ-J.lGTr; (ٳgO/(,w2nK}礓Z=s^_IO})z[^ HMs`Ӱ;WObݏaSbw jA$ +ҕ8(܂`߶=ȭڍJg.Zlu6կUm_ mgOQCu,J2Qqޏ#!yd\DL9+} Sn'O3\w%O*:+F-j*uc>cɓ _=t;ښq7㏰`?E蝹{)DY_kMǧ%Zö:#=J2aWwzD^xX5;+M.3Q<&D}􍡀6OD}6_ߗ_g| Tv;}'7Pbc9wlfkX%$nlmDy]%k ӪOU]5x~Kڍv{ζfTUVҼuT;H[lĖ"B|%[XQ7סRbz§.9wӵ55 ٗv^=C\Ob'$Tƪ<-o[(݅iEuqN BSk ձI{a%&}Q)PA=+D!FMݿlwrSUUR> h5pKÅ#oBէq?Ao|7]|>v+l/BuI5{ -zI<{hJavMO.i'/C4U[މ{ nEkClxQ87V.)svϝ!J?:Y_$ҫfg>>dQ2O8gWƿ>lm7/Uq%-Z} +na7a6$`b\ƫ^c!`*Ȏ] G^zfLd$eiWzϪ6z?|5,gbwyhAʰT=u+}Njڥ26k -Ib=NE1]fCsԂW Ł#Q:,^\u6;/EqB,L((Orh_ Ž4.~Tgg dd =ІVo{iJow㝊0Llw3㉻P ~x*TV6`\v˷#mUO>`=6%1j-yCܫ%$4=hXX{m *$z?K9)B"G!qDOq39I GzJcOáyV쯷||nPGiCT2j#!}pP$Pg(d_&hgsRV]@ W1{Z܎w^}Tq8Hz-Uh`@޿eu>#0{r0*GQ?a')9q_ 0t3hT-FO^t>xa~3Ten[fS1jX43 u VH@@d]v3~2Б A#5[#Sqmw#l6b%_g=G0*f7m TedҤ{pʷe#rpwh5]tb*X6V(+E$TpEnu ֜-4glܰYdW*.G{HJj>K!> ˬ4xyYkW|v3_FJ!*QYe kH&3}3 M$2E167Sp/wWk|CN[8/N'Xv2n c, ZŰ1>N#Z_ܞr:Lo;؃\ >Qv7Fą1shžېWZ%AesF4Q_[{Qw7Z`"vJ6Uؾu;Jk[>vR%N*9Y wJ|cU|@p< $Vf IDATo{ŏ⏯VLFD:\|-H7 $v߃wX6*WA>ʹc'w I1|?Gm2c-~zNi*=iZaD!@[I A }"Vq W "|E4o|3WΪ`0q^0lh@RLx~`ZN0Aq _8` M6Љ+t6ډ ?!=F}ʴ}kq. 
2Mexfu=a&̾،ģw_?0{Dz@K³sPD @] %mpmឍePICe1{ ;]#pÎ7һ/ bY6!c3~.~-Q X~/0^+G#.~K1'--qxPx+o4oa8J6o;b:L.%2I"3CH\E5x(L.EJ@FN=u>rpTy2pyi ݋_ޓ:v Q P3^xP?@Lt =DjPp6LiXFw:AigYW#^̮±q_V˵b0qQ-;o#4I|JY*c4҄E"}B&1 7@;|anjb)q(6TTn+gY c/w|ľg1S5m-(LJ4 ֮"$"$ nEPUjtk:Ȼ鑟71w)A CpOcOܥ.EZfŃ%~Q;J*PY6w!l/v;>('=Cm@E^.VSQQ8>Ϲ !H:?EŁ/+W*+ ouTⲻŕnW_1g\JP"Ko<ՅI:|Q!;HW7CkkvKDQ^}U ܪD3H.fN '"gx|˱1kMw mM<8Y4f+^Jd o@ja=PU  %n3鎛D1z3ޅW!SEh FpT-yȀD'?CAB{((Pg| &PXTazI3T} HHH}%ښw.!zs0-וoM=@&0"g MXiաOٞ:LV;⒴lw7e\EpLc(H,_v hIvi/{OKЗӷ߼GmLO;Zs` Jւ־d6 I)i|w^$ +F"#OyOx ')E~5D)U`EJC K\~XE#(w߉S`{J;a™^ 1LyhiTÉ?>)!p$ |G^h༇<Ȉk=HQ/8(^@⩷c K9[Tp~5b1jsG¸a0:i!)>{\(I+``k88RIE_|'Z}zS$oh+NQIKaUXom5{X${} = b ۢ@ѡ=BшKcd#]u) DjCqY>M8hUJ{tzZ|#~sd,=)d:;5z`ҳ ݕW铹[x9xh?"`3i*3b>^9}Δ@zGs*ڕ`[쉸x譍H䎾]HL8o;{_cWSF/_̵h9_lJ:71a8X*D BU~J,x6~KFsk!Jh@8p(ev=kΘ}&;M;^֯?8*Ì+n #;_>į2Aֶ2\pXwwnx}Ԡ!z";;m2`ĉ40#5Ch@r>[7i{۵PoG/0njs#%Ŀx7߀]6? ݸ/S7A5U9|n@W[܈Z~: B5ID=#+II¡CI%'8@3@Vӎ*C5hQKi}Lh-CQ;*e E/r)򱄤wZމCxҕW\m݊S) ϧ4,AшjyS"}.662^\wdxm!H'H+w&6(y1~@ʈ*%$NUI]3Z4.1jk\#FsŸq㸋~圇b%- =w\x 23܀fEj񚑘wk5 ;nΕs;]qs 83a%kh@dZ=hNc\/iN),_MINY}B"㑞zT :9ֵZ܏ܴ:iLM_[ENɋ#Q[6DeC w-a0*pUQ]V OG#'ِ6j8C8}-Pi!9F&G".tշPR^i@qa,5XvN^ˆIO0/D fK/$\+SЄ3jW(}kb]Gn,%%&ٸNTP$brLѶS'I@)=*R@@S-Æ+A'#6'.9ŀ|L\<s<ҔJF}…JDh^sً*l1@!~)<S7MI~vZn֤G\TnD+EǤf#Ǿ7v;zX<[SGZ:rzIuqT\;pIh4W7qZov9g0Y_[ 88,0Gt!,uf{ܶ9vrejbөS ChES;Qmc7ZǖP|IH[,BB !0!L?W:CnySHSOrݯ+16H%&P{3kFNוg{>r,IPF#7i|]Hԡ?d6-i]][yve7/,AJ1-w~ѓT\PBR;%4dyWoEwK7i kiw2|&/} ̮LS#o{_N:`0*=u8A5 .lTH8!<+HL XvR_t*aI,z$H=s{86#~PӍΓOEF:  taKLQ0E ;Wa=]^c)a}l^bD|0¸}HO*Jl:ۛpO$ʷpJ;U&`WUm3¢8s.t_j0y`ejǾuj/%󚁰=^J=:oc%OY}w v(eCVڳJt6}sreeݟOO<-}慸06Dщn ņv$-RFTz 7pkP$T)xQ! 
.[]e; ]}醤z!:t 2ZM6W^G71X 7r7Ef7\KWw)G~~yǪshŠknĒIÔ[sC.6nQ pmwևWb4Jv ?#k>"^ > u_5aiN=cM[1;\6]MM?nu5oys*m:n\ۋhoi>ν**$?[&;t%javRef ԗ=Y>d>7x@$t TT"p-0X~WiMbcė3a܏[/ gY[)_0pRrc+uHJGBp v k1~g먠(&l<&;O+EcVi*'e2,盩c¯x׍ {}\g) "Uf\o\}x{P5^4wr[쉣яD**9Rb׎AjIKcp `[aqyTL;~.z ǜWm,0==v2b!;PN l7̀w 6ԘK%@yv6e-wX^t}%?~9J4E+'ZJwm&2[aV'vw$:^W4[uVvMCΏzšG%?7([]wcQ,B TpJb"k~{6S쓀=H !4h#68yC𫋆 z {֫gaܵ)XXn+vv<[o@aվ2 헣z"T7Z1'f[Cm6Dv2\d-D/gKEVpDz \܄O?x㮋5#k19;yx\J\~zdt6|^x)뇟VZ'3Eߗx($WogO#:x|[ڹ{Q~,۷bG6Ŷ|UX+"=teVׇ]~{Y߰kM fF}󐵻Wv6Y8+>4.X%rh~~g?O剷^|)/O7]Gv<4V u+Fq3 u/"'t^u.}#~НKOطo If a)>p ӡ94b뒘vlyOf,; aH9+ʥ'Ņ#|h8ٹšk=8 Cz.;.}<}) @ZZEi}M4vĒrUf&(9X8usuÎ%Ҿ!N~iylE? y_~\Fc*螺N$ ?m1Ǡ^ACCdH-n ~g fQd?3`K S,{,H tGنJ*jGAt]GNnbki :I<eo_/{OEi)y兗qobl%^ﮑĦg:Vo\QXP9fǎx8Ό%h{+NO՗@2Nx F:=L۲T%ZK.ߏ-o3H76aA˫ kEdU-RcQl'n-[w3O|^iQ$*;to$Njisv ޾%x'^{a< "Q]}_ʓ sk1¡H @uXlj_")l7KGy1:I$g`jWx]o C&`uAr&թ&dͲn~Rniyo3$u}<+(++f?Kǎ_Ψ "[wq2 `n8}p= -oҏ1h ?-*-B}i~D`<ǩgyy9SZ~~4Kӝֵ#0m>"i4%߬Ĥg[y ⷯO˾)pXࡐmk藪KbeA MeZ,-<0l" ,TTG?G43dEAI&8P!BT>suZg<߫Ht}NJz5ZxWRym@ZL>3ɸ/ 9Gߚ8X?df.[TD;NPA,Alq,G3Z"XsWBB'C3x&ېS녁qh[7 wV7I "{6ˀ# 7U~kw]^TψCi9yVt*ء}x='y$}i>#U3Șv!-Ksv`/f8)d,X&,lfr)e8OԲvNaӮz͏jqvׯ_pyu9KLX8xxzaLϿ? >~7GxOw o#'phrjviފRӆTd(3ˀ&棭&*'@S gy43.KNXJޤGHZh Š ŅppH^t);NNxW޻a}f-^VyRCӛ9HrXԞCҠQH4 iQ?bug'gsI8(vg/yـ>* TlM9.8c2)%dy^1Ѵ 'Rɓ7#iZڗˢCkat NLJE5LB I*iqWgt1)vj+ĢG^Ĵֈ,ۖ[ZϾ$x6I?nOuƝwɥpײ'GM#^7m(j.VVKtΖ?D"NKVP 2n]v̳ΤO= {ݫCqq!Ʋ 6Kq]۔G?>$Ҵ\0o{IS# >"&.Xϊt Uٝ-ŶN 8W!Re{&k-~DD8~|>=w_2>|&c[\p ,_yi;.B4DUq󕳐kRhH1ܴ&4Țj]"#5 \{vZܯcK=bqo^Qv nȈG spfmutqZ!φUac"ʻEq.]=/^ZΓR VN[56]=+8`,~\RxV5J Kp"ƏO{5V. 
;s0tb[碄;X?'VnJs1O:T[o>C`5(CUY{ny_,CʯPy]Ҁ)`*I̺ v:9q9:~QрMk_`e $zSYmU"6c N݊XK?k$u$8 hߟ2O; \މ,/1س˟/FE @D )Ļ=5&ϑxrIN86ܼ9Dx<+sdwC{5V?鏽Z{-!+罍[p̍k!G?~9,Eym%^?s>6FSKzc b#xrn3O5jlXÖ|l]Oz/{1.j,QZ"6<&.o0WwTBV[FRo(I^mxw k޽ ;24Xź)QzO[ُaO~]ypS?#fnϯs'2;vաqO< ։R;cPF"cd:k1RYOIRRc!e;ν_ BuSNb`xkHO-֯?-ae7ȑ#1j(-&L@TT6@ B6HWJ$~zl|k-do| m|k)t_HGB3FN$R(VP*OwpV“taw5&J+;6h$4'sa}ᢰ/Gs4\.Gn7q7z'!Z2Czyc؅ȷÝ|CkqS ƳQ hrT}8XΜu&>[IHIIAxdjx@#@JF !&xinxj1.g1PtAa)eˑ}aܔ[_aFTǨ\޸f\29ҏ"Uêu9ƛ1kR_.pg^G\u( G{x8$2^+_FLv`sgs3޴'ʁ> {R“\nc?aQEpd0FnW䤬ridP7A͈T@}9uCD KaVQӦ⳹_a<Ł&>h.>| ~Dd l^2u@vc;ah˩)]ALde|"?q՗cPhj & ?|uջg߿J=@qL6 apk*5TДx:H(_^̣ӭ7܄T\=nr4gѷiX}Bqmw#?3FFD5ࢋF)3]qK 9::nAjA断(1Hrܨ`&4r;-HnP}%%(Д[,e䧚K_T:/u?h]ٝɍĵ!Nfdg G .'t.Wp1;X_5eMM%½\oFq@J*x̽sPXGF}ҳ˶~kyƨo>kY[ȧ'ojN:-y*?Z:qD.; fg-|AttlX|i"ݏx_vPE,^F'fB`")\()T]JL&*Tm|aC-ܺ'{ĬΊ&+ܹ%"AҸWǀ8렮ьS!"4W$R"8߆bWvbΎ%,i(RTSnʠ"2HH$apqlpRR!~2kpU3O)ŢU;pՌf(v 11cB1jXv9Atl/a/cLøGG_lbHgOԁʭ K_!׎'Ӧ>x \R'b##W;}05-iH TBߔhm&;CqL㮈T]!ie+Pq;lq)_~BƤT O_ #"Վ7!q6 CMO; q_N8DIZ'riҕl7D꭭#?y51Q:um"bIf?vX5]z6IEL2s5VN!86pWEN_ܢrx"5? yj+g-wTrMt9HȎO|ٻ( 'oyPKS߂jdHDƁ;9hߍE) T1119"Nļ2kf$ZiBu!yNˆfc[j`?/wTVVR/מh[ɥ "Zų3̞>[_YN1>$i“Z '}5Y`<;z{1,i?I[٦Af2{^6ۇdyQ+' #77J lpISRĨQv* 'Y$I!z_`Yz+=46ZZa!>h.WHH hE3AvhR;FNq {J 2U+!N:ORW4'~vJvEJ"ґbI<ߪQ'&ʡssH(j$CG!+r)G^\´g"Ͻ}^hryHh&9k1zzPo建u>/,_Snv{azx=18َnN yFC@G #/0nēu++Y>LgBQ^)|1\s%Y/*e)@Dh̲IJkq^5n:RxF oNxVY** ]966P$6t܏P*jq.BruRW uT`AGQY  c@DS 7qs lT,;AXrZr' Go- HLLD)9H V*#  M(q0P'?09,=wP$&x6u J!P( #%1(*ߑpZ!P( @[EDB B@!8T$&Y~uMPȉAT\oB@!P(=AKbҢclD"7H|[ ɉq'Pa B@!P]n` Vw hD 1엘cB@!P( "%1DakkVĸM!r B@!P( .rnEthV] w/-{QU]9_B@!P( .%&l/f^r9 mmnz$GbҠxhh3Nw~W}+ B@!3$&Zt FY<ΉXmE/=˘ P( @7DʮNG#p#^eK9q:z8z5"UbB@!P)Zȉ^~a1vr76{!=E7 \:9VTCTX!P( CFKb,86688gbM 7q}FV( B@!]$&L҃d&)WpTت5`$F'iiB) B@!.b 3\; kNUV-zmr\1S B@!>]CD_i3.)Iz_i -K9O\T( B@!@D79i:݄ƶ0w_CÑy9x ɉk2B@!P( 蒘hgk\K IDATM3M@e5W) I,)^* B@!c$&hX2/g#3069!21 !'"VSDAQ( BF4LܨZ]5Mx`_-7}b$zD!P( W%1hҍ,g7rƊ ej@`Sۅ]U B@! ]YƑgs1qشTbEڧ'骰 B@!P(BKb"+4b #!mDףA.luFeJHy( B@! 
.I:sN䧑t]8Dr"EwJ٤+}B@!P(GKck) B@!8tIL>"(P( Bp蒘&;JD[!)1(tW( B+ Őir#|3K) B@!8 &]BnsF믍\ipQKSA$$~$&~u"9>f4+ZzP B@! Z8ID\sNb"F9(A1>brMc[) B@!P Va_lkG0hMr* B@!p#!19Qg  k4<ԷB@!P( #bNbτDx&ࣼ B@!N=DJbXcG!P( @D舱x㤄DY*B@!P(=9Ąk6&Bn1a5wXh\l~4Hb* 0&xV <K9ٍ6L # [%_P{t'=F!P48'M1(8Up6b¥JM/ɨ'$=N]9\۪Qh@Rrb;p n8!:B<f-DNSxe&ZRR˗#..&L@xxFNmV/gڰϼkᚯW^;KW˷䳳@^HWVVbΝXx1RRRпte H)iJɻ!Vgm@GJB{"1Ύ K7cNƶr+,$''kH׻ƲQQQjjj%֕ wB G|zGLZ&m*`ٷOk)Fc/0qe5[;!ʱϤ4BWXBPWWu@Vn9Oذ#a=vԧݸYرgX"YV/IK/18pI_ į%-yl[ArYK-YpyVck.i%-|_{Fs©aZ&IO PP_ $yt&\I{4NEj߾}XnFPbcc<jSI./HƐ!C-b"IcCOGXc^F@ rvIJCe /0f!J|)kCŁ'>D)65\,O l'̞X-V8*1e3QWdTkq֤05P"0lkѣXEF ,^̚вK=x RPksƒu~pw8ycޒV-0ٴ)J &RI[78I'.i4)Y#u#7~6LwfJnTgt7VfnEYgNg>x 8m&"oGȵ+GR_-X}Uv0c­.Ɩr$ CXa'4y*<4b`Eu6{e!֭s0h O?bպ0anO?g`-RGcWP4&65[Tm3rwm j|/~sD{b!q@$c5ݵ^~ 1,VJ2OGz(Wy:@{$B5کAiB,EGGk:'r-[3HInn.-[+")=!qh?I΅ĊRjvD3qT5/oԏk@l㏶\%8'W8OWڇL|0oZczZ\srBy5Zd'=%Zʡ?y2jT+ԁ;F:,Xf}ꆈ K7/? 3 >C'BTPrsO0U!K<[{ܳ#2Sm_>o3aS?+il:{I,Xux!2%!^ ǁ%|*XH ȐS:吼+p B݄=oWnBE^\~ţFDYxDG~?(vc藘F|.3g?=5;sfxuHNNtD07-㯾!#`޷[9HvMRu*asQ6\~((!{'1%W /Ǟ>,ݜ{C-}X߄Ȧ,v2s$k?-WFB/n%_>)~&|֋XUdB@Sn~sAV~&^]`YfC#*i z\vb 3Hۢ,R>1&3;= 1io"dGHHff&___M:#~ZgNhm@;5!O-^8)-3SogBQ=U9u#޼R:&]9^Ä4r2, BW I,3 K-8dO/~z>jpUxK ]Lךcucb'g(o0Ý2$gn}=-r'-j.GK>Ok VfkЖiSBJxظĤ)Yo (%{e &1 1}Bh}< ߧ6ҙ 'qȬS~ۄt:-~F; I~KX3J9T~R %K9$&)# 8*{iqδ vÊI9h#? !}1v|$KC,pቿ;= ,YH=/<_\p: Әpƌi_C/ƣ_P9]XoQyJݲy[qͿ铒tk‚׾'8ЉϿ"0{zpIĪ?3_& a\E@|z?*kEξB4Z#zh?k.ў5X? 9{+` C#O7|)7܎민-n4\|BYyȫpCMyQmTNqxjB; ^zF GnKWmT`y\ژ$Gs[hi}!Mڒ>xr}N55%>Ȳ}LzPql֯ăI8 S}?6:c&=L[{Ycp߼F̜gÒ^֤ 4m6Z[Ujjm!nɤطW h%<7/]:'Tomr\|u[C{~n+] [a , InYYY۷fh猲uK e Fr<}h\:F:;g:VRQHB"3j.ALN](Ƅ#99vrJܱsVǎKڸFw:Xus2p3eF  mlt= [V|R؊w#{^Xors0Ҙ%s]?+(. ojl>k"B̨H |N!]CB^~ k18/N:.[ĭ똷:m'O9IRW?n5$lPMFf;,젫8pl[/"ȿOf/.Ǟ8qڰx{EQa<EG#0=}?^lά[:c>Z:AڬALDoFȃ#dKB"ԳDFf҃rz28Pqs Ɓ#/JaJ+?{Pg7ι~g_z ?.xf*|:{ Knnx7?,Ĕgw* 8ː6Q#`ú?8r.aI?XcNgr)% @AÂ%CiITF W߉k4:=8ѐ',In(X6o(Κ:|/?*e߫? 
>O#KBV:oGzʵ(ɂ쨫,q)V3f\ifq Sl/tK^ʯkeDRr_:8ݓ}]|BH#ν\oŬTԬ`-DuX.N@H6|O(͕C`t!O*cC{(vTxpq$oy3XmȪK5 |7cDP$ɳ_kY^q}(){_.AҰI7( K?7.543|b=*:%[łXSkni-Cʀ\ K>YU500KD QXela0;ݐ>`hcơJ4g?j8,u(ið~(+ȁӿ?X 7OZ:(mYkM'bˢ/~Wm (+*Fh\E{c[b|24b'Kd2v!|M%{^P ӧA}ה{)6Ygܓ9rMWt|߂#wu{1嬡ȭ'9i"%y0zkQYuPmgGLtV/XCP}%}7]ݎrk,wMמ^K1.9J@Yh`-?} YP28 GJB(x XgWVuP,_-L8=]{H.Ǫ/ w܋ &ݏA~zyW{sK<~ |)򦤃Ko=g*u}c&-m8 qRDѹ'`U# (gդ3>CIU?OX7ć>^2R=ﭭ_x Z^E5|ҹHV 7+1I2]Q! B ]Yjiofw(AHt')r7cijwƩ7PXWB\_Hr3s. p*(%YSDa厙uLSؿm3TQGB5 c`s*o'uABqڌ8fBzH|:7 g\gJ"OKC%L[Y*SdwŚƆrVh[?ã5$ ^AA1?%iE5RxdgiK$0CtP{ڄC[9rȻ$B;r&guvyQa}5=Zm|0gW7[3q3Y 56Nvu)N+ E K!ԑlr?((Hy 3/I)HIDATݰpBkZZuW[DH_Øx)Dcտ{qF}ȥt`3ϊAH8$j<'B<<#RTv#@^Bd8y@Z1n'?Zt]lDco^d]^^oߎ~IkǏPAOeYFDbO)ȱ K.ɓ5X)o\ :aJ؎i/VZj$Tܾy"p2-v+|XUHP}%"6մ6xʨ8ض" ֭ND{#Rc#*(i[7?[b:ԛ>rR"n:vo~|ظu7"#Z.T BcR1ad"veB`l6#s[KCY64x!o ֮Zʚj6x`q,/jKr|O( nB6;3[K[ـ|Fl zRݪSOA{iΈ[k֬3yݷ +tJB~Y7G%ذMT$2`ڴ0eB "?E<)bbT}lDf!w^Zkҩ jqriɿtbW8Gv6P|LRIStd+o߾};8%ҩU ˳^xC&6:;f-ݐvYti jTtrW1>#pqZ|4aw;fs2E>m ⥿ EuMKV%N\m!d_l3.?2 }v~ԋ/6lhDWݹOUF6pN2L,;DB.ĉi!S/z!4oM/5h!`¨{ eh2LD<'gvHR1IsIK'2n^ړ"aE ).FJ%MB׫E*"arܕo;aYӸ 3B@!PtA@ Qv]l[I! MoBTg5p*x3h|mXi(Ѷ-ĩ~m̼NuT =;$.. DU 6ޝKL( Ѷ<`KƼ/dw.u N4 M9:*wsΤU>3w7td2˒䣜B@!p09E&>*S v p9yO8\1u ^oюvnTh_H&"!zSN!8:H(dD?{""kW֎NnT v%&F1kۯ&4-,D^J9ڃPшC}=Ir`/2VN!8vȡbbcCBBSb"Er"N8ɰ' ۶/cka X 44 rrTS*" ũ]xBtILڋx[>jJ &cJI!P(<DL$99Y~} uMR!P(C&&+BFN'-y/T B@!pD рD1X%χ. \M!P(N,Nbb,@Њ& G 0;y!P  BXXUOI#Fzy:Բ B@!p8! 
Ȳ$k.xpklJJv4#%"WCIB!$&&HYX-FKCɻzF!P( N u)\Ik;Cd!%2(8P1 h9Y8,ȴ d~I@۴ifo$!!G2 IۭdU B@!PzH/5HJkȀJѕ 18+r$ Od0v,BVhV( uXL:k*"-h'0?Ba8ܹUUUDFғ%+YR*C!P(''^ZZ`l6m"Nvm}.@@&m7`SV>Fo"PWW&EU'O#OPPE<-ߚIP_H rb\뾚U:Ss$ox5!;t; n* BdBWEOC>BLOn]օēu XPQYKI&g#rb}n>r4$4&Fڸ kԀzs0L`2;J7& N>>>(..])A, P( ^OOOM?Cia1H[H[W/ǢKjF{^SU˗' hpy@rM 7Dcʌ^ Mfޗ8Iȃk8#-gȧ;8[!P(,11,CJBJ4f ܠY$_HJ}#0nąz0w#^S%Jcp6/2CcHJ0SU+ᡅ I0md$F$Ld#30m|)ѱR B@!LLڋh -BN 郤ӖrjfS&' Q(w#>)vfU q'ٹq{UbMf1R;uNJnP{D o"yRN!P( 8dbbppr=A]t1d)Gv8ػ&1C̱ NǺ [ys9"&#,'wh&ݗS'D RɯAr,Xw7*B@!P(zގŎ(hY+ED2wX,&MzafT#-vK9VXM Xdla0%=;sm:zmΜ)2$%%iԒNjOR( S C+dEdd$n`AxZm;R<;/.nQ0DF?-GÎ>eiG-|GMTF._ٚa'=cu)p%~2o'y1CѼc77ʹmk6Y1՟#@L `C5 ^' *EQ=Ķi|}N{}թ@4R}b lA`A+h|hYBɣM>Gz^|[! :vuUU@$n &n&IQ @L &wcƵ\'! @={,Jԁ A&Ai@|&>J Af7=F@@`'jВMGxs H ] U2!@ؤnʹeMnR7 Ҧif7@@@zGN۝shZ  $ |:IENDB`fwbuilder-5.3.7/src/res/help/en_US/pix-statesync-group-mapping.png000066400000000000000000003151541303637203600251520ustar00rootroot00000000000000PNG  IHDRDQYiCCPICC ProfilexZgTݖhhBs9sYr$H $H$* HT "TAP^f~_3ƻVwuԭv [HHfag4@(y)a|} gcR`[-֧J塼oy`_7WT{Ԭԇc˨;SaQ)香%U.$y -V֐666a:WtctkW 2 # iO23>dʤϔ,l\<μ̢r[V VyVW,l6 6l lHvQv;( Gty=h4Bqq}Nn~Q)kś»GͧW7ɏ/& $(+p[`]KZ0]SpU]B(UC0ppHHȖhO1i1?J'dQ %%,$2%%IJHHVI>"HIڐ!$|(JIZ._n\#! )EAR!P^"9%z%+BʆʙÇ0s:v8p=*{}j@M]-YmP>0(ИԤӴ,|ũU-ݡ3Kk[R[OQ~Aaa037605n61012e31m6amgܜ<ȼeajQfR2rĊhju껵u+Xa[m힝]{{4)GGNH'KZ#ZGy,<"Е5u؍-ם˽tlB{9x5z}P>>M_'~$~.~7={=zt 9 <`<;0.p*H,(=h>X)(cnHMȏPЦ00pHcnFDDMD GgF/h"b]c{?>w(2Vn詿s6^>T_bN;wx, ݵtrѰQѡ1q;4W?1q惁Z>ylޤ'ONM>u~wfgssE/_TyYJUE%ϯc dy[̻NݝF|c͚Z'OםoD~F|d٬ߒߺ{9ߘW>cG.nϮ=ý\/r\/r}}}}}}}}0_\ #aey{m$, KhXIRBBf5"ɌFЫ^\I'9 Mq>aI9!=G*5Q'<|U)B:<"H>jD I)6}2=r16 xe~CᇍTxUUzԫ4Njki0֯68afnno`:d`^fikuVюߞ99>w{ٹʥ5-=ۣгֻ̫ާ_m 88(x6C!iu,4*7r̝ع_ |O'y$$M-Kޔљ95=3x]ZV½ӈ3bYRb}9c9J*jj.]rXu%>k/747nh^񣕮MQwGRgYWk7~X n}:v|>vCG֏C&s\{n{Fm\싒o/-鿎|S{٫W>1nn\B`;[?xv: K[H_#CK})#@PHbͳZe+k;^z嚺F:zuMd7Z[۲n^jf葹ezhoZ_MϝwIG,Gk?21`ÓOrڟO v ۈNJIZK)JH;-`(DMա7U.e'ikk%igV5nLL"+,,7mmOG%#]PnD`D1'1/`Y7D"IRIJ M!NN!R ()?QP R)zJG? 
S0k-;*G7g.;2=6 _?@`(Qt[]f*6FEG())(;٩1,Z>Ec)~m+I@r G蜽]:ݽ<ؽO3o ,FĆ{FLӎj=GHDHIFdRge6f䴞ϻRUXy̹;T>QRw問W 65 ySu 衻зu'{nX=#7>1,9f&c" K~z-/w]^xim{]i#sf/_|[w`3vX#0 Ϝt2C~y~Ž-ăML`0?8$Ba3?X_M{~pw3gap1K?8''Ͻ]z?FW4k@38$&7CvypypHIHJ*֮Ӣ IDATx] @T h(sG35{a Y.%jjZ.e.z4{.ii.2q-Ӟ)R 3ܙ; :{9973w"pp8G#`XYKp8G# "Ap8G8G#p8G#x@dG#p8\ G#p,.YGp8g#p8G Dp8G#"p8GZ<GVՃj~>9GF@"T@TmPrFر&n/}Sy~Ӆ@YByqks\8G 8l>Vlg+=L3Ą!R*{ѣG9@߄GQQC*{_Lb7BA0b [hb'yV(]$__;G!O=T) anєƶ~E. D"q8f# e⍌m-|`kTp"&:Y{ 7UX>#9D>31!i؍Cs<43G* [&q+ϝw>=b-1ix:`v/a5\-w65>#0 &P$>ѕfOm8 |ڔjq "퐣!KTT\\0 [9:$9l I^ж"}uYw|s N?=hE"%!sC !zj?&8u &Z"ox+kIqeҵ5j~|VKO;x[Å2HS^*~mJpt*'ڍAmߓ& U߻_ތgѱ{?fOp>}O,$q239 z!/۷c{Ŷ=FV.U-ޗ#MpTSϦڨ<ǵljM]eh!˚3焮-q"5L]9Up&AZHBy xqh=y q?_7 i Nbi8L@vLϳWlH ׶)7&]gNҚL\ fuBui)֐@A泜" =i^RKQOFdN\vRHi?17_XU Gpdw8Gn!#;/çv¸'QɀZgrL '⾹W"s8(}bǥcfjFH;yCg s%$d$?"g$P\G6`ϭ|4 H$8=($s;YIr80ȧvʖ؉ c1 I ^<!Bw#(b_Ɛ2ɬLXx#G#P7'q+.},E#q-Rc!M~C̩ڇ{E2E7qE[ [['xY#?(BlVʒ:GI( ee;C&-0N&M\GR(׊H"Oo9@y]ܚ[eJoއ#T#ެ)WP.t Wu*?\y *I1e!+ImvV4sZY  I?0cߟg$@tlG* 8D[Wk1a.̚M+4f˩w.K6JJ/Bs0fď8J!J;s8; 'WuJ:ۿijHʺJXs9.$ϒ7'rB~remfRqI#0yNP( ll5 BaV=){CB0̎H: CV!xZ\ pE D+X2?\ 9l9gG`PE&]a"85@ Dp8Ղ%dw'4팹QՊbn Uf2~o1#xעĎ6q 3 Wx(Kax^>W[,:tS g w$6o1)uASO%xxN茊iq[0(S(jv$Fsgo >)ClPa%>[af)Ð_G@@ň Q`o+!aCM;FVM=R=~6DHqv2hS_.a66 b]X0'G0DFx^X>0G|;#ƾ|Z^g~Z=|eHs):y5!kp*%%0-N`xerKѣqU\v/G.!ՉRjA_<,yíy7G1"FP$n]\\0|pxxx#}gB81.ɝ@$CєuMT(;CC$|)s[S2 7"ny+~)i k>f[vBu: } Xo@tOi?~h0Gp( T*A(Zz5>'~O06dna#CU6^"_! X5f2cC4wP;iಉb_)D1&-ַ1c&^<Ia>:8=_ iI$6/҉qHPy5O8Ӧ#CM>eM'J DbE 1aJ%g*[]v^8'NotUw/ML0T1#<+t`Qfm2c}/}8D@a2)K3Wa^G榩fS3ptȟȺi8; .<~:|#4!`@Ğ P8L;Վ/Cu7δj%Rk.8C%#ӯ=(IЯȒq2FUMfL loJjo$0R+5¬B7n<eP͇J z_Fc0K&ًGiD@[[+Mf2ɶ5IEY`V%S砼wʂBUXPK9{a{aL+,, 3.Em|YE*NaFJ쏨.2m#R2PgbmxV.:b&-% ʕ#=) )4Aw\Ʈ"Di ,H~ G, xCd7G&%iִ@`"SPEΝ "Uo _>G`ie!T*lE__]^.ʬ YJ^U#)ʼtl {V =[D7{$lði}. ]5g&A;k3LG"_<TJ } eqD.Ch<bӗAZ{X[AJ jy72@~7ZxU j"&B9TRֲ*Z2?" 
jS5gB{bBp_K 'GU] (9]6;l?w zcp4ND]=cCk_ 9_ -9?+D##!`)2ItfOlQI1EȊ"e % հz"ྲVu U=s&6I OFiػa>'0A'x9rxؖ}s*V(3jYCd`@ڿ Um."# `@$jh6c7MF7Nı sC6f+P]'=iJPX@_[ʙ"J&.#>"75ƒbjRYaY/AN7x7yq| ;Y+9!;%jMmjJЩ D`ǥLJ&P$>=o̼KА4NbC+Мm>sVȔA.=r|A%Hq+ kLF+bɀhLrcꟶ?3zFߐJt>~G))qsX"_1XWmHsQH<rj.- qP ^;x!s<!b%b7Lχ!,=,[r84zB_(yQ(/&Jmx[¦~.eΝ(+1c*Ų qyG #kBS8gxLC|}3rLd&N (^Nt ;b`:%0a"D%H{BeS4AhXZTKGF0|a‘52ak*uO6R;sf Dbiም"ſ?5tf.EEH`Gf|*cE}ܙ5W(QQ8xs&ϛ{A l ƽXh*ODh$'@>ch3%L'ȷ_$&396^'}eDotmY˰t]<,{Ri)r~o%rC@|a[F2ؐ!ECUMLIՒ"VbRLZ*@VkHa])MCl#G,Y<T'Îp:zxzU:<\Zo0MtI(?:,R&LގJ9O*ooVht\ Q$dp=2;~1N6 -Hu•\ & 9IKō,cۤjlji#0k)^ig$RَMX>? g-g'9OZDwF.b$Y=ؑɡ7ˉY[3:-GEѴq7z_::}Ml[P+W d3HF~=sPB sqdPf 6ESSN4 ?SW۹q8ag2h |rs+a{ ,{%Tr5āq,J D" ;_v2q1}FIcr_Fb VH/(ȷ' 2 KF’q=ݱ?0'X3؉q@ !y5-+`IpH?R97KɻBCا%FcEAX!?Dl]viEaˇxږR)Rb`bFzð)[0,zG6)swnjh_k̡YBi6vad; >ک\.^ Vu!NCgGK=& Od4Wf钹SWYw[LNm$|9ݒSVYJ&P0ח9Z!G#PW(4ct_ɗʺj[&3ܷ&Y/ݩ1{cBB{0}xwpp1N# "Pg{~">r\c w& d6*l"%cI@ $(CQB&8h&^_%$?:̹>բ zAx2ǒS|ŏ8O :ht%̟He^B2{&׏MW7ŝn^PzSwW|C_Cds!>:+^.۫mP(_:rWqj*23U$y:w8@m 0*0bo7Kn2H`̮jt} _ @&ehCləzLa;; c‰%!U3<Y͜EwL[lHk ~^tH^Qծ<T1}o"h= " |Ւ)PDyjj(13d>I#NOmdDZ6Fn%JP&q*e\<lĬ1,9 [qĺ|ףFeN~u7z&5beƷg iva~8Kֈxa#`"a(v_l6 STЃpc2KZlE1Q,z =Q{WZl_p-96w*~"ffrcr0t61@QWMƝ$,m;`ˋpNyJpnf~L#G@7vNu؈Q~#!htn% yr h+GD?D'# GzP^"6O*}-Kx=[`·s5]!ՌOfey9-?f]|h4V@ڤ#h'uvCk]!PG <$Σg鮛|N4Z &\TRyi:Qa\cE2sdywJ''@p(koFa}:{bccD#QHGg$tm'q <2F%m@ 6k .#d `1 [7!!|p?:/_gsmE2vkʿE"kޏb)t)&b`"فSLDUSq`;Gev#*Q5c#8Rl$,YO'pk$2KZoR OCZL$ 4ڿsa9\xp"ȏwcHv6* /b?`!CIE$rɑ[zlxc7!;5Ss>+S#*ĭ],( X0rTjd ٸBADɷq`,@/c#%ccىSv7Ԙ n;/n9&!nL+h & >tS4bIl :pކ7o:`%緕t0a:`>N k*'ޏ#!`1?|߭ƔJ*]KFTzzdbg=Pn^"0W4t@+Xu}&/ N ]>&Ac rFŴ7>@2Df^Z+(tߣ:zˈRᗘOs!8Lޱ 1P$ ,KpU|k]: æ#khp>!===Hl^˨C3~̜4H*a7k 3Oţ?} ~n&^<C7>:8=_ Yma`q5ѭ!Hyb7F >uj4{˻Cou_ig@GV8j(u &coGIIy|:qdOͧ۰ŧJC f2;{Yi.~.^)ÉP0XM F1r~Fanhu1Cȱ0C3' ^EGfUS!k ]c]*V(KѨZ~=)?O,AVC~oWUgMI ʤsG@TG-O@ĴTWXrz3Ʒ;>Gb?0X4effBBŤD}<]<MgLSY` >D>8v4U߂Os9sB-&յtjm$Pa!JJAV>+EzkGȔ s@D""E5LA,L0F~cqIʈ58<=ç] W6X4H%%PPt-?ҿC[GᔨMUjKYKu0}J@~BQC]0oFk7M6f <{LAc&UEQ2/@yODyf$ΐeO5ؠK O\'֛=@]D"& EUBQ]̚m(nBƛyRKұ a&Y*!|kAh sݻ4Xha@F 
/Q􉜁Wb̲5C5zz1KFi2ڷ=02Ah7C)M7 k$j^T9L7Cas$lſծ"N#͔n=,N ߂56ÕaqLMnUitC[&gCo@x2љ~P؊$ I(z.[@@DA]4 ЩZBF"I(9m4e-yO托0"M)&8 Qވ?A,3d&A$l4NDk;Ph}gA4*0K }v.^*I8OKOIJs娥C7Bx-"k-ӌ œ0*Wf높@DGaЪA8]q ;@pGRh> >9Y3$5p82t#02#&G+K$m81t$`p:[3$s.H2[F5*x ^߫ >Q-ˏX@z6$o"ҁ5dH.]08 [ ggt΅!xϟXH6ɌHɣU%PKA&L'dݗ5VF ʯv7~a?y-WĦ}KѲ/Ztb@lI{BZmF#3ZvLKĈiF.!FzM8Q;?< ,'G6Xhի l|H3ϗ5E-yHI5A`P۔Aj3zwƌ㨖eeIE$VKkqH=zZ1Ծ 6?م/L^20jC:v/!y~x?Lvj%ڌ?3 vF=GaTK9q8ܪѢ(3f2+MU2U4u8Dzs#VL se3˃A7t9b1J^՗`eXN"Cm[g"Jd`W!AQ$&DNj P~t: +kc*X/?(G~~S$޴/A9"D|QdƢW? &9OlH? ocV?T;oU@b?~b3o13E8U"d51p(0}Av6,">e-{JBGPE%>yW/eӇaW<0mA[Fes㭦#fgZ^!Q)[W֟Ȍֻy9~`ZSNC)BnfAmC7kR܃bulo%//JEe!X$k 2ی7(zAOچ9C;l݇W@ѫ Hb՘;XܳccYqti0a|w0O ?x(8WYsQf쇋^(.(MW*^\ VQh M[d~L<QKaش~$vM.'d-tnׄ'#3LGBo#͋FC]DqzMAX2?.GA5EO6{l103d R 4Co<'\Cas F#K9N=gU>/߈H 3C?ƊSk T:DOj ū!Nqw7oYdJV~GNwuX|9qnlS: 9ʫaٔ FSV-u4 UExӬJitcAIM iֶV_-33x&3QCw6߉=Aa!C?ֱq&Y!ѾC d&?ADC: 4^L3Sl.=H N&`YSLZ1kL "B[yjj(13?s&bZ^AhVO ]Z>E>P7)wnZC&hOƽ ̙|#PCX@p)Aޣ KCYa7~L('S}!ʌ`̹O@r96xŧ~31!1b'N=HpH;hτ?΢jkc jBh+V5e&aaXV+RS(fHOoj-Fx'c!gP>/5yZՓZRB!YF-OMIp54X<,R z>9<0T`$Qd,'QE[NcWo|> Olƒ| O߹(hXkϩvi퍌P(X [6D~];u7"J)WPUڲuξ-S(P\I" cCh*b&$1At >3jn̊*mpטm#v( QH{* gƾ\ 7'}5lM0~IpYcƜK1d=|τvBBW(:x]):GZj&]#y4 %۬<Wܯmmm`G'G89RQ总e&Jr 1אFXŕ!sB~U\˔#ӡbAxsDGY[ Y)נj?oc 4g?ir3(P\3qL5{Go ,YƓI)S}8Յ D صLT_#NO,#BAg2/鮁%^a(t/ݿNl :>K7T'߼O= ;͟ЖaDZ2TB99{6`V%")QUoPz=M&?7_x2 u| GˊܬE58F/7b&f`BH33 j󐱟x970;z"z|͗-w՘ag=iN^HΝpCۙ̐MEnt,(2@'Ϯ=FMA+G#P-/ H(~wtLo)݅A~ӘJ(*_FCEʬ,. 
H%8FՕ%hlX* 631GlQ8,gޟ#4O4tp8 `ůǥ?}VDW^V>18`D|w\Pҷ3Ӈiʛf!DV= /č,$QG R)%5c p,6.V >,ACW lD?Er5\/.j 3vw8BhwgyMȏ(]N5v-6r n%h%0g(*V YFv U- uyCgAnNHO2idwx_Ev6:DK>{4/5*FL;u#x0Hxߣ‰J rTرܓ,YU lY7zaBo3uf/ ~ Vc܍H<\Tk$bgIuK9zY``B۶&0s܊3;J.:ZGX]5XYH;ʑ_ck:TXC/ԽHq|2vLQsO8(0FM; L&5;~eߍB܎K[&0XdżԙIk h"Pɽ SWܜ4D7i|HCD/j ǧH4ߚ'gy=K WǏhrMFޯfl$Idme_&[4ˌ{g(lOvvS7($6vnvԦ ޾YB,ˎ Ʋc^Z^^> k2Xdl ތ7(rv 'mn' %vtcZ$Vc.egN2Ҷwi0a|wU2\c߃ݎp Tɩu>mIx ` G aJ=%`aL bH5zyY[G_ΖG7xyCӚg[2V'*bgLQ!Ԩ4K4bmz<#_U2ߟ?_9j.[>"qroU]aGd $ CL:N}NEuVV6 >hVowvri;f$Α_1]*Kl[ޏ& %7nzɩaXҺzQN3%aǘha1qHC.WJ`]6v y%s(W#@Kc•z#ɸb.xixvD{=Qd<ڇA1)ߓ}h3U2m,sKDt|8#zHH{'(kkH22UcCų|[;fR,O+i=Rc{A]98Ci}6*`R?|H\Ą Xɸׯb fĬ_GN"iޗkr8<٣I># DE&dB)ޱK1\ŭFGӹM^,3C y)o¼~q?嚮p6՝Smv6Sqb9ÄyFDbh-1V_ \/zR+m \g t-UR*j*^b|G#zxHn[S䝶 .~]Vw5A01GZ$Վ@.3e:GqUvl ,D!b;ĞݿJ`3mgK I[1Q!;LfnZd A 9McEtF}ҐuA:Op2} So6bU@.9f{DLk+:8pKkZ=,MYcђC&hOƽ ̙b_x1O'ODzvm+*$zqX,eƘ5t (F7 ͏y?$۪#`j?NjbL3ڨLLX _mjܿda: hD>9jъ)8+V/ᝌD֫_s}zEVd熖ɓp~z I8IBףU"`qQ}+ʞ4:`eD%1Ϻ7”7²"%BUm"wjȸ EѰej[TѵSP{#*b! *JB[ "W҇HP1蠘 d'1jgODmލYQDAc*l6Sx鹸/ %'ZVR y9 ,nհ5?0192_"ke=L_;8qF rm%H _Ͻ4`R}?Cp_5tڌmNj=!ljM4F h-n+3smy_C9Npr34wo˨M.,G%ML72j4/d J3x2{79oN8  !+T^2?ir3(P\m C0`x}3vH&bQf"Y[Ǘ130!$B삙GŴ<ڊx970;z"z|͗-w +!Yr?ܳ<^v4FLmN^.' 
&;B0id|b~e}e}݆7tʱMԌ5XؐHC7Zb.Ugc-%2#ՔȐHa w0 y  `ݭ;-Es D8Z߮AB^ՓZMl)ƚ5k @[b 'GGc$hH3fL#w#ͮ #[/@ ˵YcAYcôYc/ v^d )lY_ԝλdI,f$z?ݪ\E:gȎ'RHsdHY9P rի%x=B;A x o>%xb,Yj[zx6ӊ@~@T WaO4B111(bdn吤U6VmEE4Wa´{nK\ ̚^je>.&&"WkW+3p" !P55kmXU-8@N|9Y_j \F;o~An>rЇ9ыgqm_E͍aeD$lG!m3 k4wWc&3 FOx 0]+M{Sq,Q>K4jKH6IVy Iɜ&A0dҖ10]7D`8<$ \Y Θqp@5w2P - @8B5۝5=EBƲо(m>;e}e!o!n|҈64Hv!,6}|=FH '*jK /kglj#`YX@$F)T(جg,Y"#-8f)Șі#&AZ4sնSl&*Ejt'hG?JZVXE0k=l>2?cP' E0jdہ4e&-rvib%vRiHrJr.\в~o$k{NFSϭ`8q/Jy;rYY, N^vM Ԕq(yqL&*{[GD#MzR}"t<AzP a$yDW7EZ9˧z ߕ7Wn 4F,,3S4W PPGڡJ8f_"ËKVijM0g  =R2Pgbm "1K+ KGڡ8Lll)He=ehC9={~^C>3NZ[Y#y[el4 "Ŕ qQd`WD7] \U~EST%*f*4oJS)M%4+I~5 SLS?STHQ QPgfgwvم]o3wvgyg0wYOԆXcJ=HsFA#Dhׅc}e쫓h o$q+94>QLW5N`MB)alw^f3_@#8B7Ycz5@w| ;8Z ;) KaX1~O2H> z6w"E͹rnr!9ai2 BbxB7ЩZԈy8FEeF3!|ԕ4i_cvh&_1o!STht^B:hm9&$J9mD|9 ey"Iq6d^\z.{H[LwdʋQ w@gC*&Ƚ,)7K3B[b}].WolB3&1|GxN?ǣ01q-3v,̚1H5%k,^X_>&pSmc?7$ƞ%(8؊BbPԻy'XaC0ěB,MBqil "ÖbV䦨EalXscn_WB\ bҸXE_޾5X9~ZdK%k6h<ƕ?O\˞p885˂;ņ "3s{oMHŠVb jcE<2ݰjaكtDĄ"-oa~ :q`Up+IV`V5ڴD4h2إlqWbcfa"70&PI}U{"#ԙ8Xgu%G[\n;vQ*rKjITTPkukI%6\ K$ g #;/3n aa2.LKN1.ɯz?o t5ebbAtl18 84\´?#σպ&n"+AxU=~' țLM*ճ}c~4ո;h֋7<ºR:;mUhZs䱹, bl5&04s1& Pqzi-؜"6{a3o`( hQYT fIO5(ͧ!b %^lkMсZ IIb,.4Q=_5nBj4jzn[i{O<cr5xƟT;{?DZrK}yNB 0>#cz>4а_V}|j{%'N;2Vx=yFeݿc¿MU,[5;bcD,rYpa1ϒz8eɢxYcr@ .Pyhja~hxL -g|=,93Sxڨ49!UBdvl- `ɿ Fĺ{PHqE|h 6Fyqco!lcдH li, RB63'f/y$3!RHes2p?1LA<,ŧ"5 )HI '59ŪR]QdvHOE@|Lr I]%W\EY =fE18@jA 6zBYhæjx2D4瘕)hs%̉DeSxڨBz0 [L.֐{g>Nė$N&KOT5dJl[@=X)3H;9r2 'zqjNw< IDATz0oȣ1|6XBZa-̛}7@ nc~V.}ρ|8!;g%yo1k"jnڠѸLB ㄣyg]T0fAwi9QbH%M\OQ]UW,Sf0#V xC}~%C-+a/la^B+0~$яBqEt8*T/Jb)1Ʋ+R͖ƓyKmp-i1%ˈŶ`o~ja]{ &o̳NQ{X4o6x\x}V;k<+j r$rƐDnXb<ЃܶFCfֶC\ Pٲ%Pl Ҷ CIQVAKzҡZUcl(bBɺ5GuqV}avxjN`L.|B! 
t#zFW}HxiE e J=KTfCb֬W`n}"iLxZƾZ=Ed/v #QO*^'?rK-Hu)Ȋ!Wg -m4C{=BEu}[gܩ[h֔ ⯽yk +ќǬ_XҨg!255EBWv9Ɍ!4lB1Č+oXgI*,,u7T\Z*R666 n&\l Ɩ:XOGI̖ d oS0*\%v>5^Yay{:dMT;.Y<+8W/ŕnr%l*{eYvGW՛*3K^RML?jH/|`kaMSdO'WgsFQay5!ƃ\fpnΟs_5Pc "'綍\=S_#Lk!?A‡JK;ws & %^BLd4>>Y[X:ŝΌ痠wsaN/JlY .|WZgjOZD( V mpE`i=l9.nCݲxW֭5 .-d)KH- T!q}h$yU?YŚj[pQ1*#n4'Niz/Eκ5gkZrݬqQN蕙)\{VTl,yB۰”%b㓹ܹm-LYe3i4k֔XR^՗ޞ[7ʛ]TmŽ^hDl-zsa{ 3L}-,m:|/{-˖cqz WORQǖJ[Sq%һњUWstD]v-L1p0qъVG ?Fq!~Ԁ[#/S@5&HЕ Zr鮐[ʖQf>gHH pT-2Kkی(xx9D}2B̖j:"e {Ou#^%jW,gG`qRQ-"z[[ʔ!2Cc_)ewr`'8ʳfnj:iY/$s;Kd.GI*ϘW^?^\$K'd^#2VF.@ Ʃ=#5 bzh֩)oe@#^Ф ^ R d4gO8~¢BB0uF:d>1#ZC*SVCXTKl*Ԓ'K%GG`3fbK5Dh{#ܙٮ&0=BD,O Gm5P%S{\6.O|S@ڼͭ%cKBl /e, ڋ!srտЬs rkIYcoEX?gl)rY2u(foOE N2Bq[+5P_j܌Zq@xNr';r '"NB%\;͖8w,CxX`!=%&#C`K%f` bLK`kІDlġG̩Tj6;*O/Ҋ<+cK[*o H<H㢀ŹdQb @z]M&'\ȆXSOj݋LFdrr }ԺSbRLU@@ƞr>Wb*EMv#N)۳ 2`dCƞx#Ip0)ᐱ) kZ#~3Q2 ): ،N)Đej>b9fR;(OBy/ݯ[,bikРE{D IHH[7q;11׮H=v{c׮0[dR(_PP" "sɐ-1@S\AF%K[5>3/Gtb^C75&peɲE3[ʳR@-u,Ril/"cOsЯ$gl̥}Jɒx*#]MˈUke ZV׮ihrbV9-C8yUmX2Z|!\3#ń{MD-!dN @6:ЊM!dX22]M4A2؃z"cŲxdlD‹J>z!cm81dlY9;Z4`fh/~B2d'[ cde}*-ɥҞ36#fА,YD@q yf:u\]_ę{*o{c $ҥh4KPgj,Ã1ʼy!co#FU!c$N _ A<2Vb'Űw{ n<2v&_|}~0d,9r[3D`.!c؃M/!dXuB~ܰe2nE5=i&dAlX㐱iQ@%  CkkSݏS^s,="3dlV"XC/+zf$zt`4ڮmIJUZU[;KjcK+SF7k!6D<'Mfǒl̈́ߑOۏ-C^EӉ*RV8!oۼ ^ŐɊ߹^Sd ^0:  r.ٞeLF <껀X?"CJum)%WmuDnS &w;B"|a"LTUۛ)ZdqFv^b/oᩑlc=4눴H&ЅK!c)oHš[³5/DF !c˗&fF૨ VW6jhƫfsvB?}gKytu)l%| wzϷQmTe#c)^ho {]Z.j% > !k hVm(Xmy#cmp@e=fr1ːe83O}SuhP5y(Fٚ|uo䇉٩HˬF+Izkfx8٩I߃ʷ(,1 NMB8PCM .:q㐡ԍo; E^kd[Zfeΐ-㚼j wQ?{:# Be6l5 j*o=~3zvh "9-!cO@!cM[E* 8wۍHF5ESEA e&$3ZZuЬ?c>qXb9)d2vh, ~_)-+_e!RC@\;jE3'fb ,CCV~2*ucI9T5`4*xGV,cR)H1RĄFqnf[ʯ!$Ɵ/2ddNUVsRSC#,6'd]Yp bDǔTӮJlŪ1ZK g(O^ʼ9P") =;U2KrEd7]OT E;2 #DURHZ4iT^[2фV닊2dqXfuvv0B;ʔ)x\35`4* xX/$"[hPS˖j)TVЏZVim犉T^'?BgZj}VK3O?&8FNVn Z^E-1h0ʮ!+U,v:ET8ګ58Ԓ]WmhYk}>E{j]'.,FZ#|Ai7BL_} [2jhh=dp E!ަ=G[O/Zia"EH}ݏ9VX/2`Ǘ DȘ,,!C\&te'g|dǎ/yZp`E[LSY1͒ܵ;'~^FdIh- t9L"lۿKܱ?UKE7Щ$ċ(#i!:Q5SލpÓI7;pd M!SܵXzR>>Ư"y*f#c1cJ9-5 )"*ە2K@H{8|xq= f2@?_ǺPW|;F^*2nAUħxbso{AQp}8\<+I9BFFF찴d64{[Vi6Q!( 1NVbW8Yb ÄϷF)pent<F-ݽE36x͕2ڠ+Uued(_o;,k`mAL,1Bzm 
o[čbC6!UX2gߥi=,+~Ƽm7}l#q3;OH)k|TG,wxX~EzVBƅ"=`|\Yߞb >@ְz }޿)$@N";xh%n,5!7>lL Bq5Ь\m`n[^do S|)}[bv0&/  JtY+r+)'È`8*ChAI'> [sAyQxIW|44;,[Txb iJLi֐.MDrd,-= L6CD>S+S"x:ô¬H.9=t'cs :ESaf|z2@RZٷ\%˧ kC)+wuņp,j% 0ƕR151ŧ/N(jeR̹ =b֜1=K <,BF2(M(L,,p)rr*qnE^9BҮ Q*. W> 1s1/v0#[fgv,ŅYG/}0o;RnXx6l4EZYdrd6/yHd0ɡX=H,;rSnۡj̟w?9Qofq*KcƷT Rqp2z]\|`|Y4IflHO)LܻE%pALj4R8uh;i)^ YlY6#Ԥ1&qq23J-xP86KQ"928Y`B3XZ!VRek6lBy2jJ@ -1THeܱ&(NP $5 M많)O;⹛4\M{3)]rVB?+$"zeOBBnܺۉd\s#!/#?3y7 ?&L{{݊b5@~bKZkVG0C jpsWJe`]?,]¢],1DOp`h!y6o%3O1Ο,AJbLGtiMO wEaj-$I>k</,6mX؏qc= IDAT6M% ſC0\in؆/d1-z%Q9(H|>Mo%'Mz@*[PG`lfb*Iz7#!lMQ%!eEC/%qT%O(,Bе{ԇ9C66aßk(ː{IN7kf@h7V (#̊T7ToaGw~G d'ea4,|+O?A1VIp3_6F̹rnr/9aI?b/4cj HZ[CM:RĆU.npj挦MVд=84-f ig'&\C) ir4!I4OLGvrAp8Vid1t9y>>zr݂+gYY(n#WNOb5M{Hr0bȸR$ێCVԗ3lu_8IFrbk) U3^U'8zCS;d[6[cHL HS]GjC9ZTҝ!l@S,V,Z; Ԗ sclbQt)ms(5* \T{|1:n:>ub1+x}3jiJU]yqjllVzʶR9S}U#Tg.H[zXPDHPT"scn_WB\ w(&[E^+^%[㧕nj)|bGշb|;n/{G)"]܉дW̠> oG#7" +ZMF58v1}$nXFx1C˛-+o߂bpnt܌ȇpeE忈[IxCZ5gg4@yN?oY̅c!/e{,<k1Y JqDmg9WYUIl+883UeʔeXt v E^#Ånt=uˆ=XVogUϫ#acf%!ҮeEF?miD sqaZBUv*]!%ٔ=o DHɯ{q&&C7oߡ瓆Kgryd K_mC/"Bw$SS/ox?ki{^E[\O ծo{z1NGώdsݣuڵ ۠+dZ0^ek Gh|S5i·{Fbk<2 )Bz@]|p4TƢLK ̏Er'4[;Uۘ_GS\fx#.;$DJpHIBjewGh`|ӬY؜L^ʳ MKi)K?-R7gRBq+!V{@Y2ŶYʅ.oHJc)X3:V+tnQ_8i1&h!3/b{u b٨3zi>%qɧ f7aӏ…*5а_V鿏ʚ#%_a!%F"8;=4W).&I0F]"Cnxkf̳ /̧r5ak4ʹ D\"6)kX3#ޟmzѷ =[:zN 8yzr:X I9l(8ʒ%A6TS,'_܍)ِtOؔڳH} 7҃'OaOvvv"#}h2>jo~B\:zƍ5C[ÔbvH<{#WI%U UQRFM)Cj?ioOFޡ< zbu[п -"!<}2g;^-ĬEaŕrV38!^ ?eElkZZwB;X8Q 2jjbv#$Wb|]/xRX(Y[a+197ϐ1㑄U=9YG[ &doJ0XKeY٫CsPEUВxtdDII vFH Ӣ<YòZa1VVC&Nlz5i'F[MMH"V뉦 T7Ɩ:Mo(ܱ6 -E~ԟ0\㍒Bs6S_w n*u[1 +eȲX\ՁF)nDZVT+1aE=XjnN4eDԽDlyH%R١pKɡPMF$ka: Ԙ"As66hACʥBZvo +[>G;Qb⅘hJll.m3s38Rl%* zA|*xнi*P[³#rl(ŖzD-UՊƞbc|Lh"af/a.'Q#ʼc*7#z]9'Eh3>sӠ'P;^^|ل$K'$ޚdecK^5W6ʬqSiNM~+)B&xgo@ldBJ +aϞp/\E|S7a댾u|bFTK݇ I V?U%/OJ cK*c(͘U-|Y7qT^3U&vNpxNo(𽎯^Q5~^wy /6x,!CL4\UwXt߮T6oXuaK8l / e, ڋ!jsJo~?tL}bЩiJmzBܡ`Ɖ `ii [[ճC=UG*Ԯ5C,YVX ѣdd8ԧX>ѥҙ$$ӊgSFYYݭ\F=S\HjyȳtVl)z ##1%RCYxT ><l!dY_-8s/&'#˅e4k*NĶФ #QϚuiUtyI :whۻ~UϦǽ8 ywBb뼭ÔN҄ɺQ(S,>i1!3$kHVN$k!YS"Y-(& Y%hQ& 
™Xp+ڙx`@ukBUo?̼x2'!!7nD\s#qq]°n<$I|AA 2f[*cLs=m^M~Pj\Y0Wpl~_YOylzbhSh@Ԗ±}%]ODo+ϖJ -~pP`K>N돕立C JP>c3CH0ʛZCH W^hr,fhڔ>*$k !Y}EHVƚ̐xsS]H֮H  $A=bY<5C0_ЫCck] F TjH[i۵ %e1sU h"!!9FeF$1eItLUB2w(J4xU5z jZ|,LY}"Tsf{Q=tE$ҀѰi cDU=9O/7TQNgT +_Koe>; ɚ~#wUB %dƯ mdآI1^d]_6 J3l"0oGd}c&/m,Z:!Y?En2zZњ EN 6qH(BFےd„!d}5L)G)9X .6*O*XڨJ@6*}x') KTil gPe%]8VSF[je\4Y'' v RB*P-a>D?Nw,hheaH˻e˕R8”!bCGJ "&締ոQx X!Yx$+tH b!Y M#|&>@W~~4!uG2rJHVOjI n/M CV/db$a\,d%CV@*17jihոKbQD89:'j1%x&i/`-#Z ]_Qe#Y'dx=1$)n*F0C$֪*a=ЧP C W+d7UQզT]m憌լZ$[Y)x/e 3ĺ9I %{h3T#y}ʞmT5yc:n9q!]CrfK`RLHVK{ʲOnn =dHT$p6OHּɪk^qLwf9a?!YOfAJ!%ܚj9 nyȳʐlrhE̤ dfRkx`@k!bk7jjxK/5D.Hx|OYyp#89GKHIdljqr7Pzyme#YO51o&Σ)gF{!YO@!YM[E 8wڍHF5ESEA e&$3ZPZuЧ?c>qHVV$іDEH4p&}KGQ7oO=g {u /$θ5j4`4*[]*TsRT +1aQs0gdS5fN܂I7mYY94"lq)RuP=fgDϹAĮ "F!Ί_qF"p'"Y@!YqIĚ!Y/Bnюd%H=T-!Y@jUhu#SfOq:L5|=EBUbHȭ,#ۂ?Czރ ; z7~N1VPmw٩385a*NeȒ&GId2DlHbn_q]SB{ق#'Ѵ^#>lNe&ۨ]U":T=`Hִ*O(de'>z_tI]8$!*-ۘc@UjhUvY}I`,c-4VeKX"~$1ogbeRN~5D4D\R1yx-1%:pu*0j܊Sٲm0n/BL6">x↜ڧEy--xMZXKc5l̘x 5CS^'6͸?-$`~qF 5 4`4Rr].A8H0{[Cqg? 
i}W}Ek4-L0H6̱z=THO >Id,<#yÉAdiٱ#(1ȲY8i`|>1U`%9s-pvGWۏ+aE KL ᡤ]%|J(s(۶ۗc+/vE,P,+(O&߯;li7@Ǘ1h^BލpccA#ghZ/!ғ"cJ_!r[HkPmηqlCax65Xp퇐'MSN71t=% g?/35VWS )bht77!;U |gk~Roɰ?o/%=Hѯ`:SW(ՎQ{i@Ԁ :AoK%zR`=zm^A3K[FiKXc~0«~9W"x66q"i7LyY5sF"Y2sQl!R\[vk+}+sБb ÄϷF)pent<r~sl'0k_\V+$ V/D=%b;yڈ Ex9~Pb3}_ًkII ;Lp}{Ԟ$EReSjRj n60el1HX*)1MZ~u&b:Z22Pmzg{>S➖&~H]t$n>.Y Ӫ "N5Dӆssܾ!KZMkpW~5$Yaz*ي n}5|Tuɑ8S/Dbv8[DK<*3kŽ LL*-q1ZaS U\ E?2eqx]CjWx iX4`4R (ƒ•k%,ѨoRC[=fʧ~-s$}kaΕ[R$ŽjS(Mu4)8|Cd>T%`!Zd|R˝`Ba ٶW XJύXsAU], $F!±Sк cHhG݉Sc@3sظ z~}\++\.,?nRI &9 C7Ieg@nm;tR͞ ~"bb3J{D/8NeRqbt, _3Yl7 a-li+&gϒxřG)zQ/b8`Œ}`#ˉ9H 0(8 d8ٛhplk<8Ŧ*dM2c8*k|Z+d1D+ $P{"K:-!Ng}t3H̐©C;t*XR751Ż/A>j 9'&#Oda_/DXSzZ J͑M}\j )'`6+2f d{o,)tGi!ZtB*5H Y2#[e 2C0.M-a.'80d4Ϗ1j\Wz7im,e%NܔE;)3_ȗ5>C@[Ul=(>|]_s8 nB!Ci'9]l:q9C5{U kSm%2n=h2~A6M 1_sY8|[C[?ŝIYX:= &ŊiwӏptP̩Udhͯ' )AΕv{Iȉ HݥD2Kʭ&:)zaê7g85sFSצpvU_8k0v?7ǐq)]ːNK]'&_a;sfvZ3 -n} `!ޓexnb?Ŕ)lfܯ> fjimA40y|9nՕ3W(n#WvOk1AKaFAV r!Jl;AXQ_ΐc$U˩"/#ZA6kgjOmq Mیշ<ޔ\lطƌ@^bs[5jԆr4H%cU6)CmGrY4k('yᐘxclbQ hhm"'5:7qǥ7bҎ`O]Sc 0D#S]yq - @ecٳ=PM=Z "ÖbrSM!~Ӣt@6qc\^(xk7B20Ťqkk܋D}k`SsM]iG$gpQ} K(vʟȷ;l'x~<w"+oB3s{oMHŠVb jcE<2^nXFx<1C˛-+o߂bpn6x1ҕsD3V/ʇX ; @e1rn2rPsx-3IjdH84UŒ{ j;1j`ϪJe[+LY:zB/5]O zOQDWoP6,XWu}>qHZ} pC *´W٩vqކx7݋kD6bm;4|Ґs *1T1 -骤ĶÏ9_CZᦀ~v)OJm".;Iᑸ2,} 0cȋݑL^_Ju?k1-o(H瓬@d۞^dѳ#<5~o4kv~e鼅ɬj:21}S5i·{Fb:4jEv`m (&&:z4ӈ 0|}ZtePLCV> V"WY/ o0D6&Ci)Ǻ5&04s1& YԱ9Yf _i"+h ?xt<2^4geZ{]95wQby/(K&xZP;e鼅`ROgkגD>d@%h [Hl)A$hCE. :=s7ZvVnr=:Ƿdbdx"XiJB–b}w/؁QI>B\L6c(<7!s75l3YVO[NY(1A˘*:^]:lV eޞՐƙ,xטxYt3STVK(fhp=JһÉ޵EU/SAA1BEQKJKfkz{hMK-˺,Q&V]K4RTT$DD䵰;]塠g,gΜw{f~}`u=SrZs,}|)l+^\Y͘]/෪ה6x# #[VdKYJBƙ dh/W U޽<[R<223/I[d9K+ W>|1R͉BAז'Wz=u Wt$l$TUUae8jB- SJܩ#\プCr[ @-w|͊ [ )gr^~~zEO0_D[jSfO7d:C;LjoTčɷf`du"m:Ɇ!.?M&L{̌: 4]=јedxquZ&ר:1 V^3n- [,h(Hfc;B{_Mjϻ)r5{WGQ7'~c[aK7 ڳv$U[ԝ+'q⡳Tն >M]=D "ͪ:.Yb&9zTw21pd"Yd 8X}$-O[UGuNܦZgȨ p6*q^,x!v.2zmn{k^& >2an%}%WPE?uXZ"uMY-,qJu3j ͑fNK8oC*++qhm"ʅ=Ocn5qŲM_[s2yQDKQRGxX#JqʮU}B? 
[{t#0C%Q}]9\o\(!8tn(\":D+s^_GZ%ߓYBU[c>!N'[^~W\s!`\6Fn×[ӫִ$y@gWE]l}9&C^Gry$H(F(Й[U 1.Lb>YKػ0{_C9*/ϔ#fb;þ5`i/jk-9726k26X5yj<&+u;xa5$WX*QBnZu0^`rTvG;gQ~=0x̽}y}fvL봖'8Vwi2qR[ ! n <ۆGDk&A×/e__5kM6URDD$;tC`J]Ǡbٕ=cҷG`5y_=E{폗¢.XGq~>]B""=i\}] :X3T~) :<[gvj z!ܷ6wc%\z ~eB-$j#n9#CFlY~<IdmT #bл o]F`@yc2MiOsYu;$u{rf/zk* -M]87%k6YnlY@~*l(v!PJR8BpC pqA y<` '$* rĶafReePH;XCS }bhTʲ(fV]I ۆLdJў4 L]UZ|07s,YYLhR$_Y#2[{NS}M_a%~+MY?yde d͈#bWP 0Q2I8eA$X72K:qz ..pul_5vep]N] Ֆ$!MKG'J+J?)8]I:tS[(&<L];p{C(:kl|>Yt"@T] ,W $WJz1UWʵG!)H,YR{v '7E 3䖬0w`òv1)u"!szmnT(!+ӕyu"%kŖUZN#Kouvt-uY~dux;V^^PӖixÝX23 +'  " ߋ~ ӋƧ %!D@~~> WRS"#S"Jv97۴_r-xӑcl3)K!`jܷc$N?;^6v,5Z'in^1M3U.Y3w2;U;^v/>oG;Z}ۇ DHf-mtDI֞.S#3<.'p[ v_ZV KVZ;g^I#{afK/iWxab ؒu>o$HS%{[NV@ި;yl l<: uj_=sWpI ad% V?q1 ܹv7يEH? K@& K,&r gvbUGgA"Hs/rzTWdWa냑}ai+j9=@/0MzZ"~/J[]ӷdZqY&Edɚɒ0Ka7T9Y`anB!V@ -]D:9řQyO}r&BMjeWئ")NDx;3`_g/P7il:y+62o5%Ӗhxϐ%:KVK,YsGfɪ2d4aZ>rK,YMZ: KVu#ut3֕j@"zp┤ m'QaV}&ĎoID%D`|1d"$Z}m[f/ijO=rnvT2?fJjXRrKֶz]e%+kdɪ: zr|4=JL L9*\_)]*($ ;k7ϛg0$cce1NY OmJBeKݒ\u3[V&B[UXZ5Uf, S0'ijΗA DA#k 9{%Ȭ$&D_OB{WEdƛ,/9xQ<iX+l-Y.`dp GZ,Y̷dsg#-Y%dS,d KV`ϢT!@jb irUM0B%L? 
]c;Gɭ3oUa]i`UtY&}$;\jC:`j_Z IDATQpwpHƯk6m d d]!dKN䖬le& ֟W9dY&,YbYy%-Z2bh{ ם+kBxh˖E7s#IҪ !#5PVxcTr59Wvz2NoTB&iY8JsJʐhXn  ނlh6d]fU:[S%d%,W ؒ7#KVӲ -Ymi7F W; !j#1hO Y%،U 9v~H/[߂SUTrCa.y]<O_0?C瓈cpz]Z3!*Ӕ#%7)=`%.c߱iZ>r=ҷ%]SA _!,`2uL3{}dx BBh?|~eiR["mB־3wAۓ)S>bfCKʌ+ )츇IB-vfu_3=Yx#ϵvͶ=Xڋk!0 AHk4T̷'&[?0 ZA`Vqs8n+ﺑ?w FkfG{+1vhWX#낡)}}2  h iiJE?`HZgvtcQq,"A#Ȱ Bi@c4T,x@(RKG+ O9ŲB.G_zWZ !osv\{isjϵ 6qJ?x8souMTq )~D|/7?E q-F| }(?l ntHv| xid 'MOp&;??/[}X $Xb+{蔟ۓ|9\Sbz6}(GKNv5㈴r"I]cvxc6P,0Uw'8VgAx x@Jrs7L/?OCt@ o[+TY[GJg.bڌr SΛ{E͇ j3mMsIRĖ٬-Q `aqwO,X?Tt:;!`Aʋ؝;?NbE:?5ImUoaiiFQF&ш dB)0}Y 2ml9hU)#hq#zW3ocGLEVES_SeFPĻ}F™pI xFU)Sёu|Li14G5R>QrW f؂d3 la}5Ctn _{ 9M=sWgXd 6OꤱOH.AwϞO1זa+;cW͘DPLhrăh)ml9a"\*.G;?dX:aD-e8Z !jDHZg*gpu:\mʴTTzW]FSsR 0)Z)'#3kgX KIAɖ<ҖZnnnK2o)&j} 2M{!es2IbtWuP+G4.-Lz83Ӛg=\T?#CD#!@)|xo=mѾ71_'rBtruw(_q2.)hortí!JPwG iQ#EA(Ø#TjWӥNH/Ɨ?jDahPLIl< v^r"KM$ȌıȘDvXPXɅ xWʑS\ VOhrb?B9;TW4f1؜[RG9Ú/kmsDJތuQoȫؘ{148~aStXw'g-~M!zc#Ux$#/}/F/Rљ_Dp뇉`M:$"%jk+ ə6W*ՔawA,H'LobCv]K*+]ܲDr JJڑ?3a3ړaep?gaSaԙX|=dXR"1I>- X:Cﻍsʨ"2K2Rq wErv}ݯȬ\32(uc.M_;׮'S^iV %@ʶWrw*Uc~r~'T"OjRuvoIDspėI30$c?K?؋k^CGn7C,#i;g|48tbG0l7']d;/'d{H*:MGp8ˑ;Cbx+)[ 9<ci\CzCρv(a<7Ϝc5J풪b.=*"n[~< MM1DL׃:'CZP8s"JH Nz{XwM^ߔ_dTgo NlG/G9|aўjG vzraS ߼Ғ9v su,xBUZų-g$w &Y:र~hu г쟤i-q5X <߂FVoˬT,IrUO;7 ĝ}+M%%%PTc^JY5Zz=XCi? ZLlֆVlN"4vRA~VƣCcݵIcKV_`W_#{ }0X2aIfV<.i,X⣣NlE9&ݏ$ݺX.} !jfw=J>k$뀀!]BEm͏Td"z;6÷7B/!x2 e[ $hYnד;-`Am{;aUY.)Q0#ݘbk翛mbd3mi{ bdDFmٟbizeS?('zImdwW*J"`*5V-g@H,DvPrϢ@MNF˙?ײQeKVu@=!|!6<6=$2dԅrj!I/>;whO-+.6rWH!+I ?W~ e1 "^oU)mFGliP@at.i!+TrInu--,d@FzVQr% _v`+a8VI[y&>VdtϢTRA! 
)1)HM3q\J7' Q=Rz*)Z0ߵ-ʌS%}辠(y))SPVMt$o/5.~`|Y9o"O)s'rDIQ?x 쳅e j,|>+Zj1ٶwث])/Ŝn=0As}H$#^rƣT_:GAK:DR$ZUo30䭾/#R@ЮTW!j H\0?Yғ:rV_O:ѵ.ӝ%˿ ),|t.ϖ$,{Nz۫fV8i~R':qJ"pѷ5ֹ : Ajo!*WkGHT ;tv;mdky|/] Gu=#> n@^,FM&B֎{Z/2}se"䒷0.Vxt6!Ƕiڼ˰g(A$}YU‰P,Jԟsa]sH;7<%ԟ-6Jx,V8tI]⭪ai؎8ɪq^,x!v.=+Ŷ&<3c.y_]½n^e\KF ܧVUJiesȕdH;u~=nOŞltMxk^&6)0̒%WPE?ƴߺꚲ~EVu [:1j|j7ZC*++qhm"UNL1bYѦxʭXd21EE(S[X!?u=b#pIRVVFqX~J:鼯zACq{F6hXOV:W]OM(,h˨\MQ%_WӦVzI~s4Pw4ݼVX+* 7<yUo3W8BOϿO@] hd56qII/PCóafReePH;XCS }bhTʲ(fV]I ۆLdH+zZjUYIPWXnDrΘe[_!^qo(Px96,ze{|۹VdDGf|t|g 6y:7!*Eښ5+c119 tI~X:c|Wc# ؑ5#% yg;eL 347iDxј* pG\,g; %}5UM}5ƳU%59WK )FN0ѹz"-(N>+eUp Ѻ91I̎w}PkWJr $Ar 1ocXOOO 6L*/YbGKko;ے{1UOTRr5Of'v^uq&DaI~(4;A yjd[m}0O0l>mQ-7gjMGi30,G+j!++ "6+*KH˿`,Ba!!^jHJ&SɗLf'*~7FE/#(**JxeV#QLhw̎b=<<+OěxQZ N< rD|M!Fn!^x?+)F'eFXݽmy|W'Ny|M_r{@!{`\>xrɊ Oj|$N V DM"QA@A#At!X-Ƭ)oU\cԛ"<ƾxeī2lϫ0bg|> M{WړO2DI>MۑLظHN'8&Ab Mz21JVA@A&A@򈹃CɉmD;K`R%hFMvf~vnKbԺkێ=ٝC!PxXu59f)Eem,9J(:%J&"Ys"'6N;j>xvO!r]wƗJycV+</,J W7ܝ*8 =|?rg?M޹gᷣSw+q X6]"vikx.Vn)LƧOkv_2 D\E)%m;A4WPJaM1^EaF>OwC40#gaC潨ػc? 
: GZ:ZKEIL/%` 4%X9*>>#{P.ZDAo_8O8HIO"4+;Zc75q11䤨1)mnw$|ܩBmMsIRĖ٬-Q `a!BS^j,HZ#wWX1= A1L4*jduH yb U̘)$cx݉'|մ:ڝE]6ml9h1SGP8Gx75D$~"%6ceuU lʩ#W=& !f2!^nL:Q_@9^ o7Z$%Itǂp5 DL`L| qf  7(Ao.nL$Z8;{;,\ݵW}ۢ2-Un{|&ޛ'm Ӆv\FTm}Z%Ob1.:#:IdHM{LLˢ<ɮ~2qѿ"SA@A `_uql25TM.6qȈWپ>: ҎmPFahdpCT#Hd(pFx,+gb{5jPt*ڗ^Nmcȃ^fE#aٔ_F6]Yq1UIR/*xޓQUqZ^PLj48H@mJ@#1z L?Yt%*[4ДCSp$k`Uu/5حT@DB>-8Tp$}\_,ƻKC?| Y?PIDq;2VaԞ,ViqܯP~c8Þj?0Q.Yx1j'ѷt{/Ana>yq.c;W((Z @|.2 ._kTV?qa閟|v^}U(ⓥ_UU%ڻT2l=%h¤[ }/^Q4>Jdz:-6`|L?sa`;RrǠlj4m^R]f!leܤ!btu&cz{{nPFx| +Z{?Az#( ~1D‚4C2(F2SD?[c~8U׊H[iԕ(~=⍊Cb%iR&>+W_H#q]~l)  &:)GwwwL8:rs "ƒ{Gµ~II T* ,77+VM0mT>}[X5yI+KY!2)  .OQrZPg24ݾ;ȫ^њIљH,CҤ'o"tmABmY_Dju&2$z0<8?OWv#d8'Qh.-klC|d2ēXiig=ak73xiM 0|@Tj /ZWjZQk&" -ЪюlѨ+pmziqG]Z``RnDap^Q䷇Mt֕=> QyC2-3B$&2>*n~ Res,/eB.]ɛB@*"&>bʄ.%?,iQK]KXX-"-.#;M[Å>bOGyeNS3U6hR*4v m(f<}#TV)*#"1 "B$Gz/>no5\QxfO8癆$ 1ؐAۆIʑ[TFTc?ŭhzY:="z f#hk/kͮ ̖**ԠDb)[}g"$Ȑ.[f !2U9QPB$pK[fb"G "y4YLD<Py;Dݦ:o6)f W&˫S% `@X-Hĩtݥ) = &\pV M6*rnpe[R$&-~enȮg::Qgo'9HkE[Fҥ)D,~|n^ v7 <|"Vx.iʐY >|d%e&p$ڽ=aJk[HE,9ށ6uj; ߞP-{TGѽM݋PCLlI9ڕ"\_U$;+nJzlu%啣jH/v[QOAַ'te9*Ѐ-JVRC.H>%ZrU+Isk]bjVUR86`ZūeUg?3=D|`m'^k/_pv'>u24<[:OD)@7KzTP ^(Vђ5![[[K}'Y$,KY.MWAIЮ U5X| {OdU٠J㓯)Ѣ[Bd=Iʘ%_:ԟOZZw#JI HPl0rB>Gk'AUQ [T'r %Rd^kk^/McĹ[Ñx"Cz#;[0nXGhrG//5 0iijÏoaH=&CDnv>*H o|x.C|bniȝ7d[ebx"FBAA C{)j@6 -t vOtCOXBJ O0 '''8;;W{9LnG"RuwwWt,0)Gs'/>5zjjTSmS*xbu/Giڣ 2 o4cV]V)LJ{/u_" ǿ;`+T|_ 2oI߉!wO68v^X4Gw.F|?|)*\ۃ=JS~usJR'"!V)2ć%;ZN OrB؁7v M@3v8] '!i-[Z|K )bbğ>vݑX'D*5-:3qY}ϥˠ cԉlh+`}M~r)WHKMgeVM mD_Iچ^q#Q>)iZNFgp${eo *?Iؽv3>+N Gݧoc#5>x08~FoL E*g 7$J>޴EH.TfĈ'R=&˓ Dbr9J^A#Ц jѵmKj Ʀz]3*Hņĵk;z"G7VN{F 9NZ4n19hl|.M<12] d IJj .qx Ӷ](F;"GLJ8R=_0}( ݉ q+F/DNٻ@,0|xDxIյx X|TٿlŸ ZJVAF9D9sń 1bňj5A@RGA5 p hئw}tLrY߲|`2$AĆ11=X:C pi=ڙjYyHJ,َV\S#}q !}/jK+H lj6ehW{E_oNIВ ,(>KꄥƐ@!Q+W `9 y2 O|$ʙ$h 'A,BA#0CHm CZ EG">բ\ щ4B[k~_6623RD;UtGzTG}9*8% $rCmD9vl앖h>KڹKVvƒN͸i袡6=)o/Uqn=kſiZsDJKԈz) V TCAEɓ('9!* &tD=GAC޸Peuwd>.=Ӯ%eJ> wÑxa7Zf:zP}߮+o{')v"Ue|~&DƼHgɏy|1H Ėe=1IZ73Qć!t8x /ͺ~0>.?'FT%Y%)^ 2(7J&7q)\9vEq'X~hjL͟@C^0X5&%$qfYU1KGo3 XLDϙ B$H 
BLB$R72=Kv?픢JVlKt?o-,>X#>ٮ/]C3Z<쿜}z{i{x7i Ɛ\1EwAiX  5h!S$1q2ቓWҘ)dH otzuXt;1w%e!1 RG.︃n?\إHwMq 7hkMq ֋@߮ E|d#zr"JRx?gϱ3,c# 6ZSk݅똑EyR ѯهPTFc +]+(ԅ@  (O"1鑟szQAFG .6SieNy3- 1<swD.*v%z=ҹ&yB%/j۩&)ܰ4 TBI!A ʟ~xD,<cDѺcw-BC0dh k989(pbk@| n#:܉> _mɂ0 oӱ8K^<3a9?F՛"'>ډt Zh6BZPƩ $[i4x-C P]7|?'Dz0C^rbgѯTƨuUoDX*}n{P3LuaU-OY{"֣ذr p!+7|`2-ҋ/`z(M; lR & @|s_=VXw[fd,V "=u#vf~kOcwؑ_)ktXR+)o? BnND`od ]?/9:F. 6;eV YG]1vm0)Vcn`[ mlڸdo;xwDc s;/ԭYs[dGvbeI7?1W]aͨX_ḏz;iRq;%)vBڟ2V!~ː_Vjd눻7e' eژ-3щTe] ;_{r,9;:$Uq0],f*%R~ hTZ{Fņsc/GQ8&mX{kF/YOkJVJZ !j]Km+Fk`S BnGHk@ 36/[S+ ꆬ&D?gӝ+=7h̘[f5rǰ1`ĿwyOX7,%Om7;޷5#h)\Gz' pgǟ@}AJR.(FB2V._RIn/O; ˡle-3&>=ߍ",KyӔk-e5GC-j㎸Gpr",zr<^݉QA#:lmZSLJ0ϏZC Oe [f}r#f@Čwdž_!5G M^VMZ !CљjM||.'EKBzA+Сg% 1SoCkrAA!͌@gL6+DZe-$xLj9ڼ2o 2Yے[?co? 0y@xò#WضM5e q$IEی6pd)$(YV@h(W.p ]Gnq{[QW֒3p^n۲~Ԑ.ęKIw8})\;୪DȺaw%pQU; 00(( h! )Vb?Y./%~ZZ*j%[&K*** *20!۰pO{߽}Ӽ瞳/GAl9R3i0@\, T(bMz1 Yi,DO)+C!50gB>rxbzZukuq$6Z Wзd4GYMI̤5>FH͙'El>W Vct͖#+t,gܻ2Tt %@D:DN1؍X0r[Ahӈ!jDT JCau:6\*S8'q T'6NH]1:m3qޚYO]f>a&7|4VU[~Pq1}5N>,2C@c7!Kc7i3M:vͦVYӸiN4v{//2Hj+w_ $;|f%o.01Z=Y 0t;cc~Zm4uECbY)є'RcD(nFHL`c;KX6_")zj/JLau.ٌ!(GJG2a q7v~ Ok?)h0>T=L*黄z9R\zgR\tVμc¢Biie?4 ExXZAq31;_aa!\O8nǦU? 
nQ_*bݜX >Gfa6'Kc6~`$=WDS!)HFGZ![#KSR `G,DBD>N/FOUrp⣽NF~9=|1,oVj0 `y, 33r&b0ATLaU HA5UkoH`pW1VU>lICk&b3d }kbex#H 6ϒ5K-UD'yU=7hyo{lE-~%6i~N>Zݾ{1 RJ:W<g0%U5%V ZF]rV YLril} w&|K&)xƹV}NP.kSUهd0l52 @r}n h_mM]0@ Bl-=:Vx//^8I@?1b05-lv@xi(|*s4l[wkͳ:Q7Zhrj^2V*CCCakk WJ>x,7- -!=݅ޢ<h0y??&}+Ggan`BTE.,;фQ/f?|S?*`c YTA:u*҈O"VAfM_y㛐c+%ZcCoۏ/:p]`:St05G {L $_A֔!ag!(7 TZ6{]9 6H رcg!ӫO0vojN?}4ҭ"یRN] -Zq e#H({azu'uYl#9biQo p0x>D""8?=8)e(DŽ=۸!o*,##PuxaL4@kA7Ft3f&`G Y+WXtq a3iӦq~Lu-|8Ng!zϸI,Fmϥ8?.y3gAEOp'6|L(W 䓺s_¦s(AQy/SS/a):B [W?99v ݹ w8z>]hd6l:C>} \%}D}#/PXZ6i9P==j_q翩i:Y61Ḧ@xፐp,tÜBTp;Wc̞16t᪆ƠLFquc&.v#h/0^kc1ݥ}rS?nG;$O8a_4&* A)D,$ Z#`/%/RVJ-gqkͳ>zYDC꽌 J St[YmWɱrd)Ϩ8{ %R=Z]{ۦ UFTq\b'U+AʞUy44&UDJ0ddwWI)h'1MI, vmbݖI`TuL(L{JN<<_؆ &L]' =Mfc-gv53MKP]fr?qD*3ST14^Iτ$ӆ UJHxdM6)4 B)D:0( "0s :: ج ɛ>ϋuKqP7[DW6itnE%("JQRA:®R&jE,6~gp ;3݈OCm͠p)\ Hp Y8y1HJq>G›xuK>&"JXCcN٪2U1'hB4Y >@ަ)- 26Lj,wGPoI>1жm[\۝3~jU2W+O|1 [!HFmށ`7~?ZO{`NJ|1 +`WAD<]Ozߝ睥5-H|ZO'[xwWl?!Ft]B Ƴ&@S#ljI @ ٬fu7Tg৤#?( mホyIcme+ѣG#J[eX>%hMF]Tnۈ)} Ĥ\jCj AQ WLOHNW/ل&m 2%DT:Q~1.QZ෸HyB]MZ lOf Fq[u9 ςƮ`G0eA'r۰*EŶv9?˔V["B2#[CB_{߉Ƭ2 =RC;6:9ׁGe6 h 05s4`M]+S7d`@"Y\8:eN܎U:rrيy؜p9,sfwD Tkju3)FbC.5+ڨg BT-ܸ5 zzzpR<vI!oaKe)!]Yw>&B)*KZd4m`lG>VPF`p$G,({be`i:5%ʭ;|G`c/o 9$K@np\* ɯG\#jO$Xd5 7U*^7ke4_x2:+4N 鴋wB OE=SæS[X8Vlkۥ ,YK )?gjCܽ];wz u1/h' +fv!O6[N,/D T3=G|kFi&MKԢ&`*Wx(6o{lDBa$֌o~v (Tz +N~JRs\غGJTaAap0HÍL(2ͱv3WCF FC)D5!LqGOa6^zJp+%BK̥׉՗]PlgaIɒ<喙JDs7d 3<<a/o7YݔW\:c<1`XM\G& IDAT-;؀q1WJ sJn,  OO'n+yَmGsX,v*xI[ "u!9 p>)uty(Ulg ,6!Ṗ p-@KDn}&^= gE( Gė}崄Sd(Y+&hYyp"CE6] j,&QP_b;÷/2wL&V %bL!еo B^n̥Q *mmߙy)+/Sx,уd9N|Lqd H'b%@!Öqf,N&1JƘ7]~Lujk,j {!f:9r5ATrԵxy4 ´(}29IJ~KdN8M%/*D>DjORӌ󠊐|zŇƒ^1Q#"Jö6ҾZ^j.p7FdZ9U\BƉ ZX3y @i0vgIlTo_q*'.\Uׁ!*KZיέ$q"Y_իqHJlD$掉=xڗ~rssQD!C(! I)H}rCy1HJ!xu5ũ, dHCrV#9ɫE,K9)i$-ϜɈY0 GoKeA2x˼ X CQ`FMM>|&μ"^Yi 9dU'0bMGgs(czX9Y0Qđ?GslM *^INN.ed %Z*DhO6%crO^}q"Ha4Kz}bC>ۍX9~*Nc@᜞˫iQZB_'UkDA% ~ ߬7:{srqVgGUOQ)Ɯ`^¿ 0︽&hmd5* D!ضm*l/Mw FǏY.ݚ'v3I y.oQIk<2a+ (9I޲,Yd.]e˖3f̀5,,,`ffH$#5-3MY! 
xsxa`{Wm Y8Fy~CNs&&"K(Z(CtbIA؈̡ ѾR+ذ FMS|65C@W} m,'rm U)-yp?~$j5iwp0qXC` Q=03&(,③>.ĺ6B -&Q-M`,L!Gc4.Վci "3C[F4&i*jGe Xw@+C)D쁳2B`zqb,d BSv= RsQŽ0ֳ# ܴop0=}.촳U[_aע֨- % ,I\J\\eZt"-~IC/F",HSkD^Sy) -+h0 QxLLH@!j7NLx! ~L:"hk-GI$~Ϲf\](!Q(Ts-e) E}S41Ȕ )Xnk9k? ~H"5^X>6x{rK"=;^ zUt9C!PD]¥k_p1uP5D;~~\ŚiZǤ_*n_(!A/*Ys0*xm$ٷLKk4Q&)=y"9]c*FQ@gރ@KȹtF&ᰓwDO}wHA hI/MHr2'FnǪI99ҏlEȂGSjR$}8u(<{]4cB@@0 @Dq6M Dl.h =inI6Xtl:#ImE:שPfiqn"vUk47Z\EĜǣ$s_م?Atn9W qsoqh0s̥^ D0KWGyc#袇X3r6 >1&dDq%8_GqaJ*QrG!:} 7NsF@E(L8e iHyלW1M˨E " p^Slg¯*oQm3Mr E lҜ6eW_b**6ԃ^mx1t,yq\)D~,\Ξ=Go՚lӡ}&0#L<\;+uʍ$o10Y|7sU:ꏶpDl@+%9%j7EۼlǶ#9b,Ky ^RFv|]`'Y㺹Xd:‹<*3U5 K/+4lS!cκt9B.݌TaҒ?xR{)n} -DT=:TpRuN)>C`vVt1a[Y Bs+~ڃɋu(u Q&W" IJ"m2RٶUk*LOFAyU<kAB% L3!{iJiX[|L> zbx*QcuZ!Cts0ik=کk! ^@ȸ$e%B? BrMS R1%TIHȋ(>i%`a, u2+簭n ڨU/5s8#@ @⠥BDM5zCBo%2V`4}ۺcN ^mvQIL"]&.P\vMI[pV~8NDz5Iw-114ã@Onn.c6D}%$!=)ɷOuH&qbNuū?p-NfANۧ!9ڑΜ"4sgd,d-[Y9eEt% &GڭL vHG!2 )O}kկӢ3% 4ln G3Mb=u*+'+tf6c99[[~s SS D jKH)9G<_0v >MnDl@x>zʼnxۆa/R 5b l7cx8-sz.Mmz^K&bE\ ZBs͚kx3i7h:r8:K;߿s/2J>D3,ny-[-s،6ƶ9nemjnB3y AzN8R}m<{ DbQTT|d2zA_m6۷>cӍ*v&mw #0oym6wq钘IT Fu幼EIb&xVKA,PrbeY#3ZۘyUXv.]e˖3f̀5,,,`ffH$#kle[f=֛!Ъn3:032%W$#1)*VD>|XE-oC erx+M=(C͋c0Hw !u|]m{2rD\bbjF#O8C!!"E`0BF^&; 9 ZTLq$Zzˮk K1O<c0r<}x)&XyS[`%C8Ja~c;Ш&1!]^Q>xV0Ԑa W3ٮ93RίGæiiu&L!¤b</;u֤m:^'q1z XF=`f@ط1$P!7SU]:w|»ڨj9hv0=2&0C@wXs 93@Qud.mvIrFC솉"O!3NF?S4olXBl+LGSn9XfVUyɴS- ]G a4NRzz*LvcE)D"3*h!iSfjR;rIĨv<,Bz nz.Żm BA"n7mP=x| ~>6 4H$3/e|!C '[$GyxClb_(+QڞBoQbt;fn[4L!` }8X9~TZqAUjllD;U(`jkYDSwyG;+kC}lʶʮFN#IU7%lEʶf I.wo(HISh8ג(ۇW!5#[ #0k̙G"ӎ~~|9nv /t )D-e19݂`l+r啯STl&~D1?IGRN=H+){[ ;1 +Jf]|m!,1GDD4v,6Sv!!)Re8 o"<4xg'+.ȢԥQZw EpD6I$E|gx7, 'J1q;5<9׆Ʃye)巏au82Iqg"UO:Ģ>}|XZznx.ćK_G0ܤؕ[ 8LN2p٥BT 0!94==GxQ< kmWV|1i*C226%|˜WHQP i1L/Aq%2V!2Eg8 ޣ0=(K=pX:?8y,> oe4H%x]FLeDGqʂ?< !#l4(w'1g{p׌>M,ee ܘ{Sɮe0,<` 4 ì[MycWp)CB48ϥ8Q.^Qdb\D [An*̕صbBT1.!+_0s8OA[]*ϗKz!$R:^MI[}SbE/s?}|q^"I7y1lMt<ۢMaNjki[q%WaO0BHη<<㱂k<<$e"ncBl`#{"Diͭ7:ڨń״ ݹmnqqlu\,UH]Ezep+ߧsSVx SXC! Fnj׿yXէT7, )I$#(=)Glm<ۮZw~¾?uE =khNoֆXn 81ͨ#0 9YCH&X ]? 
E۰_KUN$w_MW dzeXpCk)/P LTM!2&P 9Ո(FAfN|L>YB,.%ip>`0w"IkUU `h> C=WR,êIrv|D=UʶpԨƲ/Dn|r0ԆjIiaq~vo̗p1Ī}EnP2T#4:")vq[Y#8sρs6O]/1@i 31_'lS4,sAL#C!P:୮/g!Wn I[IZ8}ϩŤm@c*ww#>] >-zC@Aɍ?<şm'e Yx 9qcT̋qfQ$d-?ԇ(5>)I)HtQQ rRҐS\sX0$,+1ɜR^%mL,W'q.gd,I؃dlXyp ֫)G1C!PtxϵߖI)u٢=L򧱘D|f`ڹ6}iV3)8ֿ߷)rez|VW:6 d3l؆o8E'xt-bD3Lo| #*A ԐN1]Fbt˧Q^K&d8FuL"!ou.X_)FG>hʆǖ5T˾Y`1Ϗ\$5ngox_USvxjEN,LJse'v1cr`m Cd"rEz>qyO򑝝 l۶ ìC0kiHfg)U_G3, U#@Cf;BHsױ g-I[՜5ʰc($&)Cs+冓f-+ v Fꭼ%P1Ԗ<(dgD#j9 U͜M̫[腥Kbٲenj3`mm  |brR܎z"f!v!%FxPIIȿ~%G0䀿G^n:sRXJV4F 26wHi[,-F: QFR-!nV UKb&ThoTSets^2꾰LBCy!0yD]Tq=ΰf S.&Q죲m2:W')>U@NzUyԴztG?le׆Da^t.豱 @6kURr((U|niUx\*)P\RVu@@ NacVӭ:Lņ!0W)DuAe0EsY6C1~)8-hӶ$WtИD#k`m C0@n @c .(YЦMŀ8jZMc6i&Pu, <w< ;W,UV/i7[DEb iq:XY~UR| 729ku1 Z @W޹$}}Er "hvׂ!Ma^@QZK4٫v k9DQ}g=q ZK&;-C^:A hu \.e_#4kx,->M" Q{ʱMs#z7}AT8UK?_چ[xnnl!vUH Qxw+ڎU`Ί:@%_`4{\o"vVE,ΪGr2A IDAT~Ĺz?TΒfҮ(7+!#K#x]ݚ7T>ؓ'y(A*#}=DI޵!?}# h riB"Jɔ81r;VMA<,f1;`Bq|h,a.ɰ&x9 W>o&p^ǐ/=s""|j'KY#!!^n3 9xrڝ$JM=i,ӃK?*sTM 9~^-SEH Q%ʺi 68H4xm`lG>VPF`d"bEScFGN:"Oxzcmh*3ڽDq4Vu'ál!v!<<{"cȍ>/b^ݰ, |D+I9ށ q׷C5 7U Q#|ͯmu$pї(Cԩ_ѕźEN( L!ҁD`&DzxbiPFHOz*z*\mө-,kۥ ,ksK`'IT5) L,{QR\bϋu믑ASkdŚ 0^1()3SmuGj* Q?"jLr%JY_T}E M(̔V"zݿ?.gϞ|{C6`ٌO`>JI&.vzKhťӘ<<&vJW@N (x0Z$x(<=,f;- c]?'M+%unm$hۋׅ@+}ŬJ+Cɬb;SYP\s^a z D\X!|c2Z } {nS-(|{m-DŽa;oR)g?t[EB ݀::Nj+} D6ddwt@[fY92ˎddGtcǎ%KE$MG=Q%8AsObnU‘57B !R[(.!~Sa(VoU~19 JS!Cts0ik=/HT2Ȝȸ\yoL8a /*D>D@ O ^$QEȨU(>ԃ+`a, 52+簭n P^j.p7FdZ9_!8h{SuOl唡ܺaV3<PMr&/C!SL槄)MnDlS2&O'D!$dB;R.^P.Ơvc1a(r*Zl5H*jSUZ2+bxI_7kc.Ѫ##J?/ĩC4Cx <'C[?]p) = 8%RBRr&4C!,?1(**B~~>d2g/ ߶m?L@SG+_;K秪ꭩ0oymeӭ9bpIT Fu幼EIb&xVKA,PrbdY#3ZۘyUXv.]e˖O1caaa333@"pX\cK-29 @ P"W1OQ v7f1t7's t71ߊӺT eNL!i=(CU94!WjczPHw` >&CU!`D;=/X8{I֦KԃXAT^ u2S !c`]ټ׏!#_Xp MI4~L"uX ~ ' .axRL|7!gdj8Bp2 I/@O}ރ{D ZH9uz+Af?_ r7]<3tFJV;"(PcB 2["C9!@t|3+GSTh"AHNQX:dNЗ~&`.$T r>\'Cӄ98\_dY`?}|XZznx.ćK_G0ܤ5r)ߡIe0Z U.vTe kcsto"͜y8DؔD-s"_!EA,05~KRjKX1d&'Be0[p G\QsQk8KIJF,q.='sѶfXˈ8d닃?< !#l4ƼW3=G|kFi&UenL^`dWȲpdĊC[0 YNƄaЭ1W8֔D! IqnR((2@1.f"Uz7+Sc2ZR D,kG}DWV ] *>o!"7)FPzUó! 
|:QttLkoO] `ԣޗNQqP7kC,B7EPgEQ,!jx@v0|oV|9/^V9TE 7O> IezeXpCk)/P LTM!2&P 9Ո(FAfN|L>YB,.%ip>`:^`f ֊2Cv:Y9:`WDʘDޏQݎ"@ZBƲD @;Mfhf'`G׽o̗pM#^9>7>W!M0JeDYQ=s<wbqq,ES?&(ap7FdZ9#8̥)nM˵0h\Em5C-3]|*L&C)hjZ,Rl+P?iZ3(}N-&5m7CW1[2HNipX6O1!'wgygf|IgV-&>%_CX'9Q̮HR[~Qj| RR|;I鼣䤤!z?)i0ta8I#YV:c9'į*^ruoN. |LF̂I8z(.J-^`gp/իQnYe:6 C!=fe;yM6R?It!u$Z>N0 >C5mĶrN)Q 8~q`}ˆB!WluŪc`N6Æm'Zq2^GҸ~+Lĸ>1,6ϧ>>/C:cH wѝ_+.Gicx-bAbq֙2֍`IcMbX[s9lSm>UAX?e#g}Y3vul_՟;e^Hrj몎MXj @ Gl 2rss l۶ ìC0kiHhМf_ CIz43V6 oG!V=# ]Ǟs&&m5JC'1M[m՜ITЃH[yUO !>Ҙ؇w+%%)C"#dmc+CjXnPH-.]e˖3f̀5,,,`ffH$KiJr;ꉘj|]C@#?nԙ.P ))ZQR 2rvʓ [Y㉳z1rN!i]kڦȐT'!*H2čʼyĪ-"1j q36z͇4t#4!h1Daq x3yMYhCcY;I&Dq]ꭩЩg|Դ8Iҭ[VDZ AYw6+C!PGwxX&sw?lRiM:$boY NacVӭqchSEg0t#`a@Pg{Ol mle$Z=-sHwU%r}x=,!/`M]+S7e`@Z\H4)#pbvԱLʢO3se0i|P\6uCjuP3 8ڵ@ĿI(-2zOQvP5,Reiph*BJe*AWOcd'ǹESJhA-[;8vvcElFO&&"[=hԨcX(򄇨7ֆƩ.Y8|K4Gc[w2 ;^krH,'2ܘHQeCW|gx7, 'J>-Fc4 FF)D 8!h8F>ic-2N̺Yw[m~}TP~iqn"vUkt+."b_\~/iX1 Qr:Q4_֜!=l\3?Lm,] bH(K V0kF7?g;$V%8_GqaJ*QrG!:}X=Xepah B9 A@_M$ch"W6M%5Y9NWM(̔V"zݿ?.gϞ<{C6`ٌO`>J?&.v:ЊK1y'yV=gM\>|P8.œ.t✞iךضx$!h>* 1ՇkCb;W$/DQ{yB"5TkSP(I/Dk{o/2wL& O Ms~Ük/o1&B^ITre IJ"m2;NjVoy)HVwbҫC` Q?&C!P@v WQq]{u-IiH\w8D m20G;U/~A!ˠ B? E(҇QS\$HU&O)9%Fp׉̜öwEm/! 
\T²MQQ.>bkZjVأu7TݒJRZhTh(Ȣ ,<3]^]؅E9gfk?3gm)^(խGDN;2Khx*B jl*F<5Ly+(gkoop ;Dn E򣴴lb-!*:|e Onv2՜AI?|2ggd"ٜf7gyVI в/l])ĵBiBy!'@"#h>L̹c2:imn_!.^$1D~&ֽn_ö*׷GK>>.<~"r1JJJޠb}j0ЖU+_6-FA@WY5 L*ӽ؊D-K~l)&JW{9ƽEH) ӏ ˴ω%[j Kq$9wɦ{W .dk8W[ '@ሩ"@ڋ_jӡC]gggzx(;w27f` ^ײ!QYicM>U$ԜDBic]wЕ1g)8QS(vUSᏨW䕢Gdh&̃qoY `Veg#U<}9%3hW$?N _] 8 IDAT-?Q0%SA7|}H2讙UK&q1ͅ6\UO+cj6.%WaRU[C D&b/$Mqy)e~.*/x+:u{ثO|]99N@C$z@B?/to|^_p>8EwsNN [GU\[Yln(2{թc A1'% $o,g"I#!^OxX?% "cE \&<]ŕ{7uKg"` 2%DP1mC/ R&ԓme)pS^ذ|ƎV3h/$ڋJz Uf Lp$g;5xY%Nd@AwX2DvܴԵ(#0[$¤i8_7RifAcRdql_c_G}Uط5,;&[s#cf ]]żt׮h]SD8ve?Tx/*ޮ` Owꀩ X3_vG"y }q??H s3MhjzMB^cߜzfzĘOdi}kLE`doBO/L7  q6=x毆 HX*MXE=%9Hz _/_Uǻ5bH] `DZ%rౙ1gK#iO@rY&STL im'-v/,1!9SH]"YX)gҸ~jd%RkC!{w}~<#*qMrf$SX6A1oZK&یT|l|ܹ\C5SH?t e bGdb46wP6X4i .֯}rqvzںt>-ˢӐm AW,i ֖*6<$x漚v]sV]·QjeySP-!Z-2N.fcm9sh/p[Z@uԲ8{sUٹKwp^-%W+5{g ~JFLe.PɢM1UYXtzxOwQmjV̊_{?f^@hQE\j YQO7qSZՕy΢Mbv5^`iHNEW l'X;#Bn#Z4̓bLTh?N=a`a])LD qW3q){_+x=L9|HF[ *sX[ ڸ RF j E"pk]7殛3>{9k`Ⱥ=3y\uCY5W$;ѝ0__VBϖco=lܥ4q"rX ~V st#7׶c648rl x<&(!6)gsKy "3%D89>G1WT^F#n ǁEq4еBt2:zF`cqP9{+^м`lUlO5ưS<\{E}8_\sd#?7yy-'JUC_mUԃdd#T䱵tŅJ&7~3lob4=l t|`ZN!'7^gnA#M"@\C'b tFsr{³_06ΦvikӻˆsuFPtu nIJ}j#fa{3ף!]҄Y> 3 lNy^GK/W&H3zO~/0 g_ZqX3ɕ߫#!5 "F݃'}41{]^cDmK!>Nx(eV~& *j=ރ艟CD _d&)Xd.%s[հQDtNb봰2ՄNRիشiv؁c01] * Kc{5f^C{&q;5\Tn(9zۏz"k⬯[5i<Lxw1Yo) :&ܠV Y.C7٤'|ΐ|=mږ SV[&8'H8S`!11+V`"4 χ|||r9ȴ-Q9ӷLu!D]ny ¦S`pɴЗyA Ygj늌*\ձz)\A 9m1dٖWk&;!sfUڶ"p+}uڋ"488E U]8Yg}posMjb}eTk՘;wBș  NC`l$l"= 5{M."2k E"@վXDV/8& -8dHYCO\**Ռ.n M@IYmyKm(`Լl~ZnP ~NV[s,K׸uISˈpՆf"oݚ_?nd[. wIYwX) zϤqK])Ewz(8Qk+G<DWL $D@uu5Nn;J]JɦW3ԏ~v1˴躬yu7*Qq7nRo˖y{#Z }%o ~LLm{S=ĔJ/ة[zd|=e3V=G*p$.G\X㻱Qy;VZ'P'EM&DpabCm2C/=~ͅ$iY|1oxlRQQJb?7_?ugG2vbl}8DȢ=CWGrd? F6k3kWqKa%ؗ! ;Yl{"0!l[}Y] ` \-䙷 R2J)ƮayaM; #=PTpC2Dg"ЦH)n*g ||z;ׯm7n[zEtpW .…lۺ&G2@S8qa0uHz??1xJ)Z4i .֯}mgqp#qU_|>׬y!8 xyX+Pu$z{c\D5mGdb46ƍPY.{Vmb}6&@Cfm #D9?|#FZAꂠAd;yM0! I"ϰw(/gi-/uqp dl l8J3'<41,"T2]'QCa9,B,[Wb؆ѸMq'2>Jja]uBܰ՛i)Dc17ф! 
gDŽ7k>0jV`@X03!mEQ[rp*>d!Q- njqS{T !A%֤BlF-CfOO{vUAv2sE$B^1}|ݱAVrb*؎GD7ajV7д-%7;#Bn#Z4\Tg@ Af "@@@XwZVT&|3AŒqQ0avcq2RgԺZY !mFQp6r}F枳{Wwno\\]]]VlnOFѥ"<+KQ&V(EyyaBBٱ+zOG]  ײrQ3 pVUIysgI_mUٯUlfS5Z֩LT]?:[U#JDl#@6^[@?pR=ҲC<%%%Ly|晩a1԰WR]C{˦%( 6E&0;/at,"Q,fvK`&-3)ȕ&r{#4Rħ@/s?'l1,acK|u(@(/i¬r.e(6& aˤDxSż(++NCii 2Ai&ر babNK~nO\sy [cT_ʆXB7/y۔-Cz6SHMdbG Fb DEEa󃏏փyb܄C.[%e"&.@8W`[a !{lUjد{Ֆ+ D8O|*KQDt995xfn5yx0JWAZsao!ɑQ D?d@zouQ53 A Ձ"`[hߒ1Algx%rj(t~2bWbԭ[@I@Vj2 = D$7 rB d0(M |"zaz۳T6hHuoK@#3o!!mv:(-GWȽE$jO׊QCA&v}]tm8Y "[hQZ"@@;|7q#ٕ8sM7ߩS*q"Je lmGu30Q7( /u-4q~0iZ2}F Ȇ"Si X:rlim"tqwgjF NO")CzT*ACdw__Rpu#dZ;7*`j$voδ*p$K5qF ܹ|*">s_AGW7'qL),/MjhC =,/-_D *KEDM(1 DZ>=%9Hz _/_Uǻ5okl8D<63lCqi$HN=d =؝5bhL#FchpaqGu0@Q%R}EN~ Ggۍd%RkC!{w}~<#*qMr$/X{ k†7>{?_}ۄg[Ni>akq ~ϡ ,[ګ|IqMTҩ j#T  Ddl'[q8H +ᣮJԶi+'41= {V;e-GyQ:~%&0/& Ղ$?u=6D~k}^ħ"Bs {JոO!)?)QѸWsxr&zb~h]_= ~bսW1u7}Z E!ii)Xx`-UmxHhy5 !lm\{+.(5z,17Lw&@g:0'DJ!\ٯ)w8W{Aq pBQ2{_Rw৔hĄ_AY `݂9[u_ 6 V6_ێL,5fmM<&(Zަ e!e D-tG_klk_9ޏY:.e u!X1 7)|[s XWy8ـëLja#]Y2y*YB޶<Yy$o&’-A̫Gm^״x뙛kG Ad"`G++W <!kl 1(1_G .n4 EWWpF,?o6vϺw1_ X~=~)%M03|?Kqre) 4S0L"(a pEq#;c\*zk?^à/b*[h=xb7L5FԦd+`c|p_dk{˂$̥Dtn ڢ *Iw1UUUdC eel ())իWi&ر bablLwkHPr E5c[5ij .!0Tm}i( jUP:w-Mҗ2apkd g0$&&bŊxyynna\Δ oZhy,GDg Vw>/й!BUc? S!^wJmr@bȲ-7֊!nMvBb:gmE-&D͞evD[.WH8&e}>JrļĜCH۠D4K~%Kf P6 p6(#@X#X'Ad %JC@HtL}7|n"@@k Ht!!D.x$uPҵto i?RۿyZB"`3I3g8 9ba@@# L~- $ᡍ$lFɉh9ԑyzkT&ul|AiӦAƍ娨F$Z2M"jܳa1?x" <- $ZB"`5S!3+*J qSy$ՅSB"@:,$0燩(j0"AaPʼn@#`F#Ǥg$kQk1՘I>>{xާЦD8ԤU1xIDAT1~c4OHzxgLJˤg "ÿ&*8 'HR=AHF\$IS-KgYCψ9Ί ީ3RFirewall Builder 4.0.0 Release Notes

Changes in the GUI

The editor panel and object tree are now detachable. You can "float" these windows and rearrange them on the screen any way you want. There is only one editor panel even when you open several data files at the same time. Each data file is opened in its own project window with its object tree and rules.

Selecting an object in the tree or in rules no longer automatically opens it in the editor. Use a double click or the context menu item "Edit" to open the object in the editor. This helps, for example, when you need to populate a large object group and have to switch between libraries to find objects: switching to another library or accidentally clicking on a wrong object in the tree does not cause the editor to switch.

Full implementation of the "undo" facility for all operations in the GUI. You can also monitor undo stack in the "Undo stack window" that you can open using main menu item "View/Undo Stack".

Behavior of all object dialogs has changed. According to the results of the user community opinion poll and discussion, object dialogs are losing button "Apply". All changes made in dialog entry fields are saved into the object immediately. This does not change the data in the .fwb file, only objects in memory. Combined with Undo, this allows for faster object editing and roll back of changes.

"Single rule compile": After you select a rule in a policy or NAT rule set, you can compile it by pressing "X" on the keyboard or using the context menu that appears when you click the right mouse button; the result is shown in the editor panel immediately. To select a rule, click anywhere in it (any rule element, not just the rule number).

Error and warning messages generated by the policy compilers are highlighted in red and blue in the compiler output panel when you compile a single rule. When you compile all rules of the firewall using the toolbar buttons or the main menu items "Compile" or "Install", errors and warnings are also highlighted in the dialog. Clicking on an error or warning message opens the corresponding firewall and selects the rule that caused it.

A new "Filter" input field is located above the object tree. Typing a fragment of a name in this field automatically limits the set of objects shown in the tree to those that match what was typed. The filter maintains a history of strings entered in it for the duration of the session.

Right above the panel showing rules there are now two new buttons. These allow you to compile and install policy for the firewall object shown in the rules panel at the moment. The same functions are available via context menu associated with the firewall or cluster object in the object tree, but these buttons are easier to use.

The GUI can show a brief summary of object attributes in a second column of the object tree. This is controlled by a checkbox in the global preferences dialog, tab "Objects", and is off by default. The first column always shows the object icon and its name; the second (optional) column shows its attributes. The interface label is shown in the second column. The width of both columns in the tree is set automatically to accommodate all the text and can then be adjusted by the user with the mouse. Column width is saved in settings and restored when the program restarts. Column width is saved per-file, per-library.

Now you can change IP addresses of interfaces of the new firewall created from a template. Templates come preconfigured with some IP addresses which probably do not match addresses used on your networks. When you create new firewall object from a template, the "new firewall" wizard includes interface editor page where you can change addresses and interface types (static or dynamic). The program not only changes addresses of interfaces, it also scans policy and NAT rules of the template looking for network objects that match original template addresses and replaces them with network objects that match new ones.

"Add object to a group directly from the group dialog": The group object dialog now has a button that shows a menu when clicked; this menu allows you to create a new object and add it to the group in one operation.

Password caching: The built-in installer can remember the firewall password (and the enable password for Cisco) for the duration of the session. Passwords are never stored permanently in any form, encrypted or plain text; they are only kept in the memory of the running Firewall Builder GUI instance. You need to enter the password once when you activate the generated policy. If you keep the program open and need to modify and activate the policy again, the password fields in the installer dialog can be filled automatically. The feature is optional and is off by default. Cached passwords are associated with the firewall object and the account name used to activate the policy. To use this feature, turn it on in Preferences and configure the user name used to authenticate to the firewall in the "advanced" settings dialog of the firewall object. Warning: using this feature creates a certain risk if a running Firewall Builder GUI is left unattended on an unlocked workstation. Someone may walk up to the machine and make changes to the firewall using the cached password of the administrator who used the same GUI session before. Always lock the screen or exit the Firewall Builder GUI when leaving the computer.

The program supports new types of interfaces: VLAN, bridge, bonding. This is fully implemented for Linux and partially for other platforms. VLANs are added as child objects of an interface, like so:

The GUI checks the name of the vlan subinterface against the naming convention for vlan interfaces on the chosen OS. For example, both "eth0.100" and "vlan100" are supported on Linux, while on Cisco IOS or PIX it should be "FastEthernet0/1.101".

See below for more details on the bridge interfaces implementation.

The program can generate commands to configure vlans, bridges and bonding interfaces on Linux. This is off by default and is controlled by checkboxes in the "script" tab of the firewall object dialog. The generated script adds and removes vlans, bridges, bridge ports, bonds and bond slaves incrementally. That is, the script analyzes existing vlan interfaces, compares them with the vlan interfaces defined in the Firewall Builder GUI, then adds new ones and removes those that do not exist in fwbuilder. The same algorithm is used to create bridges, add or remove bridge ports, and create bonds and then add or remove slave interfaces.

Configlets: the generated firewall script (for all platforms) is assembled from small fragments we call "configlets". These fragments are located in the "/usr/share/fwbuilder/configlets" directory (on Linux). Each configlet is a template that uses specially defined macros which the program replaces with actual strings and values when it generates the firewall configuration. There are separate templates for different firewall platforms and for different parts of the configuration file to be created. Supported macros include simple variable expansion and a conditional "If - then" construct. You can override the configlets we provide with your own if you create the directory "fwbuilder/configlets" in your home directory and place files with the same names there. You need to retain the structure of subdirectories inside this directory, that is, the directory should be "$HOME/fwbuilder/configlets/linux24" for the configlets installed in the "linux24" subdirectory under "/usr/share/fwbuilder/configlets". This way, you can change virtually all aspects of the generated configuration file. Because a configlet in your home directory takes precedence over the system copy and its content ends up in the firewall script, treat the files in that directory with the same care as the generated script itself.

The built-in policy installer gets the commands that it needs to execute on the firewall from configlets. Two configlets are used for Unix-based firewalls (Linux, OpenWRT, DD-WRT, Sveasoft, IPCOP and its variants, OpenBSD, FreeBSD, MacOSX, Solaris): "installer_commands_reg_user" and "installer_commands_root". You can change the behavior of the installer without having to touch C++ code: just create a copy of the configlet file in $HOME/fwbuilder/configlets and modify it.

Terminology for policy rule actions that create branching in the rule set or tag packets has been unified. Now we call these actions "Branch" and "Tag" for all platforms. Before, the name was different and matched original action on each platform, that is for PF it was "Anchor" and "Tag" and for iptables "Chain" and "Mark" respectively.

"Find where used" function can now find all uses of the given object, as well as all uses of its children. For example, if the object is firewall, then this function can find all groups and rules that refer to it directly, or to it and all its interfaces and their addresses. This extension is optional, it is controlled by a checkbox in the "Find" dialog.

Added a place in the global Preferences dialog for options specific to different object types. The first parameters include options for DNSName and AddressTable to let the user decide whether newly created objects of these types should be automatically configured with "Compile Time" or "Run Time" mode. Also added an option that makes the DNSName object editor copy the name of the object into the DNS record input field when a new object is created or whenever the name changes. This is useful when the user does not want the object name and DNS record to differ, because they then need to enter the name only once.

"Batch install" checkbox moved to the page that shows compiler progress so the user can decide to do batch install right before they perform installations instead of doing this before they start compile.

Standard objects library now comes with new IPv6 Network objects. These objects represent IPv6 networks that should not be routed on the Internet. Included: RFC3849 "Documentation Network" 2001:db8::; RFC4291 "Link local" fe80::/10; RFC4773 "Experimental Network" 2001:0000::/29 to 2001:01F8::/29. Also added a group "ipv6 private" that includes all these networks.

Added GUI elements to support IP option "router-alert" which is now available as an attribute of IPService object.

Changes in the Standard Objects library

Standard objects library now comes with new IPv6 Network objects. These objects represent IPv6 networks that should not be routed on the Internet. Included: RFC3849 "Documentation Network" 2001:db8::; RFC4291 "Link local" fe80::/10; RFC4773 "Experimental Network" 2001:0000::/29 to 2001:01F8::/29. Also added a group "ipv6 private" that includes all these networks.

Added address objects for standard multicast groups: all-hosts, all-routers, all DVMRP, OSPF, RIP, EIGRP, DHCP server / relay agent, PIM, RSVP-ENCAPSULATION, VRRP, IGMP, OSPFIGP-TE, HSRP, mDNS, Link-local Multicast Name Resolution, Teredo.

Common changes in all policy compilers

All compilers issue a warning when the firewall has no top-level NAT or Policy rule set. The top rule set is used to generate iptables rules in the built-in chains INPUT/OUTPUT/FORWARD or the rules in the main PF configuration file (not anchors). If the firewall object has only non-top Policy and NAT rule sets and no top rule set, packets will never reach any rules. However, there are legitimate cases when an administrator may want to use fwbuilder only to generate iptables commands for a custom chain or the configuration for a custom PF anchor, in which case this is not an error. Compilers generate a warning for this condition to bring it to the administrator's attention but continue processing the rules.

Support for High Availability configurations

Test data file cluster.fwb with examples of different cluster configurations is available for download here.

New object type "Cluster" (located under Clusters in the tree) represents the HA pair. You configure policy and NAT rules in the rule sets of this object rather than in the actual firewalls.

Here is what you need to do to set up HA configuration:

  • Create your firewall objects. Assign platform and host OS and name interfaces as usual. Do not add any policy or NAT rules. These are your real (member) firewalls. Interfaces should have their real IP addresses (not CARP or VRRP addresses).
  • Create a Cluster object which you configure with the proper platform and host OS. Use the usual "New Object" menu or toolbar button to create this object. Note that for a firewall object to become a member of a cluster, its platform and host OS settings must match those of the cluster.
  • The program guides you through the process of creating the new Cluster object using a wizard-like dialog. You start with the list of firewall objects, where you choose which firewalls should become members of the cluster. Next, the program finds interfaces of the member firewalls that have the same name and can be part of the cluster, and creates cluster interfaces with the same name. Not all interfaces are eligible; for example, bridge ports, bonding interface slaves or parents of vlan interfaces can not be used for the cluster. Cluster interfaces define failover groups. You can add, remove or rename cluster interfaces, as well as change which interfaces of the member firewalls are used with each one. On the next page of the wizard you can change failover protocols and add, remove or change IP addresses of cluster interfaces. Not all failover protocols require IP addresses; for example, VRRP or CARP do but heartbeat or OpenAIS don't. Finally, you can choose to use the policy and NAT rules of one of the member firewalls to populate the Policy and NAT rule sets of the new cluster. If this is done, all references to the original member firewall and its interfaces in rules are replaced with references to the cluster and its interfaces. The program also creates backup copies of the member firewall objects, with a "-bak" suffix added to the name, and clears the Policy and NAT rule sets of the member firewall objects used with the cluster before the new cluster is created.
  • OpenBSD or FreeBSD cluster gets carp interfaces. Name them "carp0", "carp1" or whatever indexes they have on your machines. You can add CARP password and ID at the same time, but if you don't, you can add them later.
  • If you use heartbeat or OpenAIS (on Linux) for failover, cluster interfaces should have the same names as corresponding member firewall interfaces. In this case, cluster interfaces are virtual entities that represent interfaces of the corresponding member firewalls. The program will make substitution when it compiles rules. This is also how it works for PIX failover configuration.
  • Each cluster interface has child "Failover group" object with the name "firewall:carp0:members" or similar. This is where you configure associated member firewall interfaces. Double click this object in the tree and then click "Manage Members" button in the dialog. Select interfaces of the member firewalls in the panel on the left hand side and click arrow button to add them to the list on the right. Use checkbox to select master. Click OK when done. The platform and host OS of the cluster object and members must match, otherwise firewall objects do not appear in the "members" dialog panel.
  • Besides interfaces, the Cluster object has a new child object "State Sync Group". This group represents state synchronization protocol. Currently pfsync is supported for OpenBSD and conntrackd for Linux. To configure, double click it in the tree to open it in the dialog and click "Manage Members". Select interfaces of the member firewalls in the panel on the left hand side and click arrow button to add them to the list on the right. Use checkbox to select master. Click OK when done. They should appear in the "members" table in the State Sync Group dialog. The platform and host OS of the cluster object and members must match, otherwise firewall objects do not appear in the "members" dialog panel.
  • Button "Edit protocol parameters" allows you to edit some parameters for chosen failover protocol. This is where you can configure an address and port for heartbeat and OpenAIS.
  • There are a few new checkboxes in the "Script" tab of the firewall object dialog. These allow you to control whether the program will add shell commands to create and configure bonding, bridge and VLAN interfaces.
  • Compile by clicking right mouse button on the cluster object and using menu item "Compile". This will in fact compile each member firewall separately so you'll get .fw and .conf files for both of them.
  • Again, you configure all the rules in the policy and NAT rule sets that belong to the cluster object. If you put cluster's interfaces in rules, the program replaces them with interfaces of the member firewall when it compiles rules. If you put the cluster object in a rule, it is as if you had put the member firewall object there instead, except that the program automatically picks the member firewall it compiles the policy for.
  • First, the program looks at Policy and NAT rule set objects of the cluster and member firewalls and compares their names. If there is rule set object with the same name in both the cluster and member firewall and both have non-zero number of rules, the rule set object from the member is used and the one from the cluster is ignored. The program prints a warning message when this is done. If rule set objects with the same name exist but the one in the member firewall has zero rules, it is ignored and the one from the cluster is used (no warning is issued). Likewise, if there are rule sets with the same name but the one in the cluster has zero rules, it is ignored.
  • Here is what you need to do if you want to have most rules defined in the cluster so they will translate into rules for all member firewalls, but have some rules defined in the members so you can make configurations of the members slightly different:
    • Create a separate rule set object in the cluster and in each member. Use a name different from "Policy" or "NAT". Let's use the name "member_override".
    • Create a rule with action "Branch" in the main Policy or NAT rule set of the cluster, drag rule set object "member_override" that belongs to the cluster to the well in the Branch action parameters dialog.
    • Leave "member_override" rule set that is a child of the cluster object empty (no rules)
    • Add rules to the rule set "member_override" in each member firewall
    • Make sure rule set "member_override" is not marked as "Top ruleset" in the cluster and each member. This rule set translates into user-defined chain (iptables) or anchor (PF) and should not be the "top ruleset".
    This method works for both policy and NAT rules for all platforms.

Cluster configuration for PIX

Firewall Builder supports PIX "lan based" failover configuration. Unlike in Linux or BSD, where each interface of the firewall runs its own instance of failover protocol, PIX runs one instance of failover protocol over dedicated interface. PIX can also run state synchronization protocol over the same or another dedicated interface. These dedicated interfaces should be connected via separate switch and do not see regular traffic. Here is how this is implemented in Firewall Builder:

  • Like with all other supported firewall platforms, interface objects that belong to a cluster object serve to establish association between actual interfaces of the member firewalls. Cluster interface object should have the same name as corresponding member firewall interfaces. It should have Failover Group child object which should be configured with interfaces of the member firewalls. You can create Failover Group object using context menu item "Add Failover Group", the menu appears when you right mouse click on the cluster interface object. Here is an example of correct interface mapping between cluster and member firewalls:
  • The Failover Group object "cluster1:e0.101:members" is configured with interfaces "Ethernet0.101" of both members:

  • Interface that is configured for the failover on the member firewall should be marked as "Dedicated Failover". Use checkbox with this name in the interface object dialog to do this.
  • Cluster interface that corresponds to the failover interface of the members should be configured with protocol "PIX failover protocol". Click on the "Edit protocol parameters" button to edit timeout, poll time and the key.
  • Cluster interfaces that represent regular interfaces of the members also must have failover group objects; that is where you add interfaces of the member firewalls. There is no need to configure protocol in these failover groups because PIX does not run it over these interfaces. Regular interfaces should not be marked as "Dedicated Failover".
  • Cluster object should have State Synchronization group child object. Create it using context menu "Add State Synchronization Group" item if this object does not exist. In this object you need to configure member interfaces that should be used for state synchronization. You can use separate dedicated interfaces or the same interfaces used for failover. If these are separate, corresponding interface objects of the member firewalls must be marked as "Dedicated Failover".
  • One of the member firewall interfaces used in the State Synchronization group must be marked as "master". This is where you define which PIX unit is going to be the primary and which is going to be the secondary in the HA pair.
  • Here is an example of the state synchronization and failover using the same interface Ethernet2:

    The State Synchronization Group object "State Sync Group" is configured with interfaces "Ethernet2" of both members:

  • Dedicated failover interfaces of the member firewalls must have IP addresses and these addresses must be different but belong to the same subnet.

Built-in policy installer treats PIX clusters in a special way:

  • For the PIX cluster, built-in installer installs generated configuration only on the master PIX unit. It determines which one is the master by looking in the StateSyncGroup object (state synchronization cluster group).
  • Dialog where user enters authentication credentials and other parameters for the installer has a checkbox that makes installer initiate copy of the configuration to the standby PIX if installation was successful.

Changes in the support for bridging firewalls

Skip this if you do not use Firewall Builder to configure iptables firewalls in bridging configuration. Otherwise, please read on.

Previous versions of Firewall Builder provided an attribute "bridge port" in the dialog of the Interface object. If an interface marked as "bridge port" was used in the "Interface" column of a policy rule, fwbuilder policy compiler used "--physdev-in" or "--physdev-out" option instead of conventional "-i" or "-o" option. The attribute "bridge port" has been deprecated in the new version. You need to make changes to your firewall and interface objects manually in order to make your old configurations compile properly with new version of Firewall Builder.

First, check if you have an interface object to represent the bridge. Usually it will have a name br0 or similar. If you do not have this interface object in the firewall in Firewall Builder, please create it. Regardless whether this object existed before or you just created it, open it in the editor and click "Advanced Interface Settings" button in the dialog. This button and the dialog it opens are new in this version of the program. In the dialog that appears use drop-down menu "Device Type" to set its type to "Bridge". Then click "OK" to close the dialog and save configuration.

Next, find interface objects that should represent bridge ports and simply drag them and drop under the interface br0 (copy/paste works too). In the end, these interfaces become "children" of br0 and should be located in the branch of the tree rooted at br0. The program displays a comment "bridge port" next to the name of an interface like this in the tree. Here is how it looks:

In this configuration we have bridge interface br0 and two bridge ports eth0 and eth1. Note how eth0 and eth1 are located in the tree under br0, on the same level as its IP address object.

This is it, bridge port interfaces will be recognized by the program again and it will generate proper iptables configuration.

Changes in support for iptables

When an interface with dynamic address is used in a policy or NAT rule, compiler generates shell script to read its IP addresses at the time of execution, assigns them to temporary shell variables and uses them in rules. In previous versions (fwbuilder v2 and v3) only the first IPv4 address of an interface was used. V4 uses all IPv4 and IPv6 addresses of the interface by creating a shell "for" loop in the script. Note that support for dynamic IPv6 addresses was broken in v3 completely, it was fixed in v4.

Policy compiler for iptables can generate shell commands to configure bridge, bonding and vlan interfaces (see above).

Added support for branching rules in NAT.

Added support for option "--random" in SNAT rules

"SNAT instead of MASQUERADE on dynamic interfaces". The NAT rule options dialog now has a checkbox that, when checked, makes the compiler use the SNAT target instead of MASQUERADE when TSrc has a dynamic interface. Apparently the MASQUERADE target has problems when iptables NAT is used in combination with policy routing. Using SNAT with a variable that holds the interface address solves the problem. By default this option is off, that is, the compiler uses the MASQUERADE target when TSrc has a dynamic interface.

Generated script can adjust conntrack kernel module parameters to tune its performance for firewalls that handle heavy traffic.

Generated iptables script now has standard structure per LSB ("Linux Standard Base Core Specification 3.1"). The script has the following actions controlled by the command line arguments: "start", "stop", "reload", "status". Action "start" reconfigures interfaces and then flushes current iptables tables and chains and loads new iptables configuration. Action "stop" flushes all tables and chains and sets default policy in all chains to "DROP" to shut down the firewall to all kinds of traffic. It can also optionally install iptables rules to permit ssh access to the firewall from the management workstation. Action "status" returns a return code per the LSB specification. Code 0 means the firewall is loaded and is running (but it does not check that the rules it is running with are those defined in fwbuilder). Return code 3 means iptables modules are not loaded or there are no tables. This return code means the firewall is not running or not configured. It also supports additional actions "interfaces" and "test_interfaces". Action "interfaces" only runs commands that manage IP addresses of interfaces, as well as configure vlan, bridge and bonding interfaces. Action "test_interfaces" runs the same commands in the test mode, when it prints the commands that would be executed but does not actually execute them.

Added support for negation in "-m limit --limit rate" and "-m connlimit --connlimit-above" clauses for iptables.

Option "--random" is now supported in all NAT rules (targets SNAT, DNAT, MASQUERADE)

Option "--persistent" is now supported in all NAT rules (targets SNAT, DNAT) if version is set to 1.4.3 or later in the firewall object.

Algorithm that finds policy rules that shadow each other can now recognize rules configured to use iptables modules "limit", "connlimit" and "hashlimit" and detects shadowing taking into account rate, burst and other parameters for these modules.

Support for IPCOP

Firewall Builder v4.0 comes with experimental integration with IPCOP firewalls. To turn it on, choose platform "iptables" and host OS "IPCOP firewall appliance". Generated script is supposed to be installed on the firewall as /etc/rc.d/rc.firewall.local and restarted by the command "/etc/rc.d/rc.firewall restart". Built-in policy installer in Firewall Builder GUI installs it using this name and runs restart command to activate it. Firewall Builder does not manage interfaces of IPCOP firewall to avoid conflicts with IPCOP itself, use fwbuilder only to generate iptables rules. The program comes with some template objects for IPCOP firewalls, you can use them when you create new Firewall object if you choose to create it from a template.

Support for OpenWRT

Another new host OS supported in Firewall Builder v4.0 is OpenWRT. To use fwbuilder with OpenWRT you need to install the following packages on the firewall using command "ipkg install package.ipk":

  • ip
  • ip6tables (if you need IPv6)
  • iptables-mod-extra
  • iptables-utils
  • kmod-ipt-extra
Firewall Builder uses name "fwbuilder.fw" for the generated script for OpenWRT and places it in directory "/etc/init.d/" on the firewall. To make the firewall run it during boot sequence, install the script using built-in policy installer or copy it to this directory manually, then run command
  /etc/init.d/fwbuilder.fw enable
and disable standard firewall script:
  /etc/init.d/firewall disable
To activate the firewall and load policy generated by fwbuilder, use command
  /etc/init.d/fwbuilder.fw start
To stop the firewall and block all traffic use command
  /etc/init.d/fwbuilder.fw stop
An option in the "Compiler" tab of the firewall object in fwbuilder GUI allows you to make the firewall block all traffic when stopped but still permit ssh connections from preconfigured address of the management machine.

This method works both on stable Kamikaze (v7.06) and the latest OpenWRT (v8.09 at the time of Firewall Builder v4.0 release).

In test mode fwbuilder copies generated firewall script to directory /tmp on the firewall.

Support for DD-WRT

This version of Firewall Builder introduces direct support for DD-WRT. There are two options: you can use nvram to install generated firewall policy or you can use jffs (Journaling Flash File System) on the device and store generated script there. Two host OS settings are provided: "DD-WRT (nvram)" and "DD-WRT (jffs)".

DD-WRT (nvram)

In this mode generated script is somewhat shorter and does not support command line arguments "start", "stop", "status". The script does not try to load iptables modules on the firewall but configures interface addresses, vlans, bridge ports and bonding interfaces. Built-in policy installer saves the script in nvram variable "fwb" and configures nvram variable "rc_firewall" to run this script.

DD-WRT (jffs)

First of all, you need to activate JFFS/JFFS2 (Journaling Flash File System) on the firewall. Instructions are provided in the DD-WRT wiki. Once jffs is mounted read-write, you also need to create directory "/jffs/firewall" where fwbuilder will store generated script. This is explained in this article in DD-WRT wiki.

When firewall is configured with host OS "dd-wrt (jffs)", built-in policy installer copies generated script to the file "/jffs/firewall/firewall.fs" on the firewall and configures nvram variable "rc_firewall" to call this script.

Note: recent builds of DD-WRT (tested with v24 and v24SP1) seem to disable JFFS for some reason. If you plan to use jffs method of installing firewall script, check if the version you run supports it.

Changes in support for PF

Added support for branching rules in NAT. Compiler generates keyword "anchor" if PF version is 4.3 or later and "nat-anchor" and "rdr-anchor" for earlier versions.

Optimization: rules that have several interface objects (or a group) in the "Interface" column are compiled using "{ }" grouping to produce only one configuration line instead of several for such rule.

Compiler for PF generates "allow-opts" keyword when IPService object used in the rule has IP options. This includes new option "router-alert".

Added support for pf state tracking options "no-sync" and "pflow". Set version to "4.5" or "4.6" in the firewall object to be able to use these new options.

Implemented support for incremental management of IP addresses of interfaces and VLAN pseudo-interfaces for OpenBSD and FreeBSD. The script analyzes existing vlan interfaces and compares them with vlan interfaces defined in the Firewall Builder GUI and then adds new ones and removes those that do not exist in fwbuilder.

OpenBSD 4.7 has changed the syntax of "nat" and "rdr" PF rules. These keywords are gone, corresponding translations are done using "nat-to" and "rdr-to" options in "pass" or "match" rules. Fwbuilder 4.0 adds support for this. The list of recognized versions for PF has been extended with "4.7", choosing this version number makes policy compiler generate NAT and rdr rules using new syntax. Since the "no" keyword has been removed as well, fwbuilder can no longer generate "no nat" rules for 4.7. Policy compiler recognizes this as a fatal error, administrator should use negation to implement exceptions in NAT rule sets.

Changes in support for Cisco IOS ACL

Built-in installer can use command scp to copy IOS configuration to the router using ssh and then command "copy file running-config" to activate it. This method is much faster than running configuration line by line. The router should be configured with ssh v2 and scp server. This method can be combined with rollback (by reload or EEM). To use this method, turn on the checkbox in the tab "Installer" of the "advanced settings" dialog of the router object. Since this option is configured separately for each firewall object, you can have a mix of installation methods if some routers do not support scp.

For instructions how to configure scp see Secure Copy. You need to do the following:

  • Create RSA keys
  • enable ssh v2 using command "ip ssh version 2"
  • enable scp server using command "ip scp server enable".
  • User account used to copy the policy should have privilege 15: "username vadim privilege 15 password 7 XXXXXXXXXXX".

To troubleshoot when scp is not working:

  • Test using command line scp tool rather than fwbuilder installer. Use "scp" on Linux and Mac OS X and "pscp.exe" on Windows like this: "scp file.fw router:nvram:file.fw"
  • check that ssh and scp are enabled on the router (see commands above)
  • check that user account has privilege 15
  • Use command "debug IP ssh" on the router to turn debugging on. Diagnostic messages that it prints to the console and to log may help you identify the problem

Note that installer does not use command "config replace" because configuration created by fwbuilder is incomplete and should be merged with running config rather than replace it.

Built-in policy installer uses EEM (Embedded Event Manager) on IOS 12.4 or later to schedule automatic configuration rollback instead of reloading the router. EEM appears in IOS 12.4 and supports background operations that can be triggered by some events on the router or by timers. In this new feature, fwbuilder creates EEM applet with a countdown timer that executes command "config replace nvram:startup-config force" when timer expires. User has the following options:

  • Schedule automatic rollback in a few minutes and install updated ACL configuration. This can be used to test new policy and revert to the original one after some short period of time. This also helps to avoid a situation when updated policy blocks access to the router because of an error; rolling back to the ACL configuration that was running before the update will restore access automatically.
  • Schedule rollback in a few minutes, install updated ACL but cancel rollback if installation of the new configuration was successful. This is mostly intended to prevent blocking access to the router in case of an error in the new ACL configuration. If fwbuilder was able to enter all lines of the new configuration all the way to the end, this means new configuration does not block access and installer executes command "no event manager applet fwbuilder-rollback" to cancel scheduled rollback.

Since IOS before 12.4 does not have EEM, automatic rollback on these older versions is implemented by scheduling a router reload with the command "reload in <minutes>". This hasn't changed since Firewall Builder v3.0.

Added support for the "dry run" installer option for Cisco routers. When this option is on, installer logs into the router and switches to the enable mode, but does not execute any actual commands. If scp is used to copy configuration to the router, installer will copy the file but will not activate it. This tests ssh session in general, login password, enable password and scp but does not make any changes to the router configuration.

Added support for the object-group statement in generated IOS configuration. This helps reduce size of the generated access lists when the router should match long lists of IP addresses or ports. Both "network" and "service" object-groups are supported. This feature is controlled by a checkbox in the "Advanced" settings dialog of the firewall object; it requires IOS v12.4(20)T or later and is off by default. Check if your version of IOS supports "object-group" command before using!

Policy rule option "Add mirrored rule" (controlled by a checkbox in the rule options dialog) makes policy compiler for IOS ACL automatically create a rule with mirrored source and destination addresses and service fields. This can be used to match "reply" packets using address and service parameters matched by this rule. The action of the mirrored rule is the same as that of this one. Firewall Builder recognizes the following services and creates "mirrored" versions as follows:

  • UDP service: mirrored service has source and destination port ranges reversed
  • TCP service: mirrored service has source and destination port ranges reversed and "established" flag inverted. If TCP service used in this rule does not have "established" flag, the mirrored service gets it, and the other way around. This is designed to simplify creating ACL rules to permit "reply" TCP packets
  • ICMP service: ICMP echo request is recognized, mirrored service becomes ICMP echo reply. Other ICMP types are simply copied to the mirrored service
  • ICMPv6 service: like with ICMP, ICMP echo request is recognized and other ICMPv6 types are just copied
  • IP service: mirrored service is a copy

Changes in support for Cisco ASA (PIX)

Built-in installer can use command scp to copy generated configuration to the firewall and then command "copy file running-config" to activate it. This method is much faster than running configuration line by line. The firewall should be configured with ssh v2 and scp server. This method can be combined with rollback. To use this method, turn on checkbox in the tab "Installer" of the "advanced settings" dialog of the PIX firewall. Since this option is configured separately for each firewall object, you can have a mix of installation methods if some firewalls do not support scp.

To configure scp on the PIX firewall you need to do the following:

  • Create RSA keys
  • enable ssh v2 using command "ssh version 2" in configuration mode
  • enable scp using command "ssh scopy enable" in configuration mode
  • make sure user account used to copy configuration has "privilege 15": "username fwbadmin password XXXXXXX privilege 15"

To troubleshoot when scp is not working:

  • Test using command line scp tool rather than fwbuilder installer. Use "scp" on Linux and Mac OS X and "pscp.exe" on Windows like this: "scp file.fw firewall:flash:file.fw"
  • check that ssh and scopy are enabled on the firewall
  • check that user account has privilege 15
  • Use command "debug ssh 10" on PIX to turn debugging on. Diagnostic messages that it prints to the console and to log may help you identify the problem

Note that when fwbuilder uses command "copy file.fw running-config" to activate uploaded policy, the firewall does not print it. If there are errors, they are printed but the lines they refer to are not printed. Some configuration lines trigger errors because they try to configure things that are already configured, such as some parameters of interfaces, global pools etc.

Generated PIX configuration will include commands that enable ssh v2 and enable scopy if this option is turned on to make sure they stay enabled after configuration is reloaded from the file.

When certain PIX configuration commands are executed again during configuration update, PIX detects this as an error. Commands that fall into this category are "inspect", "service-policy" and some "failover" commands, to name a few. To avoid this kind of errors while updating PIX using built-in installer and avoid entering commands for parts of configuration that do not change often, you can use checkbox "Generate only access-list, access-group... commands" in the "Script" tab of the PIX firewall "advanced" options dialog. If this checkbox is on, generated configuration file will only include "access-list", "access-group", "telnet", "ssh", "nat", "global" and "static" commands.

Changes in the command line tool fwbedit

User can now merge objects from two data files together using command line tool fwbedit just like the "Import library" function in the GUI.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_4.0.1.html000066400000000000000000000216261303637203600233020ustar00rootroot00000000000000

Firewall Builder 4.0.1 Release Notes

This release fixes several minor bugs in the GUI and other components, improves the policy importer for iptables and introduces support for HP ProCurve ACLs.

Changes in the GUI

  • fixed #1443 GUI crashes compiling file opened read-only. If a file that was added to RCS was opened read-only and then any firewall object in it compiled, the GUI crashed trying to update "last_compiled" timestamp.

  • fixed #1444 compile error on FreeBSD-Current Compiler issues error "/usr/include/utmp.h:2:2: error: #error <utmp.h> has been replaced by <utmpx.h>"

  • fixes #1447: context menu item "Edit" associated with rule set object in the tree opens it in the rule set view and the editor panel. Menu item "Open" only opens it in the rule set view. This eliminates strange behavior where it would open in the rule set view on first click on "Edit" and then in the editor in the second click on "Edit". Double click used to work the same, the first double click opened in rule set view, the second in the editor. Now double click always opens in rule set view and the editor which is more consistent with the behavior for other object types.

  • fixed #1339 "Logging" icon appears looking the same as "Rule options" icon on Mac

  • fixed #1460 "when "show icons in rules" is turned off, there is no way to tell when logging is turned on and non-default options are present in a rule".

  • fixed #1464, SourceForge bug 3004274: "Branch rule set object displays improperly". Branch rule set attribute was not loaded properly into Branch action dialog for rules of PF firewalls.

  • fixed #1462 "if you do a bulk install, and then want to do a single install, bulk mode is selected"

  • fixed #1461 Need obvious button to add new rule to the empty rule set. Added button with a "+" icon right above the rule set view, this button adds new rule to the set.

  • fixes #1457 "tooltips for rule options seem to be broken". Tooltip always includes the line telling if the rule is "stateful" or "stateless", the function almost never returns an empty string now. Added missing hashlimit parameters to the rule options tooltip. Some of the more rarely used hashlimit parameters are still not included in the tooltip. Improved tooltip formatting using an html table.

  • fixed #1463 Always show branch rule set name with action "Branch"

  • fixed #1469 some actions should always display argument, even when text labels for actions and directions is off

  • applied patch by Vadim Jukov <persgray@gmail.com>, maintainer of OpenBSD port. Patch fixes compile issues on OpenBSD

  • fixed #1468 Open new object in the editor after it has been created.

  • see #1466 Implemented instrumentation that should help us improve user experience. It will track a few things that new users do (or don't do) and report them as a combination of boolean flags at the end of the GUI session, reporting things such as whether the user ever looked at the "Getting Started" tutorial, created their first firewall object, modified any rules, or tried to compile, install or import an existing rule set. Information passed in the report is strictly a set of boolean flags; it is not identifiable and does not reveal what firewall platform they are using or anything about their objects and rules. The list of flags is in the module UserWorkflow.h

  • fixed #1478 always use included antlr run-time library. Because of the fixes I've made in CircularQueue.hpp in 2008 for 64 bit systems, we should always link with the antlr run-time that is included with the fwbuilder code tree rather than attempt to use the one that might be installed with the OS.

  • fixed #1481 when user changes platform in the firewall object, its version should change too.

  • added mechanism for one-time announcements that can be pulled from the web site when version check server says there is one. Announcement is shown only once. To do this, I store time stamp when it was shown in settings using hash of the announcement url.

  • refs #1483 If program detects change in CustomService object and the change just adds code string for a platform that was not in the object in the user's data file, the change is accepted without showing the dialog.

  • fixes #1484 "paste below" function pastes rules out of order

Changes in the policy importer

  • See #1450 and SourceForge ticket 3000809: iptables parser can now import "mark" module matches with hexadecimal parameters and "length" module matches. Also added check in the importer for broken iptables-save files where rules for any table are not terminated with "COMMIT".

  • fixes #1453 "iptables importer should parse multiport module parameter --ports". Module multiport with parameter "--ports" matches either source or destination port numbers. Importer creates two tcp (or udp) service objects to implement this match.

  • see #1451 "policy importer should support some popular iptables modules". Added support for module "recent" and rules that match standard ip/icmp/udp/tcp protocols and at the same time module "mark", "length", "limit" or "recent". Rules like these are translated into a combination of a branching rule and additional rule in a branch rule set that implements module match.

Changes in the Standard Objects library

  • fixed #1483 "missing code in the custom service object ESTABLISHED for ProCurve"

Changes in libfwbuilder library

  • fixed #1485 "dns name object is recognized as an empty group when it appears in shared rule set"

Support for HP ProCurve

  • Added experimental support for HP ProCurve "intelligent" switches (L3). Code is based on the policy compiler for Cisco IOS extended access lists. Differences include ';' character for comments, different naming convention for Vlan interfaces ("VLAN 2", with a space), requirement to unbind an ACL from interface before it can be cleared, different syntax for vlan ACLs and ACLs bound to switch ports.

  • At the time of the release of v4.0.1, we were able to test code generation for ProCurve ACL but policy installer remains untested for the lack of hardware. We are going to work on the installer over the next few months to make sure it works in the next point version release of fwbuilder.

Changes in support for iptables

  • fixed #1455 Function update_addresses() (host OS linux24 and derivatives) uses both ip and ifconfig. Should stick with /sbin/ip so the script works on systems where ifconfig is not installed.

  • fixed #1458 Should permit interface name "br-lan" for bridge interface on Linux. Bridge interfaces on Linux can have any name, including those with "-". OpenWRT creates bridge interface with the name "br-lan" by default.

Changes in support for DD-WRT

  • fixes #1448 "need to commit nvram changes on DD-WRT".

Changes in support for for Cisco IOS ACL

  • Compiler uses new configlet "safety_net" to add temporary ACL for the "safety net" install method.

  • restored function of the "comment the code" in the "Script options" of the firewall settings dialog for Cisco IOS ACL and ProCurve ACL. When this checkbox is off, comments are not added to generated script.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_4.1.0.html000066400000000000000000000570051303637203600233020ustar00rootroot00000000000000

Firewall Builder 4.1.0 Release Notes

This is the first official release for V4.1. It has been tested and we believe it to be stable, but you should test it prior to using it in production. If you find a bug please open a ticket in our SourceForge project:

SourceForge: Tickets for V4

What's new in V4.1?

There are several new features in this version including:

  • Support for Address Table objects that use the iptables ipset module
  • Integrated SSH tools (plink.exe and pscp.exe) in Windows installer package
  • New toolbar shortcut to view complete generated firewall configuration files in the GUI
  • Shortcut buttons in the main window to help new users get started more easily
  • Updated many dialog window sizes to work better for users with smaller displays (1024x768)
  • Added a new mode for stopping the firewall script called 'block'

In addition to providing new functionality one of the goals of this release is to make Firewall Builder easier for new users to learn. There are new buttons in the main window that are shortcuts to common functions that new users need to get started like adding a new firewall and importing policies from existing devices.

The iptables ipset module support provides an efficient way to build iptables rules that match large sets of ip addresses and update these addresses without reloading iptables rules. Please note that this function requires that your firewall has the ipset module loaded. You can find more information about how to set up and use Firewall Builder to manage iptables IP sets in the Users Guide section for Address Table objects.

UsersGuide: Address Table Objects

GUI Updates

  • fixed #1505 move "Clip comments in rules" checkbox to "Appearance" tab.

  • fixed #1504 Added (optional) text to the toolbar buttons. Text is turned on by default but can be turned off in the global Preferences dialog.

  • using separate settings object and file in the .ini format to store instance uuid to ensure uuid persistence on windows across upgrades done with complete deinstall. Fixes #1497

  • fixed #1489 removed unnecessary debugging messages.

  • fixed #1490 compile problem with Qt 4.7

  • fixed #1501 call qsrand(seed) to seed random generator before generating new UUID

  • applied patch from slif@bellsouth.net to fix compiler warnings. Patch applied partially since not all fixes were appropriate. fixes #1510

  • fixed SF bug #3013532 "file chooser dialog for import policy does not show all files".

  • fixed SF bug #3013855 "various fixes for run_tests". Applied patch suggested by Michael J. Slifcak (with changes).

  • fixed SF bug #3013735 "invalid pixmap properties during make". Fixed uic warnings.

  • fixed #1499 "GroupObjectDialogTest.cpp does not compile with gcc 3.4.6" and SF bug 3015307. There is no reason to make method insertObject() protected which caused problems (and hacky workaround) in the unit test.

  • added user work flow progress flags for an attempted install and first successful install. Both flags are Boolean true/false indicating that the event occurred. We do not track and do not report any information about the firewall, platform, rules etc. These flags will be used to determine how many users abandon the program before even trying to run install for real because it is too complicated or the UI is not good enough. Fixes #1495

  • added user work flow flag indicating that ssh/scp have been configured in the Preferences dialog. The flag is Boolean and registers only the fact that something was entered in ssh and scp fields. Actual path and programs used are not registered and reported. Fixes #1496

  • fixed bug 3016720 "import policy disabled after file close". Menu items "File/Import Library" and "File/Import policy" became disabled after user closed data file using "File/Close" and never became enabled again.

  • fixed #1521 "GUI crashes upon exit on CentOS 5". This fixes SourceForge bug reports 3016482 "segfault with RHEL5 pre-built packages on CentOS 5.5" and 3015979 "fwbuilder not exiting in centos 5.5"

  • fixed #1493 "workflow icons in the big empty space". The GUI shows big buttons in the empty space in the right hand side of the main window when no firewall policy is opened yet. These buttons provide simple shortcuts to the workflow functions useful for the novice users. Currently this includes "Create new firewall", "Import configuration of existing firewall" and "Watch Getting Started Tutorial".

  • fixed SF bug 3016680 "Vertical scrollbar issue" rules with a lot of objects did not scroll properly vertically.

  • fixed #1520 "Comment field display clips comment text"

  • fixed #1526 "Make sure GUI unit tests work in the environment where user turned off tip of the day dialog". Unit tests now use alternative settings file with all default values and do not depend on user's preferences.

  • See #1346. Viewer panel that can be used to inspect generated firewall configuration files from within the GUI. The panel can be opened using a button in the mini-toolbar above firewall rules or as a page in the compile and install wizard.

  • SF bugs 3020381 and 3027284: "Line failure should abort remote firewall install". If network connection is lost during firewall policy activation, policy installer should detect this, disconnect and declare installation session a failure. Prior to this version, installer detected network failures during policy copy (done with scp) or when it could not connect to the firewall at all, but hung if connection was lost in the middle of ssh session used to activate firewall policy. Now using ssh parameter "ServerAliveInterval" to make it detect connection failure. Added an input field that defines inactivity timeout value in seconds to the "Installer" tab of the global preferences dialog. The same timeout value is used to set up ServerAliveInterval parameter for ssh, ConnectTimeout parameter for scp and registry entries required by plink and pscp on Windows using putty session "fwb_session_with_keepalive". Default value defines 30 sec timeout.

  • All installation commands should be on a single line in the configlet so they are sent to the firewall as one line. When these commands were on separate lines, linefeed characters between them appeared on the standard input of command "sudo -S" and broke installation process. This only happened in my tests when I ran GUI installer on Windows and looked like some sort of a race. When all commands are on one line the problem disappeared. Changed only configlets that used sudo as part of installation script.

  • fixed SourceForge bug 3020761 "printing from command line causes Segmentation fault". Fixes #1533

  • fixed source forge bug #3028740 "inspect/install does not like spaces in Firewall object name". compiling firewall objects with name that contains white space produces files with spaces in the name which confused "inspect generated files" function and built-in policy installer. Names with spaces are now supported.

  • sorting of firewall and cluster items in compile/install dialog is now case insensitive.

  • hiding "Select all" and "Select none" buttons in the first page of the compile/install wizard when there is only one firewall in list.

  • renamed buttons "All" to "Select all" and "None" to "Select none" in the first page of the compile/install wizard.

  • fixed SourceForge bug #3027272: "default values taken from unexpected sources". When new firewall object was created using "Import Policy" function, parts of its configuration were taken from default settings of an unexpected host OS.

  • fixed wrong display of non-ascii symbols in cluster member compilation warning.

  • firewall names are now resolved to IP address in the SNMP discovery. Added new input element for firewall IP address to use for SNMP interface discovery when firewall object name does not match DNS record.

  • Added "Cancel All" button to the installer options dialog to stop all firewall installations and renamed OK button to "Install". The new "Cancel All" button lets user interrupt installation process when they are in the middle of pushing configuration to many firewalls.

  • fixed #1582 'tree is not refreshed after address substitutions in "new firewall" wizard'

  • Most dialogs were adjusted to make sure they fit on the screen 1024x768

  • fixed #1612 "File/Open should create new project panel". If user has some unsaved changes in the default project panel (the one with no associated file) and then uses File/Open menu to open another data file, the file should open in a new project panel.

  • fixed #1611 "File/New should create new project panel". Like #1612, open new data file in a new project panel if current project panel has no data file associated with it but has unsaved changes.

  • fixed #1622 "Crash when configuring cluster". The GUI used to crash if user created a cluster copying rules of one of the cluster members while that rule set was opened in the rule set view.

  • fixed #1632 "dependencies created by branching rule sets should be processed recursively". In the case of multi-level branches the GUI should trace all references to find all firewalls affected by a change of an object used in the rule. This fixes SourceForge bug 3033462 "nested shared branch rules between servers not working".

  • fixed SF bug 3035426 "canceled save writes .fwb ". The program created file with name ".fwb" if user started with an empty project page, created some objects, then hit "Compile" but then clicked "Cancel" when offered a chance to save objects into a new data file.

Changes in the policy importer

  • fixed #1511, SF bug 3012953: iptables import parse error icmp_type any

  • fixed sourceforge bug 3012953 name of UDP and TCP objects created during import should follow the same pattern and not include "0-0" for the source ports if they are equal to zero.

  • policy importer for iptables can now parse numerical log levels.

  • bug 3012953: iptables importer sometimes does not recognize rule with " ESTABLISHED,RELATED ". Parser properly processed iptables rules with state "RELATED,ESTABLISHED" but not when states were in the opposite order.

  • fixed #1513 iptables importer should check default policy in standard chains. Importer creates rules at the bottom of the policy rule set to reproduce default policies in the built-in chains INPUT,OUTPUT,FORWARD. These rules are added only when default policy in these chains is set to ACCEPT because generated iptables script always sets default policies to DROP. Support for this in the mangle table is limited so far, only default policies in PREROUTING, OUTPUT and POSTROUTING can be implemented. Rules created for the commands that set default policy in chains FORWARD and INPUT will generate commands in PREROUTING chain instead. We will try to address this in the future if there is sufficient demand.

  • fixed #1516 policy importer for iptables should not use automatic ESTABLISHED rule. (See also SF bug 3012953). Policy importer for iptables always creates explicit rule to match ESTABLISHED,RELATED to make sure it goes into the same chain as the original rule. Also in the same fix, importer creates branch for iptables rules that match both regular service and state ESTABLISHED,RELATED. The service is matched in the main policy rule set, while ESTABLISHED,RELATED state is matched in the branch.

  • fixed SF bug 3015641 "imported REJECT rule changed during compile". Importer of iptables rules did not handle properly parameters of the REJECT target.

  • Fixed SF bug 3016779: Policy importer for iptables should understand module iprange

  • policy importer for iptables replaces --sport and --dport parameters of module multiport with --source-ports and --destination-ports to remove grammar ambiguity that arises from the use of the same parameters --sport and --dport by different iptables modules with different argument syntax.

  • fixed SF bug 3017084 "compiler adds extra quote characters to log-prefix string".

  • fixed #1544 "fwbuilder crashes during import of file with rtf formatting data". The fix should prevent crashes in other cases when import was unsuccessful.

Changes in libfwbuilder library

  • Added framework for creating data files with predictable and repeatable object IDs and references. This is used in unit tests so we can create data files that can be compared.

  • fixed missing class variable initialization in class CustomService

Changes common for all policy compilers

  • fixed #1631 "Process branch rule sets recursively". Policy compilers used to look only one level deep while processing branching rules. They should allow for arbitrary nesting and correctly avoid infinite loops if user creates looped branches. Compiler issues a warning when it detects looped branching. This fixes SF bug 3033462 "nested shared branch rules between servers not working".

Changes in support for iptables

  • fixed #1506 SF bug #3011516: generated iptables script tries to update ip addresses of unnumbered interface.

  • fixed #1523 "outbound ipv6 rule matching multicast ipv6 destination is not generated". The rule with network object fe80::/10 in source and ipv6 multicast ff00::/8 in destination did not produce corresponding ip6tables command. The change affects other cases with rules using broadcast or multicast objects that should be considered matching the firewall object.

  • fixed bug 3001228 "v4.0.0 iptables: NAT not creating interface addresses". Iptables script generated by fwbuilder used to include commands to configure virtual ip addresses for NAT only if option "configure interfaces" was turned on. Expected behavior is to generate these commands when option "Add virtual addresses for NAT" is turned on regardless of the setting of the option "configure interfaces".

  • Added support for iptables module "set" used to generate iptables command for rules with run-time AddressTable objects. This module is only available in iptables 1.4.1.1 and later, however some embedded platforms do not have it even though they ship later versions of iptables (e.g. OpenWRT). Use of this module is controlled by a checkbox in the iptables "advanced" settings dialog which is off by default. This checkbox becomes disabled when iptables version is set to < 1.4.1.1. Supporting shell functions are generated by the configlet run_time_address_tables. This includes shell function that checks if data files used by run time address tables objects are available, a function that loads these files if user activated use of the ipset module using checkbox, a function that checks if command line utility ipset is present and can communicate with the kernel module. This configlet is included in the script generated for all linux-based host os, even though most of them do not support module ipset. If ipset is not supported because iptables version is too old or the module is simply not available for the platform, user can just uncheck the checkbox in the firewall settings dialog and code generated by the configlet will support method of loading addresses from the file at run time based on script variables and a "while" loop.

  • Implemented support for mixed address lists for run-time address table objects using ipset module. Normally, one ipset set can either contain individual ip addresses or subnets. We create a "setlist" type set that includes two sub-sets, one for ip addresses and the other for subnets. Function reload_address_table in the configlet run_time_address_tables takes care of managing these three sets automatically. Address list file has the same format as for all other supported types of Address Table object: one address per line, subnets are defined using '/bitlength' or '/netmask' syntax, comments start with '#' or ';' character.

  • fixed #1640 "default policy when the script is stopped should be optional". The "stop" command used to be interpreted by the iptables script generated by fwbuilder in a way that it blocked all connections going to, from and through the firewall. Luc Paulin pointed out that this behavior is incompatible with other firewall management scripts, such as /etc/rc.d/init.d/iptables on Fedora Linux or ufw on Ubuntu, where "stop" means disabling the firewall. In v4.1 the "stop" command flushes all chains in all tables and sets default policy to ACCEPT. New command "block" does what "stop" used to do before, that is, flushes all chains in all tables and sets default policy to "DROP". The option to add a rule to permit ssh access from the management workstation when firewall is stopped now adds this rule when firewall script is run with "block" command instead.

  • fixed SF bug 3034628 "iptables does not allow target REJECT in mangle table". Iptables does not support target REJECT in mangle table. Added check to the policy compiler to make it detect this situation and issue an error.

  • fixed #1654 "Support for run-time Address Tables with empty file in iptables". This is an implementation of the same feature we already have for PF. If the file name in the configuration of the run-time Address Table object is blank, policy compiler generates firewall configuration that uses ipset with the name the same as the name of the object but does not generate code to load addresses from a file into it. All control of the ipset is left for the user.

  • fixed #1652 "support for adding single address to address table in the generated script". Generated iptables script now provides functions "add_to_address_table", "remove_from_address_table" and "test_address_table" that let administrator add or remove single ip address to a given address table. Functions take three arguments: set name, file name and address. Functions add and remove the address both from the set in memory and from the given file so that when firewall reboots and the script reloads the set, it is restored to the desired state. Another new function "test_address_table" is a wrapper around "ipset -T" command and tests if given address belongs to the set. All these functions take the name of the run-time Address Table object used to create sets as an argument and perform actual add, remove and test operations on the subsets created for ip addresses and subnets.

  • fixed SF bug #3038636 "@v4.1b, 'iptables v1.4.8: unknown option `--ra'"'. Ipv4options module has changed in iptables 1.4.3 and now accepts different set of parameters. Policy compiler generates new parameters if user set version in the firewall object dialog to "1.4.3 or later".

Support for PF

  • No changes for PF.

Changes in support for for Cisco IOS ACL

  • No changes for Cisco IOS ACL.

Changes in support for for Cisco ASA (PIX)

  • fixed #1491 fwb_pix crashes trying to compile simple rule. Compiler should check validity of the object used as network zone of an interface.

  • do not verify network zones of unprotected interfaces. Compiler does not allow the same object to be used as network zone of two different interfaces, which caused problems when a vlan parent interface has zone "Any". Vlan parent interface can not have ACLs attached to it and does not need any meaningful network zone, so "Any" is reasonable fill-in choice. However it coincides with network zone of the "outside" interface which triggered this check.

Support for HP ProCurve

  • No changes for HP ProCurve.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_4.1.1.html000066400000000000000000000111021303637203600232670ustar00rootroot00000000000000

Firewall Builder 4.1.1 Release Notes

SourceForge: Tickets for V4

What's new in V4.1.1 ?

This release includes fixes for a number of minor bugs as well as being the first release to officially support HP ProCurve ACL configuration. Thanks to a generous donation of several switches from Hewlett Packard we were able to test and finalize the ProCurve support. This release also fixes a critical bug in V4.1 related to Cisco IOS ACL configurations. Some configurations would cause Firewall Builder to incorrectly generate an error with the message "Can not find interface with network zone that includes address A.B.C.D.".

v4.1.1 has been tested, and we believe it to be ready for production use, but if you do find a bug or issue please let us know.

GUI Updates

  • Built-in policy installer now works with HP Procurve switches. Currently installer can only execute generated configuration lines one-by-one on the switch; installation method using scp that is available for Cisco routers is not supported yet. This has been tested with Procurve firmware K14.31 on ProCurve J9470A Switch 3500-24. Caveat: manager access should not be configured with user name (that is, no "password manager user-name foo")

  • fixed #1683 When user creates new firewall using snmp scan, fwbuilder will now guess and assign the type to interfaces that look like vlans for the given platform and host OS.

  • fixed #1683 class procurveInterfaces interprets interface "DEFAULT_VLAN" as vlan interface with vlan id 1.

Changes in support for iptables

  • fixed #1693 SF bug 3048516 "NAT rule with 'Use SNAT instead MASQ' doesn't work". NAT rule using combination of the option "Use SNAT instead of MASQ", dynamic address of an interface and source port translation produced iptables command with incorrect syntax.

  • see #1685 "iptables redirecting NAT rules in the OUTPUT chain". This fix makes it possible to create iptables NAT rule with target REDIRECT in the OUTPUT chain. The rule should have firewall object in OSrc and TDst rule elements.

  • fixed #1685 "iptables redirecting NAT rules in the OUTPUT chain". NAT rules should be allowed to translate from CustomService to TCP or UDP service, provided CustomService object is configured with matching protocol.

  • fixed #1686 "can not generate basic NAT branching rule". NAT branching rules were not generated in single rule compile mode because compiler needs information about targets used in the branch rule set rules to decide which chain the branching rule should be placed in. Now it will use PREROUTING and POSTROUTING in single compile mode but issue a warning.

Support for PF

  • No changes support for PF in this release

Changes in support for for Cisco IOS ACL

  • fixed #1690 "IOS ACL and Procurve ACL compilers fail because interfaces are not assumed to have network zone any anymore". Compilers for Cisco IOS ACL and Procurve ACL always assumed all interfaces have network zone "any". Recent changes made in 4.1.0 changed that and compilers stopped working for some rule configurations. This bug caused compiler to fail with error message "Can not find interface with network zone that includes address A.B.C.D"

Changes in support for for Cisco ASA (PIX)

  • No changes in support for PIX in this release

Support for HP ProCurve

  • fixed #1688 "Procurve ACL remarks should be in quotes if they include space"

  • fixed #1687 "temporary access list commands syntax is incorrect". Temporary ACL generated for the Procurve platform was incorrect.

  • Built-in installer has been tested and now works with ProCurve switches.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_4.1.2.html000066400000000000000000000344671303637203600233130ustar00rootroot00000000000000

Firewall Builder 4.1.2 Release Notes

SourceForge: Tickets for V4

What's new in V4.1.2 ?

v4.1.2 has been tested, and we believe it to be ready for production use, but if you do find a bug or issue please let us know.

GUI Updates

  • fixed #1703 "importing iptables line with module pkttype causes parser error". We do not have any object with the behavior closely resembling that of iptables module "pkttype" so the importer creates CustomService object with the code taken from the original iptables rule. SF bug 3065435

  • fixed SF bug 3049665 "Firewall Settings -> Output file name misses .fw extension"

  • fixed how we append suffix ".fw" to the name of generated script when it is preconfigured in the firewall settings dialog and already includes ".fw" suffix (it was added twice).

  • Fixed #1699 installation session status was reset from "failure" to "success" in a configuration where fwbuilder gui was running on Windows and talked to Cisco router using pscp.exe and plink.exe and ssh session failed because of authentication failure. This happened because plink.exe terminated with return status "success" even in case of authentication failure.

  • fixed #1724 . There was a problem with pscp.exe and putty sessions. Plink.exe accepts session name in place of the host name on the command line, but pscp.exe does not. We ask user to enter session name in the "alternative name or address to use to communicate with the firewall" input field in the "Installer" tab of the firewall settings dialog and then use it in place of the host name in the command line for pscp.exe and plink.exe. This works with plink.exe but breaks pscp.exe which interprets it as a host name and fails with an error 'ssh_init: Host does not exist'. The fix checks if what user entered in the "alternative host or address field" is a session name and uses different command line with pscp.exe

  • fixed #1715 "automatically expand new firewall and new host objects in the tree once they are created"

  • fixed #1732 "Double clicking on object with child objects should auto expand them". Double clicking on objects and folders in the tree expands and collapses them, as well as opens object in the editor.

  • fixed #1729 "double clicking a folder in the tree should expand it rather than open it in the editor".

  • fixed #1738 "Enable tooltips by default"

  • refs #1731 Change double-clicking on "Any" object behavior. Tooltip shown for the object "any" in rules says "to modify the rule drag and drop an object from the tree here" instead of attributes of the object "any". Double click on "any" in a rule does not try to open object "any" in the tree and editor panel.

  • fixed #1739 "remove 'tooltip delay' input form preferences dialog". Qt4 does not allow for changing tooltip delay.

  • fixed #1728 "Update Library drop down menu". Library drop down list shows an item "Object libraries:" at the top that can not be selected and that always stays on top as libraries are added, removed and renamed. The list always stays sorted in ascending order. Library names are indented by 2 spaces to make them visually distinguishable from the prompt item at the top. Implementation uses class ListOfLibrariesModel that inherits QStringListModel.

  • fixed #1740 "Deleted library remains in the drop-down list". If option "Show deleted objects" was turned off in the Preferences dialog and user deleted a library, it remained in the drop-down list of libraries and its object tree was still displayed in the object tree panel.

  • fixed #1741 "there is no way to undelete a library object".

  • fixed #1730 "Add background help text and images to empty policy window". Showing tooltip in the empty space in the rule set view, this tooltip provides hints on how to edit rules which should be useful for the beginners.

  • fixed #1743 "change default for the option 'Show text descriptions for direction and action'". The option should be on by default.

  • fixed #1744 "Add tooltip to the rule number". The column in the RuleSetView where rule number is shown now has a tooltip to remind the user that they can click right mouse button to open the context menu and use keyboard shortcut "x" to compile the rule

  • Added text to the tooltips shown for the "Direction" and "Action" rule elements to remind user that to change these rule parameters they need to click right mouse button to open list of possible settings

  • system folders in the tree now have tooltips that explain what kind of objects belong there.

  • refs #1737 Added "Quick Start Guide" tutorial that demonstrates basic features and key concepts of Firewall Builder. The tutorial is accessible via Help / Tutorials menu and is shown to the first-time user on the GUI startup instead of the "tip of the day" dialog.

  • refs #1748 "Add dialog about Standard Library when user creates first Service object". First time users will see an informational dialog reminding them about the Standard objects library when they create their first service object.

  • fixed #1745 "Remove path data from text above rules window that shows firewall name".

  • fixed #1746 "Force user to change interface name in New Firewall wizard". When user creates interfaces for the new firewall or host using manual method and clicks on the "+" button to add a tab for the new interface in the wizard page, the interface tab is created with blank name. Wizard later checks the name when user clicks Finish to create new firewall or host object and does not let them do this while interface name is still blank. Error dialog reminds that the name of the interface must match the name of the interface on the machine.

  • fixed #1733 "Add button for video tutorial link". Shortcut button "Watch Getting Started Tutorial" opens page with video tutorials in the standard browser.

  • added "placeholder" text to the interface name and label input fields. This text is displayed in greyed-out small font inside the input field but is cleared as soon as user starts their input. The text gives user a prompt as of what is expected in each input field and actual list of example interface names depends on the host OS chosen in the first page of the wizard. The "placeholder" text support is available only in Qt 4.7 and later so the code is conditional on the version of Qt.

  • fixed #1718 "Inspect generated files" dialog says "Multiple firewalls" even when there is only one

  • fixed #1751 "Don't allow interface names to be blank". The GUI should not allow the name of any object to be blank.

  • fixed #1759 "Use default template library" button seems to do nothing. This button should only be enabled if user switched to their own library of template objects. The button should be disabled if they switched back to the standard template library or never switched to their own one.

  • fixed #1757 Allow searching by attributes even after an object is dropped into the drop area in search panel.

  • fixed #1760 'Search by attribute "name" should search by name or label'. The first item in the list of attribute types available for search now reads "Name or label". Searching using this option matches the name or the label of object instead of just the name. Label is only defined for Interface objects.

  • fixed #1755 "hitting enter after editing search attribute in the Find panel should trigger search"

  • fixed #1753 "Set interface name hint based on firewall platform and host OS". The placeholder text in the interface name and label input fields in the new firewall wizard will depend on the host OS chosen in the first page of the wizard.

  • fixed #1761 "blank interface name is possible in new host wizard"

  • fixed #1763 Implemented basic facility for A/B testing within the GUI

  • fixed #1765, #1779 Move quick start guide to the web site. The "Quick Start Guide" is now part of the web site and the GUI only shows a dialog-invitation to watch it.

  • fixed #1776 once new firewall is created, automatically open its Policy

  • fixed #1767 improved UI in the new firewall and new host dialogs where user chooses file for the custom template library or uses standard template library.

  • fixed #1791 "Add preference flag to enable / disable the Custom templates button on the New Firewall Wizard". Use of the custom template library to create new firewall object is now optional, controlled by a checkbox in the "Object" tab of the global preferences dialog. New users will have this option turned off by default, however existing users will see it enabled for backwards compatibility.

  • fixed #1777 "scroll new fw object to the top of the tree view panel once its created". This has side effect in that some other operations that open an object in the tree will also scroll the tree to position this object at the top.

  • fixed #1778 "main menu Rules should have the same items that context RuleSetView menu when no rules are selected"

  • fixed SF bug 3039681 "context-menu items inconsistent for Single/Multiple rules". When several rules are selected in rule set, some context menu items should turn to plural.

Changes in support for iptables

  • fixed SF bug #3071667 "Compilation segfault with DNS address in NAT rule". Added rule processors to replace Run-time DNSName and Address Table objects in TSrc and TDst.

  • fixed #1705 "iptables (v >= 1.4.4) --set option deprecated ..." (SF bug 3059893) Option '--set' has been deprecated and renamed '--match-set' in iptables 1.4.4

  • fixed SF bug 3057503 "DNAT rule with dynamic IP has a white space, causing error".

  • fixed SF bug 3060325 "Address table object and prolog script conflict". Generated script should run prolog before checking and loading run-time address tables.

  • fixed #1707 "call function "prolog_commands" from the main iptables script part instead of function "script_body" when prolog should be executed after iptables reset"

  • fixed SF bug #3071667 "Compilation segfault with DNS address in NAT rule". Added rule processors to replace Run-time DNSName and Address Table objects in TSrc and TDst.

  • fixed #1714 "make checking for MODPROBE conditional". There is no need to check if modprobe utility exists on the firewall machine if it is not used by the script.

  • fixed SF bug 3077132 "no PREROUTING rule with *-Interface". Rules matching addresses of a wildcard interface (e.g. "ppp*") were not properly generated.

Support for PF

  • fixed SF bug 3061034 "ifconfig definition missing". Script generated for the ipfw firewall on Mac OS X missed definition of variable IFCONFIG.

Support for ipfilter

  • fixed #1702 "Wrong path in the activation script for ipfilter". Activation command embedded in the generated .fw script used local path to the generated .conf file on the machine where fwbuilder compiler was running.

Changes in support for for Cisco IOS ACL

  • No changes in support for IOS ACL in this release

Changes in support for for Cisco ASA (PIX)

  • fixed #1783 "PIX routing entries require interface, but PIX config will compile without interface in Routing rule". Policy compiler for PIX now checks that both "interface" and "gateway" rule elements are not empty.

  • Collection of template firewall objects now includes an object for PIX 50X (501 and 506)

  • using command "terminal width 256" to turn off ANSI commands in the PIX command echo.

Support for HP ProCurve

  • No changes in support for HP ProCurve in this release

fwbuilder-5.3.7/src/res/help/en_US/release_notes_4.1.3.html000066400000000000000000000227151303637203600233050ustar00rootroot00000000000000

Firewall Builder 4.1.3 Release Notes

SourceForge: Tickets for V4

v4.1.3 has been tested, and we believe it to be ready for production use, but if you do find a bug or issue please let us know.

GUI Updates

  • see #1823 "Add Preference option for Advanced / Power users". Added checkbox to the Preferences dialog, this checkbox turns off some tooltips that can be annoying for users who are sufficiently familiar with the GUI

  • see #1787 "new fw name input field should have focus when new firewall wizard opens"

  • code refactoring: see #1822 "refactor all GUI classes into libgui library and link executable with it"

  • code refactoring: see #1826 "Please place all unit tests in one directory". All GUI and other unit tests moved to the directory src/unit_tests

  • see #1809 "Add Firewall Setting in Logging settings for default log setting on new rules". Added a tab "Policy Rule" to the "Objects" page of the global preferences dialog; checkbox in this tab allows the user to choose whether new policy rules should be created with logging turned on or off.

  • See #1832, SF bug 3097419 "installer uses bare IP address instead of putty session name". It appears pscp.exe on Windows can use putty session name in place of the host name. This change restores old behavior where session name was used like that but does it for both plink.exe and pscp.exe. This only affects users who run fwbuilder GUI on Windows

  • fixed #1837 "generated script gets .fw suffix even when user set output file name". Suffix .fw should not be appended to the name entered by the user in the "output file name" input field in the firewall settings dialog.

  • Fixed SF bug #3106168 "Branch destinations lost when adding to cluster". Since the order in which I copy rule sets is undefined and because they may have references to each other via branching rules, I need to fix references after I create all of them.

  • Fixes #1858 'Remove "Summary of features" page from the package' and #1857 'Remove "Getting Started" guide from the package'. We have decided to keep documentation and other content like this on the web site. Button "Watch Getting Started Tutorial" in the Tip of the Day dialog opens tutorial hosted on the web site in a web browser.

Changes and improvements in the API library libfwbuilder

  • added module uint128 (128-bit arithmetic by Evan Teran). Implemented basic operations with ipv6 addresses using this module. See #1834. Now all policy compilers can correctly compare ipv6 addresses used in rules with ipv6 addresses of interfaces. This helps perform various optimizations and fixes issues with the algorithm used to pick the right interface for the Cisco IOS ACL compiled from a policy rule with an empty "interface" rule element and direction "both".

Changes and improvements in the library of standard objects

  • added ICMPv6 object "parameter problem" (type 4, any code) per SF feature request 3094743. Also added service group object "ipv6 unreachable messages" that includes ICMPv6 messages "destination unreachable", "packet too big", "parameter problem" and "time exceeded" per SF feature request 3094758

Changes in support for iptables

  • fix for the SF bug #3095615 "reopen no PREROUTING rule with *-Interface - ID: 3077132". Configlet used wrong shell variable to access ip address of a wildcard interface.

  • fixed #1820 "skip module "nf_conntrack_ipv6" if generated script has no ipv6 rules" Shell function load_modules should not try to load module nf_conntrack_ipv6 if generated script does not load any ipv6 rules. Loading this module fails if ipv6 has been disabled in the kernel.

  • fixed SF bug 3091069: "Routing configuration failed". Iptables script generated by fwbuilder did not configure broadcast when it added ip addresses to interfaces. Using "ip addr add ADDR/NM broadcast + dev INTF" syntax to do this.

  • implemented SF feature request 3094738 "Set the HL to 255 for IPv6 Neighbor Discovery". Neighbor discovery packets must have hop limit of 255 per RFC 2461. Automatically generated rules that match neighbor discovery packets will match hop limit 255.

  • fixed SF bug 3094273 "no state needed for ipv6-icmp in ip6tables". Rules that match ICMPv6 objects should be stateless. Compiler will check for this and reset "stateful" flag of a rule and issue warning if the rule was built stateful in the GUI. This could be version-dependent, we may need to revisit this in the future when netfilter fixes the underlying issue. Some resources: https://bugzilla.redhat.com/show_bug.cgi?id=243739 https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/479105

  • fixed SF bug 3090249 "fwb_ipt ignores -d option ". Documented behavior is for the compiler to create files in the directory specified by the argument of the "-d" command line flag. If flag "-d" is not provided, files should be created in the current directory.

  • fixed #1824 "should not try to verify wildcard interfaces".

  • fixed #1838 "function configure_interfaces() does not manage ip addresses of vlan interfaces". This function used to take into account only interfaces that were direct children objects of the firewall. Since vlan interfaces are children of the corresponding physical interface, they were not included.

  • fixed SF bug 3103582 "Cant create redirect rule in cluster firewall object". Iptables nat rule with target REDIRECT could not be built in a cluster configuration. It should be possible to do this by putting cluster object in Translated Destination.

  • fixed #1856 "Permit '-' in Linux interface names". OpenWRT uses name "ppp-dsl" for PPPoE interfaces. In addition to that, Linux bridge interfaces may have names with a "-" such as "br-lan". We will now permit a "-" in Linux interface names.

Support for PF

  • fixed #1807 "wrong order of address assignment in the generated OpenBSD/PF/CARP cluster configuration". Need to assign ip addresses to regular interfaces before trying to assign them to carp interfaces.

Support for ipfw

  • fixed #1836 "installer hangs and fails after activation of ipfw policy". As soon as .fw script swapped ipfw sets using command "ipfw swap" and deleted temporary set 1, ssh session would hang and eventually break. We optionally add ipfw rules to permit ssh session used to manage the firewall, as well as a rule to permit reply packets but the latter rule was not built correctly. It should match source and destination reversed, as well as match keyword "established" and recreate state with "keep-state". This rule automatically recreates state for the established ssh session over which firewall policy is being managed. Also added a comment to the firewall settings dialog for ipfw to remind the user that address or subnet they use with this automatic rule should be as narrow as possible.

Changes in support for for Cisco IOS ACL

  • see #1834 Fixed matching algorithm that determines which interface a rule should be associated with for Cisco IOS ACLs. Previously compiler did not compare subnets properly and because of that it interpreted some configurations incorrectly. For example in the case with a network object 10.0.0.0/8 in "source" and an interface with address 10.0.0.1/24 (network should not be considered matching) compiler considered this interface matching and assigned the rule to the interface only with direction "inbound".

Changes in support for for Cisco ASA (PIX)

  • There are no changes in the support for ASA in this release

Support for HP ProCurve

  • There are no changes in the support for HP ProCurve in this release

fwbuilder-5.3.7/src/res/help/en_US/release_notes_4.2.0.html000066400000000000000000002251761303637203600233110ustar00rootroot00000000000000

Firewall Builder 4.2.0 Release Notes

SourceForge: Tickets for V4

Summary

This release brings significant improvement in compile time on large object trees. The speed-up is especially noticeable in single rule compile where the time before generated firewall configuration appears in the GUI shrank by up to a factor of 10.

This release adds interfaces to the NAT rule model. There are two interfaces per NAT rule: "inbound interface" and "outbound interface". DTD version changes to "18", old data files need to be upgraded. Inbound and outbound interfaces in NAT rules are supported for iptables, ASA/PIX/FWSM and PF, but in the case of PF GUI exposes only one interface to the user since PF commands can not match two interfaces simultaneously.

This release adds support for ASA 8.0 - 8.3 configuration generation, including named objects and "new" style nat commands in ASA 8.3

This release comes with numerous improvements in support for FWSM 2.x, 3.x and 4.x configuration generation.

This release implements import of PIX, ASA and FWSM configurations. Host name, version, interface configuration, object groups, named objects, access lists as well as commands "global", "nat" and "static" can be imported. There is no support for import of the "new" ASA 8.3 "nat" commands just yet. Also there is no support for import of standby configuration, which means PIX clusters can not be created automatically by importing existing configuration.

This release adds ability to generate initialization script in rc.conf format for FreeBSD. Only FreeBSD is currently supported (not OpenBSD). Generated script includes variables to configure interfaces and their IPv4 and IPv6 addresses, vlans, CARP and pfsync interfaces, as well as variables that initialize PF.

This release adds ability to automatically detect firewall platform from the format of the imported configuration file. Import is supported for iptables, Cisco IOS or Cisco ASA/PIX/FWSM. The program detects firewall platform, version and host name (if possible) from the contents of the configuration and shows platform-specific warning to explain what parts of the config can and can not be imported. Importer wizard has been reimplemented using QWizard and QWizardPage classes and its workflow significantly improved.

Starting with this release the program can optionally re-use existing objects from both Standard Objects and user-defined libraries when it imports existing firewall configuration. This works for any firewall platform for which we support policy import. Objects are matched by attributes such as address, netmask, port etc. Object name and comment are not taken into account. Importing the same configuration file twice creates two firewall objects with the same interfaces and rules but re-uses address and service objects created on the first import.

Deduplication algorithm is as follows:

  • ASA/PIX/FWSM configuration import:

    ASA configuration language supports named objects and object groups. On import, fwbuilder creates objects and groups with the same names and uses them in rules. Objects created from in-line address/netmask and port specifications found inside object-group, access-list, filter or nat commands are considered "anonymous" objects. These get automatically generated names and are deduplicated using only their relevant attributes but not names. Objects created from PIX named object ("object network foo", "object service bar") statements are considered "named" objects. They get the name matching the name in corresponding PIX config line and are deduplicated using both relevant attributes and the name.

  • iptables:

    Fwbuilder can only import iptables configuration saved with "iptables-save" command. This format does not support variables or named objects, therefore all objects created from address and port specifications are "anonymous" and get automatically generated names. They are deduplicated using their address, netmask, port numbers and other relevant attributes but not their names.

TCP and UDP service objects in fwbuilder that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

GUI Updates

  • fixed #1872: "vlan interface does not appear in the list of interfaces for route-to action for PF".

  • context menu item that opens object in the editor should be named "Inspect" when the object is read-only because the editor would not allow the user to change it.

  • fixed #1926 "Crash when moving object in Standard library". Context menu item "Move" should be disabled when the object is located in the read-only library.

  • see #1976 "Crash when deleting firewall object from rule after export / import library" Crash occurred as the result of the following sequence of actions in the GUI: 1) use context menu item "Cut" to delete an object in the tree, 2) open object group or rule and use context menu item "Paste" to add it, 3) export library to an external file, 4) import this library into different data file, 5) save the data file. Saved data file is invalid XML since it has unsatisfied reference and some operations on it cause crash. The problem is that since it is a reference to the object that is being added in case of both groups and rules, we end up with a group or rule with a reference to an object that is located in Deleted Objects library. Deleted Objects library is not included when a library file is merged into data file and this leads to a dangling reference. The fix is to not allow Paste if object in the clipboard has been deleted.

  • see #1980 "Objects from Deleted Objects should not be allowed to be used in rules". Added checks to not allow drag-and-drop of an object from Deleted Objects library into rules and groups.

  • see #1994 "Crash when compiling a firewall in an imported Library". To prevent crash, added check to make sure firewall object is not read-only before an attempt to update its "last compiled" or "last installed" timestamp.

  • fixes #1993 "V4.2 on Windows - export Library shows the file type as Firewall Builder 2"

  • fixes #1992 " V4.2 on Windows - installer error can't find Secure Shell utility"

  • fixed #1989 "variables respath and librespath are redundant and copy Constants::getTemplateDirectory()". Got rid of global variables sysfname, tempfname, librespath, respath and localepath; will now use class Constants to keep this information.

  • fixes #1998 "Crash after running find-and-replace then closing file". Specific sequence of actions and only on Mac OSX caused GUI to crash. To fix, I clear editor panel when user closes project window using MDI window title menu item "Close" or "Close" button.

  • see #1996 "Crash when finding and replacing a large number of objects". When "find and replace" function was used to replace large number of objects in a rule set, it generated stream of calls to updateLastModifiedTimestampForAllFirewalls() which caused corresponding stream of events to update various parts of the GUI, both in the tree and rule set views. This caused weird corruption and crash on Windows. Trying to resolve the issue by optimizing the part that updated "last modified" timestamp on the firewall since all parts of the rule set updated in one call to "find and replace" function belong to the same firewall.

  • fixes #2000 "New dialog window in New Firewall wizard for ASA / PIX - Network Zone explanation". Added page to the new firewall wizard to let the user configure network zones of interfaces when chosen firewall platform supports network zones (only PIX/ASA right now).

  • fixes #1983 "ASA multiple interfaces have the same security level". Using table widget with spin-boxes to let the user edit security levels of interfaces conveniently.

  • see #2006 "Crash when closing editor panel with find-and-replace". The GUI crashed if user tried to close editor panel at the bottom after closing objects+rules panel and while some object was still displayed in the editor.

  • See #2015 "Add support for setting names of generated .fw and .conf files separately for PF". Added second input field in the "advanced settings" dialog, tab "Compiler" for the firewall platform "PF". Now user can set the name for both the generated .fw initialization script and .conf PF configuration file, as well as names for both files on the firewall. Support for this is generic and the same functions work for other platforms if corresponding input field in the dialog exists. The name of the initialization script is set as follows: 1) if user provided -o command line switch to the compiler, its argument is used. 2) if -o switch was not present but the name was configured in the firewall settings dialog, it is used. 3) if none of them were present, the name is constructed from the name of the firewall object with suffix .fw. The name of the .conf PF configuration file is taken from the settings dialog, but if it is blank, then it is constructed from the name of the initialization script but with suffix .conf.

  • fixes #1914 "Address table object file name is not created properly if user clicks outside Editor panel"

  • fixes #1915 "tooltip shown when mouse is over rule number should be added to the list of suppressed tooltips when 'Advanced user mode' is in effect"

  • fixes #2064 "CARP interfaces are not properly installed on FreeBSD cluster". I need to populate failover group objects with some reasonable defaults when they are created.

  • fixes #2067 "Add way to show interface label in object tree". The tree now shows interface name and label if the label is not empty.

  • fixes #1979 "New firewall created with Cisco c36xx template results in network object in interface column in Policy"

  • fixes #1895 "Add context menu option to expand all child nodes in object tree". Added menu item "Expand" to the context menu associated with all objects in the object tree. This item recursively expands all tree nodes under the given object and automatically changes to "Collapse" if the item is expanded. Also changed behavior of the double click on the object in tree: before, double click opened object in the editor and expanded or collapsed subtree. Now it only opens object in the editor but does not expand/collapse subtree.

  • see #2103 "complex vlan/bridge configurations are not supported by the interface validation code". Added checkbox to let the user turn off interface name validation functions in the GUI. Checkbox is located in the global Preferences dialog, tab Objects, subtab Interface. For backwards compatibility, the checkbox is turned on by default. When it is off, the GUI does not validate the name of interfaces and subinterfaces and turns off checks that enforced interface name patterns for VLAN, bridge and bonding interfaces. It also turns off check for the validity of vlan ID derived from vlan interface name and turns off automatic configuration of interface type and vlan ID. These checks sometimes were in the way of building complex configurations that involved multiple vlan interfaces with names not matching their IDs. This also fixes SF bug #3066714 "please dont stop me from creating a new interface" where user wanted to create interface "veth201.0" on Linux but the GUI blocked this operation because the name seemed to match vlan interface pattern.

  • fixes #2099 "Object list scrolls up to the last edited object". Object tree used to scroll spontaneously when user started dragging an object from it to a rule.

  • fixes #1971 "Address range can be created with end address lower than start address". Address Range object dialog should not let the user enter range end address which is lower than range start address. Dialog behavior is now similar to the behavior of the tcp and udp service dialog where user can not enter port range end number lower than port range start number.

  • fixes #1678 "When creating a firewall from template it appears that a default template is selected". When user arrives at the page where they choose template to create new firewall object from, the first template should be automatically selected.

  • fixes #2135 "Editing table objects". Dialog of the AddressTable object now offers button "Edit" that lets the user edit address table file. This only works if the file is located on the same machine where the GUI is running, so it is probably most useful for compile time objects.

  • fixes #2139 "Provide "Cancel" button if Address Table file is read-only". If the file configured with Address Table object is read-only, the GUI shows warning when user clicks "Edit" button and offers a choice: open it for viewing read-only or cancel.

  • see #2140 "Attempting to create new Address Table file results in read-only error". Implemented support for the workflow when user wants to create the file used to feed addresses to the Address Table object.

  • see #2047 "Inspect generated files button shows different path information". Do not pass full path to the output file as an argument of the "-o" option when the GUI launches policy compiler. Since the "-d" option passes directory path where files should be saved, actual file names do not need to be absolute path, except if the user entered absolute path for the output file name in the firewall settings dialog.

  • see #2153 "Add Network Zone explanation and selection dialog to ASA/PIX import". Wizard shows additional page when user imports PIX/ASA config. This page explains concept of network zones and offers UI to let them choose network objects or groups as a network zone of each interface.

  • fixes #2156 "After import the firewall should be opened in object tree".

  • see #2163 code that imports addresses from a file in /etc/hosts format moved to its own wizard; using QWizard and QWizardPage classes with correct implementation of page sequencing and validation; old discovery druid has been disabled. SNMP discovery and ios/PIX/iptables configuration import will move to their own wizards later.

  • fixes #2203 "Crash when attempting to add an object to a locked group".

  • fixes #2201 "Some fields of locked object are editable". Some input fields of the Custom Service object dialog were editable even when object was locked read-only.

  • fixed SF bug 3238026: build failure on systems without net-snmp development libraries.

  • see #2226 fixed GUI crash that happened when user tried to delete or cut an object from locked library.

  • fixes #2307 "GUI switches to another file after editor panel is closed"

  • see #2286 "Crash when closing file". The GUI crashed if user imported iptables or PIX configuration, then deleted a rule and tried to close project window.

  • see #2171 "Undoing delete of rule ends up with rules being created with duplicate rule numbers". Also see #2172 "Crash when deleting rule - related to #2171". When user deleted the last rule in a rule set, then used Undo to restore it, the program lost track of rules in the rule set and became unstable.

  • see #2335 "GUI switches between data files upon closing editor panel". If user opened two data files in the GUI and was in the process of editing objects in one of them, the GUI would flip to the other file under certain circumstances.

  • see SF bug 3211769 "Member interfaces not sorted". Sorting interfaces by name in the dialog where user adds them to the cluster member group.

  • fixed #2287 "Show text description in rule columns" does not persist across sessions

  • see #2229 "Multiple new objects with the same name". The GUI should automatically choose unique object names for new objects.

Changes in command line tool fwbedit

  • see #2328 "Add ability to run firewall import from the command line". This has been implemented as a new function "import" in fwbedit. See man page fwbedit(1) and "fwbedit -h" for more details.

  • Starting with v4.2.0, fwbedit.exe is now part of the Windows package

Changes in policy importer for all supported platforms

Changes that affect import for all platforms

  • see #1931 "Update failed import behavior". Added meaningful error messages for when policy importer fails to create firewall object or does not create interface objects or any rules.

  • see #2161 "import workflow and automatic detection of firewall platform from the config file". When user imports existing firewall configuration, the GUI automatically detects firewall platform from the format of the config file and shows platform-specific warning to explain what parts of the config can and can not be imported. It also detects firewall host name where possible (currently Cisco IOS and ASA/PIX). Importer wizard has been reimplemented using QWizard and QWizardPage classes and its workflow significantly improved.

  • see #2162 menu item "File / Import Policy" renamed to "File / Import Firewall". This menu item launches wizard that imports existing iptables, Cisco router IOS or Cisco PIX/ASA config.

  • see #2183 "count errors and warnings generated by the importer and show the numbers in the progress page of the wizard". Configuration import wizard now shows counters of warnings and errors generated by the importer.

  • see #2189 Policy importer warnings and errors now include line numbers to help find relevant lines in the original configuration file.

  • see #2189 Program adds the file name and the line number to comments of policy and nat rules it creates during import.

  • fixed #1548 "Object de-duplication during import process". Also SourceForge 3030072 "remove duplicates during any import". Now the program can optionally re-use existing objects from both Standard Objects and user-defined libraries when it imports existing firewall configuration. This works for any firewall platform for which we support policy import. Objects are matched by attributes such as address, netmask, port etc. Object name and comment are not taken into account. Importing the same configuration file twice creates two firewall objects with the same interfaces and rules but re-uses address and service objects created on the first import.

  • see #2253 "importer should not creates objects while still in the middle of the wizard". Importer wizard creates new objects in the object tree only when user clicks Finish and abandons results if they click Cancel.

Fixes and improvements in import of iptables configurations

  • see #2190 "support for import of branches in NAT rules for iptables". Implemented import of NAT rules in user-defined chains for iptables, these translate into branching NAT rules in fwbuilder.

  • see #2196 "iptables nat rules with target REDIRECT not imported". Iptables NAT rules with target REDIRECT were not imported correctly.

  • fixes #2195 "incorrect iptables import of nat rule with NETMAP target"

  • see #2194 "iptables import problem with SNAT rule translating to an address range". NAT rules translating into address range with "-j SNAT --to-source 192.168.1.1-192.168.1.10" did not import correctly

  • see #2197 "iptables nat rules in chain OUTPUT not imported correctly"

  • see #2202 importer for iptables creates Custom Service object to match combination of states it does not recognize. This includes "NEW,ESTABLISHED".

  • see #2336 Importer for iptables recognizes version stored in the top comment by iptables-save and sets version in the firewall object it creates.

  • see #2206 iptables commands with no "-j TARGET" parameter should be imported using action "Continue".

  • see #2338 "Empty Mangle Policy object created on import". iptables rules in the table 'mangle' will be imported in the dedicated Policy rule set with name "Mangle". Rules that use chains FORWARD and POSTROUTING in table 'mangle' can not be reproduced and will be marked as "bad" (color red and corresponding comment).

  • see #2275 Importer for iptables now correctly handles both "intrapositioned" ("-s ! address") and "extrapositioned" ("! -s address") negation.

  • see #2245 fixed bug in parser for iptables that prevented correct import of iptables rules using module "multiport" with port range matches.

Fixes and improvements in import of Cisco IOS configurations

  • see #2248 implemented import of Cisco IOS and PIX/ASA service configurations using port operation "neq". Since the object model in fwbuilder does not provide direct support for a "port not equal to" expression, this configuration is converted into two tcp or udp service objects with port ranges extending below and above the specified port, and these two service objects are then placed in a group.

Fixes and improvements in import of Cisco ASA/FWSM configurations

  • see #2161 policy import wizard shows the page where user can set up network zones of interfaces if firewall platform was determined to be PIX.

  • see #2152 "ASA Import - shutdown interfaces". Importer recognizes and skips ASA interfaces in "shutdown" mode.

  • see #2248 implemented import of Cisco IOS and PIX/ASA service configurations using port operation "neq". Since the object model in fwbuilder does not provide direct support for a "port not equal to" expression, this configuration is converted into two tcp or udp service objects with port ranges extending below and above the specified port, and these two service objects are then placed in a group.

  • see #2268 updated list of named TCP and UDP ports recognized by the importer for Cisco ASA.

  • see #2277 "Create policy objects for ASA access-lists that are not applied in an access-group". Policy rule set will be created and populated with rules found in the corresponding access-list even if this access-list is not applied to an interface with access-group command.

  • see #2164 fixed import of "ssh" commands and added import of "http" commands for ASA/PIX/FWSM

Changes in the built-in policy installer

  • see #2039 "Installer reports success even if pfctl can't load config file". Added more pfctl error messages to the list to make code more robust.

  • fixes #2049 "Installer reports success even if there was an error while creating static routes". Added our own error message generated when command used to add static route fails to the list of error messages recognized by the installer.

  • fixes #2037 "If there is an error when compiling firewall then installer should be aborted". Compile/install wizard should disable "Next" button after compile phase is done if all firewalls failed to compile with no errors.

  • fixes #2061 "Installer shows success for failed installed on FreeBSD due to corrupt script file". Added a bunch of common shell error messages to make sure the installer recognizes them and marks the install as a failure even if ssh fails to pass the termination code.

  • fixed SF bug 3169045: "Batch installer lists IPv4 address as management address". The "summary" display in the installer progress log output will now show putty session name if it is used instead of the management address.

  • see #2073 "Add additional information or workflow when no management inferface configured". The error message shown to the user when no interface has been marked as "management" is now more verbose and provides instructions on how to do this. Also, if the user provided an alternative address to be used to communicate with the firewall, the check for the management interface is not performed since it is not needed.

  • see #2088 "Installer caches putty session". Need to initialize putty_session properly and clear it in clear().

  • fixes #2129 'deprecate "test install" function'. We have decided to deprecate test install because it is rather heavy-handed on Linux and PIX where it reboots the firewall and plain does not work on *BSD.

  • see #2239 Added variable "firewall_name" to configlets that define commands installer runs on the firewall to activate new policy (all platforms).

  • updated filesystem path on FWSM where fwbuilder built-in installer should place generated configuration when it is installed using scp. Currently using path "disk:".

  • see SF bug 3212988 "external script makes getopt difficult". User-defined parameters for the external script moved to the end of the command line.

Changes and improvements in the API library libfwbuilder

  • see #1972 Separated object creation and initialization. Some complex objects need to create a set of standard child objects. Previously this was done in a special type of constructor which required pointer to the object tree root (FWObjectDatabase*). This created problems with implementation of the method to register functions that create objects of new types outside of the API. Now all objects have just a basic set of constructors, plus method init() that can initialize them.

  • see #1972 implemented mechanism that allows me to register new object types created and used outside of libfwbuilder API. This means FWObjectDatabase can then copy and manipulate object trees that use these new object types.

  • fixes #1937 "RES_DIR macro is defined twice". Got rid of duplicate definition of this macro.

  • see #1985 added virtual function updateNonStandardObjectReferences() that is supposed to update any references to objects stored as attributes.

  • fixes #1997 "add removeRef and addRef methods to class NATRule". Now undo and redo correctly remove and restore references to NAT rule sets in NAT rules with action Branch.

  • fixes #1991 "Undo does not restore object as a parameter of policy rule action Branch or Tag after it was deleted deleted". Now Undo restores references to rule sets and tag services as arguments of corresponding policy rules, as well as references to objects configured as interface network zones.

  • fixes #1987 "Deleting object that is used as Network Zone for ASA/PIX interface results in inconsistent behavior". When an object that is used as a network zone of an interface is deleted, it should be removed from the interface configuration as well.

  • fixes #1995 "Crash when compiling a cluster with identical firewalls". Method Cluster::init() must call base class method Firewall::init() to get child Policy, NAT and Routing objects created.

  • See #2084 "snmp discovery takes forever on devices with large routing tables". This takes a very long time on devices with large routing tables. This code was implemented a long time ago and apparently routing data was intended to be used to discover "external" interfaces, but it is unclear if this is still done. The concept of external/internal currently exists only for platforms that support security levels (PIX), and there we guess levels by matching addresses against RFC1918 and let the user adjust levels manually anyway.

  • see #133 Added interfaces to the NAT rule model. There will be two interfaces per NAT rule: "inbound interface" and "outbound interface". DTD version changes to "18", old data files need to be upgraded.

  • see #2126 Using snmp sysDescr OID to guess version of the new firewall when it is created using snmp polling.

  • fixes #2209 "do not allow the same object to be child of different objects in the tree". Method FWObject::add() enforces this. Subsequent clean-up and fixes in many places to follow this logic. This makes code much cleaner, better organized and more reliable.

Changes and improvements in the library of standard objects

  • #2083 Added new services to the Standard Objects Library: rtmp, xmpp-client, xmpp-server, nrpe

common changes that affect policy compilers for all platforms

  • fixes #1920 "Setting host interface to unnumbered after it has been assigned IP address doesn't have desired effect". The compiler still used IP addresses that belonged to the interface even after it switched to "unnumbered". These child address objects should be ignored.

  • fixes #2124 "some error messages get multiplied when compiler splits rules". Under certain circumstances error messages could appear multiple times in the generated script.

  • see #2204 "Shadowing detected for rule with action Continue". Policy rules with action "Continue" should not shadow other rules and can not be shadowed.

  • see #2207 fixed memory leak in policy compilers. The impact of this leak was especially severe on Windows with very large object databases.

  • see #2212 "Performance improvement in compilers". This change brings significant improvement in compile time on large object trees. The speed-up is especially noticeable in single rule compile where the time before generated firewall configuration appears in the GUI shrank by up to a factor of 10.

  • sorting objects in rule element after cluster interfaces have been replaced, this helps ensure stable ordering of objects in generated configuration.

  • sorting objects in the rule element by name after group is expanded, this helps ensure stable ordering of objects in generated configuration.

Changes in support for iptables

  • fixed #1879 "gui crash". Both GUI and fwb_ipt crashed trying to compile a rule with action Branch that was not configured to point to any rule set.

  • fixed SF bug #3102044 "Colon in (runtime) Address Table name". Variable used to process addresses in the run-time address table should not use character ":" even if it appears in the Address Table object name.

  • fixes #1999 "log() does not work". Using the built-in utility "command" to verify that all the tools the generated script needs to function properly are available and can be accessed either via a direct full path or through the PATH variable. This includes the check for the logger tool that is used to make a log record when the firewall is activated.

  • see #2097 #133 "support for inbound and outbound interface columns in iptables NAT rules". This also addresses SF feature requests 1954286 "DNAT with interface as condition not possible" and 621023 "manipulating interface in NAT rule".

  • fixes #2008 "option "--physdev-out" is not allowed in OUTPUT chain". After this change, compiler avoids INPUT/OUTPUT chain if interface in the rule column "Interface" is a bridge port and firewall is bridging firewall (which means we are going to use --physdev-in or --physdev-out option for this rule).

  • see #2170 "Compiler should generate error for invalid iptables NAT configs". Now that we allow the user to specify inbound and outbound interfaces in iptables NAT rules, compiler should verify that combination of requested "-i" and "-o" interfaces is in fact valid. For example iptables does not allow "-o" interface spec with rules that go into PREROUTING chain (DNAT rules) or "-i" interface spec with rules in POSTROUTING chain (SNAT rules).

  • see #2181 "Update iptables importer to detect inbound & outbound interfaces in NAT rules". Importer can now import nat rules with "-i" or "-o" interface spec.

  • see #2230 the GUI should allow limit-burst values of up to 10000

  • SF bug 3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are added automatically to IPv6 Linux firewall to permit neighbor discovery packets should be also added to the FORWARD chain if the firewall is a bridge.

  • see #2324 "NAT + MAC-matching rules not generated properly". iptables NAT rules matching a group of host objects with both IP and MAC addresses each in "Original Source" were not generated properly.

  • see #2235 "Modified rule action for Continue". Rules with action "Continue" should translate into iptables commands without "-j TARGET" parameter. If such rule also has logging enabled, it should use target "-j LOG" instead of generating additional chain.

  • see #2359 "Crash when compiling single rule with IPv6 destination and IPv4 gateway or interface". Routing compiler for iptables does not support ipv6 at this time and will issue a warning when user tries to place ipv6 address or network in a routing rule. The warning does not appear when ipv6 address is a member of a group used in the rule. Also see #1575.

Changes in support for PF (FreeBSD, OpenBSD)

  • see #1890 "Add support for configuring static routes on BSD". Implemented support for simple static routing rules. ECMP and routing via interface (routing to directly reachable subnets) are not supported. Generated script preserves static routing entries that existed before and attempts to recover in case of error.

  • see #1888 "Add option to generate rc.conf.local file for BSD systems". Added the ability to generate an initialization script in rc.conf format for FreeBSD. Only FreeBSD is currently supported (not OpenBSD). The generated script includes variables to configure interfaces and their IPv4 and IPv6 addresses, vlans, CARP and pfsync interfaces, as well as variables that initialize PF.

  • fixes #2026 Compiler can now generate static routing configuration in rc.conf format for FreeBSD.

  • fixes #2032 "support for DHCP interfaces in rc.conf mode". Include dynamic interfaces in the list of interfaces the generated script manages when the script is in rc.conf format. This adds lines similar to 'ifconfig_em0="DHCP"'.

  • fixes #2038 "pfctl error when firewall settings include scrub option for reassembly". Command "scrub all reassemble tcp" does not allow direction. Tested and verified on OpenBSD 4.2 and FreeBSD 8.1

  • see #1889, #2043 Added support for bridge interface configuration in BSD.

  • fixes #2054 "Add support for load anchor PF command". Instead of loading anchors using "pfctl -a anchor -f file" command in the .fw initialization script, now generated PF configuration uses "load anchor" commands in the pf.conf file. This way, we can load anchors correctly when PF configuration is activated from the generated rc.conf.local file where only one pf.conf file can be referenced.

  • fixes #2042 "add configlet and shell functions to manage bridge interfaces via shell script on OpenBSD and FreeBSD". Bridge interfaces are managed incrementally, that is, the script creates and destroys them as needed, then adds or removes bridge ports, to bring bridge configuration in sync with what is defined in fwbuilder GUI.

  • fixes #2065 "activation commands on FreeBSD and OpenBSD lose script exit status". The sequence of commands run by the built-in installer on *BSD firewalls was losing the exit status of the script, which meant the installer always declared the installation a "success" even when there were errors.

  • fixes #2066 "Existing VLAN interfaces are not properly removed from FreeBSD and install script fails"

  • fixes #2069 "PF: allow multiple objects in ODst of redirecting nat rule". This fixes SF bug 3162862 "NAT - more than one object in original destination"

  • fixes #2071 "vlandev missing in the vlan definition (when using rc.conf.local )"

  • fixes #2058 "Ability to configure mtu and metric of regular interfaces". "Advanced settings" dialog of the interface object provides controls to configure MTU and possibly add any additional ifconfig parameters. This is available for OpenBSD and FreeBSD.

  • see #2078 added verbose error message in a situation when "ifconfig carp0 create" command fails to create CARP interface.

  • see #1867 "PF: rule with non-terminating action Tag shadows other rules below it". Since action Tag is non-terminating, rules with this action should not shadow other rules.

  • see #2074 On FreeBSD ifconfig does not understand parameter carpdev

  • fixes #1866 "support for pf option set state-policy", #1868 "support for pf option set block-policy", #1869 "support for pf option set debug".

  • fixes #2092 option "stp" should be optional in the ifconfig command that builds bridge interface for FreeBSD. The dialog provides checkbox "Enable STP", parameter "stp" will be added to the ifconfig command only when the checkbox is turned on.

  • fixes #2091 "ethernet interface options a used twice if the interface is a bridge port". When an interface appeared twice in the firewall configuration, such as when it is used as a bridge port and vlan parent interface, options configured for it in its settings dialog were added twice to the generated configuration.

  • see #1871 "PF Actions Tag and Classify can be terminating or non-terminating". Added checkbox to the action properties dialog for actions Tag and Classify for PF that lets the user choose if these actions should be terminating or not. Old behavior (Tag was non-terminating and Classify was terminating) is reflected in default settings of the checkboxes. Terminating rules generate "pass quick" commands, while non-terminating rules generate "pass" commands (no "quick" option).

  • see #1807, #2104: arrange interface configuration commands in the generated script in such order that bridge and carp interfaces are configured after all other interfaces are done.

  • see #2105: generated script now supports vlan interfaces with names that do not match vlan IDs (OpenBSD, FreeBSD, shell script format).

  • Making sure we print "ifconfig" commands for mtu and other parameters for all interfaces, including those with no ip addresses and bridge ports (unnumbered interfaces used to be skipped before)

  • fixes #2100 carp password should be optional parameter

  • fixes #2096 added support for negation in Interface column for PF NAT rules. Sets of interfaces are converted to complementary sets using complete list of interfaces of the firewall.

  • fixes #2095 added support for groups and multiple objects in column "Interface" for PF NAT rules. These translate into { em0 em1 em2 } groups in generated pf.conf lines.

  • fixes #2101 "CARP interfaces are set with same advskew". When a new PF cluster is created, the master advskew parameter will be set to 10 and the backup to 20 to make it deterministic.

  • fixes #2116 "When CARP interface IP address can't be assigned error or warning should appear". The problem actually affects any type of interface. Generated script should abort with an error termination code when ifconfig fails to assign IP address to an interface.

  • fixes #2117 "CARP interfaces in cluster that use VLAN interaces have no interface set to MASTER". When a PF cluster configuration was built using vlan interfaces of member firewalls, CARP interfaces were not properly configured with the master/slave choice the user makes on the first page of the new cluster wizard.

  • see #2143 "installer should run /etc/rc.d/pf script to reload PF rules on FreeBSD when generated script is in rc.conf format"

  • see #2224 "FreeBSD - Bridge interfaces with the name vlan don't show as Bridge Port Interfaces". This actually applies to all OS where we support vlan and bridge interfaces. The fwbuilder GUI should allow the user to set the subinterface type to both "ethernet" and "vlan" when its parent interface has type "bridge". Setting the subinterface type to "ethernet" makes it a bridge port, while setting the type to "vlan" signals the policy compiler that it should generate code to configure a real vlan interface. If the name of the subinterface does not include the name of the parent, such as "vlan101", or when the name does not match the vlan ID, such as "vlan8101", the global preferences option "Verify interface names and autoconfigure their parameters..." should be turned off. The option is located in the Preferences dialog, tab "Objects".

Changes in support for ipfilter

  • There are no changes in the support for ipfilter in this release

Changes in support for ipfw

  • There are no changes in the support for ipfw in this release

Changes in support for for Cisco IOS ACL

  • fixes #1966 "IOSACL: object-group can get name that consists of only suffix". Compiler generated object-group statements with names such as ".src.net.0" in some cases.

  • see #2252 TCP and UDP service objects that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

  • see #2330 "Crash when creating a cluster of IOS router firewalls". Added support for basic IOS router clusters. No failover protocol support at this time, but the cluster can be configured with protocol "None" and fwbuilder will do address substitutions at compile time.

Changes in support for for Cisco ASA and FWSM

  • FWSM v4.x does not have "fixup" command, instead, we should use policy-map and class commands.

  • refs #1893 fixes #1883 "inspect IP options in PIX8". Added support for "policy-map type inspect ip-options" command in PIX v8.2 and later. At this time, of all possible types of "policy-map type inspect" command only "ip-options" is implemented.

  • refs #1882 "Mixed service groups in PIX8". Added PIX versions 8.0 and 8.3; added support for mixed service groups in PIX 8.0 and later.

  • fixed #1892 "move rule processor class separateServiceObject to PolicyCompiler". This rule processor used to be implemented only in the compiler for PF, but since it has a very general meaning, the same function was duplicated in other compilers as well. Moved the class to libfwbuilder and reimplemented several other rule processors to inherit from this class to avoid further duplication of code.

  • fixed #1891 "problems with TCP and UDP services with source ports". Policy compiler for PIX did not generate correct PIX ACL lines when one Policy rule tried to match several TCP and/or UDP objects matching source ports.

  • fixes #1901 "add destructor to NATCompiler_pix and NATCompiler_asa8". This eliminates memory leak.

  • refs #1885 "named network and service objects in PIX8". So far, these objects are only used for nat configuration.

  • fixes #1903 "correct order of clear commands for ASA 8.3"

  • refs #1886 "new nat configuration in PIX 8.3". Initial support for the new style nat configuration.

  • fixed #1862 "fwb_pix crash". Compiler fwb_pix crashed when DNS Name run-time object was used in a rule, but worked fine and issued an error when used in single-rule compile mode.

  • fixed #1906 "ASA NAT - Address objects are not properly identified by network zone and have the wrong real interface". The problem should have affected both "old" (PIX 6 and 7) and "new" (ASA 8.3) configuration. When an Address object was used in Original Source of a NAT rule, compiler used wrong interface in the (interface1,interface2) pair in "nat" command.

  • fixed #1905 "fwbuilder crash when compiling a rule with hosts folder as destination". Compiler issues a warning when an empty group object is used in a rule, but GUI crashed when user tried to compile this rule using single-rule compile function. The change actually affects all policy compilers and makes sure the GUI catches exception and does not crash, and prints any errors generated by the compiler in the compiler output panel when single-rule compile function is used.

  • refs #1908 "ASA NAT - cannot configure static NAT translations with (inside,outside)". Added NAT rule option to make source nat rules "static". The option is presented to the user as three radio buttons in the NAT rule options dialog which is only enabled when platform is "PIX" and version >= 8.3. Policy compiler generates "twice nat" rules with keyword "static" in the following cases: when TSrc is "original", so the rule translates destination and not source or when numbers of ip addresses represented by OSrc and TSrc are equal. If TSrc is not "original" and represents different number of IP addresses than OSrc, compiler looks at the new rule option. User can use or override automatic algorithm using radio buttons in the NAT rule options dialog.

  • refs #1902 "Add NAT rule option "translate dns" for PIX". The option is only available for ASA 8.3 or later.

  • fixed #1909 "ASA NAT - static nat port translation where service is the same for original service and translated service not generated correctly"

  • fixed #1913 "ASA/PIX rules with logging enabled don't have log set unless user modifies Firewall Settings". Added default log level setting to the resource xml file for platform "PIX", set to "informational". ACL lines now get "log " keyword followed by the log level taken from the rule options, or if that was not configured, from the firewall object settings, or if that is not configured, the default.

  • refs #1907 "ASA NAT - fwbuilder doesn't support multiple translated sources in a single NAT rule". Compiler uses object-group to translate NAT rules that have multiple objects in Translated Source.

  • refs #1885 Compiler uses named objects and objects groups to build configurations that use address ranges in TSrc in NAT rules. (only ASA 8.3 and later)

  • fixed #1917 "Duplicate objects are not detected". Compiler should detect duplicate objects that may be created in a rule element when user combines Address Table object with other address or network objects there.

  • fixes #1934 "libfwbuilder::getOverlap() incorrectly calculates overlap between IPv4 networks". This should also fix SF bug 3156376 "Can not find interface with network zone that includes address range".

  • fixes #1932 "Add description field to generated NAT rules for ASA". NAT rules generated for ASA 8.3 and later will have "description" keyword added, with rule label as an argument. Rule label includes word "NAT" and rule number.

  • Added support for CustomService objects in policy and nat rules for ASA 8.3 using named objects and object-groups. -- see #1942 "ASA NAT - if custom service is included in service group incorrect config generated" -- see #1929 "move map named_objects inside class NamedObjectManager" -- see #1946 "restrict generation of the named objects by PolicyCompiler_pix to ASA 8" -- see #1885 "named network and service objects in PIX8" Note: this has been rolled back. There is no support for CustomService objects in NAT rules.

  • see #1941 "ASA NAT - compiler complains about range in original destination". NAT rules translating destination allow Address Range objects in ODst or TDst for ASA 8.3

  • see #1940 "ASA NAT - fwbuilder host objects interface IP is reserved keyword". Added list of reserved words used in IOS and ASA software to make sure generated named objects do not conflict. Will maintain single super-set of reserved words instead of separate set for each version of IOS and ASA.

  • fixed #1938 "icmp" commands were not generated for ASA 8.x policy rules.

  • See #1927. Added check for NAT rules that request translation of destination address but have ODst "any". This only applies to ASA 8.3; these rules are prohibited.

  • fixes #1916 "nat rule must be "static" when subnet is present in TSrc"

  • see #1942 improved support for CustomService objects for ASA 8.3. Generate separate named object and object-group for these objects, then split policy and nat rules so that only one custom service object is left in each rule and then use object-group to match it. Note: this has been rolled back. There is no support for CustomService objects in NAT rules.

  • fixes #1948 "incorrect configuration created when a CustomService object is used in a policy rule for PIX/ASA versions prior to 8.3". Since we do not support custom service objects in policy and nat rules for versions older than 8.3, added check to generate fatal error when such object is used.

  • fixes #1945 "object-group names include ever-growing suffix". Object-groups created by the compiler for PIX/ASA had numerical suffix that was constantly increasing when user used single-rule compile function in the GUI.

  • fixed #1944 "ASA Policy - duplicate network object groups created for mixed service group with TCP dst and TCP src port range objects". Need to convert address range objects to subnets early, before the rule is split for any reason, to make sure object groups created later match and are reused.

  • See #1943 "ASA Policy - mixed service group with TCP destination port range and standard TCP object generates invalid config". Protocol word "tcp" was missing after "deny" in the generated rule.

  • see #1949 "ASA NAT - split objects if OSrc contains objects that are in more than one network zone".

  • ASA 8.3 see #1942, #1943 fixed generation of the "object-group" statements by adding protocol keyword at the end so that the group can be used in access-list commands. It looks like mixed service groups that have no protocol keyword at the end of the line that defines them cause error "specified object group has wrong type; expecting service type". I am going to avoid using mixed service groups because of this.

  • see #1953 "ASA NAT - two host objects in the same rule result in incorrect config". Objects that represent addresses of interfaces of a host object created using template will be automatically renamed to follow standard naming convention "host_name:interface_name:ip" to avoid creating duplicate names.

  • see #1960 add support for CustomService for PIX policy rules. Note that CustomService objects are only supported in Policy rules since nat commands in ASA 8.3 require use of named objects and it is difficult to implement correct named objects and object-groups with protocol parameter and custom services.

  • See #1959 "ASA Policy - ranges are broken into composite network instead of using range command." Added support for address ranges using named network object with parameter "range" for ASA 8.3 and later. NOTE: if a network or IP address object is used in a nat rule for ASA 8.3, a named object has to be created for it since ASA 8.3 does not accept IP addresses or subnets in "nat" commands. In the situation like this, if the same address or network object is used in any Policy rule, the same named object will be used in the generated access-lists command.

  • see #1959 Moved generation of the code that defines named objects to class NamedObjectManager. This allows me to put all named object commands on top of the generated policy, nat and routing configurations and make sure each object is defined only once. Still need to do #1963 - move code that generates commands to define object-groups to class NamedObjectManager.

  • see #1954 "ASA NAT - generate warning if nat rule is split and one of the resulting nat rules have the same real interface and mapped interface". Compiler issues warning when objects used in OSrc and TSrc of a NAT rule make it use the same interface as both real and mapped interface in the generated nat command. This check is only done for ASA 8.3 NAT rules.

  • see #1963 "move printing of object-group definitions to NamedObjectManager::getNamedObjectsDefinitions()". Consolidated code that works with named objects and object groups in the class NamedObjectManager. This class manages all the objects and in the end generates commands.

  • Refactored parts that generate "clear" commands to make sure they are printed in the right order at the top of the generated configuration. Previously compiler placed "clear global", "clear static" and "clear nat" commands above the NAT section but below policy section. Since ASA8.3 nat commands can use named objects and object groups, and since I have added support for object groups in ASA 8.3 policy rules, I now need to clear objects and object groups at the very beginning of the generated config. However in order to be able to clear objects and object-groups, I need to clear access-lists and nat commands that might be using them first. So, all clear commands are now grouped at the beginning of the generated configuration. This affects PIX/ASA, iosacl and procurve_acl platforms.

  • See #1965 "ASA Policy - PIX 6.1 configurations use object groups". Policy compiler for PIX is now aware that object-group statement was introduced in PIX v6.2 and avoids using object-groups when firewall object version is set to 6.1

  • made names automatically assigned to object-groups in generated PIX configuration shorter by removing interface label prefix.

  • see #1968, #1972 Class NamedObjectsManager maintains its own copy of object tree that holds object group objects it creates during compiler passes. This allows me to maintain one common set of object groups for both policy and nat compilers and avoid creating duplicate and redundant object-group statements.

  • see #1968, #1972 class NamedObjectsManager (and derived classes for IOS and PIX) generate "clear" commands. This way, I can generate correct set of "clear" commands that take into account any named objects and object-groups that could be created during both policy and nat compiler passes.

  • See #1958 "consistently use "exit" to get out of nested context in PIX config". Using "exit" to exit from nested context while adding network or service object in generated PIX/ASA configuration.

  • see #1970 "ASA Policy - single IPv6 icmp object allowed in rules". Since we do not support IPv6 for PIX/ASA at this time, policy compiler should drop the rule if IPv6 address or icmpv6 service is used and issue a warning.

  • see #1981 "ASA / FWSM Policy - Generate warning message if rule will not generate config data"

  • fixes #1986 "Cisco ASA remarks should be truncated to 100 characters or less". Trimming all lines used for access list remarks to fewer than 100 characters. Remarks can only be less than 101 characters on PIX/ASA and less than 100 characters on IOS.

  • fixes #1994 "Crash when compiling a firewall in an imported Library". Compilers should reset any read-only flags in the copy of object tree they work with before they make any modifications.

  • fixes #2060 "Existing configuration objects are not cleared in PIX 6.3". Commands used to clear object groups and objects have different syntax in PIX 6.3 and PIX 7 and later.

  • see #2098 Added support for user-configurable inbound and outbound interfaces in Cisco PIX/ASA NAT rules. Two new columns appear in the rule set view: "Inbound Interface" and "Outbound Interface". If user leaves one or both columns blank, the GUI shows "Auto" in there and policy compiler picks corresponding interface automatically. Leaving both columns blank ("Auto") triggers backwards-compatible automatic behavior where both interfaces are picked automatically. Multiple interface objects and groups of interfaces are allowed in these columns.

  • fixes #2113 "ASA/PIX SNMP discovery - assign default labels based on interface description". Added pattern to match Cisco ASA interface description which is different from Cisco PIX interface descriptions as returned via snmp.

  • see #1990 "Change default value for Cisco ASA/PIX 7+ to generate outbound ACLs". Newly created PIX/ASA firewall objects will now have "generate outbound acl" option turned on by default.

  • see #2252 TCP and UDP service objects that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

  • see #2263 looks like "object-group service" that includes named objects defined as "service-object" can not be used in access-list commands and therefore is useless. Unless I misunderstood and there is a way to use it, I should not generate ASA configuration like this:

            object-group service id5102X14531.srv.tcp.0 tcp
              service-object object http.0
              service-object object https.0
        

    Object-group with "tcp" or "udp" type-suffix in the end does not allow "service-object" statements at all, so this configuration is incorrect anyway. However even without "tcp" in the end to make "service-object" references acceptable, the group can be built but can not be used in access-list statements.

    Instead, the group should use port-object statements:

    	object-group service id5102X14531.srv.tcp.0 tcp
    	  port-object eq 80
    	  port-object eq 443
        
  • see SF bug 3213019 "FWSM Network zone and IPv6". Currently we do not support IPv6 with PIX/ASA and FWSM. If user creates a group to be used as network zone object and places IPv6 address in it, this address should be ignored while compiling the policy but this should not be an error.

  • see #2308 "ASA rules with service set to "http" and destination set to ASA firewall object should generate different command syntax". Policy rules that have firewall object in Destination and http object in Service now generate "http" commands. This is similar to how fwbuilder generates "ssh", "telnet" and "icmp" commands to permit corresponding services to the firewall itself.

  • see #2344 "FWSM install errors for clear commands". Using correct syntax for "clear" commands for FWSM v4.x

  • see #2343 "Interface nameif error when installing generated config for FWSM". Use correct "nameif" command syntax in FWSM 2.x and 4.x.

  • see #2345 More fixes for FWSM 4.x: "service resetoutbound", "timeout xlate", "timeout sunrpc"

  • see #2344 fwbuilder should not generate any "ntp" commands for FWSM because NTP can not be configured on FWSM.

  • see #2322 If this is FWSM and if manual commit mode is used, need to commit after clearing ACLs before we clear object groups.

  • see #2347 "FWSM move up the "access-list mode auto-commit" command". Command that configures access list commit mode should be issued before any commands that clear and configure access lists. Also in this change moving commands that set up temporary access list to the top of the script.

  • see #2348: "Accounting action is not valid for FWSM platform". Actions "Accounting" and "Reject" should not appear in the drop-down list of actions in the GUI if platform is PIX or fwsm.

  • see #2295 Added FWSM version "3.2". According to Cisco documentation, FWSM version 3.2 matches PIX 7.

  • see #2351 Security levels of ASA and FWSM interfaces do not have to be unique. Removed check that enforced this.

Changes in support for HP ProCurve

  • There are no changes in the support for HP ProCurve in this release

Changes in packaging

  • This version is the first one to merge libfwbuilder and fwbuilder packages. The libfwbuilder library is now in the src/libfwbuilder subtree inside fwbuilder code tree.

  • RPM .spec files and DEB .control files are now located in the directory "packaging" inside fwbuilder code tree.

  • Changes in the versioning format: build number is going to be used as part of the long version number, composing complete version as "4.2.0.3425". The "-n" suffix in rpm and deb package names will be used for package release number and most of the time will be "-1". This suffix should reflect minor differences in the package that do not affect the code.

  • We have stopped making builds on Ubuntu Hardy. Old Qt (4.4.1) means more and more parts of the code do not compile and require workarounds, sometimes with loss of functionality in the GUI. v4.1.3 will be the last officially released version of fwbuilder to work on Hardy.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_4.2.1.html000066400000000000000000002313361303637203600233050ustar00rootroot00000000000000

Firewall Builder 4.2.1 Release Notes

v4.2.1 is a minor bug-fix release

SourceForge: Tickets for V4

GUI Updates

  • Fix for SF bug 3169045 "Batch installer lists IPv4 address as management address". Built-in installer wanted to use management interface address in batch mode even when alternative address or putty session name was provided. This happens only in batch mode install.

  • fixes #2370, #2371 "broken signals in network discovery wizard". Network discovery wizard was not correctly initialized and did not work.

  • fixes #2368 and SF bug 3294457 "External install script". External install script name and arguments weren't saved for IOS firewall objects.

  • fixes #2360 "Sometimes fwbuilder opens with object tree scroll bar centered so folders are not visible"

  • fixes #2385 "PF action Classify uses wrong parameter". This change fixes a bug introduced in 4.2.0 that affects rules with action Classify in PF firewalls. The bug causes the following problems:

    For users who built their rules before v4.2.0:

    • rules compile normally, both in the single rule compile and when the whole firewall is compiled
    • if they opened the action of one of such rules in the action editor, the classification string would look empty
    • if they entered new classification string in the editor, compiler kept using the old one (which they can not see or change in the editor)

    For users who tried to build rules with action Classify with v4.2.0:

    • no matter what classification string they enter in the action dialog, generated code does not use it

Firewall Builder 4.2.0 Release Notes

SourceForge: Tickets for V4

Summary

This release brings significant improvement in compile time on large object trees. The speed-up is especially noticeable in single rule compile where the time before generated firewall configuration appears in the GUI shrank by up to a factor of 10.

This release adds interfaces to the NAT rule model. There are two interfaces per NAT rule: "inbound interface" and "outbound interface". DTD version changes to "18", old data files need to be upgraded. Inbound and outbound interfaces in NAT rules are supported for iptables, ASA/PIX/FWSM and PF, but in the case of PF GUI exposes only one interface to the user since PF commands can not match two interfaces simultaneously.

This release adds support for ASA 8.0 - 8.3 configuration generation, including named objects and "new" style nat commands in ASA 8.3

This release comes with numerous improvements in support for FWSM 2.x, 3.x and 4.x configuration generation.

This release implements import of PIX, ASA and FWSM configurations. Host name, version, interface configuration, object groups, named objects, access lists as well as commands "global", "nat" and "static" can be imported. There is no support for import of the "new" ASA 8.3 "nat" commands just yet. Also there is no support for import of standby configuration, which means PIX clusters can not be created automatically by importing existing configuration.

This release adds ability to generate initialization script in rc.conf format for FreeBSD. Only FreeBSD is currently supported (not OpenBSD). Generated script includes variables to configure interfaces and their IPv4 and IPv6 addresses, vlans, CARP and pfsync interfaces, as well as variables that initialize PF.

This release adds ability to automatically detect firewall platform from the format of the imported configuration file. Import is supported for iptables, Cisco IOS or Cisco ASA/PIX/FWSM. The program detects firewall platform, version and host name (if possible) from the contents of the configuration and shows platform-specific warning to explain what parts of the config can and can not be imported. Importer wizard has been reimplemented using QWizard and QWizardPage classes and its workflow significantly improved.

Starting with this release the program can optionally re-use existing objects from both Standard Objects and user-defined libraries when it imports existing firewall configuration. This works for any firewall platform for which we support policy import. Objects are matched by attributes such as address, netmask, port etc. Object name and comment are not taken into account. Importing the same configuration file twice creates two firewall objects with the same interfaces and rules but re-uses address and service objects created on the first import.

Deduplication algorithm is as follows:

  • ASA/PIX/FWSM configuration import:

    ASA configuration language supports named objects and object groups. On import, fwbuilder creates objects and groups with the same names and uses them in rules. Objects created from in-line address/netmask and port specifications found inside object-group, access-list, filter or nat commands are considered "anonymous" objects. These get automatically generated names and are deduplicated using only their relevant attributes but not names. Objects created from PIX named object ("object network foo", "object service bar") statements are considered "named" objects. They get the name matching the name in corresponding PIX config line and are deduplicated using both relevant attributes and the name.

  • iptables:

    Fwbuilder can only import iptables configuration saved with "iptables-save" command. This format does not support variables or named objects, therefore all objects created from address and port specifications are "anonymous" and get automatically generated names. They are deduplicated using their address, netmask, port numbers and other relevant attributes but not their names.

TCP and UDP service objects in fwbuilder that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

GUI Updates

  • fixed #1872: "vlan interface does not appear in the list of interfaces for route-to action for PF".

  • context menu item that opens object in the editor should be named "Inspect" when the object is read-only because the editor would not allow the user to change it.

  • fixed #1926 "Crash when moving object in Standard library". Context menu item "Move" should be disabled when the object is located in the read-only library.

  • see #1976 "Crash when deleting firewall object from rule after export / import library" Crash occurred as the result of the following sequence of actions in the GUI: 1) use context menu item "Cut" to delete an object in the tree, 2) open object group or rule and use context menu item "Paste" to add it, 3) export library to an external file, 4) import this library into different data file, 5) save the data file. Saved data file is invalid XML since it has unsatisfied reference and some operations on it cause crash. The problem is that since it is a reference to the object that is being added in case of both groups and rules, we end up with a group or rule with a reference to an object that is located in Deleted Objects library. Deleted Objects library is not included when a library file is merged into data file and this leads to a dangling reference. The fix is to not allow Paste if object in the clipboard has been deleted.

  • see #1980 "Objects from Deleted Objects should not be allowed to be used in rules". Added checks to not allow drag-and-drop of an object from Deleted Objects library into rules and groups.

  • see #1994 "Crash when compiling a firewall in an imported Library". To prevent crash, added check to make sure firewall object is not read-only before an attempt to update its "last compiled" or "last installed" timestamp.

  • fixes #1993 "V4.2 on Windows - export Library shows the file type as Firewall Builder 2"

  • fixes #1992 " V4.2 on Windows - installer error can't find Secure Shell utility"

  • fixed #1989 "variables respath and librespath are redundant and copy Constants::getTemplateDirectory()". Got rid of global variables sysfname, tempfname, librespath, respath and localepath; will now use class Constants to keep this information.

  • fixes #1998 "Crash after running find-and-replace then closing file". Specific sequence of actions and only on Mac OSX caused GUI to crash. To fix, I clear editor panel when user closes project window using MDI window title menu item "Close" or "Close" button.

  • see #1996 "Crash when finding and replacing a large number of objects". When "find and replace" function was used to replace large number of objects in a rule set, it generated stream of calls to updateLastModifiedTimestampForAllFirewalls() which caused corresponding stream of events to update various parts of the GUI, both in the tree and rule set views. This caused weird corruption and crash on Windows. Trying to resolve the issue by optimizing the part that updated "last modified" timestamp on the firewall since all parts of the rule set updated in one call to "find and replace" function belong to the same firewall.

  • fixes #2000 "New dialog window in New Firewall wizard for ASA / PIX - Network Zone explanation". Added page to the new firewall wizard to let the user configure network zones of interfaces when chosen firewall platform supports network zones (only PIX/ASA right now).

  • fixes #1983 "ASA multiple interfaces have the same security level". Using table widget with spin-boxes to let the user edit security levels of interfaces conveniently.

  • see #2006 "Crash when closing editor panel with find-and-replace". The GUI crashed if user tried to close editor panel at the bottom after closing objects+rules panel and while some object was still displayed in the editor.

  • See #2015 "Add support for setting names of generated .fw and .conf files separately for PF". Added second input field in the "advanced settings" dialog, tab "Compiler" for the firewall platform "PF". Now user can set the name for both the generated .fw initialization script and .conf PF configuration file, as well as names for both files on the firewall. Support for this is generic and the same functions work for other platforms if corresponding input field in the dialog exists. The name of the initialization script is set as follows: 1) if user provided -o command line switch to the compiler, its argument is used. 2) if -o switch was not present but the name was configured in the firewall settings dialog, it is used. 3) if none of them were present, the name is constructed from the name of the firewall object with suffix .fw. The name of the .conf PF configuration file is taken from the settings dialog, but if it is blank, then it is constructed from the name of the initialization script but with suffix .conf.

  • fixes #1914 "Address table object file name is not created properly if user clicks outside Editor panel"

  • fixes #1915 "tooltip shown when mouse is over rule number should be added to the list of suppressed tooltips when 'Advanced user mode' is in effect"

  • fixes #2064 "CARP interfaces are not properly installed on FreeBSD cluster". I need to populate failover group objects with some reasonable defaults when they are created.

  • fixes #2067 "Add way to show interface label in object tree". The tree now shows interface name and label if the label is not empty.

  • fixes #1979 "New firewall created with Cisco c36xx template results in network object in interface column in Policy"

  • fixes #1895 "Add context menu option to expand all child nodes in object tree". Added menu item "Expand" to the context menu associated with all objects in the object tree. This item recursively expands all tree nodes under the given object and automatically changes to "Collapse" if the item is expanded. Also changed behavior of the double click on the object in tree: before, double click opened object in the editor and expanded or collapsed subtree. Now it only opens object in the editor but does not expand/collapse subtree.

  • see #2103 "complex vlan/bridge configurations are not supported by the interface validation code". Added checkbox to let the user turn off interface name validation functions in the GUI. Checkbox is located in the global Preferences dialog, tab Objects, subtab Interface. For backwards compatibility, the checkbox is turned on by default. When it is off, the GUI does not validate the name of interfaces and subinterfaces and turns off checks that enforced interface name patterns for VLAN, bridge and bonding interfaces. It also turns off check for the validity of vlan ID derived from vlan interface name and turns off automatic configuration of interface type and vlan ID. These checks sometimes were in the way of building complex configurations that involved multiple vlan interfaces with names not matching their IDs. This also fixes SF bug #3066714 "please dont stop me from creating a new interface" where user wanted to create interface "veth201.0" on Linux but the GUI blocked this operation because the name seemed to match vlan interface pattern.

  • fixes #2099 "Object list scrolls up to the last edited object". Object tree used to scroll spontaneously when user started dragging an object from it to a rule.

  • fixes #1971 "Address range can be created with end address lower than start address". Address Range object dialog should not let the user enter range end address which is lower than range start address. Dialog behavior is now similar to the behavior of the tcp and udp service dialog where user can not enter port range end number lower than port range start number.

  • fixes #1678 "When creating a firewall from template it appears that a default template is selected". When user arrives at the page where they choose template to create new firewall object from, the first template should be automatically selected.

  • fixes #2135 "Editing table objects". Dialog of the AddressTable object now offers button "Edit" that lets the user edit address table file. This only works if the file is located on the same machine where the GUI is running, so it is probably most useful for compile time objects.

  • fixes #2139 "Provide "Cancel" button if Address Table file is read-only". If the file configured with Address Table object is read-only, the GUI shows warning when user clicks "Edit" button and offers a choice: open it for viewing read-only or cancel.

  • see #2140 "Attempting to create new Address Table file results in read-only error". Implemented support for the workflow when user wants to create the file used to feed addresses to the Address Table object.

  • see #2047 "Inspect generated files button shows different path information". Do not pass full path to the output file as an argument of the "-o" option when the GUI launches policy compiler. Since the "-d" option passes directory path where files should be saved, actual file names do not need to be absolute path, except if the user entered absolute path for the output file name in the firewall settings dialog.

  • see #2153 "Add Network Zone explanation and selection dialog to ASA/PIX import". Wizard shows additional page when user imports PIX/ASA config. This page explains concept of network zones and offers UI to let them choose network objects or groups as a network zone of each interface.

  • fixes #2156 "After import the firewall should be opened in object tree".

  • see #2163 code that imports addresses from a file in /etc/hosts format moved to its own wizard; using QWizard and QWizardPage classes with correct implementation of page sequencing and validation; old discovery druid has been disabled. SNMP discovery and ios/PIX/iptables configuration import will move to their own wizards later.

  • fixes #2203 "Crash when attempting to add an object to a locked group".

  • fixes #2201 "Some fields of locked object are editable". Some input fields of the Custom Service object dialog were editable even when object was locked read-only.

  • fixed SF bug 3238026: build failure on systems without net-snmp development libraries.

  • see #2226 fixed GUI crash that happened when user tried to delete or cut an object from locked library.

  • fixes #2307 "GUI switches to another file after editor panel is closed"

  • see #2286 "Crash when closing file". The GUI crashed if user imported iptables or PIX configuration, then deleted a rule and tried to close project window.

  • see #2171 "Undoing delete of rule ends up with rules being created with duplicate rule numbers". Also see #2172 "Crash when deleting rule - related to #2171". When user deleted the last rule in a rule set, then used Undo to restore it, the program lost track of rules in the rule set and became unstable.

  • see #2335 "GUI switches between data files upon closing editor panel". If user opened two data files in the GUI and was in the process of editing objects in one of them, the GUI would flip to the other file under certain circumstances.

  • see SF bug 3211769 "Member interfaces not sorted". Sorting interfaces by name in the dialog where user adds them to the cluster member group.

  • fixed #2287 "Show text description in rule columns" does not persist across sessions

  • see #2229 "Multiple new objects with the same name". The GUI should automatically choose unique object names for new objects.

Changes in command line tool fwbedit

  • see #2328 "Add ability to run firewall import from the command line". This has been implemented as a new function "import" in fwbedit. See man page fwbedit(1) and "fwbedit -h" for more details.

  • Starting with v4.2.0, fwbedit.exe is now part of the Windows package

Changes in policy importer for all supported platforms

Changes that affect import for all platforms

  • see #1931 "Update failed import behavior". Added meaningful error messages for when policy importer fails to create firewall object or does not create interface objects or any rules.

  • see #2161 "import workflow and automatic detection of firewall platform from the config file". When user imports existing firewall configuration, the GUI automatically detects firewall platform from the format of the config file and shows platform-specific warning to explain what parts of the config can and can not be imported. It also detects firewall host name where possible (currently Cisco IOS and ASA/PIX). Importer wizard has been reimplemented using QWizard and QWizardPage classes and its workflow significantly improved.

  • see #2162 menu item "File / Import Policy" renamed to "File / Import Firewall". This menu item launches wizard that imports existing iptables, Cisco router IOS or Cisco PIX/ASA config.

  • see #2183 "count errors and warnings generated by the importer and show the numbers in the progress page of the wizard". Configuration import wizard now shows counters of warnings and errors generated by the importer.

  • see #2189 Policy importer warnings and errors now include line numbers to help find relevant lines in the original configuration file.

  • see #2189 Program adds the file name and the line number to comments of policy and nat rules it creates during import.

  • fixed #1548 "Object de-duplication during import process". Also SourceForge 3030072 "remove duplicates during any import". Now the program can optionally re-use existing objects from both Standard Objects and user-defined libraries when it imports existing firewall configuration. This works for any firewall platform for which we support policy import. Objects are matched by attributes such as address, netmask, port etc. Object name and comment are not taken into account. Importing the same configuration file twice creates two firewall objects with the same interfaces and rules but re-uses address and service objects created on the first import.

  • see #2253 "importer should not creates objects while still in the middle of the wizard". Importer wizard creates new objects in the object tree only when user clicks Finish and abandons results if they click Cancel.

Fixes and improvements in import of iptables configurations

  • see #2190 "support for import of branches in NAT rules for iptables". Implemented import of NAT rules in user-defined chains for iptables, these translate into branching NAT rules in fwbuilder.

  • see #2196 "iptables nat rules with target REDIRECT not imported". Iptables NAT rules with target REDIRECT where not imported correctly.

  • fixes #2195 "incorrect iptables import of nat rule with NETMAP target"

  • see #2194 "iptables import problem with SNAT rule translating to an address range". NAT rules translating into address range with "-j SNAT --to-source 192.168.1.1-192.168.1.10" did not import correctly

  • see #2197 "iptables nat rules in chain OUTPUT not imported correctly"

  • see #2202 importer for iptables creates Custom Service object to match combination of states it does not recognize. This includes "NEW,ESTABLISHED".

  • see #2336 Importer for iptables recognizes version stored in the top comment by iptables-save and sets version in the firewall object it creates.

  • see #2206 iptables commands with no "-j TARGET" parameter should be imported using action "Continue".

  • see #2338 "Empty Mangle Policy object created on import". iptables rules in the table 'mangle' will be imported in the dedicated Policy rule set with name "Mangle". Rules that use chains FORWARD and POSTROUTING in table 'mangle' can not be reproduced and will be marked as "bad" (color red and corresponding comment).

  • see #2275 Importer for iptables now correctly handles both "intrapositioned" ("-s ! address") and "extrapositioned" ("! -s address") negation.

  • see #2245 fixed bug in parser for iptables that prevented correct import of iptables rules using module "multiport" with port range matches.

Fixes and improvements in import of Cisco IOS configurations

  • see #2248 implemented import of Cisco IOS and PIX/ASA service configurations using port operation "neq". Since object model in fwbuilder does not provide direct support for "port not equal to" expression, this configuration is converted into two tcp or udp service objects with port range extending below and above specified port and these two service objects are then placed in a group.

Fixes and improvements in import of Cisco ASA/FWSM configurations

  • see #2161 policy import wizard shows the page where user can set up network zones of interfaces if firewall platform was determined to be PIX.

  • see #2152 "ASA Import - shutdown interfaces". Importer recognizes and skips ASA interfaces in "shutdown" mode.

  • see #2248 implemented import of Cisco IOS and PIX/ASA service configurations using port operation "neq". Since the object model in fwbuilder does not provide direct support for a "port not equal to" expression, this configuration is converted into two tcp or udp service objects with port ranges extending below and above the specified port, and these two service objects are then placed in a group.

  • see #2268 updated list of named TCP and UDP ports recognized by the importer for Cisco ASA.

  • see #2277 "Create policy objects for ASA access-lists that are not applied in an access-group". Policy rule set will be created and populated with rules found in the corresponding access-list even if this access-list is not applied to an interface with access-group command.

  • see #2164 fixed import of "ssh" commands and added import of "http" commands for ASA/PIX/FWSM

Changes in the built-in policy installer

  • see #2039 "Installer reports success even if pfctl can't load config file". Added more pfctl error messages to the list to make code more robust.

  • fixes #2049 "Installer reports success even if there was an error while creating static routes". Added our own error message generated when command used to add static route fails to the list of error messages recognized by the installer.

  • fixes #2037 "If there is an error when compiling firewall then installer should be aborted". Compile/install wizard should disable "Next" button after compile phase is done if all firewalls failed to compile with no errors.

  • fixes #2061 "Installer shows success for failed installed on FreeBSD due to corrupt script file". Added bunch of common shell error messages to make sure installer recognizes them and mark install as a failure even if ssh fails to pass termination code.

  • fixed SF bug 3169045: "Batch installer lists IPv4 address as management address". The "summary" display in the installer progress log output will now show putty session name if it is used instead of the management address.

  • see #2073 "Add additional information or workflow when no management inferface configured". The error message shown to the user when no interface has been marked as "management" is now more verbose and provides instructions on how to do this. Also, if the user provided an alternative address to be used to communicate with the firewall, the check for the management interface is not performed since it is not needed.

  • see #2088 "Installer caches putty session". Need to initialize putty_session properly and clear it in clear().

  • fixes #2129 'deprecate "test install" function'. We have decided to deprecate test install because it is rather heavy-handed on Linux and PIX where it reboots the firewall and plain does not work on *BSD.

  • see #2239 Added variable "firewall_name" to configlets that define commands installer runs on the firewall to activate new policy (all platforms).

  • updated filesystem path on FWSM where fwbuilder built-in installer should place generated configuration when it is installed using scp. Currently using path "disk:".

  • see SF bug 3212988 "external script makes getopt difficult". User-defined parameters for the external script moved to the end of the command line.

Changes and improvements in the API library libfwbuilder

  • see #1972 Separated object creation and initialization. Some complex objects need to create a set of standard child objects. Previously this was done in a special type of constructor which required pointer to the object tree root (FWObjectDatabase*). This created problems with implementation of the method to register functions that create objects of new types outside of the API. Now all objects have just a basic set of constructors, plus method init() that can initialize them.

  • see #1972 implemented mechanism that allows me to register new object types created and used outside of libfwbuilder API. This means FWObjectDatabase can then copy and manipulate object trees that use these new object types.

  • fixes #1937 "RES_DIR macro is defined twice". Got rid of duplicate definition of this macro.

  • see #1985 added virtual function updateNonStandardObjectReferences() that is supposed to update any references to objects stored as attributes.

  • fixes #1997 "add removeRef and addRef methods to class NATRule". Now undo and redo correctly remove and restore references to NAT rule sets in NAT rules with action Branch.

  • fixes #1991 "Undo does not restore object as a parameter of policy rule action Branch or Tag after it was deleted deleted". Now Undo restores references to rule sets and tag services as arguments of corresponding policy rules, as well as references to objects configured as interface network zones.

  • fixes #1987 "Deleting object that is used as Network Zone for ASA/PIX interface results in inconsistent behavior". When an object that is used as a network zone of an interface is deleted, it should be removed from the interface configuration as well.

  • fixes #1995 "Crash when compiling a cluster with identical firewalls". Method Cluster::init() must call base class method Firewall::init() to get child Policy, NAT and Routing objects created.

  • See #2084 "snmp discovery takes forever on devices with large routing tables". This takes a very long time on devices with large routing tables. This code was implemented a long time ago and apparently routing data was intended to be used to discover "external" interfaces, but it is unclear if this is still done. The concept of external/internal currently exists only for platforms that support security levels (PIX), and there we guess levels by matching addresses against RFC1918 and let the user adjust levels manually anyway.

  • see #133 Added interfaces to the NAT rule model. There will be two interfaces per NAT rule: "inbound interface" and "outbound interface". DTD version changes to "18", old data files need to be upgraded.

  • see #2126 Using snmp sysDescr OID to guess version of the new firewall when it is created using snmp polling.

  • fixes #2209 "do not allow the same object to be child of different objects in the tree". Method FWObject::add() enforces this. Subsequent clean-up and fixes in many places to follow this logic. This makes code much cleaner, better organized and more reliable.

Changes and improvements in the library of standard objects

  • #2083 Added new services to the Standard Objects Library: rtmp, xmpp-client, xmpp-server, nrpe

common changes that affect policy compilers for all platforms

  • fixes #1920 "Setting host interface to unnumbered after it has been assigned IP address doesn't have desired effect". Compiler still used IP addresses that belonged to the interface even if it switched to "unnumbered". These child address objects should be ignored.

  • fixes #2124 "some error messages get multiplied when compiler splits rules". Under certain circumstances error messages could appear multiple times in the generated script.

  • see #2204 "Shadowing detected for rule with action Continue". Policy rules with action "Continue" should not shadow other rules and can not be shadowed.

  • see #2207 fixed memory leak in policy compilers. The impact of this leak was especially severe on Windows with very large object databases.

  • see #2212 "Performance improvement in compilers". This change brings significant improvement in compile time on large object trees. The speed-up is especially noticeable in single rule compile where the time before generated firewall configuration appears in the GUI shrank by up to a factor of 10.

  • sorting objects in rule element after cluster interfaces have been replaced, this helps ensure stable ordering of objects in generated configuration.

  • sorting objects in the rule element by name after group is expanded, this helps ensure stable ordering of objects in generated configuration.

Changes in support for iptables

  • fixed #1879 "gui crash". Both GUI and fwb_ipt crashed trying to compile a rule with action Branch that was not configured to point to any rule set.

  • fixed SF bug #3102044 "Colon in (runtime) Address Table name". Variable used to process addresses in the run-time address table should not use character ":" even if it appears in the Address Table object name.

  • fixes #1999 "log() does not work". Using the built-in utility "command" to verify that all the tools the generated script needs to function properly are available and can be accessed either via a direct full path or through the PATH variable. This includes the check for the logger tool that is used to make a log record when the firewall is activated.

  • see #2097 #133 "support for inbound and outbound interface columns in iptables NAT rules". This also addresses SF feature requests 1954286 "DNAT with interface as condition not possible" and 621023 "manipulating interface in NAT rule".

  • fixes #2008 "option "--physdev-out" is not allowed in OUTPUT chain". After this change, compiler avoids INPUT/OUTPUT chain if interface in the rule column "Interface" is a bridge port and firewall is bridging firewall (which means we are going to use --physdev-in or --physdev-out option for this rule).

  • see #2170 "Compiler should generate error for invalid iptables NAT configs". Now that we allow the user to specify inbound and outbound interfaces in iptables NAT rules, compiler should verify that combination of requested "-i" and "-o" interfaces is in fact valid. For example iptables does not allow "-o" interface spec with rules that go into PREROUTING chain (DNAT rules) or "-i" interface spec with rules in POSTROUTING chain (SNAT rules).

  • see #2181 "Update iptables importer to detect inbound & outbound interfaces in NAT rules". Importer can now import nat rules with "-i" or "-o" interface spec.

  • see #2230 the GUI should allow limit-burst values of up to 10000

  • SF bug 3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are added automatically to IPv6 Linux firewall to permit neighbor discovery packets should be also added to the FORWARD chain if the firewall is a bridge.

  • see #2324 "NAT + MAC-matching rules not generated properly". iptables NAT rules matching a group of host objects with both IP and MAC addresses each in "Original Source" were not generated properly.

  • see #2235 "Modified rule action for Continue". Rules with action "Continue" should translate into iptables commands without "-j TARGET" parameter. If such rule also has logging enabled, it should use target "-j LOG" instead of generating additional chain.

  • see #2359 "Crash when compiling single rule with IPv6 destination and IPv4 gateway or interface". Routing compiler for iptables does not support ipv6 at this time and will issue a warning when user tries to place ipv6 address or network in a routing rule. The warning does not appear when ipv6 address is a member of a group used in the rule. Also see #1575.

Changes in support for PF (FreeBSD, OpenBSD)

  • see #1890 "Add support for configuring static routes on BSD". Implemented support for simple static routing rules. ECMP and routing via interface (routing to directly reachable subnets) are not supported. Generated script preserves static routing entries that existed before and attempts to recover in case of error.

  • see #1888 "Add option to generate rc.conf.local file for BSD systems". Added ability to generate an initialization script in rc.conf format for FreeBSD. Only FreeBSD is currently supported (not OpenBSD). The generated script includes variables to configure interfaces and their IPv4 and IPv6 addresses, vlans, CARP and pfsync interfaces, as well as variables that initialize PF.

  • fixes #2026 Compiler can now generate static routing configuration in rc.conf format for FreeBSD.

  • fixes #2032 "support for DHCP interfaces in rc.conf mode". Include dynamic interfaces in the list of interfaces the generated script manages when the script is in rc.conf format. This adds lines similar to 'ifconfig_em0="DHCP"'.

  • fixes #2038 "pfctl error when firewall settings include scrub option for reassembly". Command "scrub all reassemble tcp" does not allow direction. Tested and verified on OpenBSD 4.2 and FreeBSD 8.1

  • see #1889, #2043 Added support for bridge interface configuration in BSD.

  • fixes #2054 "Add support for load anchor PF command". Instead of loading anchors using "pfctl -a anchor -f file" command in the .fw initialization script, now generated PF configuration uses "load anchor" commands in the pf.conf file. This way, we can load anchors correctly when PF configuration is activated from the generated rc.conf.local file where only one pf.conf file can be referenced.

  • fixes #2042 "add configlet and shell functions to manage bridge interfaces via shell script on OpenBSD and FreeBSD". Bridge interfaces are managed incrementally, that is, the script creates and destroys them as needed, then adds or removes bridge ports, to bring bridge configuration in sync with what is defined in fwbuilder GUI.

  • fixes #2065 "activation commands on FreeBSD and OpenBSD lose script exit status". The sequence of commands run by the built-in installer on *BSD firewalls was losing the exit status of the script, which meant the installer always declared the installation a "success" even when there were errors.

  • fixes #2066 "Existing VLAN interfaces are not properly removed from FreeBSD and install script fails"

  • fixes #2069 "PF: allow multiple objects in ODst of redirecting nat rule". This fixes SF bug 3162862 "NAT - more than one object in original destination"

  • fixes #2071 "vlandev missing in the vlan definition (when using rc.conf.local )"

  • fixes #2058 "Ability to configure mtu and metric of regular interfaces". "Advanced settings" dialog of the interface object provides controls to configure MTU and possibly add any additional ifconfig parameters. This is available for OpenBSD and FreeBSD.

  • see #2078 added verbose error message in a situation when "ifconfig carp0 create" command fails to create CARP interface.

  • see #1867 "PF: rule with non-terminating action Tag shadows other rules below it". Since action Tag is non-terminating, rules with this action should not shadow other rules.

  • see #2074 On FreeBSD ifconfig does not understand parameter carpdev

  • fixes #1866 "support for pf option set state-policy", #1868 "support for pf option set block-policy", #1869 "support for pf option set debug".

  • fixes #2092 option "stp" should be optional in the ifconfig command that builds bridge interface for FreeBSD. The dialog provides checkbox "Enable STP", parameter "stp" will be added to the ifconfig command only when the checkbox is turned on.

  • fixes #2091 "ethernet interface options are used twice if the interface is a bridge port". When an interface appeared twice in the firewall configuration, such as when it is used as a bridge port and as a vlan parent interface, options configured for it in its settings dialog were added twice to the generated configuration.

  • see #1871 "PF Actions Tag and Classify can be terminating or non-terminating". Added checkbox to the action properties dialog for actions Tag and Classify for PF that lets the user choose if these actions should be terminating or not. Old behavior (Tag was non-terminating and Classify was terminating) is reflected in default settings of the checkboxes. Terminating rules generate "pass quick" commands, while non-terminating rules generate "pass" commands (no "quick" option).

  • see #1807, #2104: arrange interface configuration commands in the generated script in such order that bridge and carp interfaces are configured after all other interfaces are done.

  • see #2105: generated script now supports vlan interfaces with names that do not match vlan IDs (OpenBSD, FreeBSD, shell script format).

  • Making sure we print "ifconfig" commands for mtu and other parameters for all interfaces, including those with no ip addresses and bridge ports (unnumbered interfaces used to be skipped before)

  • fixes #2100 carp password should be optional parameter

  • fixes #2096 added support for negation in Interface column for PF NAT rules. Sets of interfaces are converted to complementary sets using complete list of interfaces of the firewall.

  • fixes #2095 added support for groups and multiple objects in column "Interface" for PF NAT rules. These translate into { em0 em1 em2 } groups in generated pf.conf lines.

  • fixes #2101 "CARP interfaces are set with same advskew". When a new PF cluster is created, the master advskew parameter will be set to 10 and backup to 20 to make it deterministic.

  • fixes #2116 "When CARP interface IP address can't be assigned error or warning should appear". The problem actually affects any type of interface. Generated script should abort with an error termination code when ifconfig fails to assign IP address to an interface.

  • fixes #2117 "CARP interfaces in cluster that use VLAN interfaces have no interface set to MASTER". When a PF cluster configuration was built using vlan interfaces of member firewalls, CARP interfaces were not properly configured with the master/slave choice the user makes on the first page of the new cluster wizard.

  • see #2143 "installer should run /etc/rc.d/pf script to reload PF rules on FreeBSD when generated script is in rc.conf format"

  • see #2224 "FreeBSD - Bridge interfaces with the name vlan don't show as Bridge Port Interfaces". This actually applies to all OS where we support vlan and bridge interfaces. The fwbuilder GUI should allow the user to set the subinterface type to both "ethernet" and "vlan" when its parent interface has type "bridge". Setting the subinterface type to "ethernet" makes it a bridge port, while setting the type to "vlan" signals the policy compiler that it should generate code to configure a real vlan interface. If the name of the subinterface does not include the name of the parent, such as "vlan101", or when the name does not match the vlan ID, such as "vlan8101", the global preferences option "Verify interface names and autoconfigure their parameters..." should be turned off. The option is located in the Preferences dialog, tab "Objects".

Changes in support for ipfilter

  • There are no changes in the support for ipfilter in this release

Changes in support for ipfw

  • There are no changes in the support for ipfw in this release

Changes in support for Cisco IOS ACL

  • fixes #1966 "IOSACL: object-group can get name that consists of only suffix". Compiler generated object-group statements with names such as ".src.net.0" in some cases.

  • see #2252 TCP and UDP service objects that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

  • see #2330 "Crash when creating a cluster of IOS router firewalls". Added support for basic IOS router clusters. No failover protocol support at this time, but the cluster can be configured with protocol "None" and fwbuilder will do address substitutions at compile time.

Changes in support for Cisco ASA and FWSM

  • FWSM v4.x does not have "fixup" command, instead, we should use policy-map and class commands.

  • refs #1893 fixes #1883 "inspect IP options in PIX8". Added support for "policy-map type inspect ip-options" command in PIX v8.2 and later. At this time, of all possible types of "policy-map type inspect" command only "ip-options" is implemented.

  • refs #1882 "Mixed service groups in PIX8". Added PIX versions 8.0 and 8.3; added support for mixed service groups in PIX 8.0 and later.

  • fixed #1892 "move rule processor class separateServiceObject to PolicyCompiler". This rule processor used to be implemented only in the compiler for PF, but since it has a very general meaning, the same function was duplicated in other compilers as well. Moved the class to libfwbuilder and reimplemented several other rule processors to inherit from this class to avoid further duplication of code.

  • fixed #1891 "problems with TCP and UDP services with source ports". Policy compiler for PIX did not generate correct PIX ACL lines when one Policy rule tried to match several TCP and/or UDP objects matching source ports.

  • fixes #1901 "add destructor to NATCompiler_pix and NATCompiler_asa8". This eliminates memory leak.

  • refs #1885 "named network and service objects in PIX8". So far, these objects are only used for nat configuration.

  • fixes #1903 "correct order of clear commands for ASA 8.3"

  • refs #1886 "new nat configuration in PIX 8.3". Initial support for the new style nat configuration.

  • fixed #1862 "fwb_pix crash". Compiler fwb_pix crashed when DNS Name run-time object was used in a rule, but worked fine and issued an error when used in single-rule compile mode.

  • fixed #1906 "ASA NAT - Address objects are not properly identified by network zone and have the wrong real interface". The problem should have affected both "old" (PIX 6 and 7) and "new" (ASA 8.3) configuration. When an Address object was used in Original Source of a NAT rule, compiler used wrong interface in the (interface1,interface2) pair in "nat" command.

  • fixed #1905 "fwbuilder crash when compiling a rule with hosts folder as destination". Compiler issues a warning when an empty group object is used in a rule, but GUI crashed when user tried to compile this rule using single-rule compile function. The change actually affects all policy compilers and makes sure the GUI catches exception and does not crash, and prints any errors generated by the compiler in the compiler output panel when single-rule compile function is used.

  • refs #1908 "ASA NAT - cannot configure static NAT translations with (inside,outside)". Added NAT rule option to make source nat rules "static". The option is presented to the user as three radio buttons in the NAT rule options dialog which is only enabled when platform is "PIX" and version >= 8.3. Policy compiler generates "twice nat" rules with keyword "static" in the following cases: when TSrc is "original", so the rule translates destination and not source or when numbers of ip addresses represented by OSrc and TSrc are equal. If TSrc is not "original" and represents different number of IP addresses than OSrc, compiler looks at the new rule option. User can use or override automatic algorithm using radio buttons in the NAT rule options dialog.

  • refs #1902 "Add NAT rule option "translate dns" for PIX". The option is only available for ASA 8.3 or later.

  • fixed #1909 "ASA NAT - static nat port translation where service is the same for original service and translated service not generated correctly"

  • fixed #1913 "ASA/PIX rules with logging enabled don't have log set unless user modifies Firewall Settings". Added default log level setting to the resource xml file for platform "PIX", set to "informational". ACL lines now get "log " keyword followed by the log level taken from the rule options, or if that was not configured, from the firewall object settings, or if that is not configured, the default.

  • refs #1907 "ASA NAT - fwbuilder doesn't support multiple translated sources in a single NAT rule". Compiler uses object-group to translate NAT rules that have multiple objects in Translated Source.

  • refs #1885 Compiler uses named objects and objects groups to build configurations that use address ranges in TSrc in NAT rules. (only ASA 8.3 and later)

  • fixed #1917 "Duplicate objects are not detected". Compiler should detect duplicate objects that may be created in a rule element when user combines Address Table object with other address or network objects there.

  • fixes #1934 "libfwbuilder::getOverlap() incorrectly calculates overlap between IPv4 networks". This should also fix SF bug 3156376 "Can not find interface with network zone that includes address range".

  • fixes #1932 "Add description field to generated NAT rules for ASA". NAT rules generated for ASA 8.3 and later will have "description" keyword added, with rule label as an argument. Rule label includes word "NAT" and rule number.

  • Added support for CustomService objects in policy and nat rules for ASA 8.3 using named objects and object-groups. -- see #1942 "ASA NAT - if custom service is included in service group incorrect config generated" -- see #1929 "move map named_objects inside class NamedObjectManager" -- see #1946 "restrict generation of the named objects by PolicyCompiler_pix to ASA 8" -- see #1885 "named network and service objects in PIX8" Note: this has been rolled back. There is no support for CustomService objects in NAT rules.

  • see #1941 "ASA NAT - compiler complains about range in original destination". NAT rules translating destination allow Address Range objects in ODst or TDst for ASA 8.3

  • see #1940 "ASA NAT - fwbuilder host objects interface IP is reserved keyword". Added list of reserved words used in IOS and ASA software to make sure generated named objects do not conflict. Will maintain single super-set of reserved words instead of separate set for each version of IOS and ASA.

  • fixed #1938 "icmp" commands were not generated for ASA 8.x policy rules.

  • See #1927. Added check for NAT rules that request translation of destination address but have ODst "any". This only applies to ASA 8.3; these rules are prohibited.

  • fixes #1916 "nat rule must be "static" when subnet is present in TSrc"

  • see #1942 improved support for CustomService objects for ASA 8.3. Generate separate named object and object-group for these objects, then split policy and nat rules so that only one custom service object is left in each rule and then use object-group to match it. Note: this has been rolled back. There is no support for CustomService objects in NAT rules.

  • fixes #1948 "incorrect configuration created when a CustomService object is used in a policy rule for PIX/ASA versions prior to 8.3". Since we do not support custom service objects in policy and nat rules for versions older than 8.3, added check to generate fatal error when such object is used.

  • fixes #1945 "object-group names include ever-growing suffix". Object-groups created by the compiler for PIX/ASA had numerical suffix that was constantly increasing when user used single-rule compile function in the GUI.

  • fixed #1944 "ASA Policy - duplicate network object groups created for mixed service group with TCP dst and TCP src port range objects". Need to convert address range objects to subnets early, before the rule is split for any reason, to make sure object groups created later match and are reused.

  • See #1943 "ASA Policy - mixed service group with TCP destination port range and standard TCP object generates invalid config". Protocol word "tcp" was missing after "deny" in the generated rule.

  • see #1949 "ASA NAT - split objects if OSrc contains objects that are in more than one network zone".

  • ASA 8.3 see #1942, #1943 fixed generation of the "object-group" statements by adding protocol keyword at the end so that the group can be used in access-list commands. It looks like mixed service groups that have no protocol keyword at the end of the line that defines them cause error "specified object group has wrong type; expecting service type". I am going to avoid using mixed service groups because of this.

  • see #1953 "ASA NAT - two host objects in the same rule result in incorrect config". Objects that represent addresses of interfaces of a host object created using template will be automatically renamed to follow standard naming convention "host_name:interface_name:ip" to avoid creating duplicate names.

  • see #1960 add support for CustomService for PIX policy rules. Note that CustomService objects are only supported in Policy rules since nat commands in ASA 8.3 require use of named objects and it is difficult to implement correct named objects and object-groups with protocol parameter and custom services.

  • See #1959 "ASA Policy - ranges are broken into composite network instead of using range command." Added support for address ranges using named network object with parameter "range" for ASA 8.3 and later. NOTE: if a network or IP address object is used in a nat rule for ASA 8.3, a named object has to be created for it since ASA 8.3 does not accept IP addresses or subnets in "nat" commands. In the situation like this, if the same address or network object is used in any Policy rule, the same named object will be used in the generated access-lists command.

  • see #1959 Moved generation of the code that defines named objects to class NamedObjectManager. This allows me to put all named object commands on top of the generated policy, nat and routing configurations and make sure each object is defined only once. Still need to do #1963 - move code that generates commands to define object-groups to class NamedObjectManager.

  • see #1954 "ASA NAT - generate warning if nat rule is split and one of the resulting nat rules have the same real interface and mapped interface". Compiler issues warning when objects used in OSrc and TSrc of a NAT rule make it use the same interface as both real and mapped interface in the generated nat command. This check is only done for ASA 8.3 NAT rules.

  • see #1963 "move printing of object-group definitions to NamedObjectManager::getNamedObjectsDefinitions()". Consolidated code that works with named objects and object groups in the class NamedObjectManager. This class manages all the objects and in the end generates commands.

  • Refactored parts that generate "clear" commands to make sure they are printed in the right order at the top of the generated configuration. Previously compiler placed "clear global", "clear static" and "clear nat" commands above the NAT section but below policy section. Since ASA8.3 nat commands can use named objects and object groups, and since I have added support for object groups in ASA 8.3 policy rules, I now need to clear objects and object groups at the very beginning of the generated config. However in order to be able to clear objects and object-groups, I need to clear access-lists and nat commands that might be using them first. So, all clear commands are now grouped at the beginning of the generated configuration. This affects PIX/ASA, iosacl and procurve_acl platforms.

  • See #1965 "ASA Policy - PIX 6.1 configurations use object groups". Policy compiler for PIX is now aware that object-group statement was introduced in PIX v6.2 and avoids using object-groups when firewall object version is set to 6.1

  • made names automatically assigned to object-groups in generated PIX configuration shorter by removing interface label prefix.

  • see #1968, #1972 Class NamedObjectsManager maintains its own copy of the object tree that holds the object group objects it creates during compiler passes. This allows me to maintain one common set of object groups for both policy and nat compilers and avoid creating duplicate and redundant object-group statements.

  • see #1968, #1972 class NamedObjectsManager (and derived classes for IOS and PIX) generate "clear" commands. This way, I can generate correct set of "clear" commands that take into account any named objects and object-groups that could be created during both policy and nat compiler passes.

  • See #1958 "consistently use "exit" to get out of nested context in PIX config". Using "exit" to leave a nested context after adding a network or service object in the generated PIX/ASA configuration.

  • see #1970 "ASA Policy - single IPv6 icmp object allowed in rules". Since we do not support IPv6 for PIX/ASA at this time, the policy compiler drops the rule if an IPv6 address or icmpv6 service is used in it and issues a warning. A dropped rule does not appear in the generated configuration at all, so check the compiler warnings to make sure traffic the rule was meant to filter is not left uncovered.

  • see #1981 "ASA / FWSM Policy - Generate warning message if rule will not generate config data"

  • fixes #1986 "Cisco ASA remarks should be truncated to 100 characters or less". All lines used for access list remarks are now trimmed to fewer than 100 characters. Remarks are limited to 100 characters (less than 101) on PIX/ASA and to 99 characters (less than 100) on IOS; text beyond that limit is truncated.

  • fixes #1994 "Crash when compiling a firewall in an imported Library". Compilers should reset any read-only flags in the copy of object tree they work with before they make any modifications.

  • fixes #2060 "Existing configuration objects are not cleared in PIX 6.3". Commands used to clear object groups and objects have different syntax in PIX 6.3 and PIX 7 and later.

  • see #2098 Added support for user-configurable inbound and outbound interfaces in Cisco PIX/ASA NAT rules. Two new columns appear in the rule set view: "Inbound Interface" and "Outbound Interface". If user leaves one or both columns blank, the GUI shows "Auto" in there and policy compiler picks corresponding interface automatically. Leaving both columns blank ("Auto") triggers backwards-compatible automatic behavior where both interfaces are picked automatically. Multiple interface objects and groups of interfaces are allowed in these columns.

  • fixes #2113 "ASA/PIX SNMP discovery - assign default labels based on interface description". Added pattern to match Cisco ASA interface description which is different from Cisco PIX interface descriptions as returned via snmp.

  • see #1990 "Change default value for Cisco ASA/PIX 7+ to generate outbound ACLs". Newly created PIX/ASA firewall objects will now have "generate outbound acl" option turned on by default.

  • see #2252 TCP and UDP service objects that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Note that for existing IOS and PIX firewall objects this widens the match: the ports at both range boundaries, which were previously excluded, are now matched (and therefore permitted or denied) by the generated access list. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

  • see #2263 looks like "object-group service" that includes named objects defined as "service-object" can not be used in access-list commands and therefore is useless. Unless I misunderstood and there is a way to use it, I should not generate ASA configuration like this:

            object-group service id5102X14531.srv.tcp.0 tcp
              service-object object http.0
              service-object object https.0
        

    Object-group with "tcp" or "udp" type-suffix in the end does not allow "service-object" statements at all, so this configuration is incorrect anyway. However even without "tcp" in the end to make "service-object" references acceptable, the group can be built but can not be used in access-list statements.

    Instead, the group should use port-object statements:

    	object-group service id5102X14531.srv.tcp.0 tcp
    	  port-object eq 80
    	  port-object eq 443
        
  • see SF bug 3213019 "FWSM Network zone and IPv6". Currently we do not support IPv6 with PIX/ASA and FWSM. If user creates a group to be used as network zone object and places IPv6 address in it, this address should be ignored while compiling the policy but this should not be an error.

  • see #2308 "ASA rules with service set to "http" and destination set to ASA firewall object should generate different command syntax". Policy rules that have firewall object in Destination and http object in Service now generate "http" commands. This is similar to how fwbuilder generates "ssh", "telnet" and "icmp" commands to permit corresponding services to the firewall itself.

  • see #2344 "FWSM install errors for clear commands". Using correct syntax for "clear" commands for FWSM v4.x

  • see #2343 "Interface nameif error when installing generated config for FWSM". Use correct "nameif" command syntax in FWSM 2.x and 4.x.

  • see #2345 More fixes for FWSM 4.x: "service resetoutbound", "timeout xlate", "timeout sunrpc"

  • see #2344 fwbuilder should not generate any "ntp" commands for FWSM because NTP can not be configured on FWSM.

  • see #2322 If this is FWSM and if manual commit mode is used, need to commit after clearing ACLs before we clear object groups.

  • see #2347 "FWSM move up the "access-list mode auto-commit" command". Command that configures access list commit mode should be issued before any commands that clear and configure access lists. Also in this change moving commands that set up temporary access list to the top of the script.

  • see #2348: "Accounting action is not valid for FWSM platform". Actions "Accounting" and "Reject" should not appear in the drop-down list of actions in the GUI if platform is PIX or fwsm.

  • see #2295 Added FWSM version "3.2". According to Cisco documentation, FWSM version 3.2 matches PIX 7.

  • see #2351 Security levels of ASA and FWSM interfaces do not have to be unique. Removed check that enforced this.

Changes in support for HP ProCurve

  • There are no changes in the support for HP ProCurve in this release

Changes in packaging

  • This version is the first one to merge libfwbuilder and fwbuilder packages. The libfwbuilder library is now in the src/libfwbuilder subtree inside fwbuilder code tree.

  • RPM .spec files and DEB .control files are now located in the directory "packaging" inside fwbuilder code tree.

  • Changes in the versioning format: build number is going to be used as part of the long version number, composing complete version as "4.2.0.3425". The "-n" suffix in rpm and deb package names will be used for package release number and most of the time will be "-1". This suffix should reflect minor differences in the package that do not affect the code.

  • We have stopped making builds on Ubuntu Hardy. Old Qt (4.4.1) means more and more parts of the code do not compile and require workarounds, sometimes with loss of functionality in the GUI. v4.1.3 will be the last officially released version of fwbuilder to work on Hardy.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_4.2.2.html000066400000000000000000002327021303637203600233040ustar00rootroot00000000000000

Firewall Builder 4.2.2 Release Notes

v4.2.2 is a minor bug-fix release

SourceForge: Tickets for V4

GUI Updates

  • fixes #2395 "Crash when setting installer directory location" and fixes #2396 "Crash when changing firewall name". These two bug reports were manifestations of the same problem, which was introduced by the fix for #2380. When the user hit OK in the new firewall dialog and the new firewall object was added to the object tree, any editing of the parameters of this new object would cause the GUI to crash.

Firewall Builder 4.2.1 Release Notes

v4.2.1 is a minor bug-fix release

SourceForge: Tickets for V4

GUI Updates

  • Fix for SF bug 3169045 "Batch installer lists IPv4 address as management address". Built-in installer wanted to use management interface address in batch mode even when alternative address or putty session name was provided. This happens only in batch mode install.

  • fixes #2370, #2371 "broken signals in network discovery wizard". The network discovery wizard was not correctly initialized and did not work.

  • fixes #2368 and SF bug 3294457 "External install script". External install script name and arguments weren't saved for IOS firewall objects.

  • fixes #2360 "Sometimes fwbuilder opens with object tree scroll bar centered so folders are not visible"

  • fixes #2385 "PF action Classify uses wrong parameter". This change fixes a bug introduced in 4.2.0 that affects rules with action Classify in PF firewalls. The bug causes the following problems:

    For users who built their rules before v4.2.0:

    • rules compile normally, both in the single rule compile and when the whole firewall is compiled
    • if they opened the action of one of such rules in the action editor, the classification string would look empty
    • if they entered new classification string in the editor, compiler kept using the old one (which they can not see or change in the editor)

    For users who tried to build rules with action Classify with v4.2.0:

    • no matter what classification string they enter in the action dialog, generated code does not use it

Firewall Builder 4.2.0 Release Notes

SourceForge: Tickets for V4

Summary

This release brings significant improvement in compile time on large object trees. The speed-up is especially noticeable in single rule compile where the time before generated firewall configuration appears in the GUI shrank by up to a factor of 10.

This release adds interfaces to the NAT rule model. There are two interfaces per NAT rule: "inbound interface" and "outbound interface". DTD version changes to "18", old data files need to be upgraded. Inbound and outbound interfaces in NAT rules are supported for iptables, ASA/PIX/FWSM and PF, but in the case of PF GUI exposes only one interface to the user since PF commands can not match two interfaces simultaneously.

This release adds support for ASA 8.0 - 8.3 configuration generation, including named objects and "new" style nat commands in ASA 8.3

This release comes with numerous improvements in support for FWSM 2.x, 3.x and 4.x configuration generation.

This release implements import of PIX, ASA and FWSM configurations. Host name, version, interface configuration, object groups, named objects, access lists as well as commands "global", "nat" and "static" can be imported. There is no support for import of the "new" ASA 8.3 "nat" commands just yet. Also there is no support for import of standby configuration, which means PIX clusters can not be created automatically by importing existing configuration.

This release adds the ability to generate an initialization script in rc.conf format for FreeBSD. Only FreeBSD is currently supported (not OpenBSD). The generated script includes variables to configure interfaces and their IPv4 and IPv6 addresses, vlans, CARP and pfsync interfaces, as well as variables that initialize PF.

This release adds ability to automatically detect firewall platform from the format of the imported configuration file. Import is supported for iptables, Cisco IOS or Cisco ASA/PIX/FWSM. The program detects firewall platform, version and host name (if possible) from the contents of the configuration and shows platform-specific warning to explain what parts of the config can and can not be imported. Importer wizard has been reimplemented using QWizard and QWizardPage classes and its workflow significantly improved.

Starting with this release the program can optionally re-use existing objects from both Standard Objects and user-defined libraries when it imports existing firewall configuration. This works for any firewall platform for which we support policy import. Objects are matched by attributes such as address, netmask, port etc. Object name and comment are not taken into account. Importing the same configuration file twice creates two firewall objects with the same interfaces and rules but re-uses address and service objects created on the first import.

Deduplication algorithm is as follows:

  • ASA/PIX/FWSM configuration import:

    ASA configuration language supports named objects and object groups. On import, fwbuilder creates objects and groups with the same names and uses them in rules. Objects created from in-line address/netmask and port specifications found inside object-group, access-list, filter or nat commands are considered "anonymous" objects. These get automatically generated names and are deduplicated using only their relevant attributes but not names. Objects created from PIX named object ("object network foo", "object service bar") statements are considered "named" objects. They get the name matching the name in the corresponding PIX config line and are deduplicated using both relevant attributes and the name.

  • iptables:

    Fwbuilder can only import iptables configuration saved with the "iptables-save" command. This format does not support variables or named objects, therefore all objects created from address and port specifications are "anonymous" and get automatically generated names. They are deduplicated using their address, netmask, port numbers and other relevant attributes but not their names.

TCP and UDP service objects in fwbuilder that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Note that for existing IOS and PIX firewall objects this widens the match: the ports at both range boundaries, which were previously excluded, are now matched (and therefore permitted or denied) by the generated access list. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

GUI Updates

  • fixed #1872: "vlan interface does not appear in the list of interfaces for route-to action for PF".

  • context menu item that opens object in the editor should be named "Inspect" when the object is read-only because the editor would not allow the user to change it.

  • fixed #1926 "Crash when moving object in Standard library". Context menu item "Move" should be disabled when the object is located in the read-only library.

  • see #1976 "Crash when deleting firewall object from rule after export / import library" Crash occurred as the result of the following sequence of actions in the GUI: 1) use context menu item "Cut" to delete an object in the tree, 2) open object group or rule and use context menu item "Paste" to add it, 3) export library to an external file, 4) import this library into different data file, 5) save the data file. Saved data file is invalid XML since it has unsatisfied reference and some operations on it cause crash. The problem is that since it is a reference to the object that is being added in case of both groups and rules, we end up with a group or rule with a reference to an object that is located in Deleted Objects library. Deleted Objects library is not included when a library file is merged into data file and this leads to a dangling reference. The fix is to not allow Paste if object in the clipboard has been deleted.

  • see #1980 "Objects from Deleted Objects should not be allowed to be used in rules". Added checks to not allow drag-and-drop of an object from Deleted Objects library into rules and groups.

  • see #1994 "Crash when compiling a firewall in an imported Library". To prevent crash, added check to make sure firewall object is not read-only before an attempt to update its "last compiled" or "last installed" timestamp.

  • fixes #1993 "V4.2 on Windows - export Library shows the file type as Firewall Builder 2"

  • fixes #1992 " V4.2 on Windows - installer error can't find Secure Shell utility"

  • fixed #1989 "variables respath and librespath are redundant and copy Constants::getTemplateDirectory()". Got rid of global variables sysfname, tempfname, librespath, respath and localepath; will now use class Constants to keep this information.

  • fixes #1998 "Crash after running find-and-replace then closing file". Specific sequence of actions and only on Mac OSX caused GUI to crash. To fix, I clear editor panel when user closes project window using MDI window title menu item "Close" or "Close" button.

  • see #1996 "Crash when finding and replacing a large number of objects". When "find and replace" function was used to replace large number of objects in a rule set, it generated stream of calls to updateLastModifiedTimestampForAllFirewalls() which caused corresponding stream of events to update various parts of the GUI, both in the tree and rule set views. This caused weird corruption and crash on Windows. Trying to resolve the issue by optimizing the part that updated "last modified" timestamp on the firewall since all parts of the rule set updated in one call to "find and replace" function belong to the same firewall.

  • fixes #2000 "New dialog window in New Firewall wizard for ASA / PIX - Network Zone explanation". Added page to the new firewall wizard to let the user configure network zones of interfaces when chosen firewall platform supports network zones (only PIX/ASA right now).

  • fixes #1983 "ASA multiple interfaces have the same security level". Using table widget with spin-boxes to let the user edit security levels of interfaces conveniently.

  • see #2006 "Crash when closing editor panel with find-and-replace". The GUI crashed if user tried to close editor panel at the bottom after closing objects+rules panel and while some object was still displayed in the editor.

  • See #2015 "Add support for setting names of generated .fw and .conf files separately for PF". Added second input field in the "advanced settings" dialog, tab "Compiler" for the firewall platform "PF". Now user can set the name for both the generated .fw initialization script and .conf PF configuration file, as well as names for both files on the firewall. Support for this is generic and the same functions work for other platforms if corresponding input field in the dialog exists. The name of the initialization script is set as follows: 1) if user provided -o command line switch to the compiler, its argument is used. 2) if -o switch was not present but the name was configured in the firewall settings dialog, it is used. 3) if none of them were present, the name is constructed from the name of the firewall object with suffix .fw. The name of the .conf PF configuration file is taken from the settings dialog, but if it is blank, then it is constructed from the name of the initialization script but with suffix .conf.

  • fixes #1914 "Address table object file name is not created properly if user clicks outside Editor panel"

  • fixes #1915 "tooltip shown when mouse is over rule number should be added to the list of suppressed tooltips when 'Advanced user mode' is in effect"

  • fixes #2064 "CARP interfaces are not properly installed on FreeBSD cluster". I need to populate failover group objects with some reasonable defaults when they are created.

  • fixes #2067 "Add way to show interface label in object tree". The tree now shows interface name and label if the label is not empty.

  • fixes #1979 "New firewall created with Cisco c36xx template results in network object in interface column in Policy"

  • fixes #1895 "Add context menu option to expand all child nodes in object tree". Added menu item "Expand" to the context menu associated with all objects in the object tree. This item recursively expands all tree nodes under the given object and automatically changes to "Collapse" if the item is expanded. Also changed behavior of the double click on the object in tree: before, double click opened object in the editor and expanded or collapsed subtree. Now it only opens object in the editor but does not expand/collapse subtree.

  • see #2103 "complex vlan/bridge configurations are not supported by the interface validation code". Added a checkbox to let the user turn off interface name validation functions in the GUI. The checkbox is located in the global Preferences dialog, tab Objects, subtab Interface. For backwards compatibility, the checkbox is turned on by default. When it is off, the GUI does not validate the names of interfaces and subinterfaces and turns off the checks that enforced interface name patterns for VLAN, bridge and bonding interfaces. It also turns off the check for the validity of the vlan ID derived from the vlan interface name and turns off automatic configuration of interface type and vlan ID. These checks sometimes were in the way of building complex configurations that involved multiple vlan interfaces with names not matching their IDs. This also fixes SF bug #3066714 "please dont stop me from creating a new interface" where the user wanted to create interface "veth201.0" on Linux but the GUI blocked this operation because the name seemed to match the vlan interface pattern.

  • fixes #2099 "Object list scrolls up to the last edited object". Object tree used to scroll spontaneously when user started dragging an object from it to a rule.

  • fixes #1971 "Address range can be created with end address lower than start address". Address Range object dialog should not let the user enter range end address which is lower than range start address. Dialog behavior is now similar to the behavior of the tcp and udp service dialog where user can not enter port range end number lower than port range start number.

  • fixes #1678 "When creating a firewall from template it appears that a default template is selected". When user arrives at the page where they choose template to create new firewall object from, the first template should be automatically selected.

  • fixes #2135 "Editing table objects". Dialog of the AddressTable object now offers button "Edit" that lets the user edit address table file. This only works if the file is located on the same machine where the GUI is running, so it is probably most useful for compile time objects.

  • fixes #2139 "Provide "Cancel" button if Address Table file is read-only". If the file configured with Address Table object is read-only, the GUI shows warning when user clicks "Edit" button and offers a choice: open it for viewing read-only or cancel.

  • see #2140 "Attempting to create new Address Table file results in read-only error". Implemented support for the workflow when user wants to create the file used to feed addresses to the Address Table object.

  • see #2047 "Inspect generated files button shows different path information". Do not pass the full path to the output file as an argument of the "-o" option when the GUI launches the policy compiler. Since the "-d" option passes the directory path where files should be saved, actual file names do not need to be absolute paths, except if the user entered an absolute path for the output file name in the firewall settings dialog.

  • see #2153 "Add Network Zone explanation and selection dialog to ASA/PIX import". Wizard shows additional page when user imports PIX/ASA config. This page explains concept of network zones and offers UI to let them choose network objects or groups as a network zone of each interface.

  • fixes #2156 "After import the firewall should be opened in object tree".

  • see #2163 code that imports addresses from a file in /etc/hosts format moved to its own wizard; using QWizard and QWizardPage classes with correct implementation of page sequencing and validation; old discovery druid has been disabled. SNMP discovery and ios/PIX/iptables configuration import will move to their own wizards later.

  • fixes #2203 "Crash when attempting to add an object to a locked group".

  • fixes #2201 "Some fields of locked object are editable". Some input fields of the Custom Service object dialog were editable even when object was locked read-only.

  • fixed SF bug 3238026: build failure on systems without net-snmp development libraries.

  • see #2226 fixed GUI crash that happened when user tried to delete or cut an object from locked library.

  • fixes #2307 "GUI switches to another file after editor panel is closed"

  • see #2286 "Crash when closing file". The GUI crashed if user imported iptables or PIX configuration, then deleted a rule and tried to close project window.

  • see #2171 "Undoing delete of rule ends up with rules being created with duplicate rule numbers". Also see #2172 "Crash when deleting rule - related to #2171". When user deleted the last rule in a rule set, then used Undo to restore it, the program lost track of rules in the rule set and became unstable.

  • see #2335 "GUI switches between data files upon closing editor panel". If the user opened two data files in the GUI and was in the process of editing objects in one of them, the GUI would flip to the other file under certain circumstances.

  • see SF bug 3211769 "Member interfaces not sorted". Sorting interfaces by name in the dialog where user adds them to the cluster member group.

  • fixed #2287 "Show text description in rule columns" does not persist across sessions

  • see #2229 "Multiple new objects with the same name". The GUI should automatically choose unique object names for new objects.

Changes in command line tool fwbedit

  • see #2328 "Add ability to run firewall import from the command line". This has been implemented as a new function "import" in fwbedit. See man page fwbedit(1) and "fwbedit -h" for more details.

  • Starting with v4.2.0, fwbedit.exe is now part of the Windows package

Changes in policy importer for all supported platforms

Changes that affect import for all platforms

  • see #1931 "Update failed import behavior". Added meaningful error messages for when policy importer fails to create firewall object or does not create interface objects or any rules.

  • see #2161 "import workflow and automatic detection of firewall platform from the config file". When user imports existing firewall configuration, the GUI automatically detects firewall platform from the format of the config file and shows platform-specific warning to explain what parts of the config can and can not be imported. It also detects firewall host name where possible (currently Cisco IOS and ASA/PIX). Importer wizard has been reimplemented using QWizard and QWizardPage classes and its workflow significantly improved.

  • see #2162 menu item "File / Import Policy" renamed to "File / Import Firewall". This menu item launches wizard that imports existing iptables, Cisco router IOS or Cisco PIX/ASA config.

  • see #2183 "count errors and warnings generated by the importer and show the numbers in the progress page of the wizard". Configuration import wizard now shows counters of warnings and errors generated by the importer.

  • see #2189 Policy importer warnings and errors now include line numbers to help find relevant lines in the original configuration file.

  • see #2189 Program adds the file name and the line number to comments of policy and nat rules it creates during import.

  • fixed #1548 "Object de-duplication during import process". Also SourceForge 3030072 "remove duplicates during any import". Now the program can optionally re-use existing objects from both Standard Objects and user-defined libraries when it imports existing firewall configuration. This works for any firewall platform for which we support policy import. Objects are matched by attributes such as address, netmask, port etc. Object name and comment are not taken into account. Importing the same configuration file twice creates two firewall objects with the same interfaces and rules but re-uses address and service objects created on the first import.

  • see #2253 "importer should not creates objects while still in the middle of the wizard". Importer wizard creates new objects in the object tree only when user clicks Finish and abandons results if they click Cancel.

Fixes and improvements in import of iptables configurations

  • see #2190 "support for import of branches in NAT rules for iptables". Implemented import of NAT rules in user-defined chains for iptables, these translate into branching NAT rules in fwbuilder.

  • see #2196 "iptables nat rules with target REDIRECT not imported". Iptables NAT rules with target REDIRECT were not imported correctly.

  • fixes #2195 "incorrect iptables import of nat rule with NETMAP target"

  • see #2194 "iptables import problem with SNAT rule translating to an address range". NAT rules translating into address range with "-j SNAT --to-source 192.168.1.1-192.168.1.10" did not import correctly

  • see #2197 "iptables nat rules in chain OUTPUT not imported correctly"

  • see #2202 importer for iptables creates Custom Service object to match combination of states it does not recognize. This includes "NEW,ESTABLISHED".

  • see #2336 Importer for iptables recognizes version stored in the top comment by iptables-save and sets version in the firewall object it creates.

  • see #2206 iptables commands with no "-j TARGET" parameter should be imported using action "Continue".

  • see #2338 "Empty Mangle Policy object created on import". iptables rules in the table 'mangle' will be imported in the dedicated Policy rule set with name "Mangle". Rules that use chains FORWARD and POSTROUTING in table 'mangle' can not be reproduced and will be marked as "bad" (color red and corresponding comment).

  • see #2275 Importer for iptables now correctly handles both "intrapositioned" ("-s ! address") and "extrapositioned" ("! -s address") negation.

  • see #2245 fixed bug in parser for iptables that prevented correct import of iptables rules using module "multiport" with port range matches.

Fixes and improvements in import of Cisco IOS configurations

  • see #2248 implemented import of Cisco IOS and PIX/ASA service configurations using port operation "neq". Since the object model in fwbuilder does not provide direct support for the "port not equal to" expression, this configuration is converted into two tcp or udp service objects with port ranges extending below and above the specified port, and these two service objects are then placed in a group.

Fixes and improvements in import of Cisco ASA/FWSM configurations

  • see #2161 policy import wizard shows the page where user can set up network zones of interfaces if firewall platform was determined to be PIX.

  • see #2152 "ASA Import - shutdown interfaces". Importer recognizes and skips ASA interfaces in "shutdown" mode.

  • see #2248 implemented import of Cisco IOS and PIX/ASA service configurations using port operation "neq". Since the object model in fwbuilder does not provide direct support for the "port not equal to" expression, this configuration is converted into two tcp or udp service objects with port ranges extending below and above the specified port, and these two service objects are then placed in a group.

  • see #2268 updated list of named TCP and UDP ports recognized by the importer for Cisco ASA.

  • see #2277 "Create policy objects for ASA access-lists that are not applied in an access-group". Policy rule set will be created and populated with rules found in the corresponding access-list even if this access-list is not applied to an interface with access-group command.

  • see #2164 fixed import of "ssh" commands and added import of "http" commands for ASA/PIX/FWSM

Changes in the built-in policy installer

  • see #2039 "Installer reports success even if pfctl can't load config file". Added more pfctl error messages to the list to make code more robust.

  • fixes #2049 "Installer reports success even if there was an error while creating static routes". Added our own error message generated when command used to add static route fails to the list of error messages recognized by the installer.

  • fixes #2037 "If there is an error when compiling firewall then installer should be aborted". Compile/install wizard should disable "Next" button after compile phase is done if all firewalls failed to compile with no errors.

  • fixes #2061 "Installer shows success for failed installed on FreeBSD due to corrupt script file". Added a bunch of common shell error messages to make sure the installer recognizes them and marks the install as a failure even if ssh fails to pass the termination code.

  • fixed SF bug 3169045: "Batch installer lists IPv4 address as management address". The "summary" display in the installer progress log output will now show putty session name if it is used instead of the management address.

  • see #2073 "Add additional information or workflow when no management inferface configured". The error message shown to the user when no interface has been marked as "management" is now more verbose and provides instructions on how to do this. Also, if the user provided an alternative address to be used to communicate with the firewall, the check for the management interface is not performed since it is not needed.

  • see #2088 "Installer caches putty session". Need to initialize putty_session properly and clear it in clear().

  • fixes #2129 'deprecate "test install" function'. We have decided to deprecate test install because it is rather heavy-handed on Linux and PIX where it reboots the firewall and plain does not work on *BSD.

  • see #2239 Added variable "firewall_name" to configlets that define commands installer runs on the firewall to activate new policy (all platforms).

  • updated filesystem path on FWSM where fwbuilder built-in installer should place generated configuration when it is installed using scp. Currently using path "disk:".

  • see SF bug 3212988 "external script makes getopt difficult". User-defined parameters for the external script moved to the end of the command line.

Changes and improvements in the API library libfwbuilder

  • see #1972 Separated object creation and initialization. Some complex objects need to create a set of standard child objects. Previously this was done in a special type of constructor which required pointer to the object tree root (FWObjectDatabase*). This created problems with implementation of the method to register functions that create objects of new types outside of the API. Now all objects have just a basic set of constructors, plus method init() that can initialize them.

  • see #1972 implemented mechanism that allows me to register new object types created and used outside of libfwbuilder API. This means FWObjectDatabase can then copy and manipulate object trees that use these new object types.

  • fixes #1937 "RES_DIR macro is defined twice". Got rid of duplicate definition of this macro.

  • see #1985 added virtual function updateNonStandardObjectReferences() that is supposed to update any references to objects stored as attributes.

  • fixes #1997 "add removeRef and addRef methods to class NATRule". Now undo and redo correctly remove and restore references to NAT rule sets in NAT rules with action Branch.

  • fixes #1991 "Undo does not restore object as a parameter of policy rule action Branch or Tag after it was deleted deleted". Now Undo restores references to rule sets and tag services as arguments of corresponding policy rules, as well as references to objects configured as interface network zones.

  • fixes #1987 "Deleting object that is used as Network Zone for ASA/PIX interface results in inconsistent behavior". When an object that is used as a network zone of an interface is deleted, it should be removed from the interface configuration as well.

  • fixes #1995 "Crash when compiling a cluster with identical firewalls". Method Cluster::init() must call base class method Firewall::init() to get child Policy, NAT and Routing objects created.

  • See #2084 "snmp discovery takes forever on devices with large routing tables". This takes a very long time on devices with large routing tables. This code was implemented a long time ago and apparently routing data was intended to be used to discover "external" interfaces, but it is unclear if this is still done. The concept of external/internal currently exists only for platforms that support security levels (PIX) and there we guess levels by matching addresses against RFC1918 and let the user adjust levels manually anyway.

  • see #133 Added interfaces to the NAT rule model. There will be two interfaces per NAT rule: "inbound interface" and "outbound interface". DTD version changes to "18", old data files need to be upgraded.

  • see #2126 Using snmp sysDescr OID to guess version of the new firewall when it is created using snmp polling.

  • fixes #2209 "do not allow the same object to be child of different objects in the tree". Method FWObject::add() enforces this. Subsequent clean-up and fixes in many places to follow this logic. This makes code much cleaner, better organized and more reliable.

Changes and improvements in the library of standard objects

  • #2083 Added new services to the Standard Objects Library: rtmp, xmpp-client, xmpp-server, nrpe

common changes that affect policy compilers for all platforms

  • fixes #1920 "Setting host interface to unnumbered after it has been assigned IP address doesn't have desired effect". Compiler still used IP addresses that belonged to the interface even if it switched to "unnumbered". These child address objects should be ignored.

  • fixes #2124 "some error messages get multiplied when compiler splits rules". Under certain circumstances error messages could appear multiple times in the generated script.

  • see #2204 "Shadowing detected for rule with action Continue". Policy rules with action "Continue" should not shadow other rules and can not be shadowed.

  • see #2207 fixed memory leak in policy compilers. The impact of this leak was especially severe on Windows with very large object databases.

  • see #2212 "Performance improvement in compilers". This change brings significant improvement in compile time on large object trees. The speed-up is especially noticeable in single rule compile where the time before generated firewall configuration appears in the GUI shrank by up to a factor of 10.

  • sorting objects in rule element after cluster interfaces have been replaced, this helps ensure stable ordering of objects in generated configuration.

  • sorting objects in the rule element by name after group is expanded, this helps ensure stable ordering of objects in generated configuration.

Changes in support for iptables

  • fixed #1879 "gui crash". Both GUI and fwb_ipt crashed trying to compile a rule with action Branch that was not configured to point to any rule set.

  • fixed SF bug #3102044 "Colon in (runtime) Address Table name". Variable used to process addresses in the run-time address table should not use character ":" even if it appears in the Address Table object name.

  • fixes #1999 "log() does not work" Using built-in utility "command" to verify that all the tools the generated script needs to function properly are available and can be accessed either via direct full path or are in the PATH variable. This includes the check for the logger tool that is used to make a log record when the firewall is activated.

  • see #2097 #133 "support for inbound and outbound interface columns in iptables NAT rules". This also addresses SF feature requests 1954286 "DNAT with interface as condition not possible" and 621023 "manipulating interface in NAT rule".

  • fixes #2008 "option "--physdev-out" is not allowed in OUTPUT chain". After this change, compiler avoids INPUT/OUTPUT chain if interface in the rule column "Interface" is a bridge port and firewall is bridging firewall (which means we are going to use --physdev-in or --physdev-out option for this rule).

  • see #2170 "Compiler should generate error for invalid iptables NAT configs". Now that we allow the user to specify inbound and outbound interfaces in iptables NAT rules, compiler should verify that combination of requested "-i" and "-o" interfaces is in fact valid. For example iptables does not allow "-o" interface spec with rules that go into PREROUTING chain (DNAT rules) or "-i" interface spec with rules in POSTROUTING chain (SNAT rules).

  • see #2181 "Update iptables importer to detect inbound & outbound interfaces in NAT rules". Importer can now import nat rules with "-i" or "-o" interface spec.

  • see #2230 the GUI should allow limit-burst values of up to 10000

  • SF bug 3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are added automatically to IPv6 Linux firewall to permit neighbor discovery packets should be also added to the FORWARD chain if the firewall is a bridge.

  • see #2324 "NAT + MAC-matching rules not generated properly". iptables NAT rules matching a group of host objects with both IP and MAC addresses each in "Original Source" were not generated properly.

  • see #2235 "Modified rule action for Continue". Rules with action "Continue" should translate into iptables commands without "-j TARGET" parameter. If such rule also has logging enabled, it should use target "-j LOG" instead of generating additional chain.

  • see #2359 "Crash when compiling single rule with IPv6 destination and IPv4 gateway or interface". Routing compiler for iptables does not support ipv6 at this time and will issue a warning when user tries to place ipv6 address or network in a routing rule. The warning does not appear when ipv6 address is a member of a group used in the rule. Also see #1575.

Changes in support for PF (FreeBSD, OpenBSD)

  • see #1890 "Add support for configuring static routes on BSD". Implemented support for simple static routing rules. ECMP and routing via interface (routing to directly reachable subnets) are not supported. Generated script preserves static routing entries that existed before and attempts to recover in case of error.

  • see #1888 "Add option to generate rc.conf.local file for BSD systems". Added ability to generate initialization script in rc.conf format for FreeBSD. Only FreeBSD is currently supported (not OpenBSD). Generated script includes variables to configure interfaces and their IPv4 and IPv6 addresses, vlans, CARP and pfsync interfaces, as well as variables that initialize PF.

  • fixes #2026 Compiler can now generate static routing configuration in rc.conf format for FreeBSD.

  • fixes #2032 "support for DHCP interfaces in rc.conf mode". Include dynamic interfaces in the list of interfaces the generated script manages when the script is in rc.conf format. This adds lines similar to 'ifconfig_em0="DHCP"'.

  • fixes #2038 "pfctl error when firewall settings include scrub option for reassembly". Command "scrub all reassemble tcp" does not allow direction. Tested and verified on OpenBSD 4.2 and FreeBSD 8.1

  • see #1889, #2043 Added support for bridge interface configuration in BSD.

  • fixes #2054 "Add support for load anchor PF command". Instead of loading anchors using "pfctl -a anchor -f file" command in the .fw initialization script, now generated PF configuration uses "load anchor" commands in the pf.conf file. This way, we can load anchors correctly when PF configuration is activated from the generated rc.conf.local file where only one pf.conf file can be referenced.

  • fixes #2042 "add configlet and shell functions to manage bridge interfaces via shell script on OpenBSD and FreeBSD". Bridge interfaces are managed incrementally, that is, the script creates and destroys them as needed, then adds or removes bridge ports, to bring bridge configuration in sync with what is defined in fwbuilder GUI.

  • fixes #2065 "activation commands on FreeBSD and OpenBSD lose script exit status". Sequence of commands run by the built-in installer on *BSD firewalls was losing the exit status of the script, which meant the installer always declared installation a "success" even when there were errors.

  • fixes #2066 "Existing VLAN interfaces are not properly removed from FreeBSD and install script fails"

  • fixes #2069 "PF: allow multiple objects in ODst of redirecting nat rule". This fixes SF bug 3162862 "NAT - more than one object in original destination"

  • fixes #2071 "vlandev missing in the vlan definition (when using rc.conf.local )"

  • fixes #2058 "Ability to configure mtu and metric of regular interfaces". "Advanced settings" dialog of the interface object provides controls to configure MTU and possibly add any additional ifconfig parameters. This is available for OpenBSD and FreeBSD.

  • see #2078 added verbose error message in a situation when "ifconfig carp0 create" command fails to create CARP interface.

  • see #1867 "PF: rule with non-terminating action Tag shadows other rules below it". Since action Tag is non-terminating, rules with this action should not shadow other rules.

  • see #2074 On FreeBSD ifconfig does not understand parameter carpdev

  • fixes #1866 "support for pf option set state-policy", #1868 "support for pf option set block-policy", #1869 "support for pf option set debug".

  • fixes #2092 option "stp" should be optional in the ifconfig command that builds bridge interface for FreeBSD. The dialog provides checkbox "Enable STP", parameter "stp" will be added to the ifconfig command only when the checkbox is turned on.

  • fixes #2091 "ethernet interface options a used twice if the interface is a bridge port". When an interface appeared twice in the firewall configuration, such as when it is used as a bridge port and vlan parent interface, options configured for it in its settings dialog were added twice to the generated configuration.

  • see #1871 "PF Actions Tag and Classify can be terminating or non-terminating". Added checkbox to the action properties dialog for actions Tag and Classify for PF that lets the user choose if these actions should be terminating or not. Old behavior (Tag was non-terminating and Classify was terminating) is reflected in default settings of the checkboxes. Terminating rules generate "pass quick" commands, while non-terminating rules generate "pass" commands (no "quick" option).

  • see #1807, #2104: arrange interface configuration commands in the generated script in such order that bridge and carp interfaces are configured after all other interfaces are done.

  • see #2105: generated script now supports vlan interfaces with names that do not match vlan IDs (OpenBSD, FreeBSD, shell script format).

  • Making sure we print "ifconfig" commands for mtu and other parameters for all interfaces, including those with no ip addresses and bridge ports (unnumbered interfaces used to be skipped before)

  • fixes #2100 carp password should be optional parameter

  • fixes #2096 added support for negation in Interface column for PF NAT rules. Sets of interfaces are converted to complementary sets using complete list of interfaces of the firewall.

  • fixes #2095 added support for groups and multiple objects in column "Interface" for PF NAT rules. These translate into { em0 em1 em2 } groups in generated pf.conf lines.

  • fixes #2101 "CARP interfaces are set with same advskew". When new PF cluster is created, master advskew parameter will be set to 10 and backup to 20 to make it deterministic.

  • fixes #2116 "When CARP interface IP address can't be assigned error or warning should appear". The problem actually affects any type of interface. Generated script should abort with an error termination code when ifconfig fails to assign IP address to an interface.

  • fixes #2117 "CARP interfaces in cluster that use VLAN interaces have no interface set to MASTER". When PF cluster configuration was built using vlan interfaces of member firewalls, CARP interfaces were not properly configured with master/slave choice user makes on the first page of the new cluster wizard.

  • see #2143 "installer should run /etc/rc.d/pf script to reload PF rules on FreeBSD when generated script is in rc.conf format"

  • see #2224 "FreeBSD - Bridge interfaces with the name vlan don't show as Bridge Port Interfaces". This actually applies to all OS where we support vlan and bridge interfaces. Fwbuilder GUI should allow the user to set subinterface type to both "ethernet" and "vlan" when its parent interface has type "bridge". Setting subinterface type to "ethernet" makes it a bridge port, while setting the type to "vlan" signals the policy compiler that it should generate code to configure a real vlan interface. If the name of the subinterface does not include the name of the parent, such as "vlan101", or when the name does not match the vlan ID, such as "vlan8101", the global preferences option "Verify interface names and autoconfigure their parameters..." should be turned off. The option is located in the Preferences dialog, tab "Objects".

Changes in support for ipfilter

  • There are no changes in the support for ipfilter in this release

Changes in support for ipfw

  • There are no changes in the support for ipfw in this release

Changes in support for Cisco IOS ACL

  • fixes #1966 "IOSACL: object-group can get name that consists of only suffix". Compiler generated object-group statements with names such as ".src.net.0" in some cases.

  • see #2252 TCP and UDP service objects that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

  • see #2330 "Crash when creating a cluster of IOS router firewalls". Added support for basic IOS router clusters. No failover protocol support at this time, but the cluster can be configured with protocol "None" and fwbuilder will do address substitutions at compile time.

Changes in support for Cisco ASA and FWSM

  • FWSM v4.x does not have "fixup" command, instead, we should use policy-map and class commands.

  • refs #1893 fixes #1883 "inspect IP options in PIX8". Added support for "policy-map type inspect ip-options" command in PIX v8.2 and later. At this time, of all possible types of "policy-map type inspect" command only "ip-options" is implemented.

  • refs #1882 "Mixed service groups in PIX8". Added PIX versions 8.0 and 8.3; added support for mixed service groups in PIX 8.0 and later.

  • fixed #1892 "move rule processor class separateServiceObject to PolicyCompiler". This rule processor used to be implemented only in the compiler for PF, but since it has very general meaning, the same function was duplicated in other compilers as well. Moved the class to libfwbuilder and reimplemented several other rule processors to inherit from this class to avoid further duplication of code.

  • fixed #1891 "problems with TCP and UDP services with source ports". Policy compiler for PIX did not generate correct PIX ACL lines when one Policy rule tried to match several TCP and/or UDP objects matching source ports.

  • fixes #1901 "add destructor to NATCompiler_pix and NATCompiler_asa8". This eliminates memory leak.

  • refs #1885 "named network and service objects in PIX8". So far, these objects are only used for nat configuration.

  • fixes #1903 "correct order of clear commands for ASA 8.3"

  • refs #1886 "new nat configuration in PIX 8.3". Initial support for new style nat configuration.

  • fixed #1862 "fwb_pix crash". Compiler fwb_pix crashed when DNS Name run-time object was used in a rule, but worked fine and issued an error when used in single-rule compile mode.

  • fixed #1906 "ASA NAT - Address objects are not properly identified by network zone and have the wrong real interface". The problem should have affected both "old" (PIX 6 and 7) and "new" (ASA 8.3) configuration. When an Address object was used in Original Source of a NAT rule, compiler used wrong interface in the (interface1,interface2) pair in "nat" command.

  • fixed #1905 "fwbuilder crash when compiling a rule with hosts folder as destination". Compiler issues a warning when an empty group object is used in a rule, but GUI crashed when user tried to compile this rule using single-rule compile function. The change actually affects all policy compilers and makes sure the GUI catches exception and does not crash, and prints any errors generated by the compiler in the compiler output panel when single-rule compile function is used.

  • refs #1908 "ASA NAT - cannot configure static NAT translations with (inside,outside)". Added NAT rule option to make source nat rules "static". The option is presented to the user as three radio buttons in the NAT rule options dialog which is only enabled when platform is "PIX" and version >= 8.3. Policy compiler generates "twice nat" rules with keyword "static" in the following cases: when TSrc is "original", so the rule translates destination and not source or when numbers of ip addresses represented by OSrc and TSrc are equal. If TSrc is not "original" and represents different number of IP addresses than OSrc, compiler looks at the new rule option. User can use or override automatic algorithm using radio buttons in the NAT rule options dialog.

  • refs #1902 "Add NAT rule option "translate dns" for PIX". The option is only available for ASA 8.3 or later.

  • fixed #1909 "ASA NAT - static nat port translation where service is the same for original service and translated service not generated correctly"

  • fixed #1913 "ASA/PIX rules with logging enabled don't have log set unless user modifies Firewall Settings". Added default log level setting to the resource xml file for platform "PIX", set to "informational". ACL lines now get "log " keyword followed by the log level taken from the rule options, or if that was not configured, from the firewall object settings, or if that is not configured, the default.

  • refs #1907 "ASA NAT - fwbuilder doesn't support multiple translated sources in a single NAT rule". Compiler uses object-group to translate NAT rules that have multiple objects in Translated Source.

  • refs #1885 Compiler uses named objects and objects groups to build configurations that use address ranges in TSrc in NAT rules. (only ASA 8.3 and later)

  • fixed #1917 "Duplicate objects are not detected". Compiler should detect duplicate objects that may be created in a rule element when user combines Address Table object with other address or network objects there.

  • fixes #1934 "libfwbuilder::getOverlap() incorrectly calculates overlap between IPv4 networks". This should also fix SF bug 3156376 "Can not find interface with network zone that includes address range".

  • fixes #1932 "Add description field to generated NAT rules for ASA". NAT rules generated for ASA 8.3 and later will have "description" keyword added, with rule label as an argument. Rule label includes word "NAT" and rule number.

  • Added support for CustomService objects in policy and nat rules for ASA 8.3 using named objects and object-groups. -- see #1942 "ASA NAT - if custom service is included in service group incorrect config generated" -- see #1929 "move map named_objects inside class NamedObjectManager" -- see #1946 "restrict generation of the named objects by PolicyCompiler_pix to ASA 8" -- see #1885 "named network and service objects in PIX8" Note: this has been rolled back. There is no support for CustomService objects in NAT rules.

  • see #1941 "ASA NAT - compiler complains about range in original destination". NAT rules translating destination allow Address Range objects in ODst or TDst for ASA 8.3

  • see #1940 "ASA NAT - fwbuilder host objects interface IP is reserved keyword". Added list of reserved words used in IOS and ASA software to make sure generated named objects do not conflict. Will maintain single super-set of reserved words instead of separate set for each version of IOS and ASA.

  • fixed #1938 "icmp" commands were not generated for ASA 8.x policy rules.

  • See #1927. Added check for NAT rules that request translation of destination address but have ODst "any". This only applies to ASA 8.3; these rules are prohibited.

  • fixes #1916 "nat rule must be "static" when subnet is present in TSrc"

  • see #1942 improved support for CustomService objects for ASA 8.3. Generate separate named object and object-group for these objects, then split policy and nat rules so that only one custom service object is left in each rule and then use object-group to match it. Note: this has been rolled back. There is no support for CustomService objects in NAT rules.

  • fixes #1948 "incorrect configuration created when a CustomService object is used in a policy rule for PIX/ASA versions prior to 8.3". Since we do not support custom service objects in policy and nat rules for versions older than 8.3, added check to generate fatal error when such object is used.

  • fixes #1945 "object-group names include ever-growing suffix". Object-groups created by the compiler for PIX/ASA had numerical suffix that was constantly increasing when user used single-rule compile function in the GUI.

  • fixed #1944 "ASA Policy - duplicate network object groups created for mixed service group with TCP dst and TCP src port range objects". Need to convert address range objects to subnets early, before the rule is split for any reason, to make sure object groups created later match and are reused.

  • See #1943 "ASA Policy - mixed service group with TCP destination port range and standard TCP object generates invalid config". Protocol word "tcp" was missing after "deny" in the generated rule.

  • see #1949 "ASA NAT - split objects if OSrc contains objects that are in more than one network zone".

  • ASA 8.3 see #1942, #1943 fixed generation of the "object-group" statements by adding protocol keyword at the end so that the group can be used in access-list commands. It looks like mixed service groups that have no protocol keyword at the end of the line that defines them cause error "specified object group has wrong type; expecting service type". I am going to avoid using mixed service groups because of this.

  • see #1953 "ASA NAT - two host objects in the same rule result in incorrect config". Objects that represent addresses of interfaces of a host object created using template will be automatically renamed to follow standard naming convention "host_name:interface_name:ip" to avoid creating duplicate names.

  • see #1960 add support for CustomService for PIX policy rules. Note that CustomService objects are only supported in Policy rules since nat commands in ASA 8.3 require use of named objects and it is difficult to implement correct named objects and object-groups with protocol parameter and custom services.

  • See #1959 "ASA Policy - ranges are broken into composite network instead of using range command." Added support for address ranges using named network object with parameter "range" for ASA 8.3 and later. NOTE: if a network or IP address object is used in a nat rule for ASA 8.3, a named object has to be created for it since ASA 8.3 does not accept IP addresses or subnets in "nat" commands. In the situation like this, if the same address or network object is used in any Policy rule, the same named object will be used in the generated access-lists command.

  • see #1959 Moved generation of the code that defines named objects to class NamedObjectManager. This allows me to put all named object commands on top of the generated policy, nat and routing configurations and make sure each object is defined only once. Still need to do #1963 - move code that generates commands to define object-groups to class NamedObjectManager.

  • see #1954 "ASA NAT - generate warning if nat rule is split and one of the resulting nat rules have the same real interface and mapped interface". Compiler issues warning when objects used in OSrc and TSrc of a NAT rule make it use the same interface as both real and mapped interface in the generated nat command. This check is only done for ASA 8.3 NAT rules.

  • see #1963 "move printing of object-group definitions to NamedObjectManager::getNamedObjectsDefinitions()". Consolidated code that works with named objects and object groups in the class NamedObjectManager. This class manages all the objects and in the end generates commands.

  • Refactored parts that generate "clear" commands to make sure they are printed in the right order at the top of the generated configuration. Previously compiler placed "clear global", "clear static" and "clear nat" commands above the NAT section but below policy section. Since ASA8.3 nat commands can use named objects and object groups, and since I have added support for object groups in ASA 8.3 policy rules, I now need to clear objects and object groups at the very beginning of the generated config. However in order to be able to clear objects and object-groups, I need to clear access-lists and nat commands that might be using them first. So, all clear commands are now grouped at the beginning of the generated configuration. This affects PIX/ASA, iosacl and procurve_acl platforms.

  • See #1965 "ASA Policy - PIX 6.1 configurations use object groups". Policy compiler for PIX is now aware that object-group statement was introduced in PIX v6.2 and avoids using object-groups when firewall object version is set to 6.1

  • made names automatically assigned to object-groups in generated PIX configuration shorter by removing interface label prefix.

  • see #1968, #1972 Class NamedObjectsManager maintains its own copy of object tree that holds object group objects it creates during compiler passes. This allows me to maintain one common set of object groups for both policy and nat compilers and avoid creating duplicate and redundant object-group statements.

  • see #1968, #1972 class NamedObjectsManager (and derived classes for IOS and PIX) generate "clear" commands. This way, I can generate correct set of "clear" commands that take into account any named objects and object-groups that could be created during both policy and nat compiler passes.

  • See #1958 "consistently use "exit" to get out of nested context in PIX config". Using "exit" to exit from nested context while adding network or service object in generated PIX/ASA configuration.

  • see #1970 "ASA Policy - single IPv6 icmp object allowed in rules". Since we do not support IPv6 for PIX/ASA at this time, policy compiler should drop the rule if IPv6 address or icmpv6 service is used and issue a warning.

  • see #1981 "ASA / FWSM Policy - Generate warning message if rule will not generate config data"

  • fixes #1986 "Cisco ASA remarks should be truncated to 100 characters or less". Trimming all lines used for access list remarks to fewer than 100 characters. Remarks can only be less than 101 characters on PIX/ASA and less than 100 characters on IOS.

  • fixes #1994 "Crash when compiling a firewall in an imported Library". Compilers should reset any read-only flags in the copy of object tree they work with before they make any modifications.

  • fixes #2060 "Existing configuration objects are not cleared in PIX 6.3". Commands used to clear object groups and objects have different syntax in PIX 6.3 and PIX 7 and later.

  • see #2098 Added support for user-configurable inbound and outbound interfaces in Cisco PIX/ASA NAT rules. Two new columns appear in the rule set view: "Inbound Interface" and "Outbound Interface". If user leaves one or both columns blank, the GUI shows "Auto" in there and policy compiler picks corresponding interface automatically. Leaving both columns blank ("Auto") triggers backwards-compatible automatic behavior where both interfaces are picked automatically. Multiple interface objects and groups of interfaces are allowed in these columns.

  • fixes #2113 "ASA/PIX SNMP discovery - assign default labels based on interface description". Added pattern to match Cisco ASA interface description which is different from Cisco PIX interface descriptions as returned via snmp.

  • see #1990 "Change default value for Cisco ASA/PIX 7+ to generate outbound ACLs". Newly created PIX/ASA firewall objects will now have "generate outbound acl" option turned on by default.

  • see #2252 TCP and UDP service objects that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

  • see #2263 looks like "object-group service" that includes named objects defined as "service-object" can not be used in access-list commands and therefore is useless. Unless I misunderstood and there is a way to use it, I should not generate ASA configuration like this:

            object-group service id5102X14531.srv.tcp.0 tcp
              service-object object http.0
              service-object object https.0
        

    Object-group with "tcp" or "udp" type-suffix in the end does not allow "service-object" statements at all, so this configuration is incorrect anyway. However even without "tcp" in the end to make "service-object" references acceptable, the group can be built but can not be used in access-list statements.

    Instead, the group should use port-object statements:

    	object-group service id5102X14531.srv.tcp.0 tcp
    	  port-object eq 80
    	  port-object eq 443
        
  • see SF bug 3213019 "FWSM Network zone and IPv6". Currently we do not support IPv6 with PIX/ASA and FWSM. If user creates a group to be used as network zone object and places IPv6 address in it, this address should be ignored while compiling the policy but this should not be an error.

  • see #2308 "ASA rules with service set to "http" and destination set to ASA firewall object should generate different command syntax". Policy rules that have firewall object in Destination and http object in Service now generate "http" commands. This is similar to how fwbuilder generates "ssh", "telnet" and "icmp" commands to permit corresponding services to the firewall itself.

  • see #2344 "FWSM install errors for clear commands". Using correct syntax for "clear" commands for FWSM v4.x

  • see #2343 "Interface nameif error when installing generated config for FWSM". Use correct "nameif" command syntax in FWSM 2.x and 4.x.

  • see #2345 More fixes for FWSM 4.x: "service resetoutbound", "timeout xlate", "timeout sunrpc"

  • see #2344 fwbuilder should not generate any "ntp" commands for FWSM because NTP can not be configured on FWSM.

  • see #2322 If this is FWSM and if manual commit mode is used, need to commit after clearing ACLs before we clear object groups.

  • see #2347 "FWSM move up the "access-list mode auto-commit" command". Command that configures access list commit mode should be issued before any commands that clear and configure access lists. Also in this change moving commands that set up temporary access list to the top of the script.

  • see #2348: "Accounting action is not valid for FWSM platform". Actions "Accounting" and "Reject" should not appear in the drop-down list of actions in the GUI if platform is PIX or fwsm.

  • see #2295 Added FWSM version "3.2". According to Cisco documentation, FWSM version 3.2 matches PIX 7.

  • see #2351 Security levels of ASA and FWSM interfaces do not have to be unique. Removed check that enforced this.

Changes in support for HP ProCurve

  • There are no changes in the support for HP ProCurve in this release

Changes in packaging

  • This version is the first one to merge libfwbuilder and fwbuilder packages. The libfwbuilder library is now in the src/libfwbuilder subtree inside fwbuilder code tree.

  • RPM .spec files and DEB .control files are now located in the directory "packaging" inside fwbuilder code tree.

  • Changes in the versioning format: build number is going to be used as part of the long version number, composing complete version as "4.2.0.3425". The "-n" suffix in rpm and deb package names will be used for package release number and most of the time will be "-1". This suffix should reflect minor differences in the package that do not affect the code.

  • We have stopped making builds on Ubuntu Hardy. Old Qt (4.4.1) means more and more parts of the code do not compile and require workarounds, sometimes with loss of functionality in the GUI. v4.1.3 will be the last officially released version of fwbuilder to work on Hardy.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_5.0.0.html000066400000000000000000000456631303637203600233110ustar00rootroot00000000000000

Firewall Builder 5.0.0 Release Notes

SourceForge: Tickets

Summary

In addition to bug fixes and minor enhancements, v 5.0 includes the following new features:

  • User defined system folders
  • Keywords for tagging objects
  • Dynamic Group Objects with Smart Filters
  • Multiple operations per filter Rule
  • New Attached Networks Object
  • Improved GUI layout and behavior
  • Import of PF configurations

User Defined System Folders

Users can now create their own subfolders in the object tree. To add a subfolder right-click on a system folder, for example Firewalls, and select "New Subfolder". You can move objects into the subfolder by dragging-and-dropping them from the parent folder in the object tree to the subfolder. You can only delete empty subfolders, so if you want to delete a subfolder first move all the objects in that subfolder to the parent folder and then you can delete the subfolder.

Keywords for Tagging Objects

This feature gives users the ability to apply keywords to objects and then use the filter box to search for objects that match a keyword.

Dynamic Groups with Smart Filters

A new type of group, called a Dynamic Group, has been added to the Group object in the object tree. Right-click the Group object and select "New Dynamic Group" to create a new group. You can use both Keywords and Object Type to create filters of objects that should be included in the Dynamic Group. There is a preview window that displays all the objects that match the filter.

You can use Dynamic groups in rules just like you would use a regular Group object. When Firewall Builder compiles a rule that includes a Dynamic Group it will expand the group into all its member objects.

Multiple Operations per Filter Rule

The actions for Tag, Classify and Route have been moved to the rule Options. This allows a user to define a primary action, like Accept, and then define additional actions that should be taken on traffic that matches the rule.

This is only supported for iptables and PF platforms. For PF setting multiple actions will result in a single rule with multiple actions defined. For iptables this will result in multiple rules ordered so that all actions are performed correctly.

New Attached Networks Object

There is a new child object for interfaces that represents all the networks that are "attached" to the interface. This means that for each IP address that is configured on an interface the associated network for that IP address will be included in the Attached Networks object.

Improved GUI layout and behavior

There are a number of changes that have been made to make the mouse click behavior more consistent, and the layout of the GUI has been updated to make things simpler.

Import of PF configurations

Firewall Builder can now import PF configurations in pf.conf format. To import a pf.conf configuration go to File -> Import Firewall and follow the prompts.


GUI Updates

  • "Crash when selecting New Firewall and existing firewall has interface that is locked". Fixed GUI crash that happened on some operations if an object in the tree was locked. For example, if the user locked an interface of one of the firewall objects that then proceeded to create new firewall object, the GUI would crash. The problem was not limited to locking specifically interface objects.

  • part of the GUI usability improvements, its behavior when user double clicks on "any" in a rule has changed. Now the program opens object "any" in the editor and shows prompt text that explains its behavior. The editor stays read-only and should appear grayed-out if palette is set up for that.

  • when user double clicks on a firewall object to open it in the editor, rule set view panel switches to the rule set of that firewall. To decide which rule set to show, the program scans history of the objects the user opened before in the same GUI session and shows that firewall's rule set they opened last. If user never opened any rule sets of this firewall, then the first Policy object is shown.

  • fixed several GUI crashes that happened when user performed various operations on the object tree that contained locked objects.

  • implementation of keywords associated with objects in the GUI; ability to filter by keywords, dialog layout changes to add GUI controls for keywords.

  • Removed obsolete localization files (Russian and Japanese). These were incomplete and have never been updated for v4.

  • Removed transfer agent code. This eliminates dependency on DBus framework.

  • Added support for creating user-defined subfolders. The subfolders exist purely in the display and are not reflected in the FWObject tree, in order to keep changes in the back-end to a minimum. New attribute "subfolders" on a system folder tells the gui what additional child elements to display in the tree, and attribute "folder" on any FWObject tells gui which child tree element to put it in.

  • Added feature : directory location caching. Use FWBSettings::{get|set}OpenFileDir() any time we use QFileDialog so that the directory you navigated to last time shows up in the next file dialog. This behavior is overridden by setting a working directory. If the directory no longer exists, gracefully fall back to something sensible.

  • "Add context menu to move an interface to be a child of another interface". New context menu (submenu) allows user to move an interface in the tree to make it a subinterface of another interface.

  • Implemented support for address table alternate paths. There's a "data directory" setting under user preferences. If the user selects an address table file using "choose file" and that file is "inside" the data directory, then the appropriate part of the path is replaced with %DATADIR% as a variable. If the address table is marked "run-time" then the path is taken from the firewall data directory option.

  • Fixed bug: save the expanded/collapsed state of the tree when the user starts typing something into the quick filter. When the quick filter is cleared, re-expand any items that started off expanded (so we get the union of expanded items displayed by quick filter plus what the user started with expanded).

  • "Attempting to copy-and-paste a tag service results in an error". Pasting of a TagService object to the "Tag Services" group did not work.

  • "Enhance Find to include searching for IP addresses in ranges". Function "find" now finds ip addresses inside address ranges.

  • "Expanded set of options the user can change to pre-set parameters in the new policy rules they create". Now user can set default values for action ("Deny" or "Accept"), direction, the "stateless" flag and logging.

  • fixes bug "If file doesn't exist when clicking 'edit file', then you have to hit save button twice". The bug affected "edit file" function in the Address Table object dialog.

  • "Remove Back and Forward buttons". We have decided behavior of the GUI was too complicated since user can both act on objects directly and navigate backwards and forwards to the objects found in their browsing history. Navigation using browsing history was broken when quick filter was in use, too. All in all, it feels the value of "back" and "forward" buttons was relatively low.

Changes in policy importer for all supported platforms

Changes that affect import of PF configurations

  • This version implements import of pf.conf configuration with the following limitations:

    • anchors are not imported. Anchor rules are imported but rules inside anchors are not.
    • only pf.conf configurations designed with the use of keyword "quick" can be imported.
    • Macros are expanded during import and are not recreated as objects. Tables are imported as run-time AddressTable objects configured with the file name, or as object groups.
    • User has to specify host OS and PF version number during import process because interpretation of rules with default settings of some parameters is version-dependent.
    • Import of IPv6 addresses and ICMPv6 matches in pf.conf is not supported at this time.
    • Import of TCP flag matches for flags 'E' and 'W' is not supported.
    • Import of "include" clause is not supported
    • Import of "user" and "group" matches is not supported
    • as of v4.2 we can not generate optional parameters for the "source-hash" pooltype. "sticky-address" is not supported either. These options are not imported.
    • Interface group names are not recognized
    • commands "set ruleset-optimization", "set loginterface", "set block-policy", "set state-defaults", "set require-order", "set fingerprints", "set reassemble", "set hostid" are not supported.

Fixes and improvements in import of iptables configurations

  • Implemented import of iptables rules with target CLASSIFY.

Changes and improvements in the API library libfwbuilder

  • New object type "Attached Networks": network object that automatically matches subnets an interface is attached to. The object can be a child of an interface. The object is optional and is not created automatically for all interfaces; user can add it using context menu associated with an interface. Dialog for this object allows editing of the name and comment. List of network addresses represented by this object is always generated automatically. Compiler for PF translates this object to "en0:network" construct that is supported by PF. Compiler for iptables expands it to the list of ipv4 and ipv6 networks defined by the addresses of the parent interface if interface has static addresses. If interface is configured as "dynamic" and has no address in fwbuilder, then compiler treats AttachedNetworks object as run-time and uses shell function to determine network addresses during activation of the firewall script. Compilers for other firewall platforms always treat this object as compile-time and abort if it is used with dynamic interface.

  • New object type "Dynamic Group". Dynamic group automatically expands to a set of objects using matching rules that at this time can match object types and keywords.

  • Updated error message that appears when user tries to open .fwb file created by the future version of fwbuilder.

common changes that affect policy compilers for all platforms

  • fixed bug "Compile fails if firewall has locked interface that is set to dynamic".

Changes in support for iptables

  • 'Mixing Actions "Accept" and "Classify" results in incorrect rules', and 'Mixing Actions "Accept" and "Tag" results in incorrect ruleset'. After we made Tag, Classify and Route rule options instead of actions, rules that mix these options with actions "Accept" and others, except for "Continue", should be treated differently. The actions are now implemented using iptables rules in the table "filter", and additional rules in the table "mangle" are used only to implement tagging, classification or routing. The generated script does not change the default action in the table "mangle" and assumes it is "ACCEPT", so adding rules with target ACCEPT in the mangle table should not be necessary. Another change because of this affects branching rules that use the option "create branch in mangle table in addition to the filter table". These rules used to duplicate the same action and logging rules in mangle. Now they don't do this and only create rules in mangle if the branch rule set performs tagging, classification or routing.

  • "Deprecating Route option for iptables". This target is not included in any of the popular Linux distributions (checked in Ubuntu, Fedora and CentOS). The GUI dialog and all support in the compiler will be removed in future version of fwbuilder. Beginning with 4.3.0, compiler aborts with an error when it encounters a rule using this option. In older versions of fwbuilder (4.2.x and before) this option was presented as an action "Route".

  • "Tag action should be done in PREROUTING so it can be acted on later". If a rule has both tagging and classification options, the rule should be split so that iptables command doing tagging goes in PREROUTING and rule doing classification goes into POSTROUTING chain.

  • "Tag and classify actions don't work properly with branches". When a branching rule points to a rule set that has rules with Tag and Classify options, branching should occur in the mangle table even when the checkbox "create branch in mangle table" is not checked. The fix in this change is tentative as it creates a branch in chains PREROUTING, POSTROUTING and OUTPUT. Since target CLASSIFY is only allowed in POSTROUTING, this may create a conflict. Need to test more.

  • Added support for single object negation in "Inbound Interface" and "Outbound Interface" columns in compiler for iptables.

  • fixed SF bug 3371301 "Error compiling with VLAN and masquerade". Iptables NAT rules with vlan interface configured as "dynamic" and no ip address in Translated Source caused compiler crash.

Changes in support for PF (FreeBSD, OpenBSD)

  • "PF compiler should use 'self' keyword where appropriate". Compiler for PF now uses keyword 'self' in rules where firewall object is used in Source or Destination.

  • Added support for single object negation in "Interface" rule element of PF NAT rules. Now compiler can produce PF commands such as "nat on ! em0 ... " (for PF <4.7) or "match on ! em0 ..." (for PF >= 4.7)

  • NAT Compiler for PF should use "(interface)" syntax to the right of "->" in NAT rules. This now works for all interfaces, including those that have ip addresses in fwbuilder configuration, when interface object appears in "Translated Source" in a nat rule. When firewall object appears in "Translated Source", it gets replaced with a set of its interfaces which also get translated into "-> (interface)".

  • fixed bug "PF compiler crashes when ipv4+ipv6 NAT rule uses only ipv4 address". This has been reported as SF bug 3305234.

  • 'avoid " {tcp udp icmp} " in place of protocol'. NAT compiler for PF does not need to generate protocol match "proto {tcp udp icmp}" when service object used in the NAT rule is "any". The reason this was done this way is lost in the mist of time; it's been like this since very early versions of fwbuilder.

  • "Update generated route-to configuration for PF versions 4.7 and later", SF bug 3348931. The "route-to" parameter moved to the end of pass rules in PF 4.7

  • "Crash when compiling a route with table object". Compiler for PF crashed when run-time AddressTable object was used in RDst of a routing rule.

  • "Group and Address Table name persistence in generated config". Compiler for PF can now preserve names of object groups, dynamic groups, compile-time AddressTable and compile-time DNSName objects in the generated pf.conf file. This is optional and is controlled by a checkbox in the firewall settings dialog.

  • fixes bug "Run-time dns name or address table in routing policy -> crash". Compiler for PF crashed if user placed run-time DNSName object in "destination" of a routing rule.

  • fixes bug "PF: NAT compiler fails when run-time address table object is used in a rule"

Other changes

  • applied patch to provide configure command line option to specify path to ccache. Thanks to user "a. k. huettel " on SourceForge.

  • applied two patches by Vadim Zhukov persgray@gmail.com to replace calls to sprintf with safer calls to snprintf and fix some compiler warnings.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_5.0.1.html000066400000000000000000000343471303637203600233070ustar00rootroot00000000000000

Firewall Builder 5.0.1 Release Notes

SourceForge: Tickets

Summary

v 5.0.1 is a minor bug fix release.


GUI Updates

  • moved "batch install" button from the main installer wizard to the dialog where user enters their password. Now user can start in a non-batch install mode but continue in batch install mode at any time if all their firewalls authenticate with the same user name and password.

  • see #2628 fixed crash that happened if user created a new firewall object from a template and changed one of the ip addresses, while another firewall object created from the same template already existed in the tree.

  • see #2635 Object type AttachedNetworks is not allowed in the "interface" rule element.

  • The drop-down list of interfaces for the "route-through" rule option for PF and iptables should include not only cluster interfaces, but also interfaces of all members. This way, we can make compiler generate configuration "pass in quick on em0 route-to { ( em0 10.1.1.2 ) } ... " for a rule of a PF cluster. Here "em0" is an interface of a member, not the cluster.

  • fixes #2642 "GUI crashes if user cancels newFirewall dialog".

  • fixes #2641 "newFirewall dialog does not accept ipv6 addresses with long prefixes". The dialog did not allow ipv6 addresses of interfaces with netmask > 64 bit.

  • fixes #2643 "GUI crashes when user cuts a rule, then right-mouse click in any rule element of another"

  • added check to make sure user does not enter netmask with zeroes in the middle for the IPv4 network object. Netmasks like that are not supported by fwbuilder.

  • fixes #2648 "right mouse click on firewall object in "Deleted objects" library causes GUI crash"

  • fixes SF bug 3388055 Adding a "DNS Name" with a trailing space causes failure.

  • fixes SF bug 3302121 "cosmetic mis-format in fwb Linux paths dialog"

  • fixes SF bug 3247094 "Nomenclature of IP address edit dialog". Network ipv6 dialog says "Prefix length".

  • see #2654 fixes GUI crash that occurred if user copied a rule from file A to file B, then closed file B, opened file C and tried to copy the same rule from A to C.

  • see #2655 Interface names are not allowed to have dash "-" even with interface verification off. We should allow "-" in the interface name for Cisco IOS

  • see #2657 snmp network discovery crashed if option "Confine scan to network" was used.

  • fixes #2658 "snmp network discovery creates duplicate address and network objects"

  • enable fwbuilder to take advantage of GSSAPIAuthentication with openssh using suggestion by Matthias Witte witte@netzquadrat.de

  • fixed a bug (no number): if the file name user entered in "Output file name" field in the "advanced settings" dialog of a firewall object ended with a white space, policy installer failed with an error "No such file or directory"

  • fixed SF bug #3433587 "Manual edit of new service Destination Port END value fails". This bug made it impossible to edit the value of the end of the port range because as soon as the value became less than the value of the beginning the range, the GUI would reset it to be equal to the value of the beginning of the range. This affected both TCP and UDP service object dialogs.

  • fixes #2665 "Adding text to comment causes rule to go from 2 rows to 1 row". Under certain circumstances, editing rule comment caused the GUI to collapse corresponding row in the rule set view so that only the first object of each rule element that contained several objects was visible.

  • fixes #2669 "Cant inspect custom Service object in Standard objects library".

Changes in policy importer for all supported platforms

Changes that affect import of PIX configurations

  • changed token name from "ESP" to "ESP_WORD" to avoid conflict with macro "ESP" that happened during build on OpenSolaris

  • see #2662 "Crash when compiling ASA rule with IP range". Need to split address range if it is used in "source" of a rule that controls telnet, ssh or http to the firewall itself and firewall's version is >= 8.3. Commands "ssh", "telnet" and "http" (those that control access on the corresponding protocols to the firewall itself) accept only ip address of a host or a network as their argument. They do not accept address range, named object or object group. This is so at least as of ASA 8.3. Since we expand address ranges only for versions < 8.3 and use named object for 8.3 and later, we need to make this additional check and still expand address ranges in rules that will later convert to "ssh", "telnet" or "http" command. Compiler still generates redundant object-group statement with CIDR blocks generated from the address range but does not use this group in the rule. This does not break generated configuration but the object-group is redundant since it is never used. This will be rectified in future versions.

  • fixes #2668 Remove "static routes" from the explanation text in ASA/PIX import dialog. We can not import PIX/ASA routing configuration at this time.

  • fixes #2677 Policy importer for PIX/ASA could not parse command "nat (inside) 1 0 0"

  • fixes #2679 Policy importer for PIX/ASA could not import "nat exemption" rule (for example: "nat (inside) 0 access-list EXEMPT")

  • fixes #2678 Policy importer for PIX/ASA could not parse nat command with parameter "outside"

Changes and improvements in the API library libfwbuilder

  • function InetAddr::isValidV4Netmask() checks that netmask represented by the object consists of a sequence of "1" bits, followed by the sequence of "0" bits and therefore does not have zeroes in the middle.

  • fixed bug #2670. Per RFC3021 network with netmask /31 has no network and direct broadcast addresses. When interface of the firewall is configured with netmask /31, policy compilers should not treat the second address of this "subnet" as a broadcast.

Changes in support for iptables

  • see #2639 "support for vlan subinterfaces of bridge interfaces (e.g. br0.5)". Currently fwbuilder can not generate script to configure vlan subinterfaces of bridge interfaces, however if user did not request this configuration script to be generated, compiler should not abort when it encounters this combination.

  • fixes #2650 "rules with address range that includes firewall address in Src are placed in OUTPUT chain even though addresses that do not match the firewall should go in FORWARD"

  • fixes SF bug #3414382 "Segfault in fwb_ipt dealing with empty groups". Compiler for iptables used to crash when an empty group was used in the "Interface" column of a policy rule.

  • see SF bug #3416900 "Replace `command` with `which`". Generated script (Linux/iptables) used to use "command -v" to check if command line tools it needs are present on the system. This was used to find iptables, lsmod, modprobe, ifconfig, vconfig, logger and others. Some embedded Linux distributions, notably TomatoUSB, come without support for "command". Switching to "which", which is more ubiquitous and should be available pretty much everywhere.

  • fixed #2663 "Rule with "old-broadcast" object results in invalid iptables INPUT chain". Compiler was choosing chain INPUT with direction "outbound" for rules that had old broadcast address in "Source"; this led to invalid iptables configuration with chain INPUT and "-o eth0" interface match clause.

  • fixed bug in the rule processor that replaces AddressRange object that represents single address with an IPv4 object. Also eliminated code redundancy.

  • fixes #2664 Update error message when "which" command fails. Generated iptables script uses "which" to check if all utilities it uses exist on the machine. We should also check if "which" itself exists and issue meaningful error message if not.

  • SF bug #3439613. physdev module does not allow --physdev-out for non-bridged traffic anymore. We should add --physdev-is-bridged to make sure this matches only bridged packets. Also adding "-i" / "-o" clause to match parent bridge interface. This allows us to correctly match which bridge the packet comes through in configurations using wildcard bridge port interfaces. For example, when br0 and br1 have "vnet+" bridge port interface, iptables can still correctly match which bridge the packet went through using "-o br0" or "-o br1" clause. This can be useful in installations with many bridged interfaces that get created and destroyed dynamically, e.g. with virtual machines. Note that the "-i br0" / "-o br0" clause is only added when there is more than one bridge interface and bridge port name ends with a wild card symbol "+"

  • fixed SF bug #3443609 Return of ID: 3059893": iptables "--set" option deprecated". Need to use --match-set instead of --set if iptables version is >= 1.4.4. The fix done for #3059893 was only in the policy compiler but needs to be done in both policy and nat compilers.

Changes in support for PF (FreeBSD, OpenBSD)

  • see #2636 "carp : Incorrect output in rc.conf.local format". Should use create_args_carp0 instead of ifconfig_carp0 to set up CARP interface vhid, pass and adskew parameters.

  • see #2638 "When CARP password is empty the advskew value is not read". Should skip "pass " parameter of the ifconfig command that creates carp interface if user did not set up any password.

  • fixed SF bug #3429377 "PF: IPv6 rules are not added in IPv4/IPv6 ruleset (anchor)". Compiler for PF did not include rules generated for IPv6 in generated PF anchor configuration files.

  • fixed SF bug 3428992: "PF: rules order problem with IPv4 and IPv6". Compiler for PF should group ipv4 and ipv6 NAT rules together, before it generates ipv4 and ipv6 policy rules.

  • Several fixes in the algorithms used to process rules when option "preserve group and addresses table object names" is in effect

  • fixes #2674 NAT compiler for PF crashed when AttachedNetworks object was used in Translated Source of a NAT rule.

Changes in support for Cisco IOS ACL

  • fixes #2660 "compiler for IOSACL crashed when address range appears in a rule AND object-group option is turned ON"

  • fixed SF bug 3435004: "Empty lines in comment result in "Incomplete Command" in IOS".

Changes in support for ipfw

  • fixed SF bug #3426843 "ipfw doesn't work for self-reference, in 5.0.0.3568 version".

Changes in support for Cisco ASA (PIX, FWSM)

  • see #2656 "Generated Cisco ASA access-list has duplicate entry". Under certain circumstances policy compiler fwb_pix generated duplicate access-list lines.

Other changes

  • see #2646 and SF bug 3395658: Added few ipv4 and ipv6 network objects to the Standard objects library: TEST-NET-2, TEST-NET-3 (RFC 5735, RFC 5737), translated-ipv4, mapped-ipv4, Teredo, unique-local and few others.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_5.1.0.html000066400000000000000000000067541303637203600233100ustar00rootroot00000000000000

Firewall Builder 5.1.0 Release Notes

SourceForge: Tickets

Summary

Starting with 5.1.0, packages for Windows and Mac OS X are released under the terms of GPL. The source code tree includes all files necessary to build on Linux, *BSD, Windows and Mac OS X.


GUI Updates

  • fixes #2685 "Clicking "Manage Members" in a vlan subinterface of a cluster causes crash".

Changes in support for iptables

  • fixed SF bug #3468358 "change in rule-compilation between 5.0.0 and 5.0.1". Rule with cluster interface in "Destination" should compile into matching ip addresses assigned to the cluster interface object and corresponding member firewall's interface object, but in v5.0.1 it only matched member interface address. This bug triggered when iptables version was set to 1.2.11 or greater. This was a regression from v5.0.0

  • fixes #2686 "automatic rules for heartbeat are not generated for vlan subinterfaces"

  • fixes #2684 "fix address deletion in configlet update_addresses". This only applies to Linux firewalls and configurations where an interface has two or more ip addresses. If the user deleted one of the addresses that happens to be the "primary" address of the interface in the GUI, the generated script deleted both addresses on the firewall machine instead of just one and left the interface with no addresses at all. The fix is to use the /proc variable /proc/sys/net/ipv4/conf/all/promote_secondaries, which makes the kernel "promote" a secondary address to "primary" status when the primary address is deleted. The default behavior of the Linux kernel is to delete all addresses when the primary address is deleted.

  • using mktemp to create the temporary directory in the generated script. If mktemp is not available, fall back onto a less secure but guaranteed-to-work method where the name of the temporary directory is randomized using the process ID (a process ID is predictable, which is why this fallback is less secure than mktemp).

  • fixes SF bug 3489096 "dd-wrt-jffs: all routes are deleted if there is an error". The problem affects all supported Linux-like systems. Shell code that restores old static routing table entries in case of an error with commands adding new routing entries was broken and left the machine with no routes at all.

Other changes

  • fix for SF bug #3468802. Need to define macro __STDC_FORMAT_MACROS. This still needs to be tested on all build machines.

  • running autoconf and configure as part of the Windows build. Merged qmake .pro and .inc files for Windows, Mac and Linux builds. Moved files needed for Windows and Mac packaging to the "packaging" directory.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_5.2.0.html000066400000000000000000000126071303637203600233030ustar00rootroot00000000000000

Firewall Builder 5.2.0 Release Notes

SourceForge: Tickets

Summary

In addition to bug fixes and minor enhancements, v 5.2 includes the following new features:

  • Search for objects by port number or ip address
  • Graphical diff viewer
  • Diff on generated output, autocompiling firewall when loading file
  • Support for Cisco NXOS Access lists
  • Support for dummy objects in rules
  • Port to Qt5
  • New buildscript and instructions for OSX
  • Added build instructions for Windows

Search for objects by port number or ip address

In the library tree viewer it is possible to search for objects by port number or ip address. To search by port number you prefix with keyword 'port:', and to search by ip address, 'ip:'. This will display all matching objects, including groups. Some examples:

  Find single service
port: 80

  Find several services
port: 110,995

  Range based search
port: 25-143

  Search with limits
port: <443
port: >5900

  Composed search
port: <24, 53, 80-110


  Find a single IPv4 address, and networks it belongs to
ip: 192.0.2.1

  Search using netmask
ip: 198.51.100.0/255.255.255.0
  CIDR notation
ip: 198.51.100.0/24

  Find a single IPv6 address, and networks it belongs to
ip: 2001:db8::1

  Search using netmask
ip: 2001:db8::/64

  Composed search
ip: 203.0.113.0/24,2001:db8::/32
  

Graphical diff viewer

A new graphical diff viewer shows all the changes made since the file was loaded. Rule selection is synced in the side-by-side view, and double clicking a rule centers that rule in both the original and current view. The diff viewer is activated by a new button in the upper right corner of the rule set view.

Diff on generated output, autocompiling firewall when loading file

The user may choose an external diff utility to compare generated firewall output with a previously stored version. Optionally Firewall Builder can compile all firewalls in a project when the file is loaded. When modifying and compiling the user may compare newly generated firewall output with output generated from when the file was loaded. This feature is added to the "Inspect generated files" window.

Support for Cisco NXOS Access lists

Firewall Builder now supports generating output for the Cisco NXOS platform. This is based on the Cisco IOS code with only minor adjustments and more testing is needed.

Support for dummy objects in rules

The dummy object feature lets the user choose whether newly inserted rules get any or, new in this release, dummy as the default target for source, destination, service or interface. A rule with a dummy target will let the firewall compile but will not be evaluated. The user is shown a warning when compiling a firewall that contains one or more dummy rules. The default target is set both when you create a rule and when you delete the last remaining target. A dummy target may be "converted" to an any target. This option becomes available when right clicking on a dummy target.

Port to Qt5

Firewall Builder may now be compiled with Qt4 or Qt5 from the same codebase. This is tested on Linux and on OSX. Note: macdeployqt 5.0 and 5.1 are broken on OSX, please see QTBUG-32379.

New buildscript and instructions for OSX

A new build script and instructions are added for OSX. See doc/README.osx in the source code.

Added build instructions for Windows

Build instructions for Windows are added. See doc/README.windows in the source code.


GUI Updates

  • Fixed bug in the undo stack system when adding a new rule, undoing and redoing. The rule is now placed back in the correct group, if any, and is not corrupting the undo stack.

Common changes that affect policy compilers for all platforms

  • There are now two valid return values for the compilers. In addition to the success return code, the compilers now return a fixed value when compiling a firewall with one or more dummy rules. This value signals the result "success with warning".

    The libcommon static library, and all the compiler executables, now use QCoreApplication instead of QApplication. This removes their dependency on QtGui and gives faster startup on some platforms.

Other changes

  • Fixed compile warning on 64 bit arch and some compile errors.

  • Fixed libpng warnings: "iCCP: known incorrect sRGB profile".

fwbuilder-5.3.7/src/res/help/en_US/release_notes_5.3.0.html000066400000000000000000000052121303637203600232760ustar00rootroot00000000000000

Firewall Builder 5.3.0 Release Notes

SourceForge: Tickets

Summary

In addition to bug fixes and minor enhancements, v 5.3 includes the following new features:

  • Support for Junos Access lists
  • Show all release notes

Support for Junos Access lists

Firewall Builder now supports generating output for the Junos platform. This implementation is based on the Cisco IOS code and shares codebase where applicable.

Units and interfaces

The Junos compiler expects the units to be subinterfaces of the main interfaces. E.g. unit 10 is a subinterface of ge-0/0/0.

To configure ge-0/0/0 unit 10, do the following steps:

  1. Add a new interface and rename to ge-0/0/0
  2. Add a new interface and rename to unit 10
  3. Make interface unit 10 a subinterface of ge-0/0/0

Deny and Reject

In the policy viewer, the Deny action will generate the following output
then { discard; }
while the Reject action will generate
then { reject; }
You may set parameters for the Reject action to specify ICMP reply.

Show release notes for previous releases

You may now select any of the available release notes in the release notes viewer, not only for the current version.

GUI Updates

  • When using Dummy and deleting an object in the object tree viewer, any objects using only that object will now use Dummy instead of Any.

  • Fixed wrong diff counting for DiffViewer.

Changes in support for NXOS

  • Added support for compiling a single rule for NXOS.

Other changes

  • Fixed compile error: QApplication::setGraphicsSystem is removed in Qt5.

  • Fixed NULL pointer dereference for Dummy interface when right clicking on the Dummy interface in the object tree viewer.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_5.3.6.html000066400000000000000000000023531303637203600233070ustar00rootroot00000000000000

Firewall Builder 5.3.6 Release Notes

GitHub: Issues

Changes in support for Junos

  • Bugfix: syntax error for "source-port"; missing colon is added.

  • Bugfix: do a rollback when getting syntax error when installing firewall.

  • Bugfix: set correct ICMP header for IPv6.

  • Bugfix: use /128 netmask on IPv6 host objects.

  • Bugfix: newer versions of Junos include an updated version of OpenSSH, which does not output a space after the password prompt. The installer now treats this space as optional. This prevents installation of the firewall from halting while waiting for authentication information.

  • Feature: added IP fragmentation service object in the standard object database.

Other changes

  • Added support for Git version numbering when doing development.

fwbuilder-5.3.7/src/res/help/en_US/release_notes_5.3.7.html000066400000000000000000000037241303637203600233130ustar00rootroot00000000000000

Firewall Builder 5.3.7 Release Notes

GitHub: Issues

Changes in support for iptables

  • Feature: fwbuilder now supports conntrack instead of state module for recent iptables

  • Feature: Add support for the iptables > 1.4.20 "-w" option

  • Bugfix: Fixed (potential) deadlock situation as suggested by https://github.com/antaflos

  • Bugfix: Proper handling of NAT chains

  • Feature: Add support for --kerneltz

Changes in support for Junos

  • Bugfix: Generated new ids for the IP fragmentation service objects in the standard object database

  • Bugfix: Use correct comment symbol

GUI changes

  • Bugfix: Don't delete object in locked group

  • Feature: Add new objects directly to the subfolder via context menu

Compiler and build systems changes

  • Feature: Add support for MSYS2

  • Update OSX buildscript for newer XCode

  • Feature: Add support for GCC 6.X

  • Refactor: Gain more C++11 compatibility

  • Feature: W32: Add support for MXE and provide Docker environment for cross compiling

fwbuilder-5.3.7/src/res/help/en_US/state_sync_configuration.png000066400000000000000000003735511303637203600246640ustar00rootroot00000000000000PNG  IHDRHF/vhiCCPICC ProfilexgTSM$$ tAz/.UMJ]).HGPEQ "HA=]˝}grdl(lq8wojfnJ #@^%GGhzrL Af <c?> 0zxx)Xʻ0s[ Zm&<`L!tibmyWk'1? 2eP7uNLvlpFwVkN܂7EK<˜?N02ѭc6~Rl""FFwQ{}!txǟ܆bd](!?Q 5i.c VnD- s)Cl}?1gyyEJK H pщJ Yav*sr ̊?Ɣ{UU%hhjj jjo]h׻oռ(jjHiodyYY][[cZ:z'OXiZ[m.M<jxYޕӝsףϪ/O  ~zMۚ/?51n,rkvhkG^e{_M70570&2^6-s cKq+j뗗*.l-t9::a._\ܞ])wy <~%D5P > &_F4FH v#Pl"ʚHM(钥q;=ӑ[oV QH]Z4t8$ :MwV>}xRJzfћuORF674Y4=oen#k}>yף;=i} /Y^:fܻKVFG7?nL">ȧ?јqM:&h=t|ytzzyC_F[+wo; hI.`*6 &,9F2A 5}` A$5Lm ⅔!+(J*hA@(#7*tCf!{; VQ2h,:=F(IAIdFJMB|@EԜE7NTTE"ԝ3*M- cI;LUv,,çRN_deg͡I9ƌcgLyF҄"Ƣ2bb R8i}!Y)~'*d*)+_SQYթ=K'^31001674߷jzF6nA1鳋kwaw<~WQc`DJUHȞ([1PgTAb_bJsLzӭ=/fOz $ і6T?TyXv>lLSR˹g :{y{;-#c_i...l8lݶgyAE` n IDATx]`Ev_z=:iRDA+)WPD@齄 %v۽#!)ey ʲ,{^iGGGGB'l####6Sz|cxxxxx{ So O>####pO!{u xxxx)xvON1<<<<0nt\%J;Vʐdլ,Al.V#Nf|^eT85d`0vҞh, pMa(|@2wܙySՍ6۷dG wQ\hZUBv6ʀС&Kqu giTf~t){fll<ڽ %P$bZ#ݻ u<5Rvo-EeR1LΈPLXC@5Z[YۻۚU,[RVΠb}̕<(j2B&8bkjΜuc(R-, Y*+ :n>aCTAKPJI0aJg- zPN1deesnilx}> nh#4\<eYLfɆJ^$`n4sRU0 Lΰ5vfu qZYK!8 .#t"[H7Ȏ_hٟ[1{ƌWmM YR_﯃[/qK|h7zw#p [cuc%r%((ܔW޽5|UUlPL)Z)vCL4*`CX5W),̜]e;m1oY|wp9D Rqw P2Р30Z_w)LEp 3ixQ? 
C[jl]}dw{0)F/75VRwHKZ=3P*3CR4 mv<̓@HĸHBIsMIFLj=ܯiDcHIT,SJ1& $ #6j`A&JE L)6D )Č|8âW>!n&aݶEJ+kسCɼhe#`"SBFFRI .Bpj' f JA((ZDZOȘ!@RV)al&]^Wo@P\vq󖛊~}}Ǘ0 MR*Ng2OR!t4EuF€26r7wx[8-YWΝ*UHRF[ӗ*"JE}ɗz&pJ26;Si" Up(՟ͷlɖLEK]Rp,]A/ɯxaseaxu ׺Aұf+'f7 n6wJeq2kmr fp9 rwD#}΅?FG>1=Tq.w~WM1RSnزkK}iSΉ U=]PiƆX)l#V?K  }4#3CD"E&ɡa+,6)EwL<,RXHYN4̾!Z5dUaog+}_tUl6Jvہ4XZp |PCe3=ozeb[*4Aݼ 뽩R][|_}ب 7#LṰA306͐9x Syʢ@a FvhYXo+3$ *욻0ǖXucv?k`HikEぉ]Xiwkf_c~l/o$q !@"X6w;Hc#K[6G&6 KsKu&~['[`bYcY#l%eQD*g 0"Z+<1A;碭[AÞX4gXij4V_z3(;d ",PwSf%~kl'.]#'NH?a甚b!.΁)r!҆8[shG@Jel `Y6[!N."ɔHo)1h9,p#A@lg]!D fQ#A#$y[!QCjSJ pF֘)/!G0&,kr\H#0W)${e]ls'Hf+G'侱=W?~yoe=G3դh6IhgBB%#1,J4 yp17 " DYM``,'..PS5hP%a F*!\L Z̘+ L)qfMEy5 yAL˵\˙m 2lF-O&n>a !>4'%(#p(xHPf",T QĈ3ƒVF4>BKVޖ 1+Wh6G79GlXƝA'eA]l(9六/qlcRЬYx*8`FB&V;G.jm>A,m'AC6<SR!cNl'CjIC:l:S6 &FN"#5[j[P{h`wo cmťF*0Hc%6K5;(ee@vGv:ZPUI Jɇ_ÒzsiIGF*v;:bB/FHZSNl=iC}15TmY:Ek^8ci邊j7&uXvK^1nrKᆅǻBgd .0d اȸ~z]M R藣$[NKʲ]q8瘥:s%a=NneyωGf#[kҤJ! ["zY{4 B#=)bCỌFK Hz{`̎В)Ҧ a%l)Ŀ v '2pZs5aQgGlPPGG`ig Χ@4(X09 4!rb5I@M4 3!TL,82}uoߝ*h@in0+ΞFqe徚* 5]"uVT&`jc̀S揦faJ!-8$AT} <6jG@rՑr x9EBX b36 S- |k@~~/!ssܞx.!p ۥB:vIjR qPFZ]Cv\El Cà[7˥[:7-5'tظ2vK%g<<7T(FpJ5L)y.$l$PAjr΅T@,riQbjݩ3Ǐ P#JTMltSV_@>\lNٹ"0lc qnM;]G@.hǟfD+*"dL@I y{eZGGnALdˌ h1(_ @!1{M7֤3Z)6]QCl, 8J'Fn!ljkmQ 91FPT}NCY2RXg0D( `z;d?hOQN!"GA +ͫ$oWei!ù P_Kr#>Η}˗Υs! QPӦܜ#gL,p-i& L+GYeo>Qo6PY7n9?ꢆ`|Jp6{%acڤZJ"nr*,`Q je)03 5 VnG2"6 Ȁ<`X.E׏" H\ 5Q4e_՚/h)w"`J]p%N@PWDtq={k@O#piFu}Þ3;R9Rq{[-jA$&7łkw[w+w2;eە&*vXflYOֵ,f]ѮYwtqS8}.? ݒV~e SU'K]gY Z*Ypmc8gXUmͩ^dEq  Q6QFܑgD:~Rl$ 2Lu66*T*mo>|ud†ҍwBkOnٶye7zpA L7Q"`==.#=P(Կ}^%pnzLwD0NEi<^|/ssY:bx-ḷBJ#ϕYa'NPHY!)#+-9 p_uPkTLm1pp Urmm0 ūK }: Y9`˓$kTg%h8|h7aP VLgM[ppsb@k)KyY]+ye.+4AaBJmx_@ԡ& 7q`zxfiB$\s4J ZjŒac"~fÍM$E'hqkJS.pHq€B>"$\$XOr:=VPHh1lz`&~S^y(%VѶ6TBV[! wIU)JE0,az ,ًK0U ZPr A]ᘜPi!䧎nA׸+]i@Ej|S-:Oo9( 't[6ƜG9@Q$8l3g\ ؏[ټ:Щ]3(x>۵ p )F,dF! 
g\~Q5dmKGEXJ%4dPZ&,u|25{벣ٙZ&qC}*H#I2ɧ; Km"l "y `f;c$0L`ӈ:S)BgΜoŕ03`[%I6ݓ#g-3|l>a_?-], LQQR-+~͞lK7^_ص%|!y`!ERWL)Wy#̝+v1]nj6ڜ})ÐBT+s߻F=0o+[񑝿| 6JQ7݇sIf+$"UDPyYtRӅ5+Jt^Y~rߐq'O.[zFݭOFT|haIa~Zi^tIvě?4R)vłU ]3"?./ҷN{N$a*CC4) Y8ZUZRr m9#,~jjrΞ BL"+Ur/{pߔȴ\`!c{O=bR?şݗX$}ߵj`$Ź˫ZGq{B^Qa־9=5YO-ӦzH~>CC#RCh޲lw;8"ԢXp#V.M'6Cz!^`Mj%p:UU9u}u<< Zh0dp~ 8և|O5w3_>l DO601ZRj)StvͿ\ ;]ʣ/.Y4f1Ѿ>&@8p3VcqήO>|em߀^AG~I^Pf-,jyQdsYMgkk[{˯^U0xPos^Y#,_kd}bWlPFv 'DOGy gqew 1GDgW/8tp;C}&gׇ?|' F'UGz)+ʋueOe#o\OK^^^Jۍ6_COL̈ رOÑFͅƲ3k"- Lc]rQm"0VU)B;Gs"poXDoA:pcF c`!)"Ŋ4!L0B}M Kk#`mDW~gv|5Guո&wew@``|3S%ICWl*˩G}⢓lӫH?xl&zD.ӟ:Wfh2LȂzxydٗ˿^3{=#;G}rzYhϨe]mv 3hh,\Y4n IDAT]+CʪJI~R+WMZ`'p`vG []_)! . wm۳Vں_-C,B؄HI3 ;wM uWK)TAps0^.01!r[B`F:C,)yg:y-S ӕFG13Xqt[z]1*}z;wiDJ WPۥШw.}u׏=X ,K)&IZ[uҏo'.ˤ؃SG8&60+؋Ξr0Nn]oPB ?xV\|Whw3T{"EQ/]֒GhPtz\W$p$ЂEĞjw_3}\&|4t3_N+{^s쥑:ڄxr{o X*tt]  sSQ6 moЙOlx\ݍ'Fª|W!e1*6GgP\@'9,5znEq& du]e*p eP:0CU^!1`Tf\:6q"S@NEi;f<2bpPvp~౛ j b8 9h.ȕ8\X(p`¥$<|:)d%vڢ 2$@+n>t{qfIܽU@K$ C1@``kwvK rުֱB1(< ScҘ)`,"R.s#8n5 !ZsŸX`E±ʘ!@倫H7)N&8exB'Lj\> h:<&"P f- Fz`ߞ|cO w^#+S^Q_*jڳgDlB1$8dkׂn5}Wj7?@-U{ {bb䄹/0)^W.GʆxyA3-.ԮUiikJ<59^) MJ*s W%P3 vL_ 1b/6,P7DwTguUR+.zʛVn:pVK>uĀP`4іn94D]%? ~ )p^ܲ¢Reu=I2Wx Rc!ܷ 2dF2W 04gC+0E%nYg DpGt wwsuhbcVLoK( 2 LӺz?W9s8!sm)h1M+\;?Ɲt'?7A* R)%bucTǿ#@F͟;v $%.KRp&K|<чM2\qfϟ;qdrG|k/d̍ VOmE"l˅*%T>2]Sw4 65UU:XTtޠa8} nFRN~ p0i?SLdӬ],f^-ψϿdM/^Oo4~?Éa7!ٟh&l՘c[pDL?au|dԠg\1p8Κ̪ τp9{7/6XIYۯ4vʗ0(5s L79uT;i++}2p B{?^=8p3 _볔5I rT'XHz~{n֏O$9|;G5zl/8|8#(UޑT,{㯧 {"TRB o:DgTl$,%rBDž)qfRjБ3leJUrƼ`j-L~jCHe*̯;=|YߚFHjD{H&sa-/=zM/T%+#480IFSiW_@(ݼ| Hjs@"l]>gsKD,</ aEO4"ϼwl ]RR"e"Y&)qZLv"c{LRFج>fcr~cmKF J #PKk bOoglIim()wQ=:mQNxieo Z5WLB :R4;:Ok4MN T.p'"&q:3!n?NЛQT!JEA^#o6r#$IaLW"B.t/ sGF󝅙< mY^8x́l8 LU(u0a: 0)pQ]`L-U&h  qA'D(Vq *Qj%J 9հp12myId.Htʹ!xi|BA(WF)fq&lzm/ڛn'uߣc2?{>@%QjKPL hp\ (@\䵁^L!&v\r\(jD @g@t28Z܂SK5Mڀ5CA\rȠ(e39b(!฼ \$j`} F2hM\`,+Oy I4nWR@Ю[x3O􊄣ܸ-#ڟ68)ͯS.Rg<M>u ",)ٵ^+K R\ڏ48Nز\r'tÖv"p6T'4yB.UԌCO0O00.ODwx[6VXspP6@q֙]RZjll p[t_H iWS5[t! 2 -pO!p6`~C:BNMt/[YJ#c#J2'9٧nBa_Zk}b 7왤DQcm? 
qY/]@}=b9[UNde!a;a}$FuBJ߶&0p +73`HN8n3>|IDXmM$"L@cbewTuޮL8^i%w wO 5ڈ⣕j71y׏Ä(asUG.mdz̫y2v;imƹWW jzn[U/ݶ"oiA%ٞæmh˪״YX81I:rrXmO#pVéOs逞tCk }i=!/ v/*s\sT̊#ȥE'.Zӝr232J̩9dZ.3&MW4Et_ 1:Ag_}},:$Xq0%{ɮK-J5e5ե `Jܙ3P02xݦ=bQ&0L@,@;4gV:/藪f-5RnMrc(*A`L{Tk3?^xt}%L@{zPNM>H bme cha.X;Y͘Ph-zXA1@lY ?(J>:ì'۳a輇{ -{v݁VKO߇%#L {[p!O1/-A{m#PYIa#%c^c-x"37pg&DoqݚD_kVZ5Mæ G4[Wo;SO덆>e hSC k='ϗXiT$x` 97r4ڣ .H'5S4˹\z 9JkFq(`մpv٪=3eKa&|ɘȆk/ Ȁpd@Z.ź:+w~zG`K$VW>ED4j&]HV ^0> aGf"vAĸlXk$Oz`HO l0s Ƭ+$7s(Ca5 Hp2BN'nmEef0(1i:w\e?UjO_JO;^}W )#/@]ޞ; Jﳃ8~N]VA,9 uꊶ#%p]tgŝ@a94 C1J)*}ja`T4 zIa*O7P"pAkCG&,%:FҸjJwK[Z1bvcCje2ʀ"{: ˩|/&tl+15w45DP۪r? uv' N6gNOkغfD\?Ϻ7e_ L!viHY]iŦŏjOo2?S;Is^S3}Kh[y[† Dӷ/I.#6r/]/#gΟҿ]L=lFB$sFFXSYUkhקOKOV_G{uSFL8 h"OyIcl†0L#!XZpm72`<Ϗ--wV]y9eҬ'aif||d6+>9 sDONi83t)8yjPM"C= rπ1uvvJs,׺3;~OAn?>(ԕ}5p(K@e4OSOvPaը NyQ)iO~$fX:葜=SUp&7'μ97։?;wlȱu]}$V*'/9*H2?Pxz*pH6>",]DY.촓ƂmGunjUTŘك'f>n3!חUQ~XT9Y-Y&!e:ĽsICIjBϼn }onqE2'l P5%kDc u}_^| B a1 K\Ƥ.y1Z_~h5BhwOӃEU:- u KF]o0Ug-ʳ.Cˊ"PSo 6mcN:&Z Q3.^ޮj#)(7ts;//kĝ{1*:coѱ|]0HEd׌ѓ->6?X0sٍç O6Xͬ .7-Htzym;Ed"TAwEбH )r2fTF{˹E3Hu pH:4 ؒV(bQE3G%")DD8i1T*r|݆m߆{M6شwCZ^Vέfi3W~A긪Ho9r3u@IqRaMD"n饁q@ƷD)% 8m6;wʊ 7ց_u>b8q`les?-t3ƨs[`R}$CbM8mDUIh sP'チI"6 b5 vx05̀p(NPpɍf}cE HȢ q"u!Lt t1N(=,dbz;ќc_!sN@^oɯ'7w e*IXT8T"92}_ IDATSe Zo-f`ja\TlI){ uA}@)-ajYW5΂*VXWwSΏwH#h-1g\$;(`(;mRB g`66̨L#9HaZ\PduFn&,[ȃ Bf4_ΚMXT@hKJ+{xSyxw!N&#sz [Sk2@pQameLq1ŻyJH7Zg͆= ݹ:]@WPPIbn"le'y{v&F'%$s4e&uRIH{0҄F[BV Pa4 f[\QZC"pn%#3 ;H03Fʠk!fU3DbhgZ cmPcJ=.+>T6 66{Z`%ri_OYՂM;8%&kswd/+U&@if,!}t:-#_/`8fƣhjD]) :Q~Rսy{EiXܹ_B+7]?Ż'_JO͔_jޘy>]}ٱ;:jtY(J[w_JrvD3tL[BP?vb 3e ^`D){'6oF(5'GH[FftlQhړ} DJƤt\["lVtl؎Q5XĐ^YXZ(JE"H `a.IP`J`5|zJ[)#\#/hQdEAHY܄ %J]NT$=ܣedd-/[Ms(;Z}]"G\}m N';U!pMM1{ǻ ͵(ulm!hPP84eF̥J[srΗp;8x>'uWސuHBKy2Ny6 ek-9e!J$=:Iq-.1^ꥐdmIobՄMuU [vkr-?s+R@/ᘒ0|wQ؁+7Ԭ[D]`DWn>|)7@P0GטJ5tie *ȟ1Em {=*ؓâ`EZ$l+7ᑗ:#9d\XaAHMҀ9 gTW"YHx;cBb'<6 HE:q;U]f.'>tPq}oAOz> yb"DD!& a[F _fFA@C}$_,O( SwnΎ?ڷ$fb;bua(etlx>̩Q d><ǒq!#Nrܺ[ur6(rSu92#fD|}#}DNSsy 
-GP#O^4gvY|Vd^\2H%R#Tyt7)(-4\4~Nx98ǠkȰ:U7-ɥoP7Y^?5Խu/.9HNqcŦ}C{ܢZ&8dGNu>cpHհXVrh>!={(CWKy-/䡽&Pe|*Hy^*Ď sggu('mCLM73bfghO-/ uPH!f(4^AlہԉvȐAKHE#-$ʙv -u$78cIeS> 4cJX1&B0 +g޷$lM7v'];V9QyǗB?07 ĹqRM ɭٛ2a#s)cG:;M3 ڡ#~;MS o_!!x8q{ZuzkW Ǎ jYxt[*cS[Vޚ &<šNn$>X ,1XP+/ ,2E[m{dg͸r#f yuW4}5%}b]LpWtKܡ햶2Kzd[$]\kiY tր+Lړ0G/'dfiXjplO587 '_^i a#Xq,gIcAuUhaNyh-xƩ \Br, nsUwmwű!d} +>tVTXubQp2WꗟܸTq=5KqkԞ*W?P)qeqn,]qϻ/%l7l۷ IL|`8sR-|wvTTp[;m\9KG OP&]8t"@I6^rWO LpmԀ|kad qR[{hӑam6osd^FXsCLK* f5@u8 ju[qW5)vf0֬4mvem7Dj{^Nabs)piYӔ<Iה1B"ю$,.G&zEQon^px{ cҬ?8/9nA%/n=y%y_.9cq $D6T39YG΂yL=&a9.w|O4N5*+3fҒs`+5GOZC'lѩnC Tfa6-fK_[V3_ݎ3 WA!X[vliPx [;dMŅ9gU8oNI\<-iw/ Z,2퓙N(zLLQ}U8X-:x/917GV]{ ypMDŝ.RAp̴)F>6ٺ#A!S1% 2ٍ6Xa ]bC NjE:)5﷼yhWܬ?SNCRGV|י{NUEL輦eyg]$Y~cr٤MDkGS*󅞠L/#PH(*|<ڲӜ1Y?|f>n͉!m1/gR=#IۡғKN΅h8jL:~M8XMx~,A޺hx~F4;d5_ղ`++Ot˛;XzD:|JPa_ >w8.@%B-J)LIV{=$^ xhNJ SƌK p\B$ZBĢTL(`O A) n.CF["&4PзG>؆WsDqt{8;HcW%jl1$ӌS41D{GTP@w8x&_e\;3ͫoƁ6aRFd&hZ} ƾcn!q*Fal:2(4?y2A=dl`R'13S gvI A4J1B@̀Bz (~'XVP*(4rGqFX&x`A PT:&;~oQ8P,PųsʬeKWkX(}G ڬt v*hRY7&b)ivؤe ũ+`@(8ZH`\*c0:6k*xp*2)`J`T ڢݨ#pR AnD(SqG9|[6+=qyidwo ̭_T9`PUɄ/-8X^^כ5++cwT8ds%2$cr\|pefZrD3X%IPv~ޔk~~mQ՞_:& `2p/daў8jIܧG h [5>FSU=>kAMhg<^?]Tز3٤G4A݉9u1|j(+ӗ-  3Zw&-v=&-<N3Y댱Ǹa%'& &{wxS_3+w_>up_y3cF6#Əq߿Z)3K ǯertpsjJ٩6gӯ EY>Z!>*\\uqƒQ_,$!Ds0RՍ.MIや *XT1 {FYikפC|-;,ܫQUgé *P\u A}sa#^c҉+˿ɔn7#Hc~{U:ဓqQ?K ޯth'.-,mwVi?kͅ]XȤ{6 !g$\~mgQxLeGI+NY3ܵD=4էOy^Euau@Yt0Wgo'aqWĭV BXi$s{yVޮG->mBq+%M2!Iy mw7'/߲zGݤotf/9 єf]qYZX㇆PZ\4=0gO 6NVs x'OSGCgST턽1cL}鄽m!Μpo9#fAZCenտƎ~? 
Й_O7_aۢ?Cݼ==_QK=逸|}>fdPXW]?aw~t!~і3o"]c>ޯ:äu}>-<KEY Y8f{Ρ znkb멤U'*8KD& Q^9Z;dժ@)Ipݒ|F%@)UYTԘ{ 9{:i~#,"%p8jHzeeEu ƕ[Lna®ccMj5鹓xl3%AcNsoKz;V*ݗ>6otxH n]P\9.H`k5,?R08(`#zLLiEcaަ:eZaXuD߽=#(`gZ!-F@1&2Z64 Eħc s5}zEň-5Y{rne{\]SV,zq<7&y 6I ϕ;nB}DBjʤ[SB D:1iND_X36tZ$zмJwFڤ{fBd|S7>+Is'ymAYi1~bA Í `峽.kE_Zv3ㅑD/o _[͙oT5CofE2)j/&63$w+h{oyw_X=ҭ?|="Qp/'y7y:yMNJ`Oԗ$ae 9D<,zm!1C'c-\ SS"$*JC$~;^!2J6u`WSIƚ:?,#Fy SE0؈HOd!נW}Rh@It2E:Zybh[y̮ ;hE>D}trX8 ]؅ SDw;td]R6܌ &U,u#0c{`C`6O]p~!S3/[Д,6ޕ$ L0{wځLFVف4U"dوB[BaP*k\ӝʼnWԷo 0M`ޞvlD]y  xq ժ.hָb@GQL3%%*}|zf%u鐎20]E`<xbכs{iFVīw HcWF/Ji?!QV+:-`ru֜p7D֛'7 65iVQkzI]\ft(9eṽ )<1seNj"p,4s{u$GVzNߜ ɁV 8m0% 1q/.B^7+,ȣ&E!|qf "&>:/yj lm4~A@* tZ;y[HXYFWcsоF(X%^k D[`~וII;v[&ƍLYjĴI;vӧrU`Vh1bfL?4*FZM6) Tr{vw=O^P>\j"Hĺ|km \trA" `]V|IsMMg-W&l;TeMksms+@Dm?cc@Gi4=l:fo1oώ1v` MRPb$7?o}я !L>le>}'oVgEQs}"0< 'ֻ4Է&PHTVRuWE**h Ngz!$ސDQIX:2E’*eg3fB!KפdUmG o3DB`7ӫ3=MRes!#։mEѦi.@q9&/)b)6y ؀gj+A<8bp멃n>z>#Ew69"@s)ɢU[t aY{uut_LYja2kRݒd]XDl9T<\$7"  'f* . IDATG;o|oz4S5X({mյ*E^YmMh(.Hy\P`:{HXr(=򡲱NeG6+&%X[V_[j JsRŠէ_O%xKl@ˤbNfM,3gw(ؕgzyP~\0֚]>rA[nZϓ8%zOiJ/p`LXw⻿`QEHxg\⠉z[q;[*swvI/_+,9A"h fc]Iw\;BG 0U[XGFQ'ܿ#ecItQoZ}hL$dRǗ}|~N&Ga ,:'Q 'rcbIG"[ xf%K>5w'ҩ 7>L{B@`BGYN+ۯT~6 Zd'T&Me)Xkm_L2SHZ rva>^8YE=a8߯ǸOz3FV;lTğ'=SN0KCfƮ $lKǃ Iϭ{ߪPOdngi͇O5K!+]*P@ 5guxF1{c;nyHhdIj/gg'+-*.4& qwS_W]olGNSq??NH`@+ HBY]cMu]E*fy @L"}#`>Lb"M?A8Ĩ ~&8,  @~7z# f>GW:z4jZcZ>z~X a3{WKi՟~1vtQuP՚ʄn>֒!0&XLt*gpeIW}xzDz"h1I6Uz 6LdiW'6-AŨL˰`snnW~p˗? Ij`įn|c63sZ^y_ҶF8|ݣg7lڮ `!<"kZhX+^ Je c6gGہ5=q+iҥ}kEOR!~qYj88 9:,%xm-xC5h+(*tt:ݦ~HmC"S' * o8Z}wXRᮻ-Dk6cwY p+2kC6sHpVV[  -ꗿD=\u0VgM-w3JPfr.zwܚ d66+n (d& naSf+&ۡ3W*o% ɇL&HQƒG<0ŰCLJi|"IWM vs66Ax44Qv릳#:)pq _s$6 C2:6>AԀ_s=R1)!îJ. {f`;_ $((m=C :[ 0hfڂ@hԨfiG;l,!f]WxFld /k!dCIDVدkLOfNdty4 `p' Y>q¥x+*}{#E._K°1t0G䟫1.]]܆WTZzH܁=^nf{{b ?p"? 
dh@,“p86m_!D%BH7>h\yƂ ?3NN?,nw{no py ?o%cki-{;Fo edAɐ^cOYH5N񆔔 ,^ܝu#y^:-Ӥיq܆)6?qߙ%ۙ`:?44t*պwL`2d4qgg*m@m{):;b t|湲x~Okk->=UVYYXִQڦ#uuUUeeՊ:C1gsKoב-o[OB)AQԕUUS BQ4m>ۿE][; Wso`֘A:DvY P)*$w @b'5J5J|h**ϥbztyX o[gwӌ1IF[_%3|1ǪrsߌCo[hp6iϒs^F}\zc;r~L[9u\5b59 :(\km@5٩27!mQܐ6I7lV\9V e2mٸjF\u7mx9L641m/+f" `0(@Vm&ZTW}3n㢓KBZ YۡK򫄐g>hEQ`}FTzo@mS _lP*:ˏ~J3'3#n 3#]tz3bs`Ufſ~6d ]Nmfⵋ%:t*E-ZۀҠlZ7φ `Din}%fU'xg#|!#%CH]W # 1xT@ì`1SݧN _`K`)4޼՗_npۧ7 sp31Ⱦ5 pۡK=%xدƁ0G?h?pUj=#H|y? V(cCzVTa8zC; $9<KBUu. Tk,T^' dR)F-xANfyt^]0\kTՕ8bNfʖ00AR:l`=OhUܬ.񆵃{LcAQj4VQ6t{/ vUd.PW0˂qEg`DzKHԠϩ ĐtSuw֮o$og7v 5YL?7>D L y4X_RV|ܤv}? /l`לt8vy갶S' 0WB6ڠ|7Kt-M4{EV1 \Vtt/L8mק9)\0j2'%13%EIVaՖ禤V8v~1b.ɠVVh\JiJ <VSU> /\ĖU^FZ/@/_<?V o|l̩5r3WPM{9Q'x)4&ݢ9k6vmbi4+I'|~vOOΉw4x﷟!bp3=*LqL`/ޭ,(0a\csAOI]fQ~ѯJeݹ3ٴ7L ,ct~xeYey-H$2A3g\M'aK0\S]p|o*q`g6V\YmcfM:=Xy.|yr27d ?W'qCeUV(HS,qyf}̑`G1W:GgG}ĊY2ãxoH*4U;=R*ߥ":p&+'W" N?8X(Բjե;C1mgiGh>h]]Y |`t1oXֺX^]ߞO測\9YzV 0`ctvgE$`gb97OkԚM|vkf~u~sKugV#W&/vy l9S |`ϮLygWvΚ,tXdCƊ8מ "6v&"&?*(nhXq}}~⑆ V_mo#zN6ڶN-,$2gW@60DwP0xMXsL~mۛ,.ݶkۮ};:Y|IYq;vpH`y?Jzy櫛>)Vݐ{_9J^SxUܧ'ucFb4e58NZgOƚmy47g/> ]|^Fg~}ԑyjpO7I,XH/!> Н?mq>}uB<1vܳcGnGnYь <h~QC9ٰS(HzBjBkeaH8(sF>SccJ0tͿ}d f]jS3b_\`79`US^2l祟5)+qGJMsv '%.nN0u jT `܍I-ܒ {c~ ;wE[H_,_풚D51WZ92O"tsK1#@[~[B)+K4Wb5!`Wl@sڋeEfȹf.jPj+KUҌDyv )0vc=.++0%bByߍ#0 %".I'j<$85]{ Ý b*UW=+hN}7V}0 ==ZPpVCHDVb"2dV4HQģp lL`Xhf8 %J-t U3X]7tv8ހWS'(fb..5Ȓz oz#7i1.e3nЪIBV:q:2,+!XcNB%FlMּ)OV\dix?) 'FLoԛ\r7i> NB) 5aS(z_`#n $M䱂lVkdY(]KbVyp:ەNLѬ2d\OaR+jt*7ԤST*`LjUjToT @A c B]MEv */`>x׭K=mH gYG#M}}JqMzlƠ"JJ&d?*}#@-`{glɿj09H "U(\2_u[lڐfY~`3 l`Z5dJPyKlDج+_8BcDK)q~#Z=*;juMoG9}ktL]HNW<~PXcLw6잋Ou3I4j]S[5iHȌ(V}r@ya.4pk=![a SPxrt]x_GTweٜ$rͅ- g9}^^ܓ\BxQX 7č'{4_ha[ /yWPIg|Fķ'+x#P)T2|*|u?s]/)ν'! 
囷p1²6a!{*x?Y&s8:Q4 ^ ]z=B束vUƢ7qK_$F5D;7Ď7lCI+p/{s'_KF* / IDATĘquHLA#֓:h$$LV]YΌhLڗ?}H4];eFEHT$8ij)Z5phPortd*.ͪe<%1P_m?oXI[~'V1ӷa(M,5?L4'Oɿ}\9+MQ4/c{ͺ_yE;@<' ~vv Ӗ]zdzzA5F; jX0g$Ho5G X9G"Ƅ>0[輻Z0wXOX$hg#j't #`C9> tffU a;(繼6NJ΃[[s*/C]0(9{W7]K˹!t7K'%βX<'m&k4gFԂdB2LshSؔVzfDP)mO@&^Rmb%lF +> t*P g0 J61us9P~Csp;01j6F` c6?ב";y_~b/oSiv=5[$iZNm$3"Jd-Ғʱv& Z;BPW,jIeјCGus!pƦuV(:6}\|ѵ (p>BaQQ`A[3¾&㈾ $;!?ʍe;۸旝Oٜy}r7uw |c(y;]c)/z#yfK_8=rQiQPq @/dzЂZZi@QM8'J[8uPq,H$d Q]{J(uo~B?ur ׆7$:tm\ǀa9Wjt89h%(Uio]i`fe:s)3ݩ,Rtp4k8& Xy?yjIyo #iN|w[&z7zÁuTͻ]{;?ztOo؇~QV蟬)_~KgFn~?eW~]ұlS)~*278GT7uZ$4q6nEghPp5`-oP+rjTmSc6CNh*5C3wlL _*u 4j^{&jdԨJ8Qj(D58N``&!-ઃo_:ǔ&ed0WŦ2WZMx:%%ϊG 5vDNd>5oܒ]0Y/ r#(Rg}V3qEz 8m1 .#aj|D15O3+GP 9_6hvF?Τ_P)Hw"+/eĢ 8Cpq1:`hEԤ%{^)w䘌:Y֚ +ts>pq?L]3`W*nC AsGfu&Ҟ$#^{Wtv=PRB75OϭyPYGDZ 7DЙ(>g-ymZ!״ZRmTn1j4~3J8F"ә.d7꼧&p2cڑAX5p2a@9Jo҂(NS)La-Z{lR[H<* 8`Š'" S"u˷np9"'ȝ&&LK=ĤK<ڗBBG + g p,bf5^v,[)lC5 Bk~ъPR$`VHX,`y!iV\>q0peNo^̙vLY@+N'h#GH *L4Йӣ"w|:*-Nu֘L@!SRs x (B,$~P.iiW猍 JMK^J"z -"[Bc0>l [tG1O`Y`j~i_1 c(Oyf鼫ܣ}$.Mj)T ZЁYW} 5@E 4~#vn#'̹RPi;o%}28yI6Mww:'0j|QsT;Wn(zysx`f W L1tPhDG "3$>/lӇY)}f uLԔ^=x|Cݰ뛶lO>˂_Xe0P3*nK7i.7l\}859aE]^L*])^f,)q 5\]\+ԯ̺X.˿[wS$}ld؉.\DuV]$MM֩>ŬaL §n,ꡜ*֣!igiLNYeFꪟ.Ը.ܺKu÷wVU/t3Q<6բ;[4xkBaN͈ل(saCY9[I'ٛ{mQ^/{(|h?ȳx?L]r֪zLw˰Q8w{>YPYީ#ڼjT>yE5- ,[S˓ܰA˸Ur32"ROaQaeZ+jDW46U EzJ%2)͵q]Lq>Q>|EMҮ\u]8O.{#gOc㇄f]#׿s{E s*}A֭WOV_t}g$ۼv,1`ׁ*2&s}Id^|~^t=kg[8Π`T*xtsQuvhҾƊ,vY#]* a(9ױ_Df֍6QU[~C4q< hUU;np$)wy%NWk(T&/X>j@OOG)x~Te}{2چM C&<5|H .y8% ;v._ow!pr Ձ&S"DvfZ֪[ҫEm#*EaaڎD&5rD2-w1% "C|:zL}ѱҢ:rZ Yd'S__hR֝oj0Gu('.d(֦hBzDr.zbEuW}C^_@.'{BoIȡYQv#X 4 %0BML&G+`]Y{Ht Yt$OpEWoF%5=)SlKRi97`M &9TVp I^#'A³jX .ADqD!/yqlHgNV~1|άn wiSϺ~F ݝ /єܱcO#Tm% &#Eq%%j,wwq EoPJF=GK4i%54 KJR1 xCf BY9ib~۠_ ՘B?t~AdɀfU֣SbRnph-Pm,Ll2t/$ˈEN=9Ym w̌wE{ Dnq ^`ϲ*o]盯vہ\ GwpJ#JSW˦`(;\'ƻ4' &Ml۝(R&LCwTIit,\tAE<הf^r'DB|wmǓkW'_ q⎉ ܙq!+2O+w`89=؀ 4#p3W)Br=ȴT)A)ɰ]AUgUXL:\`ReD*-^sv竫s1*58pDcÎ4ik r-:$ md".Zڎwܻ{N˼P0md\Sf*4mMl(J^ƒK2y#}nSQm&Jaa9>cNmbo/q|^8#!\_YϏcn\8Fnpg=zZB1axpz~TU|C}AFK෿yԉ3Vi-pމeg] 5m2z@Tv@LW|j](GDH<^"6R-u˓{o)<\.rw 
f[_UZ{Jit lکsp7e]]PPИF%z:, sg;}V1 1 ,*0G=3a`v@nrIWx+{U#̛3h{n ^&Ae;nm"A#u#I LZ:"$۽ztN:Q[Uͫ˩*`զz(e*mEJIaGv51sL_&0o{2h TJEY |*|v}ظBo^/Al^9E.ݱi:^Wu{y/x2x铧:IƆ-6| ]`ɵ7.gr!R2q@p(zZ1Mh?~;J#\*K?rϵJO ҕ%:&pvrB8"A|T!t1,xj97~j&cԞ%u #X;a9;,zNg"S_ܺjh$XjCM՛|{X}vmuddFc?]Q85f"A:O^s*?]dv9`[Gx 8%=JJ{O9†`ؐ>L!q\PWwCu1/m"X<Ah(\._ tAa"g\ K0 dފiC4'^%12k-UT5f p=yI_Eիl1Hc~H8fm 0{&EF;h?& [ hV*ʅ$PXQt%,_oCMm~~CmD&H&jsDJɂӁL 0xzҏ O  %Qe859(D͇(wdEji?҆x6iXSc!AcB`y%TNx#ie9tÊNH.K(Ȗ ǡEb"H"zǗkGmOzd`OBO޸`}IcmΟvMZk{sO2.u~?#"J#]M\e/i1-썑O4zdv>A'A߇Lױ wQBZ` @c"0p>=P%2{]+]] x{"0 ]E;'|.^&;a DQ]GxG馢uy}FbWoul/M &e}~6Oi?W,DVT w8 L*}|F[=ɋzg3y4.II' u2?x^@tW{Mr^} iIu;aJ(q&xDn_T 7YkN7ڶ6)kpe֖ZViTΧrEQIb _S'?lzd%:W{ OC4UU(#شi|G9-i?-*Q-cԅFHSȀUqvǥrr:* W ݅g_V/ 0s)6y1 Jh\~ܸC ͅ F5^kubk\x6^]GX=0D_0Ck7M2x#{_+*N33V HBPfDqt׷w)g vuCD4mQf\gX:BQigtUlT J[,f({dӫJbC6USS V&?i޲;aJ7sw/R֦X Z/uVV)>n ŗ7l#Jќ|t ɬcGEpGp:4!]SәmtNRBBh ]b&(An~a~B}p^mC0+Dù?:6t]ʛr|Z^pPg9k´,Y̗up6 $6F{_z,ᮎtӉ4Vc+霹tGis}'Ԯ'ϞoYqY^ͥ~`pZtNQݮ"w^3Vlږf5/)k*_i(ƶn/*ǘ'Gy|y(|uCy(6W\ytn.7za; ONgoCx$]ZM_ `oU)a~s^6k0Px">8_aښ#Zb+6Ԥhu kc[TJi/?KЇ?Xp0[bB[ y%> y&x#|4 AeMG|O ph!DB|XOM6$;_Of1qPĠx: ,9{]Z>xr8b=|t `U洆/},]WSvt!Dե0 i ~Ql0ԁu/jx`|/:.Ph@FQ ;e91#:|I‚b=Gg,3UI6w*O[m."'u0aXS*;\*4q/x+Cq`kA,=˕ŬmO*QyO76uXfψ/#5o]?x,o`\9iClygʣyF+]c֞ەY~ {M$$FD4GO=#oYf>ZbyhAd"Ow)dD/WDFv1]Kc}'`[;5:{x`@}fNF9dAQ~*KX4,W)3HT4rEרUc{C~+ p8v0wrAmꆒl5hiGC^LZB O+8Wj>~>l2k#Z,ll4R]*9h$'/VQW 24Toϒ=R}9ߝ=^ϫZmah8!cH!6e"`-v8NFO b{ PPeGKq^ F@!BUl !qUdS44b!uz@;\Qq ᆘ-#dknGt=-Mz˂򊜺sLwLFGtFf"[+jEKUGZZtT}u/&BϨ˔Y[߼O 3LJć,\%-͝fwvvH`ZH ucVgdobEeO4{#2šY(Gu9 QhL#Bwb$>A ugcVEcdmr45u٣#fd._9Ώ~ Ȟ )Y疍?PKeM0Qn(> e, gyT-\1SYc1Om>>(`):)˭,j㯌rʿve[nh1yr$HlIu%:d1ܛg(ί7/yWӸTsmmݦMz侀}rV|f;^Ns{(Ut><XPtx*ќ{Rߝ1 ̧nu*?ċ7Jg8u/If&eW.- y,- nD` IB(oQ&ejVy8lYUuMD޽.?`81q}[>K}4MԜ[xh+V-gkxQBO[:Q"ҩHcz/{?G3Z6}~ JZ=+C(4w4!~H/OccaG>>Ob*~۟yQ[ˤ$աE[I(?=b98iWPUۨYU_Hȣuny"{?`ͬ?@ &gq>uJ>>h KKj hI/,e,QL$3 _lXR:;yᏏ6ċ|`Z&Gc܀JJZS߁ ѰFI‰ H&dB[+nƊ'Ē)UZEX}jZ:@F0՘``xnqCGě,X 5k:ijӊJe$#*V) wR)kn{̇X5ُbW S#Y0v޾s4zݵ4N#7b w4"+UUW zl` L:d""ěx9C"=pox-AvF!@׿J$9 $4ZXTHBl$!1ZXqѷTJ=M 
)k.l1+Ri#8:#E쓱 縭پjfbq,mҪSlC¢ f#>JeŠ0z'" te+H :+җOPG&@Wy..l]~ M #<:pWsƖꭟݜcYKm@nO6I8#hЗBaf@w1k@vEGFٯPI#۪=_ 1X@ _X-&-%( 3ċj)ϱnPG' H5hLbt?/"8jI!>Z-Pmm$np07wBD Ez E"Ӏ(/kPڒf ˋϤs3gҐJScD4rl2JYB$bӮ q,!J)T6E_ɢ i|Pk5AnhybCLZ;JPf@TX=qsAY!0\(}޽$QcC ʡT7{D͹5?|ɾ$"D. ͵uJF@:p 8PP-)q3Ec)Rlps <34O~( RS n;% u. PJn ]Qkҝ:-|Ԣlkm$z&yOM[ϹMK}$Kb&Yz 6!qe3gIVE;|qWΕD:Q]Rw3!~߽mCʦ+ޕէ-[0dWӓlAmZ`6+ޥP5ߡe󝫬c$X{N,;bfVK%4`'fe??Vˌ_+c%k_ۂ>4T]йtƎ} ՍK31&-I `Y ]jɍ /\1:lFY " ?1P2J^97`bԊc _޻PeI-2?)U _v wz`|A{Ǒ5tz[O~0\Jy;7 {t x5tॳ4ݵ^~ݛY6<wqx:ѻ\||N&yZe-L&B+yDf$ÔJhygGI <@ c2~#!(Wta²ތ/;"u ? 稴7͇&מ e9iT_3.\ڡ=Ι\A]xQ wG/ w&}i[Kf%|-\^uYk\aLYQw<aLU^;P =*C55XA756*H\tJX0D.}h%dQ7)E^+k-w`!zJTt*1= mhUkjShL0-k Jq'd~J;Vj>S ޅsVݙ͠yrҚZ(GB;YERdD,L%{,&n]#L56H pƪESY#;W6qK/=tsQY`s}ZWD"CD0W P? V DFtu(t[vQӽvajeWZp?SU$0;&rb" PYҢƹ p_E5z+Bz"Y6uOfYlDb`h,*ofyFzfSM(|`oXu%g%EkrBμ2|}򱙬β1}w|퓌ˍoI2:-kqwFJ5͞~_%Wd)lͧmޏ;-A%a D`Ĺ=LG+ľK #m_ë- "PWZ a@uBP݇l@W(BDcW41ع aޕ_T DAzET`aU{hڅ=,ƎvH)`k `Q~YOw'(@3 *;خLq65"y9wȣhxCP"㸉_L{4uQ"$0 FgPDž$zڵ7|f8Fa aEDGDA87$ hА&.[cj,m)n(H?@h\$yY rofLze`pLW=OCCz֛]4h_`Sc޻P XQ(khXuV#@nH8&-XB192(:TnPԒbqS9yb?B݈H@ =io όd z\zRb=Ҹ .uKTGtWo6QՒ[OFՌcAo`8?v8Sʱt}~7d$=46fQ0_޻`RcS~o J'Ye$?jbmkTȥز^Ocǁ*p>RVeCX= ʬY-멌L  #aϯz?ďpi EynoeV|nij"G 股i:A2Q*r"3 f jD9BidP;aƦSH1k &ʡ;.:zHغo"= 0ҠOy0Xs 0}Hд w"XVDH4htxs \k$, }` ZF^cдhcȦ-);+6~18%PJa!ϩ(pJ!:vYQ;6&*LZzV|Bnk*],7 I_,.%VyʧV:@glgt~ 5zNe P&+zɩZUٛRf#TmϚ꧟h_p 4Zaf24vU=U "%Ab'rm\_ 1H" ƚfγҤ+i8{IN9P?1eٹQ~hK幊Kg߷d ES{q: 1ARt D6x ^`C<꼡~ß+ \KV_ٗD1bYxqMe~Ջ#u5mL8'0DI'M1|h šS&M Foy]IUNvRɠQt3dqlS`Q'fE\rUmCHL(ŧfR*B\ix%Rl #> Ңb3`jѦ4T}az !'Gr^J'6M!̠ :aź1 ̕.ņ/ @Xa#R Y8W/P)psXM / fskjŠ&3+tq/ĦL m05 ԁZF+ .@E q諽8TIt?a/9kYd%jv'> ef.JD{vp`#*֨ı߾E\z]D) SZ1Tsr-M3v¸QR|vU[u:~?i+ʏo?xEK_L8+k/f*6s<;gwUp) '֣eߧ_7Ϸ6DHF&ޡN%;EXRCp= c47O=Fс>*VVvfҪzUچSzx1Z>wFЖ'aOj_{NvO16=?UPK;g{>]G,ՇYsW=1[2;O݆oĥ $;NƝWA=9&SӧIl)O2RfKe6qq!̼?>dtv]_Cĝd.n6-VKX]QcpIL@Ev!@5)h{.:r%@YF5Ũ+^-0Ez fVV[WE]*kʼn([9JZyؗrt=ŔUgO)&scvKvXEM9.ݢ7)acb"'vaK] pA`c0\0PzPZZ(y ?Y ֊³Lf%0ۻzwם%Lhwo)zq'pݚ["}>7 sy|B9gY=wۦǵt^7ez E;oiQ|4glJ$PIZC88vM*͍|ű(/ 
[O3n_ȫK0.7q^0ѣ||&(P0m8kJnR{mUgy,ϬVX;L*)"$,JHedZC5|˱Yl1bحP#\v૽Uw1nO253? y)/b` kg_EM^y _%xBCV?9P(5v\64Ԡ;lA%+p_K j*Q¢aF }__UWӎץWQpH/p4zvB=Dt| d}uY,~b4~[xϨ+4!-y޿w(>kV94s'ھ ^!`:BgUG^{&1=ʟu2gO fq4dh.[Όnؘ/r8(4/͘cTҰ ~dm}Ҁ YEbRT6oܡ7f̾/9ޗ]:HغN&BMqk[+F !YLj9z X]WcEv |¬);|TZ|"TΒ S)6 N&X١?+ )B*&=qOgZX̄xiJ|DĖ'돪bY"tw$^ޟ<;D^~tC*B;D__Ͷ@&skr Na4scc8a$ґov3z[.\dg@ONܓ"'1{;ljPڎ#ksxy}/9Tq`= %0Q"*VD1N{1I4IЉYsӧMr199-#E" i:w70J| 0o_IX$"?N/3+KpqQ\F.%G _~h&]eVt*77uN & 6(g$:SH_:&<ՏA^c_5#w .KumԻX׿{$xN% `;D!SቑBE|_?|oͭb #㖘h֬%TzaiEGmN`>=1Vԯ ?'@K"QH0`kaQԤc`|UW4,$ 01TȚbWUP9I,U WGr;\1;4ӯ,5C)݃K 4șBF`d3"FgӾГ,%dKÂ^| 6d0Xӑ1:Ьi.l4r "Sכ F]Ko/R[@342]Q>Aыw؋>q8@9W&9Tz!8i!䷳WNPHwðp`х: 1yK;m8" ՖxXhoB{n+/FXbs0A)EV0u{`684w>Ёxf$rnװ$XBONND&v?ulԘ#kA|vQhm Yv/G\hL +^GJl먙r&.'pqT9L;?.MmI @[L.m]b|YRu]GX/whrPju s)= -OJĮޫzzU9M"Sųu&W+UlxP N``~Sd,~:pܿ9a/*1( {O/uB@7|I=I ?-b&?=l<kM3o./k&WД. W3 LC}b~Lņm幵~m%#._jW^u9quCLDA^ԃL6m|x|+y\avDL8Z 1`8zrܿT횒5ɎXK22b'vgJ /0ns9Ycpqv/Q@qp]FTl\][ %KFJo&@4  ؛]W~[v>٬Έ PA @eg^AK`a$ N;R{߽6Ac؀nW2n&(ԟ TN6O i顝Gh.k <\|̉YUUr` b묬hYxA^.JV_щb -EFXlsL =(hܕeX$0h呵߿n܃A=`2Fy% mUmZ`TT.קH$ ZU[MM}u" ܛPUN[G{y}rA] 4?AwvtFʃ-1\;]g/Y5ߍNSΪCu+67!q Z<5Ս:닎j$SSaE9;ڛ+Uw)6?LFbQ̨D0n-ZB3B xԨ1T{$@2ƌᄏUM$ԥfzY'IS֔F=p^wK8O[ NfB=~;O彩9O`)BmU{ (7aLf M&:oV0",XSZ)Sjl 3t=?1%ōN )4t;vI":! 
]=½16FbBeq6aMXpD*xpT'-چ mCwmژ[L߹JJB V.Çf#qo6‹'2ya*'No%zLF0cVh8`Er9ȧ2xOs[J(pN{ųC(X$Oz %;hJ tOᜩ<ť0Xq֕UbCmªA[+>LOV`|dl>ƽ;3q \ņڄD:L'ePS!}ΊԈ1S'{X~NMhSw6Wbbla:QP<)Cq4!Kˊ-A\Z ws &Ng2\Ub0M-GP*͍ݲS/)jϭzZ}noX;y?.}75溶NYˉ|f߷O/rq(WrFz|bȹ!o;n;S4s@7W/T08[byKx+S6يJv4 Py^a+Ln9pd_0ûfyC~NÉȌIH Ξkk-w$̟tO <ڤY*w.A^U隷*NiZe%f*s~_[-z`h'vT(Ҟ}zղx.3LӚۗG͞*?Sm ]PHmv|n''~q&[gD[(XA9WSK޴\DdP5tA=UŊ2G-Uql?F?S2XZ敖)Q-g&3$# ݽA5heLVGֵk;U3 4ЁWIMxKSs!FFm8?HxR'Q|SSg, '4ٺN;+dvy~aRG{euJ ؏)fݩcg_ IDATM}C{pH9wƂŁd I%[LV:ɂ&ڃa.Q#LD0dة;W*kAsI`u/= z&oHcJ=|ly}듼YRysT_s~= ^ \K9,q LpdkvX6i{uO% L##L B L*J%Nt—D(?*,j,ȫ aQ0<*阺Qi @"/aP]4N |3XF ^01Q?sD"^$8 w{Y,@B }gv}Ƭza 阍@fmwT/6'gmbٞYC]^K8/X֜+EYS)1 "9R~JX[-kw‹ `h$G `΄G'M0M!.)߉1}-\ODܓl/,c׉]Y[#S٬`#FzsYix`&AFBY71%11+b ?!~*p^(E g2ɗIJҸK捋&t._{L_/!Z̋?ԗ"1rT٭[_P7$f\PZz@6k^q!j]z/0L@bF㔣1&x -;,{.݄k:K`*6 <{['rͿ) Q"]#|B), 33"No,iCh {J|XO,Dm3i*v=, -@C`lOlC} /mGEGIW<1;ar(O,{]PĖ;5{uaudRWA{|umހ x݃Du9qD'ur}pfήd_V^3uN`wnTxۣ{Xn og䊸s"W! nCڮYfhU/SW!mU9CH /ृi':ၻ=eцkU3vTt4IL"l6EFCs^fVk+'|н{(6D\FbhoD"siC_ʬu0:x._G?8Ǹ%LUͳ_~5YѮ:^С(=!d F:x_flr1lL@i;:;;&XrMbSu0@)&)k([ΦQ<⮸/64|{_% E {~uɉKϫhbvO0^_KfؑH!98Ihjwc1;O9HxڞJ_Oӿ?8!h|O}9{Oѣ-9inOtjYу9n8VdJPJIIIii@ ?XXD=;϶lFibr@X8=~$o]qe" @-ĠX˞_.l55L1gk=)0'?u"C,ꎢwW^6&b>DRa  I!5n$}KX &Z2DGx7l˔/)D%u;+S?hAP9Q٭͂JVFg=Ƈl)>|l$tG(\T +2>d/pmpf('dRVPPP A 'Ug#Hq*8uM \͓gd*6aHK`NgؠQtp󖼣|;fy ȏ9%]M)K}/e143nJF%{w&[F TA'ٕC<I梽n,Q_еZGDr`}V٩c_]8eos8Noʁo[x'4ĴҼM5VivK_?ɋTN2~r6 ן.zy2 D#j6`".mR j[ӧ${pV}0fW36B5zugJ r4!ceMx +wÈc6mJEPs,_5n2_ #^9=]qUZ y8L:{ea4_O29[tyso6"m9ۜtO9ӦLM mmzZMF&b D -|b |V0`mdIDufH'Щd E|Lz+*r42Ecs5^n9/;cӣ{i?4> rP ya.*``<`8jbf[:mllԠ GprRI'3nO;>?e?. 
zW+hqP % Í/EF[xj5J3CerC"fiݺǛ3+˧"j[JkQ,e]NfQxSLJNY_v @Rm'` y|q\% ,;P-'σ-Tھ *F™{1DyFbt0 ޻!7["M@~l_ϽC>O8s!eO{-)l1֯9p$+AFʣθ}h8'ɡޟO|pž֖6oc(ZYu8u,& ɨ*MrBƄ9)Y̠oPO`5?o!ka߲|]C TyN)b)9Zs\ڠ71DqD~۩?0Wώ|x/`d+z$>/c}ۙ,^n4Qϑλ9#%P˿cq0c0r<';#&0$wQ]|\s#)BB+-VBQ(P(^ _v{{@8ߕξy3{3O}3r;HĂXtڄY C(sߜ{`ǒ#ѿh< Kt?_?a${=ce0^ya_< os\uWOAq'l%p95EA-"FW5shH!<:{6 #%͢{%Pba]X-z+\ڿ_Ƒ\AB sّ/Ks:ID`>-Ltr8/ݼ{ v]py,:SF+(^~r*% 2LkWTCso{9 p귒f 6A5n)\wxn)):h7]+Reh*L?%r8Xqa dqki8|'cO8h00V>,8^~^+bW'5sy|.m|@O稃KCo)pD̗˝[`?"< EsaWs6JKŨbNQ+e~CXo`%[y^::D[l6Ōhj͈_Wkjr;SyL@l]ɴ[eiNu2گƤ= E7%yKi!M- 85Cɍ1+fw{ &wcYgiw/Go| G*S9OlZcJ#8,38UaZ%@^ j<(c᩵$K EhV6zfͰ{_셑j16B ,TܩnVBߎ`8 nK.{|ω\H;21zbF؋{ӏ΍ݝzgzXl6o/r#qu@g`ʓCUz_}OqpP]GjNى+~_;D `# GY~8{bfg:R6B)yエK x> !,dbI4 vYh#OK2 Q(֯8Vl骿g2XzQN[]%Gp{w\WV}e͝;7>>2=& [G!5uGݭ~{#lx6͛+б|ĬNlܸRΝWF̙ѲzsBfoHu1]iNbI .qֵ}_(|Gzք CXj+pe/ր!vw5~~~9m7W'n_]s #"""99Gec?ydcTk=ǎ^6):MtMlOޥ\5f cC)b PZa_M:4g LcƔ>7.6 5bQ L8f@ ]VvS+l|{lE~ه$(rE˙ PaqW"?8/11qΝEwP,FY38[#g\\@DiM=jCI\ŰamYqN[[Rf];yohWc?C J5te=QȺ}r$M@!o  \~ⅽ/PVvo&d9#@%ݞlŜSln=0-g1 {ҎϏߖ|`wf/cAqjll=4jXbʭT@a=zVbU *[`|R  Qb0f'm=:xg,^8󔖤Yq$>6}qҙ#,P(P 8^$"!7֭Gn@3f]XO-Yw(9e7zZp)Klϩr]i35D8IRK:֐AeKZʰb1Ʃs $dpA~XM_kݢKeqoI\z+hnωl%,Ǚ/Fo:طJFs?H5h- EgZlF%zm}xpAɿN]U?{_C`i<G<~"HR9iMha  9%է]K_ $ZNۻe75D4tocinkL![M{Aܟ% ?ÇAAh#6#}6-_q@qv9ȄY16~GjB*a˖%dUGP*VKĮ#Gi67׈p27FNC˳"R̲:E&t2}Ewqш|EJ GQG*noib+9Dެi],8׸xFCbJC!09bhrN"8>Uȩ01=nL.͆Z 3@B 63곾s>_@"$̈́mAxͤ7*`zx K$[t/VKrT9_ bʔdJZ/)yr7w^N"ggHF!s}SGmqէKoU3g8a¬CKJXq,~gFNu5·osyz+ÂAAP S; ;,,Vc'a8&rV*mQ\%ֽK_{ Hm\nvЊw=whz]VQ4DU]ɽ۹MGQ$/چy#ppf00PE RMʕB$Iqh|S`#8}=ieGϩE!=BH9_t%X/<&  aC{>6{`OL-%<E#?{mOo7;[[6xz ~_|9 Po<>bK@.,}&i41 O[#C$s:NKRWλh}υ`YGLw@{h'N߫124R,u+)c;x kfLCǭ^0,AA֠ecx mv}:3OM-b vCɓ՝!ÁA#8"8)|ŒNs,~_W͵](ݥ΍ 6; Pc|rzu]3Tޑr|^}˜ |ٍb!"/t$Ѭ3BM]p $ o" L_Fcc D9/QČsoiSkɥQ"ڔU[ۘ  AlA @{u,_?Y.%lH%WV}J]X1}8`k_fuB"n0y`>獘Y`_v\th. 
/@GlM ,Xs܄|s=S?A)Fg4&%6,j㬱ߺZ|_/UYnJwKǵ oEh6ƪՅg/I3 íffE"^ݽ aAVouD@:v1<ރbc[XȬApJuBuj7<#A߮ˮZgA~t뉸 WW].8sE; E=N٧ZmKI)9f[w/mf}QVfJ­nf6Fŧ11=Mf-O%60n6fj1֪A^=ŝԂC$i(6848X8_ʿ$ F$Ja`,8ϜahC1 *-hd.iiн@Kn>#F Ci~-4lLi\0q=Of5O_y&twk_ٽ>pIeJS[JiUB>fmGVhJeh- [p1AiCo\KY0Sl岝) H}xJ|(Fzeq9ČS$aU%Ng2[٨+5#P,gn}]DDuN]S Ծ=EUٻg13~-]KN}NrjOohl.렎^5P z6/^"lD"5 zX*6FRF+ E0J=rˆ`B6FV8luDNf%sU:-&_A \Zg) .m=||q`.]{/޷s}Rf 88RߺVށg3<2vw/#a3+ːWَ q!i-׼ b|½]@!8|w+_3a& >c*>\ BĘ'$L1iZJyl*3Ŝ\9g =+o|7/n[Ϫ?ʪ-H/J*qV;%|?rwl])dl_ XirR\BJ>O!b*Gg1~zF[|S!dY5<3#h+?RY1/W,}3GR$ERKrl#J,dѦ$y 0', a|6Xb:i5O_3'rX|xCVR_b1p8w}Xn鯘TxQ͝YWi5f$\gӹ&?A+s)ElOa՘`c:|+H,I~ė6ꬴ2dOo+iם1/1> L,92GQ0Ijl7ڨLRjo׵4V8~AD*k[WAP C"[y3Zą&ERb_ qBJ-@tv +ghKXBmAn  ؝ʩ .1R'׎S%~;ij T HyBv0rqInw˔5VؤͿ ", Xu1lH AWcEy5;B\NNٜ-&#A VRr Q(6Lɱ` Vc3.SIJb7%G8BLQVC޹;I4;gZS2jS{[IO>mQޝ:WQuUc FlO07)Z(_'8T1ie br֎gnG")Db$Y%I7osJJuTPRrRʵ6†Ŋp9bL9WFg#Z|TI~VѹS> I>~xrajPJg)X /S`ktYӍ@/_on[#P+?_c,roiwo_G֎"9㤭FLPxo ڔK՞4ͪ/1dfr99Z-n8qQQ.#?Ճ'JP)v @&R'I%\\6)]FrT$ ӡ'<>O!H'O+s)ClOax1pD.so^gwQu=0y m:ABqvidMIpX@zDQ.__d!6d% J `' h"wo/ZCGqD 8z;@$ O! :KV:A1q 4h.`6Bfώ>ڱJV3Oڗvt]ZW  9<+ Lڳ2aWzϼHִ"U*4F%<{kڂ6$8>Jڪ']۷ꭆw|(ZHUT>CP*'U) qw000<lNsU<ټ˳TIO ]YU21igEJW\z=C2#gU0ȫ{5g,gE_^ YjNږ[A˳%zVd(JINVdmJUhvFq ]5>VT 8tۘq}ݚRӊ}vBļәAtumQ׾䳳 \HUX5yB=iG/ǃ7Ļg5{5FyHːjon:^(bI 8(+҂9lsoovn 1y|W'jxK=cq'ˤeܾu۩~L-U.Rqũ WSbJ-e@08M*q nkz-#lmKwwmUyt.+O8'?ʯ:Sp&TE5d`)Avb\`xF) [ț#x>V=\k 0m;Ab7L,ww8{R Q| * Xpؕ9 Gذ{# X+8ai}%F_bRLæU4ҊY&|F6mMQ].=a Gܕ]*Ձ0>zfO|2<@ɸ s=O#x*9Ed8; NU`ߡ :< ##s ūQˆڴhP@$ۜ'vNd2a cRBB/yxl1FĐus[也M,9̸̗M_5uke`9C[N7yV|-ءTLTr6HsoUH ݶf!=ZSv<8ɍcRl|nP]7!]~箵oDV\S8qaZG!2T]9CUO42A_C_ JB;KX|(=6GrA/۔gVWZ:#ؚ7YӃ\=EXəH' %)Hq.0TH{dӚ)Dm*b7 Ygܺ'vH٥7XY1Nt-LWyY.X{bK=|h-5 #zJ l1`aۊ IŅ9NH(fE?h\w~ѕ:͔jcK<C^r!Yta/ <$zBJV.G. 
M:})g OmG b6FdBT`.Y}Jǎ/_iN;.Լ FBrڦ#|VAY\Ggƍ,ؐYwK/Vqo:(S]N<@^Txѯ֭ CV%qsDEe#|'Oyb_Q:$j4_Q-=tmZ͐;W~˼x90Rn[Jq܌X(U6zF8t2${vz4-j|3/ܝN|K1h(8CE"vuUæIܙU?cOkx\raW;pIX @蠂&UK|[yᬪFE$6UKm_`/O'=`<Ū-^& "} Y1ck9X8bE1v!ia/h ӱQBI6u]ۈ, )BH 100E$rt(З8ݥE | H,N(CQRLG$¢HUy&GlE6G,G&099s:٥sxESܟա4Sa-$:X(#3C6\UeR+ÛZq:X.n&RYF#ATUMh1LfT-1-Q Y6FtP?*$*59{ttV28 vrZZ:F!3vlʠ:wbHi:3bB.}g#Jlܜb pBVFc-rL?lj(~i?mqbzU9̈i= I(W 줒x{[ ^՚Y{~ٟE t* PFߦɽk~UT9,8} Xt0decj-s[?ܜ x6+}T_Lr>޳LDٟ .tp vP% Ik Wst\1e@u_;6Y:%d٪n9ʳZ+_s Ikqڄb 7=c.u=VdU~m},T }_uPW~XVSZ=TH¬U(H&b*wխE/uw};LEYz@sb j\fdg/g\[XbJEt9_TYPT[%p6[[.2KpR)}Kڹ;=Υ03,uK\f..6K|3 ,JBI}Nn꭬b)漚:If?\3ڲdesϚ5kٵ^:#E.n~1R7Z;2nG!H֮1+mVR FL|!Co3ӅJ^ʔnReETrw8/ppP-Og ^r%ZT1y`l^hKT) IDATm;'W)qq'8$b 7z.T`C8zQ+N 挭fx1  ,8 #n|pzc XZ?T\ eCݺ#j7CS^q0w.x绷*b*v "t,JH _ Y,9|X=%=4u9"4gLEa\Z/ NOҵ07FlUcP0]w%Q?|OݺImB422Ut >0W5Gl5nj D9iM}yqɱ%v4 h_~T7ʻ7pX&%_F<1FvʿԻguu@Z l-5GC]eΏCeUοO#؞̘ 5GL lZP}$iS6ʻ\6+\4\/7m%&]`sLvڌڒ¼B AbZg0Vg2:xVd֙ "Vqa(i 6h=փm*apfFah>1Uvd]Ղ{*z}ZW"uU`Ag`B]M5yx60v!n𛾎m+W4; 6D7T\ai%xqS5W@ 9V g\;dPJ XlCNviV#DѪfsql۸zw7?M`02S<=Nv0gyߎT65L\o5V2nY _FyK'R B!ElJ|a~~ [xl[n߈!!뗿4Q۩oWcFKKVU)gC۵xL}hB.ߨ'N]ARU*md=I )qpeG0ҖiiC#TK}oo޶d&A8듏sƗK^MٹGK5$$̵}]Oɾkf$#ٿt5[ !w# (m's/H=<ҷ_B{g9%۲^$hlf6 J0.!BmH]5XU3ZMOJz#"U+%b6ޜ჉d .i1dX*e1f8r@o'Q.WFlؓKnvs"l`%EX<[w8gF@q7Qʕ=&HH_7'' ĈGͥE)Y+QBH^ ґ*M+,=JY, <3KrO%ZZb券!/WGRlN_mvJvJg!is1pU&/`+?yCv,8rQ vi.ThGuĘklyFHU sSvZ끔l"ÂA!:{ୣYg]6EEW,kޅśz/]FC]^$퇆\Zba$ q6QoDĚߞGKy+q&םwmcaڻ׿WN`Cqt:~3~?s^?,85"I67{肣5{uܟq|_4k7$jF\ޢuWlH>x ~CqYRZ`8 v[ \+ / Ԗʵ~ӂΧw m[,=ucxqZ0cy]'M/"`)# L̆S]_dFbi]KȭCלKE)(k ֗7}ZH]|$`Pd.A_o9 HA8F*c8"B@V/`kpș8BKeA7bfPPz-&޴'}WG<15rSZL8ː26rcˈdeJrDWWj!hii!Q J o[- qlwo8bY.fz:+6$ z daIl9b@vn}()5[Np4]$@P/:K6ʉe|-?jBlY)'`%}w):#aT[Of=)9AFN#bɽ Y19afeP,7ZsmFA~f>T׎}wbA.k! 
K6^ 4UhX1~wm3[x}<;H.fK1[۲Y,ceԋ*c POf?X}ex ÷$K*Mߍ58'/ Xj%J브^U 6Вbk5%$g z؈2$4[\AjB;w_yb3 > i3fܐz>%ַ\9?3CbM.PUP̤]BWY[_\nvVjUDs?9E+p*p9`//{OK8LMRŠ}}%ۻ[؈}(J|6Ŭ٬h y͜e6mHPtSr %YIjJu0_#¶єGxBz.LцFAq s`FxOym~rb'sU\$8Bwn[hA #R/GU!񋖭9Uo&bª"E 0n 0]D9N%MVˆp"u(NpEE:J%lJi6 9PfMKa 8"JzJ˓C#Zpy_Yg(rrɡe-ԖX.eq3DJg)..6Q+`>L#  cKbctsƨ^kF,m\0¶BB=TI4Z}JF-4gCPe?.ӎ|엎7bDLfJoqh[CUr ^ŕBrJ#T%j'ttAqA Xw,d [88.ࢊS(k( pAbD\gAbz{"8Q9)Dž+9ӆ0;4O+(P(@穅Bn YȆDA1"&݇3;IOK_.AWdHɥ̓E*E P!٣.z%5};hk{27;\{QGK˕yC;8ǰe}CCG{:;;a_OwQzpY`5ݳwqpf`hzux?e3?43_1-t"|yaOg^ ~[r$<h` ~\Hwnׅ#94GC/AVB}ҝ6PPpaP}(ndF |N6>/7<.NPZTPl4 uAHK`Vuc{ߧ7A%346 ?ys}k^=ҥ>뿝ykUT5D[^7B<gF5,! dDspƹ8!nC'!?:woL蘃$RPTyKr0E!<{?PgHQb)7J^s$_۬&hJnh(LL)>ԛϳ/Ɯh Ǯ亿`N*}U,TMP00髋K:⭺)|aE_A"sPuB9aEǒ2d]KLR"PF̑!Ȭerb+-F>{!j4ͻ7'MznkAl` !@!V b+s ,a$ńXѕiFP !!,#\B@c:/C] Ztjk2cP>ǩ߲4#fNT`@, 0P)mrlݓٿmms+^8~Rj@~c\,Ĕr|SCQ&qs]޿3+z(eֵM۱Dz}D<{kشVV3]:x9zTͭ^wPK,_g[<ޅ)uFoCG`00<9:D- c:Gq+}Bvasؚg@!!7tbiDKwGbJhEXaG`cpuK9b g'u\VL"ӟ,^1_Ԧm`ۦ6R6*7'qxl,9iLVKIq񹒘|)xUZ"+Wz h ) u&|[Pk4P1i RV+iu8A^b d 1ۮJ)$|UHJO&3Im')HF&%OGD=Ahf͊vpVck6[0o*Y<"pTpnU<ۏ!pw bq.9M"+xq͖p\I(5aEښkq֐Xzv RmQQaaa`xbzR84E &5HL~U̷U,Pha n_տ_tsMtkj #9!=Iko&X 2Ԥ5 V⮋f0[b]Y Ri ﴘX 3xz_e[R6]R/{(o\\@Q ZͪTy1(J|%Wro]rPjV>|hu(#F\ XP2aCI"JMDa_a(rڙ/%)#CMCe5%LNmԏӑW?}! k9үw?ֶ?uG lIJVng2޾V4u|)CV;ܘ^ *'s.zt&li=co?2 Yޞ!*ϻZOk 4RZ-֒ެ֖-ES݊KZb7?iSRmIH>کpD! QmnAA#S\A7lrfcq% 3V[[PZjET̵qDؓr\X) yE#nZi%ZC)P(#_IF/-wS)ט|l3w@{uĬ7\aD yvj5jϊj%`ZqlkޑQG+MԤTSg@\Zj8ς44TX–-b\Li=rŹR'D!MS$OKwxYa,Ca%99'>N’ѩޠ^6 | ,Aq 0·C^F IDATAρ։/K"v@h5J+k. @w`fҏ*eo)d[݁+8dN\@)_;vQDM3 KCcK(nw8%{GZ#ZCtdx6Gg򌅎^Ŧ/I,7aP2%Iu~٧v_ PFvf! 
M z/ې[pY$NAȡe|Z{:< 94{fZ\C{lhzڷAJ{0 FckLOY @ WEѳ=.Wsm2/'>/ [*ԀS@z=#$Ul4 ?ch)c|}o\Oؾc`ֶw&ș3Au' z"}eth/)Ot=?hyG3{rdiT7;0Uz9MvX׵&Lǩi#LAf105,Nbқ bǓ8s<3$hB$a2KL* a0-p97D+  `0U Kbw-pZKo1>o`i8z Zu9ٔ/ iZJp\p3̗VSQL='o=lh/5~o?qG?} + +ZU] a͖1s+8yzDž35W~J$AA^n" bVkbQ5\N =PgjV jXj.UB\h],SY7t7|u rs[NN/몲jgU/2i ʨ DPf'sz vߟx,X;9W6}WھpM.V4 "JhVO^FbgEn3L曱X&sKyW:;yfF!SH;͙:4 y/̆B3RIgdžt`Haϓc-Y ajB6CYvɁIt>:oƂrh^ ;bFJERNrZ&,EE5W2K п)//3<9FM^HqC*;(X)owK͘ޞꂔCVZ.a Ef k|J5F"AnEK;vəkWy ܮY,ד`0y5*+@F5%&Ymt^6pBH N#ȑyզmg+dǎh?y'6yQ:iL2m{;;z ]X1,t+,~hrrx,^vXMd- KK s}8yL8*uԦ9[W;X xǧ$T}}Vs[ן<֍=;V6o^Xmƴc.8XL;mn?|~-KUmi_=:"B,k45/g}RǞ^ۑkb"w^K%|x">:FBSիFD_L(\jZ kGHJeZ SlTibhq\i;6o8j {lNJ)/3+hfx+n3[?w~| /uKԄ9vi϶{XvѾ P GжA*PEx[7.]q6 4j'|ypl*_׳3~诏7g֬Y|gk];إRÒqzs!ݑwLIU0Q#饡]:D`D|e-ix0{N٤:_NJB[ɷ/*@?)]޼F 3h=*WuKnn9LMnC/;!qLqe7 Fx>{']4zFXʑ?-]*S٦m|Ƶ< ]oMDn%םDy_<:Q5OI +ۅczqt<uϢ5'̎7""#Α.Rծ}btCpoM71<{z3dž6u}'"&^Uvҭ&_-AHX1"Ϭe"*L?pdGZۺ5t]Ar#l*q#'>`E”Grc1|a9aT&`|rξŠ3O =4XƐ8<|U'D3lj `8n9V W8琤P4Øa U1&"]yX'د2*a9L0'ltZP8*`8V*\­$Aq`EcYֶϼ?̛*Hlux hqBDv 5ȋk#Hu^<'f S@A*5L +JexIu2R YVYxM &, w 8-?]ȇǚ%o-qM.B; F1딧5U1sO /KcjsU*h=r3>WOUw)%"0ǼZŖƠ""dk#2l(ĮsI0Xa<+<=Unv f3$lJ,0YkE3K4PbiА~ ZpEJZx%NbB*RLHlkF3Bgo-fm +Rc8L$;^DpJl?cE6RIĂs |tPhִyv}j|)aؠ!1[-C2W7'tVHjł."'ۏuu'ϻn4[+idͨN&x<<(/BJ>{w+ʾmYq΁2;aɒ\b7TGFh#I-K;aU wԡ` Iſ]{`^c{ yFLa֋;-EU}C&L*3g-?K_'sxֲwd |atnaJ mš,Xr}+zw 6=ʶ-YЄn;nmTƽV+再C7"*@nL HF坝sdeC٢6T1"7 NY$"h_[s&7YOÿ'8'ż,Y6/7aoޫ@˭yPX^~>;+CoxBQQrJ**Sb2Jceo;T6$;МR؇~_9w>kv]"Ƿl*KGC LI n6+_Ӿ}WoiM~ {]:mXPN# /!~!2~PfO&f#q a& @jH [ռ J2G{o+=#Eᾳe=4iCU5ʕŇ+G'm:^cĴ?TEyfst7u&tQQFtKb\CQH!T.@/`ճMtGy,qa;eGDeցXRi;b󘍷`u穸VvKq~/.y9iAhR&#x|}L"lGuO Ro@}_Q;BGuɿ:4ց./W>] DŽ&(Hkglvdb0 F; 5,2i/>*0n8κ6 c>88@ۢaJÓ ʄ' I4-9*#l[٬Y'-F0$!+2!2lɩOЫh-mrʺ[܀ZO8"dLC^byV[W:Tɧ/'#%+_rU=#>~zOMAc贏Fm1px8!`-|" ~:clDBh?FCCꓶ8vwQxX2f/-,3 a{GPߗzBxdSQ2MU:;i*3X8ZVJa]؄!YkEY ;aӨ$<#Tkd?Ocya]RhcM\󁴸ݒu̦ khCNbg@#]AW%erɀcO>vhD!$=U6QsqjdgJkZ+T1(8Q{8m91MU9'`R"*OpRqx 89VcSR \ppyQ, &diin50ݝwBF: NYm;8TZF0pTU_+NI75+W'ΫN54W{U-rC E#@38{LT&vhERJ=QDZcCGCNu6]$|PD (d'FwËHVn+#edij".s|7VqD,k#v;# WE.8TtM~z6$&?fE 
k+Z ӡjH I!PZDh ]2 $RҾ\g)k 6ۑѭ]G-|N.lo IDAT5󾟹@Ay=i)N WU k9p,쥢% UCcrˋ^죺= |Q\fTau{卩/v5̲N:6R"j)xJ Fb1,v=^o+z2EN1f[p#OЬ/f\7YhtS=D1?ݲ`΢,{W1mkzyJSgU("£Zkht-f7ĝj-xyJ pǵ0u \[Wuis-ٖ0hSo.Ռ`e3gO:ʹw 2s89Qʸ֪(*])IPI0BD \ȱ-oH73;xVJb|hܐ_+b`[ 9&»uJ%t~Eﰖ%AzF.z>@xco?-"3ذH 2HDT>&jֿ:s'# o^ @JS'T[b'_"^ Sn)+RXVj4g).6FZc3%8c(O??zUa;4GLxŕyV.&9H\gтP"+,Dgakr 5:T-nH"@Z2X<&x, nDcJ xc8לSZ#cuS+d܃#=;0̟>釛ݏM5Γ_ٲӺ}@JP=l`84w.yaGD*h1MFW4g<6'&F9~O?|jYqd߬O[b,?ݍm}^ž#OVu ۞✫Ϋ2ޘ2)xݼ9m{kFNo@D9WHJ&gy̶:6?1ekߝ/m;_yvWe E{|GjM-4Uj( "o Rg9 9`8(MUMJwmxۿ8k%k9kQnN9N߶i_}߶߷7WǴo⫄" ^ڽyvJf$1Dk$Bw.8mՖ WnX}m,1omX$Xy"?b.ZG_qi8Uh/d>]Q-gg[}mu=%tW!cբ=8o=9}u}Qe! QoK 7]̬ti7dej{|a܆_Z/O`дi[JC"d WȪ:ΎQ>6G:{;>߮;p܆RրsA&c^Uu9J1Y#tU?0,)#+(:$YŰ8;;{jaI;2_v.FZ0W5[et c:a?H|F** =q/0\7nO.D2x=g0Y[cք^Ш7n.?֩7(CDo`bZhýyaOON4 }&kTޤ 8)4RҊIU:\è.3NfFCFXz/[Wx佉=<$ 0f,xҸ&aIY0dlPS 3aQ}%b6"^->z,sJı!bɭ;p(yb/9;v+W ;g á9@8Ԃ;$`9ӔHؚ6* @a1q{yzw2iLeuJ޼jP_ag4t }Ŵl x Nh-[3s}dנ2ٸ?c;IF+ ShHa1ZlD!;bW b`EAf*lfV9OHZ1~>rty+[k,_WW~q|H6@gJm,!`mye0p EKPn*U+(+M\f CnnGyյٔ;pE"@8s oM?e +`urmHTU&ic[rbCq =b<48 rKn?Oєz^11%4mM|x4V޴bȔ hT0SQ# : FWeqL"|Iց9`]Ae8šKW?>Jm).5mէWw!rC~aɡ2$/XaOϷ[%>D#mMj% ?˝!}uɱ?͟.Z8#'S}BjzG/"axQ" d=>XS %kΙ'Kшw>PF qR/d*I JۏLnunN)ӣ]BL]tžSiBG;J Fx&%f+bXߨfe ӘݡCp6pz`pWKs_J8F8*hFk?EV3FX NǎQ]?djcjYTB&;k 0l0?yX y`'+Ym0`n|İqY> GUW63_zJED>HخNDE< `z߄!ݺ9Ը+tz7Q~{EBѹ9Z79+FD@K.o].~תmu%u0wFs-8@PIظq5.O"4œ3/N [^`PX۵PʰVUK`Yea4WP$Tn1s\ cj8\_Qt.H"#@30/Vt(Am/=L0 ?~C1NsȀ3aOTR}tpᓆޛ?u4M+ofz@VoT(""4-[EHRn|;IϿ-`WzT/:o; ̋E\B1omo@b-/5`߽kÞGՃsKRcm)uC@D+Ե4d7)S>]-Kx݅TVjZ=q'ὂG_2 ]yDbVІ$X*MC(gTa2r_ K0t&) N!j#f'k4$l'څK(Y񩟙qcV)>./i׶/TF*-?^911,38IHȨhX!/;3!zs?ryc SwcIz8عӀJ[37ӣs̞ŗw5@MO [3G%"-%zR$ܿ[K/k*PAbJǹCȸh?.K»MuhٺoZivȘYw0Q_ᢈf^ԌwMOH1ؾ߄0fX  @&6t){:ąӦ FZ,&CJ^=΁F-]h{ J sYp ¦ :l9kw_r /o"yJt`{~dnowP b}VϧrǢ!achQƈ"ĶܽBW YF'&}9{l >$$baz$Iq"(vFaq aϳk J7Ȃ`;'F X_+Y?]3A(kDh8<}/ΞR]9r  V^_H2iP1/R/\ngw>:qam}C>Jnۥv•{ۍ PKk-t  akȨD}ڒ7 /LY/p·E)90:bn6;f.|ԣxYx7$\8WM8&ů*{=ySNnҽmCԵ]QQ ak(Dh|;5cgmB?<t,xaW1"gQ(IDrEȄ"(|ovy`bE %tJ:\QO~a$'J91. 
`3M祒 :;'9]=lB C x "PHOf(c{LqUGx+TwK}}d 7+^a*/a r%- W 1l"MUQn9-'D O}>@3odv&BL [3?T<"E ɠDI_ ;A. պU3z[q[WXLvOy@V561椏F (ܣ{paAГQw<%$l-Q 8t $tښ=WIZfB *"_f0G޿WVDZյ+c5.kb^VթNf~xDW_\WbKe.r#fR,+_zpNF`][[g,6Ŕ`;,6 y7`#ɥ1wi3W @{E0b l < ׭?ѵ߀JmL֖{OBڒ3gZ |耉8WqjkD$cgaP) (ŒӳkZRaf@Q"pKp윁ziYxw6WLo0yX^==aR̒yXL[޶m=XgIDTTP|“fc},c h%M7_$l #kLg&3k`3n0/ie,1YС:aR%&z%Ge\vcYѾ3dQrLS`90b!15:Tzw T" IDy0DbgHy>QY*q|ι'^k@hsg>X Rewd I0ݕȚ _.5=sT""Z?m\:%6w&0nX Ar΅~_}x@>KKPB&VZ?2՚[o^q a-l("4 SY'w,Z{G8/GÊ'?j#^Cv`ٞ:xa;γ8A_@Qο]b̜zEWH8p߾}c yhr==2R9fI}{Xj:2C{vL΁].Z;+٧ˑƴm޻6u˓0dxBs4VH+xE{.IMH,ϛ|łО#Be⎣:GӮN,"a*"#Uj[ƿ.S,4)jz'r ʤB7 l61/K.,D-,g.nCB|G|19<ԁe1AجE8LN$wW*B1Â=",w禿DXB*,vA@vlDQ$N2tᠽX;g/d [4m9’z,g/O,BuH'f>z,?:hc;r3Gw+Y`QțgX+9pT_o""α6K! u}S IDAT+/sKs{S{ˡlM&Q akT(3Dh<N[N;/vDFS/ѸoDu⻒8GOj3F9""P?l_(Re:gc""r SZO}b{܈>{{c+ VHclcwnHAP$Xr-˘` =8du޿q&QKy aIX/-/5ۭn.],Cksck\(7Dh4.e2Y"^l鲢7/'7oqέ(7V'sƴ[κٺ>|+~b }ɒ+ZbPNɨˎuoWRrtua3AN0MA+_K֭8u>-ę }Av᢬DRSS'Mgsv%r 3j;]W(l>%8p=./ݿn #FzgVyc};%>[W=3N֋O˔OR;ד^|-H LJqJ2 RsϏ0(sㆣ~cHˇ$zlw.@B@pqa ,iZ<1`ځ~SWMݸ:bĸ's"QJnO?4F)Jh/uTj0\P+bP'm|Ǿ Yle Z kH^TP ++|2I& %_wxVǘW?[ȵr ̴~)ՎI=uJdyH%G;E;L a{k?!@0hi3{QEr%-+A$ a :|7K;ZWAhUH{3!\iݥnB8Kg=YtdԶ{3#%(9H[3"4I>cf 0<zF^=$*yXeW|&aSVѮ;%uGք1>NJj"ǒ;e B'q d~C7:uY;L Gzaž$A*9pZS)]mja0zf;6BynmY l>kFgM ϲ@$3}:l@,FP[,fR")cY'j%c4 I ^,g T딴c]ƛRytٸF5΍ f`r~~< (BI榔f|y~o/(-uJXx,vskuUȡzphnj4IJ9)#avAx 7y>g&zADhKKyꩄkLR%L{MCj$l1$] V~t43mCiJ?}gI Cޤ.% Q:+DR\#N lPcܠ5J4%*aSkR:u R)VIlr/-J|8엟N/D<\џu3ʼn?͚~>6g"<5v ʍd19Ku )lR&~jd-M~G[^݊ }HK J)#Ͻ.?S?YݛΓ#?r^{iTs>htGz3f(tFH;7@'4 j[fٶ&zu[;q7O^[*/#E?-6+tO=c)g*WeIhLsX%VG~~W>]3}&[업:z̽MR_@Na>4bE%lURo?=[lL#Q &lźiRO.Qii/ZVk|ϭa٬9v?m({8bDR߄S7~4ko)N'03DBV͇jW՜a\:Ŝ ?rsSSSuwP|px6q4P 1mA~sQMJDŪQFy)b w_) 9&kqE'׎ 崸6]HmXqs@w! ˜/ӱd2 VCUE#c:'{r3t\%$tޏJgVw7-j_9[%WbHe"pSe"Jj&E*RŜ_}W/Lxj ~2'xn,u!Cx,\^@5 +:s( *]eee;wmAz7XLZ,*?? 
A3jqI1&' {`^J- {jXoloy?8a $rP` 6)!H81&)x63[H(B:X" 3@_%;6۵wg}޼&6$EXseH#w`|>XX]=O>"R `r'5FS7l\3Q19xV³Xf_896Jz%Qv;jb'Š`-a&ph3-'6RXbJy˗n;Tq*(/֖_.0C5"f\< Z|^PbDĂ)-x5][["ڈgB^^^гn <3gδnݺ%?4m2ʂ|ϯ܅^х7_QXmXz3ڴ+:إөFRUEtuwil}݊OAD@PQ ;΂{oϟܽΙs9/][`snJ;)6,JR3T''ۜoEXxVmZcy1ݥr !9v:0T۹50 eQIIIp f0/?.:ˣjb7*DV{Ys^ r?z,a쪋N*qmFl%0BHxrrrÆ ]2/\:iܷGGڥts7rm5.,mԉ[u~Aa"\}Q[gꩳ3-4uw/T]ÇO ]A_16UA'qpPOO'5ceЮsUE>9k7o`B7]ov ІwM5'v2+KEJU\N~d+nѡ.?z*}K%UyV`<1vJ_OnLAiB5ߚO{5|W***@R>$u?ȢwK-uCgo|w}r嚶OHgmel`t$* iD4#)el™ǚԓ|Gf@iii 'R_a6;s3$Nm4/gfIԨu+(l "7O٣j1KwKkY USTW2tAI?eK Z}mn)/^#<#85kӮe3g;Y|B$ZxR ̙/(.2ppwD$gki(LhР0p^cysy:Jy; ^4gJw -<, b9=y:NٹDD7[{wݿQ/17'>tɛP#2L٥So۽EJᙅO m7]ԩ9ڰҕֶ^./~F.yj}&"v|8ud~ҕ,sdԭܺটZnw׈n~G@"T:3p&\8_x!TPHEŅ_)x86g*s33s*M,18 Lȗ3t+(T,(6^:r%}+n\oˮ7fʤגR$ǔKb^[NZ$A\BBZR\X^<>W+)U?z[CP4զQF36\_.v7w˷.hwuuqYqugT[`gN Qd_T}p<|'Ť-':}3%-OEd%?&8j\UB~пmZw0`vzF,Or8]|sCV"ƽ#ͪHEn3kġs6ϥuDRNZ)V#pmmY<`mǐ1)pS.S)QEt{nF }zUwA+߽cxyj5d[6HXLܭ^fI1e%^s7}@B*2_ 5vGY^aIIERp <82O n369cSqwam ln;r/ߍO B L"w޳bi}%n6sX؈6.^J|:FzkpjYtaw=[+ >)U,`0|_&[;5% Ւ׷Ḣ s- ةU!Q&˄JʰZUj+q~ S& *wR@,j (2K*yR ĉ!TS.Rg@teyjG ^9wq%Ė;TŅ Ѿ! 
Ƶob kVՠx xEyK_^Rc&?- bn< Wj/A%F=M?Y^iľTY>_?Y_°/?қ[pDBgٽ/Lk:?/ nxDhǹڷz鱣\W,y\oѴDPdѦWL= 5vcGv> \ZxI˩+N p4 inoi#:{@GU~jܾh hoH6NTnrz]tg3cW#~Rom$>(-GTm1 eint flkm p!%"R5m Ƙ}&:~ڂ8.(%jC)srڝG=|݁ GN+*/IKLi뜗1Z7)1iU'"KR3Kʫޠ^ʛcd1m< cDV Dlb'Swz:cǎF|ombuUz3p!e*tkcnKAW=}!OeՄgDe,\y97NeɁ4UG;.4[^!+(p)Am4weYV2#Ԙ;Q9}J ꪶʇ_v(uXj}޸slKSҽKchWd8V),w8=kȗd"4ؠe6jRDH%F8i@ ;ZX0L:'Hĥhͫ6rm!P5&9amPЉJo/ ] WwFOȝo'mS/i7|Z?NM[SR͛XF ZR M3GvP@~ t!]]:.˸bEWZs ]UT ʫglD,I|QР1$ssO*u+AS6,޼Ljko ++"@li[sqv?n{ͱlRP]L%yXbآt؜U ;2-mQ ' bBj-{KԘLU=.e~GpE-*+6Ԕ޼ɪDэk#[__4gk3KIsW/n{x՛3gk|rw;So ~ΏI鼍QT&Rx$UoPMV|AM[s:=;4h`O}˴z R=>Uenoi~U'3; a軟̺󩧲 &szRбf3Ü&M,?Tsvaakm-+_*"""$$ӧpʪCAEoBRYTAs lލ2IqkW`zueބT2HFc˔/B: ~@ );t~|jr_ѣGGFF7<"hjnnrr['1""WLZiO^baJ; I 18@cGеS{A ,:rAH:2"em~MSuTftԋa ުz͚8 Mé*-T"I0w_g]0.Ι@-n :vhTǞZ9f@Y>zRۜ F߳jg=Z;k[#L":tߪyN;Ch&QD5YZ/445X~)/r+WBJTFPTt*DyEr"USKJ!C2>I~ 2T%Q,F"P;@ dˋ*DmMfiQ9KTV@0T*ih|H0,)$U +;WQ2qrC*Ȫ{9%'0US=d _:ASaF999:AVP7, ~^[;JZXG_(jJjAT-`i5:>zŷ8ס~~~d2nȬz w3iT@WN}Y8HPuOc/_pfd>8,,wޞ*|%ۧjt\m|J:$@Tw%:C˕׻ !U!@w4zFb:[^wYާ~~,|p]ái 5o mT? 
$ Ru'*I=$껎016U'ücjj k[h GA:\\7d+^^^FFL nh52Q|9w^r|"Ct1(!58#AE|+E E!`\ڡ4O _y vM }%w&C:5%@ J6&z:N=_(n"PK&<UrTUZ=ڇʶ1*:L&hSy\z (M3#v,jBb|w1C!Lr{ ÌNmq^f%:&K1`'7IsY(D2*.QAN8nƺ *緯 ϒqIJ1:jU)-,;ef~郂y 2x iw.پ!>[jڰ%,85,~'ieI˂?xU"48qјZ8)>p}^Ny9ϮGM/dPk pTKYVP("D ۛJT *3C/KJwshok1/q"N7S u%YWW܈ LR<☰3cnNN\6*%dnP\ '=߰7q<|~ڡ}1]>n?Kz9WF/ضc t6G%dbriÓhn9P#oJ@mB,Rbe$#,cQ4 ⒆YsS-)*%'Ou[aeY+^N⌙ؑ(鏾ZwZUv.E\E"QB K+]UeD 7w`sݪz4NRy|c0ިC:8!%g5:,?K2_whЋJу?GtyKn=!VRw;pBG9ǧ 9LMf]3̳ΟBt>hڶK۹`XZp0 I~|ͱBg'mq3C E`_ 1%(ӥZ YBEd[+"'_G+O=.A \Ƃ!=Dw;"CF,:l,:UӤ?X6Lfϰ$]e~#_P"ds6=m26pH;V*V\?v~6lhkk~H~V lh>DYwTIS^PKK 4k "\հܱQͼMĕ/i/hϜ9pp8Fu4Qi^avYsby{jiSHLsg9?,C֩.LM+`Qf.܊U9Ŷ#G,Kzz;QI1 Ymؽ{Ξ= He2 6  _]VѤ}W`shfʦ7܎znεU~V)vz[-_|g,֬PFͻĵskC6D߈Av3~3d >m[ft``_VG0MRJRbbo/xJ fı=rbȂ#{3ڞb \[($Vcll!e'D)X2H(1]cMz4~50;tYpZUd=pcr f.V86%>EhhU ij-|``:*^j1?P21aj@E94kl@UUӾ: 2}mnc#) O[7l*}c3A!)rx8w-O q?k׮/^޳a=G$DBFT# |tVKt~Bx20yd#6b1!wr bffMuLG,Bm1mXt qG@&|(SL B{`Pa+~B6Bp_ vׁ{JHG.1(t6ͣ=-* Yq= 7vG iT C@\6!0 Q^ҕʿ8xATQ$J Z\ t iV!ja"UdQUԺ#D"ECC>[I$U.T!$JhW϶d7Ui@'I`qHP5[*0 u~W~<@k/hNH.~\[^ƫ߲w[GgbEfL2/lu֏@fiz5kceՕ:y򤺤w?!,Art!J!'C\*|[xׄ7zlw9-{4~~y.MĶ6'o`Ifbr i`lRI6d qs;+ˈ7 [QQRYގ IDAT{3 ,{UZt&}x>xC3aZ/T=X7oyWk;cz԰N]NM8m(;/-)3r/8z)*e\Q,O$sG~E1BS"q.O&$ݽp[ӹZoĄy+Θ:WTGO4256PHlyȈV6諄*R%MTpZeQݎm)RW}21Y!X rwml:vq4"\eM\ cV-8{jA#{Y]:tG. 
R"4萀Mԇ!%.%ҳb_}W<!>ݿx-QXp\}9gwko [JIah`}~ĸ{{=o9p`ţ +6j7tL]|yRud|}=/H-S3^ Zw0fl[ % };ɡ&6 MnW/?>B//H)"–6?x&HNf2):MMipV1A~fuLC=b*wE ~4Q p)DI{?߀+؈*E׎Y*l.^ o0AC|[W  r˨c&e !d\Jai lH`8,}[+m4':hT!cM޴65bEˌ~p93C6f*it&J0DcQh mkшZ&ܝa}O|xߓ;Zi|lD}Y5Y$ۺN18[{z 3,)'0l] DJ'Qt5j_MA&L#̠x|˔fb:C%St48,:p f0ĢS=96;oSL#-ˡ D")P0WR!cs5+rdb̈́===-.D366$'UH tV֨0]}؛= ByET@AV3684ivB*%;x;ܘ$Kaצ&GZvc` 9e߾suG?'—:XpAl\n&SLXNa1y0/0础W^yu)W!WyϏoȵ"t5lM=5z.̄'w3(1eCkPd9òֱKgW:brJc7IqwNjd4uoA ML40L!+8͂b9ҭ+fg,hG7)%|9JekhM7iVDtv'<DcB.H #14 #t4=ּ۷pL<ayvz|י1Ze7\7#W[=g'QkǁMue"f2d@QNIMKЪ ]87m2&p0).b!4@":_%9$(42&KA$Q W,zΙ<{qΎg)4)p f}$JKb{_e57344ť*bRu_ט23ɗM9w+7ZyIo'hڈr~as/x"=&=XI3ͬ9\L*!6r}ުwgեkwc楐xպʐ@\'QX7jkm|CW$<Ǭ9Rb"K +evMy]lň0\e{7I@|qbV WOn4a[5$<-$7q&@ćH^Ȼ7J ;%G߸ѺO^}\mIӰsGz4,3V6ְ umzrP(4A9 U d/ݜ>r9B{ꄄYͽ;j탦q|ԃ M[o;cPQ*‡at;$#Ծa?y:TM.V1E*H4(  Y*EA=L 8&%PiT03OxaS)d h$媭;*S.#aoEK Suibq>UzVg͌V"?a;y8I Is5H|~ aaa|>~~?P xfV! __'@um|jk@9E16U\7obM\ 2![#5Qm Yv F@EjmKl@ P[Y]%&GЅ jjU:!c#8B!P@'l`!B@= @D1:idB!PblA)B!P@v"!@ #zlP B!@AcHF  Ʀ@ u`!B@= @D1:idB!PblA)B!P@v"!@ #zlP B!@AcHF  Ʀ@ u`!B@= @D1:idB!PblA)B!P@v"!@ #zlP B!@AcHF  Ʀ@ u`!B@= @D1:idB!PblA)B!P@v"!@ #zlP B!@AcHF  Ʀ@ u`!B@= @D1:idB!PblA)B!P@v"!@ #zlP B!@AcHF  Ʀ@ u`!B@= @D1:idB!PblA)B!P@v"!@ #zlP B!@AcHF  Ʀ@ u`!B@= @D1:idB!PblA)B!P@v"!@ #zlP B!@AcHF  Ʀ@ u`!B@= jQ"PG#-:#2L,)- 6~a;!P^zT*v]`LJ$--Zja "?M@ .cu!= @y8Ac;!PSIZA*D @@IlwT z  @BY \`fpI+/C|D"L&STN{Cy5bloq˗/cccy<bl53{TrbD16UZxxxFF݂])----$$ܹsm۶B.'!`&  ӦMp80  6l$ 靕P.#(0%h2o,Do}Ufff6lȇ.]ӧmuuTZrr2,O`|>Ԟ$I%9/_f %Ja,D Sy׳g (K9ʠ(Bɷ$s -6wQ*FJsm/L.L;$&&>xsp FȁF7,k4ɓntzqI1JV{x?xoC"ђNpr^ZrN&=|dnQt =oyL!aJDˤ2D&UR LA MU*)31xyS(8U'SQ6Dx 7X9BA TF BI <('DL!H6&Dy69ќ.A5_!" BRQL&Zk | 8uDvլ,  zЙ  Fuα~mu >@ . W*|̽y׉P0%?{۱R +X$A~E.]vmHH@2Aɓ#/o3gRf'^;` OkȽg6Y!˦ hiF ܨEt֓sw~e9{V`%%+ߴ~O^s̔y#.ܥiXkg.s TsDXz !a8Ug=6]?<2u`޽{PAO"аaC'NiB.]`p6ކ>A0T16}jӀU ܝ$F<*1kU~Ȩx2N)*[OGemb!Kga;b9J²>u #I~m8l|^Re46c+#x1Y0H $hL,^/m-,AbRa͛x䛚'$)A,B"/xԠHekפ͝eg9sUjhF9'*^øAYNZ/????44tΪ2J]ѦVVè3{TW A 1 p6_swwJV0Z9E`! 
.q|eB@ȓso?N>,wcPɰ9{f ]~Bz~P%cgw<nh"JJroz704n*5yFNo{CŝHwf^Ҿ}JJco^ihёյqisTs/[ }h`a7 S"qZ8qKyF'W/Z Yb9h`Ҡ#fsciJ`9DBfj;YŽƽfp.CQRߤ{Zvsٺy<疑(Mlq|{C{iPkф\`h2VS|葙nE160M ҽkɊ{Қ1-`kѤ2=W ܉B/'V颉*ZEa[A9{(*m )anؼZC?bv 1'q) aj6PYy%/ar' ed-U M WEu+G؆.n4h38U{L16 &h6kggS~\eTc>b&-YaVK6>"u%FNZ,??=żeϦ v4 et*(xOPjᨕ\8 Z64fSHx;rϜ>=ȵ)oou(vk',@lЂMt._%;"u )m¤[F^7o Im[whHIa;ZvnKW@6Qԯ[w݇\6nT,~y %w:k׮V^?ĦVa~˾IDAT Q_OaĞ&({X充 p5 DðcXr*/~Z[29QOΜVhַhauFM]"ew1 'OְZ1}X8 ^opI&POy|Ғ%}'0~)T=KQ~!Q#έuHJl݉N(a+sj-I,U\5j=Uݣ|Hz{`=6ѣHPTgJfӫ(K%d6(NNzChe|ڻ&0 F1` j&MR¶iYemߝvݙt"rXg? HrV\*}R+~o%kfK7M56{;MonM'4V܊&w;c;q[.FuINJڞoQ/_M\]^jZbHz3{{y*jFGN}P]{yAؼa=qx-K xn^MPSWelcome to Firewall Builder!

Firewall Builder Getting Started Guide

Examples, advice on troubleshooting, tips and tricks, iptables and pf configuration examples from numerous online guides, tutorials and books reproduced in Firewall Builder - all this and more can be found in the Firewall Builder Cookbook

fwbuilder-5.3.7/src/res/help/en_US/tip02.html000066400000000000000000000005151303637203600206620ustar00rootroot00000000000000

Welcome to Firewall Builder!

Answers to frequently asked questions and solutions for typical tasks and problems can be found in the Firewall Builder HOWTOs and FAQ

fwbuilder-5.3.7/src/res/help/en_US/tip03.html000066400000000000000000000003401303637203600206570ustar00rootroot00000000000000

Welcome to Firewall Builder!

Lists of bug fixes and new features for every new version are always in the Release Notes

fwbuilder-5.3.7/src/res/help/en_US/tip04.html000066400000000000000000000002651303637203600206660ustar00rootroot00000000000000

Welcome to Firewall Builder!

Project updates, news and comments are regularly posted to the Firewall Builder Blog.

fwbuilder-5.3.7/src/res/help/en_US/tip05.html000066400000000000000000000003061303637203600206630ustar00rootroot00000000000000

Welcome to Firewall Builder!

Found a bug? Please open a bug report using our bug tracking system

fwbuilder-5.3.7/src/res/help/en_US/tip06.html000066400000000000000000000005401303637203600206640ustar00rootroot00000000000000

Welcome to Firewall Builder!

You can meet other users of Firewall Builder on our online discussion forum. Several hundred users subscribe to the Firewall Builder mailing list.

fwbuilder-5.3.7/src/res/help/en_US/tip07.html000066400000000000000000000002021303637203600206600ustar00rootroot00000000000000

Welcome to Firewall Builder!

Here is how to contact us

fwbuilder-5.3.7/src/res/help/en_US/tip08.html000066400000000000000000000004641303637203600206730ustar00rootroot00000000000000

Welcome to Firewall Builder!

Firewall Builder can copy the generated script or configuration file to the firewall and activate it there. Because activation replaces the live rule set, review the generated script before installing it. This article explains how to use the built-in policy installer.

fwbuilder-5.3.7/src/res/help/en_US/tip09.html000066400000000000000000000004361303637203600206730ustar00rootroot00000000000000

Welcome to Firewall Builder!

The Firewall Builder GUI has a built-in revision control system that helps you keep track of changes in objects and rules. Read more about it here.

fwbuilder-5.3.7/src/res/help/en_US/tip10.html000066400000000000000000000003421303637203600206570ustar00rootroot00000000000000

Welcome to Firewall Builder!

Did you know that Firewall Builder can run on Windows and Mac OS X? Download the Windows or Mac OS X packages here

fwbuilder-5.3.7/src/res/help/en_US/vlan_interfaces.png000066400000000000000000000271101303637203600227070ustar00rootroot00000000000000PNG  IHDRsOhiCCPICC ProfilexgTSM$$ tAz/.UMJ]).HGPEQ "HA=]˝}grdl(lq8wojfnJ #@^%GGhzrL Af <c?> 0zxx)Xʻ0s[ Zm&<`L!tibmyWk'1? 2eP7uNLvlpFwVkN܂7EK<˜?N02ѭc6~Rl""FFwQ{}!txǟ܆bd](!?Q 5i.c VnD- s)Cl}?1gyyEJK H pщJ Yav*sr ̊?Ɣ{UU%hhjj jjo]h׻oռ(jjHiodyYY][[cZ:z'OXiZ[m.M<jxYޕӝsףϪ/O  ~zMۚ/?51n,rkvhkG^e{_M70570&2^6-s cKq+j뗗*.l-t9::a._\ܞ])wy <~%D5P > &_F4FH v#Pl"ʚHM(钥q;=ӑ[oV QH]Z4t8$ :MwV>}xRJzfћuORF674Y4=oen#k}>yף;=i} /Y^:fܻKVFG7?nL">ȧ?јqM:&h=t|ytzzyC_F[+wo; hI.`*6 &,9F2A 5}` A$5Lm ⅔!+(J*hA@(#7*tCf!{; VQ2h,:=F(IAIdFJMB|@EԜE7NTTE"ԝ3*M- cI;LUv,,çRN_deg͡I9ƌcgLyF҄"Ƣ2bb R8i}!Y)~'*d*)+_SQYթ=K'^31001674߷jzF6nA1鳋kwaw<~WQc`DJUHȞ([1PgTAb_bJsLzӭ=/fOz $ і6T?TyXv>lLSR˹g :{y{;-#c_i...l8lݶgyAE` n pHYs  IDATx} \U3r[Xє(H&V*&Z`j%R&V^[yMJ4)/)^#&*d(P,^~.eXYg̙s}wyΜe ̧cZ%<*R JdR+JfkEVwJ +쬈j)L;ZJqr&r9P% WV4Bz?WC@H`!g-ԴLok'J?eJJV!aAw{WHnܪF*fi˾ùTB0qUҘE7 ޭE-D drXU2\ƩMyv8<+˪ / OrBJp\pȭ6)[2RUpp*A 1^@hΥ$C?6L<{a.ζU5rJ%6,B({s+DΚ!A5wJe!.8|98gb; \4쟫H C# ߇mA0AZETm?/>hQ3fp:4U@R g7X39pr ? @7 a]{_bM%9_@a tuˋ4 UW`tlٚri|;e̳+yV@j:Nt`{qm6Vnm}]m}] "XQ#ȬY9ud/>PD,Ƿy1ѐ{J%yGGa4K A{9}8cw=b> vٻ*9xP2jvZh@*E]S8˓p{;p -Qq7T\(:joY{BU~y*=L$EC VdЁ5#36t? aX(^7_Ws>Z#rG vZZ*D~-^W7랧/pL Fe/Yeȱ'^~fuс-ɹ*7%Vvbbsخ]S"1R/JJ%ys)!կ*7*qh2DE*=µsvGO/*Z=i$}@ >5>2>t>vZ.>H . /0qY铮vV=؃:ؼa݉ecE hv4^<,Bu{zNB"rށo+׎U?6 τ}wIN%5*"? kaK`D8\2drU0 -'Aw(RX ;dVٞԞ5z 7cT(f0 `? du#Đ`~AccJWF@8,૧mPFSjL;1㻹TVép zȱ^__(U@!(VH՛2˖.Mcc{cF UP$*"E{68,sR&k ?q!$ {d"E/`+̈́S;^Z2~hS󂢶{!g6}\CUv. 
"'1iBt_Gj"r<_*^&X DITjtX9Zu;@[ {C 'ίa%n<Ѳ -k'kf~M9gt8wQϮ)ED#܌ɜArPeGXV,Zg 2t̋?KymŢuֽm:E6/ZSmߵSktH±-1:V TWSYfY}N ++@_6zJ%$w$V*W^Wo['Mބ}fhB՛"R7 ǫ)M Rsϟ-&7 !lΈB/i59([#K[WYRyjvwlД'۠a}ch*+E"zE#Ҝ@p"aDmb ٖ i!~΃ )!= Ck APЀpϚW{=!%Ww!'c_lJd19tЋ{?9vZHRʑ#R(47V?۷wlr%A3vƅú෎=-,<'&^8aܸ N)M9JVLOj {ئ YS4S oRSjciǫd΄*FzgN-LvDX8*ԋkN'Fc{&>:xIàr׿H^*KJ8CxS`'d&q҆vҰ-JXq'jn!dK1clMRICEϞت;Zv, DlJOИJ/9];a1+#D[$>DzF~['ɭ-_7n޻_Q.$$,k.EAq**d8V5yq|a(It$k&f PQ`!$;42rD@ 2ll#'%SEgӍHZ9=)6\zbaⱄjmY3fM C@T!I.dBA QnjY3nfM 0[:CҎdGf̚1VgZ"@cT<Z.2[@0@(Dj!PB I2N5Ke_mG K|Qoi#h W iZ$f%T ,uڈ9kS3)>3DSSP*uB >VLY|YZrMmh-{X۲;ϩ.d/kkS3i@P1-3F'pj_MWt6bpCQP'>jk2gZ\-N5]aSZLks7 &խϴF1eqa LLkۅ6bp*U !E!/xqL\!Eav"~!n&y?/**#vLz093! sy U-q' !kڈ9 s0?/Fkso*I&h}\kksǤGͰl. 0@lZ# H űB % d(A*6@JQ  S+aj5oS KD̈́e:MTs,ED1  v7Z{OC0X2JQ௼{OL 1 @X2t~IPHBJ=P$(Ҙa!%h#4&'h fi# HQYuj#OIJeRԓ qX2 ,PBaҫ E_5 2V'6lX0&~vİ3i!h!<Ws'S7mfJ3 4EpiC|O UASFV<&‹v lقDRS*y&:bD7ǧ&u{<K1›L]_kd&Aaٜݸh@GJfAtѱݣ׏۰uA=" @0Ljb9) ~_ESf:9[<[dzYY?H뷔aGF|d$@Ewe\, QY2 |}c#>d!PK摀+#6m5I:ķt4=:Z.єcа{z<ʮtۣ[:*nZJl1!o3jfWsLF[3+8]WL}S[\E<ϿM,Ed!$}Z4Ұs|\.2fd0Va$ju!5wu$!DYfOKt^E'qξHLΰbAim@S^bwgbo 23DSWѷ8x(>â4OF^/Lc243!vVYl˞QaPV9&PSFS΄tށ[i]7gMe$8m-0S;'C%E&X0.m{nOՎۿ]zܶed~4}?N-e vL&Fx@S;oڄ!qs>5iI17!b"@ܕ`l 3Y0;};M0& (A[oR/0b!|ˡU2ϐUQGGM9k^uAtM=uTl'}iJԿ; :{Ӊ1{׫cU/Lp/k>:K$ #*fO RaPD}Eԋs&5kPMhQwʸHKh LT*s"`>_([ lH8/?z遀>YDF=H(C-a#Ze MQ*Մlwo'9=_o֧U9~2mq I Y@>|k׸푩qC ȜZL< ˞KBs$,Hض\[Wz1vNɣ9@cܒ-&K1DѿΔ8Mtch-ɗưU˓d*CA`C@%xK` PoS7g'T qC[swQ*J[°qcS"ؓ@*#EztDw>tP50@nV'G5L_IMMI6'% ~jvUr]XYj r_}}O0l^=oJJEp0Jp! *啕  6d! #\wkg)3$#.%CgX#>: [kf9N7:Ǖ\9*=|Y3M<40 mgzHɈQ#U"Ƅ( e ߩ"&)C/~A?$XyDhQK0k&*trtX8@cED޷?ݽؑ>A)dNu`v .bE,$9yq:KSF~C׳ؑd:IDGgFL Q5pVcM/UZѥxso{@IF2sukjÈ*y̏]5vp݁cIgh;U2.|vBq>;&?|}k~.33 DvhpO«ѱa-6l\}o?nTtJSS:tA-+_yQbJ‘wͤu6a\^cs ! 
~(50y R{-Z ߛo,G\ UcX cv;[ ð3Fu71n<͝%?u 0fP8`sB@XPOL!^IzO?I?@QeFI1Xς{ Z 5 u1*D CEsAյ ]^  b02 !'YENwj[ܩxCjemPY)ܚ.jז\wr|Vyؗa PEYgxy^,;R1cƌOR)iTwb 2퐟D%'ʾ+lUSsl_"F[ve Nڵ' l׮]h2}>gvLd8}$ NC 4O^k_L;/H3V $DɖPlGݬ*EYN-*jò;ތD#e /Ǘ(돟;!y9Xo%2nWXĕ |iƞ #d],\-08h`wYTz nuIECl߅Qib:%s G׻4?HJ0#"=3tv㼚Hϫ@ej \84)j`)83gh6MN$>89mn;#, cg K _4nvPעM0;uBcM3&fL9?'?o?~Z G(ө&Q(&!6P }u]GG -hIENDB`fwbuilder-5.3.7/src/res/objects_init.xml.in000066400000000000000000002312451303637203600207060ustar00rootroot00000000000000 established established established -m state --state ESTABLISHED,RELATED established tcp-established established established established -m state --state ESTABLISHED,RELATED established tcp-established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fragment-offset 1-5 payload-protocol udp fragment-offset 6-8191 fwbuilder-5.3.7/src/res/os/000077500000000000000000000000001303637203600155155ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/os/dd-wrt-jffs.xml000066400000000000000000000114451303637203600203730ustar00rootroot00000000000000 DD-WRT (jffs) active dd-wrt-jffs linux24 linux24 basic true 1 lo True /lib/modules/`uname -r`/kernel /jffs/firewall firewall.fw root /jffs/firewall/ /tmp False True True True True True True True vrrp,VRRP heartbeat,heartbeat openais,OpenAIS none,None conntrack,conntrack True 224.0.10.100 694 False heartbeat True False 226.94.1.1 5405 False openais False 225.0.0.50 3780 conntrack True False False False True False vrrp,VRRP heartbeat,heartbeat ethernet,Ethernet bridge,Bridge bonding,Bonding 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown /sbin/lsmod /sbin/insmod /usr/sbin/iptables /usr/sbin/ip6tables /usr/sbin/iptables-restore /usr/sbin/ip6tables-restore /usr/sbin/ip /usr/bin/logger /sbin/ifconfig /sbin/vconfig /usr/sbin/brctl /usr/sbin/ifenslave /usr/sbin/ipset 
fwbuilder-5.3.7/src/res/os/dd-wrt-nvram.xml000066400000000000000000000113371303637203600205660ustar00rootroot00000000000000 DD-WRT (nvram) active dd-wrt-nvram linux24 linux24 basic false 1 lo /tmp root True $ # /tmp /tmp True True True True True True True True vrrp,VRRP heartbeat,heartbeat openais,OpenAIS none,None conntrack,conntrack True 224.0.10.100 694 False heartbeat True False 226.94.1.1 5405 False openais False 225.0.0.50 3780 conntrack True False False False True False vrrp,VRRP heartbeat,heartbeat ethernet,Ethernet bridge,Bridge bonding,Bonding 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown /sbin/lsmod /sbin/insmod /usr/sbin/iptables /usr/sbin/ip6tables /usr/sbin/iptables-restore /usr/sbin/ip6tables-restore /usr/sbin/ip /usr/bin/logger /sbin/ifconfig /sbin/vconfig /usr/sbin/brctl /usr/sbin/ifenslave /usr/sbin/ipset fwbuilder-5.3.7/src/res/os/endian.xml000066400000000000000000000062231303637203600175000ustar00rootroot00000000000000 Endian Firewall Appliance disabled ipcop ipcop false 1 lo /etc/rc.d/ rc.firewall.local root /etc/rc.d/rc.firewall restart False /lib/modules/`uname -r`/kernel/net/ /etc/rc.d {{$fwdir}}/tmp False True True True True False ethernet,Ethernet bridge,Bridge bonding,Bonding 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown /sbin/lsmod /sbin/modprobe /sbin/iptables /sbin/ip6tables /sbin/iptables-restore /sbin/ip6tables-restore /sbin/ip /usr/bin/logger /usr/bin/expect /sbin/ifconfig /sbin/vconfig /sbin/brctl /sbin/ifenslave /usr/sbin/ipset fwbuilder-5.3.7/src/res/os/freebsd.xml000066400000000000000000000055651303637203600176640ustar00rootroot00000000000000 FreeBSD active freebsd freebsd bsd basic true true 1 lo0 /etc/fw {{$fwdir}}/tmp True False False True True True carp,CARP none,None pfsync,pfsync False True pfsync True True carp False True False carp,CARP ethernet,Ethernet bridge,Bridge 8021q,VLAN 
unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown /sbin/ifconfig /sbin/ipfw /sbin/ipf /sbin/ipnat /sbin/pfctl /sbin/sysctl /usr/bin/logger /usr/bin/expect fwbuilder-5.3.7/src/res/os/fwsm_os.xml000066400000000000000000000022411303637203600177130ustar00rootroot00000000000000 Cisco FWSM active fwb_pix fwsm_os pix_os false disk: disk: True True True False ethernet,Ethernet 8021q,VLAN unknown,Unknown fwbuilder-5.3.7/src/res/os/ios.xml000066400000000000000000000031721303637203600170340ustar00rootroot00000000000000 Cisco IOS active fwb_iosacl ios ios basic true nvram: nvram: True True True False True none,None none,None False True True ethernet,Ethernet 8021q,VLAN unknown,Unknown fwbuilder-5.3.7/src/res/os/ipcop.xml000066400000000000000000000062161303637203600173560ustar00rootroot00000000000000 IPCOP Firewall Appliance active ipcop ipcop false 1 lo /etc/rc.d/ rc.firewall.local root /etc/rc.d/rc.firewall restart False /lib/modules/`uname -r`/kernel/net/ /etc/rc.d {{$fwdir}}/tmp False True True True True False ethernet,Ethernet bridge,Bridge bonding,Bonding 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown /sbin/lsmod /sbin/modprobe /sbin/iptables /sbin/ip6tables /sbin/iptables-restore /sbin/ip6tables-restore /sbin/ip /usr/bin/logger /usr/bin/expect /sbin/ifconfig /sbin/vconfig /sbin/brctl /sbin/ifenslave /usr/sbin/ipset fwbuilder-5.3.7/src/res/os/junos.xml000066400000000000000000000032021303637203600173720ustar00rootroot00000000000000 Juniper Junos active fwb_junosacl junos junos basic true /tmp /tmp True True True False True none,None none,None False True True ethernet,Ethernet 8021q,VLAN unknown,Unknown fwbuilder-5.3.7/src/res/os/linux24.xml000066400000000000000000000200521303637203600175430ustar00rootroot00000000000000 Linux 2.4/2.6 active linux24 linux24 linux24 basic true 1 lo True /lib/modules/`uname -r`/kernel/net/ /etc/fw {{$fwdir}}/tmp False False True True True True True True vrrp,VRRP 
heartbeat,heartbeat openais,OpenAIS none,None conntrack,conntrack False True 224.0.10.100 694 False heartbeat False True 226.94.1.1 5405 False openais False 225.0.0.50 3780 False conntrack False True False True False False vrrp,VRRP heartbeat,heartbeat ethernet,Ethernet bridge,Bridge bonding,Bonding 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown /sbin/lsmod /sbin/modprobe /sbin/iptables /sbin/ip6tables /sbin/iptables-restore /sbin/ip6tables-restore /sbin/ip /usr/bin/logger /usr/bin/expect /sbin/ifconfig /sbin/vconfig /sbin/brctl /sbin/ifenslave /usr/sbin/ipset /sbin/lsmod /sbin/modprobe /sbin/iptables /sbin/ip6tables /sbin/iptables-restore /sbin/ip6tables-restore /sbin/ip /usr/bin/logger /usr/bin/expect /sbin/ifconfig /sbin/vconfig /sbin/brctl /sbin/ifenslave /usr/sbin/ipset /sbin/lsmod /sbin/modprobe /usr/sbin/iptables /usr/sbin/ip6tables /usr/sbin/iptables-restore /sbin/ip6tables-restore /sbin/ip /bin/logger /usr/bin/expect /sbin/ifconfig /sbin/vconfig /sbin/brctl /sbin/ifenslave /usr/sbin/ipset /sbin/lsmod /sbin/modprobe /sbin/iptables /sbin/ip6tables /sbin/iptables-restore /sbin/ip6tables-restore /sbin/ip /usr/bin/logger /usr/bin/expect /sbin/ifconfig /sbin/vconfig /sbin/brctl /sbin/ifenslave /usr/sbin/ipset lsmod modprobe iptables ip6tables iptables-restore ip6tables-restore ip logger /usr/bin/expect ifconfig vconfig brctl ifenslave ipset fwbuilder-5.3.7/src/res/os/macosx.xml000066400000000000000000000027401303637203600175340ustar00rootroot00000000000000 Mac OS X active macosx macosx true 1 lo0 /etc/fw {{$fwdir}}/tmp False False False False ethernet,Ethernet unknown,Unknown /sbin/ifconfig /sbin/ipfw /usr/sbin/sysctl /usr/bin/logger /sw/bin/expect fwbuilder-5.3.7/src/res/os/nxos.xml000066400000000000000000000032061303637203600172270ustar00rootroot00000000000000 Cisco NX-OS active fwb_nxosacl nxos nxos basic true volatile: volatile: True True True False True none,None none,None False True True 
ethernet,Ethernet 8021q,VLAN unknown,Unknown fwbuilder-5.3.7/src/res/os/oneshield.xml000066400000000000000000000062161303637203600202160ustar00rootroot00000000000000 OneShield Firewall Appliance disabled ipcop ipcop false 1 lo /etc/rc.d/ rc.firewall.local root /etc/rc.d/rc.firewall restart False /lib/modules/`uname -r`/kernel/net/ /etc/rc.d /tmp False True True True True False ethernet,Ethernet bridge,Bridge bonding,Bonding 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown /sbin/lsmod /sbin/modprobe /sbin/iptables /sbin/ip6tables /sbin/iptables-restore /sbin/ip6tables-restore /sbin/ip /usr/bin/logger /usr/bin/expect /sbin/ifconfig /sbin/vconfig /sbin/brctl /sbin/ifenslave /usr/sbin/ipset fwbuilder-5.3.7/src/res/os/openbsd.xml000066400000000000000000000053671303637203600177040ustar00rootroot00000000000000 OpenBSD active openbsd openbsd bsd basic true false 1 lo0 /etc/fw {{$fwdir}}/tmp True False False True True True carp,CARP none,None pfsync,pfsync False True pfsync True True carp False True False carp,CARP ethernet,Ethernet bridge,Bridge 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown /sbin/ifconfig /sbin/pfctl /sbin/sysctl /usr/bin/logger /usr/bin/expect fwbuilder-5.3.7/src/res/os/openwrt.xml000066400000000000000000000114051303637203600177360ustar00rootroot00000000000000 OpenWRT active openwrt linux24 linux24 basic true 1 lo True /lib/modules/`uname -r`/ /etc/init.d fwbuilder.fw root /etc/ /tmp False False True True True True True True vrrp,VRRP heartbeat,heartbeat openais,OpenAIS none,None conntrack,conntrack True 224.0.10.100 694 False heartbeat True False 226.94.1.1 5405 False openais False 225.0.0.50 3780 conntrack True False False False True False vrrp,VRRP heartbeat,heartbeat ethernet,Ethernet bridge,Bridge bonding,Bonding 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown /sbin/lsmod /usr/sbin/iptables 
/usr/sbin/ip6tables /usr/sbin/iptables-restore /usr/sbin/ip6tables-restore /usr/sbin/ip /usr/bin/logger /usr/bin/expect /sbin/ifconfig /sbin/vconfig /usr/sbin/brctl /sbin/ifenslave /usr/sbin/ipset fwbuilder-5.3.7/src/res/os/pix_os.xml000066400000000000000000000044461303637203600175500ustar00rootroot00000000000000 Cisco ASA / Cisco PIX active fwb_pix pix_os pix_os pix_os basic true flash: flash: True True True True True True pix_failover,PIX failover protocol none, pix_state_sync,PIX state synchronization none, True True True pix_state_sync True True True True True True ethernet,Ethernet 8021q,VLAN unknown,Unknown fwbuilder-5.3.7/src/res/os/procurve.xml000066400000000000000000000024531303637203600201100ustar00rootroot00000000000000 HP ProCurve active fwb_procurve procurve procurve vlan_only false nvram: nvram: True True True False True False ethernet,Ethernet 8021q,VLAN unknown,Unknown fwbuilder-5.3.7/src/res/os/secuwall.xml000066400000000000000000000102461303637203600200610ustar00rootroot00000000000000 secunet wall active secuwall secuwall basic secuwall transfer_secuwall False False /opt/secuwall/templates/default files 1 lo True /lib/modules/`uname -r`/kernel/net/ False False False RULE=%N ACTION=%A 1500 ethernet /etc/sysconfig /tmp False True True True True True True True vrrp,VRRP none,None conntrack,conntrack True 225.0.0.50 3780 conntrack True True vrrp vrrp,VRRP ethernet,Ethernet bridge,Bridge bonding,Bonding 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown /bin/lsmod /sbin/modprobe /sbin/iptables /sbin/ip6tables /sbin/iptables-restore /sbin/ip6tables-restore /sbin/ip /usr/bin/logger /usr/bin/expect /sbin/ifconfig /sbin/vconfig /sbin/brctl /sbin/ifenslave /usr/sbin/ipset fwbuilder-5.3.7/src/res/os/solaris.xml000066400000000000000000000026451303637203600177220ustar00rootroot00000000000000 Solaris active solaris solaris true 1 lo0 /etc/fw {{$fwdir}}/tmp False False False False 
ethernet,Ethernet unknown,Unknown /sbin/ipf /sbin/ipnat /usr/bin/logger /usr/bin/expect fwbuilder-5.3.7/src/res/os/sveasoft.xml000066400000000000000000000054511303637203600200760ustar00rootroot00000000000000 Sveasoft active sveasoft sveasoft false 1 lo /tmp root True $ # /tmp /tmp True True True True True False ethernet,Ethernet bridge,Bridge bonding,Bonding 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown ethernet,Ethernet 8021q,VLAN unknown,Unknown lsmod modprobe iptables ip6tables iptables-restore ip6tables-restore ip logger ifconfig vconfig brctl ifenslave ipset fwbuilder-5.3.7/src/res/os/unknown_os.xml000066400000000000000000000035411303637203600204420ustar00rootroot00000000000000 Unknown active unknown unknown true /etc/fw {{$fwdir}}/tmp False False False False ethernet,Ethernet unknown,Unknown /sbin/ifconfig /sbin/lsmod /sbin/modprobe /sbin/iptables /sbin/ip /usr/bin/logger /usr/bin/expect /sbin/ipfw /sbin/ipf /sbin/ipnat /sbin/sysctl /sbin/ifconfig /sbin/vconfig /sbin/brctl fwbuilder-5.3.7/src/res/platform/000077500000000000000000000000001303637203600167205ustar00rootroot00000000000000fwbuilder-5.3.7/src/res/platform/fwsm.xml000066400000000000000000000401041303637203600204150ustar00rootroot00000000000000 Cisco FWSM active Cisco fwb_pix pix fwb_inst_pix fwb_pix_diff fwsm_os 2.3,3.2,4.x true true true true true true true info 300 false false false true true true true true true true true true info 300 true true true false false true false true true clear access-list clear object-group clear icmp clear telnet clear ssh clear ntp clear snmp-server clear xlate clear static clear global clear nat ip address %il %a %n ip address %il dhcp setroute retry 10 nameif %in %il security%sl 3 0 0 1 0 0 0 2 0 0 10 0 0 5 0 0 30 0 0 2 0 0 10 0 2 0 0 True False 5 5 dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup 
true false false true true true true true true false true info 300 true true true false false true true true false clear config access-list clear config object-group clear config icmp clear config telnet clear config ssh clear xlate clear config static clear config global clear config nat clear ntp clear snmp-server ip address %il %a %n ip address %il dhcp setroute retry 10 nameif %in %il security%sl 3 0 0 1 0 0 0 2 0 0 10 0 0 5 0 0 30 0 0 2 0 0 10 0 2 0 0 True False 5 5 dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup false true true true true true true true true false true info 300 true true true false false true true true false clear config access-list clear config object-group clear config icmp clear config telnet clear config ssh clear xlate clear config static clear config global clear config nat clear ntp clear snmp-server ip address %il %a %n ip address %il dhcp setroute retry 10 nameif %in %il security%sl 3 0 0 1 0 0 0 2 0 0 10 0 0 5 0 0 30 0 0 2 0 0 10 0 2 0 0 True False 5 5 dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup false true true False False False True True True False True True False False True True False True True True True Accept None True Deny None False Reject Reject False Accounting None False Tag None False Pipe None False Classify None False Custom None False Branch None False Route None True Translate None False Branch None fwbuilder-5.3.7/src/res/platform/iosacl.xml000066400000000000000000000156151303637203600207240ustar00rootroot00000000000000 Cisco Router IOS ACL active Cisco fwb_iosacl iosacl fwb_inst_iosacl fwb_iosacl_diff ios 12.1,12.2,12.3,12.4 true true true true true true False no access-list no ip access-list extended no ipv6 access-list 
interface %in ip address %a %n interface %in ip address dhcp true true true False no access-list no ip access-list extended no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp true true true False no access-list no ip access-list extended no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp true true true False no access-list no ip access-list extended no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp False False False True True False False False False False False False False True True False False True Accept None True Deny None False Reject Reject False Accounting None False Tag None False Pipe None False Classify None False Custom None False Branch None False Route None False Translate None False Branch None fwbuilder-5.3.7/src/res/platform/ipf.xml000066400000000000000000000100601303637203600202150ustar00rootroot00000000000000 ipfilter active Open Source Firewalls fwb_ipf ipf freebsd,solaris /etc true true true RULE %N -- %A true true true false True True False True True True False False False False True False False False True False False True Accept None True Deny None True Reject Reject True Count None False Tag None False Pipe None False Classify None True Custom CustomStr False Branch None False Route RouteIPF True Translate None False Branch None fwbuilder-5.3.7/src/res/platform/ipfw.xml000066400000000000000000000077451303637203600204240ustar00rootroot00000000000000 ipfw active Open Source Firewalls fwb_ipfw ipfw freebsd,macosx /etc true true true RULE %N -- %A true true True True False True True False False False False False True False False False True False False True Accept None True Deny None True Reject Reject True Count None False Tag None True Pipe PipeArgsIPFW False Classify ClassifyArgsIPFW True Custom CustomStr False Branch None False Route None False Translate None False Branch None 
fwbuilder-5.3.7/src/res/platform/iptables.xml000066400000000000000000000114051303637203600212460ustar00rootroot00000000000000 iptables active Open Source Firewalls fwb_ipt iptables linux24,openwrt,sveasoft,ipcop,endian,oneshield,secuwall,dd-wrt-nvram,dd-wrt-jffs iptables true true true true true true true info RULE %N -- %A 1 0 true true false True True True True True True True True True True True False False False True True False True Accept None True Deny None True Reject Reject True Accounting AccountingStr False Tag TagIptables True Queue None False Classify ClassifyIptables True Custom CustomStr True Branch BranchChain False Routing RouteIPT True Continue None True Translate None True Branch NATBranch fwbuilder-5.3.7/src/res/platform/junosacl.xml000066400000000000000000000157241303637203600212710ustar00rootroot00000000000000 Juniper Junos ACL active Juniper fwb_junosacl junosacl fwb_inst_junosacl fwb_junos_acl_diff junos 11.2 true true true true true true False no access-list no ip access-list extended no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp true true true False no access-list no ip access-list extended no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp true true true False no access-list no ip access-list extended no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp true true true False no access-list no ip access-list extended no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp False False False True True False False False False False True False False True True False False True Accept None True Deny None True Reject Reject False Accounting None False Tag None False Pipe None False Classify None False Custom None False Branch None False Route None False Translate None False Branch None fwbuilder-5.3.7/src/res/platform/nxosacl.xml000066400000000000000000000156331303637203600211210ustar00rootroot00000000000000 Cisco Router NX-OS ACL 
active Cisco fwb_nxosacl nxosacl fwb_inst_nxosacl fwb_nxosacl_diff nxos 4.2,5.0,5.1,5.2,6.0,6.1 true true true true true true False no access-list no ip access-list no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp true true true False no access-list no ip access-list no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp true true true False no access-list no ip access-list no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp true true true False no access-list no ip access-list no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp False False False True True False False False False False False False False True True False False True Accept None True Deny None False Reject Reject False Accounting None False Tag None False Pipe None False Classify None False Custom None False Branch None False Route None False Translate None False Branch None fwbuilder-5.3.7/src/res/platform/pf.xml000066400000000000000000000105531303637203600200530ustar00rootroot00000000000000 PF active Open Source Firewalls fwb_pf pf openbsd,freebsd /etc true RULE %N -- %A true true true false 1460 10 30 5000 10000 True True True True True True True False True False True False False True True True False True Accept None True Deny None True Reject Reject True Accounting None False Tag TagPF False Pipe None False Classify ClassifyPF False Custom None True Branch BranchAnchor False Route RoutePF True Continue None True Translate None True Branch NATBranch fwbuilder-5.3.7/src/res/platform/pix.xml000066400000000000000000000737561303637203600202640ustar00rootroot00000000000000 Cisco ASA / Cisco PIX active Cisco fwb_pix pix fwb_inst_pix fwb_pix_diff pix_os 6.1,6.2,6.3,7.0,8.0,8.2,8.3 true true true true true true true info 300 false false false true true true true true true true true true true info 300 false false false true true false false false true False clear access-list clear object-group 
clear icmp clear telnet clear ssh clear xlate clear static clear global clear nat 3 0 0 1 0 0 0 2 0 0 10 0 0 5 0 0 30 0 0 2 0 0 10 0 2 0 0 True False 5 5 ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup true false false true true true true true true true info 300 false false false true true false false true true False clear access-list clear object-group clear icmp clear telnet clear ssh clear xlate clear static clear global clear nat 3 0 0 1 0 0 0 2 0 0 10 0 0 5 0 0 30 0 0 2 0 0 10 0 2 0 0 True False 5 5 ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,ils_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup true false false true true true true true true true info 300 true true true false false false false true true False clear access-list clear object-group clear icmp clear telnet clear ssh clear xlate clear static clear global clear nat 3 0 0 1 0 0 0 2 0 0 10 0 0 5 0 0 30 0 0 2 0 0 10 0 2 0 0 True False 5 5 ctiqbe_fixup,dns_fixup,espike_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,pptp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup true false false true true true true true true false true info 300 true true true false false true true true true False clear config access-list clear config object-group clear config object clear config icmp clear config telnet clear config ssh clear xlate clear config static clear config global clear config nat 3 0 0 1 0 0 0 2 0 0 10 0 0 5 0 0 30 0 0 2 0 0 10 0 2 0 0 True False 5 5 ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup false true false true true true true true true false true info 300 true true true false false true true true true True clear config access-list clear config 
object-group clear config object clear config icmp clear config telnet clear config ssh clear xlate clear config static clear config global clear config nat 3 0 0 1 0 0 0 2 0 0 10 0 0 5 0 0 30 0 0 2 0 0 10 0 2 0 0 True False 5 5 ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup false true true true true true true true true false true info 300 true true true false false true true true true True clear config access-list clear config object-group clear config object clear config icmp clear config telnet clear config ssh clear xlate clear config static clear config global clear config nat 3 0 0 1 0 0 0 2 0 0 10 0 0 5 0 0 30 0 0 2 0 0 10 0 2 0 0 True False 5 5 ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup,ip_options_eool_fixup,ip_options_nop_fixup,ip_options_rtralt_fixup false true true true true true true true true false true info 300 true true true false false true true true true True clear config access-list clear config object-group clear config object clear config icmp clear config telnet clear config ssh clear xlate clear config object clear config nat 3 0 0 1 0 0 0 2 0 0 10 0 0 5 0 0 30 0 0 2 0 0 10 0 2 0 0 True False 5 5 ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup,ip_options_eool_fixup,ip_options_nop_fixup,ip_options_rtralt_fixup false true true False False False True True True False True True False False True True True True True True True Accept None True Deny None False Reject Reject False Accounting None False Tag None False Pipe None False Classify None False Custom None False Branch None 
False Route None True Translate None False NATBranch None fwbuilder-5.3.7/src/res/platform/procurve_acl.xml000066400000000000000000000111411303637203600221240ustar00rootroot00000000000000 HP ProCurve ACL active procurve_acl fwb_procurve_acl procurveacl procurve K.13 true true true true true true no access-list no ip access-list extended no ipv6 access-list interface %in ip address %a %n interface %in ip address dhcp False False False True True False False False False False False False False True True False False True Accept None True Deny None False Reject Reject False Accounting None False Tag None False Pipe None False Classify None False Custom None False Branch None False Route None False Translate None False Branch None fwbuilder-5.3.7/src/res/platform/unknown.xml000066400000000000000000000067701303637203600211530ustar00rootroot00000000000000 Unknown active Unknown unknown unknown False False False False False False False False False False False False False False False False True Accept None True Deny None True Reject Reject True Accounting None False Tag None False Pipe None False Classify None False Custom None False Branch None False Route None False Translate None False Branch None fwbuilder-5.3.7/src/res/res.pro000066400000000000000000000036661303637203600164220ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) TEMPLATE = aux win32 { CONFIG -= embed_manifest_exe CONFIG -= debug QMAKE_RUN_CC = echo QMAKE_RUN_CXX = echo QMAKE_LINK = echo } !win32 { QMAKE_RUN_CC = @echo > /dev/null QMAKE_RUN_CXX = @echo > /dev/null QMAKE_LINK = @echo > /dev/null } TARGET = res win32:target.path = $$PREFIX/ unix:target.path = $$PREFIX/share/fwbuilder/ macx:target.path = $$PREFIX/ res.files = objects_init.xml templates.xml resources.xml res_os.files = os/*.xml res_platform.files = platform/*.xml res_help_en_US.files = help/en_US/*.html help/en_US/*.png help/en_US/*.jpg res_configlets.files = configlets/* INSTALLS -= target INSTALLS 
+= res INSTALLS += res_os INSTALLS += res_platform INSTALLS += res_help_en_US INSTALLS += res_configlets unix { !macx { res_desktop.files = fwbuilder.desktop INSTALLS += res_desktop !isEmpty(ICONSDIR) { app_icon_16x16.files = Icons/16x16/fwbuilder.png app_icon_16x16.path = $$ICONSDIR/16x16/apps INSTALLS += app_icon_16x16 app_icon_24x24.files = Icons/24x24/fwbuilder.png app_icon_24x24.path = $$ICONSDIR/24x24/apps INSTALLS += app_icon_24x24 app_icon_32x32.files = Icons/32x32/fwbuilder.png app_icon_32x32.path = $$ICONSDIR/32x32/apps INSTALLS += app_icon_32x32 app_icon_48x48.files = Icons/48x48/fwbuilder.png app_icon_48x48.path = $$ICONSDIR/48x48/apps INSTALLS += app_icon_48x48 app_icon_72x72.files = Icons/72x72/fwbuilder.png app_icon_72x72.path = $$ICONSDIR/72x72/apps INSTALLS += app_icon_72x72 app_icon_128x128.files = Icons/128x128/fwbuilder.png app_icon_128x128.path = $$ICONSDIR/128x128/apps INSTALLS += app_icon_128x128 app_icon_256x256.files = Icons/256x256/fwbuilder.png app_icon_256x256.path = $$ICONSDIR/256x256/apps INSTALLS += app_icon_256x256 app_icon_512x512.files = Icons/512x512/fwbuilder.png app_icon_512x512.path = $$ICONSDIR/512x512/apps INSTALLS += app_icon_512x512 } } } fwbuilder-5.3.7/src/res/resources.xml000066400000000000000000000115741303637203600176400ustar00rootroot00000000000000 false Network Objects Library Of Objects Host Attached Networks Network Network IPv6 Address Range Firewall Firewall Cluster Group of Cluster members Group of Cluster members Group of Objects Dynamic Group of Objects Group of Services Group of time intervals Interface Physical address IPv4 address IPv6 address DNS Name Address Table Management true Management true Management true IP ICMP ICMP6 TCP UDP Tag Custom User NAT Policy Routing Policy Rule Element true Rule true Rule true Rule true Reference true Reference true Reference true Time Host Options true Firewall Options true Interface Options true Rule Set Options true Policy Rule Options true NAT Rule Options true 
Cluster Group Options true Temporary Objects true fwbuilder-5.3.7/src/res/templates.xml.in000066400000000000000000007704741303637203600202440ustar00rootroot00000000000000 established established established -m conntrack --ctstate ESTABLISHED,RELATED established established established established -m conntrack --ctstate ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/src.pro000066400000000000000000000007011303637203600156120ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # # include(../qmake.inc) TEMPLATE = subdirs CONFIG += ordered debug TARGET = src SUBDIRS = libfwbuilder \ res \ antlr \ parsers \ import \ common \ compiler_lib \ iptlib \ ipt \ pflib \ pf \ ipf \ ipfw \ cisco_lib \ nxosacl \ iosacl \ pix \ procurve_acl \ juniper_lib \ junosacl \ libgui \ fwbedit \ gui \ fwbuilder-5.3.7/src/tools/000077500000000000000000000000001303637203600154435ustar00rootroot00000000000000fwbuilder-5.3.7/src/tools/fwb_compile_all000077500000000000000000000035731303637203600205170ustar00rootroot00000000000000#!/bin/sh # # # Firewall Builder # # Copyright (C) 2003 NetCitadel, LLC # # Author: Vadim Kurland vadim@vk.crocodile.org # # $Id$ # # This program is free software which we release under the GNU General Public # License. You may redistribute and/or modify this program under the terms # of that license as published by the Free Software Foundation; either # version 2 of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
# # To get a copy of the GNU General Public License, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # XMLFILE="objects.xml" # default fallback if -f option is missing DIR="." V="" LIB="User" # default library while getopts f:d:l:va opt do case "$opt" in a) all="yes" ;; v) V="-v " ;; f) XMLFILE=$OPTARG ;; d) DIR=$OPTARG ;; l) LIB=$OPTARG ;; \?) ;; esac done shift `expr $OPTIND - 1` test -n "$all" && LIST=`fwblookup -f $XMLFILE -lN /${LIB}/Firewalls | grep -v Firewalls` || { while test -n "$1"; do LIST="$LIST $1" shift done } for f in `echo $LIST`; do platform=`fwblookup -f $XMLFILE -a platform /${LIB}/Firewalls/$f` case "$platform" in iptables) comp="fwb_ipt" ;; ipf) comp="fwb_ipf" ;; ipfw) comp="fwb_ipfw";; pf) comp="fwb_pf" ;; pix) comp="fwb_pix" ;; \?) echo "Unknown platform \"$platform\""; exit 1 ;; esac echo echo "################ $f" $comp $V -f $XMLFILE -d $DIR $f; done fwbuilder-5.3.7/src/tools/rehash-ids.pl000077500000000000000000000016261303637203600200370ustar00rootroot00000000000000#!/usr/bin/perl # # use strict; my $file = $ARGV[0]; die "rehash-ids.pl data_file.fwb\n" if ($file eq ""); my %ids; my $idCntr = time; open F, "$file" or die "Could not open file $file for reading"; while () { if ($_ =~ /id=\"([^\"]+)\"/) { $ids{$1}=$1; } } close F; while ( my ($k,$v) = each %ids ) { if (length($k)>20) { $ids{$k} = sprintf("id%d", $idCntr); $idCntr++; printf "ID=%s -> %s\n",$k, $ids{$k}; } } my $newfile = "$file" . 
".new"; open F, "$file" or die "Could not open file $file for reading"; open W, ">$newfile" or die "Coule not open file $newfile for writing"; while () { if ($_ =~ /id=\"([^\"]+)\"/) { my $oldid=$1; my $newid=$ids{$oldid}; $_ =~ s/id=\"[^\"]+\"/id=\"$newid\"/; } if ($_ =~ /ref=\"([^\"]+)\"/) { my $oldid=$1; my $newid=$ids{$oldid}; $_ =~ s/ref=\"[^\"]+\"/ref=\"$newid\"/; } print W $_; } close F; close W; fwbuilder-5.3.7/src/tools/resolve_duplicate_std_objects.py000077500000000000000000000112671303637203600241230ustar00rootroot00000000000000#!/usr/bin/python # # The purpose of this script is to find obejcts that normally belong # to the Standard Objects library but were copied to the user-defined # library thus creating duplicate IDs. Script finds such objects in # the specified data file and prints sed commands that change the IDs # to make them unique. The script does not modify the data file in any # way. # # If a copy of a duplicate object in the user-defined library is # identical to the object in the Standard library, it is removed. If # the copy has been modified, the id is changed to be unique and all # references to it are corrected. Obejcts are compared as text lines # regardless of the contents. # # This script does not use fwbuilder DTD and operates on xml files as # plain text, it can be used with files of old or different versions # regardless of fwbuilder DTD. 
import getopt import time import re import sys NEW_ID_PREFIX = '%s' % int(time.time()) generated_commands = [] def usage(): print '%s data_file.fwb objects_init.xml' % sys.argv[0] def command_to_delete(id): generated_commands.append("""sed '/id="%s"/d'""" % id) def command_to_change(id): new_id = '%s_%s' % (id, NEW_ID_PREFIX) generated_commands.append("""sed 's/id="%s"/id="%s"/'""" % (id, new_id)) generated_commands.append("""sed 's/ref="%s"/ref="%s"/g'""" % (id, new_id)) def main(): try: data_file = sys.argv[1] std_file = sys.argv[2] except IndexError,e: usage() sys.exit(1) std_objects = {} objects_of_interest = ['TCPService', 'UDPService', 'ICMPService', 'IPService', 'Network', 'Host', 'IPv4', 'IPv6', 'ObjectGroup', 'ServiceGroup', 'IntervalGroup', 'Library'] objects_we_never_delete = ['ObjectGroup', 'ServiceGroup', 'IntervalGroup', 'Library'] object_type_re = re.compile('<([^ ]+) ') object_id_re = re.compile('id="([^\"]+)"') object_ref_re = re.compile('ref="([^\"]+)"') object_comment_re = re.compile('comment="([^\"]*)"') # first, read standard objects and catalog all lines that have "id=" in them for line in open(std_file): line = line.strip() m = object_id_re.search(line) if m: id = m.group(1) std_objects[id] = line # now scan the data file, find all object definitions and compare for line in open(data_file): line = line.strip() m = object_type_re.match(line) if m: obj_type = m.group(1) if obj_type in objects_of_interest: m = object_id_re.search(line) if m: id = m.group(1) if id in std_objects: print 32 * '-' print 'Find duplicate object:' print 'Object in the data file:' print line print 'Object in the standard objects file:' print std_objects[id] # One of the typical cases is when only comment has changed file_line_no_comment = None std_line_no_comment = None m1 = object_comment_re.match(line) m2 = object_comment_re.match(std_objects[id]) if m1: file_comment = m1.group(1) file_line_no_comment = line.replace('comment="%s"' % file_comment, '') if m2: 
std_comment = m2.group(1) std_line_no_comment = line.replace('comment="%s"' % std_comment, '') if line == std_objects[id]: if obj_type not in objects_we_never_delete: print 'Objects are IDENTICAL' command_to_delete(id) else: print 'Objects are IDENTICAL but we cant delete' command_to_change(id) elif (file_line_no_comment and std_line_no_comment and file_line_no_comment == std_line_no_comment): print 'Only comments are DIFFERENT' print file_line_no_comment print std_line_no_comment command_to_change(id) else: print 'Objects are DIFFERENT' command_to_change(id) print 'cat %s | %s' % (data_file, ' | '.join(generated_commands)) if __name__ == '__main__': main() fwbuilder-5.3.7/src/tools/tools.pro000066400000000000000000000010231303637203600173210ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) win32 { QMAKE_RUN_CC = @echo QMAKE_RUN_CXX = @echo QMAKE_LINK = @echo } unix { QMAKE_RUN_CC = @true QMAKE_RUN_CXX = @true QMAKE_LINK = @true } macx { QMAKE_RUN_CC = @true QMAKE_RUN_CXX = @true QMAKE_LINK = @true } TARGET = tools win32:tools.path = $$target.path unix:tools.path = $$target.path macx:tools.path = $$target.path tools.files = fwb_install fwb_compile_all INSTALLS -= target INSTALLS += tools fwbuilder-5.3.7/src/unit_tests/000077500000000000000000000000001303637203600165045ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/.gitignore000066400000000000000000000000051303637203600204670ustar00rootroot00000000000000*.a fwbuilder-5.3.7/src/unit_tests/AddressRangeDialogTest/000077500000000000000000000000001303637203600230265ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/AddressRangeDialogTest/AddressRangeDialogTest.cpp000066400000000000000000000131071303637203600300560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: AddressRangeDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under 
the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "AddressRangeDialogTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWBApplication.h" #include "FWObjectClipboard.h" #include "TextEditWidget.h" #include "fwbuilder/AddressRange.h" #include "StartTipDialog.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObjectDatabase.h" using namespace std; using namespace libfwbuilder; QPoint findItemPos(ObjectTreeViewItem *item, ObjectTreeView *tree) { for (int h=10; hheight(); h+=1) { for (int w=75; wwidth(); w+=1) { if(tree->itemAt(w,h) == item) return QPoint(w, h); } } return QPoint(-1,-1); } void AddressRangeDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->startupLoad(); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); QTest::qWait(10); } void AddressRangeDialogTest::checkMessageBox() { QVERIFY(app->activeModalWidget()->metaObject()->className() == QMessageBox().metaObject()->className()); QVERIFY(dynamic_cast(app->activeModalWidget())->text().contains("300.300.300.300") || dynamic_cast(app->activeModalWidget())->text().contains("200.200.200.200") ); 
dynamic_cast(app->activeModalWidget())->reject(); } void AddressRangeDialogTest::editSelectedObject() { //NOTUSED QToolButton* newButton = mw->findChild("newButton"); ObjectManipulator* om = dynamic_cast( mw->getCurrentObjectTree()->parent()->parent()); om->createObject( FWBTree().getStandardSlotForObject( om->getCurrentLib(), AddressRange::TYPENAME), AddressRange::TYPENAME, "Address Range"); QTest::qWait(100); QTreeWidgetItem *item = mw->getCurrentObjectTree()->findItems("Address Range", Qt::MatchRecursive | Qt::MatchExactly, 0).first(); mw->getCurrentObjectTree()->setCurrentItem(item, 0, QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent); om->editSelectedObject(); QTest::qWait(100); om->editSelectedObject(); QWidget *address_range_dialog = mw->findChild("w_AddressRangeDialog"); QVERIFY(address_range_dialog != NULL); QLineEdit *rangeStart = address_range_dialog->findChildren("rangeStart").first(); QLineEdit *rangeEnd = address_range_dialog->findChildren("rangeEnd").first(); QLineEdit *objName = address_range_dialog->findChild("obj_name"); QVERIFY(objName != NULL); TextEditWidget *comment = address_range_dialog->findChild("comment"); QVERIFY(comment != NULL); objName->clear(); QTest::keyClicks(objName, "TestAddressRange"); QTest::keyClick(objName, Qt::Key_Enter); QVERIFY (dynamic_cast(item)->getFWObject()->getName() == "TestAddressRange"); QTest::qWait(100); comment->clear(); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "Test comment"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClick(comment, Qt::Key_Tab); QTest::qWait(100); QVERIFY (dynamic_cast(item)->getFWObject()->getComment() == "Test comment"); rangeStart->clear(); QTest::keyClicks(rangeStart, "1.1.1.1"); QTest::keyClick(rangeStart, Qt::Key_Enter); QVERIFY (libfwbuilder::AddressRange::cast(dynamic_cast(item)->getFWObject())->getRangeStart().toString() == "1.1.1.1"); QTest::qWait(100); rangeEnd->clear(); QTest::keyClicks(rangeEnd, "1.1.1.10"); 
QTest::keyClick(rangeEnd, Qt::Key_Enter); QVERIFY (libfwbuilder::AddressRange::cast(dynamic_cast(item)->getFWObject())->getRangeEnd().toString() == "1.1.1.10"); QTimer::singleShot(1000, this, SLOT(checkMessageBox())); rangeStart->clear(); QTest::keyClicks(rangeStart, "300.300.300.300"); QTest::keyClick(rangeStart, Qt::Key_Enter); rangeStart->clear(); QTest::keyClicks(rangeStart, "200.200.200.200"); QTest::keyClick(rangeStart, Qt::Key_Enter); QTest::qWait(100); QTimer::singleShot(100, this, SLOT(checkMessageBox())); rangeEnd->clear(); QTest::keyClicks(rangeEnd, "300.300.300.300"); QTest::keyClick(rangeEnd, Qt::Key_Enter); QTest::qWait(1000); } fwbuilder-5.3.7/src/unit_tests/AddressRangeDialogTest/AddressRangeDialogTest.h000066400000000000000000000022741303637203600275260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: AddressRangeDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OBJECTMANIPULATORTEST_H #define OBJECTMANIPULATORTEST_H #include class AddressRangeDialogTest : public QObject { Q_OBJECT private slots: void initTestCase(); void editSelectedObject(); public slots: void checkMessageBox(); }; #endif // OBJECTMANIPULATORTEST_H fwbuilder-5.3.7/src/unit_tests/AddressRangeDialogTest/AddressRangeDialogTest.pro000066400000000000000000000004061303637203600300720ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = AddressRangeDialogTest CONFIG += console CONFIG -= app_bundle TEMPLATE = app SOURCES += AddressRangeDialogTest.cpp \ main_AddressRangeDialogTest.cpp HEADERS += AddressRangeDialogTest.h fwbuilder-5.3.7/src/unit_tests/AddressRangeDialogTest/main_AddressRangeDialogTest.cpp000066400000000000000000000033221303637203600310600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_AddressRangeDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "AddressRangeDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new AddressRangeDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/AddressTableTest/000077500000000000000000000000001303637203600217015ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/AddressTableTest/AddressTableTest.cpp000066400000000000000000000077701303637203600256150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "AddressTableTest.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Group.h" #include "fwbuilder/Library.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/Network.h" using namespace std; using namespace libfwbuilder; void AddressTableTest::setUp() { objdb = new FWObjectDatabase(); FWObject *nlib = objdb->create(Library::TYPENAME,true); objdb->add(nlib); nlib->setName( "Library" ); FWObject *o1 = objdb->create(ObjectGroup::TYPENAME,true); o1->setName("Objects"); nlib->add(o1); address_tables_group = objdb->create(ObjectGroup::TYPENAME,true); address_tables_group->setName("Address Tables"); o1->add(address_tables_group); } void AddressTableTest::positiveTest() { setStrings addrres; setStrings addrset; // This matches contents of the test file addresstable-1.txt addrset.insert("216.193.197.238/255.255.255.255"); addrset.insert("207.46.20.60/255.255.255.0"); addrset.insert("207.46.198.3/255.255.255.255"); addrset.insert("207.46.198.60/255.255.255.255"); addrset.insert("207.46.199.30/255.255.255.255"); addrset.insert("207.46.225.60/255.255.255.252"); addrset.insert("207.46.19.60/255.255.255.255"); addrset.insert("192.168.105.57/255.255.255.255"); addrset.insert("192.168.105.69/255.255.255.255"); addrset.insert("192.168.105.68/255.255.255.255"); addrset.insert("192.168.100.0/255.255.255.0"); addrset.insert("192.168.11.0/255.255.255.0"); CPPUNIT_ASSERT(address_tables_group!=NULL); AddressTable *nobj = AddressTable::cast(objdb->create(AddressTable::TYPENAME, true)); address_tables_group->add(nobj); nobj->setName("TestADT"); nobj->setSourceName("addresstable-1.txt"); nobj->loadFromSource(false, NULL, true); 
list::const_iterator t = nobj->begin(); Network *net; FWReference *ref; for ( ; t != nobj->end(); ++t ) { ref = FWReference::cast(*t); CPPUNIT_ASSERT(ref!=NULL); net = Network::cast(ref->getPointer()); CPPUNIT_ASSERT(net!=NULL); addrres.insert(net->getAddressPtr()->toString() + "/" + net->getNetmaskPtr()->toString()); } CPPUNIT_ASSERT(addrset==addrres); } void AddressTableTest::negativeTest1() { setStrings addrres; CPPUNIT_ASSERT(address_tables_group!=NULL); AddressTable *nobj = AddressTable::cast(objdb->create(AddressTable::TYPENAME, true)); address_tables_group->add(nobj); nobj->setName("TestADT2"); nobj->setSourceName("addresstable-2.txt"); CPPUNIT_ASSERT_THROW(nobj->loadFromSource(false, NULL, true), FWException); } void AddressTableTest::negativeTest2() { setStrings addrres; CPPUNIT_ASSERT(address_tables_group!=NULL); AddressTable *nobj = AddressTable::cast(objdb->create(AddressTable::TYPENAME, true)); address_tables_group->add(nobj); nobj->setName("TestADT3"); nobj->setSourceName("addresstable-not-found.txt"); CPPUNIT_ASSERT_THROW(nobj->loadFromSource(false, NULL, true), FWException); } fwbuilder-5.3.7/src/unit_tests/AddressTableTest/AddressTableTest.h000066400000000000000000000031211303637203600252440ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef ADDRESSTABLETEST_H #define ADDRESSTABLETEST_H #include "fwbuilder/FWObjectDatabase.h" #include #include #include typedef std::set > setStrings; class AddressTableTest : public CppUnit::TestFixture { libfwbuilder::FWObjectDatabase *objdb; libfwbuilder::FWObject *address_tables_group; CPPUNIT_TEST_SUITE(AddressTableTest); CPPUNIT_TEST(positiveTest); CPPUNIT_TEST(negativeTest1); CPPUNIT_TEST(negativeTest2); CPPUNIT_TEST_SUITE_END(); public: void setUp(); void positiveTest(); void negativeTest1(); void negativeTest2(); }; #endif // ADDRESSTABLETEST_H fwbuilder-5.3.7/src/unit_tests/AddressTableTest/AddressTableTest.pro000066400000000000000000000011261303637203600256200ustar00rootroot00000000000000 include(../../../qmake.inc) QT -= core gui TARGET = AddressTableTest CONFIG += console CONFIG -= app_bundle TEMPLATE = app QMAKE_CXXFLAGS += $$CPPUNIT_CFLAGS LIBS += $$CPPUNIT_LIBS SOURCES += main.cpp AddressTableTest.cpp HEADERS += AddressTableTest.h INCLUDEPATH += ../../.. ../../libfwbuilder/src DEPENDPATH += ../../libfwbuilder/src LIBS = ../../libfwbuilder/src/fwbuilder/libfwbuilder.a $$LIBS run_tests.commands = echo "Running tests..." 
&& ./${TARGET} run_tests.depends = all clean_tests.depends = clean build_tests.depends = all QMAKE_EXTRA_TARGETS += run_tests clean_tests build_tests fwbuilder-5.3.7/src/unit_tests/AddressTableTest/addresstable-1.txt000066400000000000000000000006751303637203600252450ustar00rootroot00000000000000# This is a comment ;; comment too # Test of Address Table # # 1.2.3.4 this address should be ignored because it is in the comment 216.193.197.238 www.rebol.com www.microsoft.com: 207.46.20.60/24 207.46.198.3 207.46.198.60 207.46.199.30 207.46.225.60/30 207.46.19.60 OKC Network: 192.168.105.57 OKC_B0 192.168.105.69 OKC_DEVP2 192.168.105.68 OKC_SQL RK Network: 192.168.100.0/24 TT Lan: 192.168.11.0/24 fwbuilder-5.3.7/src/unit_tests/AddressTableTest/addresstable-2.txt000066400000000000000000000002351303637203600252360ustar00rootroot00000000000000# This is a comment ;; comment too # Test of Address Table # # This file is different from addresstable-1.txt , it has invalid ip address 300.300.300.300 fwbuilder-5.3.7/src/unit_tests/AddressTableTest/main.cpp000066400000000000000000000025271303637203600233370ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "AddressTableTest.h" #include "fwbuilder/FWObjectDatabase.h" #include int fwbdebug = 0; std::string platform; int main( int, char** argv) { CppUnit::TextUi::TestRunner runner; runner.addTest( AddressTableTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/CustomServiceDialogTest/000077500000000000000000000000001303637203600232575ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/CustomServiceDialogTest/CustomServiceDialogTest.cpp000066400000000000000000000163361303637203600305470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: CustomServiceDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "CustomServiceDialogTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWObjectClipboard.h" #include "TextEditWidget.h" #include "fwbuilder/Address.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObjectDatabase.h" #include "CustomServiceDialogTest.h" #include "StartTipDialog.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "IPServiceDialog.h" #include "fwbuilder/IPService.h" #include "fwbuilder/CustomService.h" #include "CustomServiceDialog.h" #include "platforms.h" using namespace std; using namespace libfwbuilder; void CustomServiceDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->startupLoad(); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); QTest::qWait(1000); } Library* CustomServiceDialogTest::findUserLibrary() { Library *lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } void CustomServiceDialogTest::selectComboItem(QWidget *widget, QString name) { QComboBox * combo = dynamic_cast(widget); Q_ASSERT(combo != NULL); int id = combo->findText(name); combo->setCurrentIndex(id); } void CustomServiceDialogTest::testDialog() { CustomService *service = CustomService::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), CustomService::TYPENAME), CustomService::TYPENAME, 
"testCustomService")); om->editObject(service); CustomServiceDialog *dialog = mw->findChild("w_CustomServiceDialog"); QLineEdit *obj_name = dialog->findChild("obj_name"); QComboBox *platform = dialog->findChild("platform"); QLineEdit *code = dialog->findChild("code"); QComboBox *protocol = dialog->findChild("protocol"); QRadioButton *ipv4 = dialog->findChild("ipv4"); QRadioButton *ipv6 = dialog->findChild("ipv6"); TextEditWidget *comment = dialog->findChild("comment"); obj_name->clear(); QTest::keyClicks(obj_name, "TestCustomService"); QTest::keyClick(obj_name, Qt::Key_Enter); QVERIFY(service->getName() == "TestCustomService"); comment->clear(); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "Test comment"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClick(comment, Qt::Key_Tab); QTest::qWait(100); QVERIFY (service->getComment() == "Test comment"); // testing saving platform code to service object selectComboItem(platform, "iptables"); dialog->platformChanged(); QTest::keyClicks(code, "code for iptables"); QTest::keyClick(code, Qt::Key_Tab); QTest::keyClick(code, Qt::Key_Enter); QTest::qWait(100); QVERIFY(service->getCodeForPlatform("iptables") == "code for iptables"); // platform code should clear when we change platform to one that currently does not have code selectComboItem(platform, "PF"); dialog->platformChanged(); QVERIFY(code->text().isEmpty()); // platform code for iptables should not change when setting code for PF or changing platform QVERIFY(service->getCodeForPlatform("iptables") == "code for iptables"); QTest::keyClicks(code, "code for pf"); QTest::keyClick(code, Qt::Key_Enter); QVERIFY(service->getCodeForPlatform("iptables") == "code for iptables"); QVERIFY(service->getCodeForPlatform("pf") == "code for pf"); // testing saving platform code to service object for all platforms QMap platforms = getAllPlatforms(); foreach (QString key, platforms.keys()) { selectComboItem(platform, platforms[key]); 
dialog->platformChanged(); code->clear(); QTest::keyClicks(code, "code for "+key); QTest::keyClick(code, Qt::Key_Tab); QTest::keyClick(code, Qt::Key_Enter); QTest::qWait(100); QVERIFY2(service->getCodeForPlatform(key.toStdString().c_str()) == (string("code for ")+key.toStdString()), (string("failed for platform ") + key.toStdString()).c_str()); } // testing changing protocol to tcp selectComboItem(platform, "iptables"); dialog->platformChanged(); selectComboItem(protocol, "tcp"); dialog->applyChanges(); QTest::qWait(100); QVERIFY(service->getProtocol() == "tcp"); selectComboItem(platform, "pf"); dialog->platformChanged(); QVERIFY(service->getProtocol() == "tcp"); // testing saving address family to service object selectComboItem(platform, "iptables"); dialog->platformChanged(); QTest::mouseClick(ipv6, Qt::LeftButton, Qt::NoModifier, QPoint(10,10)); QVERIFY(service->getAddressFamily() == AF_INET6); selectComboItem(platform, "PF"); dialog->platformChanged(); QVERIFY(service->getAddressFamily() == AF_INET6); // testing that changing address family does not change platform code foreach (QString key, platforms.keys()) { string oldcode = service->getCodeForPlatform(key.toStdString().c_str()); string oldprotocol = service->getProtocol(); QTest::mouseClick(ipv4, Qt::LeftButton, Qt::NoModifier, QPoint(10,10)); QVERIFY(service->getAddressFamily() == AF_INET); QVERIFY(oldcode == service->getCodeForPlatform(key.toStdString().c_str())); QVERIFY(oldprotocol == service->getProtocol()); QTest::mouseClick(ipv6, Qt::LeftButton, Qt::NoModifier, QPoint(10,10)); QVERIFY(service->getAddressFamily() == AF_INET6); QVERIFY(oldcode == service->getCodeForPlatform(key.toStdString().c_str())); QVERIFY(oldprotocol == service->getProtocol()); } } fwbuilder-5.3.7/src/unit_tests/CustomServiceDialogTest/CustomServiceDialogTest.h000066400000000000000000000025201303637203600302020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy 
a2k0001@gmail.com $Id: CustomServiceDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef CustomServiceDialogTest_H #define CustomServiceDialogTest_H #include #include "ObjectManipulator.h" #include "fwbuilder/Library.h" class CustomServiceDialogTest : public QObject { Q_OBJECT libfwbuilder::Library* findUserLibrary(); ObjectManipulator *om; void selectComboItem(QWidget *widget, QString name); private slots: void initTestCase(); void testDialog(); }; #endif // CustomServiceDialogTest_H fwbuilder-5.3.7/src/unit_tests/CustomServiceDialogTest/CustomServiceDialogTest.pro000066400000000000000000000004031303637203600305510ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = CustomServiceDialogTest CONFIG += console CONFIG -= app_bundle TEMPLATE = app SOURCES += main_CustomServiceDialogTest.cpp \ CustomServiceDialogTest.cpp HEADERS += CustomServiceDialogTest.h fwbuilder-5.3.7/src/unit_tests/CustomServiceDialogTest/main_CustomServiceDialogTest.cpp000066400000000000000000000033131303637203600315420ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "CustomServiceDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new CustomServiceDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/DNSTest/000077500000000000000000000000001303637203600177705ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/DNSTest/DNSTest.cpp000066400000000000000000000070571303637203600217710ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "DNSTest.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/ObjectMatcher.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Address.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Host.h" #include "fwbuilder/Library.h" #include "fwbuilder/DNSName.h" #include using namespace libfwbuilder; using namespace std; bool DNSTest::testDNSNameObject(FWObjectDatabase *objdb, FWObject *root, const string &dnsrec, char* results[]) { list expected_results; for (char** cptr=results; *cptr!=NULL; ++cptr) expected_results.push_back(*cptr); FWObject *nobj = objdb->create(DNSName::TYPENAME); if (root != NULL) { root->add(nobj); } DNSName* dnsnameobj = DNSName::cast(nobj); dnsnameobj->setName(dnsrec); dnsnameobj->setStr("dnsrec", dnsrec); dnsnameobj->setRunTime(false); for (FWObject::iterator j=dnsnameobj->begin(); j!=dnsnameobj->end(); ++j) { Address* addr = Address::cast(FWReference::cast(*j)->getPointer()); const InetAddr* inet_addr = addr->getAddressPtr(); list::const_iterator res; res = std::find(expected_results.begin(), expected_results.end(), inet_addr->toString()); if ( res != expected_results.end()) { return true; } else { return false; } } return true; } void DNSTest::runTest() { libfwbuilder::init(); objdb = new FWObjectDatabase(); FWObject *nlib = objdb->create(Library::TYPENAME); objdb->add(nlib); nlib->setName( "Library" ); FWObject *o1 = objdb->create(ObjectGroup::TYPENAME); 
o1->setName("Objects"); nlib->add(o1); FWObject *root = objdb->create(ObjectGroup::TYPENAME); root->setName("DNS Names"); o1->add(root); InetAddr addr; char* test1[] = {"localhost", "127.0.0.1", NULL}; CPPUNIT_ASSERT(testDNSNameObject(objdb, root, test1[0], &(test1[1]))); char* test2[] = {"www.fwbuilder.org","70.85.175.170", NULL}; CPPUNIT_ASSERT(testDNSNameObject(objdb, root, test2[0], &(test2[1]))); char* test3[] = {"www.microsoft.com", "65.55.21.250", "207.46.232.182", "207.46.197.32", "207.46.19.254", "207.46.192.254", "207.46.193.254", NULL}; CPPUNIT_ASSERT(testDNSNameObject(objdb, root, test3[0], &(test3[1]))); } fwbuilder-5.3.7/src/unit_tests/DNSTest/DNSTest.h000066400000000000000000000032211303637203600214230ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef DNSTEST_H #define DNSTEST_H #include #include #include #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWObject.h" class DNSTest : public CppUnit::TestCase { libfwbuilder::FWObjectDatabase *objdb; bool testDNSNameObject(libfwbuilder::FWObjectDatabase *objdb, libfwbuilder::FWObject *root, const std::string &dnsrec, char* results[]); public: void runTest(); static CppUnit::Test *suite() { CppUnit::TestSuite *suiteOfTests = new CppUnit::TestSuite( "ObjectMatcherTest" ); suiteOfTests->addTest( new CppUnit::TestCaller( "runTest", &DNSTest::runTest ) ); return suiteOfTests; } }; #endif // DNSTEST_H fwbuilder-5.3.7/src/unit_tests/DNSTest/DNSTest.pro000066400000000000000000000010731303637203600217770ustar00rootroot00000000000000 include(../../../qmake.inc) QT -= core gui TARGET = DNSTest CONFIG += console CONFIG -= app_bundle TEMPLATE = app QMAKE_CXXFLAGS += $$CPPUNIT_CFLAGS LIBS += $$CPPUNIT_LIBS SOURCES += main.cpp DNSTest.cpp HEADERS += DNSTest.h INCLUDEPATH += ../../.. ../../libfwbuilder/src DEPENDPATH += ../../libfwbuilder/src LIBS = ../../libfwbuilder/src/fwbuilder/libfwbuilder.a $$LIBS run_tests.commands = echo "Running tests..." && ./${TARGET} run_tests.depends = all clean_tests.depends = clean build_tests.depends = all QMAKE_EXTRA_TARGETS += run_tests clean_tests build_tests fwbuilder-5.3.7/src/unit_tests/DNSTest/main.cpp000066400000000000000000000025051303637203600214220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "DNSTest.h" #include "fwbuilder/FWObjectDatabase.h" #include int fwbdebug = 0; std::string platform; int main( int, char** argv) { CppUnit::TextUi::TestRunner runner; runner.addTest( DNSTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/FWBTreeTest/000077500000000000000000000000001303637203600206025ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/FWBTreeTest/FWBTreeTest.cpp000066400000000000000000000177771303637203600234270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "FWBTreeTest.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Host.h" #include "fwbuilder/Library.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/ObjectGroup.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Network.h" #include "fwbuilder/DNSName.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/AddressTable.h" #include "fwbuilder/ServiceGroup.h" #include "fwbuilder/IPService.h" #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" #include "fwbuilder/CustomService.h" #include "fwbuilder/Interval.h" #include "fwbuilder/IntervalGroup.h" using namespace libfwbuilder; using namespace std; void FWBTreeTest::isSystem() { FWBTree fwbtree; FWObjectDatabase db; CPPUNIT_ASSERT(fwbtree.isSystem(&db) == true); Library *lib = db.createLibrary(4); CPPUNIT_ASSERT(fwbtree.isSystem(lib) == true); lib = db.createLibrary(7); CPPUNIT_ASSERT(fwbtree.isSystem(lib) == true); lib = db.createLibrary(1); CPPUNIT_ASSERT(fwbtree.isSystem(lib) == false); lib = Library::cast(fwbtree.createNewLibrary(&db)); FWObject *slot = fwbtree.getStandardSlotForObject(lib, Firewall::TYPENAME); CPPUNIT_ASSERT(fwbtree.isSystem(slot) == true); Firewall fw; CPPUNIT_ASSERT(fwbtree.isSystem(&fw) == false); } QSet FWBTreeTest::getStandardFolders(FWObject *root) { QSet res; for (FWObject::iterator i = root->begin(); i != root->end(); i++) { if (FWBTree().isStandardFolder(*i)) res.insert(*i); res += getStandardFolders(*i); } return res; } void FWBTreeTest::validateForInsertion() { FWObjectDatabase db; FWBTree().createNewLibrary(&db); QSet stdFolders = getStandardFolders(&db); QString err; FWBTree tree; Host host; Firewall firewall; Interface iface; IPv4 ipv4; IPv6 ipv6; Firewall 
fw; Network net; CPPUNIT_ASSERT(tree.validateForInsertion(&host, &iface, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&firewall, &iface, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&iface, &ipv4, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&iface, &ipv6, err) == true); firewall.addInterface(&iface); CPPUNIT_ASSERT(tree.validateForInsertion(&iface, &ipv4, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&iface, &ipv6, err) == true); ObjectGroup grp, grp2; Cluster cluster; DNSName dnsname; AddressRange addrrange; AddressTable addrtable; CPPUNIT_ASSERT(tree.validateForInsertion(&grp, &host, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&grp, &firewall, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&grp, &cluster, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&grp, &dnsname, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&grp, &addrrange, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&grp, &addrtable, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&grp, &grp2, err) == true); ServiceGroup sgrp, sgrp2; IPService ip; ICMPService icmp; TCPService tcp; UDPService udp; CustomService custom; CPPUNIT_ASSERT(tree.validateForInsertion(&sgrp, &ip, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&sgrp, &icmp, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&sgrp, &tcp, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&sgrp, &udp, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&sgrp, &custom, err) == true); CPPUNIT_ASSERT(tree.validateForInsertion(&sgrp, &sgrp2, err) == true); Interval interval; IntervalGroup igrp; CPPUNIT_ASSERT(tree.validateForInsertion(&igrp, &interval, err) == true); foreach (FWObject* folder, stdFolders) { if (folder->getName() == "Hosts") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &host, err) == true); if (folder->getName() == "Firewalls") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &fw, err) == true); if 
(folder->getName() == "Addresses") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &ipv4, err) == true); if (folder->getName() == "Addresses") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &ipv6, err) == true); if (folder->getName() == "TCP") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &tcp, err) == true); if (folder->getName() == "UDP") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &udp, err) == true); if (folder->getName() == "ICMP") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &icmp, err) == true); if (folder->getName() == "Address ranges") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &addrrange, err) == true); if (folder->getName() == "Networks") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &net, err) == true); } CPPUNIT_ASSERT(tree.validateForInsertion(&host, &ipv4, err) == false); CPPUNIT_ASSERT(tree.validateForInsertion(&firewall, &ipv4, err) == false); CPPUNIT_ASSERT(tree.validateForInsertion(&cluster, &ipv4, err) == false); CPPUNIT_ASSERT(tree.validateForInsertion(&grp, &ip, err) == false); CPPUNIT_ASSERT(tree.validateForInsertion(&sgrp, &ipv4, err) == false); CPPUNIT_ASSERT(tree.validateForInsertion(&grp, &interval, err) == false); CPPUNIT_ASSERT(tree.validateForInsertion(&sgrp, &interval, err) == false); foreach (FWObject* folder, stdFolders) { if (folder->getName() == "Addresses") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &host, err) == false); if (folder->getName() == "Addresses") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &fw, err) == false); if (folder->getName() == "Hosts") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &ipv4, err) == false); if (folder->getName() == "Firewalls") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &ipv6, err) == false); if (folder->getName() == "Networks") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &tcp, err) == false); if (folder->getName() == "TCP") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &udp, err) == false); if (folder->getName() == "Address ranges") 
CPPUNIT_ASSERT(tree.validateForInsertion(folder, &icmp, err) == false); if (folder->getName() == "ICMP") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &addrrange, err) == false); if (folder->getName() == "UDP") CPPUNIT_ASSERT(tree.validateForInsertion(folder, &net, err) == false); } // destructor ~FWObject calls FWObject::destroyChildren() which // tries to delete all child objects. Since interface iface was // not created using new, it can not be deleted. Remove it to // avoid crash. Also need to ref() it so that FWObject::remove() // does not try to delete it as well. All these hacks just because // a2k@codeminders.com was too lazy to create objects as recommended. iface.ref(); firewall.removeInterface(&iface); } fwbuilder-5.3.7/src/unit_tests/FWBTreeTest/FWBTreeTest.h000066400000000000000000000024711303637203600230550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWBTREETEST_H #define FWBTREETEST_H #include "FWBTree.h" #include class FWBTreeTest : public CppUnit::TestFixture { QSet getStandardFolders(libfwbuilder::FWObject *root); public: void isSystem(); void validateForInsertion(); CPPUNIT_TEST_SUITE(FWBTreeTest); CPPUNIT_TEST(isSystem); CPPUNIT_TEST(validateForInsertion); CPPUNIT_TEST_SUITE_END(); }; #endif // FWBTREETEST_H fwbuilder-5.3.7/src/unit_tests/FWBTreeTest/FWBTreeTest.pro000066400000000000000000000002331303637203600234200ustar00rootroot00000000000000include(../tests_common.pri) QT += gui network TARGET = FWBTreeTest SOURCES += main_FWBTreeTest.cpp \ FWBTreeTest.cpp HEADERS += FWBTreeTest.hfwbuilder-5.3.7/src/unit_tests/FWBTreeTest/main_FWBTreeTest.cpp000066400000000000000000000024261303637203600244140ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "FWBTreeTest.h" int fwbdebug; int main(int /*UNUSED argc*/, char ** /*UNUSED argv[]*/) { CppUnit::TextUi::TestRunner runner; runner.addTest( FWBTreeTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/FWObjectTest/000077500000000000000000000000001303637203600210075ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/FWObjectTest/FWObjectTest.cpp000066400000000000000000000051571303637203600240260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: FWObjectTest.cpp 581 2010-03-10 18:31:03Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "FWObjectTest.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/ObjectMatcher.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Network.h" #include "fwbuilder/Address.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Host.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Group.h" using namespace libfwbuilder; using namespace std; void FWObjectTest::cmpTest() { FWObjectDatabase db; FWObject *obj1 = db.create(Firewall::TYPENAME); FWObject *obj2 = db.create(Firewall::TYPENAME); obj2->duplicate(obj1); obj1->setStr("key", "value1"); CPPUNIT_ASSERT(obj1->cmp(obj2) == false); obj2->setStr("key", "value2"); CPPUNIT_ASSERT(obj1->cmp(obj2) == false); obj2->remStr("key"); obj1->setStr("key", ""); CPPUNIT_ASSERT(obj1->cmp(obj2) == false); obj1->remStr("key"); CPPUNIT_ASSERT(obj2->cmp(obj1) == true); FWObject *ch1 = db.create(Interface::TYPENAME); FWObject *ch2 = db.create(Interface::TYPENAME); FWObject *ch3 = db.create(Interface::TYPENAME); FWObject *ch4 = db.create(Interface::TYPENAME); ch1->setStr("key", "value1"); ch2->duplicate(ch1); CPPUNIT_ASSERT(ch1->cmp(ch2) == true); ch3->duplicate(ch1); CPPUNIT_ASSERT(ch1->cmp(ch3) == true); ch4->duplicate(ch1); ch4->setStr("key", "value2"); CPPUNIT_ASSERT(ch1->cmp(ch4) == false); obj1->add(ch1); obj1->add(ch2); obj2->add(ch3); obj2->add(ch4); CPPUNIT_ASSERT(obj1->cmp(obj2, true) == false); ch4->setStr("key", "value1"); CPPUNIT_ASSERT(obj1->cmp(obj2, true) == true); } fwbuilder-5.3.7/src/unit_tests/FWObjectTest/FWObjectTest.h000066400000000000000000000027321303637203600234670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy 
a2k0001@gmail.com $Id: FWObjectTest.h 581 2010-03-10 18:31:03Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OBJECTMATCHERTEST_H #define OBJECTMATCHERTEST_H #include #include #include class FWObjectTest : public CppUnit::TestCase { public: void cmpTest(); static CppUnit::Test *suite() { CppUnit::TestSuite *suiteOfTests = new CppUnit::TestSuite( "FWObjectTest" ); suiteOfTests->addTest( new CppUnit::TestCaller( "cmpTest", &FWObjectTest::cmpTest ) ); return suiteOfTests; } }; #endif // OBJECTMATCHERTEST_H fwbuilder-5.3.7/src/unit_tests/FWObjectTest/FWObjectTest.pro000066400000000000000000000011111303637203600240260ustar00rootroot00000000000000include(../../../qmake.inc) QT -= core gui TARGET = FWObjectTest CONFIG += console CONFIG -= app_bundle TEMPLATE = app QMAKE_CXXFLAGS += $$CPPUNIT_CFLAGS LIBS += $$CPPUNIT_LIBS SOURCES += main.cpp FWObjectTest.cpp HEADERS += FWObjectTest.h INCLUDEPATH += ../../.. ../../libfwbuilder/src DEPENDPATH += ../../libfwbuilder/src LIBS = ../../libfwbuilder/src/fwbuilder/libfwbuilder.a $$LIBS run_tests.commands = echo "Running tests..." 
&& ./${TARGET} run_tests.depends = all clean_tests.depends = clean build_tests.depends = all QMAKE_EXTRA_TARGETS += run_tests clean_tests build_tests fwbuilder-5.3.7/src/unit_tests/FWObjectTest/main.cpp000066400000000000000000000027121303637203600224410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main.cpp 581 2010-03-10 18:31:03Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "FWObjectTest.h" #include "fwbuilder/FWObjectDatabase.h" #include using namespace libfwbuilder; int fwbdebug = 0; //QString user_name; std::string platform; int main( int, char** argv) { //init(argv); init(); CppUnit::TextUi::TestRunner runner; runner.addTest( FWObjectTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/FWWindowTest/000077500000000000000000000000001303637203600210505ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/FWWindowTest/FWWindowTest.cpp000066400000000000000000000067071303637203600241320ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "FWWindowTest.h" #include "FWWindow.h" #include #include "global.h" #include "FWBSettings.h" #include #include #include FWWindowTest::FWWindowTest(QWidget *parent) : QMainWindow(parent) { } void FWWindowTest::initTestCase() { st->setCheckUpdates(true); st->setBool("UI/NoStartTip", true); } void FWWindowTest::cleanupTestCase() { if (QFile::exists("/tmp/update_4.0.0")) qDebug() << "file /tmp/update_4.0.0 exists"; QFile::remove("/tmp/update_4.0.0"); } void FWWindowTest::findMessageBox() { QList boxes = mw->findChildren(); QVERIFY(!boxes.empty()); bool found = false; foreach(QMessageBox *box, boxes) { if (box->text().contains("http://www.fwbuilder.org")) { found = true; box->reject(); break; } } QVERIFY(found); } void FWWindowTest::findNoMessageBox() { QList boxes = mw->findChildren(); if (!boxes.isEmpty()) boxes.first()->reject(); QVERIFY(boxes.empty()); } void FWWindowTest::prepareMW() { mw = new FWWindow(); mw->show(); QFile updatefile("/tmp/update_4.0.0"); updatefile.open(QFile::ReadWrite); updatefile.write("update = 1\n"); updatefile.close(); setenv("FWBUILDER_CHECK_UPDATE_URL", "file:///tmp/update_4.0.0", 1); st->setCheckUpdates(true); } void FWWindowTest::checkForUpgrade_1() { prepareMW(); st->setTimeOfLastUpdateAvailableWarning(0); QTimer::singleShot(1000, this, SLOT(findMessageBox())); mw->startupLoad(); QTest::qWait(1500); mw->hide(); } void FWWindowTest::checkForUpgrade_2() { 
prepareMW(); st->setTimeOfLastUpdateAvailableWarning(QDateTime::currentDateTime().addSecs(-60*60*25).toTime_t()); QTimer::singleShot(1000, this, SLOT(findMessageBox())); mw->startupLoad(); QTest::qWait(1500); mw->hide(); } void FWWindowTest::checkForUpgrade_3() { prepareMW(); st->setTimeOfLastUpdateAvailableWarning(QDateTime::currentDateTime().addSecs(-60*60*2).toTime_t()); QTimer::singleShot(1000, this, SLOT(findNoMessageBox())); mw->startupLoad(); QTest::qWait(1500); mw->hide(); } void FWWindowTest::checkForUpgrade_4() { prepareMW(); QFile updatefile("/tmp/update_4.0.0"); updatefile.open(QFile::WriteOnly); updatefile.resize(0); updatefile.close(); st->setTimeOfLastUpdateAvailableWarning(QDateTime::currentDateTime().addSecs(-60*60*25).toTime_t()); QTimer::singleShot(1000, this, SLOT(findNoMessageBox())); mw->startupLoad(); QTest::qWait(1500); mw->hide(); } fwbuilder-5.3.7/src/unit_tests/FWWindowTest/FWWindowTest.h000066400000000000000000000025641303637203600235740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWWINDOWTEST_H #define FWWINDOWTEST_H #include #include #include class FWWindowTest : public QMainWindow { Q_OBJECT; public: FWWindowTest(QWidget *parent = 0); public slots: void findMessageBox(); void findNoMessageBox(); void prepareMW(); private slots: void initTestCase(); void cleanupTestCase(); void checkForUpgrade_1(); void checkForUpgrade_2(); void checkForUpgrade_3(); void checkForUpgrade_4(); }; #endif // FWWINDOWTEST_H fwbuilder-5.3.7/src/unit_tests/FWWindowTest/FWWindowTest.pro000066400000000000000000000002501303637203600241330ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = FWWindowTest HEADERS += FWWindowTest.h SOURCES += main_FWWindowTest.cpp \ FWWindowTest.cpp fwbuilder-5.3.7/src/unit_tests/FWWindowTest/main_FWWindowTest.cpp000066400000000000000000000031771303637203600251340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "FWWindowTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new FWWindowTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/FirewallDialogTest/000077500000000000000000000000001303637203600222315ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/FirewallDialogTest/FirewallDialogTest.cpp000066400000000000000000000167361303637203600264770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: FirewallDialogTestTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
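To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "FirewallDialogTest.h"
#include "../../../../config.h"
//#include "../../global.h"
// NOTE(review): the twelve system/Qt #include directives below lost their
// <header> targets when this listing was extracted; the page does not allow
// them to be recovered, so they are left as found.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "FWWindow.h"
#include "ProjectPanel.h"
#include "ObjectTreeView.h"
#include "ObjectTreeViewItem.h"
#include "ObjectEditor.h"
#include "FWObjectClipboard.h"
#include "TextEditWidget.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "FWBTree.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "FirewallDialog.h"
#include "StartTipDialog.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Interface.h"
#include "FirewallDialogTest.h"
#include "fwbuilder/IPService.h"
#include "FWBApplication.h"

using namespace std;
using namespace libfwbuilder;

/*
 * QtTest fixture setup: builds the main window, loads the standard object
 * tree, dismisses the start-up tip dialog if it appeared and resolves the
 * ObjectManipulator that every test method drives.
 * Globals used: mw (written), om (written).
 */
void FirewallDialogTest::initTestCase()
{
    new FWObjectClipboard();
    mw = new FWWindow();
    mw->show();
    mw->startupLoad();
    mw->resize(1200, 600);
    QTest::qWait(2000);

    StartTipDialog *d = mw->findChild<StartTipDialog*>();
    if (d != NULL) d->close();

    // The object tree widget is two parents below the manipulator; fail the
    // fixture here instead of dereferencing a NULL om in every test.
    om = dynamic_cast<ObjectManipulator*>(
        mw->getCurrentObjectTree()->parent()->parent());
    QVERIFY2(om != NULL, "could not locate ObjectManipulator above the object tree");
}

/*
 * Returns the library named "User" from the loaded database, or NULL when
 * no such library exists.
 */
Library* FirewallDialogTest::findUserLibrary()
{
    Library *lib = NULL;
    foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME))
    {
        if (obj->getName() == "User")
        {
            lib = Library::cast(obj);
            break;
        }
    }
    return lib;
}

/*
 * Timer slot: rejects the currently active modal QMessageBox so the test
 * does not block on it. Q_ASSERT is compiled out in release builds, so the
 * NULL case is now a recorded test failure rather than a NULL dereference.
 */
void FirewallDialogTest::rejectDialog()
{
    QMessageBox *box = dynamic_cast<QMessageBox*>(app->activeModalWidget());
    QVERIFY2(box != NULL, "expected a modal QMessageBox to be active");
    box->reject();
}

/*
 * Drives the Firewall object dialog through the GUI: renames the object,
 * edits its comment, toggles "inactive", cycles the platform / version /
 * host OS combo boxes and checks the three timestamp labels.
 * Every widget is looked up by objectName and verified non-NULL before use,
 * so a renamed widget fails the test instead of crashing it.
 */
void FirewallDialogTest::testDialog()
{
    firewall = Firewall::cast(
        om->createObject(
            FWBTree().getStandardSlotForObject(findUserLibrary(), Firewall::TYPENAME),
            Firewall::TYPENAME, "TestFirewall"));
    QVERIFY2(firewall != NULL, "createObject did not return a Firewall");
    QTest::qWait(1000);

    FirewallDialog *dialog = mw->findChild<FirewallDialog*>("w_FirewallDialog");
    QVERIFY(dialog != NULL);

    QLineEdit *obj_name = dialog->findChild<QLineEdit*>("obj_name");
    TextEditWidget *comment = dialog->findChild<TextEditWidget*>("comment");
    QComboBox *platform = dialog->findChild<QComboBox*>("platform");
    QComboBox *version = dialog->findChild<QComboBox*>("version");
    QComboBox *hostOS = dialog->findChild<QComboBox*>("hostOS");
    QCheckBox *inactive = dialog->findChild<QCheckBox*>("inactive");
    QLabel *last_modified = dialog->findChild<QLabel*>("last_modified");
    QLabel *last_compiled = dialog->findChild<QLabel*>("last_compiled");
    QLabel *last_installed = dialog->findChild<QLabel*>("last_installed");
    QVERIFY(obj_name != NULL);
    QVERIFY(comment != NULL);
    QVERIFY(platform != NULL);
    QVERIFY(version != NULL);
    QVERIFY(hostOS != NULL);
    QVERIFY(inactive != NULL);
    QVERIFY(last_modified != NULL);
    QVERIFY(last_compiled != NULL);
    QVERIFY(last_installed != NULL);

    // setting object name; Enter raises a modal message box which
    // rejectDialog() dismisses from a timer so the event loop is not blocked
    obj_name->clear();
    QTest::keyClicks(obj_name, "TestFirewallName");
    QTimer::singleShot(10, this, SLOT(rejectDialog()));
    QTest::keyClick(obj_name, Qt::Key_Enter);
    QVERIFY(firewall->getName() == "TestFirewallName");

    // setting comment; clicking another widget commits the edit
    comment->clear();
    QTest::qWait(2000);
    QTest::mouseClick(comment, Qt::LeftButton);
    QTest::keyClicks(comment, "Test comment");
    QTest::mouseClick(obj_name, Qt::LeftButton);
    //QTest::mouseClick(comment, Qt::LeftButton);
    //QTest::keyClick(comment, Qt::Key_Tab);
    qDebug() << "Dialog comment text=" << comment->toPlainText();
    qDebug() << "Object comment=" << QString(firewall->getComment().c_str());
    QVERIFY (firewall->getComment() == "Test comment");

    // switching inactive
    QTest::mouseClick(inactive, Qt::LeftButton, Qt::NoModifier, QPoint(5, 5));
    QVERIFY(firewall->getInactive() == true);
    QTest::mouseClick(inactive, Qt::LeftButton, Qt::NoModifier, QPoint(5, 5));
    QVERIFY(firewall->getInactive() == false);

    // Testing that platform changes in firewall object and
    // version and hostOS combo boxes changes their values
    // when changing platform
    string oldplatform = firewall->getStr("platform");
    bool versionChanges = false;
    bool osChanges = false;
    QString versionstr = version->currentText();
    QString hostOSstr = hostOS->currentText();
    for (int i = 0; i < platform->count(); i++)
    {
        if (platform->itemText(i).isEmpty()) continue;
        oldplatform = firewall->getStr("platform");
        platform->setCurrentIndex(i);
        dialog->changed();
        QVERIFY2(firewall->getStr("platform") != oldplatform, oldplatform.c_str());
        if (version->currentText() != versionstr) versionChanges = true;
        if (hostOS->currentText() != hostOSstr) osChanges = true;
    }
    QVERIFY(osChanges);
    QVERIFY(versionChanges);

    // setting platform to iptables to test version changing
    int iptidx = -1;
    for (int i = 0; i < platform->count(); i++)
    {
        if (platform->itemText(i) == "iptables")
        {
            iptidx = i;
            break;
        }
    }
    // setCurrentIndex(-1) would silently clear the selection and make the
    // version loop below vacuous; fail explicitly instead.
    QVERIFY2(iptidx >= 0, "platform combo box has no 'iptables' entry");
    platform->setCurrentIndex(iptidx);
    dialog->changed();
    version->setCurrentIndex(0);
    dialog->changed();
    for (int i = 1; i < version->count(); i++)
    {
        string oldversion = firewall->getStr("version");
        version->setCurrentIndex(i);
        dialog->changed();
        QVERIFY(oldversion != firewall->getStr("version"));
    }

    // Checking that host OS in firewall object changes when switching
    // it in combo box
    hostOS->setCurrentIndex(0);
    dialog->changed();
    for (int i = 1; i < hostOS->count(); i++)
    {
        string oldos = firewall->getStr("host_OS");
        hostOS->setCurrentIndex(i);
        dialog->changed();
        QVERIFY(oldos != firewall->getStr("host_OS"));
    }

    // Checking last_modified, last_compiled and last_installed labels:
    // 0 renders as "-", any other epoch value as QDateTime::toString()
    QDateTime dt;
    time_t t;

    firewall->setInt("lastModified", 0);
    dialog->changed();
    QVERIFY(last_modified->text() == "-");
    firewall->setInt("lastModified", 123456789);
    t = 123456789;
    dt.setTime_t(t);
    dialog->changed();
    QVERIFY(last_modified->text() == dt.toString());

    firewall->setInt("lastCompiled", 0);
    dialog->changed();
    QVERIFY(last_compiled->text() == "-");
    firewall->setInt("lastCompiled", 123456789);
    t = 123456789;
    dt.setTime_t(t);
    dialog->changed();
    QVERIFY(last_compiled->text() == dt.toString());

    firewall->setInt("lastInstalled", 0);
    dialog->changed();
    QVERIFY(last_installed->text() == "-");
    firewall->setInt("lastInstalled", 123456789);
    t = 123456789;
    dt.setTime_t(t);
    dialog->changed();
    QVERIFY(last_installed->text() == dt.toString());
}
fwbuilder-5.3.7/src/unit_tests/FirewallDialogTest/FirewallDialogTest.h000066400000000000000000000026051303637203600261320ustar00rootroot00000000000000
/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy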
a2k0001@gmail.com $Id: FirewallDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef FirewallDialogTest_H
#define FirewallDialogTest_H

// NOTE(review): the first #include lost its <header> target in extraction.
#include
#include "ObjectManipulator.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Cluster.h"

/*
 * QtTest fixture for the Firewall object dialog (FirewallDialogTest.cpp).
 * initTestCase() builds the GUI once; testDialog() exercises the dialog;
 * rejectDialog() is a timer slot that dismisses the modal message box raised
 * by renaming the object.
 */
class FirewallDialogTest : public QObject
{
    Q_OBJECT

    libfwbuilder::Library* findUserLibrary();

    ObjectManipulator *om;             // set in initTestCase()
    libfwbuilder::Firewall *firewall;  // the object created by testDialog()
    bool dialog_rejected;              // NOTE(review): not referenced by the visible .cpp

private slots:
    void initTestCase();
    void testDialog();

public slots:
    void rejectDialog();
};

#endif // FirewallDialogTest_H
fwbuilder-5.3.7/src/unit_tests/FirewallDialogTest/FirewallDialogTest.pro000066400000000000000000000003001303637203600264710ustar00rootroot00000000000000
include(../tests_common.pri)
QT += testlib network gui
TARGET = FirewallDialogTest
SOURCES += main_FirewallDialogTest.cpp \
    FirewallDialogTest.cpp
HEADERS += FirewallDialogTest.h
fwbuilder-5.3.7/src/unit_tests/FirewallDialogTest/main_FirewallDialogTest.cpp000066400000000000000000000033011303637203600274650ustar00rootroot00000000000000
/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License.
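You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "FirewallDialogTest.h"
// NOTE(review): the next two #include directives lost their <header> targets in extraction.
#include
#include
#include "FWWindow.h"
#include "FWBSettings.h"
#include "FWBApplication.h"

using namespace std;
using namespace libfwbuilder;

int fwbdebug = 0;
FWWindow *mw = NULL;
FWBSettings *st = NULL;
FWBApplication *app = NULL;
int sig = FWB_SIG;

extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st);

/*
 * Test driver: builds the application, runs FirewallDialogTest and removes
 * the scratch file the test writes. The QTest::qExec() status is returned so
 * a failing test case produces a non-zero exit code for make/CI; previously
 * the result was dropped and main() always exited 0.
 */
int main(int argc, char** argv)
{
    app = new FWBApplication(argc, argv);
    app->setOrganizationName(QLatin1String("NetCitadel"));
    app->setApplicationName(QLatin1String("Firewall Builder"));
    build_app(argc, argv, &app, &st);

    int rc = QTest::qExec(new FirewallDialogTest());

    if (QFile::exists("test_work.fwb"))
        QFile::remove("test_work.fwb");

    return rc;
}
fwbuilder-5.3.7/src/unit_tests/GroupObjectDialogTest/000077500000000000000000000000001303637203600227075ustar00rootroot00000000000000
fwbuilder-5.3.7/src/unit_tests/GroupObjectDialogTest/GroupObjectDialogTest.cpp000066400000000000000000000274201303637203600276230ustar00rootroot00000000000000
/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: GroupObjectDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License.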
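You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "GroupObjectDialogTest.h"
#include "../../../../config.h"
//#include "../../global.h"
// NOTE(review): the twelve system/Qt #include directives below lost their
// <header> targets when this listing was extracted and cannot be recovered
// from the page.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "FWWindow.h"
#include "ProjectPanel.h"
#include "ObjectTreeView.h"
#include "ObjectTreeViewItem.h"
#include "ObjectEditor.h"
#include "FWObjectClipboard.h"
#include "TextEditWidget.h"
#include "FWBTree.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "GroupObjectDialogTest.h"
#include "StartTipDialog.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWServiceReference.h"
#include "FWBApplication.h"
#include "GroupObjectDialog.h"

using namespace std;
using namespace libfwbuilder;

/*
 * Fixture setup: builds the main window, resolves the ObjectManipulator and
 * creates one object of every address/service type plus the two groups the
 * tests operate on. The template argument of each createObject() call is the
 * declared type of the member it is stored in; the two groups are later
 * located by name and cast with ObjectGroup::cast / ServiceGroup::cast.
 */
void GroupObjectDialogTest::initTestCase()
{
    new FWObjectClipboard();
    mw = new FWWindow();
    mw->show();
    mw->startupLoad();

    StartTipDialog *d = mw->findChild<StartTipDialog*>();
    if (d != NULL) d->close();

    om = dynamic_cast<ObjectManipulator*>(
        mw->getCurrentObjectTree()->parent()->parent());
    QVERIFY2(om != NULL, "could not locate ObjectManipulator above the object tree");
    QTest::qWait(1000);

    address = createObject<IPv4>("address");
    address6 = createObject<IPv6>("address6");
    network = createObject<Network>("network");
    network6 = createObject<NetworkIPv6>("netowork6");
    range = createObject<AddressRange>("range");
    table = createObject<AddressTable>("table");
    dns = createObject<DNSName>("dns");
    ipservice = createObject<IPService>("ipservice");
    icmpservice = createObject<ICMPService>("icmpservice");
    udpservice = createObject<UDPService>("udpservice");
    tcpservice = createObject<TCPService>("tcpservice");
    tagservice = createObject<TagService>("tagservice");
    userservice = createObject<UserService>("userservice");

    // The groups are looked up by name from the tree in the tests, so the
    // returned pointers are not kept.
    createObject<ObjectGroup>("Object Group");
    createObject<ServiceGroup>("Service Group");
}

/*
 * Scans the tree widget pixel by pixel and returns a point that hits `item`,
 * or (-1,-1) when it is not visible. Starts at (75,10) to skip the expand
 * handles. No caller in this file.
 */
QPoint findItemPos(ObjectTreeViewItem *item, ObjectTreeView *tree)
{
    for (int h = 10; h < tree->height(); h += 1)
    {
        for (int w = 75; w < tree->width(); w += 1)
        {
            if (tree->itemAt(w, h) == item)
                return QPoint(w, h);
        }
    }
    return QPoint(-1, -1);
}

/*
 * Timer slot: verifies that the active modal widget is a QMessageBox whose
 * text mentions one of the invalid inputs, then rejects it.
 * The original compared metaObject()->className() C-strings with ==, i.e.
 * by pointer; the cast below is the intended check and also covers a NULL
 * activeModalWidget().
 * NOTE(review): contains("0") is satisfied by almost any text, so the
 * assertion is in practice only "a message box appeared".
 */
void GroupObjectDialogTest::checkMessageBox()
{
    QMessageBox *box = dynamic_cast<QMessageBox*>(app->activeModalWidget());
    QVERIFY2(box != NULL, "active modal widget is not a QMessageBox");
    QTimer::singleShot(10, box, SLOT(reject()));

    const QString text = box->text();
    QVERIFY(text.contains("300.300.300.300")
            || text.contains("foo:345:1")
            || text.contains("145")
            || text.contains("300")
            || text.contains("0")
            || text.contains("0.0.0.0")
            || text.contains("255.300.300.0"));
}

/*
 * Timer slot: asserts that no top-level QMessageBox exists. Uses a dynamic
 * cast instead of the original pointer comparison of className() strings.
 */
void GroupObjectDialogTest::checkNoMessageBox()
{
    foreach (QWidget *w, app->topLevelWidgets())
        QVERIFY(dynamic_cast<QMessageBox*>(w) == NULL);
}

/* Types `text` into `line` and commits it with Enter. No caller in this file. */
void setLineEditText(QLineEdit *line, QString text)
{
    line->clear();
    QTest::keyClicks(line, text);
    QTest::keyClick(line, Qt::Key_Enter);
}

/* Returns the library named "User", or NULL when it does not exist. */
Library* GroupObjectDialogTest::findUserLibrary()
{
    Library *lib = NULL;
    foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME))
    {
        if (obj->getName() == "User")
        {
            lib = Library::cast(obj);
            break;
        }
    }
    return lib;
}

/*
 * Returns the first tree item whose object is of type TYPE, or NULL.
 * Items that are not ObjectTreeViewItems are skipped instead of being
 * dereferenced through a failed cast. No caller in this file.
 */
template <class TYPE>
ObjectTreeViewItem* findItemForType(ObjectTreeView *tree)
{
    foreach (QTreeWidgetItem *item,
             tree->findItems("", Qt::MatchRecursive | Qt::MatchContains, 0))
    {
        ObjectTreeViewItem *tvi = dynamic_cast<ObjectTreeViewItem*>(item);
        if (tvi != NULL && TYPE::isA(tvi->getFWObject()) != NULL)
            return tvi;
    }
    return NULL;
}

/*
 * Creates an object of type FWTYPE named `name` in the standard slot of the
 * "User" library and returns it cast to FWTYPE (NULL if the cast fails).
 */
template <class FWTYPE>
FWTYPE* GroupObjectDialogTest::createObject(QString name)
{
    return FWTYPE::cast(
        om->createObject(
            FWBTree().getStandardSlotForObject(findUserLibrary(), FWTYPE::TYPENAME),
            FWTYPE::TYPENAME, name));
}

/*
 * Inserts `obj` into `grp` through the dialog, applies, and reports whether
 * a reference to `obj` is now among the group's children. Children that are
 * not references are skipped rather than dereferenced via a NULL cast.
 */
bool checkObjectInsertion(GroupObjectDialog *dlg, Group *grp, FWObject *obj)
{
    qDebug() << "Trying to add object" << obj->getName().c_str()
             << "(" << obj->getTypeName().c_str() << ")"
             << "to group" << grp->getPath().c_str();
    dlg->insertObject(obj);
    dlg->applyChanges();

    for (Group::iterator i = grp->begin(); i != grp->end(); i++)
    {
        FWReference *ref = FWReference::cast(*i);
        if (ref != NULL && ref->getPointer() == obj)
            return true;
    }
    //object was not inserted into group
    return false;
}

/*
 * Test insertion of objects of different types into an object group:
 * address-like objects and the group itself must be accepted, services
 * rejected. Finally opens the "New" menu and hands over to
 * checkObjectGroupMenu() via a timer.
 */
void GroupObjectDialogTest::testObjectGroup()
{
    QList<QTreeWidgetItem*> found =
        mw->getCurrentObjectTree()->findItems("Object Group", Qt::MatchRecursive, 0);
    // first() on an empty QList is undefined behaviour; fail cleanly instead
    QVERIFY2(!found.isEmpty(), "no tree item named 'Object Group'");
    ObjectTreeViewItem *groupItem = dynamic_cast<ObjectTreeViewItem*>(found.first());
    QVERIFY(groupItem != NULL);

    mw->getCurrentObjectTree()->setCurrentItem(
        groupItem, 0, QItemSelectionModel::SelectCurrent | QItemSelectionModel::Clear);

    ObjectGroup *group = ObjectGroup::cast(groupItem->getFWObject());
    QVERIFY(group != NULL);
    om->editObject(group);
    QTest::qWait(50);

    GroupObjectDialog *groupdialog =
        mw->findChild<GroupObjectDialog*>("w_ObjectGroupDialog");
    QVERIFY(groupdialog != NULL);

    QVERIFY(checkObjectInsertion(groupdialog, group, address));
    QVERIFY(checkObjectInsertion(groupdialog, group, address6));
    QVERIFY(checkObjectInsertion(groupdialog, group, network));
    QVERIFY(checkObjectInsertion(groupdialog, group, network6));
    QVERIFY(checkObjectInsertion(groupdialog, group, range));
    QVERIFY(checkObjectInsertion(groupdialog, group, table));
    QVERIFY(checkObjectInsertion(groupdialog, group, dns));
    QVERIFY(checkObjectInsertion(groupdialog, group, group));

    QVERIFY(!checkObjectInsertion(groupdialog, group, ipservice));
    QVERIFY(!checkObjectInsertion(groupdialog, group, icmpservice));
    QVERIFY(!checkObjectInsertion(groupdialog, group, udpservice));
    QVERIFY(!checkObjectInsertion(groupdialog, group, tcpservice));
    QVERIFY(!checkObjectInsertion(groupdialog, group, tagservice));
    QVERIFY(!checkObjectInsertion(groupdialog, group, userservice));

    QPushButton *newButton = groupdialog->findChild<QPushButton*>("newButton");
    QVERIFY(newButton != NULL);
    QTimer::singleShot(50, this, SLOT(checkObjectGroupMenu()));
    QTest::mouseClick(newButton, Qt::LeftButton);
}

/*
 * Timer slot: checks that the "New" menu of the object group dialog offers
 * exactly the address-type object actions, then closes it.
 */
void GroupObjectDialogTest::checkObjectGroupMenu()
{
    GroupObjectDialog *dlg = mw->findChild<GroupObjectDialog*>("w_ObjectGroupDialog");
    QVERIFY(dlg != NULL);
    QMenu *menu = dlg->findChild<QMenu*>("GroupObjectDialog_newObjectMenu");
    QVERIFY(menu != NULL);

    QList<QString> names;
    names << (QString("newObject_") + Host::TYPENAME)
          << (QString("newObject_") + Firewall::TYPENAME)
          << (QString("newObject_") + Cluster::TYPENAME)
          << (QString("newObject_") + Network::TYPENAME)
          << (QString("newObject_") + NetworkIPv6::TYPENAME)
          << (QString("newObject_") + IPv4::TYPENAME)
          << (QString("newObject_") + IPv6::TYPENAME)
          << (QString("newObject_") + DNSName::TYPENAME)
          << (QString("newObject_") + AddressRange::TYPENAME)
          << (QString("newObject_") + AddressTable::TYPENAME);

    QList<QString> menuNames;
    foreach (QAction *act, menu->actions())
        menuNames.append(act->objectName());

    QVERIFY(menuNames.size() == names.size());
    foreach (QString name, names)
        QVERIFY(menuNames.contains(name));
    menu->close();
}

/*
 * Timer slot: checks that the "New" menu of the service group dialog offers
 * exactly the service-type object actions, then closes it.
 */
void GroupObjectDialogTest::checkObjectServiceGroupMenu()
{
    GroupObjectDialog *dlg = mw->findChild<GroupObjectDialog*>("w_ServiceGroupDialog");
    QVERIFY(dlg != NULL);
    QMenu *menu = dlg->findChild<QMenu*>("GroupObjectDialog_newObjectMenu");
    QVERIFY(menu != NULL);

    QList<QString> names;
    names << (QString("newObject_") + IPService::TYPENAME)
          << (QString("newObject_") + ICMPService::TYPENAME)
          << (QString("newObject_") + ICMP6Service::TYPENAME)
          << (QString("newObject_") + TCPService::TYPENAME)
          << (QString("newObject_") + UDPService::TYPENAME)
          << (QString("newObject_") + CustomService::TYPENAME)
          << (QString("newObject_") + TagService::TYPENAME)
          << (QString("newObject_") + UserService::TYPENAME);

    QList<QString> menuNames;
    foreach (QAction *act, menu->actions())
        menuNames.append(act->objectName());

    QVERIFY(menuNames.size() == names.size());
    foreach (QString name, names)
        QVERIFY(menuNames.contains(name));
    menu->close();
}

/*
 * Test insertion into a service group: address-like objects and the object
 * group must be rejected, services and the group itself accepted. The
 * NULL check on groupItem now precedes its first use (the original called
 * setCurrentItem() with it before verifying it).
 */
void GroupObjectDialogTest::testServiceGroup()
{
    QList<QTreeWidgetItem*> found =
        mw->getCurrentObjectTree()->findItems("Service Group", Qt::MatchRecursive, 0);
    QVERIFY2(!found.isEmpty(), "no tree item named 'Service Group'");
    ObjectTreeViewItem *groupItem = dynamic_cast<ObjectTreeViewItem*>(found.first());
    QVERIFY(groupItem != NULL);

    mw->getCurrentObjectTree()->setCurrentItem(
        groupItem, 0, QItemSelectionModel::SelectCurrent | QItemSelectionModel::Clear);

    ServiceGroup *group = ServiceGroup::cast(groupItem->getFWObject());
    QVERIFY(group != NULL);
    om->editObject(group);
    QTest::qWait(50);

    GroupObjectDialog *groupdialog =
        mw->findChild<GroupObjectDialog*>("w_ServiceGroupDialog");
    QVERIFY(groupdialog != NULL);

    QVERIFY(!checkObjectInsertion(groupdialog, group, address));
    QVERIFY(!checkObjectInsertion(groupdialog, group, address6));
    QVERIFY(!checkObjectInsertion(groupdialog, group, network));
    QVERIFY(!checkObjectInsertion(groupdialog, group, network6));
    QVERIFY(!checkObjectInsertion(groupdialog, group, range));
    QVERIFY(!checkObjectInsertion(groupdialog, group, table));
    QVERIFY(!checkObjectInsertion(groupdialog, group, dns));
    QVERIFY(checkObjectInsertion(groupdialog, group, group));

    QList<QTreeWidgetItem*> objFound =
        mw->getCurrentObjectTree()->findItems("Object Group", Qt::MatchRecursive, 0);
    QVERIFY2(!objFound.isEmpty(), "no tree item named 'Object Group'");
    ObjectTreeViewItem *objItem = dynamic_cast<ObjectTreeViewItem*>(objFound.first());
    QVERIFY(objItem != NULL);
    FWObject *objGroup = objItem->getFWObject();
    QVERIFY(!checkObjectInsertion(groupdialog, group, objGroup));

    QVERIFY(checkObjectInsertion(groupdialog, group, ipservice));
    QVERIFY(checkObjectInsertion(groupdialog, group, icmpservice));
    QVERIFY(checkObjectInsertion(groupdialog, group, udpservice));
    QVERIFY(checkObjectInsertion(groupdialog, group, tcpservice));
    QVERIFY(checkObjectInsertion(groupdialog, group, tagservice));
    QVERIFY(checkObjectInsertion(groupdialog, group, userservice));

    QPushButton *newButton = groupdialog->findChild<QPushButton*>("newButton");
    QVERIFY(newButton != NULL);
    QTimer::singleShot(50, this, SLOT(checkObjectServiceGroupMenu()));
    QTest::mouseClick(newButton, Qt::LeftButton);
}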
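fwbuilder-5.3.7/src/unit_tests/GroupObjectDialogTest/GroupObjectDialogTest.h000066400000000000000000000051421303637203600272650ustar00rootroot00000000000000
/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: GroupObjectDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

// Include guard renamed: the original reused IPDIALOGTEST_H from the
// IPDialogTest header, so including both in one translation unit would
// silently drop whichever came second.
#ifndef GROUPOBJECTDIALOGTEST_H
#define GROUPOBJECTDIALOGTEST_H

// NOTE(review): the first #include lost its <header> target in extraction.
#include
#include "fwbuilder/Library.h"
#include "ObjectManipulator.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/NetworkIPv6.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/TagService.h"
#include "fwbuilder/UserService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/ServiceGroup.h"
#include "fwbuilder/ICMP6Service.h"
#include "fwbuilder/CustomService.h"

/*
 * QtTest fixture for the object/service group dialogs. initTestCase()
 * creates one object per member below; the two test slots check which of
 * them each group type accepts; the public slots are timer callbacks that
 * inspect pop-up widgets while the test is blocked in the GUI.
 */
class GroupObjectDialogTest : public QObject
{
    Q_OBJECT   // no trailing ';' -- the macro expands to declarations

    libfwbuilder::Library* findUserLibrary();

    // Creates an object of type FWTYPE named `name` in the "User" library.
    template <class FWTYPE>
    FWTYPE* createObject(QString name);

    ObjectManipulator *om;

    libfwbuilder::IPv4 *address;
    libfwbuilder::IPv6 *address6;
    libfwbuilder::Network *network;
    libfwbuilder::NetworkIPv6 *network6;
    libfwbuilder::AddressRange *range;
    libfwbuilder::AddressTable *table;
    libfwbuilder::DNSName *dns;
    libfwbuilder::IPService *ipservice;
    libfwbuilder::ICMPService *icmpservice;
    libfwbuilder::UDPService *udpservice;
    libfwbuilder::TCPService *tcpservice;
    libfwbuilder::TagService *tagservice;
    libfwbuilder::UserService *userservice;

private slots:
    void initTestCase();
    void testObjectGroup();
    void testServiceGroup();

public slots:
    void checkMessageBox();
    void checkNoMessageBox();
    void checkObjectGroupMenu();
    void checkObjectServiceGroupMenu();
};

#endif // GROUPOBJECTDIALOGTEST_H
fwbuilder-5.3.7/src/unit_tests/GroupObjectDialogTest/GroupObjectDialogTest.pro000066400000000000000000000003041303637203600276310ustar00rootroot00000000000000
include(../tests_common.pri)
QT += testlib network gui
TARGET = GroupObjectDialogTest
SOURCES += main_GroupObjectDialogTest.cpp \
    GroupObjectDialogTest.cpp
HEADERS += GroupObjectDialogTest.h
fwbuilder-5.3.7/src/unit_tests/GroupObjectDialogTest/main_GroupObjectDialogTest.cpp000066400000000000000000000033201303637203600306200ustar00rootroot00000000000000
/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_GroupObjectDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.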
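To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "GroupObjectDialogTest.h"
// NOTE(review): the next two #include directives lost their <header> targets in extraction.
#include
#include
#include "FWWindow.h"
#include "FWBSettings.h"
#include "FWBApplication.h"

using namespace std;
using namespace libfwbuilder;

int fwbdebug = 0;
FWWindow *mw = NULL;
FWBSettings *st = NULL;
FWBApplication *app = NULL;
int sig = FWB_SIG;

extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st);

/*
 * Test driver: builds the application, runs GroupObjectDialogTest and
 * removes the scratch file. The QTest::qExec() status is returned so a
 * failing test produces a non-zero exit code; previously it was dropped
 * and the process always exited 0.
 */
int main(int argc, char** argv)
{
    app = new FWBApplication(argc, argv);
    app->setOrganizationName(QLatin1String("NetCitadel"));
    app->setApplicationName(QLatin1String("Firewall Builder"));
    build_app(argc, argv, &app, &st);

    int rc = QTest::qExec(new GroupObjectDialogTest());

    if (QFile::exists("test_work.fwb"))
        QFile::remove("test_work.fwb");

    return rc;
}
fwbuilder-5.3.7/src/unit_tests/ICMP6ServiceDialogTest/000077500000000000000000000000001303637203600226235ustar00rootroot00000000000000
fwbuilder-5.3.7/src/unit_tests/ICMP6ServiceDialogTest/ICMP6ServiceDialogTest.cpp000066400000000000000000000103451303637203600274510ustar00rootroot00000000000000
/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: ICMPServiceDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.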
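To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "ICMP6ServiceDialogTest.h"
#include "../../../../config.h"
//#include "../../global.h"
// NOTE(review): the twelve system/Qt #include directives below lost their
// <header> targets when this listing was extracted.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "FWWindow.h"
#include "ProjectPanel.h"
#include "ObjectTreeView.h"
#include "ObjectTreeViewItem.h"
#include "ObjectEditor.h"
#include "FWObjectClipboard.h"
#include "TextEditWidget.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "FWBTree.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "StartTipDialog.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Interface.h"
#include "IPServiceDialog.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMP6Service.h"
#include "ICMPServiceDialog.h"

using namespace std;
using namespace libfwbuilder;

/*
 * Fixture setup: builds the main window, dismisses the start-up tip and
 * resolves the ObjectManipulator used by testDialog().
 */
void ICMP6ServiceDialogTest::initTestCase()
{
    new FWObjectClipboard();
    mw = new FWWindow();
    mw->show();
    mw->startupLoad();

    StartTipDialog *d = mw->findChild<StartTipDialog*>();
    if (d != NULL) d->close();

    om = dynamic_cast<ObjectManipulator*>(
        mw->getCurrentObjectTree()->parent()->parent());
    QVERIFY2(om != NULL, "could not locate ObjectManipulator above the object tree");
    QTest::qWait(1000);
}

/* Returns the library named "User", or NULL when it does not exist. */
Library* ICMP6ServiceDialogTest::findUserLibrary()
{
    Library *lib = NULL;
    foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME))
    {
        if (obj->getName() == "User")
        {
            lib = Library::cast(obj);
            break;
        }
    }
    return lib;
}

/*
 * Creates an ICMP6Service, opens it in the (shared) ICMPServiceDialog and
 * checks that name, comment, type and code edits reach the object. The
 * spin boxes are driven with Key_Up so that the 0..255 clamp is exercised:
 * 52 presses from a cleared box must read back 50, 210 more must stop at 255.
 * All widgets are verified non-NULL before use.
 */
void ICMP6ServiceDialogTest::testDialog()
{
    ICMP6Service *service = ICMP6Service::cast(
        om->createObject(
            FWBTree().getStandardSlotForObject(findUserLibrary(), ICMP6Service::TYPENAME),
            ICMP6Service::TYPENAME, "testICMP6Service"));
    QVERIFY2(service != NULL, "createObject did not return an ICMP6Service");
    om->editObject(service);

    ICMPServiceDialog *dialog = mw->findChild<ICMPServiceDialog*>("w_ICMP6ServiceDialog");
    QVERIFY(dialog != NULL);

    QLineEdit *obj_name = dialog->findChild<QLineEdit*>("obj_name");
    QSpinBox *type = dialog->findChild<QSpinBox*>("icmpType");
    QSpinBox *code = dialog->findChild<QSpinBox*>("icmpCode");
    TextEditWidget *comment = dialog->findChild<TextEditWidget*>("comment");
    QVERIFY(obj_name != NULL);
    QVERIFY(type != NULL);
    QVERIFY(code != NULL);
    QVERIFY(comment != NULL);

    obj_name->clear();
    QTest::keyClicks(obj_name, "TestICMPService");
    QTest::keyClick(obj_name, Qt::Key_Enter);
    QVERIFY(service->getName() == "TestICMPService");

    comment->clear();
    QTest::mouseClick(comment, Qt::LeftButton);
    QTest::keyClicks(comment, "Test comment");
    QTest::mouseClick(comment, Qt::LeftButton);
    QTest::keyClick(comment, Qt::Key_Tab);
    QTest::qWait(100);
    QVERIFY (service->getComment() == "Test comment");

    type->clear();
    for (int i = 0; i < 52; i++) QTest::keyClick(type, Qt::Key_Up);
    QTest::keyClick(type, Qt::Key_Enter);
    QVERIFY(service->getInt("type") == 50);
    for (int i = 0; i < 210; i++) QTest::keyClick(type, Qt::Key_Up);
    QTest::keyClick(type, Qt::Key_Enter);
    QVERIFY(service->getInt("type") == 255);

    // Enter is sent to the code spin box, the widget actually being edited;
    // the original pressed Enter on `type` here (copy-paste from the block above).
    code->clear();
    for (int i = 0; i < 52; i++) QTest::keyClick(code, Qt::Key_Up);
    QTest::keyClick(code, Qt::Key_Enter);
    QVERIFY(service->getInt("code") == 50);
    for (int i = 0; i < 210; i++) QTest::keyClick(code, Qt::Key_Up);
    QTest::keyClick(code, Qt::Key_Enter);
    QVERIFY(service->getInt("code") == 255);
}
fwbuilder-5.3.7/src/unit_tests/ICMP6ServiceDialogTest/ICMP6ServiceDialogTest.h000066400000000000000000000024221303637203600271130ustar00rootroot00000000000000
/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: ICMP6ServiceDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.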
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#ifndef ICMP6ServiceDialogTest_H
#define ICMP6ServiceDialogTest_H

// NOTE(review): the first #include lost its <header> target in extraction.
#include
#include "ObjectManipulator.h"
#include "fwbuilder/Library.h"

/*
 * QtTest fixture for the ICMPv6 service dialog (ICMP6ServiceDialogTest.cpp):
 * initTestCase() builds the GUI, testDialog() edits name, comment, type and
 * code through the dialog and checks the object.
 */
class ICMP6ServiceDialogTest : public QObject
{
    Q_OBJECT

    libfwbuilder::Library* findUserLibrary();

    ObjectManipulator *om;   // set in initTestCase()

private slots:
    void initTestCase();
    void testDialog();
};

#endif // ICMP6ServiceDialogTest_H
fwbuilder-5.3.7/src/unit_tests/ICMP6ServiceDialogTest/ICMP6ServiceDialogTest.pro000066400000000000000000000003101303637203600274600ustar00rootroot00000000000000
include(../tests_common.pri)
QT += testlib network gui
TARGET = ICMP6ServiceDialogTest
SOURCES += main_ICMP6ServiceDialogTest.cpp \
    ICMP6ServiceDialogTest.cpp
HEADERS += ICMP6ServiceDialogTest.h
fwbuilder-5.3.7/src/unit_tests/ICMP6ServiceDialogTest/main_ICMP6ServiceDialogTest.cpp000066400000000000000000000033111303637203600304500ustar00rootroot00000000000000
/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
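To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "ICMP6ServiceDialogTest.h"
// NOTE(review): the next two #include directives lost their <header> targets in extraction.
#include
#include
#include "FWWindow.h"
#include "FWBSettings.h"
#include "FWBApplication.h"

using namespace std;
using namespace libfwbuilder;

int fwbdebug = 0;
FWWindow *mw = NULL;
FWBSettings *st = NULL;
FWBApplication *app = NULL;
int sig = FWB_SIG;

extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st);

/*
 * Test driver: builds the application, runs ICMP6ServiceDialogTest and
 * removes the scratch file. The QTest::qExec() status is returned so a
 * failing test produces a non-zero exit code; previously it was dropped
 * and the process always exited 0.
 */
int main(int argc, char** argv)
{
    app = new FWBApplication(argc, argv);
    app->setOrganizationName(QLatin1String("NetCitadel"));
    app->setApplicationName(QLatin1String("Firewall Builder"));
    build_app(argc, argv, &app, &st);

    int rc = QTest::qExec(new ICMP6ServiceDialogTest());

    if (QFile::exists("test_work.fwb"))
        QFile::remove("test_work.fwb");

    return rc;
}
fwbuilder-5.3.7/src/unit_tests/ICMPServiceDialogTest/000077500000000000000000000000001303637203600225355ustar00rootroot00000000000000
fwbuilder-5.3.7/src/unit_tests/ICMPServiceDialogTest/ICMPServiceDialogTest.cpp000066400000000000000000000103751303637203600273000ustar00rootroot00000000000000
/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: ICMPServiceDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.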
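To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include "ICMPServiceDialogTest.h"
#include "../../../../config.h"
//#include "../../global.h"
// NOTE(review): the twelve system/Qt #include directives below lost their
// <header> targets when this listing was extracted.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "FWWindow.h"
#include "ProjectPanel.h"
#include "ObjectTreeView.h"
#include "ObjectTreeViewItem.h"
#include "ObjectEditor.h"
#include "FWObjectClipboard.h"
#include "TextEditWidget.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "FWBTree.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "ICMPServiceDialogTest.h"
#include "StartTipDialog.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Interface.h"
#include "IPServiceDialog.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "ICMPServiceDialog.h"

using namespace std;
using namespace libfwbuilder;

/*
 * Fixture setup: builds the main window, dismisses the start-up tip and
 * resolves the ObjectManipulator used by testDialog().
 */
void ICMPServiceDialogTest::initTestCase()
{
    new FWObjectClipboard();
    mw = new FWWindow();
    mw->show();
    mw->startupLoad();

    StartTipDialog *d = mw->findChild<StartTipDialog*>();
    if (d != NULL) d->close();

    om = dynamic_cast<ObjectManipulator*>(
        mw->getCurrentObjectTree()->parent()->parent());
    QVERIFY2(om != NULL, "could not locate ObjectManipulator above the object tree");
    QTest::qWait(1000);
}

/* Returns the library named "User", or NULL when it does not exist. */
Library* ICMPServiceDialogTest::findUserLibrary()
{
    Library *lib = NULL;
    foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME))
    {
        if (obj->getName() == "User")
        {
            lib = Library::cast(obj);
            break;
        }
    }
    return lib;
}

/*
 * Creates an ICMPService, opens it in ICMPServiceDialog and checks that
 * name, comment, type and code edits reach the object. The spin boxes are
 * driven with Key_Up so that the 0..255 clamp is exercised: 52 presses
 * from a cleared box must read back 50, 210 more must stop at 255.
 * All widgets are verified non-NULL before use.
 */
void ICMPServiceDialogTest::testDialog()
{
    ICMPService *service = ICMPService::cast(
        om->createObject(
            FWBTree().getStandardSlotForObject(findUserLibrary(), ICMPService::TYPENAME),
            ICMPService::TYPENAME, "testICMPService"));
    QVERIFY2(service != NULL, "createObject did not return an ICMPService");
    om->editObject(service);

    ICMPServiceDialog *dialog = mw->findChild<ICMPServiceDialog*>("w_ICMPServiceDialog");
    QVERIFY(dialog != NULL);

    QLineEdit *obj_name = dialog->findChild<QLineEdit*>("obj_name");
    QSpinBox *type = dialog->findChild<QSpinBox*>("icmpType");
    QSpinBox *code = dialog->findChild<QSpinBox*>("icmpCode");
    TextEditWidget *comment = dialog->findChild<TextEditWidget*>("comment");
    QVERIFY(obj_name != NULL);
    QVERIFY(type != NULL);
    QVERIFY(code != NULL);
    QVERIFY(comment != NULL);

    obj_name->clear();
    QTest::keyClicks(obj_name, "TestICMPService");
    QTest::keyClick(obj_name, Qt::Key_Enter);
    QVERIFY(service->getName() == "TestICMPService");

    comment->clear();
    QTest::mouseClick(comment, Qt::LeftButton);
    QTest::keyClicks(comment, "Test comment");
    QTest::mouseClick(comment, Qt::LeftButton);
    QTest::keyClick(comment, Qt::Key_Tab);
    QTest::qWait(100);
    QVERIFY (service->getComment() == "Test comment");

    type->clear();
    for (int i = 0; i < 52; i++) QTest::keyClick(type, Qt::Key_Up);
    QTest::keyClick(type, Qt::Key_Enter);
    QVERIFY(service->getInt("type") == 50);
    for (int i = 0; i < 210; i++) QTest::keyClick(type, Qt::Key_Up);
    QTest::keyClick(type, Qt::Key_Enter);
    QVERIFY(service->getInt("type") == 255);

    // Enter is sent to the code spin box, the widget actually being edited;
    // the original pressed Enter on `type` here (copy-paste from the block above).
    code->clear();
    for (int i = 0; i < 52; i++) QTest::keyClick(code, Qt::Key_Up);
    QTest::keyClick(code, Qt::Key_Enter);
    QVERIFY(service->getInt("code") == 50);
    for (int i = 0; i < 210; i++) QTest::keyClick(code, Qt::Key_Up);
    QTest::keyClick(code, Qt::Key_Enter);
    QVERIFY(service->getInt("code") == 255);
}
fwbuilder-5.3.7/src/unit_tests/ICMPServiceDialogTest/ICMPServiceDialogTest.h000066400000000000000000000024151303637203600267410ustar00rootroot00000000000000
/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: ICMPServiceDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.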
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef ICMPServiceDialogTest_H #define ICMPServiceDialogTest_H #include #include "ObjectManipulator.h" #include "fwbuilder/Library.h" class ICMPServiceDialogTest : public QObject { Q_OBJECT libfwbuilder::Library* findUserLibrary(); ObjectManipulator *om; private slots: void initTestCase(); void testDialog(); }; #endif // ICMPServiceDialogTest_H fwbuilder-5.3.7/src/unit_tests/ICMPServiceDialogTest/ICMPServiceDialogTest.pro000066400000000000000000000003041303637203600273050ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = ICMPServiceDialogTest SOURCES += main_ICMPServiceDialogTest.cpp \ ICMPServiceDialogTest.cpp HEADERS += ICMPServiceDialogTest.h fwbuilder-5.3.7/src/unit_tests/ICMPServiceDialogTest/main_ICMPServiceDialogTest.cpp000066400000000000000000000033071303637203600303010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ICMPServiceDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new ICMPServiceDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/IPDialogTest/000077500000000000000000000000001303637203600207745ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/IPDialogTest/IPDialogTest.cpp000066400000000000000000000216451303637203600240000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "IPDialogTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWObjectClipboard.h" #include "TextEditWidget.h" #include "fwbuilder/Address.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObjectDatabase.h" #include "IPDialogTest.h" #include "StartTipDialog.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; void IPDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->startupLoad(); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); QTest::qWait(1000); } void IPDialogTest::checkMessageBox() { QVERIFY(app->activeModalWidget()->metaObject()->className() == QMessageBox().metaObject()->className()); QTimer::singleShot(10, app->activeModalWidget(), SLOT(reject())); QVERIFY(dynamic_cast(app->activeModalWidget())->text().contains("300.300.300.300") || dynamic_cast(app->activeModalWidget())->text().contains("foo:345:1") || dynamic_cast(app->activeModalWidget())->text().contains("145") ); } void IPDialogTest::checkNoMessageBox() { foreach(QWidget *w, app->topLevelWidgets()) QVERIFY(w->metaObject()->className() != QMessageBox().metaObject()->className()); } void setLineEditText(QLineEdit *line, QString text) { line->clear(); QTest::keyClicks(line, text); QTest::keyClick(line, Qt::Key_Enter); } void IPDialogTest::testIPv4Dialog() { ObjectManipulator *om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); Library 
*lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } IPv4 *addrobj = IPv4::cast(om->createObject(FWBTree().getStandardSlotForObject(lib, IPv4::TYPENAME), IPv4::TYPENAME, "testAddress")); QTest::qWait(100); om->editObject(addrobj); QLineEdit *name, *addr, *mask; TextEditWidget *comment; QWidget *ipv4dialog = mw->findChild("w_IPv4Dialog"); name = ipv4dialog->findChild("obj_name"); addr = ipv4dialog->findChild("address"); mask = ipv4dialog->findChild("netmask"); comment = ipv4dialog->parent()->findChild("comment"); // test1 qDebug() << "test1"; QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(name, "testNetwork"); QTest::qWait(300); QVERIFY (addrobj->getName() == "testNetwork"); QTest::qWait(100); comment->clear(); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "Test comment"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClick(comment, Qt::Key_Tab); QTest::qWait(100); QVERIFY (addrobj->getComment() == "Test comment"); QTest::qWait(100); //test2 qDebug() << "test2"; QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(addr, "192.0.2.1"); QTest::qWait(300); QVERIFY (addrobj->getAddressPtr()->toString() == "192.0.2.1"); //test3 qDebug() << "test3"; QTimer::singleShot(300, this, SLOT(checkMessageBox())); setLineEditText(addr, "300.300.300.300"); QTest::qWait(400); QVERIFY (addrobj->getAddressPtr()->toString() == "192.0.2.1"); //test4 qDebug() << "test4"; Firewall *fw = Firewall::cast(om->createObject(FWBTree().getStandardSlotForObject(lib, Firewall::TYPENAME), Firewall::TYPENAME, "newFirewall")); Interface *intf = Interface::cast(om->createObject(fw, Interface::TYPENAME, "newInterface")); IPv4 *addr2obj = IPv4::cast(om->createObject(intf, IPv4::TYPENAME, "newAddress")); QTest::qWait(100); QTest::qWait(500); QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(addr, "192.0.2.1"); 
QTest::qWait(300); QVERIFY (addr2obj->getAddressPtr()->toString() == "192.0.2.1"); QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(mask, "255.255.0.0"); QTest::qWait(300); QVERIFY (addr2obj->getNetmaskPtr()->toString() == "255.255.0.0"); QTimer::singleShot(300, this, SLOT(checkMessageBox())); setLineEditText(addr, "300.300.300.300"); QTest::qWait(400); QVERIFY (addr2obj->getAddressPtr()->toString() == "192.0.2.1"); QTest::qWait(100); QTimer::singleShot(300, this, SLOT(checkMessageBox())); setLineEditText(mask, "300.300.300.300"); QTest::qWait(400); QVERIFY (addr2obj->getNetmaskPtr()->toString() == "255.255.0.0"); } void IPDialogTest::testIPv6Dialog() { ObjectManipulator *om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); Library *lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } QLineEdit *name, *addr, *mask; TextEditWidget *comment; QWidget *ipv6dialog = mw->findChild("w_IPv6Dialog"); name = ipv6dialog->findChild("obj_name"); addr = ipv6dialog->findChild("address"); mask = ipv6dialog->findChild("netmask"); comment = ipv6dialog->parent()->findChild("comment"); //test5 qDebug() << "test5"; IPv6 *addrobj = IPv6::cast(om->createObject(FWBTree().getStandardSlotForObject(lib, IPv6::TYPENAME), IPv6::TYPENAME, "testAddress6")); om->editObject(addrobj); setLineEditText(name, "testNetwork6"); QVERIFY (addrobj->getName() == "testNetwork6"); QTest::qWait(300); comment->clear(); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "Test comment"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClick(comment, Qt::Key_Tab); QTest::qWait(100); QVERIFY (addrobj->getComment() == "Test comment"); QTest::qWait(100); QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(addr, "2001:db8:1:1::1"); QTest::qWait(300); QVERIFY (libfwbuilder::IPv6::cast(addrobj)->getAddressPtr()->toString() == 
"2001:db8:1:1::1"); //test6 qDebug() << "test6"; QTimer::singleShot(300, this, SLOT(checkMessageBox())); setLineEditText(addr, "foo:345:1"); QTest::qWait(400); QVERIFY (libfwbuilder::IPv6::cast(addrobj)->getAddressPtr()->toString() == "2001:db8:1:1::1"); //test7 qDebug() << "test7"; Interface *intf = Interface::cast(dynamic_cast(mw->getCurrentObjectTree()->findItems("newInterface", Qt::MatchExactly | Qt::MatchRecursive, 0).first())->getFWObject()); IPv6 *addr62obj = IPv6::cast(om->createObject(intf, IPv6::TYPENAME, "newAddress2")); QTest::qWait(100); QTest::qWait(500); setLineEditText(addr, "2001:db8:1:1::1"); QVERIFY (addr62obj->getAddressPtr()->toString() == "2001:db8:1:1::1"); QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(mask, "120"); QTest::qWait(300); QVERIFY (addr62obj->getNetmaskPtr()->toString() == "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00"); QTimer::singleShot(300, this, SLOT(checkMessageBox())); setLineEditText(addr, "foo:345:1"); QVERIFY (addr62obj->getAddressPtr()->toString() == "2001:db8:1:1::1"); QTest::qWait(300); QTimer::singleShot(300, this, SLOT(checkMessageBox())); setLineEditText(mask, "145"); QTest::qWait(400); QVERIFY (addr62obj->getNetmaskPtr()->toString() == "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00"); QTest::qWait(100); } fwbuilder-5.3.7/src/unit_tests/IPDialogTest/IPDialogTest.h000066400000000000000000000023011303637203600234310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: IPDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef IPDIALOGTEST_H #define IPDIALOGTEST_H #include class IPDialogTest : public QObject { Q_OBJECT private slots: void initTestCase(); void testIPv4Dialog(); void testIPv6Dialog(); public slots: void checkMessageBox(); void checkNoMessageBox(); }; #endif // IPDIALOGTEST_H fwbuilder-5.3.7/src/unit_tests/IPDialogTest/IPDialogTest.pro000066400000000000000000000002401303637203600240020ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = IPDialogTest SOURCES += main_IPDialogTest.cpp \ IPDialogTest.cpp HEADERS += IPDialogTest.h fwbuilder-5.3.7/src/unit_tests/IPDialogTest/main_IPDialogTest.cpp000066400000000000000000000032641303637203600250010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "IPDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new IPDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/IPServiceDialogTest/000077500000000000000000000000001303637203600223155ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/IPServiceDialogTest/IPServiceDialogTest.cpp000066400000000000000000000221201303637203600266270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: IPServiceDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "IPServiceDialogTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWObjectClipboard.h" #include "TextEditWidget.h" #include "fwbuilder/Address.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObjectDatabase.h" #include "IPServiceDialogTest.h" #include "StartTipDialog.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "IPServiceDialog.h" #include "fwbuilder/IPService.h" using namespace std; using namespace libfwbuilder; void IPServiceDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->resize(QSize(1200,600)); mw->startupLoad(); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); QTest::qWait(1000); } Library* IPServiceDialogTest::findUserLibrary() { Library *lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } void IPServiceDialogTest::testIpOptions() { IPService *service = IPService::cast( om->createObject( FWBTree().getStandardSlotForObject( findUserLibrary(), IPService::TYPENAME), IPService::TYPENAME, "testIPService-1")); om->editObject(service); IPServiceDialog *dialog = mw->findChild("w_IPServiceDialog"); QLineEdit *obj_name = dialog->findChild("obj_name"); QSpinBox *protocolNum = dialog->findChild("protocolNum"); TextEditWidget *comment = dialog->findChild("comment"); //options: QCheckBox *any_opt = 
dialog->findChild("any_opt"); QCheckBox *lsrr = dialog->findChild("lsrr"); QCheckBox *ssrr = dialog->findChild("ssrr"); QCheckBox *rr = dialog->findChild("rr"); QCheckBox *timestamp = dialog->findChild("timestamp"); QCheckBox *router_alert = dialog->findChild("router_alert"); QCheckBox *all_fragm = dialog->findChild("all_fragments"); QCheckBox *short_fragm = dialog->findChild("short_fragments"); obj_name->clear(); QTest::keyClicks(obj_name, "TestIPService"); QTest::keyClick(obj_name, Qt::Key_Enter); QVERIFY(service->getName() == "TestIPService"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "test comment"); QTest::mouseClick(obj_name, Qt::LeftButton); QVERIFY(service->getComment() == "test comment"); QTest::keyClick(protocolNum, Qt::Key_Up); QTest::keyClick(protocolNum, Qt::Key_Up); QTest::keyClick(protocolNum, Qt::Key_Enter); QVERIFY(service->getProtocolNumber() == 2); QTest::mouseClick(lsrr, Qt::LeftButton, Qt::NoModifier, QPoint(8,8)); QVERIFY(service->getBool("lsrr") == true); QTest::mouseClick(lsrr, Qt::LeftButton); QVERIFY(service->getBool("lsrr") == false); QTest::mouseClick(ssrr, Qt::LeftButton); QVERIFY(service->getBool("ssrr") == true); QTest::mouseClick(ssrr, Qt::LeftButton); QVERIFY(service->getBool("ssrr") == false); QTest::mouseClick(rr, Qt::LeftButton); QVERIFY(service->getBool("rr") == true); QTest::mouseClick(rr, Qt::LeftButton); QVERIFY(service->getBool("rr") == false); // Have to expicitly specify position for the click; if not, mouseClick() // does not change checkbox state. This could be because the text // of this checkbox widget is shorter than in the others and clicking // in the center of the widget misses the text. Looks like clicking // outside the text of the checkbox does not switch it. 
QTest::mouseClick(timestamp, Qt::LeftButton, Qt::NoModifier, QPoint(8,8)); QVERIFY(service->getBool("ts") == true); QTest::mouseClick(timestamp, Qt::LeftButton, Qt::NoModifier, QPoint(8,8)); QVERIFY(service->getBool("ts") == false); QTest::mouseClick(router_alert, Qt::LeftButton); QVERIFY(service->getBool("rtralt") == true); QTest::mouseClick(router_alert, Qt::LeftButton); QVERIFY(service->getBool("rtralt") == false); QTest::mouseClick(all_fragm, Qt::LeftButton); QVERIFY(service->getBool("fragm") == true); QTest::mouseClick(all_fragm, Qt::LeftButton); QVERIFY(service->getBool("fragm") == false); QTest::mouseClick(short_fragm, Qt::LeftButton); QVERIFY(service->getBool("short_fragm") == true); QTest::mouseClick(short_fragm, Qt::LeftButton); QVERIFY(service->getBool("short_fragm") == false); QTest::mouseClick(any_opt, Qt::LeftButton); QVERIFY(service->getBool("any_opt") == true); QTest::mouseClick(any_opt, Qt::LeftButton); QVERIFY(service->getBool("any_opt") == false); } void IPServiceDialogTest::testAnyOpt() { IPService *service = IPService::cast( om->createObject( FWBTree().getStandardSlotForObject( findUserLibrary(), IPService::TYPENAME), IPService::TYPENAME, "testIPService-2")); om->editObject(service); IPServiceDialog *dialog = mw->findChild("w_IPServiceDialog"); //options: QCheckBox *any_opt = dialog->findChild("any_opt"); QCheckBox *lsrr = dialog->findChild("lsrr"); QCheckBox *ssrr = dialog->findChild("ssrr"); QCheckBox *rr = dialog->findChild("rr"); QCheckBox *timestamp = dialog->findChild("timestamp"); QCheckBox *router_alert = dialog->findChild("router_alert"); QTest::mouseClick(lsrr, Qt::LeftButton); QTest::mouseClick(ssrr, Qt::LeftButton); QTest::mouseClick(rr, Qt::LeftButton); QTest::mouseClick(timestamp, Qt::LeftButton); QTest::mouseClick(router_alert, Qt::LeftButton); QTest::mouseClick(any_opt, Qt::LeftButton); QVERIFY(service->getBool("any_opt") == true); QVERIFY(service->getBool("lsrr") == false); QVERIFY(service->getBool("ssrr") == false); 
QVERIFY(service->getBool("rr") == false); QVERIFY(service->getBool("ts") == false); QVERIFY(service->getBool("rtralt") == false); } void IPServiceDialogTest::testTOS() { IPService *service = IPService::cast( om->createObject( FWBTree().getStandardSlotForObject( findUserLibrary(), IPService::TYPENAME), IPService::TYPENAME, "testIPService-3")); om->editObject(service); IPServiceDialog *dialog = mw->findChild("w_IPServiceDialog"); QRadioButton *use_tos = dialog->findChild("use_tos"); QLineEdit *code = dialog->findChild("code"); QTest::mouseClick(use_tos, Qt::LeftButton); QLabel *code_label = dialog->findChild("code_label"); QVERIFY(code_label->text() == tr("TOS code (numeric):")); QTest::keyClicks(code, "10"); QTest::keyClick(code, Qt::Key_Enter); QVERIFY(service->getTOSCode() == "10"); } void IPServiceDialogTest::testDSCP() { IPService *service = IPService::cast( om->createObject( FWBTree().getStandardSlotForObject( findUserLibrary(), IPService::TYPENAME), IPService::TYPENAME, "testIPService-4")); om->editObject(service); IPServiceDialog *dialog = mw->findChild("w_IPServiceDialog"); QRadioButton *use_dscp = dialog->findChild("use_dscp"); QLineEdit *code = dialog->findChild("code"); QTest::mouseClick(use_dscp, Qt::LeftButton); QLabel *code_label = dialog->findChild("code_label"); QVERIFY(code_label->text() == tr("DSCP code or class:")); QTest::keyClicks(code, "af4"); QTest::keyClick(code, Qt::Key_Enter); QVERIFY(service->getDSCPCode() == "af4"); } fwbuilder-5.3.7/src/unit_tests/IPServiceDialogTest/IPServiceDialogTest.h000066400000000000000000000025101303637203600262750ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: IPServiceDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef IPServiceDialogTest_H #define IPServiceDialogTest_H #include #include "ObjectManipulator.h" #include "fwbuilder/Library.h" class IPServiceDialogTest : public QObject { Q_OBJECT libfwbuilder::Library* findUserLibrary(); ObjectManipulator *om; private slots: void initTestCase(); void testIpOptions(); void testAnyOpt(); void testTOS(); void testDSCP(); }; #endif // IPServiceDialogTest_H fwbuilder-5.3.7/src/unit_tests/IPServiceDialogTest/IPServiceDialogTest.pro000066400000000000000000000002741303637203600266530ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = IPServiceDialogTest SOURCES += main_IPServiceDialogTest.cpp \ IPServiceDialogTest.cpp HEADERS += IPServiceDialogTest.h fwbuilder-5.3.7/src/unit_tests/IPServiceDialogTest/main_IPServiceDialogTest.cpp000066400000000000000000000033021303637203600276340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "IPServiceDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new IPServiceDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/ImporterTest/000077500000000000000000000000001303637203600211455ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/ImporterTest/.gitignore000066400000000000000000000000271303637203600231340ustar00rootroot00000000000000*.fwb !test_data/*.fwb fwbuilder-5.3.7/src/unit_tests/ImporterTest/ImporterTest.cpp000066400000000000000000000234741303637203600243240ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ImporterTest.h" #include "config.h" #include "global.h" #include #include #include #include #include #include #include "Importer.h" #include "IOSImporter.h" #include "IPTImporter.h" #include "FWBTree.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include "fwbuilder/TagService.h" #include "fwbuilder/Constants.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; extern string platform; const char* iptables_sample = "# Generated by iptables-save %VERSION% on Mon Apr 11 15:50:58 2011\n" "*filter\n" ":INPUT ACCEPT [0:0]\n" ":FORWARD ACCEPT [0:0]\n" ":OUTPUT ACCEPT [0:0]\n" ":CHAIN-1-INPUT - [0:0]\n" "-A INPUT -j CHAIN-1-INPUT \n" "-A FORWARD -j CHAIN-1-INPUT \n" "-A CHAIN-1-INPUT -j ACCEPT \n" "COMMIT\n" "# Completed on Mon Apr 11 15:50:58 2011\n"; extern QString findBestVersionMatch(const QString &platform, const QString &discovered_version); class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string &) const { return false; } }; void ImporterTest::setUp() { //init(); FWBTree *tree = new FWBTree(); /* create database */ db = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; db->setReadOnly( false ); db->load( Constants::getStandardObjectsFilePath(), &upgrade_predicate, Constants::getDTDDirectory()); db->setFileName(""); lib = Library::cast(tree->createNewLibrary(db)); lib->setName("User"); logger = new QueueLogger(); // this makes the test compile and link. 
There is a problem with // dependencies, the test depends on libimport.a and additionally, // PIXImporter.cpp depends on this function that is implemented in // platforms.cpp in libgui.a; however since libgui.a comes before // libimport.a in linker command line, this function does not get // pulled since it is not used anywhere except by this test module // and so linking fails. Making this call creates dependency and // pulls this function at linking time before libimport.a and its // dependencies are considered QString version = findBestVersionMatch("pix", "7.0"); } void ImporterTest::compareResults(QueueLogger* logger, QString expected_result_file_name, QString obtained_result_file_name) { QString result; QStringList obtained_result; while (logger->ready()) result.append(logger->getLine().c_str()); obtained_result = result.split("\n"); QFile rw(obtained_result_file_name); rw.open(QFile::WriteOnly); rw.write(result.toAscii()); rw.close(); QFile rr(expected_result_file_name); rr.open(QFile::ReadOnly); QString result_file = rr.readAll(); QStringList expected_result = result_file.split("\n"); CPPUNIT_ASSERT_MESSAGE( QString( "Sizes of the generated importer output and test files are different.\n" "Expected: %1 (%2)\n" "Obtained: %3 (%4)\n" "diff -u %1 %3 | less -S") .arg(expected_result_file_name).arg(expected_result.size()) .arg(obtained_result_file_name).arg(obtained_result.size()).toStdString(), expected_result.size() == obtained_result.size()); int max_idx = max(expected_result.size(), obtained_result.size()); for (int i=0; i < max_idx; ++i) { QString err = QString("%1:%2:\nExpected: '%3'\nResult: '%4'\n") .arg(expected_result_file_name) .arg(i) .arg(expected_result[i]) .arg(obtained_result[i]); CPPUNIT_ASSERT_MESSAGE( err.toStdString(), obtained_result[i] == expected_result[i]); } } void ImporterTest::compareFwbFiles(QString expected_result_file_name, QString obtained_result_file_name) { QString result; QStringList obtained_result; QFile 
rr(obtained_result_file_name); rr.open(QFile::ReadOnly); QString result_file = rr.readAll(); rr.close(); obtained_result = result_file.split("\n"); QFile er(expected_result_file_name); er.open(QFile::ReadOnly); result_file = er.readAll(); er.close(); QStringList expected_result = result_file.split("\n"); // find all lastModified attributes and replace them with identical values // because they are always going to be different QString err("Sizes of the generated .fwb and test files are different: \n" "Expected: %1 (%2)\n" "Obtained: %3 (%4)\n" "diff -u %1 %3 | less -S"); CPPUNIT_ASSERT_MESSAGE( err .arg(expected_result_file_name).arg(expected_result.size()) .arg(obtained_result_file_name).arg(obtained_result.size()) .toStdString(), expected_result.size() == obtained_result.size()); QRegExp last_mod_re("lastModified=\"\\d+\""); int max_idx = max(expected_result.size(), obtained_result.size()); for (int i=0; i < max_idx; ++i) { QString os = obtained_result[i]; obtained_result[i] = os.replace(last_mod_re, "lastModified=\"0000000000\""); QString es = expected_result[i]; expected_result[i] = es.replace(last_mod_re, "lastModified=\"0000000000\""); } for (int i=0; i < max_idx; ++i) { QString err = QString("%1:%2:\nExpected: '%3'\nResult: '%4'\n") .arg(expected_result_file_name) .arg(i) .arg(expected_result[i]) .arg(obtained_result[i]); CPPUNIT_ASSERT_MESSAGE( err.toStdString(), obtained_result[i] == expected_result[i]); } } void ImporterTest::IOSImporterTest() { platform = "iosacl"; QFile f("test_data/ios.test"); f.open(QFile::ReadOnly); string buffer = QString(f.readAll()).toStdString(); f.close(); std::istringstream instream(buffer); Importer* imp = new IOSImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("ios.fwb"); compareFwbFiles("test_data/ios.fwb", "ios.fwb"); compareResults(logger, "test_data/ios.output", "ios.output"); } void 
ImporterTest::IPTImporterTest() { platform = "iptables"; QFile f("test_data/ipt.test"); f.open(QFile::ReadOnly); string buffer = QString(f.readAll()).toStdString(); f.close(); std::istringstream instream(buffer); Importer* imp = new IPTImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("ipt.fwb"); compareFwbFiles("test_data/ipt.fwb", "ipt.fwb"); compareResults(logger, "test_data/ipt.output", "ipt.output"); } void ImporterTest::IPTImporterNoNatTest() { platform = "iptables"; QFile f("test_data/ipt-no-nat.test"); f.open(QFile::ReadOnly); string buffer = QString(f.readAll()).toStdString(); f.close(); std::istringstream instream(buffer); Importer* imp = new IPTImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("ipt-no-nat.fwb"); compareFwbFiles("test_data/ipt-no-nat.fwb", "ipt-no-nat.fwb"); compareResults(logger, "test_data/ipt-no-nat.output", "ipt-no-nat.output"); } void ImporterTest::IPTImporterParseVersionsTest() { platform = "iptables"; QString iptables_save_file(iptables_sample); QStringList versions; versions << "v1.1.1" << "v1.1.1.1" << "v12.1.1" << "v12.1.1.1" << "v1.12.1" << "v1.12.1.1" << "v1.1.12" << "v1.1.12.1" << "v1.1.1.12" << "v1.2.1a"; foreach (QString v, versions) { QString file_name = QString("ipt-%1").arg(v); QString actual_iptables_save = iptables_save_file; actual_iptables_save.replace("%VERSION%", v); std::istringstream instream(actual_iptables_save.toStdString()); Importer* imp = new IPTImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); // db->setPredictableIds(); // db->saveFile(file_name.toStdString() + ".fwb"); // // no need to compare .fwb files, we do not recognize these // test version numbers anyway so 
version will be set to "any" // in all tests anyway // // compareFwbFiles(QString("test_data/%1.fwb").arg(file_name), // QString("%1.fwb").arg(file_name)); compareResults(logger, QString("test_data/%1.output").arg(file_name), QString("%1.output").arg(file_name)); } } fwbuilder-5.3.7/src/unit_tests/ImporterTest/ImporterTest.h000066400000000000000000000041101303637203600237530ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef IMPORTERTEST_H #define IMPORTERTEST_H #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Logger.h" #include #include #include class ImporterTest : public CppUnit::TestFixture { libfwbuilder::FWObjectDatabase *db; libfwbuilder::Library *lib; libfwbuilder::QueueLogger *logger; int predictable_id_tracker; std::map id_mapping; void compareResults(libfwbuilder::QueueLogger* logger, QString expected_result_file_name, QString obtained_result_file_name); void compareFwbFiles(QString expected_result_file_name, QString obtained_result_file_name); public: void setUp(); void IOSImporterTest(); void IPTImporterTest(); void IPTImporterNoNatTest(); void IPTImporterParseVersionsTest(); CPPUNIT_TEST_SUITE(ImporterTest); CPPUNIT_TEST(IOSImporterTest); CPPUNIT_TEST(IPTImporterTest); CPPUNIT_TEST(IPTImporterNoNatTest); CPPUNIT_TEST(IPTImporterParseVersionsTest); CPPUNIT_TEST_SUITE_END(); }; #endif // IMPORTERTEST_H fwbuilder-5.3.7/src/unit_tests/ImporterTest/ImporterTest.pro000066400000000000000000000002111303637203600243220ustar00rootroot00000000000000include(../tests_common.pri) TARGET = ImporterTest HEADERS += ImporterTest.h SOURCES += main_ImporterTest.cpp \ ImporterTest.cppfwbuilder-5.3.7/src/unit_tests/ImporterTest/main_ImporterTest.cpp000066400000000000000000000033151303637203600253200ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "ImporterTest.h" #include "fwbuilder/Resources.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" #include #include #include #include "../../../common/init.cpp" int fwbdebug = 0; //QString user_name; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; std::string platform; int main(int argc, char** argv) { QApplication app(argc, argv, false); init(argv); Resources res(Constants::getResourcesFilePath()); CppUnit::TextUi::TestRunner runner; runner.addTest( ImporterTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/000077500000000000000000000000001303637203600231155ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ios.fwb000066400000000000000000003057061303637203600244220ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ios.output000066400000000000000000000111061303637203600251700ustar00rootroot0000000000000010: Host name: "c3620" 106: New interface: FastEthernet0/0 107: Interface address: 192.168.100.100/255.255.255.0 108: Interface address: 10.3.14.201/255.255.255.0 109: Interface FastEthernet0/0 ruleset fe0_0_acl_in direction 'in' 110: 
Interface FastEthernet0/0 ruleset fe0_0_acl_out direction 'out' 115: New interface: Ethernet1/0 116: Interface comment: Test [ test ] { test } ( and one more test) / weird:characters#$%^&*/ 117: Interface address: 192.168.171.2/255.255.255.0 118: Interface Ethernet1/0 ruleset e1_0_acl_in direction 'in' 119: Interface Ethernet1/0 ruleset e1_0_acl_out direction 'out' 125: New interface: Serial1/0 131: New interface: Ethernet1/1 132: Interface address: 10.10.10.10/255.255.255.0 136: Interface Ethernet1/1 ruleset acl_133 direction 'in' 137: Interface Ethernet1/1 ruleset acl_133 direction 'out' 141: New interface: Ethernet1/2 142: Interface address: 10.10.20.20/255.255.255.0 147: Interface Ethernet1/2 ruleset acl_133 direction 'in' 148: Interface Ethernet1/2 ruleset acl_133 direction 'out' 152: New interface: ATM0 161: New interface: ATM0.1 161: Warning: point-to-point interfaces are not supported 162: Interface comment: $FW_OUTSIDE$$ES_WAN$ 165: Interface address: 10.0.0.1/255.255.255.252 194: access list rule: access list e1_0_acl_in, action deny 195: access list rule: access list e1_0_acl_in, action permit 196: access list rule: access list e1_0_acl_in, action permit 197: access list rule: access list e1_0_acl_in, action permit 198: access list rule: access list e1_0_acl_in, action deny 201: access list rule: access list e1_0_acl_out, action permit 202: access list rule: access list e1_0_acl_out, action deny 205: access list rule: access list fe0_0_acl_in, action permit 206: access list rule: access list fe0_0_acl_in, action permit 207: access list rule: access list fe0_0_acl_in, action permit 208: access list rule: access list fe0_0_acl_in, action deny 211: access list rule: access list fe0_0_acl_out, action permit 212: access list rule: access list fe0_0_acl_out, action deny 215: Rule comment: / / path1/path2/path3 216: Rule comment: access list comment 218: access list rule: access list outside, action permit 220: access list rule: access list outside, action 
permit 222: access list rule: access list outside, action permit 224: access list rule: access list outside, action permit 225: access list rule: access list outside, action deny 227: access list rule: access list outside, action permit 229: access list rule: access list outside, action permit 230: access list rule: access list outside, action permit 233: access list rule: access list outside, action deny 234: access list rule: access list outside, action deny 235: access list rule: access list outside, action deny 236: access list rule: access list outside, action deny 238: access list rule: access list outside, action permit 239: access list rule: access list outside, action permit 241: access list rule: access list outside, action permit 243: access list rule: access list outside, action permit 245: access list rule: access list outside, action permit 246: access list rule: access list outside, action permit 247: access list rule: access list outside, action permit 251: access list rule: access list outside, action permit 252: access list rule: access list outside, action permit 253: access list rule: access list outside, action permit 255: access list rule: access list outside, action permit 256: access list rule: access list outside, action deny 261: access list rule: access list tmp_acl, action permit 262: access list rule: access list tmp_acl, action deny 264: access list rule: access list acl_133, action permit 265: access list rule: access list acl_133, action permit 266: access list rule: access list acl_133, action deny 267: access list rule: access list acl_144, action permit 268: access list rule: access list acl_144, action permit 269: access list rule: access list acl_144, action permit 270: access list rule: access list acl_144, action permit 271: access list rule: access list acl_144, action permit 272: access list rule: access list acl_144, action permit 273: access list rule: access list acl_144, action permit 274: access list rule: access list 
acl_144, action permit 275: access list rule: access list acl_199, action permit 276: access list rule: access list acl_199, action permit 278: Rule comment: Standard access lists are 1 to 99 and 1300 to 1999 279: access list rule: access list acl_1300, action permit 280: access list rule: access list acl_1300, action permit 281: access list rule: access list acl_1300, action permit 282: access list rule: access list acl_1300, action permit fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ios.test000066400000000000000000000215521303637203600246150ustar00rootroot00000000000000! ! Last configuration change at 12:24:46 PST Fri May 11 2007 by vadim ! NVRAM config last updated at 12:24:46 PST Fri May 11 2007 by vadim ! version 12.2 service timestamps debug uptime no service timestamps log uptime service password-encryption ! hostname "c3620" ! no logging buffered no logging console aaa new-model aaa new-model aaa group server tacacs+ inttac server 10.1.0.1 ! enable secret 5 $1$U6dJ$BfnMsC23.X8BCFJB0XIJA. enable password 7 ! username user1 password 7 0123456789ABCDEF00 username user2 password 7 01234567890ABCDEF01234567890 clock timezone PST -7 ip subnet-zero ! ! ip tcp synwait-time 10 ip cef ip domain-name fwbuilder.org ip name-server 10.1.1.10 ! ip audit notify log ip audit po max-events 100 ! crypto isakmp policy 10 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key address 22.22.22.22 crypto isakmp key address 192.168.171.1 ! crypto ipsec security-association lifetime seconds 28800 ! crypto ipsec transform-set test-transform esp-3des esp-md5-hmac crypto ipsec transform-set pix-transform esp-3des esp-md5-hmac ! crypto map test 10 ipsec-isakmp set peer 22.22.22.22 set transform-set test-transform match address 133 ! crypto map real 10 ipsec-isakmp set peer 192.168.171.1 set transform-set pix-transform match address 144 ! ! See bug 2334007 for "certificate" ! https://sourceforge.net/tracker2/?func=detail&aid=2334007&group_id=5314&atid=1070394 ! 
certificate self-signed 01 30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030 E7CF84EC 9FED5F77 EBE589EF 832F6AC3 DFFE3FD8 5F73C105 quit ! call rsvp-sync ! ! ! module ContentSwitchingModule 3 ft group 1 vlan 9 preempt ! ! -- test behavior for the "ip address" command in the "vlan" context ! (should ignore it) ! vlan 706 server ip address 172.16.1.1 255.255.255.128 alias 172.16.1.2 255.255.255.128 ! vlan 111 client ip address 172.16.10.1 255.255.255.0 gateway 172.16.10.254 ! static nat virtual real 192.168.16.20 real 192.168.16.19 ! ! vserver TEST virtual 172.16.1.51 tcp www vlan 706 serverfarm BBTEST-HTTP persistent rebalance slb-policy BBTEST inservice ! ! See bug 2334007 for "controller" with "description" ! https://sourceforge.net/tracker2/?func=detail&aid=2334007&group_id=5314&atid=1070394 ! controller T3 2/0 description Any description will crash the parser ! ! interface FastEthernet0/0 ip address 192.168.100.100 255.255.255.0 secondary ip address 10.3.14.201 255.255.255.0 ip access-group fe0_0_acl_in in ip access-group fe0_0_acl_out out no ip mroute-cache duplex auto speed auto ! interface Ethernet1/0 description Test [test] {test} (and one more test) /weird:characters#$%^&*/ ip address 192.168.171.2 255.255.255.0 ip access-group e1_0_acl_in in ip access-group e1_0_acl_out out no ip mroute-cache ip ospf cost 65000 half-duplex crypto map real ! interface Serial1/0 ip unnumbered Loopback0 no ip mroute-cache shutdown no fair-queue ! interface Ethernet1/1 ip address 10.10.10.10 255.255.255.0 no ip mroute-cache ! ! Note - the same access list applied both in and out ip access-group 133 in ip access-group 133 out no shutdown half-duplex ! interface Ethernet1/2 ip address 10.10.20.20 255.255.255.0 no ip mroute-cache ! ! Note - the same access list applied both in and out ! the same list is applied to eth 1/1 and eth 1/2 ip access-group 133 in ip access-group 133 out no shutdown half-duplex ! 
interface ATM0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip route-cache flow no atm ilmi-keepalive dsl operating-mode auto ! interface ATM0.1 point-to-point description $FW_OUTSIDE$$ES_WAN$ no snmp trap link-status pvc 0/38 ip address 10.0.0.1 255.255.255.252 encapsulation aal5mux ppp dialer dialer pool-member 1 ! router ospf 1 network 10.3.14.0 0.0.0.255 area 0 ! ip classless ip route 0.0.0.0 0.0.0.0 192.168.171.1 no ip http server ! ip bgp-community new-format ip community-list standard AS65530.INTERNAL permit 65532:10100 ip community-list expanded ASFOO permit _65533:10200_ ip community-list expanded ASFOO.CUST permit _65532:103.._ ip community-list expanded TEST99 permit 65532:102.* 65533:.* ! ! See bug 2334007 for problems with commands using character "|" ! https://sourceforge.net/tracker2/?func=detail&aid=2334007&group_id=5314&atid=1070394 ! ip community-list expanded Test2 permit ^65063:1[8-9][0-9]|65063:20[0-9]$ ! ip as-path access-list 10 permit ^1239_ ip as-path access-list 10 permit .* ip flow-export source Loopback0 ip flow-export version 5 ! 
!################################################################ ip access-list extended e1_0_acl_in deny ip any any fragments permit tcp host 10.3.14.40 host 192.168.171.2 eq 22 log permit tcp host 10.3.14.40 host 10.3.14.201 eq 22 log permit ip any 10.3.14.0 0.0.0.255 log deny ip any any log !################################################################ ip access-list extended e1_0_acl_out permit ip 10.3.14.0 0.0.0.255 any log deny ip any any log !################################################################ ip access-list extended fe0_0_acl_in permit tcp host 10.3.14.40 host 192.168.171.2 eq 22 log permit tcp host 10.3.14.40 host 10.3.14.201 eq 22 log permit ip 10.3.14.0 0.0.0.255 any log deny ip any any log !################################################################ ip access-list extended fe0_0_acl_out permit ip any 10.3.14.0 0.0.0.255 log deny ip any any log !################################################################ ip access-list extended outside remark //path1/path2/path3 remark access list comment ! destination port permit udp any any eq isakmp ! source port permit tcp any eq 80 any ! source port and established permit tcp any eq 80 any established ! different port operators permit tcp any gt 1023 any deny tcp any lt 1023 any ! ports can be defined by number or by name permit tcp any any eq www ! port ranges permit tcp any any range 22 80 permit tcp any any range 22 www ! ! two identical services, one tcp, another udp deny tcp any any eq 2967 deny tcp any eq 2967 any deny udp any any eq 2967 deny udp any eq 2967 any ! permit ahp any any permit esp any any ! icmp rule with no icmp spec permit icmp any any ! icmp rule with icmp spec in the form of two integers permit icmp any any 8 0 ! icmp rule with icmp spec in the form of a word permit icmp any any unreachable permit icmp any any host-unreachable permit icmp any any host-precedence-unreachable ! ! 
check for empty line inside ACL definition permit udp any any eq bootpc permit udp any any eq bootps permit udp any eq domain any ! 'time-range' option permit tcp 10.10.10.0 0.0.0.255 eq 80 host 10.3.14.40 established time-range evening deny ip any any log !################################################################ ! empty access list declaration ip access-list extended foo ip access-list extended tmp_acl permit ip 10.3.14.0 0.0.0.255 any deny ip any any ! access-list 133 permit ip 10.3.14.0 0.0.0.255 10.10.10.0 0.0.0.255 access-list 133 permit ip 10.10.10.0 0.0.0.255 10.3.14.0 0.0.0.255 access-list 133 deny ip any any log access-list 144 permit icmp 10.3.14.0 0.0.0.255 10.2.1.0 0.0.0.255 access-list 144 permit icmp 10.2.1.0 0.0.0.255 10.3.14.0 0.0.0.255 access-list 144 permit ip 10.3.14.0 0.0.0.255 10.2.1.0 0.0.0.255 access-list 144 permit ip 10.2.1.0 0.0.0.255 10.3.14.0 0.0.0.255 access-list 144 permit icmp 10.3.14.0 0.0.0.255 host 192.168.171.1 access-list 144 permit icmp host 192.168.171.1 10.3.14.0 0.0.0.255 access-list 144 permit ip 10.3.14.0 0.0.0.255 host 192.168.171.1 access-list 144 permit ip host 192.168.171.1 10.3.14.0 0.0.0.255 access-list 199 permit icmp 10.3.14.0 0.0.0.255 10.10.10.0 0.0.0.255 log access-list 199 permit ip any any ! access-list 1300 remark Standard access lists are 1 to 99 and 1300 to 1999 access-list 1300 permit 22.22.22.21 access-list 1300 permit 22.23.24.25 access-list 1300 permit 22.23.25.0 0.0.0.15 access-list 1300 permit 10.0.0.0 0.255.255.255 ! route-map AS65530_AGGREGATION permit 10 match ip address prefix-list AS65530_AGGR set community 65532:111 65533:101 65533:111 65533:121 65533:131 65533:141 65533:151 65533:201 65533:301 65533:311 65533:321 65533:401 ! ! snmp-server community public RO snmp-server enable traps tty ! dial-peer cor custom ! ip prefix-list AS65530_AGGR permit 22.23.24.0/19 le 24 ! logging facility syslog logging source-interface Loopback0 logging 10.1.0.91 logging 10.1.0.92 ! ! ! 
banner motd ^C ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ B A N N E R ~ ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^C ! line con 0 line aux 0 line vty 0 4 password 7 ! ntp clock-period 17179753 ntp server 10.3.14.10 ! time-range evening periodic daily 17:00 to 23:59 ! end fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-no-nat.fwb000066400000000000000000002646171303637203600256230ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-no-nat.output000066400000000000000000000014661303637203600263740ustar00rootroot000000000000001: Version: 1.3.5 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / RH-Firewall-1-INPUT 6: Default action: Deny 9: New interface: lo 16: Warning: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking. 
18: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 18: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 18: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-no-nat.test000066400000000000000000000016021303637203600260030ustar00rootroot00000000000000# Generated by iptables-save v1.3.5 on Mon Apr 11 15:46:04 2011 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1593531:5659620982] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p esp -j ACCEPT -A RH-Firewall-1-INPUT -p ah -j ACCEPT -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Mon Apr 11 15:46:04 2011 fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-v1.1.1.1.output000066400000000000000000000011241303637203600261520ustar00rootroot000000000000001: Version: 1.1.1.1 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / CHAIN-1-INPUT 6: Default action: Deny Could not find enough information in the data file to create firewall interface objects. 
9: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 9: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 9: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-v1.1.1.12.output000066400000000000000000000011251303637203600262350ustar00rootroot000000000000001: Version: 1.1.1.12 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / CHAIN-1-INPUT 6: Default action: Deny Could not find enough information in the data file to create firewall interface objects. 9: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 9: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 9: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-v1.1.1.output000066400000000000000000000011221303637203600260110ustar00rootroot000000000000001: Version: 1.1.1 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / CHAIN-1-INPUT 6: Default action: Deny Could not find enough information in the data file to create firewall interface objects. 
9: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 9: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 9: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-v1.1.12.1.output000066400000000000000000000011251303637203600262350ustar00rootroot000000000000001: Version: 1.1.12.1 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / CHAIN-1-INPUT 6: Default action: Deny Could not find enough information in the data file to create firewall interface objects. 9: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 9: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 9: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-v1.1.12.output000066400000000000000000000011231303637203600260740ustar00rootroot000000000000001: Version: 1.1.12 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / CHAIN-1-INPUT 6: Default action: Deny Could not find enough information in the data file to create firewall interface objects. 
9: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 9: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 9: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-v1.12.1.1.output000066400000000000000000000011251303637203600262350ustar00rootroot000000000000001: Version: 1.12.1.1 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / CHAIN-1-INPUT 6: Default action: Deny Could not find enough information in the data file to create firewall interface objects. 9: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 9: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 9: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-v1.12.1.output000066400000000000000000000011231303637203600260740ustar00rootroot000000000000001: Version: 1.12.1 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / CHAIN-1-INPUT 6: Default action: Deny Could not find enough information in the data file to create firewall interface objects. 
9: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 9: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 9: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-v1.2.1a.output000066400000000000000000000011221303637203600261530ustar00rootroot000000000000001: Version: 1.2.1 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / CHAIN-1-INPUT 6: Default action: Deny Could not find enough information in the data file to create firewall interface objects. 9: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 9: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 9: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-v12.1.1.1.output000066400000000000000000000011251303637203600262350ustar00rootroot000000000000001: Version: 12.1.1.1 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / CHAIN-1-INPUT 6: Default action: Deny Could not find enough information in the data file to create firewall interface objects. 
9: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 9: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 9: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt-v12.1.1.output000066400000000000000000000011231303637203600260740ustar00rootroot000000000000001: Version: 12.1.1 3: New ruleset: filter / INPUT 3: Default action: Accept 4: New ruleset: filter / FORWARD 4: Default action: Accept 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / CHAIN-1-INPUT 6: Default action: Deny Could not find enough information in the data file to create firewall interface objects. 9: Warning: Line 4: Added rule to reproduce default policy ACCEPT in filter/FORWARD 9: Warning: Line 3: Added rule to reproduce default policy ACCEPT in filter/INPUT 9: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt.fwb000066400000000000000000010101761303637203600244170ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk -m state --state NEW,ESTABLISHED -m state --state NEW,RELATED,ESTABLISHED -m length --length 400:65535 -m recent --name badguy --rcheck --seconds 60 -m recent --name badguy --set -m length --length 400:1500 -m pkttype --pkt-type broadcast fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt.output000066400000000000000000000176661303637203600252130ustar00rootroot000000000000001: Version: 1.2.1 3: New ruleset: filter / INPUT 3: Default action: Deny 4: New ruleset: filter / FORWARD 4: Default action: Deny 5: New ruleset: filter / OUTPUT 5: Default action: Accept 6: New ruleset: filter / 
user_chain 6: Default action: Deny 9: Warning: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking. 12: Warning: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking. 13: Warning: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking. 14: Warning: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking. 18: Created branch INPUT_state_match_0 18: Warning: Rule matches combination of states 'NEW,ESTABLISHED'. Iptables rules generated by fwbuilder can be stateless (match no state) or stateful (match state NEW). Fwbuilder also adds a rule at the top of the script to match states ESTABLISHED,RELATED. Combination of states 'NEW,ESTABLISHED' does not fit these standard cases and to match it, the program created new Custom Service object. This may require manual checking. 23: Created branch OUTPUT_established_1 23: Warning: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking. 
28: Created branch OUTPUT_established_2 28: Warning: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking. 31: Created branch FORWARD_state_match_3 31: Warning: Rule matches combination of states 'NEW,RELATED,ESTABLISHED'. Iptables rules generated by fwbuilder can be stateless (match no state) or stateful (match state NEW). Fwbuilder also adds a rule at the top of the script to match states ESTABLISHED,RELATED. Combination of states 'NEW,RELATED,ESTABLISHED' does not fit these standard cases and to match it, the program created new Custom Service object. This may require manual checking. 34: Warning: Using automatic rule controlled by option 'Drop packet that do not match any known connection' to match state INVALID 37: Warning: Using automatic rule controlled by option 'Drop packet that do not match any known connection' to match state INVALID 40: New interface: lo 45: Created branch Policy_eth1 45: New interface: eth1 45: New interface: eth0 45: Warning: Creating branch ruleset 'Policy_eth1' to match inbound and outbound interfaces -i eth0 -o eth1 106: Warning: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking. 
218: Created branch user_chain_55_mod_match 222: Created branch user_chain_56_mod_match 223: Created branch user_chain_57_mod_match 224: Created branch user_chain_58_mod_match 227: Created branch user_chain_59_mod_match 230: Created branch user_chain_60_mod_match 233: Created branch user_chain_61_mod_match 233: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match. 233: Error: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match. 234: Created branch user_chain_62_mod_match 234: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match. 234: Error: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match. 
245: New ruleset: mangle / PREROUTING 245: Default action: Accept 246: New ruleset: mangle / INPUT 246: Default action: Accept 247: New ruleset: mangle / FORWARD 247: Default action: Accept 248: New ruleset: mangle / OUTPUT 248: Default action: Accept 249: New ruleset: mangle / POSTROUTING 249: Default action: Accept 252: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD 252: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD 255: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD 255: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD 256: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD 256: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD 262: Warning: Skipping command with '-j CONNMARK --restore-mark' This rule is generated automatically. 265: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING 265: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING 266: Warning: Turned option on in previous rule with action Mark for '-j CONNMARK --save-mark' 269: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING 269: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING 270: New interface: eth2 270: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING 270: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING 274: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING 274: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING 275: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING 275: 
Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING 283: New ruleset: nat / PREROUTING 283: Default action: Accept 284: New ruleset: nat / POSTROUTING 284: Default action: Accept 285: New ruleset: nat / OUTPUT 285: Default action: Accept 289: New interface: eth+ 318: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT 318: Warning: Line 247: Can not reproduce default action in table 'mangle' chain 'FORWARD'. (Generated rule may not generate equivalent iptables command when compiled) 318: Warning: Line 247: Added rule to reproduce default policy ACCEPT in mangle/FORWARD 318: Warning: Line 246: Can not reproduce default action in table 'mangle' chain 'INPUT'. (Generated rule may not generate equivalent iptables command when compiled) 318: Warning: Line 246: Added rule to reproduce default policy ACCEPT in mangle/INPUT 318: Warning: Line 248: Added rule to reproduce default policy ACCEPT in mangle/OUTPUT 318: Warning: Line 249: Added rule to reproduce default policy ACCEPT in mangle/POSTROUTING 318: Warning: Line 245: Added rule to reproduce default policy ACCEPT in mangle/PREROUTING fwbuilder-5.3.7/src/unit_tests/ImporterTest/test_data/ipt.test000066400000000000000000000360521303637203600246200ustar00rootroot00000000000000# Generated by iptables-save v1.2.1a on Fri Jun 1 14:04:15 2001 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [1531191:180073476] :user_chain - [0:0] # this should produce rule in the same chain -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # and these, too -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # unusual combination of states, creates custom service object. 
Also, since the same rule # matches tcp service and custom service, branch will be created -A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT # this creates a branch, matching service in the main policy and # ESTABLISHED,RELATE states in the branch # -A OUTPUT -d 21.21.21.21 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT # variant with a different action. New branch rule set should be created, different # from the one created for the rule above. # -A OUTPUT -d 21.21.21.21 -p tcp -m tcp --dport 23 -m state --state RELATED,ESTABLISHED -j DROP # more complex combination of states -A FORWARD -s 1.1.1.0/24 -d 2.2.2.0/24 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp ! --dport 80 -j ACCEPT # this should be recognized as built-in rule -A FORWARD -m state --state INVALID -j drop_invalid # this should be recognized as built-in rule -A OUTPUT -m state --state INVALID -j drop_invalid # these go into INPUT chain, should end up with firewall object in DST -A INPUT -i lo -j ACCEPT -A INPUT -j user_chain -A INPUT -j scan_checks_chain # both -i intf and -o intf in the same rule. Crearing a branch -A FORWARD -i eth0 -o eth1 -p udp --dport 1604 -j ACCEPT # testing action REJECT with option. 
Trying all possible options and aliases -A INPUT -p tcp --dport 0:8000 -j REJECT --reject-with tcp-reset -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-net-unreachable -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with net-unreach -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-host-unreachable -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with host-unreach -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-proto-unreachable -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with proto-unreach -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-port-unreachable -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with port-unreach -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-net-prohibited -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with net-prohib -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-host-prohibited -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with host-prohib -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-admin-prohibited -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with admin-prohib # was: bad --reject-with argument -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-admin-prohibited -A INPUT -p udp --dport 0:8000 -j REJECT --reject-with admin-prohib # v2.1 does not support passing control to the same branch from # several rules This rule will have action 'branch' but branch name # will be 'user_chain1' This rule will have a comment explaining this # and branch rule set will be emtpy -A OUTPUT -j user_chain # Tests for module iprange -A FORWARD -m iprange --src-range 10.212.66.2-10.212.66.3 --dst-range 192.11.1.11-192.11.1.63 -j ACCEPT -A FORWARD -m iprange -s 10.212.66.2 --dst-range 192.11.1.11-192.11.1.63 -j ACCEPT -A FORWARD -m iprange --src-range 10.212.66.2-10.212.66.3 -d 192.11.1.11 -j ACCEPT # -A FORWARD -s 192.168.0.0/16 -m state --state NEW -j ACCEPT # this should end up with action "Continue" and logging on -A FORWARD -j LOG 
--log-prefix "FORWARD catch-all" # should have icmp (-1,-1) in SRV -- should recognize this as icmp # even though it is uppercased -A user_chain -s 128.143.0.0/16 -p ICMP -j ACCEPT # numeric protocol spec -A user_chain -d 192.168.1.1 -i eth0 -p 47 -j ACCEPT # target RETURN -A user_chain -s 1.1.0.0/16 -p ICMP -j RETURN # this should be reproduced using custom service object even though it # is in user-defined chain # -A user_chain -m state --state RELATED,ESTABLISHED -j ACCEPT -A user_chain -s 192.168.19.0/24 -p tcp -m tcp --dport 5432 -m state --state NEW -j ACCEPT -A user_chain -s 192.168.16.125 -p tcp -m tcp --dport 5432 -m state --state NEW -j ACCEPT -A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT -A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT -A user_chain -s 192.0.34.166 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT -A user_chain -s 192.168.19.0/24 -p tcp -m tcp --dport 137:139 -m state --state NEW -j ACCEPT -A user_chain -s 192.168.19.0/24 -p tcp -m tcp --dport :1023 -m state --state NEW -j ACCEPT -A user_chain -s 192.168.19.0/24 -p tcp -m tcp --dport 6000: -m state --state NEW -j ACCEPT -A user_chain -s 192.168.0.0/16 -p udp --dport 137 -m state --state NEW -j ACCEPT -A user_chain -s 192.168.0.0/16 -p udp --dport 138 -m state --state NEW -j ACCEPT -A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 139 -m state --state NEW -j ACCEPT -A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 445 -m state --state NEW -j ACCEPT -A user_chain -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT -A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT -A user_chain -s 192.0.34.166 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT -A user_chain -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT -A user_chain -s 127.0.0.1 -p tcp -m tcp --dport 631 -m state --state NEW -j ACCEPT -A user_chain -s 127.0.0.1 -p tcp -m tcp --dport 
515 -m state --state NEW -j ACCEPT # different combinations of tcp flags in combination with some other # options. Taken from a real policy. # -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS scan: " --log-level 7 -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-PSH scan: " --log-level 7 -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-ALL scan: " --log-level 7 -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Stealth FIN scan: " --log-level 7 -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/RST scan: " --log-level 7 -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/FIN scan(?): " --log-level 7 -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Stealth Null scan: " --log-level 7 -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A scan_checks_chain -i 
eth0 -p tcp -m tcp --syn -j ACCEPT -A scan_checks_chain -i eth0 -p tcp -m tcp ! --syn -j ACCEPT # was: bad port spec -A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 8088 -m state --state NEW -j ACCEPT # Log prefix and log limit test # Also need action Continue (or NOP) -A user_chain -s ! 128.143.0.0/16 -m limit --limit 25/hour -j LOG --log-prefix user_chain_notlocal: -A user_chain -s 128.143.0.0/16 -p tcp --dport 427 -j ACCEPT -A user_chain -s 128.143.0.0/16 -p udp --dport 427 -j ACCEPT -A user_chain -s 128.143.0.0/16 -p tcp --dport 548 -j ACCEPT -A user_chain -s 128.143.0.0/16 -p tcp --dport 201 -j ACCEPT -A user_chain -s 128.143.0.0/16 -p tcp --dport 202 -j ACCEPT -A user_chain -s 128.143.0.0/16 -p tcp --dport 204 -j ACCEPT -A user_chain -s 128.143.0.0/16 -p tcp --dport 206 -j ACCEPT # --dports does not necessarily follow -m multiport # -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 548,201,202,204,206 -j ACCEPT # there can be just one port with multiport # -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 2222 -j ACCEPT # source ports with multiport -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 548,201,202,204,206 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 2222 -j ACCEPT # --ports (source OR destination port) -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 548,201,202,204,206 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 2222 -j ACCEPT # various port range cases # it is unclear if multiport supports open-ended ranges such as ":1024" or "1024:" # -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 201:206,311 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 548,201:206 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 548,201:206,311:315 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 201:206,311:315,548 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 
201:206,311 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 548,201:206 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 548,201:206,311:315 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 201:206,311:315,548 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 201:206,311 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 548,201:206 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 548,201:206,311:315 -j ACCEPT -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 201:206,311:315,548 -j ACCEPT # now with negation -A user_chain -m multiport -s 128.143.0.0/16 -p tcp ! --dports 548,201,202,204,206 -j ACCEPT # icmp -A user_chain -p icmp -s 128.143.0.0/16 --icmp-type any -j ACCEPT -A user_chain -p icmp -s 128.143.0.0/16 --icmp-type 3 -j ACCEPT -A user_chain -p icmp -s 128.143.0.0/16 --icmp-type network-unknown -j ACCEPT # module length -A user_chain -m length --length 400:65535 -j DROP # Module recent -A user_chain -m recent --name badguy --rcheck --seconds 60 -j DROP -A user_chain -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP # combinations of a regular service and module or two modules # -A user_chain -s 128.143.0.0/16 -p tcp --dport 5190 -m mark --mark 0x11 -j DROP -A user_chain -s 128.143.0.0/16 -p tcp --dport 5190 -m length --length 400:1500 -j DROP -A user_chain -m mark --mark 0x11 -m length --length 400:1500 -j DROP # this rule has negation in the mark match but no negation in port match -A user_chain -p tcp -m mark ! --mark 0x4 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j MARK --set-mark 0x1 # negation with tcp match -A user_chain -p tcp -m mark --mark 0x4 -m tcp ! 
--tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j MARK --set-mark 0x1 # this rule has three matches which is not supported -A user_chain -p tcp -m length --length 0:128 -m mark --mark 0x4 -m tcp --sport 53 -j ACCEPT -A user_chain -p tcp -m length --length 0:128 -m mark ! --mark 0x4 -m tcp --sport 53 -j ACCEPT # bug 1703, SF bug 3065435 -A user_chain -m pkttype --pkt-type broadcast -j DROP -A user_chain -j DROP COMMIT # mangle table *mangle :PREROUTING ACCEPT :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT :POSTROUTING ACCEPT # mark in FORWARD -A FORWARD -i eth1 -p tcp --dport smtp -j MARK --set-mark 16 # mark in FORWARD, argument is hex -A FORWARD -i eth1 -p tcp --dport smtp -j MARK --set-mark 0xa -A FORWARD -i eth1 -p tcp --dport smtp -j MARK --set-mark 0xB # mark in PREROUTING (check option "ipt_mark_prerouting") -A PREROUTING -i eth1 -p tcp --dport smtp -j MARK --set-mark 16 # option "ipt_mark_connections" -A PREROUTING -j CONNMARK --restore-mark # packets from me going out -A POSTROUTING -o eth1 -p tcp --sport smtp -j MARK --set-mark 16 -A POSTROUTING -j CONNMARK --save-mark # test ROUTE target -A POSTROUTING -m mark --mark 1 -j ROUTE --oif eth0 --continue -A POSTROUTING -m mark --mark 2 -j ROUTE --oif eth2 --continue # test TOS target with parameters (unsupported, but parser # should not crash on it) -A POSTROUTING -d 192.168.1.1 -j TOS --set-tos Minimize-Delay -A POSTROUTING -d 192.168.1.1 -j TOS --set-tos 0x10 -A POSTROUTING -s 192.168.1.0/24 -j CLASSIFY --set-class 0001:0010 -A POSTROUTING -s 192.168.2.0/24 -j CLASSIFY --set-class 1:10 COMMIT *nat :PREROUTING ACCEPT [1502:275921] :POSTROUTING ACCEPT [406:45653] :OUTPUT ACCEPT [406:45653] -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.222 -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.1 -A POSTROUTING -o eth+ -s 192.168.1.32/27 -j SNAT --to-source 222.222.222.10-222.222.222.100 -A POSTROUTING -o eth+ -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.20 --dport 80 -j SNAT 
--to-source 192.168.1.1 -A POSTROUTING -o eth+ -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.20 --dport 80 -j SNAT --to-source 192.168.1.1-192.168.1.10 -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --sport 1000:1010 -j SNAT --to-source 222.222.222.222:1000-1010 -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j MASQUERADE -A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 222.222.222.0/24 -A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 25 -j DNAT --to-destination 192.168.1.10:25 -A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 25 -j DNAT --to-destination 192.168.1.10:25-50 -A PREROUTING -p icmp -m icmp -d 222.222.222.222 --icmp-type 8/0 -j DNAT --to-destination 192.168.1.10 -A PREROUTING -p tcp -m tcp --sport 1000:1010 -d 222.222.222.222 -j DNAT --to-destination 192.168.1.10 -A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 4000:4010 -j DNAT --to-destination 192.168.1.10:4000-4010 -A PREROUTING -p tcp -m tcp -m multiport -d 222.222.222.222 --dports 6667,3128,113,53,21,80,119,25,22,23,540,70,13,2105,443 -j DNAT --to-destination 192.168.1.10 -A PREROUTING -d 222.222.222.13/32 -p tcp -m multiport --dports 1720,3230:3243 -j DNAT --to-destination 192.168.1.212 # numeric protocol spec -A PREROUTING -d 192.168.3.145 -i eth0 -p 47 -j DNAT --to-destination 1.1.1.1 # a "no nat" rule -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT # redirect rule -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # a couple of nat rules in chain OUTPUT -A OUTPUT -p tcp -m tcp -d 192.168.1.22 --dport 80 -j DNAT --to-destination 192.168.2.10:80 -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 COMMIT fwbuilder-5.3.7/src/unit_tests/Inet6AddrMaskTest/000077500000000000000000000000001303637203600217405ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/Inet6AddrMaskTest/Inet6AddrMaskTest.cpp000066400000000000000000000202051303637203600256770ustar00rootroot00000000000000/* Firewall 
Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "Inet6AddrMaskTest.h" #include #include using namespace libfwbuilder; using namespace std; void Inet6AddrMaskTest::testUInt128ToInetAddr6() { InetAddr x1(AF_INET6, "::1"); uint128 x = x1.to_uint128(); InetAddr x2(AF_INET6, 0); x2.init_from_uint128(x); CPPUNIT_ASSERT(x2.toString() == "::1"); InetAddr x3(AF_INET6, "::8000"); x = x3.to_uint128(); InetAddr x4(AF_INET6, 0); x4.init_from_uint128(x); CPPUNIT_ASSERT(x4.toString() == "::8000"); InetAddr x5(AF_INET6, "::ff00"); x = x5.to_uint128(); InetAddr x6(AF_INET6, 0); x6.init_from_uint128(x); CPPUNIT_ASSERT(x6.toString() == "::ff00"); InetAddr x90(AF_INET6, "fe80::20c:29ff:fed2:cca1"); x = x90.to_uint128(); InetAddr x91(AF_INET6, 0); x91.init_from_uint128(x); CPPUNIT_ASSERT(x91.toString() == "fe80::20c:29ff:fed2:cca1"); } void Inet6AddrMaskTest::testInetAddr6ToUInt128() { InetAddr x1(AF_INET6, 0); uint128 x = x1.to_uint128(); CPPUNIT_ASSERT(x.to_string() == "0"); InetAddr x2(AF_INET6, 1); x = x2.to_uint128(); CPPUNIT_ASSERT(x.to_string() == "800000000000000000000000"); InetAddr x3(AF_INET6, 8); x = x3.to_uint128(); CPPUNIT_ASSERT(x.to_string() == "FF0000000000000000000000"); InetAddr x4(AF_INET6, 16); x = x4.to_uint128(); CPPUNIT_ASSERT(x.to_string() == 
"FFFF00000000000000000000"); InetAddr x5(AF_INET6, 64); x = x5.to_uint128(); CPPUNIT_ASSERT(x.to_string() == "FFFFFFFFFFFFFFFF00000000"); InetAddr x6(AF_INET6, 128); x = x6.to_uint128(); CPPUNIT_ASSERT(x.to_string() == "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"); InetAddr x7(AF_INET6, "fe80::20c:29ff:fed2:cca1"); x = x7.to_uint128(); CPPUNIT_ASSERT(x.to_string() == "FE8000000000000020C29FFFED2CCA1"); } void Inet6AddrMaskTest::testIntToInetAddr6() { InetAddr x1(AF_INET6, 0); CPPUNIT_ASSERT(x1.toString()=="::" && x1.getLength()==128); InetAddr x2(AF_INET6, 1); CPPUNIT_ASSERT(x2.toString()=="8000::" && x2.getLength()==1); InetAddr x3(AF_INET6, 8); CPPUNIT_ASSERT(x3.toString()=="ff00::" && x3.getLength()==8); InetAddr x4(AF_INET6, 16); CPPUNIT_ASSERT(x4.toString()=="ffff::" && x4.getLength()==16); InetAddr x5(AF_INET6, 64); CPPUNIT_ASSERT(x5.toString()=="ffff:ffff:ffff:ffff::" && x5.getLength()==64); InetAddr x6(AF_INET6, 128); CPPUNIT_ASSERT(x6.toString()=="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff" && x6.getLength()==128); } void Inet6AddrMaskTest::testStringToInetAddr6() { InetAddr *sa1 = new InetAddr(AF_INET6, "::"); CPPUNIT_ASSERT_MESSAGE(sa1->toString(), sa1->toString() == "::"); sa1 = new InetAddr(AF_INET6, "::1"); CPPUNIT_ASSERT_MESSAGE(sa1->toString(), sa1->toString() == "::1"); sa1 = new InetAddr(AF_INET6, "fe80::20c:29ff:fed2:cca1"); CPPUNIT_ASSERT_MESSAGE(sa1->toString(), sa1->toString() == "fe80::20c:29ff:fed2:cca1"); InetAddr x6(AF_INET6, "64"); CPPUNIT_ASSERT_MESSAGE(x6.toString(), x6.toString()=="ffff:ffff:ffff:ffff::"); CPPUNIT_ASSERT(x6.getLength()==64); } void Inet6AddrMaskTest::testStringToInetAddrExceptions() { CPPUNIT_ASSERT_THROW(new InetAddr(AF_INET, "fe80::20c:29ff:fed2:cca1"), FWException); CPPUNIT_ASSERT_THROW(new InetAddr("fe80::20c:29ff:fed2:cca1"), FWException); CPPUNIT_ASSERT_NO_THROW(new InetAddr(AF_INET6, "fe80::20c:29ff:fed2:cca1/64")); CPPUNIT_ASSERT_THROW(new InetAddr(AF_INET6, "fe80::20c:29ff:fed2:cca1/200"), FWException); 
CPPUNIT_ASSERT_THROW(new InetAddr(AF_INET6, "fe80::foo:bar:fed2:cca1"), FWException); CPPUNIT_ASSERT_THROW(new InetAddr(AF_INET6, "1.2.3.4"), FWException); CPPUNIT_ASSERT_NO_THROW(new InetAddr(AF_INET6, 64)); CPPUNIT_ASSERT_THROW(new InetAddr(AF_INET6, 256), FWException); } /* * Note that our current implementation of address operations for ipv6 is very * limited */ void Inet6AddrMaskTest::testInet6AddressOps() { InetAddr x7(AF_INET6, "fe80::21d:9ff:fe8b:8e94"); InetAddr y6(AF_INET6, 64); InetAddr z1 = x7 & y6; CPPUNIT_ASSERT(z1.toString()=="fe80::"); CPPUNIT_ASSERT((~y6).toString()=="::ffff:ffff:ffff:ffff"); InetAddr z2 = z1 | ~y6; CPPUNIT_ASSERT_MESSAGE(z2.toString(), z2.toString()=="fe80::ffff:ffff:ffff:ffff"); InetAddr z3 = x7 + 1; CPPUNIT_ASSERT_MESSAGE(z3.toString(), z3.toString() == "fe80::21d:9ff:fe8b:8e95"); InetAddr z4 = z3 - 1; CPPUNIT_ASSERT_MESSAGE(z4.toString(), z4.toString() == "fe80::21d:9ff:fe8b:8e94"); InetAddr z5 = x7 + 65536; CPPUNIT_ASSERT_MESSAGE(z5.toString(), z5.toString() == "fe80::21d:9ff:fe8c:8e94"); InetAddr z6 = z5 - 65536; CPPUNIT_ASSERT_MESSAGE(z6.toString(), z6.toString() == "fe80::21d:9ff:fe8b:8e94"); InetAddr z7 = x7 + 2147483647; // 2^31-1 CPPUNIT_ASSERT_MESSAGE(z7.toString(), z7.toString() == "fe80::21d:a00:7e8b:8e93"); InetAddr z8 = z7 - 2147483647; CPPUNIT_ASSERT_MESSAGE(z8.toString(), z8.toString() == "fe80::21d:9ff:fe8b:8e94"); InetAddr x8(AF_INET6, "fe80::21d:9ff:fe8b:1111"); CPPUNIT_ASSERT(x7 > x8); CPPUNIT_ASSERT(x8 < x7); unsigned int dist = x8.distance(x7); CPPUNIT_ASSERT(dist == 32132); InetAddr x9(AF_INET6, "fe80::21d:9ff:fe8b:8e94"); CPPUNIT_ASSERT(x7 == x9); InetAddr x10(AF_INET6, "fe80::21d:a00:7e8b:8e93"); CPPUNIT_ASSERT(x10 > x9); CPPUNIT_ASSERT(x9 < x10); } void Inet6AddrMaskTest::testStringToInetAddrMask() { string sa; Inet6AddrMask *a1 = new Inet6AddrMask(); sa = a1->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="::"); Inet6AddrMask *a2 = new Inet6AddrMask( InetAddr(AF_INET6, "fe80::21d:9ff:fe8b:8e94"), 
InetAddr(AF_INET6, 128)); sa = a2->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="fe80::21d:9ff:fe8b:8e94"); sa = a2->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"); CPPUNIT_ASSERT(a2->getNetmaskPtr()->getLength()==128); CPPUNIT_ASSERT(a2->toString()=="fe80::21d:9ff:fe8b:8e94"); Inet6AddrMask *a3 = new Inet6AddrMask( InetAddr(AF_INET6, "fe80::21d:9ff:fe8b:8e94"), InetAddr(AF_INET6, 128)); a3->setNetmask(InetAddr(AF_INET6, 64)); sa = a3->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="fe80::21d:9ff:fe8b:8e94"); sa = a3->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="ffff:ffff:ffff:ffff::"); CPPUNIT_ASSERT(a3->getNetmaskPtr()->getLength()==64); CPPUNIT_ASSERT(a3->toString()=="fe80::21d:9ff:fe8b:8e94/64"); Inet6AddrMask *a4 = new Inet6AddrMask( string("fe80::21d:9ff:fe8b:8e94/64")); sa = a4->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="fe80::21d:9ff:fe8b:8e94"); sa = a4->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="ffff:ffff:ffff:ffff::"); CPPUNIT_ASSERT(a4->belongs( *(a2->getAddressPtr()) )); Inet6AddrMask *a5 = new Inet6AddrMask(*a3); sa = a5->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="fe80::21d:9ff:fe8b:8e94"); sa = a5->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="ffff:ffff:ffff:ffff::"); a5->setAddress(InetAddr(AF_INET6, "3ffe:1200:2001:1:8000::1")); sa = a5->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="3ffe:1200:2001:1:8000::1"); sa = a5->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="ffff:ffff:ffff:ffff::"); } fwbuilder-5.3.7/src/unit_tests/Inet6AddrMaskTest/Inet6AddrMaskTest.h000066400000000000000000000032211303637203600253430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INET6ADDRMASKTEST_H #define INET6ADDRMASKTEST_H #include class Inet6AddrMaskTest : public CppUnit::TestFixture { public: void testStringToInetAddrExceptions(); void testIntToInetAddr6(); void testStringToInetAddr6(); void testStringToInetAddrMask(); void testInet6AddressOps(); void testUInt128ToInetAddr6(); void testInetAddr6ToUInt128(); CPPUNIT_TEST_SUITE(Inet6AddrMaskTest); CPPUNIT_TEST(testStringToInetAddrExceptions); CPPUNIT_TEST(testIntToInetAddr6); CPPUNIT_TEST(testUInt128ToInetAddr6); CPPUNIT_TEST(testInetAddr6ToUInt128); CPPUNIT_TEST(testStringToInetAddr6); CPPUNIT_TEST(testStringToInetAddrMask); CPPUNIT_TEST(testInet6AddressOps); CPPUNIT_TEST_SUITE_END(); }; #endif // INET6ADDRMASKTEST_H fwbuilder-5.3.7/src/unit_tests/Inet6AddrMaskTest/Inet6AddrMaskTest.pro000066400000000000000000000011301303637203600257110ustar00rootroot00000000000000include(../../../qmake.inc) QT -= core gui TARGET = Inet6AddrMaskTest CONFIG += console CONFIG -= app_bundle TEMPLATE = app QMAKE_CXXFLAGS += $$CPPUNIT_CFLAGS LIBS += $$CPPUNIT_LIBS SOURCES += main.cpp Inet6AddrMaskTest.cpp HEADERS += Inet6AddrMaskTest.h INCLUDEPATH += ../../.. ../../libfwbuilder/src DEPENDPATH += ../../libfwbuilder/src LIBS = ../../libfwbuilder/src/fwbuilder/libfwbuilder.a $$LIBS run_tests.commands = echo "Running tests..." 
&& ./${TARGET} run_tests.depends = all clean_tests.depends = clean build_tests.depends = all QMAKE_EXTRA_TARGETS += run_tests clean_tests build_tests fwbuilder-5.3.7/src/unit_tests/Inet6AddrMaskTest/main.cpp000066400000000000000000000026531303637203600233760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "Inet6AddrMaskTest.h" #include "fwbuilder/FWObjectDatabase.h" #include using namespace libfwbuilder; int fwbdebug = 0; //QString user_name; std::string platform; int main( int, char** argv) { //init(argv); init(); CppUnit::TextUi::TestRunner runner; runner.addTest( Inet6AddrMaskTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/InetAddrMaskTest/000077500000000000000000000000001303637203600216525ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/InetAddrMaskTest/InetAddrMaskTest.cpp000066400000000000000000000266631303637203600255410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "InetAddrMaskTest.h" #include using namespace libfwbuilder; using namespace std; void InetAddrMaskTest::testIntToInetAddr() { InetAddr *sa1 = new InetAddr(0); CPPUNIT_ASSERT_MESSAGE(sa1->toString(), sa1->toString() == "0.0.0.0"); sa1 = new InetAddr(AF_INET, 0); CPPUNIT_ASSERT_MESSAGE(sa1->toString(), sa1->toString() == "0.0.0.0"); sa1 = new InetAddr(1); CPPUNIT_ASSERT_MESSAGE(sa1->toString(), sa1->toString() == "128.0.0.0"); sa1 = new InetAddr(24); CPPUNIT_ASSERT_MESSAGE(sa1->toString(), sa1->toString() == "255.255.255.0"); } void InetAddrMaskTest::testStringToInetAddr() { InetAddr *sa1 = new InetAddr("0.0.0.1"); CPPUNIT_ASSERT_MESSAGE("0.0.0.1 -> " + sa1->toString(), sa1->toString() == "0.0.0.1"); sa1 = new InetAddr("0.0.0.0"); CPPUNIT_ASSERT_MESSAGE("0.0.0.0 -> " + sa1->toString(), sa1->toString() == "0.0.0.0"); sa1 = new InetAddr("1.2.3.4"); CPPUNIT_ASSERT_MESSAGE("1.2.3.4 -> " + sa1->toString(), sa1->toString() == "1.2.3.4"); sa1 = new InetAddr("0.0.1"); CPPUNIT_ASSERT_MESSAGE("0.0.1 -> " + sa1->toString(), sa1->toString() == "0.0.1.0"); sa1 = new InetAddr("0.1"); CPPUNIT_ASSERT_MESSAGE("0.1 -> " + sa1->toString(), sa1->toString() == "0.1.0.0"); // "1" ---> "128.0.0.0" I am not sure this is correct sa1 = new InetAddr("1"); CPPUNIT_ASSERT_MESSAGE("1 -> " + sa1->toString(), sa1->toString() == "128.0.0.0"); sa1 = new InetAddr("1.0"); CPPUNIT_ASSERT_MESSAGE("1.0 -> " + sa1->toString(), 
sa1->toString() == "1.0.0.0"); sa1 = new InetAddr("1.0.0"); CPPUNIT_ASSERT_MESSAGE("1.0.0 -> " + sa1->toString(), sa1->toString() == "1.0.0.0"); sa1 = new InetAddr("255.255.255.255"); CPPUNIT_ASSERT_MESSAGE("255.255.255.255 -> " + sa1->toString(), sa1->toString() == "255.255.255.255"); CPPUNIT_ASSERT(sa1->isValidV4Netmask() == true); sa1 = new InetAddr("255.255.255.128"); CPPUNIT_ASSERT_MESSAGE("255.255.255.128 -> " + sa1->toString(), sa1->toString() == "255.255.255.128"); CPPUNIT_ASSERT(sa1->isValidV4Netmask() == true); sa1 = new InetAddr("255.255.255.0"); CPPUNIT_ASSERT_MESSAGE("255.255.255.0 -> " + sa1->toString(), sa1->toString() == "255.255.255.0"); CPPUNIT_ASSERT(sa1->isValidV4Netmask() == true); sa1 = new InetAddr("255.255.0.0"); CPPUNIT_ASSERT_MESSAGE("255.255.0.0 -> " + sa1->toString(), sa1->toString() == "255.255.0.0"); CPPUNIT_ASSERT(sa1->isValidV4Netmask() == true); sa1 = new InetAddr("255.0.0.0"); CPPUNIT_ASSERT_MESSAGE("255.0.0.0 -> " + sa1->toString(), sa1->toString() == "255.0.0.0"); CPPUNIT_ASSERT(sa1->isValidV4Netmask() == true); sa1 = new InetAddr("0.0.0.0"); CPPUNIT_ASSERT_MESSAGE("0.0.0.0 -> " + sa1->toString(), sa1->toString() == "0.0.0.0"); CPPUNIT_ASSERT(sa1->isValidV4Netmask() == true); sa1 = new InetAddr("255.0.255.0"); CPPUNIT_ASSERT_MESSAGE("255.0.255.0 -> " + sa1->toString(), sa1->toString() == "255.0.255.0"); CPPUNIT_ASSERT(sa1->isValidV4Netmask() == false); } void InetAddrMaskTest::testStringToInetAddrExceptions() { CPPUNIT_ASSERT_NO_THROW(new InetAddr("1.2.3.4")); CPPUNIT_ASSERT_NO_THROW(new InetAddr("1.2.3.4/24")); CPPUNIT_ASSERT_THROW(new InetAddr("1.2.3.4/40"), FWException); CPPUNIT_ASSERT_THROW(new InetAddr("300.300.300.300"), FWException); CPPUNIT_ASSERT_THROW(new InetAddr("1.2.3.4.5"), FWException); CPPUNIT_ASSERT_THROW(new InetAddr("foo.bar"), FWException); CPPUNIT_ASSERT_THROW(new InetAddr("1.2.foo.bar"), FWException); CPPUNIT_ASSERT_THROW(new InetAddr(40), FWException); CPPUNIT_ASSERT_NO_THROW(new InetAddr(24)); 
CPPUNIT_ASSERT_THROW(new InetAddr((char*)(NULL)), FWException); CPPUNIT_ASSERT_NO_THROW(new InetAddr(0)); } void InetAddrMaskTest::testInetAddressOps() { InetAddr x1("1.2.3.4"); InetAddr y1(24); InetAddr z1 = x1 & y1; CPPUNIT_ASSERT(z1.toString() == "1.2.3.0"); CPPUNIT_ASSERT( (~y1).toString() == "0.0.0.255"); InetAddr z2 = z1 | ~y1; CPPUNIT_ASSERT(z2.toString() == "1.2.3.255"); InetAddr z3 = z1 | ~y1; CPPUNIT_ASSERT(z3.toString() == "1.2.3.255"); InetAddr z4 = x1 + 1; CPPUNIT_ASSERT(z4.toString() == "1.2.3.5"); InetAddr z5 = z4 - 1; CPPUNIT_ASSERT(z5.toString() == "1.2.3.4"); CPPUNIT_ASSERT(z5 == x1); InetAddr x2("255.255.255.255"); InetAddr z6 = x2 + 1; CPPUNIT_ASSERT(z6.toString() == "0.0.0.0"); InetAddr x3("1.2.2.4"); CPPUNIT_ASSERT(x3 < x1); CPPUNIT_ASSERT(x1 > x3); } void InetAddrMaskTest::testStringToInetAddrMask() { string sa; InetAddrMask *a1 = new InetAddrMask(); CPPUNIT_ASSERT(a1->toString() == "0.0.0.0/0.0.0.0"); sa = a1->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="0.0.0.0"); // 0.0.0.0/0.0.0.0 has maximum dimension (represents all possible addresses) CPPUNIT_ASSERT(a1->dimension() == (((unsigned int)1)<<31)-1); InetAddrMask *a2 = new InetAddrMask(InetAddr("1.1.1.1"), InetAddr("255.255.255.0")); sa = a2->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="1.1.1.0"); sa = a2->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="255.255.255.0"); CPPUNIT_ASSERT(a2->dimension()==256); CPPUNIT_ASSERT(a2->toString()=="1.1.1.0/255.255.255.0"); InetAddrMask *a3 = new InetAddrMask(string("1.1.1.1")); sa = a3->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="1.1.1.1"); sa = a3->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="255.255.255.255"); CPPUNIT_ASSERT(a3->dimension()==1); CPPUNIT_ASSERT(a2->belongs( *(a3->getAddressPtr()) )); InetAddrMask *a4 = new InetAddrMask(*a3); sa = a4->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="1.1.1.1"); sa = a4->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="255.255.255.255"); CPPUNIT_ASSERT(a4->dimension()==1); 
a4->setAddress(InetAddr("2.2.2.2")); sa = a4->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="2.2.2.2"); sa = a4->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="255.255.255.255"); CPPUNIT_ASSERT(a4->dimension()==1); a4->setNetmask(InetAddr("255.255.0.0")); sa = a4->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="2.2.2.2"); sa = a4->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="255.255.0.0"); CPPUNIT_ASSERT(a4->dimension()==256*256); a4->setNetmask(InetAddr("8")); sa = a4->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="2.2.2.2"); sa = a4->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="255.0.0.0"); CPPUNIT_ASSERT(a4->dimension()==256*256*256); CPPUNIT_ASSERT_THROW(a4->setNetmask(InetAddr("40")), FWException); // a4 should not have changed sa = a4->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="2.2.2.2"); sa = a4->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="255.0.0.0"); CPPUNIT_ASSERT(a4->dimension()==256*256*256); InetAddrMask *a5 = new InetAddrMask(string("1.1.1.1/24")); sa = a5->getAddressPtr()->toString(); CPPUNIT_ASSERT(sa=="1.1.1.1"); sa = a5->getNetmaskPtr()->toString(); CPPUNIT_ASSERT(sa=="255.255.255.0"); CPPUNIT_ASSERT(a5->dimension()==256); } string InetAddrMaskTest::vectorInetAddrMaskToString(vector vect) { string res; vector::iterator it; for (it=vect.begin(); it!=vect.end(); ++it) { res += it->toString() + " "; } return res; } void InetAddrMaskTest::testIPv4Overlap() { string res; res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0")), InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0")) ) ); CPPUNIT_ASSERT(res=="10.0.0.0/255.255.255.0 "); res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0")), InetAddrMask(InetAddr("10.0.0.255"), InetAddr("255.255.255.255")) ) ); CPPUNIT_ASSERT(res=="10.0.0.255/255.255.255.255 "); res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( 
InetAddrMask(InetAddr("10.0.0.255"), InetAddr("255.255.255.255")), InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0")) ) ); CPPUNIT_ASSERT(res=="10.0.0.255/255.255.255.255 "); res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.254")), InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0")) ) ); CPPUNIT_ASSERT(res=="10.0.0.0/255.255.255.254 "); res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0")), InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.254")) ) ); CPPUNIT_ASSERT(res=="10.0.0.0/255.255.255.254 "); res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( InetAddrMask(InetAddr("10.0.0.252"), InetAddr("255.255.255.252")), InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0")) ) ); CPPUNIT_ASSERT(res=="10.0.0.252/255.255.255.252 "); res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0")), InetAddrMask(InetAddr("10.0.0.252"), InetAddr("255.255.255.252")) ) ); CPPUNIT_ASSERT(res=="10.0.0.252/255.255.255.252 "); res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( InetAddrMask(InetAddr("10.0.0.128"), InetAddr("255.255.255.252")), InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0")) ) ); CPPUNIT_ASSERT(res=="10.0.0.128/255.255.255.252 "); res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0")), InetAddrMask(InetAddr("10.0.0.128"), InetAddr("255.255.255.252")) ) ); CPPUNIT_ASSERT(res=="10.0.0.128/255.255.255.252 "); // test specifically for #1934 res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( InetAddrMask(InetAddr("10.0.0.2"), InetAddr("255.255.255.254")), InetAddrMask(InetAddr("10.0.0.0"), InetAddr("255.255.255.0"))) ); CPPUNIT_ASSERT(res=="10.0.0.2/255.255.255.254 "); res = vectorInetAddrMaskToString( libfwbuilder::getOverlap( 
InetAddrMask(InetAddr("10.0.0.2"), InetAddr("255.255.255.254")), InetAddrMask(InetAddr("0.0.0.0"), InetAddr("0.0.0.0"))) ); CPPUNIT_ASSERT(res=="10.0.0.2/255.255.255.254 "); } fwbuilder-5.3.7/src/unit_tests/InetAddrMaskTest/InetAddrMaskTest.h000066400000000000000000000033151303637203600251730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INETADDRMASKTEST_H #define INETADDRMASKTEST_H #include #include "fwbuilder/InetAddrMask.h" #include class InetAddrMaskTest : public CppUnit::TestFixture { public: std::string vectorInetAddrMaskToString( std::vector vect); void testIntToInetAddr(); void testStringToInetAddr(); void testStringToInetAddrExceptions(); void testStringToInetAddrMask(); void testInetAddressOps(); void testIPv4Overlap(); CPPUNIT_TEST_SUITE(InetAddrMaskTest); CPPUNIT_TEST(testStringToInetAddrExceptions); CPPUNIT_TEST(testIntToInetAddr); CPPUNIT_TEST(testStringToInetAddr); CPPUNIT_TEST(testStringToInetAddrMask); CPPUNIT_TEST(testInetAddressOps); CPPUNIT_TEST(testIPv4Overlap); CPPUNIT_TEST_SUITE_END(); }; #endif // INETADDRMASKTEST_H fwbuilder-5.3.7/src/unit_tests/InetAddrMaskTest/InetAddrMaskTest.pro000066400000000000000000000011251303637203600255410ustar00rootroot00000000000000include(../../../qmake.inc) QT -= 
core gui TARGET = InetAddrMaskTest CONFIG += console CONFIG -= app_bundle TEMPLATE = app QMAKE_CXXFLAGS += $$CPPUNIT_CFLAGS LIBS += $$CPPUNIT_LIBS SOURCES += main.cpp InetAddrMaskTest.cpp HEADERS += InetAddrMaskTest.h INCLUDEPATH += ../../.. ../../libfwbuilder/src DEPENDPATH += ../../libfwbuilder/src LIBS = ../../libfwbuilder/src/fwbuilder/libfwbuilder.a $$LIBS run_tests.commands = echo "Running tests..." && ./${TARGET} run_tests.depends = all clean_tests.depends = clean build_tests.depends = all QMAKE_EXTRA_TARGETS += run_tests clean_tests build_tests fwbuilder-5.3.7/src/unit_tests/InetAddrMaskTest/main.cpp000066400000000000000000000026501303637203600233050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "InetAddrMaskTest.h" #include "fwbuilder/FWObjectDatabase.h" #include using namespace libfwbuilder; int fwbdebug = 0; //QString user_name; std::string platform; int main( int, char** argv) { //init(argv); init(); CppUnit::TextUi::TestRunner runner; runner.addTest( InetAddrMaskTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/InterfaceDialogTest/000077500000000000000000000000001303637203600223645ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/InterfaceDialogTest/InterfaceDialogTest.cpp000066400000000000000000000153031303637203600267520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: InterfaceDialogTestTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "InterfaceDialogTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWObjectClipboard.h" #include "TextEditWidget.h" #include "fwbuilder/Address.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObjectDatabase.h" #include "InterfaceDialog.h" #include "StartTipDialog.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "InterfaceDialogTest.h" #include "fwbuilder/IPService.h" using namespace std; using namespace libfwbuilder; void InterfaceDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->startupLoad(); // mw->resize(1200, 600); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); QTest::qWait(1000); firewall = Firewall::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), Firewall::TYPENAME), Firewall::TYPENAME, "TestFirewall")); firewall->setStr("platform", "pix"); // using pix platforms as it supports all dialog options interface = Interface::cast(om->createObject(firewall, Interface::TYPENAME, "TestInterface")); QVERIFY(interface!=NULL); } Library* InterfaceDialogTest::findUserLibrary() { Library *lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } void InterfaceDialogTest::testDialog() { om->editObject(interface); InterfaceDialog *dialog = mw->findChild("w_InterfaceDialog"); 
QVERIFY(dialog != NULL); QLineEdit *obj_name = dialog->findChild("obj_name"); QLineEdit *label = dialog->findChild("label"); TextEditWidget *comment = dialog->findChild("comment"); //options: QSpinBox *seclevel = dialog->findChild("seclevel"); QComboBox *netzone = dialog->findChild("netzone"); QCheckBox *management = dialog->findChild("management"); QCheckBox *unprotected = dialog->findChild("unprotected"); QCheckBox *dedicated_failover = dialog->findChild("dedicated_failover"); QRadioButton *regular = dialog->findChild("regular"); QRadioButton *dynamic = dialog->findChild("dynamic"); QRadioButton *unnumbered = dialog->findChild("unnumbered"); // setting object name obj_name->clear(); QTest::keyClicks(obj_name, "TestInterfaceName"); QTest::keyClick(obj_name, Qt::Key_Enter); QVERIFY(interface->getName() == "TestInterfaceName"); // setting label label->clear(); QTest::keyClicks(label, "TestInterfaceLabel"); QTest::keyClick(label, Qt::Key_Enter); QVERIFY(interface->getLabel() == "TestInterfaceLabel"); // setting comment comment->clear(); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "Test comment"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClick(comment, Qt::Key_Tab); QTest::qWait(100); QVERIFY (interface->getComment() == "Test comment"); // setting security level QTest::mouseClick(seclevel, Qt::LeftButton); QTest::keyClick(seclevel, Qt::Key_Up); QTest::keyClick(seclevel, Qt::Key_Up); QTest::keyClick(seclevel, Qt::Key_Enter); QVERIFY(interface->getSecurityLevel() == 2); // testing management QVERIFY(interface->isManagement() == false); QTest::mouseClick(management, Qt::LeftButton); QVERIFY(interface->isManagement() == true); QTest::mouseClick(management, Qt::LeftButton); QVERIFY(interface->isManagement() == false); // testing unprotected QVERIFY(interface->isUnprotected() == false); QTest::mouseClick(unprotected, Qt::LeftButton); QVERIFY(interface->isUnprotected() == true); QTest::mouseClick(unprotected, Qt::LeftButton); 
QVERIFY(interface->isUnprotected() == false); // testing dedicated failover QVERIFY(interface->isDedicatedFailover() == false); QTest::mouseClick(dedicated_failover, Qt::LeftButton); QVERIFY(interface->isDedicatedFailover() == true); QTest::mouseClick(dedicated_failover, Qt::LeftButton); QVERIFY(interface->isDedicatedFailover() == false); // testing regular/dynamic/unnumbered switch QTest::mouseClick(regular, Qt::LeftButton, Qt::NoModifier, QPoint(5, 5)); QVERIFY(interface->isRegular() == true); QVERIFY(interface->isDyn() == false); QVERIFY(interface->isUnnumbered() == false); QTest::mouseClick(dynamic, Qt::LeftButton); QVERIFY(interface->isRegular() == false); QVERIFY(interface->isDyn() == true); QVERIFY(interface->isUnnumbered() == false); QTest::mouseClick(unnumbered, Qt::LeftButton); QVERIFY(interface->isRegular() == false); QVERIFY(interface->isDyn() == false); QVERIFY(interface->isUnnumbered() == true); // testing that changing netzone combo value changed interface's property string zone = interface->getStr("network_zone"); bool changed = false; for(int i=0; icount(); i++) { netzone->setCurrentIndex(i); dialog->changed(); if (interface->getStr("network_zone") != zone) { changed = true; break; } } QVERIFY(changed); } fwbuilder-5.3.7/src/unit_tests/InterfaceDialogTest/InterfaceDialogTest.h000066400000000000000000000025601303637203600264200ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: InterfaceDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef InterfaceDialogTest_H #define InterfaceDialogTest_H #include #include "ObjectManipulator.h" #include "fwbuilder/Library.h" #include "fwbuilder/Cluster.h" class InterfaceDialogTest : public QObject { Q_OBJECT libfwbuilder::Library* findUserLibrary(); ObjectManipulator *om; libfwbuilder::Firewall *firewall; libfwbuilder::Interface *interface; private slots: void initTestCase(); void testDialog(); }; #endif // InterfaceDialogTest_H fwbuilder-5.3.7/src/unit_tests/InterfaceDialogTest/InterfaceDialogTest.pro000066400000000000000000000002741303637203600267710ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = InterfaceDialogTest SOURCES += main_InterfaceDialogTest.cpp \ InterfaceDialogTest.cpp HEADERS += InterfaceDialogTest.h fwbuilder-5.3.7/src/unit_tests/InterfaceDialogTest/main_InterfaceDialogTest.cpp000066400000000000000000000033021303637203600277520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "InterfaceDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new InterfaceDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/NetworkDialogTest/000077500000000000000000000000001303637203600221155ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/NetworkDialogTest/NetworkDialogTest.cpp000066400000000000000000000214151303637203600262350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: NetworkDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NetworkDialogTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWObjectClipboard.h" #include "TextEditWidget.h" #include "fwbuilder/Address.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObjectDatabase.h" #include "NetworkDialogTest.h" #include "StartTipDialog.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Network.h" #include "fwbuilder/NetworkIPv6.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; void NetworkDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->startupLoad(); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); QTest::qWait(1000); } QPoint findItemPos(ObjectTreeViewItem *item, ObjectTreeView *tree) { for (int h=10; hheight(); h+=1) { for (int w=75; wwidth(); w+=1) { if(tree->itemAt(w,h) == item) return QPoint(w, h); } } return QPoint(-1,-1); } void NetworkDialogTest::checkMessageBox() { QVERIFY(app->activeModalWidget()->metaObject()->className() == QMessageBox().metaObject()->className()); QTimer::singleShot(10, app->activeModalWidget(), SLOT(reject())); QVERIFY(dynamic_cast(app->activeModalWidget())->text().contains("300.300.300.300") || dynamic_cast(app->activeModalWidget())->text().contains("foo:345:1") || dynamic_cast(app->activeModalWidget())->text().contains("145") || dynamic_cast(app->activeModalWidget())->text().contains("300") || dynamic_cast(app->activeModalWidget())->text().contains("0") || 
dynamic_cast(app->activeModalWidget())->text().contains("0.0.0.0") || dynamic_cast(app->activeModalWidget())->text().contains("255.300.300.0") ); } void NetworkDialogTest::checkNoMessageBox() { foreach(QWidget *w, app->topLevelWidgets()) QVERIFY(w->metaObject()->className() != QMessageBox().metaObject()->className()); } void setLineEditText(QLineEdit *line, QString text) { line->clear(); QTest::keyClicks(line, text); QTest::keyClick(line, Qt::Key_Enter); } Library* NetworkDialogTest::findUserLibrary() { Library *lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } void NetworkDialogTest::testNetwork4Dialog() { ObjectManipulator *om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); Library *lib = findUserLibrary(); Network *obj = Network::cast(om->createObject(FWBTree().getStandardSlotForObject(lib, Network::TYPENAME), Network::TYPENAME, "testNetwork")); QTest::qWait(100); om->editObject(obj); QLineEdit *name, *addr, *mask; TextEditWidget *comment; QWidget *ipv4dialog = mw->findChild("w_NetworkDialog"); name = ipv4dialog->findChild("obj_name"); addr = ipv4dialog->findChild("address"); mask = ipv4dialog->findChild("netmask"); comment = ipv4dialog->parent()->findChild("comment"); // test1 qDebug() << "test1"; QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(name, "testNetwork"); QTest::qWait(300); QVERIFY (obj->getName() == "testNetwork"); QTest::qWait(100); comment->clear(); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "Test comment"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClick(comment, Qt::Key_Tab); QTest::qWait(100); QVERIFY (obj->getComment() == "Test comment"); //test2 qDebug() << "test2"; QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(addr, "192.0.2.1"); QTest::qWait(300); QVERIFY (obj->getAddressPtr()->toString() == "192.0.2.1"); 
QTimer::singleShot(300, this, SLOT(checkMessageBox())); setLineEditText(addr, "300.300.300.300"); QTest::qWait(400); QVERIFY (obj->getAddressPtr()->toString() == "192.0.2.1"); QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(mask, "255.255.0.0"); QTest::qWait(300); QVERIFY (obj->getNetmaskPtr()->toString() == "255.255.0.0"); //test3 qDebug() << "test3"; QTest::qWait(100); QTimer::singleShot(300, this, SLOT(checkMessageBox())); setLineEditText(mask, "300.300.300.300"); QTest::qWait(400); QVERIFY (obj->getNetmaskPtr()->toString() == "255.255.0.0"); //test4 qDebug() << "test4"; QTest::qWait(100); QTimer::singleShot(300, this, SLOT(checkMessageBox())); setLineEditText(mask, "255.300.300.0"); QTest::qWait(400); QVERIFY (obj->getNetmaskPtr()->toString() == "255.255.0.0"); QTimer::singleShot(300, this, SLOT(checkMessageBox())); setLineEditText(mask, "0.0.0.0"); QTest::qWait(500); QVERIFY (obj->getNetmaskPtr()->toString() == "255.255.0.0"); } void NetworkDialogTest::testNetwork6Dialog() { ObjectManipulator *om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); Library *lib = findUserLibrary(); QLineEdit *name, *addr, *mask; TextEditWidget *comment; QWidget *ipv6dialog = mw->findChild("w_NetworkDialogIPv6"); name = ipv6dialog->findChild("obj_name"); addr = ipv6dialog->findChild("address"); mask = ipv6dialog->findChild("netmask"); comment = ipv6dialog->parent()->findChild("comment"); //test5 qDebug() << "test5"; NetworkIPv6 *obj = NetworkIPv6::cast(om->createObject(FWBTree().getStandardSlotForObject(lib, NetworkIPv6::TYPENAME), NetworkIPv6::TYPENAME, "testNetworkIPv6")); om->editObject(obj); QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(name, "testNetworkIPv6"); QTest::qWait(300); QVERIFY (obj->getName() == "testNetworkIPv6"); comment->clear(); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "Test comment"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClick(comment, 
Qt::Key_Tab); QTest::qWait(100); QVERIFY (obj->getComment() == "Test comment"); QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(addr, "2001:db8::"); QTest::qWait(300); QVERIFY (obj->getAddressPtr()->toString() == "2001:db8::"); QTimer::singleShot(200, this, SLOT(checkNoMessageBox())); setLineEditText(mask, "120"); QTest::qWait(300); QVERIFY (obj->getNetmaskPtr()->toString() == "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00"); //test6 qDebug() << "test6"; QTimer::singleShot(200, this, SLOT(checkMessageBox())); setLineEditText(addr, "foo:345:1"); QTest::qWait(300); QVERIFY (obj->getAddressPtr()->toString() == "2001:db8::"); //test7 qDebug() << "test7"; QTimer::singleShot(200, this, SLOT(checkMessageBox())); setLineEditText(mask, "300"); QTest::qWait(300); QVERIFY (obj->getNetmaskPtr()->toString() == "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00"); QTimer::singleShot(200, this, SLOT(checkMessageBox())); setLineEditText(mask, "0"); QTest::qWait(300); QVERIFY (obj->getNetmaskPtr()->toString() == "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00"); QTest::qWait(1000); } fwbuilder-5.3.7/src/unit_tests/NetworkDialogTest/NetworkDialogTest.h000066400000000000000000000024371303637203600257050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: NetworkDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef IPDIALOGTEST_H #define IPDIALOGTEST_H #include #include "fwbuilder/Library.h" class NetworkDialogTest : public QObject { Q_OBJECT libfwbuilder::Library* findUserLibrary(); private slots: void initTestCase(); void testNetwork4Dialog(); void testNetwork6Dialog(); public slots: void checkMessageBox(); void checkNoMessageBox(); }; #endif // IPDIALOGTEST_H fwbuilder-5.3.7/src/unit_tests/NetworkDialogTest/NetworkDialogTest.pro000066400000000000000000000002651303637203600262530ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = NetworkDialogTests SOURCES += main_NetworkDialogTest.cpp \ NetworkDialogTest.cpp HEADERS += NetworkDialogTest.h fwbuilder-5.3.7/src/unit_tests/NetworkDialogTest/main_NetworkDialogTest.cpp000066400000000000000000000033031303637203600272350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_NetworkDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "NetworkDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new NetworkDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/ObjectManipulatorTest/000077500000000000000000000000001303637203600227665ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/ObjectManipulatorTest/ObjectManipulatorTest.cpp000066400000000000000000000056641303637203600277670ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ObjectManipulatorTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWObjectClipboard.h" #include "fwbuilder/RuleSet.h" using namespace std; using namespace libfwbuilder; QPoint findItemPos(ObjectTreeViewItem *item, ObjectTreeView *tree) { for (int h=10; hheight(); h+=1) { for (int w=75; wwidth(); w+=1) { if(tree->itemAt(w,h) == item) return QPoint(w, h); } } return QPoint(-1,-1); } void ObjectManipulatorTest::editSelectedObject() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->loadFile("test.fwb", false); ObjectTreeView *tree = mw->getCurrentObjectTree(); tree->expandAll(); ObjectTreeViewItem *policy = dynamic_cast( tree->findItems("Policy", Qt::MatchRecursive | Qt::MatchExactly, 0).first()); ObjectTreeViewItem *fw = dynamic_cast( tree->findItems("TestFirewall", Qt::MatchRecursive | Qt::MatchExactly, 0).first()); ObjectManipulator *om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); tree->setCurrentItem( policy, 0, QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent); om->editSelectedObject(); QTest::qWait(100); QVERIFY(mw->getOpenedEditor() == NULL); QVERIFY(mw->activeProject()->getCurrentRuleSet() == RuleSet::cast(policy->getFWObject())); om->editSelectedObject(); QTest::qWait(100); QVERIFY(mw->getOpenedEditor() == policy->getFWObject()); mw->closeEditor(); tree->setCurrentItem( fw, 0, QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent); om->editSelectedObject(); QTest::qWait(100); QVERIFY(mw->getOpenedEditor() == fw->getFWObject()); } 
fwbuilder-5.3.7/src/unit_tests/ObjectManipulatorTest/ObjectManipulatorTest.h000066400000000000000000000020771303637203600274270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OBJECTMANIPULATORTEST_H #define OBJECTMANIPULATORTEST_H #include class ObjectManipulatorTest : public QObject { Q_OBJECT private slots: void editSelectedObject(); }; #endif // OBJECTMANIPULATORTEST_H fwbuilder-5.3.7/src/unit_tests/ObjectManipulatorTest/ObjectManipulatorTest.pro000066400000000000000000000005071303637203600277740ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = ObjectManipulatorTest SOURCES += main_ObjectManipulatorTest.cpp \ ObjectManipulatorTest.cpp HEADERS += ObjectManipulatorTest.h run_tests.commands = cp -f test.fwb test_work.fwb; \ ./${TARGET}; \ rm -f test_work.fwb fwbuilder-5.3.7/src/unit_tests/ObjectManipulatorTest/main_ObjectManipulatorTest.cpp000066400000000000000000000032211303637203600307560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "ObjectManipulatorTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new ObjectManipulatorTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/ObjectManipulatorTest/test.fwb000066400000000000000000002421011303637203600244450ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established -m state --state ESTABLISHED,RELATED -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/ObjectMatcherTest/000077500000000000000000000000001303637203600220565ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/ObjectMatcherTest/ObjectMatcherTest.cpp000066400000000000000000000210111303637203600261270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 
NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #define o(x) dbsearch(db, x) #include "ObjectMatcherTest.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/XMLTools.h" #include "fwbuilder/libfwbuilder-config.h" #include "fwbuilder/ObjectMatcher.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/Network.h" #include "fwbuilder/Address.h" #include "fwbuilder/AddressRange.h" #include "fwbuilder/Host.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Constants.h" using namespace libfwbuilder; using namespace std; FWObject* dbsearch(FWObject *parent, string name) { for (list::iterator it = parent->begin(); it != parent->end(); it++) { FWObject *obj = *it; if (obj->getName() == name) return obj; FWObject *chs = dbsearch(obj, name); if (chs != NULL) return chs; } return NULL; } void ObjectMatcherTest::matchTest() { FWObjectDatabase *db = new FWObjectDatabase(); XMLTools::UpgradePredicate up; db->load(string("test_data.fwb"), &up, Constants::getTemplateDirectory()); ObjectMatcher om; om.setRecognizeBroadcasts(true); om.setRecognizeMulticasts(true); om.setIPV6(false); om.setMatchSubnets(false); om.setAddressRangeMatchMode(ObjectMatcher::EXACT); Firewall *fw1 = Firewall::cast(dbsearch(db, "fw1")); 
CPPUNIT_ASSERT(fw1 != NULL); Interface *fw1_eth0 = Interface::cast(dbsearch(fw1, "eth0")); CPPUNIT_ASSERT(fw1_eth0 != NULL); Interface *fw1_eth1 = Interface::cast(dbsearch(fw1, "eth1")); CPPUNIT_ASSERT(fw1_eth1 != NULL); Interface *fw1_eth2 = Interface::cast(dbsearch(fw1, "eth2")); CPPUNIT_ASSERT(fw1_eth2 != NULL); IPv6 *fw1_eth2_ipv6 = IPv6::cast(dbsearch(fw1_eth2, "fw1:eth2:ipv6")); CPPUNIT_ASSERT(fw1_eth2_ipv6 != NULL); physAddress *fw1_eth2_mac = physAddress::cast(dbsearch(fw1_eth2, "fw1:eth2:mac")); CPPUNIT_ASSERT(fw1_eth2_mac != NULL); Host *host1 = Host::cast(dbsearch(db, "host1")); CPPUNIT_ASSERT(host1 != NULL); Host *host2 = Host::cast(dbsearch(db, "host2")); CPPUNIT_ASSERT(host2 != NULL); Host *host3 = Host::cast(dbsearch(db, "host3")); CPPUNIT_ASSERT(host3 != NULL); Interface *host1_eth0 = Interface::cast(dbsearch(host1, "eth0")); CPPUNIT_ASSERT(host1_eth0 != NULL); Interface *host2_eth0 = Interface::cast(dbsearch(host2, "eth0")); CPPUNIT_ASSERT(host2_eth0 != NULL); IPv4 *host2_eth0_ip = IPv4::cast(dbsearch(host2_eth0, "ip")); CPPUNIT_ASSERT(host2_eth0_ip != NULL); Interface *host3_eth0 = Interface::cast(dbsearch(host3, "eth0")); CPPUNIT_ASSERT(host3_eth0 != NULL); Interface *host3_eth1 = Interface::cast(dbsearch(host3, "eth1")); CPPUNIT_ASSERT(host3_eth1 != NULL); CPPUNIT_ASSERT(om.dispatch(fw1, fw1)); CPPUNIT_ASSERT(om.dispatch(fw1_eth0, fw1)); CPPUNIT_ASSERT(om.dispatch(fw1_eth1, fw1)); CPPUNIT_ASSERT(om.dispatch(fw1_eth0, fw1_eth0)); CPPUNIT_ASSERT( ! 
om.dispatch(fw1_eth2_ipv6, fw1)); om.setIPV6(true); CPPUNIT_ASSERT( om.dispatch(fw1_eth2_ipv6, fw1)); om.setIPV6(false); CPPUNIT_ASSERT(om.dispatch(fw1_eth2_mac, fw1)); CPPUNIT_ASSERT(om.dispatch(host1_eth0, fw1)); CPPUNIT_ASSERT(om.dispatch(host1, fw1)); CPPUNIT_ASSERT(om.dispatch(host2_eth0_ip, fw1) == false); CPPUNIT_ASSERT(om.dispatch(host2_eth0, fw1) == false); CPPUNIT_ASSERT(om.dispatch(host2, fw1) == false); om.setMatchSubnets(true); CPPUNIT_ASSERT(om.dispatch(host2_eth0_ip, fw1)); om.setMatchSubnets(false); CPPUNIT_ASSERT(om.dispatch(host3_eth0, fw1) == false); CPPUNIT_ASSERT(om.dispatch(host3_eth1, fw1) == false); CPPUNIT_ASSERT(om.dispatch(IPv4::cast(o("addr-192.168.1.1")), fw1)); CPPUNIT_ASSERT(om.dispatch(IPv4::cast(o("addr-192.168.1.1")), fw1_eth1)); CPPUNIT_ASSERT(om.dispatch(IPv4::cast(o("addr-192.168.1.1")), fw1_eth0) == false); om.setIPV6(true); CPPUNIT_ASSERT(om.dispatch(IPv6::cast(o("addr-ipv6-1")), fw1)); CPPUNIT_ASSERT(om.dispatch(IPv6::cast(o("addr-ipv6-2")), fw1) == false); CPPUNIT_ASSERT(om.dispatch(IPv4::cast(o("addr-192.168.1.1")), fw1) == false); om.setIPV6(false); CPPUNIT_ASSERT(om.dispatch(IPv6::cast(o("addr-ipv6-1")), fw1) == false); CPPUNIT_ASSERT(om.dispatch(IPv6::cast(o("addr-ipv6-2")), fw1) == false); CPPUNIT_ASSERT(om.dispatch(Network::cast(o("net-192.168.1.0")), fw1) == false); CPPUNIT_ASSERT(om.dispatch(Network::cast(o("net-192.168.1.0")), fw1_eth1) == false); CPPUNIT_ASSERT(om.dispatch(Network::cast(o("net-192.168.1.0")), fw1_eth0) == false); CPPUNIT_ASSERT(om.dispatch(Network::cast(o("net-192.168.1.1")), fw1)); CPPUNIT_ASSERT(om.dispatch(IPv4::cast(o("addr-192.168.1.255")), fw1)); CPPUNIT_ASSERT(om.dispatch(IPv4::cast(o("addr-192.168.1.0")), fw1)); CPPUNIT_ASSERT(om.dispatch(Network::cast(o("all multicasts")), fw1)); om.setRecognizeBroadcasts(false); CPPUNIT_ASSERT(om.dispatch(IPv4::cast(o("addr-192.168.1.255")), fw1) == false); CPPUNIT_ASSERT(om.dispatch(IPv4::cast(o("addr-192.168.1.0")), fw1) == false); // 
================================================================ // AddressRange tests // here match_subnets == false address_range_match_mode = EXACT // range1 192.168.1.10 - 192.168.1.20 // does not match fw1 exactly, but matches when match_subnets == true CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range1")), fw1) == false); // range2 192.168.2.1-192.168.2.3 does not match fw1:eth2 at all CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range2")), fw1) == false); // range3 192.168.2.27-192.168.2.50 partially overlaps with fw1:eth2 subnet CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range3")), fw1) == false); // range4 192.168.2.27-192.168.2.30 is completely inside fw1:eth2 subnet CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range4")), fw1) == false); // ================================================================ om.setAddressRangeMatchMode(ObjectMatcher::PARTIAL); // here match_subnets == false address_range_match_mode = PARTIAL // when match_subnets == false, ObjectMatcher compares address of interface with // the range and ignores netmask of the interface. 
Address has to be inside the range // to match // range3 192.168.2.27-192.168.2.50 partially overlaps with fw1:eth2 subnet // but address of interface 192.168.2.24 is outside the range CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range3")), fw1) == false); // range4 192.168.2.27-192.168.2.30 is completely inside fw1:eth2 subnet CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range4")), fw1) == false); // fw1:eth2:ip 192.168.2.24 falls inside range5 CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range5")), fw1)); // ================================================================ om.setMatchSubnets(true); // ranges will be compared to subnets defined by interface addr/mask // here match_subnets == true address_range_match_mode = PARTIAL CPPUNIT_ASSERT(om.dispatch(host2_eth0_ip, fw1)); CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range1")), fw1)); // range2 192.168.2.1-192.168.2.3 does not match fw1:eth2 at all CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range2")), fw1) == false); // range3 192.168.2.27-192.168.2.50 partially overlaps with fw1:eth2 subnet CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range3")), fw1)); // range4 192.168.2.27-192.168.2.30 is completely inside fw1:eth2 subnet CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range4")), fw1)); // range5 192.168.2.21-192.168.2.27 partially overlaps with fw1:eth2 subnet CPPUNIT_ASSERT(om.dispatch(AddressRange::cast(o("range5")), fw1)); } fwbuilder-5.3.7/src/unit_tests/ObjectMatcherTest/ObjectMatcherTest.h000066400000000000000000000027061303637203600256060ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OBJECTMATCHERTEST_H #define OBJECTMATCHERTEST_H #include #include #include class ObjectMatcherTest : public CppUnit::TestCase { public: void matchTest(); static CppUnit::Test *suite() { CppUnit::TestSuite *suiteOfTests = new CppUnit::TestSuite( "ObjectMatcherTest" ); suiteOfTests->addTest( new CppUnit::TestCaller( "matchTest", &ObjectMatcherTest::matchTest ) ); return suiteOfTests; } }; #endif // OBJECTMATCHERTEST_H fwbuilder-5.3.7/src/unit_tests/ObjectMatcherTest/ObjectMatcherTest.pro000066400000000000000000000011301303637203600261450ustar00rootroot00000000000000include(../../../qmake.inc) QT -= core gui TARGET = ObjectMatcherTest CONFIG += console CONFIG -= app_bundle TEMPLATE = app QMAKE_CXXFLAGS += $$CPPUNIT_CFLAGS LIBS += $$CPPUNIT_LIBS SOURCES += main.cpp ObjectMatcherTest.cpp HEADERS += ObjectMatcherTest.h INCLUDEPATH += ../../.. ../../libfwbuilder/src DEPENDPATH += ../../libfwbuilder/src LIBS = ../../libfwbuilder/src/fwbuilder/libfwbuilder.a $$LIBS run_tests.commands = echo "Running tests..." && ./${TARGET} run_tests.depends = all clean_tests.depends = clean build_tests.depends = all QMAKE_EXTRA_TARGETS += run_tests clean_tests build_tests fwbuilder-5.3.7/src/unit_tests/ObjectMatcherTest/main.cpp000066400000000000000000000026521303637203600235130ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "ObjectMatcherTest.h" #include "fwbuilder/FWObjectDatabase.h" #include using namespace libfwbuilder; int fwbdebug = 0; //QString user_name; std::string platform; int main( int, char** argv) { //init(argv); init(); CppUnit::TextUi::TestRunner runner; runner.addTest( ObjectMatcherTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/ObjectMatcherTest/test_data.fwb000066400000000000000000000332431303637203600245330ustar00rootroot00000000000000 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/000077500000000000000000000000001303637203600213735ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/PFImporterTest/.gitignore000066400000000000000000000000401303637203600233550ustar00rootroot00000000000000*.fwb !test_data/*.fwb !*.conf fwbuilder-5.3.7/src/unit_tests/PFImporterTest/PFImporterTest.cpp000066400000000000000000000415751303637203600250020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PFImporterTest.h" #include "config.h" #include "global.h" #include #include #include #include #include #include #include "Importer.h" #include "PFImporter.h" #include "FWBTree.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include "fwbuilder/TagService.h" #include "fwbuilder/Constants.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; extern string platform; extern QString findBestVersionMatch(const QString &platform, const QString &discovered_version); class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string &) const { return false; } }; void PFImporterTest::setUp() { FWBTree *tree = new FWBTree(); /* create database */ db = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; db->setReadOnly( false ); db->load( Constants::getStandardObjectsFilePath(), &upgrade_predicate, Constants::getDTDDirectory()); db->setFileName(""); lib = Library::cast(tree->createNewLibrary(db)); lib->setName("User"); logger = new QueueLogger(); // this makes the test compile and link. There is a problem with // dependencies, the test depends on libimport.a and additionally, // PFImporter.cpp depends on this function that is implemented in // platforms.cpp in libgui.a; however since libgui.a comes before // libimport.a in linker command line, this function does not get // pulled since it is not used anywhere except by this test module // and so linking fails. 
Making this call creates dependency and // pulls this function at linking time before libimport.a and its // dependencies are considered QString version = findBestVersionMatch("pf", "4.0"); } void PFImporterTest::compareResults(QueueLogger* logger, QString expected_result_file_name, QString obtained_result_file_name) { QString result; QStringList obtained_result; while (logger->ready()) result.append(logger->getLine().c_str()); obtained_result = result.split("\n"); QFile rw(obtained_result_file_name); rw.open(QFile::WriteOnly); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) rw.write(result.toAscii()); #else rw.write(result.toLatin1()); #endif rw.close(); QFile rr(expected_result_file_name); rr.open(QFile::ReadOnly); QString result_file = rr.readAll(); QStringList expected_result = result_file.split("\n"); CPPUNIT_ASSERT_MESSAGE( QString( "Sizes of the generated importer output and test files are different.\n" "Expected: %1 (%2)\n" "Obtained: %3 (%4)\n" "diff -u %1 %3 | less -S") .arg(expected_result_file_name).arg(expected_result.size()) .arg(obtained_result_file_name).arg(obtained_result.size()).toStdString(), expected_result.size() == obtained_result.size()); int max_idx = max(expected_result.size(), obtained_result.size()); for (int i=0; i < max_idx; ++i) { QString err = QString("Line %1:\nExpected: '%2'\nResult: '%3'\n") .arg(i).arg(expected_result[i]).arg(obtained_result[i]); CPPUNIT_ASSERT_MESSAGE(err.toStdString(), obtained_result[i] == expected_result[i]); } } void PFImporterTest::compareFwbFiles(QString expected_result_file_name, QString obtained_result_file_name) { QString result; QStringList obtained_result; QFile rr(obtained_result_file_name); rr.open(QFile::ReadOnly); QString result_file = rr.readAll(); rr.close(); obtained_result = result_file.split("\n"); QFile er(expected_result_file_name); er.open(QFile::ReadOnly); result_file = er.readAll(); er.close(); QStringList expected_result = result_file.split("\n"); // find all lastModified attributes and 
replace them with identical values // because they are always going to be different QString err("Sizes of the generated .fwb and test files are different: \n" "Expected: %1 (%2)\n" "Obtained: %3 (%4)\n" "diff -u %1 %3 | less -S"); CPPUNIT_ASSERT_MESSAGE( err .arg(expected_result_file_name).arg(expected_result.size()) .arg(obtained_result_file_name).arg(obtained_result.size()) .toStdString(), expected_result.size() == obtained_result.size()); QRegExp last_mod_re("lastModified=\"\\d+\""); int max_idx = max(expected_result.size(), obtained_result.size()); for (int i=0; i < max_idx; ++i) { QString os = obtained_result[i]; obtained_result[i] = os.replace(last_mod_re, "lastModified=\"0000000000\""); QString es = expected_result[i]; expected_result[i] = es.replace(last_mod_re, "lastModified=\"0000000000\""); } for (int i=0; i < max_idx; ++i) { QString err = QString("Line %1:\nExpected: '%2'\nResult: '%3'\n") .arg(i).arg(expected_result[i]).arg(obtained_result[i]); CPPUNIT_ASSERT_MESSAGE(err.toStdString(), obtained_result[i] == expected_result[i]); } } std::string PFImporterTest::openTestFile(const QString &file_name) { QFile f(file_name); f.open(QFile::ReadOnly); string buffer = QString(f.readAll()).toStdString(); f.close(); return buffer; } void PFImporterTest::macrosTest() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-macros.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-macros.fwb"); compareResults(logger, "test_data/pf-macros.output", "pf-macros.output"); compareFwbFiles("test_data/pf-macros.fwb", "pf-macros.fwb"); } void PFImporterTest::hostsMatchTest() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-hosts-matches.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( 
imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-hosts-matches.fwb"); compareResults(logger, "test_data/pf-hosts-matches.output", "pf-hosts-matches.output"); compareFwbFiles("test_data/pf-hosts-matches.fwb", "pf-hosts-matches.fwb"); } void PFImporterTest::blockReturnTest() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-block-return-actions.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-block-return-actions.fwb"); compareResults(logger, "test_data/pf-block-return-actions.output", "pf-block-return-actions.output"); compareFwbFiles("test_data/pf-block-return-actions.fwb", "pf-block-return-actions.fwb"); } void PFImporterTest::icmpMatchTest() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-icmp-matches.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-icmp-matches.fwb"); compareResults(logger, "test_data/pf-icmp-matches.output", "pf-icmp-matches.output"); compareFwbFiles("test_data/pf-icmp-matches.fwb", "pf-icmp-matches.fwb"); } void PFImporterTest::interfaceMatchTest() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-interface-matches.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-interface-matches.fwb"); compareResults(logger, "test_data/pf-interface-matches.output", "pf-interface-matches.output"); compareFwbFiles("test_data/pf-interface-matches.fwb", "pf-interface-matches.fwb"); } void PFImporterTest::portMatchTest() { platform = "pf"; std::istringstream instream( 
openTestFile("test_data/pf-port-matches.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-port-matches.fwb"); compareResults(logger, "test_data/pf-port-matches.output", "pf-port-matches.output"); compareFwbFiles("test_data/pf-port-matches.fwb", "pf-port-matches.fwb"); } void PFImporterTest::setCommandsTest() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-set-commands.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); //db->setPredictableIds(); //db->saveFile("pf-set-commands.fwb"); compareResults(logger, "test_data/pf-set-commands.output", "pf-set-commands.output"); //compareFwbFiles("test_data/pf-set-commands.fwb", // "pf-set-commands.fwb"); } void PFImporterTest::stateMatchTest() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-state-matches.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-state-matches.fwb"); compareResults(logger, "test_data/pf-state-matches.output", "pf-state-matches.output"); compareFwbFiles("test_data/pf-state-matches.fwb", "pf-state-matches.fwb"); } void PFImporterTest::tcpFlagsMatchTest() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-tcp-flags-matches.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-tcp-flags-matches.fwb"); compareResults(logger, "test_data/pf-tcp-flags-matches.output", "pf-tcp-flags-matches.output"); 
compareFwbFiles("test_data/pf-tcp-flags-matches.fwb", "pf-tcp-flags-matches.fwb"); } void PFImporterTest::natCommands() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-nat-rules.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-nat-rules.fwb"); compareResults(logger, "test_data/pf-nat-rules.output", "pf-nat-rules.output"); compareFwbFiles("test_data/pf-nat-rules.fwb", "pf-nat-rules.fwb"); } void PFImporterTest::rdrCommands() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-rdr-rules.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-rdr-rules.fwb"); compareResults(logger, "test_data/pf-rdr-rules.output", "pf-rdr-rules.output"); compareFwbFiles("test_data/pf-rdr-rules.fwb", "pf-rdr-rules.fwb"); } void PFImporterTest::setTimeoutCommands() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-timeouts.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); // db->setPredictableIds(); // db->saveFile("pf-timeouts.fwb"); compareResults(logger, "test_data/pf-timeouts.output", "pf-timeouts.output"); // compareFwbFiles("test_data/pf-timeouts.fwb", // "pf-timeouts.fwb"); } void PFImporterTest::scrubCommandsOld() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-scrub-commands-old.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); compareResults(logger, "test_data/pf-scrub-commands-old.output", "pf-scrub-commands-old.output"); } 
void PFImporterTest::scrubCommandsNew() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-scrub-commands-new.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); compareResults(logger, "test_data/pf-scrub-commands-new.output", "pf-scrub-commands-new.output"); } void PFImporterTest::tableDefinitions() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-tables.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-tables.fwb"); compareResults(logger, "test_data/pf-tables.output", "pf-tables.output"); compareFwbFiles("test_data/pf-tables.fwb", "pf-tables.fwb"); } void PFImporterTest::userGroupMatches() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-user-group-matches.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-user-group-matches.fwb"); compareResults(logger, "test_data/pf-user-group-matches.output", "pf-user-group-matches.output"); compareFwbFiles("test_data/pf-user-group-matches.fwb", "pf-user-group-matches.fwb"); } void PFImporterTest::routeToTest() { platform = "pf"; std::istringstream instream( openTestFile("test_data/pf-route-to.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-route-to.fwb"); compareResults(logger, "test_data/pf-route-to.output", "pf-route-to.output"); compareFwbFiles("test_data/pf-route-to.fwb", "pf-route-to.fwb"); } void PFImporterTest::routeTo47Test() { platform = "pf"; 
std::istringstream instream( openTestFile("test_data/pf-route-to-4.7.conf")); Importer* imp = new PFImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pf-route-to-4.7.fwb"); compareResults(logger, "test_data/pf-route-to-4.7.output", "pf-route-to-4.7.output"); compareFwbFiles("test_data/pf-route-to-4.7.fwb", "pf-route-to-4.7.fwb"); } fwbuilder-5.3.7/src/unit_tests/PFImporterTest/PFImporterTest.h000066400000000000000000000057511303637203600244430ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PFIMPORTERTEST_H #define PFIMPORTERTEST_H #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Logger.h" #include #include #include #include #include class PFImporterTest : public CppUnit::TestFixture { libfwbuilder::FWObjectDatabase *db; libfwbuilder::Library *lib; libfwbuilder::QueueLogger *logger; int predictable_id_tracker; std::map id_mapping; void compareResults(libfwbuilder::QueueLogger* logger, QString expected_result_file_name, QString obtained_result_file_name); void compareFwbFiles(QString expected_result_file_name, QString obtained_result_file_name); std::string openTestFile(const QString &file_name); public: void setUp(); void macrosTest(); void hostsMatchTest(); void blockReturnTest(); void icmpMatchTest(); void interfaceMatchTest(); void portMatchTest(); void setCommandsTest(); void stateMatchTest(); void tcpFlagsMatchTest(); void natCommands(); void rdrCommands(); void setTimeoutCommands(); void scrubCommandsOld(); void scrubCommandsNew(); void tableDefinitions(); void userGroupMatches(); void routeToTest(); void routeTo47Test(); CPPUNIT_TEST_SUITE(PFImporterTest); CPPUNIT_TEST(macrosTest); CPPUNIT_TEST(hostsMatchTest); CPPUNIT_TEST(blockReturnTest); CPPUNIT_TEST(icmpMatchTest); CPPUNIT_TEST(interfaceMatchTest); CPPUNIT_TEST(portMatchTest); CPPUNIT_TEST(setCommandsTest); CPPUNIT_TEST(stateMatchTest); CPPUNIT_TEST(tcpFlagsMatchTest); CPPUNIT_TEST(natCommands); CPPUNIT_TEST(rdrCommands); CPPUNIT_TEST(setTimeoutCommands); CPPUNIT_TEST(scrubCommandsOld); CPPUNIT_TEST(scrubCommandsNew); CPPUNIT_TEST(tableDefinitions); CPPUNIT_TEST(userGroupMatches); CPPUNIT_TEST(routeToTest); CPPUNIT_TEST(routeTo47Test); CPPUNIT_TEST_SUITE_END(); }; #endif // PFIMPORTERTEST_H 
fwbuilder-5.3.7/src/unit_tests/PFImporterTest/PFImporterTest.pro000066400000000000000000000002241303637203600250020ustar00rootroot00000000000000include(../tests_common.pri) TARGET = PFImporterTest HEADERS += PFImporterTest.h SOURCES += main_PFImporterTest.cpp \ PFImporterTest.cpp fwbuilder-5.3.7/src/unit_tests/PFImporterTest/main_PFImporterTest.cpp000066400000000000000000000033061303637203600257740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "PFImporterTest.h" #include "fwbuilder/Resources.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" #include #include #include #include "../../../common/init.cpp" int fwbdebug = 0; //QString user_name; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; std::string platform; int main(int argc, char** argv) { QApplication app(argc, argv, false); init(argv); Resources res(Constants::getResourcesFilePath()); CppUnit::TextUi::TestRunner runner; runner.addTest( PFImporterTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/000077500000000000000000000000001303637203600233435ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-block-return-actions.conf000066400000000000000000000037521303637203600306710ustar00rootroot00000000000000 # state matches block in quick inet proto tcp from any to self port = 80 # the same as the one above block drop in quick inet proto tcp from any to self port = 80 block return in quick inet proto tcp from any to self port = 80 block return in quick inet from any to self block return in quick inet proto udp from any to self port = 123 block return in quick inet proto icmp from any to self block return in quick inet proto { tcp, udp, icmp } from any to self block return-rst in quick inet proto tcp from any to self port = 80 # incorrect rule (cant ue return-rst with udp). 
But we import it anyway block return-rst in quick inet proto udp from any to self port = 123 block return-icmp in quick inet proto tcp from any to self port = 1080 block return-icmp (net-unr) in quick inet proto tcp from any to self port = 1081 block return-icmp (0) in quick inet proto tcp from any to self port = 1082 block return-icmp ( net-unr ) in quick inet proto tcp from any to self port = 1083 block return-icmp ( 0 ) in quick inet proto tcp from any to self port = 1084 block return-icmp (host-unr) in quick inet proto tcp from any to self port = 1085 block return-icmp (1) in quick inet proto tcp from any to self port = 1086 block return-icmp (proto-unr) in quick inet proto tcp from any to self port = 1087 block return-icmp (2) in quick inet proto tcp from any to self port = 1088 block return-icmp (port-unr) in quick inet proto tcp from any to self port = 1089 block return-icmp (3) in quick inet proto tcp from any to self port = 1090 block return-icmp (net-prohib) in quick inet proto tcp from any to self port = 1091 block return-icmp (9) in quick inet proto tcp from any to self port = 1092 block return-icmp (host-prohib) in quick inet proto tcp from any to self port = 1093 block return-icmp (10) in quick inet proto tcp from any to self port = 1094 block return-icmp (filter-prohib) in quick inet proto tcp from any to self port = 1095 block return-icmp (13) in quick inet proto tcp from any to self port = 1096 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-block-return-actions.fwb000066400000000000000000003242231303637203600305210ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk 
fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-block-return-actions.output000066400000000000000000000033571303637203600313050ustar00rootroot000000000000005: filtering rule: action block; interfaces: 8: filtering rule: action block; interfaces: 10: filtering rule: action block; interfaces: 10: Error: 'block return' is not supported in fwbuilder, replacing with 'block return-icmp' 11: filtering rule: action block; interfaces: 11: Error: 'block return' is not supported in fwbuilder, replacing with 'block return-icmp' 12: filtering rule: action block; interfaces: 12: Error: 'block return' is not supported in fwbuilder, replacing with 'block return-icmp' 13: filtering rule: action block; interfaces: 13: Error: 'block return' is not supported in fwbuilder, replacing with 'block return-icmp' 14: filtering rule: action block; interfaces: 14: Error: 'block return' is not supported in fwbuilder, replacing with 'block return-icmp' 16: filtering rule: action block; interfaces: 18: filtering rule: action block; interfaces: 20: filtering rule: action block; interfaces: 21: filtering rule: action block; interfaces: 22: filtering rule: action block; interfaces: 23: filtering rule: action block; interfaces: 24: filtering rule: action block; interfaces: 26: filtering rule: action block; interfaces: 27: filtering rule: action block; interfaces: 29: filtering rule: action block; interfaces: 30: filtering rule: action block; interfaces: 32: filtering rule: action block; interfaces: 33: filtering rule: action block; interfaces: 35: filtering rule: action block; interfaces: 36: filtering rule: action block; interfaces: 38: filtering rule: action block; interfaces: 39: filtering rule: action block; interfaces: 41: filtering rule: action block; interfaces: 42: filtering rule: action block; interfaces: Could not find enough information in the data file to create firewall interface objects. 
fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-hosts-matches.conf000066400000000000000000000040341303637203600274000ustar00rootroot00000000000000 addr_list_macro = "{ 10.123.12.32/27 10.123.14.8/27 10.123.10.16/28 10.123.0.0/24 }" table { 192.168.1.1, 192.168.1.2, 192.168.2.0/24 } table { pcn0, pcn0:network } table { pcn0:peer, pcn0:0 } table { www.fwbuilder.org, www.netcitadel.com } # interface:network interface:broacast interface:peer and interface:0 pass in quick from pcn0:network to self pass in quick from pcn0:broadcast to self pass in quick from pcn0:peer to self pass in quick from pcn0:0 to self pass in quick from any to 192.168.1.1 pass in quick from any to 192.168.1.0/24 pass in quick inet proto tcp from any to pcn0 port 80 pass in quick inet proto tcp from any to (pcn0) port 80 pass in quick inet proto tcp from any to www.fwbuilder.org port 80 pass in quick inet proto tcp from any to self port 22 pass in quick from any to pass in quick from any to pass in quick from any to pass in quick from any to pass in quick from any to $addr_list_macro pass in quick proto tcp from any to $addr_list_macro port 22 pass in quick proto tcp from any to $addr_list_macro port 22 keep state pass in quick inet6 from any to 2001:470:1f0e:162::2 pass in quick inet6 from any to ipv6.fwbuilder.org pass in quick from 192.168.1.1 to any pass in quick from 192.168.1.0/24 to any pass in quick inet proto tcp from pcn0 port 80 to any pass in quick inet proto tcp from (pcn0) port 80 to any pass in quick inet proto tcp from www.fwbuilder.org port 80 to any pass in quick inet proto tcp from self port 22 to any pass in quick from to any pass in quick from to any pass in quick from to any pass in quick from to any pass in quick from $addr_list_macro to any pass in quick proto tcp from $addr_list_macro port 22 to any pass in quick proto tcp from $addr_list_macro port 22 to any keep state pass in quick inet6 from 2001:470:1f0e:162::2 to any pass in quick inet6 from 
ipv6.fwbuilder.org to any fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-hosts-matches.fwb000066400000000000000000003243301303637203600272350ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-hosts-matches.output000066400000000000000000000042241303637203600300140ustar00rootroot000000000000002: Address Table: : 10.123.12.32/27, 10.123.14.8/27, 10.123.10.16/28, 10.123.0.0/24 5: Address Table: : 192.168.1.1, 192.168.1.2, 192.168.2.0/24 6: Address Table: : pcn0, pcn0 6: New interface: pcn0 7: Address Table: : pcn0, pcn0 8: Address Table: : www.fwbuilder.org, www.netcitadel.com 11: filtering rule: action pass; interfaces: 12: filtering rule: action pass; interfaces: 12: Error: import of 'interface:broadcast' is not supported. 13: filtering rule: action pass; interfaces: 13: Error: import of 'interface:peer' is not supported. 14: filtering rule: action pass; interfaces: 14: Error: import of 'interface:0' is not supported. 16: filtering rule: action pass; interfaces: 17: filtering rule: action pass; interfaces: 18: filtering rule: action pass; interfaces: 19: filtering rule: action pass; interfaces: 20: filtering rule: action pass; interfaces: 21: filtering rule: action pass; interfaces: 22: filtering rule: action pass; interfaces: 23: filtering rule: action pass; interfaces: 24: filtering rule: action pass; interfaces: 25: filtering rule: action pass; interfaces: 26: filtering rule: action pass; interfaces: 27: filtering rule: action pass; interfaces: 28: filtering rule: action pass; interfaces: 30: filtering rule: action pass; interfaces: 30: Error: IPv6 import is not supported. 
31: filtering rule: action pass; interfaces: 33: filtering rule: action pass; interfaces: 34: filtering rule: action pass; interfaces: 35: filtering rule: action pass; interfaces: 36: filtering rule: action pass; interfaces: 37: filtering rule: action pass; interfaces: 38: filtering rule: action pass; interfaces: 39: filtering rule: action pass; interfaces: 40: filtering rule: action pass; interfaces: 41: filtering rule: action pass; interfaces: 42: filtering rule: action pass; interfaces: 43: filtering rule: action pass; interfaces: 44: filtering rule: action pass; interfaces: 45: filtering rule: action pass; interfaces: 47: filtering rule: action pass; interfaces: 47: Error: IPv6 import is not supported. 48: filtering rule: action pass; interfaces: fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-icmp-matches.conf000066400000000000000000000015721303637203600271740ustar00rootroot00000000000000 icmp_services="echorep unreach squench redir althost echoreq routeradv routersol timex paramprob timereq timerep inforeq inforep maskreq maskrep trace dataconv mobredir ipv6-where ipv6-here mobregreq mobregrep skip photuris" # icmp matches pass quick on pcn0 inet proto icmp all icmp-type 8 pass quick on pcn0 inet proto icmp all icmp-type 8 code 0 pass quick on pcn0 inet proto icmp all icmp-type echoreq pass quick on pcn0 inet proto icmp all icmp-type echoreq code 0 pass quick on pcn0 inet proto icmp all icmp-type unreach code net-unr pass quick on pcn0 inet proto icmp all icmp-type unreach code 1 pass quick on pcn0 inet proto icmp all icmp-type unreach code host-unr pass quick on pcn0 inet proto icmp all icmp-type unreach code proto-unr pass quick on pcn0 inet proto icmp all icmp-type unreach code port-unr pass quick on pcn0 inet proto icmp all icmp-type { $icmp_services } fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-icmp-matches.fwb000066400000000000000000002557471303637203600270440ustar00rootroot00000000000000 established established -m state 
--state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-icmp-matches.output000066400000000000000000000010061303637203600275770ustar00rootroot000000000000005: New interface: pcn0 5: filtering rule: action pass; interfaces: pcn0 6: filtering rule: action pass; interfaces: pcn0 7: filtering rule: action pass; interfaces: pcn0 8: filtering rule: action pass; interfaces: pcn0 9: filtering rule: action pass; interfaces: pcn0 10: filtering rule: action pass; interfaces: pcn0 11: filtering rule: action pass; interfaces: pcn0 12: filtering rule: action pass; interfaces: pcn0 13: filtering rule: action pass; interfaces: pcn0 14: filtering rule: action pass; interfaces: pcn0 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-interface-matches.conf000066400000000000000000000004451303637203600302020ustar00rootroot00000000000000 # interface:network interface:broacast interface:peer and interface:0 pass in quick from pcn0:network to self pass in quick from pcn0:broadcast to self pass in quick from pcn0:peer to self pass in quick from pcn0:0 to self pass in quick from any to (pcn0) pass out quick from (pcn0) to any fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-interface-matches.fwb000066400000000000000000002414711303637203600300410ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-interface-matches.output000066400000000000000000000007151303637203600306150ustar00rootroot000000000000004: New interface: pcn0 4: filtering rule: 
action pass; interfaces: 5: filtering rule: action pass; interfaces: 5: Error: import of 'interface:broadcast' is not supported. 6: filtering rule: action pass; interfaces: 6: Error: import of 'interface:peer' is not supported. 7: filtering rule: action pass; interfaces: 7: Error: import of 'interface:0' is not supported. 9: filtering rule: action pass; interfaces: 10: filtering rule: action pass; interfaces: fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-macros.conf000066400000000000000000000043671303637203600261130ustar00rootroot00000000000000 one_address = 10.1.1.1 # comment is allowed here addr_list_1 = "{ 10.123.12.32/27 10.123.14.8/27 10.123.10.16/28 10.123.0.0/24 }" # another macro is used inside this one recursively and only {} are in quotes addr_list_2 = "{" $one_address 10.123.12.32/27 10.123.14.8/27 10.123.10.16/28 10.123.0.0/24 "}" # now use comma as a separator addr_list_3 = "{" $one_address, 10.123.12.33/27, 10.123.14.9/27 "}" # spaces are mixed with tabs and messed up addr_list_4 = "{$one_address, 10.123.12.34/27, 10.123.14.10/27}" # multi-line addr_list_5 = "{$one_address, \ 10.123.12.35/27,\ 10.123.14.11/27}" # another macro name is a substring of this one's name addr_list_1_foo = "{ 10.1.2.3 10.4.5.6 10.7.8.9 }" host1 = "192.168.1.1" host2 = "192.168.1.2" recursive_macro = "{" $host1 $host2 "}" tcp_services = "{ ssh, smtp }" ext_if = "em1" mixed_macro_1 = "{ $host1 192.168.2.1 www.fwbuilder.org }" mixed_macro_2 = "{ $host1 192.168.2.1 em1 }" mixed_macro_3 = "{ $host1 192.168.2.1 em1:network }" mixed_macro_4 = "{ em1:network www.fwbuilder.org }" # test for an undefined macro # undefined_macro = 192.168.23.45 pass in quick from any to $one_address pass in quick from any to { 10.11.11.11 $one_address } pass in quick from any to { 10.12.12.12 $one_address} pass in quick from any to { 10.13.13.13, $one_address } pass in quick from any to { $one_address 10.14.14.14 } pass in quick from any to {$one_address 10.15.15.15 } pass in quick from 
any to { $one_address, 10.16.16.16 } pass in quick from any to { $one_address , 10.17.17.17 } pass in quick from any to {$one_address , 10.18.18.18 } pass in quick from any to $addr_list_1 pass in quick from any to $addr_list_2 pass in quick from any to $addr_list_3 pass in quick from any to $addr_list_4 pass in quick from any to $addr_list_5 pass in quick from any to $addr_list_1_foo # test for undefined macro pass in quick from any to $undefined_macro pass out quick on $ext_if proto tcp to $recursive_macro port $tcp_services pass in quick on $ext_if proto tcp from any to $mixed_macro_1 port 80 pass in quick on $ext_if proto tcp from any to $mixed_macro_2 port 80 pass in quick on $ext_if proto tcp from any to $mixed_macro_3 port 80 pass in quick on $ext_if proto tcp from any to $mixed_macro_4 port 80 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-macros.fwb000066400000000000000000003075761303637203600257540ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-macros.output000066400000000000000000000035571303637203600265260ustar00rootroot00000000000000Warning: Macro undefined_macro is undefined3: Address Table: : 10.123.12.32/27, 10.123.14.8/27, 10.123.10.16/28, 10.123.0.0/24 5: Address Table: : 10.1.1.1, 10.123.12.32/27, 10.123.14.8/27, 10.123.10.16/28, 10.123.0.0/24 7: Address Table: : 10.1.1.1, 10.123.12.33/27, 10.123.14.9/27 9: Address Table: : 10.1.1.1, 10.123.12.34/27, 10.123.14.10/27 12: Address Table: : 10.1.1.1, 10.123.12.35/27, 10.123.14.11/27 15: Address Table: : 10.1.2.3, 10.4.5.6, 10.7.8.9 19: Address Table: : 192.168.1.1, 192.168.1.2 23: Address Table: : 192.168.1.1, 192.168.2.1, www.fwbuilder.org 24: Address Table: : 192.168.1.1, 192.168.2.1, 
em1 24: New interface: em1 25: Address Table: : 192.168.1.1, 192.168.2.1, em1 31: filtering rule: action pass; interfaces: 33: filtering rule: action pass; interfaces: 34: filtering rule: action pass; interfaces: 35: filtering rule: action pass; interfaces: 36: filtering rule: action pass; interfaces: 37: filtering rule: action pass; interfaces: 38: filtering rule: action pass; interfaces: 39: filtering rule: action pass; interfaces: 40: filtering rule: action pass; interfaces: 42: filtering rule: action pass; interfaces: 43: filtering rule: action pass; interfaces: 44: filtering rule: action pass; interfaces: 45: filtering rule: action pass; interfaces: 46: filtering rule: action pass; interfaces: 47: filtering rule: action pass; interfaces: 50: filtering rule: action pass; interfaces: 50: Warning: Macro '$undefined_macro' was undefined, rule may be broken 52: filtering rule: action pass; interfaces: em1 54: filtering rule: action pass; interfaces: em1 55: filtering rule: action pass; interfaces: em1 56: filtering rule: action pass; interfaces: em1 57: filtering rule: action pass; interfaces: em1 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-nat-rules.conf000066400000000000000000000027241303637203600265340ustar00rootroot00000000000000# nat rules nat on em0 from 192.168.168.0/24 to any -> 192.0.2.111 nat on ! 
em0 from 192.168.168.0/24 to any -> 192.0.2.111 nat on em0 inet from any to any -> 192.0.2.16/28 bitmask nat on em0 inet from any to any -> 192.0.2.16/28 random nat on em0 inet from any to any -> 192.0.2.16/28 random sticky-address nat on em0 inet from any to any -> 192.0.2.16/28 source-hash nat on em0 inet from any to any -> 192.0.2.16/28 source-hash hex-key nat on em0 inet from any to any -> 192.0.2.16/28 source-hash string-key nat on em0 inet from any to any -> 192.0.2.16/28 round-robin nat on em0 inet from any to any -> 192.0.2.16/28 round-robin sticky-address nat on em0 inet from any to any -> 192.0.2.16/28 static-port nat on em0 inet proto udp from any port 10000 to any -> em0 nat on em0 inet proto udp from any port 10000 to any -> (em0) nat on em0 inet proto udp from any port 10000 to any -> (em0) port 10000 nat on em0 inet proto udp from any port 10000:10010 to any -> (em0) port 10000 nat on em0 inet proto udp from any port 10000:10010 to any -> (em0) port 10000:* nat on em0 inet proto udp from any port 10000 to any -> \ 192.0.2.16/28 port 10000 bitmask nat on em0 inet proto udp from any port 10000:10010 to any -> \ 192.0.2.16/28 port 10000:* bitmask # no nat rule no nat on em0 proto ah from 192.168.1.0/24 to any nat on em0 from 192.168.1.0/24 to any -> 192.0.2.100 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-nat-rules.fwb000066400000000000000000003020621303637203600263630ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-nat-rules.output000066400000000000000000000020231303637203600271370ustar00rootroot000000000000003: New interface: em0 3: nat rule: action nat; interfaces: em0 4: nat rule: action nat; interfaces: em0 6: nat rule: action nat; 
interfaces: em0 7: nat rule: action nat; interfaces: em0 8: nat rule: action nat; interfaces: em0 9: nat rule: action nat; interfaces: em0 10: nat rule: action nat; interfaces: em0 10: Error: import of commands with pool type 'source-hash hex-key' option is not supported 11: nat rule: action nat; interfaces: em0 11: Error: import of commands with pool type 'source-hash string-key' option is not supported 12: nat rule: action nat; interfaces: em0 13: nat rule: action nat; interfaces: em0 14: nat rule: action nat; interfaces: em0 16: nat rule: action nat; interfaces: em0 17: nat rule: action nat; interfaces: em0 18: nat rule: action nat; interfaces: em0 19: nat rule: action nat; interfaces: em0 20: nat rule: action nat; interfaces: em0 22: nat rule: action nat; interfaces: em0 23: nat rule: action nat; interfaces: em0 26: nat rule: action nonat; interfaces: em0 27: nat rule: action nat; interfaces: em0 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-port-matches.conf000066400000000000000000000102641303637203600272260ustar00rootroot00000000000000 port_group = {22, 80, 119, 20} # destination port matches pass in quick proto tcp from any to self port = 22 pass in quick proto tcp from any to self port 22 pass in quick proto tcp from any to self port != 22 pass in quick proto tcp from any to self port < 1024 pass in quick proto tcp from any to self port <= 1024 pass in quick proto tcp from any to self port > 1024 pass in quick proto tcp from any to self port >= 1024 pass in quick proto tcp from any to self port $port_group pass in quick proto tcp from any to self port ssh pass in quick proto tcp from any to self port smtp pass in quick proto tcp from any to self port www pass in quick proto tcp from any to self port https pass in quick proto tcp from any to self port ntp pass in quick proto tcp from any to self port ftp pass in quick proto tcp from any to self port ftp-data pass in quick proto udp from any to self port domain # source port matches pass in quick 
proto tcp from any port = 22 to self pass in quick proto tcp from any port 22 to self pass in quick proto tcp from any port != 22 to self pass in quick proto tcp from any port < 1024 to self pass in quick proto tcp from any port <= 1024 to self pass in quick proto tcp from any port > 1024 to self pass in quick proto tcp from any port >= 1024 to self pass in quick proto tcp from any port $port_group to self pass in quick proto tcp from any port ssh to self pass in quick proto tcp from any port smtp to self pass in quick proto tcp from any port www to self pass in quick proto tcp from any port https to self pass in quick proto tcp from any port ntp to self pass in quick proto tcp from any port ftp to self pass in quick proto tcp from any port ftp-data to self pass in quick proto udp from any port domain to self # port ranges pass in quick proto tcp from any to self port 1000:1010 pass in quick proto tcp from any to self port 1000><1010 pass in quick proto tcp from any to self port 1000<>1010 pass in quick proto tcp from any port 1000:1010 to self pass in quick proto tcp from any port 1000><1010 to self pass in quick proto tcp from any port 1000<>1010 to self # that difficult port range match pass in quick proto tcp from any to self port 1024:65535 # combined source and destination port matches pass in quick proto tcp from any port 1024:65535 to self port 22 pass in quick proto tcp from any port 1024:65535 to self port != 22 pass in quick proto tcp from any port 1024:65535 to self port < 1024 pass in quick proto tcp from any port 1024:65535 to self port <= 1024 pass in quick proto tcp from any port 1024:65535 to self port > 1024 pass in quick proto tcp from any port 1024:65535 to self port >= 1024 pass in quick proto tcp from any port 1024:65535 to self port 1000:1010 pass in quick proto tcp from any port 1024:65535 to self port 1000><1010 pass in quick proto tcp from any port 1024:65535 to self port 1000<>1010 pass in quick proto tcp from any port > 1024 to self port 
22 pass in quick proto tcp from any port > 1024 to self port != 22 pass in quick proto tcp from any port > 1024 to self port < 1024 pass in quick proto tcp from any port > 1024 to self port <= 1024 pass in quick proto tcp from any port > 1024 to self port > 1024 pass in quick proto tcp from any port > 1024 to self port >= 1024 pass in quick proto tcp from any port > 1024 to self port 1000:1010 pass in quick proto tcp from any port > 1024 to self port 1000><1010 pass in quick proto tcp from any port > 1024 to self port 1000<>1010 pass in quick proto tcp from any port > 1024 to self port $port_group pass in quick proto udp from any port { 10001, 10002, 10003 } to \ self port { 20001, 20002, 20003 } pass in quick proto udp from any port { 10001, 10002, 10003 } to \ self port { 20000:20020, 20030:20040 } pass in quick proto udp from any port { 10000:10010, 10030:10040 } to \ self port { 20000:20020, 20030:20040 } pass in quick proto udp from any port { <1024 , >10030 } to \ self port { 20000:20020, 20030:20040 } fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-port-matches.fwb000066400000000000000000004516241303637203600270700ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-port-matches.output000066400000000000000000000066201303637203600276420ustar00rootroot000000000000005: filtering rule: action pass; interfaces: 6: filtering rule: action pass; interfaces: 7: filtering rule: action pass; interfaces: 7: Error: 'Port not equal' operation is not supported yet. 
8: filtering rule: action pass; interfaces: 9: filtering rule: action pass; interfaces: 10: filtering rule: action pass; interfaces: 11: filtering rule: action pass; interfaces: 12: filtering rule: action pass; interfaces: 14: filtering rule: action pass; interfaces: 15: filtering rule: action pass; interfaces: 16: filtering rule: action pass; interfaces: 17: filtering rule: action pass; interfaces: 18: filtering rule: action pass; interfaces: 19: filtering rule: action pass; interfaces: 20: filtering rule: action pass; interfaces: 21: filtering rule: action pass; interfaces: 24: filtering rule: action pass; interfaces: 25: filtering rule: action pass; interfaces: 26: filtering rule: action pass; interfaces: 26: Error: 'Port not equal' operation is not supported yet. 27: filtering rule: action pass; interfaces: 28: filtering rule: action pass; interfaces: 29: filtering rule: action pass; interfaces: 30: filtering rule: action pass; interfaces: 31: filtering rule: action pass; interfaces: 33: filtering rule: action pass; interfaces: 34: filtering rule: action pass; interfaces: 35: filtering rule: action pass; interfaces: 36: filtering rule: action pass; interfaces: 37: filtering rule: action pass; interfaces: 38: filtering rule: action pass; interfaces: 39: filtering rule: action pass; interfaces: 40: filtering rule: action pass; interfaces: 43: filtering rule: action pass; interfaces: 44: filtering rule: action pass; interfaces: 45: filtering rule: action pass; interfaces: 45: Error: 'except ranges' ('<>') for port numbers are not supported yet. 47: filtering rule: action pass; interfaces: 48: filtering rule: action pass; interfaces: 49: filtering rule: action pass; interfaces: 49: Error: 'except ranges' ('<>') for port numbers are not supported yet. 52: filtering rule: action pass; interfaces: 55: filtering rule: action pass; interfaces: 56: filtering rule: action pass; interfaces: 56: Error: 'Port not equal' operation is not supported yet. 
57: filtering rule: action pass; interfaces: 58: filtering rule: action pass; interfaces: 59: filtering rule: action pass; interfaces: 60: filtering rule: action pass; interfaces: 61: filtering rule: action pass; interfaces: 62: filtering rule: action pass; interfaces: 63: filtering rule: action pass; interfaces: 63: Error: 'except ranges' ('<>') for port numbers are not supported yet. 65: filtering rule: action pass; interfaces: 66: filtering rule: action pass; interfaces: 66: Error: 'Port not equal' operation is not supported yet. 67: filtering rule: action pass; interfaces: 68: filtering rule: action pass; interfaces: 69: filtering rule: action pass; interfaces: 70: filtering rule: action pass; interfaces: 71: filtering rule: action pass; interfaces: 72: filtering rule: action pass; interfaces: 73: filtering rule: action pass; interfaces: 73: Error: 'except ranges' ('<>') for port numbers are not supported yet. 75: filtering rule: action pass; interfaces: 78: filtering rule: action pass; interfaces: 80: filtering rule: action pass; interfaces: 82: filtering rule: action pass; interfaces: 84: filtering rule: action pass; interfaces: Could not find enough information in the data file to create firewall interface objects. 
fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-rdr-rules.conf000066400000000000000000000007661303637203600265450ustar00rootroot00000000000000# rdr rules rdr on em0 inet proto tcp from any to (em0) port 80 -> 10.0.1.111 port 8080 rdr on em0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080 # pool-type comes after portspec rdr on em0 inet proto tcp from any to (em0) port 80 -> \ { 10.0.1.111, 10.0.1.112, 10.0.1.113 } port 8080 round-robin # no rdr rule no rdr on em0 inet proto tcp from 192.168.1.1 to any port 80 rdr on em0 inet proto tcp from 192.168.1.0/24 to any port 80 -> \ 192.0.2.100 port 8080 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-rdr-rules.fwb000066400000000000000000002451471303637203600264020ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-rdr-rules.output000066400000000000000000000003471303637203600271530ustar00rootroot000000000000003: New interface: em0 3: nat rule: action rdr; interfaces: em0 5: nat rule: action rdr; interfaces: em0 8: nat rule: action rdr; interfaces: em0 11: nat rule: action nonat; interfaces: em0 12: nat rule: action rdr; interfaces: em0 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-route-to-4.7.conf000066400000000000000000000017201303637203600267010ustar00rootroot00000000000000 pass in log quick inet from 192.168.1.0/24 to any route-to { ( em0 10.1.2.3 ) } pass in quick on bce0 inet from 192.168.1.0/24 to any reply-to ( bce0 10.3.4.5 ) pass out quick on bce0 proto tcp from any port 80 to any dup-to (em0 10.1.2.3) # here we test that parameters round-robin, bitmask, random and source-hash # are imported correctly. 
# Also as of fwbuilder 5 we do not support route-to with multiple different # interface-gateway pairs; multiple gateway addresses and only one interface # are allowed. These rules will be imported partially. pass in quick on bce0 from 172.16.20.0/24 route-to { (em2 172.16.2.20), (em1 172.16.3.20) } round-robin pass in quick on bce0 from 172.16.20.0/24 route-to { (em2 172.16.2.20), (em1 172.16.3.20) } bitmask pass in quick on bce0 from 172.16.20.0/24 route-to { (em2 172.16.2.20), (em1 172.16.3.20) } random pass in quick on bce0 from 172.16.20.0/24 route-to { (em2 172.16.2.20), (em1 172.16.3.20) } source-hash fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-route-to-4.7.fwb000066400000000000000000002525741303637203600265510ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-route-to-4.7.output000066400000000000000000000016761303637203600273260ustar00rootroot000000000000002: New interface: em0 2: filtering rule: action pass; interfaces: 4: New interface: bce0 4: filtering rule: action pass; interfaces: bce0 6: filtering rule: action pass; interfaces: bce0 14: New interface: em2 14: New interface: em1 14: filtering rule: action pass; interfaces: bce0 14: Warning: 'route-to' parameters with multiple interface-gateway pairs are not supported: "(em2 172.16.2.20), (em1 172.16.3.20)" 15: filtering rule: action pass; interfaces: bce0 15: Warning: 'route-to' parameters with multiple interface-gateway pairs are not supported: "(em2 172.16.2.20), (em1 172.16.3.20)" 16: filtering rule: action pass; interfaces: bce0 16: Warning: 'route-to' parameters with multiple interface-gateway pairs are not supported: "(em2 172.16.2.20), (em1 172.16.3.20)" 17: filtering rule: action 
pass; interfaces: bce0 17: Warning: 'route-to' parameters with multiple interface-gateway pairs are not supported: "(em2 172.16.2.20), (em1 172.16.3.20)" fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-route-to.conf000066400000000000000000000017111303637203600263730ustar00rootroot00000000000000 pass in log quick route-to { ( em0 10.1.2.3 ) } inet from 192.168.1.0/24 to any pass in quick on bce0 reply-to ( bce0 10.3.4.5 ) inet from 192.168.1.0/24 to any pass out quick on bce0 dup-to (em0 10.1.2.3) proto tcp from any port 80 to any # here we test that parameters round-robin, bitmask, random and source-hash # are imported correctly. # Also as of fwbuilder 5 we do not support route-to with multiple different # interface-gateway pairs; multiple gateway addresses and only one interface # are allowed. These rules will be imported partially. pass in quick on bce0 route-to { (em2 172.16.2.20), (em1 172.16.3.20) } round-robin from 172.16.20.0/24 pass in quick on bce0 route-to { (em2 172.16.2.20), (em1 172.16.3.20) } bitmask from 172.16.20.0/24 pass in quick on bce0 route-to { (em2 172.16.2.20), (em1 172.16.3.20) } random from 172.16.20.0/24 pass in quick on bce0 route-to { (em2 172.16.2.20), (em1 172.16.3.20) } source-hash from 172.16.20.0/24 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-route-to.fwb000066400000000000000000002525741303637203600262430ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-route-to.output000066400000000000000000000016761303637203600270200ustar00rootroot000000000000002: New interface: em0 2: filtering rule: action pass; interfaces: 4: New interface: bce0 4: filtering rule: action pass; interfaces: bce0 6: filtering rule: 
action pass; interfaces: bce0 14: New interface: em2 14: New interface: em1 14: filtering rule: action pass; interfaces: bce0 14: Warning: 'route-to' parameters with multiple interface-gateway pairs are not supported: "(em2 172.16.2.20), (em1 172.16.3.20)" 15: filtering rule: action pass; interfaces: bce0 15: Warning: 'route-to' parameters with multiple interface-gateway pairs are not supported: "(em2 172.16.2.20), (em1 172.16.3.20)" 16: filtering rule: action pass; interfaces: bce0 16: Warning: 'route-to' parameters with multiple interface-gateway pairs are not supported: "(em2 172.16.2.20), (em1 172.16.3.20)" 17: filtering rule: action pass; interfaces: bce0 17: Warning: 'route-to' parameters with multiple interface-gateway pairs are not supported: "(em2 172.16.2.20), (em1 172.16.3.20)" fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-scrub-commands-new.conf000066400000000000000000000004171303637203600303230ustar00rootroot00000000000000 # supported commands for PF v4.6 and newer match all scrub ( reassemble tcp ) match all scrub ( no-df ) match out all scrub ( min-ttl 10 ) match out all scrub ( max-mss 1470 ) match out all scrub ( random-id ) match in all scrub (no-df max-mss 1440) block log all fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-scrub-commands-new.output000066400000000000000000000004001303637203600307260ustar00rootroot0000000000000014: filtering rule: action block; interfaces: Could not find enough information in the data file to create firewall interface objects. 
scrub reassemble tcp scrub no-df scrub min-ttl 10 scrub max-mss 1470 scrub random-id scrub no-df scrub max-mss 1440 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-scrub-commands-old.conf000066400000000000000000000003571303637203600303130ustar00rootroot00000000000000 # supported commands scrub all fragment reassemble scrub all fragment crop scrub all fragment drop-ovl scrub all reassemble tcp scrub all no-df scrub out all min-ttl 10 scrub out all max-mss 1470 scrub out all random-id block log all fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-scrub-commands-old.output000066400000000000000000000004461303637203600307250ustar00rootroot0000000000000014: filtering rule: action block; interfaces: Could not find enough information in the data file to create firewall interface objects. scrub fragment reassemble scrub fragment crop scrub fragment drop-ovl scrub reassemble tcp scrub no-df scrub min-ttl 10 scrub max-mss 1470 scrub random-id fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-set-commands.conf000066400000000000000000000011201303637203600272010ustar00rootroot00000000000000 # supported set commands set debug crit set state-policy if-bound set block-policy drop set block-policy return set limit { frags 5000, states 10000, src-nodes 100000, tables 100000, tables-entries 100000 } set optimization normal set optimization aggressive set optimization conservative set optimization high-latency set skip on lo0 set skip on { lo0, em0 } set skip on {pcn0 pcn1} # unsupported set commands set fingerprints set hostid 1234567890 set loginterface dc0 set reassemble set require-order set ruleset-optimization basic set state-defaults pflow, no-sync block log all fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-set-commands.output000066400000000000000000000017371303637203600276320ustar00rootroot0000000000000022: Error: import of 'set fingerprints' commands is not supported. 23: Error: import of 'set hostid' commands is not supported. 
24: Error: import of 'set loginterface' commands is not supported. 25: Error: import of 'set reassemble' commands is not supported. 26: Error: import of 'set require-order' commands is not supported. 27: Error: import of 'set ruleset-optimization' commands is not supported. 28: Error: import of 'set state-defaults' commands is not supported. 30: filtering rule: action block; interfaces: Could not find enough information in the data file to create firewall interface objects. Configuring limits: set limit frags 5000 set limit states 10000 set limit src-nodes 100000 set limit tables 100000 set limit tables-entries 100000 set optimization high-latency set block-policy return set state-policy if-bound New interface: lo0set skip on lo0 New interface: em0set skip on em0 New interface: pcn0set skip on pcn0 New interface: pcn1set skip on pcn1 set debug crit fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-state-matches.conf000066400000000000000000000007641303637203600273660ustar00rootroot00000000000000 # state matches pass in quick proto tcp from any to self port = 22 label "no state word" pass in quick proto tcp from any to self port = 22 keep state label "keep state" pass in quick proto tcp from any to self port = 22 no state label "no state" # add modulate state , synproxy and other state-related variants here pass out proto tcp from any to any modulate state pass in proto tcp from any to any port 25 flags S/SFRA modulate state pass in proto tcp from any to any port 80 synproxy state fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-state-matches.fwb000066400000000000000000002442021303637203600272140ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk 
fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-state-matches.output000066400000000000000000000005531303637203600277750ustar00rootroot000000000000005: filtering rule: action pass; interfaces: 6: filtering rule: action pass; interfaces: 7: filtering rule: action pass; interfaces: 10: filtering rule: action pass; interfaces: 11: filtering rule: action pass; interfaces: 12: filtering rule: action pass; interfaces: Could not find enough information in the data file to create firewall interface objects. fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-tables.conf000066400000000000000000000012461303637203600260720ustar00rootroot00000000000000 table persist table counters table counters file "./pf_block_permanent" table file "./pf_table" table table const { 10/8, 172.16/12, 192.168/16 } table { 192.168.1.1, 192.168.1.2, 192.168.2.0/24 } table { pcn0, pcn0:network } table { pcn0:peer, pcn0:0 } table { www.fwbuilder.org, www.netcitadel.com } # unsupported: this table has a mix of negated and non-negated addresses table { 192.168.10.1, !192.168.10.2, 192.168.20.0/24 } # the rule should be marked as "broken" pass in quick on em1 from to any fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-tables.fwb000066400000000000000000002413451303637203600257310ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-tables.output000066400000000000000000000023601303637203600265030ustar00rootroot000000000000002: Address Table: file 3: Warning: attribute "counters" will be dropped from table configuration since this attribute is not supported at this time 3: Address Table: file 4: Warning: attribute "counters" will be dropped from table configuration since this 
attribute is not supported at this time 4: Address Table: file "./pf_block_permanent" 5: Address Table: file "./pf_table" 6: Address Table: file 7: Warning: attribute "const" will be dropped from table configuration since this attribute is not supported at this time 7: Address Table: : 10/8, 172.16/12, 192.168/16 9: Address Table: : 192.168.1.1, 192.168.1.2, 192.168.2.0/24 10: Address Table: : pcn0, pcn0 10: New interface: pcn0 11: Address Table: : pcn0, pcn0 12: Address Table: : www.fwbuilder.org, www.netcitadel.com 15: Address Table: : 192.168.10.1, !192.168.10.2, 192.168.20.0/24 15: Error: import of table definition with negated addresses is not supported. 18: New interface: em1 18: filtering rule: action pass; interfaces: em1 18: Error: Address table 'dst_addresses_5' has a mix of negated and non-negated addresses in the original file. fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-tcp-flags-matches.conf000066400000000000000000000012211303637203600301130ustar00rootroot00000000000000 # tcp flags matches pass in quick proto tcp from any to self port = 22 pass in quick proto tcp from any to self port = 22 flags any pass in quick proto tcp from any to self port = 22 flags S/SA pass in quick proto tcp from any to self port = 22 flags S/SAFR block in log quick proto tcp flags FUP/WEUAPRSF label "FUP/WEUAPRSF" block in log quick proto tcp flags WEUAPRSF/WEUAPRSF label "WEUAPRSF/WEUAPRSF" block in log quick proto tcp flags SRAFU/WEUAPRSF label "SRAFU/WEUAPRSF" block in log quick proto tcp flags /WEUAPRSF label "/WEUAPRSF" block in log quick proto tcp flags SR/SR label "SR/SR" block in log quick proto tcp flags SF/SF label "SF/SF" fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-tcp-flags-matches.fwb000066400000000000000000002566661303637203600277750ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m 
psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-tcp-flags-matches.output000066400000000000000000000014221303637203600305310ustar00rootroot000000000000004: filtering rule: action pass; interfaces: 5: filtering rule: action pass; interfaces: 6: filtering rule: action pass; interfaces: 7: filtering rule: action pass; interfaces: 9: filtering rule: action block; interfaces: 9: Error: TCP flag matches 'E' and 'W' are not supported. 10: filtering rule: action block; interfaces: 10: Error: TCP flag matches 'E' and 'W' are not supported. 11: filtering rule: action block; interfaces: 11: Error: TCP flag matches 'E' and 'W' are not supported. 12: filtering rule: action block; interfaces: 12: Error: TCP flag matches 'E' and 'W' are not supported. 13: filtering rule: action block; interfaces: 14: filtering rule: action block; interfaces: Could not find enough information in the data file to create firewall interface objects. 
fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-timeouts.conf000066400000000000000000000007471303637203600264760ustar00rootroot00000000000000 # these should be all timeouts we support in 4.3 set timeout interval 10 set timeout frag 30 set timeout { tcp.first 60, tcp.opening 30, tcp.established 3600, tcp.closing 30, tcp.finwait 2, tcp.closed 10 } set timeout { udp.first 20, udp.single 10, udp.multiple 15 } set timeout { icmp.first 11, icmp.error 6 } set timeout { other.first 40, other.single 20, other.multiple 30 } set timeout { adaptive.start 10, adaptive.end 5 } # invalid timeout name set timeout foo 20 block log all fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-timeouts.output000066400000000000000000000012631303637203600271030ustar00rootroot0000000000000012: Parser error: line 12:13: unexpected token: foo 14: filtering rule: action block; interfaces: Could not find enough information in the data file to create firewall interface objects. Configuring timeouts: set timeout interval 10 set timeout frag 30 set timeout tcp.first 60 set timeout tcp.opening 30 set timeout tcp.established 3600 set timeout tcp.closing 30 set timeout tcp.finwait 2 set timeout tcp.closed 10 set timeout udp.first 20 set timeout udp.single 10 set timeout udp.multiple 15 set timeout icmp.first 11 set timeout icmp.error 6 set timeout other.first 40 set timeout other.single 20 set timeout other.multiple 30 set timeout adaptive.start 10 set timeout adaptive.end 5 fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-user-group-matches.conf000066400000000000000000000005031303637203600303450ustar00rootroot00000000000000pass out quick from self to any user foo pass out quick from self to any user 500 pass out quick from self to any user > 500 pass out quick from self to any user { 500, 501, 502 } pass out quick from self to any group bar pass out quick from self to any group > 500 pass out quick from self to any group { 500, 501, 502 } 
fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-user-group-matches.fwb000066400000000000000000002417101303637203600302050ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PFImporterTest/test_data/pf-user-group-matches.output000066400000000000000000000013751303637203600307700ustar00rootroot000000000000001: Error: import of 'user' match is not supported. 1: filtering rule: action pass; interfaces: 2: Error: import of 'user' match is not supported. 2: filtering rule: action pass; interfaces: 3: Error: import of 'user' match is not supported. 3: filtering rule: action pass; interfaces: 4: Error: import of 'user' match is not supported. 4: filtering rule: action pass; interfaces: 5: Error: import of 'group' match is not supported. 5: filtering rule: action pass; interfaces: 6: Error: import of 'group' match is not supported. 6: filtering rule: action pass; interfaces: 7: Error: import of 'group' match is not supported. 7: filtering rule: action pass; interfaces: Could not find enough information in the data file to create firewall interface objects. fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/000077500000000000000000000000001303637203600215265ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/.gitignore000066400000000000000000000000271303637203600235150ustar00rootroot00000000000000*.fwb !test_data/*.fwb fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/PIXImporterTest.cpp000066400000000000000000000272651303637203600252700ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "PIXImporterTest.h" #include "config.h" #include "global.h" #include #include #include #include #include #include #include "Importer.h" #include "PIXImporter.h" #include "FWBTree.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Rule.h" #include "fwbuilder/TagService.h" #include "fwbuilder/Constants.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; extern string platform; extern QString findBestVersionMatch(const QString &platform, const QString &discovered_version); class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string &) const { return false; } }; void PIXImporterTest::setUp() { FWBTree *tree = new FWBTree(); /* create database */ db = new FWObjectDatabase(); /* load the data file */ UpgradePredicate upgrade_predicate; db->setReadOnly( false ); db->load( Constants::getStandardObjectsFilePath(), &upgrade_predicate, Constants::getDTDDirectory()); db->setFileName(""); lib = Library::cast(tree->createNewLibrary(db)); lib->setName("User"); logger = new QueueLogger(); // this makes the test compile and link. 
There is a problem with // dependencies, the test depends on libimport.a and additionally, // PIXImporter.cpp depends on this function that is implemented in // platforms.cpp in libgui.a; however since libgui.a comes before // libimport.a in linker command line, this function does not get // pulled since it is not used anywhere except by this test module // and so linking fails. Making this call creates dependency and // pulls this function at linking time before libimport.a and its // dependencies are considered QString version = findBestVersionMatch("pix", "7.0"); } void PIXImporterTest::compareResults(QueueLogger* logger, QString expected_result_file_name, QString obtained_result_file_name) { QString result; QStringList obtained_result; while (logger->ready()) result.append(logger->getLine().c_str()); obtained_result = result.split("\n"); QFile rw(obtained_result_file_name); rw.open(QFile::WriteOnly); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) rw.write(result.toAscii()); #else rw.write(result.toLatin1()); #endif rw.close(); QFile rr(expected_result_file_name); rr.open(QFile::ReadOnly); QString result_file = rr.readAll(); QStringList expected_result = result_file.split("\n"); CPPUNIT_ASSERT_MESSAGE( QString( "Sizes of the generated importer output and test files are different.\n" "Expected: %1 (%2)\n" "Obtained: %3 (%4)\n" "diff -u %1 %3 | less -S") .arg(expected_result_file_name).arg(expected_result.size()) .arg(obtained_result_file_name).arg(obtained_result.size()).toStdString(), expected_result.size() == obtained_result.size()); int max_idx = max(expected_result.size(), obtained_result.size()); for (int i=0; i < max_idx; ++i) { QString err = QString("Line %1:\nExpected: '%2'\nResult: '%3'\n") .arg(i).arg(expected_result[i]).arg(obtained_result[i]); CPPUNIT_ASSERT_MESSAGE(err.toStdString(), obtained_result[i] == expected_result[i]); } } void PIXImporterTest::compareFwbFiles(QString expected_result_file_name, QString obtained_result_file_name) { QString result; 
QStringList obtained_result; QFile rr(obtained_result_file_name); rr.open(QFile::ReadOnly); QString result_file = rr.readAll(); rr.close(); obtained_result = result_file.split("\n"); QFile er(expected_result_file_name); er.open(QFile::ReadOnly); result_file = er.readAll(); er.close(); QStringList expected_result = result_file.split("\n"); // find all lastModified attributes and replace them with identical values // because they are always going to be different QString err("Sizes of the generated .fwb and test files are different: \n" "Expected: %1 (%2)\n" "Obtained: %3 (%4)\n" "diff -u %1 %3 | less -S"); CPPUNIT_ASSERT_MESSAGE( err .arg(expected_result_file_name).arg(expected_result.size()) .arg(obtained_result_file_name).arg(obtained_result.size()) .toStdString(), expected_result.size() == obtained_result.size()); QRegExp last_mod_re("lastModified=\"\\d+\""); int max_idx = max(expected_result.size(), obtained_result.size()); for (int i=0; i < max_idx; ++i) { QString os = obtained_result[i]; obtained_result[i] = os.replace(last_mod_re, "lastModified=\"0000000000\""); QString es = expected_result[i]; expected_result[i] = es.replace(last_mod_re, "lastModified=\"0000000000\""); } for (int i=0; i < max_idx; ++i) { QString err = QString("Line %1:\nExpected: '%2'\nResult: '%3'\n") .arg(i).arg(expected_result[i]).arg(obtained_result[i]); CPPUNIT_ASSERT_MESSAGE(err.toStdString(), obtained_result[i] == expected_result[i]); } } std::string PIXImporterTest::openTestFile(const QString &file_name) { QFile f(file_name); f.open(QFile::ReadOnly); string buffer = QString(f.readAll()).toStdString(); f.close(); return buffer; } void PIXImporterTest::PIX_6_Test() { platform = "pix"; std::istringstream instream(openTestFile("test_data/pix6.test")); Importer* imp = new PIXImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pix6.fwb"); compareResults(logger, 
"test_data/pix6.output", "pix6.output"); compareFwbFiles("test_data/pix6.fwb", "pix6.fwb"); } void PIXImporterTest::PIX_7_Test() { platform = "pix"; std::istringstream instream(openTestFile("test_data/pix7.test")); Importer* imp = new PIXImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pix7.fwb"); compareResults(logger, "test_data/pix7.output", "pix7.output"); compareFwbFiles("test_data/pix7.fwb", "pix7.fwb"); } void PIXImporterTest::PIX_7_NAT_Test() { platform = "pix"; std::istringstream instream(openTestFile("test_data/pix7-nat.test")); Importer* imp = new PIXImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("pix7-nat.fwb"); compareResults(logger, "test_data/pix7-nat.output", "pix7-nat.output"); compareFwbFiles("test_data/pix7-nat.fwb", "pix7-nat.fwb"); } void PIXImporterTest::ASA_8_0_Test() { platform = "pix"; std::istringstream instream(openTestFile("test_data/asa8.0.test")); Importer* imp = new PIXImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("asa8.0.fwb"); compareResults(logger, "test_data/asa8.0.output", "asa8.0.output"); compareFwbFiles("test_data/asa8.0.fwb", "asa8.0.fwb"); } void PIXImporterTest::ASA_8_3_Test() { platform = "pix"; std::istringstream instream(openTestFile("test_data/asa8.3.test")); Importer* imp = new PIXImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("asa8.3.fwb"); compareResults(logger, "test_data/asa8.3.output", "asa8.3.output"); compareFwbFiles("test_data/asa8.3.fwb", "asa8.3.fwb"); } void PIXImporterTest::ObjectsAndGroupsTest() 
{ platform = "pix"; std::istringstream instream(openTestFile("test_data/asa8.3-objects-and-groups.test")); Importer* imp = new PIXImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("asa8.3-objects-and-groups.fwb"); compareResults(logger, "test_data/asa8.3-objects-and-groups.output", "asa8.3-objects-and-groups.output"); compareFwbFiles("test_data/asa8.3-objects-and-groups.fwb", "asa8.3-objects-and-groups.fwb"); } void PIXImporterTest::ACLObjectsAndGroupsTest() { platform = "pix"; std::istringstream instream(openTestFile("test_data/asa8.3-acl-object-groups.test")); Importer* imp = new PIXImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("asa8.3-acl-object-groups.fwb"); compareResults(logger, "test_data/asa8.3-acl-object-groups.output", "asa8.3-acl-object-groups.output"); compareFwbFiles("test_data/asa8.3-acl-object-groups.fwb", "asa8.3-acl-object-groups.fwb"); } void PIXImporterTest::ACLTest() { platform = "pix"; std::istringstream instream(openTestFile("test_data/asa8.3-acl.test")); Importer* imp = new PIXImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("asa8.3-acl.fwb"); compareResults(logger, "test_data/asa8.3-acl.output", "asa8.3-acl.output"); compareFwbFiles("test_data/asa8.3-acl.fwb", "asa8.3-acl.fwb"); } void PIXImporterTest::NamesTest() { platform = "pix"; std::istringstream instream(openTestFile("test_data/asa8.0-names.test")); Importer* imp = new PIXImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("asa8.0-names.fwb"); compareResults(logger, 
"test_data/asa8.0-names.output", "asa8.0-names.output"); compareFwbFiles("test_data/asa8.0-names.fwb", "asa8.0-names.fwb"); } void PIXImporterTest::FWSM_4_1_Test() { std::istringstream instream(openTestFile("test_data/fwsm1.test")); Importer* imp = new PIXImporter(lib, instream, logger, "test_fw"); imp->setAddStandardCommentsFlag(true); CPPUNIT_ASSERT_NO_THROW( imp->run() ); imp->finalize(); db->setPredictableIds(); db->saveFile("fwsm1.fwb"); compareResults(logger, "test_data/fwsm1.output", "fwsm1.output"); compareFwbFiles("test_data/fwsm1.fwb", "fwsm1.fwb"); } fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/PIXImporterTest.h000066400000000000000000000047431303637203600247310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2011 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PIXIMPORTERTEST_H #define PIXIMPORTERTEST_H #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Logger.h" #include #include #include #include #include class PIXImporterTest : public CppUnit::TestFixture { libfwbuilder::FWObjectDatabase *db; libfwbuilder::Library *lib; libfwbuilder::QueueLogger *logger; int predictable_id_tracker; std::map id_mapping; void compareResults(libfwbuilder::QueueLogger* logger, QString expected_result_file_name, QString obtained_result_file_name); void compareFwbFiles(QString expected_result_file_name, QString obtained_result_file_name); std::string openTestFile(const QString &file_name); public: void setUp(); void PIX_6_Test(); void PIX_7_Test(); void PIX_7_NAT_Test(); void ASA_8_0_Test(); void ASA_8_3_Test(); void FWSM_4_1_Test(); void ObjectsAndGroupsTest(); void ACLObjectsAndGroupsTest(); void ACLTest(); void NamesTest(); CPPUNIT_TEST_SUITE(PIXImporterTest); CPPUNIT_TEST(PIX_6_Test); CPPUNIT_TEST(PIX_7_Test); CPPUNIT_TEST(PIX_7_NAT_Test); CPPUNIT_TEST(ASA_8_0_Test); CPPUNIT_TEST(ASA_8_3_Test); CPPUNIT_TEST(ObjectsAndGroupsTest); CPPUNIT_TEST(ACLObjectsAndGroupsTest); CPPUNIT_TEST(ACLTest); CPPUNIT_TEST(NamesTest); CPPUNIT_TEST(FWSM_4_1_Test); CPPUNIT_TEST_SUITE_END(); }; #endif // PIXIMPORTERTEST_H fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/PIXImporterTest.pro000066400000000000000000000002301303637203600252650ustar00rootroot00000000000000include(../tests_common.pri) TARGET = PIXImporterTest HEADERS += PIXImporterTest.h SOURCES += main_PIXImporterTest.cpp \ PIXImporterTest.cpp fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/main_PIXImporterTest.cpp000066400000000000000000000033101303637203600262550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 
NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "PIXImporterTest.h" #include "fwbuilder/Resources.h" #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" #include #include #include #include "../../../common/init.cpp" int fwbdebug = 0; //QString user_name; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; std::string platform; int main(int argc, char** argv) { QApplication app(argc, argv, false); init(argv); Resources res(Constants::getResourcesFilePath()); CppUnit::TextUi::TestRunner runner; runner.addTest( PIXImporterTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/000077500000000000000000000000001303637203600234765ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.0-names.fwb000066400000000000000000002773731303637203600263140ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk 
fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.0-names.output000066400000000000000000000064521303637203600270620ustar00rootroot000000000000003: Platform: PIX 3: Version: 8.0 14: New interface: Ethernet0 14: Interface parameters: inside 14: Interface label: inside 16: Interface address: 192.168.2.221/255.255.255.0 19: New interface: Ethernet1 19: Interface parameters: outside 19: Interface label: outside 21: Interface address: 192.0.2.221/255.255.255.0 24: New interface: Ethernet2 Warning: interface Ethernet2 was not imported because it is in "shutdown" mode 30: New interface: Ethernet3 Warning: interface Ethernet3 was not imported because it is in "shutdown" mode 36: New interface: Ethernet4 Warning: interface Ethernet4 was not imported because it is in "shutdown" mode 44: Object Group (network) net_1_group 47: Object Group (network) another_group_net_1 50: Object Group (network) host_net_1 53: Object Group (network) host_net_2 56: Object Group (network) net-1 59: Object Group (network) net-2 65: filtering rule: access list inside_in, action permit 66: filtering rule: access list inside_in, action deny 68: Interface Ethernet0 ruleset inside_in direction 'in' 74: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 74: filtering rule: access list icmp_commands_outside, action permit 75: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 75: filtering rule: access list icmp_commands_outside, action permit 76: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 76: filtering rule: access list icmp_commands_outside, action permit 77: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 77: filtering rule: access list icmp_commands_outside, action permit 78: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 78: filtering rule: access list icmp_commands_outside, action permit 79: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 79: filtering rule: access list 
icmp_commands_outside, action permit 80: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 80: filtering rule: access list icmp_commands_inside, action permit 81: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 81: filtering rule: access list icmp_commands_inside, action permit 82: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 82: filtering rule: access list icmp_commands_inside, action permit 83: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 83: filtering rule: access list icmp_commands_inside, action permit 84: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 84: filtering rule: access list icmp_commands_inside, action permit 85: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 85: filtering rule: access list icmp_commands_inside, action permit 86: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 86: filtering rule: access list icmp_commands_inside, action permit 87: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 87: filtering rule: access list icmp_commands_inside, action permit 88: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 88: filtering rule: access list icmp_commands_inside, action permit 101: Interface Ethernet0 ruleset telnet_commands_inside direction 'in' 101: filtering rule: access list telnet_commands_inside, action permit 103: Interface Ethernet0 ruleset ssh_commands_inside direction 'in' 103: filtering rule: access list ssh_commands_inside, action permit fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.0-names.test000066400000000000000000000057321303637203600265010ustar00rootroot00000000000000: Saved : PIX Version 8.0(3) ! hostname pixfirewall enable password XXXXXXXXXXXXXXXX encrypted names name 192.168.2.0 inside_network name 192.168.2.221 inside_ip name 192.168.2.240 net_1 name 1.1.1.1 named-host-1 name 1.2.3.4 object-1234 ! 
interface Ethernet0 nameif inside security-level 100 ip address inside_ip 255.255.255.0 ! interface Ethernet1 nameif outside security-level 0 ip address 192.0.2.221 255.255.255.0 ! interface Ethernet2 shutdown no nameif no security-level no ip address ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! passwd YYYYYYYYYYYYYYYY encrypted ftp mode passive object-group network net_1_group network-object net_1 255.255.255.240 network-object 192.168.2.0 255.255.255.0 object-group network another_group_net_1 network-object net_1 255.255.255.240 network-object 192.168.3.0 255.255.255.0 object-group network host_net_1 network-object host net_1 ! whitespace after net_1 object-group network host_net_2 network-object host net_1 object-group network net-1 description single network object-group network-object inside_network 255.255.255.0 object-group network net-2 description multiple network-object objects network-object 192.168.1.0 255.255.255.0 network-object inside_network 255.255.255.0 network-object 192.168.3.0 255.255.255.0 access-list inside_in extended permit ip inside_network 255.255.255.0 any access-list inside_in extended deny ip any any log warnings access-group inside_in in interface inside pager lines 24 mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 icmp permit any echo outside icmp permit any 111 outside icmp permit any time-exceeded outside icmp permit any echo-reply outside icmp permit any unreachable outside icmp permit any outside icmp permit host 10.1.1.202 time-exceeded inside icmp permit host 10.1.1.202 echo-reply inside icmp permit host 10.1.1.202 unreachable inside icmp permit any echo inside icmp permit any time-exceeded inside icmp permit any echo-reply inside icmp permit any unreachable inside icmp permit any inside icmp permit 10.1.1.0 255.255.255.0 inside no asdm history enable arp timeout 14400 timeout xlate 3:00:00 timeout 
conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet inside_network 255.255.255.0 inside telnet timeout 5 ssh inside_network 255.255.255.0 inside ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list username cisco password ZZZZZZZZZZZZZZZZ encrypted ! ! prompt hostname context Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx : end fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.0.fwb000066400000000000000000003173131303637203600252000ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.0.output000066400000000000000000000072751303637203600257650ustar00rootroot000000000000003: Platform: PIX 3: Version: 8.0 9: New interface: Ethernet0 9: Interface parameters: inside 9: Interface label: inside 11: Interface address: 192.168.2.221/255.255.255.0 14: New interface: Ethernet1 14: Interface parameters: outside 14: Interface label: outside 16: Interface address: 192.0.2.221/255.255.255.0 19: New interface: Ethernet2 Warning: interface Ethernet2 was not imported because it is in "shutdown" mode 25: New interface: Ethernet3 Warning: interface Ethernet3 was not imported because it is in "shutdown" mode 31: New interface: Ethernet4 Warning: interface Ethernet4 was not imported because it is in "shutdown" mode 39: Object Group (network) net-1 42: Object Group 
(network) net-2 47: Object Group (network) host-1 49: Object Group (network) mixed-1 55: Object Group (network) host-2 58: Object Group (service) tcp-1 60: Object Group (service) mixed-service-1 66: Object Group (service) service-ranges 75: Object Group (icmp) icmp-1 77: Object Group (icmp) icmp-2 82: Object Group (icmp) icmp-3 83: Object Group (protocol) protocol-1 87: Object Group (protocol) proto-icmp 89: Object Group (protocol) proto-icmp6 90: Warning: IPv6 import is not supported. 91: Object Group (protocol) proto-ip 93: Object Group (protocol) proto-ipsec 95: Object Group (protocol) proto-pptp 97: Object Group (protocol) proto-snp 99: Object Group (protocol) proto-tcp 101: Object Group (protocol) proto-udp 108: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 108: filtering rule: access list icmp_commands_outside, action permit 109: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 109: filtering rule: access list icmp_commands_outside, action permit 110: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 110: filtering rule: access list icmp_commands_outside, action permit 111: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 111: filtering rule: access list icmp_commands_outside, action permit 112: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 112: filtering rule: access list icmp_commands_outside, action permit 113: Interface Ethernet1 ruleset icmp_commands_outside direction 'in' 113: filtering rule: access list icmp_commands_outside, action permit 114: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 114: filtering rule: access list icmp_commands_inside, action permit 115: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 115: filtering rule: access list icmp_commands_inside, action permit 116: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 116: filtering rule: access list icmp_commands_inside, action permit 117: Interface 
Ethernet0 ruleset icmp_commands_inside direction 'in' 117: filtering rule: access list icmp_commands_inside, action permit 118: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 118: filtering rule: access list icmp_commands_inside, action permit 119: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 119: filtering rule: access list icmp_commands_inside, action permit 120: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 120: filtering rule: access list icmp_commands_inside, action permit 121: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 121: filtering rule: access list icmp_commands_inside, action permit 122: Interface Ethernet0 ruleset icmp_commands_inside direction 'in' 122: filtering rule: access list icmp_commands_inside, action permit 135: Interface Ethernet0 ruleset telnet_commands_inside direction 'in' 135: filtering rule: access list telnet_commands_inside, action permit 137: Interface Ethernet0 ruleset ssh_commands_inside direction 'in' 137: filtering rule: access list ssh_commands_inside, action permit fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.0.test000066400000000000000000000076161303637203600254030ustar00rootroot00000000000000: Saved : PIX Version 8.0(3) ! hostname pixfirewall enable password XXXXXXXXXXXXXXXX encrypted names ! interface Ethernet0 nameif inside security-level 100 ip address 192.168.2.221 255.255.255.0 ! interface Ethernet1 nameif outside security-level 0 ip address 192.0.2.221 255.255.255.0 ! interface Ethernet2 shutdown no nameif no security-level no ip address ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! 
passwd YYYYYYYYYYYYYYYY encrypted ftp mode passive object-group network net-1 description single network object-group network-object 192.168.2.0 255.255.255.0 object-group network net-2 description multiple network-object objects network-object 192.168.1.0 255.255.255.0 network-object 192.168.2.0 255.255.255.0 network-object 192.168.3.0 255.255.255.0 object-group network host-1 network-object host 192.168.1.5 object-group network mixed-1 description mix of objects network-objects host objects network-object host 192.168.1.5 network-object 172.16.0.0 255.255.0.0 network-object host 172.16.15.12 network-object 10.0.0.0 255.0.0.0 object-group network host-2 network-object host 172.16.15.1 network-object host 172.16.15.2 object-group service tcp-1 service-object tcp eq www object-group service mixed-service-1 description mix of service tcp & udp objects service-object tcp eq https service-object udp eq dnsix service-object tcp eq domain service-object udp eq ntp object-group service service-ranges service-object tcp gt 1024 service-object tcp range 1024 8080 service-object udp eq www service-object udp eq nfs service-object udp lt 8080 service-object udp gt 1024 service-object udp range www 101 service-object tcp lt 65535 object-group icmp-object icmp-1 icmp-object echo-reply object-group icmp-object icmp-2 description multiple icmp-objects icmp-object 1 icmp-object redirect icmp-object router-advertisement object-group icmp-object icmp-3 object-group protocol protocol-1 protocol-object ip protocol-object igmp object-group protocol proto-icmp protocol-object icmp object-group protocol proto-icmp6 protocol-object icmp6 object-group protocol proto-ip protocol-object ip object-group protocol proto-ipsec protocol-object esp object-group protocol proto-pptp protocol-object gre object-group protocol proto-snp protocol-object snp object-group protocol proto-tcp protocol-object tcp object-group protocol proto-udp protocol-object udp pager lines 24 mtu inside 1500 mtu outside 
1500 icmp unreachable rate-limit 1 burst-size 1 icmp permit any echo outside icmp permit any 111 outside icmp permit any time-exceeded outside icmp permit any echo-reply outside icmp permit any unreachable outside icmp permit any outside icmp permit host 10.1.1.202 time-exceeded inside icmp permit host 10.1.1.202 echo-reply inside icmp permit host 10.1.1.202 unreachable inside icmp permit any echo inside icmp permit any time-exceeded inside icmp permit any echo-reply inside icmp permit any unreachable inside icmp permit any inside icmp permit 10.1.1.0 255.255.255.0 inside no asdm history enable arp timeout 14400 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet 192.168.2.0 255.255.255.0 inside telnet timeout 5 ssh 192.168.2.0 255.255.255.0 inside ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list username cisco password ZZZZZZZZZZZZZZZZ encrypted ! ! 
prompt hostname context Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx : end fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3-acl-object-groups.fwb000066400000000000000000003230401303637203600305130ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3-acl-object-groups.output000066400000000000000000000050421303637203600312740ustar00rootroot000000000000003: Platform: ASA 3: Version: 8.3 8: New interface: Vlan1 8: Interface parameters: inside 8: Interface label: inside 10: Interface address: 192.168.1.1/255.255.255.0 14: New interface: Vlan2 14: Interface parameters: outside 14: Interface label: outside 16: Interface address: dhcp/ 20: New interface: Ethernet0/0 20: Interface comment: Switch port 0 / 0 77: Named object (service) http.0 81: Named object (service) https.0 85: Named object (address) server-1.0 89: Named object (address) Internal_net.0 93: Named object (address) external_net.0 96: Object Group (service) srv-group-1 101: Named object (service) ip2 104: Object Group (protocol) pg1 110: Object Group (network) src-network-group-1 114: Object Group (network) dst-network-group-1 122: filtering rule: access list inside_in, action permit 125: filtering rule: access list inside_in, action permit 127: filtering rule: access list inside_in, action permit 129: filtering rule: access list inside_in, action permit 131: filtering rule: access list inside_in, action permit 133: filtering rule: access list inside_in, action permit 138: filtering rule: access list inside_in, action permit 143: filtering rule: access list inside_in, action permit 145: filtering rule: access list inside_in, action permit 147: filtering rule: access list inside_in, action 
permit 149: filtering rule: access list inside_in, action permit 155: filtering rule: access list inside_in, action permit 155: Object Group (service) srv-group-1-mirror 162: filtering rule: access list inside_in, action permit 164: filtering rule: access list inside_in, action permit 166: filtering rule: access list inside_in, action permit 168: filtering rule: access list inside_in, action permit 170: filtering rule: access list inside_in, action permit 175: filtering rule: access list inside_in, action permit 177: filtering rule: access list inside_in, action permit 179: filtering rule: access list inside_in, action permit 181: filtering rule: access list inside_in, action permit 188: filtering rule: access list inside_in, action permit 188: Object Group (service) srv-group-1-mirror 190: filtering rule: access list inside_in, action permit 190: Object Group (service) srv-group-1-mirror 192: filtering rule: access list inside_in, action permit 192: Object Group (service) srv-group-1-mirror 194: filtering rule: access list inside_in, action permit 194: Object Group (service) srv-group-1-mirror 196: filtering rule: access list inside_in, action permit 196: Object Group (service) srv-group-1-mirror 199: Interface Vlan1 ruleset inside_in direction 'in' fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3-acl-object-groups.test000066400000000000000000000111321303637203600307100ustar00rootroot00000000000000: Saved : ASA Version 8.3(2) ! 
hostname asa5505 interface Vlan1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 exit interface Vlan2 nameif outside security-level 0 ip address dhcp setroute exit interface Ethernet0/0 description Switch port 0/0 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 0:0:0 timeout conn 0:0:0 timeout udp 0:0:0 timeout sunrpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global clear xlate clear config nat clear config access-list clear config icmp clear config telnet clear config object-group clear config object object service http.0 service tcp destination eq 80 exit object service https.0 service tcp destination eq 443 exit object network server-1.0 host 192.168.1.100 exit object network Internal_net.0 subnet 192.168.1.0 255.255.255.0 exit object network external_net.0 subnet 192.0.2.0 255.255.255.0 object-group service srv-group-1 tcp port-object eq 80 port-object eq 443 exit object service ip2 service eigrp object-group protocol pg1 protocol-object 111 protocol-object ah protocol-object ip protocol-object eigrp object-group network src-network-group-1 network-object 192.168.1.0 255.255.255.0 network-object 192.168.2.0 255.255.255.0 object-group network dst-network-group-1 network-object object external_net.0 !################ ! 
access-list inside_in extended permit object-group pg1 192.168.1.0 255.255.255.0 any access-list inside_in extended permit tcp object server-1.0 any access-list inside_in extended permit tcp object server-1.0 host 192.0.2.1 access-list inside_in extended permit tcp object server-1.0 192.0.2.0 255.255.255.0 access-list inside_in extended permit tcp object server-1.0 object external_net.0 access-list inside_in extended permit tcp object server-1.0 object-group dst-network-group-1 ! named object in both source and destination ! access-list inside_in extended permit tcp object server-1.0 object external_net.0 ! src port definitions ! access-list inside_in extended permit tcp object server-1.0 eq 80 any access-list inside_in extended permit tcp object server-1.0 lt 1024 any access-list inside_in extended permit tcp object server-1.0 gt 1024 any access-list inside_in extended permit tcp object server-1.0 range 1000 1100 any ! ASA 8.3 does not take this acl definition (assumes object http.0 is dest address) ! access-list inside_in extended permit tcp object server-1.0 object http.0 any access-list inside_in extended permit tcp object server-1.0 object-group srv-group-1 any ! dest port is defined using in-line port operators ! access-list inside_in extended permit tcp object server-1.0 any eq 80 access-list inside_in extended permit tcp object server-1.0 host 192.0.2.1 eq 80 access-list inside_in extended permit tcp object server-1.0 192.0.2.0 255.255.255.0 eq 80 access-list inside_in extended permit tcp object server-1.0 object external_net.0 eq 80 access-list inside_in extended permit tcp object server-1.0 object-group dst-network-group-1 eq 80 ! object-group service is used to define destination ports ! 
access-list inside_in extended permit tcp object server-1.0 any object-group srv-group-1 access-list inside_in extended permit tcp object server-1.0 host 192.0.2.1 object-group srv-group-1 access-list inside_in extended permit tcp object server-1.0 192.0.2.0 255.255.255.0 object-group srv-group-1 access-list inside_in extended permit tcp object server-1.0 object external_net.0 object-group srv-group-1 ! object-group service is used to define source ports ! access-list inside_in extended permit tcp object server-1.0 object-group srv-group-1 any access-list inside_in extended permit tcp object server-1.0 object-group srv-group-1 host 192.0.2.1 access-list inside_in extended permit tcp object server-1.0 object-group srv-group-1 192.0.2.0 255.255.255.0 access-list inside_in extended permit tcp object server-1.0 object-group srv-group-1 object external_net.0 access-list inside_in extended permit tcp object server-1.0 object-group srv-group-1 object-group dst-network-group-1 access-group inside_in in interface inside fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3-acl.fwb000066400000000000000000005261411303637203600257410ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3-acl.output000066400000000000000000000161071303637203600265170ustar00rootroot000000000000003: Platform: ASA 3: Version: 8.3 8: New interface: Vlan1 8: Interface parameters: inside 8: Interface label: inside 10: Interface address: 192.168.1.1/255.255.255.0 14: New interface: Vlan2 14: Interface parameters: outside 14: Interface label: outside 16: Interface address: dhcp/ 20: New interface: Ethernet0/0 20: Interface comment: Switch port 0 / 0 77: Named object (service) http.0 81: Named 
object (service) https.0 85: Named object (service) match-1 88: Named object (service) match-2 91: Named object (address) server-1.0 95: Named object (address) Internal_net.0 99: Named object (address) external_net.0 102: Object Group (service) id5102X14531.srv.tcp.0 107: Named object (service) ip2 110: Object Group (protocol) pg1 116: Object Group (network) src-network-group-1 120: Object Group (network) dst-network-group-1 123: Object Group (service) test-service-1 126: Object Group (service) test-service-2 129: Object Group (service) test-service-3 133: Object Group (service) test-service-4 144: Rule comment: 0 ( global ) 148: filtering rule: access list inside_in, action permit 149: filtering rule: access list inside_in, action permit 150: filtering rule: access list inside_in, action permit 151: filtering rule: access list inside_in, action permit 152: filtering rule: access list inside_in, action permit 154: filtering rule: access list inside_in, action permit 155: filtering rule: access list inside_in, action permit 156: filtering rule: access list inside_in, action permit 157: filtering rule: access list inside_in, action permit 158: filtering rule: access list inside_in, action permit 159: filtering rule: access list inside_in, action permit 160: filtering rule: access list inside_in, action permit 161: filtering rule: access list inside_in, action permit 162: filtering rule: access list inside_in, action permit 163: filtering rule: access list inside_in, action permit 164: filtering rule: access list inside_in, action permit 165: filtering rule: access list inside_in, action permit 166: filtering rule: access list inside_in, action permit 167: filtering rule: access list inside_in, action permit 168: filtering rule: access list inside_in, action permit 171: filtering rule: access list inside_in, action permit 172: Rule comment: 3 ( global ) 175: filtering rule: access list inside_in, action deny 177: filtering rule: access list inside_in, action deny 179: 
filtering rule: access list inside_in, action deny 180: filtering rule: access list inside_in, action deny 181: filtering rule: access list inside_in, action deny 183: filtering rule: access list inside_in, action deny 189: filtering rule: access list inside_in, action permit 189: Object Group (service) id5102X14531.srv.tcp.0-mirror 191: filtering rule: access list inside_in, action permit 193: filtering rule: access list inside_in, action permit 194: filtering rule: access list inside_in, action permit 195: filtering rule: access list inside_in, action permit 196: filtering rule: access list inside_in, action permit 197: filtering rule: access list inside_in, action permit 199: filtering rule: access list inside_in, action permit 199: Object Group (service) id5102X14531.srv.tcp.0-mirror 200: filtering rule: access list inside_in, action permit 201: filtering rule: access list inside_in, action permit 202: filtering rule: access list inside_in, action permit 203: filtering rule: access list inside_in, action permit 204: filtering rule: access list inside_in, action permit 206: filtering rule: access list inside_out, action permit 207: filtering rule: access list inside_out, action permit 208: filtering rule: access list inside_out, action permit 209: filtering rule: access list inside_out, action permit 210: filtering rule: access list inside_out, action permit 211: filtering rule: access list inside_out, action permit 213: filtering rule: access list inside_out, action permit 214: filtering rule: access list inside_out, action permit 215: filtering rule: access list inside_out, action permit 216: filtering rule: access list inside_out, action permit 217: filtering rule: access list inside_out, action permit 218: filtering rule: access list inside_out, action permit 221: filtering rule: access list inside_out, action permit 221: Error: tcp port name 'foo' is unknown 223: filtering rule: access list inside_out, action permit 225: filtering rule: access list 
inside_out, action permit 227: filtering rule: access list inside_out, action permit 229: filtering rule: access list inside_out, action permit 231: filtering rule: access list inside_out, action permit 232: filtering rule: access list inside_out, action permit 234: filtering rule: access list outside_out, action permit 235: filtering rule: access list outside_out, action permit 236: filtering rule: access list outside_out, action permit 240: filtering rule: access list outside_in, action permit 240: Object Group (service) test-service-1-mirror 241: filtering rule: access list outside_in, action permit 241: Object Group (service) test-service-2-mirror 242: filtering rule: access list outside_in, action permit 242: Object Group (service) test-service-3-mirror 242: Object Group (service) test-service-1-mirror 243: filtering rule: access list outside_in, action permit 243: Object Group (service) test-service-4-mirror 243: Object Group (service) test-service-1-mirror 247: filtering rule: access list outside_in, action permit 247: Object Group (service) tcp port match line 247 248: filtering rule: access list outside_in, action permit 248: Object Group (service) tcp port match line 248 249: filtering rule: access list outside_in, action permit 249: Object Group (service) tcp port match line 249 250: filtering rule: access list outside_in, action permit 250: Object Group (service) tcp port match line 250 253: filtering rule: access list outside_in, action permit 253: Error: Rule matches tcp or udp ports using "neq" port operator in both source and destination. 
This configuration is not supported by import at this time, please fix manually 264: filtering rule: access list inside_in, action permit 264: Object Group (service) test-service-1-mirror 264: Object Group (service) tcp port match line 264 265: filtering rule: access list inside_in, action permit 265: Object Group (service) test-service-2-mirror 265: Object Group (service) tcp port match line 265 266: filtering rule: access list inside_in, action permit 266: Object Group (service) test-service-1-mirror 266: Object Group (service) tcp port match line 266 267: filtering rule: access list inside_in, action permit 267: Object Group (service) test-service-3-mirror 267: Object Group (service) test-service-1-mirror 267: Object Group (service) tcp port match line 267 268: filtering rule: access list inside_in, action permit 268: Object Group (service) test-service-1-mirror 268: Object Group (service) tcp port match line 268 269: filtering rule: access list inside_in, action permit 269: Object Group (service) tcp port match line 269 276: Interface Vlan1 ruleset inside_in direction 'in' 277: Interface Vlan1 ruleset inside_out direction 'out' 278: Interface Vlan2 ruleset outside_in direction 'in' 279: Interface Vlan2 ruleset outside_out direction 'out' fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3-acl.test000077500000000000000000000237051303637203600261430ustar00rootroot00000000000000: Saved : ASA Version 8.3(2) ! 
hostname asa5505 interface Vlan1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 exit interface Vlan2 nameif outside security-level 0 ip address dhcp setroute exit interface Ethernet0/0 description Switch port 0/0 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 0:0:0 timeout conn 0:0:0 timeout udp 0:0:0 timeout sunrpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global clear xlate clear config nat clear config access-list clear config icmp clear config telnet clear config object-group clear config object object service http.0 service tcp destination eq 80 exit object service https.0 service tcp destination eq 443 exit object service match-1 service tcp destination eq 80 object service match-2 service tcp destination lt 1024 object network server-1.0 host 192.168.1.100 exit object network Internal_net.0 subnet 192.168.1.0 255.255.255.0 exit object network external_net.0 subnet 192.0.2.0 255.255.255.0 object-group service id5102X14531.srv.tcp.0 tcp port-object eq 80 port-object eq 443 exit object service ip2 service eigrp object-group protocol pg1 protocol-object 111 protocol-object ah protocol-object ip protocol-object eigrp object-group network src-network-group-1 network-object 192.168.1.0 255.255.255.0 network-object 192.168.2.0 255.255.255.0 object-group network dst-network-group-1 network-object object external_net.0 object-group service test-service-1 tcp port-object eq www object-group service test-service-2 tcp port-object range 
1000 1010 object-group service test-service-3 tcp port-object eq 25 group-object test-service-1 object-group service test-service-4 tcp port-object eq 25 port-object eq 88 group-object test-service-1 !################ ! ! remark access-list inside_in remark 0 (global) ! protocols, including named object and object group ! access-list inside_in extended permit ah 192.168.1.0 255.255.255.0 any access-list inside_in extended permit eigrp 192.168.1.0 255.255.255.0 any access-list inside_in extended permit esp 192.168.1.0 255.255.255.0 any access-list inside_in extended permit gre 192.168.1.0 255.255.255.0 any access-list inside_in extended permit icmp 192.168.1.0 255.255.255.0 any ! access-list inside_in extended permit icmp6 192.168.1.0 255.255.255.0 any access-list inside_in extended permit igmp 192.168.1.0 255.255.255.0 any access-list inside_in extended permit igrp 192.168.1.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any access-list inside_in extended permit ipinip 192.168.1.0 255.255.255.0 any access-list inside_in extended permit ipsec 192.168.1.0 255.255.255.0 any access-list inside_in extended permit nos 192.168.1.0 255.255.255.0 any access-list inside_in extended permit object ip2 192.168.1.0 255.255.255.0 any access-list inside_in extended permit object-group pg1 192.168.1.0 255.255.255.0 any access-list inside_in extended permit ospf 192.168.1.0 255.255.255.0 any access-list inside_in extended permit pcp 192.168.1.0 255.255.255.0 any access-list inside_in extended permit pim 192.168.1.0 255.255.255.0 any access-list inside_in extended permit pptp 192.168.1.0 255.255.255.0 any access-list inside_in extended permit snp 192.168.1.0 255.255.255.0 any access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 any access-list inside_in extended permit udp 192.168.1.0 255.255.255.0 any ! 
named object reference in source access-list inside_in extended permit ip object Internal_net.0 any access-list inside_in remark 3 (global) ! logging access-list inside_in extended deny ip any any log ! interval w/o level access-list inside_in extended deny ip any any log interval 100 ! level w/o interval, numeric and a word access-list inside_in extended deny ip any any log 1 access-list inside_in extended deny ip any any log alerts access-list inside_in extended deny ip any any log disable ! both level and interval access-list inside_in extended deny ip any any log 0 interval 300 ! more complex tests: named objects, object groups, inline address and ! port definitions in both source and destination access-list inside_in extended permit tcp object server-1.0 object-group id5102X14531.srv.tcp.0 any access-list inside_in extended permit tcp object server-1.0 object-group dst-network-group-1 access-list inside_in extended permit tcp object server-1.0 eq 80 any access-list inside_in extended permit tcp object server-1.0 gt 1010 any access-list inside_in extended permit tcp object server-1.0 lt 1024 any access-list inside_in extended permit tcp object server-1.0 range 1010 1020 any access-list inside_in extended permit tcp object server-1.0 neq 88 any access-list inside_in extended permit tcp 192.168.2.0 255.255.255.192 object-group id5102X14531.srv.tcp.0 any access-list inside_in extended permit tcp 192.168.2.0 255.255.255.192 eq 80 any access-list inside_in extended permit tcp 192.168.2.0 255.255.255.192 gt 1010 any access-list inside_in extended permit tcp 192.168.2.0 255.255.255.192 lt 1024 any access-list inside_in extended permit tcp 192.168.2.0 255.255.255.192 range 1010 1020 any access-list inside_in extended permit tcp 192.168.2.0 255.255.255.192 neq 88 any access-list inside_out extended permit tcp any object server-1.0 object-group id5102X14531.srv.tcp.0 access-list inside_out extended permit tcp any object server-1.0 eq 80 access-list inside_out extended 
permit tcp any object server-1.0 gt 1010 access-list inside_out extended permit tcp any object server-1.0 lt 1024 access-list inside_out extended permit tcp any object server-1.0 range 1010 1020 access-list inside_out extended permit tcp any object server-1.0 neq 88 access-list inside_out extended permit tcp any 192.168.2.0 255.255.255.192 object-group id5102X14531.srv.tcp.0 access-list inside_out extended permit tcp any 192.168.2.0 255.255.255.192 eq 80 access-list inside_out extended permit tcp any 192.168.2.0 255.255.255.192 gt 1010 access-list inside_out extended permit tcp any 192.168.2.0 255.255.255.192 lt 1024 access-list inside_out extended permit tcp any 192.168.2.0 255.255.255.192 range 1010 1020 access-list inside_out extended permit tcp any 192.168.2.0 255.255.255.192 neq 88 ! invalid port name access-list inside_out extended permit tcp any 192.168.2.0 255.255.255.192 neq foo access-list inside_out extended permit tcp any object-group dst-network-group-1 access-list inside_out extended permit tcp object-group src-network-group-1 object-group dst-network-group-1 access-list inside_out extended permit tcp object-group src-network-group-1 gt 1023 object-group dst-network-group-1 eq 80 access-list inside_out extended permit tcp object-group src-network-group-1 gt 1023 object-group dst-network-group-1 neq 88 access-list inside_out extended permit tcp any eq www any range 1024 65535 access-list inside_out permit tcp any range 1080 1090 any range 1080 1090 access-list outside_out standard permit 192.0.2.0 255.255.255.0 access-list outside_out standard permit host 192.0.2.1 access-list outside_out standard permit any ! test for access list using service group that matches destination port to match ! 
service port access-list outside_in permit tcp object-group dst-network-group-1 object-group test-service-1 any access-list outside_in permit tcp object-group dst-network-group-1 object-group test-service-2 any access-list outside_in permit tcp object-group dst-network-group-1 object-group test-service-3 any access-list outside_in permit tcp object-group dst-network-group-1 object-group test-service-4 any ! same groups but matching destination ports access-list outside_in permit tcp object-group dst-network-group-1 gt 1024 any object-group test-service-1 access-list outside_in permit tcp object-group dst-network-group-1 gt 1024 any object-group test-service-2 access-list outside_in permit tcp object-group dst-network-group-1 gt 1024 any object-group test-service-3 access-list outside_in permit tcp object-group dst-network-group-1 gt 1024 any object-group test-service-4 ! unsupported configuration: neq in bouth source and destination access-list outside_in permit tcp any neq www any neq www ! however named object can not be used to match source ports in ASA ! 8.3 so the following rules are invalid ! ! access-list outside_in permit tcp object-group dst-network-group-1 object match-1 any ! access-list outside_in permit tcp object-group dst-network-group-1 object match-2 any ! tests for access lists using object groups for both source service and destination address ! 
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 object-group test-service-1 host 4.2.2.1 object-group test-service-2 access-list inside_in permit tcp 192.168.1.0 255.255.255.0 object-group test-service-2 host 4.2.2.1 object-group test-service-1 access-list inside_in permit tcp 192.168.1.0 255.255.255.0 object-group test-service-1 host 4.2.2.1 object-group test-service-3 access-list inside_in permit tcp 192.168.1.0 255.255.255.0 object-group test-service-3 host 4.2.2.1 object-group test-service-1 access-list inside_in permit tcp 192.168.1.0 255.255.255.0 object-group test-service-1 host 4.2.2.1 gt 1024 access-list inside_in permit tcp 192.168.1.0 255.255.255.0 gt 1024 host 4.2.2.1 object-group test-service-1 ! access-group statements access-group inside_in in interface inside access-group inside_out out interface inside access-group outside_in in interface outside access-group outside_out out interface outside fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3-nat.test000077500000000000000000000075461303637203600261730ustar00rootroot00000000000000: Saved : ASA Version 8.3(2) ! 
hostname asa5505 interface Vlan1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 exit interface Vlan2 nameif outside security-level 0 ip address dhcp setroute exit interface Ethernet0/0 description Switch port 0/0 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 0:0:0 timeout conn 0:0:0 timeout udp 0:0:0 timeout sunrpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global clear xlate clear config nat clear config access-list clear config icmp clear config telnet clear config object-group clear config object object network internal_subnet_1 subnet 192.168.1.0 255.255.255.192 description Internal Subnet 1 object network internal_subnet_2 subnet 192.168.1.64 255.255.255.192 description Internal Subnet 2 object network Internal_net subnet 192.168.1.0 255.255.255.0 object network hostA:eth0 host 192.168.1.10 object service http.0 service tcp destination eq 80 exit object service https.0 service tcp destination eq 443 exit object network server-1.0 host 192.168.1.100 exit object network Internal_net.0 subnet 192.168.1.0 255.255.255.0 exit object network external_net.0 subnet 192.0.2.0 255.255.255.0 object-group service id5102X14531.srv.tcp.0 tcp port-object eq 80 port-object eq 443 exit object service ip2 service eigrp object-group protocol pg1 protocol-object 111 protocol-object ah protocol-object ip protocol-object eigrp object-group network src-network-group-1 network-object 192.168.1.0 255.255.255.0 network-object 192.168.2.0 255.255.255.0 
object-group network dst-network-group-1 network-object object external_net.0 object-group network outside.id178211X29963.osrc.net.0 network-object object internal_subnet_1 network-object object internal_subnet_2 ! object-group network outside.id21353X4994.osrc.net.0 network-object object internal_subnet_1 network-object object Internal_net network-object object internal_subnet_2 ! object-group network outside.id77971X5929.osrc.net.1 network-object object internal_subnet_1 network-object object internal_subnet_2 !################ ! access-list outside_in extended deny ip any any log ! access-group statements access-group outside_in in interface outside ! ! Rule 0 (NAT) nat (inside,outside) source dynamic Internal_net.0 interface description "0 (NAT)" ! ! Rule 1 (NAT) nat (outside,inside) source static any any destination static interface server-1.0 service http.0 http.0 description "1 (NAT)" nat (outside,inside) source static any any destination static interface server-1.0 service https.0 https.0 description "1 (NAT)" nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp nat (inside,outside) source dynamic outside.id21353X4994.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp nat (outside,inside) source static any any destination static interface hostA:eth0 service http squid nat (inside,outside) source dynamic outside.id77971X5929.osrc.net.0 outside.id77971X5929.tsrc.net.0 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtp smtp nat (inside,outside) source dynamic outside.id77971X5929.osrc.net.0 outside.id77971X5929.tsrc.net.1 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtps smtps fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3-objects-and-groups.fwb000066400000000000000000003756251303637203600307210ustar00rootroot00000000000000 established established -m state 
--state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3-objects-and-groups.output000066400000000000000000000106761303637203600314730ustar00rootroot000000000000003: Platform: ASA 3: Version: 8.3 7: New interface: Vlan1 7: Interface comment: inside interface 8: Interface parameters: inside 8: Interface label: inside 10: Interface address: dhcp/ 13: New interface: Vlan2 13: Interface comment: outside interface 14: Interface parameters: outside 14: Interface label: outside 16: Interface address: 192.168.2.1/255.255.255.0 19: New interface: Ethernet0/0 19: Interface comment: Switch port 0 / 0 20: Switch port vlan 2 25: Named object (address) internal_subnet_1 28: Named object (address) internal_subnet_2 32: Named object (address) internal_subnet_3 36: Named object (address) internal_subnet_4 39: Named object (address) Internal_net 41: Named object (address) outside_range-1 43: Named object (address) range_1 45: Named object (address) firewall90:FastEthernet1:ip-1 47: Named object (address) hostA:eth0 49: Named object (address) spamhost1 51: Named object (address) spamhost2 53: Named object (address) external_gw2 58: Named object (address) my-range-obj 60: Named object (address) my-inside-net 62: Warning: Import of ASA 8.3 nat command is not supported at this time 62: Warning: Import of named objects with "nat" command is not supported at this time 67: Named object (address) ipv6-host-object-1 68: Warning: IPv6 import is not supported. 70: Named object (address) ipv6-network-object-1 71: Warning: IPv6 import is not supported. 73: Named object (address) ipv6-host-object-3 74: Warning: IPv6 import is not supported. 76: Named object (address) ipv6-host-object-3 77: Warning: IPv6 import is not supported. 
81: Named object (address) dummy-address 84: Named object (address) internal_subnet_5 88: Named object (address) dummy-address-1 89: Named object (address) internal_subnet_6 92: Named object (address) ipv6-host-object-2 93: Warning: IPv6 import is not supported. 95: Named object (address) host-1 99: Named object (service) smtp 101: Named object (service) http 103: Named object (service) ssh 105: Named object (service) squid 107: Named object (service) smtps 110: Named object (service) icmp1 112: Named object (service) icmp2 114: Named object (service) ip5 118: Named object (service) tcp-src-1 121: Named object (service) tcp-src-2 123: Named object (service) tcp-src-3 125: Named object (service) tcp-src-4 127: Named object (service) tcp-src-5 130: Named object (service) tcp-dst-1 132: Named object (service) tcp-dst-2 134: Named object (service) tcp-dst-3 136: Named object (service) tcp-dst-4 138: Named object (service) tcp-dst-5 142: Named object (service) tcp-src-dst-1 144: Named object (service) tcp-src-dst-2 146: Named object (service) tcp-src-dst-3 148: Named object (service) tcp-src-dst-4 150: Named object (service) tcp-src-dst-5 154: Named object (service) udp-src-1 156: Named object (service) udp-src-2 158: Named object (service) udp-src-3 160: Named object (service) udp-src-4 162: Named object (service) udp-src-5 165: Named object (service) udp-dst-1 167: Named object (service) udp-dst-2 169: Named object (service) udp-dst-3 171: Named object (service) udp-dst-4 173: Named object (service) udp-dst-5 177: Named object (service) ip1 179: Named object (service) ip2 181: Named object (service) icmp6-1 182: Warning: Import of IPv6 addresses and servcies is not supported at this time 185: Named object (service) ip3 186: Warning: Unknown service name some_weird_protocol 190: Named object (service) ip4 193: Object Group (network) outside.id178211X29963.osrc.net.0 196: Object Group (network) outside.id21353X4994.osrc.net.0 200: Object Group (network) 
outside.id77971X5929.osrc.net.1 203: Object Group (network) outside.id77971X5929.odst.net.1 206: Object Group (network) outside.id77971X5929.tsrc.net.1 209: Object Group (network) outside.id77971X5929.osrc.net.0 212: Object Group (network) outside.id77971X5929.odst.net.0 215: Object Group (network) outside.id77971X5929.tsrc.net.0 219: Object Group (service) outside.id77971X5929.osrv.1 223: Object Group (service) sg1 228: Object Group (service) sg2 232: Object Group (service) sg3 238: Object Group (service) sg4 243: Object Group (service) sg5 254: Object Group (service) combo-group-1 258: Object Group (service) neq-group-2 274: Object Group (protocol) pg1 279: Object Group (protocol) pg2 284: Object Group (icmp) ig1 287: Object Group (icmp) ig2 290: Object Group (icmp) ig3 296: Object Group (service) id5102X14531.srv.tcp.0 301: Object Group (service) tcp-udp-1 304: filtering rule: access list inside_in, action permit 305: Interface Vlan1 ruleset inside_in direction 'in' fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3-objects-and-groups.test000066400000000000000000000201041303637203600310750ustar00rootroot00000000000000: Saved : ASA Version 8.3(2) ! hostname asa5505 ! interface Vlan1 description inside interface nameif inside security-level 100 ip address dhcp setroute ! interface Vlan2 description outside interface nameif outside security-level 0 ip address 192.168.2.1 255.255.255.0 ! interface Ethernet0/0 description Switch port 0/0 switchport access vlan 2 ! ! object network internal_subnet_1 subnet 192.168.1.0 255.255.255.192 description Internal Subnet 1 object network internal_subnet_2 subnet 192.168.1.64 255.255.255.192 description Internal Subnet 2 ! this object matches network in standard objects lib, but it should be created anyway object network internal_subnet_3 subnet 192.168.1.0 255.255.255.0 description Internal Subnet 1 ! 
this object matches internale_subnet_1 but has different name and should be created object network internal_subnet_4 subnet 192.168.1.0 255.255.255.192 object network Internal_net subnet 192.168.1.0 255.255.255.0 object network outside_range-1 range 22.22.22.30 22.22.22.40 object network range_1 range 10.1.1.1 10.1.1.100 object network firewall90:FastEthernet1:ip-1 host 22.22.22.23 object network hostA:eth0 host 192.168.1.10 object network spamhost1 host 61.150.47.112 object network spamhost2 host 61.150.47.113 object network external_gw2 host 22.22.22.100 ! ! Example of a named object with "nat" command ! object network my-range-obj range 10.2.2.1 10.2.2.10 object network my-inside-net subnet 192.168.2.0 255.255.255.0 nat (inside,outside) dynamic my-range-ob ! ! ipv6 addresses ! object network ipv6-host-object-1 host 2001:0db8:85a3:0000:0000:8a2e:0370:7334 description Example of IPv6 host object object network ipv6-network-object-1 subnet 2001::/64 description IPv6 network object example object network ipv6-host-object-3 host fe80::202:b3ff:fe1e:8329 description Example of IPv6 host object object network ipv6-host-object-3 host a1b2:c3d4:e5f6:b3ff:fe1e:8329:0:1234 description Example of IPv6 host object ! empty named object definition object network dummy-address ! ! more good network objects after the empty one object network internal_subnet_5 subnet 10.10.1.0 255.255.255.0 ! ! another test for an empty object and non-empty object but no comments this time object network dummy-address-1 object network internal_subnet_6 subnet 10.10.2.0 255.255.255.0 ! object network ipv6-host-object-2 host 2001:af::1 description Test IPv6 host object network host-1 host 10.0.0.1 ! object service smtp service tcp destination eq smtp object service http service tcp destination eq www object service ssh service tcp destination eq 22 object service squid service tcp destination eq 3128 object service smtps service tcp destination eq 465 ! 
object service icmp1 service icmp echo object service icmp2 service icmp unreachable object service ip5 service 111 ! object service tcp-src-1 service tcp source lt 1024 description object description tcp src 1 object service tcp-src-2 service tcp source gt 1024 object service tcp-src-3 service tcp source eq 80 object service tcp-src-4 service tcp source neq 88 object service tcp-src-5 service tcp source range 1000 1010 ! object service tcp-dst-1 service tcp destination lt 1024 object service tcp-dst-2 service tcp destination gt 1024 object service tcp-dst-3 service tcp destination eq 80 object service tcp-dst-4 service tcp destination neq 88 object service tcp-dst-5 service tcp destination range 1001 1011 ! object service tcp-src-dst-1 service tcp source lt 1024 destination eq 80 object service tcp-src-dst-2 service tcp source gt 1024 destination eq 2222 object service tcp-src-dst-3 service tcp source eq 80 destination gt 1024 object service tcp-src-dst-4 service tcp source neq 88 destination gt 1024 object service tcp-src-dst-5 service tcp source range 1002 1012 destination gt 1024 ! object service udp-src-1 service udp source lt 1024 object service udp-src-2 service udp source gt 1024 object service udp-src-3 service udp source eq 80 object service udp-src-4 service udp source neq 88 object service udp-src-5 service udp source range 1000 1010 ! object service udp-dst-1 service udp destination lt 1024 object service udp-dst-2 service udp destination gt 1024 object service udp-dst-3 service udp destination eq 80 object service udp-dst-4 service udp destination neq 88 object service udp-dst-5 service udp destination range 1001 1011 ! object service ip1 service ip object service ip2 service eigrp object service icmp6-1 service icmp6 neighbor-advertisement ! ! named object using unknown protocol name object service ip3 service some_weird_protocol ! incomplete statement ! object service ip4 ! 
object-group network outside.id178211X29963.osrc.net.0 network-object object internal_subnet_1 network-object object internal_subnet_2 object-group network outside.id21353X4994.osrc.net.0 network-object object internal_subnet_1 network-object object Internal_net network-object object internal_subnet_2 object-group network outside.id77971X5929.osrc.net.1 network-object object internal_subnet_1 network-object object internal_subnet_2 object-group network outside.id77971X5929.odst.net.1 network-object object spamhost1 network-object object spamhost2 object-group network outside.id77971X5929.tsrc.net.1 network-object object outside_range-1 network-object object external_gw2 object-group network outside.id77971X5929.osrc.net.0 network-object object internal_subnet_1 network-object object internal_subnet_2 object-group network outside.id77971X5929.odst.net.0 network-object object spamhost1 network-object object spamhost2 object-group network outside.id77971X5929.tsrc.net.0 network-object object outside_range-1 network-object object external_gw2 object-group service outside.id77971X5929.osrv.1 service-object object smtp service-object object smtps object-group service sg1 service-object ip service-object eigrp service-object gre service-object 111 object-group service sg2 service-object icmp echo service-object icmp echo-reply service-object icmp 111 object-group service sg3 service-object tcp source gt 1024 destination eq www service-object tcp source gt 1024 destination range 10000 10010 service-object tcp source gt 1024 destination neq www service-object tcp source gt 1024 destination lt 1024 service-object tcp destination eq 22 object-group service sg4 service-object tcp source gt 1024 service-object tcp source lt 1024 service-object tcp source eq www service-object tcp source neq www object-group service sg5 service-object udp source gt 1024 service-object udp source gt 1024 destination eq www service-object udp destination eq domain service-object udp destination eq 
5353 service-object object udp-dst-1 service-object object udp-dst-2 group-object sg1 group-object sg2 ! object-group service combo-group-1 service-object tcp-udp eq 10000 service-object tcp-udp lt 1024 service-object tcp-udp gt 1024 object-group service neq-group-2 service-object tcp neq www service-object tcp neq 81 service-object tcp neq 82 service-object tcp-udp neq 82 service-object tcp-udp neq 83 service-object tcp-udp neq 84 service-object udp neq 85 service-object udp neq 86 service-object udp neq 87 service-object udp neq www service-object udp neq nfs service-object udp neq radius service-object udp neq radius-acct service-object tcp neq ident object-group protocol pg1 protocol-object 111 protocol-object ah protocol-object ip protocol-object eigrp object-group protocol pg2 protocol-object 112 protocol-object object ip5 group-object pg1 ! object-group icmp-type ig1 icmp-object echo icmp-object 111 object-group icmp-type ig2 icmp-object echo-reply icmp-object 112 object-group icmp-type ig3 icmp-object mask-reply group-object ig1 ! also check for the terminating "exit" line (but this line is absent ! 
in show run output so we can't rely on it) object-group service id5102X14531.srv.tcp.0 tcp port-object eq 80 port-object eq 443 exit object-group service tcp-udp-1 tcp-udp port-object eq 10001 access-list inside_in extended permit ip any any access-group inside_in in interface inside fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3.fwb000066400000000000000000002506661303637203600252120ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3.output000066400000000000000000000041641303637203600257620ustar00rootroot000000000000003: Platform: ASA 3: Version: 8.3 14: New interface: Vlan1 14: Interface comment: inside interface 15: Interface parameters: inside 15: Interface label: inside 17: Interface address: dhcp/ 20: New interface: Vlan2 20: Interface comment: outside interface 21: Interface parameters: outside 21: Interface label: outside 23: Interface address: 192.168.2.1/255.255.255.0 26: New interface: Ethernet0/0 26: Interface comment: Switch port 0 / 0 27: Switch port vlan 2 30: New interface: Vlan2020 35: New interface: Ethernet0/1 Warning: interface Ethernet0/1 was not imported because it is in "shutdown" mode 37: New interface: Ethernet0/2 Warning: interface Ethernet0/2 was not imported because it is in "shutdown" mode 39: New interface: Ethernet0/3 Warning: interface Ethernet0/3 was not imported because it is in "shutdown" mode 41: New interface: Ethernet0/4 Warning: interface Ethernet0/4 was not imported because it is in "shutdown" mode 43: New interface: Ethernet0/5 Warning: interface Ethernet0/5 was not imported because it is in "shutdown" mode 45: New interface: Ethernet0/6 Warning: interface Ethernet0/6 was not imported because it is in 
"shutdown" mode 47: New interface: Ethernet0/7 Warning: interface Ethernet0/7 was not imported because it is in "shutdown" mode 53: Named object (address) internal_subnet_1 56: Named object (address) internal_subnet_2 59: Named object (address) Internal_net 61: Named object (address) hostA:eth0 65: filtering rule: access list outside_acl_in, action deny 84: Interface Vlan1 ruleset http_commands_inside direction 'in' 84: filtering rule: access list http_commands_inside, action permit 85: Interface Vlan1 ruleset http_commands_inside direction 'in' 85: filtering rule: access list http_commands_inside, action permit 86: Interface Vlan1 ruleset http_commands_inside direction 'in' 86: filtering rule: access list http_commands_inside, action permit 95: Interface Vlan1 ruleset ssh_commands_inside direction 'in' 95: filtering rule: access list ssh_commands_inside, action permit 96: Interface Vlan1 ruleset ssh_commands_inside direction 'in' 96: filtering rule: access list ssh_commands_inside, action permit fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/asa8.3.test000077500000000000000000000071651303637203600254100ustar00rootroot00000000000000: Saved : ASA Version 8.3(2) ! hostname asa5505 enable password XXXXXXXXXXXXXXXX encrypted passwd YYYYYYYYYYYYYYYY encrypted names name 1.2.3.4 gw name 192.168.3.0 fake_network name 192.168.4.1 inside_ip name 2001:0db8:85a3:0000:0000:8a2e:0370:7334 some_ipv6_address ! interface Vlan1 description inside interface nameif inside security-level 100 ip address dhcp setroute ! interface Vlan2 description outside interface nameif outside security-level 0 ip address 192.168.2.1 255.255.255.0 ! interface Ethernet0/0 description Switch port 0/0 switchport access vlan 2 ! interface Vlan2020 no nameif no security-level no ip address ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! 
boot system disk0:/asa832-k8.bin ftp mode passive ! object network internal_subnet_1 subnet 192.168.1.0 255.255.255.192 description Internal Subnet 1 object network internal_subnet_2 subnet 192.168.1.64 255.255.255.192 description Internal Subnet 2 object network Internal_net subnet 192.168.1.0 255.255.255.0 object network hostA:eth0 host 192.168.1.10 access-list outside_acl_in extended deny ip any any log pager lines 24 logging enable logging buffered errors logging asdm informational mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy aaa authentication ssh console LOCAL http server enable http 192.168.1.0 255.255.255.0 inside http 10.0.0.0 255.255.255.0 inside http 10.1.1.1 255.255.255.255 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart service resetinbound interface outside crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh scopy enable ssh 10.10.10.0 255.255.255.0 inside ssh 10.1.1.0 255.255.255.0 inside ssh timeout 30 ssh version 2 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn username foo password AAAAAAAAAAAAAAAA encrypted privilege 15 ! class-map inspection_default match default-inspection-traffic ! ! 
policy-map global_policy class inspection_default inspect ctiqbe inspect dns inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect icmp inspect ils inspect mgcp inspect rsh inspect rtsp inspect sip inspect skinny inspect esmtp inspect sqlnet inspect tftp policy-map type inspect ip-options ip-options-map parameters eool action allow nop action allow router-alert action allow ! service-policy global_policy global prompt hostname context call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx : end fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/fwsm1.fwb000066400000000000000000002416031303637203600252410ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/fwsm1.output000066400000000000000000000017461303637203600260250ustar00rootroot000000000000003: Platform: FWSM 3: Version: 4.1 11: New interface: Vlan350 11: Interface comment: management 12: Interface parameters: vlan0350 12: Interface label: vlan0350 14: Interface address: 192.0.2.1/255.255.255.0 18: New interface: Vlan351 18: Interface parameters: vlan0351 18: Interface label: vlan0351 23: New interface: Vlan352 23: Interface parameters: vlan0352 23: Interface label: vlan0352 28: New interface: Vlan353 28: Interface parameters: vlan0353 28: Interface label: vlan0353 33: New 
interface: Vlan354 33: Interface parameters: vlan0354 33: Interface label: vlan0354 47: Interface Vlan350 ruleset icmp_commands_vlan0350 direction 'in' 47: filtering rule: access list icmp_commands_vlan0350, action permit 63: Interface Vlan350 ruleset http_commands_vlan0350 direction 'in' 63: filtering rule: access list http_commands_vlan0350, action permit 67: Interface Vlan350 ruleset ssh_commands_vlan0350 direction 'in' 67: filtering rule: access list ssh_commands_vlan0350, action permit fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/fwsm1.test000066400000000000000000000037151303637203600254420ustar00rootroot00000000000000: Saved : FWSM Version 4.1(4) ! hostname fwb domain-name default.domain.invalid enable password xxxxxxxxxxxxxxx encrypted names dns-guard ! interface Vlan350 description management nameif vlan0350 security-level 100 ip address 192.0.2.1 255.255.255.0 management-only ! interface Vlan351 nameif vlan0351 security-level 0 no ip address ! interface Vlan352 nameif vlan0352 security-level 0 no ip address ! interface Vlan353 nameif vlan0353 security-level 0 no ip address ! interface Vlan354 nameif vlan0354 security-level 0 no ip address ! 
passwd yyyyyyyyyyyyyyyy encrypted pager lines 24 logging enable logging asdm informational mtu vlan0350 1500 mtu vlan0351 1500 mtu vlan0352 1500 mtu vlan0353 1500 mtu vlan0354 1500 icmp permit any vlan0350 no asdm history enable arp timeout 14400 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-invite 0:03:00 sip-disconnect 0:02:00 timeout pptp-gre 0:02:00 timeout uauth 0:05:00 absolute username netcitadel password MMMMMMMMMMMMMMMM encrypted privilege 15 aaa authentication enable console LOCAL aaa authentication http console LOCAL aaa authentication ssh console LOCAL aaa authorization command LOCAL http server enable http 192.0.2.0 255.255.255.0 vlan0350 no snmp-server location no snmp-server contact telnet timeout 5 ssh 192.0.2.0 255.255.255.0 vlan0350 ssh timeout 5 ssh version 2 ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect skinny inspect smtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! 
service-policy global_policy global Cryptochecksum:34b2ef08671bc98ed1d598733ed72e73 : end fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/pix6.fwb000066400000000000000000004306121303637203600250720ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/pix6.output000066400000000000000000000173031303637203600256520ustar00rootroot000000000000003: Platform: PIX 3: Version: 6.3 4: New interface: ethernet0 5: New interface: ethernet1 5: Interface parameters: ethernet0 outside security0 5: Interface parameters: ethernet1 inside security100 34: Object Group (icmp) inside.id12349X2458.srv.icmp.0 38: Object Group (icmp) outside.id12363X2458.srv.icmp.0 43: Object Group (service) outside.id12376X2458.srv.udp.0 46: Object Group (service) outside.id12438X2458.srv.tcp.0 49: Object Group (service) outside.id12466X2458.srv.tcp.0 52: Rule comment: 0 ( ethernet0 ) 53: filtering rule: access list outside_acl_in, action deny 54: filtering rule: access list outside_acl_in, action deny 55: Rule comment: 3 ( global ) 56: filtering rule: access list outside_acl_in, action permit 57: filtering rule: access list outside_acl_in, action permit 58: Rule comment: 4 ( global ) 59: Rule comment: fw uses DHCP 60: Rule comment: plus many DHCP requests 61: Rule comment: from cable modem 62: filtering rule: access list outside_acl_in, action permit 63: filtering rule: access list outside_acl_in, action permit 64: Rule comment: 6 ( global ) 65: filtering rule: access list outside_acl_in, action deny 66: Rule comment: 7 ( global ) 67: filtering rule: access list outside_acl_in, action permit 68: Rule comment: 10 ( global ) 69: Rule comment: using swatch to automatically 70: Rule comment: block probing 
ssh connections , so no 71: Rule comment: need to limit 72: filtering rule: access list outside_acl_in, action permit 73: filtering rule: access list outside_acl_in, action permit 74: filtering rule: access list outside_acl_in, action permit 75: Rule comment: 11 ( global ) 76: filtering rule: access list outside_acl_in, action permit 77: filtering rule: access list outside_acl_in, action permit 78: filtering rule: access list outside_acl_in, action permit 79: Rule comment: 17 ( global ) 80: filtering rule: access list outside_acl_in, action permit 81: filtering rule: access list outside_acl_in, action permit 82: Rule comment: 19 ( global ) 83: Rule comment: ' catch all' rule 84: filtering rule: access list outside_acl_in, action deny 85: Rule comment: 1 ( global ) 86: filtering rule: access list inside_acl_in, action permit 87: filtering rule: access list inside_acl_in, action permit 88: Rule comment: 2 ( global ) 89: filtering rule: access list inside_acl_in, action permit 90: filtering rule: access list inside_acl_in, action permit 91: Rule comment: 3 ( global ) 92: filtering rule: access list inside_acl_in, action permit 93: Rule comment: 5 ( global ) 94: filtering rule: access list inside_acl_in, action permit 95: Rule comment: 6 ( global ) 96: filtering rule: access list inside_acl_in, action deny 97: Rule comment: 7 ( global ) 98: filtering rule: access list inside_acl_in, action permit 99: Rule comment: 10 ( global ) 100: Rule comment: using swatch to automatically 101: Rule comment: block probing ssh connections , so no 102: Rule comment: need to limit 103: filtering rule: access list inside_acl_in, action permit 104: Rule comment: 11 ( global ) 105: filtering rule: access list inside_acl_in, action permit 106: Rule comment: 17 ( global ) 107: filtering rule: access list inside_acl_in, action permit 108: filtering rule: access list inside_acl_in, action permit 109: Rule comment: 18 ( global ) 110: filtering rule: access list inside_acl_in, action permit 
111: Rule comment: 19 ( global ) 112: Rule comment: ' catch all' rule 113: filtering rule: access list inside_acl_in, action deny 114: filtering rule: access list id12594X2458.0, action permit 115: filtering rule: access list id12594X2458.1, action permit 116: filtering rule: access list id12594X2458.2, action permit 117: filtering rule: access list id12594X2458.3, action permit 118: filtering rule: access list id12626X2458.0, action permit 119: filtering rule: access list id12626X2458.1, action permit 120: filtering rule: access list id12626X2458.2, action permit 121: filtering rule: access list id12642X2458.0, action permit 122: filtering rule: access list id12656X2458.0, action permit 123: filtering rule: access list id12670X2458.0, action permit 124: filtering rule: access list id12684X2458.0, action permit 125: filtering rule: access list id12743X2458.0, action permit 136: Interface ethernet0 ruleset icmp_commands_outside direction 'in' 136: filtering rule: access list icmp_commands_outside, action permit 137: Interface ethernet0 ruleset icmp_commands_outside direction 'in' 137: filtering rule: access list icmp_commands_outside, action permit 138: Interface ethernet0 ruleset icmp_commands_outside direction 'in' 138: filtering rule: access list icmp_commands_outside, action permit 139: Interface ethernet0 ruleset icmp_commands_outside direction 'in' 139: filtering rule: access list icmp_commands_outside, action permit 140: Interface ethernet0 ruleset icmp_commands_outside direction 'in' 140: filtering rule: access list icmp_commands_outside, action permit 141: Interface ethernet0 ruleset icmp_commands_outside direction 'in' 141: filtering rule: access list icmp_commands_outside, action permit 142: Interface ethernet1 ruleset icmp_commands_inside direction 'in' 142: filtering rule: access list icmp_commands_inside, action permit 143: Interface ethernet1 ruleset icmp_commands_inside direction 'in' 143: filtering rule: access list icmp_commands_inside, action 
permit 144: Interface ethernet1 ruleset icmp_commands_inside direction 'in' 144: filtering rule: access list icmp_commands_inside, action permit 145: Interface ethernet1 ruleset icmp_commands_inside direction 'in' 145: filtering rule: access list icmp_commands_inside, action permit 146: Interface ethernet1 ruleset icmp_commands_inside direction 'in' 146: filtering rule: access list icmp_commands_inside, action permit 147: Interface ethernet1 ruleset icmp_commands_inside direction 'in' 147: filtering rule: access list icmp_commands_inside, action permit 148: Interface ethernet1 ruleset icmp_commands_inside direction 'in' 148: filtering rule: access list icmp_commands_inside, action permit 149: Interface ethernet1 ruleset icmp_commands_inside direction 'in' 149: filtering rule: access list icmp_commands_inside, action permit 150: Interface ethernet1 ruleset icmp_commands_inside direction 'in' 150: filtering rule: access list icmp_commands_inside, action permit 152: Interface ethernet1 ruleset telnet_commands_inside direction 'in' 152: filtering rule: access list telnet_commands_inside, action permit 154: Interface ethernet1 ruleset ssh_commands_inside direction 'in' 154: filtering rule: access list ssh_commands_inside, action permit 155: Interface ethernet1 ruleset ssh_commands_inside direction 'in' 155: filtering rule: access list ssh_commands_inside, action permit 155: Interface address: dhcp/ 155: Interface address: 10.1.1.202/255.255.255.0 166: Global address pool: number 1, interface outside, address range interface-interface, netmask 255.255.255.255 167: Source translation rule ("nat" command) 168: Destination translation rule ("static" command) 169: Destination translation rule ("static" command) 170: Destination translation rule ("static" command) 171: Destination translation rule ("static" command) 172: Destination translation rule ("static" command) 173: Destination translation rule ("static" command) 174: Destination translation rule ("static" command) 
175: Destination translation rule ("static" command) 176: Destination translation rule ("static" command) 177: Interface ethernet0 ruleset outside_acl_in direction 'in' 178: Interface ethernet1 ruleset inside_acl_in direction 'in' 196: Interface ethernet1 ruleset http_commands_inside direction 'in' 196: filtering rule: access list http_commands_inside, action permit 197: Interface ethernet1 ruleset http_commands_inside direction 'in' 197: filtering rule: access list http_commands_inside, action permit fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/pix6.test000077500000000000000000000233761303637203600253030ustar00rootroot00000000000000: Saved : PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100baseTX nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password XXXXXXXXXXXXXXXX encrypted passwd YYYYYYYYYYYYYYYY encrypted hostname guardian domain-name some-domain.org clock timezone PDT -7 clock summer-time PDT recurring fixup protocol ctiqbe 2748 fixup protocol dns maximum-length 65535 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol icmp error fixup protocol ils 389 fixup protocol mgcp 2427 fixup protocol mgcp 2727 fixup protocol pptp 1723 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 no fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names object-group icmp-type inside.id12349X2458.srv.icmp.0 icmp-object time-exceeded icmp-object echo-reply icmp-object unreachable object-group icmp-type outside.id12363X2458.srv.icmp.0 icmp-object echo icmp-object time-exceeded icmp-object echo-reply icmp-object unreachable object-group service outside.id12376X2458.srv.udp.0 udp port-object eq bootpc port-object eq bootps object-group service outside.id12438X2458.srv.tcp.0 tcp port-object eq ssh port-object eq www object-group service 
outside.id12466X2458.srv.tcp.0 tcp port-object eq 8765 port-object eq ssh access-list outside_acl_in remark 0 (ethernet0) access-list outside_acl_in deny ip host 10.1.1.202 any log 5 access-list outside_acl_in deny ip 10.1.1.0 255.255.255.0 any log 5 access-list outside_acl_in remark 3 (global) access-list outside_acl_in permit icmp any interface outside echo access-list outside_acl_in permit icmp any interface outside object-group outside.id12363X2458.srv.icmp.0 access-list outside_acl_in remark 4 (global) access-list outside_acl_in remark fw uses DHCP access-list outside_acl_in remark plus many DHCP requests access-list outside_acl_in remark from cable modem access-list outside_acl_in permit udp any interface outside object-group outside.id12376X2458.srv.udp.0 access-list outside_acl_in permit udp any host 255.255.255.255 object-group outside.id12376X2458.srv.udp.0 access-list outside_acl_in remark 6 (global) access-list outside_acl_in deny tcp any interface outside eq ident access-list outside_acl_in remark 7 (global) access-list outside_acl_in permit tcp any host 10.1.1.10 eq smtp access-list outside_acl_in remark 10 (global) access-list outside_acl_in remark using swatch to automatically access-list outside_acl_in remark block probing ssh connections, so no access-list outside_acl_in remark need to limit access-list outside_acl_in permit tcp any interface outside eq ssh access-list outside_acl_in permit tcp any interface outside eq www access-list outside_acl_in permit tcp any host 10.1.1.43 object-group outside.id12438X2458.srv.tcp.0 access-list outside_acl_in remark 11 (global) access-list outside_acl_in permit tcp any interface outside eq 8765 access-list outside_acl_in permit tcp any interface outside eq 2222 access-list outside_acl_in permit tcp any host 10.1.1.46 object-group outside.id12466X2458.srv.tcp.0 access-list outside_acl_in remark 17 (global) access-list outside_acl_in permit icmp any interface outside access-list outside_acl_in permit icmp any 
any access-list outside_acl_in remark 19 (global) access-list outside_acl_in remark 'catch all' rule access-list outside_acl_in deny ip any any log 5 access-list inside_acl_in remark 1 (global) access-list inside_acl_in permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.202 eq www access-list inside_acl_in permit udp 10.1.1.0 255.255.255.0 host 10.1.1.202 eq snmp access-list inside_acl_in remark 2 (global) access-list inside_acl_in permit icmp host 10.1.1.202 host 10.1.1.202 object-group inside.id12349X2458.srv.icmp.0 access-list inside_acl_in permit icmp host 10.1.1.202 any object-group inside.id12349X2458.srv.icmp.0 access-list inside_acl_in remark 3 (global) access-list inside_acl_in permit icmp any host 10.1.1.202 object-group outside.id12363X2458.srv.icmp.0 access-list inside_acl_in remark 5 (global) access-list inside_acl_in permit ip host 10.1.1.202 any access-list inside_acl_in remark 6 (global) access-list inside_acl_in deny tcp any host 10.1.1.202 eq ident access-list inside_acl_in remark 7 (global) access-list inside_acl_in permit tcp any host 10.1.1.10 eq smtp access-list inside_acl_in remark 10 (global) access-list inside_acl_in remark using swatch to automatically access-list inside_acl_in remark block probing ssh connections, so no access-list inside_acl_in remark need to limit access-list inside_acl_in permit tcp any host 10.1.1.43 object-group outside.id12438X2458.srv.tcp.0 access-list inside_acl_in remark 11 (global) access-list inside_acl_in permit tcp any host 10.1.1.46 object-group outside.id12466X2458.srv.tcp.0 access-list inside_acl_in remark 17 (global) access-list inside_acl_in permit icmp any host 10.1.1.202 access-list inside_acl_in permit icmp any any access-list inside_acl_in remark 18 (global) access-list inside_acl_in permit ip 10.1.1.0 255.255.255.0 any access-list inside_acl_in remark 19 (global) access-list inside_acl_in remark 'catch all' rule access-list inside_acl_in deny ip any any log 5 access-list id12594X2458.0 permit tcp host 
10.1.1.43 eq www any access-list id12594X2458.1 permit tcp host 127.0.0.1 eq www any access-list id12594X2458.2 permit tcp host 10.1.1.43 eq ssh any access-list id12594X2458.3 permit tcp host 127.0.0.1 eq ssh any access-list id12626X2458.0 permit tcp host 10.1.1.42 eq smtp any access-list id12626X2458.1 permit tcp host 10.1.1.42 eq 993 any access-list id12626X2458.2 permit tcp host 10.1.1.42 eq 587 any access-list id12642X2458.0 permit tcp host 10.1.1.46 eq ssh any access-list id12656X2458.0 permit tcp host 10.1.1.46 eq 8765 any access-list id12670X2458.0 permit tcp host 10.1.1.32 eq 5900 any access-list id12684X2458.0 permit tcp host 10.1.1.102 eq 5901 any access-list id12743X2458.0 permit ip 10.1.1.0 255.255.255.0 any no pager logging on logging timestamp logging buffered informational logging trap notifications logging facility 16 logging queue 10 logging device-id ipaddress inside logging host inside 10.1.1.10 logging host inside 10.1.1.40 format emblem icmp permit any echo outside icmp permit any 111 outside icmp permit any time-exceeded outside icmp permit any echo-reply outside icmp permit any unreachable outside icmp permit any outside icmp permit host 10.1.1.202 time-exceeded inside icmp permit host 10.1.1.202 echo-reply inside icmp permit host 10.1.1.202 unreachable inside icmp permit any echo inside icmp permit any time-exceeded inside icmp permit any echo-reply inside icmp permit any unreachable inside icmp permit any inside icmp permit 10.1.1.0 255.255.255.0 inside telnet 10.1.1.0 255.255.255.0 inside telnet timeout 5 ssh 10.1.1.30 255.255.255.255 inside ssh 10.1.1.0 255.255.255.0 inside ssh timeout 5 mtu outside 1500 mtu inside 1500 ip address outside dhcp setroute retry 10 ip address inside 10.1.1.202 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 access-list id12743X2458.0 0 0 static (inside,outside) tcp interface www access-list id12594X2458.0 0 
0 static (inside,outside) tcp interface ssh access-list id12594X2458.2 0 0 static (inside,outside) tcp interface smtp access-list id12626X2458.0 0 0 static (inside,outside) tcp interface 993 access-list id12626X2458.1 0 0 static (inside,outside) tcp interface 587 access-list id12626X2458.2 0 0 static (inside,outside) tcp interface 2222 access-list id12642X2458.0 0 0 static (inside,outside) tcp interface 8765 access-list id12656X2458.0 0 0 static (inside,outside) tcp interface 5900 access-list id12670X2458.0 0 0 static (inside,outside) tcp interface 5901 access-list id12684X2458.0 0 0 access-group outside_acl_in in interface outside access-group inside_acl_in in interface inside timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:00:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 2:00:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local aaa authentication ssh console LOCAL aaa authentication telnet console LOCAL aaa authorization command LOCAL ntp server 10.1.1.10 source inside prefer http server enable http 10.1.1.40 255.255.255.255 inside http 10.1.1.0 255.255.255.0 inside snmp-server host inside 10.1.1.30 snmp-server host inside 10.1.1.41 snmp-server host inside 10.1.1.42 no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec service resetinbound service resetoutside crypto ipsec transform-set tripledes esp-3des esp-md5-hmac crypto map real 10 ipsec-isakmp crypto map real 10 set peer 192.168.171.2 crypto map real 10 set transform-set tripledes ! 
Incomplete crypto map real interface outside crypto map real interface inside isakmp enable outside isakmp key ******** address 192.168.171.2 netmask 255.255.255.255 isakmp identity address isakmp policy 1 authentication pre-share isakmp policy 1 encryption 3des isakmp policy 1 hash md5 isakmp policy 1 group 2 isakmp policy 1 lifetime 86400 isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 console timeout 0 username foo password AAAAAAAAAAAAAAAA encrypted privilege 15 terminal width 256 Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx : end fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb000066400000000000000000006123571303637203600256630ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/pix7-nat.output000066400000000000000000000167661303637203600264470ustar00rootroot000000000000003: Platform: PIX 3: Version: 7.2 16: New interface: Ethernet0 21: New interface: Ethernet0.101 22: Interface parameters: outside 22: Interface label: outside 24: Interface address: 192.0.2.253/255.255.255.0 27: New interface: Ethernet0.102 28: Interface parameters: dmz20 28: Interface label: dmz20 30: Interface address: 10.0.0.253/255.255.255.0 30: Warning: failover IP detected. 
Failover is not supported by import at this time 33: New interface: Ethernet1 35: Interface parameters: inside 35: Interface label: inside 37: Interface address: 10.1.1.206/255.255.255.0 40: New interface: Ethernet2 Warning: interface Ethernet2 was not imported because it is in "shutdown" mode 45: New interface: Ethernet3 Warning: interface Ethernet3 was not imported because it is in "shutdown" mode 51: New interface: Ethernet4 Warning: interface Ethernet4 was not imported because it is in "shutdown" mode 57: New interface: Ethernet5 Warning: interface Ethernet5 was not imported because it is in "shutdown" mode 63: New interface: Ethernet6 Warning: interface Ethernet6 was not imported because it is in "shutdown" mode 71: Object Group (network) outside.id12051X6282.src.net.0 74: Object Group (network) outside.id12051X6282.src.net.1 79: Object Group (network) outside.id12051X6282.src.net.2 83: Object Group (network) network-zone-inside 85: Object Group (network) network-zone-dmz20 89: filtering rule: access list outside_in, action deny 90: filtering rule: access list outside_in, action deny 91: filtering rule: access list outside_in, action deny 92: filtering rule: access list outside_in, action deny 93: filtering rule: access list inside_out, action permit 94: filtering rule: access list inside_out, action permit 95: filtering rule: access list inside_out, action permit 96: filtering rule: access list inside_out, action permit 97: filtering rule: access list inside_out, action deny 98: filtering rule: access list inside_in, action deny 99: filtering rule: access list inside_in, action deny 100: filtering rule: access list inside_in, action deny 101: filtering rule: access list inside_in, action permit 102: filtering rule: access list inside_in, action deny 104: filtering rule: access list id12251X6282.0, action permit 106: filtering rule: access list id12594X2458.0, action permit 109: filtering rule: access list WEB, action permit 111: filtering rule: access list 
WEB2, action permit 112: filtering rule: access list WEB2, action permit 113: filtering rule: access list EXEMPT, action permit 115: filtering rule: access list NET1, action permit 143: Global address pool: number 1, interface outside, address range interface-interface, netmask 255.255.255.255 144: Source translation rule ("nat" command) 146: Global address pool: number 2, interface outside, address range 192.0.2.10-192.0.2.10, netmask 255.255.255.255 147: Global address pool: number 2, interface outside, address range 192.0.2.11-192.0.2.15, netmask 255.255.255.255 148: Global address pool: number 2, interface outside, address range 192.0.2.128-192.0.2.128, netmask 255.255.255.240 149: Global address pool: number 2, interface dmz20, address range 10.0.0.128-10.0.0.128, netmask 255.255.255.240 150: Global address pool: number 3, interface outside, address range 192.0.2.20-192.0.2.20, netmask 255.255.255.255 151: Global address pool: number 3, interface outside, address range 192.0.2.30-192.0.2.31, netmask 255.255.255.255 153: Source translation rule ("nat" command) 154: Source translation rule ("nat" command) 156: Source translation rule ("nat" command) 157: Source translation rule ("nat" command) 160: Source translation rule ("nat" command) 163: Source translation rule ("nat" command) 163: NAT exemption rule ("nat (interface) 0" command) 166: Source translation rule ("nat" command) 169: Source translation rule ("nat" command) 173: Destination translation rule ("static" command) 174: Destination translation rule ("static" command) 175: Destination translation rule ("static" command) 176: Destination translation rule ("static" command) 177: Destination translation rule ("static" command) 179: Destination translation rule ("static" command) 180: Destination translation rule ("static" command) 181: Destination translation rule ("static" command) 182: Destination translation rule ("static" command) 183: Destination translation rule ("static" command) 184: Destination 
translation rule ("static" command) 185: Destination translation rule ("static" command) 186: Destination translation rule ("static" command) 187: Destination translation rule ("static" command) 188: Destination translation rule ("static" command) 189: Destination translation rule ("static" command) 190: Destination translation rule ("static" command) 191: Destination translation rule ("static" command) 192: Destination translation rule ("static" command) 193: Destination translation rule ("static" command) 194: Destination translation rule ("static" command) 195: Destination translation rule ("static" command) 196: Destination translation rule ("static" command) 197: Destination translation rule ("static" command) 198: Destination translation rule ("static" command) 199: Destination translation rule ("static" command) 200: Destination translation rule ("static" command) 201: Destination translation rule ("static" command) 202: Destination translation rule ("static" command) 203: Destination translation rule ("static" command) 204: Destination translation rule ("static" command) 205: Destination translation rule ("static" command) 206: Destination translation rule ("static" command) 207: Destination translation rule ("static" command) 208: Destination translation rule ("static" command) 209: Destination translation rule ("static" command) 210: Destination translation rule ("static" command) 211: Destination translation rule ("static" command) 212: Destination translation rule ("static" command) 213: Destination translation rule ("static" command) 214: Destination translation rule ("static" command) 215: Destination translation rule ("static" command) 216: Destination translation rule ("static" command) 217: Destination translation rule ("static" command) 218: Destination translation rule ("static" command) 219: Destination translation rule ("static" command) 220: Destination translation rule ("static" command) 221: Destination translation rule ("static" command) 
222: Destination translation rule ("static" command) 223: Destination translation rule ("static" command) 224: Destination translation rule ("static" command) 225: Destination translation rule ("static" command) 226: Destination translation rule ("static" command) 227: Destination translation rule ("static" command) 228: Destination translation rule ("static" command) 229: Destination translation rule ("static" command) 234: Destination translation rule ("static" command) 235: Destination translation rule ("static" command) 236: Destination translation rule ("static" command) 238: Destination translation rule ("static" command) 241: Destination translation rule ("static" command) 244: Interface Ethernet0.101 ruleset outside_in direction 'in' 245: Interface Ethernet1 ruleset inside_in direction 'in' 246: Interface Ethernet1 ruleset inside_out direction 'out' 287: Interface Ethernet1 ruleset ssh_commands_inside direction 'in' 287: filtering rule: access list ssh_commands_inside, action permit 288: Interface Ethernet1 ruleset ssh_commands_inside direction 'in' 288: filtering rule: access list ssh_commands_inside, action permit 289: Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in' 289: filtering rule: access list ssh_commands_outside, action permit fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/pix7-nat.test000066400000000000000000000263011303637203600260500ustar00rootroot00000000000000: Saved : PIX Version 7.2(1) ! terminal width 511 hostname pix1 domain-name some-domain.org enable password XXXXXXXXXXXXXXXX encrypted names name 1.2.3.4 gw name 192.168.3.0 fake_network name 192.168.4.1 inside_ip ! dns-guard ! interface Ethernet0 no nameif no security-level no ip address ! interface Ethernet0.101 vlan 101 nameif outside security-level 0 ip address 192.0.2.253 255.255.255.0 ! interface Ethernet0.102 vlan 102 nameif dmz20 security-level 20 ip address 10.0.0.253 255.255.255.0 standby 10.0.0.254 ! 
interface Ethernet1 speed 100 duplex full nameif inside security-level 100 ip address 10.1.1.206 255.255.255.0 ! interface Ethernet2 shutdown description LAN/STATE Failover Interface speed 10 ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! interface Ethernet6 ! passwd MMMMMMMMMMMMMMMM encrypted boot system flash:/pix721.bin ftp mode passive clock timezone PDT -7 dns server-group DefaultDNS domain-name some-domain.org object-group network outside.id12051X6282.src.net.0 network-object host 10.1.1.206 network-object host 10.1.1.207 object-group network outside.id12051X6282.src.net.1 network-object host 172.17.1.253 network-object host 172.17.1.254 network-object host 192.0.2.253 network-object host 192.0.2.254 object-group network outside.id12051X6282.src.net.2 network-object host 10.0.0.253 network-object host 10.0.0.254 object-group network network-zone-inside network-object 10.1.1.0 255.255.255.0 object-group network network-zone-dmz20 network-object 10.0.0.0 255.255.255.0 access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.0 any log warnings access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.1 any log warnings access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.2 any log warnings access-list outside_in extended deny ip 10.1.1.0 255.255.255.0 any log warnings access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.0 10.1.1.0 255.255.255.0 eq domain log warnings access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.1 10.1.1.0 255.255.255.0 eq domain log warnings access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.2 10.1.1.0 255.255.255.0 eq domain log warnings access-list inside_out extended permit ip 10.1.1.0 
255.255.255.0 any access-list inside_out extended deny ip any any log warnings access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.0 log warnings access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.1 log warnings access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.2 log warnings access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any access-list inside_in extended deny ip any any log warnings access-list id12251X6282.0 extended permit ip 10.1.1.0 255.255.255.0 any access-list id12594X2458.0 permit tcp host 10.1.1.43 eq www any ! example from cisco docs, see also nat command below access-list WEB permit tcp 10.1.1.0 255.255.255.0 4.2.2.1 255.255.255.255 eq 80 access-list WEB2 permit tcp 192.168.2.0 255.255.255.0 4.2.2.1 255.255.255.255 eq 80 access-list WEB2 permit tcp 192.168.3.0 255.255.255.0 4.2.2.1 255.255.255.255 eq 80 access-list EXEMPT permit ip 192.168.4.0 255.255.255.0 any access-list NET1 permit ip host 10.1.1.20 host 4.2.2.1 pager lines 24 logging enable logging emblem logging trap debugging logging history informational logging facility 16 logging queue 10 logging device-id ipaddress inside logging host inside 192.168.240.20 logging host inside 10.1.1.40 format emblem logging class config buffered debugging mtu outside 1500 mtu dmz20 1500 mtu inside 1500 failover failover lan unit primary failover lan interface failover Ethernet2 failover lan enable failover key ***** failover link failover Ethernet2 failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254 no asdm history enable arp timeout 14400 nat-control global (outside) 1 interface nat (inside) 1 access-list id12251X6282.0 global (outside) 2 192.0.2.10 global (outside) 2 192.0.2.11-192.0.2.15 global (outside) 2 192.0.2.128 netmask 255.255.255.240 global (dmz20) 2 10.0.0.128 netmask 255.255.255.240 global (outside) 3 192.0.2.20 global (outside) 3 192.0.2.30-192.0.2.31 
nat (inside) 2 10.1.1.1 255.255.255.255 nat (inside) 2 10.1.1.32 255.255.255.240 nat (inside) 1 access-list WEB nat (inside) 1 access-list WEB2 ! multiple address blocks in pool 3 and multiple lines in access list WEB2 nat (inside) 3 access-list WEB2 ! nat exemption example nat (inside) 0 access-list EXEMPT ! example of nat () 1 0 0 command nat (inside) 3 0 0 ! "nat outside example with max_conn parameter nat (dmz20) 2 10.2.2.0 255.255.255.0 outside 1000 static (inside,dmz20) 10.0.0.16 10.1.1.16 netmask 255.255.255.240 static (inside,dmz20) 10.0.0.100 10.1.1.100 netmask 255.255.255.255 static (inside,dmz20) interface 10.1.1.111 static (inside,outside) tcp 10.5.80.16 80 10.1.1.16 8080 netmask 255.255.255.240 0 0 static (inside,outside) tcp 10.5.80.200 80 10.10.1.200 8080 netmask 255.255.255.255 0 0 static (inside,outside) tcp 10.5.80.16 aol 10.1.1.16 aol static (inside,outside) tcp 10.5.80.16 bgp 10.1.1.16 bgp static (inside,outside) tcp 10.5.80.16 chargen 10.1.1.16 chargen static (inside,outside) tcp 10.5.80.16 cifs 10.1.1.16 cifs static (inside,outside) tcp 10.5.80.16 citrix-ica 10.1.1.16 citrix-ica static (inside,outside) tcp 10.5.80.16 cmd 10.1.1.16 cmd static (inside,outside) tcp 10.5.80.16 ctiqbe 10.1.1.16 ctiqbe static (inside,outside) tcp 10.5.80.16 daytime 10.1.1.16 daytime static (inside,outside) tcp 10.5.80.16 discard 10.1.1.16 discard static (inside,outside) tcp 10.5.80.16 domain 10.1.1.16 domain static (inside,outside) tcp 10.5.80.16 echo 10.1.1.16 echo static (inside,outside) tcp 10.5.80.16 exec 10.1.1.16 exec static (inside,outside) tcp 10.5.80.16 finger 10.1.1.16 finger static (inside,outside) tcp 10.5.80.16 ftp 10.1.1.16 ftp static (inside,outside) tcp 10.5.80.16 ftp-data 10.1.1.16 ftp-data static (inside,outside) tcp 10.5.80.16 gopher 10.1.1.16 gopher static (inside,outside) tcp 10.5.80.16 h323 10.1.1.16 h323 static (inside,outside) tcp 10.5.80.16 hostname 10.1.1.16 hostname static (inside,outside) tcp 10.5.80.16 http 10.1.1.16 http static 
(inside,outside) tcp 10.5.80.16 https 10.1.1.16 https static (inside,outside) tcp 10.5.80.16 ident 10.1.1.16 ident static (inside,outside) tcp 10.5.80.16 imap4 10.1.1.16 imap4 static (inside,outside) tcp 10.5.80.16 irc 10.1.1.16 irc static (inside,outside) tcp 10.5.80.16 kerberos 10.1.1.16 kerberos static (inside,outside) tcp 10.5.80.16 klogin 10.1.1.16 klogin static (inside,outside) tcp 10.5.80.16 kshell 10.1.1.16 kshell static (inside,outside) tcp 10.5.80.16 ldap 10.1.1.16 ldap static (inside,outside) tcp 10.5.80.16 ldaps 10.1.1.16 ldaps static (inside,outside) tcp 10.5.80.16 login 10.1.1.16 login static (inside,outside) tcp 10.5.80.16 lotusnotes 10.1.1.16 lotusnotes static (inside,outside) tcp 10.5.80.16 lpd 10.1.1.16 lpd static (inside,outside) tcp 10.5.80.16 netbios-ssn 10.1.1.16 netbios-ssn static (inside,outside) tcp 10.5.80.16 nntp 10.1.1.16 nntp static (inside,outside) tcp 10.5.80.16 pcanywhere-data 10.1.1.16 pcanywhere-data static (inside,outside) tcp 10.5.80.16 pim-auto-rp 10.1.1.16 pim-auto-rp static (inside,outside) tcp 10.5.80.16 pop2 10.1.1.16 pop2 static (inside,outside) tcp 10.5.80.16 pop3 10.1.1.16 pop3 static (inside,outside) tcp 10.5.80.16 pptp 10.1.1.16 pptp static (inside,outside) tcp 10.5.80.16 rsh 10.1.1.16 rsh static (inside,outside) tcp 10.5.80.16 rtsp 10.1.1.16 rtsp static (inside,outside) tcp 10.5.80.16 sip 10.1.1.16 sip static (inside,outside) tcp 10.5.80.16 smtp 10.1.1.16 smtp static (inside,outside) tcp 10.5.80.16 sqlnet 10.1.1.16 sqlnet static (inside,outside) tcp 10.5.80.16 ssh 10.1.1.16 ssh static (inside,outside) tcp 10.5.80.16 sunrpc 10.1.1.16 sunrpc static (inside,outside) tcp 10.5.80.16 tacacs 10.1.1.16 tacacs static (inside,outside) tcp 10.5.80.16 talk 10.1.1.16 talk static (inside,outside) tcp 10.5.80.16 telnet 10.1.1.16 telnet static (inside,outside) tcp 10.5.80.16 uucp 10.1.1.16 uucp static (inside,outside) tcp 10.5.80.16 whois 10.1.1.16 whois static (inside,outside) tcp 10.5.80.16 www 10.1.1.16 www static (inside,outside) 
tcp interface www access-list id12594X2458.0 0 0 static (inside,outside) tcp interface 80 access-list id12594X2458.0 0 0 static (inside,outside) interface access-list id12594X2458.0 0 0 static (inside,outside) 192.0.2.15 access-list NET1 ! acl WEB2 has multiple lines. Does this even make sense ? static (inside,outside) 192.0.2.15 access-list WEB2 access-group outside_in in interface outside access-group inside_in in interface inside access-group inside_out out interface inside route inside 192.168.10.0 255.255.255.0 10.1.1.254 1 route inside 10.1.2.0 255.255.255.0 10.1.1.201 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 2:00:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius username fwbtest password AAAAAAAAAAAAAAAA encrypted privilege 15 aaa authentication ssh console LOCAL snmp-server host inside 10.1.1.180 community public snmp-server host inside 10.1.1.30 community public snmp-server host inside 10.1.1.40 poll community public version 2c no snmp-server location no snmp-server contact snmp-server community public crypto ipsec transform-set spde esp-des esp-sha-hmac crypto map spdemap 21 set peer 192.0.2.254 crypto map spdemap 21 set transform-set spde crypto isakmp identity address crypto isakmp policy 21 authentication pre-share encryption des hash sha group 1 lifetime 3600 crypto isakmp policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 tunnel-group 192.0.2.254 type ipsec-l2l tunnel-group 192.0.2.254 ipsec-attributes pre-shared-key * telnet timeout 5 ssh scopy enable ssh 10.1.1.0 255.255.255.0 inside ssh 10.1.2.0 255.255.255.0 inside ssh 192.0.2.100 255.255.255.255 outside ssh timeout 20 console timeout 0 ! 
class-map custom_h323_h225_inspection match port tcp range h323 1721 class-map custom_http_inspection match port tcp range www 88 class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect netbios inspect rsh inspect rtsp inspect skinny inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect ctiqbe inspect icmp inspect ils inspect mgcp inspect esmtp class custom_h323_h225_inspection inspect h323 h225 class custom_http_inspection inspect http ! service-policy global_policy global prompt hostname context Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx : end fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/pix7.fwb000066400000000000000000002774711303637203600251070ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/pix7.output000066400000000000000000000054141303637203600256530ustar00rootroot000000000000003: Platform: PIX 3: Version: 7.2 16: New interface: Ethernet0 21: New interface: Ethernet0.101 22: Interface parameters: outside 22: Interface label: outside 24: Interface address: 192.0.2.253/255.255.255.0 27: New interface: Ethernet0.102 28: Interface parameters: dmz20 28: Interface label: dmz20 30: Interface address: 10.0.0.253/255.255.255.0 30: Warning: failover IP detected. 
Failover is not supported by import at this time 33: New interface: Ethernet1 35: Interface parameters: inside 35: Interface label: inside 37: Interface address: 10.1.1.206/255.255.255.0 40: New interface: Ethernet2 40: Interface comment: LAN/STATE Failover Interface 44: New interface: Ethernet3 Warning: interface Ethernet3 was not imported because it is in "shutdown" mode 50: New interface: Ethernet4 Warning: interface Ethernet4 was not imported because it is in "shutdown" mode 56: New interface: Ethernet5 Warning: interface Ethernet5 was not imported because it is in "shutdown" mode 62: New interface: Ethernet6 Warning: interface Ethernet6 was not imported because it is in "shutdown" mode 70: Object Group (network) outside.id12051X6282.src.net.0 73: Object Group (network) outside.id12051X6282.src.net.1 78: Object Group (network) outside.id12051X6282.src.net.2 81: filtering rule: access list outside_in, action deny 82: filtering rule: access list outside_in, action deny 83: filtering rule: access list outside_in, action deny 84: filtering rule: access list outside_in, action deny 85: filtering rule: access list inside_out, action permit 86: filtering rule: access list inside_out, action permit 87: filtering rule: access list inside_out, action permit 88: filtering rule: access list inside_out, action permit 89: filtering rule: access list inside_out, action deny 90: filtering rule: access list inside_in, action deny 91: filtering rule: access list inside_in, action deny 92: filtering rule: access list inside_in, action deny 93: filtering rule: access list inside_in, action permit 94: filtering rule: access list inside_in, action deny 95: filtering rule: access list id12251X6282.0, action permit 97: Interface Ethernet1 ruleset inside_in direction 'in' 98: Interface Ethernet0.101 ruleset outside_in direction 'in' 123: Interface Ethernet0.101 ruleset outside_in direction 'in' 124: Interface Ethernet1 ruleset inside_in direction 'in' 125: Interface Ethernet1 ruleset 
inside_out direction 'out' 164: Interface Ethernet1 ruleset ssh_commands_inside direction 'in' 164: filtering rule: access list ssh_commands_inside, action permit 165: Interface Ethernet1 ruleset ssh_commands_inside direction 'in' 165: filtering rule: access list ssh_commands_inside, action permit 166: Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in' 166: filtering rule: access list ssh_commands_outside, action permit fwbuilder-5.3.7/src/unit_tests/PIXImporterTest/test_data/pix7.test000066400000000000000000000140531303637203600252710ustar00rootroot00000000000000: Saved : PIX Version 7.2(1) ! terminal width 511 hostname pix1 domain-name some-domain.org enable password XXXXXXXXXXXXXXXX encrypted names name 1.2.3.4 gw name 192.168.3.0 fake_network name 192.168.4.1 inside_ip ! dns-guard ! interface Ethernet0 no nameif no security-level no ip address ! interface Ethernet0.101 vlan 101 nameif outside security-level 0 ip address 192.0.2.253 255.255.255.0 ! interface Ethernet0.102 vlan 102 nameif dmz20 security-level 20 ip address 10.0.0.253 255.255.255.0 standby 10.0.0.254 ! interface Ethernet1 speed 100 duplex full nameif inside security-level 100 ip address 10.1.1.206 255.255.255.0 ! interface Ethernet2 description LAN/STATE Failover Interface speed 10 ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! interface Ethernet6 ! 
passwd MMMMMMMMMMMMMMMM encrypted boot system flash:/pix721.bin ftp mode passive clock timezone PDT -7 dns server-group DefaultDNS domain-name some-domain.org object-group network outside.id12051X6282.src.net.0 network-object host 10.1.1.206 network-object host 10.1.1.207 object-group network outside.id12051X6282.src.net.1 network-object host 172.17.1.253 network-object host 172.17.1.254 network-object host 192.0.2.253 network-object host 192.0.2.254 object-group network outside.id12051X6282.src.net.2 network-object host 10.0.0.253 network-object host 10.0.0.254 access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.0 any log warnings access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.1 any log warnings access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.2 any log warnings access-list outside_in extended deny ip 10.1.1.0 255.255.255.0 any log warnings access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.0 10.1.1.0 255.255.255.0 eq domain log warnings access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.1 10.1.1.0 255.255.255.0 eq domain log warnings access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.2 10.1.1.0 255.255.255.0 eq domain log warnings access-list inside_out extended permit ip 10.1.1.0 255.255.255.0 any access-list inside_out extended deny ip any any log warnings access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.0 log warnings access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.1 log warnings access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.2 log warnings access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any access-list inside_in extended deny ip any any log warnings access-list id12251X6282.0 extended permit ip 10.1.1.0 255.255.255.0 any access-group 
inside_in in interface inside access-group outside_in in interface outside pager lines 24 logging enable logging emblem logging trap debugging logging history informational logging facility 16 logging queue 10 logging device-id ipaddress inside logging host inside 192.168.240.20 logging host inside 10.1.1.40 format emblem logging class config buffered debugging mtu outside 1500 mtu dmz20 1500 mtu inside 1500 failover failover lan unit primary failover lan interface failover Ethernet2 failover lan enable failover key ***** failover link failover Ethernet2 failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254 no asdm history enable arp timeout 14400 access-group outside_in in interface outside access-group inside_in in interface inside access-group inside_out out interface inside route inside 192.168.10.0 255.255.255.0 10.1.1.254 1 route inside 10.1.2.0 255.255.255.0 10.1.1.201 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 2:00:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius username fwbtest password AAAAAAAAAAAAAAAA encrypted privilege 15 aaa authentication ssh console LOCAL snmp-server host inside 10.1.1.180 community public snmp-server host inside 10.1.1.30 community public snmp-server host inside 10.1.1.40 poll community public version 2c no snmp-server location no snmp-server contact snmp-server community public crypto ipsec transform-set spde esp-des esp-sha-hmac crypto map spdemap 21 set peer 192.0.2.254 crypto map spdemap 21 set transform-set spde crypto isakmp identity address crypto isakmp policy 21 authentication pre-share encryption des hash sha group 1 lifetime 3600 crypto isakmp policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 tunnel-group 
192.0.2.254 type ipsec-l2l tunnel-group 192.0.2.254 ipsec-attributes pre-shared-key * telnet timeout 5 ssh scopy enable ssh 10.1.1.0 255.255.255.0 inside ssh 10.1.2.0 255.255.255.0 inside ssh 192.0.2.100 255.255.255.255 outside ssh timeout 20 console timeout 0 ! class-map custom_h323_h225_inspection match port tcp range h323 1721 class-map custom_http_inspection match port tcp range www 88 class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect netbios inspect rsh inspect rtsp inspect skinny inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect ctiqbe inspect icmp inspect ils inspect mgcp inspect esmtp class custom_h323_h225_inspection inspect h323 h225 class custom_http_inspection inspect http ! service-policy global_policy global prompt hostname context Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx : end fwbuilder-5.3.7/src/unit_tests/RCS/000077500000000000000000000000001303637203600171335ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/RCS/RCSTest.cpp000066400000000000000000000074041303637203600211330ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RCSTest.h" #include "../../../../config.h" //#include "../../global.h" #include "../../libgui/RCS.h" #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; int fwbdebug = 0; QString test_file = "zu.fwb,v"; QString rlog_unit_test_log_file = "rlog_unit_test.log"; void RCSTest::verifyRevisions() { RCS::init(); RCS *rcs = new RCS(test_file); QList rcsrevs; for (QList::iterator i=rcs->begin(); i!=rcs->end(); ++i) { Revision rev = *i; QStringList log = rev.log.split("\n"); log.removeFirst(); rev.log = log.join("\n"); rcsrevs.append(rev); } QProcess rlog; rlog.start("rlog", QStringList() << test_file); rlog.waitForFinished(); QList realrevs; QRegExp revlock("revision\\s+([\\.\\d]+)(\\s+locked by: (\\w+);)?\\n"); revlock.setPatternSyntax(QRegExp::RegExp2); QRegExp dateauth("date: (\\d\\d\\d\\d/\\d\\d/\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d);\\s+author\\: (\\w+);\\s+state\\: (\\w+);(\\s+lines: \\+(\\d+) \\-(\\d+))?\\n"); QMap realrevsmap; QString line; while (!rlog.atEnd() && line != "----------------------------\n") // skip header line = rlog.readLine(); while (!rlog.atEnd()) { QStringList lines; while (!rlog.atEnd()) { line = rlog.readLine(); if (line != "----------------------------\n" && line != "=============================================================================\n") lines.append(line); else break; } QStringList comment; for (int i = 2; i< lines.size(); i++) comment.append(lines.at(i)); Revision rev; rev.log = comment.join(""); revlock.indexIn(lines[0]); rev.locked_by = revlock.capturedTexts()[3]; rev.rev = revlock.capturedTexts()[1]; dateauth.indexIn(lines[1]); rev.date = dateauth.capturedTexts()[1].replace("/", "-"); rev.author = dateauth.capturedTexts()[2]; rev.filename = test_file; realrevs.insert(0, rev); realrevsmap[rev.rev] = rev; } 
CPPUNIT_ASSERT(realrevs.size() == rcsrevs.size()); for (int i = 0; i < realrevs.size(); i++) { Revision rcsr = rcsrevs.at(i); Revision realr = realrevsmap[rcsr.rev]; /* qDebug() << realr.author << rcsr.author; qDebug() << realr.date << rcsr.date; qDebug() << realr.filename << rcsr.filename; qDebug() << realr.locked_by << rcsr.locked_by; qDebug() << realr.log << rcsr.log; qDebug() << realr.rev << rcsr.rev; qDebug() << "----------"; qDebug() << (realr == rcsr); */ CPPUNIT_ASSERT (realr == rcsr); } } fwbuilder-5.3.7/src/unit_tests/RCS/RCSTest.h000066400000000000000000000021711303637203600205740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef RCSTEST_H #define RCSTEST_H #include class RCSTest : public CppUnit::TestFixture { public: void verifyRevisions(); CPPUNIT_TEST_SUITE(RCSTest); CPPUNIT_TEST(verifyRevisions); CPPUNIT_TEST_SUITE_END(); }; #endif // RCSTEST_H fwbuilder-5.3.7/src/unit_tests/RCS/RCSTest.pro000066400000000000000000000002061303637203600211420ustar00rootroot00000000000000include(../tests_common.pri) QT += gui network HEADERS += RCSTest.h SOURCES += main_RCS.cpp \ RCSTest.cpp TARGET = RCSTest fwbuilder-5.3.7/src/unit_tests/RCS/main_RCS.cpp000066400000000000000000000024541303637203600212770ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "RCSTest.h" #include #include //int fwbdebug = 0; //QString user_name; int main( int, char** ) { CppUnit::TextUi::TestRunner runner; runner.addTest( RCSTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/RCS/rlog_unit_test.log000066400000000000000000000024571303637203600227070ustar00rootroot00000000000000--------------------------------- revision: 1.7 date: 2006-07-18 20:42:51-07 author: vadim locked by: log: revision 1.7 working in the main trunk --------------------------------- revision: 1.6 date: 2006-07-18 20:40:24-07 author: vadim locked by: vadim log: revision 1.6 locked by: vadim; added dns name object --------------------------------- revision: 1.5 date: 2006-07-18 20:39:45-07 author: vadim locked by: log: revision 1.5 branches: 1.5.1; fixed file using fwbedit --------------------------------- revision: 1.4 date: 2006-06-25 20:16:12-07 author: vadim locked by: log: revision 1.4 _ --------------------------------- revision: 1.3 date: 2005-09-05 00:49:31-07 author: vadim locked by: log: revision 1.3 test commit --------------------------------- revision: 1.2 date: 2004-09-29 00:01:31-07 author: vadim locked by: log: revision 1.2 . 
--------------------------------- revision: 1.1 date: 2004-06-13 12:54:03-07 author: vadim locked by: log: revision 1.1 Initial revision --------------------------------- revision: 1.5.1.2 date: 2006-07-18 20:41:57-07 author: vadim locked by: log: revision 1.5.1.2 working in the branch --------------------------------- revision: 1.5.1.1 date: 2006-07-18 20:41:19-07 author: vadim locked by: log: revision 1.5.1.1 added dns name object #2, creating a branch fwbuilder-5.3.7/src/unit_tests/RCS/zu.fwb000066400000000000000000000041311303637203600202700ustar00rootroot00000000000000 fwbuilder-5.3.7/src/unit_tests/RCS/zu.fwb,v000066400000000000000000000167021303637203600205410ustar00rootroot00000000000000head 1.9; access; symbols; locks; strict; comment @# @; expand @b@; 1.9 date 2011.05.06.05.06.32; author vadim; state Exp; branches; next 1.8; 1.8 date 2011.02.23.00.03.49; author vadim; state Exp; branches; next 1.7; 1.7 date 2006.07.19.03.42.51; author vadim; state Exp; branches; next 1.6; 1.6 date 2006.07.19.03.40.24; author vadim; state Exp; branches; next 1.5; 1.5 date 2006.07.19.03.39.45; author vadim; state Exp; branches 1.5.1.1; next 1.4; 1.4 date 2006.06.26.03.16.12; author vadim; state Exp; branches; next 1.3; 1.3 date 2005.09.05.07.49.31; author vadim; state Exp; branches; next 1.2; 1.2 date 2004.09.29.07.01.31; author vadim; state Exp; branches; next 1.1; 1.1 date 2004.06.13.19.54.03; author vadim; state Exp; branches; next ; 1.5.1.1 date 2006.07.19.03.41.19; author vadim; state Exp; branches; next 1.5.1.2; 1.5.1.2 date 2006.07.19.03.41.57; author vadim; state Exp; branches; next ; desc @"Initial checkin" @ 1.9 log @upgraded to the latest dtd version @ text @ @ 1.8 log @upgrade to dtd 18 @ text @d3 13 a15 16 d17 13 a29 34 @ 1.7 log @working in the main trunk @ text @d3 1 a3 1 d5 3 d9 2 a10 7 d12 3 d16 4 a20 1 d22 30 a51 8 @ 1.6 log @added dns name object @ text @d3 1 a3 1 d14 1 @ 1.5 log @fixed file using fwbedit @ text @d3 1 a3 1 d12 3 a14 1 @ 1.5.1.1 log @added 
dns name object #2, creating a branch @ text @d3 1 a3 1 d12 1 a12 3 @ 1.5.1.2 log @working in the branch @ text @d3 1 a3 1 a13 1 @ 1.4 log @_ @ text @d3 2 a4 2 d6 1 a6 1 d12 1 d15 1 a15 1 @ 1.3 log @test commit @ text @d3 1 a3 1 d6 1 d14 1 @ 1.2 log @. @ text @d3 1 a3 1 @ 1.1 log @Initial revision @ text @d3 1 a3 1 @ fwbuilder-5.3.7/src/unit_tests/RuleSetViewContextMenuTest/000077500000000000000000000000001303637203600237545ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/RuleSetViewContextMenuTest/RuleSetViewContextMenuTest.cpp000066400000000000000000000406221303637203600317340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: RuleSetViewContextMenuTest.cpp 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RuleSetViewContextMenuTest.h" #include "unistd.h" #include #include #include #include #include #include #include #include #include #include "FWBApplication.h" #include "StartTipDialog.h" #include "QMetaProperty" #include "FWObjectClipboard.h" #include "RuleSetModel.h" using namespace std; using namespace QTest; using namespace libfwbuilder; #define getRuleForPosition( x ) ((RuleSetModel*)view->model())->findRuleForPosition( x ) #define showContextMenu( x ) view->showContextMenu(view->pos() + x); void RuleSetViewContextMenuTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->move(0,0); if (app->desktop()->size().width() < 1024 || app->desktop()->size().height()<768) mw->resize(app->desktop()->size()); else mw->resize(1024, 768); mw->startupLoad(); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); firewall = Firewall::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), Firewall::TYPENAME), Firewall::TYPENAME, "testFirewall")); firewall->setStr("platform", "iptables"); openPolicy("testFirewall"); view = mw->findChild(""); om->closeObject(); } /* * Opens Policy of firewall with name fwname in RuleSetView of active project */ void RuleSetViewContextMenuTest::openPolicy(QString fwname) { Policy *p = NULL; foreach (FWObject *fw, mw->db()->getByTypeDeep(Firewall::TYPENAME)) { if (fw->getName() == fwname.toStdString()) { p = Firewall::cast(fw)->getPolicy(); } } QVERIFY (p != NULL); QCoreApplication::postEvent(mw, new openRulesetImmediatelyEvent(mw->activeProject()->getFileName(), p->getId())); QTest::qWait(100); } /* * Returns libfwbuilder::Library with name "User" */ Library* RuleSetViewContextMenuTest::findUserLibrary() { Library *lib = NULL; foreach (FWObject *obj, 
mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } /* * Returns menu-relative position of topmost pixel clicking * which will trigger action */ QPoint findActionPos(QMenu *menu, QAction *action) { int x = menu->width()/2; for (int y=0; yheight(); y++) { if (menu->actionAt(QPoint(x,y)) != NULL && menu->actionAt(QPoint(x,y))->text() == action->text()) return QPoint(x,y); } return QPoint(-1,-1); } /* * Clicks item in topmost visible modal context menu. * Should be called right before opening menu (it waits 10 ms for menu to appear). */ void RuleSetViewContextMenuTest::clickMenuItem(QString item) { clicked = false; itemToClick = item; QTimer::singleShot(100, this, SLOT(actuallyClickMenuItem())); } void RuleSetViewContextMenuTest::actuallyClickMenuItem() { QMenu *menu = dynamic_cast(app->activePopupWidget()); Q_ASSERT(menu != NULL); foreach(QAction *action, menu->actions()) { if (action->text() == itemToClick) { //qDebug() << "clicking menu item" << action << action->text(); clicked = true; QPoint pos = findActionPos(menu, action); //qDebug() << pos; //QTest::mouseMove(menu, pos); QTest::mouseClick(menu, Qt::LeftButton, Qt::NoModifier, pos); //action->trigger(); //menu->hide(); return; } } // menu item not found. Include menu items that were actually // present in the menu in the error message to implify debugging QStringList items; foreach(QAction *action, menu->actions()) { items.push_back(QString("\"%1\"").arg(action->text())); } // need to hide the menu, otherwise test just hangs menu->hide(); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QFAIL(QString("Menu item %1 not found. Menu consists of: %2") .arg(itemToClick) .arg(items.join(" ")).toAscii().constData()); #else QFAIL(QString("Menu item %1 not found. 
Menu consists of: %2") .arg(itemToClick) .arg(items.join(" ")).toLatin1().constData()); #endif } /* * Returns topmost pixel which belongs to first cell * of rule in RuleSetView */ QPoint RuleSetViewContextMenuTest::findRulePosition(Rule *rule) { int x = 30; view->scrollTo(((RuleSetModel*)view->model())->index(rule, 0)); for (int y=view->header()->height(); yheight(); y+=5) { Rule *found = ((RuleSetModel*)view->model())->getRule(view->indexAt(QPoint(x,y))); if (found == rule) return QPoint(x,y); } return QPoint(-1,-1); } /* * Returns topmost pixel which belongs to first cell * of row #rule in RuleSetView */ QPoint RuleSetViewContextMenuTest::findRulePosition(int rule) { return findRulePosition(getRuleForPosition(rule)); } /* * Fills group name request modal dialog with group name * and clicks OK. * Should be executed right before opening dialog. */ void RuleSetViewContextMenuTest::createGroup(QString name) { groupToCreate = name; // timeout should be more than clickMenuItem timeout QTimer::singleShot(200, this, SLOT(actuallyCreateGroup())); } void RuleSetViewContextMenuTest::actuallyCreateGroup() { QInputDialog *dlg = dynamic_cast(app->activeModalWidget()); Q_ASSERT(dlg != NULL); QLineEdit *name = dlg->findChild(); QTest::keyClicks(name, groupToCreate); dlg->accept(); } QPoint RuleSetViewContextMenuTest::findCell(Rule *rule, int col) { view->scrollTo(((RuleSetModel*)view->model())->index(rule, col)); for (int x=0; xwidth(); x++) { for(int y=view->height(); y>0; y--) { QModelIndex index = view->indexAt(QPoint(x,y)); Rule *found = ((RuleSetModel*)view->model())->getRule(view->indexAt(QPoint(x,y))); if (found == rule && index.column() == col) return QPoint(x,y); } } return QPoint(-1,-1); } void RuleSetViewContextMenuTest::verifyMenu(int column) { names.clear(); if (column == 0) { names << "New Group" << "Change color" << "Insert New Rule" << "Add New Rule Below" << "Remove Rule" << "Move Rule Up" << "Move Rule Down" << "Copy Rule" << "Cut Rule" << "Paste Rule Above" << 
"Paste Rule Below" << "Disable Rule" << "Compile rule"; } if (column > 0 && (column < 5 || column == 7)) { names << "Edit" << "Copy" << "Cut" << "Paste" << "Delete"<< "Where used" << "Reveal in tree" << "Negate" << "Compile rule"; } if (column == 5) { names << "Inbound" << "Outbound" << "Both" << "Compile rule"; } if (column == 6) { QMap possibleItems; QStringList order; order << "Accept" << "Deny" << "Reject" << "Accounting" << "Pipe" << "Tag" << "Classify" << "Custom" << "Branch" << "Route" << "Continue"; possibleItems["Accept"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Accept)); possibleItems["Deny"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Deny)); possibleItems["Reject"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Reject)); possibleItems["Accounting"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Accounting)); possibleItems["Pipe"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Pipe)); possibleItems["Custom"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Custom)); possibleItems["Branch"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Branch)); possibleItems["Continue"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Continue)); string currentPlatform = firewall->getStr("platform"); foreach(QString item, order) if (Resources::isTargetActionSupported(currentPlatform, item.toStdString())) { //qDebug() << item << "is valid for" << currentPlatform.c_str() << "with name" << possibleItems[item]; names.append(possibleItems[item]); } names << "Parameters" << "Compile rule"; } if (column == 8) { names << "Rule options" << "Logging On" << "Logging Off" << "Compile Rule"; } if (column == 9) { names << "Edit" << "Compile Rule"; } QStringList groupCommon; groupCommon << "Change color" << "Insert New Rule" << 
"Add New Rule Below" << "Remove Rule" << "Move Rule up" << "Move Rule down" << "Copy Rule" << "Cut Rule" << "Paste Rule Above" << "Paste Rule Below" << "Disable Rule" << "Compile rule"; if (column == -1) // column 0 for rule above group { names << "New group" << "Add to the group Test Group Name" << groupCommon; } if (column == -2) // column 0 for first rule in group { names << "Remove from the group" << groupCommon; } if (column == -3) // rule in the middle of the group { names << groupCommon; } if (column == -4) { names << "Remove from the group" << groupCommon; } if (column == -5) { names << "New group" << "Add to the group Test Group Name" << groupCommon; } QTimer::singleShot(150, this, SLOT(actuallyVerifyMenu())); } void RuleSetViewContextMenuTest::actuallyVerifyMenu() { QMenu *menu = dynamic_cast(app->activePopupWidget()); menu->hide(); int j =0; for (int i=0; iactions().size(); i++) { if (menu->actions()[i]->text().isEmpty() || !menu->actions()[i]->isVisible()) continue; if (menu->actions()[i]->text().toLower() != names[j++].toLower()) { failed = true; qDebug() << QString("Menu item not found or item order is wrong for item: %1").arg(names[j-1]); } } QVERIFY(j == names.size()); } /* * Scrolls view to bottom and returns middle pixel of view's middle line. 
* There */ QPoint RuleSetViewContextMenuTest::getViewBottomPoint() { view->scrollToBottom(); view->viewport()->mapToParent(QPoint(view->viewport()->width()/2, view->viewport()->height()-1)); return QPoint(view->viewport()->width()/2, view->viewport()->height()-1); } void RuleSetViewContextMenuTest::test_menus() { failed = false; // Adding one new rule clickMenuItem("Insert New Rule"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == 1); Rule *rule = ((RuleSetModel*)view->model())->findRuleForPosition(0); // Verify columns 1..5 and 7..10 for (int i=0; i<10; i++) { if (i==6) continue; // it depens on platform qDebug() << "Verifying context menu for column" << i; verifyMenu(i); showContextMenu(findCell(rule, i)); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QVERIFY2(!failed, QString("Failed for column %1").arg(i).toAscii().constData()); #else QVERIFY2(!failed, QString("Failed for column %1").arg(i).toLatin1().constData()); #endif } // Remove created rule clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(rule)); } void RuleSetViewContextMenuTest::test_group_menus() { failed = false; // Adding five new rules Rule *rules[5]; clickMenuItem("Insert New Rule"); showContextMenu(getViewBottomPoint()); rules[0] = getRuleForPosition(0); for (int i=0; i<4; i++) { clickMenuItem("Add New Rule at the Bottom"); showContextMenu(getViewBottomPoint()); rules[i+1] = getRuleForPosition(i+1); } // Create new group view->selectRE(rules[2], 0); createGroup("Test Group Name"); clickMenuItem("New Group"); showContextMenu(findRulePosition(rules[3])); // Add two rules to group view->selectRE(rules[1], 0); clickMenuItem("Add To the Group Test Group Name"); showContextMenu(findRulePosition(rules[1])); view->selectRE(rules[3], 0); clickMenuItem("Add To the Group Test Group Name"); showContextMenu(findRulePosition(rules[3])); view->expandAll(); // Check that columns 2..10 acts same for grouped and ungrouped items for (int j=0; j<5; j++) { // Verify 
columns 1..5 and 7..10 for (int i=1; i<10; i++) { qDebug() << "Verifying context menu for column" << i; verifyMenu(i); showContextMenu(findCell(getRuleForPosition(j), i)); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QVERIFY2(!failed, QString("Failed for column %1").arg(i).toAscii().constData()); #else QVERIFY2(!failed, QString("Failed for column %1").arg(i).toLatin1().constData()); #endif } } // Verify column 1 for all rules. They all should be different. for (int i=0; i<5; i++) { qDebug() << "Verifying rule #" <selectRE(getRuleForPosition(i),0); // QTest::qWait(1000); showContextMenu(findCell(getRuleForPosition(i), 0)); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QVERIFY2(!failed, QString("Failed for rule #%1 of 5").arg(i+1).toAscii().constData()); #else QVERIFY2(!failed, QString("Failed for rule #%1 of 5").arg(i+1).toLatin1().constData()); #endif } // remove created rules for (int i=1; i<4; i++) { clickMenuItem("Remove From the Group"); view->selectRE(rules[i],0); showContextMenu(findCell(rules[i],0)) } for (int i=0; i<5; i++) { clickMenuItem("Remove Rule"); view->selectRE(rules[i],0); showContextMenu(findCell(rules[i],0)) } } void RuleSetViewContextMenuTest::test_platforms() { failed = false; // Adding one new rule clickMenuItem("Insert New Rule"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == 1); Rule *rule = ((RuleSetModel*)view->model())->findRuleForPosition(0); // Verify column 6 for all platforms QMap platforms = getAllPlatforms(); foreach(QString platform, platforms.keys()) { qDebug() << "Verifying conext menu for column 6 and platform" << platform; firewall->setStr("platform", platform.toStdString()); verifyMenu(6); showContextMenu(findCell(rule, 6)); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QVERIFY2(!failed, QString("Failed for paltform %1").arg(platform).toAscii().constData()); #else QVERIFY2(!failed, QString("Failed for paltform %1").arg(platform).toLatin1().constData()); #endif } // Verify that column count 
changes depending of firewall platform QVERIFY(view->model()->columnCount() == 10); firewall->setStr("platform", "unknown"); openPolicy("testFirewall"); view = mw->findChild(""); QVERIFY(view->model()->columnCount() == 8); firewall->setStr("platform", "ipf"); openPolicy("testFirewall"); view = mw->findChild(""); QVERIFY(view->model()->columnCount() == 9); firewall->setStr("platform", "unknown"); openPolicy("testFirewall"); view = mw->findChild(""); // Remove created rule clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(rule)); } fwbuilder-5.3.7/src/unit_tests/RuleSetViewContextMenuTest/RuleSetViewContextMenuTest.h000066400000000000000000000043271303637203600314030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: RuleSetViewContextMenuTest.h 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INSTDIALOGTEST_H #define INSTDIALOGTEST_H #include #include #include "newClusterDialog.h" #include "upgradePredicate.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "instDialog.h" #include "FWWindow.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "RuleSetView.h" #include "events.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Policy.h" class RuleSetViewContextMenuTest : public QObject { Q_OBJECT bool failed; ObjectManipulator *om; RuleSetView *view; const char *ssh_auth_sock; void openPolicy(QString fw); libfwbuilder::Library* findUserLibrary(); QString groupToCreate; QString itemToClick; bool clicked; void clickMenuItem(QString item); QPoint findRulePosition(int rule); QPoint findRulePosition(libfwbuilder::Rule *rule); QPoint getViewBottomPoint(); QPoint findCell(libfwbuilder::Rule *rule, int col); void createGroup(QString name); void verifyMenu(int column); QStringList names; libfwbuilder::Firewall *firewall; private slots: void initTestCase(); void test_menus(); void test_group_menus(); void test_platforms(); public slots: void actuallyClickMenuItem(); void actuallyCreateGroup(); void actuallyVerifyMenu(); }; #endif // INSTDIALOGTEST_H fwbuilder-5.3.7/src/unit_tests/RuleSetViewContextMenuTest/RuleSetViewContextMenuTest.pro000066400000000000000000000003301303637203600317420ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = RuleSetViewContextMenuTest SOURCES += main_RuleSetViewContextMenuTest.cpp \ RuleSetViewContextMenuTest.cpp HEADERS += RuleSetViewContextMenuTest.h fwbuilder-5.3.7/src/unit_tests/RuleSetViewContextMenuTest/main_RuleSetViewContextMenuTest.cpp000066400000000000000000000033231303637203600327350ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy 
a2k0001@gmail.com $Id: main_instDialogTest.cpp 2707 2010-03-10 18:22:19Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RuleSetViewContextMenuTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new RuleSetViewContextMenuTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/RuleSetViewTest/000077500000000000000000000000001303637203600215625ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/RuleSetViewTest/RuleSetViewTest.cpp000066400000000000000000000531401303637203600253470ustar00rootroot00000000000000 /* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: RuleSetViewTest.cpp 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RuleSetViewTest.h" #include "unistd.h" #include #include #include #include #include #include #include #include #include #include "StartTipDialog.h" #include "QMetaProperty" #include "FWObjectClipboard.h" #include "RuleSetModel.h" #include "FWBApplication.h" using namespace std; using namespace QTest; using namespace libfwbuilder; #define getRuleForPosition( x ) ((RuleSetModel*)view->model())->findRuleForPosition( x ) void RuleSetViewTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->resize(QSize(800,600)); mw->startupLoad(); StartTipDialog *d = mw->findChild(); if (d) if (d!=NULL) d->close(); om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); Firewall::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), Firewall::TYPENAME), Firewall::TYPENAME, "testFirewall")); openPolicy("testFirewall"); view = mw->findChild(""); om->closeObject(); } /* * Opens context menu at point relative to RuleSetView widget */ void RuleSetViewTest::showContextMenu(QPoint point) { view->showContextMenu(view->pos() + point); } void RuleSetViewTest::showContextMenu(int x, int y) { view->showContextMenu(view->pos() + QPoint(x,y)); } /* * Opens Policy of firewall with name fwname in RuleSetView of active project */ void RuleSetViewTest::openPolicy(QString fwname) { Policy *p = NULL; foreach (FWObject *fw, 
mw->db()->getByTypeDeep(Firewall::TYPENAME)) { if (fw->getName() == fwname.toStdString()) { p = Firewall::cast(fw)->getPolicy(); } } QVERIFY (p != NULL); QCoreApplication::postEvent(mw, new openRulesetImmediatelyEvent(mw->activeProject()->getFileName(), p->getId())); QTest::qWait(100); } /* * Returns libfwbuilder::Library with name "User" */ Library* RuleSetViewTest::findUserLibrary() { Library *lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } /* * Returns menu-relative position of topmost pixel clicking * which will trigger action */ QPoint findActionPos(QMenu *menu, QAction *action) { int x = menu->width()/2; for (int y=0; yheight(); y++) { if (menu->actionAt(QPoint(x,y)) != NULL && menu->actionAt(QPoint(x,y))->text() == action->text()) return QPoint(x,y); } return QPoint(-1,-1); } /* * Clicks item in topmost visible modal context menu. * Should be called right before opening menu (it waits 10 ms for menu to appear). */ void RuleSetViewTest::clickMenuItem(QString item) { clicked = false; itemToClick = item; QTimer::singleShot(100, this, SLOT(actuallyClickMenuItem())); } void RuleSetViewTest::actuallyClickMenuItem() { QMenu *menu = dynamic_cast(app->activePopupWidget()); Q_ASSERT(menu != NULL); foreach(QAction *action, menu->actions()) { if (action->text() == itemToClick) { //qDebug() << "clicking menu item" << action << action->text(); clicked = true; QPoint pos = findActionPos(menu, action); //qDebug() << pos; //QTest::mouseMove(menu, pos); QTest::mouseClick(menu, Qt::LeftButton, Qt::NoModifier, pos); //action->trigger(); //menu->hide(); return; } } // menu item not found. 
Include menu items that were actually // present in the menu in the error message to implify debugging QStringList items; foreach(QAction *action, menu->actions()) { items.push_back(QString("\"%1\"").arg(action->text())); } // need to hide the menu, otherwise test just hangs menu->hide(); #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QFAIL(QString("Menu item %1 not found. Menu consists of: %2") .arg(itemToClick) .arg(items.join(" ")).toAscii().constData()); #else QFAIL(QString("Menu item %1 not found. Menu consists of: %2") .arg(itemToClick) .arg(items.join(" ")).toLatin1().constData()); #endif } /* * Returns topmost pixel which belongs to first cell * of rule in RuleSetView */ QPoint RuleSetViewTest::findRulePosition(Rule *rule) { // Scroll view to make rule visible view->scrollTo(((RuleSetModel*)view->model())->indexForPosition(rule->getPosition()), QAbstractItemView::EnsureVisible); // Find top left pixel of rule's first cell for (int x=0; xwidth(); x++) { for(int y=0; yheight(); y++) { QModelIndex index = view->indexAt(QPoint(x,y)); Rule *found = ((RuleSetModel*)view->model())->getRule(view->indexAt(QPoint(x,y))); if (found == rule && index.column() == 0) return QPoint(x,y); } } return QPoint(-1,-1); } /* * Scrolls view to bottom and returns middle pixel of view's middle line. * There */ QPoint RuleSetViewTest::getViewBottomPoint() { view->scrollToBottom(); view->viewport()->mapToParent(QPoint(view->viewport()->width()/2, view->viewport()->height()-2)); return QPoint(view->viewport()->width()/2, view->viewport()->height()-2); } /* * Returns topmost pixel which belongs to first cell * of row #rule in RuleSetView */ QPoint RuleSetViewTest::findRulePosition(int rule) { return findRulePosition(getRuleForPosition(rule)); } /* * Fills group name request modal dialog with group name * and clicks OK. * Should be executed right before opening dialog. 
*/ void RuleSetViewTest::createGroup(QString name) { groupToCreate = name; // timeout should be more than clickMenuItem timeout QTimer::singleShot(150, this, SLOT(actuallyCreateGroup())); } void RuleSetViewTest::actuallyCreateGroup() { QInputDialog *dlg = dynamic_cast(app->activeModalWidget()); Q_ASSERT(dlg != NULL); QLineEdit *name = dlg->findChild(); QTest::keyClicks(name, groupToCreate); dlg->accept(); } void RuleSetViewTest::test_add_remove() { QVERIFY(view->model()->rowCount(QModelIndex()) == 0); // Adding one new rule clickMenuItem("Insert New Rule"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == 1); Rule *rule1 = ((RuleSetModel*)view->model())->findRuleForPosition(0); // Adding rule at the bottom clickMenuItem("Add New Rule at the Bottom"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == 2); Rule *rule2 = getRuleForPosition(1); QVERIFY(rule1!=rule2); QVERIFY(getRuleForPosition(0) == rule1); // Adding rule on top clickMenuItem("Add New Rule on Top"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == 3); Rule *rule3 = getRuleForPosition(0); QVERIFY(rule1!=rule2 && rule1!=rule3 && rule2!=rule3); QVERIFY(getRuleForPosition(1) == rule1); QVERIFY(getRuleForPosition(2) == rule2); // Remove last rule view->selectRE(rule1, 0); clickMenuItem("Insert New Rule"); showContextMenu(findRulePosition(rule1)); QVERIFY(view->model()->rowCount(QModelIndex()) == 4); QVERIFY(getRuleForPosition(0) == rule3); QVERIFY(getRuleForPosition(2) == rule1); QVERIFY(getRuleForPosition(3) == rule2); Rule *rule4 = getRuleForPosition(1); // Remove last rule view->selectRE(rule2, 0); clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(rule2)); QVERIFY(view->model()->rowCount(QModelIndex()) == 3); QVERIFY(getRuleForPosition(0) == rule3); QVERIFY(getRuleForPosition(1) == rule4); QVERIFY(getRuleForPosition(2) == rule1); // Remove first rule view->selectRE(rule3, 0); 
clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(rule3)); QVERIFY(view->model()->rowCount(QModelIndex()) == 2); QVERIFY(getRuleForPosition(0) == rule4); QVERIFY(getRuleForPosition(1) == rule1); // Remove all created rules view->selectRE(rule4, 0); clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(rule4)); view->selectRE(rule1, 0); clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(rule1)); QVERIFY(view->model()->rowCount(QModelIndex()) == 0); } void RuleSetViewTest::test_group() { // Adding one new rule clickMenuItem("Insert New Rule"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == 1); Rule *rule1 = ((RuleSetModel*)view->model())->findRuleForPosition(0); // Adding seven new rules at the bottom Rule *rules[7]; for (int i=0; i<7;i++) { clickMenuItem("Add New Rule at the Bottom"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == i+2); rules[i] = getRuleForPosition(i+1); } // Create new group view->selectRE(rules[2], 0); createGroup("Test Group Name"); clickMenuItem("New Group"); showContextMenu(findRulePosition(rules[2])); QList groups; ((RuleSetModel*)view->model())->getGroups(groups); QVERIFY(groups.size() == 1); QVERIFY(rules[2]->getRuleGroupName() == "Test Group Name"); // Add two more rules to the group view->selectRE(rules[3], 0); clickMenuItem("Add To the Group Test Group Name"); showContextMenu(findRulePosition(rules[3])); view->clearSelection(); view->selectRE(rules[1], 0); clickMenuItem("Add To the Group Test Group Name"); showContextMenu(findRulePosition(rules[1])); QList groups2; ((RuleSetModel*)view->model())->getGroups(groups2); QVERIFY(groups.size() == 1); QVERIFY(rules[1]->getRuleGroupName() == "Test Group Name"); QVERIFY(rules[2]->getRuleGroupName() == "Test Group Name"); QVERIFY(rules[3]->getRuleGroupName() == "Test Group Name"); QVERIFY(groups2.first().internalId() == groups.first().internalId()); // Expanding created group 
view->expandAll(); // Creating new rule in group using "Add Rule Below" view->selectRE(rules[2], 0); clickMenuItem("Add New Rule Below"); showContextMenu(findRulePosition(rules[2])); Rule *newrule1 = ((RuleSetModel*)view->model())->findRuleForPosition(4); for (int i=0; i<5; i++) QVERIFY(newrule1 != rules[i]); QVERIFY(newrule1 != rule1); QVERIFY(newrule1->getRuleGroupName() == "Test Group Name"); // Creating new rule in group using "Insert Rule" view->selectRE(rules[2], 0); clickMenuItem("Insert New Rule"); showContextMenu(findRulePosition(rules[2])); Rule *newrule2 = ((RuleSetModel*)view->model())->findRuleForPosition(3); for (int i=0; i<5; i++) QVERIFY(newrule2 != rules[i]); QVERIFY(newrule2 != rule1); QVERIFY(newrule2 != newrule1); QVERIFY(newrule2->getRuleGroupName() == "Test Group Name"); // Select and add to group two rules under it view->clearSelection(); view->selectionModel()->select(((RuleSetModel*)view->model())->indexForPosition(rules[4]->getPosition()), QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent); view->selectionModel()->select(((RuleSetModel*)view->model())->indexForPosition(rules[5]->getPosition()), QItemSelectionModel::Select); clickMenuItem("Add To the Group Test Group Name"); showContextMenu(findRulePosition(rules[4])); QList groups3; ((RuleSetModel*)view->model())->getGroups(groups3); QVERIFY(groups3.size() == 1); QVERIFY(rules[4]->getRuleGroupName() == "Test Group Name"); QVERIFY(rules[5]->getRuleGroupName() == "Test Group Name"); QVERIFY(groups3.first().internalId() == groups.first().internalId()); // Remoe first rule from group QVERIFY(view->model()->rowCount(groups3.first()) == 7); view->selectRE(rules[1], 0); clickMenuItem("Remove From the Group"); showContextMenu(findRulePosition(rules[1])); QVERIFY(rules[1]->getRuleGroupName() == ""); QVERIFY(view->model()->rowCount(groups3.first()) == 6); // Remoe last rule from group view->selectRE(rules[5], 0); clickMenuItem("Remove From the Group"); 
showContextMenu(findRulePosition(rules[5])); QVERIFY(rules[5]->getRuleGroupName() == ""); QVERIFY(view->model()->rowCount(groups3.first()) == 5); // Remove rule inside group view->selectRE(rules[3], 0); clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(rules[3])); QVERIFY(view->model()->rowCount(groups3.first()) == 4); // Remove all created rules for (int i=0; i<7; i++) { if (i==3) continue; view->selectRE(rules[i], 0); clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(rules[i])); } view->selectRE(newrule1, 0); clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(newrule1)); view->selectRE(newrule2, 0); clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(newrule2)); view->selectRE(rule1, 0); clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(rule1)); QVERIFY(view->model()->rowCount() == 0); } void RuleSetViewTest::test_move() { // Adding one new rule clickMenuItem("Insert New Rule"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == 1); Rule *rules[4]; rules[0] = ((RuleSetModel*)view->model())->findRuleForPosition(0);; // Adding three new rules at the bottom for (int i=1; i<4;i++) { clickMenuItem("Add New Rule at the Bottom"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == i+1); rules[i] = getRuleForPosition(i); } // Verifying that all rules' positions match their indexes for (int i=0; i<4; i++) QVERIFY(rules[i]->getPosition() == i); // Moving second rule up view->selectRE(rules[1], 0); clickMenuItem("Move Rule Up"); showContextMenu(findRulePosition(rules[1])); QVERIFY(rules[1]->getPosition() == 0); QVERIFY(rules[0]->getPosition() == 1); // Moving first rule down view->selectRE(rules[1], 0); clickMenuItem("Move Rule Down"); showContextMenu(findRulePosition(rules[1])); QVERIFY(rules[1]->getPosition() == 1); QVERIFY(rules[0]->getPosition() == 0); // Moving first rule up (rule order should not change) view->selectRE(rules[0], 0); 
clickMenuItem("Move Rule Up"); showContextMenu(findRulePosition(rules[0])); for (int i=0; i<4; i++) QVERIFY(rules[i]->getPosition() == i); // Moving last rule down (rule order should not change) view->selectRE(rules[3], 0); clickMenuItem("Move Rule Down"); showContextMenu(findRulePosition(rules[3])); for (int i=0; i<4; i++) QVERIFY(rules[i]->getPosition() == i); // Selecting two rules and moving them up view->selectRE(rules[1], 0); view->selectionModel()->select(((RuleSetModel*)view->model())->indexForPosition(2), QItemSelectionModel::Select); clickMenuItem("Move Rules Up"); showContextMenu(findRulePosition(rules[1])); QVERIFY(rules[1]->getPosition() == 0); QVERIFY(rules[2]->getPosition() == 1); QVERIFY(rules[0]->getPosition() == 2); QVERIFY(rules[3]->getPosition() == 3); // Selecting two rules and moving them down view->selectRE(rules[2], 0); view->selectionModel()->select(((RuleSetModel*)view->model())->indexForPosition(2), QItemSelectionModel::Select); clickMenuItem("Move Rules Down"); showContextMenu(findRulePosition(rules[2])); QVERIFY(rules[1]->getPosition() == 0); QVERIFY(rules[3]->getPosition() == 1); QVERIFY(rules[2]->getPosition() == 2); QVERIFY(rules[0]->getPosition() == 3); // Adding two more rules Rule *newrules[6] = { rules[1], rules[3], rules[2], rules[0], NULL, NULL }; for (int i=4; i<6;i++) { clickMenuItem("Add New Rule at the Bottom"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == i+1); newrules[i] = getRuleForPosition(i); } // Creating a group to test moving rules inside of it view->selectRE(newrules[1], 0); for (int i=2; i<5; i++) view->selectionModel()->select(((RuleSetModel*)view->model())->indexForPosition(i), QItemSelectionModel::Select); createGroup("Test Group Name"); clickMenuItem("New Group"); showContextMenu(findRulePosition(newrules[1])); for (int i=1; i<5; i++) QVERIFY(newrules[i]->getRuleGroupName() == "Test Group Name"); // Expanding created group view->expandAll(); // Moving second rule of 
group up view->selectRE(newrules[2], 0); clickMenuItem("Move Rule Up"); showContextMenu(findRulePosition(newrules[2])); QVERIFY(newrules[2]->getPosition() == 1); QVERIFY(newrules[1]->getPosition() == 2); // Moving first rule of group up. It should leave the group. view->selectRE(newrules[2], 0); clickMenuItem("Move Rule Up"); showContextMenu(findRulePosition(newrules[2])); QVERIFY(newrules[2]->getPosition() == 1); QVERIFY(newrules[0]->getPosition() == 0); QVERIFY(newrules[1]->getPosition() == 2); QVERIFY(newrules[2]->getRuleGroupName() == ""); // Moving first rule above group down. It should be added to group. view->selectRE(newrules[2], 0); clickMenuItem("Move Rule Down"); showContextMenu(findRulePosition(newrules[2])); QVERIFY(newrules[2]->getPosition() == 1); QVERIFY(newrules[0]->getPosition() == 0); QVERIFY(newrules[1]->getPosition() == 2); QVERIFY(newrules[2]->getRuleGroupName() == "Test Group Name"); // Moving last rule of group down. It should leave the group. view->selectRE(newrules[4], 0); clickMenuItem("Move Rule Down"); showContextMenu(findRulePosition(newrules[4])); QVERIFY(newrules[4]->getPosition() == 4); QVERIFY(newrules[5]->getPosition() == 5); QVERIFY(newrules[3]->getPosition() == 3); QVERIFY(newrules[4]->getRuleGroupName() == ""); // Moving first rule below group up. It should be added to group. 
view->selectRE(newrules[4], 0); clickMenuItem("Move Rule Up"); showContextMenu(findRulePosition(newrules[4])); QVERIFY(newrules[4]->getPosition() == 4); QVERIFY(newrules[5]->getPosition() == 5); QVERIFY(newrules[3]->getPosition() == 3); QVERIFY(newrules[4]->getRuleGroupName() == "Test Group Name"); // Removing all created rules for (int i=0; i<6; i++) { view->selectRE(newrules[i], 0); clickMenuItem("Remove Rule"); showContextMenu(findRulePosition(newrules[i])); } QVERIFY(view->model()->rowCount() == 0); } void RuleSetViewTest::test_copy_paste() { // Adding one new rule clickMenuItem("Insert New Rule"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == 1); Rule *rules[4]; rules[0] = ((RuleSetModel*)view->model())->findRuleForPosition(0); // Adding three new rules at the bottom for (int i=1; i<4;i++) { clickMenuItem("Add New Rule at the Bottom"); showContextMenu(getViewBottomPoint()); QVERIFY(view->model()->rowCount(QModelIndex()) == i+1); rules[i] = getRuleForPosition(i); } // Cutting second rule view->selectRE(rules[1], 0); clickMenuItem("Cut Rule"); showContextMenu(findRulePosition(rules[1])); QVERIFY(view->model()->rowCount() == 3); // Pasting cutted rule above first view->selectRE(rules[0], 0); clickMenuItem("Paste Rule Above"); showContextMenu(findRulePosition(rules[0])); QVERIFY(view->model()->rowCount() == 4); rules[1] = getRuleForPosition(0); // Copying second rule view->selectRE(rules[1], 0); clickMenuItem("Copy Rule"); showContextMenu(findRulePosition(rules[1])); QVERIFY(view->model()->rowCount() == 4); // Pasting rule after first rule view->selectRE(rules[1], 0); clickMenuItem("Paste Rule Below"); showContextMenu(findRulePosition(rules[1])); QVERIFY(view->model()->rowCount() == 5); // Copy two rules view->selectRE(getRuleForPosition(1), 0); view->selectionModel()->select(((RuleSetModel*)view->model())->indexForPosition(2), QItemSelectionModel::Select); clickMenuItem("Copy Rules"); 
showContextMenu(findRulePosition(getRuleForPosition(1))); QVERIFY(view->model()->rowCount() == 5); // Paste rules at the bottom view->selectRE(getRuleForPosition(4), 0); clickMenuItem("Paste Rule Below"); showContextMenu(findRulePosition(getRuleForPosition(4))); QVERIFY(view->model()->rowCount() == 7); } fwbuilder-5.3.7/src/unit_tests/RuleSetViewTest/RuleSetViewTest.h000066400000000000000000000041331303637203600250120ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: RuleSetViewTest.h 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INSTDIALOGTEST_H #define INSTDIALOGTEST_H #include #include #include "newClusterDialog.h" #include "upgradePredicate.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "instDialog.h" #include "FWWindow.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "RuleSetView.h" #include "events.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Policy.h" class RuleSetViewTest : public QObject { Q_OBJECT ObjectManipulator *om; RuleSetView *view; const char *ssh_auth_sock; void openPolicy(QString fw); libfwbuilder::Library* findUserLibrary(); QString groupToCreate; QString itemToClick; bool clicked; void clickMenuItem(QString item); QPoint findRulePosition(int rule); QPoint findRulePosition(libfwbuilder::Rule *rule); QPoint getViewBottomPoint(); void showContextMenu(QPoint point); void showContextMenu(int,int); void createGroup(QString name); private slots: void initTestCase(); void test_add_remove(); void test_group(); void test_move(); void test_copy_paste(); public slots: void actuallyClickMenuItem(); void actuallyCreateGroup(); }; #endif // INSTDIALOGTEST_H fwbuilder-5.3.7/src/unit_tests/RuleSetViewTest/RuleSetViewTest.pro000066400000000000000000000002541303637203600253630ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = RuleSetViewTest SOURCES += main_RuleSetViewTest.cpp \ RuleSetViewTest.cpp HEADERS += RuleSetViewTest.h fwbuilder-5.3.7/src/unit_tests/RuleSetViewTest/main_RuleSetViewTest.cpp000066400000000000000000000032751303637203600263570ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_instDialogTest.cpp 2707 2010-03-10 18:22:19Z a2k $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "RuleSetViewTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new RuleSetViewTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/TCPServiceDialogTest/000077500000000000000000000000001303637203600224335ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/TCPServiceDialogTest/TCPServiceDialogTest.cpp000066400000000000000000000220011303637203600270610ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: TCPServiceDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "TCPServiceDialogTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWObjectClipboard.h" #include "TextEditWidget.h" #include "fwbuilder/Address.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObjectDatabase.h" #include "TCPServiceDialogTest.h" #include "StartTipDialog.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "IPServiceDialog.h" #include "fwbuilder/IPService.h" #include "fwbuilder/TCPService.h" #include "TCPServiceDialog.h" using namespace std; using namespace libfwbuilder; void TCPServiceDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->startupLoad(); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); QTest::qWait(1000); } Library* TCPServiceDialogTest::findUserLibrary() { Library *lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } void 
TCPServiceDialogTest::testDialog() { TCPService *service = TCPService::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), TCPService::TYPENAME), TCPService::TYPENAME, "testTCPService")); om->editObject(service); TCPServiceDialog *dialog = mw->findChild("w_TCPServiceDialog"); QLineEdit *obj_name = dialog->findChild("obj_name"); QCheckBox *fin_s = dialog->findChild("fin_s"); QCheckBox *rst_s = dialog->findChild("rst_s"); QCheckBox *urg_s = dialog->findChild("urg_s"); QCheckBox *syn_s = dialog->findChild("syn_s"); QCheckBox *psh_s = dialog->findChild("psh_s"); QCheckBox *ack_s = dialog->findChild("ack_s"); QCheckBox *psh_m = dialog->findChild("psh_m"); QCheckBox *syn_m = dialog->findChild("syn_m"); QCheckBox *urg_m = dialog->findChild("urg_m"); QCheckBox *fin_m = dialog->findChild("fin_m"); QCheckBox *rst_m = dialog->findChild("rst_m"); QCheckBox *ack_m = dialog->findChild("ack_m"); QCheckBox *established = dialog->findChild("established"); QSpinBox *ss = dialog->findChild("ss"); QSpinBox *se = dialog->findChild("se"); QSpinBox *ds = dialog->findChild("ds"); QSpinBox *de = dialog->findChild("de"); TextEditWidget *comment = dialog->findChild("comment"); obj_name->clear(); QTest::keyClicks(obj_name, "TestTCPService"); QTest::keyClick(obj_name, Qt::Key_Enter); QVERIFY(service->getName() == "TestTCPService"); comment->clear(); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "Test comment"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClick(comment, Qt::Key_Tab); QTest::qWait(100); QVERIFY (service->getComment() == "Test comment"); // checking all small checkboxes QTest::mouseClick(urg_m, Qt::LeftButton); QVERIFY(service->getBool("urg_flag_mask")); QTest::mouseClick(urg_m, Qt::LeftButton); QVERIFY(!service->getBool("urg_flag_mask")); QTest::mouseClick(ack_m, Qt::LeftButton); QVERIFY(service->getBool("ack_flag_mask")); QTest::mouseClick(ack_m, Qt::LeftButton); QVERIFY(!service->getBool("ack_flag_mask")); 
QTest::mouseClick(psh_m, Qt::LeftButton); QVERIFY(service->getBool("psh_flag_mask")); QTest::mouseClick(psh_m, Qt::LeftButton); QVERIFY(!service->getBool("psh_flag_mask")); QTest::mouseClick(rst_m, Qt::LeftButton); QVERIFY(service->getBool("rst_flag_mask")); QTest::mouseClick(rst_m, Qt::LeftButton); QVERIFY(!service->getBool("rst_flag_mask")); QTest::mouseClick(syn_m, Qt::LeftButton); QVERIFY(service->getBool("syn_flag_mask")); QTest::mouseClick(syn_m, Qt::LeftButton); QVERIFY(!service->getBool("syn_flag_mask")); QTest::mouseClick(fin_m, Qt::LeftButton); QVERIFY(service->getBool("fin_flag_mask")); QTest::mouseClick(fin_m, Qt::LeftButton); QVERIFY(!service->getBool("fin_flag_mask")); QTest::mouseClick(urg_s, Qt::LeftButton); QVERIFY(service->getBool("urg_flag")); QTest::mouseClick(urg_s, Qt::LeftButton); QVERIFY(!service->getBool("urg_flag")); QTest::mouseClick(ack_s, Qt::LeftButton); QVERIFY(service->getBool("ack_flag")); QTest::mouseClick(ack_s, Qt::LeftButton); QVERIFY(!service->getBool("ack_flag")); QTest::mouseClick(psh_s, Qt::LeftButton); QVERIFY(service->getBool("psh_flag")); QTest::mouseClick(psh_s, Qt::LeftButton); QVERIFY(!service->getBool("psh_flag")); QTest::mouseClick(rst_s, Qt::LeftButton); QVERIFY(service->getBool("rst_flag")); QTest::mouseClick(rst_s, Qt::LeftButton); QVERIFY(!service->getBool("rst_flag")); QTest::mouseClick(syn_s, Qt::LeftButton); QVERIFY(service->getBool("syn_flag")); QTest::mouseClick(syn_s, Qt::LeftButton); QVERIFY(!service->getBool("syn_flag")); QTest::mouseClick(fin_s, Qt::LeftButton); QVERIFY(service->getBool("fin_flag")); QTest::mouseClick(fin_s, Qt::LeftButton); QVERIFY(!service->getBool("fin_flag")); QTest::mouseClick(established, Qt::LeftButton, Qt::NoModifier, QPoint(10,10)); QVERIFY(service->getBool("established")); QTest::mouseClick(established, Qt::LeftButton, Qt::NoModifier, QPoint(10,10)); QVERIFY(!service->getBool("established")); // check that it is not possible to set value more than 65535 se->setValue(65530); for 
(int i=0; i<100; i++) QTest::keyClick(se, Qt::Key_Up); QTest::keyClick(se, Qt::Key_Enter); QVERIFY(service->getSrcRangeEnd() == 65535); ss->setValue(65530); for (int i=0; i<65560; i++) QTest::keyClick(ss, Qt::Key_Up); QTest::keyClick(ss, Qt::Key_Enter); QVERIFY(service->getSrcRangeStart() == 65535); de->setValue(65530); for (int i=0; i<100; i++) QTest::keyClick(de, Qt::Key_Up); QTest::keyClick(de, Qt::Key_Enter); QVERIFY(service->getDstRangeEnd() == 65535); ds->setValue(65530); for (int i=0; i<100; i++) QTest::keyClick(ds, Qt::Key_Up); QTest::keyClick(ds, Qt::Key_Enter); QVERIFY(service->getDstRangeStart() == 65535); // check that range end change when range start is more se->clear(); for (int i=0; i<11; i++) QTest::keyClick(se, Qt::Key_Up); QTest::keyClick(se, Qt::Key_Enter); ss->clear(); for (int i=0; i<21; i++) QTest::keyClick(ss, Qt::Key_Up); QTest::keyClick(ss, Qt::Key_Enter); QVERIFY(ss->value() == se->value()); de->clear(); for (int i=0; i<11; i++) QTest::keyClick(de, Qt::Key_Up); QTest::keyClick(de, Qt::Key_Enter); ds->clear(); for (int i=0; i<21; i++) QTest::keyClick(ds, Qt::Key_Up); QTest::keyClick(ds, Qt::Key_Enter); QVERIFY(ds->value() == de->value()); // check that range end does not change if range start is less ss->setValue(0); se->setValue(0); for (int i=0; i<20; i++) QTest::keyClick(se, Qt::Key_Up); QTest::keyClick(se, Qt::Key_Enter); for (int i=0; i<10; i++) QTest::keyClick(ss, Qt::Key_Up); QTest::keyClick(ss, Qt::Key_Enter); QVERIFY(se->value() == 20); ds->setValue(0); de->setValue(0); for (int i=0; i<20; i++) QTest::keyClick(de, Qt::Key_Up); QTest::keyClick(de, Qt::Key_Enter); for (int i=0; i<10; i++) QTest::keyClick(ds, Qt::Key_Up); QTest::keyClick(ds, Qt::Key_Enter); QVERIFY(de->value() == 20); } fwbuilder-5.3.7/src/unit_tests/TCPServiceDialogTest/TCPServiceDialogTest.h000066400000000000000000000024101303637203600265300ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy 
a2k0001@gmail.com $Id: TCPServiceDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef TCPServiceDialogTest_H #define TCPServiceDialogTest_H #include #include "ObjectManipulator.h" #include "fwbuilder/Library.h" class TCPServiceDialogTest : public QObject { Q_OBJECT libfwbuilder::Library* findUserLibrary(); ObjectManipulator *om; private slots: void initTestCase(); void testDialog(); }; #endif // TCPServiceDialogTest_H fwbuilder-5.3.7/src/unit_tests/TCPServiceDialogTest/TCPServiceDialogTest.pro000066400000000000000000000003001303637203600270750ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = TCPServiceDialogTest SOURCES += main_TCPServiceDialogTest.cpp \ TCPServiceDialogTest.cpp HEADERS += TCPServiceDialogTest.h fwbuilder-5.3.7/src/unit_tests/TCPServiceDialogTest/main_TCPServiceDialogTest.cpp000066400000000000000000000033041303637203600300720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "TCPServiceDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new TCPServiceDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/TagServiceDialogTest/000077500000000000000000000000001303637203600225205ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/TagServiceDialogTest/TagServiceDialogTest.cpp000066400000000000000000000072341303637203600272460ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: TagServiceDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "TagServiceDialogTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWObjectClipboard.h" #include "TextEditWidget.h" #include "fwbuilder/Address.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObjectDatabase.h" #include "TagServiceDialogTest.h" #include "StartTipDialog.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "IPServiceDialog.h" #include "fwbuilder/IPService.h" #include "fwbuilder/TagService.h" #include "TagServiceDialog.h" using namespace std; using namespace libfwbuilder; void TagServiceDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->startupLoad(); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); QTest::qWait(1000); } Library* TagServiceDialogTest::findUserLibrary() { Library *lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } void 
TagServiceDialogTest::testDialog() { TagService *service = TagService::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), TagService::TYPENAME), TagService::TYPENAME, "testTagService")); om->editObject(service); TagServiceDialog *dialog = mw->findChild("w_TagServiceDialog"); QLineEdit *obj_name = dialog->findChild("obj_name"); QLineEdit *tagcode = dialog->findChild("tagcode"); TextEditWidget *comment = dialog->findChild("comment"); obj_name->clear(); QTest::keyClicks(obj_name, "TestTagService"); QTest::keyClick(obj_name, Qt::Key_Enter); QVERIFY(service->getName() == "TestTagService"); tagcode->clear(); QTest::keyClicks(tagcode, "45"); QTest::keyClick(tagcode, Qt::Key_Enter); QVERIFY(service->getCode() == "45"); comment->clear(); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "Test comment"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClick(comment, Qt::Key_Tab); QTest::qWait(100); QVERIFY (service->getComment() == "Test comment"); } fwbuilder-5.3.7/src/unit_tests/TagServiceDialogTest/TagServiceDialogTest.h000066400000000000000000000024101303637203600267020ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: TagServiceDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef TagServiceDialogTest_H #define TagServiceDialogTest_H #include #include "ObjectManipulator.h" #include "fwbuilder/Library.h" class TagServiceDialogTest : public QObject { Q_OBJECT libfwbuilder::Library* findUserLibrary(); ObjectManipulator *om; private slots: void initTestCase(); void testDialog(); }; #endif // TagServiceDialogTest_H fwbuilder-5.3.7/src/unit_tests/TagServiceDialogTest/TagServiceDialogTest.pro000066400000000000000000000003001303637203600272470ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = TagServiceDialogTest SOURCES += main_TagServiceDialogTest.cpp \ TagServiceDialogTest.cpp HEADERS += TagServiceDialogTest.h fwbuilder-5.3.7/src/unit_tests/TagServiceDialogTest/main_TagServiceDialogTest.cpp000066400000000000000000000033051303637203600302450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "TagServiceDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new TagServiceDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/UDPServiceDialogTest/000077500000000000000000000000001303637203600224355ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/UDPServiceDialogTest/UDPServiceDialogTest.cpp000066400000000000000000000135031303637203600270740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: UDPServiceDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "UDPServiceDialogTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWObjectClipboard.h" #include "TextEditWidget.h" #include "fwbuilder/Address.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObjectDatabase.h" #include "UDPServiceDialogTest.h" #include "StartTipDialog.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "IPServiceDialog.h" #include "fwbuilder/IPService.h" #include "fwbuilder/UDPService.h" #include "UDPServiceDialog.h" using namespace std; using namespace libfwbuilder; void UDPServiceDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->startupLoad(); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); QTest::qWait(1000); } Library* UDPServiceDialogTest::findUserLibrary() { Library *lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } void UDPServiceDialogTest::testDialog() { UDPService *service = UDPService::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), UDPService::TYPENAME), UDPService::TYPENAME, "testUDPService")); om->editObject(service); UDPServiceDialog *dialog = mw->findChild("w_UDPServiceDialog"); QLineEdit *obj_name = dialog->findChild("obj_name"); QSpinBox *ss = dialog->findChild("ss"); QSpinBox *se = dialog->findChild("se"); QSpinBox *ds = 
dialog->findChild("ds"); QSpinBox *de = dialog->findChild("de"); TextEditWidget *comment = dialog->findChild("comment"); obj_name->clear(); QTest::keyClicks(obj_name, "TestUDPService"); QTest::keyClick(obj_name, Qt::Key_Enter); QVERIFY(service->getName() == "TestUDPService"); comment->clear(); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClicks(comment, "Test comment"); QTest::mouseClick(comment, Qt::LeftButton); QTest::keyClick(comment, Qt::Key_Tab); QTest::qWait(100); QVERIFY (service->getComment() == "Test comment"); // check that it is not possible to set value more than 65535 se->setValue(65530); for (int i=0; i<100; i++) QTest::keyClick(se, Qt::Key_Up); QTest::keyClick(se, Qt::Key_Enter); QVERIFY(service->getSrcRangeEnd() == 65535); ss->setValue(65530); for (int i=0; i<65560; i++) QTest::keyClick(ss, Qt::Key_Up); QTest::keyClick(ss, Qt::Key_Enter); QVERIFY(service->getSrcRangeStart() == 65535); de->setValue(65530); for (int i=0; i<100; i++) QTest::keyClick(de, Qt::Key_Up); QTest::keyClick(de, Qt::Key_Enter); QVERIFY(service->getDstRangeEnd() == 65535); ds->setValue(65530); for (int i=0; i<100; i++) QTest::keyClick(ds, Qt::Key_Up); QTest::keyClick(ds, Qt::Key_Enter); QVERIFY(service->getDstRangeStart() == 65535); // check that range end change when range start is more se->clear(); for (int i=0; i<11; i++) QTest::keyClick(se, Qt::Key_Up); QTest::keyClick(se, Qt::Key_Enter); ss->clear(); for (int i=0; i<21; i++) QTest::keyClick(ss, Qt::Key_Up); QTest::keyClick(ss, Qt::Key_Enter); QVERIFY(ss->value() == se->value()); de->clear(); for (int i=0; i<11; i++) QTest::keyClick(de, Qt::Key_Up); QTest::keyClick(de, Qt::Key_Enter); ds->clear(); for (int i=0; i<21; i++) QTest::keyClick(ds, Qt::Key_Up); QTest::keyClick(ds, Qt::Key_Enter); QVERIFY(ds->value() == de->value()); // check that range end does not change if range start is less ss->setValue(0); se->setValue(0); for (int i=0; i<20; i++) QTest::keyClick(se, Qt::Key_Up); QTest::keyClick(se, Qt::Key_Enter); for 
(int i=0; i<10; i++) QTest::keyClick(ss, Qt::Key_Up); QTest::keyClick(ss, Qt::Key_Enter); QVERIFY(se->value() == 20); //same for destination ds->setValue(0); de->setValue(0); for (int i=0; i<20; i++) QTest::keyClick(de, Qt::Key_Up); QTest::keyClick(de, Qt::Key_Enter); for (int i=0; i<10; i++) QTest::keyClick(ds, Qt::Key_Up); QTest::keyClick(ds, Qt::Key_Enter); QVERIFY(de->value() == 20); qDebug() << "done"; // it sometimes hangs without this } fwbuilder-5.3.7/src/unit_tests/UDPServiceDialogTest/UDPServiceDialogTest.h000066400000000000000000000024101303637203600265340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: UDPServiceDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef UDPServiceDialogTest_H #define UDPServiceDialogTest_H #include #include "ObjectManipulator.h" #include "fwbuilder/Library.h" class UDPServiceDialogTest : public QObject { Q_OBJECT libfwbuilder::Library* findUserLibrary(); ObjectManipulator *om; private slots: void initTestCase(); void testDialog(); }; #endif // UDPServiceDialogTest_H fwbuilder-5.3.7/src/unit_tests/UDPServiceDialogTest/UDPServiceDialogTest.pro000066400000000000000000000003001303637203600271010ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = UDPServiceDialogTest SOURCES += main_UDPServiceDialogTest.cpp \ UDPServiceDialogTest.cpp HEADERS += UDPServiceDialogTest.h fwbuilder-5.3.7/src/unit_tests/UDPServiceDialogTest/main_UDPServiceDialogTest.cpp000066400000000000000000000033041303637203600300760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "UDPServiceDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new UDPServiceDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/UsageResolverTest/000077500000000000000000000000001303637203600221325ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/UsageResolverTest/UsageResolverTest.cpp000066400000000000000000000173401303637203600262710ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
/*
 * Builds the fixture shared by the three tests: one database holding one
 * library with four firewalls, three IPv4 addresses and three nested
 * groups, plus policy rules that reference the addresses directly,
 * through the groups, and through Branch rules between firewalls.
 *
 * Nothing created here is freed: no tearDown() is declared in this
 * fixture, which is presumably acceptable for a short-lived test process.
 */
void UsageResolverTest::setUp()
{
    db = new FWObjectDatabase();
    db->setName("Database");
    lib = Library::cast(FWBTree().createNewLibrary(db));
    lib->setName("Library");

    Firewall *fw1 = Firewall::cast(db->create(Firewall::TYPENAME));
    Firewall *fw2 = Firewall::cast(db->create(Firewall::TYPENAME));
    Firewall *fw3 = Firewall::cast(db->create(Firewall::TYPENAME));
    Firewall *fw4 = Firewall::cast(db->create(Firewall::TYPENAME));
    fw1->setName("Firewall 1");
    fw2->setName("Firewall 2");
    fw3->setName("Firewall 3");
    fw4->setName("Firewall 4");
    // addToLib() files each object under the standard folder for its type
    addToLib(fw1);
    addToLib(fw2);
    addToLib(fw3);
    addToLib(fw4);

    addr1 = IPv4::cast(db->create(IPv4::TYPENAME));
    addr2 = IPv4::cast(db->create(IPv4::TYPENAME));
    addr3 = IPv4::cast(db->create(IPv4::TYPENAME));
    addr1->setName("Address 1");
    addr2->setName("Address 2");
    addr3->setName("Address 3");
    addToLib(addr1);
    addToLib(addr2);
    addToLib(addr3);

    FWObject *grp1 = db->create(ObjectGroup::TYPENAME);
    FWObject *grp2 = db->create(ObjectGroup::TYPENAME);
    FWObject *grp3 = db->create(ObjectGroup::TYPENAME);
    grp1->setName("Group 1");
    grp2->setName("Group 2");
    grp3->setName("Group 3");
    addToLib(grp1);
    addToLib(grp2);
    addToLib(grp3);

    // Group nesting (references, not copies):
    //   addr1 belongs to grp1
    //   addr2 belongs to grp2
    //   grp1  belongs to grp2   (so grp2 transitively contains addr1)
    //   grp2  belongs to grp3   (so grp3 transitively contains both)
    grp1->addRef(addr1);
    grp2->addRef(addr2);
    grp2->addRef(grp1);
    grp3->addRef(grp2);

    // fw1: addr1 used directly (rule 1), via grp1 (rule 2), via grp2 (rule 3)
    Policy *policy = fw1->getPolicy();
    PolicyRule *rule;

    rule = PolicyRule::cast(policy->createRule());
    rule->setName("PolicyRule 1 of Firewall 1");
    rule->getSrc()->addRef(addr1);
    policy->add(rule);

    rule = PolicyRule::cast(policy->createRule());
    rule->setName("PolicyRule 2 of Firewall 1");
    rule->getSrc()->addRef(grp1);
    policy->add(rule);

    rule = PolicyRule::cast(policy->createRule());
    rule->setName("PolicyRule 3 of Firewall 1");
    rule->getSrc()->addRef(grp2);
    policy->add(rule);

    /*
     * Branches:
     *
     * fw4 rule1 --> fw3 Policy
     * fw3 rule2 --> fw2 Policy
     * fw3 rule3 --> fw4 Policy   (circular: fw3 <-> fw4)
     *
     * object addr3 is used in rule 1 of fw2.
     * fw3 rule1 uses grp3 directly.
     */
    rule = PolicyRule::cast(fw2->getPolicy()->createRule());
    rule->setName("PolicyRule 1 of Firewall 2");
    rule->getSrc()->addRef(addr2);
    rule->getDst()->addRef(addr3);
    fw2->getPolicy()->add(rule);

    rule = PolicyRule::cast(fw3->getPolicy()->createRule());
    rule->setName("PolicyRule 1 of Firewall 3");
    rule->getSrc()->addRef(grp3);
    fw3->getPolicy()->add(rule);

    rule = PolicyRule::cast(fw3->getPolicy()->createRule());
    rule->setName("PolicyRule 2 of Firewall 3");
    rule->setAction(PolicyRule::Branch);
    rule->setBranch(fw2->getPolicy());
    fw3->getPolicy()->add(rule);

    rule = PolicyRule::cast(fw4->getPolicy()->createRule());
    rule->setName("PolicyRule 1 of Firewall 4");
    rule->setAction(PolicyRule::Branch);
    rule->setBranch(fw3->getPolicy());
    fw4->getPolicy()->add(rule);

    // closes the fw3 -> fw4 -> fw3 cycle; the resolver must terminate on it
    rule = PolicyRule::cast(fw3->getPolicy()->createRule());
    rule->setName("PolicyRule 3 of Firewall 3");
    rule->setAction(PolicyRule::Branch);
    rule->setBranch(fw4->getPolicy());
    fw3->getPolicy()->add(rule);
}
CPPUNIT_ASSERT(obj->getParent()->getName() == "PolicyRule 1 of Firewall 1"); } if (ObjectGroup::isA(obj)) { CPPUNIT_ASSERT(obj->getName() == "Group 1"); } } else { // otherwise we should get system folder "Addresses" CPPUNIT_ASSERT(name == "Addresses" ); } iter++; } qDebug() << "test FWObjectDatabase::findWhereObjectIsUsed done"; qDebug() << ""; } void UsageResolverTest::findFirewallsForObject() { qDebug() << "Dependencies for addr1:"; list res = UsageResolver().findFirewallsForObject(addr1, db); list::iterator iter = res.begin(); CPPUNIT_ASSERT(res.size() == 3); while (iter!=res.end()) { string name = (*iter)->getName(); qDebug() << name.c_str() << "' (" << (*iter)->getTypeName().c_str() << ")"; CPPUNIT_ASSERT ( name == "Firewall 1" || name == "Firewall 3" || name == "Firewall 4" ); iter++; } qDebug() << "Dependencies for addr2:"; res = UsageResolver().findFirewallsForObject(addr2, db); iter = res.begin(); CPPUNIT_ASSERT(res.size() == 4); while (iter!=res.end()) { string name = (*iter)->getName(); qDebug() << name.c_str() << "' (" << (*iter)->getTypeName().c_str() << ")"; CPPUNIT_ASSERT ( name == "Firewall 1" || name == "Firewall 2" || name == "Firewall 3" || name == "Firewall 4"); iter++; } //fwbdebug = 1; qDebug() << "Dependencies for addr3:"; res = UsageResolver().findFirewallsForObject(addr3, db); iter = res.begin(); //CPPUNIT_ASSERT(res.size() == 3); while (iter!=res.end()) { string name = (*iter)->getName(); qDebug() << name.c_str() << "' (" << (*iter)->getTypeName().c_str() << ")"; CPPUNIT_ASSERT ( name == "Firewall 2" || name == "Firewall 3" || name == "Firewall 4" ); iter++; } } void UsageResolverTest::humanizeSearchResults() { set res; db->findWhereObjectIsUsed(addr1, db, res); UsageResolver().humanizeSearchResults(res); set::iterator iter = res.begin(); while (iter!=res.end()) { string name = (*iter)->getName(); string type = (*iter)->getTypeName(); if (type == "ObjectRef") { FWObjectReference *o = FWObjectReference::cast(*iter); 
CPPUNIT_ASSERT(o->getPointer()->getName() == "Address 1"); } else { CPPUNIT_ASSERT ( name == "Group 1" || name == "Addresses"); } iter++; } } fwbuilder-5.3.7/src/unit_tests/UsageResolverTest/UsageResolverTest.h000066400000000000000000000035631303637203600257400ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWOBJECTDATABASETEST_H #define FWOBJECTDATABASETEST_H #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Group.h" #include "fwbuilder/Policy.h" #include "fwbuilder/RuleElement.h" #include "fwbuilder/Address.h" #include "fwbuilder/Library.h" #include "FWBTree.h" #include class UsageResolverTest : public CppUnit::TestFixture { void addToLib(libfwbuilder::FWObject* obj); public: libfwbuilder::FWObjectDatabase *db; libfwbuilder::Library *lib; libfwbuilder::IPv4 *addr1; libfwbuilder::IPv4 *addr2; libfwbuilder::IPv4 *addr3; libfwbuilder::PolicyRule *r1, *r2, *r3, *r4; void setUp(); void findWhereObjectIsUsed(); void findFirewallsForObject(); void humanizeSearchResults(); CPPUNIT_TEST_SUITE(UsageResolverTest); CPPUNIT_TEST(findWhereObjectIsUsed); CPPUNIT_TEST(findFirewallsForObject); CPPUNIT_TEST(humanizeSearchResults); CPPUNIT_TEST_SUITE_END(); }; #endif // FWOBJECTDATABASETEST_H 
fwbuilder-5.3.7/src/unit_tests/UsageResolverTest/UsageResolverTest.pro000066400000000000000000000002541303637203600263030ustar00rootroot00000000000000include(../tests_common.pri) QT += gui network TARGET = UsageResolverTest SOURCES += main_UsageResolverTest.cpp \ UsageResolverTest.cpp HEADERS += UsageResolverTest.h fwbuilder-5.3.7/src/unit_tests/UsageResolverTest/main_UsageResolverTest.cpp000066400000000000000000000024511303637203600272720ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "UsageResolverTest.h" #include int fwbdebug = 0; QString user_name; int main( int, char** ) { CppUnit::TextUi::TestRunner runner; runner.addTest( UsageResolverTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/UserSerivceDialogTest/000077500000000000000000000000001303637203600227235ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/UserSerivceDialogTest/UserServiceDialogTest.cpp000066400000000000000000000105411303637203600276470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: UserServiceDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
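/*
 * Creates a UserService object in the "User" library through the object
 * manipulator, then drives the dialog that opens for it with synthetic
 * key/mouse events and checks that every edited field is written back to
 * the object.
 *
 * Every object and widget looked up by name is verified with QVERIFY
 * before use: a missing library, a NULL manipulator or a renamed child
 * widget used to be a NULL dereference (crash) instead of a reported
 * test failure.
 */
void UserServiceDialogTest::testDialog()
{
    QVERIFY(om != NULL);
    Library *user_lib = findUserLibrary();
    QVERIFY(user_lib != NULL);

    UserService *service = UserService::cast(
        om->createObject(
            FWBTree().getStandardSlotForObject(user_lib, UserService::TYPENAME),
            UserService::TYPENAME, "testUserService"));
    QVERIFY(service != NULL);
    QTest::qWait(1000);

    //om->editObject(service);

    // createObject() opens the editor for the new object; the dialog's
    // object name is fixed by the .ui file.
    UserDialog *dialog = mw->findChild<UserDialog*>("w_UserDialog");
    QVERIFY(dialog != NULL);

    QLineEdit *obj_name = dialog->findChild<QLineEdit*>("obj_name");
    QVERIFY(obj_name != NULL);
    QLineEdit *userid = dialog->findChild<QLineEdit*>("userid");
    QVERIFY(userid != NULL);
    TextEditWidget *comment = dialog->findChild<TextEditWidget*>("comment");
    QVERIFY(comment != NULL);

    // Enter commits the line edit; a short wait lets the dialog apply it.
    obj_name->clear();
    QTest::keyClicks(obj_name, "TestUserService");
    QTest::keyClick(obj_name, Qt::Key_Enter);
    QTest::qWait(100);
    QVERIFY(service->getName() == "TestUserService");

    userid->clear();
    QTest::keyClicks(userid, "username");
    QTest::keyClick(userid, Qt::Key_Enter);
    QTest::qWait(100);
    QVERIFY(service->getUserId() == "username");

    // need to click inside the comment input field to make sure it
    // has focus. Looks like keyClicks() works even when widget has no
    // focus, so clicking outside of it does not trigger "edit
    // finished" signal. also looks like waiting a little after
    // clicking inside the text editor widget makes test more stable.
    comment->clear();
    QTest::mouseClick(comment, Qt::LeftButton, Qt::NoModifier, QPoint(5, 5));
    QTest::qWait(100);
    QTest::keyClicks(comment, "Test comment");
    // clicking another widget moves focus away and commits the comment
    QTest::mouseClick(obj_name, Qt::LeftButton);
    QTest::qWait(100);

    qDebug() << "Dialog comment text=" << comment->toPlainText();
    qDebug() << "Object comment=" << QString(service->getComment().c_str());
    QVERIFY(service->getComment() == "Test comment");
}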
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef UserServiceDialogTest_H #define UserServiceDialogTest_H #include #include "ObjectManipulator.h" #include "fwbuilder/Library.h" class UserServiceDialogTest : public QObject { Q_OBJECT libfwbuilder::Library* findUserLibrary(); ObjectManipulator *om; private slots: void initTestCase(); void testDialog(); }; #endif // UserServiceDialogTest_H fwbuilder-5.3.7/src/unit_tests/UserSerivceDialogTest/UserServiceDialogTest.pro000066400000000000000000000003041303637203600276610ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = UserServiceDialogTest SOURCES += main_UserServiceDialogTest.cpp \ UserServiceDialogTest.cpp HEADERS += UserServiceDialogTest.h fwbuilder-5.3.7/src/unit_tests/UserSerivceDialogTest/main_UserServiceDialogTest.cpp000066400000000000000000000033061303637203600306540ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
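#######################################
# Run one test step and report it in QTest's text format.
# Globals:   PASSED / FAILED (incremented via pass()/fail())
# Arguments: $1 - test name; $2.. - command and its arguments
# Outputs:   every line the command printed (stdout+stderr) as a
#            "QDEBUG : name::test()" line, then PASS/FAIL
# Returns:   always 0; the verdict is recorded by pass()/fail()
#######################################
run_command() # test_name command [args...]
{
    name=$1
    shift
    # Capture both streams; take the exit status before anything else runs.
    captured=$("$@" 2>&1)
    returned=$?

    # Feed the captured text line by line through output().
    # `IFS= read -r` keeps leading whitespace and backslashes, and the
    # quoted "$line" prevents word-splitting and glob expansion -- the
    # original `for line in $output` expanded a '*' in a log line against
    # the current directory and collapsed runs of spaces.
    # output() only prints, so running the loop in a pipe subshell is fine.
    if [ -n "$captured" ]; then
        printf '%s\n' "$captured" | while IFS= read -r line
        do
            output "$name" "$line"
        done
    fi

    if [ "$returned" -eq 0 ]; then
        pass "$name"
    else
        fail "$name"
    fi
}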
&& ./${TARGET} && echo "OK" || echo "FAILED" run_tests.depends = build_tests clean_tests.commands = rm -f print.pdf QMAKE_EXTRA_TARGETS += run_tests build_tests clean_tests fwbuilder-5.3.7/src/unit_tests/commandLinePrintingTest/test.fwb000066400000000000000000002531171303637203600247750ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/compilerLibTest/000077500000000000000000000000001303637203600216055ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/compilerLibTest/interfacePropertiesTest.cpp000066400000000000000000000600551303637203600271740ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivkiy a2k0001@gmail.com $Id: interfaceProperties.cpp 2043 2009-12-06 01:10:10Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "interfacePropertiesTest.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Constants.h" #include #include using namespace std; using namespace libfwbuilder; using namespace CppUnit; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string&) const { cout << "Data file has been created in the old version of Firewall Builder. Use fwbuilder GUI to convert it." << std::endl; return false; } }; interfaceProperties* interfacePropertiesTest::getIntProps(const QString &os) { Resources* os_res = Resources::os_res[os.toStdString()]; string os_family = os.toStdString(); if (os_res!=NULL) os_family = os_res->getResourceStr("/FWBuilderResources/Target/family"); return interfacePropertiesObjectFactory::getInterfacePropertiesObject(os_family); } void interfacePropertiesTest::setUp() { db = new FWObjectDatabase(); } void interfacePropertiesTest::validateInterfaceNameCommon() { QString err; Firewall fw; fw.setStr("host_OS", "unknown"); db->add(&fw); Interface* iface = Interface::cast(db->create(Interface::TYPENAME)); fw.add(iface); iface->getOptionsObject()->setStr("type", "ethernet"); interfaceProperties * int_prop = getIntProps("unknown"); CPPUNIT_ASSERT(int_prop != NULL); CPPUNIT_ASSERT(int_prop->basicValidateInterfaceName( iface, "eth0", err) == true); CPPUNIT_ASSERT(int_prop->basicValidateInterfaceName( iface, "foo0", err) == true); CPPUNIT_ASSERT(int_prop->basicValidateInterfaceName( iface, "bar0", err) == true); CPPUNIT_ASSERT(int_prop->basicValidateInterfaceName( iface, "vlan100", err) == true); CPPUNIT_ASSERT(int_prop->basicValidateInterfaceName( iface, "Vlan100", err) == true); CPPUNIT_ASSERT(int_prop->basicValidateInterfaceName( iface, "VlAn100", err) == true); CPPUNIT_ASSERT(int_prop->basicValidateInterfaceName( iface, "foo 0", 
/*
 * Interface-name format rules for the linux24 family, per interface type.
 * Only basicValidateInterfaceName() is exercised: it checks the syntax of
 * the name, not whether e.g. a VLAN id is in range. Unlike most other
 * platforms, Linux accepts "-" inside a name (see #1856); spaces are
 * rejected everywhere.
 */
void interfacePropertiesTest::validateInterfaceNameLinux()
{
    QString err;
    Firewall fw;
    fw.setStr("host_OS", "linux24");
    db->add(&fw);

    Interface* iface = Interface::cast(db->create(Interface::TYPENAME));
    fw.add(iface);

    interfaceProperties *int_prop = getIntProps("linux24");

    struct NameCase
    {
        const char *type;      // interface type set on iface before the check
        const char *name;      // candidate name
        bool        expected;  // verdict of basicValidateInterfaceName()
    };
    static const NameCase cases[] = {
        { "ethernet", "eth0",      true  },
        { "ethernet", "foo0",      true  },
        { "ethernet", "bar0",      true  },
        // no dedicated p2p type yet; "-" is allowed on Linux (#1856)
        { "ethernet", "ppp-dsl",   true  },
        { "8021q",    "vlan100",   true  },
        { "8021q",    "Vlan100",   true  },
        { "8021q",    "VlAn100",   true  },
        { "8021q",    "foo 0",     false },
        { "8021q",    "foo 12345", false },
        { "bridge",   "br0",       true  },
        { "bridge",   "Br0",       true  },
        { "bridge",   "br-lan",    true  },   // "-" allowed on Linux (#1856)
        { "bridge",   "br 200",    false },   // spaces are never permitted
    };

    // The type is applied once per group of cases, in table order, so the
    // sequence of option writes is the same as the hand-written version.
    string current_type;
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); ++i)
    {
        if (current_type != cases[i].type)
        {
            current_type = cases[i].type;
            iface->getOptionsObject()->setStr("type", current_type);
        }
        CPPUNIT_ASSERT(int_prop->basicValidateInterfaceName(
                           iface, cases[i].name, err) == cases[i].expected);
    }
}
/*
 * interfaceProperties::validateInterface() for the linux24 family: which
 * (parent, interface) combinations are accepted for a cluster and for a
 * firewall, depending on the parent's type, the interface's type, whether
 * it is unnumbered, whether it has subinterfaces, and its name.
 *
 * NOTE(review): `fw` below is a stack object that is add()ed to `db`; the
 * database keeps a pointer to it after this method returns. That is only
 * safe if nothing walks or deletes db afterwards -- confirm, or allocate
 * it through db->create() like the other objects.
 *
 * NOTE(review): the parent type is set to "eternet" (sic), not "ethernet";
 * the first asserts pass with that value, so the intended coverage of an
 * ethernet parent may not actually be exercised.
 *
 * The template arguments of the dynamic_cast<> calls are not present in
 * this listing; the one FWObject::cast(iface) call suggests FWObject*.
 */
void interfacePropertiesTest::validateInterface()
{
    // resolve the OS family by hand (same logic as getIntProps())
    string host_OS = "linux24";
    Resources* os_res = Resources::os_res[host_OS];
    string os_family = host_OS;
    if (os_res!=NULL)
        os_family = os_res->getResourceStr("/FWBuilderResources/Target/family");
    interfaceProperties * int_prop = interfacePropertiesObjectFactory::getInterfacePropertiesObject(os_family);
    CPPUNIT_ASSERT(int_prop != NULL);

    QString err;

    // --- cluster target: interface under an ethernet parent ---
    Cluster *cluster1 = Cluster::cast(db->create(Cluster::TYPENAME));
    Interface *parent1 = Interface::cast(db->create(Interface::TYPENAME));
    Interface *iface1 = Interface::cast(db->create(Interface::TYPENAME));
    db->add(cluster1);
    db->add(parent1);
    parent1->add(iface1, false);
    parent1->getOptionsObject()->setStr("type", "eternet");
    iface1->setUnnumbered(false);
    iface1->getOptionsObject()->setStr("type", "ethernet");
    cluster1->setStr("host_OS", host_OS);
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(cluster1), dynamic_cast(iface1), false, err) == true );

    // unnumbered is fine as well
    iface1->setUnnumbered(true);
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(cluster1), dynamic_cast(iface1), false, err) == true );

    // but an ethernet interface may not sit under a bonding or bridge parent
    parent1->getOptionsObject()->setStr("type", "bonding");
    iface1->setUnnumbered(false);
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(cluster1), dynamic_cast(iface1), false, err) == false );

    parent1->getOptionsObject()->setStr("type", "bridge");
    iface1->setUnnumbered(false);
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(cluster1), dynamic_cast(iface1), false, err) == false );

    // --- firewall target: types, subinterfaces and names ---
    Firewall fw;
    fw.setStr("host_OS", host_OS);
    db->add(&fw);
    Interface* parent = Interface::cast(db->create(Interface::TYPENAME));
    Interface* iface = Interface::cast(db->create(Interface::TYPENAME));
    Interface* subiface = Interface::cast(db->create(Interface::TYPENAME));
    fw.add(parent);
    // no types set yet: rejected
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(parent), dynamic_cast(iface), true, err) == false);

    parent->getOptionsObject()->setStr("type", "bridge");
    iface->getOptionsObject()->setStr("type", "ethernet");
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(parent), FWObject::cast(iface), true, err) == true);

    // an interface that itself has a subinterface is rejected here
    iface->getOptionsObject()->setStr("type", "ethernet");
    iface->add(subiface);
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(parent), dynamic_cast(iface), false, err) == false);
    iface->remove(subiface);

    // vlan names: "vlan0" accepted, an id that large is not
    Cluster *cluster = Cluster::cast(db->create(Cluster::TYPENAME));
    iface->setName("vlan0");
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(cluster), dynamic_cast(iface), false, err) == true);
    iface->setName("vlan34324");
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(cluster), dynamic_cast(iface), false, err) == false);

    parent->setName("vlan");
    parent->getOptionsObject()->setStr("type", "bridge");
    iface->setName("vlan1");
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(parent), dynamic_cast(iface), false, err) == true);

    // a parent that is not an interface (plain address) is rejected
    IPv4 *adr = IPv4::cast(db->create(IPv4::TYPENAME));
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(adr), dynamic_cast(iface), false, err) == false);

    // vlan subinterface under an ethernet parent: ok; "eth0" under it: not
    parent->setName("notAVlan");
    parent->getOptionsObject()->setStr("type", "ethernet");
    iface->setName("vlan1");
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(parent), dynamic_cast(iface), false, err) == true);

    iface->setName("eth0");
    CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast(parent), dynamic_cast(iface), false, err) == false);
}
/*
 * VLAN subinterface naming shared by every Linux-derived family: a VLAN
 * interface may be called either "vlanNNN" or "<parent>.NNN", where the
 * prefix must match the actual parent and NNN must be a plausible VLAN id.
 *
 * int_prop: the family's interfaceProperties object, obtained by the
 *           per-family wrappers below via getIntProps().
 */
void interfacePropertiesTest::isValidVlanInterfaceNameLinuxFamilies(
    interfaceProperties * int_prop)
{
    struct VlanCase
    {
        const char *sub;       // candidate subinterface name
        const char *parent;    // name of its parent interface
        bool        expected;  // verdict of isValidVlanInterfaceName()
    };
    static const VlanCase cases[] = {
        { "vlan101",    "eth0",  true  },
        { "eth0.101",   "eth0",  true  },
        { "foo",        "eth0",  false },   // neither form
        { "foo101",     "eth0",  false },
        { "eth0.bar",   "eth0",  false },   // non-numeric id
        { "eth0.99999", "eth0",  false },   // id out of range
        { "eth1.101",   "eth0",  false },   // prefix is not the parent
        { "bond1.15",   "bond1", true  },   // bonding parent
        { "bond1.515",  "bond1", true  },
        { "bond1.1205", "bond1", true  },
    };

    QString err;
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); ++i)
    {
        QString parent = cases[i].parent;
        CPPUNIT_ASSERT(int_prop->isValidVlanInterfaceName(
                           cases[i].sub, parent, err) == cases[i].expected);
    }
}
(int_prop->isValidVlanInterfaceName("eth0.101", parent, err) == false); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("foo", parent, err) == false); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("foo101", parent, err) == false); int_prop = getIntProps("freebsd"); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan101", parent, err) == true); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("eth0.101", parent, err) == false); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("foo", parent, err) == false); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("foo101", parent, err) == false); } void interfacePropertiesTest::isValidVlanInterfaceNameIOS() { QString err, parent; /* FastEthernet0/1.101 FastEthernet0/1 true vlan101 FastEthernet0/1 false Ethernet0/0.101 FastEthernet0/1 false Ethernet0/0.99999 Ethernet0/0 false */ interfaceProperties *int_prop = getIntProps("ios"); parent = "FastEthernet0/1"; CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("FastEthernet0/1.101", parent, err) == true); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan101", parent, err) == false); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("Ethernet0/0.101", parent, err) == false); parent = "Ethernet0/0"; CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("Ethernet0/0.99999", parent, err) == false); } void interfacePropertiesTest::isValidVlanInterfaceNamePIX() { QString err, parent; interfaceProperties *int_prop = getIntProps("pix_os"); parent = "FastEthernet0/1"; CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("FastEthernet0/1.101", parent, err) == true); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan101", parent, err) == false); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("Ethernet0/0.101", parent, err) == false); parent = "Ethernet0/0"; CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("Ethernet0/0.99999", parent, err) == false); } void interfacePropertiesTest::isValidVlanInterfaceNameProCurve() { QString err, parent; /* * As of 
05/10/2010 we do not restrict interfaces for ProCurve * Vlan interface name parent ok/not ok vlan 2 anything true vlan2 anything false Ethernet0/0.101 FastEthernet0/1 false Ethernet0/0.99999 Ethernet0/0 false */ interfaceProperties *int_prop = getIntProps("procurve"); parent = "FastEthernet0/1"; CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan 2", parent, err) == true); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("VLAN 2", parent, err) == true); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("Vlan 2", parent, err) == true); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan2", parent, err) == false); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan 101", parent, err) == true); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan101", parent, err) == false); CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("Ethernet0/0.101", parent, err) == false); } void interfacePropertiesTest::validateInterfaceProCurve() { string host_OS = "procurve"; Resources* os_res = Resources::os_res[host_OS]; string os_family = host_OS; if (os_res!=NULL) os_family = os_res->getResourceStr("/FWBuilderResources/Target/family"); interfaceProperties * int_prop = interfacePropertiesObjectFactory::getInterfacePropertiesObject(os_family); CPPUNIT_ASSERT(int_prop != NULL); QString err; Firewall fw; fw.setStr("host_OS", host_OS); db->add(&fw); Interface* parent = Interface::cast(db->create(Interface::TYPENAME)); Interface* iface = Interface::cast(db->create(Interface::TYPENAME)); Interface* subiface = Interface::cast(db->create(Interface::TYPENAME)); fw.add(parent); iface->setName("vlan 2"); CPPUNIT_ASSERT(int_prop->validateInterface(&fw, iface, false, err) == true); iface->setName("vlan 34324"); CPPUNIT_ASSERT(int_prop->validateInterface(&fw, iface, false, err) == false); } void interfacePropertiesTest::testManageIpAddresses() { UpgradePredicate upgrade_predicate; string file_name = "test.fwb"; db->setReadOnly( false ); db->load(file_name, &upgrade_predicate, 
Constants::getDTDDirectory()); db->setFileName(file_name); db->reIndex(); FWObject *fw = db->findObjectByName(Firewall::TYPENAME, "fw1"); CPPUNIT_ASSERT(fw != NULL); Interface *intf = Interface::cast( fw->findObjectByName(Interface::TYPENAME, "eth0")); interfaceProperties *int_prop = getIntProps("linux24"); QStringList update_addresses; QStringList ignore_addresses; CPPUNIT_ASSERT( int_prop->manageIpAddresses( intf, update_addresses, ignore_addresses) == true); intf = Interface::cast( fw->findObjectByName(Interface::TYPENAME, "lo")); CPPUNIT_ASSERT( int_prop->manageIpAddresses( intf, update_addresses, ignore_addresses) == true); intf = Interface::cast( fw->findObjectByName(Interface::TYPENAME, "eth1")); // dyn CPPUNIT_ASSERT( int_prop->manageIpAddresses( intf, update_addresses, ignore_addresses) == false); intf = Interface::cast( fw->findObjectByName(Interface::TYPENAME, "eth2")); // bridge port CPPUNIT_ASSERT( int_prop->manageIpAddresses( intf, update_addresses, ignore_addresses) == false); intf = Interface::cast( fw->findObjectByName(Interface::TYPENAME, "eth3")); // bonding intf slave CPPUNIT_ASSERT( int_prop->manageIpAddresses( intf, update_addresses, ignore_addresses) == false); intf = Interface::cast( fw->findObjectByName(Interface::TYPENAME, "tun0")); // unnumbered CPPUNIT_ASSERT( int_prop->manageIpAddresses( intf, update_addresses, ignore_addresses) == false); intf = Interface::cast( fw->findObjectByName(Interface::TYPENAME, "tun*")); // unnumbered CPPUNIT_ASSERT( int_prop->manageIpAddresses( intf, update_addresses, ignore_addresses) == false); } void interfacePropertiesTest::testManageIpAddressesCluster() { UpgradePredicate upgrade_predicate; string file_name = "test.fwb"; db->setReadOnly( false ); db->load(file_name, &upgrade_predicate, Constants::getDTDDirectory()); db->setFileName(file_name); db->reIndex(); FWObject *fw = db->findObjectByName(Cluster::TYPENAME, "cluster1"); CPPUNIT_ASSERT(fw != NULL); Interface *intf = Interface::cast( 
fw->findObjectByName(Interface::TYPENAME, "lo")); intf->getOptionsObject()->setBool("cluster_interface", true); interfaceProperties *int_prop = getIntProps("linux24"); QStringList update_addresses; QStringList ignore_addresses; CPPUNIT_ASSERT( int_prop->manageIpAddresses( intf, update_addresses, ignore_addresses) == false); intf = Interface::cast( fw->findObjectByName(Interface::TYPENAME, "eth0")); CPPUNIT_ASSERT( int_prop->manageIpAddresses( intf, update_addresses, ignore_addresses) == true); } fwbuilder-5.3.7/src/unit_tests/compilerLibTest/interfacePropertiesTest.h000066400000000000000000000061451303637203600266410ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivkiy a2k0001@gmail.com $Id: interfaceProperties.h 2043 2009-12-06 01:10:10Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INTERFACEPROPERTIESTEST #define INTERFACEPROPERTIESTEST #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWObject.h" #include "fwbuilder/Cluster.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Interface.h" #include "fwbuilder/Cluster.h" #include "interfaceProperties.h" #include "interfacePropertiesObjectFactory.h" #include #include #include class interfacePropertiesTest: public CppUnit::TestFixture { libfwbuilder::FWObjectDatabase *db; void isValidVlanInterfaceNameLinuxFamilies(interfaceProperties *int_prop); public: //interfaceProperties( std::string name ) : CppUnit::TestCase( name ) {} interfaceProperties* getIntProps(const QString &os); void validateInterfaceNameCommon(); void validateInterfaceNameLinux(); void validateInterfaceNameProCurve(); void validateInterface(); void isEligibleForCluster(); void isValidVlanInterfaceNameLinux24(); void isValidVlanInterfaceNameOpenWRT(); void isValidVlanInterfaceNameDDWRT1(); void isValidVlanInterfaceNameDDWRT2(); void isValidVlanInterfaceNameSecuwall(); void isValidVlanInterfaceNameBSD(); void isValidVlanInterfaceNameIOS(); void isValidVlanInterfaceNamePIX(); void isValidVlanInterfaceNameProCurve(); void validateInterfaceProCurve(); void testManageIpAddresses(); void testManageIpAddressesCluster(); void setUp(); CPPUNIT_TEST_SUITE(interfacePropertiesTest); CPPUNIT_TEST(validateInterfaceNameCommon); CPPUNIT_TEST(validateInterfaceNameLinux); CPPUNIT_TEST(validateInterfaceNameProCurve); CPPUNIT_TEST(validateInterface); CPPUNIT_TEST(isEligibleForCluster); CPPUNIT_TEST(isValidVlanInterfaceNameLinux24); CPPUNIT_TEST(isValidVlanInterfaceNameOpenWRT); CPPUNIT_TEST(isValidVlanInterfaceNameDDWRT1); CPPUNIT_TEST(isValidVlanInterfaceNameDDWRT2); CPPUNIT_TEST(isValidVlanInterfaceNameSecuwall); CPPUNIT_TEST(isValidVlanInterfaceNameBSD); 
CPPUNIT_TEST(isValidVlanInterfaceNameIOS); CPPUNIT_TEST(isValidVlanInterfaceNamePIX); CPPUNIT_TEST(testManageIpAddresses); CPPUNIT_TEST(testManageIpAddressesCluster); CPPUNIT_TEST_SUITE_END(); }; #endif fwbuilder-5.3.7/src/unit_tests/compilerLibTest/interfacePropertiesTests.pro000066400000000000000000000002301303637203600273620ustar00rootroot00000000000000include(../tests_common.pri) TARGET = interfacePropertiesTest SOURCES = interfacePropertiesTest.cpp tests_main.cpp HEADERS = interfacePropertiesTest.h fwbuilder-5.3.7/src/unit_tests/compilerLibTest/test.fwb000066400000000000000000002771731303637203600233050ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/compilerLibTest/tests_main.cpp000066400000000000000000000027701303637203600244650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivkiy a2k0001@gmail.com $Id: main.cpp 2039 2009-12-05 20:16:44Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include "common/init.cpp" #include "interfacePropertiesTest.h" #include "fwbuilder/Constants.h" #include #include #include //QString user_name; int main(int, char **argv) { init(argv); init(); Resources res(Constants::getResourcesFilePath()); CppUnit::TextUi::TestRunner runner; runner.addTest( interfacePropertiesTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfilter/000077500000000000000000000000001303637203600243515ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfilter/.gitignore000066400000000000000000000000071303637203600263360ustar00rootroot00000000000000ipf2-1 fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfilter/generatedScriptTestsIpfilter.cpp000066400000000000000000000232711303637203600327270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "generatedScriptTestsIpfilter.h" #include "CompilerDriver_ipf.h" #include "Configlet.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWException.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Constants.h" #include #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string&) const { cout << "Data file has been created in the old version of Firewall Builder. Use fwbuilder GUI to convert it." << std::endl; return false; } }; void GeneratedScriptTest::setUp() { Configlet::setDebugging(true); } void GeneratedScriptTest::tearDown() { } void GeneratedScriptTest::loadDataFile(const string &file_name) { /* load the data file */ UpgradePredicate upgrade_predicate; objdb->setReadOnly( false ); objdb->load(file_name, &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(file_name); objdb->reIndex(); } void GeneratedScriptTest::runCompiler(const std::string &test_file, const std::string &firewall_object_name, const std::string &generate_file_name, const std::string &output_file_option) { loadDataFile(test_file); QStringList args; if (!output_file_option.empty()) { args << "-o" << output_file_option.c_str(); } args << firewall_object_name.c_str(); CompilerDriver_ipf driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipf initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file generate_file_name QFileInfo fi(generate_file_name.c_str()); CPPUNIT_ASSERT_MESSAGE("Generated file " + generate_file_name + " not found", fi.exists() == true); } // I can check only certain parts of the top comment. 
Can't // compare against "golden" file because some parts of the comment // are variable, such as date, version and build number void GeneratedScriptTest::ManifestTest_1() { objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipf1", "ipf1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipf1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipf1.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf1-ipf.conf") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf1-nat.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_2() { /* * output script name is set to ipf2-1.fw in the fw object. This * parameter is used by instDialog and passed to the compiler via * "-o" command line option. Calling compiler without this option * produces file with standard name. */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipf2", "ipf2-1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipf2-1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipf2-1.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1-ipf.conf") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1-nat.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_3() { /* * output script name is set to ipf2a in the fw object. This * parameter is used by instDialog and passed to the compiler via * "-o" command line option. Calling compiler without this option * produces file with standard name. 
*/ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipf2a", "ipf2-1"); QString res = Configlet::findConfigletInFile("top_comment", "ipf2-1"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipf2-1") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1-ipf.conf") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1-nat.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_4() { /* * Compile ipf2 and ipf2a adding "-o" option as instDialog does */ objdb = new FWObjectDatabase(); QString option_o = QDir::currentPath() + "/ipf2-1.fw"; runCompiler("test1.fwb", "ipf2", "ipf2-1.fw", option_o.toStdString()); QString res = Configlet::findConfigletInFile("top_comment", "ipf2-1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * " + option_o) != -1); QString ipf_file = QDir::currentPath() + "/ipf2-1-ipf.conf"; QString nat_file = QDir::currentPath() + "/ipf2-1-nat.conf"; CPPUNIT_ASSERT(res.indexOf("# files: " + ipf_file) != -1); CPPUNIT_ASSERT(res.indexOf("# files: " + nat_file) != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_5() { objdb = new FWObjectDatabase(); QString option_o = QDir::currentPath() + "/ipf2-1"; runCompiler("test1.fwb", "ipf2a", "ipf2-1.fw", option_o.toStdString()); QString res = Configlet::findConfigletInFile("top_comment", "ipf2-1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipf2-1.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1-ipf.conf") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1-nat.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_6() { /* * remote ipf and nat files are configured as /etc/fw/ipf3-ipf.conf and * /etc/fw/ipf3-nat.conf in ipf3 */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipf3", "ipf3.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipf3.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipf3.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# 
files: ipf3-ipf.conf /etc/fw/ipf3-ipf.conf") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf3-nat.conf /etc/fw/ipf3-nat.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_7() { /* * remote ipf and nat files in ipf4 have spaces in the path */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipf4", "ipf4.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipf4.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipf4.fw /etc/path\\ with\\ space/ipf4.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf4-ipf.conf /etc/path\\ with\\ space/ipf4-ipf.conf") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf4-nat.conf /etc/path\\ with\\ space/ipf4-nat.conf") != -1); delete objdb; } // ************************************************************************ void GeneratedScriptTest::FwCommentTest() { objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipf1", "ipf1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipf1.fw"); // find string from the firewall object comment and compare CPPUNIT_ASSERT(res.indexOf("# Firewall object test1 comment") != -1); delete objdb; } // ************************************************************************ void GeneratedScriptTest::ActivationCommandsTest_1() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "ipf1.fw"); CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf1-ipf.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_2() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw"); CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_3() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "ipf2-1"); CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1); delete objdb; } void 
GeneratedScriptTest::ActivationCommandsTest_4() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw"); CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_6() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "ipf3.fw"); CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/fw/ipf3-ipf.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_7() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "ipf4.fw", 1); CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/path\\ with\\ space/ipf4-ipf.conf") != -1); res = Configlet::findConfigletInFile("activation", "ipf4.fw", 2); CPPUNIT_ASSERT(res.indexOf("$IPNAT -f /etc/path\\ with\\ space/ipf4-nat.conf") != -1); delete objdb; } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfilter/generatedScriptTestsIpfilter.h000066400000000000000000000055541303637203600324000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef GENERATEDSCRIPTTESTS_IPFILTER_H #define GENERATEDSCRIPTTESTS_IPFILTER_H #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Logger.h" #include #include class GeneratedScriptTest : public CppUnit::TestFixture { libfwbuilder::FWObjectDatabase *objdb; void loadDataFile(const std::string &file_name); void runCompiler(const std::string &test_file, const std::string &firewall_object_name, const std::string &generate_file_name, const std::string &output_file_option=""); public: void setUp(); void tearDown(); void ManifestTest_1(); void ManifestTest_2(); void ManifestTest_3(); void ManifestTest_4(); void ManifestTest_5(); void ManifestTest_6(); void ManifestTest_7(); void FwCommentTest(); void ActivationCommandsTest_1(); void ActivationCommandsTest_2(); void ActivationCommandsTest_3(); void ActivationCommandsTest_4(); // void ActivationCommandsTest_5(); void ActivationCommandsTest_6(); void ActivationCommandsTest_7(); CPPUNIT_TEST_SUITE(GeneratedScriptTest); // The order of tests matters because activation commands tests use // files produced in manifest tests CPPUNIT_TEST(ManifestTest_1); CPPUNIT_TEST(ActivationCommandsTest_1); CPPUNIT_TEST(ManifestTest_2); CPPUNIT_TEST(ActivationCommandsTest_2); CPPUNIT_TEST(ManifestTest_3); CPPUNIT_TEST(ActivationCommandsTest_3); CPPUNIT_TEST(ManifestTest_4); CPPUNIT_TEST(ActivationCommandsTest_4); // CPPUNIT_TEST(ManifestTest_5); // CPPUNIT_TEST(ActivationCommandsTest_5); CPPUNIT_TEST(ManifestTest_6); CPPUNIT_TEST(ActivationCommandsTest_6); CPPUNIT_TEST(ManifestTest_7); CPPUNIT_TEST(ActivationCommandsTest_7); CPPUNIT_TEST(FwCommentTest); CPPUNIT_TEST_SUITE_END(); }; #endif // GENERATEDSCRIPTTESTS_IPFILTER_H 
fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfilter/generatedScriptTestsIpfilter.pro000066400000000000000000000005471303637203600327460ustar00rootroot00000000000000include(../tests_common.pri) QT += gui network HEADERS = generatedScriptTestsIpfilter.h SOURCES = main_generatedScriptTestsIpfilter.cpp \ generatedScriptTestsIpfilter.cpp TARGET = generatedScriptTestsIpfilter run_tests.commands = echo "Running tests..." && \ rm -f *.fw *.conf && \ ./${TARGET} && \ echo "OK" || { echo "FAILED"; exit 1; } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfilter/main_generatedScriptTestsIpfilter.cpp000066400000000000000000000034401303637203600337270ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "generatedScriptTestsIpfilter.h" #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/Constants.h" #include #include #include "../../../common/init.cpp" using namespace std; using namespace libfwbuilder; int main(int argc, char **argv) { QApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); init(argv); Resources res(Constants::getResourcesFilePath()); CppUnit::TextUi::TestRunner runner; runner.addTest( GeneratedScriptTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfilter/test1.fwb000066400000000000000000003006241303637203600261160ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfw/000077500000000000000000000000001303637203600235005ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfw/.gitignore000066400000000000000000000000101303637203600254570ustar00rootroot00000000000000ipfw2-1 fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfw/generatedScriptTestsIpfw.cpp000066400000000000000000000151061303637203600312030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "generatedScriptTestsIpfw.h" #include "CompilerDriver_ipfw.h" #include "Configlet.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWException.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Constants.h" #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string&) const { cout << "Data file has been created in the old version of Firewall Builder. Use fwbuilder GUI to convert it." 
<< std::endl; return false; } }; void GeneratedScriptTest::setUp() { Configlet::setDebugging(true); } void GeneratedScriptTest::tearDown() { } void GeneratedScriptTest::loadDataFile(const string &file_name) { /* load the data file */ UpgradePredicate upgrade_predicate; objdb->setReadOnly( false ); objdb->load(file_name, &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(file_name); objdb->reIndex(); } void GeneratedScriptTest::runCompiler(const std::string &test_file, const std::string &firewall_object_name, const std::string &generate_file_name, const std::string &output_file_option) { loadDataFile(test_file); QStringList args; if (!output_file_option.empty()) { args << "-o" << output_file_option.c_str(); } args << firewall_object_name.c_str(); CompilerDriver_ipfw driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipfw initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file generate_file_name QFileInfo fi(generate_file_name.c_str()); CPPUNIT_ASSERT_MESSAGE("Generated file " + generate_file_name + " not found", fi.exists() == true); } // I can check only certain parts of the top comment. Can't // compare against "golden" file because some parts of the comment // are variable, such as date, version and build number void GeneratedScriptTest::ManifestTest_1() { QFile::remove("ipfw1.fw"); objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipfw1", "ipfw1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipfw1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipfw1.fw") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_2() { /* * output script name is set to ipfw2-1.fw in the fw object. 
*/ QFile::remove("ipfw2-1.fw"); objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipfw2", "ipfw2-1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipfw2-1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipfw2-1.fw") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_3() { /* * output script name is set to ipfw2-1 in the fw object (no extension) */ QFile::remove("ipfw2-1"); objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipfw2a", "ipfw2-1"); QString res = Configlet::findConfigletInFile("top_comment", "ipfw2-1"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipfw2-1") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_4() { /* * Compile ipfw2 and ipfw2a adding "-o" option as instDialog does */ objdb = new FWObjectDatabase(); QString option_o = QDir::currentPath() + "/ipfw2-1.fw"; QFile::remove(option_o); runCompiler("test1.fwb", "ipfw2", "ipfw2-1.fw", option_o.toStdString()); QString res = Configlet::findConfigletInFile("top_comment", "ipfw2-1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * " + option_o) != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_5() { objdb = new FWObjectDatabase(); QString option_o = QDir::currentPath() + "/ipfw2-1"; QFile::remove(option_o); runCompiler("test1.fwb", "ipfw2a", "ipfw2-1.fw", option_o.toStdString()); QString res = Configlet::findConfigletInFile("top_comment", "ipfw2-1"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipfw2-1") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_6() { /* * remote ipfw and nat files are configured as /etc/fw/ipfw3-ipfw.conf and * /etc/fw/ipfw3-nat.conf in ipfw3 */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipfw3", "ipfw3.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipfw3.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipfw3.fw") != -1); delete objdb; } void 
GeneratedScriptTest::ManifestTest_7() { /* * remote ipfw and nat files in ipfw4 have spaces in the path */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipfw4", "ipfw4.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipfw4.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipfw4.fw /etc/path\\ with\\ space/ipfw4.fw") != -1); delete objdb; } // ************************************************************************ void GeneratedScriptTest::FwCommentTest() { objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "ipfw1", "ipfw1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipfw1.fw"); // find string from the firewall object comment and compare CPPUNIT_ASSERT(res.indexOf("# Firewall object test1 comment") != -1); delete objdb; } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfw/generatedScriptTestsIpfw.h000066400000000000000000000045371303637203600306560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef GENERATEDSCRIPTTESTS_IPFILTER_H #define GENERATEDSCRIPTTESTS_IPFILTER_H #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Logger.h" #include #include class GeneratedScriptTest : public CppUnit::TestFixture { libfwbuilder::FWObjectDatabase *objdb; void loadDataFile(const std::string &file_name); void runCompiler(const std::string &test_file, const std::string &firewall_object_name, const std::string &generate_file_name, const std::string &output_file_option=""); public: void setUp(); void tearDown(); void ManifestTest_1(); void ManifestTest_2(); void ManifestTest_3(); void ManifestTest_4(); void ManifestTest_5(); void ManifestTest_6(); void ManifestTest_7(); void FwCommentTest(); CPPUNIT_TEST_SUITE(GeneratedScriptTest); // The order of tests matters because activation commands tests use // files produced in manifest tests CPPUNIT_TEST(ManifestTest_1); CPPUNIT_TEST(ManifestTest_2); CPPUNIT_TEST(ManifestTest_3); CPPUNIT_TEST(ManifestTest_4); // CPPUNIT_TEST(ManifestTest_5); // CPPUNIT_TEST(ActivationCommandsTest_5); CPPUNIT_TEST(ManifestTest_6); CPPUNIT_TEST(ManifestTest_7); CPPUNIT_TEST(FwCommentTest); CPPUNIT_TEST_SUITE_END(); }; #endif // GENERATEDSCRIPTTESTS_IPFILTER_H fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfw/generatedScriptTestsIpfw.pro000066400000000000000000000005271303637203600312220ustar00rootroot00000000000000include(../tests_common.pri) QT += gui network HEADERS = generatedScriptTestsIpfw.h SOURCES = main_generatedScriptTestsIpfw.cpp \ generatedScriptTestsIpfw.cpp TARGET = generatedScriptTestsIpfw run_tests.commands = echo "Running tests..." 
&& \ rm -f *.fw *.conf && \ ./${TARGET} && \ echo "OK" || { echo "FAILED"; exit 1; } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfw/main_generatedScriptTestsIpfw.cpp000066400000000000000000000034351303637203600322110ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "generatedScriptTestsIpfw.h" #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/Constants.h" #include #include #include "../../../common/init.cpp" using namespace std; using namespace libfwbuilder; int main(int argc, char **argv) { QApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); init(argv); Resources res(Constants::getResourcesFilePath()); CppUnit::TextUi::TestRunner runner; runner.addTest( GeneratedScriptTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsIpfw/test1.fwb000066400000000000000000003026721303637203600252520ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED 
established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsLinux/000077500000000000000000000000001303637203600236725ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsLinux/generatedScriptTestsLinux.cpp000066400000000000000000000556061303637203600316000ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "generatedScriptTestsLinux.h" #include "CompilerDriver_ipt.h" #include "Configlet.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWException.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Constants.h" #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string&) const { cout << "Data file has been created in the old version of Firewall Builder. Use fwbuilder GUI to convert it." 
<< std::endl; return false; } }; void GeneratedScriptTest::setUp() { // register protocols we need IPService::addNamedProtocol(51, "ah"); IPService::addNamedProtocol(112, "vrrp"); Configlet::setDebugging(true); } void GeneratedScriptTest::tearDown() { } void GeneratedScriptTest::loadDataFile(const string &file_name) { try { /* load the data file */ UpgradePredicate upgrade_predicate; objdb->setReadOnly( false ); objdb->load(file_name, &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(file_name); objdb->reIndex(); } catch (FWException &ex) { qDebug() << ex.toString().c_str(); } } void GeneratedScriptTest::runCompiler(const std::string &test_file, const std::string &firewall_object_name, const std::string &generate_file_name) { loadDataFile(test_file); QStringList args; args << firewall_object_name.c_str(); CompilerDriver_ipt driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipt initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file test1.fw QFileInfo fi(generate_file_name.c_str()); CPPUNIT_ASSERT_MESSAGE("Generated file " + generate_file_name + " not found", fi.exists() == true); } // I can check only certain parts of the top comment. 
Can't // compare against "golden" file because some parts of the comment // are variable, such as date, version and build number void GeneratedScriptTest::ManifestTest() { objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test1", "test1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "test1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * test1.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: * test2.fw") == -1); delete objdb; objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test3", "test3.fw"); res = Configlet::findConfigletInFile("top_comment", "test3.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * test3.fw firewall.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: * test1.fw") == -1); delete objdb; objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test4", "test4.fw"); res = Configlet::findConfigletInFile("top_comment", "test4.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * test4.fw /etc/init.d/firewall.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: * test4.fw firewall.fw") == -1); CPPUNIT_ASSERT(res.indexOf("# files: * test1.fw") == -1); delete objdb; } void GeneratedScriptTest::FwCommentTest() { objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test1", "test1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "test1.fw"); // find string from the firewall object comment and compare CPPUNIT_ASSERT(res.indexOf("# Firewall object test1 comment") != -1); delete objdb; } void GeneratedScriptTest::CheckUtilitiesTest() { QStringList utils; QStringList test1_utils; test1_utils << "find_program which"; test1_utils << "find_program $IPTABLES"; test1_utils << "find_program $MODPROBE"; test1_utils << "find_program $IP"; QStringList test2_utils; test2_utils << "find_program which"; test2_utils << "find_program $IPTABLES"; test2_utils << "find_program $IPTABLES_RESTORE"; test2_utils << "find_program $MODPROBE"; test2_utils << 
"find_program $IP"; objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test1", "test1.fw"); QString res = Configlet::findConfigletInFile("check_utilities", "test1.fw"); foreach(QString line, res.split("\n")) { if (line.indexOf("find_program ")!=-1) { utils.push_back(line.trimmed()); } } CPPUNIT_ASSERT(utils == test1_utils); delete objdb; utils.clear(); objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test2", "test2.fw"); res = Configlet::findConfigletInFile("check_utilities", "test2.fw"); foreach(QString line, res.split("\n")) { if (line.indexOf("find_program ")!=-1) { utils.push_back(line.trimmed()); } } CPPUNIT_ASSERT(utils == test2_utils); delete objdb; } void GeneratedScriptTest::verifyInterfacesTest() { objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test1", "test1.fw"); QString res = Configlet::findConfigletInFile("verify_interfaces", "test1.fw"); CPPUNIT_ASSERT(res.indexOf("for i in eth0 eth1 lo eth2 ; do") != -1); delete objdb; objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test4", "test4.fw"); res = Configlet::findConfigletInFile("verify_interfaces", "test4.fw"); CPPUNIT_ASSERT(res.indexOf("for i in eth0 eth1 lo eth2 eth1.200 vlan110 vlan111 ; do") != -1); delete objdb; } void GeneratedScriptTest::configureInterfacesTest() { QStringList sample; sample << "update_addresses_of_interface \"eth0 192.0.2.1/24\" \"\""; sample << "update_addresses_of_interface \"lo 127.0.0.1/8\" \"\""; sample << "update_addresses_of_interface \"eth1.200 fe80::20c:29ff:fed2:cca1/64 192.168.1.1/24\" \"\""; sample << "update_addresses_of_interface \"vlan110 192.168.2.1/24\" \"\""; sample << "update_addresses_of_interface \"vlan111 192.168.3.1/24\" \"\""; objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test4", "test4.fw"); // unfortunately function configure_interfaces is not generated by its // own configlet QString res = Configlet::findConfigletInFile("script_skeleton", "test4.fw"); int n1 = res.indexOf("configure_interfaces() {"); 
CPPUNIT_ASSERT_MESSAGE("Shell function configure_interfaces is missing", n1 != -1); int n2 = res.indexOf("}", n1); res = res.mid(n1, n2-n1); QStringList intf_list; foreach(QString line, res.split("\n")) { if (line.indexOf("update_addresses_of_interface ")!=-1) { intf_list.push_back(line.trimmed()); } } sample.sort(); intf_list.sort(); CPPUNIT_ASSERT(sample == intf_list); delete objdb; } void GeneratedScriptTest::configureInterfacesClusterTest() { QStringList sample_2; sample_2 << "update_addresses_of_interface \"eth0 192.0.2.1/24\" \"192.0.2.100/24 192.0.2.101/24\""; sample_2 << "update_addresses_of_interface \"eth1 192.168.1.1/24\" \"192.168.1.100/24\""; sample_2 << "update_addresses_of_interface \"lo 127.0.0.1/8\" \"\""; sample_2 << "update_addresses_of_interface \"eth2 192.168.2.1/24\" \"192.168.2.100/24\""; QStringList sample_3; sample_3 << "update_addresses_of_interface \"eth0 192.0.2.2/24\" \"192.0.2.100/24 192.0.2.101/24\""; sample_3 << "update_addresses_of_interface \"eth1 192.168.1.2/24\" \"192.168.1.100/24\""; sample_3 << "update_addresses_of_interface \"lo 127.0.0.1/8\" \"\""; sample_3 << "update_addresses_of_interface \"eth2 192.168.2.2/24\" \"192.168.2.100/24\""; sample_2.sort(); sample_3.sort(); objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "cluster-2-3", "test2.fw"); // unfortunately function configure_interfaces is not generated by its // own configlet QString res = Configlet::findConfigletInFile("script_skeleton", "test2.fw"); int n1 = res.indexOf("configure_interfaces() {"); CPPUNIT_ASSERT_MESSAGE("Shell function configure_interfaces is missing", n1 != -1); int n2 = res.indexOf("}", n1); res = res.mid(n1, n2-n1); QStringList intf_list; foreach(QString line, res.split("\n")) { if (line.indexOf("update_addresses_of_interface ")!=-1) { intf_list.push_back(line.trimmed()); } } intf_list.sort(); CPPUNIT_ASSERT(sample_2 == intf_list); intf_list.clear(); res = Configlet::findConfigletInFile("script_skeleton", "test3.fw"); n1 = 
res.indexOf("configure_interfaces() {"); CPPUNIT_ASSERT_MESSAGE("Shell function configure_interfaces is missing", n1 != -1); n2 = res.indexOf("}", n1); res = res.mid(n1, n2-n1); foreach(QString line, res.split("\n")) { if (line.indexOf("update_addresses_of_interface ")!=-1) { intf_list.push_back(line.trimmed()); } } intf_list.sort(); CPPUNIT_ASSERT(sample_3 == intf_list); delete objdb; } void GeneratedScriptTest::virtualAddressesForNat1Test() { QStringList sample_1; sample_1 << "update_addresses_of_interface \"eth0 192.0.2.1/24 192.0.2.100/24 192.0.2.101/24\" \"\""; sample_1 << "update_addresses_of_interface \"lo 127.0.0.1/8\" \"\""; objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test5", "test5.fw"); // unfortunately function configure_interfaces is not generated by its // own configlet QString res = Configlet::findConfigletInFile("script_skeleton", "test5.fw"); int n1 = res.indexOf("configure_interfaces() {"); CPPUNIT_ASSERT_MESSAGE("Shell function configure_interfaces is missing", n1 != -1); int n2 = res.indexOf("}", n1); res = res.mid(n1, n2-n1); QStringList intf_list; foreach(QString line, res.split("\n")) { if (line.indexOf("update_addresses_of_interface ")!=-1) { intf_list.push_back(line.trimmed()); } } intf_list.sort(); CPPUNIT_ASSERT(sample_1 == intf_list); delete objdb; } void GeneratedScriptTest::virtualAddressesForNat2Test() { QStringList sample_1; sample_1 << "update_addresses_of_interface \"eth0 192.0.2.100/24 192.0.2.101/24\" \"192.0.2.1/24\""; objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test6", "test6.fw"); // unfortunately function configure_interfaces is not generated by its // own configlet QString res = Configlet::findConfigletInFile("script_skeleton", "test6.fw"); int n1 = res.indexOf("configure_interfaces() {"); CPPUNIT_ASSERT_MESSAGE("Shell function configure_interfaces is missing", n1 != -1); int n2 = res.indexOf("}", n1); res = res.mid(n1, n2-n1); QStringList intf_list; foreach(QString line, res.split("\n")) { if 
(line.indexOf("update_addresses_of_interface ")!=-1) { intf_list.push_back(line.trimmed()); } } intf_list.sort(); CPPUNIT_ASSERT(sample_1 == intf_list); delete objdb; } /* * negative test first. test6 does not use ipset module and the configlet should * only insert blank function check_run_time_address_table_files() */ void GeneratedScriptTest::runTimeAddressTablesWithIpSet1Test() { objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test6", "test6.fw"); QString res = Configlet::findConfigletInFile("run_time_address_tables", "test6.fw"); CPPUNIT_ASSERT(!res.isEmpty()); int n1 = res.indexOf("load_run_time_address_table_files() {"); CPPUNIT_ASSERT(n1 == -1); n1 = res.indexOf("check_run_time_address_table_files() {"); CPPUNIT_ASSERT(n1 != -1); delete objdb; } void GeneratedScriptTest::runTimeAddressTablesWithIpSet2Test() { QStringList sample_1; sample_1 << "reload_address_table \"bad_guys\" \"/etc/fw/bad_guys.dat\""; sample_1 << "reload_address_table \"bad_guys_2\" \"/etc/fw/bad_guys.dat\""; QStringList sample_2; sample_2 << "check_file \"bad_guys\" \"/etc/fw/bad_guys.dat\""; sample_2 << "check_file \"bad_guys_2\" \"/etc/fw/bad_guys.dat\""; objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "test7", "test7.fw"); QString res = Configlet::findConfigletInFile("run_time_address_tables", "test7.fw"); int n1 = res.indexOf("load_run_time_address_table_files() {"); CPPUNIT_ASSERT_MESSAGE("Shell function load_run_time_address_table_files is missing", n1 != -1); int n2 = res.indexOf("}", n1); QString conf = res.mid(n1, n2-n1); QStringList cmd_list; foreach(QString line, conf.split("\n")) { if (line.indexOf("reload_address_table ")!=-1) { cmd_list.push_back(line.trimmed()); } } cmd_list.sort(); CPPUNIT_ASSERT(sample_1 == cmd_list); n1 = res.indexOf("check_run_time_address_table_files() {"); CPPUNIT_ASSERT_MESSAGE("Shell function check_run_time_address_table_files is missing", n1 != -1); n2 = res.indexOf("}", n1); conf = res.mid(n1, n2-n1); cmd_list.clear(); 
foreach(QString line, conf.split("\n")) { if (line.indexOf("check_file ")!=-1) { cmd_list.push_back(line.trimmed()); } } cmd_list.sort(); CPPUNIT_ASSERT(sample_2 == cmd_list); delete objdb; } // compiler should place generated script in the directory specified // with -d option void GeneratedScriptTest::minusDTest() { QDir current = QDir::current(); QFile f("/tmp/test1.fw"); f.remove(); objdb = new FWObjectDatabase(); loadDataFile("test1.fwb"); QStringList args; args << "-d" << "/tmp" << "test1"; CompilerDriver_ipt driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipt initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file /tmp/test1.fw QFileInfo fi("/tmp/test1.fw"); CPPUNIT_ASSERT_MESSAGE("Generated file /tmp/test1.fw not found", fi.exists() == true); QString res = Configlet::findConfigletInFile("top_comment", "/tmp/test1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * test1.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: * test2.fw") == -1); delete objdb; QDir::setCurrent(current.path()); } // if -o option is given, it defines the path and name for the // generated script void GeneratedScriptTest::minusOTest1() { QDir current = QDir::current(); objdb = new FWObjectDatabase(); qDebug() << "Data load starts"; loadDataFile("test1.fwb"); qDebug() << "Data loaded"; QString full_output_file_name = QString("%1/test1.fw").arg(current.path()); QStringList args; args << "-o" << full_output_file_name << "test1"; if (QFile::exists(full_output_file_name)) QFile::remove(full_output_file_name); CompilerDriver_ipt driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipt initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file full_output_file_name QFileInfo fi(full_output_file_name); CPPUNIT_ASSERT_MESSAGE("Generated file " + full_output_file_name.toStdString() + " not found", fi.exists() 
== true); QString res = Configlet::findConfigletInFile( "top_comment", full_output_file_name); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * " + full_output_file_name) != -1); CPPUNIT_ASSERT(res.indexOf("# files: * test2.fw") == -1); delete objdb; } // same as the previous but different output file name void GeneratedScriptTest::minusOTest2() { QDir current = QDir::current(); objdb = new FWObjectDatabase(); loadDataFile("test1.fwb"); QString full_output_file_name = QString("%1/foo1.fw").arg(current.path()); QStringList args; args << "-o" << full_output_file_name << "test1"; if (QFile::exists(full_output_file_name)) QFile::remove(full_output_file_name); CompilerDriver_ipt driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipt initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file full_output_file_name QFileInfo fi(full_output_file_name); CPPUNIT_ASSERT_MESSAGE("Generated file " + full_output_file_name.toStdString() + " not found", fi.exists() == true); QString res = Configlet::findConfigletInFile( "top_comment", full_output_file_name); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * " + full_output_file_name) != -1); CPPUNIT_ASSERT(res.indexOf("# files: * test1.fw") == -1); CPPUNIT_ASSERT(res.indexOf("# files: * test2.fw") == -1); delete objdb; } // if both -d and -o are present, -o takes precedence void GeneratedScriptTest::minusDminusOTest() { QDir current = QDir::current(); objdb = new FWObjectDatabase(); loadDataFile("test1.fwb"); QString full_output_file_name = QString("%1/test1.fw").arg(current.path()); if (QFile::exists(full_output_file_name)) QFile::remove(full_output_file_name); QStringList args; args << "-d" << "/tmp" << "-o" << full_output_file_name << "test1"; CompilerDriver_ipt driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipt initialization failed", driver.prepare(args) == true); 
driver.compile(); // compiler should have created file full_output_file_name QFileInfo fi(full_output_file_name); CPPUNIT_ASSERT_MESSAGE("Generated file " + full_output_file_name.toStdString() + " not found", fi.exists() == true); QString res = Configlet::findConfigletInFile( "top_comment", full_output_file_name); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * " + full_output_file_name) != -1); CPPUNIT_ASSERT(res.indexOf("# files: * test2.fw") == -1); delete objdb; QDir::setCurrent(current.path()); } // output file name is set in firewall settins to foo.fw void GeneratedScriptTest::outputFileNameOptionTest1() { QDir current = QDir::current(); objdb = new FWObjectDatabase(); loadDataFile("test1.fwb"); QString full_output_file_name = "foo.fw"; QStringList args; args << "test1-1"; if (QFile::exists(full_output_file_name)) QFile::remove(full_output_file_name); CompilerDriver_ipt driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipt initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file full_output_file_name QFileInfo fi(full_output_file_name); CPPUNIT_ASSERT_MESSAGE("Generated file " + full_output_file_name.toStdString() + " not found", fi.exists() == true); QString res = Configlet::findConfigletInFile( "top_comment", full_output_file_name); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * " + full_output_file_name) != -1); CPPUNIT_ASSERT(res.indexOf("# files: * test1.fw") == -1); CPPUNIT_ASSERT(res.indexOf("# files: * test2.fw") == -1); delete objdb; } // output file name is set in firewall settins to /tmp/foo.fw void GeneratedScriptTest::outputFileNameOptionTest2() { QDir current = QDir::current(); objdb = new FWObjectDatabase(); loadDataFile("test1.fwb"); QString full_output_file_name = "/tmp/foo.fw"; QStringList args; args << "test1-2"; if (QFile::exists(full_output_file_name)) QFile::remove(full_output_file_name); CompilerDriver_ipt 
driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipt initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file full_output_file_name QFileInfo fi(full_output_file_name); CPPUNIT_ASSERT_MESSAGE("Generated file " + full_output_file_name.toStdString() + " not found", fi.exists() == true); QString res = Configlet::findConfigletInFile( "top_comment", full_output_file_name); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * " + full_output_file_name) != -1); CPPUNIT_ASSERT(res.indexOf("# files: * test1.fw") == -1); CPPUNIT_ASSERT(res.indexOf("# files: * test2.fw") == -1); delete objdb; } // output file name is set in firewall settins to foo.fw but is overridden // by -o option to a file name with absolute path void GeneratedScriptTest::outputFileNameOptionTest3() { QDir current = QDir::current(); objdb = new FWObjectDatabase(); loadDataFile("test1.fwb"); QString full_output_file_name = QString("%1/bar.fw").arg(current.path()); if (QFile::exists(full_output_file_name)) QFile::remove(full_output_file_name); QStringList args; args << "-o" << full_output_file_name << "test1-1"; if (QFile::exists(full_output_file_name)) QFile::remove(full_output_file_name); CompilerDriver_ipt driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipt initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file full_output_file_name QFileInfo fi(full_output_file_name); CPPUNIT_ASSERT_MESSAGE("Generated file " + full_output_file_name.toStdString() + " not found", fi.exists() == true); QString res = Configlet::findConfigletInFile( "top_comment", full_output_file_name); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * " + full_output_file_name) != -1); CPPUNIT_ASSERT(res.indexOf("# files: * test1.fw") == -1); CPPUNIT_ASSERT(res.indexOf("# files: * test2.fw") == -1); delete objdb; } 
fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsLinux/generatedScriptTestsLinux.h000066400000000000000000000056201303637203600312340ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef GENERATEDSCRIPTTESTS_LINUX_H #define GENERATEDSCRIPTTESTS_LINUX_H #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Logger.h" #include #include class GeneratedScriptTest : public CppUnit::TestFixture { libfwbuilder::FWObjectDatabase *objdb; void loadDataFile(const std::string &file_name); void runCompiler(const std::string &test_file, const std::string &firewall_object_name, const std::string &generate_file_name); public: void setUp(); void tearDown(); void ManifestTest(); void FwCommentTest(); void CheckUtilitiesTest(); void verifyInterfacesTest(); void configureInterfacesTest(); void configureInterfacesClusterTest(); void virtualAddressesForNat1Test(); void virtualAddressesForNat2Test(); void runTimeAddressTablesWithIpSet1Test(); void runTimeAddressTablesWithIpSet2Test(); void minusDTest(); void minusOTest1(); void minusOTest2(); void minusDminusOTest(); void outputFileNameOptionTest1(); void outputFileNameOptionTest2(); void 
outputFileNameOptionTest3(); CPPUNIT_TEST_SUITE(GeneratedScriptTest); CPPUNIT_TEST(ManifestTest); CPPUNIT_TEST(FwCommentTest); CPPUNIT_TEST(CheckUtilitiesTest); CPPUNIT_TEST(verifyInterfacesTest); CPPUNIT_TEST(configureInterfacesTest); CPPUNIT_TEST(configureInterfacesClusterTest); CPPUNIT_TEST(virtualAddressesForNat1Test); CPPUNIT_TEST(virtualAddressesForNat2Test); CPPUNIT_TEST(runTimeAddressTablesWithIpSet1Test); CPPUNIT_TEST(runTimeAddressTablesWithIpSet2Test); CPPUNIT_TEST(minusDTest); CPPUNIT_TEST(minusOTest1); CPPUNIT_TEST(minusOTest2); CPPUNIT_TEST(minusDminusOTest); CPPUNIT_TEST(outputFileNameOptionTest1); CPPUNIT_TEST(outputFileNameOptionTest2); CPPUNIT_TEST(outputFileNameOptionTest3); CPPUNIT_TEST_SUITE_END(); }; #endif // GENERATEDSCRIPTTESTS_LINUX_H fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsLinux/generatedScriptTestsLinux.pro000066400000000000000000000004411303637203600316010ustar00rootroot00000000000000include(../tests_common.pri) QT += gui network HEADERS = generatedScriptTestsLinux.h SOURCES = main_generatedScriptTestsLinux.cpp \ generatedScriptTestsLinux.cpp TARGET = generatedScriptTestsLinux run_tests.commands = echo "Running tests..." && \ rm -f *.fw && \ ./${TARGET} fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsLinux/main_generatedScriptTestsLinux.cpp000066400000000000000000000034361303637203600325760ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "generatedScriptTestsLinux.h" #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/Constants.h" #include #include #include "../../../common/init.cpp" using namespace std; using namespace libfwbuilder; int main(int argc, char **argv) { QApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); init(argv); Resources res(Constants::getResourcesFilePath()); CppUnit::TextUi::TestRunner runner; runner.addTest( GeneratedScriptTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsLinux/test1.fwb000066400000000000000000004460711303637203600254460ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsPF/000077500000000000000000000000001303637203600231005ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsPF/.gitignore000066400000000000000000000000071303637203600250650ustar00rootroot00000000000000ipf2-1 fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.cpp000066400000000000000000000340531303637203600302050ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General 
Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "generatedScriptTestsPF.h" #include "CompilerDriver_pf.h" #include "Configlet.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/FWException.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Constants.h" #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string&) const { cout << "Data file has been created in the old version of Firewall Builder. Use fwbuilder GUI to convert it." 
<< std::endl; return false; } }; void GeneratedScriptTest::setUp() { Configlet::setDebugging(true); } void GeneratedScriptTest::tearDown() { } void GeneratedScriptTest::loadDataFile(const string &file_name) { /* load the data file */ UpgradePredicate upgrade_predicate; objdb->setReadOnly( false ); objdb->load(file_name, &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(file_name); objdb->reIndex(); } void GeneratedScriptTest::runCompiler(const std::string &test_file, const std::string &firewall_object_name, const std::string &generate_file_name, const std::string &output_file_option) { loadDataFile(test_file); QStringList args; if (!output_file_option.empty()) { args << "-o" << output_file_option.c_str(); } args << firewall_object_name.c_str(); CompilerDriver_pf driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_pf initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file generate_file_name QFileInfo fi(generate_file_name.c_str()); CPPUNIT_ASSERT_MESSAGE("Generated file " + generate_file_name + " not found", fi.exists() == true); } // I can check only certain parts of the top comment. 
Can't // compare against "golden" file because some parts of the comment // are variable, such as date, version and build number void GeneratedScriptTest::ManifestTest_1() { QFile::remove("pf1.fw"); QFile::remove("pf1.conf"); objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf1", "pf1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "pf1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * pf1.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: pf1.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_2() { /* * output script name is set to ipf2-1.fw in the fw object and * conf file name is set to ipf2-1.conf */ QFile::remove("ipf2-1.fw"); QFile::remove("ipf2-1.conf"); objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf2", "ipf2-1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipf2-1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipf2-1.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_3() { /* * output script name is set to "ipf2-1" in the fw object (no .fw * extension) and conf file name is set to ipf2-1.conf */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf2a", "ipf2-1.fw"); QString res = Configlet::findConfigletInFile("top_comment", "ipf2-1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipf2-1.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_4() { /* * Compile pf2 and pf2a adding "-o" option as instDialog * does. 
This oevverides .fw file name but does not override .conf * file name */ objdb = new FWObjectDatabase(); QString option_o = QDir::currentPath() + "/pf2-1.fw"; runCompiler("test1.fwb", "pf2", "pf2-1.fw", option_o.toStdString()); QString res = Configlet::findConfigletInFile("top_comment", "pf2-1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * " + option_o) != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_5() { objdb = new FWObjectDatabase(); QString option_o = QDir::currentPath() + "/pf2-1"; runCompiler("test1.fwb", "pf2a", "pf2-1.fw", option_o.toStdString()); QString res = Configlet::findConfigletInFile("top_comment", "pf2-1.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * ipf2-1.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_6() { /* * remote pf file is configured as /etc/fw/pf3.conf in pf3 */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf3", "pf3.fw"); QString res = Configlet::findConfigletInFile("top_comment", "pf3.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * pf3.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: pf3.conf /etc/fw/pf3.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_7() { /* * remote pf and nat files in pf4 have spaces in the path */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf4", "pf4.fw"); QString res = Configlet::findConfigletInFile("top_comment", "pf4.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * pf4.fw /etc/path\\ with\\ space/pf4.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: pf4.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_8() { /* * generated .fw and .conf files have different base names */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf5", "pf5.fw"); QString res = 
Configlet::findConfigletInFile("top_comment", "pf5.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * pf5.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: pf5.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_9() { /* * generated .fw and .conf files have different base names */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf6", "/tmp/pf6.fw"); QString res = Configlet::findConfigletInFile("top_comment", "/tmp/pf6.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * /tmp/pf6.fw /etc/fw/pf6.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: /tmp/pf6.conf /etc/pf.conf") != -1); delete objdb; } void GeneratedScriptTest::ManifestTest_10() { /* * generated .fw and .conf files have different base names */ objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf7", "tmp/pf7.fw"); QString res = Configlet::findConfigletInFile("top_comment", "tmp/pf7.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * tmp/pf7.fw /etc/fw/pf7.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: tmp/pf.conf /etc/pf.conf") != -1); delete objdb; } /* * pf8 has an achor and compiler generates two .conf files. 
The name * of the second file is derived from the name of the main .conf file * that is is set in fw options */ void GeneratedScriptTest::ManifestTest_11() { /* * generated .fw and .conf files have different base names */ if (QFile::exists("tmp/pf8.fw")) QFile::remove("tmp/pf8.fw"); if (QFile::exists("tmp/pf.conf")) QFile::remove("tmp/pf.conf"); if (QFile::exists("tmp/pf-anchor_1.conf")) QFile::remove("tmp/pf-anchor_1.conf"); objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf8", "tmp/pf8.fw"); QString res = Configlet::findConfigletInFile("top_comment", "tmp/pf8.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * tmp/pf8.fw /etc/fw/pf8.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: tmp/pf.conf /etc/pf.conf") != -1); CPPUNIT_ASSERT(res.indexOf("# files: tmp/pf-anchor_1.conf /etc/pf-anchor_1.conf") != -1); delete objdb; } /* * pf9 has an achor and compiler generates two .conf files. Names for * all generated files are constructed using firewall name and default * algorithm */ void GeneratedScriptTest::ManifestTest_12() { /* * generated .fw and .conf files have different base names */ if (QFile::exists("pf9.fw")) QFile::remove("pf9.fw"); if (QFile::exists("pf9.conf")) QFile::remove("pf9.conf"); if (QFile::exists("pf9-anchor_1.conf")) QFile::remove("pf9-anchor_1.conf"); objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf9", "pf9.fw"); QString res = Configlet::findConfigletInFile("top_comment", "pf9.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * pf9.fw /etc/pf9.fw") != -1); CPPUNIT_ASSERT(res.indexOf("# files: pf9.conf /etc/pf9.conf") != -1); CPPUNIT_ASSERT(res.indexOf("# files: pf9-anchor_1.conf /etc/pf9-anchor_1.conf") != -1); delete objdb; } // ************************************************************************ void GeneratedScriptTest::FwCommentTest() { objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "pf1", "pf1.fw"); QString res = Configlet::findConfigletInFile("top_comment", 
"pf1.fw"); // find string from the firewall object comment and compare CPPUNIT_ASSERT(res.indexOf("# Firewall object test1 comment") != -1); delete objdb; } // ************************************************************************ // // $PFCTL \ // -f \ // ${FWDIR}/pf1.conf || exit 1 void GeneratedScriptTest::ActivationCommandsTest_1() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "pf1.fw") .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/pf1.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_2() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw") .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/ipf2-1.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_3() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw") .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/ipf2-1.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_4() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "pf2-1.fw") .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/ipf2-1.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_6() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "pf3.fw") .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/fw/pf3.conf") != -1); delete objdb; } /* * object pf4 defines remote name for the .fw file but does not define * remote name for the .conf file. 
The latter is determined by * default, by combining local file name with directory defined in * firewall_dir option (in the tab "Installer") */ void GeneratedScriptTest::ActivationCommandsTest_7() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "pf4.fw") .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/pf4.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_8() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "pf5.fw") .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/pf5.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_9() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "/tmp/pf6.fw") .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/pf.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_10() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "tmp/pf7.fw") .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/pf.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_11() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "tmp/pf8.fw", 1) .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/pf.conf") != -1); delete objdb; } void GeneratedScriptTest::ActivationCommandsTest_12() { objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "pf9.fw", 1) .split(QRegExp("\\s+")).join(" "); CPPUNIT_ASSERT(res.indexOf("$PFCTL -f /etc/pf9.conf") != -1); delete objdb; } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.h000066400000000000000000000071041303637203600276470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: 
Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef GENERATEDSCRIPTTESTS_IPFILTER_H #define GENERATEDSCRIPTTESTS_IPFILTER_H #include "fwbuilder/Resources.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWException.h" #include "fwbuilder/Logger.h" #include #include class GeneratedScriptTest : public CppUnit::TestFixture { libfwbuilder::FWObjectDatabase *objdb; void loadDataFile(const std::string &file_name); void runCompiler(const std::string &test_file, const std::string &firewall_object_name, const std::string &generate_file_name, const std::string &output_file_option=""); public: void setUp(); void tearDown(); void ManifestTest_1(); void ManifestTest_2(); void ManifestTest_3(); void ManifestTest_4(); void ManifestTest_5(); void ManifestTest_6(); void ManifestTest_7(); void ManifestTest_8(); void ManifestTest_9(); void ManifestTest_10(); void ManifestTest_11(); void ManifestTest_12(); void FwCommentTest(); void ActivationCommandsTest_1(); void ActivationCommandsTest_2(); void ActivationCommandsTest_3(); void ActivationCommandsTest_4(); // void ActivationCommandsTest_5(); void ActivationCommandsTest_6(); void ActivationCommandsTest_7(); void ActivationCommandsTest_8(); void ActivationCommandsTest_9(); void ActivationCommandsTest_10(); void ActivationCommandsTest_11(); 
void ActivationCommandsTest_12(); CPPUNIT_TEST_SUITE(GeneratedScriptTest); // The order of tests matters because activation commands tests use // files produced in manifest tests CPPUNIT_TEST(ManifestTest_1); CPPUNIT_TEST(ActivationCommandsTest_1); CPPUNIT_TEST(ManifestTest_2); CPPUNIT_TEST(ActivationCommandsTest_2); CPPUNIT_TEST(ManifestTest_3); CPPUNIT_TEST(ActivationCommandsTest_3); CPPUNIT_TEST(ManifestTest_4); CPPUNIT_TEST(ActivationCommandsTest_4); // CPPUNIT_TEST(ManifestTest_5); // CPPUNIT_TEST(ActivationCommandsTest_5); CPPUNIT_TEST(ManifestTest_6); CPPUNIT_TEST(ActivationCommandsTest_6); CPPUNIT_TEST(ManifestTest_7); CPPUNIT_TEST(ActivationCommandsTest_7); CPPUNIT_TEST(ManifestTest_8); CPPUNIT_TEST(ActivationCommandsTest_8); CPPUNIT_TEST(ManifestTest_9); CPPUNIT_TEST(ActivationCommandsTest_9); CPPUNIT_TEST(ManifestTest_10); CPPUNIT_TEST(ActivationCommandsTest_10); CPPUNIT_TEST(ManifestTest_11); CPPUNIT_TEST(ActivationCommandsTest_11); CPPUNIT_TEST(ManifestTest_12); CPPUNIT_TEST(ActivationCommandsTest_12); CPPUNIT_TEST(FwCommentTest); CPPUNIT_TEST_SUITE_END(); }; #endif // GENERATEDSCRIPTTESTS_IPFILTER_H fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.pro000066400000000000000000000005671303637203600302260ustar00rootroot00000000000000include(../tests_common.pri) QT += gui network HEADERS = generatedScriptTestsPF.h SOURCES = main_generatedScriptTestsPF.cpp \ generatedScriptTestsPF.cpp TARGET = generatedScriptTestsPF run_tests.commands = echo "Running tests..." && \ rm -f *.fw *.conf tmp/*.fw tmp/*.conf && \ mkdir -p tmp && \ ./${TARGET} && \ echo "OK" || { echo "FAILED"; exit 1; } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsPF/main_generatedScriptTestsPF.cpp000066400000000000000000000034331303637203600312070ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "../../config.h" #include "generatedScriptTestsPF.h" #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/Constants.h" #include #include #include "../../../common/init.cpp" using namespace std; using namespace libfwbuilder; int main(int argc, char **argv) { QApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); init(argv); Resources res(Constants::getResourcesFilePath()); CppUnit::TextUi::TestRunner runner; runner.addTest( GeneratedScriptTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsPF/test1.fwb000066400000000000000000004746351303637203600246630ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk 
fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsSecuwall/000077500000000000000000000000001303637203600243525ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsSecuwall/generatedScriptTestsSecuwall.cpp000066400000000000000000000105731303637203600327320ustar00rootroot00000000000000/* * generatedScriptTestsSecuwall.h - secuwall unit tests * * Copyright (c) 2010 secunet Security Networks AG * Copyright (c) 2010 Adrian-Ken Rueegsegger * Copyright (c) 2010 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #include "../../config.h" #include "generatedScriptTestsSecuwall.h" #include "CompilerDriver_ipt.h" #include "Configlet.h" #include "fwbuilder/IPService.h" #include "fwbuilder/Constants.h" #include #include #include using namespace std; using namespace libfwbuilder; using namespace fwcompiler; class UpgradePredicate: public XMLTools::UpgradePredicate { public: virtual bool operator()(const string&) const { cout << "Data file has been created in the old version of Firewall Builder. Use fwbuilder GUI to convert it." 
<< std::endl; return false; } }; void GeneratedScriptTest::setUp() { // register protocols we need IPService::addNamedProtocol(51, "ah"); IPService::addNamedProtocol(112, "vrrp"); Configlet::setDebugging(true); } void GeneratedScriptTest::tearDown() { } void GeneratedScriptTest::loadDataFile(const string &file_name) { /* load the data file */ UpgradePredicate upgrade_predicate; objdb->setReadOnly( false ); objdb->load(file_name, &upgrade_predicate, Constants::getDTDDirectory()); objdb->setFileName(file_name); objdb->reIndex(); } void GeneratedScriptTest::runCompiler(const std::string &test_file, const std::string &firewall_object_name, const std::string &generate_file_name) { loadDataFile(test_file); QStringList args; args << firewall_object_name.c_str(); CompilerDriver_ipt driver(objdb); driver.setEmbeddedMode(); CPPUNIT_ASSERT_MESSAGE("CompilerDriver_ipt initialization failed", driver.prepare(args) == true); driver.compile(); // compiler should have created file secuwall-1.fw and test1 directory with // secuwall-specific configuration files. 
QFileInfo fi(generate_file_name.c_str()); CPPUNIT_ASSERT_MESSAGE("Generated file " + generate_file_name + " not found", fi.exists() == true); } void GeneratedScriptTest::assertDirsEqual(const std::string &left_dir, const std::string &right_dir) { QStringList leftList, rightList; QDirIterator leftIt(QString (left_dir.c_str()), QDir::Files, QDirIterator::Subdirectories); QDirIterator rightIt(QString (right_dir.c_str()), QDir::Files, QDirIterator::Subdirectories); while (leftIt.hasNext() && rightIt.hasNext()) { leftList += leftIt.next(); rightList += rightIt.next(); } if (leftIt.hasNext()) { CPPUNIT_FAIL("Directory " + left_dir + " contains more files than " + right_dir); } if (rightIt.hasNext()) { CPPUNIT_FAIL("Directory " + right_dir + " contains more files than " + left_dir); } leftList.sort(); rightList.sort(); QList::const_iterator i, j; for (i = leftList.constBegin(), j = rightList.constBegin(); i != leftList.constEnd(); ++i, ++j) { assertFilesEqual(QString(*i).toStdString(), QString(*j).toStdString()); } } void GeneratedScriptTest::assertFilesEqual(const std::string &left_filename, const std::string &right_filename) { bool result = false; QFile leftFile(left_filename.c_str()); QFile rightFile(right_filename.c_str()); if (leftFile.open(QFile::ReadOnly) && rightFile.open(QFile::ReadOnly)) { result = leftFile.readAll() == rightFile.readAll(); leftFile.close(); rightFile.close(); } CPPUNIT_ASSERT_MESSAGE("Files " + left_filename + " and " + right_filename + " differ", result); } void GeneratedScriptTest::FilesGenerationTest() { const string fwname ("secuwall-1"); objdb = new FWObjectDatabase(); runCompiler("test1.fwb", "secuwall_cluster_1", "secuwall-1.fw"); delete objdb; assertDirsEqual("ref.secuwall-1", "secuwall-1"); } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsSecuwall/generatedScriptTestsSecuwall.h000066400000000000000000000027261303637203600324000ustar00rootroot00000000000000/* * generatedScriptTestsSecuwall.h - secuwall unit tests * * Copyright (c) 
2010 secunet Security Networks AG * Copyright (c) 2010 Adrian-Ken Rueegsegger * Copyright (c) 2010 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #ifndef GENERATEDSCRIPTTESTS_SECUWALL_H #define GENERATEDSCRIPTTESTS_SECUWALL_H #include #include "fwbuilder/FWObjectDatabase.h" class GeneratedScriptTest : public CppUnit::TestFixture { libfwbuilder::FWObjectDatabase *objdb; void loadDataFile(const std::string &file_name); void runCompiler(const std::string &test_file, const std::string &firewall_object_name, const std::string &generate_file_name); void assertDirsEqual(const std::string &left_dir, const std::string &right_dir); void assertFilesEqual(const std::string &left_filename, const std::string &right_filename); public: void setUp(); void tearDown(); void FilesGenerationTest(); CPPUNIT_TEST_SUITE(GeneratedScriptTest); CPPUNIT_TEST(FilesGenerationTest); CPPUNIT_TEST_SUITE_END(); }; #endif // GENERATEDSCRIPTTESTS_SECUWALL_H fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsSecuwall/generatedScriptTestsSecuwall.pro000066400000000000000000000011641303637203600327440ustar00rootroot00000000000000include(../tests_common.pri) QT += gui network HEADERS = generatedScriptTestsSecuwall.h SOURCES = main_generatedScriptTestsSecuwall.cpp \ generatedScriptTestsSecuwall.cpp TARGET = generatedScriptTestsSecuwall run_tests.commands = echo "Running tests..." 
&& \ ./${TARGET} && \ echo "OK" || { echo "FAILED"; exit 1; } build_tests.commands = @tar -zxf ./ref.secuwall-1.tar.gz clean_tests.commands = @rm -rf ./secuwall-* && \ rm -rf ./ref.secuwall-1 && \ rm -f ${TARGET} run_tests.depends = build_tests build_tests.depends = all clean_tests.depends = all QMAKE_EXTRA_TARGETS += run_tests build_tests clean_tests fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsSecuwall/main_generatedScriptTestsSecuwall.cpp000066400000000000000000000027271303637203600337400ustar00rootroot00000000000000/* * generatedScriptTestsSecuwall.h - secuwall unit test runner * * Copyright (c) 2010 secunet Security Networks AG * Copyright (c) 2010 Adrian-Ken Rueegsegger * Copyright (c) 2010 Reto Buerki * * This work is dual-licensed under: * * o The terms of the GNU General Public License as published by the Free * Software Foundation, either version 2 of the License, or (at your option) * any later version. * * o The terms of NetCitadel End User License Agreement */ #include "../../config.h" #include "generatedScriptTestsSecuwall.h" #include #include #include "fwbuilder/Resources.h" #include "fwbuilder/Constants.h" #include #include #include "../../../common/init.cpp" using namespace std; using namespace libfwbuilder; int main(int argc, char **argv) { QApplication app(argc, argv, false); // compilers always write file names into manifest in Utf8 QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8")); QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8")); init(argv); Resources res(Constants::getResourcesFilePath()); CppUnit::TextUi::TestRunner runner; runner.addTest( GeneratedScriptTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); } fwbuilder-5.3.7/src/unit_tests/generatedScriptTestsSecuwall/ref.secuwall-1.tar.gz000066400000000000000000000016611303637203600302350ustar00rootroot00000000000000&K[s0}_u۝u N: Y'Ԗv<_#'_rk?!$bPWty񺠂#MWTVR*.wabb02d;ެ/ʅ?dl>a-ž6 c]è"n9N? 
}/a+OeqLH established established -m state --state ESTABLISHED,RELATED established established -m state --state ESTABLISHED,RELATED -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/genericDialogTest/000077500000000000000000000000001303637203600221005ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/genericDialogTest/genericDialogTest.cpp000066400000000000000000000341511303637203600262040ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: genericDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "genericDialogTest.h" #include "../../../../config.h" //#include "../../global.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "FWWindow.h" #include "ProjectPanel.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "ObjectEditor.h" #include "FWObjectClipboard.h" #include "TextEditWidget.h" #include "fwbuilder/Address.h" #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "fwbuilder/FWObjectDatabase.h" #include "FirewallDialog.h" #include "StartTipDialog.h" #include "fwbuilder/FWObjectDatabase.h" #include "fwbuilder/Interface.h" #include "genericDialogTest.h" #include "fwbuilder/IPService.h" #include "DialogFactory.h" #include "FWCmdChange.h" #include "RuleOptionsDialog.h" #include "fwbuilder/Rule.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Routing.h" #include "fwbuilder/NAT.h" #include "RoutingRuleOptionsDialog.h" #include "platforms.h" #include "NATRuleOptionsDialog.h" using namespace std; using namespace libfwbuilder; void genericDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->startupLoad(); mw->resize(1200, 600); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); om = dynamic_cast(mw->getCurrentObjectTree()->parent()->parent()); init_platforms(); QTest::qWait(1000); } QList genericDialogTest::scanDialog(QWidget *dialog) { QList result; foreach(QLineEdit *item, dialog->findChildren()) result.append(dynamic_cast(item)); foreach(QCheckBox *item, dialog->findChildren()) result.append(dynamic_cast(item)); foreach(QComboBox *item, dialog->findChildren()) result.append(dynamic_cast(item)); foreach(QRadioButton *item, dialog->findChildren()) result.append(dynamic_cast(item)); 
foreach(QTextEdit *item, dialog->findChildren()) result.append(dynamic_cast(item)); foreach(TextEditWidget *item, dialog->findChildren()) result.append(dynamic_cast(item)); foreach(QSpinBox *item, dialog->findChildren()) result.append(dynamic_cast(item)); return result; } // Activates tab which contains widget void genericDialogTest::activateTab(QWidget *widget) { QWidget *current = widget; while (current->parent() != NULL) { if (dynamic_cast(current->parent()) != NULL) { QTabWidget *tabs = dynamic_cast(current->parent()); for (int i=0; icount(); i++) { if (tabs->widget(i)->findChildren(widget->objectName()).contains(widget)) { tabs->setCurrentIndex(i); break; } } } current = dynamic_cast(current->parent()); } } bool genericDialogTest::testControl(QWidget *control) { if (dynamic_cast(control) != NULL) { QSpinBox *box = dynamic_cast(control); QTest::keyClick(box, Qt::Key_Up); QTest::keyClick(box, Qt::Key_Up); QTest::keyClick(box, Qt::Key_Enter); QTest::keyClick(box, Qt::Key_Tab); } else if (dynamic_cast(control) != NULL) { QLineEdit *line = dynamic_cast(control); line->clear(); QTest::keyClicks(line, QString("Some text for %1").arg(line->objectName())); //line->setText(QString("Some text for %1").arg(control->objectName())); QTest::keyClick(line, Qt::Key_Enter); } else if (dynamic_cast(control) != NULL) { QCheckBox *box = dynamic_cast(control); QTest::mouseClick(box, Qt::LeftButton, Qt::NoModifier, QPoint(5, 5)); } else if (dynamic_cast(control) != NULL) { QRadioButton *box = dynamic_cast(control); // if it is not checked, jut clicking it if (!box->isChecked()) QTest::mouseClick(box, Qt::LeftButton, Qt::NoModifier, QPoint(5, 5)); else { QList buttons; if (box->group() == NULL) { foreach(QRadioButton *button, box->parent()->findChildren()) { if (button->group() == NULL) buttons.append(button); } if (buttons.isEmpty()) { qDebug() << "Can not test QRadioButton" << box << "that is not in group and has no buttons nearby."; return false; } } else { buttons = 
box->group()->buttons(); } if (buttons.count() < 2) { qDebug() << "Can not test QRadioButton" << box << " that is only one button in group."; return false; } // looking for first radio button in same group that is not checked and clicking it foreach(QAbstractButton *button, buttons) { if (button->isChecked() == false && button != box) { QTest::mouseClick(button, Qt::LeftButton, Qt::NoModifier, QPoint(5, 5)); return true; } } } } else if (dynamic_cast(control) != NULL) { QComboBox *box = dynamic_cast(control); if (box->count() < 2) { for (int i=0; icount(); i++) qDebug() << box->itemText(i); qDebug() << "Can not change value of QComboBox" << box << "which has less than two items."; return false; } box->setCurrentIndex((box->currentIndex() + 1) % box->count()); } else if (dynamic_cast(control) != NULL) { QTextEdit *edit = dynamic_cast(control); QTest::mouseClick(edit, Qt::LeftButton, Qt::NoModifier); QTest::keyClicks(edit, "Some test input for " + edit->objectName()); QTest::mouseClick(edit, Qt::LeftButton, Qt::NoModifier); QTest::keyClick(edit, Qt::Key_Tab); } else return false; return true; } void genericDialogTest::testDialog(QWidget *dialog, FWObject *object) { qDebug() << "testing dialog" << dialog; QList widgets = scanDialog(dialog); qDebug() << "it contains" << widgets.size() << "controls"; QList tabs = dialog->findChildren(); FWObject *old = mw->db()->create(object->getTypeName()); for (int i=0; iduplicate(object); QWidget *widget = widgets.at(i); // Skipping QSpinBox (which inherits QLineEdit) with QLineEdit type // there should be another one with right type in list if (widget->objectName() == "qt_spinbox_lineedit") continue; if (dynamic_cast(dialog) != NULL) dynamic_cast(dialog)->open(); activateTab(widget); if (!widget->isVisible() || !widget->isEnabled()) continue; if (!testControl(widget)) { #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QWARN(QString("Dont know how to test widget %1. 
It might be unknown class, empty QComboBox or QRadioButton with not other QRadio button in group.") .arg(widgets.at(i)->objectName()).toAscii().data()); #else QWARN(QString("Dont know how to test widget %1. It might be unknown class, empty QComboBox or QRadioButton with not other QRadio button in group.") .arg(widgets.at(i)->objectName()).toLatin1().data()); #endif continue; } if (dynamic_cast(dialog) != NULL) dynamic_cast(dialog)->accept(); else { QMetaObject::invokeMethod(dialog, "changed"); QMetaObject::invokeMethod(dialog, "applyChanges"); } #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QVERIFY2(!old->cmp(object, true), QString("Widget %1 does not affect object").arg(widget->objectName()).toAscii().data()); #else QVERIFY2(!old->cmp(object, true), QString("Widget %1 does not affect object").arg(widget->objectName()).toLatin1().data()); #endif } } void genericDialogTest::testFirewallSettingsDialog_iptables() { Firewall *firewall = Firewall::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), Firewall::TYPENAME), Firewall::TYPENAME, "TestFirewall")); firewall->setStr("platform", "iptables"); firewall->setStr("host_OS", "linux24"); QDialog *dialog = dynamic_cast(DialogFactory::createFWDialog(mw, firewall)); testDialog(dialog, firewall); } void genericDialogTest::testHostOSSettingsDialog_linux24() { Firewall *firewall = Firewall::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), Firewall::TYPENAME), Firewall::TYPENAME, "TestFirewall")); firewall->setStr("platform", "iptables"); firewall->setStr("host_OS", "linux24"); QDialog *dialog = dynamic_cast(DialogFactory::createOSDialog(mw, firewall)); testDialog(dialog, firewall); } #if 0 // rule options dialog uses stacked widget with only one page visible, // depending on the firewall platform. Some widgets in invisible pages // are not even initialized, also depending on the platform. Need to // devise better test that would take this into account. 
void genericDialogTest::testRuleOptionsDialog() { Firewall *firewall = Firewall::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), Firewall::TYPENAME), Firewall::TYPENAME, "TestFirewall")); QMap platforms = getAllPlatforms(); platforms.remove("unknown"); // dialog does not set options for it foreach(QString platform, platforms.keys()) { qDebug() << "Testing platform:" << platform; firewall->setStr("platform", platform.toStdString()); PolicyRule *rule = PolicyRule::cast(firewall->getPolicy()->createRule()); firewall->getPolicy()->add(rule); QWidget *dialog = dynamic_cast(DialogFactory::createDialog(mw->activeProject(), Rule::TYPENAME)); dynamic_cast(dialog)->attachToProjectWindow(mw->activeProject()); dialog->setVisible(true); dynamic_cast(dialog)->loadFWObject(rule); testDialog(dynamic_cast(dialog), FWObject::cast(rule)); } } void genericDialogTest::testRoutingRuleOptionsDialog() { Firewall *firewall = Firewall::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), Firewall::TYPENAME), Firewall::TYPENAME, "TestFirewall")); /* QMap platforms = getAllPlatforms(); platforms.remove("unknown"); // dialog does not set options for it foreach(QString platform, platforms.keys()) { firewall->setStr("platform", platform.toStdString()); */ // it currently works only with iptables firewall->setStr("platform", "iptables"); RoutingRule *rule = RoutingRule::cast(firewall->getRouting()->createRule()); firewall->getRouting()->add(rule); QWidget *dialog = dynamic_cast(DialogFactory::createDialog(mw->activeProject(), RoutingRule::TYPENAME)); dynamic_cast(dialog)->attachToProjectWindow(mw->activeProject()); dialog->setVisible(true); dynamic_cast(dialog)->loadFWObject(rule); testDialog(dynamic_cast(dialog), FWObject::cast(rule)); } void genericDialogTest::testNATRuleOptionsDialog() { Firewall *firewall = Firewall::cast(om->createObject(FWBTree().getStandardSlotForObject(findUserLibrary(), Firewall::TYPENAME), Firewall::TYPENAME, 
"TestFirewall")); QMap platforms = getAllPlatforms(); platforms.remove("unknown"); // dialog does not set options for it foreach(QString platform, platforms.keys()) { qDebug() << "Testing platform:" << platform; firewall->setStr("platform", platform.toStdString()); NATRule *rule = NATRule::cast(firewall->getNAT()->createRule()); firewall->getNAT()->add(rule); QWidget *dialog = dynamic_cast(DialogFactory::createDialog(mw->activeProject(), NATRule::TYPENAME)); dynamic_cast(dialog)->attachToProjectWindow(mw->activeProject()); dialog->setVisible(true); dynamic_cast(dialog)->loadFWObject(rule); testDialog(dynamic_cast(dialog), FWObject::cast(rule)); } } #endif Library* genericDialogTest::findUserLibrary() { Library *lib = NULL; foreach (FWObject *obj, mw->db()->getByType(Library::TYPENAME)) { if (obj->getName() == "User") { lib = Library::cast(obj); break; } } return lib; } fwbuilder-5.3.7/src/unit_tests/genericDialogTest/genericDialogTest.h000066400000000000000000000033451303637203600256520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: genericDialogTest.h 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef genericDialogTest_H #define genericDialogTest_H #include #include "ObjectManipulator.h" #include "fwbuilder/Library.h" #include "fwbuilder/Cluster.h" class genericDialogTest : public QObject { Q_OBJECT libfwbuilder::Library* findUserLibrary(); ObjectManipulator *om; bool dialog_rejected; QList scanDialog(QWidget*); bool testControl(QWidget* control); void testDialog(QWidget *dialog, libfwbuilder::FWObject *object); void activateTab(QWidget *widget); private slots: void initTestCase(); void testFirewallSettingsDialog_iptables(); /* void testRuleOptionsDialog(); */ /* void testRoutingRuleOptionsDialog(); */ /* void testNATRuleOptionsDialog(); */ void testHostOSSettingsDialog_linux24(); public slots: //void rejectDialog(); }; #endif // genericDialogTest_H fwbuilder-5.3.7/src/unit_tests/genericDialogTest/genericDialogTest.pro000066400000000000000000000002641303637203600262200ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = genericDialogTest SOURCES += main_genericDialogTest.cpp \ genericDialogTest.cpp HEADERS += genericDialogTest.h fwbuilder-5.3.7/src/unit_tests/genericDialogTest/main_genericDialogTest.cpp000066400000000000000000000032771303637203600272150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_IPDialogTest.cpp 2723 2010-03-16 17:32:18Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
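This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include "genericDialogTest.h"
// NOTE(review): two angle-bracket #include targets were lost when this listing
// was extracted (QTest::qExec and QFile are used below); restore them from the
// repository before building.
#include
#include
#include "FWWindow.h"
#include "FWBSettings.h"
#include "FWBApplication.h"

using namespace std;
using namespace libfwbuilder;

int fwbdebug = 0;
FWWindow *mw = NULL;
FWBSettings *st = NULL;
FWBApplication *app = NULL;
int sig = FWB_SIG;

extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st);

/*
 * Entry point of the genericDialogTest binary: builds the application
 * object, runs the QtTest fixture and removes the scratch file
 * "test_work.fwb" the fixture works on.
 *
 * Returns the result of QTest::qExec(), i.e. 0 when every test function
 * passed. The previous version discarded that value, so the process always
 * exited 0 and a CI gate on this binary could never observe a failure.
 */
int main(int argc, char** argv)
{
    app = new FWBApplication(argc, argv);
    app->setOrganizationName(QLatin1String("NetCitadel"));
    app->setApplicationName(QLatin1String("Firewall Builder"));
    build_app(argc, argv, &app, &st);

    genericDialogTest test_case;
    int failed = QTest::qExec(&test_case);

    // Cleanup runs regardless of the outcome so a failed run does not leave
    // the scratch copy behind for the next one.
    if (QFile::exists("test_work.fwb"))
        QFile::remove("test_work.fwb");

    return failed;
}
fwbuilder-5.3.7/src/unit_tests/instDialogClusterTest/000077500000000000000000000000001303637203600230035ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/instDialogClusterTest/instDialogClusterTest.cpp000066400000000000000000000254241303637203600300150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: instDialogClusterTest.cpp 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.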
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ================================ Tests implemented in this module: ticket 1089 Tests for clusters: * when user clicks "install", checkboxes "install" should appear only next to the firewalls and should not appear next to the clusters in the list Ticket 1308: test2: * select cluster "cluster1" in the tree and use context menu to compile it * check that the list has objects "cluster1", "test3" and "test4" * check that the warning message is hidden test3: * regardless of the selection in the tree, simulate clicking on the main toolbar button "Compile" * check that the list includes objects "cluster1", "test3", "test4", "test1", "test2" and the warning message is hidden the focus of these tests is on the warning message. We verify settings of the "Compile" checkboxes in other tests. 
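*/
#include "instDialogClusterTest.h"
#include "unistd.h"
// NOTE(review): seven angle-bracket #include targets were lost when this
// listing was extracted; they are kept in place and must be restored from
// the repository before this file can build.
#include
#include
#include
#include
#include
#include
#include
#include "FWBApplication.h"
#include "FWObjectClipboard.h"
#include "StartTipDialog.h"

using namespace std;
using namespace QTest;
using namespace libfwbuilder;

/*
 * Returns the object tree's context menu widget, or NULL when no widget
 * named "objectTreeContextMenu" exists. Callers used to dereference the
 * result of this lookup without a check.
 */
static QMenu *findObjectTreeContextMenu()
{
    foreach (QWidget *w, QApplication::allWidgets())
    {
        if (w->objectName() == "objectTreeContextMenu")
            return dynamic_cast<QMenu*>(w);
    }
    return NULL;
}

/*
 * Returns the instDialog the application currently has open, or NULL.
 * Like the inline loops it replaces, the last matching widget wins.
 */
static instDialog *findInstDialog()
{
    instDialog *dlg = NULL;
    foreach (QWidget *w, app->allWidgets())
    {
        instDialog *candidate = dynamic_cast<instDialog*>(w);
        if (candidate != NULL) dlg = candidate;
    }
    return dlg;
}

/*
 * Returns the tree item whose column 0 text is exactly `name` (searched
 * recursively), or NULL when there is none. The previous callers called
 * first() on the result of findItems(), which is undefined on an empty list.
 */
static ObjectTreeViewItem *findTreeItem(ObjectTreeView *tree, const QString &name)
{
    QList<QTreeWidgetItem*> matches =
        tree->findItems(name, Qt::MatchExactly | Qt::MatchRecursive, 0);
    if (matches.isEmpty()) return NULL;
    return dynamic_cast<ObjectTreeViewItem*>(matches.first());
}

/*
 * Loads the scratch file "test_work.fwb" (copied from test.fwb by the .pro
 * run_tests target) and opens the "User" library in the object tree.
 */
void instDialogClusterTest::initTestCase()
{
    new FWObjectClipboard();
    mw = new FWWindow();
    mw->show();
    mw->startupLoad();
    QTest::qWait(5000);

    // The start-up tip would otherwise sit on top of the main window.
    StartTipDialog *d = mw->findChild<StartTipDialog*>();
    if (d != NULL) d->close();

    mw->loadFile("test_work.fwb", false);
    QTest::qWait(1000);

    ObjectManipulator *om = mw->activeProject()->findChild<ObjectManipulator*>("om");
    QVERIFY(om != NULL);

    FWObject *user_lib = mw->db()->findObjectByName(Library::TYPENAME, "User");
    QVERIFY(user_lib != NULL);

    om->openLibForObject(user_lib);
    FWObject *cl = om->getCurrentLib();
    QVERIFY(cl != NULL);
    QVERIFY(cl == user_lib);
}

/*
 * Opens the policy rule set of the firewall named `fwname` in the GUI.
 * Fails the test when no firewall of that name exists in the loaded file.
 */
void instDialogClusterTest::openPolicy(QString fwname)
{
    Policy *p = NULL;
    foreach (FWObject *fw, mw->db()->getByTypeDeep(Firewall::TYPENAME))
    {
        if (fw->getName() == fwname.toStdString())
            p = Firewall::cast(fw)->getPolicy();
    }
    QVERIFY(p != NULL);

    QCoreApplication::postEvent(
        mw,
        new openRulesetImmediatelyEvent(mw->activeProject()->getFileName(),
                                        p->getId()));
    QTest::qWait(100);
}

/*
 * Checks the "Compile" checkbox (column 1) of the well-known objects in the
 * dialog's selection table: cluster1 and test2 checked, test1 unchecked.
 * When `items` is not -1 the number of top-level rows must equal it.
 */
void instDialogClusterTest::verifyDialog(instDialog *dlg, int items)
{
    QVERIFY(dlg != NULL);

    QTreeWidget *table = dlg->findChild<QTreeWidget*>("selectTable");
    QVERIFY(table != NULL);
    if (items != -1)
        QVERIFY(table->topLevelItemCount() == items);

    QTreeWidgetItemIterator it(table, QTreeWidgetItemIterator::Enabled);
    while (*it)
    {
        const QString name = (*it)->text(0);
        if (name == "cluster1")
            QVERIFY((*it)->checkState(1) == Qt::Checked);
        if (name == "test1")
            QVERIFY((*it)->checkState(1) == Qt::Unchecked);
        if (name == "test2")
            QVERIFY((*it)->checkState(1) == Qt::Checked);
        ++it;
    }
}

/*
 * Finds a viewport coordinate that hits `item` by probing the tree pixel
 * by pixel. The scan starts at (75, 10) — presumably to skip the expand
 * indicator and icon columns; confirm against the tree's layout. Returns
 * (-1, -1) when the item is not visible in the viewport.
 */
QPoint findItemPos(ObjectTreeViewItem *item, ObjectTreeView *tree)
{
    for (int h = 10; h < tree->height(); h += 1)
    {
        for (int w = 75; w < tree->width(); w += 1)
        {
            if (tree->itemAt(w, h) == item)
                return QPoint(w, h);
        }
    }
    return QPoint(-1, -1);
}

/*
 * Slot fired by the one-shot timer armed in openContextMenu(); it hides the
 * context menu so its nested event loop returns. A missing menu is simply
 * ignored instead of being dereferenced.
 */
void instDialogClusterTest::closeContextMenu()
{
    QMenu *menu = findObjectTreeContextMenu();
    if (menu != NULL) menu->hide();
}

/*
 * Opens the object tree context menu on `item` and triggers the action
 * whose text is `actionText`. The menu's exec() blocks, so the timer armed
 * first closes it after 100 ms. Fails the test when the menu or the action
 * cannot be found (matching the sibling instDialogCompileTest helper).
 */
void instDialogClusterTest::openContextMenu(ObjectManipulator *om,
                                           ObjectTreeViewItem *item,
                                           ObjectTreeView *tree,
                                           const QString &actionText)
{
    QTimer::singleShot(100, this, SLOT(closeContextMenu()));

    QPoint item_pos = findItemPos(item, tree);
    om->contextMenuRequested(item_pos);

    QMenu *menu = findObjectTreeContextMenu();
    QVERIFY(menu != NULL);

    bool found_menu_item = false;
    foreach (QObject *act, menu->children())
    {
        QAction *action = dynamic_cast<QAction*>(act);
        if (action == NULL) continue;
        if (action->text() == actionText)
        {
            action->activate(QAction::Trigger);
            found_menu_item = true;
            break;
        }
    }
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    QVERIFY2(found_menu_item == true,
             QString("Item %1 not found in the context menu").arg(actionText).toAscii().constData());
#else
    QVERIFY2(found_menu_item == true,
             QString("Item %1 not found in the context menu").arg(actionText).toLatin1().constData());
#endif
}

/*
 * Presses the dialog's "cancelButton"; fails the test if it is missing.
 */
static void cancelInstDialog(instDialog *dlg)
{
    QPushButton *cancel = dlg->findChild<QPushButton*>("cancelButton");
    QVERIFY(cancel != NULL);
    cancel->click();
}

/*
 * Compiling the single cluster member "test3" from the tree context menu:
 * the dialog must list only test3 and must show the warning block.
 */
void instDialogClusterTest::page1_8()
{
    ObjectTreeView *tree = mw->getCurrentObjectTree();
    QVERIFY(tree != NULL);

    ObjectTreeViewItem *test3 = findTreeItem(tree, "test3");
    QVERIFY(test3 != NULL);

    tree->selectionModel()->select(
        tree->indexAt(findItemPos(test3, tree)),
        QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent);
    tree->setCurrentItem(test3);

    ObjectManipulator *om = mw->activeProject()->findChild<ObjectManipulator*>("om");
    QVERIFY(om != NULL);
    openContextMenu(om, test3, tree, "Compile");

    instDialog *dlg = findInstDialog();
    QVERIFY(dlg != NULL);

    QTreeWidget *table = dlg->findChild<QTreeWidget*>("selectTable");
    QVERIFY(table != NULL);
    QVERIFY(table->topLevelItemCount() == 1);
    QVERIFY(table->topLevelItem(0)->text(0) == "test3");

    QFrame *warning_space = dlg->findChild<QFrame*>("warning_space");
    QLabel *warning_message_1 = dlg->findChild<QLabel*>("warning_message_1");
    QLabel *warning_message_2 = dlg->findChild<QLabel*>("warning_message_2");
    QVERIFY(warning_space != NULL);
    QVERIFY(warning_message_1 != NULL);
    QVERIFY(warning_message_2 != NULL);
    QVERIFY(warning_space->isVisible());
    QVERIFY(warning_message_1->isVisible());
    QVERIFY(warning_message_2->isVisible());

    QTest::qWait(1000);
    cancelInstDialog(dlg);
    QTest::qWait(1000);
}

/*
 * Compiling "cluster1" from the tree context menu: the dialog must list the
 * cluster with its two members test3 and test4 and hide the warning block
 * (ticket 1308, test2).
 */
void instDialogClusterTest::page1_9()
{
    ObjectTreeView *tree = mw->getCurrentObjectTree();
    QVERIFY(tree != NULL);

    ObjectTreeViewItem *cluster1 = findTreeItem(tree, "cluster1");
    QVERIFY(cluster1 != NULL);

    tree->selectionModel()->select(
        tree->indexAt(findItemPos(cluster1, tree)),
        QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent);
    tree->setCurrentItem(cluster1);

    ObjectManipulator *om = mw->activeProject()->findChild<ObjectManipulator*>("om");
    QVERIFY(om != NULL);
    openContextMenu(om, cluster1, tree, "Compile");

    instDialog *dlg = findInstDialog();
    QVERIFY(dlg != NULL);

    QTreeWidget *table = dlg->findChild<QTreeWidget*>("selectTable");
    QVERIFY(table != NULL);
    QVERIFY(table->topLevelItemCount() == 1);

    QTreeWidgetItem *cluster_row = table->topLevelItem(0);
    QVERIFY(cluster_row->text(0) == "cluster1");
    QVERIFY(cluster_row->childCount() == 2);
    QVERIFY(cluster_row->child(0)->text(0) == "test3");
    QVERIFY(cluster_row->child(1)->text(0) == "test4");

    QFrame *warning_space = dlg->findChild<QFrame*>("warning_space");
    QVERIFY(warning_space != NULL);
    QVERIFY(warning_space->isHidden());

    QTest::qWait(1000);
    cancelInstDialog(dlg);
    QTest::qWait(1000);
}

/*
 * The toolbar "Compile" action, independent of the tree selection: the
 * dialog must list cluster1 (with test3/test4 beneath it), test1 and test2,
 * and hide the warning block (ticket 1308, test3).
 */
void instDialogClusterTest::page1_10()
{
    QAction *compile = mw->findChild<QAction*>("compileAction");
    QVERIFY(compile != NULL);
    compile->activate(QAction::Trigger);
    QTest::qWait(100);

    instDialog *dlg = findInstDialog();
    QVERIFY(dlg != NULL);

    QTreeWidget *table = dlg->findChild<QTreeWidget*>("selectTable");
    QVERIFY(table != NULL);
    QVERIFY(table->topLevelItemCount() == 3);

    QVERIFY(!table->findItems("cluster1", Qt::MatchExactly, 0).isEmpty());
    QVERIFY(!table->findItems("test1", Qt::MatchExactly, 0).isEmpty());
    QVERIFY(!table->findItems("test2", Qt::MatchExactly, 0).isEmpty());
    // The members only exist as children of the cluster row.
    QVERIFY(!table->findItems("test3", Qt::MatchExactly | Qt::MatchRecursive, 0).isEmpty());
    QVERIFY(!table->findItems("test4", Qt::MatchExactly | Qt::MatchRecursive, 0).isEmpty());

    QFrame *warning_space = dlg->findChild<QFrame*>("warning_space");
    QVERIFY(warning_space != NULL);
    QVERIFY(warning_space->isHidden());

    QTest::qWait(1000);
    cancelInstDialog(dlg);
    QTest::qWait(1000);
}

/*
 * The toolbar "Install" action (ticket 1089): the "Install" checkbox
 * (column 2) must be offered for firewalls only, never for the cluster row,
 * while the cluster keeps the "Compile" checkbox (column 1).
 */
void instDialogClusterTest::page1_11()
{
    QAction *install = mw->findChild<QAction*>("installAction");
    QVERIFY(install != NULL);
    install->activate(QAction::Trigger);
    QTest::qWait(100);

    instDialog *dlg = findInstDialog();
    QVERIFY(dlg != NULL);

    QTreeWidget *table = dlg->findChild<QTreeWidget*>("selectTable");
    QVERIFY(table != NULL);
    QVERIFY(table->topLevelItemCount() == 3);

    for (int i = 0; i < table->topLevelItemCount(); i++)
    {
        QTreeWidgetItem *item = table->topLevelItem(i);
        const QString name = item->text(0);

        if (name == "cluster1")
        {
            QVERIFY(item->checkState(2) == Qt::Unchecked);
            QVERIFY(item->checkState(1) == Qt::Checked);
            // Guard the child(0)/child(1) accesses below.
            QVERIFY(item->childCount() == 2);
            QVERIFY(item->child(0)->checkState(1) == Qt::Unchecked);
            QVERIFY(item->child(0)->checkState(2) == Qt::Checked);
            QVERIFY(item->child(1)->checkState(1) == Qt::Unchecked);
            QVERIFY(item->child(1)->checkState(2) == Qt::Checked);
        }
        if (name == "test1")
        {
            QVERIFY(item->checkState(1) == Qt::Unchecked);
            QVERIFY(item->checkState(2) == Qt::Checked);
        }
        if (name == "test2")
        {
            QVERIFY(item->checkState(1) == Qt::Checked);
            QVERIFY(item->checkState(2) == Qt::Checked);
        }
    }

    QTest::qWait(1000);
    dlg->reject();
    QTest::qWait(1000);
}
fwbuilder-5.3.7/src/unit_tests/instDialogClusterTest/instDialogClusterTest.h000066400000000000000000000034201303637203600274520ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: instDialogClusterTest.h 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License.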
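You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
// The guard used to be INSTDIALOGTEST_H, the same macro the sibling
// instDialogCompileTest.h uses; a translation unit including both headers
// would silently drop the second class, so each header gets its own guard.
#ifndef INSTDIALOGCLUSTERTEST_H
#define INSTDIALOGCLUSTERTEST_H

// NOTE(review): one angle-bracket #include target was lost when this listing
// was extracted; restore it from the repository.
#include
#include "newClusterDialog.h"
#include "upgradePredicate.h"
#include "FWBTree.h"
#include "fwbuilder/Library.h"
#include "instDialog.h"
#include "FWWindow.h"
#include "ObjectTreeView.h"
#include "ObjectTreeViewItem.h"
#include "events.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Policy.h"

/*
 * QtTest fixture for the compile/install dialog (instDialog) when clusters
 * are involved; the tickets covered are listed at the top of
 * instDialogClusterTest.cpp.
 */
class instDialogClusterTest : public QObject
{
    Q_OBJECT

    const char *ssh_auth_sock;   // not referenced by the visible .cpp

    // Opens the policy rule set of the named firewall in the GUI.
    void openPolicy(QString fw);
    // Checks the "Compile" checkboxes of cluster1/test1/test2 in the
    // dialog's selection table; `items` = -1 skips the row-count check.
    void verifyDialog(instDialog *dlg, int items = -1);
    // Opens the tree context menu on `item` and triggers `actionText`.
    void openContextMenu(ObjectManipulator *om, ObjectTreeViewItem *item,
                         ObjectTreeView *tree, const QString &actionText);
    void removeFiles();   // declared only; no definition in the visible .cpp

private slots:
    void initTestCase();
    void page1_8();
    void page1_9();
    void page1_10();
    void page1_11();

public slots:
    // Hides the context menu; armed by a one-shot timer in openContextMenu().
    void closeContextMenu();
};

#endif // INSTDIALOGCLUSTERTEST_H
fwbuilder-5.3.7/src/unit_tests/instDialogClusterTest/instDialogClusterTest.pro000066400000000000000000000005161303637203600300260ustar00rootroot00000000000000include(../tests_common.pri)
QT += testlib network gui
TARGET = instDialogClusterTest
SOURCES += main_instDialogClusterTest.cpp \
    instDialogClusterTest.cpp
HEADERS += instDialogClusterTest.h
# The EXIT trap removes the scratch copy on every path while the recipe's
# status stays that of the test binary. The previous form ended with
# "; rm -f test_work.fwb", whose status (always 0) was what make saw, so a
# failing test binary never failed the run_tests target.
run_tests.commands = trap 'rm -f test_work.fwb' EXIT; \
    cp -f test.fwb test_work.fwb && ./${TARGET}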
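fwbuilder-5.3.7/src/unit_tests/instDialogClusterTest/main_instDialogClusterTest.cpp000066400000000000000000000033111303637203600310100ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_instDialogTest.cpp 2707 2010-03-10 18:22:19Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include "instDialogClusterTest.h"
// NOTE(review): two angle-bracket #include targets were lost when this listing
// was extracted (QTest::qExec and QFile are used below); restore them from the
// repository before building.
#include
#include
#include "FWWindow.h"
#include "FWBSettings.h"
#include "FWBApplication.h"

using namespace std;
using namespace libfwbuilder;

int fwbdebug = 0;
FWWindow *mw = NULL;
FWBSettings *st = NULL;
FWBApplication *app = NULL;
int sig = FWB_SIG;

extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st);

/*
 * Entry point of the instDialogClusterTest binary: builds the application
 * object, runs the QtTest fixture and removes the scratch file
 * "test_work.fwb" the fixture works on.
 *
 * Returns the result of QTest::qExec(), i.e. 0 when every test function
 * passed. The previous version discarded that value, so the process always
 * exited 0 and a CI gate on this binary could never observe a failure.
 */
int main(int argc, char** argv)
{
    app = new FWBApplication(argc, argv);
    app->setOrganizationName(QLatin1String("NetCitadel"));
    app->setApplicationName(QLatin1String("Firewall Builder"));
    build_app(argc, argv, &app, &st);

    instDialogClusterTest test_case;
    int failed = QTest::qExec(&test_case);

    // Cleanup runs regardless of the outcome so a failed run does not leave
    // the scratch copy behind for the next one.
    if (QFile::exists("test_work.fwb"))
        QFile::remove("test_work.fwb");

    return failed;
}
fwbuilder-5.3.7/src/unit_tests/instDialogClusterTest/test.fwb000066400000000000000000003506231303637203600244730ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established -m state --state ESTABLISHED,RELATED -m record_rpc -m irc -m psd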
--psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/instDialogCompileTest/000077500000000000000000000000001303637203600227525ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/instDialogCompileTest/instDialogCompileTest.cpp000066400000000000000000000231451303637203600277310ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: instDialogCompileTest.cpp 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ================================ Ticket 1357: before running the test check if files "test1.fw", "test2.fw", "test3.fw", "test4.fw" exist and delete them if they are there. 
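If delete operation fails for any reason, fail the test

  * click on the toolbar button "Compile"
  * click "CompileALL"
  * click "Next"
  * let it run until it is done
  * check that status in the list in the column on the left is "Success"
    for all objects: cluster1, test1 and test2
  * check that it produced files "test1.fw", "test2.fw", "test3.fw", "test4.fw"
  * check that each of these files has non-zero length
*/
#include "instDialogCompileTest.h"
#include "unistd.h"
// NOTE(review): seven angle-bracket #include targets were lost when this
// listing was extracted; they are kept in place and must be restored from
// the repository before this file can build.
#include
#include
#include
#include
#include
#include
#include
#include "FWObjectClipboard.h"
#include "FWBApplication.h"

using namespace std;
using namespace QTest;
using namespace libfwbuilder;

/*
 * Loads the scratch file "test_work.fwb" (copied from test.fwb by the .pro
 * run_tests target) into a fresh main window.
 */
void instDialogCompileTest::initTestCase()
{
    new FWObjectClipboard();
    mw = new FWWindow();
    mw->show();
    mw->loadFile("test_work.fwb", false);
}

/*
 * Returns true once no top-level row of the work list still reports
 * "Compiling ..." or "Installing ..." in its status column (column 1).
 */
bool checkProgress(QTreeWidget *list)
{
    for (int i = 0; i < list->topLevelItemCount(); i++)
    {
        const std::string status = list->topLevelItem(i)->text(1).toStdString();
        if (status == "Compiling ..." || status == "Installing ...")
            return false;
    }
    return true;
}

/*
 * Returns a viewport point just inside the top-left corner of `item`'s
 * visual rectangle, suitable for contextMenuRequested().
 */
QPoint findItemPos(ObjectTreeViewItem *item, ObjectTreeView *tree)
{
    QRect rect = tree->visualItemRect(item);
    return QPoint(rect.x() + 1, rect.y() + 1);
}

/*
 * Returns the object tree's context menu widget, or NULL when no widget
 * named "objectTreeContextMenu" exists.
 */
static QMenu *findObjectTreeContextMenu()
{
    foreach (QWidget *w, QApplication::allWidgets())
    {
        if (w->objectName() == "objectTreeContextMenu")
            return dynamic_cast<QMenu*>(w);
    }
    return NULL;
}

/*
 * Returns the instDialog the application currently has open, or NULL.
 * Like the inline loops it replaces, the last matching widget wins.
 */
static instDialog *findInstDialog()
{
    instDialog *dlg = NULL;
    foreach (QWidget *w, app->allWidgets())
    {
        instDialog *candidate = dynamic_cast<instDialog*>(w);
        if (candidate != NULL) dlg = candidate;
    }
    return dlg;
}

/*
 * Returns the tree item whose column 0 text is exactly `name` (searched
 * recursively), or NULL when there is none. The previous code called
 * first() on the result of findItems(), which is undefined on an empty list.
 */
static ObjectTreeViewItem *findTreeItem(ObjectTreeView *tree, const QString &name)
{
    QList<QTreeWidgetItem*> matches =
        tree->findItems(name, Qt::MatchExactly | Qt::MatchRecursive, 0);
    if (matches.isEmpty()) return NULL;
    return dynamic_cast<ObjectTreeViewItem*>(matches.first());
}

/*
 * Slot fired by the one-shot timer armed in openContextMenu(); it hides the
 * context menu so its nested event loop returns. A missing menu is simply
 * ignored instead of being dereferenced.
 */
void instDialogCompileTest::closeContextMenu()
{
    QMenu *menu = findObjectTreeContextMenu();
    if (menu != NULL) menu->hide();
}

/*
 * This function finds and activates an item with given name in the
 * context menu. If item is absent in the menu or is disabled, it
 * fails the test.
 */
void instDialogCompileTest::openContextMenu(ObjectManipulator *om,
                                           ObjectTreeViewItem *item,
                                           ObjectTreeView *tree,
                                           const QString &actionText)
{
    // The menu's exec() blocks; the timer closes it 100 ms later.
    QTimer::singleShot(100, this, SLOT(closeContextMenu()));
    om->contextMenuRequested(findItemPos(item, tree));

    QMenu *menu = findObjectTreeContextMenu();
    QVERIFY(menu != NULL);

    bool found_menu_item = false;
    foreach (QObject *act, menu->children())
    {
        QAction *action = dynamic_cast<QAction*>(act);
        if (action == NULL) continue;
        if (action->text() == actionText)
        {
            QVERIFY(action->isEnabled() == true);
            action->activate(QAction::Trigger);
            found_menu_item = true;
            break;
        }
    }
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    QVERIFY2(found_menu_item == true,
             QString("Item %1 not found in the context menu").arg(actionText).toAscii().constData());
#else
    QVERIFY2(found_menu_item == true,
             QString("Item %1 not found in the context menu").arg(actionText).toLatin1().constData());
#endif
}

/*
 * Opens "Compile" on `anchor` for the current tree selection, waits one
 * second, checks that the "Select all / none" frame of the resulting
 * instDialog is hidden exactly when `expect_hidden` says so, and rejects
 * the dialog. The dialog and the frame are looked up afresh after every
 * openContextMenu() call; the previous code kept the pointers obtained
 * from the first dialog across reject() and later look-ups, which is only
 * safe if instDialog is never deleted on close.
 */
static void checkSelectFrame(instDialogCompileTest *self,
                             ObjectManipulator *om,
                             ObjectTreeViewItem *anchor,
                             ObjectTreeView *tree,
                             bool expect_hidden)
{
    self->openContextMenu(om, anchor, tree, "Compile");

    instDialog *dlg = findInstDialog();
    QVERIFY(dlg != NULL);
    QFrame *selectFrame = dlg->findChild<QFrame*>("selectAllNoneFrame");
    QVERIFY(selectFrame != NULL);

    QTest::qWait(1000);
    QVERIFY(selectFrame->isHidden() == expect_hidden);
    dlg->reject();
}

/*
 * The "Select all / none" buttons are shown only when more than one object
 * is offered for compilation: hidden for a single firewall, visible for two
 * firewalls, for a cluster, and for a cluster plus a firewall.
 */
void instDialogCompileTest::testSelectButtonsVisibility()
{
    ObjectManipulator *om = mw->activeProject()->findChild<ObjectManipulator*>("om");
    QVERIFY(om != NULL);
    ObjectTreeView *tree = om->getCurrentObjectTree();
    QVERIFY(tree != NULL);
    tree->expandAll();

    ObjectTreeViewItem *test1 = findTreeItem(tree, "test1");
    ObjectTreeViewItem *test2 = findTreeItem(tree, "test2");
    ObjectTreeViewItem *cluster1 = findTreeItem(tree, "cluster1");
    QVERIFY(test1 != NULL);
    QVERIFY(test2 != NULL);
    QVERIFY(cluster1 != NULL);

    // case when compiling only one firewall: buttons should not be visible
    tree->clearSelection();
    tree->scrollToItem(test1);
    test1->setSelected(true);
    tree->setCurrentItem(test1);
    checkSelectFrame(this, om, test1, tree, true);

    // case when compiling more than one firewall: button should be visible
    tree->clearSelection();
    tree->scrollToItem(test1);
    test1->setSelected(true);
    tree->setCurrentItem(test1);
    test2->setSelected(true);
    checkSelectFrame(this, om, test1, tree, false);

    // case when compiling cluster: buttons should be visible
    tree->clearSelection();
    tree->scrollToItem(cluster1);
    cluster1->setSelected(true);
    tree->setCurrentItem(cluster1);
    checkSelectFrame(this, om, cluster1, tree, false);

    // case when compiling one firewall and one cluster: buttons should be visible
    tree->clearSelection();
    tree->scrollToItem(cluster1);
    cluster1->setSelected(true);
    tree->setCurrentItem(cluster1);
    test2->setSelected(true);
    checkSelectFrame(this, om, cluster1, tree, false);
}

/*
 * Removes `filename` when it exists. Returns false only when the file exists
 * and could not be removed; a missing file is not an error.
 */
static bool removeIfPresent(const QString &filename)
{
    if (!QFileInfo(filename).exists()) return true;
    return QFile(filename).remove();
}

/*
 * Ticket 1357 (see the file header): compile everything via the toolbar
 * "Compile" action, wait for completion (at most 10 s), and check the
 * per-object status, the wizard button states and the generated files.
 */
void instDialogCompileTest::testCompile()
{
    // A stale output would mask a compiler that silently produced nothing.
    QVERIFY(removeIfPresent("test1.fw"));
    QVERIFY(removeIfPresent("test2.fw"));
    QVERIFY(removeIfPresent("test3.fw"));
    QVERIFY(removeIfPresent("test4.fw"));
    QVERIFY(removeIfPresent("pf firewall.fw"));
    QVERIFY(removeIfPresent("ipfilter firewall.fw"));

    QAction *compile = mw->findChild<QAction*>("compileAction");
    QVERIFY(compile != NULL);
    compile->trigger();

    instDialog *dlg = mw->findChild<instDialog*>();
    QVERIFY(dlg != NULL);

    // "pushButton16" is the "CompileALL" button of the first page (see the
    // test description in the file header) -- presumably; confirm in the .ui.
    QPushButton *compile_all = dlg->findChild<QPushButton*>("pushButton16");
    QVERIFY(compile_all != NULL);
    compile_all->click();

    QTreeWidget *list = dlg->findChild<QTreeWidget*>("fwWorkList");
    QPushButton *back = dlg->findChild<QPushButton*>("backButton");
    QPushButton *next = dlg->findChild<QPushButton*>("nextButton");
    QPushButton *finish = dlg->findChild<QPushButton*>("finishButton");
    QPushButton *cancel = dlg->findChild<QPushButton*>("cancelButton");
    QVERIFY(list != NULL);
    QVERIFY(back != NULL);
    QVERIFY(next != NULL);
    QVERIFY(finish != NULL);
    QVERIFY(cancel != NULL);

    next->click();

    int waited = 0;
    while (!checkProgress(list))
    {
        // test state of the buttons while work is in progress
        QVERIFY(back->isEnabled() == true);
        QVERIFY(next->isEnabled() == false);
        QVERIFY(cancel->isEnabled() == true);
        QVERIFY(finish->isEnabled() == false);

        QTest::qWait(500);
        waited += 500;
        QVERIFY(waited < 10000);
    }

    for (int i = 0; i < list->topLevelItemCount(); i++)
        QVERIFY(list->topLevelItem(i)->text(1) == "Success");

    // test state of the buttons once everything is done
    QVERIFY(back->isEnabled() == true);
    QVERIFY(next->isEnabled() == false);
    QVERIFY(cancel->isEnabled() == true);
    QVERIFY(finish->isEnabled() == true);

    dlg->reject();

    QVERIFY(QFileInfo("test1.fw").exists() && QFileInfo("test1.fw").size());
    QVERIFY(QFileInfo("test2.fw").exists() && QFileInfo("test2.fw").size());
    QVERIFY(QFileInfo("test3.fw").exists() && QFileInfo("test3.fw").size());
    QVERIFY(QFileInfo("test4.fw").exists() && QFileInfo("test4.fw").size());
    QVERIFY(QFileInfo("pf firewall.fw").exists() &&
            QFileInfo("pf firewall.conf").exists() &&
            QFileInfo("pf firewall.fw").size() &&
            QFileInfo("pf firewall.conf").size());
    QVERIFY(QFileInfo("ipfilter firewall.fw").exists() &&
            QFileInfo("ipfilter firewall-ipf.conf").exists() &&
            QFileInfo("ipfilter firewall-nat.conf").exists() &&
            QFileInfo("ipfilter firewall.fw").size() &&
            QFileInfo("ipfilter firewall-ipf.conf").size() &&
            QFileInfo("ipfilter firewall-nat.conf").size());

    QFile::remove("test1.fw");
    QFile::remove("test2.fw");
    QFile::remove("test3.fw");
    QFile::remove("test4.fw");
    QFile::remove("pf firewall.fw");
    QFile::remove("pf firewall.conf");
    QFile::remove("ipfilter firewall.fw");
    QFile::remove("ipfilter firewall-ipf.conf");
    QFile::remove("ipfilter firewall-nat.conf");
}
fwbuilder-5.3.7/src/unit_tests/instDialogCompileTest/instDialogCompileTest.h000066400000000000000000000032051303637203600273710ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: instDialogCompileTest.h 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the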
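GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
// The guard used to be INSTDIALOGTEST_H, the same macro the sibling
// instDialogClusterTest.h uses; a translation unit including both headers
// would silently drop the second class, so each header gets its own guard.
#ifndef INSTDIALOGCOMPILETEST_H
#define INSTDIALOGCOMPILETEST_H

// NOTE(review): one angle-bracket #include target was lost when this listing
// was extracted; restore it from the repository.
#include
#include "newClusterDialog.h"
#include "upgradePredicate.h"
#include "FWBTree.h"
#include "fwbuilder/Library.h"
#include "instDialog.h"
#include "FWWindow.h"
#include "ObjectTreeView.h"
#include "ObjectTreeViewItem.h"
#include "events.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Policy.h"

/*
 * QtTest fixture for the compile side of the compile/install dialog
 * (instDialog); ticket 1357 is described at the top of
 * instDialogCompileTest.cpp.
 */
class instDialogCompileTest : public QObject
{
    Q_OBJECT

private slots:
    void initTestCase();
    void testSelectButtonsVisibility();
    void testCompile();

public slots:
    // Hides the context menu; armed by a one-shot timer in openContextMenu().
    void closeContextMenu();
    // Opens the tree context menu on `item` and triggers `actionText`.
    // Declared as a slot, but only ever called directly from the .cpp.
    void openContextMenu(ObjectManipulator *om, ObjectTreeViewItem *item,
                         ObjectTreeView *tree, const QString &actionText);
};

#endif // INSTDIALOGCOMPILETEST_H
fwbuilder-5.3.7/src/unit_tests/instDialogCompileTest/instDialogCompileTest.pro000066400000000000000000000005071303637203600277440ustar00rootroot00000000000000include(../tests_common.pri)
QT += testlib network gui
TARGET = instDialogCompileTest
SOURCES += main_instDialogCompileTest.cpp \
    instDialogCompileTest.cpp
HEADERS += instDialogCompileTest.h
# The EXIT trap removes the scratch copy on every path while the recipe's
# status stays that of the test binary. The previous form ended with
# "; rm -f test_work.fwb", whose status (always 0) was what make saw, so a
# failing test binary never failed the run_tests target.
run_tests.commands = trap 'rm -f test_work.fwb' EXIT; \
    cp -f test.fwb test_work.fwb && ./${TARGET}
fwbuilder-5.3.7/src/unit_tests/instDialogCompileTest/main_instDialogCompileTest.cpp000066400000000000000000000033111303637203600307260ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy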
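a2k0001@gmail.com $Id: main_instDialogTest.cpp 2707 2010-03-10 18:22:19Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include "instDialogCompileTest.h"
// NOTE(review): two angle-bracket #include targets were lost when this listing
// was extracted (QTest::qExec and QFile are used below); restore them from the
// repository before building.
#include
#include
#include "FWWindow.h"
#include "FWBSettings.h"
#include "FWBApplication.h"

using namespace std;
using namespace libfwbuilder;

int fwbdebug = 0;
FWWindow *mw = NULL;
FWBSettings *st = NULL;
FWBApplication *app = NULL;
int sig = FWB_SIG;

extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st);

/*
 * Entry point of the instDialogCompileTest binary: builds the application
 * object, runs the QtTest fixture and removes the scratch file
 * "test_work.fwb" the fixture works on.
 *
 * Returns the result of QTest::qExec(), i.e. 0 when every test function
 * passed. The previous version discarded that value, so the process always
 * exited 0 and a CI gate on this binary could never observe a failure.
 */
int main(int argc, char** argv)
{
    app = new FWBApplication(argc, argv);
    app->setOrganizationName(QLatin1String("NetCitadel"));
    app->setApplicationName(QLatin1String("Firewall Builder"));
    build_app(argc, argv, &app, &st);

    instDialogCompileTest test_case;
    int failed = QTest::qExec(&test_case);

    // Cleanup runs regardless of the outcome so a failed run does not leave
    // the scratch copy behind for the next one.
    if (QFile::exists("test_work.fwb"))
        QFile::remove("test_work.fwb");

    return failed;
}
fwbuilder-5.3.7/src/unit_tests/instDialogCompileTest/test.fwb000066400000000000000000004514631303637203600244360ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk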
fwbuilder-5.3.7/src/unit_tests/instDialogInspectTest/000077500000000000000000000000001303637203600227675ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/instDialogInspectTest/instDialogInspectTest.cpp000066400000000000000000000150551303637203600277640ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: instDialogInspectTest.cpp 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "instDialogInspectTest.h" #include "unistd.h" #include #include #include #include #include #include #include #include #include "FWObjectClipboard.h" #include "FWBApplication.h" using namespace std; using namespace QTest; using namespace libfwbuilder; bool checkProgress(QTreeWidget *list) { for(int i=0; itopLevelItemCount(); i++) { if ( (list->topLevelItem(i)->text(1).toStdString() == "Compiling ...") || (list->topLevelItem(i)->text(1).toStdString() == "Installing ...") ) return false; } return true; } void instDialogInspectTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->loadFile("test_work.fwb", false); dialogClosed = false; om = mw->activeProject()->findChild("om"); tree = mw->activeProject()->getCurrentObjectTree(); tree->expandAll(); } void instDialogInspectTest::cleanupTestCase() { foreach(QString filename, 
filesToCleanup) if (QFileInfo(filename).exists()) QVERIFY(QFile::remove(filename)); } void instDialogInspectTest::closeInstallOptions() { QVERIFY(dynamic_cast(app->activeModalWidget()) != NULL); dynamic_cast(app->activeModalWidget())->cancelAll(); dialogClosed = true; } QPoint findItemPos(ObjectTreeViewItem *item, ObjectTreeView *tree) { tree->scrollToItem(item); for (int h=10; hheight(); h+=1) { for (int w=75; wwidth(); w+=1) { if(tree->itemAt(w,h) == item) return QPoint(w, h); } } return QPoint(-1,-1); } void instDialogInspectTest::closeContextMenu() { QMenu *menu = NULL; foreach(QWidget *w, QApplication::allWidgets()) { if (w->objectName() == "objectTreeContextMenu") { menu = dynamic_cast(w); break; } } menu->hide(); } /* * This function finds and activates an item with given name in the * context menu. If item is absent in the menu or is disabled, it * fails the test. */ void instDialogInspectTest::openContextMenu(ObjectManipulator *om, ObjectTreeViewItem *item, ObjectTreeView *tree, const QString &actionText) { QTimer::singleShot(100, this, SLOT(closeContextMenu())); om->contextMenuRequested(findItemPos(item, tree)); bool found_menu_item = false; QMenu *menu = NULL; foreach(QWidget *w, QApplication::allWidgets()) { if (w->objectName() == "objectTreeContextMenu") { menu = dynamic_cast(w); break; } } QVERIFY(menu != NULL); foreach (QObject *act, menu->children()) { QAction *action = dynamic_cast(act); if (action == NULL) continue; if (action->text() == actionText) { QVERIFY(action->isEnabled() == true); action->activate(QAction::Trigger); found_menu_item = true; break; } } #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QVERIFY2(found_menu_item == true, QString("Item %1 not found in the context menu").arg(actionText).toAscii().constData()); #else QVERIFY2(found_menu_item == true, QString("Item %1 not found in the context menu").arg(actionText).toLatin1().constData()); #endif } void instDialogInspectTest::testInspect(QString firewall) { 
filesToCleanup.append(firewall+".fw"); ObjectTreeViewItem *treeitem = dynamic_cast(tree->findItems(firewall, Qt::MatchExactly | Qt::MatchRecursive).first()); this->openContextMenu(om, treeitem, tree, "Install"); instDialog *dlg = mw->findChild(); QTest::mouseClick(dlg->findChild("pushButton16"), Qt::LeftButton); QPushButton *back = dlg->findChild("backButton"); QPushButton *next = dlg->findChild("nextButton"); QPushButton *inspect = dlg->findChild("inspectGeneratedFiles"); QTest::mouseClick(next, Qt::LeftButton); QTreeWidget *list= dlg->findChild("fwWorkList"); QTextBrowser *processLogDisplay = dlg->findChild("procLogDisplay"); while (!checkProgress(list)) { QVERIFY(!inspect->isEnabled()); QTest::qWait(50); } QTest::qWait(50); Q_ASSERT(inspect->isEnabled()); QString oldtext = processLogDisplay->toPlainText(); QStackedWidget *stack = dlg->findChild(); QVERIFY(stack->currentIndex() == 1); QTest::mouseClick(inspect, Qt::LeftButton); QVERIFY(stack->currentIndex() == 2); QVERIFY(back->isEnabled()); QVERIFY(next->isEnabled()); QTest::mouseClick(back, Qt::LeftButton); QVERIFY(stack->currentIndex() == 1); QVERIFY(oldtext == processLogDisplay->toPlainText()); QTest::mouseClick(inspect, Qt::LeftButton); QTimer::singleShot(100, this, SLOT(closeInstallOptions())); QTest::mouseClick(next, Qt::LeftButton); QVERIFY(dialogClosed); QVERIFY(stack->currentIndex() == 1); dlg->reject(); QTest::qWait(500); } void instDialogInspectTest::testInspect_firewall() { testInspect("test1"); } void instDialogInspectTest::testInspect_cluster() { testInspect("cluster1"); } void instDialogInspectTest::testInspect_space() { testInspect("firewall name"); } void instDialogInspectTest::testInspect_ascii() { testInspect("firewall !@#$%^&()-+{},;"); } void instDialogInspectTest::testInspect_russian() { testInspect("русский фаерволл"); } fwbuilder-5.3.7/src/unit_tests/instDialogInspectTest/instDialogInspectTest.h000066400000000000000000000037211303637203600274260ustar00rootroot00000000000000/* Firewall 
Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: instDialogInspectTest.h 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INSTDIALOGTEST_H #define INSTDIALOGTEST_H #include #include "FWBTree.h" #include "FWWindow.h" #include "ObjectManipulator.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "events.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Library.h" #include "fwbuilder/Policy.h" #include "instDialog.h" #include "newClusterDialog.h" #include "upgradePredicate.h" class instDialogInspectTest : public QObject { Q_OBJECT; bool dialogClosed; ObjectManipulator *om; ObjectTreeView *tree; QStringList filesToCleanup; private slots: void initTestCase(); void cleanupTestCase(); void testInspect_cluster(); void testInspect_firewall(); void testInspect_space(); void testInspect_ascii(); void testInspect_russian(); public slots: void closeInstallOptions(); void closeContextMenu(); void openContextMenu(ObjectManipulator *om, ObjectTreeViewItem *item, ObjectTreeView *tree, const QString &actionText); void testInspect(QString fwname); }; #endif // INSTDIALOGTEST_H fwbuilder-5.3.7/src/unit_tests/instDialogInspectTest/instDialogInspectTest.pro000066400000000000000000000005071303637203600277760ustar00rootroot00000000000000include(../tests_common.pri) QT += 
testlib network gui TARGET = instDialogInspectTest SOURCES += main_instDialogInspectTest.cpp \ instDialogInspectTest.cpp HEADERS += instDialogInspectTest.h run_tests.commands = cp -f test.fwb test_work.fwb; \ ./${TARGET}; \ rm -f test_work.fwb fwbuilder-5.3.7/src/unit_tests/instDialogInspectTest/main_instDialogInspectTest.cpp000066400000000000000000000033201303637203600307600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_instDialogInspectTest.cpp 2707 2010-03-10 18:22:19Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "instDialogInspectTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new instDialogInspectTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/instDialogInspectTest/test.fwb000066400000000000000000005704771303637203600244720ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/instDialogInstallTest/000077500000000000000000000000001303637203600227705ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/instDialogInstallTest/instDialogInstallTest.cpp000066400000000000000000000536251303637203600277730ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: instDialogInstallTest.cpp 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ================================ All tests in this module are designed to either fail installation or never supposed to complete it because they lack authentication credentials when they run unattended. Tests that perform successfull installs are located in a separate module fwbuilder-tests. Ticket 1358: using the same data file test.fwb but work with a copy because instDialog saves data to the disk and modifies the file keep common parts of all these tests in a separate function. There will be more tests like these in the future, the difference will be in the installer parameters and in the options stored in the firewall object. These tests check the status in the column on the left (Success or Error) and status of the buttons in the dialog (Finish). They also check if the file has been created and look for certain lines in the progress output panel. before running the test, check if files "test1.fw", "test2.fw", "test3.fw", "test4.fw" exist and delete them. If delete operation fails, fail the test. This should be done in the unit test code (C++) rather than in the runner shell script create subdirectory "test_install" in the current directory. If this directory exists, remove files in it. find firewall object test1, open it in the editor, click "Firewall settings" button and in the dialog change "Directory on the firewall where script should be installed" to the current directory. 
Alternatively, you can do this by manipulating data in the object instead of opening dialogs: FWOptions *fwoptions = firewall_object->getOptionsObject(); fwoptions->setStr("firewall_dir", current_dir + "/test_install"); test2 test for "authentication failed" error: * before compiling and installing, set environment variable "SSH_AUTH_SOCK" to empty string. Save its value before destroying it and then restore when this test is done * repeat the test1 with address 127.0.0.1. Since you have turned off ssh-agent and left password field empty, the program should not be able to authenticate and you should see "Permission denied" in the progress output test3 another kind of error is a timeout. * To simulate timeout repeat the test with ip address 127.0.0.2. Ssh should time out after some considerable time with appropriate error message in the output. Check for this message and make sure at that point button "Finish" is enabled and status is "Failed" (or is it "Error" ? ) test4 test cancellation. * Repeat the test using address 127.0.0.2 but click "Cancel" 1 sec after you start installation (this is too short for the ssh timeout to occur). Wait after that until the line "Stopping background process" appears, then check that the installer dialog closes. 
*/ #include "instDialogInstallTest.h" #include "unistd.h" #include #include #include #include #include #include #include #include #include "FWObjectClipboard.h" using namespace std; using namespace QTest; using namespace libfwbuilder; bool checkProgress(QTreeWidget *list) { for(int i=0; itopLevelItemCount(); i++) { if ( (list->topLevelItem(i)->text(1).toStdString() == "Compiling ...") || (list->topLevelItem(i)->text(1).toStdString() == "Installing ...") ) return false; } return true; } void instDialogInstallTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->loadFile("test_work.fwb", false); ssh_auth_sock = getenv("SSH_AUTH_SOCK"); } void instDialogInstallTest::cleanupTestCase() { if (ssh_auth_sock != NULL) setenv("SSH_AUTH_SOCK", ssh_auth_sock, 1); else unsetenv("SSH_AUTH_SOCK"); QDir().rmdir("test_install"); QFile::remove("test1.fw"); } void instDialogInstallTest::resetDialogs() { instOptionsDialog *optdlg = mw->findChild("instOptionsDialog_q"); if (optdlg && optdlg->isVisible()) optdlg->reject(); instDialog *dlg = mw->findChild(); if (dlg && dlg->isVisible()) dlg->reject(); QTest::qWait(500); } void instDialogInstallTest::fillInstOptionsDialog(const QString &user_name, const QString &passwd, const QString &alt_address, bool verbose_flag) { instOptionsDialog *optdlg = mw->findChild("instOptionsDialog_q"); QVERIFY(optdlg != NULL); QVERIFY(optdlg->isVisible() == true); QLineEdit *uname = optdlg->findChild("uname"); QLineEdit *pwd = optdlg->findChild("pwd"); QLineEdit *altAddress = optdlg->findChild("altAddress"); QCheckBox *verbose = optdlg->findChild("verbose"); if (!user_name.isEmpty()) uname->setText(user_name); if (!passwd.isEmpty()) pwd->setText(passwd); if (!alt_address.isEmpty()) altAddress->setText(alt_address); verbose->setChecked(verbose_flag); optdlg->findChild("okButton")->click(); } void instDialogInstallTest::instOptionsForTest1() { // set verbose on to reveal scp and ssh command line 
fillInstOptionsDialog(QString("root"), QString(""), QString("127.0.0.1"), true); } void instDialogInstallTest::instOptionsForTest2() { // set verbose on to reveal scp and ssh command line fillInstOptionsDialog(QString("root"), QString(""), QString("127.0.0.1"), true); } void instDialogInstallTest::instOptionsForTest3() { // set verbose on to reveal scp and ssh command line fillInstOptionsDialog(QString("root"), QString(""), QString("192.168.254.254"), true); } void instDialogInstallTest::instOptionsForTest4() { fillInstOptionsDialog(QString("root"), QString(""), QString("192.168.254.254"), false); } void instDialogInstallTest::instOptionsForTest5() { fillInstOptionsDialog(QString("root"), QString(""), QString("192.168.254.254"), false); } void instDialogInstallTest::removeFiles() { if (QFileInfo("test1.fw").exists()) QVERIFY(QFile::remove("test1.fw")); if (QFileInfo("test2.fw").exists()) QVERIFY(QFile::remove("test2.fw")); if (QFileInfo("test3.fw").exists()) QVERIFY(QFile::remove("test3.fw")); if (QFileInfo("test4.fw").exists()) QVERIFY(QFile::remove("test4.fw")); if (QDir("test_install").exists()) { foreach(QString file, QDir("test_install").entryList()) { if (QFileInfo("test_install/"+file).isFile()) QVERIFY(QFile::remove("test_install/"+file)); } QVERIFY(QDir().rmdir("test_install")); } QVERIFY(QDir().mkdir("test_install")); } void instDialogInstallTest::verifyInstallSuccess(const QString &) { instDialog *dlg = mw->findChild(); QTreeWidget *list= dlg->findChild("fwWorkList"); QTextBrowser *processLogDisplay = dlg->findChild("procLogDisplay"); for(int i=0; itopLevelItemCount(); i++) { QString txt = processLogDisplay->toPlainText(); if (list->topLevelItem(i)->text(1) != "Success") { foreach(QString line, txt.split("\n")) qDebug() << line; QFAIL("Installation failure detected, see debug above for details"); } } } /* test for "authentication failed" error: * before compiling and installing, set environment variable "SSH_AUTH_SOCK" to empty string. 
Save its value before destroying it and then restore when this test is done * repeat the test1 with address 127.0.0.1. Since you have turned off ssh-agent and left password field empty, the program should not be able to authenticate and you should see "Permission denied" in the progress output */ void instDialogInstallTest::testInstall2() { resetDialogs(); removeFiles(); Firewall *test1 = NULL; foreach(FWObject *fw, mw->db()->getByTypeDeep(Firewall::TYPENAME)) { if (fw->getName() == "test1") { test1 = Firewall::cast(fw); break; } } QVERIFY(test1 != NULL); // reset additional args for scp and ssh FWOptions *fwoptions = test1->getOptionsObject(); fwoptions->setStr("scpArgs", ""); fwoptions->setStr("sshArgs", ""); fwoptions->setStr("firewall_dir", (QDir::currentPath()+"/test_install").toStdString()); setenv("SSH_AUTH_SOCK", "nothinghere", 1); QTest::qWait(500); mw->findChild("installAction")->trigger(); QTest::qWait(500); instDialog *dlg = mw->findChild(); dlg->findChild("pushButton17")->click(); QPushButton *back = dlg->findChild("backButton"); QPushButton *next = dlg->findChild("nextButton"); QPushButton *finish = dlg->findChild("finishButton"); QPushButton *cancel = dlg->findChild("cancelButton"); QTreeWidget *selectTable = dlg->findChild("selectTable"); QTreeWidgetItem *test1item = selectTable->findItems("test1", Qt::MatchExactly | Qt::MatchRecursive, 0).first(); test1item->setCheckState(1, Qt::Checked); test1item->setCheckState(2, Qt::Checked); QTest::qWait(500); next->click(); QTreeWidget *list= dlg->findChild("fwWorkList"); int waited = 0; while (!checkProgress(list)) { QVERIFY(back->isEnabled() == true); QVERIFY(next->isEnabled() == false); QVERIFY(cancel->isEnabled() == true); QVERIFY2(finish->isEnabled() == false, "Button Finish is enabled during operation"); QTest::qWait(500); waited += 500; QVERIFY(waited < 10000); } qDebug() << "Test 2 continues"; verifyInstallSuccess("instDialogInstallTest::testInstall2()"); QTest::qWait(500); QVERIFY(next->isEnabled()); 
QVERIFY(!dlg->findChild("finishButton")->isEnabled()); QVERIFY(QFile::exists("test1.fw")); QVERIFY(QFile::remove("test1.fw")); QFile testfile("test1.fw"); testfile.open(QFile::WriteOnly); testfile.write("#!/bin/sh\n#\n# This is automatically generated file. DO NOT MODIFY !\n#\n# Firewall Builder fwb_ipt v4.0.0-2784\n#\n# Generated Wed Mar 31 16:41:46 2010 EEST by a2k\n#\n# files: * test1.fw\n#\n# Compiled for iptables (any version)\n#\n# This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.\n# Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0\n\n\necho \"Testing policy activation script\"\n"); testfile.close(); testfile.setPermissions(testfile.permissions() | QFile::ExeOwner); QTimer::singleShot(200, this, SLOT(instOptionsForTest2())); next->click(); QTest::qWait(500); waited = 0; while (!checkProgress(list)) { QVERIFY(back->isEnabled() == false); QVERIFY(next->isEnabled() == false); QVERIFY(cancel->isEnabled() == true); QVERIFY2(finish->isEnabled() == false, "Button Finish is enabled during operation"); QTest::qWait(500); waited += 500; QVERIFY(waited < 10000); } QTest::qWait(500); for(int i=0; itopLevelItemCount(); i++) { QVERIFY(list->topLevelItem(i)->text(1) == "Failure"); } if (ssh_auth_sock != NULL) setenv("SSH_AUTH_SOCK", ssh_auth_sock, 1); else unsetenv("SSH_AUTH_SOCK"); QString text = dlg->findChild("procLogDisplay")->toPlainText(); QVERIFY(!text.isEmpty()); // foreach(QString line, text.split("\n")) // qDebug() << line; QVERIFY(text.contains("lost connection")); QVERIFY(text.contains("SSH session terminated, exit status: 1")); dlg->reject(); QTest::qWait(500); qDebug() << "Test 2 done"; } /* * Another kind of error is a timeout. 
* To simulate timeout repeat the test with an ip address that does * not exist. Ssh should time out after some considerable time with * appropriate error message in the output. Check for this message * and make sure at that point button "Finish" is enabled and status * is "Failed" (or is it "Error" ? ) * this test also tests custom scp command line argument * addition. The argument is ConnectTimeout, we both test the code * path that adds custom arguments for scp and make the test run * faster by shirtening the timeout. */ void instDialogInstallTest::testInstall3() { qDebug() << "Test 3 begins"; resetDialogs(); removeFiles(); Firewall *test1 = NULL; foreach(FWObject *fw, mw->db()->getByTypeDeep(Firewall::TYPENAME)) { if (fw->getName() == "test1") { test1 = Firewall::cast(fw); break; } } QVERIFY(test1 != NULL); // reset additional args for scp and ssh FWOptions *fwoptions = test1->getOptionsObject(); fwoptions->setStr("scpArgs", ""); fwoptions->setStr("sshArgs", ""); fwoptions->setStr("firewall_dir", (QDir::currentPath()+"/test_install").toStdString()); // reduce timeout time to make test run faster fwoptions->setStr("scpArgs", "-o ConnectTimeout=2"); mw->findChild("installAction")->trigger(); QTest::qWait(500); instDialog *dlg = mw->findChild(); dlg->findChild("pushButton17")->click(); QPushButton *back = dlg->findChild("backButton"); QPushButton *next = dlg->findChild("nextButton"); QPushButton *finish = dlg->findChild("finishButton"); QPushButton *cancel = dlg->findChild("cancelButton"); QTreeWidget *selectTable = dlg->findChild("selectTable"); QTreeWidgetItem *test1item = selectTable->findItems("test1", Qt::MatchExactly | Qt::MatchRecursive, 0).first(); test1item->setCheckState(1, Qt::Checked); test1item->setCheckState(2, Qt::Checked); QTest::qWait(500); next->click(); QTreeWidget *list= dlg->findChild("fwWorkList"); int waited = 0; while (!checkProgress(list)) { QVERIFY(back->isEnabled() == true); QVERIFY(next->isEnabled() == false); QVERIFY(cancel->isEnabled() 
== true); QVERIFY2(finish->isEnabled() == false, "Button Finish is enabled during operation"); QTest::qWait(500); waited += 500; QVERIFY(waited < 10000); } verifyInstallSuccess("instDialogInstallTest::testInstall3()"); QTest::qWait(500); QVERIFY(next->isEnabled()); QVERIFY(!finish->isEnabled()); QVERIFY(QFile::exists("test1.fw")); QVERIFY(QFile::remove("test1.fw")); QFile testfile("test1.fw"); testfile.open(QFile::WriteOnly); testfile.write("#!/bin/sh\n#\n# This is automatically generated file. DO NOT MODIFY !\n#\n# Firewall Builder fwb_ipt v4.0.0-2784\n#\n# Generated Wed Mar 31 16:41:46 2010 EEST by a2k\n#\n# files: * test1.fw\n#\n# Compiled for iptables (any version)\n#\n# This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.\n# Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. 
Internal network is configured with address 192.168.1.0/255.255.255.0\n\n\necho \"Testing policy activation script\"\n"); testfile.close(); testfile.setPermissions(testfile.permissions() | QFile::ExeOwner); QTimer::singleShot(200, this, SLOT(instOptionsForTest3())); next->click(); QTest::qWait(500); waited = 0; while (!checkProgress(list)) { QVERIFY(back->isEnabled() == false); QVERIFY(next->isEnabled() == false); QVERIFY(cancel->isEnabled() == true); QVERIFY2(finish->isEnabled() == false, "Button Finish is enabled during operation"); QTest::qWait(500); waited += 500; QVERIFY(waited < 1000000); } for(int i=0; itopLevelItemCount(); i++) { QVERIFY(list->topLevelItem(i)->text(1) == "Failure"); } QString text = dlg->findChild("procLogDisplay")->toPlainText(); // check that additional scp command line argument was indeed used QVERIFY(text.contains("-o ConnectTimeout=2")); // check that ssh timed out as expected QVERIFY(text.contains("lost connection")); QVERIFY(text.contains("SSH session terminated, exit status: 1")); QVERIFY(!text.isEmpty()); dlg->reject(); QTest::qWait(500); } /* * Test cancellation. * * This function does two tests: it runs install but hits Cancel or Stop * button (per @button_name argument) to interrupt the process and then * checks that the dialog is still open or not (per @dialog_should_stay_open * arg) * * Repeat the test using address that does not exist but click * "Cancel" 1 sec after you start installation (this is too short for * the ssh timeout to occur). Wait after that until the line "Stopping * background process" appears, then check that the installer dialog * closes. 
* */ void instDialogInstallTest::executeCancelAndStopTests(const QString &button_name, bool dialog_should_stay_open) { resetDialogs(); removeFiles(); Firewall *test1 = NULL; foreach(FWObject *fw, mw->db()->getByTypeDeep(Firewall::TYPENAME)) { if (fw->getName() == "test1") { test1 = Firewall::cast(fw); break; } } QVERIFY(test1 != NULL); // reset additional args for scp and ssh FWOptions *fwoptions = test1->getOptionsObject(); fwoptions->setStr("scpArgs", ""); fwoptions->setStr("sshArgs", ""); fwoptions->setStr("firewall_dir", (QDir::currentPath()+"/test_install").toStdString()); mw->findChild("installAction")->trigger(); QTest::qWait(500); instDialog *dlg = mw->findChild(); dlg->findChild("pushButton17")->click(); QPushButton *back = dlg->findChild("backButton"); QPushButton *next = dlg->findChild("nextButton"); QPushButton *finish = dlg->findChild("finishButton"); QPushButton *cancel = dlg->findChild("cancelButton"); QTreeWidget *selectTable = dlg->findChild("selectTable"); QTreeWidgetItem *test1item = selectTable->findItems("test1", Qt::MatchExactly | Qt::MatchRecursive, 0).first(); test1item->setCheckState(1, Qt::Checked); test1item->setCheckState(2, Qt::Checked); QTest::qWait(500); next->click(); QTreeWidget *list= dlg->findChild("fwWorkList"); int waited = 0; while (!checkProgress(list)) { QVERIFY(back->isEnabled() == true); QVERIFY(next->isEnabled() == false); QVERIFY(cancel->isEnabled() == true); QVERIFY2(finish->isEnabled() == false, "Button Finish is enabled during operation"); QTest::qWait(500); waited += 500; QVERIFY(waited < 10000); } for(int i=0; itopLevelItemCount(); i++) { QVERIFY(list->topLevelItem(i)->text(1) == "Success"); } QTest::qWait(500); QVERIFY(next->isEnabled()); QVERIFY(!finish->isEnabled()); QVERIFY(QFile::exists("test1.fw")); QVERIFY(QFile::remove("test1.fw")); QFile testfile("test1.fw"); testfile.open(QFile::WriteOnly); testfile.write("#!/bin/sh\n#\n# This is automatically generated file. 
DO NOT MODIFY !\n#\n# Firewall Builder fwb_ipt v4.0.0-2784\n#\n# Generated Wed Mar 31 16:41:46 2010 EEST by a2k\n#\n# files: * test1.fw\n#\n# Compiled for iptables (any version)\n#\n# This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.\n# Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0\n\n\necho \"Testing policy activation script\"\n"); testfile.close(); testfile.setPermissions(testfile.permissions() | QFile::ExeOwner); QTimer::singleShot(200, this, SLOT(instOptionsForTest4())); next->click(); QTest::qWait(1000); // Now click button to interrupt the process dlg->findChild(button_name)->click(); QTest::qWait(2000); QString text = dlg->findChild("procLogDisplay")->toPlainText(); QVERIFY(text.contains("Stopping background process")); QTest::qWait(500); QVERIFY(mw->findChild()->isVisible() == dialog_should_stay_open); QTest::qWait(500); } void instDialogInstallTest::testInstall4() { executeCancelAndStopTests("cancelButton", false); } /* * Test "Stop" button. This is just like "Cancel", except the dialog * stays open. * */ void instDialogInstallTest::testInstall5() { executeCancelAndStopTests("stopButton", true); } fwbuilder-5.3.7/src/unit_tests/instDialogInstallTest/instDialogInstallTest.h000066400000000000000000000042401303637203600274250ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: instDialogInstallTest.h 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. 
You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INSTDIALOGTEST_H #define INSTDIALOGTEST_H #include #include "FWBTree.h" #include "FWWindow.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "events.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Library.h" #include "fwbuilder/Policy.h" #include "instDialog.h" #include "newClusterDialog.h" #include "upgradePredicate.h" class instDialogInstallTest : public QObject { Q_OBJECT; const char *ssh_auth_sock; void removeFiles(); void verifyInstallSuccess(const QString &test_name); void resetDialogs(); void fillInstOptionsDialog(const QString &user_name, const QString &pwd, const QString &alt_address, bool verbose); void executeCancelAndStopTests(const QString &button_name, bool dialog_should_stay_open); private slots: void initTestCase(); void cleanupTestCase(); void testInstall2(); void testInstall3(); void testInstall4(); void testInstall5(); public slots: void instOptionsForTest1(); void instOptionsForTest2(); void instOptionsForTest3(); void instOptionsForTest4(); void instOptionsForTest5(); }; #endif // INSTDIALOGTEST_H fwbuilder-5.3.7/src/unit_tests/instDialogInstallTest/instDialogInstallTest.pro000066400000000000000000000005071303637203600300000ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = instDialogInstallTest SOURCES += main_instDialogInstallTest.cpp \ instDialogInstallTest.cpp HEADERS += 
instDialogInstallTest.h run_tests.commands = cp -f test.fwb test_work.fwb; \ ./${TARGET}; \ rm -f test_work.fwb fwbuilder-5.3.7/src/unit_tests/instDialogInstallTest/main_instDialogInstallTest.cpp000066400000000000000000000033201303637203600307620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_instDialogInstallTest.cpp 2707 2010-03-10 18:22:19Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "instDialogInstallTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new instDialogInstallTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/instDialogInstallTest/test.fwb000066400000000000000000003506231303637203600244600ustar00rootroot00000000000000 established established -m state 
--state ESTABLISHED,RELATED established established -m state --state ESTABLISHED,RELATED -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/src/unit_tests/instDialogObjectListTest/000077500000000000000000000000001303637203600234245ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/instDialogObjectListTest/instDialogObjectListTest.cpp000066400000000000000000000561301303637203600310550ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: instDialogObjectListTest.cpp 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ================================ Tests implemented in this module: ticket 1089 * user clicks "compile" button in the topmost toolbar. The list should include all firewalls, but only those that require recompile should have "compile" checkboxes checked. * user uses main menu "Rules/Compile". This is the same function as the previous one * user opens Policy of the firewall "test1" and clicks button "Compile" in the toolbar right above rule set view. The list should include only firewall "test1" and checkbox "Compile" should be checked because it requires recompile * the same test as the previous one, but with firewall test2. 
This one does not require recompile and checkbox "Compile" should not be checked. * user selects firewall test1 in the tree and opens context menu, then clicks item "Compile". This is the same test as 3. * user selects firewall test2 in the tree and opens context menu, then clicks item "Compile". This is the same test as 4. * Select two firewalls in the tree (test1 and test2), open context menu and click "Compile". Should get a list with both firewalls, with checkbox "Compile" selected for test2 and not selected for test1. * all previous tests tested "Compile" function. This test should test first step of the "Install" function. * emulate clicking "Install" button in the main toolbar * check that the first page of the dialog has column of "compile" checkboxes and column of "install" checkboxes * check that "compile" checkboxes are checked according to the rules described above in this ticket Ticket 1153: * tests page1_5(), page1_6(), page1_7() should emulate opening context menu and clicking menu item "Compile" (see ticket #1089). Please add check that the menu item "Compile" is present and enabled * test page1_8() should also check that checkboxes in column "compile" and "install" are visible and enabled. 
Right now it only checks their "checked" state * test page1_8() should also test checkboxes next to the firewall objects test3 and test4 */ #include "instDialogObjectListTest.h" #include "unistd.h" #include #include #include #include #include #include #include #include "FWBApplication.h" #include "FWObjectClipboard.h" using namespace std; using namespace QTest; using namespace libfwbuilder; #define COMPILE_CHECKBOX_COLUMN 1 #define INSTALL_CHECKBOX_COLUMN 2 void instDialogObjectListTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->loadFile("test_work.fwb", false); } void instDialogObjectListTest::openPolicy(QString fwname) { Policy *p = NULL; foreach (FWObject *fw, mw->db()->getByTypeDeep(Firewall::TYPENAME)) { if (fw->getName() == fwname.toStdString()) { p = Firewall::cast(fw)->getPolicy(); } } QVERIFY (p != NULL); QCoreApplication::postEvent(mw, new openRulesetImmediatelyEvent(mw->activeProject()->getFileName(), p->getId())); QTest::qWait(100); } void instDialogObjectListTest::verifyCompileCheckboxes(QTreeWidget *table, int items) { if (items != -1) QVERIFY(table->topLevelItemCount() == items); QTreeWidgetItemIterator it(table, QTreeWidgetItemIterator::Enabled); while (*it) { if ((*it)->text(0) == "cluster1") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(COMPILE_CHECKBOX_COLUMN) == Qt::Checked); } if ((*it)->text(0) == "test1") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(COMPILE_CHECKBOX_COLUMN) == Qt::Checked); } if ((*it)->text(0) == "test2") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(COMPILE_CHECKBOX_COLUMN) == Qt::Unchecked); } if ((*it)->text(0) == "test3") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(COMPILE_CHECKBOX_COLUMN) == Qt::Unchecked); } if ((*it)->text(0) == "test4") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); 
QVERIFY((*it)->checkState(COMPILE_CHECKBOX_COLUMN) == Qt::Unchecked); } it++; } } /* * This function checks the state of checkboxes after firewall test1 has been compiled */ void instDialogObjectListTest::verifyCompileCheckboxes_2(QTreeWidget *table) { QTreeWidgetItemIterator it(table, QTreeWidgetItemIterator::Enabled); while (*it) { if ((*it)->text(0) == "cluster1") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(COMPILE_CHECKBOX_COLUMN) == Qt::Checked); } if ((*it)->text(0) == "test1") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(COMPILE_CHECKBOX_COLUMN) == Qt::Unchecked); } if ((*it)->text(0) == "test2") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(COMPILE_CHECKBOX_COLUMN) == Qt::Unchecked); } if ((*it)->text(0) == "test3") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(COMPILE_CHECKBOX_COLUMN) == Qt::Unchecked); } if ((*it)->text(0) == "test4") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(COMPILE_CHECKBOX_COLUMN) == Qt::Unchecked); } it++; } } void instDialogObjectListTest::verifyInstallCheckboxes(QTreeWidget *table, int items) { if (items != -1) Q_ASSERT(table->topLevelItemCount() == items); QTreeWidgetItemIterator it(table, QTreeWidgetItemIterator::Enabled); while (*it) { if ((*it)->text(0) == "cluster1") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(INSTALL_CHECKBOX_COLUMN) == Qt::Unchecked); } if ((*it)->text(0) == "test1") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(INSTALL_CHECKBOX_COLUMN) == Qt::Checked); } if ((*it)->text(0) == "test2") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(INSTALL_CHECKBOX_COLUMN) == Qt::Checked); } if ((*it)->text(0) == "test3") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); 
QVERIFY((*it)->checkState(INSTALL_CHECKBOX_COLUMN) == Qt::Checked); } if ((*it)->text(0) == "test4") { QVERIFY(((*it)->flags() & Qt::ItemIsUserCheckable) != 0); QVERIFY((*it)->checkState(INSTALL_CHECKBOX_COLUMN) == Qt::Checked); } it++; } } QPoint findItemPos(ObjectTreeViewItem *item, ObjectTreeView *tree) { for (int h=10; hheight(); h+=1) { for (int w=75; wwidth(); w+=1) { if(tree->itemAt(w,h) == item) return QPoint(w, h); } } return QPoint(-1,-1); } void instDialogObjectListTest::closeContextMenu() { QMenu *menu = NULL; foreach(QWidget *w, QApplication::allWidgets()) { if (w->objectName() == "objectTreeContextMenu") { menu = dynamic_cast(w); break; } } menu->hide(); } /* * This function finds and activates an item with given name in the * context menu. If item is absent in the menu or is disabled, it * fails the test. */ void instDialogObjectListTest::openContextMenu(ObjectManipulator *om, ObjectTreeViewItem *item, ObjectTreeView *tree, const QString &actionText) { QTimer::singleShot(100, this, SLOT(closeContextMenu())); om->contextMenuRequested(findItemPos(item, tree)); bool found_menu_item = false; QMenu *menu = NULL; foreach(QWidget *w, QApplication::allWidgets()) { if (w->objectName() == "objectTreeContextMenu") { menu = dynamic_cast(w); break; } } QVERIFY(menu != NULL); foreach (QObject *act, menu->children()) { QAction *action = dynamic_cast(act); if (action == NULL) continue; if (action->text() == actionText) { QVERIFY(action->isEnabled() == true); action->activate(QAction::Trigger); found_menu_item = true; break; } } #if QT_VERSION < QT_VERSION_CHECK(5, 0, 0) QVERIFY2(found_menu_item == true, QString("Item %1 not found in the context menu").arg(actionText).toAscii().constData()); #else QVERIFY2(found_menu_item == true, QString("Item %1 not found in the context menu").arg(actionText).toLatin1().constData()); #endif } /* * user clicks "compile" button in the topmost toolbar. 
The list * should include all firewalls, but only those that require * recompile should have "compile" checkboxes checked. */ void instDialogObjectListTest::test_compile_1() { QAction *compile = mw->findChild("compileAction"); compile->activate(QAction::Trigger); QTest::qWait(100); instDialog *dlg = NULL; foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dlg = dynamic_cast(w); QTreeWidget *table = dlg->findChild("selectTable"); QVERIFY(table != NULL); QVERIFY(table->isColumnHidden(COMPILE_CHECKBOX_COLUMN) == false); QVERIFY(table->isColumnHidden(INSTALL_CHECKBOX_COLUMN) == true); verifyCompileCheckboxes(table, 3); QTest::qWait(100); dlg->findChild("cancelButton")->click(); QTest::qWait(100); } /* * user uses main menu "Rules/Compile". This is the same function as * the previous one */ void instDialogObjectListTest::test_compile_2() { QMenu *rules = mw->menuBar()->findChild("RulesMenu"); QAction *compile = NULL; foreach(QAction *itm, rules->actions()) if (itm->objectName() == "compileAction") compile = dynamic_cast(itm); QVERIFY(compile != NULL); compile->activate(QAction::Trigger); QTest::qWait(100); instDialog *dlg = NULL; foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dlg = dynamic_cast(w); QTreeWidget *table = dlg->findChild("selectTable"); QVERIFY(table != NULL); QVERIFY(table->isColumnHidden(COMPILE_CHECKBOX_COLUMN) == false); QVERIFY(table->isColumnHidden(INSTALL_CHECKBOX_COLUMN) == true); verifyCompileCheckboxes(table, 3); QTest::qWait(100); dlg->findChild("cancelButton")->click(); QTest::qWait(100); } /* * user opens Policy of the firewall "test1" and clicks button * "Compile" in the toolbar right above rule set view. 
The list should * include only firewall "test1" and checkbox "Compile" should be checked * because it requires recompile */ void instDialogObjectListTest::test_compile_3() { openPolicy("test1"); QTest::qWait(10); QToolButton* compileThis = mw->activeProject()->findChild("compile_this_fw"); QVERIFY(compileThis != NULL); QTest::mouseClick (compileThis, Qt::LeftButton); QTest::qWait(100); instDialog *dlg = NULL; foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dlg = dynamic_cast(w); QTreeWidget *table = dlg->findChild("selectTable"); QVERIFY(table != NULL); QVERIFY(table->isColumnHidden(COMPILE_CHECKBOX_COLUMN) == false); QVERIFY(table->isColumnHidden(INSTALL_CHECKBOX_COLUMN) == true); QVERIFY(table->topLevelItemCount() == 1); verifyCompileCheckboxes(table, 1); QTest::qWait(100); dlg->findChild("cancelButton")->click(); QTest::qWait(100); } /* * the same test as the previous one, but with firewall test2. This * one does not require recompile and checkbox "Compile" should not * be checked. */ void instDialogObjectListTest::test_compile_4() { openPolicy("test2"); QTest::qWait(100); QToolButton* compileThis = mw->activeProject()->findChild("compile_this_fw"); QVERIFY(compileThis != NULL); QTest::mouseClick (compileThis, Qt::LeftButton); QTest::qWait(100); instDialog *dlg = NULL; foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dlg = dynamic_cast(w); QTreeWidget *table = dlg->findChild("selectTable"); QVERIFY(table != NULL); QVERIFY(table->isColumnHidden(COMPILE_CHECKBOX_COLUMN) == false); QVERIFY(table->isColumnHidden(INSTALL_CHECKBOX_COLUMN) == true); verifyCompileCheckboxes(table, 1); QTest::qWait(100); dlg->findChild("cancelButton")->click(); QTest::qWait(100); } /* * user selects firewall test1 in the tree and opens context menu, * then clicks item "Compile". This is the same test as 3. 
*/ void instDialogObjectListTest::test_compile_5() { ObjectTreeView *tree = mw->activeProject()->getCurrentObjectTree(); tree->expandAll(); ObjectTreeViewItem *test1 = dynamic_cast(tree->findItems("test1", Qt::MatchExactly | Qt::MatchRecursive, 0).first()); ObjectTreeViewItem *test2 = dynamic_cast(tree->findItems("test2", Qt::MatchExactly | Qt::MatchRecursive, 0).first()); tree->scrollToItem(test1); // <<<<<<<<<<<<<< tree->selectionModel()->select(tree->indexAt(findItemPos(test1, tree)), QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent); tree->setCurrentItem(test1); ObjectManipulator *om = mw->activeProject()->findChild("om"); openContextMenu(om, test1, tree, "Compile"); instDialog *dlg = NULL; foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dlg = dynamic_cast(w); QTreeWidget *table = dlg->findChild("selectTable"); QVERIFY(table != NULL); QVERIFY(table->isColumnHidden(COMPILE_CHECKBOX_COLUMN) == false); QVERIFY(table->isColumnHidden(INSTALL_CHECKBOX_COLUMN) == true); verifyCompileCheckboxes(table, 1); QTest::qWait(100); dlg->findChild("cancelButton")->click(); QTest::qWait(100); } /* * user selects firewall test2 in the tree and opens context menu, * then clicks item "Compile". This is the same test as 4. 
*/ void instDialogObjectListTest::test_compile_6() { ObjectTreeView *tree = mw->activeProject()->getCurrentObjectTree(); tree->expandAll(); ObjectTreeViewItem *test1 = dynamic_cast(tree->findItems("test1", Qt::MatchExactly | Qt::MatchRecursive, 0).first()); ObjectTreeViewItem *test2 = dynamic_cast(tree->findItems("test2", Qt::MatchExactly | Qt::MatchRecursive, 0).first()); tree->scrollToItem(test2); // <<<<<<<<<<<<<< tree->selectionModel()->select(tree->indexAt(findItemPos(test2, tree)), QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent); tree->setCurrentItem(test2); ObjectManipulator *om = mw->activeProject()->findChild("om"); openContextMenu(om, test2, tree, "Compile"); instDialog *dlg = NULL; foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dlg = dynamic_cast(w); QTreeWidget *table = dlg->findChild("selectTable"); QVERIFY(table != NULL); QVERIFY(table->isColumnHidden(COMPILE_CHECKBOX_COLUMN) == false); QVERIFY(table->isColumnHidden(INSTALL_CHECKBOX_COLUMN) == true); verifyCompileCheckboxes(table, 1); QTest::qWait(100); dlg->findChild("cancelButton")->click(); QTest::qWait(100); } /* * Select two firewalls in the tree (test1 and test2), open context * menu and click "Compile". Should get a list with both firewalls, with * checkbox "Compile" selected for test2 and not selected for test1. 
*/ void instDialogObjectListTest::test_compile_7() { ObjectTreeView *tree = mw->activeProject()->getCurrentObjectTree(); tree->expandAll(); ObjectTreeViewItem *test1 = dynamic_cast(tree->findItems("test1", Qt::MatchExactly | Qt::MatchRecursive, 0).first()); ObjectTreeViewItem *test2 = dynamic_cast(tree->findItems("test2", Qt::MatchExactly | Qt::MatchRecursive, 0).first()); tree->scrollToItem(test1); tree->selectionModel()->select( tree->indexAt(findItemPos(test1, tree)), QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent); tree->setCurrentItem(test1); tree->selectionModel()->select( tree->indexAt(findItemPos(test2, tree)), QItemSelectionModel::Select); ObjectManipulator *om = mw->activeProject()->findChild("om"); openContextMenu(om, test2, tree, "Compile"); instDialog *dlg = NULL; foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dlg = dynamic_cast(w); QTreeWidget *table = dlg->findChild("selectTable"); QVERIFY(table != NULL); QVERIFY(table->isColumnHidden(COMPILE_CHECKBOX_COLUMN) == false); QVERIFY(table->isColumnHidden(INSTALL_CHECKBOX_COLUMN) == true); verifyCompileCheckboxes(table, 2); QTest::qWait(100); dlg->findChild("cancelButton")->click(); QTest::qWait(100); } /* * all previous tests tested "Compile" function. This test should test * first step of the "Install" function. 
*/ void instDialogObjectListTest::test_install_1() { QAction *compile = mw->findChild("installAction"); compile->activate(QAction::Trigger); QTest::qWait(100); instDialog *dlg = NULL; foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dlg = dynamic_cast(w); QTreeWidget *table = dlg->findChild("selectTable"); QVERIFY(table != NULL); QVERIFY(table->isColumnHidden(COMPILE_CHECKBOX_COLUMN) == false); QVERIFY(table->isColumnHidden(INSTALL_CHECKBOX_COLUMN) == false); verifyCompileCheckboxes(table, 3); verifyInstallCheckboxes(table, 3); QTest::qWait(100); dlg->findChild("cancelButton")->click(); QTest::qWait(100); } /* * Select two firewalls in the tree (test1 and test2), open context * menu and click "Compile". Should get a list with both firewalls, * with checkbox "Compile" selected for test2 and not selected for * test1. Then click "Next" to compile, wait until done, then click * "Finish". Select the same firewalls in the tree and open instDialog * again, now both checkboxes should be turned off. * * This test changes "last_compiled" timestamp of the firewall object * test2 so it should run after all tests above because it changes the * state of the "compile" checkbox next to this firewall in the list. 
*/ void instDialogObjectListTest::test_actually_compile_1() { if (QFileInfo("test1.fw").exists()) QVERIFY(QFile("test1.fw").remove()); ObjectTreeView *tree = mw->activeProject()->getCurrentObjectTree(); tree->expandAll(); ObjectTreeViewItem *test1 = dynamic_cast(tree->findItems("test1", Qt::MatchExactly | Qt::MatchRecursive, 0).first()); ObjectTreeViewItem *test2 = dynamic_cast(tree->findItems("test2", Qt::MatchExactly | Qt::MatchRecursive, 0).first()); tree->scrollToItem(test1); tree->selectionModel()->select( tree->indexAt(findItemPos(test1, tree)), QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent); tree->setCurrentItem(test1); tree->selectionModel()->select( tree->indexAt(findItemPos(test2, tree)), QItemSelectionModel::Select); ObjectManipulator *om = mw->activeProject()->findChild("om"); openContextMenu(om, test2, tree, "Compile"); instDialog *dlg = NULL; foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dlg = dynamic_cast(w); QTreeWidget *table = dlg->findChild("selectTable"); QVERIFY(table != NULL); QVERIFY(table->isColumnHidden(COMPILE_CHECKBOX_COLUMN) == false); QVERIFY(table->isColumnHidden(INSTALL_CHECKBOX_COLUMN) == true); verifyCompileCheckboxes(table, 2); QTest::qWait(100); dlg->findChild("nextButton")->click(); QPushButton *finish = dlg->findChild("finishButton"); QVERIFY(finish != NULL); int timeout_counter = 0; while (!finish->isEnabled()) { timeout_counter++; QVERIFY2(timeout_counter < 600, "Compile takes too long (over 1 min) or button \"Finish\" " "is not enabled properly when compile is done"); QTest::qWait(100); } finish->click(); // Now select the same firewalls and open compile/install dialog again tree->scrollToItem(test1); tree->selectionModel()->select( tree->indexAt(findItemPos(test1, tree)), QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent); tree->setCurrentItem(test1); tree->selectionModel()->select( tree->indexAt(findItemPos(test2, tree)), QItemSelectionModel::Select); 
openContextMenu(om, test2, tree, "Compile"); foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dlg = dynamic_cast(w); table = dlg->findChild("selectTable"); QVERIFY(table != NULL); QVERIFY(table->isColumnHidden(COMPILE_CHECKBOX_COLUMN) == false); QVERIFY(table->isColumnHidden(INSTALL_CHECKBOX_COLUMN) == true); verifyCompileCheckboxes_2(table); dlg->findChild("cancelButton")->click(); QTest::qWait(100); QVERIFY(QFileInfo("test1.fw").exists() && QFileInfo("test1.fw").size()); QFile::remove("test1.fw"); } fwbuilder-5.3.7/src/unit_tests/instDialogObjectListTest/instDialogObjectListTest.h000066400000000000000000000041461303637203600305220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: instDialogObjectListTest.h 2786 2010-04-01 14:05:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INSTDIALOGTEST_H #define INSTDIALOGTEST_H #include #include #include "newClusterDialog.h" #include "upgradePredicate.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "instDialog.h" #include "FWWindow.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "events.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/Policy.h" class instDialogObjectListTest : public QObject { Q_OBJECT const char *ssh_auth_sock; void openPolicy(QString fw); void verifyCompileCheckboxes(QTreeWidget *table, int items = -1); void verifyCompileCheckboxes_2(QTreeWidget *table); void verifyInstallCheckboxes(QTreeWidget *table, int items = -1); void openContextMenu(ObjectManipulator *om, ObjectTreeViewItem *item, ObjectTreeView *tree, const QString &actionText); void removeFiles(); private slots: void initTestCase(); void test_compile_1(); void test_compile_2(); void test_compile_3(); void test_compile_4(); void test_compile_5(); void test_compile_6(); void test_compile_7(); void test_install_1(); void test_actually_compile_1(); public slots: void closeContextMenu(); }; #endif // INSTDIALOGTEST_H fwbuilder-5.3.7/src/unit_tests/instDialogObjectListTest/instDialogObjectListTest.pro000066400000000000000000000005231303637203600310660ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = instDialogObjectListTest SOURCES += main_instDialogObjectListTest.cpp \ instDialogObjectListTest.cpp HEADERS += instDialogObjectListTest.h run_tests.commands = cp -f test.fwb test_work.fwb; \ ./${TARGET}; \ rm -f test_work.fwb fwbuilder-5.3.7/src/unit_tests/instDialogObjectListTest/main_instDialogObjectListTest.cpp000066400000000000000000000033171303637203600320600ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy 
a2k0001@gmail.com $Id: main_instDialogTest.cpp 2707 2010-03-10 18:22:19Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "instDialogObjectListTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new instDialogObjectListTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/instDialogObjectListTest/test.fwb000066400000000000000000003506341303637203600251160ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established -m state --state ESTABLISHED,RELATED -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk 
fwbuilder-5.3.7/src/unit_tests/main/000077500000000000000000000000001303637203600174305ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/main/main.cpp000066400000000000000000000041121303637203600210560ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" #include "FWObjectClipboard.h" #include "common/commoninit.h" #include "fwbuilder/Resources.h" #include "fwbuilder/Constants.h" #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; extern void init_platforms(); // defined in platforms.cpp void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st) { Q_INIT_RESOURCE(MainRes); init(argv); init_platforms(); *st = new FWBSettings(true); (*st)->init(false); (*st)->setCheckUpdates(false); (*st)->setBool("UI/NoStartTip", true); (*st)->setIntroDialogEnabled(false); (*st)->suppressReminderAboutStandardLib(true); string full_res_path = Constants::getResourcesFilePath(); new Resources(full_res_path); QString qt_resource_dir = QLibraryInfo::location(QLibraryInfo::TranslationsPath); QTranslator qt_translator(0); qt_translator.load(QLatin1String("qt_") + QLocale::system().name(), 
qt_resource_dir); (*app)->installTranslator (&qt_translator); } fwbuilder-5.3.7/src/unit_tests/main/main.pro000066400000000000000000000013471303637203600211030ustar00rootroot00000000000000# -*- mode: makefile; tab-width: 4; -*- include(../../../qmake.inc) OBJECTS_DIR = .obj MOC_DIR = .moc QMAKE_CXXFLAGS += $$CPPUNIT_CFLAGS CONFIG -= release CONFIG += debug INCLUDEPATH += ../../.. \ ../.. \ ../../libfwbuilder/src \ ../../libgui \ ../../libgui/.ui \ ../../compiler_lib \ ../../common DEPENDPATH += ../../.. \ ../.. \ ../../libfwbuilder/src \ ../../libgui \ ../../libgui/.ui \ ../../compiler_lib \ ../../common QT += testlib network gui TEMPLATE = lib CONFIG += staticlib TARGET = test_main INSTALLS -= target SOURCES += main.cpp run_tests.commands = echo "" run_tests.depends = build_tests build_tests.depends = all clean_tests.depends = clean QMAKE_EXTRA_TARGETS += run_tests build_tests clean_tests fwbuilder-5.3.7/src/unit_tests/newClusterDialogTest/000077500000000000000000000000001303637203600226175ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/newClusterDialogTest/main_newClusterDialogTest.cpp000066400000000000000000000032171303637203600304450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "newClusterDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new newClusterDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/newClusterDialogTest/newClusterDialogTest.cpp000066400000000000000000000323451303637203600274450ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "newClusterDialogTest.h" #include #include #include "ui_newclusterdialog_q.h" #include "FWWindow.h" #include "ObjectTreeView.h" #include "ProjectPanel.h" #include "StartTipDialog.h" #include "ObjectTreeView.h" #include "ObjectTreeViewItem.h" #include "FWObjectClipboard.h" #include "FWBApplication.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Constants.h" using namespace libfwbuilder; using namespace std; class newClusterDialog_ext: public newClusterDialog { public: newClusterDialog_ext(QWidget *parent, libfwbuilder::FWObject* obj): newClusterDialog(parent, obj) { } Ui::newClusterDialog_q* getUi() { return this->m_dialog; } QStringList getFirewallList() { QStringList res; for (int i=0; im_dialog->firewallSelector->rowCount(); i++) { res.append(this->m_dialog->firewallSelector->item(i, 0)->text()); } return res; } }; void newClusterDialogTest::initTestCase() { new FWObjectClipboard(); mw = new FWWindow(); mw->show(); mw->startupLoad(); QTest::qWait(5000); StartTipDialog *d = mw->findChild(); if (d!=NULL) d->close(); } void newClusterDialogTest::test1() { //init(); FWObjectDatabase *db = new FWObjectDatabase(); XMLTools::UpgradePredicate p; db->load("test_work.fwb", &p, Constants::getDTDDirectory()); newClusterDialog_ext *dialog = new newClusterDialog_ext(NULL, db); vector fws; QStringList fwnames; foreach(FWObject *obj, db->getByTypeDeep(Firewall::TYPENAME)) { fws.push_back(obj); fwnames.append(obj->getName().c_str()); } dialog->setFirewallList(fws); dialog->setModal(false); dialog->show(); QStringList dfws = dialog->getFirewallList(); QVERIFY(dfws.count() == int(fws.size())); foreach( QString fwname, dfws) QVERIFY(fwnames.contains(fwname)); QVERIFY(!dialog->getUi()->nextButton->isEnabled()); QTest::keyClicks(dialog->getUi()->obj_name, "New Cluster"); QVERIFY(dialog->getUi()->nextButton->isEnabled()); 
for (int i=0; i< dialog->getUi()->firewallSelector->rowCount(); i++) dynamic_cast(dialog->getUi()->firewallSelector->cellWidget(i, 1))->setChecked(true); dialog->getUi()->nextButton->click(); QVERIFY(dialog->currentPage()==1); QList ifaces = dialog->getUi()->interfaceSelector->getInterfaces(); foreach (ClusterInterfaceData iface, ifaces) { QVERIFY(iface.interfaces.count() == 2); for(int i=0; i < iface.interfaces.count(); i++) QVERIFY(iface.interfaces.at(i).second->getName().c_str() == iface.name); } dialog->getUi()->nextButton->click(); QVERIFY(dialog->currentPage()==2); for (int i=1; igetUi()->interfaceEditor->count(); i++) dynamic_cast(dialog->getUi()->interfaceEditor->widget(i))->setProtocolIndex(2); InterfaceEditorWidget* eth0 = qFindChild(dialog->getUi()->interfaceEditor, "eth0_widget"); eth0->setProtocolIndex(0); eth0->addNewAddress("123.45.67.89", "24", true); QList addresses = dialog->getUi()->interfaceEditor->getNewData(); foreach( EditedInterfaceData iface, addresses) { if (iface.name == "eth0") { qDebug() << iface.addresses.values().count(); QVERIFY(iface.addresses.values().count() == 1); QVERIFY(iface.addresses.values().first().address == "123.45.67.89"); QVERIFY(iface.addresses.values().first().netmask == "24"); break; } } dialog->getUi()->nextButton->click(); QVERIFY(dialog->currentPage()==3); dialog->getUi()->backButton->click(); QVERIFY(dialog->currentPage()==2); QList addresses2 = dialog->getUi()->interfaceEditor->getNewData(); foreach( EditedInterfaceData iface, addresses2) { if (iface.name == "eth0") { QVERIFY(iface.addresses.values().count() == 1); QVERIFY(iface.addresses.values().first().address == "123.45.67.89"); QVERIFY(iface.addresses.values().first().netmask == "24"); } } dialog->getUi()->interfaceEditor->setCurrentIndex(1); InterfaceEditorWidget* eth1 = qFindChild(dialog->getUi()->interfaceEditor, "eth1_widget"); eth1->setProtocolIndex(0); QTableWidget *addrs = eth1->findChild("addresses"); QVERIFY(addrs != NULL); QPushButton *addaddr = 
eth1->findChild("addAddress"); QVERIFY(addaddr != NULL); addaddr->click(); addrs->item(0,0)->setText("98.76.54.32"); addrs->item(0,1)->setText("24"); dialog->getUi()->nextButton->click(); QVERIFY(dialog->currentPage()==3); dialog->getUi()->nextButton->click(); QVERIFY(dialog->currentPage()==4); QVERIFY(dialog->getUi()->finishButton->isEnabled()); dialog->getUi()->finishButton->click(); Cluster *newc = dialog->getNewCluster(); QVERIFY(newc != NULL); QVERIFY(Cluster::isA(newc)); dialog->findChild("cancelButton")->click(); dialog->accept(); dialog->close(); dialog->deleteLater(); } void newClusterDialogTest::test2() { mw->loadFile("test_work.fwb", false); FWObjectDatabase *db = mw->db(); Library *lib = NULL; foreach(FWObject *obj, db->getByTypeDeep(Library::TYPENAME)) { qDebug() << obj->getName().c_str(); if (obj->getName() == "new_cluster_test") lib = Library::cast(obj); } QVERIFY(lib != NULL); newClusterDialog_ext *dialog = new newClusterDialog_ext(NULL, FWBTree().getStandardSlotForObject(lib, Cluster::TYPENAME)); vector fws; QStringList fwnames; foreach(FWObject *obj, db->getByTypeDeep(Firewall::TYPENAME)) { fws.push_back(obj); fwnames.append(obj->getName().c_str()); } dialog->setFirewallList(fws); dialog->setModal(false); dialog->show(); QStringList dfws = dialog->getFirewallList(); QVERIFY(dfws.count() == int(fws.size())); foreach( QString fwname, dfws) QVERIFY(fwnames.contains(fwname)); QVERIFY(!dialog->getUi()->nextButton->isEnabled()); QTest::keyClicks(dialog->getUi()->obj_name, "New Cluster"); QVERIFY(dialog->getUi()->nextButton->isEnabled()); for (int i=0; i< dialog->getUi()->firewallSelector->rowCount(); i++) dynamic_cast(dialog->getUi()->firewallSelector->cellWidget(i, 1))->setChecked(true); dialog->getUi()->nextButton->click(); QVERIFY(dialog->currentPage()==1); dialog->getUi()->nextButton->click(); QVERIFY(dialog->currentPage()==2); dynamic_cast(dialog->getUi()->interfaceEditor->widget(0))->setProtocolIndex(3); 
dynamic_cast(dialog->getUi()->interfaceEditor->widget(1))->setProtocolIndex(3); dynamic_cast(dialog->getUi()->interfaceEditor->widget(2))->setProtocolIndex(3); dynamic_cast(dialog->getUi()->interfaceEditor->widget(3))->setProtocolIndex(3); dialog->getUi()->nextButton->click(); QVERIFY(dialog->currentPage()==3); QList btns= dialog->getUi()->page_4->findChildren(); foreach(QRadioButton *btn, btns) { if (btn->objectName() == "linux-1") QTest::mouseClick(btn, Qt::LeftButton); } dialog->getUi()->nextButton->click(); QVERIFY(dialog->currentPage()==4); QVERIFY(dialog->getUi()->finishButton->isEnabled()); dialog->getUi()->finishButton->click(); Cluster *newc = dialog->getNewCluster(); QVERIFY(newc != NULL); QVERIFY(Cluster::isA(newc)); Firewall *bak = Firewall::cast(mw->getCurrentLib()->findObjectByName(Firewall::TYPENAME, "linux-1-bak")); QVERIFY(bak != NULL); QVERIFY(bak->getInactive() == true); Firewall *linux1 = Firewall::cast(mw->getCurrentLib()->findObjectByName(Firewall::TYPENAME, "linux-1")); QVERIFY(linux1 != NULL); QVERIFY(linux1->getPolicy()->getChildrenCount() == 1); // there should be only RuleSetOptions object dialog->findChild("cancelButton")->click(); dialog->accept(); dialog->close(); dialog->deleteLater(); } QPoint findItemPos(ObjectTreeViewItem *item, ObjectTreeView *tree) { for (int h=10; hheight(); h+=1) { for (int w=75; wwidth(); w+=1) { if((tree->itemAt(w,h)) == item) return QPoint(w, h); } } return QPoint(-1,-1); } void newClusterDialogTest::closeContextMenu() { foreach(QWidget *w, QApplication::allWidgets()) { if (w->objectName() == "objectTreeContextMenu") { qDebug() << w; w->hide(); } } } void newClusterDialogTest::openContextMenu(ObjectManipulator *om, ObjectTreeViewItem *item, ObjectTreeView *tree, const QString &actionText) { QTimer::singleShot(1000, this, SLOT(closeContextMenu())); om->contextMenuRequested(findItemPos(item, tree)); QMenu *menu; foreach(QWidget *w, QApplication::allWidgets()) { if (w->objectName() == "objectTreeContextMenu") { 
menu = dynamic_cast(w); break; } } foreach (QObject *act, menu->children()) { QAction *action = dynamic_cast(act); if (action == NULL) continue; if (action->text() == actionText) { QTimer::singleShot(100, this, SLOT(test3_part2())); action->trigger(); break; } } } void newClusterDialogTest::test3() { mw->loadFile("test_work.fwb", false); FWObjectDatabase *db = mw->db(); Library *lib = NULL; foreach(FWObject *obj, db->getByTypeDeep(Library::TYPENAME)) { qDebug() << obj->getName().c_str(); if (obj->getName() == "new_cluster_test") lib = Library::cast(obj); } QVERIFY(lib != NULL); mw->show(); ObjectManipulator *om = mw->activeProject()->findChild("om"); om->openLib(lib); QVERIFY ( om->getCurrentLib() == lib); ObjectTreeView *tree = mw->getCurrentObjectTree(); ObjectTreeViewItem *linux1 = dynamic_cast(tree->findItems("linux-1", Qt::MatchContains | Qt::MatchRecursive, 0).first()); ObjectTreeViewItem *linux2 = dynamic_cast(tree->findItems("linux-2", Qt::MatchContains | Qt::MatchRecursive, 0).first()); tree->selectionModel()->select(tree->indexAt(findItemPos(linux1, tree)), QItemSelectionModel::Clear | QItemSelectionModel::SelectCurrent); tree->setCurrentItem(linux1); tree->selectionModel()->select(tree->indexAt(findItemPos(linux2, tree)), QItemSelectionModel::Select); openContextMenu(om, linux2, tree, "New cluster from selected firewalls"); } void newClusterDialogTest::test3_part2() { QTest::qWait(100); newClusterDialog *dialog = NULL; foreach (QWidget *w, app->allWidgets()) if (dynamic_cast(w) != NULL) dialog = dynamic_cast(w); QVERIFY(dialog != NULL); QPushButton *nextButton = dialog->findChild("nextButton"); QPushButton *finishButton = dialog->findChild("finishButton"); InterfacesTabWidget *interfaceEditor = dialog->findChild("interfaceEditor"); QLineEdit *obj_name = dialog->findChild("obj_name"); QVERIFY(nextButton != NULL); QVERIFY(finishButton != NULL); QVERIFY(interfaceEditor != NULL); QVERIFY(obj_name != NULL); QTest::keyClicks(obj_name, "New Cluster"); 
QVERIFY(nextButton->isEnabled()); nextButton->click(); QVERIFY(dialog->currentPage()==1); QTest::qWait(1000); nextButton->click(); QVERIFY(dialog->currentPage()==2); dynamic_cast(interfaceEditor->widget(0))->setProtocolIndex(3); dynamic_cast(interfaceEditor->widget(1))->setProtocolIndex(3); dynamic_cast(interfaceEditor->widget(2))->setProtocolIndex(3); dynamic_cast(interfaceEditor->widget(3))->setProtocolIndex(3); nextButton->click(); QVERIFY(dialog->currentPage()==3); nextButton->click(); QVERIFY(dialog->currentPage()==4); QVERIFY(finishButton->isEnabled()); finishButton->click(); Cluster *newc = dialog->getNewCluster(); QVERIFY(newc != NULL); QVERIFY(Cluster::isA(newc)); } fwbuilder-5.3.7/src/unit_tests/newClusterDialogTest/newClusterDialogTest.h000066400000000000000000000026661303637203600271150ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef NEWCLUSTERDIALOGTEST_H #define NEWCLUSTERDIALOGTEST_H #include #include "newClusterDialog.h" #include "upgradePredicate.h" #include "FWBTree.h" #include "fwbuilder/Library.h" #include "ObjectManipulator.h" class newClusterDialogTest : public QObject { Q_OBJECT void openContextMenu(ObjectManipulator *om, ObjectTreeViewItem *item, ObjectTreeView *tree, const QString &actionText); private slots: void test1(); void test2(); void test3(); public slots: void initTestCase(); void closeContextMenu(); void test3_part2(); }; #endif // NEWCLUSTERDIALOGTEST_H fwbuilder-5.3.7/src/unit_tests/newClusterDialogTest/newClusterDialogTest.pro000066400000000000000000000005051303637203600274540ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = newClusterDialogTest SOURCES += main_newClusterDialogTest.cpp \ newClusterDialogTest.cpp HEADERS += newClusterDialogTest.h run_tests.commands = cp -f test.fwb test_work.fwb; \ ./${TARGET}; \ rm -f test_work.fwb fwbuilder-5.3.7/src/unit_tests/newClusterDialogTest/test.fwb000066400000000000000000001040061303637203600242770ustar00rootroot00000000000000 fwbuilder-5.3.7/src/unit_tests/parseCommandLineTest/000077500000000000000000000000001303637203600225655ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/parseCommandLineTest/main_parseCommandLineTest.cpp000066400000000000000000000026511303637203600303620ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include "parseCommandLineTest.h" #include #include //int fwbdebug = 0; //QString user_name; int fwbdebug = 0; void *mw = NULL; void *st = NULL; void *app = NULL; void *wfl; int sig = FWB_SIG; int main( int, char** ) { CppUnit::TextUi::TestRunner runner; runner.addTest( parseCommandLineTest::suite() ); runner.setOutputter( new CppUnit::CompilerOutputter( &runner.result(), std::cerr ) ); runner.run(); return 0; } fwbuilder-5.3.7/src/unit_tests/parseCommandLineTest/parseCommandLineTest.cpp000066400000000000000000000146731303637203600273650ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2003 NetCitadel, LLC Author: Vadim Kurland vadim@fwbuilder.org $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "parseCommandLineTest.h" #include "config.h" #include "utils.h" #include #include #include #include #include #include #include using namespace std; using namespace libfwbuilder; void parseCommandLineTest::parseCommandLines() { QStringList argv; parseCommandLine( "/usr/local/bin/ssh -i identity.key -o arg1=val1 -o arg2 val2 foo bar", argv); qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "/usr/local/bin/ssh"); CPPUNIT_ASSERT(argv[1] == "-i"); CPPUNIT_ASSERT(argv[2] == "identity.key"); CPPUNIT_ASSERT(argv[3] == "-o"); CPPUNIT_ASSERT(argv[4] == "arg1=val1"); CPPUNIT_ASSERT(argv[5] == "-o"); CPPUNIT_ASSERT(argv[6] == "arg2"); CPPUNIT_ASSERT(argv[7] == "val2"); CPPUNIT_ASSERT(argv[8] == "foo"); CPPUNIT_ASSERT(argv[9] == "bar"); argv.clear(); parseCommandLine( "/usr/local/bin/ssh -i identity.key -o arg1=val1 -o arg2 val2 foo bar", argv); qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "/usr/local/bin/ssh"); CPPUNIT_ASSERT(argv[1] == "-i"); CPPUNIT_ASSERT(argv[2] == "identity.key"); CPPUNIT_ASSERT(argv[3] == "-o"); CPPUNIT_ASSERT(argv[4] == "arg1=val1"); CPPUNIT_ASSERT(argv[5] == "-o"); CPPUNIT_ASSERT(argv[6] == "arg2"); CPPUNIT_ASSERT(argv[7] == "val2"); CPPUNIT_ASSERT(argv[8] == "foo"); CPPUNIT_ASSERT(argv[9] == "bar"); argv.clear(); parseCommandLine( "-i identity.key -o arg1=val1 -o arg2 val2 foo bar", argv); qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "-i"); CPPUNIT_ASSERT(argv[1] == "identity.key"); CPPUNIT_ASSERT(argv[2] == "-o"); CPPUNIT_ASSERT(argv[3] == "arg1=val1"); CPPUNIT_ASSERT(argv[4] == "-o"); CPPUNIT_ASSERT(argv[5] == "arg2"); CPPUNIT_ASSERT(argv[6] == "val2"); CPPUNIT_ASSERT(argv[7] == "foo"); CPPUNIT_ASSERT(argv[8] == "bar"); argv.clear(); parseCommandLine( " -i identity.key -o arg1=val1 -o arg2 val2 foo bar", argv); qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "-i"); CPPUNIT_ASSERT(argv[1] == 
"identity.key"); CPPUNIT_ASSERT(argv[2] == "-o"); CPPUNIT_ASSERT(argv[3] == "arg1=val1"); CPPUNIT_ASSERT(argv[4] == "-o"); CPPUNIT_ASSERT(argv[5] == "arg2"); CPPUNIT_ASSERT(argv[6] == "val2"); CPPUNIT_ASSERT(argv[7] == "foo"); CPPUNIT_ASSERT(argv[8] == "bar"); argv.clear(); parseCommandLine( "-i \"identity.key\" -o arg1=val1 -o arg2 val2 foo bar", argv); qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "-i"); CPPUNIT_ASSERT(argv[1] == "identity.key"); CPPUNIT_ASSERT(argv[2] == "-o"); CPPUNIT_ASSERT(argv[3] == "arg1=val1"); CPPUNIT_ASSERT(argv[4] == "-o"); CPPUNIT_ASSERT(argv[5] == "arg2"); CPPUNIT_ASSERT(argv[6] == "val2"); CPPUNIT_ASSERT(argv[7] == "foo"); CPPUNIT_ASSERT(argv[8] == "bar"); argv.clear(); parseCommandLine( "/usr/local/bin/program -arg1 \"val1 'val2 val3' val4\" -o arg1=val1 foo bar", argv); qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "/usr/local/bin/program"); CPPUNIT_ASSERT(argv[1] == "-arg1"); CPPUNIT_ASSERT(argv[2] == "val1 'val2 val3' val4"); CPPUNIT_ASSERT(argv[3] == "-o"); CPPUNIT_ASSERT(argv[4] == "arg1=val1"); CPPUNIT_ASSERT(argv[5] == "foo"); CPPUNIT_ASSERT(argv[6] == "bar"); argv.clear(); parseCommandLine( "/usr/local/bin/program -arg1 \"val1 'val2 \"val3 val4\" val5' val6\" -o arg1=val1 foo bar", argv); qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "/usr/local/bin/program"); CPPUNIT_ASSERT(argv[1] == "-arg1"); CPPUNIT_ASSERT(argv[2] == "val1 'val2 \"val3 val4\" val5' val6"); CPPUNIT_ASSERT(argv[3] == "-o"); CPPUNIT_ASSERT(argv[4] == "arg1=val1"); CPPUNIT_ASSERT(argv[5] == "foo"); CPPUNIT_ASSERT(argv[6] == "bar"); argv.clear(); parseCommandLine( "c:\\putty\\plink.exe -i identity.key -q foo bar", argv); qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "c:\\putty\\plink.exe"); CPPUNIT_ASSERT(argv[1] == "-i"); CPPUNIT_ASSERT(argv[2] == "identity.key"); CPPUNIT_ASSERT(argv[3] == "-q"); CPPUNIT_ASSERT(argv[4] == "foo"); CPPUNIT_ASSERT(argv[5] == "bar"); argv.clear(); parseCommandLine( "c:\\Program Files\\plink.exe -i identity.key -q foo bar", argv); 
qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "c:\\Program Files\\plink.exe"); CPPUNIT_ASSERT(argv[1] == "-i"); CPPUNIT_ASSERT(argv[2] == "identity.key"); CPPUNIT_ASSERT(argv[3] == "-q"); CPPUNIT_ASSERT(argv[4] == "foo"); CPPUNIT_ASSERT(argv[5] == "bar"); argv.clear(); parseCommandLine( "c:\\Program Files\\plink.exe -i \"c:\\Documents and Settings\\firewall\\identity.key\" -q foo bar", argv); qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "c:\\Program Files\\plink.exe"); CPPUNIT_ASSERT(argv[1] == "-i"); CPPUNIT_ASSERT(argv[2] == "c:\\Documents and Settings\\firewall\\identity.key"); CPPUNIT_ASSERT(argv[3] == "-q"); CPPUNIT_ASSERT(argv[4] == "foo"); CPPUNIT_ASSERT(argv[5] == "bar"); argv.clear(); parseCommandLine( "c:\\Program Files\\plink.exe -i 'c:\\Documents and Settings\\firewall\\identity.key' -q foo bar", argv); qDebug() << argv; CPPUNIT_ASSERT(argv[0] == "c:\\Program Files\\plink.exe"); CPPUNIT_ASSERT(argv[1] == "-i"); CPPUNIT_ASSERT(argv[2] == "c:\\Documents and Settings\\firewall\\identity.key"); CPPUNIT_ASSERT(argv[3] == "-q"); CPPUNIT_ASSERT(argv[4] == "foo"); CPPUNIT_ASSERT(argv[5] == "bar"); } fwbuilder-5.3.7/src/unit_tests/parseCommandLineTest/parseCommandLineTest.h000066400000000000000000000022271303637203600270220ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2009 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id$ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef RCSTEST_H #define RCSTEST_H #include class parseCommandLineTest : public CppUnit::TestFixture { public: void parseCommandLines(); CPPUNIT_TEST_SUITE(parseCommandLineTest); CPPUNIT_TEST(parseCommandLines); CPPUNIT_TEST_SUITE_END(); }; #endif // RCSTEST_H fwbuilder-5.3.7/src/unit_tests/parseCommandLineTest/parseCommandLineTest.pro000066400000000000000000000002631303637203600273710ustar00rootroot00000000000000include(../tests_common.pri) QT += gui network HEADERS += parseCommandLineTest.h SOURCES += main_parseCommandLineTest.cpp parseCommandLineTest.cpp TARGET = parseCommandLineTest fwbuilder-5.3.7/src/unit_tests/startTipDialogTest/000077500000000000000000000000001303637203600222765ustar00rootroot00000000000000fwbuilder-5.3.7/src/unit_tests/startTipDialogTest/main_startTipDialogTest.cpp000066400000000000000000000033071303637203600276030ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: main_startTipDialogTest.cpp 2948 2010-06-02 19:11:31Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "startTipDialogTest.h" #include #include #include "FWWindow.h" #include "FWBSettings.h" #include "FWBApplication.h" using namespace std; using namespace libfwbuilder; int fwbdebug = 0; FWWindow *mw = NULL; FWBSettings *st = NULL; FWBApplication *app = NULL; int sig = FWB_SIG; extern void build_app(int argc, char** argv, FWBApplication** app, FWBSettings** st); int main(int argc, char** argv) { app = new FWBApplication(argc, argv); app->setOrganizationName(QLatin1String("NetCitadel")); app->setApplicationName(QLatin1String("Firewall Builder")); build_app(argc, argv, &app, &st); QTest::qExec(new startTipDialogTest()); if (QFile::exists("test_work.fwb")) QFile::remove("test_work.fwb"); } fwbuilder-5.3.7/src/unit_tests/startTipDialogTest/startTipDialogTest.cpp000066400000000000000000000064321303637203600266010ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: startTipDialogTest.cpp 3043 2010-06-30 14:19:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "startTipDialogTest.h" #include "FWWindow.h" #include "FWBApplication.h" #include "StartTipDialog.h" #include #include "global.h" #include "FWBSettings.h" #include #include #include #include #include "common/commoninit.h" #include "platforms.h" startTipDialogTest::startTipDialogTest(QWidget *parent) : QObject(parent) { } void startTipDialogTest::testDialogAppear() { st->setBool("UI/NoStartTip", false); st->setBool("UI/FirstRun", true); mw = new FWWindow(); mw->show(); mw->startupLoad(); StartTipDialog *dialog = NULL; for(int i=0; i<10; i++) { qDebug() << "app->topLevelWidgets():"; foreach (QWidget *widget, QApplication::topLevelWidgets()) { if (dynamic_cast(widget) != NULL) { qDebug() << widget << "isHidden()=" << widget->isHidden(); if (widget->objectName() == "StartTipDialog_q") dialog = dynamic_cast(widget); } } // qDebug() << "app->activeWindow()=" << app->activeWindow(); // dialog = dynamic_cast(app->activeWindow()); qDebug() << "--"; if (dialog == NULL) QTest::qWait(1000); else break; } Q_ASSERT(dialog != NULL); QPushButton *prevTip = dialog->findChild("prevTipButton"); QPushButton *nextTip = dialog->findChild("nextTipButton"); QTextBrowser *textview = dialog->findChild("textview"); QString oldtext = textview->toPlainText(); QTest::mouseClick(prevTip, Qt::LeftButton); QVERIFY(oldtext != textview->toPlainText()); oldtext = textview->toPlainText(); QTest::mouseClick(nextTip, Qt::LeftButton); QVERIFY(oldtext != textview->toPlainText()); dialog->reject(); mw->hide(); mw->deleteLater(); } void startTipDialogTest::testDialogNotAppear() { st->setBool("UI/NoStartTip", true); st->setBool("UI/FirstRun", false); mw = new FWWindow(); mw->show(); mw->startupLoad(); StartTipDialog *dialog = NULL; for(int i=0; i<10; i++) { dialog = dynamic_cast(app->activeWindow()); if (dialog == NULL) QTest::qWait(1000); else break; 
} Q_ASSERT(dialog == NULL); } void startTipDialogTest::cleanupTestCase() { } fwbuilder-5.3.7/src/unit_tests/startTipDialogTest/startTipDialogTest.h000066400000000000000000000023651303637203600262470ustar00rootroot00000000000000/* Firewall Builder Copyright (C) 2010 NetCitadel, LLC Author: Roman Bovsunivskiy a2k0001@gmail.com $Id: startTipDialogTest.h 3043 2010-06-30 14:19:36Z a2k $ This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. To get a copy of the GNU General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FWWINDOWTEST_H #define FWWINDOWTEST_H #include #include #include class startTipDialogTest : public QObject { Q_OBJECT public: startTipDialogTest(QWidget *parent = 0); private slots: void testDialogAppear(); void testDialogNotAppear(); void cleanupTestCase(); }; #endif // FWWINDOWTEST_H fwbuilder-5.3.7/src/unit_tests/startTipDialogTest/startTipDialogTest.pro000066400000000000000000000002701303637203600266110ustar00rootroot00000000000000include(../tests_common.pri) QT += testlib network gui TARGET = startTipDialogTest HEADERS += startTipDialogTest.h SOURCES += main_startTipDialogTest.cpp \ startTipDialogTest.cpp fwbuilder-5.3.7/src/unit_tests/tests_common.pri000066400000000000000000000044441303637203600217400ustar00rootroot00000000000000#-*- mode: makefile; tab-width: 4; -*- # include(../../qmake.inc) QT += network OBJECTS_DIR = .obj MOC_DIR = .moc QMAKE_CXXFLAGS += $$CPPUNIT_CFLAGS CONFIG -= release CONFIG += debug INCLUDEPATH 
+= ../../.. \ ../.. \ ../../common \ ../../parsers \ ../../import \ ../../compiler_lib \ ../../libgui \ ../../libgui/.ui \ ../../iptlib \ ../../pflib \ ../../cisco_lib \ ../../libfwbuilder/src DEPENDPATH += ../../.. \ ../.. \ ../../common \ ../../parsers \ ../../import \ ../../compiler_lib \ ../../libgui \ ../../libgui/.ui \ ../../iptlib \ ../../pflib \ ../../cisco_lib \ ../../libfwbuilder/src run_tests.commands = echo "Running tests..."; ./${TARGET} run_tests.depends = build_tests build_tests.depends = all clean_tests.depends = clean QMAKE_EXTRA_TARGETS += run_tests build_tests clean_tests INCLUDEPATH += $$ANTLR_INCLUDEPATH DEPENDPATH += $$ANTLR_INCLUDEPATH DEFINES += $$ANTLR_DEFINES DEPENDPATH = ../../common \ ../../iptlib \ ../../pflib \ ../../cisco_lib/ \ ../../compiler_lib \ ../../libgui \ ../../libfwbuilder/src/fwbuilder \ ../../libfwbuilder/src/fwcompiler STATIC_LIBS += \ ../main/libtest_main.a \ ../../libgui/libgui.a \ ../../import/libimport.a \ ../../common/libcommon.a \ ../../iptlib/libiptlib.a \ ../../pflib/libfwbpf.a \ ../../cisco_lib/libfwbcisco.a \ ../../compiler_lib/libcompilerdriver.a \ ../../libfwbuilder/src/fwcompiler/libfwcompiler.a \ ../../libfwbuilder/src/fwbuilder/libfwbuilder.a \ ../../parsers/libfwbparser.a \ $$ANTLR_LIBS \ $$CPPUNIT_LIBS PRE_TARGETDEPS += ../../common/libcommon.a \ ../main/libtest_main.a \ ../../iptlib/libiptlib.a \ ../../pflib/libfwbpf.a \ ../../cisco_lib/libfwbcisco.a \ ../../compiler_lib/libcompilerdriver.a \ ../../parsers/libfwbparser.a \ ../../import/libimport.a \ ../../libfwbuilder/src/fwcompiler/libfwcompiler.a \ ../../libfwbuilder/src/fwbuilder/libfwbuilder.a \ $$ANTLR_LIBS LIBS = $$STATIC_LIBS $$LIBS fwbuilder-5.3.7/src/unit_tests/unit_tests.pro000066400000000000000000000006241303637203600214310ustar00rootroot00000000000000DOLLAR = $ libgui.target = ../libgui/libgui.a libgui.commands = cd ../libgui && qmake -spec $$QMAKESPEC && make && cd - build_tests.commands = ./unit_tests.sh make build_tests run_tests.commands 
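= ./unit_tests.sh make run_tests clean_tests.commands = ./unit_tests.sh make clean build_tests.depends = libgui run_tests.depends = libgui QMAKE_EXTRA_TARGETS += libgui run_tests clean_tests build_tests fwbuilder-5.3.7/src/unit_tests/unit_tests.sh000077500000000000000000000005241303637203600212450ustar00rootroot00000000000000
#!/bin/sh
# Build and run the fwbuilder unit-test subprojects.
#
# Usage:  unit_tests.sh COMMAND [ARGS...]
#   e.g.  unit_tests.sh make run_tests        (invoked this way from unit_tests.pro)
#
# Runs "$QMAKE [-spec $QMAKESPEC]" followed by COMMAND in ./main first
# (the other tests link against ../main/libtest_main.a), then in every
# top-level subdirectory whose name consists only of [A-Za-z0-9_-]
# (this visits ./main a second time, as the original did).
#
# Environment:
#   QMAKE      qmake binary to use (default: qmake)
#   QMAKESPEC  if set, passed to qmake as "-spec $QMAKESPEC"
#
# Kept strictly POSIX sh: no "local", no "pipefail", no arrays.

QMAKE="${QMAKE:-qmake}"
QMAKEPARAMS="${QMAKESPEC:+ -spec $QMAKESPEC}"

set -e

# build DIR COMMAND [ARGS...]
# Runs qmake and then COMMAND inside DIR.  The whole body is a subshell,
# so the caller's cwd and positional parameters are untouched and the
# scratch variable needs no (non-POSIX) "local".
build() {
  (
    _d=$1
    shift
    # $QMAKE and $QMAKEPARAMS are intentionally unquoted: they may carry
    # more than one word ("-spec <name>") and must be split.
    cd "$_d" && $QMAKE $QMAKEPARAMS && "$@"
  )
}

build main "$@"

# Only directory names made of safe characters are visited; "." itself
# never matches because of the mandatory "./" prefix.  "read -r" keeps
# backslashes literal.  The while loop is the last pipeline stage, so a
# failing build should abort the script under "set -e"; a failing find
# would not be noticed (POSIX sh has no pipefail).
find . -maxdepth 1 -type d \
  | grep -E -- '^\./[A-Za-z0-9_-]*$' \
  | while IFS= read -r _d; do
    printf '======================= %s\n' "$_d"
    build "$_d" "$@"
  done
fwbuilder-5.3.7/test/000077500000000000000000000000001303637203600144735ustar00rootroot00000000000000fwbuilder-5.3.7/test/combined/000077500000000000000000000000001303637203600162535ustar00rootroot00000000000000fwbuilder-5.3.7/test/combined/objects.fwb000066400000000000000000000744471303637203600204140ustar00rootroot00000000000000 fwbuilder-5.3.7/test/iosacl/000077500000000000000000000000001303637203600157455ustar00rootroot00000000000000fwbuilder-5.3.7/test/iosacl/Makefile000066400000000000000000000007301303637203600174050ustar00rootroot00000000000000 FW_OBJECTS := $(shell fwbedit list -f objects-for-regression-tests.fwb -o /User/Firewalls -c -F%name% | sort) CL_OBJECTS := $(shell fwbedit list -f cluster-tests.fwb -o /User/Clusters -c -F%name% | sort) $(FW_OBJECTS): fwb_iosacl -f objects-for-regression-tests.fwb -xt $@ $(CL_OBJECTS): fwb_iosacl -f cluster-tests.fwb -xt -xc $@ .PHONY: all firewalls clusters $(FW_OBJECTS) $(CL_OBJECTS) all: firewalls clusters firewalls: $(FW_OBJECTS) clusters: $(CL_OBJECTS) fwbuilder-5.3.7/test/iosacl/addr-table-1.tbl000066400000000000000000000003041303637203600206020ustar00rootroot00000000000000# this is a comment # ; this should be a comment too ; 192.168.1.1 192.168.1.2/32 192.168.1.3/30 192.168.2.128/25 192.168.1.200/32 # comment again 192.168.1.201/32 # this should work, too 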
fwbuilder-5.3.7/test/iosacl/auto-interface-test.fw.orig000077500000000000000000000112541303637203600231330ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:19 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! !# files: * auto-interface-test.fw ! ! An example of Cisco router ! ! Prolog script: ! ! ! End of prolog script: ! ! temporary access list for "safety net install" no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 192.168.1.1 0.0.0.0 any deny ip any any exit interface FastEthernet0/0 no ip access-group in no ip access-group out ip access-group tmp_acl in exit no ip access-list extended e1_0_in no ip access-list extended e1_0_out no ip access-list extended e1_1_in no ip access-list extended e1_1_out no ip access-list extended fe0_0_in no ip access-list extended fe0_0_out no ipv6 access-list ipv6_Policy_v6_e1_0_in no ipv6 access-list ipv6_Policy_v6_e1_0_out no ipv6 access-list ipv6_Policy_v6_e1_1_in no ipv6 access-list ipv6_Policy_v6_e1_1_out no ipv6 access-list ipv6_Policy_v6_fe0_0_in no ipv6 access-list ipv6_Policy_v6_fe0_0_out ! ================ IPv4 ip access-list extended e1_0_in ! ! Rule 0 (global) permit ip 10.1.1.0 0.0.0.255 any ! ! Rule 1 (global) permit ip 10.1.1.0 0.0.0.255 any ! ! Rule 4 (global) permit ip 10.1.0.0 0.0.255.255 any exit ip access-list extended e1_0_out ! ! Rule 0 (global) permit ip 10.1.1.0 0.0.0.255 any ! ! Rule 2 (global) permit ip 10.1.2.0 0.0.0.255 any ! ! Rule 3 (global) permit ip 10.1.3.0 0.0.0.255 any ! ! Rule 4 (global) permit ip 10.1.0.0 0.0.255.255 any exit ip access-list extended e1_1_in ! ! Rule 1 (global) permit ip 10.1.1.0 0.0.0.255 any ! ! Rule 2 (global) permit ip 10.1.2.0 0.0.0.255 any ! ! Rule 4 (global) permit ip 10.1.0.0 0.0.255.255 any exit ip access-list extended e1_1_out ! ! Rule 0 (global) permit ip 10.1.1.0 0.0.0.255 any ! ! Rule 2 (global) permit ip 10.1.2.0 0.0.0.255 any ! 
! Rule 3 (global) permit ip 10.1.3.0 0.0.0.255 any ! ! Rule 4 (global) permit ip 10.1.0.0 0.0.255.255 any exit ip access-list extended fe0_0_in ! ! Rule 1 (global) permit ip 10.1.1.0 0.0.0.255 any ! ! Rule 3 (global) permit ip 10.1.3.0 0.0.0.255 any ! ! Rule 4 (global) permit ip 10.1.0.0 0.0.255.255 any exit ip access-list extended fe0_0_out ! ! Rule 0 (global) permit ip 10.1.1.0 0.0.0.255 any ! ! Rule 2 (global) permit ip 10.1.2.0 0.0.0.255 any ! ! Rule 3 (global) permit ip 10.1.3.0 0.0.0.255 any ! ! Rule 4 (global) permit ip 10.1.0.0 0.0.255.255 any exit interface Ethernet1/0 ip access-group e1_0_in in exit interface Ethernet1/0 ip access-group e1_0_out out exit interface Ethernet1/1 ip access-group e1_1_in in exit interface Ethernet1/1 ip access-group e1_1_out out exit interface FastEthernet0/0 ip access-group fe0_0_in in exit interface FastEthernet0/0 ip access-group fe0_0_out out exit ! ================ IPv6 ipv6 access-list ipv6_Policy_v6_e1_0_in ! ! Rule Policy_v6 0 (global) permit ipv6 2001:1234:1::/64 any ! ! Rule Policy_v6 1 (global) permit ipv6 2001:1234:1::/64 any ! ! Rule Policy_v6 4 (global) permit ipv6 2001:1234::/48 any exit ipv6 access-list ipv6_Policy_v6_e1_0_out ! ! Rule Policy_v6 0 (global) permit ipv6 2001:1234:1::/64 any ! ! Rule Policy_v6 2 (global) permit ipv6 2001:1234:2::/64 any ! ! Rule Policy_v6 3 (global) permit ipv6 2001:1234:3::/64 any ! ! Rule Policy_v6 4 (global) permit ipv6 2001:1234::/48 any exit ipv6 access-list ipv6_Policy_v6_e1_1_in ! ! Rule Policy_v6 1 (global) permit ipv6 2001:1234:1::/64 any ! ! Rule Policy_v6 2 (global) permit ipv6 2001:1234:2::/64 any ! ! Rule Policy_v6 4 (global) permit ipv6 2001:1234::/48 any exit ipv6 access-list ipv6_Policy_v6_e1_1_out ! ! Rule Policy_v6 0 (global) permit ipv6 2001:1234:1::/64 any ! ! Rule Policy_v6 2 (global) permit ipv6 2001:1234:2::/64 any ! ! Rule Policy_v6 3 (global) permit ipv6 2001:1234:3::/64 any ! ! 
Rule Policy_v6 4 (global) permit ipv6 2001:1234::/48 any exit ipv6 access-list ipv6_Policy_v6_fe0_0_in ! ! Rule Policy_v6 1 (global) permit ipv6 2001:1234:1::/64 any ! ! Rule Policy_v6 3 (global) permit ipv6 2001:1234:3::/64 any ! ! Rule Policy_v6 4 (global) permit ipv6 2001:1234::/48 any exit ipv6 access-list ipv6_Policy_v6_fe0_0_out ! ! Rule Policy_v6 0 (global) permit ipv6 2001:1234:1::/64 any ! ! Rule Policy_v6 2 (global) permit ipv6 2001:1234:2::/64 any ! ! Rule Policy_v6 3 (global) permit ipv6 2001:1234:3::/64 any ! ! Rule Policy_v6 4 (global) permit ipv6 2001:1234::/48 any exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/block-hosts.tbl000066400000000000000000000016301303637203600207000ustar00rootroot00000000000000# # use this table to test run-time AddressTable object # (this is just a small collection of addresses that sent spam to me # on Nov 20 2005) # 151.8.224.178 # this is also a comment 168.156.76.20 193.207.126.36 195.136.186.35 196.15.136.15 201.10.180.138 201.17.93.16 201.36.156.121 202.103.25.253 202.96.112.93 203.162.3.209 203.209.124.144 210.106.193.237 210.222.114.102 211.144.143.143 211.172.218.237 211.250.16.132 212.100.212.100 212.21.241.31 218.104.138.146 218.18.72.252 218.39.114.122 218.55.115.43 219.132.104.160 220.71.17.86 220.81.50.105 220.91.99.46 221.14.249.242 221.166.177.135 221.198.33.38 221.202.160.233 221.205.54.125 221.217.44.248 222.100.212.223 222.121.118.144 222.174.113.2 58.231.13.78 58.33.181.83 58.53.82.190 61.150.47.112 61.184.14.102 64.106.85.186 70.228.60.100 80.243.72.149 80.249.77.34 80.51.236.6 81.196.74.125 81.2.36.254 82.117.221.205 82.143.196.17 82.77.37.174 84.90.8.198 fwbuilder-5.3.7/test/iosacl/c3620.fw.orig000077500000000000000000000142141303637203600200040ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:19 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! 
!# files: * c3620.fw ! ! ! Prolog script: ! ! ! End of prolog script: ! no service timestamp log datetime localtime logging buffered 6 logging console 6 no ip access-list extended e1_0_in no ip access-list extended e1_0_out no ip access-list extended e1_1_in no ip access-list extended e1_1_out no ip access-list extended fe0_0_in no ip access-list extended fe0_0_out ! ================ IPv4 ip access-list extended e1_0_in ! ! Rule -1 backup ssh access rule (automatic) remark -1 backup ssh access rule (automatic) permit tcp host 10.3.14.41 host 10.3.14.201 eq 22 permit tcp host 10.3.14.41 host 192.168.171.2 eq 22 ! ! Rule 1 (Ethernet1/0) ! this comment has empty lines at the end ! remark 1 (Ethernet1/0) remark this comment has empty lines at the end permit tcp any any eq 80 ! ! Rule 2 (Ethernet1/0) ! this comment has empty line in the middle ! ! last line remark 2 (Ethernet1/0) remark this comment has empty line in the middle remark last line permit tcp any any eq 443 ! ! Rule 5 (Ethernet1/0) remark 5 (Ethernet1/0) permit ip any 10.3.14.0 0.0.0.255 ! ! Rule 7 (global) remark 7 (global) permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 8 (global) remark 8 (global) permit tcp any 10.3.14.0 0.0.0.255 eq 22 permit udp any 10.3.14.0 0.0.0.255 eq 53 permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 9 (global) remark 9 (global) permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 10 (global) remark 10 (global) permit tcp any eq 80 10.3.14.0 0.0.0.255 established exit ip access-list extended e1_0_out ! ! Rule -2 backup ssh access rule (out) (automatic) remark -2 backup ssh access rule (out) (automatic) permit tcp host 10.3.14.201 eq 22 host 10.3.14.41 permit tcp host 192.168.171.2 eq 22 host 10.3.14.41 ! ! Rule 1 (Ethernet1/0) ! this comment has empty lines at the end ! remark 1 (Ethernet1/0) remark this comment has empty lines at the end permit tcp any any eq 80 ! ! Rule 2 (Ethernet1/0) ! this comment has empty line in the middle ! ! 
last line remark 2 (Ethernet1/0) remark this comment has empty line in the middle remark last line permit tcp any any eq 443 ! ! Rule 4 (Ethernet1/0) ! this comment ends with a whitespace remark 4 (Ethernet1/0) remark this comment ends with a whitespace permit ip 10.3.14.0 0.0.0.255 any exit ip access-list extended e1_1_in ! ! Rule -1 backup ssh access rule (automatic) remark -1 backup ssh access rule (automatic) permit tcp host 10.3.14.41 host 10.3.14.201 eq 22 permit tcp host 10.3.14.41 host 192.168.171.2 eq 22 ! ! Rule 0 (Ethernet1/1) ! interface eth 1/1 has only ! inbound access list remark 0 (Ethernet1/1) remark interface eth 1/1 has only remark inbound access list permit tcp any any eq 80 ! ! Rule 7 (global) remark 7 (global) permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 8 (global) remark 8 (global) permit tcp any 10.3.14.0 0.0.0.255 eq 22 permit udp any 10.3.14.0 0.0.0.255 eq 53 permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 9 (global) remark 9 (global) permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 10 (global) remark 10 (global) permit tcp any eq 80 10.3.14.0 0.0.0.255 established exit ip access-list extended e1_1_out ! ! Rule -2 backup ssh access rule (out) (automatic) remark -2 backup ssh access rule (out) (automatic) permit tcp host 10.3.14.201 eq 22 host 10.3.14.41 permit tcp host 192.168.171.2 eq 22 host 10.3.14.41 exit ip access-list extended fe0_0_in ! ! Rule -1 backup ssh access rule (automatic) remark -1 backup ssh access rule (automatic) permit tcp host 10.3.14.41 host 10.3.14.201 eq 22 permit tcp host 10.3.14.41 host 192.168.171.2 eq 22 ! ! Rule 3 (FastEthernet0/0) ! this comment starts with a whitespace remark 3 (FastEthernet0/0) remark this comment starts with a whitespace permit ip 10.3.14.0 0.0.0.255 any ! ! Rule 7 (global) remark 7 (global) permit tcp any 10.3.14.0 0.0.0.255 established ! ! 
Rule 8 (global) remark 8 (global) permit tcp any 10.3.14.0 0.0.0.255 eq 22 permit udp any 10.3.14.0 0.0.0.255 eq 53 permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 9 (global) remark 9 (global) permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 10 (global) remark 10 (global) permit tcp any eq 80 10.3.14.0 0.0.0.255 established exit ip access-list extended fe0_0_out ! ! Rule -2 backup ssh access rule (out) (automatic) remark -2 backup ssh access rule (out) (automatic) permit tcp host 10.3.14.201 eq 22 host 10.3.14.41 permit tcp host 192.168.171.2 eq 22 host 10.3.14.41 ! ! Rule 6 (FastEthernet0/0) remark 6 (FastEthernet0/0) permit ip any 10.3.14.0 0.0.0.255 ! ! Rule 7 (global) remark 7 (global) permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 8 (global) remark 8 (global) permit tcp any 10.3.14.0 0.0.0.255 eq 22 permit udp any 10.3.14.0 0.0.0.255 eq 53 permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 9 (global) remark 9 (global) permit tcp any 10.3.14.0 0.0.0.255 established ! ! Rule 10 (global) remark 10 (global) permit tcp any eq 80 10.3.14.0 0.0.0.255 established exit interface Ethernet1/0 ip access-group e1_0_in in exit interface Ethernet1/0 ip access-group e1_0_out out exit interface Ethernet1/1 ip access-group e1_1_in in exit interface Ethernet1/1 ip access-group e1_1_out out exit interface FastEthernet0/0 ip access-group fe0_0_in in exit interface FastEthernet0/0 ip access-group fe0_0_out out exit ! ! Rule 0 (main) ! ! ! ip route 10.10.10.0 255.255.255.0 10.3.14.254 1 ! ! Rule 1 (main) ! ! ! ip route 10.10.11.0 255.255.255.0 FastEthernet0/0 1 ! ! Rule 2 (main) ! ! ! ip route 10.10.12.0 255.255.255.0 FastEthernet0/0 1 ! ! Rule 3 (main) ! ! ! ip route 0.0.0.0 0.0.0.0 Ethernet1/0 1 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/ccie4u-r1.fw.orig000077500000000000000000000452741303637203600207550ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! 
Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:19 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! !# files: * ccie4u-r1.fw ! ! CCIE4U router R1 ! 2600 ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it ! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 5 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it ! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 6 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! 
ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ! Prolog script: ! ! ! End of prolog script: ! ! temporary access list for "safety net install" no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 10.1.1.0 0.0.0.0 any deny ip any any exit interface FastEthernet0/0 no ip access-group in no ip access-group out ip access-group tmp_acl in exit no ip access-list extended fe0_0_in no ip access-list extended fe0_0_out no ip access-list extended fe0_1_in no ip access-list extended fe0_1_out no ipv6 access-list ipv6_fe0_0_in no ipv6 access-list ipv6_fe0_0_out no ipv6 access-list ipv6_fe0_1_in no ipv6 access-list ipv6_fe0_1_out ! ================ IPv4 ip access-list extended fe0_0_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp host 10.1.1.100 host 10.1.1.1 eq 22 permit tcp host 10.1.1.100 host 10.1.2.1 eq 22 ! ! Rule r1-ipv4 1 (global) permit icmp any host 61.150.47.112 8 permit icmp any host 192.168.1.0 8 permit 50 any host 61.150.47.112 dscp af12 permit 50 any host 192.168.1.0 dscp af12 ! ! Rule r1-ipv4 2 (global) permit icmp host 61.150.47.112 any 8 permit icmp host 192.168.1.0 any 8 exit ip access-list extended fe0_0_out ! ! 
Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.1.1.1 eq 22 host 10.1.1.100 permit tcp host 10.1.2.1 eq 22 host 10.1.1.100 ! ! Rule r1-ipv4 1 (global) permit icmp any host 61.150.47.112 8 permit icmp any host 192.168.1.0 8 permit 50 any host 61.150.47.112 dscp af12 permit 50 any host 192.168.1.0 dscp af12 ! ! Rule r1-ipv4 2 (global) permit icmp host 61.150.47.112 any 8 permit icmp host 192.168.1.0 any 8 exit ip access-list extended fe0_1_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp host 10.1.1.100 host 10.1.1.1 eq 22 permit tcp host 10.1.1.100 host 10.1.2.1 eq 22 ! ! Rule r1-ipv4 1 (global) permit icmp any host 61.150.47.112 8 permit icmp any host 192.168.1.0 8 permit 50 any host 61.150.47.112 dscp af12 permit 50 any host 192.168.1.0 dscp af12 ! ! Rule r1-ipv4 2 (global) permit icmp host 61.150.47.112 any 8 permit icmp host 192.168.1.0 any 8 exit ip access-list extended fe0_1_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.1.1.1 eq 22 host 10.1.1.100 permit tcp host 10.1.2.1 eq 22 host 10.1.1.100 ! ! Rule r1-ipv4 1 (global) permit icmp any host 61.150.47.112 8 permit icmp any host 192.168.1.0 8 permit 50 any host 61.150.47.112 dscp af12 permit 50 any host 192.168.1.0 dscp af12 ! ! Rule r1-ipv4 2 (global) permit icmp host 61.150.47.112 any 8 permit icmp host 192.168.1.0 any 8 exit interface FastEthernet0/0 ip access-group fe0_0_in in exit interface FastEthernet0/0 ip access-group fe0_0_out out exit interface FastEthernet0/1 ip access-group fe0_1_in in exit interface FastEthernet0/1 ip access-group fe0_1_out out exit ! ================ IPv6 ipv6 access-list ipv6_fe0_0_in ! ! Rule r1-ipv6 0 (global) permit tcp fe80::/64 any eq 22 ! ! Rule r1-ipv6 1 (global) ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it ! 
ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule r1-ipv6 2 (global) ! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 5 (global)' below it ! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 6 (global)' below it permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule r1-ipv6 3 (global) ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule r1-ipv6 4 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule r1-ipv6 5 (global) permit tcp host 2001:5c0:0:2::24 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp 3ffe:1200:2000::/36 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule r1-ipv6 6 (global) permit tcp host 2001:5c0:0:2::24 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule r1-ipv6 7 (global) permit ipv6 any host fe80::21d:9ff:fe8b:8e94 log ! ! Rule r1-ipv6 8 (global) permit ipv6 fe80::/64 any log ! ! Rule r1-ipv6 9 (global) ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it ! 
ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule r1-ipv6 10 (global) permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule r1-ipv6 11 (global) permit 50 host 2001:5c0:0:2::24 any dscp af11 permit 50 host 3ffe:1200:2001:1:8000::1 any dscp af11 ! ! Rule r1-ipv6 12 (global) permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established ! ! Rule r1-ipv6 13 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 permit udp host 2001:5c0:0:2::24 any eq 161 permit udp host 3ffe:1200:2001:1:8000::1 any eq 161 permit icmp host 2001:5c0:0:2::24 any 128 permit icmp host 3ffe:1200:2001:1:8000::1 any 128 permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established exit ipv6 access-list ipv6_fe0_0_out ! ! Rule r1-ipv6 0 (global) permit tcp fe80::/64 any eq 22 ! ! Rule r1-ipv6 1 (global) ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule r1-ipv6 3 (global) ! 
ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule r1-ipv6 4 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule r1-ipv6 8 (global) permit ipv6 fe80::/64 any log ! ! Rule r1-ipv6 9 (global) ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule r1-ipv6 10 (global) permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule r1-ipv6 11 (global) permit 50 host 2001:5c0:0:2::24 any dscp af11 permit 50 host 3ffe:1200:2001:1:8000::1 any dscp af11 ! ! Rule r1-ipv6 12 (global) permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established ! ! 
Rule r1-ipv6 13 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 permit udp host 2001:5c0:0:2::24 any eq 161 permit udp host 3ffe:1200:2001:1:8000::1 any eq 161 permit icmp host 2001:5c0:0:2::24 any 128 permit icmp host 3ffe:1200:2001:1:8000::1 any 128 permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established exit ipv6 access-list ipv6_fe0_1_in ! ! Rule r1-ipv6 1 (global) ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule r1-ipv6 2 (global) ! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 5 (global)' below it ! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 6 (global)' below it permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule r1-ipv6 3 (global) ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule r1-ipv6 4 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! 
Rule r1-ipv6 5 (global) permit tcp host 2001:5c0:0:2::24 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp 3ffe:1200:2000::/36 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule r1-ipv6 6 (global) permit tcp host 2001:5c0:0:2::24 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule r1-ipv6 7 (global) permit ipv6 any host fe80::21d:9ff:fe8b:8e94 log ! ! Rule r1-ipv6 9 (global) ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule r1-ipv6 10 (global) permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule r1-ipv6 11 (global) permit 50 host 2001:5c0:0:2::24 any dscp af11 permit 50 host 3ffe:1200:2001:1:8000::1 any dscp af11 ! ! Rule r1-ipv6 12 (global) permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established ! ! Rule r1-ipv6 13 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 permit udp host 2001:5c0:0:2::24 any eq 161 permit udp host 3ffe:1200:2001:1:8000::1 any eq 161 permit icmp host 2001:5c0:0:2::24 any 128 permit icmp host 3ffe:1200:2001:1:8000::1 any 128 permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established exit ipv6 access-list ipv6_fe0_1_out ! ! Rule r1-ipv6 0 (global) permit tcp fe80::/64 any eq 22 ! ! Rule r1-ipv6 1 (global) ! 
ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it ! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule r1-ipv6 3 (global) ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it ! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule r1-ipv6 4 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule r1-ipv6 8 (global) permit ipv6 fe80::/64 any log ! ! Rule r1-ipv6 9 (global) ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it ! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule r1-ipv6 10 (global) permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! 
Rule r1-ipv6 11 (global) permit 50 host 2001:5c0:0:2::24 any dscp af11 permit 50 host 3ffe:1200:2001:1:8000::1 any dscp af11 ! ! Rule r1-ipv6 12 (global) permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established ! ! Rule r1-ipv6 13 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 permit udp host 2001:5c0:0:2::24 any eq 161 permit udp host 3ffe:1200:2001:1:8000::1 any eq 161 permit icmp host 2001:5c0:0:2::24 any 128 permit icmp host 3ffe:1200:2001:1:8000::1 any 128 permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established exit interface FastEthernet0/0 ipv6 traffic-filter ipv6_fe0_0_in in exit interface FastEthernet0/0 ipv6 traffic-filter ipv6_fe0_0_out out exit interface FastEthernet0/1 ipv6 traffic-filter ipv6_fe0_1_in in exit interface FastEthernet0/1 ipv6 traffic-filter ipv6_fe0_1_out out exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/cluster-tests.fwb000066400000000000000000007033021303637203600212730ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established -m state --state ESTABLISHED,RELATED -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/test/iosacl/do-diff000077500000000000000000000002731303637203600172050ustar00rootroot00000000000000#!/bin/sh N=$1 if which opendiff > /dev/null; then TOOL="opendiff" elif which tkdiff > /dev/null; then TOOL="tkdiff " else TOOL="diff -u -b -B" fi $TOOL ${N}.fw.orig ${N}.fw fwbuilder-5.3.7/test/iosacl/dynamips1-og.fw.orig000077500000000000000000000111041303637203600215520ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:19 2011 PST by vadim ! ! Compiled for iosacl 12.4 ! 
!# files: * dynamips1-og.fw ! ! IOS 12.4 with object-groups ! ! Prolog script: ! ! ! End of prolog script: ! no ip access-list extended fe0_0_in no ip access-list extended fe0_0_out no ipv6 access-list ipv6_fe0_0_in no ipv6 access-list ipv6_fe0_0_out no object-group network id29216X37699.src.net.0 no object-group service id29216X37699.srv.udp.0 no object-group network id18740X37673.dst.net.0 no object-group network id18964X37673.src.net.0 object-group network id29216X37699.src.net.0 host 61.150.47.112 host 192.168.1.0 exit object-group service id29216X37699.srv.udp.0 udp range 1024 65535 udp eq 161 exit object-group network id18740X37673.dst.net.0 10.3.14.0 /24 host 192.0.2.1 host 192.0.2.2 host 192.0.2.3 exit object-group network id18964X37673.src.net.0 host 192.0.2.1 host 192.0.2.2 host 192.0.2.3 exit ! ================ IPv4 ip access-list extended fe0_0_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp 10.3.14.0 0.0.0.255 host 10.3.14.114 eq 22 ! ! Rule 1 (FastEthernet0/0) ! object-groups can not be used for ipv6 permit icmp object-group id29216X37699.src.net.0 host 10.3.14.114 8 permit object-group id29216X37699.srv.udp.0 object-group id29216X37699.src.net.0 host 10.3.14.114 ! ! Rule 2 (FastEthernet0/0) permit icmp any object-group id18740X37673.dst.net.0 8 permit object-group id29216X37699.srv.udp.0 any object-group id18740X37673.dst.net.0 ! ! Rule 3 (FastEthernet0/0) permit icmp any object-group id18740X37673.dst.net.0 8 log permit udp any object-group id18740X37673.dst.net.0 eq 161 log ! ! Rule 4 (FastEthernet0/0) permit icmp any host 10.3.14.40 8 log permit object-group id29216X37699.srv.udp.0 any host 10.3.14.40 log ! ! Rule 5 (FastEthernet0/0) permit icmp any 10.3.14.0 0.0.0.255 8 log permit object-group id29216X37699.srv.udp.0 any 10.3.14.0 0.0.0.255 log ! ! Rule 6 (global) permit icmp object-group id18740X37673.dst.net.0 any 8 log permit object-group id29216X37699.srv.udp.0 object-group id18740X37673.dst.net.0 any log ! ! 
Rule 7 (global) permit icmp object-group id18740X37673.dst.net.0 any 8 log permit object-group id29216X37699.srv.udp.0 object-group id18740X37673.dst.net.0 any log ! ! Rule 8 (global) permit icmp host 10.3.14.40 any 8 log permit object-group id29216X37699.srv.udp.0 host 10.3.14.40 any log ! ! Rule 9 (FastEthernet0/0) permit udp object-group id18964X37673.src.net.0 any eq 161 ! ! Rule 10 (FastEthernet0/0) permit object-group id29216X37699.srv.udp.0 object-group id18964X37673.src.net.0 any ! ! Rule 11 (global) deny ip 10.3.14.0 0.0.0.255 any log ! ! Rule 12 (global) permit ip any host 10.3.14.114 exit ip access-list extended fe0_0_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.3.14.114 eq 22 10.3.14.0 0.0.0.255 ! ! Rule 0 (FastEthernet0/0) permit ip host 10.3.14.114 any ! ! Rule 6 (global) permit icmp object-group id18740X37673.dst.net.0 any 8 log permit object-group id29216X37699.srv.udp.0 object-group id18740X37673.dst.net.0 any log ! ! Rule 7 (global) permit icmp object-group id18740X37673.dst.net.0 any 8 log permit object-group id29216X37699.srv.udp.0 object-group id18740X37673.dst.net.0 any log ! ! Rule 8 (global) permit icmp host 10.3.14.40 any 8 log permit object-group id29216X37699.srv.udp.0 host 10.3.14.40 any log ! ! Rule 11 (global) deny ip 10.3.14.0 0.0.0.255 any log exit interface FastEthernet0/0 ip access-group fe0_0_in in exit interface FastEthernet0/0 ip access-group fe0_0_out out exit ! ================ IPv6 ipv6 access-list ipv6_fe0_0_in ! ! Rule 1 (FastEthernet0/0) ! object-groups can not be used for ipv6 permit udp host 2001:5c0:0:2::24 host fe80::21d:9ff:fe8b:8e94 gt 1023 permit udp host 2001:5c0:0:2::24 host fe80::21d:9ff:fe8b:8e94 eq 161 permit udp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 gt 1023 permit udp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 161 ! ! Rule 12 (global) permit ipv6 any host fe80::21d:9ff:fe8b:8e94 exit ipv6 access-list ipv6_fe0_0_out ! ! 
Rule 0 (FastEthernet0/0) permit ipv6 host fe80::21d:9ff:fe8b:8e94 any exit interface FastEthernet0/0 ipv6 traffic-filter ipv6_fe0_0_in in exit interface FastEthernet0/0 ipv6 traffic-filter ipv6_fe0_0_out out exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/firewall-ipv6-1.fw.orig000077500000000000000000000274451303637203600221060ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:19 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! !# files: * firewall-ipv6-1.fw ! ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 3 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:2: error: Rule 'fw-ipv6-1-ipv6 2 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:2: error: Rule 'fw-ipv6-1-ipv6 2 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 10 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 10 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 11 (global)' below it ! 
firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 11 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 11 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 11 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 12 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 12 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! ! Prolog script: ! ! ! End of prolog script: ! ! 
temporary access list for "safety net install" no ipv6 access-list tmp_acl ipv6 access-list tmp_acl permit ipv6 host fe80::21d:9ff:aaaa:bbbb any permit icmp any any deny ipv6 any any exit interface Ethernet0/0 no ipv6 traffic-filter in no ipv6 traffic-filter out ipv6 traffic-filter tmp_acl in exit no ip access-list extended fw-ipv6-1-ipv4_e0_0_in no ip access-list extended fw-ipv6-1-ipv4_e0_0_out no ipv6 access-list ipv6_e0_0_in no ipv6 access-list ipv6_e0_0_out ! ================ IPv4 ip access-list extended fw-ipv6-1-ipv4_e0_0_in ! ! Rule fw-ipv6-1-ipv4 1 (global) permit 50 host 61.150.47.112 any dscp af12 permit 50 host 192.168.1.0 any dscp af12 exit ip access-list extended fw-ipv6-1-ipv4_e0_0_out permit 50 host 61.150.47.112 any dscp af12 permit 50 host 192.168.1.0 any dscp af12 exit ! ================ IPv6 ipv6 access-list ipv6_e0_0_in ! ! Rule fw-ipv6-1-ipv6 0 (global) permit tcp fe80::/64 any eq 22 ! ! Rule fw-ipv6-1-ipv6 1 (global) ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 3 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule fw-ipv6-1-ipv6 2 (global) ! firewall-ipv6-1:fw-ipv6-1-ipv6:2: error: Rule 'fw-ipv6-1-ipv6 2 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:2: error: Rule 'fw-ipv6-1-ipv6 2 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! 
Rule fw-ipv6-1-ipv6 3 (global) ! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule fw-ipv6-1-ipv6 4 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule fw-ipv6-1-ipv6 5 (global) permit tcp host 2001:5c0:0:2::24 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp 3ffe:1200:2000::/36 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule fw-ipv6-1-ipv6 6 (global) permit tcp host 2001:5c0:0:2::24 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule fw-ipv6-1-ipv6 7 (global) permit ipv6 any host fe80::21d:9ff:fe8b:8e94 log ! ! Rule fw-ipv6-1-ipv6 8 (global) permit ipv6 fe80::/64 any log ! ! Rule fw-ipv6-1-ipv6 9 (global) ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 10 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 11 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 12 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! 
Rule fw-ipv6-1-ipv6 10 (global) permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule fw-ipv6-1-ipv6 11 (global) permit 50 host 2001:5c0:0:2::24 any dscp af11 permit 50 host 3ffe:1200:2001:1:8000::1 any dscp af11 ! ! Rule fw-ipv6-1-ipv6 12 (global) permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established ! ! Rule fw-ipv6-1-ipv6 13 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 permit udp host 2001:5c0:0:2::24 any eq 161 permit udp host 3ffe:1200:2001:1:8000::1 any eq 161 permit icmp host 2001:5c0:0:2::24 any 128 permit icmp host 3ffe:1200:2001:1:8000::1 any 128 permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established exit ipv6 access-list ipv6_e0_0_out ! ! Rule fw-ipv6-1-ipv6 0 (global) permit tcp fe80::/64 any eq 22 ! ! Rule fw-ipv6-1-ipv6 1 (global) ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 3 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule fw-ipv6-1-ipv6 3 (global) ! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it ! 
firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule fw-ipv6-1-ipv6 4 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule fw-ipv6-1-ipv6 8 (global) permit ipv6 fe80::/64 any log ! ! Rule fw-ipv6-1-ipv6 9 (global) ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 10 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 11 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 12 (global)' below it ! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule fw-ipv6-1-ipv6 10 (global) permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule fw-ipv6-1-ipv6 11 (global) permit 50 host 2001:5c0:0:2::24 any dscp af11 permit 50 host 3ffe:1200:2001:1:8000::1 any dscp af11 ! ! Rule fw-ipv6-1-ipv6 12 (global) permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established ! ! 
Rule fw-ipv6-1-ipv6 13 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 permit udp host 2001:5c0:0:2::24 any eq 161 permit udp host 3ffe:1200:2001:1:8000::1 any eq 161 permit icmp host 2001:5c0:0:2::24 any 128 permit icmp host 3ffe:1200:2001:1:8000::1 any 128 permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established exit interface Ethernet0/0 ipv6 traffic-filter ipv6_e0_0_in in exit interface Ethernet0/0 ipv6 traffic-filter ipv6_e0_0_out out exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/firewall-ipv6-2.fw.orig000077500000000000000000000300471303637203600220770ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:19 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! !# files: * firewall-ipv6-2.fw ! ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 3 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:2: error: Rule 'fw-ipv6-2-ipv6 2 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:2: error: Rule 'fw-ipv6-2-ipv6 2 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it ! 
firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 10 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 10 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 11 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 11 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 11 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 11 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 12 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 12 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! 
firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! ! Prolog script: ! ! ! End of prolog script: ! ! temporary access list for "safety net install" no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 1.1.1.0 0.0.0.255 any deny ip any any exit interface Ethernet0/0 no ip access-group in no ip access-group out ip access-group tmp_acl in exit no ip access-list extended e0_0_in no ip access-list extended e0_0_out no ipv6 access-list ipv6_e0_0_in no ipv6 access-list ipv6_e0_0_out ! ================ IPv4 ip access-list extended e0_0_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp host 1.1.1.100 host 1.1.1.1 eq 22 ! ! Rule fw-ipv6-2-ipv4 1 (global) permit 50 host 61.150.47.112 any dscp af12 permit 50 host 192.168.1.0 any dscp af12 exit ip access-list extended e0_0_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp host 1.1.1.1 eq 22 host 1.1.1.100 ! ! Rule fw-ipv6-2-ipv4 1 (global) permit 50 host 61.150.47.112 any dscp af12 permit 50 host 192.168.1.0 any dscp af12 exit interface Ethernet0/0 ip access-group e0_0_in in exit interface Ethernet0/0 ip access-group e0_0_out out exit ! ================ IPv6 ipv6 access-list ipv6_e0_0_in ! ! Rule fw-ipv6-2-ipv6 0 (global) permit tcp fe80::/64 any eq 22 ! ! Rule fw-ipv6-2-ipv6 1 (global) ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 3 (global)' below it ! 
firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule fw-ipv6-2-ipv6 2 (global) ! firewall-ipv6-2:fw-ipv6-2-ipv6:2: error: Rule 'fw-ipv6-2-ipv6 2 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:2: error: Rule 'fw-ipv6-2-ipv6 2 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule fw-ipv6-2-ipv6 3 (global) ! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule fw-ipv6-2-ipv6 4 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule fw-ipv6-2-ipv6 5 (global) permit tcp host 2001:5c0:0:2::24 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp 3ffe:1200:2000::/36 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule fw-ipv6-2-ipv6 6 (global) permit tcp host 2001:5c0:0:2::24 host fe80::21d:9ff:fe8b:8e94 eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! 
Rule fw-ipv6-2-ipv6 7 (global) permit ipv6 any host fe80::21d:9ff:fe8b:8e94 log ! ! Rule fw-ipv6-2-ipv6 8 (global) permit ipv6 fe80::/64 any log ! ! Rule fw-ipv6-2-ipv6 9 (global) ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 10 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 11 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 12 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule fw-ipv6-2-ipv6 10 (global) permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule fw-ipv6-2-ipv6 11 (global) permit 50 host 2001:5c0:0:2::24 any dscp af11 permit 50 host 3ffe:1200:2001:1:8000::1 any dscp af11 ! ! Rule fw-ipv6-2-ipv6 12 (global) permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established ! ! Rule fw-ipv6-2-ipv6 13 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 permit udp host 2001:5c0:0:2::24 any eq 161 permit udp host 3ffe:1200:2001:1:8000::1 any eq 161 permit icmp host 2001:5c0:0:2::24 any 128 permit icmp host 3ffe:1200:2001:1:8000::1 any 128 permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established exit ipv6 access-list ipv6_e0_0_out ! ! Rule fw-ipv6-2-ipv6 0 (global) permit tcp fe80::/64 any eq 22 ! ! Rule fw-ipv6-2-ipv6 1 (global) ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! 
firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 3 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule fw-ipv6-2-ipv6 3 (global) ! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule fw-ipv6-2-ipv6 4 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log ! ! Rule fw-ipv6-2-ipv6 8 (global) permit ipv6 fe80::/64 any log ! ! Rule fw-ipv6-2-ipv6 9 (global) ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 10 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 11 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 12 (global)' below it ! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! 
Rule fw-ipv6-2-ipv6 10 (global) permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log ! ! Rule fw-ipv6-2-ipv6 11 (global) permit 50 host 2001:5c0:0:2::24 any dscp af11 permit 50 host 3ffe:1200:2001:1:8000::1 any dscp af11 ! ! Rule fw-ipv6-2-ipv6 12 (global) permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established ! ! Rule fw-ipv6-2-ipv6 13 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 permit udp host 2001:5c0:0:2::24 any eq 161 permit udp host 3ffe:1200:2001:1:8000::1 any eq 161 permit icmp host 2001:5c0:0:2::24 any 128 permit icmp host 3ffe:1200:2001:1:8000::1 any 128 permit tcp host 2001:5c0:0:2::24 any established permit tcp host 3ffe:1200:2001:1:8000::1 any established exit interface Ethernet0/0 ipv6 traffic-filter ipv6_e0_0_in in exit interface Ethernet0/0 ipv6 traffic-filter ipv6_e0_0_out out exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/firewall-ipv6-3.fw.orig000077500000000000000000000050151303637203600220750ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:19 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! !# files: * firewall-ipv6-3.fw ! ! test "safety net" install in case when there are many rulesets ! ! Prolog script: ! ! ! End of prolog script: ! ! 
temporary access list for "safety net install" no ipv6 access-list tmp_acl ipv6 access-list tmp_acl permit ipv6 fe80::21d:9ff:aaaa:bbbb/64 any permit icmp any any deny ipv6 any any exit interface Ethernet0/0 no ipv6 traffic-filter in no ipv6 traffic-filter out ipv6 traffic-filter tmp_acl in exit no ip access-list extended e0_0_in no ip access-list extended e0_0_out no ipv6 access-list ipv6_e0_0_in no ipv6 access-list ipv6_e0_0_out no ipv6 access-list ipv6_fw-ipv6-3-ipv6-2_e0_0_in no ipv6 access-list ipv6_fw-ipv6-3-ipv6-2_e0_0_out ! ================ IPv4 ip access-list extended e0_0_in ! ! Rule fw-ipv6-3-ipv4 1 (global) permit 50 host 61.150.47.112 any dscp af12 permit 50 host 192.168.1.0 any dscp af12 exit ip access-list extended e0_0_out permit 50 host 61.150.47.112 any dscp af12 permit 50 host 192.168.1.0 any dscp af12 exit interface Ethernet0/0 ip access-group e0_0_in in exit interface Ethernet0/0 ip access-group e0_0_out out exit ! ================ IPv6 ipv6 access-list ipv6_e0_0_in ! ! Rule fw-ipv6-3-ipv6-1 0 (global) permit tcp fe80::/64 any eq 22 ! ! Rule fw-ipv6-3-ipv6-1 1 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log exit ipv6 access-list ipv6_e0_0_out ! ! Rule fw-ipv6-3-ipv6-1 0 (global) permit tcp fe80::/64 any eq 22 ! ! Rule fw-ipv6-3-ipv6-1 1 (global) permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log exit interface Ethernet0/0 ipv6 traffic-filter ipv6_e0_0_in in exit interface Ethernet0/0 ipv6 traffic-filter ipv6_e0_0_out out exit ! ================ IPv6 ipv6 access-list ipv6_fw-ipv6-3-ipv6-2_e0_0_in ! ! 
Rule fw-ipv6-3-ipv6-2 0 (global) permit 50 host 2001:5c0:0:2::24 any dscp af11 permit 50 host 3ffe:1200:2001:1:8000::1 any dscp af11 exit ipv6 access-list ipv6_fw-ipv6-3-ipv6-2_e0_0_out permit 50 host 2001:5c0:0:2::24 any dscp af11 permit 50 host 3ffe:1200:2001:1:8000::1 any dscp af11 exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/objects-for-regression-tests.fwb000066400000000000000000014320111303637203600242020ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk dscp af11 dscp af12 dscp af11 fwbuilder-5.3.7/test/iosacl/quick-cmp.sh000077500000000000000000000014431303637203600201770ustar00rootroot00000000000000#!/bin/sh DIFFCMD="diff -C 5 -c -b -B -w -I \"Generated\" -I 'Activating ' -I 'Firewall Builder fwb_iosacl v' -I 'Can not find file' -I '====' -I 'log '" for f in $(ls *.fw.orig) do V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" new_f=$(echo $f | sed 's/.orig//') echo "$DIFFCMD $f $new_f" done exit 0 run_diffs_for_file() { xmlfile=$1 folder=$2 fwbedit list -f $xmlfile -o $folder -c -F%name% | sort | while read fwobj; do V="$fwobj <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" echo "$DIFFCMD ${fwobj}.fw.orig ${fwobj}.fw" done } run_diffs_for_file objects-for-regression-tests.fwb /User/Firewalls # run_diffs_for_file cluster-tests.fwb /User/Clusters fwbuilder-5.3.7/test/iosacl/recycle000077500000000000000000000000751303637203600173230ustar00rootroot00000000000000#!/bin/sh for f in *.fw; do j=${f}.orig mv $f $j done fwbuilder-5.3.7/test/iosacl/run.all000077500000000000000000000010031303637203600172400ustar00rootroot00000000000000#!/bin/sh 
XMLFILE="objects-for-regression-tests.fwb" fwbedit list -f $XMLFILE -o /User/Firewalls -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_iosacl -v -f $XMLFILE -xt $fwobj" done exit 0 XMLFILE="cluster-tests.fwb" fwbedit list -f $XMLFILE -o /User/Clusters -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_iosacl -v -f $XMLFILE -xt -xc $fwobj" done fwbuilder-5.3.7/test/iosacl/testios1-1.fw.orig000077500000000000000000000250071303637203600211620ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:20 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! !# files: * testios1-1.fw ! ! dynamic interface eth0 ! ! Prolog script: ! ! This is prolog ! ! End of prolog script: ! hostname testios1-1 ! temporary access list for "safety net install" no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 10.10.10.1 0.0.0.0 any deny ip any any exit interface ethernet0 no ip access-group in no ip access-group out ip access-group tmp_acl in exit no ip access-list extended e0_in no ip access-list extended e0_out no ip access-list extended e1_in no ip access-list extended e1_out ! ================ IPv4 ip access-list extended e0_in ! ! Rule 0 (ethernet0) ! anti-spoofing deny ip 10.10.10.0 0.0.0.255 any log deny ip 10.10.11.0 0.0.0.255 any log deny ip 10.10.12.0 0.0.0.255 any log ! ! Rule 1 (global) ! комментарий по-русски deny ip any any log fragments ! ! Rule 2 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! 
Rule 4 (testios1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 7 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 9 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 10 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 12 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 13 (global) ! interface ethernet1 has address on network 10.10.10.0/24, ! therefore net-10.10.10 is behind the router and we do ! not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ! ! Rule 14 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ! ! 
Rule 15 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ! ! Rule 16 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ! ! Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ! ! Rule 18 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ! ! Rule 19 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ! ! Rule 20 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 dscp af11 ! ! Rule 21 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 dscp af12 ! ! Rule 22 (global) deny ip any any log exit ip access-list extended e0_out ! ! Rule 1 (global) ! комментарий по-русски deny ip any any log fragments ! ! Rule 2 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 4 (testios1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! 
Rule 10 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 12 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 13 (global) ! interface ethernet1 has address on network 10.10.10.0/24, ! therefore net-10.10.10 is behind the router and we do ! not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ! ! Rule 14 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ! ! Rule 15 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ! ! Rule 16 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ! ! Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ! ! 
Rule 18 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ! ! Rule 19 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ! ! Rule 20 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 dscp af11 ! ! Rule 21 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 dscp af12 ! ! Rule 22 (global) deny ip any any log exit ip access-list extended e1_in ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 4 (testios1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 5 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 8 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 11 (ethernet1) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 exit ip access-list extended e1_out ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 4 (testios1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! 
Rule 5 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 11 (ethernet1) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 exit interface ethernet0 ip access-group e0_in in exit interface ethernet0 ip access-group e0_out out exit interface ethernet1 ip access-group e1_in in exit interface ethernet1 ip access-group e1_out out exit ! ! Rule 0 (main) ! ! ip route 0.0.0.0 0.0.0.0 ! ip route 0.0.0.0 0.0.0.0 ethernet0 1 ! ! Epilog script: ! ! This is epilog for testing ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/testios1.fw.orig000077500000000000000000000254311303637203600210250ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:20 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! !# files: * testios1.fw ! ! ! Prolog script: ! ! This is prolog ! ! End of prolog script: ! hostname testios1 ! temporary access list for "safety net install" no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 10.10.10.1 0.0.0.0 any deny ip any any exit interface ethernet0 no ip access-group in no ip access-group out ip access-group tmp_acl in exit no ip access-list extended e0_in no ip access-list extended e0_out no ip access-list extended e1_in no ip access-list extended e1_out ! ================ IPv4 ip access-list extended e0_in ! ! 
Rule -1 backup ssh access rule (automatic) permit tcp host 1.1.1.100 host 1.1.1.1 eq 22 permit tcp host 1.1.1.100 host 3.3.3.3 eq 22 permit tcp host 1.1.1.100 host 10.10.10.1 eq 22 ! ! Rule 0 (ethernet0) ! anti-spoofing deny ip 10.10.10.0 0.0.0.255 any log deny ip 10.10.11.0 0.0.0.255 any log deny ip 10.10.12.0 0.0.0.255 any log ! ! Rule 1 (global) ! комментарий по-русски deny ip any any log fragments ! ! Rule 2 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 4 (testios1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 7 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 9 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 10 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! 
Rule 12 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 13 (global) ! interface ethernet1 has address on network 10.10.10.0/24, ! therefore net-10.10.10 is behind the router and we do ! not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ! ! Rule 14 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ! ! Rule 15 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ! ! Rule 16 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ! ! Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ! ! Rule 18 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ! ! Rule 19 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ! ! Rule 20 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 dscp af11 ! ! 
Rule 21 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 dscp af12 ! ! Rule 22 (global) deny ip any any log exit ip access-list extended e0_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp host 1.1.1.1 eq 22 host 1.1.1.100 permit tcp host 3.3.3.3 eq 22 host 1.1.1.100 permit tcp host 10.10.10.1 eq 22 host 1.1.1.100 ! ! Rule 1 (global) ! комментарий по-русски deny ip any any log fragments ! ! Rule 2 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 4 (testios1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 10 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 12 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 13 (global) ! 
interface ethernet1 has address on network 10.10.10.0/24, ! therefore net-10.10.10 is behind the router and we do ! not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ! ! Rule 14 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ! ! Rule 15 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ! ! Rule 16 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ! ! Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ! ! Rule 18 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ! ! Rule 19 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ! ! Rule 20 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 dscp af11 ! ! Rule 21 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 dscp af12 ! ! Rule 22 (global) deny ip any any log exit ip access-list extended e1_in ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 4 (testios1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 5 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! 
Rule 8 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 11 (ethernet1) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 exit ip access-list extended e1_out ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 4 (testios1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 5 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 11 (ethernet1) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 exit interface ethernet0 ip access-group e0_in in exit interface ethernet0 ip access-group e0_out out exit interface ethernet1 ip access-group e1_in in exit interface ethernet1 ip access-group e1_out out exit ! ! Epilog script: ! ! This is epilog for testing ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/testios2.fw.orig000077500000000000000000000311541303637203600210250ustar00rootroot00000000000000! ! This is automatically generated file. 
DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:20 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! !# files: * testios2.fw ! ! testios2:Routing:0: error: Object "test-addr-1" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall ! testios2:Routing:1: error: Can not use both gateway address and interface in IOS routing rule ! testios2:Routing:0: error: MultiPath routing not supported by platform ! testios2:Routing:1: error: MultiPath routing not supported by platform ! ! Prolog script: ! ! ! End of prolog script: ! hostname testios2 ! temporary access list for "safety net install" no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 10.10.10.0 0.0.0.255 any deny ip any any exit interface ethernet1 no ip access-group in no ip access-group out ip access-group tmp_acl in exit no ip access-list extended e0_in no ip access-list extended e0_out no ip access-list extended e1_in no ip access-list extended e1_out ! ================ IPv4 ip access-list extended e0_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp 10.10.10.0 0.0.0.255 host 1.1.1.1 eq 22 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22 ! ! Rule 0 (ethernet0) ! anti-spoofing deny ip 10.10.10.0 0.0.0.255 any log deny ip 10.10.11.0 0.0.0.255 any log deny ip 10.10.12.0 0.0.0.255 any log ! ! Rule 1 (global) deny ip any any log fragments ! ! Rule 2 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 5 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! 
Rule 8 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 11 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 12 (global) permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ! ! Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ! ! Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ! ! Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ! ! Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ! ! Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ! ! 
Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ! ! Rule 19 (global) deny ip any any log exit ip access-list extended e0_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp host 1.1.1.1 eq 22 10.10.10.0 0.0.0.255 permit tcp host 10.10.10.1 eq 22 10.10.10.0 0.0.0.255 ! ! Rule 1 (global) deny ip any any log fragments ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 5 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 11 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 19 (global) deny ip any any log exit ip access-list extended e1_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp 10.10.10.0 0.0.0.255 host 1.1.1.1 eq 22 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22 ! ! Rule 1 (global) deny ip any any log fragments ! ! Rule 2 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! 
Rule 4 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 7 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 10 (ethernet1) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 12 (global) permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ! ! Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ! ! Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ! ! 
Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ! ! Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ! ! Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ! ! Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ! ! Rule 19 (global) deny ip any any log exit ip access-list extended e1_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp host 1.1.1.1 eq 22 10.10.10.0 0.0.0.255 permit tcp host 10.10.10.1 eq 22 10.10.10.0 0.0.0.255 ! ! Rule 1 (global) deny ip any any log fragments ! ! Rule 2 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (ethernet0,ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 4 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! 
Rule 10 (ethernet1) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ! ! Rule 12 (global) permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ! ! Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ! ! Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ! ! Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ! ! Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ! ! Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ! ! Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ! ! Rule 19 (global) deny ip any any log exit interface ethernet0 ip access-group e0_in in exit interface ethernet0 ip access-group e0_out out exit interface ethernet1 ip access-group e1_in in exit interface ethernet1 ip access-group e1_out out exit ! ! Rule 0 (main) ! ! 
testios2:Routing:0: error: Object "test-addr-1" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall ! ! Rule 1 (main) ! ! testios2:Routing:1: error: Can not use both gateway address and interface in IOS routing rule ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/testios20-v12.3.fw.orig000077500000000000000000000105661303637203600216600ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:20 2011 PST by vadim ! ! Compiled for iosacl 12.3 ! !# files: * testios20-v12.3.fw ! ! testios20-v12.3:Policy:10: error: IP options match requires IOS v12.4 or later. ! testios20-v12.3:Policy:10: error: IP options match requires IOS v12.4 or later. ! testios20-v12.3:Policy:10: error: IP options match requires IOS v12.4 or later. ! testios20-v12.3:Policy:10: error: IP options match requires IOS v12.4 or later. ! testios20-v12.3:Policy:11: error: IP options match requires IOS v12.4 or later. ! ! Prolog script: ! ! ! End of prolog script: ! hostname testios20-v12.3 no ip access-list extended e0_in no ip access-list extended e0_out no ip access-list extended e1_in no ip access-list extended e1_out ! ================ IPv4 ip access-list extended e0_in ! ! Rule 0 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 2 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 5 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (global) permit ip any any tos 16 ! ! Rule 7 (global) permit ip any any dscp 16 ! ! Rule 8 (global) permit ip any any dscp af11 ! ! 
Rule 9 (global) permit ip any any dscp 16 permit ip any any dscp af11 ! ! Rule 10 (ethernet0) permit ip any any option lsr permit ip any any option record-route permit ip any any option ssr permit ip any any ! ! Rule 11 (ethernet0) permit ip any any option any-options ! ! Rule 12 (global) permit ip any any ! ! Rule 13 (global) deny ip any any log exit ip access-list extended e0_out ! ! Rule 2 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (global) permit ip any any tos 16 ! ! Rule 7 (global) permit ip any any dscp 16 ! ! Rule 8 (global) permit ip any any dscp af11 ! ! Rule 9 (global) permit ip any any dscp 16 permit ip any any dscp af11 ! ! Rule 12 (global) permit ip any any ! ! Rule 13 (global) deny ip any any log exit ip access-list extended e1_in ! ! Rule 0 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 1 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 4 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (global) permit ip any any tos 16 ! ! Rule 7 (global) permit ip any any dscp 16 ! ! Rule 8 (global) permit ip any any dscp af11 ! ! Rule 9 (global) permit ip any any dscp 16 permit ip any any dscp af11 ! ! Rule 12 (global) permit ip any any ! ! Rule 13 (global) deny ip any any log exit ip access-list extended e1_out ! ! Rule 0 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 1 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (global) permit ip any any tos 16 ! ! 
Rule 7 (global) permit ip any any dscp 16 ! ! Rule 8 (global) permit ip any any dscp af11 ! ! Rule 9 (global) permit ip any any dscp 16 permit ip any any dscp af11 ! ! Rule 12 (global) permit ip any any ! ! Rule 13 (global) deny ip any any log exit interface ethernet0 ip access-group e0_in in exit interface ethernet0 ip access-group e0_out out exit interface ethernet1 ip access-group e1_in in exit interface ethernet1 ip access-group e1_out out exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/testios20.fw.orig000077500000000000000000000104431303637203600211030ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:20 2011 PST by vadim ! ! Compiled for iosacl 12.4 ! !# files: * testios20.fw ! ! ! Prolog script: ! ! ! End of prolog script: ! hostname testios20 no ip access-list extended e0_in no ip access-list extended e0_out no ip access-list extended e1_in no ip access-list extended e1_out ! ================ IPv4 ip access-list extended e0_in ! ! Rule 0 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 2 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 5 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (global) permit ip any any tos 16 ! ! Rule 7 (global) permit ip any any dscp 16 ! ! Rule 8 (global) permit ip any any dscp af11 ! ! Rule 9 (global) permit ip any any dscp 16 permit ip any any dscp af11 ! ! Rule 10 (ethernet0) permit ip any any option lsr permit ip any any option record-route permit ip any any option ssr permit ip any any ! ! 
Rule 11 (ethernet0) permit ip any any option any-options ! ! Rule 12 (ethernet0) permit tcp any any match-all -urg +ack -psh -rst -syn -fin ! ! Rule 13 (ethernet0) permit tcp any any match-all -urg +ack -psh -rst -syn -fin permit tcp any any match-all -urg -ack -psh -rst +syn -fin ! ! Rule 14 (ethernet0) permit tcp any any match-all -urg +ack -psh -rst +syn -fin ! ! Rule 15 (global) permit ip any any ! ! Rule 16 (global) deny ip any any log exit ip access-list extended e0_out ! ! Rule 2 (ethernet0) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (global) permit ip any any tos 16 ! ! Rule 7 (global) permit ip any any dscp 16 ! ! Rule 8 (global) permit ip any any dscp af11 ! ! Rule 9 (global) permit ip any any dscp 16 permit ip any any dscp af11 ! ! Rule 15 (global) permit ip any any ! ! Rule 16 (global) deny ip any any log exit ip access-list extended e1_in ! ! Rule 0 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 1 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 3 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 4 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (global) permit ip any any tos 16 ! ! Rule 7 (global) permit ip any any dscp 16 ! ! Rule 8 (global) permit ip any any dscp af11 ! ! Rule 9 (global) permit ip any any dscp 16 permit ip any any dscp af11 ! ! Rule 15 (global) permit ip any any ! ! Rule 16 (global) deny ip any any log exit ip access-list extended e1_out ! ! Rule 0 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! 
Rule 1 (ethernet1) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ! ! Rule 6 (global) permit ip any any tos 16 ! ! Rule 7 (global) permit ip any any dscp 16 ! ! Rule 8 (global) permit ip any any dscp af11 ! ! Rule 9 (global) permit ip any any dscp 16 permit ip any any dscp af11 ! ! Rule 15 (global) permit ip any any ! ! Rule 16 (global) deny ip any any log exit interface ethernet0 ip access-group e0_in in exit interface ethernet0 ip access-group e0_out out exit interface ethernet1 ip access-group e1_in in exit interface ethernet1 ip access-group e1_out out exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/testios3.fw.orig000077500000000000000000000545271303637203600210370ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:20 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! !# files: * testios3.fw ! ! testios3:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode ! ! Prolog script: ! ! ! End of prolog script: ! hostname testios3 ! temporary access list for "safety net install" no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 10.10.10.0 0.0.0.255 any deny ip any any exit interface ethernet1 no ip access-group in no ip access-group out ip access-group tmp_acl in exit no ip access-list extended e0_in no ip access-list extended e0_out no ip access-list extended e1_in no ip access-list extended e1_out ! ================ IPv4 ip access-list extended e0_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp 10.10.10.0 0.0.0.255 host 1.1.1.1 eq 22 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22 ! ! Rule 4 (global) deny ip any any log exit ip access-list extended e0_out ! ! 
Rule -2 backup ssh access rule (out) (automatic) permit tcp host 1.1.1.1 eq 22 10.10.10.0 0.0.0.255 permit tcp host 10.10.10.1 eq 22 10.10.10.0 0.0.0.255 ! ! Rule 0 (ethernet0) deny ip 10.10.10.0 0.0.0.255 host 192.168.1.1 log deny ip 10.10.10.0 0.0.0.255 host 192.168.1.2 log deny ip 10.10.10.0 0.0.0.255 192.168.1.3 0.0.0.3 log deny ip 10.10.10.0 0.0.0.255 host 192.168.1.200 log deny ip 10.10.10.0 0.0.0.255 host 192.168.1.201 log deny ip 10.10.10.0 0.0.0.255 192.168.2.128 0.0.0.127 log deny ip 10.10.11.0 0.0.0.255 host 192.168.1.1 log deny ip 10.10.11.0 0.0.0.255 host 192.168.1.2 log deny ip 10.10.11.0 0.0.0.255 192.168.1.3 0.0.0.3 log deny ip 10.10.11.0 0.0.0.255 host 192.168.1.200 log deny ip 10.10.11.0 0.0.0.255 host 192.168.1.201 log deny ip 10.10.11.0 0.0.0.255 192.168.2.128 0.0.0.127 log deny ip 10.10.12.0 0.0.0.255 host 192.168.1.1 log deny ip 10.10.12.0 0.0.0.255 host 192.168.1.2 log deny ip 10.10.12.0 0.0.0.255 192.168.1.3 0.0.0.3 log deny ip 10.10.12.0 0.0.0.255 host 192.168.1.200 log deny ip 10.10.12.0 0.0.0.255 host 192.168.1.201 log deny ip 10.10.12.0 0.0.0.255 192.168.2.128 0.0.0.127 log ! ! 
Rule 1 (ethernet0) deny ip 10.10.10.0 0.0.0.255 host 58.33.181.83 log deny ip 10.10.10.0 0.0.0.255 host 58.53.82.190 log deny ip 10.10.10.0 0.0.0.255 host 58.231.13.78 log deny ip 10.10.10.0 0.0.0.255 host 61.150.47.112 log deny ip 10.10.10.0 0.0.0.255 host 61.184.14.102 log deny ip 10.10.10.0 0.0.0.255 host 64.106.85.186 log deny ip 10.10.10.0 0.0.0.255 host 70.228.60.100 log deny ip 10.10.10.0 0.0.0.255 host 80.51.236.6 log deny ip 10.10.10.0 0.0.0.255 host 80.243.72.149 log deny ip 10.10.10.0 0.0.0.255 host 80.249.77.34 log deny ip 10.10.10.0 0.0.0.255 host 81.2.36.254 log deny ip 10.10.10.0 0.0.0.255 host 81.196.74.125 log deny ip 10.10.10.0 0.0.0.255 host 82.77.37.174 log deny ip 10.10.10.0 0.0.0.255 host 82.117.221.205 log deny ip 10.10.10.0 0.0.0.255 host 82.143.196.17 log deny ip 10.10.10.0 0.0.0.255 host 84.90.8.198 log deny ip 10.10.10.0 0.0.0.255 host 151.8.224.178 log deny ip 10.10.10.0 0.0.0.255 host 168.156.76.20 log deny ip 10.10.10.0 0.0.0.255 host 193.207.126.36 log deny ip 10.10.10.0 0.0.0.255 host 195.136.186.35 log deny ip 10.10.10.0 0.0.0.255 host 196.15.136.15 log deny ip 10.10.10.0 0.0.0.255 host 201.10.180.138 log deny ip 10.10.10.0 0.0.0.255 host 201.17.93.16 log deny ip 10.10.10.0 0.0.0.255 host 201.36.156.121 log deny ip 10.10.10.0 0.0.0.255 host 202.96.112.93 log deny ip 10.10.10.0 0.0.0.255 host 202.103.25.253 log deny ip 10.10.10.0 0.0.0.255 host 203.162.3.209 log deny ip 10.10.10.0 0.0.0.255 host 203.209.124.144 log deny ip 10.10.10.0 0.0.0.255 host 210.106.193.237 log deny ip 10.10.10.0 0.0.0.255 host 210.222.114.102 log deny ip 10.10.10.0 0.0.0.255 host 211.144.143.143 log deny ip 10.10.10.0 0.0.0.255 host 211.172.218.237 log deny ip 10.10.10.0 0.0.0.255 host 211.250.16.132 log deny ip 10.10.10.0 0.0.0.255 host 212.21.241.31 log deny ip 10.10.10.0 0.0.0.255 host 212.100.212.100 log deny ip 10.10.10.0 0.0.0.255 host 218.18.72.252 log deny ip 10.10.10.0 0.0.0.255 host 218.39.114.122 log deny ip 10.10.10.0 0.0.0.255 host 218.55.115.43 
log deny ip 10.10.10.0 0.0.0.255 host 218.104.138.146 log deny ip 10.10.10.0 0.0.0.255 host 219.132.104.160 log deny ip 10.10.10.0 0.0.0.255 host 220.71.17.86 log deny ip 10.10.10.0 0.0.0.255 host 220.81.50.105 log deny ip 10.10.10.0 0.0.0.255 host 220.91.99.46 log deny ip 10.10.10.0 0.0.0.255 host 221.14.249.242 log deny ip 10.10.10.0 0.0.0.255 host 221.166.177.135 log deny ip 10.10.10.0 0.0.0.255 host 221.198.33.38 log deny ip 10.10.10.0 0.0.0.255 host 221.202.160.233 log deny ip 10.10.10.0 0.0.0.255 host 221.205.54.125 log deny ip 10.10.10.0 0.0.0.255 host 221.217.44.248 log deny ip 10.10.10.0 0.0.0.255 host 222.100.212.223 log deny ip 10.10.10.0 0.0.0.255 host 222.121.118.144 log deny ip 10.10.10.0 0.0.0.255 host 222.174.113.2 log deny ip 10.10.11.0 0.0.0.255 host 58.33.181.83 log deny ip 10.10.11.0 0.0.0.255 host 58.53.82.190 log deny ip 10.10.11.0 0.0.0.255 host 58.231.13.78 log deny ip 10.10.11.0 0.0.0.255 host 61.150.47.112 log deny ip 10.10.11.0 0.0.0.255 host 61.184.14.102 log deny ip 10.10.11.0 0.0.0.255 host 64.106.85.186 log deny ip 10.10.11.0 0.0.0.255 host 70.228.60.100 log deny ip 10.10.11.0 0.0.0.255 host 80.51.236.6 log deny ip 10.10.11.0 0.0.0.255 host 80.243.72.149 log deny ip 10.10.11.0 0.0.0.255 host 80.249.77.34 log deny ip 10.10.11.0 0.0.0.255 host 81.2.36.254 log deny ip 10.10.11.0 0.0.0.255 host 81.196.74.125 log deny ip 10.10.11.0 0.0.0.255 host 82.77.37.174 log deny ip 10.10.11.0 0.0.0.255 host 82.117.221.205 log deny ip 10.10.11.0 0.0.0.255 host 82.143.196.17 log deny ip 10.10.11.0 0.0.0.255 host 84.90.8.198 log deny ip 10.10.11.0 0.0.0.255 host 151.8.224.178 log deny ip 10.10.11.0 0.0.0.255 host 168.156.76.20 log deny ip 10.10.11.0 0.0.0.255 host 193.207.126.36 log deny ip 10.10.11.0 0.0.0.255 host 195.136.186.35 log deny ip 10.10.11.0 0.0.0.255 host 196.15.136.15 log deny ip 10.10.11.0 0.0.0.255 host 201.10.180.138 log deny ip 10.10.11.0 0.0.0.255 host 201.17.93.16 log deny ip 10.10.11.0 0.0.0.255 host 201.36.156.121 log deny ip 
10.10.11.0 0.0.0.255 host 202.96.112.93 log deny ip 10.10.11.0 0.0.0.255 host 202.103.25.253 log deny ip 10.10.11.0 0.0.0.255 host 203.162.3.209 log deny ip 10.10.11.0 0.0.0.255 host 203.209.124.144 log deny ip 10.10.11.0 0.0.0.255 host 210.106.193.237 log deny ip 10.10.11.0 0.0.0.255 host 210.222.114.102 log deny ip 10.10.11.0 0.0.0.255 host 211.144.143.143 log deny ip 10.10.11.0 0.0.0.255 host 211.172.218.237 log deny ip 10.10.11.0 0.0.0.255 host 211.250.16.132 log deny ip 10.10.11.0 0.0.0.255 host 212.21.241.31 log deny ip 10.10.11.0 0.0.0.255 host 212.100.212.100 log deny ip 10.10.11.0 0.0.0.255 host 218.18.72.252 log deny ip 10.10.11.0 0.0.0.255 host 218.39.114.122 log deny ip 10.10.11.0 0.0.0.255 host 218.55.115.43 log deny ip 10.10.11.0 0.0.0.255 host 218.104.138.146 log deny ip 10.10.11.0 0.0.0.255 host 219.132.104.160 log deny ip 10.10.11.0 0.0.0.255 host 220.71.17.86 log deny ip 10.10.11.0 0.0.0.255 host 220.81.50.105 log deny ip 10.10.11.0 0.0.0.255 host 220.91.99.46 log deny ip 10.10.11.0 0.0.0.255 host 221.14.249.242 log deny ip 10.10.11.0 0.0.0.255 host 221.166.177.135 log deny ip 10.10.11.0 0.0.0.255 host 221.198.33.38 log deny ip 10.10.11.0 0.0.0.255 host 221.202.160.233 log deny ip 10.10.11.0 0.0.0.255 host 221.205.54.125 log deny ip 10.10.11.0 0.0.0.255 host 221.217.44.248 log deny ip 10.10.11.0 0.0.0.255 host 222.100.212.223 log deny ip 10.10.11.0 0.0.0.255 host 222.121.118.144 log deny ip 10.10.11.0 0.0.0.255 host 222.174.113.2 log deny ip 10.10.12.0 0.0.0.255 host 58.33.181.83 log deny ip 10.10.12.0 0.0.0.255 host 58.53.82.190 log deny ip 10.10.12.0 0.0.0.255 host 58.231.13.78 log deny ip 10.10.12.0 0.0.0.255 host 61.150.47.112 log deny ip 10.10.12.0 0.0.0.255 host 61.184.14.102 log deny ip 10.10.12.0 0.0.0.255 host 64.106.85.186 log deny ip 10.10.12.0 0.0.0.255 host 70.228.60.100 log deny ip 10.10.12.0 0.0.0.255 host 80.51.236.6 log deny ip 10.10.12.0 0.0.0.255 host 80.243.72.149 log deny ip 10.10.12.0 0.0.0.255 host 80.249.77.34 log deny ip 
10.10.12.0 0.0.0.255 host 81.2.36.254 log deny ip 10.10.12.0 0.0.0.255 host 81.196.74.125 log deny ip 10.10.12.0 0.0.0.255 host 82.77.37.174 log deny ip 10.10.12.0 0.0.0.255 host 82.117.221.205 log deny ip 10.10.12.0 0.0.0.255 host 82.143.196.17 log deny ip 10.10.12.0 0.0.0.255 host 84.90.8.198 log deny ip 10.10.12.0 0.0.0.255 host 151.8.224.178 log deny ip 10.10.12.0 0.0.0.255 host 168.156.76.20 log deny ip 10.10.12.0 0.0.0.255 host 193.207.126.36 log deny ip 10.10.12.0 0.0.0.255 host 195.136.186.35 log deny ip 10.10.12.0 0.0.0.255 host 196.15.136.15 log deny ip 10.10.12.0 0.0.0.255 host 201.10.180.138 log deny ip 10.10.12.0 0.0.0.255 host 201.17.93.16 log deny ip 10.10.12.0 0.0.0.255 host 201.36.156.121 log deny ip 10.10.12.0 0.0.0.255 host 202.96.112.93 log deny ip 10.10.12.0 0.0.0.255 host 202.103.25.253 log deny ip 10.10.12.0 0.0.0.255 host 203.162.3.209 log deny ip 10.10.12.0 0.0.0.255 host 203.209.124.144 log deny ip 10.10.12.0 0.0.0.255 host 210.106.193.237 log deny ip 10.10.12.0 0.0.0.255 host 210.222.114.102 log deny ip 10.10.12.0 0.0.0.255 host 211.144.143.143 log deny ip 10.10.12.0 0.0.0.255 host 211.172.218.237 log deny ip 10.10.12.0 0.0.0.255 host 211.250.16.132 log deny ip 10.10.12.0 0.0.0.255 host 212.21.241.31 log deny ip 10.10.12.0 0.0.0.255 host 212.100.212.100 log deny ip 10.10.12.0 0.0.0.255 host 218.18.72.252 log deny ip 10.10.12.0 0.0.0.255 host 218.39.114.122 log deny ip 10.10.12.0 0.0.0.255 host 218.55.115.43 log deny ip 10.10.12.0 0.0.0.255 host 218.104.138.146 log deny ip 10.10.12.0 0.0.0.255 host 219.132.104.160 log deny ip 10.10.12.0 0.0.0.255 host 220.71.17.86 log deny ip 10.10.12.0 0.0.0.255 host 220.81.50.105 log deny ip 10.10.12.0 0.0.0.255 host 220.91.99.46 log deny ip 10.10.12.0 0.0.0.255 host 221.14.249.242 log deny ip 10.10.12.0 0.0.0.255 host 221.166.177.135 log deny ip 10.10.12.0 0.0.0.255 host 221.198.33.38 log deny ip 10.10.12.0 0.0.0.255 host 221.202.160.233 log deny ip 10.10.12.0 0.0.0.255 host 221.205.54.125 log deny ip 
10.10.12.0 0.0.0.255 host 221.217.44.248 log deny ip 10.10.12.0 0.0.0.255 host 222.100.212.223 log deny ip 10.10.12.0 0.0.0.255 host 222.121.118.144 log deny ip 10.10.12.0 0.0.0.255 host 222.174.113.2 log ! ! Rule 2 (ethernet0) deny ip 10.10.10.0 0.0.0.255 host 58.33.181.83 log deny ip 10.10.10.0 0.0.0.255 host 58.53.82.190 log deny ip 10.10.10.0 0.0.0.255 host 58.231.13.78 log deny ip 10.10.10.0 0.0.0.255 host 61.150.47.112 log deny ip 10.10.10.0 0.0.0.255 host 61.184.14.102 log deny ip 10.10.10.0 0.0.0.255 host 64.106.85.186 log deny ip 10.10.10.0 0.0.0.255 host 70.228.60.100 log deny ip 10.10.10.0 0.0.0.255 host 80.51.236.6 log deny ip 10.10.10.0 0.0.0.255 host 80.243.72.149 log deny ip 10.10.10.0 0.0.0.255 host 80.249.77.34 log deny ip 10.10.10.0 0.0.0.255 host 81.2.36.254 log deny ip 10.10.10.0 0.0.0.255 host 81.196.74.125 log deny ip 10.10.10.0 0.0.0.255 host 82.77.37.174 log deny ip 10.10.10.0 0.0.0.255 host 82.117.221.205 log deny ip 10.10.10.0 0.0.0.255 host 82.143.196.17 log deny ip 10.10.10.0 0.0.0.255 host 84.90.8.198 log deny ip 10.10.10.0 0.0.0.255 host 151.8.224.178 log deny ip 10.10.10.0 0.0.0.255 host 168.156.76.20 log deny ip 10.10.10.0 0.0.0.255 host 192.168.1.1 log deny ip 10.10.10.0 0.0.0.255 host 192.168.1.2 log deny ip 10.10.10.0 0.0.0.255 192.168.1.3 0.0.0.3 log deny ip 10.10.10.0 0.0.0.255 host 192.168.1.200 log deny ip 10.10.10.0 0.0.0.255 host 192.168.1.201 log deny ip 10.10.10.0 0.0.0.255 192.168.2.128 0.0.0.127 log deny ip 10.10.10.0 0.0.0.255 host 193.207.126.36 log deny ip 10.10.10.0 0.0.0.255 host 195.136.186.35 log deny ip 10.10.10.0 0.0.0.255 host 196.15.136.15 log deny ip 10.10.10.0 0.0.0.255 host 201.10.180.138 log deny ip 10.10.10.0 0.0.0.255 host 201.17.93.16 log deny ip 10.10.10.0 0.0.0.255 host 201.36.156.121 log deny ip 10.10.10.0 0.0.0.255 host 202.96.112.93 log deny ip 10.10.10.0 0.0.0.255 host 202.103.25.253 log deny ip 10.10.10.0 0.0.0.255 host 203.162.3.209 log deny ip 10.10.10.0 0.0.0.255 host 203.209.124.144 log deny 
ip 10.10.10.0 0.0.0.255 host 210.106.193.237 log deny ip 10.10.10.0 0.0.0.255 host 210.222.114.102 log deny ip 10.10.10.0 0.0.0.255 host 211.144.143.143 log deny ip 10.10.10.0 0.0.0.255 host 211.172.218.237 log deny ip 10.10.10.0 0.0.0.255 host 211.250.16.132 log deny ip 10.10.10.0 0.0.0.255 host 212.21.241.31 log deny ip 10.10.10.0 0.0.0.255 host 212.100.212.100 log deny ip 10.10.10.0 0.0.0.255 host 218.18.72.252 log deny ip 10.10.10.0 0.0.0.255 host 218.39.114.122 log deny ip 10.10.10.0 0.0.0.255 host 218.55.115.43 log deny ip 10.10.10.0 0.0.0.255 host 218.104.138.146 log deny ip 10.10.10.0 0.0.0.255 host 219.132.104.160 log deny ip 10.10.10.0 0.0.0.255 host 220.71.17.86 log deny ip 10.10.10.0 0.0.0.255 host 220.81.50.105 log deny ip 10.10.10.0 0.0.0.255 host 220.91.99.46 log deny ip 10.10.10.0 0.0.0.255 host 221.14.249.242 log deny ip 10.10.10.0 0.0.0.255 host 221.166.177.135 log deny ip 10.10.10.0 0.0.0.255 host 221.198.33.38 log deny ip 10.10.10.0 0.0.0.255 host 221.202.160.233 log deny ip 10.10.10.0 0.0.0.255 host 221.205.54.125 log deny ip 10.10.10.0 0.0.0.255 host 221.217.44.248 log deny ip 10.10.10.0 0.0.0.255 host 222.100.212.223 log deny ip 10.10.10.0 0.0.0.255 host 222.121.118.144 log deny ip 10.10.10.0 0.0.0.255 host 222.174.113.2 log deny ip 10.10.11.0 0.0.0.255 host 58.33.181.83 log deny ip 10.10.11.0 0.0.0.255 host 58.53.82.190 log deny ip 10.10.11.0 0.0.0.255 host 58.231.13.78 log deny ip 10.10.11.0 0.0.0.255 host 61.150.47.112 log deny ip 10.10.11.0 0.0.0.255 host 61.184.14.102 log deny ip 10.10.11.0 0.0.0.255 host 64.106.85.186 log deny ip 10.10.11.0 0.0.0.255 host 70.228.60.100 log deny ip 10.10.11.0 0.0.0.255 host 80.51.236.6 log deny ip 10.10.11.0 0.0.0.255 host 80.243.72.149 log deny ip 10.10.11.0 0.0.0.255 host 80.249.77.34 log deny ip 10.10.11.0 0.0.0.255 host 81.2.36.254 log deny ip 10.10.11.0 0.0.0.255 host 81.196.74.125 log deny ip 10.10.11.0 0.0.0.255 host 82.77.37.174 log deny ip 10.10.11.0 0.0.0.255 host 82.117.221.205 log deny ip 
10.10.11.0 0.0.0.255 host 82.143.196.17 log deny ip 10.10.11.0 0.0.0.255 host 84.90.8.198 log deny ip 10.10.11.0 0.0.0.255 host 151.8.224.178 log deny ip 10.10.11.0 0.0.0.255 host 168.156.76.20 log deny ip 10.10.11.0 0.0.0.255 host 192.168.1.1 log deny ip 10.10.11.0 0.0.0.255 host 192.168.1.2 log deny ip 10.10.11.0 0.0.0.255 192.168.1.3 0.0.0.3 log deny ip 10.10.11.0 0.0.0.255 host 192.168.1.200 log deny ip 10.10.11.0 0.0.0.255 host 192.168.1.201 log deny ip 10.10.11.0 0.0.0.255 192.168.2.128 0.0.0.127 log deny ip 10.10.11.0 0.0.0.255 host 193.207.126.36 log deny ip 10.10.11.0 0.0.0.255 host 195.136.186.35 log deny ip 10.10.11.0 0.0.0.255 host 196.15.136.15 log deny ip 10.10.11.0 0.0.0.255 host 201.10.180.138 log deny ip 10.10.11.0 0.0.0.255 host 201.17.93.16 log deny ip 10.10.11.0 0.0.0.255 host 201.36.156.121 log deny ip 10.10.11.0 0.0.0.255 host 202.96.112.93 log deny ip 10.10.11.0 0.0.0.255 host 202.103.25.253 log deny ip 10.10.11.0 0.0.0.255 host 203.162.3.209 log deny ip 10.10.11.0 0.0.0.255 host 203.209.124.144 log deny ip 10.10.11.0 0.0.0.255 host 210.106.193.237 log deny ip 10.10.11.0 0.0.0.255 host 210.222.114.102 log deny ip 10.10.11.0 0.0.0.255 host 211.144.143.143 log deny ip 10.10.11.0 0.0.0.255 host 211.172.218.237 log deny ip 10.10.11.0 0.0.0.255 host 211.250.16.132 log deny ip 10.10.11.0 0.0.0.255 host 212.21.241.31 log deny ip 10.10.11.0 0.0.0.255 host 212.100.212.100 log deny ip 10.10.11.0 0.0.0.255 host 218.18.72.252 log deny ip 10.10.11.0 0.0.0.255 host 218.39.114.122 log deny ip 10.10.11.0 0.0.0.255 host 218.55.115.43 log deny ip 10.10.11.0 0.0.0.255 host 218.104.138.146 log deny ip 10.10.11.0 0.0.0.255 host 219.132.104.160 log deny ip 10.10.11.0 0.0.0.255 host 220.71.17.86 log deny ip 10.10.11.0 0.0.0.255 host 220.81.50.105 log deny ip 10.10.11.0 0.0.0.255 host 220.91.99.46 log deny ip 10.10.11.0 0.0.0.255 host 221.14.249.242 log deny ip 10.10.11.0 0.0.0.255 host 221.166.177.135 log deny ip 10.10.11.0 0.0.0.255 host 221.198.33.38 log deny ip 
10.10.11.0 0.0.0.255 host 221.202.160.233 log deny ip 10.10.11.0 0.0.0.255 host 221.205.54.125 log deny ip 10.10.11.0 0.0.0.255 host 221.217.44.248 log deny ip 10.10.11.0 0.0.0.255 host 222.100.212.223 log deny ip 10.10.11.0 0.0.0.255 host 222.121.118.144 log deny ip 10.10.11.0 0.0.0.255 host 222.174.113.2 log deny ip 10.10.12.0 0.0.0.255 host 58.33.181.83 log deny ip 10.10.12.0 0.0.0.255 host 58.53.82.190 log deny ip 10.10.12.0 0.0.0.255 host 58.231.13.78 log deny ip 10.10.12.0 0.0.0.255 host 61.150.47.112 log deny ip 10.10.12.0 0.0.0.255 host 61.184.14.102 log deny ip 10.10.12.0 0.0.0.255 host 64.106.85.186 log deny ip 10.10.12.0 0.0.0.255 host 70.228.60.100 log deny ip 10.10.12.0 0.0.0.255 host 80.51.236.6 log deny ip 10.10.12.0 0.0.0.255 host 80.243.72.149 log deny ip 10.10.12.0 0.0.0.255 host 80.249.77.34 log deny ip 10.10.12.0 0.0.0.255 host 81.2.36.254 log deny ip 10.10.12.0 0.0.0.255 host 81.196.74.125 log deny ip 10.10.12.0 0.0.0.255 host 82.77.37.174 log deny ip 10.10.12.0 0.0.0.255 host 82.117.221.205 log deny ip 10.10.12.0 0.0.0.255 host 82.143.196.17 log deny ip 10.10.12.0 0.0.0.255 host 84.90.8.198 log deny ip 10.10.12.0 0.0.0.255 host 151.8.224.178 log deny ip 10.10.12.0 0.0.0.255 host 168.156.76.20 log deny ip 10.10.12.0 0.0.0.255 host 192.168.1.1 log deny ip 10.10.12.0 0.0.0.255 host 192.168.1.2 log deny ip 10.10.12.0 0.0.0.255 192.168.1.3 0.0.0.3 log deny ip 10.10.12.0 0.0.0.255 host 192.168.1.200 log deny ip 10.10.12.0 0.0.0.255 host 192.168.1.201 log deny ip 10.10.12.0 0.0.0.255 192.168.2.128 0.0.0.127 log deny ip 10.10.12.0 0.0.0.255 host 193.207.126.36 log deny ip 10.10.12.0 0.0.0.255 host 195.136.186.35 log deny ip 10.10.12.0 0.0.0.255 host 196.15.136.15 log deny ip 10.10.12.0 0.0.0.255 host 201.10.180.138 log deny ip 10.10.12.0 0.0.0.255 host 201.17.93.16 log deny ip 10.10.12.0 0.0.0.255 host 201.36.156.121 log deny ip 10.10.12.0 0.0.0.255 host 202.96.112.93 log deny ip 10.10.12.0 0.0.0.255 host 202.103.25.253 log deny ip 10.10.12.0 
0.0.0.255 host 203.162.3.209 log deny ip 10.10.12.0 0.0.0.255 host 203.209.124.144 log deny ip 10.10.12.0 0.0.0.255 host 210.106.193.237 log deny ip 10.10.12.0 0.0.0.255 host 210.222.114.102 log deny ip 10.10.12.0 0.0.0.255 host 211.144.143.143 log deny ip 10.10.12.0 0.0.0.255 host 211.172.218.237 log deny ip 10.10.12.0 0.0.0.255 host 211.250.16.132 log deny ip 10.10.12.0 0.0.0.255 host 212.21.241.31 log deny ip 10.10.12.0 0.0.0.255 host 212.100.212.100 log deny ip 10.10.12.0 0.0.0.255 host 218.18.72.252 log deny ip 10.10.12.0 0.0.0.255 host 218.39.114.122 log deny ip 10.10.12.0 0.0.0.255 host 218.55.115.43 log deny ip 10.10.12.0 0.0.0.255 host 218.104.138.146 log deny ip 10.10.12.0 0.0.0.255 host 219.132.104.160 log deny ip 10.10.12.0 0.0.0.255 host 220.71.17.86 log deny ip 10.10.12.0 0.0.0.255 host 220.81.50.105 log deny ip 10.10.12.0 0.0.0.255 host 220.91.99.46 log deny ip 10.10.12.0 0.0.0.255 host 221.14.249.242 log deny ip 10.10.12.0 0.0.0.255 host 221.166.177.135 log deny ip 10.10.12.0 0.0.0.255 host 221.198.33.38 log deny ip 10.10.12.0 0.0.0.255 host 221.202.160.233 log deny ip 10.10.12.0 0.0.0.255 host 221.205.54.125 log deny ip 10.10.12.0 0.0.0.255 host 221.217.44.248 log deny ip 10.10.12.0 0.0.0.255 host 222.100.212.223 log deny ip 10.10.12.0 0.0.0.255 host 222.121.118.144 log deny ip 10.10.12.0 0.0.0.255 host 222.174.113.2 log ! ! Rule 3 (ethernet0) ! testios3:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode deny ip 10.10.10.0 0.0.0.255 192.0.2.0 0.0.0.255 log deny ip 10.10.11.0 0.0.0.255 192.0.2.0 0.0.0.255 log deny ip 10.10.12.0 0.0.0.255 192.0.2.0 0.0.0.255 log ! ! Rule 4 (global) deny ip any any log exit ip access-list extended e1_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp 10.10.10.0 0.0.0.255 host 1.1.1.1 eq 22 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22 ! ! Rule 4 (global) deny ip any any log exit ip access-list extended e1_out ! ! 
Rule -2 backup ssh access rule (out) (automatic) permit tcp host 1.1.1.1 eq 22 10.10.10.0 0.0.0.255 permit tcp host 10.10.10.1 eq 22 10.10.10.0 0.0.0.255 ! ! Rule 4 (global) deny ip any any log exit interface ethernet0 ip access-group e0_in in exit interface ethernet0 ip access-group e0_out out exit interface ethernet1 ip access-group e1_in in exit interface ethernet1 ip access-group e1_out out exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/testios4.fw.orig000077500000000000000000000126561303637203600210350ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:20 2011 PST by vadim ! ! Compiled for iosacl 12.4 ! !# files: * testios4.fw ! ! using object-groups ! testios4:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode ! ! Prolog script: ! ! ! End of prolog script: ! hostname testios4 ! 
temporary access list for "safety net install" no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 10.10.10.0 0.0.0.255 any deny ip any any exit interface ethernet1 no ip access-group in no ip access-group out ip access-group tmp_acl in exit no ip access-list extended e0_in no ip access-list extended e0_out no ip access-list extended e1_in no ip access-list extended e1_out no object-group network id47161X84238.1.src.net.0 no object-group network id47180X84238.src.net.0 no object-group network id47180X84238.dst.net.0 no object-group network id47192X84238.dst.net.0 no object-group network id47204X84238.dst.net.0 object-group network id47161X84238.1.src.net.0 host 1.1.1.1 host 10.10.10.1 exit object-group network id47180X84238.src.net.0 10.10.10.0 /24 10.10.11.0 /24 10.10.12.0 /24 exit object-group network id47180X84238.dst.net.0 192.168.1.1 /32 192.168.1.2 /32 192.168.1.3 /30 192.168.1.200 /32 192.168.1.201 /32 192.168.2.128 /25 exit object-group network id47192X84238.dst.net.0 58.33.181.83 /32 58.53.82.190 /32 58.231.13.78 /32 61.150.47.112 /32 61.184.14.102 /32 64.106.85.186 /32 70.228.60.100 /32 80.51.236.6 /32 80.243.72.149 /32 80.249.77.34 /32 81.2.36.254 /32 81.196.74.125 /32 82.77.37.174 /32 82.117.221.205 /32 82.143.196.17 /32 84.90.8.198 /32 151.8.224.178 /32 168.156.76.20 /32 193.207.126.36 /32 195.136.186.35 /32 196.15.136.15 /32 201.10.180.138 /32 201.17.93.16 /32 201.36.156.121 /32 202.96.112.93 /32 202.103.25.253 /32 203.162.3.209 /32 203.209.124.144 /32 210.106.193.237 /32 210.222.114.102 /32 211.144.143.143 /32 211.172.218.237 /32 211.250.16.132 /32 212.21.241.31 /32 212.100.212.100 /32 218.18.72.252 /32 218.39.114.122 /32 218.55.115.43 /32 218.104.138.146 /32 219.132.104.160 /32 220.71.17.86 /32 220.81.50.105 /32 220.91.99.46 /32 221.14.249.242 /32 221.166.177.135 /32 221.198.33.38 /32 221.202.160.233 /32 221.205.54.125 /32 221.217.44.248 /32 222.100.212.223 /32 222.121.118.144 /32 222.174.113.2 /32 exit object-group network 
id47204X84238.dst.net.0 58.33.181.83 /32 58.53.82.190 /32 58.231.13.78 /32 61.150.47.112 /32 61.184.14.102 /32 64.106.85.186 /32 70.228.60.100 /32 80.51.236.6 /32 80.243.72.149 /32 80.249.77.34 /32 81.2.36.254 /32 81.196.74.125 /32 82.77.37.174 /32 82.117.221.205 /32 82.143.196.17 /32 84.90.8.198 /32 151.8.224.178 /32 168.156.76.20 /32 192.168.1.1 /32 192.168.1.2 /32 192.168.1.3 /30 192.168.1.200 /32 192.168.1.201 /32 192.168.2.128 /25 193.207.126.36 /32 195.136.186.35 /32 196.15.136.15 /32 201.10.180.138 /32 201.17.93.16 /32 201.36.156.121 /32 202.96.112.93 /32 202.103.25.253 /32 203.162.3.209 /32 203.209.124.144 /32 210.106.193.237 /32 210.222.114.102 /32 211.144.143.143 /32 211.172.218.237 /32 211.250.16.132 /32 212.21.241.31 /32 212.100.212.100 /32 218.18.72.252 /32 218.39.114.122 /32 218.55.115.43 /32 218.104.138.146 /32 219.132.104.160 /32 220.71.17.86 /32 220.81.50.105 /32 220.91.99.46 /32 221.14.249.242 /32 221.166.177.135 /32 221.198.33.38 /32 221.202.160.233 /32 221.205.54.125 /32 221.217.44.248 /32 222.100.212.223 /32 222.121.118.144 /32 222.174.113.2 /32 exit ! ================ IPv4 ip access-list extended e0_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp 10.10.10.0 0.0.0.255 object-group id47161X84238.1.src.net.0 eq 22 ! ! Rule 4 (global) deny ip any any log exit ip access-list extended e0_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp object-group id47161X84238.1.src.net.0 eq 22 10.10.10.0 0.0.0.255 ! ! Rule 0 (ethernet0) deny ip object-group id47180X84238.src.net.0 object-group id47180X84238.dst.net.0 log ! ! Rule 1 (ethernet0) deny ip object-group id47180X84238.src.net.0 object-group id47192X84238.dst.net.0 log ! ! Rule 2 (ethernet0) deny ip object-group id47180X84238.src.net.0 object-group id47204X84238.dst.net.0 log ! ! Rule 3 (ethernet0) ! 
testios4:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode deny ip object-group id47180X84238.src.net.0 192.0.2.0 0.0.0.255 log ! ! Rule 4 (global) deny ip any any log exit ip access-list extended e1_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp 10.10.10.0 0.0.0.255 object-group id47161X84238.1.src.net.0 eq 22 ! ! Rule 4 (global) deny ip any any log exit ip access-list extended e1_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp object-group id47161X84238.1.src.net.0 eq 22 10.10.10.0 0.0.0.255 ! ! Rule 4 (global) deny ip any any log exit interface ethernet0 ip access-group e0_in in exit interface ethernet0 ip access-group e0_out out exit interface ethernet1 ip access-group e1_in in exit interface ethernet1 ip access-group e1_out out exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/testios5-1.fw.orig000077500000000000000000000162331303637203600211670ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:21 2011 PST by vadim ! ! Compiled for iosacl 12.4 ! !# files: * testios5-1.fw ! ! mirrored rules, using object-groups ! ! Prolog script: ! ! ! End of prolog script: ! hostname testios5-1 ! 
temporary access list for "safety net install" no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 10.10.10.0 0.0.0.255 any deny ip any any exit interface ethernet1 no ip access-group in no ip access-group out ip access-group tmp_acl in exit no ip access-list extended e0_in no ip access-list extended e0_out no ip access-list extended e1_in no ip access-list extended e1_out no object-group network id115980X79820.1.src.net.0 no object-group network id115999X79820.src.net.0 no object-group network id115999X79820.dst.net.0 no object-group service id116125X79820.srv.tcp.0 no object-group service id91445X81725.srv.tcp.0 object-group network id115980X79820.1.src.net.0 host 1.1.1.1 host 10.10.10.1 exit object-group network id115999X79820.src.net.0 22.22.21.0 /24 22.22.22.0 /24 exit object-group network id115999X79820.dst.net.0 10.10.10.0 /24 10.10.11.0 /24 exit object-group service id116125X79820.srv.tcp.0 tcp eq 80 tcp eq 443 exit object-group service id91445X81725.srv.tcp.0 tcp range 0 65535 tcp eq 80 exit ! ================ IPv4 ip access-list extended e0_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp 10.10.10.0 0.0.0.255 object-group id115980X79820.1.src.net.0 eq 22 ! ! Rule 0 (ethernet0) permit ip object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 ! ! Rule 1 (ethernet0) permit ip object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 ! ! Rule 2 (ethernet0) permit ip object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 permit ip object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 ! ! Rule 3 (ethernet0) deny ip object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 ! ! Rule 4 (ethernet0) permit tcp object-group id115999X79820.src.net.0 eq 80 object-group id115999X79820.dst.net.0 established ! ! Rule 5 (ethernet0) permit tcp object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 eq 80 ! ! 
Rule 6 (ethernet0) permit tcp object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 eq 80 ! ! Rule 7 (ethernet0) permit udp object-group id115999X79820.src.net.0 eq 123 object-group id115999X79820.dst.net.0 ! ! Rule 8 (ethernet0) permit icmp object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 0 ! ! Rule 9 (ethernet0) permit icmp object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 0 permit tcp object-group id115999X79820.src.net.0 eq 80 object-group id115999X79820.dst.net.0 established permit tcp object-group id115999X79820.src.net.0 eq 443 object-group id115999X79820.dst.net.0 established permit ip object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 permit udp object-group id115999X79820.src.net.0 eq 123 object-group id115999X79820.dst.net.0 ! ! Rule 10 (ethernet0) permit tcp object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 match-all -urg +ack -psh -rst -syn -fin permit tcp object-group id115999X79820.src.net.0 eq 80 object-group id115999X79820.dst.net.0 established permit tcp object-group id115999X79820.src.net.0 eq 443 object-group id115999X79820.dst.net.0 established permit tcp object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 match-all -urg +ack -psh -rst +syn -fin permit ip object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 ! ! Rule 11 (ethernet0) permit object-group id91445X81725.srv.tcp.0 object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 ! ! Rule 12 (ethernet0) permit ip object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 exit ip access-list extended e0_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp object-group id115980X79820.1.src.net.0 eq 22 10.10.10.0 0.0.0.255 ! ! Rule 0 (ethernet0) permit ip object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 ! ! 
Rule 1 (ethernet0) permit ip object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 ! ! Rule 2 (ethernet0) permit ip object-group id115999X79820.src.net.0 object-group id115999X79820.dst.net.0 permit ip object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 ! ! Rule 3 (ethernet0) deny ip object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 ! ! Rule 4 (ethernet0) permit tcp object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 eq 80 ! ! Rule 5 (ethernet0) permit tcp object-group id115999X79820.src.net.0 eq 80 object-group id115999X79820.dst.net.0 established ! ! Rule 6 (ethernet0) permit tcp object-group id115999X79820.dst.net.0 eq 80 object-group id115999X79820.src.net.0 established ! ! Rule 7 (ethernet0) permit udp object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 eq 123 ! ! Rule 8 (ethernet0) permit icmp object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 8 ! ! Rule 9 (ethernet0) permit icmp object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 8 permit object-group id116125X79820.srv.tcp.0 object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 permit udp object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 eq 123 ! ! Rule 10 (ethernet0) permit tcp object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 match-all -urg +ack -psh -rst -syn -fin permit tcp object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 match-all -urg +ack -psh -rst +syn -fin permit object-group id116125X79820.srv.tcp.0 object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 ! ! 
Rule 11 (ethernet0) permit tcp object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 established permit tcp object-group id115999X79820.dst.net.0 eq 80 object-group id115999X79820.src.net.0 established permit ip object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 ! ! Rule 12 (ethernet0) permit ip object-group id115999X79820.dst.net.0 object-group id115999X79820.src.net.0 exit ip access-list extended e1_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp 10.10.10.0 0.0.0.255 object-group id115980X79820.1.src.net.0 eq 22 exit ip access-list extended e1_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp object-group id115980X79820.1.src.net.0 eq 22 10.10.10.0 0.0.0.255 exit interface ethernet0 ip access-group e0_in in exit interface ethernet0 ip access-group e0_out out exit interface ethernet1 ip access-group e1_in in exit interface ethernet1 ip access-group e1_out out exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/iosacl/testios5.fw.orig000077500000000000000000000357401303637203600210350ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_iosacl v5.0.1.3584 ! ! Generated Tue Nov 8 08:41:21 2011 PST by vadim ! ! Compiled for iosacl 12.4 ! !# files: * testios5.fw ! ! mirrored rules, not using object-groups ! ! Prolog script: ! ! ! End of prolog script: ! hostname testios5 ! temporary access list for "safety net install" no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 10.10.10.0 0.0.0.255 any deny ip any any exit interface ethernet1 no ip access-group in no ip access-group out ip access-group tmp_acl in exit no ip access-list extended e0_in no ip access-list extended e0_out no ip access-list extended e1_in no ip access-list extended e1_out ! ================ IPv4 ip access-list extended e0_in ! ! 
Rule -1 backup ssh access rule (automatic) permit tcp 10.10.10.0 0.0.0.255 host 1.1.1.1 eq 22 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22 ! ! Rule 0 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 ! ! Rule 1 (ethernet0) permit ip 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 permit ip 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 permit ip 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 permit ip 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 ! ! Rule 2 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 permit ip 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 permit ip 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 permit ip 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 ! ! Rule 3 (ethernet0) deny ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 deny ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 deny ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 deny ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 ! ! Rule 4 (ethernet0) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.11.0 0.0.0.255 established permit tcp 22.22.22.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit tcp 22.22.22.0 0.0.0.255 eq 80 10.10.11.0 0.0.0.255 established ! ! Rule 5 (ethernet0) permit tcp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 80 permit tcp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 80 permit tcp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 80 permit tcp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 80 ! ! 
Rule 6 (ethernet0) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 permit tcp 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 eq 80 permit tcp 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 permit tcp 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 eq 80 ! ! Rule 7 (ethernet0) permit udp 22.22.21.0 0.0.0.255 eq 123 10.10.10.0 0.0.0.255 permit udp 22.22.21.0 0.0.0.255 eq 123 10.10.11.0 0.0.0.255 permit udp 22.22.22.0 0.0.0.255 eq 123 10.10.10.0 0.0.0.255 permit udp 22.22.22.0 0.0.0.255 eq 123 10.10.11.0 0.0.0.255 ! ! Rule 8 (ethernet0) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit icmp 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 0 permit icmp 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit icmp 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 0 ! ! Rule 9 (ethernet0) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit icmp 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 0 permit icmp 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit icmp 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.11.0 0.0.0.255 established permit tcp 22.22.22.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit tcp 22.22.22.0 0.0.0.255 eq 80 10.10.11.0 0.0.0.255 established permit udp 22.22.21.0 0.0.0.255 eq 123 10.10.10.0 0.0.0.255 permit udp 22.22.21.0 0.0.0.255 eq 123 10.10.11.0 0.0.0.255 permit udp 22.22.22.0 0.0.0.255 eq 123 10.10.10.0 0.0.0.255 permit udp 22.22.22.0 0.0.0.255 eq 123 10.10.11.0 0.0.0.255 ! ! 
Rule 10 (ethernet0) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 match-all -urg +ack -psh -rst -syn -fin permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 match-all -urg +ack -psh -rst +syn -fin permit tcp 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 match-all -urg +ack -psh -rst -syn -fin permit tcp 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 eq 80 permit tcp 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 match-all -urg +ack -psh -rst +syn -fin permit tcp 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 match-all -urg +ack -psh -rst -syn -fin permit tcp 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 permit tcp 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 match-all -urg +ack -psh -rst +syn -fin permit tcp 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 match-all -urg +ack -psh -rst -syn -fin permit tcp 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 eq 80 permit tcp 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 match-all -urg +ack -psh -rst +syn -fin ! ! Rule 11 (ethernet0) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit tcp 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit tcp 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit tcp 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 ! ! Rule 12 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 option any-options permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 dscp 16 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 option any-options permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 dscp 16 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 option any-options permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 dscp 16 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 option any-options permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 dscp 16 ! ! 
Rule 13 (ethernet0) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit icmp 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 0 permit icmp 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit icmp 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 eq 179 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 79 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 179 10.10.11.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 79 10.10.11.0 0.0.0.255 established permit tcp 22.22.22.0 0.0.0.255 eq 179 10.10.10.0 0.0.0.255 established permit tcp 22.22.22.0 0.0.0.255 eq 79 10.10.10.0 0.0.0.255 established permit tcp 22.22.22.0 0.0.0.255 eq 179 10.10.11.0 0.0.0.255 established permit tcp 22.22.22.0 0.0.0.255 eq 79 10.10.11.0 0.0.0.255 established permit udp 22.22.21.0 0.0.0.255 eq 123 10.10.10.0 0.0.0.255 permit udp 22.22.21.0 0.0.0.255 eq 26000 10.10.10.0 0.0.0.255 permit udp 22.22.21.0 0.0.0.255 eq 123 10.10.11.0 0.0.0.255 permit udp 22.22.21.0 0.0.0.255 eq 26000 10.10.11.0 0.0.0.255 permit udp 22.22.22.0 0.0.0.255 eq 123 10.10.10.0 0.0.0.255 permit udp 22.22.22.0 0.0.0.255 eq 26000 10.10.10.0 0.0.0.255 permit udp 22.22.22.0 0.0.0.255 eq 123 10.10.11.0 0.0.0.255 permit udp 22.22.22.0 0.0.0.255 eq 26000 10.10.11.0 0.0.0.255 exit ip access-list extended e0_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp host 1.1.1.1 eq 22 10.10.10.0 0.0.0.255 permit tcp host 10.10.10.1 eq 22 10.10.10.0 0.0.0.255 ! ! Rule 0 (ethernet0) permit ip 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 permit ip 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 permit ip 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 permit ip 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 ! ! Rule 1 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 ! ! 
Rule 2 (ethernet0) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 permit ip 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 permit ip 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 permit ip 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 ! ! Rule 3 (ethernet0) deny ip 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 deny ip 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 deny ip 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 deny ip 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 ! ! Rule 4 (ethernet0) permit tcp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 80 permit tcp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 80 permit tcp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 80 permit tcp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 80 ! ! Rule 5 (ethernet0) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.11.0 0.0.0.255 established permit tcp 22.22.22.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit tcp 22.22.22.0 0.0.0.255 eq 80 10.10.11.0 0.0.0.255 established ! ! Rule 6 (ethernet0) permit tcp 10.10.10.0 0.0.0.255 eq 80 22.22.21.0 0.0.0.255 established permit tcp 10.10.10.0 0.0.0.255 eq 80 22.22.22.0 0.0.0.255 established permit tcp 10.10.11.0 0.0.0.255 eq 80 22.22.21.0 0.0.0.255 established permit tcp 10.10.11.0 0.0.0.255 eq 80 22.22.22.0 0.0.0.255 established ! ! Rule 7 (ethernet0) permit udp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 123 permit udp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 123 permit udp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 123 permit udp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 123 ! ! 
Rule 8 (ethernet0) permit icmp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 8 permit icmp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 8 permit icmp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 8 permit icmp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 8 ! ! Rule 9 (ethernet0) permit icmp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 8 permit icmp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 8 permit icmp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 8 permit icmp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 8 permit tcp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 80 permit tcp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 80 permit tcp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 80 permit tcp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 80 permit udp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 123 permit udp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 123 permit udp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 123 permit udp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 123 ! ! Rule 10 (ethernet0) permit tcp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 match-all -urg +ack -psh -rst -syn -fin permit tcp 10.10.10.0 0.0.0.255 eq 80 22.22.21.0 0.0.0.255 established permit tcp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 match-all -urg +ack -psh -rst +syn -fin permit tcp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 match-all -urg +ack -psh -rst -syn -fin permit tcp 10.10.10.0 0.0.0.255 eq 80 22.22.22.0 0.0.0.255 established permit tcp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 match-all -urg +ack -psh -rst +syn -fin permit tcp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 match-all -urg +ack -psh -rst -syn -fin permit tcp 10.10.11.0 0.0.0.255 eq 80 22.22.21.0 0.0.0.255 established permit tcp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 match-all -urg +ack -psh -rst +syn -fin permit tcp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 match-all -urg +ack -psh -rst -syn -fin permit tcp 10.10.11.0 0.0.0.255 eq 80 22.22.22.0 0.0.0.255 established permit tcp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 match-all -urg +ack 
-psh -rst +syn -fin ! ! Rule 11 (ethernet0) permit tcp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 established permit tcp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 established permit tcp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 established permit tcp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 established ! ! Rule 12 (ethernet0) permit ip 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 option any-options permit ip 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 dscp 16 permit ip 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 option any-options permit ip 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 dscp 16 permit ip 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 option any-options permit ip 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 dscp 16 permit ip 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 option any-options permit ip 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 dscp 16 ! ! Rule 13 (ethernet0) permit icmp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 0 permit icmp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 0 permit icmp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 0 permit icmp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 0 permit tcp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 179 permit tcp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 79 permit tcp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 179 permit tcp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 79 permit tcp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 179 permit tcp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 79 permit tcp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 179 permit tcp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 79 permit udp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 123 permit udp 10.10.10.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 26000 permit udp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 123 permit udp 10.10.10.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 26000 permit udp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 123 permit udp 10.10.11.0 0.0.0.255 22.22.21.0 0.0.0.255 eq 26000 permit udp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 
123 permit udp 10.10.11.0 0.0.0.255 22.22.22.0 0.0.0.255 eq 26000 exit ip access-list extended e1_in ! ! Rule -1 backup ssh access rule (automatic) permit tcp 10.10.10.0 0.0.0.255 host 1.1.1.1 eq 22 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22 exit ip access-list extended e1_out ! ! Rule -2 backup ssh access rule (out) (automatic) permit tcp host 1.1.1.1 eq 22 10.10.10.0 0.0.0.255 permit tcp host 10.10.10.1 eq 22 10.10.10.0 0.0.0.255 exit interface ethernet0 ip access-group e0_in in exit interface ethernet0 ip access-group e0_out out exit interface ethernet1 ip access-group e1_in in exit interface ethernet1 ip access-group e1_out out exit ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/ipf/000077500000000000000000000000001303637203600152515ustar00rootroot00000000000000fwbuilder-5.3.7/test/ipf/Makefile000066400000000000000000000007241303637203600167140ustar00rootroot00000000000000 FW_OBJECTS := $(shell fwbedit list -f objects-for-regression-tests.fwb -o /User/Firewalls -c -F%name% | sort) # CL_OBJECTS := $(shell fwbedit list -f cluster-tests.fwb -o /User/Clusters -c -F%name% | sort) $(FW_OBJECTS): fwb_ipf -f objects-for-regression-tests.fwb -xt $@ $(CL_OBJECTS): fwb_ipf -f cluster-tests.fwb -xt -xc $@ .PHONY: all firewalls clusters $(FW_OBJECTS) $(CL_OBJECTS) all: firewalls clusters firewalls: $(FW_OBJECTS) clusters: $(CL_OBJECTS) fwbuilder-5.3.7/test/ipf/addr-table-1.tbl000066400000000000000000000003041303637203600201060ustar00rootroot00000000000000# this is a comment # ; this should be a comment too ; 192.168.1.1 192.168.1.2/32 192.168.1.3/30 192.168.2.128/25 192.168.1.200/32 # comment again 192.168.1.201/32 # this should work, too fwbuilder-5.3.7/test/ipf/do-diff000077500000000000000000000002521303637203600165060ustar00rootroot00000000000000#!/bin/sh T=$1 N=$2 if which opendiff > /dev/null; then TOOL="opendiff" else TOOL="tkdiff -b -B " fi ${TOOL} firewall${N}-${T}.conf.orig firewall${N}-${T}.conf 
fwbuilder-5.3.7/test/ipf/firewall-ipf.conf.orig000077500000000000000000000663271303637203600214610ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall:Policy:4: warning: Changing rule direction due to self reference # firewall:Policy:8: warning: Changing rule direction due to self reference # firewall:Policy:19: warning: Changing rule direction due to self reference # firewall:Policy:19: warning: Changing rule direction due to self reference # firewall:Policy:20: warning: Changing rule direction due to self reference # firewall:Policy:: warning: ipfilter can not match "any IP option" # firewall:Policy:: warning: ipfilter can not match "any IP option" # # Rule backup ssh access rule # backup ssh access rule pass in quick proto tcp from 192.168.1.100 to 192.168.1.1 port = 22 flags S keep state pass in quick proto tcp from 192.168.1.100 to 222.222.222.222 port = 22 flags S keep state # # Rule 0 (eth1) block in log level local0.warning quick on eth1 from any to 192.168.1.1 with short block in log level local0.warning quick on eth1 from any to 222.222.222.222 with short # # Rule 1 (eth1) # Automatically generated rule blocking short fragments block in log level local0.warning quick on eth1 from any to any with short # # Rule 2 (eth1) # Automatically generated anti-spoofing rule block in log level local0.warning quick on eth1 from 192.168.1.1 to any block in log level local0.warning quick on eth1 from 222.222.222.222 to any block in log level local0.warning quick on eth1 from 192.168.1.0/24 to any # # Rule 3 (eth1) # комментарий по-русски pass in quick on eth1 proto icmp from 22.22.22.0/24 to any keep state pass in quick on eth1 proto icmp from 33.33.33.0/24 to any keep state pass in quick on eth1 proto tcp from 22.22.22.0/24 to any flags S keep state pass in quick on eth1 proto tcp from 33.33.33.0/24 to any flags S keep state pass in quick on eth1 proto udp from 22.22.22.0/24 to any keep state pass in quick on eth1 proto udp from 33.33.33.0/24 
to any keep state pass in quick on eth1 from 22.22.22.0/24 to any pass in quick on eth1 from 33.33.33.0/24 to any # # Rule 4 (eth0) # firewall:Policy:4: warning: Changing rule direction due to self reference pass in quick on eth0 proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53 keep state pass in quick on eth0 proto udp from 192.168.1.0/24 to 222.222.222.222 port = 53 keep state # # Rule 5 (eth0) block in log level local0.warning quick on eth0 proto udp from any to 192.168.1.255 port = 53 # # Rule 6 (global) block in log level local0.warning quick proto icmp from any to any block in log level local0.warning quick proto tcp from any to any flags S/UAPRSF block in log level local0.warning quick proto tcp from any to any flags ARSF/UAPRSF block out log level local0.warning quick proto icmp from any to any block out log level local0.warning quick proto tcp from any to any flags S/UAPRSF block out log level local0.warning quick proto tcp from any to any flags ARSF/UAPRSF # # Rule 7 (global) block return-icmp-as-dest (3) in log level local0.warning quick from any to any with opt rr block return-icmp-as-dest (3) in log level local0.warning quick from any to any with opt lsrr opt ssrr block return-icmp-as-dest (3) in log level local0.warning quick from any to any with opt ts block return-icmp-as-dest (3) in log level local0.warning quick from any to any block out log level local0.warning quick from any to any with opt rr block out log level local0.warning quick from any to any with opt lsrr opt ssrr block out log level local0.warning quick from any to any with opt ts block out log level local0.warning quick from any to any # # Rule 8 (global) # firewall:Policy:8: warning: Changing rule direction due to self reference block return-icmp-as-dest (3) in quick proto 50 from any to 192.168.1.1 block return-icmp-as-dest (3) in quick proto 50 from any to 222.222.222.222 # # Rule 11 (global) pass in quick proto tcp from 211.11.11.11 to 192.168.1.10 port = 53 flags S keep 
state pass in quick proto tcp from 211.22.22.22 to 192.168.1.10 port = 53 flags S keep state pass out quick proto tcp from 211.11.11.11 to 192.168.1.10 port = 53 flags S keep state pass out quick proto tcp from 211.22.22.22 to 192.168.1.10 port = 53 flags S keep state # # Rule 12 (global) pass in quick proto tcp from any to 192.168.1.10 port = 113 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 13 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 53 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 2105 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 21 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 70 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 80 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 443 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 143 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 993 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 6667 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 543 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 544 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 389 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 98 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 3306 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 2049 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 119 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 110 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 5432 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 515 flags S keep state pass in quick proto tcp from any to 192.168.1.10 
port = 26000 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 512 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 513 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 514 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 4321 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 25 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 465 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 1080 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 3128 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 22 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 111 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 23 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port 9999 >< 10041 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 540 flags S keep state pass in quick proto tcp from any to 192.168.1.10 port = 7100 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 113 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 13 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 53 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 2105 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 21 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 70 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 80 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 443 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 143 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 993 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 
6667 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 543 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 544 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 389 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 98 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 3306 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 2049 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 119 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 110 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 5432 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 515 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 26000 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 512 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 513 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 514 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 4321 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 25 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 465 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 1080 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 3128 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 22 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 111 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 23 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port 9999 >< 10041 flags S keep state pass out quick proto tcp from any to 192.168.1.10 port = 540 flags S keep state pass out quick proto tcp from any to 
192.168.1.10 port = 7100 flags S keep state # # Rule 13 (global) pass in quick proto icmp from any to 192.168.1.0/24 icmp-type 3 keep state pass in quick proto icmp from any to 192.168.1.0/24 icmp-type 0 code 0 keep state pass in quick proto icmp from any to 192.168.1.0/24 icmp-type 11 code 0 keep state pass in quick proto icmp from any to 192.168.1.0/24 icmp-type 11 code 1 keep state pass in quick proto tcp from any to 192.168.1.0/24 port = 3128 flags S keep state pass out quick proto icmp from any to 192.168.1.0/24 icmp-type 3 keep state pass out quick proto icmp from any to 192.168.1.0/24 icmp-type 0 code 0 keep state pass out quick proto icmp from any to 192.168.1.0/24 icmp-type 11 code 0 keep state pass out quick proto icmp from any to 192.168.1.0/24 icmp-type 11 code 1 keep state pass out quick proto tcp from any to 192.168.1.0/24 port = 3128 flags S keep state # # Rule 14 (global) skip 2 in from any to 192.168.1.11 skip 1 in from any to 192.168.1.12/30 skip 8 in from any to any pass in quick proto tcp from any to any port = 113 flags S keep state pass in quick proto tcp from any to any port = 80 flags S keep state pass in quick proto tcp from any to any port = 443 flags S keep state pass in quick proto tcp from any to any port = 143 flags S keep state pass in quick proto tcp from any to any port = 25 flags S keep state pass in quick proto tcp from any to any port = 3128 flags S keep state pass in quick proto tcp from any to any port = 22 flags S keep state pass in quick proto tcp from any to any port = 540 flags S keep state skip 2 out from any to 192.168.1.11 skip 1 out from any to 192.168.1.12/30 skip 8 out from any to any pass out quick proto tcp from any to any port = 113 flags S keep state pass out quick proto tcp from any to any port = 80 flags S keep state pass out quick proto tcp from any to any port = 443 flags S keep state pass out quick proto tcp from any to any port = 143 flags S keep state pass out quick proto tcp from any to any port = 25 flags 
S keep state pass out quick proto tcp from any to any port = 3128 flags S keep state pass out quick proto tcp from any to any port = 22 flags S keep state pass out quick proto tcp from any to any port = 540 flags S keep state # # Rule 15 (global) pass in quick proto tcp from any to 192.168.1.11 port = 113 flags S keep state pass in quick proto tcp from any to 192.168.1.11 port = 80 flags S keep state pass in quick proto tcp from any to 192.168.1.11 port = 443 flags S keep state pass in quick proto tcp from any to 192.168.1.11 port = 143 flags S keep state pass in quick proto tcp from any to 192.168.1.11 port = 25 flags S keep state pass in quick proto tcp from any to 192.168.1.11 port = 3128 flags S keep state pass in quick proto tcp from any to 192.168.1.11 port = 22 flags S keep state pass in quick proto tcp from any to 192.168.1.11 port = 540 flags S keep state pass out quick proto tcp from any to 192.168.1.11 port = 113 flags S keep state pass out quick proto tcp from any to 192.168.1.11 port = 80 flags S keep state pass out quick proto tcp from any to 192.168.1.11 port = 443 flags S keep state pass out quick proto tcp from any to 192.168.1.11 port = 143 flags S keep state pass out quick proto tcp from any to 192.168.1.11 port = 25 flags S keep state pass out quick proto tcp from any to 192.168.1.11 port = 3128 flags S keep state pass out quick proto tcp from any to 192.168.1.11 port = 22 flags S keep state pass out quick proto tcp from any to 192.168.1.11 port = 540 flags S keep state # # Rule 16 (global) skip 5 in from any to 192.168.1.11 skip 4 in from any to 192.168.1.12 skip 3 in from any to 192.168.1.13 skip 2 in from any to 192.168.1.14 skip 1 in from any to 192.168.1.15 skip 8 in from any to any pass in quick proto tcp from any to any port = 113 flags S keep state pass in quick proto tcp from any to any port = 80 flags S keep state pass in quick proto tcp from any to any port = 443 flags S keep state pass in quick proto tcp from any to any port = 143 
flags S keep state pass in quick proto tcp from any to any port = 25 flags S keep state pass in quick proto tcp from any to any port = 3128 flags S keep state pass in quick proto tcp from any to any port = 22 flags S keep state pass in quick proto tcp from any to any port = 540 flags S keep state skip 5 out from any to 192.168.1.11 skip 4 out from any to 192.168.1.12 skip 3 out from any to 192.168.1.13 skip 2 out from any to 192.168.1.14 skip 1 out from any to 192.168.1.15 skip 8 out from any to any pass out quick proto tcp from any to any port = 113 flags S keep state pass out quick proto tcp from any to any port = 80 flags S keep state pass out quick proto tcp from any to any port = 443 flags S keep state pass out quick proto tcp from any to any port = 143 flags S keep state pass out quick proto tcp from any to any port = 25 flags S keep state pass out quick proto tcp from any to any port = 3128 flags S keep state pass out quick proto tcp from any to any port = 22 flags S keep state pass out quick proto tcp from any to any port = 540 flags S keep state # # Rule 17 (global) pass in log level local0.warning quick proto icmp from 192.168.1.1 to 192.168.1.1 keep state pass in log level local0.warning quick proto icmp from 192.168.1.1 to 222.222.222.222 keep state pass in log level local0.warning quick proto icmp from 222.222.222.222 to 192.168.1.1 keep state pass in log level local0.warning quick proto icmp from 222.222.222.222 to 222.222.222.222 keep state pass in log level local0.warning quick proto tcp from 192.168.1.1 to 192.168.1.1 flags S keep state pass in log level local0.warning quick proto tcp from 192.168.1.1 to 222.222.222.222 flags S keep state pass in log level local0.warning quick proto tcp from 222.222.222.222 to 192.168.1.1 flags S keep state pass in log level local0.warning quick proto tcp from 222.222.222.222 to 222.222.222.222 flags S keep state pass in log level local0.warning quick proto udp from 192.168.1.1 to 192.168.1.1 keep state pass in log 
level local0.warning quick proto udp from 192.168.1.1 to 222.222.222.222 keep state pass in log level local0.warning quick proto udp from 222.222.222.222 to 192.168.1.1 keep state pass in log level local0.warning quick proto udp from 222.222.222.222 to 222.222.222.222 keep state pass in log level local0.warning quick from 192.168.1.1 to 192.168.1.1 pass in log level local0.warning quick from 192.168.1.1 to 222.222.222.222 pass in log level local0.warning quick from 222.222.222.222 to 192.168.1.1 pass in log level local0.warning quick from 222.222.222.222 to 222.222.222.222 pass out log level local0.warning quick proto icmp from 192.168.1.1 to 192.168.1.1 keep state pass out log level local0.warning quick proto icmp from 192.168.1.1 to 222.222.222.222 keep state pass out log level local0.warning quick proto icmp from 222.222.222.222 to 192.168.1.1 keep state pass out log level local0.warning quick proto icmp from 222.222.222.222 to 222.222.222.222 keep state pass out log level local0.warning quick proto tcp from 192.168.1.1 to 192.168.1.1 flags S keep state pass out log level local0.warning quick proto tcp from 192.168.1.1 to 222.222.222.222 flags S keep state pass out log level local0.warning quick proto tcp from 222.222.222.222 to 192.168.1.1 flags S keep state pass out log level local0.warning quick proto tcp from 222.222.222.222 to 222.222.222.222 flags S keep state pass out log level local0.warning quick proto udp from 192.168.1.1 to 192.168.1.1 keep state pass out log level local0.warning quick proto udp from 192.168.1.1 to 222.222.222.222 keep state pass out log level local0.warning quick proto udp from 222.222.222.222 to 192.168.1.1 keep state pass out log level local0.warning quick proto udp from 222.222.222.222 to 222.222.222.222 keep state pass out log level local0.warning quick from 192.168.1.1 to 192.168.1.1 pass out log level local0.warning quick from 192.168.1.1 to 222.222.222.222 pass out log level local0.warning quick from 222.222.222.222 to 
192.168.1.1 pass out log level local0.warning quick from 222.222.222.222 to 222.222.222.222 # # Rule 19 (global) # firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto icmp from 192.168.1.1 to 192.168.1.1 keep state pass in quick proto icmp from 192.168.1.1 to 222.222.222.222 keep state pass in quick proto icmp from 222.222.222.222 to 192.168.1.1 keep state pass in quick proto icmp from 222.222.222.222 to 222.222.222.222 keep state pass in quick proto tcp from 192.168.1.1 to 192.168.1.1 flags S keep state pass in quick proto tcp from 192.168.1.1 to 222.222.222.222 flags S keep state pass in quick proto tcp from 222.222.222.222 to 192.168.1.1 flags S keep state pass in quick proto tcp from 222.222.222.222 to 222.222.222.222 flags S keep state pass in quick proto udp from 192.168.1.1 to 192.168.1.1 keep state pass in quick proto udp from 192.168.1.1 to 222.222.222.222 keep state pass in quick proto udp from 222.222.222.222 to 192.168.1.1 keep state pass in quick proto udp from 222.222.222.222 to 222.222.222.222 keep state pass in quick from 192.168.1.1 to 192.168.1.1 pass in quick from 192.168.1.1 to 222.222.222.222 pass in quick from 222.222.222.222 to 192.168.1.1 pass in quick from 222.222.222.222 to 222.222.222.222 pass out quick proto icmp from 192.168.1.1 to 192.168.1.1 keep state pass out quick proto icmp from 192.168.1.1 to 222.222.222.222 keep state pass out quick proto icmp from 222.222.222.222 to 192.168.1.1 keep state pass out quick proto icmp from 222.222.222.222 to 222.222.222.222 keep state pass out quick proto tcp from 192.168.1.1 to 192.168.1.1 flags S keep state pass out quick proto tcp from 192.168.1.1 to 222.222.222.222 flags S keep state pass out quick proto tcp from 222.222.222.222 to 192.168.1.1 flags S keep state pass out quick proto tcp from 222.222.222.222 to 222.222.222.222 flags S keep state pass out quick proto udp from 192.168.1.1 to 192.168.1.1 keep state pass out quick proto udp from 192.168.1.1 
to 222.222.222.222 keep state pass out quick proto udp from 222.222.222.222 to 192.168.1.1 keep state pass out quick proto udp from 222.222.222.222 to 222.222.222.222 keep state pass out quick from 192.168.1.1 to 192.168.1.1 pass out quick from 192.168.1.1 to 222.222.222.222 pass out quick from 222.222.222.222 to 192.168.1.1 pass out quick from 222.222.222.222 to 222.222.222.222 pass out quick proto icmp from 192.168.1.1 to 33.33.33.33 keep state pass out quick proto icmp from 192.168.1.1 to 33.33.33.34 keep state pass out quick proto icmp from 222.222.222.222 to 33.33.33.33 keep state pass out quick proto icmp from 222.222.222.222 to 33.33.33.34 keep state pass out quick proto tcp from 192.168.1.1 to 33.33.33.33 flags S keep state pass out quick proto tcp from 192.168.1.1 to 33.33.33.34 flags S keep state pass out quick proto tcp from 222.222.222.222 to 33.33.33.33 flags S keep state pass out quick proto tcp from 222.222.222.222 to 33.33.33.34 flags S keep state pass out quick proto udp from 192.168.1.1 to 33.33.33.33 keep state pass out quick proto udp from 192.168.1.1 to 33.33.33.34 keep state pass out quick proto udp from 222.222.222.222 to 33.33.33.33 keep state pass out quick proto udp from 222.222.222.222 to 33.33.33.34 keep state pass out quick from 192.168.1.1 to 33.33.33.33 pass out quick from 192.168.1.1 to 33.33.33.34 pass out quick from 222.222.222.222 to 33.33.33.33 pass out quick from 222.222.222.222 to 33.33.33.34 pass in quick proto icmp from 33.33.33.33 to 192.168.1.1 keep state pass in quick proto icmp from 33.33.33.33 to 222.222.222.222 keep state pass in quick proto icmp from 33.33.33.34 to 192.168.1.1 keep state pass in quick proto icmp from 33.33.33.34 to 222.222.222.222 keep state pass in quick proto tcp from 33.33.33.33 to 192.168.1.1 flags S keep state pass in quick proto tcp from 33.33.33.33 to 222.222.222.222 flags S keep state pass in quick proto tcp from 33.33.33.34 to 192.168.1.1 flags S keep state pass in quick proto tcp from 
33.33.33.34 to 222.222.222.222 flags S keep state pass in quick proto udp from 33.33.33.33 to 192.168.1.1 keep state pass in quick proto udp from 33.33.33.33 to 222.222.222.222 keep state pass in quick proto udp from 33.33.33.34 to 192.168.1.1 keep state pass in quick proto udp from 33.33.33.34 to 222.222.222.222 keep state pass in quick from 33.33.33.33 to 192.168.1.1 pass in quick from 33.33.33.33 to 222.222.222.222 pass in quick from 33.33.33.34 to 192.168.1.1 pass in quick from 33.33.33.34 to 222.222.222.222 skip 3 in from 33.33.33.33 to any skip 2 in from 33.33.33.34 to any skip 1 in from 192.168.1.1 to any skip 24 in from any to any pass in quick proto icmp from any to 33.33.33.33 keep state pass in quick proto icmp from any to 33.33.33.34 keep state pass in quick proto icmp from any to 192.168.1.1 keep state skip 3 in from 33.33.33.33 to any skip 2 in from 33.33.33.34 to any skip 1 in from 192.168.1.1 to any skip 17 in from any to any pass in quick proto tcp from any to 33.33.33.33 flags S keep state pass in quick proto tcp from any to 33.33.33.34 flags S keep state pass in quick proto tcp from any to 192.168.1.1 flags S keep state skip 3 in from 33.33.33.33 to any skip 2 in from 33.33.33.34 to any skip 1 in from 192.168.1.1 to any skip 10 in from any to any pass in quick proto udp from any to 33.33.33.33 keep state pass in quick proto udp from any to 33.33.33.34 keep state pass in quick proto udp from any to 192.168.1.1 keep state skip 3 in from 33.33.33.33 to any skip 2 in from 33.33.33.34 to any skip 1 in from 192.168.1.1 to any skip 3 in from any to any pass in quick from any to 33.33.33.33 pass in quick from any to 33.33.33.34 pass in quick from any to 192.168.1.1 skip 3 out from 33.33.33.33 to any skip 2 out from 33.33.33.34 to any skip 1 out from 192.168.1.1 to any skip 24 out from any to any pass out quick proto icmp from any to 33.33.33.33 keep state pass out quick proto icmp from any to 33.33.33.34 keep state pass out quick proto icmp from any to 
192.168.1.1 keep state skip 3 out from 33.33.33.33 to any skip 2 out from 33.33.33.34 to any skip 1 out from 192.168.1.1 to any skip 17 out from any to any pass out quick proto tcp from any to 33.33.33.33 flags S keep state pass out quick proto tcp from any to 33.33.33.34 flags S keep state pass out quick proto tcp from any to 192.168.1.1 flags S keep state skip 3 out from 33.33.33.33 to any skip 2 out from 33.33.33.34 to any skip 1 out from 192.168.1.1 to any skip 10 out from any to any pass out quick proto udp from any to 33.33.33.33 keep state pass out quick proto udp from any to 33.33.33.34 keep state pass out quick proto udp from any to 192.168.1.1 keep state skip 3 out from 33.33.33.33 to any skip 2 out from 33.33.33.34 to any skip 1 out from 192.168.1.1 to any skip 3 out from any to any pass out quick from any to 33.33.33.33 pass out quick from any to 33.33.33.34 pass out quick from any to 192.168.1.1 # # Rule 20 (global) # Automatically generated 'masquerading' rule # firewall:Policy:20: warning: Changing rule direction due to self reference pass out quick proto icmp from 192.168.1.1 to any keep state pass out quick proto icmp from 222.222.222.222 to any keep state pass out quick proto tcp from 192.168.1.1 to any flags S keep state pass out quick proto tcp from 222.222.222.222 to any flags S keep state pass out quick proto udp from 192.168.1.1 to any keep state pass out quick proto udp from 222.222.222.222 to any keep state pass out quick from 192.168.1.1 to any pass out quick from 222.222.222.222 to any pass in quick proto icmp from 192.168.1.0/24 to any keep state pass in quick proto tcp from 192.168.1.0/24 to any flags S keep state pass in quick proto udp from 192.168.1.0/24 to any keep state pass in quick from 192.168.1.0/24 to any pass out quick proto icmp from 192.168.1.0/24 to any keep state pass out quick proto tcp from 192.168.1.0/24 to any flags S keep state pass out quick proto udp from 192.168.1.0/24 to any keep state pass out quick from 
192.168.1.0/24 to any # # Rule 21 (global) # Automatically generated 'catch all' rule block in log level daemon.alert quick from any to any block out log level daemon.alert quick from any to any # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall-nat.conf.orig000077500000000000000000000017401303637203600214510ustar00rootroot00000000000000# # Rule 0 (NAT) # comment : rule 0 map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 portmap tcp/udp auto map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 map eth1 from 192.168.1.0/24 to any -> 222.222.222.222/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 222.222.222.222/32 # # Rule 1 (NAT) rdr eth0 from any to 192.168.1.1/32 port = 25 -> 192.168.1.10 port 25 tcp rdr eth1 from any to 222.222.222.222/32 port = 25 -> 192.168.1.10 port 25 tcp # # Rule 2 (NAT) rdr eth1 from any to any port = 80 -> 222.222.222.222 port 3128 tcp rdr eth0 from any to any port = 80 -> 192.168.1.1 port 3128 tcp # # Rule 3 (NAT) rdr eth0 from 192.168.1.0/24 to any port = 80 -> 192.168.1.1 port 3128 tcp rdr eth0 from 192.168.1.0/24 to any port = 443 -> 192.168.1.1 port 3128 tcp # # Rule 4 (NAT) rdr eth0 from 192.168.1.0/24 to any port = 80 -> 222.222.222.222 port 3128 tcp rdr eth0 from 192.168.1.0/24 to any port = 443 -> 222.222.222.222 port 3128 tcp fwbuilder-5.3.7/test/ipf/firewall.fw.orig000077500000000000000000000105111303637203600203540ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:26 2011 PST by vadim # # files: * firewall.fw ipf.fw # files: firewall-ipf.conf ipf.conf # files: firewall-nat.conf nat.conf # # Compiled for ipf # # this is simple firewall with two interfaces. 
Test regular policy rules, including IP_fragments rule # firewall:Policy:4: warning: Changing rule direction due to self reference # firewall:Policy:8: warning: Changing rule direction due to self reference # firewall:Policy:19: warning: Changing rule direction due to self reference # firewall:Policy:19: warning: Changing rule direction due to self reference # firewall:Policy:20: warning: Changing rule direction due to self reference # firewall:Policy:: warning: ipfilter can not match "any IP option" # firewall:Policy:: warning: ipfilter can not match "any IP option" FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "eth0 192.168.1.1/0xffffff00" "" update_addresses_of_interface "eth1 222.222.222.222/0xffffff00" "" 
update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Sat Mar 12 19:44:26 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f ipf.conf $IPNAT -f nat.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall1-ipf.conf.orig000077500000000000000000000232451303637203600215320ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall1:Policy:9: warning: Changing rule direction due to self reference # firewall1:Policy:9: warning: Changing rule direction due to self reference # firewall1:Policy:10: warning: Changing rule direction due to self reference # firewall1:Policy:12: warning: Changing rule direction due to self reference # # Rule 0 (eth0) skip 11 in on eth0 proto icmp from 22.22.22.22 to 22.22.22.22 skip 10 in on eth0 proto icmp from 22.22.22.22 to 192.168.1.1 skip 9 in on eth0 proto icmp from 192.168.1.1 to 22.22.22.22 skip 8 in on eth0 proto icmp from 192.168.1.1 to 192.168.1.1 skip 7 in on eth0 proto 50 from 22.22.22.22 to 22.22.22.22 skip 6 in on eth0 proto 50 from 22.22.22.22 to 192.168.1.1 skip 5 in on eth0 proto 50 from 192.168.1.1 to 22.22.22.22 skip 4 in on eth0 proto 50 from 192.168.1.1 to 192.168.1.1 skip 11 out on eth0 proto icmp from 22.22.22.22 to 22.22.22.22 skip 10 out on eth0 proto icmp from 22.22.22.22 to 192.168.1.1 skip 9 out on eth0 proto icmp from 192.168.1.1 to 22.22.22.22 skip 8 out on eth0 proto icmp from 192.168.1.1 to 192.168.1.1 skip 7 out on eth0 proto 50 from 22.22.22.22 to 22.22.22.22 skip 6 out on eth0 proto 50 from 22.22.22.22 to 192.168.1.1 skip 5 out on eth0 proto 50 from 192.168.1.1 to 22.22.22.22 skip 4 out on eth0 proto 50 from 192.168.1.1 to 192.168.1.1 block in log quick on eth0 proto icmp from 22.22.22.22 to any block in log quick on eth0 proto icmp from 192.168.1.1 to any block in log quick on eth0 proto 50 from 22.22.22.22 to any block in log quick on 
eth0 proto 50 from 192.168.1.1 to any block out log quick on eth0 proto icmp from 22.22.22.22 to any block out log quick on eth0 proto icmp from 192.168.1.1 to any block out log quick on eth0 proto 50 from 22.22.22.22 to any block out log quick on eth0 proto 50 from 192.168.1.1 to any # # Rule 1 (eth0) skip 11 in on eth0 proto icmp from 192.168.1.10 to 192.168.1.10 skip 10 in on eth0 proto icmp from 192.168.1.10 to 192.168.1.20 skip 9 in on eth0 proto icmp from 192.168.1.20 to 192.168.1.10 skip 8 in on eth0 proto icmp from 192.168.1.20 to 192.168.1.20 skip 7 in on eth0 proto 50 from 192.168.1.10 to 192.168.1.10 skip 6 in on eth0 proto 50 from 192.168.1.10 to 192.168.1.20 skip 5 in on eth0 proto 50 from 192.168.1.20 to 192.168.1.10 skip 4 in on eth0 proto 50 from 192.168.1.20 to 192.168.1.20 skip 11 out on eth0 proto icmp from 192.168.1.10 to 192.168.1.10 skip 10 out on eth0 proto icmp from 192.168.1.10 to 192.168.1.20 skip 9 out on eth0 proto icmp from 192.168.1.20 to 192.168.1.10 skip 8 out on eth0 proto icmp from 192.168.1.20 to 192.168.1.20 skip 7 out on eth0 proto 50 from 192.168.1.10 to 192.168.1.10 skip 6 out on eth0 proto 50 from 192.168.1.10 to 192.168.1.20 skip 5 out on eth0 proto 50 from 192.168.1.20 to 192.168.1.10 skip 4 out on eth0 proto 50 from 192.168.1.20 to 192.168.1.20 block in quick on eth0 proto icmp from 192.168.1.10 to any block in quick on eth0 proto icmp from 192.168.1.20 to any block in quick on eth0 proto 50 from 192.168.1.10 to any block in quick on eth0 proto 50 from 192.168.1.20 to any block out quick on eth0 proto icmp from 192.168.1.10 to any block out quick on eth0 proto icmp from 192.168.1.20 to any block out quick on eth0 proto 50 from 192.168.1.10 to any block out quick on eth0 proto 50 from 192.168.1.20 to any # # Rule 2 (eth1) # Anti-spoofing rule block in log quick on eth1 from 22.22.22.22 to any block in log quick on eth1 from 22.22.23.23 to any block in log quick on eth1 from 192.168.1.1 to any block in log quick on eth1 from 
192.168.2.1 to any block in log quick on eth1 from 192.168.1.0/24 to any # # Rule 3 (eth1) # Anti-spoofing rule skip 1 out on eth1 from 192.168.1.0/24 to any block out log quick on eth1 from any to any # # Rule 4 (lo) pass in quick on lo proto icmp from any to any keep state pass in quick on lo proto tcp from any to any keep state pass in quick on lo proto udp from any to any keep state pass in quick on lo from any to any pass out quick on lo proto icmp from any to any keep state pass out quick on lo proto tcp from any to any keep state pass out quick on lo proto udp from any to any keep state pass out quick on lo from any to any # # Rule 5 (global) block in log quick proto tcp from any to any flags S/UAPRSF block out log quick proto tcp from any to any flags S/UAPRSF # # Rule 7 (global) # hostF has the same IP address as firewal. pass in log quick proto icmp from any to 192.168.1.1 icmp-type 8 code 0 keep state pass out log quick proto icmp from any to 192.168.1.1 icmp-type 8 code 0 keep state # # Rule 8 (global) # testing negation in the policy rule skip 2 in proto icmp from 192.168.1.10 to any icmp-type 3 skip 1 in proto icmp from 192.168.1.20 to any icmp-type 3 skip 2 out proto icmp from 192.168.1.10 to any icmp-type 3 skip 1 out proto icmp from 192.168.1.20 to any icmp-type 3 block in log quick proto icmp from any to any icmp-type 3 block out log quick proto icmp from any to any icmp-type 3 # # Rule 9 (global) # firewall1:Policy:9: warning: Changing rule direction due to self reference skip 11 in proto icmp from 192.168.1.10 to 22.22.22.22 icmp-type 3 skip 10 in proto icmp from 192.168.1.10 to 22.22.23.23 icmp-type 3 skip 9 in proto icmp from 192.168.1.10 to 192.168.1.1 icmp-type 3 skip 8 in proto icmp from 192.168.1.10 to 192.168.2.1 icmp-type 3 skip 7 in proto icmp from 192.168.1.20 to 22.22.22.22 icmp-type 3 skip 6 in proto icmp from 192.168.1.20 to 22.22.23.23 icmp-type 3 skip 5 in proto icmp from 192.168.1.20 to 192.168.1.1 icmp-type 3 skip 4 in proto 
icmp from 192.168.1.20 to 192.168.2.1 icmp-type 3 block in log quick proto icmp from any to 22.22.22.22 icmp-type 3 block in log quick proto icmp from any to 22.22.23.23 icmp-type 3 block in log quick proto icmp from any to 192.168.1.1 icmp-type 3 block in log quick proto icmp from any to 192.168.2.1 icmp-type 3 # # Rule 10 (global) # firewall1:Policy:10: warning: Changing rule direction due to self reference skip 5 out from 22.22.22.22 to 192.168.1.0/24 skip 4 out from 22.22.23.23 to 192.168.1.0/24 skip 3 out from 192.168.1.1 to 192.168.1.0/24 skip 2 out from 192.168.2.1 to 192.168.1.0/24 skip 1 in from 192.168.2.0/24 to 192.168.1.0/24 skip 1 out from 192.168.2.0/24 to 192.168.1.0/24 block in log quick from any to 192.168.1.0/24 block out log quick from any to 192.168.1.0/24 # # Rule 11 (global) skip 5 in from 192.168.1.0/24 to 192.168.1.10 skip 4 in from 192.168.1.0/24 to 192.168.1.20 skip 3 in from 192.168.2.0/24 to 192.168.1.10 skip 2 in from 192.168.2.0/24 to 192.168.1.20 skip 5 out from 192.168.1.0/24 to 192.168.1.10 skip 4 out from 192.168.1.0/24 to 192.168.1.20 skip 3 out from 192.168.2.0/24 to 192.168.1.10 skip 2 out from 192.168.2.0/24 to 192.168.1.20 block in log quick from 192.168.1.0/24 to any block in log quick from 192.168.2.0/24 to any block out log quick from 192.168.1.0/24 to any block out log quick from 192.168.2.0/24 to any # # Rule 12 (global) # firewall1:Policy:12: warning: Changing rule direction due to self reference skip 4 in from any to 22.22.22.22 skip 3 in from any to 22.22.23.23 skip 2 in from any to 192.168.1.1 skip 1 in from any to 192.168.2.1 block in quick from any to any block out quick from any to any # # Rule 15 (global) skip 11 in proto icmp from 22.22.22.22 to 22.22.22.22 skip 10 in proto icmp from 22.22.22.22 to 192.168.1.1 skip 9 in proto icmp from 192.168.1.1 to 22.22.22.22 skip 8 in proto icmp from 192.168.1.1 to 192.168.1.1 skip 7 in proto 50 from 22.22.22.22 to 22.22.22.22 skip 6 in proto 50 from 22.22.22.22 to 
192.168.1.1 skip 5 in proto 50 from 192.168.1.1 to 22.22.22.22 skip 4 in proto 50 from 192.168.1.1 to 192.168.1.1 skip 11 out proto icmp from 22.22.22.22 to 22.22.22.22 skip 10 out proto icmp from 22.22.22.22 to 192.168.1.1 skip 9 out proto icmp from 192.168.1.1 to 22.22.22.22 skip 8 out proto icmp from 192.168.1.1 to 192.168.1.1 skip 7 out proto 50 from 22.22.22.22 to 22.22.22.22 skip 6 out proto 50 from 22.22.22.22 to 192.168.1.1 skip 5 out proto 50 from 192.168.1.1 to 22.22.22.22 skip 4 out proto 50 from 192.168.1.1 to 192.168.1.1 block in log quick proto icmp from 22.22.22.22 to any block in log quick proto icmp from 192.168.1.1 to any block in log quick proto 50 from 22.22.22.22 to any block in log quick proto 50 from 192.168.1.1 to any block out log quick proto icmp from 22.22.22.22 to any block out log quick proto icmp from 192.168.1.1 to any block out log quick proto 50 from 22.22.22.22 to any block out log quick proto 50 from 192.168.1.1 to any # # Rule 16 (global) # 'masquerading' rule pass in quick proto icmp from 192.168.1.0/24 to any keep state pass in quick proto tcp from 192.168.1.0/24 to any keep state pass in quick proto udp from 192.168.1.0/24 to any keep state pass in quick from 192.168.1.0/24 to any pass out quick proto icmp from 192.168.1.0/24 to any keep state pass out quick proto tcp from 192.168.1.0/24 to any keep state pass out quick proto udp from 192.168.1.0/24 to any keep state pass out quick from 192.168.1.0/24 to any # # Rule 17 (global) # 'catch all' rule block in log quick from any to any block out log quick from any to any # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall1-nat.conf.orig000077500000000000000000000025751303637203600215410ustar00rootroot00000000000000# # Rule 1 (NAT) map eth0 from 192.168.1.10/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth1 from 192.168.1.10/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth2 from 
192.168.1.10/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth3 from 192.168.1.10/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth0 from 192.168.1.10/32 to any -> 22.22.22.23/32 map eth1 from 192.168.1.10/32 to any -> 22.22.22.23/32 map eth2 from 192.168.1.10/32 to any -> 22.22.22.23/32 map eth3 from 192.168.1.10/32 to any -> 22.22.22.23/32 # # Rule 3 (NAT) map eth1 from 192.168.1.0/24 to any -> 22.22.22.22/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 22.22.22.22/32 map eth3 from 192.168.1.0/24 to any -> 22.22.23.23/32 portmap tcp/udp auto map eth3 from 192.168.1.0/24 to any -> 22.22.23.23/32 map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 portmap tcp/udp auto map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 map eth2 from 192.168.1.0/24 to any -> 192.168.2.1/32 portmap tcp/udp auto map eth2 from 192.168.1.0/24 to any -> 192.168.2.1/32 # # Rule 4 (NAT) map eth1 from 192.168.1.0/24 to any -> 22.22.22.22/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 22.22.22.22/32 map eth3 from 192.168.1.0/24 to any -> 22.22.23.23/32 portmap tcp/udp auto map eth3 from 192.168.1.0/24 to any -> 22.22.23.23/32 fwbuilder-5.3.7/test/ipf/firewall1.fw.orig000077500000000000000000000034321303637203600204410ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:26 2011 PST by vadim # # files: * firewall1.fw /etc/ipf.fw # files: firewall1-ipf.conf /etc/fw/ipf.conf # files: firewall1-nat.conf /etc/fw/nat.conf # # Compiled for ipf # # this object is used to test all kinds of negation in policy rules # Currently negation in NAT is not supported for ipf, therefore all rules in NAT with # negation are disabled # firewall1:Policy:9: warning: Changing rule direction due to self reference # firewall1:Policy:9: warning: Changing rule direction due to self reference # firewall1:Policy:10: warning: Changing rule direction due to self reference # firewall1:Policy:12: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:26 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/fw/ipf.conf $IPNAT -f /etc/fw/nat.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall10-ipf.conf.orig000077500000000000000000000171571303637203600216170ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall10:Policy:2: warning: Changing rule direction due to self reference # # Rule 0 (global) count in from any to any count out from any to any # # Rule 1 (global) skip 5 in from 192.168.1.10 to any skip 4 in from 192.168.1.20 to any 
skip 3 in from 192.168.1.100 to any skip 2 in from 192.168.1.110 to any skip 1 in from 192.168.1.120 to any skip 18 in from any to any skip 4 in from any to 192.168.2.10 skip 3 in from any to 192.168.2.20 skip 2 in from any to 192.168.2.30 skip 1 in from any to 192.168.2.40 skip 13 in from any to any skip 12 in proto tcp from any to any port = 21 skip 11 in proto tcp from any to any port = 80 skip 10 in proto tcp from any to any port = 119 skip 9 in proto tcp from any to any port = 25 skip 5 out from 192.168.1.10 to any skip 4 out from 192.168.1.20 to any skip 3 out from 192.168.1.100 to any skip 2 out from 192.168.1.110 to any skip 1 out from 192.168.1.120 to any skip 18 out from any to any skip 4 out from any to 192.168.2.10 skip 3 out from any to 192.168.2.20 skip 2 out from any to 192.168.2.30 skip 1 out from any to 192.168.2.40 skip 13 out from any to any skip 12 out proto tcp from any to any port = 21 skip 11 out proto tcp from any to any port = 80 skip 10 out proto tcp from any to any port = 119 skip 9 out proto tcp from any to any port = 25 skip 4 in from any to 192.168.2.10 skip 3 in from any to 192.168.2.20 skip 2 in from any to 192.168.2.30 skip 1 in from any to 192.168.2.40 skip 4 in from any to any pass in quick proto tcp from any to any port = 21 flags S keep state pass in quick proto tcp from any to any port = 80 flags S keep state pass in quick proto tcp from any to any port = 119 flags S keep state pass in quick proto tcp from any to any port = 25 flags S keep state skip 4 out from any to 192.168.2.10 skip 3 out from any to 192.168.2.20 skip 2 out from any to 192.168.2.30 skip 1 out from any to 192.168.2.40 skip 4 out from any to any pass out quick proto tcp from any to any port = 21 flags S keep state pass out quick proto tcp from any to any port = 80 flags S keep state pass out quick proto tcp from any to any port = 119 flags S keep state pass out quick proto tcp from any to any port = 25 flags S keep state # # Rule 2 (global) # 
firewall10:Policy:2: warning: Changing rule direction due to self reference skip 1 in from 192.168.1.0/24 to any skip 11 in from any to any skip 3 in from any to 22.22.22.22 skip 2 in from any to 192.168.1.1 skip 1 in from any to 192.168.2.0 skip 7 in from any to any pass in quick proto icmp from any to any icmp-type 3 keep state pass in quick proto icmp from any to any icmp-type 0 code 0 keep state pass in quick proto icmp from any to any icmp-type 11 code 0 keep state pass in quick proto icmp from any to any icmp-type 11 code 1 keep state pass in quick proto tcp from 192.168.1.0/24 to 22.22.22.22 port = 22 flags S keep state pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 22 flags S keep state pass in quick proto tcp from 192.168.1.0/24 to 192.168.2.0 port = 22 flags S keep state # # Rule 3 (global) skip 5 in from 192.168.1.10 to any skip 4 in from 192.168.1.20 to any skip 3 in from 192.168.1.100 to any skip 2 in from 192.168.1.110 to any skip 1 in from 192.168.1.120 to any skip 9 in from any to any skip 4 in from any to 192.168.2.10 skip 3 in from any to 192.168.2.20 skip 2 in from any to 192.168.2.30 skip 1 in from any to 192.168.2.40 skip 4 in from any to any block in quick proto tcp from any to any port = 21 block in quick proto tcp from any to any port = 80 block in quick proto tcp from any to any port = 119 block in quick proto tcp from any to any port = 25 skip 5 out from 192.168.1.10 to any skip 4 out from 192.168.1.20 to any skip 3 out from 192.168.1.100 to any skip 2 out from 192.168.1.110 to any skip 1 out from 192.168.1.120 to any skip 9 out from any to any skip 4 out from any to 192.168.2.10 skip 3 out from any to 192.168.2.20 skip 2 out from any to 192.168.2.30 skip 1 out from any to 192.168.2.40 skip 4 out from any to any block out quick proto tcp from any to any port = 21 block out quick proto tcp from any to any port = 80 block out quick proto tcp from any to any port = 119 block out quick proto tcp from any to any port = 25 # # 
Rule 4 (global) skip 1 in from 192.168.1.10 to any skip 9 in from any to any skip 4 in from any to 192.168.2.10 skip 3 in from any to 192.168.2.20 skip 2 in from any to 192.168.2.30 skip 1 in from any to 192.168.2.40 skip 4 in from any to any block in quick proto tcp from any to any port = 21 block in quick proto tcp from any to any port = 80 block in quick proto tcp from any to any port = 119 block in quick proto tcp from any to any port = 25 skip 1 out from 192.168.1.10 to any skip 9 out from any to any skip 4 out from any to 192.168.2.10 skip 3 out from any to 192.168.2.20 skip 2 out from any to 192.168.2.30 skip 1 out from any to 192.168.2.40 skip 4 out from any to any block out quick proto tcp from any to any port = 21 block out quick proto tcp from any to any port = 80 block out quick proto tcp from any to any port = 119 block out quick proto tcp from any to any port = 25 # # Rule 5 (global) skip 5 in from 192.168.1.10 to any skip 4 in from 192.168.1.20 to any skip 3 in from 192.168.1.100 to any skip 2 in from 192.168.1.110 to any skip 1 in from 192.168.1.120 to any skip 4 in from any to any block in quick proto tcp from any to 192.168.2.10 port = 21 block in quick proto tcp from any to 192.168.2.10 port = 80 block in quick proto tcp from any to 192.168.2.10 port = 119 block in quick proto tcp from any to 192.168.2.10 port = 25 skip 5 out from 192.168.1.10 to any skip 4 out from 192.168.1.20 to any skip 3 out from 192.168.1.100 to any skip 2 out from 192.168.1.110 to any skip 1 out from 192.168.1.120 to any skip 4 out from any to any block out quick proto tcp from any to 192.168.2.10 port = 21 block out quick proto tcp from any to 192.168.2.10 port = 80 block out quick proto tcp from any to 192.168.2.10 port = 119 block out quick proto tcp from any to 192.168.2.10 port = 25 # # Rule 6 (global) skip 5 in from 192.168.1.10 to any skip 4 in from 192.168.1.20 to any skip 3 in from 192.168.1.100 to any skip 2 in from 192.168.1.110 to any skip 1 in from 
192.168.1.120 to any skip 4 in from any to any block in quick proto tcp from any to 192.168.2.10 port = 80 block in quick proto tcp from any to 192.168.2.20 port = 80 block in quick proto tcp from any to 192.168.2.30 port = 80 block in quick proto tcp from any to 192.168.2.40 port = 80 skip 5 out from 192.168.1.10 to any skip 4 out from 192.168.1.20 to any skip 3 out from 192.168.1.100 to any skip 2 out from 192.168.1.110 to any skip 1 out from 192.168.1.120 to any skip 4 out from any to any block out quick proto tcp from any to 192.168.2.10 port = 80 block out quick proto tcp from any to 192.168.2.20 port = 80 block out quick proto tcp from any to 192.168.2.30 port = 80 block out quick proto tcp from any to 192.168.2.40 port = 80 # # Rule 7 (global) block in log quick from any to any block out log quick from any to any # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall10.fw.orig000077500000000000000000000025601303637203600205220ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:26 2011 PST by vadim # # files: * firewall10.fw /etc/firewall10.fw # files: firewall10-ipf.conf /etc/firewall10-ipf.conf # # Compiled for ipf # # firewall10:Policy:2: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:26 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/firewall10-ipf.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall11-ipf.conf.orig000077500000000000000000000024521303637203600216100ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall11:Policy:1: warning: Changing rule direction due to self reference # # Rule 0 (ng0) pass in quick on ng0 proto icmp from any to keep state pass in quick on ng0 proto tcp from any to keep state pass in quick on ng0 proto udp from any to keep state pass in quick on ng0 from any to # # Rule 1 (global) # firewall11:Policy:1: warning: Changing rule direction due to self reference pass in quick proto icmp from any to 10.0.0.1 keep state pass in quick proto tcp from any to 10.0.0.1 keep state pass in quick proto udp from any to 10.0.0.1 keep state pass in quick from any to 10.0.0.1 # # Rule 2 (global) pass in quick proto icmp from any to keep state 
pass in quick proto tcp from any to keep state pass in quick proto udp from any to keep state pass in quick from any to pass out quick proto icmp from any to keep state pass out quick proto tcp from any to keep state pass out quick proto udp from any to keep state pass out quick from any to # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall11-nat.conf.orig000077500000000000000000000002241303637203600216070ustar00rootroot00000000000000# # Rule 0 (NAT) rdr ng0 from any to any -> 10.0.0.1 ip rdr ng1 from any to any -> 10.0.0.1 ip rdr fxp0 from any to 10.0.0.1/32 -> 10.0.0.1 ip fwbuilder-5.3.7/test/ipf/firewall11.fw.orig000077500000000000000000000076011303637203600205240ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:26 2011 PST by vadim # # files: * firewall11.fw /etc/firewall11.fw # files: firewall11-ipf.conf /etc/firewall11-ipf.conf # files: firewall11-nat.conf /etc/firewall11-nat.conf # # Compiled for ipf # # firewall11:Policy:1: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "fxp0 10.0.0.1/0xffffff00" "" update_addresses_of_interface "fxp1" "" 
update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Sat Mar 12 19:44:26 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/firewall11-ipf.conf $IPNAT -f /etc/firewall11-nat.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall2-ipf.conf.orig000077500000000000000000000117151303637203600215320ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall2:Policy:9: warning: Changing rule direction due to self reference # # Rule 0 (eth1) # Anti-spoofing rule block in log quick on eth1 from 22.22.22.22 to any block in log quick on eth1 from 22.22.23.23 to any block in log quick on eth1 from 192.168.1.1 to any block in log quick on eth1 from 192.168.2.1 to any block in log quick on eth1 from 192.168.1.0/24 to any # # Rule 1 (eth1) # Anti-spoofing rule skip 5 out on eth1 from 22.22.22.22 to any skip 4 out on eth1 from 22.22.23.23 to any skip 3 out on eth1 from 192.168.1.1 to any skip 2 out on eth1 from 192.168.2.1 to any skip 1 out on eth1 from 192.168.1.0/24 to any block out log quick on eth1 from any to any # # Rule 2 (global) # block fragments block in log quick from any to any with short block out log quick from any to any with short # # Rule 3 (global) # sends TCP RST and makes custom record in the log block return-rst in log quick proto tcp from any to any port = 113 block out log quick proto tcp from any to any port = 113 # # Rule 4 (global) # sends TCP RST and makes custom record in the log block return-icmp-as-dest (0) in log quick proto udp from any to any port = 161 block out log quick proto udp from any to any port = 161 # # Rule 5 (global) pass in quick proto icmp from 192.168.1.10 to 200.200.200.200 keep state pass in quick proto icmp from 192.168.1.20 to 200.200.200.200 keep state pass in quick proto tcp from 192.168.1.10 to 200.200.200.200 keep state pass in quick proto tcp from 
192.168.1.20 to 200.200.200.200 keep state pass in quick proto udp from 192.168.1.10 to 200.200.200.200 keep state pass in quick proto udp from 192.168.1.20 to 200.200.200.200 keep state pass in quick from 192.168.1.10 to 200.200.200.200 pass in quick from 192.168.1.20 to 200.200.200.200 pass out quick proto icmp from 192.168.1.10 to 200.200.200.200 keep state pass out quick proto icmp from 192.168.1.20 to 200.200.200.200 keep state pass out quick proto tcp from 192.168.1.10 to 200.200.200.200 keep state pass out quick proto tcp from 192.168.1.20 to 200.200.200.200 keep state pass out quick proto udp from 192.168.1.10 to 200.200.200.200 keep state pass out quick proto udp from 192.168.1.20 to 200.200.200.200 keep state pass out quick from 192.168.1.10 to 200.200.200.200 pass out quick from 192.168.1.20 to 200.200.200.200 # # Rule 6 (global) pass in quick proto icmp from 200.200.200.200 to 192.168.1.10 keep state pass in quick proto icmp from 200.200.200.200 to 192.168.1.20 keep state pass in quick proto tcp from 200.200.200.200 to 192.168.1.10 keep state pass in quick proto tcp from 200.200.200.200 to 192.168.1.20 keep state pass in quick proto udp from 200.200.200.200 to 192.168.1.10 keep state pass in quick proto udp from 200.200.200.200 to 192.168.1.20 keep state pass in quick from 200.200.200.200 to 192.168.1.10 pass in quick from 200.200.200.200 to 192.168.1.20 pass out quick proto icmp from 200.200.200.200 to 192.168.1.10 keep state pass out quick proto icmp from 200.200.200.200 to 192.168.1.20 keep state pass out quick proto tcp from 200.200.200.200 to 192.168.1.10 keep state pass out quick proto tcp from 200.200.200.200 to 192.168.1.20 keep state pass out quick proto udp from 200.200.200.200 to 192.168.1.10 keep state pass out quick proto udp from 200.200.200.200 to 192.168.1.20 keep state pass out quick from 200.200.200.200 to 192.168.1.10 pass out quick from 200.200.200.200 to 192.168.1.20 # # Rule 7 (global) # 'masquerading' rule pass in quick proto icmp 
from 192.168.1.0/24 to any keep state pass in quick proto tcp from 192.168.1.0/24 to any keep state pass in quick proto udp from 192.168.1.0/24 to any keep state pass in quick from 192.168.1.0/24 to any pass out quick proto icmp from 192.168.1.0/24 to any keep state pass out quick proto tcp from 192.168.1.0/24 to any keep state pass out quick proto udp from 192.168.1.0/24 to any keep state pass out quick from 192.168.1.0/24 to any # # Rule 8 (global) # host-fw2 has the same address as # one of the firewall's interfaces pass in log quick proto tcp from any to 22.22.22.22 port = 21 keep state pass out log quick proto tcp from any to 22.22.22.22 port = 21 keep state # # Rule 9 (global) # firewall2:Policy:9: warning: Changing rule direction due to self reference pass in log quick proto tcp from any to 22.22.23.23 port = 21 keep state pass in log quick proto tcp from any to 192.168.1.1 port = 21 keep state pass in log quick proto tcp from any to 192.168.2.1 port = 21 keep state # # Rule 10 (global) # 'catch all' rule block in log quick from any to any block out log quick from any to any # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall2-nat.conf.orig000077500000000000000000000500631303637203600215350ustar00rootroot00000000000000# NAT compiler errors and warnings: # firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules # # Rule 0 (NAT) map eth1 from 192.168.1.0/24 to any -> 22.22.22.22/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 22.22.22.22/32 map eth3 from 192.168.1.0/24 to any -> 22.22.23.23/32 portmap tcp/udp auto map eth3 from 192.168.1.0/24 to any -> 22.22.23.23/32 map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 portmap tcp/udp auto map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 map eth2 from 192.168.1.0/24 to any -> 192.168.2.1/32 portmap tcp/udp auto map eth2 from 192.168.1.0/24 to any -> 192.168.2.1/32 # # Rule 1 (NAT) map eth0 
from 192.168.1.10/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth1 from 192.168.1.10/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth3 from 192.168.1.10/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth2 from 192.168.1.10/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth0 from 192.168.1.10/32 to any -> 22.22.22.23/32 map eth1 from 192.168.1.10/32 to any -> 22.22.22.23/32 map eth3 from 192.168.1.10/32 to any -> 22.22.22.23/32 map eth2 from 192.168.1.10/32 to any -> 22.22.22.23/32 map eth0 from 192.168.1.20/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth1 from 192.168.1.20/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth3 from 192.168.1.20/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth2 from 192.168.1.20/32 to any -> 22.22.22.23/32 portmap tcp/udp auto map eth0 from 192.168.1.20/32 to any -> 22.22.22.23/32 map eth1 from 192.168.1.20/32 to any -> 22.22.22.23/32 map eth3 from 192.168.1.20/32 to any -> 22.22.22.23/32 map eth2 from 192.168.1.20/32 to any -> 22.22.22.23/32 # # Rule 2 (NAT) map eth1 from 192.168.1.0/24 to any -> 22.22.22.22/32 proxy port 21 ftp/tcp map eth3 from 192.168.1.0/24 to any -> 22.22.23.23/32 proxy port 21 ftp/tcp map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 proxy port 21 ftp/tcp map eth2 from 192.168.1.0/24 to any -> 192.168.2.1/32 proxy port 21 ftp/tcp map eth1 from 192.168.1.0/24 to any port = 22 -> 22.22.22.22/32 portmap tcp/udp auto map eth3 from 192.168.1.0/24 to any port = 22 -> 22.22.23.23/32 portmap tcp/udp auto map eth0 from 192.168.1.0/24 to any port = 22 -> 192.168.1.1/32 portmap tcp/udp auto map eth2 from 192.168.1.0/24 to any port = 22 -> 192.168.2.1/32 portmap tcp/udp auto # # Rule 3 (NAT) map eth1 from 192.168.1.0/24 to any port = 22 -> 22.22.22.22/32 portmap tcp/udp auto # # Rule 4 (NAT) map eth1 from 192.168.1.0/24 to any -> 22.22.22.22/32 proxy port 500 ipsec/udp # # Rule 5 (NAT) map eth0 from 192.168.1.0/24 to 192.168.1.10/32 -> 192.168.1.1/32 portmap tcp/udp 
auto map eth1 from 192.168.1.0/24 to 192.168.1.10/32 -> 192.168.1.1/32 portmap tcp/udp auto map eth3 from 192.168.1.0/24 to 192.168.1.10/32 -> 192.168.1.1/32 portmap tcp/udp auto map eth2 from 192.168.1.0/24 to 192.168.1.10/32 -> 192.168.1.1/32 portmap tcp/udp auto map eth0 from 192.168.1.0/24 to 192.168.1.10/32 -> 192.168.1.1/32 map eth1 from 192.168.1.0/24 to 192.168.1.10/32 -> 192.168.1.1/32 map eth3 from 192.168.1.0/24 to 192.168.1.10/32 -> 192.168.1.1/32 map eth2 from 192.168.1.0/24 to 192.168.1.10/32 -> 192.168.1.1/32 map eth0 from 192.168.1.0/24 to 192.168.1.20/32 -> 192.168.1.1/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to 192.168.1.20/32 -> 192.168.1.1/32 portmap tcp/udp auto map eth3 from 192.168.1.0/24 to 192.168.1.20/32 -> 192.168.1.1/32 portmap tcp/udp auto map eth2 from 192.168.1.0/24 to 192.168.1.20/32 -> 192.168.1.1/32 portmap tcp/udp auto map eth0 from 192.168.1.0/24 to 192.168.1.20/32 -> 192.168.1.1/32 map eth1 from 192.168.1.0/24 to 192.168.1.20/32 -> 192.168.1.1/32 map eth3 from 192.168.1.0/24 to 192.168.1.20/32 -> 192.168.1.1/32 map eth2 from 192.168.1.0/24 to 192.168.1.20/32 -> 192.168.1.1/32 # # Rule 7 (NAT) rdr eth1 from any to 22.22.22.23/32 port = 80 -> 192.168.1.10 port 80 tcp rdr eth1 from any to 22.22.22.23/32 port = 119 -> 192.168.1.10 port 119 tcp # # Rule 8 (NAT) # load balancing rule rdr eth1 from any to 22.22.22.23/32 port = 80 -> 192.168.1.10,192.168.1.20 port 80 tcp round-robin rdr eth1 from any to 22.22.22.23/32 port = 80 -> 192.168.1.100 port 80 tcp round-robin # # Rule 9 (NAT) # load balancing rule rdr eth1 from any to 22.22.22.23/32 port = 80 -> 192.168.1.10,192.168.1.20 port 80 tcp round-robin rdr eth1 from any to 22.22.22.23/32 port = 80 -> 192.168.1.100 port 80 tcp round-robin # # Rule 10 (NAT) map eth0 from 192.168.1.0/24 to 192.168.2.10/32 -> 192.168.2.1/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to 192.168.2.10/32 -> 192.168.2.1/32 portmap tcp/udp auto map eth3 from 192.168.1.0/24 to 192.168.2.10/32 
-> 192.168.2.1/32 portmap tcp/udp auto map eth2 from 192.168.1.0/24 to 192.168.2.10/32 -> 192.168.2.1/32 portmap tcp/udp auto map eth0 from 192.168.1.0/24 to 192.168.2.10/32 -> 192.168.2.1/32 map eth1 from 192.168.1.0/24 to 192.168.2.10/32 -> 192.168.2.1/32 map eth3 from 192.168.1.0/24 to 192.168.2.10/32 -> 192.168.2.1/32 map eth2 from 192.168.1.0/24 to 192.168.2.10/32 -> 192.168.2.1/32 # # Rule 11 (NAT) rdr eth1 from any to 22.22.22.24/32 port = 80 -> 192.168.2.10 port 80 tcp # # Rule 12 (NAT) rdr eth1 from any to 22.22.22.22/32 port = 119 -> 192.168.1.10 port 119 tcp # # Rule 13 (NAT) map eth0 from 192.168.1.20/32 to any -> 22.22.23.24/32 portmap tcp/udp auto map eth1 from 192.168.1.20/32 to any -> 22.22.23.24/32 portmap tcp/udp auto map eth3 from 192.168.1.20/32 to any -> 22.22.23.24/32 portmap tcp/udp auto map eth2 from 192.168.1.20/32 to any -> 22.22.23.24/32 portmap tcp/udp auto map eth0 from 192.168.1.20/32 to any -> 22.22.23.24/32 map eth1 from 192.168.1.20/32 to any -> 22.22.23.24/32 map eth3 from 192.168.1.20/32 to any -> 22.22.23.24/32 map eth2 from 192.168.1.20/32 to any -> 22.22.23.24/32 # # Rule 15 (NAT) # NETMAP map eth0 from 192.168.1.0/24 to any -> 22.22.22.0/24 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 22.22.22.0/24 portmap tcp/udp auto map eth3 from 192.168.1.0/24 to any -> 22.22.22.0/24 portmap tcp/udp auto map eth2 from 192.168.1.0/24 to any -> 22.22.22.0/24 portmap tcp/udp auto map eth0 from 192.168.1.0/24 to any -> 22.22.22.0/24 map eth1 from 192.168.1.0/24 to any -> 22.22.22.0/24 map eth3 from 192.168.1.0/24 to any -> 22.22.22.0/24 map eth2 from 192.168.1.0/24 to any -> 22.22.22.0/24 # # Rule 17 (NAT) # firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10000 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10000 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10000 -> 192.168.1.10 port 10000 tcp rdr eth2 
from any to 192.168.2.1/32 port = 10000 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10001 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10001 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10001 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10001 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10002 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10002 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10002 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10002 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10003 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10003 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10003 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10003 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10004 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10004 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10004 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10004 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10005 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10005 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10005 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10005 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10006 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10006 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10006 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10006 -> 192.168.1.10 port 10000 tcp rdr eth1 
from any to 22.22.22.22/32 port = 10007 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10007 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10007 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10007 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10008 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10008 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10008 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10008 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10009 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10009 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10009 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10009 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10010 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10010 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10010 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10010 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10011 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10011 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10011 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10011 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10012 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10012 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10012 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10012 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10013 -> 192.168.1.10 port 10000 tcp rdr eth3 
from any to 22.22.23.23/32 port = 10013 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10013 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10013 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10014 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10014 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10014 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10014 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10015 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10015 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10015 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10015 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10016 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10016 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10016 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10016 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10017 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10017 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10017 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10017 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10018 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10018 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10018 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10018 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10019 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10019 -> 192.168.1.10 port 10000 tcp rdr eth0 
from any to 192.168.1.1/32 port = 10019 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10019 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10020 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10020 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10020 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10020 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10021 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10021 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10021 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10021 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10022 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10022 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10022 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10022 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10023 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10023 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10023 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10023 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10024 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10024 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10024 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10024 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10025 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10025 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10025 -> 192.168.1.10 port 10000 tcp rdr eth2 
from any to 192.168.2.1/32 port = 10025 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10026 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10026 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10026 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10026 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10027 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10027 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10027 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10027 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10028 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10028 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10028 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10028 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10029 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10029 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10029 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10029 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10030 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10030 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10030 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10030 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10031 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10031 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10031 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10031 -> 192.168.1.10 port 10000 tcp rdr eth1 
from any to 22.22.22.22/32 port = 10032 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10032 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10032 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10032 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10033 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10033 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10033 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10033 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10034 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10034 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10034 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10034 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10035 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10035 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10035 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10035 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10036 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10036 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10036 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10036 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10037 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10037 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10037 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10037 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10038 -> 192.168.1.10 port 10000 tcp rdr eth3 
from any to 22.22.23.23/32 port = 10038 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10038 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10038 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10039 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10039 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10039 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10039 -> 192.168.1.10 port 10000 tcp rdr eth1 from any to 22.22.22.22/32 port = 10040 -> 192.168.1.10 port 10000 tcp rdr eth3 from any to 22.22.23.23/32 port = 10040 -> 192.168.1.10 port 10000 tcp rdr eth0 from any to 192.168.1.1/32 port = 10040 -> 192.168.1.10 port 10000 tcp rdr eth2 from any to 192.168.2.1/32 port = 10040 -> 192.168.1.10 port 10000 tcp # # Rule 18 (NAT) rdr eth1 from any to 22.22.22.23/32 port = 80 -> 192.168.1.10 port 25 tcp # # Rule 19 (NAT) map eth2 from 192.168.1.0/24 to 192.168.2.0/24 -> 0/0 proxy port 21 ftp/tcp # # Rule 20 (NAT) map eth2 from 192.168.1.0/24 to 192.168.2.0/24 -> 0/0 proxy port 1720 h323/tcp map eth2 from 192.168.1.0/24 to 192.168.2.0/24 -> 0/0 proxy port 21 ftp/tcp # # Rule 21 (NAT) map eth2 from 192.168.1.0/24 to 192.168.2.0/24 port = 80 -> 0/0 # # Rule 22 (NAT) map eth2 from 192.168.1.0/24 to 192.168.2.0/24 -> 0/0 # # Rule 23 (NAT) map eth2 from 192.168.1.0/24 to 192.168.2.0/24 -> 0/0 fwbuilder-5.3.7/test/ipf/firewall2.fw.orig000077500000000000000000000031451303637203600204430ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:27 2011 PST by vadim # # files: * firewall2.fw /etc/fw/firewall2.fw # files: firewall2-ipf.conf /etc/fw/firewall2-ipf.conf # files: firewall2-nat.conf /etc/fw/firewall2-nat.conf # # Compiled for ipf # # this object has several interfaces and shows different rules for NAT. 
Also testing policy rule options # firewall2:Policy:9: warning: Changing rule direction due to self reference # firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:27 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/fw/firewall2-ipf.conf $IPNAT -f /etc/fw/firewall2-nat.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall34-ipf.conf.orig000077500000000000000000000074231303637203600216200ustar00rootroot00000000000000# # Rule 0 (global) pass in quick proto icmp from any to 192.168.1.1 keep state pass in quick proto icmp from any to 192.168.1.2 keep state pass in quick proto icmp from any to 192.168.1.3/30 keep state pass in quick proto icmp from any to 192.168.1.200 keep state pass in quick proto icmp from any to 192.168.1.201 keep state pass in quick proto icmp from any to 192.168.2.128/25 keep state pass in quick proto tcp from any to 192.168.1.1 keep state pass in quick proto tcp from any to 192.168.1.2 keep state pass in quick proto tcp from any to 192.168.1.3/30 keep state pass in quick proto tcp from any to 192.168.1.200 keep state pass in quick proto tcp from any to 192.168.1.201 keep state pass in quick proto tcp from any to 192.168.2.128/25 keep state pass in quick proto udp from any to 192.168.1.1 
keep state pass in quick proto udp from any to 192.168.1.2 keep state pass in quick proto udp from any to 192.168.1.3/30 keep state pass in quick proto udp from any to 192.168.1.200 keep state pass in quick proto udp from any to 192.168.1.201 keep state pass in quick proto udp from any to 192.168.2.128/25 keep state pass in quick from any to 192.168.1.1 pass in quick from any to 192.168.1.2 pass in quick from any to 192.168.1.3/30 pass in quick from any to 192.168.1.200 pass in quick from any to 192.168.1.201 pass in quick from any to 192.168.2.128/25 pass out quick proto icmp from any to 192.168.1.1 keep state pass out quick proto icmp from any to 192.168.1.2 keep state pass out quick proto icmp from any to 192.168.1.3/30 keep state pass out quick proto icmp from any to 192.168.1.200 keep state pass out quick proto icmp from any to 192.168.1.201 keep state pass out quick proto icmp from any to 192.168.2.128/25 keep state pass out quick proto tcp from any to 192.168.1.1 keep state pass out quick proto tcp from any to 192.168.1.2 keep state pass out quick proto tcp from any to 192.168.1.3/30 keep state pass out quick proto tcp from any to 192.168.1.200 keep state pass out quick proto tcp from any to 192.168.1.201 keep state pass out quick proto tcp from any to 192.168.2.128/25 keep state pass out quick proto udp from any to 192.168.1.1 keep state pass out quick proto udp from any to 192.168.1.2 keep state pass out quick proto udp from any to 192.168.1.3/30 keep state pass out quick proto udp from any to 192.168.1.200 keep state pass out quick proto udp from any to 192.168.1.201 keep state pass out quick proto udp from any to 192.168.2.128/25 keep state pass out quick from any to 192.168.1.1 pass out quick from any to 192.168.1.2 pass out quick from any to 192.168.1.3/30 pass out quick from any to 192.168.1.200 pass out quick from any to 192.168.1.201 pass out quick from any to 192.168.2.128/25 # # Rule 7 (global) pass in quick proto tcp from any to 192.168.1.10 port 
= 25 keep state pass out quick proto tcp from any to 192.168.1.10 port = 25 keep state # # Rule 8 (global) pass in quick proto icmp from 192.168.1.0/24 to any keep state pass in quick proto tcp from 192.168.1.0/24 to any keep state pass in quick proto udp from 192.168.1.0/24 to any keep state pass in quick from 192.168.1.0/24 to any pass out quick proto icmp from 192.168.1.0/24 to any keep state pass out quick proto tcp from 192.168.1.0/24 to any keep state pass out quick proto udp from 192.168.1.0/24 to any keep state pass out quick from 192.168.1.0/24 to any # # Rule 9 (global) block in log quick from any to any block out log quick from any to any # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall34-nat.conf.orig000077500000000000000000000000001303637203600216040ustar00rootroot00000000000000fwbuilder-5.3.7/test/ipf/firewall34.fw.orig000077500000000000000000000074261303637203600205360ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:27 2011 PST by vadim # # files: * firewall34.fw /etc/fw/firewall34.fw # files: firewall34-ipf.conf /etc/fw/firewall34-ipf.conf # files: firewall34-nat.conf /etc/fw/firewall34-nat.conf # # Compiled for ipf # # testing AddressTable object FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! 
prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "eth1 192.168.1.100/0xffffff00" "" 
update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Sat Mar 12 19:44:27 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/fw/firewall34-ipf.conf $IPNAT -f /etc/fw/firewall34-nat.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall35-ipf.conf.orig000077500000000000000000000012751303637203600216200ustar00rootroot00000000000000# # Rule 0 (le1) auth in quick on le1 from 192.168.1.0/24 to any # # Rule 1 (le1) skip 1 in on le1 from 192.168.1.0/24 to any auth in quick on le1 from any to any # # Rule 2 (le1) pass in quick on le1 proto icmp from 192.168.1.0/24 to any keep state pass in quick on le1 proto tcp from 192.168.1.0/24 to any flags S keep state pass in quick on le1 proto udp from 192.168.1.0/24 to any keep state pass in quick on le1 from 192.168.1.0/24 to any # # Rule 3 (global) block in log quick from any to any block out log quick from any to any # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall35-nat.conf.orig000077500000000000000000000027351303637203600216260ustar00rootroot00000000000000# # Rule 0 (NAT) map le1 from 192.168.1.0/24 to any -> 22.22.22.22/32 portmap tcp/udp auto map le1 from 192.168.1.0/24 to any -> 22.22.22.22/32 map le0 from 192.168.1.0/24 to any -> 192.168.1.1/32 portmap tcp/udp auto map le0 from 192.168.1.0/24 to any -> 192.168.1.1/32 # # Rule 1 (NAT) map le1 from 192.168.1.0/24 to any -> 22.22.22.22/32 portmap tcp/udp auto map le1 from 192.168.1.0/24 to any -> 22.22.22.22/32 # # Rule 2 (NAT) map le0 from 192.168.1.0/24 to any -> 0/0 # # Rule 3 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.100 port 22 tcp rdr le0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 4 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.100 port 22 tcp rdr le0 from 
any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 5 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.1 port 22 tcp rdr le0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.1 port 22 tcp # # Rule 6 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.100 port 22 tcp rdr le0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 7 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 8 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.1 port 22 tcp # # Rule 9 (NAT) rdr le0 from any to any port = 22 -> 192.168.1.100 port 22 tcp rdr le1 from any to any port = 22 -> 192.168.1.100 port 22 tcp fwbuilder-5.3.7/test/ipf/firewall35.fw.orig000077500000000000000000000026271303637203600205350ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:27 2011 PST by vadim # # files: * firewall35.fw /etc/firewall35.fw # files: firewall35-ipf.conf /etc/firewall35-ipf.conf # files: firewall35-nat.conf /etc/firewall35-nat.conf # # Compiled for ipf # # Testing action Custom FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:27 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/firewall35-ipf.conf 
$IPNAT -f /etc/firewall35-nat.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall4-ipf.conf.orig000077500000000000000000000066501303637203600215360ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall4:Policy:6: warning: Changing rule direction due to self reference # firewall4:Policy:6: warning: Changing rule direction due to self reference # # Rule 0 (eth1) # Anti-spoofing rule block in log quick on eth1 from 192.168.1.1 to any block in log quick on eth1 from 192.168.2.1 to any block in log quick on eth1 from 222.222.222.222 to any block in log quick on eth1 from 192.168.1.0/24 to any # # Rule 1 (eth1) # Anti-spoofing rule skip 4 out on eth1 from 192.168.1.1 to any skip 3 out on eth1 from 192.168.2.1 to any skip 2 out on eth1 from 222.222.222.222 to any skip 1 out on eth1 from 192.168.1.0/24 to any block out log quick on eth1 from any to any # # Rule 2 (eth1) block in log quick on eth1 proto icmp from any to any icmp-type 8 code 0 block out log quick on eth1 proto icmp from any to any icmp-type 8 code 0 # # Rule 3 (eth1) skip 1 in on eth1 proto icmp from 192.168.2.0/24 to any icmp-type 8 code 0 skip 1 out on eth1 proto icmp from 192.168.2.0/24 to any icmp-type 8 code 0 block in log quick on eth1 proto icmp from any to any icmp-type 8 code 0 block out log quick on eth1 proto icmp from any to any icmp-type 8 code 0 # # Rule 4 (global) # hostF has the same IP address as firewal. 
pass in log quick proto icmp from any to 192.168.1.1 icmp-type 8 code 0 keep state pass out log quick proto icmp from any to 192.168.1.1 icmp-type 8 code 0 keep state # # Rule 5 (global) # testing negation in the policy rule skip 2 in proto icmp from 192.168.1.10 to any icmp-type 3 skip 1 in proto icmp from 192.168.1.20 to any icmp-type 3 skip 2 out proto icmp from 192.168.1.10 to any icmp-type 3 skip 1 out proto icmp from 192.168.1.20 to any icmp-type 3 block in log quick proto icmp from any to any icmp-type 3 block out log quick proto icmp from any to any icmp-type 3 # # Rule 6 (global) # firewall4:Policy:6: warning: Changing rule direction due to self reference skip 8 in proto icmp from 192.168.1.10 to 192.168.1.1 icmp-type 3 skip 7 in proto icmp from 192.168.1.10 to 192.168.2.1 icmp-type 3 skip 6 in proto icmp from 192.168.1.10 to 222.222.222.222 icmp-type 3 skip 5 in proto icmp from 192.168.1.20 to 192.168.1.1 icmp-type 3 skip 4 in proto icmp from 192.168.1.20 to 192.168.2.1 icmp-type 3 skip 3 in proto icmp from 192.168.1.20 to 222.222.222.222 icmp-type 3 block in log quick proto icmp from any to 192.168.1.1 icmp-type 3 block in log quick proto icmp from any to 192.168.2.1 icmp-type 3 block in log quick proto icmp from any to 222.222.222.222 icmp-type 3 # # Rule 8 (global) # 'masquerading' rule pass in quick proto icmp from 192.168.1.0/24 to any keep state pass in quick proto tcp from 192.168.1.0/24 to any keep state pass in quick proto udp from 192.168.1.0/24 to any keep state pass in quick from 192.168.1.0/24 to any pass out quick proto icmp from 192.168.1.0/24 to any keep state pass out quick proto tcp from 192.168.1.0/24 to any keep state pass out quick proto udp from 192.168.1.0/24 to any keep state pass out quick from 192.168.1.0/24 to any # # Rule 10 (global) # 'catch all' rule block in log quick from any to any block out log quick from any to any # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any 
fwbuilder-5.3.7/test/ipf/firewall4-nat.conf.orig000077500000000000000000000045041303637203600215360ustar00rootroot00000000000000# # Rule 0 (NAT) map eth1 from 192.168.1.10/32 to any -> 0/32 portmap tcp/udp auto map eth1 from 192.168.1.10/32 to any -> 0/32 map eth0 from 192.168.1.10/32 to any -> 192.168.1.1/32 portmap tcp/udp auto map eth0 from 192.168.1.10/32 to any -> 192.168.1.1/32 map eth2 from 192.168.1.10/32 to any -> 192.168.2.1/32 portmap tcp/udp auto map eth2 from 192.168.1.10/32 to any -> 192.168.2.1/32 map eth3 from 192.168.1.10/32 to any -> 222.222.222.222/32 portmap tcp/udp auto map eth3 from 192.168.1.10/32 to any -> 222.222.222.222/32 # # Rule 1 (NAT) map eth3 from 192.168.1.10/32 to any -> 222.222.222.222/32 portmap tcp/udp auto map eth3 from 192.168.1.10/32 to any -> 222.222.222.222/32 # # Rule 2 (NAT) map eth3 from 192.168.1.10/32 to any -> 222.222.222.222/32 portmap tcp/udp auto map eth3 from 192.168.1.10/32 to any -> 222.222.222.222/32 # # Rule 3 (NAT) map eth1 from 192.168.1.10/32 to any -> 0/32 portmap tcp/udp auto map eth1 from 192.168.1.10/32 to any -> 0/32 # # Rule 5 (NAT) rdr eth1 from any to any port = 22 -> 192.168.1.10 port 22 tcp rdr eth0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.10 port 22 tcp rdr eth2 from any to 192.168.2.1/32 port = 22 -> 192.168.1.10 port 22 tcp rdr eth3 from any to 222.222.222.222/32 port = 22 -> 192.168.1.10 port 22 tcp # # Rule 6 (NAT) rdr eth0 from 192.168.1.0/24 to any port = 80 -> 192.168.2.1 port 3128 tcp rdr eth0 from 192.168.1.0/24 to any port = 443 -> 192.168.2.1 port 3128 tcp # # Rule 7 (NAT) rdr eth0 from 192.168.1.0/24 to any port = 80 -> 192.168.2.1 port 3128 tcp rdr eth0 from 192.168.1.0/24 to any port = 443 -> 192.168.2.1 port 3128 tcp # # Rule 8 (NAT) rdr eth0 from any to any port = 80 -> 192.168.1.1 port 3128 tcp rdr eth1 from any to any port = 80 -> 0/32 port 3128 tcp rdr eth2 from any to any port = 80 -> 192.168.2.1 port 3128 tcp rdr eth3 from any to any port = 80 -> 222.222.222.222 port 
3128 tcp rdr eth0 from any to any port = 443 -> 192.168.1.1 port 3128 tcp rdr eth1 from any to any port = 443 -> 0/32 port 3128 tcp rdr eth2 from any to any port = 443 -> 192.168.2.1 port 3128 tcp rdr eth3 from any to any port = 443 -> 222.222.222.222 port 3128 tcp # # Rule 10 (NAT) map eth1 from any to any -> 0/32 proxy port 514 rcmd/tcp # # Rule 11 (NAT) map eth1 from 192.168.1.0/24 to any -> 0/32 proxy port 21 ftp/tcp fwbuilder-5.3.7/test/ipf/firewall4.fw.orig000077500000000000000000000033401303637203600204420ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:27 2011 PST by vadim # # files: * firewall4.fw /etc/fw/firewall4.fw # files: firewall4-ipf.conf /etc/fw/firewall4-ipf.conf # files: firewall4-nat.conf /etc/fw/firewall4-nat.conf # # Compiled for ipf # # this object is used to test a configuration where firewall has dynamic address # firewall4::: error: Dynamic interface eth1 should not have an IP address object attached to it. This IP address object will be ignored. 
# firewall4:Policy:6: warning: Changing rule direction due to self reference # firewall4:Policy:6: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/usr/sbin/ipf" IPNAT="/usr/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:27 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/fw/firewall4-ipf.conf $IPNAT -f /etc/fw/firewall4-nat.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall5-ipf.conf.orig000077500000000000000000000020231303637203600215250ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall5:Policy:0: warning: Changing rule direction due to self reference # # Rule 0 (global) # firewall5:Policy:0: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 33.33.33.33 port = 22 flags S keep state pass in quick proto tcp from any to 33.33.33.34 port = 22 flags S keep state pass in quick proto tcp from any to 192.168.1.1 port = 22 flags S keep state # # Rule 1 (global) pass in quick proto tcp from any to (ppp0) port = 22 flags S keep state pass out quick proto tcp from any to (ppp0) port = 22 flags S keep state # # Rule 2 (global) pass out quick proto tcp from any to 33.33.33.33 port = 22 flags S keep state pass out quick proto tcp from any to 33.33.33.34 port = 22 flags S keep state # # Rule 5 (global) block in log quick from 
any to any block out log quick from any to any # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall5-nat.conf.orig000077500000000000000000000047051303637203600215420ustar00rootroot00000000000000# # Rule 0 (NAT) map ppp0 from 192.168.1.0/24 to any -> 0/32 portmap tcp/udp auto map ppp0 from 192.168.1.0/24 to any -> 0/32 map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 map eth1 from 192.168.1.0/24 to any -> 33.33.33.34/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 33.33.33.34/32 map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 portmap tcp/udp auto map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 # # Rule 1 (NAT) map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 map eth1 from 192.168.1.0/24 to any -> 33.33.33.34/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 33.33.33.34/32 # # Rule 2 (NAT) map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 # # Rule 3 (NAT) rdr ppp0 from any to (ppp0) port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.33/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 4 (NAT) rdr ppp0 from any to (ppp0) port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.33/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 5 (NAT) rdr ppp0 from any to (ppp0) port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.33/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 
from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 6 (NAT) rdr ppp0 from any to (ppp0) port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.33/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 7 (NAT) rdr eth1 from any to 33.33.33.33/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 8 (NAT) rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp fwbuilder-5.3.7/test/ipf/firewall5.fw.orig000077500000000000000000000033751303637203600204530ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:27 2011 PST by vadim # # files: * firewall5.fw /etc/firewall5.fw # files: firewall5-ipf.conf /etc/firewall5-ipf.conf # files: firewall5-nat.conf /etc/firewall5-nat.conf # # Compiled for ipf # # Dynamic interface ppp0 # firewall5:Policy:0: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } getaddr() { intf=$1 varname=$2 L=`ifconfig $1 | grep 'inet '` if [ -z "$L" ]; then L="inet 0.0.0.0/32" fi set $L a=$2 eval "$varname=$a" } getaddr ppp0 i_ppp0 verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { 
epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:27 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C cat /etc/firewall5-ipf.conf | grep -v '#' | sed "s/ (ppp0) / $i_ppp0 /" | $IPF -I -f - cat /etc/firewall5-nat.conf | grep -v '#' | sed "s/ (ppp0) / $i_ppp0 /" | $IPNAT -f - $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall7-ipf.conf.orig000077500000000000000000000011501303637203600215270ustar00rootroot00000000000000# # Rule 0 (eth0) block in log quick on eth0 from any to 192.168.1.255 # # Rule 1 (eth1) block in log quick on eth1 from any to 22.22.22.22 block in log quick on eth1 from any to 22.22.23.23 block in log quick on eth1 from any to 192.168.1.1 block in log quick on eth1 from any to 192.168.2.1 # # Rule 2 (global) pass in quick proto udp from any to 192.168.1.255 port = 68 keep state pass out quick proto udp from any to 192.168.1.255 port = 68 keep state # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall7.fw.orig000077500000000000000000000024441303637203600204510ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:28 2011 PST by vadim # # files: * firewall7.fw /etc/fw/firewall7.fw # files: firewall7-ipf.conf /etc/fw/firewall7-ipf.conf # # Compiled for ipf # # testing rules with broadcasts FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:28 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/fw/firewall7-ipf.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall8-ipf.conf.orig000077500000000000000000000015431303637203600215360ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall8:Policy:0: warning: Changing rule direction due to self reference # # Rule 0 (global) # firewall8:Policy:0: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 33.33.33.33 port = 22 flags S keep state pass in quick proto tcp from any to 33.33.33.34 port = 22 flags S keep state pass in quick proto tcp from any to 192.168.1.1 port = 22 flags S keep state # # Rule 1 (global) pass out quick proto tcp from any to 33.33.33.33 port = 22 flags S keep state pass out quick proto tcp from any to 33.33.33.34 port = 22 flags S keep state # # Rule 4 (global) block in log quick from any to any block out log quick from any to any # # Rule fallback rule # fallback rule block in quick from any to 
any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall8-nat.conf.orig000077500000000000000000000046711303637203600215470ustar00rootroot00000000000000# # Rule 0 (NAT) map ppp0 from 192.168.1.0/24 to any -> 0/32 portmap tcp/udp auto map ppp0 from 192.168.1.0/24 to any -> 0/32 map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 map eth1 from 192.168.1.0/24 to any -> 33.33.33.34/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 33.33.33.34/32 map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 portmap tcp/udp auto map eth0 from 192.168.1.0/24 to any -> 192.168.1.1/32 # # Rule 1 (NAT) map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 map eth1 from 192.168.1.0/24 to any -> 33.33.33.34/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 33.33.33.34/32 # # Rule 2 (NAT) map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 portmap tcp/udp auto map eth1 from 192.168.1.0/24 to any -> 33.33.33.33/32 # # Rule 3 (NAT) rdr ppp0 from any to any port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.33/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 4 (NAT) rdr ppp0 from any to any port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.33/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 5 (NAT) rdr ppp0 from any to any port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.33/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth0 from any to 192.168.1.1/32 port = 22 -> 
192.168.1.100 port 22 tcp # # Rule 6 (NAT) rdr ppp0 from any to any port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.33/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 7 (NAT) rdr eth1 from any to 33.33.33.33/32 port = 22 -> 192.168.1.100 port 22 tcp rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 8 (NAT) rdr eth1 from any to 33.33.33.34/32 port = 22 -> 192.168.1.100 port 22 tcp fwbuilder-5.3.7/test/ipf/firewall8.fw.orig000077500000000000000000000027031303637203600204500ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:28 2011 PST by vadim # # files: * firewall8.fw /etc/firewall8.fw # files: firewall8-ipf.conf /etc/firewall8-ipf.conf # files: firewall8-nat.conf /etc/firewall8-nat.conf # # Compiled for ipf # # firewall8:Policy:0: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:28 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/firewall8-ipf.conf $IPNAT -f /etc/firewall8-nat.conf $IPF -s epilog_commands /sbin/kldstat -n 
ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/firewall9-ipf.conf.orig000077500000000000000000000044461303637203600215440ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall9:Policy:5: warning: Changing rule direction due to self reference # # Rule 0 (le1) skip 1 in on le1 from 33.33.33.0/24 to any block in log quick on le1 from any to any # # Rule 1 (le1) pass in quick on le1 proto icmp from 33.33.33.0/24 to 192.168.1.10 icmp-type 3 keep state pass in quick on le1 proto icmp from 33.33.33.0/24 to 192.168.1.10 icmp-type 0 code 0 keep state pass in quick on le1 proto icmp from 33.33.33.0/24 to 192.168.1.10 icmp-type 11 code 0 keep state pass in quick on le1 proto icmp from 33.33.33.0/24 to 192.168.1.10 icmp-type 11 code 1 keep state pass in quick on le1 proto tcp from 33.33.33.0/24 to 192.168.1.10 port = 22 flags S keep state # # Rule 2 (le1) skip 6 in on le1 from 22.22.22.22 to any skip 5 in on le1 from 192.168.1.1 to any skip 4 in on le1 from 192.168.1.0/24 to any pass in quick on le1 proto icmp from any to any keep state pass in quick on le1 proto tcp from any to any flags S keep state pass in quick on le1 proto udp from any to any keep state pass in quick on le1 from any to any # # Rule 3 (global) count in from any to any count out from any to any # # Rule 4 (global) count in log from any to any count out log from any to any # # Rule 5 (global) # firewall9:Policy:5: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 22.22.22.22 port = 22 flags S keep state pass in quick proto tcp from any to 192.168.1.1 port = 22 flags S keep state # # Rule 6 (global) pass in quick proto icmp from 192.168.1.0/24 to any keep state pass in quick proto tcp from 192.168.1.0/24 to any flags S keep state pass in quick proto udp from 192.168.1.0/24 to any keep state pass in quick from 192.168.1.0/24 to any pass out quick proto icmp from 192.168.1.0/24 to any keep state pass out quick proto tcp from 
192.168.1.0/24 to any flags S keep state pass out quick proto udp from 192.168.1.0/24 to any keep state pass out quick from 192.168.1.0/24 to any # # Rule 7 (global) block in log quick from any to any block out log quick from any to any # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/firewall9-nat.conf.orig000077500000000000000000000027351303637203600215470ustar00rootroot00000000000000# # Rule 0 (NAT) map le1 from 192.168.1.0/24 to any -> 22.22.22.22/32 portmap tcp/udp auto map le1 from 192.168.1.0/24 to any -> 22.22.22.22/32 map le0 from 192.168.1.0/24 to any -> 192.168.1.1/32 portmap tcp/udp auto map le0 from 192.168.1.0/24 to any -> 192.168.1.1/32 # # Rule 1 (NAT) map le1 from 192.168.1.0/24 to any -> 22.22.22.22/32 portmap tcp/udp auto map le1 from 192.168.1.0/24 to any -> 22.22.22.22/32 # # Rule 2 (NAT) map le0 from 192.168.1.0/24 to any -> 0/0 # # Rule 3 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.100 port 22 tcp rdr le0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 4 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.100 port 22 tcp rdr le0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 5 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.1 port 22 tcp rdr le0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.1 port 22 tcp # # Rule 6 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.100 port 22 tcp rdr le0 from any to 192.168.1.1/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 7 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.100 port 22 tcp # # Rule 8 (NAT) rdr le1 from any to 22.22.22.22/32 port = 22 -> 192.168.1.1 port 22 tcp # # Rule 9 (NAT) rdr le0 from any to any port = 22 -> 192.168.1.100 port 22 tcp rdr le1 from any to any port = 22 -> 192.168.1.100 port 22 tcp 
fwbuilder-5.3.7/test/ipf/firewall9.fw.orig000077500000000000000000000027031303637203600204510ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:28 2011 PST by vadim # # files: * firewall9.fw /etc/firewall9.fw # files: firewall9-ipf.conf /etc/firewall9-ipf.conf # files: firewall9-nat.conf /etc/firewall9-nat.conf # # Compiled for ipf # # firewall9:Policy:5: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:28 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/firewall9-ipf.conf $IPNAT -f /etc/firewall9-nat.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/host-ipf.conf.orig000077500000000000000000000133251303637203600206170ustar00rootroot00000000000000# Policy compiler errors and warnings: # host:Policy:4: warning: Changing rule direction due to self reference # host:Policy:5: warning: Changing rule direction due to self reference # host:Policy:6: warning: Changing rule direction due to self reference # # Rule 0 (eth0) pass in log quick on eth0 proto icmp from 22.22.22.22 to 22.22.22.22 keep state pass in log quick on eth0 proto tcp from 22.22.22.22 to 22.22.22.22 keep state pass 
in log quick on eth0 proto udp from 22.22.22.22 to 22.22.22.22 keep state pass in log quick on eth0 from 22.22.22.22 to 22.22.22.22 pass out log quick on eth0 proto icmp from 22.22.22.22 to 22.22.22.22 keep state pass out log quick on eth0 proto tcp from 22.22.22.22 to 22.22.22.22 keep state pass out log quick on eth0 proto udp from 22.22.22.22 to 22.22.22.22 keep state pass out log quick on eth0 from 22.22.22.22 to 22.22.22.22 # # Rule 1 (lo) # allow everything on loopback pass in quick on lo proto icmp from any to 22.22.22.22 keep state pass in quick on lo proto icmp from any to 127.0.0.1 keep state pass in quick on lo proto tcp from any to 22.22.22.22 keep state pass in quick on lo proto tcp from any to 127.0.0.1 keep state pass in quick on lo proto udp from any to 22.22.22.22 keep state pass in quick on lo proto udp from any to 127.0.0.1 keep state pass in quick on lo from any to 22.22.22.22 pass in quick on lo from any to 127.0.0.1 # # Rule 2 (lo) # allow everything on loopback pass out quick on lo proto icmp from 22.22.22.22 to any keep state pass out quick on lo proto icmp from 127.0.0.1 to any keep state pass out quick on lo proto tcp from 22.22.22.22 to any keep state pass out quick on lo proto tcp from 127.0.0.1 to any keep state pass out quick on lo proto udp from 22.22.22.22 to any keep state pass out quick on lo proto udp from 127.0.0.1 to any keep state pass out quick on lo from 22.22.22.22 to any pass out quick on lo from 127.0.0.1 to any # # Rule 3 (lo) pass in log quick on lo proto icmp from 22.22.22.22 to 22.22.22.22 keep state pass in log quick on lo proto icmp from 22.22.22.22 to 127.0.0.1 keep state pass in log quick on lo proto icmp from 127.0.0.1 to 22.22.22.22 keep state pass in log quick on lo proto icmp from 127.0.0.1 to 127.0.0.1 keep state pass in log quick on lo proto tcp from 22.22.22.22 to 22.22.22.22 keep state pass in log quick on lo proto tcp from 22.22.22.22 to 127.0.0.1 keep state pass in log quick on lo proto tcp from 127.0.0.1 
to 22.22.22.22 keep state pass in log quick on lo proto tcp from 127.0.0.1 to 127.0.0.1 keep state pass in log quick on lo proto udp from 22.22.22.22 to 22.22.22.22 keep state pass in log quick on lo proto udp from 22.22.22.22 to 127.0.0.1 keep state pass in log quick on lo proto udp from 127.0.0.1 to 22.22.22.22 keep state pass in log quick on lo proto udp from 127.0.0.1 to 127.0.0.1 keep state pass in log quick on lo from 22.22.22.22 to 22.22.22.22 pass in log quick on lo from 22.22.22.22 to 127.0.0.1 pass in log quick on lo from 127.0.0.1 to 22.22.22.22 pass in log quick on lo from 127.0.0.1 to 127.0.0.1 pass out log quick on lo proto icmp from 22.22.22.22 to 22.22.22.22 keep state pass out log quick on lo proto icmp from 22.22.22.22 to 127.0.0.1 keep state pass out log quick on lo proto icmp from 127.0.0.1 to 22.22.22.22 keep state pass out log quick on lo proto icmp from 127.0.0.1 to 127.0.0.1 keep state pass out log quick on lo proto tcp from 22.22.22.22 to 22.22.22.22 keep state pass out log quick on lo proto tcp from 22.22.22.22 to 127.0.0.1 keep state pass out log quick on lo proto tcp from 127.0.0.1 to 22.22.22.22 keep state pass out log quick on lo proto tcp from 127.0.0.1 to 127.0.0.1 keep state pass out log quick on lo proto udp from 22.22.22.22 to 22.22.22.22 keep state pass out log quick on lo proto udp from 22.22.22.22 to 127.0.0.1 keep state pass out log quick on lo proto udp from 127.0.0.1 to 22.22.22.22 keep state pass out log quick on lo proto udp from 127.0.0.1 to 127.0.0.1 keep state pass out log quick on lo from 22.22.22.22 to 22.22.22.22 pass out log quick on lo from 22.22.22.22 to 127.0.0.1 pass out log quick on lo from 127.0.0.1 to 22.22.22.22 pass out log quick on lo from 127.0.0.1 to 127.0.0.1 # # Rule 4 (global) # block fragments # host:Policy:4: warning: Changing rule direction due to self reference block in log quick from any to 22.22.22.22 with short # # Rule 5 (global) # host:Policy:5: warning: Changing rule direction due to self 
reference pass in quick proto icmp from any to 22.22.22.22 icmp-type 3 keep state pass in quick proto tcp from any to 22.22.22.22 port = 21 keep state pass in quick proto tcp from any to 22.22.22.22 port = 80 keep state pass in quick proto tcp from any to 22.22.22.22 port = 25 keep state pass in quick proto tcp from any to 22.22.22.22 port = 22 keep state pass in quick proto tcp from any to 22.22.22.22 port = 23 keep state # # Rule 6 (global) # allow all outgoing connections # host:Policy:6: warning: Changing rule direction due to self reference pass out quick proto icmp from 22.22.22.22 to any keep state pass out quick proto tcp from 22.22.22.22 to any keep state pass out quick proto udp from 22.22.22.22 to any keep state pass out quick from 22.22.22.22 to any # # Rule 7 (global) # 'catch all' rule block in log quick from any to any block out log quick from any to any # # Rule fallback rule # fallback rule block in quick from any to any block out quick from any to any fwbuilder-5.3.7/test/ipf/host.fw.orig000077500000000000000000000027541303637203600175360ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipf v4.2.0.3499 # # Generated Sat Mar 12 19:44:28 2011 PST by vadim # # files: * host.fw /etc/fw/host.fw # files: host-ipf.conf /etc/fw/host-ipf.conf # # Compiled for ipf # # firewall protects host it is running on # host:Policy:4: warning: Changing rule direction due to self reference # host:Policy:5: warning: Changing rule direction due to self reference # host:Policy:6: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:28 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $IPF -Fa $IPNAT -C $IPF -I -f /etc/fw/host-ipf.conf $IPF -s epilog_commands /sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -Efwbuilder-5.3.7/test/ipf/large_policy_test.fwb000066400000000000000000000401341303637203600214630ustar00rootroot00000000000000 fwbuilder-5.3.7/test/ipf/objects-for-regression-tests.fwb000066400000000000000000014042041303637203600235110ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk -m ip_conntrack_talk -m ip_nat_talk fwbuilder-5.3.7/test/ipf/quick-cmp.sh000077500000000000000000000006101303637203600174760ustar00rootroot00000000000000#!/bin/sh 
DIFFCMD="diff -C 5 -c -b -B -w -I \"# Generated\" -I 'Activating ' -I '# Firewall Builder fwb_ipf v' -I 'Can not find file' -I '====' -I 'log '" for f in $(ls *.fw.orig *.conf.orig) do V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" new_f=$(echo $f | sed 's/.orig//') echo "$DIFFCMD $f $new_f" done fwbuilder-5.3.7/test/ipf/recycle000077500000000000000000000002521303637203600166240ustar00rootroot00000000000000#!/bin/sh for f in *.fw; do j=${f}.orig mv $f $j done for f in *-ipf.conf; do j=${f}.orig mv $f $j done for f in *-nat.conf; do j=${f}.orig mv $f $j done fwbuilder-5.3.7/test/ipf/run.all000077500000000000000000000007751303637203600165630ustar00rootroot00000000000000#!/bin/sh XMLFILE="objects-for-regression-tests.fwb" fwbedit list -f $XMLFILE -o /User/Firewalls -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_ipf -v -f $XMLFILE -xt $fwobj" done exit 0 XMLFILE="cluster-tests.fwb" fwbedit list -f $XMLFILE -o /User/Clusters -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_ipf -v -f $XMLFILE -xt -xc $fwobj" done fwbuilder-5.3.7/test/ipfw/000077500000000000000000000000001303637203600154405ustar00rootroot00000000000000fwbuilder-5.3.7/test/ipfw/Makefile000066400000000000000000000007261303637203600171050ustar00rootroot00000000000000 FW_OBJECTS := $(shell fwbedit list -f objects-for-regression-tests.fwb -o /User/Firewalls -c -F%name% | sort) # CL_OBJECTS := $(shell fwbedit list -f cluster-tests.fwb -o /User/Clusters -c -F%name% | sort) $(FW_OBJECTS): fwb_ipfw -f objects-for-regression-tests.fwb -xt $@ $(CL_OBJECTS): fwb_ipfw -f cluster-tests.fwb -xt -xc $@ .PHONY: all firewalls clusters $(FW_OBJECTS) $(CL_OBJECTS) all: firewalls clusters firewalls: $(FW_OBJECTS) clusters: $(CL_OBJECTS) 
fwbuilder-5.3.7/test/ipfw/do-diff000077500000000000000000000003321303637203600166740ustar00rootroot00000000000000#!/bin/sh N=$1 if which opendiff > /dev/null 2>&1; then TOOL="opendiff" elif which tkdiff > /dev/null 2>&1; then TOOL="tkdiff -b -B " else TOOL="diff -b -B " fi ${TOOL} firewall${N}.fw.orig firewall${N}.fw fwbuilder-5.3.7/test/ipfw/firewall.fw.orig000077500000000000000000000154671303637203600205620ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:43 2011 PST by vadim # # files: * firewall.fw ipfw.fw # # # # Compiled for ipfw # # this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule # firewall:Policy:3: warning: Changing rule direction due to self reference # firewall:Policy:9: warning: Changing rule direction due to self reference # firewall:Policy:20: warning: Changing rule direction due to self reference # firewall:Policy:6: warning: ipfw can not match "any IP option" # firewall:Policy:8: warning: ipfw can not match "any IP option" set -x cd /etc/fw || exit 1 IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/usr/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:43 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 "$IPFW" add 1 set 1 check-state ip from any to any # ================ IPv4 
# ================ Rule set Policy # # Rule backup ssh access rule # backup ssh access rule "$IPFW" add 9 set 1 permit tcp from me to 192.168.1.100 out established keep-state "$IPFW" add 10 set 1 permit tcp from 192.168.1.100 to me 22 in setup keep-state || exit 1 # # Rule 0 (eth1) "$IPFW" add 20 set 1 drop log all from any to me frag in recv eth1 || exit 1 # # Rule 1 (eth1) # Automatically generated rule blocking short fragments "$IPFW" add 30 set 1 drop log all from any to any frag in recv eth1 || exit 1 # # Rule 2 (eth1) # Automatically generated anti-spoofing rule "$IPFW" add 40 set 1 drop log all from me to any in recv eth1 || exit 1 "$IPFW" add 50 set 1 drop log all from 192.168.1.0/24 to any in recv eth1 || exit 1 # # Rule 3 (eth0) # комментарий по-русски # firewall:Policy:3: warning: Changing rule direction due to self reference "$IPFW" add 60 set 1 permit udp from 192.168.1.0/24 to me 53 in recv eth0 keep-state || exit 1 # # Rule 4 (eth0) "$IPFW" add 70 set 1 drop log udp from any to 192.168.1.255 53 in recv eth0 || exit 1 # # Rule 5 (global) "$IPFW" add 80 set 1 drop log tcp from any to any tcpflags !fin,syn,!rst,!psh,!ack,!urg || exit 1 "$IPFW" add 90 set 1 drop log tcp from any to any tcpflags fin,syn,rst,!psh,ack,!urg || exit 1 # # Rule 6 (global) "$IPFW" add 100 set 1 unreach port log all from any to any || exit 1 # # Rule 7 (global) "$IPFW" add 110 set 1 unreach port log all from any to any ipoptions rr || exit 1 # # Rule 8 (global) "$IPFW" add 120 set 1 unreach port log all from any to any ipoptions rr || exit 1 "$IPFW" add 130 set 1 unreach port log all from any to any ipoptions lsrr,ssrr || exit 1 "$IPFW" add 140 set 1 unreach port log all from any to any ipoptions ts || exit 1 "$IPFW" add 150 set 1 unreach port log all from any to any || exit 1 # # Rule 9 (global) # firewall:Policy:9: warning: Changing rule direction due to self reference "$IPFW" add 160 set 1 unreach port 50 from any to me in || exit 1 # # Rule 12 (global) "$IPFW" add 170 set 1 
permit tcp from 211.11.11.11 to 192.168.1.10 53 setup keep-state || exit 1 "$IPFW" add 180 set 1 permit tcp from 211.22.22.22 to 192.168.1.10 53 setup keep-state || exit 1 # # Rule 13 (global) "$IPFW" add 190 set 1 permit tcp from any to 192.168.1.10 10000-11000,113,13,53,2105,21,70,80,443,143,993,6667,6667,543,544,389,98,3306,2049,119,110,5432,515,26000,512,513,514,4321,25,465,1080,3128,22,111,23,540,7100 setup keep-state || exit 1 # # Rule 14 (global) "$IPFW" add 200 set 1 permit tcp from any to 192.168.1.11 113,80,443,143,25,3128,22,540 setup keep-state || exit 1 # # Rule 15 (global) "$IPFW" add 210 set 1 permit tcp from any to 192.168.1.11 113,80,443,143,25,3128,22,540 setup keep-state || exit 1 "$IPFW" add 220 set 1 permit tcp from any to 192.168.1.12/30 113,80,443,143,25,3128,22,540 setup keep-state || exit 1 # # Rule 16 (global) "$IPFW" add 230 set 1 permit tcp from any to 192.168.1.11 113,80,443,143,25,3128,22,540 setup keep-state || exit 1 "$IPFW" add 240 set 1 permit tcp from any to 192.168.1.12 113,80,443,143,25,3128,22,540 setup keep-state || exit 1 "$IPFW" add 250 set 1 permit tcp from any to 192.168.1.13 113,80,443,143,25,3128,22,540 setup keep-state || exit 1 "$IPFW" add 260 set 1 permit tcp from any to 192.168.1.14 113,80,443,143,25,3128,22,540 setup keep-state || exit 1 "$IPFW" add 270 set 1 permit tcp from any to 192.168.1.15 113,80,443,143,25,3128,22,540 setup keep-state || exit 1 # # Rule 17 (global) "$IPFW" add 280 set 1 permit icmp from any to 192.168.1.0/24 icmptypes 3,0,11,11 keep-state || exit 1 "$IPFW" add 290 set 1 permit tcp from any to 192.168.1.0/24 3128 setup keep-state || exit 1 # # Rule 18 (global) "$IPFW" add 300 set 1 permit icmp from any to 192.168.1.0/24 icmptypes 3,0,11,11 keep-state || exit 1 "$IPFW" add 310 set 1 permit tcp from any 20 to 192.168.1.0/24 1024-65535 setup keep-state || exit 1 "$IPFW" add 320 set 1 permit tcp from any to 192.168.1.0/24 10000-11000 setup keep-state || exit 1 "$IPFW" add 330 set 1 permit tcp from 
any to 192.168.1.0/24 6000-6063,113,13,53,2105,21,70,80,443,143,993,6667,6667,543,544,389,98,3306,2049,119,110,5432,515,26000,512,513,514,4321,25,465,1080,3128,22,111,23,540,7100 setup keep-state || exit 1 # # Rule 19 (global) "$IPFW" add 340 set 1 permit log all from me to me keep-state || exit 1 # # Rule 20 (global) # Automatically generated 'masquerading' rule # firewall:Policy:20: warning: Changing rule direction due to self reference "$IPFW" add 350 set 1 permit all from me to any out keep-state || exit 1 "$IPFW" add 360 set 1 permit all from 192.168.1.0/24 to any keep-state || exit 1 # # Rule 21 (global) # Automatically generated 'catch all' rule "$IPFW" add 370 set 1 drop log all from any to any || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 380 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1fwbuilder-5.3.7/test/ipfw/firewall1.fw.orig000077500000000000000000000205621303637203600206330ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:44 2011 PST by vadim # # files: * firewall1.fw /etc/firewall1.fw # # # # Compiled for ipfw # # this object is used to test all kinds of negation in policy rules # Currently negation in NAT is not supported for ipf, therefore all rules in NAT with # negation are disabled # firewall1:Policy:9: warning: Changing rule direction due to self reference # firewall1:Policy:9: warning: Changing rule direction due to self reference # firewall1:Policy:10: warning: Changing rule direction due to self reference # firewall1:Policy:13: warning: Changing rule direction due to self reference cd /etc || exit 1 IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/Library/Application Support/PeerGuardian/ipfwFast" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:44 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 "$IPFW" add 1 set 1 check-state ip from any to any # ================ IPv4 # ================ Rule set Policy # # Rule 0 (eth0) "$IPFW" add 10 set 1 skipto 130 icmp from 22.22.22.22 to 22.22.22.22 via eth0 || exit 1 "$IPFW" add 20 set 1 skipto 130 icmp from 22.22.22.22 to 192.168.1.1 via eth0 || exit 1 "$IPFW" add 30 set 1 skipto 130 icmp from 192.168.1.1 to 22.22.22.22 via eth0 || exit 1 "$IPFW" add 40 set 1 skipto 130 icmp from 192.168.1.1 to 192.168.1.1 via eth0 || exit 1 "$IPFW" add 50 set 1 skipto 130 50 from 
22.22.22.22 to 22.22.22.22 via eth0 || exit 1 "$IPFW" add 60 set 1 skipto 130 50 from 22.22.22.22 to 192.168.1.1 via eth0 || exit 1 "$IPFW" add 70 set 1 skipto 130 50 from 192.168.1.1 to 22.22.22.22 via eth0 || exit 1 "$IPFW" add 80 set 1 skipto 130 50 from 192.168.1.1 to 192.168.1.1 via eth0 || exit 1 "$IPFW" add 90 set 1 drop log icmp from 22.22.22.22 to any via eth0 || exit 1 "$IPFW" add 100 set 1 drop log icmp from 192.168.1.1 to any via eth0 || exit 1 "$IPFW" add 110 set 1 drop log 50 from 22.22.22.22 to any via eth0 || exit 1 "$IPFW" add 120 set 1 drop log 50 from 192.168.1.1 to any via eth0 || exit 1 # # Rule 1 (eth0) "$IPFW" add 130 set 1 skipto 250 icmp from 192.168.1.10 to 192.168.1.10 via eth0 || exit 1 "$IPFW" add 140 set 1 skipto 250 icmp from 192.168.1.10 to 192.168.1.20 via eth0 || exit 1 "$IPFW" add 150 set 1 skipto 250 icmp from 192.168.1.20 to 192.168.1.10 via eth0 || exit 1 "$IPFW" add 160 set 1 skipto 250 icmp from 192.168.1.20 to 192.168.1.20 via eth0 || exit 1 "$IPFW" add 170 set 1 skipto 250 50 from 192.168.1.10 to 192.168.1.10 via eth0 || exit 1 "$IPFW" add 180 set 1 skipto 250 50 from 192.168.1.10 to 192.168.1.20 via eth0 || exit 1 "$IPFW" add 190 set 1 skipto 250 50 from 192.168.1.20 to 192.168.1.10 via eth0 || exit 1 "$IPFW" add 200 set 1 skipto 250 50 from 192.168.1.20 to 192.168.1.20 via eth0 || exit 1 "$IPFW" add 210 set 1 drop icmp from 192.168.1.10 to any via eth0 || exit 1 "$IPFW" add 220 set 1 drop icmp from 192.168.1.20 to any via eth0 || exit 1 "$IPFW" add 230 set 1 drop 50 from 192.168.1.10 to any via eth0 || exit 1 "$IPFW" add 240 set 1 drop 50 from 192.168.1.20 to any via eth0 || exit 1 # # Rule 2 (eth1) # Anti-spoofing rule "$IPFW" add 250 set 1 drop log all from me to any in recv eth1 || exit 1 "$IPFW" add 260 set 1 drop log all from 192.168.1.0/24 to any in recv eth1 || exit 1 # # Rule 3 (eth1) # Anti-spoofing rule "$IPFW" add 270 set 1 skipto 290 all from 192.168.1.0/24 to any out xmit eth1 || exit 1 "$IPFW" add 280 set 1 
drop log all from any to any out xmit eth1 || exit 1 # # Rule 4 (lo) "$IPFW" add 290 set 1 permit all from any to any via lo keep-state || exit 1 # # Rule 5 (global) "$IPFW" add 300 set 1 drop log tcp from any to any tcpflags !fin,syn,!rst,!psh,!ack,!urg || exit 1 # # Rule 7 (global) # hostF has the same IP address as firewal. "$IPFW" add 310 set 1 permit log icmp from any to 192.168.1.1 icmptypes 8 keep-state || exit 1 # # Rule 8 (global) # testing negation in the policy rule "$IPFW" add 320 set 1 skipto 350 icmp from 192.168.1.10 to any icmptypes 3 || exit 1 "$IPFW" add 330 set 1 skipto 350 icmp from 192.168.1.20 to any icmptypes 3 || exit 1 "$IPFW" add 340 set 1 drop log icmp from any to any icmptypes 3 || exit 1 # # Rule 9 (global) # firewall1:Policy:9: warning: Changing rule direction due to self reference "$IPFW" add 350 set 1 skipto 380 icmp from 192.168.1.10 to me icmptypes 3 in || exit 1 "$IPFW" add 360 set 1 skipto 380 icmp from 192.168.1.20 to me icmptypes 3 in || exit 1 "$IPFW" add 370 set 1 drop log icmp from any to me icmptypes 3 in || exit 1 # # Rule 10 (global) # firewall1:Policy:10: warning: Changing rule direction due to self reference "$IPFW" add 380 set 1 skipto 410 all from me to 192.168.1.0/24 out || exit 1 "$IPFW" add 390 set 1 skipto 410 all from 192.168.2.0/24 to 192.168.1.0/24 || exit 1 "$IPFW" add 400 set 1 drop log all from any to 192.168.1.0/24 || exit 1 # # Rule 11 (global) "$IPFW" add 410 set 1 skipto 440 tcp from 22.22.22.0/24 to 192.168.1.10 80 || exit 1 "$IPFW" add 420 set 1 skipto 440 tcp from 33.33.33.0/24 to 192.168.1.10 80 || exit 1 "$IPFW" add 430 set 1 permit tcp from any to 192.168.1.10 80 setup keep-state || exit 1 # # Rule 12 (global) "$IPFW" add 440 set 1 skipto 500 all from 192.168.1.0/24 to 192.168.1.10 || exit 1 "$IPFW" add 450 set 1 skipto 500 all from 192.168.1.0/24 to 192.168.1.20 || exit 1 "$IPFW" add 460 set 1 skipto 500 all from 192.168.2.0/24 to 192.168.1.10 || exit 1 "$IPFW" add 470 set 1 skipto 500 all from 
192.168.2.0/24 to 192.168.1.20 || exit 1 "$IPFW" add 480 set 1 drop log all from 192.168.1.0/24 to any || exit 1 "$IPFW" add 490 set 1 drop log all from 192.168.2.0/24 to any || exit 1 # # Rule 13 (global) # firewall1:Policy:13: warning: Changing rule direction due to self reference "$IPFW" add 500 set 1 skipto 520 all from any to me in || exit 1 "$IPFW" add 510 set 1 drop all from any to any || exit 1 # # Rule 16 (global) "$IPFW" add 520 set 1 skipto 640 icmp from 22.22.22.22 to 22.22.22.22 || exit 1 "$IPFW" add 530 set 1 skipto 640 icmp from 22.22.22.22 to 192.168.1.1 || exit 1 "$IPFW" add 540 set 1 skipto 640 icmp from 192.168.1.1 to 22.22.22.22 || exit 1 "$IPFW" add 550 set 1 skipto 640 icmp from 192.168.1.1 to 192.168.1.1 || exit 1 "$IPFW" add 560 set 1 skipto 640 50 from 22.22.22.22 to 22.22.22.22 || exit 1 "$IPFW" add 570 set 1 skipto 640 50 from 22.22.22.22 to 192.168.1.1 || exit 1 "$IPFW" add 580 set 1 skipto 640 50 from 192.168.1.1 to 22.22.22.22 || exit 1 "$IPFW" add 590 set 1 skipto 640 50 from 192.168.1.1 to 192.168.1.1 || exit 1 "$IPFW" add 600 set 1 drop log icmp from 22.22.22.22 to any || exit 1 "$IPFW" add 610 set 1 drop log icmp from 192.168.1.1 to any || exit 1 "$IPFW" add 620 set 1 drop log 50 from 22.22.22.22 to any || exit 1 "$IPFW" add 630 set 1 drop log 50 from 192.168.1.1 to any || exit 1 # # Rule 17 (global) # 'masquerading' rule "$IPFW" add 640 set 1 permit all from 192.168.1.0/24 to any keep-state || exit 1 # # Rule 18 (global) # 'catch all' rule "$IPFW" add 650 set 1 drop log all from any to any || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 660 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1fwbuilder-5.3.7/test/ipfw/firewall2.fw.orig000077500000000000000000000076201303637203600206340ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:44 2011 PST by vadim # # files: * firewall2.fw /etc/firewall2.fw # # # # Compiled for ipfw # # this object has several interfaces and shows different rules for NAT. Also testing policy rule options # firewall2:Policy:12: warning: Changing rule direction due to self reference cd /etc || exit 1 IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:44 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 "$IPFW" add 1 set 1 check-state ip from any to any # ================ IPv4 # ================ Rule set Policy # # Rule 0 (eth1) "$IPFW" add 10 set 1 permit tcp from any to any established in recv eth1 keep-state || exit 1 # # Rule 1 (eth1) "$IPFW" add 20 set 1 permit tcp from any to any established in recv eth1 || exit 1 # # Rule 2 (eth1) "$IPFW" add 30 set 1 permit tcp from any 80 to any established in recv eth1 || exit 1 # # Rule 3 (eth1) # Anti-spoofing rule "$IPFW" add 40 set 1 drop log all from me to any in recv eth1 || exit 1 "$IPFW" add 50 set 1 drop log all from 192.168.1.0/24 to any in recv eth1 || exit 1 # # Rule 4 (eth1) # Anti-spoofing rule "$IPFW" add 60 set 1 skipto 90 all from me to any out xmit eth1 || exit 1 "$IPFW" add 70 set 1 skipto 90 all from 192.168.1.0/24 to any out xmit eth1 || exit 1 "$IPFW" add 80 set 1 drop log all from any 
to any out xmit eth1 || exit 1 # # Rule 5 (global) # block fragments "$IPFW" add 90 set 1 drop log all from any to any frag || exit 1 # # Rule 6 (global) # sends TCP RST and makes custom record in the log "$IPFW" add 100 set 1 reset log tcp from any to any 113 || exit 1 # # Rule 7 (global) # sends TCP RST and makes custom record in the log "$IPFW" add 110 set 1 unreach net log udp from any to any 161 || exit 1 # # Rule 8 (global) "$IPFW" add 120 set 1 permit all from 192.168.1.10 to 200.200.200.200 keep-state || exit 1 "$IPFW" add 130 set 1 permit all from 192.168.1.20 to 200.200.200.200 keep-state || exit 1 # # Rule 9 (global) "$IPFW" add 140 set 1 permit all from 200.200.200.200 to 192.168.1.10 keep-state || exit 1 "$IPFW" add 150 set 1 permit all from 200.200.200.200 to 192.168.1.20 keep-state || exit 1 # # Rule 10 (global) # 'masquerading' rule "$IPFW" add 160 set 1 permit all from 192.168.1.0/24 to any keep-state || exit 1 # # Rule 11 (global) # host-fw2 has the same address as # one of the firewall's interfaces "$IPFW" add 170 set 1 permit log tcp from any to 22.22.22.22 21 setup keep-state || exit 1 # # Rule 12 (global) # firewall2:Policy:12: warning: Changing rule direction due to self reference "$IPFW" add 180 set 1 permit log tcp from any to me 21 in setup keep-state || exit 1 # # Rule 13 (global) # 'catch all' rule "$IPFW" add 190 set 1 drop log all from any to any || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 200 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1fwbuilder-5.3.7/test/ipfw/firewall33.fw.orig000077500000000000000000000212341303637203600207150ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:44 2011 PST by vadim # # files: * firewall33.fw /etc/fw/firewall33.fw # # # # Compiled for ipfw # # testing DNSName object # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode # firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode cd /etc/fw || exit 1 IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "eth1 192.168.1.100/0xffffff00" "" update_addresses_of_interface 
"lo 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Sat Mar 12 19:44:44 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 "$IPFW" add 1 set 1 check-state ip from any to any # ================ IPv4 # ================ Rule set Policy # # Rule 0 (global) "$IPFW" add 10 set 1 permit all from 157.166.224.25 to any keep-state || exit 1 "$IPFW" add 20 set 1 permit all from 157.166.224.26 to any keep-state || exit 1 "$IPFW" add 30 set 1 permit all from 157.166.226.25 to any keep-state || exit 1 "$IPFW" add 40 set 1 permit all from 157.166.226.26 to any keep-state || exit 1 "$IPFW" add 50 set 1 permit all from 157.166.255.18 to any keep-state || exit 1 "$IPFW" add 60 set 1 permit all from 157.166.255.19 to any keep-state || exit 1 # # Rule 1 (global) "$IPFW" add 70 set 1 permit all from www.cnn.com to any keep-state || exit 1 # # Rule 2 (global) # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode "$IPFW" add 80 set 1 permit all from 192.0.2.1 to any keep-state || exit 1 # # Rule 3 (global) "$IPFW" add 90 set 1 permit all from buildmaster to any keep-state || exit 1 # # Rule 4 (global) "$IPFW" add 100 set 1 skipto 170 all from any to 157.166.224.25 || exit 1 "$IPFW" add 110 set 1 skipto 170 all from any to 157.166.224.26 || exit 1 "$IPFW" add 120 set 1 skipto 170 all from any to 157.166.226.25 || exit 1 "$IPFW" add 130 set 1 skipto 170 all from any to 157.166.226.26 || exit 1 "$IPFW" add 140 set 1 skipto 170 all from any to 157.166.255.18 || exit 1 "$IPFW" add 150 set 1 skipto 170 all from any to 157.166.255.19 || exit 1 "$IPFW" add 160 set 1 drop all from any to any || exit 1 # # Rule 5 (global) "$IPFW" add 170 set 1 skipto 190 all from any to www.cnn.com || exit 1 "$IPFW" add 180 set 1 drop all from any to any || exit 1 # # Rule 6 (global) 
# firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode "$IPFW" add 190 set 1 skipto 210 all from any to 192.0.2.1 || exit 1 "$IPFW" add 200 set 1 permit all from any to any keep-state || exit 1 # # Rule 7 (global) "$IPFW" add 210 set 1 skipto 230 all from any to buildmaster || exit 1 "$IPFW" add 220 set 1 permit all from any to any keep-state || exit 1 # # Rule 8 (global) "$IPFW" add 230 set 1 skipto 350 all from any to 74.125.224.48 || exit 1 "$IPFW" add 240 set 1 skipto 350 all from any to 74.125.224.49 || exit 1 "$IPFW" add 250 set 1 skipto 350 all from any to 74.125.224.50 || exit 1 "$IPFW" add 260 set 1 skipto 350 all from any to 74.125.224.51 || exit 1 "$IPFW" add 270 set 1 skipto 350 all from any to 74.125.224.52 || exit 1 "$IPFW" add 280 set 1 skipto 350 all from any to 157.166.224.25 || exit 1 "$IPFW" add 290 set 1 skipto 350 all from any to 157.166.224.26 || exit 1 "$IPFW" add 300 set 1 skipto 350 all from any to 157.166.226.25 || exit 1 "$IPFW" add 310 set 1 skipto 350 all from any to 157.166.226.26 || exit 1 "$IPFW" add 320 set 1 skipto 350 all from any to 157.166.255.18 || exit 1 "$IPFW" add 330 set 1 skipto 350 all from any to 157.166.255.19 || exit 1 "$IPFW" add 340 set 1 permit all from any to any keep-state || exit 1 # # Rule 9 (global) "$IPFW" add 350 set 1 skipto 380 all from any to www.google.com || exit 1 "$IPFW" add 360 set 1 skipto 380 all from any to www.cnn.com || exit 1 "$IPFW" add 370 set 1 permit all from any to any keep-state || exit 1 # # Rule 10 (global) "$IPFW" add 380 set 1 skipto 460 all from any to www.google.com || exit 1 "$IPFW" add 390 set 1 skipto 460 all from any to 157.166.224.25 || exit 1 "$IPFW" add 400 set 1 skipto 460 all from any to 157.166.224.26 || exit 1 "$IPFW" add 410 set 1 skipto 460 all from any to 157.166.226.25 || exit 1 "$IPFW" add 420 set 
1 skipto 460 all from any to 157.166.226.26 || exit 1 "$IPFW" add 430 set 1 skipto 460 all from any to 157.166.255.18 || exit 1 "$IPFW" add 440 set 1 skipto 460 all from any to 157.166.255.19 || exit 1 "$IPFW" add 450 set 1 permit all from any to any keep-state || exit 1 # # Rule 11 (global) "$IPFW" add 460 set 1 drop log all from any to any || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 470 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1fwbuilder-5.3.7/test/ipfw/firewall34.fw.orig000077500000000000000000000043541303637203600207220ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:44 2011 PST by vadim # # files: * firewall34.fw /etc/firewall34.fw # # # # Compiled for ipfw # # Testing actions Pipe, Classify, Custom cd /etc || exit 1 IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:44 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 # ================ IPv4 # ================ Rule set Policy # # Rule 0 (rl1) # port 8668 is natd "$IPFW" add 10 set 1 divert 8668 all from 192.168.1.0/24 to any via rl1 || exit 1 # # Rule 1 (global) # rule doing divert to natd (8668) should go before 
check-state "$IPFW" add 20 set 1 check-state all from any to any || exit 1 # # Rule 2 (global) "$IPFW" add 30 set 1 divert 1234 tcp from 192.168.1.0/24 to any 22 || exit 1 # # Rule 3 (global) "$IPFW" add 40 set 1 queue 2 tcp from 192.168.1.0/24 to any 22 || exit 1 # # Rule 4 (global) "$IPFW" add 50 set 1 pipe 1 tcp from 192.168.1.0/24 to any 80 || exit 1 # # Rule 5 (global) "$IPFW" add 60 set 1 prob .80 log all from 192.168.1.0/24 to any || exit 1 # # Rule 6 (global) "$IPFW" add 70 set 1 drop log all from any to any || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 80 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1fwbuilder-5.3.7/test/ipfw/firewall4.fw.orig000077500000000000000000000073071303637203600206400ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:44 2011 PST by vadim # # files: * firewall4.fw /etc/firewall4.fw # # # # Compiled for ipfw # # this object is used to test a configuration where firewall has dynamic address # firewall4::: error: Dynamic interface eth1 should not have an IP address object attached to it. This IP address object will be ignored. 
# firewall4:Policy:6: warning: Changing rule direction due to self reference # firewall4:Policy:6: warning: Changing rule direction due to self reference cd /etc || exit 1 IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/usr/sbin/ipf" IPNAT="/usr/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:44 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 "$IPFW" add 1 set 1 check-state ip from any to any # ================ IPv4 # ================ Rule set Policy # # Rule 0 (eth1) # Anti-spoofing rule "$IPFW" add 10 set 1 drop log all from me to any in recv eth1 || exit 1 "$IPFW" add 20 set 1 drop log all from 192.168.1.0/24 to any in recv eth1 || exit 1 # # Rule 1 (eth1) # Anti-spoofing rule "$IPFW" add 30 set 1 skipto 60 all from me to any out xmit eth1 || exit 1 "$IPFW" add 40 set 1 skipto 60 all from 192.168.1.0/24 to any out xmit eth1 || exit 1 "$IPFW" add 50 set 1 drop log all from any to any out xmit eth1 || exit 1 # # Rule 2 (eth1) "$IPFW" add 60 set 1 drop log icmp from any to any icmptypes 8 via eth1 || exit 1 # # Rule 3 (eth1) "$IPFW" add 70 set 1 skipto 90 icmp from 192.168.2.0/24 to any icmptypes 8 via eth1 || exit 1 "$IPFW" add 80 set 1 drop log icmp from any to any icmptypes 8 via eth1 || exit 1 # # Rule 4 (global) # hostF has the same IP address as firewal. 
"$IPFW" add 90 set 1 permit log icmp from any to 192.168.1.1 icmptypes 8 keep-state || exit 1 # # Rule 5 (global) # testing negation in the policy rule "$IPFW" add 100 set 1 skipto 130 icmp from 192.168.1.10 to any icmptypes 3 || exit 1 "$IPFW" add 110 set 1 skipto 130 icmp from 192.168.1.20 to any icmptypes 3 || exit 1 "$IPFW" add 120 set 1 drop log icmp from any to any icmptypes 3 || exit 1 # # Rule 6 (global) # firewall4:Policy:6: warning: Changing rule direction due to self reference "$IPFW" add 130 set 1 skipto 160 icmp from 192.168.1.10 to me icmptypes 3 in || exit 1 "$IPFW" add 140 set 1 skipto 160 icmp from 192.168.1.20 to me icmptypes 3 in || exit 1 "$IPFW" add 150 set 1 drop log icmp from any to me icmptypes 3 in || exit 1 # # Rule 8 (global) # 'masquerading' rule "$IPFW" add 160 set 1 permit all from 192.168.1.0/24 to any keep-state || exit 1 # # Rule 10 (global) # 'catch all' rule "$IPFW" add 170 set 1 drop log all from any to any || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 180 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1fwbuilder-5.3.7/test/ipfw/firewall7.fw.orig000077500000000000000000000034301303637203600206340ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:44 2011 PST by vadim # # files: * firewall7.fw /etc/firewall7.fw # # # # Compiled for ipfw # # testing rules with broadcasts cd /etc || exit 1 IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:44 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 "$IPFW" add 1 set 1 check-state ip from any to any # ================ IPv4 # ================ Rule set Policy # # Rule 0 (eth0) "$IPFW" add 10 set 1 drop log all from any to 192.168.1.255 in recv eth0 || exit 1 # # Rule 1 (eth1) "$IPFW" add 20 set 1 drop log all from any to me in recv eth1 || exit 1 # # Rule 2 (global) "$IPFW" add 30 set 1 permit udp from any to 192.168.1.255 68 keep-state || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 40 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1fwbuilder-5.3.7/test/ipfw/firewall8.fw.orig000077500000000000000000000043601303637203600206400ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:44 2011 PST by vadim # # files: * firewall8.fw /etc/firewall8.fw # # # # Compiled for ipfw # # firewall8:Policy:0: warning: Changing rule direction due to self reference cd /etc || exit 1 IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:44 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 "$IPFW" add 1 set 1 check-state ip from any to any # ================ IPv4 # ================ Rule set Policy # # Rule 0 (global) # firewall8:Policy:0: warning: Changing rule direction due to self reference "$IPFW" add 10 set 1 permit tcp from any to me 22 in setup keep-state || exit 1 # # Rule 1 (global) "$IPFW" add 20 set 1 permit tcp from any to 33.33.33.33 22 setup keep-state || exit 1 "$IPFW" add 30 set 1 permit tcp from any to 33.33.33.34 22 setup keep-state || exit 1 # # Rule 2 (global) "$IPFW" add 40 set 1 permit tcp from any to 33.33.33.33 22 setup keep-state || exit 1 # # Rule 3 (global) "$IPFW" add 50 set 1 permit tcp from any to 33.33.33.34 22 setup keep-state || exit 1 # # Rule 4 (global) "$IPFW" add 60 set 1 drop log all from any to any || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 70 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 
1fwbuilder-5.3.7/test/ipfw/firewall9.fw.orig000077500000000000000000000057771303637203600206560ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:44 2011 PST by vadim # # files: * firewall9.fw /etc/firewall9.fw # # # # Compiled for ipfw # # firewall9:Policy:5: warning: Changing rule direction due to self reference cd /etc || exit 1 IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:44 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 "$IPFW" add 1 set 1 check-state ip from any to any # ================ IPv4 # ================ Rule set Policy # # Rule 0 (firewall9:eth1) "$IPFW" add 10 set 1 skipto 30 all from 33.33.33.0/24 to any in recv firewall9:eth1 || exit 1 "$IPFW" add 20 set 1 drop log all from any to any in recv firewall9:eth1 || exit 1 # # Rule 1 (firewall9:eth1) "$IPFW" add 30 set 1 permit icmp from 33.33.33.0/24 to 192.168.1.10 icmptypes 3,0,11,11 in recv firewall9:eth1 keep-state || exit 1 "$IPFW" add 40 set 1 permit tcp from 33.33.33.0/24 to 192.168.1.10 22 in recv firewall9:eth1 setup keep-state || exit 1 # # Rule 2 (firewall9:eth1) "$IPFW" add 50 set 1 skipto 80 all from me to any in recv firewall9:eth1 || exit 1 "$IPFW" add 60 set 1 skipto 80 all 
from 192.168.1.0/24 to any in recv firewall9:eth1 || exit 1 "$IPFW" add 70 set 1 permit all from any to any in recv firewall9:eth1 keep-state || exit 1 # # Rule 3 (global) "$IPFW" add 80 set 1 count all from any to any || exit 1 # # Rule 4 (global) "$IPFW" add 90 set 1 count log all from any to any || exit 1 # # Rule 5 (global) # firewall9:Policy:5: warning: Changing rule direction due to self reference "$IPFW" add 100 set 1 permit tcp from any to me 22 in setup keep-state || exit 1 # # Rule 6 (global) "$IPFW" add 110 set 1 permit all from 192.168.1.0/24 to any keep-state || exit 1 # # Rule 7 (global) "$IPFW" add 120 set 1 permit tcp from any to any established || exit 1 # # Rule 8 (global) "$IPFW" add 130 set 1 drop log all from any to any || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 140 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1fwbuilder-5.3.7/test/ipfw/host.fw.orig000077500000000000000000000056401303637203600177220ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:45 2011 PST by vadim # # files: * host.fw /etc/host.fw # # # # Compiled for ipfw # # firewall protects host it is running on # host:Policy:4: warning: Changing rule direction due to self reference # host:Policy:5: warning: Changing rule direction due to self reference # host:Policy:6: warning: Changing rule direction due to self reference cd /etc || exit 1 IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:45 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 "$IPFW" add 1 set 1 check-state ip from any to any # ================ IPv4 # ================ Rule set Policy # # Rule 0 (eth0) "$IPFW" add 10 set 1 permit log all from me to me via eth0 keep-state || exit 1 # # Rule 1 (lo) # allow everything on loopback "$IPFW" add 20 set 1 permit all from any to me in recv lo keep-state || exit 1 # # Rule 2 (lo) # allow everything on loopback "$IPFW" add 30 set 1 permit all from me to any out xmit lo keep-state || exit 1 # # Rule 3 (lo) "$IPFW" add 40 set 1 permit log all from me to me via lo keep-state || exit 1 # # Rule 4 (global) # block fragments # host:Policy:4: warning: Changing rule direction due to self reference "$IPFW" add 50 set 1 drop log all from any to me frag in || exit 1 # # Rule 5 (global) # host:Policy:5: warning: Changing rule 
direction due to self reference "$IPFW" add 60 set 1 permit icmp from any to me icmptypes 3 in keep-state || exit 1 "$IPFW" add 70 set 1 permit tcp from any to me 21,80,25,22,23 in setup keep-state || exit 1 # # Rule 6 (global) # allow all outgoing connections # host:Policy:6: warning: Changing rule direction due to self reference "$IPFW" add 80 set 1 permit all from me to any out keep-state || exit 1 # # Rule 7 (global) # 'catch all' rule "$IPFW" add 90 set 1 drop log all from any to any || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 100 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1fwbuilder-5.3.7/test/ipfw/mac.fw.orig000077500000000000000000000057221303637203600175060ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipfw v4.2.0.3499 # # Generated Sat Mar 12 19:44:45 2011 PST by vadim # # files: * mac.fw /etc/mac.fw # # # # Compiled for ipfw # # mac:Policy:1: warning: Changing rule direction due to self reference # mac:Policy:3: warning: Changing rule direction due to self reference # mac:Policy:4: warning: Changing rule direction due to self reference set -x cd /etc || exit 1 IFCONFIG="/sbin/ifconfig" IPFW="/sbin/ipfw" SYSCTL="/usr/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 $SYSCTL -w net.inet.ip.sourceroute=0 $SYSCTL -w net.inet.ip.redirect=0 } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Sat Mar 12 19:44:45 2011 by vadim" 
set_kernel_vars configure_interfaces prolog_commands "$IPFW" set disable 1 "$IPFW" add 1 set 1 check-state ip from any to any # ================ IPv4 # ================ Rule set Policy # # Rule 0 (lo0) "$IPFW" add 10 set 1 permit all from any to any via lo0 keep-state || exit 1 # # Rule 1 (global) # mac:Policy:1: warning: Changing rule direction due to self reference "$IPFW" add 20 set 1 permit tcp from any to me established in keep-state || exit 1 # # Rule 2 (global) "$IPFW" add 30 set 1 drop log all from any to any frag || exit 1 "$IPFW" add 40 set 1 drop log tcp from any to any tcpflags fin,syn,!rst,psh,ack,urg || exit 1 # # Rule 3 (global) # mac:Policy:3: warning: Changing rule direction due to self reference "$IPFW" add 50 set 1 permit icmp from any to me icmptypes 3,0,11,11 in keep-state || exit 1 "$IPFW" add 60 set 1 permit tcp from any to me 25,22 in setup keep-state || exit 1 "$IPFW" add 70 set 1 permit udp from any to me in keep-state || exit 1 # # Rule 4 (global) # mac:Policy:4: warning: Changing rule direction due to self reference "$IPFW" add 80 set 1 permit icmp from me to any icmptypes 3,0,11,11 out keep-state || exit 1 "$IPFW" add 90 set 1 permit tcp from me to any out setup keep-state || exit 1 "$IPFW" add 100 set 1 permit udp from me to any 68,67,53 out keep-state || exit 1 # # Rule 5 (global) "$IPFW" add 110 set 1 drop log all from any to any || exit 1 # # Rule fallback rule # fallback rule "$IPFW" add 120 set 1 drop all from any to any || exit 1 epilog_commands "$IPFW" set swap 0 1 || exit 1 "$IPFW" delete set 1fwbuilder-5.3.7/test/ipfw/objects-for-regression-tests.fwb000066400000000000000000010756661303637203600237200ustar00rootroot00000000000000 -m ip_conntrack_talk -m ip_nat_talk established established established -m state --state ESTABLISHED,RELATED fwbuilder-5.3.7/test/ipfw/quick-cmp.sh000077500000000000000000000014411303637203600176700ustar00rootroot00000000000000#!/bin/sh DIFFCMD="diff -C 5 -c -b -B -w -I \"Generated\" -I 'Activating ' 
-I 'Firewall Builder fwb_ipfw v' -I 'Can not find file' -I '====' -I 'log '" for f in $(ls *.fw.orig) do V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" new_f=$(echo $f | sed 's/.orig//') echo "$DIFFCMD $f $new_f" done exit 0 run_diffs_for_file() { xmlfile=$1 folder=$2 fwbedit list -f $xmlfile -o $folder -c -F%name% | sort | while read fwobj; do V="$fwobj <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" echo "$DIFFCMD ${fwobj}.fw.orig ${fwobj}.fw" done } run_diffs_for_file objects-for-regression-tests.fwb /User/Firewalls # run_diffs_for_file cluster-tests.fwb /User/Clusters fwbuilder-5.3.7/test/ipfw/recycle000077500000000000000000000000751303637203600170160ustar00rootroot00000000000000#!/bin/sh for f in *.fw; do j=${f}.orig mv $f $j done fwbuilder-5.3.7/test/ipfw/run.all000077500000000000000000000007771303637203600167540ustar00rootroot00000000000000#!/bin/sh XMLFILE="objects-for-regression-tests.fwb" fwbedit list -f $XMLFILE -o /User/Firewalls -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_ipfw -v -f $XMLFILE -xt $fwobj" done exit 0 XMLFILE="cluster-tests.fwb" fwbedit list -f $XMLFILE -o /User/Clusters -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_ipfw -v -f $XMLFILE -xt -xc $fwobj" done fwbuilder-5.3.7/test/ipt/000077500000000000000000000000001303637203600152675ustar00rootroot00000000000000fwbuilder-5.3.7/test/ipt/Makefile000066400000000000000000000007221303637203600167300ustar00rootroot00000000000000 FW_OBJECTS := $(shell fwbedit list -f objects-for-regression-tests.fwb -o /User/Firewalls -c -F%name% | sort) CL_OBJECTS := $(shell fwbedit list -f cluster-tests.fwb -o /User/Clusters -c -F%name% | sort) $(FW_OBJECTS): fwb_ipt -f objects-for-regression-tests.fwb -xt $@ $(CL_OBJECTS): fwb_ipt -f cluster-tests.fwb -xt -xc 
$@ .PHONY: all firewalls clusters $(FW_OBJECTS) $(CL_OBJECTS) all: firewalls clusters firewalls: $(FW_OBJECTS) clusters: $(CL_OBJECTS) fwbuilder-5.3.7/test/ipt/addr-table-1.tbl000066400000000000000000000004251303637203600201300ustar00rootroot00000000000000# this is a comment # ; this should be a comment too ; 192.168.1.1 192.168.1.2/32 192.168.1.3/30 192.168.2.128/25 192.168.1.200/32 # comment again 192.168.1.201/32 # this should work, too # ipv6 addresses 2001:458:20:100:250:b7ff:fe00:2af/128 fe80::21d:9ff:fe8b:8e94/64 fwbuilder-5.3.7/test/ipt/block-hosts.tbl000066400000000000000000000017601303637203600202260ustar00rootroot00000000000000# # use this table to test run-time AddressTable object # (this is just a small collection of addresses that sent spam to me # on Nov 20 2005) # ; this is a comment, too ; empty lines are allowed and should be skipped by the script 151.8.224.178 # this is also a comment 168.156.76.20 193.207.126.36 195.136.186.35 196.15.136.15 201.10.180.138 201.17.93.16 201.36.156.121 202.103.25.253 202.96.112.93 203.162.3.209 203.209.124.144 210.106.193.237 210.222.114.102 211.144.143.143 211.172.218.237 211.250.16.132 212.100.212.100 212.21.241.31 218.104.138.146 218.18.72.252 218.39.114.122 218.55.115.43 219.132.104.160 220.71.17.86 220.81.50.105 220.91.99.46 221.14.249.242 221.166.177.135 221.198.33.38 221.202.160.233 221.205.54.125 221.217.44.248 222.100.212.223 222.121.118.144 222.174.113.2 58.231.13.78 58.33.181.83 58.53.82.190 61.150.47.112 61.184.14.102 64.106.85.186 70.228.60.100 80.243.72.149 80.249.77.34 80.51.236.6 81.196.74.125 81.2.36.254 82.117.221.205 82.143.196.17 82.77.37.174 84.90.8.198 fwbuilder-5.3.7/test/ipt/cluster-tests.fwb000066400000000000000000014304271303637203600206230ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 
10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/test/ipt/do-all-diff000077500000000000000000000005561303637203600173010ustar00rootroot00000000000000#!/usr/bin/perl $XMLFILE=@ARGV[0]; if (-x "/usr/bin/opendiff") { $TOOL="opendiff"; } else { $TOOL="tkdiff -b -B "; } while (<>) { $str=$_; while ( $str=~ /]+name="([^"]*).*$"/; $fw=$1; printf "$TOOL %s.fw.orig %s.fw\n",$fw,$fw; $str=~ s/^.*]+name="$fw"[^>]+>//; } } fwbuilder-5.3.7/test/ipt/do-diff000077500000000000000000000003371303637203600165300ustar00rootroot00000000000000#!/bin/sh N=$1 if which opendiff > /dev/null 2>&1; then TOOL="opendiff" elif which tkdiff > /dev/null 2>&1; then TOOL="tkdiff -b -B " else TOOL="diff -U 8 -b -B " fi ${TOOL} firewall${N}.fw.orig firewall${N}.fw fwbuilder-5.3.7/test/ipt/emtpy-table.tbl000066400000000000000000000000751303637203600202170ustar00rootroot00000000000000# this is an empty address table file # it has no addresses fwbuilder-5.3.7/test/ipt/firewall-base-rulesets.fw.orig000077500000000000000000000315541303637203600231600ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:19 2012 PDT by vadim # # files: * firewall-base-rulesets.fw /etc/fw/firewall-base-rulesets.fw # # Compiled for iptables (any version) # # this firewall is used to test a rule in the global policy of object "firewall" FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 33.33.33.33/24" "" update_addresses_of_interface "eth1 172.16.1.1/24" "" update_addresses_of_interface "eth2 192.168.100.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set web_server_inbound # # Rule web_server_inbound 0 (global) # echo "Rule web_server_inbound 0 (global)" # $IPTABLES -N web_server_inbound $IPTABLES -A web_server_inbound -i + -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT # # Rule web_server_inbound 1 (global) # echo "Rule web_server_inbound 1 (global)" # $IPTABLES -A web_server_inbound -i + -p icmp -m icmp --icmp-type 3 -m state --state NEW 
-j ACCEPT $IPTABLES -A web_server_inbound -i + -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # # Rule web_server_inbound 2 (global) # echo "Rule web_server_inbound 2 (global)" # $IPTABLES -N web_server_inbound_2 $IPTABLES -A web_server_inbound -p tcp -m tcp --dport 3306 -j web_server_inbound_2 $IPTABLES -A web_server_inbound_2 -j LOG --log-level info --log-prefix "web_server_inbound/2 -- DENY" $IPTABLES -A web_server_inbound_2 -j DROP # ================ Table 'filter', rule set mail_server_inbound # # Rule mail_server_inbound 0 (global) # echo "Rule mail_server_inbound 0 (global)" # $IPTABLES -N mail_server_inbound $IPTABLES -A mail_server_inbound -i + -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT # # Rule mail_server_inbound 1 (global) # echo "Rule mail_server_inbound 1 (global)" # $IPTABLES -A mail_server_inbound -i + -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT $IPTABLES -A mail_server_inbound -i + -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # ================ Table 'filter', rule set mail_server_outbound # # Rule mail_server_outbound 0 (global) # echo "Rule mail_server_outbound 0 (global)" # $IPTABLES -N mail_server_outbound $IPTABLES -A mail_server_outbound -o + -p tcp -m tcp -m multiport --dports 53,25 -m state --state NEW -j ACCEPT $IPTABLES -A mail_server_outbound -o + -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT # # Rule mail_server_outbound 1 (global) # echo "Rule mail_server_outbound 1 (global)" # $IPTABLES -A mail_server_outbound -o + -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT $IPTABLES -A mail_server_outbound -o + -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # ================ Table 'filter', rule set web_server_outbound # # Rule web_server_outbound 0 (global) # echo "Rule web_server_outbound 0 (global)" # $IPTABLES -N web_server_outbound $IPTABLES -A web_server_outbound -o + -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT $IPTABLES 
-A web_server_outbound -o + -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # # Rule web_server_outbound 1 (global) # echo "Rule web_server_outbound 1 (global)" # $IPTABLES -A web_server_outbound -o + -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A web_server_outbound -o + -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT # ================ Table 'filter', rule set base-ruleset # # Rule base-ruleset 0 (global) # echo "Rule base-ruleset 0 (global)" # $IPTABLES -N base-ruleset $IPTABLES -N Cid41961X1271.0 $IPTABLES -A base-ruleset -p tcp -m tcp --dport 22 -m state --state NEW -j Cid41961X1271.0 $IPTABLES -A Cid41961X1271.0 -d 33.33.33.33 -j ACCEPT $IPTABLES -A Cid41961X1271.0 -d 172.16.1.1 -j ACCEPT $IPTABLES -A Cid41961X1271.0 -d 192.168.100.1 -j ACCEPT } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:19 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? 
;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-1.fw.orig000077500000000000000000000602571303637203600214260ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:21 2012 PDT by vadim # # files: * firewall-ipv6-1.fw /etc/firewall-ipv6-1.fw # # Compiled for iptables (any version) # # Using ULOG globally, but ipv6 rules # should fall back to LOG because # there is no ULOG for ip6tables yet # Bug 2141911 # firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:13: error: Rule '13 (global)' shadows rule '15 (global)' below it # firewall-ipv6-1:Policy:14: error: Rule '14 (global)' shadows rule '16 (global)' below it # firewall-ipv6-1:Policy:14: error: Rule '14 (global)' shadows rule '17 (global)' below it # firewall-ipv6-1:Policy:13: error: Rule '13 (global)' shadows rule '17 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 7 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 9 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 10 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 11 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 12 (global)' below it # firewall-ipv6-1:Policy_ipv6:8: error: Rule 'Policy_ipv6 8 (global)' 
shadows rule 'Policy_ipv6 13 (global)' below it # firewall-ipv6-1:Policy_ipv6:0: error: Rule 'Policy_ipv6 0 (global)' shadows rule 'Policy_ipv6 14 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-1:Policy_ipv6:6: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-1:Policy_ipv6:7: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-1:Policy_ipv6:8: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-1:Policy_ipv6:8: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-1:Policy_ipv6:8: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-1:Policy_ipv6:9: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-1:Policy_ipv6:10: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-1:Policy_ipv6:: warning: Backup ssh access rule could not be added to IPv6 policy because specified address '1.1.1.2' is invalid FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0" for i in eth0 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # backup ssh access $IPTABLES -A INPUT -p tcp -m tcp -s 1.1.1.2/255.255.255.255 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -d 1.1.1.2/255.255.255.255 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'filter', rule set Policy # # Rule 4 (global) # echo "Rule 4 (global)" # # firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it $IPTABLES -N Cid4834D3108571.0 $IPTABLES -A INPUT -p tcp -m tcp -d 1.1.1.1 --dport 22 -m state --state NEW -j Cid4834D3108571.0 $IPTABLES -N RULE_4 $IPTABLES -A Cid4834D3108571.0 -s 61.150.47.112 -j RULE_4 $IPTABLES -A Cid4834D3108571.0 -s 192.168.1.0 -j RULE_4 $IPTABLES -A RULE_4 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 4 -- ACCEPT " --ulog-qthreshold 1 $IPTABLES -A RULE_4 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N Cid4835041F8571.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid4835041F8571.0 
$IPTABLES -N RULE_6 $IPTABLES -A Cid4835041F8571.0 -s 61.150.47.112 -j RULE_6 $IPTABLES -A Cid4835041F8571.0 -s 192.168.1.0 -j RULE_6 $IPTABLES -A RULE_6 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 6 -- ACCEPT " --ulog-qthreshold 1 $IPTABLES -A RULE_6 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N In_RULE_7 $IPTABLES -A INPUT -m state --state NEW -j In_RULE_7 $IPTABLES -A In_RULE_7 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 7 -- ACCEPT " --ulog-qthreshold 1 $IPTABLES -A In_RULE_7 -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -N RULE_10 $IPTABLES -A INPUT -s 61.150.47.112 -m state --state NEW -j RULE_10 $IPTABLES -A INPUT -s 192.168.1.0 -m state --state NEW -j RULE_10 $IPTABLES -A FORWARD -s 61.150.47.112 -m state --state NEW -j RULE_10 $IPTABLES -A FORWARD -s 192.168.1.0 -m state --state NEW -j RULE_10 $IPTABLES -A RULE_10 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 -- ACCEPT " --ulog-qthreshold 1 $IPTABLES -A RULE_10 -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -A INPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # # firewall-ipv6-1:Policy:13: error: Rule '13 (global)' shadows rule '15 (global)' below it # firewall-ipv6-1:Policy:13: error: Rule '13 (global)' shadows rule '17 (global)' below it $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW 
-j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # # INPUT, OUTPUT, FORWARD $IPTABLES -A INPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # # INPUT, OUTPUT, FORWARD $IPTABLES -A OUTPUT -d 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 1.1.1.0/24 -m state --state NEW -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # $IPTABLES -A OUTPUT -d 6bone.net -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d ny6ix.net -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 6bone.net -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -N RULE_21 $IPTABLES -A OUTPUT -d 72.55.148.116 -j RULE_21 $IPTABLES -A OUTPUT -d 207.251.84.150 -j RULE_21 $IPTABLES -A FORWARD -d 72.55.148.116 -j RULE_21 $IPTABLES -A FORWARD -d 207.251.84.150 -j RULE_21 $IPTABLES -A RULE_21 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 21 -- DENY " --ulog-qthreshold 1 $IPTABLES -A RULE_21 -j DROP # ================ IPv6 # ================ Table 'filter', automatic rules # accept established sessions $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # rules to permit IPv6 Neighbor discovery $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j 
ACCEPT $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT # drop packets that do not match any valid state and log them $IP6TABLES -N drop_invalid $IP6TABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IP6TABLES -A INPUT -m state --state INVALID -j drop_invalid $IP6TABLES -A FORWARD -m state --state INVALID -j drop_invalid $IP6TABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY " $IP6TABLES -A drop_invalid -j DROP # ================ Table 'filter', rule set Policy_ipv6 # # Rule Policy_ipv6 0 (global) # echo "Rule Policy_ipv6 0 (global)" # # for bug 2047082 # firewall-ipv6-1:Policy_ipv6:0: error: Rule 'Policy_ipv6 0 (global)' shadows rule 'Policy_ipv6 14 (global)' below it $IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT # # Rule Policy_ipv6 1 (global) # echo "Rule Policy_ipv6 1 (global)" # $IP6TABLES -A OUTPUT -d 6bone.net -m state --state NEW -j ACCEPT $IP6TABLES -A OUTPUT -d ny6ix.net -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -d 6bone.net -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT # # Rule Policy_ipv6 3 (global) # echo "Rule Policy_ipv6 3 (global)" # # INPUT, OUTPUT, FORWARD $IP6TABLES -A INPUT -s fe80::/64 -m state --state NEW -j ACCEPT $IP6TABLES -A OUTPUT -s fe80::/64 -m 
state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -s fe80::/64 -m state --state NEW -j ACCEPT # # Rule Policy_ipv6 4 (global) # echo "Rule Policy_ipv6 4 (global)" # # INPUT, OUTPUT, FORWARD $IP6TABLES -A OUTPUT -d fe80::/64 -m state --state NEW -j ACCEPT $IP6TABLES -A INPUT -d fe80::/64 -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -d fe80::/64 -m state --state NEW -j ACCEPT # # Rule Policy_ipv6 5 (global) # echo "Rule Policy_ipv6 5 (global)" # # for bug 2462927, ipv6 networks with /32 # netmask $IP6TABLES -A INPUT -s 2001:db8::/32 -j DROP $IP6TABLES -A INPUT -s 3fff:ffff::/16 -j DROP $IP6TABLES -A INPUT -s 3fff:ffff::/32 -j DROP # # Rule Policy_ipv6 6 (global) # echo "Rule Policy_ipv6 6 (global)" # # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 10 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 11 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 12 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 7 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 9 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A OUTPUT -p ipv6-icmp -d fe80::21d:9ff:fe8b:8e94 -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 7 (global) # echo "Rule Policy_ipv6 7 (global)" # # firewall-ipv6-1:Policy_ipv6:7: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 8 (global) # echo "Rule Policy_ipv6 8 (global)" # # firewall-ipv6-1:Policy_ipv6:8: error: Rule 'Policy_ipv6 8 (global)' shadows rule 'Policy_ipv6 13 (global)' below it # firewall-ipv6-1:Policy_ipv6:8: warning: Making rule stateless because it matches ICMPv6 
$IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT $IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 9 (global) # echo "Rule Policy_ipv6 9 (global)" # # firewall-ipv6-1:Policy_ipv6:9: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 10 (global) # echo "Rule Policy_ipv6 10 (global)" # # firewall-ipv6-1:Policy_ipv6:10: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p tcp -m tcp -m multiport --dports 3268,3269,445,42,53,88,389,636,135,139 -m state --state NEW -j ACCEPT $IP6TABLES -A INPUT -p udp -m udp -m multiport --dports 53,88,138,137 -m state --state NEW -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 11 (global) # echo "Rule Policy_ipv6 11 (global)" # $IP6TABLES -A OUTPUT -p ipv6-icmp -d fe80::21d:9ff:fe8b:8e94 -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 12 (global) # echo "Rule Policy_ipv6 12 (global)" # $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 13 (global) # echo "Rule Policy_ipv6 13 (global)" # $IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT $IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 14 (global) # echo "Rule Policy_ipv6 14 (global)" # $IP6TABLES -A OUTPUT -s fe80::21d:9ff:fe8b:8e94 -m state --state NEW -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:21 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " ipv6" configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-2.fw.orig000077500000000000000000001062411303637203600214210ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:21 2012 PDT by vadim # # files: * firewall-ipv6-2.fw /etc/firewall-ipv6-2.fw # # Compiled for iptables (any version) # # Using ULOG globally, but ipv6 rules # should fall back to LOG because # there is no ULOG for ip6tables yet # Bug 2141911 # firewall-ipv6-2:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it # firewall-ipv6-2:Policy:15: error: Rule '15 (global)' shadows rule '17 (global)' below it # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '18 (global)' below it # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '19 (global)' below it # firewall-ipv6-2:Policy:15: error: Rule '15 (global)' shadows rule '19 (global)' below it # firewall-ipv6-2:Policy:20: error: Rule '20 (global)' shadows rule '22 (global)' below it # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '27 (global)' below it # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '28 (global)' below it # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '29 (global)' below it # firewall-ipv6-2:Policy:20: error: Rule '20 (global)' shadows rule '30 (global)' below it # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' 
below it # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it # firewall-ipv6-2:Policy:11: error: Rule '11 (global)' shadows rule '12 (global)' below it # firewall-ipv6-2:Policy:11: error: Rule '11 (global)' shadows rule '12 (global)' below it # firewall-ipv6-2:Policy:13: error: Rule '13 (global)' shadows rule '14 (global)' below it # firewall-ipv6-2:Policy:15: error: Rule '15 (global)' shadows rule '17 (global)' below it # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '18 (global)' below it # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '19 (global)' below it # firewall-ipv6-2:Policy:15: error: Rule '15 (global)' shadows rule '19 (global)' below it # firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '25 (global)' below it # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '27 (global)' below it # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '28 (global)' below it # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '29 (global)' below it # firewall-ipv6-2:Policy:22: error: Rule '22 (global)' shadows rule '30 (global)' below it # firewall-ipv6-2:Policy:16: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:16: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:16: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:18: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:18: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:18: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:19: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:19: 
warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:19: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:27: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:27: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:28: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:29: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:29: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:29: warning: Making rule stateless because it matches ICMPv6 # firewall-ipv6-2:Policy:: warning: Backup ssh access rule could not be added to IPv6 policy because specified address '1.1.1.2' is invalid FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0" for i in eth0 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # backup ssh access $IPTABLES -A INPUT -p tcp -m tcp -s 1.1.1.2/255.255.255.255 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -d 1.1.1.2/255.255.255.255 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'filter', rule set Policy # # Rule 4 (global) # echo "Rule 4 (global)" # # firewall-ipv6-2:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it $IPTABLES -N Cid56136X87590.0 $IPTABLES -A INPUT -p tcp -m tcp -d 1.1.1.1 --dport 22 -m state --state NEW -j Cid56136X87590.0 $IPTABLES -N RULE_4 $IPTABLES -A Cid56136X87590.0 -s 61.150.47.112 -j RULE_4 $IPTABLES -A Cid56136X87590.0 -s 192.168.1.0 -j RULE_4 $IPTABLES -A RULE_4 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 4 -- ACCEPT " --ulog-qthreshold 1 $IPTABLES -A RULE_4 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N Cid56160X87590.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid56160X87590.0 $IPTABLES 
-N RULE_6 $IPTABLES -A Cid56160X87590.0 -s 61.150.47.112 -j RULE_6 $IPTABLES -A Cid56160X87590.0 -s 192.168.1.0 -j RULE_6 $IPTABLES -A RULE_6 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 6 -- ACCEPT " --ulog-qthreshold 1 $IPTABLES -A RULE_6 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '27 (global)' below it # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '28 (global)' below it $IPTABLES -N In_RULE_7 $IPTABLES -A INPUT -m state --state NEW -j In_RULE_7 $IPTABLES -A In_RULE_7 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 7 -- ACCEPT " --ulog-qthreshold 1 $IPTABLES -A In_RULE_7 -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # # firewall-ipv6-2:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.1 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.1 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -N RULE_12 $IPTABLES -A INPUT -s 61.150.47.112 -m state --state NEW -j RULE_12 $IPTABLES -A INPUT -s 192.168.1.0 -m state --state NEW -j RULE_12 $IPTABLES -A FORWARD -s 61.150.47.112 -m state --state NEW -j RULE_12 $IPTABLES -A FORWARD -s 192.168.1.0 -m state --state NEW -j RULE_12 $IPTABLES -A RULE_12 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 12 -- ACCEPT " --ulog-qthreshold 1 $IPTABLES -A RULE_12 -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -A INPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # # firewall-ipv6-2:Policy:15: error: Rule '15 (global)' shadows rule '17 (global)' below it # 
firewall-ipv6-2:Policy:15: error: Rule '15 (global)' shadows rule '19 (global)' below it $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # # INPUT, OUTPUT, FORWARD # firewall-ipv6-2:Policy:20: error: Rule '20 (global)' shadows rule '22 (global)' below it # firewall-ipv6-2:Policy:20: error: Rule '20 (global)' shadows rule '30 (global)' below it $IPTABLES -A INPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # # INPUT, OUTPUT, FORWARD $IPTABLES -A OUTPUT -d 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 1.1.1.0/24 -m state --state NEW -j ACCEPT # # Rule 22 (global) # echo "Rule 22 (global)" # # for bug 2047082 $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -A OUTPUT -d 6bone.net -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d ny6ix.net -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 6bone.net -m state --state 
NEW -j ACCEPT $IPTABLES -A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT # # Rule 24 (global) # echo "Rule 24 (global)" # $IPTABLES -N RULE_24 $IPTABLES -A OUTPUT -d 72.55.148.116 -j RULE_24 $IPTABLES -A OUTPUT -d 207.251.84.150 -j RULE_24 $IPTABLES -A FORWARD -d 72.55.148.116 -j RULE_24 $IPTABLES -A FORWARD -d 207.251.84.150 -j RULE_24 $IPTABLES -A RULE_24 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 24 -- DENY " --ulog-qthreshold 1 $IPTABLES -A RULE_24 -j DROP # # Rule 30 (global) # echo "Rule 30 (global)" # $IPTABLES -A OUTPUT -s 1.1.1.1 -m state --state NEW -j ACCEPT # # Rule 32 (global) # echo "Rule 32 (global)" # # ipv4 address range for bug 2820152 $IPTABLES -N RULE_32 $IPTABLES -A OUTPUT -d 192.168.1.1 -j RULE_32 $IPTABLES -A OUTPUT -d 192.168.1.2/31 -j RULE_32 $IPTABLES -A OUTPUT -d 192.168.1.4/30 -j RULE_32 $IPTABLES -A OUTPUT -d 192.168.1.8/29 -j RULE_32 $IPTABLES -A OUTPUT -d 192.168.1.16/28 -j RULE_32 $IPTABLES -A OUTPUT -d 192.168.1.32/27 -j RULE_32 $IPTABLES -A OUTPUT -d 192.168.1.64/27 -j RULE_32 $IPTABLES -A OUTPUT -d 192.168.1.96/30 -j RULE_32 $IPTABLES -A OUTPUT -d 192.168.1.100 -j RULE_32 $IPTABLES -A FORWARD -d 192.168.1.1 -j RULE_32 $IPTABLES -A FORWARD -d 192.168.1.2/31 -j RULE_32 $IPTABLES -A FORWARD -d 192.168.1.4/30 -j RULE_32 $IPTABLES -A FORWARD -d 192.168.1.8/29 -j RULE_32 $IPTABLES -A FORWARD -d 192.168.1.16/28 -j RULE_32 $IPTABLES -A FORWARD -d 192.168.1.32/27 -j RULE_32 $IPTABLES -A FORWARD -d 192.168.1.64/27 -j RULE_32 $IPTABLES -A FORWARD -d 192.168.1.96/30 -j RULE_32 $IPTABLES -A FORWARD -d 192.168.1.100 -j RULE_32 $IPTABLES -A RULE_32 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 32 -- DENY " --ulog-qthreshold 1 $IPTABLES -A RULE_32 -j DROP # # Rule 33 (global) # echo "Rule 33 (global)" # # ipv4 address range for bug 2820152 $IPTABLES -N RULE_33 $IPTABLES -A OUTPUT -d 255.255.255.255 -j RULE_33 $IPTABLES -A INPUT -d 255.255.255.255 -j RULE_33 $IPTABLES -A RULE_33 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 33 -- DENY " 
--ulog-qthreshold 1 $IPTABLES -A RULE_33 -j DROP # # Rule 34 (global) # echo "Rule 34 (global)" # $IPTABLES -N RULE_34 $IPTABLES -A OUTPUT -j RULE_34 $IPTABLES -A INPUT -j RULE_34 $IPTABLES -A FORWARD -j RULE_34 $IPTABLES -A RULE_34 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 34 -- DENY " --ulog-qthreshold 1 $IPTABLES -A RULE_34 -j DROP # ================ IPv6 # ================ Table 'filter', automatic rules # accept established sessions $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IP6TABLES -N drop_invalid $IP6TABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IP6TABLES -A INPUT -m state --state INVALID -j drop_invalid $IP6TABLES -A FORWARD -m state --state INVALID -j drop_invalid $IP6TABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY " $IP6TABLES -A drop_invalid -j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # this rule shadows the next. 
# Note that we add command line # flag -xt to the compiler $IP6TABLES -A INPUT -p tcp -m tcp -s fe80::/64 -d fe80::21d:9ff:fe8b:8e94 --dport 22 -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it $IP6TABLES -A INPUT -p tcp -m tcp -s 2001:5c0:0:2::24 -d fe80::21d:9ff:fe8b:8e94 --dport 22 -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it $IP6TABLES -N RULE_2 $IP6TABLES -A INPUT -p tcp -m tcp -s 3ffe:1200:2001:1:8000::1 --dport 22 -m state --state NEW -j RULE_2 $IP6TABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT " $IP6TABLES -A RULE_2 -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it $IP6TABLES -N Cid56124X87590.0 $IP6TABLES -A INPUT -p tcp -m tcp -d fe80::21d:9ff:fe8b:8e94 --dport 22 -m state --state NEW -j Cid56124X87590.0 $IP6TABLES -N RULE_3 $IP6TABLES -A Cid56124X87590.0 -s 2001:5c0:0:2::24 -j RULE_3 $IP6TABLES -A Cid56124X87590.0 -s 3ffe:1200:2000::/36 -j RULE_3 $IP6TABLES -A Cid56124X87590.0 -s 3ffe:1200:2001:1:8000::1 -j RULE_3 $IP6TABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT " $IP6TABLES -A RULE_3 -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # $IP6TABLES -N 
Cid56136X87590.0 $IP6TABLES -A INPUT -p tcp -m tcp -d fe80::21d:9ff:fe8b:8e94 --dport 22 -m state --state NEW -j Cid56136X87590.0 $IP6TABLES -N RULE_4 $IP6TABLES -A Cid56136X87590.0 -s 2001:5c0:0:2::24 -j RULE_4 $IP6TABLES -A Cid56136X87590.0 -s 3ffe:1200:2001:1:8000::1 -j RULE_4 $IP6TABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT " $IP6TABLES -A RULE_4 -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # $IP6TABLES -N Cid56148X87590.0 $IP6TABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid56148X87590.0 $IP6TABLES -N RULE_5 $IP6TABLES -A Cid56148X87590.0 -s 2001:5c0:0:2::24 -j RULE_5 $IP6TABLES -A Cid56148X87590.0 -s 3ffe:1200:2000::/36 -j RULE_5 $IP6TABLES -A Cid56148X87590.0 -s 3ffe:1200:2001:1:8000::1 -j RULE_5 $IP6TABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IP6TABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # $IP6TABLES -N Cid56160X87590.0 $IP6TABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid56160X87590.0 $IP6TABLES -N RULE_6 $IP6TABLES -A Cid56160X87590.0 -s 2001:5c0:0:2::24 -j RULE_6 $IP6TABLES -A Cid56160X87590.0 -s 3ffe:1200:2001:1:8000::1 -j RULE_6 $IP6TABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- ACCEPT " $IP6TABLES -A RULE_6 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '27 (global)' below it # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '28 (global)' below it $IP6TABLES -N In_RULE_7 $IP6TABLES -A INPUT -m state --state NEW -j In_RULE_7 $IP6TABLES -A In_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT " $IP6TABLES -A In_RULE_7 -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # # firewall-ipv6-2:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it $IP6TABLES -A OUTPUT -d e80::21d:9ff:fe8b:8e94 -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -d e80::21d:9ff:fe8b:8e94 -m state --state 
NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # $IP6TABLES -A OUTPUT -d e80::21d:9ff:fe8b:8e94 -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -d e80::21d:9ff:fe8b:8e94 -m state --state NEW -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # # firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '25 (global)' below it $IP6TABLES -N RULE_10 $IP6TABLES -A INPUT -s fe80::/64 -m state --state NEW -j RULE_10 $IP6TABLES -A OUTPUT -s fe80::/64 -m state --state NEW -j RULE_10 $IP6TABLES -A FORWARD -s fe80::/64 -m state --state NEW -j RULE_10 $IP6TABLES -A RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- ACCEPT " $IP6TABLES -A RULE_10 -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # # firewall-ipv6-2:Policy:11: error: Rule '11 (global)' shadows rule '12 (global)' below it $IP6TABLES -N RULE_11 $IP6TABLES -A INPUT -s 2001:5c0:0:2::24 -m state --state NEW -j RULE_11 $IP6TABLES -A INPUT -s 3ffe:1200:2000::/36 -m state --state NEW -j RULE_11 $IP6TABLES -A INPUT -s 3ffe:1200:2001:1:8000::1 -m state --state NEW -j RULE_11 $IP6TABLES -A FORWARD -s 2001:5c0:0:2::24 -m state --state NEW -j RULE_11 $IP6TABLES -A FORWARD -s 3ffe:1200:2000::/36 -m state --state NEW -j RULE_11 $IP6TABLES -A FORWARD -s 3ffe:1200:2001:1:8000::1 -m state --state NEW -j RULE_11 $IP6TABLES -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- ACCEPT " $IP6TABLES -A RULE_11 -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IP6TABLES -N RULE_12 $IP6TABLES -A INPUT -s 2001:5c0:0:2::24 -m state --state NEW -j RULE_12 $IP6TABLES -A INPUT -s 3ffe:1200:2001:1:8000::1 -m state --state NEW -j RULE_12 $IP6TABLES -A FORWARD -s 2001:5c0:0:2::24 -m state --state NEW -j RULE_12 $IP6TABLES -A FORWARD -s 3ffe:1200:2001:1:8000::1 -m state --state NEW -j RULE_12 $IP6TABLES -A RULE_12 -j LOG --log-level info --log-prefix "RULE 12 -- ACCEPT " $IP6TABLES -A RULE_12 -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # firewall-ipv6-2:Policy:16: error: 
Rule '16 (global)' shadows rule '18 (global)' below it # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '19 (global)' below it # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '29 (global)' below it # firewall-ipv6-2:Policy:16: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT $IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # # firewall-ipv6-2:Policy:18: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # # firewall-ipv6-2:Policy:19: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT # # Rule 22 (global) # echo "Rule 22 (global)" # # for bug 2047082 # firewall-ipv6-2:Policy:22: error: Rule '22 (global)' shadows rule '30 (global)' below it $IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT # # Rule 23 (global) # echo "Rule 23 (global)" # $IP6TABLES -A OUTPUT -d 6bone.net -m state --state NEW -j ACCEPT $IP6TABLES -A OUTPUT -d ny6ix.net -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -d 6bone.net -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT # # Rule 25 (global) # echo "Rule 25 (global)" # # INPUT, OUTPUT, FORWARD $IP6TABLES -A INPUT -s fe80::/64 -m state --state NEW -j ACCEPT $IP6TABLES -A OUTPUT -s fe80::/64 -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -s fe80::/64 -m state --state NEW -j ACCEPT # # Rule 26 (global) # echo "Rule 26 (global)" 
#
# INPUT, OUTPUT, FORWARD
$IP6TABLES -A OUTPUT -d fe80::/64 -m state --state NEW -j ACCEPT
$IP6TABLES -A INPUT -d fe80::/64 -m state --state NEW -j ACCEPT
$IP6TABLES -A FORWARD -d fe80::/64 -m state --state NEW -j ACCEPT
#
# Rule 27 (global)
#
echo "Rule 27 (global)"
#
# firewall-ipv6-2:Policy:27: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A OUTPUT -p ipv6-icmp -d fe80::21d:9ff:fe8b:8e94 -j ACCEPT
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
#
# Rule 28 (global)
#
echo "Rule 28 (global)"
#
# firewall-ipv6-2:Policy:28: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
#
# Rule 29 (global)
#
echo "Rule 29 (global)"
#
# firewall-ipv6-2:Policy:29: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
$IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT
#
# Rule 30 (global)
#
echo "Rule 30 (global)"
#
$IP6TABLES -A OUTPUT -s fe80::21d:9ff:fe8b:8e94 -m state --state NEW -j ACCEPT
#
# Rule 31 (global)
#
echo "Rule 31 (global)"
#
# test for bug 2463048
# "custom services should have IPv4/v6 setting"
# rule should compile for ipv6 b/c custom service
# object "ipv6 source route" is configured as "ipv6"
# Security note: --rt-type 0 is the Type 0 Routing Header (RH0), deprecated by
# RFC 5095 because it allows traffic amplification / filter evasion. Dropping it
# in all three chains is the right default.
$IP6TABLES -N RULE_31
$IP6TABLES -A OUTPUT -m rt --rt-type 0 -j RULE_31
$IP6TABLES -A INPUT -m rt --rt-type 0 -j RULE_31
$IP6TABLES -A FORWARD -m rt --rt-type 0 -j RULE_31
$IP6TABLES -A RULE_31 -j LOG --log-level info --log-prefix "RULE 31 -- DENY "
$IP6TABLES -A RULE_31 -j DROP
#
# Rule 34 (global)
#
echo "Rule 34 (global)"
#
# Catch-all deny. Every packet that falls through to here is logged with no
# rate limiting (there is no -m limit / -m hashlimit in front of the LOG
# target), so a scan or flood can fill the kernel log. Consider a limit match
# in the fwbuilder rule options if this becomes a problem.
$IP6TABLES -N RULE_34
$IP6TABLES -A OUTPUT -j RULE_34
$IP6TABLES -A INPUT -j RULE_34
$IP6TABLES -A FORWARD -j RULE_34
$IP6TABLES -A RULE_34 -j LOG --log-level info --log-prefix "RULE 34 -- DENY "
$IP6TABLES -A RULE_34 -j DROP
}

# Turn this host into a router for both address families.  The leading ':' is
# a no-op placeholder so the function stays syntactically valid when the
# generator emits no sysctl lines.  In the 'start' path below this runs only
# after script_body has loaded the ruleset, so forwarding is never enabled on
# an unfiltered box.
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
}

# Tear down the current IPv4 and IPv6 rulesets (see reset_iptables_v4/v6,
# defined earlier in this file).
reset_all() {
    :
    reset_iptables_v4
    reset_iptables_v6
}

# 'block' mode: clear everything, then re-open only a management path.
# Security notes:
#  - The only exception is IPv4 SSH from the single host 1.1.1.2; after
#    reset_all the ip6tables policies remain as reset_iptables_v6 left them, so
#    there is no IPv6 management access in block mode.
#  - NEW,ESTABLISHED on INPUT and ESTABLISHED,RELATED on OUTPUT are both
#    needed because the automatic ESTABLISHED/RELATED rules from script_body
#    were just flushed.
block_action() {
    reset_all
    # backup ssh access
    $IPTABLES -A INPUT -p tcp -m tcp -s 1.1.1.2/255.255.255.255 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -m tcp -d 1.1.1.2/255.255.255.255 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# 'stop' mode: flush all rules and set every built-in chain to ACCEPT on both
# families.  After this the host (and anything it forwards for) is completely
# unfiltered -- this is "firewall off", not "fail closed".  'reload' below
# passes through this state between its stop and start.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT
}

# Probe one netfilter table-list file from /proc.
#   $1 - /proc/net/ip_tables_names or /proc/net/ip6_tables_names
# Returns 151 if the file does not exist (x_tables module for that family not
# loaded), 152 if it is empty (no tables registered), 0 otherwise.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# 'status' mode.  Reports "configured" (return 0) if EITHER address family
# has tables registered; otherwise prints a diagnostic and exits 3 (the
# LSB-style "not running" status).  Note this only proves tables exist, not
# that this script's rules are the ones loaded.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'

cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        # Order matters: tool/interface checks happen BEFORE reset_all so a
        # missing binary or interface aborts without touching the live
        # ruleset; ip_forward is enabled only after script_body has loaded
        # the rules.  RETVAL reflects epilog_commands only, not script_body.
        log "Activating firewall script generated Sun Mar 18 21:17:21 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " ipv6"
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # NOTE(review): 'stop' sets all policies to ACCEPT, so there is a
        # window between the two child invocations during which the host is
        # unfiltered.  'start' already calls reset_all itself.
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # Dry run: FWBDEBUG="echo" makes every ip(8) command print instead
        # of execute.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        ;;
esac

exit $RETVAL
fwbuilder-5.3.7/test/ipt/firewall-ipv6-3.fw.orig000077500000000000000000000447531303637203600214310ustar00rootroot00000000000000
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
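#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:17:22 2012 PDT by vadim
#
# files: * firewall-ipv6-3.fw /etc/firewall-ipv6-3.fw
#
# Compiled for iptables (any version)
#
# Simple policy that makes sense in ipv4 but translates into a few wide-matching rules in ipv6. Policy is configured as dual address family
# firewall-ipv6-3:fw-ipv6-3:2: error: Rule 'fw-ipv6-3 2 (global)' shadows rule 'fw-ipv6-3 3 (global)' below it
# firewall-ipv6-3:fw-ipv6-3:4: error: Rule 'fw-ipv6-3 4 (global)' shadows rule 'fw-ipv6-3 6 (global)' below it
# firewall-ipv6-3:fw-ipv6-3:2: error: Rule 'fw-ipv6-3 2 (global)' shadows rule 'fw-ipv6-3 3 (global)' below it
#
# Review notes on this generated script (the fixes below belong in the
# fwbuilder configlets that emit it, this copy only shows the corrected form):
#  - getnet_internal ignored its address-family argument and matched the
#    interface name as a substring (eth1 also matched eth10).
#  - check_tools did not verify $IP6TABLES although the dual-stack policy
#    calls it; on a host without ip6tables the IPv6 half silently failed to
#    load while the IPv4 half reported success.
#  - load_modules tested "module loaded" with an unanchored grep over lsmod.
#  - diff_intf compared address tokens with a regex substring match.
#  - an unknown action exited 0.

# Set to "echo" by the test_interfaces action: every ip(8) command is then
# printed instead of executed.
FWBDEBUG=""

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

# Absolute paths for every external tool; check_tools verifies the ones the
# start path needs before anything destructive happens.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print $1 and, if logger(1) is available, also send it to syslog at info.
log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# Map an interface name to a shell-variable-safe name ("eth0.100" -> "eth0_100").
# Only the first '.' is replaced.
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# Collect the addresses of interface $1 into the variable "${2}_list".
#   $1 - interface name
#   $2 - base variable name
#   $3 - "-4" or "-6" (passed straight to ip)
# On no address, "$2" (not "${2}_list") is set to the empty string.
# NOTE(review): that asymmetry looks unintended -- callers that test
# "${2}_list" will see it unset rather than empty; confirm against the
# generated rule code before relying on either name.
# eval operates on ip(8) output only (a local, kernel-provided source); do not
# feed it anything externally controlled.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Collect the directly connected (proto kernel) prefixes on interface $1 into
# "${2}_list", one per line.  Same argument and variable conventions as
# getaddr_internal.
# Fix: honour $af so getnet6 returns IPv6 prefixes, and match the route's
# "dev" field exactly -- a bare 'grep $dev' also matched eth10 and eth1.5
# when asked for eth1.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af route list proto kernel | \
        awk -v dev="$dev" '$1 != "default" {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) { print $1; break }
        }')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
# Prints the name of every interface whose "N: name" line in 'ip link show'
# starts with $1 (e.g. "eth" lists eth0, eth1, ...).
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# For every whitespace-separated token of $2 that is NOT present in $3, call
# "$1 <token> $4".  Used to compute the add/del sets of interface addresses.
# Fix: compare tokens exactly.  The previous 'echo $list2 | grep -q $intf'
# treated the token as a regex substring, so "1.1.1.1/24@eth0" was considered
# present when only "11.1.1.1/24@eth0" was, and '.' matched any character.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        present=""
        for known in $list2
        do
            test "$known" = "$intf" && {
                present="yes"
                break
            }
        done
        test -n "$present" || {
            # $intf is absent in list 2
            $func $intf $cmd
        }
    done
}

# Abort the script with exit 1 if program $1 cannot be found on PATH.
find_program() {
    PGM=$1
    which $PGM >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# Verify every binary the start path depends on.  Runs before reset_all, so a
# missing tool leaves the currently loaded ruleset untouched.
# Fix: $IP6TABLES is used by reset_iptables_v6 and script_body; without this
# check a host lacking ip6tables loaded the IPv4 rules, printed errors for the
# IPv6 ones and still exited as if the dual-stack policy were active.
check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $IP6TABLES
    find_program $MODPROBE
    find_program $IP
}

# Flush and delete every IPv4 chain in every loaded table.  The built-in
# policies are set to DROP first so the host is never open while the rules
# are being cleared (fail-closed).  Chains are discovered by parsing
# 'iptables -L -n' ("Chain <name> ...").
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

# IPv6 counterpart of reset_iptables_v4; same fail-closed ordering.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP

    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t $table -F $chain
            fi
        done
        $IP6TABLES -t $table -X
    done
}

# Set once so the point-to-point warning below is printed only one time.
P2P_INTERFACE_WARNING=""

# Add or remove one address on one interface.
#   $1 - "<addr/prefix>@<interface>"
#   $2 - "add" or "del"
# Point-to-point interfaces are skipped with a warning.  IPv6 addresses
# (containing ':') are added without a broadcast address.  A failed 'del'
# aborts the script; a failed 'add' does not.  Every ip(8) call goes through
# $FWBDEBUG so test_interfaces can dry-run it.
missing_address() {
    address=$1
    cmd=$2

    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS

    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }

    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        echo $addr | grep -q ':' && {
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        } || {
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        }
    }

    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }

    $FWBDEBUG $IP link set $interface up
}

# Print, sorted, every "<addr/prefix>@<interface>" currently on interface $1
# whose 'ip addr' line matches the regex $2 (e.g. 'scope global'), skipping
# addresses listed in $3.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN {
           split(IGNORED,ignored_arr);
           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
         }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read addr; do
            echo "${addr}@$interface"
        done | sort
}

# Make the addresses on an interface match the fwbuilder configuration.
#   $1 - "<interface> <addr/prefix> [<addr/prefix> ...]"
#   $2 - addresses to leave alone
# Adds configured addresses that are missing (compared against all scopes)
# and deletes global-scope addresses that are not configured.  Link-local
# addresses are therefore never removed.  A missing interface aborts the
# script unless running under FWBDEBUG.
update_addresses_of_interface() {
    ignore_list=$2
    set $1
    interface=$1
    shift

    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )

    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""

    $IP link show dev $interface >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    }

    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush all global-scope addresses from, and bring down, every interface NOT
# named in "$*".  Destructive: it will cut off management access if the
# management interface is not in the list.  Not called by this particular
# script's configure_interfaces.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN {
           split(IGNORED,ignored_arr);
           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
         }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
        while read intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev $intf scope global
            $FWBDEBUG $IP link set $intf down
        done
}

# Abort if the file $2 backing address-table object $1 is not readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# No run-time address tables in this policy.
check_run_time_address_table_files() {
    :
}

# Load the netfilter modules for the features named in $1 ("nat", "ipv6").
# Candidate module names are derived from the .ko files under the running
# kernel's net/ directory; the conntrack glob deliberately excludes *ipv6*
# and adds nf_conntrack_ipv6 separately when requested.  A failed modprobe
# aborts the script.
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    echo $OPTS | grep -q nat && {
        MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    echo $OPTS | grep -q ipv6 && {
        MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    for module in $MODULES; do
        # lsmod prints one module per line, name first.  Anchor the match so
        # that e.g. "nf_nat" is not reported loaded merely because the line
        # for "nf_nat_ftp" (or a "Used by" column) contains the string.
        if $LSMOD | grep -q "^${module} "; then continue; fi
        $MODPROBE ${module} || exit 1
    done
}

# Abort (exit 1) unless every interface the policy references exists.
verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 eth1"
    for i in eth0 eth1 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# User-supplied hook run before the ruleset is touched.
prolog_commands() {
    echo "Running prolog script"
}

# User-supplied hook run after the ruleset is loaded.
epilog_commands() {
    echo "Running epilog script"
}

run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Apply the interface addresses from the fwbuilder object tree.
configure_interfaces() {
    :
    # Configure interfaces
    # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689
    # this ensures that secondary ip address is "promoted" to primary
    # when primary address is deleted, instead of deleting both
    # primary and secondary addresses. It looks like this is only
    # available starting from Linux 2.6.16
    test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \
        echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries
    update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" ""
    update_addresses_of_interface "eth1 22.22.22.22/24" ""
}

# The compiled policy.  Rule order is significant and is reproduced exactly
# as fwbuilder generated it (including the shadowing it reported above).
# Things a reviewer should know before deploying this as-is:
#  - Rules with a hostname (-d 6bone.net, -d ny6ix.net) are resolved by
#    iptables/ip6tables when the rule is inserted; the result depends on DNS
#    at load time and is never refreshed.  If a name has no A (resp. AAAA)
#    record the insert fails and, since this script does not stop on errors,
#    the rule is simply absent.
#  - The IPv4 side logs with the ULOG target.  ULOG was removed from the
#    kernel in 3.17 in favour of NFLOG; on such kernels the LOG rule fails
#    but the following DROP/ACCEPT still loads, so filtering is intact and
#    only the logging is lost.
#  - Rule 0 accepts every NEW inbound connection on both families, so the
#    final DENY (rule 11) effectively only sees OUTPUT/FORWARD leftovers.
#    Rule 11 logs everything it drops with no rate limit.
script_body() {
    # ================ IPv4

    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # drop packets that do not match any valid state and log them
    $IPTABLES -N drop_invalid
    $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid
    $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid
    $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid
    $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY "
    $IPTABLES -A drop_invalid -j DROP

    # ================ Table 'nat', rule set NAT
    #
    # Rule 0 (NAT)
    #
    echo "Rule 0 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth1 -s 1.1.1.0/24 -j SNAT --to-source 22.22.22.22

    # ================ Table 'filter', rule set fw-ipv6-3
    #
    # Rule fw-ipv6-3 0 (global)
    #
    echo "Rule fw-ipv6-3 0 (global)"
    #
    $IPTABLES -N In_fw-ipv6-3_0
    $IPTABLES -A INPUT -m state --state NEW -j In_fw-ipv6-3_0
    $IPTABLES -A In_fw-ipv6-3_0 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 0 -- ACCEPT " --ulog-qthreshold 1
    $IPTABLES -A In_fw-ipv6-3_0 -j ACCEPT
    #
    # Rule fw-ipv6-3 1 (global)
    #
    echo "Rule fw-ipv6-3 1 (global)"
    #
    $IPTABLES -A INPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT
    #
    # Rule fw-ipv6-3 2 (global)
    #
    echo "Rule fw-ipv6-3 2 (global)"
    #
    # firewall-ipv6-3:fw-ipv6-3:2: error: Rule 'fw-ipv6-3 2 (global)' shadows rule 'fw-ipv6-3 3 (global)' below it
    $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
    #
    # Rule fw-ipv6-3 3 (global)
    #
    echo "Rule fw-ipv6-3 3 (global)"
    #
    $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
    #
    # Rule fw-ipv6-3 4 (global)
    #
    echo "Rule fw-ipv6-3 4 (global)"
    #
    # INPUT, OUTPUT, FORWARD
    # firewall-ipv6-3:fw-ipv6-3:4: error: Rule 'fw-ipv6-3 4 (global)' shadows rule 'fw-ipv6-3 6 (global)' below it
    $IPTABLES -A INPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT
    #
    # Rule fw-ipv6-3 5 (global)
    #
    echo "Rule fw-ipv6-3 5 (global)"
    #
    # INPUT, OUTPUT, FORWARD
    $IPTABLES -A OUTPUT -d 1.1.1.0/24 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -d 1.1.1.0/24 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -d 1.1.1.0/24 -m state --state NEW -j ACCEPT
    #
    # Rule fw-ipv6-3 6 (global)
    #
    echo "Rule fw-ipv6-3 6 (global)"
    #
    # for bug 2047082
    $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
    #
    # Rule fw-ipv6-3 7 (global)
    #
    echo "Rule fw-ipv6-3 7 (global)"
    #
    $IPTABLES -A OUTPUT -d 6bone.net -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -d ny6ix.net -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -d 6bone.net -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT
    #
    # Rule fw-ipv6-3 8 (global)
    #
    echo "Rule fw-ipv6-3 8 (global)"
    #
    $IPTABLES -N fw-ipv6-3_8
    $IPTABLES -A OUTPUT -d 72.55.148.116 -j fw-ipv6-3_8
    $IPTABLES -A OUTPUT -d 207.251.84.150 -j fw-ipv6-3_8
    $IPTABLES -A FORWARD -d 72.55.148.116 -j fw-ipv6-3_8
    $IPTABLES -A FORWARD -d 207.251.84.150 -j fw-ipv6-3_8
    $IPTABLES -A fw-ipv6-3_8 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 8 -- DENY " --ulog-qthreshold 1
    $IPTABLES -A fw-ipv6-3_8 -j DROP
    #
    # Rule fw-ipv6-3 9 (global)
    #
    echo "Rule fw-ipv6-3 9 (global)"
    #
    # ipv4 address range for bug 2820152
    $IPTABLES -N fw-ipv6-3_9
    $IPTABLES -A OUTPUT -d 192.168.1.1 -j fw-ipv6-3_9
    $IPTABLES -A OUTPUT -d 192.168.1.2/31 -j fw-ipv6-3_9
    $IPTABLES -A OUTPUT -d 192.168.1.4/30 -j fw-ipv6-3_9
    $IPTABLES -A OUTPUT -d 192.168.1.8/29 -j fw-ipv6-3_9
    $IPTABLES -A OUTPUT -d 192.168.1.16/28 -j fw-ipv6-3_9
    $IPTABLES -A OUTPUT -d 192.168.1.32/27 -j fw-ipv6-3_9
    $IPTABLES -A OUTPUT -d 192.168.1.64/27 -j fw-ipv6-3_9
    $IPTABLES -A OUTPUT -d 192.168.1.96/30 -j fw-ipv6-3_9
    $IPTABLES -A OUTPUT -d 192.168.1.100 -j fw-ipv6-3_9
    $IPTABLES -A FORWARD -d 192.168.1.1 -j fw-ipv6-3_9
    $IPTABLES -A FORWARD -d 192.168.1.2/31 -j fw-ipv6-3_9
    $IPTABLES -A FORWARD -d 192.168.1.4/30 -j fw-ipv6-3_9
    $IPTABLES -A FORWARD -d 192.168.1.8/29 -j fw-ipv6-3_9
    $IPTABLES -A FORWARD -d 192.168.1.16/28 -j fw-ipv6-3_9
    $IPTABLES -A FORWARD -d 192.168.1.32/27 -j fw-ipv6-3_9
    $IPTABLES -A FORWARD -d 192.168.1.64/27 -j fw-ipv6-3_9
    $IPTABLES -A FORWARD -d 192.168.1.96/30 -j fw-ipv6-3_9
    $IPTABLES -A FORWARD -d 192.168.1.100 -j fw-ipv6-3_9
    $IPTABLES -A fw-ipv6-3_9 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 9 -- DENY " --ulog-qthreshold 1
    $IPTABLES -A fw-ipv6-3_9 -j DROP
    #
    # Rule fw-ipv6-3 10 (global)
    #
    echo "Rule fw-ipv6-3 10 (global)"
    #
    # ipv4 address range for bug 2820152
    $IPTABLES -N fw-ipv6-3_10
    $IPTABLES -A OUTPUT -d 255.255.255.255 -j fw-ipv6-3_10
    $IPTABLES -A INPUT -d 255.255.255.255 -j fw-ipv6-3_10
    $IPTABLES -A fw-ipv6-3_10 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 -- DENY " --ulog-qthreshold 1
    $IPTABLES -A fw-ipv6-3_10 -j DROP
    #
    # Rule fw-ipv6-3 11 (global)
    #
    echo "Rule fw-ipv6-3 11 (global)"
    #
    $IPTABLES -N fw-ipv6-3_11
    $IPTABLES -A OUTPUT -j fw-ipv6-3_11
    $IPTABLES -A INPUT -j fw-ipv6-3_11
    $IPTABLES -A FORWARD -j fw-ipv6-3_11
    $IPTABLES -A fw-ipv6-3_11 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 11 -- DENY " --ulog-qthreshold 1
    $IPTABLES -A fw-ipv6-3_11 -j DROP

    # ================ IPv6

    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # drop packets that do not match any valid state and log them
    $IP6TABLES -N drop_invalid
    $IP6TABLES -A OUTPUT -m state --state INVALID -j drop_invalid
    $IP6TABLES -A INPUT -m state --state INVALID -j drop_invalid
    $IP6TABLES -A FORWARD -m state --state INVALID -j drop_invalid
    $IP6TABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY "
    $IP6TABLES -A drop_invalid -j DROP

    # ================ Table 'filter', rule set fw-ipv6-3
    #
    # Rule fw-ipv6-3 0 (global)
    #
    echo "Rule fw-ipv6-3 0 (global)"
    #
    $IP6TABLES -N In_fw-ipv6-3_0
    $IP6TABLES -A INPUT -m state --state NEW -j In_fw-ipv6-3_0
    $IP6TABLES -A In_fw-ipv6-3_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
    $IP6TABLES -A In_fw-ipv6-3_0 -j ACCEPT
    #
    # Rule fw-ipv6-3 6 (global)
    #
    echo "Rule fw-ipv6-3 6 (global)"
    #
    # for bug 2047082
    $IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT
    #
    # Rule fw-ipv6-3 7 (global)
    #
    echo "Rule fw-ipv6-3 7 (global)"
    #
    $IP6TABLES -A OUTPUT -d 6bone.net -m state --state NEW -j ACCEPT
    $IP6TABLES -A OUTPUT -d ny6ix.net -m state --state NEW -j ACCEPT
    $IP6TABLES -A FORWARD -d 6bone.net -m state --state NEW -j ACCEPT
    $IP6TABLES -A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT
    #
    # Rule fw-ipv6-3 11 (global)
    #
    echo "Rule fw-ipv6-3 11 (global)"
    #
    $IP6TABLES -N fw-ipv6-3_11
    $IP6TABLES -A OUTPUT -j fw-ipv6-3_11
    $IP6TABLES -A INPUT -j fw-ipv6-3_11
    $IP6TABLES -A FORWARD -j fw-ipv6-3_11
    $IP6TABLES -A fw-ipv6-3_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY "
    $IP6TABLES -A fw-ipv6-3_11 -j DROP
}

# Enable routing for both address families.  Runs after script_body in the
# start path, so forwarding is never switched on while the box is unfiltered.
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
}

# Tear down both rulesets (policies end up DROP, see reset_iptables_v4/v6).
reset_all() {
    :
    reset_iptables_v4
    reset_iptables_v6
}

# 'block' mode for this policy is reset_all alone: all chains DROP with no
# exception.  Unlike policies that emit a "backup ssh access" rule here, this
# one leaves NO remote management path -- only use it with console access.
block_action() {
    reset_all
}

# 'stop' mode: flush everything and set all built-in chains to ACCEPT.  The
# host and anything it forwards for are then completely unfiltered.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT
}

# Probe a netfilter table-list file.
#   $1 - /proc/net/ip_tables_names or /proc/net/ip6_tables_names
# Returns 151 if it does not exist (x_tables not loaded for that family),
# 152 if it is empty (no tables registered), 0 otherwise.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# 'status' mode: return 0 if either family has tables registered; otherwise
# print why and exit 3 (LSB-style "not running").  This only shows that
# tables exist, not that the rules loaded are this script's.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'

cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        # Checks run before reset_all so a missing tool or interface aborts
        # without disturbing the live ruleset.  RETVAL only reflects
        # epilog_commands; individual iptables failures inside script_body
        # are printed but not propagated.
        log "Activating firewall script generated Sun Mar 18 21:17:22 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules "nat ipv6"
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # NOTE(review): between these two invocations stop_action has left
        # every policy at ACCEPT, so the host is briefly unfiltered.  'start'
        # already calls reset_all, which never opens the policies.
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # Dry run: print the ip(8) commands instead of executing them.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        # Fix: an unknown action previously fell through to 'exit $RETVAL'
        # with RETVAL unset, i.e. exited 0 as if it had succeeded.
        RETVAL=1
        ;;
esac

exit $RETVAL
fwbuilder-5.3.7/test/ipt/firewall-ipv6-4-1.fw.orig000077500000000000000000000370571303637203600215650ustar00rootroot00000000000000
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !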
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:24 2012 PDT by vadim # # files: * firewall-ipv6-4-1.fw /etc/firewall-ipv6-4-1.fw # # Compiled for iptables 1.4.0 # # Policy is configured as dual address family. Using iptables-restore. Firewall is NOT part of any # firewall-ipv6-4-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # firewall-ipv6-4-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it # firewall-ipv6-4-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP6TABLES_RESTORE find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
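    done
}

#######################################
# Abort unless the file backing a run-time address table is readable.
# Arguments: $1 - address table object name (used in the message only)
#            $2 - path of the file the table reads at run time
# Returns:   0 if readable; exits 1 otherwise
#######################################
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# This policy references no run-time address tables, so there is nothing
# to check; the hook is kept so the start sequence stays uniform.
check_run_time_address_table_files() {
    :
}

#######################################
# Print the kernel module names whose files match the find(1) tests given
# as arguments, searching below $MODULES_DIR. The directory part and the
# extension (".ko", ".ko.xz", ...) are stripped.
# Globals:   MODULES_DIR (read)
# Arguments: a find(1) expression, e.g. -name '*nat*'
# Outputs:   one module name per line on stdout
#######################################
_fwb_module_names() {
    find "$MODULES_DIR" "$@" | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/'
}

#######################################
# Load the netfilter modules this policy depends on.
# Connection tracking modules are always loaded; NAT modules when $1
# mentions "nat" and the IPv6 conntrack module when it mentions "ipv6".
# Globals:   LSMOD, MODPROBE (read); OPTS, MODULES_DIR, MODULES (written)
# Arguments: $1 - space separated feature list, e.g. "nat ipv6"
# Returns:   0; exits 1 as soon as modprobe fails for a module
#######################################
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(_fwb_module_names -name '*conntrack*' \! -name '*ipv6*')
    case "$OPTS" in
        *nat*) MODULES="$MODULES $(_fwb_module_names -name '*nat*')" ;;
    esac
    case "$OPTS" in
        *ipv6*) MODULES="$MODULES $(_fwb_module_names -name nf_conntrack_ipv6)" ;;
    esac
    for module in $MODULES; do
        # Anchor on the module-name column: an unanchored "grep nf_nat"
        # was satisfied by e.g. nf_nat_ftp, so a module could be skipped
        # because a longer name happened to contain it.
        if $LSMOD | grep -q "^${module}[[:space:]]"; then continue; fi
        $MODPROBE "${module}" || exit 1
    done
}

#######################################
# Make sure every interface the policy refers to exists.
# Globals:   IP (read)
# Returns:   0; logs and exits 1 on the first missing interface
#######################################
verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 eth1"
    for i in eth0 eth1 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# User-defined commands run before the rules are loaded (none configured).
prolog_commands() {
    echo "Running prolog script"
}

# User-defined commands run after the rules are loaded (none configured).
epilog_commands() {
    echo "Running epilog script"
}

#######################################
# Run the epilog and terminate the script.
# Arguments: $1 - exit status to terminate with
#######################################
run_epilog_and_exit() {
    epilog_commands
    exit "$1"
}

#######################################
# Bring interface addresses in line with the fwbuilder configuration and
# collect the run-time addresses/networks of eth1 into shell variables.
# Globals:   writes i_eth1*, i_eth1_v6*, i_eth1_network*, i_eth1_v6_network*
#            through getaddr/getaddr6/getnet/getnet6
#######################################
configure_interfaces() {
    :
    # Configure interfaces
    # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689
    # this ensures that secondary ip address is "promoted" to primary
    # when primary address is deleted, instead of deleting both
    # primary and secondary addresses. It looks like this is only
    # available starting from Linux 2.6.16
    test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \
        echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries
    update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" ""
    getaddr eth1 i_eth1
    getaddr6 eth1 i_eth1_v6
    getnet eth1 i_eth1_network
    getnet6 eth1 i_eth1_v6_network
}

#######################################
# Load the IPv4 and IPv6 rule sets through iptables-restore.
# Each rule set is a quoted here-document, so no line is subject to
# globbing or expansion: the former `echo :INPUT DROP [0:0]` was an
# unquoted pattern and would have been rewritten by a file named "0" or
# ":" in the working directory, breaking the restore. Lines starting
# with "#" are ignored by iptables-restore.
# Globals:   IPTABLES_RESTORE, IP6TABLES_RESTORE (read);
#            IPTABLES_RESTORE_RES (written)
# Returns:   0; on a restore failure runs the epilog and exits with the
#            restore's status
#######################################
script_body() {
    # ================ IPv4
    $IPTABLES_RESTORE <<'EOF'
*filter
# ================ Table 'filter', automatic rules
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# accept established sessions
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 
# drop packets that do not match any valid state and log them
:drop_invalid - [0:0]
-A OUTPUT -m state --state INVALID -j drop_invalid 
-A INPUT -m state --state INVALID -j drop_invalid 
-A FORWARD -m state --state INVALID -j drop_invalid 
-A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY "
-A drop_invalid -j DROP 
# ================ Table 'filter', rule set Policy
#
# Rule 0 (global)
:In_RULE_0 - [0:0]
-A INPUT -m state --state NEW -j In_RULE_0 
-A In_RULE_0 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 0 -- ACCEPT " --ulog-qthreshold 1 
-A In_RULE_0 -j ACCEPT 
#
# Rule 1 (global)
-A OUTPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT 
#
# Rule 2 (global)
# firewall-ipv6-4-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it
-A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT 
#
# Rule 3 (global)
-A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT 
#
# Rule 4 (global)
# INPUT, OUTPUT, FORWARD
# firewall-ipv6-4-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it
-A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT 
#
# Rule 5 (global)
# INPUT, OUTPUT, FORWARD
-A FORWARD -d 1.1.1.0/24 -m state --state NEW -j ACCEPT 
#
# Rule 6 (global)
# for bug 2047082
#
-A OUTPUT -m state --state NEW -j ACCEPT 
#
# Rule 7 (global)
-A FORWARD -d 6bone.net -m state --state NEW -j ACCEPT 
-A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT 
#
# Rule 8 (global)
:RULE_8 - [0:0]
-A FORWARD -d 72.55.148.116 -j RULE_8 
-A FORWARD -d 207.251.84.150 -j RULE_8 
-A RULE_8 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 8 -- DENY " --ulog-qthreshold 1 
-A RULE_8 -j DROP 
#
# Rule 9 (global)
# ipv4 address range for bug 2820152
-A FORWARD -m iprange --dst-range 192.168.1.1-192.168.1.100 -m state --state NEW -j ACCEPT 
#
# Rule 10 (global)
# ipv4 address range for bug 2820152
-A INPUT -d 255.255.255.255 -m state --state NEW -j ACCEPT 
#
# Rule 11 (global)
:RULE_11 - [0:0]
-A FORWARD -j RULE_11 
-A RULE_11 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 11 -- DENY " --ulog-qthreshold 1 
-A RULE_11 -j DROP 
#
COMMIT
*nat
# ================ Table 'nat', rule set NAT
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
# Rule 0 (NAT)
-A POSTROUTING -o eth1 -s 1.1.1.0/24 -j MASQUERADE 
#
COMMIT
EOF
    IPTABLES_RESTORE_RES=$?
    test "$IPTABLES_RESTORE_RES" != 0 && run_epilog_and_exit "$IPTABLES_RESTORE_RES"

    # ================ IPv6
    $IP6TABLES_RESTORE <<'EOF'
*filter
# ================ Table 'filter', automatic rules
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# accept established sessions
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 
# drop packets that do not match any valid state and log them
:drop_invalid - [0:0]
-A OUTPUT -m state --state INVALID -j drop_invalid 
-A INPUT -m state --state INVALID -j drop_invalid 
-A FORWARD -m state --state INVALID -j drop_invalid 
-A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY "
-A drop_invalid -j DROP 
# ================ Table 'filter', rule set Policy
#
# Rule 0 (global)
:In_RULE_0 - [0:0]
-A INPUT -m state --state NEW -j In_RULE_0 
-A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
-A In_RULE_0 -j ACCEPT 
#
# Rule 6 (global)
# for bug 2047082
#
-A OUTPUT -m state --state NEW -j ACCEPT 
#
# Rule 7 (global)
-A FORWARD -d 6bone.net -m state --state NEW -j ACCEPT 
-A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT 
#
# Rule 11 (global)
:RULE_11 - [0:0]
-A FORWARD -j RULE_11 
-A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY "
-A RULE_11 -j DROP 
#
COMMIT
*nat
# ================ Table 'nat', rule set NAT
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
# Rule 0 (NAT)
-A POSTROUTING -o eth1 -s fe80::/64 -j MASQUERADE 
#
COMMIT
EOF
    IPTABLES_RESTORE_RES=$?
    test "$IPTABLES_RESTORE_RES" != 0 && run_epilog_and_exit "$IPTABLES_RESTORE_RES"
}

# Enable packet forwarding for both address families.
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
}

# Set DROP policies and flush every table for both address families.
reset_all() {
    :
    reset_iptables_v4
    reset_iptables_v6
}

# "block": leave the firewall with empty tables and DROP policies.
block_action() {
    reset_all
}

# "stop": flush everything, then open the built-in chains (ACCEPT policies).
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT
}

#######################################
# Check whether a netfilter table list from /proc is present and non-empty.
# Arguments: $1 - path such as /proc/net/ip_tables_names
# Returns:   0 if tables are listed, 151 if the file does not exist
#            (module not loaded), 152 if it exists but is empty
#######################################
check_iptables() {
    IP_TABLES="$1"
    [ -e "$IP_TABLES" ] || return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -n "$NF_TABLES" ] || return 152
    return 0
}

#######################################
# "status": succeed if either address family has tables configured;
# otherwise explain why and exit 3 (LSB "not running").
# Globals:   ret_ipv4, ret_ipv6 (written)
# Returns:   0 when configured; exits 3 otherwise
#######################################
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:17:24 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules "nat ipv6"
        configure_interfaces
        verify_interfaces
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        # RETVAL used to be left unset here, so an unknown action exited 0
        # (a bare "exit" after a successful echo). 2 is the LSB init-script
        # status for an invalid argument.
        RETVAL=2
        ;;
esac

exit "$RETVAL"
fwbuilder-5.3.7/test/ipt/firewall-ipv6-4.fw.orig000077500000000000000000000442041303637203600214230ustar00rootroot00000000000000
#!/bin/sh
#
#  This is automatically generated file. DO NOT MODIFY !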
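#
#  Firewall Builder  fwb_ipt v5.0.2.3596
#
#  Generated Sun Mar 18 21:17:23 2012 PDT by vadim
#
# files: * firewall-ipv6-4.fw /etc/firewall-ipv6-4.fw
#
# Compiled for iptables (any version)
#
# Simple policy that makes sense in ipv4 but translates into a few wide-matching rules in ipv6. Policy is configured as dual address family. Using iptables-restore.
# firewall-ipv6-4:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it
# firewall-ipv6-4:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it
# firewall-ipv6-4:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it

# When set to "echo" (see the test_interfaces action) every ip(8) command
# that would change the system is printed instead of executed.
FWBDEBUG=""

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

# Absolute paths of the tools this script drives.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

#######################################
# Print a message and, when logger(1) is available, send it to syslog.
# Globals:   LOGGER (read)
# Arguments: $1 - message
#######################################
log() {
    echo "$1"
    command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

#######################################
# Turn an interface name into something usable as a variable name
# (only the first "." is replaced, as before).
# Arguments: $1 - interface name, e.g. eth0.100
# Outputs:   eth0_100
#######################################
getInterfaceVarName() {
    printf '%s\n' "$1" | sed 's/\./_/'
}

#######################################
# Collect the addresses of an interface for one address family.
# Globals:   IP (read); <name> or <name>_list (written, see below)
# Arguments: $1 - interface, $2 - variable name, $3 - "-4" or "-6"
# Note: when no address is found only "$name" is cleared; otherwise
# only "${name}_list" is set (newline separated addresses without
# prefix length). Callers rely on this asymmetry, so it is kept.
#######################################
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev "$dev" | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    # eval on text read from the kernel: single quotes keep the value from
    # being expanded a second time (ip(8) output never contains a quote).
    eval "${name}_list='$L'"
}

#######################################
# Collect the directly connected networks of an interface for one
# address family.
# Globals:   IP (read); <name> or <name>_list (written, as getaddr_internal)
# Arguments: $1 - interface, $2 - variable name, $3 - "-4" or "-6"
#######################################
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    # Two fixes here: the address-family flag was not passed to ip(8), so
    # getnet6 returned IPv4 networks; and "grep $dev" also matched eth10
    # or eth1.5 when asked for eth1. Match the "dev <name>" pair exactly
    # and keep the network (first field) of each non-default route.
    L=$($IP $af route list proto kernel | awk -v DEV="$dev" \
        '$1 != "default" { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == DEV) { print $1; break } }')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list='$L'"
}

getaddr() {
    getaddr_internal "$1" "$2" "-4"
}

getaddr6() {
    getaddr_internal "$1" "$2" "-6"
}

getnet() {
    getnet_internal "$1" "$2" "-4"
}

getnet6() {
    getnet_internal "$1" "$2" "-6"
}

#######################################
# Expand a wildcard interface name into the matching interface names.
# Globals:   IP (read)
# Arguments: $1 - name prefix (used as a grep pattern after ": ")
# Outputs:   one interface name per line
#######################################
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read -r L; do
        OIFS=$IFS
        IFS=" :"
        set -- $L
        IFS=$OIFS
        echo "$2"
    done
}

#######################################
# Call a function for every element of list1 that is not in list2.
# Arguments: $1 - function name, $2 - list1, $3 - list2 (whitespace
#            separated items), $4 - command word passed through ("add"/"del")
#######################################
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        # Exact, fixed-string comparison. The unanchored regex match used
        # before ("grep -q $intf") found 1.1.1.1/24@eth0 inside
        # 11.1.1.1/24@eth0 or 1.1.1.1/24@eth01, so such addresses were
        # never added or removed.
        printf '%s\n' $list2 | grep -qxF -- "$intf" || {
            # $intf is absent in list 2
            $func "$intf" "$cmd"
        }
    done
}

#######################################
# Exit unless a program can be found.
# Arguments: $1 - program name or absolute path
# Returns:   0 if found; exits 1 otherwise
#######################################
find_program() {
    PGM=$1
    # command -v is POSIX and handles absolute paths; which(1) is not.
    command -v "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# Abort early if any tool needed by the start action is missing.
check_tools() {
    find_program "$IPTABLES"
    find_program "$IPTABLES_RESTORE"
    find_program "$IP6TABLES_RESTORE"
    find_program "$MODPROBE"
    find_program "$IP"
}

#######################################
# Close the IPv4 firewall: DROP policies, then flush and delete all chains
# in every loaded table.
# Globals:   IPTABLES (read)
#######################################
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    # No list of tables means ip_tables is not loaded: nothing to flush.
    [ -r /proc/net/ip_tables_names ] || return 0
    while read -r table; do
        # -F without a chain name flushes every chain of the table, which
        # is what the former per-chain loop over "-L -n" output did.
        $IPTABLES -t "$table" -F
        $IPTABLES -t "$table" -X
    done < /proc/net/ip_tables_names
}

#######################################
# Close the IPv6 firewall: DROP policies, then flush and delete all chains
# in every loaded table.
# Globals:   IP6TABLES (read)
#######################################
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    [ -r /proc/net/ip6_tables_names ] || return 0
    while read -r table; do
        $IP6TABLES -t "$table" -F
        $IP6TABLES -t "$table" -X
    done < /proc/net/ip6_tables_names
}

# Set once the point-to-point warning has been printed.
P2P_INTERFACE_WARNING=""

#######################################
# Add or delete one address on an interface and bring the interface up.
# Globals:   IP, FWBDEBUG, P2P_INTERFACE_WARNING (read/written)
# Arguments: $1 - "<address>@<interface>", $2 - "add" or "del"
# Returns:   0; exits 1 if a delete fails
#######################################
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    # "set --": a bare "set" with an empty argument would dump the
    # environment instead of clearing the positional parameters.
    set -- $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev "$interface" | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface.
fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }
    case "$cmd" in
        add)
            echo "# Adding ip address: $interface $addr"
            # if/else instead of "&& { } || { }": a failed IPv6 add used to
            # fall through and retry the address with "broadcast +".
            case "$addr" in
                *:*) $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface" ;;
                *)   $FWBDEBUG $IP addr "$cmd" "$addr" broadcast + dev "$interface" ;;
            esac
            ;;
        del)
            echo "# Removing ip address: $interface $addr"
            $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface" || exit 1
            ;;
    esac
    $FWBDEBUG $IP link set "$interface" up
}

#######################################
# List the addresses of an interface whose "scope" matches a pattern.
# Globals:   IP (read)
# Arguments: $1 - interface, $2 - awk regex matched against the whole
#            line (e.g. 'scope global'), $3 - space separated addresses
#            to ignore
# Outputs:   sorted "<address>@<interface>" lines
#######################################
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev "$interface" | \
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read -r addr; do
            echo "${addr}@$interface"
        done | sort
}

#######################################
# Make the addresses of an interface match the fwbuilder configuration:
# add configured addresses that are missing, delete global-scope
# addresses that are not configured.
# Globals:   IP, FWBDEBUG (read); FWB_ADDRS, CURRENT_ADDRS_* (written)
# Arguments: $1 - "<interface> <addr/len> ...", $2 - addresses to ignore
# Returns:   0; exits 1 if the interface does not exist (unless FWBDEBUG)
#######################################
update_addresses_of_interface() {
    ignore_list=$2
    set -- $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in "$@"; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    if $IP link show dev "$interface" >/dev/null 2>&1; then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

#######################################
# Flush the global-scope addresses of, and shut down, every interface
# that is not named in the arguments.
# Globals:   IP, FWBDEBUG (read)
# Arguments: interface names to leave alone
#######################################
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
        while read -r intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev "$intf" scope global
            $FWBDEBUG $IP link set "$intf" down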
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" getaddr eth1 i_eth1 getaddr6 eth1 i_eth1_v6 getnet eth1 i_eth1_network getnet6 eth1 i_eth1_v6_network } script_body() { # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " # ================ Table 'filter', rule set Policy # # Rule 0 (global) echo ":In_RULE_0 - [0:0]" echo "-A INPUT -m state --state NEW -j In_RULE_0 " echo "-A In_RULE_0 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"RULE 0 -- ACCEPT \" --ulog-qthreshold 1 " echo "-A In_RULE_0 -j ACCEPT " # # Rule 1 (global) echo "-A INPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT " # # Rule 2 (global) # firewall-ipv6-4:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it echo "-A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT " echo "-A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT " echo "-A FORWARD -p icmp -m icmp --icmp-type any -m state --state 
NEW -j ACCEPT " # # Rule 3 (global) echo "-A OUTPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT " echo "-A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT " echo "-A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT " # # Rule 4 (global) # INPUT, OUTPUT, FORWARD # firewall-ipv6-4:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it echo "-A INPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT " echo "-A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT " # # Rule 5 (global) # INPUT, OUTPUT, FORWARD echo "-A OUTPUT -d 1.1.1.0/24 -m state --state NEW -j ACCEPT " echo "-A INPUT -d 1.1.1.0/24 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 1.1.1.0/24 -m state --state NEW -j ACCEPT " # # Rule 6 (global) # for bug 2047082 # echo "-A OUTPUT -m state --state NEW -j ACCEPT " # # Rule 7 (global) echo "-A OUTPUT -d 6bone.net -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d ny6ix.net -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 6bone.net -m state --state NEW -j ACCEPT " echo "-A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT " # # Rule 8 (global) echo ":RULE_8 - [0:0]" echo "-A OUTPUT -d 72.55.148.116 -j RULE_8 " echo "-A OUTPUT -d 207.251.84.150 -j RULE_8 " echo "-A FORWARD -d 72.55.148.116 -j RULE_8 " echo "-A FORWARD -d 207.251.84.150 -j RULE_8 " echo "-A RULE_8 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"RULE 8 -- DENY \" --ulog-qthreshold 1 " echo "-A RULE_8 -j DROP " # # Rule 9 (global) # ipv4 address range for bug 2820152 echo "-A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.2/31 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.4/30 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.8/29 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.16/28 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.32/27 -m state --state NEW -j ACCEPT 
" echo "-A OUTPUT -d 192.168.1.64/27 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.96/30 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.100 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.1 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.2/31 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.4/30 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.8/29 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.16/28 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.32/27 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.64/27 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.96/30 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.100 -m state --state NEW -j ACCEPT " # # Rule 10 (global) # ipv4 address range for bug 2820152 echo "-A OUTPUT -d 255.255.255.255 -m state --state NEW -j ACCEPT " echo "-A INPUT -d 255.255.255.255 -m state --state NEW -j ACCEPT " # # Rule 11 (global) echo ":RULE_11 - [0:0]" echo "-A OUTPUT -j RULE_11 " echo "-A INPUT -j RULE_11 " echo "-A FORWARD -j RULE_11 " echo "-A RULE_11 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"RULE 11 -- DENY \" --ulog-qthreshold 1 " echo "-A RULE_11 -j DROP " # echo COMMIT echo '*nat' # ================ Table 'nat', rule set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo "-A POSTROUTING -o eth1 -s 1.1.1.0/24 -j MASQUERADE " # echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES # ================ IPv6 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j LOG --log-level debug --log-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " # ================ Table 'filter', rule set Policy # # Rule 0 (global) echo ":In_RULE_0 - [0:0]" echo "-A INPUT -m state --state NEW -j In_RULE_0 " echo "-A In_RULE_0 -j LOG --log-level info --log-prefix \"RULE 0 -- ACCEPT \"" echo "-A In_RULE_0 -j ACCEPT " # # Rule 6 (global) # for bug 2047082 # echo "-A OUTPUT -m state --state NEW -j ACCEPT " # # Rule 7 (global) echo "-A OUTPUT -d 6bone.net -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d ny6ix.net -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 6bone.net -m state --state NEW -j ACCEPT " echo "-A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT " # # Rule 11 (global) echo ":RULE_11 - [0:0]" echo "-A OUTPUT -j RULE_11 " echo "-A INPUT -j RULE_11 " echo "-A FORWARD -j RULE_11 " echo "-A RULE_11 -j LOG --log-level info --log-prefix \"RULE 11 -- DENY \"" echo "-A RULE_11 -j DROP " # echo COMMIT echo '*nat' # ================ Table 'nat', rule set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo "-A POSTROUTING -o eth1 -s fe80::/64 -j MASQUERADE " # echo COMMIT ) | $IP6TABLES_RESTORE; 
IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:23 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat ipv6" configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-5.fw.orig000077500000000000000000000250701303637203600214240ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:24 2012 PDT by vadim # # files: * firewall-ipv6-5.fw /etc/firewall-ipv6-5.fw # # Compiled for iptables (any version) # # two interfaces, one has ipv4 address, another ipv6 # Combined ipv6+ipv6 ruleset. Only interface with address # that matches address family should be used in generated rule FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
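    done
}

#######################################
# Abort unless the file backing a run-time address table is readable.
# Arguments: $1 - address table object name (used in the message only)
#            $2 - path of the file the table reads at run time
# Returns:   0 if readable; exits 1 otherwise
#######################################
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# This policy references no run-time address tables, so there is nothing
# to check; the hook is kept so the start sequence stays uniform.
check_run_time_address_table_files() {
    :
}

#######################################
# Print the kernel module names whose files match the find(1) tests given
# as arguments, searching below $MODULES_DIR. The directory part and the
# extension (".ko", ".ko.xz", ...) are stripped.
# Globals:   MODULES_DIR (read)
# Arguments: a find(1) expression, e.g. -name '*nat*'
# Outputs:   one module name per line on stdout
#######################################
_fwb_module_names() {
    find "$MODULES_DIR" "$@" | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/'
}

#######################################
# Load the netfilter modules this policy depends on.
# Connection tracking modules are always loaded; NAT modules when $1
# mentions "nat" and the IPv6 conntrack module when it mentions "ipv6".
# Globals:   LSMOD, MODPROBE (read); OPTS, MODULES_DIR, MODULES (written)
# Arguments: $1 - space separated feature list, e.g. " ipv6"
# Returns:   0; exits 1 as soon as modprobe fails for a module
#######################################
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(_fwb_module_names -name '*conntrack*' \! -name '*ipv6*')
    case "$OPTS" in
        *nat*) MODULES="$MODULES $(_fwb_module_names -name '*nat*')" ;;
    esac
    case "$OPTS" in
        *ipv6*) MODULES="$MODULES $(_fwb_module_names -name nf_conntrack_ipv6)" ;;
    esac
    for module in $MODULES; do
        # Anchor on the module-name column: an unanchored "grep nf_nat"
        # was satisfied by e.g. nf_nat_ftp, so a module could be skipped
        # because a longer name happened to contain it.
        if $LSMOD | grep -q "^${module}[[:space:]]"; then continue; fi
        $MODPROBE "${module}" || exit 1
    done
}

#######################################
# Make sure every interface the policy refers to exists.
# Globals:   IP (read)
# Returns:   0; logs and exits 1 on the first missing interface
#######################################
verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 eth1"
    for i in eth0 eth1 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# User-defined commands run before the rules are loaded (none configured).
prolog_commands() {
    echo "Running prolog script"
}

# User-defined commands run after the rules are loaded (none configured).
epilog_commands() {
    echo "Running epilog script"
}

#######################################
# Run the epilog and terminate the script.
# Arguments: $1 - exit status to terminate with
#######################################
run_epilog_and_exit() {
    epilog_commands
    exit "$1"
}

# Bring the addresses of eth0 (IPv4) and eth1 (IPv6) in line with the
# fwbuilder configuration; no addresses are ignored.
configure_interfaces() {
    :
    # Configure interfaces
    update_addresses_of_interface "eth0 1.1.1.1/24" ""
    update_addresses_of_interface "eth1 fe80::21d:9ff:fe8b:8e94/64" ""
}

#######################################
# Append the policy rules to the filter table of both address families.
# Relies on reset_all having been run first by the start action, which
# sets DROP policies and empties every table.
# Globals:   IPTABLES, IP6TABLES (read)
#######################################
script_body() {
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ================ Table 'filter', rule set Policy
    #
    # Rule 0 (eth0)
    #
    echo "Rule 0 (eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    #
    # Rule 2 (eth1,eth0)
    #
    echo "Rule 2 (eth1,eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

    # ================ IPv6
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ================ Table 'filter', rule set Policy
    #
    # Rule 1 (eth1)
    #
    echo "Rule 1 (eth1)"
    #
    $IP6TABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
    #
    # Rule 2 (eth1,eth0)
    #
    echo "Rule 2 (eth1,eth0)"
    #
    $IP6TABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
}

# Enable packet forwarding for both address families.
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
}

# Set DROP policies and flush every table for both address families.
reset_all() {
    :
    reset_iptables_v4
    reset_iptables_v6
}

# "block": leave the firewall with empty tables and DROP policies.
block_action() {
    reset_all
}

# "stop": flush everything, then open the built-in chains (ACCEPT policies).
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT
}

#######################################
# Check whether a netfilter table list from /proc is present and non-empty.
# Arguments: $1 - path such as /proc/net/ip_tables_names
# Returns:   0 if tables are listed, 151 if the file does not exist
#            (module not loaded), 152 if it exists but is empty
#######################################
check_iptables() {
    IP_TABLES="$1"
    [ -e "$IP_TABLES" ] || return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -n "$NF_TABLES" ] || return 152
    return 0
}

#######################################
# "status": succeed if either address family has tables configured;
# otherwise explain why and exit 3 (LSB "not running").
# Globals:   ret_ipv4, ret_ipv6 (written)
# Returns:   0 when configured; exits 3 otherwise
#######################################
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:17:24 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " ipv6"
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?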
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-6.fw.orig000077500000000000000000000252701303637203600214270ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:26 2012 PDT by vadim # # files: * firewall-ipv6-6.fw /etc/firewall-ipv6-6.fw # # Compiled for iptables (any version) # # one interfaces with both ipv4 and ipv6 addresses FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" getaddr eth1 i_eth1 getaddr6 eth1 i_eth1_v6 getnet eth1 i_eth1_network getnet6 eth1 i_eth1_v6_network } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT # ================ IPv6 # ================ Table 'filter', automatic rules # accept established sessions $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy_v6 # # Rule Policy_v6 0 (eth0) # echo "Rule Policy_v6 0 (eth0)" # $IP6TABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:26 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " ipv6" configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-7.fw.orig000077500000000000000000000317201303637203600214250ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:17:26 2012 PDT by vadim
#
# files: * firewall-ipv6-7.fw /etc/firewall-ipv6-7.fw
#
# Compiled for iptables 1.4.0
#
# one interface has dynamic address, testing functions that get the address at run time

# Empty in normal operation; the test_interfaces action sets it to "echo"
# so that the commands that change interface addresses are printed instead
# of executed.
FWBDEBUG=""

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

# Absolute paths of the external tools used by this script. check_tools
# (defined further down) verifies that the ones needed by "start" exist.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print a message on stdout and, if logger is available, also send it to
# syslog with priority "info".
# Arguments: $1 - message
log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# Turn an interface name into something usable as a shell variable name by
# replacing the first "." with "_" (VLAN interfaces such as eth0.100).
# Arguments: $1 - interface name
# Outputs:   the converted name on stdout
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# Read the addresses of an interface at run time and store them in a shell
# variable; used for interfaces with dynamic addresses (see the getaddr
# calls in configure_interfaces further down).
# Arguments: $1 - interface name
#            $2 - base name of the variable to set
#            $3 - address family option for ip(8), "-4" or "-6", supplied
#                 by the getaddr/getaddr6 wrappers
# Side effects: if no address is found, $name is set to the empty string;
#            otherwise ${name}_list is set to the space-separated addresses
#            (prefix length and "peer ..." suffix stripped). Note that $name
#            itself is not assigned in the latter case.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    # Keep only the inet/inet6 lines, drop everything up to and including
    # the family keyword, then cut the "/prefixlen" part and any peer address.
    L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    # eval is needed because the target variable name is a parameter. Both
    # $name (from the generated call sites) and $L (ip(8) output) are
    # interpolated into the evaluated string without further quoting, so they
    # must stay free of shell metacharacters.
    eval "${name}_list=\"$L\""
}

# Same as getaddr_internal, but collects the networks routed through the
# interface from the kernel routing table.
# Arguments: $1 - interface name
#            $2 - base name of the variable to set
#            $3 - address family option (see getaddr_internal)
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    # NOTE(review): $af is not passed to ip here, so getnet6 presumably gets
    # the same (IPv4) route list as getnet - confirm. "grep $dev" is
    # unanchored, so eth1 also matches eth10. The body continues on the
    # next line.
    L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP6TABLES_RESTORE find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }

    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        # IPv6 addresses (those containing ':') are added as is; for IPv4 the
        # broadcast address is derived from the prefix ("broadcast +"). Because
        # of the "&& { } || { }" form, a failed IPv6 add also falls through to
        # the IPv4 form, and a failed add never stops the script.
        echo $addr | grep -q ':' && {
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        } || {
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        }
    }

    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        # Unlike "add", a failed "del" aborts the whole script.
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }

    $FWBDEBUG $IP link set $interface up
}

# List the addresses currently configured on an interface, one per line in
# the form "address/prefix@interface", sorted.
# Arguments: $1 - interface name
#            $2 - regular expression the address line must match; used to
#                 select the scope ('scope global', 'scope .*', ...)
#            $3 - space-separated list of addresses to leave out
# Outputs:   the matching addresses on stdout
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read addr; do
            echo "${addr}@$interface"
        done | sort
}

# Make the addresses of an interface match the ones configured in fwbuilder.
# Arguments: $1 - string "interface addr/prefix [addr/prefix ...]"
#            $2 - space-separated list of addresses to ignore (neither added
#                 nor removed)
# Addresses from fwbuilder that are not present in any scope are added;
# addresses present in scope "global" that fwbuilder does not know are
# removed. Link-local and other non-global addresses are never deleted.
update_addresses_of_interface() {
    ignore_list=$2
    # Split "$1" into the interface name and its addresses.
    set $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )

    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    $IP link show dev $interface >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    }

    # diff_intf (defined above) calls missing_address for every entry of its
    # first list that is not found in its second one. Its membership test is
    # an unanchored grep, so an address that is a substring of another one
    # may be reported as present.
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush the global-scope addresses of, and bring down, every interface that
# is not named in the argument list. Destructive: interfaces the firewall
# object does not know about lose their addresses. This script's
# configure_interfaces does not call it.
# Arguments: $* - names of the interfaces to keep
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
        while read intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev $intf scope global
            $FWBDEBUG $IP link set $intf down
done
}

# Abort unless a file referenced by an address table object is readable.
# Arguments: $1 - name of the address table object (used in the message)
#            $2 - path of the file
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# This firewall uses no run-time address tables, so there is nothing to check.
check_run_time_address_table_files() {
    :
}

# Load the netfilter kernel modules needed by the generated rules.
# Arguments: $1 - option string; the substrings "nat" and "ipv6" select the
#                 NAT and the IPv6 connection tracking modules in addition
#                 to the IPv4 conntrack ones ("start" passes " ipv6")
# Exits with status 1 if modprobe fails for any selected module.
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
    # Module names are derived from file names: strip the directory and
    # everything from the first "." (the .ko suffix).
    MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    echo $OPTS | grep -q nat && {
        MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    echo $OPTS | grep -q ipv6 && {
        MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    for module in $MODULES; do
        # Skip modules that are already loaded. The grep is unanchored, so a
        # module whose name is a prefix of an already loaded one is also
        # skipped without being probed.
        if $LSMOD | grep ${module} >/dev/null; then continue; fi
        $MODPROBE ${module} || exit 1
    done
}

# Make sure every interface the policy refers to exists; abort otherwise.
verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 eth1"
    for i in eth0 eth1 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# Prolog hook: "start" runs it before modules are loaded and addresses are
# configured.
prolog_commands() {
    echo "Running prolog script"
}

# Epilog hook: "start" runs it after the rules are loaded and forwarding is
# enabled.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog and terminate with the given status; script_body uses it
# when iptables-restore fails.
# Arguments: $1 - exit status
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Set up interface addresses before the rules are loaded; also used on its
# own by the "interfaces" and "test_interfaces" actions.
configure_interfaces() {
    :
    # Configure interfaces
    # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689
    # this ensures that secondary ip address is "promoted" to primary
    # when primary address is deleted, instead of deleting both
    # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" getaddr eth1 i_eth1 getaddr6 eth1 i_eth1_v6 getnet eth1 i_eth1_network getnet6 eth1 i_eth1_v6_network } script_body() { # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES # ================ IPv6 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # rules to permit IPv6 Neighbor discovery echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j LOG --log-level debug --log-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" echo COMMIT ) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:26 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " ipv6" configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-8.fw.orig000077500000000000000000000367121303637203600214340ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:27 2012 PDT by vadim # # files: * firewall-ipv6-8.fw /etc/firewall-ipv6-8.fw # # Compiled for iptables 1.4.0 # # matching multicast with different directions FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP6TABLES_RESTORE find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" getaddr eth1 i_eth1 getaddr6 eth1 i_eth1_v6 getnet eth1 i_eth1_network getnet6 eth1 i_eth1_v6_network } script_body() { # ================ IPv4 ( echo '*filter' # ================ Table 'filter', rule set Policy_OSPF # # Rule Policy_OSPF 2 (global) echo ":Policy_OSPF - [0:0]" echo "-A Policy_OSPF -j DROP " # echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES # ================ IPv6 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # rules to permit IPv6 Neighbor discovery echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j LOG --log-level debug --log-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " # ================ Table 'filter', rule set Policy_OSPF # # Rule Policy_OSPF 0 (eth0) echo ":Policy_OSPF - [0:0]" echo "-A Policy_OSPF -i eth0 -s fe80::/10 -d ff00::/8 -j ACCEPT " echo "-A Policy_OSPF -i eth0 -s fe80::/10 -d fe80::/10 -j ACCEPT " echo "-A Policy_OSPF -o eth0 
-s fe80::/10 -d ff00::/8 -j ACCEPT " echo "-A Policy_OSPF -o eth0 -s fe80::/10 -d fe80::/10 -j ACCEPT " # # Rule Policy_OSPF 1 (global) echo "-A Policy_OSPF -s fe80::/10 -d ff00::/8 -j ACCEPT " echo "-A Policy_OSPF -s fe80::/10 -d fe80::/10 -j ACCEPT " # # Rule Policy_OSPF 2 (global) echo "-A Policy_OSPF -j DROP " # # ================ Table 'filter', rule set Policy_v6 # # Rule Policy_v6 0 (eth0) # see #1523 echo "-A INPUT -i eth0 -s fe80::/10 -d ff00::/8 -j ACCEPT " echo "-A FORWARD -i eth0 -s fe80::/10 -d fe80::/10 -j ACCEPT " echo "-A FORWARD -o eth0 -s fe80::/10 -d ff00::/8 -j ACCEPT " echo "-A FORWARD -o eth0 -s fe80::/10 -d fe80::/10 -j ACCEPT " # # Rule Policy_v6 1 (eth0) # see #1523 echo "-A INPUT -i eth0 -s fe80::/10 -d ff00::/8 -j ACCEPT " # # Rule Policy_v6 2 (eth0) # see #1523 echo "-A FORWARD -o eth0 -s fe80::/10 -d ff00::/8 -j ACCEPT " # # Rule Policy_v6 3 (eth0) # see #1523 echo "-A FORWARD -o eth0 -s fe80::21d:9ff:fe8b:aaaa -d ff00::/8 -j ACCEPT " # # Rule Policy_v6 4 (eth0) # see #1523 echo "-A OUTPUT -o eth0 -d ff00::/8 -j ACCEPT " # # Rule Policy_v6 5 (eth0) # see #1523 echo "-A OUTPUT -o eth0 -s fe80::21d:9ff:fe8b:8e94 -d ff00::/8 -j ACCEPT " # # Rule Policy_v6 6 (eth0) # see #1523 echo "-A OUTPUT -o eth0 -s fe80::21d:9ff:fe8b:8e94 -d ff00::/8 -j ACCEPT " # # Rule Policy_v6 7 (eth0) # see #1523 echo "-A INPUT -i eth0 -s fe80::/10 -d ff00::/8 -j ACCEPT " echo "-A INPUT -i eth0 -s fe80::/10 -d fe80::/10 -j ACCEPT " echo "-A FORWARD -i eth0 -s fe80::/10 -d fe80::/10 -j ACCEPT " echo "-A OUTPUT -o eth0 -s fe80::/10 -d ff00::/8 -j ACCEPT " echo "-A OUTPUT -o eth0 -s fe80::/10 -d fe80::/10 -j ACCEPT " echo "-A FORWARD -o eth0 -s fe80::/10 -d fe80::/10 -j ACCEPT " # # Rule Policy_v6 8 (eth0) # see #1523 echo "-A INPUT -i eth0 -s fe80::/10 -d ff00::/8 -j ACCEPT " # # Rule Policy_v6 9 (eth0) # see #1523 echo "-A OUTPUT -o eth0 -s fe80::/10 -d ff00::/8 -j ACCEPT " # # Rule Policy_v6 11 (eth0) # see #1523 echo "-A OUTPUT -o eth0 -d ff00::/8 -j ACCEPT " # # 
Rule Policy_v6 12 (eth0) # see #1523 echo "-A OUTPUT -o eth0 -s fe80::21d:9ff:fe8b:8e94 -d ff00::/8 -j ACCEPT " # # Rule Policy_v6 13 (eth0) # see #1523 echo "-A OUTPUT -o eth0 -s fe80::21d:9ff:fe8b:8e94 -d ff00::/8 -j ACCEPT " # # Rule Policy_v6 14 (global) echo "-A OUTPUT -p 89 -j Policy_OSPF " echo "-A INPUT -p 89 -j Policy_OSPF " echo "-A FORWARD -p 89 -j Policy_OSPF " # # Rule Policy_v6 15 (eth0) echo "-A INPUT -i eth0 -p 89 -j Policy_OSPF " echo "-A FORWARD -i eth0 -p 89 -j Policy_OSPF " echo "-A OUTPUT -o eth0 -p 89 -j Policy_OSPF " echo "-A FORWARD -o eth0 -p 89 -j Policy_OSPF " # echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" echo COMMIT ) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:27 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " ipv6" configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-ipt-reset-prolog-after-flush.fw.orig000077500000000000000000000310571303637203600267140ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:27 2012 PDT by vadim # # files: * firewall-ipv6-ipt-reset-prolog-after-flush.fw /etc/firewall-ipv6-ipt-reset-prolog-after-flush.fw # # Compiled for iptables (any version) # # Policy is configured as dual address family. Usigng iptables-restore. 
Prolog is after iptables reset and flush # Prolog place "after policy reset" can not be used when policy is activated with iptables-restore FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP6TABLES_RESTORE find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" echo "This is prolog" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" } script_body() { # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " # ================ Table 'filter', rule set Policy # # Rule 0 (global) echo "-A INPUT -m state --state NEW -j ACCEPT " echo "-A FORWARD -i + -m state --state NEW -j ACCEPT " # echo COMMIT echo '*nat' # ================ Table 'nat', rule set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo "-A POSTROUTING -o eth1 -s 1.1.1.0/24 -j SNAT --to-source 22.22.22.22 " # echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES # ================ IPv6 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j LOG --log-level debug --log-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " # ================ Table 'filter', rule set Policy # # Rule 0 (global) echo "-A INPUT -m state --state NEW -j ACCEPT " echo "-A FORWARD -i + -m state --state NEW -j ACCEPT " # echo COMMIT ) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:27 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat ipv6" configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw.orig000077500000000000000000000307321303637203600277150ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:29 2012 PDT by vadim # # files: * firewall-ipv6-ipt-reset-prolog-after-interfaces.fw /etc/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw # # Compiled for iptables (any version) # # Policy is configured as dual address family. Usigng iptables-restore. 
Prolog is after configuration of interfaces FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP6TABLES_RESTORE find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then 
$IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface 
$interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" echo "This is prolog" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting 
both # primary and secondary addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" } script_body() { # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " # ================ Table 'filter', rule set Policy # # Rule 0 (global) echo "-A INPUT -m state --state NEW -j ACCEPT " echo "-A FORWARD -i + -m state --state NEW -j ACCEPT " # echo COMMIT echo '*nat' # ================ Table 'nat', rule set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo "-A POSTROUTING -o eth1 -s 1.1.1.0/24 -j SNAT --to-source 22.22.22.22 " # echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES # ================ IPv6 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j LOG --log-level debug --log-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " # ================ Table 'filter', rule set Policy # # Rule 0 (global) echo "-A INPUT -m state --state NEW -j ACCEPT " echo "-A FORWARD -i + -m state --state NEW -j ACCEPT " # echo COMMIT ) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:29 2012 by vadim" check_tools check_run_time_address_table_files load_modules "nat ipv6" configure_interfaces verify_interfaces prolog_commands script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-ipt-reset-prolog-top.fw.orig000077500000000000000000000306631303637203600253000ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:29 2012 PDT by vadim # # files: * firewall-ipv6-ipt-reset-prolog-top.fw /etc/firewall-ipv6-ipt-reset-prolog-top.fw # # Compiled for iptables (any version) # # Policy is configured as dual address family. Usigng iptables-restore. 
Prolog is on top of the policy FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP6TABLES_RESTORE find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table 
-F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # 
Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" echo "This is prolog" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary 
addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" } script_body() { # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " # ================ Table 'filter', rule set Policy # # Rule 0 (global) echo "-A INPUT -m state --state NEW -j ACCEPT " echo "-A FORWARD -i + -m state --state NEW -j ACCEPT " # echo COMMIT echo '*nat' # ================ Table 'nat', rule set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo "-A POSTROUTING -o eth1 -s 1.1.1.0/24 -j SNAT --to-source 22.22.22.22 " # echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES # ================ IPv6 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j LOG --log-level debug --log-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " # ================ Table 'filter', rule set Policy # # Rule 0 (global) echo "-A INPUT -m state --state NEW -j ACCEPT " echo "-A FORWARD -i + -m state --state NEW -j ACCEPT " # echo COMMIT ) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:29 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat ipv6" configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-nd-ns-1.fw.orig000077500000000000000000000315331303637203600224360ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:30 2012 PDT by vadim # # files: * firewall-ipv6-nd-ns-1.fw /etc/firewall-ipv6-nd-ns-1.fw # # Compiled for iptables 1.4.0 # # automatic ND/NS rules FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP6TABLES_RESTORE find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" update_addresses_of_interface "eth1 192.0.2.1/24" "" } script_body() { # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES # ================ IPv6 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # rules to permit IPv6 Neighbor discovery echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j LOG --log-level debug --log-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" echo COMMIT ) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:30 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " ipv6" configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-nd-ns-2.fw.orig000077500000000000000000000324401303637203600224350ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:30 2012 PDT by vadim # # files: * firewall-ipv6-nd-ns-2.fw /etc/firewall-ipv6-nd-ns-2.fw # # Compiled for iptables 1.4.0 # # automatic ND/NS rules, bridging fw FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP6TABLES_RESTORE find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" update_addresses_of_interface "eth1 192.0.2.1/24" "" } script_body() { # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state INVALID -j drop_invalid " echo "-A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES # ================ IPv6 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # rules to permit IPv6 Neighbor discovery echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT " echo "-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT " echo "-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT " # drop packets that do not match any valid state and log them echo ":drop_invalid - [0:0]" echo "-A OUTPUT -m state --state INVALID -j drop_invalid " echo "-A INPUT -m state --state INVALID -j drop_invalid " echo "-A FORWARD -m state --state 
INVALID -j drop_invalid " echo "-A drop_invalid -j LOG --log-level debug --log-prefix \"INVALID state -- DENY \"" echo "-A drop_invalid -j DROP " echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" echo COMMIT ) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:30 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " ipv6" configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? 
;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-prolog-after-flush.fw.orig000077500000000000000000000276001303637203600250010ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:32 2012 PDT by vadim # # files: * firewall-ipv6-prolog-after-flush.fw /etc/firewall-ipv6-prolog-after-flush.fw # # Compiled for iptables (any version) # # Policy is configured as dual address family. Prolog is after iptables reset and flush FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" echo "This is prolog" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 1.1.1.0/24 -j SNAT --to-source 22.22.22.22 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A INPUT -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i + -m state --state NEW -j ACCEPT # ================ IPv6 # ================ Table 'filter', automatic rules # accept established sessions $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IP6TABLES -N drop_invalid $IP6TABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IP6TABLES -A INPUT -m state --state INVALID -j drop_invalid $IP6TABLES -A FORWARD -m state --state 
INVALID -j drop_invalid $IP6TABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY " $IP6TABLES -A drop_invalid -j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IP6TABLES -A INPUT -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -i + -m state --state NEW -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:32 2012 by vadim" check_tools check_run_time_address_table_files load_modules "nat ipv6" configure_interfaces verify_interfaces reset_all prolog_commands script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-prolog-after-interfaces.fw.orig000077500000000000000000000276151303637203600260110ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:32 2012 PDT by vadim # # files: * firewall-ipv6-prolog-after-interfaces.fw /etc/firewall-ipv6-prolog-after-interfaces.fw # # Compiled for iptables (any version) # # Policy is configured as dual address family. Prolog is after configuration of interfaces FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" echo "This is prolog" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 1.1.1.0/24 -j SNAT --to-source 22.22.22.22 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A INPUT -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i + -m state --state NEW -j ACCEPT # ================ IPv6 # ================ Table 'filter', automatic rules # accept established sessions $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IP6TABLES -N drop_invalid $IP6TABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IP6TABLES -A INPUT -m state --state INVALID -j drop_invalid $IP6TABLES -A FORWARD -m state --state 
INVALID -j drop_invalid $IP6TABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY " $IP6TABLES -A drop_invalid -j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IP6TABLES -A INPUT -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -i + -m state --state NEW -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:32 2012 by vadim" check_tools check_run_time_address_table_files load_modules "nat ipv6" configure_interfaces verify_interfaces prolog_commands reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-ipv6-prolog-top.fw.orig000077500000000000000000000275461303637203600233740ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:33 2012 PDT by vadim # # files: * firewall-ipv6-prolog-top.fw /etc/firewall-ipv6-prolog-top.fw # # Compiled for iptables (any version) # # Policy is configured as dual address family. Prolog is on top of the policy FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" echo "This is prolog" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 1.1.1.0/24 -j SNAT --to-source 22.22.22.22 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A INPUT -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i + -m state --state NEW -j ACCEPT # ================ IPv6 # ================ Table 'filter', automatic rules # accept established sessions $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IP6TABLES -N drop_invalid $IP6TABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IP6TABLES -A INPUT -m state --state INVALID -j drop_invalid $IP6TABLES -A FORWARD -m state --state 
INVALID -j drop_invalid $IP6TABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY " $IP6TABLES -A drop_invalid -j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IP6TABLES -A INPUT -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -i + -m state --state NEW -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:33 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat ipv6" configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall-server-1-s.fw.orig000077500000000000000000000247241303637203600223070ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:33 2012 PDT by vadim # # files: * firewall-server-1-s.fw /etc/fw/firewall-server-1-s.fw # # Compiled for iptables (any version) # # fw is part of any is OFF # ip forwarding is OFF # firewall-server-1-s:Policy:0: error: Rule '0 (eth0)' shadows rule '1 (eth0)' below it # firewall-server-1-s:Policy:0: error: Rule '0 (eth0)' shadows rule '2 (eth0)' below it # firewall-server-1-s:Policy:0: error: Rule '0 (eth0)' shadows rule '3 (eth0)' below it FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
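done }

# Abort unless the file backing a run-time address table object is readable.
#   $1 - name of the address table object (used in the message only)
#   $2 - path of the file the object refers to
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# This configuration has no run-time address table objects; nothing to check.
check_run_time_address_table_files() {
    :
}

# Load the netfilter modules the policy depends on.
#   $1 - option string; if it contains "nat" the NAT modules are loaded too,
#        if it contains "ipv6" the IPv6 conntrack module is added as well
#        (the 'start' command below passes " ", i.e. conntrack only).
# Module names are derived from the file names under the running kernel's
# net/ tree. lsmod output is matched on the first column only, so a loaded
# nf_nat_ftp no longer counts as nf_nat already being loaded (the original
# used an unanchored substring grep). Exits 1 if modprobe fails.
load_modules() {
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(find "$MODULES_DIR" -name '*conntrack*' \! -name '*ipv6*' |
        sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    case "$OPTS" in
        *nat*)
            MODULES="$MODULES $(find "$MODULES_DIR" -name '*nat*' |
                sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
            ;;
    esac
    case "$OPTS" in
        *ipv6*)
            MODULES="$MODULES $(find "$MODULES_DIR" -name nf_conntrack_ipv6 |
                sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
            ;;
    esac
    for module in $MODULES; do
        # exact match on the module-name column of lsmod output
        if $LSMOD | grep -q "^${module} "; then
            continue
        fi
        $MODPROBE "${module}" || exit 1
    done
}

# Make sure every interface the policy refers to exists; exits 1 otherwise.
verify_interfaces() {
    echo "Verifying interfaces: lo eth0"
    for i in lo eth0; do
        $IP link show "$i" >/dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# Hook run before the policy is installed.
prolog_commands() {
    echo "Running prolog script"
}

# Hook run after the policy is installed.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog hook, then exit with the status given as $1.
run_epilog_and_exit() {
    epilog_commands
    # $1 is left unquoted on purpose: with no argument this must become a
    # plain "exit" (status of epilog_commands), not exit "" which is an error
    exit $1
}

# Bring the interfaces to the address configuration stored in fwbuilder.
# Each call gets "<interface> <addr/len> ..." and a list of addresses to
# leave alone (empty here).
configure_interfaces() {
    update_addresses_of_interface "lo 127.0.0.1/8" ""
    update_addresses_of_interface "eth0 192.168.1.1/24" ""
}

# Install the compiled policy. The iptables commands are the generated rule
# set and are kept exactly as fwb_ipt produced them; only comments were added.
# reset_all has already set DROP policies on the built-in chains, so anything
# not accepted below is dropped.
script_body() {
    # ================ IPv4

    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'filter', rule set Policy
    #
    # Rule 1 (eth0)
    #
    echo "Rule 1 (eth0)"
    #
    # ticket #1338: local override of "Assume fw is part of any"
    # only INPUT chain because ip forwarding is off
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j DROP
    #
    # Rule 2 (eth0)
    #
    echo "Rule 2 (eth0)"
    #
    # ticket #1338: "assume fw is part of any" is off, ip forwarding is off
    $IPTABLES -N Cid2293081X29313.0
    $IPTABLES -A INPUT -i eth0 -s 127.0.0.1 -j Cid2293081X29313.0
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j Cid2293081X29313.0
    $IPTABLES -A Cid2293081X29313.0 -d 127.0.0.1 -j DROP
    $IPTABLES -A Cid2293081X29313.0 -d 192.168.1.1 -j DROP
    #
    # Rule 3 (eth0)
    #
    echo "Rule 3 (eth0)"
    #
    # ticket #1338: "assume fw is part of any" is off, ip forwarding is off
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -d 192.168.1.1 -j DROP
}

# IP forwarding is disabled in this firewall's settings.
ip_forward() {
    echo 0 > /proc/sys/net/ipv4/ip_forward
}

# Tear down the current rule set. reset_iptables_v4 sets DROP policies
# before flushing, so the host stays closed while the new set is installed.
reset_all() {
    reset_iptables_v4
}

# 'block': flush everything and leave the DROP policies in place.
block_action() {
    reset_all
}

# 'stop': flush everything and switch the built-in chains to ACCEPT, i.e.
# the host is left completely unfiltered.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# Probe the state of one netfilter family through its procfs table list.
#   $1 - /proc/net/ip_tables_names or /proc/net/ip6_tables_names
# Returns 151 if the file does not exist (modules not loaded), 152 if it
# is empty (no tables configured), 0 otherwise.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# 'status': return 0 if either the IPv4 or the IPv6 rule set is loaded;
# otherwise print the reason(s) and exit 3.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:17:33 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        # status of epilog_commands only: the script does not use set -e, so
        # a failing iptables command inside script_body is not reflected here
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # FWBDEBUG="echo" makes the address management functions print the
        # ip(8) commands instead of running them
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" >&2
        # an unknown command is an error; previously RETVAL stayed unset here
        # and the script exited 0
        RETVAL=1
        ;;
esac

exit "$RETVAL"
fwbuilder-5.3.7/test/ipt/firewall.fw.orig000077500000000000000000002034731303637203600204050ustar00rootroot00000000000000
#!/bin/sh
#
#  This is automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_ipt v5.0.2.3596
#
#  Generated Sun Mar 18 21:16:06 2012 PDT by vadim
#
# files: * firewall.fw /etc/fw/firewall.fw
#
# Compiled for iptables (any version)
#
# this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
# firewall:NAT:11: warning: SNAT rule can not match MAC address. Object CA(host-with-mac-1:1) removed from the rule
# firewall:NAT:16: warning: SNAT rule can not match MAC address.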
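Object CA(host-with-mac-1:1) removed from the rule
# firewall:NAT:: warning: Empty inet address in object id3BF1B3E8-pa
# firewall:NAT:: warning: Empty inet address in object id3BF1B3E8-pa
# firewall:NAT:: warning: Empty inet address in object id3E0BD74A
# firewall:NAT:: warning: Empty inet address in object id3E0BD74A
# firewall:NAT:: warning: Empty inet address in object id3DB0B351-pa
# firewall:NAT:: warning: Empty inet address in object id3DB0B351-pa
# firewall:NAT:: warning: Empty inet address in object id3BF1B3E8-pa
# firewall:NAT:: warning: Empty inet address in object id3BF1B3E8-pa
# firewall:Policy:36: warning: Empty MAC address in rule
# firewall:Policy:37: warning: Empty MAC address in rule
# firewall:Policy:38: warning: Empty MAC address in rule
# firewall:Policy:39: warning: Empty MAC address in rule
# firewall:Policy:40: warning: Empty MAC address in rule
# firewall:Policy:40: warning: Empty MAC address in rule
# firewall:Policy:41: warning: Can not match MAC address of the firewall (chain OUTPUT)
# firewall:Policy:36: warning: Empty MAC address in rule
# firewall:Policy:37: warning: Empty MAC address in rule
# firewall:Policy:38: warning: Empty MAC address in rule
# firewall:Policy:39: warning: Empty MAC address in rule
# firewall:Policy:40: warning: Empty MAC address in rule
# firewall:Policy:40: warning: Empty MAC address in rule

# Tool locations. FWBDEBUG is empty for a real run; a caller that sets it to
# "echo" turns the ip(8) calls of the address management functions below into
# a print-only dry run.
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

LSMOD="/sbin/lsmod"
MODPROBE="/usr/local/sbin/modprobe"
IPTABLES="/usr/local/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/usr/local/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/bin/logger"

# Print $1 and, when logger(1) is available, also send it to syslog at
# priority "info". which(1) is relied on here and in find_program; check_tools
# verifies it exists.
log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# Turn an interface name into a valid shell variable name: every "." becomes
# "_" (e.g. eth0.100 -> eth0_100). The original replaced only the first dot.
getInterfaceVarName() {
    echo "$1" | sed 's/\./_/g'
}

# Collect the addresses of one interface into the variable ${name}_list.
#   $1 - interface, $2 - variable name prefix, $3 - "-4" or "-6"
# With no address configured both ${name} and ${name}_list are emptied (the
# original cleared only ${name} and left a stale list behind).
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev "$dev" |
        sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' |
        sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        eval "${name}_list=''"
        return
    }
    # $name comes from the generated script, $L from ip(8) output
    eval "${name}_list=\"$L\""
}

# Collect the directly connected networks of one interface into ${name}_list.
#   $1 - interface, $2 - variable name prefix, $3 - "-4" or "-6"
# Two fixes against the original: the address family was accepted but never
# passed to ip(8), so getnet6 returned IPv4 routes; and the interface was
# matched as a substring ("eth1" also hit eth10), now a whole-word match.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af route list proto kernel |
        grep -w -- "$dev" |
        grep -v default |
        sed 's! .*$!!')
    test -z "$L" && {
        eval "$name=''"
        eval "${name}_list=''"
        return
    }
    eval "${name}_list=\"$L\""
}

getaddr() {
    getaddr_internal "$1" "$2" "-4"
}

getaddr6() {
    getaddr_internal "$1" "$2" "-6"
}

getnet() {
    getnet_internal "$1" "$2" "-4"
}

getnet6() {
    getnet_internal "$1" "$2" "-6"
}

# function getinterfaces is used to process wildcard interfaces:
# print the name of every interface whose name starts with $1.
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        # "N: name: <flags>" -> split on blanks and colons, field 2 is the name
        OIFS=$IFS
        IFS=" :"
        set -- $L
        IFS=$OIFS
        echo "$2"
    done
}

# Call "$1 <item> $4" for every whitespace-separated item of $2 that is not
# present in $3. Membership is an exact whole-item comparison; the original
# used an unanchored grep, so an item could be "found" inside a longer one
# (eth1 inside eth10, or one address@interface string inside another).
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1; do
        if printf '%s\n' $list2 | grep -qxF -- "$intf"; then
            continue
        fi
        # $intf is absent in list 2
        $func "$intf" "$cmd"
    done
}

# Abort with exit 1 unless $1 can be located by which(1).
find_program() {
    PGM=$1
    which "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# Verify the tools the script cannot work without; which(1) goes first
# because find_program itself depends on it.
check_tools() {
    find_program which
    find_program "$IPTABLES"
    find_program "$MODPROBE"
    find_program "$IP"
}

# Set DROP policies on the built-in chains, then flush and delete every chain
# in every IPv4 table. Policies are set first so the host is closed, not
# open, while the old rule set is being torn down.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    while read table; do
        $IPTABLES -t "$table" -L -n | while read c chain rest; do
            if test "X$c" = "XChain"; then
                $IPTABLES -t "$table" -F "$chain"
            fi
        done
        $IPTABLES -t "$table" -X
    done < /proc/net/ip_tables_names
}

# IPv6 counterpart of reset_iptables_v4.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    while read table; do
        $IP6TABLES -t "$table" -L -n | while read c chain rest; do
            if test "X$c" = "XChain"; then
                $IP6TABLES -t "$table" -F "$chain"
            fi
        done
        $IP6TABLES -t "$table" -X
    done < /proc/net/ip6_tables_names
}

# Set once missing_address has warned about a point-to-point interface.
P2P_INTERFACE_WARNING=""

# Apply one address change.
#   $1 - "<addr/len>@<interface>"
#   $2 - "add" or "del", passed straight to "ip addr"
# Point-to-point interfaces are skipped with a one-time warning. A failed
# removal aborts the script (exit 1); a failed addition does not. The
# original chained the IPv6/IPv4 forms with "&& { } || { }", so a failing
# IPv6 add fell through to the IPv4 form; the case statement avoids that.
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set -- $address
    addr=$1
    interface=$2
    IFS=$oldIFS

    $IP addr show dev "$interface" | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" &&
            echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }

    if test "$cmd" = "add"; then
        echo "# Adding ip address: $interface $addr"
        case "$addr" in
            *:*)
                # IPv6: no broadcast address
                $FWBDEBUG $IP addr $cmd "$addr" dev "$interface"
                ;;
            *)
                $FWBDEBUG $IP addr $cmd "$addr" broadcast + dev "$interface"
                ;;
        esac
    fi
    if test "$cmd" = "del"; then
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr $cmd "$addr" dev "$interface" || exit 1
    fi
    $FWBDEBUG $IP link set "$interface" up
}

# Print "<addr>@<interface>" for every address of interface $1 whose
# "scope ..." text matches the awk regex $2, skipping the addresses listed in
# $3. Output is sorted so it can be compared with the list that
# update_addresses_of_interface builds from the fwbuilder configuration.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev "$interface" |
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
            'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
             (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' |
        while read addr; do
            echo "${addr}@$interface"
        done | sort
}

# Reconcile the addresses of one interface with the fwbuilder configuration.
#   $1 - "<interface> <addr/len> ..."
#   $2 - addresses to leave alone
# Addresses missing from the interface are added; global-scope addresses
# fwbuilder does not know about are removed (link/host scope addresses are
# never touched). A non-existent interface aborts the script unless FWBDEBUG
# is set (dry-run mode). Written with if/else instead of the original
# "&& { } || { }" so a non-zero status inside the first branch cannot trigger
# the "does not exist" branch.
update_addresses_of_interface() {
    ignore_list=$2
    set -- $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in "$@"; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    if $IP link show dev "$interface" >/dev/null 2>&1; then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush the global-scope addresses of, and bring down, every interface that
# is not named in the arguments (the interfaces fwbuilder manages).
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' |
        awk -v IGNORED="$*" \
            'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
             (/state/ && !($2 in ignored_dict)) {print $2;}' |
        while read intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev "$intf" scope global
            $FWBDEBUG $IP link set "$intf" down
        done
}

# Abort unless the file backing a run-time address table object is readable.
#   $1 - name of the address table object (used in the message only)
#   $2 - path of the file the object refers to
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# This configuration has no run-time address table objects; nothing to check.
check_run_time_address_table_files() {
    :
}

# Load the netfilter modules the policy depends on.
#   $1 - option string; "nat" in it adds the NAT modules, "ipv6" adds the
#        IPv6 conntrack module.
# Module names are derived from the file names under the running kernel's
# net/ tree. lsmod output is matched on the first column only, so a loaded
# nf_nat_ftp no longer counts as nf_nat already being loaded (the original
# used an unanchored substring grep). Exits 1 if modprobe fails.
load_modules() {
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(find "$MODULES_DIR" -name '*conntrack*' \! -name '*ipv6*' |
        sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    case "$OPTS" in
        *nat*)
            MODULES="$MODULES $(find "$MODULES_DIR" -name '*nat*' |
                sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
            ;;
    esac
    case "$OPTS" in
        *ipv6*)
            MODULES="$MODULES $(find "$MODULES_DIR" -name nf_conntrack_ipv6 |
                sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
            ;;
    esac
    for module in $MODULES; do
        # exact match on the module-name column of lsmod output
        if $LSMOD | grep -q "^${module} "; then
            continue
        fi
        $MODPROBE "${module}" || exit 1
    done
}

# Make sure every interface the policy refers to exists; exits 1 otherwise.
verify_interfaces() {
    echo "Verifying interfaces: eth1 eth0"
    for i in eth1 eth0; do
        $IP link show "$i" >/dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# Hook run before the policy is installed.
prolog_commands() {
    echo "Running prolog script"
}

# Hook run after the policy is installed.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog hook, then exit with the status given as $1.
run_epilog_and_exit() {
    epilog_commands
    # $1 is left unquoted on purpose: with no argument this must become a
    # plain "exit" (status of epilog_commands), not exit "" which is an error
    exit $1
}

# Bring the interfaces to the address configuration stored in fwbuilder.
configure_interfaces() {
    :
    # Configure interfaces
    # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689
    # this ensures that secondary ip address is "promoted" to primary
    # when primary address is deleted, instead of deleting both
    # primary and secondary addresses.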
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth1 222.222.222.222/24 222.222.222.0/32 222.222.222.1/32 222.222.222.2/32 222.222.222.3/32 222.222.222.4/32 222.222.222.5/32 222.222.222.6/32 222.222.222.7/32 222.222.222.8/32 222.222.222.9/32 222.222.222.10/32 222.222.222.11/32 222.222.222.12/32 222.222.222.13/32 222.222.222.14/32 222.222.222.15/32 222.222.222.16/32 222.222.222.17/32 222.222.222.18/32 222.222.222.19/32 222.222.222.20/32 222.222.222.21/32 222.222.222.22/32 222.222.222.23/32 222.222.222.24/32 222.222.222.25/32 222.222.222.26/32 222.222.222.27/32 222.222.222.28/32 222.222.222.29/32 222.222.222.30/32 222.222.222.31/32 222.222.222.32/32 222.222.222.33/32 222.222.222.34/32 222.222.222.35/32 222.222.222.36/32 222.222.222.37/32 222.222.222.38/32 222.222.222.39/32 222.222.222.40/32 222.222.222.41/32 222.222.222.42/32 222.222.222.43/32 222.222.222.44/32 222.222.222.45/32 222.222.222.46/32 222.222.222.47/32 222.222.222.48/32 222.222.222.49/32 222.222.222.50/32 222.222.222.51/32 222.222.222.52/32 222.222.222.53/32 222.222.222.54/32 222.222.222.55/32 222.222.222.56/32 222.222.222.57/32 222.222.222.58/32 222.222.222.59/32 222.222.222.60/32 222.222.222.61/32 222.222.222.62/32 222.222.222.63/32 222.222.222.64/32 222.222.222.65/32 222.222.222.66/32 222.222.222.67/32 222.222.222.68/32 222.222.222.69/32 222.222.222.70/32 222.222.222.71/32 222.222.222.72/32 222.222.222.73/32 222.222.222.74/32 222.222.222.75/32 222.222.222.76/32 222.222.222.77/32 222.222.222.78/32 222.222.222.79/32 222.222.222.80/32 222.222.222.81/32 222.222.222.82/32 222.222.222.83/32 222.222.222.84/32 222.222.222.85/32 222.222.222.86/32 222.222.222.87/32 222.222.222.88/32 222.222.222.89/32 222.222.222.90/32 222.222.222.91/32 222.222.222.92/32 222.222.222.93/32 222.222.222.94/32 222.222.222.95/32 222.222.222.96/32 222.222.222.97/32 
222.222.222.98/32 222.222.222.99/32 222.222.222.100/32 222.222.222.101/32 222.222.222.102/32 222.222.222.103/32 222.222.222.104/32 222.222.222.105/32 222.222.222.106/32 222.222.222.107/32 222.222.222.108/32 222.222.222.109/32 222.222.222.110/32 222.222.222.111/32 222.222.222.112/32 222.222.222.113/32 222.222.222.114/32 222.222.222.115/32 222.222.222.116/32 222.222.222.117/32 222.222.222.118/32 222.222.222.119/32 222.222.222.120/32 222.222.222.121/32 222.222.222.122/32 222.222.222.123/32 222.222.222.124/32 222.222.222.125/32 222.222.222.126/32 222.222.222.127/32 222.222.222.128/32 222.222.222.129/32 222.222.222.130/32 222.222.222.131/32 222.222.222.132/32 222.222.222.133/32 222.222.222.134/32 222.222.222.135/32 222.222.222.136/32 222.222.222.137/32 222.222.222.138/32 222.222.222.139/32 222.222.222.140/32 222.222.222.141/32 222.222.222.142/32 222.222.222.143/32 222.222.222.144/32 222.222.222.145/32 222.222.222.146/32 222.222.222.147/32 222.222.222.148/32 222.222.222.149/32 222.222.222.150/32 222.222.222.151/32 222.222.222.152/32 222.222.222.153/32 222.222.222.154/32 222.222.222.155/32 222.222.222.156/32 222.222.222.157/32 222.222.222.158/32 222.222.222.159/32 222.222.222.160/32 222.222.222.161/32 222.222.222.162/32 222.222.222.163/32 222.222.222.164/32 222.222.222.165/32 222.222.222.166/32 222.222.222.167/32 222.222.222.168/32 222.222.222.169/32 222.222.222.170/32 222.222.222.171/32 222.222.222.172/32 222.222.222.173/32 222.222.222.174/32 222.222.222.175/32 222.222.222.176/32 222.222.222.177/32 222.222.222.178/32 222.222.222.179/32 222.222.222.180/32 222.222.222.181/32 222.222.222.182/32 222.222.222.183/32 222.222.222.184/32 222.222.222.185/32 222.222.222.186/32 222.222.222.187/32 222.222.222.188/32 222.222.222.189/32 222.222.222.190/32 222.222.222.191/32 222.222.222.192/32 222.222.222.193/32 222.222.222.194/32 222.222.222.195/32 222.222.222.196/32 222.222.222.197/32 222.222.222.198/32 222.222.222.199/32 222.222.222.200/32 222.222.222.201/32 222.222.222.202/32 
222.222.222.203/32 222.222.222.204/32 222.222.222.205/32 222.222.222.206/32 222.222.222.207/32 222.222.222.208/32 222.222.222.209/32 222.222.222.210/32 222.222.222.211/32 222.222.222.212/32 222.222.222.213/32 222.222.222.214/32 222.222.222.215/32 222.222.222.216/32 222.222.222.217/32 222.222.222.218/32 222.222.222.219/32 222.222.222.220/32 222.222.222.221/32 222.222.222.222/32 222.222.222.223/32 222.222.222.224/32 222.222.222.225/32 222.222.222.226/32 222.222.222.227/32 222.222.222.228/32 222.222.222.229/32 222.222.222.230/32 222.222.222.231/32 222.222.222.232/32 222.222.222.233/32 222.222.222.234/32 222.222.222.235/32 222.222.222.236/32 222.222.222.237/32 222.222.222.238/32 222.222.222.239/32 222.222.222.240/32 222.222.222.241/32 222.222.222.242/32 222.222.222.243/32 222.222.222.244/32 222.222.222.245/32 222.222.222.246/32 222.222.222.247/32 222.222.222.248/32 222.222.222.249/32 222.222.222.250/32 222.222.222.251/32 222.222.222.252/32 222.222.222.253/32 222.222.222.254/32 222.222.222.40/24 222.222.222.41/24" "" update_addresses_of_interface "eth0 192.168.1.1/24 192.168.1.20/24 192.168.1.10/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # backup ssh access $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.100/255.255.255.255 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.100/255.255.255.255 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT # drop TCP sessions opened prior firewall restart $IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp ! 
--tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.222 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 222.222.222.0/24 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # # firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10/31 -j SNAT --to-source 222.222.222.10-222.222.222.100 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.12/30 -j SNAT --to-source 222.222.222.10-222.222.222.100 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.16/28 -j SNAT --to-source 222.222.222.10-222.222.222.100 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.32/27 -j SNAT --to-source 222.222.222.10-222.222.222.100 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.64/27 -j SNAT --to-source 222.222.222.10-222.222.222.100 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.96/30 -j SNAT --to-source 222.222.222.10-222.222.222.100 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.100 -j SNAT --to-source 222.222.222.10-222.222.222.100 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.20 --dport 80 -j DNAT --to-destination :3128 $IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -s 
192.168.1.0/24 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -d 22.22.22.23 --dport 4000:4010 -j SNAT --to-source 192.168.1.10 $IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -d 22.22.22.23 --dport 3128 -j SNAT --to-source 192.168.1.10 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 25 -j DNAT --to-destination 192.168.1.10:25 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 25 -j DNAT --to-destination 192.168.1.10:25 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 222.222.222.222 --icmp-type 8/0 -j DNAT --to-destination 192.168.1.10 # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 222.222.222.222 --icmp-type 8/0 -j DNAT --to-destination 192.168.1.10 # # Rule 9 (NAT) # echo "Rule 9 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 1000:1010 -d 192.168.1.1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 1000:1010 -d 222.222.222.222 -j DNAT --to-destination 192.168.1.10 # # Rule 10 (NAT) # echo "Rule 10 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --sport 1000:1010 -j SNAT --to-source 222.222.222.222:1000-1010 # # Rule 11 (NAT) # echo "Rule 11 (NAT)" # # firewall:NAT:11: warning: SNAT rule can not match MAC address. 
Object CA(host-with-mac-1:1) removed from the rule $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 25 -j SNAT --to-source 222.222.222.222 # # Rule 12 (NAT) # echo "Rule 12 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source 00:10:4b:de:e9:70 -d 222.222.222.40 --dport 25 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source 00:10:4b:de:e9:70 -d 222.222.222.41 --dport 25 -j DNAT --to-destination 192.168.1.10 # # Rule 13 (NAT) # echo "Rule 13 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source aa:bb:cc:dd:ee:ff -s 192.168.1.15 -d 222.222.222.40 --dport 25 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source aa:bb:cc:dd:ee:ff -s 192.168.1.15 -d 222.222.222.41 --dport 25 -j DNAT --to-destination 192.168.1.10 # # Rule 14 (NAT) # echo "Rule 14 (NAT)" # # hsould match mac and ip addresses $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source 00:10:4b:de:e9:71 -d 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source 00:10:4b:de:e9:71 -d 222.222.222.222 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source 00:10:4b:de:e9:70 -d 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source 00:10:4b:de:e9:70 -d 222.222.222.222 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -d 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac 
--mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -d 222.222.222.222 --dport 80 -j DNAT --to-destination 192.168.1.10 # # Rule 15 (NAT) # echo "Rule 15 (NAT)" # # ensure generated rules match different mac addresses $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -d 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -d 222.222.222.222 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source aa:bb:cc:dd:ee:ff -s 192.168.1.15 -d 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source aa:bb:cc:dd:ee:ff -s 192.168.1.15 -d 222.222.222.222 --dport 80 -j DNAT --to-destination 192.168.1.10 # # Rule 16 (NAT) # echo "Rule 16 (NAT)" # # should match mac and ip addresses # firewall:NAT:16: warning: SNAT rule can not match MAC address. 
Object CA(host-with-mac-1:1) removed from the rule $IPTABLES -t nat -N Cid445F52DE31658.0 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j Cid445F52DE31658.0 $IPTABLES -t nat -A Cid445F52DE31658.0 -d 61.150.47.112 -j RETURN $IPTABLES -t nat -A Cid445F52DE31658.0 -d 223.223.223.223 -j RETURN $IPTABLES -t nat -A Cid445F52DE31658.0 -p tcp -m tcp --dport 80 -j SNAT --to-source 222.222.222.222 # # Rule 17 (NAT) # echo "Rule 17 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 1024:65535 -d 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.10:80 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 1024:65535 -d 222.222.222.222 --dport 80 -j DNAT --to-destination 192.168.1.10:80 # # Rule 18 (NAT) # echo "Rule 18 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 53 -d 192.168.1.1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 53 -d 222.222.222.222 -j DNAT --to-destination 192.168.1.10 # # Rule 19 (NAT) # echo "Rule 19 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 4000:4010 -j DNAT --to-destination 192.168.1.10:4000-4010 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 4000:4010 -j DNAT --to-destination 192.168.1.10:4000-4010 # # Rule 20 (NAT) # echo "Rule 20 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 4000:4010 -j SNAT --to-source 222.222.222.222 # # Rule 21 (NAT) # echo "Rule 21 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.10 --dport 3128 -j DNAT --to-destination :80 # # Rule 22 (NAT) # echo "Rule 22 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j DNAT --to-destination :80 # # Rule 23 (NAT) # echo "Rule 23 (NAT)" # # should use multiport # and account for # no more than 15 ports # per rule $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A 
PREROUTING -p tcp -m tcp -m multiport -d 222.222.222.222 --dports 113,13,53,2105,21,70,80,443,143,993,6667,6667,543,544,389 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 222.222.222.222 --dports 98,3306,2049,119,110,5432,515,26000,512,513,514,4321,25,465,1080 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 222.222.222.222 --dports 3128,22,111,23,540,7100 -j DNAT --to-destination 192.168.1.10 # # Rule 24 (NAT) # echo "Rule 24 (NAT)" # # should use multiport # and account for # no more than 15 ports # per rule $IPTABLES -t nat -N Cid3EF4288E.0 $IPTABLES -t nat -A PREROUTING -d 222.222.222.222 -j Cid3EF4288E.0 $IPTABLES -t nat -A Cid3EF4288E.0 -p tcp -m tcp --dport 10000:11000 -j RETURN $IPTABLES -t nat -A Cid3EF4288E.0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,143,993,6667,6667,543,544,389 -j RETURN $IPTABLES -t nat -A Cid3EF4288E.0 -p tcp -m tcp -m multiport --dports 98,3306,2049,119,110,5432,515,26000,512,513,514,4321,25,465,1080 -j RETURN $IPTABLES -t nat -A Cid3EF4288E.0 -p tcp -m tcp -m multiport --dports 3128,22,111,23,540,7100 -j RETURN $IPTABLES -t nat -A Cid3EF4288E.0 -j DNAT --to-destination 192.168.1.10 # ================ Table 'filter', rule set Policy # # Rule 0 (eth1) # echo "Rule 0 (eth1)" # # Automatically generated rule blocking short fragments $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth1 -p all -f -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -p all -f -j In_RULE_0 $IPTABLES -A In_RULE_0 -m limit --limit 5/second -j LOG --log-level 7 --log-prefix "CUSTOM LOGGING" $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (eth1) # echo "Rule 1 (eth1)" # # тестовый комментарий по-русски. 
Проверяем конвертацию из/в Utf8 $IPTABLES -N Cid3B09D29D.0 $IPTABLES -A INPUT -i eth1 -p all -f -j Cid3B09D29D.0 $IPTABLES -N In_RULE_1 $IPTABLES -A Cid3B09D29D.0 -d 192.168.1.1 -j In_RULE_1 $IPTABLES -A Cid3B09D29D.0 -d 222.222.222.222 -j In_RULE_1 $IPTABLES -A In_RULE_1 -m limit --limit 5/second -j LOG --log-level 7 --log-prefix "CUSTOM LOGGING" $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (eth1) # echo "Rule 2 (eth1)" # # Automatically generated anti-spoofing rule $IPTABLES -N In_RULE_2 $IPTABLES -A INPUT -i eth1 -s 192.168.1.1 -j In_RULE_2 $IPTABLES -A INPUT -i eth1 -s 222.222.222.222 -j In_RULE_2 $IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.1 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -s 222.222.222.222 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_2 $IPTABLES -A In_RULE_2 -m limit --limit 5/second -j LOG --log-level 7 --log-prefix "CUSTOM LOGGING" $IPTABLES -A In_RULE_2 -j DROP # # Rule 3 (eth1) # echo "Rule 3 (eth1)" # $IPTABLES -N Cid47421X33852.0 $IPTABLES -A INPUT -i eth1 -p udp -m udp --dport 53 -m state --state NEW -j Cid47421X33852.0 $IPTABLES -A Cid47421X33852.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid47421X33852.0 -d 222.222.222.222 -j ACCEPT $IPTABLES -N Cid47421X33852.1 $IPTABLES -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW -j Cid47421X33852.1 $IPTABLES -A Cid47421X33852.1 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid47421X33852.1 -d 222.222.222.222 -j ACCEPT # # Rule 4 (eth1) # echo "Rule 4 (eth1)" # # rule in FORWARD chain with # -o eth1 and dest address of the firewall # is pretty much impossible $IPTABLES -A INPUT -i eth1 -p udp -m udp -d 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -d 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT # # Rule 5 (eth1) # echo "Rule 5 (eth1)" # $IPTABLES -A INPUT -i eth1 -p udp -m udp -d 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A 
FORWARD -i eth1 -p udp -m udp -d 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -d 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -d 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p udp -m udp -d 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT # # Rule 6 (eth1) # echo "Rule 6 (eth1)" # $IPTABLES -A INPUT -i eth1 -p udp -m udp -d 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p udp -m udp -d 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -d 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -d 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p udp -m udp -d 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT # # Rule 7 (eth1) # echo "Rule 7 (eth1)" # $IPTABLES -N Cid112281X33852.0 $IPTABLES -A INPUT -i eth1 -p udp -m udp --dport 53 -m state --state NEW -j Cid112281X33852.0 $IPTABLES -A Cid112281X33852.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid112281X33852.0 -s 222.222.222.222 -j ACCEPT $IPTABLES -N Cid112281X33852.1 $IPTABLES -A FORWARD -i eth1 -p udp -m udp --dport 53 -m state --state NEW -j Cid112281X33852.1 $IPTABLES -A Cid112281X33852.1 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid112281X33852.1 -s 222.222.222.222 -j ACCEPT $IPTABLES -N Cid112281X33852.2 $IPTABLES -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW -j Cid112281X33852.2 $IPTABLES -A Cid112281X33852.2 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid112281X33852.2 -s 222.222.222.222 -j ACCEPT # # Rule 8 (eth1) # echo "Rule 8 (eth1)" # # keep FORWARD chain # because it is needed for anti-spoofing rules $IPTABLES -A INPUT -i eth1 -p udp -m udp -s 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p udp -m udp -s 222.222.222.222 --dport 53 -m 
state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -s 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT # # Rule 9 (eth1) # echo "Rule 9 (eth1)" # $IPTABLES -A INPUT -i eth1 -p udp -m udp -s 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -p udp -m udp -s 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p udp -m udp -s 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p udp -m udp -s 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -s 222.222.222.222 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p udp -m udp -s 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT # # Rule 10 (eth0) # echo "Rule 10 (eth0)" # $IPTABLES -N Cid3B92DFC5.0 $IPTABLES -A INPUT -i eth0 -p udp -m udp -s 192.168.1.0/24 --dport 53 -m state --state NEW -j Cid3B92DFC5.0 $IPTABLES -A Cid3B92DFC5.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3B92DFC5.0 -d 222.222.222.222 -j ACCEPT $IPTABLES -N Cid3B92DFC5.1 $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 --dport 53 -m state --state NEW -j Cid3B92DFC5.1 $IPTABLES -A Cid3B92DFC5.1 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3B92DFC5.1 -d 222.222.222.222 -j ACCEPT # # Rule 11 (eth0) # echo "Rule 11 (eth0)" # # code should go into INPUT chain with # address in destination for comparison $IPTABLES -N In_RULE_11 $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 192.168.1.255 --dport 53 -j In_RULE_11 $IPTABLES -A In_RULE_11 -m limit --limit 5/second -j LOG --log-level 7 --log-prefix "CUSTOM LOGGING" $IPTABLES -A In_RULE_11 -j DROP # # Rule 12 (eth0) # echo "Rule 12 (eth0)" # $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT # # Rule 13 (eth0,eth1) # echo "Rule 13 (eth0,eth1)" # # reject using connlimit $IPTABLES -A INPUT -i eth0 
-d 192.168.1.1 -m connlimit --connlimit-above 2 --connlimit-mask 24 -j DROP $IPTABLES -A INPUT -i eth0 -d 222.222.222.222 -m connlimit --connlimit-above 2 --connlimit-mask 24 -j DROP $IPTABLES -A INPUT -i eth1 -d 192.168.1.1 -m connlimit --connlimit-above 2 --connlimit-mask 24 -j DROP $IPTABLES -A INPUT -i eth1 -d 222.222.222.222 -m connlimit --connlimit-above 2 --connlimit-mask 24 -j DROP # # Rule 14 (eth0,eth1) # echo "Rule 14 (eth0,eth1)" # # reject using connlimit $IPTABLES -A INPUT -i eth0 -d 192.168.1.1 -m dstlimit --dstlimit 2/second --dstlimit-burst 5 --dstlimit-mode destip --dstlimit-name htable_rule_14 -j DROP $IPTABLES -A INPUT -i eth0 -d 222.222.222.222 -m dstlimit --dstlimit 2/second --dstlimit-burst 5 --dstlimit-mode destip --dstlimit-name htable_rule_14 -j DROP $IPTABLES -A INPUT -i eth1 -d 192.168.1.1 -m dstlimit --dstlimit 2/second --dstlimit-burst 5 --dstlimit-mode destip --dstlimit-name htable_rule_14 -j DROP $IPTABLES -A INPUT -i eth1 -d 222.222.222.222 -m dstlimit --dstlimit 2/second --dstlimit-burst 5 --dstlimit-mode destip --dstlimit-name htable_rule_14 -j DROP # # Rule 15 (eth0,eth1) # echo "Rule 15 (eth0,eth1)" # $IPTABLES -A INPUT -i eth0 -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth0 -d 222.222.222.222 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -d 222.222.222.222 -m state --state NEW -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # OUTPUT $IPTABLES -N Cid469F1D0830391.0 $IPTABLES -A OUTPUT -d 1.1.1.1 -j Cid469F1D0830391.0 $IPTABLES -A Cid469F1D0830391.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid469F1D0830391.0 -s 222.222.222.222 -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # # INTPUT with "-i +" # "-i +" is redundant if chain is INPUT, # optimization removes it $IPTABLES -N Cid469F1CF730391.0 $IPTABLES -A INPUT -s 1.1.1.1 -j Cid469F1CF730391.0 $IPTABLES -A Cid469F1CF730391.0 -d 192.168.1.1 -j ACCEPT 
$IPTABLES -A Cid469F1CF730391.0 -d 222.222.222.222 -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # # OUTPUT + FORWARD $IPTABLES -A OUTPUT -d 1.1.1.1 -j ACCEPT $IPTABLES -A FORWARD -o + -d 1.1.1.1 -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # # INPUT + FORWARD $IPTABLES -A INPUT -s 1.1.1.1 -j ACCEPT $IPTABLES -A FORWARD -i + -s 1.1.1.1 -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # # OUTPUT + FORWARD $IPTABLES -A OUTPUT -d 1.1.1.1 -j ACCEPT $IPTABLES -A FORWARD -d 1.1.1.1 -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # # INPUT + FORWARD $IPTABLES -A INPUT -s 1.1.1.1 -j ACCEPT $IPTABLES -A FORWARD -s 1.1.1.1 -j ACCEPT # # Rule 22 (global) # echo "Rule 22 (global)" # $IPTABLES -N RULE_22 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -j RULE_22 $IPTABLES -A OUTPUT -p tcp -m tcp --tcp-flags ALL NONE -j RULE_22 $IPTABLES -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_22 $IPTABLES -A OUTPUT -p tcp -m tcp --tcp-flags ALL ACK,RST,SYN,FIN -j RULE_22 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -j RULE_22 $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j RULE_22 $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_22 $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags ALL ACK,RST,SYN,FIN -j RULE_22 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -j RULE_22 $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags ALL NONE -j RULE_22 $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_22 $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags ALL ACK,RST,SYN,FIN -j RULE_22 $IPTABLES -A RULE_22 -m limit --limit 5/second -j LOG --log-level 7 --log-prefix "CUSTOM LOGGING" $IPTABLES -A RULE_22 -j DROP # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -A OUTPUT -p all -m ipv4options --rr -j DROP $IPTABLES -A OUTPUT -p all -m ipv4options --lsrr --ssrr -j DROP $IPTABLES -A OUTPUT -p all -m ipv4options --ts -j DROP $IPTABLES -A INPUT -p all -m ipv4options --rr -j DROP $IPTABLES -A 
INPUT -p all -m ipv4options --lsrr --ssrr -j DROP $IPTABLES -A INPUT -p all -m ipv4options --ts -j DROP $IPTABLES -A FORWARD -p all -m ipv4options --rr -j DROP $IPTABLES -A FORWARD -p all -m ipv4options --lsrr --ssrr -j DROP $IPTABLES -A FORWARD -p all -m ipv4options --ts -j DROP # # Rule 24 (global) # echo "Rule 24 (global)" # $IPTABLES -A OUTPUT -p all -m ipv4options --any-opt -j DROP $IPTABLES -A INPUT -p all -m ipv4options --any-opt -j DROP $IPTABLES -A FORWARD -p all -m ipv4options --any-opt -j DROP # # Rule 25 (global) # echo "Rule 25 (global)" # $IPTABLES -A OUTPUT -p all -m dscp --dscp-class AF4 -m ipv4options --lsrr --ra -j DROP $IPTABLES -A INPUT -p all -m dscp --dscp-class AF4 -m ipv4options --lsrr --ra -j DROP $IPTABLES -A FORWARD -p all -m dscp --dscp-class AF4 -m ipv4options --lsrr --ra -j DROP # # Rule 26 (global) # echo "Rule 26 (global)" # $IPTABLES -N RULE_26 $IPTABLES -A OUTPUT -p tcp -m state --state ESTABLISHED --tcp-flags SYN,ACK,RST,URG ACK -j RULE_26 $IPTABLES -A OUTPUT -p tcp -m state --state ESTABLISHED --tcp-flags SYN,FIN,RST,URG,PSH RST -j RULE_26 $IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED --tcp-flags SYN,ACK,RST,URG ACK -j RULE_26 $IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED --tcp-flags SYN,FIN,RST,URG,PSH RST -j RULE_26 $IPTABLES -A FORWARD -p tcp -m state --state ESTABLISHED --tcp-flags SYN,ACK,RST,URG ACK -j RULE_26 $IPTABLES -A FORWARD -p tcp -m state --state ESTABLISHED --tcp-flags SYN,FIN,RST,URG,PSH RST -j RULE_26 $IPTABLES -A RULE_26 -m limit --limit 5/second -j LOG --log-level 7 --log-prefix "CUSTOM LOGGING" $IPTABLES -A RULE_26 -j DROP # # Rule 28 (global) # echo "Rule 28 (global)" # # both src and dst have multiple interfaces $IPTABLES -N Cid3EE24E9C.0 $IPTABLES -A INPUT -s 192.168.1.1 -m state --state NEW -j Cid3EE24E9C.0 $IPTABLES -A INPUT -s 222.222.222.222 -m state --state NEW -j Cid3EE24E9C.0 $IPTABLES -A Cid3EE24E9C.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3EE24E9C.0 -d 222.222.222.222 -j ACCEPT 
$IPTABLES -N Cid3EE24E9C.1 $IPTABLES -A OUTPUT -s 192.168.1.1 -m state --state NEW -j Cid3EE24E9C.1 $IPTABLES -A OUTPUT -s 222.222.222.222 -m state --state NEW -j Cid3EE24E9C.1 $IPTABLES -A Cid3EE24E9C.1 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3EE24E9C.1 -d 222.222.222.222 -j ACCEPT $IPTABLES -N Cid3EE24E9C.2 $IPTABLES -A OUTPUT -s 192.168.1.1 -m state --state NEW -j Cid3EE24E9C.2 $IPTABLES -A OUTPUT -s 222.222.222.222 -m state --state NEW -j Cid3EE24E9C.2 $IPTABLES -A Cid3EE24E9C.2 -d 33.33.33.33 -j ACCEPT $IPTABLES -A Cid3EE24E9C.2 -d 172.16.1.1 -j ACCEPT $IPTABLES -A Cid3EE24E9C.2 -d 192.168.100.1 -j ACCEPT $IPTABLES -N Cid3EE24E9C.3 $IPTABLES -A INPUT -d 192.168.1.1 -m state --state NEW -j Cid3EE24E9C.3 $IPTABLES -A INPUT -d 222.222.222.222 -m state --state NEW -j Cid3EE24E9C.3 $IPTABLES -A Cid3EE24E9C.3 -s 33.33.33.33 -j ACCEPT $IPTABLES -A Cid3EE24E9C.3 -s 172.16.1.1 -j ACCEPT $IPTABLES -A Cid3EE24E9C.3 -s 192.168.100.1 -j ACCEPT $IPTABLES -N Cid3EE24E9C.4 $IPTABLES -A FORWARD -s 33.33.33.33 -m state --state NEW -j Cid3EE24E9C.4 $IPTABLES -A FORWARD -s 172.16.1.1 -m state --state NEW -j Cid3EE24E9C.4 $IPTABLES -A FORWARD -s 192.168.100.1 -m state --state NEW -j Cid3EE24E9C.4 $IPTABLES -A Cid3EE24E9C.4 -d 33.33.33.33 -j ACCEPT $IPTABLES -A Cid3EE24E9C.4 -d 172.16.1.1 -j ACCEPT $IPTABLES -A Cid3EE24E9C.4 -d 192.168.100.1 -j ACCEPT # # Rule 29 (global) # echo "Rule 29 (global)" # $IPTABLES -A FORWARD -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -d 192.168.1.10 -m state --state NEW -j ACCEPT # # Rule 30 (global) # echo "Rule 30 (global)" # $IPTABLES -N Cid3E0AA611.0 $IPTABLES -A INPUT -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -m state --state NEW -j Cid3E0AA611.0 $IPTABLES -A Cid3E0AA611.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3E0AA611.0 -d 222.222.222.222 -j ACCEPT # # Rule 31 (global) # echo "Rule 31 (global)" # $IPTABLES -A FORWARD -m mac --mac-source 00:10:4b:de:e9:70 -d 192.168.1.10 -m state --state NEW -j ACCEPT # # Rule 32 (global) 
# echo "Rule 32 (global)" # $IPTABLES -N Cid3E0AA504.0 $IPTABLES -A INPUT -m mac --mac-source 00:10:4b:de:e9:70 -m state --state NEW -j Cid3E0AA504.0 $IPTABLES -A Cid3E0AA504.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3E0AA504.0 -d 222.222.222.222 -j ACCEPT # # Rule 33 (global) # echo "Rule 33 (global)" # $IPTABLES -A FORWARD -m mac --mac-source 00:10:4b:de:e9:70 -d 200.200.200.200 -m state --state NEW -j ACCEPT # # Rule 34 (global) # echo "Rule 34 (global)" # $IPTABLES -N Cid3E0F40D5.0 $IPTABLES -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -s 192.168.1.15 -m state --state NEW -j Cid3E0F40D5.0 $IPTABLES -A Cid3E0F40D5.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3E0F40D5.0 -d 222.222.222.222 -j ACCEPT # # Rule 35 (global) # echo "Rule 35 (global)" # $IPTABLES -N Cid3E0F452C.0 $IPTABLES -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -m state --state NEW -j Cid3E0F452C.0 $IPTABLES -A Cid3E0F452C.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3E0F452C.0 -d 222.222.222.222 -j ACCEPT # # Rule 36 (global) # echo "Rule 36 (global)" # # firewall:Policy:36: warning: Empty MAC address in rule $IPTABLES -N Cid3DB0B422.0 $IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3DB0B422.0 $IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT $IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT # # Rule 37 (global) # echo "Rule 37 (global)" # # firewall:Policy:37: warning: Empty MAC address in rule $IPTABLES -N Cid3DB0B628.0 $IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3DB0B628.0 $IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT $IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 
00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT $IPTABLES -A Cid3DB0B628.0 -s 192.168.1.20 -j ACCEPT # # Rule 38 (global) # echo "Rule 38 (global)" # # firewall:Policy:38: warning: Empty MAC address in rule $IPTABLES -N Cid3DE474B7.0 $IPTABLES -A FORWARD -p tcp -m tcp --sport 53 -d 192.168.1.10 -m state --state NEW -j Cid3DE474B7.0 $IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT $IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT # # Rule 39 (global) # echo "Rule 39 (global)" # # firewall:Policy:39: warning: Empty MAC address in rule $IPTABLES -N Cpol-firewall2-2.0 $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.1.10 --dport 10000:11000 -m state --state NEW -j Cpol-firewall2-2.0 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 192.168.1.10 --dports 113,13,53,2105,21,70,80,443,143,993,6667,6667,543,544,389 -m state --state NEW -j Cpol-firewall2-2.0 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 192.168.1.10 --dports 98,3306,2049,119,110,5432,515,26000,512,513,514,4321,25,465,1080 -m state --state NEW -j Cpol-firewall2-2.0 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 192.168.1.10 --dports 3128,22,111,23,540,7100 -m state --state NEW -j Cpol-firewall2-2.0 $IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT $IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT # # Rule 40 (global) # echo "Rule 40 (global)" # # firewall:Policy:40: warning: Empty MAC address in rule $IPTABLES -N Cid445FAA6D31658.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid445FAA6D31658.0 $IPTABLES -A Cid445FAA6D31658.0 -m mac 
--mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT $IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT $IPTABLES -N Cid445FAA6D31658.1 $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j Cid445FAA6D31658.1 $IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT $IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT # # Rule 41 (global) # echo "Rule 41 (global)" # # firewall:Policy:41: warning: Can not match MAC address of the firewall (chain OUTPUT) $IPTABLES -A OUTPUT -s 192.168.1.1 -d 192.168.1.10 -m state --state NEW -j ACCEPT # # Rule 42 (global) # echo "Rule 42 (global)" # $IPTABLES -N Cpol-firewall2-3.0 $IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cpol-firewall2-3.0 $IPTABLES -N Cpol-firewall2-3.1 $IPTABLES -A Cpol-firewall2-3.0 -s 211.11.11.11 -j Cpol-firewall2-3.1 $IPTABLES -A Cpol-firewall2-3.0 -s 211.22.22.22 -j Cpol-firewall2-3.1 $IPTABLES -N RULE_42 $IPTABLES -A Cpol-firewall2-3.1 -m time --timestart 18:00 --timestop 23:59 -j RULE_42 $IPTABLES -A Cpol-firewall2-3.1 -m time --timestart 00:00 --timestop 23:59 --days Sat -j RULE_42 $IPTABLES -A Cpol-firewall2-3.1 -m time --timestart 00:00 --timestop 23:59 --days Sun -j RULE_42 $IPTABLES -A Cpol-firewall2-3.1 -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j RULE_42 $IPTABLES -A RULE_42 -m limit --limit 5/second -j LOG --log-level 7 --log-prefix "CUSTOM LOGGING" $IPTABLES -A RULE_42 -j ACCEPT # # Rule 43 (global) # echo "Rule 43 (global)" # $IPTABLES -N Cid3FB8455E.0 $IPTABLES -A FORWARD -p tcp -m tcp --dport 10000:11000 -m state --state NEW -j 
Cid3FB8455E.0 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,143,993,6667,6667,543,544,389 -m state --state NEW -j Cid3FB8455E.0 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 98,3306,2049,119,110,5432,515,26000,512,513,514,4321,25,465,1080 -m state --state NEW -j Cid3FB8455E.0 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 3128,22,111,23,540,7100 -m state --state NEW -j Cid3FB8455E.0 $IPTABLES -N Cid3FB8455E.1 $IPTABLES -A Cid3FB8455E.0 -s 211.11.11.11 -j Cid3FB8455E.1 $IPTABLES -A Cid3FB8455E.0 -s 211.22.22.22 -j Cid3FB8455E.1 $IPTABLES -A Cid3FB8455E.1 -d 192.168.1.10 -j ACCEPT $IPTABLES -A Cid3FB8455E.1 -d 192.168.1.20 -j ACCEPT # # Rule 44 (global) # echo "Rule 44 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -m state --state NEW -j ACCEPT # # Rule 45 (global) # echo "Rule 45 (global)" # # Rule #20 test: from Rock $IPTABLES -A OUTPUT -p tcp -m tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp --sport 53 -d 192.168.1.10 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport -d 192.168.1.10 --dports 53,3128 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp --sport 53 -d 192.168.1.10 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 192.168.1.10 --dports 53,3128 -m state --state NEW -j ACCEPT # # Rule 46 (global) # echo "Rule 46 (global)" # $IPTABLES -N Cpol-firewall2-4.0 $IPTABLES -A OUTPUT -d 192.168.1.0/24 -m state --state NEW -j Cpol-firewall2-4.0 $IPTABLES -A Cpol-firewall2-4.0 -p icmp -m icmp --icmp-type 3 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.0 -p icmp -m icmp --icmp-type 0/0 -j ACCEPT $IPTABLES -A 
Cpol-firewall2-4.0 -p icmp -m icmp --icmp-type 11/0 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.0 -p icmp -m icmp --icmp-type 11/1 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.0 -m ip_conntrack_talk -m ip_nat_talk -j ACCEPT $IPTABLES -N Cpol-firewall2-4.1 $IPTABLES -A INPUT -d 192.168.1.0/24 -m state --state NEW -j Cpol-firewall2-4.1 $IPTABLES -A Cpol-firewall2-4.1 -p icmp -m icmp --icmp-type 3 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.1 -p icmp -m icmp --icmp-type 0/0 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.1 -p icmp -m icmp --icmp-type 11/0 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.1 -p icmp -m icmp --icmp-type 11/1 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.1 -m ip_conntrack_talk -m ip_nat_talk -j ACCEPT $IPTABLES -N Cpol-firewall2-4.2 $IPTABLES -A FORWARD -d 192.168.1.0/24 -m state --state NEW -j Cpol-firewall2-4.2 $IPTABLES -A Cpol-firewall2-4.2 -p icmp -m icmp --icmp-type 3 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.2 -p icmp -m icmp --icmp-type 0/0 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.2 -p icmp -m icmp --icmp-type 11/0 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.2 -p icmp -m icmp --icmp-type 11/1 -j ACCEPT $IPTABLES -A Cpol-firewall2-4.2 -m ip_conntrack_talk -m ip_nat_talk -j ACCEPT # # Rule 47 (global) # echo "Rule 47 (global)" # $IPTABLES -N Cid3CD8770E.0 $IPTABLES -A OUTPUT -d 192.168.1.11 -m state --state NEW -j Cid3CD8770E.0 $IPTABLES -A OUTPUT -d 192.168.1.12/30 -m state --state NEW -j Cid3CD8770E.0 $IPTABLES -A Cid3CD8770E.0 -p tcp -m tcp -m multiport --dports 113,80,443,143,25,22,540 -j ACCEPT $IPTABLES -A Cid3CD8770E.0 -m ip_conntrack_talk -m ip_nat_talk -j ACCEPT $IPTABLES -N Cid3CD8770E.1 $IPTABLES -A INPUT -d 192.168.1.11 -m state --state NEW -j Cid3CD8770E.1 $IPTABLES -A INPUT -d 192.168.1.12/30 -m state --state NEW -j Cid3CD8770E.1 $IPTABLES -A Cid3CD8770E.1 -p tcp -m tcp -m multiport --dports 113,80,443,143,25,22,540 -j ACCEPT $IPTABLES -A Cid3CD8770E.1 -m ip_conntrack_talk -m ip_nat_talk -j ACCEPT $IPTABLES -N Cid3CD8770E.2 $IPTABLES -A FORWARD -d 192.168.1.11 
-m state --state NEW -j Cid3CD8770E.2 $IPTABLES -A FORWARD -d 192.168.1.12/30 -m state --state NEW -j Cid3CD8770E.2 $IPTABLES -A Cid3CD8770E.2 -p tcp -m tcp -m multiport --dports 113,80,443,143,25,22,540 -j ACCEPT $IPTABLES -A Cid3CD8770E.2 -m ip_conntrack_talk -m ip_nat_talk -j ACCEPT # # Rule 48 (global) # echo "Rule 48 (global)" # $IPTABLES -N Cid3CD87B1E.0 $IPTABLES -A OUTPUT -d 192.168.1.11 -m state --state NEW -j Cid3CD87B1E.0 $IPTABLES -A OUTPUT -d 192.168.1.12 -m state --state NEW -j Cid3CD87B1E.0 $IPTABLES -A OUTPUT -d 192.168.1.13 -m state --state NEW -j Cid3CD87B1E.0 $IPTABLES -A OUTPUT -d 192.168.1.14 -m state --state NEW -j Cid3CD87B1E.0 $IPTABLES -A OUTPUT -d 192.168.1.15 -m state --state NEW -j Cid3CD87B1E.0 $IPTABLES -A Cid3CD87B1E.0 -p tcp -m tcp -m multiport --dports 113,80,443,143,25,22,540 -j ACCEPT $IPTABLES -A Cid3CD87B1E.0 -m ip_conntrack_talk -m ip_nat_talk -j ACCEPT $IPTABLES -N Cid3CD87B1E.1 $IPTABLES -A FORWARD -d 192.168.1.11 -m state --state NEW -j Cid3CD87B1E.1 $IPTABLES -A FORWARD -d 192.168.1.12 -m state --state NEW -j Cid3CD87B1E.1 $IPTABLES -A FORWARD -d 192.168.1.13 -m state --state NEW -j Cid3CD87B1E.1 $IPTABLES -A FORWARD -d 192.168.1.14 -m state --state NEW -j Cid3CD87B1E.1 $IPTABLES -A FORWARD -d 192.168.1.15 -m state --state NEW -j Cid3CD87B1E.1 $IPTABLES -A Cid3CD87B1E.1 -p tcp -m tcp -m multiport --dports 113,80,443,143,25,22,540 -j ACCEPT $IPTABLES -A Cid3CD87B1E.1 -m ip_conntrack_talk -m ip_nat_talk -j ACCEPT # # Rule 49 (global) # echo "Rule 49 (global)" # # group "special combined srv" # has couple of UDP services, # plus "ALL UDP" service, which has # empty ports specs. This is special # case for multiport. 
$IPTABLES -N Cid3E1FD93A.0 $IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 -m state --state NEW -j Cid3E1FD93A.0 $IPTABLES -A INPUT -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -m state --state NEW -j Cid3E1FD93A.0 $IPTABLES -A Cid3E1FD93A.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3E1FD93A.0 -d 222.222.222.222 -j ACCEPT # # Rule 50 (global) # echo "Rule 50 (global)" # # another test case for multiport: this rule # has 16 TCP services and should be split onto # two rules. If both rules use "-m multiport", then # rule with a single service should use "--dports". # It may be acceptable to not use multiport # in the rule with a single service at all. $IPTABLES -N Cid41D0F052.0 $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 10000:11000 -m state --state NEW -j Cid41D0F052.0 $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport -s 192.168.1.0/24 --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -m state --state NEW -j Cid41D0F052.0 $IPTABLES -N RULE_50 $IPTABLES -A Cid41D0F052.0 -d 192.168.1.11 -j RULE_50 $IPTABLES -A Cid41D0F052.0 -d 192.168.1.12/30 -j RULE_50 $IPTABLES -N Cid41D0F052.1 $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 10000:11000 -m state --state NEW -j Cid41D0F052.1 $IPTABLES -A INPUT -p tcp -m tcp -m multiport -s 192.168.1.0/24 --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -m state --state NEW -j Cid41D0F052.1 $IPTABLES -A Cid41D0F052.1 -d 192.168.1.11 -j RULE_50 $IPTABLES -A Cid41D0F052.1 -d 192.168.1.12/30 -j RULE_50 $IPTABLES -N Cid41D0F052.2 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 10000:11000 -m state --state NEW -j Cid41D0F052.2 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -s 192.168.1.0/24 --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -m state --state NEW -j Cid41D0F052.2 $IPTABLES -A Cid41D0F052.2 -d 192.168.1.11 -j RULE_50 $IPTABLES -A Cid41D0F052.2 -d 192.168.1.12/30 -j RULE_50 $IPTABLES -A RULE_50 -m limit --limit 5/second -j LOG 
--log-level 7 --log-prefix "CUSTOM LOGGING" $IPTABLES -A RULE_50 -j ACCEPT # # Rule 51 (global) # echo "Rule 51 (global)" # $IPTABLES -N Cid3B58E180.0 $IPTABLES -A INPUT -s 192.168.1.1 -m state --state NEW -j Cid3B58E180.0 $IPTABLES -A INPUT -s 222.222.222.222 -m state --state NEW -j Cid3B58E180.0 $IPTABLES -N RULE_51 $IPTABLES -A Cid3B58E180.0 -d 192.168.1.1 -j RULE_51 $IPTABLES -A Cid3B58E180.0 -d 222.222.222.222 -j RULE_51 $IPTABLES -N Cid3B58E180.1 $IPTABLES -A OUTPUT -s 192.168.1.1 -m state --state NEW -j Cid3B58E180.1 $IPTABLES -A OUTPUT -s 222.222.222.222 -m state --state NEW -j Cid3B58E180.1 $IPTABLES -A Cid3B58E180.1 -d 192.168.1.1 -j RULE_51 $IPTABLES -A Cid3B58E180.1 -d 222.222.222.222 -j RULE_51 $IPTABLES -A RULE_51 -m limit --limit 5/second -j LOG --log-level 7 --log-prefix "CUSTOM LOGGING" $IPTABLES -A RULE_51 -j ACCEPT # # Rule 52 (global) # echo "Rule 52 (global)" # $IPTABLES -N Cid3D41A4F4.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid3D41A4F4.0 $IPTABLES -N Cid3D41A4F4.1 $IPTABLES -A Cid3D41A4F4.0 -s 192.168.1.1 -j Cid3D41A4F4.1 $IPTABLES -A Cid3D41A4F4.0 -s 222.222.222.222 -j Cid3D41A4F4.1 $IPTABLES -A Cid3D41A4F4.1 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3D41A4F4.1 -d 222.222.222.222 -j ACCEPT $IPTABLES -N Cid3D41A4F4.2 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid3D41A4F4.2 $IPTABLES -N Cid3D41A4F4.3 $IPTABLES -A Cid3D41A4F4.2 -s 192.168.1.1 -j Cid3D41A4F4.3 $IPTABLES -A Cid3D41A4F4.2 -s 222.222.222.222 -j Cid3D41A4F4.3 $IPTABLES -A Cid3D41A4F4.3 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3D41A4F4.3 -d 222.222.222.222 -j ACCEPT $IPTABLES -N Cid3D41A4F4.4 $IPTABLES -A OUTPUT -p udp -m udp -d 200.200.200.200 --dport 161 -m state --state NEW -j Cid3D41A4F4.4 $IPTABLES -A Cid3D41A4F4.4 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3D41A4F4.4 -s 222.222.222.222 -j ACCEPT # # Rule 53 (global) # echo "Rule 53 (global)" # # Automatically generated 'masquerading' rule $IPTABLES -A INPUT -s 192.168.1.1 -m 
state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 222.222.222.222 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 222.222.222.222 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 54 (global) # echo "Rule 54 (global)" # # similar to a standard 'masquerading' # rule, but not so permissive as it does # not allow access to the firewall $IPTABLES -N Cid3CE894DA.0 $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j Cid3CE894DA.0 $IPTABLES -A Cid3CE894DA.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid3CE894DA.0 -d 222.222.222.222 -j RETURN $IPTABLES -A Cid3CE894DA.0 -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 55 (global) # echo "Rule 55 (global)" # $IPTABLES -N Cid40F1CFA3.0 $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j Cid40F1CFA3.0 $IPTABLES -A Cid40F1CFA3.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid40F1CFA3.0 -d 222.222.222.222 -j RETURN $IPTABLES -A Cid40F1CFA3.0 -j ACCEPT $IPTABLES -N Cid40F1CFA3.1 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j Cid40F1CFA3.1 $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j Cid40F1CFA3.1 $IPTABLES -A Cid40F1CFA3.1 -d 33.33.33.0/24 -j RETURN $IPTABLES -A Cid40F1CFA3.1 -j ACCEPT # # Rule 56 (global) # echo "Rule 56 (global)" # $IPTABLES -N Cid413D6500.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 10000:11000 -m state --state NEW -j Cid413D6500.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -m state --state NEW -j Cid413D6500.0 $IPTABLES -A OUTPUT -p udp -m udp -m multiport --dports 53,161 -m state --state NEW -j Cid413D6500.0 $IPTABLES -N Cid413D6500.1 $IPTABLES -A Cid413D6500.0 -s 192.168.1.0/24 -j Cid413D6500.1 
$IPTABLES -A Cid413D6500.0 -s 192.168.2.0/24 -j Cid413D6500.1 $IPTABLES -A Cid413D6500.1 -d 192.168.1.0/24 -j ACCEPT $IPTABLES -A Cid413D6500.1 -d 192.168.2.0/24 -j ACCEPT $IPTABLES -N Cid413D6500.2 $IPTABLES -A INPUT -p tcp -m tcp --dport 10000:11000 -m state --state NEW -j Cid413D6500.2 $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -m state --state NEW -j Cid413D6500.2 $IPTABLES -A INPUT -p udp -m udp -m multiport --dports 53,161 -m state --state NEW -j Cid413D6500.2 $IPTABLES -N Cid413D6500.3 $IPTABLES -A Cid413D6500.2 -s 192.168.1.0/24 -j Cid413D6500.3 $IPTABLES -A Cid413D6500.2 -s 192.168.2.0/24 -j Cid413D6500.3 $IPTABLES -A Cid413D6500.3 -d 192.168.1.0/24 -j ACCEPT $IPTABLES -A Cid413D6500.3 -d 192.168.2.0/24 -j ACCEPT $IPTABLES -N Cid413D6500.4 $IPTABLES -A FORWARD -p tcp -m tcp --dport 10000:11000 -m state --state NEW -j Cid413D6500.4 $IPTABLES -A FORWARD -p tcp -m tcp --dport 113 -m state --state NEW -j Cid413D6500.4 $IPTABLES -A FORWARD -p udp -m udp -m multiport --dports 53,161 -m state --state NEW -j Cid413D6500.4 $IPTABLES -N Cid413D6500.5 $IPTABLES -A Cid413D6500.4 -s 192.168.1.0/24 -j Cid413D6500.5 $IPTABLES -A Cid413D6500.4 -s 192.168.2.0/24 -j Cid413D6500.5 $IPTABLES -A Cid413D6500.5 -d 192.168.1.0/24 -j ACCEPT $IPTABLES -A Cid413D6500.5 -d 192.168.2.0/24 -j ACCEPT # # Rule 57 (global) # echo "Rule 57 (global)" # # Automatically generated 'catch all' rule $IPTABLES -N RULE_57 $IPTABLES -A OUTPUT -j RULE_57 $IPTABLES -A INPUT -j RULE_57 $IPTABLES -A FORWARD -j RULE_57 $IPTABLES -A RULE_57 -m limit --limit 5/second -j LOG --log-level 7 --log-prefix "CUSTOM LOGGING" $IPTABLES -A RULE_57 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all # backup ssh access $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.100/255.255.255.255 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.100/255.255.255.255 --sport 22 -m state --state 
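ESTABLISHED,RELATED -j ACCEPT
}

# "stop": open the firewall completely -- flush every table (reset_all) and
# set the three filter-table policies to ACCEPT.
stop_action() {
  reset_all
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
}

# Probe the kernel's list of netfilter tables given in $1
# (/proc/net/ip_tables_names or /proc/net/ip6_tables_names).
# Returns 151 when the file does not exist (netfilter modules not loaded),
# 152 when it exists but is empty (no tables defined), 0 otherwise.
check_iptables() {
  IP_TABLES="$1"
  [ ! -e "$IP_TABLES" ] && return 151
  NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
  [ -z "$NF_TABLES" ] && return 152
  return 0
}

# "status": return 0 when either the IPv4 or the IPv6 tables are present,
# otherwise print the reason and exit 3 (the LSB "not running" status code).
status_action() {
  check_iptables "/proc/net/ip_tables_names"
  ret_ipv4=$?
  check_iptables "/proc/net/ip6_tables_names"
  ret_ipv6=$?
  # Separate test(1) invocations instead of the obsolescent "-o" operator,
  # which POSIX marks as ambiguous.
  if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
    return 0
  fi
  if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
    echo "iptables modules are not loaded"
  fi
  if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
    echo "Firewall is not configured"
  fi
  exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
  cmd="start"
}
case "$cmd" in
  start)
    log "Activating firewall script generated Sun Mar 18 21:16:06 2012 by vadim"
    check_tools
    prolog_commands
    check_run_time_address_table_files
    load_modules "nat "
    configure_interfaces
    verify_interfaces
    reset_all
    script_body
    ip_forward
    epilog_commands
    # NOTE(review): RETVAL only reflects epilog_commands; a failure inside
    # script_body (a rejected iptables command) is not propagated to the
    # caller, so "start" can report success with an incomplete rule set.
    RETVAL=$?
    ;;
  stop)
    stop_action
    RETVAL=$?
    ;;
  status)
    status_action
    RETVAL=$?
    ;;
  block)
    block_action
    RETVAL=$?
    ;;
  reload)
    "$0" stop
    "$0" start
    RETVAL=$?
    ;;
  interfaces)
    configure_interfaces
    RETVAL=$?
    ;;
  test_interfaces)
    FWBDEBUG="echo"
    configure_interfaces
    RETVAL=$?
    ;;
  *)
    echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" >&2
    # RETVAL used to be left unset here, so an unknown command made the
    # script exit with status 0; a usage error must be a non-zero exit.
    RETVAL=1
    ;;
esac
exit "$RETVAL"
fwbuilder-5.3.7/test/ipt/firewall1.fw.orig000077500000000000000000001402431303637203600204600ustar00rootroot00000000000000
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:16:07 2012 PDT by vadim
#
# files: * firewall1.fw /etc/fw/firewall1.fw
#
# Compiled for iptables (any version)
#
# this object is used to test all kinds of negation in policy and NAT rules.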
# Assume firewall is part of any is ON FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { 
$IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && 
exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.168.1.1/24 192.168.1.0/24" "" update_addresses_of_interface "eth1 22.22.22.22/24 22.22.22.23/24" "" update_addresses_of_interface "eth2 192.168.2.1/24 192.168.2.0/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth3 22.22.23.23/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s ! 192.168.1.0/24 -d 200.200.200.200 -j SNAT --to-source 22.22.22.23 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -s ! 
192.168.1.0/24 -d 200.200.200.200 --dport 80 -j SNAT --to-source 22.22.22.23 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 192.168.2.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -d ! 192.168.2.0/24 -j SNAT --to-source 22.22.23.23 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 -d ! 192.168.2.0/24 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 -d ! 
192.168.2.0/24 --dport 80 -j SNAT --to-source 22.22.23.23 # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # $IPTABLES -t nat -N Cid3CCA1B57.0 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j Cid3CCA1B57.0 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j Cid3CCA1B57.0 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j Cid3CCA1B57.0 $IPTABLES -t nat -A Cid3CCA1B57.0 -d 192.168.1.0/24 -j RETURN $IPTABLES -t nat -A Cid3CCA1B57.0 -d 192.168.2.0/24 -j RETURN $IPTABLES -t nat -A Cid3CCA1B57.0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A Cid3CCA1B57.0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A Cid3CCA1B57.0 -j SNAT --to-source 192.168.2.1 # # Rule 9 (NAT) # echo "Rule 9 (NAT)" # $IPTABLES -t nat -N Cid3EB38983.0 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j Cid3EB38983.0 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j Cid3EB38983.0 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j Cid3EB38983.0 $IPTABLES -t nat -A Cid3EB38983.0 -d 192.168.1.0/24 -j RETURN $IPTABLES -t nat -A Cid3EB38983.0 -d 192.168.2.0/24 -j RETURN $IPTABLES -t nat -A Cid3EB38983.0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A Cid3EB38983.0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A Cid3EB38983.0 -j SNAT --to-source 192.168.2.1 # # Rule 10 (NAT) # echo "Rule 10 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s ! 192.168.2.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -s ! 192.168.2.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth0 -s ! 
192.168.2.0/24 -j SNAT --to-source 192.168.1.1 # # Rule 11 (NAT) # echo "Rule 11 (NAT)" # $IPTABLES -t nat -N Cid3BD8D94B.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j Cid3BD8D94B.0 $IPTABLES -t nat -A Cid3BD8D94B.0 -d 22.22.22.22 -j RETURN $IPTABLES -t nat -A Cid3BD8D94B.0 -d 22.22.23.23 -j RETURN $IPTABLES -t nat -A Cid3BD8D94B.0 -d 192.168.1.1 -j RETURN $IPTABLES -t nat -A Cid3BD8D94B.0 -d 192.168.2.1 -j RETURN $IPTABLES -t nat -A Cid3BD8D94B.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # # Rule 12 (NAT) # echo "Rule 12 (NAT)" # $IPTABLES -t nat -N Cid3BD8D9DD.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j Cid3BD8D9DD.0 $IPTABLES -t nat -A Cid3BD8D9DD.0 -d 192.168.1.1 -j RETURN $IPTABLES -t nat -A Cid3BD8D9DD.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # # Rule 13 (NAT) # echo "Rule 13 (NAT)" # $IPTABLES -t nat -N Cid3BBC0EA4.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.10 --dport 80 -j Cid3BBC0EA4.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.20 --dport 80 -j Cid3BBC0EA4.0 $IPTABLES -t nat -A Cid3BBC0EA4.0 -d 192.168.1.0/24 -j RETURN $IPTABLES -t nat -A Cid3BBC0EA4.0 -d 192.168.2.0/24 -j RETURN $IPTABLES -t nat -A Cid3BBC0EA4.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # # Rule 14 (NAT) # echo "Rule 14 (NAT)" # $IPTABLES -t nat -N Cid3BBC0F93.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.0/24 --dport 80 -j Cid3BBC0F93.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.0/24 --dport 80 -j Cid3BBC0F93.0 $IPTABLES -t nat -A Cid3BBC0F93.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid3BBC0F93.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid3BBC0F93.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # # Rule 15 (NAT) # echo "Rule 15 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 
192.168.1.10 --dport 80 -j REDIRECT --to-ports 3128 # # Rule 16 (NAT) # echo "Rule 16 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.23 --dport 4000:4010 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 5000 -d 22.22.22.23 --dport 5000:5010 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 9000 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 6667,3128 -j DNAT --to-destination 192.168.1.10 # # Rule 17 (NAT) # echo "Rule 17 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.0/24 --dport 80 -j DNAT --to-destination :3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.0/24 --dport 80 -j DNAT --to-destination :3128 # # Rule 18 (NAT) # echo "Rule 18 (NAT)" # $IPTABLES -t nat -N Cid3EB38A91.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid3EB38A91.0 $IPTABLES -t nat -A Cid3EB38A91.0 -d 192.168.1.0/24 -j RETURN $IPTABLES -t nat -A Cid3EB38A91.0 -d 192.168.2.0/24 -j RETURN $IPTABLES -t nat -A Cid3EB38A91.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination :3128 # ================ Table 'filter', rule set GOOD_GUYS # # Rule GOOD_GUYS 0 (global) # echo "Rule GOOD_GUYS 0 (global)" # $IPTABLES -N GOOD_GUYS $IPTABLES -N Cid40710X74808.0 $IPTABLES -A GOOD_GUYS -j Cid40710X74808.0 $IPTABLES -A Cid40710X74808.0 -s 1.1.1.0/24 -j RETURN $IPTABLES -A Cid40710X74808.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -N GOOD_GUYS_0_3 $IPTABLES -A Cid40710X74808.0 -j GOOD_GUYS_0_3 $IPTABLES -A GOOD_GUYS_0_3 -j LOG --log-level debug $IPTABLES -A GOOD_GUYS_0_3 -j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -N Cid3C5987DC.1 $IPTABLES -A INPUT -i eth0 -s 22.22.22.22 -j Cid3C5987DC.1 $IPTABLES -N Cid3C5987DC.0 $IPTABLES -A Cid3C5987DC.1 -p icmp -j Cid3C5987DC.0 $IPTABLES -A Cid3C5987DC.1 -p 50 -j Cid3C5987DC.0 
$IPTABLES -N Cid3C5987DC.2 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j Cid3C5987DC.2 $IPTABLES -A Cid3C5987DC.2 -p icmp -j Cid3C5987DC.0 $IPTABLES -A Cid3C5987DC.2 -p 50 -j Cid3C5987DC.0 $IPTABLES -N Cid3C5987DC.3 $IPTABLES -A FORWARD -i eth0 -s 22.22.22.22 -j Cid3C5987DC.3 $IPTABLES -A Cid3C5987DC.3 -p icmp -j Cid3C5987DC.0 $IPTABLES -A Cid3C5987DC.3 -p 50 -j Cid3C5987DC.0 $IPTABLES -N Cid3C5987DC.4 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -j Cid3C5987DC.4 $IPTABLES -A Cid3C5987DC.4 -p icmp -j Cid3C5987DC.0 $IPTABLES -A Cid3C5987DC.4 -p 50 -j Cid3C5987DC.0 $IPTABLES -A Cid3C5987DC.0 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3C5987DC.0 -d 192.168.1.1 -j RETURN $IPTABLES -N In_RULE_0_3 $IPTABLES -A Cid3C5987DC.0 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode srcip,srcport --hashlimit-name htable_rule_0 -j In_RULE_0_3 $IPTABLES -A In_RULE_0_3 -j LOG --log-level debug $IPTABLES -A In_RULE_0_3 -j DROP $IPTABLES -N Cid3C5987DC.6 $IPTABLES -A OUTPUT -o eth0 -s 22.22.22.22 -j Cid3C5987DC.6 $IPTABLES -N Cid3C5987DC.5 $IPTABLES -A Cid3C5987DC.6 -p icmp -j Cid3C5987DC.5 $IPTABLES -A Cid3C5987DC.6 -p 50 -j Cid3C5987DC.5 $IPTABLES -N Cid3C5987DC.7 $IPTABLES -A OUTPUT -o eth0 -s 192.168.1.1 -j Cid3C5987DC.7 $IPTABLES -A Cid3C5987DC.7 -p icmp -j Cid3C5987DC.5 $IPTABLES -A Cid3C5987DC.7 -p 50 -j Cid3C5987DC.5 $IPTABLES -A Cid3C5987DC.5 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3C5987DC.5 -d 192.168.1.1 -j RETURN $IPTABLES -N Out_RULE_0_3 $IPTABLES -A Cid3C5987DC.5 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode srcip,srcport --hashlimit-name htable_rule_0 -j Out_RULE_0_3 $IPTABLES -A Out_RULE_0_3 -j LOG --log-level debug $IPTABLES -A Out_RULE_0_3 -j DROP # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # $IPTABLES -N Cid3CD34BEF.1 $IPTABLES -A INPUT -i eth0 -p icmp -j Cid3CD34BEF.1 $IPTABLES -A INPUT -i eth0 -p 50 -j Cid3CD34BEF.1 $IPTABLES -N Cid3CD34BEF.0 $IPTABLES -A Cid3CD34BEF.1 -s 192.168.1.10 -j Cid3CD34BEF.0 $IPTABLES -A Cid3CD34BEF.1 
-s 192.168.1.20 -j Cid3CD34BEF.0 $IPTABLES -N Cid3CD34BEF.2 $IPTABLES -A FORWARD -i eth0 -p icmp -j Cid3CD34BEF.2 $IPTABLES -A FORWARD -i eth0 -p 50 -j Cid3CD34BEF.2 $IPTABLES -A Cid3CD34BEF.2 -s 192.168.1.10 -j Cid3CD34BEF.0 $IPTABLES -A Cid3CD34BEF.2 -s 192.168.1.20 -j Cid3CD34BEF.0 $IPTABLES -A Cid3CD34BEF.0 -d 192.168.1.10 -j RETURN $IPTABLES -A Cid3CD34BEF.0 -d 192.168.1.20 -j RETURN $IPTABLES -A Cid3CD34BEF.0 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode dstip,dstport --hashlimit-name htable_rule_1 -j DROP $IPTABLES -N Cid3CD34BEF.4 $IPTABLES -A FORWARD -o eth0 -p icmp -j Cid3CD34BEF.4 $IPTABLES -A FORWARD -o eth0 -p 50 -j Cid3CD34BEF.4 $IPTABLES -N Cid3CD34BEF.3 $IPTABLES -A Cid3CD34BEF.4 -s 192.168.1.10 -j Cid3CD34BEF.3 $IPTABLES -A Cid3CD34BEF.4 -s 192.168.1.20 -j Cid3CD34BEF.3 $IPTABLES -A Cid3CD34BEF.3 -d 192.168.1.10 -j RETURN $IPTABLES -A Cid3CD34BEF.3 -d 192.168.1.20 -j RETURN $IPTABLES -A Cid3CD34BEF.3 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode dstip,dstport --hashlimit-name htable_rule_1 -j DROP # # Rule 2 (eth1) # echo "Rule 2 (eth1)" # # Anti-spoofing rule $IPTABLES -N In_RULE_2 $IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_2 $IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_2 $IPTABLES -A INPUT -i eth1 -s 192.168.1.1 -j In_RULE_2 $IPTABLES -A INPUT -i eth1 -s 192.168.2.1 -j In_RULE_2 $IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -s 22.22.22.22 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -s 22.22.23.23 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.1 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.1 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_2 $IPTABLES -A In_RULE_2 -j LOG --log-level debug $IPTABLES -A In_RULE_2 -j DROP # # Rule 3 (eth1) # echo "Rule 3 (eth1)" # # Anti-spoofing rule $IPTABLES -N Out_RULE_3 $IPTABLES -A OUTPUT -o eth1 -s ! 192.168.1.0/24 -j Out_RULE_3 $IPTABLES -A FORWARD -o eth1 -s ! 
192.168.1.0/24 -j Out_RULE_3 $IPTABLES -A Out_RULE_3 -j LOG --log-level debug $IPTABLES -A Out_RULE_3 -j DROP # # Rule 4 (eth1) # echo "Rule 4 (eth1)" # # Anti-spoofing rule $IPTABLES -N Cid40DBCD36.0 $IPTABLES -A OUTPUT -o eth1 -j Cid40DBCD36.0 $IPTABLES -A Cid40DBCD36.0 -s 22.22.22.22 -j RETURN $IPTABLES -A Cid40DBCD36.0 -s 22.22.23.23 -j RETURN $IPTABLES -A Cid40DBCD36.0 -s 192.168.1.1 -j RETURN $IPTABLES -A Cid40DBCD36.0 -s 192.168.2.1 -j RETURN $IPTABLES -N Out_RULE_4_3 $IPTABLES -A Cid40DBCD36.0 -j Out_RULE_4_3 $IPTABLES -A Out_RULE_4_3 -j LOG --log-level debug $IPTABLES -A Out_RULE_4_3 -j DROP $IPTABLES -N Cid40DBCD36.1 $IPTABLES -A FORWARD -o eth1 -j Cid40DBCD36.1 $IPTABLES -A Cid40DBCD36.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid40DBCD36.1 -j Out_RULE_4_3 # # Rule 5 (eth2) # echo "Rule 5 (eth2)" # $IPTABLES -A INPUT -i eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT # # Rule 6 (eth2) # echo "Rule 6 (eth2)" # $IPTABLES -N In_RULE_6 $IPTABLES -A INPUT -i ! eth2 -s 192.168.2.0/24 -j In_RULE_6 $IPTABLES -A FORWARD -i ! 
eth2 -s 192.168.2.0/24 -j In_RULE_6 $IPTABLES -A In_RULE_6 -j LOG --log-level debug $IPTABLES -A In_RULE_6 -j DROP # # Rule 7 (eth1,eth3) # echo "Rule 7 (eth1,eth3)" # $IPTABLES -N In_RULE_7 $IPTABLES -A INPUT -i eth0 -s 22.22.23.128/25 -j In_RULE_7 $IPTABLES -A INPUT -i eth0 -s 33.33.33.0/24 -j In_RULE_7 $IPTABLES -A INPUT -i eth2 -s 22.22.23.128/25 -j In_RULE_7 $IPTABLES -A INPUT -i eth2 -s 33.33.33.0/24 -j In_RULE_7 $IPTABLES -A FORWARD -i eth0 -s 22.22.23.128/25 -j In_RULE_7 $IPTABLES -A FORWARD -i eth0 -s 33.33.33.0/24 -j In_RULE_7 $IPTABLES -A FORWARD -i eth2 -s 22.22.23.128/25 -j In_RULE_7 $IPTABLES -A FORWARD -i eth2 -s 33.33.33.0/24 -j In_RULE_7 $IPTABLES -A In_RULE_7 -j LOG --log-level debug $IPTABLES -A In_RULE_7 -j DROP # # Rule 8 (lo) # echo "Rule 8 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 9 (eth0,eth2) # echo "Rule 9 (eth0,eth2)" # $IPTABLES -N Cid433D045026912.0 $IPTABLES -A INPUT -i eth0 -j Cid433D045026912.0 $IPTABLES -A INPUT -i eth2 -j Cid433D045026912.0 $IPTABLES -A FORWARD -i eth0 -j Cid433D045026912.0 $IPTABLES -A FORWARD -i eth2 -j Cid433D045026912.0 $IPTABLES -A Cid433D045026912.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid433D045026912.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -N In_RULE_9_3 $IPTABLES -A Cid433D045026912.0 -j In_RULE_9_3 $IPTABLES -A In_RULE_9_3 -j LOG --log-level debug $IPTABLES -A In_RULE_9_3 -j DROP # # Rule 10 (eth1,eth3) # echo "Rule 10 (eth1,eth3)" # $IPTABLES -N Cid434D389E26912.0 $IPTABLES -A INPUT -i eth1 -m state --state NEW -j Cid434D389E26912.0 $IPTABLES -A INPUT -i eth3 -m state --state NEW -j Cid434D389E26912.0 $IPTABLES -A FORWARD -i eth1 -m state --state NEW -j Cid434D389E26912.0 $IPTABLES -A FORWARD -i eth3 -m state --state NEW -j Cid434D389E26912.0 $IPTABLES -A Cid434D389E26912.0 -s 22.22.23.128/25 -j RETURN $IPTABLES -A Cid434D389E26912.0 -s 33.33.33.0/24 -j RETURN $IPTABLES -A Cid434D389E26912.0 -j ACCEPT # # Rule 11 
(global) # echo "Rule 11 (global)" # $IPTABLES -N RULE_11 $IPTABLES -A RULE_11 -j RETURN $IPTABLES -A OUTPUT -j RULE_11 $IPTABLES -A INPUT -j RULE_11 $IPTABLES -A FORWARD -j RULE_11 # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -N RULE_12 $IPTABLES -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_12 $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_12 $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_12 $IPTABLES -A RULE_12 -j LOG --log-level debug $IPTABLES -A RULE_12 -j DROP # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -N Cid3B9AB902.0 $IPTABLES -A OUTPUT -j Cid3B9AB902.0 $IPTABLES -A INPUT -j Cid3B9AB902.0 $IPTABLES -A FORWARD -j Cid3B9AB902.0 $IPTABLES -A Cid3B9AB902.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN $IPTABLES -N RULE_13_3 $IPTABLES -A Cid3B9AB902.0 -j RULE_13_3 $IPTABLES -A RULE_13_3 -j LOG --log-level debug $IPTABLES -A RULE_13_3 -j DROP # # Rule 14 (global) # echo "Rule 14 (global)" # # hostF has the same IP address as firewal. 
$IPTABLES -N RULE_14 $IPTABLES -A OUTPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_14 $IPTABLES -A INPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_14 $IPTABLES -A RULE_14 -j LOG --log-level debug $IPTABLES -A RULE_14 -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # $IPTABLES -N Cid434B03D526912.0 $IPTABLES -A OUTPUT -m state --state NEW -j Cid434B03D526912.0 $IPTABLES -A INPUT -m state --state NEW -j Cid434B03D526912.0 $IPTABLES -A FORWARD -m state --state NEW -j Cid434B03D526912.0 $IPTABLES -A Cid434B03D526912.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid434B03D526912.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid434B03D526912.0 -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # testing negation in the policy rule $IPTABLES -N Cid3B021E10.0 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid3B021E10.0 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid3B021E10.0 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid3B021E10.0 $IPTABLES -A Cid3B021E10.0 -s 192.168.1.10 -j RETURN $IPTABLES -A Cid3B021E10.0 -s 192.168.1.20 -j RETURN $IPTABLES -N RULE_16_3 $IPTABLES -A Cid3B021E10.0 -m limit --limit 10/minute -j RULE_16_3 $IPTABLES -A RULE_16_3 -j LOG --log-level debug $IPTABLES -A RULE_16_3 -j DROP # # Rule 17 (global) # echo "Rule 17 (global)" # # testing negation in the policy rule $IPTABLES -N Cid40C0D096.0 $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -j Cid40C0D096.0 $IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -j Cid40C0D096.0 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 80,443 -j Cid40C0D096.0 $IPTABLES -A Cid40C0D096.0 -s 192.168.1.10 -j RETURN $IPTABLES -A Cid40C0D096.0 -s 192.168.1.20 -j RETURN $IPTABLES -N RULE_17_3 $IPTABLES -A Cid40C0D096.0 -m limit --limit 10/minute -j RULE_17_3 $IPTABLES -A RULE_17_3 -j LOG --log-level debug $IPTABLES -A RULE_17_3 -j RETURN # # Rule 18 (global) # echo "Rule 18 (global)" # # 
testing negation in the policy rule $IPTABLES -N Cid40C0D10A.0 $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid40C0D10A.0 $IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid40C0D10A.0 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid40C0D10A.0 $IPTABLES -A Cid40C0D10A.0 -s 192.168.1.10 -j RETURN $IPTABLES -A Cid40C0D10A.0 -s 192.168.1.20 -j RETURN $IPTABLES -N RULE_18_3 $IPTABLES -A Cid40C0D10A.0 -m limit --limit 10/minute -j RULE_18_3 $IPTABLES -A RULE_18_3 -j LOG --log-level debug $IPTABLES -A RULE_18_3 -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # $IPTABLES -N Cid3B0B4A13.1 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid3B0B4A13.1 $IPTABLES -N Cid3B0B4A13.0 $IPTABLES -A Cid3B0B4A13.1 -d 22.22.22.22 -j Cid3B0B4A13.0 $IPTABLES -A Cid3B0B4A13.1 -d 22.22.23.23 -j Cid3B0B4A13.0 $IPTABLES -A Cid3B0B4A13.1 -d 192.168.1.1 -j Cid3B0B4A13.0 $IPTABLES -A Cid3B0B4A13.1 -d 192.168.2.1 -j Cid3B0B4A13.0 $IPTABLES -N Cid3B0B4A13.2 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid3B0B4A13.2 $IPTABLES -A Cid3B0B4A13.2 -d 22.22.22.22 -j Cid3B0B4A13.0 $IPTABLES -A Cid3B0B4A13.2 -d 22.22.23.23 -j Cid3B0B4A13.0 $IPTABLES -A Cid3B0B4A13.2 -d 192.168.1.1 -j Cid3B0B4A13.0 $IPTABLES -A Cid3B0B4A13.2 -d 192.168.2.1 -j Cid3B0B4A13.0 $IPTABLES -A Cid3B0B4A13.0 -s 192.168.1.10 -j RETURN $IPTABLES -A Cid3B0B4A13.0 -s 192.168.1.20 -j RETURN $IPTABLES -N RULE_19_3 $IPTABLES -A Cid3B0B4A13.0 -j RULE_19_3 $IPTABLES -A RULE_19_3 -j LOG --log-level debug $IPTABLES -A RULE_19_3 -j DROP # # Rule 20 (global) # echo "Rule 20 (global)" # $IPTABLES -N Cid3B5535B7.0 $IPTABLES -A OUTPUT -d 192.168.1.0/24 -j Cid3B5535B7.0 $IPTABLES -A Cid3B5535B7.0 -s 22.22.22.22 -j RETURN $IPTABLES -A Cid3B5535B7.0 -s 22.22.23.23 -j RETURN $IPTABLES -A Cid3B5535B7.0 -s 192.168.1.1 -j RETURN $IPTABLES -A Cid3B5535B7.0 -s 192.168.2.1 -j RETURN $IPTABLES -N Out_RULE_20_3 
$IPTABLES -A Cid3B5535B7.0 -j Out_RULE_20_3 $IPTABLES -A Out_RULE_20_3 -j LOG --log-level debug $IPTABLES -A Out_RULE_20_3 -j DROP $IPTABLES -N Cid3B5535B7.1 $IPTABLES -A INPUT -d 192.168.1.0/24 -j Cid3B5535B7.1 $IPTABLES -A FORWARD -d 192.168.1.0/24 -j Cid3B5535B7.1 $IPTABLES -A Cid3B5535B7.1 -s 192.168.2.0/24 -j RETURN $IPTABLES -N RULE_20_3 $IPTABLES -A Cid3B5535B7.1 -j RULE_20_3 $IPTABLES -A RULE_20_3 -j LOG --log-level debug $IPTABLES -A RULE_20_3 -j DROP # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -N Cid40F1D905.0 $IPTABLES -A OUTPUT -d 192.168.1.0/24 -j Cid40F1D905.0 $IPTABLES -A Cid40F1D905.0 -s 192.168.1.1 -j RETURN $IPTABLES -N Out_RULE_21_3 $IPTABLES -A Cid40F1D905.0 -j Out_RULE_21_3 $IPTABLES -A Out_RULE_21_3 -j LOG --log-level debug $IPTABLES -A Out_RULE_21_3 -j DROP $IPTABLES -N Cid40F1D905.1 $IPTABLES -A INPUT -d 192.168.1.0/24 -j Cid40F1D905.1 $IPTABLES -A FORWARD -d 192.168.1.0/24 -j Cid40F1D905.1 $IPTABLES -A Cid40F1D905.1 -s 192.168.2.0/24 -j RETURN $IPTABLES -N RULE_21_3 $IPTABLES -A Cid40F1D905.1 -j RULE_21_3 $IPTABLES -A RULE_21_3 -j LOG --log-level debug $IPTABLES -A RULE_21_3 -j DROP # # Rule 22 (global) # echo "Rule 22 (global)" # $IPTABLES -N Cid3E74DF71.0 $IPTABLES -A INPUT -s 222.222.222.40 -j Cid3E74DF71.0 $IPTABLES -A INPUT -s 222.222.222.41 -j Cid3E74DF71.0 $IPTABLES -A FORWARD -s 222.222.222.40 -j Cid3E74DF71.0 $IPTABLES -A FORWARD -s 222.222.222.41 -j Cid3E74DF71.0 $IPTABLES -A Cid3E74DF71.0 -d 192.168.1.10 -j RETURN $IPTABLES -A Cid3E74DF71.0 -d 192.168.1.20 -j RETURN $IPTABLES -N RULE_22_3 $IPTABLES -A Cid3E74DF71.0 -j RULE_22_3 $IPTABLES -A RULE_22_3 -j LOG --log-level debug $IPTABLES -A RULE_22_3 -j DROP # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -N Cid3B11F63D.0 $IPTABLES -A INPUT -s 192.168.1.0/24 -j Cid3B11F63D.0 $IPTABLES -A INPUT -s 192.168.2.0/24 -j Cid3B11F63D.0 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j Cid3B11F63D.0 $IPTABLES -A OUTPUT -s 192.168.2.0/24 -j Cid3B11F63D.0 $IPTABLES -A FORWARD 
-s 192.168.1.0/24 -j Cid3B11F63D.0 $IPTABLES -A FORWARD -s 192.168.2.0/24 -j Cid3B11F63D.0 $IPTABLES -A Cid3B11F63D.0 -d 192.168.1.10 -j RETURN $IPTABLES -A Cid3B11F63D.0 -d 192.168.1.20 -j RETURN $IPTABLES -N RULE_23_3 $IPTABLES -A Cid3B11F63D.0 -j RULE_23_3 $IPTABLES -A RULE_23_3 -j LOG --log-level debug $IPTABLES -A RULE_23_3 -j DROP # # Rule 24 (global) # echo "Rule 24 (global)" # # testing negation in service field $IPTABLES -N Cid3B021E6F.0 $IPTABLES -A OUTPUT -d 192.168.1.10 -j Cid3B021E6F.0 $IPTABLES -A OUTPUT -d 192.168.1.20 -j Cid3B021E6F.0 $IPTABLES -A FORWARD -d 192.168.1.10 -j Cid3B021E6F.0 $IPTABLES -A FORWARD -d 192.168.1.20 -j Cid3B021E6F.0 $IPTABLES -A Cid3B021E6F.0 -p tcp -m tcp -m multiport --dports 25,22 -j RETURN $IPTABLES -N RULE_24_3 $IPTABLES -A Cid3B021E6F.0 -j RULE_24_3 $IPTABLES -A RULE_24_3 -j LOG --log-level debug $IPTABLES -A RULE_24_3 -j DROP # # Rule 25 (global) # echo "Rule 25 (global)" # # testing negation in service field $IPTABLES -N Cid3CCA2CF4.0 $IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid3CCA2CF4.0 $IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid3CCA2CF4.0 $IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3CCA2CF4.0 $IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid3CCA2CF4.0 $IPTABLES -A Cid3CCA2CF4.0 -p tcp -m tcp -m multiport --dports 25,22 -j RETURN $IPTABLES -N RULE_25_3 $IPTABLES -A Cid3CCA2CF4.0 -j RULE_25_3 $IPTABLES -A RULE_25_3 -j LOG --log-level debug $IPTABLES -A RULE_25_3 -j ACCEPT # # Rule 26 (global) # echo "Rule 26 (global)" # # testing negation in service field $IPTABLES -N Cid3EA925F1.0 $IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid3EA925F1.0 $IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid3EA925F1.0 $IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3EA925F1.0 $IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid3EA925F1.0 $IPTABLES -A Cid3EA925F1.0 -p tcp -m tcp --dport 25 -j RETURN 
$IPTABLES -N RULE_26_3 $IPTABLES -A Cid3EA925F1.0 -j RULE_26_3 $IPTABLES -A RULE_26_3 -j LOG --log-level debug $IPTABLES -A RULE_26_3 -j ACCEPT # # Rule 27 (global) # echo "Rule 27 (global)" # # testing negation in service field $IPTABLES -N Cid3EA9225C.0 $IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid3EA9225C.0 $IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid3EA9225C.0 $IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3EA9225C.0 $IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid3EA9225C.0 $IPTABLES -A Cid3EA9225C.0 -p icmp -m icmp --icmp-type any -j RETURN $IPTABLES -N RULE_27_3 $IPTABLES -A Cid3EA9225C.0 -j RULE_27_3 $IPTABLES -A RULE_27_3 -j LOG --log-level debug $IPTABLES -A RULE_27_3 -j ACCEPT # # Rule 28 (global) # echo "Rule 28 (global)" # # testing negation in service field $IPTABLES -N Cid4144E299.1 $IPTABLES -A OUTPUT -m state --state NEW -j Cid4144E299.1 $IPTABLES -A INPUT -m state --state NEW -j Cid4144E299.1 $IPTABLES -A FORWARD -m state --state NEW -j Cid4144E299.1 $IPTABLES -A Cid4144E299.1 -d 192.168.1.10 -j RETURN $IPTABLES -A Cid4144E299.1 -d 192.168.1.20 -j RETURN $IPTABLES -N Cid4144E299.0 $IPTABLES -A Cid4144E299.1 -j Cid4144E299.0 $IPTABLES -A Cid4144E299.0 -p icmp -m icmp --icmp-type any -j RETURN $IPTABLES -A Cid4144E299.0 -j ACCEPT # # Rule 29 (global) # echo "Rule 29 (global)" # # testing negation in service field $IPTABLES -N Cid41449248.1 $IPTABLES -A OUTPUT -m state --state NEW -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j Cid41449248.1 $IPTABLES -N Cid41449248.0 $IPTABLES -A Cid41449248.1 -d 192.168.1.10 -j Cid41449248.0 $IPTABLES -A Cid41449248.1 -d 192.168.1.20 -j Cid41449248.0 $IPTABLES -N Cid41449248.2 $IPTABLES -A FORWARD -m state --state NEW -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j Cid41449248.2 $IPTABLES -A Cid41449248.2 -d 192.168.1.10 -j Cid41449248.0 $IPTABLES -A Cid41449248.2 -d 192.168.1.20 -j Cid41449248.0 
$IPTABLES -A Cid41449248.0 -p tcp -m tcp --dport 80 -j RETURN $IPTABLES -A Cid41449248.0 -j ACCEPT # # Rule 30 (global) # echo "Rule 30 (global)" # # testing negation in service field $IPTABLES -N Cid414532F3.1 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid414532F3.1 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid414532F3.1 $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j Cid414532F3.1 $IPTABLES -A Cid414532F3.1 -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RETURN $IPTABLES -N Cid414532F3.0 $IPTABLES -A Cid414532F3.1 -j Cid414532F3.0 $IPTABLES -A Cid414532F3.0 -d 192.168.1.10 -j RETURN $IPTABLES -A Cid414532F3.0 -d 192.168.1.20 -j RETURN $IPTABLES -A Cid414532F3.0 -j ACCEPT # # Rule 31 (global) # echo "Rule 31 (global)" # # testing negation in service field $IPTABLES -N Cid41449257.1 $IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid41449257.1 $IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid41449257.1 $IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid41449257.1 $IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid41449257.1 $IPTABLES -A Cid41449257.1 -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RETURN $IPTABLES -N Cid41449257.0 $IPTABLES -A Cid41449257.1 -j Cid41449257.0 $IPTABLES -A Cid41449257.0 -p tcp -m tcp --dport 80 -j RETURN $IPTABLES -A Cid41449257.0 -j ACCEPT # # Rule 32 (global) # echo "Rule 32 (global)" # $IPTABLES -N Cid4368F08A15884.1 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid4368F08A15884.1 $IPTABLES -N Cid4368F08A15884.0 $IPTABLES -A Cid4368F08A15884.1 -s 22.22.22.22 -j Cid4368F08A15884.0 $IPTABLES -A Cid4368F08A15884.1 -s 22.22.23.23 -j Cid4368F08A15884.0 $IPTABLES -A Cid4368F08A15884.1 -s 192.168.1.1 -j Cid4368F08A15884.0 $IPTABLES -A Cid4368F08A15884.1 -s 192.168.2.1 -j Cid4368F08A15884.0 $IPTABLES -A Cid4368F08A15884.0 -d 22.22.22.22 -j 
RETURN $IPTABLES -A Cid4368F08A15884.0 -d 22.22.23.23 -j RETURN $IPTABLES -A Cid4368F08A15884.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid4368F08A15884.0 -d 192.168.2.1 -j RETURN $IPTABLES -A Cid4368F08A15884.0 -j ACCEPT $IPTABLES -N Cid4368F08A15884.2 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid4368F08A15884.2 $IPTABLES -A Cid4368F08A15884.2 -s 22.22.22.22 -j ACCEPT $IPTABLES -A Cid4368F08A15884.2 -s 22.22.23.23 -j ACCEPT $IPTABLES -A Cid4368F08A15884.2 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid4368F08A15884.2 -s 192.168.2.1 -j ACCEPT # # Rule 33 (global) # echo "Rule 33 (global)" # $IPTABLES -N Cid3E74D8BB.1 $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid3E74D8BB.1 $IPTABLES -N Cid3E74D8BB.0 $IPTABLES -A Cid3E74D8BB.1 -s 22.22.22.22 -j Cid3E74D8BB.0 $IPTABLES -A Cid3E74D8BB.1 -s 22.22.23.23 -j Cid3E74D8BB.0 $IPTABLES -A Cid3E74D8BB.1 -s 192.168.1.1 -j Cid3E74D8BB.0 $IPTABLES -A Cid3E74D8BB.1 -s 192.168.2.1 -j Cid3E74D8BB.0 $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW -j Cid3E74D8BB.0 $IPTABLES -A Cid3E74D8BB.0 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3E74D8BB.0 -d 22.22.23.23 -j RETURN $IPTABLES -A Cid3E74D8BB.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid3E74D8BB.0 -d 192.168.2.1 -j RETURN $IPTABLES -A Cid3E74D8BB.0 -j ACCEPT $IPTABLES -N Cid3E74D8BB.3 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid3E74D8BB.3 $IPTABLES -N Cid3E74D8BB.2 $IPTABLES -A Cid3E74D8BB.3 -s 22.22.22.22 -j Cid3E74D8BB.2 $IPTABLES -A Cid3E74D8BB.3 -s 22.22.23.23 -j Cid3E74D8BB.2 $IPTABLES -A Cid3E74D8BB.3 -s 192.168.1.1 -j Cid3E74D8BB.2 $IPTABLES -A Cid3E74D8BB.3 -s 192.168.2.1 -j Cid3E74D8BB.2 $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW -j Cid3E74D8BB.2 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW -j Cid3E74D8BB.2 $IPTABLES -A Cid3E74D8BB.2 -d 192.168.1.0/24 -j RETURN $IPTABLES -A Cid3E74D8BB.2 -j 
ACCEPT # # Rule 34 (global) # echo "Rule 34 (global)" # $IPTABLES -N Cid3B45739A.1 $IPTABLES -A INPUT -s 22.22.22.22 -j Cid3B45739A.1 $IPTABLES -N Cid3B45739A.0 $IPTABLES -A Cid3B45739A.1 -p icmp -j Cid3B45739A.0 $IPTABLES -A Cid3B45739A.1 -p 50 -j Cid3B45739A.0 $IPTABLES -N Cid3B45739A.2 $IPTABLES -A INPUT -s 192.168.1.1 -j Cid3B45739A.2 $IPTABLES -A Cid3B45739A.2 -p icmp -j Cid3B45739A.0 $IPTABLES -A Cid3B45739A.2 -p 50 -j Cid3B45739A.0 $IPTABLES -N Cid3B45739A.3 $IPTABLES -A OUTPUT -s 22.22.22.22 -j Cid3B45739A.3 $IPTABLES -A Cid3B45739A.3 -p icmp -j Cid3B45739A.0 $IPTABLES -A Cid3B45739A.3 -p 50 -j Cid3B45739A.0 $IPTABLES -N Cid3B45739A.4 $IPTABLES -A OUTPUT -s 192.168.1.1 -j Cid3B45739A.4 $IPTABLES -A Cid3B45739A.4 -p icmp -j Cid3B45739A.0 $IPTABLES -A Cid3B45739A.4 -p 50 -j Cid3B45739A.0 $IPTABLES -A Cid3B45739A.0 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3B45739A.0 -d 192.168.1.1 -j RETURN $IPTABLES -N RULE_34_3 $IPTABLES -A Cid3B45739A.0 -j RULE_34_3 $IPTABLES -A RULE_34_3 -j LOG --log-level debug $IPTABLES -A RULE_34_3 -j DROP # # Rule 35 (global) # echo "Rule 35 (global)" # # double negation rule $IPTABLES -N Cid4067B2C2.1 $IPTABLES -A OUTPUT -j Cid4067B2C2.1 $IPTABLES -A INPUT -j Cid4067B2C2.1 $IPTABLES -A FORWARD -j Cid4067B2C2.1 $IPTABLES -A Cid4067B2C2.1 -d 192.168.1.10 -j RETURN $IPTABLES -A Cid4067B2C2.1 -d 192.168.1.20 -j RETURN $IPTABLES -N Cid4067B2C2.0 $IPTABLES -A Cid4067B2C2.1 -j Cid4067B2C2.0 $IPTABLES -A Cid4067B2C2.0 -p tcp -m tcp -m multiport --dports 3128,8080 -j RETURN $IPTABLES -N RULE_35_3 $IPTABLES -A Cid4067B2C2.0 -j RULE_35_3 $IPTABLES -A RULE_35_3 -j LOG --log-level debug $IPTABLES -A RULE_35_3 -j DROP # # Rule 36 (global) # echo "Rule 36 (global)" # $IPTABLES -N Cid41A88DF6.0 $IPTABLES -A INPUT -m state --state NEW -j Cid41A88DF6.0 $IPTABLES -A Cid41A88DF6.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid41A88DF6.0 -d 192.168.2.1 -j RETURN $IPTABLES -A Cid41A88DF6.0 -j ACCEPT $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT $IPTABLES 
-A FORWARD -m state --state NEW -j ACCEPT # # Rule 37 (global) # echo "Rule 37 (global)" # $IPTABLES -N Cid41B5176E.0 $IPTABLES -A OUTPUT -d 192.168.1.0/24 -m state --state NEW -j Cid41B5176E.0 $IPTABLES -A Cid41B5176E.0 -s 192.168.1.1 -j RETURN $IPTABLES -A Cid41B5176E.0 -s 192.168.2.1 -j RETURN $IPTABLES -A Cid41B5176E.0 -j ACCEPT $IPTABLES -A INPUT -d 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 38 (global) # echo "Rule 38 (global)" # $IPTABLES -N Cid4143BD3F.0 $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -j Cid4143BD3F.0 $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -j Cid4143BD3F.0 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -j Cid4143BD3F.0 $IPTABLES -A Cid4143BD3F.0 -m time --timestart 00:00 --timestop 23:59 --days Sat -j RETURN $IPTABLES -A Cid4143BD3F.0 -m time --timestart 00:00 --timestop 23:59 --days Sun -j RETURN $IPTABLES -A Cid4143BD3F.0 -j ACCEPT # # Rule 39 (global) # echo "Rule 39 (global)" # $IPTABLES -N Cid4143BD1A.0 $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -m state --state NEW -j Cid4143BD1A.0 $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -m state --state NEW -j Cid4143BD1A.0 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -m state --state NEW -j Cid4143BD1A.0 $IPTABLES -A Cid4143BD1A.0 -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RETURN $IPTABLES -A Cid4143BD1A.0 -j ACCEPT # # Rule 40 (global) # echo "Rule 40 (global)" # $IPTABLES -N Cid1515316X29460.0 $IPTABLES -A INPUT -p tcp -m tcp -d ! 
192.168.1.0/24 --dport 80 -j Cid1515316X29460.0 $IPTABLES -A Cid1515316X29460.0 -s 22.22.22.22 -j DROP $IPTABLES -A Cid1515316X29460.0 -s 22.22.23.23 -j DROP $IPTABLES -A Cid1515316X29460.0 -s 192.168.1.1 -j DROP $IPTABLES -A Cid1515316X29460.0 -s 192.168.2.1 -j DROP $IPTABLES -N Cid1515316X29460.1 $IPTABLES -A OUTPUT -p tcp -m tcp -d ! 192.168.1.0/24 --dport 80 -j Cid1515316X29460.1 $IPTABLES -A Cid1515316X29460.1 -s 22.22.22.22 -j DROP $IPTABLES -A Cid1515316X29460.1 -s 22.22.23.23 -j DROP $IPTABLES -A Cid1515316X29460.1 -s 192.168.1.1 -j DROP $IPTABLES -A Cid1515316X29460.1 -s 192.168.2.1 -j DROP # # Rule 41 (global) # echo "Rule 41 (global)" # $IPTABLES -N Cid1515397X29460.0 $IPTABLES -A OUTPUT -p tcp -m tcp -s ! 192.168.1.0/24 --dport 80 -j Cid1515397X29460.0 $IPTABLES -A Cid1515397X29460.0 -d 22.22.22.22 -j DROP $IPTABLES -A Cid1515397X29460.0 -d 22.22.23.23 -j DROP $IPTABLES -A Cid1515397X29460.0 -d 192.168.1.1 -j DROP $IPTABLES -A Cid1515397X29460.0 -d 192.168.2.1 -j DROP $IPTABLES -N Cid1515397X29460.1 $IPTABLES -A INPUT -p tcp -m tcp -s ! 192.168.1.0/24 --dport 80 -j Cid1515397X29460.1 $IPTABLES -A Cid1515397X29460.1 -d 22.22.22.22 -j DROP $IPTABLES -A Cid1515397X29460.1 -d 22.22.23.23 -j DROP $IPTABLES -A Cid1515397X29460.1 -d 192.168.1.1 -j DROP $IPTABLES -A Cid1515397X29460.1 -d 192.168.2.1 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
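[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility a missing argument is equivalent to 'start'.
cmd=${1:-start}

RETVAL=0
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:07 2012 by vadim"
        check_tools
        check_run_time_address_table_files
        load_modules "nat "
        configure_interfaces
        verify_interfaces
        prolog_commands
        reset_all
        script_body
        ip_forward
        epilog_commands
        # NOTE: only the status of epilog_commands is reported; a failing
        # iptables command inside script_body does not change the exit code.
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # "stop" sets the policies to ACCEPT, so there is a short window
        # with no filtering at all before "start" resets them to DROP.
        # "start" alone avoids that window (reset_all flushes anyway).
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # Dry run: with FWBDEBUG=echo the ip(8) commands are printed, not run.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        # Unknown argument: report usage and fail.  RETVAL used to be left
        # unset here, so the script exited 0 on a bad argument.
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" >&2
        RETVAL=2
        ;;
esac
exit $RETVAL
fwbuilder-5.3.7/test/ipt/firewall10.fw.orig000077500000000000000000000344541303637203600205470ustar00rootroot00000000000000#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !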
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:08 2012 PDT by vadim # # files: * firewall10.fw /etc/fw/firewall10.fw # # Compiled for iptables 1.2.9 # # testing rules with action-on-reject "TCP reset" # in this firewall, unlike in firewall9, this option is set globally instead of setting it # in the rule options FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
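.*$!!')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Convenience wrappers around getaddr_internal / getnet_internal:
# resolve the IPv4 ("-4") or IPv6 ("-6") addresses / kernel-route networks
# of interface $1 into the shell variable "<$2>_list".
getaddr() {
    getaddr_internal "$1" "$2" "-4"
}

getaddr6() {
    getaddr_internal "$1" "$2" "-6"
}

getnet() {
    getnet_internal "$1" "$2" "-4"
}

getnet6() {
    getnet_internal "$1" "$2" "-6"
}

# getinterfaces NAME
# Expand a wildcard interface name: print, one per line, every interface
# whose name starts with NAME (e.g. "eth" -> eth0, eth1, ...).  The prefix
# match on ": $NAME" is intentional, that is what "wildcard" means here.
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# diff_intf FUNC LIST1 LIST2 CMD
# Run "FUNC item CMD" for every whitespace-separated item of LIST1 that does
# not appear in LIST2.  Items are compared as whole, literal strings
# (grep -x -F).  The previous "echo $list2 | grep -q $intf" was a regex
# substring test, so e.g. 10.1.1.1/32@eth3 counted as present whenever
# 110.1.1.1/32@eth3 was configured, and the address was silently never
# added -- rules referring to it then matched nothing.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        printf '%s\n' $list2 | grep -qxF -- "$intf" || {
            # $intf is absent in list 2
            $func "$intf" "$cmd"
        }
    done
}

# find_program NAME
# Abort the script if NAME cannot be resolved to a command.  command -v is
# the POSIX way to do this; "which" is not guaranteed to exist (it is still
# checked by check_tools because log() relies on it).
find_program() {
    PGM=$1
    command -v "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# Verify the external tools this script depends on before touching anything.
check_tools() {
    find_program which
    find_program "$IPTABLES"
    find_program "$IP"
}

# Flush and delete every chain in every loaded IPv4 table.  The built-in
# policies are set to DROP *before* the flush so that the host never
# accepts traffic in the window between the old rule set disappearing and
# the new one being loaded (fail-closed).
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    while read table; do
        $IPTABLES -t "$table" -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t "$table" -F "$chain"
            fi
        done
        $IPTABLES -t "$table" -X
    done < /proc/net/ip_tables_names
}

# IPv6 counterpart of reset_iptables_v4 (same fail-closed ordering).
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    while read table; do
        $IP6TABLES -t "$table" -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t "$table" -F "$chain"
            fi
        done
        $IP6TABLES -t "$table" -X
    done < /proc/net/ip6_tables_names
}

# Set once the point-to-point warning below has been printed.
P2P_INTERFACE_WARNING=""

# missing_address ADDR@IFACE add|del
# Add or remove one address on an interface and bring the interface up.
# Point-to-point interfaces are skipped with a one-time warning.  A failed
# "del" aborts the whole script (exit 1); a failed "add" is not checked,
# so a rule set may end up referring to an address that was not configured.
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface.
fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }
    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        # Decide the address family explicitly.  The old
        # "grep ':' && {v6} || {v4}" form fell through to the IPv4 command
        # whenever the IPv6 "ip addr add" failed.
        case "$addr" in
            *:*)
                # IPv6: there is no broadcast address
                $FWBDEBUG $IP addr $cmd $addr dev $interface
                ;;
            *)
                # IPv4: let the kernel derive the broadcast address ("+")
                $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
                ;;
        esac
    }
    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }
    $FWBDEBUG $IP link set $interface up
}

# list_addresses_by_scope IFACE SCOPE_REGEX IGNORE_LIST
# Print "<addr>@IFACE", sorted, for every inet/inet6 address on IFACE whose
# "ip addr" line matches SCOPE_REGEX and whose address is not in the
# whitespace-separated IGNORE_LIST.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
    while read addr; do
        echo "${addr}@$interface"
    done | sort
}

# update_addresses_of_interface "IFACE ADDR..." IGNORE_LIST
# Make the addresses of IFACE match what fwbuilder knows: add every listed
# address that is missing (any scope) and delete every global-scope address
# that is not listed -- this script owns the interface's global addresses.
# If the interface does not exist the script aborts, unless running in
# test mode (FWBDEBUG set).
update_addresses_of_interface() {
    ignore_list=$2
    set $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    if $IP link show dev "$interface" >/dev/null 2>&1; then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# clear_addresses_except_known_interfaces IFACE...
# Flush the global-scope addresses of, and bring down, every interface
# that is not named on the command line (i.e. unknown to fwbuilder).
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
    while read intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev $intf scope global
        $FWBDEBUG $IP link set $intf down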
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -N Cid3D4F0A58.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 6667 -j Cid3D4F0A58.0 $IPTABLES -N RULE_0 $IPTABLES -A Cid3D4F0A58.0 -d 22.22.22.22 -j RULE_0 $IPTABLES -A Cid3D4F0A58.0 -d 192.168.1.1 -j RULE_0 $IPTABLES -A INPUT -p tcp -m tcp --dport 6667 -j RULE_0 $IPTABLES -A RULE_0 -j LOG --log-level debug $IPTABLES -A RULE_0 -j REJECT --reject-with icmp-admin-prohibited # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N Cid3D4F0A62.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 53 -j Cid3D4F0A62.0 $IPTABLES -N RULE_1 $IPTABLES -A Cid3D4F0A62.0 -d 22.22.22.22 -j RULE_1 $IPTABLES -A Cid3D4F0A62.0 -d 192.168.1.1 -j RULE_1 $IPTABLES -A INPUT -p udp -m udp --dport 53 -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level debug $IPTABLES -A RULE_1 -j REJECT --reject-with icmp-host-unreachable # # Rule 2 
(global) # echo "Rule 2 (global)" # $IPTABLES -N Cid3D4F0A6C.0 $IPTABLES -A OUTPUT -p icmp -j Cid3D4F0A6C.0 $IPTABLES -A OUTPUT -p 50 -j Cid3D4F0A6C.0 $IPTABLES -N RULE_2 $IPTABLES -A Cid3D4F0A6C.0 -d 22.22.22.22 -j RULE_2 $IPTABLES -A Cid3D4F0A6C.0 -d 192.168.1.1 -j RULE_2 $IPTABLES -A INPUT -p icmp -j RULE_2 $IPTABLES -A INPUT -p 50 -j RULE_2 $IPTABLES -A RULE_2 -j LOG --log-level debug $IPTABLES -A RULE_2 -j REJECT --reject-with icmp-host-unreachable # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -N Cid3D4F0A76.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 10000:11000 -j Cid3D4F0A76.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j Cid3D4F0A76.0 $IPTABLES -A OUTPUT -p udp -m udp -m multiport --dports 53,161 -j Cid3D4F0A76.0 $IPTABLES -N RULE_3 $IPTABLES -A Cid3D4F0A76.0 -d 22.22.22.22 -j RULE_3 $IPTABLES -A Cid3D4F0A76.0 -d 192.168.1.1 -j RULE_3 $IPTABLES -A INPUT -p tcp -m tcp --dport 10000:11000 -j RULE_3 $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j RULE_3 $IPTABLES -A INPUT -p udp -m udp -m multiport --dports 53,161 -j RULE_3 $IPTABLES -A RULE_3 -j LOG --log-level debug $IPTABLES -A RULE_3 -j REJECT --reject-with icmp-host-unreachable # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N Cid3D4F0A80.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 10000:11000 -j Cid3D4F0A80.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j Cid3D4F0A80.0 $IPTABLES -A OUTPUT -p udp -m udp -m multiport --dports 53,161 -j Cid3D4F0A80.0 $IPTABLES -A Cid3D4F0A80.0 -d 22.22.22.22 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A Cid3D4F0A80.0 -d 192.168.1.1 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A INPUT -p tcp -m tcp --dport 10000:11000 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A INPUT -p udp -m udp -m multiport --dports 53,161 -j REJECT --reject-with icmp-host-unreachable # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N 
Cid3D4F0A8A.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 10000:11000 -j Cid3D4F0A8A.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j Cid3D4F0A8A.0 $IPTABLES -A INPUT -p udp -m udp -m multiport --dports 53,161 -j Cid3D4F0A8A.0 $IPTABLES -A Cid3D4F0A8A.0 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3D4F0A8A.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid3D4F0A8A.0 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A OUTPUT -p tcp -m tcp --dport 10000:11000 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A OUTPUT -p udp -m udp -m multiport --dports 53,161 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A FORWARD -p tcp -m tcp --dport 10000:11000 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A FORWARD -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A FORWARD -p udp -m udp -m multiport --dports 53,161 -j REJECT --reject-with icmp-host-unreachable # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N Cid3D4F0A94.0 $IPTABLES -A OUTPUT -d 22.22.22.22 -j Cid3D4F0A94.0 $IPTABLES -A OUTPUT -d 192.168.1.1 -j Cid3D4F0A94.0 $IPTABLES -A INPUT -j Cid3D4F0A94.0 $IPTABLES -A Cid3D4F0A94.0 -p tcp -m tcp --dport 10000:11000 -j RETURN $IPTABLES -A Cid3D4F0A94.0 -p tcp -m tcp --dport 113 -j RETURN $IPTABLES -A Cid3D4F0A94.0 -p udp -m udp -m multiport --dports 53,161 -j RETURN $IPTABLES -A Cid3D4F0A94.0 -j REJECT --reject-with icmp-host-unreachable # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N Cid3D4F0A9E.0 $IPTABLES -A OUTPUT -d 22.22.22.22 -j Cid3D4F0A9E.0 $IPTABLES -A OUTPUT -d 192.168.1.1 -j Cid3D4F0A9E.0 $IPTABLES -A INPUT -j Cid3D4F0A9E.0 $IPTABLES -A Cid3D4F0A9E.0 -p tcp -m tcp --dport 10000:11000 -j RETURN $IPTABLES -A Cid3D4F0A9E.0 -p tcp -m tcp --dport 113 -j RETURN $IPTABLES -A Cid3D4F0A9E.0 -p udp -m udp -m multiport --dports 53,161 -j RETURN $IPTABLES -N RULE_7_3 $IPTABLES -A Cid3D4F0A9E.0 -j RULE_7_3 
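$IPTABLES -A RULE_7_3 -j LOG --log-level debug
    $IPTABLES -A RULE_7_3 -j REJECT --reject-with icmp-host-unreachable
}

# IP forwarding is not changed by this configuration (no-op).
ip_forward() {
    :
}

# Drop the complete rule set.  Only the IPv4 tables are managed by this
# script; reset_iptables_v4 leaves the built-in policies at DROP.
reset_all() {
    :
    reset_iptables_v4
}

# "block": flush everything and keep the built-in policies at DROP --
# the fail-closed emergency state.
block_action() {
    reset_all
}

# "stop": flush everything and set the built-in policies to ACCEPT.
# NOTE: this leaves the host completely unfiltered; use "block" when the
# intent is to stop filtering without exposing the host.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# check_iptables PATH
# Probe one of the /proc/net/ip*_tables_names files.
# Returns 0 when at least one table is listed, 151 when the file does not
# exist (netfilter modules not loaded) and 152 when it exists but is empty
# (modules loaded, no rule set configured).
check_iptables() {
    IP_TABLES="$1"
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status": return 0 when either the IPv4 or the IPv6 tables hold a rule
# set; otherwise print a diagnostic and exit 3 (LSB "not running").
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility a missing argument is equivalent to 'start'.
cmd=${1:-start}

RETVAL=0
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:08 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        # NOTE: only the status of epilog_commands is reported; a failing
        # iptables command inside script_body does not change the exit code.
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # "stop" sets the policies to ACCEPT, so there is a short window
        # with no filtering at all before "start" resets them to DROP.
        # "start" alone avoids that window (reset_all flushes anyway).
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # Dry run: with FWBDEBUG=echo the ip(8) commands are printed, not run.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        # Unknown argument: report usage and fail.  RETVAL used to be left
        # unset here, so the script exited 0 on a bad argument.
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" >&2
        RETVAL=2
        ;;
esac
exit $RETVAL
fwbuilder-5.3.7/test/ipt/firewall11.fw.orig000077500000000000000000000401001303637203600205310ustar00rootroot00000000000000#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !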
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:09 2012 PDT by vadim # # files: * firewall11.fw /etc/fw/firewall11.fw # # Compiled for iptables (any version) # # testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. # This is BRIDGING FIREWALL # Firewall is part of any is OFF # Interfaces eth0 and eth1 are parts of the bridge; Interface eth2 is external interface (doing NAT and routing on this interface) Interface eth3 is connected to protected network and is used to manage firewall. This is rather realistic configuration for the bridging firewall FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth3 10.1.1.1/32" "" getaddr eth2 i_eth2 getaddr6 eth2 i_eth2_v6 getnet eth2 i_eth2_network getnet6 eth2 i_eth2_v6_network getaddr br0 i_br0 getaddr6 br0 i_br0_v6 getnet br0 i_br0_network getnet6 br0 i_br0_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o br0 -s 192.168.1.0/24 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 10.1.1.1 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # # see bug #1693 , SF bug 3048516 # combination of using SNAT instead of MASQ, # source port translation and dynamic interface for i_br0 in $i_br0_list do test -n "$i_br0" && $IPTABLES -t nat -A POSTROUTING -o br0 -p tcp -m tcp -s 192.168.1.0/24 --sport 1000:1010 -j SNAT --to-source $i_br0:1000-1010 done # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # # see SF bug 3057503 for i_br0 in $i_br0_list do test -n "$i_br0" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination $i_br0:3128 done # 
================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A FORWARD -i eth0 -d 192.168.1.255 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # $IPTABLES -A FORWARD -i eth0 -d 255.255.255.255 -m state --state NEW -j ACCEPT # # Rule 2 (eth0) # echo "Rule 2 (eth0)" # $IPTABLES -A FORWARD -o eth0 -d 255.255.255.255 -m state --state NEW -j ACCEPT # # Rule 3 (eth0) # echo "Rule 3 (eth0)" # $IPTABLES -A FORWARD -i eth0 -d 255.255.255.255 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth0 -d 255.255.255.255 -m state --state NEW -j ACCEPT # # Rule 4 (eth0) # echo "Rule 4 (eth0)" # $IPTABLES -A FORWARD -i eth0 -d 224.0.1.141 -m state --state NEW -j ACCEPT # # Rule 5 (eth0) # echo "Rule 5 (eth0)" # $IPTABLES -A FORWARD -i eth0 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 6 (eth0) # echo "Rule 6 (eth0)" # $IPTABLES -A FORWARD -i eth0 -d ! 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 7 (br0) # echo "Rule 7 (br0)" # $IPTABLES -A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 8 (br0) # echo "Rule 8 (br0)" # $IPTABLES -A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 9 (br0) # echo "Rule 9 (br0)" # for i_br0 in $i_br0_list do test -n "$i_br0" && $IPTABLES -A INPUT -i br0 -p tcp -m tcp -d $i_br0 --dport 22 -m state --state NEW -j ACCEPT done # # Rule 10 (br0) # echo "Rule 10 (br0)" # $IPTABLES -N In_RULE_10 $IPTABLES -A INPUT -i br0 -j In_RULE_10 $IPTABLES -A FORWARD -i br0 -j In_RULE_10 $IPTABLES -A In_RULE_10 -j LOG --log-level debug $IPTABLES -A In_RULE_10 -j DROP $IPTABLES -N Out_RULE_10 $IPTABLES -A OUTPUT -o br0 -j Out_RULE_10 $IPTABLES -A FORWARD -o br0 -j Out_RULE_10 $IPTABLES -A Out_RULE_10 -j LOG --log-level debug $IPTABLES -A Out_RULE_10 -j DROP # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -A FORWARD -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p 
udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -N Cid3D94D513.0 $IPTABLES -A FORWARD -p udp -m udp --dport 68 -m state --state NEW -j Cid3D94D513.0 $IPTABLES -A Cid3D94D513.0 -d 192.168.1.10 -j ACCEPT $IPTABLES -A Cid3D94D513.0 -d 192.168.1.255 -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -A FORWARD -p udp -m udp -d 192.168.1.0 --dport 68 -m state --state NEW -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # $IPTABLES -A FORWARD -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # $IPTABLES -A FORWARD -d 224.0.0.5 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 224.0.0.5 -m state --state NEW -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # $IPTABLES -A FORWARD -d 224.0.0.18 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 224.0.0.18 -m state --state NEW -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.1.10 --dport 6667 -m state --state NEW -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # $IPTABLES -N RULE_18 $IPTABLES -A FORWARD -d 192.168.1.10 -j RULE_18 $IPTABLES -A RULE_18 -j LOG --log-level debug $IPTABLES -A RULE_18 -j DROP # # Rule 19 (global) # echo "Rule 19 (global)" # # this rule should generate commands # in both INPUT and FORWARD chains # because this is a bridging firewall # see bug #811860 $IPTABLES -N Cid3DD4BBC7.0 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid3DD4BBC7.0 for i_br0 in $i_br0_list do test -n "$i_br0" && $IPTABLES -A Cid3DD4BBC7.0 -d $i_br0 -j ACCEPT done for i_eth2 in $i_eth2_list do test -n "$i_eth2" && $IPTABLES -A Cid3DD4BBC7.0 -d $i_eth2 -j ACCEPT done $IPTABLES -A Cid3DD4BBC7.0 -d 10.1.1.1 -j ACCEPT $IPTABLES -A INPUT 
-p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # for i_br0 in $i_br0_list do test -n "$i_br0" && $IPTABLES -A FORWARD -d $i_br0 -m state --state NEW -j ACCEPT done for i_eth2 in $i_eth2_list do test -n "$i_eth2" && $IPTABLES -A FORWARD -d $i_eth2 -m state --state NEW -j ACCEPT done $IPTABLES -A FORWARD -d 10.1.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -A FORWARD -d 10.1.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 10.1.1.1 -m state --state NEW -j ACCEPT # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -N RULE_23 $IPTABLES -A FORWARD -j RULE_23 $IPTABLES -A RULE_23 -j LOG --log-level debug $IPTABLES -A RULE_23 -j DROP # # Rule 24 (global) # echo "Rule 24 (global)" # $IPTABLES -N RULE_24 $IPTABLES -A OUTPUT -j RULE_24 $IPTABLES -A INPUT -j RULE_24 $IPTABLES -A FORWARD -j RULE_24 $IPTABLES -A RULE_24 -j LOG --log-level debug $IPTABLES -A RULE_24 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
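# For backwards compatibility a missing argument is equivalent to 'start'.
cmd=${1:-start}

RETVAL=0
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:09 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules "nat "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        # NOTE: only the status of epilog_commands is reported; a failing
        # iptables command inside script_body does not change the exit code.
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # "stop" sets the policies to ACCEPT, so there is a short window
        # with no filtering at all before "start" resets them to DROP.
        # "start" alone avoids that window (reset_all flushes anyway).
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # Dry run: with FWBDEBUG=echo the ip(8) commands are printed, not run.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        # Unknown argument: report usage and fail.  RETVAL used to be left
        # unset here, so the script exited 0 on a bad argument.
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" >&2
        RETVAL=2
        ;;
esac
exit $RETVAL
fwbuilder-5.3.7/test/ipt/firewall12.fw.orig000077500000000000000000000376701303637203600205500ustar00rootroot00000000000000#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:16:09 2012 PDT by vadim
#
# files: * firewall12.fw /etc/fw/firewall12.fw
#
# Compiled for iptables (any version)
#
# This firewall does not NAT addresses; it only translates the port for a server.
# The two compiler errors below were reported for NAT rule 16 and are kept as
# part of the expected output:
# firewall12:NAT:16: error: NAT rule can not change service types: TCPService to UDPService
# firewall12:NAT:16: error: Translated Service should be either 'Original' or should contain object of the same type as Original Service.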
# firewall12::: warning: Can not add virtual address for object fw1:eth0:ip # firewall12::: warning: Can not add virtual address for object fw1:eth1:ip # firewall12::: warning: Can not add virtual address for object fw1:eth0:ip # firewall12::: warning: Can not add virtual address for object fw1:eth1:ip # firewall12::: warning: Can not add virtual address for object fw1:eth0:ip # firewall12::: warning: Can not add virtual address for object fw1:eth1:ip # firewall12::: warning: Can not add virtual address for object fw1:eth0:ip # firewall12::: warning: Can not add virtual address for object fw1:eth1:ip # firewall12::: warning: Can not add virtual address for object fw1:eth0:ip # firewall12::: warning: Can not add virtual address for object fw1:eth1:ip # firewall12::: warning: Can not add virtual address for object fw1:eth0:ip # firewall12::: warning: Can not add virtual address for object fw1:eth1:ip FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 22.22.22.22/24 22.22.22.23/24" "" update_addresses_of_interface "eth1 22.22.23.22/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.23 --dport 80 -j DNAT --to-destination :8080 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.22 --dport 80 -j DNAT --to-destination :8080 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.22 --dport 80 -j DNAT --to-destination :8080 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j REDIRECT --to-ports 8080 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.22 --dport 80 -j REDIRECT --to-ports 8080 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j REDIRECT --to-ports 8080 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.22 --dport 80 -j REDIRECT --to-ports 8080 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 22.22.22.22:8080 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.22 --dport 80 -j DNAT --to-destination 22.22.22.22:8080 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES 
-t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # # port-only translation $IPTABLES -t nat -A POSTROUTING -o eth+ -p udp -m udp --sport 6767 -j SNAT --to-source :67 # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p udp -m udp --sport 6767 -j SNAT --to-source 22.22.23.22:67 # # Rule 9 (NAT) # echo "Rule 9 (NAT)" # # port-only translation $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080 # # Rule 10 (NAT) # echo "Rule 10 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 # # Rule 11 (NAT) # echo "Rule 11 (NAT)" # # SDNAT $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.0.2.1 --dport 22 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 22 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -d 192.168.1.10 --dport 22 -j SNAT --to-source 192.0.2.1 $IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -d 192.168.1.10 --dport 22 -j SNAT --to-source 192.168.1.1 # # Rule 12 (NAT) # echo "Rule 12 (NAT)" # # SDNAT with source port $IPTABLES -t nat -A PREROUTING -p udp -m udp --sport 123 -d 192.0.2.1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p udp -m udp --sport 123 -d 192.168.1.1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A POSTROUTING -o eth+ -p udp -m udp --sport 123 -d 192.168.1.10 -j SNAT --to-source 192.0.2.1:5050 $IPTABLES -t nat -A POSTROUTING -o eth+ -p udp -m udp --sport 123 -d 192.168.1.10 -j SNAT --to-source 192.168.1.1:5050 # # Rule 13 (NAT) # echo "Rule 13 (NAT)" # # SDNAT with dest port $IPTABLES -t nat -A PREROUTING -p udp -m udp -s 192.168.1.0/24 --dport 53 -j DNAT --to-destination 192.168.1.10:1053 $IPTABLES -t nat -A POSTROUTING -o eth+ -p udp -m udp -s 192.168.1.0/24 -d 192.168.1.10 --dport 1053 -j SNAT --to-source 192.0.2.1 $IPTABLES -t nat 
-A POSTROUTING -o eth+ -p udp -m udp -s 192.168.1.0/24 -d 192.168.1.10 --dport 1053 -j SNAT --to-source 192.168.1.1 # # Rule 14 (NAT) # echo "Rule 14 (NAT)" # # SDNAT # translate src and dst addresses # and src and dst ports $IPTABLES -t nat -A PREROUTING -p udp -m udp -s 192.168.1.0/24 --sport 1024:65535 --dport 53 -j DNAT --to-destination 192.168.1.10:1053 $IPTABLES -t nat -A POSTROUTING -o eth+ -p udp -m udp -s 192.168.1.0/24 -d 192.168.1.10 --dport 1053 -j SNAT --to-source 192.0.2.1:32767-65535 $IPTABLES -t nat -A POSTROUTING -o eth+ -p udp -m udp -s 192.168.1.0/24 -d 192.168.1.10 --dport 1053 -j SNAT --to-source 192.168.1.1:32767-65535 # # Rule 15 (NAT) # echo "Rule 15 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -p udp -m udp -s 192.168.1.0/24 --dport 53 -j SNAT --to-source :5050 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 22.22.22.23 --dport 8080 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -d 22.22.22.23 --dport 8080 -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A OUTPUT -j RULE_1 $IPTABLES -A INPUT -j RULE_1 $IPTABLES -A FORWARD -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A RULE_1 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:09 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall13.fw.orig000077500000000000000000000253041303637203600205440ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:11 2012 PDT by vadim # # files: * firewall13.fw /etc/fw/firewall13.fw # # Compiled for iptables (any version) # # Testing empty groups thing # firewall13:NAT:0: warning: Empty group or address table object 'empty Ogroup' # firewall13:NAT:0: warning: After removal of all empty groups and address table objects rule element OSrc becomes 'any' in the rule 0 (NAT) # Dropping rule 0 (NAT) because option 'Ignore rules with empty groups' is in effect # firewall13:NAT:1: warning: Empty group or address table object 'empty Ogroup2' # firewall13:NAT:1: warning: After removal of all empty groups and address table objects rule element OSrc becomes 'any' in the rule 1 (NAT) # Dropping rule 1 (NAT) because option 'Ignore rules with empty groups' is in effect # firewall13:Policy:0: warning: Empty group or address table object 'empty Ogroup2' # firewall13:Policy:0: warning: After removal of all empty groups and address table objects rule element Src becomes 'any' in the rule 0 (global) # Dropping rule 0 (global) because option 'Ignore rules with empty groups' is in effect # firewall13:Policy:1: warning: Empty group or address table object 'empty Sgroup' # firewall13:Policy:1: warning: After removal of all empty groups and address table objects rule element Srv becomes 'any' in the rule 1 (global) # Dropping rule 1 (global) because option 'Ignore rules with empty groups' is in effect FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 
's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of 
interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG 
$IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 22.22.22.22/24" "" update_addresses_of_interface "eth1 22.22.23.22/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N RULE_2 $IPTABLES -A OUTPUT -j RULE_2 $IPTABLES -A INPUT -j RULE_2 $IPTABLES -A FORWARD -j RULE_2 $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY " $IPTABLES -A RULE_2 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT 
$IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:11 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall14.fw.orig000077500000000000000000000262641303637203600205530ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:11 2012 PDT by vadim # # files: * firewall14.fw /etc/fw/firewall14.fw # # Compiled for iptables (any version) # # special configuration with overlapping subnets on external and dmz interfaces # testing NAT rules (especially choice of interfaces for -o ) FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.168.1.22/24" "" update_addresses_of_interface "eth1 22.22.23.22/24 22.22.23.160/24 22.22.23.40/24" "" update_addresses_of_interface "eth2 22.22.23.132/25" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.160 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 
22.22.23.128/25 -j SNAT --to-source 22.22.23.160 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 22.22.23.128/25 -j SNAT --to-source 22.22.23.132 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 22.22.23.128/25 -j SNAT --to-source 22.22.23.132 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # # I guess this rule does not make much sense $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 22.22.23.128/25 -j SNAT --to-source 22.22.23.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 22.22.23.128/25 -j SNAT --to-source 22.22.23.160 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -d 22.22.23.128/25 -j SNAT --to-source 22.22.23.22 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -d 22.22.23.128/25 -j SNAT --to-source 22.22.23.40 } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:11 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall15.fw.orig000077500000000000000000000243451303637203600205520ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:12 2012 PDT by vadim # # files: * firewall15.fw /etc/fw/firewall15.fw # # Compiled for iptables (any version) # # Testing "Accept TCP sessions opened prior to firewall restart flag" # in combination with "Assume firewall is part of any" - both # flags are OFF here FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval 
"${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 22.22.22.22/24" "" update_addresses_of_interface "eth1 22.22.23.22/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop TCP sessions opened prior firewall restart $IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A FORWARD -p tcp -m tcp ! 
--tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (lo) # echo "Rule 0 (lo)" # # option 'assume firewall is part of any' # is off, but this rule should go into # INPUT/OUTPUT chains anyway $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A FORWARD -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A RULE_1 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:12 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall16.fw.orig000077500000000000000000000343601303637203600205510ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:12 2012 PDT by vadim # # files: * firewall16.fw /etc/fw/firewall16.fw # # Compiled for iptables (any version) # # testing translation from outside to the web server on DMZ, need to see what happens if clients on internal net connect to the NATted address of this server. This is a kind of "NAT back to the same subnet" with a twist. # This firewall also has option "local NAT" enabled. NAT rules 0,2-7 should generate code in the OUTPUT and POSTROUTING chains. FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.22/24" "" update_addresses_of_interface "eth1 22.22.23.22/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # # should generate code in both PREROUTING # and OUTPUT chain because option "local NAT" # is enabled $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.22 --dport 80 -j DNAT --to-destination 192.168.2.10:80 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.22 --dport 80 -j DNAT --to-destination 192.168.2.10:80 $IPTABLES -t nat -A PREROUTING -p 
tcp -m tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.2.10:80 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.23.22 --dport 80 -j DNAT --to-destination 192.168.2.10:80 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.1.22 --dport 80 -j DNAT --to-destination 192.168.2.10:80 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.2.10:80 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.22 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:3128 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 8080 -j DNAT --to-destination 192.168.1.10:3128 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -s 192.168.2.1 --dport 8080 -j DNAT --to-destination 192.168.1.10:3128 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -s 192.168.2.1 --dport 8080 -j DNAT --to-destination 192.168.1.10:3128 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 22.22.23.22 -j SNAT --to-source 22.22.23.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -j SNAT --to-source 22.22.23.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.2.1 -j SNAT --to-source 22.22.23.22 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 22.22.23.22 -j SNAT --to-source 22.22.23.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -j SNAT --to-source 22.22.23.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.2.1 -j SNAT --to-source 22.22.23.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT 
--to-source 22.22.23.22 # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.2.1 -j SNAT --to-source 22.22.23.22 # # Rule 9 (NAT) # echo "Rule 9 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.2.1 -j SNAT --to-source 22.22.23.22 # # Rule 10 (NAT) # echo "Rule 10 (NAT)" # $IPTABLES -t nat -A POSTROUTING -s 22.22.23.22 -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.1.22 -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.2.1 -j ACCEPT $IPTABLES -t nat -A OUTPUT -j ACCEPT # # Rule 11 (NAT) # echo "Rule 11 (NAT)" # $IPTABLES -t nat -A POSTROUTING -s 22.22.23.22 -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.1.22 -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.2.1 -j ACCEPT $IPTABLES -t nat -A OUTPUT -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j ACCEPT $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -j ACCEPT # # Rule 12 (NAT) # echo "Rule 12 (NAT)" # $IPTABLES -t nat -A POSTROUTING -s 192.168.2.1 -j ACCEPT $IPTABLES -t nat -A OUTPUT -s 192.168.2.1 -j ACCEPT # # Rule 13 (NAT) # echo "Rule 13 (NAT)" # $IPTABLES -t nat -A POSTROUTING -s 192.168.2.1 -j ACCEPT $IPTABLES -t nat -A OUTPUT -s 192.168.2.1 -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.2.10 --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 80 -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A OUTPUT -j RULE_1 $IPTABLES -A INPUT -j RULE_1 $IPTABLES -A FORWARD -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A RULE_1 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:12 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall17.fw.orig000077500000000000000000000336621303637203600205560ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:14 2012 PDT by vadim # # files: * firewall17.fw /etc/fw/firewall17.fw # # Compiled for iptables (any version) # # doing SNAT with virtual addresses of two external interface # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters # firewall17:Policy:: warning: Log prefix has been truncated to 29 characters FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto 
kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24 33.33.33.33/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth3 22.22.23.23/24 44.44.44.44/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # # compiler should add "-o eth2" $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 33.33.33.33 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # # compiler should add "-o eth2" $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 44.44.44.44 # ================ Table 'filter', rule set Policy # # Rule 0 (eth1) # echo "Rule 0 (eth1)" 
# $IPTABLES -N Cid3E1C6BE3.0 $IPTABLES -A INPUT -i eth1 -j Cid3E1C6BE3.0 $IPTABLES -A Cid3E1C6BE3.0 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3E1C6BE3.0 -d 22.22.23.23 -j RETURN $IPTABLES -A Cid3E1C6BE3.0 -d 33.33.33.33 -j RETURN $IPTABLES -A Cid3E1C6BE3.0 -d 44.44.44.44 -j RETURN $IPTABLES -A Cid3E1C6BE3.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid3E1C6BE3.0 -d 192.168.2.1 -j RETURN $IPTABLES -N In_RULE_0_3 $IPTABLES -A Cid3E1C6BE3.0 -j In_RULE_0_3 $IPTABLES -A In_RULE_0_3 -j LOG --log-level debug --log-prefix "RULE 0 -- DENY on interface g" $IPTABLES -A In_RULE_0_3 -j DROP $IPTABLES -N In_RULE_0 $IPTABLES -A FORWARD -i eth1 -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level debug --log-prefix "RULE 0 -- DENY on interface g" $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N rule0acct $IPTABLES -A rule0acct -j RETURN $IPTABLES -A OUTPUT -j rule0acct $IPTABLES -A INPUT -j rule0acct $IPTABLES -A FORWARD -j rule0acct # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N RULE_2 $IPTABLES -A OUTPUT -j RULE_2 $IPTABLES -A INPUT -j RULE_2 $IPTABLES -A FORWARD -j RULE_2 $IPTABLES -A RULE_2 -j LOG --log-level debug --log-prefix "RULE 2 -- ACCOUNTING on inter" $IPTABLES -N rule1acct $IPTABLES -A rule1acct -j RETURN $IPTABLES -A RULE_2 -j rule1acct # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -N RULE_3 $IPTABLES -A OUTPUT -j RULE_3 $IPTABLES -A INPUT -j RULE_3 $IPTABLES -A FORWARD -j RULE_3 $IPTABLES -A RULE_3 -j LOG --log-level debug --log-prefix "RULE 3 -- ACCOUNTING on inter" $IPTABLES -A RULE_3 -j RETURN # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N RULE_4 $IPTABLES -A RULE_4 -j RETURN $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.11 -d 192.168.2.10 --dport 4000:4010 -j RULE_4 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.11 -d 192.168.2.10 --dport 22 -j RULE_4 # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N Cid3E1C6BC9.0 $IPTABLES -A INPUT -j Cid3E1C6BC9.0 $IPTABLES -A 
Cid3E1C6BC9.0 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3E1C6BC9.0 -d 22.22.23.23 -j RETURN $IPTABLES -A Cid3E1C6BC9.0 -d 33.33.33.33 -j RETURN $IPTABLES -A Cid3E1C6BC9.0 -d 44.44.44.44 -j RETURN $IPTABLES -A Cid3E1C6BC9.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid3E1C6BC9.0 -d 192.168.2.1 -j RETURN $IPTABLES -N In_RULE_5_3 $IPTABLES -A Cid3E1C6BC9.0 -j In_RULE_5_3 $IPTABLES -A In_RULE_5_3 -j LOG --log-level debug --log-prefix "RULE 5 -- DENY on interface g" $IPTABLES -A In_RULE_5_3 -j DROP $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -j RULE_5 $IPTABLES -A FORWARD -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level debug --log-prefix "RULE 5 -- DENY on interface g" $IPTABLES -A RULE_5 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:14 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall18.fw.orig000077500000000000000000000354441303637203600205570ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:14 2012 PDT by vadim # # files: * firewall18.fw /etc/fw/firewall18.fw # # Compiled for iptables (any version) # # this firewall translates outgoing connections using address of the particular interface (not external one). Also testing different cmbinations of objects in the policy rules on loopback interface. 
Finally, testing for a situation when dynamic interface "shades" a rule with old broadcast FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F 
$chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # 
Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth2 eth0 eth1 lo ppp0" for i in eth2 eth0 eth1 lo ppp0 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth2 66.66.66.1/25" "" update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 66.66.66.130/25" "" update_addresses_of_interface "lo 
127.0.0.1/8" "" getaddr ppp0 i_ppp0 getaddr6 ppp0 i_ppp0_v6 getnet ppp0 i_ppp0_network getnet6 ppp0 i_ppp0_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -t nat -A POSTROUTING -o eth1 -s $i_ppp0 -j SNAT --to-source 66.66.66.130 done $IPTABLES -t nat -A POSTROUTING -o eth1 -s 66.66.66.1 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 66.66.66.130 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.1 -j SNAT --to-source 66.66.66.130 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -t nat -A POSTROUTING -o eth1 -s $i_ppp0 -j SNAT --to-source 66.66.66.130 done $IPTABLES -t nat -A POSTROUTING -o eth1 -s 66.66.66.1 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 66.66.66.130 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.1 -j SNAT --to-source 66.66.66.130 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 66.66.66.130 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 66.66.66.130 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -t nat -A POSTROUTING -o eth+ -s $i_ppp0 -j SNAT --to-source 66.66.66.130 done for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -t nat -A 
POSTROUTING -o ppp+ -s $i_ppp0 -j SNAT --to-source 66.66.66.130 done $IPTABLES -t nat -A POSTROUTING -o eth+ -s 66.66.66.1 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 66.66.66.1 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 66.66.66.130 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 66.66.66.130 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.1 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 192.168.1.1 -j SNAT --to-source 66.66.66.130 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 192.168.1.0/24 -j SNAT --to-source 66.66.66.130 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 66.66.66.1 -j SNAT --to-source 66.66.66.130 $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 66.66.66.1 -j SNAT --to-source 66.66.66.130 # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # # using address range object # 255.255.255.255-255.255.255.255 $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth0 -d 255.255.255.255 -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A In_RULE_0 -j DROP $IPTABLES -N Out_RULE_0 $IPTABLES -A OUTPUT -o eth0 -d 255.255.255.255 -j Out_RULE_0 $IPTABLES -A Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A Out_RULE_0 -j DROP # # Rule 1 (lo) # echo "Rule 1 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 2 (ppp0) # echo "Rule 2 (ppp0)" # # anti-spoofing rule $IPTABLES -N In_RULE_2 for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -A INPUT -i ppp0 -s $i_ppp0 -j In_RULE_2 done $IPTABLES -A INPUT -i ppp0 -s 66.66.66.1 -j In_RULE_2 $IPTABLES -A INPUT 
-i ppp0 -s 66.66.66.130 -j In_RULE_2 $IPTABLES -A INPUT -i ppp0 -s 192.168.1.1 -j In_RULE_2 for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -A FORWARD -i ppp0 -s $i_ppp0 -j In_RULE_2 done $IPTABLES -A FORWARD -i ppp0 -s 66.66.66.1 -j In_RULE_2 $IPTABLES -A FORWARD -i ppp0 -s 66.66.66.130 -j In_RULE_2 $IPTABLES -A FORWARD -i ppp0 -s 192.168.1.1 -j In_RULE_2 $IPTABLES -A In_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY " $IPTABLES -A In_RULE_2 -j DROP # # Rule 3 (ppp0) # echo "Rule 3 (ppp0)" # # but old broadcast is permitted $IPTABLES -A INPUT -i ppp0 -s 0.0.0.0 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N RULE_4 $IPTABLES -A OUTPUT -j RULE_4 $IPTABLES -A INPUT -j RULE_4 $IPTABLES -A FORWARD -j RULE_4 $IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY " $IPTABLES -A RULE_4 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:14 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall19.fw.orig000077500000000000000000000372401303637203600205540ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:15 2012 PDT by vadim # # files: * firewall19.fw /etc/fw/firewall19.fw # # Compiled for iptables (any version) # # testing different cmbinations of objects in the policy rules on loopback interface # firewall19:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. 
FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT 
DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf 
missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth2 eth0 eth1 lo ppp0" for i in eth2 eth0 eth1 lo ppp0 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth2 66.66.66.1/25" "" update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 66.66.66.130/25" "" update_addresses_of_interface "lo 127.0.0.1/8" "" getaddr ppp0 i_ppp0 getaddr6 ppp0 i_ppp0_v6 getnet ppp0 i_ppp0_network getnet6 
ppp0 i_ppp0_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (lo) # echo "Rule 0 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -A OUTPUT -o lo -d $i_ppp0 -m state --state NEW -j ACCEPT done $IPTABLES -A OUTPUT -o lo -d 66.66.66.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -d 66.66.66.130 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -d 127.0.0.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -d 192.168.1.1 -m state --state NEW -j ACCEPT # # Rule 1 (lo) # echo "Rule 1 (lo)" # $IPTABLES -A INPUT -i lo -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i lo -d 66.66.66.130 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i lo -d 66.66.66.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i lo -d 127.0.0.1 -m state --state NEW -j ACCEPT for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -A INPUT -i lo -d $i_ppp0 -m state --state NEW -j ACCEPT done $IPTABLES -A OUTPUT -o lo -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -d 66.66.66.130 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -d 66.66.66.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -d 127.0.0.1 -m state --state NEW -j ACCEPT for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -A OUTPUT -o lo -d $i_ppp0 -m state --state NEW -j ACCEPT done # # Rule 2 (lo) # echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -d 
192.168.1.1 -m state --state NEW -j ACCEPT # # Rule 3 (lo) # echo "Rule 3 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/second -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/second -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/second -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_5 $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_5 $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY " $IPTABLES -A RULE_5 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N Cid3EFBA6FE.0 $IPTABLES -A OUTPUT -j Cid3EFBA6FE.0 $IPTABLES -A INPUT -j Cid3EFBA6FE.0 $IPTABLES -A FORWARD -j Cid3EFBA6FE.0 $IPTABLES -A Cid3EFBA6FE.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN $IPTABLES -A Cid3EFBA6FE.0 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 5190 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 5190 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 5190 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 5190 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-host-prohibited $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 5190 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-host-prohibited $IPTABLES -A FORWARD -p tcp -m tcp 
-s 192.168.1.0/24 --dport 5190 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-host-prohibited # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N Cid40038EB9.0 $IPTABLES -A OUTPUT -j Cid40038EB9.0 $IPTABLES -A INPUT -j Cid40038EB9.0 $IPTABLES -A FORWARD -j Cid40038EB9.0 $IPTABLES -A Cid40038EB9.0 -p tcp -m tcp --dport 5190 --tcp-flags SYN,RST,ACK SYN -j RETURN $IPTABLES -A Cid40038EB9.0 -j REJECT --reject-with icmp-host-prohibited # # Rule 10 (global) # echo "Rule 10 (global)" # # firewall19:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A INPUT -s 192.168.1.0/24 -p tcp ! --syn -dport 5190 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited $IPTABLES -A OUTPUT -s 192.168.1.0/24 -p tcp ! --syn -dport 5190 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited $IPTABLES -A FORWARD -s 192.168.1.0/24 -p tcp ! --syn -dport 5190 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 66.66.66.130 --dport 3128 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -d 127.0.0.1 --dport 3128 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp -d 66.66.66.130 --dport 3128 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp -d 127.0.0.1 --dport 3128 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -N RULE_12 $IPTABLES -A OUTPUT -j RULE_12 $IPTABLES -A INPUT -j RULE_12 $IPTABLES -A FORWARD -j RULE_12 $IPTABLES -A RULE_12 -j LOG --log-level info --log-prefix "RULE 12 -- DENY " $IPTABLES -A RULE_12 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:15 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall2-1.fw.orig000077500000000000000000002210451303637203600206200ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:21 2012 PDT by vadim # # files: * firewall2-1.fw /etc/fw/firewall2-1.fw # # Compiled for iptables lt_1.2.6 # # copy of firewall2 but old iptables version # firewall2-1:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range) # firewall2-1:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it # firewall2-1:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it # firewall2-1:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it # firewall2-1:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-1:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-1:Policy:: warning: Log prefix has been truncated to 29 characters # 
firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. # firewall2-1:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-1:Policy:: warning: Log prefix has been truncated to 29 characters FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done
}

# check_file OBJECT_NAME FILE
# Abort the script (status 1) if FILE, referenced by the address table
# object OBJECT_NAME, is not readable by this script.
check_file() {
  test -r "$2" || {
    echo "Can not find file $2 referenced by address table object $1"
    exit 1
  }
}

# Empty hook in this generated script.
check_run_time_address_table_files() {
  :
}

# Empty hook in this generated script.
load_modules() {
  :
}

# Empty hook in this generated script.
verify_interfaces() {
  :
}

prolog_commands() {
  echo "Running prolog script"
}

epilog_commands() {
  echo "Running epilog script"
}

# run_epilog_and_exit STATUS
# Run the epilog commands, then exit with STATUS.
run_epilog_and_exit() {
  epilog_commands
  exit $1
}

# Bring each interface's address set in line with the compiled
# configuration (see update_addresses_of_interface). Every call passes
# "<interface> <addr/prefix> ..." as one string and an empty ignore list.
configure_interfaces() {
  :
  # Configure interfaces
  # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689
  # this ensures that secondary ip address is "promoted" to primary
  # when primary address is deleted, instead of deleting both
  # primary and secondary addresses. It looks like this is only
  # available starting from Linux 2.6.16
  test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \
    echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries
  update_addresses_of_interface "eth0 192.168.1.1/24 192.168.1.10/24 192.168.1.50/24" ""
  update_addresses_of_interface "eth1 22.22.22.22/24 22.22.22.23/24 22.22.22.24/24 22.22.22.25/24 22.22.22.0/32 22.22.22.1/32 22.22.22.2/32 22.22.22.3/32 22.22.22.4/32 22.22.22.5/32 22.22.22.6/32 22.22.22.7/32 22.22.22.8/32 22.22.22.9/32 22.22.22.10/32 22.22.22.11/32 22.22.22.12/32 22.22.22.13/32 22.22.22.14/32 22.22.22.15/32 22.22.22.16/32 22.22.22.17/32 22.22.22.18/32 22.22.22.19/32 22.22.22.20/32 22.22.22.21/32 22.22.22.22/32 22.22.22.23/32 22.22.22.24/32 22.22.22.25/32 22.22.22.26/32 22.22.22.27/32 22.22.22.28/32 22.22.22.29/32 22.22.22.30/32 22.22.22.31/32 22.22.22.32/32 22.22.22.33/32 22.22.22.34/32 22.22.22.35/32 22.22.22.36/32 22.22.22.37/32 22.22.22.38/32 22.22.22.39/32 22.22.22.40/32 22.22.22.41/32 22.22.22.42/32 22.22.22.43/32 22.22.22.44/32 22.22.22.45/32 22.22.22.46/32 22.22.22.47/32 22.22.22.48/32 22.22.22.49/32 22.22.22.50/32 22.22.22.51/32 22.22.22.52/32 22.22.22.53/32 22.22.22.54/32 22.22.22.55/32 22.22.22.56/32 22.22.22.57/32 22.22.22.58/32 22.22.22.59/32 22.22.22.60/32 22.22.22.61/32 22.22.22.62/32 22.22.22.63/32 22.22.22.64/32 22.22.22.65/32 22.22.22.66/32 22.22.22.67/32 22.22.22.68/32 22.22.22.69/32 22.22.22.70/32 22.22.22.71/32 22.22.22.72/32 22.22.22.73/32 22.22.22.74/32 22.22.22.75/32 22.22.22.76/32 22.22.22.77/32 22.22.22.78/32 22.22.22.79/32 22.22.22.80/32 22.22.22.81/32 22.22.22.82/32 22.22.22.83/32 22.22.22.84/32 22.22.22.85/32 22.22.22.86/32 22.22.22.87/32 22.22.22.88/32 22.22.22.89/32 22.22.22.90/32 22.22.22.91/32 22.22.22.92/32 22.22.22.93/32 22.22.22.94/32 22.22.22.95/32 22.22.22.96/32 22.22.22.97/32 22.22.22.98/32 22.22.22.99/32 22.22.22.100/32 22.22.22.101/32 22.22.22.102/32 22.22.22.103/32 22.22.22.104/32 22.22.22.105/32 22.22.22.106/32 22.22.22.107/32 22.22.22.108/32 22.22.22.109/32 22.22.22.110/32 22.22.22.111/32 22.22.22.112/32 22.22.22.113/32 22.22.22.114/32 22.22.22.115/32 22.22.22.116/32 22.22.22.117/32 22.22.22.118/32 22.22.22.119/32 22.22.22.120/32 22.22.22.121/32 22.22.22.122/32 22.22.22.123/32 22.22.22.124/32 22.22.22.125/32 22.22.22.126/32 22.22.22.127/32 22.22.22.128/32 22.22.22.129/32 22.22.22.130/32 22.22.22.131/32 22.22.22.132/32 22.22.22.133/32 22.22.22.134/32 22.22.22.135/32 22.22.22.136/32 22.22.22.137/32 22.22.22.138/32 22.22.22.139/32 22.22.22.140/32 22.22.22.141/32 22.22.22.142/32 22.22.22.143/32 22.22.22.144/32 22.22.22.145/32 22.22.22.146/32 22.22.22.147/32 22.22.22.148/32 22.22.22.149/32 22.22.22.150/32 22.22.22.151/32 22.22.22.152/32 22.22.22.153/32 22.22.22.154/32 22.22.22.155/32 22.22.22.156/32 22.22.22.157/32 22.22.22.158/32 22.22.22.159/32 22.22.22.160/32 22.22.22.161/32 22.22.22.162/32 22.22.22.163/32 22.22.22.164/32 22.22.22.165/32 22.22.22.166/32 22.22.22.167/32 22.22.22.168/32 22.22.22.169/32 22.22.22.170/32 22.22.22.171/32 22.22.22.172/32 22.22.22.173/32 22.22.22.174/32 22.22.22.175/32 22.22.22.176/32 22.22.22.177/32 22.22.22.178/32 22.22.22.179/32 22.22.22.180/32 22.22.22.181/32 22.22.22.182/32 22.22.22.183/32 22.22.22.184/32 22.22.22.185/32 22.22.22.186/32 22.22.22.187/32 22.22.22.188/32 22.22.22.189/32 22.22.22.190/32 22.22.22.191/32 22.22.22.192/32 22.22.22.193/32 22.22.22.194/32 22.22.22.195/32 22.22.22.196/32 22.22.22.197/32 22.22.22.198/32 22.22.22.199/32 22.22.22.200/32 22.22.22.201/32 22.22.22.202/32 22.22.22.203/32 22.22.22.204/32 22.22.22.205/32 22.22.22.206/32 22.22.22.207/32 22.22.22.208/32 22.22.22.209/32 22.22.22.210/32 22.22.22.211/32 22.22.22.212/32 22.22.22.213/32 22.22.22.214/32 22.22.22.215/32 22.22.22.216/32 22.22.22.217/32 22.22.22.218/32 22.22.22.219/32 22.22.22.220/32 22.22.22.221/32 22.22.22.222/32 22.22.22.223/32 22.22.22.224/32 22.22.22.225/32 22.22.22.226/32 22.22.22.227/32 22.22.22.228/32 22.22.22.229/32 22.22.22.230/32 22.22.22.231/32 22.22.22.232/32 22.22.22.233/32 22.22.22.234/32 22.22.22.235/32 22.22.22.236/32 22.22.22.237/32 22.22.22.238/32 22.22.22.239/32 22.22.22.240/32 22.22.22.241/32 22.22.22.242/32 22.22.22.243/32 22.22.22.244/32 22.22.22.245/32 22.22.22.246/32 22.22.22.247/32 22.22.22.248/32 22.22.22.249/32 22.22.22.250/32 22.22.22.251/32 22.22.22.252/32 22.22.22.253/32 22.22.22.254/32" ""
  update_addresses_of_interface "eth3 22.22.23.23/24 22.22.25.50/24 22.22.23.24/24" ""
  update_addresses_of_interface "eth2 192.168.2.1/24 192.168.2.40/24" ""
  update_addresses_of_interface "lo 127.0.0.1/8" ""
}

script_body() {
  # Kernel network hardening: reverse-path filtering on, source routing
  # and ICMP redirects off, martians logged, all ICMP echo ignored.
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
  echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
  # ================ IPv4
  # ================ Table 'filter', automatic rules
  $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  # accept established sessions
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT # drop TCP sessions opened prior firewall restart $IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p 
icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 
-j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.40 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.25.50 
$IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p 88 -s 192.168.1.0/24 -j SNAT 
--to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.24 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.25 # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -d 192.168.1.10 -j SNAT --to-source 192.168.1.1 # # Rule 9 (NAT) # echo "Rule 9 (NAT)" # $IPTABLES -t nat -N Cid31547X1798.0 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.10 -j Cid31547X1798.0 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.11 -j Cid31547X1798.0 $IPTABLES -t nat -A Cid31547X1798.0 -s 22.22.22.22 -j ACCEPT $IPTABLES -t nat -A Cid31547X1798.0 -s 22.22.23.23 -j ACCEPT $IPTABLES -t nat -A Cid31547X1798.0 -s 22.22.25.50 -j ACCEPT $IPTABLES -t nat -A Cid31547X1798.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -t nat -A Cid31547X1798.0 -s 192.168.2.1 -j ACCEPT $IPTABLES 
-t nat -A Cid31547X1798.0 -s 192.168.2.40 -j ACCEPT $IPTABLES -t nat -A OUTPUT -d 192.168.2.10 -j ACCEPT $IPTABLES -t nat -A OUTPUT -d 192.168.2.11 -j ACCEPT $IPTABLES -t nat -N Cid31547X1798.1 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.10 -j Cid31547X1798.1 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.11 -j Cid31547X1798.1 $IPTABLES -t nat -A Cid31547X1798.1 -s 192.168.1.10 -j ACCEPT $IPTABLES -t nat -A Cid31547X1798.1 -s 192.168.1.20 -j ACCEPT $IPTABLES -t nat -N Cid31547X1798.2 $IPTABLES -t nat -A PREROUTING -d 192.168.2.10 -j Cid31547X1798.2 $IPTABLES -t nat -A PREROUTING -d 192.168.2.11 -j Cid31547X1798.2 $IPTABLES -t nat -A Cid31547X1798.2 -s 192.168.1.10 -j ACCEPT $IPTABLES -t nat -A Cid31547X1798.2 -s 192.168.1.20 -j ACCEPT # # Rule 10 (NAT) # echo "Rule 10 (NAT)" # $IPTABLES -t nat -N Cid31565X1798.0 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.10 -j Cid31565X1798.0 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.20 -j Cid31565X1798.0 $IPTABLES -t nat -A PREROUTING -s 192.168.1.10 -j Cid31565X1798.0 $IPTABLES -t nat -A PREROUTING -s 192.168.1.20 -j Cid31565X1798.0 $IPTABLES -t nat -A Cid31565X1798.0 -d 192.168.2.10 -j RETURN $IPTABLES -t nat -A Cid31565X1798.0 -d 192.168.2.11 -j RETURN $IPTABLES -t nat -A Cid31565X1798.0 -j ACCEPT # # Rule 11 (NAT) # echo "Rule 11 (NAT)" # $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p 50 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 
$IPTABLES -t nat -A PREROUTING -p 88 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p 50 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p 88 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 # # Rule 12 (NAT) # echo "Rule 12 (NAT)" # $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 13 (NAT) # echo "Rule 13 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -s 22.22.23.23 -d 22.22.22.23 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -s 22.22.25.50 -d 22.22.22.23 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 14 (NAT) # echo "Rule 14 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat 
-A PREROUTING -p tcp -m tcp -m multiport -s 200.200.200.200 -d 22.22.22.23 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 16 (NAT) # echo "Rule 16 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.24 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.25 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.24 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.25 --destination-port 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 17 (NAT) # echo "Rule 17 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 119 -j DNAT --to-destination 192.168.1.10 # # Rule 18 (NAT) # echo "Rule 18 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.20 -j SNAT --to-source 22.22.23.24 # # Rule 19 (NAT) # echo "Rule 19 (NAT)" # $IPTABLES -t nat -A PREROUTING -d 22.22.23.24 -j DNAT --to-destination 192.168.1.20 $IPTABLES -t nat -A OUTPUT -d 22.22.23.24 -j DNAT --to-destination 192.168.1.20 # # Rule 20 (NAT) # echo "Rule 20 (NAT)" # # firewall2-1:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110 # # Rule 21 (NAT) # echo "Rule 21 (NAT)" # # NETMAP $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 22.22.22.0/24 # # Rule 22 (NAT) # 
echo "Rule 22 (NAT)" # # NETMAP $IPTABLES -t nat -A PREROUTING -d 22.22.22.0/24 -j NETMAP --to 192.168.1.0/24 # # Rule 23 (NAT) # echo "Rule 23 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.23.23 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.25.50 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.1.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.2.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.2.40 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 # # Rule 24 (NAT) # echo "Rule 24 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 
22.22.23.23 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.23.23 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.25.50 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.1.10 --dport 80 -j SNAT --to-source 192.168.1.1 # # Rule 25 (NAT) # echo "Rule 25 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.23 --dport 80 -j DNAT --to-destination 192.168.1.10:25 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.23 --dport 80 -j DNAT --to-destination 192.168.1.10:25 # # Rule 26 (NAT) # echo "Rule 26 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 443 -j REDIRECT --to-ports 3128 # # 
Rule 27 (NAT) # echo "Rule 27 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.10-192.168.1.100 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.10-192.168.1.100 # # Rule 28 (NAT) # echo "Rule 28 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.11-192.168.1.15 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.11-192.168.1.15 # # Rule 29 (NAT) # echo "Rule 29 (NAT)" # # transparent proxy rule $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 22.22.22.23 -j DNAT --to-destination 192.168.2.10 # # Rule 31 (NAT) # echo "Rule 31 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080 # # Rule 32 (NAT) # echo "Rule 32 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:8080 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:8080 # # Rule 33 (NAT) # echo "Rule 33 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 34 (NAT) # echo "Rule 34 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s ! 
192.168.1.10 -d 192.168.1.10 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 35 (NAT) # echo "Rule 35 (NAT)" # $IPTABLES -t nat -N Cid31935X1798.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d ! 192.168.1.50 --dport 80 -j Cid31935X1798.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d ! 192.168.1.50 --dport 80 -j Cid31935X1798.0 $IPTABLES -t nat -A Cid31935X1798.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid31935X1798.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid31935X1798.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:3128 # # Rule 36 (NAT) # echo "Rule 36 (NAT)" # $IPTABLES -t nat -N Cid31949X1798.1 $IPTABLES -t nat -A POSTROUTING -o eth0 -j Cid31949X1798.1 $IPTABLES -t nat -A Cid31949X1798.1 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid31949X1798.1 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -N Cid31949X1798.0 $IPTABLES -t nat -A Cid31949X1798.1 -j Cid31949X1798.0 $IPTABLES -t nat -A Cid31949X1798.0 -p tcp -m tcp --dport 80 -j RETURN $IPTABLES -t nat -A Cid31949X1798.0 -j SNAT --to-source 192.168.1.1 # # Rule 37 (NAT) # echo "Rule 37 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.10 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 38 (NAT) # echo "Rule 38 (NAT)" # # this is the "exception" rule # used in support req. originally $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 39 (NAT) # echo "Rule 39 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 40 (NAT) # echo "Rule 40 (NAT)" # # "exception" rule in the pair # from a support req. 
$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 41 (NAT) # echo "Rule 41 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid32019X1798.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid32019X1798.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid32019X1798.0 $IPTABLES -t nat -A Cid32019X1798.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid32019X1798.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid32019X1798.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 42 (NAT) # echo "Rule 42 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid32033X1798.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid32033X1798.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid32033X1798.0 $IPTABLES -t nat -A Cid32033X1798.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid32033X1798.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid32033X1798.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 43 (NAT) # echo "Rule 43 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid32047X1798.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid32047X1798.0 $IPTABLES -t nat -A Cid32047X1798.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid32047X1798.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid32047X1798.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # # Rule 44 (NAT) # echo "Rule 44 (NAT)" # # "exception" rule in the pair # from a support req. 
$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 45 (NAT) # echo "Rule 45 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid32075X1798.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid32075X1798.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid32075X1798.0 $IPTABLES -t nat -A Cid32075X1798.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid32075X1798.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid32075X1798.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:3128 # ================ Table 'filter', rule set Policy # # Rule 0 (eth1) # echo "Rule 0 (eth1)" # # Anti-spoofing rule # firewall2-1:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.25.50 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.2.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.2.40 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.23.23 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.25.50 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.40 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A In_RULE_0 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "Iface: global RULE 0 -- DENY " --ulog-qthreshold 1 $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (eth1) # echo "Rule 1 (eth1)" # # Anti-spoofing rule $IPTABLES -N 
Cid31178X1798.0 $IPTABLES -A OUTPUT -o eth1 -j Cid31178X1798.0 $IPTABLES -A Cid31178X1798.0 -s 22.22.22.22 -j RETURN $IPTABLES -A Cid31178X1798.0 -s 22.22.23.23 -j RETURN $IPTABLES -A Cid31178X1798.0 -s 22.22.25.50 -j RETURN $IPTABLES -A Cid31178X1798.0 -s 192.168.1.1 -j RETURN $IPTABLES -A Cid31178X1798.0 -s 192.168.2.1 -j RETURN $IPTABLES -A Cid31178X1798.0 -s 192.168.2.40 -j RETURN $IPTABLES -N Out_RULE_1_3 $IPTABLES -A Cid31178X1798.0 -j Out_RULE_1_3 $IPTABLES -A Out_RULE_1_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "Iface: global RULE 1 -- DENY " --ulog-qthreshold 1 $IPTABLES -A Out_RULE_1_3 -j DROP $IPTABLES -N Cid31178X1798.1 $IPTABLES -A FORWARD -o eth1 -j Cid31178X1798.1 $IPTABLES -A Cid31178X1798.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid31178X1798.1 -j Out_RULE_1_3 # # Rule 2 (fw2i1,3) # echo "Rule 2 (fw2i1,3)" # # testing group in "interface" # this rule should be identical to rule 3 $IPTABLES -N In_RULE_2 $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --destination-port 68,67 -j In_RULE_2 $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --destination-port 68,67 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --destination-port 68,67 -j In_RULE_2 $IPTABLES -A FORWARD -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --destination-port 68,67 -j In_RULE_2 $IPTABLES -A In_RULE_2 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 2 - DENY **" --ulog-qthreshold 1 $IPTABLES -A In_RULE_2 -j DROP # # Rule 3 (eth1,eth3) # echo "Rule 3 (eth1,eth3)" # $IPTABLES -N In_RULE_3 $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --destination-port 68,67 -j In_RULE_3 $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --destination-port 68,67 -j In_RULE_3 $IPTABLES -A FORWARD -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --destination-port 68,67 -j In_RULE_3 $IPTABLES -A FORWARD -i eth3 
-p udp -m udp -m multiport -s 192.168.1.0/24 --destination-port 68,67 -j In_RULE_3 $IPTABLES -A In_RULE_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 3 - DENY **" --ulog-qthreshold 1 $IPTABLES -A In_RULE_3 -j DROP # # Rule 4 (eth1,eth3) # echo "Rule 4 (eth1,eth3)" # # testing choice of chains in case when several # interfaces are used and rule matches 'any' or # broadcast # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth3 -p udp -m udp -m multiport -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT # # Rule 5 (eth1,eth3) # echo "Rule 5 (eth1,eth3)" # $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT # # Rule 6 (eth1,eth3) # echo "Rule 6 (eth1,eth3)" # $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N Cid31255X1798.0 $IPTABLES -A OUTPUT -j Cid31255X1798.0 $IPTABLES -A INPUT -j Cid31255X1798.0 $IPTABLES -A FORWARD -j Cid31255X1798.0 $IPTABLES -A 
Cid31255X1798.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN $IPTABLES -N RULE_7_3 $IPTABLES -A Cid31255X1798.0 -j RULE_7_3 $IPTABLES -A RULE_7_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 7 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_7_3 -j DROP # # Rule 8 (global) # echo "Rule 8 (global)" # # block fragments $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -p all -f -j RULE_8 $IPTABLES -A INPUT -p all -f -j RULE_8 $IPTABLES -A FORWARD -p all -f -j RULE_8 $IPTABLES -A RULE_8 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 8 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_8 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # # sends TCP RST and makes custom record # in the log $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A FORWARD -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A RULE_9 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "IDENT" --ulog-qthreshold 1 $IPTABLES -A RULE_9 -p tcp -m tcp -j REJECT --reject-with tcp-reset # # Rule 10 (global) # echo "Rule 10 (global)" # # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it # firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. 
$IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1 $IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable # # Rule 11 (global) # echo "Rule 11 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid112778X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid112778X70161.0 $IPTABLES -A Cid112778X70161.0 -d 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid112778X70161.0 -d 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid112778X70161.0 -d 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid112778X70161.0 -d 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid112778X70161.0 -d 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid112778X70161.0 -d 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid112778X70161.0 -d 192.168.1.100 -j ACCEPT $IPTABLES -N Cid112778X70161.1 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid112778X70161.1 $IPTABLES -A Cid112778X70161.1 -d 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid112778X70161.1 -d 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid112778X70161.1 -d 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid112778X70161.1 -d 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid112778X70161.1 -d 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid112778X70161.1 -d 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid112778X70161.1 -d 192.168.1.100 -j ACCEPT $IPTABLES -N Cid112778X70161.2 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid112778X70161.2 $IPTABLES -A Cid112778X70161.2 -d 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid112778X70161.2 -d 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid112778X70161.2 -d 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid112778X70161.2 -d 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid112778X70161.2 -d 192.168.1.64/27 -j ACCEPT $IPTABLES -A 
Cid112778X70161.2 -d 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid112778X70161.2 -d 192.168.1.100 -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid94383X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94383X70161.0 $IPTABLES -A Cid94383X70161.0 -s 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid94383X70161.0 -s 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid94383X70161.0 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid94383X70161.0 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid94383X70161.0 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid94383X70161.0 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid94383X70161.0 -s 192.168.1.100 -j ACCEPT $IPTABLES -N Cid94383X70161.1 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94383X70161.1 $IPTABLES -A Cid94383X70161.1 -s 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid94383X70161.1 -s 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid94383X70161.1 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid94383X70161.1 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid94383X70161.1 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid94383X70161.1 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid94383X70161.1 -s 192.168.1.100 -j ACCEPT $IPTABLES -N Cid94383X70161.2 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid94383X70161.2 $IPTABLES -A Cid94383X70161.2 -s 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid94383X70161.2 -s 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid94383X70161.2 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid94383X70161.2 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid94383X70161.2 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid94383X70161.2 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid94383X70161.2 -s 192.168.1.100 -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid131133X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW 
-j Cid131133X70161.0 $IPTABLES -N Cid131133X70161.1 $IPTABLES -A Cid131133X70161.0 -s 222.222.222.10/31 -j Cid131133X70161.1 $IPTABLES -A Cid131133X70161.0 -s 222.222.222.12/30 -j Cid131133X70161.1 $IPTABLES -A Cid131133X70161.0 -s 222.222.222.16/28 -j Cid131133X70161.1 $IPTABLES -A Cid131133X70161.0 -s 222.222.222.32/27 -j Cid131133X70161.1 $IPTABLES -A Cid131133X70161.0 -s 222.222.222.64/27 -j Cid131133X70161.1 $IPTABLES -A Cid131133X70161.0 -s 222.222.222.96/30 -j Cid131133X70161.1 $IPTABLES -A Cid131133X70161.0 -s 222.222.222.100 -j Cid131133X70161.1 $IPTABLES -A Cid131133X70161.1 -d 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid131133X70161.1 -d 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid131133X70161.1 -d 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid131133X70161.1 -d 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid131133X70161.1 -d 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid131133X70161.1 -d 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid131133X70161.1 -d 192.168.1.100 -j ACCEPT $IPTABLES -N Cid131133X70161.2 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid131133X70161.2 $IPTABLES -N Cid131133X70161.3 $IPTABLES -A Cid131133X70161.2 -s 222.222.222.10/31 -j Cid131133X70161.3 $IPTABLES -A Cid131133X70161.2 -s 222.222.222.12/30 -j Cid131133X70161.3 $IPTABLES -A Cid131133X70161.2 -s 222.222.222.16/28 -j Cid131133X70161.3 $IPTABLES -A Cid131133X70161.2 -s 222.222.222.32/27 -j Cid131133X70161.3 $IPTABLES -A Cid131133X70161.2 -s 222.222.222.64/27 -j Cid131133X70161.3 $IPTABLES -A Cid131133X70161.2 -s 222.222.222.96/30 -j Cid131133X70161.3 $IPTABLES -A Cid131133X70161.2 -s 222.222.222.100 -j Cid131133X70161.3 $IPTABLES -A Cid131133X70161.3 -d 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid131133X70161.3 -d 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid131133X70161.3 -d 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid131133X70161.3 -d 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid131133X70161.3 -d 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid131133X70161.3 -d 192.168.1.96/30 -j ACCEPT 
$IPTABLES -A Cid131133X70161.3 -d 192.168.1.100 -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid131116X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid131116X70161.0 $IPTABLES -N Cid131116X70161.1 $IPTABLES -A Cid131116X70161.0 -s 192.168.1.10/31 -j Cid131116X70161.1 $IPTABLES -A Cid131116X70161.0 -s 192.168.1.12/30 -j Cid131116X70161.1 $IPTABLES -A Cid131116X70161.0 -s 192.168.1.16/28 -j Cid131116X70161.1 $IPTABLES -A Cid131116X70161.0 -s 192.168.1.32/27 -j Cid131116X70161.1 $IPTABLES -A Cid131116X70161.0 -s 192.168.1.64/27 -j Cid131116X70161.1 $IPTABLES -A Cid131116X70161.0 -s 192.168.1.96/30 -j Cid131116X70161.1 $IPTABLES -A Cid131116X70161.0 -s 192.168.1.100 -j Cid131116X70161.1 $IPTABLES -A Cid131116X70161.1 -d 222.222.222.10/31 -j ACCEPT $IPTABLES -A Cid131116X70161.1 -d 222.222.222.12/30 -j ACCEPT $IPTABLES -A Cid131116X70161.1 -d 222.222.222.16/28 -j ACCEPT $IPTABLES -A Cid131116X70161.1 -d 222.222.222.32/27 -j ACCEPT $IPTABLES -A Cid131116X70161.1 -d 222.222.222.64/27 -j ACCEPT $IPTABLES -A Cid131116X70161.1 -d 222.222.222.96/30 -j ACCEPT $IPTABLES -A Cid131116X70161.1 -d 222.222.222.100 -j ACCEPT $IPTABLES -N Cid131116X70161.2 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid131116X70161.2 $IPTABLES -N Cid131116X70161.3 $IPTABLES -A Cid131116X70161.2 -s 192.168.1.10/31 -j Cid131116X70161.3 $IPTABLES -A Cid131116X70161.2 -s 192.168.1.12/30 -j Cid131116X70161.3 $IPTABLES -A Cid131116X70161.2 -s 192.168.1.16/28 -j Cid131116X70161.3 $IPTABLES -A Cid131116X70161.2 -s 192.168.1.32/27 -j Cid131116X70161.3 $IPTABLES -A Cid131116X70161.2 -s 192.168.1.64/27 -j Cid131116X70161.3 $IPTABLES -A Cid131116X70161.2 -s 192.168.1.96/30 -j Cid131116X70161.3 $IPTABLES -A Cid131116X70161.2 -s 192.168.1.100 -j Cid131116X70161.3 $IPTABLES -A Cid131116X70161.3 -d 222.222.222.10/31 -j ACCEPT $IPTABLES -A Cid131116X70161.3 -d 
222.222.222.12/30 -j ACCEPT $IPTABLES -A Cid131116X70161.3 -d 222.222.222.16/28 -j ACCEPT $IPTABLES -A Cid131116X70161.3 -d 222.222.222.32/27 -j ACCEPT $IPTABLES -A Cid131116X70161.3 -d 222.222.222.64/27 -j ACCEPT $IPTABLES -A Cid131116X70161.3 -d 222.222.222.96/30 -j ACCEPT $IPTABLES -A Cid131116X70161.3 -d 222.222.222.100 -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid94366X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94366X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94366X70161.0 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid94366X70161.0 $IPTABLES -A Cid94366X70161.0 -d 192.168.1.10/31 -j RETURN $IPTABLES -A Cid94366X70161.0 -d 192.168.1.12/30 -j RETURN $IPTABLES -A Cid94366X70161.0 -d 192.168.1.16/28 -j RETURN $IPTABLES -A Cid94366X70161.0 -d 192.168.1.32/27 -j RETURN $IPTABLES -A Cid94366X70161.0 -d 192.168.1.64/27 -j RETURN $IPTABLES -A Cid94366X70161.0 -d 192.168.1.96/30 -j RETURN $IPTABLES -A Cid94366X70161.0 -d 192.168.1.100 -j RETURN $IPTABLES -A Cid94366X70161.0 -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid94349X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94349X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94349X70161.0 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid94349X70161.0 $IPTABLES -A Cid94349X70161.0 -s 192.168.1.10/31 -j RETURN $IPTABLES -A Cid94349X70161.0 -s 192.168.1.12/30 -j RETURN $IPTABLES -A Cid94349X70161.0 -s 192.168.1.16/28 -j RETURN $IPTABLES -A Cid94349X70161.0 -s 192.168.1.32/27 -j RETURN $IPTABLES -A Cid94349X70161.0 -s 192.168.1.64/27 -j RETURN $IPTABLES -A Cid94349X70161.0 -s 192.168.1.96/30 -j RETURN $IPTABLES -A Cid94349X70161.0 -s 192.168.1.100 -j RETURN 
$IPTABLES -A Cid94349X70161.0 -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid94331X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94331X70161.0 $IPTABLES -A Cid94331X70161.0 -d 192.168.1.0 -j RETURN $IPTABLES -A Cid94331X70161.0 -j ACCEPT $IPTABLES -N Cid94331X70161.1 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94331X70161.1 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid94331X70161.1 $IPTABLES -A Cid94331X70161.1 -d 192.168.1.10/31 -j RETURN $IPTABLES -A Cid94331X70161.1 -d 192.168.1.12/30 -j RETURN $IPTABLES -A Cid94331X70161.1 -d 192.168.1.16/28 -j RETURN $IPTABLES -A Cid94331X70161.1 -d 192.168.1.32/27 -j RETURN $IPTABLES -A Cid94331X70161.1 -d 192.168.1.64/27 -j RETURN $IPTABLES -A Cid94331X70161.1 -d 192.168.1.96/30 -j RETURN $IPTABLES -A Cid94331X70161.1 -d 192.168.1.100 -j RETURN $IPTABLES -A Cid94331X70161.1 -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid94313X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94313X70161.0 $IPTABLES -A Cid94313X70161.0 -s 192.168.1.0 -j RETURN $IPTABLES -A Cid94313X70161.0 -j ACCEPT $IPTABLES -N Cid94313X70161.1 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94313X70161.1 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid94313X70161.1 $IPTABLES -A Cid94313X70161.1 -s 192.168.1.10/31 -j RETURN $IPTABLES -A Cid94313X70161.1 -s 192.168.1.12/30 -j RETURN $IPTABLES -A Cid94313X70161.1 -s 192.168.1.16/28 -j RETURN $IPTABLES -A Cid94313X70161.1 -s 192.168.1.32/27 -j RETURN $IPTABLES -A Cid94313X70161.1 -s 192.168.1.64/27 -j RETURN $IPTABLES -A Cid94313X70161.1 -s 192.168.1.96/30 -j RETURN $IPTABLES -A Cid94313X70161.1 -s 192.168.1.100 -j RETURN $IPTABLES -A Cid94313X70161.1 -j ACCEPT # # Rule 19 
(global) # echo "Rule 19 (global)" # # using module iprange if # iptables version is >= 1.2.11 # also test for bug #2526173 $IPTABLES -N RULE_19 $IPTABLES -A INPUT -s 0.0.0.0 -j RULE_19 $IPTABLES -A OUTPUT -s 0.0.0.0 -j RULE_19 $IPTABLES -A RULE_19 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 19 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_19 -j DROP # # Rule 20 (global) # echo "Rule 20 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -A INPUT -p udp -m udp -s 192.168.1.1 --dport 161 -m state --state NEW -j ACCEPT $IPTABLES -N Cid80837X35957.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid80837X35957.0 $IPTABLES -A Cid80837X35957.0 -s 192.168.1.2/31 -j ACCEPT $IPTABLES -A Cid80837X35957.0 -s 192.168.1.4/30 -j ACCEPT $IPTABLES -A Cid80837X35957.0 -s 192.168.1.8/29 -j ACCEPT $IPTABLES -A Cid80837X35957.0 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid80837X35957.0 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid80837X35957.0 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid80837X35957.0 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid80837X35957.0 -s 192.168.1.100 -j ACCEPT $IPTABLES -A OUTPUT -p udp -m udp -s 192.168.1.1 --dport 161 -m state --state NEW -j ACCEPT $IPTABLES -N Cid80837X35957.1 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid80837X35957.1 $IPTABLES -A Cid80837X35957.1 -s 192.168.1.2/31 -j ACCEPT $IPTABLES -A Cid80837X35957.1 -s 192.168.1.4/30 -j ACCEPT $IPTABLES -A Cid80837X35957.1 -s 192.168.1.8/29 -j ACCEPT $IPTABLES -A Cid80837X35957.1 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid80837X35957.1 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid80837X35957.1 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid80837X35957.1 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid80837X35957.1 -s 192.168.1.100 -j ACCEPT $IPTABLES -N Cid80837X35957.2 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid80837X35957.2 $IPTABLES -A Cid80837X35957.2 -s 
192.168.1.2/31 -j ACCEPT $IPTABLES -A Cid80837X35957.2 -s 192.168.1.4/30 -j ACCEPT $IPTABLES -A Cid80837X35957.2 -s 192.168.1.8/29 -j ACCEPT $IPTABLES -A Cid80837X35957.2 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid80837X35957.2 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid80837X35957.2 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid80837X35957.2 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid80837X35957.2 -s 192.168.1.100 -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -N Cid31303X1798.0 $IPTABLES -A INPUT -p icmp -s 192.168.2.0/24 -m state --state NEW -j Cid31303X1798.0 $IPTABLES -N RULE_21 $IPTABLES -A Cid31303X1798.0 -d 192.168.2.1 -j RULE_21 $IPTABLES -A Cid31303X1798.0 -d 192.168.2.40 -j RULE_21 $IPTABLES -A RULE_21 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 21 - ACCEPT **" --ulog-qthreshold 1 $IPTABLES -A RULE_21 -j ACCEPT # # Rule 22 (global) # echo "Rule 22 (global)" # $IPTABLES -N Cid31315X1798.0 $IPTABLES -A FORWARD -d 211.11.11.11 -m state --state NEW -j Cid31315X1798.0 $IPTABLES -A Cid31315X1798.0 -s 192.168.1.10 -j ACCEPT $IPTABLES -A Cid31315X1798.0 -s 192.168.1.20 -j ACCEPT # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -N Cid31328X1798.0 $IPTABLES -A FORWARD -s 211.11.11.11 -m state --state NEW -j Cid31328X1798.0 $IPTABLES -A Cid31328X1798.0 -d 192.168.1.10 -j ACCEPT $IPTABLES -A Cid31328X1798.0 -d 192.168.1.20 -j ACCEPT # # Rule 24 (global) # echo "Rule 24 (global)" # $IPTABLES -N Cid31341X1798.0 $IPTABLES -A OUTPUT -p tcp -m tcp -j Cid31341X1798.0 $IPTABLES -A INPUT -p tcp -m tcp -j Cid31341X1798.0 $IPTABLES -A FORWARD -p tcp -m tcp -j Cid31341X1798.0 $IPTABLES -A Cid31341X1798.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid31341X1798.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid31341X1798.0 -p tcp -m tcp -j REJECT --reject-with tcp-reset $IPTABLES -N Cid31341X1798.1 $IPTABLES -A OUTPUT -j Cid31341X1798.1 $IPTABLES -A INPUT -j Cid31341X1798.1 $IPTABLES -A FORWARD -j Cid31341X1798.1 
$IPTABLES -A Cid31341X1798.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid31341X1798.1 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid31341X1798.1 -j REJECT --reject-with icmp-net-unreachable # # Rule 25 (global) # echo "Rule 25 (global)" # # firewall2-1:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.2.0/24 -m state --state NEW -j ACCEPT # # Rule 26 (global) # echo "Rule 26 (global)" # $IPTABLES -N RULE_26 $IPTABLES -A INPUT -s 192.168.1.0/24 -j RULE_26 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j RULE_26 $IPTABLES -A FORWARD -s 192.168.1.0/24 -j RULE_26 $IPTABLES -A RULE_26 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 26 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_26 -j DROP # # Rule 27 (global) # echo "Rule 27 (global)" # # host-fw2 has the same address as # one of the firewall's interfaces $IPTABLES -N RULE_27 $IPTABLES -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 21 -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j RULE_27 $IPTABLES -A INPUT -p tcp -m tcp -d 22.22.22.22 --dport 21 -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j RULE_27 $IPTABLES -A RULE_27 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 27 - ACCEPT **" --ulog-qthreshold 1 $IPTABLES -A RULE_27 -j ACCEPT # # Rule 28 (global) # echo "Rule 28 (global)" # $IPTABLES -N Cid31391X1798.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -j Cid31391X1798.0 $IPTABLES -N RULE_28 $IPTABLES -A Cid31391X1798.0 -d 22.22.22.22 -j RULE_28 $IPTABLES -A Cid31391X1798.0 -d 22.22.23.23 -j RULE_28 $IPTABLES -A 
Cid31391X1798.0 -d 22.22.25.50 -j RULE_28 $IPTABLES -A Cid31391X1798.0 -d 192.168.1.1 -j RULE_28 $IPTABLES -A Cid31391X1798.0 -d 192.168.2.1 -j RULE_28 $IPTABLES -A Cid31391X1798.0 -d 192.168.2.40 -j RULE_28 $IPTABLES -N Cid31391X1798.1 $IPTABLES -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j Cid31391X1798.1 $IPTABLES -A Cid31391X1798.1 -d 22.22.22.22 -j RULE_28 $IPTABLES -A Cid31391X1798.1 -d 22.22.23.23 -j RULE_28 $IPTABLES -A Cid31391X1798.1 -d 22.22.25.50 -j RULE_28 $IPTABLES -A Cid31391X1798.1 -d 192.168.1.1 -j RULE_28 $IPTABLES -A Cid31391X1798.1 -d 192.168.2.1 -j RULE_28 $IPTABLES -A Cid31391X1798.1 -d 192.168.2.40 -j RULE_28 $IPTABLES -A RULE_28 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 28 - ACCEPT **" --ulog-qthreshold 1 $IPTABLES -A RULE_28 -j ACCEPT # # Rule 29 (global) # echo "Rule 29 (global)" # # 'catch all' rule $IPTABLES -N RULE_29 $IPTABLES -A OUTPUT -j RULE_29 $IPTABLES -A INPUT -j RULE_29 $IPTABLES -A FORWARD -j RULE_29 $IPTABLES -A RULE_29 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 29 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_29 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:21 2012 by vadim" check_tools check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all prolog_commands script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall2-2.fw.orig000077500000000000000000001737231303637203600206320ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:23 2012 PDT by vadim # # files: * firewall2-2.fw /etc/fw/firewall2-2.fw # # Compiled for iptables 1.4.0 # # another copy of firewall2 but new iptables version # firewall2-2:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range) # firewall2-2:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it # firewall2-2:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # 
firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it # firewall2-2:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it # firewall2-2:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-2:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-2:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. 
# firewall2-2:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-2:Policy:: warning: Log prefix has been truncated to 29 characters FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }

    # "add": an address containing ':' is treated as IPv6 and added as-is;
    # anything else is IPv4 and gets "broadcast +" (broadcast derived from
    # the prefix). $FWBDEBUG is empty in a normal run; when set (test mode,
    # see update_addresses_of_interface) it prefixes each command, presumably
    # so the command is printed instead of executed.
    # NOTE(review): unlike "del" below, a failed "add" does not abort the
    # script.
    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        echo $addr | grep -q ':' && {
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        } || {
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        }
    }

    # "del": a failed removal aborts the whole script (exit 1).
    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }

    # The interface is brought up after either operation.
    $FWBDEBUG $IP link set $interface up
}

#######################################
# Print "addr/prefix@interface" for every inet/inet6 address currently
# present on an interface whose `ip addr` line matches a scope regex,
# one per line, sorted.
# Arguments: $1 - interface name
#            $2 - awk regex matched against the whole address line,
#                 e.g. 'scope global' or 'scope .*'
#            $3 - whitespace-separated list of addr/prefix entries to skip
# Outputs:   addr/prefix@interface lines on stdout
#######################################
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    # awk keeps lines starting with "inet "/"inet6 " that match SCOPE and
    # whose address (field 2) is not in the ignore list; field 2 is printed.
    $IP addr ls dev $interface | \
    awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
    'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
    while read addr; do
        echo "${addr}@$interface"
    done | sort
}

#######################################
# Reconcile the addresses of one interface with the fwbuilder model.
# Arguments: $1 - one string: "<interface> <addr/prefix> [<addr/prefix> ...]"
#                 (word-split with `set $1`; the first word is the interface)
#            $2 - ignore list handed to list_addresses_by_scope
# Behaviour: addresses in the model that are missing on the interface (any
#            scope) are added; global-scope addresses on the interface that
#            are not in the model are deleted. diff_intf (defined earlier in
#            the script, outside this view) is expected to call
#            missing_address with <add|del> for each entry of its first list
#            that is absent from the second — confirm against its definition.
#            If the interface does not exist the script stops (exit 1)
#            unless FWBDEBUG is set (test mode).
# NOTE(review): the "del" pass removes every global-scope address that is
# neither in the model nor in the ignore list. An address used for remote
# management must be in one of the two or it will be removed.
#######################################
update_addresses_of_interface() {
    ignore_list=$2
    # Split "<interface> <addr> ..." into positional parameters.
    set $1
    interface=$1
    shift
    # Wanted set, as addr@interface, sorted like list_addresses_by_scope output.
    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    $IP link show dev $interface >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    }
    # Add what the model wants but the interface lacks (any scope) ...
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    # ... and delete global-scope addresses the model does not know about.
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

#######################################
# Flush global-scope addresses from, and bring down, every interface that
# is NOT named in the arguments.
# Arguments: $* - interface names to leave alone
# Details:   `ip link show` output has its ':' stripped so the interface
#            name is awk field 2; only lines containing "state" are
#            considered.
# NOTE(review): this is the most invasive step in the script — any
# interface absent from the argument list, including the one carrying the
# management session, is taken down. The caller must pass the full list.
#######################################
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
    'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
    while read intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev $intf scope global
        $FWBDEBUG $IP link set $intf down
    done
}

# Abort the script if a file referenced by an address table object is not
# readable.
# Arguments: $1 - address table object name (used in the message)
#            $2 - path to the file
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# No-op placeholder: this configuration references no run-time address
# table files.
check_run_time_address_table_files() {
    :
}

# No-op placeholder: no kernel modules are loaded by this script.
load_modules() {
    :
}

# No-op placeholder: interface verification is not performed here.
verify_interfaces() {
    :
}

# Prolog hook: only announces itself in this configuration.
prolog_commands() {
    echo "Running prolog script"
}

# Epilog hook: only announces itself in this configuration.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog and terminate the script.
# Arguments: $1 - exit status
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Apply the interface address model: one update_addresses_of_interface call
# per interface. The second argument (ignore list) is empty for every
# interface here, so nothing is exempt from the add/delete reconciliation.
# eth1 gets a /24 plus one /32 per host address 22.22.22.0-254, presumably
# for the NAT rules later in script_body that translate to 22.22.22.0/24 —
# confirm against the NAT rule set.
configure_interfaces() {
    :
    # Configure interfaces
    # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689
    # this ensures that secondary ip address is "promoted" to primary
    # when primary address is deleted, instead of deleting both
    # primary and secondary addresses. It looks like this is only
    # available starting from Linux 2.6.16
    test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \
        echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries

    update_addresses_of_interface "eth0 192.168.1.1/24 192.168.1.10/24 192.168.1.50/24" ""
    update_addresses_of_interface "eth1 22.22.22.22/24 22.22.22.23/24 22.22.22.24/24 22.22.22.25/24 22.22.22.0/32 22.22.22.1/32 22.22.22.2/32 22.22.22.3/32 22.22.22.4/32 22.22.22.5/32 22.22.22.6/32 22.22.22.7/32 22.22.22.8/32 22.22.22.9/32 22.22.22.10/32 22.22.22.11/32 22.22.22.12/32 22.22.22.13/32 22.22.22.14/32 22.22.22.15/32 22.22.22.16/32 22.22.22.17/32 22.22.22.18/32 22.22.22.19/32 22.22.22.20/32 22.22.22.21/32 22.22.22.22/32 22.22.22.23/32 22.22.22.24/32 22.22.22.25/32 22.22.22.26/32 22.22.22.27/32 22.22.22.28/32 22.22.22.29/32 22.22.22.30/32 22.22.22.31/32 22.22.22.32/32 22.22.22.33/32 22.22.22.34/32 22.22.22.35/32 22.22.22.36/32 22.22.22.37/32 22.22.22.38/32 22.22.22.39/32 22.22.22.40/32 22.22.22.41/32 22.22.22.42/32 22.22.22.43/32 22.22.22.44/32 22.22.22.45/32 22.22.22.46/32 22.22.22.47/32 22.22.22.48/32 22.22.22.49/32 22.22.22.50/32 22.22.22.51/32 22.22.22.52/32 22.22.22.53/32 22.22.22.54/32 22.22.22.55/32 22.22.22.56/32 22.22.22.57/32 22.22.22.58/32 22.22.22.59/32 22.22.22.60/32 22.22.22.61/32 22.22.22.62/32 22.22.22.63/32 22.22.22.64/32 22.22.22.65/32 22.22.22.66/32 22.22.22.67/32 22.22.22.68/32 22.22.22.69/32 22.22.22.70/32 22.22.22.71/32 22.22.22.72/32 22.22.22.73/32 22.22.22.74/32 22.22.22.75/32 22.22.22.76/32 22.22.22.77/32 22.22.22.78/32 22.22.22.79/32 22.22.22.80/32 22.22.22.81/32 22.22.22.82/32 22.22.22.83/32 22.22.22.84/32 22.22.22.85/32 22.22.22.86/32 22.22.22.87/32 22.22.22.88/32 22.22.22.89/32 22.22.22.90/32 22.22.22.91/32 22.22.22.92/32 22.22.22.93/32 22.22.22.94/32 22.22.22.95/32 22.22.22.96/32 22.22.22.97/32 22.22.22.98/32 22.22.22.99/32 22.22.22.100/32 22.22.22.101/32 22.22.22.102/32 22.22.22.103/32 22.22.22.104/32 22.22.22.105/32 22.22.22.106/32 22.22.22.107/32 22.22.22.108/32 22.22.22.109/32 22.22.22.110/32 22.22.22.111/32 22.22.22.112/32 22.22.22.113/32 22.22.22.114/32 22.22.22.115/32 22.22.22.116/32 22.22.22.117/32 22.22.22.118/32 22.22.22.119/32 22.22.22.120/32 22.22.22.121/32 22.22.22.122/32 22.22.22.123/32 22.22.22.124/32 22.22.22.125/32 22.22.22.126/32 22.22.22.127/32 22.22.22.128/32 22.22.22.129/32 22.22.22.130/32 22.22.22.131/32 22.22.22.132/32 22.22.22.133/32 22.22.22.134/32 22.22.22.135/32 22.22.22.136/32 22.22.22.137/32 22.22.22.138/32 22.22.22.139/32 22.22.22.140/32 22.22.22.141/32 22.22.22.142/32 22.22.22.143/32 22.22.22.144/32 22.22.22.145/32 22.22.22.146/32 22.22.22.147/32 22.22.22.148/32 22.22.22.149/32 22.22.22.150/32 22.22.22.151/32 22.22.22.152/32 22.22.22.153/32 22.22.22.154/32 22.22.22.155/32 22.22.22.156/32 22.22.22.157/32 22.22.22.158/32 22.22.22.159/32 22.22.22.160/32 22.22.22.161/32 22.22.22.162/32 22.22.22.163/32 22.22.22.164/32 22.22.22.165/32 22.22.22.166/32 22.22.22.167/32 22.22.22.168/32 22.22.22.169/32 22.22.22.170/32 22.22.22.171/32 22.22.22.172/32 22.22.22.173/32 22.22.22.174/32 22.22.22.175/32 22.22.22.176/32 22.22.22.177/32 22.22.22.178/32 22.22.22.179/32 22.22.22.180/32 22.22.22.181/32 22.22.22.182/32 22.22.22.183/32 22.22.22.184/32 22.22.22.185/32 22.22.22.186/32 22.22.22.187/32 22.22.22.188/32 22.22.22.189/32 22.22.22.190/32 22.22.22.191/32 22.22.22.192/32 22.22.22.193/32 22.22.22.194/32 22.22.22.195/32 22.22.22.196/32 22.22.22.197/32 22.22.22.198/32 22.22.22.199/32 22.22.22.200/32 22.22.22.201/32 22.22.22.202/32 22.22.22.203/32 22.22.22.204/32 22.22.22.205/32 22.22.22.206/32 22.22.22.207/32 22.22.22.208/32 22.22.22.209/32 22.22.22.210/32 22.22.22.211/32 22.22.22.212/32 22.22.22.213/32 22.22.22.214/32 22.22.22.215/32 22.22.22.216/32 22.22.22.217/32 22.22.22.218/32 22.22.22.219/32 22.22.22.220/32 22.22.22.221/32 22.22.22.222/32 22.22.22.223/32 22.22.22.224/32 22.22.22.225/32 22.22.22.226/32 22.22.22.227/32 22.22.22.228/32 22.22.22.229/32 22.22.22.230/32 22.22.22.231/32 22.22.22.232/32 22.22.22.233/32 22.22.22.234/32 22.22.22.235/32 22.22.22.236/32 22.22.22.237/32 22.22.22.238/32 22.22.22.239/32 22.22.22.240/32 22.22.22.241/32 22.22.22.242/32 22.22.22.243/32 22.22.22.244/32 22.22.22.245/32 22.22.22.246/32 22.22.22.247/32 22.22.22.248/32 22.22.22.249/32 22.22.22.250/32 22.22.22.251/32 22.22.22.252/32 22.22.22.253/32 22.22.22.254/32" ""
    update_addresses_of_interface "eth3 22.22.23.23/24 22.22.25.50/24 22.22.23.24/24" ""
    update_addresses_of_interface "eth2 192.168.2.1/24 192.168.2.40/24" ""
    # lo is reconciled too; presumably safe because only global-scope
    # addresses are ever deleted — confirm against `ip addr` output on the
    # target.
    update_addresses_of_interface "lo 127.0.0.1/8" ""
}

# Main body of the generated firewall script: kernel sysctl hardening first,
# then the iptables rule sets (the automatic rules start here; the NAT and
# Policy sections follow further below, outside this excerpt).
script_body() {
    # Network hardening sysctls; the names describe the effect: reverse-path
    # filtering on, source-routed packets and ICMP redirects rejected,
    # martians logged, all ICMP echo requests ignored (the firewall itself
    # will not answer ping), bogus ICMP error responses ignored, and the TCP
    # FIN timeout / keepalive interval tuned.
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

    # NOTE(review): the rule sets below use the ULOG logging target and the
    # "-d ! addr" / "-s ! addr" negation form. Both are legacy iptables
    # syntax (ULOG has since been superseded by NFLOG; negation is now
    # written "! -d addr") — verify that the target's iptables and kernel
    # still accept them before deploying this script.

    # ================ IPv4

    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # drop TCP sessions opened prior firewall restart
    $IPTABLES -A INPUT -p
tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 
192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A 
POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.40 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 
192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 $IPTABLES -t 
nat -A POSTROUTING -o eth1 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.24 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.25 # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -d 192.168.1.10 -j SNAT --to-source 192.168.1.1 # # Rule 9 (NAT) # echo "Rule 9 (NAT)" # $IPTABLES -t nat -N Cid32503X1798.0 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.10 -j Cid32503X1798.0 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.11 -j Cid32503X1798.0 $IPTABLES -t nat -A Cid32503X1798.0 -s 22.22.22.22 -j ACCEPT $IPTABLES -t nat -A Cid32503X1798.0 -s 22.22.23.23 -j ACCEPT $IPTABLES -t nat -A Cid32503X1798.0 -s 22.22.25.50 -j ACCEPT $IPTABLES -t nat -A Cid32503X1798.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -t 
nat -A Cid32503X1798.0 -s 192.168.2.1 -j ACCEPT $IPTABLES -t nat -A Cid32503X1798.0 -s 192.168.2.40 -j ACCEPT $IPTABLES -t nat -A OUTPUT -d 192.168.2.10 -j ACCEPT $IPTABLES -t nat -A OUTPUT -d 192.168.2.11 -j ACCEPT $IPTABLES -t nat -N Cid32503X1798.1 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.10 -j Cid32503X1798.1 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.11 -j Cid32503X1798.1 $IPTABLES -t nat -A Cid32503X1798.1 -s 192.168.1.10 -j ACCEPT $IPTABLES -t nat -A Cid32503X1798.1 -s 192.168.1.20 -j ACCEPT $IPTABLES -t nat -N Cid32503X1798.2 $IPTABLES -t nat -A PREROUTING -d 192.168.2.10 -j Cid32503X1798.2 $IPTABLES -t nat -A PREROUTING -d 192.168.2.11 -j Cid32503X1798.2 $IPTABLES -t nat -A Cid32503X1798.2 -s 192.168.1.10 -j ACCEPT $IPTABLES -t nat -A Cid32503X1798.2 -s 192.168.1.20 -j ACCEPT # # Rule 10 (NAT) # echo "Rule 10 (NAT)" # $IPTABLES -t nat -N Cid32521X1798.0 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.10 -j Cid32521X1798.0 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.20 -j Cid32521X1798.0 $IPTABLES -t nat -A PREROUTING -s 192.168.1.10 -j Cid32521X1798.0 $IPTABLES -t nat -A PREROUTING -s 192.168.1.20 -j Cid32521X1798.0 $IPTABLES -t nat -A Cid32521X1798.0 -d 192.168.2.10 -j RETURN $IPTABLES -t nat -A Cid32521X1798.0 -d 192.168.2.11 -j RETURN $IPTABLES -t nat -A Cid32521X1798.0 -j ACCEPT # # Rule 11 (NAT) # echo "Rule 11 (NAT)" # $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p 50 -d 
22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p 88 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p 50 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p 88 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 # # Rule 12 (NAT) # echo "Rule 12 (NAT)" # $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 13 (NAT) # echo "Rule 13 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -s 22.22.23.23 -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -s 22.22.25.50 -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 14 (NAT) # echo "Rule 14 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat 
-A PREROUTING -p tcp -m tcp -m multiport -s 200.200.200.200 -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 16 (NAT) # echo "Rule 16 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.24 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.25 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.24 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.25 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 17 (NAT) # echo "Rule 17 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 119 -j DNAT --to-destination 192.168.1.10 # # Rule 18 (NAT) # echo "Rule 18 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.20 -j SNAT --to-source 22.22.23.24 # # Rule 19 (NAT) # echo "Rule 19 (NAT)" # $IPTABLES -t nat -A PREROUTING -d 22.22.23.24 -j DNAT --to-destination 192.168.1.20 $IPTABLES -t nat -A OUTPUT -d 22.22.23.24 -j DNAT --to-destination 192.168.1.20 # # Rule 20 (NAT) # echo "Rule 20 (NAT)" # # firewall2-2:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110 # # Rule 21 (NAT) # echo "Rule 21 (NAT)" # # NETMAP $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 22.22.22.0/24 # # Rule 22 (NAT) # echo "Rule 22 (NAT)" # # NETMAP $IPTABLES -t nat -A PREROUTING -d 
22.22.22.0/24 -j NETMAP --to 192.168.1.0/24 # # Rule 23 (NAT) # echo "Rule 23 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.23.23 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.25.50 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.1.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.2.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.2.40 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 # # Rule 24 (NAT) # echo "Rule 24 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 80 -j DNAT --to-destination 192.168.1.10 
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.23.23 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.25.50 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.1.10 --dport 80 -j SNAT --to-source 192.168.1.1 # # Rule 25 (NAT) # echo "Rule 25 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.23 --dport 80 -j DNAT --to-destination 192.168.1.10:25 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.23 --dport 80 -j DNAT --to-destination 192.168.1.10:25 # # Rule 26 (NAT) # echo "Rule 26 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 443 -j REDIRECT --to-ports 3128 # # Rule 27 (NAT) # echo "Rule 27 (NAT)" # $IPTABLES -t nat -A 
PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.10-192.168.1.100 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.10-192.168.1.100 # # Rule 28 (NAT) # echo "Rule 28 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.11-192.168.1.15 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.11-192.168.1.15 # # Rule 29 (NAT) # echo "Rule 29 (NAT)" # # transparent proxy rule $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 22.22.22.23 -j DNAT --to-destination 192.168.2.10 # # Rule 31 (NAT) # echo "Rule 31 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080 # # Rule 32 (NAT) # echo "Rule 32 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:8080 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:8080 # # Rule 33 (NAT) # echo "Rule 33 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 34 (NAT) # echo "Rule 34 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s ! 192.168.1.10 -d 192.168.1.10 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 35 (NAT) # echo "Rule 35 (NAT)" # $IPTABLES -t nat -N Cid32891X1798.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d ! 
192.168.1.50 --dport 80 -j Cid32891X1798.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d ! 192.168.1.50 --dport 80 -j Cid32891X1798.0 $IPTABLES -t nat -A Cid32891X1798.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid32891X1798.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid32891X1798.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:3128 # # Rule 36 (NAT) # echo "Rule 36 (NAT)" # $IPTABLES -t nat -N Cid32905X1798.1 $IPTABLES -t nat -A POSTROUTING -o eth0 -j Cid32905X1798.1 $IPTABLES -t nat -A Cid32905X1798.1 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid32905X1798.1 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -N Cid32905X1798.0 $IPTABLES -t nat -A Cid32905X1798.1 -j Cid32905X1798.0 $IPTABLES -t nat -A Cid32905X1798.0 -p tcp -m tcp --dport 80 -j RETURN $IPTABLES -t nat -A Cid32905X1798.0 -j SNAT --to-source 192.168.1.1 # # Rule 37 (NAT) # echo "Rule 37 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.10 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 38 (NAT) # echo "Rule 38 (NAT)" # # this is the "exception" rule # used in support req. originally $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 39 (NAT) # echo "Rule 39 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 40 (NAT) # echo "Rule 40 (NAT)" # # "exception" rule in the pair # from a support req. 
$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 41 (NAT) # echo "Rule 41 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid32975X1798.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid32975X1798.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid32975X1798.0 $IPTABLES -t nat -A Cid32975X1798.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid32975X1798.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid32975X1798.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 42 (NAT) # echo "Rule 42 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid32989X1798.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid32989X1798.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid32989X1798.0 $IPTABLES -t nat -A Cid32989X1798.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid32989X1798.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid32989X1798.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 43 (NAT) # echo "Rule 43 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid33003X1798.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid33003X1798.0 $IPTABLES -t nat -A Cid33003X1798.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid33003X1798.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid33003X1798.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # # Rule 44 (NAT) # echo "Rule 44 (NAT)" # # "exception" rule in the pair # from a support req. 
$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 45 (NAT) # echo "Rule 45 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid33031X1798.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid33031X1798.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid33031X1798.0 $IPTABLES -t nat -A Cid33031X1798.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid33031X1798.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid33031X1798.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:3128 # ================ Table 'filter', rule set Policy # # Rule 0 (eth1) # echo "Rule 0 (eth1)" # # Anti-spoofing rule # firewall2-2:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.25.50 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.2.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.2.40 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.23.23 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.25.50 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.40 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A In_RULE_0 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "Iface: global RULE 0 -- DENY " --ulog-qthreshold 1 $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (eth1) # echo "Rule 1 (eth1)" # # Anti-spoofing rule $IPTABLES -N 
Cid32134X1798.0 $IPTABLES -A OUTPUT -o eth1 -j Cid32134X1798.0 $IPTABLES -A Cid32134X1798.0 -s 22.22.22.22 -j RETURN $IPTABLES -A Cid32134X1798.0 -s 22.22.23.23 -j RETURN $IPTABLES -A Cid32134X1798.0 -s 22.22.25.50 -j RETURN $IPTABLES -A Cid32134X1798.0 -s 192.168.1.1 -j RETURN $IPTABLES -A Cid32134X1798.0 -s 192.168.2.1 -j RETURN $IPTABLES -A Cid32134X1798.0 -s 192.168.2.40 -j RETURN $IPTABLES -N Out_RULE_1_3 $IPTABLES -A Cid32134X1798.0 -j Out_RULE_1_3 $IPTABLES -A Out_RULE_1_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "Iface: global RULE 1 -- DENY " --ulog-qthreshold 1 $IPTABLES -A Out_RULE_1_3 -j DROP $IPTABLES -N Cid32134X1798.1 $IPTABLES -A FORWARD -o eth1 -j Cid32134X1798.1 $IPTABLES -A Cid32134X1798.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid32134X1798.1 -j Out_RULE_1_3 # # Rule 2 (fw2i1,3) # echo "Rule 2 (fw2i1,3)" # # testing group in "interface" # this rule should be identical to rule 3 $IPTABLES -N In_RULE_2 $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A FORWARD -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A In_RULE_2 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 2 - DENY **" --ulog-qthreshold 1 $IPTABLES -A In_RULE_2 -j DROP # # Rule 3 (eth1,eth3) # echo "Rule 3 (eth1,eth3)" # $IPTABLES -N In_RULE_3 $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A FORWARD -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A FORWARD -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j 
In_RULE_3 $IPTABLES -A In_RULE_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 3 - DENY **" --ulog-qthreshold 1 $IPTABLES -A In_RULE_3 -j DROP # # Rule 4 (eth1,eth3) # echo "Rule 4 (eth1,eth3)" # # testing choice of chains in case when several # interfaces are used and rule matches 'any' or # broadcast # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth3 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 5 (eth1,eth3) # echo "Rule 5 (eth1,eth3)" # $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 6 (eth1,eth3) # echo "Rule 6 (eth1,eth3)" # $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N Cid32211X1798.0 $IPTABLES -A OUTPUT -j Cid32211X1798.0 $IPTABLES -A INPUT -j Cid32211X1798.0 $IPTABLES -A FORWARD -j Cid32211X1798.0 $IPTABLES -A Cid32211X1798.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN $IPTABLES -N RULE_7_3 $IPTABLES -A Cid32211X1798.0 -j RULE_7_3 $IPTABLES -A RULE_7_3 -m limit 
--limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 7 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_7_3 -j DROP # # Rule 8 (global) # echo "Rule 8 (global)" # # block fragments $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -p all -f -j RULE_8 $IPTABLES -A INPUT -p all -f -j RULE_8 $IPTABLES -A FORWARD -p all -f -j RULE_8 $IPTABLES -A RULE_8 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 8 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_8 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # # sends TCP RST and makes custom record # in the log $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A FORWARD -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A RULE_9 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "IDENT" --ulog-qthreshold 1 $IPTABLES -A RULE_9 -p tcp -m tcp -j REJECT --reject-with tcp-reset # # Rule 10 (global) # echo "Rule 10 (global)" # # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it # firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. 
$IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1 $IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable # # Rule 11 (global) # echo "Rule 11 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -A OUTPUT -p udp -m udp -m iprange --dst-range 192.168.1.10-192.168.1.100 --dport 161 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -m iprange --dst-range 192.168.1.10-192.168.1.100 --dport 161 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -A INPUT -p udp -m udp -m iprange --src-range 192.168.1.10-192.168.1.100 --dport 161 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -m iprange --src-range 192.168.1.10-192.168.1.100 --dport 161 -m state --state NEW -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -A FORWARD -p udp -m udp -m iprange --src-range 222.222.222.10-222.222.222.100 --dst-range 192.168.1.10-192.168.1.100 --dport 161 -m state --state NEW -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -A FORWARD -p udp -m udp -m iprange --src-range 192.168.1.10-192.168.1.100 --dst-range 222.222.222.10-222.222.222.100 --dport 161 -m state --state NEW -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid94453X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94453X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94453X70161.0 $IPTABLES -A FORWARD -p 
udp -m udp --dport 161 -m state --state NEW -j Cid94453X70161.0 $IPTABLES -A Cid94453X70161.0 -m iprange --dst-range 192.168.1.10-192.168.1.100 -j RETURN $IPTABLES -A Cid94453X70161.0 -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid94436X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94436X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94436X70161.0 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid94436X70161.0 $IPTABLES -A Cid94436X70161.0 -m iprange --src-range 192.168.1.10-192.168.1.100 -j RETURN $IPTABLES -A Cid94436X70161.0 -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid94418X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94418X70161.0 $IPTABLES -A Cid94418X70161.0 -d 192.168.1.0 -j RETURN $IPTABLES -A Cid94418X70161.0 -j ACCEPT $IPTABLES -N Cid94418X70161.1 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94418X70161.1 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid94418X70161.1 $IPTABLES -A Cid94418X70161.1 -m iprange --dst-range 192.168.1.10-192.168.1.100 -j RETURN $IPTABLES -A Cid94418X70161.1 -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid94400X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94400X70161.0 $IPTABLES -A Cid94400X70161.0 -s 192.168.1.0 -j RETURN $IPTABLES -A Cid94400X70161.0 -j ACCEPT $IPTABLES -N Cid94400X70161.1 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid94400X70161.1 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid94400X70161.1 $IPTABLES -A Cid94400X70161.1 -m iprange --src-range 192.168.1.10-192.168.1.100 -j RETURN $IPTABLES 
-A Cid94400X70161.1 -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # # using module iprange if # iptables version is >= 1.2.11 # also test for bug #2526173 $IPTABLES -N RULE_19 $IPTABLES -A INPUT -s 0.0.0.0 -j RULE_19 $IPTABLES -A OUTPUT -s 0.0.0.0 -j RULE_19 $IPTABLES -A RULE_19 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 19 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_19 -j DROP # # Rule 20 (global) # echo "Rule 20 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -A INPUT -p udp -m udp -m iprange --src-range 192.168.1.1-192.168.1.100 --dport 161 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p udp -m udp -m iprange --src-range 192.168.1.1-192.168.1.100 --dport 161 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -m iprange --src-range 192.168.1.1-192.168.1.100 --dport 161 -m state --state NEW -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -N Cid32259X1798.0 $IPTABLES -A INPUT -p icmp -m icmp -s 192.168.2.0/24 --icmp-type any -m state --state NEW -j Cid32259X1798.0 $IPTABLES -N RULE_21 $IPTABLES -A Cid32259X1798.0 -d 192.168.2.1 -j RULE_21 $IPTABLES -A Cid32259X1798.0 -d 192.168.2.40 -j RULE_21 $IPTABLES -A RULE_21 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 21 - ACCEPT **" --ulog-qthreshold 1 $IPTABLES -A RULE_21 -j ACCEPT # # Rule 22 (global) # echo "Rule 22 (global)" # $IPTABLES -N Cid32271X1798.0 $IPTABLES -A FORWARD -d 211.11.11.11 -m state --state NEW -j Cid32271X1798.0 $IPTABLES -A Cid32271X1798.0 -s 192.168.1.10 -j ACCEPT $IPTABLES -A Cid32271X1798.0 -s 192.168.1.20 -j ACCEPT # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -N Cid32284X1798.0 $IPTABLES -A FORWARD -s 211.11.11.11 -m state --state NEW -j Cid32284X1798.0 $IPTABLES -A Cid32284X1798.0 -d 192.168.1.10 -j ACCEPT $IPTABLES -A Cid32284X1798.0 -d 192.168.1.20 -j ACCEPT # # Rule 24 (global) # echo "Rule 24 (global)" # $IPTABLES -N Cid32297X1798.0 
$IPTABLES -A OUTPUT -p tcp -m tcp -j Cid32297X1798.0 $IPTABLES -A INPUT -p tcp -m tcp -j Cid32297X1798.0 $IPTABLES -A FORWARD -p tcp -m tcp -j Cid32297X1798.0 $IPTABLES -A Cid32297X1798.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid32297X1798.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid32297X1798.0 -p tcp -m tcp -j REJECT --reject-with tcp-reset $IPTABLES -N Cid32297X1798.1 $IPTABLES -A OUTPUT -j Cid32297X1798.1 $IPTABLES -A INPUT -j Cid32297X1798.1 $IPTABLES -A FORWARD -j Cid32297X1798.1 $IPTABLES -A Cid32297X1798.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid32297X1798.1 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid32297X1798.1 -j REJECT --reject-with icmp-net-unreachable # # Rule 25 (global) # echo "Rule 25 (global)" # # firewall2-2:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.2.0/24 -m state --state NEW -j ACCEPT # # Rule 26 (global) # echo "Rule 26 (global)" # $IPTABLES -N RULE_26 $IPTABLES -A INPUT -s 192.168.1.0/24 -j RULE_26 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j RULE_26 $IPTABLES -A FORWARD -s 192.168.1.0/24 -j RULE_26 $IPTABLES -A RULE_26 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 26 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_26 -j DROP # # Rule 27 (global) # echo "Rule 27 (global)" # # host-fw2 has the same address as # one of the firewall's interfaces $IPTABLES -N RULE_27 $IPTABLES -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 21 -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j RULE_27 $IPTABLES -A INPUT -p tcp -m tcp -d 22.22.22.22 --dport 21 -m state --state NEW -m limit --limit 5/minute 
--limit-burst 10 -j RULE_27 $IPTABLES -A RULE_27 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 27 - ACCEPT **" --ulog-qthreshold 1 $IPTABLES -A RULE_27 -j ACCEPT # # Rule 28 (global) # echo "Rule 28 (global)" # $IPTABLES -N Cid32347X1798.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -j Cid32347X1798.0 $IPTABLES -N RULE_28 $IPTABLES -A Cid32347X1798.0 -d 22.22.22.22 -j RULE_28 $IPTABLES -A Cid32347X1798.0 -d 22.22.23.23 -j RULE_28 $IPTABLES -A Cid32347X1798.0 -d 22.22.25.50 -j RULE_28 $IPTABLES -A Cid32347X1798.0 -d 192.168.1.1 -j RULE_28 $IPTABLES -A Cid32347X1798.0 -d 192.168.2.1 -j RULE_28 $IPTABLES -A Cid32347X1798.0 -d 192.168.2.40 -j RULE_28 $IPTABLES -N Cid32347X1798.1 $IPTABLES -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j Cid32347X1798.1 $IPTABLES -A Cid32347X1798.1 -d 22.22.22.22 -j RULE_28 $IPTABLES -A Cid32347X1798.1 -d 22.22.23.23 -j RULE_28 $IPTABLES -A Cid32347X1798.1 -d 22.22.25.50 -j RULE_28 $IPTABLES -A Cid32347X1798.1 -d 192.168.1.1 -j RULE_28 $IPTABLES -A Cid32347X1798.1 -d 192.168.2.1 -j RULE_28 $IPTABLES -A Cid32347X1798.1 -d 192.168.2.40 -j RULE_28 $IPTABLES -A RULE_28 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 28 - ACCEPT **" --ulog-qthreshold 1 $IPTABLES -A RULE_28 -j ACCEPT # # Rule 29 (global) # echo "Rule 29 (global)" # # 'catch all' rule $IPTABLES -N RULE_29 $IPTABLES -A OUTPUT -j RULE_29 $IPTABLES -A INPUT -j RULE_29 $IPTABLES -A FORWARD -j RULE_29 $IPTABLES -A RULE_29 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 29 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_29 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:23 2012 by vadim" check_tools check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all prolog_commands script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall2-3.fw.orig000077500000000000000000001552541303637203600206320ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:25 2012 PDT by vadim # # files: * firewall2-3.fw /etc/fw/firewall2-3.fw # # Compiled for iptables ge_1.2.6 # # copy of firewall2, version >= 1.2.6 # firewall2-3:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range) # firewall2-3:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-3:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-3:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. # firewall2-3:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2-3:Policy:: warning: Log prefix has been truncated to 29 characters FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.168.1.1/24 192.168.1.10/24 192.168.1.50/24" "" update_addresses_of_interface "eth1 22.22.22.22/24 22.22.22.23/24 22.22.22.24/24 22.22.22.25/24 22.22.22.0/32 22.22.22.1/32 22.22.22.2/32 22.22.22.3/32 22.22.22.4/32 22.22.22.5/32 22.22.22.6/32 22.22.22.7/32 22.22.22.8/32 22.22.22.9/32 22.22.22.10/32 22.22.22.11/32 22.22.22.12/32 22.22.22.13/32 22.22.22.14/32 22.22.22.15/32 22.22.22.16/32 22.22.22.17/32 22.22.22.18/32 22.22.22.19/32 22.22.22.20/32 22.22.22.21/32 22.22.22.22/32 22.22.22.23/32 22.22.22.24/32 22.22.22.25/32 22.22.22.26/32 22.22.22.27/32 22.22.22.28/32 22.22.22.29/32 22.22.22.30/32 22.22.22.31/32 22.22.22.32/32 22.22.22.33/32 22.22.22.34/32 22.22.22.35/32 22.22.22.36/32 22.22.22.37/32 22.22.22.38/32 22.22.22.39/32 22.22.22.40/32 22.22.22.41/32 22.22.22.42/32 22.22.22.43/32 22.22.22.44/32 22.22.22.45/32 22.22.22.46/32 22.22.22.47/32 22.22.22.48/32 22.22.22.49/32 22.22.22.50/32 22.22.22.51/32 22.22.22.52/32 22.22.22.53/32 22.22.22.54/32 22.22.22.55/32 22.22.22.56/32 22.22.22.57/32 22.22.22.58/32 22.22.22.59/32 22.22.22.60/32 22.22.22.61/32 22.22.22.62/32 22.22.22.63/32 22.22.22.64/32 22.22.22.65/32 22.22.22.66/32 
22.22.22.67/32 22.22.22.68/32 22.22.22.69/32 22.22.22.70/32 22.22.22.71/32 22.22.22.72/32 22.22.22.73/32 22.22.22.74/32 22.22.22.75/32 22.22.22.76/32 22.22.22.77/32 22.22.22.78/32 22.22.22.79/32 22.22.22.80/32 22.22.22.81/32 22.22.22.82/32 22.22.22.83/32 22.22.22.84/32 22.22.22.85/32 22.22.22.86/32 22.22.22.87/32 22.22.22.88/32 22.22.22.89/32 22.22.22.90/32 22.22.22.91/32 22.22.22.92/32 22.22.22.93/32 22.22.22.94/32 22.22.22.95/32 22.22.22.96/32 22.22.22.97/32 22.22.22.98/32 22.22.22.99/32 22.22.22.100/32 22.22.22.101/32 22.22.22.102/32 22.22.22.103/32 22.22.22.104/32 22.22.22.105/32 22.22.22.106/32 22.22.22.107/32 22.22.22.108/32 22.22.22.109/32 22.22.22.110/32 22.22.22.111/32 22.22.22.112/32 22.22.22.113/32 22.22.22.114/32 22.22.22.115/32 22.22.22.116/32 22.22.22.117/32 22.22.22.118/32 22.22.22.119/32 22.22.22.120/32 22.22.22.121/32 22.22.22.122/32 22.22.22.123/32 22.22.22.124/32 22.22.22.125/32 22.22.22.126/32 22.22.22.127/32 22.22.22.128/32 22.22.22.129/32 22.22.22.130/32 22.22.22.131/32 22.22.22.132/32 22.22.22.133/32 22.22.22.134/32 22.22.22.135/32 22.22.22.136/32 22.22.22.137/32 22.22.22.138/32 22.22.22.139/32 22.22.22.140/32 22.22.22.141/32 22.22.22.142/32 22.22.22.143/32 22.22.22.144/32 22.22.22.145/32 22.22.22.146/32 22.22.22.147/32 22.22.22.148/32 22.22.22.149/32 22.22.22.150/32 22.22.22.151/32 22.22.22.152/32 22.22.22.153/32 22.22.22.154/32 22.22.22.155/32 22.22.22.156/32 22.22.22.157/32 22.22.22.158/32 22.22.22.159/32 22.22.22.160/32 22.22.22.161/32 22.22.22.162/32 22.22.22.163/32 22.22.22.164/32 22.22.22.165/32 22.22.22.166/32 22.22.22.167/32 22.22.22.168/32 22.22.22.169/32 22.22.22.170/32 22.22.22.171/32 22.22.22.172/32 22.22.22.173/32 22.22.22.174/32 22.22.22.175/32 22.22.22.176/32 22.22.22.177/32 22.22.22.178/32 22.22.22.179/32 22.22.22.180/32 22.22.22.181/32 22.22.22.182/32 22.22.22.183/32 22.22.22.184/32 22.22.22.185/32 22.22.22.186/32 22.22.22.187/32 22.22.22.188/32 22.22.22.189/32 22.22.22.190/32 22.22.22.191/32 22.22.22.192/32 22.22.22.193/32 
22.22.22.194/32 22.22.22.195/32 22.22.22.196/32 22.22.22.197/32 22.22.22.198/32 22.22.22.199/32 22.22.22.200/32 22.22.22.201/32 22.22.22.202/32 22.22.22.203/32 22.22.22.204/32 22.22.22.205/32 22.22.22.206/32 22.22.22.207/32 22.22.22.208/32 22.22.22.209/32 22.22.22.210/32 22.22.22.211/32 22.22.22.212/32 22.22.22.213/32 22.22.22.214/32 22.22.22.215/32 22.22.22.216/32 22.22.22.217/32 22.22.22.218/32 22.22.22.219/32 22.22.22.220/32 22.22.22.221/32 22.22.22.222/32 22.22.22.223/32 22.22.22.224/32 22.22.22.225/32 22.22.22.226/32 22.22.22.227/32 22.22.22.228/32 22.22.22.229/32 22.22.22.230/32 22.22.22.231/32 22.22.22.232/32 22.22.22.233/32 22.22.22.234/32 22.22.22.235/32 22.22.22.236/32 22.22.22.237/32 22.22.22.238/32 22.22.22.239/32 22.22.22.240/32 22.22.22.241/32 22.22.22.242/32 22.22.22.243/32 22.22.22.244/32 22.22.22.245/32 22.22.22.246/32 22.22.22.247/32 22.22.22.248/32 22.22.22.249/32 22.22.22.250/32 22.22.22.251/32 22.22.22.252/32 22.22.22.253/32 22.22.22.254/32" "" update_addresses_of_interface "eth3 22.22.23.23/24 22.22.25.50/24 22.22.23.24/24" "" update_addresses_of_interface "eth2 192.168.2.1/24 192.168.2.40/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state 
ESTABLISHED,RELATED -j ACCEPT # drop TCP sessions opened prior firewall restart $IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p 
icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 
-j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.40 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.25.50 
$IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p 88 -s 192.168.1.0/24 -j SNAT 
--to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.24 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.25 # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -d 192.168.1.10 -j SNAT --to-source 192.168.1.1 # # Rule 9 (NAT) # echo "Rule 9 (NAT)" # $IPTABLES -t nat -N Cid35496X1833.0 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.10 -j Cid35496X1833.0 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.11 -j Cid35496X1833.0 $IPTABLES -t nat -A Cid35496X1833.0 -s 22.22.22.22 -j ACCEPT $IPTABLES -t nat -A Cid35496X1833.0 -s 22.22.23.23 -j ACCEPT $IPTABLES -t nat -A Cid35496X1833.0 -s 22.22.25.50 -j ACCEPT $IPTABLES -t nat -A Cid35496X1833.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -t nat -A Cid35496X1833.0 -s 192.168.2.1 -j ACCEPT $IPTABLES 
-t nat -A Cid35496X1833.0 -s 192.168.2.40 -j ACCEPT $IPTABLES -t nat -A OUTPUT -d 192.168.2.10 -j ACCEPT $IPTABLES -t nat -A OUTPUT -d 192.168.2.11 -j ACCEPT $IPTABLES -t nat -N Cid35496X1833.1 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.10 -j Cid35496X1833.1 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.11 -j Cid35496X1833.1 $IPTABLES -t nat -A Cid35496X1833.1 -s 192.168.1.10 -j ACCEPT $IPTABLES -t nat -A Cid35496X1833.1 -s 192.168.1.20 -j ACCEPT $IPTABLES -t nat -N Cid35496X1833.2 $IPTABLES -t nat -A PREROUTING -d 192.168.2.10 -j Cid35496X1833.2 $IPTABLES -t nat -A PREROUTING -d 192.168.2.11 -j Cid35496X1833.2 $IPTABLES -t nat -A Cid35496X1833.2 -s 192.168.1.10 -j ACCEPT $IPTABLES -t nat -A Cid35496X1833.2 -s 192.168.1.20 -j ACCEPT # # Rule 10 (NAT) # echo "Rule 10 (NAT)" # $IPTABLES -t nat -N Cid35514X1833.0 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.10 -j Cid35514X1833.0 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.20 -j Cid35514X1833.0 $IPTABLES -t nat -A PREROUTING -s 192.168.1.10 -j Cid35514X1833.0 $IPTABLES -t nat -A PREROUTING -s 192.168.1.20 -j Cid35514X1833.0 $IPTABLES -t nat -A Cid35514X1833.0 -d 192.168.2.10 -j RETURN $IPTABLES -t nat -A Cid35514X1833.0 -d 192.168.2.11 -j RETURN $IPTABLES -t nat -A Cid35514X1833.0 -j ACCEPT # # Rule 11 (NAT) # echo "Rule 11 (NAT)" # $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p 50 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat 
-A PREROUTING -p 88 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p 50 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p 88 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 # # Rule 12 (NAT) # echo "Rule 12 (NAT)" # $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 13 (NAT) # echo "Rule 13 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -s 22.22.23.23 -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -s 22.22.25.50 -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 14 (NAT) # echo "Rule 14 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -s 200.200.200.200 -d 
22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 16 (NAT) # echo "Rule 16 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.24 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.25 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.24 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.25 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 17 (NAT) # echo "Rule 17 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 119 -j DNAT --to-destination 192.168.1.10 # # Rule 18 (NAT) # echo "Rule 18 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.20 -j SNAT --to-source 22.22.23.24 # # Rule 19 (NAT) # echo "Rule 19 (NAT)" # $IPTABLES -t nat -A PREROUTING -d 22.22.23.24 -j DNAT --to-destination 192.168.1.20 $IPTABLES -t nat -A OUTPUT -d 22.22.23.24 -j DNAT --to-destination 192.168.1.20 # # Rule 20 (NAT) # echo "Rule 20 (NAT)" # # firewall2-3:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110 # # Rule 21 (NAT) # echo "Rule 21 (NAT)" # # NETMAP $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 22.22.22.0/24 # # Rule 22 (NAT) # echo "Rule 22 (NAT)" # # NETMAP $IPTABLES -t nat -A PREROUTING -d 22.22.22.0/24 -j NETMAP --to 192.168.1.0/24 # # Rule 23 (NAT) # 
echo "Rule 23 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.23.23 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.25.50 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.1.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.2.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.2.40 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 # # Rule 24 (NAT) # echo "Rule 24 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 80 
-j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.23.23 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.25.50 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.1.10 --dport 80 -j SNAT --to-source 192.168.1.1 # # Rule 25 (NAT) # echo "Rule 25 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.23 --dport 80 -j DNAT --to-destination 192.168.1.10:25 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.23 --dport 80 -j DNAT --to-destination 192.168.1.10:25 # # Rule 26 (NAT) # echo "Rule 26 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 443 -j REDIRECT --to-ports 3128 # # Rule 27 (NAT) # echo "Rule 27 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT 
--to-destination 192.168.1.10-192.168.1.100 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.10-192.168.1.100 # # Rule 28 (NAT) # echo "Rule 28 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.11-192.168.1.15 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.11-192.168.1.15 # # Rule 29 (NAT) # echo "Rule 29 (NAT)" # # transparent proxy rule $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 22.22.22.23 -j DNAT --to-destination 192.168.2.10 # # Rule 31 (NAT) # echo "Rule 31 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080 # # Rule 32 (NAT) # echo "Rule 32 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:8080 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:8080 # # Rule 33 (NAT) # echo "Rule 33 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 34 (NAT) # echo "Rule 34 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s ! 192.168.1.10 -d 192.168.1.10 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 35 (NAT) # echo "Rule 35 (NAT)" # $IPTABLES -t nat -N Cid35884X1833.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d ! 192.168.1.50 --dport 80 -j Cid35884X1833.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d ! 
192.168.1.50 --dport 80 -j Cid35884X1833.0 $IPTABLES -t nat -A Cid35884X1833.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid35884X1833.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid35884X1833.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:3128 # # Rule 36 (NAT) # echo "Rule 36 (NAT)" # $IPTABLES -t nat -N Cid35898X1833.1 $IPTABLES -t nat -A POSTROUTING -o eth0 -j Cid35898X1833.1 $IPTABLES -t nat -A Cid35898X1833.1 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid35898X1833.1 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -N Cid35898X1833.0 $IPTABLES -t nat -A Cid35898X1833.1 -j Cid35898X1833.0 $IPTABLES -t nat -A Cid35898X1833.0 -p tcp -m tcp --dport 80 -j RETURN $IPTABLES -t nat -A Cid35898X1833.0 -j SNAT --to-source 192.168.1.1 # # Rule 37 (NAT) # echo "Rule 37 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.10 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 38 (NAT) # echo "Rule 38 (NAT)" # # this is the "exception" rule # used in support req. originally $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 39 (NAT) # echo "Rule 39 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 40 (NAT) # echo "Rule 40 (NAT)" # # "exception" rule in the pair # from a support req. $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 41 (NAT) # echo "Rule 41 (NAT)" # # testing transparent proxy # roules for a support req. 
$IPTABLES -t nat -N Cid35968X1833.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid35968X1833.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid35968X1833.0 $IPTABLES -t nat -A Cid35968X1833.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid35968X1833.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid35968X1833.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 42 (NAT) # echo "Rule 42 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid35982X1833.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid35982X1833.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid35982X1833.0 $IPTABLES -t nat -A Cid35982X1833.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid35982X1833.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid35982X1833.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 43 (NAT) # echo "Rule 43 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid35996X1833.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid35996X1833.0 $IPTABLES -t nat -A Cid35996X1833.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid35996X1833.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid35996X1833.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # # Rule 44 (NAT) # echo "Rule 44 (NAT)" # # "exception" rule in the pair # from a support req. $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 45 (NAT) # echo "Rule 45 (NAT)" # # testing transparent proxy # roules for a support req. 
$IPTABLES -t nat -N Cid36024X1833.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid36024X1833.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid36024X1833.0 $IPTABLES -t nat -A Cid36024X1833.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid36024X1833.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid36024X1833.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:3128 # ================ Table 'filter', rule set Policy # # Rule 0 (eth1) # echo "Rule 0 (eth1)" # # Anti-spoofing rule $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.25.50 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.2.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.2.40 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.23.23 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.25.50 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.40 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A In_RULE_0 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "Iface: global RULE 0 -- DENY " --ulog-qthreshold 1 $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (eth1) # echo "Rule 1 (eth1)" # # Anti-spoofing rule $IPTABLES -N Cid35127X1833.0 $IPTABLES -A OUTPUT -o eth1 -j Cid35127X1833.0 $IPTABLES -A Cid35127X1833.0 -s 22.22.22.22 -j RETURN $IPTABLES -A Cid35127X1833.0 -s 22.22.23.23 -j RETURN $IPTABLES -A Cid35127X1833.0 -s 22.22.25.50 -j RETURN $IPTABLES -A Cid35127X1833.0 -s 192.168.1.1 -j RETURN $IPTABLES -A Cid35127X1833.0 -s 192.168.2.1 -j RETURN $IPTABLES -A Cid35127X1833.0 -s 192.168.2.40 -j RETURN $IPTABLES -N 
Out_RULE_1_3 $IPTABLES -A Cid35127X1833.0 -j Out_RULE_1_3 $IPTABLES -A Out_RULE_1_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "Iface: global RULE 1 -- DENY " --ulog-qthreshold 1 $IPTABLES -A Out_RULE_1_3 -j DROP $IPTABLES -N Cid35127X1833.1 $IPTABLES -A FORWARD -o eth1 -j Cid35127X1833.1 $IPTABLES -A Cid35127X1833.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid35127X1833.1 -j Out_RULE_1_3 # # Rule 2 (fw2i1,3) # echo "Rule 2 (fw2i1,3)" # # testing group in "interface" # this rule should be identical to rule 3 $IPTABLES -N In_RULE_2 $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A FORWARD -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A In_RULE_2 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 2 - DENY **" --ulog-qthreshold 1 $IPTABLES -A In_RULE_2 -j DROP # # Rule 3 (eth1,eth3) # echo "Rule 3 (eth1,eth3)" # $IPTABLES -N In_RULE_3 $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A FORWARD -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A FORWARD -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A In_RULE_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 3 - DENY **" --ulog-qthreshold 1 $IPTABLES -A In_RULE_3 -j DROP # # Rule 4 (eth1,eth3) # echo "Rule 4 (eth1,eth3)" # # testing choice of chains in case when several # interfaces are used and rule matches 'any' or # broadcast $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -d 255.255.255.255 
--dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth3 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 5 (eth1,eth3) # echo "Rule 5 (eth1,eth3)" # $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 6 (eth1,eth3) # echo "Rule 6 (eth1,eth3)" # $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N Cid35204X1833.0 $IPTABLES -A OUTPUT -j Cid35204X1833.0 $IPTABLES -A INPUT -j Cid35204X1833.0 $IPTABLES -A FORWARD -j Cid35204X1833.0 $IPTABLES -A Cid35204X1833.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN $IPTABLES -N RULE_7_3 $IPTABLES -A Cid35204X1833.0 -j RULE_7_3 $IPTABLES -A RULE_7_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 7 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_7_3 -j DROP # # Rule 8 (global) # echo "Rule 8 (global)" # # block fragments $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -p all -f -j RULE_8 $IPTABLES -A INPUT -p all -f -j RULE_8 $IPTABLES -A FORWARD -p all -f -j RULE_8 $IPTABLES -A RULE_8 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 8 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_8 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # # sends TCP RST and makes custom record # in the log 
$IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A FORWARD -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A RULE_9 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "IDENT" --ulog-qthreshold 1 $IPTABLES -A RULE_9 -p tcp -m tcp -j REJECT --reject-with tcp-reset # # Rule 10 (global) # echo "Rule 10 (global)" # # firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1 $IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -N Cid35252X1833.0 $IPTABLES -A INPUT -p icmp -s 192.168.2.0/24 -m state --state NEW -j Cid35252X1833.0 $IPTABLES -N RULE_11 $IPTABLES -A Cid35252X1833.0 -d 192.168.2.1 -j RULE_11 $IPTABLES -A Cid35252X1833.0 -d 192.168.2.40 -j RULE_11 $IPTABLES -A RULE_11 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 11 - ACCEPT **" --ulog-qthreshold 1 $IPTABLES -A RULE_11 -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -N Cid35264X1833.0 $IPTABLES -A FORWARD -d 211.11.11.11 -m state --state NEW -j Cid35264X1833.0 $IPTABLES -A Cid35264X1833.0 -s 192.168.1.10 -j ACCEPT $IPTABLES -A Cid35264X1833.0 -s 192.168.1.20 -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -N Cid35277X1833.0 $IPTABLES -A FORWARD -s 211.11.11.11 -m state --state NEW -j Cid35277X1833.0 $IPTABLES -A Cid35277X1833.0 -d 192.168.1.10 -j ACCEPT $IPTABLES -A Cid35277X1833.0 -d 192.168.1.20 -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # $IPTABLES -N Cid35290X1833.0 $IPTABLES -A OUTPUT -p tcp -m 
tcp -j Cid35290X1833.0 $IPTABLES -A INPUT -p tcp -m tcp -j Cid35290X1833.0 $IPTABLES -A FORWARD -p tcp -m tcp -j Cid35290X1833.0 $IPTABLES -A Cid35290X1833.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid35290X1833.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid35290X1833.0 -p tcp -m tcp -j REJECT --reject-with tcp-reset $IPTABLES -N Cid35290X1833.1 $IPTABLES -A OUTPUT -j Cid35290X1833.1 $IPTABLES -A INPUT -j Cid35290X1833.1 $IPTABLES -A FORWARD -j Cid35290X1833.1 $IPTABLES -A Cid35290X1833.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid35290X1833.1 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid35290X1833.1 -j REJECT --reject-with icmp-net-unreachable # # Rule 15 (global) # echo "Rule 15 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.2.0/24 -m state --state NEW -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # $IPTABLES -N RULE_16 $IPTABLES -A INPUT -s 192.168.1.0/24 -j RULE_16 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j RULE_16 $IPTABLES -A FORWARD -s 192.168.1.0/24 -j RULE_16 $IPTABLES -A RULE_16 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 16 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_16 -j DROP # # Rule 17 (global) # echo "Rule 17 (global)" # # host-fw2 has the same address as # one of the firewall's interfaces $IPTABLES -N RULE_17 $IPTABLES -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 21 -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j RULE_17 $IPTABLES -A INPUT -p tcp -m tcp -d 22.22.22.22 --dport 21 -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j RULE_17 $IPTABLES -A RULE_17 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 17 - 
ACCEPT **" --ulog-qthreshold 1
$IPTABLES -A RULE_17 -j ACCEPT
#
# Rule 18 (global)
#
echo "Rule 18 (global)"
#
$IPTABLES -N Cid35340X1833.0
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -j Cid35340X1833.0
$IPTABLES -N RULE_18
$IPTABLES -A Cid35340X1833.0 -d 22.22.22.22 -j RULE_18
$IPTABLES -A Cid35340X1833.0 -d 22.22.23.23 -j RULE_18
$IPTABLES -A Cid35340X1833.0 -d 22.22.25.50 -j RULE_18
$IPTABLES -A Cid35340X1833.0 -d 192.168.1.1 -j RULE_18
$IPTABLES -A Cid35340X1833.0 -d 192.168.2.1 -j RULE_18
$IPTABLES -A Cid35340X1833.0 -d 192.168.2.40 -j RULE_18
$IPTABLES -N Cid35340X1833.1
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j Cid35340X1833.1
$IPTABLES -A Cid35340X1833.1 -d 22.22.22.22 -j RULE_18
$IPTABLES -A Cid35340X1833.1 -d 22.22.23.23 -j RULE_18
$IPTABLES -A Cid35340X1833.1 -d 22.22.25.50 -j RULE_18
$IPTABLES -A Cid35340X1833.1 -d 192.168.1.1 -j RULE_18
$IPTABLES -A Cid35340X1833.1 -d 192.168.2.1 -j RULE_18
$IPTABLES -A Cid35340X1833.1 -d 192.168.2.40 -j RULE_18
$IPTABLES -A RULE_18 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 18 - ACCEPT **" --ulog-qthreshold 1
$IPTABLES -A RULE_18 -j ACCEPT
#
# Rule 19 (global)
#
echo "Rule 19 (global)"
#
# 'catch all' rule
$IPTABLES -N RULE_19
$IPTABLES -A OUTPUT -j RULE_19
$IPTABLES -A INPUT -j RULE_19
$IPTABLES -A FORWARD -j RULE_19
$IPTABLES -A RULE_19 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 19 - DENY **" --ulog-qthreshold 1
$IPTABLES -A RULE_19 -j DROP
}
# Turn on IPv4 packet forwarding in the kernel.  The leading ':' is a no-op
# placeholder (presumably so the generated body is never empty).
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
}
# Reset the IPv4 tables through reset_iptables_v4 (defined earlier in this
# file, not shown here); whatever chain policies survive a reset are decided
# there, not in this wrapper.
reset_all() {
    :
    reset_iptables_v4
}
# 'block' action: only resets the tables.  Unlike stop_action below it sets
# no ACCEPT policy, so whether the host ends up closed depends solely on the
# policies reset_iptables_v4 leaves behind.
block_action() {
    reset_all
}
# 'stop' action: resets the tables and then sets the default policy of all
# three built-in chains to ACCEPT -- after 'stop' the host has no filtering
# at all.  Use 'block' instead when traffic must not be admitted meanwhile.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}
# Probe one /proc/net/*_tables_names file ($1).
# Returns 151 if the file does not exist (status_action reports this as
# "modules are not loaded"), 152 if it exists but lists no tables, 0 if at
# least one table is registered.
# NOTE(review): $IP_TABLES is used unquoted; harmless only because the sole
# caller passes fixed /proc paths.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}
# 'status' action: returns 0 as soon as either the IPv4 or the IPv6 table
# list is non-empty; otherwise prints a diagnostic and exits the whole
# script with status 3 (see the end of this function).
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:25 2012 by vadim" check_tools check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all prolog_commands script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall2-4.fw.orig000077500000000000000000000423601303637203600206240ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:28 2012 PDT by vadim # # files: * firewall2-4.fw /etc/fw/firewall2-4.fw # # Compiled for iptables (any version) # # tests for error conditions in NATCompiler_ipt::VerifyRules # firewall2-4:NAT:0: error: Can not use negation in translated source # firewall2-4:NAT:1: error: Can not use negation in translated destination. # firewall2-4:NAT:2: error: Can not use negation in translated service. # firewall2-4:NAT:3: error: Translated service should be 'Original' or should contain single object. # firewall2-4:NAT:4: error: Translated service should be 'Original' or should contain single object. 
# firewall2-4:NAT:5: error: Non-contiguous address range in Translated Destination in load balancing NAT rule # firewall2-4:NAT:7: error: Action 'Branch' needs NAT rule set to point to # firewall2-4:NAT:9: error: Can not use unnumbered interface in Translated Source of a Source translation rule. # firewall2-4:NAT:10: error: Original and translated source should both be networks of the same size. # firewall2-4:NAT:12: error: Can not use service object in Translated Service if Original Service is 'Any'. # firewall2-4:NAT:13: error: NAT rule can not change service types: UDPService to TCPService # firewall2-4:NAT:13: error: Translated Service should be either 'Original' or should contain object of the same type as Original Service. # firewall2-4:NAT:14: error: NAT rule can not change service types: UDPService to TCPService # firewall2-4:NAT:14: error: Translated Service should be either 'Original' or should contain object of the same type as Original Service. # firewall2-4:NAT:14: error: Translated Service should be either 'Original' or should contain object of the same type as Original Service. FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.168.1.1/24 192.168.1.10/24 192.168.1.20/24" "" update_addresses_of_interface "eth1 22.22.22.22/24 22.22.22.0/32 22.22.22.1/32 22.22.22.2/32 22.22.22.3/32 22.22.22.4/32 22.22.22.5/32 22.22.22.6/32 22.22.22.7/32 22.22.22.8/32 22.22.22.9/32 22.22.22.10/32 22.22.22.11/32 22.22.22.12/32 22.22.22.13/32 22.22.22.14/32 22.22.22.15/32 22.22.22.16/32 22.22.22.17/32 22.22.22.18/32 22.22.22.19/32 22.22.22.20/32 22.22.22.21/32 22.22.22.22/32 22.22.22.23/32 22.22.22.24/32 22.22.22.25/32 22.22.22.26/32 22.22.22.27/32 22.22.22.28/32 22.22.22.29/32 22.22.22.30/32 22.22.22.31/32 22.22.22.32/32 22.22.22.33/32 22.22.22.34/32 22.22.22.35/32 22.22.22.36/32 22.22.22.37/32 22.22.22.38/32 22.22.22.39/32 22.22.22.40/32 22.22.22.41/32 22.22.22.42/32 22.22.22.43/32 22.22.22.44/32 22.22.22.45/32 22.22.22.46/32 22.22.22.47/32 22.22.22.48/32 22.22.22.49/32 22.22.22.50/32 22.22.22.51/32 22.22.22.52/32 22.22.22.53/32 22.22.22.54/32 22.22.22.55/32 22.22.22.56/32 22.22.22.57/32 22.22.22.58/32 22.22.22.59/32 22.22.22.60/32 22.22.22.61/32 22.22.22.62/32 22.22.22.63/32 22.22.22.64/32 22.22.22.65/32 22.22.22.66/32 22.22.22.67/32 22.22.22.68/32 22.22.22.69/32 
22.22.22.70/32 22.22.22.71/32 22.22.22.72/32 22.22.22.73/32 22.22.22.74/32 22.22.22.75/32 22.22.22.76/32 22.22.22.77/32 22.22.22.78/32 22.22.22.79/32 22.22.22.80/32 22.22.22.81/32 22.22.22.82/32 22.22.22.83/32 22.22.22.84/32 22.22.22.85/32 22.22.22.86/32 22.22.22.87/32 22.22.22.88/32 22.22.22.89/32 22.22.22.90/32 22.22.22.91/32 22.22.22.92/32 22.22.22.93/32 22.22.22.94/32 22.22.22.95/32 22.22.22.96/32 22.22.22.97/32 22.22.22.98/32 22.22.22.99/32 22.22.22.100/32 22.22.22.101/32 22.22.22.102/32 22.22.22.103/32 22.22.22.104/32 22.22.22.105/32 22.22.22.106/32 22.22.22.107/32 22.22.22.108/32 22.22.22.109/32 22.22.22.110/32 22.22.22.111/32 22.22.22.112/32 22.22.22.113/32 22.22.22.114/32 22.22.22.115/32 22.22.22.116/32 22.22.22.117/32 22.22.22.118/32 22.22.22.119/32 22.22.22.120/32 22.22.22.121/32 22.22.22.122/32 22.22.22.123/32 22.22.22.124/32 22.22.22.125/32 22.22.22.126/32 22.22.22.127/32 22.22.22.128/32 22.22.22.129/32 22.22.22.130/32 22.22.22.131/32 22.22.22.132/32 22.22.22.133/32 22.22.22.134/32 22.22.22.135/32 22.22.22.136/32 22.22.22.137/32 22.22.22.138/32 22.22.22.139/32 22.22.22.140/32 22.22.22.141/32 22.22.22.142/32 22.22.22.143/32 22.22.22.144/32 22.22.22.145/32 22.22.22.146/32 22.22.22.147/32 22.22.22.148/32 22.22.22.149/32 22.22.22.150/32 22.22.22.151/32 22.22.22.152/32 22.22.22.153/32 22.22.22.154/32 22.22.22.155/32 22.22.22.156/32 22.22.22.157/32 22.22.22.158/32 22.22.22.159/32 22.22.22.160/32 22.22.22.161/32 22.22.22.162/32 22.22.22.163/32 22.22.22.164/32 22.22.22.165/32 22.22.22.166/32 22.22.22.167/32 22.22.22.168/32 22.22.22.169/32 22.22.22.170/32 22.22.22.171/32 22.22.22.172/32 22.22.22.173/32 22.22.22.174/32 22.22.22.175/32 22.22.22.176/32 22.22.22.177/32 22.22.22.178/32 22.22.22.179/32 22.22.22.180/32 22.22.22.181/32 22.22.22.182/32 22.22.22.183/32 22.22.22.184/32 22.22.22.185/32 22.22.22.186/32 22.22.22.187/32 22.22.22.188/32 22.22.22.189/32 22.22.22.190/32 22.22.22.191/32 22.22.22.192/32 22.22.22.193/32 22.22.22.194/32 22.22.22.195/32 
22.22.22.196/32 22.22.22.197/32 22.22.22.198/32 22.22.22.199/32 22.22.22.200/32 22.22.22.201/32 22.22.22.202/32 22.22.22.203/32 22.22.22.204/32 22.22.22.205/32 22.22.22.206/32 22.22.22.207/32 22.22.22.208/32 22.22.22.209/32 22.22.22.210/32 22.22.22.211/32 22.22.22.212/32 22.22.22.213/32 22.22.22.214/32 22.22.22.215/32 22.22.22.216/32 22.22.22.217/32 22.22.22.218/32 22.22.22.219/32 22.22.22.220/32 22.22.22.221/32 22.22.22.222/32 22.22.22.223/32 22.22.22.224/32 22.22.22.225/32 22.22.22.226/32 22.22.22.227/32 22.22.22.228/32 22.22.22.229/32 22.22.22.230/32 22.22.22.231/32 22.22.22.232/32 22.22.22.233/32 22.22.22.234/32 22.22.22.235/32 22.22.22.236/32 22.22.22.237/32 22.22.22.238/32 22.22.22.239/32 22.22.22.240/32 22.22.22.241/32 22.22.22.242/32 22.22.22.243/32 22.22.22.244/32 22.22.22.245/32 22.22.22.246/32 22.22.22.247/32 22.22.22.248/32 22.22.22.249/32 22.22.22.250/32 22.22.22.251/32 22.22.22.252/32 22.22.22.253/32 22.22.22.254/32" "" update_addresses_of_interface "eth2 192.168.2.1/24 192.168.2.40/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop TCP sessions opened prior firewall restart $IPTABLES -A INPUT -p tcp -m tcp ! 
--tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # # firewall2-4:NAT:5: error: Non-contiguous address range in Translated Destination in load balancing NAT rule $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10-192.168.1.20 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10-192.168.1.20 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.10 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.20 # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # $IPTABLES -t nat -A POSTROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j NETMAP --to 22.22.22.0/24 # # Rule 11 (NAT) # echo "Rule 11 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 192.168.2.0/24 -j SNAT --to-source 192.168.2.1 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # 'catch all' rule $IPTABLES -N RULE_0 $IPTABLES -A OUTPUT -j RULE_0 $IPTABLES -A INPUT -j RULE_0 $IPTABLES -A FORWARD -j RULE_0 $IPTABLES -A RULE_0 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 0 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_0 -j DROP } 
ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:28 2012 by vadim" check_tools check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all prolog_commands script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall2-5.fw.orig000077500000000000000000000326151303637203600206270ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:30 2012 PDT by vadim # # files: * firewall2-5.fw /etc/fw/firewall2-5.fw # # Compiled for iptables (any version) # # various tests for the "-o itf" clause in SNAT rules # firewall2-5:NAT:4: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) # firewall2-5:NAT:6: error: Original and translated source should both be networks of the same size. # firewall2-5:NAT:7: warning: Adding of virtual address for address range is not implemented (object range 33 30-33) # firewall2-5::: warning: Can not add virtual address 22.22.22.0 (object external_net) FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 222.222.222.222/24 222.222.222.40/24 222.222.222.41/24" "" update_addresses_of_interface "eth3 33.33.33.25/29" "" update_addresses_of_interface "eth2 33.33.33.3/29 33.33.33.4/29" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop TCP sessions opened prior 
firewall restart $IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # # NETMAP and no -o itf $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 22.22.22.0/24 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.41 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.222 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.222 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # # should be -o eth1 # firewall2-5:NAT:4: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.10-222.222.222.100 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # # should be -o eth2 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 33.33.33.1-33.33.33.3 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # # partially matches eth3 # firewall2-5:NAT:7: warning: Adding of virtual address for address range is not 
implemented (object range 33 30-33) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 33.33.33.30-33.33.33.33 # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # # should be two rules: -o eth2 and -o eth3 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 33.33.33.1-33.33.33.33 # # Rule 9 (NAT) # echo "Rule 9 (NAT)" # # should be -o eth2 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 33.33.33.3 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 33.33.33.4 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # 'catch all' rule $IPTABLES -N RULE_0 $IPTABLES -A OUTPUT -j RULE_0 $IPTABLES -A INPUT -j RULE_0 $IPTABLES -A FORWARD -j RULE_0 $IPTABLES -A RULE_0 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 0 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_0 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:30 2012 by vadim" check_tools check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all prolog_commands script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall2-6.fw.orig000077500000000000000000000370031303637203600206240ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:31 2012 PDT by vadim # # files: * firewall2-6.fw /etc/fw/firewall2-6.fw # # Compiled for iptables (any version) # # tests for nat rules with inbound and outbound interfaces # firewall2-6:NAT:6: error: Can not use inbound interface specification with rules that translate source because iptables does not allow "-i" in POSTROUTING chain # firewall2-6:NAT:7: error: Can not use inbound interface specification with rules that translate source because iptables does not allow "-i" in POSTROUTING chain # firewall2-6:NAT:8: error: Can not use inbound interface specification with rules that translate source because iptables does not allow "-i" in POSTROUTING chain # firewall2-6:NAT:9: error: Can not use inbound interface specification with rules that translate source because iptables does not allow "-i" in POSTROUTING chain # firewall2-6:NAT:10: error: Can not use inbound interface specification with rules that translate source because iptables does not allow "-i" in POSTROUTING chain # 
firewall2-6:NAT:11: error: Can not use inbound interface specification with rules that translate source because iptables does not allow "-i" in POSTROUTING chain # firewall2-6:NAT:12: error: Can not use inbound interface specification with rules that translate source because iptables does not allow "-i" in POSTROUTING chain # firewall2-6:NAT:17: error: Can not use outbound interface specification with rules that translate destination because iptables does not allow "-o" in PREROUTING chain # firewall2-6:NAT:17: error: Can not use outbound interface specification with rules that translate destination because iptables does not allow "-o" in PREROUTING chain # firewall2-6:NAT:18: error: Can not use outbound interface specification with rules that translate destination because iptables does not allow "-o" in PREROUTING chain # firewall2-6:NAT:19: error: Can not use outbound interface specification with rules that translate destination because iptables does not allow "-o" in PREROUTING chain # firewall2-6:NAT:20: error: Can not use outbound interface specification with rules that translate destination because iptables does not allow "-o" in PREROUTING chain # firewall2-6:NAT:21: error: Can not use outbound interface specification with rules that translate destination because iptables does not allow "-o" in PREROUTING chain # firewall2-6::: warning: Can not add virtual address 22.22.22.0 (object external_net) FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 
name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 222.222.222.222/24 222.222.222.40/24" "" update_addresses_of_interface "eth3 33.33.33.25/29" "" update_addresses_of_interface "eth2 33.33.33.3/29 33.33.33.4/29" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop TCP sessions opened prior firewall restart 
$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # # NETMAP and no -o itf $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 22.22.22.0/24 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # # $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # # $IPTABLES -t nat -A POSTROUTING -o ! 
eth3 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 # # Rule 13 (NAT) # echo "Rule 13 (NAT)" # $IPTABLES -t nat -A PREROUTING -d 222.222.222.40 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -d 222.222.222.40 -j DNAT --to-destination 192.168.1.10 # # Rule 14 (NAT) # echo "Rule 14 (NAT)" # $IPTABLES -t nat -A PREROUTING -i eth1 -d 222.222.222.40 -j DNAT --to-destination 192.168.1.10 # # Rule 15 (NAT) # echo "Rule 15 (NAT)" # $IPTABLES -t nat -A PREROUTING -i eth3 -d 222.222.222.40 -j DNAT --to-destination 192.168.1.10 # # Rule 16 (NAT) # echo "Rule 16 (NAT)" # $IPTABLES -t nat -A PREROUTING -i eth1 -d 222.222.222.40 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -i eth3 -d 222.222.222.40 -j DNAT --to-destination 192.168.1.10 # # Rule 22 (NAT) # echo "Rule 22 (NAT)" # # rule for SF feature request 1954286 $IPTABLES -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 3996:4000 -j DNAT --to-destination 192.168.1.10 # # Rule 23 (NAT) # echo "Rule 23 (NAT)" # # REDIRECT $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # 'catch all' rule $IPTABLES -N RULE_0 $IPTABLES -A OUTPUT -j RULE_0 $IPTABLES -A INPUT -j RULE_0 $IPTABLES -A FORWARD -j RULE_0 $IPTABLES -A RULE_0 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 0 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_0 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:31 2012 by vadim" check_tools check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all prolog_commands script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall2-7.fw.orig000077500000000000000000000301561303637203600206270ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:33 2012 PDT by vadim # # files: * firewall2-7.fw /etc/fw/firewall2-7.fw # # Compiled for iptables (any version) # # tests for nat rules with inbound and outbound interfaces with complex interface configuration # firewall2-7::: warning: Can not add virtual address 22.22.22.0 (object external_net) FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth3 33.33.33.25/29" "" update_addresses_of_interface "eth2 33.33.33.3/29 33.33.33.4/29" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "bridge0 10.1.1.1/24" "" update_addresses_of_interface "vlan101 222.222.222.222/24 222.222.222.40/24" "" } script_body() { echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j 
ACCEPT # drop TCP sessions opened prior firewall restart $IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # # NETMAP and no -o itf $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 22.22.22.0/24 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o bridge+ -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 $IPTABLES -t nat -A POSTROUTING -o vlan+ -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # # $IPTABLES -t nat -A POSTROUTING -o vlan101 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # # $IPTABLES -t nat -A POSTROUTING -o ! 
eth3 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.40 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # # REDIRECT $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # 'catch all' rule $IPTABLES -N RULE_0 $IPTABLES -A OUTPUT -j RULE_0 $IPTABLES -A INPUT -j RULE_0 $IPTABLES -A FORWARD -j RULE_0 $IPTABLES -A RULE_0 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 0 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_0 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:33 2012 by vadim" check_tools check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all prolog_commands script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall2.fw.orig000077500000000000000000002253101303637203600204610ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:17 2012 PDT by vadim # # files: * firewall2.fw /etc/fw/firewall2.fw # # Compiled for iptables (any version) # # this object has several interfaces and shows different rules for NAT. Also testing policy rule options # firewall2:NAT:22: warning: Adding of virtual address for address range is not implemented (object ext_range) # firewall2:NAT:51: error: NAT rule can not change service types: CustomService to TCPService # firewall2:NAT:51: error: Translated Service should be either 'Original' or should contain object of the same type as Original Service. # firewall2:Policy:0: error: Rule '0 (eth1)' shadows rule '2 (fw2i1,3)' below it # firewall2:Policy:0: error: Rule '0 (eth1)' shadows rule '2 (fw2i1,3)' below it # firewall2:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it # firewall2:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it # firewall2:Policy:2: error: Rule '2 (fw2i1,3)' shadows rule '3 (eth1,eth3)' below it # firewall2:Policy:2: error: Rule '2 (fw2i1,3)' shadows rule '3 (eth1,eth3)' below it # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' 
shadows rule '6 (eth1,eth3)' below it # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it # firewall2:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it # firewall2:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. # firewall2:Policy:29: error: Object 'net-err' has address or netmask 0.0.0.0, which is equivalent to 'any'. This is likely an error. # firewall2:Policy:29: error: Object 'net-err' has address or netmask 0.0.0.0, which is equivalent to 'any'. This is likely an error. # firewall2:Policy:29: error: Object 'net-err' has address or netmask 0.0.0.0, which is equivalent to 'any'. This is likely an error. 
# firewall2:Policy:: warning: Log prefix has been truncated to 29 characters # firewall2:Policy:: warning: Log prefix has been truncated to 29 characters FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.168.1.1/24 192.168.1.10/24 192.168.1.50/24" "" update_addresses_of_interface "eth1 22.22.22.22/24 22.22.22.23/24 22.22.22.24/24 22.22.22.25/24 22.22.22.0/32 22.22.22.1/32 22.22.22.2/32 22.22.22.3/32 22.22.22.4/32 22.22.22.5/32 22.22.22.6/32 22.22.22.7/32 22.22.22.8/32 22.22.22.9/32 22.22.22.10/32 22.22.22.11/32 22.22.22.12/32 22.22.22.13/32 22.22.22.14/32 22.22.22.15/32 22.22.22.16/32 22.22.22.17/32 22.22.22.18/32 22.22.22.19/32 22.22.22.20/32 22.22.22.21/32 22.22.22.22/32 22.22.22.23/32 22.22.22.24/32 22.22.22.25/32 22.22.22.26/32 22.22.22.27/32 22.22.22.28/32 22.22.22.29/32 22.22.22.30/32 22.22.22.31/32 22.22.22.32/32 22.22.22.33/32 22.22.22.34/32 22.22.22.35/32 22.22.22.36/32 22.22.22.37/32 22.22.22.38/32 22.22.22.39/32 22.22.22.40/32 22.22.22.41/32 22.22.22.42/32 22.22.22.43/32 22.22.22.44/32 22.22.22.45/32 22.22.22.46/32 22.22.22.47/32 22.22.22.48/32 22.22.22.49/32 22.22.22.50/32 22.22.22.51/32 22.22.22.52/32 22.22.22.53/32 22.22.22.54/32 22.22.22.55/32 22.22.22.56/32 22.22.22.57/32 22.22.22.58/32 22.22.22.59/32 22.22.22.60/32 22.22.22.61/32 22.22.22.62/32 22.22.22.63/32 22.22.22.64/32 22.22.22.65/32 22.22.22.66/32 
22.22.22.67/32 22.22.22.68/32 22.22.22.69/32 22.22.22.70/32 22.22.22.71/32 22.22.22.72/32 22.22.22.73/32 22.22.22.74/32 22.22.22.75/32 22.22.22.76/32 22.22.22.77/32 22.22.22.78/32 22.22.22.79/32 22.22.22.80/32 22.22.22.81/32 22.22.22.82/32 22.22.22.83/32 22.22.22.84/32 22.22.22.85/32 22.22.22.86/32 22.22.22.87/32 22.22.22.88/32 22.22.22.89/32 22.22.22.90/32 22.22.22.91/32 22.22.22.92/32 22.22.22.93/32 22.22.22.94/32 22.22.22.95/32 22.22.22.96/32 22.22.22.97/32 22.22.22.98/32 22.22.22.99/32 22.22.22.100/32 22.22.22.101/32 22.22.22.102/32 22.22.22.103/32 22.22.22.104/32 22.22.22.105/32 22.22.22.106/32 22.22.22.107/32 22.22.22.108/32 22.22.22.109/32 22.22.22.110/32 22.22.22.111/32 22.22.22.112/32 22.22.22.113/32 22.22.22.114/32 22.22.22.115/32 22.22.22.116/32 22.22.22.117/32 22.22.22.118/32 22.22.22.119/32 22.22.22.120/32 22.22.22.121/32 22.22.22.122/32 22.22.22.123/32 22.22.22.124/32 22.22.22.125/32 22.22.22.126/32 22.22.22.127/32 22.22.22.128/32 22.22.22.129/32 22.22.22.130/32 22.22.22.131/32 22.22.22.132/32 22.22.22.133/32 22.22.22.134/32 22.22.22.135/32 22.22.22.136/32 22.22.22.137/32 22.22.22.138/32 22.22.22.139/32 22.22.22.140/32 22.22.22.141/32 22.22.22.142/32 22.22.22.143/32 22.22.22.144/32 22.22.22.145/32 22.22.22.146/32 22.22.22.147/32 22.22.22.148/32 22.22.22.149/32 22.22.22.150/32 22.22.22.151/32 22.22.22.152/32 22.22.22.153/32 22.22.22.154/32 22.22.22.155/32 22.22.22.156/32 22.22.22.157/32 22.22.22.158/32 22.22.22.159/32 22.22.22.160/32 22.22.22.161/32 22.22.22.162/32 22.22.22.163/32 22.22.22.164/32 22.22.22.165/32 22.22.22.166/32 22.22.22.167/32 22.22.22.168/32 22.22.22.169/32 22.22.22.170/32 22.22.22.171/32 22.22.22.172/32 22.22.22.173/32 22.22.22.174/32 22.22.22.175/32 22.22.22.176/32 22.22.22.177/32 22.22.22.178/32 22.22.22.179/32 22.22.22.180/32 22.22.22.181/32 22.22.22.182/32 22.22.22.183/32 22.22.22.184/32 22.22.22.185/32 22.22.22.186/32 22.22.22.187/32 22.22.22.188/32 22.22.22.189/32 22.22.22.190/32 22.22.22.191/32 22.22.22.192/32 22.22.22.193/32 
22.22.22.194/32 22.22.22.195/32 22.22.22.196/32 22.22.22.197/32 22.22.22.198/32 22.22.22.199/32 22.22.22.200/32 22.22.22.201/32 22.22.22.202/32 22.22.22.203/32 22.22.22.204/32 22.22.22.205/32 22.22.22.206/32 22.22.22.207/32 22.22.22.208/32 22.22.22.209/32 22.22.22.210/32 22.22.22.211/32 22.22.22.212/32 22.22.22.213/32 22.22.22.214/32 22.22.22.215/32 22.22.22.216/32 22.22.22.217/32 22.22.22.218/32 22.22.22.219/32 22.22.22.220/32 22.22.22.221/32 22.22.22.222/32 22.22.22.223/32 22.22.22.224/32 22.22.22.225/32 22.22.22.226/32 22.22.22.227/32 22.22.22.228/32 22.22.22.229/32 22.22.22.230/32 22.22.22.231/32 22.22.22.232/32 22.22.22.233/32 22.22.22.234/32 22.22.22.235/32 22.22.22.236/32 22.22.22.237/32 22.22.22.238/32 22.22.22.239/32 22.22.22.240/32 22.22.22.241/32 22.22.22.242/32 22.22.22.243/32 22.22.22.244/32 22.22.22.245/32 22.22.22.246/32 22.22.22.247/32 22.22.22.248/32 22.22.22.249/32 22.22.22.250/32 22.22.22.251/32 22.22.22.252/32 22.22.22.253/32 22.22.22.254/32" "" update_addresses_of_interface "eth3 22.22.23.23/24 22.22.25.50/24 22.22.23.24/24" "" update_addresses_of_interface "eth2 192.168.2.1/24 192.168.2.40/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state 
ESTABLISHED,RELATED -j ACCEPT # drop TCP sessions opened prior firewall restart $IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP $IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 1 --ulog-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p 
icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 
-j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.40 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 3 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 22.22.25.50 
$IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/0 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 11/1 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 50 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 $IPTABLES -t nat -A POSTROUTING -o eth1 -p 88 -s 192.168.1.0/24 -j SNAT 
--to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -p 88 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.40 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.25.50 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23 --random $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.24 --random $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.25 --random # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -d 192.168.1.10 -j SNAT --to-source 192.168.1.1 # # Rule 9 (NAT) # echo "Rule 9 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 192.168.2.0/24 -j SNAT --to-source 192.168.2.1 # # Rule 10 (NAT) # echo "Rule 10 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 192.168.2.0/24 -j SNAT --to-source 192.168.2.1 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 192.168.2.0/24 -j SNAT --to-source 192.168.2.40 # # Rule 11 (NAT) # echo "Rule 11 (NAT)" # $IPTABLES -t nat -N Cid3D1519E8.0 $IPTABLES -t 
nat -A POSTROUTING -d 192.168.2.10 -j Cid3D1519E8.0 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.11 -j Cid3D1519E8.0 $IPTABLES -t nat -A Cid3D1519E8.0 -s 22.22.22.22 -j ACCEPT $IPTABLES -t nat -A Cid3D1519E8.0 -s 22.22.23.23 -j ACCEPT $IPTABLES -t nat -A Cid3D1519E8.0 -s 22.22.25.50 -j ACCEPT $IPTABLES -t nat -A Cid3D1519E8.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -t nat -A Cid3D1519E8.0 -s 192.168.2.1 -j ACCEPT $IPTABLES -t nat -A Cid3D1519E8.0 -s 192.168.2.40 -j ACCEPT $IPTABLES -t nat -A OUTPUT -d 192.168.2.10 -j ACCEPT $IPTABLES -t nat -A OUTPUT -d 192.168.2.11 -j ACCEPT $IPTABLES -t nat -N Cid3D1519E8.1 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.10 -j Cid3D1519E8.1 $IPTABLES -t nat -A POSTROUTING -d 192.168.2.11 -j Cid3D1519E8.1 $IPTABLES -t nat -A Cid3D1519E8.1 -s 192.168.1.10 -j ACCEPT $IPTABLES -t nat -A Cid3D1519E8.1 -s 192.168.1.20 -j ACCEPT $IPTABLES -t nat -N Cid3D1519E8.2 $IPTABLES -t nat -A PREROUTING -d 192.168.2.10 -j Cid3D1519E8.2 $IPTABLES -t nat -A PREROUTING -d 192.168.2.11 -j Cid3D1519E8.2 $IPTABLES -t nat -A Cid3D1519E8.2 -s 192.168.1.10 -j ACCEPT $IPTABLES -t nat -A Cid3D1519E8.2 -s 192.168.1.20 -j ACCEPT # # Rule 12 (NAT) # echo "Rule 12 (NAT)" # $IPTABLES -t nat -N Cid3D151BA0.0 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.10 -j Cid3D151BA0.0 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.20 -j Cid3D151BA0.0 $IPTABLES -t nat -A PREROUTING -s 192.168.1.10 -j Cid3D151BA0.0 $IPTABLES -t nat -A PREROUTING -s 192.168.1.20 -j Cid3D151BA0.0 $IPTABLES -t nat -A Cid3D151BA0.0 -d 192.168.2.10 -j RETURN $IPTABLES -t nat -A Cid3D151BA0.0 -d 192.168.2.11 -j RETURN $IPTABLES -t nat -A Cid3D151BA0.0 -j ACCEPT # # Rule 13 (NAT) # echo "Rule 13 (NAT)" # $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j 
DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p 50 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p 88 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p 50 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p 88 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10 # # Rule 14 (NAT) # echo "Rule 14 (NAT)" # $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 3 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 0/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 15 (NAT) # echo "Rule 15 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -s 22.22.23.23 -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 
$IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -s 22.22.25.50 -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 16 (NAT) # echo "Rule 16 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -s 200.200.200.200 -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 18 (NAT) # echo "Rule 18 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.24 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.25 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.24 --dports 80,119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m multiport -d 22.22.22.25 --dports 80,119 -j DNAT --to-destination 192.168.1.10 # # Rule 19 (NAT) # echo "Rule 19 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 119 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 119 -j DNAT --to-destination 192.168.1.10 # # Rule 20 (NAT) # echo "Rule 20 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.20 -j SNAT --to-source 22.22.23.24 # # Rule 21 (NAT) # echo "Rule 21 (NAT)" # $IPTABLES -t nat -A PREROUTING -d 22.22.23.24 -j DNAT --to-destination 192.168.1.20 $IPTABLES -t nat -A OUTPUT -d 22.22.23.24 -j DNAT --to-destination 192.168.1.20 # # Rule 22 (NAT) # echo "Rule 22 (NAT)" # # firewall2:NAT:22: warning: Adding of virtual address for address range is not implemented (object ext_range) 
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110 # # Rule 23 (NAT) # echo "Rule 23 (NAT)" # # NETMAP $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 22.22.22.0/24 # # Rule 24 (NAT) # echo "Rule 24 (NAT)" # # NETMAP $IPTABLES -t nat -A PREROUTING -d 22.22.22.0/24 -j NETMAP --to 192.168.1.0/24 # # Rule 25 (NAT) # echo "Rule 25 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.23.23 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.25.50 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.1.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.2.1 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.2.40 --dport 10000:11000 -j DNAT --to-destination 192.168.1.10:10000-11000 # # Rule 26 (NAT) # echo "Rule 26 (NAT)" # $IPTABLES 
-t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.23.23 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.25.50 --dport 80 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.1.10 --dport 80 -j SNAT --to-source 192.168.1.1 # # Rule 27 (NAT) # echo "Rule 27 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.23 --dport 80 -j DNAT --to-destination 192.168.1.10:25 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.23 --dport 80 -j DNAT --to-destination 192.168.1.10:25 # # Rule 28 (NAT) # echo "Rule 28 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 80 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.25.50 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 
192.168.1.1 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 443 -j REDIRECT --to-ports 3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.40 --dport 443 -j REDIRECT --to-ports 3128 # # Rule 29 (NAT) # echo "Rule 29 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.10-192.168.1.100 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.10-192.168.1.100 # # Rule 30 (NAT) # echo "Rule 30 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.11-192.168.1.15 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.11-192.168.1.15 # # Rule 31 (NAT) # echo "Rule 31 (NAT)" # # transparent proxy rule $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 22.22.22.23 -j DNAT --to-destination 192.168.2.10 # # Rule 33 (NAT) # echo "Rule 33 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080 # # Rule 34 (NAT) # echo "Rule 34 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:8080 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:8080 # # Rule 35 (NAT) # echo "Rule 35 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 36 (NAT) # echo "Rule 36 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 
192.168.1.10 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s ! 192.168.1.10 -d 192.168.1.10 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 37 (NAT) # echo "Rule 37 (NAT)" # $IPTABLES -t nat -N Cid40F195C3.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d ! 192.168.1.50 --dport 80 -j Cid40F195C3.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d ! 192.168.1.50 --dport 80 -j Cid40F195C3.0 $IPTABLES -t nat -A Cid40F195C3.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid40F195C3.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid40F195C3.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:3128 # # Rule 38 (NAT) # echo "Rule 38 (NAT)" # $IPTABLES -t nat -N Cid40F1C52F.1 $IPTABLES -t nat -A POSTROUTING -o eth0 -j Cid40F1C52F.1 $IPTABLES -t nat -A Cid40F1C52F.1 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid40F1C52F.1 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -N Cid40F1C52F.0 $IPTABLES -t nat -A Cid40F1C52F.1 -j Cid40F1C52F.0 $IPTABLES -t nat -A Cid40F1C52F.0 -p tcp -m tcp --dport 80 -j RETURN $IPTABLES -t nat -A Cid40F1C52F.0 -j SNAT --to-source 192.168.1.1 # # Rule 39 (NAT) # echo "Rule 39 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to-destination 192.168.1.10:3128 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.10 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 40 (NAT) # echo "Rule 40 (NAT)" # # this is the "exception" rule # used in support req. 
originally $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 41 (NAT) # echo "Rule 41 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 42 (NAT) # echo "Rule 42 (NAT)" # # "exception" rule in the pair # from a support req. $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 43 (NAT) # echo "Rule 43 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid46D67A4324736.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid46D67A4324736.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid46D67A4324736.0 $IPTABLES -t nat -A Cid46D67A4324736.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid46D67A4324736.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid46D67A4324736.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 44 (NAT) # echo "Rule 44 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid46D67A5924736.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid46D67A5924736.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid46D67A5924736.0 $IPTABLES -t nat -A Cid46D67A5924736.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid46D67A5924736.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid46D67A5924736.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128 # # Rule 45 (NAT) # echo "Rule 45 (NAT)" # # testing transparent proxy # roules for a support req. 
$IPTABLES -t nat -N Cid46D49F3624736.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid46D49F3624736.0 $IPTABLES -t nat -A Cid46D49F3624736.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid46D49F3624736.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid46D49F3624736.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 # # Rule 46 (NAT) # echo "Rule 46 (NAT)" # # "exception" rule in the pair # from a support req. $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 80 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.20 --dport 80 -j SNAT --to-source 22.22.22.22 # # Rule 47 (NAT) # echo "Rule 47 (NAT)" # # testing transparent proxy # roules for a support req. $IPTABLES -t nat -N Cid46D6AA2F24736.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid46D6AA2F24736.0 $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j Cid46D6AA2F24736.0 $IPTABLES -t nat -A Cid46D6AA2F24736.0 -s 192.168.1.10 -j RETURN $IPTABLES -t nat -A Cid46D6AA2F24736.0 -s 192.168.1.20 -j RETURN $IPTABLES -t nat -A Cid46D6AA2F24736.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:3128 # # Rule 48 (NAT) # echo "Rule 48 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 3050:3051 -j DNAT --to-destination :700 $IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -s 192.168.1.0/24 --dport 700 -j SNAT --to-source 192.168.1.10 # # Rule 49 (NAT) # echo "Rule 49 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 9040 -j REDIRECT --to-ports 9040 # # Rule 50 (NAT) # echo "Rule 50 (NAT)" # $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m owner --uid-owner anonymous -j REDIRECT --to-ports 9040 # # Rule 52 (NAT) # echo "Rule 52 (NAT)" # $IPTABLES -t nat -A OUTPUT -p udp -m udp -m owner --uid-owner anonymous -j REDIRECT --to-ports 53 # ================ Table 'filter', rule set Policy # # Rule 0 (eth1) # echo "Rule 0 (eth1)" # # Anti-spoofing rule # 
firewall2:Policy:0: error: Rule '0 (eth1)' shadows rule '2 (fw2i1,3)' below it # firewall2:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.25.50 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.2.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.2.40 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.23.23 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 22.22.25.50 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.40 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A In_RULE_0 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "Iface: global RULE 0 -- DENY " --ulog-qthreshold 1 $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (eth1) # echo "Rule 1 (eth1)" # # Anti-spoofing rule $IPTABLES -N Cid3AFB6710.0 $IPTABLES -A OUTPUT -o eth1 -j Cid3AFB6710.0 $IPTABLES -A Cid3AFB6710.0 -s 22.22.22.22 -j RETURN $IPTABLES -A Cid3AFB6710.0 -s 22.22.23.23 -j RETURN $IPTABLES -A Cid3AFB6710.0 -s 22.22.25.50 -j RETURN $IPTABLES -A Cid3AFB6710.0 -s 192.168.1.1 -j RETURN $IPTABLES -A Cid3AFB6710.0 -s 192.168.2.1 -j RETURN $IPTABLES -A Cid3AFB6710.0 -s 192.168.2.40 -j RETURN $IPTABLES -N Out_RULE_1_3 $IPTABLES -A Cid3AFB6710.0 -j Out_RULE_1_3 $IPTABLES -A Out_RULE_1_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "Iface: global RULE 1 -- DENY " --ulog-qthreshold 1 $IPTABLES -A Out_RULE_1_3 -j DROP $IPTABLES -N Cid3AFB6710.1 $IPTABLES -A FORWARD -o eth1 -j Cid3AFB6710.1 $IPTABLES -A Cid3AFB6710.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid3AFB6710.1 
-j Out_RULE_1_3 # # Rule 2 (fw2i1,3) # echo "Rule 2 (fw2i1,3)" # # testing group in "interface" # this rule should be identical to rule 3 # firewall2:Policy:2: error: Rule '2 (fw2i1,3)' shadows rule '3 (eth1,eth3)' below it $IPTABLES -N In_RULE_2 $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A FORWARD -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A In_RULE_2 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 2 - DENY **" --ulog-qthreshold 1 $IPTABLES -A In_RULE_2 -j DROP # # Rule 3 (eth1,eth3) # echo "Rule 3 (eth1,eth3)" # $IPTABLES -N In_RULE_3 $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A FORWARD -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A FORWARD -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A In_RULE_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 3 - DENY **" --ulog-qthreshold 1 $IPTABLES -A In_RULE_3 -j DROP # # Rule 4 (eth1,eth3) # echo "Rule 4 (eth1,eth3)" # # testing choice of chains in case when several # interfaces are used and rule matches 'any' or # broadcast # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state 
--state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth3 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 5 (eth1,eth3) # echo "Rule 5 (eth1,eth3)" # $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 6 (eth1,eth3) # echo "Rule 6 (eth1,eth3)" # $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N Cid3D6748D9.0 $IPTABLES -A OUTPUT -j Cid3D6748D9.0 $IPTABLES -A INPUT -j Cid3D6748D9.0 $IPTABLES -A FORWARD -j Cid3D6748D9.0 $IPTABLES -A Cid3D6748D9.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN $IPTABLES -N RULE_7_3 $IPTABLES -A Cid3D6748D9.0 -j RULE_7_3 $IPTABLES -A RULE_7_3 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 7 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_7_3 -j DROP # # Rule 8 (global) # echo "Rule 8 (global)" # # block fragments $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -p all -f -j RULE_8 $IPTABLES -A INPUT -p all -f -j RULE_8 $IPTABLES -A FORWARD -p all -f -j RULE_8 $IPTABLES -A RULE_8 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 8 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_8 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # # sends TCP RST and makes custom record # in the log $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A FORWARD -p 
tcp -m tcp --dport 113 -j RULE_9 $IPTABLES -A RULE_9 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "IDENT" --ulog-qthreshold 1 $IPTABLES -A RULE_9 -p tcp -m tcp -j REJECT --reject-with tcp-reset # # Rule 10 (global) # echo "Rule 10 (global)" # # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it # firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10 $IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1 $IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable # # Rule 11 (global) # echo "Rule 11 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid39895X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid39895X70161.0 $IPTABLES -A Cid39895X70161.0 -d 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid39895X70161.0 -d 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid39895X70161.0 -d 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid39895X70161.0 -d 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid39895X70161.0 -d 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid39895X70161.0 -d 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid39895X70161.0 -d 192.168.1.100 -j ACCEPT $IPTABLES -N Cid39895X70161.1 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid39895X70161.1 $IPTABLES -A Cid39895X70161.1 -d 192.168.1.10/31 -j ACCEPT $IPTABLES -A 
Cid39895X70161.1 -d 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid39895X70161.1 -d 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid39895X70161.1 -d 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid39895X70161.1 -d 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid39895X70161.1 -d 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid39895X70161.1 -d 192.168.1.100 -j ACCEPT $IPTABLES -N Cid39895X70161.2 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid39895X70161.2 $IPTABLES -A Cid39895X70161.2 -d 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid39895X70161.2 -d 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid39895X70161.2 -d 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid39895X70161.2 -d 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid39895X70161.2 -d 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid39895X70161.2 -d 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid39895X70161.2 -d 192.168.1.100 -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid39909X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid39909X70161.0 $IPTABLES -A Cid39909X70161.0 -s 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid39909X70161.0 -s 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid39909X70161.0 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid39909X70161.0 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid39909X70161.0 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid39909X70161.0 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid39909X70161.0 -s 192.168.1.100 -j ACCEPT $IPTABLES -N Cid39909X70161.1 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid39909X70161.1 $IPTABLES -A Cid39909X70161.1 -s 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid39909X70161.1 -s 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid39909X70161.1 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid39909X70161.1 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid39909X70161.1 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid39909X70161.1 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A 
Cid39909X70161.1 -s 192.168.1.100 -j ACCEPT $IPTABLES -N Cid39909X70161.2 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid39909X70161.2 $IPTABLES -A Cid39909X70161.2 -s 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid39909X70161.2 -s 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid39909X70161.2 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid39909X70161.2 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid39909X70161.2 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid39909X70161.2 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid39909X70161.2 -s 192.168.1.100 -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid131093X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid131093X70161.0 $IPTABLES -N Cid131093X70161.1 $IPTABLES -A Cid131093X70161.0 -s 222.222.222.10/31 -j Cid131093X70161.1 $IPTABLES -A Cid131093X70161.0 -s 222.222.222.12/30 -j Cid131093X70161.1 $IPTABLES -A Cid131093X70161.0 -s 222.222.222.16/28 -j Cid131093X70161.1 $IPTABLES -A Cid131093X70161.0 -s 222.222.222.32/27 -j Cid131093X70161.1 $IPTABLES -A Cid131093X70161.0 -s 222.222.222.64/27 -j Cid131093X70161.1 $IPTABLES -A Cid131093X70161.0 -s 222.222.222.96/30 -j Cid131093X70161.1 $IPTABLES -A Cid131093X70161.0 -s 222.222.222.100 -j Cid131093X70161.1 $IPTABLES -A Cid131093X70161.1 -d 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid131093X70161.1 -d 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid131093X70161.1 -d 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid131093X70161.1 -d 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid131093X70161.1 -d 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid131093X70161.1 -d 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid131093X70161.1 -d 192.168.1.100 -j ACCEPT $IPTABLES -N Cid131093X70161.2 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid131093X70161.2 $IPTABLES -N Cid131093X70161.3 $IPTABLES -A Cid131093X70161.2 -s 222.222.222.10/31 -j Cid131093X70161.3 $IPTABLES -A 
Cid131093X70161.2 -s 222.222.222.12/30 -j Cid131093X70161.3 $IPTABLES -A Cid131093X70161.2 -s 222.222.222.16/28 -j Cid131093X70161.3 $IPTABLES -A Cid131093X70161.2 -s 222.222.222.32/27 -j Cid131093X70161.3 $IPTABLES -A Cid131093X70161.2 -s 222.222.222.64/27 -j Cid131093X70161.3 $IPTABLES -A Cid131093X70161.2 -s 222.222.222.96/30 -j Cid131093X70161.3 $IPTABLES -A Cid131093X70161.2 -s 222.222.222.100 -j Cid131093X70161.3 $IPTABLES -A Cid131093X70161.3 -d 192.168.1.10/31 -j ACCEPT $IPTABLES -A Cid131093X70161.3 -d 192.168.1.12/30 -j ACCEPT $IPTABLES -A Cid131093X70161.3 -d 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid131093X70161.3 -d 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid131093X70161.3 -d 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid131093X70161.3 -d 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid131093X70161.3 -d 192.168.1.100 -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid131076X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid131076X70161.0 $IPTABLES -N Cid131076X70161.1 $IPTABLES -A Cid131076X70161.0 -s 192.168.1.10/31 -j Cid131076X70161.1 $IPTABLES -A Cid131076X70161.0 -s 192.168.1.12/30 -j Cid131076X70161.1 $IPTABLES -A Cid131076X70161.0 -s 192.168.1.16/28 -j Cid131076X70161.1 $IPTABLES -A Cid131076X70161.0 -s 192.168.1.32/27 -j Cid131076X70161.1 $IPTABLES -A Cid131076X70161.0 -s 192.168.1.64/27 -j Cid131076X70161.1 $IPTABLES -A Cid131076X70161.0 -s 192.168.1.96/30 -j Cid131076X70161.1 $IPTABLES -A Cid131076X70161.0 -s 192.168.1.100 -j Cid131076X70161.1 $IPTABLES -A Cid131076X70161.1 -d 222.222.222.10/31 -j ACCEPT $IPTABLES -A Cid131076X70161.1 -d 222.222.222.12/30 -j ACCEPT $IPTABLES -A Cid131076X70161.1 -d 222.222.222.16/28 -j ACCEPT $IPTABLES -A Cid131076X70161.1 -d 222.222.222.32/27 -j ACCEPT $IPTABLES -A Cid131076X70161.1 -d 222.222.222.64/27 -j ACCEPT $IPTABLES -A Cid131076X70161.1 -d 222.222.222.96/30 -j ACCEPT $IPTABLES -A Cid131076X70161.1 -d 
222.222.222.100 -j ACCEPT $IPTABLES -N Cid131076X70161.2 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid131076X70161.2 $IPTABLES -N Cid131076X70161.3 $IPTABLES -A Cid131076X70161.2 -s 192.168.1.10/31 -j Cid131076X70161.3 $IPTABLES -A Cid131076X70161.2 -s 192.168.1.12/30 -j Cid131076X70161.3 $IPTABLES -A Cid131076X70161.2 -s 192.168.1.16/28 -j Cid131076X70161.3 $IPTABLES -A Cid131076X70161.2 -s 192.168.1.32/27 -j Cid131076X70161.3 $IPTABLES -A Cid131076X70161.2 -s 192.168.1.64/27 -j Cid131076X70161.3 $IPTABLES -A Cid131076X70161.2 -s 192.168.1.96/30 -j Cid131076X70161.3 $IPTABLES -A Cid131076X70161.2 -s 192.168.1.100 -j Cid131076X70161.3 $IPTABLES -A Cid131076X70161.3 -d 222.222.222.10/31 -j ACCEPT $IPTABLES -A Cid131076X70161.3 -d 222.222.222.12/30 -j ACCEPT $IPTABLES -A Cid131076X70161.3 -d 222.222.222.16/28 -j ACCEPT $IPTABLES -A Cid131076X70161.3 -d 222.222.222.32/27 -j ACCEPT $IPTABLES -A Cid131076X70161.3 -d 222.222.222.64/27 -j ACCEPT $IPTABLES -A Cid131076X70161.3 -d 222.222.222.96/30 -j ACCEPT $IPTABLES -A Cid131076X70161.3 -d 222.222.222.100 -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid57999X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid57999X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid57999X70161.0 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid57999X70161.0 $IPTABLES -A Cid57999X70161.0 -d 192.168.1.10/31 -j RETURN $IPTABLES -A Cid57999X70161.0 -d 192.168.1.12/30 -j RETURN $IPTABLES -A Cid57999X70161.0 -d 192.168.1.16/28 -j RETURN $IPTABLES -A Cid57999X70161.0 -d 192.168.1.32/27 -j RETURN $IPTABLES -A Cid57999X70161.0 -d 192.168.1.64/27 -j RETURN $IPTABLES -A Cid57999X70161.0 -d 192.168.1.96/30 -j RETURN $IPTABLES -A Cid57999X70161.0 -d 192.168.1.100 -j RETURN $IPTABLES -A Cid57999X70161.0 -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" 
# # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid58016X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid58016X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid58016X70161.0 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid58016X70161.0 $IPTABLES -A Cid58016X70161.0 -s 192.168.1.10/31 -j RETURN $IPTABLES -A Cid58016X70161.0 -s 192.168.1.12/30 -j RETURN $IPTABLES -A Cid58016X70161.0 -s 192.168.1.16/28 -j RETURN $IPTABLES -A Cid58016X70161.0 -s 192.168.1.32/27 -j RETURN $IPTABLES -A Cid58016X70161.0 -s 192.168.1.64/27 -j RETURN $IPTABLES -A Cid58016X70161.0 -s 192.168.1.96/30 -j RETURN $IPTABLES -A Cid58016X70161.0 -s 192.168.1.100 -j RETURN $IPTABLES -A Cid58016X70161.0 -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid76132X70161.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid76132X70161.0 $IPTABLES -A Cid76132X70161.0 -d 192.168.1.0 -j RETURN $IPTABLES -A Cid76132X70161.0 -j ACCEPT $IPTABLES -N Cid76132X70161.1 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid76132X70161.1 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid76132X70161.1 $IPTABLES -A Cid76132X70161.1 -d 192.168.1.10/31 -j RETURN $IPTABLES -A Cid76132X70161.1 -d 192.168.1.12/30 -j RETURN $IPTABLES -A Cid76132X70161.1 -d 192.168.1.16/28 -j RETURN $IPTABLES -A Cid76132X70161.1 -d 192.168.1.32/27 -j RETURN $IPTABLES -A Cid76132X70161.1 -d 192.168.1.64/27 -j RETURN $IPTABLES -A Cid76132X70161.1 -d 192.168.1.96/30 -j RETURN $IPTABLES -A Cid76132X70161.1 -d 192.168.1.100 -j RETURN $IPTABLES -A Cid76132X70161.1 -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -N Cid76149X70161.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid76149X70161.0 
$IPTABLES -A Cid76149X70161.0 -s 192.168.1.0 -j RETURN $IPTABLES -A Cid76149X70161.0 -j ACCEPT $IPTABLES -N Cid76149X70161.1 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid76149X70161.1 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid76149X70161.1 $IPTABLES -A Cid76149X70161.1 -s 192.168.1.10/31 -j RETURN $IPTABLES -A Cid76149X70161.1 -s 192.168.1.12/30 -j RETURN $IPTABLES -A Cid76149X70161.1 -s 192.168.1.16/28 -j RETURN $IPTABLES -A Cid76149X70161.1 -s 192.168.1.32/27 -j RETURN $IPTABLES -A Cid76149X70161.1 -s 192.168.1.64/27 -j RETURN $IPTABLES -A Cid76149X70161.1 -s 192.168.1.96/30 -j RETURN $IPTABLES -A Cid76149X70161.1 -s 192.168.1.100 -j RETURN $IPTABLES -A Cid76149X70161.1 -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # # using module iprange if # iptables version is >= 1.2.11 # also test for bug #2526173 $IPTABLES -N RULE_19 $IPTABLES -A INPUT -s 0.0.0.0 -j RULE_19 $IPTABLES -A OUTPUT -s 0.0.0.0 -j RULE_19 $IPTABLES -A RULE_19 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 19 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_19 -j DROP # # Rule 20 (global) # echo "Rule 20 (global)" # # using module iprange if # iptables version is >= 1.2.11 $IPTABLES -A INPUT -p udp -m udp -s 192.168.1.1 --dport 161 -m state --state NEW -j ACCEPT $IPTABLES -N Cid42387X35957.0 $IPTABLES -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid42387X35957.0 $IPTABLES -A Cid42387X35957.0 -s 192.168.1.2/31 -j ACCEPT $IPTABLES -A Cid42387X35957.0 -s 192.168.1.4/30 -j ACCEPT $IPTABLES -A Cid42387X35957.0 -s 192.168.1.8/29 -j ACCEPT $IPTABLES -A Cid42387X35957.0 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid42387X35957.0 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid42387X35957.0 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid42387X35957.0 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid42387X35957.0 -s 192.168.1.100 -j ACCEPT $IPTABLES -A OUTPUT -p udp -m udp -s 192.168.1.1 --dport 161 -m state 
--state NEW -j ACCEPT $IPTABLES -N Cid42387X35957.1 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -m state --state NEW -j Cid42387X35957.1 $IPTABLES -A Cid42387X35957.1 -s 192.168.1.2/31 -j ACCEPT $IPTABLES -A Cid42387X35957.1 -s 192.168.1.4/30 -j ACCEPT $IPTABLES -A Cid42387X35957.1 -s 192.168.1.8/29 -j ACCEPT $IPTABLES -A Cid42387X35957.1 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid42387X35957.1 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid42387X35957.1 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid42387X35957.1 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid42387X35957.1 -s 192.168.1.100 -j ACCEPT $IPTABLES -N Cid42387X35957.2 $IPTABLES -A FORWARD -p udp -m udp --dport 161 -m state --state NEW -j Cid42387X35957.2 $IPTABLES -A Cid42387X35957.2 -s 192.168.1.2/31 -j ACCEPT $IPTABLES -A Cid42387X35957.2 -s 192.168.1.4/30 -j ACCEPT $IPTABLES -A Cid42387X35957.2 -s 192.168.1.8/29 -j ACCEPT $IPTABLES -A Cid42387X35957.2 -s 192.168.1.16/28 -j ACCEPT $IPTABLES -A Cid42387X35957.2 -s 192.168.1.32/27 -j ACCEPT $IPTABLES -A Cid42387X35957.2 -s 192.168.1.64/27 -j ACCEPT $IPTABLES -A Cid42387X35957.2 -s 192.168.1.96/30 -j ACCEPT $IPTABLES -A Cid42387X35957.2 -s 192.168.1.100 -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -N Cid3DD1E1E0.0 $IPTABLES -A INPUT -p icmp -m icmp -s 192.168.2.0/24 --icmp-type any -m state --state NEW -j Cid3DD1E1E0.0 $IPTABLES -N RULE_21 $IPTABLES -A Cid3DD1E1E0.0 -d 192.168.2.1 -j RULE_21 $IPTABLES -A Cid3DD1E1E0.0 -d 192.168.2.40 -j RULE_21 $IPTABLES -A RULE_21 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 21 - ACCEPT **" --ulog-qthreshold 1 $IPTABLES -A RULE_21 -j ACCEPT # # Rule 22 (global) # echo "Rule 22 (global)" # $IPTABLES -N Cid3D8FC846.0 $IPTABLES -A FORWARD -d 211.11.11.11 -m state --state NEW -j Cid3D8FC846.0 $IPTABLES -A Cid3D8FC846.0 -s 192.168.1.10 -j ACCEPT $IPTABLES -A Cid3D8FC846.0 -s 192.168.1.20 -j ACCEPT # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -N Cid3D8FC984.0 
$IPTABLES -A FORWARD -s 211.11.11.11 -m state --state NEW -j Cid3D8FC984.0 $IPTABLES -A Cid3D8FC984.0 -d 192.168.1.10 -j ACCEPT $IPTABLES -A Cid3D8FC984.0 -d 192.168.1.20 -j ACCEPT # # Rule 24 (global) # echo "Rule 24 (global)" # $IPTABLES -N Cid3DCBFEA0.0 $IPTABLES -A OUTPUT -p tcp -m tcp -j Cid3DCBFEA0.0 $IPTABLES -A INPUT -p tcp -m tcp -j Cid3DCBFEA0.0 $IPTABLES -A FORWARD -p tcp -m tcp -j Cid3DCBFEA0.0 $IPTABLES -A Cid3DCBFEA0.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid3DCBFEA0.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid3DCBFEA0.0 -p tcp -m tcp -j REJECT --reject-with tcp-reset $IPTABLES -N Cid3DCBFEA0.1 $IPTABLES -A OUTPUT -j Cid3DCBFEA0.1 $IPTABLES -A INPUT -j Cid3DCBFEA0.1 $IPTABLES -A FORWARD -j Cid3DCBFEA0.1 $IPTABLES -A Cid3DCBFEA0.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid3DCBFEA0.1 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid3DCBFEA0.1 -j REJECT --reject-with icmp-net-unreachable # # Rule 25 (global) # echo "Rule 25 (global)" # # firewall2:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.2.0/24 -m state --state NEW -j ACCEPT # # Rule 26 (global) # echo "Rule 26 (global)" # $IPTABLES -N RULE_26 $IPTABLES -A INPUT -s 192.168.1.0/24 -j RULE_26 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j RULE_26 $IPTABLES -A FORWARD -s 192.168.1.0/24 -j RULE_26 $IPTABLES -A RULE_26 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 26 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_26 -j DROP # # Rule 27 (global) # echo "Rule 27 (global)" # # host-fw2 has the same address as # one of the firewall's interfaces $IPTABLES -N RULE_27 $IPTABLES -A OUTPUT -p 
tcp -m tcp -d 22.22.22.22 --dport 21 -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j RULE_27 $IPTABLES -A INPUT -p tcp -m tcp -d 22.22.22.22 --dport 21 -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j RULE_27 $IPTABLES -A RULE_27 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 27 - ACCEPT **" --ulog-qthreshold 1 $IPTABLES -A RULE_27 -j ACCEPT # # Rule 28 (global) # echo "Rule 28 (global)" # $IPTABLES -N Cid3C447BCB.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -j Cid3C447BCB.0 $IPTABLES -N RULE_28 $IPTABLES -A Cid3C447BCB.0 -d 22.22.22.22 -j RULE_28 $IPTABLES -A Cid3C447BCB.0 -d 22.22.23.23 -j RULE_28 $IPTABLES -A Cid3C447BCB.0 -d 22.22.25.50 -j RULE_28 $IPTABLES -A Cid3C447BCB.0 -d 192.168.1.1 -j RULE_28 $IPTABLES -A Cid3C447BCB.0 -d 192.168.2.1 -j RULE_28 $IPTABLES -A Cid3C447BCB.0 -d 192.168.2.40 -j RULE_28 $IPTABLES -N Cid3C447BCB.1 $IPTABLES -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j Cid3C447BCB.1 $IPTABLES -A Cid3C447BCB.1 -d 22.22.22.22 -j RULE_28 $IPTABLES -A Cid3C447BCB.1 -d 22.22.23.23 -j RULE_28 $IPTABLES -A Cid3C447BCB.1 -d 22.22.25.50 -j RULE_28 $IPTABLES -A Cid3C447BCB.1 -d 192.168.1.1 -j RULE_28 $IPTABLES -A Cid3C447BCB.1 -d 192.168.2.1 -j RULE_28 $IPTABLES -A Cid3C447BCB.1 -d 192.168.2.40 -j RULE_28 $IPTABLES -A RULE_28 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 28 - ACCEPT **" --ulog-qthreshold 1 $IPTABLES -A RULE_28 -j ACCEPT # # Rule 29 (global) # echo "Rule 29 (global)" # # 'catch all' rule # firewall2:Policy:29: error: Object 'net-err' has address or netmask 0.0.0.0, which is equivalent to 'any'. This is likely an error. 
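$IPTABLES -N RULE_29
$IPTABLES -A INPUT -s 1.2.3.0/0 -j RULE_29
$IPTABLES -A OUTPUT -s 1.2.3.0/0 -j RULE_29
$IPTABLES -A FORWARD -s 1.2.3.0/0 -j RULE_29
$IPTABLES -A RULE_29 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 29 - DENY **" --ulog-qthreshold 1
$IPTABLES -A RULE_29 -j DROP
}

# Turn on IPv4 forwarding in the kernel. Called from the 'start' arm below,
# after script_body has installed the rule set.
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Flush the IPv4 rule set (reset_iptables_v4 is defined earlier in this script).
reset_all() {
    :
    reset_iptables_v4
}

# 'block': flush everything and keep whatever policies reset_iptables_v4 sets.
block_action() {
    reset_all
}

# 'stop': flush everything and set all three filter policies to ACCEPT.
# After this the host does no packet filtering at all; this is the intended
# meaning of 'stop' (use 'block' to flush while staying closed).
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# Probe one /proc/net/*_tables_names file.
# Arguments: $1 - path of the file to probe
# Returns:   151 if the file does not exist (netfilter modules not loaded),
#            152 if it exists but is empty (no tables configured), 0 otherwise
check_iptables() {
    IP_TABLES="$1"
    # The path is quoted so an empty or unexpected argument cannot change the
    # shape of the test or the file that is read.
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# 'status': return 0 when either the IPv4 or the IPv6 table list is present
# and non-empty; otherwise print why and exit with status 3.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    # Separate tests joined with || replace the ambiguous '[ a -o b ]' form.
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

# RETVAL only records the status of the last command of each arm (for 'start'
# that is epilog_commands); the earlier steps are expected to exit on their own
# when they fail (check_tools etc. are defined earlier in this script).
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:17 2012 by vadim"
        check_tools
        check_run_time_address_table_files
        load_modules "nat "
        configure_interfaces
        verify_interfaces
        reset_all
        prolog_commands
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # With FWBDEBUG="echo" the ip commands in configure_interfaces are
        # printed instead of executed.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?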
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall20-ipv6.fw.orig000077500000000000000000000301121303637203600214150ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:18 2012 PDT by vadim # # files: * firewall20-ipv6.fw /etc/fw/firewall20-ipv6.fw # # Compiled for iptables (any version) # # testing firewall_is_part_of_any_and_networks # also testing SNAT and DNAT rules when external interface has dynamic address # dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning. FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
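.*$!!')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    # NOTE(review): the variable name in $name comes from the caller
    # (getInterfaceVarName); this eval is only well-formed when that name is a
    # valid shell identifier.
    eval "${name}_list=\"$L\""
}

# Thin wrappers that fix the address family passed to the *_internal helpers.
# Arguments: $1 - interface name, $2 - name of the shell variable to fill
getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
# Prints the name of every interface whose 'ip link show' line contains
# ": $1" (so "ppp" yields ppp0, ppp1, ...); $1 is used as a grep pattern.
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set -- $L
        IFS=$OIFS
        echo $2
    done
}

# Call "$1 <word> $4" for every word of $2 that is not present in $3.
# Arguments: $1 - function to call, $2 - list 1 (whitespace separated),
#            $3 - list 2, $4 - extra argument passed through ("add"/"del")
# Membership is an exact word comparison. The previous 'echo | grep -q'
# test was a substring/regex match, which (e.g.) reports "10.0.0.1/24@eth0"
# as present when only "110.0.0.1/24@eth0" is in list 2.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        found=""
        for other in $list2
        do
            test "$other" = "$intf" && found="yes"
        done
        test -n "$found" || {
            # $intf is absent in list 2
            $func $intf $cmd
        }
    done
}

# Exit with status 1 unless $1 can be located by 'which'.
find_program() {
    PGM=$1
    which "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# 'which' is checked first because find_program itself relies on it.
check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $IP
}

# Set DROP policies first, then flush and delete every chain of every table
# listed in /proc/net/ip_tables_names, so the box stays closed while the
# rule set is rebuilt.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t "$table" -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t "$table" -F "$chain"
            fi
        done
        $IPTABLES -t "$table" -X
    done
}

# IPv6 counterpart of reset_iptables_v4 (ip6tables, /proc/net/ip6_tables_names).
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t "$table" -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t "$table" -F "$chain"
            fi
        done
        $IP6TABLES -t "$table" -X
    done
}

P2P_INTERFACE_WARNING=""

# Add ("add") or remove ("del") one address on an interface.
# Arguments: $1 - "address@interface" (the format produced by
#                 list_addresses_by_scope and update_addresses_of_interface)
#            $2 - "add" or "del"
# Point-to-point interfaces are skipped with a one-time warning.
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    # 'set --' so that an empty $address clears the positional parameters
    # instead of making a bare 'set' dump every shell variable to stdout.
    set -- $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 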
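fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }
    if test "$cmd" = "add"; then
        echo "# Adding ip address: $interface $addr"
        # IPv6 addresses (those containing ':') get no broadcast address.
        # if/else replaces 'A && {..} || {..}', which re-ran the 'broadcast +'
        # branch whenever the IPv6 add itself failed.
        if echo $addr | grep -q ':'; then
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        else
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        fi
    fi
    if test "$cmd" = "del"; then
        echo "# Removing ip address: $interface $addr"
        # A failed removal aborts the script; a failed add above does not.
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    fi
    $FWBDEBUG $IP link set $interface up
}

# Print "address@interface", sorted, for every inet/inet6 address of $1 whose
# 'ip addr' line matches the awk regex $2 and whose address is not in $3.
# Arguments: $1 - interface, $2 - scope pattern (e.g. 'scope global'),
#            $3 - whitespace separated list of addresses to ignore
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read addr; do
            echo "${addr}@$interface"
        done | sort
}

# Reconcile one interface with the configured address list: configured
# addresses that are missing are added, global-scope addresses that are not
# configured are removed (both via missing_address).
# Arguments: $1 - "interface addr1 addr2 ..." as a single string
#            $2 - whitespace separated list of addresses to leave untouched
# When the interface does not exist the script exits 1, unless FWBDEBUG is
# set (test mode).
update_addresses_of_interface() {
    ignore_list=$2
    set -- $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    if $IP link show dev $interface >/dev/null 2>&1; then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush the global-scope addresses of, and bring down, every interface whose
# name is not among the arguments (the interfaces fwbuilder manages).
# With FWBDEBUG="echo" the ip commands are only printed.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
        while read intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev $intf scope global
            $FWBDEBUG $IP link set $intf down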
done
}

# Abort unless the file backing an address table object is readable.
# Arguments: $1 - address table object name (used in the message)
#            $2 - path of the file
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# This configuration uses no run-time address table files.
check_run_time_address_table_files() {
    :
}

# Module loading is a no-op in this configuration; the argument passed from
# the 'start' arm is ignored.
load_modules() {
    :
}

# Exit 1 if any interface this script configures does not exist.
verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 eth2"
    for i in eth0 eth2 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog and exit with the status given in $1.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Bring the addresses of eth0 and eth2 in line with the configuration.
# With FWBDEBUG="echo" (the 'test_interfaces' command) the ip commands are
# only printed.
configure_interfaces() {
    :
    # Configure interfaces
    # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689
    # this ensures that secondary ip address is "promoted" to primary
    # when primary address is deleted, instead of deleting both
    # primary and secondary addresses. It looks like this is only
    # available starting from Linux 2.6.16
    test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \
        echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries
    update_addresses_of_interface "eth0 fe80::1/64 192.168.1.1/24" ""
    update_addresses_of_interface "eth2 2001:470:1f05:590::1/64 192.168.2.1/24" ""
}

# Install the IPv6 filter rules. Rule order is the policy order: earlier
# rules take precedence, so do not reorder.
script_body() {
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
    # ================ IPv6
    # ================ Table 'filter', rule set Policy
    #
    # Rule 1 (ppp*)
    #
    echo "Rule 1 (ppp*)"
    #
    # ppp clients can not connect to the firewall
    $IP6TABLES -N In_RULE_1
    # Wildcard interface: every ppp* interface is looked up at run time and one
    # rule is added per IPv6 address found on it. The address list is read back
    # by eval'ing a variable named after the interface (getInterfaceVarName),
    # which only works when that name is a valid shell identifier.
    getinterfaces ppp | while read I; do
        ivar=$(getInterfaceVarName $I)
        getaddr6 $I $ivar
        cmd="$"${ivar}_list
        eval "addr_list=$cmd"
        for addr in $addr_list
        do
            test -n "$addr" && $IP6TABLES -A INPUT -i ppp+ -d $addr -j In_RULE_1
        done
    done
    $IP6TABLES -A In_RULE_1 -j LOG
    $IP6TABLES -A In_RULE_1 -j DROP
    #
    # Rule 2 (ppp*)
    #
    echo "Rule 2 (ppp*)"
    #
    # Anything else arriving on a ppp interface is logged and dropped.
    $IP6TABLES -N In_RULE_2
    $IP6TABLES -A INPUT -i ppp+ -j In_RULE_2
    $IP6TABLES -A In_RULE_2 -j LOG
    $IP6TABLES -A In_RULE_2 -j DROP
    #
    # Rule 8 (global)
    #
    echo "Rule 8 (global)"
    #
    $IP6TABLES -N Cid30296X26784.0
    $IP6TABLES -A OUTPUT -p tcp -m tcp 
--dport 22 -m state --state NEW -j Cid30296X26784.0
    # Wildcard interface ppp*: one ACCEPT per IPv6 address found on each ppp
    # interface at run time. The address list is read back by eval'ing a
    # variable named after the interface (getInterfaceVarName), which only
    # works when that name is a valid shell identifier.
    getinterfaces ppp | while read I; do
        ivar=$(getInterfaceVarName $I)
        getaddr6 $I $ivar
        cmd="$"${ivar}_list
        eval "addr_list=$cmd"
        for addr in $addr_list
        do
            test -n "$addr" && $IP6TABLES -A Cid30296X26784.0 -d $addr -j ACCEPT
        done
    done
    $IP6TABLES -A Cid30296X26784.0 -d 2001:470:1f05:590::1 -j ACCEPT
    $IP6TABLES -A Cid30296X26784.0 -d fe80::1 -j ACCEPT
    # Inbound tcp/22 is accepted from any source on INPUT.
    $IP6TABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    #
    # Rule 9 (global)
    #
    echo "Rule 9 (global)"
    #
    # Same run-time ppp* expansion as above, once for OUTPUT and once for INPUT.
    getinterfaces ppp | while read I; do
        ivar=$(getInterfaceVarName $I)
        getaddr6 $I $ivar
        cmd="$"${ivar}_list
        eval "addr_list=$cmd"
        for addr in $addr_list
        do
            test -n "$addr" && $IP6TABLES -A OUTPUT -p tcp -m tcp -d $addr --dport 22 -m state --state NEW -j ACCEPT
        done
    done
    getinterfaces ppp | while read I; do
        ivar=$(getInterfaceVarName $I)
        getaddr6 $I $ivar
        cmd="$"${ivar}_list
        eval "addr_list=$cmd"
        for addr in $addr_list
        do
            test -n "$addr" && $IP6TABLES -A INPUT -p tcp -m tcp -d $addr --dport 22 -m state --state NEW -j ACCEPT
        done
    done
    #
    # Rule 18 (global)
    #
    echo "Rule 18 (global)"
    #
    # Log and drop packets carrying an IPv6 routing header of type 0 in all
    # three chains.
    $IP6TABLES -N RULE_18
    $IP6TABLES -A OUTPUT -m rt --rt-type 0 -j RULE_18
    $IP6TABLES -A INPUT -m rt --rt-type 0 -j RULE_18
    $IP6TABLES -A FORWARD -m rt --rt-type 0 -j RULE_18
    $IP6TABLES -A RULE_18 -j LOG
    $IP6TABLES -A RULE_18 -j DROP
    #
    # Rule 19 (global)
    #
    echo "Rule 19 (global)"
    #
    # Automatically generated 'catch all' rule
    # Everything not accepted above is logged and dropped.
    $IP6TABLES -N RULE_19
    $IP6TABLES -A OUTPUT -j RULE_19
    $IP6TABLES -A INPUT -j RULE_19
    $IP6TABLES -A FORWARD -j RULE_19
    $IP6TABLES -A RULE_19 -j LOG
    $IP6TABLES -A RULE_19 -j DROP
}

# No-op in this IPv6 script (nothing is written to the forwarding sysctl).
ip_forward() {
    :
}

# Flush the IPv6 rule set; reset_iptables_v6 sets DROP policies before
# flushing, so the host stays closed while rules are rebuilt.
reset_all() {
    :
    reset_iptables_v6
}

# 'block': flush everything and keep the DROP policies set by reset_all.
block_action() {
    reset_all
}

# 'stop': flush everything and set all three filter policies to ACCEPT.
# After this the host does no IPv6 packet filtering at all; this is the
# intended meaning of 'stop' (use 'block' to flush while staying closed).
stop_action() {
    reset_all
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT
}

# Probe one /proc/net/*_tables_names file; see the return codes below.
# Arguments: $1 - path of the file to probe
check_iptables() {
    IP_TABLES="$1"
    [ !
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:18 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat ipv6" configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall20.fw.orig000077500000000000000000000472161303637203600205500ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:17 2012 PDT by vadim # # files: * firewall20.fw /etc/fw/firewall20.fw # # Compiled for iptables (any version) # # testing firewall_is_part_of_any_and_networks # also testing SNAT and DNAT rules when external interface # has dynamic address # dynamic interface ppp0 has an address object attached to it # (interface used to be static and had an address, then got # converted to dynamic but address object is still there). 
Compiler # should ignore this address object and issue a warning. # firewall20::: error: Dynamic interface ppp* should not have an IP address object attached to it. This IP address object will be ignored. # firewall20::: warning: Can not add virtual address for object address # firewall20::: warning: Can not add virtual address for object address FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : echo "Verifying interfaces: eth0 eth2" for i in eth0 eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 192.168.1.0/24 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.23 $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.23 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 192.168.1.0/24 -j MASQUERADE # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 192.168.1.0/24 -j MASQUERADE --random # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 192.168.1.0/24 -j SNAT --to-source $addr done done # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in 
$addr_list do test -n "$addr" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $addr --dport 22 -j DNAT --to-destination 192.168.1.10:22 done done $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 200.200.200.200 -j DNAT --to-destination 192.168.2.10 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 192.168.2.10 -j SNAT --to-source 192.168.2.1 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 22 -j DNAT --to-destination 192.168.1.10 getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $addr --dport 22 -j DNAT --to-destination 192.168.1.10 done done # ================ Table 'filter', rule set Policy # # Rule 0 (ppp*) # echo "Rule 0 (ppp*)" # # ppp clients get addresses on 10.1.1.0 $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i ppp+ -s ! 10.1.1.0/24 -j In_RULE_0 $IPTABLES -A FORWARD -i ppp+ -s ! 
10.1.1.0/24 -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (ppp*) # echo "Rule 1 (ppp*)" # # ppp clients can not connect to the firewall $IPTABLES -N In_RULE_1 getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && $IPTABLES -A INPUT -i ppp+ -d $addr -j In_RULE_1 done done $IPTABLES -A In_RULE_1 -j LOG $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (ppp*) # echo "Rule 2 (ppp*)" # $IPTABLES -N In_RULE_2 $IPTABLES -A INPUT -i ppp+ -j In_RULE_2 $IPTABLES -A In_RULE_2 -j LOG $IPTABLES -A In_RULE_2 -j DROP # # Rule 3 (ppp*) # echo "Rule 3 (ppp*)" # # ppp clients can only connect to the mail # server and web proxy on DMZ $IPTABLES -A FORWARD -i ppp+ -p tcp -m tcp -m multiport -d 192.168.2.10 --dports 25,3128 -m state --state NEW -j ACCEPT # # Rule 4 (ppp*) # echo "Rule 4 (ppp*)" # # ppp clients can not connect to # anything else on DMZ and # internal net $IPTABLES -N In_RULE_4 $IPTABLES -A INPUT -i ppp+ -d 192.168.1.0/24 -j In_RULE_4 $IPTABLES -A INPUT -i ppp+ -d 192.168.2.0/24 -j In_RULE_4 $IPTABLES -A FORWARD -i ppp+ -d 192.168.1.0/24 -j In_RULE_4 $IPTABLES -A FORWARD -i ppp+ -d 192.168.2.0/24 -j In_RULE_4 $IPTABLES -A In_RULE_4 -j LOG $IPTABLES -A In_RULE_4 -j DROP # # Rule 5 (ppp*) # echo "Rule 5 (ppp*)" # $IPTABLES -A INPUT -i ppp+ -s ! 33.33.33.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i ppp+ -s ! 33.33.33.0/24 -m state --state NEW -j ACCEPT # # Rule 6 (eth2) # echo "Rule 6 (eth2)" # $IPTABLES -N In_RULE_6 $IPTABLES -A INPUT -i eth2 -s ! 192.168.2.0/24 -j In_RULE_6 $IPTABLES -A FORWARD -i eth2 -s ! 192.168.2.0/24 -j In_RULE_6 $IPTABLES -A In_RULE_6 -j LOG $IPTABLES -A In_RULE_6 -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # # hostF has the same IP address as firewal. 
$IPTABLES -N RULE_7 $IPTABLES -A OUTPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_7 $IPTABLES -A INPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_7 $IPTABLES -A RULE_7 -j LOG $IPTABLES -A RULE_7 -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N Cid3EFBC67F.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid3EFBC67F.0 getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && $IPTABLES -A Cid3EFBC67F.0 -d $addr -j ACCEPT done done $IPTABLES -A Cid3EFBC67F.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3EFBC67F.0 -d 192.168.2.1 -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && $IPTABLES -A OUTPUT -p tcp -m tcp -d $addr --dport 22 -m state --state NEW -j ACCEPT done done getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && $IPTABLES -A INPUT -p tcp -m tcp -d $addr --dport 22 -m state --state NEW -j ACCEPT done done # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport -d 192.168.1.1 --dports 22,23 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp -m multiport -d 192.168.1.1 --dports 22,23 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -N Cid3EFBC6A8.0 $IPTABLES -A 
OUTPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid3EFBC6A8.0 $IPTABLES -A Cid3EFBC6A8.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3EFBC6A8.0 -d 192.168.2.1 -j ACCEPT $IPTABLES -N Cid3EFBC6A8.1 $IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid3EFBC6A8.1 $IPTABLES -A Cid3EFBC6A8.1 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3EFBC6A8.1 -d 192.168.2.1 -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -N Cid3EFBC6B3.0 $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid3EFBC6B3.0 $IPTABLES -N RULE_13 $IPTABLES -A Cid3EFBC6B3.0 -d 192.168.1.1 -j RULE_13 $IPTABLES -A Cid3EFBC6B3.0 -d 192.168.2.1 -j RULE_13 $IPTABLES -N Cid3EFBC6B3.1 $IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid3EFBC6B3.1 $IPTABLES -A Cid3EFBC6B3.1 -d 192.168.1.1 -j RULE_13 $IPTABLES -A Cid3EFBC6B3.1 -d 192.168.2.1 -j RULE_13 $IPTABLES -A RULE_13 -j LOG $IPTABLES -A RULE_13 -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # # firewall is part of Any, so compiler should # generate code in both FORWARD and # OUTPUT chains $IPTABLES -A OUTPUT -d 200.200.200.200 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 200.200.200.200 -m state --state NEW -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # # firewall is part of Any, compiler should # generate code for both FORWARD and # INPUT chains $IPTABLES -A INPUT -s 200.200.200.200 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 200.200.200.200 -m state --state NEW -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # because firewall has interface on network # internal_net, compiler should generate code # for both FORWARD and INPUT chains $IPTABLES -A INPUT -s 192.168.1.10 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.10 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # $IPTABLES -N 
Cid3EFBC6DC.0 $IPTABLES -A OUTPUT -d 200.200.200.200 -m state --state NEW -j Cid3EFBC6DC.0 $IPTABLES -A Cid3EFBC6DC.0 -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A Cid3EFBC6DC.0 -s 192.168.2.0/24 -j ACCEPT $IPTABLES -N Cid3EFBC6DC.1 $IPTABLES -A FORWARD -d 200.200.200.200 -m state --state NEW -j Cid3EFBC6DC.1 $IPTABLES -A Cid3EFBC6DC.1 -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A Cid3EFBC6DC.1 -s 192.168.2.0/24 -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # # Automatically generated 'catch all' rule $IPTABLES -N RULE_19 $IPTABLES -A OUTPUT -j RULE_19 $IPTABLES -A INPUT -j RULE_19 $IPTABLES -A FORWARD -j RULE_19 $IPTABLES -A RULE_19 -j LOG $IPTABLES -A RULE_19 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:17 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? 
;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall21-1.fw.orig000077500000000000000000000311171303637203600207000ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:20 2012 PDT by vadim # # files: * firewall21-1.fw /etc/fw/firewall21-1.fw # # Compiled for iptables 1.4.3 # # two dynamic interfaces in the same policy or NAT rule # iptables v1.4.3 # firewall21-1:Policy:: warning: Log prefix has been truncated to 29 characters # firewall21-1:Policy:: warning: Log prefix has been truncated to 29 characters FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done
}

# Abort unless the address-table file ($2) referenced by object $1 is
# readable. Exits 1 so that a missing table fails the whole activation.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# No run-time address tables are used by this firewall (empty placeholder).
check_run_time_address_table_files() {
    :
}

# No kernel modules are loaded explicitly by this script (empty placeholder).
load_modules() {
    :
}

# Empty here: unlike the sibling scripts, no interface existence check is
# generated for this firewall, so a missing eth0/eth1 is not detected at start.
verify_interfaces() {
    :
}

prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog and exit with status $1. Not referenced by the dispatcher
# at the bottom of this script.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

configure_interfaces() {
    :
    # Configure interfaces
    update_addresses_of_interface "lo 127.0.0.1/8" ""
    update_addresses_of_interface "eth2 192.168.1.100/24" ""
    # eth0 and eth1 are dynamic: snapshot their *current* addresses and kernel
    # routes into i_eth0_list / i_eth1_list (and the _v6 / _network variants).
    # getaddr_internal (earlier in this file) leaves <name>_list unset when
    # the interface has no address, so every "for i_eth0 in $i_eth0_list"
    # loop in script_body runs zero times: the DNAT/SNAT and policy rules for
    # that interface are silently absent until the script is re-run after
    # the address arrives.
    getaddr eth0 i_eth0
    getaddr6 eth0 i_eth0_v6
    getnet eth0 i_eth0_network
    getnet6 eth0 i_eth0_v6_network
    getaddr eth1 i_eth1
    getaddr6 eth1 i_eth1_v6
    getnet eth1 i_eth1_network
    getnet6 eth1 i_eth1_v6_network
}

# Install the IPv4 NAT and filter rules. Rules are appended in order
# (first match wins); the dynamic-interface rules are expanded from the
# address lists captured by configure_interfaces.
script_body() {
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ================ Table 'nat', rule set NAT
    #
    # Rule 0 (NAT)
    #
    echo "Rule 0 (NAT)"
    #
    # DNAT everything addressed to the firewall's own eth0/eth1 addresses
    # (all protocols, all ports) to 192.168.1.10.
    for i_eth0 in $i_eth0_list
    do
        test -n "$i_eth0" && $IPTABLES -t nat -A PREROUTING -d $i_eth0 -j DNAT --to-destination 192.168.1.10
    done
    for i_eth1 in $i_eth1_list
    do
        test -n "$i_eth1" && $IPTABLES -t nat -A PREROUTING -d $i_eth1 -j DNAT --to-destination 192.168.1.10
    done
    #
    # Rule 1 (NAT)
    #
    echo "Rule 1 (NAT)"
    #
    # Same mapping with --random --persistent (iptables 1.4.3 options, see
    # the "Compiled for" header); unreachable for matching packets since
    # rule 0 already DNATs them.
    for i_eth0 in $i_eth0_list
    do
        test -n "$i_eth0" && $IPTABLES -t nat -A PREROUTING -d $i_eth0 -j DNAT --to-destination 192.168.1.10 --random --persistent
    done
    for i_eth1 in $i_eth1_list
    do
        test -n "$i_eth1" && $IPTABLES -t nat -A PREROUTING -d $i_eth1 -j DNAT --to-destination 192.168.1.10 --random --persistent
    done
    #
    # Rule 2 (NAT)
    #
    echo "Rule 2 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
    #
    # Rule 3 (NAT)
    #
    echo "Rule 3 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE --random
    #
    # Rule 4 (NAT)
    #
    echo "Rule 4 (NAT)"
    #
    for i_eth0 in $i_eth0_list
    do
        test -n "$i_eth0" && $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source $i_eth0 --persistent
    done
    #
    # Rule 5 (NAT)
    #
    echo "Rule 5 (NAT)"
    #
    for i_eth0 in $i_eth0_list
    do
        test -n "$i_eth0" && $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source $i_eth0 --random --persistent
    done
    # ================ Table 'filter', rule set Policy
    #
    # Rule 0 (eth0)
    #
    echo "Rule 0 (eth0)"
    #
    for i_eth0 in $i_eth0_list
    do
        test -n "$i_eth0" && $IPTABLES -A OUTPUT -o eth0 -s $i_eth0 -m state --state NEW -j ACCEPT
    done
    #
    # Rule 1 (global)
    #
    echo "Rule 1 (global)"
    #
    # NOTE(review): these ACCEPTs match on source address only (no -i/-o),
    # so an inbound packet on the dynamic eth0 whose source is forged to
    # 192.168.1.0/24 or to one of the firewall's own addresses is accepted
    # as NEW in INPUT. Nothing in this script provides anti-spoofing; that
    # rests on rp_filter or an upstream filter.
    for i_eth0 in $i_eth0_list
    do
        test -n "$i_eth0" && $IPTABLES -A INPUT -s $i_eth0 -m state --state NEW -j ACCEPT
    done
    for i_eth1 in $i_eth1_list
    do
        test -n "$i_eth1" && $IPTABLES -A INPUT -s $i_eth1 -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    for i_eth0 in $i_eth0_list
    do
        test -n "$i_eth0" && $IPTABLES -A OUTPUT -s $i_eth0 -m state --state NEW -j ACCEPT
    done
    for i_eth1 in $i_eth1_list
    do
        test -n "$i_eth1" && $IPTABLES -A OUTPUT -s $i_eth1 -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    #
    # Rule 2 (global)
    #
    echo "Rule 2 (global)"
    #
    # DHCP client traffic: udp 67/68 to the limited broadcast address and to
    # the firewall's eth0 addresses, in both directions.
    $IPTABLES -A OUTPUT -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT
    for i_eth0 in $i_eth0_list
    do
        test -n "$i_eth0" && $IPTABLES -A OUTPUT -p udp -m udp -m multiport -d $i_eth0 --dports 68,67 -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A INPUT -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT
    for i_eth0 in $i_eth0_list
    do
        test -n "$i_eth0" && $IPTABLES -A INPUT -p udp -m udp -m multiport -d $i_eth0 --dports 68,67 -m state --state NEW -j ACCEPT
    done
    #
    # Rule 3 (global)
    #
    echo "Rule 3 (global)"
    #
    # Catch-all: log (prefix truncated to 29 characters, see the warning in
    # the file header; no -m limit, so rejected traffic is logged
    # unthrottled) and drop in all three chains.
    $IPTABLES -N RULE_3
    $IPTABLES -A OUTPUT -j RULE_3
    $IPTABLES -A INPUT -j RULE_3
    $IPTABLES -A FORWARD -j RULE_3
    $IPTABLES -A RULE_3 -j LOG --log-level debug --log-prefix "RULE 3 -- DENY on interface g"
    $IPTABLES -A RULE_3 -j DROP
}

# This script does not touch the forwarding sysctl even though it installs
# MASQUERADE/SNAT and a FORWARD rule; forwarding must be enabled elsewhere.
ip_forward() {
    :
}

# Flush everything via reset_iptables_v4 (earlier in this file), which first
# sets the INPUT/OUTPUT/FORWARD policies to DROP and then flushes and deletes
# every chain in every table.
reset_all() {
    :
    reset_iptables_v4
}

# 'block' only resets: the DROP policies set by reset_iptables_v4 remain.
block_action() {
    reset_all
}

# 'stop' resets and then opens all three default policies: after 'stop' the
# host is completely unfiltered for IPv4.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# Probe one /proc table list ($1).
# Returns 151 if the file is absent (netfilter module not loaded),
# 152 if it exists but is empty (no tables registered), 0 otherwise.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# Returns 0 if either the IPv4 or the IPv6 table list is non-empty.
# Otherwise prints the reason(s) and terminates the whole script with 3 —
# this is 'exit', not 'return', so the dispatcher's RETVAL is bypassed.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        # configure_interfaces runs before reset_all, so the dynamic address
        # snapshot is taken, and any exit 1 from it happens, while the
        # previous rule set is still loaded.
        log "Activating firewall script generated Sun Mar 18 21:16:20 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules "nat "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # NOTE(review): 'stop' sets all policies to ACCEPT (see stop_action),
        # so there is a brief fully-open window before 'start' re-installs the
        # rules. 'start' alone already flushes through reset_all.
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # FWBDEBUG="echo" turns the "$FWBDEBUG $IP ..." calls in the address
        # helpers into a dry run that only prints the commands.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        # NOTE(review): RETVAL is never assigned here, so the final
        # 'exit $RETVAL' becomes a bare 'exit' and an unknown command
        # reports success (status of the echo, 0).
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        ;;
esac

exit $RETVALfwbuilder-5.3.7/test/ipt/firewall21.fw.orig000077500000000000000000000310101303637203600205320ustar00rootroot00000000000000
#!/bin/sh
#
#  This is automatically generated file. DO NOT MODIFY !
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:19 2012 PDT by vadim # # files: * firewall21.fw /etc/fw/firewall21.fw # # Compiled for iptables (any version) # # two dynamic interfaces in the same policy or NAT rule # firewall21:Policy:: warning: Log prefix has been truncated to 29 characters # firewall21:Policy:: warning: Log prefix has been truncated to 29 characters FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth2 192.168.1.100/24" "" getaddr eth0 i_eth0 getaddr6 eth0 i_eth0_v6 getnet eth0 i_eth0_network getnet6 eth0 i_eth0_v6_network getaddr eth1 i_eth1 getaddr6 eth1 i_eth1_v6 getnet eth1 i_eth1_network getnet6 eth1 i_eth1_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A PREROUTING -d $i_eth0 -j DNAT --to-destination 192.168.1.10 done for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -t nat -A PREROUTING -d $i_eth1 -j DNAT --to-destination 192.168.1.10 done # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A PREROUTING -d $i_eth0 -j DNAT --to-destination 192.168.1.10 --random done for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -t nat -A PREROUTING -d $i_eth1 -j DNAT --to-destination 192.168.1.10 --random done # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat 
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE --random # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source $i_eth0 done # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source $i_eth0 --random done # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -o eth0 -s $i_eth0 -m state --state NEW -j ACCEPT done # # Rule 1 (global) # echo "Rule 1 (global)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A INPUT -s $i_eth0 -m state --state NEW -j ACCEPT done for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A INPUT -s $i_eth1 -m state --state NEW -j ACCEPT done $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -s $i_eth0 -m state --state NEW -j ACCEPT done for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A OUTPUT -s $i_eth1 -m state --state NEW -j ACCEPT done $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -A OUTPUT -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -p udp -m udp -m multiport -d $i_eth0 --dports 68,67 -m state --state NEW -j ACCEPT done $IPTABLES -A INPUT -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A INPUT -p udp -m udp -m multiport -d $i_eth0 --dports 68,67 -m state --state NEW -j ACCEPT done # # Rule 3 (global) # echo 
"Rule 3 (global)" # $IPTABLES -N RULE_3 $IPTABLES -A OUTPUT -j RULE_3 $IPTABLES -A INPUT -j RULE_3 $IPTABLES -A FORWARD -j RULE_3 $IPTABLES -A RULE_3 -j LOG --log-level debug --log-prefix "RULE 3 -- DENY on interface g" $IPTABLES -A RULE_3 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:19 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall22.fw.orig000077500000000000000000000234041303637203600205430ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:22 2012 PDT by vadim # # files: * firewall22.fw /etc/fw/firewall22.fw # # Compiled for iptables 1.2.9 # # testing NAT rules using custom services FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -m string --string test_pattern -j SNAT --to-source 192.168.2.1 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A PREROUTING -d 192.168.2.1 -m string --string test_pattern -j DNAT --to-destination 192.168.1.10 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -m string --string test_pattern -j DNAT --to-destination 200.200.200.200 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 200.200.200.200 -m string --string test_pattern -j SNAT --to-source 192.168.2.1 # ================ Table 'filter', rule set Policy # # Rule 0 (eth1) # echo "Rule 0 (eth1)" # $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth1 -s ! 192.168.2.0/24 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s ! 
192.168.2.0/24 -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A OUTPUT -j RULE_1 $IPTABLES -A INPUT -j RULE_1 $IPTABLES -A FORWARD -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level error $IPTABLES -A RULE_1 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:22 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall23-1.fw.orig000077500000000000000000000426161303637203600207100ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:25 2012 PDT by vadim # # files: * firewall23-1.fw /etc/fw/firewall23-1.fw # # Compiled for iptables 1.3.0 # # This is BRIDGING FIREWALL # Testing module physdev FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "br0 192.168.1.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'mangle', rule set Policy # # Rule 13 (eth2) # echo "Rule 13 (eth2)" # $IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-is-bridged --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 1:12 # # Rule 14 (eth3) # echo "Rule 14 (eth3)" # $IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-is-bridged --physdev-out eth3 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 2:12 # # Rule 15 (eth2) # echo "Rule 15 (eth2)" # $IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-is-bridged --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 1:12 # ================ Table 'filter', rule set Policy # # Rule 0 (eth2,eth3) # echo "Rule 0 (eth2,eth3)" # $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-in eth3 -d 
192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m physdev --physdev-in eth2 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m physdev --physdev-in eth3 -m state --state NEW -j ACCEPT # # Rule 1 (eth2,eth3) # echo "Rule 1 (eth2,eth3)" # $IPTABLES -A INPUT -m physdev --physdev-in eth2 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m physdev --physdev-in eth3 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-in eth3 -m state --state NEW -j ACCEPT # # Rule 2 (eth2,eth3) # echo "Rule 2 (eth2,eth3)" # $IPTABLES -N In_RULE_2 $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -d 192.168.1.10 -m state --state NEW -j In_RULE_2 $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -d 192.168.1.20 -m state --state NEW -j In_RULE_2 $IPTABLES -A FORWARD -m physdev --physdev-in eth3 -d 192.168.1.10 -m state --state NEW -j In_RULE_2 $IPTABLES -A FORWARD -m physdev --physdev-in eth3 -d 192.168.1.20 -m state --state NEW -j In_RULE_2 $IPTABLES -A In_RULE_2 -j LOG --log-level debug $IPTABLES -A In_RULE_2 -j ACCEPT # # Rule 3 (eth2,eth3) # echo "Rule 3 (eth2,eth3)" # # testing for bug 1593221 $IPTABLES -N Cid45546AAE30629.0 $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -s 192.168.1.0/24 -m state --state NEW -j Cid45546AAE30629.0 $IPTABLES -N In_RULE_3 $IPTABLES -A Cid45546AAE30629.0 -d 192.168.1.10 -j In_RULE_3 $IPTABLES -A Cid45546AAE30629.0 -d 192.168.1.20 -j In_RULE_3 $IPTABLES -N Cid45546AAE30629.1 $IPTABLES -A FORWARD -m physdev --physdev-in eth3 -s 192.168.1.0/24 -m state --state NEW -j Cid45546AAE30629.1 $IPTABLES -A Cid45546AAE30629.1 -d 192.168.1.10 -j In_RULE_3 $IPTABLES -A Cid45546AAE30629.1 -d 192.168.1.20 -j In_RULE_3 $IPTABLES -A In_RULE_3 -j LOG --log-level debug $IPTABLES -A In_RULE_3 -j ACCEPT # # Rule 4 (eth2,eth3) # echo "Rule 4 (eth2,eth3)" # $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -d 192.168.1.255 -m state --state NEW -j ACCEPT 
$IPTABLES -A FORWARD -m physdev --physdev-in eth3 -d 192.168.1.255 -m state --state NEW -j ACCEPT # # Rule 5 (eth2,eth3) # echo "Rule 5 (eth2,eth3)" # $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -d 255.255.255.255 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-in eth3 -d 255.255.255.255 -m state --state NEW -j ACCEPT # # Rule 6 (eth2,eth3) # echo "Rule 6 (eth2,eth3)" # $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-in eth3 -d 224.0.1.141 -m state --state NEW -j ACCEPT # # Rule 7 (eth2,eth3) # echo "Rule 7 (eth2,eth3)" # $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-in eth3 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 8 (eth2,eth3) # echo "Rule 8 (eth2,eth3)" # $IPTABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out eth2 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out eth3 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 9 (eth2,eth3) # echo "Rule 9 (eth2,eth3)" # $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -d ! 192.168.1.0/24 -j DROP $IPTABLES -A FORWARD -m physdev --physdev-in eth3 -d ! 
192.168.1.0/24 -j DROP # # Rule 10 (eth2) # echo "Rule 10 (eth2)" # $IPTABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out eth2 -d 224.0.0.0/4 -m state --state NEW -j ACCEPT # # Rule 11 (eth2) # echo "Rule 11 (eth2)" # $IPTABLES -A FORWARD -m physdev --physdev-in eth2 -s 192.168.1.10 -d 224.0.0.0/4 -m state --state NEW -j ACCEPT # # Rule 12 (eth3) # echo "Rule 12 (eth3)" # $IPTABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out eth3 -s 192.168.1.10 -d 224.0.0.0/4 -m state --state NEW -j ACCEPT # # Rule 15 (eth2) # echo "Rule 15 (eth2)" # $IPTABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j LOG --log-level debug # # Rule 16 (global) # echo "Rule 16 (global)" # $IPTABLES -A OUTPUT -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.10 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -d 192.168.1.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p udp -m udp -d 192.168.1.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -d 192.168.1.10 --dport 68 -m state --state NEW -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # $IPTABLES -A OUTPUT -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # $IPTABLES -A 
OUTPUT -d 224.0.0.5 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 224.0.0.5 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 224.0.0.5 -m state --state NEW -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 6667 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.1.10 --dport 6667 -m state --state NEW -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -N RULE_21 $IPTABLES -A OUTPUT -d 192.168.1.10 -j RULE_21 $IPTABLES -A FORWARD -d 192.168.1.10 -j RULE_21 $IPTABLES -A RULE_21 -j LOG --log-level debug $IPTABLES -A RULE_21 -j DROP # # Rule 22 (global) # echo "Rule 22 (global)" # # this rule should generate commands # in both INPUT and FORWARD chains # because this is a bridging firewall # see bug #811860 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -j ACCEPT # # Rule 24 (global) # echo "Rule 24 (global)" # # interface of another firewall # (firewall11) # Why do we need to test for this? $IPTABLES -A OUTPUT -d 10.1.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 10.1.1.1 -m state --state NEW -j ACCEPT } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? 
check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:25 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall23-2.fw.orig000077500000000000000000000226461303637203600207120ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:26 2012 PDT by vadim # # files: * firewall23-2.fw /etc/fw/firewall23-2.fw # # Compiled for iptables 1.3.0 # # This is BRIDGING FIREWALL # with two bridges and wildcard bridge port interfaces # see SF bug #3439613 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'filter', rule set Policy # # Rule 0 (vnet+) # echo "Rule 0 (vnet+)" # # -i br0 $IPTABLES -A INPUT -i br0 -m physdev --physdev-in vnet+ -m state --state NEW -j ACCEPT # # Rule 1 (vnet+) # echo "Rule 1 (vnet+)" # # -i br1 $IPTABLES -A INPUT -i br1 -m physdev --physdev-in vnet+ -m state --state NEW -j ACCEPT # # Rule 2 (vnet+) # echo "Rule 2 (vnet+)" # # -o br0 $IPTABLES -A OUTPUT -o br0 -m physdev --physdev-is-bridged --physdev-out vnet+ -m state --state NEW -j ACCEPT # # Rule 3 (vnet+) # echo "Rule 3 (vnet+)" # # -o br1 $IPTABLES -A OUTPUT -o br1 -m physdev --physdev-is-bridged --physdev-out vnet+ -m state --state NEW -j ACCEPT } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:26 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall23-3.fw.orig000077500000000000000000000221421303637203600207020ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:27 2012 PDT by vadim # # files: * firewall23-3.fw /etc/fw/firewall23-3.fw # # Compiled for iptables 1.3.0 # # This is BRIDGING FIREWALL # with one bridge and wildcard bridge port interfaces. 
# Since there is only one bridge, there is no need to add -i br0 / -o br0 # see SF bug #3439613 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done 
$IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script 
if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'filter', rule set Policy # # Rule 0 (vnet+) # echo "Rule 0 (vnet+)" # $IPTABLES -A INPUT -m physdev --physdev-in vnet+ -m state --state NEW -j ACCEPT # # Rule 1 (vnet+) # echo "Rule 1 (vnet+)" # # -o br0 $IPTABLES -A OUTPUT -m physdev --physdev-is-bridged --physdev-out vnet+ -m state --state NEW -j ACCEPT } 
ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:27 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall23.fw.orig000077500000000000000000000316161303637203600205500ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:23 2012 PDT by vadim # # files: * firewall23.fw /etc/fw/firewall23.fw # # Compiled for iptables (any version) # # This is BRIDGING FIREWALL FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "br0 192.168.1.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (eth*) # echo "Rule 0 (eth*)" # $IPTABLES -A INPUT -i eth+ -m state --state NEW -j ACCEPT # # Rule 1 (eth*) # echo "Rule 1 (eth*)" # $IPTABLES -A INPUT -i eth+ -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth+ -m state --state NEW -j ACCEPT # # Rule 2 (eth*) # echo "Rule 2 (eth*)" # $IPTABLES -A FORWARD -i eth+ -d 192.168.1.255 -m state --state NEW -j ACCEPT # # Rule 3 (eth*) # echo "Rule 3 (eth*)" # $IPTABLES -A FORWARD -i eth+ -d 255.255.255.255 -m state --state NEW -j ACCEPT # # Rule 4 (eth*) # echo "Rule 4 (eth*)" # $IPTABLES -A FORWARD -i eth+ -d 224.0.1.141 -m state --state NEW -j ACCEPT # # Rule 5 (eth*) # echo "Rule 5 (eth*)" # $IPTABLES -A FORWARD -i eth+ -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 6 (eth*) # echo "Rule 6 (eth*)" # $IPTABLES -A FORWARD -i eth+ -d ! 
192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A OUTPUT -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.10 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -d 192.168.1.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p udp -m udp -d 192.168.1.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -d 192.168.1.10 --dport 68 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -A OUTPUT -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -A OUTPUT -d 224.0.0.5 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 224.0.0.5 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 224.0.0.5 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 6667 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.1.10 --dport 6667 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -N RULE_12 $IPTABLES -A OUTPUT -d 192.168.1.10 -j RULE_12 $IPTABLES -A FORWARD -d 192.168.1.10 -j RULE_12 $IPTABLES -A RULE_12 -j LOG --log-level debug $IPTABLES -A RULE_12 -j DROP # # Rule 13 
(global) # echo "Rule 13 (global)" # # this rule should generate commands # in both INPUT and FORWARD chains # because this is a bridging firewall # see bug #811860 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # # interface of another firewall # (firewall11) # Why do we need to test for this? $IPTABLES -A OUTPUT -d 10.1.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 10.1.1.1 -m state --state NEW -j ACCEPT } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:23 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? 
;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall24.fw.orig000077500000000000000000000324331303637203600205470ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:28 2012 PDT by vadim # # files: * firewall24.fw /etc/fw/firewall24.fw # # Compiled for iptables (any version) # # testing rules on unnumbered interface tun* FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth0 192.168.1.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (tun*) # echo "Rule 0 (tun*)" # $IPTABLES -A INPUT -i tun+ -m state --state NEW -j ACCEPT # # Rule 1 (tun*) # echo "Rule 1 (tun*)" # $IPTABLES -A INPUT -i tun+ -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i tun+ -m state --state NEW -j ACCEPT # # Rule 2 (tun*) # echo "Rule 2 (tun*)" # $IPTABLES -A OUTPUT -o tun+ -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o tun+ -m state --state NEW -j ACCEPT # # Rule 3 (tun*) # echo "Rule 3 (tun*)" # $IPTABLES -A INPUT -i tun+ -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i tun+ -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o tun+ -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o tun+ -m state --state NEW -j ACCEPT # # Rule 4 (tun*) # echo "Rule 4 (tun*)" # $IPTABLES -A INPUT -i tun+ -p udp -m udp -m multiport --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i tun+ -p udp -m udp -m multiport --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 5 (tun*) # echo "Rule 5 (tun*)" # $IPTABLES -A INPUT -i 
tun+ -d 192.168.1.255 -m state --state NEW -j ACCEPT # # Rule 6 (tun*) # echo "Rule 6 (tun*)" # $IPTABLES -A INPUT -i tun+ -d 255.255.255.255 -m state --state NEW -j ACCEPT # # Rule 7 (tun*) # echo "Rule 7 (tun*)" # $IPTABLES -A INPUT -i tun+ -d 224.0.1.141 -m state --state NEW -j ACCEPT # # Rule 8 (tun*) # echo "Rule 8 (tun*)" # $IPTABLES -A INPUT -i tun+ -d 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i tun+ -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 9 (tun*) # echo "Rule 9 (tun*)" # $IPTABLES -A INPUT -i tun+ -d ! 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i tun+ -d ! 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -A OUTPUT -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.10 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p udp -m udp -d 192.168.1.255 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -d 192.168.1.10 --dport 68 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0 --dport 68 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p udp -m udp -d 192.168.1.0 --dport 68 -m state --state NEW -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -A OUTPUT -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 224.0.1.141 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # $IPTABLES -A OUTPUT -d 224.0.0.5 -m state --state NEW -j 
ACCEPT $IPTABLES -A INPUT -d 224.0.0.5 -m state --state NEW -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 6667 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.1.10 --dport 6667 -m state --state NEW -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # $IPTABLES -N RULE_16 $IPTABLES -A OUTPUT -d 192.168.1.10 -j RULE_16 $IPTABLES -A FORWARD -d 192.168.1.10 -j RULE_16 $IPTABLES -A RULE_16 -j LOG --log-level debug $IPTABLES -A RULE_16 -j DROP # # Rule 17 (global) # echo "Rule 17 (global)" # $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:28 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall25.fw.orig000077500000000000000000000537221303637203600205540ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:30 2012 PDT by vadim # # files: * firewall25.fw /etc/fw/firewall25.fw # # Compiled for iptables 1.4.0 # # this firewall uses iptables-restore format. Firewall has wildcard interface ppp*; script is generated dynamically and then piped to iptables-restore # two rule sets for the filter table, to make sure there is only # one COMMIT for both # firewall25::: error: Dynamic interface ppp* should not have an IP address object attached to it. This IP address object will be ignored. 
# firewall25:policy_2_mangle:1: error: Action Reject is not allowed in mangle table # firewall25::: warning: Can not add virtual address for object address # firewall25::: warning: Can not add virtual address for object address FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : echo "Verifying interfaces: eth0 eth2" for i in eth0 eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # backup ssh access echo "-A INPUT -p tcp -m tcp -s 192.168.1.1/255.255.255.255 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT " echo "-A OUTPUT -p tcp -m tcp -d 192.168.1.1/255.255.255.255 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop TCP sessions opened prior firewall restart echo "-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " echo "-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " echo "-A FORWARD -p tcp -m tcp ! 
--tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " # drop packets that do not match any valid state echo "-A OUTPUT -m state --state INVALID -j DROP " echo "-A INPUT -m state --state INVALID -j DROP " echo "-A FORWARD -m state --state INVALID -j DROP " # ================ Table 'filter', rule set policy_2 # # Rule policy_2 0 (eth2) echo ":policy_2 - [0:0]" echo "-A policy_2 -o eth2 -m state --state NEW -j ACCEPT " # # Rule policy_2 1 (global) echo ":policy_2_1 - [0:0]" echo "-A policy_2 -j policy_2_1 " echo "-A policy_2_1 -j LOG " echo "-A policy_2_1 -j DROP " # # ================ Table 'filter', rule set mangle_ruleset # # Rule mangle_ruleset 0 (global) echo ":mangle_ruleset - [0:0]" echo ":mangle_ruleset_0 - [0:0]" echo "-A mangle_ruleset -j mangle_ruleset_0 " echo "-A mangle_ruleset_0 -j LOG " echo "-A mangle_ruleset_0 -j DROP " # # ================ Table 'filter', rule set Policy # # Rule 0 (ppp*) # ppp clients get addresses on 10.1.1.0 echo ":In_RULE_0 - [0:0]" echo "-A INPUT -i ppp+ -s ! 10.1.1.0/24 -j In_RULE_0 " echo "-A FORWARD -i ppp+ -s ! 
10.1.1.0/24 -j In_RULE_0 " echo "-A In_RULE_0 -j LOG " echo "-A In_RULE_0 -j DROP " # # Rule 1 (ppp*) # ppp clients can not connect to the firewall echo ":In_RULE_1 - [0:0]" getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && echo "-A INPUT -i ppp+ -d $addr -j In_RULE_1 " done done echo "-A In_RULE_1 -j LOG " echo "-A In_RULE_1 -j DROP " # # Rule 2 (ppp*) echo ":In_RULE_2 - [0:0]" echo "-A INPUT -i ppp+ -j In_RULE_2 " echo "-A In_RULE_2 -j LOG " echo "-A In_RULE_2 -j DROP " # # Rule 3 (ppp*) # ppp clients can only connect to the mail # server and web proxy on DMZ echo "-A FORWARD -i ppp+ -p tcp -m tcp -m multiport -d 192.168.2.10 --dports 25,3128 -m state --state NEW -j ACCEPT " # # Rule 4 (ppp*) # ppp clients can not connect to # anything else on DMZ and # internal net echo ":In_RULE_4 - [0:0]" echo "-A INPUT -i ppp+ -d 192.168.1.0/24 -j In_RULE_4 " echo "-A INPUT -i ppp+ -d 192.168.2.0/24 -j In_RULE_4 " echo "-A FORWARD -i ppp+ -d 192.168.1.0/24 -j In_RULE_4 " echo "-A FORWARD -i ppp+ -d 192.168.2.0/24 -j In_RULE_4 " echo "-A In_RULE_4 -j LOG " echo "-A In_RULE_4 -j DROP " # # Rule 5 (eth2) echo ":In_RULE_5 - [0:0]" echo "-A INPUT -i eth2 -s ! 192.168.2.0/24 -j In_RULE_5 " echo "-A FORWARD -i eth2 -s ! 192.168.2.0/24 -j In_RULE_5 " echo "-A In_RULE_5 -j LOG " echo "-A In_RULE_5 -j DROP " # # Rule 6 (global) # hostF has the same IP address as firewal. 
echo ":RULE_6 - [0:0]" echo "-A OUTPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_6 " echo "-A INPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_6 " echo "-A RULE_6 -j LOG " echo "-A RULE_6 -j ACCEPT " # # Rule 7 (global) echo ":Cid417C681B.0 - [0:0]" echo "-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid417C681B.0 " getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && echo "-A Cid417C681B.0 -d $addr -j ACCEPT " done done echo "-A Cid417C681B.0 -d 192.168.1.1 -j ACCEPT " echo "-A Cid417C681B.0 -d 192.168.2.1 -j ACCEPT " echo "-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT " # # Rule 8 (global) getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && echo "-A OUTPUT -p tcp -m tcp -d $addr --dport 22 -m state --state NEW -j ACCEPT " done done getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && echo "-A INPUT -p tcp -m tcp -d $addr --dport 22 -m state --state NEW -j ACCEPT " done done # # Rule 9 (global) echo "-A OUTPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT " echo "-A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT " # # Rule 10 (global) echo "-A OUTPUT -p tcp -m tcp -m multiport -d 192.168.1.1 --dports 22,23 -m state --state NEW -j ACCEPT " echo "-A INPUT -p tcp -m tcp -m multiport -d 192.168.1.1 --dports 22,23 -m state --state NEW -j ACCEPT " # # Rule 11 (global) echo ":Cid417C6844.0 - [0:0]" echo "-A OUTPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid417C6844.0 " echo "-A Cid417C6844.0 -d 192.168.1.1 -j ACCEPT " echo "-A Cid417C6844.0 -d 
192.168.2.1 -j ACCEPT " echo ":Cid417C6844.1 - [0:0]" echo "-A INPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid417C6844.1 " echo "-A Cid417C6844.1 -d 192.168.1.1 -j ACCEPT " echo "-A Cid417C6844.1 -d 192.168.2.1 -j ACCEPT " # # Rule 12 (global) echo ":Cid417C684F.0 - [0:0]" echo "-A OUTPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid417C684F.0 " echo ":RULE_12 - [0:0]" echo "-A Cid417C684F.0 -d 192.168.1.1 -j RULE_12 " echo "-A Cid417C684F.0 -d 192.168.2.1 -j RULE_12 " echo ":Cid417C684F.1 - [0:0]" echo "-A INPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid417C684F.1 " echo "-A Cid417C684F.1 -d 192.168.1.1 -j RULE_12 " echo "-A Cid417C684F.1 -d 192.168.2.1 -j RULE_12 " echo "-A RULE_12 -j LOG " echo "-A RULE_12 -j ACCEPT " # # Rule 13 (global) # firewall is part of Any, so compiler should # generate code in both FORWARD and # OUTPUT chains echo "-A OUTPUT -d 200.200.200.200 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 200.200.200.200 -m state --state NEW -j ACCEPT " # # Rule 14 (global) # firewall is part of Any, compiler should # generate code for both FORWARD and # INPUT chains echo "-A INPUT -s 200.200.200.200 -m state --state NEW -j ACCEPT " echo "-A FORWARD -s 200.200.200.200 -m state --state NEW -j ACCEPT " # # Rule 15 (global) # because firewall has interface on network # internal_net, compiler should generate code # for both FORWARD and INPUT chains echo "-A INPUT -s 192.168.1.10 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT " echo "-A FORWARD -s 192.168.1.10 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT " # # Rule 16 (global) echo ":Cid417C6878.0 - [0:0]" echo "-A OUTPUT -d 200.200.200.200 -m state --state NEW -j Cid417C6878.0 " echo "-A Cid417C6878.0 -s 192.168.1.0/24 -j ACCEPT " echo "-A Cid417C6878.0 -s 192.168.2.0/24 -j ACCEPT " echo ":Cid417C6878.1 - [0:0]" echo "-A FORWARD -d 200.200.200.200 -m state --state NEW -j Cid417C6878.1 " echo "-A Cid417C6878.1 -s 
192.168.1.0/24 -j ACCEPT " echo "-A Cid417C6878.1 -s 192.168.2.0/24 -j ACCEPT " # # Rule 17 (global) # this rule should go to mangle table, # since we also have default rule that goes to mangle (TCPMSS) # and pure mangle ruleset, making sure all rules for # mangle table end up with one COMMIT echo "-A OUTPUT -m state --state NEW -j LOG " echo "-A INPUT -m state --state NEW -j LOG " echo "-A FORWARD -m state --state NEW -j LOG " # # Rule 18 (global) echo "-A OUTPUT -j policy_2 " echo "-A INPUT -j policy_2 " echo "-A FORWARD -j policy_2 " # # Rule 20 (eth0) echo "-A INPUT -i eth0 -j policy_2 " echo "-A FORWARD -i eth0 -j policy_2 " # # Rule 22 (global) # Automatically generated 'catch all' rule echo ":RULE_22 - [0:0]" echo "-A OUTPUT -j RULE_22 " echo "-A INPUT -j RULE_22 " echo "-A FORWARD -j RULE_22 " echo "-A RULE_22 -j LOG " echo "-A RULE_22 -j DROP " # echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" # ================ Table 'mangle', rule set policy_2_mangle # # Rule policy_2_mangle 0 (eth2) echo ":policy_2_mangle - [0:0]" echo "-A policy_2_mangle -o eth2 -m state --state NEW -j ACCEPT " # # Rule policy_2_mangle 1 (global) # SF bug report 3034628 # "iptables does not allow target REJECT in mangle table" # firewall25:policy_2_mangle:1: error: Action Reject is not allowed in mangle table echo ":policy_2_mangle_1 - [0:0]" echo "-A policy_2_mangle -p tcp -m tcp --dport 70 -j policy_2_mangle_1 " echo "-A policy_2_mangle_1 -j LOG " # # Rule policy_2_mangle 2 (global) echo ":policy_2_mangle_2 - [0:0]" echo "-A policy_2_mangle -j policy_2_mangle_2 " echo "-A policy_2_mangle_2 -j LOG " echo "-A policy_2_mangle_2 -j DROP " # # ================ Table 'mangle', rule set Policy # # Rule 17 (global) # this rule should go to mangle table, # since we also have default rule that goes to mangle (TCPMSS) # and pure mangle ruleset, making sure all rules for # mangle 
table end up with one COMMIT echo "-A OUTPUT -m state --state NEW -j MARK --set-mark 10" echo "-A PREROUTING -m state --state NEW -j MARK --set-mark 10" # # Rule 18 (global) echo ":policy_2 - [0:0]" echo "-A PREROUTING -j policy_2 " echo "-A POSTROUTING -j policy_2 " echo "-A FORWARD -j policy_2 " # # Rule 19 (global) echo "-A PREROUTING -j policy_2_mangle " echo "-A POSTROUTING -j policy_2_mangle " echo "-A FORWARD -j policy_2_mangle " # # Rule 20 (eth0) echo "-A PREROUTING -i eth0 -j policy_2 " echo "-A FORWARD -i eth0 -j policy_2 " # # Rule 21 (eth0) echo "-A PREROUTING -i eth0 -j policy_2_mangle " echo "-A FORWARD -i eth0 -j policy_2_mangle " # echo COMMIT echo '*nat' # ================ Table 'nat', rule set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo "-A POSTROUTING -o ppp+ -s 192.168.1.0/24 -j MASQUERADE " echo "-A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 " # # Rule 1 (NAT) echo "-A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.23 " echo "-A POSTROUTING -o ppp+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.23 " # # Rule 2 (NAT) getinterfaces ppp | while read I; do ivar=$(getInterfaceVarName $I) getaddr $I $ivar cmd="$"${ivar}_list eval "addr_list=$cmd" for addr in $addr_list do test -n "$addr" && echo "-A PREROUTING -p tcp -m tcp -d $addr --dport 22 -j DNAT --to-destination 192.168.1.10:22 " done done echo "-A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 " echo "-A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 " # # Rule 3 (NAT) echo "-A PREROUTING -s 192.168.1.0/24 -d ! 200.200.200.200 -j DNAT --to-destination 192.168.2.10 " echo "-A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 192.168.2.10 -j SNAT --to-source 192.168.2.1 " # echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:30 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall26.fw.orig000077500000000000000000000433531303637203600205540ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:31 2012 PDT by vadim # # files: * firewall26.fw /etc/fw/firewall26.fw # # Compiled for iptables 1.4.0 # # this firewall uses iptables-restore format # One interface has dynamic address, script uses echo to generated iptables commands and then pipes them to iptables-restore # firewall26::: warning: Can not add virtual address for object address # firewall26::: warning: Can not add virtual address for object address FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : echo "Verifying interfaces: ppp eth0 eth2" for i in ppp eth0 eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" getaddr ppp i_ppp getaddr6 ppp i_ppp_v6 getnet ppp i_ppp_network getnet6 ppp i_ppp_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # backup ssh access echo "-A INPUT -p tcp -m tcp -s 192.168.1.1/255.255.255.255 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT " echo "-A OUTPUT -p tcp -m tcp -d 192.168.1.1/255.255.255.255 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop TCP sessions opened prior firewall restart echo "-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " echo "-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " echo "-A FORWARD -p tcp -m tcp ! 
--tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " # drop packets that do not match any valid state echo "-A OUTPUT -m state --state INVALID -j DROP " echo "-A INPUT -m state --state INVALID -j DROP " echo "-A FORWARD -m state --state INVALID -j DROP " # ================ Table 'filter', rule set Policy # # Rule 0 (ppp) # ppp clients get addresses on 10.1.1.0 echo ":In_RULE_0 - [0:0]" echo "-A INPUT -i ppp -s ! 10.1.1.0/24 -j In_RULE_0 " echo "-A FORWARD -i ppp -s ! 10.1.1.0/24 -j In_RULE_0 " echo "-A In_RULE_0 -j LOG " echo "-A In_RULE_0 -j DROP " # # Rule 1 (ppp) # ppp clients can not connect to the firewall echo ":In_RULE_1 - [0:0]" for i_ppp in $i_ppp_list do test -n "$i_ppp" && echo "-A INPUT -i ppp -d $i_ppp -j In_RULE_1 " done echo "-A In_RULE_1 -j LOG " echo "-A In_RULE_1 -j DROP " # # Rule 2 (ppp) echo ":In_RULE_2 - [0:0]" echo "-A INPUT -i ppp -j In_RULE_2 " echo "-A In_RULE_2 -j LOG " echo "-A In_RULE_2 -j DROP " # # Rule 3 (ppp) # ppp clients can only connect to the mail # server and web proxy on DMZ echo "-A FORWARD -i ppp -p tcp -m tcp -m multiport -d 192.168.2.10 --dports 25,3128 -m state --state NEW -j ACCEPT " # # Rule 4 (ppp) # ppp clients can not connect to # anything else on DMZ and # internal net echo ":In_RULE_4 - [0:0]" echo "-A INPUT -i ppp -d 192.168.1.0/24 -j In_RULE_4 " echo "-A INPUT -i ppp -d 192.168.2.0/24 -j In_RULE_4 " echo "-A FORWARD -i ppp -d 192.168.1.0/24 -j In_RULE_4 " echo "-A FORWARD -i ppp -d 192.168.2.0/24 -j In_RULE_4 " echo "-A In_RULE_4 -j LOG " echo "-A In_RULE_4 -j DROP " # # Rule 5 (eth2) echo ":In_RULE_5 - [0:0]" echo "-A INPUT -i eth2 -s ! 192.168.2.0/24 -j In_RULE_5 " echo "-A FORWARD -i eth2 -s ! 192.168.2.0/24 -j In_RULE_5 " echo "-A In_RULE_5 -j LOG " echo "-A In_RULE_5 -j DROP " # # Rule 6 (global) # hostF has the same IP address as firewal. 
echo ":RULE_6 - [0:0]" echo "-A OUTPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_6 " echo "-A INPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_6 " echo "-A RULE_6 -j LOG " echo "-A RULE_6 -j ACCEPT " # # Rule 7 (global) echo ":Cid418C4619.0 - [0:0]" echo "-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid418C4619.0 " for i_ppp in $i_ppp_list do test -n "$i_ppp" && echo "-A Cid418C4619.0 -d $i_ppp -j ACCEPT " done echo "-A Cid418C4619.0 -d 192.168.1.1 -j ACCEPT " echo "-A Cid418C4619.0 -d 192.168.2.1 -j ACCEPT " echo "-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT " # # Rule 8 (global) for i_ppp in $i_ppp_list do test -n "$i_ppp" && echo "-A OUTPUT -p tcp -m tcp -d $i_ppp --dport 22 -m state --state NEW -j ACCEPT " done for i_ppp in $i_ppp_list do test -n "$i_ppp" && echo "-A INPUT -p tcp -m tcp -d $i_ppp --dport 22 -m state --state NEW -j ACCEPT " done # # Rule 9 (global) echo "-A OUTPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT " echo "-A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT " # # Rule 10 (global) echo "-A OUTPUT -p tcp -m tcp -m multiport -d 192.168.1.1 --dports 22,23 -m state --state NEW -j ACCEPT " echo "-A INPUT -p tcp -m tcp -m multiport -d 192.168.1.1 --dports 22,23 -m state --state NEW -j ACCEPT " # # Rule 11 (global) echo ":Cid418C4642.0 - [0:0]" echo "-A OUTPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid418C4642.0 " echo "-A Cid418C4642.0 -d 192.168.1.1 -j ACCEPT " echo "-A Cid418C4642.0 -d 192.168.2.1 -j ACCEPT " echo ":Cid418C4642.1 - [0:0]" echo "-A INPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid418C4642.1 " echo "-A Cid418C4642.1 -d 192.168.1.1 -j ACCEPT " echo "-A Cid418C4642.1 -d 192.168.2.1 -j ACCEPT " # # Rule 12 (global) echo ":Cid418C464D.0 - [0:0]" echo "-A OUTPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j 
Cid418C464D.0 " echo ":RULE_12 - [0:0]" echo "-A Cid418C464D.0 -d 192.168.1.1 -j RULE_12 " echo "-A Cid418C464D.0 -d 192.168.2.1 -j RULE_12 " echo ":Cid418C464D.1 - [0:0]" echo "-A INPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid418C464D.1 " echo "-A Cid418C464D.1 -d 192.168.1.1 -j RULE_12 " echo "-A Cid418C464D.1 -d 192.168.2.1 -j RULE_12 " echo "-A RULE_12 -j LOG " echo "-A RULE_12 -j ACCEPT " # # Rule 13 (global) # firewall is part of Any, so compiler should # generate code in both FORWARD and # OUTPUT chains echo "-A OUTPUT -d 200.200.200.200 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 200.200.200.200 -m state --state NEW -j ACCEPT " # # Rule 14 (global) # firewall is part of Any, compiler should # generate code for both FORWARD and # INPUT chains echo "-A INPUT -s 200.200.200.200 -m state --state NEW -j ACCEPT " echo "-A FORWARD -s 200.200.200.200 -m state --state NEW -j ACCEPT " # # Rule 15 (global) # because firewall has interface on network # internal_net, compiler should generate code # for both FORWARD and INPUT chains echo "-A INPUT -s 192.168.1.10 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT " echo "-A FORWARD -s 192.168.1.10 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT " # # Rule 16 (global) echo ":Cid418C4676.0 - [0:0]" echo "-A OUTPUT -d 200.200.200.200 -m state --state NEW -j Cid418C4676.0 " echo "-A Cid418C4676.0 -s 192.168.1.0/24 -j ACCEPT " echo "-A Cid418C4676.0 -s 192.168.2.0/24 -j ACCEPT " echo ":Cid418C4676.1 - [0:0]" echo "-A FORWARD -d 200.200.200.200 -m state --state NEW -j Cid418C4676.1 " echo "-A Cid418C4676.1 -s 192.168.1.0/24 -j ACCEPT " echo "-A Cid418C4676.1 -s 192.168.2.0/24 -j ACCEPT " # # Rule 17 (global) # Automatically generated 'catch all' rule echo ":RULE_17 - [0:0]" echo "-A OUTPUT -j RULE_17 " echo "-A INPUT -j RULE_17 " echo "-A FORWARD -j RULE_17 " echo "-A RULE_17 -j LOG " echo "-A RULE_17 -j DROP " # echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules 
echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" echo COMMIT echo '*nat' # ================ Table 'nat', rule set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo "-A POSTROUTING -o ppp -s 192.168.1.0/24 -j MASQUERADE " echo "-A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 " # # Rule 1 (NAT) echo "-A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.23 " echo "-A POSTROUTING -o ppp -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.23 " # # Rule 2 (NAT) for i_ppp in $i_ppp_list do test -n "$i_ppp" && echo "-A PREROUTING -p tcp -m tcp -d $i_ppp --dport 22 -j DNAT --to-destination 192.168.1.10:22 " done echo "-A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 " echo "-A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 " # # Rule 3 (NAT) echo "-A PREROUTING -s 192.168.1.0/24 -d ! 200.200.200.200 -j DNAT --to-destination 192.168.2.10 " echo "-A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 192.168.2.10 -j SNAT --to-source 192.168.2.1 " # echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:31 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall27.fw.orig000077500000000000000000000425531303637203600205560ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:33 2012 PDT by vadim # # files: * firewall27.fw /etc/fw/firewall27.fw # # Compiled for iptables 1.4.0 # # this firewall uses iptables-restore format # all interfaces have static addresses, script pipes iptables commands straight to iptables-restore # firewall27::: warning: Can not add virtual address for object address # firewall27::: warning: Can not add virtual address for object address FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : echo "Verifying interfaces: ppp eth0 eth2" for i in ppp eth0 eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "ppp 192.0.2.1/24" "" update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # backup ssh access echo "-A INPUT -p tcp -m tcp -s 192.168.1.1/255.255.255.255 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT " echo "-A OUTPUT -p tcp -m tcp -d 192.168.1.1/255.255.255.255 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop TCP sessions opened prior firewall restart echo "-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " echo "-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " echo "-A FORWARD -p tcp -m tcp ! 
--tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " # drop packets that do not match any valid state echo "-A OUTPUT -m state --state INVALID -j DROP " echo "-A INPUT -m state --state INVALID -j DROP " echo "-A FORWARD -m state --state INVALID -j DROP " # ================ Table 'filter', rule set Policy # # Rule 0 (ppp) # ppp clients get addresses on 10.1.1.0 echo ":In_RULE_0 - [0:0]" echo "-A INPUT -i ppp -s ! 10.1.1.0/24 -j In_RULE_0 " echo "-A FORWARD -i ppp -s ! 10.1.1.0/24 -j In_RULE_0 " echo "-A In_RULE_0 -j LOG " echo "-A In_RULE_0 -j DROP " # # Rule 1 (ppp) # ppp clients can not connect to the firewall echo ":In_RULE_1 - [0:0]" echo "-A INPUT -i ppp -d 192.0.2.1 -j In_RULE_1 " echo "-A In_RULE_1 -j LOG " echo "-A In_RULE_1 -j DROP " # # Rule 2 (ppp) echo ":In_RULE_2 - [0:0]" echo "-A INPUT -i ppp -j In_RULE_2 " echo "-A In_RULE_2 -j LOG " echo "-A In_RULE_2 -j DROP " # # Rule 3 (ppp) # ppp clients can only connect to the mail # server and web proxy on DMZ echo "-A FORWARD -i ppp -p tcp -m tcp -m multiport -d 192.168.2.10 --dports 25,3128 -m state --state NEW -j ACCEPT " # # Rule 4 (ppp) # ppp clients can not connect to # anything else on DMZ and # internal net echo ":In_RULE_4 - [0:0]" echo "-A INPUT -i ppp -d 192.168.1.0/24 -j In_RULE_4 " echo "-A INPUT -i ppp -d 192.168.2.0/24 -j In_RULE_4 " echo "-A FORWARD -i ppp -d 192.168.1.0/24 -j In_RULE_4 " echo "-A FORWARD -i ppp -d 192.168.2.0/24 -j In_RULE_4 " echo "-A In_RULE_4 -j LOG " echo "-A In_RULE_4 -j DROP " # # Rule 5 (eth2) echo ":In_RULE_5 - [0:0]" echo "-A INPUT -i eth2 -s ! 192.168.2.0/24 -j In_RULE_5 " echo "-A FORWARD -i eth2 -s ! 192.168.2.0/24 -j In_RULE_5 " echo "-A In_RULE_5 -j LOG " echo "-A In_RULE_5 -j DROP " # # Rule 6 (global) # hostF has the same IP address as firewal. 
echo ":RULE_6 - [0:0]" echo "-A OUTPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_6 " echo "-A INPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_6 " echo "-A RULE_6 -j LOG " echo "-A RULE_6 -j ACCEPT " # # Rule 7 (global) echo ":Cid4183D051.0 - [0:0]" echo "-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid4183D051.0 " echo "-A Cid4183D051.0 -d 192.0.2.1 -j ACCEPT " echo "-A Cid4183D051.0 -d 192.168.1.1 -j ACCEPT " echo "-A Cid4183D051.0 -d 192.168.2.1 -j ACCEPT " echo "-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT " # # Rule 8 (global) echo "-A OUTPUT -p tcp -m tcp -d 192.0.2.1 --dport 22 -m state --state NEW -j ACCEPT " echo "-A INPUT -p tcp -m tcp -d 192.0.2.1 --dport 22 -m state --state NEW -j ACCEPT " # # Rule 9 (global) echo "-A OUTPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT " echo "-A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT " # # Rule 10 (global) echo "-A OUTPUT -p tcp -m tcp -m multiport -d 192.168.1.1 --dports 22,23 -m state --state NEW -j ACCEPT " echo "-A INPUT -p tcp -m tcp -m multiport -d 192.168.1.1 --dports 22,23 -m state --state NEW -j ACCEPT " # # Rule 11 (global) echo ":Cid4183D07A.0 - [0:0]" echo "-A OUTPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid4183D07A.0 " echo "-A Cid4183D07A.0 -d 192.168.1.1 -j ACCEPT " echo "-A Cid4183D07A.0 -d 192.168.2.1 -j ACCEPT " echo ":Cid4183D07A.1 - [0:0]" echo "-A INPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid4183D07A.1 " echo "-A Cid4183D07A.1 -d 192.168.1.1 -j ACCEPT " echo "-A Cid4183D07A.1 -d 192.168.2.1 -j ACCEPT " # # Rule 12 (global) echo ":Cid4183D085.0 - [0:0]" echo "-A OUTPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid4183D085.0 " echo ":RULE_12 - [0:0]" echo "-A Cid4183D085.0 -d 192.168.1.1 -j RULE_12 " echo "-A Cid4183D085.0 -d 192.168.2.1 -j RULE_12 " echo 
":Cid4183D085.1 - [0:0]" echo "-A INPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid4183D085.1 " echo "-A Cid4183D085.1 -d 192.168.1.1 -j RULE_12 " echo "-A Cid4183D085.1 -d 192.168.2.1 -j RULE_12 " echo "-A RULE_12 -j LOG " echo "-A RULE_12 -j ACCEPT " # # Rule 13 (global) # firewall is part of Any, so compiler should # generate code in both FORWARD and # OUTPUT chains echo "-A OUTPUT -d 200.200.200.200 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 200.200.200.200 -m state --state NEW -j ACCEPT " # # Rule 14 (global) # firewall is part of Any, compiler should # generate code for both FORWARD and # INPUT chains echo "-A INPUT -s 200.200.200.200 -m state --state NEW -j ACCEPT " echo "-A FORWARD -s 200.200.200.200 -m state --state NEW -j ACCEPT " # # Rule 15 (global) # because firewall has interface on network # internal_net, compiler should generate code # for both FORWARD and INPUT chains echo "-A INPUT -s 192.168.1.10 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT " echo "-A FORWARD -s 192.168.1.10 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT " # # Rule 16 (global) echo ":Cid4183D0AE.0 - [0:0]" echo "-A OUTPUT -d 200.200.200.200 -m state --state NEW -j Cid4183D0AE.0 " echo "-A Cid4183D0AE.0 -s 192.168.1.0/24 -j ACCEPT " echo "-A Cid4183D0AE.0 -s 192.168.2.0/24 -j ACCEPT " echo ":Cid4183D0AE.1 - [0:0]" echo "-A FORWARD -d 200.200.200.200 -m state --state NEW -j Cid4183D0AE.1 " echo "-A Cid4183D0AE.1 -s 192.168.1.0/24 -j ACCEPT " echo "-A Cid4183D0AE.1 -s 192.168.2.0/24 -j ACCEPT " # # Rule 17 (global) # Automatically generated 'catch all' rule echo ":RULE_17 - [0:0]" echo "-A OUTPUT -j RULE_17 " echo "-A INPUT -j RULE_17 " echo "-A FORWARD -j RULE_17 " echo "-A RULE_17 -j LOG " echo "-A RULE_17 -j DROP " # echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" echo COMMIT echo '*nat' # ================ Table 'nat', rule 
set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo "-A POSTROUTING -o ppp -s 192.168.1.0/24 -j SNAT --to-source 192.0.2.1 " echo "-A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 " # # Rule 1 (NAT) echo "-A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.23 " echo "-A POSTROUTING -o ppp -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.23 " # # Rule 2 (NAT) echo "-A PREROUTING -p tcp -m tcp -d 192.0.2.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 " echo "-A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 " echo "-A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 " # # Rule 3 (NAT) echo "-A PREROUTING -s 192.168.1.0/24 -d ! 200.200.200.200 -j DNAT --to-destination 192.168.2.10 " echo "-A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 192.168.2.10 -j SNAT --to-source 192.168.2.1 " # echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:33 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall28.fw.orig000077500000000000000000000256361303637203600205620ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:34 2012 PDT by vadim # # files: * firewall28.fw /etc/fw/firewall28.fw # # Compiled for iptables (any version) # # firewall28:Policy:0: error: Rule '0 (global)' shadows rule '1 (global)' below it FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route 
list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.0/24" "" update_addresses_of_interface "eth1 22.22.23.22/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.22 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # this rule should shadow rule #1 because # it uses IPService object with protocol 0 # firewall28:Policy:0: error: Rule '0 (global)' shadows rule '1 (global)' below it $IPTABLES -A OUTPUT -p all -m state --state NEW -j ACCEPT 
$IPTABLES -A INPUT -p all -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p all -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6667 -j RULE_1 $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6667 -j RULE_1 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 6667 -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A RULE_1 -j DROP # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -N RULE_3 $IPTABLES -A OUTPUT -j RULE_3 $IPTABLES -A INPUT -j RULE_3 $IPTABLES -A FORWARD -j RULE_3 $IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY " $IPTABLES -A RULE_3 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:34 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall29.fw.orig000077500000000000000000000301151303637203600205470ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:34 2012 PDT by vadim # # files: * firewall29.fw /etc/fw/firewall29.fw # # Compiled for iptables (any version) # # two dynamic interfaces in the same policy or NAT rule. 
Interfaces have a dot in their names # firewall29:Policy:: warning: Log prefix has been truncated to 29 characters # firewall29:Policy:: warning: Log prefix has been truncated to 29 characters FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
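.*$!!')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Address-family specific wrappers around the *_internal helpers:
# fill <varname>_list for one interface.
getaddr() {
    getaddr_internal "$1" "$2" "-4"
}

getaddr6() {
    getaddr_internal "$1" "$2" "-6"
}

getnet() {
    getnet_internal "$1" "$2" "-4"
}

getnet6() {
    getnet_internal "$1" "$2" "-6"
}

# getinterfaces <name-prefix>
# Print, one per line, the names of all links whose name begins with
# <name-prefix>; used to expand wildcard interfaces. "ip link show" prints
# "N: name: <flags> ...", so splitting on ' ' and ':' yields the name as $2.
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read -r L; do
        OIFS=$IFS
        IFS=" :"
        set -- $L
        IFS=$OIFS
        echo "$2"
    done
}

# diff_intf <func> <list1> <list2> <cmd>
# For every item of <list1> that is not present in <list2>, call
# "<func> <item> <cmd>". Items are compared as whole words: the previous
# "echo $list2 | grep -q $intf" was an unanchored regex search, so "eth0"
# was considered present when the list contained "eth0.100" and the dots
# in addresses acted as wildcards.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    # Normalise list2 (which may be newline separated) into one
    # space-separated string so the case patterns below can match on it.
    set -- $list2
    for intf in $list1
    do
        case " $* " in
            *" $intf "*)
                ;;
            *)
                # $intf is absent in list 2
                $func "$intf" "$cmd"
                ;;
        esac
    done
}

# find_program <name-or-path>: abort before any rule is touched when a
# required program cannot be found.
find_program() {
    PGM=$1
    which "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

check_tools() {
    find_program which
    find_program "$IPTABLES"
    find_program "$IP"
}

# reset_iptables_v4: set DROP policies on the built-in filter chains, then
# flush every chain in every loaded table and delete the user-defined ones.
# The policies are set first so the firewall fails closed while the rule
# set is being rebuilt.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    while read -r table; do
        $IPTABLES -t "$table" -L -n | while read -r c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t "$table" -F "$chain"
            fi
        done
        $IPTABLES -t "$table" -X
    done < /proc/net/ip_tables_names
}

# reset_iptables_v6: IPv6 counterpart of reset_iptables_v4.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    while read -r table; do
        $IP6TABLES -t "$table" -L -n | while read -r c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t "$table" -F "$chain"
            fi
        done
        $IP6TABLES -t "$table" -X
    done < /proc/net/ip6_tables_names
}

# Set once the point-to-point warning has been printed so it appears only once.
P2P_INTERFACE_WARNING=""

# missing_address <addr@interface> <add|del>
# Add or remove one address on an interface; addresses of point-to-point
# interfaces are skipped with a warning. (Body continues below.)
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface.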
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth1 192.168.1.100/24" "" getaddr eth0.200 i_eth0_200 getaddr6 eth0.200 i_eth0_200_v6 getnet eth0.200 i_eth0_200_network getnet6 eth0.200 i_eth0_200_v6_network getaddr eth0.100 i_eth0_100 getaddr6 eth0.100 i_eth0_100_v6 getnet eth0.100 i_eth0_100_network getnet6 eth0.100 i_eth0_100_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -t nat -A PREROUTING -d $i_eth0_100 -j DNAT --to-destination 192.168.1.10 done for i_eth0_200 in $i_eth0_200_list do test -n "$i_eth0_200" && $IPTABLES -t nat -A PREROUTING -d $i_eth0_200 -j DNAT --to-destination 192.168.1.10 done # ================ Table 'filter', rule set Policy # # Rule 0 (eth0.200) # echo "Rule 0 (eth0.200)" # for i_eth0_200 in $i_eth0_200_list do test -n "$i_eth0_200" && $IPTABLES -A OUTPUT -o eth0.200 -s $i_eth0_200 -m state --state NEW -j ACCEPT done # # Rule 1 (global) # echo "Rule 1 (global)" # for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -A INPUT -s $i_eth0_100 -m state 
--state NEW -j ACCEPT done for i_eth0_200 in $i_eth0_200_list do test -n "$i_eth0_200" && $IPTABLES -A INPUT -s $i_eth0_200 -m state --state NEW -j ACCEPT done $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -A OUTPUT -s $i_eth0_100 -m state --state NEW -j ACCEPT done for i_eth0_200 in $i_eth0_200_list do test -n "$i_eth0_200" && $IPTABLES -A OUTPUT -s $i_eth0_200 -m state --state NEW -j ACCEPT done $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -A OUTPUT -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT for i_eth0_200 in $i_eth0_200_list do test -n "$i_eth0_200" && $IPTABLES -A OUTPUT -p udp -m udp -m multiport -d $i_eth0_200 --dports 68,67 -m state --state NEW -j ACCEPT done $IPTABLES -A INPUT -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT for i_eth0_200 in $i_eth0_200_list do test -n "$i_eth0_200" && $IPTABLES -A INPUT -p udp -m udp -m multiport -d $i_eth0_200 --dports 68,67 -m state --state NEW -j ACCEPT done # # Rule 3 (global) # echo "Rule 3 (global)" # # should be --connlimit-above 10 $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m connlimit --connlimit-above 10 -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # should be ! --connlimit-above 10 $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m connlimit \! 
--connlimit-above 10 -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -j RULE_5 $IPTABLES -A INPUT -j RULE_5 $IPTABLES -A FORWARD -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level debug --log-prefix "RULE 5 -- DENY on interface g" $IPTABLES -A RULE_5 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:34 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall3.fw.orig000077500000000000000000000412611303637203600204630ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:36 2012 PDT by vadim # # files: * firewall3.fw /etc/fw/firewall3.fw # # Compiled for iptables (any version) # # this object is used to test negation in policy rules with "Assume firewall is part of 'Any'" turned OFF FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23 # ================ Table 'filter', rule set Policy # # Rule 0 (lo) # echo "Rule 0 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 1 (eth1) # echo "Rule 1 (eth1)" # $IPTABLES -N In_RULE_1 $IPTABLES -A FORWARD -i eth1 -p all -f -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level debug $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (eth0) # echo "Rule 2 (eth0)" # $IPTABLES -N In_RULE_2 $IPTABLES -A FORWARD -i eth0 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A In_RULE_2 -j LOG --log-level debug $IPTABLES -A In_RULE_2 -j DROP # # Rule 3 (eth0,eth2) # echo "Rule 3 (eth0,eth2)" # $IPTABLES -N In_RULE_3 $IPTABLES -A FORWARD -i eth0 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A 
FORWARD -i eth2 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_3 $IPTABLES -A In_RULE_3 -j LOG --log-level debug $IPTABLES -A In_RULE_3 -j DROP # # Rule 4 (eth0) # echo "Rule 4 (eth0)" # # testing choice of chains in case when several interfaces # are used and rule matches on any or broadcast $IPTABLES -A INPUT -i eth0 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 5 (eth0,eth2) # echo "Rule 5 (eth0,eth2)" # # testing choice of chains in case when several interfaces # are used and rule matches on any or broadcast $IPTABLES -A INPUT -i eth0 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth2 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 6 (eth0) # echo "Rule 6 (eth0)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 7 (eth0,eth2) # echo "Rule 7 (eth0,eth2)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth2 -p udp -m udp -m multiport -s 0.0.0.0 -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule 10 (eth1) # echo "Rule 10 (eth1)" # # Anti-spoofing rule $IPTABLES -N In_RULE_10 $IPTABLES -A FORWARD -i eth1 -s 22.22.22.22 -j In_RULE_10 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.1 -j In_RULE_10 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.1 -j In_RULE_10 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_10 $IPTABLES -A In_RULE_10 -j LOG --log-level debug $IPTABLES -A In_RULE_10 -j DROP # # Rule 11 (eth1) # echo "Rule 11 (eth1)" # # Anti-spoofing rule $IPTABLES -N Cid3B02271D.0 $IPTABLES -A OUTPUT -o eth1 -j Cid3B02271D.0 $IPTABLES -A Cid3B02271D.0 -s 22.22.22.22 -j RETURN $IPTABLES -A Cid3B02271D.0 -s 192.168.1.1 -j RETURN $IPTABLES -A Cid3B02271D.0 -s 
192.168.2.1 -j RETURN $IPTABLES -N Out_RULE_11_3 $IPTABLES -A Cid3B02271D.0 -j Out_RULE_11_3 $IPTABLES -A Out_RULE_11_3 -j LOG --log-level debug $IPTABLES -A Out_RULE_11_3 -j DROP $IPTABLES -N Cid3B02271D.1 $IPTABLES -A FORWARD -o eth1 -j Cid3B02271D.1 $IPTABLES -A Cid3B02271D.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid3B02271D.1 -j Out_RULE_11_3 # # Rule 12 (global) # echo "Rule 12 (global)" # # hostF has the same IP address as firewal. $IPTABLES -N RULE_12 $IPTABLES -A INPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_12 $IPTABLES -A RULE_12 -j LOG --log-level debug $IPTABLES -A RULE_12 -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # # testing negation in the policy rule $IPTABLES -N Cid3B0226DF.0 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid3B0226DF.0 $IPTABLES -A Cid3B0226DF.0 -s 192.168.1.10 -j RETURN $IPTABLES -A Cid3B0226DF.0 -s 192.168.1.20 -j RETURN $IPTABLES -N RULE_14_3 $IPTABLES -A Cid3B0226DF.0 -j RULE_14_3 $IPTABLES -A RULE_14_3 -j LOG --log-level debug $IPTABLES -A RULE_14_3 -j DROP # # Rule 15 (global) # echo "Rule 15 (global)" # $IPTABLES -A FORWARD -d ! 
33.33.33.0/24 -m state --state NEW -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # $IPTABLES -N Cid40F57E72.0 $IPTABLES -A FORWARD -m state --state NEW -j Cid40F57E72.0 $IPTABLES -A Cid40F57E72.0 -d 33.33.33.0/24 -j RETURN $IPTABLES -A Cid40F57E72.0 -d 222.222.222.0/24 -j RETURN $IPTABLES -A Cid40F57E72.0 -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # $IPTABLES -N Cid41A8EF1D.0 $IPTABLES -A INPUT -m state --state NEW -j Cid41A8EF1D.0 $IPTABLES -A Cid41A8EF1D.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid41A8EF1D.0 -d 192.168.2.1 -j RETURN $IPTABLES -A Cid41A8EF1D.0 -j ACCEPT $IPTABLES -A FORWARD -m state --state NEW -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # # testing negation in service field $IPTABLES -N Cid3B0226EA.0 $IPTABLES -A FORWARD -d 192.168.1.10 -j Cid3B0226EA.0 $IPTABLES -A FORWARD -d 192.168.1.20 -j Cid3B0226EA.0 $IPTABLES -A Cid3B0226EA.0 -p tcp -m tcp -m multiport --dports 25,22 -j RETURN $IPTABLES -N RULE_18_3 $IPTABLES -A Cid3B0226EA.0 -j RULE_18_3 $IPTABLES -A RULE_18_3 -j LOG --log-level debug $IPTABLES -A RULE_18_3 -j DROP # # Rule 19 (global) # echo "Rule 19 (global)" # # 'masquerading' rule $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # # 'catch all' rule $IPTABLES -N RULE_20 $IPTABLES -A FORWARD -j RULE_20 $IPTABLES -A RULE_20 -j LOG --log-level debug $IPTABLES -A RULE_20 -j DROP # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -N Cid440D600617760.0 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid440D600617760.0 $IPTABLES -A Cid440D600617760.0 -s 22.22.22.22 -j RETURN $IPTABLES -A Cid440D600617760.0 -s 192.168.1.1 -j RETURN $IPTABLES -A Cid440D600617760.0 -s 192.168.2.1 -j RETURN $IPTABLES -A Cid440D600617760.0 -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 22 (global) # echo "Rule 22 (global)" # $IPTABLES -N 
Cid440D880417760.0 $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid440D880417760.0 $IPTABLES -A Cid440D880417760.0 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid440D880417760.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid440D880417760.0 -d 192.168.2.1 -j RETURN $IPTABLES -A Cid440D880417760.0 -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 23 (eth1,eth0,eth2) # echo "Rule 23 (eth1,eth0,eth2)" # # this rule should go only to the FORWARD # chain but should have "-i eth" clause $IPTABLES -A FORWARD -i eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth2 -m state --state NEW -j ACCEPT } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:36 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? 
;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall30.fw.orig000077500000000000000000000226561303637203600205520ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:36 2012 PDT by vadim # # files: * firewall30.fw /etc/fw/firewall30.fw # # Compiled for iptables (any version) # # testing shading of rules using MAC addresses FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A INPUT -m mac --mac-source 00:10:4b:de:e9:6f -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m mac --mac-source 00:10:4b:de:e9:6f -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -A INPUT -m mac --mac-source 00:10:4b:de:e9:70 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m mac --mac-source 00:10:4b:de:e9:70 -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N RULE_2 $IPTABLES -A OUTPUT -j RULE_2 $IPTABLES -A INPUT -j RULE_2 $IPTABLES -A FORWARD -j RULE_2 $IPTABLES -A RULE_2 -j LOG --log-level debug --log-prefix "RULE 2 -- DENY global" $IPTABLES -A RULE_2 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
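-e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# 'status': succeed when either the IPv4 or the IPv6 tables are loaded and
# configured; otherwise print what is missing and exit with status 3.
# Separate [ ] tests joined with || replace the non-portable '-o' operator.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=${1:-start}

case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:36 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        # NOTE(review): only the status of epilog_commands is reported; a
        # failure while loading rules in script_body is not propagated.
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # Dry run: with FWBDEBUG="echo" the interface commands are printed
        # instead of executed.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        # An unrecognised command is a usage error and must not exit 0
        # (leaving RETVAL unset made the final 'exit' report success).
        RETVAL=1
        ;;
esac

exit "$RETVAL"fwbuilder-5.3.7/test/ipt/firewall31.fw.orig000077500000000000000000000322401303637203600205410ustar00rootroot00000000000000#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !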
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:37 2012 PDT by vadim # # files: * firewall31.fw /etc/fw/firewall31.fw # # Compiled for iptables (any version) # # used to test time matching rules FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 33.33.33.33/24" "" update_addresses_of_interface "eth1 192.168.1.1/24" "" getaddr ppp0 i_ppp0 getaddr6 ppp0 i_ppp0_v6 getnet ppp0 i_ppp0_network getnet6 ppp0 i_ppp0_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -N RULE_0 $IPTABLES -A INPUT -s 192.168.1.0/24 -m time --timestart 00:00 --timestop 23:59 --days Sat -j RULE_0 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m time --timestart 00:00 --timestop 23:59 --days Sat -j RULE_0 $IPTABLES -A FORWARD -s 192.168.1.0/24 -m time --timestart 00:00 --timestop 
23:59 --days Sat -j RULE_0 $IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A RULE_0 -j DROP # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -m time --timestart 18:00 --timestop 23:59 -j RULE_1 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -m time --timestart 18:00 --timestop 23:59 -j RULE_1 $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -m time --timestart 18:00 --timestop 23:59 -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT " $IPTABLES -A RULE_1 -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -N RULE_3 $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RULE_3 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RULE_3 $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RULE_3 $IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT " $IPTABLES -A RULE_3 -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N Cid4299E23B.0 $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j Cid4299E23B.0 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j Cid4299E23B.0 $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j Cid4299E23B.0 $IPTABLES -A Cid4299E23B.0 -m time 
--timestart 00:00 --timestop 23:59 --days Sat,Sun -j RETURN $IPTABLES -N RULE_4_3 $IPTABLES -A Cid4299E23B.0 -j RULE_4_3 $IPTABLES -A RULE_4_3 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT " $IPTABLES -A RULE_4_3 -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N Cid4299E247.0 $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j Cid4299E247.0 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j Cid4299E247.0 $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j Cid4299E247.0 $IPTABLES -A Cid4299E247.0 -m time --timestart 00:00 --timestop 23:59 --days Sat -j RETURN $IPTABLES -A Cid4299E247.0 -m time --timestart 00:00 --timestop 23:59 --days Sun -j RETURN $IPTABLES -N RULE_5_3 $IPTABLES -A Cid4299E247.0 -j RULE_5_3 $IPTABLES -A RULE_5_3 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5_3 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N RULE_6 $IPTABLES -A OUTPUT -j RULE_6 $IPTABLES -A INPUT -j RULE_6 $IPTABLES -A FORWARD -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " $IPTABLES -A RULE_6 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:37 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall32.fw.orig000077500000000000000000000271431303637203600205500ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:37 2012 PDT by vadim # # files: * firewall32.fw /etc/fw/firewall32.fw # # Compiled for iptables (any version) # # testing AddressTable FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 
's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth1 192.168.1.100/24" "" getaddr eth0.100 i_eth0_100 getaddr6 eth0.100 i_eth0_100_v6 getnet eth0.100 i_eth0_100_network getnet6 eth0.100 i_eth0_100_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -t nat -A PREROUTING -d $i_eth0_100 -j DNAT --to-destination 192.168.1.10 done # ================ Table 'filter', rule set Policy_fw32 # # Rule Policy_fw32 0 (eth0.100) # echo "Rule Policy_fw32 0 (eth0.100)" # for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -A INPUT -i eth0.100 -s $i_eth0_100 -j DROP done $IPTABLES -A INPUT -i eth0.100 -s 192.168.1.0/24 -j DROP for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -A FORWARD -i eth0.100 -s $i_eth0_100 -j DROP done $IPTABLES -A FORWARD -i eth0.100 -s 192.168.1.0/24 -j DROP # # Rule Policy_fw32 1 (global) # echo "Rule Policy_fw32 1 (global)" # $IPTABLES -A INPUT -s 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.1.2 -m state --state NEW -j 
ACCEPT $IPTABLES -A INPUT -s 192.168.1.3/30 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.1.200 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.1.201 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.2.128/25 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.2 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.3/30 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.200 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.201 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.2.128/25 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.3/30 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.200 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.201 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.2.128/25 -m state --state NEW -j ACCEPT # # Rule Policy_fw32 2 (global) # echo "Rule Policy_fw32 2 (global)" # $IPTABLES -A OUTPUT -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT # # Rule Policy_fw32 3 (global) # echo "Rule Policy_fw32 3 (global)" # $IPTABLES -N Policy_fw32_3 $IPTABLES -A OUTPUT -j Policy_fw32_3 $IPTABLES -A INPUT -j Policy_fw32_3 $IPTABLES -A FORWARD -j Policy_fw32_3 $IPTABLES -A Policy_fw32_3 -j LOG --log-level debug --log-prefix "RULE 3 -- DENY on global " $IPTABLES -A Policy_fw32_3 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:37 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall33-1.fw.orig000077500000000000000000000367221303637203600207120ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:40 2012 PDT by vadim # # files: * firewall33-1.fw /etc/fw/firewall33-1.fw # # Compiled for iptables (any version) # # firewall33-1:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode # firewall33-1:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode # firewall33-1:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode # firewall33-1:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.0.2.1/24" "" update_addresses_of_interface "eth1 192.168.1.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -N Policy $IPTABLES -A Policy -s 157.166.226.25 -m state --state NEW -j ACCEPT $IPTABLES -A Policy -s 157.166.226.26 -m state --state NEW -j ACCEPT $IPTABLES -A Policy -s 157.166.255.18 -m state --state NEW -j ACCEPT $IPTABLES -A Policy -s 157.166.255.19 -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # 
$IPTABLES -A Policy -s www.cnn.com -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # firewall33-1:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -A Policy -s 192.0.2.1 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -A Policy -s buildmaster -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N Cid4386E38318346.0 $IPTABLES -A Policy -j Cid4386E38318346.0 $IPTABLES -A Cid4386E38318346.0 -d 157.166.226.25 -j RETURN $IPTABLES -A Cid4386E38318346.0 -d 157.166.226.26 -j RETURN $IPTABLES -A Cid4386E38318346.0 -d 157.166.255.18 -j RETURN $IPTABLES -A Cid4386E38318346.0 -d 157.166.255.19 -j RETURN $IPTABLES -A Cid4386E38318346.0 -j DROP # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N Cid4386E37718346.0 $IPTABLES -A Policy -j Cid4386E37718346.0 $IPTABLES -A Cid4386E37718346.0 -d www.cnn.com -j RETURN $IPTABLES -A Cid4386E37718346.0 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # # firewall33-1:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -N Cid43867C3018346.0 $IPTABLES -A Policy -m state --state NEW -j Cid43867C3018346.0 $IPTABLES -A Cid43867C3018346.0 -d 192.0.2.1 -j RETURN $IPTABLES -A Cid43867C3018346.0 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N Cid4386C10D18346.0 $IPTABLES -A Policy -m state --state NEW -j Cid4386C10D18346.0 $IPTABLES -A Cid4386C10D18346.0 -d buildmaster -j RETURN $IPTABLES -A Cid4386C10D18346.0 -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N Cid438728A918346.0 $IPTABLES -A Policy -m state --state NEW -j Cid438728A918346.0 
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.112 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 74.125.224.113 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 74.125.224.114 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 74.125.224.115 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 74.125.224.116 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 157.166.226.25 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 157.166.226.26 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 157.166.255.18 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 157.166.255.19 -j RETURN $IPTABLES -A Cid438728A918346.0 -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N Cid438728BA18346.0 $IPTABLES -A Policy -m state --state NEW -j Cid438728BA18346.0 $IPTABLES -A Cid438728BA18346.0 -d www.cnn.com -j RETURN $IPTABLES -A Cid438728BA18346.0 -d www.google.com -j RETURN $IPTABLES -A Cid438728BA18346.0 -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -N Cid438728CD18346.0 $IPTABLES -A Policy -m state --state NEW -j Cid438728CD18346.0 $IPTABLES -A Cid438728CD18346.0 -d www.google.com -j RETURN $IPTABLES -A Cid438728CD18346.0 -d 157.166.226.25 -j RETURN $IPTABLES -A Cid438728CD18346.0 -d 157.166.226.26 -j RETURN $IPTABLES -A Cid438728CD18346.0 -d 157.166.255.18 -j RETURN $IPTABLES -A Cid438728CD18346.0 -d 157.166.255.19 -j RETURN $IPTABLES -A Cid438728CD18346.0 -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # # test for bug #1905718 # Group of DNS Name objects considered empty $IPTABLES -A Policy -d 6bone.net -m state --state NEW -j ACCEPT $IPTABLES -A Policy -d ny6ix.net -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -A Policy -d 72.55.148.116 -m state --state NEW -j ACCEPT $IPTABLES -A Policy -d 207.251.84.150 -m state --state NEW -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -N RULE_13 $IPTABLES -A Policy -j RULE_13 $IPTABLES -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY " $IPTABLES -A RULE_13 
-j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # branches to firewall33:Policy which uses DNSName objects # testing for bug 1485 $IPTABLES -A OUTPUT -j Policy $IPTABLES -A INPUT -j Policy $IPTABLES -A FORWARD -j Policy } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:40 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall33.fw.orig000077500000000000000000000426761303637203600205610ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:40 2012 PDT by vadim # # files: * firewall33.fw /etc/fw/firewall33.fw # # Compiled for iptables (any version) # # testing DNSName object # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode # firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth1 192.168.1.100/24" "" getaddr eth0.100 i_eth0_100 getaddr6 eth0.100 i_eth0_100_v6 getnet eth0.100 i_eth0_100_network getnet6 eth0.100 i_eth0_100_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -t nat -A PREROUTING -d $i_eth0_100 -j DNAT --to-destination 192.168.1.10 done # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0.100 -d 157.166.226.25 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o eth0.100 -d 157.166.226.26 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o eth0.100 -d 157.166.255.18 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o eth0.100 -d 157.166.255.19 -j MASQUERADE # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0.100 -d www.cnn.com -j MASQUERADE # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0.100 -d www.google.com -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o eth0.100 -d www.cnn.com -j MASQUERADE # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # 
$IPTABLES -t nat -N Cid43876E7B18346.0 $IPTABLES -t nat -A POSTROUTING -o eth0.100 -j Cid43876E7B18346.0 $IPTABLES -t nat -A Cid43876E7B18346.0 -d www.google.com -j RETURN $IPTABLES -t nat -A Cid43876E7B18346.0 -d www.cnn.com -j RETURN $IPTABLES -t nat -A Cid43876E7B18346.0 -j MASQUERADE # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A INPUT -s 157.166.226.25 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 157.166.226.26 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 157.166.255.18 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 157.166.255.19 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 157.166.226.25 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 157.166.226.26 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 157.166.255.18 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 157.166.255.19 -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -A INPUT -s www.cnn.com -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s www.cnn.com -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -A INPUT -s 192.0.2.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.0.2.1 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -A INPUT -s buildmaster -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s buildmaster -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N Cid4386E38318346.0 $IPTABLES -A OUTPUT -j Cid4386E38318346.0 $IPTABLES -A INPUT -j Cid4386E38318346.0 $IPTABLES -A FORWARD -j Cid4386E38318346.0 $IPTABLES -A Cid4386E38318346.0 -d 157.166.226.25 -j RETURN $IPTABLES -A Cid4386E38318346.0 
-d 157.166.226.26 -j RETURN $IPTABLES -A Cid4386E38318346.0 -d 157.166.255.18 -j RETURN $IPTABLES -A Cid4386E38318346.0 -d 157.166.255.19 -j RETURN $IPTABLES -A Cid4386E38318346.0 -j DROP # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N Cid4386E37718346.0 $IPTABLES -A OUTPUT -j Cid4386E37718346.0 $IPTABLES -A INPUT -j Cid4386E37718346.0 $IPTABLES -A FORWARD -j Cid4386E37718346.0 $IPTABLES -A Cid4386E37718346.0 -d www.cnn.com -j RETURN $IPTABLES -A Cid4386E37718346.0 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # # firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -N Cid43867C3018346.0 $IPTABLES -A OUTPUT -m state --state NEW -j Cid43867C3018346.0 $IPTABLES -A INPUT -m state --state NEW -j Cid43867C3018346.0 $IPTABLES -A FORWARD -m state --state NEW -j Cid43867C3018346.0 $IPTABLES -A Cid43867C3018346.0 -d 192.0.2.1 -j RETURN $IPTABLES -A Cid43867C3018346.0 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N Cid4386C10D18346.0 $IPTABLES -A OUTPUT -m state --state NEW -j Cid4386C10D18346.0 $IPTABLES -A INPUT -m state --state NEW -j Cid4386C10D18346.0 $IPTABLES -A FORWARD -m state --state NEW -j Cid4386C10D18346.0 $IPTABLES -A Cid4386C10D18346.0 -d buildmaster -j RETURN $IPTABLES -A Cid4386C10D18346.0 -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N Cid438728A918346.0 $IPTABLES -A OUTPUT -m state --state NEW -j Cid438728A918346.0 $IPTABLES -A INPUT -m state --state NEW -j Cid438728A918346.0 $IPTABLES -A FORWARD -m state --state NEW -j Cid438728A918346.0 $IPTABLES -A Cid438728A918346.0 -d 74.125.224.112 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 74.125.224.113 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 74.125.224.114 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 74.125.224.115 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 
74.125.224.116 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 157.166.226.25 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 157.166.226.26 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 157.166.255.18 -j RETURN $IPTABLES -A Cid438728A918346.0 -d 157.166.255.19 -j RETURN $IPTABLES -A Cid438728A918346.0 -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N Cid438728BA18346.0 $IPTABLES -A OUTPUT -m state --state NEW -j Cid438728BA18346.0 $IPTABLES -A INPUT -m state --state NEW -j Cid438728BA18346.0 $IPTABLES -A FORWARD -m state --state NEW -j Cid438728BA18346.0 $IPTABLES -A Cid438728BA18346.0 -d www.cnn.com -j RETURN $IPTABLES -A Cid438728BA18346.0 -d www.google.com -j RETURN $IPTABLES -A Cid438728BA18346.0 -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -N Cid438728CD18346.0 $IPTABLES -A OUTPUT -m state --state NEW -j Cid438728CD18346.0 $IPTABLES -A INPUT -m state --state NEW -j Cid438728CD18346.0 $IPTABLES -A FORWARD -m state --state NEW -j Cid438728CD18346.0 $IPTABLES -A Cid438728CD18346.0 -d www.google.com -j RETURN $IPTABLES -A Cid438728CD18346.0 -d 157.166.226.25 -j RETURN $IPTABLES -A Cid438728CD18346.0 -d 157.166.226.26 -j RETURN $IPTABLES -A Cid438728CD18346.0 -d 157.166.255.18 -j RETURN $IPTABLES -A Cid438728CD18346.0 -d 157.166.255.19 -j RETURN $IPTABLES -A Cid438728CD18346.0 -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # # test for bug #1905718 # Group of DNS Name objects considered empty $IPTABLES -A OUTPUT -d 6bone.net -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d ny6ix.net -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 6bone.net -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d ny6ix.net -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -A OUTPUT -d 72.55.148.116 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 207.251.84.150 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 72.55.148.116 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD 
-d 207.251.84.150 -m state --state NEW -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -N RULE_13 $IPTABLES -A OUTPUT -j RULE_13 $IPTABLES -A INPUT -j RULE_13 $IPTABLES -A FORWARD -j RULE_13 $IPTABLES -A RULE_13 -j LOG --log-level debug --log-prefix "RULE 13 -- DENY on global " $IPTABLES -A RULE_13 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:40 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall34.fw.orig000077500000000000000000000521561303637203600205540ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. 
DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:41 2012 PDT by vadim # # files: * firewall34.fw /etc/fw/firewall34.fw # # Compiled for iptables (any version) # # testing AddressTable object # firewall34:Policy:12: warning: Empty group or address table object 'empty table' # firewall34:Policy:12: warning: After removal of all empty groups and address table objects rule element Dst becomes 'any' in the rule 12 (global) # Dropping rule 12 (global) because option 'Ignore rules with empty groups' is in effect FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : check_file "addr-table-1:a" "addr-table-1.tbl" check_file "block_these" "block-hosts.tbl" } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth1 192.168.1.100/24" "" getaddr eth0.100 i_eth0_100 getaddr6 eth0.100 i_eth0_100_v6 getnet eth0.100 i_eth0_100_network getnet6 eth0.100 i_eth0_100_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -N Cid4389EEB018346.0 for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $i_eth0_100 --dport 25 -j Cid4389EEB018346.0 done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -t nat -A Cid4389EEB018346.0 -s $at_block_these -j RETURN done $IPTABLES -t nat -A Cid4389EEB018346.0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.10 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -N Cid43891B6E674.0 $IPTABLES -t nat -A POSTROUTING -o eth0.100 -s 192.168.1.0/24 -j Cid43891B6E674.0 grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -t nat -A Cid43891B6E674.0 -d 
$at_block_these -j RETURN done $IPTABLES -t nat -A Cid43891B6E674.0 -j MASQUERADE # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 192.168.1.2 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 192.168.1.3/30 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 192.168.1.200 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 192.168.1.201 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 192.168.2.128/25 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 192.168.1.2 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 192.168.1.3/30 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 192.168.1.200 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 192.168.1.201 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 192.168.2.128/25 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.3/30 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.200 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.201 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.2.128/25 -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A OUTPUT -d $at_block_these -j RULE_1 done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A FORWARD -d $at_block_these -j RULE_1 done $IPTABLES -A RULE_1 -j LOG --log-level debug --log-prefix "RULE 1 -- DENY on global " $IPTABLES -A RULE_1 -j DROP # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N RULE_2 grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; 
at_block_these=$1; $IPTABLES -A OUTPUT -d $at_block_these -j RULE_2 done $IPTABLES -A OUTPUT -d 61.150.47.112 -j RULE_2 grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A FORWARD -d $at_block_these -j RULE_2 done $IPTABLES -A FORWARD -d 61.150.47.112 -j RULE_2 $IPTABLES -A RULE_2 -j LOG --log-level debug --log-prefix "RULE 2 -- DENY on global " $IPTABLES -A RULE_2 -j DROP # # Rule 3 (global) # echo "Rule 3 (global)" # grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A OUTPUT -p tcp -m tcp -d $at_block_these --dport 25 -j DROP done $IPTABLES -A OUTPUT -p tcp -m tcp -d 61.150.47.112 --dport 25 -j DROP grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A FORWARD -p tcp -m tcp -d $at_block_these --dport 25 -j DROP done $IPTABLES -A FORWARD -p tcp -m tcp -d 61.150.47.112 --dport 25 -j DROP # # Rule 4 (global) # echo "Rule 4 (global)" # for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && { grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0_100 -d $at_block_these --dport 25 -j DROP done } done for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0_100 -d 61.150.47.112 --dport 25 -j DROP done # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N RULE_5 grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A INPUT -s $at_block_these -j RULE_5 done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A FORWARD -s $at_block_these -j RULE_5 done $IPTABLES -A RULE_5 -j LOG --log-level debug --log-prefix "RULE 5 -- DENY on global " $IPTABLES -A RULE_5 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N RULE_6 grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; 
at_block_these=$1; $IPTABLES -A INPUT -s $at_block_these -j RULE_6 done $IPTABLES -A INPUT -s 61.150.47.112 -j RULE_6 grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A FORWARD -s $at_block_these -j RULE_6 done $IPTABLES -A FORWARD -s 61.150.47.112 -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level debug --log-prefix "RULE 6 -- DENY on global " $IPTABLES -A RULE_6 -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N Cid4388F5A9674.0 $IPTABLES -A OUTPUT -m state --state NEW -j Cid4388F5A9674.0 $IPTABLES -A INPUT -m state --state NEW -j Cid4388F5A9674.0 $IPTABLES -A FORWARD -m state --state NEW -j Cid4388F5A9674.0 grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A Cid4388F5A9674.0 -s $at_block_these -j RETURN done $IPTABLES -A Cid4388F5A9674.0 -s 61.150.47.112 -j RETURN $IPTABLES -A Cid4388F5A9674.0 -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N Cid4392312525682.0 for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -A INPUT -s $i_eth0_100 -m state --state NEW -j Cid4392312525682.0 done for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && $IPTABLES -A OUTPUT -s $i_eth0_100 -m state --state NEW -j Cid4392312525682.0 done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A Cid4392312525682.0 -d $at_block_these -j RETURN done $IPTABLES -A Cid4392312525682.0 -d 61.150.47.112 -j RETURN $IPTABLES -A Cid4392312525682.0 -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 25 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.1.10 --dport 25 -m state --state NEW -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 
192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -N RULE_11 $IPTABLES -A OUTPUT -j RULE_11 $IPTABLES -A INPUT -j RULE_11 $IPTABLES -A FORWARD -j RULE_11 $IPTABLES -A RULE_11 -j LOG --log-level debug --log-prefix "RULE 11 -- DENY on global " $IPTABLES -A RULE_11 -j DROP # # Rule 13 (global) # echo "Rule 13 (global)" # # using address table # object with no addresses $IPTABLES -N RULE_13 $IPTABLES -A OUTPUT -d 22.22.22.0/24 -j RULE_13 $IPTABLES -A FORWARD -d 22.22.22.0/24 -j RULE_13 $IPTABLES -A RULE_13 -j LOG --log-level debug --log-prefix "RULE 13 -- DENY on global " $IPTABLES -A RULE_13 -j DROP # # Rule 14 (global) # echo "Rule 14 (global)" # # using connlimit # option. Connlimit # is only valid in combination # with "-p tcp -m tcp" $IPTABLES -N Cid45948F957794.0 $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -m connlimit --connlimit-above 2 -j Cid45948F957794.0 $IPTABLES -A Cid45948F957794.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid45948F957794.0 -d 192.168.1.2 -j ACCEPT $IPTABLES -A Cid45948F957794.0 -d 192.168.1.3/30 -j ACCEPT $IPTABLES -A Cid45948F957794.0 -d 192.168.1.200 -j ACCEPT $IPTABLES -A Cid45948F957794.0 -d 192.168.1.201 -j ACCEPT $IPTABLES -A Cid45948F957794.0 -d 192.168.2.128/25 -j ACCEPT $IPTABLES -N Cid45948F957794.1 $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -m connlimit --connlimit-above 2 -j Cid45948F957794.1 $IPTABLES -A Cid45948F957794.1 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid45948F957794.1 -d 192.168.1.2 -j ACCEPT $IPTABLES -A Cid45948F957794.1 -d 192.168.1.3/30 -j ACCEPT $IPTABLES -A Cid45948F957794.1 -d 192.168.1.200 -j ACCEPT $IPTABLES -A Cid45948F957794.1 -d 192.168.1.201 -j ACCEPT $IPTABLES -A Cid45948F957794.1 -d 192.168.2.128/25 -j ACCEPT $IPTABLES -N Cid45948F957794.2 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -m connlimit --connlimit-above 2 -j 
Cid45948F957794.2
    $IPTABLES -A Cid45948F957794.2 -d 192.168.1.1 -j ACCEPT
    $IPTABLES -A Cid45948F957794.2 -d 192.168.1.2 -j ACCEPT
    $IPTABLES -A Cid45948F957794.2 -d 192.168.1.3/30 -j ACCEPT
    $IPTABLES -A Cid45948F957794.2 -d 192.168.1.200 -j ACCEPT
    $IPTABLES -A Cid45948F957794.2 -d 192.168.1.201 -j ACCEPT
    $IPTABLES -A Cid45948F957794.2 -d 192.168.2.128/25 -j ACCEPT
    #
    # Rule 15 (global)
    #
    echo "Rule 15 (global)"
    #
    # NOTE(review): addr-table-1.tbl is an *allow* list. The first word of
    # every non-comment line becomes a "-d ADDR ... -j ACCEPT" rule in the
    # OUTPUT and FORWARD chains, read when script_body runs, from a path that
    # is relative to the working directory the script was started from.
    # Whoever can write that file can open holes in this policy, so it needs
    # the same ownership/permission discipline as the script itself.
    # The word is passed unquoted to iptables, `read` has no -r, and
    # `set $L` has no `--`, so a line beginning with '-' is taken as shell
    # options rather than as an address.
    grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do
        set $L; at_addr_table_1_a=$1;
        $IPTABLES -A OUTPUT -d $at_addr_table_1_a -m state --state NEW -j ACCEPT
    done
    grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do
        set $L; at_addr_table_1_a=$1;
        $IPTABLES -A FORWARD -d $at_addr_table_1_a -m state --state NEW -j ACCEPT
    done
    # ================ IPv6
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ================ Table 'filter', rule set Policy_ipv6
    #
    # Rule Policy_ipv6 0 (global)
    #
    echo "Rule Policy_ipv6 0 (global)"
    #
    # NOTE(review): the second destination is a link-local address written
    # with a /64 prefix, so this accepts NEW connections to the whole
    # fe80::/64, not to a single host — confirm that is what the policy
    # object intends.
    $IP6TABLES -A OUTPUT -d 2001:458:20:100:250:b7ff:fe00:2af -m state --state NEW -j ACCEPT
    $IP6TABLES -A OUTPUT -d fe80::21d:9ff:fe8b:8e94/64 -m state --state NEW -j ACCEPT
    $IP6TABLES -A FORWARD -d 2001:458:20:100:250:b7ff:fe00:2af -m state --state NEW -j ACCEPT
    $IP6TABLES -A FORWARD -d fe80::21d:9ff:fe8b:8e94/64 -m state --state NEW -j ACCEPT
    #
    # Rule Policy_ipv6 1 (global)
    #
    echo "Rule Policy_ipv6 1 (global)"
    #
    # Catch-all for IPv6: anything not accepted above is logged (level debug)
    # and dropped, in all three built-in chains.
    $IP6TABLES -N Policy_ipv6_1
    $IP6TABLES -A OUTPUT -j Policy_ipv6_1
    $IP6TABLES -A INPUT -j Policy_ipv6_1
    $IP6TABLES -A FORWARD -j Policy_ipv6_1
    $IP6TABLES -A Policy_ipv6_1 -j LOG --log-level debug --log-prefix "RULE 1 -- DENY on global "
    $IP6TABLES -A Policy_ipv6_1 -j DROP
}

# IPv4 forwarding is left exactly as the kernel currently has it; this
# script never writes /proc/sys/net/ipv4/ip_forward.
ip_forward() {
    :
}

# Both address families are reset: built-in policies to DROP first, then
# every table flushed and its user chains deleted (see reset_iptables_v4/v6).
reset_all() {
    :
    reset_iptables_v4
    reset_iptables_v6
}

# 'block' is fail-closed: DROP policies with no rules, for IPv4 and IPv6.
block_action() {
    reset_all
}

# 'stop' (body continues on the next line): resets as above and then sets
# the built-in chains to ACCEPT, i.e. leaves the host completely unfiltered.
stop_action() {
reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:41 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat ipv6" configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall35.fw.orig000077500000000000000000000421601303637203600205470ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:41 2012 PDT by vadim # # files: * firewall35.fw /etc/fw/firewall35.fw # # Compiled for iptables (any version) # # testing AddressTable object # like firewall34, but uses different script format FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!')
    # (tail of getnet_internal, whose head is on the previous line)
    # NOTE(review): `grep $dev` above is not anchored, so a device name like
    # "eth0" also matches routes of "eth0.100"; the result is therefore a
    # whitespace-separated list, which is why it is stored in ${name}_list.
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Per-family wrappers. The interface name and the variable name given to
# the eval above are fixed at compile time by fwbuilder (see
# configure_interfaces), not taken from run-time input.
getaddr() {
    getaddr_internal $1 $2 "-4"
}
getaddr6() {
    getaddr_internal $1 $2 "-6"
}
getnet() {
    getnet_internal $1 $2 "-4"
}
getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
# Prints the name of every link whose name begins with $1 (": eth0" matches
# both "eth0" and "eth0.100"). `set $L` is fed "N: name: <flags> ..." lines
# from `ip link show`, whose first word is a number, so it cannot be mistaken
# for shell options.
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# diff_intf FUNC LIST1 LIST2 CMD: runs "FUNC ITEM CMD" for every item of
# LIST1 that is absent from LIST2. Membership is an unanchored grep, so an
# item is treated as present when it is a substring of some LIST2 entry.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        echo $list2 | grep -q $intf || {
            # $vlan is absent in list 2
            $func $intf $cmd
        }
    done
}

# Aborts the whole script when a required tool is not on PATH.
find_program() {
    PGM=$1
    which $PGM >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# This script loads its rules through iptables-restore, so that binary is
# required in addition to iptables and ip.
check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $IPTABLES_RESTORE
    find_program $IP
}

# Fail-closed reset: the built-in filter chains are switched to DROP *before*
# anything is flushed, so there is no window in which the host is open while
# the old rules are being removed. Every table the kernel lists in
# /proc/net/ip_tables_names is then flushed chain by chain and its user
# chains deleted.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

# IPv6 counterpart of reset_iptables_v4, same DROP-then-flush ordering.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t $table -F $chain
            fi
        done
        $IP6TABLES -t $table -X
    done
}

P2P_INTERFACE_WARNING=""

# missing_address ADDR@IFACE add|del: adds or removes one address on an
# interface and brings the link up. Point-to-point interfaces are left
# untouched, with a warning printed once per run.
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }
    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        # NOTE(review): `A && { B } || { C }` is not if/else — if the IPv6
        # add (B) fails, the IPv4 form with `broadcast +` (C) is attempted too.
        echo $addr | grep -q ':' && {
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        } || {
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        }
    }
    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }
    $FWBDEBUG $IP link set $interface up
}

# list_addresses_by_scope IFACE SCOPE_REGEX IGNORE_LIST: prints "addr@IFACE"
# for every inet/inet6 address on IFACE whose `ip addr` line matches
# SCOPE_REGEX, skipping the addresses named in IGNORE_LIST. Output is sorted
# so it can be compared against the list fwbuilder generates.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
    awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
    'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
    while read addr; do
        echo "${addr}@$interface"
    done | sort
}

# update_addresses_of_interface "IFACE ADDR..." IGNORE_LIST: makes IFACE carry
# the listed addresses. Addresses fwbuilder expects but the interface lacks
# (any scope) are added; global-scope addresses the interface has but
# fwbuilder does not list (and that are not in IGNORE_LIST) are deleted.
# Addresses of other scopes (link/host) are never removed.
# NOTE(review): this is the destructive step of 'start' and 'interfaces' —
# a global address configured by hand and not in the fwbuilder object is
# removed, which can cut off the management path. 'test_interfaces' sets
# FWBDEBUG=echo so the ip commands are printed instead of executed.
update_addresses_of_interface() {
    ignore_list=$2
    set $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    $IP link show dev $interface >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    }
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# clear_addresses_except_known_interfaces IFACE...: flushes every global-scope
# address from, and brings down, each link that is NOT named in the
# argument list. No caller in this script.
# NOTE(review): highly destructive on a host with interfaces fwbuilder does
# not know about — they are brought down, not just cleared.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
    'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
    while read intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev $intf scope global
        $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : check_file "block_these" "block-hosts.tbl" } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth1 192.168.1.100/24" "" getaddr eth0.100 i_eth0_100 getaddr6 eth0.100 i_eth0_100_v6 getnet eth0.100 i_eth0_100_network getnet6 eth0.100 i_eth0_100_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # ================ Table 'filter', rule set block_local_bcast # # Rule block_local_bcast 0 (global) # an attempt to build rule blocking local broadcast packets on the subnet where firewall has dynamic interface echo ":block_local_bcast - [0:0]" echo "-A block_local_bcast -d 192.168.222.255 -j DROP " # # ================ Table 'filter', rule set Policy # # Rule 0 (global) echo "-A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.2 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.3/30 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.200 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -d 192.168.1.201 -m state --state NEW -j ACCEPT " echo "-A OUTPUT 
-d 192.168.2.128/25 -m state --state NEW -j ACCEPT " echo "-A INPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT " echo "-A INPUT -d 192.168.1.2 -m state --state NEW -j ACCEPT " echo "-A INPUT -d 192.168.1.3/30 -m state --state NEW -j ACCEPT " echo "-A INPUT -d 192.168.1.200 -m state --state NEW -j ACCEPT " echo "-A INPUT -d 192.168.1.201 -m state --state NEW -j ACCEPT " echo "-A INPUT -d 192.168.2.128/25 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.1 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.2 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.3/30 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.200 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.1.201 -m state --state NEW -j ACCEPT " echo "-A FORWARD -d 192.168.2.128/25 -m state --state NEW -j ACCEPT " # # Rule 1 (global) echo ":RULE_1 - [0:0]" grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A OUTPUT -d $at_block_these -j RULE_1 " done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A FORWARD -d $at_block_these -j RULE_1 " done echo "-A RULE_1 -j LOG --log-level debug --log-prefix \"RULE 1 -- DENY on global \"" echo "-A RULE_1 -j DROP " # # Rule 2 (global) echo ":RULE_2 - [0:0]" grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A OUTPUT -d $at_block_these -j RULE_2 " done echo "-A OUTPUT -d 61.150.47.112 -j RULE_2 " grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A FORWARD -d $at_block_these -j RULE_2 " done echo "-A FORWARD -d 61.150.47.112 -j RULE_2 " echo "-A RULE_2 -j LOG --log-level debug --log-prefix \"RULE 2 -- DENY on global \"" echo "-A RULE_2 -j DROP " # # Rule 3 (global) grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A OUTPUT -p tcp -m tcp -d $at_block_these --dport 25 -j DROP " done echo "-A OUTPUT -p 
tcp -m tcp -d 61.150.47.112 --dport 25 -j DROP " grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A FORWARD -p tcp -m tcp -d $at_block_these --dport 25 -j DROP " done echo "-A FORWARD -p tcp -m tcp -d 61.150.47.112 --dport 25 -j DROP " # # Rule 4 (global) for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && { grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A OUTPUT -p tcp -m tcp -s $i_eth0_100 -d $at_block_these --dport 25 -j DROP " done } done for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && echo "-A OUTPUT -p tcp -m tcp -s $i_eth0_100 -d 61.150.47.112 --dport 25 -j DROP " done # # Rule 5 (global) # test rule for the discussion # https://sourceforge.net/projects/fwbuilder/forums/forum/16372/topic/3733964/index/page/1 echo "-A INPUT -j block_local_bcast " # # Rule 6 (global) echo ":RULE_6 - [0:0]" grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A INPUT -s $at_block_these -j RULE_6 " done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A FORWARD -s $at_block_these -j RULE_6 " done echo "-A RULE_6 -j LOG --log-level debug --log-prefix \"RULE 6 -- DENY on global \"" echo "-A RULE_6 -j DROP " # # Rule 7 (global) echo ":RULE_7 - [0:0]" grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A INPUT -s $at_block_these -j RULE_7 " done echo "-A INPUT -s 61.150.47.112 -j RULE_7 " grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A FORWARD -s $at_block_these -j RULE_7 " done echo "-A FORWARD -s 61.150.47.112 -j RULE_7 " echo "-A RULE_7 -j LOG --log-level debug --log-prefix \"RULE 7 -- DENY on global \"" echo "-A RULE_7 -j DROP " # # Rule 8 (global) echo ":Cid4392555025682.0 - [0:0]" echo "-A OUTPUT -m state --state NEW -j Cid4392555025682.0 " echo "-A INPUT -m state --state NEW -j 
Cid4392555025682.0 " echo "-A FORWARD -m state --state NEW -j Cid4392555025682.0 " grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A Cid4392555025682.0 -s $at_block_these -j RETURN " done echo "-A Cid4392555025682.0 -s 61.150.47.112 -j RETURN " echo "-A Cid4392555025682.0 -j ACCEPT " # # Rule 9 (global) echo ":Cid4392555D25682.0 - [0:0]" for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && echo "-A INPUT -s $i_eth0_100 -m state --state NEW -j Cid4392555D25682.0 " done for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && echo "-A OUTPUT -s $i_eth0_100 -m state --state NEW -j Cid4392555D25682.0 " done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; echo "-A Cid4392555D25682.0 -d $at_block_these -j RETURN " done echo "-A Cid4392555D25682.0 -d 61.150.47.112 -j RETURN " echo "-A Cid4392555D25682.0 -j ACCEPT " # # Rule 10 (global) echo "-A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 25 -m state --state NEW -j ACCEPT " echo "-A FORWARD -p tcp -m tcp -d 192.168.1.10 --dport 25 -m state --state NEW -j ACCEPT " # # Rule 11 (global) echo "-A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT " echo "-A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT " # # Rule 12 (global) echo ":RULE_12 - [0:0]" echo "-A OUTPUT -j RULE_12 " echo "-A INPUT -j RULE_12 " echo "-A FORWARD -j RULE_12 " echo "-A RULE_12 -j LOG --log-level debug --log-prefix \"RULE 12 -- DENY on global \"" echo "-A RULE_12 -j DROP " # echo COMMIT echo '*nat' # ================ Table 'nat', rule set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo ":Cid4392558F25682.0 - [0:0]" for i_eth0_100 in $i_eth0_100_list do test -n "$i_eth0_100" && echo "-A PREROUTING -p tcp -m tcp -d $i_eth0_100 --dport 25 -j Cid4392558F25682.0 " done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while 
read L ; do
        set $L; at_block_these=$1;
        echo "-A Cid4392558F25682.0 -s $at_block_these -j RETURN "
    done
    echo "-A Cid4392558F25682.0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.10 "
    #
    # Rule 1 (NAT)
    #
    # NOTE(review): block-hosts.tbl is opened by a relative path, so the set
    # of exempted destinations depends on the working directory this script
    # is started from. The first whitespace-separated word of each
    # non-comment line is spliced unquoted into the iptables-restore stream,
    # `read` has no -r, and `set $L` has no `--`, so a line starting with
    # '-' is taken as shell options rather than an address. Treat the table
    # file as part of the policy (root-owned, not group/world writable).
    echo ":Cid4392559D25682.0 - [0:0]"
    echo "-A POSTROUTING -o eth0.100 -s 192.168.1.0/24 -j Cid4392559D25682.0 "
    grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do
        set $L; at_block_these=$1;
        echo "-A Cid4392559D25682.0 -d $at_block_these -j RETURN "
    done
    echo "-A Cid4392559D25682.0 -j MASQUERADE "
    #
    echo COMMIT
    # The complete rule set (filter and nat tables, including the DROP
    # policies on the filter built-ins emitted at the top of the stream) is
    # handed to iptables-restore in one go; presumably that is why 'start'
    # below does not call reset_all first. Only the exit status of
    # iptables-restore is checked: a missing table file makes the grep
    # loops above produce nothing rather than an error, so
    # check_run_time_address_table_files is the only guard for that.
    ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$?
    test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES
}

# IPv4 forwarding is left as the kernel currently has it; this script never
# writes /proc/sys/net/ipv4/ip_forward.
ip_forward() {
    :
}

# Only the IPv4 tables are reset; no IPv6 policy is compiled into this script.
reset_all() {
    :
    reset_iptables_v4
}

# 'block' is fail-closed: reset_iptables_v4 leaves the built-in chains at
# DROP with no rules, so all traffic to and through the host is dropped.
block_action() {
    reset_all
}

# 'stop' is fail-OPEN: after the reset the built-in chains are set to
# ACCEPT, leaving the host completely unfiltered. 'reload' below runs stop
# and then start, so the host stays open from here until iptables-restore
# commits the new rule set.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# check_iptables PROCFILE: 151 = file missing (netfilter table modules not
# loaded), 152 = file empty (no tables registered), 0 = tables present.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# 'status': returns 0 silently if either the IPv4 or the IPv6 table list is
# non-empty; otherwise prints a diagnostic and exits 3. This only proves
# that *some* tables are registered, not that the rules from this script
# are the ones currently loaded.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

# Note on 'start': RETVAL is the status of epilog_commands only; a failed
# iptables-restore exits directly through run_epilog_and_exit with the
# restore's own status, and missing tools/interfaces/table files exit 1
# before any rules are touched.
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:41 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules "nat "
        configure_interfaces
        verify_interfaces
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall36-1.fw.orig000077500000000000000000000264511303637203600207130ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:43 2012 PDT by vadim # # files: * firewall36-1.fw /etc/firewall36-1.fw # # Compiled for iptables (any version) # # Testing routing configuration where routing rules do not install default route FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done
}

# check_file OBJECT FILE: aborts the script if a run-time address table file
# is not readable. Meant to run before any rules are loaded.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# This firewall uses no run-time address tables, so there is nothing to check.
check_run_time_address_table_files() {
    :
}

# load_modules "OPTS": modprobes every conntrack module found under the
# running kernel's net/ tree (IPv6 ones excluded), plus every *nat* module
# when OPTS contains "nat" and nf_conntrack_ipv6 when it contains "ipv6".
# Module names are the file basenames with everything from the first '.'
# stripped. A modprobe failure aborts the script (exit 1) before any rules
# are loaded.
# NOTE(review): the `$LSMOD | grep ${module}` test is unanchored, so a
# module whose name is a substring of an already-loaded module's name is
# not modprobed at all.
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
    MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    echo $OPTS | grep -q nat && {
        MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    echo $OPTS | grep -q ipv6 && {
        MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    for module in $MODULES; do
        if $LSMOD | grep ${module} >/dev/null; then continue; fi
        $MODPROBE ${module} || exit 1
    done
}

# Every interface the policy refers to must exist; a missing one aborts the
# script. In 'start' this runs before reset_all, so the previously loaded
# rule set is still in force when it fails.
verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 eth1 lo eth2"
    for i in eth0 eth1 lo eth2 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

# Error path helper: run the epilog, then exit with the status passed in.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Reconciles each interface's addresses with the ones fwbuilder knows about
# (missing ones are added, unlisted global-scope ones removed). The second
# argument is a list of addresses to leave alone; empty here.
configure_interfaces() {
    :
    # Configure interfaces
    update_addresses_of_interface "eth0 192.0.2.1/24" ""
    update_addresses_of_interface "eth1 192.168.1.1/24" ""
    update_addresses_of_interface "lo 127.0.0.1/8" ""
    update_addresses_of_interface "eth2 192.0.100.1/24" ""
}

# Filter rules plus the routing reconfiguration. reset_all (run by 'start'
# just before this) has already set the built-in filter chains to DROP, and
# this policy only adds the ESTABLISHED,RELATED accepts, so every NEW
# connection is dropped by the default policy.
script_body() {
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ============== ROUTING RULES ==============
    # Private scratch directory for the saved output and the route backup.
    # mktemp -d is preferred; the fallback name is predictable, but a plain
    # mkdir (not -p) under umask 077 fails if the path already exists, so a
    # pre-planted directory or symlink aborts the script instead of being
    # used.
    HAVE_MKTEMP=$(which mktemp)
    test -n "$HAVE_MKTEMP" && {
        TMPDIRNAME=$(mktemp -d)
        test -z "$TMPDIRNAME" && exit 1
    }
    test -z "$HAVE_MKTEMP" && {
        TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$"
        (umask 077 && mkdir $TMPDIRNAME) || exit 1
    }
    TMPFILENAME="$TMPDIRNAME/.fwbuilder.out"
    OLD_ROUTES="$TMPDIRNAME/.old_routes"

    #
    # This function stops stdout redirection
    # and sends previously saved output to terminal
    restore_script_output() {
        exec 1>&3 2>&1
        cat $TMPFILENAME
        rm -rf $TMPDIRNAME
    }

    # if any routing rule fails we do our best to prevent freezing the firewall
    # NOTE(review): recovery deletes *every* route, kernel-connected ones
    # included, and re-adds them by running $OLD_ROUTES with sh. That file
    # is a shell script generated below from `ip route show` output and
    # lives only in the private temp directory, but it is still executed
    # code derived from the routing table.
    route_command_error() {
        echo "Error: Routing rule $1 couldn't be activated"
        echo "Recovering previous routing configuration..."
        # delete current routing rules
        $IP route show | while read route ; do $IP route del $route ; done
        # restore old routing rules
        sh $OLD_ROUTES
        echo "...done"
        restore_script_output
        epilog_commands
        exit 1
    }

    # redirect output to prevent ssh session from stalling
    # (routes are removed below, presumably including the one a remote
    # session relies on; all output goes to a file and is replayed by
    # restore_script_output once the routes are back)
    exec 3>&1
    exec 1> $TMPFILENAME
    exec 2>&1

    # store previous routing configuration (sort: 'via' GW has to be
    # inserted after device routes)
    $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES

    # Only non-kernel routes are removed, and the existing default route is
    # kept: this firewall installs no default route of its own.
    echo "Deleting routing rules previously set by user space processes..."
    $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \
    while read route ; do $IP route del $route ; done

    echo "Activating non-ecmp routing rules..."
    #
    # Rule 0 (main)
    #
    echo "Routing rule 0 (main)"
    #
    #
    #
    $IP route add 192.168.2.0/24 via 192.168.1.254 dev eth1 \
    || route_command_error "0 (main)"

    restore_script_output
    echo "...done."
}

# Enables IPv4 forwarding system-wide, unconditionally, after the rules are
# in place. Nothing turns it back off: 'stop' below sets the FORWARD policy
# to ACCEPT while leaving ip_forward=1, so a stopped firewall is an
# unfiltered router.
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only the IPv4 tables are reset; no IPv6 policy is compiled into this script.
reset_all() {
    :
    reset_iptables_v4
}

# 'block' is fail-closed: DROP policies with no rules.
block_action() {
    reset_all
}

# 'stop' is fail-OPEN: built-in chains set to ACCEPT, forwarding left on
# (see ip_forward). 'reload' runs stop then start, so the host is open
# until reset_all in 'start' sets the policies back to DROP.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# check_iptables PROCFILE: 151 = file missing (netfilter table modules not
# loaded), 152 = file empty (no tables registered), 0 = tables present.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# 'status' (body continues on the next line): succeeds if either family has
# tables registered; this proves only that *some* tables exist, not that the
# rules from this script are the ones loaded.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:43 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall36-2.fw.orig000077500000000000000000000264231303637203600207130ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:45 2012 PDT by vadim # # files: * firewall36-2.fw /etc/firewall36-2.fw # # Compiled for iptables (any version) # # Testing routing configuration where routing rules install simple (not ECMP) default route FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo eth2" for i in eth0 eth1 lo eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.0.2.1/24" "" update_addresses_of_interface "eth1 192.168.1.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth2 192.0.100.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z "$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" 
OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v 'proto kernel' | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # # $IP route add default via 192.0.2.100 dev eth0 \ || route_command_error "0 (main)" restore_script_output echo "...done." } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:45 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall36.fw.orig000077500000000000000000000316111303637203600205470ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:43 2012 PDT by vadim # # files: * firewall36.fw /etc/firewall36.fw # # Compiled for iptables (any version) # # testing routing rules # routing ruleset installs ECMP default # ROUTE target is deprecated in 4.3.0 # firewall36:Routing:4: warning: Rule has been suppressed because it contains IPv6 objects and Firewall Builder does not support IPv6 routing rules at this time FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo eth2" for i in eth0 eth1 lo eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.0.2.1/24" "" update_addresses_of_interface "eth1 192.168.1.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth2 192.0.100.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z "$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" 
OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v 'proto kernel' | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below. # # Rule 1 (main) # echo "Routing rule 1 (main)" # # Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below. 
# # Rule 2 (main) # echo "Routing rule 2 (main)" # # # $IP route add 192.168.2.0/24 via 192.168.1.254 dev eth1 \ || route_command_error "2 (main)" # # Rule 3 (main) # echo "Routing rule 3 (main)" # # # $IP route add 22.22.22.100/30 via 192.168.1.254 dev eth1 \ || route_command_error "3 (main)" $IP route add 22.22.22.104/30 via 192.168.1.254 dev eth1 \ || route_command_error "3 (main)" $IP route add 22.22.22.108/31 via 192.168.1.254 dev eth1 \ || route_command_error "3 (main)" $IP route add 22.22.22.110 via 192.168.1.254 dev eth1 \ || route_command_error "3 (main)" # # Rule 5 (main) # echo "Routing rule 5 (main)" # # # $IP route add 192.168.1.0/24 dev eth1 \ || route_command_error "5 (main)" $IP route add 192.168.2.0/24 dev eth1 \ || route_command_error "5 (main)" # # ============== EQUAL COST MULTI PATH ============ # echo "Activating ecmp routing rules..." # # Multipath Rule derived from the following routing rules: # # Rule 0 (main) # # Rule 1 (main) # # $IP route add default \ nexthop dev eth0 \ nexthop dev eth2 \ || route_command_error "1" restore_script_output echo "...done." } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:43 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall37-1.fw.orig000077500000000000000000001062671303637203600207200ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:46 2012 PDT by vadim # # files: * firewall37-1.fw /etc/fw/firewall37-1.fw # # Compiled for iptables (any version) # # testing TAG and CLASSIFY rules # same as firewall37 except rules are made to be terminating FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 
name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.22/24" "" update_addresses_of_interface "eth1 22.22.23.22/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark $IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -s 22.22.23.22 -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.1.22 -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.2.1 -j ACCEPT $IPTABLES -t nat 
-A OUTPUT -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j ACCEPT $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -j ACCEPT # ================ Table 'mangle', rule set rule27_branch # # Rule rule27_branch 0 (global) # echo "Rule rule27_branch 0 (global)" # $IPTABLES -N rule27_branch -t mangle $IPTABLES -t mangle -A rule27_branch -p tcp -m tcp --tcp-flags ALL ACK -j CLASSIFY --set-class 1:16 # ================ Table 'mangle', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # terminating target $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 1 (global) # echo "Rule 1 (global)" # # terminating target $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 2 (global) # echo "Rule 2 (global)" # # terminating target $IPTABLES -N Cid45AB5AC525451.0 -t mangle $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j Cid45AB5AC525451.0 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j Cid45AB5AC525451.0 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j Cid45AB5AC525451.0 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid45AB5AC525451.0 $IPTABLES -t mangle -A Cid45AB5AC525451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5AC525451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5AC525451.0 -j MARK --set-mark 16 # # Rule 3 (eth1) # echo "Rule 3 (eth1)" # # terminating target $IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m 
state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 4 (eth1) # echo "Rule 4 (eth1)" # # temrinating target $IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 5 (global) # echo "Rule 5 (global)" # # terminating and CONNMARK $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j CONNMARK --save-mark # # Rule 6 (global) # echo "Rule 6 (global)" # # terminating and CONNMARK $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j 
CONNMARK --save-mark # # Rule 7 (global) # echo "Rule 7 (global)" # # terminating and CONNMARK $IPTABLES -N Cid45AB5B0225451.0 -t mangle $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j Cid45AB5B0225451.0 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j Cid45AB5B0225451.0 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j Cid45AB5B0225451.0 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid45AB5B0225451.0 $IPTABLES -t mangle -A Cid45AB5B0225451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5B0225451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5B0225451.0 -j MARK --set-mark 10 $IPTABLES -t mangle -A Cid45AB5B0225451.0 -j CONNMARK --save-mark # # Rule 8 (eth1) # echo "Rule 8 (eth1)" # # terminating and CONNMARK $IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 8 $IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 8 $IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j CONNMARK --save-mark # # Rule 9 (eth1) # echo "Rule 9 (eth1)" # # terminating and CONNMARK $IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 9 $IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 9 $IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 9 $IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j MARK --set-mark 9 $IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j CONNMARK --save-mark # # Rule 11 (global) # echo "Rule 11 
(global)" # # testing for bug #1618381 # this rule, and the next one, should place # CLASSIFY rule in a separate chain # and pass control to it using -g $IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j CLASSIFY --set-class 1:10 # # Rule 12 (eth0) # echo "Rule 12 (eth0)" # # second rule for bug #1618381 $IPTABLES -t mangle -A POSTROUTING -o eth0 -j CLASSIFY --set-class 1:11 # # Rule 13 (global) # echo "Rule 13 (global)" # # testing for bug #1618381 $IPTABLES -N Cid45AB5BAD25451.0 -t mangle $IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j Cid45AB5BAD25451.0 $IPTABLES -t mangle -A Cid45AB5BAD25451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5BAD25451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5BAD25451.0 -j CLASSIFY --set-class 1:10 # # Rule 14 (global) # echo "Rule 14 (global)" # # testing for bug #1618381 $IPTABLES -N Cid45AB5BBA25451.0 -t mangle $IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j Cid45AB5BBA25451.0 $IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp --dport 80 -j Cid45AB5BBA25451.0 $IPTABLES -t mangle -A Cid45AB5BBA25451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5BBA25451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5BBA25451.0 -j CLASSIFY --set-class 1:10 # # Rule 15 (eth0) # echo "Rule 15 (eth0)" # # bug #1618381 # this rule uses multiport # and has to be split because # of that $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 10000:11000 -j CLASSIFY --set-class 1:11 $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j CLASSIFY --set-class 1:11 $IPTABLES -t mangle -A POSTROUTING -o eth0 -p udp -m udp -m multiport --dports 53,161 -j CLASSIFY --set-class 1:11 # # Rule 16 (global) # echo "Rule 16 (global)" # # testing for bug #1618381 # this rule, and the next one, should place # CLASSIFY rule in a separate chain # and pass control to 
it using -g $IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j CLASSIFY --set-class 1:10 # # Rule 17 (eth0) # echo "Rule 17 (eth0)" # # second rule for bug #1618381 $IPTABLES -t mangle -A POSTROUTING -o eth0 -j CLASSIFY --set-class 1:11 # # Rule 18 (eth0) # echo "Rule 18 (eth0)" # $IPTABLES -t mangle -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:11 # # Rule 19 (global) # echo "Rule 19 (global)" # # testing for bug #1618381 $IPTABLES -N Cid45AB5BF925451.0 -t mangle $IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j Cid45AB5BF925451.0 $IPTABLES -t mangle -A Cid45AB5BF925451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5BF925451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5BF925451.0 -j CLASSIFY --set-class 1:10 # # Rule 20 (global) # echo "Rule 20 (global)" # # testing for bug #1618381 $IPTABLES -N Cid45AB5C0625451.0 -t mangle $IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j Cid45AB5C0625451.0 $IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp --dport 80 -j Cid45AB5C0625451.0 $IPTABLES -t mangle -A Cid45AB5C0625451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5C0625451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid45AB5C0625451.0 -j CLASSIFY --set-class 1:10 # # Rule 21 (eth0) # echo "Rule 21 (eth0)" # # bug #1618381 # this rule uses multiport # and has to be split because # of that $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 10000:11000 -j CLASSIFY --set-class 1:11 $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j CLASSIFY --set-class 1:11 $IPTABLES -t mangle -A POSTROUTING -o eth0 -p udp -m udp -m multiport --dports 53,161 -j CLASSIFY --set-class 1:11 # # Rule 22 (global) # echo "Rule 22 (global)" # # bug #1618381 # should generate branching code # in both filter and mangle tables $IPTABLES -t mangle -A PREROUTING -p tcp -m tcp -j 
rule27_branch $IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp -j rule27_branch $IPTABLES -t mangle -A FORWARD -p tcp -m tcp -j rule27_branch # ================ Table 'filter', rule set rule27_branch # # Rule rule27_branch 0 (global) # echo "Rule rule27_branch 0 (global)" # $IPTABLES -N rule27_branch $IPTABLES -A rule27_branch -p tcp -m tcp --tcp-flags ALL ACK -j ACCEPT # # Rule rule27_branch 1 (global) # echo "Rule rule27_branch 1 (global)" # $IPTABLES -N rule27_branch_1 $IPTABLES -A rule27_branch -p tcp -m tcp --dport 80 -m state --state NEW -j rule27_branch_1 $IPTABLES -A rule27_branch_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT " $IPTABLES -A rule27_branch_1 -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # terminating target $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p ah -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p ah -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # # terminating target $IPTABLES -N RULE_1 $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j RULE_1 $IPTABLES -A OUTPUT -p ah -m state --state NEW -j RULE_1 $IPTABLES -A INPUT -p 50 -m state --state NEW -j RULE_1 $IPTABLES -A INPUT -p ah -m state --state NEW -j RULE_1 $IPTABLES -A FORWARD -p 50 -m state --state NEW -j RULE_1 $IPTABLES -A FORWARD -p ah -m state --state NEW -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT " $IPTABLES -A RULE_1 -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # terminating target $IPTABLES -N Cid45AB5AC525451.0 $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j Cid45AB5AC525451.0 $IPTABLES -A OUTPUT -p ah -m state --state NEW -j Cid45AB5AC525451.0 $IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid45AB5AC525451.0 
$IPTABLES -A INPUT -p ah -m state --state NEW -j Cid45AB5AC525451.0 $IPTABLES -A FORWARD -p 50 -m state --state NEW -j Cid45AB5AC525451.0 $IPTABLES -A FORWARD -p ah -m state --state NEW -j Cid45AB5AC525451.0 $IPTABLES -A Cid45AB5AC525451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid45AB5AC525451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -N RULE_2_3 $IPTABLES -A Cid45AB5AC525451.0 -j RULE_2_3 $IPTABLES -A RULE_2_3 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT " $IPTABLES -A RULE_2_3 -j ACCEPT # # Rule 3 (eth1) # echo "Rule 3 (eth1)" # # terminating target $IPTABLES -A INPUT -i eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 4 (eth1) # echo "Rule 4 (eth1)" # # temrinating target $IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # terminating and CONNMARK $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p ah -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p ah -m state --state NEW -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # terminating and CONNMARK $IPTABLES -N RULE_6 $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j RULE_6 $IPTABLES -A OUTPUT -p ah -m state --state NEW -j RULE_6 $IPTABLES -A INPUT -p 50 -m state --state NEW -j RULE_6 $IPTABLES -A INPUT -p ah -m state --state NEW -j RULE_6 $IPTABLES -A FORWARD -p 50 -m state --state NEW -j RULE_6 $IPTABLES -A FORWARD -p ah -m state --state NEW -j 
RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- ACCEPT " $IPTABLES -A RULE_6 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # # terminating and CONNMARK $IPTABLES -N Cid45AB5B0225451.0 $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j Cid45AB5B0225451.0 $IPTABLES -A OUTPUT -p ah -m state --state NEW -j Cid45AB5B0225451.0 $IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid45AB5B0225451.0 $IPTABLES -A INPUT -p ah -m state --state NEW -j Cid45AB5B0225451.0 $IPTABLES -A FORWARD -p 50 -m state --state NEW -j Cid45AB5B0225451.0 $IPTABLES -A FORWARD -p ah -m state --state NEW -j Cid45AB5B0225451.0 $IPTABLES -A Cid45AB5B0225451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid45AB5B0225451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -N RULE_7_3 $IPTABLES -A Cid45AB5B0225451.0 -j RULE_7_3 $IPTABLES -A RULE_7_3 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT " $IPTABLES -A RULE_7_3 -j ACCEPT # # Rule 8 (eth1) # echo "Rule 8 (eth1)" # # terminating and CONNMARK $IPTABLES -A INPUT -i eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 9 (eth1) # echo "Rule 9 (eth1)" # # terminating and CONNMARK $IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.2.10 --dport 80 -j QUEUE $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 80 -j QUEUE # # Rule 11 (global) # echo "Rule 11 (global)" # # testing for bug #1618381 # this rule, and the next one, should place # CLASSIFY rule in a separate chain # and pass control to it using -g $IPTABLES -A OUTPUT -p 
icmp -m icmp --icmp-type 3 -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT # # Rule 12 (eth0) # echo "Rule 12 (eth0)" # # second rule for bug #1618381 $IPTABLES -A INPUT -i eth0 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # # testing for bug #1618381 $IPTABLES -N Cid45AB5BAD25451.0 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BAD25451.0 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BAD25451.0 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid45AB5BAD25451.0 $IPTABLES -A Cid45AB5BAD25451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid45AB5BAD25451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid45AB5BAD25451.0 -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # # testing for bug #1618381 $IPTABLES -N Cid45AB5BBA25451.0 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BBA25451.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -j Cid45AB5BBA25451.0 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BBA25451.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j Cid45AB5BBA25451.0 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid45AB5BBA25451.0 $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j Cid45AB5BBA25451.0 $IPTABLES -A Cid45AB5BBA25451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid45AB5BBA25451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid45AB5BBA25451.0 -j ACCEPT # # Rule 15 (eth0) # echo "Rule 15 (eth0)" # # bug #1618381 # this rule uses multiport # and has to be split because # of that $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A INPUT -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p 
tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # testing for bug #1618381 # this rule, and the next one, should place # CLASSIFY rule in a separate chain # and pass control to it using -g $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT # # Rule 17 (eth0) # echo "Rule 17 (eth0)" # # second rule for bug #1618381 $IPTABLES -A INPUT -i eth0 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -j ACCEPT # # Rule 18 (eth0) # echo "Rule 18 (eth0)" # $IPTABLES -N Out_RULE_18 $IPTABLES -A OUTPUT -o eth0 -s 192.168.1.0/24 -j Out_RULE_18 $IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -j Out_RULE_18 $IPTABLES -A Out_RULE_18 -j LOG --log-level info --log-prefix "RULE 18 -- ACCEPT " $IPTABLES -A Out_RULE_18 -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # # testing for bug #1618381 $IPTABLES -N Cid45AB5BF925451.0 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BF925451.0 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BF925451.0 $IPTABLES -A 
FORWARD -p icmp -m icmp --icmp-type 3 -j Cid45AB5BF925451.0 $IPTABLES -A Cid45AB5BF925451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid45AB5BF925451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid45AB5BF925451.0 -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # # testing for bug #1618381 $IPTABLES -N Cid45AB5C0625451.0 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5C0625451.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -j Cid45AB5C0625451.0 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5C0625451.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j Cid45AB5C0625451.0 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid45AB5C0625451.0 $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j Cid45AB5C0625451.0 $IPTABLES -A Cid45AB5C0625451.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid45AB5C0625451.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid45AB5C0625451.0 -j ACCEPT # # Rule 21 (eth0) # echo "Rule 21 (eth0)" # # bug #1618381 # this rule uses multiport # and has to be split because # of that $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A INPUT -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp 
-m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT # # Rule 22 (global) # echo "Rule 22 (global)" # # bug #1618381 # should generate branching code # in both filter and mangle tables $IPTABLES -A OUTPUT -p tcp -m tcp -j rule27_branch $IPTABLES -A INPUT -p tcp -m tcp -j rule27_branch $IPTABLES -A FORWARD -p tcp -m tcp -j rule27_branch # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -j TCPMSS --set-mss 1400 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j TCPMSS --set-mss 1400 $IPTABLES -A FORWARD -s 192.168.1.0/24 -j TCPMSS --set-mss 1400 # # Rule 24 (global) # echo "Rule 24 (global)" # $IPTABLES -N RULE_24 $IPTABLES -A OUTPUT -j RULE_24 $IPTABLES -A INPUT -j RULE_24 $IPTABLES -A FORWARD -j RULE_24 $IPTABLES -A RULE_24 -j LOG --log-level info --log-prefix "RULE 24 -- DENY " $IPTABLES -A RULE_24 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:46 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall37-2.fw.orig000077500000000000000000000556651303637203600207260ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:47 2012 PDT by vadim # # files: * firewall37-2.fw /etc/fw/firewall37-2.fw # # Compiled for iptables (any version) # # testing TAG and CLASSIFY rules and combinations # normal script mode (not using iptables-restore) FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { 
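dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
    eval "$name=''"
    return
}
eval "${name}_list=\"$L\""
}

#######################################
# Thin wrappers over getaddr_internal / getnet_internal (both defined
# earlier in this file). Each stores its result in the shell variable
# named by $2 (suffixed "_list" when non-empty) for interface $1.
#######################################
getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
#######################################
# Print the names of all interfaces whose "ip link show" entry matches
# ": $1" (a prefix/wildcard pattern, unanchored on the right).
# Arguments: $1 - interface name pattern
# Outputs:   one interface name per line on stdout
#######################################
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        # split "N: name: <flags>..." on space and colon; field 2 is the name
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

#######################################
# Call $1 for every entry of list $2 that is absent from list $3.
# Arguments: $1 - function to invoke for each missing entry
#            $2 - list of "addr@interface" entries to look for
#            $3 - list of entries currently present
#            $4 - command passed through to $1 (e.g. add / del)
#######################################
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        # fixed-string match: entries contain '.' and '/', which grep
        # would otherwise interpret as regex metacharacters. This is
        # still a substring test, so entries of one list must not be
        # prefixes of another entry in the other list.
        echo "$list2" | grep -qF -- "$intf" || {
            # $intf is absent in list 2
            "$func" "$intf" "$cmd"
        }
    done
}

#######################################
# Abort the script if program $1 cannot be located with 'which'.
# Arguments: $1 - program name or path
# Returns:   0 if found; otherwise prints a message and exits 1
#######################################
find_program() {
    PGM=$1
    which "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

#######################################
# Verify every external tool the script depends on is available.
# 'which' itself is checked first because find_program relies on it.
#######################################
check_tools() {
    find_program which
    find_program "$IPTABLES"
    find_program "$MODPROBE"
    find_program "$IP"
}

#######################################
# Flush the whole IPv4 rule set. The built-in filter policies are set
# to DROP *before* chains are flushed, so the host stays closed while
# the old rules are removed; every table listed in
# /proc/net/ip_tables_names is then flushed chain by chain and its
# user-defined chains deleted.
#######################################
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    cat /proc/net/ip_tables_names | while read table; do
        # lines of "iptables -L -n" that start with "Chain" name a chain
        $IPTABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

#######################################
# IPv6 counterpart of reset_iptables_v4: DROP policies first, then
# flush every chain of every table in /proc/net/ip6_tables_names and
# delete user-defined chains.
#######################################
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t $table -F $chain
            fi
        done
        $IP6TABLES -t $table -X
    done
}

# set once the point-to-point warning below has been printed, so it is
# only shown one time per run
P2P_INTERFACE_WARNING=""

missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface.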
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.22/24" "" update_addresses_of_interface "eth1 22.22.23.22/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', rule set classify_2 # # Rule classify_2 0 (global) # echo "Rule classify_2 0 (global)" # $IPTABLES -N classify_2 -t mangle $IPTABLES -t mangle -A classify_2 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:12 # ================ Table 'mangle', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -j MARK --set-mark 2 $IPTABLES -t mangle -A 
POSTROUTING -i eth0 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2 # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # $IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j MARK --set-mark 2 $IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j CLASSIFY --set-class 1:2 # # Rule 2 (eth0) # echo "Rule 2 (eth0)" # $IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j MARK --set-mark 2 $IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j CLASSIFY --set-class 1:2 # # Rule 3 (eth0) # echo "Rule 3 (eth0)" # $IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -j MARK --set-mark 2 $IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2 # # Rule 4 (eth0) # echo "Rule 4 (eth0)" # $IPTABLES -t mangle -A PREROUTING -i eth0 -s ! 192.168.1.0/24 -j MARK --set-mark 2 $IPTABLES -t mangle -A POSTROUTING -i eth0 -s ! 192.168.1.0/24 -j CLASSIFY --set-class 1:2 # # Rule 5 (eth0) # echo "Rule 5 (eth0)" # $IPTABLES -t mangle -A PREROUTING -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j MARK --set-mark 2 $IPTABLES -t mangle -A POSTROUTING -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j CLASSIFY --set-class 1:2 # # Rule 6 (eth0) # echo "Rule 6 (eth0)" # $IPTABLES -t mangle -A PREROUTING -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j MARK --set-mark 2 $IPTABLES -t mangle -A POSTROUTING -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j CLASSIFY --set-class 1:2 # # Rule 7 (eth0) # echo "Rule 7 (eth0)" # $IPTABLES -t mangle -A PREROUTING -i eth0 -s ! 192.168.1.0/24 -j MARK --set-mark 2 $IPTABLES -t mangle -A POSTROUTING -i eth0 -s ! 
192.168.1.0/24 -j CLASSIFY --set-class 1:2 # # Rule 8 (eth0) # echo "Rule 8 (eth0)" # $IPTABLES -N Cid591898X26049.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i eth0 -j Cid591898X26049.0 $IPTABLES -t mangle -A Cid591898X26049.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid591898X26049.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid591898X26049.0 -j MARK --set-mark 2 $IPTABLES -N Cid591898X26049.1 -t mangle $IPTABLES -t mangle -A POSTROUTING -i eth0 -j Cid591898X26049.1 $IPTABLES -t mangle -A Cid591898X26049.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid591898X26049.1 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid591898X26049.1 -j CLASSIFY --set-class 1:2 # # Rule 9 (eth0) # echo "Rule 9 (eth0)" # $IPTABLES -N Cid591842X26049.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i eth0 -m state --state NEW -j Cid591842X26049.0 $IPTABLES -t mangle -A Cid591842X26049.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid591842X26049.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid591842X26049.0 -j MARK --set-mark 2 $IPTABLES -N Cid591842X26049.1 -t mangle $IPTABLES -t mangle -A POSTROUTING -i eth0 -m state --state NEW -j Cid591842X26049.1 $IPTABLES -t mangle -A Cid591842X26049.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid591842X26049.1 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid591842X26049.1 -j CLASSIFY --set-class 1:2 # # Rule 10 (eth0) # echo "Rule 10 (eth0)" # $IPTABLES -N Cid591786X26049.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i eth0 -m state --state NEW -j Cid591786X26049.0 $IPTABLES -t mangle -A Cid591786X26049.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid591786X26049.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid591786X26049.0 -j MARK --set-mark 2 $IPTABLES -N Cid591786X26049.1 -t mangle $IPTABLES -t mangle -A POSTROUTING -i eth0 -m state --state NEW -j Cid591786X26049.1 $IPTABLES -t mangle -A Cid591786X26049.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A 
Cid591786X26049.1 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid591786X26049.1 -j CLASSIFY --set-class 1:2 # # Rule 11 (eth0) # echo "Rule 11 (eth0)" # $IPTABLES -N Cid591730X26049.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i eth0 -j Cid591730X26049.0 $IPTABLES -t mangle -A Cid591730X26049.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid591730X26049.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid591730X26049.0 -j MARK --set-mark 2 $IPTABLES -N Cid591730X26049.1 -t mangle $IPTABLES -t mangle -A POSTROUTING -i eth0 -j Cid591730X26049.1 $IPTABLES -t mangle -A Cid591730X26049.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid591730X26049.1 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid591730X26049.1 -j CLASSIFY --set-class 1:2 # # Rule 12 (eth0) # echo "Rule 12 (eth0)" # $IPTABLES -N Cid994929X26049.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -j Cid994929X26049.0 $IPTABLES -t mangle -A Cid994929X26049.0 -p icmp -m icmp --icmp-type 8/0 -j MARK --set-mark 2 $IPTABLES -t mangle -A Cid994929X26049.0 -p tcp -m tcp --dport 80 -j MARK --set-mark 2 $IPTABLES -N Cid994929X26049.1 -t mangle $IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -j Cid994929X26049.1 $IPTABLES -t mangle -A Cid994929X26049.1 -p icmp -m icmp --icmp-type 8/0 -j CLASSIFY --set-class 1:2 $IPTABLES -t mangle -A Cid994929X26049.1 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:2 # # Rule 13 (eth0) # echo "Rule 13 (eth0)" # $IPTABLES -N Cid994873X26049.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994873X26049.0 $IPTABLES -t mangle -A Cid994873X26049.0 -p icmp -m icmp --icmp-type 8/0 -j MARK --set-mark 2 $IPTABLES -t mangle -A Cid994873X26049.0 -p tcp -m tcp --dport 80 -j MARK --set-mark 2 $IPTABLES -N Cid994873X26049.1 -t mangle $IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994873X26049.1 $IPTABLES -t mangle -A Cid994873X26049.1 -p 
icmp -m icmp --icmp-type 8/0 -j CLASSIFY --set-class 1:2 $IPTABLES -t mangle -A Cid994873X26049.1 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:2 # # Rule 14 (eth0) # echo "Rule 14 (eth0)" # $IPTABLES -N Cid994817X26049.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994817X26049.0 $IPTABLES -t mangle -A Cid994817X26049.0 -p icmp -m icmp --icmp-type 8/0 -j MARK --set-mark 2 $IPTABLES -t mangle -A Cid994817X26049.0 -p tcp -m tcp --dport 80 -j MARK --set-mark 2 $IPTABLES -N Cid994817X26049.1 -t mangle $IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994817X26049.1 $IPTABLES -t mangle -A Cid994817X26049.1 -p icmp -m icmp --icmp-type 8/0 -j CLASSIFY --set-class 1:2 $IPTABLES -t mangle -A Cid994817X26049.1 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:2 # # Rule 15 (eth0) # echo "Rule 15 (eth0)" # $IPTABLES -N Cid994761X26049.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -j Cid994761X26049.0 $IPTABLES -t mangle -A Cid994761X26049.0 -p icmp -m icmp --icmp-type 8/0 -j MARK --set-mark 2 $IPTABLES -t mangle -A Cid994761X26049.0 -p tcp -m tcp --dport 80 -j MARK --set-mark 2 $IPTABLES -N Cid994761X26049.1 -t mangle $IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -j Cid994761X26049.1 $IPTABLES -t mangle -A Cid994761X26049.1 -p icmp -m icmp --icmp-type 8/0 -j CLASSIFY --set-class 1:2 $IPTABLES -t mangle -A Cid994761X26049.1 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:2 # # Rule 16 (global) # echo "Rule 16 (global)" # # test for #2405 # branching in mangle; branch rule set # uses CLASSIFY that is ivalid in PREROUTING # "Assume fw is part of any" is off for this rule $IPTABLES -t mangle -A PREROUTING -j classify_2 $IPTABLES -t mangle -A POSTROUTING -j classify_2 $IPTABLES -t mangle -A FORWARD -j classify_2 # # Rule 17 (global) # echo "Rule 17 (global)" # # test for #2405 # branching in mangle; branch rule set # uses CLASSIFY that is 
ivalid in PREROUTING # "Assume fw is part of any" is off for this rule # Should create branch in OUTPUT instead of # enumerating all ip addresses of the fw in PREROUTING $IPTABLES -t mangle -A PREROUTING -s 22.22.23.22 -j classify_2 $IPTABLES -t mangle -A PREROUTING -s 192.168.1.22 -j classify_2 $IPTABLES -t mangle -A PREROUTING -s 192.168.2.1 -j classify_2 $IPTABLES -t mangle -A POSTROUTING -s 22.22.23.22 -j classify_2 $IPTABLES -t mangle -A POSTROUTING -s 192.168.1.22 -j classify_2 $IPTABLES -t mangle -A POSTROUTING -s 192.168.2.1 -j classify_2 $IPTABLES -t mangle -A FORWARD -s 22.22.23.22 -j classify_2 $IPTABLES -t mangle -A FORWARD -s 192.168.1.22 -j classify_2 $IPTABLES -t mangle -A FORWARD -s 192.168.2.1 -j classify_2 # ================ Table 'filter', rule set Policy # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 3 (eth0) # echo "Rule 3 (eth0)" # $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT # # Rule 5 (eth0) # echo "Rule 5 (eth0)" # $IPTABLES -A INPUT -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 7 (eth0) # echo "Rule 7 (eth0)" # $IPTABLES -A INPUT -i eth0 -s ! 192.168.1.0/24 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -s ! 
192.168.1.0/24 -j ACCEPT # # Rule 9 (eth0) # echo "Rule 9 (eth0)" # $IPTABLES -N Cid591842X26049.0 $IPTABLES -A INPUT -i eth0 -m state --state NEW -j Cid591842X26049.0 $IPTABLES -A FORWARD -i eth0 -m state --state NEW -j Cid591842X26049.0 $IPTABLES -A Cid591842X26049.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid591842X26049.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid591842X26049.0 -j ACCEPT # # Rule 11 (eth0) # echo "Rule 11 (eth0)" # $IPTABLES -N Cid591730X26049.0 $IPTABLES -A INPUT -i eth0 -j Cid591730X26049.0 $IPTABLES -A FORWARD -i eth0 -j Cid591730X26049.0 $IPTABLES -A Cid591730X26049.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid591730X26049.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid591730X26049.0 -j ACCEPT # # Rule 13 (eth0) # echo "Rule 13 (eth0)" # $IPTABLES -N Cid994873X26049.0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994873X26049.0 $IPTABLES -A Cid994873X26049.0 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT $IPTABLES -A Cid994873X26049.0 -p tcp -m tcp --dport 80 -j ACCEPT $IPTABLES -N Cid994873X26049.1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994873X26049.1 $IPTABLES -A Cid994873X26049.1 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT $IPTABLES -A Cid994873X26049.1 -p tcp -m tcp --dport 80 -j ACCEPT # # Rule 15 (eth0) # echo "Rule 15 (eth0)" # $IPTABLES -N Cid994761X26049.0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j Cid994761X26049.0 $IPTABLES -A Cid994761X26049.0 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT $IPTABLES -A Cid994761X26049.0 -p tcp -m tcp --dport 80 -j ACCEPT $IPTABLES -N Cid994761X26049.1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j Cid994761X26049.1 $IPTABLES -A Cid994761X26049.1 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT $IPTABLES -A Cid994761X26049.1 -p tcp -m tcp --dport 80 -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # test for #2405 # branching in mangle; branch rule set # uses CLASSIFY that is ivalid in PREROUTING # "Assume fw is part of any" is off 
# (cont.) for this rule
    $IPTABLES -N classify_2
    $IPTABLES -A FORWARD -j classify_2
    # 
    # Rule 17 (global)
    # 
    echo "Rule 17 (global)"
    # 
    # test for #2405
    # branching in mangle; branch rule set
    # uses CLASSIFY that is ivalid in PREROUTING
    # "Assume fw is part of any" is off for this rule
    # Should create branch in OUTPUT instead of
    # enumerating all ip addresses of the fw in PREROUTING
    $IPTABLES -A OUTPUT -j classify_2
    # 
    # Rule 18 (global)
    # 
    echo "Rule 18 (global)"
    # 
    # Catch-all: traffic not accepted by an earlier rule is logged with the
    # prefix "RULE 18 -- DENY " and dropped, in all three filter chains.
    $IPTABLES -N RULE_18
    $IPTABLES -A OUTPUT -j RULE_18
    $IPTABLES -A INPUT -j RULE_18
    $IPTABLES -A FORWARD -j RULE_18
    $IPTABLES -A RULE_18 -j LOG --log-level info --log-prefix "RULE 18 -- DENY "
    $IPTABLES -A RULE_18 -j DROP
}

# No-op hook: this build emits no IP forwarding sysctl changes here.
ip_forward() {
    :
}

# Reset the IPv4 tables only; the IPv6 tables are left untouched.
reset_all() {
    :
    reset_iptables_v4
}

# "block" mode. reset_iptables_v4 sets the filter policies to DROP before
# flushing, so after this call the host passes no traffic at all.
block_action() {
    reset_all
}

# "stop" mode: flush everything, then open the default policies. After this
# the kernel performs no packet filtering whatsoever.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# Probe one /proc/net/*_tables_names file.
# Returns 151 if the file does not exist (netfilter table modules not
# loaded), 152 if it is empty (no tables configured), 0 otherwise.
# $1 is a fixed absolute path passed by status_action, which is why the
# unquoted expansions are harmless here.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status" mode: return 0 when either the IPv4 or the IPv6 tables are
# present and non-empty. Otherwise print why and exit 3 (the init-script
# convention for "not running").
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

# NOTE: the script runs under plain /bin/sh without "set -e". In the start
# branch RETVAL is taken after epilog_commands, so it reflects only that
# last call: an iptables error inside script_body is not reported through
# the exit status. check_tools, load_modules and configure_interfaces do
# exit 1 on their own when something is missing.
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:47 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # Re-executes this script twice; the two stop/start invocations
        # are not atomic, so there is a short window with open policies.
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # Dry run: every "ip" command below is prefixed with $FWBDEBUG,
        # so setting it to "echo" prints the commands instead of running them.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        ;;
esac

exit $RETVAL
fwbuilder-5.3.7/test/ipt/firewall37.fw.orig000077500000000000000000001350741303637203600205600ustar00rootroot00000000000000
#!/bin/sh 
# 
#  This is automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_ipt v5.0.2.3596
#
#  Generated Sun Mar 18 21:16:45 2012 PDT by vadim
#
# files: * firewall37.fw /etc/fw/firewall37.fw
#
# Compiled for iptables (any version)
#
# testing TAG and CLASSIFY rules
# normal script mode (not using iptables-restore)
# firewall37:mangle_rules:7: warning: Empty group or address table object 'empty Ogroup'
# firewall37:mangle_rules:7: warning: After removal of all empty groups and address table objects rule element Src becomes 'any' in the rule mangle_rules 7 (global)
# Dropping rule mangle_rules 7 (global) because option 'Ignore rules with empty groups' is in effect

# Empty for a real run; the test_interfaces command sets it to "echo" so
# that the ip(8) invocations below are printed rather than executed.
FWBDEBUG=""

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

# Tools are invoked through these absolute paths, not looked up in PATH.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print $1 and, when $LOGGER is installed, also send it to syslog at
# priority "info".
log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# Turn an interface name into a shell identifier by replacing a "." with
# "_". The sed expression has no /g flag, so only the first dot is replaced.
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# Collect the addresses of interface $1 for address family $3 ("-4"/"-6")
# into the shell variable named "${2}_list" (space separated, prefix
# length and "peer ..." suffix stripped). When the interface has no
# address, the variable named $2 is set to '' instead. Assignment goes
# through eval, so $2 must be a fixed identifier chosen by the generated
# code, never a value taken from the network.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Same contract as getaddr_internal, but for the kernel routes that mention
# interface $1 (default route excluded), keeping only the destination
# prefix. Note that $3 (af) is assigned but not used by the ip call, so the
# result is not restricted to one address family.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Address-family specific wrappers around the two helpers above.
getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
# Prints the name of every interface in "ip link show" whose name starts
# with $1 (the grep matches the "N: name" prefix of each link line).
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# For every item of $2 (list1) that does not occur in $3 (list2), run
# "$1 <item> $4". Membership is tested with an unanchored grep, so an item
# that is a substring of some list2 entry is treated as present.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        echo $list2 | grep -q $intf || {
            # $vlan is absent in list 2
            $func $intf $cmd
        }
    done
}

# Abort the whole script (exit 1) when program $1 is not on PATH.
find_program() {
    PGM=$1
    which $PGM >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# Verify that the tools the start path depends on are present.
check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $MODPROBE
    find_program $IP
}

# Set the IPv4 filter policies to DROP, then flush and delete every chain
# in every table listed in /proc/net/ip_tables_names. Setting the policies
# first means the host is closed, not open, while the rules are rebuilt.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

# IPv6 counterpart of reset_iptables_v4 (same fail-closed ordering).
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP

    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t $table -F $chain
            fi
        done
        $IP6TABLES -t $table -X
    done
}

# Set to "yes" once the point-to-point warning has been printed, so it is
# shown at most once per run.
P2P_INTERFACE_WARNING=""

# Add ($2 = "add") or remove ($2 = "del") one address. $1 is "addr@iface"
# as produced by list_addresses_by_scope / update_addresses_of_interface
# and is split on "@" by temporarily changing IFS. Point-to-point
# interfaces are skipped with a single warning. The ip commands are
# prefixed with $FWBDEBUG so that test_interfaces mode only echoes them.
missing_address() {
    address=$1
    cmd=$2

    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS

    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }

    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        # NOTE: this is an "A && B || C" chain, not if/else. An address
        # containing ':' (IPv6) takes the first form; if that ip call fails,
        # the "broadcast +" form is attempted as well. Failure of an add is
        # otherwise not checked.
        echo $addr | grep -q ':' && {
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        } || {
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        }
    }

    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        # A failed removal aborts the script.
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }

    $FWBDEBUG $IP link set $interface up
}

# Print "addr@$1", sorted, for every inet/inet6 address on interface $1
# whose "scope ..." text matches the awk regex $2, skipping the addresses
# listed (space separated) in $3.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
    awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
    'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
    while read addr; do
        echo "${addr}@$interface"
    done | sort
}

# Reconcile the addresses of one interface with the generated list.
# $1 is "iface addr1 addr2 ..." (word-split with set), $2 a list of
# addresses to leave alone. Addresses in the list but not on the interface
# are added; global-scope addresses on the interface but not in the list
# are removed. A missing interface aborts the script with exit 1 unless
# FWBDEBUG is set (test_interfaces mode).
update_addresses_of_interface() {
    ignore_list=$2
    set $1
    interface=$1
    shift

    FWB_ADDRS=$(
      for addr in $*; do
        echo "${addr}@$interface"
      done | sort
    )

    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""

    $IP link show dev $interface >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    }

    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush the global-scope addresses of, and bring down, every interface
# reported by "ip link show" that is not named in the arguments. This is
# destructive by design; configure_interfaces in this build does not call
# it.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
    'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
    while read intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev $intf scope global
        $FWBDEBUG $IP link set $intf down
    done
}

# Abort (exit 1) when the file $2 backing address table object $1 is not
# readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# No address table objects with run-time files in this build.
check_run_time_address_table_files() {
    :
}

# Load the conntrack kernel modules found under the running kernel's net/
# directory (IPv6 ones excluded). When $1 contains "nat" the nat modules
# are added, when it contains "ipv6" nf_conntrack_ipv6 is added; the start
# path passes " ", so neither applies here. A module already listed by
# lsmod is skipped (unanchored grep, so a name that is a substring of a
# loaded module's name is skipped too); a failed modprobe aborts the script.
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
    MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    echo $OPTS | grep -q nat && {
        MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    echo $OPTS | grep -q ipv6 && {
        MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    for module in $MODULES; do
        if $LSMOD | grep ${module} >/dev/null; then continue; fi
        $MODPROBE ${module} || exit 1
    done
}

# No interface verification is generated for this firewall.
verify_interfaces() {
    :
}

# User-supplied prolog; this build only prints a marker line.
prolog_commands() {
    echo "Running prolog script"
}

# User-supplied epilog; this build only prints a marker line.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog and exit with status $1.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Apply the interface addresses configured in the fwbuilder object
# (eth0/eth1/eth2); the second argument (addresses to ignore) is empty.
configure_interfaces() {
    :
    # Configure interfaces
    update_addresses_of_interface "eth0 192.168.1.22/24" ""
    update_addresses_of_interface "eth1 22.22.23.22/24" ""
    update_addresses_of_interface "eth2 192.168.2.1/24" ""
}

script_body() {
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

    # ================ IPv4

    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'mangle', automatic rules
    $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark

    # ================ Table 'nat', rule set NAT
    # 
    # Rule 0 (NAT)
    # 
    echo "Rule 0 (NAT)"
    # 
    $IPTABLES -t nat -A POSTROUTING -s 22.22.23.22 -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -s 192.168.1.22 -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -s 192.168.2.1 -j ACCEPT
    $IPTABLES -t nat
-A OUTPUT -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j ACCEPT $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -j ACCEPT # ================ Table 'mangle', rule set mymark # # Rule mymark 0 (global) # echo "Rule mymark 0 (global)" # $IPTABLES -N mymark -t mangle $IPTABLES -t mangle -A mymark -d 192.168.2.0/24 -m state --state NEW -j MARK --set-mark 16 # # Rule mymark 1 (global) # echo "Rule mymark 1 (global)" # $IPTABLES -t mangle -A mymark -m state --state NEW -j MARK --set-mark 2 # ================ Table 'mangle', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 3 (eth1) # echo "Rule 3 (eth1)" # $IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 5 (eth1) # echo "Rule 5 (eth1)" # $IPTABLES -N Cid43501X5007.0 -t 
mangle $IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -m state --state NEW -j Cid43501X5007.0 $IPTABLES -t mangle -A Cid43501X5007.0 -p 50 -j MARK --set-mark 16 $IPTABLES -t mangle -A Cid43501X5007.0 -p ah -j MARK --set-mark 16 # # Rule 6 (eth1) # echo "Rule 6 (eth1)" # $IPTABLES -N Cid43518X5007.0 -t mangle $IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -m state --state NEW -j Cid43518X5007.0 $IPTABLES -t mangle -A Cid43518X5007.0 -p 50 -j MARK --set-mark 16 $IPTABLES -t mangle -A Cid43518X5007.0 -p ah -j MARK --set-mark 16 # # Rule 7 (eth1) # echo "Rule 7 (eth1)" # $IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 8 (eth1) # echo "Rule 8 (eth1)" # $IPTABLES -N Cid43554X5007.0 -t mangle $IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -j Cid43554X5007.0 $IPTABLES -t mangle -A Cid43554X5007.0 -p 50 -j MARK --set-mark 16 $IPTABLES -t mangle -A Cid43554X5007.0 -p ah -j MARK --set-mark 16 # # Rule 9 (eth1) # echo "Rule 9 (eth1)" # $IPTABLES -N Cid43571X5007.0 -t mangle $IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -j Cid43571X5007.0 $IPTABLES -t mangle -A Cid43571X5007.0 -p 50 -j MARK --set-mark 16 $IPTABLES -t mangle -A Cid43571X5007.0 -p ah -j MARK --set-mark 16 # # Rule 10 (eth1) # echo "Rule 10 (eth1)" # $IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -j MARK --set-mark 16 # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -N Cid43BBCC139745.0 -t mangle $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j Cid43BBCC139745.0 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j Cid43BBCC139745.0 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j Cid43BBCC139745.0 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid43BBCC139745.0 $IPTABLES -t mangle -A Cid43BBCC139745.0 -s 192.168.1.0/24 -j RETURN 
$IPTABLES -t mangle -A Cid43BBCC139745.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid43BBCC139745.0 -j MARK --set-mark 16 # # Rule 12 (eth1) # echo "Rule 12 (eth1)" # $IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 13 (eth1) # echo "Rule 13 (eth1)" # $IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 14 (eth1) # echo "Rule 14 (eth1)" # $IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16 $IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16 # # Rule 15 (global) # echo "Rule 15 (global)" # # using CONNMARK $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t 
mangle -A PREROUTING -p ah -m state --state NEW -j CONNMARK --save-mark # # Rule 16 (global) # echo "Rule 16 (global)" # # using CONNMARK $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j CONNMARK --save-mark # # Rule 17 (global) # echo "Rule 17 (global)" # # using CONNMARK $IPTABLES -N Cid4483A4DF1810.0 -t mangle $IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j Cid4483A4DF1810.0 $IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j Cid4483A4DF1810.0 $IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j Cid4483A4DF1810.0 $IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid4483A4DF1810.0 $IPTABLES -t mangle -A Cid4483A4DF1810.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid4483A4DF1810.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid4483A4DF1810.0 -j MARK --set-mark 10 $IPTABLES -t mangle -A Cid4483A4DF1810.0 -j CONNMARK --save-mark # # Rule 18 (eth1) # echo "Rule 18 (eth1)" # # using CONNMARK $IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j CONNMARK --save-mark # # Rule 19 (eth1) # echo "Rule 19 (eth1)" # # using CONNMARK $IPTABLES -t mangle 
-A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j MARK --set-mark 10 $IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j CONNMARK --save-mark # # Rule 22 (global) # echo "Rule 22 (global)" # $IPTABLES -t mangle -A POSTROUTING -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2 # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -t mangle -A POSTROUTING -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2 # # Rule 24 (global) # echo "Rule 24 (global)" # $IPTABLES -N Cid451E56936383.0 -t mangle $IPTABLES -t mangle -A POSTROUTING -j Cid451E56936383.0 $IPTABLES -t mangle -A Cid451E56936383.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid451E56936383.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid451E56936383.0 -j CLASSIFY --set-class 1:2 # # Rule 25 (global) # echo "Rule 25 (global)" # $IPTABLES -N Cid451E56A46383.0 -t mangle $IPTABLES -t mangle -A POSTROUTING -j Cid451E56A46383.0 $IPTABLES -t mangle -A Cid451E56A46383.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid451E56A46383.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid451E56A46383.0 -j CLASSIFY --set-class 1:2 # # Rule 26 (eth1) # echo "Rule 26 (eth1)" # $IPTABLES -t mangle -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2 # # Rule 27 (eth1) # echo "Rule 27 (eth1)" # $IPTABLES -t mangle -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2 # # Rule 28 (eth1) # echo "Rule 28 (eth1)" # $IPTABLES -t 
mangle -A POSTROUTING -o ! eth1 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2 # # Rule 29 (eth1) # echo "Rule 29 (eth1)" # $IPTABLES -t mangle -A POSTROUTING -o ! eth1 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2 # # Rule 30 (global) # echo "Rule 30 (global)" # $IPTABLES -t mangle -A POSTROUTING -s 22.22.23.22 -j CLASSIFY --set-class 1:2 $IPTABLES -t mangle -A POSTROUTING -s 192.168.1.22 -j CLASSIFY --set-class 1:2 $IPTABLES -t mangle -A POSTROUTING -s 192.168.2.1 -j CLASSIFY --set-class 1:2 # # Rule 31 (global) # echo "Rule 31 (global)" # # testing for bug #1618381 # classify action is non-terminating # in this firewall object $IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j CLASSIFY --set-class 1:10 # # Rule 32 (eth0) # echo "Rule 32 (eth0)" # # second rule for bug #1618381 $IPTABLES -t mangle -A POSTROUTING -o eth0 -j CLASSIFY --set-class 1:11 # # Rule 33 (global) # echo "Rule 33 (global)" # # testing for bug #1618381 $IPTABLES -N Cid459A026219324.0 -t mangle $IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j Cid459A026219324.0 $IPTABLES -t mangle -A Cid459A026219324.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid459A026219324.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid459A026219324.0 -j CLASSIFY --set-class 1:10 # # Rule 34 (global) # echo "Rule 34 (global)" # # testing for bug #1618381 $IPTABLES -N Cid459A5AFB19324.0 -t mangle $IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j Cid459A5AFB19324.0 $IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp --dport 80 -j Cid459A5AFB19324.0 $IPTABLES -t mangle -A Cid459A5AFB19324.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -t mangle -A Cid459A5AFB19324.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -t mangle -A Cid459A5AFB19324.0 -j CLASSIFY --set-class 1:10 # # Rule 35 (eth0) # echo "Rule 35 (eth0)" # # bug #1618381 # this rule uses multiport # and has to be split because # of that $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 10000:11000 -j 
CLASSIFY --set-class 1:11 $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j CLASSIFY --set-class 1:11 $IPTABLES -t mangle -A POSTROUTING -o eth0 -p udp -m udp -m multiport --dports 53,161 -j CLASSIFY --set-class 1:11 # # Rule 37 (global) # echo "Rule 37 (global)" # $IPTABLES -t mangle -A PREROUTING -j mymark $IPTABLES -t mangle -A POSTROUTING -j mymark $IPTABLES -t mangle -A FORWARD -j mymark # ================ Table 'mangle', rule set mangle_rules # # Rule mangle_rules 0 (global) # echo "Rule mangle_rules 0 (global)" # $IPTABLES -t mangle -A OUTPUT -m mark ! --mark 0 -m state --state NEW -j ACCEPT $IPTABLES -t mangle -A INPUT -m mark ! --mark 0 -m state --state NEW -j ACCEPT $IPTABLES -t mangle -A PREROUTING -m mark ! --mark 0 -m state --state NEW -j ACCEPT # # Rule mangle_rules 1 (global) # echo "Rule mangle_rules 1 (global)" # $IPTABLES -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j MARK --set-mark 1 $IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -j MARK --set-mark 1 $IPTABLES -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -j CONNMARK --save-mark # # Rule mangle_rules 2 (global) # echo "Rule mangle_rules 2 (global)" # $IPTABLES -t mangle -A POSTROUTING -m mark --mark 1 -j CLASSIFY --set-class 1:12 # # Rule mangle_rules 4 (global) # echo "Rule mangle_rules 4 (global)" # $IPTABLES -t mangle -A INPUT -s 72.55.148.116 -m mark --mark 1 -m state --state NEW -j ACCEPT $IPTABLES -t mangle -A PREROUTING -s 72.55.148.116 -m mark --mark 1 -m state --state NEW -j ACCEPT # # Rule mangle_rules 5 (global) # echo "Rule mangle_rules 5 (global)" # $IPTABLES -t mangle -A INPUT -s 6bone.net -m mark --mark 1 -m state --state NEW -j ACCEPT $IPTABLES -t mangle -A PREROUTING -s 6bone.net -m mark --mark 1 -m state --state NEW 
-j ACCEPT # # Rule mangle_rules 6 (global) # echo "Rule mangle_rules 6 (global)" # $IPTABLES -N Cid122277X13558.0 -t mangle $IPTABLES -t mangle -A INPUT -m mark --mark 1 -m state --state NEW -j Cid122277X13558.0 $IPTABLES -t mangle -A Cid122277X13558.0 -s 6bone.net -j ACCEPT $IPTABLES -t mangle -A Cid122277X13558.0 -s ny6ix.net -j ACCEPT $IPTABLES -N Cid122277X13558.1 -t mangle $IPTABLES -t mangle -A PREROUTING -m mark --mark 1 -m state --state NEW -j Cid122277X13558.1 $IPTABLES -t mangle -A Cid122277X13558.1 -s 6bone.net -j ACCEPT $IPTABLES -t mangle -A Cid122277X13558.1 -s ny6ix.net -j ACCEPT # # Rule mangle_rules 8 (global) # echo "Rule mangle_rules 8 (global)" # $IPTABLES -t mangle -A OUTPUT -m mark --mark 1 -m state --state NEW -j ACCEPT # # Rule mangle_rules 9 (global) # echo "Rule mangle_rules 9 (global)" # $IPTABLES -t mangle -A OUTPUT -s 22.22.23.22 -m mark --mark 1 -m state --state NEW -j ACCEPT # # Rule mangle_rules 10 (global) # echo "Rule mangle_rules 10 (global)" # $IPTABLES -N Cid207332X13558.0 -t mangle $IPTABLES -t mangle -A OUTPUT -m mark --mark 1 -m state --state NEW -j Cid207332X13558.0 $IPTABLES -t mangle -A Cid207332X13558.0 -d 22.22.23.22 -j ACCEPT $IPTABLES -t mangle -A Cid207332X13558.0 -d 192.168.1.22 -j ACCEPT $IPTABLES -t mangle -A Cid207332X13558.0 -d 192.168.2.1 -j ACCEPT $IPTABLES -t mangle -A INPUT -m mark --mark 1 -m state --state NEW -j ACCEPT # # Rule mangle_rules 11 (global) # echo "Rule mangle_rules 11 (global)" # $IPTABLES -t mangle -A PREROUTING -i + -s ! 192.168.1.0/24 -m mark --mark 1 -m state --state NEW -j ACCEPT # # Rule mangle_rules 12 (global) # echo "Rule mangle_rules 12 (global)" # $IPTABLES -t mangle -A PREROUTING -i + -s ! 
1.1.1.1 -m mark --mark 1 -m state --state NEW -j ACCEPT # # Rule mangle_rules 13 (global) # echo "Rule mangle_rules 13 (global)" # $IPTABLES -N Cid480281X13558.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i + -m mark --mark 1 -m state --state NEW -j Cid480281X13558.0 $IPTABLES -t mangle -A Cid480281X13558.0 -s 72.55.148.116 -j RETURN $IPTABLES -t mangle -A Cid480281X13558.0 -j ACCEPT # # Rule mangle_rules 14 (global) # echo "Rule mangle_rules 14 (global)" # $IPTABLES -N Cid480300X13558.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i + -m mark --mark 1 -m state --state NEW -j Cid480300X13558.0 $IPTABLES -t mangle -A Cid480300X13558.0 -s 6bone.net -j RETURN $IPTABLES -t mangle -A Cid480300X13558.0 -j ACCEPT # # Rule mangle_rules 15 (global) # echo "Rule mangle_rules 15 (global)" # # rules in mangle-only ruleset with action # Accept normally go to PREROUTING, # but if direction is set to outbound, # they go to POSTROUTING. This is just # a convention since there is no better # criteria as to how to tell the compiler # that such rule should be placed in # POSTROUTING. 
$IPTABLES -N Cid43052X80179.0 -t mangle $IPTABLES -t mangle -A POSTROUTING -o + -m mark --mark 1 -m state --state NEW -j Cid43052X80179.0 $IPTABLES -t mangle -A Cid43052X80179.0 -s 6bone.net -j ACCEPT $IPTABLES -t mangle -A Cid43052X80179.0 -s ny6ix.net -j ACCEPT # ================ Table 'filter', rule set mymark # # Rule mymark 0 (global) # echo "Rule mymark 0 (global)" # $IPTABLES -N mymark $IPTABLES -A mymark -d 192.168.2.0/24 -m state --state NEW -j ACCEPT # # Rule mymark 1 (global) # echo "Rule mymark 1 (global)" # $IPTABLES -A mymark -m state --state NEW -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p ah -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p ah -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j RULE_1 $IPTABLES -A OUTPUT -p ah -m state --state NEW -j RULE_1 $IPTABLES -A INPUT -p 50 -m state --state NEW -j RULE_1 $IPTABLES -A INPUT -p ah -m state --state NEW -j RULE_1 $IPTABLES -A FORWARD -p 50 -m state --state NEW -j RULE_1 $IPTABLES -A FORWARD -p ah -m state --state NEW -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT " $IPTABLES -A RULE_1 -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N Cid483502D710047.0 $IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid483502D710047.0 $IPTABLES -A INPUT -p ah -m state --state NEW -j Cid483502D710047.0 $IPTABLES -A Cid483502D710047.0 -s 22.22.23.22 -j ACCEPT $IPTABLES -A Cid483502D710047.0 -s 192.168.1.22 -j ACCEPT $IPTABLES -A Cid483502D710047.0 -s 192.168.2.1 -j ACCEPT $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p 
ah -m state --state NEW -j ACCEPT # # Rule 3 (eth1) # echo "Rule 3 (eth1)" # $IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N Cid483502E810047.0 $IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid483502E810047.0 $IPTABLES -A INPUT -p ah -m state --state NEW -j Cid483502E810047.0 $IPTABLES -N RULE_4 $IPTABLES -A Cid483502E810047.0 -s 22.22.23.22 -j RULE_4 $IPTABLES -A Cid483502E810047.0 -s 192.168.1.22 -j RULE_4 $IPTABLES -A Cid483502E810047.0 -s 192.168.2.1 -j RULE_4 $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j RULE_4 $IPTABLES -A OUTPUT -p ah -m state --state NEW -j RULE_4 $IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT " $IPTABLES -A RULE_4 -j ACCEPT # # Rule 5 (eth1) # echo "Rule 5 (eth1)" # $IPTABLES -N Cid43501X5007.0 $IPTABLES -A OUTPUT -o eth1 -s 22.22.23.22 -m state --state NEW -j Cid43501X5007.0 $IPTABLES -A Cid43501X5007.0 -p 50 -j ACCEPT $IPTABLES -A Cid43501X5007.0 -p ah -j ACCEPT # # Rule 6 (eth1) # echo "Rule 6 (eth1)" # $IPTABLES -N Cid43518X5007.0 $IPTABLES -A OUTPUT -o eth1 -s 22.22.23.22 -m state --state NEW -j Cid43518X5007.0 $IPTABLES -A Cid43518X5007.0 -p 50 -j ACCEPT $IPTABLES -A Cid43518X5007.0 -p ah -j ACCEPT # # Rule 7 (eth1) # echo "Rule 7 (eth1)" # $IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 8 (eth1) # echo "Rule 8 (eth1)" # $IPTABLES -N Cid43554X5007.0 $IPTABLES -A OUTPUT -o eth1 -s 22.22.23.22 -j Cid43554X5007.0 $IPTABLES -A Cid43554X5007.0 -p 50 -j ACCEPT $IPTABLES -A Cid43554X5007.0 -p ah -j ACCEPT # # Rule 9 (eth1) # echo "Rule 9 (eth1)" # $IPTABLES -N Cid43571X5007.0 $IPTABLES -A OUTPUT -o eth1 -s 22.22.23.22 -j Cid43571X5007.0 $IPTABLES -A Cid43571X5007.0 -p 50 -j ACCEPT $IPTABLES -A Cid43571X5007.0 -p ah -j ACCEPT # # Rule 10 (eth1) # echo "Rule 10 (eth1)" # 
$IPTABLES -A OUTPUT -o eth1 -p 50 -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p ah -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -N Cid43BBCC139745.0 $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j Cid43BBCC139745.0 $IPTABLES -A OUTPUT -p ah -m state --state NEW -j Cid43BBCC139745.0 $IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid43BBCC139745.0 $IPTABLES -A INPUT -p ah -m state --state NEW -j Cid43BBCC139745.0 $IPTABLES -A FORWARD -p 50 -m state --state NEW -j Cid43BBCC139745.0 $IPTABLES -A FORWARD -p ah -m state --state NEW -j Cid43BBCC139745.0 $IPTABLES -A Cid43BBCC139745.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid43BBCC139745.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -N RULE_11_3 $IPTABLES -A Cid43BBCC139745.0 -j RULE_11_3 $IPTABLES -A RULE_11_3 -j LOG --log-level info --log-prefix "RULE 11 -- ACCEPT " $IPTABLES -A RULE_11_3 -j ACCEPT # # Rule 12 (eth1) # echo "Rule 12 (eth1)" # $IPTABLES -A INPUT -i eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p ah -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 13 (eth1) # echo "Rule 13 (eth1)" # $IPTABLES -A INPUT -i eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 14 (eth1) # echo "Rule 14 (eth1)" # $IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES 
-A FORWARD -o eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # # using CONNMARK $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p ah -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p ah -m state --state NEW -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # using CONNMARK $IPTABLES -N RULE_16 $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j RULE_16 $IPTABLES -A OUTPUT -p ah -m state --state NEW -j RULE_16 $IPTABLES -A INPUT -p 50 -m state --state NEW -j RULE_16 $IPTABLES -A INPUT -p ah -m state --state NEW -j RULE_16 $IPTABLES -A FORWARD -p 50 -m state --state NEW -j RULE_16 $IPTABLES -A FORWARD -p ah -m state --state NEW -j RULE_16 $IPTABLES -A RULE_16 -j LOG --log-level info --log-prefix "RULE 16 -- ACCEPT " $IPTABLES -A RULE_16 -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # # using CONNMARK $IPTABLES -N Cid4483A4DF1810.0 $IPTABLES -A OUTPUT -p 50 -m state --state NEW -j Cid4483A4DF1810.0 $IPTABLES -A OUTPUT -p ah -m state --state NEW -j Cid4483A4DF1810.0 $IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid4483A4DF1810.0 $IPTABLES -A INPUT -p ah -m state --state NEW -j Cid4483A4DF1810.0 $IPTABLES -A FORWARD -p 50 -m state --state NEW -j Cid4483A4DF1810.0 $IPTABLES -A FORWARD -p ah -m state --state NEW -j Cid4483A4DF1810.0 $IPTABLES -A Cid4483A4DF1810.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid4483A4DF1810.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -N RULE_17_3 $IPTABLES -A Cid4483A4DF1810.0 -j RULE_17_3 $IPTABLES -A RULE_17_3 -j LOG --log-level info --log-prefix "RULE 17 -- ACCEPT " $IPTABLES -A RULE_17_3 -j ACCEPT # # Rule 18 (eth1) # echo "Rule 18 (eth1)" # # using CONNMARK $IPTABLES -A INPUT -i eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -p ah -m state --state NEW -j 
ACCEPT $IPTABLES -A FORWARD -i eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 19 (eth1) # echo "Rule 19 (eth1)" # # using CONNMARK $IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p 50 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth1 -p ah -m state --state NEW -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # # tag 0 matches packet that has not been marked yet. $IPTABLES -A OUTPUT -m mark ! --mark 0 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m mark ! --mark 0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m mark ! --mark 0 -m state --state NEW -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.2.10 --dport 80 -j QUEUE $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 80 -j QUEUE # # Rule 22 (global) # echo "Rule 22 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -j ACCEPT # # Rule 23 (global) # echo "Rule 23 (global)" # $IPTABLES -N RULE_23 $IPTABLES -A INPUT -s 192.168.1.0/24 -j RULE_23 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j RULE_23 $IPTABLES -A FORWARD -s 192.168.1.0/24 -j RULE_23 $IPTABLES -A RULE_23 -j LOG --log-level info --log-prefix "RULE 23 -- ACCEPT " $IPTABLES -A RULE_23 -j ACCEPT # # Rule 24 (global) # echo "Rule 24 (global)" # $IPTABLES -N Cid451E56936383.0 $IPTABLES -A OUTPUT -j Cid451E56936383.0 $IPTABLES -A INPUT -j Cid451E56936383.0 $IPTABLES -A FORWARD -j Cid451E56936383.0 $IPTABLES -A Cid451E56936383.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid451E56936383.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid451E56936383.0 -j ACCEPT # # Rule 25 (global) # echo "Rule 25 (global)" # $IPTABLES -N Cid451E56A46383.0 $IPTABLES -A OUTPUT -j Cid451E56A46383.0 $IPTABLES -A INPUT -j 
Cid451E56A46383.0 $IPTABLES -A FORWARD -j Cid451E56A46383.0 $IPTABLES -A Cid451E56A46383.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid451E56A46383.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -N RULE_25_3 $IPTABLES -A Cid451E56A46383.0 -j RULE_25_3 $IPTABLES -A RULE_25_3 -j LOG --log-level info --log-prefix "RULE 25 -- ACCEPT " $IPTABLES -A RULE_25_3 -j ACCEPT # # Rule 26 (eth1) # echo "Rule 26 (eth1)" # $IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A FORWARD -o eth1 -s 192.168.1.0/24 -j ACCEPT # # Rule 27 (eth1) # echo "Rule 27 (eth1)" # $IPTABLES -N In_RULE_27 $IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j In_RULE_27 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_27 $IPTABLES -A In_RULE_27 -j LOG --log-level info --log-prefix "RULE 27 -- ACCEPT " $IPTABLES -A In_RULE_27 -j ACCEPT $IPTABLES -N Out_RULE_27 $IPTABLES -A OUTPUT -o eth1 -s 192.168.1.0/24 -j Out_RULE_27 $IPTABLES -A FORWARD -o eth1 -s 192.168.1.0/24 -j Out_RULE_27 $IPTABLES -A Out_RULE_27 -j LOG --log-level info --log-prefix "RULE 27 -- ACCEPT " $IPTABLES -A Out_RULE_27 -j ACCEPT # # Rule 28 (eth1) # echo "Rule 28 (eth1)" # $IPTABLES -A INPUT -i ! eth1 -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A FORWARD -i ! eth1 -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A OUTPUT -o ! eth1 -s 192.168.1.0/24 -j ACCEPT $IPTABLES -A FORWARD -o ! eth1 -s 192.168.1.0/24 -j ACCEPT # # Rule 29 (eth1) # echo "Rule 29 (eth1)" # $IPTABLES -N In_RULE_29 $IPTABLES -A INPUT -i ! eth1 -s 192.168.1.0/24 -j In_RULE_29 $IPTABLES -A FORWARD -i ! eth1 -s 192.168.1.0/24 -j In_RULE_29 $IPTABLES -A In_RULE_29 -j LOG --log-level info --log-prefix "RULE 29 -- ACCEPT " $IPTABLES -A In_RULE_29 -j ACCEPT $IPTABLES -N Out_RULE_29 $IPTABLES -A OUTPUT -o ! eth1 -s 192.168.1.0/24 -j Out_RULE_29 $IPTABLES -A FORWARD -o ! 
eth1 -s 192.168.1.0/24 -j Out_RULE_29 $IPTABLES -A Out_RULE_29 -j LOG --log-level info --log-prefix "RULE 29 -- ACCEPT " $IPTABLES -A Out_RULE_29 -j ACCEPT # # Rule 31 (global) # echo "Rule 31 (global)" # # testing for bug #1618381 # classify action is non-terminating # in this firewall object $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT # # Rule 32 (eth0) # echo "Rule 32 (eth0)" # # second rule for bug #1618381 $IPTABLES -A INPUT -i eth0 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -j ACCEPT # # Rule 33 (global) # echo "Rule 33 (global)" # # testing for bug #1618381 $IPTABLES -N Cid459A026219324.0 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid459A026219324.0 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid459A026219324.0 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid459A026219324.0 $IPTABLES -A Cid459A026219324.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid459A026219324.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid459A026219324.0 -j ACCEPT # # Rule 34 (global) # echo "Rule 34 (global)" # # testing for bug #1618381 $IPTABLES -N Cid459A5AFB19324.0 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid459A5AFB19324.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -j Cid459A5AFB19324.0 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid459A5AFB19324.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j Cid459A5AFB19324.0 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid459A5AFB19324.0 $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j Cid459A5AFB19324.0 $IPTABLES -A Cid459A5AFB19324.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid459A5AFB19324.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -A Cid459A5AFB19324.0 -j ACCEPT # # Rule 35 (eth0) # echo "Rule 35 (eth0)" # # bug #1618381 # this rule uses multiport # and has to be split because # of 
that $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A INPUT -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT # # Rule 36 (global) # echo "Rule 36 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -j TCPMSS --set-mss 1400 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j TCPMSS --set-mss 1400 $IPTABLES -A FORWARD -s 192.168.1.0/24 -j TCPMSS --set-mss 1400 # # Rule 37 (global) # echo "Rule 37 (global)" # $IPTABLES -N RULE_37 $IPTABLES -A OUTPUT -j RULE_37 $IPTABLES -A INPUT -j RULE_37 $IPTABLES -A FORWARD -j RULE_37 $IPTABLES -A RULE_37 -j LOG --log-level info --log-prefix "RULE 37 -- BRANCH " $IPTABLES -A RULE_37 -j mymark # # Rule 38 (global) # echo "Rule 38 (global)" # $IPTABLES -N RULE_38 $IPTABLES -A OUTPUT -j RULE_38 $IPTABLES -A INPUT -j RULE_38 $IPTABLES -A FORWARD -j RULE_38 $IPTABLES -A RULE_38 -j LOG --log-level info --log-prefix "RULE 38 -- DENY " $IPTABLES -A RULE_38 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all 
} stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:45 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall38.fw.orig000077500000000000000000000422221303637203600205510ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:48 2012 PDT by vadim # # files: * firewall38.fw /etc/fw/firewall38.fw # # Compiled for iptables 1.3.0 # # testing TAG rules # using iptables-restore FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.22/24" "" update_addresses_of_interface "eth1 22.22.23.22/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # ================ Table 'filter', rule set Policy # # Rule 1 (global) echo "-A OUTPUT -p 50 -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \"" echo "-A OUTPUT -p ah -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \"" echo "-A INPUT -p 50 -m state --state NEW -j LOG --log-level info --log-prefix 
\"RULE 1 -- CONTINUE \"" echo "-A INPUT -p ah -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \"" echo "-A FORWARD -p 50 -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \"" echo "-A FORWARD -p ah -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \"" # # Rule 2 (global) echo ":Cid43BBF1AD9745.0 - [0:0]" echo "-A OUTPUT -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.0 " echo "-A Cid43BBF1AD9745.0 -p 50 -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \"" echo "-A Cid43BBF1AD9745.0 -p ah -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \"" echo ":Cid43BBF1AD9745.1 - [0:0]" echo "-A INPUT -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.1 " echo "-A Cid43BBF1AD9745.1 -p 50 -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \"" echo "-A Cid43BBF1AD9745.1 -p ah -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \"" echo ":Cid43BBF1AD9745.2 - [0:0]" echo "-A OUTPUT -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.2 " echo "-A Cid43BBF1AD9745.2 -p 50 -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \"" echo "-A Cid43BBF1AD9745.2 -p ah -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \"" echo ":Cid43BBF1AD9745.3 - [0:0]" echo "-A FORWARD -s ! 
192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.3 " echo "-A Cid43BBF1AD9745.3 -p 50 -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \"" echo "-A Cid43BBF1AD9745.3 -p ah -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \"" # # Rule 5 (global) echo "-A INPUT -p tcp -m tcp -s 22.22.23.22 --dport 80 -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 5 -- CONTINUE \"" echo "-A OUTPUT -p tcp -m tcp -s 22.22.23.22 --dport 80 -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 5 -- CONTINUE \"" # # Rule 9 (global) echo "-A OUTPUT -m mark --mark 16 -m state --state NEW -j ACCEPT " echo "-A INPUT -m mark --mark 16 -m state --state NEW -j ACCEPT " echo "-A FORWARD -m mark --mark 16 -m state --state NEW -j ACCEPT " # # Rule 10 (global) echo "-A OUTPUT -m mark ! --mark 16 -m state --state NEW -j ACCEPT " echo "-A INPUT -m mark ! --mark 16 -m state --state NEW -j ACCEPT " echo "-A FORWARD -m mark ! --mark 16 -m state --state NEW -j ACCEPT " # # Rule 11 (global) echo "-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -m mark --mark 16 -m state --state NEW -j ACCEPT " echo "-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT " echo "-A INPUT -m mark --mark 16 -m state --state NEW -j ACCEPT " echo "-A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT " echo "-A FORWARD -m mark --mark 16 -m state --state NEW -j ACCEPT " # # Rule 12 (global) echo ":Cid43EC87C832486.0 - [0:0]" echo "-A OUTPUT -m state --state NEW -j Cid43EC87C832486.0 " echo "-A INPUT -m state --state NEW -j Cid43EC87C832486.0 " echo "-A FORWARD -m state --state NEW -j Cid43EC87C832486.0 " echo "-A Cid43EC87C832486.0 -p tcp -m tcp --dport 80 -j RETURN " echo "-A Cid43EC87C832486.0 -m mark --mark 16 -j RETURN " echo "-A Cid43EC87C832486.0 -j ACCEPT " # # Rule 13 (global) echo "-A OUTPUT -p tcp -m tcp -d 192.168.2.10 --dport 80 -j QUEUE " echo "-A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 80 -j QUEUE " 
# # Rule 14 (global) echo "-A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT " echo "-A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT " echo "-A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT " # # Rule 15 (global) echo ":RULE_15 - [0:0]" echo "-A OUTPUT -j RULE_15 " echo "-A INPUT -j RULE_15 " echo "-A FORWARD -j RULE_15 " echo "-A RULE_15 -j LOG --log-level info --log-prefix \"RULE 15 -- DENY \"" echo "-A RULE_15 -j DROP " # echo COMMIT echo '*mangle' # ================ Table 'mangle', automatic rules echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" # ================ Table 'mangle', rule set Policy # # Rule 0 (global) echo "-A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16" echo "-A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16" echo "-A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16" echo "-A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16" # # Rule 1 (global) echo "-A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16" echo "-A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16" echo "-A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16" echo "-A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16" # # Rule 2 (global) echo ":Cid43BBF1AD9745.0 - [0:0]" echo "-A OUTPUT -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.0 " echo "-A Cid43BBF1AD9745.0 -p 50 -j MARK --set-mark 16" echo "-A Cid43BBF1AD9745.0 -p ah -j MARK --set-mark 16" echo ":Cid43BBF1AD9745.1 - [0:0]" echo "-A PREROUTING -s ! 
192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.1 " echo "-A Cid43BBF1AD9745.1 -p 50 -j MARK --set-mark 16" echo "-A Cid43BBF1AD9745.1 -p ah -j MARK --set-mark 16" # # Rule 3 (eth1) echo "-A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 16" echo "-A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 16" # # Rule 4 (global) # rule comment: rule 4 echo "-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j MARK --set-mark 2" # # Rule 5 (global) echo "-A OUTPUT -p tcp -m tcp -s 22.22.23.22 --dport 80 -m state --state NEW -j MARK --set-mark 2" # # Rule 6 (eth1) echo "-A OUTPUT -o eth1 -p tcp -m tcp -s 22.22.23.22 --dport 80 -m state --state NEW -j MARK --set-mark 2" # # Rule 7 (eth1) echo "-A PREROUTING -i eth1 -p tcp -m tcp -s 22.22.23.22 --dport 80 -m state --state NEW -j MARK --set-mark 2" # # Rule 8 (eth1) echo ":Cid462EA8B230547.0 - [0:0]" echo "-A OUTPUT -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j Cid462EA8B230547.0 " echo "-A Cid462EA8B230547.0 -s 22.22.23.22 -j RETURN " echo "-A Cid462EA8B230547.0 -j MARK --set-mark 2" echo "-A POSTROUTING -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j MARK --set-mark 2" # echo COMMIT echo '*nat' # ================ Table 'nat', rule set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo "-A POSTROUTING -o eth1 -s 22.22.23.22 -j SNAT --to-source 22.22.23.22 " echo "-A POSTROUTING -o eth1 -s 192.168.1.22 -j SNAT --to-source 22.22.23.22 " echo "-A POSTROUTING -o eth1 -s 192.168.2.1 -j SNAT --to-source 22.22.23.22 " echo "-A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.22 " # # Rule 1 (NAT) echo "-A POSTROUTING -o eth1 -s 192.168.1.0/24 -m mark --mark 16 -j SNAT --to-source 22.22.23.22 " # echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:48 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall39.fw.orig000077500000000000000000000621741303637203600205620ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:49 2012 PDT by vadim # # files: * firewall39.fw /etc/fw/firewall39.fw # # Compiled for iptables (any version) # # testing branching rules # normal script mode (not using iptables-restore) # firewall39:Policy:14: warning: Rule branches to rule set rule6_branch which branches back to it, creating a loop # firewall39:rule6_branch:0: warning: Rule branches to rule set Policy which branches back to it, creating a loop FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.22/24" "" update_addresses_of_interface "eth1 22.22.23.22/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -s 22.22.23.22 -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.1.22 -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.2.1 -j ACCEPT $IPTABLES -t nat -A OUTPUT -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j ACCEPT $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -j ACCEPT # ================ Table 
'mangle', rule set Policy # # Rule 7 (global) # echo "Rule 7 (global)" # # green rules branch # also in mangle table $IPTABLES -N rule0_branch -t mangle $IPTABLES -t mangle -A PREROUTING -p 50 -j rule0_branch $IPTABLES -t mangle -A PREROUTING -p ah -j rule0_branch $IPTABLES -t mangle -A POSTROUTING -p 50 -j rule0_branch $IPTABLES -t mangle -A POSTROUTING -p ah -j rule0_branch $IPTABLES -t mangle -A FORWARD -p 50 -j rule0_branch $IPTABLES -t mangle -A FORWARD -p ah -j rule0_branch # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N rule1_branch -t mangle $IPTABLES -t mangle -A PREROUTING -p 50 -j rule1_branch $IPTABLES -t mangle -A PREROUTING -p ah -j rule1_branch $IPTABLES -t mangle -A POSTROUTING -p 50 -j rule1_branch $IPTABLES -t mangle -A POSTROUTING -p ah -j rule1_branch $IPTABLES -t mangle -A FORWARD -p 50 -j rule1_branch $IPTABLES -t mangle -A FORWARD -p ah -j rule1_branch # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N Cid464C29BB3999.0 -t mangle $IPTABLES -t mangle -A PREROUTING -s ! 192.168.1.0/24 -j Cid464C29BB3999.0 $IPTABLES -N rule2_branch -t mangle $IPTABLES -t mangle -A Cid464C29BB3999.0 -p 50 -j rule2_branch $IPTABLES -t mangle -A Cid464C29BB3999.0 -p ah -j rule2_branch $IPTABLES -N Cid464C29BB3999.1 -t mangle $IPTABLES -t mangle -A POSTROUTING -s ! 192.168.1.0/24 -j Cid464C29BB3999.1 $IPTABLES -t mangle -A Cid464C29BB3999.1 -p 50 -j rule2_branch $IPTABLES -t mangle -A Cid464C29BB3999.1 -p ah -j rule2_branch $IPTABLES -N Cid464C29BB3999.2 -t mangle $IPTABLES -t mangle -A FORWARD -s ! 
192.168.1.0/24 -j Cid464C29BB3999.2 $IPTABLES -t mangle -A Cid464C29BB3999.2 -p 50 -j rule2_branch $IPTABLES -t mangle -A Cid464C29BB3999.2 -p ah -j rule2_branch # # Rule 10 (eth1) # echo "Rule 10 (eth1)" # $IPTABLES -N rule3_branch -t mangle $IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -j rule3_branch $IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -j rule3_branch $IPTABLES -t mangle -A FORWARD -i eth1 -p 50 -j rule3_branch $IPTABLES -t mangle -A FORWARD -i eth1 -p ah -j rule3_branch # # Rule 11 (eth1) # echo "Rule 11 (eth1)" # $IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -j rule3_branch $IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -j rule3_branch $IPTABLES -t mangle -A FORWARD -o eth1 -p 50 -j rule3_branch $IPTABLES -t mangle -A FORWARD -o eth1 -p ah -j rule3_branch # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -N rule4_branch -t mangle $IPTABLES -t mangle -A PREROUTING -p tcp -m tcp -d 192.168.2.10 --dport 80 -j rule4_branch $IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp -d 192.168.2.10 --dport 80 -j rule4_branch $IPTABLES -t mangle -A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 80 -j rule4_branch # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -N rule5_branch -t mangle $IPTABLES -t mangle -A PREROUTING -s 192.168.1.0/24 -j rule5_branch $IPTABLES -t mangle -A POSTROUTING -s 192.168.1.0/24 -j rule5_branch $IPTABLES -t mangle -A FORWARD -s 192.168.1.0/24 -j rule5_branch # ================ Table 'filter', rule set rule_4_0_branch # # Rule rule_4_0_branch 0 (eth2) # echo "Rule rule_4_0_branch 0 (eth2)" # $IPTABLES -N rule_4_0_branch $IPTABLES -A rule_4_0_branch -o eth2 -m state --state NEW -j ACCEPT # # Rule rule_4_0_branch 1 (global) # echo "Rule rule_4_0_branch 1 (global)" # $IPTABLES -N rule_4_0_branch_1 $IPTABLES -A rule_4_0_branch -j rule_4_0_branch_1 $IPTABLES -A rule_4_0_branch_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A rule_4_0_branch_1 -j DROP # ================ Table 'filter', rule set 
rule_4_1_branch # # Rule rule_4_1_branch 0 (eth2) # echo "Rule rule_4_1_branch 0 (eth2)" # $IPTABLES -N rule_4_1_branch $IPTABLES -A rule_4_1_branch -o eth2 -m state --state NEW -j ACCEPT # # Rule rule_4_1_branch 1 (global) # echo "Rule rule_4_1_branch 1 (global)" # $IPTABLES -N rule_4_1_branch_1 $IPTABLES -A rule_4_1_branch -j rule_4_1_branch_1 $IPTABLES -A rule_4_1_branch_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A rule_4_1_branch_1 -j DROP # ================ Table 'filter', rule set rule0_branch # # Rule rule0_branch 0 (global) # echo "Rule rule0_branch 0 (global)" # $IPTABLES -N rule0_branch $IPTABLES -N rule0_branch_0 $IPTABLES -A rule0_branch -m state --state NEW -j rule0_branch_0 $IPTABLES -A rule0_branch_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT " $IPTABLES -A rule0_branch_0 -j ACCEPT # ================ Table 'filter', rule set rule1_branch # # Rule rule1_branch 0 (global) # echo "Rule rule1_branch 0 (global)" # $IPTABLES -N rule1_branch $IPTABLES -N rule1_branch_0 $IPTABLES -A rule1_branch -d 192.168.2.10 -j rule1_branch_0 $IPTABLES -A rule1_branch_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A rule1_branch_0 -j DROP # # Rule rule1_branch 1 (global) # echo "Rule rule1_branch 1 (global)" # $IPTABLES -A rule1_branch -m state --state NEW -j ACCEPT # ================ Table 'filter', rule set rule2_branch # # Rule rule2_branch 0 (global) # echo "Rule rule2_branch 0 (global)" # $IPTABLES -N rule2_branch $IPTABLES -N rule2_branch_0 $IPTABLES -A rule2_branch -d ! 
192.168.2.10 -j rule2_branch_0 $IPTABLES -A rule2_branch_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A rule2_branch_0 -j DROP # # Rule rule2_branch 1 (global) # echo "Rule rule2_branch 1 (global)" # $IPTABLES -A rule2_branch -s 222.222.222.0/24 -d 192.168.2.10 -m state --state NEW -j ACCEPT # # Rule rule2_branch 2 (global) # echo "Rule rule2_branch 2 (global)" # $IPTABLES -N rule2_branch_2 $IPTABLES -A rule2_branch -j rule2_branch_2 $IPTABLES -A rule2_branch_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY " $IPTABLES -A rule2_branch_2 -j DROP # ================ Table 'filter', rule set rule3_branch # # Rule rule3_branch 0 (eth1) # echo "Rule rule3_branch 0 (eth1)" # $IPTABLES -N rule3_branch $IPTABLES -A rule3_branch -i eth1 -d 22.22.23.22 -m state --state NEW -j ACCEPT $IPTABLES -A rule3_branch -i eth1 -d 192.168.1.22 -m state --state NEW -j ACCEPT $IPTABLES -A rule3_branch -i eth1 -d 192.168.2.1 -m state --state NEW -j ACCEPT # # Rule rule3_branch 1 (global) # echo "Rule rule3_branch 1 (global)" # $IPTABLES -N rule3_branch_1 $IPTABLES -A rule3_branch -j rule3_branch_1 $IPTABLES -A rule3_branch_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A rule3_branch_1 -j DROP # ================ Table 'filter', rule set rule4_branch # # Rule rule4_branch 0 (eth1) # echo "Rule rule4_branch 0 (eth1)" # $IPTABLES -N rule4_branch $IPTABLES -N In_rule4_branch_0 $IPTABLES -A rule4_branch -i eth1 -j In_rule4_branch_0 $IPTABLES -A In_rule4_branch_0 -j LOG --log-level info --log-prefix "RULE 0 -- BRANCH " $IPTABLES -A In_rule4_branch_0 -j rule_4_0_branch # # Rule rule4_branch 1 (eth0) # echo "Rule rule4_branch 1 (eth0)" # $IPTABLES -N In_rule4_branch_1 $IPTABLES -A rule4_branch -i eth0 -j In_rule4_branch_1 $IPTABLES -A In_rule4_branch_1 -j LOG --log-level info --log-prefix "RULE 1 -- BRANCH " $IPTABLES -A In_rule4_branch_1 -j rule_4_1_branch # ================ Table 'filter', rule set rule6_branch # # Rule rule6_branch 0 (global) # 
echo "Rule rule6_branch 0 (global)" # $IPTABLES -N rule6_branch $IPTABLES -N Policy $IPTABLES -A rule6_branch -j Policy # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A OUTPUT -p 50 -j rule0_branch $IPTABLES -A OUTPUT -p ah -j rule0_branch $IPTABLES -A INPUT -p 50 -j rule0_branch $IPTABLES -A INPUT -p ah -j rule0_branch $IPTABLES -A FORWARD -p 50 -j rule0_branch $IPTABLES -A FORWARD -p ah -j rule0_branch # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A OUTPUT -p 50 -j RULE_1 $IPTABLES -A OUTPUT -p ah -j RULE_1 $IPTABLES -A INPUT -p 50 -j RULE_1 $IPTABLES -A INPUT -p ah -j RULE_1 $IPTABLES -A FORWARD -p 50 -j RULE_1 $IPTABLES -A FORWARD -p ah -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- BRANCH " $IPTABLES -A RULE_1 -j rule1_branch # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N Cid445DA31230753.0 $IPTABLES -A OUTPUT -s ! 192.168.1.0/24 -j Cid445DA31230753.0 $IPTABLES -N RULE_2 $IPTABLES -A Cid445DA31230753.0 -p 50 -j RULE_2 $IPTABLES -A Cid445DA31230753.0 -p ah -j RULE_2 $IPTABLES -N Cid445DA31230753.1 $IPTABLES -A INPUT -s ! 192.168.1.0/24 -j Cid445DA31230753.1 $IPTABLES -A Cid445DA31230753.1 -p 50 -j RULE_2 $IPTABLES -A Cid445DA31230753.1 -p ah -j RULE_2 $IPTABLES -N Cid445DA31230753.2 $IPTABLES -A OUTPUT -s ! 192.168.1.0/24 -j Cid445DA31230753.2 $IPTABLES -A Cid445DA31230753.2 -p 50 -j RULE_2 $IPTABLES -A Cid445DA31230753.2 -p ah -j RULE_2 $IPTABLES -N Cid445DA31230753.3 $IPTABLES -A FORWARD -s ! 
192.168.1.0/24 -j Cid445DA31230753.3 $IPTABLES -A Cid445DA31230753.3 -p 50 -j RULE_2 $IPTABLES -A Cid445DA31230753.3 -p ah -j RULE_2 $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- BRANCH " $IPTABLES -A RULE_2 -j rule2_branch # # Rule 3 (eth1) # echo "Rule 3 (eth1)" # $IPTABLES -A INPUT -i eth1 -p 50 -j rule3_branch $IPTABLES -A INPUT -i eth1 -p ah -j rule3_branch $IPTABLES -A FORWARD -i eth1 -p 50 -j rule3_branch $IPTABLES -A FORWARD -i eth1 -p ah -j rule3_branch # # Rule 4 (eth1) # echo "Rule 4 (eth1)" # $IPTABLES -A OUTPUT -o eth1 -p 50 -j rule3_branch $IPTABLES -A OUTPUT -o eth1 -p ah -j rule3_branch $IPTABLES -A FORWARD -o eth1 -p 50 -j rule3_branch $IPTABLES -A FORWARD -o eth1 -p ah -j rule3_branch # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.2.10 --dport 80 -j rule4_branch $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 80 -j rule4_branch # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N rule5_branch $IPTABLES -A INPUT -s 192.168.1.0/24 -j rule5_branch $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j rule5_branch $IPTABLES -A FORWARD -s 192.168.1.0/24 -j rule5_branch # # Rule 7 (global) # echo "Rule 7 (global)" # # green rules branch # also in mangle table $IPTABLES -A OUTPUT -p 50 -j rule0_branch $IPTABLES -A OUTPUT -p ah -j rule0_branch $IPTABLES -A INPUT -p 50 -j rule0_branch $IPTABLES -A INPUT -p ah -j rule0_branch $IPTABLES -A FORWARD -p 50 -j rule0_branch $IPTABLES -A FORWARD -p ah -j rule0_branch # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -p 50 -j RULE_8 $IPTABLES -A OUTPUT -p ah -j RULE_8 $IPTABLES -A INPUT -p 50 -j RULE_8 $IPTABLES -A INPUT -p ah -j RULE_8 $IPTABLES -A FORWARD -p 50 -j RULE_8 $IPTABLES -A FORWARD -p ah -j RULE_8 $IPTABLES -A RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- BRANCH " $IPTABLES -A RULE_8 -j rule1_branch # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N Cid464C29BB3999.0 $IPTABLES 
-A OUTPUT -s ! 192.168.1.0/24 -j Cid464C29BB3999.0 $IPTABLES -N RULE_9 $IPTABLES -A Cid464C29BB3999.0 -p 50 -j RULE_9 $IPTABLES -A Cid464C29BB3999.0 -p ah -j RULE_9 $IPTABLES -N Cid464C29BB3999.1 $IPTABLES -A INPUT -s ! 192.168.1.0/24 -j Cid464C29BB3999.1 $IPTABLES -A Cid464C29BB3999.1 -p 50 -j RULE_9 $IPTABLES -A Cid464C29BB3999.1 -p ah -j RULE_9 $IPTABLES -N Cid464C29BB3999.2 $IPTABLES -A OUTPUT -s ! 192.168.1.0/24 -j Cid464C29BB3999.2 $IPTABLES -A Cid464C29BB3999.2 -p 50 -j RULE_9 $IPTABLES -A Cid464C29BB3999.2 -p ah -j RULE_9 $IPTABLES -N Cid464C29BB3999.3 $IPTABLES -A FORWARD -s ! 192.168.1.0/24 -j Cid464C29BB3999.3 $IPTABLES -A Cid464C29BB3999.3 -p 50 -j RULE_9 $IPTABLES -A Cid464C29BB3999.3 -p ah -j RULE_9 $IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- BRANCH " $IPTABLES -A RULE_9 -j rule2_branch # # Rule 10 (eth1) # echo "Rule 10 (eth1)" # $IPTABLES -A INPUT -i eth1 -p 50 -j rule3_branch $IPTABLES -A INPUT -i eth1 -p ah -j rule3_branch $IPTABLES -A FORWARD -i eth1 -p 50 -j rule3_branch $IPTABLES -A FORWARD -i eth1 -p ah -j rule3_branch # # Rule 11 (eth1) # echo "Rule 11 (eth1)" # $IPTABLES -A OUTPUT -o eth1 -p 50 -j rule3_branch $IPTABLES -A OUTPUT -o eth1 -p ah -j rule3_branch $IPTABLES -A FORWARD -o eth1 -p 50 -j rule3_branch $IPTABLES -A FORWARD -o eth1 -p ah -j rule3_branch # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.2.10 --dport 80 -j rule4_branch $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 80 -j rule4_branch # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -j rule5_branch $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j rule5_branch $IPTABLES -A FORWARD -s 192.168.1.0/24 -j rule5_branch # # Rule 14 (global) # echo "Rule 14 (global)" # # testing loop in branching rules $IPTABLES -A INPUT -s 192.168.1.0/24 -j rule6_branch $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j rule6_branch $IPTABLES -A FORWARD -s 192.168.1.0/24 -j rule6_branch # # Rule 15 
(global) # echo "Rule 15 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -j TCPMSS --set-mss 1400 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j TCPMSS --set-mss 1400 $IPTABLES -A FORWARD -s 192.168.1.0/24 -j TCPMSS --set-mss 1400 # # Rule 16 (global) # echo "Rule 16 (global)" # $IPTABLES -N RULE_16 $IPTABLES -A INPUT -s 222.222.222.0/24 -j RULE_16 $IPTABLES -A FORWARD -s 222.222.222.0/24 -j RULE_16 $IPTABLES -A RULE_16 -j LOG --log-level info --log-prefix "RULE 16 -- CUSTOM " $IPTABLES -A RULE_16 -j TARPIT # # Rule 17 (global) # echo "Rule 17 (global)" # $IPTABLES -N RULE_17 $IPTABLES -A OUTPUT -j RULE_17 $IPTABLES -A INPUT -j RULE_17 $IPTABLES -A FORWARD -j RULE_17 $IPTABLES -A RULE_17 -j LOG --log-level info --log-prefix "RULE 17 -- DENY " $IPTABLES -A RULE_17 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:49 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? 
;;
    block)
        block_action
        RETVAL=$?
    ;;
    reload)
        # NOTE(review): "stop" leaves ACCEPT policies with empty chains, so
        # between these two commands the host filters nothing.
        $0 stop
        $0 start
        RETVAL=$?
    ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
    ;;
    test_interfaces)
        # FWBDEBUG="echo" makes the ip commands in the address helpers
        # print instead of run, so this is a dry run.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
    ;;
    *)
        # RETVAL is never set on this path, so the exit below is a bare
        # "exit" and reports the status of the echo.
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
    ;;
esac

exit $RETVALfwbuilder-5.3.7/test/ipt/firewall4.fw.orig000077500000000000000000000561331303637203600204700ustar00rootroot00000000000000#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:16:50 2012 PDT by vadim
#
# files: * firewall4.fw /etc/fw/firewall4.fw
#
# Compiled for iptables (any version)
#
# this object is used to test a configuration where firewall has dynamic address
# firewall4::: error: Dynamic interface eth1 should not have an IP address object attached to it. This IP address object will be ignored.

# Empty except in test_interfaces mode, where it is set to "echo" so the
# address-changing ip commands are printed instead of executed.
FWBDEBUG=""

# System directories first; the inherited PATH is kept after them. The
# tools below are nevertheless referenced by absolute path.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print a message and, when the logger binary can be found, also send it
# to syslog at priority info.
# Arguments: $1 - message
log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# Turn an interface name into a name usable in a shell variable: the
# first '.' (VLAN sub-interface) becomes '_'. Only the first dot is
# replaced because the sed expression has no 'g' flag.
# Arguments: $1 - interface name
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# Collect the addresses of a device into a shell variable.
# Arguments: $1 - device name
#            $2 - base name of the variable to set
#            $3 - address family flag passed to ip ("-4" or "-6")
# Sets ${2}_list to the whitespace-separated addresses (prefix length and
# any "peer ..." suffix stripped). When the device has no address of that
# family, sets ${2} itself to the empty string instead and returns.
# The values come from ip(8) and are spliced into an eval, so this relies
# on $2 being a fixed name chosen by the generator.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Like getaddr_internal, but for the directly connected networks of a
# device: kernel-installed routes ("proto kernel") minus the default
# route, with everything after the first space dropped. The device name
# is matched with an unanchored grep. $3 is accepted for symmetry but is
# not used in the ip command.
# Arguments: $1 - device name, $2 - variable base name, $3 - family flag
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Wrappers that fix the address family.
getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
# Arguments: $1 - interface name prefix (e.g. "eth" for the wildcard eth+)
# Prints one matching interface name per line, taken from the "ip link
# show" lines that contain ": $NAME" and split on ' ' and ':'.
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# Call $func for every element of list1 that does not occur in list2.
# Arguments: $1 - function invoked as "$func <item> <cmd>"
#            $2 - reference list (whitespace separated)
#            $3 - list to compare against
#            $4 - extra argument handed to $func (here "add" or "del")
# NOTE(review): membership is tested with an unanchored, non-fixed-string
# grep, so an item also counts as present when it is a substring of, or
# a regex match for, some element of list2.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        echo $list2 | grep -q $intf || {
            # $vlan is absent in list 2
            $func $intf $cmd
        }
    done
}

# Exit with status 1 unless $1 can be located with which.
# Arguments: $1 - program name or path
find_program() {
    PGM=$1
    which $PGM >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# Make sure the tools the start sequence depends on are present; "which"
# is checked first because find_program itself relies on it.
check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $IP
}

# Return the IPv4 tables to an empty state with DROP default policies.
# The policies are set before anything is flushed, so the host is never
# left open while the old ruleset is being removed. Every chain of every
# table listed in /proc/net/ip_tables_names is then flushed and the
# user-defined chains are deleted.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t $table -L -n | while read c chain rest; do
            # listing lines that start with "Chain" name a chain
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

# IPv6 counterpart of reset_iptables_v4, driven by /proc/net/ip6_tables_names.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP

    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t $table -F $chain
            fi
        done
        $IP6TABLES -t $table -X
    done
}

# Set to "yes" once the point-to-point warning has been printed, so it
# is only shown once per run.
P2P_INTERFACE_WARNING=""

# Add or remove one address on one interface.
# Arguments: $1 - "<address>@<interface>" (the format produced by
#                 list_addresses_by_scope / update_addresses_of_interface)
#            $2 - "add" or "del"
# Point-to-point interfaces are skipped with a one-time warning. For an
# address containing ':' (IPv6) no broadcast is given; otherwise the
# kernel computes it ("broadcast +"). A failed delete aborts the script.
# The interface is brought up at the end in either case. Every ip
# command is prefixed with $FWBDEBUG, so in test_interfaces mode it is
# echoed instead of executed.
missing_address() {
    address=$1
    cmd=$2

    # split "<addr>@<interface>" on the '@'
    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS

    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }

    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        echo $addr | grep -q ':' && {
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        } || {
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        }
    }

    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }

    $FWBDEBUG $IP link set $interface up
}

# Print the addresses currently configured on an interface, one per
# line as "<address>@<interface>", sorted.
# Arguments: $1 - interface name
#            $2 - awk regex matched against the whole "ip addr" line,
#                 e.g. 'scope global' or 'scope .*'
#            $3 - whitespace-separated addresses to leave out
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read addr; do
            echo "${addr}@$interface"
        done | sort
}

# Bring the addresses of one interface in line with the configuration.
# Arguments: $1 - "<interface> <addr/prefix> ..." as a single string
#            $2 - addresses to ignore (handed to list_addresses_by_scope)
# Configured addresses missing from the interface (any scope) are added;
# global-scope addresses present on the interface but not configured are
# removed, so link/host scope addresses are never deleted. A missing
# interface aborts the script unless FWBDEBUG is set (test mode).
update_addresses_of_interface() {
    ignore_list=$2
    set $1
    interface=$1
    shift

    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )

    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""

    $IP link show dev $interface >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    }

    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush the global-scope addresses of, and bring down, every interface
# that is not named in the arguments. Interface names are taken from the
# "ip link show" lines that contain "state".
# Arguments: $* - interface names to leave untouched
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
        while read intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev $intf scope global
            $FWBDEBUG $IP link set $intf down
done
}

# Abort unless the file backing a run-time address table is readable.
# Arguments: $1 - name of the address table object (used in the message)
#            $2 - path of the file that must exist
# Exits with status 1 on failure.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# Hook for run-time address tables; none in this configuration.
check_run_time_address_table_files() {
    :
}

# Module loading hook; empty here, although the start branch still
# passes it the "nat " option string.
load_modules() {
    :
}

# Interface verification hook; empty in this configuration.
verify_interfaces() {
    :
}

# User prolog hook; only prints a marker here.
prolog_commands() {
    echo "Running prolog script"
}

# User epilog hook; only prints a marker here.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog hook and exit with the given status.
# Arguments: $1 - exit status
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Apply the configured addresses to the static interfaces and read the
# run-time addresses of eth1, which the file header describes as dynamic.
# The getaddr/getnet calls populate i_eth1_list, i_eth1_v6_list,
# i_eth1_network_list and i_eth1_v6_network_list for use by the rules.
configure_interfaces() {
    :
    # Configure interfaces
    # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689
    # this ensures that secondary ip address is "promoted" to primary
    # when primary address is deleted, instead of deleting both
    # primary and secondary addresses. It looks like this is only
    # available starting from Linux 2.6.16
    test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \
        echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries
    update_addresses_of_interface "eth0 192.168.1.1/24" ""
    update_addresses_of_interface "eth2 192.168.2.1/24" ""
    update_addresses_of_interface "lo 127.0.0.1/8" ""
    update_addresses_of_interface "eth3 222.222.222.222/24 222.222.222.40/24 222.222.222.41/24" ""
    getaddr eth1 i_eth1
    getaddr6 eth1 i_eth1_v6
    getnet eth1 i_eth1_network
    getnet6 eth1 i_eth1_v6_network
}

# Install the generated ruleset. Called after reset_all, so the tables
# are empty with DROP policies when these rules are appended.
script_body() {
    # sysctl settings requested in the firewall object
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

    # ================ IPv4

    # ================ Table 'nat', rule set NAT
    # 
    # Rule 0 (NAT)
    # 
    echo "Rule 0 (NAT)"
    # 
    # Source NAT for 192.168.1.10: MASQUERADE on the dynamic eth1, fixed
    # SNAT addresses on the static interfaces.
    $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.10 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.10 -j SNAT --to-source 192.168.2.1
    $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.10 -j SNAT --to-source 222.222.222.222
    # 
    # Rule 1 (NAT)
    # 
    echo "Rule 1 (NAT)"
    # 
    # "eth+" is the iptables wildcard for every interface named eth*.
    $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 222.222.222.40
    $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 222.222.222.41
    # 
    # Rule 2 (NAT)
    # 
    echo "Rule 2 (NAT)"
    # 
    $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source
222.222.222.40 $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 222.222.222.41 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 192.168.2.0/24 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -d ! 192.168.2.0/24 -j SNAT --to-source 222.222.222.222 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -t nat -A POSTROUTING -o eth1 -s $i_eth1 -j MASQUERADE done $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.1 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.2.1 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o eth1 -s 222.222.222.222 -j MASQUERADE # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $i_eth1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 done $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 22 -j DNAT --to-destination 192.168.1.10:22 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $i_eth1 --dport 22 -j DNAT --to-destination 192.168.1.10:22 done # ================ Table 'filter', rule set Policy # # Rule 0 (eth1) # echo "Rule 0 (eth1)" # # Anti-spoofing rule $IPTABLES -N In_RULE_0 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A INPUT -i eth1 -s $i_eth1 -j In_RULE_0 done $IPTABLES -A INPUT -i eth1 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 192.168.2.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 222.222.222.222 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 
192.168.1.0/24 -j In_RULE_0 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A FORWARD -i eth1 -s $i_eth1 -j In_RULE_0 done $IPTABLES -A FORWARD -i eth1 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.2.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 222.222.222.222 -j In_RULE_0 $IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A In_RULE_0 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (eth1) # echo "Rule 1 (eth1)" # # Anti-spoofing rule $IPTABLES -N Cid3B0C63EB.0 $IPTABLES -A OUTPUT -o eth1 -j Cid3B0C63EB.0 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A Cid3B0C63EB.0 -s $i_eth1 -j RETURN done $IPTABLES -A Cid3B0C63EB.0 -s 192.168.1.1 -j RETURN $IPTABLES -A Cid3B0C63EB.0 -s 192.168.2.1 -j RETURN $IPTABLES -A Cid3B0C63EB.0 -s 222.222.222.222 -j RETURN $IPTABLES -N Out_RULE_1_3 $IPTABLES -A Cid3B0C63EB.0 -j Out_RULE_1_3 $IPTABLES -A Out_RULE_1_3 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A Out_RULE_1_3 -j DROP $IPTABLES -N Cid3B0C63EB.1 $IPTABLES -A FORWARD -o eth1 -j Cid3B0C63EB.1 $IPTABLES -A Cid3B0C63EB.1 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid3B0C63EB.1 -j Out_RULE_1_3 # # Rule 2 (eth1) # echo "Rule 2 (eth1)" # $IPTABLES -N In_RULE_2 $IPTABLES -A INPUT -i eth1 -p icmp -m icmp -s ! 192.168.2.0/24 --icmp-type 8/0 -j In_RULE_2 $IPTABLES -A FORWARD -i eth1 -p icmp -m icmp -s ! 192.168.2.0/24 --icmp-type 8/0 -j In_RULE_2 $IPTABLES -A In_RULE_2 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A In_RULE_2 -j DROP $IPTABLES -N Out_RULE_2 $IPTABLES -A OUTPUT -o eth1 -p icmp -m icmp -s ! 192.168.2.0/24 --icmp-type 8/0 -j Out_RULE_2 $IPTABLES -A FORWARD -o eth1 -p icmp -m icmp -s ! 
192.168.2.0/24 --icmp-type 8/0 -j Out_RULE_2 $IPTABLES -A Out_RULE_2 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A Out_RULE_2 -j DROP # # Rule 3 (eth1) # echo "Rule 3 (eth1)" # $IPTABLES -N Cid3E49FEF2.0 $IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid3E49FEF2.0 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A Cid3E49FEF2.0 -d $i_eth1 -j ACCEPT done $IPTABLES -A Cid3E49FEF2.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3E49FEF2.0 -d 192.168.2.1 -j ACCEPT $IPTABLES -A Cid3E49FEF2.0 -d 222.222.222.222 -j ACCEPT # # Rule 4 (eth1) # echo "Rule 4 (eth1)" # $IPTABLES -N In_RULE_4 $IPTABLES -A INPUT -i eth1 -p icmp -m icmp --icmp-type 8/0 -j In_RULE_4 $IPTABLES -A FORWARD -i eth1 -p icmp -m icmp --icmp-type 8/0 -j In_RULE_4 $IPTABLES -A In_RULE_4 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A In_RULE_4 -j DROP $IPTABLES -N Out_RULE_4 $IPTABLES -A OUTPUT -o eth1 -p icmp -m icmp --icmp-type 8/0 -j Out_RULE_4 $IPTABLES -A FORWARD -o eth1 -p icmp -m icmp --icmp-type 8/0 -j Out_RULE_4 $IPTABLES -A Out_RULE_4 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A Out_RULE_4 -j DROP # # Rule 5 (global) # echo "Rule 5 (global)" # # OUTPUT $IPTABLES -N Cid469EDB0514508.0 $IPTABLES -A OUTPUT -d 1.1.1.1 -j Cid469EDB0514508.0 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A Cid469EDB0514508.0 -s $i_eth1 -j ACCEPT done $IPTABLES -A Cid469EDB0514508.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid469EDB0514508.0 -s 192.168.2.1 -j ACCEPT $IPTABLES -A Cid469EDB0514508.0 -s 222.222.222.222 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # INTPUT with "-i +" # the "-i +" option is redundant if chain is INPUT, # it should be removed by optimization $IPTABLES -N Cid469F02B014773.0 $IPTABLES -A INPUT -s 1.1.1.1 -j Cid469F02B014773.0 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A Cid469F02B014773.0 -d $i_eth1 -j ACCEPT done $IPTABLES -A 
Cid469F02B014773.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid469F02B014773.0 -d 192.168.2.1 -j ACCEPT $IPTABLES -A Cid469F02B014773.0 -d 222.222.222.222 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # # OUTPUT + FORWARD $IPTABLES -A OUTPUT -d 1.1.1.1 -j ACCEPT $IPTABLES -A FORWARD -o + -d 1.1.1.1 -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # # INPUT + FORWARD $IPTABLES -A INPUT -s 1.1.1.1 -j ACCEPT $IPTABLES -A FORWARD -i + -s 1.1.1.1 -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # # OUTPUT + FORWARD $IPTABLES -A OUTPUT -d 1.1.1.1 -j ACCEPT $IPTABLES -A FORWARD -d 1.1.1.1 -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # # INPUT + FORWARD $IPTABLES -A INPUT -s 1.1.1.1 -j ACCEPT $IPTABLES -A FORWARD -s 1.1.1.1 -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -N Cid3B0C63B4.1 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid3B0C63B4.1 $IPTABLES -N Cid3B0C63B4.0 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A Cid3B0C63B4.1 -d $i_eth1 -j Cid3B0C63B4.0 done $IPTABLES -A Cid3B0C63B4.1 -d 192.168.1.1 -j Cid3B0C63B4.0 $IPTABLES -A Cid3B0C63B4.1 -d 192.168.2.1 -j Cid3B0C63B4.0 $IPTABLES -A Cid3B0C63B4.1 -d 222.222.222.222 -j Cid3B0C63B4.0 $IPTABLES -N Cid3B0C63B4.2 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid3B0C63B4.2 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A Cid3B0C63B4.2 -d $i_eth1 -j Cid3B0C63B4.0 done $IPTABLES -A Cid3B0C63B4.2 -d 192.168.1.1 -j Cid3B0C63B4.0 $IPTABLES -A Cid3B0C63B4.2 -d 192.168.2.1 -j Cid3B0C63B4.0 $IPTABLES -A Cid3B0C63B4.2 -d 222.222.222.222 -j Cid3B0C63B4.0 $IPTABLES -A Cid3B0C63B4.0 -s 192.168.1.10 -j RETURN $IPTABLES -A Cid3B0C63B4.0 -s 192.168.1.20 -j RETURN $IPTABLES -N RULE_11_3 $IPTABLES -A Cid3B0C63B4.0 -j RULE_11_3 $IPTABLES -A RULE_11_3 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A RULE_11_3 -j DROP # # Rule 12 (global) # echo "Rule 12 (global)" # # testing negation in the policy rule $IPTABLES -N 
Cid3B0C63A9.0 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid3B0C63A9.0 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid3B0C63A9.0 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid3B0C63A9.0 $IPTABLES -A Cid3B0C63A9.0 -s 192.168.1.10 -j RETURN $IPTABLES -A Cid3B0C63A9.0 -s 192.168.1.20 -j RETURN $IPTABLES -N RULE_12_3 $IPTABLES -A Cid3B0C63A9.0 -j RULE_12_3 $IPTABLES -A RULE_12_3 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A RULE_12_3 -j DROP # # Rule 13 (global) # echo "Rule 13 (global)" # # testing negation in service field $IPTABLES -N Cid3B0C63BF.1 $IPTABLES -A OUTPUT -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j Cid3B0C63BF.1 $IPTABLES -N Cid3B0C63BF.0 $IPTABLES -A Cid3B0C63BF.1 -d 192.168.1.10 -j Cid3B0C63BF.0 $IPTABLES -A Cid3B0C63BF.1 -d 192.168.1.20 -j Cid3B0C63BF.0 $IPTABLES -N Cid3B0C63BF.2 $IPTABLES -A FORWARD -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j Cid3B0C63BF.2 $IPTABLES -A Cid3B0C63BF.2 -d 192.168.1.10 -j Cid3B0C63BF.0 $IPTABLES -A Cid3B0C63BF.2 -d 192.168.1.20 -j Cid3B0C63BF.0 $IPTABLES -A Cid3B0C63BF.0 -p tcp -m tcp -m multiport --dports 25,22 -j RETURN $IPTABLES -N RULE_13_3 $IPTABLES -A Cid3B0C63BF.0 -j RULE_13_3 $IPTABLES -A RULE_13_3 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A RULE_13_3 -j DROP # # Rule 14 (global) # echo "Rule 14 (global)" # $IPTABLES -N RULE_14 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 25 -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j RULE_14 $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.1.10 --dport 25 -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j RULE_14 $IPTABLES -A RULE_14 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A RULE_14 -j DROP # # Rule 15 (global) # echo "Rule 15 (global)" # # should permit access to all # addresses that belong to # the firewall, but not to those # that are used in NAT rules # and are added as virtual # 
addresses $IPTABLES -N Cid3E4DD6AD.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 25 -m state --state NEW -j Cid3E4DD6AD.0 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A Cid3E4DD6AD.0 -d $i_eth1 -j ACCEPT done $IPTABLES -A Cid3E4DD6AD.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3E4DD6AD.0 -d 192.168.2.1 -j ACCEPT $IPTABLES -A Cid3E4DD6AD.0 -d 222.222.222.222 -j ACCEPT $IPTABLES -N Cid3E4DD6AD.1 $IPTABLES -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j Cid3E4DD6AD.1 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A Cid3E4DD6AD.1 -d $i_eth1 -j ACCEPT done $IPTABLES -A Cid3E4DD6AD.1 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3E4DD6AD.1 -d 192.168.2.1 -j ACCEPT $IPTABLES -A Cid3E4DD6AD.1 -d 222.222.222.222 -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # # 'masquerading' rule $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # $IPTABLES -N Cid3E20A8E1.0 $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j Cid3E20A8E1.0 for i_eth1 in $i_eth1_list do test -n "$i_eth1" && $IPTABLES -A Cid3E20A8E1.0 -d $i_eth1 -j RETURN done $IPTABLES -A Cid3E20A8E1.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid3E20A8E1.0 -d 192.168.2.1 -j RETURN $IPTABLES -A Cid3E20A8E1.0 -d 222.222.222.222 -j RETURN $IPTABLES -A Cid3E20A8E1.0 -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # # 'catch all' rule $IPTABLES -N RULE_19 $IPTABLES -A OUTPUT -j RULE_19 $IPTABLES -A INPUT -j RULE_19 $IPTABLES -A FORWARD -j RULE_19 $IPTABLES -A RULE_19 -j ULOG --ulog-nlgroup 7 --ulog-cprange 64 --ulog-qthreshold 1 $IPTABLES -A RULE_19 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { 
reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:50 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall40-1.fw.orig000077500000000000000000000313051303637203600207000ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:51 2012 PDT by vadim # # files: * firewall40-1.fw /etc/firewall40-1.fw # # Compiled for iptables 1.4.0 # # more complex and realistic combination of Tag and Route rules that are in the separate Policy rule set # firewall40-1:Policy_1:3: error: Option Route is deprecated. 
You can use Custom Action to generate iptables command using '-j ROUTE' target if it is supported by your firewall OS # firewall40-1:Policy_1:4: error: Option Route is deprecated. You can use Custom Action to generate iptables command using '-j ROUTE' target if it is supported by your firewall OS FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 lo eth2 eth1" for i in eth0 lo eth2 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.0.2.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth2 192.0.100.1/24" "" update_addresses_of_interface "eth1 192.168.1.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # # Translate source address # 
for outgoing connections $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 192.0.2.1 # ================ Table 'mangle', rule set Policy_1 # # Rule Policy_1 0 (eth0) # echo "Rule Policy_1 0 (eth0)" # $IPTABLES -N Policy_1 -t mangle $IPTABLES -t mangle -A Policy_1 -i eth0 -m state --state NEW -j MARK --set-mark 1 $IPTABLES -t mangle -A Policy_1 -i eth0 -m state --state NEW -j CONNMARK --save-mark # # Rule Policy_1 1 (eth2) # echo "Rule Policy_1 1 (eth2)" # $IPTABLES -t mangle -A Policy_1 -i eth2 -m state --state NEW -j MARK --set-mark 2 $IPTABLES -t mangle -A Policy_1 -i eth2 -m state --state NEW -j CONNMARK --save-mark # # Rule Policy_1 6 (global) # echo "Rule Policy_1 6 (global)" # $IPTABLES -N Cid55038X29165.0 -t mangle $IPTABLES -t mangle -A Policy_1 -s 192.168.1.0/24 -m state --state NEW -j Cid55038X29165.0 $IPTABLES -t mangle -A Cid55038X29165.0 -d 22.22.22.0/24 -j MARK --set-mark 8 $IPTABLES -t mangle -A Cid55038X29165.0 -d 33.33.33.0/24 -j MARK --set-mark 8 # ================ Table 'filter', rule set Policy_1 # # Rule Policy_1 2 (global) # echo "Rule Policy_1 2 (global)" # # This permits access from internal net # to the Internet and DMZ $IPTABLES -N Policy_1 $IPTABLES -A Policy_1 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule Policy_1 5 (global) # echo "Rule Policy_1 5 (global)" # $IPTABLES -N Policy_1_5 $IPTABLES -A Policy_1 -j Policy_1_5 $IPTABLES -A Policy_1_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY " $IPTABLES -A Policy_1_5 -j DROP # # Rule Policy_1 6 (global) # echo "Rule Policy_1 6 (global)" # $IPTABLES -N Cid55038X29165.0 $IPTABLES -A Policy_1 -s 192.168.1.0/24 -m state --state NEW -j Cid55038X29165.0 $IPTABLES -A Cid55038X29165.0 -d 22.22.22.0/24 -j LOG --log-level info --log-prefix "RULE 6 -- CONTINUE " $IPTABLES -A Cid55038X29165.0 -d 33.33.33.0/24 -j LOG --log-level info --log-prefix "RULE 6 -- CONTINUE " # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 
(global)" # # any rule here to make top Policy ruleset non-empty $IPTABLES -N RULE_0 $IPTABLES -A OUTPUT -j RULE_0 $IPTABLES -A INPUT -j RULE_0 $IPTABLES -A FORWARD -j RULE_0 $IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A RULE_0 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:51 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall40-2.fw.orig000077500000000000000000000305031303637203600207000ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:52 2012 PDT by vadim # # files: * firewall40-2.fw /etc/firewall40-2.fw # # Compiled for iptables 1.4.0 # # more complex and realistic combination of Tag and Route rules that are in the separate Policy rule set. Here the top Policy rule set is empty # firewall40-2:Policy_1:3: error: Option Route is deprecated. You can use Custom Action to generate iptables command using '-j ROUTE' target if it is supported by your firewall OS # firewall40-2:Policy_1:4: error: Option Route is deprecated. You can use Custom Action to generate iptables command using '-j ROUTE' target if it is supported by your firewall OS FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 lo eth2 eth1" for i in eth0 lo eth2 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.0.2.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth2 192.0.100.1/24" "" update_addresses_of_interface "eth1 192.168.1.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # # Translate source address # 
for outgoing connections $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 192.0.2.1 # ================ Table 'mangle', rule set Policy_1 # # Rule Policy_1 0 (eth0) # echo "Rule Policy_1 0 (eth0)" # $IPTABLES -N Policy_1 -t mangle $IPTABLES -t mangle -A Policy_1 -i eth0 -m state --state NEW -j MARK --set-mark 1 $IPTABLES -t mangle -A Policy_1 -i eth0 -m state --state NEW -j CONNMARK --save-mark # # Rule Policy_1 1 (eth2) # echo "Rule Policy_1 1 (eth2)" # $IPTABLES -t mangle -A Policy_1 -i eth2 -m state --state NEW -j MARK --set-mark 2 $IPTABLES -t mangle -A Policy_1 -i eth2 -m state --state NEW -j CONNMARK --save-mark # # Rule Policy_1 6 (global) # echo "Rule Policy_1 6 (global)" # $IPTABLES -N Cid55227X22068.0 -t mangle $IPTABLES -t mangle -A Policy_1 -s 192.168.1.0/24 -m state --state NEW -j Cid55227X22068.0 $IPTABLES -t mangle -A Cid55227X22068.0 -d 22.22.22.0/24 -j MARK --set-mark 8 $IPTABLES -t mangle -A Cid55227X22068.0 -d 33.33.33.0/24 -j MARK --set-mark 8 # ================ Table 'filter', rule set Policy_1 # # Rule Policy_1 2 (global) # echo "Rule Policy_1 2 (global)" # # This permits access from internal net # to the Internet and DMZ $IPTABLES -N Policy_1 $IPTABLES -A Policy_1 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule Policy_1 5 (global) # echo "Rule Policy_1 5 (global)" # $IPTABLES -N Policy_1_5 $IPTABLES -A Policy_1 -j Policy_1_5 $IPTABLES -A Policy_1_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY " $IPTABLES -A Policy_1_5 -j DROP # # Rule Policy_1 6 (global) # echo "Rule Policy_1 6 (global)" # $IPTABLES -N Cid55227X22068.0 $IPTABLES -A Policy_1 -s 192.168.1.0/24 -m state --state NEW -j Cid55227X22068.0 $IPTABLES -A Cid55227X22068.0 -d 22.22.22.0/24 -j LOG --log-level info --log-prefix "RULE 6 -- CONTINUE " $IPTABLES -A Cid55227X22068.0 -d 33.33.33.0/24 -j LOG --log-level info --log-prefix "RULE 6 -- CONTINUE " } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : 
reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:52 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall40.fw.orig000077500000000000000000000311531303637203600205430ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:50 2012 PDT by vadim # # files: * firewall40.fw /etc/firewall40.fw # # Compiled for iptables 1.4.0 # # more complex and realistic combination of Tag and Route rules # firewall40:Policy:3: error: Option Route is deprecated. 
You can use Custom Action to generate iptables command using '-j ROUTE' target if it is supported by your firewall OS # firewall40:Policy:4: error: Option Route is deprecated. You can use Custom Action to generate iptables command using '-j ROUTE' target if it is supported by your firewall OS FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 lo eth2 eth1" for i in eth0 lo eth2 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.0.2.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth2 192.0.100.1/24" "" update_addresses_of_interface "eth1 192.168.1.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # # Translate source address # 
for outgoing connections $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 192.0.2.1 # ================ Table 'mangle', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -t mangle -A PREROUTING -i eth0 -m state --state NEW -j MARK --set-mark 1 $IPTABLES -t mangle -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --save-mark # # Rule 1 (eth2) # echo "Rule 1 (eth2)" # $IPTABLES -t mangle -A PREROUTING -i eth2 -m state --state NEW -j MARK --set-mark 2 $IPTABLES -t mangle -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --save-mark # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N Cid37084X26841.0 -t mangle $IPTABLES -t mangle -A PREROUTING -s 192.168.1.0/24 -m state --state NEW -j Cid37084X26841.0 $IPTABLES -t mangle -A Cid37084X26841.0 -d 22.22.22.0/24 -j MARK --set-mark 8 $IPTABLES -t mangle -A Cid37084X26841.0 -d 33.33.33.0/24 -j MARK --set-mark 8 # ================ Table 'filter', rule set Policy # # Rule 2 (global) # echo "Rule 2 (global)" # # This permits access from internal net # to the Internet and DMZ $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -j RULE_5 $IPTABLES -A INPUT -j RULE_5 $IPTABLES -A FORWARD -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY " $IPTABLES -A RULE_5 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N Cid37084X26841.0 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j Cid37084X26841.0 $IPTABLES -A Cid37084X26841.0 -d 22.22.22.0/24 -j LOG --log-level info --log-prefix "RULE 6 -- CONTINUE " $IPTABLES -A Cid37084X26841.0 -d 33.33.33.0/24 -j LOG --log-level info --log-prefix "RULE 6 -- CONTINUE " $IPTABLES -N Cid37084X26841.1 $IPTABLES -A FORWARD -s 192.168.1.0/24 -m 
state --state NEW -j Cid37084X26841.1 $IPTABLES -A Cid37084X26841.1 -d 22.22.22.0/24 -j LOG --log-level info --log-prefix "RULE 6 -- CONTINUE " $IPTABLES -A Cid37084X26841.1 -d 33.33.33.0/24 -j LOG --log-level info --log-prefix "RULE 6 -- CONTINUE " } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:50 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall41-1.fw.orig000077500000000000000000000370501303637203600207040ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:53 2012 PDT by vadim # # files: * firewall41-1.fw /etc/firewall41-1.fw # # Compiled for iptables 1.4.1.1 # # testing run time address table objects with module set # firewall41-1::: warning: Can not add virtual address for object atbl.1 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP find_program $IPSET } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_module_ipset() { $IPSET --list > /dev/null 2>&1 || { echo "Detected an error with ipset utility :" $IPSET -V exit 1 } } reload_address_table() { addrtbl_name=$1 data_file=$2 test -z "$addrtbl_name" -o -z "$data_file" && { echo "Usage: reload_address_table address_table_object_name file_name" exit 1 } $IPSET -X tmp_fwb_set:ip -q $IPSET -X tmp_fwb_set:net -q $IPSET -N tmp_fwb_set:ip iphash $IPSET -N tmp_fwb_set:net nethash grep -Ev '^#|^;|^\s*$' $data_file | while read L ; do set $L addr=$1 if echo $addr | grep -q "/" then $IPSET -A tmp_fwb_set:net $addr else $IPSET -A tmp_fwb_set:ip $addr fi done $IPSET --list ${addrtbl_name}:ip >/dev/null || $IPSET -N ${addrtbl_name}:ip iphash $IPSET --list ${addrtbl_name}:net >/dev/null || $IPSET -N ${addrtbl_name}:net nethash $IPSET -W ${addrtbl_name}:ip tmp_fwb_set:ip $IPSET -W ${addrtbl_name}:net tmp_fwb_set:net $IPSET --list ${addrtbl_name} >/dev/null || { $IPSET -N ${addrtbl_name} setlist } $IPSET --list ${addrtbl_name} | grep -q ${addrtbl_name}:ip || { $IPSET -A ${addrtbl_name} ${addrtbl_name}:ip } $IPSET --list ${addrtbl_name} | grep -q ${addrtbl_name}:net || { $IPSET -A ${addrtbl_name} ${addrtbl_name}:net } $IPSET -X tmp_fwb_set:ip $IPSET -X tmp_fwb_set:net } add_to_address_table() { addrtbl_name=$1 data_file=$2 address=$3 test -z "$addrtbl_name" -o -z "$data_file" -o -z "$address" && { echo "Usage: add_to_address_table address_table_object_name file_name address" exit 1 } echo $address >> $data_file if echo $address | grep -q "/" then $IPSET -A ${addrtbl_name}:net $address else $IPSET -A ${addrtbl_name}:ip $address fi } remove_from_address_table() { addrtbl_name=$1 data_file=$2 address=$3 test -z "$addrtbl_name" -o -z "$data_file" -o -z "$address" && { echo "Usage: remove_from_address_table address_table_object_name file_name address" exit 1 } escaped_addr=$(echo $address | sed 's!/!\\/!') sed -i "/^ *$escaped_addr *\$/d" $data_file if echo $address | grep -q "/" then $IPSET -D ${addrtbl_name}:net $address 
else $IPSET -D ${addrtbl_name}:ip $address fi } test_address_table() { addrtbl_name=$1 address=$2 test -z "$addrtbl_name" -o -z "$address" && { echo "Usage: test_address_table address_table_object_name address" exit 1 } if echo $address | grep -q "/" then $IPSET -T ${addrtbl_name}:net $address else $IPSET -T ${addrtbl_name}:ip $address fi } load_run_time_address_table_files() { : reload_address_table "atbl.1" "addr-table-1.tbl" reload_address_table "block_these" "block-hosts.tbl" } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : check_file "atbl.1" "addr-table-1.tbl" check_file "block_these" "block-hosts.tbl" } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 1.1.1.1/24" "" update_addresses_of_interface "eth1 2.2.2.2/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m 
state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -m set --set atbl.1 src -j SNAT --to-source 1.1.1.1 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -N Cid2287813X9995.0 $IPTABLES -t nat -A POSTROUTING -o eth0 -j Cid2287813X9995.0 $IPTABLES -t nat -A Cid2287813X9995.0 -m set --set atbl.1 src -j RETURN $IPTABLES -t nat -A Cid2287813X9995.0 -j SNAT --to-source 1.1.1.1 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A PREROUTING -m set --set atbl.1 dst -j DNAT --to-destination 192.168.1.10 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A OUTPUT -m set --set atbl.1 dst -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N Cid1162747X27867.0 $IPTABLES -A INPUT -m set ! --set atbl.1 dst -m state --state NEW -j Cid1162747X27867.0 $IPTABLES -A Cid1162747X27867.0 -s 1.1.1.1 -j ACCEPT $IPTABLES -A Cid1162747X27867.0 -s 2.2.2.2 -j ACCEPT $IPTABLES -A OUTPUT -m set ! --set atbl.1 dst -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -A OUTPUT -m set ! --set atbl.1 dst -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -A OUTPUT -m set --set atbl.1 dst -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m set --set block_these dst -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -A INPUT -m set --set atbl.1 src -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N Cid1162799X27867.0 $IPTABLES -A OUTPUT -m set ! --set atbl.1 src -m state --state NEW -j Cid1162799X27867.0 $IPTABLES -A Cid1162799X27867.0 -d 1.1.1.1 -j ACCEPT $IPTABLES -A Cid1162799X27867.0 -d 2.2.2.2 -j ACCEPT $IPTABLES -A INPUT -m set ! 
--set atbl.1 src -m state --state NEW -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -A INPUT -m set ! --set atbl.1 src -m state --state NEW -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A INPUT -m set --set atbl.1 src -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m set --set block_these src -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -A OUTPUT -m set --set atbl.1 dst -j DROP $IPTABLES -A FORWARD -m set --set atbl.1 dst -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:53 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files check_module_ipset load_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; reload_address_table) reload_address_table $2 $3 ;; add_to_address_table) add_to_address_table $2 $3 $4 ;; remove_from_address_table) remove_from_address_table $2 $3 $4 ;; test_address_table) test_address_table $2 $3 ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces|reload_address_table|add_to_address_table|remove_from_address_table|test_address_table]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall41-2.fw.orig000077500000000000000000000323671303637203600207130ustar00rootroot00000000000000#!/bin/sh /etc/rc.common # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v4.2.0.3437 # # Generated Mon Jan 17 19:23:11 2011 PST by vadim # # files: * firewall41-2.fw # # Compiled for iptables 1.4.3 # # testing run time address table objects with module set # use module set is turned off # firewall41-2::: warning: Can not add virtual address for object atbl.1 START=46 EXTRA_COMMANDS="status interfaces test_interfaces" FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="" IPTABLES="/usr/sbin/iptables" IP6TABLES="/usr/sbin/ip6tables" IPTABLES_RESTORE="/usr/sbin/iptables-restore" IP6TABLES_RESTORE="/usr/sbin/ip6tables-restore" IP="/usr/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/usr/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" test -x "$LOGGER" && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS 
echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 $PGM >/dev/null 2>&1; test $? = 127 && { echo "$PGM not found" exit 1 } } check_tools() { find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } 
check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : check_file "atbl.1" "addr-table-1.tbl" check_file "block_these" "block-hosts.tbl" } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi insmod ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 1.1.1.1/24" "" update_addresses_of_interface "eth1 2.2.2.2/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -t nat -A POSTROUTING -o eth+ -s $at_atbl_1 -j SNAT --to-source 1.1.1.1 done # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -N Cid2101361X9995.0 $IPTABLES -t nat -A POSTROUTING -o eth+ -j 
Cid2101361X9995.0 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -t nat -A Cid2101361X9995.0 -s $at_atbl_1 -j RETURN done $IPTABLES -t nat -A Cid2101361X9995.0 -o eth+ -j SNAT --to-source 1.1.1.1 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -t nat -A PREROUTING -d $at_atbl_1 -j DNAT --to-destination 192.168.1.10 done # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -m state --state NEW -j ACCEPT done # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N Cid4374297X29460.0 $IPTABLES -A INPUT -s 1.1.1.1 -m state --state NEW -j Cid4374297X29460.0 $IPTABLES -A INPUT -s 2.2.2.2 -m state --state NEW -j Cid4374297X29460.0 $IPTABLES -A OUTPUT -s 1.1.1.1 -m state --state NEW -j Cid4374297X29460.0 $IPTABLES -A OUTPUT -s 2.2.2.2 -m state --state NEW -j Cid4374297X29460.0 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A Cid4374297X29460.0 -d $at_atbl_1 -j RETURN done $IPTABLES -A Cid4374297X29460.0 -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N Cid4374309X29460.0 $IPTABLES -A OUTPUT -s 1.1.1.1 -m state --state NEW -j Cid4374309X29460.0 $IPTABLES -A OUTPUT -s 2.2.2.2 -m state --state NEW -j Cid4374309X29460.0 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A Cid4374309X29460.0 -d $at_atbl_1 -j RETURN done $IPTABLES -A Cid4374309X29460.0 -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -m state --state NEW -j ACCEPT done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A OUTPUT -d $at_block_these -m 
state --state NEW -j ACCEPT done # # Rule 4 (global) # echo "Rule 4 (global)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A INPUT -s $at_atbl_1 -m state --state NEW -j ACCEPT done # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N Cid4374346X29460.0 $IPTABLES -A OUTPUT -d 1.1.1.1 -m state --state NEW -j Cid4374346X29460.0 $IPTABLES -A OUTPUT -d 2.2.2.2 -m state --state NEW -j Cid4374346X29460.0 $IPTABLES -A INPUT -d 1.1.1.1 -m state --state NEW -j Cid4374346X29460.0 $IPTABLES -A INPUT -d 2.2.2.2 -m state --state NEW -j Cid4374346X29460.0 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A Cid4374346X29460.0 -s $at_atbl_1 -j RETURN done $IPTABLES -A Cid4374346X29460.0 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N Cid4374358X29460.0 $IPTABLES -A INPUT -d 1.1.1.1 -m state --state NEW -j Cid4374358X29460.0 $IPTABLES -A INPUT -d 2.2.2.2 -m state --state NEW -j Cid4374358X29460.0 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A Cid4374358X29460.0 -s $at_atbl_1 -j RETURN done $IPTABLES -A Cid4374358X29460.0 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A INPUT -s $at_atbl_1 -m state --state NEW -j ACCEPT done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A INPUT -s $at_block_these -m state --state NEW -j ACCEPT done # # Rule 8 (global) # echo "Rule 8 (global)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -j DROP done grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A FORWARD -d $at_atbl_1 -j DROP done } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } stop_action() { reset_all $IPTABLES -P 
OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } start() { log "Activating firewall script generated Mon Jan 17 19:23:11 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands } stop() { stop_action } status() { status_action } interfaces() { configure_interfaces } test_interfaces() { FWBDEBUG="echo" configure_interfaces } fwbuilder-5.3.7/test/ipt/firewall41.fw.orig000077500000000000000000000342061303637203600205460ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:16:53 2012 PDT by vadim
#
# files: * firewall41.fw /etc/firewall41.fw
#
# Compiled for iptables (any version)
#
# testing rule shadowing with run-time objects, rules with such objects should be ignored
# firewall41:Policy:5: error: File not found for Address Table: missing table (this_table_does_not_exist.tbl) Using dummy address in test mode
# firewall41:Policy:5: error: File not found for Address Table: missing table (this_table_does_not_exist.tbl) Using dummy address in test mode
# firewall41:Policy:6: error: DNSName object "does not resolve" (compile time) can not resolve dns name "does_not_resolve.local" (AF_INET): Host or network 'does_not_resolve.local' not found; last error: Unknown error Using dummy address in test mode
# firewall41:Policy:5: error: Rule '5 (global)' shadows rule '6 (global)' below it
# firewall41:Policy:6: error: DNSName object "does not resolve" (compile time) can not resolve dns name "does_not_resolve.local" (AF_INET): Host or network 'does_not_resolve.local' not found; last error: Unknown error Using dummy address in test mode
# firewall41:Policy:5: error: Rule '5 (global)' shadows rule '6 (global)' below it
# firewall41:Policy:5: error: File not found for Address Table: missing table (this_table_does_not_exist.tbl) Using dummy address in test mode
# firewall41:Policy:6: error: DNSName object "does not resolve" (compile time) can not resolve dns name "does_not_resolve.local" (AF_INET): Host or network 'does_not_resolve.local' not found; last error: Unknown error Using dummy address in test mode

# Command prefix used by the interface helpers further down ($FWBDEBUG $IP ...).
# Empty means the commands are executed; the helpers treat a non-empty value
# as "test mode" (commands are printed rather than run).
FWBDEBUG=""

# Put the system binary directories first so that bare commands used by the
# helpers (sed, awk, grep, ...) resolve the same way regardless of the
# caller's environment.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:$PATH"
export PATH

# Netfilter user-space tools. Absolute paths are used on purpose so the
# privileged binaries are not subject to PATH lookup.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"

# Kernel module tools (used when loading conntrack/nat modules).
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"

# Interface and link management tools.
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address 
addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print 
$2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : check_file "atbl.1" "addr-table-1.tbl" check_file "block_these" "block-hosts.tbl" } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 1.1.1.1/24" "" update_addresses_of_interface "eth1 2.2.2.2/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -N RULE_0 $IPTABLES -A OUTPUT -d www.heise.de -m state --state NEW -j 
RULE_0 $IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT " $IPTABLES -A RULE_0 -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -m state --state NEW -j RULE_1 done $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT " $IPTABLES -A RULE_1 -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N Cid44F707E428576.0 $IPTABLES -A INPUT -d 1.1.1.1 -m state --state NEW -j Cid44F707E428576.0 $IPTABLES -N RULE_2 $IPTABLES -A Cid44F707E428576.0 -s 1.1.1.1 -j RULE_2 $IPTABLES -A Cid44F707E428576.0 -s 2.2.2.2 -j RULE_2 $IPTABLES -A OUTPUT -d 1.1.1.1 -m state --state NEW -j RULE_2 $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT " $IPTABLES -A RULE_2 -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -N RULE_3 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -j RULE_3 done grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A FORWARD -d $at_atbl_1 -j RULE_3 done $IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY " $IPTABLES -A RULE_3 -j DROP # # Rule 4 (global) # echo "Rule 4 (global)" # # testing for bug #1086 # when two run-time objects are used in the rule, compiler adds blank command that blocks (permits) any to any $IPTABLES -N RULE_4 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -m state --state NEW -j RULE_4 done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A OUTPUT -d $at_block_these -m state --state NEW -j RULE_4 done $IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT " $IPTABLES -A RULE_4 -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # there 
should be warning saying the table could not be found # firewall41:Policy:5: error: File not found for Address Table: missing table (this_table_does_not_exist.tbl) Using dummy address in test mode # firewall41:Policy:5: error: Rule '5 (global)' shadows rule '6 (global)' below it $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -d 192.0.2.0/24 -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY " $IPTABLES -A RULE_5 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # # firewall41:Policy:6: error: DNSName object "does not resolve" (compile time) can not resolve dns name "does_not_resolve.local" (AF_INET): Host or network 'does_not_resolve.local' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -N RULE_6 $IPTABLES -A OUTPUT -d 192.0.2.1 -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " $IPTABLES -A RULE_6 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
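# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

# Action dispatch. Note that in the 'start' branch RETVAL only captures the
# exit status of epilog_commands: nothing in script_body is checked, so a
# rule that iptables refuses to load is reported on stderr but the script
# still exits 0 with a partially loaded policy.
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:53 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        # stop_action flushes the rules and then sets the INPUT/OUTPUT/FORWARD
        # policies to ACCEPT, i.e. the host is left unfiltered. 'block'
        # (reset_all only) is the fail-closed alternative.
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # Dry run: every ip(8) call inside configure_interfaces is echoed.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        # Unknown action is a usage error. RETVAL used to stay unset here, so
        # "exit $RETVAL" became a bare exit and reported success.
        RETVAL=2
        ;;
esac

exit "$RETVAL"

# ==== fwbuilder-5.3.7/test/ipt/firewall42.fw.orig ====
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:16:55 2012 PDT by vadim
#
# files: * firewall42.fw /etc/fw/firewall42.fw
#
# Compiled for iptables (any version)
#
# simple test for a rule that matches local broadcast and should go into INPUT chain, but internal interface of the firewall is dynamic so compiler can not determine that given address is broadcast. Using fake interface to make this address match.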
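# NOTE(review): this .fw.orig is a generated regression reference (see the
# "DO NOT MODIFY" header); the helper functions below are emitted by the
# fwbuilder compiler for every iptables firewall, so any fix applied here must
# be mirrored in the generator or the reference comparison fails.

FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# log MESSAGE: print MESSAGE and, if logger(1) is available, also send it to
# syslog at priority info.
log() {
    echo "$1"
    command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# getInterfaceVarName NAME: make an interface name usable inside a shell
# variable name. Only the first '.' is replaced (e.g. eth0.100 -> eth0_100).
getInterfaceVarName() {
    printf '%s\n' "$1" | sed 's/\./_/'
}

# getaddr_internal DEV NAME AF: store the AF ("-4" or "-6") addresses of DEV
# in the shell variable NAME_list (prefix length and peer address stripped).
# With no address NAME is set to '' and NAME_list is cleared.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev "$dev" | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        eval "${name}_list=''"
        return
    }
    # eval is limited to NAME (a compiler-generated identifier) and to the
    # address list extracted from "ip addr" output above.
    eval "${name}_list=\"$L\""
}

# getnet_internal DEV NAME AF: store the directly connected AF networks of
# DEV (kernel routes, default route excluded) in NAME_list.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    # AF was accepted but never handed to ip(8), so getnet6 silently returned
    # the IPv4 networks. The device match is anchored on the whole word
    # "dev DEV" so that eth1 no longer matches the routes of eth10.
    L=$($IP $af route list proto kernel | grep -Fw -- "dev $dev" | grep -v default | sed 's! .*$!!')
    test -z "$L" && {
        eval "$name=''"
        eval "${name}_list=''"
        return
    }
    eval "${name}_list=\"$L\""
}

getaddr() {
    getaddr_internal "$1" "$2" "-4"
}

getaddr6() {
    getaddr_internal "$1" "$2" "-6"
}

getnet() {
    getnet_internal "$1" "$2" "-4"
}

getnet6() {
    getnet_internal "$1" "$2" "-6"
}

# getinterfaces NAME: print every interface whose name begins with NAME;
# used to expand wildcard interfaces.
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read -r L; do
        OIFS=$IFS
        IFS=" :"
        set -- $L
        IFS=$OIFS
        echo "$2"
    done
}

# diff_intf FUNC LIST1 LIST2 CMD: run "FUNC ENTRY CMD" for every whitespace
# separated entry of LIST1 that does not appear in LIST2.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for entry in $list1
    do
        # Compare whole entries literally. The previous
        # "echo $list2 | grep -q $entry" used the entry as an unanchored
        # regexp, so 1.1.1.1/24@eth0 counted as present when only
        # 11.1.1.1/24@eth0 was configured and the address was never added.
        printf '%s\n' $list2 | grep -qxF -- "$entry" || {
            # $entry is absent in list 2
            $func "$entry" "$cmd"
        }
    done
}

# find_program PGM: abort unless PGM can be found in PATH.
find_program() {
    PGM=$1
    command -v "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# check_tools: verify the programs the script cannot work without.
check_tools() {
    find_program "$IPTABLES"
    find_program "$IP"
}

# reset_iptables_v4: fail closed, then remove all IPv4 rules and user chains.
# The DROP policies are installed before flushing so that the tables are
# never empty while a permissive policy is in place.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    cat /proc/net/ip_tables_names | while read -r table; do
        $IPTABLES -t "$table" -L -n | while read -r c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t "$table" -F "$chain"
            fi
        done
        $IPTABLES -t "$table" -X
    done
}

# reset_iptables_v6: IPv6 counterpart of reset_iptables_v4.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    cat /proc/net/ip6_tables_names | while read -r table; do
        $IP6TABLES -t "$table" -L -n | while read -r c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t "$table" -F "$chain"
            fi
        done
        $IP6TABLES -t "$table" -X
    done
}

P2P_INTERFACE_WARNING=""

# missing_address ADDR@IFACE CMD: add (CMD=add) or delete (CMD=del) ADDR on
# IFACE with ip(8) and bring IFACE up. Point-to-point interfaces are skipped
# with a single warning. When FWBDEBUG is "echo" the ip calls are only printed.
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set -- $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev "$interface" | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }
    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        # A case statement replaces "A && {...} || {...}", which also ran
        # the IPv4 branch whenever the IPv6 "ip addr add" failed.
        case "$addr" in
            *:*)
                # IPv6 has no broadcast address
                $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface"
                ;;
            *)
                $FWBDEBUG $IP addr "$cmd" "$addr" broadcast + dev "$interface"
                ;;
        esac
    }
    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface" || exit 1
    }
    $FWBDEBUG $IP link set "$interface" up
}

# list_addresses_by_scope IFACE SCOPE_RE IGNORE_LIST: print "ADDR@IFACE" for
# every address of IFACE whose "ip addr" line matches SCOPE_RE, skipping the
# addresses listed in IGNORE_LIST; output is sorted.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev "$interface" | \
    awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
    while read -r addr; do
        echo "${addr}@$interface"
    done | sort
}

# update_addresses_of_interface "IFACE ADDR..." IGNORE_LIST: make the
# addresses of IFACE equal to ADDR...: missing ones are added, global-scope
# ones not in the list (and not in IGNORE_LIST) are removed. A missing
# interface aborts the script unless FWBDEBUG is set (dry run).
update_addresses_of_interface() {
    ignore_list=$2
    set -- $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in "$@"; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    $IP link show dev "$interface" >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    }
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# clear_addresses_except_known_interfaces IFACE...: flush the global-scope
# addresses of, and bring down, every interface not named in the arguments.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
    while read -r intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev "$intf" scope global
        $FWBDEBUG $IP link set "$intf" down
    done
}

# check_file OBJECT FILE: abort unless the run-time address table FILE that
# OBJECT refers to is readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

check_run_time_address_table_files() {
    :
}

load_modules() {
    :
}

verify_interfaces() {
    :
}

prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

# run_epilog_and_exit STATUS: run the epilog, then exit with STATUS.
run_epilog_and_exit() {
    epilog_commands
    exit "$1"
}

# configure_interfaces: eth0 is dynamic here, so only its current
# addresses/networks are read into the i_eth0* variables used by script_body.
configure_interfaces() {
    :
    # Configure interfaces
    getaddr eth0 i_eth0
    getaddr6 eth0 i_eth0_v6
    getnet eth0 i_eth0_network
    getnet6 eth0 i_eth0_v6_network
}

# script_body: the compiled policy. Each iptables call is unchecked; a rule
# that fails to load is printed by iptables but does not stop the script.
script_body() {
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

    # ================ IPv4

    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'filter', rule set Policy
    #
    # Rule 0 (eth0)
    #
    echo "Rule 0 (eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 192.168.1.255 --dport 67 -m state --state NEW -j ACCEPT
    #
    # Rule 1 (eth0)
    #
    echo "Rule 1 (eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 255.255.255.255 --dport 67 -m state --state NEW -j ACCEPT
    #
    # Rule 2 (eth0)
    #
    echo "Rule 2 (eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 224.0.1.141 --dport 67 -m state --state NEW -j ACCEPT
    #
    # Rule 3 (eth0)
    #
    echo "Rule 3 (eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -s 0.0.0.0 -d 255.255.255.255 --dport 67 -m state --state NEW -j ACCEPT
    #
    # Rule 4 (eth0)
    #
    echo "Rule 4 (eth0)"
    #
    for i_eth0 in $i_eth0_list
    do
        test -n "$i_eth0" && $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -s $i_eth0 -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT
    done
}

ip_forward() {
    :
}

reset_all() {
    :
    reset_iptables_v4
}

# block_action: flush everything and keep the DROP policies (fail closed).
block_action() {
    reset_all
}

# stop_action: flush everything and open the policies; the host is left
# completely unfiltered afterwards.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# check_iptables FILE: 151 if the /proc table list FILE is absent (modules
# not loaded), 152 if it is empty (no tables configured), 0 otherwise.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# status_action: return 0 when either IPv4 or IPv6 tables exist, otherwise
# explain and exit 3.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

# In the 'start' branch RETVAL only reflects epilog_commands; failures inside
# script_body are not propagated, so a partially loaded policy exits 0.
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:55 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        # usage error: RETVAL was previously left unset and the script exited 0
        RETVAL=2
        ;;
esac

exit "$RETVAL"

# ==== fwbuilder-5.3.7/test/ipt/firewall5.fw.orig ====
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !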
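#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:16:56 2012 PDT by vadim
#
# files: * firewall5.fw /etc/fw/firewall5.fw
#
# Compiled for iptables (any version)
#
# testing firewall_is_part_of_any_and_networks. Also testing SNAT and DNAT rules when external interface has dynamic address.
# dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning.
# All "configure interfaces" options are off, testing shell functions for this case.
# firewall5::: error: Dynamic interface ppp0 should not have an IP address object attached to it. This IP address object will be ignored.

# NOTE(review): generated regression reference; the helpers below come from
# the fwbuilder compiler, so fixes made here must also be made in the
# generator or the reference comparison fails.

FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# log MESSAGE: print MESSAGE and, if logger(1) is available, send it to
# syslog at priority info.
log() {
    echo "$1"
    command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# getInterfaceVarName NAME: make an interface name usable inside a shell
# variable name. Only the first '.' is replaced.
getInterfaceVarName() {
    printf '%s\n' "$1" | sed 's/\./_/'
}

# getaddr_internal DEV NAME AF: store the AF ("-4" or "-6") addresses of DEV
# in NAME_list (prefix length and peer address stripped). With no address
# NAME is set to '' and NAME_list is cleared.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev "$dev" | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        eval "${name}_list=''"
        return
    }
    # eval is limited to NAME (a compiler-generated identifier) and to the
    # address list extracted from "ip addr" output above.
    eval "${name}_list=\"$L\""
}

# getnet_internal DEV NAME AF: store the directly connected AF networks of
# DEV (kernel routes, default route excluded) in NAME_list.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    # AF was accepted but never handed to ip(8), so getnet6 returned the IPv4
    # networks. The device match is anchored on the whole word "dev DEV" so
    # that ppp1 no longer matches the routes of ppp10.
    L=$($IP $af route list proto kernel | grep -Fw -- "dev $dev" | grep -v default | sed 's! .*$!!')
    test -z "$L" && {
        eval "$name=''"
        eval "${name}_list=''"
        return
    }
    eval "${name}_list=\"$L\""
}

getaddr() {
    getaddr_internal "$1" "$2" "-4"
}

getaddr6() {
    getaddr_internal "$1" "$2" "-6"
}

getnet() {
    getnet_internal "$1" "$2" "-4"
}

getnet6() {
    getnet_internal "$1" "$2" "-6"
}

# getinterfaces NAME: print every interface whose name begins with NAME;
# used to expand wildcard interfaces.
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read -r L; do
        OIFS=$IFS
        IFS=" :"
        set -- $L
        IFS=$OIFS
        echo "$2"
    done
}

# diff_intf FUNC LIST1 LIST2 CMD: run "FUNC ENTRY CMD" for every whitespace
# separated entry of LIST1 that does not appear in LIST2.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for entry in $list1
    do
        # Compare whole entries literally. The previous
        # "echo $list2 | grep -q $entry" used the entry as an unanchored
        # regexp, so 1.1.1.1/24@eth0 counted as present when only
        # 11.1.1.1/24@eth0 was configured and the address was never added.
        printf '%s\n' $list2 | grep -qxF -- "$entry" || {
            # $entry is absent in list 2
            $func "$entry" "$cmd"
        }
    done
}

# find_program PGM: abort unless PGM can be found in PATH.
find_program() {
    PGM=$1
    command -v "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# check_tools: verify the programs the script cannot work without.
check_tools() {
    find_program "$IPTABLES"
    find_program "$IP"
}

# reset_iptables_v4: fail closed, then remove all IPv4 rules and user chains.
# DROP policies are installed before flushing so the tables are never empty
# while a permissive policy is in place.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    cat /proc/net/ip_tables_names | while read -r table; do
        $IPTABLES -t "$table" -L -n | while read -r c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t "$table" -F "$chain"
            fi
        done
        $IPTABLES -t "$table" -X
    done
}

# reset_iptables_v6: IPv6 counterpart of reset_iptables_v4.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    cat /proc/net/ip6_tables_names | while read -r table; do
        $IP6TABLES -t "$table" -L -n | while read -r c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t "$table" -F "$chain"
            fi
        done
        $IP6TABLES -t "$table" -X
    done
}

P2P_INTERFACE_WARNING=""

# missing_address ADDR@IFACE CMD: add (CMD=add) or delete (CMD=del) ADDR on
# IFACE with ip(8) and bring IFACE up. Point-to-point interfaces are skipped
# with a single warning. When FWBDEBUG is "echo" the ip calls are only printed.
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set -- $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev "$interface" | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }
    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        # A case statement replaces "A && {...} || {...}", which also ran
        # the IPv4 branch whenever the IPv6 "ip addr add" failed.
        case "$addr" in
            *:*)
                # IPv6 has no broadcast address
                $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface"
                ;;
            *)
                $FWBDEBUG $IP addr "$cmd" "$addr" broadcast + dev "$interface"
                ;;
        esac
    }
    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface" || exit 1
    }
    $FWBDEBUG $IP link set "$interface" up
}

# list_addresses_by_scope IFACE SCOPE_RE IGNORE_LIST: print "ADDR@IFACE" for
# every address of IFACE whose "ip addr" line matches SCOPE_RE, skipping the
# addresses listed in IGNORE_LIST; output is sorted.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev "$interface" | \
    awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
    while read -r addr; do
        echo "${addr}@$interface"
    done | sort
}

# update_addresses_of_interface "IFACE ADDR..." IGNORE_LIST: make the
# addresses of IFACE equal to ADDR...: missing ones are added, global-scope
# ones not in the list (and not in IGNORE_LIST) are removed. A missing
# interface aborts the script unless FWBDEBUG is set (dry run).
update_addresses_of_interface() {
    ignore_list=$2
    set -- $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in "$@"; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    $IP link show dev "$interface" >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    }
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# clear_addresses_except_known_interfaces IFACE...: flush the global-scope
# addresses of, and bring down, every interface not named in the arguments.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
    while read -r intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev "$intf" scope global
        $FWBDEBUG $IP link set "$intf" down
    done
}

# check_file OBJECT FILE: abort unless the run-time address table FILE that
# OBJECT refers to is readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

check_run_time_address_table_files() {
    :
}

load_modules() {
    :
}

verify_interfaces() {
    :
}

prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

# run_epilog_and_exit STATUS: run the epilog, then exit with STATUS.
run_epilog_and_exit() {
    epilog_commands
    exit "$1"
}

# configure_interfaces: ppp0 and ppp1 are dynamic, so their current
# addresses/networks are read into the i_ppp0* / i_ppp1* variables that
# script_body expands at load time.
configure_interfaces() {
    :
    # Configure interfaces
    getaddr ppp0 i_ppp0
    getaddr6 ppp0 i_ppp0_v6
    getnet ppp0 i_ppp0_network
    getnet6 ppp0 i_ppp0_v6_network
    getaddr ppp1 i_ppp1
    getaddr6 ppp1 i_ppp1_v6
    getnet ppp1 i_ppp1_network
    getnet6 ppp1 i_ppp1_v6_network
}

# script_body: the compiled NAT and filter policy. Each iptables call is
# unchecked; a rule that fails to load is printed by iptables but does not
# stop the script.
script_body() {
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

    # ================ IPv4

    # ================ Table 'nat', rule set NAT
    #
    # Rule 0 (NAT)
    #
    echo "Rule 0 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o ppp1 -s 192.168.1.0/24 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1
    #
    # Rule 1 (NAT)
    #
    echo "Rule 1 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.23
    $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.23
    #
    # Rule 2 (NAT)
    #
    echo "Rule 2 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth+ -s 77.77.77.77 -j SNAT --to-source 22.22.22.23
    $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 77.77.77.77 -j SNAT --to-source 22.22.22.23
    $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.1 -j SNAT --to-source 22.22.22.23
    $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 192.168.1.1 -j SNAT --to-source 22.22.22.23
    $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.2.1 -j SNAT --to-source 22.22.22.23
    $IPTABLES -t nat -A POSTROUTING -o ppp+ -s 192.168.2.1 -j SNAT --to-source 22.22.22.23
    #
    # Rule 3 (NAT)
    #
    echo "Rule 3 (NAT)"
    #
    for i_ppp0 in $i_ppp0_list
    do
        test -n "$i_ppp0" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $i_ppp0 --dport 22 -j DNAT --to-destination 192.168.1.10:22
    done
    for i_ppp1 in $i_ppp1_list
    do
        test -n "$i_ppp1" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $i_ppp1 --dport 22 -j DNAT --to-destination 192.168.1.10:22
    done
    $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22
    $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 22 -j DNAT --to-destination 192.168.1.10:22

    # ================ Table 'filter', rule set Policy
    #
    # Rule 0 (ppp0)
    #
    echo "Rule 0 (ppp0)"
    #
    $IPTABLES -N Cid3E4A05B9.0
    $IPTABLES -A INPUT -i ppp0 -j Cid3E4A05B9.0
    $IPTABLES -A FORWARD -i ppp0 -j Cid3E4A05B9.0
    for i_ppp0 in $i_ppp0_list
    do
        test -n "$i_ppp0" && $IPTABLES -A Cid3E4A05B9.0 -s $i_ppp0 -j RETURN
    done
    $IPTABLES -A Cid3E4A05B9.0 -s 192.168.1.0/24 -j RETURN
    $IPTABLES -N In_RULE_0_3
    $IPTABLES -A Cid3E4A05B9.0 -j In_RULE_0_3
    $IPTABLES -A In_RULE_0_3 -j LOG
    $IPTABLES -A In_RULE_0_3 -j DROP
    #
    # Rule 1 (ppp1)
    #
    echo "Rule 1 (ppp1)"
    #
    $IPTABLES -N Cid3E8F5B72.0
    $IPTABLES -A INPUT -i ppp1 -j Cid3E8F5B72.0
    $IPTABLES -A FORWARD -i ppp1 -j Cid3E8F5B72.0
    for i_ppp0 in $i_ppp0_list
    do
        test -n "$i_ppp0" && $IPTABLES -A Cid3E8F5B72.0 -s $i_ppp0 -j RETURN
    done
    $IPTABLES -A Cid3E8F5B72.0 -s 192.168.1.0/24 -j RETURN
    $IPTABLES -N In_RULE_1_3
    $IPTABLES -A Cid3E8F5B72.0 -j In_RULE_1_3
    $IPTABLES -A In_RULE_1_3 -j LOG
    $IPTABLES -A In_RULE_1_3 -j DROP
    #
    # Rule 2 (ppp1,ppp0)
    #
    echo "Rule 2 (ppp1,ppp0)"
    #
    $IPTABLES -N Cid212010X42308.0
    $IPTABLES -A INPUT -i ppp0 -j Cid212010X42308.0
    $IPTABLES -A INPUT -i ppp1 -j Cid212010X42308.0
    $IPTABLES -A FORWARD -i ppp0 -j Cid212010X42308.0
    $IPTABLES -A FORWARD -i ppp1 -j Cid212010X42308.0
    for i_ppp0 in $i_ppp0_list
    do
        test -n "$i_ppp0" && $IPTABLES -A Cid212010X42308.0 -s $i_ppp0 -j RETURN
    done
    for i_ppp1 in $i_ppp1_list
    do
        test -n "$i_ppp1" && $IPTABLES -A Cid212010X42308.0 -s $i_ppp1 -j RETURN
    done
    $IPTABLES -A Cid212010X42308.0 -s 192.168.1.0/24 -j RETURN
    $IPTABLES -N In_RULE_2_3
    $IPTABLES -A Cid212010X42308.0 -j In_RULE_2_3
    $IPTABLES -A In_RULE_2_3 -j LOG
    $IPTABLES -A In_RULE_2_3 -j DROP
    #
    # Rule 3 (global)
    #
    echo "Rule 3 (global)"
    #
    $IPTABLES -N RULE_3
    for i_ppp0 in $i_ppp0_list
    do
        for i_ppp1 in $i_ppp1_list
        do
            test -n "$i_ppp0" && test -n "$i_ppp1" && $IPTABLES -A INPUT -s $i_ppp0 -d $i_ppp1 -j RULE_3
        done
    done
    for i_ppp0 in $i_ppp0_list
    do
        for i_ppp1 in $i_ppp1_list
        do
            test -n "$i_ppp0" && test -n "$i_ppp1" && $IPTABLES -A OUTPUT -s $i_ppp0 -d $i_ppp1 -j RULE_3
        done
    done
    $IPTABLES -A RULE_3 -j LOG
    $IPTABLES -A RULE_3 -j DROP
    #
    # Rule 4 (global)
    #
    echo "Rule 4 (global)"
    #
    for i_ppp0 in $i_ppp0_list
    do
        test -n "$i_ppp0" && $IPTABLES -A OUTPUT -p tcp -m tcp -d $i_ppp0 --dport 22 -m state --state NEW -j ACCEPT
    done
    for i_ppp1 in $i_ppp1_list
    do
        test -n "$i_ppp1" && $IPTABLES -A OUTPUT -p tcp -m tcp -d $i_ppp1 --dport 22 -m state --state NEW -j ACCEPT
    done
    for i_ppp0 in $i_ppp0_list
    do
        test -n "$i_ppp0" && $IPTABLES -A INPUT -p tcp -m tcp -d $i_ppp0 --dport 22 -m state --state NEW -j ACCEPT
    done
    for i_ppp1 in $i_ppp1_list
    do
        test -n "$i_ppp1" && $IPTABLES -A INPUT -p tcp -m tcp -d $i_ppp1 --dport 22 -m state --state NEW -j ACCEPT
    done
    #
    # Rule 5 (global)
    #
    echo "Rule 5 (global)"
    #
    # hostF has the same IP address as firewal.
    $IPTABLES -N RULE_5
    $IPTABLES -A OUTPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_5
    $IPTABLES -A INPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_5
    $IPTABLES -A RULE_5 -j LOG
    $IPTABLES -A RULE_5 -j ACCEPT
    #
    # Rule 6 (global)
    #
    echo "Rule 6 (global)"
    #
    $IPTABLES -N Cid3E4A0454.0
    $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid3E4A0454.0
    for i_ppp1 in $i_ppp1_list
    do
        test -n "$i_ppp1" && $IPTABLES -A Cid3E4A0454.0 -d $i_ppp1 -j ACCEPT
    done
    for i_ppp0 in $i_ppp0_list
    do
        test -n "$i_ppp0" && $IPTABLES -A Cid3E4A0454.0 -d $i_ppp0 -j ACCEPT
    done
    $IPTABLES -A Cid3E4A0454.0 -d 192.168.1.1 -j ACCEPT
    $IPTABLES -A Cid3E4A0454.0 -d 192.168.2.1 -j ACCEPT
    $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    #
    # Rule 7 (global)
    #
    echo "Rule 7 (global)"
    #
    $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -m state --state NEW -j ACCEPT
    #
    # Rule 8 (global)
    #
    echo "Rule 8 (global)"
    #
    $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport -d 192.168.1.1 --dports 22,23 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp -m tcp -m multiport -d 192.168.1.1 --dports 22,23 -m state --state NEW -j ACCEPT
    #
    # Rule 9 (global)
    #
    echo "Rule 9 (global)"
    #
    $IPTABLES -N Cid3E987157.0
    $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid3E987157.0
    $IPTABLES -A Cid3E987157.0 -d 77.77.77.77 -j ACCEPT
    $IPTABLES -A Cid3E987157.0 -d 192.168.1.1 -j ACCEPT
    $IPTABLES -A Cid3E987157.0 -d 192.168.2.1 -j ACCEPT
    $IPTABLES -N Cid3E987157.1
    $IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid3E987157.1
    $IPTABLES -A Cid3E987157.1 -d 77.77.77.77 -j ACCEPT
    $IPTABLES -A Cid3E987157.1 -d 192.168.1.1 -j ACCEPT
    $IPTABLES -A Cid3E987157.1 -d 192.168.2.1 -j ACCEPT
    #
    # Rule 10 (global)
    #
    echo "Rule 10 (global)"
    #
    $IPTABLES -N Cid3E9871F4.0
    $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid3E9871F4.0
    $IPTABLES -N RULE_10
    $IPTABLES -A Cid3E9871F4.0 -d 77.77.77.77 -j RULE_10
    $IPTABLES -A Cid3E9871F4.0 -d 192.168.1.1 -j RULE_10
    $IPTABLES -A Cid3E9871F4.0 -d 192.168.2.1 -j RULE_10
    $IPTABLES -N Cid3E9871F4.1
    $IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 22,23 -m state --state NEW -j Cid3E9871F4.1
    $IPTABLES -A Cid3E9871F4.1 -d 77.77.77.77 -j RULE_10
    $IPTABLES -A Cid3E9871F4.1 -d 192.168.1.1 -j RULE_10
    $IPTABLES -A Cid3E9871F4.1 -d 192.168.2.1 -j RULE_10
    $IPTABLES -A RULE_10 -j LOG
    $IPTABLES -A RULE_10 -j ACCEPT
    #
    # Rule 11 (global)
    #
    echo "Rule 11 (global)"
    #
    # firewall is part of Any, so compiler should
    # generate code in both FORWARD and
    # OUTPUT chains
    $IPTABLES -A OUTPUT -d 200.200.200.200 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -d 200.200.200.200 -m state --state NEW -j ACCEPT
    #
    # Rule 12 (global)
    #
    echo "Rule 12 (global)"
    #
    # firewall is part of Any, compiler should
    # generate code for both FORWARD and
    # INPUT chains
    $IPTABLES -A INPUT -s 200.200.200.200 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -s 200.200.200.200 -m state --state NEW -j ACCEPT
    #
    # Rule 13 (global)
    #
    echo "Rule 13 (global)"
    #
    # because firewall has interface on network
    # internal_net, compiler should generate code
    # for both FORWARD and INPUT chains
    $IPTABLES -A INPUT -s 192.168.1.10 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -s 192.168.1.10 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT
    #
    # Rule 14 (global)
    #
    echo "Rule 14 (global)"
    #
    $IPTABLES -N Cid3B19C5CA.0
    $IPTABLES -A OUTPUT -d 200.200.200.200 -m state --state NEW -j Cid3B19C5CA.0
    $IPTABLES -A Cid3B19C5CA.0 -s 192.168.1.0/24 -j ACCEPT
    $IPTABLES -A Cid3B19C5CA.0 -s 192.168.2.0/24 -j ACCEPT
    $IPTABLES -N Cid3B19C5CA.1
    $IPTABLES -A FORWARD -d 200.200.200.200 -m state --state NEW -j Cid3B19C5CA.1
    $IPTABLES -A Cid3B19C5CA.1 -s 192.168.1.0/24 -j ACCEPT
    $IPTABLES -A Cid3B19C5CA.1 -s 192.168.2.0/24 -j ACCEPT
    #
    # Rule 15 (global)
    #
    echo "Rule 15 (global)"
    #
    # Automatically generated 'catch all' rule
    $IPTABLES -N RULE_15
    $IPTABLES -A OUTPUT -j RULE_15
    $IPTABLES -A INPUT -j RULE_15
    $IPTABLES -A FORWARD -j RULE_15
    $IPTABLES -A RULE_15 -j LOG
    $IPTABLES -A RULE_15 -j DROP
}

ip_forward() {
    :
}

reset_all() {
    :
    reset_iptables_v4
}

# block_action: flush everything and keep the DROP policies (fail closed).
block_action() {
    reset_all
}

# stop_action: flush everything and open the policies; the host is left
# completely unfiltered afterwards.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# check_iptables FILE: 151 if the /proc table list FILE is absent (modules
# not loaded), 152 if it is empty (no tables configured), 0 otherwise.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# status_action: return 0 when either IPv4 or IPv6 tables exist, otherwise
# explain and exit 3.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

# In the 'start' branch RETVAL only reflects epilog_commands; failures inside
# script_body are not propagated, so a partially loaded policy exits 0.
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:56 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules "nat "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        # usage error: RETVAL was previously left unset and the script exited 0
        RETVAL=2
        ;;
esac

exit "$RETVAL"

# ==== fwbuilder-5.3.7/test/ipt/firewall50.fw.orig ====
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !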
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:56 2012 PDT by vadim # # files: * firewall50.fw /etc/fw/firewall50.fw # # Compiled for iptables (any version) # # testing action 'Continue' FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set rule2_branch # # Rule rule2_branch 0 (global) # echo "Rule rule2_branch 0 (global)" # $IPTABLES -N rule2_branch $IPTABLES -N Cid4734305F19714.0 $IPTABLES -A rule2_branch -j Cid4734305F19714.0 $IPTABLES -A Cid4734305F19714.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid4734305F19714.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -N rule2_branch_0_3 $IPTABLES -A Cid4734305F19714.0 -j rule2_branch_0_3 $IPTABLES -A rule2_branch_0_3 -j LOG --log-level debug $IPTABLES -A rule2_branch_0_3 -j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 $IPTABLES -A INPUT -s 192.168.2.0/24 $IPTABLES -A OUTPUT -s 192.168.1.0/24 $IPTABLES -A OUTPUT -s 192.168.2.0/24 $IPTABLES -A FORWARD -s 192.168.1.0/24 $IPTABLES -A FORWARD -s 192.168.2.0/24 # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A INPUT -s 192.168.0.0/16 -j RULE_1 $IPTABLES -A OUTPUT -s 192.168.0.0/16 -j RULE_1 $IPTABLES -A FORWARD -s 192.168.0.0/16 -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level debug $IPTABLES -A RULE_1 -j DROP # # Rule 2 (global) # echo 
"Rule 2 (global)" # $IPTABLES -A INPUT -s 192.168.0.0/16 -j rule2_branch $IPTABLES -A OUTPUT -s 192.168.0.0/16 -j rule2_branch $IPTABLES -A FORWARD -s 192.168.0.0/16 -j rule2_branch # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -N Cid4733CF6F19714.0 $IPTABLES -A OUTPUT -j Cid4733CF6F19714.0 $IPTABLES -A INPUT -j Cid4733CF6F19714.0 $IPTABLES -A FORWARD -j Cid4733CF6F19714.0 $IPTABLES -A Cid4733CF6F19714.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid4733CF6F19714.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -N RULE_3_3 $IPTABLES -A Cid4733CF6F19714.0 -j RULE_3_3 $IPTABLES -A RULE_3_3 -j LOG --log-level debug $IPTABLES -A RULE_3_3 -j DROP # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N RULE_4 $IPTABLES -A OUTPUT -j RULE_4 $IPTABLES -A INPUT -j RULE_4 $IPTABLES -A FORWARD -j RULE_4 $IPTABLES -A RULE_4 -j LOG --log-level debug $IPTABLES -A RULE_4 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:56 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall51.fw.orig000077500000000000000000000336321303637203600205510ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:58 2012 PDT by vadim # # files: * firewall51.fw /etc/fw/firewall51.fw # # Compiled for iptables (any version) # # testing branching rules that point # at rule sets defined in object # firewall-base-rulesets FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 
af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set rule2_branch # # Rule rule2_branch 0 (global) # echo "Rule rule2_branch 0 (global)" # $IPTABLES -N rule2_branch $IPTABLES -N Cid484A060A4626.0 $IPTABLES -A rule2_branch -j Cid484A060A4626.0 $IPTABLES -A Cid484A060A4626.0 -s 192.168.1.0/24 -j RETURN $IPTABLES -A Cid484A060A4626.0 -s 192.168.2.0/24 -j RETURN $IPTABLES -N rule2_branch_0_3 $IPTABLES -A Cid484A060A4626.0 -j rule2_branch_0_3 $IPTABLES -A rule2_branch_0_3 -j LOG --log-level debug $IPTABLES -A rule2_branch_0_3 -j DROP # ================ Table 'filter', rule set mail_server_inbound # # Rule mail_server_inbound 0 (global) # echo "Rule mail_server_inbound 0 (global)" # $IPTABLES -N mail_server_inbound $IPTABLES -A mail_server_inbound -i + -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT # # Rule mail_server_inbound 1 (global) # echo "Rule mail_server_inbound 1 (global)" # $IPTABLES -A mail_server_inbound -i + -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT $IPTABLES -A mail_server_inbound -i + -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # ================ Table 'filter', rule set mail_server_outbound # # Rule 
mail_server_outbound 0 (global) # echo "Rule mail_server_outbound 0 (global)" # $IPTABLES -N mail_server_outbound $IPTABLES -A mail_server_outbound -o + -p tcp -m tcp -m multiport --dports 53,25 -m state --state NEW -j ACCEPT $IPTABLES -A mail_server_outbound -o + -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT # # Rule mail_server_outbound 1 (global) # echo "Rule mail_server_outbound 1 (global)" # $IPTABLES -A mail_server_outbound -o + -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT $IPTABLES -A mail_server_outbound -o + -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # ================ Table 'filter', rule set web_server_inbound # # Rule web_server_inbound 0 (global) # echo "Rule web_server_inbound 0 (global)" # $IPTABLES -N web_server_inbound $IPTABLES -A web_server_inbound -i + -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT # # Rule web_server_inbound 1 (global) # echo "Rule web_server_inbound 1 (global)" # $IPTABLES -A web_server_inbound -i + -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT $IPTABLES -A web_server_inbound -i + -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # # Rule web_server_inbound 2 (global) # echo "Rule web_server_inbound 2 (global)" # $IPTABLES -N web_server_inbound_2 $IPTABLES -A web_server_inbound -p tcp -m tcp --dport 3306 -j web_server_inbound_2 $IPTABLES -A web_server_inbound_2 -j LOG --log-level debug --log-prefix "web_server_inbound/2 -- DENY" $IPTABLES -A web_server_inbound_2 -j DROP # ================ Table 'filter', rule set web_server_outbound # # Rule web_server_outbound 0 (global) # echo "Rule web_server_outbound 0 (global)" # $IPTABLES -N web_server_outbound $IPTABLES -A web_server_outbound -o + -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT $IPTABLES -A web_server_outbound -o + -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT # # Rule web_server_outbound 1 (global) # echo "Rule web_server_outbound 1 (global)" # $IPTABLES -A 
web_server_outbound -o + -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A web_server_outbound -o + -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT # ================ Table 'filter', rule set base-ruleset # # Rule base-ruleset 0 (global) # echo "Rule base-ruleset 0 (global)" # $IPTABLES -N base-ruleset $IPTABLES -N Cid41961X1271.0 $IPTABLES -A base-ruleset -p tcp -m tcp --dport 22 -m state --state NEW -j Cid41961X1271.0 $IPTABLES -A Cid41961X1271.0 -d 33.33.33.33 -j ACCEPT $IPTABLES -A Cid41961X1271.0 -d 172.16.1.1 -j ACCEPT $IPTABLES -A Cid41961X1271.0 -d 192.168.100.1 -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A OUTPUT -d 192.168.1.10 -j mail_server_inbound $IPTABLES -A FORWARD -d 192.168.1.10 -j mail_server_inbound # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -A INPUT -s 192.168.1.10 -j mail_server_outbound $IPTABLES -A FORWARD -s 192.168.1.10 -j mail_server_outbound # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -A OUTPUT -d 192.168.1.20 -j web_server_inbound $IPTABLES -A FORWARD -d 192.168.1.20 -j web_server_inbound # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -A INPUT -s 192.168.1.20 -j web_server_outbound $IPTABLES -A FORWARD -s 192.168.1.20 -j web_server_outbound # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -A OUTPUT -j base-ruleset $IPTABLES -A INPUT -j base-ruleset $IPTABLES -A FORWARD -j base-ruleset # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -j rule2_branch $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j rule2_branch $IPTABLES -A FORWARD -s 192.168.1.0/24 -j rule2_branch } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:58 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall6.fw.orig000077500000000000000000000415751303637203600204760ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:58 2012 PDT by vadim # # files: * firewall6.fw /etc/fw/firewall6.fw # # Compiled for iptables (any version) # # testing rule with firewall in dst and negation # also testing "Destination NAT Onto the Same Network" per Turorial chapter 3.5 # testing a rule with src=dst=firewall6 in the global policy (should use all interfaces including loopback) FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth3 22.22.23.23/24 22.22.23.24/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.20 --dport 80 -j SNAT --to-source 192.168.1.1 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.24 --dport 80 -j DNAT --to-destination 192.168.1.20 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # # this is SDNAT rule, it translates # both source and destination # 
this rule should be equivalent to two rules above $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 -d 22.22.23.24 --dport 80 -j DNAT --to-destination 192.168.1.20 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.20 --dport 80 -j SNAT --to-source 192.168.1.1 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.11-192.168.1.12 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.1.11 --dport 80 -j SNAT --to-source 192.168.1.1 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.1.12 --dport 80 -j SNAT --to-source 192.168.1.1 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.11-192.168.1.12 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.1.11 --dport 80 -j SNAT --to-source 192.168.1.1 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.1.12 --dport 80 -j SNAT --to-source 192.168.1.1 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.11-192.168.1.12 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.23.23 --dport 80 -j DNAT --to-destination 192.168.1.11-192.168.1.12 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.11-192.168.1.12 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.1.11-192.168.1.12 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.1.11 --dport 80 -j SNAT --to-source 192.168.1.1 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.1.12 --dport 80 -j SNAT --to-source 192.168.1.1 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 
192.168.1.100 --dport 80 -j DNAT --to-destination 192.168.1.100:3128 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s ! 192.168.1.100 -d 192.168.1.100 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # $IPTABLES -t nat -N Cid3F9F8382.0 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j Cid3F9F8382.0 $IPTABLES -t nat -A Cid3F9F8382.0 -d 222.222.222.40 -j RETURN $IPTABLES -t nat -A Cid3F9F8382.0 -d 222.222.222.41 -j RETURN $IPTABLES -t nat -A Cid3F9F8382.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.100:3128 $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.100 --dport 3128 -j SNAT --to-source 192.168.1.1 # # Rule 8 (NAT) # echo "Rule 8 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d 192.168.2.0/24 -j SNAT --to-source 192.168.2.1 # # Rule 9 (NAT) # echo "Rule 9 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22 $IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23 $IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 # ================ Table 'filter', rule set Policy # # Rule 0 (eth1) # echo "Rule 0 (eth1)" # $IPTABLES -N Cid3C699028.0 $IPTABLES -A INPUT -i eth1 -j Cid3C699028.0 $IPTABLES -A Cid3C699028.0 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3C699028.0 -d 22.22.23.23 -j RETURN $IPTABLES -A Cid3C699028.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid3C699028.0 -d 192.168.2.1 -j RETURN $IPTABLES -N In_RULE_0_3 $IPTABLES -A Cid3C699028.0 -j In_RULE_0_3 $IPTABLES -A In_RULE_0_3 -j LOG --log-level debug --log-prefix "RULE 0 -- DENY global" $IPTABLES -A In_RULE_0_3 -j DROP $IPTABLES -N In_RULE_0 $IPTABLES -A FORWARD -i eth1 -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level debug --log-prefix "RULE 0 -- DENY global" $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N 
Cid3C698FB2.0 $IPTABLES -A INPUT -j Cid3C698FB2.0 $IPTABLES -A Cid3C698FB2.0 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3C698FB2.0 -d 22.22.23.23 -j RETURN $IPTABLES -A Cid3C698FB2.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid3C698FB2.0 -d 192.168.2.1 -j RETURN $IPTABLES -N In_RULE_1_3 $IPTABLES -A Cid3C698FB2.0 -j In_RULE_1_3 $IPTABLES -A In_RULE_1_3 -j LOG --log-level debug --log-prefix "RULE 1 -- DENY global" $IPTABLES -A In_RULE_1_3 -j DROP $IPTABLES -N RULE_1 $IPTABLES -A OUTPUT -j RULE_1 $IPTABLES -A FORWARD -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level debug --log-prefix "RULE 1 -- DENY global" $IPTABLES -A RULE_1 -j DROP # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N Cid3E9C86DD.0 $IPTABLES -A INPUT -s 22.22.22.22 -m state --state NEW -j Cid3E9C86DD.0 $IPTABLES -A INPUT -s 22.22.23.23 -m state --state NEW -j Cid3E9C86DD.0 $IPTABLES -A INPUT -s 127.0.0.1 -m state --state NEW -j Cid3E9C86DD.0 $IPTABLES -A INPUT -s 192.168.1.1 -m state --state NEW -j Cid3E9C86DD.0 $IPTABLES -A INPUT -s 192.168.2.1 -m state --state NEW -j Cid3E9C86DD.0 $IPTABLES -A Cid3E9C86DD.0 -d 22.22.22.22 -j ACCEPT $IPTABLES -A Cid3E9C86DD.0 -d 22.22.23.23 -j ACCEPT $IPTABLES -A Cid3E9C86DD.0 -d 127.0.0.1 -j ACCEPT $IPTABLES -A Cid3E9C86DD.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3E9C86DD.0 -d 192.168.2.1 -j ACCEPT $IPTABLES -N Cid3E9C86DD.1 $IPTABLES -A OUTPUT -s 22.22.22.22 -m state --state NEW -j Cid3E9C86DD.1 $IPTABLES -A OUTPUT -s 22.22.23.23 -m state --state NEW -j Cid3E9C86DD.1 $IPTABLES -A OUTPUT -s 127.0.0.1 -m state --state NEW -j Cid3E9C86DD.1 $IPTABLES -A OUTPUT -s 192.168.1.1 -m state --state NEW -j Cid3E9C86DD.1 $IPTABLES -A OUTPUT -s 192.168.2.1 -m state --state NEW -j Cid3E9C86DD.1 $IPTABLES -A Cid3E9C86DD.1 -d 22.22.22.22 -j ACCEPT $IPTABLES -A Cid3E9C86DD.1 -d 22.22.23.23 -j ACCEPT $IPTABLES -A Cid3E9C86DD.1 -d 127.0.0.1 -j ACCEPT $IPTABLES -A Cid3E9C86DD.1 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid3E9C86DD.1 -d 192.168.2.1 -j ACCEPT # # Rule 4 (global) # 
echo "Rule 4 (global)" # $IPTABLES -N Cid141025X15403.0 $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j Cid141025X15403.0 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j Cid141025X15403.0 $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j Cid141025X15403.0 $IPTABLES -A Cid141025X15403.0 -d 222.222.222.40 -j RETURN $IPTABLES -A Cid141025X15403.0 -d 222.222.222.41 -j RETURN $IPTABLES -A Cid141025X15403.0 -j ACCEPT } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:16:58 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
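        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" >&2
        # An unknown command used to exit 0 because RETVAL was never set.
        RETVAL=2
        ;;
esac

exit "$RETVAL"
fwbuilder-5.3.7/test/ipt/firewall60.fw.orig000077500000000000000000000272721303637203600205440ustar00rootroot00000000000000
#!/bin/sh
#
#  This is automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_ipt v5.0.2.3596
#
#  Generated Sun Mar 18 21:16:59 2012 PDT by vadim
#
# files: * firewall60.fw /etc/firewall60.fw
#
# Compiled for iptables (any version)
#
# testing time limiting for iptables < 1.4.0
#
# Reference output kept under test/ipt for the fwb_ipt compiler tests. The
# helper library below is the same in every generated script.

# FWBDEBUG is empty for a real run; the "test_interfaces" command sets it to
# "echo" so every interface-changing command below is printed, not executed.
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print $1 and, when a logger binary is present, also send it to syslog at
# priority info. The POSIX builtin "command -v" replaces the external
# "which": log runs before check_tools, so it must not need another tool.
log() {
    echo "$1"
    command -v "$LOGGER" >/dev/null 2>&1 && "$LOGGER" -p info "$1"
}

# Turn an interface name into a variable-name fragment by replacing the
# first "." with "_" (eth0.100 -> eth0_100); only the first dot changes.
getInterfaceVarName() {
    echo "$1" | sed 's/\./_/'
}

# Store the addresses of interface $1 (prefix length and "peer" part
# stripped, one per line) in the variable "${2}_list". $3 is the address
# family flag for ip ("-4"/"-6"). When there is no address, "$2" itself is
# set to '' and "${2}_list" is left untouched -- callers rely on that
# asymmetry. $2 is a variable name emitted by the compiler, never external
# input, which is what makes the eval acceptable.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP "$af" addr show dev "$dev" | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    if test -z "$L"; then
        eval "$name=''"
        return
    fi
    eval "${name}_list=\"$L\""
}

# Like getaddr_internal, but stores the directly connected networks of $1
# (kernel routes other than the default route) in "${2}_list".
# Fixed: $3 was ignored, so getnet6 returned IPv4 networks, and the
# interface was matched with an unanchored "grep $dev", so eth1 also picked
# up eth10, eth11, ... The "dev" field of a route must now equal $1.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP "$af" route list proto kernel | awk -v d="$dev" \
        '$0 !~ /default/ { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == d) { print $1; break } }')
    if test -z "$L"; then
        eval "$name=''"
        return
    fi
    eval "${name}_list=\"$L\""
}

getaddr() {
    getaddr_internal "$1" "$2" "-4"
}

getaddr6() {
    getaddr_internal "$1" "$2" "-6"
}

getnet() {
    getnet_internal "$1" "$2" "-4"
}

getnet6() {
    getnet_internal "$1" "$2" "-6"
}

# Expand a wildcard interface name: print the name from every "N: name: ..."
# header line of "ip link show" that contains ": $1" ($1 is a regular
# expression, as with the grep it replaces; "ppp" lists ppp0, ppp1, ...).
getinterfaces() {
    NAME=$1
    $IP link show | awk -v n="$NAME" \
        '$0 ~ (": " n) { split($0, f, /[ :]+/); print f[2] }'
}

# Run "$1 item $4" for each whitespace-separated item of $2 that is not
# present in $3. Items are compared as whole literal strings; the previous
# "echo $list2 | grep -q $intf" used the item as an unanchored regular
# expression, so "." matched any character and an item such as
# 1.2.3.4/24@eth0 was "found" inside 11.2.3.4/24@eth0.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        found=""
        for other in $list2
        do
            if test "$other" = "$intf"; then
                found="yes"
                break
            fi
        done
        test -n "$found" || {
            # $intf is absent in list 2
            "$func" "$intf" "$cmd"
        }
    done
}

# Exit 1 when program $1 (bare name or absolute path) is not available.
# "command -v" is a POSIX builtin, so the check itself needs no external
# tool; the diagnostic goes to stderr.
find_program() {
    PGM=$1
    command -v "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found" >&2
        exit 1
    }
}

# Check the external tools before anything is modified. "which" stays in
# the list so the set of tools a host must provide is unchanged.
check_tools() {
    find_program which
    find_program "$IPTABLES"
    find_program "$MODPROBE"
    find_program "$IP"
}

# Fail closed, then wipe the IPv4 ruleset: the filter policies are set to
# DROP *before* any chain is flushed so nothing is accepted in between.
# "-F" with no chain flushes every chain of the table and "-X" with no
# chain deletes all user-defined chains; this replaces the old parsing of
# "-L -n" output, which flushed the same chains one by one.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    if test -r /proc/net/ip_tables_names; then
        while read -r table; do
            $IPTABLES -t "$table" -F
            $IPTABLES -t "$table" -X
        done < /proc/net/ip_tables_names
    fi
}

# IPv6 counterpart of reset_iptables_v4.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP

    if test -r /proc/net/ip6_tables_names; then
        while read -r table; do
            $IP6TABLES -t "$table" -F
            $IP6TABLES -t "$table" -X
        done < /proc/net/ip6_tables_names
    fi
}

# Set once the point-to-point warning has been printed so it appears only
# once per run.
P2P_INTERFACE_WARNING=""

# Add ($2 = add) or delete ($2 = del) the address given as "addr@iface" in
# $1 and bring the interface up. Point-to-point interfaces are skipped with
# a single warning. All changes go through $FWBDEBUG (echo in test mode).
# Fixed: the old "grep ':' && { v6 add } || { v4 add }" chain re-ran the
# IPv4 form (with "broadcast +") whenever the IPv6 add command failed; the
# two paths are now exclusive. As before, a failed "add" is not fatal but a
# failed "del" aborts with status 1.
missing_address() {
    address=$1
    cmd=$2
    case "$address" in
        *@*)
            addr=${address%%@*}
            interface=${address#*@}
            ;;
        *)
            addr=$address
            interface=""
            ;;
    esac
    if $IP addr show dev "$interface" | grep -q POINTOPOINT; then
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    fi
    if test "$cmd" = "add"; then
        echo "# Adding ip address: $interface $addr"
        case "$addr" in
            *:*)
                # IPv6 addresses have no broadcast address
                $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface"
                ;;
            *)
                $FWBDEBUG $IP addr "$cmd" "$addr" broadcast + dev "$interface"
                ;;
        esac
    fi
    if test "$cmd" = "del"; then
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface" || exit 1
    fi
    $FWBDEBUG $IP link set "$interface" up
}

# Print "addr@iface" for every address of interface $1 whose "ip addr" line
# matches the scope regex $2 ('scope global' or 'scope .*'), skipping the
# space-separated addresses in $3. Output is sorted so it can be diffed.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev "$interface" | \
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read -r addr; do
            echo "${addr}@$interface"
        done | sort
}

# Make the addresses of one interface match the fwbuilder configuration.
# $1 is "iface addr/len ..." (space separated), $2 a list of addresses to
# leave alone. Configured addresses missing from *any* scope are added (so
# an existing link-local copy is not re-added) and global-scope addresses
# that are not configured are deleted. A missing interface aborts the
# script unless FWBDEBUG is set (test_interfaces mode).
update_addresses_of_interface() {
    ignore_list=$2
    # intentional word splitting: $1 carries the interface and its addresses
    set -- $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in "$@"; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    if $IP link show dev "$interface" >/dev/null 2>&1; then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush the global-scope addresses of, and bring down, every interface
# whose name is not among the arguments. Not used on this script's "start"
# path.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
        while read -r intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev "$intf" scope global
            $FWBDEBUG $IP link set "$intf" down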
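        done
}

# Exit 1 when file $2, which backs the run-time address table object $1,
# is not readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1" >&2
        exit 1
    }
}

# This policy uses no run-time address tables; nothing to verify.
check_run_time_address_table_files() {
    :
}

# Load the conntrack modules found under the running kernel's net/ tree,
# plus the NAT modules when $1 contains "nat" and nf_conntrack_ipv6 when it
# contains "ipv6". Any modprobe failure aborts the script.
# Fixed: lsmod output was searched with an unanchored "grep $module", which
# reported a module as loaded when its name merely appeared inside another
# module's name or in the "Used by" column; the match is now anchored to
# the module-name column.
load_modules() {
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(find "$MODULES_DIR" -name '*conntrack*' \! -name '*ipv6*' | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    case "$OPTS" in
        *nat*)
            MODULES="$MODULES $(find "$MODULES_DIR" -name '*nat*' | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
            ;;
    esac
    case "$OPTS" in
        *ipv6*)
            MODULES="$MODULES $(find "$MODULES_DIR" -name nf_conntrack_ipv6 | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
            ;;
    esac
    for module in $MODULES; do
        if $LSMOD | grep -q "^${module}[[:space:]]"; then continue; fi
        $MODPROBE "${module}" || exit 1
    done
}

# Make sure every interface named in the policy exists; log and exit 1
# otherwise. Runs after configure_interfaces, which already aborts on a
# missing interface outside test mode.
verify_interfaces() {
    echo "Verifying interfaces: eth0 eth1"
    for i in eth0 eth1 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# User prolog hook; only announces itself in this policy.
prolog_commands() {
    echo "Running prolog script"
}

# User epilog hook; only announces itself in this policy.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog and exit with status $1.
run_epilog_and_exit() {
    epilog_commands
    exit "$1"
}

# Apply the configured addresses (second argument "" = nothing to ignore).
configure_interfaces() {
    # Configure interfaces
    update_addresses_of_interface "eth0 192.168.1.1/24" ""
    update_addresses_of_interface "eth1 222.222.222.222/24" ""
}

# The compiled policy. Every rule here is a time-limited DENY, and reset_all
# has already set DROP policies, so no new connection is ever accepted: this
# is a fixture exercising the pre-1.4.0 "-m time --days" syntax, not a
# usable policy.
script_body() {
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'filter', rule set Policy
    #
    # Rule 0 (global)
    #
    echo "Rule 0 (global)"
    #
    $IPTABLES -N RULE_0
    $IPTABLES -A OUTPUT -m time --timestart 00:00 --timestop 23:59 --days Sat -j RULE_0
    $IPTABLES -A INPUT -m time --timestart 00:00 --timestop 23:59 --days Sat -j RULE_0
    $IPTABLES -A FORWARD -m time --timestart 00:00 --timestop 23:59 --days Sat -j RULE_0
    $IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -A RULE_0 -j DROP
    #
    # Rule 1 (global)
    #
    echo "Rule 1 (global)"
    #
    $IPTABLES -N RULE_1
    $IPTABLES -A OUTPUT -m time --timestart 00:00 --timestop 23:59 --days Sun -j RULE_1
    $IPTABLES -A INPUT -m time --timestart 00:00 --timestop 23:59 --days Sun -j RULE_1
    $IPTABLES -A FORWARD -m time --timestart 00:00 --timestop 23:59 --days Sun -j RULE_1
    $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
    $IPTABLES -A RULE_1 -j DROP
    #
    # Rule 2 (global)
    #
    echo "Rule 2 (global)"
    #
    $IPTABLES -N RULE_2
    $IPTABLES -A OUTPUT -m time --timestart 18:00 --timestop 23:59 -j RULE_2
    $IPTABLES -A INPUT -m time --timestart 18:00 --timestop 23:59 -j RULE_2
    $IPTABLES -A FORWARD -m time --timestart 18:00 --timestop 23:59 -j RULE_2
    $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
    $IPTABLES -A RULE_2 -j DROP
    #
    # Rule 3 (global)
    #
    echo "Rule 3 (global)"
    #
    $IPTABLES -N RULE_3
    $IPTABLES -A OUTPUT -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j RULE_3
    $IPTABLES -A INPUT -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j RULE_3
    $IPTABLES -A FORWARD -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j RULE_3
    $IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY "
    $IPTABLES -A RULE_3 -j DROP
    #
    # Rule 4 (global)
    #
    echo "Rule 4 (global)"
    #
    $IPTABLES -N RULE_4
    $IPTABLES -A OUTPUT -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RULE_4
    $IPTABLES -A INPUT -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RULE_4
    $IPTABLES -A FORWARD -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RULE_4
    $IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY "
    $IPTABLES -A RULE_4 -j DROP
}

# Enable IPv4 forwarding (the policy carries FORWARD rules).
ip_forward() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Flush every table and fail closed (DROP policies); IPv4 only here.
reset_all() {
    reset_iptables_v4
}

# "block": empty chains with DROP policies -- nothing passes.
block_action() {
    reset_all
}

# "stop": empty chains with ACCEPT policies. NOTE: this leaves the host
# completely unfiltered; it is the opposite of "block", not a safe state.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}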
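# Return 0 when the netfilter table list $1 exists and is non-empty,
# 151 when the file is missing (x_tables not loaded) and 152 when it is
# empty (no tables registered, i.e. the firewall is not configured).
check_iptables() {
    IP_TABLES="$1"
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status": return 0 when either the IPv4 or the IPv6 tables are present,
# otherwise say why and exit 3 (LSB "program is not running").
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:59 2012 by vadim"
        # Everything up to reset_all runs with the previous ruleset still in
        # place; reset_all then fails closed (DROP policies) before
        # script_body installs the new rules. RETVAL reflects only the
        # status of epilog_commands.
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # "start" already flushes and re-applies everything via reset_all.
        # Running "$0 stop" first left the host with ACCEPT policies and no
        # rules for as long as "start" spent in its pre-reset steps (tool
        # checks, prolog, module loading, interface configuration); going
        # straight to "start" closes that window, and a failure before
        # reset_all now keeps the old rules instead of an open firewall.
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" >&2
        # An unknown command used to exit 0 because RETVAL was never set.
        RETVAL=2
        ;;
esac

exit "$RETVAL"
fwbuilder-5.3.7/test/ipt/firewall61-1.2.5.fw.orig000077500000000000000000000375741303637203600212140ustar00rootroot00000000000000
#!/bin/sh
#
#  This is automatically generated file. DO NOT MODIFY !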
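#
#  Firewall Builder  fwb_ipt v5.0.2.3596
#
#  Generated Sun Mar 18 21:16:59 2012 PDT by vadim
#
# files: * firewall61-1.2.5.fw /etc/firewall61-1.2.5.fw
#
# Compiled for iptables lt_1.2.6
#
# testing time limiting for iptables 1.2.5
# firewall61-1.2.5:Policy_ipv6:: warning: target TCPMSS is not supported by ip6tables before v1.3.8
#
# Reference output kept under test/ipt for the fwb_ipt compiler tests. The
# helper library below is the same in every generated script.

# FWBDEBUG is empty for a real run; the "test_interfaces" command sets it to
# "echo" so every interface-changing command below is printed, not executed.
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print $1 and, when a logger binary is present, also send it to syslog at
# priority info. The POSIX builtin "command -v" replaces the external
# "which": log runs before check_tools, so it must not need another tool.
log() {
    echo "$1"
    command -v "$LOGGER" >/dev/null 2>&1 && "$LOGGER" -p info "$1"
}

# Turn an interface name into a variable-name fragment by replacing the
# first "." with "_" (eth0.100 -> eth0_100); only the first dot changes.
getInterfaceVarName() {
    echo "$1" | sed 's/\./_/'
}

# Store the addresses of interface $1 (prefix length and "peer" part
# stripped, one per line) in the variable "${2}_list". $3 is the address
# family flag for ip ("-4"/"-6"). When there is no address, "$2" itself is
# set to '' and "${2}_list" is left untouched -- callers rely on that
# asymmetry. $2 is a variable name emitted by the compiler, never external
# input, which is what makes the eval acceptable.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP "$af" addr show dev "$dev" | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    if test -z "$L"; then
        eval "$name=''"
        return
    fi
    eval "${name}_list=\"$L\""
}

# Like getaddr_internal, but stores the directly connected networks of $1
# (kernel routes other than the default route) in "${2}_list".
# Fixed: $3 was ignored, so getnet6 returned IPv4 networks, and the
# interface was matched with an unanchored "grep $dev", so eth1 also picked
# up eth10, eth11, ... The "dev" field of a route must now equal $1.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP "$af" route list proto kernel | awk -v d="$dev" \
        '$0 !~ /default/ { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == d) { print $1; break } }')
    if test -z "$L"; then
        eval "$name=''"
        return
    fi
    eval "${name}_list=\"$L\""
}

getaddr() {
    getaddr_internal "$1" "$2" "-4"
}

getaddr6() {
    getaddr_internal "$1" "$2" "-6"
}

getnet() {
    getnet_internal "$1" "$2" "-4"
}

getnet6() {
    getnet_internal "$1" "$2" "-6"
}

# Expand a wildcard interface name: print the name from every "N: name: ..."
# header line of "ip link show" that contains ": $1" ($1 is a regular
# expression, as with the grep it replaces; "ppp" lists ppp0, ppp1, ...).
getinterfaces() {
    NAME=$1
    $IP link show | awk -v n="$NAME" \
        '$0 ~ (": " n) { split($0, f, /[ :]+/); print f[2] }'
}

# Run "$1 item $4" for each whitespace-separated item of $2 that is not
# present in $3. Items are compared as whole literal strings; the previous
# "echo $list2 | grep -q $intf" used the item as an unanchored regular
# expression, so "." matched any character and an item such as
# 1.2.3.4/24@eth0 was "found" inside 11.2.3.4/24@eth0.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        found=""
        for other in $list2
        do
            if test "$other" = "$intf"; then
                found="yes"
                break
            fi
        done
        test -n "$found" || {
            # $intf is absent in list 2
            "$func" "$intf" "$cmd"
        }
    done
}

# Exit 1 when program $1 (bare name or absolute path) is not available.
# "command -v" is a POSIX builtin, so the check itself needs no external
# tool; the diagnostic goes to stderr.
find_program() {
    PGM=$1
    command -v "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found" >&2
        exit 1
    }
}

# Check the external tools before anything is modified. "which" stays in
# the list so the set of tools a host must provide is unchanged.
check_tools() {
    find_program which
    find_program "$IPTABLES"
    find_program "$MODPROBE"
    find_program "$IP"
}

# Fail closed, then wipe the IPv4 ruleset: the filter policies are set to
# DROP *before* any chain is flushed so nothing is accepted in between.
# "-F" with no chain flushes every chain of the table and "-X" with no
# chain deletes all user-defined chains; this replaces the old parsing of
# "-L -n" output, which flushed the same chains one by one.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    if test -r /proc/net/ip_tables_names; then
        while read -r table; do
            $IPTABLES -t "$table" -F
            $IPTABLES -t "$table" -X
        done < /proc/net/ip_tables_names
    fi
}

# IPv6 counterpart of reset_iptables_v4.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP

    if test -r /proc/net/ip6_tables_names; then
        while read -r table; do
            $IP6TABLES -t "$table" -F
            $IP6TABLES -t "$table" -X
        done < /proc/net/ip6_tables_names
    fi
}

# Set once the point-to-point warning has been printed so it appears only
# once per run.
P2P_INTERFACE_WARNING=""

# Add ($2 = add) or delete ($2 = del) the address given as "addr@iface" in
# $1 and bring the interface up. Point-to-point interfaces are skipped with
# a single warning. All changes go through $FWBDEBUG (echo in test mode).
# Fixed: the old "grep ':' && { v6 add } || { v4 add }" chain re-ran the
# IPv4 form (with "broadcast +") whenever the IPv6 add command failed; the
# two paths are now exclusive. As before, a failed "add" is not fatal but a
# failed "del" aborts with status 1.
missing_address() {
    address=$1
    cmd=$2
    case "$address" in
        *@*)
            addr=${address%%@*}
            interface=${address#*@}
            ;;
        *)
            addr=$address
            interface=""
            ;;
    esac
    if $IP addr show dev "$interface" | grep -q POINTOPOINT; then
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    fi
    if test "$cmd" = "add"; then
        echo "# Adding ip address: $interface $addr"
        case "$addr" in
            *:*)
                # IPv6 addresses have no broadcast address
                $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface"
                ;;
            *)
                $FWBDEBUG $IP addr "$cmd" "$addr" broadcast + dev "$interface"
                ;;
        esac
    fi
    if test "$cmd" = "del"; then
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface" || exit 1
    fi
    $FWBDEBUG $IP link set "$interface" up
}

# Print "addr@iface" for every address of interface $1 whose "ip addr" line
# matches the scope regex $2 ('scope global' or 'scope .*'), skipping the
# space-separated addresses in $3. Output is sorted so it can be diffed.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev "$interface" | \
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read -r addr; do
            echo "${addr}@$interface"
        done | sort
}

# Make the addresses of one interface match the fwbuilder configuration.
# $1 is "iface addr/len ..." (space separated), $2 a list of addresses to
# leave alone. Configured addresses missing from *any* scope are added (so
# an existing link-local copy is not re-added) and global-scope addresses
# that are not configured are deleted. A missing interface aborts the
# script unless FWBDEBUG is set (test_interfaces mode).
update_addresses_of_interface() {
    ignore_list=$2
    # intentional word splitting: $1 carries the interface and its addresses
    set -- $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in "$@"; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    if $IP link show dev "$interface" >/dev/null 2>&1; then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush the global-scope addresses of, and bring down, every interface
# whose name is not among the arguments. Not used on this script's "start"
# path.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
        while read -r intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev "$intf" scope global
            $FWBDEBUG $IP link set "$intf" down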
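        done
}

# Exit 1 when file $2, which backs the run-time address table object $1,
# is not readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1" >&2
        exit 1
    }
}

# This policy uses no run-time address tables; nothing to verify.
check_run_time_address_table_files() {
    :
}

# Load the conntrack modules found under the running kernel's net/ tree,
# plus the NAT modules when $1 contains "nat" and nf_conntrack_ipv6 when it
# contains "ipv6". Any modprobe failure aborts the script.
# Fixed: lsmod output was searched with an unanchored "grep $module", which
# reported a module as loaded when its name merely appeared inside another
# module's name or in the "Used by" column; the match is now anchored to
# the module-name column.
load_modules() {
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(find "$MODULES_DIR" -name '*conntrack*' \! -name '*ipv6*' | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    case "$OPTS" in
        *nat*)
            MODULES="$MODULES $(find "$MODULES_DIR" -name '*nat*' | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
            ;;
    esac
    case "$OPTS" in
        *ipv6*)
            MODULES="$MODULES $(find "$MODULES_DIR" -name nf_conntrack_ipv6 | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
            ;;
    esac
    for module in $MODULES; do
        if $LSMOD | grep -q "^${module}[[:space:]]"; then continue; fi
        $MODPROBE "${module}" || exit 1
    done
}

# Make sure every interface named in the policy exists; log and exit 1
# otherwise. Runs after configure_interfaces, which already aborts on a
# missing interface outside test mode.
verify_interfaces() {
    echo "Verifying interfaces: eth0 eth1"
    for i in eth0 eth1 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# User prolog hook; only announces itself in this policy.
prolog_commands() {
    echo "Running prolog script"
}

# User epilog hook; only announces itself in this policy.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog and exit with status $1.
run_epilog_and_exit() {
    epilog_commands
    exit "$1"
}

# Apply the configured addresses (second argument "" = nothing to ignore).
configure_interfaces() {
    # Configure interfaces
    update_addresses_of_interface "eth0 192.168.1.1/24" ""
    update_addresses_of_interface "eth1 222.222.222.222/24" ""
}

# The compiled policy. The "fw61-Policy" rule set is compiled for iptables
# < 1.2.6, which cannot branch to a user chain from the mangle table, so
# each rule's time match is replicated into the mangle OUTPUT, INPUT and
# FORWARD chains. Every rule is a DENY and reset_all has already set DROP
# policies, so no new connection is ever accepted: this is a fixture for
# the pre-1.4.0 "-m time --days" syntax, not a usable policy. Note that
# rules 5 and 6 are identical, so rule 6 can never match.
script_body() {
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'mangle', rule set fw61-Policy
    #
    # Rule fw61-Policy 0 (global)
    #
    echo "Rule fw61-Policy 0 (global)"
    #
    $IPTABLES -N fw61-Policy_0 -t mangle
    $IPTABLES -t mangle -A OUTPUT -m time --timestart 00:00 --timestop 23:59 --days Sat -j fw61-Policy_0
    $IPTABLES -t mangle -A INPUT -m time --timestart 00:00 --timestop 23:59 --days Sat -j fw61-Policy_0
    $IPTABLES -t mangle -A FORWARD -m time --timestart 00:00 --timestop 23:59 --days Sat -j fw61-Policy_0
    $IPTABLES -t mangle -A fw61-Policy_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -t mangle -A fw61-Policy_0 -j DROP
    #
    # Rule fw61-Policy 1 (global)
    #
    echo "Rule fw61-Policy 1 (global)"
    #
    $IPTABLES -N fw61-Policy_1 -t mangle
    $IPTABLES -t mangle -A OUTPUT -m time --timestart 00:00 --timestop 23:59 --days Sun -j fw61-Policy_1
    $IPTABLES -t mangle -A INPUT -m time --timestart 00:00 --timestop 23:59 --days Sun -j fw61-Policy_1
    $IPTABLES -t mangle -A FORWARD -m time --timestart 00:00 --timestop 23:59 --days Sun -j fw61-Policy_1
    $IPTABLES -t mangle -A fw61-Policy_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
    $IPTABLES -t mangle -A fw61-Policy_1 -j DROP
    #
    # Rule fw61-Policy 2 (global)
    #
    echo "Rule fw61-Policy 2 (global)"
    #
    $IPTABLES -N fw61-Policy_2 -t mangle
    $IPTABLES -t mangle -A OUTPUT -m time --timestart 18:00 --timestop 23:59 -j fw61-Policy_2
    $IPTABLES -t mangle -A INPUT -m time --timestart 18:00 --timestop 23:59 -j fw61-Policy_2
    $IPTABLES -t mangle -A FORWARD -m time --timestart 18:00 --timestop 23:59 -j fw61-Policy_2
    $IPTABLES -t mangle -A fw61-Policy_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
    $IPTABLES -t mangle -A fw61-Policy_2 -j DROP
    #
    # Rule fw61-Policy 3 (global)
    #
    echo "Rule fw61-Policy 3 (global)"
    #
    $IPTABLES -N fw61-Policy_3 -t mangle
    $IPTABLES -t mangle -A OUTPUT -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j fw61-Policy_3
    $IPTABLES -t mangle -A INPUT -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j fw61-Policy_3
    $IPTABLES -t mangle -A FORWARD -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j fw61-Policy_3
    $IPTABLES -t mangle -A fw61-Policy_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY "
    $IPTABLES -t mangle -A fw61-Policy_3 -j DROP
    #
    # Rule fw61-Policy 4 (global)
    #
    echo "Rule fw61-Policy 4 (global)"
    #
    $IPTABLES -N fw61-Policy_4 -t mangle
    $IPTABLES -t mangle -A OUTPUT -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j fw61-Policy_4
    $IPTABLES -t mangle -A INPUT -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j fw61-Policy_4
    $IPTABLES -t mangle -A FORWARD -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j fw61-Policy_4
    $IPTABLES -t mangle -A fw61-Policy_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY "
    $IPTABLES -t mangle -A fw61-Policy_4 -j DROP
    #
    # Rule fw61-Policy 5 (global)
    #
    echo "Rule fw61-Policy 5 (global)"
    #
    $IPTABLES -N fw61-Policy_5 -t mangle
    $IPTABLES -t mangle -A OUTPUT -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j fw61-Policy_5
    $IPTABLES -t mangle -A INPUT -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j fw61-Policy_5
    $IPTABLES -t mangle -A FORWARD -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j fw61-Policy_5
    $IPTABLES -t mangle -A fw61-Policy_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY "
    $IPTABLES -t mangle -A fw61-Policy_5 -j DROP
    #
    # Rule fw61-Policy 6 (global)
    #
    echo "Rule fw61-Policy 6 (global)"
    #
    $IPTABLES -N fw61-Policy_6 -t mangle
    $IPTABLES -t mangle -A OUTPUT -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j fw61-Policy_6
    $IPTABLES -t mangle -A INPUT -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j fw61-Policy_6
    $IPTABLES -t mangle -A FORWARD -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j fw61-Policy_6
    $IPTABLES -t mangle -A fw61-Policy_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY "
    $IPTABLES -t mangle -A fw61-Policy_6 -j DROP
    #
    # Rule fw61-Policy 7 (global)
    #
    echo "Rule fw61-Policy 7 (global)"
    #
    $IPTABLES -N fw61-Policy_7 -t mangle
    $IPTABLES -t mangle -A OUTPUT -m time --timestart 00:00 --timestop 01:00 --days Fri,Sat -j fw61-Policy_7
    $IPTABLES -t mangle -A INPUT -m time --timestart 00:00 --timestop 01:00 --days Fri,Sat -j fw61-Policy_7
    $IPTABLES -t mangle -A FORWARD -m time --timestart 00:00 --timestop 01:00 --days Fri,Sat -j fw61-Policy_7
    $IPTABLES -t mangle -A fw61-Policy_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY "
    $IPTABLES -t mangle -A fw61-Policy_7 -j DROP
    #
    # Rule fw61-Policy 8 (global)
    #
    echo "Rule fw61-Policy 8 (global)"
    #
    $IPTABLES -N fw61-Policy_8 -t mangle
    $IPTABLES -t mangle -A OUTPUT -m time --timestart 01:00 --timestop 02:00 --days Fri,Sat -j fw61-Policy_8
    $IPTABLES -t mangle -A INPUT -m time --timestart 01:00 --timestop 02:00 --days Fri,Sat -j fw61-Policy_8
    $IPTABLES -t mangle -A FORWARD -m time --timestart 01:00 --timestop 02:00 --days Fri,Sat -j fw61-Policy_8
    $IPTABLES -t mangle -A fw61-Policy_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY "
    $IPTABLES -t mangle -A fw61-Policy_8 -j DROP

    # ================ IPv6
    # ================ Table 'filter', automatic rules
    # target TCPMSS is not supported by ip6tables before v1.3.8
    # accept established sessions
    $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'filter', rule set Policy_ipv6
    #
    # Rule Policy_ipv6 0 (global)
    #
    echo "Rule Policy_ipv6 0 (global)"
    #
    $IP6TABLES -N Policy_ipv6_0
    $IP6TABLES -A OUTPUT -j Policy_ipv6_0
    $IP6TABLES -A INPUT -j Policy_ipv6_0
    $IP6TABLES -A FORWARD -j Policy_ipv6_0
    $IP6TABLES -A Policy_ipv6_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    $IP6TABLES -A Policy_ipv6_0 -j DROP
}

# Enable IPv4 forwarding (the policy carries FORWARD rules).
ip_forward() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Flush every IPv4 and IPv6 table and fail closed (DROP policies).
reset_all() {
    reset_iptables_v4
    reset_iptables_v6
}

# "block": empty chains with DROP policies -- nothing passes.
block_action() {
    reset_all
}

# "stop": empty chains with ACCEPT policies for both families. NOTE: this
# leaves the host completely unfiltered; it is the opposite of "block",
# not a safe state.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT
}

# Return 0 when the netfilter table list $1 exists and is non-empty,
# 151 when the file is missing (x_tables not loaded) and 152 when it is
# empty (no tables registered, i.e. the firewall is not configured).
check_iptables() {
    IP_TABLES="$1"
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status": return 0 when either the IPv4 or the IPv6 tables are present,
# otherwise say why and exit 3 (LSB "program is not running").
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:16:59 2012 by vadim"
        # Everything up to reset_all runs with the previous ruleset still in
        # place; reset_all then fails closed (DROP policies) before
        # script_body installs the new rules. RETVAL reflects only the
        # status of epilog_commands.
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " ipv6"
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # "start" already flushes and re-applies everything via reset_all.
        # Running "$0 stop" first left the host with ACCEPT policies and no
        # rules for as long as "start" spent in its pre-reset steps (tool
        # checks, prolog, module loading, interface configuration); going
        # straight to "start" closes that window, and a failure before
        # reset_all now keeps the old rules instead of an open firewall.
        "$0" start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" >&2
        # An unknown command used to exit 0 because RETVAL was never set.
        RETVAL=2
        ;;
esac

exit "$RETVAL"
fwbuilder-5.3.7/test/ipt/firewall61-1.2.6.fw.orig000077500000000000000000000355741303637203600212130ustar00rootroot00000000000000
#!/bin/sh
#
#  This is automatically generated file. DO NOT MODIFY !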
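#
#  Firewall Builder  fwb_ipt v5.0.2.3596
#
#  Generated Sun Mar 18 21:17:01 2012 PDT by vadim
#
# files: * firewall61-1.2.6.fw /etc/firewall61-1.2.6.fw
#
# Compiled for iptables ge_1.2.6
#
# testing time limiting for iptables 1.2.6
# firewall61-1.2.6:Policy_ipv6:: warning: target TCPMSS is not supported by ip6tables before v1.3.8
#
# Reference output kept under test/ipt for the fwb_ipt compiler tests. The
# helper library below is the same in every generated script.

# FWBDEBUG is empty for a real run; the "test_interfaces" command sets it to
# "echo" so every interface-changing command below is printed, not executed.
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print $1 and, when a logger binary is present, also send it to syslog at
# priority info. The POSIX builtin "command -v" replaces the external
# "which": log runs before check_tools, so it must not need another tool.
log() {
    echo "$1"
    command -v "$LOGGER" >/dev/null 2>&1 && "$LOGGER" -p info "$1"
}

# Turn an interface name into a variable-name fragment by replacing the
# first "." with "_" (eth0.100 -> eth0_100); only the first dot changes.
getInterfaceVarName() {
    echo "$1" | sed 's/\./_/'
}

# Store the addresses of interface $1 (prefix length and "peer" part
# stripped, one per line) in the variable "${2}_list". $3 is the address
# family flag for ip ("-4"/"-6"). When there is no address, "$2" itself is
# set to '' and "${2}_list" is left untouched -- callers rely on that
# asymmetry. $2 is a variable name emitted by the compiler, never external
# input, which is what makes the eval acceptable.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP "$af" addr show dev "$dev" | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    if test -z "$L"; then
        eval "$name=''"
        return
    fi
    eval "${name}_list=\"$L\""
}

# Like getaddr_internal, but stores the directly connected networks of $1
# (kernel routes other than the default route) in "${2}_list".
# Fixed: $3 was ignored, so getnet6 returned IPv4 networks, and the
# interface was matched with an unanchored "grep $dev", so eth1 also picked
# up eth10, eth11, ... The "dev" field of a route must now equal $1.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP "$af" route list proto kernel | awk -v d="$dev" \
        '$0 !~ /default/ { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == d) { print $1; break } }')
    if test -z "$L"; then
        eval "$name=''"
        return
    fi
    eval "${name}_list=\"$L\""
}

getaddr() {
    getaddr_internal "$1" "$2" "-4"
}

getaddr6() {
    getaddr_internal "$1" "$2" "-6"
}

getnet() {
    getnet_internal "$1" "$2" "-4"
}

getnet6() {
    getnet_internal "$1" "$2" "-6"
}

# Expand a wildcard interface name: print the name from every "N: name: ..."
# header line of "ip link show" that contains ": $1" ($1 is a regular
# expression, as with the grep it replaces; "ppp" lists ppp0, ppp1, ...).
getinterfaces() {
    NAME=$1
    $IP link show | awk -v n="$NAME" \
        '$0 ~ (": " n) { split($0, f, /[ :]+/); print f[2] }'
}

# Run "$1 item $4" for each whitespace-separated item of $2 that is not
# present in $3. Items are compared as whole literal strings; the previous
# "echo $list2 | grep -q $intf" used the item as an unanchored regular
# expression, so "." matched any character and an item such as
# 1.2.3.4/24@eth0 was "found" inside 11.2.3.4/24@eth0.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        found=""
        for other in $list2
        do
            if test "$other" = "$intf"; then
                found="yes"
                break
            fi
        done
        test -n "$found" || {
            # $intf is absent in list 2
            "$func" "$intf" "$cmd"
        }
    done
}

# Exit 1 when program $1 (bare name or absolute path) is not available.
# "command -v" is a POSIX builtin, so the check itself needs no external
# tool; the diagnostic goes to stderr.
find_program() {
    PGM=$1
    command -v "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found" >&2
        exit 1
    }
}

# Check the external tools before anything is modified. "which" stays in
# the list so the set of tools a host must provide is unchanged.
check_tools() {
    find_program which
    find_program "$IPTABLES"
    find_program "$MODPROBE"
    find_program "$IP"
}

# Fail closed, then wipe the IPv4 ruleset: the filter policies are set to
# DROP *before* any chain is flushed so nothing is accepted in between.
# "-F" with no chain flushes every chain of the table and "-X" with no
# chain deletes all user-defined chains; this replaces the old parsing of
# "-L -n" output, which flushed the same chains one by one.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    if test -r /proc/net/ip_tables_names; then
        while read -r table; do
            $IPTABLES -t "$table" -F
            $IPTABLES -t "$table" -X
        done < /proc/net/ip_tables_names
    fi
}

# IPv6 counterpart of reset_iptables_v4.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP

    if test -r /proc/net/ip6_tables_names; then
        while read -r table; do
            $IP6TABLES -t "$table" -F
            $IP6TABLES -t "$table" -X
        done < /proc/net/ip6_tables_names
    fi
}

# Set once the point-to-point warning has been printed so it appears only
# once per run.
P2P_INTERFACE_WARNING=""

# Add ($2 = add) or delete ($2 = del) the address given as "addr@iface" in
# $1 and bring the interface up. Point-to-point interfaces are skipped with
# a single warning. All changes go through $FWBDEBUG (echo in test mode).
# Fixed: the old "grep ':' && { v6 add } || { v4 add }" chain re-ran the
# IPv4 form (with "broadcast +") whenever the IPv6 add command failed; the
# two paths are now exclusive. As before, a failed "add" is not fatal but a
# failed "del" aborts with status 1.
missing_address() {
    address=$1
    cmd=$2
    case "$address" in
        *@*)
            addr=${address%%@*}
            interface=${address#*@}
            ;;
        *)
            addr=$address
            interface=""
            ;;
    esac
    if $IP addr show dev "$interface" | grep -q POINTOPOINT; then
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    fi
    if test "$cmd" = "add"; then
        echo "# Adding ip address: $interface $addr"
        case "$addr" in
            *:*)
                # IPv6 addresses have no broadcast address
                $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface"
                ;;
            *)
                $FWBDEBUG $IP addr "$cmd" "$addr" broadcast + dev "$interface"
                ;;
        esac
    fi
    if test "$cmd" = "del"; then
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface" || exit 1
    fi
    $FWBDEBUG $IP link set "$interface" up
}

# Print "addr@iface" for every address of interface $1 whose "ip addr" line
# matches the scope regex $2 ('scope global' or 'scope .*'), skipping the
# space-separated addresses in $3. Output is sorted so it can be diffed.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev "$interface" | \
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read -r addr; do
            echo "${addr}@$interface"
        done | sort
}

# Make the addresses of one interface match the fwbuilder configuration.
# $1 is "iface addr/len ..." (space separated), $2 a list of addresses to
# leave alone. Configured addresses missing from *any* scope are added (so
# an existing link-local copy is not re-added) and global-scope addresses
# that are not configured are deleted. A missing interface aborts the
# script unless FWBDEBUG is set (test_interfaces mode).
update_addresses_of_interface() {
    ignore_list=$2
    # intentional word splitting: $1 carries the interface and its addresses
    set -- $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in "$@"; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    if $IP link show dev "$interface" >/dev/null 2>&1; then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush the global-scope addresses of, and bring down, every interface
# whose name is not among the arguments. Not used on this script's "start"
# path.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
        while read -r intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev "$intf" scope global
            $FWBDEBUG $IP link set "$intf" down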
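        done
}

# Exit 1 when file $2, which backs the run-time address table object $1,
# is not readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1" >&2
        exit 1
    }
}

# This policy uses no run-time address tables; nothing to verify.
check_run_time_address_table_files() {
    :
}

# Load the conntrack modules found under the running kernel's net/ tree,
# plus the NAT modules when $1 contains "nat" and nf_conntrack_ipv6 when it
# contains "ipv6". Any modprobe failure aborts the script.
# Fixed: lsmod output was searched with an unanchored "grep $module", which
# reported a module as loaded when its name merely appeared inside another
# module's name or in the "Used by" column; the match is now anchored to
# the module-name column.
load_modules() {
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(find "$MODULES_DIR" -name '*conntrack*' \! -name '*ipv6*' | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    case "$OPTS" in
        *nat*)
            MODULES="$MODULES $(find "$MODULES_DIR" -name '*nat*' | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
            ;;
    esac
    case "$OPTS" in
        *ipv6*)
            MODULES="$MODULES $(find "$MODULES_DIR" -name nf_conntrack_ipv6 | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
            ;;
    esac
    for module in $MODULES; do
        if $LSMOD | grep -q "^${module}[[:space:]]"; then continue; fi
        $MODPROBE "${module}" || exit 1
    done
}

# Make sure every interface named in the policy exists; log and exit 1
# otherwise. Runs after configure_interfaces, which already aborts on a
# missing interface outside test mode.
verify_interfaces() {
    echo "Verifying interfaces: eth0 eth1"
    for i in eth0 eth1 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# User prolog hook; only announces itself in this policy.
prolog_commands() {
    echo "Running prolog script"
}

# User epilog hook; only announces itself in this policy.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog and exit with status $1.
run_epilog_and_exit() {
    epilog_commands
    exit "$1"
}

# Apply the configured addresses (second argument "" = nothing to ignore).
configure_interfaces() {
    # Configure interfaces
    update_addresses_of_interface "eth0 192.168.1.1/24" ""
    update_addresses_of_interface "eth1 222.222.222.222/24" ""
}

# The compiled policy. For iptables >= 1.2.6 the "fw61-Policy" rule set is
# compiled as one user chain in the mangle table that holds all the time
# matches, instead of the three per-builtin-chain copies used for older
# versions. Every rule in it is a DENY; this is a fixture for the pre-1.4.0
# "-m time --days" syntax, not a usable policy.
script_body() {
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'mangle', rule set fw61-Policy
    #
    # Rule fw61-Policy 0 (global)
    #
    echo "Rule fw61-Policy 0 (global)"
    #
    $IPTABLES -N fw61-Policy -t mangle
    $IPTABLES -N fw61-Policy_0 -t mangle
    $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 23:59 --days Sat -j fw61-Policy_0
    $IPTABLES -t mangle -A fw61-Policy_0 -j LOG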
--log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -t mangle -A fw61-Policy_0 -j DROP # # Rule fw61-Policy 1 (global) # echo "Rule fw61-Policy 1 (global)" # $IPTABLES -N fw61-Policy_1 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 23:59 --days Sun -j fw61-Policy_1 $IPTABLES -t mangle -A fw61-Policy_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -t mangle -A fw61-Policy_1 -j DROP # # Rule fw61-Policy 2 (global) # echo "Rule fw61-Policy 2 (global)" # $IPTABLES -N fw61-Policy_2 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 18:00 --timestop 23:59 -j fw61-Policy_2 $IPTABLES -t mangle -A fw61-Policy_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY " $IPTABLES -t mangle -A fw61-Policy_2 -j DROP # # Rule fw61-Policy 3 (global) # echo "Rule fw61-Policy 3 (global)" # $IPTABLES -N fw61-Policy_3 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j fw61-Policy_3 $IPTABLES -t mangle -A fw61-Policy_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY " $IPTABLES -t mangle -A fw61-Policy_3 -j DROP # # Rule fw61-Policy 4 (global) # echo "Rule fw61-Policy 4 (global)" # $IPTABLES -N fw61-Policy_4 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j fw61-Policy_4 $IPTABLES -t mangle -A fw61-Policy_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY " $IPTABLES -t mangle -A fw61-Policy_4 -j DROP # # Rule fw61-Policy 5 (global) # echo "Rule fw61-Policy 5 (global)" # $IPTABLES -N fw61-Policy_5 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j fw61-Policy_5 $IPTABLES -t mangle -A fw61-Policy_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY " $IPTABLES -t mangle -A fw61-Policy_5 -j DROP # # Rule fw61-Policy 6 (global) # echo "Rule fw61-Policy 6 (global)" # $IPTABLES -N fw61-Policy_6 -t mangle $IPTABLES -t mangle -A 
fw61-Policy -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j fw61-Policy_6 $IPTABLES -t mangle -A fw61-Policy_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " $IPTABLES -t mangle -A fw61-Policy_6 -j DROP # # Rule fw61-Policy 7 (global) # echo "Rule fw61-Policy 7 (global)" # $IPTABLES -N fw61-Policy_7 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 01:00 --days Fri,Sat -j fw61-Policy_7 $IPTABLES -t mangle -A fw61-Policy_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY " $IPTABLES -t mangle -A fw61-Policy_7 -j DROP # # Rule fw61-Policy 8 (global) # echo "Rule fw61-Policy 8 (global)" # $IPTABLES -N fw61-Policy_8 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 01:00 --timestop 02:00 --days Fri,Sat -j fw61-Policy_8 $IPTABLES -t mangle -A fw61-Policy_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY " $IPTABLES -t mangle -A fw61-Policy_8 -j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -N RULE_0 $IPTABLES -A OUTPUT -j RULE_0 $IPTABLES -A INPUT -j RULE_0 $IPTABLES -A FORWARD -j RULE_0 $IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- BRANCH " $IPTABLES -N fw61-Policy $IPTABLES -A RULE_0 -j fw61-Policy # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A OUTPUT -m time --timestart 00:00 --timestop 23:59 --days Sat -j RULE_1 $IPTABLES -A INPUT -m time --timestart 00:00 --timestop 23:59 --days Sat -j RULE_1 $IPTABLES -A FORWARD -m time --timestart 00:00 --timestop 23:59 --days Sat -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A RULE_1 -j DROP # ================ IPv6 # ================ Table 'filter', automatic rules # target TCPMSS is not supported by ip6tables before v1.3.8 # accept established sessions $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j 
ACCEPT $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy_ipv6 # # Rule Policy_ipv6 0 (global) # echo "Rule Policy_ipv6 0 (global)" # $IP6TABLES -N Policy_ipv6_0 $IP6TABLES -A OUTPUT -j Policy_ipv6_0 $IP6TABLES -A INPUT -j Policy_ipv6_0 $IP6TABLES -A FORWARD -j Policy_ipv6_0 $IP6TABLES -A Policy_ipv6_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IP6TABLES -A Policy_ipv6_0 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:01 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " ipv6" configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall61-1.3.x.fw.orig000077500000000000000000000350141303637203600213130ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:01 2012 PDT by vadim # # files: * firewall61-1.3.x.fw /etc/firewall61-1.3.x.fw # # Compiled for iptables 1.3.0 # # testing time litmiting for iptables 1.3.x # firewall61-1.3.x:Policy_ipv6:: warning: target TCPMSS is not supported by ip6tables before v1.3.8 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
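.*$!!')
    test -z "$L" && {
        # NOTE(review): the empty case assigns "$name" while the non-empty
        # case below assigns "${name}_list" -- two different variables.  The
        # callers are not visible here, so this is left as generated.
        eval "$name=''"
        return
    }
    # NOTE(review): eval builds an assignment from the caller-supplied
    # variable name and the text of "ip route" output.  The name is a fixed
    # string inside this script, so this is flagged rather than changed.
    eval "${name}_list=\"$L\""
}

# getaddr DEV NAME / getaddr6 DEV NAME: store DEV's IPv4/IPv6 addresses in
# variable NAME via getaddr_internal (defined earlier in this script).
getaddr() {
    getaddr_internal "$1" "$2" "-4"
}

getaddr6() {
    getaddr_internal "$1" "$2" "-6"
}

# getnet DEV NAME / getnet6 DEV NAME: same for DEV's kernel routes.
getnet() {
    getnet_internal "$1" "$2" "-4"
}

getnet6() {
    getnet_internal "$1" "$2" "-6"
}

# function getinterfaces is used to process wildcard interfaces
# getinterfaces NAME: print the names of interfaces whose "ip link show"
# entry has NAME right after the index ("2: NAME...").
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read -r L; do
        # "2: eth0: <...>" -> split on space and ':' so $2 is the name
        OIFS=$IFS
        IFS=" :"
        set -- $L
        IFS=$OIFS
        echo "$2"
    done
}

# diff_intf FUNC LIST1 LIST2 CMD
# For every word of LIST1 that is not a word of LIST2, call "FUNC word CMD".
# Words are compared exactly.  The previous "echo $list2 | grep -q $intf"
# used the word as an unquoted regular expression matched anywhere in the
# joined list, so e.g. "10.0.0.1/24@eth0" counted as present when only
# "210.0.0.1/24@eth0" was, and the add/del was then skipped.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        found=""
        for known in $list2; do
            if [ "$known" = "$intf" ]; then
                found="yes"
                break
            fi
        done
        test -n "$found" || {
            # $intf is absent in list 2
            $func "$intf" "$cmd"
        }
    done
}

# find_program PGM: exit with status 1 if PGM cannot be found in PATH.
find_program() {
    PGM=$1
    which "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# Fail early if a required tool is missing.  NOTE(review): $IP6TABLES is
# used by reset_iptables_v6 below but is not checked here.
check_tools() {
    find_program which
    find_program "$IPTABLES"
    find_program "$MODPROBE"
    find_program "$IP"
}

# Remove every IPv4 rule.  The built-in chains are set to DROP *before* the
# tables are flushed, so traffic is blocked, not allowed, while the old
# ruleset is being torn down.  Chain names are taken from the "Chain NAME"
# header lines of "iptables -L -n".
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    cat /proc/net/ip_tables_names | while read -r table; do
        $IPTABLES -t "$table" -L -n | while read -r c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t "$table" -F "$chain"
            fi
        done
        $IPTABLES -t "$table" -X
    done
}

# IPv6 counterpart of reset_iptables_v4; same fail-closed ordering.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP

    cat /proc/net/ip6_tables_names | while read -r table; do
        $IP6TABLES -t "$table" -L -n | while read -r c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t "$table" -F "$chain"
            fi
        done
        $IP6TABLES -t "$table" -X
    done
}

# Set once the point-to-point warning below has been printed.
P2P_INTERFACE_WARNING=""

# missing_address ADDR@INTERFACE CMD
# Add (CMD=add) or remove (CMD=del) ADDR on INTERFACE; called by diff_intf
# from update_addresses_of_interface.
missing_address() {
    address=$1
    cmd=$2
    # Split "addr@interface" on '@'; "--" keeps "set" from dumping the
    # environment should the argument ever be empty.
    oldIFS=$IFS
    IFS="@"
    set -- $address
    addr=$1
    interface=$2
    IFS=$oldIFS

    $IP addr show dev "$interface" | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface.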
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 222.222.222.222/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'mangle', rule set fw61-Policy # # Rule fw61-Policy 0 (global) # echo "Rule fw61-Policy 0 (global)" # $IPTABLES -N fw61-Policy -t mangle $IPTABLES -N fw61-Policy_0 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 23:59 --days Sat -j 
fw61-Policy_0 $IPTABLES -t mangle -A fw61-Policy_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -t mangle -A fw61-Policy_0 -j DROP # # Rule fw61-Policy 1 (global) # echo "Rule fw61-Policy 1 (global)" # $IPTABLES -N fw61-Policy_1 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 23:59 --days Sun -j fw61-Policy_1 $IPTABLES -t mangle -A fw61-Policy_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -t mangle -A fw61-Policy_1 -j DROP # # Rule fw61-Policy 2 (global) # echo "Rule fw61-Policy 2 (global)" # $IPTABLES -N fw61-Policy_2 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 18:00 --timestop 23:59 -j fw61-Policy_2 $IPTABLES -t mangle -A fw61-Policy_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY " $IPTABLES -t mangle -A fw61-Policy_2 -j DROP # # Rule fw61-Policy 3 (global) # echo "Rule fw61-Policy 3 (global)" # $IPTABLES -N fw61-Policy_3 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 23:59 --days Sat,Sun -j fw61-Policy_3 $IPTABLES -t mangle -A fw61-Policy_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY " $IPTABLES -t mangle -A fw61-Policy_3 -j DROP # # Rule fw61-Policy 4 (global) # echo "Rule fw61-Policy 4 (global)" # $IPTABLES -N fw61-Policy_4 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j fw61-Policy_4 $IPTABLES -t mangle -A fw61-Policy_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY " $IPTABLES -t mangle -A fw61-Policy_4 -j DROP # # Rule fw61-Policy 5 (global) # echo "Rule fw61-Policy 5 (global)" # $IPTABLES -N fw61-Policy_5 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j fw61-Policy_5 $IPTABLES -t mangle -A fw61-Policy_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY " $IPTABLES -t mangle -A fw61-Policy_5 -j DROP # # Rule fw61-Policy 6 (global) # echo "Rule fw61-Policy 6 (global)" # $IPTABLES 
-N fw61-Policy_6 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 01:01 --timestop 02:02 --days Sun,Mon -j fw61-Policy_6 $IPTABLES -t mangle -A fw61-Policy_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " $IPTABLES -t mangle -A fw61-Policy_6 -j DROP # # Rule fw61-Policy 7 (global) # echo "Rule fw61-Policy 7 (global)" # $IPTABLES -N fw61-Policy_7 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 01:00 --days Fri,Sat -j fw61-Policy_7 $IPTABLES -t mangle -A fw61-Policy_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY " $IPTABLES -t mangle -A fw61-Policy_7 -j DROP # # Rule fw61-Policy 8 (global) # echo "Rule fw61-Policy 8 (global)" # $IPTABLES -N fw61-Policy_8 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 01:00 --timestop 02:00 --days Fri,Sat -j fw61-Policy_8 $IPTABLES -t mangle -A fw61-Policy_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY " $IPTABLES -t mangle -A fw61-Policy_8 -j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -N RULE_0 $IPTABLES -A OUTPUT -j RULE_0 $IPTABLES -A INPUT -j RULE_0 $IPTABLES -A FORWARD -j RULE_0 $IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- BRANCH " $IPTABLES -N fw61-Policy $IPTABLES -A RULE_0 -j fw61-Policy # ================ IPv6 # ================ Table 'filter', automatic rules # accept established sessions $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules # target TCPMSS is not supported by ip6tables before v1.3.8 # ================ Table 'filter', rule set Policy_ipv6 # # Rule Policy_ipv6 0 (global) # echo "Rule Policy_ipv6 0 (global)" # $IP6TABLES -N Policy_ipv6_0 $IP6TABLES -A OUTPUT -j Policy_ipv6_0 $IP6TABLES -A INPUT -j Policy_ipv6_0 $IP6TABLES -A 
FORWARD -j Policy_ipv6_0 $IP6TABLES -A Policy_ipv6_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IP6TABLES -A Policy_ipv6_0 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:01 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " ipv6" configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall61-1.4.fw.orig000077500000000000000000000351211303637203600210450ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:02 2012 PDT by vadim # # files: * firewall61-1.4.fw /etc/firewall61-1.4.fw # # Compiled for iptables 1.4.0 # # testing time litmiting for iptables 1.4.0 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 222.222.222.222/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'mangle', rule set fw61-Policy # # Rule fw61-Policy 0 (global) # echo "Rule fw61-Policy 0 (global)" # $IPTABLES -N fw61-Policy -t mangle $IPTABLES -N fw61-Policy_0 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 23:59 --weekdays Sat 
-j fw61-Policy_0 $IPTABLES -t mangle -A fw61-Policy_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -t mangle -A fw61-Policy_0 -j DROP # # Rule fw61-Policy 1 (global) # echo "Rule fw61-Policy 1 (global)" # $IPTABLES -N fw61-Policy_1 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 23:59 --weekdays Sun -j fw61-Policy_1 $IPTABLES -t mangle -A fw61-Policy_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -t mangle -A fw61-Policy_1 -j DROP # # Rule fw61-Policy 2 (global) # echo "Rule fw61-Policy 2 (global)" # $IPTABLES -N fw61-Policy_2 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 18:00 --timestop 23:59 -j fw61-Policy_2 $IPTABLES -t mangle -A fw61-Policy_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY " $IPTABLES -t mangle -A fw61-Policy_2 -j DROP # # Rule fw61-Policy 3 (global) # echo "Rule fw61-Policy 3 (global)" # $IPTABLES -N fw61-Policy_3 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 00:00 --timestop 23:59 --weekdays Sat,Sun -j fw61-Policy_3 $IPTABLES -t mangle -A fw61-Policy_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY " $IPTABLES -t mangle -A fw61-Policy_3 -j DROP # # Rule fw61-Policy 4 (global) # echo "Rule fw61-Policy 4 (global)" # $IPTABLES -N fw61-Policy_4 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 09:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j fw61-Policy_4 $IPTABLES -t mangle -A fw61-Policy_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY " $IPTABLES -t mangle -A fw61-Policy_4 -j DROP # # Rule fw61-Policy 5 (global) # echo "Rule fw61-Policy 5 (global)" # $IPTABLES -N fw61-Policy_5 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 01:01 --timestop 02:02 --weekdays Sun,Mon -j fw61-Policy_5 $IPTABLES -t mangle -A fw61-Policy_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY " $IPTABLES -t mangle -A fw61-Policy_5 -j DROP # # Rule fw61-Policy 6 (global) # echo "Rule fw61-Policy 6 
(global)" # $IPTABLES -N fw61-Policy_6 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --datestart 2008-03-13T01:01:00 --datestop 2010-01-01T02:02:00 --weekdays Sun,Mon -j fw61-Policy_6 $IPTABLES -t mangle -A fw61-Policy_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " $IPTABLES -t mangle -A fw61-Policy_6 -j DROP # # Rule fw61-Policy 7 (global) # echo "Rule fw61-Policy 7 (global)" # $IPTABLES -N fw61-Policy_7 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --datestart 2008-03-13T00:00:00 --datestop 2010-01-01T01:00:00 --weekdays Fri,Sat -j fw61-Policy_7 $IPTABLES -t mangle -A fw61-Policy_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY " $IPTABLES -t mangle -A fw61-Policy_7 -j DROP # # Rule fw61-Policy 8 (global) # echo "Rule fw61-Policy 8 (global)" # $IPTABLES -N fw61-Policy_8 -t mangle $IPTABLES -t mangle -A fw61-Policy -m time --timestart 01:00 --timestop 02:00 --weekdays Fri,Sat -j fw61-Policy_8 $IPTABLES -t mangle -A fw61-Policy_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY " $IPTABLES -t mangle -A fw61-Policy_8 -j DROP # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -N RULE_0 $IPTABLES -A OUTPUT -j RULE_0 $IPTABLES -A INPUT -j RULE_0 $IPTABLES -A FORWARD -j RULE_0 $IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- BRANCH " $IPTABLES -N fw61-Policy $IPTABLES -A RULE_0 -j fw61-Policy # ================ IPv6 # ================ Table 'filter', automatic rules # accept established sessions $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'filter', rule set Policy_ipv6 # # Rule Policy_ipv6 0 (global) # echo "Rule Policy_ipv6 0 
(global)" # $IP6TABLES -N Policy_ipv6_0 $IP6TABLES -A OUTPUT -j Policy_ipv6_0 $IP6TABLES -A INPUT -j Policy_ipv6_0 $IP6TABLES -A FORWARD -j Policy_ipv6_0 $IP6TABLES -A Policy_ipv6_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IP6TABLES -A Policy_ipv6_0 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:02 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " ipv6" configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall62.fw.orig000077500000000000000000000446131303637203600205540ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:03 2012 PDT by vadim # # files: * firewall62.fw /etc/firewall62.fw # # Compiled for iptables 1.4.0 # # testing rules using UserService object # Note that iptables does not allow entering # iptables command that tries to match using module 'owner' in any chain # other than OUTPUT. This includes user defined chains too (it checks # how control passes to user defined chain and blocks command if # it appears that user defined chain gets control not from OUTPUT) # firewall62:Policy:0: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:2: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:4: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:5: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:5: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:6: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:7: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:8: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:8: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:9: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:9: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:10: warning: Iptables does not 
support module 'owner' in a chain other than OUTPUT # firewall62:Policy:10: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:11: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:11: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:12: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:13: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:16: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:16: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:17: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall62:Policy:17: warning: Iptables does not support module 'owner' in a chain other than OUTPUT FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 222.222.222.222/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # firewall62:Policy:0: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 1 
(global) # echo "Rule 1 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # firewall62:Policy:2: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -N Cid484A599620246.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid484A599620246.0 $IPTABLES -A Cid484A599620246.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid484A599620246.0 -s 222.222.222.222 -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # firewall62:Policy:4: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -A OUTPUT -s 192.168.1.1 -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # firewall62:Policy:5: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # firewall62:Policy:6: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -N Cid4848F1BB20246.0 $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j Cid4848F1BB20246.0 $IPTABLES -A Cid4848F1BB20246.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid4848F1BB20246.0 -d 222.222.222.222 -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # # firewall62:Policy:8: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -A OUTPUT -s ! 
192.168.1.0/24 -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # # firewall62:Policy:9: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # # bug 2186568 # firewall62:Policy:10: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # # bug 2186568 # firewall62:Policy:11: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -N Cid55369X1137.0 $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j Cid55369X1137.0 $IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j Cid55369X1137.0 $IPTABLES -A Cid55369X1137.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid55369X1137.0 -d 222.222.222.222 -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # # bug 2186568 # firewall62:Policy:12: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -A OUTPUT -m owner ! --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # # bug 2186568 # firewall62:Policy:13: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -N Cid72626X1137.0 $IPTABLES -A OUTPUT -m owner ! 
--uid-owner 2000 -m state --state NEW -j Cid72626X1137.0 $IPTABLES -A Cid72626X1137.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid72626X1137.0 -d 222.222.222.222 -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # # bug 2186568 $IPTABLES -N Cid124556X1137.0 $IPTABLES -A INPUT -s 192.168.1.1 -m state --state NEW -j Cid124556X1137.0 $IPTABLES -A INPUT -s 222.222.222.222 -m state --state NEW -j Cid124556X1137.0 $IPTABLES -A OUTPUT -m state --state NEW -j Cid124556X1137.0 $IPTABLES -A Cid124556X1137.0 -m owner --uid-owner 2000 -j RETURN $IPTABLES -A Cid124556X1137.0 -m owner --uid-owner 500 -j RETURN $IPTABLES -A Cid124556X1137.0 -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # # bug 2186568 $IPTABLES -N Cid124573X1137.0 $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j Cid124573X1137.0 $IPTABLES -A OUTPUT -d 222.222.222.222 -m state --state NEW -j Cid124573X1137.0 $IPTABLES -A INPUT -m state --state NEW -j Cid124573X1137.0 $IPTABLES -A Cid124573X1137.0 -m owner --uid-owner 2000 -j RETURN $IPTABLES -A Cid124573X1137.0 -m owner --uid-owner 500 -j RETURN $IPTABLES -A Cid124573X1137.0 -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # bug 2186568 # firewall62:Policy:16: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # # bug 2186568 # firewall62:Policy:17: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -N Cid89930X1137.0 $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j Cid89930X1137.0 $IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j Cid89930X1137.0 $IPTABLES -A Cid89930X1137.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid89930X1137.0 -d 222.222.222.222 -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # $IPTABLES -A OUTPUT -j 
DROP $IPTABLES -A INPUT -j DROP $IPTABLES -A FORWARD -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:03 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall63.fw.orig000077500000000000000000000246261303637203600205570ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:04 2012 PDT by vadim # # files: * firewall63.fw /etc/firewall63.fw # # Compiled for iptables 1.4.0 # # testing TOS and DSCP matching FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done
}

# check_file NAME PATH: abort the run if an address-table file referenced by
# the policy is not readable.  Exiting here happens before reset_all, so the
# previously loaded ruleset stays in place.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# This policy uses no run-time address tables; generated as a no-op.
check_run_time_address_table_files() {
    :
}

# load_modules OPTS: modprobe the conntrack modules found under the running
# kernel's module tree, plus the nat / IPv6 conntrack modules when OPTS
# (a space separated option string from the start action) asks for them.
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
    MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    echo $OPTS | grep -q nat && {
        MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    echo $OPTS | grep -q ipv6 && {
        MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    for module in $MODULES; do
        # NOTE(review): unanchored substring match against lsmod output -- a
        # module whose name is a prefix of an already loaded one (nf_nat vs
        # nf_nat_ftp) is taken as loaded and modprobe is skipped for it.
        if $LSMOD | grep ${module} >/dev/null; then continue; fi
        # A modprobe failure aborts before reset_all; the old rules stay.
        $MODPROBE ${module} || exit 1
    done
}

# Every interface the policy refers to must exist.  This runs after
# configure_interfaces and before reset_all (see the start action below),
# so a missing interface aborts with the previous ruleset still active.
verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 eth1"
    for i in eth0 eth1 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# User-defined prolog/epilog hooks; in this firewall they only print a marker.
prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog and exit with the given status.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Sync interface addresses with the fwbuilder object model.  The second
# argument (ignore list) is empty for both interfaces.
configure_interfaces() {
    :
    # Configure interfaces
    update_addresses_of_interface "eth0 192.168.1.1/24" ""
    update_addresses_of_interface "eth1 222.222.222.222/24" ""
}

# The policy.  Called right after reset_all, i.e. with INPUT/OUTPUT/FORWARD
# flushed and at policy DROP; that DROP policy is the only final deny, this
# rule set emits no explicit catch-all.
# NOTE(review): the exit status of the individual $IPTABLES commands is not
# checked, so a command the installed iptables rejects (e.g. an unsupported
# match) silently leaves its rule out.
script_body() {
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'mangle', automatic rules
    $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # ================ Table 'filter', rule set Policy
    # Rules 0-2 exercise the tos / dscp matches; each is emitted for all
    # three chains, matching new connections only.
    #
    # Rule 0 (global)
    #
    echo "Rule 0 (global)"
    #
    $IPTABLES -A OUTPUT -p all -m tos --tos 0x20 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p all -m tos --tos 0x20 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -p all -m tos --tos 0x20 -m state --state NEW -j ACCEPT
    #
    # Rule 1 (global)
    #
    echo "Rule 1 (global)"
    #
    $IPTABLES -A OUTPUT -p all -m dscp --dscp 0x20 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p all -m dscp --dscp 0x20 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -p all -m dscp --dscp 0x20 -m state --state NEW -j ACCEPT
    #
    # Rule 2 (global)
    #
    echo "Rule 2 (global)"
    #
    $IPTABLES -A OUTPUT -p all -m dscp --dscp-class BE -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p all -m dscp --dscp-class BE -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -p all -m dscp --dscp-class BE -m state --state NEW -j ACCEPT
}

# Enable IPv4 routing; traffic through the box is then governed by the
# FORWARD chain populated above (policy DROP plus the rules in script_body).
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only the IPv4 tables are reset; reset_iptables_v6 is defined but unused.
reset_all() {
    :
    reset_iptables_v4
}

# "block": flush everything and keep the DROP policies set by
# reset_iptables_v4 -- the fail-closed state.
block_action() {
    reset_all
}

# "stop": flush everything and open all three chains.  The host is
# completely unfiltered afterwards; use "block" to lock it down instead.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# check_iptables PROCFILE: 0 when the given table list exists and is
# non-empty, 151 when the file is absent (netfilter modules not loaded),
# 152 when it is empty.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status": return 0 if either the IPv4 or the IPv6 table list is populated;
# otherwise print a diagnostic and exit 3 directly.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:17:04 2012 by vadim"
        # Everything up to verify_interfaces runs with the OLD ruleset still
        # loaded; an exit 1 in any of those steps leaves it untouched.
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        # NOTE(review): this is the status of epilog_commands only.
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # NOTE(review): "stop" sets all policies to ACCEPT and the re-exec'd
        # "start" only restores DROP in reset_all, after check_tools,
        # prolog_commands, load_modules, configure_interfaces and
        # verify_interfaces.  The host is unfiltered during that window and,
        # if one of those steps exits 1, stays unfiltered.  "block" followed
        # by "start" would reload fail-closed.
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
;;
    test_interfaces)
        # Dry run: FWBDEBUG="echo" makes every ip(8) call in missing_address
        # and clear_addresses_except_known_interfaces print instead of
        # execute, and update_addresses_of_interface no longer exits when an
        # interface is missing.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        # NOTE(review): RETVAL is not set on this path, so an unknown
        # command exits with the status of the echo (0).
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        ;;
esac

exit $RETVAL
# --- tar member header (archive residue between two generated scripts) ---
fwbuilder-5.3.7/test/ipt/firewall7.fw.orig000077500000000000000000000314521303637203600204700ustar00rootroot00000000000000
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:17:04 2012 PDT by vadim
#
# files: * firewall7.fw /etc/fw/firewall7.fw
#
# Compiled for iptables (any version)
#
# testing rules with broadcasts and multicasts and action-on-reject "TCP reset"
# testing rules used for DHCP relay running on the firewall between interfaces eth0 and eth2

# FWBDEBUG is a command prefix: empty for real runs, "echo" for the
# test_interfaces dry run (see the dispatch at the end of the script).
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# log MSG: print MSG and, when logger(1) is available, also send it to
# syslog at priority "info".
log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# Make an interface name usable as part of a shell variable name (only the
# first '.' is replaced).
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# getaddr_internal DEV NAME AF: collect the addresses (prefix length and
# peer stripped) of DEV for address family AF ("-4"/"-6") into the variable
# NAME_list; sets NAME to the empty string when there are none.
# NOTE(review): the result is assigned through eval; it only ever carries
# ip(8) output and generated variable names, nothing user controlled.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# getnet_internal DEV NAME AF: same as above for the kernel-installed
# (directly connected) routes of DEV, excluding the default route.
# NOTE(review): "grep $dev" is an unanchored substring match, so for DEV
# "eth1" the routes of eth10/eth11 are collected too.  AF is accepted but
# not used in the route query.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
# Prints the name from every "N: name" link line that contains ": $NAME".
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# diff_intf FUNC LIST1 LIST2 CMD: run "FUNC item CMD" for every item of
# LIST1 that is not found in LIST2.
# NOTE(review): membership is tested with an unanchored grep, so an item
# that is a substring of a LIST2 entry counts as present, and the '.' in
# addresses is a regex wildcard.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        echo $list2 | grep -q $intf || {
            # $vlan is absent in list 2
            $func $intf $cmd
        }
    done
}

# find_program PGM: abort the script if PGM cannot be found on PATH.
find_program() {
    PGM=$1
    which $PGM >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# Tools this script cannot run without.  modprobe is not checked here
# because load_modules is generated as a no-op for this firewall.
check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $IP
}

# Flush every chain of every loaded IPv4 table and delete user chains.
# The policies are set to DROP *before* flushing, so the host is never
# left open while the old rules are removed (fail-closed).
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

# IPv6 counterpart of reset_iptables_v4; defined but not called by
# reset_all in this script.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP

    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t $table -F $chain
            fi
        done
        $IP6TABLES -t $table -X
    done
}

P2P_INTERFACE_WARNING=""

# missing_address ADDR@IFACE add|del: add or remove one address on an
# interface, then bring the interface up.  Point-to-point interfaces are
# left alone (one warning per run).
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }
    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        # IPv6 (contains ':') gets no broadcast; IPv4 derives one with "+".
        # A failed add is not treated as fatal.
        echo $addr | grep -q ':' && {
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        } || {
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        }
    }
    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        # A failed delete aborts the whole script.
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }
    $FWBDEBUG $IP link set $interface up
}

# list_addresses_by_scope IFACE SCOPE_REGEX IGNORE_LIST: print "addr@IFACE"
# (addr as shown by ip, with prefix length) for each inet/inet6 line of
# IFACE matching SCOPE_REGEX whose address is not in the space separated
# IGNORE_LIST, sorted.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
    awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
    'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
    while read addr; do
        echo "${addr}@$interface"
    done | sort
}

# update_addresses_of_interface "IFACE ADDR..." IGNORE_LIST: make the
# interface's addresses match the given list -- add what is missing and
# delete global-scope addresses fwbuilder does not know about.  Link and
# host scope addresses are never deleted.
update_addresses_of_interface() {
    ignore_list=$2
    set $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    $IP link show dev $interface >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        # ("start" calls this before reset_all, so the old rules stay loaded)
        test -z "$FWBDEBUG" && exit 1
    }
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# clear_addresses_except_known_interfaces IFACE...: flush the global-scope
# addresses of, and bring down, every link NOT named in the arguments.
# Destructive by design (it cuts connectivity on unlisted interfaces); this
# script defines it but its configure_interfaces does not call it.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
    'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
    while read intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev $intf scope global
        $FWBDEBUG $IP link set $intf down
done
}

# check_file NAME PATH: abort the run if an address-table file referenced by
# the policy is not readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# No run-time address tables in this policy: generated as a no-op.
check_run_time_address_table_files() {
    :
}

# Compiled for "iptables (any version)": neither module loading nor
# interface verification is emitted, so the "nat " option passed from the
# start action is ignored and a missing interface is only caught by
# update_addresses_of_interface.
load_modules() {
    :
}

verify_interfaces() {
    :
}

# User-defined prolog/epilog hooks; in this firewall they only print a marker.
prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Sync interface addresses with the fwbuilder object model; lo is managed
# as well.  The second argument (ignore list) is empty everywhere.
configure_interfaces() {
    :
    # Configure interfaces
    update_addresses_of_interface "eth0 192.168.1.1/24" ""
    update_addresses_of_interface "eth1 22.22.22.22/24" ""
    update_addresses_of_interface "eth2 192.168.2.1/24" ""
    update_addresses_of_interface "lo 127.0.0.1/8" ""
    update_addresses_of_interface "eth3 22.22.23.23/24" ""
}

# The policy.  Runs right after reset_all, i.e. with INPUT/OUTPUT/FORWARD
# flushed and at policy DROP; that policy is the only final deny here.
# NOTE(review): no $IPTABLES exit status is checked, so a command rejected
# by the installed iptables silently leaves its rule out.
script_body() {
    # Kernel TCP timer settings emitted ahead of the rules.
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

    # ================ IPv4
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'filter', rule set Policy
    # Rules 0-3: UDP/67 arriving on eth0 to the subnet broadcast, the limited
    # broadcast and a multicast destination; rule 3 is the case of a client
    # that has no address yet (source 0.0.0.0).
    #
    # Rule 0 (eth0)
    #
    echo "Rule 0 (eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 192.168.1.255 --dport 67 -m state --state NEW -j ACCEPT
    #
    # Rule 1 (eth0)
    #
    echo "Rule 1 (eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 255.255.255.255 --dport 67 -m state --state NEW -j ACCEPT
    #
    # Rule 2 (eth0)
    #
    echo "Rule 2 (eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 224.0.1.141 --dport 67 -m state --state NEW -j ACCEPT
    #
    # Rule 3 (eth0)
    #
    echo "Rule 3 (eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -s 0.0.0.0 -d 255.255.255.255 --dport 67 -m state --state NEW -j ACCEPT
    #
    # Rule 4 (eth0)
    #
    echo "Rule 4 (eth0)"
    #
    # Replies from the firewall's own eth0 address to the limited broadcast.
    $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.1 -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT
    #
    # Rule 5 (eth2)
    #
    echo "Rule 5 (eth2)"
    #
    # Rules 5/6: relay leg between the firewall and 192.168.2.10 on eth2.
    $IPTABLES -A OUTPUT -o eth2 -p udp -m udp -s 192.168.2.1 -d 192.168.2.10 --dport 67 -m state --state NEW -j ACCEPT
    #
    # Rule 6 (eth2)
    #
    echo "Rule 6 (eth2)"
    #
    $IPTABLES -A INPUT -i eth2 -p udp -m udp -s 192.168.2.10 -d 192.168.1.1 --dport 67 -m state --state NEW -j ACCEPT
    #
    # Rule 7 (global)
    #
    echo "Rule 7 (global)"
    #
    # NOTE(review): RULE_7 carries no protocol or state match, so every
    # packet to 255.255.255.255 or 192.168.1.255 in INPUT/OUTPUT that got
    # past rules 0-6 is logged and dropped here.  Rules 8, 9 and 10 below,
    # which accept UDP/68 to those same destinations, are therefore never
    # reached.  The LOG target has no rate limit.
    $IPTABLES -N RULE_7
    $IPTABLES -A OUTPUT -d 255.255.255.255 -j RULE_7
    $IPTABLES -A OUTPUT -d 192.168.1.255 -j RULE_7
    $IPTABLES -A INPUT -d 255.255.255.255 -j RULE_7
    $IPTABLES -A INPUT -d 192.168.1.255 -j RULE_7
    $IPTABLES -A RULE_7 -j LOG --log-level debug
    $IPTABLES -A RULE_7 -j DROP
    #
    # Rule 8 (global)
    #
    echo "Rule 8 (global)"
    #
    # compiler should place rule in INPUT chain because this is broadcast destination
    $IPTABLES -A OUTPUT -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT
    #
    # Rule 9 (global)
    #
    echo "Rule 9 (global)"
    #
    # compiler should place rule in INPUT chain because this is broadcast destination
    $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.255 --dport 68 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p udp -m udp -d 192.168.1.255 --dport 68 -m state --state NEW -j ACCEPT
    #
    # Rule 10 (global)
    #
    echo "Rule 10 (global)"
    #
    # compiler should place rule in INPUT chain because this is broadcast destination
    $IPTABLES -A OUTPUT -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p udp -m udp -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT
    #
    # Rule 11 (global)
    #
    echo "Rule 11 (global)"
    #
    # Rules 11-14: accept (11 and 12 also log) new traffic to three specific
    # multicast groups before rule 15 drops the rest of 224.0.0.0/4.
    $IPTABLES -N RULE_11
    $IPTABLES -A OUTPUT -d 224.0.1.141 -m state --state NEW -j RULE_11
    $IPTABLES -A INPUT -d 224.0.1.141 -m state --state NEW -j RULE_11
    $IPTABLES -A RULE_11 -j LOG --log-level debug
    $IPTABLES -A RULE_11 -j ACCEPT
    #
    # Rule 12 (global)
    #
    echo "Rule 12 (global)"
    #
    $IPTABLES -N RULE_12
    $IPTABLES -A OUTPUT -d 224.0.0.5 -m state --state NEW -j RULE_12
    $IPTABLES -A INPUT -d 224.0.0.5 -m state --state NEW -j RULE_12
    $IPTABLES -A RULE_12 -j LOG --log-level debug
    $IPTABLES -A RULE_12 -j ACCEPT
    #
    # Rule 13 (global)
    #
    echo "Rule 13 (global)"
    #
    # Same destination as rule 12, already accepted there.
    $IPTABLES -A OUTPUT -d 224.0.0.5 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -d 224.0.0.5 -m state --state NEW -j ACCEPT
    #
    # Rule 14 (global)
    #
    echo "Rule 14 (global)"
    #
    $IPTABLES -A OUTPUT -d 224.0.0.18 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -d 224.0.0.18 -m state --state NEW -j ACCEPT
    #
    # Rule 15 (global)
    #
    echo "Rule 15 (global)"
    #
    # Unlogged catch-all for all remaining multicast in INPUT and OUTPUT.
    $IPTABLES -A OUTPUT -d 224.0.0.0/4 -j DROP
    $IPTABLES -A INPUT -d 224.0.0.0/4 -j DROP
}

# Routing is not enabled by this script; FORWARD only carries the
# ESTABLISHED,RELATED rule and otherwise drops by policy.
ip_forward() {
    :
}

# Only the IPv4 tables are reset; reset_iptables_v6 is defined but unused.
reset_all() {
    :
    reset_iptables_v4
}

# "block": flush everything and keep the DROP policies set by
# reset_iptables_v4 -- the fail-closed state.
block_action() {
    reset_all
}

# "stop": flush everything and open all three chains.  The host is
# completely unfiltered afterwards; use "block" to lock it down instead.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# check_iptables PROCFILE: 0 when the given table list exists and is
# non-empty, 151 when the file is absent (netfilter modules not loaded),
# 152 when it is empty.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status": return 0 if either the IPv4 or the IPv6 table list is populated;
# otherwise print a diagnostic and exit 3 directly.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:17:04 2012 by vadim"
        # Everything up to verify_interfaces runs with the OLD ruleset still
        # loaded; an exit 1 in any of those steps leaves it untouched.
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules "nat "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        # NOTE(review): this is the status of epilog_commands only.
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # NOTE(review): "stop" sets all policies to ACCEPT and the re-exec'd
        # "start" only restores DROP in reset_all, after check_tools,
        # prolog_commands, configure_interfaces and the other pre-steps.
        # The host is unfiltered during that window and, if one of those
        # steps exits 1, stays unfiltered.  "block" followed by "start"
        # would reload fail-closed.
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # Dry run: ip(8) calls are echoed instead of executed.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall70.fw.orig000077500000000000000000000334231303637203600205500ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:05 2012 PDT by vadim # # files: * firewall70.fw iptables.sh # # Compiled for iptables (any version) # # this firewall translates outgoing connections using address of the particular interface (not external one). Also testing different cmbinations of objects in the policy rules on loopback interface. Finally, testing for a situation when dynamic interface "shades" a rule with old broadcast # Also the name of the script on the firewall is different # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. 
Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) # firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global) # firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global) # firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global) # firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global) FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo" for i in eth0 eth1 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 66.66.66.130/25" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set very_long_ruleset_name_should_be_gt_30_chars # # Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) # echo "Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)" # # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: 
error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) $IPTABLES -N very_long_ruleset_name_should_be_gt_30_chars $IPTABLES -N very_long_ruleset_name_should_be_gt_30_chars_0 $IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars -j very_long_ruleset_name_should_be_gt_30_chars_0 $IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars_0 -j DROP # ================ Table 'filter', rule set not_quite_long_ruleset_name # # Rule not_quite_long_ruleset_name 0 (global) # echo "Rule not_quite_long_ruleset_name 0 (global)" # # firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. 
Rule not_quite_long_ruleset_name 0 (global) $IPTABLES -N not_quite_long_ruleset_name $IPTABLES -N Cid208737X59595.0 $IPTABLES -A not_quite_long_ruleset_name -s 22.22.22.0/24 -j Cid208737X59595.0 $IPTABLES -A not_quite_long_ruleset_name -s 33.33.33.0/24 -j Cid208737X59595.0 $IPTABLES -A Cid208737X59595.0 -d 66.66.66.130 -j RETURN $IPTABLES -A Cid208737X59595.0 -d 192.168.1.1 -j RETURN $IPTABLES -N not_quite_long_ruleset_name_0_3 $IPTABLES -A Cid208737X59595.0 -j not_quite_long_ruleset_name_0_3 $IPTABLES -A not_quite_long_ruleset_name_0_3 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A not_quite_long_ruleset_name_0_3 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:05 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? 
;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall71.fw.orig000077500000000000000000000271601303637203600205520ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:06 2012 PDT by vadim # # files: * firewall71.fw /etc/fw/firewall71.fw # # Compiled for iptables 1.4.0 # # this firewall uses iptables-restore format. # two rule sets for the filter table, no rules in mangle, to make sure there is only one COMMIT for both # option "Clamp MSS to MTU" should be off because it puts rule # in mangle table. FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : echo "Verifying interfaces: eth0 eth2" for i in eth0 eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # backup ssh access echo "-A INPUT -p tcp -m tcp -s 192.168.1.1/255.255.255.255 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT " echo "-A OUTPUT -p tcp -m tcp -d 192.168.1.1/255.255.255.255 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop TCP sessions opened prior firewall restart echo "-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " echo "-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " echo "-A FORWARD -p tcp -m tcp ! 
--tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " # drop packets that do not match any valid state echo "-A OUTPUT -m state --state INVALID -j DROP " echo "-A INPUT -m state --state INVALID -j DROP " echo "-A FORWARD -m state --state INVALID -j DROP " # ================ Table 'filter', rule set fw71_policy_2 # # Rule fw71_policy_2 0 (global) echo ":fw71_policy_2 - [0:0]" echo ":fw71_policy_2_0 - [0:0]" echo "-A fw71_policy_2 -j fw71_policy_2_0 " echo "-A fw71_policy_2_0 -j LOG " echo "-A fw71_policy_2_0 -j DROP " # # ================ Table 'filter', rule set Policy # # Rule 0 (global) echo ":Cid42351X60089.0 - [0:0]" echo "-A OUTPUT -d 200.200.200.200 -m state --state NEW -j Cid42351X60089.0 " echo "-A Cid42351X60089.0 -s 192.168.1.0/24 -j ACCEPT " echo "-A Cid42351X60089.0 -s 192.168.2.0/24 -j ACCEPT " echo ":Cid42351X60089.1 - [0:0]" echo "-A FORWARD -d 200.200.200.200 -m state --state NEW -j Cid42351X60089.1 " echo "-A Cid42351X60089.1 -s 192.168.1.0/24 -j ACCEPT " echo "-A Cid42351X60089.1 -s 192.168.2.0/24 -j ACCEPT " # # Rule 1 (global) echo ":RULE_1 - [0:0]" echo "-A OUTPUT -j RULE_1 " echo "-A INPUT -j RULE_1 " echo "-A FORWARD -j RULE_1 " echo "-A RULE_1 -j LOG " echo "-A RULE_1 -j fw71_policy_2 " # # Rule 2 (global) # Automatically generated 'catch all' rule echo ":RULE_2 - [0:0]" echo "-A OUTPUT -j RULE_2 " echo "-A INPUT -j RULE_2 " echo "-A FORWARD -j RULE_2 " echo "-A RULE_2 -j LOG " echo "-A RULE_2 -j DROP " # echo COMMIT echo '*nat' # ================ Table 'nat', rule set NAT echo :PREROUTING ACCEPT [0:0] echo :POSTROUTING ACCEPT [0:0] echo :OUTPUT ACCEPT [0:0] # # Rule 0 (NAT) echo "-A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1 " # echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? 
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:06 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall72-1.3.x.fw.orig000077500000000000000000000412021303637203600213110ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:07 2012 PDT by vadim # # files: * firewall72-1.3.x.fw /etc/fw/firewall72-1.3.x.fw # # Compiled for iptables 1.3.0 # # this firewall is used to test a rule in the global policy of object "firewall" # firewall72-1.3.x:Policy:10: error: Rule '10 (eth1)' shadows rule '13 (eth1)' below it # firewall72-1.3.x:Policy:10: error: Rule '10 (eth1)' shadows rule '14 (eth1)' below it # firewall72-1.3.x:Policy:15: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall72-1.3.x::: warning: Can not add virtual address for object address # firewall72-1.3.x::: warning: Can not add virtual address for object address FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 33.33.33.33/24" "" update_addresses_of_interface "eth1 172.16.1.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -s ! 192.168.1.0/24 -d 200.200.200.200 -j SNAT --to-source 22.22.22.23 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -s ! 
192.168.1.0/24 -d 200.200.200.200 --dport 80 -j SNAT --to-source 22.22.22.23 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d ! 192.168.2.0/24 -j SNAT --to-source 33.33.33.33 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 192.168.2.0/24 -j SNAT --to-source 172.16.1.1 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 192.168.1.0/24 -d ! 192.168.2.0/24 --dport 80 -j SNAT --to-source 33.33.33.33 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 -d ! 192.168.2.0/24 --dport 80 -j SNAT --to-source 172.16.1.1 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -N Cid212911X8629.0 $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j Cid212911X8629.0 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j Cid212911X8629.0 $IPTABLES -t nat -A Cid212911X8629.0 -d 192.168.1.0/24 -j RETURN $IPTABLES -t nat -A Cid212911X8629.0 -d 192.168.2.0/24 -j RETURN $IPTABLES -t nat -A Cid212911X8629.0 -j SNAT --to-source 172.16.1.1 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 -d ! 192.168.1.1 --dport 80 -j REDIRECT --to-ports 3128 # ================ Table 'filter', rule set Policy # # Rule 0 (lo) # echo "Rule 0 (lo)" # $IPTABLES -A INPUT -i ! lo -s 127.0.0.1 -j DROP $IPTABLES -A FORWARD -i ! lo -s 127.0.0.1 -j DROP $IPTABLES -A OUTPUT -o ! lo -s 127.0.0.1 -j DROP # # Rule 1 (eth1) # echo "Rule 1 (eth1)" # $IPTABLES -N Cid107355X8629.0 $IPTABLES -A OUTPUT -o eth1 -s ! 192.168.1.0/24 -j Cid107355X8629.0 $IPTABLES -A Cid107355X8629.0 -d 33.33.33.33 -j DROP $IPTABLES -A Cid107355X8629.0 -d 172.16.1.1 -j DROP $IPTABLES -N Cid107355X8629.1 $IPTABLES -A FORWARD -o eth1 -s ! 
192.168.1.0/24 -j Cid107355X8629.1 $IPTABLES -A Cid107355X8629.1 -d 33.33.33.33 -j DROP $IPTABLES -A Cid107355X8629.1 -d 172.16.1.1 -j DROP # # Rule 2 (eth1) # echo "Rule 2 (eth1)" # $IPTABLES -N Cid107338X8629.0 $IPTABLES -A INPUT -i eth1 -d ! 192.168.1.0/24 -j Cid107338X8629.0 $IPTABLES -A Cid107338X8629.0 -s 33.33.33.33 -j DROP $IPTABLES -A Cid107338X8629.0 -s 172.16.1.1 -j DROP $IPTABLES -N Cid107338X8629.1 $IPTABLES -A FORWARD -i eth1 -d ! 192.168.1.0/24 -j Cid107338X8629.1 $IPTABLES -A Cid107338X8629.1 -s 33.33.33.33 -j DROP $IPTABLES -A Cid107338X8629.1 -s 172.16.1.1 -j DROP # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -N Cid107321X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid107321X8629.0 $IPTABLES -A Cid107321X8629.0 -p tcp -m tcp --dport 80 -j RETURN $IPTABLES -A Cid107321X8629.0 -j DROP # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N Cid107304X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid107304X8629.0 $IPTABLES -A Cid107304X8629.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN $IPTABLES -A Cid107304X8629.0 -j DROP # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N Cid107287X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid107287X8629.0 $IPTABLES -A Cid107287X8629.0 -p icmp -m icmp --icmp-type 3/1 -j RETURN $IPTABLES -A Cid107287X8629.0 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N Cid107270X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid107270X8629.0 $IPTABLES -A Cid107270X8629.0 -p icmp -m icmp --icmp-type 3/1 -j RETURN $IPTABLES -A Cid107270X8629.0 -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N Cid107253X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid107253X8629.0 $IPTABLES -A Cid107253X8629.0 -p 47 -j RETURN $IPTABLES -A Cid107253X8629.0 -j DROP # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N Cid107236X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid107236X8629.0 $IPTABLES -A Cid107236X8629.0 -p tcp -m tcp --tcp-flags ALL NONE -j RETURN $IPTABLES -A 
Cid107236X8629.0 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -A OUTPUT -d 172.16.1.1 -m mark ! --mark 16 -j DROP $IPTABLES -A INPUT -d 172.16.1.1 -m mark ! --mark 16 -j DROP # # Rule 10 (eth1) # echo "Rule 10 (eth1)" # # Should use ! -i eth1 eventually # firewall72-1.3.x:Policy:10: error: Rule '10 (eth1)' shadows rule '13 (eth1)' below it # firewall72-1.3.x:Policy:10: error: Rule '10 (eth1)' shadows rule '14 (eth1)' below it $IPTABLES -A FORWARD -i ! eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP # # Rule 11 (eth1) # echo "Rule 11 (eth1)" # # Should use ! -i eth1 eventually $IPTABLES -N Cid107185X8629.0 $IPTABLES -A FORWARD -i ! eth1 -d 192.168.1.0/24 -j Cid107185X8629.0 $IPTABLES -A Cid107185X8629.0 -p tcp -m tcp --tcp-flags ALL NONE -j RETURN $IPTABLES -A Cid107185X8629.0 -j DROP # # Rule 12 (eth1) # echo "Rule 12 (eth1)" # # Should use ! -i eth1 eventually $IPTABLES -A OUTPUT -o ! eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP $IPTABLES -A FORWARD -o ! eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP # # Rule 13 (eth1) # echo "Rule 13 (eth1)" # # Should use ! -i eth1 eventually $IPTABLES -A FORWARD -i ! eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP $IPTABLES -A OUTPUT -o ! eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP $IPTABLES -A FORWARD -o ! eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP # # Rule 14 (eth1) # echo "Rule 14 (eth1)" # # Should use ! -i eth1 eventually $IPTABLES -A FORWARD -i ! eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP $IPTABLES -A OUTPUT -o ! eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP $IPTABLES -A FORWARD -o ! 
eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP # # Rule 15 (global) # echo "Rule 15 (global)" # # firewall72-1.3.x:Policy:15: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -A OUTPUT -d 172.16.1.1 -m owner ! --uid-owner 500 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:07 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall72-1.4.3.fw.orig000077500000000000000000000412021303637203600212050ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:07 2012 PDT by vadim # # files: * firewall72-1.4.3.fw /etc/fw/firewall72-1.4.3.fw # # Compiled for iptables 1.4.3 # # this firewall is used to test a rule in the global policy of object "firewall" # firewall72-1.4.3:Policy:10: error: Rule '10 (eth1)' shadows rule '13 (eth1)' below it # firewall72-1.4.3:Policy:10: error: Rule '10 (eth1)' shadows rule '14 (eth1)' below it # firewall72-1.4.3:Policy:15: warning: Iptables does not support module 'owner' in a chain other than OUTPUT # firewall72-1.4.3::: warning: Can not add virtual address for object address # firewall72-1.4.3::: warning: Can not add virtual address for object address FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!')
    # Empty result: only "$name" is set (to ''); the non-empty branch below
    # sets "${name}_list" instead. Asymmetry kept as generated.
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Address-family wrappers: $1 = interface, $2 = shell variable to populate.
getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
# Prints every link name from `ip link show` whose ": name" column starts
# with $NAME. It is a plain grep substring match, so "eth1" also yields
# "eth10", "eth11", ... (that is the intent for wildcard "+" interfaces).
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        # Split "N: name: <flags>" on space and ':' so that $2 is the bare name.
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# diff_intf FUNC LIST1 LIST2 CMD
# Calls "FUNC item CMD" for each whitespace-separated item of LIST1 that is
# not found in LIST2.
# NOTE(review): membership is an unanchored regex substring test
# (`grep -q $intf`), so "eth1" counts as present when LIST2 holds "eth10",
# and the '.' in an address matches any character. A fixed-string whole-item
# match (one item per line, grep -qxF) would be exact. This is generated
# reference output, so the fix belongs in the fwbuilder configlet that emits
# it, not in this file.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        echo $list2 | grep -q $intf || {
            # $vlan is absent in list 2
            $func $intf $cmd
        }
    done
}

# Abort the whole script (exit 1) when $1 cannot be found on $PATH.
find_program() {
    PGM=$1
    which $PGM >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# Verify the external tools this script depends on before any state is
# touched; this is the first step of the "start" branch.
check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $MODPROBE
    find_program $IP
}

# Fail-closed reset of the IPv4 ruleset: the built-in chain policies are
# switched to DROP *before* anything is flushed, so there is no window with
# empty chains and ACCEPT policies. Every chain of every table listed in
# /proc/net/ip_tables_names is then flushed and user-defined chains deleted.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t $table -L -n | while read c chain rest; do
            # "Chain <name> (...)" header lines name each chain in the table.
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

# IPv6 counterpart of reset_iptables_v4 with the same DROP-first ordering.
# Defined but not invoked: this script's reset_all (further down) only calls
# the IPv4 variant, so ip6tables is left untouched.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t $table -F $chain
            fi
        done
        $IP6TABLES -t $table -X
    done
}

# Set once missing_address has printed the point-to-point warning, so the
# warning is emitted only once per run.
P2P_INTERFACE_WARNING=""

# missing_address ADDR@IFACE CMD
# Adds (CMD=add) or deletes (CMD=del) one address on an interface; used as
# the callback of diff_intf. Point-to-point interfaces are skipped with a
# one-time warning. The body continues on the following line.
missing_address() {
    address=$1
    cmd=$2
    # Split "addr@interface" on '@' through the positional parameters.
    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface.
fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }
    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        # A ':' in the address marks IPv6, which is added without "broadcast +".
        # NOTE(review): a failing "ip addr add" is not checked here, unlike the
        # "del" branch below, so the script carries on without the address the
        # generated rules refer to.
        echo $addr | grep -q ':' && {
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        } || {
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        }
    }
    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }
    # The link is brought up after either operation. With FWBDEBUG="echo"
    # (test_interfaces mode) all of these become dry-run prints.
    $FWBDEBUG $IP link set $interface up
}

# list_addresses_by_scope IFACE SCOPE_REGEX IGNORE_LIST
# Prints "addr/prefix@IFACE", sorted, for every inet/inet6 address of IFACE
# whose `ip addr` line matches SCOPE_REGEX, skipping the addresses named in
# the whitespace-separated IGNORE_LIST.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
    awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
    'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
    while read addr; do
        echo "${addr}@$interface"
    done | sort
}

# update_addresses_of_interface "IFACE ADDR1 ADDR2 ..." IGNORE_LIST
# Reconciles the interface's addresses with the fwbuilder configuration:
# configured addresses missing in *any* scope are added; *global*-scope
# addresses present on the box but not configured are deleted, so link-local
# and host-scope addresses are never removed.
update_addresses_of_interface() {
    ignore_list=$2
    # "$1" is one space-separated word list; re-split it so $1 becomes the
    # interface and the remaining words the configured addresses.
    set $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    $IP link show dev $interface >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        # NOTE(review): in the "start" sequence this runs before reset_all, so
        # exiting here leaves whatever ruleset was already loaded (or none,
        # with the kernel's ACCEPT default policies on a fresh boot) in place.
        test -z "$FWBDEBUG" && exit 1
    }
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# clear_addresses_except_known_interfaces IFACE...
# Flushes global-scope addresses from, and brings down, every link listed by
# `ip link show` that is not named in the arguments. Defined but not invoked
# by this script's configure_interfaces. The loop closes on the next line.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
    'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
    while read intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev $intf scope global
        $FWBDEBUG $IP link set $intf down
done
}

# check_file OBJECT FILE
# Abort unless FILE, referenced by address table OBJECT, is readable. Not
# called by this script: its check_run_time_address_table_files is a no-op.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# No run-time address table files are used by this policy.
check_run_time_address_table_files() {
    :
}

# load_modules OPTS
# Loads the netfilter kernel modules found under the running kernel's net/
# tree: every *conntrack* module except IPv6 ones, plus the *nat* modules
# when OPTS contains "nat" and nf_conntrack_ipv6 when it contains "ipv6".
# Module names are derived from file names (directory and extension
# stripped by the sed expressions).
# NOTE(review): the lsmod check is an unanchored grep, so any loaded module
# whose name merely contains the candidate name makes the modprobe be
# skipped; and a modprobe failure exits the script before reset_all has run,
# leaving the previous (or, at boot, no) ruleset active. Both belong to the
# generating configlet, not to this reference output.
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
    MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    echo $OPTS | grep -q nat && {
        MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    echo $OPTS | grep -q ipv6 && {
        MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    for module in $MODULES; do
        if $LSMOD | grep ${module} >/dev/null; then continue; fi
        $MODPROBE ${module} || exit 1
    done
}

# Placeholder: no interface verification is generated for this firewall.
verify_interfaces() {
    :
}

# User prolog hook; for this policy it only prints a marker line.
prolog_commands() {
    echo "Running prolog script"
}

# User epilog hook; for this policy it only prints a marker line.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog hook, then exit the script with status $1.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Apply the addresses configured in fwbuilder to each interface. Each call
# passes "interface addr..." as one word list and an (empty) ignore list.
configure_interfaces() {
    :
    # Configure interfaces
    update_addresses_of_interface "eth0 33.33.33.33/24" ""
    update_addresses_of_interface "eth1 172.16.1.1/24" ""
    update_addresses_of_interface "lo 127.0.0.1/8" ""
}

# The generated ruleset. In the "start" branch it runs after reset_all has
# set DROP policies and flushed every table, so rules are appended to empty
# chains. The body continues on the following lines.
script_body() {
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ================ Table 'nat', rule set NAT
    #
    # Rule 0 (NAT)
    #
    echo "Rule 0 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth+ ! -s 192.168.1.0/24 -d 200.200.200.200 -j SNAT --to-source 22.22.22.23
    #
    # Rule 1 (NAT)
    #
    echo "Rule 1 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp !
-s 192.168.1.0/24 -d 200.200.200.200 --dport 80 -j SNAT --to-source 22.22.22.23 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 ! -d 192.168.2.0/24 -j SNAT --to-source 33.33.33.33 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 ! -d 192.168.2.0/24 -j SNAT --to-source 172.16.1.1 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 192.168.1.0/24 ! -d 192.168.2.0/24 --dport 80 -j SNAT --to-source 33.33.33.33 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 ! -d 192.168.2.0/24 --dport 80 -j SNAT --to-source 172.16.1.1 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # $IPTABLES -t nat -N Cid213031X8629.0 $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j Cid213031X8629.0 $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j Cid213031X8629.0 $IPTABLES -t nat -A Cid213031X8629.0 -d 192.168.1.0/24 -j RETURN $IPTABLES -t nat -A Cid213031X8629.0 -d 192.168.2.0/24 -j RETURN $IPTABLES -t nat -A Cid213031X8629.0 -j SNAT --to-source 172.16.1.1 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 ! -d 192.168.1.1 --dport 80 -j REDIRECT --to-ports 3128 # ================ Table 'filter', rule set Policy # # Rule 0 (lo) # echo "Rule 0 (lo)" # $IPTABLES -A INPUT ! -i lo -s 127.0.0.1 -j DROP $IPTABLES -A FORWARD ! -i lo -s 127.0.0.1 -j DROP $IPTABLES -A OUTPUT ! -o lo -s 127.0.0.1 -j DROP # # Rule 1 (eth1) # echo "Rule 1 (eth1)" # $IPTABLES -N Cid170430X8629.0 $IPTABLES -A OUTPUT -o eth1 ! -s 192.168.1.0/24 -j Cid170430X8629.0 $IPTABLES -A Cid170430X8629.0 -d 33.33.33.33 -j DROP $IPTABLES -A Cid170430X8629.0 -d 172.16.1.1 -j DROP $IPTABLES -N Cid170430X8629.1 $IPTABLES -A FORWARD -o eth1 ! 
-s 192.168.1.0/24 -j Cid170430X8629.1 $IPTABLES -A Cid170430X8629.1 -d 33.33.33.33 -j DROP $IPTABLES -A Cid170430X8629.1 -d 172.16.1.1 -j DROP # # Rule 2 (eth1) # echo "Rule 2 (eth1)" # $IPTABLES -N Cid170442X8629.0 $IPTABLES -A INPUT -i eth1 ! -d 192.168.1.0/24 -j Cid170442X8629.0 $IPTABLES -A Cid170442X8629.0 -s 33.33.33.33 -j DROP $IPTABLES -A Cid170442X8629.0 -s 172.16.1.1 -j DROP $IPTABLES -N Cid170442X8629.1 $IPTABLES -A FORWARD -i eth1 ! -d 192.168.1.0/24 -j Cid170442X8629.1 $IPTABLES -A Cid170442X8629.1 -s 33.33.33.33 -j DROP $IPTABLES -A Cid170442X8629.1 -s 172.16.1.1 -j DROP # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -N Cid170454X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid170454X8629.0 $IPTABLES -A Cid170454X8629.0 -p tcp -m tcp --dport 80 -j RETURN $IPTABLES -A Cid170454X8629.0 -j DROP # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N Cid170466X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid170466X8629.0 $IPTABLES -A Cid170466X8629.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN $IPTABLES -A Cid170466X8629.0 -j DROP # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N Cid170478X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid170478X8629.0 $IPTABLES -A Cid170478X8629.0 -p icmp -m icmp --icmp-type 3/1 -j RETURN $IPTABLES -A Cid170478X8629.0 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N Cid170490X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid170490X8629.0 $IPTABLES -A Cid170490X8629.0 -p icmp -m icmp --icmp-type 3/1 -j RETURN $IPTABLES -A Cid170490X8629.0 -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N Cid170502X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid170502X8629.0 $IPTABLES -A Cid170502X8629.0 -p 47 -j RETURN $IPTABLES -A Cid170502X8629.0 -j DROP # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N Cid170514X8629.0 $IPTABLES -A INPUT -d 172.16.1.1 -j Cid170514X8629.0 $IPTABLES -A Cid170514X8629.0 -p tcp -m tcp --tcp-flags ALL NONE -j RETURN $IPTABLES -A 
Cid170514X8629.0 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -A OUTPUT -d 172.16.1.1 -m mark ! --mark 16 -j DROP $IPTABLES -A INPUT -d 172.16.1.1 -m mark ! --mark 16 -j DROP # # Rule 10 (eth1) # echo "Rule 10 (eth1)" # # Should use ! -i eth1 eventually # firewall72-1.4.3:Policy:10: error: Rule '10 (eth1)' shadows rule '13 (eth1)' below it # firewall72-1.4.3:Policy:10: error: Rule '10 (eth1)' shadows rule '14 (eth1)' below it $IPTABLES -A FORWARD ! -i eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP # # Rule 11 (eth1) # echo "Rule 11 (eth1)" # # Should use ! -i eth1 eventually $IPTABLES -N Cid170550X8629.0 $IPTABLES -A FORWARD ! -i eth1 -d 192.168.1.0/24 -j Cid170550X8629.0 $IPTABLES -A Cid170550X8629.0 -p tcp -m tcp --tcp-flags ALL NONE -j RETURN $IPTABLES -A Cid170550X8629.0 -j DROP # # Rule 12 (eth1) # echo "Rule 12 (eth1)" # # Should use ! -i eth1 eventually $IPTABLES -A OUTPUT ! -o eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP $IPTABLES -A FORWARD ! -o eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP # # Rule 13 (eth1) # echo "Rule 13 (eth1)" # # Should use ! -i eth1 eventually $IPTABLES -A FORWARD ! -i eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP $IPTABLES -A OUTPUT ! -o eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP $IPTABLES -A FORWARD ! -o eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP # # Rule 14 (eth1) # echo "Rule 14 (eth1)" # # Should use ! -i eth1 eventually $IPTABLES -A FORWARD ! -i eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP $IPTABLES -A OUTPUT ! -o eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP $IPTABLES -A FORWARD ! 
-o eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP # # Rule 15 (global) # echo "Rule 15 (global)" # # firewall72-1.4.3:Policy:15: warning: Iptables does not support module 'owner' in a chain other than OUTPUT $IPTABLES -A OUTPUT -d 172.16.1.1 -m owner ! --uid-owner 500 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:07 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall73.fw.orig000077500000000000000000000320751303637203600205550ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:08 2012 PDT by vadim # # files: * firewall73.fw /etc/fw/firewall73.fw # # Compiled for iptables 1.4.3 # # testing for "-i +" that is generated # when interface rule element is "any" # but direction is inbound. Trying different # combinations. Bug 2822098 # "Firewall is part of any" is on FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 33.33.33.33/24" "" update_addresses_of_interface "eth1 172.16.1.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -j DROP $IPTABLES -A FORWARD -i eth0 -j DROP $IPTABLES -A OUTPUT -o eth0 -j DROP $IPTABLES -A FORWARD -o eth0 -j DROP # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # $IPTABLES -A INPUT -i eth0 -j DROP $IPTABLES -A FORWARD -i eth0 -j DROP # # Rule 2 (eth0) # echo "Rule 2 (eth0)" # $IPTABLES -A OUTPUT -o eth0 -j DROP $IPTABLES -A 
FORWARD -o eth0 -j DROP # # Rule 3 (lo) # echo "Rule 3 (lo)" # $IPTABLES -A INPUT -i lo -j DROP $IPTABLES -A OUTPUT -o lo -j DROP # # Rule 4 (lo) # echo "Rule 4 (lo)" # $IPTABLES -A INPUT -i lo -j DROP # # Rule 5 (lo) # echo "Rule 5 (lo)" # $IPTABLES -A OUTPUT -o lo -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -A OUTPUT -j DROP $IPTABLES -A INPUT -j DROP $IPTABLES -A FORWARD -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A INPUT -j DROP $IPTABLES -A FORWARD -i + -j DROP # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -A OUTPUT -j DROP $IPTABLES -A FORWARD -o + -j DROP # # Rule 9 (eth0) # echo "Rule 9 (eth0)" # $IPTABLES -A INPUT -i eth0 -j DROP $IPTABLES -A OUTPUT -o eth0 -d 33.33.33.33 -j DROP $IPTABLES -A OUTPUT -o eth0 -d 172.16.1.1 -j DROP # # Rule 10 (eth0) # echo "Rule 10 (eth0)" # $IPTABLES -A INPUT -i eth0 -j DROP # # Rule 11 (eth0) # echo "Rule 11 (eth0)" # $IPTABLES -A OUTPUT -o eth0 -d 33.33.33.33 -j DROP $IPTABLES -A OUTPUT -o eth0 -d 172.16.1.1 -j DROP # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -A OUTPUT -d 33.33.33.33 -j DROP $IPTABLES -A OUTPUT -d 172.16.1.1 -j DROP $IPTABLES -A INPUT -j DROP # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -A INPUT -j DROP # # Rule 14 (global) # echo "Rule 14 (global)" # $IPTABLES -A OUTPUT -d 33.33.33.33 -j DROP $IPTABLES -A OUTPUT -d 172.16.1.1 -j DROP $IPTABLES -A FORWARD -o + -d 33.33.33.33 -j DROP $IPTABLES -A FORWARD -o + -d 172.16.1.1 -j DROP # # Rule 15 (eth0) # echo "Rule 15 (eth0)" # $IPTABLES -A INPUT -i eth0 -s 33.33.33.33 -j DROP $IPTABLES -A INPUT -i eth0 -s 172.16.1.1 -j DROP $IPTABLES -A FORWARD -i eth0 -s 33.33.33.33 -j DROP $IPTABLES -A FORWARD -i eth0 -s 172.16.1.1 -j DROP $IPTABLES -A OUTPUT -o eth0 -j DROP # # Rule 16 (eth0) # echo "Rule 16 (eth0)" # $IPTABLES -A INPUT -i eth0 -s 33.33.33.33 -j DROP $IPTABLES -A INPUT -i eth0 -s 172.16.1.1 -j DROP $IPTABLES -A FORWARD -i eth0 -s 33.33.33.33 -j DROP $IPTABLES -A FORWARD -i 
eth0 -s 172.16.1.1 -j DROP
    #
    # Rule 17 (eth0)
    #
    echo "Rule 17 (eth0)"
    #
    $IPTABLES -A OUTPUT -o eth0 -j DROP
    #
    # Rule 18 (global)
    #
    echo "Rule 18 (global)"
    #
    $IPTABLES -A INPUT -s 33.33.33.33 -j DROP
    $IPTABLES -A INPUT -s 172.16.1.1 -j DROP
    $IPTABLES -A OUTPUT -j DROP
    #
    # Rule 19 (global)
    #
    echo "Rule 19 (global)"
    #
    $IPTABLES -A INPUT -s 33.33.33.33 -j DROP
    $IPTABLES -A INPUT -s 172.16.1.1 -j DROP
    $IPTABLES -A FORWARD -i + -s 33.33.33.33 -j DROP
    $IPTABLES -A FORWARD -i + -s 172.16.1.1 -j DROP
    #
    # Rule 20 (global)
    #
    echo "Rule 20 (global)"
    #
    $IPTABLES -A OUTPUT -j DROP
}

# No forwarding sysctl is generated for this firewall; the kernel's current
# ip_forward setting is left as is.
ip_forward() {
    :
}

# Reset only the IPv4 ruleset (DROP policies first, then flush). ip6tables is
# not touched by this script.
reset_all() {
    :
    reset_iptables_v4
}

# "block": fail closed. DROP policies on all built-in chains with no rules.
block_action() {
    reset_all
}

# "stop": flush everything, then open the host completely with ACCEPT
# policies on all built-in chains. "stop" (and the stop half of "reload")
# therefore removes all filtering rather than failing closed; "block" is the
# fail-closed alternative.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# check_iptables PROCFILE
# Returns 151 when PROCFILE (the kernel's list of loaded tables) does not
# exist, 152 when it is empty, and 0 when at least one table is listed.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status": returns 0 when either the IPv4 or the IPv6 table list is
# non-empty. Otherwise it prints the reason and exits the whole script with
# 3 rather than returning.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

# Entry point dispatch.
# NOTE(review): in "start", check_tools, load_modules and
# configure_interfaces can exit 1 *before* reset_all, in which case the
# previously loaded ruleset (or none, at first boot) stays active. RETVAL
# after "start" is the status of epilog_commands only, so an iptables error
# inside script_body does not change the exit code. "reload" runs a full
# "stop" (ACCEPT policies) before "start", leaving a window with no
# filtering. The case statement continues on the following line.
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:17:08 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall74.fw.orig000077500000000000000000000234431303637203600205550ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:09 2012 PDT by vadim # # files: * firewall74.fw /etc/fw/firewall74.fw # # Compiled for iptables 1.4.0 # # this firewall uses iptables-restore format and has no rules FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IPTABLES_RESTORE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : echo "Verifying interfaces: eth0 eth2" for i in eth0 eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 ( echo '*filter' # ================ Table 'filter', automatic rules echo :INPUT DROP [0:0] echo :FORWARD DROP [0:0] echo :OUTPUT DROP [0:0] # accept established sessions echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT " echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT " # backup ssh access echo "-A INPUT -p tcp -m tcp -s 192.168.1.1/255.255.255.255 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT " echo "-A OUTPUT -p tcp -m tcp -d 192.168.1.1/255.255.255.255 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT " # drop TCP sessions opened prior firewall restart echo "-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " echo "-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " echo "-A FORWARD -p tcp -m tcp ! 
--tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP " # drop packets that do not match any valid state echo "-A OUTPUT -m state --state INVALID -j DROP " echo "-A INPUT -m state --state INVALID -j DROP " echo "-A FORWARD -m state --state INVALID -j DROP " echo COMMIT ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$? test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:09 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall8.fw.orig000077500000000000000000000225231303637203600204700ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:10 2012 PDT by vadim # # files: * firewall8.fw /etc/fw/firewall8.fw # # Compiled for iptables (any version) # # this firewall is used to test a rule in the global policy of object "firewall" FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 33.33.33.33/24" "" update_addresses_of_interface "eth1 172.16.1.1/24" "" update_addresses_of_interface "eth2 192.168.100.1/24" "" getaddr ppp0 i_ppp0 getaddr6 ppp0 i_ppp0_v6 getnet ppp0 i_ppp0_network getnet6 ppp0 i_ppp0_v6_network } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:10 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall80.fw.orig000077500000000000000000000246511303637203600205540ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:10 2012 PDT by vadim # # files: * firewall80.fw /etc/fw/firewall80.fw # # Compiled for iptables (any version) # # Branch rules in NAT # firewall80:NAT:0: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.0.2.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth1 192.168.1.100/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT_1 # # Rule NAT_1 0 (NAT) # echo "Rule NAT_1 0 (NAT)" # # DNAT Rule $IPTABLES -t nat -N NAT_1_PREROUTING $IPTABLES -t nat -A NAT_1_PREROUTING -d 192.0.2.1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A OUTPUT -d 192.0.2.1 -j DNAT --to-destination 192.168.1.10 # # Rule NAT_1 1 (NAT) # echo "Rule NAT_1 1 (NAT)" # # SNAT rule $IPTABLES -t nat -N NAT_1_POSTROUTING $IPTABLES -t nat -A NAT_1_POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 192.0.2.1 # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # # Branch rule with actual translation. 
Translation is ignored and warning should be issued # firewall80:NAT:0: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' $IPTABLES -t nat -A POSTROUTING -d 192.0.2.1 -j NAT_1_POSTROUTING $IPTABLES -t nat -A PREROUTING -d 192.0.2.1 -j NAT_1_PREROUTING # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # # DNAT Rule $IPTABLES -t nat -A POSTROUTING -j NAT_1_POSTROUTING $IPTABLES -t nat -A PREROUTING -j NAT_1_PREROUTING # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # # for #1686 $IPTABLES -t nat -A POSTROUTING -p tcp -m tcp -s 192.0.2.1 --dport 10000:11000 -j NAT_1_POSTROUTING $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.0.2.1 --dport 10000:11000 -j NAT_1_PREROUTING # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # # for #1686 $IPTABLES -t nat -A POSTROUTING -p tcp -m tcp -s 192.0.2.1 --dport 10000:11000 -j NAT_1_POSTROUTING $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.0.2.1 --dport 10000:11000 -j NAT_1_PREROUTING } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:10 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall81.fw.orig000077500000000000000000000266601303637203600205570ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:11 2012 PDT by vadim # # files: * firewall81.fw /etc/fw/firewall81.fw # # Compiled for iptables (any version) # # This firewall has no "top" rule set objects. # firewall81::: warning: Missing top level NAT ruleset # firewall81::: warning: Missing top level Policy ruleset # firewall81:NAT_2:0: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' # firewall81:NAT_2:0: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. Will split the rule and place it in both PREROUTNING and POSTROUTING # firewall81:NAT_2:1: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. 
Will split the rule and place it in both PREROUTNING and POSTROUTING # firewall81:Policy:: warning: Log prefix has been truncated to 29 characters # firewall81:Policy:: warning: Log prefix has been truncated to 29 characters FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.0.2.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth1 192.168.1.100/24" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'nat', rule set NAT_2 # # Rule NAT_2 0 (NAT) # echo "Rule NAT_2 0 (NAT)" # # Branch rule with actual translation. # Translation is ignored and warning should be issued # firewall81:NAT_2:0: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. Will split the rule and place it in both PREROUTNING and POSTROUTING # firewall81:NAT_2:0: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' $IPTABLES -t nat -N NAT_1 $IPTABLES -t nat -A POSTROUTING -d 192.0.2.1 -j NAT_1 $IPTABLES -t nat -A PREROUTING -d 192.0.2.1 -j NAT_1 # # Rule NAT_2 1 (NAT) # echo "Rule NAT_2 1 (NAT)" # # DNAT Rule # firewall81:NAT_2:1: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. 
Will split the rule and place it in both PREROUTNING and POSTROUTING $IPTABLES -t nat -A POSTROUTING -j NAT_1 $IPTABLES -t nat -A PREROUTING -j NAT_1 # ================ Table 'nat', rule set NAT_1 # # Rule NAT_1 0 (NAT) # echo "Rule NAT_1 0 (NAT)" # # DNAT Rule $IPTABLES -t nat -N NAT_1_PREROUTING $IPTABLES -t nat -A NAT_1_PREROUTING -d 192.0.2.1 -j DNAT --to-destination 192.168.1.10 # # Rule NAT_1 1 (NAT) # echo "Rule NAT_1 1 (NAT)" # # SNAT rule $IPTABLES -t nat -N NAT_1_POSTROUTING $IPTABLES -t nat -A NAT_1_POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 192.0.2.1 # ================ Table 'nat', rule set NAT_1 # # Rule NAT_1 0 (NAT) # echo "Rule NAT_1 0 (NAT)" # # DNAT Rule $IPTABLES -t nat -A NAT_1_PREROUTING -d 192.0.2.1 -j DNAT --to-destination 192.168.1.10 # # Rule NAT_1 1 (NAT) # echo "Rule NAT_1 1 (NAT)" # # SNAT rule $IPTABLES -t nat -A NAT_1_POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 192.0.2.1 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -N Policy $IPTABLES -N RULE_0 $IPTABLES -A Policy -j RULE_0 $IPTABLES -A RULE_0 -j LOG --log-level debug --log-prefix "RULE 0 -- DENY on interface g" $IPTABLES -A RULE_0 -j DROP } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:11 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall82.fw.orig000077500000000000000000000257761303637203600205670ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:12 2012 PDT by vadim # # files: * firewall82.fw /etc/firewall82.fw # # Compiled for iptables (any version) # # This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. # Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. 
Internal network is configured with address 192.168.1.0/255.255.255.0 # firewall82:Policy:0: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo" for i in eth0 eth1 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth1 192.168.1.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" getaddr eth0 i_eth0 getaddr6 eth0 i_eth0_v6 getnet eth0 i_eth0_network getnet6 eth0 i_eth0_v6_network } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE # ================ Table 'filter', rule set Policy_A # # Rule Policy_A 0 (global) # echo "Rule Policy_A 0 (global)" # $IPTABLES -N Policy_A $IPTABLES -N Policy_B $IPTABLES -A Policy_A 
-j Policy_B # # Rule Policy_A 1 (global) # echo "Rule Policy_A 1 (global)" # # recursive branching $IPTABLES -N Policy $IPTABLES -A Policy_A -j Policy # # Rule Policy_A 2 (global) # echo "Rule Policy_A 2 (global)" # $IPTABLES -A Policy_A -j Policy_A # ================ Table 'filter', rule set Policy_B # # Rule Policy_B 0 (global) # echo "Rule Policy_B 0 (global)" # $IPTABLES -A Policy_B -d 192.0.2.100 -m state --state NEW -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A OUTPUT -j Policy_A $IPTABLES -A INPUT -j Policy_A $IPTABLES -A FORWARD -j Policy_A } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:12 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? 
;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall82_A.fw.orig000077500000000000000000000246301303637203600210130ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:13 2012 PDT by vadim # # files: * firewall82_A.fw /etc/fw/firewall82_A.fw # # Compiled for iptables (any version) # # this object is used to hold branch rulesets for firewall82 # firewall82_A:Policy_A:1: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop # firewall82_A:Policy_A:1: warning: Rule branches to rule set Policy which branches back to it, creating a loop # firewall82_A:Policy_A:2: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy_B # # Rule Policy_B 0 (global) # echo "Rule Policy_B 0 (global)" # $IPTABLES -N Policy_B $IPTABLES -A Policy_B -d 192.0.2.100 -m state --state NEW -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -N Policy $IPTABLES -N Policy_A $IPTABLES -A Policy -j Policy_A # ================ Table 'filter', rule set Policy_A # # Rule Policy_A 0 (global) # echo "Rule Policy_A 0 (global)" # $IPTABLES -A OUTPUT -j Policy_B $IPTABLES -A INPUT -j Policy_B $IPTABLES -A FORWARD -j Policy_B # # Rule Policy_A 1 (global) # echo "Rule Policy_A 1 (global)" # # recursive branching $IPTABLES -A OUTPUT -j 
Policy $IPTABLES -A INPUT -j Policy $IPTABLES -A FORWARD -j Policy # # Rule Policy_A 2 (global) # echo "Rule Policy_A 2 (global)" # $IPTABLES -A OUTPUT -j Policy_A $IPTABLES -A INPUT -j Policy_A $IPTABLES -A FORWARD -j Policy_A } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:13 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall82_B.fw.orig000077500000000000000000000224171303637203600210150ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:13 2012 PDT by vadim # # files: * firewall82_B.fw /etc/fw/firewall82_B.fw # # Compiled for iptables (any version) # # this object is used to hold branch rulesets for firewall82 and firewall82_A FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy_B # # Rule Policy_B 0 (global) # echo "Rule Policy_B 0 (global)" # $IPTABLES -A OUTPUT -d 192.0.2.100 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.0.2.100 -m state --state NEW -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:13 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall9.fw.orig000077500000000000000000000574651303637203600205060ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:15 2012 PDT by vadim # # files: * firewall9.fw /etc/fw/firewall9.fw # # Compiled for iptables (any version) # # testing rules with action-on-reject "TCP reset" # firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. # firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. # firewall9:Policy:6: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. 
# firewall9:Policy:7: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi 
done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the 
script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.1/24" "" update_addresses_of_interface "eth1 22.22.22.22/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -N Cid3D4DF362.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 6667 -j Cid3D4DF362.0 $IPTABLES -N RULE_0 $IPTABLES -A Cid3D4DF362.0 -d 22.22.22.22 -j RULE_0 $IPTABLES -A Cid3D4DF362.0 -d 192.168.1.1 -j RULE_0 $IPTABLES -A INPUT -p tcp -m tcp --dport 6667 -j RULE_0 
$IPTABLES -A RULE_0 -j LOG --log-level debug --log-prefix "RULE 0 -- REJECT global" $IPTABLES -A RULE_0 -p tcp -m tcp -j REJECT --reject-with tcp-reset # # Rule 1 (global) # echo "Rule 1 (global)" # # firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -N Cid3D4DF36C.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 53 -j Cid3D4DF36C.0 $IPTABLES -N RULE_1 $IPTABLES -A Cid3D4DF36C.0 -d 22.22.22.22 -j RULE_1 $IPTABLES -A Cid3D4DF36C.0 -d 192.168.1.1 -j RULE_1 $IPTABLES -A INPUT -p udp -m udp --dport 53 -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level debug --log-prefix "RULE 1 -- REJECT global" $IPTABLES -A RULE_1 -j REJECT --reject-with icmp-net-unreachable # # Rule 2 (global) # echo "Rule 2 (global)" # # firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -N Cid3D4DF376.0 $IPTABLES -A OUTPUT -p icmp -j Cid3D4DF376.0 $IPTABLES -A OUTPUT -p 50 -j Cid3D4DF376.0 $IPTABLES -N RULE_2 $IPTABLES -A Cid3D4DF376.0 -d 22.22.22.22 -j RULE_2 $IPTABLES -A Cid3D4DF376.0 -d 192.168.1.1 -j RULE_2 $IPTABLES -A INPUT -p icmp -j RULE_2 $IPTABLES -A INPUT -p 50 -j RULE_2 $IPTABLES -A RULE_2 -j LOG --log-level debug --log-prefix "RULE 2 -- REJECT global" $IPTABLES -A RULE_2 -j REJECT --reject-with icmp-net-unreachable # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -N Cid3D4DF380.0 $IPTABLES -A OUTPUT -p udp -m udp -m multiport --dports 53,161 -j Cid3D4DF380.0 $IPTABLES -N RULE_3_1 $IPTABLES -A Cid3D4DF380.0 -d 22.22.22.22 -j RULE_3_1 $IPTABLES -A Cid3D4DF380.0 -d 192.168.1.1 -j RULE_3_1 $IPTABLES -A INPUT -p udp -m udp -m multiport --dports 53,161 -j RULE_3_1 $IPTABLES -A RULE_3_1 -j LOG --log-level debug --log-prefix "RULE 3 -- REJECT global" $IPTABLES -A RULE_3_1 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -N Cid3D4DF380.1 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 10000:11000 -j Cid3D4DF380.1 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j Cid3D4DF380.1 
$IPTABLES -N RULE_3_2 $IPTABLES -A Cid3D4DF380.1 -d 22.22.22.22 -j RULE_3_2 $IPTABLES -A Cid3D4DF380.1 -d 192.168.1.1 -j RULE_3_2 $IPTABLES -A INPUT -p tcp -m tcp --dport 10000:11000 -j RULE_3_2 $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j RULE_3_2 $IPTABLES -A RULE_3_2 -j LOG --log-level debug --log-prefix "RULE 3 -- REJECT global" $IPTABLES -A RULE_3_2 -p tcp -m tcp -j REJECT --reject-with tcp-reset # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N Cid3D4DF38A.0 $IPTABLES -A OUTPUT -p udp -m udp -m multiport --dports 53,161 -j Cid3D4DF38A.0 $IPTABLES -A Cid3D4DF38A.0 -d 22.22.22.22 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -A Cid3D4DF38A.0 -d 192.168.1.1 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -A INPUT -p udp -m udp -m multiport --dports 53,161 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -N Cid3D4DF38A.1 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 10000:11000 -j Cid3D4DF38A.1 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j Cid3D4DF38A.1 $IPTABLES -A Cid3D4DF38A.1 -p tcp -m tcp -d 22.22.22.22 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid3D4DF38A.1 -p tcp -m tcp -d 192.168.1.1 -j REJECT --reject-with tcp-reset $IPTABLES -A INPUT -p tcp -m tcp --dport 10000:11000 -j REJECT --reject-with tcp-reset $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N Cid3D4DF394.0 $IPTABLES -A INPUT -p udp -m udp -m multiport --dports 53,161 -j Cid3D4DF394.0 $IPTABLES -A Cid3D4DF394.0 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3D4DF394.0 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid3D4DF394.0 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -A OUTPUT -p udp -m udp -m multiport --dports 53,161 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -A FORWARD -p udp -m udp -m multiport --dports 53,161 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -N Cid3D4DF394.1 $IPTABLES -A INPUT -p tcp -m tcp --dport 10000:11000 -j Cid3D4DF394.1 
$IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j Cid3D4DF394.1 $IPTABLES -A Cid3D4DF394.1 -d 22.22.22.22 -j RETURN $IPTABLES -A Cid3D4DF394.1 -d 192.168.1.1 -j RETURN $IPTABLES -A Cid3D4DF394.1 -p tcp -m tcp -j REJECT --reject-with tcp-reset $IPTABLES -A OUTPUT -p tcp -m tcp --dport 10000:11000 -j REJECT --reject-with tcp-reset $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset $IPTABLES -A FORWARD -p tcp -m tcp --dport 10000:11000 -j REJECT --reject-with tcp-reset $IPTABLES -A FORWARD -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset # # Rule 6 (global) # echo "Rule 6 (global)" # # firewall9:Policy:6: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -N Cid3D4DF39E.0 $IPTABLES -A OUTPUT -d 22.22.22.22 -j Cid3D4DF39E.0 $IPTABLES -A OUTPUT -d 192.168.1.1 -j Cid3D4DF39E.0 $IPTABLES -A INPUT -j Cid3D4DF39E.0 $IPTABLES -A Cid3D4DF39E.0 -p tcp -m tcp --dport 10000:11000 -j RETURN $IPTABLES -A Cid3D4DF39E.0 -p tcp -m tcp --dport 113 -j RETURN $IPTABLES -A Cid3D4DF39E.0 -p udp -m udp -m multiport --dports 53,161 -j RETURN $IPTABLES -A Cid3D4DF39E.0 -j REJECT --reject-with icmp-net-unreachable # # Rule 7 (global) # echo "Rule 7 (global)" # # firewall9:Policy:7: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. 
$IPTABLES -N Cid3D4DF3A8.0 $IPTABLES -A OUTPUT -d 22.22.22.22 -j Cid3D4DF3A8.0 $IPTABLES -A OUTPUT -d 192.168.1.1 -j Cid3D4DF3A8.0 $IPTABLES -A INPUT -j Cid3D4DF3A8.0 $IPTABLES -A Cid3D4DF3A8.0 -p tcp -m tcp --dport 10000:11000 -j RETURN $IPTABLES -A Cid3D4DF3A8.0 -p tcp -m tcp --dport 113 -j RETURN $IPTABLES -A Cid3D4DF3A8.0 -p udp -m udp -m multiport --dports 53,161 -j RETURN $IPTABLES -N RULE_7_3 $IPTABLES -A Cid3D4DF3A8.0 -j RULE_7_3 $IPTABLES -A RULE_7_3 -j LOG --log-level debug --log-prefix "RULE 7 -- REJECT global" $IPTABLES -A RULE_7_3 -j REJECT --reject-with icmp-net-unreachable # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j REJECT --reject-with tcp-reset $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j REJECT --reject-with tcp-reset $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j REJECT --reject-with tcp-reset # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N Cid4144FFAE.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j Cid4144FFAE.0 $IPTABLES -A Cid4144FFAE.0 -p tcp -m tcp -s 192.168.1.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid4144FFAE.0 -p tcp -m tcp -s 192.168.2.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -N Cid4144FFAE.1 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -j Cid4144FFAE.1 $IPTABLES -A Cid4144FFAE.1 -p tcp -m tcp -s 192.168.1.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid4144FFAE.1 -p tcp -m tcp -s 192.168.2.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -N Cid4144FFAE.2 $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j Cid4144FFAE.2 $IPTABLES -A Cid4144FFAE.2 -p tcp -m tcp -s 192.168.1.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid4144FFAE.2 -p tcp -m tcp -s 192.168.2.0/24 -j REJECT --reject-with tcp-reset # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -N Cid41456B50.0 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid41456B50.0 $IPTABLES -A Cid41456B50.0 -s 192.168.1.0/24 -j 
REJECT --reject-with icmp-net-unreachable $IPTABLES -A Cid41456B50.0 -s 192.168.2.0/24 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -N Cid41456B50.1 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid41456B50.1 $IPTABLES -A Cid41456B50.1 -s 192.168.1.0/24 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -A Cid41456B50.1 -s 192.168.2.0/24 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -N Cid41456B50.2 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid41456B50.2 $IPTABLES -A Cid41456B50.2 -s 192.168.1.0/24 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -A Cid41456B50.2 -s 192.168.2.0/24 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -N Cid41456B50.3 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j Cid41456B50.3 $IPTABLES -A Cid41456B50.3 -p tcp -m tcp -s 192.168.1.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid41456B50.3 -p tcp -m tcp -s 192.168.2.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -N Cid41456B50.4 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -j Cid41456B50.4 $IPTABLES -A Cid41456B50.4 -p tcp -m tcp -s 192.168.1.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid41456B50.4 -p tcp -m tcp -s 192.168.2.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -N Cid41456B50.5 $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j Cid41456B50.5 $IPTABLES -A Cid41456B50.5 -p tcp -m tcp -s 192.168.1.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid41456B50.5 -p tcp -m tcp -s 192.168.2.0/24 -j REJECT --reject-with tcp-reset # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -N Cid41456B75.0 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid41456B75.0 $IPTABLES -A Cid41456B75.0 -s 192.168.1.0/24 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -A Cid41456B75.0 -s 192.168.2.0/24 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -N Cid41456B75.1 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid41456B75.1 $IPTABLES -A Cid41456B75.1 -s 192.168.1.0/24 -j REJECT --reject-with 
icmp-net-unreachable $IPTABLES -A Cid41456B75.1 -s 192.168.2.0/24 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -N Cid41456B75.2 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid41456B75.2 $IPTABLES -A Cid41456B75.2 -s 192.168.1.0/24 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -A Cid41456B75.2 -s 192.168.2.0/24 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -N Cid41456B75.3 $IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j Cid41456B75.3 $IPTABLES -A Cid41456B75.3 -p tcp -m tcp -s 192.168.1.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid41456B75.3 -p tcp -m tcp -s 192.168.2.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -N Cid41456B75.4 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 21 -j Cid41456B75.4 $IPTABLES -A Cid41456B75.4 -p tcp -m tcp -s 192.168.1.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid41456B75.4 -p tcp -m tcp -s 192.168.2.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -N Cid41456B75.5 $IPTABLES -A FORWARD -p tcp -m tcp --dport 21 -j Cid41456B75.5 $IPTABLES -A Cid41456B75.5 -p tcp -m tcp -s 192.168.1.0/24 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid41456B75.5 -p tcp -m tcp -s 192.168.2.0/24 -j REJECT --reject-with tcp-reset # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -N Cid206275X37109.0 $IPTABLES -A INPUT -s 192.168.1.0/24 -j Cid206275X37109.0 $IPTABLES -A Cid206275X37109.0 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid206275X37109.0 -p tcp -m tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m 
state --state NEW -j REJECT --reject-with tcp-reset $IPTABLES -N Cid206275X37109.1 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j Cid206275X37109.1 $IPTABLES -A Cid206275X37109.1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid206275X37109.1 -p tcp -m tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset $IPTABLES -N Cid206275X37109.2 $IPTABLES -A FORWARD -s 192.168.1.0/24 -j Cid206275X37109.2 $IPTABLES -A Cid206275X37109.2 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid206275X37109.2 -p tcp -m tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset # # Rule 14 (global) # echo "Rule 14 (global)" # $IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 53 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -A OUTPUT -p udp -m udp -s 192.168.1.0/24 --dport 53 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -A FORWARD -p udp -m udp -s 192.168.1.0/24 --dport 53 -j REJECT --reject-with icmp-net-unreachable $IPTABLES -N Cid206293X37109.0 $IPTABLES -A INPUT -s 192.168.1.0/24 -j Cid206293X37109.0 $IPTABLES -A Cid206293X37109.0 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid206293X37109.0 -p tcp -m tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset $IPTABLES -N Cid206293X37109.1 $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j Cid206293X37109.1 $IPTABLES -A Cid206293X37109.1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid206293X37109.1 -p tcp -m tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset $IPTABLES -N Cid206293X37109.2 $IPTABLES -A FORWARD -s 192.168.1.0/24 -j Cid206293X37109.2 $IPTABLES -A Cid206293X37109.2 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset $IPTABLES -A Cid206293X37109.2 -p tcp -m tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with 
tcp-reset } ip_forward() { : } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:15 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall90.fw.orig000077500000000000000000000234351303637203600205540ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:15 2012 PDT by vadim # # files: * firewall90.fw /etc/fw/firewall90.fw # # Compiled for iptables (any version) # # test for ipv4options module FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0" for i in eth0 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.0.2.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A FORWARD -p all -m dscp --dscp-class AF4 -m ipv4options --lsrr --ra -j DROP # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -A FORWARD -p all -m ipv4options --rr -j DROP $IPTABLES -A FORWARD -p all -m ipv4options --lsrr --ssrr -j DROP $IPTABLES -A FORWARD -p all -m ipv4options --ts -j DROP # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -A FORWARD -p all -m ipv4options --any-opt -j 
DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:15 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall91.fw.orig000077500000000000000000000235251303637203600205550ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:16 2012 PDT by vadim # # files: * firewall91.fw /etc/fw/firewall91.fw # # Compiled for iptables 1.4.3 # # test for ipv4options module for v1.4.3 and later FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
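fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }
    # NB: only the "del" branch is checked; a failed "add" is ignored here.
    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        echo $addr | grep -q ':' && {
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        } || {
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        }
    }
    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }
    $FWBDEBUG $IP link set $interface up
}

# list_addresses_by_scope INTERFACE SCOPE_REGEX IGNORE_LIST
#   Prints "ADDR/PREFIX@INTERFACE", one per line and sorted, for every
#   inet/inet6 address of INTERFACE whose "ip addr" line matches
#   SCOPE_REGEX and whose ADDR/PREFIX is not in the space separated
#   IGNORE_LIST.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev "$interface" | \
      awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN {
           split(IGNORED, ignored_arr);
           for (a in ignored_arr) { ignored_dict[ignored_arr[a]] = 1; }
         }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) { print $2; }' | \
      while read -r addr; do
        echo "${addr}@$interface"
      done | sort
}

# update_addresses_of_interface "IFACE ADDR/PREFIX ..." IGNORE_LIST
#   Brings the addresses of IFACE in line with the list compiled into this
#   script: addresses in the list but not on the interface (any scope) are
#   added, global-scope addresses on the interface but not in the list are
#   removed.  Outside test mode (FWBDEBUG empty) a missing interface aborts
#   the script.
update_addresses_of_interface() {
    ignore_list=$2
    # "set --": a bare "set" with an empty or "-"-prefixed argument would be
    # interpreted as options to set itself.
    set -- $1
    interface=$1
    shift
    FWB_ADDRS=$(
      for addr in "$@"; do
        echo "${addr}@$interface"
      done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    if $IP link show dev "$interface" >/dev/null 2>&1; then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# clear_addresses_except_known_interfaces IFACE...
#   Flushes the global-scope addresses of, and brings down, every interface
#   reported by "ip link show" that is not named on the command line.
#   NOTE(review): nothing in the filter exempts "lo"; callers must list it
#   (not called by this particular script).
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
      'BEGIN {
         split(IGNORED, ignored_arr);
         for (a in ignored_arr) { ignored_dict[ignored_arr[a]] = 1; }
       }
       (/state/ && !($2 in ignored_dict)) { print $2; }' | \
      while read -r intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev "$intf" scope global
        $FWBDEBUG $IP link set "$intf" down
      done
}

# check_file OBJECT FILE: abort unless FILE (an address table) is readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# No run-time address tables are used by this script.
check_run_time_address_table_files() {
    :
}

# module_names_matching DIR FIND_TEST...
#   Prints the module names (file name without path and extension) of the
#   kernel modules under DIR selected by the find(1) tests.
module_names_matching() {
    dir=$1
    shift
    find "$dir" "$@" | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/'
}

# load_modules OPTS
#   Loads every conntrack module (except the IPv6 ones); with "nat" in OPTS
#   also every module whose file name contains "nat", with "ipv6" also
#   nf_conntrack_ipv6.  A failing modprobe aborts the script.
#   SECURITY: the "*nat*" / "*conntrack*" globs select by file name, so any
#   protocol helper module shipped under net/ (e.g. ftp/irc/sip helpers, if
#   present) is loaded as well; helpers parse payloads and open expected
#   connections, so review whether they are wanted on this host.
load_modules() {
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(module_names_matching "$MODULES_DIR" -name '*conntrack*' \! -name '*ipv6*')
    case "$OPTS" in
        *nat*)
            MODULES="$MODULES $(module_names_matching "$MODULES_DIR" -name '*nat*')"
            ;;
    esac
    case "$OPTS" in
        *ipv6*)
            MODULES="$MODULES $(module_names_matching "$MODULES_DIR" -name nf_conntrack_ipv6)"
            ;;
    esac
    for module in $MODULES; do
        # anchored match: "nf_nat" must not be taken as loaded because
        # "nf_nat_ftp" is
        $LSMOD | grep -q "^${module} " && continue
        $MODPROBE "${module}" || exit 1
    done
}

# Abort unless every interface the policy refers to exists.
verify_interfaces() {
    echo "Verifying interfaces: eth0"
    for i in eth0 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

# run_epilog_and_exit STATUS: run the epilog, then exit with STATUS.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

configure_interfaces() {
    # Configure interfaces
    update_addresses_of_interface "eth0 192.0.2.1/24" ""
}

# Installs the rule set.  Expects reset_all to have run first (policies at
# DROP, chains empty), so nothing is accepted until a rule says so.
script_body() {
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ================ Table 'filter', rule set Policy
    #
    # Rule 0 (global)
    #
    echo "Rule 0 (global)"
    #
    # NB: rules 0-2 are appended to FORWARD only; packets carrying IP
    # options that are addressed to the firewall itself (INPUT) are not
    # matched here.
    $IPTABLES -A FORWARD -p all -m dscp --dscp-class AF4 -m ipv4options --flags lsrr,router-alert -j DROP
    #
    # Rule 1 (global)
    #
    echo "Rule 1 (global)"
    #
    $IPTABLES -A FORWARD -p all -m ipv4options --flags record-route -j DROP
    $IPTABLES -A FORWARD -p all -m ipv4options --flags lsrr,ssrr -j DROP
    $IPTABLES -A FORWARD -p all -m ipv4options --flags timestamp -j DROP
    #
    # Rule 2 (global)
    #
    echo "Rule 2 (global)"
    #
    # catch-all: any remaining packet with any IP option is dropped
    $IPTABLES -A FORWARD -p all -m ipv4options --any -j DROP
}

# Turns on IPv4 forwarding unconditionally; done after script_body so the
# FORWARD chain is already populated when forwarding starts.
ip_forward() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Flush everything; reset_iptables_v4 sets the DROP policies before it
# flushes, so the host is never left unfiltered by a reset.
reset_all() {
    reset_iptables_v4
}

# "block": empty tables with DROP policies - nothing passes.
block_action() {
    reset_all
}

# "stop": empty tables with ACCEPT policies - NO filtering at all afterwards.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# check_iptables PROC_FILE
#   151: PROC_FILE missing (xtables modules not loaded)
#   152: PROC_FILE empty (no table registered)
#     0: at least one table registered
check_iptables() {
    IP_TABLES="$1"
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status": 0 if either address family has a table registered (this says
# nothing about whether the loaded rules are the ones from this script),
# otherwise a diagnostic and LSB status 3.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    # returned rather than exit-ed so the dispatcher passes it through RETVAL
    return 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:17:16 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        # the steps above exit 1 themselves on failure; RETVAL only reflects
        # the epilog
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # "start" already flushes with the policies at DROP before it installs
        # rules.  Running "stop" first would leave every policy at ACCEPT with
        # no rules while start runs check_tools, load_modules and
        # configure_interfaces, i.e. the host would be open during a reload.
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        # LSB: invalid or excess arguments (was unset, i.e. a success exit)
        RETVAL=2
        ;;
esac
exit $RETVALfwbuilder-5.3.7/test/ipt/firewall92.fw.orig000077500000000000000000000267211303637203600205570ustar00rootroot00000000000000#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !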
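#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:17:16 2012 PDT by vadim
#
# files: * firewall92.fw /etc/fw/firewall92.fw
#
# Compiled for iptables (any version)
#
# rules for the TOR transparent proxy per
# https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy
# See ticket 1685
# firewall92:NAT:2: error: NAT rule can not change service types: CustomService to TCPService
# firewall92:NAT:2: error: Translated Service should be either 'Original' or should contain object of the same type as Original Service.
#
# The two compiler errors above mean NAT rule 2 was rejected and is NOT part
# of this script; only NAT rules 0 and 1 appear in script_body.

# Set to "echo" (see "test_interfaces") to print instead of run the
# interface commands.
FWBDEBUG=""

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# log MESSAGE: print MESSAGE and, if logger(1) is available, send it to
# syslog at priority info.
log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# Interface name -> shell variable fragment (only the first "." is replaced).
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# getaddr_internal DEV NAME AF
#   Sets NAME_list to the addresses (without prefix length or peer) that
#   "ip AF addr show dev DEV" reports, or NAME and NAME_list to "" if there
#   are none.  NAME is a literal identifier supplied by the compiler and
#   the value comes from ip(8) output, which is what makes the eval safe.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev "$dev" | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        # also clear the list so a value from an earlier call cannot linger
        eval "${name}_list=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# getnet_internal DEV NAME AF
#   Sets NAME_list to the kernel-installed (proto kernel), non-default
#   route prefixes via DEV for address family AF, or NAME/NAME_list to "".
#   The generated original ignored AF (so getnet6 returned IPv4 prefixes)
#   and used an unanchored "grep DEV", which let eth1 pick up the routes of
#   eth10 or eth1.100; both are fixed here.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af route list proto kernel | grep -v default | \
        awk -v DEV="$dev" '{
            for (i = 1; i < NF; i++) {
                if ($i == "dev" && $(i + 1) == DEV) { print $1; break }
            }
        }')
    test -z "$L" && {
        eval "$name=''"
        eval "${name}_list=''"
        return
    }
    eval "${name}_list=\"$L\""
}

getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
# getinterfaces NAME: print the interfaces whose "ip link show" line
# contains ": NAME".
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read -r L; do
        OIFS=$IFS
        IFS=" :"
        set -- $L
        IFS=$OIFS
        echo $2
    done
}

# diff_intf FUNC LIST1 LIST2 CMD
#   Calls "FUNC ITEM CMD" for every ITEM of LIST1 that is not in LIST2.
#   Membership is an exact whole-item comparison: the unanchored regex grep
#   of the generated original treated "10.0.0.1/24@eth1" as present when
#   LIST2 only held "10.0.0.1/24@eth10".
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for item in $list1
    do
        printf '%s\n' $list2 | grep -qxF -- "$item" || {
            # $item is absent in list 2
            $func "$item" "$cmd"
        }
    done
}

# find_program PGM: abort if PGM is not on PATH.
find_program() {
    PGM=$1
    which "$PGM" >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $MODPROBE
    find_program $IP
}

# Fail closed: set every built-in policy to DROP first, then flush all
# chains of every registered table and delete the user chains.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    while read -r table; do
        $IPTABLES -t "$table" -L -n | while read -r c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t "$table" -F "$chain"
            fi
        done
        $IPTABLES -t "$table" -X
    done < /proc/net/ip_tables_names
}

# IPv6 counterpart of reset_iptables_v4 (not called by this script, whose
# reset_all only resets IPv4).
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    while read -r table; do
        $IP6TABLES -t "$table" -L -n | while read -r c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t "$table" -F "$chain"
            fi
        done
        $IP6TABLES -t "$table" -X
    done < /proc/net/ip6_tables_names
}

P2P_INTERFACE_WARNING=""

# missing_address ADDR/PREFIX@IFACE add|del
#   Adds or removes one address and brings IFACE up.  Point-to-point
#   interfaces are skipped with a one-time warning.  A failed "del" aborts
#   the script; a failed "add" is reported on stderr (the generated original
#   ignored it and, because of an "&& { } || { }" chain, retried an IPv6
#   address with "broadcast +").
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set -- $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    if $IP addr show dev "$interface" | grep -q POINTOPOINT; then
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface.
fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    fi
    case "$cmd" in
        add)
            echo "# Adding ip address: $interface $addr"
            case "$addr" in
                *:*)
                    $FWBDEBUG $IP addr add "$addr" dev "$interface"
                    ;;
                *)
                    $FWBDEBUG $IP addr add "$addr" broadcast + dev "$interface"
                    ;;
            esac || echo "Warning: could not add address $addr to interface $interface" >&2
            ;;
        del)
            echo "# Removing ip address: $interface $addr"
            $FWBDEBUG $IP addr del "$addr" dev "$interface" || exit 1
            ;;
    esac
    $FWBDEBUG $IP link set "$interface" up
}

# list_addresses_by_scope INTERFACE SCOPE_REGEX IGNORE_LIST
#   Prints "ADDR/PREFIX@INTERFACE", one per line and sorted, for every
#   inet/inet6 address of INTERFACE whose "ip addr" line matches
#   SCOPE_REGEX and whose ADDR/PREFIX is not in the space separated
#   IGNORE_LIST.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev "$interface" | \
      awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN {
           split(IGNORED, ignored_arr);
           for (a in ignored_arr) { ignored_dict[ignored_arr[a]] = 1; }
         }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) { print $2; }' | \
      while read -r addr; do
        echo "${addr}@$interface"
      done | sort
}

# update_addresses_of_interface "IFACE ADDR/PREFIX ..." IGNORE_LIST
#   Brings the addresses of IFACE in line with the compiled-in list:
#   addresses in the list but not on the interface (any scope) are added,
#   global-scope addresses on the interface but not in the list are
#   removed.  Outside test mode a missing interface aborts the script.
update_addresses_of_interface() {
    ignore_list=$2
    # "set --": a bare "set" with an empty or "-"-prefixed argument would be
    # interpreted as options to set itself.
    set -- $1
    interface=$1
    shift
    FWB_ADDRS=$(
      for addr in "$@"; do
        echo "${addr}@$interface"
      done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    if $IP link show dev "$interface" >/dev/null 2>&1; then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# clear_addresses_except_known_interfaces IFACE...
#   Flushes the global-scope addresses of, and brings down, every interface
#   reported by "ip link show" that is not named on the command line.
#   NOTE(review): nothing in the filter exempts "lo"; callers must list it
#   (not called by this particular script).
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
      'BEGIN {
         split(IGNORED, ignored_arr);
         for (a in ignored_arr) { ignored_dict[ignored_arr[a]] = 1; }
       }
       (/state/ && !($2 in ignored_dict)) { print $2; }' | \
      while read -r intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev "$intf" scope global
        $FWBDEBUG $IP link set "$intf" down
      done
}

# check_file OBJECT FILE: abort unless FILE (an address table) is readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# No run-time address tables are used by this script.
check_run_time_address_table_files() {
    :
}

# module_names_matching DIR FIND_TEST...
#   Prints the module names (file name without path and extension) of the
#   kernel modules under DIR selected by the find(1) tests.
module_names_matching() {
    dir=$1
    shift
    find "$dir" "$@" | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/'
}

# load_modules OPTS
#   Loads every conntrack module (except the IPv6 ones); with "nat" in OPTS
#   also every module whose file name contains "nat", with "ipv6" also
#   nf_conntrack_ipv6.  A failing modprobe aborts the script.
#   SECURITY: the "*nat*" / "*conntrack*" globs select by file name, so any
#   protocol helper module shipped under net/ (e.g. ftp/irc/sip helpers, if
#   present) is loaded as well; helpers parse payloads and open expected
#   connections, so review whether they are wanted on this host.
load_modules() {
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(module_names_matching "$MODULES_DIR" -name '*conntrack*' \! -name '*ipv6*')
    case "$OPTS" in
        *nat*)
            MODULES="$MODULES $(module_names_matching "$MODULES_DIR" -name '*nat*')"
            ;;
    esac
    case "$OPTS" in
        *ipv6*)
            MODULES="$MODULES $(module_names_matching "$MODULES_DIR" -name nf_conntrack_ipv6)"
            ;;
    esac
    for module in $MODULES; do
        # anchored match: "nf_nat" must not be taken as loaded because
        # "nf_nat_ftp" is
        $LSMOD | grep -q "^${module} " && continue
        $MODPROBE "${module}" || exit 1
    done
}

# Abort unless every interface the policy refers to exists.
verify_interfaces() {
    echo "Verifying interfaces: eth0 eth1"
    for i in eth0 eth1 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

# run_epilog_and_exit STATUS: run the epilog, then exit with STATUS.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

configure_interfaces() {
    # Configure interfaces
    update_addresses_of_interface "eth0 192.0.2.1/24" ""
    update_addresses_of_interface "eth1 192.168.1.1/24" ""
}

# Installs the rule set.  Expects reset_all to have run first (policies at
# DROP, chains empty), so nothing is accepted until a rule says so.
# Rule order matters below: ESTABLISHED,RELATED is accepted before any
# owner match, and Policy rule 0 accepts every NEW tcp/udp packet of uid
# "anonymous" before rule 1 hands the remaining packets of that uid to
# Policy_1 and rule 2 drops what is left.
script_body() {
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ================ Table 'nat', rule set NAT
    #
    # Rule 0 (NAT)
    #
    echo "Rule 0 (NAT)"
    #
    # locally generated UDP of uid "anonymous" is redirected to local port 53
    $IPTABLES -t nat -A OUTPUT -p udp -m udp -m owner --uid-owner anonymous -j REDIRECT --to-ports 53
    #
    # Rule 1 (NAT)
    #
    echo "Rule 1 (NAT)"
    #
    # locally generated TCP of uid "anonymous" is redirected to local port 9040
    $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -m owner --uid-owner anonymous -j REDIRECT --to-ports 9040
    # ================ Table 'filter', rule set Policy_1
    #
    # Rule Policy_1 0 (global)
    #
    echo "Rule Policy_1 0 (global)"
    #
    # branch chain: tcp/9040 and udp/53 from either firewall address are
    # logged and dropped.  The LOG rules carry no "-m limit", so a burst of
    # matching packets is logged one line each.
    $IPTABLES -N Policy_1
    $IPTABLES -N Cid1009688X9517.0
    $IPTABLES -A Policy_1 -o + -p tcp -m tcp --dport 9040 -j Cid1009688X9517.0
    $IPTABLES -A Policy_1 -o + -p udp -m udp --dport 53 -j Cid1009688X9517.0
    $IPTABLES -N Out_Policy_1_0
    $IPTABLES -A Cid1009688X9517.0 -s 192.0.2.1 -j Out_Policy_1_0
    $IPTABLES -A Cid1009688X9517.0 -s 192.168.1.1 -j Out_Policy_1_0
    $IPTABLES -A Out_Policy_1_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -A Out_Policy_1_0 -j DROP
    # ================ Table 'filter', rule set Policy
    #
    # Rule 0 (global)
    #
    echo "Rule 0 (global)"
    #
    $IPTABLES -A OUTPUT -p tcp -m tcp -m owner --uid-owner anonymous -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -m udp -m owner --uid-owner anonymous -m state --state NEW -j ACCEPT
    #
    # Rule 1 (global)
    #
    echo "Rule 1 (global)"
    #
    # matching module owner here
    # and tcp and udp ports in the branch
    $IPTABLES -A OUTPUT -m owner --uid-owner anonymous -j Policy_1
    #
    # Rule 2 (global)
    #
    echo "Rule 2 (global)"
    #
    # this only matches module owner
    $IPTABLES -N Out_RULE_2
    $IPTABLES -A OUTPUT -m owner --uid-owner anonymous -j Out_RULE_2
    $IPTABLES -A Out_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
    $IPTABLES -A Out_RULE_2 -j DROP
}

# Turns on IPv4 forwarding unconditionally; done after script_body so the
# FORWARD chain is already populated when forwarding starts.
ip_forward() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Flush everything; reset_iptables_v4 sets the DROP policies before it
# flushes, so the host is never left unfiltered by a reset.
reset_all() {
    reset_iptables_v4
}

# "block": empty tables with DROP policies - nothing passes.
block_action() {
    reset_all
}

# "stop": empty tables with ACCEPT policies - NO filtering at all afterwards.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# check_iptables PROC_FILE
#   151: PROC_FILE missing (xtables modules not loaded)
#   152: PROC_FILE empty (no table registered)
#     0: at least one table registered
check_iptables() {
    IP_TABLES="$1"
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status": 0 if either address family has a table registered (this says
# nothing about whether the loaded rules are the ones from this script),
# otherwise a diagnostic and LSB status 3.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    # returned rather than exit-ed so the dispatcher passes it through RETVAL
    return 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:17:16 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules "nat "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        # the steps above exit 1 themselves on failure; RETVAL only reflects
        # the epilog
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # "start" already flushes with the policies at DROP before it installs
        # rules.  Running "stop" first would leave every policy at ACCEPT with
        # no rules while start runs check_tools, load_modules and
        # configure_interfaces, i.e. the host would be open during a reload.
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        # LSB: invalid or excess arguments (was unset, i.e. a success exit)
        RETVAL=2
        ;;
esac
exit $RETVALfwbuilder-5.3.7/test/ipt/firewall93.fw.orig000077500000000000000000000317331303637203600205570ustar00rootroot00000000000000#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:17:18 2012 PDT by vadim
#
# files: * firewall93.fw /etc/fw/firewall93.fw
#
# Compiled for iptables (any version)
#
# testing shell code generated for dynamic interface with "-" in the name

FWBDEBUG=""

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP route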
list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 ppp0 ppp-dsl" for i in eth0 ppp0 ppp-dsl ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::20c:29ff:fe28:c078/64 192.0.2.1/24" "" getaddr ppp0 i_ppp0 getaddr6 ppp0 i_ppp0_v6 getnet ppp0 i_ppp0_network getnet6 ppp0 i_ppp0_v6_network getaddr ppp-dsl i_ppp_dsl getaddr6 ppp-dsl i_ppp_dsl_v6 getnet ppp-dsl i_ppp_dsl_network getnet6 ppp-dsl i_ppp_dsl_v6_network } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (ppp0) # echo "Rule 0 (ppp0)" # for i_ppp_dsl in $i_ppp_dsl_list do test -n "$i_ppp_dsl" && $IPTABLES -A INPUT -i ppp0 -s $i_ppp_dsl -m state --state NEW -j ACCEPT done for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -A INPUT -i ppp0 -s $i_ppp0 -m state --state NEW -j ACCEPT done $IPTABLES -A INPUT -i ppp0 -s 192.0.2.1 -m state --state NEW -j ACCEPT for i_ppp_dsl in $i_ppp_dsl_list do test -n "$i_ppp_dsl" && $IPTABLES -A FORWARD -i ppp0 -s $i_ppp_dsl -m state --state NEW -j ACCEPT done for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -A FORWARD -i ppp0 -s $i_ppp0 -m state --state NEW -j ACCEPT done $IPTABLES -A FORWARD -i ppp0 -s 192.0.2.1 -m state --state NEW -j ACCEPT # # Rule 1 (ppp-dsl) # echo "Rule 1 (ppp-dsl)" # for i_ppp_dsl in $i_ppp_dsl_list do test -n "$i_ppp_dsl" && $IPTABLES -A INPUT -i ppp-dsl -s $i_ppp_dsl -m state --state NEW -j ACCEPT done for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -A INPUT -i ppp-dsl -s $i_ppp0 -m state --state NEW -j ACCEPT done $IPTABLES -A INPUT -i ppp-dsl -s 192.0.2.1 -m state --state NEW -j ACCEPT for i_ppp_dsl in 
$i_ppp_dsl_list do test -n "$i_ppp_dsl" && $IPTABLES -A FORWARD -i ppp-dsl -s $i_ppp_dsl -m state --state NEW -j ACCEPT done for i_ppp0 in $i_ppp0_list do test -n "$i_ppp0" && $IPTABLES -A FORWARD -i ppp-dsl -s $i_ppp0 -m state --state NEW -j ACCEPT done $IPTABLES -A FORWARD -i ppp-dsl -s 192.0.2.1 -m state --state NEW -j ACCEPT # ================ IPv6 # ================ Table 'filter', rule set Policy_v6 # # Rule Policy_v6 0 (ppp-dsl) # echo "Rule Policy_v6 0 (ppp-dsl)" # $IP6TABLES -N Policy_v6 for i_ppp_dsl_v6 in $i_ppp_dsl_v6_list do test -n "$i_ppp_dsl_v6" && $IP6TABLES -A Policy_v6 -i ppp-dsl -s $i_ppp_dsl_v6 -m state --state NEW -j ACCEPT done for i_ppp0_v6 in $i_ppp0_v6_list do test -n "$i_ppp0_v6" && $IP6TABLES -A Policy_v6 -i ppp-dsl -s $i_ppp0_v6 -m state --state NEW -j ACCEPT done $IP6TABLES -A Policy_v6 -i ppp-dsl -s fe80::20c:29ff:fe28:c078 -m state --state NEW -j ACCEPT # # Rule Policy_v6 1 (ppp0) # echo "Rule Policy_v6 1 (ppp0)" # for i_ppp_dsl_v6 in $i_ppp_dsl_v6_list do test -n "$i_ppp_dsl_v6" && $IP6TABLES -A Policy_v6 -i ppp0 -s $i_ppp_dsl_v6 -m state --state NEW -j ACCEPT done for i_ppp0_v6 in $i_ppp0_v6_list do test -n "$i_ppp0_v6" && $IP6TABLES -A Policy_v6 -i ppp0 -s $i_ppp0_v6 -m state --state NEW -j ACCEPT done $IP6TABLES -A Policy_v6 -i ppp0 -s fe80::20c:29ff:fe28:c078 -m state --state NEW -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:18 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " ipv6" configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall94.fw.orig000077500000000000000000000353021303637203600205540ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:18 2012 PDT by vadim # # files: * firewall94.fw /etc/fw/firewall94.fw # # Compiled for iptables 1.3.0 # # testing rules that use address ranges that include or not include fw FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0" for i in eth0 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 fe80::20c:29ff:fe28:c078/64 192.168.1.2/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # address range in src includes firewall $IPTABLES -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.3 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m iprange --src-range 192.168.1.1-192.168.1.3 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m iprange --src-range 192.168.1.1-192.168.1.3 -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -A INPUT -m iprange --src-range 192.168.1.3-192.168.1.5 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m iprange --src-range 192.168.1.3-192.168.1.5 -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # address range in src includes firewall $IPTABLES -A OUTPUT -m iprange --src-range 192.168.1.1-192.168.1.3 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m iprange --src-range 192.168.1.1-192.168.1.3 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -A FORWARD -m iprange --src-range 192.168.1.3-192.168.1.5 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # address range in dst includes firewall $IPTABLES -A OUTPUT -m iprange --dst-range 192.168.1.1-192.168.1.3 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m iprange --dst-range 192.168.1.1-192.168.1.3 -m state --state NEW -j ACCEPT $IPTABLES -A 
FORWARD -m iprange --dst-range 192.168.1.1-192.168.1.3 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -A OUTPUT -m iprange --dst-range 192.168.1.3-192.168.1.5 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m iprange --dst-range 192.168.1.3-192.168.1.5 -m state --state NEW -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # address range in dst includes firewall $IPTABLES -A INPUT -m iprange --dst-range 192.168.1.1-192.168.1.3 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m iprange --dst-range 192.168.1.1-192.168.1.3 -m state --state NEW -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A FORWARD -m iprange --dst-range 192.168.1.3-192.168.1.5 -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -A INPUT -s 255.255.255.255 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 255.255.255.255 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -A OUTPUT -s 255.255.255.255 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -A OUTPUT -s 255.255.255.255 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -A OUTPUT -s 255.255.255.255 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -A INPUT -s 0.0.0.0 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 0.0.0.0 -m state --state NEW -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -A OUTPUT -s 0.0.0.0 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 14 (global) # echo "Rule 14 (global)" # $IPTABLES -A OUTPUT -s 0.0.0.0 -m state --state NEW -j ACCEPT # # Rule 15 (global) # echo "Rule 15 (global)" # $IPTABLES -A OUTPUT -s 0.0.0.0 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # $IPTABLES -A OUTPUT -d 0.0.0.0 -m state --state NEW -j ACCEPT $IPTABLES 
-A INPUT -d 0.0.0.0 -m state --state NEW -j ACCEPT # # Rule 17 (global) # echo "Rule 17 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -d 0.0.0.0 -m state --state NEW -j ACCEPT # # Rule 18 (global) # echo "Rule 18 (global)" # $IPTABLES -A OUTPUT -d 255.255.255.255 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 0.0.0.0 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 255.255.255.255 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -d 0.0.0.0 -m state --state NEW -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -d 255.255.255.255 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.1.0/24 -d 0.0.0.0 -m state --state NEW -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # $IPTABLES -A INPUT -d 0.0.0.0 -m state --state NEW -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -d 0.0.0.0 -m state --state NEW -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:18 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/firewall95.fw.orig000077500000000000000000000230441303637203600205550ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:19 2012 PDT by vadim # # files: * firewall95.fw /etc/fw/firewall95.fw # # Compiled for iptables 1.3.0 # # firewall has intrface with netmask /31 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v 
default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0" for i in eth0 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 192.168.1.10/31" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # address 192.168.1.11 should not be considered a broadcast on the subnet attached to eth0 $IPTABLES -A OUTPUT -d 192.168.1.11 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.11 -m state --state NEW -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT 
$IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:19 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/fw-A.fw.orig000077500000000000000000000504721303637203600173710ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:35 2012 PDT by vadim # # files: * fw-A.fw /sw/FWbuilder/fw-A.fw # # Compiled for iptables 1.3.0 # # fw-A:Routing:0: error: Object "gw_200" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall # fw-A:Routing:0: error: Object "gw_200" used as gateway in the routing rule 0 (main) is not in the same local network as interface eth3 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP find_program $VCONFIG find_program $IFENSLAVE } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@" set $vlan subint=$1 parent=$2 IFS=$oldIFS vlan_id=$(echo $subint | sed -r 's/(vlan|[^.]*\.)//') test "$cmd" = "add" && { echo $subint | grep -q "vlan" && name_type="VLAN_PLUS_VID" || name_type="DEV_PLUS_VID" test "$vlan_id" \< "1" || name_type="${name_type}_NO_PAD" echo "# Adding VLAN interface $subint (parent: $parent)" $FWBDEBUG $VCONFIG set_name_type $name_type $FWBDEBUG $VCONFIG $cmd $parent $vlan_id $FWBDEBUG $IP link set $subint up } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (parent: $parent)" $FWBDEBUG $VCONFIG $cmd $subint } } parse_fwb_vlans() { set $1 vlan_parent_interface=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent_interface" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent_interface=$1 CURRENT_VLANS="" PROC_DIR="/proc/net/vlan/" test -d $PROC_DIR || $MODPROBE 8021q || { echo "$PROC_DIR does not exist. Vlan interfaces are not available." exit 1 } test -f "/proc/net/vlan/config" && { CURRENT_VLANS=$( cat /proc/net/vlan/config | grep -v 'Dev name' | grep $vlan_parent_interface | \ while read subint a vlan_id b parent; do echo "${subint}@$parent" done | sort ) } echo $CURRENT_VLANS } update_vlans_of_interface() { args="$1" set $1 vlan_parent_interface=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface) $IP link set $vlan_parent_interface up diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } add_vlans() { args="$1" set $1 vlan_parent_interface=$1 FWB_VLANS=$(parse_fwb_vlans $args) CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface) $IP link set $vlan_parent_interface up diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add } clear_vlans_except_known() { FWB_VLANS=$* CURRENT_VLANS=$(parse_current_vlans '|') diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } missing_bond() { bond_intf=$1 cmd=$2 test 
"$cmd" = "down" && { echo "# Bring unconfigured bonding interface $bond_intf down" $FWBDEBUG $IP link set $bond_intf down } } missing_slave() { slave=$1 cmd=$2 oldIFS=$IFS IFS="@" set $slave intf=$1 bond_interface=$2 IFS=$oldIFS test "$cmd" = "-d" && { echo "# Delete bonding interface slave: $bond_interface $intf" $FWBDEBUG $IFENSLAVE -d $bond_interface $intf } || { echo "# Add bonding interface slave: $bond_interface $intf" $FWBDEBUG $IP link set $bond_interface up $FWBDEBUG $IFENSLAVE $bond_interface $intf } } load_bonding_module() { bonding_interfaces=$1 shift module_parameters=$* PROC_DIR="/proc/net/bonding/" test -d $PROC_DIR || { cmd="$MODPROBE bonding $module_parameters" test -n "$FWBDEBUG" && echo "# $cmd" || $cmd || { # Module load failed. cat </dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: bond0 eth2 eth3 bond1 lo eth6 eth0 eth1 bond0.2 bond0.1 eth2.201 eth2.202 eth4 eth5" for i in bond0 eth2 eth3 bond1 lo eth6 eth0 eth1 bond0.2 bond0.1 eth2.201 eth2.202 eth4 eth5 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces load_bonding_module "bond0 bond1" max_bonds=2 mode=802.3ad xmit_hash_policy=layer2 miimon=100 update_bonding bond0 eth0 eth1 update_bonding bond1 eth4 eth5 clear_bonding_except_known bond0 bond1 update_vlans_of_interface "bond0 bond0.2 bond0.1" update_vlans_of_interface "eth2 eth2.201 eth2.202" clear_vlans_except_known bond0.2@bond0 bond0.1@bond0 eth2.201@eth2 eth2.202@eth2 update_addresses_of_interface "eth3 192.0.2.11/24" "" update_addresses_of_interface "bond1 192.168.11.11/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth6 192.168.6.11/24" "" update_addresses_of_interface "bond0.2 
192.168.2.11/24" "" update_addresses_of_interface "bond0.1 192.168.1.11/24" "" update_addresses_of_interface "eth2.201 192.168.201.11/24" "" update_addresses_of_interface "eth2.202 192.168.202.11/24" "" clear_addresses_except_known_interfaces bond0 eth2 eth3 bond1 lo eth6 eth0 eth1 bond0.2 bond0.1 eth2.201 eth2.202 eth4 eth5 } script_body() { echo 1 > /proc/sys/net/ipv4/ip_dynaddr echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 250000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max echo 250000 > /sys/module/ip_conntrack/parameters/hashsize echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z "$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } 
TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v 'proto kernel' | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." 
# # Rule 0 (main) # echo "Routing rule 0 (main)" # # # # fw-A:Routing:0: error: Object "gw_200" used as gateway in the routing rule 0 (main) is not in the same local network as interface eth3 # fw-A:Routing:0: error: Object "gw_200" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall $IP route add default via 200.200.200.200 dev eth3 \ || route_command_error "0 (main)" # # Rule 1 (main) # echo "Routing rule 1 (main)" # # for 1410: gateway matches subnet of a vlan interface # $IP route add 192.168.101.0/24 via 192.168.1.200 dev bond0.1 \ || route_command_error "1 (main)" # # Rule 2 (main) # echo "Routing rule 2 (main)" # # for 1410: gateway matches subnet of a vlan interface # $IP route add 192.168.102.0/24 via 192.168.2.200 dev bond0.2 \ || route_command_error "2 (main)" # # Rule 3 (main) # echo "Routing rule 3 (main)" # # # $IP route add 192.168.111.0/24 via 192.168.11.200 dev bond1 \ || route_command_error "3 (main)" # # Rule 4 (main) # echo "Routing rule 4 (main)" # # for 1410: gateway matches subnet of a vlan interface # $IP route add 192.168.211.0/24 via 192.168.201.200 dev eth2.201 \ || route_command_error "4 (main)" # # Rule 5 (main) # echo "Routing rule 5 (main)" # # for 1410: gateway matches subnet of a vlan interface # $IP route add 192.168.212.0/24 via 192.168.202.200 dev eth2.202 \ || route_command_error "5 (main)" restore_script_output echo "...done." } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:35 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/fw1.fw.orig000077500000000000000000000417141303637203600172730ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:35 2012 PDT by vadim # # files: * fw1.fw /etc/fw1.fw # # Compiled for iptables (any version) # # This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. # Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0 # fw1:NAT:8: error: NAT rule can not change service types: TCPService to UDPService # fw1:NAT:8: error: Translated Service should be either 'Original' or should contain object of the same type as Original Service. 
# fw1:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo" for i in eth0 eth1 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.0.2.1/24" "" update_addresses_of_interface "eth1 fe80::21d:9ff:fe8b:8e94/64 192.168.1.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j ACCEPT $IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -j ACCEPT # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # # source port only $IPTABLES -t nat -A POSTROUTING -o eth+ -p udp -m udp -s 192.168.1.0/24 --sport 123 -j SNAT --to-source :5050 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # # dest port only $IPTABLES -t nat -A PREROUTING -p udp -m udp -s 192.168.1.0/24 --dport 53 -j DNAT --to-destination :1053 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # # SDNAT $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.0.2.1 --dport 22 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.1 --dport 22 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -d 192.168.1.10 --dport 22 -j SNAT --to-source 192.168.1.1 # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # # SDNAT with source port $IPTABLES -t nat -A PREROUTING -p udp -m udp --sport 123 -d 192.0.2.1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A PREROUTING -p udp -m udp --sport 123 -d 192.168.1.1 -j DNAT --to-destination 192.168.1.10 $IPTABLES -t nat -A POSTROUTING -o eth1 -p udp -m udp --sport 123 -d 192.168.1.10 -j SNAT --to-source 
192.168.1.1:5050 # # Rule 5 (NAT) # echo "Rule 5 (NAT)" # # SDNAT with dest port $IPTABLES -t nat -A PREROUTING -p udp -m udp -s 192.168.1.0/24 --dport 53 -j DNAT --to-destination 192.168.1.10:1053 $IPTABLES -t nat -A POSTROUTING -o eth1 -p udp -m udp -s 192.168.1.0/24 -d 192.168.1.10 --dport 1053 -j SNAT --to-source 192.168.1.1 # # Rule 6 (NAT) # echo "Rule 6 (NAT)" # # SDNAT # translate src and dst addresses # and src and dst ports $IPTABLES -t nat -A PREROUTING -p udp -m udp -s 192.168.1.0/24 --sport 1024:65535 --dport 53 -j DNAT --to-destination 192.168.1.10:1053 $IPTABLES -t nat -A POSTROUTING -o eth1 -p udp -m udp -s 192.168.1.0/24 -d 192.168.1.10 --dport 1053 -j SNAT --to-source 192.168.1.1:32767-65535 # # Rule 7 (NAT) # echo "Rule 7 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth+ -p udp -m udp -s 192.168.1.0/24 --dport 53 -j SNAT --to-source :5050 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # # anti spoofing rule $IPTABLES -N Cid45745X95438.0 $IPTABLES -A FORWARD -i + -d 192.168.171.2 -m state --state NEW -j Cid45745X95438.0 $IPTABLES -N In_RULE_0 $IPTABLES -A Cid45745X95438.0 -s 192.0.2.1 -j In_RULE_0 $IPTABLES -A Cid45745X95438.0 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A FORWARD -i + -s 192.168.1.0/24 -d 192.168.171.2 -m state --state NEW -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (global) # echo "Rule 1 (global)" # # fw1:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it # fw1:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m 
state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_3 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_3 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_3 $IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT " $IPTABLES -A RULE_3 -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # All other attempts to connect to # the firewall are denied and logged $IPTABLES -N RULE_4 $IPTABLES -A OUTPUT -d 192.0.2.1 -m state --state NEW -j RULE_4 $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j RULE_4 $IPTABLES -A INPUT -m state --state NEW -j RULE_4 $IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY " $IPTABLES -A RULE_4 -j DROP # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 1 --tcp-flags SYN SYN -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 1 --tcp-flags SYN SYN -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 1 --tcp-flags SYN SYN -m state --state NEW -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N RULE_6 $IPTABLES -A OUTPUT -p tcp -m tcp -j RULE_6 $IPTABLES -A INPUT -p tcp -m tcp -j RULE_6 $IPTABLES -A FORWARD -p tcp -m tcp -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- REJECT " $IPTABLES -A RULE_6 -p tcp -m tcp -j REJECT --reject-with tcp-reset $IPTABLES -A OUTPUT -j RULE_6 $IPTABLES -A INPUT -j RULE_6 $IPTABLES -A FORWARD -j RULE_6 $IPTABLES -A RULE_6 -j REJECT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } 
reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:35 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/fwbuilder.fw.orig000077500000000000000000000331721303637203600205600ustar00rootroot00000000000000#!/bin/sh /etc/rc.common # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:16:54 2012 PDT by vadim # # files: * fwbuilder.fw /etc/init.d/fwbuilder.fw # # Compiled for iptables 1.4.3 # # testing run time address table objects with module set # use module set is turned off # firewall41-2::: warning: Can not add virtual address for object atbl.1 START=46 EXTRA_COMMANDS="status interfaces test_interfaces" FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="" IPTABLES="/usr/sbin/iptables" IP6TABLES="/usr/sbin/ip6tables" IPTABLES_RESTORE="/usr/sbin/iptables-restore" IP6TABLES_RESTORE="/usr/sbin/ip6tables-restore" IP="/usr/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/usr/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : check_file "atbl.1" "addr-table-1.tbl" check_file "block_these" "block-hosts.tbl" } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi insmod ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1" for i in eth0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 1.1.1.1/24" "" update_addresses_of_interface "eth1 2.2.2.2/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -t nat -A POSTROUTING -o eth+ -s $at_atbl_1 -j SNAT --to-source 1.1.1.1 done # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -N Cid2101361X9995.0 $IPTABLES -t nat -A POSTROUTING -o eth+ -j 
Cid2101361X9995.0 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -t nat -A Cid2101361X9995.0 -s $at_atbl_1 -j RETURN done $IPTABLES -t nat -A Cid2101361X9995.0 -j SNAT --to-source 1.1.1.1 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -t nat -A PREROUTING -d $at_atbl_1 -j DNAT --to-destination 192.168.1.10 done # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -m state --state NEW -j ACCEPT done # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N Cid4374297X29460.0 $IPTABLES -A INPUT -s 1.1.1.1 -m state --state NEW -j Cid4374297X29460.0 $IPTABLES -A INPUT -s 2.2.2.2 -m state --state NEW -j Cid4374297X29460.0 $IPTABLES -A OUTPUT -s 1.1.1.1 -m state --state NEW -j Cid4374297X29460.0 $IPTABLES -A OUTPUT -s 2.2.2.2 -m state --state NEW -j Cid4374297X29460.0 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A Cid4374297X29460.0 -d $at_atbl_1 -j RETURN done $IPTABLES -A Cid4374297X29460.0 -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N Cid4374309X29460.0 $IPTABLES -A OUTPUT -s 1.1.1.1 -m state --state NEW -j Cid4374309X29460.0 $IPTABLES -A OUTPUT -s 2.2.2.2 -m state --state NEW -j Cid4374309X29460.0 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A Cid4374309X29460.0 -d $at_atbl_1 -j RETURN done $IPTABLES -A Cid4374309X29460.0 -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -m state --state NEW -j ACCEPT done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A OUTPUT -d $at_block_these -m state 
--state NEW -j ACCEPT done # # Rule 4 (global) # echo "Rule 4 (global)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A INPUT -s $at_atbl_1 -m state --state NEW -j ACCEPT done # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -N Cid4374346X29460.0 $IPTABLES -A OUTPUT -d 1.1.1.1 -m state --state NEW -j Cid4374346X29460.0 $IPTABLES -A OUTPUT -d 2.2.2.2 -m state --state NEW -j Cid4374346X29460.0 $IPTABLES -A INPUT -d 1.1.1.1 -m state --state NEW -j Cid4374346X29460.0 $IPTABLES -A INPUT -d 2.2.2.2 -m state --state NEW -j Cid4374346X29460.0 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A Cid4374346X29460.0 -s $at_atbl_1 -j RETURN done $IPTABLES -A Cid4374346X29460.0 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N Cid4374358X29460.0 $IPTABLES -A INPUT -d 1.1.1.1 -m state --state NEW -j Cid4374358X29460.0 $IPTABLES -A INPUT -d 2.2.2.2 -m state --state NEW -j Cid4374358X29460.0 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A Cid4374358X29460.0 -s $at_atbl_1 -j RETURN done $IPTABLES -A Cid4374358X29460.0 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A INPUT -s $at_atbl_1 -m state --state NEW -j ACCEPT done grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do set $L; at_block_these=$1; $IPTABLES -A INPUT -s $at_block_these -m state --state NEW -j ACCEPT done # # Rule 8 (global) # echo "Rule 8 (global)" # grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -j DROP done grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A FORWARD -d $at_atbl_1 -j DROP done } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } stop_action() { reset_all $IPTABLES -P OUTPUT 
ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } start() { log "Activating firewall script generated Sun Mar 18 21:16:54 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands } stop() { stop_action } status() { status_action } interfaces() { configure_interfaces } test_interfaces() { FWBDEBUG="echo" configure_interfaces } fwbuilder-5.3.7/test/ipt/heartbeat_cluster_1_d_linux-1-d.fw.orig000077500000000000000000000546071303637203600246240ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:41 2012 PDT by vadim # # files: * heartbeat_cluster_1_d_linux-1-d.fw firewall.sh # # Compiled for iptables (any version) # # This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. # Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0 # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-2-d' because its address in unknown. 
# heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-2-d' because its address in unknown. FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo eth2 eth2.100" for i in eth0 eth1 lo eth2 eth2.100 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth1 192.168.1.1/24" "192.168.1.254/24" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth2.100 172.20.0.1/24" "" getaddr eth0 i_eth0 getaddr6 eth0 i_eth0_v6 getnet eth0 i_eth0_network getnet6 eth0 i_eth0_v6_network getaddr eth0 i_eth0 getaddr6 eth0 i_eth0_v6 getnet eth0 i_eth0_network getnet6 eth0 i_eth0_v6_network } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 
192.168.1.0/24 -j MASQUERADE # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source $i_eth0 done # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source $i_eth0 --random done # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A PREROUTING -d $i_eth0 -j DNAT --to-destination 192.168.1.100 done # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A PREROUTING -d $i_eth0 -j DNAT --to-destination 192.168.1.100 done # ================ Table 'filter', rule set Policy # # Rule -8 heartbeat (automatic) # echo "Rule -8 heartbeat (automatic)" # $IPTABLES -A OUTPUT -o eth2.100 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -7 heartbeat (automatic) # echo "Rule -7 heartbeat (automatic)" # $IPTABLES -A INPUT -i eth2.100 -p udp -m udp -s 172.20.0.2 -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -6 heartbeat (automatic) # echo "Rule -6 heartbeat (automatic)" # $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -5 heartbeat (automatic) # echo "Rule -5 heartbeat (automatic)" # $IPTABLES -A INPUT -i eth1 -p udp -m udp -s 192.168.1.2 -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -4 heartbeat (automatic) # echo "Rule -4 heartbeat (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -3 heartbeat (automatic) # echo "Rule -3 heartbeat (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK 
(automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_0 for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A INPUT -i eth0 -s $i_eth0 -m state --state NEW -j In_RULE_0 done $IPTABLES -A INPUT -i eth0 -s 172.20.0.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.254 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0 for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A FORWARD -i eth0 -s $i_eth0 -m state --state NEW -j In_RULE_0 done $IPTABLES -A FORWARD -i eth0 -s 172.20.0.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.254 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (lo) # echo "Rule 1 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_3 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_3 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_3 $IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT " $IPTABLES -A RULE_3 -j ACCEPT # # Rule 4 (global) # echo "Rule 4 
(global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # fw is part of any and networks for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT done # # Rule 6 (global) # echo "Rule 6 (global)" # # fw is NOT part of any and networks for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT done # # Rule 7 (global) # echo "Rule 7 (global)" # # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-2-d' because its address in unknown. for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT done # # Rule 8 (global) # echo "Rule 8 (global)" # # fw is part of any $IPTABLES -N Cid307958X52019.0 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid307958X52019.0 $IPTABLES -A Cid307958X52019.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid307958X52019.0 -s 192.168.1.254 -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # # fw is not part of any $IPTABLES -N Cid625000X52019.0 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid625000X52019.0 $IPTABLES -A Cid625000X52019.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid625000X52019.0 -s 192.168.1.254 -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # # fw is not part of any $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.254 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.1 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.2 -d 192.168.1.0/24 
--dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.2 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # # All other attempts to connect to # the firewall are denied and logged $IPTABLES -N RULE_12 for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -d $i_eth0 -j RULE_12 done $IPTABLES -A OUTPUT -d 172.20.0.1 -j RULE_12 $IPTABLES -A OUTPUT -d 192.168.1.1 -j RULE_12 $IPTABLES -A OUTPUT -d 192.168.1.254 -j RULE_12 $IPTABLES -A INPUT -j RULE_12 $IPTABLES -A RULE_12 -j LOG --log-level info --log-prefix "RULE 12 -- DENY " $IPTABLES -A RULE_12 -j DROP # # Rule 13 (eth0) # echo "Rule 13 (eth0)" # $IPTABLES -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o ! eth0 -m state --state NEW -j ACCEPT # # Rule 14 (eth0,eth1) # echo "Rule 14 (eth0,eth1)" # $IPTABLES -A INPUT -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth2.100 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth2.100 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2.100 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2.100 -m state --state NEW -j ACCEPT # # Rule 15 (eth0) # echo "Rule 15 (eth0)" # # fw is part of any is OFF $IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o ! 
eth0 -m state --state NEW -j ACCEPT # # Rule 16 (eth0,eth1) # echo "Rule 16 (eth0,eth1)" # # fw is part of any is OFF $IPTABLES -A FORWARD -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth2.100 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2.100 -m state --state NEW -j ACCEPT # # Rule 17 (eth0) # echo "Rule 17 (eth0)" # # fw is part of any is OFF $IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT # # Rule 18 (eth0,eth1) # echo "Rule 18 (eth0,eth1)" # # fw is part of any is OFF $IPTABLES -A FORWARD -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth2.100 -m state --state NEW -j ACCEPT # # Rule 19 (eth0) # echo "Rule 19 (eth0)" # # fw is part of any is OFF $IPTABLES -A FORWARD -o ! eth0 -m state --state NEW -j ACCEPT # # Rule 20 (eth0,eth1) # echo "Rule 20 (eth0,eth1)" # # fw is part of any is OFF $IPTABLES -A FORWARD -o eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2.100 -m state --state NEW -j ACCEPT # # Rule 21 (eth0) # echo "Rule 21 (eth0)" # $IPTABLES -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -o ! eth0 -d $i_eth0 -m state --state NEW -j ACCEPT done $IPTABLES -A OUTPUT -o ! eth0 -d 172.20.0.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o ! eth0 -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o ! 
eth0 -d 192.168.1.254 -m state --state NEW -j ACCEPT # # Rule 22 (eth0,eth1) # echo "Rule 22 (eth0,eth1)" # $IPTABLES -A INPUT -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth2.100 -m state --state NEW -j ACCEPT for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -o eth2 -d $i_eth0 -m state --state NEW -j ACCEPT done $IPTABLES -A OUTPUT -o eth2 -d 172.20.0.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2 -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2 -d 192.168.1.254 -m state --state NEW -j ACCEPT for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -o eth2.100 -d $i_eth0 -m state --state NEW -j ACCEPT done $IPTABLES -A OUTPUT -o eth2.100 -d 172.20.0.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2.100 -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2.100 -d 192.168.1.254 -m state --state NEW -j ACCEPT # # Rule 23 (eth0) # echo "Rule 23 (eth0)" # # fw is part of any is OFF $IPTABLES -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT # # Rule 24 (eth0,eth1) # echo "Rule 24 (eth0,eth1)" # # fw is part of any is OFF $IPTABLES -A INPUT -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth2.100 -m state --state NEW -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:41 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig000077500000000000000000000552661303637203600246270ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:41 2012 PDT by vadim # # files: * heartbeat_cluster_1_d_linux-2-d.fw firewall.sh # # Compiled for iptables (any version) # # This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. # Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0 # heartbeat_cluster_1_d:NAT:4: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown. 
# heartbeat_cluster_1_d:NAT:: warning: Empty inet address in object id57982X27834 # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown. # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown. FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo eth2 eth2.100" for i in eth0 eth1 lo eth2 eth2.100 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth1 192.168.1.2/24" "192.168.1.254/24" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth2.100 172.20.0.2/24" "" getaddr eth0 i_eth0 getaddr6 eth0 i_eth0_v6 getnet eth0 i_eth0_network getnet6 eth0 i_eth0_v6_network getaddr eth0 i_eth0 getaddr6 eth0 i_eth0_v6 getnet eth0 i_eth0_network getnet6 eth0 i_eth0_v6_network } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 
192.168.1.0/24 -j MASQUERADE # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source $i_eth0 done # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source $i_eth0 --random done # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -t nat -A PREROUTING -d $i_eth0 -j DNAT --to-destination 192.168.1.100 done # # Rule 4 (NAT) # echo "Rule 4 (NAT)" # # heartbeat_cluster_1_d:NAT:4: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown. $IPTABLES -t nat -A PREROUTING -d -j DNAT --to-destination 192.168.1.100 # ================ Table 'filter', rule set Policy # # Rule -8 heartbeat (automatic) # echo "Rule -8 heartbeat (automatic)" # $IPTABLES -A OUTPUT -o eth2.100 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -7 heartbeat (automatic) # echo "Rule -7 heartbeat (automatic)" # $IPTABLES -A INPUT -i eth2.100 -p udp -m udp -s 172.20.0.1 -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -6 heartbeat (automatic) # echo "Rule -6 heartbeat (automatic)" # $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -5 heartbeat (automatic) # echo "Rule -5 heartbeat (automatic)" # $IPTABLES -A INPUT -i eth1 -p udp -m udp -s 192.168.1.1 -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -4 heartbeat (automatic) # echo "Rule -4 heartbeat (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -3 heartbeat (automatic) # echo "Rule -3 heartbeat (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 
3780 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_0 for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A INPUT -i eth0 -s $i_eth0 -m state --state NEW -j In_RULE_0 done $IPTABLES -A INPUT -i eth0 -s 172.20.0.2 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.254 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0 for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A FORWARD -i eth0 -s $i_eth0 -m state --state NEW -j In_RULE_0 done $IPTABLES -A FORWARD -i eth0 -s 172.20.0.2 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.254 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (lo) # echo "Rule 1 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_3 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_3 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_3 $IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- 
ACCEPT " $IPTABLES -A RULE_3 -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # fw is part of any and networks for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT done # # Rule 6 (global) # echo "Rule 6 (global)" # # fw is NOT part of any and networks for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT done # # Rule 7 (global) # echo "Rule 7 (global)" # # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown. for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT done # # Rule 8 (global) # echo "Rule 8 (global)" # # fw is part of any $IPTABLES -N Cid307958X52019.0 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid307958X52019.0 $IPTABLES -A Cid307958X52019.0 -s 192.168.1.2 -j ACCEPT $IPTABLES -A Cid307958X52019.0 -s 192.168.1.254 -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # # fw is not part of any $IPTABLES -N Cid625000X52019.0 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid625000X52019.0 $IPTABLES -A Cid625000X52019.0 -s 192.168.1.2 -j ACCEPT $IPTABLES -A Cid625000X52019.0 -s 192.168.1.254 -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # # fw is not part of any $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.254 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.2 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j 
ACCEPT $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.1 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.1 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # # All other attempts to connect to # the firewall are denied and logged $IPTABLES -N RULE_12 for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -d $i_eth0 -j RULE_12 done $IPTABLES -A OUTPUT -d 172.20.0.2 -j RULE_12 $IPTABLES -A OUTPUT -d 192.168.1.2 -j RULE_12 $IPTABLES -A OUTPUT -d 192.168.1.254 -j RULE_12 $IPTABLES -A INPUT -j RULE_12 $IPTABLES -A RULE_12 -j LOG --log-level info --log-prefix "RULE 12 -- DENY " $IPTABLES -A RULE_12 -j DROP # # Rule 13 (eth0) # echo "Rule 13 (eth0)" # $IPTABLES -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o ! eth0 -m state --state NEW -j ACCEPT # # Rule 14 (eth0,eth1) # echo "Rule 14 (eth0,eth1)" # $IPTABLES -A INPUT -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth2.100 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth2.100 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2.100 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2.100 -m state --state NEW -j ACCEPT # # Rule 15 (eth0) # echo "Rule 15 (eth0)" # # fw is part of any is OFF $IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o ! 
eth0 -m state --state NEW -j ACCEPT # # Rule 16 (eth0,eth1) # echo "Rule 16 (eth0,eth1)" # # fw is part of any is OFF $IPTABLES -A FORWARD -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth2.100 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2.100 -m state --state NEW -j ACCEPT # # Rule 17 (eth0) # echo "Rule 17 (eth0)" # # fw is part of any is OFF $IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT # # Rule 18 (eth0,eth1) # echo "Rule 18 (eth0,eth1)" # # fw is part of any is OFF $IPTABLES -A FORWARD -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i eth2.100 -m state --state NEW -j ACCEPT # # Rule 19 (eth0) # echo "Rule 19 (eth0)" # # fw is part of any is OFF $IPTABLES -A FORWARD -o ! eth0 -m state --state NEW -j ACCEPT # # Rule 20 (eth0,eth1) # echo "Rule 20 (eth0,eth1)" # # fw is part of any is OFF $IPTABLES -A FORWARD -o eth2 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth2.100 -m state --state NEW -j ACCEPT # # Rule 21 (eth0) # echo "Rule 21 (eth0)" # $IPTABLES -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -o ! eth0 -d $i_eth0 -m state --state NEW -j ACCEPT done $IPTABLES -A OUTPUT -o ! eth0 -d 172.20.0.2 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o ! eth0 -d 192.168.1.2 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o ! 
eth0 -d 192.168.1.254 -m state --state NEW -j ACCEPT # # Rule 22 (eth0,eth1) # echo "Rule 22 (eth0,eth1)" # $IPTABLES -A INPUT -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth2.100 -m state --state NEW -j ACCEPT for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -o eth2 -d $i_eth0 -m state --state NEW -j ACCEPT done $IPTABLES -A OUTPUT -o eth2 -d 172.20.0.2 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2 -d 192.168.1.2 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2 -d 192.168.1.254 -m state --state NEW -j ACCEPT for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -o eth2.100 -d $i_eth0 -m state --state NEW -j ACCEPT done $IPTABLES -A OUTPUT -o eth2.100 -d 172.20.0.2 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2.100 -d 192.168.1.2 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth2.100 -d 192.168.1.254 -m state --state NEW -j ACCEPT # # Rule 23 (eth0) # echo "Rule 23 (eth0)" # # fw is part of any is OFF $IPTABLES -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT # # Rule 24 (eth0,eth1) # echo "Rule 24 (eth0,eth1)" # # fw is part of any is OFF $IPTABLES -A INPUT -i eth2 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth2.100 -m state --state NEW -j ACCEPT } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:41 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/heartbeat_cluster_1_linux-1.fw.orig000077500000000000000000000635511303637203600240760ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:41 2012 PDT by vadim # # files: * heartbeat_cluster_1_linux-1.fw /etc/heartbeat_cluster_1_linux-1.fw # # Compiled for iptables 1.4.0 # # # linux-1:to_fw:: warning: ignoring cluster rule set "to_fw" because member firewall "linux-1" has rule set with the same name. 
# Tool paths used by this generated script. FWBDEBUG is empty here, so
# "$FWBDEBUG $IP ..." runs the command; the sibling generated scripts on
# this page set it to "echo" in their test_interfaces action, which turns
# every such interface change into a dry-run print.
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# log MESSAGE: print MESSAGE to stdout and, when $LOGGER can be located
# with "which", also send it to syslog at priority info.
log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# getInterfaceVarName NAME: turn an interface name into a shell
# identifier fragment by replacing its first "." with "_"
# (eth2.100 -> eth2_100). Only the first dot is replaced (no "g" flag).
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# getaddr_internal DEV NAME AF: read the addresses of DEV for address
# family AF ("-4" or "-6") from "ip addr show" and store them,
# whitespace-separated, in the variable ${NAME}_list. When DEV has no
# address, $NAME itself is set to the empty string and ${NAME}_list is
# left untouched.
# NOTE(review): the assignment goes through eval. NAME is supplied by
# the generator (e.g. "i_eth0") and the value is the address field cut
# out of ip's output, so nothing user-controlled reaches eval here; any
# change that feeds external input into NAME or the filtered text would
# need to be re-examined.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    # keep only the address: drop everything up to "inet"/"inet6", the
    # prefix length after "/", and any trailing "peer ..." part
    L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# getnet_internal DEV NAME AF: like getaddr_internal but collects the
# kernel-installed routes whose line mentions DEV, excluding the default
# route, keeping only the destination prefix (text before the first
# space). Stored in ${NAME}_list; $NAME is emptied when there are none.
# AF is accepted for symmetry with getaddr_internal but is not used in
# the route query, so getnet6 lists the same routes as getnet.
# NOTE(review): "grep $dev" is a substring match, so routes of eth10
# would also be picked up for dev eth1; confirm this cannot happen with
# the interface names in use.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Address-family wrappers: getaddr/getnet for IPv4, getaddr6/getnet6 for
# IPv6. Arguments are DEV NAME as for the *_internal helpers.
getaddr() {
    getaddr_internal $1 $2 "-4"
}
getaddr6() {
    getaddr_internal $1 $2 "-6"
}
getnet() {
    getnet_internal $1 $2 "-4"
}
getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
# getinterfaces NAME: print, one per line, the name of every link whose
# "ip link show" entry contains ": NAME" (so NAME acts as a prefix).
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        # split "N: name: <flags> ..." on ":" and spaces; field 2 is the name
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# diff_intf FUNC LIST1 LIST2 CMD: for every item of LIST1 that does not
# appear in LIST2, call "FUNC item CMD". Used to add addresses that are
# configured in fwbuilder but missing on the box, and to remove the
# reverse.
# NOTE(review): membership is tested with "grep -q $intf" against the
# joined list, i.e. a substring/regex match rather than a whole-item
# one: "eth1" is found inside "eth10", and a "." in an address matches
# any character, so an item can be wrongly treated as already present.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        echo $list2 | grep -q $intf || {
            # $vlan is absent in list 2
            $func $intf $cmd
        }
    done
}

# find_program PGM: exit 1 with a message unless PGM can be located with
# "which". check_tools calls it for each binary this script depends on
# before anything touches the firewall.
# NOTE(review): "command -v" is the POSIX equivalent and does not depend
# on a separate which binary being installed.
find_program() {
    PGM=$1
    which $PGM >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# check_tools: verify that which, iptables, modprobe, ip and vconfig
# are all available; any missing one aborts the script.
check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $MODPROBE
    find_program $IP
    find_program $VCONFIG
}

# reset_iptables_v4: wipe the IPv4 ruleset. The default policies of the
# built-in filter chains are set to DROP *before* anything is flushed,
# so traffic is dropped rather than accepted while the chains are being
# rebuilt; then every chain of every table listed in
# /proc/net/ip_tables_names is flushed and user-defined chains are
# deleted (-X).
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    cat /proc/net/ip_tables_names | while read table; do
        # "iptables -L -n" prints one "Chain <name> ..." header per chain
        $IPTABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

# reset_iptables_v6: IPv6 counterpart of reset_iptables_v4, using
# ip6tables and /proc/net/ip6_tables_names (body follows).
reset_iptables_v6() {
$IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && 
exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@" set $vlan subint=$1 parent=$2 IFS=$oldIFS vlan_id=$(echo $subint | sed -r 's/(vlan|[^.]*\.)//') test "$cmd" = "add" && { echo $subint | grep -q "vlan" && name_type="VLAN_PLUS_VID" || name_type="DEV_PLUS_VID" test "$vlan_id" \< "1" || name_type="${name_type}_NO_PAD" echo "# Adding VLAN interface $subint (parent: $parent)" $FWBDEBUG $VCONFIG set_name_type $name_type $FWBDEBUG $VCONFIG $cmd $parent $vlan_id $FWBDEBUG $IP link set $subint up } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (parent: $parent)" $FWBDEBUG $VCONFIG $cmd $subint } } parse_fwb_vlans() { set $1 vlan_parent_interface=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent_interface" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent_interface=$1 CURRENT_VLANS="" PROC_DIR="/proc/net/vlan/" test -d $PROC_DIR || $MODPROBE 8021q || { echo "$PROC_DIR does not exist. Vlan interfaces are not available." 
exit 1 } test -f "/proc/net/vlan/config" && { CURRENT_VLANS=$( cat /proc/net/vlan/config | grep -v 'Dev name' | grep $vlan_parent_interface | \ while read subint a vlan_id b parent; do echo "${subint}@$parent" done | sort ) } echo $CURRENT_VLANS } update_vlans_of_interface() { args="$1" set $1 vlan_parent_interface=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface) $IP link set $vlan_parent_interface up diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } add_vlans() { args="$1" set $1 vlan_parent_interface=$1 FWB_VLANS=$(parse_fwb_vlans $args) CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface) $IP link set $vlan_parent_interface up diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add } clear_vlans_except_known() { FWB_VLANS=$* CURRENT_VLANS=$(parse_current_vlans '|') diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! 
-name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo eth0.100" for i in eth0 eth1 lo eth0.100 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_vlans_of_interface "eth0 eth0.100" clear_vlans_except_known eth0.100@eth0 update_addresses_of_interface "eth0 172.24.0.2/16" "172.24.0.1/16" update_addresses_of_interface "eth1 192.168.1.2/24" "192.168.1.1/24" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth0.100 192.168.100.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 172.24.0.1 --dport 22 -j DNAT --to-destination 192.168.1.100 # # Rule 3 (NAT) # echo "Rule 3 
(NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 172.24.0.1 --dport 22 -j DNAT --to-destination 192.168.1.100 # ================ Table 'filter', rule set to_fw # # Rule to_fw 0 (global) # echo "Rule to_fw 0 (global)" # # hashlimit 10/sec $IPTABLES -N to_fw $IPTABLES -N to_fw_0 $IPTABLES -A to_fw -m hashlimit --hashlimit 10/second --hashlimit-name htable_rule_0 -j to_fw_0 $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A to_fw_0 -j DROP # ================ Table 'filter', rule set Policy # # Rule -4 heartbeat (automatic) # echo "Rule -4 heartbeat (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -3 heartbeat (automatic) # echo "Rule -3 heartbeat (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -s 172.24.0.3 -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 
$IPTABLES -A FORWARD -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (lo) # echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # branch rule set is different in members linux-1 and linux-2 $IPTABLES -A OUTPUT -d 172.24.0.1 -j to_fw $IPTABLES -A OUTPUT -d 172.24.0.2 -j to_fw $IPTABLES -A OUTPUT -d 192.168.1.1 -j to_fw $IPTABLES -A OUTPUT -d 
192.168.1.2 -j to_fw $IPTABLES -A OUTPUT -d 192.168.100.1 -j to_fw $IPTABLES -A INPUT -j to_fw # # Rule 7 (global) # echo "Rule 7 (global)" # # branch rule set is different in members linux-1 and linux-2 $IPTABLES -A OUTPUT -d 172.24.0.1 -j to_fw $IPTABLES -A OUTPUT -d 172.24.0.2 -j to_fw $IPTABLES -A OUTPUT -d 192.168.1.1 -j to_fw $IPTABLES -A OUTPUT -d 192.168.1.2 -j to_fw $IPTABLES -A OUTPUT -d 192.168.100.1 -j to_fw $IPTABLES -A INPUT -j to_fw # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -A OUTPUT -d 172.24.0.1 -j DROP $IPTABLES -A OUTPUT -d 172.24.0.2 -j DROP $IPTABLES -A OUTPUT -d 192.168.1.1 -j DROP $IPTABLES -A OUTPUT -d 192.168.1.2 -j DROP $IPTABLES -A OUTPUT -d 192.168.100.1 -j DROP $IPTABLES -A INPUT -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -A INPUT -j DROP # # Rule 10 (global) # echo "Rule 10 (global)" # # fw is part of any $IPTABLES -N Cid997025X96143.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid997025X96143.0 $IPTABLES -A Cid997025X96143.0 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid997025X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid997025X96143.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid997025X96143.0 -s 192.168.1.2 -j ACCEPT $IPTABLES -A Cid997025X96143.0 -s 192.168.100.1 -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # # fw is NOT part of any $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # # fw is NOT part of any $IPTABLES -N Cid143289X96143.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid143289X96143.0 $IPTABLES -A Cid143289X96143.0 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid143289X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid143289X96143.0 -s 192.168.100.1 -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # # fw is NOT part of any $IPTABLES -N Cid1946680X96143.0 $IPTABLES -A OUTPUT -p tcp -m 
tcp --dport 22 -m state --state NEW -j Cid1946680X96143.0 $IPTABLES -A Cid1946680X96143.0 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid1946680X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid1946680X96143.0 -s 192.168.100.1 -j ACCEPT # # Rule 14 (eth0) # echo "Rule 14 (eth0)" # # fw is NOT part of any $IPTABLES -N Cid378955X96143.0 $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid378955X96143.0 $IPTABLES -A Cid378955X96143.0 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid378955X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid378955X96143.0 -s 192.168.100.1 -j ACCEPT $IPTABLES -N Cid378955X96143.1 $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid378955X96143.1 $IPTABLES -A Cid378955X96143.1 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid378955X96143.1 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid378955X96143.1 -s 192.168.100.1 -j ACCEPT # # Rule 15 (eth0) # echo "Rule 15 (eth0)" # # fw is NOT part of any $IPTABLES -N Cid1801407X96143.0 $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid1801407X96143.0 $IPTABLES -A Cid1801407X96143.0 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid1801407X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid1801407X96143.0 -s 192.168.100.1 -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # fw is NOT part of any $IPTABLES -N Cid143343X96143.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid143343X96143.0 $IPTABLES -A Cid143343X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid143343X96143.0 -s 192.168.100.1 -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT # # Rule 17 (eth0) # echo "Rule 17 (eth0)" # # fw is NOT part of any $IPTABLES -N Cid2241935X96143.0 $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241935X96143.0 $IPTABLES -A Cid2241935X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid2241935X96143.0 -s 192.168.100.1 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -p tcp 
-m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -N Cid2241935X96143.1 $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241935X96143.1 $IPTABLES -A Cid2241935X96143.1 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid2241935X96143.1 -s 192.168.100.1 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT # # Rule 18 (eth0) # echo "Rule 18 (eth0)" # # fw is NOT part of any $IPTABLES -N Cid2241981X96143.0 $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241981X96143.0 $IPTABLES -A Cid2241981X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid2241981X96143.0 -s 192.168.100.1 -j ACCEPT $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # # using interface of another cluster in the rule $IPTABLES -N Cid8228X45618.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid8228X45618.0 $IPTABLES -A Cid8228X45618.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid8228X45618.0 -s 192.168.1.2 -j ACCEPT $IPTABLES -A Cid8228X45618.0 -s 192.168.1.100 -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # $IPTABLES -N Cid147047X84105.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid147047X84105.0 $IPTABLES -A Cid147047X84105.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid147047X84105.0 -d 192.168.1.2 -j ACCEPT $IPTABLES -A Cid147047X84105.0 -d 192.168.1.100 -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -N RULE_21 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_21 $IPTABLES -A INPUT -m state --state NEW -j RULE_21 $IPTABLES -A FORWARD -m state --state NEW -j RULE_21 $IPTABLES -A RULE_21 -j LOG --log-level info --log-prefix "RULE 21 -- DENY " $IPTABLES -A RULE_21 -j DROP # # Rule 22 (global) # echo "Rule 22 (global)" # $IPTABLES -N RULE_22 $IPTABLES -A OUTPUT -j RULE_22 $IPTABLES -A INPUT -j RULE_22 
$IPTABLES -A FORWARD -j RULE_22 $IPTABLES -A RULE_22 -j LOG --log-level info --log-prefix "RULE 22 -- DENY " $IPTABLES -A RULE_22 -j DROP # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z "$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # # $IP route add 172.24.1.0/24 via 172.24.0.100 dev eth0 \ || route_command_error "0 (main)" restore_script_output echo "...done." 
} ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:41 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/heartbeat_cluster_1_linux-2.fw.orig000077500000000000000000000556471303637203600241060ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:41 2012 PDT by vadim # # files: * heartbeat_cluster_1_linux-2.fw /etc/heartbeat_cluster_1_linux-2.fw # # Compiled for iptables 1.4.0 # # linux-2:to_fw:: warning: ignoring cluster rule set "to_fw" because member firewall "linux-2" has rule set with the same name. FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo" for i in eth0 eth1 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 172.24.0.3/16" "172.24.0.1/16" update_addresses_of_interface "eth1 192.168.1.3/24" "192.168.1.1/24" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat 
-A PREROUTING -p tcp -m tcp -d 172.24.0.1 --dport 22 -j DNAT --to-destination 192.168.1.100 # # Rule 3 (NAT) # echo "Rule 3 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 172.24.0.1 --dport 22 -j DNAT --to-destination 192.168.1.100 # ================ Table 'filter', rule set to_fw # # Rule to_fw 0 (global) # echo "Rule to_fw 0 (global)" # # hashlimit 20/sec $IPTABLES -N to_fw $IPTABLES -N to_fw_0 $IPTABLES -A to_fw -m hashlimit --hashlimit 20/second --hashlimit-name htable_rule_0 -j to_fw_0 $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A to_fw_0 -j DROP # ================ Table 'filter', rule set Policy # # Rule -4 heartbeat (automatic) # echo "Rule -4 heartbeat (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -3 heartbeat (automatic) # echo "Rule -3 heartbeat (automatic)" # $IPTABLES -N Cid3009X69605.2.0 $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j Cid3009X69605.2.0 $IPTABLES -A Cid3009X69605.2.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid3009X69605.2.0 -s 192.168.100.1 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.3 -m 
state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (lo) # echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # branch rule set is different in members linux-1 and linux-2 $IPTABLES -A OUTPUT -d 172.24.0.1 -j to_fw $IPTABLES 
-A OUTPUT -d 172.24.0.3 -j to_fw $IPTABLES -A OUTPUT -d 192.168.1.1 -j to_fw $IPTABLES -A OUTPUT -d 192.168.1.3 -j to_fw $IPTABLES -A INPUT -j to_fw # # Rule 7 (global) # echo "Rule 7 (global)" # # branch rule set is different in members linux-1 and linux-2 $IPTABLES -A OUTPUT -d 172.24.0.2 -j to_fw $IPTABLES -A OUTPUT -d 192.168.1.2 -j to_fw $IPTABLES -A OUTPUT -d 192.168.100.1 -j to_fw $IPTABLES -A FORWARD -d 172.24.0.2 -j to_fw $IPTABLES -A FORWARD -d 192.168.1.2 -j to_fw $IPTABLES -A FORWARD -d 192.168.100.1 -j to_fw # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -A OUTPUT -d 172.24.0.1 -j DROP $IPTABLES -A OUTPUT -d 172.24.0.3 -j DROP $IPTABLES -A OUTPUT -d 192.168.1.1 -j DROP $IPTABLES -A OUTPUT -d 192.168.1.3 -j DROP $IPTABLES -A INPUT -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -A INPUT -j DROP # # Rule 10 (global) # echo "Rule 10 (global)" # # fw is part of any $IPTABLES -N Cid997025X96143.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid997025X96143.0 $IPTABLES -A Cid997025X96143.0 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid997025X96143.0 -s 172.24.0.3 -j ACCEPT $IPTABLES -A Cid997025X96143.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid997025X96143.0 -s 192.168.1.3 -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # # fw is NOT part of any $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 12 (global) # echo "Rule 12 (global)" # # fw is NOT part of any $IPTABLES -N Cid143289X96143.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid143289X96143.0 $IPTABLES -A Cid143289X96143.0 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid143289X96143.0 -s 172.24.0.3 -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # # fw is NOT part of any $IPTABLES -N Cid1946680X96143.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid1946680X96143.0 $IPTABLES -A 
Cid1946680X96143.0 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid1946680X96143.0 -s 172.24.0.3 -j ACCEPT # # Rule 14 (eth0) # echo "Rule 14 (eth0)" # # fw is NOT part of any $IPTABLES -N Cid378955X96143.0 $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid378955X96143.0 $IPTABLES -A Cid378955X96143.0 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid378955X96143.0 -s 172.24.0.3 -j ACCEPT $IPTABLES -N Cid378955X96143.1 $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid378955X96143.1 $IPTABLES -A Cid378955X96143.1 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid378955X96143.1 -s 172.24.0.3 -j ACCEPT # # Rule 15 (eth0) # echo "Rule 15 (eth0)" # # fw is NOT part of any $IPTABLES -N Cid1801407X96143.0 $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid1801407X96143.0 $IPTABLES -A Cid1801407X96143.0 -s 172.24.0.1 -j ACCEPT $IPTABLES -A Cid1801407X96143.0 -s 172.24.0.3 -j ACCEPT # # Rule 16 (global) # echo "Rule 16 (global)" # # fw is NOT part of any $IPTABLES -A OUTPUT -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -N Cid143343X96143.0 $IPTABLES -A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -j Cid143343X96143.0 $IPTABLES -A Cid143343X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid143343X96143.0 -s 192.168.100.1 -j ACCEPT # # Rule 17 (eth0) # echo "Rule 17 (eth0)" # # fw is NOT part of any $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -N Cid2241935X96143.0 $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241935X96143.0 $IPTABLES -A Cid2241935X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid2241935X96143.0 -s 192.168.100.1 -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -N Cid2241935X96143.1 $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241935X96143.1 $IPTABLES -A 
Cid2241935X96143.1 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid2241935X96143.1 -s 192.168.100.1 -j ACCEPT # # Rule 18 (eth0) # echo "Rule 18 (eth0)" # # fw is NOT part of any $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -N Cid2241981X96143.0 $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241981X96143.0 $IPTABLES -A Cid2241981X96143.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid2241981X96143.0 -s 192.168.100.1 -j ACCEPT # # Rule 19 (global) # echo "Rule 19 (global)" # # using interface of another cluster in the rule $IPTABLES -N Cid8228X45618.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid8228X45618.0 $IPTABLES -A Cid8228X45618.0 -s 192.168.1.1 -j ACCEPT $IPTABLES -A Cid8228X45618.0 -s 192.168.1.2 -j ACCEPT $IPTABLES -A Cid8228X45618.0 -s 192.168.1.100 -j ACCEPT # # Rule 20 (global) # echo "Rule 20 (global)" # $IPTABLES -N Cid147047X84105.0 $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid147047X84105.0 $IPTABLES -A Cid147047X84105.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid147047X84105.0 -d 192.168.1.2 -j ACCEPT $IPTABLES -A Cid147047X84105.0 -d 192.168.1.100 -j ACCEPT # # Rule 21 (global) # echo "Rule 21 (global)" # $IPTABLES -N RULE_21 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_21 $IPTABLES -A INPUT -m state --state NEW -j RULE_21 $IPTABLES -A FORWARD -m state --state NEW -j RULE_21 $IPTABLES -A RULE_21 -j LOG --log-level info --log-prefix "RULE 21 -- DENY " $IPTABLES -A RULE_21 -j DROP # # Rule 22 (global) # echo "Rule 22 (global)" # $IPTABLES -N RULE_22 $IPTABLES -A OUTPUT -j RULE_22 $IPTABLES -A INPUT -j RULE_22 $IPTABLES -A FORWARD -j RULE_22 $IPTABLES -A RULE_22 -j LOG --log-level info --log-prefix "RULE 22 -- DENY " $IPTABLES -A RULE_22 -j DROP # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z 
"$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # # $IP route add 172.24.1.0/24 via 172.24.0.100 dev eth0 \ || route_command_error "0 (main)" restore_script_output echo "...done." } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:41 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/heartbeat_cluster_2_linux-1.fw.orig000077500000000000000000000510201303637203600240630ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:41 2012 PDT by vadim # # files: * heartbeat_cluster_2_linux-1.fw /etc/heartbeat_cluster_2_linux-1.fw # # Compiled for iptables 1.4.0 # # # linux-1:to_fw:: warning: ignoring cluster rule set "to_fw" because member firewall "linux-1" has rule set with the same name. 
# ---------------------------------------------------------------------
# Runtime library of the generated script: tool paths and the helper
# functions the action dispatcher (start/stop/status/...) calls.
# FWBDEBUG is empty for a real run; the "test_interfaces" action sets it
# to "echo" so the interface-changing commands below are printed rather
# than executed.
# ---------------------------------------------------------------------
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print $1 and, when logger is installed, also send it to syslog at
# priority "info".
log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# Turn an interface name into something usable as a variable name:
# only the FIRST '.' is replaced with '_' (sed without the g flag).
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# Arguments: $1 device, $2 name of the variable to fill, $3 address
# family flag for ip ("-4" / "-6").
# Collects the addresses of $dev, strips the prefix length and any
# "peer ..." suffix, and stores the list in ${name}_list.
# When nothing is found, $name itself is set to '' and ${name}_list is
# left untouched (note the asymmetry between the two eval lines).
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Same contract as getaddr_internal, for the kernel-installed
# ("proto kernel") routes through $dev, excluding the default route.
# NOTE(review): $af is assigned but never passed to $IP here, so the
# route list is not restricted by address family — confirm intent.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Convenience wrappers: $1 device, $2 variable name.
getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# Expand a wildcard interface name: print the name of every link whose
# "ip link show" line contains ": $NAME" (second field of that line).
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# Call "$func <item> $cmd" for every item of $list1 that does not occur
# in $list2.  Membership is tested with an unanchored "grep -q $intf",
# so an item that is a substring of another entry (eth1 vs eth10) is
# treated as present — presumably acceptable for the names fwbuilder
# generates; confirm if wildcard or similar names are used.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        echo $list2 | grep -q $intf || {
            # $intf is absent in list 2
            $func $intf $cmd
        }
    done
}

# Abort the whole script (exit 1) when program $1 is not on PATH.
find_program() {
    PGM=$1
    which $PGM >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

# Required tools; a missing one aborts before any rule is touched.
check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $MODPROBE
    find_program $IP
    find_program $VCONFIG
}

# Wipe the IPv4 rule set: every chain in every loaded table is flushed
# and all user-defined chains are deleted.  The built-in policies are
# switched to DROP first, so the host is fail-closed while the rules
# are rebuilt.  Table and chain names are taken from
# /proc/net/ip_tables_names and from parsing "iptables -L -n" output.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

# IPv6 counterpart of reset_iptables_v4 (defined but not called from
# reset_all in this script).
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t $table -F $chain
            fi
        done
        $IP6TABLES -t $table -X
    done
}

# Set once the point-to-point warning below has been printed.
P2P_INTERFACE_WARNING=""

# Add ($2 = "add") or remove ($2 = "del") one address, $1 given as
# "addr@interface".  Point-to-point interfaces are skipped with a
# one-time warning.  Addresses containing ':' (IPv6) are added without
# "broadcast +".  A failed "del" aborts the script; a failed "add" does
# not (no "|| exit 1" on that branch).  The interface is brought up at
# the end regardless of $cmd.
missing_address() {
    address=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS
    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }
    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        echo $addr | grep -q ':' && {
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        } || {
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        }
    }
    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }
    $FWBDEBUG $IP link set $interface up
}

# Print "addr@interface" for each inet/inet6 address of $1 whose
# "ip addr" line matches the regex $2, skipping the addresses listed in
# $3.  The output is sorted so it can be compared by diff_intf.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
    awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
      'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
    while read addr; do
        echo "${addr}@$interface"
    done | sort
}

# $1 = "interface addr1 addr2 ...", $2 = addresses to leave alone.
# Adds the addresses fwbuilder lists that the interface lacks and
# removes global-scope addresses the interface has but fwbuilder does
# not list.  Addresses in $2 are hidden from the current-state lists,
# so they are never removed by this function.  A non-existent interface
# aborts the script unless FWBDEBUG (test mode) is set.
update_addresses_of_interface() {
    ignore_list=$2
    set $1
    interface=$1
    shift
    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )
    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""
    $IP link show dev $interface >/dev/null 2>&1 && {
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    } || {
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    }
    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush all global-scope addresses and bring down every link that is
# NOT named in the arguments.  Not called from configure_interfaces in
# this script.
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
      'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
    while read intf; do
        echo "# Removing addresses not configured in fwbuilder from interface $intf"
        $FWBDEBUG $IP addr flush dev $intf scope global
        $FWBDEBUG $IP link set $intf down
    done
}

# Create ($2 = "add") or remove ($2 = "rem") a VLAN sub-interface, $1
# given as "subint@parent".  The VLAN id is what remains of the
# sub-interface name after stripping a leading "vlan" or "<parent>."
# prefix.  name_type picks vconfig's naming scheme (VLAN_PLUS_VID for
# "vlanNNN", DEV_PLUS_VID for "ethN.NNN"); "_NO_PAD" is appended unless
# the id string compares lexically below "1" — the intent of that
# string comparison is not obvious from here, confirm.
missing_vlan() {
    vlan=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set $vlan
    subint=$1
    parent=$2
    IFS=$oldIFS
    vlan_id=$(echo $subint | sed -r 's/(vlan|[^.]*\.)//')
    test "$cmd" = "add" && {
        echo $subint | grep -q "vlan" && name_type="VLAN_PLUS_VID" || name_type="DEV_PLUS_VID"
        test "$vlan_id" \< "1" || name_type="${name_type}_NO_PAD"
        echo "# Adding VLAN interface $subint (parent: $parent)"
        $FWBDEBUG $VCONFIG set_name_type $name_type
        $FWBDEBUG $VCONFIG $cmd $parent $vlan_id
        $FWBDEBUG $IP link set $subint up
    }
    test "$cmd" = "rem" && {
        echo "# Removing VLAN interface $subint (parent: $parent)"
        $FWBDEBUG $VCONFIG $cmd $subint
    }
}

# $1 = "parent sub1 sub2 ...": print the sorted "sub@parent" list that
# fwbuilder expects to exist.
parse_fwb_vlans() {
    set $1
    vlan_parent_interface=$1
    shift
    FWB_VLANS=$(
        for subint in $*; do
            echo "${subint}@$vlan_parent_interface"
        done | sort
    )
    echo $FWB_VLANS
}

# Print the sorted "sub@parent" list of VLANs currently configured whose
# /proc/net/vlan/config line matches $1.  Loads the 8021q module when
# /proc/net/vlan is missing; aborts if that fails too.
# clear_vlans_except_known passes '|' as $1, presumably to match every
# line of the config file — confirm against the proc file format.
parse_current_vlans() {
    vlan_parent_interface=$1
    CURRENT_VLANS=""
    PROC_DIR="/proc/net/vlan/"
    test -d $PROC_DIR || $MODPROBE 8021q || {
        echo "$PROC_DIR does not exist. Vlan interfaces are not available."
        exit 1
    }
    test -f "/proc/net/vlan/config" && {
        CURRENT_VLANS=$(
            cat /proc/net/vlan/config | grep -v 'Dev name' | grep $vlan_parent_interface | \
            while read subint a vlan_id b parent; do
                echo "${subint}@$parent"
            done | sort
        )
    }
    echo $CURRENT_VLANS
}

# $1 = "parent sub1 sub2 ...": bring the parent up, add missing VLANs
# and remove VLANs of that parent that fwbuilder does not list.
update_vlans_of_interface() {
    args="$1"
    set $1
    vlan_parent_interface=$1
    FWB_VLANS=$(parse_fwb_vlans "$args")
    CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface)
    $IP link set $vlan_parent_interface up
    diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
    diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
}

# Like update_vlans_of_interface but only adds, never removes.
add_vlans() {
    args="$1"
    set $1
    vlan_parent_interface=$1
    FWB_VLANS=$(parse_fwb_vlans $args)
    CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface)
    $IP link set $vlan_parent_interface up
    diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
}

# Remove every configured VLAN that is not among the "sub@parent"
# arguments.
clear_vlans_except_known() {
    FWB_VLANS=$*
    CURRENT_VLANS=$(parse_current_vlans '|')
    diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
}

# Abort unless file $2 (referenced by address table object $1) is
# readable.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# No run-time address tables in this configuration.
check_run_time_address_table_files() {
    :
}

# Load the conntrack modules found under the running kernel's module
# tree; with "nat" / "ipv6" in $1 the nat and IPv6 conntrack modules
# are added.  Module names are derived from file names.  Modules that
# lsmod already lists are skipped; a modprobe failure aborts.
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
    MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    echo $OPTS | grep -q nat && {
        MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    echo $OPTS | grep -q ipv6 && {
        MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    for module in $MODULES; do
        if $LSMOD | grep ${module} >/dev/null; then continue; fi
        $MODPROBE ${module} || exit 1
    done
}

# Abort (after logging) if any interface the rules refer to is absent.
verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 eth1 lo eth0.100"
    for i in eth0 eth1 lo eth0.100 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# User hooks run before / after the rule set is installed (empty
# placeholders in this configuration).
prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Bring VLANs and addresses in line with the fwbuilder model.  The
# second argument of update_addresses_of_interface (172.24.0.1/16 and
# 192.168.1.1/24) is the ignore list: this script never adds or removes
# those addresses — presumably they are managed by the cluster
# software, confirm.
configure_interfaces() {
    :
    # Configure interfaces
    update_vlans_of_interface "eth0 eth0.100"
    clear_vlans_except_known eth0.100@eth0
    update_addresses_of_interface "eth0 172.24.0.2/16" "172.24.0.1/16"
    update_addresses_of_interface "eth1 192.168.1.2/24" "192.168.1.1/24"
    update_addresses_of_interface "lo 127.0.0.1/8" ""
    update_addresses_of_interface "eth0.100 192.168.100.1/24" ""
}

# Install the IPv4 rule set and then the static routes.  Every rule is
# appended (-A), so evaluation order is the order written here.  The
# routing part redirects stdout/stderr into a private temp file and
# replays it at the end; if a route command fails the previous routing
# table is restored from $OLD_ROUTES (see route_command_error).
script_body() {
    # ================ IPv4
    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ================ Table 'nat', rule set NAT
    # (Rule 0 and Rule 1 are identical as generated.)
    #
    # Rule 0 (NAT)
    #
    echo "Rule 0 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1
    #
    # Rule 1 (NAT)
    #
    echo "Rule 1 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1
    # ================ Table 'filter', rule set to_fw
    # Branch chain used by rules 6 and 7 below: rate-limit, log, drop.
    #
    # Rule to_fw 0 (global)
    #
    echo "Rule to_fw 0 (global)"
    #
    # hashlimit 10/sec
    $IPTABLES -N to_fw
    $IPTABLES -N to_fw_0
    $IPTABLES -A to_fw -m hashlimit --hashlimit 10/second --hashlimit-name htable_rule_0 -j to_fw_0
    $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -A to_fw_0 -j DROP
    # ================ Table 'filter', rule set Policy
    # Rules -4..-1: cluster traffic (heartbeat, conntrack sync) to and
    # from the other member, accepted before the user rules.
    #
    # Rule -4 heartbeat (automatic)
    #
    echo "Rule -4 heartbeat (automatic)"
    #
    $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 172.24.0.3 --dport 694 -j ACCEPT
    #
    # Rule -3 heartbeat (automatic)
    #
    echo "Rule -3 heartbeat (automatic)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -s 172.24.0.3 --dport 694 -j ACCEPT
    #
    # Rule -2 CONNTRACK (automatic)
    #
    echo "Rule -2 CONNTRACK (automatic)"
    #
    $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 172.24.0.3 --dport 3781 -j ACCEPT
    #
    # Rule -1 CONNTRACK (automatic)
    #
    echo "Rule -1 CONNTRACK (automatic)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -s 172.24.0.3 --dport 3781 -j ACCEPT
    #
    # Rule 0 (eth0)
    #
    echo "Rule 0 (eth0)"
    #
    $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT
    #
    # Rule 1 (eth0)
    #
    echo "Rule 1 (eth0)"
    #
    # anti spoofing rule: new connections arriving on eth0 that claim
    # one of the firewall's own or internal addresses are logged and dropped
    $IPTABLES -N In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1
    $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1
    $IPTABLES -A FORWARD -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1
    $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1
    $IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_1
    $IPTABLES -A FORWARD -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1
    $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1
    $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
    $IPTABLES -A In_RULE_1 -j DROP
    #
    # Rule 2 (lo)
    #
    echo "Rule 2 (lo)"
    #
    $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
    #
    # Rule 3 (global)
    #
    echo "Rule 3 (global)"
    #
    # SSH Access to firewall is permitted
    # only from internal network
    $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
    #
    # Rule 4 (global)
    #
    echo "Rule 4 (global)"
    #
    # SSH Access to firewall is permitted
    # only from internal network
    $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT
    #
    # Rule 5 (global)
    #
    echo "Rule 5 (global)"
    #
    # Firewall uses one of the machines
    # on internal network for DNS
    $IPTABLES -N RULE_5
    $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5
    $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5
    $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
    $IPTABLES -A RULE_5 -j ACCEPT
    #
    # Rule 6 (global)
    #
    echo "Rule 6 (global)"
    #
    # branch rule set is different in members linux-1 and linux-2
    $IPTABLES -A OUTPUT -d 172.24.0.1 -j to_fw
    $IPTABLES -A OUTPUT -d 172.24.0.2 -j to_fw
    $IPTABLES -A OUTPUT -d 192.168.1.1 -j to_fw
    $IPTABLES -A OUTPUT -d 192.168.1.2 -j to_fw
    $IPTABLES -A OUTPUT -d 192.168.100.1 -j to_fw
    $IPTABLES -A INPUT -j to_fw
    #
    # Rule 7 (global)
    #
    echo "Rule 7 (global)"
    #
    # branch rule set is different in members linux-1 and linux-2
    $IPTABLES -A OUTPUT -d 172.24.0.1 -j to_fw
    $IPTABLES -A OUTPUT -d 172.24.0.2 -j to_fw
    $IPTABLES -A OUTPUT -d 192.168.1.1 -j to_fw
    $IPTABLES -A OUTPUT -d 192.168.1.2 -j to_fw
    $IPTABLES -A OUTPUT -d 192.168.100.1 -j to_fw
    $IPTABLES -A INPUT -j to_fw
    #
    # Rule 8 (global)
    #
    echo "Rule 8 (global)"
    #
    $IPTABLES -N RULE_8
    $IPTABLES -A OUTPUT -d 172.24.0.1 -j RULE_8
    $IPTABLES -A OUTPUT -d 172.24.0.2 -j RULE_8
    $IPTABLES -A OUTPUT -d 192.168.1.1 -j RULE_8
    $IPTABLES -A OUTPUT -d 192.168.1.2 -j RULE_8
    $IPTABLES -A OUTPUT -d 192.168.100.1 -j RULE_8
    $IPTABLES -A INPUT -j RULE_8
    $IPTABLES -A RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY "
    $IPTABLES -A RULE_8 -j DROP
    #
    # Rule 9 (global)
    #
    echo "Rule 9 (global)"
    #
    $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    #
    # Rule 10 (global)
    #
    echo "Rule 10 (global)"
    #
    $IPTABLES -N RULE_10
    $IPTABLES -A OUTPUT -m state --state NEW -j RULE_10
    $IPTABLES -A INPUT -m state --state NEW -j RULE_10
    $IPTABLES -A FORWARD -m state --state NEW -j RULE_10
    $IPTABLES -A RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- DENY "
    $IPTABLES -A RULE_10 -j DROP
    #
    # Rule 11 (global)
    #
    echo "Rule 11 (global)"
    #
    # Catch-all: anything not matched above is logged and dropped.
    $IPTABLES -N RULE_11
    $IPTABLES -A OUTPUT -j RULE_11
    $IPTABLES -A INPUT -j RULE_11
    $IPTABLES -A FORWARD -j RULE_11
    $IPTABLES -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY "
    $IPTABLES -A RULE_11 -j DROP
    # ============== ROUTING RULES ==============
    # Private scratch directory for the captured output and the saved
    # routes.  mktemp -d is preferred; the fallback name is predictable
    # (pid-based), but mkdir without -p fails when the entry already
    # exists, so a pre-existing path aborts rather than being reused, and
    # umask 077 keeps the directory private to this user.
    HAVE_MKTEMP=$(which mktemp)
    test -n "$HAVE_MKTEMP" && {
        TMPDIRNAME=$(mktemp -d)
        test -z "$TMPDIRNAME" && exit 1
    }
    test -z "$HAVE_MKTEMP" && {
        TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$"
        (umask 077 && mkdir $TMPDIRNAME) || exit 1
    }
    TMPFILENAME="$TMPDIRNAME/.fwbuilder.out"
    OLD_ROUTES="$TMPDIRNAME/.old_routes"
    #
    # This function stops stdout redirection (the original stdout is
    # kept on fd 3, see the exec lines below), sends previously saved
    # output to the terminal and removes the scratch directory.
    restore_script_output() {
        exec 1>&3 2>&1
        cat $TMPFILENAME
        rm -rf $TMPDIRNAME
    }
    # if any routing rule fails we do our best to prevent freezing the
    # firewall: delete every route, replay the saved routes (a script
    # this function's caller wrote into the private temp dir), restore
    # the output, run the epilog and exit 1.
    route_command_error() {
        echo "Error: Routing rule $1 couldn't be activated"
        echo "Recovering previous routing configuration..."
        # delete current routing rules
        $IP route show | while read route ; do $IP route del $route ; done
        # restore old routing rules
        sh $OLD_ROUTES
        echo "...done"
        restore_script_output
        epilog_commands
        exit 1
    }
    # redirect output to prevent ssh session from stalling:
    # save stdout on fd 3, then send stdout and stderr to the temp file
    exec 3>&1
    exec 1> $TMPFILENAME
    exec 2>&1
    # store previous routing configuration (sort: 'via' GW has to be
    # inserted after device routes)
    $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES
    echo "Deleting routing rules previously set by user space processes..."
    # keep kernel-installed routes and the default route, drop the rest
    $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \
        while read route ; do $IP route del $route ; done
    echo "Activating non-ecmp routing rules..."
    #
    # Rule 0 (main)
    #
    echo "Routing rule 0 (main)"
    #
    #
    #
    $IP route add 172.24.1.0/24 via 172.24.0.100 dev eth0 \
        || route_command_error "0 (main)"
    restore_script_output
    echo "...done."
}

# Enable IPv4 forwarding.
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only the IPv4 tables are reset by this script.
reset_all() {
    :
    reset_iptables_v4
}

# "block": policies DROP and every chain flushed — nothing passes.
block_action() {
    reset_all
}

# "stop": after the reset the built-in policies are set back to ACCEPT,
# i.e. the host does no packet filtering at all until "start" is run.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# $1 = proc file listing the loaded tables.  Returns 151 when the file
# is absent (netfilter modules not loaded), 152 when it is empty (no
# tables configured), 0 otherwise.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status": returns 0 when either the IPv4 or the IPv6 tables are
# present; otherwise prints a diagnosis and exits 3.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:41 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/heartbeat_cluster_2_linux-2.fw.orig000077500000000000000000000446531303637203600241020ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:42 2012 PDT by vadim # # files: * heartbeat_cluster_2_linux-2.fw /etc/heartbeat_cluster_2_linux-2.fw # # Compiled for iptables 1.4.0 # # linux-2:to_fw:: warning: ignoring cluster rule set "to_fw" because member firewall "linux-2" has rule set with the same name. 
FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT 
DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf 
missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo" for i in eth0 eth1 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 172.24.0.3/16" "172.24.0.1/16" update_addresses_of_interface "eth1 192.168.1.3/24" "192.168.1.1/24" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions 
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # ================ Table 'filter', rule set to_fw # # Rule to_fw 0 (global) # echo "Rule to_fw 0 (global)" # # hashlimit 20/sec $IPTABLES -N to_fw $IPTABLES -N to_fw_0 $IPTABLES -A to_fw -m hashlimit --hashlimit 20/second --hashlimit-name htable_rule_0 -j to_fw_0 $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A to_fw_0 -j DROP # ================ Table 'filter', rule set Policy # # Rule -4 heartbeat (automatic) # echo "Rule -4 heartbeat (automatic)" # $IPTABLES -N Cid3009X69605.3.0 $IPTABLES -A OUTPUT -o eth0 -p udp -m udp --dport 694 -j Cid3009X69605.3.0 $IPTABLES -A Cid3009X69605.3.0 -d 172.24.0.2 -j ACCEPT $IPTABLES -A Cid3009X69605.3.0 -d 192.168.100.1 -j ACCEPT # # Rule -3 heartbeat (automatic) # echo "Rule -3 heartbeat (automatic)" # $IPTABLES -N Cid3009X69605.2.0 $IPTABLES -A INPUT -i eth0 -p udp -m udp --dport 694 -j Cid3009X69605.2.0 $IPTABLES -A Cid3009X69605.2.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid3009X69605.2.0 -s 192.168.100.1 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -N Cid3009X69605.1.0 $IPTABLES -A OUTPUT -o eth0 -p udp -m udp --dport 3781 -j Cid3009X69605.1.0 $IPTABLES -A Cid3009X69605.1.0 -d 172.24.0.2 -j ACCEPT $IPTABLES -A Cid3009X69605.1.0 -d 192.168.100.1 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK (automatic)" # $IPTABLES -N Cid3009X69605.0.0 $IPTABLES -A INPUT -i eth0 -p udp -m udp --dport 3781 -j Cid3009X69605.0.0 $IPTABLES 
-A Cid3009X69605.0.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid3009X69605.0.0 -s 192.168.100.1 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (lo) # echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp 
-s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # branch rule set is different in members linux-1 and linux-2 $IPTABLES -A OUTPUT -d 172.24.0.1 -j to_fw $IPTABLES -A OUTPUT -d 172.24.0.3 -j to_fw $IPTABLES -A OUTPUT -d 192.168.1.1 -j to_fw $IPTABLES -A OUTPUT -d 192.168.1.3 -j to_fw $IPTABLES -A INPUT -j to_fw # # Rule 7 (global) # echo "Rule 7 (global)" # # branch rule set is different in members linux-1 and linux-2 $IPTABLES -A OUTPUT -d 172.24.0.2 -j to_fw $IPTABLES -A OUTPUT -d 192.168.1.2 -j to_fw $IPTABLES -A OUTPUT -d 192.168.100.1 -j to_fw $IPTABLES -A FORWARD -d 172.24.0.2 -j to_fw $IPTABLES -A FORWARD -d 192.168.1.2 -j to_fw $IPTABLES -A FORWARD -d 192.168.100.1 -j to_fw # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -d 172.24.0.1 -j RULE_8 $IPTABLES -A OUTPUT -d 172.24.0.3 -j RULE_8 $IPTABLES -A OUTPUT -d 192.168.1.1 -j RULE_8 $IPTABLES -A OUTPUT -d 192.168.1.3 -j RULE_8 $IPTABLES -A INPUT -j RULE_8 $IPTABLES -A RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY " $IPTABLES -A RULE_8 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_10 $IPTABLES -A INPUT -m state --state NEW -j RULE_10 
$IPTABLES -A FORWARD -m state --state NEW -j RULE_10 $IPTABLES -A RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- DENY " $IPTABLES -A RULE_10 -j DROP # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -N RULE_11 $IPTABLES -A OUTPUT -j RULE_11 $IPTABLES -A INPUT -j RULE_11 $IPTABLES -A FORWARD -j RULE_11 $IPTABLES -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY " $IPTABLES -A RULE_11 -j DROP # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z "$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." 
#
# Rule 0 (main)
#
echo "Routing rule 0 (main)"
#
#
#
# On failure route_command_error (defined earlier in this file) restores
# the saved routing table and exits, so a bad route does not lock the box.
$IP route add 172.24.1.0/24 via 172.24.0.100 dev eth0 \
    || route_command_error "0 (main)"

restore_script_output
echo "...done."
}

# Enable IPv4 forwarding in the kernel; this script is compiled for a
# firewall that routes between its interfaces.
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# DROP policies plus flush/delete of every chain in every IPv4 table
# (see reset_iptables_v4). Only the IPv4 tables are reset here.
reset_all() {
    :
    reset_iptables_v4
}

# "block": leave the firewall with DROP policies and no rules at all.
block_action() {
    reset_all
}

# "stop": flush everything, then open the built-in chains (policy ACCEPT).
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# $1 - /proc file that lists the loaded netfilter tables.
# Returns 151 if the file does not exist (modules not loaded),
# 152 if it is empty (no table configured), 0 otherwise.
# The expansions are unquoted but the callers only pass fixed /proc paths.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# "status": return 0 if either the IPv4 or the IPv6 table list is
# populated; otherwise print the reason(s) and exit 3.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

# NOTE(review): in every arm RETVAL is the status of the last helper
# only (epilog_commands for "start"); earlier helpers that fail are
# expected to exit on their own. The usage arm sets no RETVAL at all, so
# the final "exit $RETVAL" becomes a bare "exit" and reports the status
# of the echo (0) - an unknown command is not signalled to the caller.
case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules "nat "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        # FWBDEBUG="echo" turns every ip/vconfig invocation in the
        # interface helpers into a dry-run print.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        ;;
esac

exit $RETVAL
fwbuilder-5.3.7/test/ipt/host.fw.orig000077500000000000000000000262311303637203600175500ustar00rootroot00000000000000
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:36 2012 PDT by vadim # # files: * host.fw /etc/fw/host.fw # # Compiled for iptables (any version) # # firewall protects host it is running on FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces } script_body() { echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level debug $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (lo) # echo "Rule 1 (lo)" # # allow everything on loopback $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT # # Rule 2 (lo) # echo "Rule 2 (lo)" # # allow everything on loopback $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (lo) # echo "Rule 3 (lo)" # $IPTABLES -N Cid3BD8ECC6.0 $IPTABLES -A INPUT -i lo -s 22.22.22.22 
-m state --state NEW -j Cid3BD8ECC6.0 $IPTABLES -A INPUT -i lo -s 127.0.0.1 -m state --state NEW -j Cid3BD8ECC6.0 $IPTABLES -N In_RULE_3 $IPTABLES -A Cid3BD8ECC6.0 -d 22.22.22.22 -j In_RULE_3 $IPTABLES -A Cid3BD8ECC6.0 -d 127.0.0.1 -j In_RULE_3 $IPTABLES -A In_RULE_3 -j LOG --log-level debug $IPTABLES -A In_RULE_3 -j ACCEPT $IPTABLES -N Cid3BD8ECC6.1 $IPTABLES -A OUTPUT -o lo -s 22.22.22.22 -m state --state NEW -j Cid3BD8ECC6.1 $IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -m state --state NEW -j Cid3BD8ECC6.1 $IPTABLES -N Out_RULE_3 $IPTABLES -A Cid3BD8ECC6.1 -d 22.22.22.22 -j Out_RULE_3 $IPTABLES -A Cid3BD8ECC6.1 -d 127.0.0.1 -j Out_RULE_3 $IPTABLES -A Out_RULE_3 -j LOG --log-level debug $IPTABLES -A Out_RULE_3 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A INPUT -s 22.22.22.22 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # # 'catch all' rule $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -m limit --limit 10/minute --limit-burst 50 -j RULE_8 $IPTABLES -A INPUT -m limit --limit 10/minute --limit-burst 50 -j RULE_8 $IPTABLES -A RULE_8 -j LOG --log-level debug --log-prefix "CATCH ALL RULE" $IPTABLES -A RULE_8 -j DROP } ip_forward() { : echo 0 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:36 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/ipcop1.fw.orig000077500000000000000000000120311303637203600177570ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v4.2.0.3437 # # Generated Mon Jan 17 19:25:17 2011 PST by vadim # # files: * ipcop1.fw # # Compiled for iptables (any version) # # Endian firewall appliance, 2 interfaces: # br0 is GREEN # eth1 is RED # Do not forget to change IP addresses to # match your firewall. 
# Absolute paths of every tool the script may invoke; PATH is extended
# as well so that anything called by bare name resolves the same way.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print $1 and, when $LOGGER is executable, also send it to syslog at
# priority info.
log() {
    echo "$1"
    test -x "$LOGGER" && $LOGGER -p info "$1"
}

# $1 - name of the AddressTable object, $2 - path of its data file.
# Exits 1 when the file is not readable.
# NOTE(review): this definition is overridden by the second check_file()
# further down in this file; only the wording of the message differs.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by AddressTable object $1"
        exit 1
    }
}

# Make an interface name usable as part of a variable name by replacing
# the first "." with "_" (the sed expression has no g flag).
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# function getinterfaces is used to process wildcard interfaces
# $1 - interface name prefix. Prints the name field of every
# "ip link show" line that starts with ": $1"; each line is word-split
# on space and ":" via set, so $2 is the interface name.
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# $1 - program path. Detects an absent program by actually executing it
# with /dev/null as its only argument and checking for status 127
# ("command not found"); any other status, including the program's own
# complaint about the bogus argument, counts as "present".
find_program() {
    PGM=$1
    $PGM /dev/null 2>&1; test $? = 127 && {
        echo "$PGM not found"
        exit 1
    }
}

# Abort before touching any rule if a required tool is missing.
check_tools() {
    find_program $IPTABLES
    find_program $MODPROBE
    find_program $IP
}

# Set DROP policies on the built-in filter chains, then flush every
# chain of every loaded IPv4 table and delete the user-defined chains.
# Table names come from /proc/net/ip_tables_names; chain names are
# taken from the "Chain <name> ..." header lines of "-L -n".
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

# IPv6 counterpart of reset_iptables_v4. reset_all in this script only
# calls the IPv4 variant, so this one is defined but unused here.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP

    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t $table -F $chain
            fi
        done
        $IP6TABLES -t $table -X
    done
}

# $1 - address table object name, $2 - path of its data file.
# Exits 1 when the file is not readable. The path is used as given, so a
# relative path is resolved against the working directory the script is
# started from, not against the script's own location.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# Check every run-time address table file before any rule is loaded.
check_run_time_address_table_files() {
    :
    check_file "atbl.1" "addr-table-1.tbl"
}

# Exit 1 unless every interface referenced by the policy exists.
# NOTE(review): the list names "et0", while the header comment of this
# file describes br0 and eth1 as the two interfaces - presumably
# deliberate for this test fixture, but worth confirming.
verify_interfaces() {
    :
    echo "Verifying interfaces: et0 eth1"
    for i in et0 eth1 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

# Hook run before the rules are loaded.
prolog_commands()
{
    echo "Running prolog script"
}

# Hook run after the rules have been loaded.
epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog hook, then exit with status $1.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Load the compiled IPv4 policy. This body neither resets the tables
# nor installs an ESTABLISHED,RELATED rule; on IPCOP the surrounding
# rc.firewall is expected to own that part (see the "stop" case below).
script_body() {
    # ================ IPv4

    # ================ Table 'filter', rule set Policy
    #
    # Rule 0 (global)
    #
    echo "Rule 0 (global)"
    #
    $IPTABLES -A OUTPUT -p tcp -m tcp -d 10.3.14.40 --dport 80 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp -d 10.3.14.40 --dport 80 -m state --state NEW -j ACCEPT
    #
    # Rule 1 (global)
    #
    echo "Rule 1 (global)"
    #
    $IPTABLES -N RULE_1
    $IPTABLES -A INPUT -s 192.168.1.1 -j RULE_1
    $IPTABLES -A INPUT -s 192.168.1.2 -j RULE_1
    $IPTABLES -A INPUT -s 192.168.1.3/30 -j RULE_1
    $IPTABLES -A INPUT -s 192.168.1.200 -j RULE_1
    $IPTABLES -A INPUT -s 192.168.1.201 -j RULE_1
    $IPTABLES -A INPUT -s 192.168.2.128/25 -j RULE_1
    $IPTABLES -A FORWARD -s 192.168.1.1 -j RULE_1
    $IPTABLES -A FORWARD -s 192.168.1.2 -j RULE_1
    $IPTABLES -A FORWARD -s 192.168.1.3/30 -j RULE_1
    $IPTABLES -A FORWARD -s 192.168.1.200 -j RULE_1
    $IPTABLES -A FORWARD -s 192.168.1.201 -j RULE_1
    $IPTABLES -A FORWARD -s 192.168.2.128/25 -j RULE_1
    $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
    $IPTABLES -A RULE_1 -j DROP
    #
    # Rule 2 (global)
    #
    echo "Rule 2 (global)"
    #
    $IPTABLES -N RULE_2
    # Source addresses are read from addr-table-1.tbl at run time: lines
    # starting with "#" or ";" and blank lines are skipped, and the first
    # whitespace-separated word of each remaining line is passed unquoted
    # to iptables as the -s value. Two things follow for whoever owns that
    # file: it must be as trusted and as tightly permissioned as this
    # script, and "set $L" (no "--") will treat an entry beginning with
    # "-" as shell options rather than as data.
    grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do
        set $L; at_atbl_1=$1; $IPTABLES -A INPUT -s $at_atbl_1 -j RULE_2
    done
    grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do
        set $L; at_atbl_1=$1; $IPTABLES -A FORWARD -s $at_atbl_1 -j RULE_2
    done
    $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
    $IPTABLES -A RULE_2 -j DROP
}

# DROP policies plus flush/delete of every IPv4 table. Defined for
# completeness; the case statement below does not call it on "start".
reset_all() {
    :
    reset_iptables_v4
}

case "$1" in
    start)
        check_tools
        check_run_time_address_table_files
        verify_interfaces
        prolog_commands
        script_body
        epilog_commands
        ;;
    stop)
        # on IPCOP "/etc/rc.firewall stop" purges all tables and chains
        # and then calls this script with command "stop", but there is
        # nothing left for us to do here.
;; reload) $0 stop $0 start ;; *) echo "Usage $0 {start|stop|reload}" ;; esac fwbuilder-5.3.7/test/ipt/large_policy_test.fwb000066400000000000000000003752401303637203600215120ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established -m state --state ESTABLISHED,RELATED -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/test/ipt/linux-1.fw.orig000077500000000000000000000630251303637203600200720ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v4.2.0.3425 # # Generated Fri Jan 7 13:12:17 2011 PST by vadim # # files: * linux-1.fw # # Compiled for iptables (any version) # # # linux-1:to_fw:: warning: ignoring cluster rule set "to_fw" because member firewall "linux-1" has rule set with the same name. FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" test -x "$LOGGER" && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in 
$list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 $PGM /dev/null 2>&1; test $? = 127 && { echo "$PGM not found" exit 1 } } check_tools() { find_program $IPTABLES find_program $MODPROBE find_program $IP find_program $VCONFIG } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } 
# Add or remove one 802.1q sub-interface with vconfig.
# $1 - "subint@parent" (e.g. eth0.100@eth0), $2 - "add" or "rem".
# The VLAN id is what remains of the sub-interface name after stripping
# a leading "vlan" or "<anything>." prefix.
missing_vlan() {
    vlan=$1
    cmd=$2
    oldIFS=$IFS
    IFS="@"
    set $vlan
    subint=$1
    parent=$2
    IFS=$oldIFS
    vlan_id=$(echo $subint | sed -r 's/(vlan|[^.]*\.)//')
    test "$cmd" = "add" && {
        # vconfig naming scheme: "vlanNNN" style names need VLAN_PLUS_VID,
        # "ethX.NNN" style names need DEV_PLUS_VID. The second test is a
        # string comparison: an id with a leading zero (e.g. "0100") sorts
        # before "1" and keeps the zero-padded scheme, anything else gets
        # the _NO_PAD variant.
        echo $subint | grep -q "vlan" && name_type="VLAN_PLUS_VID" || name_type="DEV_PLUS_VID"
        test "$vlan_id" \< "1" || name_type="${name_type}_NO_PAD"
        echo "# Adding VLAN interface $subint (parent: $parent)"
        $FWBDEBUG $VCONFIG set_name_type $name_type
        $FWBDEBUG $VCONFIG $cmd $parent $vlan_id
        $FWBDEBUG $IP link set $subint up
    }
    test "$cmd" = "rem" && {
        echo "# Removing VLAN interface $subint (parent: $parent)"
        $FWBDEBUG $VCONFIG $cmd $subint
    }
}

# $1 - "parent sub1 sub2 ...". Prints the expected sub-interfaces as a
# sorted "sub@parent" list; the unquoted echo deliberately collapses
# sort's newlines into spaces, which is what diff_intf iterates over.
parse_fwb_vlans() {
    set $1
    vlan_parent_interface=$1
    shift
    FWB_VLANS=$(
        for subint in $*; do
            echo "${subint}@$vlan_parent_interface"
        done | sort
    )
    echo $FWB_VLANS
}

# $1 - parent interface name, used as an unanchored grep pattern on
# /proc/net/vlan/config (clear_vlans_except_known passes "|", which
# appears to select every data line). Prints the configured
# sub-interfaces in the same "sub@parent" form as parse_fwb_vlans.
# Loads 8021q when /proc/net/vlan is absent and exits 1 if that fails.
parse_current_vlans() {
    vlan_parent_interface=$1
    CURRENT_VLANS=""
    PROC_DIR="/proc/net/vlan/"
    test -d $PROC_DIR || $MODPROBE 8021q || {
        echo "$PROC_DIR does not exist. Vlan interfaces are not available."
        exit 1
    }
    test -f "/proc/net/vlan/config" && {
        CURRENT_VLANS=$(
            cat /proc/net/vlan/config | grep -v 'Dev name' | grep $vlan_parent_interface | while read subint a vlan_id b parent; do
                echo "${subint}@$parent"
            done | sort
        )
    }
    echo $CURRENT_VLANS
}

# $1 - "parent sub1 sub2 ...". Bring the parent up, create the listed
# sub-interfaces that are missing and remove the configured ones that
# are not in the list.
update_vlans_of_interface() {
    args="$1"
    set $1
    vlan_parent_interface=$1
    FWB_VLANS=$(parse_fwb_vlans "$args")
    CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface)
    $IP link set $vlan_parent_interface up
    diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
    diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
}

# Like update_vlans_of_interface but only adds, never removes.
# NOTE(review): $args is passed unquoted here (update_vlans_of_interface
# quotes it), so parse_fwb_vlans receives the parent as $1 alone, its
# "set $1; shift" leaves nothing to list, and no VLAN would be added.
# configure_interfaces in this script does not call add_vlans.
add_vlans() {
    args="$1"
    set $1
    vlan_parent_interface=$1
    FWB_VLANS=$(parse_fwb_vlans $args)
    CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface)
    $IP link set $vlan_parent_interface up
    diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
}

# Remove every configured sub-interface (on any parent) that is not
# listed in "$*" as "sub@parent".
clear_vlans_except_known() {
    FWB_VLANS=$*
    CURRENT_VLANS=$(parse_current_vlans '|')
    diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
}

# $1 - address table object name, $2 - path of its data file.
# Exits 1 when the file is not readable.
check_file() {
    test -r "$2" || {
        echo "Can not find 
file $2 referenced by address table object $1"
    exit 1
  }
}

# No-op in this generated script.
check_run_time_address_table_files() {
  :
}

# Loads the conntrack kernel modules found under MODULES_DIR; when $1 contains
# "nat" the NAT modules are added, when it contains "ipv6" nf_conntrack_ipv6 is.
# Arguments: $1 - option string (e.g. "nat ")
# Exits 1 if a modprobe fails.
load_modules() {
  :
  OPTS=$1
  MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
  MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
  echo $OPTS | grep -q nat && {
    MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
  }
  echo $OPTS | grep -q ipv6 && {
    MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
  }
  for module in $MODULES; do
    # "already loaded" test is an unanchored substring match on lsmod output
    if $LSMOD | grep ${module} >/dev/null; then continue; fi
    $MODPROBE ${module} || exit 1
  done
}

# Checks that every interface named in the policy exists; exits 1 otherwise.
verify_interfaces() {
  :
  echo "Verifying interfaces: eth0 eth1 lo eth0.100"
  for i in eth0 eth1 lo eth0.100 ; do
    $IP link show "$i" > /dev/null 2>&1 || {
      log "Interface $i does not exist"
      exit 1
    }
  done
}

prolog_commands() {
  echo "Running prolog script"
}

epilog_commands() {
  echo "Running epilog script"
}

# Runs the epilog and exits with $1.
run_epilog_and_exit() {
  epilog_commands
  exit $1
}

# Brings VLAN sub-interfaces and addresses in line with the fwbuilder object
# model (helpers update_vlans_of_interface, clear_vlans_except_known and
# update_addresses_of_interface are defined earlier in the file).
configure_interfaces() {
  :
  # Configure interfaces
  update_vlans_of_interface "eth0 eth0.100"
  clear_vlans_except_known eth0.100@eth0
  update_addresses_of_interface "eth0 172.24.0.2/16" "172.24.0.1/16"
  update_addresses_of_interface "eth1 192.168.1.2/24" "192.168.1.1/24"
  update_addresses_of_interface "lo 127.0.0.1/8" ""
  update_addresses_of_interface "eth0.100 192.168.100.1/24" ""
}

# Installs the IPv4 nat/filter rules, then the static routes. During the
# routing section stdout/stderr are redirected into a temp file and replayed
# by restore_script_output so a failed route does not stall the ssh session.
script_body() {
  # ================ IPv4

  # ================ Table 'filter', automatic rules
  # accept established sessions
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # ================ Table 'nat', rule set NAT
  #
  # Rule 0 (NAT)
  #
  echo "Rule 0 (NAT)"
  #
  $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1
  #
  # Rule 1 (NAT)
  #
  echo "Rule 1 (NAT)"
  #
  $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1
  #
  # Rule 2 (NAT)
  #
  echo "Rule 2 (NAT)"
  #
  $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 172.24.0.1 --dport 22 -j DNAT --to-destination 192.168.1.100
  $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 172.24.0.2 --dport 22 -j DNAT --to-destination 192.168.1.100
  $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.100.1 --dport 22 -j DNAT --to-destination 192.168.1.100
  #
  # Rule 3 (NAT)
  #
  echo "Rule 3 (NAT)"
  #
  $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 172.24.0.1 --dport 22 -j DNAT --to-destination 192.168.1.100

  # ================ Table 'filter', rule set to_fw
  #
  # Rule to_fw 0 (global)
  #
  echo "Rule to_fw 0 (global)"
  #
  # hashlimit 10/sec
  $IPTABLES -N to_fw
  $IPTABLES -N to_fw_0
  $IPTABLES -A to_fw -m hashlimit --hashlimit 10/second --hashlimit-name htable_rule_0 -j to_fw_0
  $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
  $IPTABLES -A to_fw_0 -j DROP

  # ================ Table 'filter', rule set Policy
  #
  # Rule -4 heartbeat (automatic)
  #
  echo "Rule -4 heartbeat (automatic)"
  #
  $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT
  #
  # Rule -3 heartbeat (automatic)
  #
  echo "Rule -3 heartbeat (automatic)"
  #
  $IPTABLES -A INPUT -i eth0 -p udp -m udp -s 172.24.0.3 -d 224.0.10.100 --dport 694 -j ACCEPT
  #
  # Rule -2 CONNTRACK (automatic)
  #
  echo "Rule -2 CONNTRACK (automatic)"
  #
  $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT
  #
  # Rule -1 CONNTRACK (automatic)
  #
  echo "Rule -1 CONNTRACK (automatic)"
  #
  $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT
  #
  # Rule 0 (eth0)
  #
  echo "Rule 0 (eth0)"
  #
  $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT
  $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT
  #
  # Rule 1 (eth0)
  #
  echo "Rule 1 (eth0)"
  #
  # anti spoofing rule
  $IPTABLES -N In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1
  $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
  $IPTABLES -A In_RULE_1 -j DROP
  #
  # Rule 2 (lo)
  #
  echo "Rule 2 (lo)"
  #
  $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
  #
  # Rule 3 (global)
  #
  echo "Rule 3 (global)"
  #
  # SSH Access to firewall is permitted
  # only from internal network
  $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 4 (global)
  #
  echo "Rule 4 (global)"
  #
  # SSH Access to firewall is permitted
  # only from internal network
  $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT
  $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 5 (global)
  #
  echo "Rule 5 (global)"
  #
  # Firewall uses one of the machines
  # on internal network for DNS
  $IPTABLES -N RULE_5
  $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5
  $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5
  $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
  $IPTABLES -A RULE_5 -j ACCEPT
  #
  # Rule 6 (global)
  #
  echo "Rule 6 (global)"
  #
  # branch rule set is different in members linux-1 and linux-2
  $IPTABLES -A OUTPUT -d 172.24.0.1 -j to_fw
  $IPTABLES -A OUTPUT -d 172.24.0.2 -j to_fw
  $IPTABLES -A OUTPUT -d 192.168.1.1 -j to_fw
  $IPTABLES -A OUTPUT -d 192.168.1.2 -j to_fw
  $IPTABLES -A OUTPUT -d 192.168.100.1 -j to_fw
  $IPTABLES -A INPUT -j to_fw
  #
  # Rule 7 (global)
  #
  echo "Rule 7 (global)"
  #
  # branch rule set is different in members linux-1 and linux-2
  $IPTABLES -A OUTPUT -d 172.24.0.1 -j to_fw
  $IPTABLES -A OUTPUT -d 172.24.0.2 -j to_fw
  $IPTABLES -A OUTPUT -d 192.168.1.1 -j to_fw
  $IPTABLES -A OUTPUT -d 192.168.1.2 -j to_fw
  $IPTABLES -A OUTPUT -d 192.168.100.1 -j to_fw
  $IPTABLES -A INPUT -j to_fw
  #
  # Rule 8 (global)
  #
  echo "Rule 8 (global)"
  #
  $IPTABLES -A OUTPUT -d 172.24.0.1 -j DROP
  $IPTABLES -A OUTPUT -d 172.24.0.2 -j DROP
  $IPTABLES -A OUTPUT -d 192.168.1.1 -j DROP
  $IPTABLES -A OUTPUT -d 192.168.1.2 -j DROP
  $IPTABLES -A OUTPUT -d 192.168.100.1 -j DROP
  $IPTABLES -A INPUT -j DROP
  #
  # Rule 9 (global)
  #
  echo "Rule 9 (global)"
  #
  $IPTABLES -A INPUT -j DROP
  #
  # Rule 10 (global)
  #
  echo "Rule 10 (global)"
  #
  # fw is part of any
  $IPTABLES -N Cid997025X96143.0
  $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid997025X96143.0
  $IPTABLES -A Cid997025X96143.0 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid997025X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid997025X96143.0 -s 192.168.1.1 -j ACCEPT
  $IPTABLES -A Cid997025X96143.0 -s 192.168.1.2 -j ACCEPT
  $IPTABLES -A Cid997025X96143.0 -s 192.168.100.1 -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 11 (global)
  #
  echo "Rule 11 (global)"
  #
  # fw is NOT part of any
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 12 (global)
  #
  echo "Rule 12 (global)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid143289X96143.0
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid143289X96143.0
  $IPTABLES -A Cid143289X96143.0 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid143289X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid143289X96143.0 -s 192.168.100.1 -j ACCEPT
  #
  # Rule 13 (global)
  #
  echo "Rule 13 (global)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid1946680X96143.0
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid1946680X96143.0
  $IPTABLES -A Cid1946680X96143.0 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid1946680X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid1946680X96143.0 -s 192.168.100.1 -j ACCEPT
  #
  # Rule 14 (eth0)
  #
  echo "Rule 14 (eth0)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid378955X96143.0
  $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid378955X96143.0
  $IPTABLES -A Cid378955X96143.0 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid378955X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid378955X96143.0 -s 192.168.100.1 -j ACCEPT
  $IPTABLES -N Cid378955X96143.1
  $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid378955X96143.1
  $IPTABLES -A Cid378955X96143.1 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid378955X96143.1 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid378955X96143.1 -s 192.168.100.1 -j ACCEPT
  #
  # Rule 15 (eth0)
  #
  echo "Rule 15 (eth0)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid1801407X96143.0
  $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid1801407X96143.0
  $IPTABLES -A Cid1801407X96143.0 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid1801407X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid1801407X96143.0 -s 192.168.100.1 -j ACCEPT
  #
  # Rule 16 (global)
  #
  echo "Rule 16 (global)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid143343X96143.0
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid143343X96143.0
  $IPTABLES -A Cid143343X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid143343X96143.0 -s 192.168.100.1 -j ACCEPT
  $IPTABLES -A FORWARD -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 17 (eth0)
  #
  echo "Rule 17 (eth0)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid2241935X96143.0
  $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241935X96143.0
  $IPTABLES -A Cid2241935X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid2241935X96143.0 -s 192.168.100.1 -j ACCEPT
  $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT
  $IPTABLES -N Cid2241935X96143.1
  $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241935X96143.1
  $IPTABLES -A Cid2241935X96143.1 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid2241935X96143.1 -s 192.168.100.1 -j ACCEPT
  $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 18 (eth0)
  #
  echo "Rule 18 (eth0)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid2241981X96143.0
  $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241981X96143.0
  $IPTABLES -A Cid2241981X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid2241981X96143.0 -s 192.168.100.1 -j ACCEPT
  $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 19 (global)
  #
  echo "Rule 19 (global)"
  #
  # using interface of another cluster in the rule
  $IPTABLES -N Cid8228X45618.0
  $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid8228X45618.0
  $IPTABLES -A Cid8228X45618.0 -s 192.168.1.1 -j ACCEPT
  $IPTABLES -A Cid8228X45618.0 -s 192.168.1.2 -j ACCEPT
  $IPTABLES -A Cid8228X45618.0 -s 192.168.1.100 -j ACCEPT
  #
  # Rule 20 (global)
  #
  echo "Rule 20 (global)"
  #
  $IPTABLES -N Cid147047X84105.0
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid147047X84105.0
  $IPTABLES -A Cid147047X84105.0 -d 192.168.1.1 -j ACCEPT
  $IPTABLES -A Cid147047X84105.0 -d 192.168.1.2 -j ACCEPT
  $IPTABLES -A Cid147047X84105.0 -d 192.168.1.100 -j ACCEPT
  #
  # Rule 21 (global)
  #
  echo "Rule 21 (global)"
  #
  $IPTABLES -N RULE_21
  $IPTABLES -A OUTPUT -m state --state NEW -j RULE_21
  $IPTABLES -A INPUT -m state --state NEW -j RULE_21
  $IPTABLES -A FORWARD -m state --state NEW -j RULE_21
  $IPTABLES -A RULE_21 -j LOG --log-level info --log-prefix "RULE 21 -- DENY "
  $IPTABLES -A RULE_21 -j DROP
  #
  # Rule 22 (global)
  #
  echo "Rule 22 (global)"
  #
  $IPTABLES -N RULE_22
  $IPTABLES -A OUTPUT -j RULE_22
  $IPTABLES -A INPUT -j RULE_22
  $IPTABLES -A FORWARD -j RULE_22
  $IPTABLES -A RULE_22 -j LOG --log-level info --log-prefix "RULE 22 -- DENY "
  $IPTABLES -A RULE_22 -j DROP

  # ============== ROUTING RULES ==============
  # The temp dir name is predictable (PID-based), but it is created with a
  # plain mkdir under umask 077: an already-existing entry makes mkdir fail
  # and the script abort instead of reusing someone else's directory.
  TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$"
  TMPFILENAME="$TMPDIRNAME/.fwbuilder.out"
  (umask 077 && mkdir $TMPDIRNAME) || exit 1
  #
  # This function stops stdout redirection
  # and sends previously saved output to terminal
  restore_script_output() {
    exec 1>&3 2>&1
    cat $TMPFILENAME
    rm -rf $TMPDIRNAME
  }
  # if any routing rule fails we do our best to prevent freezing the firewall
  route_command_error() {
    echo "Error: Routing rule $1 couldn't be activated"
    echo "Recovering previous routing configuration..."
    # delete current routing rules
    $IP route show | while read route ; do $IP route del $route ; done
    # restore old routing rules
    # NOTE(review): the IFS value below reads as a single space in this copy;
    # the intent is presumably to split $oldRoutes per line (one route each) --
    # verify against the generator template before relying on it.
    (IFS=" "; for route in $oldRoutes; do (IFS=' '; $IP route add $route); done)
    echo "...done"
    restore_script_output
    epilog_commands
    exit 1
  }
  # redirect output to prevent ssh session from stalling
  exec 3>&1
  exec 1> $TMPFILENAME
  exec 2>&1
  # store previous routing configuration (sort: 'via' GW has to be
  # inserted after device routes)
  oldRoutes=$($IP route show | sort -k 2)
  echo "Deleting routing rules previously set by user space processes..."
  $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \
  while read route ; do $IP route del $route ; done
  echo "Activating non-ecmp routing rules..."
  #
  # Rule 0 (main)
  #
  echo "Routing rule 0 (main)"
  #
  #
  #
  $IP route add 172.24.1.0/24 via 172.24.0.100 dev eth0 \
  || route_command_error "0 (main)"
  restore_script_output
  echo "...done."
}

# Enables IPv4 forwarding.
ip_forward() {
  :
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Sets DROP policies and flushes every table/chain (see reset_iptables_v4).
reset_all() {
  :
  reset_iptables_v4
}

# Leaves the DROP policies from reset_all in place: all traffic is blocked.
block_action() {
  reset_all
}

# Flushes the rules and then opens the firewall with ACCEPT policies.
stop_action() {
  reset_all
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
}

# Arguments: $1 - /proc file listing the loaded tables
# Returns: 151 if the file is absent, 152 if it is empty, 0 otherwise
check_iptables() {
  IP_TABLES="$1"
  [ ! -e $IP_TABLES ] && return 151
  NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
  [ -z "$NF_TABLES" ] && return 152
  return 0
}

# Returns 0 when either the IPv4 or the IPv6 tables are present; otherwise
# prints a diagnostic and exits 3.
status_action() {
  check_iptables "/proc/net/ip_tables_names"
  ret_ipv4=$?
  check_iptables "/proc/net/ip6_tables_names"
  ret_ipv6=$?
  [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
  [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
    echo "iptables modules are not loaded"
  }
  [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
    echo "Firewall is not configured"
  }
  exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'

cmd=$1
test -z "$cmd" && {
  cmd="start"
}

# Note: in the 'start' branch RETVAL is taken after epilog_commands, so it
# reflects the epilog's status rather than script_body's; on the usage branch
# RETVAL is never set and the final exit expands to a bare "exit".
case "$cmd" in
  start)
    log "Activating firewall script generated Fri Jan 7 13:12:17 2011 by vadim"
    check_tools
    prolog_commands
    check_run_time_address_table_files
    load_modules "nat "
    configure_interfaces
    verify_interfaces
    reset_all
    script_body
    ip_forward
    epilog_commands
    RETVAL=$?
    ;;
  stop)
    stop_action
    RETVAL=$?
    ;;
  status)
    status_action
    RETVAL=$?
    ;;
  block)
    block_action
    RETVAL=$?
    ;;
  reload)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  interfaces)
    configure_interfaces
    RETVAL=$?
    ;;
  test_interfaces)
    FWBDEBUG="echo"
    configure_interfaces
    RETVAL=$?
    ;;
  *)
    echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
    ;;
esac

exit $RETVALfwbuilder-5.3.7/test/ipt/linux-2.fw.orig000077500000000000000000000546401303637203600200740ustar00rootroot00000000000000#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3425
#
# Generated Fri Jan 7 13:12:17 2011 PST by vadim
#
# files: * linux-2.fw
#
# Compiled for iptables (any version)
#
# linux-2:to_fw:: warning: ignoring cluster rule set "to_fw" because member firewall "linux-2" has rule set with the same name.

# This appears to be a regression-test reference output (test/ipt/*.fw.orig);
# it is meant to be regenerated by the compiler rather than edited by hand.

FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Prints $1 and, when $LOGGER is executable, also sends it to syslog.
log() {
  echo "$1"
  test -x "$LOGGER" && $LOGGER -p info "$1"
}

# Turns an interface name into a shell-variable-safe name (first '.' -> '_').
getInterfaceVarName() {
  echo $1 | sed 's/\./_/'
}

# Stores the addresses of interface $1 in the variable "${2}_list" (or sets
# $2 to '' when none). The address list from ip(8) is spliced into an eval'd
# assignment.
# Arguments: $1 - device, $2 - variable name, $3 - address family flag
getaddr_internal() {
  dev=$1
  name=$2
  af=$3
  L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
  test -z "$L" && {
    eval "$name=''"
    return
  }
  eval "${name}_list=\"$L\""
}

getaddr() {
  getaddr_internal $1 $2 "-4"
}

getaddr6() {
  getaddr_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
  NAME=$1
  $IP link show | grep ": $NAME" | while read L; do
    OIFS=$IFS
    IFS=" :"
    set $L
    IFS=$OIFS
    echo $2
  done
}

# Calls "$1 <item> $4" for every item of list $2 that is absent from list $3.
diff_intf() {
  func=$1
  list1=$2
  list2=$3
  cmd=$4
  for intf in $list1
  do
    echo $list2 | grep -q $intf || {
      # $vlan is absent in list 2
      $func $intf $cmd
    }
  done
}

# Exits 1 when $1 cannot be executed. Note that this actually runs the tool
# (including modprobe) with /dev/null as its argument and only treats exit
# status 127 ("command not found") as failure; any other status passes.
find_program() {
  PGM=$1
  $PGM /dev/null 2>&1; test $? = 127 && {
    echo "$PGM not found"
    exit 1
  }
}

check_tools() {
  find_program $IPTABLES
  find_program $MODPROBE
  find_program $IP
}

# Sets DROP policies, then flushes and deletes every chain in every table
# listed in /proc/net/ip_tables_names.
reset_iptables_v4() {
  $IPTABLES -P OUTPUT DROP
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IPTABLES -t $table -F $chain
      fi
    done
    $IPTABLES -t $table -X
  done
}

# IPv6 counterpart of reset_iptables_v4.
reset_iptables_v6() {
  $IP6TABLES -P OUTPUT DROP
  $IP6TABLES -P INPUT DROP
  $IP6TABLES -P FORWARD DROP
  cat /proc/net/ip6_tables_names | while read table; do
    $IP6TABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IP6TABLES -t $table -F $chain
      fi
    done
    $IP6TABLES -t $table -X
  done
}

P2P_INTERFACE_WARNING=""

# Adds or removes one address.
# Arguments: $1 - "addr@interface", $2 - "add" or "del"
# Point-to-point interfaces are skipped with a one-time warning.
missing_address() {
  address=$1
  cmd=$2
  oldIFS=$IFS
  IFS="@"
  set $address
  addr=$1
  interface=$2
  IFS=$oldIFS
  $IP addr show dev $interface | grep -q POINTOPOINT && {
    test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
    P2P_INTERFACE_WARNING="yes"
    return
  }
  test "$cmd" = "add" && {
    echo "# Adding ip address: $interface $addr"
    # IPv6 addresses (containing ':') are added without "broadcast +"
    echo $addr | grep -q ':' && {
      $FWBDEBUG $IP addr $cmd $addr dev $interface
    } || {
      $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
    }
  }
  test "$cmd" = "del" && {
    echo "# Removing ip address: $interface $addr"
    $FWBDEBUG $IP addr $cmd $addr dev $interface
  }
  $FWBDEBUG $IP link set $interface up
}

# Prints "addr@interface" (sorted) for every address of $1 whose scope
# matches regex $2, skipping addresses listed in $3.
list_addresses_by_scope() {
  interface=$1
  scope=$2
  ignore_list=$3
  $IP addr ls dev $interface | \
  awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
  'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
  while read addr; do
    echo "${addr}@$interface"
  done | sort
}

# Arguments: $1 - "interface addr addr ...", $2 - addresses to leave alone
# Adds addresses missing on the interface and removes global-scope ones that
# fwbuilder does not know about. A missing interface is fatal unless
# FWBDEBUG is set (test mode).
update_addresses_of_interface() {
  ignore_list=$2
  set $1
  interface=$1
  shift
  FWB_ADDRS=$(
    for addr in $*; do
      echo "${addr}@$interface"
    done | sort
  )
  CURRENT_ADDRS_ALL_SCOPES=""
  CURRENT_ADDRS_GLOBAL_SCOPE=""
  $IP link show dev $interface >/dev/null 2>&1 && {
    CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
    CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
  } || {
    echo "# Interface $interface does not exist"
    # Stop the script if we are not in test mode
    test -z "$FWBDEBUG" && exit 1
  }
  diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
  diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flushes global-scope addresses and downs every interface not named in $*.
clear_addresses_except_known_interfaces() {
  $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
  'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
  while read intf; do
    echo "# Removing addresses not configured in fwbuilder from interface $intf"
    $FWBDEBUG $IP addr flush dev $intf scope global
    $FWBDEBUG $IP link set $intf down
  done
}

# Arguments: $1 - address table object name, $2 - its file; exits 1 if unreadable.
check_file() {
  test -r "$2" || {
    echo "Can not find file $2 referenced by address table object $1"
    exit 1
  }
}

# No-op in this generated script.
check_run_time_address_table_files() {
  :
}

# Loads the conntrack kernel modules found under MODULES_DIR; when $1 contains
# "nat" the NAT modules are added, when it contains "ipv6" nf_conntrack_ipv6 is.
# Exits 1 if a modprobe fails.
load_modules() {
  :
  OPTS=$1
  MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
  MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
  echo $OPTS | grep -q nat && {
    MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
  }
  echo $OPTS | grep -q ipv6 && {
    MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
  }
  for module in $MODULES; do
    # "already loaded" test is an unanchored substring match on lsmod output
    if $LSMOD | grep ${module} >/dev/null; then continue; fi
    $MODPROBE ${module} || exit 1
  done
}

# Checks that every interface named in the policy exists; exits 1 otherwise.
verify_interfaces() {
  :
  echo "Verifying interfaces: eth0 eth1 lo"
  for i in eth0 eth1 lo ; do
    $IP link show "$i" > /dev/null 2>&1 || {
      log "Interface $i does not exist"
      exit 1
    }
  done
}

prolog_commands() {
  echo "Running prolog script"
}

epilog_commands() {
  echo "Running epilog script"
}

# Runs the epilog and exits with $1.
run_epilog_and_exit() {
  epilog_commands
  exit $1
}

# Brings interface addresses in line with the fwbuilder object model.
configure_interfaces() {
  :
  # Configure interfaces
  update_addresses_of_interface "eth0 172.24.0.3/16" "172.24.0.1/16"
  update_addresses_of_interface "eth1 192.168.1.3/24" "192.168.1.1/24"
  update_addresses_of_interface "lo 127.0.0.1/8" ""
}

# Installs the IPv4 nat/filter rules, then the static routes. During the
# routing section stdout/stderr are redirected into a temp file and replayed
# by restore_script_output so a failed route does not stall the ssh session.
script_body() {
  # ================ IPv4

  # ================ Table 'filter', automatic rules
  # accept established sessions
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # ================ Table 'nat', rule set NAT
  #
  # Rule 0 (NAT)
  #
  echo "Rule 0 (NAT)"
  #
  $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1
  #
  # Rule 1 (NAT)
  #
  echo "Rule 1 (NAT)"
  #
  $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1
  #
  # Rule 2 (NAT)
  #
  echo "Rule 2 (NAT)"
  #
  $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 172.24.0.1 --dport 22 -j DNAT --to-destination 192.168.1.100
  $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 172.24.0.3 --dport 22 -j DNAT --to-destination 192.168.1.100
  #
  # Rule 3 (NAT)
  #
  echo "Rule 3 (NAT)"
  #
  $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 172.24.0.1 --dport 22 -j DNAT --to-destination 192.168.1.100

  # ================ Table 'filter', rule set to_fw
  #
  # Rule to_fw 0 (global)
  #
  echo "Rule to_fw 0 (global)"
  #
  # hashlimit 20/sec
  $IPTABLES -N to_fw
  $IPTABLES -N to_fw_0
  $IPTABLES -A to_fw -m hashlimit --hashlimit 20/second --hashlimit-name htable_rule_0 -j to_fw_0
  $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
  $IPTABLES -A to_fw_0 -j DROP

  # ================ Table 'filter', rule set Policy
  #
  # Rule -4 heartbeat (automatic)
  #
  echo "Rule -4 heartbeat (automatic)"
  #
  $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT
  #
  # Rule -3 heartbeat (automatic)
  #
  echo "Rule -3 heartbeat (automatic)"
  #
  $IPTABLES -N C.0
  $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j C.0
  $IPTABLES -A C.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A C.0 -s 192.168.100.1 -j ACCEPT
  #
  # Rule -2 CONNTRACK (automatic)
  #
  echo "Rule -2 CONNTRACK (automatic)"
  #
  $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT
  #
  # Rule -1 CONNTRACK (automatic)
  #
  echo "Rule -1 CONNTRACK (automatic)"
  #
  $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT
  #
  # Rule 0 (eth0)
  #
  echo "Rule 0 (eth0)"
  #
  $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT
  $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT
  #
  # Rule 1 (eth0)
  #
  echo "Rule 1 (eth0)"
  #
  # anti spoofing rule
  $IPTABLES -N In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1
  $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1
  $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1
  $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
  $IPTABLES -A In_RULE_1 -j DROP
  #
  # Rule 2 (lo)
  #
  echo "Rule 2 (lo)"
  #
  $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
  #
  # Rule 3 (global)
  #
  echo "Rule 3 (global)"
  #
  # SSH Access to firewall is permitted
  # only from internal network
  $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 4 (global)
  #
  echo "Rule 4 (global)"
  #
  # SSH Access to firewall is permitted
  # only from internal network
  $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT
  $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 5 (global)
  #
  echo "Rule 5 (global)"
  #
  # Firewall uses one of the machines
  # on internal network for DNS
  $IPTABLES -N RULE_5
  $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5
  $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5
  $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
  $IPTABLES -A RULE_5 -j ACCEPT
  #
  # Rule 6 (global)
  #
  echo "Rule 6 (global)"
  #
  # branch rule set is different in members linux-1 and linux-2
  $IPTABLES -A OUTPUT -d 172.24.0.1 -j to_fw
  $IPTABLES -A OUTPUT -d 172.24.0.3 -j to_fw
  $IPTABLES -A OUTPUT -d 192.168.1.1 -j to_fw
  $IPTABLES -A OUTPUT -d 192.168.1.3 -j to_fw
  $IPTABLES -A INPUT -j to_fw
  #
  # Rule 7 (global)
  #
  echo "Rule 7 (global)"
  #
  # branch rule set is different in members linux-1 and linux-2
  $IPTABLES -A OUTPUT -d 172.24.0.2 -j to_fw
  $IPTABLES -A OUTPUT -d 192.168.1.2 -j to_fw
  $IPTABLES -A OUTPUT -d 192.168.100.1 -j to_fw
  $IPTABLES -A FORWARD -d 172.24.0.2 -j to_fw
  $IPTABLES -A FORWARD -d 192.168.1.2 -j to_fw
  $IPTABLES -A FORWARD -d 192.168.100.1 -j to_fw
  #
  # Rule 8 (global)
  #
  echo "Rule 8 (global)"
  #
  $IPTABLES -A OUTPUT -d 172.24.0.1 -j DROP
  $IPTABLES -A OUTPUT -d 172.24.0.3 -j DROP
  $IPTABLES -A OUTPUT -d 192.168.1.1 -j DROP
  $IPTABLES -A OUTPUT -d 192.168.1.3 -j DROP
  $IPTABLES -A INPUT -j DROP
  #
  # Rule 9 (global)
  #
  echo "Rule 9 (global)"
  #
  $IPTABLES -A INPUT -j DROP
  #
  # Rule 10 (global)
  #
  echo "Rule 10 (global)"
  #
  # fw is part of any
  $IPTABLES -N Cid997025X96143.0
  $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid997025X96143.0
  $IPTABLES -A Cid997025X96143.0 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid997025X96143.0 -s 172.24.0.3 -j ACCEPT
  $IPTABLES -A Cid997025X96143.0 -s 192.168.1.1 -j ACCEPT
  $IPTABLES -A Cid997025X96143.0 -s 192.168.1.3 -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 11 (global)
  #
  echo "Rule 11 (global)"
  #
  # fw is NOT part of any
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
  #
  # Rule 12 (global)
  #
  echo "Rule 12 (global)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid143289X96143.0
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid143289X96143.0
  $IPTABLES -A Cid143289X96143.0 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid143289X96143.0 -s 172.24.0.3 -j ACCEPT
  #
  # Rule 13 (global)
  #
  echo "Rule 13 (global)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid1946680X96143.0
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid1946680X96143.0
  $IPTABLES -A Cid1946680X96143.0 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid1946680X96143.0 -s 172.24.0.3 -j ACCEPT
  #
  # Rule 14 (eth0)
  #
  echo "Rule 14 (eth0)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid378955X96143.0
  $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid378955X96143.0
  $IPTABLES -A Cid378955X96143.0 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid378955X96143.0 -s 172.24.0.3 -j ACCEPT
  $IPTABLES -N Cid378955X96143.1
  $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid378955X96143.1
  $IPTABLES -A Cid378955X96143.1 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid378955X96143.1 -s 172.24.0.3 -j ACCEPT
  #
  # Rule 15 (eth0)
  #
  echo "Rule 15 (eth0)"
  #
  # fw is NOT part of any
  $IPTABLES -N Cid1801407X96143.0
  $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid1801407X96143.0
  $IPTABLES -A Cid1801407X96143.0 -s 172.24.0.1 -j ACCEPT
  $IPTABLES -A Cid1801407X96143.0 -s 172.24.0.3 -j ACCEPT
  #
  # Rule 16 (global)
  #
  echo "Rule 16 (global)"
  #
  # fw is NOT part of any
  $IPTABLES -A OUTPUT -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT
  $IPTABLES -N Cid143343X96143.0
  $IPTABLES -A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -j Cid143343X96143.0
  $IPTABLES -A Cid143343X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid143343X96143.0 -s 192.168.100.1 -j ACCEPT
  #
  # Rule 17 (eth0)
  #
  echo "Rule 17 (eth0)"
  #
  # fw is NOT part of any
  $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT
  $IPTABLES -N Cid2241935X96143.0
  $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241935X96143.0
  $IPTABLES -A Cid2241935X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid2241935X96143.0 -s 192.168.100.1 -j ACCEPT
  $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT
  $IPTABLES -N Cid2241935X96143.1
  $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241935X96143.1
  $IPTABLES -A Cid2241935X96143.1 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid2241935X96143.1 -s 192.168.100.1 -j ACCEPT
  #
  # Rule 18 (eth0)
  #
  echo "Rule 18 (eth0)"
  #
  # fw is NOT part of any
  $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -s 172.24.0.3 --dport 22 -m state --state NEW -j ACCEPT
  $IPTABLES -N Cid2241981X96143.0
  $IPTABLES -A FORWARD -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid2241981X96143.0
  $IPTABLES -A Cid2241981X96143.0 -s 172.24.0.2 -j ACCEPT
  $IPTABLES -A Cid2241981X96143.0 -s 192.168.100.1 -j ACCEPT
  #
  # Rule 19 (global)
  #
  echo "Rule 19 (global)"
  #
  # using interface of another cluster in the rule
  $IPTABLES -N Cid8228X45618.0
  $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid8228X45618.0
  $IPTABLES -A Cid8228X45618.0 -s 192.168.1.1 -j ACCEPT
  $IPTABLES -A Cid8228X45618.0 -s 192.168.1.2 -j ACCEPT
  $IPTABLES -A Cid8228X45618.0 -s 192.168.1.100 -j ACCEPT
  #
  # Rule 20 (global)
  #
  echo "Rule 20 (global)"
  #
  $IPTABLES -N Cid147047X84105.0
  $IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid147047X84105.0
  $IPTABLES -A Cid147047X84105.0 -d 192.168.1.1 -j ACCEPT
  $IPTABLES -A Cid147047X84105.0 -d 192.168.1.2 -j ACCEPT
  $IPTABLES -A Cid147047X84105.0 -d 192.168.1.100 -j ACCEPT
  #
  # Rule 21 (global)
  #
  echo "Rule 21 (global)"
  #
  $IPTABLES -N RULE_21
  $IPTABLES -A OUTPUT -m state --state NEW -j RULE_21
  $IPTABLES -A INPUT -m state --state NEW -j RULE_21
  $IPTABLES -A FORWARD -m state --state NEW -j RULE_21
  $IPTABLES -A RULE_21 -j LOG --log-level info --log-prefix "RULE 21 -- DENY "
  $IPTABLES -A RULE_21 -j DROP
  #
  # Rule 22 (global)
  #
  echo "Rule 22 (global)"
  #
  $IPTABLES -N RULE_22
  $IPTABLES -A OUTPUT -j RULE_22
  $IPTABLES -A INPUT -j RULE_22
  $IPTABLES -A FORWARD -j RULE_22
  $IPTABLES -A RULE_22 -j LOG --log-level info --log-prefix "RULE 22 -- DENY "
  $IPTABLES -A RULE_22 -j DROP

  # ============== ROUTING RULES ==============
  # The temp dir name is predictable (PID-based), but it is created with a
  # plain mkdir under umask 077: an already-existing entry makes mkdir fail
  # and the script abort instead of reusing someone else's directory.
  TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$"
  TMPFILENAME="$TMPDIRNAME/.fwbuilder.out"
  (umask 077 && mkdir $TMPDIRNAME) || exit 1
  #
  # This function stops stdout redirection
  # and sends previously saved output to terminal
  restore_script_output() {
    exec 1>&3 2>&1
    cat $TMPFILENAME
    rm -rf $TMPDIRNAME
  }
  # if any routing rule fails we do our best to prevent freezing the firewall
  route_command_error() {
    echo "Error: Routing rule $1 couldn't be activated"
    echo "Recovering previous routing configuration..."
    # delete current routing rules
    $IP route show | while read route ; do $IP route del $route ; done
    # restore old routing rules
    # NOTE(review): the IFS value below reads as a single space in this copy;
    # the intent is presumably to split $oldRoutes per line (one route each) --
    # verify against the generator template before relying on it.
    (IFS=" "; for route in $oldRoutes; do (IFS=' '; $IP route add $route); done)
    echo "...done"
    restore_script_output
    epilog_commands
    exit 1
  }
  # redirect output to prevent ssh session from stalling
  exec 3>&1
  exec 1> $TMPFILENAME
  exec 2>&1
  # store previous routing configuration (sort: 'via' GW has to be
  # inserted after device routes)
  oldRoutes=$($IP route show | sort -k 2)
  echo "Deleting routing rules previously set by user space processes..."
  $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \
  while read route ; do $IP route del $route ; done
  echo "Activating non-ecmp routing rules..."
  #
  # Rule 0 (main)
  #
  echo "Routing rule 0 (main)"
  #
  #
  #
  $IP route add 172.24.1.0/24 via 172.24.0.100 dev eth0 \
  || route_command_error "0 (main)"
  restore_script_output
  echo "...done."
}

# Enables IPv4 forwarding.
ip_forward() {
  :
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Sets DROP policies and flushes every table/chain (see reset_iptables_v4).
reset_all() {
  :
  reset_iptables_v4
}

# Leaves the DROP policies from reset_all in place: all traffic is blocked.
block_action() {
  reset_all
}

# Flushes the rules and then opens the firewall with ACCEPT policies.
stop_action() {
  reset_all
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
}

# Arguments: $1 - /proc file listing the loaded tables
# Returns: 151 if the file is absent, 152 if it is empty, 0 otherwise
check_iptables() {
  IP_TABLES="$1"
  [ ! -e $IP_TABLES ] && return 151
  NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
  [ -z "$NF_TABLES" ] && return 152
  return 0
}

# Returns 0 when either the IPv4 or the IPv6 tables are present; otherwise
# prints a diagnostic and exits 3.
status_action() {
  check_iptables "/proc/net/ip_tables_names"
  ret_ipv4=$?
  check_iptables "/proc/net/ip6_tables_names"
  ret_ipv6=$?
  [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
  [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
    echo "iptables modules are not loaded"
  }
  [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
    echo "Firewall is not configured"
  }
  exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'

cmd=$1
test -z "$cmd" && {
  cmd="start"
}

# Note: in the 'start' branch RETVAL is taken after epilog_commands, so it
# reflects the epilog's status rather than script_body's; on the usage branch
# RETVAL is never set and the final exit expands to a bare "exit".
case "$cmd" in
  start)
    log "Activating firewall script generated Fri Jan 7 13:12:17 2011 by vadim"
    check_tools
    prolog_commands
    check_run_time_address_table_files
    load_modules "nat "
    configure_interfaces
    verify_interfaces
    reset_all
    script_body
    ip_forward
    epilog_commands
    RETVAL=$?
    ;;
  stop)
    stop_action
    RETVAL=$?
    ;;
  status)
    status_action
    RETVAL=$?
    ;;
  block)
    block_action
    RETVAL=$?
    ;;
  reload)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  interfaces)
    configure_interfaces
    RETVAL=$?
    ;;
  test_interfaces)
    FWBDEBUG="echo"
    configure_interfaces
    RETVAL=$?
    ;;
  *)
    echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
    ;;
esac

exit $RETVALfwbuilder-5.3.7/test/ipt/objects-for-regression-tests.fwb000066400000000000000000134433711303637203600235400ustar00rootroot00000000000000
established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk -m ip_conntrack_talk -m ip_nat_talk -p tcp -m state --state ESTABLISHED --tcp-flags SYN,ACK,RST,URG ACK -p tcp -m state --state ESTABLISHED --tcp-flags SYN,FIN,RST,URG,PSH RST -m string --string test_pattern -m string --string test_pattern -p tcp !
--syn -dport 5190 -m state --state NEW -m rt --rt-type 0 -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -m owner --uid-owner anonymous -m owner --uid-owner anonymous -m owner --uid-owner anonymous fwbuilder-5.3.7/test/ipt/openais_cluster_1_linux-1.fw.orig000077500000000000000000000510211303637203600235620ustar00rootroot00000000000000#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:17:42 2012 PDT by vadim
#
# files: * openais_cluster_1_linux-1.fw /etc/openais_cluster_1_linux-1.fw
#
# Compiled for iptables 1.4.0
#
#
# openais_cluster_1:Routing:1: error: Object "gw1" used as gateway in the routing rule 1 (main) is not in the same local network as interface eth1

# This appears to be a regression-test reference output (test/ipt/*.fw.orig);
# it is meant to be regenerated by the compiler rather than edited by hand.

FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Prints $1 and, when $LOGGER is found by which, also sends it to syslog.
log() {
  echo "$1"
  which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# Turns an interface name into a shell-variable-safe name (first '.' -> '_').
getInterfaceVarName() {
  echo $1 | sed 's/\./_/'
}

# Stores the addresses of interface $1 in the variable "${2}_list" (or sets
# $2 to '' when none). The address list from ip(8) is spliced into an eval'd
# assignment.
# Arguments: $1 - device, $2 - variable name, $3 - address family flag
getaddr_internal() {
  dev=$1
  name=$2
  af=$3
  L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
  test -z "$L" && {
    eval "$name=''"
    return
  }
  eval "${name}_list=\"$L\""
}

# Stores the kernel (connected) network prefixes for interface $1 in
# "${2}_list". Note: "grep $dev" is an unanchored substring match, so e.g.
# eth1 also picks up routes of eth10. $3 is accepted but not used here.
getnet_internal() {
  dev=$1
  name=$2
  af=$3
  L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
  test -z "$L" && {
    eval "$name=''"
    return
  }
  eval "${name}_list=\"$L\""
}

getaddr() {
  getaddr_internal $1 $2 "-4"
}

getaddr6() {
  getaddr_internal $1 $2 "-6"
}

getnet() {
  getnet_internal $1 $2 "-4"
}

getnet6() {
  getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
  NAME=$1
  $IP link show | grep ": $NAME" | while read L; do
    OIFS=$IFS
    IFS=" :"
    set $L
    IFS=$OIFS
    echo $2
  done
}

# Calls "$1 <item> $4" for every item of list $2 that is absent from list $3.
diff_intf() {
  func=$1
  list1=$2
  list2=$3
  cmd=$4
  for intf in $list1
  do
    echo $list2 | grep -q $intf || {
      # $vlan is absent in list 2
      $func $intf $cmd
    }
  done
}

# Exits 1 when "which" cannot locate $1.
find_program() {
  PGM=$1
  which $PGM >/dev/null 2>&1 || {
    echo "\"$PGM\" not found"
    exit 1
  }
}

check_tools() {
  find_program which
  find_program $IPTABLES
  find_program $MODPROBE
  find_program $IP
  find_program $VCONFIG
}

# Sets DROP policies, then flushes and deletes every chain in every table
# listed in /proc/net/ip_tables_names.
reset_iptables_v4() {
  $IPTABLES -P OUTPUT DROP
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IPTABLES -t $table -F $chain
      fi
    done
    $IPTABLES -t $table -X
  done
}

# IPv6 counterpart of reset_iptables_v4.
reset_iptables_v6() {
  $IP6TABLES -P OUTPUT DROP
  $IP6TABLES -P INPUT DROP
  $IP6TABLES -P FORWARD DROP
  cat /proc/net/ip6_tables_names | while read table; do
    $IP6TABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IP6TABLES -t $table -F $chain
      fi
    done
    $IP6TABLES -t $table -X
  done
}

P2P_INTERFACE_WARNING=""

# Adds or removes one address.
# Arguments: $1 - "addr@interface", $2 - "add" or "del"
# Point-to-point interfaces are skipped with a one-time warning; a failed
# "del" is fatal.
missing_address() {
  address=$1
  cmd=$2
  oldIFS=$IFS
  IFS="@"
  set $address
  addr=$1
  interface=$2
  IFS=$oldIFS
  $IP addr show dev $interface | grep -q POINTOPOINT && {
    test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
    P2P_INTERFACE_WARNING="yes"
    return
  }
  test "$cmd" = "add" && {
    echo "# Adding ip address: $interface $addr"
    # IPv6 addresses (containing ':') are added without "broadcast +"
    echo $addr | grep -q ':' && {
      $FWBDEBUG $IP addr $cmd $addr dev $interface
    } || {
      $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
    }
  }
  test "$cmd" = "del" && {
    echo "# Removing ip address: $interface $addr"
    $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
  }
  $FWBDEBUG $IP link set $interface up
}

# Prints "addr@interface" (sorted) for every address of $1 whose scope
# matches regex $2, skipping addresses listed in $3.
list_addresses_by_scope() {
  interface=$1
  scope=$2
  ignore_list=$3
  $IP addr ls dev $interface | \
  awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
  'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
  while read addr; do
    echo "${addr}@$interface"
  done | sort
}

# Arguments: $1 - "interface addr addr ...", $2 - addresses to leave alone
# Adds addresses missing on the interface and removes global-scope ones that
# fwbuilder does not know about. A missing interface is fatal unless
# FWBDEBUG is set (test mode).
update_addresses_of_interface() {
  ignore_list=$2
  set $1
  interface=$1
  shift
  FWB_ADDRS=$(
    for addr in $*; do
      echo "${addr}@$interface"
    done | sort
  )
  CURRENT_ADDRS_ALL_SCOPES=""
  CURRENT_ADDRS_GLOBAL_SCOPE=""
  $IP link show dev $interface >/dev/null 2>&1 && {
    CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
    CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
  } || {
    echo "# Interface $interface does not exist"
    # Stop the script if we are not in test mode
    test -z "$FWBDEBUG" && exit 1
  }
  diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
  diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flushes global-scope addresses and downs every interface not named in $*.
# (The function body continues past the end of this excerpt.)
clear_addresses_except_known_interfaces() {
  $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
  'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \
  while read intf; do
    echo "# Removing addresses not configured in fwbuilder from interface $intf"
    $FWBDEBUG $IP addr flush dev $intf scope global
    $FWBDEBUG $IP link set $intf down
done } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@" set $vlan subint=$1 parent=$2 IFS=$oldIFS vlan_id=$(echo $subint | sed -r 's/(vlan|[^.]*\.)//') test "$cmd" = "add" && { echo $subint | grep -q "vlan" && name_type="VLAN_PLUS_VID" || name_type="DEV_PLUS_VID" test "$vlan_id" \< "1" || name_type="${name_type}_NO_PAD" echo "# Adding VLAN interface $subint (parent: $parent)" $FWBDEBUG $VCONFIG set_name_type $name_type $FWBDEBUG $VCONFIG $cmd $parent $vlan_id $FWBDEBUG $IP link set $subint up } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (parent: $parent)" $FWBDEBUG $VCONFIG $cmd $subint } } parse_fwb_vlans() { set $1 vlan_parent_interface=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent_interface" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent_interface=$1 CURRENT_VLANS="" PROC_DIR="/proc/net/vlan/" test -d $PROC_DIR || $MODPROBE 8021q || { echo "$PROC_DIR does not exist. Vlan interfaces are not available." exit 1 } test -f "/proc/net/vlan/config" && { CURRENT_VLANS=$( cat /proc/net/vlan/config | grep -v 'Dev name' | grep $vlan_parent_interface | \ while read subint a vlan_id b parent; do echo "${subint}@$parent" done | sort ) } echo $CURRENT_VLANS } update_vlans_of_interface() { args="$1" set $1 vlan_parent_interface=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface) $IP link set $vlan_parent_interface up diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } add_vlans() { args="$1" set $1 vlan_parent_interface=$1 FWB_VLANS=$(parse_fwb_vlans $args) CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface) $IP link set $vlan_parent_interface up diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add } clear_vlans_except_known() { FWB_VLANS=$* CURRENT_VLANS=$(parse_current_vlans '|') diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } check_file() { test -r "$2" || { echo "Can not 
find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo eth0.100" for i in eth0 eth1 lo eth0.100 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_vlans_of_interface "eth0 eth0.100" clear_vlans_except_known eth0.100@eth0 update_addresses_of_interface "eth0 172.24.0.2/16" "172.24.0.1/16" update_addresses_of_interface "eth1 192.168.1.2/24" "192.168.1.1/24" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth0.100 192.168.100.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # ================ Table 'filter', rule set to_fw # # Rule to_fw 0 (global) # echo 
"Rule to_fw 0 (global)" # # hashlimit 10/sec $IPTABLES -N to_fw $IPTABLES -N to_fw_0 $IPTABLES -A to_fw -m hashlimit --hashlimit 10/second --hashlimit-name htable_rule_0 -j to_fw_0 $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A to_fw_0 -j DROP # ================ Table 'filter', rule set Policy # # Rule -4 openais (automatic) # echo "Rule -4 openais (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 226.94.1.1 --dport 5405 -j ACCEPT # # Rule -3 openais (automatic) # echo "Rule -3 openais (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -s 172.24.0.3 -d 226.94.1.1 --dport 5405 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state 
NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (lo) # echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -A OUTPUT -d 172.24.0.1 -j DROP $IPTABLES -A OUTPUT -d 172.24.0.2 -j DROP $IPTABLES -A OUTPUT -d 192.168.1.1 -j DROP $IPTABLES -A OUTPUT -d 192.168.1.2 -j DROP $IPTABLES -A OUTPUT -d 192.168.100.1 -j DROP $IPTABLES -A INPUT -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N RULE_7 $IPTABLES -A OUTPUT -d 172.24.0.1 -j RULE_7 $IPTABLES -A OUTPUT -d 172.24.0.2 -j RULE_7 $IPTABLES -A OUTPUT -d 192.168.1.1 -j 
RULE_7 $IPTABLES -A OUTPUT -d 192.168.1.2 -j RULE_7 $IPTABLES -A OUTPUT -d 192.168.100.1 -j RULE_7 $IPTABLES -A INPUT -j RULE_7 $IPTABLES -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY " $IPTABLES -A RULE_7 -j DROP # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_9 $IPTABLES -A INPUT -m state --state NEW -j RULE_9 $IPTABLES -A FORWARD -m state --state NEW -j RULE_9 $IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- DENY " $IPTABLES -A RULE_9 -j DROP # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -j RULE_10 $IPTABLES -A INPUT -j RULE_10 $IPTABLES -A FORWARD -j RULE_10 $IPTABLES -A RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- DENY " $IPTABLES -A RULE_10 -j DROP # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z "$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." 
# delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below. # # Rule 1 (main) # echo "Routing rule 1 (main)" # # Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below. # # ============== EQUAL COST MULTI PATH ============ # echo "Activating ecmp routing rules..." # # Multipath Rule derived from the following routing rules: # # Rule 0 (main) # # Rule 1 (main) # interface vrrp1 belongs to a different firewall (cluster) # $IP route add 172.24.1.0/24 \ nexthop via 172.24.0.100 dev eth0 \ nexthop via 172.24.0.100 dev eth1 \ || route_command_error "1" restore_script_output echo "...done." } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/openais_cluster_1_linux-2.fw.orig000077500000000000000000000436771303637203600236050ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:42 2012 PDT by vadim # # files: * openais_cluster_1_linux-2.fw /etc/openais_cluster_1_linux-2.fw # # Compiled for iptables 1.4.0 # # openais_cluster_1:Routing:1: error: Object "gw1" used as gateway in the routing rule 1 (main) is not in the same local network as interface eth1 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo" for i in eth0 eth1 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 172.24.0.3/16" "172.24.0.1/16" update_addresses_of_interface "eth1 192.168.1.3/24" "192.168.1.1/24" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # ================ Table 'filter', rule set to_fw # # Rule to_fw 0 (global) # echo "Rule to_fw 0 (global)" # # hashlimit 20/sec $IPTABLES -N to_fw $IPTABLES -N to_fw_0 $IPTABLES -A to_fw 
-m hashlimit --hashlimit 20/second --hashlimit-name htable_rule_0 -j to_fw_0 $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A to_fw_0 -j DROP # ================ Table 'filter', rule set Policy # # Rule -4 openais (automatic) # echo "Rule -4 openais (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 226.94.1.1 --dport 5405 -j ACCEPT # # Rule -3 openais (automatic) # echo "Rule -3 openais (automatic)" # $IPTABLES -N Cid3009X69605.2.0 $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 226.94.1.1 --dport 5405 -j Cid3009X69605.2.0 $IPTABLES -A Cid3009X69605.2.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid3009X69605.2.0 -s 192.168.100.1 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3781 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i 
eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (lo) # echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -A OUTPUT -d 172.24.0.1 -j DROP $IPTABLES -A OUTPUT -d 172.24.0.3 -j DROP $IPTABLES -A OUTPUT -d 192.168.1.1 -j DROP $IPTABLES -A OUTPUT -d 192.168.1.3 -j DROP $IPTABLES -A INPUT -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N RULE_7 $IPTABLES -A OUTPUT -d 172.24.0.1 -j RULE_7 $IPTABLES -A OUTPUT -d 172.24.0.3 -j RULE_7 $IPTABLES -A OUTPUT -d 192.168.1.1 -j RULE_7 $IPTABLES -A OUTPUT -d 192.168.1.3 -j RULE_7 $IPTABLES -A INPUT -j RULE_7 $IPTABLES -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY " $IPTABLES -A 
RULE_7 -j DROP # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_9 $IPTABLES -A INPUT -m state --state NEW -j RULE_9 $IPTABLES -A FORWARD -m state --state NEW -j RULE_9 $IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- DENY " $IPTABLES -A RULE_9 -j DROP # # Rule 10 (global) # echo "Rule 10 (global)" # $IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -j RULE_10 $IPTABLES -A INPUT -j RULE_10 $IPTABLES -A FORWARD -j RULE_10 $IPTABLES -A RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- DENY " $IPTABLES -A RULE_10 -j DROP # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z "$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." 
# delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below. # # Rule 1 (main) # echo "Routing rule 1 (main)" # # Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below. # # ============== EQUAL COST MULTI PATH ============ # echo "Activating ecmp routing rules..." # # Multipath Rule derived from the following routing rules: # # Rule 0 (main) # # Rule 1 (main) # interface vrrp1 belongs to a different firewall (cluster) # $IP route add 172.24.1.0/24 \ nexthop via 172.24.0.100 dev eth0 \ nexthop via 172.24.0.100 dev eth1 \ || route_command_error "1" restore_script_output echo "...done." } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/optimizer_test.fwb000066400000000000000000002004551303637203600210560ustar00rootroot00000000000000 fwbuilder-5.3.7/test/ipt/quick-cmp.sh000077500000000000000000000014751303637203600175260ustar00rootroot00000000000000#!/bin/sh DIFFCMD="diff -C 5 -c -b -w -I \"^ *$\" -I \" *# *$\" -I \"# Generated\" -I 'Activating ' -I '# Firewall Builder fwb_ipt v' -I 'Can not find file' -I '====' -I 'log '" for f in $(ls *.fw.orig) do V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" new_f=$(echo $f | sed 's/.orig//') echo "$DIFFCMD $f $new_f" done exit 0 run_diffs_for_file() { xmlfile=$1 folder=$2 fwbedit list -f $xmlfile -o $folder -c -F%name% | sort | while read fwobj; do V="$fwobj <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" echo "$DIFFCMD ${fwobj}.fw.orig ${fwobj}.fw" done } run_diffs_for_file objects-for-regression-tests.fwb /User/Firewalls # 
run_diffs_for_file cluster-tests.fwb /User/Clusters fwbuilder-5.3.7/test/ipt/rc.firewall.local000077500000000000000000000121221303637203600205140ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:31:01 2012 PDT by vadim # # files: * rc.firewall.local /etc/rc.d//rc.firewall.local # # Compiled for iptables (any version) # # Endian firewall appliance, 2 interfaces: # br0 is GREEN # eth1 is RED # Do not forget to change IP addresses to # match your firewall. PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by AddressTable object $1" exit 1 } } getInterfaceVarName() { echo $1 | sed 's/\./_/' } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD 
DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : check_file "atbl.1" "addr-table-1.tbl" } verify_interfaces() { : echo "Verifying interfaces: et0 eth1" for i in et0 eth1 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } script_body() { # ================ IPv4 # ================ Table 'filter', rule set Policy # # Rule 0 (global) # echo "Rule 0 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp -d 10.3.14.40 --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -d 10.3.14.40 --dport 80 -m state --state NEW -j ACCEPT # # Rule 1 (global) # echo "Rule 1 (global)" # $IPTABLES -N RULE_1 $IPTABLES -A INPUT -s 192.168.1.1 -j RULE_1 $IPTABLES -A INPUT -s 192.168.1.2 -j RULE_1 $IPTABLES -A INPUT -s 192.168.1.3/30 -j RULE_1 $IPTABLES -A INPUT -s 192.168.1.200 -j RULE_1 $IPTABLES -A INPUT -s 192.168.1.201 -j RULE_1 $IPTABLES -A INPUT -s 192.168.2.128/25 -j RULE_1 $IPTABLES -A FORWARD -s 192.168.1.1 -j RULE_1 $IPTABLES -A FORWARD -s 192.168.1.2 -j RULE_1 $IPTABLES -A FORWARD -s 192.168.1.3/30 -j RULE_1 $IPTABLES -A FORWARD -s 192.168.1.200 -j RULE_1 $IPTABLES -A FORWARD -s 192.168.1.201 -j RULE_1 $IPTABLES -A FORWARD -s 192.168.2.128/25 -j RULE_1 $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A RULE_1 -j DROP # # Rule 2 (global) # echo "Rule 2 (global)" # $IPTABLES -N RULE_2 grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A INPUT -s $at_atbl_1 -j RULE_2 done grep -Ev 
'^#|^;|^\s*$' addr-table-1.tbl | while read L ; do set $L; at_atbl_1=$1; $IPTABLES -A FORWARD -s $at_atbl_1 -j RULE_2 done $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY " $IPTABLES -A RULE_2 -j DROP } reset_all() { : reset_iptables_v4 } case "$1" in start) check_tools check_run_time_address_table_files verify_interfaces prolog_commands script_body epilog_commands ;; stop) # on IPCOP "/etc/rc.firewall stop" purges all tables and chains # and then calls this script with command "stop", but there is # nothing left for us to do here. ;; reload) $0 stop $0 start ;; *) echo "Usage $0 {start|stop|reload}" ;; esac fwbuilder-5.3.7/test/ipt/recycle000077500000000000000000000000751303637203600166450ustar00rootroot00000000000000#!/bin/sh for f in *.fw; do j=${f}.orig mv $f $j done fwbuilder-5.3.7/test/ipt/rh90.fw.orig000077500000000000000000000272071303637203600173610ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:38 2012 PDT by vadim # # files: * rh90.fw /etc/rh90.fw # # Compiled for iptables (any version) # # This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address. 
FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT 
DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf 
missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 lo" for i in eth0 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 10.3.14.58/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state 
--state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 10.3.14.58 -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 10.3.14.58 -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (lo) # echo "Rule 1 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # SSH Access to the host; useful ICMP # types; ping request $IPTABLES -N Cid41528C32.0 $IPTABLES -A OUTPUT -d 10.3.14.58 -m state --state NEW -j Cid41528C32.0 $IPTABLES -A Cid41528C32.0 -p icmp -m icmp --icmp-type 3 -j ACCEPT $IPTABLES -A Cid41528C32.0 -p icmp -m icmp --icmp-type 0/0 -j ACCEPT $IPTABLES -A Cid41528C32.0 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT $IPTABLES -A Cid41528C32.0 -p icmp -m icmp --icmp-type 11/0 -j ACCEPT $IPTABLES -A Cid41528C32.0 -p icmp -m icmp --icmp-type 11/1 -j ACCEPT $IPTABLES -A Cid41528C32.0 -p tcp -m tcp --dport 22 -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -A INPUT -s 10.3.14.58 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # $IPTABLES -N RULE_4 $IPTABLES -A OUTPUT -j RULE_4 $IPTABLES -A INPUT -j 
RULE_4 $IPTABLES -A FORWARD -j RULE_4 $IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY " $IPTABLES -A RULE_4 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:38 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/run-clusters.all000077500000000000000000000003731303637203600204350ustar00rootroot00000000000000#!/bin/sh XMLFILE="cluster-tests.fwb" fwbedit list -f $XMLFILE -o /User/Clusters -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_ipt -v -f $XMLFILE -xt -xc $fwobj" done fwbuilder-5.3.7/test/ipt/run.all000077500000000000000000000010171303637203600165670ustar00rootroot00000000000000#!/bin/sh make -j2 -k all exit 0 XMLFILE="objects-for-regression-tests.fwb" fwbedit list -f $XMLFILE -o /User/Firewalls -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_ipt -v -f $XMLFILE -xt $fwobj" done XMLFILE="cluster-tests.fwb" fwbedit list -f $XMLFILE -o /User/Clusters -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_ipt -v -f $XMLFILE -xt -xc $fwobj" done fwbuilder-5.3.7/test/ipt/server-cluster-1_server-1.fw.orig000077500000000000000000000251001303637203600234340ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:42 2012 PDT by vadim # # files: * server-cluster-1_server-1.fw /etc/fw/server-cluster-1_server-1.fw # # Compiled for iptables (any version) # # fw is part of any is OFF # ip forwarding is OFF # server-cluster-1:Policy:0: error: Rule '0 (global)' shadows rule '1 (global)' below it # server-cluster-1:Policy:0: error: Rule '0 (global)' shadows rule '1 (global)' below it FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: lo eth0" for i in lo eth0 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth0 192.168.1.1/24" "192.168.1.100/24" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule -4 heartbeat (automatic) # echo "Rule -4 heartbeat (automatic)" # $IPTABLES -A OUTPUT -o lo -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -3 heartbeat (automatic) # echo "Rule -3 heartbeat (automatic)" # $IPTABLES -A INPUT -i lo -p udp -m udp -s 127.0.0.1 -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -2 heartbeat (automatic) # echo "Rule -2 heartbeat 
(automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -1 heartbeat (automatic) # echo "Rule -1 heartbeat (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -s 192.168.1.2 -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule 0 (global) # echo "Rule 0 (global)" # # test for ticket #1338 # server-cluster-1:Policy:0: error: Rule '0 (global)' shadows rule '1 (global)' below it $IPTABLES -A INPUT -s 192.168.1.1 -j DROP $IPTABLES -A INPUT -s 192.168.1.100 -j DROP } ip_forward() { : echo 0 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/server-cluster-1_server-2.fw.orig000077500000000000000000000244561303637203600234520ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:42 2012 PDT by vadim # # files: * server-cluster-1_server-2.fw /etc/fw/server-cluster-1_server-2.fw # # Compiled for iptables (any version) # # fw is part of any is OFF # ip forwarding is OFF FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: lo eth0" for i in lo eth0 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth0 192.168.1.2/24" "192.168.1.100/24" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule -4 heartbeat (automatic) # echo "Rule -4 heartbeat (automatic)" # $IPTABLES -A OUTPUT -o lo -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -3 heartbeat (automatic) # echo "Rule -3 heartbeat (automatic)" # $IPTABLES -A INPUT -i lo -p udp -m udp -s 127.0.0.1 -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -2 heartbeat (automatic) # echo "Rule -2 heartbeat 
(automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule -1 heartbeat (automatic) # echo "Rule -1 heartbeat (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -s 192.168.1.1 -d 224.0.10.100 --dport 694 -j ACCEPT # # Rule 0 (global) # echo "Rule 0 (global)" # # test for ticket #1338 $IPTABLES -A INPUT -s 192.168.1.2 -j DROP $IPTABLES -A INPUT -s 192.168.1.100 -j DROP } ip_forward() { : echo 0 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? 
;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/test-shadowing-1.fw.orig000077500000000000000000000335041303637203600216720ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:40 2012 PDT by vadim # # files: * test-shadowing-1.fw /etc/test-shadowing-1.fw # # Compiled for iptables (any version) # # testing shadowing detection # compiler runs with -xt flag # firewall is assumed to be part of any # test-shadowing-1:Policy:0: error: Rule '0 (eth0)' shadows rule '1 (eth0)' below it # test-shadowing-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # test-shadowing-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # test-shadowing-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # test-shadowing-1:Policy:4: error: Rule '4 (global)' shadows rule '5 (global)' below it # test-shadowing-1:Policy:6: error: Rule '6 (global)' shadows rule '7 (global)' below it # test-shadowing-1:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 
af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 eth2" for i in eth0 eth1 eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 22.22.22.22/24" "" update_addresses_of_interface "eth1 192.168.1.1/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # # shades rule below # test-shadowing-1:Policy:0: error: Rule '0 (eth0)' shadows rule '1 (eth0)' below it $IPTABLES -A OUTPUT -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo 
"Rule 1 (eth0)" # $IPTABLES -N Out_RULE_1 $IPTABLES -A FORWARD -o eth0 -s 192.168.1.10 -j Out_RULE_1 $IPTABLES -A Out_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A Out_RULE_1 -j DROP # # Rule 2 (global) # echo "Rule 2 (global)" # # firewall is part # of any for this rule # test-shadowing-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -N Cid4514B3E62143.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j Cid4514B3E62143.0 $IPTABLES -A Cid4514B3E62143.0 -s 22.22.22.22 -j DROP $IPTABLES -A Cid4514B3E62143.0 -s 192.168.1.1 -j DROP $IPTABLES -A Cid4514B3E62143.0 -s 192.168.2.1 -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -j DROP # # Rule 4 (global) # echo "Rule 4 (global)" # # test-shadowing-1:Policy:4: error: Rule '4 (global)' shadows rule '5 (global)' below it $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 21 -j DROP $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 21 -j DROP $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 21 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # # test-shadowing-1:Policy:6: error: Rule '6 (global)' shadows rule '7 (global)' below it $IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p udp -m udp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -s 192.168.1.0/24 -m state --state NEW -j 
ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 123 -j DROP $IPTABLES -A OUTPUT -p udp -m udp -s 192.168.1.0/24 --dport 123 -j DROP $IPTABLES -A FORWARD -p udp -m udp -s 192.168.1.0/24 --dport 123 -j DROP # # Rule 8 (global) # echo "Rule 8 (global)" # # this rule should shadow rule below it because # it uses IPService object with protocol 0 # test-shadowing-1:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it $IPTABLES -A INPUT -p all -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p all -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p all -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -A INPUT -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j DROP $IPTABLES -A OUTPUT -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j DROP $IPTABLES -A FORWARD -p icmp -m icmp -s 192.168.1.0/24 --icmp-type 0/0 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. 
# For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:40 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/test-shadowing-2.fw.orig000077500000000000000000000270571303637203600217010ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:40 2012 PDT by vadim # # files: * test-shadowing-2.fw /etc/test-shadowing-2.fw # # Compiled for iptables (any version) # # testing shadowing detection # compiler runs with -xt flag # firewall is NOT assumed to be part of any # test-shadowing-2:Policy:0: error: Rule '0 (eth0)' shadows rule '1 (eth0)' below it # test-shadowing-2:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # test-shadowing-2:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # test-shadowing-2:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # test-shadowing-2:Policy:4: error: Rule '4 (global)' shadows rule '5 (global)' below it FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" 
BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { 
address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) 
{ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 eth2" for i in eth0 eth1 eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 22.22.22.22/24" "" update_addresses_of_interface "eth1 192.168.1.1/24" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # # shades rule below 
# test-shadowing-2:Policy:0: error: Rule '0 (eth0)' shadows rule '1 (eth0)' below it $IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # $IPTABLES -A FORWARD -o eth0 -s 192.168.1.10 -j DROP # # Rule 2 (global) # echo "Rule 2 (global)" # # firewall is part # of any for this rule # test-shadowing-2:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -j DROP # # Rule 4 (global) # echo "Rule 4 (global)" # # this rule should shadow rule below it because # it uses IPService object with protocol 0 # test-shadowing-2:Policy:4: error: Rule '4 (global)' shadows rule '5 (global)' below it $IPTABLES -A FORWARD -p all -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 6667 -j DROP # # Rule 6 (global) # echo "Rule 6 (global)" # $IPTABLES -N RULE_6 $IPTABLES -A FORWARD -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " $IPTABLES -A RULE_6 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:40 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/test-shadowing-3.fw.orig000077500000000000000000000361631303637203600217000ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:41 2012 PDT by vadim # # files: * test-shadowing-3.fw /etc/test-shadowing-3.fw # # Compiled for iptables (any version) # # testing shadowing detection # compiler runs with -xt flag # testing shadowing when rules have non-default options # test-shadowing-3:Policy_3:0: error: Rule 'Policy_3 0 (eth0)' shadows rule 'Policy_3 1 (eth0)' below it # test-shadowing-3:Policy_5:0: error: Rule 'Policy_5 0 (eth0)' shadows rule 'Policy_5 1 (eth0)' below it # test-shadowing-3:Policy_6:0: error: Rule 'Policy_6 0 (global)' shadows rule 'Policy_6 1 (global)' below it # test-shadowing-3:Policy_7:0: error: Rule 'Policy_7 0 (global)' shadows rule 'Policy_7 1 (global)' below it FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
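done
}

# Abort unless the file behind address-table object $1 is readable at path $2.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# This policy references no run-time address-table files.
check_run_time_address_table_files() {
    :
}

# Load the netfilter kernel modules the policy relies on.
#   $1 - option string; the words "nat" and "ipv6" add those module groups
#        on top of the conntrack modules that are always loaded.
# A module that cannot be loaded aborts the script (exit 1) before any
# rule is written, so a policy is never applied with its matches missing.
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(find "$MODULES_DIR" -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    echo $OPTS | grep -q nat && {
        MODULES="$MODULES $(find "$MODULES_DIR" -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    echo $OPTS | grep -q ipv6 && {
        MODULES="$MODULES $(find "$MODULES_DIR" -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    for module in $MODULES; do
        # Match the whole module-name column of lsmod. The former unanchored
        # grep treated e.g. nf_nat as loaded whenever nf_nat_ftp was, and
        # then skipped the modprobe for it.
        if $LSMOD | grep -q "^${module}[[:space:]]"; then continue; fi
        $MODPROBE ${module} || exit 1
    done
}

# Refuse to continue if any interface named in the policy is absent.
verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 eth1 eth2"
    for i in eth0 eth1 eth2 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog script and exit with status $1.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Bring interface addresses in line with the policy (add missing, delete
# global-scope extras). The second argument of each call is the ignore list.
configure_interfaces() {
    :
    # Configure interfaces
    update_addresses_of_interface "eth0 22.22.22.22/24" ""
    update_addresses_of_interface "eth1 192.168.1.1/24" ""
    update_addresses_of_interface "eth2 192.168.2.1/24" ""
}

# Install the compiled rule set. Runs after reset_all(), i.e. against empty
# chains whose policies are already DROP.
script_body() {
    # ================ IPv4

    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'filter', rule set Policy_1
    #
    # Rule Policy_1 0 (eth0)
    #
    echo "Rule Policy_1 0 (eth0)"
    #
    # connlimit
    $IPTABLES -N Policy_1
    $IPTABLES -A Policy_1 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m connlimit --connlimit-above 10 -j ACCEPT
    #
    # Rule Policy_1 1 (eth0)
    #
    echo "Rule Policy_1 1 (eth0)"
    #
    $IPTABLES -A Policy_1 -o eth0 -s 192.168.1.0/24 -j DROP

    # ================ Table 'filter', rule set Policy_2
    #
    # Rule Policy_2 0 (eth0)
    #
    echo "Rule Policy_2 0 (eth0)"
    #
    # hashlimit
    $IPTABLES -N Policy_2
    $IPTABLES -A Policy_2 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 10/second --hashlimit-name test -j ACCEPT
    #
    # Rule Policy_2 1 (eth0)
    #
    echo "Rule Policy_2 1 (eth0)"
    #
    $IPTABLES -A Policy_2 -o eth0 -s 192.168.1.0/24 -j DROP

    # ================ Table 'filter', rule set Policy_3
    #
    # Rule Policy_3 0 (eth0)
    #
    echo "Rule Policy_3 0 (eth0)"
    #
    # 50/sec
    # test-shadowing-3:Policy_3:0: error: Rule 'Policy_3 0 (eth0)' shadows rule 'Policy_3 1 (eth0)' below it
    $IPTABLES -N Policy_3
    $IPTABLES -A Policy_3 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 50/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT
    #
    # Rule Policy_3 1 (eth0)
    #
    echo "Rule Policy_3 1 (eth0)"
    #
    # 50/sec
    $IPTABLES -A Policy_3 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 50/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT

    # ================ Table 'filter', rule set Policy_4
    #
    # Rule Policy_4 0 (eth0)
    #
    echo "Rule Policy_4 0 (eth0)"
    #
    # 30/sec
    $IPTABLES -N Policy_4
    $IPTABLES -A Policy_4 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 30/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT
    #
    # Rule Policy_4 1 (eth0)
    #
    echo "Rule Policy_4 1 (eth0)"
    #
    # 50/sec
    $IPTABLES -A Policy_4 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 50/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT
    #
    # Rule Policy_4 2 (eth0)
    #
    echo "Rule Policy_4 2 (eth0)"
    #
    # htable_rule_4
    $IPTABLES -A Policy_4 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 10/second --hashlimit-mode srcip --hashlimit-name htable_rule_4 -j ACCEPT
    #
    # Rule Policy_4 3 (eth0)
    #
    echo "Rule Policy_4 3 (eth0)"
    #
    # htable_rule_5
    $IPTABLES -A Policy_4 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 10/second --hashlimit-mode srcip --hashlimit-name htable_rule_5 -j ACCEPT

    # ================ Table 'filter', rule set Policy_5
    #
    # Rule Policy_5 0 (eth0)
    #
    echo "Rule Policy_5 0 (eth0)"
    #
    # 50/sec
    # test-shadowing-3:Policy_5:0: error: Rule 'Policy_5 0 (eth0)' shadows rule 'Policy_5 1 (eth0)' below it
    $IPTABLES -N Policy_5
    $IPTABLES -A Policy_5 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 50/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT
    #
    # Rule Policy_5 1 (eth0)
    #
    echo "Rule Policy_5 1 (eth0)"
    #
    # 30/sec
    $IPTABLES -A Policy_5 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 30/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT

    # ================ Table 'filter', rule set Policy_6
    #
    # Rule Policy_6 0 (global)
    #
    echo "Rule Policy_6 0 (global)"
    #
    # test-shadowing-3:Policy_6:0: error: Rule 'Policy_6 0 (global)' shadows rule 'Policy_6 1 (global)' below it
    $IPTABLES -N Policy_6
    $IPTABLES -A Policy_6 -i + -s 192.168.11.0/24 -j DROP
    #
    # Rule Policy_6 1 (global)
    #
    echo "Rule Policy_6 1 (global)"
    #
    $IPTABLES -A Policy_6 -i + -s 192.168.11.10/31 -j DROP

    # ================ Table 'filter', rule set Policy_7
    #
    # Rule Policy_7 0 (global)
    #
    echo "Rule Policy_7 0 (global)"
    #
    # test-shadowing-3:Policy_7:0: error: Rule 'Policy_7 0 (global)' shadows rule 'Policy_7 1 (global)' below it
    $IPTABLES -N Policy_7
    $IPTABLES -A Policy_7 -i + -s 192.168.11.10/31 -j DROP
    #
    # Rule Policy_7 1 (global)
    #
    echo "Rule Policy_7 1 (global)"
    #
    $IPTABLES -A Policy_7 -i + -s 192.168.11.11 -j DROP

    # ================ Table 'filter', rule set Policy_8
    #
    # Rule Policy_8 0 (global)
    #
    echo "Rule Policy_8 0 (global)"
    #
    # even though this is a trivial case,
    # I had a bug with handling networks with netmask /31 that broke it
    $IPTABLES -N Policy_8
    $IPTABLES -A Policy_8 -i + -s 24.56.78.90 -j DROP
    #
    # Rule Policy_8 1 (global)
    #
    echo "Rule Policy_8 1 (global)"
    #
    $IPTABLES -A Policy_8 -i + -s 222.222.222.0/24 -j DROP

    # ================ Table 'filter', rule set Policy
    #
    # Rule 0 (eth0)
    #
    echo "Rule 0 (eth0)"
    #
    # limit
    $IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -m state --state NEW -m limit --limit 10/second -j ACCEPT
    #
    # Rule 1 (eth0)
    #
    echo "Rule 1 (eth0)"
    #
    $IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -j DROP
}

# Turn on IPv4 forwarding. 'start' calls this only after script_body, so
# forwarding is never enabled against an empty rule set.
ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Flush every chain and set all policies to DROP (reset_iptables_v4).
reset_all() {
    :
    reset_iptables_v4
}

# 'block': leave the host with DROP policies and no rules.
block_action() {
    reset_all
}

# 'stop': flush everything and open the host (all policies ACCEPT).
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# Probe a /proc/net/*_tables_names file ($1).
# Returns 151 if it does not exist (modules not loaded), 152 if it is empty
# (no tables configured), 0 otherwise.
check_iptables() {
    IP_TABLES="$1"
    [ ! -e "$IP_TABLES" ] && return 151
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}

# 'status': return 0 if either the v4 or the v6 stack has tables configured,
# otherwise print a diagnosis and exit 3.
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    { [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; } && return 0
    { [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; } && {
        echo "iptables modules are not loaded"
    }
    { [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; } && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        log "Activating firewall script generated Sun Mar 18 21:17:41 2012 by vadim"
        check_tools
        prolog_commands
        check_run_time_address_table_files
        load_modules " "
        configure_interfaces
        verify_interfaces
        reset_all
        script_body
        ip_forward
        epilog_commands
        # Only the status of epilog_commands is reported; the earlier steps
        # signal failure by exiting the script themselves.
        RETVAL=$?
        ;;
    stop)
        stop_action
        RETVAL=$?
        ;;
    status)
        status_action
        RETVAL=$?
        ;;
    block)
        block_action
        RETVAL=$?
        ;;
    reload)
        # NOTE(review): 'stop' sets every policy to ACCEPT before 'start'
        # rebuilds the rule set, so the host is unfiltered for the duration
        # of 'start'. 'start' alone already flushes via reset_all with DROP
        # policies; going through 'block' instead of 'stop' closes the gap.
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;
    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;
    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        # An unknown action used to exit 0 (RETVAL unset); report it as an error.
        RETVAL=1
        ;;
esac

exit $RETVALfwbuilder-5.3.7/test/ipt/test_fw.fw.orig000077500000000000000000000442001303637203600202420ustar00rootroot00000000000000#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !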
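#
# Firewall Builder  fwb_ipt v5.0.2.3596
#
# Generated Sun Mar 18 21:17:38 2012 PDT by vadim
#
# files: * test_fw.fw /etc/test_fw.fw
#
# Compiled for iptables (any version)
#
# This firewall has three interfaces. Eth0 faces outside and has a static
# routable address; eth1 faces inside; eth2 is connected to DMZ subnet.
# Policy includes basic rules to permit unrestricted outbound access and
# anti-spoofing rules. Access to the firewall is permitted only from internal
# network and only using SSH. The firewall uses one of the machines on
# internal network for DNS. Internal network is configured with address
# 192.168.1.0/255.255.255.0, DMZ is 192.168.2.0/255.255.255.0. Since DMZ used
# private IP address, it needs NAT. There is a mail relay host located on DMZ
# (object 'server on dmz'). Policy rules permit SMTP connections to it from
# the Internet and allow this server to connect to a host on internal network
# 'internal server'. All other access from DMZ to internal net is denied. To
# provide access to the mail relay its private address is mapped to
# firewall's outside interface address by NAT rule #1.

# Set to "echo" (see 'test_interfaces') to print interface commands instead
# of running them.
FWBDEBUG=""

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

# Absolute tool paths; check_tools() verifies the ones 'start' needs.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print $1 and, when logger is available, send it to syslog at priority info.
log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

# Turn an interface name into something usable in a variable name
# (only the first '.' is replaced).
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# Collect the addresses of interface $1 (address family flag $3, "-4"/"-6")
# into the variable named "$2_list"; sets "$2" to '' when there are none.
# $2 is expanded through eval, so it must be a literal identifier supplied
# by the generated script, never data from the network.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

# Same as getaddr_internal but for the kernel (connected) routes of $1.
# $3 is accepted for symmetry but not used.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
    test -z "$L" && {
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\""
}

getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
# Prints every interface whose name starts with $1.
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# Call "$1 <item> $4" for every item of list $2 that is not in list $3.
# Lists are whitespace-separated strings (addresses or VLANs tagged
# "<name>@<interface>").
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        # Exact, literal comparison against whole entries. The former
        # "echo $list2 | grep -q $intf" was a substring/regex test, so eth1
        # counted as present when only eth10 was and its add/del was skipped.
        printf '%s\n' $list2 | grep -qxF -- "$intf" || {
            # $intf is absent in list 2
            $func $intf $cmd
        }
    done
}

# Abort (exit 1) if program $1 is not on PATH.
find_program() {
    PGM=$1
    which $PGM >/dev/null 2>&1 || {
        echo "\"$PGM\" not found"
        exit 1
    }
}

check_tools() {
    find_program which
    find_program $IPTABLES
    find_program $MODPROBE
    find_program $IP
}

# Fail closed: set DROP policies first, then flush and delete every chain
# of every loaded IPv4 table.
reset_iptables_v4() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t $table -F $chain
            fi
        done
        $IPTABLES -t $table -X
    done
}

# IPv6 counterpart of reset_iptables_v4.
reset_iptables_v6() {
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP

    cat /proc/net/ip6_tables_names | while read table; do
        $IP6TABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IP6TABLES -t $table -F $chain
            fi
        done
        $IP6TABLES -t $table -X
    done
}

# Set once the point-to-point warning has been printed.
P2P_INTERFACE_WARNING=""

# Add ($2 = "add") or remove ($2 = "del") the address given as
# "<addr>@<interface>" in $1, then bring the interface up.
missing_address() {
    address=$1
    cmd=$2

    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS

    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }

    test "$cmd" = "add" && {
        echo "# Adding ip address: $interface $addr"
        # if/else rather than "&& {..} || {..}": with the latter a failed
        # IPv6 add fell through into the IPv4 branch and was retried with
        # "broadcast +".
        # NOTE(review): unlike the del branch below, a failed add does not
        # stop the script.
        if echo $addr | grep -q ':'; then
            $FWBDEBUG $IP addr $cmd $addr dev $interface
        else
            $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
        fi
    }

    test "$cmd" = "del" && {
        echo "# Removing ip address: $interface $addr"
        $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }

    $FWBDEBUG $IP link set $interface up
}

# Print, sorted, every "<addr>@<interface>" on interface $1 whose line
# matches the awk regex $2 (e.g. 'scope global'), skipping addresses in $3.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
        awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
            'BEGIN {
                split(IGNORED,ignored_arr);
                for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
             }
             (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read addr; do
            echo "${addr}@$interface"
        done | sort
}

# Make the addresses of an interface match the policy.
#   $1 - "<interface> <addr/len> ..." (the addresses fwbuilder wants)
#   $2 - addresses to leave alone (ignore list)
# Adds what is missing in any scope and deletes global-scope addresses the
# policy does not list. A missing interface aborts unless FWBDEBUG is set.
update_addresses_of_interface() {
    ignore_list=$2
    set $1
    interface=$1
    shift

    FWB_ADDRS=$(
        for addr in $*; do
            echo "${addr}@$interface"
        done | sort
    )

    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""

    # if/else so that a failure inside the success branch can no longer be
    # misreported as "interface does not exist".
    if $IP link show dev $interface >/dev/null 2>&1; then
        CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
        CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    else
        echo "# Interface $interface does not exist"
        # Stop the script if we are not in test mode
        test -z "$FWBDEBUG" && exit 1
    fi

    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

# Flush global-scope addresses and bring down every interface that is not
# named in the arguments (the interfaces fwbuilder manages).
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN {
            split(IGNORED,ignored_arr);
            for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
         }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
        while read intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev $intf scope global
            $FWBDEBUG $IP link set $intf down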
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo eth2" for i in eth0 eth1 lo eth2 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689 # this ensures that secondary ip address is "promoted" to primary # when primary address is deleted, instead of deleting both # primary and secondary addresses. 
It looks like this is only # available starting from Linux 2.6.16 test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \ echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries update_addresses_of_interface "eth0 192.0.2.1/24" "" update_addresses_of_interface "eth1 fe80::20c:29ff:fed2:cca1/64 192.168.1.1/24" "" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth2 192.168.2.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # # no need to translate # between DMZ and # internal net $IPTABLES -t nat -A POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT $IPTABLES -t nat -A PREROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # # Translate source address # for outgoing connections $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 192.0.2.1 $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j SNAT --to-source 192.0.2.1 # # Rule 2 (NAT) # echo "Rule 2 (NAT)" # $IPTABLES -t nat -A PREROUTING -d 192.0.2.1 -j DNAT --to-destination 192.168.2.10 # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.0.2.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.2.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.2.0/24 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 
192.0.2.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.2.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.2.0/24 -m state --state NEW -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (lo) # echo "Rule 1 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # All other attempts to connect to # the firewall are denied and logged $IPTABLES -N RULE_4 $IPTABLES -A OUTPUT -d 192.0.2.1 -m state --state NEW -j RULE_4 $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j RULE_4 $IPTABLES -A OUTPUT -d 192.168.2.1 -m state --state NEW -j RULE_4 $IPTABLES -A INPUT -m state --state NEW -j RULE_4 $IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY " $IPTABLES -A RULE_4 -j DROP # # Rule 5 (global) # echo "Rule 5 (global)" # # Quickly reject attempts to connect # to ident server to avoid SMTP delays $IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j REJECT $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j REJECT $IPTABLES -A FORWARD -p tcp -m tcp --dport 113 -j REJECT # # Rule 6 (global) # echo "Rule 6 (global)" # # Mail relay on DMZ can accept # connections 
from hosts on the # Internet $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.2.10 --dport 25 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 25 -m state --state NEW -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # # this rule permits a mail relay # located on DMZ to connect # to internal mail server $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.2.10 -d 192.168.1.10 --dport 25 -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # # Mail relay needs DNS and can # connect to mail servers on the # Internet $IPTABLES -A INPUT -p tcp -m tcp -m multiport -s 192.168.2.10 -d ! 192.168.1.0/24 --dports 53,25 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p udp -m udp -s 192.168.2.10 -d ! 192.168.1.0/24 --dport 53 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -s 192.168.2.10 -d ! 192.168.1.0/24 --dports 53,25 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -s 192.168.2.10 -d ! 
192.168.1.0/24 --dport 53 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # # All other access from DMZ to # internal net is denied $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -s 192.168.2.0/24 -d 192.168.1.0/24 -j RULE_9 $IPTABLES -A INPUT -s 192.168.2.0/24 -d 192.168.1.0/24 -j RULE_9 $IPTABLES -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j RULE_9 $IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- DENY " $IPTABLES -A RULE_9 -j DROP # # Rule 10 (global) # echo "Rule 10 (global)" # # This permits access from internal net # to the Internet and DMZ $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # $IPTABLES -N RULE_11 $IPTABLES -A OUTPUT -j RULE_11 $IPTABLES -A INPUT -j RULE_11 $IPTABLES -A FORWARD -j RULE_11 $IPTABLES -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY " $IPTABLES -A RULE_11 -j DROP # ================ IPv6 # ================ Table 'filter', automatic rules # accept established sessions $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'filter', rule set Policy_OSPF # # Rule Policy_OSPF 0 (eth1) # echo "Rule Policy_OSPF 0 (eth1)" # $IP6TABLES -N Policy_OSPF $IP6TABLES -A Policy_OSPF -i eth1 -s fe80::/10 -d ff00::/8 -j ACCEPT $IP6TABLES -A Policy_OSPF -i eth1 -s fe80::/10 -d fe80::/10 -j ACCEPT $IP6TABLES -A Policy_OSPF -o eth1 -s fe80::/10 -d ff00::/8 -j ACCEPT $IP6TABLES -A Policy_OSPF -o eth1 -s fe80::/10 -d fe80::/10 -j ACCEPT # ================ Table 'filter', rule set Policy_v6 # # Rule Policy_v6 0 (eth1) # echo "Rule Policy_v6 0 (eth1)" # $IP6TABLES -A OUTPUT -o eth1 -s fe80::/10 -d ff00::/8 -j ACCEPT # # Rule 
Policy_v6 1 (global) # echo "Rule Policy_v6 1 (global)" # $IP6TABLES -A OUTPUT -p 89 -j Policy_OSPF $IP6TABLES -A INPUT -p 89 -j Policy_OSPF $IP6TABLES -A FORWARD -p 89 -j Policy_OSPF } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 reset_iptables_v6 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IP6TABLES -P OUTPUT ACCEPT $IP6TABLES -P INPUT ACCEPT $IP6TABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:38 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat ipv6" configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/vrrp_cluster_1_linux-1.fw.orig000077500000000000000000000507121303637203600231230ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. 
DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:42 2012 PDT by vadim # # files: * vrrp_cluster_1_linux-1.fw /etc/vrrp_cluster_1_linux-1.fw # # Compiled for iptables 1.4.0 # # # vrrp_cluster_1:Routing:1: error: Object "gw1" used as gateway in the routing rule 1 (main) is not in the same local network as interface eth1 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP find_program $VCONFIG } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
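done
}

# Create ($2 = "add") or delete ($2 = "rem") the VLAN sub-interface given as
# "<subint>@<parent>" in $1, using vconfig.
missing_vlan() {
    vlan=$1
    cmd=$2

    oldIFS=$IFS
    IFS="@"
    set $vlan
    subint=$1
    parent=$2
    IFS=$oldIFS

    # VLAN id = the name with its "vlan" or "<parent>." prefix stripped.
    vlan_id=$(echo $subint | sed -r 's/(vlan|[^.]*\.)//')

    test "$cmd" = "add" && {
        if echo $subint | grep -q "vlan"; then
            name_type="VLAN_PLUS_VID"
        else
            name_type="DEV_PLUS_VID"
        fi
        # String (not numeric) comparison: presumably detects a zero-padded
        # id such as "0100", which is the only case that sorts below "1".
        test "$vlan_id" \< "1" || name_type="${name_type}_NO_PAD"
        echo "# Adding VLAN interface $subint (parent: $parent)"
        $FWBDEBUG $VCONFIG set_name_type $name_type
        $FWBDEBUG $VCONFIG $cmd $parent $vlan_id
        $FWBDEBUG $IP link set $subint up
    }

    test "$cmd" = "rem" && {
        echo "# Removing VLAN interface $subint (parent: $parent)"
        $FWBDEBUG $VCONFIG $cmd $subint
    }
}

# "<parent> <subint> ..." -> sorted "<subint>@<parent>" entries on one line.
parse_fwb_vlans() {
    set $1
    vlan_parent_interface=$1
    shift
    FWB_VLANS=$(
        for subint in $*; do
            echo "${subint}@$vlan_parent_interface"
        done | sort
    )
    echo $FWB_VLANS
}

# Print the VLANs currently configured on parent interface $1 as sorted
# "<subint>@<parent>" entries, loading 8021q first if needed.
# NOTE(review): the parent is matched with an unanchored grep over the whole
# /proc/net/vlan/config line; clear_vlans_except_known relies on that by
# passing '|' to select every line. A parent name that is a substring of
# another (eth0 vs eth01) would also pull in that interface's VLANs.
parse_current_vlans() {
    vlan_parent_interface=$1
    CURRENT_VLANS=""
    PROC_DIR="/proc/net/vlan/"
    test -d $PROC_DIR || $MODPROBE 8021q || {
        echo "$PROC_DIR does not exist. Vlan interfaces are not available."
        exit 1
    }
    test -f "/proc/net/vlan/config" && {
        CURRENT_VLANS=$(
            cat /proc/net/vlan/config | grep -v 'Dev name' | grep $vlan_parent_interface | \
            while read subint a vlan_id b parent; do
                echo "${subint}@$parent"
            done | sort
        )
    }
    echo $CURRENT_VLANS
}

# Make the VLANs of a parent interface match $1 ("<parent> <subint> ..."):
# add the missing ones and remove the extra ones.
update_vlans_of_interface() {
    args="$1"
    set $1
    vlan_parent_interface=$1
    FWB_VLANS=$(parse_fwb_vlans "$args")
    CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface)
    $IP link set $vlan_parent_interface up
    diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
    diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
}

# Like update_vlans_of_interface but only adds, never removes.
add_vlans() {
    args="$1"
    set $1
    vlan_parent_interface=$1
    FWB_VLANS=$(parse_fwb_vlans $args)
    CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface)
    $IP link set $vlan_parent_interface up
    diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
}

# Remove every VLAN on the host that is not among the "<subint>@<parent>"
# arguments.
clear_vlans_except_known() {
    FWB_VLANS=$*
    CURRENT_VLANS=$(parse_current_vlans '|')
    diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
}

# Abort unless the file behind address-table object $1 is readable at path $2.
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

# This policy references no run-time address-table files.
check_run_time_address_table_files() {
    :
}

# Load the netfilter kernel modules the policy relies on.
#   $1 - option string; the words "nat" and "ipv6" add those module groups
#        on top of the conntrack modules that are always loaded.
# A module that cannot be loaded aborts the script (exit 1) before any
# rule is written.
load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
    MODULES=$(find "$MODULES_DIR" -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    echo $OPTS | grep -q nat && {
        MODULES="$MODULES $(find "$MODULES_DIR" -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    echo $OPTS | grep -q ipv6 && {
        MODULES="$MODULES $(find "$MODULES_DIR" -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    for module in $MODULES; do
        # Match the whole module-name column of lsmod. The former unanchored
        # grep treated e.g. nf_nat as loaded whenever nf_nat_ftp was, and
        # then skipped the modprobe for it.
        if $LSMOD | grep -q "^${module}[[:space:]]"; then continue; fi
        $MODPROBE ${module} || exit 1
    done
}

# Refuse to continue if any interface named in the policy is absent.
verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 eth1 lo eth0.100"
    for i in eth0 eth1 lo eth0.100 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

prolog_commands() {
    echo "Running prolog script"
}

epilog_commands() {
    echo "Running epilog script"
}

# Run the epilog script and exit with status $1.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Bring VLANs and addresses in line with the policy. The second argument of
# each update_addresses_of_interface call is the ignore list: here the
# shared cluster (VRRP) addresses, which keepalived owns, not this script.
configure_interfaces() {
    :
    # Configure interfaces
    update_vlans_of_interface "eth0 eth0.100"
    clear_vlans_except_known eth0.100@eth0
    update_addresses_of_interface "eth0 172.24.0.2/16" "172.24.0.1/16"
    update_addresses_of_interface "eth1 192.168.1.2/24" "192.168.1.1/24"
    update_addresses_of_interface "lo 127.0.0.1/8" ""
    update_addresses_of_interface "eth0.100 192.168.100.1/24" ""
}

# Install the compiled rule set. Runs after reset_all(), i.e. against empty
# chains whose policies are already DROP.
script_body() {
    # ================ IPv4

    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ================ Table 'nat', rule set NAT
    #
    # Rule 0 (NAT)
    #
    echo "Rule 0 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1

    # ================ Table 'filter', rule set to_fw
    #
    # Rule to_fw 0 (global)
    #
    echo "Rule to_fw 0 (global)"
    #
    # hashlimit 10/sec
    $IPTABLES -N to_fw
    $IPTABLES -N to_fw_0
    $IPTABLES -A to_fw -m hashlimit --hashlimit 10/second --hashlimit-name htable_rule_0 -j to_fw_0
    $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -A to_fw_0 -j DROP

    # ================ Table 'filter', rule set Policy
    #
    # Rule -6 VRRP (automatic)
    #
    echo "Rule -6 VRRP (automatic)"
    #
    $IPTABLES -A OUTPUT -o eth1 -p vrrp -d 224.0.0.18 -j ACCEPT
    #
    # Rule -5 VRRP (automatic)
    #
    echo "Rule -5 VRRP (automatic)"
    #
    $IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.3 -d 224.0.0.18 -j ACCEPT
    #
    # Rule -4 VRRP (automatic)
    #
    echo "Rule -4 VRRP (automatic)"
    #
    $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -j ACCEPT
    #
    # Rule -3 VRRP (automatic)
    #
    echo "Rule -3 VRRP (automatic)"
    #
    $IPTABLES -A INPUT -i eth0 -p vrrp -s 172.24.0.3 -d 224.0.0.18 -j ACCEPT
    #
    # Rule -2 CONNTRACK (automatic)
    #
    echo "Rule -2 CONNTRACK (automatic)"
    #
    $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT
    #
    # Rule -1 CONNTRACK (automatic)
    #
    echo "Rule -1 CONNTRACK (automatic)"
    #
    $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT
    #
    # Rule 0 (eth0)
    #
    echo "Rule 0 (eth0)"
    #
    # NOTE(review): this user rule accepts VRRP on eth0 from any source,
    # which makes the peer-restricted automatic rule -3 (-s 172.24.0.3)
    # above redundant; anything on the eth0 segment can now inject VRRP
    # advertisements.
    $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT
    #
    # Rule 1 (eth0)
    #
    echo "Rule 1 (eth0)"
    #
    # anti spoofing rule
    $IPTABLES -N In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1
    $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1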
$IPTABLES -A FORWARD -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (lo) # echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # All other attempts to connect to # the firewall are denied and logged $IPTABLES -N RULE_6 $IPTABLES -A OUTPUT -d 172.24.0.1 -j RULE_6 $IPTABLES -A OUTPUT -d 172.24.0.2 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.1.1 -j 
RULE_6 $IPTABLES -A OUTPUT -d 192.168.1.2 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.100.1 -j RULE_6 $IPTABLES -A INPUT -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " $IPTABLES -A RULE_6 -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_8 $IPTABLES -A INPUT -m state --state NEW -j RULE_8 $IPTABLES -A FORWARD -m state --state NEW -j RULE_8 $IPTABLES -A RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY " $IPTABLES -A RULE_8 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -j RULE_9 $IPTABLES -A INPUT -j RULE_9 $IPTABLES -A FORWARD -j RULE_9 $IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- DENY " $IPTABLES -A RULE_9 -j DROP # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z "$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." 
# delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below. # # Rule 1 (main) # echo "Routing rule 1 (main)" # # Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below. # # ============== EQUAL COST MULTI PATH ============ # echo "Activating ecmp routing rules..." # # Multipath Rule derived from the following routing rules: # # Rule 0 (main) # # Rule 1 (main) # # $IP route add 172.24.1.0/24 \ nexthop via 172.24.0.100 dev eth0 \ nexthop via 172.24.0.100 dev eth1 \ || route_command_error "1" restore_script_output echo "...done." } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/vrrp_cluster_1_linux-2.fw.orig000077500000000000000000000436541303637203600231330ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:42 2012 PDT by vadim # # files: * vrrp_cluster_1_linux-2.fw /etc/vrrp_cluster_1_linux-2.fw # # Compiled for iptables 1.4.0 # # vrrp_cluster_1:Routing:1: error: Object "gw1" used as gateway in the routing rule 1 (main) is not in the same local network as interface eth1 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo" for i in eth0 eth1 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 172.24.0.3/16" "172.24.0.1/16" update_addresses_of_interface "eth1 192.168.1.3/24" "192.168.1.1/24" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # ================ Table 'filter', rule set to_fw # # Rule to_fw 0 (global) # echo "Rule to_fw 0 (global)" # # hashlimit 20/sec $IPTABLES -N to_fw $IPTABLES -N to_fw_0 $IPTABLES -A to_fw 
-m hashlimit --hashlimit 20/second --hashlimit-name htable_rule_0 -j to_fw_0 $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A to_fw_0 -j DROP # ================ Table 'filter', rule set Policy # # Rule -6 VRRP (automatic) # echo "Rule -6 VRRP (automatic)" # $IPTABLES -A OUTPUT -o eth1 -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -5 VRRP (automatic) # echo "Rule -5 VRRP (automatic)" # $IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.2 -d 224.0.0.18 -j ACCEPT # # Rule -4 VRRP (automatic) # echo "Rule -4 VRRP (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -3 VRRP (automatic) # echo "Rule -3 VRRP (automatic)" # $IPTABLES -N Cid3009X69605.2.0 $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -j Cid3009X69605.2.0 $IPTABLES -A Cid3009X69605.2.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid3009X69605.2.0 -s 192.168.100.1 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.3 
-m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (lo) # echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # All other attempts to connect to # the firewall are denied and logged $IPTABLES -N RULE_6 $IPTABLES -A OUTPUT -d 172.24.0.1 -j RULE_6 $IPTABLES -A OUTPUT -d 172.24.0.3 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.1.1 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.1.3 -j RULE_6 $IPTABLES -A INPUT -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info 
--log-prefix "RULE 6 -- DENY " $IPTABLES -A RULE_6 -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_8 $IPTABLES -A INPUT -m state --state NEW -j RULE_8 $IPTABLES -A FORWARD -m state --state NEW -j RULE_8 $IPTABLES -A RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY " $IPTABLES -A RULE_8 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -j RULE_9 $IPTABLES -A INPUT -j RULE_9 $IPTABLES -A FORWARD -j RULE_9 $IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- DENY " $IPTABLES -A RULE_9 -j DROP # ============== ROUTING RULES ============== HAVE_MKTEMP=$(which mktemp) test -n "$HAVE_MKTEMP" && { TMPDIRNAME=$(mktemp -d) test -z "$TMPDIRNAME" && exit 1 } test -z "$HAVE_MKTEMP" && { TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$" (umask 077 && mkdir $TMPDIRNAME) || exit 1 } TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" OLD_ROUTES="$TMPDIRNAME/.old_routes" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." 
# delete current routing rules $IP route show | while read route ; do $IP route del $route ; done # restore old routing rules sh $OLD_ROUTES echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 # store previous routing configuration (sort: 'via' GW has to be # inserted after device routes) $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES echo "Deleting routing rules previously set by user space processes..." $IP route show | grep -v '\( proto kernel \)\|\(default via \)' | \ while read route ; do $IP route del $route ; done echo "Activating non-ecmp routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below. # # Rule 1 (main) # echo "Routing rule 1 (main)" # # Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below. # # ============== EQUAL COST MULTI PATH ============ # echo "Activating ecmp routing rules..." # # Multipath Rule derived from the following routing rules: # # Rule 0 (main) # # Rule 1 (main) # # $IP route add 172.24.1.0/24 \ nexthop via 172.24.0.100 dev eth0 \ nexthop via 172.24.0.100 dev eth1 \ || route_command_error "1" restore_script_output echo "...done." } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/vrrp_cluster_2_linux-1.fw.orig000077500000000000000000000447571303637203600231400ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:42 2012 PDT by vadim # # files: * vrrp_cluster_2_linux-1.fw /etc/vrrp_cluster_2_linux-1.fw # # Compiled for iptables 1.4.0 # # FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP find_program $VCONFIG } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@" set $vlan subint=$1 parent=$2 IFS=$oldIFS vlan_id=$(echo $subint | sed -r 's/(vlan|[^.]*\.)//') test "$cmd" = "add" && { echo $subint | grep -q "vlan" && name_type="VLAN_PLUS_VID" || name_type="DEV_PLUS_VID" test "$vlan_id" \< "1" || name_type="${name_type}_NO_PAD" echo "# Adding VLAN interface $subint (parent: $parent)" $FWBDEBUG $VCONFIG set_name_type $name_type $FWBDEBUG $VCONFIG $cmd $parent $vlan_id $FWBDEBUG $IP link set $subint up } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (parent: $parent)" $FWBDEBUG $VCONFIG $cmd $subint } } parse_fwb_vlans() { set $1 vlan_parent_interface=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent_interface" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent_interface=$1 CURRENT_VLANS="" PROC_DIR="/proc/net/vlan/" test -d $PROC_DIR || $MODPROBE 8021q || { echo "$PROC_DIR does not exist. Vlan interfaces are not available." exit 1 } test -f "/proc/net/vlan/config" && { CURRENT_VLANS=$( cat /proc/net/vlan/config | grep -v 'Dev name' | grep $vlan_parent_interface | \ while read subint a vlan_id b parent; do echo "${subint}@$parent" done | sort ) } echo $CURRENT_VLANS } update_vlans_of_interface() { args="$1" set $1 vlan_parent_interface=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface) $IP link set $vlan_parent_interface up diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } add_vlans() { args="$1" set $1 vlan_parent_interface=$1 FWB_VLANS=$(parse_fwb_vlans $args) CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface) $IP link set $vlan_parent_interface up diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add } clear_vlans_except_known() { FWB_VLANS=$* CURRENT_VLANS=$(parse_current_vlans '|') diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } check_file() { test -r "$2" || { echo "Can not 
find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo eth0.100" for i in eth0 eth1 lo eth0.100 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_vlans_of_interface "eth0 eth0.100" clear_vlans_except_known eth0.100@eth0 update_addresses_of_interface "eth0 172.24.0.2/16" "172.24.0.1/24" update_addresses_of_interface "eth1 192.168.1.2/24" "192.168.1.1/24" update_addresses_of_interface "lo 127.0.0.1/8" "" update_addresses_of_interface "eth0.100 192.168.100.1/24" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # ================ Table 'filter', rule set to_fw # # Rule to_fw 0 (global) # echo 
"Rule to_fw 0 (global)" # # hashlimit 10/sec $IPTABLES -N to_fw $IPTABLES -N to_fw_0 $IPTABLES -A to_fw -m hashlimit --hashlimit 10/second --hashlimit-name htable_rule_0 -j to_fw_0 $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A to_fw_0 -j DROP # ================ Table 'filter', rule set Policy # # Rule -8 VRRP (automatic) # echo "Rule -8 VRRP (automatic)" # $IPTABLES -A OUTPUT -o eth1 -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -7 VRRP (automatic) # echo "Rule -7 VRRP (automatic)" # $IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.4 -d 224.0.0.18 -j ACCEPT # # Rule -6 VRRP (automatic) # echo "Rule -6 VRRP (automatic)" # $IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.3 -d 224.0.0.18 -j ACCEPT # # Rule -5 VRRP (automatic) # echo "Rule -5 VRRP (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -4 VRRP (automatic) # echo "Rule -4 VRRP (automatic)" # $IPTABLES -A INPUT -i eth0 -p vrrp -s 172.24.0.4 -d 224.0.0.18 -j ACCEPT # # Rule -3 VRRP (automatic) # echo "Rule -3 VRRP (automatic)" # $IPTABLES -A INPUT -i eth0 -p vrrp -s 172.24.0.3 -d 224.0.0.18 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 
192.168.1.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.100.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (lo) # echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -N Cid5188X25627.0 $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid5188X25627.0 $IPTABLES -A Cid5188X25627.0 -d 192.168.1.3 -j ACCEPT $IPTABLES -A Cid5188X25627.0 -d 192.168.1.4 -j ACCEPT $IPTABLES -N Cid5188X25627.1 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid5188X25627.1 $IPTABLES -A Cid5188X25627.1 -d 192.168.1.3 -j ACCEPT $IPTABLES -A Cid5188X25627.1 -d 192.168.1.4 -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT 
-p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # All other attempts to connect to # the firewall are denied and logged $IPTABLES -N RULE_6 $IPTABLES -A OUTPUT -d 172.24.0.1 -j RULE_6 $IPTABLES -A OUTPUT -d 172.24.0.2 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.1.1 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.1.2 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.100.1 -j RULE_6 $IPTABLES -A INPUT -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " $IPTABLES -A RULE_6 -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_8 $IPTABLES -A INPUT -m state --state NEW -j RULE_8 $IPTABLES -A FORWARD -m state --state NEW -j RULE_8 $IPTABLES -A RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY " $IPTABLES -A RULE_8 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -j RULE_9 $IPTABLES -A INPUT -j RULE_9 $IPTABLES -A FORWARD -j RULE_9 $IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- DENY " $IPTABLES -A RULE_9 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! 
-e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/vrrp_cluster_2_linux-2.fw.orig000077500000000000000000000377211303637203600231320ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:42 2012 PDT by vadim # # files: * vrrp_cluster_2_linux-2.fw /etc/vrrp_cluster_2_linux-2.fw # # Compiled for iptables 1.4.0 # FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo" for i in eth0 eth1 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 172.24.0.3/16" "172.24.0.1/24" update_addresses_of_interface "eth1 192.168.1.3/24" "192.168.1.1/24" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # ================ Table 'filter', rule set to_fw # # Rule to_fw 0 (global) # echo "Rule to_fw 0 (global)" # # hashlimit 20/sec $IPTABLES -N to_fw $IPTABLES -N to_fw_0 $IPTABLES -A to_fw 
-m hashlimit --hashlimit 20/second --hashlimit-name htable_rule_0 -j to_fw_0 $IPTABLES -A to_fw_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A to_fw_0 -j DROP # ================ Table 'filter', rule set Policy # # Rule -8 VRRP (automatic) # echo "Rule -8 VRRP (automatic)" # $IPTABLES -A OUTPUT -o eth1 -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -7 VRRP (automatic) # echo "Rule -7 VRRP (automatic)" # $IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.4 -d 224.0.0.18 -j ACCEPT # # Rule -6 VRRP (automatic) # echo "Rule -6 VRRP (automatic)" # $IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.2 -d 224.0.0.18 -j ACCEPT # # Rule -5 VRRP (automatic) # echo "Rule -5 VRRP (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -4 VRRP (automatic) # echo "Rule -4 VRRP (automatic)" # $IPTABLES -A INPUT -i eth0 -p vrrp -s 172.24.0.4 -d 224.0.0.18 -j ACCEPT # # Rule -3 VRRP (automatic) # echo "Rule -3 VRRP (automatic)" # $IPTABLES -N Cid3009X69605.2.0 $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -j Cid3009X69605.2.0 $IPTABLES -A Cid3009X69605.2.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid3009X69605.2.0 -s 192.168.100.1 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j 
In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.3 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (lo) # echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.3 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -N Cid5188X25627.0 $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid5188X25627.0 $IPTABLES -A Cid5188X25627.0 -d 192.168.1.2 -j ACCEPT $IPTABLES -A Cid5188X25627.0 -d 192.168.1.4 -j ACCEPT $IPTABLES -N Cid5188X25627.1 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid5188X25627.1 $IPTABLES -A Cid5188X25627.1 -d 192.168.1.2 -j ACCEPT $IPTABLES -A Cid5188X25627.1 -d 192.168.1.4 -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A OUTPUT -p udp -m udp -d 
192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # All other attempts to connect to # the firewall are denied and logged $IPTABLES -N RULE_6 $IPTABLES -A OUTPUT -d 172.24.0.1 -j RULE_6 $IPTABLES -A OUTPUT -d 172.24.0.3 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.1.1 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.1.3 -j RULE_6 $IPTABLES -A INPUT -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " $IPTABLES -A RULE_6 -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_8 $IPTABLES -A INPUT -m state --state NEW -j RULE_8 $IPTABLES -A FORWARD -m state --state NEW -j RULE_8 $IPTABLES -A RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY " $IPTABLES -A RULE_8 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -j RULE_9 $IPTABLES -A INPUT -j RULE_9 $IPTABLES -A FORWARD -j RULE_9 $IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- DENY " $IPTABLES -A RULE_9 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? 
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/ipt/vrrp_cluster_2_linux-3.fw.orig000077500000000000000000000362761303637203600231370ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_ipt v5.0.2.3596 # # Generated Sun Mar 18 21:17:42 2012 PDT by vadim # # files: * vrrp_cluster_2_linux-3.fw /etc/vrrp_cluster_2_linux-3.fw # # Compiled for iptables (any version) # FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! 
.*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down 
done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo" for i in eth0 eth1 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "eth0 172.24.0.4/16" "172.24.0.1/24" update_addresses_of_interface "eth1 192.168.1.4/24" "192.168.1.1/24" update_addresses_of_interface "lo 127.0.0.1/8" "" } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # ================ Table 'filter', rule set Policy # # Rule -6 VRRP (automatic) # echo "Rule -6 VRRP (automatic)" # $IPTABLES -A OUTPUT -o eth1 -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -5 
VRRP (automatic) # echo "Rule -5 VRRP (automatic)" # $IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.3 -d 224.0.0.18 -j ACCEPT # # Rule -4 VRRP (automatic) # echo "Rule -4 VRRP (automatic)" # $IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.2 -d 224.0.0.18 -j ACCEPT # # Rule -3 VRRP (automatic) # echo "Rule -3 VRRP (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -2 VRRP (automatic) # echo "Rule -2 VRRP (automatic)" # $IPTABLES -A INPUT -i eth0 -p vrrp -s 172.24.0.3 -d 224.0.0.18 -j ACCEPT # # Rule -1 VRRP (automatic) # echo "Rule -1 VRRP (automatic)" # $IPTABLES -N Cid8278X18284.0.0 $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -j Cid8278X18284.0.0 $IPTABLES -A Cid8278X18284.0.0 -s 172.24.0.2 -j ACCEPT $IPTABLES -A Cid8278X18284.0.0 -s 192.168.100.1 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # $IPTABLES -A INPUT -i eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) # echo "Rule 1 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 172.24.0.4 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.4 -m state --state NEW -j In_RULE_1 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.4 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.4 -m state --state NEW -j In_RULE_1 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_1 $IPTABLES -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY " $IPTABLES -A In_RULE_1 -j DROP # # Rule 2 (lo) # 
echo "Rule 2 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.4 --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -N Cid5188X25627.0 $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid5188X25627.0 $IPTABLES -A Cid5188X25627.0 -d 192.168.1.2 -j ACCEPT $IPTABLES -A Cid5188X25627.0 -d 192.168.1.3 -j ACCEPT $IPTABLES -N Cid5188X25627.1 $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j Cid5188X25627.1 $IPTABLES -A Cid5188X25627.1 -d 192.168.1.2 -j ACCEPT $IPTABLES -A Cid5188X25627.1 -d 192.168.1.3 -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT " $IPTABLES -A RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # All other attempts to connect to # the firewall are denied and logged $IPTABLES -N RULE_6 $IPTABLES -A OUTPUT -d 172.24.0.1 -j RULE_6 $IPTABLES -A OUTPUT -d 172.24.0.4 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.1.1 -j RULE_6 $IPTABLES -A OUTPUT -d 192.168.1.4 -j RULE_6 $IPTABLES -A INPUT -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " $IPTABLES -A RULE_6 -j DROP # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -A INPUT -s 
192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 8 (global) # echo "Rule 8 (global)" # $IPTABLES -N RULE_8 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_8 $IPTABLES -A INPUT -m state --state NEW -j RULE_8 $IPTABLES -A FORWARD -m state --state NEW -j RULE_8 $IPTABLES -A RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY " $IPTABLES -A RULE_8 -j DROP # # Rule 9 (global) # echo "Rule 9 (global)" # $IPTABLES -N RULE_9 $IPTABLES -A OUTPUT -j RULE_9 $IPTABLES -A INPUT -j RULE_9 $IPTABLES -A FORWARD -j RULE_9 $IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- DENY " $IPTABLES -A RULE_9 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim" check_tools prolog_commands check_run_time_address_table_files load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? 
;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVALfwbuilder-5.3.7/test/pf/000077500000000000000000000000001303637203600151005ustar00rootroot00000000000000fwbuilder-5.3.7/test/pf/Makefile000066400000000000000000000007201303637203600165370ustar00rootroot00000000000000 FW_OBJECTS := $(shell fwbedit list -f objects-for-regression-tests.fwb -o /User/Firewalls -c -F%name% | sort) CL_OBJECTS := $(shell fwbedit list -f cluster-tests.fwb -o /User/Clusters -c -F%name% | sort) $(FW_OBJECTS): fwb_pf -f objects-for-regression-tests.fwb -xt $@ $(CL_OBJECTS): fwb_pf -f cluster-tests.fwb -xt -xc $@ .PHONY: all firewalls clusters $(FW_OBJECTS) $(CL_OBJECTS) all: firewalls clusters firewalls: $(FW_OBJECTS) clusters: $(CL_OBJECTS) fwbuilder-5.3.7/test/pf/addr-table-1.tbl000066400000000000000000000003041303637203600177350ustar00rootroot00000000000000# this is a comment # ; this should be a comment too ; 192.168.1.1 192.168.1.2/32 192.168.1.3/30 192.168.2.128/25 192.168.1.200/32 # comment again 192.168.1.201/32 # this should work, too fwbuilder-5.3.7/test/pf/block-hosts.tbl000066400000000000000000000015771303637203600200450ustar00rootroot00000000000000# # use this table to test run-time AddressTable object # (this is just a small collection of addresses that sent spam to me # on Nov 20 2005) # 151.8.224.178 168.156.76.20 193.207.126.36 195.136.186.35 196.15.136.15 201.10.180.138 201.17.93.16 201.36.156.121 202.103.25.253 202.96.112.93 203.162.3.209 203.209.124.144 210.106.193.237 210.222.114.102 211.144.143.143 211.172.218.237 211.250.16.132 212.100.212.100 212.21.241.31 218.104.138.146 218.18.72.252 218.39.114.122 218.55.115.43 219.132.104.160 220.71.17.86 220.81.50.105 220.91.99.46 221.14.249.242 221.166.177.135 
221.198.33.38 221.202.160.233 221.205.54.125 221.217.44.248 222.100.212.223 222.121.118.144 222.174.113.2 58.231.13.78 58.33.181.83 58.53.82.190 61.150.47.112 61.184.14.102 64.106.85.186 70.228.60.100 80.243.72.149 80.249.77.34 80.51.236.6 81.196.74.125 81.2.36.254 82.117.221.205 82.143.196.17 82.77.37.174 84.90.8.198 fwbuilder-5.3.7/test/pf/cluster-tests.fwb000066400000000000000000010420321303637203600204230ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/test/pf/do-diff000077500000000000000000000002331303637203600163340ustar00rootroot00000000000000#!/bin/sh N=$1 if which opendiff > /dev/null; then TOOL="opendiff" else TOOL="tkdiff -b -B " fi ${TOOL} firewall${N}.conf.orig firewall${N}.conf fwbuilder-5.3.7/test/pf/firewall-base-rulesets-mail_server_inbound.conf.orig000066400000000000000000000004541303637203600273160ustar00rootroot00000000000000# # Rule mail_server_inbound 0 (global) pass in quick inet proto tcp from any to any port 25 keep state label "RULE 0 -- ACCEPT " # # Rule mail_server_inbound 1 (global) pass in quick inet proto icmp from any to any icmp-type { 3 , 8 code 0 } keep state label "RULE 1 -- ACCEPT " fwbuilder-5.3.7/test/pf/firewall-base-rulesets-mail_server_outbound.conf.orig000066400000000000000000000006271303637203600275210ustar00rootroot00000000000000# # Rule mail_server_outbound 0 (global) pass out quick inet proto tcp from any to any port { 53, 25 } keep state label "RULE 0 -- ACCEPT " pass out quick inet proto udp from any to any port 53 keep state label "RULE 0 -- ACCEPT " # # Rule mail_server_outbound 1 (global) pass out quick inet proto icmp from any to any icmp-type { 3 , 8 code 0 } keep state label "RULE 1 -- ACCEPT " 
fwbuilder-5.3.7/test/pf/firewall-base-rulesets-web_server_inbound.conf.orig000066400000000000000000000004521303637203600271470ustar00rootroot00000000000000# # Rule web_server_inbound 0 (global) pass in quick inet proto tcp from any to any port 80 keep state label "RULE 0 -- ACCEPT " # # Rule web_server_inbound 1 (global) pass in quick inet proto icmp from any to any icmp-type { 3 , 8 code 0 } keep state label "RULE 1 -- ACCEPT " fwbuilder-5.3.7/test/pf/firewall-base-rulesets-web_server_outbound.conf.orig000066400000000000000000000006151303637203600273510ustar00rootroot00000000000000# # Rule web_server_outbound 0 (global) pass out quick inet proto icmp from any to any icmp-type { 3 , 8 code 0 } keep state label "RULE 0 -- ACCEPT " # # Rule web_server_outbound 1 (global) pass out quick inet proto tcp from any to any port 53 keep state label "RULE 1 -- ACCEPT " pass out quick inet proto udp from any to any port 53 keep state label "RULE 1 -- ACCEPT " fwbuilder-5.3.7/test/pf/firewall-base-rulesets.conf.orig000066400000000000000000000007551303637203600232760ustar00rootroot00000000000000 # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE -1 -- DROP " load anchor mail_server_inbound from "/etc/fw/firewall-base-rulesets-mail_server_inbound.conf" load anchor mail_server_outbound from "/etc/fw/firewall-base-rulesets-mail_server_outbound.conf" load anchor web_server_inbound from "/etc/fw/firewall-base-rulesets-web_server_inbound.conf" load anchor web_server_outbound from "/etc/fw/firewall-base-rulesets-web_server_outbound.conf" fwbuilder-5.3.7/test/pf/firewall-base-rulesets.fw.orig000077500000000000000000000102511303637203600227600ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:30 2011 PST by vadim # # files: * firewall-base-rulesets.fw /etc/fw/firewall-base-rulesets.fw # files: firewall-base-rulesets.conf /etc/fw/firewall-base-rulesets.conf # files: firewall-base-rulesets-web_server_inbound.conf /etc/fw/firewall-base-rulesets-web_server_inbound.conf # files: firewall-base-rulesets-mail_server_inbound.conf /etc/fw/firewall-base-rulesets-mail_server_inbound.conf # files: firewall-base-rulesets-mail_server_outbound.conf /etc/fw/firewall-base-rulesets-mail_server_outbound.conf # files: firewall-base-rulesets-web_server_outbound.conf /etc/fw/firewall-base-rulesets-web_server_outbound.conf # # Compiled for pf # # this firewall is used to test a rule in the global policy of object "firewall" FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "en0 33.33.33.33/0xffffff00" "" update_addresses_of_interface "en1 172.16.1.1/0xffffff00" "" 
update_addresses_of_interface "en2 192.168.100.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:30 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall-base-rulesets.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall-ipv6-1-Policy_ipv4.conf.orig000066400000000000000000000001601303637203600237270ustar00rootroot00000000000000# # Rule Policy_ipv4 0 (lo) pass quick on lo inet from any to any keep state label "RULE 0 -- ACCEPT " fwbuilder-5.3.7/test/pf/firewall-ipv6-1.conf.orig000066400000000000000000000104671303637203600215430ustar00rootroot00000000000000 # Tables: (2) table { 2001:5c0:0:2::24 , 3ffe:1200:2000::/36 , 3ffe:1200:2001:1:8000::1 } table { 2001:5c0:0:2::24 , 3ffe:1200:2001:1:8000::1 } # Policy compiler errors and warnings: # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it # firewall-ipv6-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall-ipv6-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall-ipv6-1:Policy:3: warning: Changing rule direction due to self reference # firewall-ipv6-1:Policy:6: warning: Changing rule direction due to self reference # firewall-ipv6-1:Policy:7: 
warning: Changing rule direction due to self reference # # Rule 0 (lo) pass quick on lo inet6 from any to any keep state label "RULE 0 -- ACCEPT " # # Rule 1 (global) # this rule shadows the next. # Note that we add command line # flag -xt to the compiler pass quick inet6 proto tcp from fe80::/64 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 1 -- ACCEPT " # # Rule 2 (global) # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it pass quick inet6 proto tcp from 2001:5c0:0:2::24 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 2 -- ACCEPT " # # Rule 3 (global) # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it # firewall-ipv6-1:Policy:3: warning: Changing rule direction due to self reference pass in log quick inet6 proto tcp from 3ffe:1200:2001:1:8000::1 to self port 22 keep state label "RULE 3 -- ACCEPT " # # Rule 4 (global) # firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it pass log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 4 -- ACCEPT " # # Rule 5 (global) pass log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 5 -- ACCEPT " # # Rule 6 (global) # firewall-ipv6-1:Policy:6: warning: Changing rule direction due to self reference pass in log quick inet6 proto tcp from to self port 22 keep state label "RULE 6 -- ACCEPT " # # Rule 7 (global) # 
firewall-ipv6-1:Policy:7: warning: Changing rule direction due to self reference pass in log quick inet6 proto tcp from to self port 22 keep state label "RULE 7 -- ACCEPT " # # Rule 8 (global) pass in log quick inet6 from any to self keep state label "RULE 8 -- ACCEPT " # # Rule 9 (global) pass log quick inet6 from fe80::/64 to any keep state label "RULE 9 -- ACCEPT " # # Rule 10 (global) # firewall-ipv6-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it pass log quick inet6 from to any keep state label "RULE 10 -- ACCEPT " # # Rule 11 (global) pass log quick inet6 from to any keep state label "RULE 11 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet6 from any to any label "RULE 10000 -- DROP " load anchor Policy_ipv4 from "/etc/firewall-ipv6-1-Policy_ipv4.conf" fwbuilder-5.3.7/test/pf/firewall-ipv6-1.fw.orig000077500000000000000000000117111303637203600212260ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:30 2011 PST by vadim # # files: * firewall-ipv6-1.fw pf-ipv6.fw # files: firewall-ipv6-1.conf /etc/fw/pf-ipv6.conf # files: firewall-ipv6-1-Policy_ipv4.conf /etc/firewall-ipv6-1-Policy_ipv4.conf # # Compiled for pf # # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it # firewall-ipv6-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall-ipv6-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall-ipv6-1:Policy:3: warning: Changing rule direction due to self reference # firewall-ipv6-1:Policy:6: warning: Changing rule direction due to self reference # firewall-ipv6-1:Policy:7: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 
interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 $SYSCTL -w net.inet6.ip6.forwarding=1 } prolog_commands() { : } 
epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/0xffffff00" "" update_addresses_of_interface "lo ::1/128 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Wed Nov 30 18:39:30 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/pf-ipv6.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall-ipv6-2.conf.orig000066400000000000000000000137551303637203600215470ustar00rootroot00000000000000 # Tables: (5) table { 222.222.222.22 , 222.222.222.23 } table { 2001:5c0:0:2::24 , 3ffe:1200:2000::/36 , 3ffe:1200:2001:1:8000::1 } table { 61.150.47.112 , 74.125.224.144 , 74.125.224.145 , 74.125.224.146 , 74.125.224.147 , 74.125.224.148 , 192.168.1.0 } table { 2001:5c0:0:2::24 , 3ffe:1200:2001:1:8000::1 } table { 61.150.47.112 , 192.168.1.0 } # Policy compiler errors and warnings: # firewall-ipv6-2:Policy:5: error: Rule '5 (global)' shadows rule '7 (global)' below it # firewall-ipv6-2:Policy:5: error: Rule '5 (global)' shadows rule '7 (global)' below it # firewall-ipv6-2:Policy:7: warning: Changing rule direction due to self reference # # Rule 0 (lo) pass quick on lo inet from any to any keep state label "RULE 0 -- ACCEPT " # # Rule 4 (global) pass log quick inet proto tcp from to 1.1.1.1 port 22 keep state label "RULE 4 -- ACCEPT " # # Rule 5 (global) # firewall-ipv6-2:Policy:5: error: Rule '5 (global)' shadows rule '7 (global)' below it pass log quick inet proto tcp from to 1.1.1.1 port 22 keep state label "RULE 5 -- ACCEPT " # # Rule 7 (global) # firewall-ipv6-2:Policy:7: warning: Changing rule direction due to self reference pass in log quick inet proto tcp from to self port 22 keep state label "RULE 7 -- ACCEPT " # # Rule 8 (global) pass in log quick inet from any to self keep state label "RULE 8 -- ACCEPT " # # Rule 11 (global) pass log quick inet from to any keep state label "RULE 11 -- ACCEPT " 
# # Rule 12 (global) pass quick inet proto icmp from any to any icmp-type 8 code 0 keep state label "RULE 12 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP " # Policy compiler errors and warnings: # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it # firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall-ipv6-2:Policy:3: warning: Changing rule direction due to self reference # firewall-ipv6-2:Policy:6: warning: Changing rule direction due to self reference # firewall-ipv6-2:Policy:7: warning: Changing rule direction due to self reference # # Rule 0 (lo) pass quick on lo inet6 from any to any keep state label "RULE 0 -- ACCEPT " # # Rule 1 (global) # this rule shadows the next. 
# Note that we add command line # flag -xt to the compiler pass quick inet6 proto tcp from fe80::/64 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 1 -- ACCEPT " # # Rule 2 (global) # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it pass quick inet6 proto tcp from 2001:5c0:0:2::24 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 2 -- ACCEPT " # # Rule 3 (global) # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it # firewall-ipv6-2:Policy:3: warning: Changing rule direction due to self reference pass in log quick inet6 proto tcp from 3ffe:1200:2001:1:8000::1 to self port 22 keep state label "RULE 3 -- ACCEPT " # # Rule 4 (global) # firewall-ipv6-2:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it pass log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 4 -- ACCEPT " # # Rule 5 (global) pass log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 5 -- ACCEPT " # # Rule 6 (global) # firewall-ipv6-2:Policy:6: warning: Changing rule direction due to self reference pass in log quick inet6 proto tcp from to self port 22 keep state label "RULE 6 -- ACCEPT " # # Rule 7 (global) # firewall-ipv6-2:Policy:7: warning: Changing rule direction due to self reference pass in log quick inet6 proto tcp from to self port 22 keep state label "RULE 7 -- ACCEPT " # # Rule 8 (global) pass in 
log quick inet6 from any to self keep state label "RULE 8 -- ACCEPT " # # Rule 9 (global) pass log quick inet6 from fe80::/64 to any keep state label "RULE 9 -- ACCEPT " # # Rule 10 (global) # firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it pass log quick inet6 from to any keep state label "RULE 10 -- ACCEPT " # # Rule 11 (global) pass log quick inet6 from to any keep state label "RULE 11 -- ACCEPT " # # Rule 12 (global) pass quick inet6 proto icmp6 from any to any keep state label "RULE 12 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet6 from any to any label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall-ipv6-2.fw.orig000077500000000000000000000122021303637203600212230ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:31 2011 PST by vadim # # files: * firewall-ipv6-2.fw pf.fw # files: firewall-ipv6-2.conf pf.conf # # Compiled for pf # # Combined ipv4/ipv6 policy ruleset # firewall-ipv6-2:Policy:5: error: Rule '5 (global)' shadows rule '7 (global)' below it # firewall-ipv6-2:Policy:5: error: Rule '5 (global)' shadows rule '7 (global)' below it # firewall-ipv6-2:Policy:7: warning: Changing rule direction due to self reference # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' 
shadows rule '7 (global)' below it # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it # firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall-ipv6-2:Policy:3: warning: Changing rule direction due to self reference # firewall-ipv6-2:Policy:6: warning: Changing rule direction due to self reference # firewall-ipv6-2:Policy:7: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 $SYSCTL -w net.inet6.ip6.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 
1.1.1.1/0xffffff00" "" update_addresses_of_interface "lo ::1/128 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Wed Nov 30 18:39:31 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall-ipv6-3-Policy_ipv4.conf.orig000066400000000000000000000001621303637203600237330ustar00rootroot00000000000000# # Rule Policy_ipv4 0 (lo0) pass quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT " fwbuilder-5.3.7/test/pf/firewall-ipv6-3.conf.orig000066400000000000000000000004401303637203600215330ustar00rootroot00000000000000 # # Rule 0 (lo0) pass quick on lo0 inet6 from any to any keep state label "RULE 0 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet6 from any to any label "RULE 10000 -- DROP " load anchor Policy_ipv4 from "/etc/firewall-ipv6-3-Policy_ipv4.conf" fwbuilder-5.3.7/test/pf/firewall-ipv6-3.fw.orig000077500000000000000000000021631303637203600212310ustar00rootroot00000000000000# # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:31 2011 PST by vadim # # files: * firewall-ipv6-3.fw /etc/firewall-ipv6-3.fw # files: firewall-ipv6-3.conf /etc/firewall-ipv6-3.conf # files: firewall-ipv6-3-Policy_ipv4.conf /etc/firewall-ipv6-3-Policy_ipv4.conf # # Compiled for pf # gateway_enable="YES" ipv6_gateway_enable="YES" cloned_interfaces="vlan100 vlan101" ipv6_network_interfaces="ed0 lo0" network_interfaces="ed0 lo0 vlan100 vlan101" ifconfig_ed0="1.1.1.1 netmask 0xffffff00" ifconfig_ed0="fe80::21d:9ff:fe8b:8e94/64" ifconfig_ed0_alias0="10.10.10.1 netmask 0xffffff00" ifconfig_ed0_alias0="2001:db8::1/64" ifconfig_ed0_alias1="10.10.10.2 netmask 0xffffff00" ifconfig_ed0_alias1="2001:db8::2/64" vlans_ed1="vlan100 vlan101" create_args_vlan100="vlan 100 vlandev ed1" create_args_vlan101="vlan 101 vlandev ed1" ifconfig_lo0="127.0.0.1 netmask 0xff000000" ifconfig_lo0="::1/128" ifconfig_vlan100="172.16.1.1 netmask 0xfffffff0" ifconfig_vlan101="172.16.2.1 netmask 0xfffffff0" pf_enable="YES" pf_rules="/etc/firewall-ipv6-3.conf" fwbuilder-5.3.7/test/pf/firewall.conf.orig000066400000000000000000000141761303637203600205240ustar00rootroot00000000000000 set limit { frags 4000, states 10000, src-nodes 1000, tables 1000, table-entries 1000000 } set timeout interval 15 set timeout frag 40 set timeout tcp.first 120 set timeout tcp.opening 120 set timeout tcp.established 86400 set timeout tcp.closing 60 set timeout tcp.finwait 60 set timeout tcp.closed 30 set timeout udp.first 10 set timeout udp.single 10 set timeout udp.multiple 10 set timeout icmp.first 10 set timeout icmp.error 10 set timeout other.first 10 set timeout other.single 10 set timeout other.multiple 10 set timeout adaptive.start 6000 set timeout adaptive.end 12000 # # Scrub rules # scrub in all fragment reassemble # Tables: (3) table { 192.168.1.11 , 192.168.1.12/30 } table { 192.168.1.1 , 222.222.222.222 } table { 211.11.11.11 , 211.22.22.22 } # # Rule 0 (NAT) nat on eth1 from 192.168.1.0/24 
to any -> (eth1) nat on eth0 from 192.168.1.0/24 to any -> (eth0) # # Rule 2 (NAT) rdr proto tcp from any to port 25 -> 192.168.1.10 port 25 # # Rule 3 (NAT) rdr proto tcp from any to any port 80 -> 127.0.0.1 port 3128 # Policy compiler errors and warnings: # firewall:Policy:18: error: Rule '18 (global)' shadows rule '21 (global)' below it # firewall:Policy:20: error: Rule '20 (global)' shadows rule '22 (global)' below it # firewall:Policy:20: error: Rule '20 (global)' shadows rule '23 (global)' below it # firewall:Policy:3: warning: Changing rule direction due to self reference # firewall:Policy:18: warning: Changing rule direction due to self reference # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 192.168.1.100 to self port 22 flags S/SA modulate state label "RULE -1 - ACCEPT" # # Rule 0 (eth1) block in log quick on eth1 inet from any to self fragment label "RULE 0 - DROP" # # Rule 1 (eth1) # Automatically generated rule blocking short fragments block in log quick on eth1 inet from any to any fragment label "RULE 1 - DROP" # # Rule 2 (eth1) # Automatically generated anti-spoofing rule block in log quick on eth1 inet from self to any label "RULE 2 - DROP" block in log quick on eth1 inet from 192.168.1.0/24 to any label "RULE 2 - DROP" # # Rule 3 (eth0) # комментарий по-русски, Проверяем конвертацию в Utf-8 # firewall:Policy:3: warning: Changing rule direction due to self reference pass in quick on eth0 inet proto udp from 192.168.1.0/24 to self port 53 keep state label "RULE 3 - ACCEPT" # # Rule 4 (eth0) # code should go into INPUT chain with # address in destination for comparison block in log quick on eth0 inet proto udp from any to 192.168.1.255 port 53 label "RULE 4 - DROP" # # Rule 5 (global) block log quick inet proto tcp from any to any flags S/UAPRSF label "** RULE 5" block log quick inet proto tcp from any to any flags ARSF/UAPRSF label "** RULE 5" # # Rule 6 (global) block log quick inet from any to any label 
"RULE 6 - DROP" # # Rule 9 (global) # this rule is limited to 4 simultaneous # connections by rule options pass quick inet proto tcp from to 192.168.1.10 port 53 flags S/SA modulate state ( max 4 ) label "RULE 9 - ACCEPT" # # Rule 10 (global) pass quick inet proto tcp from 33.33.33.0/24 port 20 to 192.168.1.10 port >= 1024 flags S/SA modulate state label "RULE 10 - ACCEPT" pass quick inet proto tcp from 33.33.33.0/24 to 192.168.1.10 port { 113, 80, 443, 143, 25, 22, 540 } flags S/SA modulate state label "RULE 10 - ACCEPT" # # Rule 11 (global) pass quick inet proto tcp from any to 192.168.1.10 port { 113, 13, 53, 2105, 21, 70, 80, 443, 143, 993, 6667, 6667, 543, 544, 389, 98, 3306, 2049, 119, 110, 5432, 515, 26000, 512, 513, 514, 4321, 25, 465, 1080, 3128, 22, 111, 23, 9999 >< 11001, 540, 7100 } flags S/SA modulate state ( max-src-nodes 10, max-src-states 10, max-src-conn-rate 3/15 ) label "RULE 11 - ACCEPT" # # Rule 12 (global) pass quick inet proto tcp from any to port { 113, 80, 443, 143, 25, 3128, 22, 540 } flags S/SA modulate state ( max 10, max-src-nodes 75, max-src-states 2 ) label "RULE 12 - ACCEPT" # # Rule 14 (global) pass quick inet proto icmp from any to 192.168.1.0/24 icmp-type { 3 , 0 code 0 , 11 code 0 , 11 code 1 } keep state label "RULE 14 - ACCEPT" pass quick inet proto tcp from any to 192.168.1.0/24 port 3128 flags S/SA modulate state label "RULE 14 - ACCEPT" # # Rule 16 (global) pass quick inet from any to 192.168.1.10 keep state label "RULE 16 - ACCEPT" # # Rule 18 (global) # Automatically generated 'masquerading' rule # firewall:Policy:18: error: Rule '18 (global)' shadows rule '21 (global)' below it # firewall:Policy:18: warning: Changing rule direction due to self reference pass out quick inet from self to any keep state label "RULE 18 - ACCEPT" pass quick inet from 192.168.1.0/24 to any keep state label "RULE 18 - ACCEPT" # # Rule 19 (global) # test for bug 1111267: "CustomService should specify protocol and parameters for it" # Should 
generate "proto { tcp udp icmp gre}" pass quick inet proto {tcp udp icmp gre} from any to any keep state label "RULE 19 - ACCEPT" # # Rule 20 (global) # bug #2791950 "no way to generate "pass out" rule with no interface" # Interface field should be "any", direction "outbound" # firewall:Policy:20: error: Rule '20 (global)' shadows rule '22 (global)' below it # firewall:Policy:20: error: Rule '20 (global)' shadows rule '23 (global)' below it pass out quick inet from any to any keep state label "RULE 20 - ACCEPT" # # Rule 21 (global) # bug #2791950 "no way to generate "pass out" rule with no interface" # pass out quick inet from 192.168.1.0/24 to any keep state label "RULE 21 - ACCEPT" # # Rule 22 (global) # bug #2791950 "no way to generate "pass out" rule with no interface" # pass out quick inet from any to 192.168.1.0/24 keep state label "RULE 22 - ACCEPT" # # Rule 23 (global) # Automatically generated 'catch all' rule block log quick inet from any to any label "RULE 23 - DROP" # # Rule fallback rule # fallback rule block log quick inet from any to any label "RULE 10000 - DROP" fwbuilder-5.3.7/test/pf/firewall.fw.orig000077500000000000000000000103511303637203600202050ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:38:57 2011 PST by vadim # # files: * firewall.fw /etc/pf.fw # files: firewall.conf /etc/pf.conf # # Compiled for pf # # this is simple firewall with two interfaces. 
Test regular policy rules, including IP_fragments rule # firewall:Policy:18: error: Rule '18 (global)' shadows rule '21 (global)' below it # firewall:Policy:20: error: Rule '20 (global)' shadows rule '22 (global)' below it # firewall:Policy:20: error: Rule '20 (global)' shadows rule '23 (global)' below it # firewall:Policy:3: warning: Changing rule direction due to self reference # firewall:Policy:18: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.directed-broadcast=0 $SYSCTL -w net.inet.ip.forwarding=1 $SYSCTL -w net.inet.ip.sourceroute=0 $SYSCTL -w net.inet.ip.redirect=0 } prolog_commands() { : echo 'This is prolog script' } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 
} configure_interfaces() { : update_addresses_of_interface "eth0 192.168.1.1/0xffffff00" "" update_addresses_of_interface "eth1 222.222.222.222/0xffffff00" "" update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Wed Nov 30 18:38:57 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall1.conf.orig000066400000000000000000000134101303637203600205730ustar00rootroot00000000000000 # # Prolog script # # prolog: # some pf command at the very top of the .conf file goes here # # End of prolog script # # # Scrub rules # scrub in all fragment reassemble # Tables: (6) table { 22.22.22.22 , 192.168.1.1 } table { 192.168.1.10 , 192.168.1.20 } table { self , 192.168.2.0/24 } table { 33.33.33.0/24 , 33.33.44.0/24 } table { 192.168.1.0/24 , 192.168.2.0/24 } table { 22.22.22.22 , 22.22.23.23 , 192.168.1.1 , 192.168.2.1 } # # Rule 0 (NAT) no nat from 192.168.1.0/24 to 192.168.2.0/24 no rdr from 192.168.1.0/24 to 192.168.2.0/24 # # Rule 1 (NAT) nat from 192.168.1.10 to any -> 22.22.22.23 # # Rule 2 (NAT) nat from ! 192.168.1.0/24 to 200.200.200.200 -> 22.22.22.23 # # Rule 3 (NAT) nat on eth0 from 192.168.1.0/24 to any -> (eth0) nat on eth1 from 192.168.1.0/24 to any -> (eth1) nat on eth2 from 192.168.1.0/24 to any -> (eth2) nat on eth3 from 192.168.1.0/24 to any -> (eth3) # # Rule 4 (NAT) nat on eth1 from 192.168.1.0/24 to any -> (eth1) nat on eth3 from 192.168.1.0/24 to any -> (eth3) # # Rule 5 (NAT) # more examples # of NAT rules with # multiple objects in TSrc # in firewall3 nat from 192.168.1.0/24 to any -> { 22.22.22.50 , 22.22.22.51 } # # Rule 6 (NAT) nat on eth0 from 192.168.1.0/24 to ! 192.168.2.0/24 -> (eth0) nat on eth1 from 192.168.1.0/24 to ! 192.168.2.0/24 -> (eth1) nat on eth2 from 192.168.1.0/24 to ! 192.168.2.0/24 -> (eth2) nat on eth3 from 192.168.1.0/24 to ! 
192.168.2.0/24 -> (eth3) # # Rule 7 (NAT) nat on eth0 from 192.168.1.0/24 to ! -> (eth0) nat on eth1 from 192.168.1.0/24 to ! -> (eth1) nat on eth2 from 192.168.1.0/24 to ! -> (eth2) nat on eth3 from 192.168.1.0/24 to ! -> (eth3) # # Rule 8 (NAT) nat on eth0 from ! 192.168.2.0/24 to any -> (eth0) nat on eth1 from ! 192.168.2.0/24 to any -> (eth1) nat on eth2 from ! 192.168.2.0/24 to any -> (eth2) nat on eth3 from ! 192.168.2.0/24 to any -> (eth3) # # Rule 9 (NAT) rdr proto tcp from 192.168.1.0/24 to ! port 80 -> 127.0.0.1 port 3128 # # Rule 10 (NAT) rdr proto tcp from 192.168.1.0/24 to ! 192.168.1.1 port 80 -> 127.0.0.1 port 3128 # # Rule 11 (NAT) rdr proto tcp from to ! port 80 -> 127.0.0.1 port 3128 # # Rule 12 (NAT) rdr proto tcp from 192.168.1.0/24 to ! port 80 -> 127.0.0.1 port 3128 rdr proto tcp from 192.168.1.0/24 to ! port 81 -> 127.0.0.1 port 3128 # # Rule 13 (NAT) rdr proto tcp from 192.168.1.0/24 to ! port 80 -> 192.168.2.200 port 3128 rdr proto tcp from 192.168.1.0/24 to ! port 81 -> 192.168.2.200 port 3128 # # Rule 14 (NAT) rdr proto tcp from ! to port 80 -> 127.0.0.1 port 3128 # # Rule 15 (NAT) rdr proto tcp from ! 192.168.1.10 to any port 80 -> 127.0.0.1 port 3128 # # Rule 16 (NAT) rdr on eth1 proto tcp from to 22.22.22.22 port 80 -> 192.168.1.10 port 80 # Policy compiler errors and warnings: # firewall1:Policy:10: warning: Changing rule direction due to self reference # firewall1:Policy:18: warning: Changing rule direction due to self reference # # Rule 0 (eth0) block log quick on eth0 inet proto icmp from to ! block log quick on eth0 inet proto 50 from to ! # # Rule 1 (eth0) block quick on eth0 inet proto icmp from to ! block quick on eth0 inet proto 50 from to ! # # Rule 2 (eth1) # Anti-spoofing rule block in log quick on eth1 inet from self to any block in log quick on eth1 inet from 192.168.1.0/24 to any # # Rule 3 (eth1) # Anti-spoofing rule block out log quick on eth1 inet from ! 
192.168.1.0/24 to any # # Rule 4 (eth1) # testing rule shading: this rule is not # shaded by rule #1 pass in quick on eth1 inet proto icmp from any to any icmp-type 8 code 0 keep state # # Rule 5 (global) block log quick inet proto tcp from any to any flags S/UAPRSF # # Rule 7 (global) # hostF has the same IP address as firewal. pass log quick inet proto icmp from any to 192.168.1.1 icmp-type 8 code 0 keep state # # Rule 8 (global) # testing negation in the policy rule block log quick inet proto icmp from ! 192.168.1.10 to any icmp-type 3 # # Rule 9 (global) # testing negation in the policy rule block log quick inet proto icmp from ! to any icmp-type 3 # # Rule 10 (global) # this rule is shaded by rule above. # firewall1:Policy:10: warning: Changing rule direction due to self reference block in log quick inet proto icmp from ! to self icmp-type 3 # # Rule 11 (global) # this rule shades rule below block log quick inet from ! to 192.168.1.0/24 # # Rule 12 (global) block log quick inet from to ! # # Rule 13 (global) # testing negation in the policy rule block return-icmp log quick inet from 192.168.1.10 to any # # Rule 16 (global) block log quick inet proto icmp from to ! block log quick inet proto 50 from to ! # # Rule 17 (global) # 'masquerading' rule pass quick inet from 192.168.1.0/24 to any keep state # # Rule 18 (global) # firewall1:Policy:18: warning: Changing rule direction due to self reference pass in quick inet proto tcp from any to self port 3128 keep state # # Rule 19 (eth0) # rule from http://www.benzedrine.cx/transquid.html # Used to permit connections to transparent # squid proxy. 
Should be "in $int_if" but destination # is loopback interface pass in quick on eth0 inet proto tcp from any to 127.0.0.1 port 3128 keep state # # Rule 20 (global) # 'catch all' rule block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall1.fw.orig000077500000000000000000000027011303637203600202660ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:38:58 2011 PST by vadim # # files: * firewall1.fw /etc/fw/firewall1.fw # files: firewall1.conf /etc/fw/firewall1.conf # # Compiled for pf # # this object is used to test all kinds of negation in policy rules # Also using interface policy on eth1 to test specific case with negation and # rule shading depection # firewall1:Policy:10: warning: Changing rule direction due to self reference # firewall1:Policy:18: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:38:58 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall1.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall10-1.conf.orig000066400000000000000000000013601303637203600210120ustar00rootroot00000000000000 # # Scrub rules # scrub in all fragment reassemble # # Rule 1 (NAT) nat on eth0 from 192.168.1.0/24 to any -> (eth0) # # Rule backup ssh 
access rule # backup ssh access rule pass in quick inet proto tcp from 192.168.1.100 to self port 22 flags S/SA keep state # # Rule 0 (eth0) pass in quick on eth0 inet proto tcp from 192.168.1.0/24 to any port { 80, 22 } flags S/SA keep state # # Rule 1 (lo0) pass quick on lo0 inet from any to any # # Rule 2 (enc0) # via ipsec pass quick on enc0 inet proto tcp from 33.33.33.0/24 to 192.168.1.0/24 port 80 flags S/SA keep state # # Rule 3 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall10-1.fw.orig000077500000000000000000000022721303637203600205070ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:00 2011 PST by vadim # # files: * firewall10-1.fw /etc/fw/firewall10-1.fw # files: firewall10-1.conf /etc/fw/firewall10-1.conf # # Compiled for pf 3.x # # PF 3.x, testing # "flags S/SA keep state" FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:00 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall10-1.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall10-2.conf.orig000066400000000000000000000014211303637203600210110ustar00rootroot00000000000000 set skip on lo0 # # Scrub rules # scrub in all fragment reassemble # # Rule 1 (NAT) nat on eth0 from 192.168.1.0/24 to any -> (eth0) # # 
Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 192.168.1.100 to self port 22 modulate state # # Rule 0 (eth0) pass in quick on eth0 inet proto tcp from 192.168.1.0/24 to any port { 80, 22 } modulate state # # Rule 1 (lo0) pass quick on lo0 inet from any to any no state # # Rule 2 (enc0) # via ipsec pass quick on enc0 inet proto tcp from 33.33.33.0/24 to 192.168.1.0/24 port 80 keep state modulate state # # Rule 3 (global) block log quick inet from any to any no state # # Rule fallback rule # fallback rule block quick inet from any to any no state fwbuilder-5.3.7/test/pf/firewall10-2.fw.orig000077500000000000000000000022741303637203600205120ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:01 2011 PST by vadim # # files: * firewall10-2.fw /etc/fw/firewall10-2.fw # files: firewall10-2.conf /etc/fw/firewall10-2.conf # # Compiled for pf 4.0 # # PF 4.x, testing # "flags S/SA keep state" FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:01 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall10-2.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall10-3.conf.orig000066400000000000000000000013171303637203600210160ustar00rootroot00000000000000 # # Scrub rules # scrub in all fragment reassemble # # Rule 1 (NAT) nat on eth0 from 192.168.1.0/24 to 
any -> (eth0) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 192.168.1.100 to self port 22 keep state # # Rule 0 (eth0) pass in quick on eth0 inet proto tcp from 192.168.1.0/24 to any port { 80, 22 } keep state # # Rule 1 (lo0) pass quick on lo0 inet from any to any # # Rule 2 (enc0) # via ipsec pass quick on enc0 inet proto tcp from 33.33.33.0/24 to 192.168.1.0/24 port 80 keep state # # Rule 3 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall10-3.fw.orig000077500000000000000000000023571303637203600205150ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:02 2011 PST by vadim # # files: * firewall10-3.fw /etc/fw/firewall10-3.fw # files: firewall10-3.conf /etc/fw/firewall10-3.conf # # Compiled for pf 3.x # # PF 3.x, testing # "flags S/SA keep state" # "Accept tcp sessions opened # prior to restart" ON FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:02 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall10-3.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall10-4.conf.orig000066400000000000000000000014021303637203600210120ustar00rootroot00000000000000 set skip on lo0 # # Scrub rules # scrub in all fragment reassemble # # Rule 1 
(NAT) nat on eth0 from 192.168.1.0/24 to any -> (eth0) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 192.168.1.100 to self port 22 flags any # # Rule 0 (eth0) pass in quick on eth0 inet proto tcp from 192.168.1.0/24 to any port { 80, 22 } flags any # # Rule 1 (lo0) pass quick on lo0 inet from any to any no state # # Rule 2 (enc0) # via ipsec pass quick on enc0 inet proto tcp from 33.33.33.0/24 to 192.168.1.0/24 port 80 flags any keep state # # Rule 3 (global) block log quick inet from any to any no state # # Rule fallback rule # fallback rule block quick inet from any to any no state fwbuilder-5.3.7/test/pf/firewall10-4.fw.orig000077500000000000000000000023641303637203600205140ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:04 2011 PST by vadim # # files: * firewall10-4.fw /etc/fw/firewall10-4.fw # files: firewall10-4.conf /etc/fw/firewall10-4.conf # # Compiled for pf 4.0 # # PF 4.x, testing # "flags S/SA keep state" # "Accept tcp sessions opened # prior to restart" is ON FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:04 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall10-4.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall10-5.conf.orig000066400000000000000000000017051303637203600210210ustar00rootroot00000000000000 # # 
Scrub rules # scrub in all fragment reassemble # # Rule 1 (NAT) nat on eth0 from 192.168.1.0/24 to any -> (eth0) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 192.168.1.100 to self port 22 keep state # # Rule 0 (enc0) # This adds "pass out ... keep state" # rule that compiler 2.1.14 # does not add automatically for pf 3.x # Note that checkbox "add 'keep state'" # is on in options pass out quick on enc0 inet from any to any keep state # # Rule 1 (eth0) pass in quick on eth0 inet proto tcp from 192.168.1.0/24 to any port { 80, 22 } keep state # # Rule 2 (lo0) pass quick on lo0 inet from any to any # # Rule 3 (enc0) # via ipsec pass quick on enc0 inet proto tcp from 33.33.33.0/24 to 192.168.1.0/24 port 80 keep state # # Rule 4 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall10-5.fw.orig000077500000000000000000000024131303637203600205100ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:06 2011 PST by vadim # # files: * firewall10-5.fw /etc/fw/firewall10-5.fw # files: firewall10-5.conf /etc/fw/firewall10-5.conf # # Compiled for pf 3.x # # PF 3.x, testing # "flags S/SA keep state" # "Accept tcp sessions opened # prior to restart" ON # Using "pass all outgoing" FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:06 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall10-5.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall10-6.conf.orig000066400000000000000000000014021303637203600210140ustar00rootroot00000000000000 set skip on lo0 # # Scrub rules # scrub in all fragment reassemble # # Rule 1 (NAT) nat on eth0 from 192.168.1.0/24 to any -> (eth0) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 192.168.1.100 to self port 22 flags any # # Rule 0 (eth0) pass in quick on eth0 inet proto tcp from 192.168.1.0/24 to any port { 80, 22 } flags any # # Rule 1 (lo0) pass quick on lo0 inet from any to any no state # # Rule 2 (enc0) # via ipsec pass quick on enc0 inet proto tcp from 33.33.33.0/24 to 192.168.1.0/24 port 80 flags any keep state # # Rule 3 (global) block log quick inet from any to any no state # # Rule fallback rule # fallback rule block quick inet from any to any no state 
fwbuilder-5.3.7/test/pf/firewall10-6.fw.orig000077500000000000000000000024201303637203600205070ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:07 2011 PST by vadim # # files: * firewall10-6.fw /etc/fw/firewall10-6.fw # files: firewall10-6.conf /etc/fw/firewall10-6.conf # # Compiled for pf 4.0 # # PF 4.x, testing # "flags S/SA keep state" # "Accept tcp sessions opened # prior to restart" is ON # Using "pass all outgoing" FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:07 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall10-6.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall100.conf.orig000066400000000000000000000010121303637203600207260ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " 
fwbuilder-5.3.7/test/pf/firewall100.fw.orig000077500000000000000000000146601303637203600204350ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:38:59 2011 PST by vadim # # files: * firewall100.fw /etc/fw/pf.fw # files: firewall100.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # routing rules # firewall100:Routing:1: error: Gateway and interface are both empty in the rule # firewall100:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for openbsd # firewall100:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" $IFCONFIG em0 mtu 1490 update_addresses_of_interface 
"em1 10.1.1.81/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:38:59 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 # ============== ROUTING RULES ============== TMPDIRNAME=`mktemp -d /tmp/.fwbuilder.XXXXXXXXXX` || exit 1 TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules route -n show -inet | awk '$3 ~ /S/ && $NF !~ /lo0/ { print $0;}' | \ while read route gw rest; do route delete $route $gw; done # restore old routing rules (IFS=" "; for route_cmd in $oldRoutes; do (IFS=' '; $route_cmd); done) echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 oldRoutes=$(route -n show -inet | awk '{printf "route add %s %s\n",$1,$2;}') echo "Deleting routing rules previously set by user space processes..." route -n show -inet | grep S | grep -Ev 'lo0' | \ while read route gw rest; do route delete $route $gw; done echo "Activating routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # setting default via gateway # line 2 comment # route add default 10.1.1.1 || route_command_error "0 (main)" # # Rule 1 (main) # echo "Routing rule 1 (main)" # # empty rule # # firewall100:Routing:1: error: Gateway and interface are both empty in the rule # firewall100:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. 
This configuration is not supported for openbsd route add default || route_command_error "1 (main)" # # Rule 2 (main) # echo "Routing rule 2 (main)" # route add 192.168.171.2 10.1.1.1 || route_command_error "2 (main)" # # Rule 3 (main) # echo "Routing rule 3 (main)" # route add 22.22.22.0/24 10.1.1.1 || route_command_error "3 (main)" # # Rule 4 (main) # echo "Routing rule 4 (main)" # # firewall100:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning route add 33.33.33.0/24 10.1.1.1 || route_command_error "4 (main)" restore_script_output echo "...done." epilog_commandsfwbuilder-5.3.7/test/pf/firewall101.conf.orig000066400000000000000000000010121303637203600207270ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall101.fw.orig000077500000000000000000000151021303637203600204260ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:00 2011 PST by vadim # # files: * firewall101.fw /etc/fw/pf.fw # files: firewall101.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # routing rules, shell script format # firewall101:Routing:1: error: Gateway and interface are both empty in the rule # firewall101:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. 
This configuration is not supported for freebsd # firewall101:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' 
"$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" $IFCONFIG em0 mtu 1490 update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:00 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 # ============== ROUTING RULES ============== TMPDIRNAME=`mktemp -d /tmp/.fwbuilder.XXXXXXXXXX` || exit 1 TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." 
# delete current routing rules netstat -rn -f inet | awk '$3 ~ /S/ && $NF !~ /lo0/ { print $0;}' | \ while read route gw rest; do route delete $route $gw; done # restore old routing rules (IFS=" "; for route_cmd in $oldRoutes; do (IFS=' '; $route_cmd); done) echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 oldRoutes=$(netstat -rn -f inet | awk '/^$|Destination|Routing tables|Internet:/ {next;} {printf "route add %s %s\n",$1,$2;}') echo "Deleting routing rules previously set by user space processes..." netstat -rn -f inet | awk '$3 ~ /S/ { print $0;}' | grep -Ev 'lo0' | \ while read route gw rest; do route delete $route $gw; done echo "Activating routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # setting default via gateway # line 2 comment # route add default 10.1.1.1 || route_command_error "0 (main)" # # Rule 1 (main) # echo "Routing rule 1 (main)" # # empty rule # # firewall101:Routing:1: error: Gateway and interface are both empty in the rule # firewall101:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for freebsd route add default || route_command_error "1 (main)" # # Rule 2 (main) # echo "Routing rule 2 (main)" # route add 192.168.171.2 10.1.1.1 || route_command_error "2 (main)" # # Rule 3 (main) # echo "Routing rule 3 (main)" # route add 22.22.22.0/24 10.1.1.1 || route_command_error "3 (main)" # # Rule 4 (main) # echo "Routing rule 4 (main)" # # firewall101:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning route add 33.33.33.0/24 10.1.1.1 || route_command_error "4 (main)" restore_script_output echo "...done." 
epilog_commandsfwbuilder-5.3.7/test/pf/firewall102.conf.orig000066400000000000000000000010121303637203600207300ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall102.fw.orig000077500000000000000000000023161303637203600204320ustar00rootroot00000000000000# # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:01 2011 PST by vadim # # files: * firewall102.fw /etc/fw/pf.fw # files: firewall102.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # routing rules, rc.conf format # firewall102:Routing:1: error: Gateway and interface are both empty in the rule # firewall102:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for freebsd # firewall102:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. 
Revise them to avoid this warning gateway_enable="YES" network_interfaces="em0 em1" ifconfig_em0="10.3.14.81 netmask 0xffffff00 mtu 1490 " ifconfig_em1="10.1.1.81 netmask 0xffffff00" pf_enable="YES" pf_rules="/etc/fw/path\ with\ space/pf.conf" static_routes="route_0 route_1 route_2 route_3 route_4" route_route_0="default 10.1.1.1 " route_route_1="default " route_route_2="192.168.171.2 10.1.1.1 " route_route_3="22.22.22.0/24 10.1.1.1 " route_route_4="33.33.33.0/24 10.1.1.1 " fwbuilder-5.3.7/test/pf/firewall103-1.conf.orig000066400000000000000000000010121303637203600210670ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall103-1.fw.orig000077500000000000000000000241551303637203600205760ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:03 2011 PST by vadim # # files: * firewall103-1.fw /etc/fw/pf.fw # files: firewall103-1.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # bridge interface, static address, shell script format, OpenBSD 4.7 FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' 
"$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG -A | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ 
/^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } BRCONFIG="$IFCONFIG" missing_port() { intf=$1 cmd=$2 oldIFS=$IFS IFS="@" set $intf port=$1 bridge_interface=$2 IFS=$oldIFS echo "# Updating bridge configuration: $bridge_interface $cmd $port" $FWBDEBUG $BRCONFIG $bridge_interface $cmd $port test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up } update_bridge_interface() { bridge_interface=$1 shift FWB_PORTS="" CURRENT_PORTS="" FWB_PORTS=$( for subint in $*; do echo "${subint}@$bridge_interface" done | sort ) # this is really redundant because we create missing bridge # interfaces in sync_bridge_interfaces. However will leave this # here so that function update_bridge can be used without prior # call to sync_bridge_interfaces The difference is that # sync_bridge_interfaces also deletes bridge interfaces that exist # on the machine but are missing in fwbuilder confgiuration. The # update_bridge function can only add bridge interfaces. $BRCONFIG $bridge_interface >/dev/null 2>&1 || { echo "# Creating bridge interface $bridge_interface" $FWBDEBUG $IFCONFIG $bridge_interface create $FWBDEBUG $IFCONFIG $bridge_interface up } PORTS=$( $BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }' ) test -n "$PORTS" && { CURRENT_PORTS=$( for subint in $PORTS; do echo "${subint}@$bridge_interface" done | sort ) } # first delete bridge ports, then add. This way, if an interface # moves from one bridge to another, we remove it first and then # add. It would not work if we tried to add it first, brctl issues # an error: # device eth2 is already a member of a bridge; can't enslave it to bridge br1. 
# diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm } sync_bridge_interfaces() { $BRCONFIG -a | awk -F: -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } ($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \ while read brintf; do echo "# Deleting bridge interface $brintf" $FWBDEBUG $IFCONFIG $brintf down $FWBDEBUG $IFCONFIG $brintf destroy done for brint in $*; do $BRCONFIG $brint >/dev/null 2>&1 || { echo "# Creating bridge interface $brintf" $FWBDEBUG $IFCONFIG $brint create $FWBDEBUG $IFCONFIG $brint up } done } sync_carp_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" 
exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces sync_bridge_interfaces bridge0 sync_carp_interfaces sync_pfsync_interfaces update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" update_addresses_of_interface "em2" "" update_addresses_of_interface "em3" "" update_bridge_interface bridge0 "em2 em3" $IFCONFIG bridge0 -stp em2 $IFCONFIG bridge0 -stp em3 update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:03 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall103-2.conf.orig000066400000000000000000000007721303637203600211040ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # scrub all reassemble tcp no-df scrub out all random-id min-ttl 1 max-mss 1460 # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " 
fwbuilder-5.3.7/test/pf/firewall103-2.fw.orig000077500000000000000000000241551303637203600205770ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:03 2011 PST by vadim # # files: * firewall103-2.fw /etc/fw/pf.fw # files: firewall103-2.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.0 # # bridge interface, static address, shell script format, OpenBSD <4.7 FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test 
"$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG -A | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } BRCONFIG="brconfig" missing_port() { intf=$1 cmd=$2 oldIFS=$IFS IFS="@" set $intf port=$1 bridge_interface=$2 IFS=$oldIFS echo "# Updating bridge configuration: $bridge_interface $cmd $port" $FWBDEBUG $BRCONFIG $bridge_interface $cmd $port test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up } update_bridge_interface() { bridge_interface=$1 shift FWB_PORTS="" CURRENT_PORTS="" FWB_PORTS=$( for subint in $*; do echo "${subint}@$bridge_interface" done | sort ) # this is really redundant because we create missing bridge # interfaces in sync_bridge_interfaces. 
However will leave this # here so that function update_bridge can be used without prior # call to sync_bridge_interfaces The difference is that # sync_bridge_interfaces also deletes bridge interfaces that exist # on the machine but are missing in fwbuilder confgiuration. The # update_bridge function can only add bridge interfaces. $BRCONFIG $bridge_interface >/dev/null 2>&1 || { echo "# Creating bridge interface $bridge_interface" $FWBDEBUG $IFCONFIG $bridge_interface create $FWBDEBUG $IFCONFIG $bridge_interface up } PORTS=$( $BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }' ) test -n "$PORTS" && { CURRENT_PORTS=$( for subint in $PORTS; do echo "${subint}@$bridge_interface" done | sort ) } # first delete bridge ports, then add. This way, if an interface # moves from one bridge to another, we remove it first and then # add. It would not work if we tried to add it first, brctl issues # an error: # device eth2 is already a member of a bridge; can't enslave it to bridge br1. # diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm } sync_bridge_interfaces() { $BRCONFIG -a | awk -F: -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } ($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \ while read brintf; do echo "# Deleting bridge interface $brintf" $FWBDEBUG $IFCONFIG $brintf down $FWBDEBUG $IFCONFIG $brintf destroy done for brint in $*; do $BRCONFIG $brint >/dev/null 2>&1 || { echo "# Creating bridge interface $brintf" $FWBDEBUG $IFCONFIG $brint create $FWBDEBUG $IFCONFIG $brint up } done } sync_carp_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf 
destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces sync_bridge_interfaces bridge0 sync_carp_interfaces sync_pfsync_interfaces update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" update_addresses_of_interface "em2" "" update_addresses_of_interface "em3" "" update_bridge_interface bridge0 "em2 em3" $IFCONFIG bridge0 -stp em2 $IFCONFIG bridge0 -stp em3 update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:03 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall103.conf.orig000066400000000000000000000010121303637203600207310ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 
10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall103.fw.orig000077500000000000000000000242121303637203600204320ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:02 2011 PST by vadim # # files: * firewall103.fw /etc/fw/pf.fw # files: firewall103.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # bridge interface, static address, shell script format FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test 
"$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } BRCONFIG="$IFCONFIG" missing_port() { intf=$1 cmd=$2 oldIFS=$IFS IFS="@" set $intf port=$1 bridge_interface=$2 IFS=$oldIFS echo "# Updating bridge configuration: $bridge_interface $cmd $port" $FWBDEBUG $BRCONFIG $bridge_interface $cmd $port test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up } update_bridge_interface() { bridge_interface=$1 shift FWB_PORTS="" CURRENT_PORTS="" FWB_PORTS=$( for subint in $*; do echo "${subint}@$bridge_interface" done | sort ) # this is really redundant because we create missing bridge # interfaces in sync_bridge_interfaces. 
However will leave this # here so that function update_bridge can be used without prior # call to sync_bridge_interfaces The difference is that # sync_bridge_interfaces also deletes bridge interfaces that exist # on the machine but are missing in fwbuilder confgiuration. The # update_bridge function can only add bridge interfaces. $BRCONFIG $bridge_interface >/dev/null 2>&1 || { echo "# Creating bridge interface $bridge_interface" $FWBDEBUG $IFCONFIG $bridge_interface create $FWBDEBUG $IFCONFIG $bridge_interface up } PORTS=$( $BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }' ) test -n "$PORTS" && { CURRENT_PORTS=$( for subint in $PORTS; do echo "${subint}@$bridge_interface" done | sort ) } # first delete bridge ports, then add. This way, if an interface # moves from one bridge to another, we remove it first and then # add. It would not work if we tried to add it first, brctl issues # an error: # device eth2 is already a member of a bridge; can't enslave it to bridge br1. # diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm } sync_bridge_interfaces() { $BRCONFIG -a | awk -F: -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } ($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \ while read brintf; do echo "# Deleting bridge interface $brintf" $FWBDEBUG $IFCONFIG $brintf down $FWBDEBUG $IFCONFIG $brintf destroy done for brint in $*; do $BRCONFIG $brint >/dev/null 2>&1 || { echo "# Creating bridge interface $brintf" $FWBDEBUG $IFCONFIG $brint create $FWBDEBUG $IFCONFIG $brint up } done } sync_carp_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy 
done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces sync_bridge_interfaces bridge0 sync_carp_interfaces sync_pfsync_interfaces update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" update_addresses_of_interface "em2" "" update_addresses_of_interface "em3" "" update_bridge_interface bridge0 "em2 em3" $IFCONFIG bridge0 -stp em2 $IFCONFIG bridge0 -stp em3 update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:02 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall104-1.conf.orig000066400000000000000000000010121303637203600210700ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 
10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall104-1.fw.orig000077500000000000000000000240511303637203600205720ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:05 2011 PST by vadim # # files: * firewall104-1.fw /etc/fw/pf.fw # files: firewall104-1.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # bridge interface, dynamic address, shell script format, OpenBSD 4.7 FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test 
"$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG -A | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } BRCONFIG="$IFCONFIG" missing_port() { intf=$1 cmd=$2 oldIFS=$IFS IFS="@" set $intf port=$1 bridge_interface=$2 IFS=$oldIFS echo "# Updating bridge configuration: $bridge_interface $cmd $port" $FWBDEBUG $BRCONFIG $bridge_interface $cmd $port test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up } update_bridge_interface() { bridge_interface=$1 shift FWB_PORTS="" CURRENT_PORTS="" FWB_PORTS=$( for subint in $*; do echo "${subint}@$bridge_interface" done | sort ) # this is really redundant because we create missing bridge # interfaces in sync_bridge_interfaces. 
However will leave this # here so that function update_bridge can be used without prior # call to sync_bridge_interfaces The difference is that # sync_bridge_interfaces also deletes bridge interfaces that exist # on the machine but are missing in fwbuilder confgiuration. The # update_bridge function can only add bridge interfaces. $BRCONFIG $bridge_interface >/dev/null 2>&1 || { echo "# Creating bridge interface $bridge_interface" $FWBDEBUG $IFCONFIG $bridge_interface create $FWBDEBUG $IFCONFIG $bridge_interface up } PORTS=$( $BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }' ) test -n "$PORTS" && { CURRENT_PORTS=$( for subint in $PORTS; do echo "${subint}@$bridge_interface" done | sort ) } # first delete bridge ports, then add. This way, if an interface # moves from one bridge to another, we remove it first and then # add. It would not work if we tried to add it first, brctl issues # an error: # device eth2 is already a member of a bridge; can't enslave it to bridge br1. # diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm } sync_bridge_interfaces() { $BRCONFIG -a | awk -F: -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } ($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \ while read brintf; do echo "# Deleting bridge interface $brintf" $FWBDEBUG $IFCONFIG $brintf down $FWBDEBUG $IFCONFIG $brintf destroy done for brint in $*; do $BRCONFIG $brint >/dev/null 2>&1 || { echo "# Creating bridge interface $brintf" $FWBDEBUG $IFCONFIG $brint create $FWBDEBUG $IFCONFIG $brint up } done } sync_carp_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf 
destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces sync_bridge_interfaces bridge0 sync_carp_interfaces sync_pfsync_interfaces update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" update_addresses_of_interface "em2" "" update_addresses_of_interface "em3" "" update_bridge_interface bridge0 "em2 em3" $IFCONFIG bridge0 -stp em2 $IFCONFIG bridge0 -stp em3 } log "Activating firewall script generated Wed Nov 30 18:39:05 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall104.conf.orig000066400000000000000000000010121303637203600207320ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 
(global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall104.fw.orig000077500000000000000000000241161303637203600204360ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:04 2011 PST by vadim # # files: * firewall104.fw /etc/fw/pf.fw # files: firewall104.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # bridge interface, dynamic address, shell script format, with STP FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test 
"$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } BRCONFIG="$IFCONFIG" missing_port() { intf=$1 cmd=$2 oldIFS=$IFS IFS="@" set $intf port=$1 bridge_interface=$2 IFS=$oldIFS echo "# Updating bridge configuration: $bridge_interface $cmd $port" $FWBDEBUG $BRCONFIG $bridge_interface $cmd $port test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up } update_bridge_interface() { bridge_interface=$1 shift FWB_PORTS="" CURRENT_PORTS="" FWB_PORTS=$( for subint in $*; do echo "${subint}@$bridge_interface" done | sort ) # this is really redundant because we create missing bridge # interfaces in sync_bridge_interfaces. 
However will leave this # here so that function update_bridge can be used without prior # call to sync_bridge_interfaces The difference is that # sync_bridge_interfaces also deletes bridge interfaces that exist # on the machine but are missing in fwbuilder confgiuration. The # update_bridge function can only add bridge interfaces. $BRCONFIG $bridge_interface >/dev/null 2>&1 || { echo "# Creating bridge interface $bridge_interface" $FWBDEBUG $IFCONFIG $bridge_interface create $FWBDEBUG $IFCONFIG $bridge_interface up } PORTS=$( $BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }' ) test -n "$PORTS" && { CURRENT_PORTS=$( for subint in $PORTS; do echo "${subint}@$bridge_interface" done | sort ) } # first delete bridge ports, then add. This way, if an interface # moves from one bridge to another, we remove it first and then # add. It would not work if we tried to add it first, brctl issues # an error: # device eth2 is already a member of a bridge; can't enslave it to bridge br1. # diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm } sync_bridge_interfaces() { $BRCONFIG -a | awk -F: -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } ($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \ while read brintf; do echo "# Deleting bridge interface $brintf" $FWBDEBUG $IFCONFIG $brintf down $FWBDEBUG $IFCONFIG $brintf destroy done for brint in $*; do $BRCONFIG $brint >/dev/null 2>&1 || { echo "# Creating bridge interface $brintf" $FWBDEBUG $IFCONFIG $brint create $FWBDEBUG $IFCONFIG $brint up } done } sync_carp_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy 
done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces sync_bridge_interfaces bridge0 sync_carp_interfaces sync_pfsync_interfaces update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" update_addresses_of_interface "em2" "" update_addresses_of_interface "em3" "" update_bridge_interface bridge0 "em2 em3" $IFCONFIG bridge0 stp em2 $IFCONFIG bridge0 stp em3 } log "Activating firewall script generated Wed Nov 30 18:39:04 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall105.conf.orig000066400000000000000000000010121303637203600207330ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block 
log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall105.fw.orig000077500000000000000000000013031303637203600204300ustar00rootroot00000000000000# # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:05 2011 PST by vadim # # files: * firewall105.fw /etc/fw/pf.fw # files: firewall105.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # bridge interface, static address, rc.conf format gateway_enable="YES" cloned_interfaces="bridge0" network_interfaces="bridge0 em0 em1" ifconfig_em0="10.3.14.81 netmask 0xffffff00" ifconfig_em1="10.1.1.81 netmask 0xffffff00" ifconfig_em2="up" ifconfig_em3="up" ifconfig_bridge0="addm em2 -stp em2 addm em3 -stp em3 up 192.168.1.1 netmask 0xffffff00" pf_enable="YES" pf_rules="/etc/fw/path\ with\ space/pf.conf" fwbuilder-5.3.7/test/pf/firewall106.conf.orig000066400000000000000000000010121303637203600207340ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall106.fw.orig000077500000000000000000000025511303637203600204370ustar00rootroot00000000000000# # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:06 2011 PST by vadim # # files: * firewall106.fw /etc/fw/pf.fw # files: firewall106.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # bridge interface, dynamic address, rc.conf format, with STP # firewall106:Routing:1: error: Gateway and interface are both empty in the rule # firewall106:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for freebsd # firewall106:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning gateway_enable="YES" cloned_interfaces="bridge0" network_interfaces="bridge0 em0 em1" ifconfig_em0="10.3.14.81 netmask 0xffffff00" ifconfig_em1="10.1.1.81 netmask 0xffffff00" ifconfig_em2="up" ifconfig_em3="up" ifconfig_bridge0="addm em2 stp em2 addm em3 stp em3 up DHCP" pf_enable="YES" pf_rules="/etc/fw/path\ with\ space/pf.conf" static_routes="route_0 route_1 route_2 route_3 route_4" route_route_0="default 10.1.1.1 " route_route_1="default " route_route_2="192.168.171.2 10.1.1.1 " route_route_3="22.22.22.0/24 10.1.1.1 " route_route_4="33.33.33.0/24 10.1.1.1 " fwbuilder-5.3.7/test/pf/firewall107.conf.orig000066400000000000000000000010121303637203600207350ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " 
fwbuilder-5.3.7/test/pf/firewall107.fw.orig000077500000000000000000000241771303637203600204500ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:07 2011 PST by vadim # # files: * firewall107.fw /etc/fw/pf.fw # files: firewall107.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # vlan interface, static address, shell script format FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test 
"$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } BRCONFIG="$IFCONFIG" missing_port() { intf=$1 cmd=$2 oldIFS=$IFS IFS="@" set $intf port=$1 bridge_interface=$2 IFS=$oldIFS echo "# Updating bridge configuration: $bridge_interface $cmd $port" $FWBDEBUG $BRCONFIG $bridge_interface $cmd $port test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up } update_bridge_interface() { bridge_interface=$1 shift FWB_PORTS="" CURRENT_PORTS="" FWB_PORTS=$( for subint in $*; do echo "${subint}@$bridge_interface" done | sort ) # this is really redundant because we create missing bridge # interfaces in sync_bridge_interfaces. 
However will leave this # here so that function update_bridge can be used without prior # call to sync_bridge_interfaces The difference is that # sync_bridge_interfaces also deletes bridge interfaces that exist # on the machine but are missing in fwbuilder confgiuration. The # update_bridge function can only add bridge interfaces. $BRCONFIG $bridge_interface >/dev/null 2>&1 || { echo "# Creating bridge interface $bridge_interface" $FWBDEBUG $IFCONFIG $bridge_interface create $FWBDEBUG $IFCONFIG $bridge_interface up } PORTS=$( $BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }' ) test -n "$PORTS" && { CURRENT_PORTS=$( for subint in $PORTS; do echo "${subint}@$bridge_interface" done | sort ) } # first delete bridge ports, then add. This way, if an interface # moves from one bridge to another, we remove it first and then # add. It would not work if we tried to add it first, brctl issues # an error: # device eth2 is already a member of a bridge; can't enslave it to bridge br1. # diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm } sync_bridge_interfaces() { $BRCONFIG -a | awk -F: -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } ($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \ while read brintf; do echo "# Deleting bridge interface $brintf" $FWBDEBUG $IFCONFIG $brintf down $FWBDEBUG $IFCONFIG $brintf destroy done for brint in $*; do $BRCONFIG $brint >/dev/null 2>&1 || { echo "# Creating bridge interface $brintf" $FWBDEBUG $IFCONFIG $brint create $FWBDEBUG $IFCONFIG $brint up } done } sync_carp_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy 
done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces vlan101 vlan102 sync_bridge_interfaces sync_carp_interfaces sync_pfsync_interfaces update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" update_vlans_of_interface "em2 vlan101:101 vlan102:102" update_addresses_of_interface "em2" "" update_addresses_of_interface "vlan101 192.168.101.1/0xffffff00" "" update_addresses_of_interface "vlan102 192.168.102.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:07 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall108.conf.orig000066400000000000000000000010121303637203600207360ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 
to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall108.fw.orig000077500000000000000000000014551303637203600204430ustar00rootroot00000000000000# # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:08 2011 PST by vadim # # files: * firewall108.fw /etc/fw/pf.fw # files: firewall108.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # vlan interface, static address, rc.conf format gateway_enable="YES" cloned_interfaces="vlan101 vlan102" network_interfaces="em0 em1 vlan101 vlan102" ifconfig_em0="10.3.14.81 netmask 0xffffff00" ifconfig_em1="10.1.1.81 netmask 0xffffff00" vlans_em2="vlan101 vlan102" create_args_vlan101="vlan 101 vlandev em2" create_args_vlan102="vlan 102 vlandev em2" ifconfig_vlan101="192.168.101.1 netmask 0xffffff00" ifconfig_vlan102="192.168.102.1 netmask 0xffffff00" pf_enable="YES" pf_rules="/etc/fw/path\ with\ space/pf.conf" fwbuilder-5.3.7/test/pf/firewall109-1.conf.orig000066400000000000000000000010121303637203600210750ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall109-1.fw.orig000077500000000000000000000017471303637203600206060ustar00rootroot00000000000000# # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:09 2011 PST by vadim # # files: * firewall109-1.fw /etc/fw/pf.fw # files: firewall109-1.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # complex configuration with bridge and vlan, rc.conf format gateway_enable="YES" cloned_interfaces="vlan101 vlan102 bridge0" network_interfaces="bridge0 em0 vlan101 vlan102" ifconfig_em0="10.3.14.81 netmask 0xffffff00" ifconfig_em1="up media 100baseTX mediaopt full-duplex" vlans_em2="vlan101 vlan102" create_args_vlan101="vlan 101 vlandev em2" create_args_vlan102="vlan 102 vlandev em2" ifconfig_em2="up media 100baseTX mediaopt full-duplex" ifconfig_vlan101="192.168.101.1 netmask 0xffffff00" ifconfig_vlan102="192.168.102.1 netmask 0xffffff00" ifconfig_bridge0="addm em1 -stp em1 addm em2 -stp em2 up 192.168.1.1 netmask 0xffffff00" pf_enable="YES" pf_rules="/etc/fw/path\ with\ space/pf.conf" fwbuilder-5.3.7/test/pf/firewall109-2.conf.orig000066400000000000000000000010121303637203600210760ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall109-2.fw.orig000077500000000000000000000245411303637203600206040ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:09 2011 PST by vadim # # files: * firewall109-2.fw /etc/fw/pf.fw # files: firewall109-2.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # complex configuration with bridge and vlan, uses vlan interfaces with names not matching vlan IDs FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 
2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a 
in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } BRCONFIG="$IFCONFIG" missing_port() { intf=$1 cmd=$2 oldIFS=$IFS IFS="@" set $intf port=$1 bridge_interface=$2 IFS=$oldIFS echo "# Updating bridge configuration: $bridge_interface $cmd $port" $FWBDEBUG $BRCONFIG $bridge_interface $cmd $port test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up } update_bridge_interface() { bridge_interface=$1 shift FWB_PORTS="" CURRENT_PORTS="" FWB_PORTS=$( for subint in $*; do echo "${subint}@$bridge_interface" done | sort ) # this is really redundant because we create missing bridge # interfaces in sync_bridge_interfaces. However will leave this # here so that function update_bridge can be used without prior # call to sync_bridge_interfaces The difference is that # sync_bridge_interfaces also deletes bridge interfaces that exist # on the machine but are missing in fwbuilder confgiuration. The # update_bridge function can only add bridge interfaces. $BRCONFIG $bridge_interface >/dev/null 2>&1 || { echo "# Creating bridge interface $bridge_interface" $FWBDEBUG $IFCONFIG $bridge_interface create $FWBDEBUG $IFCONFIG $bridge_interface up } PORTS=$( $BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }' ) test -n "$PORTS" && { CURRENT_PORTS=$( for subint in $PORTS; do echo "${subint}@$bridge_interface" done | sort ) } # first delete bridge ports, then add. This way, if an interface # moves from one bridge to another, we remove it first and then # add. It would not work if we tried to add it first, brctl issues # an error: # device eth2 is already a member of a bridge; can't enslave it to bridge br1. 
# diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm } sync_bridge_interfaces() { $BRCONFIG -a | awk -F: -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } ($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \ while read brintf; do echo "# Deleting bridge interface $brintf" $FWBDEBUG $IFCONFIG $brintf down $FWBDEBUG $IFCONFIG $brintf destroy done for brint in $*; do $BRCONFIG $brint >/dev/null 2>&1 || { echo "# Creating bridge interface $brintf" $FWBDEBUG $IFCONFIG $brint create $FWBDEBUG $IFCONFIG $brint up } done } sync_carp_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" 
exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces vlan8210 vlan9210 sync_bridge_interfaces bridge0 sync_carp_interfaces sync_pfsync_interfaces update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" update_vlans_of_interface "em1 vlan9210:210" update_addresses_of_interface "em1" "" update_vlans_of_interface "em2 vlan8210:210" update_addresses_of_interface "em2" "" update_addresses_of_interface "vlan8210" "" update_addresses_of_interface "vlan9210" "" update_bridge_interface bridge0 "vlan8210 vlan9210" $IFCONFIG bridge0 -stp vlan8210 $IFCONFIG bridge0 -stp vlan9210 update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:09 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall109-3.conf.orig000066400000000000000000000010121303637203600210770ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no 
state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall109-3.fw.orig000077500000000000000000000016121303637203600205770ustar00rootroot00000000000000# # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:10 2011 PST by vadim # # files: * firewall109-3.fw /etc/fw/pf.fw # files: firewall109-3.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # complex configuration with bridge and vlan, uses vlan interfaces with names not matching vlan IDs. rc.conf format gateway_enable="YES" cloned_interfaces="vlan8210 vlan9210 bridge0" network_interfaces="bridge0 em0" ifconfig_em0="10.3.14.81 netmask 0xffffff00" vlans_em1="vlan9210" create_args_vlan9210="vlan 210 vlandev em1" vlans_em2="vlan8210" create_args_vlan8210="vlan 210 vlandev em2" ifconfig_vlan8210="up" ifconfig_vlan9210="up" ifconfig_bridge0="addm vlan8210 -stp vlan8210 addm vlan9210 -stp vlan9210 up 192.168.1.1 netmask 0xffffff00" pf_enable="YES" pf_rules="/etc/fw/path\ with\ space/pf.conf" fwbuilder-5.3.7/test/pf/firewall109.conf.orig000066400000000000000000000010121303637203600207370ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall109.fw.orig000077500000000000000000000246121303637203600204440ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:08 2011 PST by vadim # # files: * firewall109.fw /etc/fw/pf.fw # files: firewall109.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # complex configuration with bridge and vlan FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope 
$interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } 
($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } BRCONFIG="$IFCONFIG" missing_port() { intf=$1 cmd=$2 oldIFS=$IFS IFS="@" set $intf port=$1 bridge_interface=$2 IFS=$oldIFS echo "# Updating bridge configuration: $bridge_interface $cmd $port" $FWBDEBUG $BRCONFIG $bridge_interface $cmd $port test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up } update_bridge_interface() { bridge_interface=$1 shift FWB_PORTS="" CURRENT_PORTS="" FWB_PORTS=$( for subint in $*; do echo "${subint}@$bridge_interface" done | sort ) # this is really redundant because we create missing bridge # interfaces in sync_bridge_interfaces. However will leave this # here so that function update_bridge can be used without prior # call to sync_bridge_interfaces The difference is that # sync_bridge_interfaces also deletes bridge interfaces that exist # on the machine but are missing in fwbuilder confgiuration. The # update_bridge function can only add bridge interfaces. $BRCONFIG $bridge_interface >/dev/null 2>&1 || { echo "# Creating bridge interface $bridge_interface" $FWBDEBUG $IFCONFIG $bridge_interface create $FWBDEBUG $IFCONFIG $bridge_interface up } PORTS=$( $BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }' ) test -n "$PORTS" && { CURRENT_PORTS=$( for subint in $PORTS; do echo "${subint}@$bridge_interface" done | sort ) } # first delete bridge ports, then add. This way, if an interface # moves from one bridge to another, we remove it first and then # add. It would not work if we tried to add it first, brctl issues # an error: # device eth2 is already a member of a bridge; can't enslave it to bridge br1. 
# diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm } sync_bridge_interfaces() { $BRCONFIG -a | awk -F: -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } ($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \ while read brintf; do echo "# Deleting bridge interface $brintf" $FWBDEBUG $IFCONFIG $brintf down $FWBDEBUG $IFCONFIG $brintf destroy done for brint in $*; do $BRCONFIG $brint >/dev/null 2>&1 || { echo "# Creating bridge interface $brintf" $FWBDEBUG $IFCONFIG $brint create $FWBDEBUG $IFCONFIG $brint up } done } sync_carp_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" 
exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces vlan101 vlan102 sync_bridge_interfaces bridge0 sync_carp_interfaces sync_pfsync_interfaces update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" update_addresses_of_interface "em1" "" $IFCONFIG em1 media 100baseTX mediaopt full-duplex update_vlans_of_interface "em2 vlan101:101 vlan102:102" update_addresses_of_interface "em2" "" $IFCONFIG em2 media 100baseTX mediaopt full-duplex update_addresses_of_interface "vlan101 192.168.101.1/0xffffff00" "" update_addresses_of_interface "vlan102 192.168.102.1/0xffffff00" "" update_bridge_interface bridge0 "em1 em2" $IFCONFIG bridge0 -stp em1 $IFCONFIG bridge0 -stp em2 update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:08 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall11.conf.orig000066400000000000000000000015441303637203600206610ustar00rootroot00000000000000 # Tables: (2) table { 192.168.1.10 , 192.168.1.20 } table { 192.168.1.0/24 , 192.168.2.0/24 } # Policy compiler errors and warnings: # firewall11:Policy:0: warning: Changing rule direction due to self reference # firewall11:Policy:1: warning: Changing 
rule direction due to self reference # # Rule 0 (global) # firewall11:Policy:0: warning: Changing rule direction due to self reference pass in quick inet proto tcp from to self port 22 flags S/SA keep state # # Rule 1 (global) # firewall11:Policy:1: warning: Changing rule direction due to self reference block in quick inet from any to self # # Rule 2 (global) pass quick inet from to any keep state # # Rule 3 (global) block quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall11.fw.orig000077500000000000000000000030241303637203600203460ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:11 2011 PST by vadim # # files: * firewall11.fw /etc/firewall11.fw # files: firewall11.conf /etc/firewall11.conf # # Compiled for pf # # example to illustrate access to the firewall limited to only few # source addresses. Since in PF firewall is always part of "any", # have to explcitly add a rule to block ssh to the firewall # from other sources. 
# firewall11:Policy:0: warning: Changing rule direction due to self reference # firewall11:Policy:1: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/usr/sbin/pfctl" SYSCTL="/usr/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:11 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall11.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall110.conf.orig000066400000000000000000000011661303637203600207410ustar00rootroot00000000000000 # # Scrub rules # scrub in all fragment reassemble # Policy compiler errors and warnings: # firewall110:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it # # Rule 0 (global) # see #1867 this rule is non-terminating and should not shadow next pass inet from any to any tag tag2 # # Rule 1 (global) # firewall110:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it pass quick inet from any to any keep state queue ssh_q # # Rule 2 (global) pass inet from any to any tag INTNET keep state # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall110.fw.orig000077500000000000000000000024741303637203600204360ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:11 2011 PST by vadim # # files: * firewall110.fw /etc/fw/firewall110.fw # files: firewall110.conf /etc/fw/firewall110.conf # # Compiled for pf # # testing shadowing of rules with tag action # firewall110:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:11 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall110.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall111-Policy_1.conf.orig000066400000000000000000000000001303637203600224010ustar00rootroot00000000000000fwbuilder-5.3.7/test/pf/firewall111.conf.orig000066400000000000000000000132561303637203600207450ustar00rootroot00000000000000 # # Scrub rules # scrub in all fragment reassemble # Policy compiler errors and warnings: # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '8 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '9 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '18 (global)' below it # firewall111:Policy:2: 
error: Rule '2 (global)' shadows rule '19 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '20 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '21 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '30 (global)' below it # # Rule 0 (global) pass inet from any to any tag tag2 no state # # Rule 1 (global) pass inet from any to any tag tag2 # # Rule 2 (global) # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '18 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '19 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '20 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '21 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '30 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '8 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '9 (global)' below it pass quick inet from any to any tag tag2 # # Rule 3 (global) pass quick inet from any to any tag tag2 no state # # Rule 4 (global) pass inet from any to any tag tag2 no state # # Rule 5 (global) anchor "Policy_1" inet from any to any tag tag2 no state # # Rule 6 (global) pass inet from any to any no state queue ssh_q # # Rule 7 (global) pass inet from any to any queue ssh_q # # Rule 8 (global) pass quick inet from any to any queue ssh_q # # Rule 9 (global) pass quick inet from any to any no state queue ssh_q # # Rule 10 (global) pass inet from any to any no state queue ssh_q # # Rule 11 (global) anchor "Policy_1" inet from any to any no state queue ssh_q # # Rule 12 (global) pass in 
route-to { ( le0 192.168.1.100 ) } inet from any to any no state pass out route-to { ( le0 192.168.1.100 ) } inet from any to any no state # # Rule 13 (global) pass in route-to { ( le0 192.168.1.100 ) } inet from any to any pass out route-to { ( le0 192.168.1.100 ) } inet from any to any # # Rule 14 (global) pass in quick route-to { ( le0 192.168.1.100 ) } inet from any to any pass out quick route-to { ( le0 192.168.1.100 ) } inet from any to any # # Rule 15 (global) pass in quick route-to { ( le0 192.168.1.100 ) } inet from any to any no state pass out quick route-to { ( le0 192.168.1.100 ) } inet from any to any no state # # Rule 16 (global) pass in route-to { ( le0 192.168.1.100 ) } inet from any to any no state pass out route-to { ( le0 192.168.1.100 ) } inet from any to any no state # # Rule 17 (global) anchor "Policy_1" in route-to { ( le0 192.168.1.100 ) } inet from any to any no state anchor "Policy_1" out route-to { ( le0 192.168.1.100 ) } inet from any to any no state # # Rule 18 (global) pass inet from any to any tag tag2 no state queue ssh_q # # Rule 19 (global) pass inet from any to any tag tag2 queue ssh_q # # Rule 20 (global) pass quick inet from any to any tag tag2 queue ssh_q # # Rule 21 (global) pass quick inet from any to any tag tag2 no state queue ssh_q # # Rule 22 (global) pass inet from any to any tag tag2 no state queue ssh_q # # Rule 23 (global) anchor "Policy_1" inet from any to any tag tag2 no state queue ssh_q # # Rule 24 (global) pass in route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 no state queue ssh_q pass out route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 no state queue ssh_q # # Rule 25 (global) pass in route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 queue ssh_q pass out route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 queue ssh_q # # Rule 26 (global) pass in quick route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 queue ssh_q pass out quick route-to 
{ ( le0 192.168.1.100 ) } inet from any to any tag tag2 queue ssh_q # # Rule 27 (global) pass in quick route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 no state queue ssh_q pass out quick route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 no state queue ssh_q # # Rule 28 (global) pass in route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 no state queue ssh_q pass out route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 no state queue ssh_q # # Rule 29 (global) anchor "Policy_1" in route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 no state queue ssh_q anchor "Policy_1" out route-to { ( le0 192.168.1.100 ) } inet from any to any tag tag2 no state queue ssh_q # # Rule 30 (global) block quick inet from any to any no state # # Rule fallback rule # fallback rule block quick inet from any to any no state load anchor Policy_1 from "/etc/fw/firewall111-Policy_1.conf" fwbuilder-5.3.7/test/pf/firewall111.fw.orig000077500000000000000000000042431303637203600204330ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:12 2011 PST by vadim # # files: * firewall111.fw /etc/fw/firewall111.fw # files: firewall111.conf /etc/fw/firewall111.conf # files: firewall111-Policy_1.conf /etc/fw/firewall111-Policy_1.conf # # Compiled for pf 4.0 # # testing rules with options tag, classify and route and combinations # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '8 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '9 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '18 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '19 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '20 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '21 (global)' below it # firewall111:Policy:2: error: Rule '2 (global)' shadows rule '30 (global)' below it FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:12 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall111.conf || exit 1 
epilog_commandsfwbuilder-5.3.7/test/pf/firewall12.conf.orig000066400000000000000000000040401303637203600206540ustar00rootroot00000000000000 # Tables: (1) table { 22.22.22.22 , 22.22.23.22 } # # Rule 4 (NAT) rdr proto tcp from any to port 80 -> 127.0.0.1 port 8080 # # Rule 7 (NAT) nat on en0 proto udp from any port 6767 to any -> (en0) port 67 nat on en1 proto udp from any port 6767 to any -> (en1) port 67 # # Rule 9 (NAT) rdr proto tcp from any to any port 80 -> 127.0.0.1 port 8080 # # Rule 10 (NAT) # SDNAT rdr proto tcp from any to port 22 -> 192.168.1.10 port 22 nat on en0 proto tcp from any to 192.168.1.10 port 22 -> (en0) nat on en1 proto tcp from any to 192.168.1.10 port 22 -> (en1) # # Rule 11 (NAT) # SDNAT with source port rdr proto udp from any port 123 to -> 192.168.1.10 nat on en0 proto udp from any port 123 to 192.168.1.10 -> (en0) port 5050 nat on en1 proto udp from any port 123 to 192.168.1.10 -> (en1) port 5050 # # Rule 12 (NAT) # SDNAT with dest port rdr proto udp from 192.168.1.0/24 to any port 53 -> 192.168.1.10 port 1053 nat on en0 proto udp from 192.168.1.0/24 to 192.168.1.10 port 1053 -> (en0) nat on en1 proto udp from 192.168.1.0/24 to 192.168.1.10 port 1053 -> (en1) # # Rule 13 (NAT) # SDNAT # translate src and dst addresses # and src and dst ports rdr proto udp from 192.168.1.0/24 port 1024:65535 to any port 53 -> 192.168.1.10 port 1053 nat on en0 proto udp from 192.168.1.0/24 to 192.168.1.10 port 1053 -> (en0) port 32767:* nat on en1 proto udp from 192.168.1.0/24 to 192.168.1.10 port 1053 -> (en1) port 32767:* # # Rule 14 (NAT) # Matches destination port, translates source port nat on en0 proto udp from 192.168.1.0/24 to any port 53 -> (en0) port 5050 nat on en1 proto udp from 192.168.1.0/24 to any port 53 -> (en1) port 5050 # # Rule 0 (global) pass quick inet proto tcp from any to 22.22.22.23 port 8080 flags any label "RULE 0 -- ACCEPT " # # Rule 1 (global) block log quick inet from any to any no state label "RULE 1 -- DROP " # # Rule 
fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall12.fw.orig000077500000000000000000000072421303637203600203550ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:13 2011 PST by vadim # # files: * firewall12.fw /etc/fw/firewall12.fw # files: firewall12.conf /etc/fw/firewall12.conf # # Compiled for pf 4.0 # # This firewall does not do NAT for addresses, but translates port for a server FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "en0 22.22.22.22/0xffffff00" "" update_addresses_of_interface "en1 22.22.23.22/0xffffff00" "" 
update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Wed Nov 30 18:39:13 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall12.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall13.conf.orig000066400000000000000000000031471303637203600206640ustar00rootroot00000000000000 # NAT compiler errors and warnings: # firewall13:NAT:0: warning: Empty group or address table object 'egroup' # firewall13:NAT:0: warning: After removal of all empty groups and address table objects rule element OSrc becomes 'any' in the rule 0 (NAT) # Dropping rule 0 (NAT) because option 'Ignore rules with empty groups' is in effect # firewall13:NAT:1: warning: Empty group or address table object 'egroup' # firewall13:NAT:2: warning: Empty group or address table object 'sgroup' # firewall13:NAT:2: warning: After removal of all empty groups and address table objects rule element OSrv becomes 'any' in the rule 2 (NAT) # Dropping rule 2 (NAT) because option 'Ignore rules with empty groups' is in effect # # Rule 1 (NAT) # firewall13:NAT:1: warning: Empty group or address table object 'egroup' rdr proto tcp from 200.200.200.200 to 22.22.22.23 port 6667 -> 192.168.1.10 port 6667 # Policy compiler errors and warnings: # firewall13:Policy:0: warning: Empty group or address table object 'egroup2' # firewall13:Policy:1: warning: Empty group or address table object 'sgroup' # firewall13:Policy:1: warning: After removal of all empty groups and address table objects rule element Srv becomes 'any' in the rule 1 (global) # Dropping rule 1 (global) because option 'Ignore rules with empty groups' is in effect # # Rule 0 (global) # firewall13:Policy:0: warning: Empty group or address table object 'egroup2' pass quick inet from 200.200.200.200 to 192.168.1.10 keep state # # Rule 2 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any 
fwbuilder-5.3.7/test/pf/firewall13.fw.orig000077500000000000000000000045561303637203600203630ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:13 2011 PST by vadim # # files: * firewall13.fw /etc/fw/firewall13.fw # files: firewall13.conf /etc/fw/firewall13.conf # # Compiled for pf # # testing detection of empty groups # firewall13:NAT:0: warning: Empty group or address table object 'egroup' # firewall13:NAT:0: warning: After removal of all empty groups and address table objects rule element OSrc becomes 'any' in the rule 0 (NAT) # Dropping rule 0 (NAT) because option 'Ignore rules with empty groups' is in effect # firewall13:NAT:1: warning: Empty group or address table object 'egroup' # firewall13:NAT:2: warning: Empty group or address table object 'sgroup' # firewall13:NAT:2: warning: After removal of all empty groups and address table objects rule element OSrv becomes 'any' in the rule 2 (NAT) # Dropping rule 2 (NAT) because option 'Ignore rules with empty groups' is in effect # firewall13:Policy:0: warning: Empty group or address table object 'egroup2' # firewall13:Policy:1: warning: Empty group or address table object 'sgroup' # firewall13:Policy:1: warning: After removal of all empty groups and address table objects rule element Srv becomes 'any' in the rule 1 (global) # Dropping rule 1 (global) because option 'Ignore rules with empty groups' is in effect FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.directed-broadcast=0 $SYSCTL -w net.inet.ip.forwarding=1 $SYSCTL -w 
net.inet.ip.sourceroute=0 $SYSCTL -w net.inet.ip.redirect=0 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:13 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall13.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall14-1.conf.orig000066400000000000000000000007621303637203600210230ustar00rootroot00000000000000 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 64 max-mss 1460) # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall14-1.fw.orig000077500000000000000000000136201303637203600205120ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:14 2011 PST by vadim # # files: * firewall14-1.fw /etc/firewall14-1.fw # files: firewall14-1.conf /etc/firewall14-1.conf # # Compiled for pf 4.6 # # Testing scrub rules format PF 4.6 FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! 
prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev 
$parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG -A | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces vlan101 vlan103 update_vlans_of_interface "em0 vlan101:101 vlan103:103" update_addresses_of_interface "em0 10.1.1.50/0xffffff00" "" update_addresses_of_interface "pcn0 10.3.14.50/0xffffff00" "" update_addresses_of_interface "vlan101 10.100.101.1/0xffffff00" "" 
update_addresses_of_interface "vlan103 10.100.103.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:14 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall14-1.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall14.conf.orig000066400000000000000000000007521303637203600206640ustar00rootroot00000000000000 # # Scrub rules # scrub in all fragment reassemble no-df scrub out all random-id min-ttl 64 max-mss 1460 # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall14.fw.orig000077500000000000000000000136101303637203600203530ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:14 2011 PST by vadim # # files: * firewall14.fw /etc/firewall14.fw # files: firewall14.conf /etc/firewall14.conf # # Compiled for pf 4.0 # # Testing scrub rules format PF < 4.6 FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test 
"$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG -A | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces vlan101 vlan103 update_vlans_of_interface "em0 vlan101:101 vlan103:103" update_addresses_of_interface "em0 10.1.1.50/0xffffff00" "" update_addresses_of_interface "pcn0 10.3.14.50/0xffffff00" "" update_addresses_of_interface "vlan101 10.100.101.1/0xffffff00" "" update_addresses_of_interface "vlan103 10.100.103.1/0xffffff00" "" } log 
"Activating firewall script generated Wed Nov 30 18:39:14 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall14.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall2-1.conf.orig000066400000000000000000000054531303637203600207420ustar00rootroot00000000000000 set limit { frags 5000, states 10000 } set optimization aggressive set timeout tcp.first 5 set timeout tcp.opening 5 set timeout tcp.established 10 # # Prolog script # # prolog # prolog commands go after set commands # # End of prolog script # # # Scrub rules # scrub in all fragment reassemble no-df scrub out all random-id min-ttl 32 max-mss 1460 # Tables: (1) table { 22.22.22.22 , 192.168.1.1 } # NAT compiler errors and warnings: # firewall2-1:NAT:1: error: Negation in original service is not supported. # firewall2-1:NAT:2: error: Can not translate 'any' into a specific service. # firewall2-1:NAT:3: error: Can not use negation in translated source. # firewall2-1:NAT:4: error: Can not use negation in translated destination. # firewall2-1:NAT:5: error: Can not use negation in translated service. # firewall2-1:NAT:6: error: Translated service should be 'Original' or should contain single object. # firewall2-1:NAT:7: error: Translated service should be 'Original' or should contain single object. # firewall2-1:NAT:9: error: Can not use unnumbered interface in Translated Source of a Source translation rule. # firewall2-1:NAT:12: error: Can not use network or address range object in translated destination. # firewall2-1:NAT:13: error: Can not use network or address range object in translated destination. # firewall2-1:NAT:15: error: Can not use network or address range object in translated destination. 
# firewall2-1:NAT:16: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' # firewall2-1:NAT:16: error: Action 'Branch' needs NAT rule set to point to # firewall2-1:NAT:17: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' # # Rule 0 (NAT) rdr on { eth1 eth0 } from any to -> 192.168.1.10 # # Rule 8 (NAT) no nat proto tcp from 192.168.1.0/24 to any no rdr proto tcp from 192.168.1.0/24 to any # # Rule 10 (NAT) no nat proto tcp from any to 22.22.22.22 no rdr proto tcp from any to 22.22.22.22 # # Rule 11 (NAT) rdr proto tcp from any to (eth1) port 1080 -> { 192.168.1.10 , 192.168.1.20 } port 1080 # # Rule 14 (NAT) nat from 192.168.1.0/24 to any -> 22.22.22.0/28 # # Rule 17 (NAT) # firewall2-1:NAT:17: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' nat-anchor "NAT" proto tcp from 192.168.1.0/24 to any port 1080 rdr-anchor "NAT" proto tcp from 192.168.1.0/24 to any port 1080 # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 192.168.1.100 to self port 22 keep state label "RULE -1 - ACCEPT **" # # Rule 0 (global) # 'catch all' rule block log quick inet from any to any label "RULE 0 - DROP **" # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 - DROP **" fwbuilder-5.3.7/test/pf/firewall2-1.fw.orig000077500000000000000000000050441303637203600204300ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:16 2011 PST by vadim # # files: * firewall2-1.fw /etc/fw/firewall2-1.fw # files: firewall2-1.conf /etc/fw/firewall2-1.conf # # Compiled for pf # # testing different errors in NATCompiler_pf::VerifyRules # firewall2-1:NAT:17: warning: Rule branches to rule set NAT which branches back to it, creating a loop # firewall2-1:NAT:1: error: Negation in original service is not supported. 
# firewall2-1:NAT:2: error: Can not translate 'any' into a specific service. # firewall2-1:NAT:3: error: Can not use negation in translated source. # firewall2-1:NAT:4: error: Can not use negation in translated destination. # firewall2-1:NAT:5: error: Can not use negation in translated service. # firewall2-1:NAT:6: error: Translated service should be 'Original' or should contain single object. # firewall2-1:NAT:7: error: Translated service should be 'Original' or should contain single object. # firewall2-1:NAT:9: error: Can not use unnumbered interface in Translated Source of a Source translation rule. # firewall2-1:NAT:12: error: Can not use network or address range object in translated destination. # firewall2-1:NAT:13: error: Can not use network or address range object in translated destination. # firewall2-1:NAT:15: error: Can not use network or address range object in translated destination. # firewall2-1:NAT:16: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' # firewall2-1:NAT:16: error: Action 'Branch' needs NAT rule set to point to # firewall2-1:NAT:17: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:16 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall2-1.conf || exit 1 
epilog_commandsfwbuilder-5.3.7/test/pf/firewall2-6.conf.orig000066400000000000000000000030311303637203600207350ustar00rootroot00000000000000 # # Rule 0 (NAT) # NETMAP and no -o itf nat from 192.168.1.0/24 to any -> 22.22.22.0/24 # # Rule 1 (NAT) nat on em1 from 192.168.1.0/24 to any -> 222.222.222.40 # # Rule 2 (NAT) # nat on em3 from 192.168.1.0/24 to any -> 222.222.222.40 # # Rule 3 (NAT) # nat on { em1 em3 } from 192.168.1.0/24 to any -> 222.222.222.40 # # Rule 4 (NAT) nat on { em1 em3 } from 192.168.1.0/24 to any -> 222.222.222.40 # # Rule 5 (NAT) # nat on ! em3 from 192.168.1.0/24 to any -> 222.222.222.40 # # Rule 6 (NAT) # nat on { em0 em2 } from 192.168.1.0/24 to any -> 222.222.222.40 # # Rule 7 (NAT) nat on { em0 em2 } from 192.168.1.0/24 to any -> 222.222.222.40 # # Rule 8 (NAT) rdr from any to 222.222.222.40 -> 192.168.1.10 # # Rule 9 (NAT) rdr on em0 from any to 222.222.222.40 -> 192.168.1.10 # # Rule 10 (NAT) rdr on { em0 em2 } from any to 222.222.222.40 -> 192.168.1.10 # # Rule 11 (NAT) rdr on { em0 em2 } from any to 222.222.222.40 -> 192.168.1.10 # # Rule 12 (NAT) rdr on ! em0 from any to 222.222.222.40 -> 192.168.1.10 # # Rule 13 (NAT) rdr on { em1 em3 } from any to 222.222.222.40 -> 192.168.1.10 # # Rule 14 (NAT) rdr on { em1 em3 } from any to 222.222.222.40 -> 192.168.1.10 # # Rule 15 (NAT) # REDIRECT rdr on em0 proto tcp from any to any port 80 -> 127.0.0.1 port 3128 # # Rule 0 (global) # 'catch all' rule block log quick inet from any to any label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall2-6.fw.orig000077500000000000000000000076231303637203600204420ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:17 2011 PST by vadim # # files: * firewall2-6.fw /etc/firewall2-6.fw # files: firewall2-6.conf /etc/firewall2-6.conf # # Compiled for pf # # tests for nat rules with inbound and outbound interfaces FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { 
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "em0 192.168.1.1/0xffffff00" "" update_addresses_of_interface "em1 222.222.222.222/0xffffff00 222.222.222.40/0xffffff00" "" update_addresses_of_interface "em2 33.33.33.3/0xfffffff8 33.33.33.4/0xfffffff8" "" update_addresses_of_interface "em3 33.33.33.25/0xfffffff8" "" update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Wed Nov 30 18:39:17 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall2-6.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall2.conf.orig000066400000000000000000000200151303637203600205730ustar00rootroot00000000000000 set limit { frags 5000, states 10000 } set optimization aggressive set timeout tcp.first 5 set timeout tcp.opening 5 set timeout tcp.established 10 # # Prolog script # # prolog # prolog commands go after set commands # # End of prolog script # # # Scrub rules # scrub in all fragment reassemble no-df scrub out all random-id min-ttl 32 max-mss 1460 # Tables: (4) table { 192.168.1.10 , 192.168.1.20 } table { eth4 , 22.22.22.22 , 22.22.23.23 , 192.168.1.1 , 192.168.2.1 } table 
{ 192.168.1.0/24 , 192.168.2.0/24 } table { self , 192.168.1.0/24 } # # Rule 0 (NAT) nat on eth0 from 192.168.1.0/24 to any -> (eth0) nat on eth1 from 192.168.1.0/24 to any -> (eth1) nat on eth3 from 192.168.1.0/24 to any -> (eth3) nat on eth2 from 192.168.1.0/24 to any -> (eth2) nat on eth4 from 192.168.1.0/24 to any -> (eth4) # # Rule 1 (NAT) nat from to any -> 22.22.22.23 # # Rule 2 (NAT) nat from 192.168.1.0/24 to -> 192.168.1.1 # # Rule 3 (NAT) nat on eth0 proto tcp from 192.168.1.0/24 to any port 80 -> (eth0) nat on eth1 proto tcp from 192.168.1.0/24 to any port 80 -> (eth1) nat on eth3 proto tcp from 192.168.1.0/24 to any port 80 -> (eth3) nat on eth2 proto tcp from 192.168.1.0/24 to any port 80 -> (eth2) nat on eth4 proto tcp from 192.168.1.0/24 to any port 80 -> (eth4) # # Rule 4 (NAT) nat proto tcp from to any port 80 -> 22.22.22.23 # # Rule 5 (NAT) nat proto tcp from 192.168.1.0/24 to port 80 -> 192.168.1.1 # # Rule 6 (NAT) nat on eth0 proto 47 from 192.168.1.0/24 to any -> (eth0) nat on eth1 proto 47 from 192.168.1.0/24 to any -> (eth1) nat on eth3 proto 47 from 192.168.1.0/24 to any -> (eth3) nat on eth2 proto 47 from 192.168.1.0/24 to any -> (eth2) nat on eth4 proto 47 from 192.168.1.0/24 to any -> (eth4) # # Rule 7 (NAT) nat proto icmp from to any -> 22.22.22.23 # # Rule 8 (NAT) nat proto udp from 192.168.1.0/24 to port 53 -> 192.168.1.1 # # Rule 9 (NAT) rdr from any to 22.22.22.23 -> 192.168.1.10 # # Rule 10 (NAT) rdr proto tcp from any to 22.22.22.23 port 80 -> 192.168.1.10 port 80 rdr proto tcp from any to 22.22.22.23 port 119 -> 192.168.1.10 port 119 # # Rule 11 (NAT) rdr proto tcp from any to 22.22.22.22 port 119 -> 192.168.1.10 port 119 # # Rule 12 (NAT) nat from 192.168.1.20 to any -> 22.22.23.24 # # Rule 16 (NAT) rdr from any to -> 192.168.1.10 # # Rule 17 (NAT) rdr on eth1 from any to 22.22.22.22 -> 192.168.1.10 # # Rule 18 (NAT) rdr on eth1 from any to 22.22.22.22 -> 192.168.1.10 # # Rule 19 (NAT) rdr proto 47 from any to -> 192.168.1.10 # 
# Rule 20 (NAT) rdr proto tcp from any to port 10000:11000 -> 192.168.1.10 port 10000:* # # Rule 21 (NAT) rdr on eth1 proto tcp from any to 22.22.22.22 port 10000:11000 -> 192.168.1.10 port 10000:* # # Rule 22 (NAT) rdr on eth1 proto tcp from any to 22.22.22.22 port 10000:11000 -> 192.168.1.10 port 10000:* # # Rule 23 (NAT) rdr on eth1 proto tcp from any to 22.22.22.22 port 10000:11000 -> 192.168.1.10 port 10000:* nat on eth0 proto tcp from any to 192.168.1.10 port 10000:11000 -> 192.168.1.1 # # Rule 24 (NAT) rdr proto tcp from any to 22.22.22.23 port 80 -> 192.168.1.10 port 25 # # Rule 25 (NAT) rdr proto tcp from 192.168.1.0/24 to any port 80 -> 127.0.0.1 port 80 # # Rule 26 (NAT) rdr proto tcp from 192.168.1.0/24 to any port 80 -> (eth0) port 80 # # Rule 27 (NAT) rdr proto tcp from any to port 1080 -> 127.0.0.1 port 80 # # Rule 28 (NAT) # SF bug 3162862 rdr proto tcp from 192.168.1.0/24 to ! 192.168.1.0/24 port 80 -> 192.168.1.10 port 10000:* # # Rule 29 (NAT) # SF bug 3162862 rdr proto tcp from 192.168.1.0/24 to ! port 80 -> 192.168.1.10 port 10000:* # # Rule 30 (NAT) # SF bug 3162862 rdr proto tcp from 192.168.1.0/24 to ! port 80 -> 127.0.0.1 port 10000:* # # Rule 31 (NAT) # for bug 1111267: this custom service object has # "proto ..." in the protocol string, compiler can put # it in generated nat command in the right place. nat on eth1 proto {tcp udp icmp gre} from 192.168.1.0/24 to any -> 22.22.22.22 # # Rule 32 (NAT) # for bug 1111267: this custom service object # has "proto .." in the code string but we can't insert # it in the generated nat command b/c it would appear # in the wrong place, after "from". 
nat on eth1 from 192.168.1.0/24 to any -> 22.22.22.22 # # Rule 33 (NAT) nat on eth1 proto tcp from 192.168.1.0/24 to any -> 22.22.22.22 nat on eth1 proto udp from 192.168.1.0/24 to any -> 22.22.22.22 nat on eth1 proto 47 from 192.168.1.0/24 to any -> 22.22.22.22 nat on eth1 proto icmp from 192.168.1.0/24 to any -> 22.22.22.22 # # Rule 34 (NAT) nat on eth0 proto tcp from 192.168.1.0/24 to any port 80 -> (eth0) # # Rule 35 (NAT) nat on eth4 proto tcp from 192.168.1.0/24 to any port 80 -> (eth4) # # Rule 36 (NAT) rdr proto tcp from any to 22.22.22.22 port 119 -> { 192.168.1.10 , 255.255.255.255 } port 119 # # Rule 37 (NAT) rdr on eth1 proto tcp from any to (eth1) port 119 -> { 192.168.1.10 , 255.255.255.255 } port 119 round-robin # # Rule 38 (NAT) nat from eth0:network to any -> 22.22.22.0/24 # # Rule 39 (NAT) nat from eth0:network to any -> eth1:network # Policy compiler errors and warnings: # firewall2:Policy:12: warning: Changing rule direction due to self reference # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 192.168.1.100 to self port 22 keep state label "RULE -1 - ACCEPT **" # # Rule 0 (eth0) block in log quick on eth0 inet from ! 
192.168.1.0/24 to any label "RULE 0 - DROP **" # # Rule 1 (eth1) # Anti-spoofing rule block in log quick on eth1 inet from self to any label "Iface: eth1 RULE 1 -- DROP **" block in log quick on eth1 inet from 192.168.1.0/24 to any label "Iface: eth1 RULE 1 -- DROP **" # # Rule 2 (f2i1,3) # rules 2,3,4 test group # usage in interface # all three rules should yield # the same config block in log quick on { eth1 eth3 } inet from self to any label "Iface: eth1 eth3 RULE 2 -- DROP **" block in log quick on { eth1 eth3 } inet from 192.168.1.0/24 to any label "Iface: eth1 eth3 RULE 2 -- DROP **" # # Rule 3 (f2i1,eth3) # Anti-spoofing rule block in log quick on { eth1 eth3 } inet from self to any label "Iface: eth1 eth3 RULE 3 -- DROP **" block in log quick on { eth1 eth3 } inet from 192.168.1.0/24 to any label "Iface: eth1 eth3 RULE 3 -- DROP **" # # Rule 4 (eth1,eth3) # Anti-spoofing rule block in log quick on { eth1 eth3 } inet from self to any label "Iface: eth1 eth3 RULE 4 -- DROP **" block in log quick on { eth1 eth3 } inet from 192.168.1.0/24 to any label "Iface: eth1 eth3 RULE 4 -- DROP **" # # Rule 5 (eth1) # Anti-spoofing rule block out log quick on eth1 inet from ! 
to any label "Iface: eth1 RULE 5 -- DROP **" # # Rule 6 (global) # block fragments block log quick inet from any to any fragment label "RULE 6 - DROP **" # # Rule 7 (global) # sends TCP RST and makes custom record in the log block return-rst log quick inet proto tcp from any to any port 113 label "IDENT" # # Rule 8 (global) pass quick inet from to 200.200.200.200 keep state label "RULE 8 - ACCEPT **" # # Rule 9 (global) pass quick inet from 200.200.200.200 to keep state label "RULE 9 - ACCEPT **" # # Rule 10 (global) # 'masquerading' rule pass quick inet from 192.168.1.0/24 to any keep state label "RULE 10 - ACCEPT **" # # Rule 12 (global) # firewall2:Policy:12: warning: Changing rule direction due to self reference pass in quick inet proto tcp from any to self port { 21, 80, 25 } keep state label "RULE 12 - ACCEPT **" pass quick inet proto tcp from any to 192.168.1.10 port { 21, 80, 25 } keep state label "RULE 12 - ACCEPT **" # # Rule 13 (global) # 'catch all' rule block log quick inet from any to any label "RULE 13 - DROP **" # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 - DROP **" fwbuilder-5.3.7/test/pf/firewall2.fw.orig000077500000000000000000000024611303637203600202720ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:15 2011 PST by vadim # # files: * firewall2.fw /etc/fw/firewall2.fw # files: firewall2.conf /etc/fw/firewall2.conf # # Compiled for pf # # this object has several interfaces and shows different rules for NAT. 
Also testing policy rule options # firewall2:Policy:12: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:15 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall2.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall20.conf.orig000066400000000000000000000013061303637203600206550ustar00rootroot00000000000000 # # Rule 0 (NAT) nat on dc2 from 192.168.1.0/24 to any -> (dc2) nat on dc0 from 192.168.1.0/24 to any -> (dc0) nat on dc1 from 192.168.1.0/24 to any -> (dc1) # # Rule 1 (NAT) nat on dc1 from 192.168.1.0/24 to any -> (dc1) # # Rule 2 (NAT) nat on dc1 from 192.168.1.0/24 to any -> 222.222.222.20 # # Rule 3 (NAT) nat on dc0 from 192.168.1.0/24 to any -> 222.222.222.40 # # Rule 0 (dc0) pass in quick on dc0 inet from any to 222.222.222.22 keep state # # Rule 1 (dc1) pass out quick on dc1 inet from any to 222.222.222.22 keep state # # Rule 2 (global) block quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall20.fw.orig000077500000000000000000000022331303637203600203470ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:15 2011 PST by vadim # # files: * firewall20.fw /etc/fw/firewall20.fw # files: firewall20.conf /etc/fw/firewall20.conf # # Compiled for pf # # firewall using proxy arp FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:15 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall20.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall21-NAT_1.conf.orig000066400000000000000000000001741303637203600215200ustar00rootroot00000000000000# # Rule NAT_1 0 (NAT) nat on en1 from 192.168.1.0/24 to any -> (en1) nat on en0 from 192.168.1.0/24 to any -> (en0) fwbuilder-5.3.7/test/pf/firewall21.conf.orig000066400000000000000000000016771303637203600206710ustar00rootroot00000000000000 # NAT compiler errors and warnings: # firewall21:NAT:3: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' # # Rule 0 (NAT) nat-anchor "ftp-proxy/*" rdr-anchor "ftp-proxy/*" # # Rule 1 (NAT) rdr proto tcp from 192.168.1.0/24 to any port 21 -> 127.0.0.1 port 8021 # # Rule 2 (NAT) nat-anchor "NAT_1" from 192.168.1.0/24 to any rdr-anchor "NAT_1" from 192.168.1.0/24 to any # # Rule 3 (NAT) # firewall21:NAT:3: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' nat-anchor "NAT_1" from 192.168.1.0/24 to any rdr-anchor "NAT_1" from 192.168.1.0/24 to any # # Rule 0 (global) anchor "ftp-proxy/*" inet from 
any to any no state # # Rule 1 (global) pass quick inet proto tcp from any to 127.0.0.1 port 8021 flags any # # Rule fallback rule # fallback rule block quick inet from any to any no state load anchor NAT_1 from "/etc/fw/firewall21-NAT_1.conf" fwbuilder-5.3.7/test/pf/firewall21.fw.orig000077500000000000000000000032731303637203600203550ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:16 2011 PST by vadim # # files: * firewall21.fw /etc/fw/firewall21.fw # files: firewall21.conf /etc/fw/firewall21.conf # files: firewall21-NAT_1.conf /etc/fw/firewall21-NAT_1.conf # # Compiled for pf 4.0 # # branching in NAT rules # PF v4.0-4.2 # firewall21:ftp-proxy/*:: warning: The name of the NAT ruleset ftp-proxy/* ends with '/*', assuming it is externally controlled and skipping it. # firewall21:ftp-proxy/*:: warning: The name of the Policy ruleset ftp-proxy/* ends with '/*', assuming it is externally controlled and skipping it. 
# firewall21:NAT:3: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/usr/local/bin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:16 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall21.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall22-NAT_1.conf.orig000066400000000000000000000001741303637203600215210ustar00rootroot00000000000000# # Rule NAT_1 0 (NAT) nat on en1 from 192.168.1.0/24 to any -> (en1) nat on en0 from 192.168.1.0/24 to any -> (en0) fwbuilder-5.3.7/test/pf/firewall22.conf.orig000066400000000000000000000015171303637203600206630ustar00rootroot00000000000000 set state-policy if-bound # # Scrub rules # scrub in all fragment reassemble # NAT compiler errors and warnings: # firewall22:NAT:2: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' # # Rule 0 (NAT) nat-anchor "ftp-proxy/*" rdr-anchor "ftp-proxy/*" # # Rule 1 (NAT) nat-anchor "NAT_1" from 192.168.1.0/24 to any rdr-anchor "NAT_1" from 192.168.1.0/24 to any # # Rule 2 (NAT) # firewall22:NAT:2: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' nat-anchor "NAT_1" from 192.168.1.0/24 to any rdr-anchor "NAT_1" from 192.168.1.0/24 to any # # Rule 0 (global) block log quick inet from any to any no state # # Rule fallback rule # fallback rule block quick inet from any to 
any no state load anchor NAT_1 from "/etc/fw/firewall22-NAT_1.conf" fwbuilder-5.3.7/test/pf/firewall22.fw.orig000077500000000000000000000030541303637203600203530ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:17 2011 PST by vadim # # files: * firewall22.fw /etc/fw/firewall22.fw # files: firewall22.conf /etc/fw/firewall22.conf # files: firewall22-NAT_1.conf /etc/fw/firewall22-NAT_1.conf # # Compiled for pf 4.3 # # branching in NAT rules # PF v4.3 and later # firewall22:ftp-proxy/*:: warning: The name of the NAT ruleset ftp-proxy/* ends with '/*', assuming it is externally controlled and skipping it. # firewall22:NAT:2: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/usr/local/bin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:17 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall22.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall3.conf.orig000066400000000000000000000023421303637203600205770ustar00rootroot00000000000000 set optimization conservative # # Scrub rules # scrub in all no-df scrub out all random-id # # Prolog script # # prolog # prolog commands go after scrub commands # # End of prolog script # # # Rule 0 (NAT) nat on le0 from 192.168.1.0/24 to any -> 22.22.22.21 # # 
Rule 1 (NAT) nat on le0 from 192.168.1.0/24 to any -> (le0) bitmask # # Rule 2 (NAT) nat from 192.168.1.0/24 to any -> 22.22.22.0/28 source-hash # # Rule 3 (NAT) nat from 192.168.1.0/24 to any -> { 22.22.22.1 , 22.22.22.2/31 , 22.22.22.4 , 22.22.22.5 } round-robin static-port # # Rule 4 (NAT) rdr from any to 22.22.22.21 -> { 192.168.1.10 , 192.168.1.20 } round-robin # Policy compiler errors and warnings: # firewall3:Policy:0: warning: Changing rule direction due to self reference # # Rule 0 (global) # All other attempts to connect to # the firewall are denied and logged # firewall3:Policy:0: warning: Changing rule direction due to self reference block in log quick inet from any to self label "RULE 0 -- DROP " # # Rule 1 (global) pass quick inet from 192.168.1.0/24 to any keep state ( max 1000 ) label "RULE 1 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall3.fw.orig000077500000000000000000000075001303637203600202720ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:18 2011 PST by vadim # # files: * firewall3.fw /etc/firewall3.fw # files: firewall3.conf /etc/firewall3.conf # # Compiled for pf # # testing NAT rules with multiple objects in TSrc and TDst and NAT rule options # firewall3:Policy:0: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { 
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "le0 22.22.22.21/0xffffff00 22.22.22.22/0xffffff00 22.22.22.0/0xffffff00 22.22.22.1/0xffffff00" "" update_addresses_of_interface "le1 192.168.1.1/0xffffff00" "" update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Wed Nov 30 18:39:18 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall3.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall33.conf.orig000066400000000000000000000061231303637203600206630ustar00rootroot00000000000000 # Tables: (4) table { 157.166.226.25 , 157.166.226.26 , 157.166.255.18 , 157.166.255.19 } table { www.google.com , 157.166.226.25 , 157.166.226.26 , 157.166.255.18 , 157.166.255.19 } table { www.google.com , www.cnn.com } table { 74.125.224.144 , 74.125.224.145 , 74.125.224.146 , 74.125.224.147 , 74.125.224.148 , 157.166.226.25 , 157.166.226.26 , 157.166.255.18 , 157.166.255.19 } # # Rule 0 (NAT) nat on eth0.100 from any to -> (eth0.100) # # Rule 1 (NAT) nat on eth0.100 from any to www.cnn.com -> (eth0.100) # # Rule 2 (NAT) nat on eth0.100 from any to -> (eth0.100) # # Rule 3 
(NAT) nat on eth0.100 from any to ! -> (eth0.100) # Policy compiler errors and warnings: # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode # firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode # # Rule 0 (global) pass quick inet from to any keep state label "RULE 0 -- ACCEPT on global " # # Rule 1 (global) pass quick inet from www.cnn.com to any keep state label "RULE 1 -- ACCEPT on global " # # Rule 2 (global) # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode pass quick inet from 192.0.2.1 to any keep state label "RULE 2 -- ACCEPT on global " # # Rule 3 (global) pass quick inet from buildmaster to any keep state label "RULE 3 -- ACCEPT on global " # # Rule 4 (global) block quick inet from any to ! label "RULE 4 -- DROP on global " # # Rule 5 (global) block quick inet from any to ! www.cnn.com label "RULE 5 -- DROP on global " # # Rule 6 (global) # firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode pass quick inet from any to ! 192.0.2.1 keep state label "RULE 6 -- ACCEPT on global " # # Rule 7 (global) pass quick inet from any to ! buildmaster keep state label "RULE 7 -- ACCEPT on global " # # Rule 8 (global) pass quick inet from any to ! keep state label "RULE 8 -- ACCEPT on global " # # Rule 9 (global) pass quick inet from any to ! 
keep state label "RULE 9 -- ACCEPT on global " # # Rule 10 (global) pass quick inet from any to ! keep state label "RULE 10 -- ACCEPT on global " # # Rule 11 (global) block log quick inet from any to any label "RULE 11 -- DROP on global " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP on global " fwbuilder-5.3.7/test/pf/firewall33.fw.orig000077500000000000000000000100451303637203600203530ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:18 2011 PST by vadim # # files: * firewall33.fw /etc/fw/firewall33.fw # files: firewall33.conf /etc/fw/firewall33.conf # # Compiled for pf # # testing DNSName object # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode # firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "eth1 192.168.1.100/0xffffff00" "" update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } log "Activating firewall 
script generated Wed Nov 30 18:39:18 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall33.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall34.conf.orig000066400000000000000000000056061303637203600206710ustar00rootroot00000000000000 # Tables: (4) table persist file "block-hosts.tbl" table persist table { 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.1.200 , 192.168.1.201 , 192.168.2.128/25 } table { 7.7.7.7 , 61.150.47.112 , 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.1.200 , 192.168.1.201 , 192.168.2.128/25 } # # Rule 0 (NAT) rdr on eth0.100 proto tcp from ! to (eth0.100) port 25 -> 192.168.1.10 port 25 # # Rule 1 (NAT) rdr on eth0.100 proto tcp from to (eth0.100) port 25 -> 192.168.1.10 port 25 rdr on eth0.100 proto tcp from to (eth0.100) port 25 -> 192.168.1.10 port 25 # # Rule 2 (NAT) nat on eth0.100 from 192.168.1.0/24 to ! -> (eth0.100) # # Rule 3 (NAT) rdr proto tcp from any to (eth0.100) port 25 -> { 192.168.1.1 , 192.168.1.2 , 192.168.1.200 , 192.168.1.201 , 192.168.1.3/30 , 192.168.2.128/25 } port 25 # # Rule 4 (NAT) rdr from any to (eth0.100) -> { 192.168.1.1 , 192.168.1.2 , 192.168.1.200 , 192.168.1.201 , 192.168.1.3/30 , 192.168.2.128/25 } # # Rule 5 (NAT) no nat from 192.168.1.0/24 to no rdr from 192.168.1.0/24 to # # Rule 6 (NAT) rdr from 192.168.1.0/24 to -> (lo) # # Rule 0 (global) pass quick inet from any to keep state label "RULE 0 -- ACCEPT on global " # # Rule 1 (global) block log quick inet from any to label "RULE 1 -- DROP on global " # # Rule 2 (global) block log quick inet from any to label "RULE 2 -- DROP on global " block log quick inet from any to label "RULE 2 -- DROP on global " # # Rule 3 (global) block log quick inet from any to label "RULE 3 -- DROP on global " # # Rule 4 (global) block log quick inet from to any label "RULE 4 -- DROP on global " # # Rule 5 (global) block quick inet proto tcp from any to port 25 label "RULE 5 -- DROP on global " block quick inet 
proto tcp from any to 61.150.47.112 port 25 label "RULE 5 -- DROP on global " # # Rule 6 (global) block log quick inet from to any label "RULE 6 -- DROP on global " # # Rule 7 (global) block log quick inet from to any label "RULE 7 -- DROP on global " block log quick inet from 61.150.47.112 to any label "RULE 7 -- DROP on global " # # Rule 9 (global) pass quick inet proto tcp from any to 192.168.1.10 port 25 keep state ( max-src-conn 5, overload flush global ) label "RULE 9 -- ACCEPT on global " # # Rule 10 (global) pass quick inet from 192.168.1.0/24 to any keep state label "RULE 10 -- ACCEPT on global " # # Rule 11 (global) block log quick inet from any to any label "RULE 11 -- DROP on global " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP on global " fwbuilder-5.3.7/test/pf/firewall34.fw.orig000077500000000000000000000070531303637203600203610ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:19 2011 PST by vadim # # files: * firewall34.fw /etc/fw/firewall34.fw # files: firewall34.conf /etc/fw/firewall34.conf # # Compiled for pf # # testing AddressTable object FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "eth1 192.168.1.100/0xffffff00" "" update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } log "Activating firewall 
script generated Wed Nov 30 18:39:19 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall34.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall38.conf.orig000066400000000000000000000025461303637203600206750ustar00rootroot00000000000000 # # Scrub rules # scrub in all fragment reassemble # # Rule 0 (NAT) nat on le0 from 192.168.1.0/24 to any -> (le0) nat on enc1 from 192.168.1.0/24 to any -> (enc1) # # Rule 1 (NAT) nat on le0 from 192.168.1.0/24 to any tagged ipsec_tag -> (le0) nat on enc1 from 192.168.1.0/24 to any tagged ipsec_tag -> (enc1) # # Rule 0 (le0) pass in on le0 inet from any to any tag INTNET keep state # # Rule 1 (enc1) pass in quick on enc1 inet from any to any keep state # # Rule 2 (enc0) pass out quick on enc0 inet from any to any tagged INTNET keep state # # Rule 3 (enc0) pass out quick on enc0 inet proto tcp from any to any port 80 keep state # # Rule 4 (lo) pass quick on lo inet from any to any keep state # # Rule 5 (global) pass quick inet from any to any tagged ipsec_tag keep state # # Rule 6 (global) pass quick inet from any to any tagged ipsec_tag keep state pass quick inet from any to any tagged tag2 keep state # # Rule 8 (global) pass quick inet proto tcp from any to any port 80 keep state pass quick inet from any to any tagged ipsec_tag keep state # # Rule 10 (global) pass quick inet proto tcp from 192.168.1.0/24 to any port 25 queue mail # # Rule 11 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall38.fw.orig000077500000000000000000000023271303637203600203640ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:19 2011 PST by vadim # # files: * firewall38.fw /etc/fw/firewall38.fw # files: firewall38.conf /etc/fw/firewall38.conf # # Compiled for pf # # testing rules with tag service FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:19 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall38.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall39-rule2_branch.conf.orig000066400000000000000000000005651303637203600232410ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall39:rule2_branch:0: warning: Changing rule direction due to self reference # # Rule rule2_branch 0 (global) # firewall39:rule2_branch:0: warning: Changing rule direction due to self reference pass in quick inet from any to self keep state # # Rule rule2_branch 1 (global) block log quick inet from any to any fwbuilder-5.3.7/test/pf/firewall39-rule3_branch.conf.orig000066400000000000000000000005441303637203600232370ustar00rootroot00000000000000 # Tables: (1) table { 192.168.1.11 , 192.168.1.12 } # # Rule rule3_branch 0 (global) pass in quick inet from any to 192.168.1.10 keep state # # Rule rule3_branch 1 (global) pass quick inet from any to ! 
keep state # # Rule rule3_branch 2 (global) block log quick inet from any to any fwbuilder-5.3.7/test/pf/firewall39-rule5_branch.conf.orig000066400000000000000000000000001303637203600232240ustar00rootroot00000000000000fwbuilder-5.3.7/test/pf/firewall39.conf.orig000066400000000000000000000033431303637203600206720ustar00rootroot00000000000000 # # Scrub rules # scrub in all fragment reassemble # # Rule 0 (NAT) nat on le0 from 192.168.1.0/24 to any -> (le0) nat on enc1 from 192.168.1.0/24 to any -> (enc1) # # Rule 1 (NAT) nat on le0 from 192.168.1.0/24 to any tagged ipsec_tag -> (le0) nat on enc1 from 192.168.1.0/24 to any tagged ipsec_tag -> (enc1) # # Rule 0 (le0) pass in on le0 inet from any to any tag INTNET keep state # # Rule 1 (enc1) pass in quick on enc1 inet from any to any keep state # # Rule 2 (enc0) # logging is not allowed with 'anchor' # compiler should not generate 'log' keyword anchor "rule2_branch" in on enc0 inet proto 50 from any to any anchor "rule2_branch" in on enc0 inet proto 51 from any to any # # Rule 3 (enc0) anchor "rule3_branch" in on enc0 inet proto tcp from any to any port 80 # # Rule 4 (lo) pass quick on lo inet from any to any keep state # # Rule 5 (global) anchor "rule5_branch" inet proto 50 from any to any anchor "rule5_branch" inet proto 51 from any to any # # Rule 6 (global) pass quick inet proto 50 from any to any keep state pass quick inet proto 51 from any to any keep state # # Rule 7 (global) pass quick inet proto tcp from any to any port 80 keep state pass quick inet from any to any tagged ipsec_tag keep state # # Rule 9 (global) pass quick inet proto tcp from 192.168.1.0/24 to any port 25 queue mail # # Rule 10 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any load anchor rule2_branch from "/etc/fw/firewall39-rule2_branch.conf" load anchor rule3_branch from "/etc/fw/firewall39-rule3_branch.conf" load anchor rule5_branch from 
"/etc/fw/firewall39-rule5_branch.conf" fwbuilder-5.3.7/test/pf/firewall39.fw.orig000077500000000000000000000027321303637203600203650ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:20 2011 PST by vadim # # files: * firewall39.fw pf.fw # files: firewall39.conf pf.conf # files: firewall39-rule2_branch.conf /etc/fw/firewall39-rule2_branch.conf # files: firewall39-rule3_branch.conf /etc/fw/firewall39-rule3_branch.conf # files: firewall39-rule5_branch.conf /etc/fw/firewall39-rule5_branch.conf # # Compiled for pf # # testing branching rules # firewall39:rule2_branch:0: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:20 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall4.conf.orig000066400000000000000000000051521303637203600206020ustar00rootroot00000000000000 set optimization high-latency # Tables: (3) table { eth1 , 192.168.1.1 , 192.168.2.1 , 222.222.222.222 } table { self , 192.168.1.0/24 } table { 192.168.1.10 , 192.168.1.20 } # # Prolog script # # prolog commands go after table definitions # # End of prolog script # # # Rule 0 (NAT) nat on eth0 from 192.168.1.10 to any -> (eth0) nat on eth1 from 192.168.1.10 to any -> (eth1) 
nat on eth2 from 192.168.1.10 to any -> (eth2) nat on eth3 from 192.168.1.10 to any -> (eth3) # # Rule 1 (NAT) nat on eth0 from 192.168.1.0/24 to ! 192.168.2.0/24 -> (eth0) nat on eth1 from 192.168.1.0/24 to ! 192.168.2.0/24 -> (eth1) nat on eth2 from 192.168.1.0/24 to ! 192.168.2.0/24 -> (eth2) nat on eth3 from 192.168.1.0/24 to ! 192.168.2.0/24 -> (eth3) # # Rule 2 (NAT) rdr proto tcp from any to port 22 -> 192.168.1.10 port 22 # # Rule 3 (NAT) # SDNAT rule rdr on eth3 proto tcp from 192.168.1.0/24 to 222.222.222.222 port 80 -> 192.168.1.10 port 80 nat on eth0 proto tcp from 192.168.1.0/24 to 192.168.1.10 port 80 -> (eth0) # # Rule 4 (NAT) nat on eth3 from 192.168.1.0/24 to any -> (eth3) # # Rule 5 (NAT) # eth1 is dynamic nat on eth1 proto tcp from 192.168.1.0/24 to any port 22 -> (eth1) # Policy compiler errors and warnings: # firewall4:Policy:6: warning: Changing rule direction due to self reference # # Rule 0 (global) anchor "ftp-proxy/*" inet from any to any # # Rule 1 (global) pass log quick inet proto tcp from any to (eth1) port 22 keep state # # Rule 2 (eth1) block log quick on eth1 inet proto icmp from ! 192.168.2.0/24 to any icmp-type 8 code 0 # # Rule 3 (eth1) # Anti-spoofing rule block in log quick on eth1 inet from self to any block in log quick on eth1 inet from 192.168.1.0/24 to any # # Rule 4 (eth1) # Anti-spoofing rule block out log quick on eth1 inet from ! to any # # Rule 5 (global) # hostF has the same IP address as firewal. pass log quick inet proto icmp from any to 192.168.1.1 icmp-type 8 code 0 keep state # # Rule 6 (global) # firewall4:Policy:6: warning: Changing rule direction due to self reference block in log quick inet proto icmp from ! to self icmp-type 3 # # Rule 7 (global) # testing negation in the policy rule block log quick inet proto icmp from ! 
to any icmp-type 3 # # Rule 9 (global) # 'masquerading' rule pass quick inet from 192.168.1.0/24 to any keep state # # Rule 10 (global) # 'catch all' rule block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall4.fw.orig000077500000000000000000000030331303637203600202700ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:20 2011 PST by vadim # # files: * firewall4.fw pf.fw # files: firewall4.conf /etc/fw/pf.conf # # Compiled for pf # # this object is used to test a configuration where firewall has dynamic address # firewall4::: error: Dynamic interface eth1 should not have an IP address object attached to it. This IP address object will be ignored. # firewall4:ftp-proxy/*:: warning: The name of the Policy ruleset ftp-proxy/* ends with '/*', assuming it is externally controlled and skipping it. 
# firewall4:Policy:6: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:20 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall40-1-routes.conf.orig000066400000000000000000000071741303637203600223450ustar00rootroot00000000000000# Policy compiler errors and warnings: # firewall40-1:routes:1: error: Interface specification is required for action Route. # firewall40-1:routes:1: error: Only one router specified with load balancing for rule action Route: 'route_reply_through' # firewall40-1:routes:2: error: Interface specification is required for action Route. # firewall40-1:routes:2: error: Only one router specified with load balancing for rule action Route: 'route_copy_through' # firewall40-1:routes:6: error: Interface specification is required for action Route. # firewall40-1:routes:6: error: More than one router specified without load balancing for rule action Route: 'route_through' # firewall40-1:routes:7: error: Interface specification is required for action Route. # firewall40-1:routes:8: error: Interface specification is required for action Route. # firewall40-1:routes:9: error: Interface specification is required for action Route. # firewall40-1:routes:10: error: Interface specification is required for action Route. 
# # Rule routes 0 (fxp0) # route_through, load balancing random pass in quick on fxp0 route-to { ( le1 192.0.2.1 ) , ( le1 192.0.2.2 ) , ( le1 192.0.2.3 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 0 -- ACCEPT " # # Rule routes 1 (fxp0) # error: interface is required pass in quick on fxp0 reply-to { ( 192.0.2.1 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 1 -- ACCEPT " # # Rule routes 2 (fxp0) # error: interface is required pass in quick on fxp0 dup-to { ( 192.0.2.1 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 2 -- ACCEPT " # # Rule routes 3 (fxp0) # fastroute pass in quick on fxp0 fastroute inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 3 -- ACCEPT " # # Rule routes 4 (fxp0) # fastroute pass in quick on fxp0 fastroute inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 4 -- ACCEPT " # # Rule routes 5 (fxp0) # fastroute pass in quick on fxp0 fastroute inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 5 -- ACCEPT " # # Rule routes 6 (fxp0) # route_through, load balancing none # error: interface is required pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 6 -- ACCEPT " # # Rule routes 7 (fxp0) # route_through, load balancing bitmask # error: interface is required pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } bitmask inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 7 -- ACCEPT " # # Rule routes 8 (fxp0) # route_through, load balancing random # error: interface is required pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 8 -- ACCEPT " # # Rule routes 9 (fxp0) # route_through, load balancing source hash # error: 
interface is required pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } source-hash inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 9 -- ACCEPT " # # Rule routes 10 (fxp0) # route_through, load balancing round robin # error: interface is required pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 10 -- ACCEPT " # # Rule routes 11 (global) block log quick inet from any to any label "RULE 11 -- DROP " fwbuilder-5.3.7/test/pf/firewall40-1.conf.orig000066400000000000000000000070271303637203600210230ustar00rootroot00000000000000 # # Rule 0 (NAT) # Translate source address # for outgoing connections nat on le1 from 192.168.1.0/24 to any -> (le1) # # Rule 1 (NAT) # Translate source address # for outgoing connections nat on le2 from 192.168.1.0/24 to any -> (le2) # Policy compiler errors and warnings: # firewall40-1:Policy:9: error: Only one router specified with load balancing for rule action Route: 'route_through' # firewall40-1:Policy:10: error: Only one router specified with load balancing for rule action Route: 'route_through' # firewall40-1:Policy:11: error: Illegal IP address for next hop # firewall40-1:Policy:11: error: Only one router specified with load balancing for rule action Route: 'route_through' # # Rule 0 (fxp0) pass in quick on fxp0 route-to { ( le1 192.0.2.1 ) , ( le1 192.0.2.2 ) , ( le1 192.0.2.3 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 0 -- ACCEPT " # # Rule 1 (fxp0) pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 1 -- ACCEPT " # # Rule 2 (fxp0) pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label 
"RULE 2 -- ACCEPT " # # Rule 3 (fxp0) pass in quick on fxp0 route-to { ( le1 192.0.2.1 ) , ( le1 192.0.2.2 ) , ( le1 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 label "RULE 3 -- ACCEPT " # # Rule 4 (fxp0) pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 label "RULE 4 -- ACCEPT " # # Rule 5 (fxp0) pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 label "RULE 5 -- ACCEPT " # # Rule 6 (fxp0) pass in quick on fxp0 route-to { ( le1 192.0.2.0/24 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 6 -- ACCEPT " # # Rule 7 (fxp0) pass in quick on fxp0 route-to { ( le2 192.0.2.0/24 ) } source-hash inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 7 -- ACCEPT " # # Rule 8 (fxp0) pass in quick on fxp0 route-to { ( le2 192.0.2.0/255.255.255.0 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 8 -- ACCEPT " # # Rule 9 (fxp0) # this should fail because # it has one address for the next # hop and it is /32. # Run compiler with # command line argument -xt # to convert errors to warnings # and make it generate .conf # file anyway pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 9 -- ACCEPT " # # Rule 10 (fxp0) # this should fail because # it has one address for the next # hop and it is /32. 
pass in quick on fxp0 route-to { ( le2 192.0.2.1/32 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 10 -- ACCEPT " # # Rule 11 (fxp0) # this should fail because # it ip address in next hop # is illegal pass in quick on fxp0 route-to { ( le2 192.0.300.1/32 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 11 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP " load anchor routes from "/etc/firewall40-1-routes.conf" fwbuilder-5.3.7/test/pf/firewall40-1.fw.orig000077500000000000000000000122161303637203600205110ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:21 2011 PST by vadim # # files: * firewall40-1.fw /etc/firewall40-1.fw # files: firewall40-1.conf /etc/firewall40-1.conf # files: firewall40-1-routes.conf /etc/firewall40-1-routes.conf # # Compiled for pf # # testing Route action # with load balancing # firewall40-1:Policy:9: error: Only one router specified with load balancing for rule action Route: 'route_through' # firewall40-1:Policy:10: error: Only one router specified with load balancing for rule action Route: 'route_through' # firewall40-1:Policy:11: error: Illegal IP address for next hop # firewall40-1:Policy:11: error: Only one router specified with load balancing for rule action Route: 'route_through' # firewall40-1:routes:1: error: Interface specification is required for action Route. # firewall40-1:routes:1: error: Only one router specified with load balancing for rule action Route: 'route_reply_through' # firewall40-1:routes:2: error: Interface specification is required for action Route. # firewall40-1:routes:2: error: Only one router specified with load balancing for rule action Route: 'route_copy_through' # firewall40-1:routes:6: error: Interface specification is required for action Route. 
# firewall40-1:routes:6: error: More than one router specified without load balancing for rule action Route: 'route_through' # firewall40-1:routes:7: error: Interface specification is required for action Route. # firewall40-1:routes:8: error: Interface specification is required for action Route. # firewall40-1:routes:9: error: Interface specification is required for action Route. # firewall40-1:routes:10: error: Interface specification is required for action Route. FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "fxp0 192.168.1.1/0xffffff00" "" update_addresses_of_interface "le1 
192.0.2.1/0xffffff00" "" update_addresses_of_interface "le2 192.0.3.1/0xffffff00" "" update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Wed Nov 30 18:39:21 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall40-1.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall40-2.conf.orig000066400000000000000000000016011303637203600210140ustar00rootroot00000000000000 # # Rule 0 (NAT) # Translate source address # for outgoing connections match out on le1 from 192.168.1.0/24 to any nat-to (le1) # # Rule 1 (NAT) # Translate source address # for outgoing connections match out on le2 from 192.168.1.0/24 to any nat-to (le2) # # Rule 0 (fxp0) pass in quick on fxp0 inet proto tcp from 192.168.1.0/24 to any port { 80, 25 } no state label "RULE 0 -- ACCEPT " route-to { ( le1 192.0.2.10 ) } # # Rule 1 (fxp0) pass in quick on fxp0 inet proto tcp from 192.168.1.0/24 to any port 22 no state label "RULE 1 -- ACCEPT " route-to { ( le2 192.0.3.10 ) } # # Rule 2 (fxp0) pass in quick on fxp0 inet proto tcp from 192.168.1.0/24 to any port 22 flags any label "RULE 2 -- ACCEPT " route-to { ( le2 192.0.3.10 ) } # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall40-2.fw.orig000077500000000000000000000073421303637203600205160ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:22 2011 PST by vadim # # files: * firewall40-2.fw /etc/firewall40-2.fw # files: firewall40-2.conf /etc/firewall40-2.conf # # Compiled for pf 4.7 # # testing Route action for PF v4.7 and later FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") 
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "fxp0 192.168.1.1/0xffffff00" "" update_addresses_of_interface "le1 192.0.2.1/0xffffff00" "" update_addresses_of_interface "le2 192.0.3.1/0xffffff00" "" update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Wed Nov 30 18:39:22 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall40-2.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall40.conf.orig000066400000000000000000000020671303637203600206640ustar00rootroot00000000000000 # # Rule 0 (NAT) # Translate source address # for outgoing connections nat on le1 from 192.168.1.0/24 to any -> (le1) # # Rule 1 (NAT) # Translate source address # for outgoing connections nat on le2 from 192.168.1.0/24 to any -> (le2) # # Rule 0 (lo0) pass quick on lo0 inet from any to any label "RULE 0 -- ACCEPT " # # Rule 1 (fxp0) pass quick on fxp0 inet from 192.168.1.0/24 to 192.168.1.0/24 label "RULE 1 -- ACCEPT " # # Rule 2 (fxp0) pass in quick on fxp0 route-to { ( le1 192.0.2.10 ) } inet proto tcp from 192.168.1.0/24 to any port { 80, 25 } label "RULE 2 -- ACCEPT " # # Rule 3 (fxp0) pass in quick on fxp0 route-to { ( le2 192.0.3.10 ) } inet proto tcp from 
192.168.1.0/24 to any port 22 label "RULE 3 -- ACCEPT " # # Rule 4 (global) pass out quick inet from self to any keep state label "RULE 4 -- ACCEPT " # # Rule 5 (global) block log quick inet from any to any label "RULE 5 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall40.fw.orig000077500000000000000000000072751303637203600203640ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:21 2011 PST by vadim # # files: * firewall40.fw /etc/firewall40.fw # files: firewall40.conf /etc/firewall40.conf # # Compiled for pf # # testing Route action FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "fxp0 192.168.1.1/0xffffff00" "" update_addresses_of_interface "le1 
192.0.2.1/0xffffff00" "" update_addresses_of_interface "le2 192.0.3.1/0xffffff00" "" update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" } log "Activating firewall script generated Wed Nov 30 18:39:21 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall40.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall41.conf.orig000066400000000000000000000030521303637203600206600ustar00rootroot00000000000000 # Tables: (3) table persist file "block-hosts.tbl" table persist table { 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.1.200 , 192.168.1.201 , 192.168.2.128/25 } # Policy compiler errors and warnings: # firewall41:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode # firewall41:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode # firewall41:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode # # Rule 0 (global) pass out log quick inet from self to www.heise.de keep state label "RULE 0 -- ACCEPT " # # Rule 1 (global) pass out log quick inet from self to keep state label "RULE 1 -- ACCEPT " # # Rule 2 (global) pass out log quick inet from self to keep state label "RULE 2 -- ACCEPT " pass out log quick inet from self to keep state label "RULE 2 -- ACCEPT " # # Rule 3 (global) # firewall41:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode pass out log quick inet from self to 192.0.2.0/24 keep state label "RULE 3 -- ACCEPT " # # Rule 4 (global) pass out log quick inet from self to 1.1.1.1 keep state label "RULE 4 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP " 
fwbuilder-5.3.7/test/pf/firewall41.fw.orig000077500000000000000000000101131303637203600203460ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:22 2011 PST by vadim # # files: * firewall41.fw /etc/firewall41.fw # files: firewall41.conf /etc/firewall41.conf # # Compiled for pf # # testing rule shadowing with run-time objects, rules with such objects should be ignored # firewall41:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode # firewall41:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode # firewall41:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "eth0 1.1.1.1/0xffffff00" "" update_addresses_of_interface "eth1 2.2.2.2/0xffffff00" 
"" } log "Activating firewall script generated Wed Nov 30 18:39:22 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall41.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall5.conf.orig000066400000000000000000000006731303637203600206060ustar00rootroot00000000000000 set optimization normal # # Rule 0 (global) block log quick inet from any to any fragment block log quick inet proto 50 from any to any # # Rule 1 (global) block log quick inet from any to any fragment block log quick inet proto tcp from any to any flags ARSF/UAPRSF # # Rule 2 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall5.fw.orig000077500000000000000000000024771303637203600203040ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:23 2011 PST by vadim # # files: * firewall5.fw /etc/fw/firewall5.fw # files: firewall5.conf /etc/fw/firewall5.conf # # Compiled for pf # # testing IP fragments and scrub FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.directed-broadcast=0 $SYSCTL -w net.inet.ip.forwarding=1 $SYSCTL -w net.inet.ip.sourceroute=0 $SYSCTL -w net.inet.ip.redirect=0 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:23 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall5.conf || exit 1 
epilog_commandsfwbuilder-5.3.7/test/pf/firewall51-mail_server_inbound.conf.orig000066400000000000000000000003641303637203600247100ustar00rootroot00000000000000# # Rule mail_server_inbound 0 (global) pass in quick inet proto tcp from any to any port 25 keep state # # Rule mail_server_inbound 1 (global) pass in quick inet proto icmp from any to any icmp-type { 3 , 8 code 0 } keep state fwbuilder-5.3.7/test/pf/firewall51-mail_server_outbound.conf.orig000066400000000000000000000005031303637203600251040ustar00rootroot00000000000000# # Rule mail_server_outbound 0 (global) pass out quick inet proto tcp from any to any port { 53, 25 } keep state pass out quick inet proto udp from any to any port 53 keep state # # Rule mail_server_outbound 1 (global) pass out quick inet proto icmp from any to any icmp-type { 3 , 8 code 0 } keep state fwbuilder-5.3.7/test/pf/firewall51-rule2_branch.conf.orig000066400000000000000000000002671303637203600232320ustar00rootroot00000000000000 # Tables: (1) table { 192.168.1.0/24 , 192.168.2.0/24 } # # Rule rule2_branch 0 (global) block log quick inet from ! 
to any fwbuilder-5.3.7/test/pf/firewall51-web_server_inbound.conf.orig000066400000000000000000000003621303637203600245410ustar00rootroot00000000000000# # Rule web_server_inbound 0 (global) pass in quick inet proto tcp from any to any port 80 keep state # # Rule web_server_inbound 1 (global) pass in quick inet proto icmp from any to any icmp-type { 3 , 8 code 0 } keep state fwbuilder-5.3.7/test/pf/firewall51-web_server_outbound.conf.orig000066400000000000000000000004711303637203600247430ustar00rootroot00000000000000# # Rule web_server_outbound 0 (global) pass out quick inet proto icmp from any to any icmp-type { 3 , 8 code 0 } keep state # # Rule web_server_outbound 1 (global) pass out quick inet proto tcp from any to any port 53 keep state pass out quick inet proto udp from any to any port 53 keep state fwbuilder-5.3.7/test/pf/firewall51.conf.orig000066400000000000000000000016061303637203600206640ustar00rootroot00000000000000 # # Rule 0 (global) anchor "mail_server_inbound" inet from any to 192.168.1.10 # # Rule 1 (global) anchor "mail_server_outbound" inet from 192.168.1.10 to any # # Rule 2 (global) anchor "web_server_inbound" inet from any to 192.168.1.20 # # Rule 3 (global) anchor "web_server_outbound" inet from 192.168.1.20 to any # # Rule 4 (global) anchor "rule2_branch" inet from 192.168.1.0/24 to any # # Rule fallback rule # fallback rule block quick inet from any to any load anchor mail_server_inbound from "/etc/fw/firewall51-mail_server_inbound.conf" load anchor mail_server_outbound from "/etc/fw/firewall51-mail_server_outbound.conf" load anchor rule2_branch from "/etc/fw/firewall51-rule2_branch.conf" load anchor web_server_inbound from "/etc/fw/firewall51-web_server_inbound.conf" load anchor web_server_outbound from "/etc/fw/firewall51-web_server_outbound.conf" fwbuilder-5.3.7/test/pf/firewall51.fw.orig000077500000000000000000000032301303637203600203510ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:23 2011 PST by vadim # # files: * firewall51.fw /etc/fw/firewall51.fw # files: firewall51.conf /etc/fw/firewall51.conf # files: firewall51-rule2_branch.conf /etc/fw/firewall51-rule2_branch.conf # files: firewall51-mail_server_inbound.conf /etc/fw/firewall51-mail_server_inbound.conf # files: firewall51-mail_server_outbound.conf /etc/fw/firewall51-mail_server_outbound.conf # files: firewall51-web_server_inbound.conf /etc/fw/firewall51-web_server_inbound.conf # files: firewall51-web_server_outbound.conf /etc/fw/firewall51-web_server_outbound.conf # # Compiled for pf # # testing branching rules that point # at rule sets defined in object # firewall-base-rulesets FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:23 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall51.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall6.conf.orig000066400000000000000000000006471303637203600206100ustar00rootroot00000000000000 # Policy compiler errors and warnings: # firewall6:Policy:1: warning: Changing rule direction due to self reference # # Rule 0 (eth1) block in log quick on eth1 inet from any to ! self # # Rule 1 (global) # firewall6:Policy:1: warning: Changing rule direction due to self reference block in quick inet from any to ! 
self # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall6.fw.orig000077500000000000000000000023701303637203600202750ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:24 2011 PST by vadim # # files: * firewall6.fw /etc/fw/firewall6.fw # files: firewall6.conf /etc/fw/firewall6.conf # # Compiled for pf # # testing rule with firewall in dst and negation # firewall6:Policy:1: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:24 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall6.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall62.conf.orig000066400000000000000000000120111303637203600206560ustar00rootroot00000000000000 # Policy compiler errors and warnings: # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # firewall62:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it # firewall62:Policy:3: 
error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it # firewall62:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it # firewall62:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it # firewall62:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it # firewall62:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it # firewall62:Policy:8: error: Rule '8 (global)' shadows rule '10 (global)' below it # firewall62:Policy:8: error: Rule '8 (global)' shadows rule '10 (global)' below it # firewall62:Policy:1: warning: Changing rule direction due to self reference # firewall62:Policy:2: warning: Changing rule direction due to self reference # firewall62:Policy:4: warning: Changing rule direction due to self reference # firewall62:Policy:8: warning: Changing rule direction due to self reference # firewall62:Policy:9: warning: Changing rule direction due to self reference # firewall62:Policy:12: warning: Changing rule direction due to self reference # # Rule 0 (en0) # rule from FR 1948872 # should generate # pass in quick on en0 user proxy pass in quick on en0 inet from any to any user proxy label "RULE 0 -- ACCEPT " # # Rule 1 (global) # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it # firewall62:Policy:1: warning: 
Changing rule direction due to self reference pass out quick inet from self to any user { 2000, 500 } label "RULE 1 -- ACCEPT " # # Rule 2 (global) # firewall62:Policy:2: warning: Changing rule direction due to self reference pass out quick inet from self to any user 2000 label "RULE 2 -- ACCEPT " # # Rule 3 (global) # firewall62:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall62:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it pass out quick inet proto tcp from self to any port 80 flags any label "RULE 3 -- ACCEPT " pass out quick inet from self to any user 2000 label "RULE 3 -- ACCEPT " # # Rule 4 (global) # firewall62:Policy:4: warning: Changing rule direction due to self reference pass out quick inet proto tcp from self to any port 80 flags any label "RULE 4 -- ACCEPT " pass out quick inet from self to any user 2000 label "RULE 4 -- ACCEPT " # # Rule 5 (global) pass out quick inet proto tcp from self to any port 80 flags any label "RULE 5 -- ACCEPT " pass out quick inet from self to any user 2000 label "RULE 5 -- ACCEPT " # # Rule 6 (global) pass quick inet from 192.168.1.1 to any user 2000 label "RULE 6 -- ACCEPT " # # Rule 7 (global) pass quick inet from 192.168.1.0/24 to any user 2000 label "RULE 7 -- ACCEPT " # # Rule 8 (global) # firewall62:Policy:8: error: Rule '8 (global)' shadows rule '10 (global)' below it # firewall62:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it # firewall62:Policy:8: warning: Changing rule direction due to self reference pass in quick inet from any to self user 2000 label "RULE 8 -- ACCEPT " # # Rule 9 (global) # firewall62:Policy:9: warning: Changing rule direction due to self reference pass in quick inet from any to self user { 2000, 500 } label "RULE 9 -- ACCEPT " # # Rule 10 (global) pass in quick inet from any to self user 2000 label "RULE 10 -- ACCEPT " # # Rule 11 (global) pass quick inet from ! 
192.168.1.0/24 to any user 2000 label "RULE 11 -- ACCEPT " # # Rule 12 (global) # firewall62:Policy:12: warning: Changing rule direction due to self reference pass in quick inet from any to ! self user 2000 label "RULE 12 -- ACCEPT " # # Rule 13 (global) block quick inet from any to any no state label "RULE 13 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall62.fw.orig000077500000000000000000000134251303637203600203620ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:24 2011 PST by vadim # # files: * firewall62.fw /etc/firewall62.fw # files: firewall62.conf /etc/firewall62.conf # # Compiled for pf 4.0 # # testing rules using UserService object # Note that iptables does not allow entering # iptables command that tries to match using module 'owner' in any chain # other than OUTPUT. 
This includes user defined chains too (it checks # how control passes to user defined chain and blocks command if # it appears that user defined chain gets control not from OUTPUT) # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it # firewall62:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it # firewall62:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it # firewall62:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it # firewall62:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it # firewall62:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it # firewall62:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it # firewall62:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it # firewall62:Policy:8: error: Rule '8 (global)' shadows rule '10 (global)' below it # firewall62:Policy:8: error: Rule '8 (global)' shadows rule '10 (global)' below it # firewall62:Policy:1: warning: Changing rule direction due to self reference # firewall62:Policy:2: warning: Changing rule direction due to self reference # firewall62:Policy:4: warning: Changing rule direction due to self reference # firewall62:Policy:8: warning: Changing rule direction due to self reference # firewall62:Policy:9: warning: Changing rule direction due to self reference # 
firewall62:Policy:12: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" 
&& exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "en0 192.168.1.1/0xffffff00" "" update_addresses_of_interface "en1 222.222.222.222/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:24 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall62.conf || exit 1 $PFCTL -F states epilog_commandsfwbuilder-5.3.7/test/pf/firewall63.conf.orig000066400000000000000000000006501303637203600206650ustar00rootroot00000000000000 # # Rule 0 (global) block log quick inet from any to any tos 0x20 # # Rule 1 (global) block log quick inet from any to any tos 0x10 # # Rule 2 (global) block log quick inet from any to any tos 0x10 block log quick inet from any to any tos 0x20 # # Rule 4 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall63.fw.orig000077500000000000000000000024721303637203600203630ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:25 2011 PST by vadim # # files: * firewall63.fw /etc/fw/firewall63.fw # files: firewall63.conf /etc/fw/firewall63.conf # # Compiled for pf # # testing tos matching FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.directed-broadcast=0 $SYSCTL -w net.inet.ip.forwarding=1 $SYSCTL -w net.inet.ip.sourceroute=0 $SYSCTL -w net.inet.ip.redirect=0 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:25 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall63.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall7.conf.orig000066400000000000000000000004131303637203600206000ustar00rootroot00000000000000 # # Rule 0 (eth0) block in log quick on eth0 inet from any to 192.168.1.255 # # Rule 1 (global) pass quick inet proto udp from any to 192.168.1.255 port 68 keep state # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall7.fw.orig000077500000000000000000000022331303637203600202740ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:25 2011 PST by vadim # # files: * firewall7.fw /etc/fw/firewall7.fw # files: firewall7.conf /etc/fw/firewall7.conf # # Compiled for pf # # testing rules with broadcasts FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:25 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall7.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall70.conf.orig000066400000000000000000000033351303637203600206660ustar00rootroot00000000000000 # Policy compiler errors and warnings: # firewall70:Policy:0: warning: Changing rule direction due to self reference # firewall70:Policy:1: warning: Changing rule direction due to self reference # firewall70:Policy:2: warning: Changing rule direction due to self reference # firewall70:Policy:3: warning: Changing rule direction due to self reference # firewall70:Policy:4: warning: Changing rule direction due to self reference # firewall70:Policy:5: warning: Changing rule direction due to self reference # # Rule 0 (global) # firewall70:Policy:0: warning: Changing rule direction due to self reference pass in quick inet proto tcp from any to self port 22 flags S/SA keep state # # Rule 1 (en0) # firewall70:Policy:1: warning: Changing rule direction due to self reference pass in quick on en0 inet proto tcp from any to self port 22 flags S/SA keep state # # Rule 2 (en0,en1) # firewall70:Policy:2: warning: Changing 
rule direction due to self reference pass in quick on { en0 en1 } inet proto tcp from any to self port 22 flags S/SA keep state # # Rule 3 (en2,en0,en1,en3) # firewall70:Policy:3: warning: Changing rule direction due to self reference pass in quick on { en0 en1 en2 en3 } inet proto tcp from any to self port 22 flags S/SA keep state # # Rule 4 (en0) # firewall70:Policy:4: warning: Changing rule direction due to self reference pass in quick on { en1 en2 } inet proto tcp from any to self port 22 flags S/SA keep state # # Rule 5 (en0,en1) # firewall70:Policy:5: warning: Changing rule direction due to self reference pass in quick on en2 inet proto tcp from any to self port 22 flags S/SA keep state # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall70.fw.orig000077500000000000000000000034321303637203600203560ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:26 2011 PST by vadim # # files: * firewall70.fw /etc/fw/firewall70.fw # files: firewall70.conf /etc/fw/firewall70.conf # # Compiled for pf # # testing for unpotected interfaces # firewall70:Policy:0: warning: Changing rule direction due to self reference # firewall70:Policy:1: warning: Changing rule direction due to self reference # firewall70:Policy:2: warning: Changing rule direction due to self reference # firewall70:Policy:3: warning: Changing rule direction due to self reference # firewall70:Policy:4: warning: Changing rule direction due to self reference # firewall70:Policy:5: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in 
list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.directed-broadcast=0 $SYSCTL -w net.inet.ip.forwarding=1 $SYSCTL -w net.inet.ip.sourceroute=0 $SYSCTL -w net.inet.ip.redirect=0 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:26 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall70.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall8.conf.orig000066400000000000000000000030761303637203600206110ustar00rootroot00000000000000 # Tables: (2) table { ppp0 , 33.33.33.33 , 33.33.33.34 , 192.168.1.1 } table { 33.33.33.33 , 33.33.33.34 } # # Rule 0 (NAT) nat on eth1 from 192.168.1.0/24 to any -> (eth1) nat on eth0 from 192.168.1.0/24 to any -> (eth0) nat on ppp0 from 192.168.1.0/24 to any -> (ppp0) # # Rule 1 (NAT) nat on eth1 from 192.168.1.0/24 to any -> (eth1) # # Rule 2 (NAT) nat on eth1 from 192.168.1.0/24 to any -> 33.33.33.33 # # Rule 3 (NAT) rdr proto tcp from any to port 22 -> 192.168.1.100 port 22 # # Rule 4 (NAT) rdr on eth1 proto tcp from any to 33.33.33.34 port 22 -> 192.168.1.100 port 22 # # Rule 5 (NAT) rdr on eth1 proto tcp from any to 33.33.33.34 port 22 -> 192.168.1.100 port 22 # # Rule 6 (NAT) rdr on eth1 proto tcp from any to 33.33.33.34 port 22 -> 192.168.1.100 port 22 # # Rule 7 (NAT) rdr on eth1 proto tcp from any to 33.33.33.34 port 22 -> 192.168.1.100 port 22 # # Rule 8 (NAT) rdr proto tcp from 192.168.1.0/24 to any port 80 -> (eth1) port 80 # # Rule 0 (global) pass inet from any to any # # Rule 1 (global) pass log inet from any to any # # Rule 2 (global) pass quick inet proto tcp from any to 33.33.33.33 port 22 flags S/SA keep state # # Rule 3 (global) pass quick inet proto tcp from any to 33.33.33.34 port 22 flags S/SA keep state # # Rule 4 (global) pass quick inet proto tcp from any to port 22 flags S/SA 
keep state # # Rule 5 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall8.fw.orig000077500000000000000000000022351303637203600202770ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:26 2011 PST by vadim # # files: * firewall8.fw /etc/firewall8.fw # files: firewall8.conf /etc/firewall8.conf # # Compiled for pf # FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/usr/sbin/pfctl" SYSCTL="/usr/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:26 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall8.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall80-4.5.conf.orig000066400000000000000000000021671303637203600211750ustar00rootroot00000000000000 # # Rule 0 (global) pass quick inet proto tcp from any to 33.33.33.34 port 22 no state # # Rule 1 (global) pass quick inet proto tcp from any to 33.33.33.34 port 22 keep state # # Rule 2 (global) pass quick inet proto tcp from any to 33.33.33.34 port 22 # # Rule 3 (global) # activate source tracking pass quick inet proto tcp from any to 33.33.33.34 port 22 keep state ( max-src-nodes 10 ) # # Rule 4 (global) # modulate state pass quick inet proto tcp from any to 33.33.33.34 port 22 modulate state ( max-src-nodes 10 ) # # Rule 5 (global) # synproxy pass quick inet proto tcp from 
any to 33.33.33.34 port 22 synproxy state ( max-src-nodes 10 ) # # Rule 6 (global) # keep state, no-sync, pflow pass quick inet proto tcp from any to 33.33.33.34 port 22 keep state ( no-sync, pflow, max-src-nodes 10 ) # # Rule 7 (global) pass quick inet from any to 33.33.33.34 # # Rule 8 (global) # synproxy pass quick inet from any to any # # Rule 9 (global) block log quick inet from any to any no state # # Rule fallback rule # fallback rule block quick inet from any to any no state fwbuilder-5.3.7/test/pf/firewall80-4.5.fw.orig000077500000000000000000000023331303637203600206620ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:27 2011 PST by vadim # # files: * firewall80-4.5.fw /etc/firewall80-4.5.fw # files: firewall80-4.5.conf /etc/firewall80-4.5.conf # # Compiled for pf 4.5 # # Testin state tracking options FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/usr/sbin/pfctl" SYSCTL="/usr/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:27 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall80-4.5.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall80.conf.orig000066400000000000000000000012651303637203600206670ustar00rootroot00000000000000 # # Rule 0 (global) pass quick inet proto tcp from any to 33.33.33.34 port 22 # # Rule 1 (global) pass quick inet proto tcp from any to 33.33.33.34 port 22 flags S/SA keep 
state # # Rule 2 (global) pass quick inet proto tcp from any to 33.33.33.34 port 22 flags S/SA keep state # # Rule 3 (global) pass quick inet proto tcp from any to 33.33.33.34 port 22 flags S/SA keep state ( max-src-nodes 10 ) # # Rule 4 (global) # synproxy pass quick inet proto tcp from any to 33.33.33.34 port 22 flags S/SA synproxy state # # Rule 5 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall80.fw.orig000077500000000000000000000023101303637203600203510ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:27 2011 PST by vadim # # files: * firewall80.fw /etc/firewall80.fw # files: firewall80.conf /etc/firewall80.conf # # Compiled for pf ge_3.7 # # Testin state tracking options FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/usr/sbin/pfctl" SYSCTL="/usr/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:27 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/firewall80.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall9.conf.orig000066400000000000000000000007311303637203600206050ustar00rootroot00000000000000 # # Rule 1 (NAT) nat on eth0 from 192.168.1.0/24 to any -> (eth0) # # Rule 0 (eth0) block in log quick on eth0 inet from any to 192.168.1.255 # # Rule 1 (lo) pass quick on lo inet from any to any keep state # # 
Rule 3 (global) pass quick inet proto udp from any to 192.168.1.255 port 68 keep state # # Rule 4 (global) block log quick inet from any to any # # Rule fallback rule # fallback rule block quick inet from any to any fwbuilder-5.3.7/test/pf/firewall9.fw.orig000077500000000000000000000023321303637203600202760ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:28 2011 PST by vadim # # files: * firewall9.fw /etc/fw/firewall9.fw # files: firewall9.conf /etc/fw/firewall9.conf # # Compiled for pf # # testing rules with broadcasts FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/usr/local/bin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } verify_interfaces() { : } set_kernel_vars() { : } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : } log "Activating firewall script generated Wed Nov 30 18:39:28 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/firewall9.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall91.conf.orig000066400000000000000000000006021303637203600206630ustar00rootroot00000000000000 # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 flags S/SA keep state label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP " 
fwbuilder-5.3.7/test/pf/firewall91.fw.orig000077500000000000000000000135151303637203600203640ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:28 2011 PST by vadim # # files: * firewall91.fw /etc/fw/pf.fw # files: firewall91.conf /etc/fw/pf.conf # # Compiled for pf # FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface 
>/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG -A | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { 
split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces vlan101 vlan103 update_vlans_of_interface "em0 vlan101:101 vlan103:103" update_addresses_of_interface "em0 10.1.1.50/0xffffff00" "" update_addresses_of_interface "pcn0 10.3.14.50/0xffffff00" "" update_addresses_of_interface "vlan101 10.100.101.1/0xffffff00" "" update_addresses_of_interface "vlan103 10.100.103.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:28 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall92.conf.orig000066400000000000000000000032761303637203600206760ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # NAT compiler errors and warnings: # firewall92:NAT:2: error: No translation rules are not supported for PF 4.7, use negation to implement exclusions # # Rule 0 (NAT) match out on em0 from 10.1.1.0/24 to any nat-to (em0) # # Rule 1 (NAT) match in on em0 proto udp from ! 10.3.14.41 to 10.3.14.81 port 161 rdr-to 10.1.1.1 port 161 # # Rule 3 (NAT) match in on em0 proto udp from any to 10.3.14.81 port 161 rdr-to 10.1.1.1 port 161 # # Rule 4 (NAT) match out on em1 from 10.1.1.0/24 to any nat-to (em0) # # Rule 5 (NAT) match out on ! 
em0 from 10.1.1.0/24 to any nat-to 10.3.14.201 # Policy compiler errors and warnings: # firewall92:Policy:0: warning: Changing rule direction due to self reference # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT " # # Rule 0 (global) # firewall92:Policy:0: warning: Changing rule direction due to self reference pass in quick inet proto tcp from 10.3.14.0/24 to self port 22 label "RULE 0 -- ACCEPT " # # Rule 1 (global) pass quick inet from 10.1.1.0/24 to any label "RULE 1 -- ACCEPT " # # Rule 2 (global) match inet from any to 10.1.1.1 tag INTNET label "RULE 2 -- " # # Rule 3 (global) pass quick inet proto udp from any to any port 161 label "RULE 3 -- ACCEPT " # # Rule 4 (global) block log quick inet from any to any no state label "RULE 4 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/firewall92.fw.orig000077500000000000000000000075131303637203600203660ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:29 2011 PST by vadim # # files: * firewall92.fw /etc/fw/pf.fw # files: firewall92.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # syntax of the nat and rdr rules has changed in 4.7 # firewall92:NAT:2: error: No translation rules are not supported for PF 4.7, use negation to implement exclusions # firewall92:Policy:0: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "em0 10.3.14.81/0xffffff00 10.3.14.201/0xffffff00" "" update_addresses_of_interface 
"em1 10.1.1.81/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:29 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/firewall93.conf.orig000066400000000000000000000063121303637203600206710ustar00rootroot00000000000000 set timeout udp.single 5 # # Scrub rules # match all scrub (reassemble tcp no-df ) match out all scrub (random-id min-ttl 1 max-mss 1460) # Tables: (7) table { 22.22.22.0/28 , 192.168.1.10 } table { 22.22.22.0/28 , 192.168.1.10 } table { 192.168.171.2 } table { 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.1.200 , 192.168.1.201 , 192.168.2.0/24 , 192.168.2.128/25 } table { 3ffe:1200:2001:1:8000::1 , fe80::/64 } table { 192.168.1.0/24 , 192.168.2.0/24 , ::ffff:0:0:0/96 , fc00::/7 , fe80::/64 } table { 192.168.1.0/24 , 192.168.1.10 } # # Rule 0 (NAT) match out on em0 from 10.1.1.0/24 to any nat-to (em0) # Policy compiler errors and warnings: # firewall93:Policy:0: warning: Changing rule direction due to self reference # # Rule backup ssh access rule # backup ssh access rule pass in quick inet proto tcp from 10.3.14.30 to self port 22 label "RULE -1 -- ACCEPT" # # Rule 0 (global) # firewall93:Policy:0: warning: Changing rule direction due to self reference pass in quick inet proto tcp from 10.3.14.0/24 to self port 22 label "RULE 0 -- ACCEPT" # # Rule 1 (global) pass quick inet from to any label "RULE 1 -- ACCEPT" # # Rule 2 (global) # see #2671 pass quick inet proto tcp from to any port 3128 label "RULE 2 -- ACCEPT" pass quick inet proto udp from to any port 53 label "RULE 2 -- ACCEPT" # # Rule 3 (global) # using the same group second time, # objects should not get duplicated # in the generated table. 
See #2671 pass quick inet from any to label "RULE 3 -- ACCEPT" # # Rule 4 (global) # just one object in the group pass quick inet from to any label "RULE 4 -- ACCEPT" # # Rule 5 (global) # object a-192.168.1.10 is a member # of at least two groups used in this rule pass quick inet from { , , } to any label "RULE 5 -- ACCEPT" # # Rule 6 (global) # the same rule, same objects as rule 3, # but different group with the same objects pass quick inet from to any label "RULE 6 -- ACCEPT" # # Rule 7 (global) block in quick inet from to any no state label "RULE 7 -- DROP" # # Rule 8 (global) # group uses address table object pass quick inet from any to label "RULE 8 -- ACCEPT" # # Rule 11 (global) block in quick inet from to any no state label "RULE 11 -- DROP" # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP" # # Rule 9 (global) block in quick inet6 from to any no state label "RULE 9 -- DROP" # # Rule 10 (global) # the same group second time, # check for duplicates. See #2671 block in quick inet6 from any to no state label "RULE 10 -- DROP" # # Rule 11 (global) block in quick inet6 from to any no state label "RULE 11 -- DROP" # # Rule fallback rule # fallback rule block quick inet6 from any to any no state label "RULE 10000 -- DROP" fwbuilder-5.3.7/test/pf/firewall93.fw.orig000077500000000000000000000073231303637203600203660ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:29 2011 PST by vadim # # files: * firewall93.fw /etc/fw/pf.fw # files: firewall93.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # testing option “preserve group and addresses table object names” # firewall93:Policy:0: warning: Changing rule direction due to self reference FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { 
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:29 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/objects-for-regression-tests.fwb000066400000000000000000056752431303637203600233610ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk -m ip_conntrack_talk -m ip_nat_talk proto {tcp udp icmp gre} fwbuilder-5.3.7/test/pf/pf_cluster_1_openbsd-1.conf.orig000066400000000000000000000036571303637203600231570ustar00rootroot00000000000000 # Tables: (2) table { 172.24.0.1 , 172.24.0.2 , 192.168.1.1 , 192.168.1.2 } table { 172.24.0.1 , 172.24.0.2 } # # Rule 0 (NAT) nat on en0 from 192.168.1.0/24 to any -> (carp0) # # Rule 1 (NAT) nat on en0 from 192.168.1.0/24 
to any -> 172.24.0.1 # # Rule 2 (NAT) nat from 192.168.1.0/24 to any -> 172.24.0.1 # # Rule 3 (NAT) nat on en0 from 192.168.1.0/24 to any -> { (en0) , (en0) } # # Rule 4 (NAT) nat on en0 from 192.168.1.0/24 to any -> (en0) # # Rule 5 (NAT) nat from 192.168.1.0/24 to any -> (en0) # # Rule 6 (NAT) rdr on en0 proto tcp from any to 172.24.0.1 port 80 -> 172.24.0.100 port 80 # # Rule 7 (NAT) rdr on en0 proto tcp from any to 172.24.0.1 port 80 -> 172.24.0.100 port 80 # # Rule 8 (NAT) rdr proto tcp from any to 172.24.0.1 port 80 -> 172.24.0.100 port 80 # # Rule -3 pfsync (automatic) pass quick on en0 inet proto pfsync from any to any label "RULE -3 -- ACCEPT " # # Rule -2 CARP (automatic) pass quick on en1 inet proto carp from any to any label "RULE -2 -- ACCEPT " # # Rule -1 CARP (automatic) pass quick on en0 inet proto carp from any to any label "RULE -1 -- ACCEPT " # # Rule 0 (lo0) pass quick on lo0 inet from any to any label "RULE 0 -- ACCEPT " # # Rule 1 (global) pass quick inet from any to label "RULE 1 -- ACCEPT " # # Rule 2 (global) pass quick inet from to any label "RULE 2 -- ACCEPT " # # Rule 3 (global) pass quick inet from any to label "RULE 3 -- ACCEPT " # # Rule 4 (carp0) pass in quick on en0 inet from any to any label "RULE 4 -- ACCEPT " # # Rule 5 (carp0) pass in quick on en1 inet from any to any label "RULE 5 -- ACCEPT " # # Rule 6 (global) block log quick inet from any to any no state label "RULE 6 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/pf_cluster_1_openbsd-1.fw.orig000077500000000000000000000171251303637203600226440ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:31 2011 PST by vadim # # files: * pf_cluster_1_openbsd-1.fw /etc/pf_cluster_1_openbsd-1.fw # files: pf_cluster_1_openbsd-1.conf /etc/pf_cluster_1_openbsd-1.conf # # Compiled for pf 4.x # FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") 
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG -A | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && 
!($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } sync_carp_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces sync_carp_interfaces carp0 carp1 sync_pfsync_interfaces pfsync0 update_addresses_of_interface "en0 172.24.0.2/0xffffff00 172.24.0.3/0xffffff00" "" $IFCONFIG pfsync0 syncdev en0 syncpeer 172.24.0.3 $IFCONFIG pfsync0 up update_addresses_of_interface "en1 192.168.1.2/0xffffff00" "" update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" $IFCONFIG carp0 
vhid 101 pass secret carpdev en0 update_addresses_of_interface "carp0 172.24.0.1/0xffffff00" "" $IFCONFIG carp1 vhid 100 pass secret carpdev en1 update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:31 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/pf_cluster_1_openbsd-1.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/pf_cluster_1_openbsd-2.conf.orig000066400000000000000000000036571303637203600231600ustar00rootroot00000000000000 # Tables: (2) table { 172.24.0.1 , 172.24.0.3 , 192.168.1.1 , 192.168.1.3 } table { 172.24.0.1 , 172.24.0.3 } # # Rule 0 (NAT) nat on en0 from 192.168.1.0/24 to any -> (carp0) # # Rule 1 (NAT) nat on en0 from 192.168.1.0/24 to any -> 172.24.0.1 # # Rule 2 (NAT) nat from 192.168.1.0/24 to any -> 172.24.0.1 # # Rule 3 (NAT) nat on en0 from 192.168.1.0/24 to any -> { (en0) , (en0) } # # Rule 4 (NAT) nat from 192.168.1.0/24 to any -> (en0) # # Rule 5 (NAT) nat on en0 from 192.168.1.0/24 to any -> (en0) # # Rule 6 (NAT) rdr on en0 proto tcp from any to 172.24.0.1 port 80 -> 172.24.0.100 port 80 # # Rule 7 (NAT) rdr on en0 proto tcp from any to 172.24.0.1 port 80 -> 172.24.0.100 port 80 # # Rule 8 (NAT) rdr proto tcp from any to 172.24.0.1 port 80 -> 172.24.0.100 port 80 # # Rule -3 pfsync (automatic) pass quick on en0 inet proto pfsync from any to any label "RULE -3 -- ACCEPT " # # Rule -2 CARP (automatic) pass quick on en1 inet proto carp from any to any label "RULE -2 -- ACCEPT " # # Rule -1 CARP (automatic) pass quick on en0 inet proto carp from any to any label "RULE -1 -- ACCEPT " # # Rule 0 (lo0) pass quick on lo0 inet from any to any label "RULE 0 -- ACCEPT " # # Rule 1 (global) pass quick inet from any to label "RULE 1 -- ACCEPT " # # Rule 2 (global) pass quick inet from to any label "RULE 2 -- ACCEPT " # # Rule 3 (global) pass quick inet from any to label "RULE 3 -- ACCEPT " # # Rule 4 (carp0) pass in quick on en0 inet from 
any to any label "RULE 4 -- ACCEPT " # # Rule 5 (carp0) pass in quick on en1 inet from any to any label "RULE 5 -- ACCEPT " # # Rule 6 (global) block log quick inet from any to any no state label "RULE 6 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/pf_cluster_1_openbsd-2.fw.orig000077500000000000000000000114411303637203600226400ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:31 2011 PST by vadim # # files: * pf_cluster_1_openbsd-2.fw /etc/pf_cluster_1_openbsd-2.fw # files: pf_cluster_1_openbsd-2.conf /etc/pf_cluster_1_openbsd-2.conf # # Compiled for pf 4.x # FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } sync_carp_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG 
$intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" exit 1 } } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_carp_interfaces carp0 carp1 update_addresses_of_interface "en0 172.24.0.3/0xffffff00 172.24.0.2/0xffffff00" "" update_addresses_of_interface "en1 192.168.1.3/0xffffff00" "" update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" $IFCONFIG carp0 vhid 101 pass secret advskew 1 carpdev en0 update_addresses_of_interface "carp0 172.24.0.1/0xffffff00" "" $IFCONFIG carp1 vhid 100 pass secret advskew 1 carpdev en1 update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:31 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/pf_cluster_1_openbsd-2.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/pf_cluster_2_freebsd-1.conf.orig000066400000000000000000000010721303637203600231250ustar00rootroot00000000000000 # # Rule -3 pfsync (automatic) pass quick on en0 inet proto pfsync from any to any label "RULE -3 -- ACCEPT " # # Rule -2 CARP (automatic) pass quick on en1 inet proto carp from any to any label "RULE -2 -- ACCEPT " # # Rule -1 CARP (automatic) pass quick on en0 inet proto carp from any to any label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/pf_cluster_2_freebsd-1.fw.orig000077500000000000000000000170511303637203600226230ustar00rootroot00000000000000#!/bin/sh # # This 
is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:32 2011 PST by vadim # # files: * pf_cluster_2_freebsd-1.fw /etc/pf_cluster_2_freebsd-1.fw # files: pf_cluster_2_freebsd-1.conf /etc/pf_cluster_2_freebsd-1.conf # # Compiled for pf 4.0 # FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { 
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test "$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in 
ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } sync_carp_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces sync_carp_interfaces carp0 carp1 sync_pfsync_interfaces pfsync0 update_addresses_of_interface "en0 172.24.0.2/0xffffff00" "" $IFCONFIG pfsync0 syncdev en0 $IFCONFIG pfsync0 up update_addresses_of_interface "en1 192.168.1.2/0xffffff00" "" $IFCONFIG carp0 vhid 101 pass secret 
advskew 5 update_addresses_of_interface "carp0 172.24.0.1/0xffffff00 172.24.0.1/0xffffff00" "" $IFCONFIG carp1 vhid 100 pass secret advskew 5 update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:32 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/pf_cluster_2_freebsd-1.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/pf_cluster_2_freebsd-2.conf.orig000066400000000000000000000010721303637203600231260ustar00rootroot00000000000000 # # Rule -3 pfsync (automatic) pass quick on en0 inet proto pfsync from any to any label "RULE -3 -- ACCEPT " # # Rule -2 CARP (automatic) pass quick on en1 inet proto carp from any to any label "RULE -2 -- ACCEPT " # # Rule -1 CARP (automatic) pass quick on en0 inet proto carp from any to any label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any no state label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/pf_cluster_2_freebsd-2.fw.orig000077500000000000000000000113751303637203600226270ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:32 2011 PST by vadim # # files: * pf_cluster_2_freebsd-2.fw /etc/pf_cluster_2_freebsd-2.fw # files: pf_cluster_2_freebsd-2.conf /etc/pf_cluster_2_freebsd-2.conf # # Compiled for pf 4.0 # FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope 
$interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } sync_carp_interfaces() { $IFCONFIG | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" 
exit 1 } } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_carp_interfaces carp0 carp1 update_addresses_of_interface "en0 172.24.0.3/0xffffff00" "" update_addresses_of_interface "en1 192.168.1.3/0xffffff00" "" $IFCONFIG carp0 vhid 101 pass secret advskew 10 update_addresses_of_interface "carp0 172.24.0.1/0xffffff00 172.24.0.1/0xffffff00" "" $IFCONFIG carp1 vhid 100 pass secret advskew 10 update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:32 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/pf_cluster_2_freebsd-2.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/pf_cluster_3_openbsd-3.conf.orig000066400000000000000000000040211303637203600231450ustar00rootroot00000000000000 # Tables: (1) table { 172.20.0.1 , 172.20.0.2 , 172.24.0.1 , 172.24.0.2 , 192.168.1.1 , 192.168.1.2 } # # Rule -3 CARP (automatic) pass quick on vlan100 inet proto carp from any to any label "RULE -3 -- ACCEPT " # # Rule -2 CARP (automatic) pass quick on en1 inet proto carp from any to any label "RULE -2 -- ACCEPT " # # Rule -1 CARP (automatic) pass quick on en0 inet proto carp from any to any label "RULE -1 -- ACCEPT " # # Rule 0 (carp0) block in log quick on en0 inet from to any no state label "RULE 0 -- DROP " # # Rule 1 (carp0) pass quick on en0 inet from any to any label "RULE 1 -- ACCEPT " # # Rule 2 (carp0,carp1) pass quick on { en0 en1 } inet proto tcp from any to port 22 label "RULE 2 -- ACCEPT " # # Rule 3 (cl3 itf) pass quick on { en0 en1 } inet proto tcp from any to port 22 label "RULE 3 -- ACCEPT " # # Rule 4 (carp0) pass quick on { en1 en2 vlan100 } inet from any to any label "RULE 4 -- ACCEPT " # # Rule 5 (carp0,carp1) pass quick on { en2 vlan100 } inet from any to any label "RULE 5 -- ACCEPT " # # 
Rule 6 (carp0,carp1,carp2) pass quick on en2 inet from any to any label "RULE 6 -- ACCEPT " # # Rule 7 (carp0) pass in quick on { en1 en2 vlan100 } inet from any to any label "RULE 7 -- ACCEPT " # # Rule 8 (carp0,carp1) pass in quick on { en2 vlan100 } inet from any to any label "RULE 8 -- ACCEPT " # # Rule 9 (carp0) pass out quick on { en1 en2 vlan100 } inet from any to any label "RULE 9 -- ACCEPT " # # Rule 10 (carp0,carp1) pass out quick on { en2 vlan100 } inet from any to any label "RULE 10 -- ACCEPT " # # Rule 11 (carp0) pass quick on { en1 en2 vlan100 } inet from any to label "RULE 11 -- ACCEPT " # # Rule 12 (carp0,carp1) pass quick on { en2 vlan100 } inet from any to label "RULE 12 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/pf_cluster_3_openbsd-3.fw.orig000077500000000000000000000173551303637203600226550ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:32 2011 PST by vadim # # files: * pf_cluster_3_openbsd-3.fw /etc/pf_cluster_3_openbsd-3.fw # files: pf_cluster_3_openbsd-3.conf /etc/pf_cluster_3_openbsd-3.conf # # Compiled for pf 4.6 # FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test 
"$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG -A | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } sync_carp_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. 
Does the kernel have CARP enabled?" exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces vlan100 sync_carp_interfaces carp0 carp1 carp2 sync_pfsync_interfaces update_addresses_of_interface "en0 172.24.0.2/0xffffff00" "" update_addresses_of_interface "en1 192.168.1.2/0xffffff00" "" update_vlans_of_interface "en2 vlan100:100" update_addresses_of_interface "en2" "" update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" update_addresses_of_interface "vlan100 172.20.0.2/0xffffff00" "" $IFCONFIG carp0 vhid 1 carpdev en0 update_addresses_of_interface "carp0 172.24.0.1/0xffffff00" "" $IFCONFIG carp1 vhid 1 carpdev en1 update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" $IFCONFIG carp2 vhid 1 carpdev vlan100 update_addresses_of_interface "carp2 172.20.0.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:32 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/pf_cluster_3_openbsd-3.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/pf_cluster_3_openbsd-4.conf.orig000066400000000000000000000040211303637203600231460ustar00rootroot00000000000000 # Tables: (1) table { 172.20.0.1 , 172.20.0.3 , 172.24.0.1 , 172.24.0.3 , 192.168.1.1 , 192.168.1.3 } # # Rule -3 CARP (automatic) pass quick on vlan100 inet proto carp from any to any label 
"RULE -3 -- ACCEPT " # # Rule -2 CARP (automatic) pass quick on en1 inet proto carp from any to any label "RULE -2 -- ACCEPT " # # Rule -1 CARP (automatic) pass quick on en0 inet proto carp from any to any label "RULE -1 -- ACCEPT " # # Rule 0 (carp0) block in log quick on en0 inet from to any no state label "RULE 0 -- DROP " # # Rule 1 (carp0) pass quick on en0 inet from any to any label "RULE 1 -- ACCEPT " # # Rule 2 (carp0,carp1) pass quick on { en0 en1 } inet proto tcp from any to port 22 label "RULE 2 -- ACCEPT " # # Rule 3 (cl3 itf) pass quick on { en0 en1 } inet proto tcp from any to port 22 label "RULE 3 -- ACCEPT " # # Rule 4 (carp0) pass quick on { en1 en2 vlan100 } inet from any to any label "RULE 4 -- ACCEPT " # # Rule 5 (carp0,carp1) pass quick on { en2 vlan100 } inet from any to any label "RULE 5 -- ACCEPT " # # Rule 6 (carp0,carp1,carp2) pass quick on en2 inet from any to any label "RULE 6 -- ACCEPT " # # Rule 7 (carp0) pass in quick on { en1 en2 vlan100 } inet from any to any label "RULE 7 -- ACCEPT " # # Rule 8 (carp0,carp1) pass in quick on { en2 vlan100 } inet from any to any label "RULE 8 -- ACCEPT " # # Rule 9 (carp0) pass out quick on { en1 en2 vlan100 } inet from any to any label "RULE 9 -- ACCEPT " # # Rule 10 (carp0,carp1) pass out quick on { en2 vlan100 } inet from any to any label "RULE 10 -- ACCEPT " # # Rule 11 (carp0) pass quick on { en1 en2 vlan100 } inet from any to label "RULE 11 -- ACCEPT " # # Rule 12 (carp0,carp1) pass quick on { en2 vlan100 } inet from any to label "RULE 12 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/pf_cluster_3_openbsd-4.fw.orig000077500000000000000000000117431303637203600226510ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! 
# # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:32 2011 PST by vadim # # files: * pf_cluster_3_openbsd-4.fw /etc/pf_cluster_3_openbsd-4.fw # files: pf_cluster_3_openbsd-4.conf /etc/pf_cluster_3_openbsd-4.conf # # Compiled for pf 4.6 # FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") 
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } sync_carp_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" 
exit 1 } } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_carp_interfaces carp0 carp1 carp2 update_addresses_of_interface "en0 172.24.0.3/0xffffff00" "" update_addresses_of_interface "en1 192.168.1.3/0xffffff00" "" update_addresses_of_interface "en2" "" update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" update_addresses_of_interface "vlan100 172.20.0.3/0xffffff00" "" $IFCONFIG carp0 vhid 1 advskew 1 carpdev en0 update_addresses_of_interface "carp0 172.24.0.1/0xffffff00" "" $IFCONFIG carp1 vhid 1 advskew 1 carpdev en1 update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" $IFCONFIG carp2 vhid 1 advskew 1 carpdev vlan100 update_addresses_of_interface "carp2 172.20.0.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:32 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/pf_cluster_3_openbsd-4.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/pf_cluster_4_pf.conf.orig000066400000000000000000000011111303637203600217560ustar00rootroot00000000000000 # # Rule -3 pfsync (automatic) pass quick on en0 inet proto pfsync from any to any keep state label "RULE -3 -- ACCEPT " # # Rule -2 CARP (automatic) pass quick on en1 inet proto carp from any to any keep state label "RULE -2 -- ACCEPT " # # Rule -1 CARP (automatic) pass quick on en0 inet proto carp from any to any keep state label "RULE -1 -- ACCEPT " # # Rule 0 (global) block log quick inet from any to any label "RULE 0 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP " fwbuilder-5.3.7/test/pf/pf_cluster_5_openbsd-3.conf.orig000066400000000000000000000011651303637203600231550ustar00rootroot00000000000000 # # Rule 0 (NAT) # rule is attached to physical interface en0 # but uses address of carp0 for translation nat on 
en0 from 192.168.1.0/24 to any -> (carp0) # # Rule -3 CARP (automatic) pass quick on vlan100 inet proto carp from any to any label "RULE -4 -- ACCEPT " # # Rule -2 CARP (automatic) pass quick on en1 inet proto carp from any to any label "RULE -3 -- ACCEPT " # # Rule -1 CARP (automatic) pass quick on en0 inet proto carp from any to any label "RULE -2 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE -1 -- DROP " fwbuilder-5.3.7/test/pf/pf_cluster_5_openbsd-3.fw.orig000077500000000000000000000173551303637203600226570ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:32 2011 PST by vadim # # files: * pf_cluster_5_openbsd-3.fw /etc/pf_cluster_5_openbsd-3.fw # files: pf_cluster_5_openbsd-3.conf /etc/pf_cluster_5_openbsd-3.conf # # Compiled for pf 4.6 # FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } missing_vlan() { vlan=$1 cmd=$2 oldIFS=$IFS IFS="@:" set $vlan subint=$1 vlan_id=$2 parent=$3 IFS=$oldIFS test "$cmd" = "add" && { echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1 $FWBDEBUG $IFCONFIG $subint up || exit 1 } test 
"$cmd" = "rem" && { echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)" $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1 $FWBDEBUG $IFCONFIG $subint destroy || exit 1 } } parse_fwb_vlans() { set $1 vlan_parent=$1 shift FWB_VLANS=$( for subint in $*; do echo "${subint}@$vlan_parent" done | sort ) echo $FWB_VLANS } parse_current_vlans() { vlan_parent=$1 $IFCONFIG -A | grep -E 'vlan[^ ]*:' | paste - - | \ sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \ while read vlan_subint vlan_id parent do test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent" done | sort } update_vlans_of_interface() { args="$1" set $1 vlan_parent=$1 FWB_VLANS=$(parse_fwb_vlans "$args") CURRENT_VLANS=$(parse_current_vlans $vlan_parent) $IFCONFIG $vlan_parent up || exit 1 diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem } sync_vlan_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting vlan interface $intf" $FWBDEBUG $IFCONFIG $intf destroy || exit 1 done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating vlan interface $intf" $FWBDEBUG $IFCONFIG $intf create || exit 1 } done } sync_carp_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. 
Does the kernel have CARP enabled?" exit 1 } } done } sync_pfsync_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating pfsync interface $intf" $FWBDEBUG $IFCONFIG $intf create } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_vlan_interfaces vlan100 sync_carp_interfaces carp0 carp1 carp2 sync_pfsync_interfaces update_addresses_of_interface "en0 172.24.0.2/0xffffff00" "" update_addresses_of_interface "en1 192.168.1.2/0xffffff00" "" update_vlans_of_interface "en2 vlan100:100" update_addresses_of_interface "en2" "" update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" update_addresses_of_interface "vlan100 172.20.0.2/0xffffff00" "" $IFCONFIG carp0 vhid 1 carpdev en0 update_addresses_of_interface "carp0 172.24.0.1/0xffffff00" "" $IFCONFIG carp1 vhid 1 carpdev en1 update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" $IFCONFIG carp2 vhid 1 carpdev vlan100 update_addresses_of_interface "carp2 172.20.0.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:32 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/pf_cluster_5_openbsd-3.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/pf_cluster_5_openbsd-4.conf.orig000066400000000000000000000011651303637203600231560ustar00rootroot00000000000000 # # Rule 0 (NAT) # rule is attached to physical interface en0 # but uses address of carp0 for translation nat on en0 from 192.168.1.0/24 to any -> (carp0) # # Rule -3 CARP (automatic) pass 
quick on vlan100 inet proto carp from any to any label "RULE -4 -- ACCEPT " # # Rule -2 CARP (automatic) pass quick on en1 inet proto carp from any to any label "RULE -3 -- ACCEPT " # # Rule -1 CARP (automatic) pass quick on en0 inet proto carp from any to any label "RULE -2 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet from any to any no state label "RULE -1 -- DROP " fwbuilder-5.3.7/test/pf/pf_cluster_5_openbsd-4.fw.orig000077500000000000000000000117431303637203600226530ustar00rootroot00000000000000#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.1.3591 # # Generated Wed Nov 30 18:39:32 2011 PST by vadim # # files: * pf_cluster_5_openbsd-4.fw /etc/pf_cluster_5_openbsd-4.fw # files: pf_cluster_5_openbsd-4.conf /etc/pf_cluster_5_openbsd-4.conf # # Compiled for pf 4.6 # FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! 
netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } sync_carp_interfaces() { $IFCONFIG -A | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;} } ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\ while read intf; do echo "# Deleting carp interface $intf" $FWBDEBUG $IFCONFIG 
$intf destroy done for intf in $*; do $IFCONFIG $intf >/dev/null 2>&1 || { echo "# Creating carp interface $intf" $SYSCTL -w net.inet.carp.allow=1 $FWBDEBUG $IFCONFIG $intf create || { echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?" exit 1 } } done } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : sync_carp_interfaces carp0 carp1 carp2 update_addresses_of_interface "en0 172.24.0.3/0xffffff00" "" update_addresses_of_interface "en1 192.168.1.3/0xffffff00" "" update_addresses_of_interface "en2" "" update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" update_addresses_of_interface "vlan100 172.20.0.3/0xffffff00" "" $IFCONFIG carp0 vhid 1 advskew 1 carpdev en0 update_addresses_of_interface "carp0 172.24.0.1/0xffffff00" "" $IFCONFIG carp1 vhid 1 advskew 1 carpdev en1 update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" $IFCONFIG carp2 vhid 1 advskew 1 carpdev vlan100 update_addresses_of_interface "carp2 172.20.0.1/0xffffff00" "" } log "Activating firewall script generated Wed Nov 30 18:39:32 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/pf_cluster_5_openbsd-4.conf || exit 1 epilog_commandsfwbuilder-5.3.7/test/pf/quick-cmp.sh000077500000000000000000000006261303637203600173340ustar00rootroot00000000000000#!/bin/sh DIFFCMD="diff -C 5 -c -b -B -w -I \"# Generated\" -I 'Activating ' -I '# Firewall Builder fwb_pf v' -I 'Can not find file' -I '====' -I 'log '" for f in $(ls *.fw.orig *rc.conf*.orig *.conf.orig) do V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" new_f=$(echo $f | sed 's/.orig//') echo "$DIFFCMD $f $new_f" done fwbuilder-5.3.7/test/pf/recycle000077500000000000000000000001721303637203600164540ustar00rootroot00000000000000#!/bin/sh for f in *.fw 
*rc.conf*; do j=${f}.orig mv $f $j done for f in *.conf; do j=${f}.orig mv $f $j done fwbuilder-5.3.7/test/pf/run-clusters.all000077500000000000000000000007731303637203600202520ustar00rootroot00000000000000#!/bin/sh #XMLFILE="objects-for-regression-tests.fwb" #fwbedit list -f $XMLFILE -o /User/Firewalls -c -F%name% | \ # sort | while read fwobj #do # echo "echo" # echo "echo \"============================ $fwobj\"" # echo "fwb_pf -v -f $XMLFILE -xt $fwobj" #done XMLFILE="cluster-tests.fwb" fwbedit list -f $XMLFILE -o /User/Clusters -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_pf -v -f $XMLFILE -xt -xc $fwobj" done fwbuilder-5.3.7/test/pf/run.all000077500000000000000000000007631303637203600164070ustar00rootroot00000000000000#!/bin/sh XMLFILE="objects-for-regression-tests.fwb" fwbedit list -f $XMLFILE -o /User/Firewalls -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_pf -v -f $XMLFILE -xt $fwobj" done XMLFILE="cluster-tests.fwb" fwbedit list -f $XMLFILE -o /User/Clusters -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_pf -v -f $XMLFILE -xt -xc $fwobj" done fwbuilder-5.3.7/test/pix/000077500000000000000000000000001303637203600152735ustar00rootroot00000000000000fwbuilder-5.3.7/test/pix/Makefile000066400000000000000000000007221303637203600167340ustar00rootroot00000000000000 FW_OBJECTS := $(shell fwbedit list -f objects-for-regression-tests.fwb -o /User/Firewalls -c -F%name% | sort) CL_OBJECTS := $(shell fwbedit list -f cluster-tests.fwb -o /User/Clusters -c -F%name% | sort) $(FW_OBJECTS): fwb_pix -f objects-for-regression-tests.fwb -xt $@ $(CL_OBJECTS): fwb_pix -f cluster-tests.fwb -xt -xc $@ .PHONY: all firewalls clusters $(FW_OBJECTS) $(CL_OBJECTS) all: firewalls clusters firewalls: $(FW_OBJECTS) clusters: $(CL_OBJECTS) 
fwbuilder-5.3.7/test/pix/addr-table-1.tbl000066400000000000000000000003041303637203600201300ustar00rootroot00000000000000# this is a comment # ; this should be a comment too ; 192.168.1.1 192.168.1.2/32 192.168.1.3/30 192.168.2.128/25 192.168.1.200/32 # comment again 192.168.1.201/32 # this should work, too fwbuilder-5.3.7/test/pix/block-hosts.tbl000066400000000000000000000016301303637203600202260ustar00rootroot00000000000000# # use this table to test run-time AddressTable object # (this is just a small collection of addresses that sent spam to me # on Nov 20 2005) # 151.8.224.178 # this is also a comment 168.156.76.20 193.207.126.36 195.136.186.35 196.15.136.15 201.10.180.138 201.17.93.16 201.36.156.121 202.103.25.253 202.96.112.93 203.162.3.209 203.209.124.144 210.106.193.237 210.222.114.102 211.144.143.143 211.172.218.237 211.250.16.132 212.100.212.100 212.21.241.31 218.104.138.146 218.18.72.252 218.39.114.122 218.55.115.43 219.132.104.160 220.71.17.86 220.81.50.105 220.91.99.46 221.14.249.242 221.166.177.135 221.198.33.38 221.202.160.233 221.205.54.125 221.217.44.248 222.100.212.223 222.121.118.144 222.174.113.2 58.231.13.78 58.33.181.83 58.53.82.190 61.150.47.112 61.184.14.102 64.106.85.186 70.228.60.100 80.243.72.149 80.249.77.34 80.51.236.6 81.196.74.125 81.2.36.254 82.117.221.205 82.143.196.17 82.77.37.174 84.90.8.198 fwbuilder-5.3.7/test/pix/cluster-tests.fwb000066400000000000000000005136131303637203600206250ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established -m state --state ESTABLISHED,RELATED -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk fwbuilder-5.3.7/test/pix/cluster1-1_pix1.fw.orig000077500000000000000000000123271303637203600214410ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:17 2011 PDT by vadim ! ! 
Compiled for pix 7.0 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: yes ! Assume firewall is part of any: yes ! !# files: * cluster1-1_pix1.fw ! ! ! pix1::: warning: Interface Ethernet0 has vlan subinterfaces, it can not be used for ACL. Marking this interface "unprotected" to exclude it. ! ! Prolog script: ! ! ! End of prolog script: ! hostname pix1 interface Ethernet1 nameif inside ip address 10.3.14.206 255.255.255.0 standby 10.3.14.207 security-level 100 exit interface Ethernet0 no nameif no ip address no security-level exit interface Ethernet2 description LAN/STATE Failover Interface no nameif exit interface Ethernet0.101 vlan 101 nameif outside ip address 192.0.2.253 255.255.255.0 standby 192.0.2.254 security-level 0 exit interface Ethernet0.102 vlan 102 nameif dmz20 ip address 10.0.0.253 255.255.255.0 standby 10.0.0.254 security-level 20 exit failover lan unit primary failover lan interface failover Ethernet2 failover lan enable failover key super_secret failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254 failover link failover Ethernet2 failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254 failover no logging buffered no logging console no logging timestamp no logging on timeout xlate 0:0:30 timeout conn 0:0:0 timeout udp 0:0:0 timeout sunrpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global !################ clear xlate clear config static clear config global clear config nat clear config access-list 
clear config icmp clear config telnet clear config object-group clear config object object-group network id56590X61097.src.net.0 network-object host 10.3.14.206 network-object host 10.3.14.207 exit object-group network id56590X61097.src.net.1 network-object host 172.17.1.253 network-object host 172.17.1.254 network-object host 192.0.2.253 network-object host 192.0.2.254 exit object-group network id56590X61097.src.net.2 network-object host 10.0.0.253 network-object host 10.0.0.254 exit object-group network id56627X61097.src.net.0 network-object host 172.17.1.253 network-object host 192.0.2.253 exit ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule access-list outside_in deny ip object-group id56590X61097.src.net.0 any log 2 interval 300 access-list outside_in deny ip object-group id56590X61097.src.net.1 any log 2 interval 300 access-list outside_in deny ip object-group id56590X61097.src.net.2 any log 2 interval 300 access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 2 interval 300 ! ! Rule 1 (global) ! SSH Access to firewall is permitted ! only from internal network ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 3 (global) ! Firewall uses one of the machines ! on internal network for DNS access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 access-list inside_out permit udp object-group id56627X61097.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 ! ! Rule 4 (global) ! Firewall uses one of the machines ! 
on internal network for DNS access-list inside_out permit udp object-group id56590X61097.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 access-list inside_out permit udp object-group id56590X61097.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 access-list inside_out permit udp object-group id56590X61097.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 ! ! Rule 5 (global) ! All other attempts to connect to ! the firewall are denied and logged access-list inside_in deny ip any object-group id56590X61097.src.net.0 log 2 interval 300 access-list inside_in deny ip any object-group id56590X61097.src.net.1 log 2 interval 300 access-list inside_in deny ip any object-group id56590X61097.src.net.2 log 2 interval 300 ! ! Rule 6 (global) access-list inside_in permit ip 10.3.14.0 255.255.255.0 any access-list inside_out permit ip 10.3.14.0 255.255.255.0 any ! ! Rule 7 (global) access-list inside_in deny ip any any log 2 interval 300 access-list inside_out deny ip any any log 2 interval 300 access-group inside_in in interface inside access-group inside_out out interface inside access-group outside_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id56689X61097.0 permit ip 10.3.14.0 255.255.255.0 any nat (inside) 1 access-list id56689X61097.0 tcp 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/cluster1-1_pix2.fw.orig000077500000000000000000000123311303637203600214350ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:17 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: yes ! Assume firewall is part of any: yes ! !# files: * cluster1-1_pix2.fw ! ! ! pix2::: warning: Interface Ethernet0 has vlan subinterfaces, it can not be used for ACL. Marking this interface "unprotected" to exclude it. ! ! Prolog script: ! 
! ! End of prolog script: ! hostname pix2 interface Ethernet1 nameif inside ip address 10.3.14.207 255.255.255.0 standby 10.3.14.206 security-level 100 exit interface Ethernet0 no nameif no ip address no security-level exit interface Ethernet2 description LAN/STATE Failover Interface no nameif exit interface Ethernet0.101 vlan 101 nameif outside ip address 192.0.2.254 255.255.255.0 standby 192.0.2.253 security-level 0 exit interface Ethernet0.102 vlan 102 nameif dmz20 ip address 10.0.0.254 255.255.255.0 standby 10.0.0.253 security-level 20 exit failover lan unit secondary failover lan interface failover Ethernet2 failover lan enable failover key super_secret failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254 failover link failover Ethernet2 failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254 failover no logging buffered no logging console no logging timestamp no logging on timeout xlate 0:0:30 timeout conn 0:0:0 timeout udp 0:0:0 timeout sunrpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global !################ clear xlate clear config static clear config global clear config nat clear config access-list clear config icmp clear config telnet clear config object-group clear config object object-group network id56590X61097.src.net.0 network-object host 10.3.14.206 network-object host 10.3.14.207 exit object-group network id56590X61097.src.net.1 network-object host 172.17.1.253 network-object host 172.17.1.254 network-object host 192.0.2.253 
network-object host 192.0.2.254 exit object-group network id56590X61097.src.net.2 network-object host 10.0.0.253 network-object host 10.0.0.254 exit object-group network id56627X61097.src.net.0 network-object host 172.17.1.253 network-object host 192.0.2.253 exit ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule access-list outside_in deny ip object-group id56590X61097.src.net.0 any log 3 interval 300 access-list outside_in deny ip object-group id56590X61097.src.net.1 any log 3 interval 300 access-list outside_in deny ip object-group id56590X61097.src.net.2 any log 3 interval 300 access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 3 interval 300 ! ! Rule 1 (global) ! SSH Access to firewall is permitted ! only from internal network ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 3 (global) ! Firewall uses one of the machines ! on internal network for DNS access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 access-list inside_out permit udp object-group id56627X61097.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 ! ! Rule 4 (global) ! Firewall uses one of the machines ! on internal network for DNS access-list inside_out permit udp object-group id56590X61097.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 access-list inside_out permit udp object-group id56590X61097.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 access-list inside_out permit udp object-group id56590X61097.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 ! ! Rule 5 (global) ! All other attempts to connect to ! 
the firewall are denied and logged access-list inside_in deny ip any object-group id56590X61097.src.net.0 log 3 interval 300 access-list inside_in deny ip any object-group id56590X61097.src.net.1 log 3 interval 300 access-list inside_in deny ip any object-group id56590X61097.src.net.2 log 3 interval 300 ! ! Rule 6 (global) access-list inside_in permit ip 10.3.14.0 255.255.255.0 any access-list inside_out permit ip 10.3.14.0 255.255.255.0 any ! ! Rule 7 (global) access-list inside_in deny ip any any log 3 interval 300 access-list inside_out deny ip any any log 3 interval 300 access-group inside_in in interface inside access-group inside_out out interface inside access-group outside_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id56689X61097.0 permit ip 10.3.14.0 255.255.255.0 any nat (inside) 1 access-list id56689X61097.0 tcp 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/cluster1_pix1.fw.orig000077500000000000000000000151701303637203600213020ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:17 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: yes ! Assume firewall is part of any: yes ! !# files: * cluster1_pix1.fw ! ! ! pix1::: warning: Interface Ethernet0 has vlan subinterfaces, it can not be used for ACL. Marking this interface "unprotected" to exclude it. ! ! Prolog script: ! ! ! End of prolog script: ! 
hostname pix1 interface Ethernet1 nameif inside ip address 10.3.14.206 255.255.255.0 standby 10.3.14.207 security-level 100 exit interface Ethernet0 no nameif no ip address no security-level exit interface Ethernet2 description LAN/STATE Failover Interface no nameif exit interface Ethernet0.101 vlan 101 nameif outside ip address 192.0.2.253 255.255.255.0 standby 192.0.2.254 security-level 0 exit interface Ethernet0.102 vlan 102 nameif dmz20 ip address 10.0.0.253 255.255.255.0 standby 10.0.0.254 security-level 20 exit failover lan unit primary failover lan interface failover Ethernet2 failover lan enable failover key super_secret failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254 failover link failover Ethernet2 failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254 failover no logging buffered no logging console no logging timestamp no logging on timeout xlate 0:0:30 timeout conn 0:0:0 timeout udp 0:0:0 timeout sunrpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global !################ clear xlate clear config static clear config global clear config nat clear config access-list clear config icmp clear config telnet clear config object-group clear config object object-group network id2913X78273.src.net.0 network-object host 10.3.14.206 network-object host 10.3.14.207 exit object-group network id2913X78273.src.net.1 network-object host 172.17.1.253 network-object host 172.17.1.254 network-object host 192.0.2.253 network-object host 192.0.2.254 exit 
object-group network id2913X78273.src.net.2 network-object host 10.0.0.253 network-object host 10.0.0.254 exit object-group network id55439X897.src.net.0 network-object host 172.17.1.253 network-object host 192.0.2.253 exit ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule access-list outside_in deny ip object-group id2913X78273.src.net.0 any log 2 interval 300 access-list outside_in deny ip object-group id2913X78273.src.net.1 any log 2 interval 300 access-list outside_in deny ip object-group id2913X78273.src.net.2 any log 2 interval 300 access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 2 interval 300 ! ! Rule 1 (global) ! SSH Access to firewall is permitted ! only from internal network ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 3 (global) ! Firewall uses one of the machines ! on internal network for DNS access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 access-list inside_out permit udp object-group id55439X897.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 ! ! Rule 4 (global) ! Firewall uses one of the machines ! on internal network for DNS access-list inside_out permit udp object-group id2913X78273.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 access-list inside_out permit udp object-group id2913X78273.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 access-list inside_out permit udp object-group id2913X78273.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 ! ! 
Rule 5 (Ethernet0.101,Ethernet0.102) ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ! ! Rule 6 (cl1 itf) ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ! ! Rule 7 (Ethernet0.101,Ethernet0.102) access-list outside_in permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list outside_out permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list dmz20_in permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list dmz20_out permit udp any 10.3.14.0 255.255.255.0 eq 53 ! ! Rule 8 (cl1 itf) access-list outside_in permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list outside_out permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list dmz20_in permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list dmz20_out permit udp any 10.3.14.0 255.255.255.0 eq 53 ! ! Rule 9 (global) ! All other attempts to connect to ! the firewall are denied and logged access-list inside_in deny ip any object-group id2913X78273.src.net.0 log 2 interval 300 access-list inside_in deny ip any object-group id2913X78273.src.net.1 log 2 interval 300 access-list inside_in deny ip any object-group id2913X78273.src.net.2 log 2 interval 300 ! ! Rule 10 (global) access-list inside_in permit ip 10.3.14.0 255.255.255.0 any access-list inside_out permit ip 10.3.14.0 255.255.255.0 any ! ! 
Rule 11 (global) access-list inside_in deny ip any any log 2 interval 300 access-list inside_out deny ip any any log 2 interval 300 access-group dmz20_in in interface dmz20 access-group dmz20_out out interface dmz20 access-group inside_in in interface inside access-group inside_out out interface inside access-group outside_in in interface outside access-group outside_out out interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id4606X78273.0 permit ip 10.3.14.0 255.255.255.0 any nat (inside) 1 access-list id4606X78273.0 tcp 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/cluster1_pix2.fw.orig000077500000000000000000000153631303637203600213070ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:17 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: yes ! Assume firewall is part of any: yes ! !# files: * cluster1_pix2.fw ! ! ! pix2::: warning: Interface Ethernet0 has vlan subinterfaces, it can not be used for ACL. Marking this interface "unprotected" to exclude it. ! ! Prolog script: ! ! ! End of prolog script: ! 
hostname pix2 interface Ethernet1 nameif inside ip address 10.3.14.207 255.255.255.0 standby 10.3.14.206 security-level 100 exit interface Ethernet0 no nameif no ip address no security-level exit interface Ethernet2 description LAN/STATE Failover Interface no nameif exit interface Ethernet0.101 vlan 101 nameif outside ip address 192.0.2.254 255.255.255.0 standby 192.0.2.253 security-level 0 exit interface Ethernet0.102 vlan 102 nameif dmz20 ip address 10.0.0.254 255.255.255.0 standby 10.0.0.253 security-level 20 exit failover lan unit secondary failover lan interface failover Ethernet2 failover lan enable failover key super_secret failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254 failover link failover Ethernet2 failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254 failover no logging buffered no logging console no logging timestamp no logging on timeout xlate 0:0:30 timeout conn 0:0:0 timeout udp 0:0:0 timeout sunrpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global !################ clear xlate clear config static clear config global clear config nat clear config access-list clear config icmp clear config telnet clear config object-group clear config object object-group network id2913X78273.src.net.0 network-object host 10.3.14.206 network-object host 10.3.14.207 exit object-group network id2913X78273.src.net.1 network-object host 172.17.1.253 network-object host 172.17.1.254 network-object host 192.0.2.253 network-object host 192.0.2.254 exit 
object-group network id2913X78273.src.net.2 network-object host 10.0.0.253 network-object host 10.0.0.254 exit object-group network id55439X897.src.net.0 network-object host 172.17.1.253 network-object host 192.0.2.253 exit object-group network id3401X82678.dst.net.0 network-object host 172.17.1.254 network-object host 192.0.2.254 exit ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule access-list outside_in deny ip object-group id2913X78273.src.net.0 any log 3 interval 300 access-list outside_in deny ip object-group id2913X78273.src.net.1 any log 3 interval 300 access-list outside_in deny ip object-group id2913X78273.src.net.2 any log 3 interval 300 access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 3 interval 300 ! ! Rule 1 (global) ! SSH Access to firewall is permitted ! only from internal network ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 3 (global) ! Firewall uses one of the machines ! on internal network for DNS access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 access-list inside_out permit udp object-group id55439X897.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 ! ! Rule 4 (global) ! Firewall uses one of the machines ! on internal network for DNS access-list inside_out permit udp object-group id2913X78273.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 access-list inside_out permit udp object-group id2913X78273.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 access-list inside_out permit udp object-group id2913X78273.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 ! ! 
Rule 5 (Ethernet0.101,Ethernet0.102) ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ! ! Rule 6 (cl1 itf) ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ssh 0.0.0.0 0.0.0.0 dmz20 ! ! Rule 7 (Ethernet0.101,Ethernet0.102) access-list outside_in permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list outside_out permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list dmz20_in permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list dmz20_out permit udp any 10.3.14.0 255.255.255.0 eq 53 ! ! Rule 8 (cl1 itf) access-list outside_in permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list outside_out permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list dmz20_in permit udp any 10.3.14.0 255.255.255.0 eq 53 access-list dmz20_out permit udp any 10.3.14.0 255.255.255.0 eq 53 ! ! Rule 9 (global) ! All other attempts to connect to ! the firewall are denied and logged access-list inside_in deny ip any object-group id2913X78273.src.net.0 log 3 interval 300 access-list inside_in deny ip any object-group id2913X78273.src.net.1 log 3 interval 300 access-list inside_in deny ip any object-group id2913X78273.src.net.2 log 3 interval 300 ! ! Rule 10 (global) access-list inside_in permit ip 10.3.14.0 255.255.255.0 any access-list inside_out permit ip 10.3.14.0 255.255.255.0 any ! ! 
Rule 11 (global) access-list inside_in deny ip any any log 3 interval 300 access-list inside_out deny ip any any log 3 interval 300 access-group dmz20_in in interface dmz20 access-group dmz20_out out interface dmz20 access-group inside_in in interface inside access-group inside_out out interface inside access-group outside_in in interface outside access-group outside_out out interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id4606X78273.0 permit ip 10.3.14.0 255.255.255.0 any nat (inside) 1 access-list id4606X78273.0 tcp 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/do-diff000077500000000000000000000003131303637203600165260ustar00rootroot00000000000000#!/bin/sh N=$1 if which opendiff > /dev/null; then TOOL="opendiff" elif which tkdiff > /dev/null; then TOOL="tkdiff " else TOOL="diff -u -b -B" fi $TOOL firewall${N}.fw.orig firewall${N}.fw fwbuilder-5.3.7/test/pix/firewall.fw.orig000077500000000000000000000726331303637203600204130ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:01 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall.fw ! ! this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '1 (ethernet1)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '2 (ethernet1)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it ! 
C firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '6 (ethernet0)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it ! 
C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '13 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '14 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! 
C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! 
C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it ! 
C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! 
C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '20 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it ! 
C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it ! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '25 (global)' below it ! C firewall:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule ! N firewall:NAT:6: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier. ! R firewall:Routing:3: error: Interface and gateway rule elements can not be empty in the PIX routing rule ! R firewall:Routing:4: error: Interface and gateway rule elements can not be empty in the PIX routing rule ! R firewall:Routing:5: error: Interface and gateway rule elements can not be empty in the PIX routing rule ! R firewall:Routing:7: error: MultiPath routing not supported by platform ! R firewall:Routing:8: warning: Two of the sub rules created from the gui routing rules 7 (main) and 8 (main) are identical, skipping the second. 
Revise them to avoid this warning ! ! Prolog script: ! ! ! End of prolog script: ! hostname firewall nameif ethernet1 outside security0 nameif ethernet0 inside security100 nameif ethernet2 dmz security50 logging host inside 192.168.1.30 logging queue 512 logging facility 16 logging trap 1 no logging buffered no logging console no logging timestamp logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 clear ssh aaa authentication ssh console LOCAL ssh timeout 5 clear snmp-server snmp-server community public snmp-server enable traps snmp-server host inside 192.168.1.20 poll snmp-server host inside 192.168.1.22 trap clear ntp ntp server 192.168.1.20 source inside prefer no service resetinbound no service resetoutside sysopt connection tcpmss 1380 sysopt connection timewait sysopt security fragguard sysopt nodnsalias inbound sysopt nodnsalias outbound no sysopt route dnat floodguard disable fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 !################ clear access-list tmp_acl access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any access-list tmp_acl deny ip any any access-group tmp_acl in interface outside access-group tmp_acl in interface inside access-group tmp_acl in interface dmz clear xlate clear static clear global clear nat clear access-list dmz_acl_in clear access-list inside_acl_in clear access-list outside_acl_in clear icmp clear telnet clear object-group object-group network id3C4E4C38.dst.net.0 network-object host 211.11.11.11 network-object host 211.22.22.22 exit object-group service id3C4E4C38.srv.tcp.0 tcp port-object eq 113 port-object eq 80 
port-object eq 443 port-object eq 143 port-object eq 25 port-object eq 22 port-object eq 540 exit object-group icmp-type id3D8FCE32.srv.icmp.0 icmp-object 3 icmp-object 0 icmp-object 11 exit object-group service pol-firewall2-2.srv.tcp.0 tcp port-object eq 70 port-object eq 6667 port-object eq 3128 port-object eq 23 exit object-group service pol-firewall2-2.srv.udp.0 udp port-object eq 53 port-object eq 161 exit object-group network pol-firewall2-3.dst.net.0 network-object host 192.168.1.10 network-object host 192.168.1.20 exit object-group network id3E155E82.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id3D0F8031.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id3CD87B1E.dst.net.0 network-object host 192.168.1.11 network-object host 192.168.1.12 network-object host 192.168.1.13 network-object host 192.168.1.14 network-object host 192.168.1.15 exit object-group service id3CD87B1E.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 25 port-object eq 3128 port-object eq 22 port-object eq 540 exit object-group network id3CD8770E.dst.net.0 network-object 192.168.1.11 255.255.255.255 network-object 192.168.1.12 255.255.255.252 exit object-group service pol-firewall2-4.srv.tcp.0 tcp port-object eq 113 port-object eq 13 port-object eq 53 port-object eq 2105 port-object eq 21 port-object eq 70 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 993 port-object eq 6667 port-object eq 6667 port-object eq 543 port-object eq 544 port-object eq 389 port-object eq 98 port-object eq 3306 port-object eq 2049 port-object eq 119 port-object eq 110 port-object eq 5432 port-object eq 515 port-object eq 26000 port-object eq 512 port-object eq 513 port-object eq 514 port-object eq 4321 port-object eq 25 port-object eq 465 port-object eq 1080 port-object eq 3128 
port-object eq 22 port-object eq 111 port-object eq 23 port-object range 10000 11000 port-object eq 540 port-object eq 7100 exit ! ! Rule -1 backup ssh access rule (automatic) ssh 192.168.1.100 255.255.255.255 inside ! ! Rule 0 (global) ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '1 (ethernet1)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '13 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '14 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '2 (ethernet1)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '20 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '25 (global)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '6 (ethernet0)' below it ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it ! 
firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it access-list outside_acl_in deny ip any any access-list inside_acl_in deny ip any any access-list dmz_acl_in deny ip any any ! ! Rule 2 (ethernet1) ! комментарий по-русски icmp permit any 3 outside access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list outside_acl_in permit icmp any any 3 ! ! Rule 3 (ethernet1) ! anti-spoofing rule ! firewall:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 4 (ethernet0) ssh 192.168.1.0 255.255.255.0 inside ! ! Rule 5 (ethernet0) access-list inside_acl_in permit tcp any object-group id3C4E4C38.dst.net.0 object-group id3C4E4C38.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id3C4E4C38.dst.net.0 object-group id3C4E4C38.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id3C4E4C38.dst.net.0 object-group id3C4E4C38.srv.tcp.0 ! ! Rule 6 (ethernet0) access-list inside_acl_in deny ip any host 192.168.1.255 ! ! Rule 8 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id3D8FCE32.srv.icmp.0 access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id3D8FCE32.srv.icmp.0 access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group id3D8FCE32.srv.icmp.0 ! ! 
Rule 9 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 access-list inside_acl_in permit icmp any host 192.168.1.10 access-list dmz_acl_in permit icmp any host 192.168.1.10 access-list outside_acl_in permit tcp any host 192.168.1.10 object-group pol-firewall2-2.srv.tcp.0 access-list inside_acl_in permit tcp any host 192.168.1.10 object-group pol-firewall2-2.srv.tcp.0 access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group pol-firewall2-2.srv.tcp.0 access-list outside_acl_in permit udp any host 192.168.1.10 object-group pol-firewall2-2.srv.udp.0 access-list inside_acl_in permit udp any host 192.168.1.10 object-group pol-firewall2-2.srv.udp.0 access-list dmz_acl_in permit udp any host 192.168.1.10 object-group pol-firewall2-2.srv.udp.0 access-list outside_acl_in permit 47 any host 192.168.1.10 access-list inside_acl_in permit 47 any host 192.168.1.10 access-list dmz_acl_in permit 47 any host 192.168.1.10 ! ! Rule 10 (global) access-list outside_acl_in permit icmp any host 22.22.22.22 3 icmp permit any 3 inside access-list inside_acl_in permit icmp any host 192.168.1.1 3 icmp permit any 3 dmz access-list dmz_acl_in permit icmp any host 192.168.2.1 3 access-list outside_acl_in permit icmp any any 3 access-list inside_acl_in permit icmp any any 3 access-list dmz_acl_in permit icmp any any 3 access-list outside_acl_in permit 47 any any access-list inside_acl_in permit 47 any any access-list dmz_acl_in permit 47 any any access-list outside_acl_in permit 50 any any access-list inside_acl_in permit 50 any any access-list dmz_acl_in permit 50 any any ! ! Rule 12 (global) access-list outside_acl_in permit ip object-group id3C4E4C38.dst.net.0 object-group pol-firewall2-3.dst.net.0 ! ! Rule 13 (global) ! firewall:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule access-list inside_acl_in permit tcp host 192.168.1.10 object-group id3E155E82.dst.net.0 eq 3128 ! ! 
Rule 14 (global) access-list outside_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 3128 access-list inside_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 3128 access-list dmz_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 3128 ! ! Rule 15 (global) http 192.168.1.0 255.255.255.0 inside icmp permit 192.168.1.0 255.255.255.0 3 inside access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.0 host 192.168.1.1 3 ! ! Rule 16 (global) access-list outside_acl_in permit tcp any object-group id3CD87B1E.dst.net.0 object-group id3CD87B1E.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id3CD87B1E.dst.net.0 object-group id3CD87B1E.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id3CD87B1E.dst.net.0 object-group id3CD87B1E.srv.tcp.0 ! ! Rule 17 (global) access-list outside_acl_in permit tcp any object-group id3CD8770E.dst.net.0 object-group id3CD87B1E.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id3CD8770E.dst.net.0 object-group id3CD87B1E.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id3CD8770E.dst.net.0 object-group id3CD87B1E.srv.tcp.0 ! ! Rule 18 (global) access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group pol-firewall2-4.srv.tcp.0 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group pol-firewall2-4.srv.tcp.0 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group pol-firewall2-4.srv.tcp.0 ! ! Rule 19 (global) ! objects hostA and hostB are ! redundant and should be removed by ! 
removeRedundantAddressesFromDst access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list outside_acl_in permit udp any 192.168.1.0 255.255.255.0 eq 4000 access-list inside_acl_in permit udp any 192.168.1.0 255.255.255.0 eq 4000 access-list dmz_acl_in permit udp any 192.168.1.0 255.255.255.0 eq 4000 ! ! Rule 20 (global) access-list outside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list inside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list dmz_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 ! ! Rule 23 (global) access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 ! ! Rule 24 (global) access-list outside_acl_in permit ip host 22.22.22.22 any access-list inside_acl_in permit ip host 192.168.1.1 any access-list dmz_acl_in permit ip host 192.168.2.1 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 25 (global) access-list outside_acl_in deny ip any any access-list inside_acl_in deny ip any any access-list dmz_acl_in deny ip any any access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface nat (inside) 1 192.168.1.0 255.255.255.0 0 0 global (dmz) 1 interface ! ! ! Rule 1 (NAT) nat (dmz) 1 0.0.0.0 0.0.0.0 0 0 ! ! Rule 2 (NAT) nat (inside) 1 0.0.0.0 0.0.0.0 0 0 ! ! ! Rule 3 (NAT) global (outside) 1 22.22.22.0 netmask 255.255.255.0 ! ! ! Rule 4 (NAT) global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0 ! ! ! Rule 5 (NAT) static (inside,outside) tcp interface 25 192.168.1.10 25 0 0 ! ! Rule 6 (NAT) ! 
firewall:NAT:6: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier. global (inside) 8 interface nat (dmz) 8 192.168.2.0 255.255.255.0 outside ! ! Rule 7 (NAT) clear access-list nat0.inside access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 0 access-list nat0.inside ! ! Rule 8 (NAT) access-list nat0.inside permit ip host 192.168.1.11 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.12 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.13 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.14 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.15 192.168.2.0 255.255.255.0 ! ! Rule 9 (NAT) nat (dmz) 0 0 0 ! ! Rule 10 (NAT) static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ! ! Rule 11 (NAT) static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 ! ! Rule 0 (main) ! ! "Routing rule 0 (main)" ! ! ! route outside 0.0.0.0 0.0.0.0 22.22.22.254 1 ! ! Rule 1 (main) ! ! "Routing rule 1 (main)" ! ! ! route inside 10.3.14.0 255.255.255.0 192.168.1.254 1 ! ! Rule 2 (main) ! ! "Routing rule 2 (main)" ! ! ! route inside 10.1.2.0 255.255.255.0 192.168.1.254 1 ! ! Rule 3 (main) ! ! "Routing rule 3 (main)" ! ! ! ! firewall:Routing:3: error: Interface and gateway rule elements can not be empty in the PIX routing rule route 10.1.3.0 255.255.255.0 192.168.1.254 1 ! ! Rule 4 (main) ! ! "Routing rule 4 (main)" ! ! ! ! firewall:Routing:4: error: Interface and gateway rule elements can not be empty in the PIX routing rule route inside 10.1.4.0 255.255.255.0 1 ! ! Rule 5 (main) ! ! "Routing rule 5 (main)" ! ! ! ! firewall:Routing:5: error: Interface and gateway rule elements can not be empty in the PIX routing rule route 10.1.5.0 255.255.255.0 1 ! ! Rule 6 (main) ! ! "Routing rule 6 (main)" ! ! ! route outside 33.33.33.0 255.255.255.0 22.22.22.100 1 ! ! Rule 7 (main) ! ! 
"Routing rule 7 (main)" ! ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall1.fw.orig000077500000000000000000000104671303637203600204710ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:01 2011 PDT by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall1.fw ! ! this object is used to test all kinds of negation in policy rules ! firewall1::: error: Dynamic interface eth1 should not have an IP address object attached to it. This IP address object will be ignored. ! C firewall1:Policy:9: error: Dynamic interface can be used in the policy rule only in v6.3 or later. ! C firewall1:Policy:9: error: Dynamic interface can be used in the policy rule only in v6.3 or later. ! N firewall1:NAT:4: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. ! N firewall1:NAT:5: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. ! ! Prolog script: ! ! ! End of prolog script: ! nameif eth0 inside security100 nameif eth1 outside security0 nameif eth2 dmz security50 no logging buffered no logging console no logging timestamp no logging on telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 no snmp-server no service resetinbound no service resetoutside no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound no sysopt route dnat floodguard disable !################ ! ! Rule 2 (eth1) ! 
Anti-spoofing rule access-list outside_acl_in deny ip host 192.168.1.1 any access-list outside_acl_in deny ip host 192.168.2.1 any access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any ! ! Rule 3 (eth0) access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 4 (eth1) icmp permit any 8 outside access-list outside_acl_in permit icmp any interface outside 8 icmp permit any 11 outside access-list outside_acl_in permit icmp any interface outside 11 ! ! Rule 5 (eth1) access-list outside_acl_in permit icmp any any 8 access-list outside_acl_in permit icmp any any 11 ! ! Rule 6 (eth1,eth2) access-list outside_acl_in permit icmp any interface outside 8 access-list outside_acl_in permit icmp any interface outside 11 icmp permit any 8 dmz access-list dmz_acl_in permit icmp any host 192.168.2.1 8 icmp permit any 11 dmz access-list dmz_acl_in permit icmp any host 192.168.2.1 11 ! ! Rule 9 (global) ! firewall1:Policy:9: error: Dynamic interface can be used in the policy rule only in v6.3 or later. telnet 0.0.0.0 0.0.0.0 inside telnet 0.0.0.0 0.0.0.0 dmz ssh 0.0.0.0 0.0.0.0 inside ssh 0.0.0.0 0.0.0.0 dmz ! ! Rule 11 (global) ! hostF has the same IP address as firewal. icmp permit any 8 inside access-list inside_acl_in permit icmp any host 192.168.1.1 8 ! ! Rule 19 (global) ! 'masquerading' rule access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 20 (global) ! 'catch all' rule access-list inside_acl_in deny ip any any access-list outside_acl_in deny ip any any access-list dmz_acl_in deny ip any any access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 0 access-list nat0.inside ! ! Rule 1 (NAT) global (outside) 1 interface nat (inside) 1 192.168.1.10 255.255.255.255 0 0 ! ! Rule 4 (NAT) ! 
firewall1:NAT:4: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. global (outside) 2 interface nat (inside) 2 192.168.1.0 255.255.255.0 0 0 global (dmz) 2 interface ! nat (dmz) 2 192.168.2.0 255.255.255.0 0 0 ! ! ! Rule 5 (NAT) ! firewall1:NAT:5: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. ! ! ! ! ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall10.fw.orig000077500000000000000000000306731303637203600205520ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:01 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall10.fw ! ! big policy. Testing compiler performance ! C firewall10:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! ! Prolog script: ! ! ! End of prolog script: ! 
hostname firewall10 nameif ethernet1 outside security0 nameif ethernet0 inside security100 nameif ethernet2 dmz security50 logging host inside 192.168.1.30 logging queue 512 logging facility 16 no logging buffered no logging console no logging timestamp logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 snmp-server community public snmp-server enable traps snmp-server host inside 192.168.1.20 trap snmp-server host inside 192.168.1.22 poll ntp server 192.168.1.20 source inside no service resetinbound no service resetoutside sysopt connection tcpmss 1380 sysopt connection timewait sysopt nodnsalias inbound sysopt nodnsalias outbound floodguard disable fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 !################ object-group network id3DB0FA90.dst.net.0 network-object host 211.11.11.11 network-object host 211.22.22.22 exit object-group service id3DB0FA90.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 25 port-object eq 22 port-object eq 540 exit object-group icmp-type id3DB0F9C7.srv.icmp.0 icmp-object 3 icmp-object 0 icmp-object 11 exit object-group service id3DB0F9BD.srv.tcp.0 tcp port-object eq 70 port-object eq 6667 port-object eq 3128 port-object eq 23 exit object-group service id3DB0F9BD.srv.udp.0 udp port-object eq 53 port-object eq 161 exit object-group network id3DB0F9E6.dst.net.0 network-object host 192.168.1.10 network-object host 192.168.1.20 exit object-group network id3DB10695.src.net.0 network-object 192.168.1.0 255.255.255.0 network-object 192.168.10.0 255.255.255.0 
network-object 192.168.20.0 255.255.255.0 exit object-group network id3DB10695.src.net.1 network-object 192.168.2.0 255.255.255.0 network-object 192.168.3.0 255.255.255.0 exit object-group network id3DB10695.dst.net.0 network-object host 192.168.1.10 network-object host 192.168.1.11 network-object host 192.168.1.12 network-object host 192.168.1.13 network-object host 192.168.1.14 network-object host 192.168.1.15 network-object host 192.168.1.20 exit object-group network id3DB0F9F2.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id3DB0F9FC.dst.net.0 network-object host 192.168.1.11 network-object host 192.168.1.12 network-object host 192.168.1.13 network-object host 192.168.1.14 network-object host 192.168.1.15 exit object-group service id3DB0F9FC.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 25 port-object eq 3128 port-object eq 22 port-object eq 540 exit object-group network id3DB0FA07.dst.net.0 network-object 192.168.1.11 255.255.255.255 network-object 192.168.1.12 255.255.255.252 exit object-group service id3DB0FA12.srv.tcp.0 tcp port-object eq 113 port-object eq 13 port-object eq 53 port-object eq 2105 port-object eq 21 port-object eq 70 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 993 port-object eq 6667 port-object eq 6667 port-object eq 543 port-object eq 544 port-object eq 389 port-object eq 98 port-object eq 3306 port-object eq 2049 port-object eq 119 port-object eq 110 port-object eq 5432 port-object eq 515 port-object eq 26000 port-object eq 512 port-object eq 513 port-object eq 514 port-object eq 4321 port-object eq 25 port-object eq 465 port-object eq 1080 port-object eq 3128 port-object eq 22 port-object eq 111 port-object eq 23 port-object range 10000 11000 port-object eq 540 port-object eq 7100 exit ! ! Rule 3 (ethernet1) ! anti-spoofing rule ! 
firewall10:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 6 interval 300 ! ! Rule 5 (ethernet0) access-list inside_acl_in permit tcp any object-group id3DB0FA90.dst.net.0 object-group id3DB0FA90.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id3DB0FA90.dst.net.0 object-group id3DB0FA90.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id3DB0FA90.dst.net.0 object-group id3DB0FA90.srv.tcp.0 ! ! Rule 7 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id3DB0F9C7.srv.icmp.0 access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id3DB0F9C7.srv.icmp.0 access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group id3DB0F9C7.srv.icmp.0 ! ! Rule 8 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 access-list inside_acl_in permit icmp any host 192.168.1.10 access-list dmz_acl_in permit icmp any host 192.168.1.10 access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id3DB0F9BD.srv.tcp.0 access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id3DB0F9BD.srv.tcp.0 access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group id3DB0F9BD.srv.tcp.0 access-list outside_acl_in permit udp any host 192.168.1.10 object-group id3DB0F9BD.srv.udp.0 access-list inside_acl_in permit udp any host 192.168.1.10 object-group id3DB0F9BD.srv.udp.0 access-list dmz_acl_in permit udp any host 192.168.1.10 object-group id3DB0F9BD.srv.udp.0 access-list outside_acl_in permit 47 any host 192.168.1.10 access-list inside_acl_in permit 47 any host 192.168.1.10 access-list dmz_acl_in permit 47 any host 192.168.1.10 ! ! 
Rule 9 (global) icmp permit any 3 outside access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 6 interval 300 icmp permit any 3 inside access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 6 interval 300 icmp permit any 3 dmz access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 6 interval 300 access-list outside_acl_in permit icmp any any 3 log 6 interval 300 access-list inside_acl_in permit icmp any any 3 log 6 interval 300 access-list dmz_acl_in permit icmp any any 3 log 6 interval 300 access-list outside_acl_in permit 47 any any log 6 interval 300 access-list inside_acl_in permit 47 any any log 6 interval 300 access-list dmz_acl_in permit 47 any any log 6 interval 300 access-list outside_acl_in permit 50 any any log 6 interval 300 access-list inside_acl_in permit 50 any any log 6 interval 300 access-list dmz_acl_in permit 50 any any log 6 interval 300 ! ! Rule 11 (global) access-list outside_acl_in permit ip object-group id3DB0FA90.dst.net.0 object-group id3DB0F9E6.dst.net.0 ! ! Rule 12 (global) access-list outside_acl_in permit ip 192.168.4.0 255.255.255.0 host 192.168.1.1 access-list inside_acl_in permit ip object-group id3DB10695.src.net.0 host 192.168.1.1 access-list dmz_acl_in permit ip object-group id3DB10695.src.net.1 host 192.168.1.1 access-list outside_acl_in permit ip 192.168.4.0 255.255.255.0 object-group id3DB10695.dst.net.0 access-list inside_acl_in permit ip object-group id3DB10695.src.net.0 object-group id3DB10695.dst.net.0 access-list dmz_acl_in permit ip object-group id3DB10695.src.net.1 object-group id3DB10695.dst.net.0 ! ! Rule 13 (global) access-list outside_acl_in permit tcp any object-group id3DB0F9F2.dst.net.0 eq 3128 access-list inside_acl_in permit tcp any object-group id3DB0F9F2.dst.net.0 eq 3128 access-list dmz_acl_in permit tcp any object-group id3DB0F9F2.dst.net.0 eq 3128 ! ! 
Rule 14 (global) access-list outside_acl_in permit tcp any object-group id3DB0F9FC.dst.net.0 object-group id3DB0F9FC.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id3DB0F9FC.dst.net.0 object-group id3DB0F9FC.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id3DB0F9FC.dst.net.0 object-group id3DB0F9FC.srv.tcp.0 ! ! Rule 15 (global) access-list outside_acl_in permit tcp any object-group id3DB0FA07.dst.net.0 object-group id3DB0F9FC.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id3DB0FA07.dst.net.0 object-group id3DB0F9FC.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id3DB0FA07.dst.net.0 object-group id3DB0F9FC.srv.tcp.0 ! ! Rule 16 (global) access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id3DB0FA12.srv.tcp.0 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id3DB0FA12.srv.tcp.0 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id3DB0FA12.srv.tcp.0 ! ! Rule 19 (global) ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh 0.0.0.0 0.0.0.0 dmz access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 ! ! Rule 20 (global) access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 6 interval 300 access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 6 interval 300 access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 6 interval 300 ! ! Rule 21 (global) access-list outside_acl_in permit ip host 22.22.22.22 any access-list inside_acl_in permit ip host 192.168.1.1 any access-list dmz_acl_in permit ip host 192.168.2.1 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! 
Rule 22 (global) access-list outside_acl_in deny ip any any log 6 interval 300 access-list inside_acl_in deny ip any any log 6 interval 300 access-list dmz_acl_in deny ip any any log 6 interval 300 access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id3DB0F916.0 permit ip 192.168.1.0 255.255.255.0 any nat (inside) 1 access-list id3DB0F916.0 0 0 global (dmz) 1 interface ! ! ! Rule 1 (NAT) access-list id3DB0F924.0 permit ip 192.168.2.0 255.255.255.0 any access-list id3DB0F924.0 permit ip 192.168.3.0 255.255.255.0 any nat (dmz) 1 access-list id3DB0F924.0 0 0 ! ! Rule 2 (NAT) global (outside) 1 22.22.22.0 netmask 255.255.255.0 ! ! ! Rule 3 (NAT) global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0 ! ! ! Rule 4 (NAT) access-list id3DB0F94E.0 permit tcp host 192.168.1.10 eq 25 any static (inside,outside) tcp interface 25 access-list id3DB0F94E.0 0 0 ! ! Rule 5 (NAT) ! policy NAT ! rule global (inside) 7 interface access-list id3DB0F95C.0 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list id3DB0F95C.0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 nat (dmz) 7 access-list id3DB0F95C.0 outside ! ! Rule 6 (NAT) ! policy NAT ! rule access-list id3F9353DD.0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list id3F9353DD.0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 nat (inside) 1 access-list id3F9353DD.0 0 0 ! ! Rule 7 (NAT) access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 0 access-list nat0.inside access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 ! ! Rule 8 (NAT) access-list nat0.inside permit ip host 192.168.1.10 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.10 192.168.3.0 255.255.255.0 ! ! 
Rule 9 (NAT) static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ! ! Rule 10 (NAT) static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 ! ! Rule 11 (NAT) static (inside,outside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall101.fw.orig000077500000000000000000000025361303637203600206300ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:01 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall101.fw ! ! this firewall generates "short" config (only acls and nat rules, no interface configuration, timeouts and inspectors) ! ! Prolog script: ! ! ! End of prolog script: ! ! This script was generated with option "Generate only access-list, access-group, ! nat, static, global" commands turned on in the "Script" tab of the firewall ! object advanced settings dialog. Skipping system configuration commands. !################ object-group network id63559X5474.src.net.0 network-object 192.168.10.0 255.255.255.0 network-object 192.168.20.0 255.255.255.0 exit ! ! Rule 0 (global) access-list inside_acl_in permit ip object-group id63559X5474.src.net.0 host 192.168.1.20 ! ! Rule 1 (global) access-list outside_acl_in deny ip any any access-list dmz_acl_in deny ip any any access-list inside_acl_in deny ip any any access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall11.fw.orig000077500000000000000000000055111303637203600205440ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! 
Generated Wed Oct 19 16:51:02 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall11.fw ! ! testing conversion of objects into their natted addresses when outside interface has multiple addresses and nat rule uses ip address which is not the first one under interface. Nat rules 3-4-5 and global policy rule 0 ! ! Prolog script: ! no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound ! ! End of prolog script: ! nameif eth0 outside security0 nameif eth1 dmz security50 nameif eth2 inside security100 no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:2:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound sysopt route dnat floodguard enable !################ ! ! Rule 0 (global) access-list outside_acl_in permit tcp any host 10.5.80.20 eq 80 access-list outside_acl_in permit tcp any host 192.168.1.10 eq 80 access-list dmz_acl_in permit tcp any host 192.168.1.10 eq 80 access-list inside_acl_in permit tcp any host 192.168.1.10 eq 80 ! ! Rule 1 (global) access-list inside_acl_in permit tcp any host 192.168.1.20 eq 1500 ! ! Rule 2 (global) access-list outside_acl_in deny tcp any any range 1000 10001 access-list dmz_acl_in deny tcp any any range 1000 10001 access-list inside_acl_in deny tcp any any range 1000 10001 ! ! 
Rule 3 (global) access-list outside_acl_in permit ip any 192.168.1.0 255.255.255.0 access-list dmz_acl_in permit ip any 192.168.1.0 255.255.255.0 access-list inside_acl_in permit ip any 192.168.1.0 255.255.255.0 ! ! Rule 4 (global) access-list outside_acl_in deny ip any any access-list dmz_acl_in deny ip any any access-list inside_acl_in deny ip any any access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (dmz) 1 interface nat (inside) 1 192.168.1.0 255.255.255.0 0 0 ! ! Rule 1 (NAT) global (outside) 1 interface ! nat (dmz) 1 192.168.2.0 255.255.255.0 0 0 ! ! Rule 2 (NAT) ! ! ! ! Rule 3 (NAT) static (inside,outside) tcp 10.5.80.20 80 192.168.1.10 80 netmask 255.255.240.0 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall12.fw.orig000077500000000000000000000105421303637203600205450ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:03 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall12.fw ! ! this firewall has DMZ using routable address ! ! Prolog script: ! ! ! End of prolog script: ! 
hostname firewall12 nameif ethernet0 outside security0 ip address outside dhcp setroute retry 10 nameif ethernet1 inside security100 ip address inside 10.3.14.20 255.255.255.0 nameif ethernet2 dmz50 security50 ip address dmz50 192.0.2.1 255.255.255.0 logging host inside 10.3.14.10 format emblem logging queue 1000 logging facility 16 no logging buffered no logging console no logging timestamp logging on logging device-id string real_firewall timeout xlate 0:0:30 timeout conn 0:0:0 timeout udp 0:0:0 timeout rpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 snmp-server community public snmp-server enable traps snmp-server host inside 10.3.14.40 poll ntp server 10.3.14.30 source inside no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard disable fixup protocol dns maximum-length 65535 fixup protocol ftp 21 fixup protocol http 80 fixup protocol icmp error !################ object-group network id3F8F95CD.dst.net.0 network-object host 192.0.2.20 network-object host 192.0.2.21 network-object host 192.0.2.23 exit ! ! Rule 0 (global) access-list inside_acl_in remark 0 (global) access-list inside_acl_in permit ip 10.3.14.0 255.255.255.0 any ! ! Rule 1 (global) ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) icmp permit any 0 outside access-list outside_acl_in remark 2 (global) access-list outside_acl_in permit icmp any interface outside 0 icmp permit any 0 inside access-list inside_acl_in remark 2 (global) access-list inside_acl_in permit icmp any host 10.3.14.20 0 icmp permit any 0 dmz50 access-list dmz50_acl_in remark 2 (global) access-list dmz50_acl_in permit icmp any host 192.0.2.1 0 ! ! Rule 3 (global) ! this comment ! consists of ! 
3 lines of text access-list outside_acl_in remark 3 (global) access-list outside_acl_in remark this comment access-list outside_acl_in remark consists of access-list outside_acl_in remark 3 lines of text access-list outside_acl_in permit tcp any interface outside eq 80 access-list outside_acl_in permit tcp any object-group id3F8F95CD.dst.net.0 eq 80 access-list inside_acl_in remark 3 (global) access-list inside_acl_in remark this comment access-list inside_acl_in remark consists of access-list inside_acl_in remark 3 lines of text access-list inside_acl_in permit tcp any object-group id3F8F95CD.dst.net.0 eq 80 access-list dmz50_acl_in remark 3 (global) access-list dmz50_acl_in remark this comment access-list dmz50_acl_in remark consists of access-list dmz50_acl_in remark 3 lines of text access-list dmz50_acl_in permit tcp any object-group id3F8F95CD.dst.net.0 eq 80 ! ! Rule 4 (global) access-list outside_acl_in remark 4 (global) access-list outside_acl_in permit tcp any interface outside eq 80 ! ! Rule 5 (global) access-list dmz50_acl_in remark 5 (global) access-list dmz50_acl_in permit tcp any host 192.0.2.1 eq 80 ! ! Rule 6 (global) access-list outside_acl_in remark 6 (global) access-list outside_acl_in deny ip any any log 5 interval 120 access-list inside_acl_in remark 6 (global) access-list inside_acl_in deny ip any any log 5 interval 120 access-list dmz50_acl_in remark 6 (global) access-list dmz50_acl_in deny ip any any log 5 interval 120 access-group dmz50_acl_in in interface dmz50 access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id3F8F9592.0 permit ip 10.3.14.0 255.255.255.0 any nat (inside) 1 access-list id3F8F9592.0 0 0 global (dmz50) 1 interface ! ! ! Rule 1 (NAT) access-list id3F8F95A0.0 permit tcp host 10.3.14.30 eq 80 any static (inside,outside) tcp interface 80 access-list id3F8F95A0.0 0 0 ! ! Epilog script: ! ! End of epilog script: ! 
fwbuilder-5.3.7/test/pix/firewall13.fw.orig000077500000000000000000000057041303637203600205520ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:03 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall13.fw ! ! various policy NAT rules per examples from ! http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#1113601 ! ! Prolog script: ! no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound ! ! End of prolog script: ! nameif eth0 outside security0 nameif eth2 inside security100 no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:2:0 timeout uauth 2:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard enable !################ ! ! Rule 0 (global) access-list outside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 1 (global) access-list outside_acl_in deny ip any any access-list inside_acl_in deny ip any any access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id3FA349A3.0 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224 ! ! Rule 1 (NAT) global (outside) 1 interface access-list id3FA34CB5.0 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224 ! ! 
Rule 2 (NAT) access-list id3FA349A3.0 permit tcp 10.1.2.0 255.255.255.0 host 209.165.201.11 eq 80 nat (inside) 1 access-list id3FA349A3.0 0 0 ! ! Rule 3 (NAT) access-list id3FA34CB5.0 permit tcp 10.1.2.0 255.255.255.0 host 209.165.201.11 eq 23 ! ! Rule 4 (NAT) ! ! ! ! Rule 5 (NAT) access-list id3FA35071.0 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224 static (inside,outside) interface access-list id3FA35071.0 0 0 ! ! Rule 6 (NAT) access-list id3FA35063.0 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224 static (inside,outside) interface access-list id3FA35063.0 0 0 ! ! Rule 7 (NAT) access-list id3FA44ABB.0 permit tcp host 10.1.2.27 eq 80 host 209.165.200.225 access-list id3FA44ABB.1 permit tcp host 10.1.2.27 eq 81 host 209.165.200.225 access-list id3FA44ABB.0 permit tcp host 10.1.2.27 eq 80 host 209.165.201.11 static (inside,outside) tcp interface 80 access-list id3FA44ABB.0 0 0 access-list id3FA44ABB.1 permit tcp host 10.1.2.27 eq 81 host 209.165.201.11 static (inside,outside) tcp interface 81 access-list id3FA44ABB.1 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall14.fw.orig000077500000000000000000000034261303637203600205520ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:03 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall14.fw ! ! testing dual NAT per user's request ! ! Prolog script: ! ! ! End of prolog script: ! 
nameif eth0 outside security0 nameif eth2 inside security100 no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:2:0 timeout uauth 2:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard enable !################ ! ! Rule 0 (global) access-list inside_acl_in permit ip 10.1.2.0 255.255.255.0 any ! ! Rule 1 (global) access-list outside_acl_in deny ip any any access-list inside_acl_in deny ip any any access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id3FA74FDE.0 permit ip host 10.1.2.27 any nat (inside) 1 access-list id3FA74FDE.0 0 0 ! ! Rule 1 (NAT) access-list id3FA74FCE.0 permit ip host 209.165.201.11 any static (outside,inside) interface access-list id3FA74FCE.0 0 0 ! ! Rule 2 (NAT) access-list id3FA7502F.0 permit ip host 10.1.2.27 any static (inside,outside) interface access-list id3FA7502F.0 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall2.fw.orig000077500000000000000000000144011303637203600204620ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:04 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall2.fw ! ! lots of different combinations of objects in the NAT rules ! 
C firewall2:Policy:1: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! ! Prolog script: ! ! ! End of prolog script: ! nameif eth0 inside security100 nameif eth1 outside security0 nameif eth2 dmz security50 no logging buffered no logging console no logging timestamp no logging on telnet timeout 5 clear ssh aaa authentication ssh console LOCAL ssh timeout 5 clear snmp-server no snmp-server enable traps clear ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard disable !################ clear xlate clear static clear global clear nat clear access-list clear icmp clear telnet clear object-group object-group service id3D6EF08C.srv.tcp.0 tcp port-object eq 80 port-object eq 119 exit object-group network id3D8FCCDE.src.net.0 network-object host 192.168.1.10 network-object host 192.168.1.20 exit ! ! Rule 0 (eth1) ! Anti-spoofing rule access-list outside_acl_in deny ip host 192.168.1.1 any log 6 interval 300 access-list outside_acl_in deny ip host 22.22.22.22 any log 6 interval 300 access-list outside_acl_in deny ip host 192.168.2.1 any log 6 interval 300 access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 6 interval 300 ! ! Rule 1 (eth1) ! Anti-spoofing rule ! firewall2:Policy:1: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list inside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 6 interval 300 ! ! 
Rule 2 (global) access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id3D6EF08C.srv.tcp.0 access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 access-list outside_acl_in permit tcp any host 22.22.22.22 eq 119 access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id3D6EF08C.srv.tcp.0 access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group id3D6EF08C.srv.tcp.0 ! ! Rule 3 (global) access-list inside_acl_in permit ip object-group id3D8FCCDE.src.net.0 host 200.200.200.200 ! ! Rule 4 (global) access-list outside_acl_in permit ip host 200.200.200.200 object-group id3D8FCCDE.src.net.0 ! ! Rule 6 (global) access-list inside_acl_in deny ip any any access-list outside_acl_in deny ip any any access-list dmz_acl_in deny ip any any access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 0 access-list nat0.inside ! ! Rule 1 (NAT) static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ! ! Rule 2 (NAT) global (outside) 1 interface access-list id3AFB66C8.0 permit ip 192.168.1.0 255.255.255.0 any global (dmz) 1 interface ! ! ! Rule 3 (NAT) access-list id3AFB66C8.0 permit ip host 192.168.1.10 any ! access-list id3AFB66C8.0 permit ip host 192.168.1.20 any ! ! ! Rule 4 (NAT) access-list id3AFB66C8.0 permit ip host 192.168.1.11 any ! access-list id3AFB66C8.0 permit ip 192.168.1.12 255.255.255.252 any ! ! ! Rule 5 (NAT) access-list id3D1C2292.0 permit ip 192.168.2.0 255.255.255.0 any nat (dmz) 1 access-list id3D1C2292.0 0 0 ! ! Rule 6 (NAT) ! ! ! Rule 7 (NAT) global (outside) 1 interface ! ! ! Rule 8 (NAT) ! ! ! Rule 9 (NAT) ! ! ! ! Rule 10 (NAT) global (outside) 1 22.22.22.0 netmask 255.255.255.0 ! ! ! Rule 11 (NAT) global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0 ! ! ! ! 
Rule 12 (NAT) global (dmz) 1 interface access-list id3D1C1104.0 permit ip host 192.168.1.10 192.168.2.0 255.255.255.0 ! ! Rule 13 (NAT) access-list id3D1C1D30.0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 1 access-list id3D1C1D30.0 0 0 ! ! Rule 14 (NAT) ! ! ! Rule 16 (NAT) access-list id3D1BFFA4.0 permit ip host 192.168.1.10 any static (inside,outside) interface access-list id3D1BFFA4.0 0 0 ! ! Rule 17 (NAT) access-list id3D1C0835.0 permit tcp host 192.168.1.10 eq 6667 any static (inside,outside) tcp interface 6667 access-list id3D1C0835.0 0 0 ! ! Rule 18 (NAT) access-list id16986X27842.0 permit tcp host 192.168.1.1 eq 6667 any static (inside,outside) tcp interface 6667 access-list id16986X27842.0 0 0 ! ! Rule 19 (NAT) access-list id414351C7.0 permit tcp host 192.168.1.10 eq 80 any ! ! Rule 20 (NAT) access-list id414351C7.0 permit tcp host 192.168.1.10 eq 80 any static (inside,outside) tcp interface 80 access-list id414351C7.0 0 0 ! ! Rule 21 (NAT) access-list id3AFB69BD.0 permit ip host 192.168.1.10 any static (inside,outside) interface access-list id3AFB69BD.0 0 0 ! ! Rule 22 (NAT) access-list id3D1BFFCE.0 permit ip 192.168.1.0 255.255.255.0 any static (inside,outside) 22.22.22.0 access-list id3D1BFFCE.0 0 0 ! ! Rule 24 (NAT) access-list id3D1BFFF6.0 permit ip host 192.168.1.10 192.168.2.0 255.255.255.0 static (inside,dmz) interface access-list id3D1BFFF6.0 0 0 ! ! Rule 25 (NAT) access-list id3BEEF6D2.0 permit tcp host 192.168.1.10 eq 119 any static (inside,outside) tcp interface 119 access-list id3BEEF6D2.0 0 0 ! ! Rule 27 (NAT) access-list id3B7313C4.0 permit tcp host 192.168.1.10 eq 3128 any static (inside,outside) tcp interface 80 access-list id3B7313C4.0 0 0 ! ! Rule 28 (NAT) access-list id47B6CF3421818.0 permit tcp host 192.168.1.10 eq 3128 any ! ! Rule 29 (NAT) access-list id36573X14603.0 permit tcp host 192.168.1.10 eq 3128 any static (inside,outside) tcp interface 80 access-list id36573X14603.0 0 0 ! ! 
Rule 30 (NAT) access-list id47B6CF3421818.0 permit tcp host 192.168.1.10 eq 3128 any static (inside,outside) tcp interface 80 access-list id47B6CF3421818.0 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall20.fw.orig000077500000000000000000000120161303637203600205420ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:04 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall20.fw ! ! testing outbound ACLs ! v6.3, emulation of outbound ACLs is on ! C firewall20:Policy:5: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall20:Policy:7: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall20:Policy:7: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall20:Policy:7: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! ! Prolog script: ! no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound ! ! End of prolog script: ! 
nameif eth0 outside security0 nameif eth1 dmz security50 nameif eth2 inside security100 no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:2:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard enable fixup protocol ftp 21 !################ ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 access-list dmz_acl_in permit ip any host 192.168.1.10 access-list inside_acl_in permit ip any host 192.168.1.10 ! ! Rule 1 (global) access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 2 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any ! ! Rule 3 (eth1) ! dmz -> intnet access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 4 (eth2) ! dmz -> intnet access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 5 (eth1,eth2) ! dmz -> intnet ! firewall20:Policy:5: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! 
Rule 6 (eth0,eth1) access-list outside_acl_in deny ip host 10.5.70.20 any log 0 interval 300 access-list outside_acl_in deny ip host 192.168.2.20 any log 0 interval 300 access-list outside_acl_in deny ip host 192.168.1.20 any log 0 interval 300 access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 access-list dmz_acl_in deny ip host 10.5.70.20 any log 0 interval 300 access-list dmz_acl_in deny ip host 192.168.2.20 any log 0 interval 300 access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300 access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 7 (eth0,eth1) ! firewall20:Policy:7: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 8 (global) access-list outside_acl_in deny ip any any access-list dmz_acl_in deny ip any any access-list inside_acl_in deny ip any any access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id4528A51F20039.0 permit ip 192.168.1.0 255.255.255.0 any nat (inside) 1 access-list id4528A51F20039.0 0 0 ! ! Rule 1 (NAT) access-list id4528A54A20039.0 permit ip 192.168.2.0 255.255.255.0 any nat (dmz) 1 access-list id4528A54A20039.0 0 0 ! ! Rule 2 (NAT) access-list id4528A55820039.0 permit ip host 192.168.2.100 any static (dmz,outside) interface access-list id4528A55820039.0 0 0 ! ! Rule 3 (NAT) global (inside) 3 interface access-list id4528A56620039.0 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 nat (dmz) 3 access-list id4528A56620039.0 outside ! ! 
Rule 4 (NAT) global (dmz) 4 interface access-list id4528A57420039.0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 4 access-list id4528A57420039.0 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall21-1.fw.orig000077500000000000000000000160031303637203600207010ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:04 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall21-1.fw ! ! testing outbound ACLs ! this is a copy of firewall21 except with different version ! v6.3, outbound ACLs are not supported ! C firewall21-1:Policy:12: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall21-1:Policy:14: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall21-1:Policy:18: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall21-1:Policy:20: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall21-1:Policy:20: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall21-1:Policy:20: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! ! Prolog script: ! no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound ! ! End of prolog script: ! 
nameif eth0 outside security0 nameif eth1 dmz security50 nameif eth2 inside security100 no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:2:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard enable fixup protocol ftp 21 !################ ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 access-list dmz_acl_in permit ip any host 192.168.1.10 access-list inside_acl_in permit ip any host 192.168.1.10 ! ! Rule 1 (global) access-list outside_acl_in permit ip any host 192.168.1.10 access-list dmz_acl_in permit ip any host 192.168.1.10 access-list inside_acl_in permit ip any host 192.168.1.10 ! ! Rule 2 (global) access-list outside_acl_in permit ip any host 192.168.1.10 access-list dmz_acl_in permit ip any host 192.168.1.10 access-list inside_acl_in permit ip any host 192.168.1.10 ! ! Rule 3 (global) access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 4 (global) access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 5 (global) access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 6 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any ! ! Rule 7 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any ! ! Rule 8 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any ! ! Rule 9 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! Rule 10 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! 
Rule 11 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! Rule 12 (eth1) ! dmz -> intnet ! firewall21-1:Policy:12: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 13 (eth1) ! dmz -> intnet access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 15 (eth2) ! dmz -> intnet access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 16 (eth2) ! dmz -> intnet access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 17 (eth2) ! dmz -> intnet access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 18 (eth1,eth2) ! dmz -> intnet ! firewall21-1:Policy:18: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 19 (eth0,eth1) access-list outside_acl_in deny ip host 10.5.70.20 any log 0 interval 300 access-list outside_acl_in deny ip host 192.168.2.20 any log 0 interval 300 access-list outside_acl_in deny ip host 192.168.1.20 any log 0 interval 300 access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 access-list dmz_acl_in deny ip host 10.5.70.20 any log 0 interval 300 access-list dmz_acl_in deny ip host 192.168.2.20 any log 0 interval 300 access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300 access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 20 (eth0,eth1) ! 
firewall21-1:Policy:20: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 21 (global) access-list outside_acl_in deny ip any any access-list dmz_acl_in deny ip any any access-list inside_acl_in deny ip any any access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id4529FE6016799.0 permit ip 192.168.1.0 255.255.255.0 any nat (inside) 1 access-list id4529FE6016799.0 0 0 ! ! Rule 1 (NAT) access-list id4529FE6E16799.0 permit ip 192.168.2.0 255.255.255.0 any nat (dmz) 1 access-list id4529FE6E16799.0 0 0 ! ! Rule 2 (NAT) access-list id4529FE7C16799.0 permit ip host 192.168.2.100 any static (dmz,outside) interface access-list id4529FE7C16799.0 0 0 ! ! Rule 3 (NAT) global (inside) 3 interface access-list id4529FE8A16799.0 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 nat (dmz) 3 access-list id4529FE8A16799.0 outside ! ! Rule 4 (NAT) global (dmz) 4 interface access-list id4529FE9816799.0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 4 access-list id4529FE9816799.0 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall21.fw.orig000077500000000000000000000162661303637203600205560ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:04 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall21.fw ! ! testing outbound ACLs ! 
v7.0, outbound ACLs are supported ! option 'generate outbound acls' is OFF ! C firewall21:Policy:12: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall21:Policy:14: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall21:Policy:18: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall21:Policy:20: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall21:Policy:20: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall21:Policy:20: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! ! Prolog script: ! no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound ! ! End of prolog script: ! 
interface eth0 nameif outside security-level 0 exit interface eth1 nameif dmz security-level 50 exit interface eth2 nameif inside security-level 100 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:2:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect ftp service-policy global_policy global !################ ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 access-list dmz_acl_in permit ip any host 192.168.1.10 access-list inside_acl_in permit ip any host 192.168.1.10 ! ! Rule 1 (global) access-list outside_acl_in permit ip any host 192.168.1.10 access-list dmz_acl_in permit ip any host 192.168.1.10 access-list inside_acl_in permit ip any host 192.168.1.10 ! ! Rule 2 (global) access-list outside_acl_in permit ip any host 192.168.1.10 access-list dmz_acl_in permit ip any host 192.168.1.10 access-list inside_acl_in permit ip any host 192.168.1.10 ! ! Rule 3 (global) access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 4 (global) access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 5 (global) access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 6 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any ! ! Rule 7 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any ! ! Rule 8 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any ! ! 
Rule 9 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! Rule 10 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! Rule 11 (global) access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! Rule 12 (eth1) ! dmz -> intnet ! firewall21:Policy:12: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 13 (eth1) ! dmz -> intnet access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 15 (eth2) ! dmz -> intnet access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 16 (eth2) ! dmz -> intnet access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 17 (eth2) ! dmz -> intnet access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 18 (eth1,eth2) ! dmz -> intnet ! firewall21:Policy:18: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! 
Rule 19 (eth0,eth1) access-list outside_acl_in deny ip host 10.5.70.20 any log 0 interval 300 access-list outside_acl_in deny ip host 192.168.2.20 any log 0 interval 300 access-list outside_acl_in deny ip host 192.168.1.20 any log 0 interval 300 access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 access-list dmz_acl_in deny ip host 10.5.70.20 any log 0 interval 300 access-list dmz_acl_in deny ip host 192.168.2.20 any log 0 interval 300 access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300 access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 20 (eth0,eth1) ! firewall21:Policy:20: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 21 (global) access-list outside_acl_in deny ip any any access-list dmz_acl_in deny ip any any access-list inside_acl_in deny ip any any access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id45293EF520039.0 permit ip 192.168.1.0 255.255.255.0 any nat (inside) 1 access-list id45293EF520039.0 tcp 0 0 ! ! Rule 1 (NAT) access-list id45293F0320039.0 permit ip 192.168.2.0 255.255.255.0 any nat (dmz) 1 access-list id45293F0320039.0 tcp 0 0 ! ! Rule 2 (NAT) access-list id45293F1120039.0 permit ip host 192.168.2.100 any static (dmz,outside) interface access-list id45293F1120039.0 tcp 0 0 ! ! Rule 3 (NAT) global (inside) 3 interface access-list id45293F1F20039.0 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 nat (dmz) 3 access-list id45293F1F20039.0 outside ! ! 
Rule 4 (NAT) global (dmz) 4 interface access-list id45293F2D20039.0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 4 access-list id45293F2D20039.0 tcp 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall22.fw.orig000077500000000000000000000170121303637203600205450ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:06 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: yes ! Assume firewall is part of any: no ! !# files: * firewall22.fw ! ! testing outbound ACLs ! v7.0, outbound ACLs are supported ! option 'generate outbound acls' is ON ! ! Prolog script: ! no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound ! ! End of prolog script: ! interface eth0 nameif outside security-level 0 exit interface eth1 nameif dmz security-level 50 exit interface eth2 nameif inside security-level 100 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:2:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect ftp service-policy global_policy global !################ ! ! 
Rule 0 (global) access-list outside_in permit ip any host 192.168.1.10 access-list dmz_in permit ip any host 192.168.1.10 access-list inside_in permit ip any host 192.168.1.10 access-list inside_out permit ip any host 192.168.1.10 ! ! Rule 1 (global) access-list outside_in permit ip any host 192.168.1.10 access-list dmz_in permit ip any host 192.168.1.10 access-list inside_in permit ip any host 192.168.1.10 ! ! Rule 2 (global) access-list outside_out permit ip any host 192.168.1.10 access-list dmz_out permit ip any host 192.168.1.10 access-list inside_out permit ip any host 192.168.1.10 ! ! Rule 3 (global) access-list inside_in permit ip 192.168.1.0 255.255.255.0 any access-list outside_out permit ip 192.168.1.0 255.255.255.0 any access-list dmz_out permit ip 192.168.1.0 255.255.255.0 any access-list inside_out permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 4 (global) access-list outside_in permit ip 192.168.1.0 255.255.255.0 any access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any access-list inside_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 5 (global) access-list outside_out permit ip 192.168.1.0 255.255.255.0 any access-list dmz_out permit ip 192.168.1.0 255.255.255.0 any access-list inside_out permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 6 (global) access-list dmz_in permit ip 192.168.2.0 255.255.255.0 any access-list outside_out permit ip 192.168.2.0 255.255.255.0 any access-list dmz_out permit ip 192.168.2.0 255.255.255.0 any access-list inside_out permit ip 192.168.2.0 255.255.255.0 any ! ! Rule 7 (global) access-list outside_in permit ip 192.168.2.0 255.255.255.0 any access-list dmz_in permit ip 192.168.2.0 255.255.255.0 any access-list inside_in permit ip 192.168.2.0 255.255.255.0 any ! ! Rule 8 (global) access-list outside_out permit ip 192.168.2.0 255.255.255.0 any access-list dmz_out permit ip 192.168.2.0 255.255.255.0 any access-list inside_out permit ip 192.168.2.0 255.255.255.0 any ! ! 
Rule 9 (global) access-list dmz_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 access-list inside_out permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! Rule 10 (global) access-list outside_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 access-list dmz_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 access-list inside_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! Rule 11 (global) access-list outside_out permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 access-list dmz_out permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 access-list inside_out permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! Rule 12 (eth1) ! dmz -> intnet access-list dmz_in permit ip host 192.168.2.23 host 192.168.1.10 access-list dmz_out permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 13 (eth1) ! dmz -> intnet access-list dmz_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 14 (eth1) ! dmz -> intnet access-list dmz_out permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 15 (eth2) ! dmz -> intnet access-list inside_in permit ip host 192.168.2.23 host 192.168.1.10 access-list inside_out permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 16 (eth2) ! dmz -> intnet access-list inside_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 17 (eth2) ! dmz -> intnet access-list inside_out permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 18 (eth1,eth2) ! dmz -> intnet access-list dmz_in permit ip host 192.168.2.23 host 192.168.1.10 access-list dmz_out permit ip host 192.168.2.23 host 192.168.1.10 access-list inside_in permit ip host 192.168.2.23 host 192.168.1.10 access-list inside_out permit ip host 192.168.2.23 host 192.168.1.10 ! ! 
Rule 19 (eth0,eth1) access-list outside_in deny ip host 10.5.70.20 any log 0 interval 300 access-list outside_in deny ip host 192.168.2.20 any log 0 interval 300 access-list outside_in deny ip host 192.168.1.20 any log 0 interval 300 access-list outside_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 access-list dmz_in deny ip host 10.5.70.20 any log 0 interval 300 access-list dmz_in deny ip host 192.168.2.20 any log 0 interval 300 access-list dmz_in deny ip host 192.168.1.20 any log 0 interval 300 access-list dmz_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 20 (eth0,eth1) access-list outside_out permit ip host 10.5.70.20 any access-list outside_out permit ip 192.168.2.0 255.255.255.0 any access-list outside_out permit ip 192.168.1.0 255.255.255.0 any access-list dmz_out permit ip host 192.168.2.20 any access-list dmz_out permit ip 192.168.2.0 255.255.255.0 any access-list dmz_out permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 21 (global) access-list outside_in deny ip any any access-list dmz_in deny ip any any access-list inside_in deny ip any any access-list outside_out deny ip any any access-list dmz_out deny ip any any access-list inside_out deny ip any any access-group dmz_in in interface dmz access-group dmz_out out interface dmz access-group inside_in in interface inside access-group inside_out out interface inside access-group outside_in in interface outside access-group outside_out out interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id4529E45516799.0 permit ip 192.168.1.0 255.255.255.0 any nat (inside) 1 access-list id4529E45516799.0 tcp 0 0 ! ! Rule 1 (NAT) access-list id4529E46316799.0 permit ip 192.168.2.0 255.255.255.0 any nat (dmz) 1 access-list id4529E46316799.0 tcp 0 0 ! ! Rule 2 (NAT) access-list id4529E47116799.0 permit ip host 192.168.2.100 any static (dmz,outside) interface access-list id4529E47116799.0 tcp 0 0 ! ! 
Rule 3 (NAT) global (inside) 3 interface access-list id4529E47F16799.0 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 nat (dmz) 3 access-list id4529E47F16799.0 outside ! ! Rule 4 (NAT) global (dmz) 4 interface access-list id4529E48D16799.0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 4 access-list id4529E48D16799.0 tcp 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall23.fw.orig000077500000000000000000000042151303637203600205470ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:06 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall23.fw ! ! lots of different combinations of objects in the NAT rules ! User sets inbound and outbound interfaces in NAT rules ! ! Prolog script: ! ! ! End of prolog script: ! nameif ethernet0 inside security100 nameif ethernet1 outside security0 nameif ethernet2 dmz security50 no logging buffered no logging console no logging timestamp no logging on telnet timeout 5 clear ssh aaa authentication ssh console LOCAL ssh timeout 5 clear snmp-server no snmp-server enable traps clear ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard disable clear xlate clear static clear global clear nat ! ! Rule 0 (NAT) global (outside) 1 interface access-list id1641246X21763.0 permit ip 192.168.1.0 255.255.255.0 any global (dmz) 1 interface ! ! ! Rule 1 (NAT) ! global (outside) 1 interface ! ! ! Rule 2 (NAT) ! ! ! ! Rule 3 (NAT) ! ! global (dmz) 1 interface ! ! ! ! Rule 4 (NAT) access-list id626114X21763.0 permit ip 192.168.1.0 255.255.255.0 any nat (outside) 1 access-list id626114X21763.0 0 0 ! ! ! 
Rule 5 (NAT) access-list id36895X21071.0 permit tcp host 192.168.1.1 eq 6667 any static (inside,outside) tcp interface 6667 access-list id36895X21071.0 0 0 ! ! Rule 6 (NAT) access-list id36809X21071.0 permit tcp host 192.168.1.10 eq 6667 any ! ! Rule 7 (NAT) access-list id36809X21071.0 permit tcp host 192.168.1.10 eq 6667 any ! ! Rule 8 (NAT) access-list id36809X21071.0 permit tcp host 192.168.1.10 eq 6667 any static (inside,outside) tcp interface 6667 access-list id36809X21071.0 0 0 access-list id1641340X21763.1 permit tcp host 192.168.1.10 eq 6667 any static (inside,dmz) tcp interface 6667 access-list id1641340X21763.1 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall3.fw.orig000077500000000000000000000070541303637203600204710ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:06 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall3.fw ! ! testing icmp and ssh/telnet commands ! ! Prolog script: ! ! ! End of prolog script: ! nameif eth0 inside security100 nameif eth1 outside security0 nameif eth2 dmz security50 no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 clear ssh aaa authentication ssh console LOCAL ssh timeout 5 clear snmp-server no snmp-server enable traps clear ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound no sysopt route dnat floodguard disable !################ clear access-list clear icmp clear telnet ! ! 
Rule 0 (eth0) ssh 0.0.0.0 0.0.0.0 inside access-list inside_acl_in permit tcp any any eq 22 ! ! Rule 1 (eth0) ssh 0.0.0.0 0.0.0.0 inside ! ! Rule 2 (eth0) icmp permit any 3 inside access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list inside_acl_in permit icmp any any 3 ! ! Rule 3 (eth0) access-list inside_acl_in permit icmp any host 192.168.1.1 3 ! ! Rule 4 (eth1) ssh 0.0.0.0 0.0.0.0 outside access-list outside_acl_in permit tcp any any eq 22 ! ! Rule 5 (eth1) ssh 0.0.0.0 0.0.0.0 outside ! ! Rule 6 (eth1) icmp permit any 3 outside access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list outside_acl_in permit icmp any any 3 ! ! Rule 7 (eth1) access-list outside_acl_in permit icmp any host 22.22.22.22 3 ! ! Rule 8 (global) access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list outside_acl_in permit icmp any host 22.22.22.22 3 icmp permit any 3 dmz access-list dmz_acl_in permit icmp any host 192.168.2.1 3 access-list inside_acl_in permit icmp any any 3 access-list outside_acl_in permit icmp any any 3 access-list dmz_acl_in permit icmp any any 3 ! ! Rule 9 (global) access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 ! ! Rule 10 (global) ssh 0.0.0.0 0.0.0.0 inside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 dmz access-list inside_acl_in permit tcp any any eq 22 access-list outside_acl_in permit tcp any any eq 22 access-list dmz_acl_in permit tcp any any eq 22 ! ! Rule 11 (global) ssh 0.0.0.0 0.0.0.0 inside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 dmz ! ! Rule 12 (global) telnet 0.0.0.0 0.0.0.0 inside telnet 0.0.0.0 0.0.0.0 outside telnet 0.0.0.0 0.0.0.0 dmz access-list inside_acl_in permit tcp any any eq 23 access-list outside_acl_in permit tcp any any eq 23 access-list dmz_acl_in permit tcp any any eq 23 ! ! 
Rule 13 (global) telnet 0.0.0.0 0.0.0.0 inside telnet 0.0.0.0 0.0.0.0 outside telnet 0.0.0.0 0.0.0.0 dmz ! ! Rule 14 (global) access-list inside_acl_in deny ip any any access-list outside_acl_in deny ip any any access-list dmz_acl_in deny ip any any access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall33.fw.orig000077500000000000000000000126671303637203600205620ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:07 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: no ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall33.fw ! ! testing DNSName object ! C firewall33:Policy:3: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode ! C firewall33:Policy:4: error: Run-time AddressTable and DNSName objects are not supported. ! C firewall33:Policy:7: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode ! C firewall33:Policy:7: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode ! C firewall33:Policy:8: error: Run-time AddressTable and DNSName objects are not supported. ! 
N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. ! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. ! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. ! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. ! N firewall33:NAT:2: error: Run-time AddressTable and DNSName objects are not supported. ! ! Prolog script: ! ! ! End of prolog script: ! nameif eth0.100 outside security0 nameif eth1 inside security100 no logging buffered no logging console no logging timestamp no logging on telnet timeout -1 aaa authentication ssh console LOCAL ssh timeout -1 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard disable !################ object-group network id43867C2418346.src.net.0 network-object host 157.166.226.25 network-object host 157.166.226.26 network-object host 157.166.255.18 network-object host 157.166.255.19 exit object-group network id438728A918346.dst.net.0 network-object host 74.125.224.112 network-object host 74.125.224.113 network-object host 74.125.224.114 network-object host 74.125.224.115 network-object host 74.125.224.116 network-object host 157.166.226.25 network-object host 157.166.226.26 network-object host 157.166.255.18 network-object host 157.166.255.19 exit ! ! 
Rule 0 (eth0.100) access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any ! ! Rule 1 (global) access-list outside_acl_in permit ip object-group id43867C2418346.src.net.0 any ! ! Rule 3 (global) ! firewall33:Policy:3: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode access-list outside_acl_in permit ip host 192.0.2.1 any ! ! Rule 5 (global) access-list outside_acl_in deny ip any object-group id43867C2418346.src.net.0 access-list inside_acl_in deny ip any object-group id43867C2418346.src.net.0 ! ! Rule 7 (global) ! firewall33:Policy:7: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode access-list outside_acl_in permit ip any host 192.0.2.1 access-list inside_acl_in permit ip any host 192.0.2.1 ! ! Rule 9 (global) access-list outside_acl_in permit ip any object-group id438728A918346.dst.net.0 access-list inside_acl_in permit ip any object-group id438728A918346.dst.net.0 ! ! Rule 11 (global) access-list outside_acl_in deny ip any any log 6 interval 300 access-list inside_acl_in deny ip any any log 6 interval 300 access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) access-list id43867C4918346.0 permit ip host 192.168.1.10 any static (inside,outside) interface access-list id43867C4918346.0 0 0 ! ! Rule 1 (NAT) ! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. 
global (outside) 1 interface access-list id43876E2618346.0 permit ip any host 157.166.226.25 access-list id43876E2618346.0 permit ip any host 157.166.226.26 access-list id43876E2618346.0 permit ip any host 157.166.255.18 access-list id43876E2618346.0 permit ip any host 157.166.255.19 nat (outside) 1 access-list id43876E2618346.0 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall34.fw.orig000077500000000000000000000141311303637203600205470ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:08 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: no ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall34.fw ! ! testing AddressTable object ! C firewall34:Policy:1: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode ! C firewall34:Policy:1: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode ! ! Prolog script: ! ! ! End of prolog script: ! 
nameif eth0.100 outside security0 nameif eth1 inside security100 no logging buffered no logging console no logging timestamp no logging on telnet timeout -1 aaa authentication ssh console LOCAL ssh timeout -1 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard disable !################ object-group network id16988X10208.dst.net.0 network-object 192.168.1.1 255.255.255.255 network-object 192.168.1.2 255.255.255.255 network-object 192.168.1.3 255.255.255.252 network-object 192.168.1.200 255.255.255.255 network-object 192.168.1.201 255.255.255.255 exit object-group network id4390C25825682.dst.net.0 network-object 58.33.181.83 255.255.255.255 network-object 58.53.82.190 255.255.255.255 network-object 58.231.13.78 255.255.255.255 network-object 61.150.47.112 255.255.255.255 network-object 61.184.14.102 255.255.255.255 network-object 64.106.85.186 255.255.255.255 network-object 70.228.60.100 255.255.255.255 network-object 80.51.236.6 255.255.255.255 network-object 80.243.72.149 255.255.255.255 network-object 80.249.77.34 255.255.255.255 network-object 81.2.36.254 255.255.255.255 network-object 81.196.74.125 255.255.255.255 network-object 82.77.37.174 255.255.255.255 network-object 82.117.221.205 255.255.255.255 network-object 82.143.196.17 255.255.255.255 network-object 84.90.8.198 255.255.255.255 network-object 151.8.224.178 255.255.255.255 network-object 168.156.76.20 255.255.255.255 network-object 193.207.126.36 255.255.255.255 network-object 195.136.186.35 255.255.255.255 network-object 196.15.136.15 255.255.255.255 network-object 201.10.180.138 255.255.255.255 network-object 201.17.93.16 255.255.255.255 network-object 201.36.156.121 255.255.255.255 network-object 202.96.112.93 255.255.255.255 network-object 202.103.25.253 255.255.255.255 network-object 203.162.3.209 255.255.255.255 network-object 203.209.124.144 255.255.255.255 network-object 
210.106.193.237 255.255.255.255 network-object 210.222.114.102 255.255.255.255 network-object 211.144.143.143 255.255.255.255 network-object 211.172.218.237 255.255.255.255 network-object 211.250.16.132 255.255.255.255 network-object 212.21.241.31 255.255.255.255 network-object 212.100.212.100 255.255.255.255 network-object 218.18.72.252 255.255.255.255 network-object 218.39.114.122 255.255.255.255 network-object 218.55.115.43 255.255.255.255 network-object 218.104.138.146 255.255.255.255 network-object 219.132.104.160 255.255.255.255 network-object 220.71.17.86 255.255.255.255 network-object 220.81.50.105 255.255.255.255 network-object 220.91.99.46 255.255.255.255 network-object 221.14.249.242 255.255.255.255 network-object 221.166.177.135 255.255.255.255 network-object 221.198.33.38 255.255.255.255 network-object 221.202.160.233 255.255.255.255 network-object 221.205.54.125 255.255.255.255 network-object 221.217.44.248 255.255.255.255 network-object 222.100.212.223 255.255.255.255 network-object 222.121.118.144 255.255.255.255 network-object 222.174.113.2 255.255.255.255 exit object-group network id21263X16880.src.net.0 network-object 10.1.0.0 255.255.255.0 network-object 10.1.2.0 255.255.255.0 network-object 10.1.3.0 255.255.255.0 network-object 10.1.4.0 255.255.255.0 exit ! ! Rule 0 (global) access-list outside_acl_in permit ip any 192.168.2.128 255.255.255.128 access-list inside_acl_in permit ip any 192.168.2.128 255.255.255.128 access-list outside_acl_in permit ip any object-group id16988X10208.dst.net.0 access-list inside_acl_in permit ip any object-group id16988X10208.dst.net.0 ! ! Rule 1 (global) ! firewall34:Policy:1: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode access-list outside_acl_in permit ip any 192.0.2.0 255.255.255.0 access-list inside_acl_in permit ip any 192.0.2.0 255.255.255.0 ! ! 
Rule 2 (global) access-list outside_acl_in deny ip any object-group id4390C25825682.dst.net.0 log 6 interval 300 access-list inside_acl_in deny ip any object-group id4390C25825682.dst.net.0 log 6 interval 300 ! ! Rule 3 (global) access-list outside_acl_in deny tcp any object-group id4390C25825682.dst.net.0 eq 25 access-list inside_acl_in deny tcp any object-group id4390C25825682.dst.net.0 eq 25 ! ! Rule 5 (global) access-list outside_acl_in deny ip object-group id4390C25825682.dst.net.0 any log 6 interval 300 ! ! Rule 6 (global) access-list outside_acl_in deny ip object-group id4390C25825682.dst.net.0 any log 6 interval 300 ! ! Rule 7 (global) access-list outside_acl_in permit ip object-group id4390C25825682.dst.net.0 any ! ! Rule 8 (global) ! for #1917 access-list outside_acl_in deny ip object-group id21263X16880.src.net.0 any ! ! Rule 10 (global) access-list outside_acl_in permit tcp any host 192.168.1.10 eq 25 access-list inside_acl_in permit tcp any host 192.168.1.10 eq 25 ! ! Rule 11 (global) access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 12 (global) access-list outside_acl_in deny ip any any log 6 interval 300 access-list inside_acl_in deny ip any any log 6 interval 300 access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall4.fw.orig000077500000000000000000000072741303637203600204760ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:08 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall4.fw ! ! this object is used to test "Replace NAT'ted objects with their translations" option ! ! Prolog script: ! ! ! End of prolog script: ! 
nameif eth0 inside security100 nameif eth1 dmz1 security40 nameif eth2 dmz2 security50 nameif eth3 outside security0 no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout uauth 2:0:0 absolute telnet timeout -1 clear ssh aaa authentication ssh console LOCAL ssh timeout -1 clear snmp-server no snmp-server enable traps clear ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound no sysopt route dnat floodguard disable !################ clear xlate clear static clear global clear nat clear access-list clear icmp clear telnet clear object-group object-group service id3D79A1C2.srv.tcp.0 tcp port-object eq 80 port-object eq 22 exit object-group network id3D79A1E4.dst.net.0 network-object host 192.168.1.10 network-object host 192.168.1.20 exit ! ! Rule 0 (global) access-list inside_acl_in permit tcp any host 192.168.1.10 eq 22 access-list dmz1_acl_in permit tcp any host 192.168.1.10 eq 22 access-list dmz2_acl_in permit tcp any host 192.168.2.1 eq 22 access-list dmz2_acl_in permit tcp any host 192.168.1.10 eq 22 access-list outside_acl_in permit tcp any host 222.222.222.222 eq 22 access-list outside_acl_in permit tcp any host 192.168.1.10 eq 22 ! ! Rule 1 (global) access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id3D79A1C2.srv.tcp.0 access-list dmz1_acl_in permit tcp any host 192.168.1.10 object-group id3D79A1C2.srv.tcp.0 access-list dmz2_acl_in permit tcp any host 192.168.2.1 eq 22 access-list dmz2_acl_in permit tcp any host 192.168.1.10 object-group id3D79A1C2.srv.tcp.0 access-list outside_acl_in permit tcp any host 222.222.222.222 eq 22 access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id3D79A1C2.srv.tcp.0 ! ! 
Rule 2 (global) access-list inside_acl_in permit tcp any object-group id3D79A1E4.dst.net.0 eq 22 access-list dmz1_acl_in permit tcp any object-group id3D79A1E4.dst.net.0 eq 22 access-list dmz2_acl_in permit tcp any host 192.168.2.1 eq 22 access-list dmz2_acl_in permit tcp any object-group id3D79A1E4.dst.net.0 eq 22 access-list outside_acl_in permit tcp any host 222.222.222.222 eq 22 access-list outside_acl_in permit tcp any object-group id3D79A1E4.dst.net.0 eq 22 ! ! Rule 3 (global) ! 'masquerading' rule access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 4 (global) ! 'catch all' rule access-list inside_acl_in deny ip any any access-list dmz1_acl_in deny ip any any access-list dmz2_acl_in deny ip any any access-list outside_acl_in deny ip any any access-group dmz1_acl_in in interface dmz1 access-group dmz2_acl_in in interface dmz2 access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) static (inside,outside) tcp interface 22 192.168.1.10 22 0 0 ! ! Rule 1 (NAT) static (inside,dmz2) tcp interface 22 192.168.1.10 22 0 0 ! ! Rule 2 (NAT) static (inside,dmz2) tcp interface 22 192.168.1.10 22 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall50.fw.orig000077500000000000000000000363641303637203600205610ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:08 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall50.fw ! ! this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule. PIX 7.0 ! C firewall50:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! 
C firewall50:Policy:9: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C firewall50:Policy:15: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule ! C firewall50:Policy:29: error: PIX does not support checking for IP options in ACLs. ! ! Prolog script: ! ! ! End of prolog script: ! hostname firewall50 interface ethernet1 nameif outside security-level 0 exit interface ethernet0 nameif inside security-level 100 exit interface ethernet2 nameif dmz security-level 50 exit logging host inside 192.168.1.30 logging queue 512 logging facility 16 logging trap 0 no logging buffered no logging console no logging timestamp logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 clear config ssh aaa authentication ssh console LOCAL ssh timeout 5 clear config snmp-server snmp-server community public snmp-server enable traps snmp-server host inside 192.168.1.20 poll snmp-server host inside 192.168.1.22 trap clear config ntp ntp server 192.168.1.20 source inside prefer no service resetinbound no service resetoutside sysopt connection tcpmss 1380 sysopt connection timewait sysopt nodnsalias inbound sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect ils inspect rsh inspect rtsp inspect sip inspect skinny inspect esmtp inspect sqlnet service-policy global_policy global !################ clear config access-list tmp_acl access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any access-list tmp_acl deny ip any any access-group tmp_acl in interface outside access-group tmp_acl in interface inside access-group tmp_acl in 
interface dmz clear xlate clear config static clear config global clear config nat clear config access-list dmz_acl_in clear config access-list inside_acl_in clear config access-list outside_acl_in clear config icmp clear config telnet clear config object-group clear config object object-group network id45142FA628543.dst.net.0 network-object host 211.11.11.11 network-object host 211.22.22.22 exit object-group service id45142FA628543.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 25 port-object eq 22 port-object eq 540 exit object-group icmp-type id45142FCB28543.srv.icmp.0 icmp-object 3 icmp-object 0 icmp-object 11 exit object-group service id45142FD728543.srv.tcp.0 tcp port-object eq 70 port-object eq 6667 port-object eq 3128 port-object eq 23 exit object-group service id45142FD728543.srv.udp.0 udp port-object eq 53 port-object eq 161 exit object-group network id45142FFC28543.dst.net.0 network-object host 192.168.1.10 network-object host 192.168.1.20 exit object-group network id4514300A28543.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id4514301628543.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id4514302F28543.dst.net.0 network-object host 192.168.1.11 network-object host 192.168.1.12 network-object host 192.168.1.13 network-object host 192.168.1.14 network-object host 192.168.1.15 exit object-group service id4514302F28543.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 25 port-object eq 3128 port-object eq 22 port-object eq 540 exit object-group network id4514303C28543.dst.net.0 network-object 192.168.1.11 255.255.255.255 network-object 192.168.1.12 255.255.255.252 exit object-group service id4514304928543.srv.tcp.0 tcp port-object eq 113 port-object eq 13 port-object eq 53 port-object eq 2105 
port-object eq 21 port-object eq 70 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 993 port-object eq 6667 port-object eq 6667 port-object eq 543 port-object eq 544 port-object eq 389 port-object eq 98 port-object eq 3306 port-object eq 2049 port-object eq 119 port-object eq 110 port-object eq 5432 port-object eq 515 port-object eq 26000 port-object eq 512 port-object eq 513 port-object eq 514 port-object eq 4321 port-object eq 25 port-object eq 465 port-object eq 1080 port-object eq 3128 port-object eq 22 port-object eq 111 port-object eq 23 port-object range 10000 11000 port-object eq 540 port-object eq 7100 exit ! ! Rule 2 (ethernet1) icmp permit any 3 outside access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list outside_acl_in permit icmp any any 3 ! ! Rule 3 (ethernet1) ! anti-spoofing rule ! firewall50:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 4 (ethernet0) ssh 192.168.1.0 255.255.255.0 inside ! ! Rule 5 (ethernet0) access-list inside_acl_in permit tcp any object-group id45142FA628543.dst.net.0 object-group id45142FA628543.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id45142FA628543.dst.net.0 object-group id45142FA628543.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id45142FA628543.dst.net.0 object-group id45142FA628543.srv.tcp.0 ! ! Rule 6 (ethernet0) access-list inside_acl_in deny ip any host 192.168.1.255 ! ! Rule 8 (global) access-list dmz_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22 ! ! Rule 9 (ethernet2,ethernet0) ! 
firewall50:Policy:9: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list inside_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22 access-list dmz_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22 access-list dmz_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22 ! ! Rule 10 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id45142FCB28543.srv.icmp.0 access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id45142FCB28543.srv.icmp.0 access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group id45142FCB28543.srv.icmp.0 ! ! Rule 11 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 access-list inside_acl_in permit icmp any host 192.168.1.10 access-list dmz_acl_in permit icmp any host 192.168.1.10 access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id45142FD728543.srv.tcp.0 access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id45142FD728543.srv.tcp.0 access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group id45142FD728543.srv.tcp.0 access-list outside_acl_in permit udp any host 192.168.1.10 object-group id45142FD728543.srv.udp.0 access-list inside_acl_in permit udp any host 192.168.1.10 object-group id45142FD728543.srv.udp.0 access-list dmz_acl_in permit udp any host 192.168.1.10 object-group id45142FD728543.srv.udp.0 access-list outside_acl_in permit 47 any host 192.168.1.10 access-list inside_acl_in permit 47 any host 192.168.1.10 access-list dmz_acl_in permit 47 any host 192.168.1.10 ! ! 
Rule 12 (global) access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300 icmp permit any 3 inside access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300 icmp permit any 3 dmz access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300 access-list outside_acl_in permit icmp any any 3 log 0 interval 300 access-list inside_acl_in permit icmp any any 3 log 0 interval 300 access-list dmz_acl_in permit icmp any any 3 log 0 interval 300 access-list outside_acl_in permit 47 any any log 0 interval 300 access-list inside_acl_in permit 47 any any log 0 interval 300 access-list dmz_acl_in permit 47 any any log 0 interval 300 access-list outside_acl_in permit 50 any any log 0 interval 300 access-list inside_acl_in permit 50 any any log 0 interval 300 access-list dmz_acl_in permit 50 any any log 0 interval 300 ! ! Rule 14 (global) access-list outside_acl_in permit ip object-group id45142FA628543.dst.net.0 object-group id45142FFC28543.dst.net.0 ! ! Rule 15 (global) ! firewall50:Policy:15: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule access-list inside_acl_in permit tcp host 192.168.1.10 object-group id4514300A28543.dst.net.0 eq 3128 ! ! Rule 16 (global) access-list outside_acl_in permit tcp any object-group id4514301628543.dst.net.0 eq 3128 access-list inside_acl_in permit tcp any object-group id4514301628543.dst.net.0 eq 3128 access-list dmz_acl_in permit tcp any object-group id4514301628543.dst.net.0 eq 3128 ! ! Rule 17 (global) ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh 0.0.0.0 0.0.0.0 dmz access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 ! ! 
Rule 18 (global) access-list outside_acl_in permit tcp any object-group id4514302F28543.dst.net.0 object-group id4514302F28543.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id4514302F28543.dst.net.0 object-group id4514302F28543.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id4514302F28543.dst.net.0 object-group id4514302F28543.srv.tcp.0 ! ! Rule 19 (global) access-list outside_acl_in permit tcp any object-group id4514303C28543.dst.net.0 object-group id4514302F28543.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id4514303C28543.dst.net.0 object-group id4514302F28543.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id4514303C28543.dst.net.0 object-group id4514302F28543.srv.tcp.0 ! ! Rule 20 (global) access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id4514304928543.srv.tcp.0 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id4514304928543.srv.tcp.0 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id4514304928543.srv.tcp.0 ! ! Rule 21 (global) ! objects hostA and hostB are ! redundant and should be removed by ! removeRedundantAddressesFromDst access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 ! ! 
Rule 22 (global) access-list outside_acl_in permit udp any range 10000 10010 host 192.168.1.10 access-list inside_acl_in permit udp any range 10000 10010 host 192.168.1.10 access-list dmz_acl_in permit udp any range 10000 10010 host 192.168.1.10 access-list outside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list inside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list dmz_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list outside_acl_in permit tcp any range 20000 20020 host 192.168.1.10 access-list inside_acl_in permit tcp any range 20000 20020 host 192.168.1.10 access-list dmz_acl_in permit tcp any range 20000 20020 host 192.168.1.10 ! ! Rule 25 (global) access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300 access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300 access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300 ! ! Rule 26 (global) access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 27 (global) access-list outside_acl_in permit ip host 22.22.22.22 any access-list inside_acl_in permit ip host 192.168.1.1 any access-list dmz_acl_in permit ip host 192.168.2.1 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 28 (global) access-list outside_acl_in deny ip any any log 0 interval 300 access-list inside_acl_in deny ip any any log 0 interval 300 access-list dmz_acl_in deny ip any any log 0 interval 300 access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface clear config access-list id451430AE28543.0 access-list id451430AE28543.0 permit ip 192.168.1.0 255.255.255.0 any nat (inside) 1 access-list id451430AE28543.0 tcp 0 0 global (dmz) 1 interface ! ! ! Rule 1 (NAT) nat (dmz) 1 0.0.0.0 0.0.0.0 tcp 0 0 ! ! 
Rule 2 (NAT) nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 0 ! ! ! Rule 3 (NAT) global (outside) 1 22.22.22.0 netmask 255.255.255.0 ! ! ! Rule 4 (NAT) global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0 ! ! ! Rule 5 (NAT) clear config access-list id451430F428543.0 access-list id451430F428543.0 permit tcp host 192.168.1.10 eq 25 any static (inside,outside) tcp interface 25 access-list id451430F428543.0 tcp 0 0 ! ! Rule 6 (NAT) clear config access-list id47B71DF021818.0 access-list id47B71DF021818.0 permit tcp host 192.168.1.10 eq 25 any ! ! Rule 7 (NAT) access-list id47B71DF021818.0 permit tcp host 192.168.1.10 eq 25 any ! ! Rule 8 (NAT) access-list id47B71DF021818.0 permit tcp host 192.168.1.10 eq 25 any static (inside,outside) tcp interface 2525 access-list id47B71DF021818.0 tcp 0 0 ! ! Rule 9 (NAT) global (inside) 8 interface clear config access-list id4514310228543.0 access-list id4514310228543.0 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 nat (dmz) 8 access-list id4514310228543.0 outside ! ! Rule 10 (NAT) clear config access-list nat0.inside access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 0 access-list nat0.inside ! ! Rule 11 (NAT) access-list nat0.inside permit ip host 192.168.1.11 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.12 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.13 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.14 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.15 192.168.2.0 255.255.255.0 ! ! Rule 12 (NAT) nat (dmz) 0 0 0 ! ! Rule 13 (NAT) static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ! ! Rule 14 (NAT) static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall6.fw.orig000077500000000000000000000040641303637203600204720ustar00rootroot00000000000000! ! 
This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:08 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall6.fw ! ! testing rule with firewall in dst and negation ! ! Prolog script: ! ! ! End of prolog script: ! nameif eth0 inside security100 nameif eth1 outside security0 nameif eth2 dmz security50 logging host outside 10.3.14.30 logging queue 512 logging facility 20 logging trap 4 logging buffered 5 logging console 0 logging timestamp logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout uauth 2:0:0 absolute clear ssh aaa authentication ssh console LOCAL clear snmp-server no snmp-server enable traps clear ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound no sysopt route dnat floodguard disable !################ clear xlate clear static clear global clear nat clear access-list clear icmp clear telnet ! ! Rule 0 (eth1) access-list outside_acl_in deny ip any host 22.22.22.22 ! ! Rule 1 (global) access-list inside_acl_in deny ip any host 192.168.1.1 access-list outside_acl_in deny ip any host 22.22.22.22 access-list dmz_acl_in deny ip any host 192.168.2.1 access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 ! ! Rule 1 (NAT) static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 ! ! Rule 2 (NAT) global (outside) 1 interface nat (inside) 1 192.168.1.10 255.255.255.255 0 0 ! ! 
Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall8.fw.orig000077500000000000000000000054741303637203600205020ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:09 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall8.fw ! ! N firewall8:NAT:5: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier. ! N firewall8:NAT:6: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier. ! ! Prolog script: ! no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound ! ! End of prolog script: ! nameif eth0 outside security0 nameif eth1 dmz security50 nameif eth2 inside security100 no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:2:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound sysopt route dnat floodguard enable fixup protocol ftp 21 !################ ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 access-list dmz_acl_in permit ip any host 192.168.1.10 access-list inside_acl_in permit ip any host 192.168.1.10 ! ! 
Rule 1 (global) access-list outside_acl_in permit ip any 192.168.1.0 255.255.255.0 access-list dmz_acl_in permit ip any 192.168.1.0 255.255.255.0 access-list inside_acl_in permit ip any 192.168.1.0 255.255.255.0 ! ! Rule 2 (global) access-list outside_acl_in deny ip any any access-list dmz_acl_in deny ip any any access-list inside_acl_in deny ip any any access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface nat (inside) 1 192.168.1.0 255.255.255.0 0 0 global (outside) 1 interface ! ! ! Rule 1 (NAT) ! ! ! Rule 2 (NAT) ! ! ! Rule 3 (NAT) nat (dmz) 1 192.168.2.0 255.255.255.0 0 0 ! ! Rule 4 (NAT) static (dmz,outside) interface 192.168.2.100 0 0 ! ! Rule 5 (NAT) ! firewall8:NAT:5: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier. global (inside) 1 interface ! ! ! Rule 6 (NAT) ! firewall8:NAT:6: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier. global (dmz) 1 interface ! ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall80.fw.orig000077500000000000000000000130121303637203600205450ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:09 2011 PDT by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall80.fw ! ! testing rules with broadcasts ! N firewall80:NAT:0: error: CustomService objects are not supported in NAT rules ! ! Prolog script: ! ! ! End of prolog script: ! 
interface FastEthernet0 nameif outside security-level 100 exit interface FastEthernet1 nameif inside security-level 0 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global policy-map type inspect ip-options ip-options-map parameters eool action allow router-alert action clear !################ clear xlate clear config static clear config global clear config nat clear config access-list clear config icmp clear config telnet clear config object-group clear config object object-group icmp-type id19186X29796.srv.icmp.0 icmp-object 0 icmp-object 8 exit object-group service id19186X29796.srv.tcp.0 tcp port-object eq 53 port-object eq 25 exit object-group service id19186X29796.srv.udp.0 udp port-object eq 53 port-object eq 123 exit object-group icmp-type id21447X11252.srv.icmp.0 icmp-object 3 icmp-object 8 exit ! ! Rule 0 (FastEthernet1) ssh 0.0.0.0 0.0.0.0 inside ! ! Rule 1 (FastEthernet1) access-list inside_acl_in permit tcp any host 22.22.22.22 eq 22 ! ! Rule 2 (global) access-list outside_acl_in permit tcp any host 192.168.1.10 eq 22 access-list inside_acl_in permit tcp any host 192.168.1.10 eq 22 ! ! Rule 3 (FastEthernet1) icmp permit any 3 inside access-list inside_acl_in permit icmp any host 192.168.1.1 3 ! ! 
Rule 4 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id19186X29796.srv.icmp.0 access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id19186X29796.srv.icmp.0 access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id19186X29796.srv.tcp.0 access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id19186X29796.srv.tcp.0 access-list outside_acl_in permit udp any host 192.168.1.10 object-group id19186X29796.srv.udp.0 access-list inside_acl_in permit udp any host 192.168.1.10 object-group id19186X29796.srv.udp.0 access-list outside_acl_in permit 50 any host 192.168.1.10 access-list inside_acl_in permit 50 any host 192.168.1.10 access-list outside_acl_in permit 51 any host 192.168.1.10 access-list inside_acl_in permit 51 any host 192.168.1.10 ! ! Rule 5 (global) ! matching source ports access-list outside_acl_in deny udp any range 10000 10010 host 192.168.1.10 access-list inside_acl_in deny udp any range 10000 10010 host 192.168.1.10 access-list outside_acl_in deny tcp any gt 1023 host 192.168.1.10 eq 80 access-list inside_acl_in deny tcp any gt 1023 host 192.168.1.10 eq 80 ! ! Rule 6 (global) access-list outside_acl_in deny tcp any range 20000 20020 host 192.168.1.10 access-list inside_acl_in deny tcp any range 20000 20020 host 192.168.1.10 access-list outside_acl_in deny tcp any range 30000 30030 host 192.168.1.10 access-list inside_acl_in deny tcp any range 30000 30030 host 192.168.1.10 ! ! Rule 7 (global) ! matching "any" icmp and "all" tcp ! in one service-group ! access-list outside_acl_in deny icmp any host 192.168.1.10 access-list inside_acl_in deny icmp any host 192.168.1.10 access-list outside_acl_in deny tcp any host 192.168.1.10 access-list inside_acl_in deny tcp any host 192.168.1.10 ! ! Rule 8 (global) ! for #1938 matching ! 
mixed services icmp permit 192.168.1.0 255.255.255.192 3 inside icmp permit 192.168.1.0 255.255.255.192 8 inside access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.192 host 192.168.1.1 object-group id21447X11252.srv.icmp.0 access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.192 any object-group id21447X11252.srv.icmp.0 access-list inside_acl_in permit tcp 192.168.1.0 255.255.255.192 any eq 3128 access-list inside_acl_in permit udp 192.168.1.0 255.255.255.192 any eq 53 ! ! Rule 9 (global) ! for #1942 ! using custom service access-list outside_acl_in deny tcp any host 192.168.1.10 neq 8080 access-list inside_acl_in deny tcp any host 192.168.1.10 neq 8080 ! ! Rule 10 (global) ! for #1942 ! using custom service access-list outside_acl_in deny tcp any host 192.168.1.10 neq 8080 access-list inside_acl_in deny tcp any host 192.168.1.10 neq 8080 access-list outside_acl_in deny tcp any host 192.168.1.10 eq 3128 access-list inside_acl_in deny tcp any host 192.168.1.10 eq 3128 ! ! Rule 11 (global) access-list outside_acl_in deny ip any any access-list inside_acl_in deny ip any any access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall81.fw.orig000077500000000000000000000114571303637203600205610ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:10 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall81.fw ! ! test for the warning issued when translated address is used in ! policy rule ! C firewall81:Policy:1: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. 
Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. ! C firewall81:Policy:2: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. ! C firewall81:Policy:3: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. ! ! Prolog script: ! ! ! End of prolog script: ! interface FastEthernet0 nameif inside security-level 100 exit interface FastEthernet1 nameif outside security-level 0 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global policy-map type inspect ip-options ip-options-map parameters eool action allow router-alert action clear !################ clear xlate clear config nat clear config access-list clear config icmp clear config telnet clear config object object service http.0 service tcp destination eq 80 exit object network hostA:eth0.0 host 192.168.1.10 exit ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp ! in one service-group ! 
access-list inside_acl_in deny icmp any object hostA:eth0.0 access-list outside_acl_in deny icmp any object hostA:eth0.0 access-list inside_acl_in deny tcp any object hostA:eth0.0 access-list outside_acl_in deny tcp any object hostA:eth0.0 ! ! Rule 1 (FastEthernet1) ! test rule using translated address in dst ! firewall81:Policy:1: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 2 (global) ! test rule using translated address in dst ! firewall81:Policy:2: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 3 (global) ! test rule using translated address in dst ! firewall81:Policy:3: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. http 0.0.0.0 0.0.0.0 inside http 0.0.0.0 0.0.0.0 outside ! ! Rule 4 (global) ! for #1942 ! using custom service access-list inside_acl_in deny tcp any object hostA:eth0.0 neq 8080 access-list outside_acl_in deny tcp any object hostA:eth0.0 neq 8080 ! ! Rule 5 (global) ! for #1942 ! using custom service access-list inside_acl_in deny tcp any object hostA:eth0.0 neq 8080 access-list outside_acl_in deny tcp any object hostA:eth0.0 neq 8080 access-list inside_acl_in deny tcp any object hostA:eth0.0 eq 3128 access-list outside_acl_in deny tcp any object hostA:eth0.0 eq 3128 ! ! 
Rule 6 (global) access-list inside_acl_in deny ip any any access-list outside_acl_in deny ip any any access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)" ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall82.fw.orig000077500000000000000000000105121303637203600205510ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:11 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall82.fw ! ! test for the warning issued when translated address is used in ! policy rule. HEre we have slightly different NAT than in firewall81 ! C firewall82:Policy:1: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. ! C firewall82:Policy:2: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. ! C firewall82:Policy:3: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. ! ! Prolog script: ! ! ! End of prolog script: ! 
interface FastEthernet0 nameif inside security-level 100 exit interface FastEthernet1 nameif outside security-level 0 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global policy-map type inspect ip-options ip-options-map parameters eool action allow router-alert action clear !################ clear xlate clear config nat clear config access-list clear config icmp clear config telnet clear config object object service http.0 service tcp destination eq 80 exit object network hostA:eth0.0 host 192.168.1.10 exit ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp ! in one service-group ! access-list inside_acl_in deny icmp any object hostA:eth0.0 access-list outside_acl_in deny icmp any object hostA:eth0.0 access-list inside_acl_in deny tcp any object hostA:eth0.0 access-list outside_acl_in deny tcp any object hostA:eth0.0 ! ! Rule 1 (FastEthernet1) ! test rule using translated address in dst ! firewall82:Policy:1: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 2 (global) ! test rule using translated address in dst ! 
firewall82:Policy:2: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 3 (global) ! test rule using translated address in dst ! firewall82:Policy:3: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. http 0.0.0.0 0.0.0.0 inside http 0.0.0.0 0.0.0.0 outside ! ! Rule 4 (global) access-list inside_acl_in deny ip any any access-list outside_acl_in deny ip any any access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)" ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall83.fw.orig000077500000000000000000000054271303637203600205630ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:11 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall83.fw ! ! test for the warning issued when translated address is used in ! policy rule. Here we have SNAT rule and warning should not be issued ! ! Prolog script: ! ! ! End of prolog script: ! 
interface FastEthernet0 nameif inside security-level 100 exit interface FastEthernet1 nameif outside security-level 0 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global policy-map type inspect ip-options ip-options-map parameters eool action allow router-alert action clear !################ clear xlate clear config nat clear config access-list clear config icmp clear config telnet clear config object object service http.0 service tcp destination eq 80 exit object network hostA:eth0.0 host 192.168.1.10 exit ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp ! in one service-group ! access-list inside_acl_in deny icmp any object hostA:eth0.0 access-list outside_acl_in deny icmp any object hostA:eth0.0 access-list inside_acl_in deny tcp any object hostA:eth0.0 access-list outside_acl_in deny tcp any object hostA:eth0.0 ! ! Rule 1 (FastEthernet1) ! test rule using translated address in dst access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 2 (global) ! test rule using translated address in dst access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 3 (global) ! test rule using translated address in dst http 0.0.0.0 0.0.0.0 inside http 0.0.0.0 0.0.0.0 outside ! ! 
Rule 4 (global) access-list inside_acl_in deny ip any any access-list outside_acl_in deny ip any any access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) nat (inside,outside) source static hostA:eth0.0 interface service http.0 http.0 description "0 (NAT)" ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall9.fw.orig000077500000000000000000000033051303637203600204720ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:11 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * firewall9.fw ! ! this firewall has no rules at all. ! ! Prolog script: ! no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound ! ! End of prolog script: ! 
nameif eth0 outside security0 nameif eth1 dmz security50 nameif eth2 inside security100 no logging buffered no logging console no logging timestamp no logging on timeout xlate 0:0:30 timeout conn 0:0:0 timeout udp 0:0:0 timeout rpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 absolute telnet timeout 5 aaa authentication ssh console LOCAL ssh timeout 5 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard disable fixup protocol ctiqbe 2748 fixup protocol dns maximum-length 65535 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol icmp error fixup protocol ils 389 fixup protocol mgcp 2427 fixup protocol mgcp 2727 fixup protocol pptp 1723 fixup protocol rsh fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall90.fw.orig000077500000000000000000000256371303637203600205660ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:11 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall90.fw ! ! testing new style ASA 8.3 nat commands ! SNAT rules ! N firewall90:NAT:13: error: Option 'translate dns' can not be used in combination with destination matching or translation ! N firewall90:NAT:14: error: Option 'translate dns' can not be used in combination with service matching or translation ! 
N firewall90:NAT:19: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. ! N firewall90:NAT:24: error: CustomService objects are not supported in NAT rules ! ! Prolog script: ! ! ! End of prolog script: ! interface FastEthernet0 nameif inside security-level 100 exit interface FastEthernet1 nameif outside security-level 0 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global policy-map type inspect ip-options ip-options-map parameters eool action allow router-alert action clear !################ clear xlate clear config nat clear config access-list clear config icmp clear config telnet clear config object-group clear config object object service http.0 service tcp destination eq 80 exit object service smtp.0 service tcp destination eq 25 exit object service smtps.0 service tcp destination eq 465 exit object service squid.0 service tcp destination eq 3128 exit object network spamhost1.0 host 61.150.47.112 exit object network external_gw_1.0 host 22.22.22.254 exit object network external_gw2.0 host 22.22.22.100 exit object network spamhost2.0 host 61.150.47.113 exit object network hostA:eth0.0 host 192.168.1.10 exit object network Internal_net.0 subnet 192.168.1.0 255.255.255.0 exit object network 
internal_subnet_1.0 subnet 192.168.1.0 255.255.255.192 exit object network internal_subnet_2.0 subnet 192.168.1.64 255.255.255.192 exit object network ext_subnet.0 subnet 22.22.22.128 255.255.255.224 exit object network ext_subnet-192.0 subnet 22.22.22.128 255.255.255.192 exit object network test_range_1.0 range 192.168.1.11 192.168.1.15 exit object network outside_range.0 range 22.22.22.21 22.22.22.25 exit object network outside_range-1.0 range 22.22.22.30 22.22.22.40 exit object network firewall90:FastEthernet1:ip.0 host 22.22.22.22 exit object network firewall90:FastEthernet1:ip-1.0 host 22.22.22.23 exit object-group network id178211X29963.osrc.net.0 network-object object internal_subnet_1.0 network-object object internal_subnet_2.0 exit object-group network id21353X4994.osrc.net.0 network-object object Internal_net.0 network-object object internal_subnet_1.0 network-object object internal_subnet_2.0 exit object-group network id20069X32406.osrc.net.0 network-object object test_range_1.0 exit object-group network id130599X29063.tsrc.net.0 network-object object outside_range.0 network-object object firewall90:FastEthernet1:ip.0 network-object object external_gw2.0 exit object-group network id20720X27505.tsrc.net.0 network-object object outside_range.0 network-object object external_gw2.0 exit object-group network id241772X29764.tsrc.net.0 network-object object outside_range.0 exit object-group network id643092X27990.tsrc.net.0 network-object object ext_subnet.0 exit object-group network id21121X3710.tsrc.net.0 network-object object outside_range-1.0 network-object object external_gw2.0 exit object-group network id21177X3720.tsrc.net.0 network-object object ext_subnet.0 exit object-group network id77971X5929.odst.net.0 network-object object spamhost1.0 network-object object spamhost2.0 exit object-group network id77971X5929.tsrc.net.0 network-object object outside_range-1.0 network-object object external_gw2.0 exit object-group network id77971X5929.tsrc.net.1 
network-object object outside_range-1.0 network-object object external_gw2.0 exit object-group network id78630X30274.src.net.0 network-object 10.1.2.0 255.255.255.0 network-object 10.1.3.0 255.255.255.0 exit ! ! Rule 0 (global) access-list outside_acl_in deny ip object-group id78630X30274.src.net.0 any ! ! Rule 1 (global) ! for #1942 ! using custom service access-list inside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080 access-list outside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080 ! ! Rule 2 (global) ! for #1942 ! using custom service access-list inside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080 access-list outside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080 access-list inside_acl_in deny tcp any object hostA:eth0.0 eq 3128 access-list outside_acl_in deny tcp any object hostA:eth0.0 eq 3128 ! ! Rule 3 (global) access-list inside_acl_in deny ip any any access-list outside_acl_in deny ip any any access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) nat (inside,outside) source dynamic Internal_net.0 interface service http.0 http.0 description "0 (NAT)" ! ! Rule 1 (NAT) nat (inside,outside) source static hostA:eth0.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 spamhost1.0 service smtp.0 smtp.0 description "1 (NAT)" ! ! Rule 2 (NAT) nat (inside,outside) source static hostA:eth0.0 interface service smtp.0 smtp.0 description "2 (NAT)" ! ! Rule 3 (NAT) nat (inside,outside) source dynamic id178211X29963.osrc.net.0 firewall90:FastEthernet1:ip-1.0 service smtp.0 smtp.0 description "3 (NAT)" ! ! Rule 4 (NAT) ! for #1928 ! note that group in OSrc includes another group nat (inside,outside) source dynamic id21353X4994.osrc.net.0 firewall90:FastEthernet1:ip-1.0 service smtp.0 smtp.0 description "4 (NAT)" ! ! 
Rule 5 (NAT) nat (inside,outside) source dynamic id20069X32406.osrc.net.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 spamhost1.0 service smtp.0 smtp.0 description "5 (NAT)" ! ! Rule 6 (NAT) nat (inside,outside) source static hostA:eth0.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 external_gw_1.0 service smtp.0 smtp.0 description "6 (NAT)" ! ! Rule 7 (NAT) ! For #1907 nat (inside,outside) source dynamic hostA:eth0.0 id130599X29063.tsrc.net.0 service smtp.0 smtp.0 description "7 (NAT)" ! ! Rule 8 (NAT) ! For #1907 nat (inside,outside) source dynamic hostA:eth0.0 id20720X27505.tsrc.net.0 interface service smtp.0 smtp.0 description "8 (NAT)" ! ! Rule 9 (NAT) ! For #1907 nat (inside,outside) source dynamic hostA:eth0.0 id241772X29764.tsrc.net.0 interface service smtp.0 smtp.0 description "9 (NAT)" ! ! Rule 10 (NAT) ! For #1907 nat (inside,outside) source static hostA:eth0.0 hostA:eth0.0 service smtp.0 smtp.0 description "10 (NAT)" ! ! Rule 11 (NAT) ! For #1907 nat (inside,outside) source dynamic hostA:eth0.0 id643092X27990.tsrc.net.0 interface service smtp.0 smtp.0 description "11 (NAT)" ! ! Rule 12 (NAT) ! for #1902 nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 dns description "12 (NAT)" ! ! Rule 13 (NAT) ! for #1902 ! can't use dns with destination matching or translation ! firewall90:NAT:13: error: Option 'translate dns' can not be used in combination with destination matching or translation nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 spamhost1.0 dns description "13 (NAT)" ! ! Rule 14 (NAT) ! for #1902 ! cant use dns with service translation either ! firewall90:NAT:14: error: Option 'translate dns' can not be used in combination with service matching or translation nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 service smtp.0 smtp.0 dns description "14 (NAT)" ! ! 
Rule 15 (NAT) ! for #1908 ! "static" vs "dynamic" nat (inside,outside) source static hostA:eth0.0 firewall90:FastEthernet1:ip-1.0 description "15 (NAT)" ! ! Rule 16 (NAT) ! for #1908 ! "static" vs "dynamic" nat (inside,outside) source dynamic hostA:eth0.0 id241772X29764.tsrc.net.0 description "16 (NAT)" ! ! Rule 17 (NAT) ! for #1908 "static" vs "dynamic" ! for #1885 "named object" - create ! for #1907 "multiple objects in TSrc" ! network object to define address range, then add it to object-group nat (inside,outside) source dynamic hostA:eth0.0 id21121X3710.tsrc.net.0 interface description "17 (NAT)" ! ! Rule 18 (NAT) ! for #1908, #1916 "static" vs "dynamic" ! for #1907 "multiple objects in TSrc" nat (inside,outside) source dynamic hostA:eth0.0 id21177X3720.tsrc.net.0 interface description "18 (NAT)" ! ! Rule 19 (NAT) ! for #1908 ! "static" vs "dynamic" ! firewall90:NAT:19: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. nat (outside,outside) source dynamic id241772X29764.tsrc.net.0 firewall90:FastEthernet1:ip-1.0 description "19 (NAT)" ! ! Rule 20 (NAT) ! for #1908 ! "static" vs "dynamic" nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 description "20 (NAT)" ! ! Rule 21 (NAT) ! for #1908 ! "static" vs "dynamic" nat (inside,outside) source static internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 description "21 (NAT)" ! ! Rule 22 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 squid.0 description "22 (NAT)" ! ! Rule 23 (NAT) ! 
multiple objects in OSrc, ODst, OSrv and TSrc in various combinations nat (inside,outside) source dynamic id178211X29963.osrc.net.0 id77971X5929.tsrc.net.0 interface destination static id77971X5929.odst.net.0 id77971X5929.odst.net.0 service smtp.0 smtp.0 description "23 (NAT)" nat (inside,outside) source dynamic id178211X29963.osrc.net.0 id77971X5929.tsrc.net.1 interface destination static id77971X5929.odst.net.0 id77971X5929.odst.net.0 service smtps.0 smtps.0 description "23 (NAT)" ! ! Rule 25 (NAT) ! for #1916 ! "static" vs "dynamic" when TSrc is subnet nat (inside,outside) source static internal_subnet_1.0 ext_subnet-192.0 description "25 (NAT)" ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall91.fw.orig000077500000000000000000000106571303637203600205630ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.0.3557 ! ! Generated Wed Jul 6 17:49:22 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall91.fw ! ! testing new style ASA 8.3 nat commands ! DNAT rules ! N firewall91:NAT:8: error: Can not translate multiple services into one service in one rule. ! N firewall91:NAT:9: error: Translated service should be 'Original' or should contain single object. ! N firewall91:NAT:13: error: Oiginal destination can not be "any" in rules that translate destination ! N firewall91:NAT:14: error: Oiginal destination can not be "any" in rules that translate destination ! N firewall91:NAT:15: error: Oiginal destination can not be "any" in rules that translate destination ! N firewall91:NAT:16: error: Oiginal destination can not be "any" in rules that translate destination ! ! Prolog script: ! ! ! End of prolog script: ! 
interface FastEthernet0 nameif inside security-level 100 exit interface FastEthernet1 nameif outside security-level 0 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global policy-map type inspect ip-options ip-options-map parameters eool action allow router-alert action clear !################ clear xlate clear config nat clear config access-list clear config icmp clear config telnet clear config object object service http.0 service tcp destination eq 80 exit object service https.0 service tcp destination eq 443 exit object service squid.0 service tcp destination eq 3128 exit object network external_gw2.0 host 22.22.22.100 exit object network hostA:eth0.0 host 192.168.1.10 exit object network internal_subnet_1.0 subnet 192.168.1.0 255.255.255.192 exit object network test_range_1.0 range 192.168.1.11 192.168.1.15 exit object network outside_range.0 range 22.22.22.21 22.22.22.25 exit ! ! Rule 0 (global) access-list inside_acl_in deny ip any any access-list outside_acl_in deny ip any any access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 description "0 (NAT)" ! ! Rule 1 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 description "1 (NAT)" ! ! 
Rule 2 (NAT) nat (outside,inside) source static any any destination static external_gw2.0 hostA:eth0.0 description "2 (NAT)" ! ! Rule 3 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "3 (NAT)" ! ! Rule 4 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "4 (NAT)" ! ! Rule 5 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 squid.0 description "5 (NAT)" ! ! Rule 6 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service https.0 https.0 description "6 (NAT)" ! ! Rule 7 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "7 (NAT)" ! ! Rule 10 (NAT) ! for #1941 nat (outside,inside) source static any any destination static outside_range.0 hostA:eth0.0 description "10 (NAT)" ! ! Rule 11 (NAT) ! for #1941 nat (inside,outside) source dynamic internal_subnet_1.0 interface destination static outside_range.0 hostA:eth0.0 description "11 (NAT)" ! ! Rule 12 (NAT) ! translating one range into another. nat (outside,inside) source static any any destination static outside_range.0 test_range_1.0 description "12 (NAT)" ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall92.fw.orig000077500000000000000000000064211303637203600205560ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:13 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall92.fw ! ! testing new style ASA 8.3 nat commands ! no-nat rules ("identity nat") ! ! Prolog script: ! ! ! End of prolog script: ! 
interface FastEthernet0 nameif inside security-level 100 exit interface FastEthernet1 nameif outside security-level 0 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global policy-map type inspect ip-options ip-options-map parameters eool action allow router-alert action clear !################ clear xlate clear config nat clear config access-list clear config icmp clear config telnet clear config object-group clear config object object service http.0 service tcp destination eq 80 exit object service smtp.0 service tcp destination eq 25 exit object network spamhost1.0 host 61.150.47.112 exit object network hostA:eth0.0 host 192.168.1.10 exit object network Internal_net.0 subnet 192.168.1.0 255.255.255.0 exit object network internal_subnet_1.0 subnet 192.168.1.0 255.255.255.192 exit object network internal_subnet_2.0 subnet 192.168.1.64 255.255.255.192 exit object network test_range_1.0 range 192.168.1.11 192.168.1.15 exit object-group network id20655X6113.osrc.net.0 network-object object internal_subnet_1.0 network-object object internal_subnet_2.0 exit object-group network id20600X6113.osrc.net.0 network-object object test_range_1.0 exit ! ! Rule 0 (global) access-list inside_acl_in deny ip any any access-list outside_acl_in deny ip any any access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! 
Rule 0 (NAT) nat (inside,outside) source static Internal_net.0 Internal_net.0 service http.0 http.0 description "0 (NAT)" ! ! Rule 1 (NAT) nat (inside,outside) source static hostA:eth0.0 hostA:eth0.0 service smtp.0 smtp.0 description "1 (NAT)" ! ! Rule 2 (NAT) nat (inside,outside) source static hostA:eth0.0 hostA:eth0.0 destination static spamhost1.0 spamhost1.0 service smtp.0 smtp.0 description "2 (NAT)" ! ! Rule 3 (NAT) nat (inside,outside) source static id20655X6113.osrc.net.0 id20655X6113.osrc.net.0 service smtp.0 smtp.0 description "3 (NAT)" ! ! Rule 4 (NAT) nat (inside,outside) source static id20600X6113.osrc.net.0 id20600X6113.osrc.net.0 destination static spamhost1.0 spamhost1.0 service smtp.0 smtp.0 description "4 (NAT)" ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall93.fw.orig000077500000000000000000000037551303637203600205660ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:13 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall93.fw ! ! test for #1949 ! split NAT rule by OSrc to make sure objects in OSrc match network zones of ! inetrfaces ! ! Prolog script: ! ! ! End of prolog script: ! 
interface Ethernet0/0 nameif outside security-level 0 exit interface Ethernet0/1 nameif inside security-level 100 exit interface Ethernet0/2 nameif dmz security-level 10 exit no logging buffered no logging console no logging timestamp no logging on timeout xlate 0:0:30 timeout conn 0:0:0 timeout udp 0:0:0 timeout sunrpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global clear xlate clear config nat clear config object-group clear config object object network dmz-range-1.0 range 172.16.0.10 172.16.0.15 exit object network inside-range-1.0 range 10.0.0.1 10.0.0.5 exit object-group network id26270X5313.osrc.net.0 network-object object inside-range-1.0 exit object-group network id26270X5313.osrc.net.1 network-object object dmz-range-1.0 exit ! ! Rule 0 (NAT) nat (inside,outside) source dynamic id26270X5313.osrc.net.0 interface description "0 (NAT)" nat (dmz,outside) source dynamic id26270X5313.osrc.net.1 interface description "0 (NAT)" ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/firewall94.fw.orig000077500000000000000000000033011303637203600205520ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:13 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * firewall94.fw ! ! test using address ranges in policy rule ! ! Prolog script: ! ! ! 
End of prolog script: ! interface Ethernet0/0 nameif outside security-level 0 exit interface Ethernet0/1 nameif inside security-level 100 exit no logging buffered no logging console no logging timestamp no logging on telnet timeout -1 clear config ssh aaa authentication ssh console LOCAL ssh timeout -1 clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy service-policy global_policy global !################ clear config access-list clear config icmp clear config telnet clear config object-group clear config object object network inside-range-1.0 range 10.0.0.5 10.0.0.10 exit object network inside-range-2.0 range 10.0.0.8 10.0.0.15 exit object-group network id26782X14355.src.net.0 network-object object inside-range-1.0 network-object object inside-range-2.0 exit ! ! Rule 0 (global) access-list inside_acl_in remark 0 (global) access-list inside_acl_in deny ip object-group id26782X14355.src.net.0 any log 6 interval 300 access-group inside_acl_in in interface inside ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/fwsm1.fw.orig000077500000000000000000000315041303637203600176330ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:14 2011 PDT by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * fwsm1.fw ! ! C fwsm1:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)' below it ! C fwsm1:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! 
C fwsm1:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule ! ! Prolog script: ! ! ! End of prolog script: ! hostname fwsm1 nameif ethernet1 outside security0 nameif ethernet0 inside security100 nameif ethernet2 dmz security50 logging host inside 192.168.1.30 logging queue 512 logging facility 16 logging trap 0 no logging buffered no logging console no logging timestamp logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout rpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 clear ssh aaa authentication ssh console LOCAL ssh timeout 5 clear snmp-server snmp-server community public snmp-server enable traps snmp-server host inside 192.168.1.20 poll snmp-server host inside 192.168.1.22 trap no service resetinbound no service resetoutside sysopt connection tcpmss 1380 sysopt nodnsalias inbound sysopt nodnsalias outbound floodguard disable fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 !################ access-list mode auto clear access-list tmp_acl access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any access-list tmp_acl deny ip any any access-group tmp_acl in interface outside access-group tmp_acl in interface inside access-group tmp_acl in interface dmz clear xlate clear static clear global clear nat clear access-list dmz_acl_in clear access-list inside_acl_in clear access-list outside_acl_in clear icmp clear telnet clear object-group object-group network id444A03DE9567.dst.net.0 network-object host 211.11.11.11 network-object host 211.22.22.22 exit object-group service id444A03DE9567.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 
port-object eq 143 port-object eq 25 port-object eq 22 port-object eq 540 exit object-group icmp-type id444A04039567.srv.icmp.0 icmp-object 3 icmp-object 0 icmp-object 11 exit object-group service id444A040F9567.srv.tcp.0 tcp port-object eq 70 port-object eq 6667 port-object eq 3128 port-object eq 23 exit object-group service id444A040F9567.srv.udp.0 udp port-object eq 53 port-object eq 161 exit object-group network id444A04349567.dst.net.0 network-object host 192.168.1.10 network-object host 192.168.1.20 exit object-group network id444A04429567.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id444A044E9567.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id444A04679567.dst.net.0 network-object host 192.168.1.11 network-object host 192.168.1.12 network-object host 192.168.1.13 network-object host 192.168.1.14 network-object host 192.168.1.15 exit object-group service id444A04679567.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 25 port-object eq 3128 port-object eq 22 port-object eq 540 exit object-group network id444A04749567.dst.net.0 network-object 192.168.1.11 255.255.255.255 network-object 192.168.1.12 255.255.255.252 exit object-group service id444A04819567.srv.tcp.0 tcp port-object eq 113 port-object eq 13 port-object eq 53 port-object eq 2105 port-object eq 21 port-object eq 70 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 993 port-object eq 6667 port-object eq 6667 port-object eq 543 port-object eq 544 port-object eq 389 port-object eq 98 port-object eq 3306 port-object eq 2049 port-object eq 119 port-object eq 110 port-object eq 5432 port-object eq 515 port-object eq 26000 port-object eq 512 port-object eq 513 port-object eq 514 port-object eq 4321 port-object eq 25 port-object eq 465 port-object eq 1080 port-object eq 
3128 port-object eq 22 port-object eq 111 port-object eq 23 port-object range 10000 11000 port-object eq 540 port-object eq 7100 exit ! ! Rule 2 (ethernet1) icmp permit any 3 outside access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list outside_acl_in permit icmp any any 3 ! ! Rule 3 (ethernet1) ! anti-spoofing rule ! fwsm1:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 4 (ethernet0) ssh 192.168.1.0 255.255.255.0 inside ! ! Rule 5 (ethernet0) access-list inside_acl_in permit tcp any object-group id444A03DE9567.dst.net.0 object-group id444A03DE9567.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id444A03DE9567.dst.net.0 object-group id444A03DE9567.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id444A03DE9567.dst.net.0 object-group id444A03DE9567.srv.tcp.0 ! ! Rule 6 (ethernet0) access-list inside_acl_in deny ip any host 192.168.1.255 ! ! Rule 8 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id444A04039567.srv.icmp.0 access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id444A04039567.srv.icmp.0 access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group id444A04039567.srv.icmp.0 ! ! 
Rule 9 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 access-list inside_acl_in permit icmp any host 192.168.1.10 access-list dmz_acl_in permit icmp any host 192.168.1.10 access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id444A040F9567.srv.tcp.0 access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id444A040F9567.srv.tcp.0 access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group id444A040F9567.srv.tcp.0 access-list outside_acl_in permit udp any host 192.168.1.10 object-group id444A040F9567.srv.udp.0 access-list inside_acl_in permit udp any host 192.168.1.10 object-group id444A040F9567.srv.udp.0 access-list dmz_acl_in permit udp any host 192.168.1.10 object-group id444A040F9567.srv.udp.0 access-list outside_acl_in permit 47 any host 192.168.1.10 access-list inside_acl_in permit 47 any host 192.168.1.10 access-list dmz_acl_in permit 47 any host 192.168.1.10 ! ! Rule 10 (global) access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300 icmp permit any 3 inside access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300 icmp permit any 3 dmz access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300 access-list outside_acl_in permit icmp any any 3 log 0 interval 300 access-list inside_acl_in permit icmp any any 3 log 0 interval 300 access-list dmz_acl_in permit icmp any any 3 log 0 interval 300 access-list outside_acl_in permit 47 any any log 0 interval 300 access-list inside_acl_in permit 47 any any log 0 interval 300 access-list dmz_acl_in permit 47 any any log 0 interval 300 access-list outside_acl_in permit 50 any any log 0 interval 300 access-list inside_acl_in permit 50 any any log 0 interval 300 access-list dmz_acl_in permit 50 any any log 0 interval 300 ! ! Rule 12 (global) access-list outside_acl_in permit ip object-group id444A03DE9567.dst.net.0 object-group id444A04349567.dst.net.0 ! ! Rule 13 (global) ! 
fwsm1:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule access-list inside_acl_in permit tcp host 192.168.1.10 object-group id444A04429567.dst.net.0 eq 3128 ! ! Rule 14 (global) access-list outside_acl_in permit tcp any object-group id444A044E9567.dst.net.0 eq 3128 access-list inside_acl_in permit tcp any object-group id444A044E9567.dst.net.0 eq 3128 access-list dmz_acl_in permit tcp any object-group id444A044E9567.dst.net.0 eq 3128 ! ! Rule 15 (global) ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh 0.0.0.0 0.0.0.0 dmz access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 ! ! Rule 16 (global) access-list outside_acl_in permit tcp any object-group id444A04679567.dst.net.0 object-group id444A04679567.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id444A04679567.dst.net.0 object-group id444A04679567.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id444A04679567.dst.net.0 object-group id444A04679567.srv.tcp.0 ! ! Rule 17 (global) access-list outside_acl_in permit tcp any object-group id444A04749567.dst.net.0 object-group id444A04679567.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id444A04749567.dst.net.0 object-group id444A04679567.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id444A04749567.dst.net.0 object-group id444A04679567.srv.tcp.0 ! ! Rule 18 (global) ! fwsm1:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)' below it access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id444A04819567.srv.tcp.0 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id444A04819567.srv.tcp.0 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id444A04819567.srv.tcp.0 ! ! Rule 19 (global) ! objects hostA and hostB are ! 
redundant and should be removed by ! removeRedundantAddressesFromDst access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 ! ! Rule 20 (global) access-list outside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list inside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list dmz_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 ! ! Rule 23 (global) access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300 access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300 access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300 ! ! Rule 24 (global) access-list outside_acl_in permit ip host 22.22.22.22 any access-list inside_acl_in permit ip host 192.168.1.1 any access-list dmz_acl_in permit ip host 192.168.2.1 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 25 (global) access-list outside_acl_in deny ip any any log 0 interval 300 access-list inside_acl_in deny ip any any log 0 interval 300 access-list dmz_acl_in deny ip any any log 0 interval 300 access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface nat (inside) 1 192.168.1.0 255.255.255.0 0 0 global (dmz) 1 interface ! ! ! Rule 1 (NAT) nat (dmz) 1 0.0.0.0 0.0.0.0 0 0 ! ! Rule 2 (NAT) nat (inside) 1 0.0.0.0 0.0.0.0 0 0 ! ! ! Rule 3 (NAT) global (outside) 1 22.22.22.0 netmask 255.255.255.0 ! ! ! Rule 4 (NAT) global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0 ! ! ! Rule 5 (NAT) static (inside,outside) tcp interface 25 192.168.1.10 25 0 0 ! ! Rule 6 (NAT) global (inside) 8 interface nat (dmz) 8 192.168.2.0 255.255.255.0 outside ! ! 
Rule 7 (NAT) clear access-list nat0.inside access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 0 access-list nat0.inside ! ! Rule 8 (NAT) access-list nat0.inside permit ip host 192.168.1.11 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.12 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.13 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.14 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.15 192.168.2.0 255.255.255.0 ! ! Rule 9 (NAT) nat (dmz) 0 0 0 ! ! Rule 10 (NAT) static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ! ! Rule 11 (NAT) static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/fwsm2.fw.orig000077500000000000000000000317341303637203600176410ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:15 2011 PDT by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * fwsm2.fw ! ! C fwsm2:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)' below it ! C fwsm2:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C fwsm2:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule ! ! Prolog script: ! ! ! End of prolog script: ! 
hostname fwsm2 interface ethernet1 nameif outside security-level 0 exit interface ethernet0 nameif inside security-level 100 exit interface ethernet2 nameif dmz security-level 50 exit logging host inside 192.168.1.30 logging queue 512 logging facility 16 logging trap 0 no logging buffered no logging console no logging timestamp logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 clear config ssh aaa authentication ssh console LOCAL ssh timeout 5 clear config snmp-server snmp-server community public snmp-server enable traps snmp-server host inside 192.168.1.20 poll snmp-server host inside 192.168.1.22 trap no service resetinbound sysopt connection tcpmss 1380 sysopt nodnsalias inbound sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect ils inspect rsh inspect rtsp inspect sip inspect skinny inspect esmtp inspect sqlnet service-policy global_policy global !################ access-list mode auto clear config access-list tmp_acl access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any access-list tmp_acl deny ip any any access-group tmp_acl in interface outside access-group tmp_acl in interface inside access-group tmp_acl in interface dmz clear xlate clear config static clear config global clear config nat clear config access-list dmz_acl_in clear config access-list inside_acl_in clear config access-list outside_acl_in clear config icmp clear config telnet clear config object-group object-group network id17298X54624.dst.net.0 network-object host 211.11.11.11 network-object host 211.22.22.22 exit object-group service id17298X54624.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 25 
port-object eq 22 port-object eq 540 exit object-group icmp-type id17335X54624.srv.icmp.0 icmp-object 3 icmp-object 0 icmp-object 11 exit object-group service id17347X54624.srv.tcp.0 tcp port-object eq 70 port-object eq 6667 port-object eq 3128 port-object eq 23 exit object-group service id17347X54624.srv.udp.0 udp port-object eq 53 port-object eq 161 exit object-group network id17384X54624.dst.net.0 network-object host 192.168.1.10 network-object host 192.168.1.20 exit object-group network id17398X54624.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id17410X54624.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id17435X54624.dst.net.0 network-object host 192.168.1.11 network-object host 192.168.1.12 network-object host 192.168.1.13 network-object host 192.168.1.14 network-object host 192.168.1.15 exit object-group service id17435X54624.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 25 port-object eq 3128 port-object eq 22 port-object eq 540 exit object-group network id17448X54624.dst.net.0 network-object 192.168.1.11 255.255.255.255 network-object 192.168.1.12 255.255.255.252 exit object-group service id17461X54624.srv.tcp.0 tcp port-object eq 113 port-object eq 13 port-object eq 53 port-object eq 2105 port-object eq 21 port-object eq 70 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 993 port-object eq 6667 port-object eq 6667 port-object eq 543 port-object eq 544 port-object eq 389 port-object eq 98 port-object eq 3306 port-object eq 2049 port-object eq 119 port-object eq 110 port-object eq 5432 port-object eq 515 port-object eq 26000 port-object eq 512 port-object eq 513 port-object eq 514 port-object eq 4321 port-object eq 25 port-object eq 465 port-object eq 1080 port-object eq 3128 port-object eq 22 port-object eq 111 
port-object eq 23 port-object range 10000 11000 port-object eq 540 port-object eq 7100 exit ! ! Rule 2 (ethernet1) icmp permit any 3 outside access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list outside_acl_in permit icmp any any 3 ! ! Rule 3 (ethernet1) ! anti-spoofing rule ! fwsm2:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 4 (ethernet0) ssh 192.168.1.0 255.255.255.0 inside ! ! Rule 5 (ethernet0) access-list inside_acl_in permit tcp any object-group id17298X54624.dst.net.0 object-group id17298X54624.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id17298X54624.dst.net.0 object-group id17298X54624.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id17298X54624.dst.net.0 object-group id17298X54624.srv.tcp.0 ! ! Rule 6 (ethernet0) access-list inside_acl_in deny ip any host 192.168.1.255 ! ! Rule 8 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id17335X54624.srv.icmp.0 access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id17335X54624.srv.icmp.0 access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group id17335X54624.srv.icmp.0 ! ! 
Rule 9 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 access-list inside_acl_in permit icmp any host 192.168.1.10 access-list dmz_acl_in permit icmp any host 192.168.1.10 access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id17347X54624.srv.tcp.0 access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id17347X54624.srv.tcp.0 access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group id17347X54624.srv.tcp.0 access-list outside_acl_in permit udp any host 192.168.1.10 object-group id17347X54624.srv.udp.0 access-list inside_acl_in permit udp any host 192.168.1.10 object-group id17347X54624.srv.udp.0 access-list dmz_acl_in permit udp any host 192.168.1.10 object-group id17347X54624.srv.udp.0 access-list outside_acl_in permit 47 any host 192.168.1.10 access-list inside_acl_in permit 47 any host 192.168.1.10 access-list dmz_acl_in permit 47 any host 192.168.1.10 ! ! Rule 10 (global) access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300 icmp permit any 3 inside access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300 icmp permit any 3 dmz access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300 access-list outside_acl_in permit icmp any any 3 log 0 interval 300 access-list inside_acl_in permit icmp any any 3 log 0 interval 300 access-list dmz_acl_in permit icmp any any 3 log 0 interval 300 access-list outside_acl_in permit 47 any any log 0 interval 300 access-list inside_acl_in permit 47 any any log 0 interval 300 access-list dmz_acl_in permit 47 any any log 0 interval 300 access-list outside_acl_in permit 50 any any log 0 interval 300 access-list inside_acl_in permit 50 any any log 0 interval 300 access-list dmz_acl_in permit 50 any any log 0 interval 300 ! ! Rule 12 (global) access-list outside_acl_in permit ip object-group id17298X54624.dst.net.0 object-group id17384X54624.dst.net.0 ! ! Rule 13 (global) ! 
fwsm2:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule access-list inside_acl_in permit tcp host 192.168.1.10 object-group id17398X54624.dst.net.0 eq 3128 ! ! Rule 14 (global) access-list outside_acl_in permit tcp any object-group id17410X54624.dst.net.0 eq 3128 access-list inside_acl_in permit tcp any object-group id17410X54624.dst.net.0 eq 3128 access-list dmz_acl_in permit tcp any object-group id17410X54624.dst.net.0 eq 3128 ! ! Rule 15 (global) ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh 0.0.0.0 0.0.0.0 dmz access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 ! ! Rule 16 (global) access-list outside_acl_in permit tcp any object-group id17435X54624.dst.net.0 object-group id17435X54624.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id17435X54624.dst.net.0 object-group id17435X54624.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id17435X54624.dst.net.0 object-group id17435X54624.srv.tcp.0 ! ! Rule 17 (global) access-list outside_acl_in permit tcp any object-group id17448X54624.dst.net.0 object-group id17435X54624.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id17448X54624.dst.net.0 object-group id17435X54624.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id17448X54624.dst.net.0 object-group id17435X54624.srv.tcp.0 ! ! Rule 18 (global) ! fwsm2:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)' below it access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id17461X54624.srv.tcp.0 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id17461X54624.srv.tcp.0 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id17461X54624.srv.tcp.0 ! ! Rule 19 (global) ! objects hostA and hostB are ! 
redundant and should be removed by ! removeRedundantAddressesFromDst access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 ! ! Rule 20 (global) access-list outside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list inside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list dmz_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 ! ! Rule 23 (global) access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300 access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300 access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300 ! ! Rule 24 (global) access-list outside_acl_in permit ip host 22.22.22.22 any access-list inside_acl_in permit ip host 192.168.1.1 any access-list dmz_acl_in permit ip host 192.168.2.1 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 25 (global) access-list outside_acl_in deny ip any any log 0 interval 300 access-list inside_acl_in deny ip any any log 0 interval 300 access-list dmz_acl_in deny ip any any log 0 interval 300 access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface nat (inside) 1 192.168.1.0 255.255.255.0 0 0 global (dmz) 1 interface ! ! ! Rule 1 (NAT) nat (dmz) 1 0.0.0.0 0.0.0.0 0 0 ! ! Rule 2 (NAT) nat (inside) 1 0.0.0.0 0.0.0.0 0 0 ! ! ! Rule 3 (NAT) global (outside) 1 22.22.22.0 netmask 255.255.255.0 ! ! ! Rule 4 (NAT) global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0 ! ! ! Rule 5 (NAT) static (inside,outside) tcp interface 25 192.168.1.10 25 0 0 ! ! Rule 6 (NAT) global (inside) 8 interface nat (dmz) 8 192.168.2.0 255.255.255.0 outside ! ! 
Rule 7 (NAT) clear config access-list nat0.inside access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 0 access-list nat0.inside ! ! Rule 8 (NAT) access-list nat0.inside permit ip host 192.168.1.11 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.12 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.13 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.14 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.15 192.168.2.0 255.255.255.0 ! ! Rule 9 (NAT) nat (dmz) 0 0 0 ! ! Rule 10 (NAT) static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ! ! Rule 11 (NAT) static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/fwsm3.fw.orig000077500000000000000000000315741303637203600176440ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:15 2011 PDT by vadim ! ! Compiled for fwsm 3.2 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * fwsm3.fw ! ! C fwsm3:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)' below it ! C fwsm3:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings ! C fwsm3:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule ! ! Prolog script: ! ! ! End of prolog script: ! 
hostname fwsm3 interface ethernet1 nameif outside security-level 0 exit interface ethernet0 nameif inside security-level 100 exit interface ethernet2 nameif dmz security-level 50 exit logging host inside 192.168.1.30 logging queue 512 logging facility 16 logging trap 0 no logging buffered no logging console no logging timestamp logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 clear config ssh aaa authentication ssh console LOCAL ssh timeout 5 clear config snmp-server snmp-server community public snmp-server enable traps snmp-server host inside 192.168.1.20 poll snmp-server host inside 192.168.1.22 trap no service resetinbound sysopt connection tcpmss 1380 sysopt nodnsalias inbound sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect ils inspect rsh inspect rtsp inspect sip inspect skinny inspect esmtp inspect sqlnet service-policy global_policy global !################ access-list mode auto clear config access-list tmp_acl access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any access-list tmp_acl deny ip any any access-group tmp_acl in interface outside access-group tmp_acl in interface inside access-group tmp_acl in interface dmz clear xlate clear config static clear config global clear config nat clear config access-list dmz_acl_in clear config access-list inside_acl_in clear config access-list outside_acl_in clear config icmp clear config telnet clear config object-group object-group network id37010X447.dst.net.0 network-object host 211.11.11.11 network-object host 211.22.22.22 exit object-group service id37010X447.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 25 port-object eq 
22 port-object eq 540 exit object-group icmp-type id37094X447.srv.icmp.0 icmp-object 3 icmp-object 0 icmp-object 11 exit object-group service id37122X447.srv.tcp.0 tcp port-object eq 70 port-object eq 6667 port-object eq 3128 port-object eq 23 exit object-group service id37122X447.srv.udp.0 udp port-object eq 53 port-object eq 161 exit object-group network id37207X447.dst.net.0 network-object host 192.168.1.10 network-object host 192.168.1.20 exit object-group network id37237X447.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id37265X447.dst.net.0 network-object 192.168.1.250 255.255.255.254 network-object 192.168.1.252 255.255.255.252 exit object-group network id37322X447.dst.net.0 network-object host 192.168.1.11 network-object host 192.168.1.12 network-object host 192.168.1.13 network-object host 192.168.1.14 network-object host 192.168.1.15 exit object-group service id37322X447.srv.tcp.0 tcp port-object eq 113 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 25 port-object eq 3128 port-object eq 22 port-object eq 540 exit object-group network id37351X447.dst.net.0 network-object 192.168.1.11 255.255.255.255 network-object 192.168.1.12 255.255.255.252 exit object-group service id37380X447.srv.tcp.0 tcp port-object eq 113 port-object eq 13 port-object eq 53 port-object eq 2105 port-object eq 21 port-object eq 70 port-object eq 80 port-object eq 443 port-object eq 143 port-object eq 993 port-object eq 6667 port-object eq 6667 port-object eq 543 port-object eq 544 port-object eq 389 port-object eq 98 port-object eq 3306 port-object eq 2049 port-object eq 119 port-object eq 110 port-object eq 5432 port-object eq 515 port-object eq 26000 port-object eq 512 port-object eq 513 port-object eq 514 port-object eq 4321 port-object eq 25 port-object eq 465 port-object eq 1080 port-object eq 3128 port-object eq 22 port-object eq 111 port-object eq 23 port-object range 10000 
11000 port-object eq 540 port-object eq 7100 exit ! ! Rule 2 (ethernet1) icmp permit any 3 outside access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list outside_acl_in permit icmp any any 3 ! ! Rule 3 (ethernet1) ! anti-spoofing rule ! fwsm3:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 4 (ethernet0) ssh 192.168.1.0 255.255.255.0 inside ! ! Rule 5 (ethernet0) access-list inside_acl_in permit tcp any object-group id37010X447.dst.net.0 object-group id37010X447.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id37010X447.dst.net.0 object-group id37010X447.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id37010X447.dst.net.0 object-group id37010X447.srv.tcp.0 ! ! Rule 6 (ethernet0) access-list inside_acl_in deny ip any host 192.168.1.255 ! ! Rule 8 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id37094X447.srv.icmp.0 access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id37094X447.srv.icmp.0 access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group id37094X447.srv.icmp.0 ! ! 
Rule 9 (global) access-list outside_acl_in permit icmp any host 192.168.1.10 access-list inside_acl_in permit icmp any host 192.168.1.10 access-list dmz_acl_in permit icmp any host 192.168.1.10 access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id37122X447.srv.tcp.0 access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id37122X447.srv.tcp.0 access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group id37122X447.srv.tcp.0 access-list outside_acl_in permit udp any host 192.168.1.10 object-group id37122X447.srv.udp.0 access-list inside_acl_in permit udp any host 192.168.1.10 object-group id37122X447.srv.udp.0 access-list dmz_acl_in permit udp any host 192.168.1.10 object-group id37122X447.srv.udp.0 access-list outside_acl_in permit 47 any host 192.168.1.10 access-list inside_acl_in permit 47 any host 192.168.1.10 access-list dmz_acl_in permit 47 any host 192.168.1.10 ! ! Rule 10 (global) access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300 icmp permit any 3 inside access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300 icmp permit any 3 dmz access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300 access-list outside_acl_in permit icmp any any 3 log 0 interval 300 access-list inside_acl_in permit icmp any any 3 log 0 interval 300 access-list dmz_acl_in permit icmp any any 3 log 0 interval 300 access-list outside_acl_in permit 47 any any log 0 interval 300 access-list inside_acl_in permit 47 any any log 0 interval 300 access-list dmz_acl_in permit 47 any any log 0 interval 300 access-list outside_acl_in permit 50 any any log 0 interval 300 access-list inside_acl_in permit 50 any any log 0 interval 300 access-list dmz_acl_in permit 50 any any log 0 interval 300 ! ! Rule 12 (global) access-list outside_acl_in permit ip object-group id37010X447.dst.net.0 object-group id37207X447.dst.net.0 ! ! Rule 13 (global) ! 
fwsm3:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule access-list inside_acl_in permit tcp host 192.168.1.10 object-group id37237X447.dst.net.0 eq 3128 ! ! Rule 14 (global) access-list outside_acl_in permit tcp any object-group id37265X447.dst.net.0 eq 3128 access-list inside_acl_in permit tcp any object-group id37265X447.dst.net.0 eq 3128 access-list dmz_acl_in permit tcp any object-group id37265X447.dst.net.0 eq 3128 ! ! Rule 15 (global) ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh 0.0.0.0 0.0.0.0 dmz access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 ! ! Rule 16 (global) access-list outside_acl_in permit tcp any object-group id37322X447.dst.net.0 object-group id37322X447.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id37322X447.dst.net.0 object-group id37322X447.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id37322X447.dst.net.0 object-group id37322X447.srv.tcp.0 ! ! Rule 17 (global) access-list outside_acl_in permit tcp any object-group id37351X447.dst.net.0 object-group id37322X447.srv.tcp.0 access-list inside_acl_in permit tcp any object-group id37351X447.dst.net.0 object-group id37322X447.srv.tcp.0 access-list dmz_acl_in permit tcp any object-group id37351X447.dst.net.0 object-group id37322X447.srv.tcp.0 ! ! Rule 18 (global) ! fwsm3:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)' below it access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id37380X447.srv.tcp.0 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id37380X447.srv.tcp.0 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id37380X447.srv.tcp.0 ! ! Rule 19 (global) ! objects hostA and hostB are ! redundant and should be removed by ! 
removeRedundantAddressesFromDst access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 ! ! Rule 20 (global) access-list outside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list inside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 access-list dmz_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 ! ! Rule 23 (global) access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300 access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300 access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300 ! ! Rule 24 (global) access-list outside_acl_in permit ip host 22.22.22.22 any access-list inside_acl_in permit ip host 192.168.1.1 any access-list dmz_acl_in permit ip host 192.168.2.1 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 25 (global) access-list outside_acl_in deny ip any any log 0 interval 300 access-list inside_acl_in deny ip any any log 0 interval 300 access-list dmz_acl_in deny ip any any log 0 interval 300 access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface nat (inside) 1 192.168.1.0 255.255.255.0 0 0 global (dmz) 1 interface ! ! ! Rule 1 (NAT) nat (dmz) 1 0.0.0.0 0.0.0.0 0 0 ! ! Rule 2 (NAT) nat (inside) 1 0.0.0.0 0.0.0.0 0 0 ! ! ! Rule 3 (NAT) global (outside) 1 22.22.22.0 netmask 255.255.255.0 ! ! ! Rule 4 (NAT) global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0 ! ! ! Rule 5 (NAT) static (inside,outside) tcp interface 25 192.168.1.10 25 0 0 ! ! Rule 6 (NAT) global (inside) 8 interface nat (dmz) 8 192.168.2.0 255.255.255.0 outside ! ! 
Rule 7 (NAT) clear config access-list nat0.inside access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 nat (inside) 0 access-list nat0.inside ! ! Rule 8 (NAT) access-list nat0.inside permit ip host 192.168.1.11 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.12 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.13 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.14 192.168.2.0 255.255.255.0 access-list nat0.inside permit ip host 192.168.1.15 192.168.2.0 255.255.255.0 ! ! Rule 9 (NAT) nat (dmz) 0 0 0 ! ! Rule 10 (NAT) static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ! ! Rule 11 (NAT) static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/fwsm4.fw.orig000077500000000000000000000072031303637203600176350ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:15 2011 PDT by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * fwsm4.fw ! ! using manual commit mode ! ! Prolog script: ! ! ! End of prolog script: ! 
hostname fwsm4 interface ethernet1 nameif outside security-level 0 exit interface ethernet0 nameif inside security-level 100 exit interface ethernet2 nameif dmz security-level 50 exit logging host inside 192.168.1.30 logging queue 512 logging facility 16 logging trap 0 no logging buffered no logging console no logging timestamp logging on timeout xlate 3:0:0 timeout conn 1:0:0 timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute telnet timeout 5 clear config ssh aaa authentication ssh console LOCAL ssh timeout 5 clear config snmp-server snmp-server community public snmp-server enable traps snmp-server host inside 192.168.1.20 poll snmp-server host inside 192.168.1.22 trap no service resetinbound sysopt connection tcpmss 1380 sysopt nodnsalias inbound sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect ils inspect rsh inspect rtsp inspect sip inspect skinny inspect esmtp inspect sqlnet service-policy global_policy global !################ access-list mode manual clear config access-list tmp_acl access-list commit access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any access-list tmp_acl deny ip any any access-list commit access-group tmp_acl in interface outside access-group tmp_acl in interface inside access-group tmp_acl in interface dmz clear xlate clear config static clear config global clear config nat clear config access-list dmz_acl_in clear config access-list inside_acl_in clear config access-list outside_acl_in clear config icmp clear config telnet access-list commit clear config object-group object-group network id59803X13930.src.net.0 network-object 10.0.0.0 255.255.255.0 network-object 10.1.0.0 255.255.255.0 network-object 172.16.0.1 255.255.255.255 network-object 172.16.0.2 255.255.255.255 exit 
! ! Rule 1 (ethernet1) ! need this rule to generate at least one object group icmp permit 10.0.0.0 255.255.255.0 3 outside access-list outside_acl_in permit icmp 10.0.0.0 255.255.255.0 host 22.22.22.22 3 icmp permit 10.1.0.0 255.255.255.0 3 outside access-list outside_acl_in permit icmp 10.1.0.0 255.255.255.0 host 22.22.22.22 3 icmp permit host 172.16.0.1 3 outside access-list outside_acl_in permit icmp host 172.16.0.1 host 22.22.22.22 3 icmp permit host 172.16.0.2 3 outside access-list outside_acl_in permit icmp host 172.16.0.2 host 22.22.22.22 3 access-list outside_acl_in permit icmp object-group id59803X13930.src.net.0 any 3 ! ! Rule 2 (global) access-list outside_acl_in deny ip any any log 0 interval 300 access-list inside_acl_in deny ip any any log 0 interval 300 access-list dmz_acl_in deny ip any any log 0 interval 300 access-list commit access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface nat (inside) 1 192.168.1.0 255.255.255.0 0 0 global (dmz) 1 interface ! ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/networks-table-1.txt000066400000000000000000000000601303637203600211270ustar00rootroot0000000000000010.1.0.0/24 10.1.2.0/24 10.1.3.0/24 10.1.4.0/24 fwbuilder-5.3.7/test/pix/objects-for-regression-tests.fwb000066400000000000000000042166161303637203600235460ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk -m ip_conntrack_talk -m ip_nat_talk tcp destination neq 8080 neq 8080 fwbuilder-5.3.7/test/pix/pix515.fw.orig000077500000000000000000000103221303637203600176240ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! 
Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:16 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: yes ! !# files: * pix515.fw ! ! Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network. ! This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. ! Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall. ! ! Prolog script: ! ! ! End of prolog script: ! interface ethernet0 nameif outside security-level 0 exit interface ethernet1 nameif inside security-level 100 exit logging buffered 6 no logging console logging timestamp logging on logging device-id hostname timeout xlate 0:0:30 timeout conn 0:0:0 timeout udp 0:0:0 timeout sunrpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 clear config ssh aaa authentication ssh console LOCAL clear config snmp-server no snmp-server enable traps clear config ntp no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default service-policy global_policy global !################ clear config access-list tmp_acl access-list tmp_acl permit ip 10.3.14.42 255.255.255.255 any access-list tmp_acl deny ip any any access-group tmp_acl in interface outside access-group tmp_acl in interface inside clear xlate clear config static clear config global 
clear config nat clear config access-list inside_acl_in clear config access-list outside_acl_in clear config icmp clear config telnet ! ! Rule -1 backup ssh access rule (automatic) ssh 10.3.14.42 255.255.255.255 inside ! ! Rule 0 (global) ssh 10.3.14.0 255.255.255.0 inside access-list inside_acl_in remark 0 (global) access-list inside_acl_in permit tcp 10.3.14.0 255.255.255.0 host 10.3.14.206 eq 53 access-list inside_acl_in permit udp 10.3.14.0 255.255.255.0 host 10.3.14.206 eq 53 ! ! Rule 1 (global) access-list outside_acl_in remark 1 (global) access-list outside_acl_in permit tcp any host 192.168.1.1 eq 2525 access-list outside_acl_in permit tcp any host 10.3.14.50 eq 25 access-list inside_acl_in remark 1 (global) access-list inside_acl_in permit tcp any host 10.3.14.50 eq 25 ! ! Rule 3 (global) access-list outside_acl_in remark 3 (global) access-list outside_acl_in permit ip host 192.168.1.1 any access-list inside_acl_in remark 3 (global) access-list inside_acl_in permit ip host 10.3.14.206 any ! ! Rule 4 (global) access-list inside_acl_in remark 4 (global) access-list inside_acl_in permit ip 10.3.14.0 255.255.255.0 any ! ! Rule 5 (global) access-list outside_acl_in remark 5 (global) access-list outside_acl_in deny ip any any log 6 interval 300 access-list inside_acl_in remark 5 (global) access-list inside_acl_in deny ip any any log 6 interval 300 access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface clear config access-list id47B7A71421818.0 access-list id47B7A71421818.0 permit ip 10.3.14.0 255.255.255.0 any nat (inside) 1 access-list id47B7A71421818.0 tcp 0 0 ! ! Rule 1 (NAT) clear config access-list id47B7C22E21818.0 access-list id47B7C22E21818.0 permit tcp host 10.3.14.50 eq 25 any static (inside,outside) tcp interface 2525 access-list id47B7C22E21818.0 tcp 0 0 ! ! Rule 0 (main) ! ! "Routing rule 0 (main)" ! ! 
The default metric on PIX is 1, so the GUI default value of 0 becomes 1 in ! the compiled rules. ! route inside 192.168.10.0 255.255.255.0 10.3.14.254 1 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/quick-cmp.sh000077500000000000000000000007661303637203600175340ustar00rootroot00000000000000#!/bin/sh DIFFCMD="diff -C 5 -c -b -B -w -I \"! Generated\" -I 'Activating ' -I '! Firewall Builder fwb_pix v' -I 'Can not find file' -I '===='" SDIFFCMD="sdiff -b -B -W -I \"! Generated\" -I 'Activating ' -I '! Firewall Builder fwb_pix v' -I 'Can not find file' -I '===='" for f in $(ls *.fw.orig) do V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" new_f=$(echo $f | sed 's/.orig//') echo "$DIFFCMD $f $new_f" done fwbuilder-5.3.7/test/pix/real.fw.orig000077500000000000000000000054771303637203600175330ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:17 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * real.fw ! ! ! Prolog script: ! ! ! End of prolog script: ! 
hostname real nameif ethernet0 outside security0 ip address outside dhcp setroute retry 10 nameif ethernet1 inside security100 ip address inside 10.3.14.204 255.255.255.0 logging host inside 10.3.14.10 format emblem logging queue 1000 logging facility 16 logging trap 0 no logging buffered no logging console no logging timestamp logging on logging device-id string real_firewall timeout xlate 0:0:30 timeout conn 0:0:0 timeout udp 0:0:0 timeout rpc 0:0:0 timeout h323 0:0:0 timeout sip 0:0:0 timeout sip_media 0:0:0 timeout half-closed 0:0:0 timeout uauth 0:0:0 absolute telnet timeout 5 clear ssh aaa authentication ssh console LOCAL ssh timeout 5 clear snmp-server snmp-server community public snmp-server enable traps snmp-server host inside 10.3.14.40 poll clear ntp ntp server 10.3.14.30 source inside no service resetinbound no service resetoutside no sysopt connection timewait no sysopt nodnsalias inbound no sysopt nodnsalias outbound floodguard disable fixup protocol dns maximum-length 65535 fixup protocol ftp 21 fixup protocol http 80 fixup protocol icmp error !################ clear xlate clear static clear global clear nat clear access-list clear icmp clear telnet ! ! Rule 0 (global) access-list inside_acl_in remark 0 (global) access-list inside_acl_in permit ip 10.3.14.0 255.255.255.0 any ! ! Rule 1 (global) ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) icmp permit any 0 outside access-list outside_acl_in remark 2 (global) access-list outside_acl_in permit icmp any interface outside 0 icmp permit any 0 inside access-list inside_acl_in remark 2 (global) access-list inside_acl_in permit icmp any host 10.3.14.204 0 ! ! Rule 3 (global) access-list outside_acl_in remark 3 (global) access-list outside_acl_in permit tcp any host 10.3.14.30 eq 80 access-list inside_acl_in remark 3 (global) access-list inside_acl_in permit tcp any host 10.3.14.30 eq 80 ! ! 
Rule 4 (global) access-list outside_acl_in remark 4 (global) access-list outside_acl_in deny ip any any log 5 interval 120 access-list inside_acl_in remark 4 (global) access-list inside_acl_in deny ip any any log 5 interval 120 access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) global (outside) 1 interface access-list id3D385E43.0 permit ip 10.3.14.0 255.255.255.0 any nat (inside) 1 access-list id3D385E43.0 0 0 ! ! Epilog script: ! ! End of epilog script: ! fwbuilder-5.3.7/test/pix/recycle000077500000000000000000000000751303637203600166510ustar00rootroot00000000000000#!/bin/sh for f in *.fw; do j=${f}.orig mv $f $j done fwbuilder-5.3.7/test/pix/run.all000077500000000000000000000007651303637203600166040ustar00rootroot00000000000000#!/bin/sh XMLFILE="objects-for-regression-tests.fwb" fwbedit list -f $XMLFILE -o /User/Firewalls -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_pix -v -f $XMLFILE -xt $fwobj" done XMLFILE="cluster-tests.fwb" fwbedit list -f $XMLFILE -o /User/Clusters -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_pix -v -f $XMLFILE -xt -xc $fwobj" done fwbuilder-5.3.7/test/pix/test_net_zone_2.fw.orig000077500000000000000000000037131303637203600217000ustar00rootroot00000000000000! ! This is automatically generated file. DO NOT MODIFY ! ! ! Firewall Builder fwb_pix v5.0.1.3581 ! ! Generated Wed Oct 19 16:51:17 2011 PDT by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported ! Emulate outbound ACLs: no ! Generating outbound ACLs: no ! Assume firewall is part of any: no ! !# files: * test_net_zone_2.fw ! ! testing security levels and labels ! 
N test_net_zone_2:NAT:0: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. ! N test_net_zone_2:NAT:0: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. ! ! Prolog script: ! ! ! End of prolog script: ! nameif ethernet0 outside security0 nameif ethernet1 inside security100 no logging buffered no logging console no logging timestamp no logging on telnet timeout -1 aaa authentication ssh console LOCAL ssh timeout -1 no snmp-server enable traps no service resetinbound no service resetoutside no sysopt connection timewait no sysopt security fragguard no sysopt nodnsalias inbound no sysopt nodnsalias outbound no sysopt route dnat floodguard disable !################ ! ! Rule 0 (global) access-list outside_acl_in deny ip any any access-list inside_acl_in deny ip any any access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside ! ! Rule 0 (NAT) ! test_net_zone_2:NAT:0: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. global (outside) 1 interface nat (outside) 1 192.168.1.0 255.255.255.0 0 0 nat (outside) 1 192.168.1.11 255.255.255.255 0 0 ! ! Epilog script: ! ! End of epilog script: ! 
fwbuilder-5.3.7/test/procurve_acl/000077500000000000000000000000001303637203600171575ustar00rootroot00000000000000fwbuilder-5.3.7/test/procurve_acl/Makefile000066400000000000000000000007441303637203600206240ustar00rootroot00000000000000 FW_OBJECTS := $(shell fwbedit list -f objects-for-regression-tests.fwb -o /User/Firewalls -c -F%name% | sort) CL_OBJECTS := $(shell fwbedit list -f cluster-tests.fwb -o /User/Clusters -c -F%name% | sort) $(FW_OBJECTS): fwb_procurve_acl -f objects-for-regression-tests.fwb -xt $@ $(CL_OBJECTS): fwb_procurve_acl -f cluster-tests.fwb -xt -xc $@ .PHONY: all firewalls clusters $(FW_OBJECTS) $(CL_OBJECTS) all: firewalls clusters firewalls: $(FW_OBJECTS) clusters: $(CL_OBJECTS) fwbuilder-5.3.7/test/procurve_acl/addr-table-1.tbl000066400000000000000000000003041303637203600220140ustar00rootroot00000000000000# this is a comment # ; this should be a comment too ; 192.168.1.1 192.168.1.2/32 192.168.1.3/30 192.168.2.128/25 192.168.1.200/32 # comment again 192.168.1.201/32 # this should work, too fwbuilder-5.3.7/test/procurve_acl/block-hosts.tbl000066400000000000000000000016301303637203600221120ustar00rootroot00000000000000# # use this table to test run-time AddressTable object # (this is just a small collection of addresses that sent spam to me # on Nov 20 2005) # 151.8.224.178 # this is also a comment 168.156.76.20 193.207.126.36 195.136.186.35 196.15.136.15 201.10.180.138 201.17.93.16 201.36.156.121 202.103.25.253 202.96.112.93 203.162.3.209 203.209.124.144 210.106.193.237 210.222.114.102 211.144.143.143 211.172.218.237 211.250.16.132 212.100.212.100 212.21.241.31 218.104.138.146 218.18.72.252 218.39.114.122 218.55.115.43 219.132.104.160 220.71.17.86 220.81.50.105 220.91.99.46 221.14.249.242 221.166.177.135 221.198.33.38 221.202.160.233 221.205.54.125 221.217.44.248 222.100.212.223 222.121.118.144 222.174.113.2 58.231.13.78 58.33.181.83 58.53.82.190 61.150.47.112 61.184.14.102 64.106.85.186 70.228.60.100 80.243.72.149 80.249.77.34 80.51.236.6 
81.196.74.125 81.2.36.254 82.117.221.205 82.143.196.17 82.77.37.174 84.90.8.198 fwbuilder-5.3.7/test/procurve_acl/objects-for-regression-tests.fwb000066400000000000000000010067711303637203600254260ustar00rootroot00000000000000 established established -m state --state ESTABLISHED,RELATED established established established -m state --state ESTABLISHED,RELATED established -m record_rpc -m irc -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 -m string --string test_pattern -m talk dscp af11 dscp af12 dscp af11 fwbuilder-5.3.7/test/procurve_acl/quick-cmp.sh000077500000000000000000000014511303637203600214100ustar00rootroot00000000000000#!/bin/sh DIFFCMD="diff -C 5 -c -b -B -w -I \"Generated\" -I 'Activating ' -I 'Firewall Builder fwb_procurve_acl v' -I 'Can not find file' -I '====' -I 'log '" for f in $(ls *.fw.orig) do V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" new_f=$(echo $f | sed 's/.orig//') echo "$DIFFCMD $f $new_f" done exit 0 run_diffs_for_file() { xmlfile=$1 folder=$2 fwbedit list -f $xmlfile -o $folder -c -F%name% | sort | while read fwobj; do V="$fwobj <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" echo "echo \"$V\" | cut -c1-72" echo "$DIFFCMD ${fwobj}.fw.orig ${fwobj}.fw" done } run_diffs_for_file objects-for-regression-tests.fwb /User/Firewalls # run_diffs_for_file cluster-tests.fwb /User/Clusters fwbuilder-5.3.7/test/procurve_acl/recycle000077500000000000000000000000751303637203600205350ustar00rootroot00000000000000#!/bin/sh for f in *.fw; do j=${f}.orig mv $f $j done fwbuilder-5.3.7/test/procurve_acl/run.all000077500000000000000000000010171303637203600204570ustar00rootroot00000000000000#!/bin/sh XMLFILE="objects-for-regression-tests.fwb" fwbedit list -f $XMLFILE -o /User/Firewalls -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_procurve_acl -v -f $XMLFILE -xt $fwobj" done exit 0 
XMLFILE="cluster-tests.fwb" fwbedit list -f $XMLFILE -o /User/Clusters -c -F%name% | \ sort | while read fwobj do echo "echo" echo "echo \"============================ $fwobj\"" echo "fwb_procurve_acl -v -f $XMLFILE -xt -xc $fwobj" done fwbuilder-5.3.7/test/procurve_acl/testhp1.fw.orig000077500000000000000000001077101303637203600220550ustar00rootroot00000000000000; ; This is automatically generated file. DO NOT MODIFY ! ; ; Firewall Builder fwb_procurve_acl v4.2.0.3499 ; ; Generated Fri Mar 11 12:20:05 2011 PST by vadim ; ; Compiled for procurve_acl K.13 ; ;# files: * testhp1.fw ; ; ; Prolog script: ; ; ; End of prolog script: ; interface a1 no ip access-group a1_in in exit no ip access-list extended a1_in interface a1 no ip access-group a1_out out exit no ip access-list extended a1_out interface a2 no ip access-group a2_in in exit no ip access-list extended a2_in interface a2 no ip access-group a2_out out exit no ip access-list extended a2_out interface b1 no ip access-group b1_in in exit no ip access-list extended b1_in interface b1 no ip access-group b1_out out exit no ip access-list extended b1_out interface b2 no ip access-group b2_in in exit no ip access-list extended b2_in interface b2 no ip access-group b2_out out exit no ip access-list extended b2_out no vlan 10 ip access-group vlan_10_in in no ip access-list extended vlan_10_in no vlan 10 ip access-group vlan_10_out out no ip access-list extended vlan_10_out no vlan 20 ip access-group vlan_20_in in no ip access-list extended vlan_20_in no vlan 20 ip access-group vlan_20_out out no ip access-list extended vlan_20_out no vlan 401 ip access-group vlan_401_in in no ip access-list extended vlan_401_in no vlan 401 ip access-group vlan_401_out out no ip access-list extended vlan_401_out no vlan 402 ip access-group vlan_402_in in no ip access-list extended vlan_402_in no vlan 402 ip access-group vlan_402_out out no ip access-list extended vlan_402_out no vlan 40 ip access-group vlan_40_in in no ip access-list 
extended vlan_40_in no vlan 40 ip access-group vlan_40_out out no ip access-list extended vlan_40_out ; ================ IPv4 ip access-list extended a1_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit 
tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (a1) permit ip any 10.10.10.0 0.0.0.255 ; ; Rule 22 (a1,a2) permit ip any 10.10.10.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended a1_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended a2_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 
10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 22 (a1,a2) permit ip any 10.10.10.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended a2_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended b1_in ; ; Rule -1 backup ssh access rule 
(automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 
22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended b1_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended b2_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 
10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended b2_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended vlan_10_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 0 (vlan 10) ; anti-spoofing deny ip 10.10.10.0 0.0.0.255 any log deny ip 10.10.11.0 0.0.0.255 any log deny ip 10.10.12.0 0.0.0.255 any log ; ; Rule 1 (global) permit ip any 10.10.10.0 
0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 2 (vlan 20,vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 4 (vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 7 (vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 10 (vlan 10) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended vlan_10_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 2 (vlan 20,vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 4 (vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 10 (vlan 10) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 
0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended vlan_20_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 2 (vlan 20,vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 5 (vlan 20) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 8 (vlan 20) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 11 (vlan 20) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 
0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip 
access-list extended vlan_20_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 2 (vlan 20,vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 5 (vlan 20) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 11 (vlan 20) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended vlan_401_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 
0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended vlan_401_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 23 (global) deny ip any any log exit ip 
access-list extended vlan_402_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 
10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended vlan_402_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 
10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended vlan_40_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has 
address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 23 (global) deny ip any any log exit ip access-list extended vlan_40_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 23 (global) deny ip any any log exit interface a1 ip access-group a1_in in exit interface a1 ip access-group a1_out out exit interface a2 ip access-group a2_in in exit interface a2 ip access-group a2_out out exit interface b1 ip 
access-group b1_in in exit interface b1 ip access-group b1_out out exit interface b2 ip access-group b2_in in exit interface b2 ip access-group b2_out out exit vlan 10 ip access-group vlan_10_in in vlan 10 ip access-group vlan_10_out out vlan 20 ip access-group vlan_20_in in vlan 20 ip access-group vlan_20_out out vlan 401 ip access-group vlan_401_in in vlan 401 ip access-group vlan_401_out out vlan 402 ip access-group vlan_402_in in vlan 402 ip access-group vlan_402_out out vlan 40 ip access-group vlan_40_in in vlan 40 ip access-group vlan_40_out out ; ; Epilog script: ; ; End of epilog script: ; fwbuilder-5.3.7/test/procurve_acl/testhp2.fw.orig000077500000000000000000000445161303637203600220620ustar00rootroot00000000000000; ; This is automatically generated file. DO NOT MODIFY ! ; ; Firewall Builder fwb_procurve_acl v4.2.0.3499 ; ; Generated Fri Mar 11 12:20:05 2011 PST by vadim ; ; Compiled for procurve_acl K.13 ; ;# files: * testhp2.fw ; ; Using "no clear acl" script option ; ; Prolog script: ; ; ; End of prolog script: ; ; ================ IPv4 ip access-list extended vlan_10_in permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 deny ip 10.10.10.0 0.0.0.255 any log deny ip 10.10.11.0 0.0.0.255 any log deny ip 10.10.12.0 0.0.0.255 any log permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit 
ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 permit tcp 
22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 deny ip any any log exit ip access-list extended vlan_10_out permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 deny ip any any log exit ip access-list extended vlan_20_in permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 
22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 
22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 deny ip any any log exit ip access-list extended vlan_20_out permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 deny ip any any log exit ip access-list extended vlan_401_in permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 
0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 deny ip any any log exit ip access-list extended vlan_401_out permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 deny ip any any log exit ip access-list extended vlan_402_in permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 
22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 deny ip any any log exit ip access-list extended vlan_402_out permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit 
ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 deny ip any any log exit ip access-list extended vlan_40_in permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit 
ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 deny ip any any log exit ip access-list extended vlan_40_out permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 deny ip any any log exit vlan 10 ip access-group vlan_10_in in vlan 10 ip access-group vlan_10_out out vlan 20 ip access-group vlan_20_in in vlan 20 ip access-group vlan_20_out out vlan 401 ip access-group vlan_401_in in vlan 401 ip access-group vlan_401_out out vlan 402 ip access-group vlan_402_in in vlan 402 ip access-group vlan_402_out out vlan 40 ip access-group vlan_40_in in vlan 40 ip access-group vlan_40_out out 
; ; Epilog script: ; ; End of epilog script: ; fwbuilder-5.3.7/test/procurve_acl/testhp3.fw.orig000077500000000000000000000562621303637203600220640ustar00rootroot00000000000000; ; This is automatically generated file. DO NOT MODIFY ! ; ; Firewall Builder fwb_procurve_acl v4.2.0.3499 ; ; Generated Fri Mar 11 12:20:05 2011 PST by vadim ; ; Compiled for procurve_acl K.13 ; ;# files: * testhp3.fw ; ; Using "safety net" script option ; ; Prolog script: ; ; ; End of prolog script: ; ; temporary access list for "safety net install" no vlan 40 ip access-group tmp_acl in no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 10.10.11.10 0.0.0.0 any deny ip any any exit vlan 40 ip access-group tmp_acl in no vlan 10 ip access-group vlan_10_in in no ip access-list extended vlan_10_in no vlan 10 ip access-group vlan_10_out out no ip access-list extended vlan_10_out no vlan 20 ip access-group vlan_20_in in no ip access-list extended vlan_20_in no vlan 20 ip access-group vlan_20_out out no ip access-list extended vlan_20_out no vlan 401 ip access-group vlan_401_in in no ip access-list extended vlan_401_in no vlan 401 ip access-group vlan_401_out out no ip access-list extended vlan_401_out no vlan 402 ip access-group vlan_402_in in no ip access-list extended vlan_402_in no vlan 402 ip access-group vlan_402_out out no ip access-list extended vlan_402_out no vlan 40 ip access-group vlan_40_in in no ip access-list extended vlan_40_in no vlan 40 ip access-group vlan_40_out out no ip access-list extended vlan_40_out ; ================ IPv4 ip access-list extended vlan_10_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 0 (vlan 10) ; anti-spoofing deny ip 10.10.10.0 0.0.0.255 any log deny ip 10.10.11.0 0.0.0.255 any log deny ip 10.10.12.0 0.0.0.255 any log ; ; Rule 1 (global) permit ip any 10.10.10.0 
0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 2 (vlan 20,vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 4 (vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 7 (vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 10 (vlan 10) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) deny ip any any log exit ip access-list extended vlan_10_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 2 (vlan 20,vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 4 (vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 10 (vlan 10) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 
0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 21 (global) deny ip any any log exit ip access-list extended vlan_20_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 2 (vlan 20,vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 5 (vlan 20) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 8 (vlan 20) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 11 (vlan 20) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 
0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) deny ip any any log exit ip 
access-list extended vlan_20_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 2 (vlan 20,vlan 10) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 5 (vlan 20) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 11 (vlan 20) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 21 (global) deny ip any any log exit ip access-list extended vlan_401_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 
0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) deny ip any any log exit ip access-list extended vlan_401_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 21 (global) deny ip any any log exit ip 
access-list extended vlan_402_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 
10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) deny ip any any log exit ip access-list extended vlan_402_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 
10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) deny ip any any log exit ip access-list extended vlan_40_in ; ; Rule -1 backup ssh access rule (automatic) permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has 
address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) deny ip any any log exit ip access-list extended vlan_40_out ; ; Rule -2 backup ssh access rule (out) (automatic) permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 21 (global) deny ip any any log exit vlan 10 ip access-group vlan_10_in in vlan 10 ip access-group vlan_10_out out vlan 20 ip access-group vlan_20_in in vlan 20 ip access-group vlan_20_out out vlan 401 ip access-group vlan_401_in 
in vlan 401 ip access-group vlan_401_out out vlan 402 ip access-group vlan_402_in in vlan 402 ip access-group vlan_402_out out vlan 40 ip access-group vlan_40_in in vlan 40 ip access-group vlan_40_out out ; ; Epilog script: ; ; End of epilog script: ; fwbuilder-5.3.7/test/procurve_acl/testhp4.fw.orig000077500000000000000000000774451303637203600220730ustar00rootroot00000000000000; ; This is automatically generated file. DO NOT MODIFY ! ; ; Firewall Builder fwb_procurve_acl v4.2.0.3499 ; ; Generated Fri Mar 11 12:20:05 2011 PST by vadim ; ; Compiled for procurve_acl K.13 ; ;# files: * testhp4.fw ; ; Using "safety net" script option, management interface is not a vlan ; ; Prolog script: ; ; ; End of prolog script: ; ; temporary access list for "safety net install" interface a1 no ip access-group tmp_acl in exit no ip access-list extended tmp_acl ip access-list extended tmp_acl permit ip 10.10.11.10 0.0.0.0 any deny ip any any exit interface a1 ip access-group tmp_acl in exit interface a1 no ip access-group a1_in in exit no ip access-list extended a1_in interface a1 no ip access-group a1_out out exit no ip access-list extended a1_out no vlan 10 ip access-group vlan_10_in in no ip access-list extended vlan_10_in no vlan 10 ip access-group vlan_10_out out no ip access-list extended vlan_10_out no vlan 20 ip access-group vlan_20_in in no ip access-list extended vlan_20_in no vlan 20 ip access-group vlan_20_out out no ip access-list extended vlan_20_out no vlan 401 ip access-group vlan_401_in in no ip access-list extended vlan_401_in no vlan 401 ip access-group vlan_401_out out no ip access-list extended vlan_401_out no vlan 402 ip access-group vlan_402_in in no ip access-list extended vlan_402_in no vlan 402 ip access-group vlan_402_out out no ip access-list extended vlan_402_out no vlan 40 ip access-group vlan_40_in in no ip access-list extended vlan_40_in no vlan 40 ip access-group vlan_40_out out no ip access-list extended vlan_40_out ; ================ IPv4 ip 
access-list extended a1_in ; ; Rule -1 backup ssh access rule (automatic) remark "-1 backup ssh access rule (automatic)" permit tcp host 10.10.11.10 host 10.10.1.1 eq 22 permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) remark "1 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) remark "6 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) remark "9 (global)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 remark "12 (global)" remark "interface ethernet1 has address on network 10.10.10.0/24," remark "therefore net-10.10.10 is behind the router and we do" remark "not need to put rules 12-18 in outbound acl of eth0" permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) remark "13 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) remark "14 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit 
tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) remark "15 (global)" permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) remark "16 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) remark "17 (global)" permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) remark "18 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) remark "19 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) remark "20 (global)" permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) remark "21 (global)" deny ip any any log exit ip access-list extended a1_out ; ; Rule -2 backup ssh access rule (out) (automatic) remark "-2 backup ssh access rule (out) (automatic)" permit tcp host 10.10.1.1 eq 22 host 10.10.11.10 permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 21 (global) remark "21 (global)" deny ip any any log exit ip access-list extended vlan_10_in ; ; Rule -1 backup ssh access rule (automatic) remark "-1 backup ssh access rule (automatic)" permit tcp host 10.10.11.10 host 10.10.1.1 eq 22 permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 0 (vlan 10) ; anti-spoofing remark "0 (vlan 10)" remark anti-spoofing deny ip 10.10.10.0 0.0.0.255 any log deny ip 10.10.11.0 0.0.0.255 any log deny ip 10.10.12.0 
0.0.0.255 any log ; ; Rule 1 (global) remark "1 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 2 (vlan 20,vlan 10) remark "2 (vlan 20,vlan 10)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) remark "3 (testhp1 itf)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 4 (vlan 10) remark "4 (vlan 10)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) remark "6 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 7 (vlan 10) remark "7 (vlan 10)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) remark "9 (global)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 10 (vlan 10) remark "10 (vlan 10)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on 
network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 remark "12 (global)" remark "interface ethernet1 has address on network 10.10.10.0/24," remark "therefore net-10.10.10 is behind the router and we do" remark "not need to put rules 12-18 in outbound acl of eth0" permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) remark "13 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) remark "14 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) remark "15 (global)" permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) remark "16 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) remark "17 (global)" permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) remark "18 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) remark "19 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) remark "20 (global)" permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) remark "21 (global)" deny ip any any log exit ip access-list extended vlan_10_out ; ; Rule -2 backup ssh access rule (out) 
(automatic) remark "-2 backup ssh access rule (out) (automatic)" permit tcp host 10.10.1.1 eq 22 host 10.10.11.10 permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 2 (vlan 20,vlan 10) remark "2 (vlan 20,vlan 10)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) remark "3 (testhp1 itf)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 4 (vlan 10) remark "4 (vlan 10)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 10 (vlan 10) remark "10 (vlan 10)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 21 (global) remark "21 (global)" deny ip any any log exit ip access-list extended vlan_20_in ; ; Rule -1 backup ssh access rule (automatic) remark "-1 backup ssh access rule (automatic)" permit tcp host 10.10.11.10 host 10.10.1.1 eq 22 permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) remark "1 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 2 (vlan 20,vlan 10) remark "2 (vlan 20,vlan 10)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) remark "3 (testhp1 itf)" 
permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 5 (vlan 20) remark "5 (vlan 20)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) remark "6 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 8 (vlan 20) remark "8 (vlan 20)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) remark "9 (global)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 11 (vlan 20) remark "11 (vlan 20)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 remark "12 (global)" remark "interface ethernet1 has address on network 10.10.10.0/24," remark "therefore net-10.10.10 is behind the router and we do" remark "not need to put rules 12-18 in outbound acl of eth0" permit 47 22.22.21.0 0.0.0.255 
10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) remark "13 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) remark "14 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) remark "15 (global)" permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) remark "16 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) remark "17 (global)" permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) remark "18 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) remark "19 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) remark "20 (global)" permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) remark "21 (global)" deny ip any any log exit ip access-list extended vlan_20_out ; ; Rule -2 backup ssh access rule (out) (automatic) remark "-2 backup ssh access rule (out) (automatic)" permit tcp host 10.10.1.1 eq 22 host 10.10.11.10 permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 2 (vlan 20,vlan 10) remark "2 (vlan 20,vlan 10)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 
0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 3 (testhp1 itf) remark "3 (testhp1 itf)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 5 (vlan 20) remark "5 (vlan 20)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 11 (vlan 20) remark "11 (vlan 20)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 21 (global) remark "21 (global)" deny ip any any log exit ip access-list extended vlan_401_in ; ; Rule -1 backup ssh access rule (automatic) remark "-1 backup ssh access rule (automatic)" permit tcp host 10.10.11.10 host 10.10.1.1 eq 22 permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) remark "1 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) remark "6 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) remark "9 (global)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 
0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 remark "12 (global)" remark "interface ethernet1 has address on network 10.10.10.0/24," remark "therefore net-10.10.10 is behind the router and we do" remark "not need to put rules 12-18 in outbound acl of eth0" permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) remark "13 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) remark "14 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) remark "15 (global)" permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) remark "16 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) remark "17 (global)" permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) remark "18 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) remark "19 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) remark "20 (global)" permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) remark "21 
(global)" deny ip any any log exit ip access-list extended vlan_401_out ; ; Rule -2 backup ssh access rule (out) (automatic) remark "-2 backup ssh access rule (out) (automatic)" permit tcp host 10.10.1.1 eq 22 host 10.10.11.10 permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 21 (global) remark "21 (global)" deny ip any any log exit ip access-list extended vlan_402_in ; ; Rule -1 backup ssh access rule (automatic) remark "-1 backup ssh access rule (automatic)" permit tcp host 10.10.11.10 host 10.10.1.1 eq 22 permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) remark "1 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) remark "6 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) remark "9 (global)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 remark "12 (global)" remark "interface ethernet1 has address on network 10.10.10.0/24," remark "therefore net-10.10.10 is behind the router and we do" remark "not need to put rules 12-18 in outbound acl of eth0" permit 47 22.22.21.0 
0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) remark "13 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) remark "14 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) remark "15 (global)" permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) remark "16 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) remark "17 (global)" permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) remark "18 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) remark "19 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) remark "20 (global)" permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) remark "21 (global)" deny ip any any log exit ip access-list extended vlan_402_out ; ; Rule -2 backup ssh access rule (out) (automatic) remark "-2 backup ssh access rule (out) (automatic)" permit tcp host 10.10.1.1 eq 22 host 10.10.11.10 permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 1 (global) remark "1 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 
permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) remark "9 (global)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 remark "12 (global)" remark "interface ethernet1 has address on network 10.10.10.0/24," remark "therefore net-10.10.10 is behind the router and we do" remark "not need to put rules 12-18 in outbound acl of eth0" permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) remark "13 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) remark "14 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) remark "15 (global)" permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) remark "16 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) remark "17 (global)" permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) remark "18 (global)" permit icmp 22.22.21.0 0.0.0.255 
10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) remark "19 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) remark "20 (global)" permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) remark "21 (global)" deny ip any any log exit ip access-list extended vlan_40_in ; ; Rule -1 backup ssh access rule (automatic) remark "-1 backup ssh access rule (automatic)" permit tcp host 10.10.11.10 host 10.10.1.1 eq 22 permit tcp host 10.10.11.10 host 10.10.10.1 eq 22 permit tcp host 10.10.11.10 host 10.10.11.1 eq 22 permit tcp host 10.10.11.10 host 10.10.12.1 eq 22 ; ; Rule 1 (global) remark "1 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 6 (global) remark "6 (global)" permit ip any 10.10.10.0 0.0.0.255 permit ip any 10.10.11.0 0.0.0.255 permit ip any 10.10.12.0 0.0.0.255 ; ; Rule 9 (global) remark "9 (global)" permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255 permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255 ; ; Rule 12 (global) ; interface ethernet1 has address on network 10.10.10.0/24, ; therefore net-10.10.10 is behind the router and we do ; not need to put rules 12-18 in outbound acl of eth0 remark "12 (global)" remark "interface ethernet1 has address on network 10.10.10.0/24," remark "therefore net-10.10.10 is behind the router and we do" remark "not 
need to put rules 12-18 in outbound acl of eth0" permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 13 (global) remark "13 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3 permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11 ; ; Rule 14 (global) remark "14 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80 ; ; Rule 15 (global) remark "15 (global)" permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53 ; ; Rule 16 (global) remark "16 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established ; ; Rule 17 (global) remark "17 (global)" permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established ; ; Rule 18 (global) remark "18 (global)" permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179 permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123 permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000 ; ; Rule 19 (global) remark "19 (global)" permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 20 (global) remark "20 (global)" permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 ; ; Rule 21 (global) remark "21 (global)" deny ip any any log exit ip access-list extended vlan_40_out ; ; Rule -2 backup ssh access rule (out) (automatic) remark "-2 backup ssh access rule (out) (automatic)" permit tcp host 10.10.1.1 eq 22 host 10.10.11.10 permit tcp host 10.10.10.1 eq 22 host 10.10.11.10 permit tcp host 10.10.11.1 eq 22 host 10.10.11.10 permit tcp host 10.10.12.1 eq 22 host 10.10.11.10 ; ; Rule 21 (global) remark "21 (global)" 
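deny ip any any log exit interface a1 ip access-group a1_in in exit interface a1 ip access-group a1_out out exit vlan 10 ip access-group vlan_10_in in vlan 10 ip access-group vlan_10_out out vlan 20 ip access-group vlan_20_in in vlan 20 ip access-group vlan_20_out out vlan 401 ip access-group vlan_401_in in vlan 401 ip access-group vlan_401_out out vlan 402 ip access-group vlan_402_in in vlan 402 ip access-group vlan_402_out out vlan 40 ip access-group vlan_40_in in vlan 40 ip access-group vlan_40_out out ; ; Epilog script: ; ; End of epilog script: ; fwbuilder-5.3.7/unit_tests.sh000077500000000000000000000003751303637203600162570ustar00rootroot00000000000000
#!/bin/sh
#
# Run a test command inside every "unit_tests" directory of the source tree.
#
# Usage: ./unit_tests.sh <command> [args...]
#   e.g. ./unit_tests.sh make check
#
# For each directory named "unit_tests" below the current working directory,
# qmake is run in that directory and then the command given on the command
# line is executed there.
#
# Environment:
#   QMAKE      qmake binary to use (default: "qmake")
#   QMAKESPEC  if set, passed to qmake as "-spec $QMAKESPEC"
#
# Exit status: 0 when qmake and the test command succeed in every directory;
# the first failure aborts the run (set -e) with a non-zero status.

QMAKE="${QMAKE:-qmake}"
# Deliberately expanded unquoted below so that "-spec <spec>" splits into two
# words; the value is empty when QMAKESPEC is unset.
QMAKEPARAMS="${QMAKESPEC:+ -spec $QMAKESPEC}"

set -e

# With no arguments "$@" expands to nothing and only qmake runs, which makes
# the script report success without testing anything. Keep that behaviour but
# say so on stderr so a CI log does not silently look green.
if [ $# -eq 0 ]; then
  printf 'warning: no test command given; only qmake will be run in each unit_tests directory\n' >&2
fi

# IFS= and read -r keep directory names intact (leading blanks, backslashes).
find . -mindepth 1 -type d -name unit_tests | while IFS= read -r directory
do
  echo "===> Running tests in $directory"
  # Subshell so the cd does not leak into the next iteration. $QMAKE and
  # $QMAKEPARAMS stay unquoted on purpose: both may carry several words.
  # A failing step makes the loop body exit non-zero, and set -e then
  # terminates the whole script.
  (cd "$directory" && $QMAKE $QMAKEPARAMS && "$@")
done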